Diffstat (limited to 'guix')
-rw-r--r--guix/build-system/r.scm4
-rw-r--r--guix/download.scm4
-rw-r--r--guix/git-authenticate.scm29
-rw-r--r--guix/import/cran.scm4
-rw-r--r--guix/lint.scm13
-rw-r--r--guix/scripts/system.scm4
6 files changed, 46 insertions, 12 deletions
diff --git a/guix/build-system/r.scm b/guix/build-system/r.scm
index 2d328764b0..c8ec9abd0d 100644
--- a/guix/build-system/r.scm
+++ b/guix/build-system/r.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2015, 2017, 2018 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2015, 2017, 2018, 2019, 2020 Ricardo Wurmus <rekado@elephly.net>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -59,7 +59,7 @@ release corresponding to NAME and VERSION."
"/src/contrib/"
name "_" version ".tar.gz")
;; TODO: use %bioconductor-version from (guix import cran)
- (string-append "https://bioconductor.org/packages/3.10"
+ (string-append "https://bioconductor.org/packages/3.11"
type-url-part
"/src/contrib/Archive/"
name "_" version ".tar.gz"))))
diff --git a/guix/download.scm b/guix/download.scm
index c3dc5a208c..7d6edddbdd 100644
--- a/guix/download.scm
+++ b/guix/download.scm
@@ -141,8 +141,12 @@
"http://www.eu.apache.org/dist/"
"http://www.us.apache.org/dist/"
"http://apache.belnet.be/"
+ "http://apache.mirror.iweb.ca/"
"http://mirrors.ircam.fr/pub/apache/"
+ "http://apache.mirrors.ovh.net/ftp.apache.org/dist/"
"http://apache-mirror.rbc.ru/pub/apache/"
+ "ftp://ftp.osuosl.org/pub/apache/"
+ "http://mirrors.ibiblio.org/apache/"
;; As a last resort, try the archive.
"http://archive.apache.org/dist/")
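Review bot: The four mirrors added in this hunk are plain `http://` and `ftp://` URLs, so the transport provides no integrity or authenticity for what is fetched from them. That is acceptable only if every file downloaded through this list is checked against the content hash recorded in the package's origin, which is not visible in this hunk. A comment above the list would make that dependency explicit, for example `;; Plain HTTP/FTP mirrors are acceptable only because fetched files are verified against the origin's hash.` The mirror list itself begins before the hunk.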
diff --git a/guix/git-authenticate.scm b/guix/git-authenticate.scm
index c333717136..0d6f696a0b 100644
--- a/guix/git-authenticate.scm
+++ b/guix/git-authenticate.scm
@@ -85,9 +85,11 @@
(signature missing-key-error-signature))
-(define (commit-signing-key repo commit-id keyring)
+(define* (commit-signing-key repo commit-id keyring
+ #:key (disallowed-hash-algorithms '(sha1)))
"Return the OpenPGP key that signed COMMIT-ID (an OID). Raise an exception
-if the commit is unsigned, has an invalid signature, or if its signing key is
+if the commit is unsigned, has an invalid signature, has a signature using one
+of the hash algorithms in DISALLOWED-HASH-ALGORITHMS, or if its signing key is
not in KEYRING."
(let-values (((signature signed-data)
(catch 'git-error
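Review bot: The updated docstring says rejection is governed by DISALLOWED-HASH-ALGORITHMS, but the check added in the next hunk always appends `md5` to that list, so a caller passing `'()` still gets MD5 signatures refused. The docstring should state that, for example `MD5 signatures are always rejected, regardless of DISALLOWED-HASH-ALGORITHMS.` It would also help to document that the default is `'(sha1)`, since callers that omit the keyword silently get the strict policy. The procedure body continues outside this hunk.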
@@ -103,6 +105,17 @@ not in KEYRING."
(oid->string commit-id)))))))
(let ((signature (string->openpgp-packet signature)))
+ (when (memq (openpgp-signature-hash-algorithm signature)
+ `(,@disallowed-hash-algorithms md5))
+ (raise (condition
+ (&unsigned-commit-error (commit commit-id))
+ (&message
+ (message (format #f (G_ "commit ~a has a ~a signature, \
+which is not permitted")
+ (oid->string commit-id)
+ (openpgp-signature-hash-algorithm
+ signature)))))))
+
(with-fluids ((%default-port-encoding "UTF-8"))
(let-values (((status data)
(verify-openpgp-signature signature keyring
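Review bot: The new check raises `&unsigned-commit-error` for a commit that is signed, only with a disallowed hash, so a handler or log consumer keyed on the condition type cannot tell "no signature" from "weak signature" without parsing the message. A dedicated condition type carrying the commit and the offending algorithm would keep the two cases separable for reporting and triage. The check is also a deny-list (`sha1`, `md5`): any other algorithm returned by `openpgp-signature-hash-algorithm` passes through, so an allow-list of accepted algorithms would fail closed instead. The enclosing procedure starts before this hunk and continues after it.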
@@ -198,8 +211,18 @@ not specify anything, fall back to DEFAULT-AUTHORIZATIONS."
(define id
(commit-id commit))
+ (define recent-commit?
+ (false-if-git-not-found
+ (tree-entry-bypath (commit-tree commit) ".guix-authorizations")))
+
(define signing-key
- (commit-signing-key repository id keyring))
+ (commit-signing-key repository id keyring
+ ;; Reject SHA1 signatures unconditionally as suggested
+ ;; by the authors of "SHA-1 is a Shambles" (2019).
+ ;; Accept it for "historical" commits (there are such
+ ;; signatures from April 2020 in the repository).
+ #:disallowed-hash-algorithms
+ (if recent-commit? '(sha1) '())))
(unless (member (openpgp-public-key-fingerprint signing-key)
(commit-authorized-keys repository commit
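Review bot: `recent-commit?` is derived from the tree of the very commit being authenticated, so the commit's own content selects whether SHA-1 signatures are rejected: any commit whose tree lacks `.guix-authorizations` is treated as historical and gets `'()`. How much this matters depends on how authorized keys are resolved for such commits, which this hunk does not show, but the relaxation would be easier to reason about if keyed on something the commit cannot influence, such as its ancestry relative to the commit that introduced `.guix-authorizations`. The inline comment also says SHA1 is rejected "unconditionally", which the `if` contradicts; something like `;; Reject SHA1 signatures on commits that carry '.guix-authorizations'; accept them only on older, "historical" commits.` matches the code. The enclosing procedure begins before and continues past this hunk.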
diff --git a/guix/import/cran.scm b/guix/import/cran.scm
index ad66a644ee..b822fbc0ae 100644
--- a/guix/import/cran.scm
+++ b/guix/import/cran.scm
@@ -141,9 +141,9 @@ package definition."
(define %cran-url "https://cran.r-project.org/web/packages/")
(define %bioconductor-url "https://bioconductor.org/packages/")
-;; The latest Bioconductor release is 3.10. Bioconductor packages should be
+;; The latest Bioconductor release is 3.11. Bioconductor packages should be
;; updated together.
-(define %bioconductor-version "3.10")
+(define %bioconductor-version "3.11")
(define* (bioconductor-packages-list-url #:optional type)
(string-append "https://bioconductor.org/packages/"
diff --git a/guix/lint.scm b/guix/lint.scm
index 6271894360..82861b8a27 100644
--- a/guix/lint.scm
+++ b/guix/lint.scm
@@ -9,6 +9,7 @@
;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2017, 2018, 2020 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2018, 2019 Arun Isaac <arunisaac@systemreboot.net>
+;;; Copyright © 2020 Chris Marusich <cmmarusich@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -669,13 +670,17 @@ patch could not be found."
(or (and=> (package-source package) origin-patches)
'()))
+ (define (starts-with-package-name? file-name)
+ (and=> (string-contains file-name (package-name package))
+ zero?))
+
(append
(if (every (match-lambda ;patch starts with package name?
((? string? patch)
- (and=> (string-contains (basename patch)
- (package-name package))
- zero?))
- (_ #f)) ;must be an <origin> or something like that.
+ (starts-with-package-name? (basename patch)))
+ ((? origin? patch)
+ (starts-with-package-name? (origin-actual-file-name patch)))
+ (_ #f)) ;must be some other file-like object
patches)
'()
(list
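Review bot: `starts-with-package-name?` tests for a prefix by searching for the package name anywhere in the string and then checking that the index is zero. `(string-prefix? (package-name package) file-name)` expresses the same test directly and stops at the first mismatch. Separately, the new origin branch passes `(origin-actual-file-name patch)` straight to the helper; if that can yield a non-string for some origins (not visible here), a `string?` guard would let the checker report a warning rather than raise. The enclosing procedure starts before this hunk and continues after it.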
diff --git a/guix/scripts/system.scm b/guix/scripts/system.scm
index 3d7aa77cb7..6769a602b1 100644
--- a/guix/scripts/system.scm
+++ b/guix/scripts/system.scm
@@ -5,6 +5,7 @@
;;; Copyright © 2017, 2019 Mathieu Othacehe <m.othacehe@gmail.com>
;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2019 Christopher Baines <mail@cbaines.net>
+;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -801,7 +802,8 @@ static checks."
(check-initrd-modules os)))
(mlet* %store-monad
- ((image (find-image file-system-type))
+ ((target (current-target-system))
+ (image -> (find-image file-system-type target))
(sys (system-derivation-for-action os image action
#:file-system-type file-system-type
#:image-size image-size