From a3f2c295e7f8719dc47d5757b89188e0ed68faf2 Mon Sep 17 00:00:00 2001 From: ng0 Date: Thu, 14 Mar 2019 10:43:47 +0000 Subject: gnu: libextractor: Update to 1.9. * gnu/packages/gnunet (libextractor): Update to 1.9. [source]: Remove patches. * gnu/packages/patches/libextractor-CVE-2018-20430.patch gnu/packages/patches/libextractor-CVE-2018-20431.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. Signed-off-by: Tobias Geerinckx-Rice --- gnu/local.mk | 2 -- 1 file changed, 2 deletions(-) (limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index af2bf87273..49537e19f8 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -968,8 +968,6 @@ dist_patch_DATA = \
 %D%/packages/patches/libevent-2.1-skip-failing-test.patch \
 %D%/packages/patches/libexif-CVE-2016-6328.patch \
 %D%/packages/patches/libexif-CVE-2017-7544.patch \
- %D%/packages/patches/libextractor-CVE-2018-20430.patch \
- %D%/packages/patches/libextractor-CVE-2018-20431.patch \
 %D%/packages/patches/libgcrypt-make-yat2m-reproducible.patch \
 %D%/packages/patches/libgit2-mtime-0.patch \
 %D%/packages/patches/libgit2-oom-test.patch \
-- cgit v1.2.3 From 9081333bcd3ff0d6d7cc2f357f56cc2a39bfef50 Mon Sep 17 00:00:00 2001
From: Tobias Geerinckx-Rice Date: Mon, 18 Mar 2019 23:04:31 +0100 Subject: gnu: cracklib: Update to 2.9.7. * gnu/packages/password-utils.scm (cracklib): Update to 2.9.7. [source]: Remove patches. * gnu/packages/patches/cracklib-CVE-2016-6318.patch, gnu/packages/patches/cracklib-fix-buffer-overflow.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove them. --- gnu/local.mk | 2 - gnu/packages/password-utils.scm | 22 +++-- gnu/packages/patches/cracklib-CVE-2016-6318.patch | 95 ---------------------- .../patches/cracklib-fix-buffer-overflow.patch | 39 --------- 4 files changed, 10 insertions(+), 148 deletions(-) delete mode 100644 gnu/packages/patches/cracklib-CVE-2016-6318.patch delete mode 100644 gnu/packages/patches/cracklib-fix-buffer-overflow.patch (limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index 49537e19f8..0a7e9bbc67 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -706,8 +706,6 @@ dist_patch_DATA = \
 %D%/packages/patches/combinatorial-blas-io-fix.patch \
 %D%/packages/patches/cpio-CVE-2016-2037.patch \
 %D%/packages/patches/cpufrequtils-fix-aclocal.patch \
- %D%/packages/patches/cracklib-CVE-2016-6318.patch \
- %D%/packages/patches/cracklib-fix-buffer-overflow.patch \
 %D%/packages/patches/crawl-upgrade-saves.patch \
 %D%/packages/patches/crda-optional-gcrypt.patch \
 %D%/packages/patches/clucene-contribs-lib.patch \
diff --git a/gnu/packages/password-utils.scm b/gnu/packages/password-utils.scm
index 9fd5a6ff0d..ad89cee5a8 100644
--- a/gnu/packages/password-utils.scm
+++ b/gnu/packages/password-utils.scm
@@ -9,7 +9,7 @@
 ;;; Copyright © 2016 Alex Griffin
 ;;; Copyright © 2017 Leo Famulari
 ;;; Copyright © 2017, 2018 Clément Lassieur
-;;; Copyright © 2017, 2018 Tobias Geerinckx-Rice
+;;; Copyright © 2017, 2018, 2019 Tobias Geerinckx-Rice
 ;;; Copyright © 2017 Jelle Licht
 ;;; Copyright © 2017 Eric Bavier
 ;;; Copyright © 2017 Nicolas Goaziou
@@ -295,17 +295,15 @@ and vice versa.")
 (define-public cracklib
 (package
 (name "cracklib")
- (version "2.9.6")
- (source (origin
- (method url-fetch)
- (uri (string-append "https://github.com/cracklib/cracklib/"
- "releases/download/" name "-" version "/"
- name "-" version ".tar.gz"))
- (patches (search-patches "cracklib-CVE-2016-6318.patch"
- "cracklib-fix-buffer-overflow.patch"))
- (sha256
- (base32
- "0hrkb0prf7n92w6rxgq0ilzkk6rkhpys2cfqkrbzswp27na7dkqp"))))
+ (version "2.9.7")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (string-append "https://github.com/cracklib/cracklib/"
+ "releases/download/v" version "/"
+ "cracklib-" version ".tar.bz2"))
+ (sha256
+ (base32 "1rimpjsdnmw8f5b7k558cic41p2qy2n2yrlqp5vh7mp4162hk0py"))))
 (build-system gnu-build-system)
 (synopsis "Password checking library")
 (home-page "https://github.com/cracklib/cracklib")
diff --git a/gnu/packages/patches/cracklib-CVE-2016-6318.patch b/gnu/packages/patches/cracklib-CVE-2016-6318.patch
deleted file mode 100644
index 4806ecaae9..0000000000
--- a/gnu/packages/patches/cracklib-CVE-2016-6318.patch
+++ /dev/null
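Review bot: The new `source` for cracklib drops `(patches (search-patches "cracklib-CVE-2016-6318.patch" "cracklib-fix-buffer-overflow.patch"))`, and nothing on the page records that the 2.9.7 tarball already carries both fixes. Because these were security patches, the removal should be backed by a check of the release notes or of `lib/fascist.c` and `lib/rules.c` in the new tarball; this page does not show that check. Once confirmed, a one-line comment above `(source` would keep the reason visible, for example `;; 2.9.7 includes the fixes for CVE-2016-6318 and the Mangle() buffer overflow.` The changed download URL and archive format are covered by the new `sha256`, so they need no further note.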
@@ -1,95 +0,0 @@ -Fix CVE-2016-6318. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6318 - -Patch copied from Red Hat: - -https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6318 -https://bugzilla.redhat.com/attachment.cgi?id=1188599&action=diff - -It is not safe to pass words longer than STRINGSIZE further to cracklib -so the longbuffer cannot be longer than STRINGSIZE. -diff -up cracklib-2.9.0/lib/fascist.c.longgecos cracklib-2.9.0/lib/fascist.c ---- cracklib-2.9.0/lib/fascist.c.longgecos 2014-02-06 16:03:59.000000000 +0100 -+++ cracklib-2.9.0/lib/fascist.c 2016-08-08 12:05:40.279235815 +0200 -@@ -515,7 +515,7 @@ FascistGecosUser(char *password, const c - char gbuffer[STRINGSIZE]; - char tbuffer[STRINGSIZE]; - char *uwords[STRINGSIZE]; -- char longbuffer[STRINGSIZE * 2]; -+ char longbuffer[STRINGSIZE]; - - if (gecos == NULL) - gecos = ""; -@@ -596,38 +596,47 @@ FascistGecosUser(char *password, const c - { - for (i = 0; i < j; i++) - { -- strcpy(longbuffer, uwords[i]); -- strcat(longbuffer, uwords[j]); -- -- if (GTry(longbuffer, password)) -+ if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE) - { -- return _("it is derived from your password entry"); -- } -- -- strcpy(longbuffer, uwords[j]); -- strcat(longbuffer, uwords[i]); -+ strcpy(longbuffer, uwords[i]); -+ strcat(longbuffer, uwords[j]); - -- if (GTry(longbuffer, password)) -- { -- return _("it's derived from your password entry"); -+ if (GTry(longbuffer, password)) -+ { -+ return _("it is derived from your password entry"); -+ } -+ -+ strcpy(longbuffer, uwords[j]); -+ strcat(longbuffer, uwords[i]); -+ -+ if (GTry(longbuffer, password)) -+ { -+ return _("it's derived from your password entry"); -+ } - } - -- longbuffer[0] = uwords[i][0]; -- longbuffer[1] = '\0'; -- strcat(longbuffer, uwords[j]); -- -- if (GTry(longbuffer, password)) -+ if (strlen(uwords[j]) < STRINGSIZE - 1) - { -- return _("it is derivable from your password entry"); -+ longbuffer[0] = uwords[i][0]; -+ longbuffer[1] = '\0'; 
-+ strcat(longbuffer, uwords[j]); -+ -+ if (GTry(longbuffer, password)) -+ { -+ return _("it is derivable from your password entry"); -+ } - } - -- longbuffer[0] = uwords[j][0]; -- longbuffer[1] = '\0'; -- strcat(longbuffer, uwords[i]); -- -- if (GTry(longbuffer, password)) -+ if (strlen(uwords[i]) < STRINGSIZE - 1) - { -- return _("it's derivable from your password entry"); -+ longbuffer[0] = uwords[j][0]; -+ longbuffer[1] = '\0'; -+ strcat(longbuffer, uwords[i]); -+ -+ if (GTry(longbuffer, password)) -+ { -+ return _("it's derivable from your password entry"); -+ } - } - } - } diff --git a/gnu/packages/patches/cracklib-fix-buffer-overflow.patch b/gnu/packages/patches/cracklib-fix-buffer-overflow.patch deleted file mode 100644 index b1c990f282..0000000000 --- a/gnu/packages/patches/cracklib-fix-buffer-overflow.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -Fix buffer overflow processing long words in Mangle(). - -Patch adpated from upstream commit, omitting changes to 'NEWS': - -https://github.com/cracklib/cracklib/commit/33d7fa4585247cd2247a1ffa032ad245836c6edb - -From 33d7fa4585247cd2247a1ffa032ad245836c6edb Mon Sep 17 00:00:00 2001 -From: Jan Dittberner -Date: Thu, 25 Aug 2016 17:17:53 +0200 -Subject: [PATCH] Fix a buffer overflow processing long words - -A buffer overflow processing long words has been discovered. This commit -applies the patch from -https://build.opensuse.org/package/view_file/Base:System/cracklib/0004-overflow-processing-long-words.patch -by Howard Guo. - -See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835386 and -http://www.openwall.com/lists/oss-security/2016/08/23/8 ---- - src/NEWS | 1 + - src/lib/rules.c | 5 ++--- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/lib/rules.c b/src/lib/rules.c -index d193cc0..3a2aa46 100644 ---- a/lib/rules.c -+++ b/lib/rules.c -@@ -434,9 +434,8 @@ Mangle(input, control) /* returns a pointer to a controlled Mangle */ - { - int limit; - register char *ptr; -- static char area[STRINGSIZE]; -- char area2[STRINGSIZE]; -- area[0] = '\0'; -+ static char area[STRINGSIZE * 2] = {0}; -+ char area2[STRINGSIZE * 2] = {0}; - strcpy(area, input); - - for (ptr = control; *ptr; ptr++) -- cgit v1.2.3 From 1d6589db81c7c390e04795805e684b01f5a0c45f Mon Sep 17 00:00:00 2001 From: Andreas Enge Date: Tue, 19 Mar 2019 10:44:15 +0100 Subject: gnu: Add python-flint. * gnu/packages/algebra.scm (python-flint): New variable. * gnu/packages/patches/python-flint-includes.patch: New file. * gnu/local.mk (dist_patch_DATA): Register the patch. --- gnu/local.mk | 1 + gnu/packages/algebra.scm | 34 ++++++ gnu/packages/patches/python-flint-includes.patch | 131 +++++++++++++++++++++++ 3 files changed, 166 insertions(+) create mode 100644 gnu/packages/patches/python-flint-includes.patch (limited to 'gnu/local.mk') 
diff --git a/gnu/local.mk b/gnu/local.mk
index 0a7e9bbc67..87bed6e827 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1176,6 +1176,7 @@ dist_patch_DATA = \
 %D%/packages/patches/python2-larch-coverage-4.0a6-compatibility.patch \
 %D%/packages/patches/python-configobj-setuptools.patch \
 %D%/packages/patches/python-faker-fix-build-32bit.patch \
+ %D%/packages/patches/python-flint-includes.patch \
 %D%/packages/patches/python-mox3-python3.6-compat.patch \
 %D%/packages/patches/python-testtools.patch \
 %D%/packages/patches/python-paste-remove-timing-test.patch \
diff --git a/gnu/packages/algebra.scm b/gnu/packages/algebra.scm
index 2849a565c3..e272cd990b 100644
--- a/gnu/packages/algebra.scm
+++ b/gnu/packages/algebra.scm
@@ -43,6 +43,7 @@
 #:use-module (gnu packages multiprecision)
 #:use-module (gnu packages perl)
 #:use-module (gnu packages python)
+ #:use-module (gnu packages python-xyz)
 #:use-module (gnu packages readline)
 #:use-module (gnu packages shells)
 #:use-module (gnu packages tex)
@@ -52,6 +53,7 @@
 #:use-module (guix build-system ant)
 #:use-module (guix build-system gnu)
 #:use-module (guix build-system cmake)
+ #:use-module (guix build-system python)
 #:use-module (guix download)
 #:use-module (guix git-download)
 #:use-module ((guix licenses) #:prefix license:)
@@ -421,6 +423,38 @@ real and complex numbers, with automatic, rigorous error control.") (license license:lgpl2.1+) (home-page "http://fredrikj.net/arb/"))) +(define-public python-flint + (package + (name "python-flint") + (version "0.3.0") + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/fredrik-johansson/python-flint.git") + (commit version))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "1v0anazbj1cfi68nl2j6dbd31kgkc1563xmr0zk5xk3xj78569pw")) + (patches (search-patches "python-flint-includes.patch")))) + (build-system python-build-system) + (native-inputs + `(("python-cython" ,python-cython))) + (propagated-inputs + `(("python-numpy" ,python-numpy))) + (inputs + `(("arb" ,arb) + ("flint" ,flint))) + (synopsis "Python module wrapping ARB and FLINT") + (description + "Python-flint is a Python extension module wrapping FLINT +(Fast Library for Number Theory) and Arb (arbitrary-precision ball +arithmetic). It supports integers, rationals, modular integers, +real and complex ball arithmetic, polynomials and matrices over all +these types and other mathematical functions.") + (license license:expat) + (home-page "http://fredrikj.net/python-flint/"))) + (define-public ntl (package (name "ntl") diff --git a/gnu/packages/patches/python-flint-includes.patch b/gnu/packages/patches/python-flint-includes.patch new file mode 100644 index 0000000000..c0cfe94a04 --- /dev/null +++ b/gnu/packages/patches/python-flint-includes.patch 
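Review bot: The `home-page` of the new `python-flint` package is a plain `http://` URL, so the link users follow from the package metadata is unauthenticated. If the site serves HTTPS, use `(home-page "https://fredrikj.net/python-flint/")`. The fetched source is pinned by `sha256`, so this affects only the metadata link and not the build input. The `arb` entry in the context lines just above points at the same host over `http://` and could be changed in the same way.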
@@ -0,0 +1,131 @@ +The following patch, authored by Andreas Enge, looks for the flint include +files in the correct subdirectory. + +diff -u -r python-flint-old/src/flint.pxd python-flint-new/src/flint.pxd +--- python-flint-old/src/flint.pxd 2019-03-19 10:26:11.055748626 +0100 ++++ python-flint-new/src/flint.pxd 2019-03-19 10:35:23.269341203 +0100 +@@ -27,7 +27,7 @@ + + ctypedef long fmpz_struct + +-cdef extern from "flint.h": ++cdef extern from "flint/flint.h": + ctypedef void * flint_rand_t + void flint_randinit(flint_rand_t state) + void flint_randclear(flint_rand_t state) +@@ -35,7 +35,7 @@ + long flint_get_num_threads() + void flint_cleanup() + +-cdef extern from "nmod_vec.h": ++cdef extern from "flint/nmod_vec.h": + ctypedef struct nmod_t: + mp_limb_t n + mp_limb_t ninv +@@ -47,7 +47,7 @@ + mp_limb_t nmod_mul(mp_limb_t a, mp_limb_t b, nmod_t mod) + mp_limb_t nmod_div(mp_limb_t a, mp_limb_t b, nmod_t mod) + +-cdef extern from "nmod_poly.h": ++cdef extern from "flint/nmod_poly.h": + ctypedef struct nmod_poly_struct: + mp_ptr coeffs + long alloc +@@ -129,7 +129,7 @@ + void nmod_poly_factor_init(nmod_poly_factor_t fac) + void nmod_poly_factor_clear(nmod_poly_factor_t fac) + +-cdef extern from "nmod_mat.h": ++cdef extern from "flint/nmod_mat.h": + ctypedef struct nmod_mat_struct: + mp_limb_t * entries + long r +@@ -178,7 +178,7 @@ + long nmod_mat_rref(nmod_mat_t A) + long nmod_mat_nullspace(nmod_mat_t X, nmod_mat_t A) + +-cdef extern from "fmpz.h": ++cdef extern from "flint/fmpz.h": + ctypedef fmpz_struct fmpz_t[1] + int COEFF_IS_MPZ(fmpz_struct v) + void fmpz_init(fmpz_t op) +@@ -268,7 +268,7 @@ + void fmpz_rfac_uiui(fmpz_t r, ulong x, ulong n) + void fmpz_primorial(fmpz_t res, ulong n) + +-cdef extern from "fmpz_factor.h": ++cdef extern from "flint/fmpz_factor.h": + ctypedef struct fmpz_factor_struct: + int sign + fmpz_struct * p +@@ -280,7 +280,7 @@ + void fmpz_factor_clear(fmpz_factor_t factor) + void fmpz_factor(fmpz_factor_t factor, fmpz_t n) + +-cdef extern 
from "fmpz_poly.h": ++cdef extern from "flint/fmpz_poly.h": + ctypedef struct fmpz_poly_struct: + fmpz_struct * coeffs + long alloc +@@ -390,14 +390,14 @@ + void fmpz_poly_cos_minpoly(fmpz_poly_t, ulong) + void fmpz_poly_swinnerton_dyer(fmpz_poly_t, ulong) + +-cdef extern from "fmpz_poly_factor.h": ++cdef extern from "flint/fmpz_poly_factor.h": + void fmpz_poly_factor_init(fmpz_poly_factor_t fac) + void fmpz_poly_factor_clear(fmpz_poly_factor_t fac) + void fmpz_poly_factor_zassenhaus(fmpz_poly_factor_t fac, fmpz_poly_t G) + void fmpz_poly_factor(fmpz_poly_factor_t fac, fmpz_poly_t G) + void fmpz_poly_factor_squarefree(fmpz_poly_factor_t fac, fmpz_poly_t G) + +-cdef extern from "fmpz_mat.h": ++cdef extern from "flint/fmpz_mat.h": + ctypedef struct fmpz_mat_struct: + fmpz_struct * entries + long r +@@ -448,7 +448,7 @@ + void fmpz_mat_snf(fmpz_mat_t S, const fmpz_mat_t A) + int fmpz_mat_is_in_snf(const fmpz_mat_t A) + +-cdef extern from "fmpz_lll.h": ++cdef extern from "flint/fmpz_lll.h": + ctypedef struct fmpz_lll_struct: + double delta + double eta +@@ -461,7 +461,7 @@ + void fmpz_lll(fmpz_mat_t B, fmpz_mat_t U, const fmpz_lll_t fl) + + +-cdef extern from "fmpq.h": ++cdef extern from "flint/fmpq.h": + ctypedef struct fmpq_struct: + fmpz_struct num + fmpz_struct den +@@ -506,7 +506,7 @@ + void fmpq_next_signed_minimal(fmpq_t res, fmpq_t x) + void fmpq_harmonic_ui(fmpq_t res, ulong n) + +-cdef extern from "fmpq_poly.h": ++cdef extern from "flint/fmpq_poly.h": + ctypedef struct fmpq_poly_struct: + fmpz_struct * coeffs + fmpz_t den +@@ -620,7 +620,7 @@ + void fmpq_poly_compose_series(fmpq_poly_t res, fmpq_poly_t poly1, fmpq_poly_t poly2, long n) + void fmpq_poly_revert_series(fmpq_poly_t res, fmpq_poly_t poly1, long n) + +-cdef extern from "fmpq_mat.h": ++cdef extern from "flint/fmpq_mat.h": + ctypedef struct fmpq_mat_struct: + fmpq_struct * entries + long r +@@ -672,7 +672,7 @@ + long fmpq_mat_rref(fmpq_mat_t B, fmpq_mat_t A) + void fmpq_mat_transpose(fmpq_mat_t B, 
fmpq_mat_t A) + +-cdef extern from "arith.h": ++cdef extern from "flint/arith.h": + void arith_number_of_partitions(fmpz_t res, ulong n) + int arith_moebius_mu(fmpz_t n) + void arith_divisor_sigma(fmpz_t v, fmpz_t n, ulong k) -- cgit v1.2.3 From d17b1c0891c2e1b2b1bfc92a120e91c1f8909c39 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Wed, 20 Mar 2019 00:13:57 +0100 Subject: gnu: knot: Update to 2.8.0. * gnu/packages/dns.scm (knot): Update to 2.8.0. [source]: Add patch. * gnu/packages/patches/knot-include-system-lmdb-header.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + gnu/packages/dns.scm | 6 ++-- .../patches/knot-include-system-lmdb-header.patch | 34 ++++++++++++++++++++++ 3 files changed, 39 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/knot-include-system-lmdb-header.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index 87bed6e827..c32876cdcf 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -929,6 +929,7 @@ dist_patch_DATA = \ %D%/packages/patches/kio-search-smbd-on-PATH.patch \ %D%/packages/patches/kmod-module-directory.patch \ %D%/packages/patches/kmscon-runtime-keymap-switch.patch \ + %D%/packages/patches/knot-include-system-lmdb-header.patch \ %D%/packages/patches/kpackage-allow-external-paths.patch \ %D%/packages/patches/kobodeluxe-paths.patch \ %D%/packages/patches/kobodeluxe-enemies-pipe-decl.patch \ diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm index f8b60e34c5..034fe6916a 100644 --- a/gnu/packages/dns.scm +++ b/gnu/packages/dns.scm 
@@ -569,14 +569,16 @@ Extensions} (DNSSEC).") (define-public knot (package (name "knot") - (version "2.7.6") + (version "2.8.0") (source (origin (method url-fetch) (uri (string-append "https://secure.nic.cz/files/knot-dns/" "knot-" version ".tar.xz")) (sha256 (base32 - "18lpyq3vgr2ainmfiy14x7hcf1zxza66bhkpr54jaz2gy1viijx1")) + "1vw7xx7bm440jwrpvdd04vrp6ccz2b11swcn9msvs62hf0kdjjj9")) + (patches + (search-patches "knot-include-system-lmdb-header.patch")) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/knot-include-system-lmdb-header.patch b/gnu/packages/patches/knot-include-system-lmdb-header.patch new file mode 100644 index 0000000000..5c5c0beabc --- /dev/null +++ b/gnu/packages/patches/knot-include-system-lmdb-header.patch @@ -0,0 +1,34 @@ +From: Tobias Geerinckx-Rice +Date: Wed, 20 Mar 2019 00:08:00 +0100 +Subject: [PATCH] gnu: knot: Include system . + +Copied verbatim from Knot master[0]. + +[0]: https://gitlab.labs.nic.cz/knot/knot-dns/commit/b557430cffbb1c6b30617a394b02acc514e7e536 + +From b557430cffbb1c6b30617a394b02acc514e7e536 Mon Sep 17 00:00:00 2001 +From: Daniel Salzman +Date: Wed, 6 Mar 2019 17:35:44 +0100 +Subject: [PATCH] journal: include proper header + +fixes #638 +--- + src/knot/journal/knot_lmdb.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/knot/journal/knot_lmdb.h b/src/knot/journal/knot_lmdb.h +index 35a88845c..b1d09cbb4 100644 +--- a/src/knot/journal/knot_lmdb.h ++++ b/src/knot/journal/knot_lmdb.h +@@ -16,7 +16,7 @@ + + #pragma once + +-#include "contrib/lmdb/lmdb.h" ++#include + + #include + #include +-- +2.18.1 + -- cgit v1.2.3 From c16423f143919916a5273761d7ed29bd49f14519 Mon Sep 17 00:00:00 2001 
From: Ricardo Wurmus Date: Wed, 20 Mar 2019 19:43:07 +0100 Subject: services: Add nslcd-service-type. * gnu/services/authentication.scm (nslcd-service-type, nslcd-configuration, %nslcd-accounts): New variables. (uglify-field-name, value->string, serialize-field, serialize-list, ssl-option?, tls-reqcert-option?, deref-option?, comma-separated-list-of-strings?, serialize-ignore-users-option, log-option?, serialize-log-option, valid-map?, scope-option?, serialize-scope-option, map-entry?, list-of-map-entries?, filter-entry?, list-of-filter-entries?, serialize-filter-entry, serialize-list-of-filter-entries, serialize-map-entry, serialize-list-of-map-entries, nslcd-config-file, nslcd-etc-service, nslcd-shepherd-service, pam-ldap-pam-services, pam-ldap-pam-service, generate-nslcd-documentation): New procedures. * gnu/tests/ldap.scm: New file. * gnu/local.mk (GNU_SYSTEM_MODULES): Add it. * doc/guix.texi (LDAP Services): Document it. --- doc/guix.texi | 479 +++++++++++++++++++++++++++++++++++++ gnu/local.mk | 1 + gnu/services/authentication.scm | 511 +++++++++++++++++++++++++++++++++++++++- gnu/tests/ldap.scm | 160 +++++++++++++ 4 files changed, 1150 insertions(+), 1 deletion(-) create mode 100644 gnu/tests/ldap.scm (limited to 'gnu/local.mk') diff --git a/doc/guix.texi b/doc/guix.texi index bb344e1625..94d7a29bdf 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -11139,6 +11139,7 @@ declaration. * Telephony Services:: Telephony services. * Monitoring Services:: Monitoring services. * Kerberos Services:: Kerberos services. +* LDAP Services:: LDAP services. * Web Services:: Web servers. * Certificate Services:: TLS certificates via Let's Encrypt. * DNS Services:: DNS daemons. 
@@ -17685,6 +17686,484 @@ Local accounts with lower values will silently fail to authenticate. @end deftp +@node LDAP Services +@subsection LDAP Services +@cindex LDAP +@cindex nslcd, LDAP service + +The @code{(gnu services authentication)} module provides the +@code{nslcd-service-type}, which can be used to authenticate against an LDAP +server. In addition to configuring the service itself, you may want to add +@code{ldap} as a name service to the Name Service Switch. @xref{Name Service +Switch} for detailed information. + +Here is a simple operating system declaration with a default configuration of +the @code{nslcd-service-type} and a Name Service Switch configuration that +consults the @code{ldap} name service last: + +@example +(use-service-modules authentication) +(use-modules (gnu system nss)) +... +(operating-system + ... + (services + (cons* + (service nslcd-service-type) + (service dhcp-client-service-type) + %base-services)) + (name-service-switch + (let ((services (list (name-service (name "db")) + (name-service (name "files")) + (name-service (name "ldap"))))) + (name-service-switch + (inherit %mdns-host-lookup-nss) + (password services) + (shadow services) + (group services) + (netgroup services) + (gshadow services))))) +@end example + +@c %start of generated documentation for nslcd-configuration + +Available @code{nslcd-configuration} fields are: + +@deftypevr {@code{nslcd-configuration} parameter} package nss-pam-ldapd +The @code{nss-pam-ldapd} package to use. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number threads +The number of threads to start that can handle requests and perform LDAP +queries. Each thread opens a separate connection to the LDAP server. +The default is to start 5 threads. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} string uid +This specifies the user id with which the daemon should be run. + +Defaults to @samp{"nslcd"}. 
+ +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} string gid +This specifies the group id with which the daemon should be run. + +Defaults to @samp{"nslcd"}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} log-option log +This option controls the way logging is done via a list containing +SCHEME and LEVEL. The SCHEME argument may either be the symbols "none" +or "syslog", or an absolute file name. The LEVEL argument is optional +and specifies the log level. The log level may be one of the following +symbols: "crit", "error", "warning", "notice", "info" or "debug". All +messages with the specified log level or higher are logged. + +Defaults to @samp{("/var/log/nslcd" info)}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} list uri +The list of LDAP server URIs. Normally, only the first server will be +used with the following servers as fall-back. + +Defaults to @samp{("ldap://localhost:389/")}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string ldap-version +The version of the LDAP protocol to use. The default is to use the +maximum version supported by the LDAP library. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string binddn +Specifies the distinguished name with which to bind to the directory +server for lookups. The default is to bind anonymously. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string bindpw +Specifies the credentials with which to bind. This option is only +applicable when used with binddn. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string rootpwmoddn +Specifies the distinguished name to use when the root user tries to +modify a user's password using the PAM module. + +Defaults to @samp{disabled}. 
+ +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string rootpwmodpw +Specifies the credentials with which to bind if the root user tries to +change a user's password. This option is only applicable when used with +rootpwmoddn + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string sasl-mech +Specifies the SASL mechanism to be used when performing SASL +authentication. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string sasl-realm +Specifies the SASL realm to be used when performing SASL authentication. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string sasl-authcid +Specifies the authentication identity to be used when performing SASL +authentication. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string sasl-authzid +Specifies the authorization identity to be used when performing SASL +authentication. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-boolean sasl-canonicalize? +Determines whether the LDAP server host name should be canonicalised. If +this is enabled the LDAP library will do a reverse host name lookup. By +default, it is left up to the LDAP library whether this check is +performed or not. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string krb5-ccname +Set the name for the GSS-API Kerberos credentials cache. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} string base +The directory search base. + +Defaults to @samp{"dc=example,dc=com"}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} scope-option scope +Specifies the search scope (subtree, onelevel, base or children). 
The +default scope is subtree; base scope is almost never useful for name +service lookups; children scope is not supported on all servers. + +Defaults to @samp{(subtree)}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-deref-option deref +Specifies the policy for dereferencing aliases. The default policy is +to never dereference aliases. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-boolean referrals +Specifies whether automatic referral chasing should be enabled. The +default behaviour is to chase referrals. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} list-of-map-entries maps +This option allows for custom attributes to be looked up instead of the +default RFC 2307 attributes. It is a list of maps, each consisting of +the name of a map, the RFC 2307 attribute to match and the query +expression for the attribute as it is available in the directory. + +Defaults to @samp{()}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} list-of-filter-entries filters +A list of filters consisting of the name of a map to which the filter +applies and an LDAP search filter expression. + +Defaults to @samp{()}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number bind-timelimit +Specifies the time limit in seconds to use when connecting to the +directory server. The default value is 10 seconds. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number timelimit +Specifies the time limit (in seconds) to wait for a response from the +LDAP server. A value of zero, which is the default, is to wait +indefinitely for searches to be completed. + +Defaults to @samp{disabled}. 
+ +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number idle-timelimit +Specifies the period if inactivity (in seconds) after which the con‐ +nection to the LDAP server will be closed. The default is not to time +out connections. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number reconnect-sleeptime +Specifies the number of seconds to sleep when connecting to all LDAP +servers fails. By default one second is waited between the first +failure and the first retry. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number reconnect-retrytime +Specifies the time after which the LDAP server is considered to be +permanently unavailable. Once this time is reached retries will be done +only once per this time period. The default value is 10 seconds. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-ssl-option ssl +Specifies whether to use SSL/TLS or not (the default is not to). If +'start-tls is specified then StartTLS is used rather than raw LDAP over +SSL. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-tls-reqcert-option tls-reqcert +Specifies what checks to perform on a server-supplied certificate. The +meaning of the values is described in the ldap.conf(5) manual page. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-cacertdir +Specifies the directory containing X.509 certificates for peer authen‐ +tication. This parameter is ignored when using GnuTLS. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-cacertfile +Specifies the path to the X.509 certificate for peer authentication. + +Defaults to @samp{disabled}. 
+ +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-randfile +Specifies the path to an entropy source. This parameter is ignored when +using GnuTLS. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-ciphers +Specifies the ciphers to use for TLS as a string. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-cert +Specifies the path to the file containing the local certificate for +client TLS authentication. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string tls-key +Specifies the path to the file containing the private key for client TLS +authentication. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number pagesize +Set this to a number greater than 0 to request paged results from the +LDAP server in accordance with RFC2696. The default (0) is to not +request paged results. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-ignore-users-option nss-initgroups-ignoreusers +This option prevents group membership lookups through LDAP for the +specified users. Alternatively, the value 'all-local may be used. With +that value nslcd builds a full list of non-LDAP users on startup. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number nss-min-uid +This option ensures that LDAP users with a numeric user id lower than +the specified value are ignored. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number nss-uid-offset +This option specifies an offset that is added to all LDAP numeric user +ids. This can be used to avoid user id collisions with local users. + +Defaults to @samp{disabled}. 
+ +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-number nss-gid-offset +This option specifies an offset that is added to all LDAP numeric group +ids. This can be used to avoid user id collisions with local groups. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-boolean nss-nested-groups +If this option is set, the member attribute of a group may point to +another group. Members of nested groups are also returned in the higher +level group and parent groups are returned when finding groups for a +specific user. The default is not to perform extra searches for nested +groups. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-boolean nss-getgrent-skipmembers +If this option is set, the group member list is not retrieved when +looking up groups. Lookups for finding which groups a user belongs to +will remain functional so the user will likely still get the correct +groups assigned on login. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-boolean nss-disable-enumeration +If this option is set, functions which cause all user/group entries to +be loaded from the directory will not succeed in doing so. This can +dramatically reduce LDAP server load in situations where there are a +great number of users and/or groups. This option is not recommended for +most configurations. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string validnames +This option can be used to specify how user and group names are verified +within the system. This pattern is used to check all user and group +names that are requested and returned from LDAP. + +Defaults to @samp{disabled}. 
+ +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-boolean ignorecase +This specifies whether or not to perform searches using case-insensitive +matching. Enabling this could open up the system to authorization +bypass vulnerabilities and introduce nscd cache poisoning +vulnerabilities which allow denial of service. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-boolean pam-authc-ppolicy +This option specifies whether password policy controls are requested and +handled from the LDAP server when performing user authentication. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string pam-authc-search +By default nslcd performs an LDAP search with the user's credentials +after BIND (authentication) to ensure that the BIND operation was +successful. The default search is a simple check to see if the user's +DN exists. A search filter can be specified that will be used instead. +It should return at least one entry. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string pam-authz-search +This option allows flexible fine tuning of the authorisation check that +should be performed. The search filter specified is executed and if any +entries match, access is granted, otherwise access is denied. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} maybe-string pam-password-prohibit-message +If this option is set password modification using pam_ldap will be +denied and the specified message will be presented to the user instead. +The message can be used to direct the user to an alternative means of +changing their password. + +Defaults to @samp{disabled}. + +@end deftypevr + +@deftypevr {@code{nslcd-configuration} parameter} list pam-services +List of pam service names for which LDAP authentication should suffice. 
+ +Defaults to @samp{()}. + +@end deftypevr + +@c %end of generated documentation for nslcd-configuration + + @node Web Services @subsection Web Services diff --git a/gnu/local.mk b/gnu/local.mk index c32876cdcf..a5a2f11538 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -569,6 +569,7 @@ GNU_SYSTEM_MODULES = \ %D%/tests/monitoring.scm \ %D%/tests/nfs.scm \ %D%/tests/install.scm \ + %D%/tests/ldap.scm \ %D%/tests/mail.scm \ %D%/tests/messaging.scm \ %D%/tests/networking.scm \ diff --git a/gnu/services/authentication.scm b/gnu/services/authentication.scm index 1a2629d475..ab54aaf698 100644 --- a/gnu/services/authentication.scm +++ b/gnu/services/authentication.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2018 Danny Milosavljevic +;;; Copyright © 2018, 2019 Ricardo Wurmus ;;; ;;; This file is part of GNU Guix. ;;; @@ -18,13 +19,28 @@ (define-module (gnu services authentication) #:use-module (gnu services) + #:use-module (gnu services base) + #:use-module (gnu services configuration) #:use-module (gnu services dbus) + #:use-module (gnu services shepherd) + #:use-module (gnu system pam) + #:use-module (gnu system shadow) + #:use-module (gnu packages admin) #:use-module (gnu packages freedesktop) + #:use-module (gnu packages openldap) #:use-module (guix gexp) #:use-module (guix records) + #:use-module (guix packages) + #:use-module (ice-9 match) + #:use-module (srfi srfi-1) + #:use-module (srfi srfi-26) #:export (fprintd-configuration fprintd-configuration? - fprintd-service-type)) + fprintd-service-type + + nslcd-configuration + nslcd-configuration? + nslcd-service-type)) (define-record-type* fprintd-configuration make-fprintd-configuration 
@@ -39,3 +55,496 @@ list))) (description "Run fprintd, a fingerprint management daemon."))) + + +;;; +;;; NSS Pam LDAP service (nslcd) +;;; + +(define (uglify-field-name name) + (match name + ('filters "filter") + ('maps "map") + (_ (string-map (match-lambda + (#\- #\_) + (chr chr)) + (symbol->string name))))) + +(define (value->string val) + (cond + ((boolean? val) + (if val "on" "off")) + ((number? val) + (number->string val)) + ((symbol? val) + (string-map (match-lambda + (#\- #\_) + (chr chr)) + (symbol->string val))) + (else val))) + +(define (serialize-field field-name val) + (if (eq? field-name 'pam-services) + #t + (format #t "~a ~a\n" + (uglify-field-name field-name) + (value->string val)))) + +(define serialize-string serialize-field) +(define serialize-boolean serialize-field) +(define serialize-number serialize-field) +(define (serialize-list field-name val) + (map (cut serialize-field field-name <>) val)) +(define-maybe string) +(define-maybe boolean) +(define-maybe number) + +(define (ssl-option? val) + (or (boolean? val) + (eq? val 'start-tls))) +(define serialize-ssl-option serialize-field) +(define-maybe ssl-option) + +(define (tls-reqcert-option? val) + (member val '(never allow try demand hard))) +(define serialize-tls-reqcert-option serialize-field) +(define-maybe tls-reqcert-option) + +(define (deref-option? val) + (member val '(never searching finding always))) +(define serialize-deref-option serialize-field) +(define-maybe deref-option) + +(define (comma-separated-list-of-strings? val) + (and (list? val) + (every string? val))) +(define (ignore-users-option? val) + (or (comma-separated-list-of-strings? val) + (eq? 'all-local val))) +(define (serialize-ignore-users-option field-name val) + (serialize-field field-name (if (eq? 'all-local val) + val + (string-join val ",")))) +(define-maybe ignore-users-option) + +(define (log-option? val) + (let ((valid-scheme? (lambda (scheme) + (or (string? 
scheme) + (member scheme '(none syslog)))))) + (match val + ((scheme level) + (and (valid-scheme? scheme) + (member level '(crit error warning notice info debug)))) + ((scheme) + (valid-scheme? scheme))))) +(define (serialize-log-option field-name val) + (serialize-field field-name + (string-join (map (cut format #f "~a" <>) val)))) + +(define (valid-map? val) + "Is VAL a supported map name?" + (member val + '(alias aliases ether ethers group host hosts netgroup network networks + passwd protocol protocols rpc service services shadow))) + +(define (scope-option? val) + (let ((valid-scopes '(subtree onelevel base children))) + (match val + ((map-name scope) + (and (valid-map? map-name) + (member scope valid-scopes))) + ((scope) + (member scope valid-scopes))))) +(define (serialize-scope-option field-name val) + (serialize-field field-name + (string-join (map (cut format #f "~a" <>) val)))) + +(define (map-entry? val) + (match val + (((? valid-map? map-name) + (? string? attribute) + (? string? new-attribute)) #t) + (_ #f))) + +(define (list-of-map-entries? val) + (and (list? val) + (every map-entry? val))) + +(define (filter-entry? val) + (match val + (((? valid-map? map-name) + (? string? filter-expression)) #t) + (_ #f))) + +(define (list-of-filter-entries? val) + (and (list? val) + (every filter-entry? val))) + +(define (serialize-filter-entry field-name val) + (serialize-field 'filter + (match val + (((? valid-map? map-name) + (? string? filter-expression)) + (string-append (symbol->string map-name) + " " filter-expression))))) + +(define (serialize-list-of-filter-entries field-name val) + (for-each (cut serialize-filter-entry field-name <>) val)) + +(define (serialize-map-entry field-name val) + (serialize-field 'map + (match val + (((? valid-map? map-name) + (? string? attribute) + (? string? 
new-attribute)) + (string-append (symbol->string map-name) + " " attribute + " " new-attribute))))) + +(define (serialize-list-of-map-entries field-name val) + (for-each (cut serialize-map-entry field-name <>) val)) + + +(define-configuration nslcd-configuration + (nss-pam-ldapd + (package nss-pam-ldapd) + "The NSS-PAM-LDAPD package to use.") + + ;; Runtime options + (threads + (maybe-number 'disabled) + "The number of threads to start that can handle requests and perform LDAP +queries. Each thread opens a separate connection to the LDAP server. The +default is to start 5 threads.") + (uid + (string "nslcd") + "This specifies the user id with which the daemon should be run.") + (gid + (string "nslcd") + "This specifies the group id with which the daemon should be run.") + (log + (log-option '("/var/log/nslcd" info)) + "This option controls the way logging is done via a list containing SCHEME +and LEVEL. The SCHEME argument may either be the symbols \"none\" or +\"syslog\", or an absolute file name. The LEVEL argument is optional and +specifies the log level. The log level may be one of the following symbols: +\"crit\", \"error\", \"warning\", \"notice\", \"info\" or \"debug\". All +messages with the specified log level or higher are logged.") + + ;; LDAP connection settings + (uri + (list '("ldap://localhost:389/")) + "The list of LDAP server URIs. Normally, only the first server will be +used with the following servers as fall-back.") + (ldap-version + (maybe-string 'disabled) + "The version of the LDAP protocol to use. The default is to use the +maximum version supported by the LDAP library.") + (binddn + (maybe-string 'disabled) + "Specifies the distinguished name with which to bind to the directory +server for lookups. The default is to bind anonymously.") + (bindpw + (maybe-string 'disabled) + "Specifies the credentials with which to bind. 
This option is only +applicable when used with binddn.") + (rootpwmoddn + (maybe-string 'disabled) + "Specifies the distinguished name to use when the root user tries to modify +a user's password using the PAM module.") + (rootpwmodpw + (maybe-string 'disabled) + "Specifies the credentials with which to bind if the root user tries to +change a user's password. This option is only applicable when used with +rootpwmoddn") + + ;; SASL authentication options + (sasl-mech + (maybe-string 'disabled) + "Specifies the SASL mechanism to be used when performing SASL +authentication.") + (sasl-realm + (maybe-string 'disabled) + "Specifies the SASL realm to be used when performing SASL authentication.") + (sasl-authcid + (maybe-string 'disabled) + "Specifies the authentication identity to be used when performing SASL +authentication.") + (sasl-authzid + (maybe-string 'disabled) + "Specifies the authorization identity to be used when performing SASL +authentication.") + (sasl-canonicalize? + (maybe-boolean 'disabled) + "Determines whether the LDAP server host name should be canonicalised. If +this is enabled the LDAP library will do a reverse host name lookup. By +default, it is left up to the LDAP library whether this check is performed or +not.") + + ;; Kerberos authentication options + (krb5-ccname + (maybe-string 'disabled) + "Set the name for the GSS-API Kerberos credentials cache.") + + ;; Search / mapping options + (base + (string "dc=example,dc=com") + "The directory search base.") + (scope + (scope-option '(subtree)) + "Specifies the search scope (subtree, onelevel, base or children). The +default scope is subtree; base scope is almost never useful for name service +lookups; children scope is not supported on all servers.") + (deref + (maybe-deref-option 'disabled) + "Specifies the policy for dereferencing aliases. 
The default policy is to +never dereference aliases.") + (referrals + (maybe-boolean 'disabled) + "Specifies whether automatic referral chasing should be enabled. The +default behaviour is to chase referrals.") + (maps + (list-of-map-entries '()) + "This option allows for custom attributes to be looked up instead of the +default RFC 2307 attributes. It is a list of maps, each consisting of the +name of a map, the RFC 2307 attribute to match and the query expression for +the attribute as it is available in the directory.") + (filters + (list-of-filter-entries '()) + "A list of filters consisting of the name of a map to which the filter +applies and an LDAP search filter expression.") + + ;; Timing / reconnect options + (bind-timelimit + (maybe-number 'disabled) + "Specifies the time limit in seconds to use when connecting to the +directory server. The default value is 10 seconds.") + (timelimit + (maybe-number 'disabled) + "Specifies the time limit (in seconds) to wait for a response from the LDAP +server. A value of zero, which is the default, is to wait indefinitely for +searches to be completed.") + (idle-timelimit + (maybe-number 'disabled) + "Specifies the period if inactivity (in seconds) after which the con‐ +nection to the LDAP server will be closed. The default is not to time out +connections.") + (reconnect-sleeptime + (maybe-number 'disabled) + "Specifies the number of seconds to sleep when connecting to all LDAP +servers fails. By default one second is waited between the first failure and +the first retry.") + (reconnect-retrytime + (maybe-number 'disabled) + "Specifies the time after which the LDAP server is considered to be +permanently unavailable. Once this time is reached retries will be done only +once per this time period. The default value is 10 seconds.") + + ;; TLS options + (ssl + (maybe-ssl-option 'disabled) + "Specifies whether to use SSL/TLS or not (the default is not to). 
If +'start-tls is specified then StartTLS is used rather than raw LDAP over SSL.") + (tls-reqcert + (maybe-tls-reqcert-option 'disabled) + "Specifies what checks to perform on a server-supplied certificate. +The meaning of the values is described in the ldap.conf(5) manual page.") + (tls-cacertdir + (maybe-string 'disabled) + "Specifies the directory containing X.509 certificates for peer authen‐ +tication. This parameter is ignored when using GnuTLS.") + (tls-cacertfile + (maybe-string 'disabled) + "Specifies the path to the X.509 certificate for peer authentication.") + (tls-randfile + (maybe-string 'disabled) + "Specifies the path to an entropy source. This parameter is ignored when +using GnuTLS.") + (tls-ciphers + (maybe-string 'disabled) + "Specifies the ciphers to use for TLS as a string.") + (tls-cert + (maybe-string 'disabled) + "Specifies the path to the file containing the local certificate for client +TLS authentication.") + (tls-key + (maybe-string 'disabled) + "Specifies the path to the file containing the private key for client TLS +authentication.") + + ;; Other options + (pagesize + (maybe-number 'disabled) + "Set this to a number greater than 0 to request paged results from the LDAP +server in accordance with RFC2696. The default (0) is to not request paged +results.") + (nss-initgroups-ignoreusers + (maybe-ignore-users-option 'disabled) + "This option prevents group membership lookups through LDAP for the +specified users. Alternatively, the value 'all-local may be used. With that +value nslcd builds a full list of non-LDAP users on startup.") + (nss-min-uid + (maybe-number 'disabled) + "This option ensures that LDAP users with a numeric user id lower than the +specified value are ignored.") + (nss-uid-offset + (maybe-number 'disabled) + "This option specifies an offset that is added to all LDAP numeric user +ids. 
This can be used to avoid user id collisions with local users.") + (nss-gid-offset + (maybe-number 'disabled) + "This option specifies an offset that is added to all LDAP numeric group +ids. This can be used to avoid user id collisions with local groups.") + (nss-nested-groups + (maybe-boolean 'disabled) + "If this option is set, the member attribute of a group may point to +another group. Members of nested groups are also returned in the higher level +group and parent groups are returned when finding groups for a specific user. +The default is not to perform extra searches for nested groups.") + (nss-getgrent-skipmembers + (maybe-boolean 'disabled) + "If this option is set, the group member list is not retrieved when looking +up groups. Lookups for finding which groups a user belongs to will remain +functional so the user will likely still get the correct groups assigned on +login.") + (nss-disable-enumeration + (maybe-boolean 'disabled) + "If this option is set, functions which cause all user/group entries to be +loaded from the directory will not succeed in doing so. This can dramatically +reduce LDAP server load in situations where there are a great number of users +and/or groups. This option is not recommended for most configurations.") + (validnames + (maybe-string 'disabled) + "This option can be used to specify how user and group names are verified +within the system. This pattern is used to check all user and group names +that are requested and returned from LDAP.") + (ignorecase + (maybe-boolean 'disabled) + "This specifies whether or not to perform searches using case-insensitive +matching. 
Enabling this could open up the system to authorization bypass +vulnerabilities and introduce nscd cache poisoning vulnerabilities which allow +denial of service.") + (pam-authc-ppolicy + (maybe-boolean 'disabled) + "This option specifies whether password policy controls are requested and +handled from the LDAP server when performing user authentication.") + (pam-authc-search + (maybe-string 'disabled) + "By default nslcd performs an LDAP search with the user's credentials after +BIND (authentication) to ensure that the BIND operation was successful. The +default search is a simple check to see if the user's DN exists. A search +filter can be specified that will be used instead. It should return at least +one entry.") + (pam-authz-search + (maybe-string 'disabled) + "This option allows flexible fine tuning of the authorisation check that +should be performed. The search filter specified is executed and if any +entries match, access is granted, otherwise access is denied.") + (pam-password-prohibit-message + (maybe-string 'disabled) + "If this option is set password modification using pam_ldap will be denied +and the specified message will be presented to the user instead. The message +can be used to direct the user to an alternative means of changing their +password.") + + ;; Options for extension of pam-root-service-type. + (pam-services + (list '()) + "List of pam service names for which LDAP authentication should suffice.")) + +(define %nslcd-accounts + (list (user-group + (name "nslcd") + (system? #t)) + (user-account + (name "nslcd") + (group "nslcd") + (comment "NSLCD service account") + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin")) + (system? #t)))) + +(define (nslcd-config-file config) + "Return an NSLCD configuration file." + (plain-file "nslcd.conf" + (with-output-to-string + (lambda () + (serialize-configuration config nslcd-configuration-fields) + ;; The file must end with a newline character. 
+ (format #t "\n"))))) + +;; XXX: The file should only be readable by root if it contains a "bindpw" +;; declaration. Unfortunately, this etc-service-type extension does not +;; support setting file modes, so we do this in the activation service. +(define (nslcd-etc-service config) + `(("nslcd.conf" ,(nslcd-config-file config)))) + +(define (nslcd-shepherd-service config) + (list (shepherd-service + (documentation "Run the nslcd service for resolving names from LDAP.") + (provision '(nslcd)) + (requirement '(networking user-processes)) + (start #~(make-forkexec-constructor + (list (string-append #$(nslcd-configuration-nss-pam-ldapd config) + "/sbin/nslcd") + "--nofork") + #:pid-file "/var/run/nslcd/nslcd.pid" + #:environment-variables + (list (string-append "LD_LIBRARY_PATH=" + #$(nslcd-configuration-nss-pam-ldapd config) + "/lib")))) + (stop #~(make-kill-destructor))))) + +(define (pam-ldap-pam-service config) + "Return a PAM service for LDAP authentication." + (define pam-ldap-module + #~(string-append #$(nslcd-configuration-nss-pam-ldapd config) + "/lib/security/pam_ldap.so")) + (lambda (pam) + (if (member (pam-service-name pam) + (nslcd-configuration-pam-services config)) + (let ((sufficient + (pam-entry + (control "sufficient") + (module pam-ldap-module)))) + (pam-service + (inherit pam) + (auth (cons sufficient (pam-service-auth pam))) + (session (cons sufficient (pam-service-session pam))) + (account (cons sufficient (pam-service-account pam))))) + pam))) + +(define (pam-ldap-pam-services config) + (list (pam-ldap-pam-service config))) + +(define nslcd-service-type + (service-type + (name 'nslcd) + (description "Run the NSLCD service for looking up names from LDAP.") + (extensions + (list (service-extension account-service-type + (const %nslcd-accounts)) + (service-extension etc-service-type + nslcd-etc-service) + (service-extension activation-service-type + (const #~(begin + (use-modules (guix build utils)) + (let ((rundir "/var/run/nslcd") + (user 
(getpwnam "nslcd"))) + (mkdir-p rundir) + (chown rundir (passwd:uid user) (passwd:gid user)) + (chmod rundir #o755) + (when (file-exists? "/etc/nslcd.conf") + (chmod "/etc/nslcd.conf" #o400)))))) + (service-extension pam-root-service-type + pam-ldap-pam-services) + (service-extension nscd-service-type + (const (list nss-pam-ldapd))) + (service-extension shepherd-root-service-type + nslcd-shepherd-service))) + (default-value (nslcd-configuration)))) + +(define (generate-nslcd-documentation) + (generate-documentation + `((nslcd-configuration ,nslcd-configuration-fields)) + 'nslcd-configuration)) diff --git a/gnu/tests/ldap.scm b/gnu/tests/ldap.scm new file mode 100644 index 0000000000..2d4f15fb3c --- /dev/null +++ b/gnu/tests/ldap.scm 
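Review bot: `bindpw` and `rootpwmodpw` are written by `nslcd-config-file` into a `plain-file`, so the bind credentials become part of a store item, and the `(chmod "/etc/nslcd.conf" #o400)` in the activation extension does not change that. As far as I can tell the entry created through `etc-service-type` is a symlink into the store, so the chmod either acts on the store item or fails, and the content stays readable to every local user under its store path; this is worth confirming on a running system. Until the file is generated outside the store at activation time, I would extend the XXX comment above `nslcd-etc-service` and the two docstrings with a sentence such as `The value ends up in the store, which all local users can read; bind with a dedicated account that has read-only access.` The whole definition is inside this hunk, so the point covers `nslcd-config-file`, `nslcd-etc-service` and the activation snippet together.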
@@ -0,0 +1,160 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2019 Ricardo Wurmus +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (gnu tests ldap) + #:use-module (gnu tests) + #:use-module (gnu system) + #:use-module (gnu system nss) + #:use-module (gnu system vm) + #:use-module (gnu services) + #:use-module (gnu services authentication) + #:use-module (gnu services networking) + #:use-module (gnu packages base) + #:use-module (gnu packages openldap) + #:use-module (guix gexp) + #:use-module (guix store) + #:export (%test-ldap)) + +(define %ldap-os + (let ((simple + (simple-operating-system + (service dhcp-client-service-type) + (service nslcd-service-type)))) + (operating-system + (inherit simple) + (name-service-switch + (let ((services (list (name-service (name "db")) + (name-service (name "files")) + (name-service (name "ldap"))))) + (name-service-switch + (inherit %mdns-host-lookup-nss) + (password services) + (shadow services) + (group services) + (netgroup services) + (gshadow services))))))) + +(define (run-ldap-test) + "Run tests in %LDAP-OS." 
+ (define os + (marionette-operating-system + %ldap-os + #:imported-modules '((gnu services herd) + (guix combinators)))) + + (define vm + (virtual-machine os)) + + (define test + (with-imported-modules '((gnu build marionette)) + #~(begin + (use-modules (srfi srfi-11) (srfi srfi-64) + (gnu build marionette)) + + (define marionette + (make-marionette (list #$vm))) + + (mkdir #$output) + (chdir #$output) + + (test-begin "ldap") + + ;; Set up LDAP directory server + (test-assert "LDAP server instance running" + (marionette-eval + '(begin + (with-output-to-file "instance.inf" + (lambda () + (display "[general] +config_version = 2 + +\n[slapd] +root_password = SECRET +user = root +group = root + +\n[backend-userroot] +sample_entries = yes +suffix = dc=example,dc=com"))) + (and + ;; Create instance + (zero? (system* #$(file-append 389-ds-base "/sbin/dscreate") + "-v" "from-file" "instance.inf")) + ;; Start instance + (zero? (system* #$(file-append 389-ds-base "/sbin/dsctl") + "localhost" "start")) + ;; Create user account + (zero? (system* #$(file-append 389-ds-base "/sbin/dsidm") + "-b" "dc=example,dc=com" + "localhost" "user" "create" + "--uid" "eva" "--cn" "Eva Lu Ator" + "--displayName" "Eva Lu Ator" + "--uidNumber" "1234" "--gidNumber" "2345" + "--homeDirectory" "/home/eva")))) + marionette)) + + (test-assert "Manager can bind to LDAP server instance" + (marionette-eval + '(zero? (system* #$(file-append openldap "/bin/ldapwhoami") + "-H" "ldap://localhost" "-D" + "cn=Directory Manager" "-w" "SECRET")) + marionette)) + + ;; Wait for nslcd to be up and running. + (test-assert "nslcd service running" + (marionette-eval + '(begin + (use-modules (gnu services herd)) + (match (start-service 'nslcd) + (#f #f) + (('service response-parts ...) + (match (assq-ref response-parts 'running) + ((pid) (number? pid)))))) + marionette)) + + (test-assert "nslcd produces a log file" + (marionette-eval + '(file-exists? 
"/var/log/nslcd") + marionette)) + + (test-assert "Can query LDAP user accounts" + (marionette-eval + '(begin + ;; TODO: This shouldn't be necessary, but unfortunately it + ;; really is needed to discover LDAP accounts with "id". + (setenv "LD_LIBRARY_PATH" + #$(file-append nss-pam-ldapd "/lib")) + (zero? (system* #$(file-append coreutils "/bin/id") "eva"))) + marionette)) + + (test-assert "Can become LDAP user" + (marionette-eval + '(zero? (system* "/run/setuid-programs/su" "eva" "-c" + #$(file-append coreutils "/bin/true"))) + marionette)) + + (test-end) + (exit (= (test-runner-fail-count (test-runner-current)) 0))))) + + (gexp->derivation "ldap-test" test)) + +(define %test-ldap + (system-test + (name "ldap") + (description "Run an LDAP directory server and authenticate against it.") + (value (run-ldap-test)))) -- cgit v1.2.3 From 8b672b2c48164c78731ae142ae4761d91666bdec Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Mon, 18 Mar 2019 21:39:12 -0400 Subject: gnu: blender: Restore version 2.79b for systems without OpenGL 3. Fixes . * gnu/packages/graphics.scm (blender-2.79): New variable. (blender)[description]: Remove obsolete claim that the stable release no longer works in Guix. * gnu/packages/patches/blender-2.79-newer-ffmpeg.patch, gnu/packages/patches/blender-2.79-python-3.7-fix.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. --- gnu/local.mk | 2 + gnu/packages/graphics.scm | 93 +++++++++++++++++++++- .../patches/blender-2.79-newer-ffmpeg.patch | 80 +++++++++++++++++++ .../patches/blender-2.79-python-3.7-fix.patch | 43 ++++++++++ 4 files changed, 216 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/blender-2.79-newer-ffmpeg.patch create mode 100644 gnu/packages/patches/blender-2.79-python-3.7-fix.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index a5a2f11538..c9c7378f02 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
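Review bot: None of the assertions checks the access mode of the generated configuration, although the service added in the same commit relies on an activation step to make `/etc/nslcd.conf` readable by root only. A `test-assert` placed after "nslcd service running" that evaluates `(zero? (logand #o077 (stat:perms (stat "/etc/nslcd.conf"))))` in the guest would pin that behaviour and show whether the chmod takes effect on the file nslcd actually reads. `stat` follows symlinks, so the check also covers the case where the `/etc` entry points at another file.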
@@ -672,6 +672,8 @@ dist_patch_DATA = \ %D%/packages/patches/beignet-correct-file-names.patch \ %D%/packages/patches/biber-fix-encoding-write.patch \ %D%/packages/patches/binutils-loongson-workaround.patch \ + %D%/packages/patches/blender-2.79-newer-ffmpeg.patch \ + %D%/packages/patches/blender-2.79-python-3.7-fix.patch \ %D%/packages/patches/boost-fix-icu-build.patch \ %D%/packages/patches/byobu-writable-status.patch \ %D%/packages/patches/calibre-no-updates-dialog.patch \ diff --git a/gnu/packages/graphics.scm b/gnu/packages/graphics.scm index bf4cc89b08..11158bdfd1 100644 --- a/gnu/packages/graphics.scm +++ b/gnu/packages/graphics.scm @@ -11,6 +11,7 @@ ;;; Copyright © 2018 Mathieu Othacehe ;;; Copyright © 2018 Alex Kost ;;; Copyright © 2018 Kei Kebreau +;;; Copyright © 2019 Mark H Weaver ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -165,10 +166,98 @@ the 3D pipeline—modeling, rigging, animation, simulation, rendering, compositing and motion tracking, even video editing and game creation. The application can be customized via its API for Python scripting. -WARNING: This package offers a beta build of Blender, because the stable release -no longer works in Guix. See @uref{https://issues.guix.info/issue/33882}.") +WARNING: This is a beta build of Blender.") (license license:gpl2+)))) +(define-public blender-2.79 + (package + (name "blender") + (version "2.79b") + (source (origin + (method url-fetch) + (uri (string-append "https://download.blender.org/source/" + "blender-" version ".tar.gz")) + (sha256 + (base32 + "1g4kcdqmf67srzhi3hkdnr4z1ph4h9sza1pahz38mrj998q4r52c")) + (patches (search-patches "blender-2.79-newer-ffmpeg.patch" + "blender-2.79-python-3.7-fix.patch")))) + (build-system cmake-build-system) + (arguments + (let ((python-version (version-major+minor (package-version python)))) + `(;; Test files are very large and not included in the release tarball. + #:tests? #f + #:configure-flags + (list "-DWITH_CODEC_FFMPEG=ON" + "-DWITH_CODEC_SNDFILE=ON" + "-DWITH_CYCLES=ON" + "-DWITH_DOC_MANPAGE=ON" + "-DWITH_FFTW3=ON" + "-DWITH_GAMEENGINE=ON" + "-DWITH_IMAGE_OPENJPEG=ON" + "-DWITH_INPUT_NDOF=ON" + "-DWITH_INSTALL_PORTABLE=OFF" + "-DWITH_JACK=ON" + "-DWITH_MOD_OCEANSIM=ON" + "-DWITH_PLAYER=ON" + "-DWITH_PYTHON_INSTALL=OFF" + "-DWITH_PYTHON_INSTALL=OFF" + "-DWITH_SYSTEM_OPENJPEG=ON" + (string-append "-DPYTHON_LIBRARY=python" ,python-version "m") + (string-append "-DPYTHON_LIBPATH=" (assoc-ref %build-inputs "python") + "/lib") + (string-append "-DPYTHON_INCLUDE_DIR=" (assoc-ref %build-inputs "python") + "/include/python" ,python-version "m") + (string-append "-DPYTHON_VERSION=" ,python-version)) + #:phases + (modify-phases %standard-phases + (add-after 'unpack 'fix-broken-import + (lambda _ + (substitute* "release/scripts/addons/io_scene_fbx/json2fbx.py" + (("import encode_bin") "from . 
import encode_bin")) + #t)) + (add-after 'set-paths 'add-ilmbase-include-path + (lambda* (#:key inputs #:allow-other-keys) + ;; OpenEXR propagates ilmbase, but its include files do not appear + ;; in the CPATH, so we need to add "$ilmbase/include/OpenEXR/" to + ;; the CPATH to satisfy the dependency on "half.h". + (setenv "CPATH" + (string-append (assoc-ref inputs "ilmbase") + "/include/OpenEXR" + ":" (or (getenv "CPATH") ""))) + #t)))))) + (inputs + `(("boost" ,boost) + ("jemalloc" ,jemalloc) + ("libx11" ,libx11) + ("openimageio" ,openimageio) + ("openexr" ,openexr) + ("ilmbase" ,ilmbase) + ("openjpeg" ,openjpeg-1) + ("libjpeg" ,libjpeg) + ("libpng" ,libpng) + ("libtiff" ,libtiff) + ("ffmpeg" ,ffmpeg) + ("fftw" ,fftw) + ("jack" ,jack-1) + ("libsndfile" ,libsndfile) + ("freetype" ,freetype) + ("glew" ,glew) + ("openal" ,openal) + ("python" ,python) + ("zlib" ,zlib))) + (home-page "https://blender.org/") + (synopsis "3D graphics creation suite") + (description + "Blender is a 3D graphics creation suite. It supports the entirety of +the 3D pipeline—modeling, rigging, animation, simulation, rendering, +compositing and motion tracking, even video editing and game creation. The +application can be customized via its API for Python scripting. + +NOTE: This older version of Blender is the last release that does not require +OpenGL 3. It is retained for use with older computers.") + (license license:gpl2+))) + (define-public assimp (package (name "assimp") diff --git a/gnu/packages/patches/blender-2.79-newer-ffmpeg.patch b/gnu/packages/patches/blender-2.79-newer-ffmpeg.patch new file mode 100644 index 0000000000..363489bc70 --- /dev/null +++ b/gnu/packages/patches/blender-2.79-newer-ffmpeg.patch 
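Review bot: `"-DWITH_PYTHON_INSTALL=OFF"` is listed twice in a row in the `#:configure-flags` of `blender-2.79`; one of the two entries should go. The repetition does not change the build, but it reads like a copy-and-paste slip, so it is worth checking whether the second entry was meant to be a different option. The package definition lies entirely inside this hunk.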
@@ -0,0 +1,80 @@ +https://sources.debian.org/data/main/b/blender/2.79.b+dfsg0-4/debian/patches/0008-fix_building_with_latest_versions_of_FFmpeg.patch + +From: Bastien Montagne +Date: Tue, 8 May 2018 16:00:52 +0200 +Subject: fix_building_with_latest_versions_of_FFmpeg + +Some years-old deprecated stuff has now been removed. + +Correct solution is probably to use valid defines etc. in own code, but +this is more FFMEPG maintainer task (since it also may change how old +FFMPEG we do support...). +--- + intern/ffmpeg/ffmpeg_compat.h | 39 ++++++++++++++++++++++++++ + source/blender/blenkernel/intern/writeffmpeg.c | 3 +- + 2 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/intern/ffmpeg/ffmpeg_compat.h b/intern/ffmpeg/ffmpeg_compat.h +index 9c06c8a..f7f437c 100644 +--- a/intern/ffmpeg/ffmpeg_compat.h ++++ b/intern/ffmpeg/ffmpeg_compat.h +@@ -109,6 +109,45 @@ int av_sample_fmt_is_planar(enum AVSampleFormat sample_fmt) + + #endif + ++/* XXX TODO Probably fix to correct modern flags in code? Not sure how old FFMPEG we want to support though, ++ * so for now this will do. 
*/ ++ ++#ifndef FF_MIN_BUFFER_SIZE ++# ifdef AV_INPUT_BUFFER_MIN_SIZE ++# define FF_MIN_BUFFER_SIZE AV_INPUT_BUFFER_MIN_SIZE ++# endif ++#endif ++ ++#ifndef FF_INPUT_BUFFER_PADDING_SIZE ++# ifdef AV_INPUT_BUFFER_PADDING_SIZE ++# define FF_INPUT_BUFFER_PADDING_SIZE AV_INPUT_BUFFER_PADDING_SIZE ++# endif ++#endif ++ ++#ifndef CODEC_FLAG_GLOBAL_HEADER ++# ifdef AV_CODEC_FLAG_GLOBAL_HEADER ++# define CODEC_FLAG_GLOBAL_HEADER AV_CODEC_FLAG_GLOBAL_HEADER ++# endif ++#endif ++ ++#ifndef CODEC_FLAG_GLOBAL_HEADER ++# ifdef AV_CODEC_FLAG_GLOBAL_HEADER ++# define CODEC_FLAG_GLOBAL_HEADER AV_CODEC_FLAG_GLOBAL_HEADER ++# endif ++#endif ++ ++#ifndef CODEC_FLAG_INTERLACED_DCT ++# ifdef AV_CODEC_FLAG_INTERLACED_DCT ++# define CODEC_FLAG_INTERLACED_DCT AV_CODEC_FLAG_INTERLACED_DCT ++# endif ++#endif ++ ++#ifndef CODEC_FLAG_INTERLACED_ME ++# ifdef AV_CODEC_FLAG_INTERLACED_ME ++# define CODEC_FLAG_INTERLACED_ME AV_CODEC_FLAG_INTERLACED_ME ++# endif ++#endif ++ + /* FFmpeg upstream 1.0 is the first who added AV_ prefix. */ + #if LIBAVCODEC_VERSION_INT < AV_VERSION_INT(54, 59, 100) + # define AV_CODEC_ID_NONE CODEC_ID_NONE +diff --git a/source/blender/blenkernel/intern/writeffmpeg.c b/source/blender/blenkernel/intern/writeffmpeg.c +index a19e414..04d508a 100644 +--- a/source/blender/blenkernel/intern/writeffmpeg.c ++++ b/source/blender/blenkernel/intern/writeffmpeg.c +@@ -605,7 +605,8 @@ static AVStream *alloc_video_stream(FFMpegContext *context, RenderData *rd, int + c->rc_buffer_aggressivity = 1.0; + #endif + +- c->me_method = ME_EPZS; ++ /* Deprecated and not doing anything since July 2015, deleted in recent ffmpeg */ ++ //c->me_method = ME_EPZS; + + codec = avcodec_find_encoder(c->codec_id); + if (!codec) diff --git a/gnu/packages/patches/blender-2.79-python-3.7-fix.patch b/gnu/packages/patches/blender-2.79-python-3.7-fix.patch new file mode 100644 index 0000000000..fd1d8ba437 --- /dev/null +++ b/gnu/packages/patches/blender-2.79-python-3.7-fix.patch 
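Review bot: The `CODEC_FLAG_GLOBAL_HEADER` fallback block in the `ffmpeg_compat.h` part of this patch appears twice, back to back and identical. The second copy is dead because the first already defines the macro, so one can go; if the file is deliberately kept byte-identical to the Debian original, a line in the patch header saying so would help. Each fallback defines the old name only when the `AV_`-prefixed one exists, so against an FFmpeg that provides neither, the build still fails at the first use with an undeclared identifier rather than at a clear `#error`. In `writeffmpeg.c` the assignment is left behind as commented-out code, `//c->me_method = ME_EPZS;`; removing the line and keeping only the explanatory comment would read cleaner.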
@@ -0,0 +1,43 @@ +Copied from https://git.blender.org/gitweb/gitweb.cgi/blender.git/patch/1db47a2ccd1e68994bf8140eba6cc2a26a2bc91f +Fixes . + +From 1db47a2ccd1e68994bf8140eba6cc2a26a2bc91f Mon Sep 17 00:00:00 2001 +From: Campbell Barton +Date: Thu, 12 Jul 2018 08:28:06 +0200 +Subject: [PATCH] Fix PyRNA class registration w/ Python 3.7 + +In Python3.7 this now raises an error. +--- + source/blender/python/intern/bpy_rna.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/source/blender/python/intern/bpy_rna.c b/source/blender/python/intern/bpy_rna.c +index 9052b6f580a..80b0aa7a51b 100644 +--- a/source/blender/python/intern/bpy_rna.c ++++ b/source/blender/python/intern/bpy_rna.c +@@ -7577,10 +7577,12 @@ static int bpy_class_validate_recursive(PointerRNA *dummyptr, StructRNA *srna, v + if (!(flag & PROP_REGISTER)) + continue; + ++ /* TODO(campbell): Use Python3.7x _PyObject_LookupAttr(), also in the macro below. */ + identifier = RNA_property_identifier(prop); + item = PyObject_GetAttrString(py_class, identifier); + + if (item == NULL) { ++ PyErr_Clear(); + /* Sneaky workaround to use the class name as the bl_idname */ + + #define BPY_REPLACEMENT_STRING(rna_attr, py_attr) \ +@@ -7596,6 +7598,9 @@ static int bpy_class_validate_recursive(PointerRNA *dummyptr, StructRNA *srna, v + } \ + Py_DECREF(item); \ + } \ ++ else { \ ++ PyErr_Clear(); \ ++ } \ + } /* intentionally allow else here */ + + if (false) {} /* needed for macro */ +-- +2.20.1 + -- cgit v1.2.3 From c11f86ff164b750151645caae9cdecca3570d876 Mon Sep 17 00:00:00 2001 
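Review bot: Both added `PyErr_Clear()` calls in `bpy_class_validate_recursive` discard whatever exception `PyObject_GetAttrString` left pending, not only the missing-attribute case the fallback is written for. An error of another kind raised during the lookup (for instance an allocation failure) would be dropped silently and the class treated as simply lacking the attribute. Clearing only when `PyErr_ExceptionMatches(PyExc_AttributeError)` holds, and propagating anything else, would keep real failures visible, e.g. `if (!PyErr_ExceptionMatches(PyExc_AttributeError)) return -1;` ahead of `PyErr_Clear();`. The `-1` is an assumption about this function's error convention, since its body starts and ends outside the hunk. The second call sits inside the `BPY_REPLACEMENT_STRING` macro and needs the same guard.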
From: Marius Bakke Date: Mon, 18 Mar 2019 13:49:44 +0100 Subject: gnu: libgit2: Update to 0.28.1. * gnu/packages/patches/libgit2-oom-test.patch: Delete file. * gnu/local.mk (dist_patch_DATA): Remove it. * gnu/packages/version-control.scm (libgit2): Update to 0.28.1. [source](patches): Remove 'libgit2-oom-test.patch'. --- gnu/local.mk | 1 - gnu/packages/patches/libgit2-oom-test.patch | 62 ----------------------------- gnu/packages/version-control.scm | 7 ++-- 3 files changed, 3 insertions(+), 67 deletions(-) delete mode 100644 gnu/packages/patches/libgit2-oom-test.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index c9c7378f02..c0b7478635 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -972,7 +972,6 @@ dist_patch_DATA = \ %D%/packages/patches/libexif-CVE-2017-7544.patch \ %D%/packages/patches/libgcrypt-make-yat2m-reproducible.patch \ %D%/packages/patches/libgit2-mtime-0.patch \ - %D%/packages/patches/libgit2-oom-test.patch \ %D%/packages/patches/libgdata-fix-tests.patch \ %D%/packages/patches/libgdata-glib-duplicate-tests.patch \ %D%/packages/patches/libgnome-encoding.patch \ diff --git a/gnu/packages/patches/libgit2-oom-test.patch b/gnu/packages/patches/libgit2-oom-test.patch deleted file mode 100644 index 9667d1c0da..0000000000 --- a/gnu/packages/patches/libgit2-oom-test.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -Fix a test failure on 32-bit platforms as reported -at . - -From 415a8ae9c9b6ac18f0524b6af8e58408b426457d Mon Sep 17 00:00:00 2001 -From: Edward Thomson -Date: Thu, 13 Sep 2018 13:27:07 +0100 -Subject: [PATCH] tests: don't run buf::oom on 32-bit systems - -On a 32-bit Linux systems, the value large enough to make malloc -guarantee a failure is also large enough that valgrind considers it -"fishy". Skip this test on those systems entirely. ---- - tests/buf/oom.c | 14 +++++++++----- - 1 file changed, 9 insertions(+), 5 deletions(-) - -diff --git a/tests/buf/oom.c b/tests/buf/oom.c -index 2741a8ddf2..ec3bad9979 100644 ---- a/tests/buf/oom.c -+++ b/tests/buf/oom.c -@@ -11,12 +11,8 @@ - */ - #if defined(GIT_ARCH_64) && defined(__linux__) - # define TOOBIG 0x0fffffffffffffff --#elif defined(__linux__) --# define TOOBIG 0x0fffffff - #elif defined(GIT_ARCH_64) - # define TOOBIG 0xffffffffffffff00 --#else --# define TOOBIG 0xffffff00 - #endif - - /** -@@ -25,13 +21,18 @@ - * will fail. And because the git_buf_grow() wrapper always - * sets mark_oom, the code in git_buf_try_grow() will free - * the internal buffer and set it to git_buf__oom. -- * -+ * - * We initialized the internal buffer to (the static variable) - * git_buf__initbuf. The purpose of this test is to make sure - * that we don't try to free the static buffer. -+ * -+ * Skip this test entirely on 32-bit platforms; a buffer large enough -+ * to guarantee malloc failures is so large that valgrind considers -+ * it likely to be an error. - */ - void test_buf_oom__grow(void) - { -+#ifdef GIT_ARCH_64 - git_buf buf = GIT_BUF_INIT; - - git_buf_clear(&buf); -@@ -40,6 +41,9 @@ void test_buf_oom__grow(void) - cl_assert(git_buf_oom(&buf)); - - git_buf_free(&buf); -+#else -+ cl_skip(); -+#endif - } - - void test_buf_oom__grow_by(void) diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm index d750863f30..385ebeadc9 100644 --- a/gnu/packages/version-control.scm 
+++ b/gnu/packages/version-control.scm @@ -526,7 +526,7 @@ everything from small to very large projects with speed and efficiency.") (define-public libgit2 (package (name "libgit2") - (version "0.27.7") + (version "0.28.1") (source (origin (method url-fetch) (uri (string-append "https://github.com/libgit2/libgit2/" @@ -534,9 +534,8 @@ everything from small to very large projects with speed and efficiency.") (file-name (string-append name "-" version ".tar.gz")) (sha256 (base32 - "0c95pbv7hwclwmn51nqnh1lb0cajpcdb24pbdzcir6vmhfj3am0s")) - (patches (search-patches "libgit2-mtime-0.patch" - "libgit2-oom-test.patch")) + "0swk2dyq5a4p1jn5wvbcsrxckhh808vifxz5y8w663avg541188c")) + (patches (search-patches "libgit2-mtime-0.patch")) ;; Remove bundled software. (snippet '(begin -- cgit v1.2.3 From 2f87048dbe14097b9fe19ec470e2628cfca7fdbf Mon Sep 17 00:00:00 2001 From: Robert Smith Date: Mon, 18 Mar 2019 15:05:18 +0100 Subject: gnu: elixir: Update to 1.8.1. * gnu/packages/elixir.scm (elixir): Update to 1.8.1. [source](patches): New field. [home-page]: Use HTTPS. * gnu/packages/patches/elixir-path-length.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. Signed-off-by: Marius Bakke --- gnu/local.mk | 1 + gnu/packages/elixir.scm | 7 ++++--- gnu/packages/patches/elixir-path-length.patch | 15 +++++++++++++++ 3 files changed, 20 insertions(+), 3 deletions(-) create mode 100644 gnu/packages/patches/elixir-path-length.patch (limited to 'gnu/local.mk') diff --git a/gnu/local.mk b/gnu/local.mk index c0b7478635..b3c54a752a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -732,6 +732,7 @@ dist_patch_DATA = \ %D%/packages/patches/dvd+rw-tools-add-include.patch \ %D%/packages/patches/efl-mesa-compat.patch \ %D%/packages/patches/elfutils-tests-ptrace.patch \ + %D%/packages/patches/elixir-path-length.patch \ %D%/packages/patches/einstein-build.patch \ %D%/packages/patches/emacs-exec-path.patch \ %D%/packages/patches/emacs-fix-scheme-indent-function.patch \ 
diff --git a/gnu/packages/elixir.scm b/gnu/packages/elixir.scm index 29c7ee966f..9763c7a22b 100644 --- a/gnu/packages/elixir.scm +++ b/gnu/packages/elixir.scm @@ -33,7 +33,7 @@ (define-public elixir (package (name "elixir") - (version "1.6.6") + (version "1.8.1") (source (origin (method url-fetch) (uri (string-append "https://github.com/elixir-lang/elixir" @@ -41,7 +41,8 @@ (file-name (string-append name "-" version ".tar.gz")) (sha256 (base32 - "0c9qz5hasa59a9x1iwpcqpqj6wdbzpijfxqfmzimwj5z8q37nl3l")))) + "08lq5p82pnicd49gsj6r2zsbg35wrk6098nrrjb28fcrm5p6736y")) + (patches (search-patches "elixir-path-length.patch")))) (build-system gnu-build-system) (arguments `(#:test-target "test" @@ -84,7 +85,7 @@ (inputs `(("erlang" ,erlang) ("git" ,git))) - (home-page "http://elixir-lang.org/") + (home-page "https://elixir-lang.org/") (synopsis "Elixir programming language") (description "Elixir is a dynamic, functional language used to build scalable and maintainable applications. Elixir leverages the Erlang VM, known diff --git a/gnu/packages/patches/elixir-path-length.patch b/gnu/packages/patches/elixir-path-length.patch new file mode 100644 index 0000000000..aa8bf38829 --- /dev/null +++ b/gnu/packages/patches/elixir-path-length.patch @@ -0,0 +1,15 @@ +In the package definition the call to the command 'git' is substituted with +the full path to the git executable. This change causes the mix formatting tool +to complain that the line is too long. This workaround reformats the file +after the substitution is made. + +--- a/Makefile ++++ b/Makefile +@@ -213,6 +213,7 @@ + TEST_ERLS = $(addprefix $(TEST_EBIN)/, $(addsuffix .beam, $(basename $(notdir $(wildcard $(TEST_ERL)/*.erl))))) + + test_formatted: compile ++ bin/elixir bin/mix format lib/mix/lib/mix/scm/git.ex + bin/elixir bin/mix format --check-formatted + + test_erlang: compile $(TEST_ERLS) -- cgit v1.2.3