1
0
forked from tribes/guix

Compare commits

...

11 Commits

Author SHA1 Message Date
Andreas Enge 689c0c1ce5 gnu: python-geventhttpclient: Update to 2.3.9.
* gnu/packages/python-web.scm (python-geventhttpclient): Update to 2.3.9.

Change-Id: I83ff865b8ae052d24f9920b3d5c029e7c91373cc
2026-04-16 11:37:55 +02:00
Andreas Enge 02473f2995 gnu: openssl: Switch to openssl-3.5 as the default.
* gnu/packages/tls.scm (openssl): Define as openssl-3.5.
(perl-net-ssleay)[inputs]: Replace openssl by openssl-3.0.

Change-Id: Ia13ea615a5265fc7012e881e516b98066cad8e3f
2026-04-16 11:37:55 +02:00
Cayetano Santos 99e64e1c39 gnu: libsodium: Update to 1.0.21.
* gnu/packages/crypto.scm (libsodium): Update to 1.0.21.
[source]: Switch to git-fetch.

Change-Id: Iaaefe80eec5e82fa3c7a81712389894d37faa5c2
Signed-off-by: Andreas Enge <andreas@enge.fr>
2026-04-16 11:37:55 +02:00
Ashish SHUKLA 4c41f5d235 gnu: openssh: Update to 10.3p1 [security-fixes].
Release notes since 10.2p1 (2025-10-10):
- 10.3p1 (2026-04-02)
  <https://www.openssh.org/txt/release-10.3>.

Contains fixes for:
CVE-2026-35385: A file downloaded by scp may be installed setuid or setgid, an
                outcome contrary to some users' expectations, if the download is
                performed as root with -O (legacy scp protocol) and without -p
                (preserve mode).
CVE-2026-35386: Command execution can occur via shell metacharacters in a
                username within a command line. This requires a scenario where
                the username on the command line is untrusted, and also requires
                a non-default configurations of % in ssh_config.
CVE-2026-35387: OpenSSH can use unintended ECDSA algorithms. Listing of any
                ECDSA algorithm in PubkeyAcceptedAlgorithms or
                HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA
                algorithms.
CVE-2026-35388: OpenSSH before omits connection multiplexing confirmation for
                proxy-mode multiplexing sessions.
CVE-2026-35414: OpenSSH mishandles the authorized_keys principals option in
                uncommon scenarios involving a principals list in conjunction
                with a Certificate Authority that makes certain use of comma
                characters.

* gnu/packages/ssh.scm (openssh): Update to 10.3p1.

Merges: https://codeberg.org/guix/guix/pulls/7695
Change-Id: I9e90c3ef02f567d0f5b2485c4e0bcfaa1a1f31c8
Reviewed-by: Nguyễn Gia Phong <cnx@loang.net>
Reviewed-by: Jonas Meeuws <jonas.meeuws@gmail.com>
Reviewed-by: Cayetano Santos <csantosb@inventati.org>
Signed-off-by: Sharlatan Hellseher <sharlatanus@gmail.com>
2026-04-16 11:37:54 +02:00
Andy Tai d1b1111917 gnu: libtasn1: Update to 4.21.0.
* gnu/packages/tls.scm (libtasn1): Update to 4.21.0.

Change-Id: I8a33a95def0d22e9df5ec592abb9c6728dce2ccb
Signed-off-by: Andreas Enge <andreas@enge.fr>
2026-04-16 11:37:54 +02:00
Andreas Enge 599636b65f gnu: openssl-3.0: Change inheritance.
* gnu/packages/tls.scm (openssl-3.0)[inherit]: Use openssl-3.5
instead of openssl-1.1.
[source]: Add hurd patch.

Fixes: guix/guix#4062
Change-Id: Id03fdd9532855bd66fbd9da9eb64768f8b9fb780
2026-04-16 11:37:54 +02:00
Andreas Enge 1aefb0656f gnu: Add openssl-3.5.
* gnu/packages/tls.scm (openssl-3.5): New variable.

Change-Id: I0636a3455cec5636e926a51eddb96d3bdec7adeb
2026-04-16 11:37:54 +02:00
Andreas Enge 6ca437dbae gnu: openssl-1.1: Re-enable tls_ssl_new test.
* gnu/packages/tls.scm (openssl-1.1)[make-flags]: Do not disable
tls_ssl_new.

Change-Id: I95e6ef5906f7477f0ac6bfcd685a69229eb1a54d
2026-04-16 11:37:54 +02:00
Andreas Enge 1ef32d265f gnu: openssl-3.0: Update to 3.0.19.
* gnu/packages/tls.scm (openssl-3.0): Update to 3.0.19.

Change-Id: Iebfaeb06b6a9dd270a9fca69c67fa9c32eaa4962
2026-04-16 11:37:54 +02:00
Andreas Enge 53f2f75fb1 gnu: openssl-1.1: Update to 1.1.1w.
* gnu/packages/tls.scm (openssl-1.1): Update to 1.1.1w.

Change-Id: Ibb7efac450bf942088a5332fa4a4b0a041ba2283
2026-04-16 11:37:46 +02:00
John Kehayias f77bbf8016 gnu: steam-devices-udev-rules: Update to 1.0.0.61-2.7dde9ec.
* gnu/packages/games.scm (steam-devices-udev-rules): Update to 1.0.0.61-2.7dde9ec.

Change-Id: If5931e836978b27d09e128cb5b581292eebcde96
2026-04-15 23:47:42 -04:00
5 changed files with 161 additions and 66 deletions
+11 -12
View File
@@ -276,18 +276,17 @@ Ed448-Goldilocks and Curve448, using the Decaf encoding.")
(define-public libsodium
(package
(name "libsodium")
(version "1.0.18")
(source (origin
(method url-fetch)
(uri (list (string-append
"https://download.libsodium.org/libsodium/"
"releases/libsodium-" version ".tar.gz")
(string-append
"https://download.libsodium.org/libsodium/"
"releases/old/libsodium-" version ".tar.gz")))
(sha256
(base32
"1h9ncvj23qbbni958knzsli8dvybcswcjbx0qjjgi922nf848l3g"))))
(version "1.0.21")
(source
(origin
(method git-fetch)
(uri (git-reference
(url "https://github.com/jedisct1/libsodium")
(commit (string-append version "-RELEASE"))))
(file-name (git-file-name name version))
(sha256
(base32
"1l6pc3m8zl1sip9ib91bjsb2z2zr7xa7bhblwwmyn9x4nkwqj17n"))))
(build-system gnu-build-system)
(synopsis "Portable NaCl-based crypto library")
(description
+3 -3
View File
@@ -13508,8 +13508,8 @@ rules to solve permissions issues.")
(define-public steam-devices-udev-rules
;; Last release from 2019-04-10
(let ((commit "13443480a64fe8f10676606bd57da6de89f8ccb1")
(revision "1"))
(let ((commit "7dde9ecb3c386363ecd9bd0a3b77e4756d200704")
(revision "2"))
(package
(name "steam-devices-udev-rules")
(version (git-version "1.0.0.61" revision commit))
@@ -13521,7 +13521,7 @@ rules to solve permissions issues.")
(file-name (git-file-name name version))
(sha256
(base32
"0i086gmnk93q76sw1laa9br6b7zj2r6nrrw7d64y4q9wcrlxw2bi"))))
"0w0xkgi9fpvdbpl57f8fy2nwy2icm6iag39b8ifpkijlxgclx1p3"))))
(build-system copy-build-system)
(arguments
'(#:install-plan '(("./" "lib/udev/rules.d"
+2 -2
View File
@@ -7883,7 +7883,7 @@ basic TCP/IP protocols.")
(define-public python-geventhttpclient
(package
(name "python-geventhttpclient")
(version "2.3.3")
(version "2.3.9")
(source (origin
(method git-fetch)
(uri (git-reference
@@ -7893,7 +7893,7 @@ basic TCP/IP protocols.")
(file-name (git-file-name name version))
(sha256
(base32
"1ya0i0fbx054mfx5d1k75fcf64xzp7vva8lkwwzan41xbnc56nyj"))))
"1diq6n9sr92rsqbpxlbhbn1d22hrlzp6swykz9bfzh7sxpywa6j8"))))
(build-system pyproject-build-system)
(arguments
(list
+3 -3
View File
@@ -19,7 +19,7 @@
;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re>
;;; Copyright © 2023 Simon Streit <simon@netpanic.org>
;;; Copyright © 2024 Zheng Junjie <873216071@qq.com>
;;; Copyright © 2024, 2025 Ashish SHUKLA <ashish.is@lostca.se>
;;; Copyright © 2024-2026 Ashish SHUKLA <ashish.is@lostca.se>
;;; Copyright © 2024, 2025 Sharlatan Hellseher <sharlatanus@gmail.com>
;;; Copyright © 2025 Ghislain Vaillant <ghislain.vaillant@inria.fr>
;;; Copyright © 2025 Cayetano Santos <csantosb@inventati.org>
@@ -237,7 +237,7 @@ a server that supports the SSH-2 protocol.")
(define-public openssh
(package
(name "openssh")
(version "10.2p1")
(version "10.3p1")
(source
(origin
(method url-fetch)
@@ -245,7 +245,7 @@ a server that supports the SSH-2 protocol.")
"openssh-" version ".tar.gz"))
(patches (search-patches "openssh-trust-guix-store-directory.patch"))
(sha256
(base32 "1clqyxh6mrbwjg964df0hjwmd361mxnx3nx17wk5jyck3422ri6c"))))
(base32 "1x25iv8yfcfpf3b1ap72indbfna0wz48xz8ny2sg9p4jpcv2ls2n"))))
(build-system gnu-build-system)
(arguments
(list
+142 -46
View File
@@ -2,7 +2,7 @@
;;; Copyright © 2012-2017, 2019-2025 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2021 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014 Ian Denhardt <ian@zenhack.net>
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2013, 2015, 2026 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2015 David Thompson <davet@gnu.org>
;;; Copyright © 2015, 2016, 2017, 2018, 2019, 2020, 2021 Leo Famulari <leo@famulari.name>
;;; Copyright © 2016, 2017, 2019, 2021-2024 Efraim Flashner <efraim@flashner.co.il>
@@ -98,7 +98,7 @@
(define-public libtasn1
(package
(name "libtasn1")
(version "4.20.0")
(version "4.21.0")
(source
(origin
(method url-fetch)
@@ -106,7 +106,7 @@
version ".tar.gz"))
(sha256
(base32
"0v57hwsv4wijb0fvfp6s9jx35izhhgfjssq3fvpaxm029jyy7q4j"))))
"11ywcy8n115c8b3vmf7hmgkdhlfy4phlcwvp8114di9w495492hx"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags '("--disable-static")))
@@ -430,7 +430,7 @@ OpenSSL for TARGET."
(define-public openssl-1.1
(package
(name "openssl")
(version "1.1.1u")
(version "1.1.1w")
(source (origin
(method url-fetch)
(uri (list (string-append "https://www.openssl.org/source/openssl-"
@@ -443,7 +443,7 @@ OpenSSL for TARGET."
(patches (search-patches "openssl-1.1-c-rehash-in.patch"))
(sha256
(base32
"1ipbcdlqyxbj5lagasrq2p6gn0036wq6hqp7gdnd1v1ya95xiy72"))))
"1j3anw4554lk3m9cvjngvh1c2gbdkhgiz160jnnm7n5l1jarhc6g"))))
(build-system gnu-build-system)
(outputs '("out"
"doc" ;6.8 MiB of man3 pages and full HTML documentation
@@ -452,14 +452,11 @@ OpenSSL for TARGET."
(arguments
(list
#:make-flags
;; 'test_ssl_new.t' in 1.1.1n and 3.0.3 fails due to an expired
;; certificate: <https://github.com/openssl/openssl/issues/18441>. Skip
;; it.
#~(list #$@(if (or (target-arm?) (target-riscv64?))
;; 'test_afalg' seems to be dependent on kernel features:
;; <https://github.com/openssl/openssl/issues/12242>.
#~("TESTS=-test_afalg -tls_ssl_new")
#~("TESTS=-test_ssl_new")))
(if (or (target-arm?) (target-riscv64?))
;; 'test_afalg' seems to be dependent on kernel features:
;; <https://github.com/openssl/openssl/issues/12242>.
#~(list "TESTS=-test_afalg")
#~(list))
#:test-target "test"
;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
;; so we explicitly disallow it here.
@@ -550,10 +547,11 @@ OpenSSL for TARGET."
(license license:openssl)
(home-page "https://www.openssl.org/")))
(define-public openssl-3.0
(define-public openssl-3.5
;; LTS series with EOL 2030-04-08
(package
(inherit openssl-1.1)
(version "3.0.8")
(name "openssl")
(version "3.5.5")
(source (origin
(method url-fetch)
(uri (list (string-append "https://www.openssl.org/source/openssl-"
@@ -566,38 +564,136 @@ OpenSSL for TARGET."
(patches (search-patches "openssl-3.0-c-rehash-in.patch"))
(sha256
(base32
"0gjb7qjl2jnzs1liz3rrccrddxbk6q3lg8z27jn1xwzx72zx44vc"))))
"129aphl9yy5xd67cwacf000llkhpi1s8phmlhgws2rcb599r335j"))))
(build-system gnu-build-system)
(outputs '("out"
"doc"
"static"))
(arguments
(substitute-keyword-arguments (package-arguments openssl-1.1)
((#:phases phases '%standard-phases)
#~(modify-phases #$phases
(add-before 'configure 'configure-perl
(lambda* (#:key native-inputs inputs #:allow-other-keys)
(setenv "HASHBANGPERL"
(search-input-file (or native-inputs inputs)
"/bin/perl"))))
#$@(if (target-hurd?)
#~((delete 'patch-configure))
#~())
#$@(if (target-hurd64?)
#~((add-after 'unpack 'apply-hurd-patch
(lambda _
(let ((patch-file
#$(local-file
(search-patch "openssl-hurd64.patch"))))
(invoke "patch" "--force" "-p1" "-i"
patch-file)))))
#~())))
((#:configure-flags flags #~'())
(if (system-hurd?) ;must not be used when
#~(append #$flags ;cross-compiling!
#$(if (target-hurd64?)
#~'("hurd-x86_64")
#~'("hurd-x86")))
flags))))
(list
#:parallel-tests? #f
#:make-flags
(if (or (target-arm?) (target-riscv64?))
;; 'test_afalg' seems to be dependent on kernel features:
;; <https://github.com/openssl/openssl/issues/12242>.
#~(list "TESTS=-test_afalg")
#~(list))
#:test-target "test"
#:configure-flags
(if (system-hurd?)
(if (target-hurd64?)
#~(list "hurd-x86_64")
#~(list "hurd-x86"))
#~(list))
;; Changes to OpenSSL sometimes cause Perl to "sneak in" to the closure,
;; so we explicitly disallow it here.
#:disallowed-references (list (this-package-native-input "perl"))
#:phases
#~(modify-phases %standard-phases
(replace 'configure
(lambda* (#:key configure-flags native-inputs inputs target #:allow-other-keys)
;; It's not a shebang so patch-source-shebangs misses it.
(substitute* "config"
(("/usr/bin/env")
(which "env")))
#$@(if (%current-target-system)
#~((setenv "CROSS_COMPILE" (string-append target "-"))
(setenv "CONFIGURE_TARGET_ARCH"
#$(target->openssl-target
this-package
(%current-target-system))))
#~())
;; Configure PERL.
(setenv "HASHBANGPERL"
(search-input-file (or native-inputs inputs)
"/bin/perl"))
(apply
invoke #$@(if (%current-target-system)
#~("./Configure")
#~("./config"))
"shared" ;build shared libraries
"--libdir=lib"
;; The default for this catch-all directory is
;; PREFIX/ssl. Change that to something more
;; conventional.
(string-append "--openssldir=" #$output
"/share/openssl-"
#$(package-version this-package))
(string-append "--prefix=" #$output)
(string-append "-Wl,-rpath," (string-append #$output "/lib"))
#$@(if (%current-target-system)
#~((getenv "CONFIGURE_TARGET_ARCH"))
#~())
configure-flags)
;; Output the configure variables.
(invoke "perl" "configdata.pm" "--dump")))
(add-after 'install 'move-static-libraries
(lambda _
;; Move static libraries to the "static" output.
(let* ((lib (string-append #$output "/lib"))
(slib (string-append #$output:static "/lib")))
(for-each (lambda (file)
(install-file file slib)
(delete-file file))
(find-files
lib
#$(if (target-mingw?)
'(lambda (filename _)
(and (string-suffix? ".a" filename)
(not (string-suffix? ".dll.a"
filename))))
"\\.a$"))))))
(add-after 'install 'move-extra-documentation
(lambda _
;; Move man pages and full HTML documentation to "doc".
(let* ((man (string-append #$output "/share/man"))
(html (string-append #$output "/share/doc/openssl"))
(man-target (string-append #$output:doc "/share/man"))
(html-target (string-append
#$output:doc "/share/doc/openssl")))
(mkdir-p (dirname man-target))
(mkdir-p (dirname html-target))
(rename-file man man-target)
(rename-file html html-target))))
(add-after 'install 'remove-miscellany
(lambda _
;; The 'misc' directory contains random undocumented shell and
;; Perl scripts. Remove them to avoid retaining a reference on
;; Perl.
(delete-file-recursively
(string-append #$output "/share/openssl-"
#$(package-version this-package) "/misc")))))))
(native-inputs (list perl))
(native-search-paths
(list $SSL_CERT_DIR $SSL_CERT_FILE))
(home-page "https://www.openssl.org/")
(synopsis "SSL/TLS implementation")
(description "OpenSSL is an implementation of SSL/TLS.")
(license license:asl2.0)))
(define-public openssl openssl-3.0)
(define-public openssl-3.0
;; LTS series with EOL 2026-09-07
(package
(inherit openssl-3.5)
(version "3.0.19")
(source (origin
(method url-fetch)
(uri (list (string-append "https://www.openssl.org/source/openssl-"
version ".tar.gz")
(string-append "ftp://ftp.openssl.org/source/"
"openssl-" version ".tar.gz")
(string-append "ftp://ftp.openssl.org/source/old/"
(string-trim-right version char-set:letter)
"/openssl-" version ".tar.gz")))
(patches (search-patches "openssl-3.0-c-rehash-in.patch"
"openssl-hurd64.patch"))
(sha256
(base32
"0wihnr5bjdc3v0r4viwb1d1lf1rfkbrcmwzj7vjqpqdap11l2nps"))))))
(define-public openssl openssl-3.5)
(define-public bearssl
(package
@@ -821,7 +917,7 @@ certificates for free.")
"0pfrpi77964cg15dm6y0w03l64xs0k2nqc15qh2xmv8vdnjyhywx"))
(patches (search-patches "perl-net-ssleay-colon-parsing.patch"))))
(build-system perl-build-system)
(inputs (list openssl))
(inputs (list openssl-3.0))
(arguments
`(#:phases
(modify-phases %standard-phases