Merge branch 'master' into staging

This commit is contained in:
Marius Bakke 2018-06-19 17:02:16 +02:00
commit 0106d6b40d
No known key found for this signature in database
GPG Key ID: A2A06DF2A33A54FA
29 changed files with 8998 additions and 3569 deletions

View File

@ -53,7 +53,7 @@
(define %dependency-variables
;; (guix config) variables corresponding to dependencies.
'(%libgcrypt %libz %xz %gzip %bzip2 %nix-instantiate))
'(%libgcrypt %libz %xz %gzip %bzip2))
(define %persona-variables
;; (guix config) variables that define Guix's persona.
@ -63,17 +63,14 @@
%guix-home-page-url))
(define %config-variables
;; (guix config) variables corresponding to Guix configuration (storedir,
;; localstatedir, etc.)
(sort (filter pair?
(module-map (lambda (name var)
(and (not (memq name %dependency-variables))
(not (memq name %persona-variables))
(cons name (variable-ref var))))
(resolve-interface '(guix config))))
(lambda (name+value1 name+value2)
(string<? (symbol->string (car name+value1))
(symbol->string (car name+value2))))))
;; (guix config) variables corresponding to Guix configuration.
(letrec-syntax ((variables (syntax-rules ()
((_)
'())
((_ variable rest ...)
(cons `(variable . ,variable)
(variables rest ...))))))
(variables %localstatedir %storedir %sysconfdir %system)))
(define* (make-config.scm #:key libgcrypt zlib gzip xz bzip2
(package-name "GNU Guix")
@ -91,12 +88,15 @@
%guix-version
%guix-bug-report-address
%guix-home-page-url
%store-directory
%state-directory
%store-database-directory
%config-directory
%libgcrypt
%libz
%gzip
%bzip2
%xz
%nix-instantiate))
%xz))
;; XXX: Work around <http://bugs.gnu.org/15602>.
(eval-when (expand load eval)
@ -105,6 +105,26 @@
#~(define-public #$name #$value)))
%config-variables)
(define %store-directory
(or (and=> (getenv "NIX_STORE_DIR") canonicalize-path)
%storedir))
(define %state-directory
;; This must match `NIX_STATE_DIR' as defined in
;; `nix/local.mk'.
(or (getenv "NIX_STATE_DIR")
(string-append %localstatedir "/guix")))
(define %store-database-directory
(or (getenv "NIX_DB_DIR")
(string-append %state-directory "/db")))
(define %config-directory
;; This must match `GUIX_CONFIGURATION_DIRECTORY' as
;; defined in `nix/local.mk'.
(or (getenv "GUIX_CONFIGURATION_DIRECTORY")
(string-append %sysconfdir "/guix")))
(define %guix-package-name #$package-name)
(define %guix-version #$package-version)
(define %guix-bug-report-address #$bug-report-address)
@ -122,10 +142,7 @@
(file-append libgcrypt "/lib/libgcrypt")))
(define %libz
#+(and zlib
(file-append zlib "/lib/libz")))
(define %nix-instantiate ;for (guix import snix)
"nix-instantiate")))))
(file-append zlib "/lib/libz")))))))
;;;

View File

@ -160,18 +160,11 @@ AC_ARG_WITH([nix-prefix],
esac],
[])
AC_PATH_PROG([NIX_INSTANTIATE], [nix-instantiate])
AC_PATH_PROG([NIX_HASH], [nix-hash])
if test "x$guix_build_daemon$NIX_INSTANTIATE$NIX_HASH" = "xno"; then
if test "x$guix_build_daemon$NIX_HASH" = "xno"; then
AC_MSG_ERROR([Nix programs not found; please install Nix or use `--with-nix-prefix'.])
fi
if test "x$NIX_INSTANTIATE" = "x"; then
# This program is an optional dependency, so we just want it to be
# taken from $PATH if it's not available right now.
NIX_INSTANTIATE="nix-instantiate"
fi
AC_ARG_WITH([nixpkgs],
[AS_HELP_STRING([--with-nixpkgs=DIR],
[search for Nixpkgs in DIR (for testing purposes only)])],

View File

@ -974,6 +974,10 @@ dist_patch_DATA = \
%D%/packages/patches/openscenegraph-ffmpeg3.patch \
%D%/packages/patches/opensmtpd-fix-crash.patch \
%D%/packages/patches/openssl-runpath.patch \
%D%/packages/patches/openssl-1.0.2-CVE-2018-0495.patch \
%D%/packages/patches/openssl-1.0.2-CVE-2018-0732.patch \
%D%/packages/patches/openssl-1.1.0-CVE-2018-0495.patch \
%D%/packages/patches/openssl-1.1.0-CVE-2018-0732.patch \
%D%/packages/patches/openssl-1.1.0-c-rehash-in.patch \
%D%/packages/patches/openssl-c-rehash-in.patch \
%D%/packages/patches/orpheus-cast-errors-and-includes.patch \
@ -1068,6 +1072,7 @@ dist_patch_DATA = \
%D%/packages/patches/python-unittest2-remove-argparse.patch \
%D%/packages/patches/python-waitress-fix-tests.patch \
%D%/packages/patches/qemu-glibc-2.27.patch \
%D%/packages/patches/qemu-CVE-2018-11806.patch \
%D%/packages/patches/qt4-ldflags.patch \
%D%/packages/patches/qtbase-use-TZDIR.patch \
%D%/packages/patches/qtscript-disable-tests.patch \

View File

@ -1220,7 +1220,7 @@ patches that can be used with softsynths such as Timidity and WildMidi.")
(define-public guitarix
(package
(name "guitarix")
(version "0.36.1")
(version "0.37.1")
(source (origin
(method url-fetch)
(uri (string-append
@ -1228,7 +1228,7 @@ patches that can be used with softsynths such as Timidity and WildMidi.")
version ".tar.xz"))
(sha256
(base32
"1g5949jwh2n755xjs3kcbdb8a1wxr5mn0m115wdnk27dxcdn93b0"))))
"064k0jzxqgx9gwf8za6jziansabzrwzjaim3qx1743ify5g3gaai"))))
(build-system waf-build-system)
(arguments
`(#:tests? #f ; no "check" target

View File

@ -826,10 +826,12 @@ is like a time machine for your data. ")
(license (license:fsf-free "file://COPYING"
"Open Software License 2.0"))))
(define-public restic ; bundled / vendored dependencies
(define-public restic
(package
(name "restic")
(version "0.9.1")
;; TODO Try packaging the bundled / vendored dependencies in the 'vendor/'
;; directory.
(source (origin
(method url-fetch)
(uri (string-append

View File

@ -1487,14 +1487,14 @@ similar to BerkeleyDB, LevelDB, etc.")
(define-public redis
(package
(name "redis")
(version "4.0.9")
(version "4.0.10")
(source (origin
(method url-fetch)
(uri (string-append "http://download.redis.io/releases/redis-"
version".tar.gz"))
(sha256
(base32
"0465bv6yxnwmas3wzg07vmrprv2pxhnr56hn5pxrybwf66y76kyz"))))
"194cydhv3hf4v95ifvjvsqrs4jn3ffrkg5lvxj5d3y04lwsp9dhx"))))
(build-system gnu-build-system)
(arguments
'(#:tests? #f ; tests related to master/slave and replication fail

View File

@ -34,14 +34,14 @@
(define-public elfutils
(package
(name "elfutils")
(version "0.170")
(version "0.172")
(source (origin
(method url-fetch)
(uri (string-append "https://sourceware.org/elfutils/ftp/"
version "/elfutils-" version ".tar.bz2"))
(sha256
(base32
"0rp0r54z44is49c594qy7hr211nhb00aa5y7z74vsybbaxslg10z"))
"090fmbnvd9jblkwhb2bm3hanim63rrvd5f30mfxq4jac6kk9k73p"))
(patches (search-patches "elfutils-tests-ptrace.patch"))))
(build-system gnu-build-system)

View File

@ -1430,11 +1430,11 @@ Maps directly inside Emacs.")
(license license:gpl3+)))
(define-public emacs-graphviz-dot-mode
(let ((commit "fdaabbcc95d9156e3dadc84f81a4750c5b692580")
(let ((commit "c456a2b65c734089e6c44e87209a5a432a741b1a")
(revision "1"))
(package
(name "emacs-graphviz-dot-mode")
(version (string-append "0.3.10-" revision "."
(version (string-append "0.3.11-" revision "."
(string-take commit 7)))
(source (origin
(method git-fetch)
@ -1444,7 +1444,7 @@ Maps directly inside Emacs.")
(file-name (string-append name "-" version "-checkout"))
(sha256
(base32
"1s1qh5r0xp6hs0rl5yz5mkmjhpg04bh449c7vgjbb1pjsl1dl714"))))
"0j1r2rspaakw37b0mx7pwpvdsvixq9sw3xjbww5piihzpdxz58z1"))))
(build-system emacs-build-system)
(arguments
`(#:phases
@ -2662,7 +2662,7 @@ build jobs.")
(define-public emacs-company
(package
(name "emacs-company")
(version "0.9.3")
(version "0.9.6")
(source
(origin
(method url-fetch)
@ -2671,7 +2671,7 @@ build jobs.")
(file-name (string-append name "-" version ".tar.gz"))
(sha256
(base32
"1fyrpchpdmvszssy1qmsw41aqpv6q5rybvs1bw00nv9xdhiaq4vh"))))
"0a7zvmfvxh9w67myvcj2511ayk0fvkm06cdg38y8khnsx63jrr4k"))))
(build-system emacs-build-system)
(arguments
`(#:phases
@ -7237,7 +7237,7 @@ messaging service.")
(define-public emacs-bash-completion
(package
(name "emacs-bash-completion")
(version "2.0.0")
(version "2.1.0")
(source
(origin
(method url-fetch)
@ -7247,7 +7247,7 @@ messaging service.")
(file-name (string-append name "-" version ".tar.gz"))
(sha256
(base32
"0mkci4a1fy8z4cmry8mx5vsx4f16a8r454slnh7lqzidnhfi63hj"))))
"1z0qck3v3ra6ivacn8n04w1v33a4xn01xx860761q31qzsv3sksq"))))
(inputs `(("bash" ,bash)))
(build-system emacs-build-system)
(arguments
@ -10893,20 +10893,20 @@ try completing. See @code{fish-completion-fallback-on-bash-p}.")
(license license:gpl3+))))
(define-public emacs-gif-screencast
(let ((commit "825e606950ec842304bf75cf85baef707b853b03"))
(let ((commit "12b25442b97b84abae74ecb5190a9d14ff7cfe5a"))
(package
(name "emacs-gif-screencast")
(version (git-version "20180309" "1" commit))
(version (git-version "20180616" "1" commit))
(source
(origin
(method url-fetch)
(uri (string-append
"https://github.com/Ambrevar/emacs-gif-screencast/archive/"
commit
".tar.gz"))
"https://gitlab.com/Ambrevar/emacs-gif-screencast/"
"repository/archive.tar.gz?ref="
commit))
(sha256
(base32
"1f83sdx4qj4g6byvbdq7aayissbcy5lqm43djp8h0lq455nf7jkc"))))
"0lc457i78xjkn5idr2aaiadkh76zcsksj84z0qh80a9y775syrgh"))))
(build-system emacs-build-system)
(inputs
`(("scrot" ,scrot)
@ -10933,7 +10933,7 @@ try completing. See @code{fish-completion-fallback-on-bash-p}.")
("gif-screencast-optimize-program"
(string-append imagemagick "/bin/gifsicle")))))))))
(home-page
"https://github.com/Ambrevar/emacs-gif-screencast")
"https://gitlab.com/Ambrevar/emacs-gif-screencast")
(synopsis "One-frame-per-action GIF recording")
(description
"Call @code{gif-screencast} to start a recording.
@ -11217,7 +11217,22 @@ provided by other Emacs packages dealing with pass:
(base32
"0v66wk9nh0raih4jhrzmmyi5lbysjnmbv791vm2230ffi2hmwxnd"))))
(build-system emacs-build-system)
(propagated-inputs `(("imagemagick" ,imagemagick)))
(inputs `(("imagemagick" ,imagemagick)))
(arguments
`(#:phases
(modify-phases %standard-phases
(add-after 'unpack 'configure
(lambda* (#:key inputs outputs #:allow-other-keys)
(let ((imagemagick (assoc-ref inputs "imagemagick")))
;; Specify the absolute file names of the various
;; programs so that everything works out-of-the-box.
(chmod "image+.el" #o666)
(emacs-substitute-variables
"image+.el"
("imagex-convert-command"
(string-append imagemagick "/bin/convert"))
("imagex-identify-command"
(string-append imagemagick "/bin/identify")))))))))
(home-page "https://github.com/mhayashi1120/Emacs-imagex")
(synopsis "Image manipulation extensions for Emacs")
(description

View File

@ -1,7 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013 Eric Bavier <bavier@member.fsf.org>
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016, 2018 Efraim Flashner <efraim@flashner.co.il>
;;;
;;; This file is part of GNU Guix.
;;;
@ -30,7 +30,7 @@
(define-public gnu-pw-mgr
(package
(name "gnu-pw-mgr")
(version "2.0")
(version "2.3.1")
(source
(origin
(method url-fetch)
@ -38,8 +38,16 @@
version ".tar.xz"))
(sha256
(base32
"19qvg37snfa8s06q5crx25m1r1n4l0wvfpkbdxz17q7whp0plrl6"))))
"05vv6n5sqdswhzm21cqn8m2p6avblxl3cv7b39nqx8yxf58gi2xv"))))
(build-system gnu-build-system)
(arguments
'(#:phases
(modify-phases %standard-phases
(add-after 'patch-source-shebangs 'patch-more-shebangs
(lambda _
(substitute* "tests/dom.test"
(("/usr/bin/printf") (which "printf")))
#t)))))
(native-inputs
`(("which" ,which)
("autogen" ,autogen)))

View File

@ -763,14 +763,14 @@ invoking @command{notifymuch} from the post-new hook.")
(define-public notmuch
(package
(name "notmuch")
(version "0.26.2")
(version "0.27")
(source (origin
(method url-fetch)
(uri (string-append "https://notmuchmail.org/releases/notmuch-"
version ".tar.gz"))
(sha256
(base32
"0fqf6wwvqlccq9qdnd0mky7fx0kbkczd28blf045s0vsvdjii70h"))))
"0xh8vq2sa7r07xb3n13drc6gdiqhcgl0pj0za5xj43qkiwpikls0"))))
(build-system gnu-build-system)
(arguments
`(#:modules ((guix build gnu-build-system)

View File

@ -2683,7 +2683,7 @@ for improved Amiga ProTracker 2/3 compatibility.")
(define-public schismtracker
(package
(name "schismtracker")
(version "20170910")
(version "20180513")
(source (origin
(method url-fetch)
(uri (string-append
@ -2692,7 +2692,7 @@ for improved Amiga ProTracker 2/3 compatibility.")
(file-name (string-append name "-" version ".tar.gz"))
(sha256
(base32
"01gfcjngbpv87y9w5jln8k313hycpkb1d617hdy2cdw2hxqzlclz"))
"1yjfd02arb51n0vyv11qgpn6imh7hcqnc3953cbvgwb4cnrswk9f"))
(modules '((guix build utils)))
(snippet
;; Remove use of __DATE__ and __TIME__ for reproducibility.
@ -2706,7 +2706,7 @@ for improved Amiga ProTracker 2/3 compatibility.")
`(#:phases
(modify-phases %standard-phases
(add-after 'unpack 'autoconf
(lambda _ (zero? (system* "autoreconf" "-vfi"))))
(lambda _ (invoke "autoreconf" "-vfi")))
(add-before 'configure 'link-libm
(lambda _ (setenv "LIBS" "-lm") #t)))))
(native-inputs

View File

@ -100,8 +100,8 @@
;; Note: the 'update-guix-package.scm' script expects this definition to
;; start precisely like this.
(let ((version "0.14.0")
(commit "77a1aac6cccc79d7c8085762f610e22e6ebfb43b")
(revision 12))
(commit "7af5c2a248b6c229187fc850517c84b0917c452b")
(revision 13))
(package
(name "guix")
@ -117,7 +117,7 @@
(commit commit)))
(sha256
(base32
"0f0agvw3fizy0aaf51vc2d1rbsvxhg6vnzgjb1n1hbyym79f17j6"))
"06kjimcln4ydirgl05qy98kxjyx3l6brxnq1ly7wb85f73s97gix"))
(file-name (string-append "guix-" version "-checkout"))))
(build-system gnu-build-system)
(arguments
@ -310,11 +310,18 @@ the Nix package manager.")
(inputs
`(("gnutls" ,gnutls)
("guile-git" ,guile-git)
,@(package-inputs guix)))
,@(fold alist-delete (package-inputs guix)
'("boot-guile" "boot-guile/i686" "util-linux"))))
(propagated-inputs '())
(arguments
(substitute-keyword-arguments (package-arguments guix)
((#:configure-flags flags '())
;; Pretend we have those libraries; we don't actually need them.
`(append ,flags
'("guix_cv_have_recent_guile_sqlite3=yes"
"guix_cv_have_recent_guile_ssh=yes")))
((#:tests? #f #f)
#f)
((#:phases phases '%standard-phases)

View File

@ -0,0 +1,215 @@
Fix CVE-2018-0495:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495
https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
Patch copied from upstream source repository:
https://github.com/openssl/openssl/commit/949ff36623eafc3523a9f91784992965018ffb05
From 949ff36623eafc3523a9f91784992965018ffb05 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 25 May 2018 12:10:13 +0100
Subject: [PATCH] Add blinding to an ECDSA signature
Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
ECDSA signature operation. During signing the signer calculates:
s:= k^-1 * (m + r * priv_key) mod order
The addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.
As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:
s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
Since this attack is a localhost side channel only no CVE is assigned.
Reviewed-by: Rich Salz <rsalz@openssl.org>
---
CHANGES | 4 ++
crypto/ecdsa/ecdsatest.c | 9 ++++-
crypto/ecdsa/ecs_ossl.c | 82 ++++++++++++++++++++++++++++++++--------
3 files changed, 79 insertions(+), 16 deletions(-)
diff --git a/crypto/ecdsa/ecdsatest.c b/crypto/ecdsa/ecdsatest.c
index 0f301f86d9..a130fc9117 100644
--- a/crypto/ecdsa/ecdsatest.c
+++ b/crypto/ecdsa/ecdsatest.c
@@ -137,7 +137,7 @@ int restore_rand(void)
return 1;
}
-static int fbytes_counter = 0;
+static int fbytes_counter = 0, use_fake = 0;
static const char *numbers[8] = {
"651056770906015076056810763456358567190100156695615665659",
"6140507067065001063065065565667405560006161556565665656654",
@@ -158,6 +158,11 @@ int fbytes(unsigned char *buf, int num)
int ret;
BIGNUM *tmp = NULL;
+ if (use_fake == 0)
+ return old_rand->bytes(buf, num);
+
+ use_fake = 0;
+
if (fbytes_counter >= 8)
return 0;
tmp = BN_new();
@@ -199,11 +204,13 @@ int x9_62_test_internal(BIO *out, int nid, const char *r_in, const char *s_in)
/* create the key */
if ((key = EC_KEY_new_by_curve_name(nid)) == NULL)
goto x962_int_err;
+ use_fake = 1;
if (!EC_KEY_generate_key(key))
goto x962_int_err;
BIO_printf(out, ".");
(void)BIO_flush(out);
/* create the signature */
+ use_fake = 1;
signature = ECDSA_do_sign(digest, 20, key);
if (signature == NULL)
goto x962_int_err;
diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c
index 16d4f59b9b..1d37551803 100644
--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@@ -252,6 +252,7 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
{
int ok = 0, i;
BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *order = NULL;
+ BIGNUM *blind = NULL, *blindm = NULL;
const BIGNUM *ckinv;
BN_CTX *ctx = NULL;
const EC_GROUP *group;
@@ -269,14 +270,25 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
}
ret = ECDSA_SIG_new();
- if (!ret) {
+ if (ret == NULL) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
return NULL;
}
s = ret->s;
- if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL ||
- (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) {
+ ctx = BN_CTX_new();
+ if (ctx == NULL) {
+ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ BN_CTX_start(ctx);
+ order = BN_CTX_get(ctx);
+ tmp = BN_CTX_get(ctx);
+ m = BN_CTX_get(ctx);
+ blind = BN_CTX_get(ctx);
+ blindm = BN_CTX_get(ctx);
+ if (blindm == NULL) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -315,26 +327,70 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
}
}
- if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
+ /*
+ * The normal signature calculation is:
+ *
+ * s := k^-1 * (m + r * priv_key) mod order
+ *
+ * We will blind this to protect against side channel attacks
+ *
+ * s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order
+ */
+
+ /* Generate a blinding value */
+ do {
+ if (!BN_rand(blind, BN_num_bits(order) - 1, -1, 0))
+ goto err;
+ } while (BN_is_zero(blind));
+ BN_set_flags(blind, BN_FLG_CONSTTIME);
+ BN_set_flags(blindm, BN_FLG_CONSTTIME);
+ BN_set_flags(tmp, BN_FLG_CONSTTIME);
+
+ /* tmp := blind * priv_key * r mod order */
+ if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) {
+ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
+ goto err;
+ }
+ if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) {
+ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
+ goto err;
+ }
+
+ /* blindm := blind * m mod order */
+ if (!BN_mod_mul(blindm, blind, m, order, ctx)) {
+ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
+ goto err;
+ }
+
+ /* s : = (blind * priv_key * r) + (blind * m) mod order */
+ if (!BN_mod_add_quick(s, tmp, blindm, order)) {
+ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
+ goto err;
+ }
+
+ /* s:= s * blind^-1 mod order */
+ if (BN_mod_inverse(blind, blind, order, ctx) == NULL) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
- if (!BN_mod_add_quick(s, tmp, m, order)) {
+ if (!BN_mod_mul(s, s, blind, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
+
+ /* s := s * k^-1 mod order */
if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
+
if (BN_is_zero(s)) {
/*
* if kinv and r have been supplied by the caller don't to
* generate new kinv and r values
*/
if (in_kinv != NULL && in_r != NULL) {
- ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
- ECDSA_R_NEED_NEW_SETUP_VALUES);
+ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ECDSA_R_NEED_NEW_SETUP_VALUES);
goto err;
}
} else
@@ -349,15 +405,11 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
ECDSA_SIG_free(ret);
ret = NULL;
}
- if (ctx)
+ if (ctx != NULL) {
+ BN_CTX_end(ctx);
BN_CTX_free(ctx);
- if (m)
- BN_clear_free(m);
- if (tmp)
- BN_clear_free(tmp);
- if (order)
- BN_free(order);
- if (kinv)
+ }
+ if (kinv != NULL)
BN_clear_free(kinv);
return ret;
}
--
2.17.1

View File

@ -0,0 +1,50 @@
Fix CVE-2018-0732:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732
Patch copied from upstream source repository:
https://github.com/openssl/openssl/commit/3984ef0b72831da8b3ece4745cac4f8575b19098
From 3984ef0b72831da8b3ece4745cac4f8575b19098 Mon Sep 17 00:00:00 2001
From: Guido Vranken <guidovranken@gmail.com>
Date: Mon, 11 Jun 2018 19:38:54 +0200
Subject: [PATCH] Reject excessively large primes in DH key generation.
CVE-2018-0732
Signed-off-by: Guido Vranken <guidovranken@gmail.com>
(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6457)
---
crypto/dh/dh_key.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index 387558f146..f235e0d682 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -130,10 +130,15 @@ static int generate_key(DH *dh)
int ok = 0;
int generate_new_key = 0;
unsigned l;
- BN_CTX *ctx;
+ BN_CTX *ctx = NULL;
BN_MONT_CTX *mont = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
+ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
+ return 0;
+ }
+
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
--
2.17.1

View File

@ -0,0 +1,152 @@
Fix CVE-2018-0495:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495
https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/
Patch copied from upstream source repository:
https://github.com/openssl/openssl/commit/0c27d793745c7837b13646302b6890a556b7017a
From 0c27d793745c7837b13646302b6890a556b7017a Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 25 May 2018 12:10:13 +0100
Subject: [PATCH] Add blinding to an ECDSA signature
Keegan Ryan (NCC Group) has demonstrated a side channel attack on an
ECDSA signature operation. During signing the signer calculates:
s:= k^-1 * (m + r * priv_key) mod order
The addition operation above provides a sufficient signal for a
flush+reload attack to derive the private key given sufficient signature
operations.
As a mitigation (based on a suggestion from Keegan) we add blinding to
the operation so that:
s := k^-1 * blind^-1 (blind * m + blind * r * priv_key) mod order
Since this attack is a localhost side channel only no CVE is assigned.
Reviewed-by: Rich Salz <rsalz@openssl.org>
---
CHANGES | 4 +++
crypto/ec/ecdsa_ossl.c | 70 +++++++++++++++++++++++++++++++++++++-----
2 files changed, 67 insertions(+), 7 deletions(-)
diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c
index 72e2f0f28b..449be0e92a 100644
--- a/crypto/ec/ecdsa_ossl.c
+++ b/crypto/ec/ecdsa_ossl.c
@@ -210,7 +210,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
EC_KEY *eckey)
{
int ok = 0, i;
- BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL;
+ BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *blind = NULL;
+ BIGNUM *blindm = NULL;
const BIGNUM *order, *ckinv;
BN_CTX *ctx = NULL;
const EC_GROUP *group;
@@ -243,8 +244,18 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
}
s = ret->s;
- if ((ctx = BN_CTX_new()) == NULL ||
- (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) {
+ ctx = BN_CTX_secure_new();
+ if (ctx == NULL) {
+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ BN_CTX_start(ctx);
+ tmp = BN_CTX_get(ctx);
+ m = BN_CTX_get(ctx);
+ blind = BN_CTX_get(ctx);
+ blindm = BN_CTX_get(ctx);
+ if (blindm == NULL) {
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -284,18 +295,64 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
}
}
- if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) {
+ /*
+ * The normal signature calculation is:
+ *
+ * s := k^-1 * (m + r * priv_key) mod order
+ *
+ * We will blind this to protect against side channel attacks
+ *
+ * s := k^-1 * blind^-1 * (blind * m + blind * r * priv_key) mod order
+ */
+
+ /* Generate a blinding value */
+ do {
+ if (!BN_rand(blind, BN_num_bits(order) - 1, BN_RAND_TOP_ANY,
+ BN_RAND_BOTTOM_ANY))
+ goto err;
+ } while (BN_is_zero(blind));
+ BN_set_flags(blind, BN_FLG_CONSTTIME);
+ BN_set_flags(blindm, BN_FLG_CONSTTIME);
+ BN_set_flags(tmp, BN_FLG_CONSTTIME);
+
+ /* tmp := blind * priv_key * r mod order */
+ if (!BN_mod_mul(tmp, blind, priv_key, order, ctx)) {
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
goto err;
}
- if (!BN_mod_add_quick(s, tmp, m, order)) {
+ if (!BN_mod_mul(tmp, tmp, ret->r, order, ctx)) {
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
goto err;
}
+
+ /* blindm := blind * m mod order */
+ if (!BN_mod_mul(blindm, blind, m, order, ctx)) {
+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
+
+ /* s : = (blind * priv_key * r) + (blind * m) mod order */
+ if (!BN_mod_add_quick(s, tmp, blindm, order)) {
+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
+
+ /* s:= s * blind^-1 mod order */
+ if (BN_mod_inverse(blind, blind, order, ctx) == NULL) {
+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
+ if (!BN_mod_mul(s, s, blind, order, ctx)) {
+ ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
+ goto err;
+ }
+
+ /* s := s * k^-1 mod order */
if (!BN_mod_mul(s, s, ckinv, order, ctx)) {
ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
goto err;
}
+
if (BN_is_zero(s)) {
/*
* if kinv and r have been supplied by the caller don't to
@@ -317,9 +374,8 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
ECDSA_SIG_free(ret);
ret = NULL;
}
+ BN_CTX_end(ctx);
BN_CTX_free(ctx);
- BN_clear_free(m);
- BN_clear_free(tmp);
BN_clear_free(kinv);
return ret;
}
--
2.17.1

View File

@ -0,0 +1,50 @@
Fix CVE-2018-0732:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732
Patch copied from upstream source repository:
https://github.com/openssl/openssl/commit/ea7abeeabf92b7aca160bdd0208636d4da69f4f4
From ea7abeeabf92b7aca160bdd0208636d4da69f4f4 Mon Sep 17 00:00:00 2001
From: Guido Vranken <guidovranken@gmail.com>
Date: Mon, 11 Jun 2018 19:38:54 +0200
Subject: [PATCH] Reject excessively large primes in DH key generation.
CVE-2018-0732
Signed-off-by: Guido Vranken <guidovranken@gmail.com>
(cherry picked from commit 91f7361f47b082ae61ffe1a7b17bb2adf213c7fe)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6457)
---
crypto/dh/dh_key.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
index fce9ff47f3..58003d7087 100644
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -78,10 +78,15 @@ static int generate_key(DH *dh)
int ok = 0;
int generate_new_key = 0;
unsigned l;
- BN_CTX *ctx;
+ BN_CTX *ctx = NULL;
BN_MONT_CTX *mont = NULL;
BIGNUM *pub_key = NULL, *priv_key = NULL;
+ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
+ DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
+ return 0;
+ }
+
ctx = BN_CTX_new();
if (ctx == NULL)
goto err;
--
2.17.1

View File

@ -0,0 +1,105 @@
Fix CVE-2018-11806:
https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11806
Patch copied from upstream source repository:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=864036e251f54c99d31df124aad7f34f01f5344c
From 864036e251f54c99d31df124aad7f34f01f5344c Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 5 Jun 2018 23:38:35 +0530
Subject: [PATCH] slirp: correct size computation while concatenating mbuf
While reassembling incoming fragmented datagrams, 'm_cat' routine
extends the 'mbuf' buffer, if it has insufficient room. It computes
a wrong buffer size, which leads to overwriting adjacent heap buffer
area. Correct this size computation in m_cat.
Reported-by: ZDI Disclosures <zdi-disclosures@trendmicro.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
---
slirp/mbuf.c | 11 +++++------
slirp/mbuf.h | 8 +++-----
2 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/slirp/mbuf.c b/slirp/mbuf.c
index 5ff24559fd..18cbf759a7 100644
--- a/slirp/mbuf.c
+++ b/slirp/mbuf.c
@@ -138,7 +138,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
* If there's no room, realloc
*/
if (M_FREEROOM(m) < n->m_len)
- m_inc(m,m->m_size+MINCSIZE);
+ m_inc(m, m->m_len + n->m_len);
memcpy(m->m_data+m->m_len, n->m_data, n->m_len);
m->m_len += n->m_len;
@@ -147,7 +147,7 @@ m_cat(struct mbuf *m, struct mbuf *n)
}
-/* make m size bytes large */
+/* make m 'size' bytes large from m_data */
void
m_inc(struct mbuf *m, int size)
{
@@ -158,12 +158,12 @@ m_inc(struct mbuf *m, int size)
if (m->m_flags & M_EXT) {
datasize = m->m_data - m->m_ext;
- m->m_ext = g_realloc(m->m_ext, size);
+ m->m_ext = g_realloc(m->m_ext, size + datasize);
m->m_data = m->m_ext + datasize;
} else {
char *dat;
datasize = m->m_data - m->m_dat;
- dat = g_malloc(size);
+ dat = g_malloc(size + datasize);
memcpy(dat, m->m_dat, m->m_size);
m->m_ext = dat;
@@ -171,8 +171,7 @@ m_inc(struct mbuf *m, int size)
m->m_flags |= M_EXT;
}
- m->m_size = size;
-
+ m->m_size = size + datasize;
}
diff --git a/slirp/mbuf.h b/slirp/mbuf.h
index 893601ff9d..33b84485d6 100644
--- a/slirp/mbuf.h
+++ b/slirp/mbuf.h
@@ -33,8 +33,6 @@
#ifndef MBUF_H
#define MBUF_H
-#define MINCSIZE 4096 /* Amount to increase mbuf if too small */
-
/*
* Macros for type conversion
* mtod(m,t) - convert mbuf pointer to data pointer of correct type
@@ -72,11 +70,11 @@ struct mbuf {
struct mbuf *m_prevpkt; /* Flags aren't used in the output queue */
int m_flags; /* Misc flags */
- int m_size; /* Size of data */
+ int m_size; /* Size of mbuf, from m_dat or m_ext */
struct socket *m_so;
- caddr_t m_data; /* Location of data */
- int m_len; /* Amount of data in this mbuf */
+ caddr_t m_data; /* Current location of data */
+ int m_len; /* Amount of data in this mbuf, from m_data */
Slirp *slirp;
bool resolution_requested;
--
2.17.1

View File

@ -260,6 +260,7 @@ required structures.")
(define-public openssl
(package
(name "openssl")
(replacement openssl/fixed)
(version "1.0.2o")
(source (origin
(method url-fetch)
@ -396,6 +397,15 @@ required structures.")
(license license:openssl)
(home-page "https://www.openssl.org/")))
(define openssl/fixed
(package
(inherit openssl)
(source (origin
(inherit (package-source openssl))
(patches (append (origin-patches (package-source openssl))
(search-patches "openssl-1.0.2-CVE-2018-0495.patch"
"openssl-1.0.2-CVE-2018-0732.patch")))))))
(define-public openssl-next
(package
(inherit openssl)
@ -410,7 +420,9 @@ required structures.")
(string-append "ftp://ftp.openssl.org/source/old/"
(string-trim-right version char-set:letter)
"/" name "-" version ".tar.gz")))
(patches (search-patches "openssl-1.1.0-c-rehash-in.patch"))
(patches (search-patches "openssl-1.1.0-c-rehash-in.patch"
"openssl-1.1.0-CVE-2018-0495.patch"
"openssl-1.1.0-CVE-2018-0732.patch"))
(sha256
(base32
"05x509lccqjscgyi935z809pwfm708islypwhmjnb6cyvrn64daq"))))

View File

@ -98,6 +98,7 @@
(method url-fetch)
(uri (string-append "https://download.qemu.org/qemu-"
version ".tar.xz"))
(patches (search-patches "qemu-CVE-2018-11806.patch"))
(sha256
(base32
"1z66spkm1prvhbq7h5mfnp0i6mmamsb938fqmdfvyrgzc7rh34z6"))))

View File

@ -42,10 +42,9 @@
(version "0.5.3+git20180125")
(source (origin
(method git-fetch)
;; Debian's fork of w3m is the only one that is still
;; maintained.
;; Debian's fork of w3m is the only one that is still maintained.
(uri (git-reference
(url "https://anonscm.debian.org/cgit/collab-maint/w3m.git")
(url "https://salsa.debian.org/debian/w3m.git")
(commit (string-append "v" version))))
(file-name (git-file-name name version))
(sha256

View File

@ -2530,7 +2530,7 @@ It is used to cotrol the pointer with a joystick device.")
(define-public xf86-input-mouse
(package
(name "xf86-input-mouse")
(version "1.9.2")
(version "1.9.3")
(source
(origin
(method url-fetch)
@ -2540,7 +2540,7 @@ It is used to cotrol the pointer with a joystick device.")
".tar.bz2"))
(sha256
(base32
"0bsbgww9421792zan43j60mndqprhfxhc48agsi15d3abjqda9gl"))))
"1iawr1wyl2qch1mqszcs0s84i92mh4xxprflnycbw1adc18b7v4k"))))
(build-system gnu-build-system)
(inputs `(("xorg-server" ,xorg-server)))
(native-inputs `(("pkg-config" ,pkg-config)))
@ -5636,7 +5636,7 @@ user-friendly mechanism to start the X server.")
(define-public libxaw3d
(package
(name "libxaw3d")
(version "1.6.2")
(version "1.6.3")
(source
(origin
(method url-fetch)
@ -5646,7 +5646,7 @@ user-friendly mechanism to start the X server.")
".tar.bz2"))
(sha256
(base32
"0awplv1nf53ywv01yxphga3v6dcniwqnxgnb0cn4khb121l12kxp"))))
"0i653s8g25cc0mimkwid9366bqkbyhdyjhckx7bw77j20hzrkfid"))))
(build-system gnu-build-system)
(propagated-inputs
`(("libxext" ,libxext)

View File

@ -616,9 +616,6 @@ unset PATH
GUIX_PROFILE=/run/current-system/profile ; \\
. /run/current-system/profile/etc/profile
# Prepend setuid programs.
export PATH=/run/setuid-programs:$PATH
# Since 'lshd' does not use pam_env, /etc/environment must be explicitly
# loaded when someone logs in via SSH. See <http://bugs.gnu.org/22175>.
# We need 'PATH' to be defined here, for 'cat' and 'cut'. Do this before
@ -645,6 +642,9 @@ do
fi
done
# Prepend setuid programs.
export PATH=/run/setuid-programs:$PATH
# Arrange so that ~/.config/guix/current/share/info comes first.
export INFOPATH=\"$HOME/.config/guix/current/share/info:$INFOPATH\"

View File

@ -196,6 +196,20 @@ files are for HOST, a GNU triplet such as \"x86_64-linux-gnu\"."
(unless (zero? total)
(report-compilation #f total total)))))
(eval-when (eval load)
(when (and (string=? "2" (major-version))
(or (string=? "0" (minor-version))
(and (string=? (minor-version) "2")
(< (string->number (micro-version)) 4))))
;; Work around <https://bugs.gnu.org/31878> on Guile < 2.2.4.
;; Serialize 'try-module-autoload' calls.
(set! (@ (guile) try-module-autoload)
(let ((mutex (make-mutex 'recursive))
(real (@ (guile) try-module-autoload)))
(lambda* (module #:optional version)
(with-mutex mutex
(real module version)))))))
;;; Local Variables:
;;; eval: (put 'with-augmented-search-path 'scheme-indent-function 2)
;;; eval: (put 'with-target 'scheme-indent-function 1)

View File

@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2015, 2018 Ricardo Wurmus <rekado@elephly.net>
;;;
;;; This file is part of GNU Guix.
;;;
@ -38,7 +38,8 @@
(begin
(format #t "running \"python waf\" with command ~s and parameters ~s~%"
command params)
(zero? (apply system* "python" "waf" command params)))
(apply invoke "python" "waf" command params)
#t)
(error "no waf found")))
(define* (configure #:key target native-inputs inputs outputs

View File

@ -35,7 +35,6 @@
%system
%libgcrypt
%libz
%nix-instantiate
%gzip
%bzip2
%xz))
@ -95,9 +94,6 @@
(define %libz
"@LIBZ@")
(define %nix-instantiate
"@NIX_INSTANTIATE@")
(define %gzip
"@GZIP@")

View File

@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018 Ludovic Courtès <ludo@gnu.org>
;;;
;;; This file is part of GNU Guix.
;;;
@ -283,7 +283,7 @@ ATTRIBUTE is true, only that attribute is considered."
platform = (import ~a/pkgs/top-level/platforms.nix).sheevaplug;
}" nixpkgs)))
(apply open-pipe* OPEN_READ
%nix-instantiate "--strict" "--eval-only" "--xml"
"nix-instantiate" "--strict" "--eval-only" "--xml"
;; Pass a dummy `crossSystem' argument so that `buildInputs' and
;; `nativeBuildInputs' are not coalesced.

View File

@ -26,9 +26,8 @@
#:use-module (guix discovery)
#:use-module (guix packages)
#:use-module (guix sets)
#:use-module (guix utils)
#:use-module (guix modules)
#:use-module (guix build utils)
#:use-module ((guix build utils) #:select (find-files))
#:use-module ((guix build compile) #:select (%lightweight-optimizations))
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-9)
@ -656,7 +655,7 @@ assumed to be part of MODULES."
(define %dependency-variables
;; (guix config) variables corresponding to dependencies.
'(%libgcrypt %libz %xz %gzip %bzip2 %nix-instantiate))
'(%libgcrypt %libz %xz %gzip %bzip2))
(define %persona-variables
;; (guix config) variables that define Guix's persona.
@ -666,17 +665,14 @@ assumed to be part of MODULES."
%guix-home-page-url))
(define %config-variables
;; (guix config) variables corresponding to Guix configuration (storedir,
;; localstatedir, etc.)
(sort (filter pair?
(module-map (lambda (name var)
(and (not (memq name %dependency-variables))
(not (memq name %persona-variables))
(cons name (variable-ref var))))
(resolve-interface '(guix config))))
(lambda (name+value1 name+value2)
(string<? (symbol->string (car name+value1))
(symbol->string (car name+value2))))))
;; (guix config) variables corresponding to Guix configuration.
(letrec-syntax ((variables (syntax-rules ()
((_)
'())
((_ variable rest ...)
(cons `(variable . ,variable)
(variables rest ...))))))
(variables %localstatedir %storedir %sysconfdir %system)))
(define* (make-config.scm #:key libgcrypt zlib gzip xz bzip2
(package-name "GNU Guix")
@ -694,18 +690,41 @@ assumed to be part of MODULES."
%guix-version
%guix-bug-report-address
%guix-home-page-url
%store-directory
%state-directory
%store-database-directory
%config-directory
%libgcrypt
%libz
%gzip
%bzip2
%xz
%nix-instantiate))
%xz))
#$@(map (match-lambda
((name . value)
#~(define-public #$name #$value)))
%config-variables)
(define %store-directory
(or (and=> (getenv "NIX_STORE_DIR") canonicalize-path)
%storedir))
(define %state-directory
;; This must match `NIX_STATE_DIR' as defined in
;; `nix/local.mk'.
(or (getenv "NIX_STATE_DIR")
(string-append %localstatedir "/guix")))
(define %store-database-directory
(or (getenv "NIX_DB_DIR")
(string-append %state-directory "/db")))
(define %config-directory
;; This must match `GUIX_CONFIGURATION_DIRECTORY' as
;; defined in `nix/local.mk'.
(or (getenv "GUIX_CONFIGURATION_DIRECTORY")
(string-append %sysconfdir "/guix")))
(define %guix-package-name #$package-name)
(define %guix-version #$package-version)
(define %guix-bug-report-address #$bug-report-address)
@ -723,13 +742,10 @@ assumed to be part of MODULES."
(file-append libgcrypt "/lib/libgcrypt")))
(define %libz
#+(and zlib
(file-append zlib "/lib/libz")))
(define %nix-instantiate ;for (guix import snix)
"nix-instantiate"))
(file-append zlib "/lib/libz"))))
;; Guile 2.0 *requires* the 'define-module' to be at the
;; top-level or it 'toplevel-ref' in the resulting .go file are
;; top-level or the 'toplevel-ref' in the resulting .go file are
;; made relative to a nonexistent anonymous module.
#:splice? #t))

View File

@ -4,12 +4,16 @@
# Joe Hansen <joedalton2@yahoo.dk>, 2015, 2016, 2017, 2018.
#
# build -> kompilering
# consider -> tag i betragtning (men mon ikke tag hensyn til eller overvej
# er bedre)
# derivation -> derivat
# emit -> opret
# garbage -> affald (spild, bedre forslag?)
# in a row -> i træk
# item -> element
# replacement -> erstatning
# specify -> angiv
# substitut -> substitut
# unloading -> afslutter
#
msgid ""
@ -17,7 +21,7 @@ msgstr ""
"Project-Id-Version: guix 0.15.0-pre1\n"
"Report-Msgid-Bugs-To: ludo@gnu.org\n"
"POT-Creation-Date: 2018-04-27 19:13+0200\n"
"PO-Revision-Date: 2018-06-05 20:58+0200\n"
"PO-Revision-Date: 2018-06-15 20:58+0200\n"
"Last-Translator: joe Hansen <joedalton2@yahoo.dk>\n"
"Language-Team: Danish <dansk@dansk-gruppen.dk>\n"
"Language: da\n"
@ -228,7 +232,7 @@ msgid ""
"Consider running 'guix pull' followed by\n"
"'~a' to get up-to-date packages and security updates.\n"
msgstr ""
"Overvej at afvikle »guix pull« efterfulgt af\n"
"Tag i betragtning at afvikle »guix pull« efterfulgt af\n"
"»~a« for at få opdaterede pakker og sikkerhedsopdateringer.\n"
#: guix/scripts/build.scm:81
@ -319,7 +323,7 @@ msgid ""
" --fallback fall back to building when the substituter fails"
msgstr ""
"\n"
" --fallback fald tilbage til kompilering når erstatningen fejler"
" --fallback fald tilbage til kompilering når substituten fejler"
#: guix/scripts/build.scm:353
msgid ""
@ -1240,7 +1244,7 @@ msgid ""
" export GUILE_LOAD_COMPILED_PATH=$HOME/.guix-profile/lib/guile/~a/site-ccache:$GUILE_LOAD_COMPILED_PATH\n"
"\n"
msgstr ""
"Guile-Git mangler men er ikke krævet af »guix pull«.\n"
"Guile-Git mangler men er nu krævet af »guix pull«.\n"
"Installer den ved at køre:\n"
"\n"
" guix package -i ~a\n"
@ -1310,7 +1314,7 @@ msgstr "kan ikke gennemtvinge brugen af Let's Encrypt-certifikater~%"
#: guix/scripts/pull.scm:219
#, scheme-format
msgid "please upgrade Guile-Git~%"
msgstr "opgrader venligst til Guile-Git~%"
msgstr "opgrader venligst Guile-Git~%"
#: guix/scripts/pull.scm:227
#, scheme-format
@ -1656,8 +1660,8 @@ msgid ""
"label, you need to add @code{(title 'label)} to your @code{file-system}\n"
"definition."
msgstr ""
"Hvis »~a« er et filsystem\n"
"etiket, du skal tilføje @code{(title 'label)} til din @code{file-system}-\n"
"Hvis »~a« er en filsystemetiket,\n"
"skal du tilføje @code{(title 'label)} til din @code{file-system}-\n"
"definition."
#: guix/scripts/system.scm:637
@ -1678,7 +1682,7 @@ msgstr "~a blev ikke fundet: »guix pull« blev aldrig kørt~%"
#: guix/scripts/system.scm:742
#, scheme-format
msgid "Consider running 'guix pull' before 'reconfigure'.~%"
msgstr "Overvej at køre »guix pull« før »reconfigure«.~%"
msgstr "Tag i betragtning at køre »guix pull« før »reconfigure«.~%"
#: guix/scripts/system.scm:743
#, scheme-format
@ -1706,7 +1710,7 @@ msgstr "De gyldige værdier for HANDLING er:\n"
#: guix/scripts/system.scm:911
msgid " search search for existing service types\n"
msgstr " søg søg efter eksisterende tjenestetyper\n"
msgstr " search søg efter eksisterende tjenestetyper\n"
#: guix/scripts/system.scm:913
msgid " reconfigure switch to a new operating system configuration\n"
@ -1775,8 +1779,9 @@ msgid ""
" instead of reading FILE, when applicable"
msgstr ""
"\n"
" -e, --expression=UDTRYK overvej hvad operativsystemets UDTRYK evaluerer\n"
" til i stedet for at læse FIL, når anvendelig"
" -e, --expression=UDTRYK tag i betragtning hvad operativsystemets UDTRYK\n"
" evaluerer til i stedet for at læse FIL, når\n"
" anvendelig"
#: guix/scripts/system.scm:946
msgid ""
@ -1799,7 +1804,7 @@ msgstr ""
"\n"
" --file-system-type=TYPE\n"
" for »disk-image«, lav et rodfilsystem med TYPE (typen)\n"
" (en af »ext4«, »iso9660«)"
" (enten »ext4« eller »iso9660«)"
#: guix/scripts/system.scm:953
msgid ""
@ -1865,7 +1870,7 @@ msgstr ""
#: guix/scripts/system.scm:1066
#, scheme-format
msgid "both file and expression cannot be specified~%"
msgstr "både fil og udtryk kan ikke angives~%"
msgstr "fil og udtryk kan ikke angives samtidigt~%"
#: guix/scripts/system.scm:1073
#, scheme-format
@ -2354,7 +2359,7 @@ msgstr "brugeren »~a« blev ikke fundet: ~a~%"
#: guix/scripts/publish.scm:910
#, scheme-format
msgid "server running as root; consider using the '--user' option!~%"
msgstr "server kører som root; overvej at bruge tilvalget »--user«!~%"
msgstr "server kører som root; tag i betragtning at bruge tilvalget »--user«!~%"
#: guix/scripts/publish.scm:915
#, scheme-format
@ -2427,7 +2432,7 @@ msgid ""
" -s, --system=SYSTEM consider packages for SYSTEM--e.g., \"i686-linux\""
msgstr ""
"\n"
" -s, --system=SYSTEM overvej pakker for SYSTEM--f.eks., »i686-linux«"
" -s, --system=SYSTEM tag i betragtning pakker for SYSTEM--f.eks., »i686-linux«"
#. TRANSLATORS: "closure" and "self" must not be translated.
#: guix/scripts/size.scm:238
@ -2575,7 +2580,7 @@ msgid ""
" -e, --expression=EXPR consider the package EXPR evaluates to"
msgstr ""
"\n"
" -e, --expression=UDTRYK overvej pakken UDTRYK evaluerer til"
" -e, --expression=UDTRYK tag i betragtning pakken UDTRYK evaluerer til"
#: guix/scripts/challenge.scm:191
#, scheme-format
@ -2771,7 +2776,7 @@ msgstr "~a: ukendt pakkeformat"
#: guix/scripts/weather.scm:72
msgid "computing ~h package derivations for ~a...~%"
msgstr "beregner ~h pakkeafledninger for ~a...~%"
msgstr "beregner ~h pakkederivater for ~a...~%"
#: guix/scripts/weather.scm:161
msgid "looking for ~h store items on ~a...~%"
@ -2779,12 +2784,12 @@ msgstr "kigger efter ~h lagerelementer på ~a...~%"
#: guix/scripts/weather.scm:173
msgid " ~2,1f% substitutes available (~h out of ~h)~%"
msgstr " ~2,1f% erstatninger tilgængelige (~h ud af ~h)~%"
msgstr " ~2,1f% substitutter tilgængelige (~h ud af ~h)~%"
#: guix/scripts/weather.scm:179
#, scheme-format
msgid " unknown substitute sizes~%"
msgstr " ukendte erstatningsstørrelser~%"
msgstr " ukendte substitutstørrelser~%"
#: guix/scripts/weather.scm:182
msgid " ~,1h MiB of nars (compressed)~%"
@ -2849,7 +2854,7 @@ msgid ""
"Report the availability of substitutes.\n"
msgstr ""
"Brug: guix weather [TILVALG]\n"
"Rapporter tilgængelighed over erstatninger.\n"
"Rapporter tilgængelighed over substitutter.\n"
#: guix/scripts/weather.scm:249
msgid ""
@ -2859,7 +2864,7 @@ msgid ""
msgstr ""
"\n"
" --substitute-urls=ADRESSER\n"
" kontroller for tilgængelige erstatninger på URLS\n"
" kontroller for tilgængelige substitutter på URLS\n"
" (ADRESSER)"
#: guix/scripts/weather.scm:252
@ -2870,7 +2875,7 @@ msgid ""
msgstr ""
"\n"
" -m, --manifest=MANIFEST\n"
" slå erstatninger op for pakker angivet i MANIFEST"
" slå substitutter op for pakker angivet i MANIFEST"
#: guix/scripts/weather.scm:255
msgid ""
@ -2878,7 +2883,8 @@ msgid ""
" -s, --system=SYSTEM consider substitutes for SYSTEM--e.g., \"i686-linux\""
msgstr ""
"\n"
" -s, --system=SYSTEM overvej erstatninger for SYSTEM--f.eks., »i686-linux«"
" -s, --system=SYSTEM tag i betragtning substitutter for SYSTEM--f.eks.,\n"
"»i686-linux«"
#: guix/scripts/weather.scm:279
#, scheme-format
@ -2891,7 +2897,7 @@ msgstr "Opdater for GNU-pakker"
#: guix/gnu-maintenance.scm:579
msgid "Updater for GNU packages only available via FTP"
msgstr "Opdater kun for GNU-pakker tilgængelige via FTP"
msgstr "Opdateringsprogram for GNU-pakker er kun tilgængelig via FTP"
#: guix/gnu-maintenance.scm:588
msgid "Updater for KDE packages"
@ -3247,7 +3253,7 @@ msgstr[1] "~:[De følgende derivater ville blive kompileret:~%~{ ~a~%~}~;~]"
#. translated to the corresponding abbreviation.
#: guix/ui.scm:819
msgid "~:[~,1h MB would be downloaded:~%~{ ~a~%~}~;~]"
msgstr "~:[D,1h MB ville blive hentet:~%~{ ~a~%~}~;~]"
msgstr "~:[~,1h MB ville blive hentet:~%~{ ~a~%~}~;~]"
#: guix/ui.scm:824
#, scheme-format

File diff suppressed because it is too large Load Diff