From 0374617920e3d278e68c71826fec1f590921e31b Mon Sep 17 00:00:00 2001 From: Chris Marusich Date: Tue, 30 Mar 2021 22:38:05 -0700 Subject: news: Add entry announcing powerpc64le-linux support. * etc/news.scm: Add entry. --- etc/news.scm | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'etc') diff --git a/etc/news.scm b/etc/news.scm index deedc69f6e..e735473f7c 100644 --- a/etc/news.scm +++ b/etc/news.scm @@ -12,6 +12,7 @@ ;; Copyright © 2020, 2021 Maxim Cournoyer ;; Copyright © 2021 Leo Famulari ;; Copyright © 2021 Zhu Zihao +;; Copyright © 2021 Chris Marusich ;; ;; Copying and distribution of this file, with or without modification, are ;; permitted in any medium without royalty provided the copyright notice and @@ -20,6 +21,21 @@ (channel-news (version 0) + (entry (commit "e52ec6c64a17a99ae4bb6ff02309067499915b06") + (title + (en "New supported platform: powerpc64le-linux")) + (body + (en "A new platform, powerpc64le-linux, has been added for +little-endian 64-bit Power ISA processors using the Linux-Libre kernel. This +includes POWER9 systems such as the +@uref{https://www.fsf.org/news/talos-ii-mainboard-and-talos-ii-lite-mainboard-now-fsf-certified-to-respect-your-freedom, +RYF Talos II mainboard}. This platform is available as a \"technology +preview\": although it is supported, substitutes are not yet available from +the build farm, and some packages may fail to build. In addition, Guix System +is not yet available on this platform. That said, the Guix community is +actively working on improving this support, and now is a great time to try it +and get involved!"))) + (entry (commit "9ade2b720af91acecf76278b4d9b99ace406781e") (title (en "Update on previous @command{guix-daemon} local privilege escalation") -- cgit 1.4.1 From f73b4ecb0c265987be1cb03ffc68171223c1c443 Mon Sep 17 00:00:00 2001 
From: Ludovic Courtès Date: Wed, 31 Mar 2021 17:18:14 +0200 Subject: news: Add 'fr' translation. * etc/news.scm: Add French translation of POWER9 entry. --- etc/news.scm | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/news.scm b/etc/news.scm index e735473f7c..8f219d6962 100644 --- a/etc/news.scm +++ b/etc/news.scm @@ -23,7 +23,8 @@ (entry (commit "e52ec6c64a17a99ae4bb6ff02309067499915b06") (title - (en "New supported platform: powerpc64le-linux")) + (en "New supported platform: powerpc64le-linux") + (fr "Nouvelle plate-forme prise en charge : powerpc64le-linux")) (body (en "A new platform, powerpc64le-linux, has been added for little-endian 64-bit Power ISA processors using the Linux-Libre kernel. This 
@@ -34,7 +35,18 @@ preview\": although it is supported, substitutes are not yet available from the build farm, and some packages may fail to build. In addition, Guix System is not yet available on this platform. That said, the Guix community is actively working on improving this support, and now is a great time to try it -and get involved!"))) +and get involved!") + (fr "Une nouvelle plate-forme, powerpc64le-linux, a été ajoutée pour +les processeurs POWER 64-bits utilisant le noyau Linux-libre. Ça inclut les +systèmes POWER9 tels que les +@uref{https://www.fsf.org/news/talos-ii-mainboard-and-talos-ii-lite-mainboard-now-fsf-certified-to-respect-your-freedom, +cartes Talos II RYF}. Il s'agit pour le moment d'un « avant-goût » de la +technologie : bien que la plate-forme soit prise en charge, la ferme de +compilation ne fournit pas encore de substituts et certains paquets risquent +de ne pas compiler. En outre, Guix System n'est pas encore disponible sur +cette plate-forme. Ceci dit, la communauté Guix travaille activement pour +améliorer cette prise en charge et c'est maintenant un bon moment pour +l'essayer et pour s'impliquer !"))) (entry (commit "9ade2b720af91acecf76278b4d9b99ace406781e") (title -- cgit 1.4.1 From 2743a0b28dc55837f118b87cc04aa2baf1386faf Mon Sep 17 00:00:00 2001 From: Florian Pelz Date: Thu, 1 Apr 2021 19:07:45 +0200 Subject: news: Add 'de' translation. * etc/news.scm: Add German translation of POWER9 entry. --- etc/news.scm | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'etc') diff --git a/etc/news.scm b/etc/news.scm index 8f219d6962..6d7a4a9d4f 100644 --- a/etc/news.scm +++ b/etc/news.scm @@ -24,6 +24,7 @@ (entry (commit "e52ec6c64a17a99ae4bb6ff02309067499915b06") (title (en "New supported platform: powerpc64le-linux") + (de "Neue Plattform wird unterstützt: powerpc64le-linux") (fr "Nouvelle plate-forme prise en charge : powerpc64le-linux")) (body (en "A new platform, powerpc64le-linux, has been added for 
@@ -36,6 +37,17 @@ the build farm, and some packages may fail to build. In addition, Guix System is not yet available on this platform. That said, the Guix community is actively working on improving this support, and now is a great time to try it and get involved!") + (de "Eine neue Plattform, powerpc64le-linux, wurde hinzugefügt. Mit +ihr können Prozessoren mit 64-Bit-Power-Befehlssatz, little-endian, mit dem +Linux-Libre-Kernel betrieben werden. Dazu gehören POWER9-Systeme wie die +@uref{https://www.fsf.org/news/talos-ii-mainboard-and-talos-ii-lite-mainboard-now-fsf-certified-to-respect-your-freedom, +RYF-zertifizierte Talos-II-Hauptplatine}. Bei der Plattform handelt es sich +um eine „Technologievorschau“; obwohl sie unterstützt wird, gibt es noch keine +Substitute von der Erstellungsfarm und bei manchen Paketen könnte die +Erstellung fehlschlagen. Des Weiteren ist Guix System auf dieser Plattform +noch nicht verfügbar. Dennoch arbeitet die Guix-Gemeinde aktiv daran, diese +Unterstützung auszubauen, und jetzt ist eine gute Gelegenheit, sie +auszuprobieren und mitzumachen!") (fr "Une nouvelle plate-forme, powerpc64le-linux, a été ajoutée pour les processeurs POWER 64-bits utilisant le noyau Linux-libre. Ça inclut les systèmes POWER9 tels que les -- cgit 1.4.1 From 72f911bf059ec3d984dbc2d22e02165940cb9983 Mon Sep 17 00:00:00 2001 From: Maxime Devos Date: Sat, 3 Apr 2021 12:19:10 +0200 Subject: news: Add entry for user account activation vulnerability. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * etc/news.scm: Add entry. Co-authored-by: Ludovic Courtès --- etc/news.scm | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'etc') diff --git a/etc/news.scm b/etc/news.scm index 6d7a4a9d4f..9b23c7ca0f 100644 --- a/etc/news.scm +++ b/etc/news.scm 
@@ -13,6 +13,7 @@ ;; Copyright © 2021 Leo Famulari ;; Copyright © 2021 Zhu Zihao ;; Copyright © 2021 Chris Marusich +;; Copyright © 2021 Maxime Devos ;; ;; Copying and distribution of this file, with or without modification, are ;; permitted in any medium without royalty provided the copyright notice and @@ -21,6 +22,26 @@ (channel-news (version 0) + (entry (commit "2161820ebbbab62a5ce76c9101ebaec54dc61586") + (title + (en "Risk of local privilege escalation during user account creation")) + (body + (en "A security vulnerability that can lead to local privilege +escalation has been found in the code that creates user accounts on Guix +System---Guix on other distros is unaffected. The system is only vulnerable +during the activation of user accounts that do not already exist. + +The attack can happen when @command{guix system reconfigure} is running. +Running @command{guix system reconfigure} can trigger the creation of new user +accounts if the configuration specifies new accounts. If a user whose account +is being created manages to log in after the account has been created but +before ``skeleton files'' have been copied to its home directory, they may, by +creating an appropriately-named symbolic link in the home directory pointing +to a sensitive file, such as @file{/etc/shadow}, get root privileges. + +See @uref{https://issues.guix.gnu.org/47584} for more information on this +bug."))) + (entry (commit "e52ec6c64a17a99ae4bb6ff02309067499915b06") (title (en "New supported platform: powerpc64le-linux") -- cgit 1.4.1 From c9960ad67c7644225343e913d5fea620d97bb293 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sat, 3 Apr 2021 22:13:28 +0200 Subject: news: Recommend upgrade for account activation vulnerability. * etc/news.scm: Recommend upgrade. --- etc/news.scm | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'etc') diff --git a/etc/news.scm b/etc/news.scm index 9b23c7ca0f..adb81dd64b 100644 --- a/etc/news.scm +++ b/etc/news.scm 
@@ -31,6 +31,13 @@ escalation has been found in the code that creates user accounts on Guix System---Guix on other distros is unaffected. The system is only vulnerable during the activation of user accounts that do not already exist. +This bug is fixed and Guix System users are advised to upgrade their system, +with a command along the lines of: + +@example +guix system reconfigure /run/current-system/configuration.scm +@end example + The attack can happen when @command{guix system reconfigure} is running. Running @command{guix system reconfigure} can trigger the creation of new user accounts if the configuration specifies new accounts. If a user whose account -- cgit 1.4.1 From 3b6247ba6d531be61b85e8b0c02ff4d7118593f5 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sat, 3 Apr 2021 22:19:28 +0200 Subject: news: Clarify time window for account activation vulnerability. * etc/news.scm: Tweak wording about skeleton files. --- etc/news.scm | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'etc') diff --git a/etc/news.scm b/etc/news.scm index adb81dd64b..3e5b2d7824 100644 --- a/etc/news.scm +++ b/etc/news.scm 
@@ -42,9 +42,10 @@ The attack can happen when @command{guix system reconfigure} is running. Running @command{guix system reconfigure} can trigger the creation of new user accounts if the configuration specifies new accounts. If a user whose account is being created manages to log in after the account has been created but -before ``skeleton files'' have been copied to its home directory, they may, by -creating an appropriately-named symbolic link in the home directory pointing -to a sensitive file, such as @file{/etc/shadow}, get root privileges. +before ``skeleton files'' copied to its home directory have the right +ownership, they may, by creating an appropriately-named symbolic link in the +home directory pointing to a sensitive file, such as @file{/etc/shadow}, get +root privileges. See @uref{https://issues.guix.gnu.org/47584} for more information on this bug."))) -- cgit 1.4.1 From 86617c92c6a795668b2eca3d3c3b285cb742cb24 Mon Sep 17 00:00:00 2001 From: Florian Pelz Date: Sun, 4 Apr 2021 06:47:42 +0200 Subject: news: Add 'de' translation. * etc/news.scm: Add German translation of user activation entry. --- etc/news.scm | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/news.scm b/etc/news.scm index 3e5b2d7824..65d83061df 100644 --- a/etc/news.scm +++ b/etc/news.scm @@ -24,7 +24,8 @@ (entry (commit "2161820ebbbab62a5ce76c9101ebaec54dc61586") (title - (en "Risk of local privilege escalation during user account creation")) + (en "Risk of local privilege escalation during user account creation") + (de "Risiko lokaler Rechteausweitung während der Erstellung von Benutzerkonten")) (body (en "A security vulnerability that can lead to local privilege escalation has been found in the code that creates user accounts on Guix 
@@ -48,7 +49,31 @@ home directory pointing to a sensitive file, such as @file{/etc/shadow}, get root privileges. See @uref{https://issues.guix.gnu.org/47584} for more information on this -bug."))) +bug.") + (de "Eine Sicherheitslücke, die eine lokale Rechteausweitung zur +Folge haben kann, wurde in dem Code gefunden, mit dem Benutzerkonten auf Guix +System angelegt werden — Guix auf anderen Distributionen ist nicht betroffen. +Das System kann nur während der Aktivierung noch nicht existierender +Benutzerkonten angegriffen werden. + +Der Fehler wurde behoben und wir empfehlen Nutzern von Guix System, ihre +Systeme zu aktualisieren, mit einem Befehl wie: + +@example +guix system reconfigure /run/current-system/configuration.scm +@end example + +Der Angriff kann erfolgen, während @command{guix system reconfigure} läuft. +Wenn @command{guix system reconfigure} ausgeführt wird, kann das die Erzeugung +neuer Benutzerkonten auslösen, wenn in der Konfiguration neue Konten angegeben +wurden. Wenn ein Benutzer, dessen Konto gerade angelegt wird, es +fertigbringt, sich anzumelden, bevor „Skeleton-Dateien“ in seinem Persönlichen +Verzeichnis den richtigen Besitzer haben, kann er durch Anlegen einer gezielt +benannten symbolischen Verknüpfung in seinem Persönlichen Verzeichnis auf eine +sensible Datei wie @file{/etc/shadow} Administratorrechte erlangen. + +Siehe @uref{https://issues.guix.gnu.org/47584} für mehr Informationen zu +diesem Fehler."))) (entry (commit "e52ec6c64a17a99ae4bb6ff02309067499915b06") (title -- cgit 1.4.1 From c8c3afe8485bd614692f13e1e8a4200136da1302 Mon Sep 17 00:00:00 2001 
From: Ricardo Wurmus Date: Wed, 7 Apr 2021 21:20:55 +0200 Subject: etc/committer: Handle package additions. * etc/committer.scm.in ()[diff]: Rename this field... [diff-lines]: ...to this. [definition?]: New field. (hunk->patch): Join diff lines. (diff-info): Do not join diff lines; record whether a hunk is a new definition. (commit-message): Rename this procedure... (change-commit-message): ...to this. (add-commit-message): New procedure. (main): Handle new package definitions before changes. --- etc/committer.scm.in | 113 ++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 80 insertions(+), 33 deletions(-) (limited to 'etc') diff --git a/etc/committer.scm.in b/etc/committer.scm.in index ebe6b96bcc..824483e088 100755 --- a/etc/committer.scm.in +++ b/etc/committer.scm.in @@ -3,7 +3,7 @@ !# ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2020 Ricardo Wurmus +;;; Copyright © 2020, 2021 Ricardo Wurmus ;;; ;;; This file is part of GNU Guix. ;;; @@ -28,7 +28,10 @@ (import (sxml xpath) (srfi srfi-1) + (srfi srfi-2) (srfi srfi-9) + (srfi srfi-11) + (srfi srfi-26) (ice-9 format) (ice-9 popen) (ice-9 match) @@ -63,7 +66,8 @@ LINE-NO in PORT." (make-hunk file-name old-line-number new-line-number - diff) + diff-lines + definition?) hunk? (file-name hunk-file-name) ;; Line number before the change @@ -71,14 +75,16 @@ LINE-NO in PORT." ;; Line number after the change (new-line-number hunk-new-line-number) ;; The full diff to be used with "git apply --cached" - (diff hunk-diff)) + (diff-lines hunk-diff-lines) + ;; Does this hunk add a definition? + (definition? hunk-definition?)) (define* (hunk->patch hunk #:optional (port (current-output-port))) (let ((file-name (hunk-file-name hunk))) (format port "diff --git a/~a b/~a~%--- a/~a~%+++ b/~a~%~a" file-name file-name file-name file-name - (hunk-diff hunk)))) + (string-join (hunk-diff-lines hunk) "")))) (define (diff-info) "Read the diff and return a list of values." 
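Review bot: The comment kept above the renamed field, `;; The full diff to be used with "git apply --cached"`, no longer matches what `diff-lines` holds: it is now a list of strings that `hunk->patch` joins with `string-join` in the same hunk, not one diff string. Suggest `;; Lines of the diff (as read by read-line), joined by hunk->patch for "git apply --cached"`. The surrounding `define-record-type` form starts before this hunk.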
@@ -88,21 +94,26 @@ LINE-NO in PORT." ;; Do not include any context lines. This makes it ;; easier to find the S-expression surrounding the ;; change. - "--unified=0"))) + "--unified=0" + "gnu"))) (define (extract-line-number line-tag) (abs (string->number (car (string-split line-tag #\,))))) (define (read-hunk) - (reverse - (let loop ((lines '())) - (let ((line (read-line port 'concat))) - (cond - ((eof-object? line) lines) - ((or (string-prefix? "@@ " line) - (string-prefix? "diff --git" line)) - (unget-string port line) - lines) - (else (loop (cons line lines)))))))) + (let loop ((lines '()) + (definition? #false)) + (let ((line (read-line port 'concat))) + (cond + ((eof-object? line) + (values (reverse lines) definition?)) + ((or (string-prefix? "@@ " line) + (string-prefix? "diff --git" line)) + (unget-string port line) + (values (reverse lines) definition?)) + (else + (loop (cons line lines) + (or definition? + (string-prefix? "+(define" line)))))))) (define info (let loop ((acc '()) (file-name #f)) @@ -116,13 +127,14 @@ LINE-NO in PORT." ((string-prefix? "@@ " line) (match (string-split line #\space) ((_ old-start new-start . _) - (loop (cons (make-hunk file-name - (extract-line-number old-start) - (extract-line-number new-start) - (string-join (cons* line "\n" - (read-hunk)) "")) - acc) - file-name)))) + (let-values + (((diff-lines definition?) (read-hunk))) + (loop (cons (make-hunk file-name + (extract-line-number old-start) + (extract-line-number new-start) + (cons* line "\n" diff-lines) + definition?) acc) + file-name))))) (else (loop acc file-name)))))) (close-pipe port) info)) 
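Review bot: The `definition?` flag in `read-hunk` is set by `(string-prefix? "+(define" line)`, which also matches `+(define-module`, `+(define-syntax` and procedure definitions such as `+(define (helper ...)`, so a hunk that edits an existing package and adds a helper alongside it is routed to the additions path; `main` (the `@@ -223,9 +241,38 @@` hunk further down) then takes the second whitespace token of that line as the variable name and would emit `gnu: Add (helper).`. The new record-field comment could state the heuristic, e.g. `;; Does this hunk add a top-level definition, i.e. contain a line starting with "+(define"?`. If only package variables are meant, `(string-prefix? "+(define-public " line)` would be narrower, at the cost of treating packages defined with plain `define` as changes; which is preferable I cannot tell from here.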
@@ -148,7 +160,7 @@ corresponding to the top-level definition containing the staged changes." (surrounding-sexp port (hunk-new-line-number hunk))))) -(define* (commit-message file-name old new #:optional (port (current-output-port))) +(define* (change-commit-message file-name old new #:optional (port (current-output-port))) "Print ChangeLog commit message for changes between OLD and NEW." (define (get-values expr field) (match ((sxpath `(// ,field quasiquote *)) expr) @@ -193,6 +205,12 @@ corresponding to the top-level definition containing the staged changes." (listify added))))))))) '(inputs propagated-inputs native-inputs))) +(define* (add-commit-message file-name variable-name #:optional (port (current-output-port))) + "Print ChangeLog commit message for a change to FILE-NAME adding a definition." + (format port + "gnu: Add ~a.~%~%* ~a (~a): New variable.~%" + variable-name file-name variable-name)) + (define (group-hunks-by-sexp hunks) "Return a list of pairs associating all hunks with the S-expression they are modifying." 
@@ -223,9 +241,38 @@ modifying." (() (display "Nothing to be done." (current-error-port))) (hunks - (for-each (match-lambda - ((new old . hunks) - (for-each (lambda (hunk) + (let-values + (((definitions changes) + (partition hunk-definition? hunks))) + + ;; Additions. + (for-each (lambda (hunk) + (and-let* + ((define-line (find (cut string-prefix? "+(define" <>) + (hunk-diff-lines hunk))) + (variable-name (and=> (string-tokenize define-line) second))) + (add-commit-message (hunk-file-name hunk) variable-name) + (let ((port (open-pipe* OPEN_WRITE + "git" "apply" + "--cached" + "--unidiff-zero"))) + (hunk->patch hunk port) + (unless (eqv? 0 (status:exit-val (close-pipe port))) + (error "Cannot apply"))) + + (let ((port (open-pipe* OPEN_WRITE "git" "commit" "-F" "-"))) + (add-commit-message (hunk-file-name hunk) + variable-name port) + (sleep 1) + (unless (eqv? 0 (status:exit-val (close-pipe port))) + (error "Cannot commit")))) + (sleep 1)) + definitions) + + ;; Changes. + (for-each (match-lambda + ((new old . hunks) + (for-each (lambda (hunk) (let ((port (open-pipe* OPEN_WRITE "git" "apply" "--cached" @@ -235,16 +282,16 @@ modifying." (error "Cannot apply"))) (sleep 1)) hunks) - (commit-message (hunk-file-name (first hunks)) - old new - (current-output-port)) + (change-commit-message (hunk-file-name (first hunks)) + old new + (current-output-port)) (let ((port (open-pipe* OPEN_WRITE "git" "commit" "-F" "-"))) - (commit-message (hunk-file-name (first hunks)) - old new - port) + (change-commit-message (hunk-file-name (first hunks)) + old new + port) (sleep 1) (unless (eqv? 0 (status:exit-val (close-pipe port))) (error "Cannot commit"))))) - (new+old+hunks hunks))))) + (new+old+hunks changes)))))) (main) -- cgit 1.4.1 From 56270c1275d8dcdec80c04c032079b694204052a Mon Sep 17 00:00:00 2001 
From: Ricardo Wurmus Date: Thu, 8 Apr 2021 02:59:55 +0200 Subject: etc/committer: Define delay duration as a variable. * etc/committer.scm.in (%delay): New variable. (main): Use it. --- etc/committer.scm.in | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'etc') diff --git a/etc/committer.scm.in b/etc/committer.scm.in index 824483e088..8744bae4a7 100755 --- a/etc/committer.scm.in +++ b/etc/committer.scm.in @@ -236,6 +236,8 @@ modifying." (cons* new (old-sexp (first hunks)) hunks))) (group-hunks-by-sexp hunks))) +(define %delay 1000) + (define (main . args) (match (diff-info) (() @@ -263,10 +265,10 @@ modifying." (let ((port (open-pipe* OPEN_WRITE "git" "commit" "-F" "-"))) (add-commit-message (hunk-file-name hunk) variable-name port) - (sleep 1) + (usleep %delay) (unless (eqv? 0 (status:exit-val (close-pipe port))) (error "Cannot commit")))) - (sleep 1)) + (usleep %delay)) definitions) ;; Changes. @@ -280,7 +282,7 @@ modifying." (hunk->patch hunk port) (unless (eqv? 0 (status:exit-val (close-pipe port))) (error "Cannot apply"))) - (sleep 1)) + (usleep %delay)) hunks) (change-commit-message (hunk-file-name (first hunks)) old new @@ -289,7 +291,7 @@ modifying." (change-commit-message (hunk-file-name (first hunks)) old new port) - (sleep 1) + (usleep %delay) (unless (eqv? 0 (status:exit-val (close-pipe port))) (error "Cannot commit"))))) (new+old+hunks changes)))))) -- cgit 1.4.1 From 43fb6b765d82ea5acfdc83f61472d99594ee1cbf Mon Sep 17 00:00:00 2001 
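Review bot: `(define %delay 1000)` is consumed by `usleep`, so the pause is 1000 microseconds, i.e. one millisecond, whereas every replaced `(sleep 1)` waited a full second; the commit message only says the duration becomes a variable, so the thousandfold reduction looks unintended or at least undocumented. Neither the name nor a comment records the unit or why a pause between consecutive git invocations is needed at all. Suggest `;; Pause, in microseconds, between successive git invocations.` above the definition (or naming it `%delay-usec`), and `1000000` if the one-second wait was deliberate.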
From: Ricardo Wurmus Date: Thu, 8 Apr 2021 03:00:57 +0200 Subject: etc/committer: Record minimal context for hunks to avoid problems. With zero context new definitions would be applied to the wrong location in the file. More context lines lead to larger hunks, though, so we use just one line of context. * etc/committer.scm.in (diff-info): Invoke "git diff" with one line of context. [info]: Merge line break and first line. (lines-to-first-change): New procedure. (old-sexp, new-sexp): Use it. --- etc/committer.scm.in | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) (limited to 'etc') diff --git a/etc/committer.scm.in b/etc/committer.scm.in index 8744bae4a7..376e1ac063 100755 --- a/etc/committer.scm.in +++ b/etc/committer.scm.in @@ -91,10 +91,10 @@ LINE-NO in PORT." (let ((port (open-pipe* OPEN_READ "git" "diff" "--no-prefix" - ;; Do not include any context lines. This makes it - ;; easier to find the S-expression surrounding the - ;; change. - "--unified=0" + ;; Only include one context line to avoid lumping in + ;; new definitions with changes to existing + ;; definitions. + "--unified=1" "gnu"))) (define (extract-line-number line-tag) (abs (string->number @@ -132,13 +132,22 @@ LINE-NO in PORT." (loop (cons (make-hunk file-name (extract-line-number old-start) (extract-line-number new-start) - (cons* line "\n" diff-lines) + (cons (string-append line "\n") + diff-lines) definition?) acc) file-name))))) (else (loop acc file-name)))))) (close-pipe port) info)) +(define (lines-to-first-change hunk) + "Return the number of diff lines until the first change." + (1- (count (lambda (line) + ((negate char-set-contains?) + (char-set #\+ #\-) + (string-ref line 0))) + (hunk-diff-lines hunk)))) + (define (old-sexp hunk) "Using the diff information in HUNK return the unmodified S-expression corresponding to the top-level definition containing the staged changes." 
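Review bot: `lines-to-first-change` counts every element of `hunk-diff-lines` whose first character is neither `+` nor `-`, not only the lines before the first change, so with `--unified=1` a hunk that has a trailing context line returns one more than its docstring promises (header plus leading plus trailing context, minus one, is 2 rather than 1) and `old-sexp`/`new-sexp` in the next hunk then seek one line past the first changed line. This is masked while that line still lies inside the same top-level S-expression, but a change on the last line of a definition followed by context from the next one would select the wrong definition. Taking the prefix with `take-while` from SRFI-1, which the file already imports, matches the docstring; the `@@` header line that now heads the list is still counted and removed by `1-`.
```scheme
(define (lines-to-first-change hunk)
  "Return the number of diff lines until the first change."
  (1- (length (take-while (lambda (line)
                            (not (char-set-contains? (char-set #\+ #\-)
                                                     (string-ref line 0))))
                          (hunk-diff-lines hunk)))))
```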
@@ -150,7 +159,9 @@ corresponding to the top-level definition containing the staged changes." (close-pipe port) (call-with-input-string contents (lambda (port) - (surrounding-sexp port (hunk-old-line-number hunk)))))) + (surrounding-sexp port + (+ (lines-to-first-change hunk) + (hunk-old-line-number hunk))))))) (define (new-sexp hunk) "Using the diff information in HUNK return the modified S-expression @@ -158,7 +169,8 @@ corresponding to the top-level definition containing the staged changes." (call-with-input-file (hunk-file-name hunk) (lambda (port) (surrounding-sexp port - (hunk-new-line-number hunk))))) + (+ (lines-to-first-change hunk) + (hunk-new-line-number hunk)))))) (define* (change-commit-message file-name old new #:optional (port (current-output-port))) "Print ChangeLog commit message for changes between OLD and NEW." -- cgit 1.4.1 From 83991a34d5c1d4985e54dd029a81412277ad062a Mon Sep 17 00:00:00 2001 From: Ricardo Wurmus Date: Thu, 8 Apr 2021 03:08:00 +0200 Subject: etc/committer: Recompute hunks before processing changes. * etc/committer.scm.in (main): Re-evaluate diff-info after processing insertions. --- etc/committer.scm.in | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/committer.scm.in b/etc/committer.scm.in index 376e1ac063..7991dc7430 100755 --- a/etc/committer.scm.in +++ b/etc/committer.scm.in @@ -306,6 +306,8 @@ modifying." (usleep %delay) (unless (eqv? 0 (status:exit-val (close-pipe port))) (error "Cannot commit"))))) - (new+old+hunks changes)))))) + ;; XXX: we recompute the hunks here because previous + ;; insertions lead to offsets. + (new+old+hunks (diff-info))))))) (main) -- cgit 1.4.1 From c762df54786fd6f005f3b5307323f1d2df3cbf0b Mon Sep 17 00:00:00 2001 
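Review bot: After `(new+old+hunks (diff-info))` the `changes` value bound by `partition` in `main`'s `let-values` (above this hunk, visible in an earlier commit on this page) is no longer read anywhere, and the fresh `diff-info` call is not filtered by `hunk-definition?`, so the second pass silently assumes the additions loop has committed every definition hunk. Suggest dropping the unused binding and extending the comment to `;; XXX: we recompute the hunks here because previous insertions lead to offsets; this assumes every definition hunk was committed above.` `main` starts outside the hunk.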
From: Ricardo Wurmus Date: Thu, 8 Apr 2021 17:11:14 +0200 Subject: etc/committer: Disable diff colors. Reported by: morgansmith on IRC. * etc/committer.scm.in (diff-info): Invoke "git diff" with "--no-color". --- etc/committer.scm.in | 1 + 1 file changed, 1 insertion(+) (limited to 'etc') diff --git a/etc/committer.scm.in b/etc/committer.scm.in index 7991dc7430..801b5d195e 100755 --- a/etc/committer.scm.in +++ b/etc/committer.scm.in @@ -90,6 +90,7 @@ LINE-NO in PORT." "Read the diff and return a list of values." (let ((port (open-pipe* OPEN_READ "git" "diff" + "--no-color" "--no-prefix" ;; Only include one context line to avoid lumping in ;; new definitions with changes to existing -- cgit 1.4.1 From d375eddda0b407b29ce0f7d29a582623cef20a89 Mon Sep 17 00:00:00 2001 From: Morgan Smith Date: Thu, 8 Apr 2021 12:16:35 -0400 Subject: etc/committer: Use git plumbing instead of porcelain. * etc/committer.scm.in (diff-info): Use "git diff-files" instead of "git diff". (old-sexp): Use "git cat-file" instead of "git show". Signed-off-by: Ricardo Wurmus --- etc/committer.scm.in | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'etc') diff --git a/etc/committer.scm.in b/etc/committer.scm.in index 801b5d195e..cc713dcdcd 100755 --- a/etc/committer.scm.in +++ b/etc/committer.scm.in @@ -89,8 +89,7 @@ LINE-NO in PORT." (define (diff-info) "Read the diff and return a list of values." (let ((port (open-pipe* OPEN_READ - "git" "diff" - "--no-color" + "git" "diff-files" "--no-prefix" ;; Only include one context line to avoid lumping in ;; new definitions with changes to existing 
@@ -154,8 +153,9 @@ LINE-NO in PORT." corresponding to the top-level definition containing the staged changes." ;; TODO: We can't seek with a pipe port... (let* ((port (open-pipe* OPEN_READ - "git" "show" (string-append "HEAD:" - (hunk-file-name hunk)))) + "git" "cat-file" "-p" (string-append + "HEAD:" + (hunk-file-name hunk)))) (contents (get-string-all port))) (close-pipe port) (call-with-input-string contents -- cgit 1.4.1 From a6ac141ebb2efabbd47cbb04dfeb13779b7e50f6 Mon Sep 17 00:00:00 2001 From: Morgan Smith Date: Mon, 12 Apr 2021 21:37:18 +0200 Subject: etc/committer: Add missing newline. * etc/committer.scm.in (main): Add newline to message. Signed-off-by: Ricardo Wurmus --- etc/committer.scm.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc') diff --git a/etc/committer.scm.in b/etc/committer.scm.in index cc713dcdcd..1f19ccfd6d 100755 --- a/etc/committer.scm.in +++ b/etc/committer.scm.in @@ -254,7 +254,7 @@ modifying." (define (main . args) (match (diff-info) (() - (display "Nothing to be done." (current-error-port))) + (display "Nothing to be done.\n" (current-error-port))) (hunks (let-values (((definitions changes) -- cgit 1.4.1 From 8e214c53a48a841887a59f24a20e7392b5e59b55 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Thu, 8 Apr 2021 18:34:43 -0400 Subject: guix-install.sh: Add the build users to the 'kvm' group. Fixes . * etc/guix-install.sh (sys_create_build_user): If a 'kvm' group exists, add it to the guixbuilders' lists of supplementary groups. --- etc/guix-install.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'etc') diff --git a/etc/guix-install.sh b/etc/guix-install.sh index c84e7b7577..949ef7719f 100755 --- a/etc/guix-install.sh +++ b/etc/guix-install.sh 
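Review bot: `old-sexp` now reads `git cat-file -p HEAD:<file>`, but the hunks it is applied to come from `git diff-files` (previous hunk), which compares the working tree with the index; when the file already has staged changes, the hunk's old line numbers describe the index version rather than HEAD, and `surrounding-sexp` may be handed the wrong line. Reading the index blob instead, `(string-append ":" (hunk-file-name hunk))`, would match what diff-files produced; if the tool is only meant to run on a clean index, a comment saying so above the `let*` would do. `old-sexp`'s body starts before this hunk.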
@@ -330,15 +330,20 @@ sys_create_build_user() _msg "${PAS}group created" fi + if [ $(getent group kvm) ]; then + _msg "${INF}group kvm exists and build users will be added to it" + local KVMGROUP=,kvm + fi + for i in $(seq -w 1 10); do if id "guixbuilder${i}" &>/dev/null; then _msg "${INF}user is already in the system, reset" - usermod -g guixbuild -G guixbuild \ + usermod -g guixbuild -G guixbuild${KVMGROUP} \ -d /var/empty -s "$(which nologin)" \ -c "Guix build user $i" \ "guixbuilder${i}"; else - useradd -g guixbuild -G guixbuild \ + useradd -g guixbuild -G guixbuild${KVMGROUP} \ -d /var/empty -s "$(which nologin)" \ -c "Guix build user $i" --system \ "guixbuilder${i}"; -- cgit 1.4.1
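Review bot: `if [ $(getent group kvm) ]; then` relies on the unquoted `getent` output collapsing to a single word; `if getent group kvm >/dev/null; then` tests the exit status directly and cannot break on whitespace in the group line. `KVMGROUP` is assigned only inside that conditional, so `guixbuild${KVMGROUP}` on the `usermod` and `useradd` lines expands an unset variable whenever no kvm group exists, which is harmless under default options but aborts under `set -u` (whether the script enables it is outside the hunk); `local KVMGROUP=""` before the `if` avoids that. A one-line comment stating why the builders get this membership, e.g. `# Membership in 'kvm' lets the build users open /dev/kvm` (confirm that is the intent), would help, since the commit message only points at a bug report.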