From 00d732195812234f578a9513b32010fbe6469cd1 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Tue, 15 Oct 2019 12:24:09 +0200 Subject: offload: Set a longer SSH session timeout. Fixes . * guix/scripts/offload.scm (open-ssh-session): Add 'max-silent-time' parameter. Add call to 'session-set!' before returning SESSION. (transfer-and-offload): Pass MAX-SILENT-TIME to 'open-ssh-session'. (%short-timeout): New variable. (choose-build-machine): Pass %SHORT-TIMEOUT to 'open-ssh-session'. (check-machine-availability): Likewise. (check-machine-status): Likewise. --- guix/scripts/offload.scm | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) (limited to 'guix') diff --git a/guix/scripts/offload.scm b/guix/scripts/offload.scm index bb307cefd1..1384f6b41d 100644 --- a/guix/scripts/offload.scm +++ b/guix/scripts/offload.scm @@ -174,7 +174,7 @@ can interpret meaningfully." private key from '~a': ~a") file str)))))))) -(define (open-ssh-session machine) +(define* (open-ssh-session machine #:optional (max-silent-time -1)) "Open an SSH session for MACHINE and return it. Throw an error on failure." (let ((private (private-key-from-file* (build-machine-private-key machine))) (public (public-key-from-file @@ -183,7 +183,7 @@ private key from '~a': ~a") (session (make-session #:user (build-machine-user machine) #:host (build-machine-name machine) #:port (build-machine-port machine) - #:timeout 10 ;seconds + #:timeout 10 ;initial timeout (seconds) ;; #:log-verbosity 'protocol #:identity (build-machine-private-key machine) @@ -225,6 +225,10 @@ instead of '~a' of type '~a'~%") (leave (G_ "SSH public key authentication failed for '~a': ~a~%") (build-machine-name machine) (get-error session)))) + ;; From then on use MAX-SILENT-TIME as the absolute timeout when + ;; reading from or write to a channel for this session. + (session-set! session 'timeout max-silent-time) + session) (x ;; Connection failed or timeout expired. 
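Review bot: The docstring of `open-ssh-session` is unchanged and does not mention the new MAX-SILENT-TIME parameter, even though the value is later installed as the session's I/O timeout via `session-set!`. I would add a sentence such as `MAX-SILENT-TIME is installed, after authentication, as the timeout in seconds for reads from and writes to this session's channels.` and state what the default of -1 means, which the hunk does not show (presumably "no timeout" or the libssh default; worth confirming against guile-ssh's 'timeout option before documenting it).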
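Review bot: The new comment above `session-set!` reads "when reading from or write to a channel"; `;; reading from or writing to a channel for this session.` fixes the agreement. The word "absolute" is also worth reconsidering: the commit message describes a per-operation silence timeout rather than an overall deadline for the session, so "as the timeout for each read from or write to a channel" would be more precise if that is the intended semantics. The enclosing `match` form continues outside the hunk.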
@@ -313,7 +317,7 @@ hook." INPUTS to MACHINE; if building DRV succeeds, retrieve all of OUTPUTS from MACHINE." (define session - (open-ssh-session machine)) + (open-ssh-session machine max-silent-time)) (define store (connect-to-remote-daemon session @@ -472,7 +476,8 @@ slot (which must later be released with 'release-build-slot'), or #f and #f." ;; Return the best machine unless it's already overloaded. ;; Note: We call 'node-load' only as a last resort because it is ;; too costly to call it once for every machine. - (let* ((session (false-if-exception (open-ssh-session best))) + (let* ((session (false-if-exception (open-ssh-session best + %short-timeout))) (node (and session (remote-inferior session))) (load (and node (normalized-load best (node-load node)))) (space (and node (node-free-disk-space node)))) @@ -573,6 +578,11 @@ If TIMEOUT is #f, simply evaluate EXP..." ;;; Installation tests. ;;; +(define %short-timeout + ;; Timeout in seconds used on SSH connections where reads and writes + ;; shouldn't take long. + 15) + (define (assert-node-repl node name) "Bail out if NODE is not running Guile." (match (node-guile-version node) @@ -658,7 +668,7 @@ machine." (length machines) machine-file) (let* ((names (map build-machine-name machines)) (sockets (map build-machine-daemon-socket machines)) - (sessions (map open-ssh-session machines)) + (sessions (map (cut open-ssh-session <> %short-timeout) machines)) (nodes (map remote-inferior sessions))) (for-each assert-node-has-guix nodes names) (for-each assert-node-repl nodes names) @@ -682,7 +692,7 @@ machine." (length machines) machine-file) (for-each (lambda (machine) (define session - (open-ssh-session machine)) + (open-ssh-session machine %short-timeout)) (match (remote-inferior session) (#f -- cgit v1.2.3 From 81c5873ab7405de8d6c2f6024f05a5afe43fe005 Mon Sep 17 00:00:00 2001 
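Review bot: `%short-timeout` is introduced under the ";;; Installation tests." section header (hunk @@ -573), yet its first use is in `choose-build-machine` (hunk @@ -472), which is scheduling code rather than an installation test; a top-level forward reference inside a procedure body works in Guile, but a reader of `choose-build-machine` has to hunt for the definition. I would move it next to `open-ssh-session`, where the `#:timeout 10` connection timeout already lives, so the two timeout values are documented together. Its comment could also say what it is for: `;; Short timeout (in seconds) for sessions that only probe a machine's load, status, or setup.`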
From: Ludovic Courtès Date: Tue, 15 Oct 2019 12:33:46 +0200 Subject: ssh: Add a longer SSH timeout by default. * guix/ssh.scm (open-ssh-session): Add #:timeout parameter, and add call to 'session-set!' to honor it. --- guix/ssh.scm | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) (limited to 'guix') diff --git a/guix/ssh.scm b/guix/ssh.scm index b6b55bdfcb..5fd3c280e8 100644 --- a/guix/ssh.scm +++ b/guix/ssh.scm @@ -61,11 +61,16 @@ "zlib@openssh.com,zlib") (define* (open-ssh-session host #:key user port identity - (compression %compression)) + (compression %compression) + (timeout 3600)) "Open an SSH session for HOST and return it. IDENTITY specifies the file name of a private key to use for authenticating with the host. When USER, PORT, or IDENTITY are #f, use default values or whatever '~/.ssh/config' -specifies; otherwise use them. Throw an error on failure." +specifies; otherwise use them. Install TIMEOUT as the maximum time in seconds +after which a read or write operation on a channel of the returned session is +considered as failing. + +Throw an error on failure." (let ((session (make-session #:user user #:identity identity #:host host @@ -86,6 +91,7 @@ specifies; otherwise use them. Throw an error on failure." ;; Use public key authentication, via the SSH agent if it's available. (match (userauth-public-key/auto! session) ('success + (session-set! session 'timeout timeout) session) (x (disconnect! session) -- cgit v1.2.3 From f0428c18f85692f11ddd28fc12e949c420e971c9 Mon Sep 17 00:00:00 2001 
From: Christopher Baines Date: Wed, 2 Oct 2019 19:12:38 +0100 Subject: inferior: Allow controlling the inferior error port. Previously, stderr for the inferior process would always be sent to /dev/null because the current-output-port when the process is launched is a void port. This change means that it's possible to pass in a different port to use. * guix/inferior.scm (inferior-pipe): Take the error-port as an argument. (open-inferior): Add new error-port keyword argument, with a default of (%make-void-port "w"). --- guix/inferior.scm | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'guix') diff --git a/guix/inferior.scm b/guix/inferior.scm index d6d2053ab8..eecdbdd5ca 100644 --- a/guix/inferior.scm +++ b/guix/inferior.scm @@ -110,11 +110,11 @@ (packages inferior-package-promise) ;promise of inferior packages (table inferior-package-table)) ;promise of vhash -(define (inferior-pipe directory command) +(define* (inferior-pipe directory command error-port) "Return an input/output pipe on the Guix instance in DIRECTORY. This runs 'DIRECTORY/COMMAND repl' if it exists, or falls back to some other method if it's an old Guix." - (let ((pipe (with-error-to-port (%make-void-port "w") + (let ((pipe (with-error-to-port error-port (lambda () (open-pipe* OPEN_BOTH (string-append directory "/" command) @@ -161,11 +161,13 @@ inferior." (_ #f))) -(define* (open-inferior directory #:key (command "bin/guix")) +(define* (open-inferior directory + #:key (command "bin/guix") + (error-port (%make-void-port "w"))) "Open the inferior Guix in DIRECTORY, running 'DIRECTORY/COMMAND repl' or equivalent. Return #f if the inferior could not be launched." (define pipe - (inferior-pipe directory command)) + (inferior-pipe directory command error-port)) (port->inferior pipe close-pipe)) -- cgit v1.2.3 From ef0c265438149691d980ce17f0c5aaea5e8f6b77 Mon Sep 17 00:00:00 2001 
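Review bot: `inferior-pipe` is switched to `define*` although it only gains a required positional argument; `define*` is needed only for `#:optional`/`#:key` parameters, so plain `(define (inferior-pipe directory command error-port)` matches the rest of the file and does not suggest optional arguments exist. The docstring should also describe the new argument, e.g. `The inferior's standard error is sent to ERROR-PORT.` In `open-inferior`, a short comment on the default, `;; by default, discard the inferior's stderr`, would make the intent of `(%make-void-port "w")` explicit.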
From: Christopher Baines Date: Wed, 2 Oct 2019 19:14:05 +0100 Subject: inferior: Set the error port when using older Guix versions. This makes the behaviour more consistent. * guix/inferior.scm (inferior-pipe): Wrap the second open-pipe* call with with-error-to-port, to match the first call to open-pipe*. --- guix/inferior.scm | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) (limited to 'guix') diff --git a/guix/inferior.scm b/guix/inferior.scm index eecdbdd5ca..b8e2f21f42 100644 --- a/guix/inferior.scm +++ b/guix/inferior.scm @@ -125,19 +125,21 @@ it's an old Guix." ;; Older versions of Guix didn't have a 'guix repl' command, so ;; emulate it. - (open-pipe* OPEN_BOTH "guile" - "-L" (string-append directory "/share/guile/site/" - (effective-version)) - "-C" (string-append directory "/share/guile/site/" - (effective-version)) - "-C" (string-append directory "/lib/guile/" - (effective-version) "/site-ccache") - "-c" - (object->string - `(begin - (primitive-load ,(search-path %load-path - "guix/repl.scm")) - ((@ (guix repl) machine-repl)))))) + (with-error-to-port error-port + (lambda () + (open-pipe* OPEN_BOTH "guile" + "-L" (string-append directory "/share/guile/site/" + (effective-version)) + "-C" (string-append directory "/share/guile/site/" + (effective-version)) + "-C" (string-append directory "/lib/guile/" + (effective-version) "/site-ccache") + "-c" + (object->string + `(begin + (primitive-load ,(search-path %load-path + "guix/repl.scm")) + ((@ (guix repl) machine-repl)))))))) pipe))) (define* (port->inferior pipe #:optional (close close-port)) -- cgit v1.2.3 From 81c580c8664bfeeb767e2c47ea343004e88223c7 Mon Sep 17 00:00:00 2001 
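Review bot: The fallback `open-pipe*` call is now wrapped in its own `with-error-to-port error-port` thunk, duplicating the wrapper around the first call from the previous commit. If the two calls are the branches of a single conditional — the enclosing `let` starts outside this hunk, so I cannot confirm the structure — one `with-error-to-port` around the whole conditional would remove the duplication and guarantee any later fallback gets the same redirection. A comment such as `;; Route the inferior's stderr to ERROR-PORT for both launch methods.` would also record the intent stated in the commit message.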
From: Ludovic Courtès Date: Wed, 16 Oct 2019 11:51:42 +0200 Subject: daemon: Make 'profiles/per-user' non-world-writable. Fixes . Reported at . Based on Nix commit 5a303093dcae1e5ce9212616ef18f2ca51020b0d by Eelco Dolstra . * nix/libstore/local-store.cc (LocalStore::LocalStore): Set 'perUserDir' to #o755 instead of #o1777. (LocalStore::createUser): New function. * nix/libstore/local-store.hh (LocalStore): Add it. * nix/libstore/store-api.hh (StoreAPI): Add it. * nix/nix-daemon/nix-daemon.cc (performOp): In 'wopSetOptions', add condition to handle "user-name" property and honor it. (processConnection): Add 'userId' parameter. Call 'store->createUser' when userId is not -1. * guix/profiles.scm (ensure-profile-directory): Note that this is now handled by the daemon. * guix/store.scm (current-user-name): New procedure. (set-build-options): Add #:user-name parameter and pass it to the daemon. * tests/guix-daemon.sh: Test the creation of 'profiles/per-user' when listening on a TCP socket. * tests/store.scm ("profiles/per-user exists and is not writable") ("profiles/per-user/$USER exists"): New tests. --- guix/profiles.scm | 3 ++- guix/store.scm | 12 ++++++++++++ nix/libstore/local-store.cc | 17 +++++++++++++++-- nix/libstore/local-store.hh | 2 ++ nix/libstore/store-api.hh | 4 ++++ nix/nix-daemon/nix-daemon.cc | 24 ++++++++++++++++++++++-- tests/guix-daemon.sh | 21 +++++++++++++++++++++ tests/store.scm | 13 ++++++++++++- 8 files changed, 90 insertions(+), 6 deletions(-) (limited to 'guix') diff --git a/guix/profiles.scm b/guix/profiles.scm index f5c863945c..cd3b21e390 100644 --- a/guix/profiles.scm +++ b/guix/profiles.scm 
@@ -1732,7 +1732,8 @@ because the NUMBER is zero.)" (string-append %profile-directory "/guix-profile")) (define (ensure-profile-directory) - "Attempt to create /…/profiles/per-user/$USER if needed." + "Attempt to create /…/profiles/per-user/$USER if needed. Nowadays this is +taken care of by the daemon." (let ((s (stat %profile-directory #f))) (unless (and s (eq? 'directory (stat:type s))) (catch 'system-error diff --git a/guix/store.scm b/guix/store.scm index d7c603898c..382aad29d9 100644 --- a/guix/store.scm +++ b/guix/store.scm @@ -748,6 +748,14 @@ encoding conversion errors." (cut string-append "http://" <>)) '("ci.guix.gnu.org"))) +(define (current-user-name) + "Return the name of the calling user." + (catch #t + (lambda () + (passwd:name (getpwuid (getuid)))) + (lambda _ + (getenv "USER")))) + (define* (set-build-options server #:key keep-failed? keep-going? fallback? (verbosity 0) @@ -759,6 +767,7 @@ encoding conversion errors." (build-verbosity 0) (log-type 0) (print-build-trace #t) + (user-name (current-user-name)) ;; When true, provide machine-readable "build ;; traces" for use by (guix status). Old clients @@ -849,6 +858,9 @@ encoding conversion errors." `(("build-repeat" . ,(number->string (max 0 (1- rounds))))) '()) + ,@(if user-name + `(("user-name" . ,user-name)) + '()) ,@(if terminal-columns `(("terminal-columns" . ,(number->string terminal-columns))) diff --git a/nix/libstore/local-store.cc b/nix/libstore/local-store.cc index 3b08492c64..3793382361 100644 --- a/nix/libstore/local-store.cc +++ b/nix/libstore/local-store.cc @@ -88,8 +88,9 @@ LocalStore::LocalStore(bool reserveSpace) Path perUserDir = profilesDir + "/per-user"; createDirs(perUserDir); - if (chmod(perUserDir.c_str(), 01777) == -1) - throw SysError(format("could not set permissions on '%1%' to 1777") % perUserDir); + if (chmod(perUserDir.c_str(), 0755) == -1) + throw SysError(format("could not set permissions on '%1%' to 755") + % perUserDir); mode_t perm = 01775; 
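Review bot: `current-user-name` (store.scm hunk @@ -748) can return #f — when the `getpwuid` path fails and `USER` is unset, `(getenv "USER")` yields #f — but its docstring, "Return the name of the calling user.", does not say so; `set-build-options` depends on this via `(if user-name ...)`, so I would write `"Return the name of the calling user, or #f if it cannot be determined."`. `catch #t` also swallows every condition; if `getpwuid` signals a specific key on a missing entry, catching only that key would keep unrelated failures visible (the hunk does not show which key it raises). Since `user-name` now becomes part of the client-to-daemon protocol, a comment on the `"user-name"` option noting that the daemon only honors it for clients whose UID it cannot determine (see nix-daemon.cc in this commit) would help readers of this file.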
@@ -1642,4 +1643,16 @@ void LocalStore::vacuumDB() } +void LocalStore::createUser(const std::string & userName, uid_t userId) +{ + auto dir = settings.nixStateDir + "/profiles/per-user/" + userName; + + createDirs(dir); + if (chmod(dir.c_str(), 0755) == -1) + throw SysError(format("changing permissions of directory '%s'") % dir); + if (chown(dir.c_str(), userId, -1) == -1) + throw SysError(format("changing owner of directory '%s'") % dir); +} + + } diff --git a/nix/libstore/local-store.hh b/nix/libstore/local-store.hh index 4113fafcb5..2e48cf03e6 100644 --- a/nix/libstore/local-store.hh +++ b/nix/libstore/local-store.hh @@ -180,6 +180,8 @@ public: void setSubstituterEnv(); + void createUser(const std::string & userName, uid_t userId); + private: Path schemaPath; diff --git a/nix/libstore/store-api.hh b/nix/libstore/store-api.hh index 2d9dcbd573..7d2ad2270d 100644 --- a/nix/libstore/store-api.hh +++ b/nix/libstore/store-api.hh @@ -289,6 +289,10 @@ public: /* Check the integrity of the Nix store. Returns true if errors remain. */ virtual bool verifyStore(bool checkContents, bool repair) = 0; + + /* Create a profile for the given user. This is done by the daemon + because the 'profiles/per-user' directory is not writable by users. */ + virtual void createUser(const std::string & userName, uid_t userId) = 0; }; diff --git a/nix/nix-daemon/nix-daemon.cc b/nix/nix-daemon/nix-daemon.cc index 1163a249d1..3dd156ba77 100644 --- a/nix/nix-daemon/nix-daemon.cc +++ b/nix/nix-daemon/nix-daemon.cc 
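Review bot: The two new error messages in `LocalStore::createUser` use `%s` placeholders while the constructor earlier in this commit (and the surrounding code) uses Boost.Format positional `%1%`; both work, but `throw SysError(format("changing permissions of directory '%1%'") % dir);` keeps the style consistent. A one-line comment above the `chmod`/`chown` pair stating that the directory ends up mode 0755 and owned by USERID — so only that user can populate it — would mirror the doc comment added to store-api.hh and explain why the order (create, then restrict, then hand over) matters.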
@@ -613,6 +613,17 @@ static void performOp(bool trusted, unsigned int clientVersion, || name == "build-repeat" || name == "multiplexed-build-output") settings.set(name, value); + else if (name == "user-name" + && settings.clientUid == (uid_t) -1) { + /* Create the user profile. This is necessary if + clientUid = -1, for instance because the client + connected over TCP. */ + struct passwd *pw = getpwnam(value.c_str()); + if (pw != NULL) + store->createUser(value, pw->pw_uid); + else + printMsg(lvlInfo, format("user name %1% not found") % value); + } else settings.set(trusted ? name : "untrusted-" + name, value); } @@ -731,7 +742,7 @@ static void performOp(bool trusted, unsigned int clientVersion, } -static void processConnection(bool trusted) +static void processConnection(bool trusted, uid_t userId) { canSendStderr = false; _writeToStderr = tunnelStderr; @@ -778,6 +789,15 @@ static void processConnection(bool trusted) /* Open the store. */ store = std::shared_ptr(new LocalStore(reserveSpace)); + if (userId != (uid_t) -1) { + /* Create the user profile. */ + struct passwd *pw = getpwuid(userId); + if (pw != NULL && pw->pw_name != NULL) + store->createUser(pw->pw_name, userId); + else + printMsg(lvlInfo, format("user with UID %1% not found") % userId); + } + stopWork(); to.flush(); @@ -963,7 +983,7 @@ static void acceptConnection(int fdSocket) /* Handle the connection. */ from.fd = remote; to.fd = remote; - processConnection(trusted); + processConnection(trusted, clientUid); exit(0); }, false, "unexpected build daemon error: ", true); diff --git a/tests/guix-daemon.sh b/tests/guix-daemon.sh index 758f18cc36..b58500966b 100644 --- a/tests/guix-daemon.sh +++ b/tests/guix-daemon.sh 
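Review bot: In the "user-name" branch the directory name handed to `store->createUser(value, pw->pw_uid)` is the client-supplied string rather than the canonical name from the user database; `store->createUser(pw->pw_name, pw->pw_uid);` ties the created path to the resolved account, as the `processConnection` branch below already does with `pw->pw_name`. Because `clientUid == -1` means the client's identity is unknown here, a comment stating the trust assumption — any client on the TCP socket may ask for any existing user's profile directory to be created — would make the threat model explicit for future maintainers. Separately, when `clientUid` is known (Unix socket), "user-name" falls through to `settings.set(trusted ? name : "untrusted-" + name, value)` and is stored as a setting; an explicit `else if (name == "user-name") { /* handled via clientUid in processConnection */ }` would avoid that.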
@@ -94,6 +94,27 @@ done kill "$daemon_pid" +# Make sure 'profiles/per-user' is created when connecting over TCP. + +orig_GUIX_STATE_DIRECTORY="$GUIX_STATE_DIRECTORY" +GUIX_STATE_DIRECTORY="$GUIX_STATE_DIRECTORY-2" + +guix-daemon --disable-chroot --listen="localhost:9877" & +daemon_pid=$! + +GUIX_DAEMON_SOCKET="guix://localhost:9877" +export GUIX_DAEMON_SOCKET + +test ! -d "$GUIX_STATE_DIRECTORY/profiles/per-user" + +guix build guile-bootstrap -d + +test -d "$GUIX_STATE_DIRECTORY/profiles/per-user/$USER" + +kill "$daemon_pid" +unset GUIX_DAEMON_SOCKET +GUIX_STATE_DIRECTORY="$orig_GUIX_STATE_DIRECTORY" + # Check the failed build cache. guix-daemon --no-substitutes --listen="$socket" --disable-chroot \ diff --git a/tests/store.scm b/tests/store.scm index 518750d26a..2b14a4af0a 100644 --- a/tests/store.scm +++ b/tests/store.scm @@ -18,6 +18,7 @@ (define-module (test-store) #:use-module (guix tests) + #:use-module (guix config) #:use-module (guix store) #:use-module (guix utils) #:use-module (guix monads) @@ -102,7 +103,17 @@ "/283gqy39v3g9dxjy26rynl0zls82fmcg-guile-2.0.7/bin/guile"))) (not (direct-store-path? (%store-prefix))))) -(test-skip (if %store 0 13)) +(test-skip (if %store 0 15)) + +(test-equal "profiles/per-user exists and is not writable" + #o755 + (stat:perms (stat (string-append %state-directory "/profiles/per-user")))) + +(test-equal "profiles/per-user/$USER exists" + (list (getuid) #o755) + (let ((s (stat (string-append %state-directory "/profiles/per-user/" + (passwd:name (getpwuid (getuid))))))) + (list (stat:uid s) (stat:perms s)))) (test-equal "add-data-to-store" #vu8(1 2 3 4 5) -- cgit v1.2.3 From 5cace974a4c10b4748b526dba5d20e12afbd2835 Mon Sep 17 00:00:00 2001 
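Review bot: The new TCP test starts `guix-daemon --disable-chroot --listen="localhost:9877" &` and immediately runs `guix build`, with nothing waiting for the listener to be ready; unless the client retries connections, this can race on a slow machine, and the hard-coded port 9877 will collide if another test or service has it open. If the earlier part of this script (outside the hunk) has a wait loop for the Unix-socket daemon, a similar check on the TCP port before `guix build` would make the test deterministic. The `test ! -d` precondition is also only meaningful because `GUIX_STATE_DIRECTORY` is redirected to a fresh `-2` directory; a comment saying so would help.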
From: Guillaume Le Vaillant Date: Thu, 17 Oct 2019 16:43:09 +0200 Subject: build-system/asdf: Fix package transform. * guix/build-system/asdf.scm (package-with-build-system): [find-input-package]: New function. [rewrite]: Use it. --- guix/build-system/asdf.scm | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'guix') diff --git a/guix/build-system/asdf.scm b/guix/build-system/asdf.scm index af04084c86..f794bf006b 100644 --- a/guix/build-system/asdf.scm +++ b/guix/build-system/asdf.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2016, 2017 Andy Patterson +;;; Copyright © 2019 Guillaume Le Vaillant ;;; ;;; This file is part of GNU Guix. ;;; @@ -32,6 +33,7 @@ #:use-module (ice-9 regex) #:use-module (srfi srfi-1) #:use-module (srfi srfi-26) + #:use-module (gnu packages) #:export (%asdf-build-system-modules %asdf-build-modules asdf-build @@ -160,13 +162,22 @@ set up using CL source package conventions." (define (has-from-build-system? pkg) (eq? from-build-system (package-build-system pkg))) + (define (find-input-package pkg) + (let* ((name (package-name pkg)) + (new-name (transform-package-name name)) + (pkgs (find-packages-by-name new-name))) + (if (null? pkgs) #f (list-ref pkgs 0)))) + (define transform (mlambda (pkg) (define rewrite (match-lambda ((name content . rest) (let* ((is-package? (package? content)) - (new-content (if is-package? (transform content) content))) + (new-content (if is-package? + (or (find-input-package content) + (transform content)) + content))) `(,name ,new-content ,@rest))))) ;; Special considerations for source packages: CL inputs become -- cgit v1.2.3 From e6ea74d86c628c6b5365b69e23c3e5ef3e15c336 Mon Sep 17 00:00:00 2001 
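Review bot: Adding `#:use-module (gnu packages)` makes a `guix/` build-system module depend on the `gnu/` package tree; if the project keeps `guix/` independent of `gnu/` (as the module layout suggests), the lookup should instead be supplied by the caller or live on the `gnu/` side. In `find-input-package`, `(if (null? pkgs) #f (list-ref pkgs 0))` can be written `(match pkgs (() #f) ((first . _) first))` with the `(ice-9 match)` already used by `rewrite`. The hunk does not show in what order `find-packages-by-name` returns results, so when several versions of NEW-NAME exist the chosen one is whichever comes first — that assumption deserves a comment.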
From: Ludovic Courtès Date: Fri, 18 Oct 2019 11:07:21 +0200 Subject: pull: Call 'ensure-default-profile' after 'set-build-options'. This is a followup to 81c580c8664bfeeb767e2c47ea343004e88223c7. * guix/scripts/pull.scm (guix-pull): Move 'ensure-default-profile' call after 'set-build-options-from-command-line' call. This ensures that the 'profiles/per-user/$USER' directory is created before 'ensure-default-profile' is called when 'GUIX_DAEMON_SOCKET' points to a remote TCP daemon. --- guix/scripts/pull.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'guix') diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm index 04970cf503..7876019eac 100644 --- a/guix/scripts/pull.scm +++ b/guix/scripts/pull.scm @@ -772,11 +772,11 @@ Use '~/.config/guix/channels.scm' instead.")) (process-generation-change opts profile)) (else (with-store store - (ensure-default-profile) (with-status-verbosity (assoc-ref opts 'verbosity) (parameterize ((%current-system (assoc-ref opts 'system)) (%graft? (assoc-ref opts 'graft?))) (set-build-options-from-command-line store opts) + (ensure-default-profile) (honor-x509-certificates store) (let ((instances (latest-channel-instances store channels))) -- cgit v1.2.3 From d7fcd9c565812919109ae88049f5d8bf4c56f9bd Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Fri, 18 Oct 2019 11:55:24 +0200 Subject: lint: Comment out 'cve' checker. * guix/lint.scm (%network-dependent-checkers): Comment out 'cve' checker. --- guix/lint.scm | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) (limited to 'guix') diff --git a/guix/lint.scm b/guix/lint.scm index 03a8e88225..6336cf4e3b 100644 --- a/guix/lint.scm +++ b/guix/lint.scm 
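Review bot: The new position of `(ensure-default-profile)` right after `(set-build-options-from-command-line store opts)` encodes an ordering requirement that is explained only in the commit message; I would add `;; Must come after 'set-build-options': the daemon creates profiles/per-user/$USER.` above the call so nobody moves it back for tidiness. The enclosing `with-store` form continues outside the hunk.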
@@ -1319,11 +1319,17 @@ or a list thereof") (name 'github-url) (description "Suggest GitHub URLs") (check check-github-url)) - (lint-checker - (name 'cve) - (description "Check the Common Vulnerabilities and Exposures\ - (CVE) database") - (check check-vulnerabilities)) + + ;; FIXME: Commented out as a consequence of the XML CVE feed retirement: + ;; . + ;; Reinstate it once the JSON feed is supported. + + ;; (lint-checker + ;; (name 'cve) + ;; (description "Check the Common Vulnerabilities and Exposures\ + ;; (CVE) database") + ;; (check check-vulnerabilities)) + (lint-checker (name 'refresh) (description "Check the package for new upstream releases") -- cgit v1.2.3 From f05f722657aebc282ba389ab4f4c07843241c4f0 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Fri, 18 Oct 2019 22:39:03 +0200 Subject: reconfigure: Silence "shepherd: Evaluating ..." messages. * guix/scripts/system/reconfigure.scm (upgrade-services-program): Parameterize 'shepherd-message-port' to silent "Evaluating ..." messages. --- guix/scripts/system/reconfigure.scm | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'guix') diff --git a/guix/scripts/system/reconfigure.scm b/guix/scripts/system/reconfigure.scm index 579b7fffbe..2f9dbb2508 100644 --- a/guix/scripts/system/reconfigure.scm +++ b/guix/scripts/system/reconfigure.scm @@ -136,7 +136,10 @@ canonical names (symbols)." (srfi srfi-1)) ;; Load the service files for any new services. - (load-services/safe '#$service-files) + ;; Silence messages coming from shepherd such as "Evaluating + ;; expression ..." since they are unhelpful. + (parameterize ((shepherd-message-port (%make-void-port "w"))) + (load-services/safe '#$service-files)) ;; Unload obsolete services and start new services. (for-each unload-service '#$to-unload) -- cgit v1.2.3 From d04285647dda1d5b8b49de22a4cb91614e725093 Mon Sep 17 00:00:00 2001 
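Review bot: In the reconfigure.scm hunk, parameterizing `shepherd-message-port` to a void port around `load-services/safe` drops every message shepherd writes to that port during loading, not only "Evaluating expression ..."; if shepherd also reports load warnings or errors there, they become invisible to the user. Unless that is verified not to be the case, the comment should acknowledge it, e.g. `;; Note: this also hides any other messages shepherd prints while loading.`, or the redirection should be narrowed. The enclosing gexp continues outside the hunk.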
From: Ludovic Courtès Date: Sun, 20 Oct 2019 15:43:18 +0200 Subject: packages: Add "aarch64-linux" to '%hydra-supported-systems'. * guix/packages.scm (%hydra-supported-systems): Keep "aarch64-linux". --- guix/packages.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'guix') diff --git a/guix/packages.scm b/guix/packages.scm index f2c94c7bc2..c98fb98aec 100644 --- a/guix/packages.scm +++ b/guix/packages.scm @@ -241,9 +241,9 @@ name of its URI." (define %hydra-supported-systems ;; This is the list of system types for which build machines are available. ;; - ;; XXX: MIPS is temporarily unavailable on Hydra: + ;; XXX: MIPS is unavailable in CI: ;; . - (fold delete %supported-systems '("aarch64-linux" "mips64el-linux"))) + (fold delete %supported-systems '("mips64el-linux"))) ;; A package. -- cgit v1.2.3 From 674e143cf8e7dff7d62a29c63e43839efc23edba Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Mon, 21 Oct 2019 15:33:32 +0200 Subject: download: Honor /etc/ssl/certs when 'SSL_CERT_DIR' is not set. * guix/build/download.scm (%x509-certificate-directory): Use "/etc/ssl/certs" as a last resort. This ensures, for instance, that 'guix download' honors system-wide certificates when SSL_CERT_DIR is unset. --- guix/build/download.scm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'guix') diff --git a/guix/build/download.scm b/guix/build/download.scm index 0c9c61de4b..a4c91550a6 100644 --- a/guix/build/download.scm +++ b/guix/build/download.scm 
@@ -172,7 +172,8 @@ session record port using PORT as its underlying communication port." (define %x509-certificate-directory ;; The directory where X.509 authority PEM certificates are stored. (make-parameter (or (getenv "GUIX_TLS_CERTIFICATE_DIRECTORY") - (getenv "SSL_CERT_DIR")))) ;like OpenSSL + (getenv "SSL_CERT_DIR") ;like OpenSSL + "/etc/ssl/certs"))) (define (set-certificate-credentials-x509-trust-file!* cred file format) "Like 'set-certificate-credentials-x509-trust-file!', but without the file -- cgit v1.2.3 From 74afaa37d5dec1a9d1b83951529ba69d8947fb07 Mon Sep 17 00:00:00 2001 
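Review bot: With `"/etc/ssl/certs"` as the last resort, `%x509-certificate-directory` can no longer yield #f; any caller that treated #f as "no certificate directory configured" now receives a path that may not exist on non-FHS systems, so those callers (not visible here) should be checked to cope with a missing directory. A short comment on the new literal, e.g. `;system-wide default on FHS systems`, would document that it is only a fallback behind the two environment variables.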
From: Ludovic Courtès Date: Sun, 20 Oct 2019 22:10:00 +0200 Subject: cve: Rewrite to read the JSON feed instead of the XML feed. The XML feed was discontinued on Oct. 16th, 2019: * guix/cve.scm (string->date*): New procedure. (, , ): New record types. (cpe-match->cve-configuration, configuration-data->cve-configurations) (json->cve-items, version-matches?): New procedures. (yearly-feed-uri): Change URL to refer to JSON feed. (cpe->product-alist, %parse-vulnerability-feed) (xml->vulnerabilities): Remove. (cve-configuration->package-list, merge-package-lists) (cve-item->vulnerability, json->vulnerabilities): New procedures. (write-cache): Use 'json->vulnerabilities' instead of 'xml->vulnerabilities', and remove 'parameterize'. (vulnerabilities->lookup-proc): Use 'version-matches?' when VERSION is true. * tests/cve.scm (%sample): Use 'tests/cve-sample.json'. (%expected-vulnerabilities): Rewrite accordingly. ("json->cve-items", "cve-item-published-date") ("json->vulnerabilities"): New tests. ("xml->vulnerabilities"): Remove. ("vulnerabilities->lookup-proc"): Adjust to new vulnerabilities. * tests/cve-sample.json: New file. * tests/cve-sample.xml: Remove. * Makefile.am (EXTRA_DIST): Adjust accordingly. * doc/guix.texi (Invoking guix lint): Update nist.gov URLs. --- Makefile.am | 2 +- doc/guix.texi | 4 +- guix/cve.scm | 376 ++++++++++----- tests/cve-sample.json | 1279 +++++++++++++++++++++++++++++++++++++++++++++++++ tests/cve-sample.xml | 616 ------------------------ tests/cve.scm | 83 +++- 6 files changed, 1605 insertions(+), 755 deletions(-) create mode 100644 tests/cve-sample.json delete mode 100644 tests/cve-sample.xml (limited to 'guix') diff --git a/Makefile.am b/Makefile.am index 36767c2f47..b1f33946c5 100644 --- a/Makefile.am +++ b/Makefile.am @@ -564,7 +564,7 @@ EXTRA_DIST += \ tests/test.drv \ tests/signing-key.pub \ tests/signing-key.sec \ - tests/cve-sample.xml \ + tests/cve-sample.json \ build-aux/config.rpath \ bootstrap \ doc/build.scm \ 
diff --git a/doc/guix.texi b/doc/guix.texi index cb004d034d..746561ed97 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -9484,7 +9484,7 @@ that limit has been reset. @cindex CVE, Common Vulnerabilities and Exposures Report known vulnerabilities found in the Common Vulnerabilities and Exposures (CVE) databases of the current and past year -@uref{https://nvd.nist.gov/download.cfm#CVE_FEED, published by the US +@uref{https://nvd.nist.gov/vuln/data-feeds, published by the US NIST}. To view information about a particular vulnerability, visit pages such as: @@ -9501,7 +9501,7 @@ where @code{CVE-YYYY-ABCD} is the CVE identifier---e.g., @code{CVE-2015-7554}. Package developers can specify in package recipes the -@uref{https://nvd.nist.gov/cpe.cfm,Common Platform Enumeration (CPE)} +@uref{https://nvd.nist.gov/products/cpe,Common Platform Enumeration (CPE)} name and version of the package when they differ from the name or version that Guix uses, as in this example: diff --git a/guix/cve.scm b/guix/cve.scm index 99754fa1f6..903d94a8a6 100644 --- a/guix/cve.scm +++ b/guix/cve.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2015, 2016, 2017, 2018 Ludovic Courtès +;;; Copyright © 2015, 2016, 2017, 2018, 2019 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -19,21 +19,43 @@ (define-module (guix cve) #:use-module (guix utils) #:use-module (guix http-client) - #:use-module (sxml ssax) + #:use-module (guix json) + #:use-module (guix i18n) + #:use-module (json) #:use-module (web uri) #:use-module (srfi srfi-1) #:use-module (srfi srfi-9) #:use-module (srfi srfi-11) #:use-module (srfi srfi-19) #:use-module (srfi srfi-26) + #:use-module (srfi srfi-34) + #:use-module (srfi srfi-35) #:use-module (ice-9 match) #:use-module (ice-9 regex) #:use-module (ice-9 vlist) - #:export (vulnerability? + #:export (json->cve-items + + cve-item? + cve-item-cve + cve-item-configurations + cve-item-published-date + cve-item-last-modified-date + + cve? + cve-id + cve-data-type + cve-data-format + cvs-references + + cve-reference? + cve-reference-url + cve-reference-tags + + vulnerability? vulnerability-id vulnerability-packages - xml->vulnerabilities + json->vulnerabilities current-vulnerabilities vulnerabilities->lookup-proc)) 
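Review bot: The export list names `cvs-references`, which nothing in the module defines — the accessor generated by the `cve` mapping in the following hunk is `cve-item-references`, whose name in turn does not match the record it belongs to. I would rename the accessor to `cve-references` in the mapping, `(references cve-references ;list of`, and export that name instead; as written, importers using the exported name would presumably hit an unbound variable.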
@@ -41,15 +63,174 @@
 ;;;
 ;;; This modules provides the tools to fetch, parse, and digest part of the
 ;;; Common Vulnerabilities and Exposures (CVE) feeds provided by the US NIST
-;;; at .
+;;; at .
 ;;;
 ;;; Code:
-(define-record-type
-  (vulnerability id packages)
-  vulnerability?
-  (id vulnerability-id)                         ;string
-  (packages vulnerability-packages))            ;((p1 v1 v2 v3) (p2 v1) ...)
+(define (string->date* str)
+  (string->date str "~Y-~m-~dT~H:~M~z"))
+
+(define-json-mapping cve-item cve-item?
+  json->cve-item
+  (cve cve-item-cve "cve" json->cve)            ;
+  (configurations cve-item-configurations       ;list of sexps
+                  "configurations" configuration-data->cve-configurations)
+  (published-date cve-item-published-date
+                  "publishedDate" string->date*)
+  (last-modified-date cve-item-last-modified-date
+                      "lastModifiedDate" string->date*))
+
+(define-json-mapping cve cve?
+  json->cve
+  (id cve-id "CVE_data_meta"                    ;string
+      (cut assoc-ref <> "ID"))
+  (data-type cve-data-type                      ;'CVE
+             "data_type" string->symbol)
+  (data-format cve-data-format                  ;'MITRE
+               "data_format" string->symbol)
+  (references cve-item-references               ;list of
+              "references" reference-data->cve-references))
+
+(define-json-mapping cve-reference cve-reference?
+  json->cve-reference
+  (url cve-reference-url)                       ;string
+  (tags cve-reference-tags                      ;list of strings
+        "tags" vector->list))
+
+(define (reference-data->cve-references alist)
+  (map json->cve-reference
+       (vector->list (assoc-ref alist "reference_data"))))
+
+(define %cpe-package-rx
+  ;; For applications: "cpe:2.3:a:VENDOR:PACKAGE:VERSION", or sometimes
+  ;; "cpe:2.3:a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL".
+  (make-regexp "^cpe:2\\.3:a:([^:]+):([^:]+):([^:]+):([^:]+):"))
+
+(define (cpe->package-name cpe)
+  "Converts the Common Platform Enumeration (CPE) string CPE to a package
+name, in a very naive way. Return two values: the package name, and its
+version string. Return #f and #f if CPE does not look like an application CPE
+string."
+  (cond ((regexp-exec %cpe-package-rx cpe)
+         =>
+         (lambda (matches)
+           (values (match:substring matches 2)
+                   (match (match:substring matches 3)
+                     ("*" '_)
+                     (version
+                      (string-append version
+                                     (match (match:substring matches 4)
+                                       ("" "")
+                                       (patch-level
+                                        ;; Drop the colon from things like
+                                        ;; "cpe:2.3:a:openbsd:openssh:6.8:p1".
+                                        (string-drop patch-level 1)))))))))
+        (else
+         (values #f #f))))
+
+(define (cpe-match->cve-configuration alist)
+  "Convert ALIST, a \"cpe_match\" alist, into an sexp representing the package
+and versions matched. Return #f if ALIST doesn't correspond to an application
+package."
+  (let ((cpe (assoc-ref alist "cpe23Uri"))
+        (starti (assoc-ref alist "versionStartIncluding"))
+        (starte (assoc-ref alist "versionStartExcluding"))
+        (endi (assoc-ref alist "versionEndIncluding"))
+        (ende (assoc-ref alist "versionEndExcluding")))
+    (let-values (((package version) (cpe->package-name cpe)))
+      (and package
+           `(,package
+             ,(cond ((and (or starti starte) (or endi ende))
+                     `(and ,(if starti `(>= ,starti) `(> ,starte))
+                           ,(if endi `(<= ,endi) `(< ,ende))))
+                    (starti `(>= ,starti))
+                    (starte `(> ,starte))
+                    (endi `(<= ,endi))
+                    (ende `(< ,ende))
+                    (else version)))))))
+
+(define (configuration-data->cve-configurations alist)
+  "Given ALIST, a JSON dictionary for the baroque \"configurations\"
+element found in CVEs, return an sexp such as (\"binutils\" (<
+\"2.31\")) that represents matching configurations."
+  (define string->operator
+    (match-lambda
+      ("OR" 'or)
+      ("AND" 'and)))
+
+  (define (node->configuration node)
+    (let ((operator (string->operator (assoc-ref node "operator"))))
+      (cond
+       ((assoc-ref node "cpe_match")
+        =>
+        (lambda (matches)
+          (let ((matches (vector->list matches)))
+            (match (filter-map cpe-match->cve-configuration
+                               matches)
+              (() #f)
+              ((one) one)
+              (lst (cons operator lst))))))
+       ((assoc-ref node "children")             ;typically for 'and'
+        =>
+        (lambda (children)
+          (match (filter-map node->configuration (vector->list children))
+            (() #f)
+            ((one) one)
+            (lst (cons operator lst)))))
+       (else
+        #f))))
+
+  (let ((nodes (vector->list (assoc-ref alist "nodes"))))
+    (filter-map node->configuration nodes)))
+
+(define (json->cve-items json)
+  "Parse JSON, an input port or a string, and return a list of
+records."
+  (let* ((alist (json->scm json))
+         (type (assoc-ref alist "CVE_data_type"))
+         (format (assoc-ref alist "CVE_data_format"))
+         (version (assoc-ref alist "CVE_data_version")))
+    (unless (equal? type "CVE")
+      (raise (condition (&message
+                         (message "invalid CVE feed")))))
+    (unless (equal? format "MITRE")
+      (raise (condition
+              (&message
+               (message (format #f (G_ "unsupported CVE format: '~a'")
+                                format))))))
+    (unless (equal? version "4.0")
+      (raise (condition
+              (&message
+               (message (format #f (G_ "unsupported CVE data version: '~a'")
+                                version))))))
+
+    (map json->cve-item
+         (vector->list (assoc-ref alist "CVE_Items")))))
+
+(define (version-matches? version sexp)
+  "Return true if VERSION, a string, matches SEXP."
+  (match sexp
+    ('_
+     #t)
+    ((? string? expected)
+     (version-prefix? expected version))
+    (('or sexps ...)
+     (any (cut version-matches? version <>) sexps))
+    (('and sexps ...)
+     (every (cut version-matches? version <>) sexps))
+    (('< max)
+     (version>? max version))
+    (('<= max)
+     (version>=? max version))
+    (('> min)
+     (version>? version min))
+    (('>= min)
+     (version>=? version min))))
+
+
+;;;
+;;; High-level interface.
+;;;
 (define %now (current-date))
@@ -61,8 +242,8 @@
 (define (yearly-feed-uri year)
   "Return the URI for the CVE feed for YEAR."
   (string->uri
-   (string-append "https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-"
-                  (number->string year) ".xml.gz")))
+   (string-append "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-"
+                  (number->string year) ".json.gz")))
 (define %current-year-ttl
   ;; According to , feeds are
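Review bot: In `cpe->package-name`, `(string-drop patch-level 1)` no longer strips a colon: the new `%cpe-package-rx` captures the fourth field as `([^:]+)`, without the leading colon, so for `cpe:2.3:a:openbsd:openssh:6.8:p1` the version comes out as `6.81`, and the `("" "")` arm is unreachable because that group cannot match the empty string (the common `*` patch level only works by accident, since dropping the `*` leaves `""`). I'd replace the inner match arms with `("*" "")` and `(patch-level (string-append "-" patch-level))`, or whatever separator the version comparison expects, and update the comment accordingly. Separately, `cpe-match->cve-configuration` never reads the `"vulnerable"` flag of a `cpe_match` entry, so an application CPE that NVD marks `"vulnerable" : false` is still reported as affected; returning `#f` when that flag is false would avoid those false positives in the lint output. Minor: in `json->cve-items`, `"invalid CVE feed"` is the only one of the three error messages not wrapped in `G_`.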
@@ -73,102 +254,11 @@ ;; Update the previous year's database more and more infrequently. (* 3600 24 (date-month %now))) -(define %cpe-package-rx - ;; For applications: "cpe:/a:VENDOR:PACKAGE:VERSION", or sometimes - ;; "cpe/a:VENDOR:PACKAGE:VERSION:PATCH-LEVEL". - (make-regexp "^cpe:/a:([^:]+):([^:]+):([^:]+)((:.+)?)")) - -(define (cpe->package-name cpe) - "Converts the Common Platform Enumeration (CPE) string CPE to a package -name, in a very naive way. Return two values: the package name, and its -version string. Return #f and #f if CPE does not look like an application CPE -string." - (cond ((regexp-exec %cpe-package-rx (string-trim-both cpe)) - => - (lambda (matches) - (values (match:substring matches 2) - (string-append (match:substring matches 3) - (match (match:substring matches 4) - ("" "") - (patch-level - ;; Drop the colon from things like - ;; "cpe:/a:openbsd:openssh:6.8:p1". - (string-drop patch-level 1))))))) - (else - (values #f #f)))) - -(define (cpe->product-alist products) - "Given PRODUCTS, a list of CPE names, return the subset limited to the -applications listed in PRODUCTS, with names converted to package names: - - (cpe->product-alist - '(\"cpe:/a:gnu:libtasn1:4.7\" \"cpe:/a:gnu:libtasn1:4.6\" \"cpe:/a:gnu:cpio:2.11\")) - => ((\"libtasn1\" \"4.7\" \"4.6\") (\"cpio\" \"2.11\")) -" - (fold (lambda (product result) - (let-values (((name version) (cpe->package-name product))) - (if name - (match result - (((previous . versions) . tail) - ;; Attempt to coalesce NAME and PREVIOUS. - (if (string=? name previous) - (alist-cons name (cons version versions) tail) - (alist-cons name (list version) result))) - (() - (alist-cons name (list version) result))) - result))) - '() - (sort products string and return a list of - ;; vulnerability objects. - (ssax:make-parser NEW-LEVEL-SEED - (lambda (elem-gi attributes namespaces expected-content - seed) - (match elem-gi - ((name-space . 'entry) - (cons (assoc-ref attributes 'id) seed)) - ((name-space . 
'vulnerable-software-list) - (cons '() seed)) - ((name-space . 'product) - (cons 'product seed)) - (x seed))) - - FINISH-ELEMENT - (lambda (elem-gi attributes namespaces parent-seed - seed) - (match elem-gi - ((name-space . 'entry) - (match seed - (((? string? id) . rest) - ;; Some entries have no vulnerable-software-list. - rest) - ((products id . rest) - (match (cpe->product-alist products) - (() - ;; No application among PRODUCTS. - rest) - (packages - (cons (vulnerability id packages) - rest)))))) - (x - seed))) - - CHAR-DATA-HANDLER - (lambda (str _ seed) - (match seed - (('product software-list . rest) - ;; Add STR to the vulnerable software list this - ;; tag is part of. - (cons (cons str software-list) rest)) - (x x))))) - -(define (xml->vulnerabilities port) - "Read from PORT an XML feed of vulnerabilities and return a list of -vulnerability objects." - (reverse (%parse-vulnerability-feed port '()))) +(define-record-type + (vulnerability id packages) + vulnerability? + (id vulnerability-id) ;string + (packages vulnerability-packages)) ;((p1 sexp1) (p2 sexp2) ...) (define vulnerability->sexp (match-lambda 
@@ -180,16 +270,70 @@ vulnerability objects."
     (('v id (packages ...))
      (vulnerability id packages))))
+(define (cve-configuration->package-list config)
+  "Parse CONFIG, a config sexp, and return a list of the form (P SEXP)
+where P is a package name and SEXP expresses constraints on the matching
+versions."
+  (let loop ((config config)
+             (packages '()))
+    (match config
+      (('or configs ...)
+       (fold loop packages configs))
+      (('and config _ ...)                      ;XXX
+       (loop config packages))
+      (((? string? package) '_)                 ;any version
+       (cons `(,package _)
+             (alist-delete package packages)))
+      (((? string? package) sexp)
+       (let ((previous (assoc-ref packages package)))
+         (if previous
+             (cons `(,package (or ,sexp ,@previous))
+                   (alist-delete package packages))
+             (cons `(,package ,sexp) packages)))))))
+
+(define (merge-package-lists lst)
+  "Merge the list in LST, each of which has the form (p sexp), where P
+is the name of a package and SEXP is an sexp that constrains matching
+versions."
+  (fold (lambda (plist result)                  ;XXX: quadratic
+          (fold (match-lambda*
+                  (((package version) result)
+                   (match (assoc-ref result package)
+                     (#f
+                      (cons `(,package ,version) result))
+                     ((previous)
+                      (cons `(,package (or ,version ,previous))
+                            (alist-delete package result))))))
+                result
+                plist))
+        '()
+        lst))
+
+(define (cve-item->vulnerability item)
+  "Return a corresponding to ITEM, a record;
+return #f if ITEM does not list any configuration or if it does not list
+any \"a\" (application) configuration."
+  (let ((id (cve-id (cve-item-cve item))))
+    (match (cve-item-configurations item)
+      (()                                       ;no configurations
+       #f)
+      ((configs ...)
+       (vulnerability id
+                      (merge-package-lists
+                       (map cve-configuration->package-list configs)))))))
+
+(define (json->vulnerabilities json)
+  "Parse JSON, an input port or a string, and return the list of
+vulnerabilities found therein."
+  (filter-map cve-item->vulnerability (json->cve-items json)))
+
 (define (write-cache input cache)
-  "Read vulnerabilities as gzipped XML from INPUT, and write it as a compact
+  "Read vulnerabilities as gzipped JSON from INPUT, and write it as a compact
 sexp to CACHE."
   (call-with-decompressed-port 'gzip input
     (lambda (input)
-      ;; XXX: The SSAX "error port" is used to send pointless warnings such as
-      ;; "warning: Skipping PI". Turn that off.
       (define vulns
-        (parameterize ((current-ssax-error-port (%make-void-port "w")))
-          (xml->vulnerabilities input)))
+        (json->vulnerabilities input))
       (write `(vulnerabilities
                1                                 ;format version
@@ -215,7 +359,7 @@ the given TTL (fetch from the NIST web site when TTL has expired)."
                    (lambda ()
                      (read-options options)))))
-  ;; Note: We used to keep the original XML files in cache but parsing it
+  ;; Note: We used to keep the original JSON files in cache but parsing it
   ;; would take typically ~15s for a year of data. Thus, we instead store a
   ;; summarized version thereof as an sexp, which can be parsed in 1s or so.
   (let* ((port (http-fetch/cached (yearly-feed-uri year)
@@ -269,8 +413,8 @@ vulnerabilities affecting the given package version."
   (vhash-fold* (if version
                    (lambda (pair result)
                      (match pair
-                       ((vuln . versions)
-                        (if (member version versions)
+                       ((vuln sexp)
+                        (if (version-matches? version sexp)
                             (cons vuln result)
                             result))))
                    (lambda (pair result)
diff --git a/tests/cve-sample.json b/tests/cve-sample.json
new file mode 100644
index 0000000000..39816f9dd4
--- /dev/null
+++ b/tests/cve-sample.json
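Review bot: The cache written by `write-cache` still carries `1 ;format version` although the shape of each package entry changes in this commit from `(p v1 v2 ...)` to `(p sexp)`, and the `@@ -269,8 +413,8 @@` hunk now destructures entries as `((vuln sexp)` and hands `sexp` to `version-matches?`. Unless the cache is invalidated elsewhere, an XML-era cache file still within its TTL would be read under the new interpretation and either fail to match or raise in `version-matches?`; bumping the format version, and having the reader refuse versions it does not know, looks like the safer route, though `read-options` and the reader are outside this hunk so I may be missing an existing check. Separately, `cve-configuration->package-list` reduces an `and` node to its first operand (`('and config _ ...) ;XXX`), silently dropping the remaining constraints; a comment stating why that is acceptable for the AND-of-OR shape NVD emits would help the next reader.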
@@ -0,0 +1,1279 @@ +{ + "CVE_data_type" : "CVE", + "CVE_data_format" : "MITRE", + "CVE_data_version" : "4.0", + "CVE_data_numberOfCVEs" : "9826", + "CVE_data_timestamp" : "2019-10-17T07:00Z", + "CVE_Items" : [ { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-0001", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-400" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.securityfocus.com/bid/106541", + "name" : "106541", + "refsource" : "BID", + "tags" : [ "Third Party Advisory", "VDB Entry" ] + }, { + "url" : "https://kb.juniper.net/JSA10900", + "name" : "https://kb.juniper.net/JSA10900", + "refsource" : "CONFIRM", + "tags" : [ "Vendor Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "Receipt of a malformed packet on MX Series devices with dynamic vlan configuration can trigger an uncontrolled recursion loop in the Broadband Edge subscriber management daemon (bbe-smgd), and lead to high CPU usage and a crash of the bbe-smgd service. Repeated receipt of the same packet can result in an extended denial of service condition for the device. Affected releases are Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S1; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R3; 17.3 versions prior to 17.3R3-S1; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R3; 18.2 versions prior to 18.2R2." 
+ } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:*:*:*:*:*:*:*" + } ] + } { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.2:*:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:r2:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.2:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.2:r1-s3:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.2:r1-s4:*:*:*:*:*:*" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "attackVector" : "NETWORK", + "attackComplexity" : "HIGH", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "HIGH", + "baseScore" : 5.9, + "baseSeverity" : "MEDIUM" + }, + "exploitabilityScore" : 2.2, + "impactScore" : 3.6 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:M/Au:N/C:N/I:N/A:C", + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authentication" : "NONE", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "COMPLETE", + "baseScore" : 7.1 + }, + "severity" : "HIGH", + "exploitabilityScore" : 8.6, + "impactScore" : 6.9, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + 
"obtainOtherPrivilege" : false, + "userInteractionRequired" : false + } + }, + "publishedDate" : "2019-01-15T21:29Z", + "lastModifiedDate" : "2019-10-09T23:43Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-0005", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-400" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.securityfocus.com/bid/106665", + "name" : "106665", + "refsource" : "BID", + "tags" : [ "Third Party Advisory" ] + }, { + "url" : "https://kb.juniper.net/JSA10905", + "name" : "https://kb.juniper.net/JSA10905", + "refsource" : "CONFIRM", + "tags" : [ "Vendor Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "On EX2300, EX3400, EX4600, QFX3K and QFX5K series, firewall filter configuration cannot perform packet matching on any IPv6 extension headers. This issue may allow IPv6 packets that should have been blocked to be forwarded. IPv4 packet filtering is unaffected by this vulnerability. Affected releases are Juniper Networks Junos OS on EX and QFX series;: 14.1X53 versions prior to 14.1X53-D47; 15.1 versions prior to 15.1R7; 15.1X53 versions prior to 15.1X53-D234 on QFX5200/QFX5110 series; 15.1X53 versions prior to 15.1X53-D591 on EX2300/EX3400 series; 16.1 versions prior to 16.1R7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R3; 17.3 versions prior to 17.3R3; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R2." 
+ } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d10:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d15:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d16:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d25:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d26:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d27:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d30:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d35:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d40:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d42:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d43:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d44:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d45:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:14.1x53:d46:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + 
"vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r2:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r3:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r4:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r5:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1:r6:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : 
"cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d20:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d21:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d30:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d32:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d33:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d34:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d50:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d51:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d52:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : 
"cpe:2.3:o:juniper:junos:15.1x53:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d20:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d21:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d210:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d230:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d234:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d30:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d32:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d33:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d34:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d50:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d51:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d52:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d55:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d57:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d58:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d59:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:15.1x53:d590:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + 
"vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r2:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r3:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r3-s10:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r4:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r5:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r6:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r6-s6:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:16.1:r7:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : 
"cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.1:r1:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.2:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.2:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.2:r1-s7:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.2:r2:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : 
"cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.3:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.3:r1:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.3:r2:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:gfx3600:-:*:*:*:*:*:*:*" + }, { + 
"vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.4:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:o:juniper:junos:17.4:r1:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + }, { + "operator" : "AND", + "children" : [ { + 
"operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.1:*:*:*:*:*:*:*" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:juniper:junos:18.1:r1:*:*:*:*:*:*" + } ] + }, { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex2300-c:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex3400:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:ex4650:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3500:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx3600:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5100:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5110:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5120:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*" + }, { + "vulnerable" : false, + "cpe23Uri" : "cpe:2.3:h:juniper:qfx5210:-:*:*:*:*:*:*:*" + } ] + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "LOW", + "availabilityImpact" : "NONE", + "baseScore" : 5.3, + "baseSeverity" : "MEDIUM" + }, + "exploitabilityScore" : 3.9, + "impactScore" : 1.4 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:L/Au:N/C:N/I:P/A:N", + "accessVector" : "NETWORK", + 
"accessComplexity" : "LOW", + "authentication" : "NONE", + "confidentialityImpact" : "NONE", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "NONE", + "baseScore" : 5.0 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 10.0, + "impactScore" : 2.9, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : false + } + }, + "publishedDate" : "2019-01-15T21:29Z", + "lastModifiedDate" : "2019-02-14T18:40Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-14811", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-264" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html", + "name" : "openSUSE-SU-2019:2223", + "refsource" : "SUSE", + "tags" : [ ] + }, { + "url" : "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html", + "name" : "openSUSE-SU-2019:2222", + "refsource" : "SUSE", + "tags" : [ ] + }, { + "url" : "https://access.redhat.com/errata/RHBA-2019:2824", + "name" : "RHBA-2019:2824", + "refsource" : "REDHAT", + "tags" : [ ] + }, { + "url" : "https://access.redhat.com/errata/RHSA-2019:2594", + "name" : "RHSA-2019:2594", + "refsource" : "REDHAT", + "tags" : [ ] + }, { + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14811", + "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14811", + "refsource" : "CONFIRM", + "tags" : [ "Exploit", "Issue Tracking", "Mitigation", "Patch", "Third Party Advisory" ] + }, { + "url" : "https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html", + "name" : "[debian-lts-announce] 20190909 [SECURITY] [DLA 1915-1] ghostscript security update", + "refsource" : "MLIST", + "tags" : [ ] + }, { + "url" : 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/", + "name" : "FEDORA-2019-ebd6c4f15a", + "refsource" : "FEDORA", + "tags" : [ ] + }, { + "url" : "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/", + "name" : "FEDORA-2019-0a9d525d71", + "refsource" : "FEDORA", + "tags" : [ ] + }, { + "url" : "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/", + "name" : "FEDORA-2019-953fc0f16d", + "refsource" : "FEDORA", + "tags" : [ ] + }, { + "url" : "https://seclists.org/bugtraq/2019/Sep/15", + "name" : "20190910 [SECURITY] [DSA 4518-1] ghostscript security update", + "refsource" : "BUGTRAQ", + "tags" : [ ] + }, { + "url" : "https://www.debian.org/security/2019/dsa-4518", + "name" : "DSA-4518", + "refsource" : "DEBIAN", + "tags" : [ ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands." 
+ } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:artifex:ghostscript:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "9.28" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "attackVector" : "LOCAL", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseScore" : 7.8, + "baseSeverity" : "HIGH" + }, + "exploitabilityScore" : 1.8, + "impactScore" : 5.9 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authentication" : "NONE", + "confidentialityImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "baseScore" : 6.8 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 8.6, + "impactScore" : 6.4, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : true + } + }, + "publishedDate" : "2019-09-03T16:15Z", + "lastModifiedDate" : "2019-09-10T03:15Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-17365", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-276" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.openwall.com/lists/oss-security/2019/10/09/4", + "name" : "http://www.openwall.com/lists/oss-security/2019/10/09/4", + "refsource" : "MISC", + "tags" : [ "Exploit", "Mailing List", "Third Party Advisory" ] 
+ }, { + "url" : "http://www.openwall.com/lists/oss-security/2019/10/10/1", + "name" : "[oss-security] 20191010 Re: CVE-2019-17365: Nix per-user profile directory hijack", + "refsource" : "MLIST", + "tags" : [ "Third Party Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "Nix through 2.3 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:nixos:nix:*:*:*:*:*:*:*:*", + "versionEndIncluding" : "2.3" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.1", + "vectorString" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "attackVector" : "LOCAL", + "attackComplexity" : "LOW", + "privilegesRequired" : "LOW", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseScore" : 7.8, + "baseSeverity" : "HIGH" + }, + "exploitabilityScore" : 1.8, + "impactScore" : 5.9 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:L/AC:L/Au:N/C:P/I:P/A:P", + "accessVector" : "LOCAL", + "accessComplexity" : "LOW", + "authentication" : "NONE", + "confidentialityImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "baseScore" : 4.6 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 3.9, + "impactScore" : 6.4, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : false + } + }, + "publishedDate" : "2019-10-09T22:15Z", + "lastModifiedDate" : "2019-10-11T13:19Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" 
: { + "ID" : "CVE-2019-1010180", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-119" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.securityfocus.com/bid/109367", + "name" : "109367", + "refsource" : "BID", + "tags" : [ "Third Party Advisory", "VDB Entry" ] + }, { + "url" : "https://sourceware.org/bugzilla/show_bug.cgi?id=23657", + "name" : "https://sourceware.org/bugzilla/show_bug.cgi?id=23657", + "refsource" : "MISC", + "tags" : [ "Exploit", "Issue Tracking", "Third Party Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "GNU gdb All versions is affected by: Buffer Overflow - Out of bound memory access. The impact is: Deny of Service, Memory Disclosure, and Possible Code Execution. The component is: The main gdb module. The attack vector is: Open an ELF for debugging. The fixed version is: Not fixed yet." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:gnu:gdb:*:*:*:*:*:*:*:*" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", + "attackVector" : "LOCAL", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseScore" : 7.8, + "baseSeverity" : "HIGH" + }, + "exploitabilityScore" : 1.8, + "impactScore" : 5.9 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:M/Au:N/C:P/I:P/A:P", + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authentication" : "NONE", + "confidentialityImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + 
"availabilityImpact" : "PARTIAL", + "baseScore" : 6.8 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 8.6, + "impactScore" : 6.4, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : true + } + }, + "publishedDate" : "2019-07-24T13:15Z", + "lastModifiedDate" : "2019-08-01T15:39Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-1010204", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ { + "lang" : "en", + "value" : "CWE-125" + }, { + "lang" : "en", + "value" : "CWE-20" + } ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "https://security.netapp.com/advisory/ntap-20190822-0001/", + "name" : "https://security.netapp.com/advisory/ntap-20190822-0001/", + "refsource" : "CONFIRM", + "tags" : [ ] + }, { + "url" : "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "name" : "https://sourceware.org/bugzilla/show_bug.cgi?id=23765", + "refsource" : "MISC", + "tags" : [ "Issue Tracking", "Third Party Advisory" ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. The attack vector is: An ELF file with an invalid e_shoff header field must be opened." 
+ } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ { + "operator" : "OR", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:gnu:binutils:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "2.21", + "versionEndIncluding" : "2.31.1" + }, { + "vulnerable" : true, + "cpe23Uri" : "cpe:2.3:a:gnu:binutils_gold:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "1.11", + "versionEndIncluding" : "1.16" + } ] + } ] + }, + "impact" : { + "baseMetricV3" : { + "cvssV3" : { + "version" : "3.0", + "vectorString" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "attackVector" : "LOCAL", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "HIGH", + "baseScore" : 5.5, + "baseSeverity" : "MEDIUM" + }, + "exploitabilityScore" : 1.8, + "impactScore" : 3.6 + }, + "baseMetricV2" : { + "cvssV2" : { + "version" : "2.0", + "vectorString" : "AV:N/AC:M/Au:N/C:N/I:N/A:P", + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authentication" : "NONE", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "PARTIAL", + "baseScore" : 4.3 + }, + "severity" : "MEDIUM", + "exploitabilityScore" : 8.6, + "impactScore" : 2.9, + "acInsufInfo" : false, + "obtainAllPrivilege" : false, + "obtainUserPrivilege" : false, + "obtainOtherPrivilege" : false, + "userInteractionRequired" : true + } + }, + "publishedDate" : "2019-07-23T14:15Z", + "lastModifiedDate" : "2019-08-22T07:15Z" + }, { + "cve" : { + "data_type" : "CVE", + "data_format" : "MITRE", + "data_version" : "4.0", + "CVE_data_meta" : { + "ID" : "CVE-2019-18192", + "ASSIGNER" : "cve@mitre.org" + }, + "problemtype" : { + "problemtype_data" : [ { + "description" : [ ] + } ] + }, + "references" : { + "reference_data" : [ { + "url" : "http://www.openwall.com/lists/oss-security/2019/10/17/3", + "name" : 
"[oss-security] 20191017 CVE-2019-18192: Insecure permissions on Guix profile directory", + "refsource" : "MLIST", + "tags" : [ ] + }, { + "url" : "https://issues.guix.gnu.org/issue/37744", + "name" : "https://issues.guix.gnu.org/issue/37744", + "refsource" : "MISC", + "tags" : [ ] + } ] + }, + "description" : { + "description_data" : [ { + "lang" : "en", + "value" : "GNU Guix 1.0.1 allows local users to gain access to an arbitrary user's account because the parent directory of the user-profile directories is world writable, a similar issue to CVE-2019-17365." + } ] + } + }, + "configurations" : { + "CVE_data_version" : "4.0", + "nodes" : [ ] + }, + "impact" : { }, + "publishedDate" : "2019-10-17T20:15Z", + "lastModifiedDate" : "2019-10-17T20:29Z" + } ] +} diff --git a/tests/cve-sample.xml b/tests/cve-sample.xml deleted file mode 100644 index ce158490f1..0000000000 --- a/tests/cve-sample.xml +++ /dev/null 
@@ -1,616 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - cpe:/o:microsoft:windows_2000::sp2:professional - cpe:/o:linux:linux_kernel:2.4.4 - cpe:/o:microsoft:windows_2000_terminal_services::sp1 - cpe:/o:microsoft:windows_2000::sp1:advanced_server - cpe:/o:linux:linux_kernel:2.4.19 - cpe:/o:microsoft:windows_2000::sp2:advanced_server - cpe:/o:microsoft:windows_2000_terminal_services - cpe:/o:microsoft:windows_2000:::advanced_server - cpe:/o:linux:linux_kernel:2.4.20 - cpe:/o:netbsd:netbsd:1.5.1 - cpe:/o:microsoft:windows_2000_terminal_services::sp2 - cpe:/o:netbsd:netbsd:1.5.3 - cpe:/o:netbsd:netbsd:1.5.2 - cpe:/o:linux:linux_kernel:2.4.6 - cpe:/o:linux:linux_kernel:2.4.9 - cpe:/o:microsoft:windows_2000:::datacenter_server - cpe:/o:netbsd:netbsd:1.6 - cpe:/o:netbsd:netbsd:1.5 - cpe:/o:linux:linux_kernel:2.4.7 - cpe:/o:linux:linux_kernel:2.4.8 - cpe:/o:microsoft:windows_2000::sp1:datacenter_server - cpe:/o:microsoft:windows_2000::sp2:datacenter_server - cpe:/o:freebsd:freebsd:4.3 - cpe:/o:linux:linux_kernel:2.4.10 - cpe:/o:microsoft:windows_2000::sp1:server - cpe:/o:freebsd:freebsd:4.5 - cpe:/o:linux:linux_kernel:2.4.12 - cpe:/o:freebsd:freebsd:4.2 - cpe:/o:freebsd:freebsd:4.7 - cpe:/o:freebsd:freebsd:4.4 - cpe:/o:freebsd:freebsd:4.6 - cpe:/o:microsoft:windows_2000::sp2:server - cpe:/o:linux:linux_kernel:2.4.18 - cpe:/o:linux:linux_kernel:2.4.1 - cpe:/o:linux:linux_kernel:2.4.15 - cpe:/o:microsoft:windows_2000:::server - cpe:/o:linux:linux_kernel:2.4.17 - cpe:/o:linux:linux_kernel:2.4.14 - cpe:/o:linux:linux_kernel:2.4.2 - cpe:/o:microsoft:windows_2000:::professional - cpe:/o:linux:linux_kernel:2.4.11 - cpe:/o:linux:linux_kernel:2.4.5 - cpe:/o:linux:linux_kernel:2.4.16 - cpe:/o:microsoft:windows_2000::sp1:professional - cpe:/o:linux:linux_kernel:2.4.13 - cpe:/o:linux:linux_kernel:2.4.3 - - CVE-2003-0001 - 2003-01-17T00:00:00.000-05:00 - 2015-11-24T13:05:47.073-05:00 - - - 5.0 - NETWORK - LOW - 
NONE - PARTIAL - NONE - NONE - http://nvd.nist.gov - 2015-11-24T12:23:33.593-05:00 - - - - - - CERT-VN - VU#412115 - - - BUGTRAQ - 20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE - - - BUGTRAQ - 20030117 Re: More information regarding Etherleak - - - BUGTRAQ - 20030106 Etherleak: Ethernet frame padding information leakage (A010603-1) - - - REDHAT - RHSA-2003:088 - - - REDHAT - RHSA-2003:025 - - - OSVDB - 9962 - - - CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html - - - MISC - http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf - - - ATSTAKE - A010603-1 - - - FULLDISC - 20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE - - - MISC - http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html - - - BUGTRAQ - 20030110 More information regarding Etherleak - - - VULNWATCH - 20030110 More information regarding Etherleak - - - - - Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak. 
- - - - - - - - - cpe:/a:tcp:tcp - - CVE-2004-0230 - 2004-08-18T00:00:00.000-04:00 - 2015-11-24T13:06:40.597-05:00 - - - 5.0 - NETWORK - LOW - NONE - NONE - NONE - PARTIAL - http://nvd.nist.gov - 2015-11-24T12:17:30.930-05:00 - - - - - - - - - CERT - TA04-111A - - - CERT-VN - VU#415294 - - - CONFIRM - https://kc.mcafee.com/corporate/index?page=content&id=SB10053 - - - XF - tcp-rst-dos(15886) - - - VUPEN - ADV-2006-3983 - - - MISC - http://www.uniras.gov.uk/vuls/2004/236929/index.htm - - - BID - 10183 - - - BUGTRAQ - 20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE - - - HP - SSRT061264 - - - OSVDB - 4030 - - - CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html - - - MS - MS06-064 - - - MS - MS05-019 - - - CISCO - 20040420 TCP Vulnerabilities in Multiple IOS-Based Cisco Products - - - FULLDISC - 20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE - - - MISC - http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html - - - HP - SSRT4696 - - - BUGTRAQ - 20040425 Perl code exploting TCP not checking RST ACK. - - - CONFIRM - http://kb.juniper.net/JSA10638 - - - SGI - 20040403-01-A - - - SCO - SCOSA-2005.14 - - - SCO - SCOSA-2005.9 - - - SCO - SCOSA-2005.3 - - - NETBSD - NetBSD-SA2004-006 - - - - - - - - - - - - - - - - - TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP. 
- - - - - - - - - - cpe:/a:vastal:phpvid:1.1 - cpe:/a:vastal:phpvid:1.2 - - CVE-2008-2335 - 2008-05-19T09:20:00.000-04:00 - 2015-11-24T11:45:25.057-05:00 - - - 4.3 - NETWORK - MEDIUM - NONE - NONE - PARTIAL - NONE - http://nvd.nist.gov - 2015-11-24T10:50:05.737-05:00 - - - - - XF - phpvid-query-xss(42450) - - - VUPEN - ADV-2008-2552 - - - BID - 29238 - - - MILW0RM - 6422 - - - EXPLOIT-DB - 27519 - - - MISC - http://tetraph.com/security/xss-vulnerability/vastal-i-tech-phpvid-1-2-3-multiple-xss-cross-site-scripting-security-vulnerabilities/ - - - FULLDISC - 20150310 Vastal I-tech phpVID 1.2.3 Multiple XSS (Cross-site Scripting) Security Vulnerabilities - - - MISC - http://packetstormsecurity.com/files/130755/Vastal-I-tech-phpVID-1.2.3-Cross-Site-Scripting.html - - - MISC - http://packetstormsecurity.com/files/122746/PHP-VID-XSS-SQL-Injection-CRLF-Injection.html - - - OSVDB - 45171 - - - MISC - http://holisticinfosec.org/content/view/65/45/ - - Cross-site scripting (XSS) vulnerability in search_results.php in Vastal I-Tech phpVID 1.1 and 1.2 allows remote attackers to inject arbitrary web script or HTML via the query parameter. NOTE: some of these details are obtained from third party information. NOTE: it was later reported that 1.2.3 is also affected. 
- - - - - - - - - - - - - - cpe:/a:redhat:enterprise_virtualization:3.5 - cpe:/a:jasper_project:jasper:1.900.1 - - CVE-2008-3522 - 2008-10-02T14:18:05.790-04:00 - 2015-11-24T11:46:04.933-05:00 - - - 10.0 - NETWORK - LOW - NONE - COMPLETE - COMPLETE - COMPLETE - http://nvd.nist.gov - 2015-11-24T10:05:46.467-05:00 - - - ALLOWS_ADMIN_ACCESS - - - XF - jasper-jasstreamprintf-bo(45623) - - - UBUNTU - USN-742-1 - - - BID - 31470 - - - MANDRIVA - MDVSA-2009:164 - - - MANDRIVA - MDVSA-2009:144 - - - MANDRIVA - MDVSA-2009:142 - - - GENTOO - GLSA-200812-18 - - - REDHAT - RHSA-2015:0698 - - - MISC - http://bugs.gentoo.org/show_bug.cgi?id=222819 - - - MISC - http://bugs.gentoo.org/attachment.cgi?id=163282&action=view - - Buffer overflow in the jas_stream_printf function in libjasper/base/jas_stream.c in JasPer 1.900.1 might allow context-dependent attackers to have an unknown impact via vectors related to the mif_hdr_put function and use of vsprintf. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - cpe:/o:canonical:ubuntu_linux:10.04::~~lts~~~ - cpe:/o:canonical:ubuntu_linux:8.04:-:lts - cpe:/o:canonical:ubuntu_linux:10.10 - cpe:/a:sun:openoffice.org:2.1.0 - cpe:/a:sun:openoffice.org:2.3.0 - cpe:/a:sun:openoffice.org:2.2.1 - - - CVE-2009-3301 - 2010-02-16T14:30:00.533-05:00 - 2015-11-17T10:59:44.723-05:00 - - - 9.3 - NETWORK - MEDIUM - NONE - COMPLETE - COMPLETE - COMPLETE - http://nvd.nist.gov - 2015-11-17T10:02:50.097-05:00 - - - - - - CERT - TA10-287A - - - CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=533038 - - - XF - openoffice-word-sprmtdeftable-bo(56240) - - - VUPEN - ADV-2010-2905 - - - VUPEN - ADV-2010-0635 - - - VUPEN - ADV-2010-0366 - - - UBUNTU - USN-903-1 - - - BID - 38218 - - - REDHAT - RHSA-2010:0101 - - - CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html - - - CONFIRM - http://www.openoffice.org/security/cves/CVE-2009-3301-3302.html - - - CONFIRM - http://www.openoffice.org/security/bulletin.html - - - 
MANDRIVA - MDVSA-2010:221 - - - GENTOO - GLSA-201408-19 - - - DEBIAN - DSA-1995 - - - SECTRACK - 1023591 - - - SUSE - SUSE-SA:2010:017 - - - - - Integer underflow in filter/ww8/ww8par2.cxx in OpenOffice.org (OOo) before 3.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted sprmTDefTable table property modifier in a Word document. - - - CVE-2015-8330 - 2015-11-24T15:59:25.897-05:00 - 2015-11-24T15:59:26.930-05:00 - - MISC - https://www.onapsis.com/blog/analyzing-sap-security-notes-november-2015 - - - MISC - http://erpscan.com/advisories/erpscan-15-032-sap-pco-agent-dos-vulnerability/ - - The PCo agent in SAP Plant Connectivity (PCo) allows remote attackers to cause a denial of service (memory corruption and agent crash) via crafted xMII requests, aka SAP Security Note 2238619. - - diff --git a/tests/cve.scm b/tests/cve.scm index e95b21c073..b69da0e120 100644 --- a/tests/cve.scm +++ b/tests/cve.scm @@ -1,5 +1,5 @@ ;;; GNU Guix --- Functional package management for GNU -;;; Copyright © 2015, 2016 Ludovic Courtès +;;; Copyright © 2015, 2016, 2019 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -19,10 +19,11 @@ (define-module (test-cve) #:use-module (guix cve) #:use-module (srfi srfi-1) + #:use-module (srfi srfi-19) #:use-module (srfi srfi-64)) (define %sample - (search-path %load-path "tests/cve-sample.xml")) + (search-path %load-path "tests/cve-sample.json")) (define (vulnerability id packages) (make-struct/no-tail (@@ (guix cve) ) id packages)) 
@@ -30,34 +31,76 @@ (define %expected-vulnerabilities ;; What we should get when reading %SAMPLE. (list - ;; CVE-2003-0001 has no "/a" in its product list so it is omitted. - ;; CVE-2004-0230 lists "tcp" as an application, but lacks a version number. - (vulnerability "CVE-2008-2335" '(("phpvid" "1.2" "1.1"))) - (vulnerability "CVE-2008-3522" '(("enterprise_virtualization" "3.5") - ("jasper" "1.900.1"))) - (vulnerability "CVE-2009-3301" '(("openoffice.org" "2.3.0" "2.2.1" "2.1.0"))) - ;; CVE-2015-8330 has no software list. + (vulnerability "CVE-2019-0001" + ;; Only the "a" CPE configurations are kept; the "o" + ;; configurations are discarded. + '(("junos" (or "18.21-s4" (or "18.21-s3" "18.2"))))) + (vulnerability "CVE-2019-0005" + '(("junos" (or "18.11" "18.1")))) + ;; CVE-2019-0005 has no "a" configurations. + (vulnerability "CVE-2019-14811" + '(("ghostscript" (< "9.28")))) + (vulnerability "CVE-2019-17365" + '(("nix" (<= "2.3")))) + (vulnerability "CVE-2019-1010180" + '(("gdb" _))) ;any version + (vulnerability "CVE-2019-1010204" + '(("binutils" (and (>= "2.21") (<= "2.31.1"))) + ("binutils_gold" (and (>= "1.11") (<= "1.16"))))) + ;; CVE-2019-18192 has no associated configurations. 
)) (test-begin "cve") -(test-equal "xml->vulnerabilities" +(test-equal "json->cve-items" + '("CVE-2019-0001" + "CVE-2019-0005" + "CVE-2019-14811" + "CVE-2019-17365" + "CVE-2019-1010180" + "CVE-2019-1010204" + "CVE-2019-18192") + (map (compose cve-id cve-item-cve) + (call-with-input-file %sample json->cve-items))) + +(test-equal "cve-item-published-date" + '(2019) + (delete-duplicates + (map (compose date-year cve-item-published-date) + (call-with-input-file %sample json->cve-items)))) + +(test-equal "json->vulnerabilities" %expected-vulnerabilities - (call-with-input-file %sample xml->vulnerabilities)) + (call-with-input-file %sample json->vulnerabilities)) (test-equal "vulnerabilities->lookup-proc" - (list (list (first %expected-vulnerabilities)) + (list (list (third %expected-vulnerabilities)) ;ghostscript + (list (third %expected-vulnerabilities)) + '() + + (list (fifth %expected-vulnerabilities)) ;gdb + (list (fifth %expected-vulnerabilities)) + + (list (fourth %expected-vulnerabilities)) ;nix '() + + (list (sixth %expected-vulnerabilities)) ;binutils '() - (list (second %expected-vulnerabilities)) - (list (third %expected-vulnerabilities))) - (let* ((vulns (call-with-input-file %sample xml->vulnerabilities)) + (list (sixth %expected-vulnerabilities)) + '()) + (let* ((vulns (call-with-input-file %sample json->vulnerabilities)) (lookup (vulnerabilities->lookup-proc vulns))) - (list (lookup "phpvid") - (lookup "jasper" "2.0") - (lookup "foobar") - (lookup "jasper" "1.900.1") - (lookup "openoffice.org" "2.3.0")))) + (list (lookup "ghostscript") + (lookup "ghostscript" "9.27") + (lookup "ghostscript" "9.28") + (lookup "gdb") + (lookup "gdb" "42.0") + (lookup "nix") + (lookup "nix" "2.4") + (lookup "binutils" "2.31.1") + (lookup "binutils" "2.10") + (lookup "binutils_gold" "1.11") + (lookup "binutils" "2.32")))) (test-end "cve") -- cgit v1.2.3 From 9efa2c28a4f842b7ca1977e084299de441842856 Mon Sep 17 00:00:00 2001 
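Review bot: The comment `;; CVE-2019-0005 has no "a" configurations.` contradicts the expectation immediately above it, which asserts that CVE-2019-0005 does yield `("junos" (or "18.11" "18.1"))`. The sample's `cpe:2.3:a:juniper:junos:18.1` entries sit in a configuration whose CVE id is outside this chunk, so I cannot tell whether the comment names the wrong CVE or the expectation pins a parser mistake; either way one of the two should change, e.g. reword the comment to name the entry that really has only `o`/`h` CPEs, or drop it. Separately, `"18.11"` and `"18.21-s4"` appear to be built by folding the CPE update field (`r1`, `r1-s4`) into the version, which makes junos 18.1 r1 indistinguishable from a hypothetical 18.11 release at lookup time; if that encoding is intended, a comment on the expectation such as `;; "18.11" is 18.1 with update "r1" folded into the version.` would keep the next reader from "fixing" it.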
From: Ludovic Courtès Date: Sun, 20 Oct 2019 22:17:59 +0200 Subject: lint: Re-enable CVE checker. This reverts d7fcd9c565812919109ae88049f5d8bf4c56f9bd. * guix/lint.scm (%network-dependent-checkers): Re-enable 'cve checker. --- guix/lint.scm | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) (limited to 'guix') diff --git a/guix/lint.scm b/guix/lint.scm index 6336cf4e3b..03a8e88225 100644 --- a/guix/lint.scm +++ b/guix/lint.scm @@ -1319,17 +1319,11 @@ or a list thereof") (name 'github-url) (description "Suggest GitHub URLs") (check check-github-url)) - - ;; FIXME: Commented out as a consequence of the XML CVE feed retirement: - ;; . - ;; Reinstate it once the JSON feed is supported. - - ;; (lint-checker - ;; (name 'cve) - ;; (description "Check the Common Vulnerabilities and Exposures\ - ;; (CVE) database") - ;; (check check-vulnerabilities)) - + (lint-checker + (name 'cve) + (description "Check the Common Vulnerabilities and Exposures\ + (CVE) database") + (check check-vulnerabilities)) (lint-checker (name 'refresh) (description "Check the package for new upstream releases") -- cgit v1.2.3 From 51395c84fdbf8daed6392951a973ad750cf3eefa Mon Sep 17 00:00:00 2001 From: Julien Lepiller Date: Mon, 21 Oct 2019 21:48:31 +0200 Subject: guix: svn: Allow dropping externals. * guix/build/svn.scm (svn-fetch): Allow to ignore externals. * guix/svn-download.scm (svn-reference, svn-multi-reference): Add recursive? field. --- guix/build/svn.scm | 4 ++++ guix/svn-download.scm | 15 +++++++++++---- 2 files changed, 15 insertions(+), 4 deletions(-) (limited to 'guix') diff --git a/guix/build/svn.scm b/guix/build/svn.scm index e3188add3e..33783f3056 100644 --- a/guix/build/svn.scm +++ b/guix/build/svn.scm @@ -31,6 +31,7 @@ (define* (svn-fetch url revision directory #:key (svn-command "svn") + (recursive? #t) (user-name #f) (password #f)) "Fetch REVISION from URL into DIRECTORY. REVISION must be an integer, and a 
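Review bot: The new `recursive?` keyword is not mentioned in the docstring that begins on the hunk's last line (`svn-fetch`'s docstring and body continue in the next hunk). Because `#f` makes the checkout skip svn:externals, it changes which files land in DIRECTORY and therefore the content hash a fixed-output origin must declare, so callers need to know that flipping the flag requires re-hashing. Suggest adding: `When RECURSIVE? is false, svn:externals are not checked out, which changes the resulting tree and its hash.` It is also worth saying there that externals may pull content from other repositories, so `#f` is the way to keep the fetch confined to URL.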
@@ -45,6 +46,9 @@ valid Subversion revision. Return #t on success, #f otherwise." (list (string-append "--username=" user-name) (string-append "--password=" password)) '()) + ,@(if recursive? + '() + (list "--ignore-externals")) ,url ,directory)) #t) diff --git a/guix/svn-download.scm b/guix/svn-download.scm index 4139cbc2e2..d912474aa2 100644 --- a/guix/svn-download.scm +++ b/guix/svn-download.scm @@ -31,6 +31,7 @@ svn-reference? svn-reference-url svn-reference-revision + svn-reference-recursive? svn-fetch download-svn-to-store @@ -39,6 +40,7 @@ svn-multi-reference-url svn-multi-reference-revision svn-multi-reference-locations + svn-multi-reference-recursive? svn-multi-fetch)) ;;; Commentary: @@ -52,10 +54,11 @@ (define-record-type* svn-reference make-svn-reference svn-reference? - (url svn-reference-url) ; string - (revision svn-reference-revision) ; number - (user-name svn-reference-user-name (default #f)) - (password svn-reference-password (default #f))) + (url svn-reference-url) ; string + (revision svn-reference-revision) ; number + (recursive? svn-reference-recursive? (default #t)) + (user-name svn-reference-user-name (default #f)) + (password svn-reference-password (default #f))) (define (subversion-package) "Return the default Subversion package." @@ -78,6 +81,7 @@ HASH-ALGO (a symbol). Use NAME as the file name, or a generic name if #f." '#$(svn-reference-revision ref) #$output #:svn-command (string-append #+svn "/bin/svn") + #:recursive? #$(svn-reference-recursive? ref) #:user-name #$(svn-reference-user-name ref) #:password #$(svn-reference-password ref))))) 
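Review bot: The new `recursive?` field of the `svn-reference` record lacks the trailing type comment its siblings carry (`; string`, `; number`), and nothing in the record says what the flag controls. Suggest `(recursive? svn-reference-recursive? (default #t)) ; boolean: check out svn:externals?` so readers of the record do not have to find the `--ignore-externals` mapping in guix/build/svn.scm. The matching field added to `svn-multi-reference` in the next hunk would benefit from the same comment.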
@@ -96,6 +100,7 @@ HASH-ALGO (a symbol). Use NAME as the file name, or a generic name if #f." (url svn-multi-reference-url) ; string (revision svn-multi-reference-revision) ; number (locations svn-multi-reference-locations) ; list of strings + (recursive? svn-multi-reference-recursive? (default #t)) (user-name svn-multi-reference-user-name (default #f)) (password svn-multi-reference-password (default #f))) @@ -125,6 +130,8 @@ HASH-ALGO (a symbol). Use NAME as the file name, or a generic name if #f." (string-append #$output "/" location) (string-append #$output "/" (dirname location))) #:svn-command (string-append #+svn "/bin/svn") + #:recursive? + #$(svn-reference-recursive? ref) #:user-name #$(svn-multi-reference-user-name ref) #:password #$(svn-multi-reference-password ref))) '#$(svn-multi-reference-locations ref))))) -- cgit v1.2.3 From 8a2b23178274127dac07e1163267d623790ce36a Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Thu, 24 Oct 2019 00:57:23 +0200 Subject: Revert "guix: svn: Allow dropping externals." This reverts commit 51395c84fdbf8daed6392951a973ad750cf3eefa, fixing . Reported by . --- guix/build/svn.scm | 4 ---- guix/svn-download.scm | 15 ++++----------- 2 files changed, 4 insertions(+), 15 deletions(-) (limited to 'guix') diff --git a/guix/build/svn.scm b/guix/build/svn.scm index 33783f3056..e3188add3e 100644 --- a/guix/build/svn.scm +++ b/guix/build/svn.scm @@ -31,7 +31,6 @@ (define* (svn-fetch url revision directory #:key (svn-command "svn") - (recursive? #t) (user-name #f) (password #f)) "Fetch REVISION from URL into DIRECTORY. REVISION must be an integer, and a @@ -46,9 +45,6 @@ valid Subversion revision. Return #t on success, #f otherwise." (list (string-append "--username=" user-name) (string-append "--password=" password)) '()) - ,@(if recursive? - '() - (list "--ignore-externals")) ,url ,directory)) #t) diff --git a/guix/svn-download.scm b/guix/svn-download.scm index d912474aa2..4139cbc2e2 100644 --- a/guix/svn-download.scm 
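Review bot: In the `svn-multi-fetch` gexp (`@@ -125` hunk) the new line applies `svn-reference-recursive?` to REF, but REF there is an `svn-multi-reference` — the neighbouring lines read `svn-multi-reference-user-name` and `svn-multi-reference-password` — so the accessor of the other record type is used; it should be `#$(svn-multi-reference-recursive? ref)`, the accessor added in the `@@ -96` hunk. Presumably the record accessor rejects a value of the wrong type, in which case every `svn-multi-reference` origin would fail at lowering time. The enclosing definition starts and ends outside the hunk.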
+++ b/guix/svn-download.scm @@ -31,7 +31,6 @@ svn-reference? svn-reference-url svn-reference-revision - svn-reference-recursive? svn-fetch download-svn-to-store @@ -40,7 +39,6 @@ svn-multi-reference-url svn-multi-reference-revision svn-multi-reference-locations - svn-multi-reference-recursive? svn-multi-fetch)) ;;; Commentary: @@ -54,11 +52,10 @@ (define-record-type* svn-reference make-svn-reference svn-reference? - (url svn-reference-url) ; string - (revision svn-reference-revision) ; number - (recursive? svn-reference-recursive? (default #t)) - (user-name svn-reference-user-name (default #f)) - (password svn-reference-password (default #f))) + (url svn-reference-url) ; string + (revision svn-reference-revision) ; number + (user-name svn-reference-user-name (default #f)) + (password svn-reference-password (default #f))) (define (subversion-package) "Return the default Subversion package." @@ -81,7 +78,6 @@ HASH-ALGO (a symbol). Use NAME as the file name, or a generic name if #f." '#$(svn-reference-revision ref) #$output #:svn-command (string-append #+svn "/bin/svn") - #:recursive? #$(svn-reference-recursive? ref) #:user-name #$(svn-reference-user-name ref) #:password #$(svn-reference-password ref))))) @@ -100,7 +96,6 @@ HASH-ALGO (a symbol). Use NAME as the file name, or a generic name if #f." (url svn-multi-reference-url) ; string (revision svn-multi-reference-revision) ; number (locations svn-multi-reference-locations) ; list of strings - (recursive? svn-multi-reference-recursive? (default #t)) (user-name svn-multi-reference-user-name (default #f)) (password svn-multi-reference-password (default #f))) 
@@ -130,8 +125,6 @@ HASH-ALGO (a symbol). Use NAME as the file name, or a generic name if #f." (string-append #$output "/" location) (string-append #$output "/" (dirname location))) #:svn-command (string-append #+svn "/bin/svn") - #:recursive? - #$(svn-reference-recursive? ref) #:user-name #$(svn-multi-reference-user-name ref) #:password #$(svn-multi-reference-password ref))) '#$(svn-multi-reference-locations ref))))) -- cgit v1.2.3 From b3673e9917217fc27c743092e58e4eb33d0fdd16 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Thu, 24 Oct 2019 18:15:15 +0200 Subject: guix build: Warn when '--keep-failed' is passed to a remote daemon. * guix/scripts/build.scm (set-build-options-from-command-line): When OPTS has 'keep-failed?' set, check whether STORE is connected over AF_UNIX and warn when it's not. --- guix/scripts/build.scm | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'guix') diff --git a/guix/scripts/build.scm b/guix/scripts/build.scm index 3ee0b737fe..ee1a9a81c1 100644 --- a/guix/scripts/build.scm +++ b/guix/scripts/build.scm @@ -523,6 +523,20 @@ options handled by 'set-build-options-from-command-line', and listed in "Given OPTS, an alist as returned by 'args-fold' given '%standard-build-options', set the corresponding build options on STORE." ;; TODO: Add more options. + + ;; '--keep-failed' has no effect when talking to a remote daemon. Catch the + ;; case where GUIX_DAEMON_SOCKET=guix://…. + (when (and (assoc-ref opts 'keep-failed?) + (let* ((socket (store-connection-socket store)) + (peer (catch 'system-error + (lambda () + (and (file-port? socket) + (getpeername socket))) + (const #f)))) + (and peer (not (= AF_UNIX (sockaddr:fam peer)))))) + (warning (G_ "'--keep-failed' ignored since you are \ +talking to a remote daemon\n"))) + (set-build-options store #:keep-failed? (assoc-ref opts 'keep-failed?) #:keep-going? (assoc-ref opts 'keep-going?) -- cgit v1.2.3 From b1b27f284fa5e9529b1ce2edffff9cce952b8849 Mon Sep 17 00:00:00 2001 
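Review bot: The remote-daemon test in the new `when` condition only classifies socket connections: when `store-connection-socket` is not a file port, or `getpeername` fails, the `and` yields #f and the daemon is silently treated as local, so a daemon reached through any other transport still gets no warning. The `guix://` comment implies that scope but does not state it, and the predicate is buried inside the `when` condition, which makes the intent hard to read. I would extract it as an internal helper carrying that caveat, leaving the condition as `(when (and (assoc-ref opts 'keep-failed?) (remote-daemon? store)) ...)`. The enclosing `set-build-options-from-command-line` body continues outside the hunk.
```scheme
  (define (remote-daemon? store)
    ;; Return #t when STORE talks to the daemon over a non-AF_UNIX socket.
    ;; Only socket connections can be classified: when the connection is not
    ;; a file port, or 'getpeername' fails, conservatively answer #f.
    (let* ((socket (store-connection-socket store))
           (peer (catch 'system-error
                   (lambda ()
                     (and (file-port? socket)
                          (getpeername socket)))
                   (const #f))))
      (and peer (not (= AF_UNIX (sockaddr:fam peer))))))

  ;; '--keep-failed' has no effect when talking to a remote daemon.  Catch the
  ;; case where GUIX_DAEMON_SOCKET=guix://….
  (when (and (assoc-ref opts 'keep-failed?)
             (remote-daemon? store))
    (warning (G_ "'--keep-failed' ignored since you are \
talking to a remote daemon\n")))
  ;; … unchanged: 'set-build-options' call …
```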
From: Ludovic Courtès Date: Thu, 24 Oct 2019 19:35:29 +0200 Subject: guix build: Remove obsolete TODO. * guix/scripts/build.scm (set-build-options-from-command-line): Remove obsolete TODO comment. --- guix/scripts/build.scm | 1 - 1 file changed, 1 deletion(-) (limited to 'guix') diff --git a/guix/scripts/build.scm b/guix/scripts/build.scm index ee1a9a81c1..9ad7379bbe 100644 --- a/guix/scripts/build.scm +++ b/guix/scripts/build.scm @@ -522,7 +522,6 @@ options handled by 'set-build-options-from-command-line', and listed in (define (set-build-options-from-command-line store opts) "Given OPTS, an alist as returned by 'args-fold' given '%standard-build-options', set the corresponding build options on STORE." - ;; TODO: Add more options. ;; '--keep-failed' has no effect when talking to a remote daemon. Catch the ;; case where GUIX_DAEMON_SOCKET=guix://…. -- cgit v1.2.3 From cf7648f882380dd7a4e82760ecc10cc6078498eb Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 27 Oct 2019 15:18:31 +0100 Subject: derivations: Introduce 'imported+compiled-modules'. * guix/derivations.scm (imported+compiled-modules): New procedure. (build-expression->derivation): Use it instead of separate calls to '%imported-modules' and '%compiled-modules'. --- guix/derivations.scm | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) (limited to 'guix') diff --git a/guix/derivations.scm b/guix/derivations.scm index e1073ea39b..8309f845d9 100644 --- a/guix/derivations.scm +++ b/guix/derivations.scm 
@@ -1207,6 +1207,14 @@ they can refer to each other." #:guile-for-build guile #:local-build? #t))) +(define* (imported+compiled-modules store modules #:key + (system (%current-system)) + (guile (%guile-for-build))) + "Return a pair containing the derivation to import MODULES and that where +MODULES are compiled." + (cons (%imported-modules store modules #:system system #:guile guile) + (%compiled-modules store modules #:system system #:guile guile))) + (define* (build-expression->derivation store name exp ;deprecated #:key (system (%current-system)) @@ -1330,16 +1338,15 @@ and PROPERTIES." ;; fixed-output. (filter-map source-path inputs))) - (mod-drv (and (pair? modules) - (%imported-modules store modules - #:guile guile-drv - #:system system))) + (mod+go-drv (if (pair? modules) + (imported+compiled-modules store modules + #:guile guile-drv + #:system system) + '(#f . #f))) + (mod-drv (car mod+go-drv)) + (go-drv (cdr mod+go-drv)) (mod-dir (and mod-drv (derivation->output-path mod-drv))) - (go-drv (and (pair? modules) - (%compiled-modules store modules - #:guile guile-drv - #:system system))) (go-dir (and go-drv (derivation->output-path go-drv)))) (derivation store name guile -- cgit v1.2.3 From f726f6f8021e78b6a50ca0dbdb4acc91ed2161c4 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 27 Oct 2019 15:24:41 +0100 Subject: derivations: 'build-expression->derivation' caches its module derivations. This reduces the number of lookups in the 'add-data-to-store' cache from 7505 to 3329 (hit rate from 68% to 27%) when running: GUIX_PROFILING=add-data-to-store-cache guix build libreoffice -nd The execution time of "guix build libreoffice -nd" goes from 2.12s to 1.87s. * guix/derivations.scm (%module-cache): New variable. (imported+compiled-modules)[key]: New variable. Lookup KEY in %MODULE-CACHE and populate %MODULE-CACHE upon cache miss. --- guix/derivations.scm | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'guix') 
diff --git a/guix/derivations.scm b/guix/derivations.scm index 8309f845d9..140c22b620 100644 --- a/guix/derivations.scm +++ b/guix/derivations.scm @@ -1207,13 +1207,25 @@ they can refer to each other." #:guile-for-build guile #:local-build? #t))) +(define %module-cache + ;; Map a list of modules to its 'imported+compiled-modules' result. + (make-weak-value-hash-table)) + (define* (imported+compiled-modules store modules #:key (system (%current-system)) (guile (%guile-for-build))) "Return a pair containing the derivation to import MODULES and that where MODULES are compiled." - (cons (%imported-modules store modules #:system system #:guile guile) - (%compiled-modules store modules #:system system #:guile guile))) + (define key + (list modules (derivation-file-name guile) system)) + + (or (hash-ref %module-cache key) + (let ((result (cons (%imported-modules store modules + #:system system #:guile guile) + (%compiled-modules store modules + #:system system #:guile guile)))) + (hash-set! %module-cache key result) + result))) (define* (build-expression->derivation store name exp ;deprecated #:key -- cgit v1.2.3 From f58b45350b0ebfc36a707d9e986f5fe904af3605 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 27 Oct 2019 18:55:44 +0100 Subject: gexp: Add 'imported+compiled-modules'. * guix/gexp.scm (imported+compiled-modules): New procedure. (lower-gexp): Use it instead of separate calls to 'imported-modules' and 'compiled-modules'. --- guix/gexp.scm | 45 +++++++++++++++++++++++++++++++-------------- 1 file changed, 31 insertions(+), 14 deletions(-) (limited to 'guix') diff --git a/guix/gexp.scm b/guix/gexp.scm index 7323277511..fa74e80cd6 100644 --- a/guix/gexp.scm +++ b/guix/gexp.scm 
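Review bot: `%module-cache` is a weak-value table, but the value stored is the fresh pair consed in the `let` and nothing but the caller's return value holds it; once the caller drops that pair the entry becomes collectable, so the cache can empty itself between calls and the hit rate depends on GC timing. A regular `(make-hash-table)` matches the intent of caching for the life of the process, and the key `(list modules (derivation-file-name guile) system)` keeps the table small. The table is also never cleared; if it is meant for long-running evaluators it should presumably be covered by the same invalidation entry point as the other memoized derivation helpers, or the comment should say why that is unnecessary.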
@@ -654,6 +654,28 @@ names and file names suitable for the #:allowed-references argument to (load-path lowered-gexp-load-path) ;list of store items (load-compiled-path lowered-gexp-load-compiled-path)) ;list of store items +(define* (imported+compiled-modules modules system + #:key (extensions '()) + deprecation-warnings guile + (module-path %load-path)) + "Return a pair where the first element is the imported MODULES and the +second element is the derivation to compile them." + (mlet %store-monad ((modules (if (pair? modules) + (imported-modules modules + #:system system + #:module-path module-path) + (return #f))) + (compiled (if (pair? modules) + (compiled-modules modules + #:system system + #:module-path module-path + #:extensions extensions + #:guile guile + #:deprecation-warnings + deprecation-warnings) + (return #f)))) + (return (cons modules compiled)))) + (define* (lower-gexp exp #:key (module-path %load-path) @@ -719,20 +741,15 @@ derivations--e.g., code evaluated for its side effects." (lambda (obj) (lower-object obj system)) extensions)) - (modules (if (pair? %modules) - (imported-modules %modules - #:system system - #:module-path module-path) - (return #f))) - (compiled (if (pair? %modules) - (compiled-modules %modules - #:system system - #:module-path module-path - #:extensions extensions - #:guile guile - #:deprecation-warnings - deprecation-warnings) - (return #f)))) + (modules+compiled (imported+compiled-modules + %modules system + #:extensions extensions + #:deprecation-warnings + deprecation-warnings + #:guile guile + #:module-path module-path)) + (modules -> (car modules+compiled)) + (compiled -> (cdr modules+compiled))) (define load-path (search-path modules exts (string-append "/share/guile/site/" effective-version))) -- cgit v1.2.3 From c57e417eff8649fce44041bc8e187a3e0c91b801 Mon Sep 17 00:00:00 2001 
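Review bot: Inside the `mlet` of the new `imported+compiled-modules`, the bound variable `modules` shadows the MODULES parameter while the init expression for `compiled`, `(if (pair? modules) ...)`, is meant to read the parameter; whether it sees the list or the freshly bound derivation depends on whether `mlet` binds in parallel or sequentially, which every reader has to look up. Binding the first result under another name, e.g. `(imported (if (pair? modules) ...))` and `(return (cons imported compiled))`, removes the ambiguity. The docstring also says the first element "is the imported MODULES"; it is the derivation returned by `imported-modules`, or #f when MODULES is empty, and the same holds for the second element — worth stating since `lower-gexp` (`@@ -719` hunk) takes both with unchecked `car`/`cdr`.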
From: Ludovic Courtès Date: Sun, 27 Oct 2019 19:08:15 +0100 Subject: store: Allow objects in the cache to be inserted and search for with 'equal?'. * guix/store.scm (cache-object-mapping): Add #:vhash-cons parameter and honor it. (lookup-cached-object): Add #:vhash-fold* parameter and honor it. (%mcached): Add #:vhash-fold* and #:vhash-cons and honor them. (mcached): Add clauses with 'eq?' and 'equal?' as the first argument. --- guix/store.scm | 67 +++++++++++++++++++++++++++++++++++++--------------------- 1 file changed, 43 insertions(+), 24 deletions(-) (limited to 'guix') diff --git a/guix/store.scm b/guix/store.scm index 382aad29d9..a276554a52 100644 --- a/guix/store.scm +++ b/guix/store.scm @@ -1612,10 +1612,11 @@ This makes sense only when the daemon was started with '--cache-failures'." ;; from %STATE-MONAD. (template-directory instantiations %store-monad) -(define* (cache-object-mapping object keys result) +(define* (cache-object-mapping object keys result + #:key (vhash-cons vhash-consq)) "Augment the store's object cache with a mapping from OBJECT/KEYS to RESULT. KEYS is a list of additional keys to match against, for instance a (SYSTEM -TARGET) tuple. +TARGET) tuple. Use VHASH-CONS to insert OBJECT into the cache. OBJECT is typically a high-level object such as a or an , and RESULT is typically its derivation." @@ -1623,8 +1624,8 @@ and RESULT is typically its derivation." (values result (store-connection (inherit store) - (object-cache (vhash-consq object (cons result keys) - (store-connection-object-cache store))))))) + (object-cache (vhash-cons object (cons result keys) + (store-connection-object-cache store))))))) (define record-cache-lookup! (if (profiled? "object-cache") 
@@ -1653,11 +1654,12 @@ and RESULT is typically its derivation." (lambda (x y) #t))) -(define* (lookup-cached-object object #:optional (keys '())) +(define* (lookup-cached-object object #:optional (keys '()) + #:key (vhash-fold* vhash-foldq*)) "Return the cached object in the store connection corresponding to OBJECT -and KEYS. KEYS is a list of additional keys to match against, and which are -compared with 'equal?'. Return #f on failure and the cached result -otherwise." +and KEYS; use VHASH-FOLD* to look for OBJECT in the cache. KEYS is a list of +additional keys to match against, and which are compared with 'equal?'. +Return #f on failure and the cached result otherwise." (lambda (store) (let* ((cache (store-connection-object-cache store)) 
@@ -1665,33 +1667,50 @@ otherwise." ;; the whole vlist chain and significantly reduces the number of ;; 'hashq' calls. (value (let/ec return - (vhash-foldq* (lambda (item result) - (match item - ((value . keys*) - (if (equal? keys keys*) - (return value) - result)))) - #f object - cache)))) + (vhash-fold* (lambda (item result) + (match item + ((value . keys*) + (if (equal? keys keys*) + (return value) + result)))) + #f object + cache)))) (record-cache-lookup! value cache) (values value store)))) -(define* (%mcached mthunk object #:optional (keys '())) +(define* (%mcached mthunk object #:optional (keys '()) + #:key + (vhash-cons vhash-consq) + (vhash-fold* vhash-foldq*)) "Bind the monadic value returned by MTHUNK, which supposedly corresponds to -OBJECT/KEYS, or return its cached value." - (mlet %store-monad ((cached (lookup-cached-object object keys))) +OBJECT/KEYS, or return its cached value. Use VHASH-CONS to insert OBJECT into +the cache, and VHASH-FOLD* to look it up." + (mlet %store-monad ((cached (lookup-cached-object object keys + #:vhash-fold* vhash-fold*))) (if cached (return cached) (>>= (mthunk) (lambda (result) - (cache-object-mapping object keys result)))))) + (cache-object-mapping object keys result + #:vhash-cons vhash-cons)))))) -(define-syntax-rule (mcached mvalue object keys ...) - "Run MVALUE, which corresponds to OBJECT/KEYS, and cache it; or return the +(define-syntax mcached + (syntax-rules (eq? equal?) + "Run MVALUE, which corresponds to OBJECT/KEYS, and cache it; or return the value associated with OBJECT/KEYS in the store's object cache if there is one." - (%mcached (lambda () mvalue) - object (list keys ...))) + ((_ eq? mvalue object keys ...) + (%mcached (lambda () mvalue) + object (list keys ...) + #:vhash-cons vhash-consq + #:vhash-fold* vhash-foldq*)) + ((_ equal? mvalue object keys ...) + (%mcached (lambda () mvalue) + object (list keys ...) + #:vhash-cons vhash-cons + #:vhash-fold* vhash-fold*)) + ((_ mvalue object keys ...) 
+ (mcached eq? mvalue object keys ...)))) (define (preserve-documentation original proc) "Return PROC with documentation taken from ORIGINAL." -- cgit v1.2.3 From f5fca9a82cec76d2e10b8b6c96be2dd79f638ba0 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 27 Oct 2019 19:12:11 +0100 Subject: gexp: Cache the module to derivation mappings. This reduces the number of 'add-data-to-store' cache lookups from 3329 to 2743 (hit rate: 27% to 11%) when running: GUIX_PROFILING=add-data-to-store-cache guix build libreoffice -nd Execution time of "guix build libreoffice -nd" goes from 1.86s to 1.80s. * guix/gexp.scm (imported+compiled-modules): Wrap body in 'mcached'. --- guix/gexp.scm | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-) (limited to 'guix') diff --git a/guix/gexp.scm b/guix/gexp.scm index fa74e80cd6..b640c079e4 100644 --- a/guix/gexp.scm +++ b/guix/gexp.scm 
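Review bot: The `mcached` docstring in the `@@ -1665` hunk is left unchanged and does not mention the new leading `eq?`/`equal?` selector, so the macro's help text gives no hint that it exists or that `eq?` is the default. Add a sentence such as `When the first argument is EQ? or EQUAL?, OBJECT is inserted into and looked up from the cache with that predicate; the default is EQ?.` Because the selectors are `syntax-rules` literals, a use site that locally rebinds `eq?` or `equal?` would silently fall through to the default clause, which is presumably acceptable but worth a short comment next to the literal list.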
@@ -660,21 +660,24 @@ names and file names suitable for the #:allowed-references argument to (module-path %load-path)) "Return a pair where the first element is the imported MODULES and the second element is the derivation to compile them." - (mlet %store-monad ((modules (if (pair? modules) - (imported-modules modules - #:system system - #:module-path module-path) - (return #f))) - (compiled (if (pair? modules) - (compiled-modules modules - #:system system - #:module-path module-path - #:extensions extensions - #:guile guile - #:deprecation-warnings - deprecation-warnings) - (return #f)))) - (return (cons modules compiled)))) + (mcached equal? + (mlet %store-monad ((modules (if (pair? modules) + (imported-modules modules + #:system system + #:module-path module-path) + (return #f))) + (compiled (if (pair? modules) + (compiled-modules modules + #:system system + #:module-path module-path + #:extensions extensions + #:guile guile + #:deprecation-warnings + deprecation-warnings) + (return #f)))) + (return (cons modules compiled))) + modules + system extensions guile deprecation-warnings module-path)) (define* (lower-gexp exp #:key -- cgit v1.2.3 From d727a9343d861cf775645df8be5bfefd43d6c6f0 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 27 Oct 2019 19:19:14 +0100 Subject: derivations: Don't memoize 'derivation->bytevector'. Its hit rate was only 8%. Removing it reduces heap size of "guix build libreoffice -nd" from 69MiB to 61MiB and the wall-clock time is unchanged. * guix/derivations.scm (derivation->bytevector): Change from 'mlambda' to 'lambda'. --- guix/derivations.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'guix') diff --git a/guix/derivations.scm b/guix/derivations.scm index 140c22b620..706c650469 100644 --- a/guix/derivations.scm +++ b/guix/derivations.scm 
@@ -622,7 +622,7 @@ that form." (display ")" port)))) (define derivation->bytevector - (mlambda (drv) + (lambda (drv) "Return the external representation of DRV as a UTF-8-encoded string." (with-fluids ((%default-port-encoding "UTF-8")) (call-with-values open-bytevector-output-port -- cgit v1.2.3 From b74ed90916dce6239dbe6842548f82e22fc8c249 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sun, 27 Oct 2019 23:00:39 +0100 Subject: channels: Refer to 'guile-json-3'. Fixes a regression introduced in 84af1e74029fd4c43636f7d8d3e6f82ddab9ce82. * guix/channels.scm (whole-package-for-legacy): Refer to GUILE-JSON-3, not GUILE-JSON. --- guix/channels.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'guix') diff --git a/guix/channels.scm b/guix/channels.scm index 2c28dccbcb..826ee729ad 100644 --- a/guix/channels.scm +++ b/guix/channels.scm @@ -505,7 +505,7 @@ modules in the old ~/.config/guix/latest style." ;; In the "old style", %SELF-BUILD-FILE would simply return a ;; derivation that builds modules. We have to infer what the ;; dependencies of these modules were. - (list guile-json guile-git guile-bytestructures + (list guile-json-3 guile-git guile-bytestructures (ssh -> guile-ssh) (tls -> gnutls))))) (define (old-style-guix? drv) -- cgit v1.2.3 From 49af34cfac89d384c46269bfd9388b2c73b1220a Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Tue, 22 Oct 2019 18:05:51 +0200 Subject: pull: Honor '/etc/guix/channels.scm'. * guix/scripts/pull.scm (channel-list)[global-file]: New variable. [channels]: Honor it. * doc/guix.texi (Invoking guix pull): Document it. --- doc/guix.texi | 18 +++++++++++++++++- guix/scripts/pull.scm | 5 +++++ 2 files changed, 22 insertions(+), 1 deletion(-) (limited to 'guix') diff --git a/doc/guix.texi b/doc/guix.texi index a934626e5a..7cc33c6e22 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
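Review bot: Turning `derivation->bytevector` into a plain `lambda` silently changes its contract: any caller that still treats it as a memoized procedure — for instance by handing it to `invalidate-memoization!` — will presumably now get an error instead of a no-op, and nothing in this hunk accounts for such callers. A short comment above the definition would also stop the next person from re-adding `mlambda`: `;; Deliberately not memoized: the hit rate was too low to justify the memory.` The rest of the definition is outside the hunk.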
@@ -3666,6 +3666,21 @@ descriptions, and deploys it. Source code is downloaded from a @uref{https://git-scm.com, Git} repository, by default the official GNU@tie{}Guix repository, though this can be customized. +Specifically, @command{guix pull} downloads code from the @dfn{channels} +(@pxref{Channels}) specified by one of the followings, in this order: + +@enumerate +@item +the @option{--channels} option; +@item +the user's @file{~/.config/guix/channels.scm} file; +@item +the system-wide @file{/etc/guix/channels.scm} file; +@item +the built-in default channels specified in the @code{%default-channels} +variable. +@end enumerate + On completion, @command{guix package} will use packages and package versions from this just-retrieved copy of Guix. Not only that, but all the Guix commands and Scheme modules will also be taken from that latest @@ -3763,7 +3778,8 @@ configuration in the @file{~/.config/guix/channels.scm} file or using the @item --channels=@var{file} @itemx -C @var{file} Read the list of channels from @var{file} instead of -@file{~/.config/guix/channels.scm}. @var{file} must contain Scheme code that +@file{~/.config/guix/channels.scm} or @file{/etc/guix/channels.scm}. +@var{file} must contain Scheme code that evaluates to a list of channel objects. @xref{Channels}, for more information. diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm index 7876019eac..80d070652b 100644 --- a/guix/scripts/pull.scm +++ b/guix/scripts/pull.scm @@ -714,6 +714,9 @@ transformations specified in OPTS (resulting from '--url', '--commit', or (define default-file (string-append (config-directory) "/channels.scm")) + (define global-file + (string-append %sysconfdir "/guix/channels.scm")) + (define (load-channels file) (let ((result (load* file (make-user-module '((guix channels)))))) (if (and (list? result) (every channel? result)) 
@@ -725,6 +728,8 @@ transformations specified in OPTS (resulting from '--url', '--commit', or (load-channels file)) ((file-exists? default-file) (load-channels default-file)) + ((file-exists? global-file) + (load-channels global-file)) (else %default-channels))) -- cgit v1.2.3 From 8c8d60752e1ad73d5bd87d8497b357f8a8a389ab Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Mon, 28 Oct 2019 15:54:47 +0100 Subject: derivation: Remove memoization invalidation for 'derivation->bytevector'. This is a followup to d727a9343d861cf775645df8be5bfefd43d6c6f0, which broke 'hydra-jobs' from (gnu ci). * guix/derivations.scm (invalidate-derivation-caches!): Remove call to 'invalidate-memoization!' for 'derivation->bytevector'. --- guix/derivations.scm | 1 - 1 file changed, 1 deletion(-) (limited to 'guix') diff --git a/guix/derivations.scm b/guix/derivations.scm index 706c650469..bde937044a 100644 --- a/guix/derivations.scm +++ b/guix/derivations.scm @@ -919,7 +919,6 @@ derivation. It is kept as-is, uninterpreted, in the derivation." long-running processes that know what they're doing. Use with care!" ;; Typically this is meant to be used by Cuirass and Hydra, which can clear ;; caches when they start evaluating packages for another architecture. - (invalidate-memoization! derivation->bytevector) (invalidate-memoization! derivation-base16-hash) ;; FIXME: Comment out to work around . -- cgit v1.2.3 From 6330db4d55bf9be3702cc03145470c970fb7ae9b Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Fri, 1 Nov 2019 12:21:26 +0100 Subject: pull: Gracefully handle invalid Texinfo markup in news. Reported by Oleg Pykhalov . * guix/scripts/pull.scm (display-news-entry-title) (display-news-entry): Catch 'parser-error' around call to 'texi->plain-text', and return Texinfo as-is when an exception is caught. --- guix/scripts/pull.scm | 40 ++++++++++++++++++++++++++-------------- 1 file changed, 26 insertions(+), 14 deletions(-) (limited to 'guix') 
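Review bot: The new `global-file` clause means a `channels.scm` under `%sysconfdir` (defined in the `@@ -714` hunk) now decides which channels every user's `guix pull` fetches and builds, and it is evaluated as Scheme by `load*` exactly like the per-user file, so its ownership and permissions carry the same trust as the user's own configuration; neither hunk says so. The ordering is sound — the system-wide file is consulted only when the user has no `~/.config/guix/channels.scm`, so it cannot override or extend a user's explicit channel list — but that is not obvious from reading the `cond`, whose start is outside this hunk. A comment on the new clause would make it explicit: `;; System-wide fallback, used only when the user has no channels.scm of their own.`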
diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm index 80d070652b..92aac6066e 100644 --- a/guix/scripts/pull.scm +++ b/guix/scripts/pull.scm @@ -235,12 +235,18 @@ purposes." (define title (channel-news-entry-title entry)) - (format port " ~a~%" - (highlight - (string-trim-right - (texi->plain-text (or (assoc-ref title language) - (assoc-ref title (%default-message-language)) - "")))))) + (let ((title (or (assoc-ref title language) + (assoc-ref title (%default-message-language)) + ""))) + (format port " ~a~%" + (highlight + (string-trim-right + (catch 'parser-error + (lambda () + (texi->plain-text title)) + + ;; When Texinfo markup is invalid, display it as-is. + (const title))))))) (define (display-news-entry entry language port) "Display ENTRY, a , in LANGUAGE, a language code, to @@ -252,14 +258,20 @@ PORT." (format port (dim (G_ " commit ~a~%")) (channel-news-entry-commit entry)) (newline port) - (format port " ~a~%" - (indented-string - (parameterize ((%text-width (- (%text-width) 4))) - (string-trim-right - (texi->plain-text (or (assoc-ref body language) - (assoc-ref body (%default-message-language)) - "")))) - 4))) + (let ((body (or (assoc-ref body language) + (assoc-ref body (%default-message-language)) + ""))) + (format port " ~a~%" + (indented-string + (parameterize ((%text-width (- (%text-width) 4))) + (string-trim-right + (catch 'parser-error + (lambda () + (texi->plain-text body)) + (lambda _ + ;; When Texinfo markup is invalid, display it as-is. + (fill-paragraph body (%text-width)))))) + 4)))) (define* (display-channel-specific-news new old #:key (port (current-output-port)) -- cgit v1.2.3 From 665467767577172db40eea510583dbf2faf56a58 Mon Sep 17 00:00:00 2001 
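Review bot: The two new fallbacks are inconsistent — `display-news-entry-title` returns the raw Texinfo via `(const title)` while `display-news-entry` re-fills it with `(fill-paragraph body (%text-width))` — and both inline the same `catch 'parser-error` around `texi->plain-text`, with `title` and `body` rebound from alist to string in a `let` that shadows the outer name. A small helper, `(define (texi->plain-text/fallback texi on-error) (catch 'parser-error (lambda () (texi->plain-text texi)) (lambda _ (on-error texi))))`, would let each caller pass its own fallback and keep the two paths visibly parallel. The text comes from a channel's news file, and only `'parser-error` is caught; whether `texi->plain-text` can raise anything else on malformed input is not visible here. Both enclosing definitions start outside their hunks.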
From: Ludovic Courtès Date: Wed, 6 Nov 2019 22:02:34 +0100 Subject: derivations: Use a regular hash table for the module cache. The hit rate of the 'add-data-to-store' cache goes from 10% to 4% on: guix build -e '(@@ (gnu packages libreoffice) libreoffice)' -nd * guix/derivations.scm (%module-cache): Turn into a regular hash table. It didn't make sense to use a weak-value hash table given that values are pairs. --- guix/derivations.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'guix') diff --git a/guix/derivations.scm b/guix/derivations.scm index bde937044a..6cdf55b1fe 100644 --- a/guix/derivations.scm +++ b/guix/derivations.scm @@ -1208,7 +1208,7 @@ they can refer to each other." (define %module-cache ;; Map a list of modules to its 'imported+compiled-modules' result. - (make-weak-value-hash-table)) + (make-hash-table)) (define* (imported+compiled-modules store modules #:key (system (%current-system)) -- cgit v1.2.3 From 3e962e59d849e4300e447d94487684102d9d412e Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Thu, 7 Nov 2019 18:15:55 +0100 Subject: graph: Support package transformation options. * guix/scripts/graph.scm (%options): Append %TRANSFORMATION-OPTIONS. (show-help): Call 'show-transformation-options-help'. (guix-graph): Call 'options->transformation' and use it. * tests/guix-graph.sh: Add test. * doc/guix.texi (Invoking guix graph): Document it. --- doc/guix.texi | 11 ++++++ guix/scripts/graph.scm | 105 ++++++++++++++++++++++++++++--------------------- tests/guix-graph.sh | 8 +++- 3 files changed, 78 insertions(+), 46 deletions(-) (limited to 'guix') diff --git a/doc/guix.texi b/doc/guix.texi index 3a9d206b9f..3b8e5935bb 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
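Review bot: With a regular hash table, `%module-cache` now keeps every `(modules guile system)` entry for the life of the process and nothing empties it; in particular `invalidate-derivation-caches!`, which the `@@ -919` hunk earlier on this page shows clearing the other memoized derivation helpers for long-running evaluators, does not touch it. If module sources on disk can change while such a process runs, a stale import/compile derivation pair would be served. Presumably the cache should be cleared there too, `(hash-clear! %module-cache)`, or the comment on `%module-cache` should state why that is unnecessary.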
@@ -9907,7 +9907,18 @@ The package dependency graph is largely architecture-independent, but there are some architecture-dependent bits that this option allows you to visualize. @end table +On top of that, @command{guix graph} supports all the usual package +transformation options (@pxref{Package Transformation Options}). This +makes it easy to view the effect of a graph-rewriting transformation +such as @option{--with-input}. For example, the command below outputs +the graph of @code{git} once @code{openssl} has been replaced by +@code{libressl} everywhere in the graph: +@example +guix graph git --with-input=openssl=libressl +@end example + +So many possibilities, so much fun! @node Invoking guix publish @section Invoking @command{guix publish} diff --git a/guix/scripts/graph.scm b/guix/scripts/graph.scm index 2e14857f1e..7558cb1e85 100644 --- a/guix/scripts/graph.scm +++ b/guix/scripts/graph.scm @@ -32,6 +32,10 @@ #:use-module (gnu packages) #:use-module (guix sets) #:use-module ((guix utils) #:select (location-file)) + #:use-module ((guix scripts build) + #:select (show-transformation-options-help + options->transformation + %transformation-options)) #:use-module (srfi srfi-1) #:use-module (srfi srfi-26) #:use-module (srfi srfi-34) 
@@ -446,36 +450,38 @@ package modules, while attempting to retain user package modules." ;;; (define %options - (list (option '(#\t "type") #t #f - (lambda (opt name arg result) - (alist-cons 'node-type (lookup-node-type arg) - result))) - (option '("list-types") #f #f - (lambda (opt name arg result) - (list-node-types) - (exit 0))) - (option '(#\b "backend") #t #f - (lambda (opt name arg result) - (alist-cons 'backend (lookup-backend arg) - result))) - (option '("list-backends") #f #f - (lambda (opt name arg result) - (list-backends) - (exit 0))) - (option '(#\e "expression") #t #f - (lambda (opt name arg result) - (alist-cons 'expression arg result))) - (option '(#\s "system") #t #f - (lambda (opt name arg result) - (alist-cons 'system arg - (alist-delete 'system result eq?)))) - (option '(#\h "help") #f #f - (lambda args - (show-help) - (exit 0))) - (option '(#\V "version") #f #f - (lambda args - (show-version-and-exit "guix edit"))))) + (cons* (option '(#\t "type") #t #f + (lambda (opt name arg result) + (alist-cons 'node-type (lookup-node-type arg) + result))) + (option '("list-types") #f #f + (lambda (opt name arg result) + (list-node-types) + (exit 0))) + (option '(#\b "backend") #t #f + (lambda (opt name arg result) + (alist-cons 'backend (lookup-backend arg) + result))) + (option '("list-backends") #f #f + (lambda (opt name arg result) + (list-backends) + (exit 0))) + (option '(#\e "expression") #t #f + (lambda (opt name arg result) + (alist-cons 'expression arg result))) + (option '(#\s "system") #t #f + (lambda (opt name arg result) + (alist-cons 'system arg + (alist-delete 'system result eq?)))) + (option '(#\h "help") #f #f + (lambda args + (show-help) + (exit 0))) + (option '(#\V "version") #f #f + (lambda args + (show-version-and-exit "guix graph"))) + + %transformation-options)) (define (show-help) ;; TRANSLATORS: Here 'dot' is the name of a program; it must not be 
@@ -495,6 +501,8 @@ Emit a representation of the dependency graph of PACKAGE...\n")) (display (G_ " -s, --system=SYSTEM consider the graph for SYSTEM--e.g., \"i686-linux\"")) (newline) + (show-transformation-options-help) + (newline) (display (G_ " -h, --help display this help and exit")) (display (G_ " @@ -514,21 +522,28 @@ Emit a representation of the dependency graph of PACKAGE...\n")) (define (guix-graph . args) (with-error-handling - (let* ((opts (parse-command-line args %options - (list %default-options) - #:build-options? #f)) - (backend (assoc-ref opts 'backend)) - (type (assoc-ref opts 'node-type)) - (items (filter-map (match-lambda - (('argument . (? store-path? item)) - item) - (('argument . spec) - (specification->package spec)) - (('expression . exp) - (read/eval-package-expression exp)) - (_ #f)) - opts))) - (with-store store + (define opts + (parse-command-line args %options + (list %default-options) + #:build-options? #f)) + (define backend + (assoc-ref opts 'backend)) + (define type + (assoc-ref opts 'node-type)) + + (with-store store + (let* ((transform (options->transformation opts)) + (items (filter-map (match-lambda + (('argument . (? store-path? item)) + item) + (('argument . spec) + (transform store + (specification->package spec))) + (('expression . exp) + (transform store + (read/eval-package-expression exp))) + (_ #f)) + opts))) ;; Ask for absolute file names so that .drv file names passed from the ;; user to 'read-derivation' are absolute when it returns. (with-fluids ((%file-port-name-canonicalization 'absolute)) diff --git a/tests/guix-graph.sh b/tests/guix-graph.sh index 1ec99706fd..2d4b3fac3f 100644 --- a/tests/guix-graph.sh +++ b/tests/guix-graph.sh @@ -1,5 +1,5 @@ # GNU Guix --- Functional package management for GNU -# Copyright © 2015, 2016 Ludovic Courtès +# Copyright © 2015, 2016, 2019 Ludovic Courtès # # This file is part of GNU Guix. # 
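Review bot: In the `items` computation of `guix-graph`, only the `spec` and `exp` clauses go through `transform`, while the store-path clause passes `item` through untouched, and nothing says why. A one-line comment on that clause, `;; Store file names are used as is: transformations act on package objects.`, would keep the next reader from treating the asymmetry as an oversight. The two transformed clauses repeat `(transform store ...)` and could share a small local helper, but that is cosmetic. `guix-graph` continues beyond the end of the hunk.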
@@ -53,3 +53,9 @@ cmp "$tmpfile1" "$tmpfile2" guix graph -t derivation coreutils > "$tmpfile1" guix graph -t derivation `guix build -d coreutils` > "$tmpfile2" cmp "$tmpfile1" "$tmpfile2" + +# Try package transformation options. +guix graph git | grep 'label = "openssl' +guix graph git --with-input=openssl=libressl | grep 'label = "libressl' +if guix graph git --with-input=openssl=libressl | grep 'label = "openssl' +then false; else true; fi -- cgit v1.2.3 From f49e9131889775a74a85c1f9b29f108030337b8b Mon Sep 17 00:00:00 2001 From: Julien Lepiller Date: Thu, 7 Nov 2019 21:50:54 +0100 Subject: guix: Add file-locking with no wait. * guix/build/syscalls.scm (with-file-lock/no-wait): New procedure. (lock-file): Take a #:wait? key. --- guix/build/syscalls.scm | 35 +++++++++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) (limited to 'guix') diff --git a/guix/build/syscalls.scm b/guix/build/syscalls.scm index bbf2531c79..a5a9c92a42 100644 --- a/guix/build/syscalls.scm +++ b/guix/build/syscalls.scm @@ -80,6 +80,7 @@ lock-file unlock-file with-file-lock + with-file-lock/no-wait set-thread-name thread-name @@ -1087,10 +1088,10 @@ exception if it's already taken." ;; Presumably we got EAGAIN or so. (throw 'flock-error err)))))) -(define (lock-file file) +(define* (lock-file file #:key (wait? #t)) "Wait and acquire an exclusive lock on FILE. Return an open port." (let ((port (open-file file "w0"))) - (fcntl-flock port 'write-lock) + (fcntl-flock port 'write-lock #:wait? wait?) port)) (define (unlock-file port) 
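Review bot: The docstring of `lock-file` still reads "Wait and acquire an exclusive lock on FILE", although with `#:wait? #f` the procedure no longer waits and instead lets the `'flock-error` thrown by `fcntl-flock` (visible in the hunk's leading context) propagate. Suggested wording: `"Acquire an exclusive lock on FILE and return an open port. When WAIT? is true (the default), block until the lock is available; otherwise throw 'flock-error if it is already held."` The non-blocking mode also makes that failure path a common one, and on it the port returned by `open-file` is never closed, so every failed attempt leaks a descriptor until the GC collects it; closing the port before rethrowing, as below, avoids that.
```scheme
(define* (lock-file file #:key (wait? #t))
  "Acquire an exclusive lock on FILE and return an open port.  When WAIT? is
true (the default), block until the lock is available; otherwise throw
'flock-error if it is already held."
  (let ((port (open-file file "w0")))
    (catch 'flock-error
      (lambda ()
        (fcntl-flock port 'write-lock #:wait? wait?))
      (lambda args
        ;; Do not leak the descriptor when the lock cannot be taken.
        (close-port port)
        (apply throw args)))
    port))
```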
@@ -1119,10 +1120,40 @@ exception if it's already taken." (when port (unlock-file port)))))) +(define (call-with-file-lock/no-wait file thunk handler) + (let ((port (catch #t + (lambda () + (lock-file file #:wait? #f)) + (lambda (key . args) + (match key + ('flock-error + (handler args)) + ('system-error + ;; When using the statically-linked Guile in the initrd, + ;; 'fcntl-flock' returns ENOSYS unconditionally. Ignore + ;; that error since we're typically the only process running + ;; at this point. + (if (= ENOSYS (system-error-errno (cons key args))) + #f + (apply throw args))) + (_ (apply throw key args))))))) + (dynamic-wind + (lambda () + #t) + thunk + (lambda () + (when port + (unlock-file port)))))) + (define-syntax-rule (with-file-lock file exp ...) "Wait to acquire a lock on FILE and evaluate EXP in that context." (call-with-file-lock file (lambda () exp ...))) +(define-syntax-rule (with-file-lock/no-wait file handler exp ...) + "Try to acquire a lock on FILE and evaluate EXP in that context. Execute +handler if the lock is already held by another process." + (call-with-file-lock/no-wait file (lambda () exp ...) handler)) + ;;; ;;; Miscellaneous, aka. 'prctl'. -- cgit v1.2.3 From b1fb663404894268b5ee92c040f12c52c0bee425 Mon Sep 17 00:00:00 2001 From: Julien Lepiller Date: Fri, 25 Oct 2019 21:39:21 +0200 Subject: guix: package: lock profiles when processing them. * guix/scripts/package.scm (process-actions): Get a per-profile lock to prevent concurrent actions on profiles. * tests/guix-package.sh: Add test. --- guix/scripts/package.scm | 70 +++++++++++++++++++++++++++--------------------- tests/guix-package.sh | 10 ++++++- 2 files changed, 49 insertions(+), 31 deletions(-) (limited to 'guix') diff --git a/guix/scripts/package.scm b/guix/scripts/package.scm index 1a58d43e5c..bcd03a1df9 100644 --- a/guix/scripts/package.scm +++ b/guix/scripts/package.scm 
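Review bot: In the `'system-error` branch of `call-with-file-lock/no-wait`, `(apply throw args)` rethrows without the key: because the handler is `(lambda (key . args) ...)`, `args` no longer starts with `'system-error`, so its first element (the procedure name) becomes the exception key, unlike the `_` clause which correctly does `(apply throw key args)`. The `'system-error` branch should read `(apply throw key args)` as well. Separately, if HANDLER returns instead of escaping, its return value is bound to `port`, `thunk` then runs without holding the lock, and `unlock-file` is finally applied to whatever HANDLER returned; the procedure should either document that HANDLER must not return or skip `thunk` when the lock was not taken. A docstring is also missing, and it should state that HANDLER receives a single argument, the list of `'flock-error` arguments, since `(handler args)` passes the list rather than spreading it.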
@@ -42,6 +42,8 @@ #:autoload (guix store roots) (gc-roots) #:use-module ((guix build utils) #:select (directory-exists? mkdir-p)) + #:use-module ((guix build syscalls) + #:select (with-file-lock/no-wait)) #:use-module (ice-9 format) #:use-module (ice-9 match) #:use-module (ice-9 regex) 
@@ -876,36 +878,44 @@ processed, #f otherwise." (package-version item) (manifest-entry-version entry)))))) - ;; First, process roll-backs, generation removals, etc. - (for-each (match-lambda - ((key . arg) - (and=> (assoc-ref %actions key) - (lambda (proc) - (proc store profile arg opts - #:dry-run? dry-run?))))) - opts) - - ;; Then, process normal package removal/installation/upgrade. - (let* ((manifest (profile-manifest profile)) - (step1 (options->removable opts manifest - (manifest-transaction))) - (step2 (options->installable opts manifest step1)) - (step3 (manifest-transaction - (inherit step2) - (install (map transform-entry - (manifest-transaction-install step2))))) - (new (manifest-perform-transaction manifest step3))) - - (warn-about-old-distro) - - (unless (manifest-transaction-null? step3) - (show-manifest-transaction store manifest step3 - #:dry-run? dry-run?) - (build-and-use-profile store profile new - #:allow-collisions? allow-collisions? - #:bootstrap? bootstrap? - #:use-substitutes? substitutes? - #:dry-run? dry-run?)))) + + ;; First, acquire a lock on the profile, to ensure only one guix process + ;; is modifying it at a time. + (with-file-lock/no-wait (string-append profile ".lock") + (lambda (key . args) + (leave (G_ "profile ~a is locked by another process~%") + profile)) + + ;; Then, process roll-backs, generation removals, etc. + (for-each (match-lambda + ((key . arg) + (and=> (assoc-ref %actions key) + (lambda (proc) + (proc store profile arg opts + #:dry-run? dry-run?))))) + opts) + + ;; Then, process normal package removal/installation/upgrade. 
+ (let* ((manifest (profile-manifest profile)) + (step1 (options->removable opts manifest + (manifest-transaction))) + (step2 (options->installable opts manifest step1)) + (step3 (manifest-transaction + (inherit step2) + (install (map transform-entry + (manifest-transaction-install step2))))) + (new (manifest-perform-transaction manifest step3))) + + (warn-about-old-distro) + + (unless (manifest-transaction-null? step3) + (show-manifest-transaction store manifest step3 + #:dry-run? dry-run?) + (build-and-use-profile store profile new + #:allow-collisions? allow-collisions? + #:bootstrap? bootstrap? + #:use-substitutes? substitutes? + #:dry-run? dry-run?))))) ;;; diff --git a/tests/guix-package.sh b/tests/guix-package.sh index 0de30bf6c1..7ad0699380 100644 --- a/tests/guix-package.sh +++ b/tests/guix-package.sh @@ -33,7 +33,7 @@ profile="t-profile-$$" tmpfile="t-guix-package-file-$$" rm -f "$profile" "$tmpfile" -trap 'rm -f "$profile" "$profile-"[0-9]* "$tmpfile"; rm -rf "$module_dir" t-home-'"$$" EXIT +trap 'rm -f "$profile" "$profile.lock" "$profile-"[0-9]* "$tmpfile"; rm -rf "$module_dir" t-home-'"$$" EXIT # Use `-e' with a non-package expression. if guix package --bootstrap -e +; @@ -452,3 +452,11 @@ rm -rf "$module_dir" # Make sure we can see user profiles. guix package --list-profiles | grep "$profile" guix package --list-profiles | grep '\.guix-profile' + +# Make sure we can properly lock a profile. +mkdir "$module_dir" +echo '(sleep 60)' > "$module_dir/manifest.scm" +guix package -m "$module_dir/manifest.scm" -p "$module_dir/profile" & +pid=$! +if guix install emacs -p "$module_dir/profile"; then kill $pid; false; else true; fi +kill $pid -- cgit v1.2.3 From 7f0f38b54c98f13fed4cec1ee4785d493f29abee Mon Sep 17 00:00:00 2001 
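Review bot: The handler passed to `with-file-lock/no-wait` in `process-actions` is written `(lambda (key . args) ...)`, but `call-with-file-lock/no-wait` invokes it with exactly one argument, the list of `'flock-error` arguments, so `key` is bound to that list and `args` is always empty; a single-parameter lambda such as `(lambda (_) ...)` would express the actual contract and not mislead the next reader. The lock is also taken before anything else happens, including when DRY-RUN? is true, so a dry run aborts if another process holds the profile; that is probably acceptable but deserves a comment on the `with-file-lock/no-wait` form, e.g. `;; Taken even for dry runs, so that the output reflects the profile's actual state.` `process-actions` begins before the start of the hunk.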
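Review bot: The new lock test in tests/guix-package.sh races: `guix install emacs -p "$module_dir/profile"` starts right after the background `guix package -m ... &`, and nothing guarantees the background process has reached `process-actions` and taken `profile.lock` by then, so the foreground command can succeed and the test fail spuriously. Waiting for the lock file to appear before the second command, e.g. `while [ ! -f "$module_dir/profile.lock" ]; do sleep 0.1; done` with a bounded retry count, narrows the window, since `lock-file` creates the file with `open-file` immediately before calling `fcntl-flock`. The trailing `kill $pid` also leaves the background job's exit status unchecked, which is fine here but worth a one-line comment.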
From: Ludovic Courtès Date: Fri, 8 Nov 2019 23:19:07 +0100 Subject: ui: Produce hyperlinks for the 'location' field of search results. This affects the output of 'guix show', 'guix search', and 'guix system search'. * guix/ui.scm (hyperlink, supports-hyperlinks?, location->hyperlink): New procedures. (package->recutils): Add #:hyperlinks? and honor it. (display-search-results): Pass #:hyperlinks? to PRINT. * guix/scripts/system/search.scm (service-type->recutils): Add #:hyperlinks? and honor it. --- guix/scripts/system/search.scm | 10 +++++--- guix/ui.scm | 55 ++++++++++++++++++++++++++++++++++++------ 2 files changed, 54 insertions(+), 11 deletions(-) (limited to 'guix') diff --git a/guix/scripts/system/search.scm b/guix/scripts/system/search.scm index 5278062edd..d2eac06cca 100644 --- a/guix/scripts/system/search.scm +++ b/guix/scripts/system/search.scm @@ -65,9 +65,12 @@ provided TYPE has a default value." (define* (service-type->recutils type port #:optional (width (%text-width)) - #:key (extra-fields '())) + #:key + (extra-fields '()) + (hyperlinks? (supports-hyperlinks? port))) "Write to PORT a recutils record of TYPE, arranging to fit within WIDTH -columns." +columns. When HYPERLINKS? is true, emit hyperlink escape sequences when +appropriate." (define width* ;; The available number of columns once we've taken into account space for ;; the initial "+ " prefix. @@ -84,7 +87,8 @@ columns." ;; Note: Don't i18n field names so that people can post-process it. (format port "name: ~a~%" (service-type-name type)) (format port "location: ~a~%" - (or (and=> (service-type-location type) location->string) + (or (and=> (service-type-location type) + (if hyperlinks? location->hyperlink location->string)) (G_ "unknown"))) (format port "extends: ~a~%" diff --git a/guix/ui.scm b/guix/ui.scm index 3e4bd5787e..bce0df5e8f 100644 --- a/guix/ui.scm +++ b/guix/ui.scm 
@@ -69,6 +69,7 @@ #:autoload (system base compile) (compile-file) #:autoload (system repl repl) (start-repl) #:autoload (system repl debug) (make-debug stack->vector) + #:autoload (web uri) (encode-and-join-uri-path) #:use-module (texinfo) #:use-module (texinfo plain-text) #:use-module (texinfo string-utils) @@ -108,6 +109,9 @@ package->recutils package-specification->name+version+output + supports-hyperlinks? + location->hyperlink + relevance package-relevance display-search-results 
@@ -1234,10 +1238,42 @@ followed by \"+ \", which makes for a valid multi-line field value in the '() str))) +(define (hyperlink uri text) + "Return a string that denotes a hyperlink using an OSC escape sequence as +documented at +." + (string-append "\x1b]8;;" uri "\x1b\\" + text "\x1b]8;;\x1b\\")) + +(define (supports-hyperlinks? port) + "Return true if PORT is a terminal that supports hyperlink escapes." + ;; Note that terminals are supposed to ignore OSC escapes they don't + ;; understand (this is the case of xterm as of version 349, for instance.) + ;; However, Emacs comint as of 26.3 does not ignore it and instead lets it + ;; through, hence the 'INSIDE_EMACS' special case below. + (and (isatty?* port) + (not (getenv "INSIDE_EMACS")))) + +(define (location->hyperlink location) + "Return a string corresponding to LOCATION, with escapes for a hyperlink." + (let ((str (location->string location)) + (file (if (string-prefix? "/" (location-file location)) + (location-file location) + (search-path %load-path (location-file location))))) + (if file + (hyperlink (string-append "file://" (gethostname) + (encode-and-join-uri-path + (string-split file #\/))) + str) + str))) + (define* (package->recutils p port #:optional (width (%text-width)) - #:key (extra-fields '())) + #:key + (hyperlinks? (supports-hyperlinks? port)) + (extra-fields '())) "Write to PORT a `recutils' record of package P, arranging to fit within -WIDTH columns. EXTRA-FIELDS is a list of symbol/value pairs to emit." +WIDTH columns. EXTRA-FIELDS is a list of symbol/value pairs to emit. When +HYPERLINKS? is true, emit hyperlink escape sequences when appropriate." (define width* ;; The available number of columns once we've taken into account space for ;; the initial "+ " prefix. 
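Review bot: `hyperlink` splices URI and TEXT verbatim between the OSC introducer `"\x1b]8;;"` and the `"\x1b\\"` terminator, so any ESC, BEL or other control character in either string ends the sequence early and the remainder is interpreted by the terminal; the docstring should state that callers must pass control-free strings, because later callers may feed it data taken from package definitions rather than from source-file locations. Suggested docstring addition: `URI and TEXT are inserted as is; they must not contain control characters, which would terminate the escape sequence.` In `location->hyperlink`, the path segments are percent-encoded by `encode-and-join-uri-path`, which covers the file part, but the `gethostname` result is not, so a host name with unusual characters would land in the URI unencoded — minor, but worth a comment.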
@@ -1265,7 +1301,8 @@ WIDTH columns. EXTRA-FIELDS is a list of symbol/value pairs to emit." (((labels inputs . _) ...) (dependencies->recutils (filter package? inputs))))) (format port "location: ~a~%" - (or (and=> (package-location p) location->string) + (or (and=> (package-location p) + (if hyperlinks? location->hyperlink location->string)) (G_ "unknown"))) ;; Note: Starting from version 1.6 or recutils, hyphens are not allowed in @@ -1398,11 +1435,13 @@ them. If PORT is a terminal, print at most a full screen of results." (let loop ((matches matches)) (match matches (((package . score) rest ...) - (let ((text (call-with-output-string - (lambda (port) - (print package port - #:extra-fields - `((relevance . ,score))))))) + (let* ((links? (supports-hyperlinks? port)) + (text (call-with-output-string + (lambda (port) + (print package port + #:hyperlinks? links? + #:extra-fields + `((relevance . ,score))))))) (if (and max-rows (> (port-line port) first-line) ;print at least one result (> (+ 4 (line-count text) (port-line port)) -- cgit v1.2.3 From edd25a8caca7ff7184c98823845ee0d49c16916c Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Fri, 8 Nov 2019 23:23:01 +0100 Subject: ui: Emit hyperlinks for 'license' in package search results. * guix/ui.scm (package->recutils): When HYPERLINKS is true, call 'hyperlink' for the 'license' field. --- guix/ui.scm | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'guix') diff --git a/guix/ui.scm b/guix/ui.scm index bce0df5e8f..eb17d274c8 100644 --- a/guix/ui.scm +++ b/guix/ui.scm @@ -44,7 +44,8 @@ #:use-module (guix derivations) #:use-module (guix build-system) #:use-module (guix serialization) - #:use-module ((guix licenses) #:select (license? license-name)) + #:use-module ((guix licenses) + #:select (license? license-name license-uri)) #:use-module ((guix build syscalls) #:select (free-disk-space terminal-columns terminal-rows)) 
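Review bot: In `display-search-results`, `links?` is recomputed on every iteration because `(supports-hyperlinks? port)` sits inside the `let loop` body; it depends only on `port`, so it can be bound once before `(let loop ((matches matches))`, e.g. `(define links? (supports-hyperlinks? port))` at procedure level, leaving the `#:hyperlinks? links?` line unchanged. `isatty?*` and `getenv` are cheap, so this is mostly a readability point. The enclosing procedure starts before the hunk.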
@@ -1315,7 +1316,11 @@ HYPERLINKS? is true, emit hyperlink escape sequences when appropriate." (string-join (map license-name licenses) ", ")) ((? license? license) - (license-name license)) + (let ((text (license-name license)) + (uri (license-uri license))) + (if (and hyperlinks? uri (string-prefix? "http" uri)) + (hyperlink uri text) + text))) (x (G_ "unknown")))) (format port "synopsis: ~a~%" -- cgit v1.2.3 From 277ba1d4f841dcc57a259caeed298567d5143eae Mon Sep 17 00:00:00 2001 From: Julien Lepiller Date: Mon, 21 Oct 2019 21:48:31 +0200 Subject: guix: svn: Allow dropping externals. * guix/build/svn.scm (svn-fetch): Allow to ignore externals. * guix/svn-download.scm (svn-reference, svn-multi-reference): Add recursive? field. --- guix/build/svn.scm | 4 ++++ guix/svn-download.scm | 15 +++++++++++---- 2 files changed, 15 insertions(+), 4 deletions(-) (limited to 'guix') diff --git a/guix/build/svn.scm b/guix/build/svn.scm index e3188add3e..33783f3056 100644 --- a/guix/build/svn.scm +++ b/guix/build/svn.scm @@ -31,6 +31,7 @@ (define* (svn-fetch url revision directory #:key (svn-command "svn") + (recursive? #t) (user-name #f) (password #f)) "Fetch REVISION from URL into DIRECTORY. REVISION must be an integer, and a @@ -45,6 +46,9 @@ valid Subversion revision. Return #t on success, #f otherwise." (list (string-append "--username=" user-name) (string-append "--password=" password)) '()) + ,@(if recursive? + '() + (list "--ignore-externals")) ,url ,directory)) #t) diff --git a/guix/svn-download.scm b/guix/svn-download.scm index 4139cbc2e2..59e2eb8d07 100644 --- a/guix/svn-download.scm +++ b/guix/svn-download.scm @@ -31,6 +31,7 @@ svn-reference? svn-reference-url svn-reference-revision + svn-reference-recursive? svn-fetch download-svn-to-store @@ -39,6 +40,7 @@ svn-multi-reference-url svn-multi-reference-revision svn-multi-reference-locations + svn-multi-reference-recursive? svn-multi-fetch)) ;;; Commentary: 
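Review bot: The hyperlink treatment applies only to the single `(? license? license)` clause of `package->recutils`; the list clause just above, `(string-join (map license-name licenses) ", ")`, still prints plain names, so packages with several licenses get no links. Factoring the new code into a local `license->text` helper and mapping it in both clauses keeps the output consistent, as sketched below. Note also that `license-uri` values come from package definitions and reach `hyperlink` unmodified: `(string-prefix? "http" uri)` filters the scheme but not control characters, so a cheap printable-only check on URI (e.g. `(string-every char-set:graphic uri)`) would be a sensible guard. `package->recutils` starts before the hunk.
```scheme
;; … unchanged: start of package->recutils, width* and other local definitions …
(define (license->text license)
  ;; Render LICENSE's name, as a hyperlink to its URI when that is possible.
  (let ((text (license-name license))
        (uri  (license-uri license)))
    (if (and hyperlinks? uri (string-prefix? "http" uri))
        (hyperlink uri text)
        text)))
;; … unchanged: fields preceding 'license' …
          (string-join (map license->text licenses) ", "))
         ((? license? license)
          (license->text license))
         (x
          (G_ "unknown"))))
;; … unchanged: synopsis and the remaining fields …
```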
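Review bot: `svn-fetch` gains a `#:recursive?` keyword, but its docstring, which begins in the previous hunk's context and continues into this one, does not mention it, so the effect of passing `#f` (adding `--ignore-externals` to the `svn` command line) is only discoverable by reading the code. Suggested addition at the end of the docstring: `When RECURSIVE? is false, pass --ignore-externals so that svn:externals definitions are not fetched.` The same sentence, as a trailing comment, is worth adding to the `recursive?` fields of `svn-reference` and `svn-multi-reference` in svn-download.scm, whose default is `#t`.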
@@ -52,10 +54,11 @@ (define-record-type* svn-reference make-svn-reference svn-reference? - (url svn-reference-url) ; string - (revision svn-reference-revision) ; number - (user-name svn-reference-user-name (default #f)) - (password svn-reference-password (default #f))) + (url svn-reference-url) ; string + (revision svn-reference-revision) ; number + (recursive? svn-reference-recursive? (default #t)) + (user-name svn-reference-user-name (default #f)) + (password svn-reference-password (default #f))) (define (subversion-package) "Return the default Subversion package." @@ -78,6 +81,7 @@ HASH-ALGO (a symbol). Use NAME as the file name, or a generic name if #f." '#$(svn-reference-revision ref) #$output #:svn-command (string-append #+svn "/bin/svn") + #:recursive? #$(svn-reference-recursive? ref) #:user-name #$(svn-reference-user-name ref) #:password #$(svn-reference-password ref))))) @@ -96,6 +100,7 @@ HASH-ALGO (a symbol). Use NAME as the file name, or a generic name if #f." (url svn-multi-reference-url) ; string (revision svn-multi-reference-revision) ; number (locations svn-multi-reference-locations) ; list of strings + (recursive? svn-multi-reference-recursive? (default #t)) (user-name svn-multi-reference-user-name (default #f)) (password svn-multi-reference-password (default #f))) @@ -125,6 +130,8 @@ HASH-ALGO (a symbol). Use NAME as the file name, or a generic name if #f." (string-append #$output "/" location) (string-append #$output "/" (dirname location))) #:svn-command (string-append #+svn "/bin/svn") + #:recursive? + #$(svn-multi-reference-recursive? ref) #:user-name #$(svn-multi-reference-user-name ref) #:password #$(svn-multi-reference-password ref))) '#$(svn-multi-reference-locations ref))))) -- cgit v1.2.3 From cda79c7cc938ae3d9e77d09e8ebd7cbdf7f4d20c Mon Sep 17 00:00:00 2001 
From: Efraim Flashner Date: Tue, 5 Nov 2019 14:55:05 +0200 Subject: make-bootstrap: Adjust copied linux headers. * guix/build/make-bootstrap.scm (copy-linux-headers): Remove header file 'a.out.h' is no longer part of the linux kernel headers. --- guix/build/make-bootstrap.scm | 1 - 1 file changed, 1 deletion(-) (limited to 'guix') diff --git a/guix/build/make-bootstrap.scm b/guix/build/make-bootstrap.scm index e5ef1d6d2b..0d29338ce3 100644 --- a/guix/build/make-bootstrap.scm +++ b/guix/build/make-bootstrap.scm @@ -47,7 +47,6 @@ bootstrap libc." (install-file (pk 'src (string-append kernel-headers "/include/linux/" file)) (pk 'dest (string-append incdir "/linux")))) '( - "a.out.h" ; for 2.2.5 "atalk.h" ; for 2.2.5 "errno.h" "falloc.h" -- cgit v1.2.3 From 1edcfda81ba5c20ca715473d45315662c60dd81e Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Fri, 15 Nov 2019 21:30:37 +0100 Subject: pull: Remove unused '--verbose' option. This option had been ignored since commit 0d39a3b98948314e135566b9315717695a9035ea (August 2018). * guix/scripts/pull.scm (show-help, %options): Remove "--verbose". (build-and-install): Remove #:verbose?, which was unused. (guix-pull): Adjust accordingly. --- guix/scripts/pull.scm | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) (limited to 'guix') diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm index 92aac6066e..418998409a 100644 --- a/guix/scripts/pull.scm +++ b/guix/scripts/pull.scm @@ -78,8 +78,6 @@ (define (show-help) (display (G_ "Usage: guix pull [OPTION]... Download and deploy the latest version of Guix.\n")) - (display (G_ " - --verbose produce verbose output")) (display (G_ " -C, --channels=FILE deploy the channels defined in FILE")) (display (G_ " 
@@ -120,10 +118,7 @@ Download and deploy the latest version of Guix.\n")) (define %options ;; Specifications of the command-line options. - (cons* (option '("verbose") #f #f - (lambda (opt name arg result) - (alist-cons 'verbose? #t result))) - (option '(#\C "channels") #t #f + (cons* (option '(#\C "channels") #t #f (lambda (opt name arg result) (alist-cons 'channel-file arg result))) (option '(#\l "list-generations") #f #t @@ -382,7 +377,7 @@ previous generation. Return true if there are news to display." (display-channel-news profile)) (define* (build-and-install instances profile - #:key use-substitutes? verbose? dry-run?) + #:key use-substitutes? dry-run?) "Build the tool from SOURCE, and install it in PROFILE. When DRY-RUN? is true, display what would be built without actually building it." (define update-profile @@ -823,8 +818,6 @@ Use '~/.config/guix/channels.scm' instead.")) #:dry-run? (assoc-ref opts 'dry-run?) #:use-substitutes? - (assoc-ref opts 'substitutes?) - #:verbose? - (assoc-ref opts 'verbose?)))))))))))))) + (assoc-ref opts 'substitutes?)))))))))))))) ;;; pull.scm ends here -- cgit v1.2.3 From f675f8dec73d02e319e607559ed2316c299ae8c7 Mon Sep 17 00:00:00 2001 From: Konrad Hinsen Date: Fri, 25 Oct 2019 17:42:21 +0200 Subject: Add 'guix time-machine'. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * guix/scripts/time-machine.scm: New file. * Makefile.am: (MODULES): Add it. * guix/scripts/pull.scm (channel-list): Export. * guix/inferior.scm (cached-channel-instance): New procedure. (inferior-for-channels): Use it. * doc/guix.texi (Invoking guix time-machine): New section. (Channels): Cross-reference it. 
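Review bot: Dropping the `("verbose")` entry from `%options` turns `guix pull --verbose` from a silently ignored flag into a command-line error for every script that still passes it, since the parser will no longer recognise the option. Given that the commit message says the flag has been a no-op since 2018, a gentler path is to keep the entry for a release as a deprecated no-op whose handler prints a deprecation warning and returns `result` unchanged, then remove it. If the hard removal is intended, the manual should say so explicitly.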
Signed-off-by: Ludovic Courtès --- Makefile.am | 1 + doc/guix.texi | 59 +++++++++++++++++++++++- guix/inferior.scm | 38 +++++++++++----- guix/scripts/pull.scm | 1 + guix/scripts/time-machine.scm | 102 ++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 187 insertions(+), 14 deletions(-) create mode 100644 guix/scripts/time-machine.scm (limited to 'guix') diff --git a/Makefile.am b/Makefile.am index b1f33946c5..b3f03d44c8 100644 --- a/Makefile.am +++ b/Makefile.am @@ -278,6 +278,7 @@ MODULES = \ guix/scripts/container.scm \ guix/scripts/container/exec.scm \ guix/scripts/deploy.scm \ + guix/scripts/time-machine.scm \ guix.scm \ $(GNU_SYSTEM_MODULES) diff --git a/doc/guix.texi b/doc/guix.texi index ed88778016..bc1d5d863a 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -198,6 +198,7 @@ Package Management * Invoking guix gc:: Running the garbage collector. * Invoking guix pull:: Fetching the latest Guix and distribution. * Channels:: Customizing the package collection. +* Invoking guix time-machine:: Running an older revision of Guix. * Inferiors:: Interacting with another revision of Guix. * Invoking guix describe:: Display information about your Guix revision. * Invoking guix archive:: Exporting and importing store files. @@ -2550,6 +2551,7 @@ guix install emacs-guix * Invoking guix gc:: Running the garbage collector. * Invoking guix pull:: Fetching the latest Guix and distribution. * Channels:: Customizing the package collection. +* Invoking guix time-machine:: Running an older revision of Guix. * Inferiors:: Interacting with another revision of Guix. * Invoking guix describe:: Display information about your Guix revision. * Invoking guix archive:: Exporting and importing store files. 
@@ -4152,7 +4154,10 @@ say, on another machine, by providing a channel specification in @end lisp The @command{guix describe --format=channels} command can even generate this -list of channels directly (@pxref{Invoking guix describe}). +list of channels directly (@pxref{Invoking guix describe}). The resulting +file can be used with the -C options of @command{guix pull} +(@pxref{Invoking guix pull}) or @command{guix time-machine} +(@pxref{Invoking guix time-machine}). At this point the two machines run the @emph{exact same Guix}, with access to the @emph{exact same packages}. The output of @command{guix build gimp} on 
@@ -4166,6 +4171,57 @@ artifacts with very fine grain, and to reproduce software environments at will---some sort of ``meta reproducibility'' capabilities, if you will. @xref{Inferiors}, for another way to take advantage of these super powers. +@node Invoking guix time-machine +@section Invoking @command{guix time-machine} + +@cindex @command{guix time-machine} +@cindex pinning, channels +@cindex replicating Guix +@cindex reproducibility, of Guix + +The @command{guix time-machine} command provides access to other +revisions of Guix, for example to install older versions of packages, +or to reproduce a computation in an identical environment. The revision +of Guix to be used is defined by a commit or by a channel +description file created by @command{guix describe} +(@pxref{Invoking guix describe}). + +The general syntax is: + +@example +guix time-machine @var{options}@dots{} -- @var{command} @var {arg}@dots{} +@end example + +where @var{command} and @var{arg}@dots{} are passed unmodified to the +@command{guix} command if the specified revision. The @var{options} that define +this revision are the same as for @command{guix pull} (@pxref{Invoking guix pull}): + +@table @code +@item --url=@var{url} +@itemx --commit=@var{commit} +@itemx --branch=@var{branch} +Use the @code{guix} channel from the specified @var{url}, at the +given @var{commit} (a valid Git commit ID represented as a hexadecimal +string), or @var{branch}. + +@item --channels=@var{file} +@itemx -C @var{file} +Read the list of channels from @var{file}. @var{file} must contain +Scheme code that evaluates to a list of channel objects. +@xref{Channels} for more information. +@end table + +As for @command{guix pull}, the absence of any options means that the +the latest commit on the master branch will be used. 
The command + +@example +guix time-machine -- build hello +@end example + +will thus build the package @code{hello} as defined in the master branch, +which is in general a newer revison of Guix than you have installed. +Time travel works in both directions! + @node Inferiors @section Inferiors @@ -10589,7 +10645,6 @@ ClientPID: 19419 ClientCommand: cuirass --cache-directory /var/cache/cuirass @dots{} @end example - @node System Configuration @chapter System Configuration diff --git a/guix/inferior.scm b/guix/inferior.scm index b8e2f21f42..be50e0ec26 100644 --- a/guix/inferior.scm +++ b/guix/inferior.scm @@ -89,6 +89,7 @@ gexp->derivation-in-inferior %inferior-cache-directory + cached-channel-instance inferior-for-channels)) ;;; Commentary: @@ -635,16 +636,13 @@ failing when GUIX is too old and lacks the 'guix repl' command." (make-parameter (string-append (cache-directory #:ensure? #f) "/inferiors"))) -(define* (inferior-for-channels channels - #:key - (cache-directory (%inferior-cache-directory)) - (ttl (* 3600 24 30))) - "Return an inferior for CHANNELS, a list of channels. Use the cache at -CACHE-DIRECTORY, where entries can be reclaimed after TTL seconds. This -procedure opens a new connection to the build daemon. - -This is a convenience procedure that people may use in manifests passed to -'guix package -m', for instance." +(define* (cached-channel-instance channels + #:key + (cache-directory (%inferior-cache-directory)) + (ttl (* 3600 24 30))) + "Return a directory containing a guix filetree defined by CHANNELS, a list of channels. +The directory is a subdirectory of CACHE-DIRECTORY, where entries can be reclaimed after TTL seconds. +This procedure opens a new connection to the build daemon." (with-store store (let () (define instances 
@@ -680,7 +678,7 @@ This is a convenience procedure that people may use in manifests passed to (file-expiration-time ttl)) (if (file-exists? cached) - (open-inferior cached) + cached (run-with-store store (mlet %store-monad ((profile (channel-instances->derivation instances))) @@ -689,4 +687,20 @@ This is a convenience procedure that people may use in manifests passed to (built-derivations (list profile)) (symlink* (derivation->output-path profile) cached) (add-indirect-root* cached) - (return (open-inferior cached))))))))) + (return cached)))))))) + +(define* (inferior-for-channels channels + #:key + (cache-directory (%inferior-cache-directory)) + (ttl (* 3600 24 30))) + "Return an inferior for CHANNELS, a list of channels. Use the cache at +CACHE-DIRECTORY, where entries can be reclaimed after TTL seconds. This +procedure opens a new connection to the build daemon. + +This is a convenience procedure that people may use in manifests passed to +'guix package -m', for instance." + (define cached + (cached-channel-instance channels + #:cache-directory cache-directory + #:ttl ttl)) + (open-inferior cached)) diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm index 418998409a..c42794dbcb 100644 --- a/guix/scripts/pull.scm +++ b/guix/scripts/pull.scm @@ -56,6 +56,7 @@ #:use-module (ice-9 vlist) #:use-module (ice-9 format) #:export (display-profile-content + channel-list guix-pull)) diff --git a/guix/scripts/time-machine.scm b/guix/scripts/time-machine.scm new file mode 100644 index 0000000000..a6598fb0f7 --- /dev/null +++ b/guix/scripts/time-machine.scm 
@@ -0,0 +1,102 @@ +;;; GNU Guix --- Functional package management for GNU +;;; Copyright © 2019 Konrad Hinsen +;;; +;;; This file is part of GNU Guix. +;;; +;;; GNU Guix is free software; you can redistribute it and/or modify it +;;; under the terms of the GNU General Public License as published by +;;; the Free Software Foundation; either version 3 of the License, or (at +;;; your option) any later version. +;;; +;;; GNU Guix is distributed in the hope that it will be useful, but +;;; WITHOUT ANY WARRANTY; without even the implied warranty of +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;;; GNU General Public License for more details. +;;; +;;; You should have received a copy of the GNU General Public License +;;; along with GNU Guix. If not, see . + +(define-module (guix scripts time-machine) + #:use-module (guix ui) + #:use-module (guix scripts) + #:use-module (guix inferior) + #:use-module (guix channels) + #:use-module ((guix scripts pull) #:select (channel-list)) + #:use-module (ice-9 match) + #:use-module (srfi srfi-1) + #:use-module (srfi srfi-11) + #:use-module (srfi srfi-26) + #:use-module (srfi srfi-37) + #:export (guix-time-machine)) + + +;;; +;;; Command-line options. +;;; + +(define (show-help) + (display (G_ "Usage: guix time-machine [OPTION] -- COMMAND ARGS... +Execute COMMAND ARGS... in an older version of Guix.\n")) + (display (G_ " + -C, --channels=FILE deploy the channels defined in FILE")) + (display (G_ " + --url=URL use the Git repository at URL")) + (display (G_ " + --commit=COMMIT use the specified COMMIT")) + (display (G_ " + --branch=BRANCH use the tip of the specified BRANCH")) + (display (G_ " + -h, --help display this help and exit")) + (display (G_ " + -V, --version display version information and exit")) + (newline) + (show-bug-report-information)) + +(define %options + ;; Specifications of the command-line options. 
+ (list (option '(#\C "channels") #t #f + (lambda (opt name arg result) + (alist-cons 'channel-file arg result))) + (option '("url") #t #f + (lambda (opt name arg result) + (alist-cons 'repository-url arg + (alist-delete 'repository-url result)))) + (option '("commit") #t #f + (lambda (opt name arg result) + (alist-cons 'ref `(commit . ,arg) result))) + (option '("branch") #t #f + (lambda (opt name arg result) + (alist-cons 'ref `(branch . ,arg) result))) + (option '(#\h "help") #f #f + (lambda args + (show-help) + (exit 0))) + (option '(#\V "version") #f #f + (lambda args + (show-version-and-exit "guix time-machine"))))) + +(define (parse-args args) + "Parse the list of command line arguments ARGS." + ;; The '--' token is used to separate the command to run from the rest of + ;; the operands. + (let-values (((args command) (break (cut string=? "--" <>) args))) + (let ((opts (parse-command-line args %options '(()) #:build-options? #f))) + (match command + (() opts) + (("--") opts) + (("--" command ...) (alist-cons 'exec command opts)))))) + + +;;; +;;; Entry point. +;;; + +(define (guix-time-machine . args) + (with-error-handling + (let* ((opts (parse-args args)) + (channels (channel-list opts)) + (command-line (assoc-ref opts 'exec))) + (when command-line + (let* ((directory (cached-channel-instance channels)) + (executable (string-append directory "/bin/guix"))) + (apply execl (cons* executable executable command-line))))))) -- cgit v1.2.3 From 1d5485690ba75d6b355fd519caf40881a606678b Mon Sep 17 00:00:00 2001 
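Review bot: In `guix-time-machine`, when no `--` separator is given `(assoc-ref opts 'exec)` is `#f`, the `when` form does nothing, and the command exits successfully without a word, which hides mistakes such as a forgotten `--`; replacing the bare `when` with an `if` whose else branch calls `(leave (G_ "no command specified; use '--' to separate COMMAND from the options~%"))` would surface them. The `-C` help line, `deploy the channels defined in FILE`, is copied from `guix pull` and misleading here since nothing is deployed; `use the channels defined in FILE` fits better. Since `execl` replaces the process, nothing after it ever runs and `with-error-handling` only reports a failure to exec, which a short comment above the `execl` call could make explicit.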
From: Konrad Hinsen Date: Tue, 12 Nov 2019 16:39:46 +0100 Subject: inferior: 'cached-channel-instance' takes an open store connection. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * guix/inferior.scm (cached-channel-instance): Take an explicit 'store' argument. (inferior-for-channels): Wrap call to 'cached-channel-instance' in 'with-store'. * guix/time-machine.scm (guix-time-machine): Wrap call to 'cached-channel-instance' in 'with-store'. Signed-off-by: Ludovic Courtès --- guix/inferior.scm | 99 ++++++++++++++++++++++--------------------- guix/scripts/time-machine.scm | 4 +- 2 files changed, 53 insertions(+), 50 deletions(-) (limited to 'guix') diff --git a/guix/inferior.scm b/guix/inferior.scm index be50e0ec26..71dae89e92 100644 --- a/guix/inferior.scm +++ b/guix/inferior.scm 
@@ -636,58 +636,57 @@ failing when GUIX is too old and lacks the 'guix repl' command." (make-parameter (string-append (cache-directory #:ensure? #f) "/inferiors"))) -(define* (cached-channel-instance channels +(define* (cached-channel-instance store + channels #:key (cache-directory (%inferior-cache-directory)) (ttl (* 3600 24 30))) "Return a directory containing a guix filetree defined by CHANNELS, a list of channels. The directory is a subdirectory of CACHE-DIRECTORY, where entries can be reclaimed after TTL seconds. This procedure opens a new connection to the build daemon." - (with-store store - (let () - (define instances - (latest-channel-instances store channels)) - - (define key - (bytevector->base32-string - (sha256 - (string->utf8 - (string-concatenate (map channel-instance-commit instances)))))) - - (define cached - (string-append cache-directory "/" key)) - - (define (base32-encoded-sha256? str) - (= (string-length str) 52)) - - (define (cache-entries directory) - (map (lambda (file) - (string-append directory "/" file)) - (scandir directory base32-encoded-sha256?))) - - (define symlink* - (lift2 symlink %store-monad)) - - (define add-indirect-root* - (store-lift add-indirect-root)) - - (mkdir-p cache-directory) - (maybe-remove-expired-cache-entries cache-directory - cache-entries - #:entry-expiration - (file-expiration-time ttl)) - - (if (file-exists? 
cached) - cached - (run-with-store store - (mlet %store-monad ((profile - (channel-instances->derivation instances))) - (mbegin %store-monad - (show-what-to-build* (list profile)) - (built-derivations (list profile)) - (symlink* (derivation->output-path profile) cached) - (add-indirect-root* cached) - (return cached)))))))) + (define instances + (latest-channel-instances store channels)) + + (define key + (bytevector->base32-string + (sha256 + (string->utf8 + (string-concatenate (map channel-instance-commit instances)))))) + + (define cached + (string-append cache-directory "/" key)) + + (define (base32-encoded-sha256? str) + (= (string-length str) 52)) + + (define (cache-entries directory) + (map (lambda (file) + (string-append directory "/" file)) + (scandir directory base32-encoded-sha256?))) + + (define symlink* + (lift2 symlink %store-monad)) + + (define add-indirect-root* + (store-lift add-indirect-root)) + + (mkdir-p cache-directory) + (maybe-remove-expired-cache-entries cache-directory + cache-entries + #:entry-expiration + (file-expiration-time ttl)) + + (if (file-exists? cached) + cached + (run-with-store store + (mlet %store-monad ((profile + (channel-instances->derivation instances))) + (mbegin %store-monad + (show-what-to-build* (list profile)) + (built-derivations (list profile)) + (symlink* (derivation->output-path profile) cached) + (add-indirect-root* cached) + (return cached)))))) (define* (inferior-for-channels channels #:key @@ -700,7 +699,9 @@ procedure opens a new connection to the build daemon. This is a convenience procedure that people may use in manifests passed to 'guix package -m', for instance." (define cached - (cached-channel-instance channels - #:cache-directory cache-directory - #:ttl ttl)) + (with-store store + (cached-channel-instance store + channels + #:cache-directory cache-directory + #:ttl ttl))) (open-inferior cached)) 
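Review bot: The docstring of cached-channel-instance still ends with `This procedure opens a new connection to the build daemon.`, which is no longer true now that STORE is a required first parameter and the `with-store` wrapper has been dropped; the sentence should instead document the new argument, e.g. `STORE is an open connection to the build daemon; the caller owns it and is responsible for closing it.` The same stale wording sits in the inferior-for-channels docstring context of the next hunk (`procedure opens a new connection to the build daemon`), which after this change is the only place a connection is actually opened. A short comment on the `(if (file-exists? cached) ...)` branch would also help: `file-exists?` follows symlinks, so a dangling cache symlink presumably falls through to the build path and then fails at `symlink*` on the existing entry rather than being repaired — worth confirming and noting.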
diff --git a/guix/scripts/time-machine.scm b/guix/scripts/time-machine.scm index a6598fb0f7..a64badc27b 100644 --- a/guix/scripts/time-machine.scm +++ b/guix/scripts/time-machine.scm @@ -21,6 +21,7 @@ #:use-module (guix scripts) #:use-module (guix inferior) #:use-module (guix channels) + #:use-module (guix store) #:use-module ((guix scripts pull) #:select (channel-list)) #:use-module (ice-9 match) #:use-module (srfi srfi-1) @@ -97,6 +98,7 @@ Execute COMMAND ARGS... in an older version of Guix.\n")) (channels (channel-list opts)) (command-line (assoc-ref opts 'exec))) (when command-line - (let* ((directory (cached-channel-instance channels)) + (let* ((directory (with-store store + (cached-channel-instance store channels))) (executable (string-append directory "/bin/guix"))) (apply execl (cons* executable executable command-line))))))) -- cgit v1.2.3 From d17e012da7b41165cb49a5604a773459736144e3 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Fri, 15 Nov 2019 21:11:58 +0100 Subject: time-machine: Handle 'git-error' exceptions. * guix/scripts/pull.scm (with-git-error-handling): Export. * guix/scripts/time-machine.scm (guix-time-machine): Wrap body in 'with-git-error-handling'. --- guix/scripts/pull.scm | 1 + guix/scripts/time-machine.scm | 20 +++++++++++--------- 2 files changed, 12 insertions(+), 9 deletions(-) (limited to 'guix') diff --git a/guix/scripts/pull.scm b/guix/scripts/pull.scm index c42794dbcb..0ab688ac24 100644 --- a/guix/scripts/pull.scm +++ b/guix/scripts/pull.scm @@ -57,6 +57,7 @@ #:use-module (ice-9 format) #:export (display-profile-content channel-list + with-git-error-handling guix-pull)) diff --git a/guix/scripts/time-machine.scm b/guix/scripts/time-machine.scm index a64badc27b..946b523741 100644 --- a/guix/scripts/time-machine.scm +++ b/guix/scripts/time-machine.scm 
@@ -22,7 +22,8 @@
 #:use-module (guix inferior)
 #:use-module (guix channels)
 #:use-module (guix store)
- #:use-module ((guix scripts pull) #:select (channel-list))
+ #:use-module ((guix scripts pull)
+ #:select (with-git-error-handling channel-list))
 #:use-module (ice-9 match)
 #:use-module (srfi srfi-1)
 #:use-module (srfi srfi-11)
@@ -94,11 +95,12 @@ Execute COMMAND ARGS... in an older version of Guix.\n"))
 
 (define (guix-time-machine . args)
 (with-error-handling
- (let* ((opts (parse-args args))
- (channels (channel-list opts))
- (command-line (assoc-ref opts 'exec)))
- (when command-line
- (let* ((directory (with-store store
- (cached-channel-instance store channels)))
- (executable (string-append directory "/bin/guix")))
- (apply execl (cons* executable executable command-line)))))))
+ (with-git-error-handling
+ (let* ((opts (parse-args args))
+ (channels (channel-list opts))
+ (command-line (assoc-ref opts 'exec)))
+ (when command-line
+ (let* ((directory (with-store store
+ (cached-channel-instance store channels)))
+ (executable (string-append directory "/bin/guix")))
+ (apply execl (cons* executable executable command-line))))))))
-- cgit v1.2.3
From 87e7faa2ae641d8302efc8b90f1e45f43f67f6da Mon Sep 17 00:00:00 2001
From: Ludovic Courtès
Date: Fri, 15 Nov 2019 21:48:35 +0100
Subject: time-machine: Honor the standard build options.
* guix/scripts/time-machine.scm (show-help): Call 'show-build-options-help'. (%options): Add %STANDARD-BUILD-OPTIONS. (%default-options): New variable. (parse-args): Pass (list %default-options) to 'parse-command-line' and remove #:build-options? parameter. (guix-time-machine): Call 'set-build-options-from-command-line' and wrap 'cached-channel-instance' call in 'with-status-verbosity'. * doc/guix.texi (Invoking guix time-machine): Mention common build options.
---
 doc/guix.texi | 4 ++++
 guix/scripts/time-machine.scm | 55 +++++++++++++++++++++++++++++++++----------
 2 files changed, 46 insertions(+), 13 deletions(-)
(limited to 'guix')
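Review bot: guix-time-machine has no docstring, and the new `with-git-error-handling` layer makes its error contract worth stating; a one-line docstring after the signature such as `"Entry point for 'guix time-machine': run the command that follows \"--\" in ARGS with the Guix revision selected by ARGS' channel options."` would cover it. The wrapper also encloses the final `execl`, so a Git error raised anywhere in the body is handled, while a failing `execl` (a 'system-error) is presumably left to `with-error-handling` — worth confirming that it is reported as a message rather than a raw backtrace. The rewritten block is the whole of guix-time-machine and fits within the hunk.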
diff --git a/doc/guix.texi b/doc/guix.texi index bc1d5d863a..51147e3e9a 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -4222,6 +4222,10 @@ will thus build the package @code{hello} as defined in the master branch, which is in general a newer revison of Guix than you have installed. Time travel works in both directions! +Note that @command{guix time-machine} can trigger builds of channels and +their dependencies, and these are controlled by the standard build +options (@pxref{Common Build Options}). + @node Inferiors @section Inferiors diff --git a/guix/scripts/time-machine.scm b/guix/scripts/time-machine.scm index 946b523741..19e635555a 100644 --- a/guix/scripts/time-machine.scm +++ b/guix/scripts/time-machine.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2019 Konrad Hinsen +;;; Copyright © 2019 Ludovic Courtès ;;; ;;; This file is part of GNU Guix. ;;; @@ -22,8 +23,15 @@ #:use-module (guix inferior) #:use-module (guix channels) #:use-module (guix store) + #:use-module (guix status) + #:use-module ((guix utils) + #:select (%current-system)) #:use-module ((guix scripts pull) #:select (with-git-error-handling channel-list)) + #:use-module ((guix scripts build) + #:select (%standard-build-options + show-build-options-help + set-build-options-from-command-line)) #:use-module (ice-9 match) #:use-module (srfi srfi-1) #:use-module (srfi srfi-11) @@ -47,6 +55,9 @@ Execute COMMAND ARGS... in an older version of Guix.\n")) --commit=COMMIT use the specified COMMIT")) (display (G_ " --branch=BRANCH use the tip of the specified BRANCH")) + (newline) + (show-build-options-help) + (newline) (display (G_ " -h, --help display this help and exit")) (display (G_ " 
@@ -56,9 +67,9 @@ Execute COMMAND ARGS... in an older version of Guix.\n")) (define %options ;; Specifications of the command-line options. - (list (option '(#\C "channels") #t #f - (lambda (opt name arg result) - (alist-cons 'channel-file arg result))) + (cons* (option '(#\C "channels") #t #f + (lambda (opt name arg result) + (alist-cons 'channel-file arg result))) (option '("url") #t #f (lambda (opt name arg result) (alist-cons 'repository-url arg @@ -69,20 +80,35 @@ Execute COMMAND ARGS... in an older version of Guix.\n")) (option '("branch") #t #f (lambda (opt name arg result) (alist-cons 'ref `(branch . ,arg) result))) - (option '(#\h "help") #f #f - (lambda args - (show-help) - (exit 0))) - (option '(#\V "version") #f #f - (lambda args - (show-version-and-exit "guix time-machine"))))) + (option '(#\h "help") #f #f + (lambda args + (show-help) + (exit 0))) + (option '(#\V "version") #f #f + (lambda args + (show-version-and-exit "guix time-machine"))) + + %standard-build-options)) + +(define %default-options + ;; Alist of default option values. + `((system . ,(%current-system)) + (substitutes? . #t) + (build-hook? . #t) + (print-build-trace? . #t) + (print-extended-build-trace? . #t) + (multiplexed-build-output? . #t) + (graft? . #t) + (debug . 0) + (verbosity . 1))) (define (parse-args args) "Parse the list of command line arguments ARGS." ;; The '--' token is used to separate the command to run from the rest of ;; the operands. (let-values (((args command) (break (cut string=? "--" <>) args))) - (let ((opts (parse-command-line args %options '(()) #:build-options? #f))) + (let ((opts (parse-command-line args %options + (list %default-options)))) (match command (() opts) (("--") opts) 
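Review bot: The parse-args docstring still reads only `Parse the list of command line arguments ARGS.` even though its result now also carries the standard build options merged over `%default-options`; it should describe what it returns, e.g. `Parse the list of command line arguments ARGS.  Return an alist of options, with everything after the first \"--\" token left unparsed under the 'exec key.` Likewise the `%default-options` comment `Alist of default option values.` says nothing about why `substitutes?`, `graft?` and the other build-related keys are listed here; if they mirror the defaults of guix/scripts/build.scm (not visible in this diff), a comment pointing there would keep the two lists from drifting apart. Both are documentation-only changes.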
@@ -100,7 +126,10 @@ Execute COMMAND ARGS... in an older version of Guix.\n"))
 (channels (channel-list opts))
 (command-line (assoc-ref opts 'exec)))
 (when command-line
- (let* ((directory (with-store store
- (cached-channel-instance store channels)))
+ (let* ((directory
+ (with-store store
+ (with-status-verbosity (assoc-ref opts 'verbosity)
+ (set-build-options-from-command-line store opts)
+ (cached-channel-instance store channels))))
 (executable (string-append directory "/bin/guix")))
 (apply execl (cons* executable executable command-line))))))))
-- cgit v1.2.3
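Review bot: When no `--` command is given, the new code still falls through `(when command-line ...)` and exits silently with status 0, so any build options the user passed are parsed, then never applied; if that is not intended, a guard before the `when`, `(unless command-line (leave (G_ "no command specified~%")))`, would make the mistake visible instead of silent. With that guard in place, calling `set-build-options-from-command-line` only on the path where a command is present stays consistent. The enclosing `let*` and the definition of guix-time-machine start outside the hunk.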