Diffstat (limited to 'guix')
-rw-r--r-- | guix/build-system/r.scm | 4 | ||||
-rw-r--r-- | guix/download.scm | 4 | ||||
-rw-r--r-- | guix/git-authenticate.scm | 29 | ||||
-rw-r--r-- | guix/import/cran.scm | 4 | ||||
-rw-r--r-- | guix/lint.scm | 13 | ||||
-rw-r--r-- | guix/scripts/system.scm | 4 |
6 files changed, 46 insertions, 12 deletions
diff --git a/guix/build-system/r.scm b/guix/build-system/r.scm index 2d328764b0..c8ec9abd0d 100644 --- a/guix/build-system/r.scm +++ b/guix/build-system/r.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2015, 2017, 2018 Ricardo Wurmus <rekado@elephly.net> +;;; Copyright © 2015, 2017, 2018, 2019, 2020 Ricardo Wurmus <rekado@elephly.net> ;;; ;;; This file is part of GNU Guix. ;;; @@ -59,7 +59,7 @@ release corresponding to NAME and VERSION." "/src/contrib/" name "_" version ".tar.gz") ;; TODO: use %bioconductor-version from (guix import cran) - (string-append "https://bioconductor.org/packages/3.10" + (string-append "https://bioconductor.org/packages/3.11" type-url-part "/src/contrib/Archive/" name "_" version ".tar.gz")))) diff --git a/guix/download.scm b/guix/download.scm index c3dc5a208c..7d6edddbdd 100644 --- a/guix/download.scm +++ b/guix/download.scm @@ -141,8 +141,12 @@ "http://www.eu.apache.org/dist/" "http://www.us.apache.org/dist/" "http://apache.belnet.be/" + "http://apache.mirror.iweb.ca/" "http://mirrors.ircam.fr/pub/apache/" + "http://apache.mirrors.ovh.net/ftp.apache.org/dist/" "http://apache-mirror.rbc.ru/pub/apache/" + "ftp://ftp.osuosl.org/pub/apache/" + "http://mirrors.ibiblio.org/apache/" ;; As a last resort, try the archive. "http://archive.apache.org/dist/") diff --git a/guix/git-authenticate.scm b/guix/git-authenticate.scm index c333717136..0d6f696a0b 100644 --- a/guix/git-authenticate.scm +++ b/guix/git-authenticate.scm 
@@ -85,9 +85,11 @@ (signature missing-key-error-signature)) -(define (commit-signing-key repo commit-id keyring) +(define* (commit-signing-key repo commit-id keyring + #:key (disallowed-hash-algorithms '(sha1))) "Return the OpenPGP key that signed COMMIT-ID (an OID). Raise an exception -if the commit is unsigned, has an invalid signature, or if its signing key is +if the commit is unsigned, has an invalid signature, has a signature using one +of the hash algorithms in DISALLOWED-HASH-ALGORITHMS, or if its signing key is not in KEYRING." (let-values (((signature signed-data) (catch 'git-error @@ -103,6 +105,17 @@ not in KEYRING." (oid->string commit-id))))))) (let ((signature (string->openpgp-packet signature))) + (when (memq (openpgp-signature-hash-algorithm signature) + `(,@disallowed-hash-algorithms md5)) + (raise (condition + (&unsigned-commit-error (commit commit-id)) + (&message + (message (format #f (G_ "commit ~a has a ~a signature, \ +which is not permitted") + (oid->string commit-id) + (openpgp-signature-hash-algorithm + signature))))))) + (with-fluids ((%default-port-encoding "UTF-8")) (let-values (((status data) (verify-openpgp-signature signature keyring @@ -198,8 +211,18 @@ not specify anything, fall back to DEFAULT-AUTHORIZATIONS." (define id (commit-id commit)) + (define recent-commit? + (false-if-git-not-found + (tree-entry-bypath (commit-tree commit) ".guix-authorizations"))) + (define signing-key - (commit-signing-key repository id keyring)) + (commit-signing-key repository id keyring + ;; Reject SHA1 signatures unconditionally as suggested + ;; by the authors of "SHA-1 is a Shambles" (2019). + ;; Accept it for "historical" commits (there are such + ;; signatures from April 2020 in the repository). + #:disallowed-hash-algorithms + (if recent-commit? '(sha1) '()))) (unless (member (openpgp-public-key-fingerprint signing-key) (commit-authorized-keys repository commit 
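Review bot: The revised docstring of `commit-signing-key` omits that MD5 is always rejected: it says a signature is refused when its hash algorithm is in DISALLOWED-HASH-ALGORITHMS, but the check added in the following hunk splices `md5` onto that list on every call. A caller passing `'()` therefore still gets MD5 rejected, which is the safe behaviour but is not what the text promises. I would add a sentence such as `MD5 signatures are always rejected, whatever DISALLOWED-HASH-ALGORITHMS contains.` The procedure body continues outside this hunk.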
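Review bot: The new `memq` check raises `&unsigned-commit-error` for a commit that does carry a signature, so a handler or log consumer that dispatches on the condition type cannot tell "signed with a rejected hash" from "not signed at all"; only the message text differs. If that conflation is deliberate, a comment above the `raise` would record it, for example `;; Reported as unsigned: a signature over a rejected hash gives no assurance.` If it is not, a more specific condition type would make these rejections distinguishable when auditing authentication failures. Running the check before `verify-openpgp-signature` looks right, since nothing about the key needs to be consulted for a signature that will be refused anyway.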
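Review bot: `recent-commit?` is derived from the tree of the very commit being authenticated, so the decision to tolerate a SHA-1 signature depends on content chosen by whoever produced that commit: any commit whose tree lacks `.guix-authorizations` is treated as historical and gets `'()`. The signature must still verify against KEYRING and the key must still be authorized, but the reason for refusing SHA-1 is that such a signature is weak evidence, so the relaxation is best keyed on something the commit cannot influence (its position relative to a fixed introduction commit, or its parents' trees; which fits is not visible from this hunk). The comment also contradicts the code: it says SHA1 is rejected "unconditionally" while the argument is conditional, so I would reword it along the lines of `;; Reject SHA1 signatures on commits that carry '.guix-authorizations'; accept them only for older, "historical" commits.` The enclosing procedure starts and ends outside the hunk.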
diff --git a/guix/import/cran.scm b/guix/import/cran.scm index ad66a644ee..b822fbc0ae 100644 --- a/guix/import/cran.scm +++ b/guix/import/cran.scm @@ -141,9 +141,9 @@ package definition." (define %cran-url "https://cran.r-project.org/web/packages/") (define %bioconductor-url "https://bioconductor.org/packages/") -;; The latest Bioconductor release is 3.10. Bioconductor packages should be +;; The latest Bioconductor release is 3.11. Bioconductor packages should be ;; updated together. -(define %bioconductor-version "3.10") +(define %bioconductor-version "3.11") (define* (bioconductor-packages-list-url #:optional type) (string-append "https://bioconductor.org/packages/" diff --git a/guix/lint.scm b/guix/lint.scm index 6271894360..82861b8a27 100644 --- a/guix/lint.scm +++ b/guix/lint.scm @@ -9,6 +9,7 @@ ;;; Copyright © 2017 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2017, 2018, 2020 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2018, 2019 Arun Isaac <arunisaac@systemreboot.net> +;;; Copyright © 2020 Chris Marusich <cmmarusich@gmail.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -669,13 +670,17 @@ patch could not be found." (or (and=> (package-source package) origin-patches) '())) + (define (starts-with-package-name? file-name) + (and=> (string-contains file-name (package-name package)) + zero?)) + (append (if (every (match-lambda ;patch starts with package name? ((? string? patch) - (and=> (string-contains (basename patch) - (package-name package)) - zero?)) - (_ #f)) ;must be an <origin> or something like that. + (starts-with-package-name? (basename patch))) + ((? origin? patch) + (starts-with-package-name? (origin-actual-file-name patch))) + (_ #f)) ;must be some other file-like object patches) '() (list diff --git a/guix/scripts/system.scm b/guix/scripts/system.scm index 3d7aa77cb7..6769a602b1 100644 --- a/guix/scripts/system.scm +++ b/guix/scripts/system.scm 
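Review bot: In guix/lint.scm the new helper `starts-with-package-name?` spells a prefix test as `string-contains` followed by `zero?`, which searches the whole file name and then discards every match except the one at position 0; `(string-prefix? (package-name package) file-name)` states the intent directly and returns a plain boolean. The added `(? origin? patch)` clause also relies on `origin-actual-file-name` returning a string for every origin that can appear in the patch list. If some origin kinds make it fail or return `#f`, the checker would raise instead of emitting a warning, so that is worth confirming against its definition, which is not part of this diff. The enclosing checker procedure begins and ends outside the hunk.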
@@ -5,6 +5,7 @@ ;;; Copyright © 2017, 2019 Mathieu Othacehe <m.othacehe@gmail.com> ;;; Copyright © 2018 Ricardo Wurmus <rekado@elephly.net> ;;; Copyright © 2019 Christopher Baines <mail@cbaines.net> +;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org> ;;; ;;; This file is part of GNU Guix. ;;; @@ -801,7 +802,8 @@ static checks." (check-initrd-modules os))) (mlet* %store-monad - ((image (find-image file-system-type)) + ((target (current-target-system)) + (image -> (find-image file-system-type target)) (sys (system-derivation-for-action os image action #:file-system-type file-system-type #:image-size image-size |