gnu: icecat: Update to 102.10.0-guix0-preview1 [security fixes].
Includes fixes for CVE-2023-1945, CVE-2023-29531, CVE-2023-29532, CVE-2023-29533, CVE-2023-29535, CVE-2023-29536, CVE-2023-29539, CVE-2023-29541, CVE-2023-29542, CVE-2023-29545, CVE-2023-29548, CVE-2023-29550, and MFSA-TMP-2023-0001. * gnu/packages/gnuzilla.scm (%icecat-base-version, %icecat-build-id): Update. (icecat-source): Update gnuzilla commit, base version, and hashes. Remove the vestigial RENAME_CMD environment variable setting. (icecat-102.9.0-source): New variable. (icedove-source): Use it.master
Mark H Weaver
parent
c5b659a251
commit
3ab983d630
|
|
@ -497,9 +497,9 @@ variable defined below. It requires guile-json to be installed."
|
|||
;; XXXX: Workaround 'snippet' limitations.
|
||||
(define computed-origin-method (@@ (guix packages) computed-origin-method))
|
||||
|
||||
(define %icecat-base-version "102.9.0")
|
||||
(define %icecat-base-version "102.10.0")
|
||||
(define %icecat-version (string-append %icecat-base-version "-guix0-preview1"))
|
||||
(define %icecat-build-id "20230314000000") ;must be of the form YYYYMMDDhhmmss
|
||||
(define %icecat-build-id "20230411000000") ;must be of the form YYYYMMDDhhmmss
|
||||
|
||||
;; 'icecat-source' is a "computed" origin that generates an IceCat tarball
|
||||
;; from the corresponding upstream Firefox ESR tarball, using the 'makeicecat'
|
||||
|
|
@ -519,12 +519,12 @@ variable defined below. It requires guile-json to be installed."
|
|||
"firefox-" upstream-firefox-version ".source.tar.xz"))
|
||||
(sha256
|
||||
(base32
|
||||
"1l8xlbba8sa9dg132k96ch8mz97i5lyhpvkxi8d85jh97xi79c1i"))))
|
||||
"1y7v19xxl6jchywd0zxy5vr4pj23pi6di4lhlivxpki2pkgm8scc"))))
|
||||
|
||||
;; The upstream-icecat-base-version may be older than the
|
||||
;; %icecat-base-version.
|
||||
(upstream-icecat-base-version "102.9.0")
|
||||
(gnuzilla-commit "f55ede39713d1533734f37e39927cbb78abe1604")
|
||||
(upstream-icecat-base-version "102.10.0")
|
||||
(gnuzilla-commit "15c6c2229a053cdcc064eda89cee07f18efac35d")
|
||||
(gnuzilla-source
|
||||
(origin
|
||||
(method git-fetch)
|
||||
|
|
@ -536,7 +536,7 @@ variable defined below. It requires guile-json to be installed."
|
|||
(string-take gnuzilla-commit 8)))
|
||||
(sha256
|
||||
(base32
|
||||
"0z15h3lxfn9pmj5bj62qim3h320dcd2v69xrg1phb7lh5gq0bylf"))))
|
||||
"0v3wak2fd9bmq1j8k8k5xw0i4xbqy7fbasycr4swaqmsaf22sdv4"))))
|
||||
|
||||
;; 'search-patch' returns either a valid file name or #f, so wrap it
|
||||
;; in 'assume-valid-file-name' to avoid 'local-file' warnings.
|
||||
|
|
@ -582,9 +582,6 @@ variable defined below. It requires guile-json to be installed."
|
|||
(package-transitive-propagated-inputs
|
||||
python-jsonschema))))
|
||||
|
||||
;; Needed by the 'makeicecat' script.
|
||||
(setenv "RENAME_CMD" "rename")
|
||||
|
||||
;; We copy the gnuzilla source directory because it is
|
||||
;; read-only in 'gnuzilla-source', and the makeicecat script
|
||||
;; uses "cp -a" to copy parts of it and assumes that the
|
||||
|
|
@ -1117,6 +1114,176 @@ standards of the IceCat project.")
|
|||
"ru" "sco" "si" "sk" "sl" "son" "sq" "sr" "sv-SE" "szl" "ta" "te" "th" "tl"
|
||||
"tr" "trs" "uk" "ur" "uz" "vi" "xh" "zh-CN" "zh-TW"))
|
||||
|
||||
(define icecat-102.9.0-source
|
||||
(let* ((base-version "102.9.0")
|
||||
(version "102.9.0-guix0-preview1")
|
||||
(major-version (first (string-split base-version #\.)))
|
||||
(minor-version (second (string-split base-version #\.)))
|
||||
(sub-version (third (string-split base-version #\.)))
|
||||
|
||||
(upstream-firefox-version (string-append base-version "esr"))
|
||||
(upstream-firefox-source
|
||||
(origin
|
||||
(method url-fetch)
|
||||
(uri (string-append
|
||||
"https://ftp.mozilla.org/pub/firefox/releases/"
|
||||
upstream-firefox-version "/source/"
|
||||
"firefox-" upstream-firefox-version ".source.tar.xz"))
|
||||
(sha256
|
||||
(base32
|
||||
"1l8xlbba8sa9dg132k96ch8mz97i5lyhpvkxi8d85jh97xi79c1i"))))
|
||||
|
||||
;; The upstream-icecat-base-version may be older than the
|
||||
;; base-version.
|
||||
(upstream-icecat-base-version base-version)
|
||||
(gnuzilla-commit "f55ede39713d1533734f37e39927cbb78abe1604")
|
||||
(gnuzilla-source
|
||||
(origin
|
||||
(method git-fetch)
|
||||
(uri (git-reference
|
||||
(url "git://git.savannah.gnu.org/gnuzilla.git")
|
||||
(commit gnuzilla-commit)))
|
||||
(file-name (git-file-name "gnuzilla"
|
||||
;;upstream-icecat-base-version
|
||||
(string-take gnuzilla-commit 8)))
|
||||
(sha256
|
||||
(base32
|
||||
"0z15h3lxfn9pmj5bj62qim3h320dcd2v69xrg1phb7lh5gq0bylf"))))
|
||||
|
||||
;; 'search-patch' returns either a valid file name or #f, so wrap it
|
||||
;; in 'assume-valid-file-name' to avoid 'local-file' warnings.
|
||||
(makeicecat-patch
|
||||
(local-file (assume-valid-file-name
|
||||
(search-patch "icecat-makeicecat.patch")))))
|
||||
|
||||
(origin
|
||||
(method computed-origin-method)
|
||||
(file-name (string-append "icecat-" version ".tar.xz"))
|
||||
(sha256 #f)
|
||||
(uri
|
||||
(delay
|
||||
(with-imported-modules '((guix build utils))
|
||||
#~(begin
|
||||
(use-modules (guix build utils))
|
||||
(let ((firefox-dir
|
||||
(string-append "firefox-" #$base-version))
|
||||
(icecat-dir
|
||||
(string-append "icecat-" #$version)))
|
||||
|
||||
(set-path-environment-variable
|
||||
"PATH" '("bin")
|
||||
(list #+python
|
||||
#+(canonical-package bash)
|
||||
#+(canonical-package coreutils)
|
||||
#+(canonical-package findutils)
|
||||
#+(canonical-package patch)
|
||||
#+(canonical-package xz)
|
||||
#+(canonical-package sed)
|
||||
#+(canonical-package grep)
|
||||
#+(canonical-package bzip2)
|
||||
#+(canonical-package gzip)
|
||||
#+(canonical-package tar)))
|
||||
|
||||
(set-path-environment-variable
|
||||
"PYTHONPATH"
|
||||
(list #+(format #f "lib/python~a/site-packages"
|
||||
(version-major+minor
|
||||
(package-version python))))
|
||||
'#+(cons python-jsonschema
|
||||
(map second
|
||||
(package-transitive-propagated-inputs
|
||||
python-jsonschema))))
|
||||
|
||||
;; Needed by the 'makeicecat' script.
|
||||
(setenv "RENAME_CMD" "rename")
|
||||
|
||||
;; We copy the gnuzilla source directory because it is
|
||||
;; read-only in 'gnuzilla-source', and the makeicecat script
|
||||
;; uses "cp -a" to copy parts of it and assumes that the
|
||||
;; copies will be writable.
|
||||
(copy-recursively #+gnuzilla-source "/tmp/gnuzilla"
|
||||
#:log (%make-void-port "w"))
|
||||
|
||||
(with-directory-excursion "/tmp/gnuzilla"
|
||||
(make-file-writable "makeicecat")
|
||||
(invoke "patch" "--force" "--no-backup-if-mismatch"
|
||||
"-p1" "--input" #+makeicecat-patch)
|
||||
(patch-shebang "makeicecat")
|
||||
(substitute* "makeicecat"
|
||||
(("^readonly FFMAJOR=(.*)" all ffmajor)
|
||||
(unless (string=? #$major-version
|
||||
(string-trim-both ffmajor))
|
||||
;; The makeicecat script cannot be expected to work
|
||||
;; properly on a different version of Firefox, even if
|
||||
;; no errors occur during execution.
|
||||
(error "makeicecat major version mismatch"))
|
||||
(string-append "readonly FFMAJOR=" #$major-version "\n"))
|
||||
(("^readonly FFMINOR=.*")
|
||||
(string-append "readonly FFMINOR=" #$minor-version "\n"))
|
||||
(("^readonly FFSUB=.*")
|
||||
(string-append "readonly FFSUB=" #$sub-version "\n"))
|
||||
(("^readonly DATADIR=.*")
|
||||
"readonly DATADIR=/tmp/gnuzilla/data\n")
|
||||
(("^readonly SOURCEDIR=.*")
|
||||
(string-append "readonly SOURCEDIR=" icecat-dir "\n"))
|
||||
(("/bin/sed")
|
||||
#+(file-append (canonical-package sed) "/bin/sed"))))
|
||||
|
||||
(format #t "Unpacking upstream firefox tarball...~%")
|
||||
(force-output)
|
||||
(invoke "tar" "xf" #+upstream-firefox-source)
|
||||
(rename-file firefox-dir icecat-dir)
|
||||
|
||||
(with-directory-excursion icecat-dir
|
||||
(format #t "Populating l10n directory...~%")
|
||||
(force-output)
|
||||
(mkdir "l10n")
|
||||
(with-directory-excursion "l10n"
|
||||
(for-each
|
||||
(lambda (locale-dir)
|
||||
(let ((locale
|
||||
(string-drop (basename locale-dir)
|
||||
(+ 32 ; length of hash
|
||||
(string-length "-mozilla-locale-")))))
|
||||
(format #t " ~a~%" locale)
|
||||
(force-output)
|
||||
(copy-recursively locale-dir locale
|
||||
#:log (%make-void-port "w"))
|
||||
(for-each make-file-writable (find-files locale))
|
||||
(with-directory-excursion locale
|
||||
(when (file-exists? ".hgtags")
|
||||
(delete-file ".hgtags"))
|
||||
(mkdir-p "browser/chrome/browser/preferences")
|
||||
(call-with-output-file
|
||||
"browser/chrome/browser/preferences/advanced-scripts.dtd"
|
||||
(lambda (port) #f)))))
|
||||
'#+all-mozilla-locales)
|
||||
(copy-recursively #+mozilla-compare-locales
|
||||
"compare-locales"
|
||||
#:log (%make-void-port "w"))
|
||||
(delete-file "compare-locales/.gitignore")
|
||||
(delete-file "compare-locales/.hgignore")
|
||||
(delete-file "compare-locales/.hgtags")))
|
||||
|
||||
(format #t "Running makeicecat script...~%")
|
||||
(force-output)
|
||||
(invoke "bash" "/tmp/gnuzilla/makeicecat")
|
||||
|
||||
(format #t "Packing IceCat source tarball...~%")
|
||||
(force-output)
|
||||
(setenv "XZ_DEFAULTS" (string-join (%xz-parallel-args)))
|
||||
(invoke "tar" "cfa" #$output
|
||||
;; Avoid non-determinism in the archive. We set the
|
||||
;; mtime of files in the archive to early 1980 because
|
||||
;; the build process fails if the mtime of source
|
||||
;; files is pre-1980, due to the creation of zip
|
||||
;; archives.
|
||||
"--mtime=@315619200" ; 1980-01-02 UTC
|
||||
"--owner=root:0"
|
||||
"--group=root:0"
|
||||
"--sort=name"
|
||||
icecat-dir)))))))))
|
||||
|
||||
(define %icedove-build-id "20230328000000") ;must be of the form YYYYMMDDhhmmss
|
||||
(define %icedove-version "102.9.1")
|
||||
|
||||
|
|
@ -1192,7 +1359,7 @@ list of languages supported as well as the currently used changeset."
|
|||
;; Extract the base Icecat tarball, renaming its top-level
|
||||
;; directory.
|
||||
(invoke "tar" "--transform" (string-append "s,[^/]*," #$name ",")
|
||||
"-xf" #$icecat-source)
|
||||
"-xf" #$icecat-102.9.0-source)
|
||||
(chdir #$name)
|
||||
|
||||
;; Merge the Thunderdbird localization data.
|
||||
|
|
|
|||
Reference in New Issue