2024-10-27 12:45:02 +00:00
|
|
|
{
|
|
|
|
|
lib,
|
|
|
|
|
stdenv,
|
|
|
|
|
fetchurl,
|
|
|
|
|
fetchpatch,
|
2024-11-03 22:58:39 +00:00
|
|
|
fetchDebianPatch,
|
2024-10-27 12:45:02 +00:00
|
|
|
autoreconfHook,
|
|
|
|
|
disarchive,
|
|
|
|
|
git,
|
|
|
|
|
glibcLocales,
|
|
|
|
|
guile,
|
|
|
|
|
guile-avahi,
|
|
|
|
|
guile-gcrypt,
|
|
|
|
|
guile-git,
|
|
|
|
|
guile-gnutls,
|
|
|
|
|
guile-json,
|
|
|
|
|
guile-lib,
|
|
|
|
|
guile-lzlib,
|
|
|
|
|
guile-lzma,
|
|
|
|
|
guile-semver,
|
|
|
|
|
guile-ssh,
|
|
|
|
|
guile-sqlite3,
|
|
|
|
|
guile-zlib,
|
|
|
|
|
guile-zstd,
|
|
|
|
|
help2man,
|
|
|
|
|
makeWrapper,
|
|
|
|
|
pkg-config,
|
|
|
|
|
po4a,
|
|
|
|
|
scheme-bytestructures,
|
|
|
|
|
texinfo,
|
|
|
|
|
bzip2,
|
|
|
|
|
libgcrypt,
|
|
|
|
|
sqlite,
|
|
|
|
|
nixosTests,
|
2023-10-29 07:03:42 +00:00
|
|
|
|
2024-10-27 12:45:02 +00:00
|
|
|
stateDir ? "/var",
|
|
|
|
|
storeDir ? "/gnu/store",
|
|
|
|
|
confDir ? "/etc",
|
2023-08-03 14:30:43 +00:00
|
|
|
}:
|
|
|
|
|
|
|
|
|
|
stdenv.mkDerivation rec {
|
|
|
|
|
pname = "guix";
|
|
|
|
|
version = "1.4.0";
|
|
|
|
|
|
|
|
|
|
src = fetchurl {
|
|
|
|
|
url = "mirror://gnu/guix/guix-${version}.tar.gz";
|
|
|
|
|
hash = "sha256-Q8dpy/Yy7wVEmsH6SMG6FSwzSUxqvH5HE3u6eyFJ+KQ=";
|
|
|
|
|
};
|
|
|
|
|
|
2024-04-10 05:30:37 +00:00
|
|
|
patches = [
|
|
|
|
|
(fetchpatch {
|
|
|
|
|
name = "CVE-2024-27297_1.patch";
|
|
|
|
|
url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143";
|
|
|
|
|
hash = "sha256-xKo1h2uckC2pYHt+memekagfL6dWcF8gOnTOOW/wJUU=";
|
|
|
|
|
})
|
|
|
|
|
(fetchpatch {
|
|
|
|
|
name = "CVE-2024-27297_2.patch";
|
|
|
|
|
url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=ff1251de0bc327ec478fc66a562430fbf35aef42";
|
|
|
|
|
hash = "sha256-f4KWDVrvO/oI+4SCUHU5GandkGtHrlaM1BWygM/Qlao=";
|
|
|
|
|
})
|
2024-10-27 12:57:29 +00:00
|
|
|
# see https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability
|
2024-11-03 22:58:39 +00:00
|
|
|
(fetchDebianPatch {
|
|
|
|
|
inherit pname version;
|
|
|
|
|
debianRevision = "8";
|
|
|
|
|
patch = "security/0101-daemon-Sanitize-failed-build-outputs-prior-to-exposi.patch";
|
|
|
|
|
hash = "sha256-cbra/+K8+xHUJrCKRgzJCuhMBpzCSjgjosKAkJx7QIo=";
|
|
|
|
|
})
|
|
|
|
|
(fetchDebianPatch {
|
|
|
|
|
inherit pname version;
|
|
|
|
|
debianRevision = "8";
|
|
|
|
|
patch = "security/0102-daemon-Sanitize-successful-build-outputs-prior-to-ex.patch";
|
|
|
|
|
hash = "sha256-mOnlYtpIuYL+kDvSNuXuoDLJP03AA9aI2ALhap+0NOM=";
|
|
|
|
|
})
|
2024-04-10 05:30:37 +00:00
|
|
|
];
|
|
|
|
|
|
2023-08-03 14:30:43 +00:00
|
|
|
postPatch = ''
|
|
|
|
|
sed nix/local.mk -i -E \
|
|
|
|
|
-e "s|^sysvinitservicedir = .*$|sysvinitservicedir = $out/etc/init.d|" \
|
|
|
|
|
-e "s|^openrcservicedir = .*$|openrcservicedir = $out/etc/openrc|"
|
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
strictDeps = true;
|
|
|
|
|
|
|
|
|
|
nativeBuildInputs = [
|
|
|
|
|
autoreconfHook
|
2023-10-27 17:27:00 +00:00
|
|
|
disarchive
|
2023-08-03 14:30:43 +00:00
|
|
|
git
|
|
|
|
|
glibcLocales
|
|
|
|
|
guile
|
|
|
|
|
guile-avahi
|
|
|
|
|
guile-gcrypt
|
|
|
|
|
guile-git
|
|
|
|
|
guile-gnutls
|
|
|
|
|
guile-json
|
|
|
|
|
guile-lib
|
|
|
|
|
guile-lzlib
|
|
|
|
|
guile-lzma
|
|
|
|
|
guile-semver
|
|
|
|
|
guile-ssh
|
|
|
|
|
guile-sqlite3
|
|
|
|
|
guile-zlib
|
|
|
|
|
guile-zstd
|
|
|
|
|
help2man
|
|
|
|
|
makeWrapper
|
|
|
|
|
pkg-config
|
|
|
|
|
po4a
|
|
|
|
|
scheme-bytestructures
|
|
|
|
|
texinfo
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
buildInputs = [
|
|
|
|
|
bzip2
|
|
|
|
|
guile
|
|
|
|
|
libgcrypt
|
|
|
|
|
sqlite
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
propagatedBuildInputs = [
|
2023-10-27 17:27:00 +00:00
|
|
|
disarchive
|
2023-08-03 14:30:43 +00:00
|
|
|
guile-avahi
|
|
|
|
|
guile-gcrypt
|
|
|
|
|
guile-git
|
|
|
|
|
guile-gnutls
|
|
|
|
|
guile-json
|
|
|
|
|
guile-lib
|
|
|
|
|
guile-lzlib
|
|
|
|
|
guile-lzma
|
|
|
|
|
guile-semver
|
|
|
|
|
guile-ssh
|
|
|
|
|
guile-sqlite3
|
|
|
|
|
guile-zlib
|
|
|
|
|
guile-zstd
|
|
|
|
|
scheme-bytestructures
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
configureFlags = [
|
2023-10-29 07:03:42 +00:00
|
|
|
"--with-store-dir=${storeDir}"
|
|
|
|
|
"--localstatedir=${stateDir}"
|
|
|
|
|
"--sysconfdir=${confDir}"
|
2023-08-03 14:30:43 +00:00
|
|
|
"--with-bash-completion-dir=$(out)/etc/bash_completion.d"
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
enableParallelBuilding = true;
|
|
|
|
|
|
|
|
|
|
postInstall = ''
|
|
|
|
|
for f in $out/bin/*; do
|
|
|
|
|
wrapProgram $f \
|
|
|
|
|
--prefix GUILE_LOAD_PATH : "$out/${guile.siteDir}:$GUILE_LOAD_PATH" \
|
|
|
|
|
--prefix GUILE_LOAD_COMPILED_PATH : "$out/${guile.siteCcacheDir}:$GUILE_LOAD_COMPILED_PATH"
|
|
|
|
|
done
|
|
|
|
|
'';
|
|
|
|
|
|
2024-08-17 22:29:43 +00:00
|
|
|
passthru.tests = {
|
|
|
|
|
inherit (nixosTests) guix;
|
|
|
|
|
};
|
|
|
|
|
|
2023-08-03 14:30:43 +00:00
|
|
|
meta = with lib; {
|
|
|
|
|
description = "Functional package manager with a Scheme interface";
|
|
|
|
|
longDescription = ''
|
|
|
|
|
GNU Guix is a purely functional package manager for the GNU system, and a distribution thereof.
|
|
|
|
|
In addition to standard package management features, Guix supports
|
|
|
|
|
transactional upgrades and roll-backs, unprivileged package management,
|
|
|
|
|
per-user profiles, and garbage collection.
|
|
|
|
|
It provides Guile Scheme APIs, including high-level embedded
|
|
|
|
|
domain-specific languages (EDSLs), to describe how packages are built
|
|
|
|
|
and composed.
|
|
|
|
|
A user-land free software distribution for GNU/Linux comes as part of
|
|
|
|
|
Guix.
|
|
|
|
|
Guix is based on the Nix package manager.
|
|
|
|
|
'';
|
|
|
|
|
homepage = "http://www.gnu.org/software/guix";
|
2024-10-04 19:35:12 +00:00
|
|
|
changelog = "https://git.savannah.gnu.org/cgit/guix.git/plain/NEWS?h=v${version}";
|
2023-08-03 14:30:43 +00:00
|
|
|
license = licenses.gpl3Plus;
|
|
|
|
|
mainProgram = "guix";
|
2024-10-27 12:45:02 +00:00
|
|
|
maintainers = with maintainers; [
|
|
|
|
|
cafkafk
|
|
|
|
|
foo-dogsquared
|
|
|
|
|
];
|
2023-08-03 14:30:43 +00:00
|
|
|
platforms = platforms.linux;
|
|
|
|
|
};
|
|
|
|
|
}
|
