aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2016-10-13 05:53:07 -0400
committerMark H Weaver <mhw@netris.org>2016-10-13 05:53:07 -0400
commit061d7f3bd2cc67c964acb2cb1bde07ee61df5d1a (patch)
tree5b22d1081972956d9190c94a7cc2b271d5f85d67
parentf2ec23d18e50eef3e4f574a3e6498d8964e4e1a3 (diff)
parent1cc213850a2009d55e137fee990f9743894c76c5 (diff)
downloadpatches-061d7f3bd2cc67c964acb2cb1bde07ee61df5d1a.tar
patches-061d7f3bd2cc67c964acb2cb1bde07ee61df5d1a.tar.gz
Merge branch 'master' into core-updates
-rw-r--r--Makefile.am5
-rw-r--r--build-aux/compile-all.scm6
-rw-r--r--doc/guix.texi148
-rw-r--r--gnu/local.mk7
-rw-r--r--gnu/packages/ghostscript.scm19
-rw-r--r--gnu/packages/imagemagick.scm102
-rw-r--r--gnu/packages/maths.scm59
-rw-r--r--gnu/packages/patches/ghostscript-CVE-2013-5653.patch85
-rw-r--r--gnu/packages/patches/ghostscript-CVE-2016-7976.patch185
-rw-r--r--gnu/packages/patches/ghostscript-CVE-2016-7978.patch25
-rw-r--r--gnu/packages/patches/ghostscript-CVE-2016-7979.patch48
-rw-r--r--gnu/packages/patches/ghostscript-CVE-2016-8602.patch47
-rw-r--r--gnu/packages/patches/hdf4-reproducibility.patch35
-rw-r--r--gnu/packages/patches/hdf4-shared-fortran.patch25
-rw-r--r--gnu/services/nfs.scm129
15 files changed, 873 insertions, 52 deletions
diff --git a/Makefile.am b/Makefile.am
index 7f2281cfa4..908eaf6ec0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -495,7 +495,10 @@ gen-AUTHORS:
# Make sure we're not shipping a file that embeds a local /gnu/store file name.
assert-no-store-file-names:
$(AM_V_at)if grep -r --exclude=*.texi --exclude=*.info \
- "$(storedir)/[a-z0-9]{32}-" $(distdir) ; \
+ --exclude=*.info-[0-9] --exclude=*.dot \
+ --exclude=*.eps --exclude-dir=bootstrap \
+ --exclude=guix-prettify.el \
+ -E "$(storedir)/[a-z0-9]{32}-" $(distdir) ; \
then \
echo "error: store file names embedded in the distribution" >&2 ; \
exit 1 ; \
diff --git a/build-aux/compile-all.scm b/build-aux/compile-all.scm
index 46b381723b..6ce4040887 100644
--- a/build-aux/compile-all.scm
+++ b/build-aux/compile-all.scm
@@ -76,6 +76,12 @@
#:output-file go
#:opts `(#:warnings ,warnings)))))))
+;; Install a SIGINT handler to give unwind handlers in 'compile-file' an
+;; opportunity to run upon SIGINT and to remove temporary output files.
+(sigaction SIGINT
+ (lambda args
+ (exit 1)))
+
(match (command-line)
((_ . files)
(let ((files (filter file-needs-compilation? files)))
diff --git a/doc/guix.texi b/doc/guix.texi
index 5096f184ad..c6bc70fe6b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -221,6 +221,7 @@ Services
* Database Services:: SQL databases.
* Mail Services:: IMAP, POP3, SMTP, and all that.
* Web Services:: Web servers.
+* Network File System:: NFS related services.
* Miscellaneous Services:: Other services.
Defining Services
@@ -7648,6 +7649,7 @@ declaration.
* Database Services:: SQL databases.
* Mail Services:: IMAP, POP3, SMTP, and all that.
* Web Services:: Web servers.
+* Network File System:: NFS related services.
* Miscellaneous Services:: Other services.
@end menu
@@ -11198,14 +11200,21 @@ directories are created when the service is activated.
@end deffn
-@node Miscellaneous Services
-@subsubsection Miscellaneous Services
+@node Network File System
+@subsubsection Network File System
+@cindex NFS
+The @code{(gnu services nfs)} module provides the following services,
+which are most commonly used in relation to mounting or exporting
+directory trees as @dfn{network file systems} (NFS).
@subsubheading RPC Bind Service
@cindex rpcbind
-The @code{(gnu services nfs)} module provides the following:
+The RPC Bind service provides a facility to map program numbers into
+universal addresses.
+Many NFS related services use this facility. Hence it is automatically
+started when a dependent service starts.
@defvr {Scheme Variable} rpcbind-service-type
A service type for the RPC portmapper daemon.
@@ -11226,6 +11235,91 @@ instance.
@end table
@end deftp
+
+@subsubheading Pipefs Pseudo File System
+@cindex pipefs
+@cindex rpc_pipefs
+
+The pipefs file system is used to transfer NFS related data
+between the kernel and user space programs.
+
+@defvr {Scheme Variable} pipefs-service-type
+A service type for the pipefs pseudo file system.
+@end defvr
+
+@deftp {Data Type} pipefs-configuration
+Data type representing the configuration of the pipefs pseudo file system service.
+This type has the following parameters:
+@table @asis
+@item @code{mount-point} (default: @code{"/var/lib/nfs/rpc_pipefs"})
+The directory to which the file system is to be attached.
+@end table
+@end deftp
+
+
+@subsubheading GSS Daemon Service
+@cindex GSSD
+@cindex GSS
+@cindex global security system
+
+The @dfn{global security system} (GSS) daemon provides strong security for RPC
+based protocols.
+Before exchanging RPC requests an RPC client must establish a security
+context. Typically this is done using the Kerberos command @command{kinit}
+or automatically at login time using PAM services.
+
+@defvr {Scheme Variable} gss-service-type
+A service type for the Global Security System (GSS) daemon.
+@end defvr
+
+@deftp {Data Type} gss-configuration
+Data type representing the configuration of the GSS daemon service.
+This type has the following parameters:
+@table @asis
+@item @code{nfs-utils} (default: @code{nfs-utils})
+The package in which the @command{rpc.gssd} command is to be found.
+
+@item @code{pipefs-directory} (default: @code{"/var/lib/nfs/rpc_pipefs"})
+The directory where the pipefs file system is mounted.
+
+@end table
+@end deftp
+
+
+@subsubheading IDMAP Daemon Service
+@cindex idmapd
+@cindex name mapper
+
+The idmap daemon service provides mapping between user IDs and user names.
+Typically it is required in order to access file systems mounted via NFSv4.
+
+@defvr {Scheme Variable} idmap-service-type
+A service type for the Identity Mapper (IDMAP) daemon.
+@end defvr
+
+@deftp {Data Type} idmap-configuration
+Data type representing the configuration of the IDMAP daemon service.
+This type has the following parameters:
+@table @asis
+@item @code{nfs-utils} (default: @code{nfs-utils})
+The package in which the @command{rpc.idmapd} command is to be found.
+
+@item @code{pipefs-directory} (default: @code{"/var/lib/nfs/rpc_pipefs"})
+The directory where the pipefs file system is mounted.
+
+@item @code{domain} (default: @code{#f})
+The local NFSv4 domain name.
+This must be a string or @code{#f}.
+If it is @code{#f} then the daemon will use the host's fully qualified domain name.
+
+@end table
+@end deftp
+
+
+@node Miscellaneous Services
+@subsubsection Miscellaneous Services
+
+
@cindex lirc
@subsubheading Lirc Service
@@ -13083,6 +13177,54 @@ starts with @code{py} (e.g. @code{pytz}), we keep it and prefix it as
described above.
+@subsubsection Specifying Dependencies
+@cindex inputs, for Python packages
+
+Dependency information for Python packages is usually available in the
+package source tree, with varying degrees of accuracy: in the
+@file{setup.py} file, in @file{requirements.txt}, or in @file{tox.ini}.
+
+Your mission, when writing a recipe for a Python package, is to map
+these dependencies to the appropriate type of ``input'' (@pxref{package
+Reference, inputs}). Although the @code{pypi} importer normally does a
+good job (@pxref{Invoking guix import}), you may want to check the
+following check list to determine which dependency goes where.
+
+@itemize
+
+@item
+Python dependencies required at run time go into
+@code{propagated-inputs}. They are typically defined with the
+@code{install_requires} keyword in @file{setup.py}, or in the
+@file{requirements.txt} file.
+
+@item
+Python packages required only at build time---e.g., those listed with
+the @code{setup_requires} keyword in @file{setup.py}---or only for
+testing---e.g., those in @code{tests_require}---go into
+@code{native-inputs}. The rationale is that (1) they do not need to be
+propagated because they are not needed at run time, and (2) in a
+cross-compilation context, it's the ``native'' input that we'd want.
+
+Examples are @code{setuptools}, which is usually needed only at build
+time, or the @code{pytest}, @code{mock}, and @code{nose} test
+frameworks. Of course if any of these packages is also required at
+run-time, it needs to go to @code{propagated-inputs}.
+
+@item
+Anything that does not fall in the previous categories goes to
+@code{inputs}, for example programs or C libraries required for building
+Python packages containing C extensions.
+
+@item
+If a Python package has optional dependencies (@code{extras_require}),
+it is up to you to decide whether to add them or not, based on their
+usefulness/overhead ratio (@pxref{Submitting Patches, @command{guix
+size}}).
+
+@end itemize
+
+
@node Perl Modules
@subsection Perl Modules
diff --git a/gnu/local.mk b/gnu/local.mk
index debe348fd0..125e54013b 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -538,7 +538,12 @@ dist_patch_DATA = \
%D%/packages/patches/gd-fix-tests-on-i686.patch \
%D%/packages/patches/gegl-CVE-2012-4433.patch \
%D%/packages/patches/geoclue-config.patch \
+ %D%/packages/patches/ghostscript-CVE-2013-5653.patch \
%D%/packages/patches/ghostscript-CVE-2015-3228.patch \
+ %D%/packages/patches/ghostscript-CVE-2016-7976.patch \
+ %D%/packages/patches/ghostscript-CVE-2016-7978.patch \
+ %D%/packages/patches/ghostscript-CVE-2016-7979.patch \
+ %D%/packages/patches/ghostscript-CVE-2016-8602.patch \
%D%/packages/patches/ghostscript-runpath.patch \
%D%/packages/patches/glib-networking-ssl-cert-file.patch \
%D%/packages/patches/glib-tests-timer.patch \
@@ -573,6 +578,8 @@ dist_patch_DATA = \
%D%/packages/patches/gtk3-respect-GUIX_GTK3_PATH.patch \
%D%/packages/patches/gtk3-respect-GUIX_GTK3_IM_MODULE_FILE.patch \
%D%/packages/patches/gtkglext-disable-disable-deprecated.patch \
+ %D%/packages/patches/hdf4-shared-fortran.patch \
+ %D%/packages/patches/hdf4-reproducibility.patch \
%D%/packages/patches/hdf5-config-date.patch \
%D%/packages/patches/hdf-eos5-build-shared.patch \
%D%/packages/patches/hdf-eos5-remove-gctp.patch \
diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm
index 8f10b18074..fcf769fb35 100644
--- a/gnu/packages/ghostscript.scm
+++ b/gnu/packages/ghostscript.scm
@@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
-;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2013, 2015, 2016 Ludovic Courtès <ludo@gnu.org>
;;;
@@ -127,6 +127,7 @@ printing, and psresize, for adjusting page sizes.")
(package
(name "ghostscript")
(version "9.14.0")
+ (replacement ghostscript/fixed)
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/ghostscript/gnu-ghostscript-"
@@ -197,8 +198,22 @@ output file formats and printers.")
(license license:agpl3+)
(home-page "http://www.gnu.org/software/ghostscript/")))
+(define ghostscript/fixed
+ (package
+ (inherit ghostscript)
+ (replacement #f) ; Prevent ghostscript/x from inheriting the replacement
+ (source (origin
+ (inherit (package-source ghostscript))
+ (patches (search-patches "ghostscript-CVE-2013-5653.patch"
+ "ghostscript-CVE-2015-3228.patch"
+ "ghostscript-CVE-2016-7976.patch"
+ "ghostscript-CVE-2016-7978.patch"
+ "ghostscript-CVE-2016-7979.patch"
+ "ghostscript-CVE-2016-8602.patch"
+ "ghostscript-runpath.patch"))))))
+
(define-public ghostscript/x
- (package (inherit ghostscript)
+ (package (inherit ghostscript/fixed)
(name (string-append (package-name ghostscript) "-with-x"))
(inputs `(("libxext" ,libxext)
("libxt" ,libxt)
diff --git a/gnu/packages/imagemagick.scm b/gnu/packages/imagemagick.scm
index 75427a4ce1..4c3c636b68 100644
--- a/gnu/packages/imagemagick.scm
+++ b/gnu/packages/imagemagick.scm
@@ -3,6 +3,7 @@
;;; Copyright © 2015 Eric Bavier <bavier@member.fsf.org>
;;; Copyright © 2015 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2016 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016 Mark H Weaver <mhw@netris.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -24,6 +25,7 @@
#:use-module (guix build-system gnu)
#:use-module (guix build-system perl)
#:use-module (guix download)
+ #:use-module (guix hg-download)
#:use-module (guix utils)
#:use-module ((guix licenses) #:prefix license:)
#:use-module (gnu packages)
@@ -41,17 +43,20 @@
(define-public imagemagick
(package
(name "imagemagick")
- (version "6.9.5-10")
+ (version "6.9.6-2")
(source (origin
(method url-fetch)
(uri (string-append "mirror://imagemagick/ImageMagick-"
version ".tar.xz"))
(sha256
(base32
- "0cxjzqzca80vf6sfx4z9zq4wq2w0vy9ajp9kf88jb4na8mwsn198"))))
+ "139h9lycxw3lszn052m34xm0rqyanin4nb529vxjcrkkzqilh91r"))))
(build-system gnu-build-system)
(arguments
`(#:configure-flags '("--with-frozenpaths" "--without-gcc-arch")
+ ;; FIXME: The test suite succeeded before version 6.9.6-2.
+ ;; Try enabling it again with newer releases.
+ #:tests? #f
#:phases (modify-phases %standard-phases
(add-before
'build 'pre-build
@@ -154,48 +159,55 @@ script.")
(license (package-license imagemagick))))
(define-public graphicsmagick
- (package
- (name "graphicsmagick")
- (version "1.3.25")
- (source (origin
- (method url-fetch)
- (uri (string-append "ftp://ftp.graphicsmagick.org/pub/"
- "GraphicsMagick/" (version-major+minor version)
- "/GraphicsMagick-" version ".tar.xz"))
- (sha256
- (base32
- "17xcc7pfcmiwpfr1g8ys5a7bdnvqzka53vg3kkzhwwz0s99gljyn"))))
- (build-system gnu-build-system)
- (arguments
- `(#:configure-flags
- (list "--with-frozenpaths"
- "--enable-shared=yes"
- "--with-x=yes"
- (string-append "--with-gs-font-dir="
- (assoc-ref %build-inputs "gs-fonts")
- "/share/fonts/type1/ghostscript"))))
- (inputs
- `(("graphviz" ,graphviz)
- ("ghostscript" ,ghostscript)
- ("gs-fonts" ,gs-fonts)
- ("lcms" ,lcms)
- ("libx11" ,libx11)
- ("libxml2" ,libxml2)
- ("libtiff" ,libtiff)
- ("libpng" ,libpng)
- ("libjpeg" ,libjpeg)
- ("freetype" ,freetype)
- ("bzip2" ,bzip2)
- ("xz" ,xz)
- ("zlib" ,zlib)))
- (native-inputs
- `(("pkg-config" ,pkg-config)))
- (outputs '("out" ; 13 MiB
- "doc")) ; ~7 MiB
- (home-page "http://www.graphicsmagick.org")
- (synopsis "Create, edit, compose, or convert bitmap images")
- (description
- "GraphicsMagick provides a comprehensive collection of utilities,
+ (let ((changeset "56c8cae") ; 3e01b
+ (revision "1"))
+ (package
+ (name "graphicsmagick")
+ (version (string-append "1.3.25-" revision "." changeset))
+ (source (origin
+ (method hg-fetch)
+ (uri (hg-reference
+ (url "http://hg.code.sf.net/p/graphicsmagick/code")
+ (changeset changeset)))
+ (file-name (string-append name "-" version "-checkout"))
+ ;;(method url-fetch)
+ ;;(uri (string-append "ftp://ftp.graphicsmagick.org/pub/"
+ ;; "GraphicsMagick/" (version-major+minor version)
+ ;; "/GraphicsMagick-" version ".tar.xz"))
+ (sha256
+ (base32
+ "1s9apvkn0kxr6i4i5wlkfw1prja02rgk689n3cf822zc0dkycxdh"))))
+ (build-system gnu-build-system)
+ (arguments
+ `(#:configure-flags
+ (list "--with-frozenpaths"
+ "--enable-shared=yes"
+ "--with-x=yes"
+ (string-append "--with-gs-font-dir="
+ (assoc-ref %build-inputs "gs-fonts")
+ "/share/fonts/type1/ghostscript"))))
+ (inputs
+ `(("graphviz" ,graphviz)
+ ("ghostscript" ,ghostscript)
+ ("gs-fonts" ,gs-fonts)
+ ("lcms" ,lcms)
+ ("libx11" ,libx11)
+ ("libxml2" ,libxml2)
+ ("libtiff" ,libtiff)
+ ("libpng" ,libpng)
+ ("libjpeg" ,libjpeg)
+ ("freetype" ,freetype)
+ ("bzip2" ,bzip2)
+ ("xz" ,xz)
+ ("zlib" ,zlib)))
+ (native-inputs
+ `(("pkg-config" ,pkg-config)))
+ (outputs '("out" ; 13 MiB
+ "doc")) ; ~7 MiB
+ (home-page "http://www.graphicsmagick.org")
+ (synopsis "Create, edit, compose, or convert bitmap images")
+ (description
+ "GraphicsMagick provides a comprehensive collection of utilities,
programming interfaces, and GUIs, to support file format conversion, image
processing, and 2D vector rendering.")
- (license license:expat)))
+ (license license:expat))))
diff --git a/gnu/packages/maths.scm b/gnu/packages/maths.scm
index 97f545b8e5..83f55c9f18 100644
--- a/gnu/packages/maths.scm
+++ b/gnu/packages/maths.scm
@@ -445,6 +445,65 @@ computations.")
(home-page "https://github.com/OkoSanto/GCTP")
(license license:public-domain))) ;https://www2.usgs.gov/laws/info_policies.html
+(define-public hdf4
+ (package
+ (name "hdf4")
+ (version "4.2.11")
+ (source
+ (origin
+ (method url-fetch)
+ (uri (string-append "https://support.hdfgroup.org/ftp/HDF/releases/HDF"
+ version "/src/hdf-" version ".tar.bz2"))
+ (sha256
+ (base32 "16yr50j845zlfx20skmw3y75ww77akk9gg0affjqkg66ih5r03mv"))
+ (patches (search-patches "hdf4-reproducibility.patch"
+ "hdf4-shared-fortran.patch"))))
+
+ (build-system gnu-build-system)
+ (native-inputs
+ `(("gfortran" ,gfortran)
+ ("bison" ,bison)
+ ("flex" ,flex)))
+ (inputs
+ `(("zlib" ,zlib)
+ ("libjpeg" ,libjpeg)))
+ (arguments
+ `(#:parallel-tests? #f
+ #:configure-flags '("--enable-shared")
+ #:phases
+ (modify-phases %standard-phases
+ (add-before 'configure 'patchbuild
+ (lambda _
+ (substitute*
+ '("mfhdf/hdfimport/testutil.sh.in" "hdf/util/testutil.sh.in")
+ (("/bin/rm") "rm")
+ (("/bin/mkdir") "mkdir"))
+ (substitute* (find-files "." "^Makefile\\.in$")
+ (("@HDF_BUILD_XDR_TRUE@XDR_ADD = \
+-R\\$\\(abs_top_builddir\\)/mfhdf/xdr/\\.libs") "")
+ (("@HDF_BUILD_SHARED_TRUE@AM_LDFLAGS = \
+-R\\$\\(abs_top_builddir\\)/mfhdf/libsrc/\\.libs \
+-R\\$\\(abs_top_builddir\\)/hdf/src/\\.libs \\$\\(XDR_ADD\\)") "")))))))
+ (home-page "https://www.hdfgroup.org/products/hdf4/")
+ (synopsis
+ "Library and multi-object file format for storing and managing data")
+ (description "HDF4 is a library and multi-object file format for storing
+and managing data between machines. HDF4 is an older hierarchical data format,
+incompatible with HDF5.")
+ (license
+ (license:non-copyleft
+ "https://www.hdfgroup.org/ftp/HDF/HDF_Current/src/unpacked/COPYING"))))
+
+(define-public hdf4-alt
+ (package
+ (inherit hdf4)
+ (name "hdf4-alt")
+ (arguments
+ (substitute-keyword-arguments (package-arguments hdf4)
+ ((#:configure-flags flags) `(cons* "--disable-netcdf" ,flags))))
+ (synopsis
+ "HDF4 without netCDF API, can be combined with the regular netCDF library")))
+
(define-public hdf5
(package
(name "hdf5")
diff --git a/gnu/packages/patches/ghostscript-CVE-2013-5653.patch b/gnu/packages/patches/ghostscript-CVE-2013-5653.patch
new file mode 100644
index 0000000000..622266b176
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-CVE-2013-5653.patch
@@ -0,0 +1,85 @@
+The following patch was adapted for GNU Ghostscript
+by Mark H Weaver <mhw@netris.org> based on:
+
+http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8
+
+From ab109aaeb3ddba59518b036fb288402a65cf7ce8 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Sat, 5 Mar 2016 14:56:03 -0800
+Subject: [PATCH] Bug 694724: Have filenameforall and getenv honor SAFER
+
+---
+ Resource/Init/gs_init.ps | 2 ++
+ psi/zfile.c | 36 ++++++++++++++++++++----------------
+ 2 files changed, 22 insertions(+), 16 deletions(-)
+
+diff --git a/Resource/Init/gs_init.ps b/Resource/Init/gs_init.ps
+index fa33d88..99888ac 100644
+--- a/Resource/Init/gs_init.ps
++++ b/Resource/Init/gs_init.ps
+@@ -2018,6 +2018,7 @@ readonly def
+
+ /.locksafe {
+ .locksafe_userparams
++ systemdict /getenv {pop //false} put
+ % setpagedevice has the side effect of clearing the page, but
+ % we will just document that. Using setpagedevice keeps the device
+ % properties and pagedevice .LockSafetyParams in agreement even
+@@ -2036,6 +2037,7 @@ readonly def
+ %%
+ /.locksafeglobal {
+ .locksafe_userparams
++ systemdict /getenv {pop //false} put
+ % setpagedevice has the side effect of clearing the page, but
+ % we will just document that. Using setpagedevice keeps the device
+ % properties and pagedevice .LockSafetyParams in agreement even
+diff --git a/psi/zfile.c b/psi/zfile.c
+index 320ecd5..0b9f299 100644
+--- a/psi/zfile.c
++++ b/psi/zfile.c
+@@ -371,22 +371,26 @@ file_continue(i_ctx_t *i_ctx_p)
+
+ if (len < devlen)
+ return_error(e_rangecheck); /* not even room for device len */
+- memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
+- code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
+- len - devlen);
+- if (code == ~(uint) 0) { /* all done */
+- esp -= 5; /* pop proc, pfen, devlen, iodev , mark */
+- return o_pop_estack;
+- } else if (code > len) /* overran string */
+- return_error(e_rangecheck);
+- else {
+- push(1);
+- ref_assign(op, pscratch);
+- r_set_size(op, code + devlen);
+- push_op_estack(file_continue); /* come again */
+- *++esp = pscratch[2]; /* proc */
+- return o_push_estack;
+- }
++
++ do {
++ memcpy((char *)pscratch->value.bytes, iodev->dname, devlen);
++ code = iodev->procs.enumerate_next(pfen, (char *)pscratch->value.bytes + devlen,
++ len - devlen);
++ if (code == ~(uint) 0) { /* all done */
++ esp -= 5; /* pop proc, pfen, devlen, iodev , mark */
++ return o_pop_estack;
++ } else if (code > len) /* overran string */
++ return_error(e_rangecheck);
++ else if (iodev != iodev_default(imemory)
++ || (check_file_permissions_reduced(i_ctx_p, (char *)pscratch->value.bytes, code + devlen, "PermitFileReading")) == 0) {
++ push(1);
++ ref_assign(op, pscratch);
++ r_set_size(op, code + devlen);
++ push_op_estack(file_continue); /* come again */
++ *++esp = pscratch[2]; /* proc */
++ return o_push_estack;
++ }
++ } while(1);
+ }
+ /* Cleanup procedure for enumerating files */
+ static int
+--
+2.9.1
+
diff --git a/gnu/packages/patches/ghostscript-CVE-2016-7976.patch b/gnu/packages/patches/ghostscript-CVE-2016-7976.patch
new file mode 100644
index 0000000000..0a09f89016
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-CVE-2016-7976.patch
@@ -0,0 +1,185 @@
+The following patch was adapted for GNU Ghostscript
+by Mark H Weaver <mhw@netris.org> based on:
+
+http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=6d444c273da5499a4cd72f21cb6d4c9a5256807d
+
+From 6d444c273da5499a4cd72f21cb6d4c9a5256807d Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 5 Oct 2016 09:55:55 +0100
+Subject: [PATCH] Bug 697178: Add a file permissions callback
+
+For the rare occasions when the graphics library directly opens a file
+(currently for reading), this allows us to apply any restrictions on
+file access normally applied in the interpteter.
+---
+ base/gsicc_manage.c | 10 ++++++----
+ base/gslibctx.c | 12 +++++++++++-
+ base/gslibctx.h | 7 +++++++
+ psi/imain.c | 2 ++
+ psi/int.mak | 2 +-
+ psi/zfile.c | 19 +++++++++++++++++++
+ psi/zfile.h | 7 +++++++
+ 7 files changed, 53 insertions(+), 6 deletions(-)
+
+diff --git a/base/gsicc_manage.c b/base/gsicc_manage.c
+index 931c2a6..e9c09c3 100644
+--- a/base/gsicc_manage.c
++++ b/base/gsicc_manage.c
+@@ -1028,10 +1028,12 @@ gsicc_open_search(const char* pname, int namelen, gs_memory_t *mem_gc,
+ }
+
+ /* First just try it like it is */
+- str = sfopen(pname, "rb", mem_gc);
+- if (str != NULL) {
+- *strp = str;
+- return 0;
++ if (gs_check_file_permission(mem_gc, pname, namelen, "r") >= 0) {
++ str = sfopen(pname, "rb", mem_gc);
++ if (str != NULL) {
++ *strp = str;
++ return 0;
++ }
+ }
+
+ /* If that fails, try %rom% */ /* FIXME: Not sure this is needed or correct */
+diff --git a/base/gslibctx.c b/base/gslibctx.c
+index eaa0458..37ce1ca 100644
+--- a/base/gslibctx.c
++++ b/base/gslibctx.c
+@@ -121,7 +121,7 @@ int gs_lib_ctx_init( gs_memory_t *mem )
+ mem->gs_lib_ctx = NULL;
+ return -1;
+ }
+-
++ pio->client_check_file_permission = NULL;
+ gp_get_realtime(pio->real_time_0);
+
+ return 0;
+@@ -262,3 +262,13 @@ void errflush(const gs_memory_t *mem)
+ fflush(mem->gs_lib_ctx->fstderr);
+ /* else nothing to flush */
+ }
++
++int
++gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission)
++{
++ int code = 0;
++ if (mem->gs_lib_ctx->client_check_file_permission != NULL) {
++ code = mem->gs_lib_ctx->client_check_file_permission(mem, fname, len, permission);
++ }
++ return code;
++}
+diff --git a/base/gslibctx.h b/base/gslibctx.h
+index 7a4e110..020e2d9 100644
+--- a/base/gslibctx.h
++++ b/base/gslibctx.h
+@@ -32,6 +32,9 @@ typedef struct gs_fapi_server_s gs_fapi_server;
+ # define gs_font_dir_DEFINED
+ typedef struct gs_font_dir_s gs_font_dir;
+ #endif
++
++typedef int (*client_check_file_permission_t) (gs_memory_t *mem, const char *fname, const int len, const char *permission);
++
+ typedef struct gs_lib_ctx_s
+ {
+ gs_memory_t *memory; /* mem->gs_lib_ctx->memory == mem */
+@@ -59,6 +62,7 @@ typedef struct gs_lib_ctx_s
+ bool dict_auto_expand; /* ps dictionary: false level 1 true level 2 or 3 */
+ /* A table of local copies of the IODevices */
+ struct gx_io_device_s **io_device_table;
++ client_check_file_permission_t client_check_file_permission;
+ /* Define the default value of AccurateScreens that affects setscreen
+ and setcolorscreen. */
+ bool screen_accurate_screens;
+@@ -108,6 +112,9 @@ int
+ void gs_lib_ctx_set_icc_directory(const gs_memory_t *mem_gc, const char* pname,
+ int dir_namelen);
+
++int
++gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission);
++
+ #define IS_LIBCTX_STDOUT(mem, f) (f == mem->gs_lib_ctx->fstdout)
+ #define IS_LIBCTX_STDERR(mem, f) (f == mem->gs_lib_ctx->fstderr)
+
+diff --git a/psi/imain.c b/psi/imain.c
+index 9a9bb5d..6874128 100644
+--- a/psi/imain.c
++++ b/psi/imain.c
+@@ -57,6 +57,7 @@
+ #include "ivmspace.h"
+ #include "idisp.h" /* for setting display device callback */
+ #include "iplugin.h"
++#include "zfile.h"
+
+ #ifdef PACIFY_VALGRIND
+ #include "valgrind.h"
+@@ -215,6 +216,7 @@ gs_main_init1(gs_main_instance * minst)
+ "the_gs_name_table");
+ if (code < 0)
+ return code;
++ mem->gs_lib_ctx->client_check_file_permission = z_check_file_permissions;
+ }
+ code = obj_init(&minst->i_ctx_p, &idmem); /* requires name_init */
+ if (code < 0)
+diff --git a/psi/int.mak b/psi/int.mak
+index 4654afc..bb30d51 100644
+--- a/psi/int.mak
++++ b/psi/int.mak
+@@ -1868,7 +1868,7 @@ $(PSOBJ)imain.$(OBJ) : $(PSSRC)imain.c $(GH) $(memory__h) $(string__h)\
+ $(ialloc_h) $(iconf_h) $(idebug_h) $(idict_h) $(idisp_h) $(iinit_h)\
+ $(iname_h) $(interp_h) $(iplugin_h) $(isave_h) $(iscan_h) $(ivmspace_h)\
+ $(iinit_h) $(main_h) $(oper_h) $(ostack_h)\
+- $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h)
++ $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h) $(zfile_h)
+ $(PSCC) $(PSO_)imain.$(OBJ) $(C_) $(PSSRC)imain.c
+
+ #****** $(CCINT) interp.c
+diff --git a/psi/zfile.c b/psi/zfile.c
+index 2c6c958..2f27f82 100644
+--- a/psi/zfile.c
++++ b/psi/zfile.c
+@@ -197,6 +197,25 @@ check_file_permissions(i_ctx_t *i_ctx_p, const char *fname, int len,
+ return check_file_permissions_reduced(i_ctx_p, fname_reduced, rlen, permitgroup);
+ }
+
++/* z_check_file_permissions: see zfile.h for explanation
++ */
++int
++z_check_file_permissions(gs_memory_t *mem, const char *fname, const int len, const char *permission)
++{
++ i_ctx_t *i_ctx_p = get_minst_from_memory(mem)->i_ctx_p;
++ gs_parsed_file_name_t pname;
++ const char *permitgroup = permission[0] == 'r' ? "PermitFileReading" : "PermitFileWriting";
++ int code = gs_parse_file_name(&pname, fname, len, imemory);
++ if (code < 0)
++ return code;
++
++ if (pname.iodev && i_ctx_p->LockFilePermissions && strcmp(pname.iodev->dname, "%pipe%") == 0)
++ return e_invalidfileaccess;
++
++ code = check_file_permissions(i_ctx_p, fname, len, permitgroup);
++ return code;
++}
++
+ /* <name_string> <access_string> file <file> */
+ int /* exported for zsysvm.c */
+ zfile(i_ctx_t *i_ctx_p)
+diff --git a/psi/zfile.h b/psi/zfile.h
+index fdf1373..a9399c7 100644
+--- a/psi/zfile.h
++++ b/psi/zfile.h
+@@ -22,4 +22,11 @@
+ int zopen_file(i_ctx_t *i_ctx_p, const gs_parsed_file_name_t *pfn,
+ const char *file_access, stream **ps, gs_memory_t *mem);
+
++/* z_check_file_permissions: a callback (via mem->gs_lib_ctx->client_check_file_permission)
++ * to allow applying the above permissions checks when opening file(s) from
++ * the graphics library
++ */
++int
++z_check_file_permissions(gs_memory_t *mem, const char *fname,
++ const int len, const char *permission);
+ #endif
+--
+2.9.1
+
diff --git a/gnu/packages/patches/ghostscript-CVE-2016-7978.patch b/gnu/packages/patches/ghostscript-CVE-2016-7978.patch
new file mode 100644
index 0000000000..81cb26e9ed
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-CVE-2016-7978.patch
@@ -0,0 +1,25 @@
+From 6f749c0c44e7b9e09737b9f29edf29925a34f0cf Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Wed, 5 Oct 2016 09:59:25 +0100
+Subject: [PATCH] Bug 697179: Reference count device icc profile
+
+when copying a device
+---
+ base/gsdevice.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/base/gsdevice.c b/base/gsdevice.c
+index 778106f..aea986a 100644
+--- a/base/gsdevice.c
++++ b/base/gsdevice.c
+@@ -614,6 +614,7 @@ gx_device_init(gx_device * dev, const gx_device * proto, gs_memory_t * mem,
+ dev->memory = mem;
+ dev->retained = !internal;
+ rc_init(dev, mem, (internal ? 0 : 1));
++ rc_increment(dev->icc_struct);
+ }
+
+ void
+--
+2.9.1
+
diff --git a/gnu/packages/patches/ghostscript-CVE-2016-7979.patch b/gnu/packages/patches/ghostscript-CVE-2016-7979.patch
new file mode 100644
index 0000000000..a557adfdea
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-CVE-2016-7979.patch
@@ -0,0 +1,48 @@
+The following patch was adapted for GNU Ghostscript
+by Mark H Weaver <mhw@netris.org> based on:
+
+http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=875a0095f37626a721c7ff57d606a0f95af03913
+
+From 875a0095f37626a721c7ff57d606a0f95af03913 Mon Sep 17 00:00:00 2001
+From: Ken Sharp <ken.sharp@artifex.com>
+Date: Wed, 5 Oct 2016 10:10:58 +0100
+Subject: [PATCH] DSC parser - validate parameters
+
+Bug #697190 ".initialize_dsc_parser doesn't validate the parameter is a dict type before using it."
+
+Regardless of any security implications, its simply wrong for a PostScript
+operator not to validate its parameter(s).
+
+No differences expected.
+---
+ psi/zdscpars.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/psi/zdscpars.c b/psi/zdscpars.c
+index c05e154..9b4b605 100644
+--- a/psi/zdscpars.c
++++ b/psi/zdscpars.c
+@@ -150,11 +150,16 @@ zinitialize_dsc_parser(i_ctx_t *i_ctx_p)
+ ref local_ref;
+ int code;
+ os_ptr const op = osp;
+- dict * const pdict = op->value.pdict;
+- gs_memory_t * const mem = (gs_memory_t *)dict_memory(pdict);
+- dsc_data_t * const data =
+- gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");
++ dict *pdict;
++ gs_memory_t *mem;
++ dsc_data_t *data;
+
++ check_read_type(*op, t_dictionary);
++
++ pdict = op->value.pdict;
++ mem = (gs_memory_t *)dict_memory(pdict);
++
++ data = gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");
+ if (!data)
+ return_error(e_VMerror);
+ data->document_level = 0;
+--
+2.9.1
+
diff --git a/gnu/packages/patches/ghostscript-CVE-2016-8602.patch b/gnu/packages/patches/ghostscript-CVE-2016-8602.patch
new file mode 100644
index 0000000000..aaf20b6c6c
--- /dev/null
+++ b/gnu/packages/patches/ghostscript-CVE-2016-8602.patch
@@ -0,0 +1,47 @@
+The following patch was adapted for GNU Ghostscript
+by Mark H Weaver <mhw@netris.org> based on:
+
+http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78
+
+From f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78 Mon Sep 17 00:00:00 2001
+From: Chris Liddell <chris.liddell@artifex.com>
+Date: Sat, 8 Oct 2016 16:10:27 +0100
+Subject: [PATCH] Bug 697203: check for sufficient params in .sethalftone5
+
+and param types
+---
+ psi/zht2.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/psi/zht2.c b/psi/zht2.c
+index fb4a264..dfa27a4 100644
+--- a/psi/zht2.c
++++ b/psi/zht2.c
+@@ -82,14 +82,22 @@ zsethalftone5(i_ctx_t *i_ctx_p)
+ gs_memory_t *mem;
+ uint edepth = ref_stack_count(&e_stack);
+ int npop = 2;
+- int dict_enum = dict_first(op);
++ int dict_enum;
+ ref rvalue[2];
+ int cname, colorant_number;
+ byte * pname;
+ uint name_size;
+ int halftonetype, type = 0;
+ gs_state *pgs = igs;
+- int space_index = r_space_index(op - 1);
++ int space_index;
++
++ if (ref_stack_count(&o_stack) < 2)
++ return_error(e_stackunderflow);
++ check_type(*op, t_dictionary);
++ check_type(*(op - 1), t_dictionary);
++
++ dict_enum = dict_first(op);
++ space_index = r_space_index(op - 1);
+
+ mem = (gs_memory_t *) idmemory->spaces_indexed[space_index];
+
+--
+2.9.1
+
diff --git a/gnu/packages/patches/hdf4-reproducibility.patch b/gnu/packages/patches/hdf4-reproducibility.patch
new file mode 100644
index 0000000000..9b5fea6269
--- /dev/null
+++ b/gnu/packages/patches/hdf4-reproducibility.patch
@@ -0,0 +1,35 @@
+Remove/patch unreproducible config data.
+
+diff --git a/configure b/configure
+index eb9f346..ebab94d 100755
+--- a/configure
++++ b/configure
+@@ -23163,7 +23163,7 @@ H4_VERSION="`cut -d' ' -f3 $srcdir/README.txt | head -1`"
+
+
+ ## Configuration date
+- CONFIG_DATE="`date`"
++CONFIG_DATE=`date -u -d "@$SOURCE_DATE_EPOCH"`
+
+ ## User doing the configuration
+ CONFIG_USER="`whoami`@`hostname`"
+diff --git a/libhdf4.settings.in b/libhdf4.settings.in
+index 1d9bbb9..4180d72 100644
+--- a/libhdf4.settings.in
++++ b/libhdf4.settings.in
+@@ -5,10 +5,10 @@ General Information:
+ -------------------
+ HDF4 Version: @H4_VERSION@
+ Configured on: @CONFIG_DATE@
+- Configured by: @CONFIG_USER@
++ Configured by: guix
+ Configure mode: @CONFIG_MODE@
+- Host system: @host_cpu@-@host_vendor@-@host_os@
+- Uname information: @UNAME_INFO@
++ Host system: guix
++ Uname information: guix
+ Libraries: @STATIC_SHARED@
+ Installation point: @prefix@
+
+--
+2.10.0
diff --git a/gnu/packages/patches/hdf4-shared-fortran.patch b/gnu/packages/patches/hdf4-shared-fortran.patch
new file mode 100644
index 0000000000..60db355bea
--- /dev/null
+++ b/gnu/packages/patches/hdf4-shared-fortran.patch
@@ -0,0 +1,25 @@
+Allow building a shared library with Fortran.
+---
+ configure | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/configure b/configure
+index f37d2fa..eb9f346 100755
+--- a/configure
++++ b/configure
+@@ -6141,12 +6141,6 @@ if test "X${enable_shared}" != "Xyes"; then
+ enable_shared="no"
+ fi
+
+-if test "X${enable_shared}" = "Xyes"; then
+- if test "X${BUILD_FORTRAN}" = "Xyes"; then
+- as_fn_error $? "Cannot build shared fortran libraries. Please configure with --disable-fortran flag." "$LINENO" 5
+- fi
+-fi
+-
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ln -s works" >&5
+ $as_echo_n "checking whether ln -s works... " >&6; }
+--
+2.10.0
+
diff --git a/gnu/services/nfs.scm b/gnu/services/nfs.scm
index b1e1f53fb6..8f58920e4a 100644
--- a/gnu/services/nfs.scm
+++ b/gnu/services/nfs.scm
@@ -20,11 +20,31 @@
#:use-module (gnu)
#:use-module (gnu services shepherd)
#:use-module (gnu packages onc-rpc)
+ #:use-module (gnu packages linux)
#:use-module (guix)
#:use-module (guix records)
+ #:use-module (ice-9 match)
+ #:use-module (gnu build file-systems)
#:export (rpcbind-service-type
rpcbind-configuration
- rpcbind-configuration?))
+ rpcbind-configuration?
+
+ pipefs-service-type
+ pipefs-configuration
+ pipefs-configuration?
+
+ idmap-service-type
+ idmap-configuration
+ idmap-configuration?
+
+ gss-service-type
+ gss-configuration
+ gss-configuration?))
+
+
+(define default-pipefs-directory "/var/lib/nfs/rpc_pipefs")
+
+
(define-record-type* <rpcbind-configuration>
rpcbind-configuration make-rpcbind-configuration
@@ -52,3 +72,110 @@
(start #~(make-forkexec-constructor #$rpcbind-command))
(stop #~(make-kill-destructor))))))
+
+
+
+(define-record-type* <pipefs-configuration>
+ pipefs-configuration make-pipefs-configuration
+ pipefs-configuration?
+ (mount-point pipefs-configuration-mount-point
+ (default default-pipefs-directory)))
+
+(define pipefs-service-type
+ (shepherd-service-type
+ 'pipefs
+ (lambda (config)
+ (define pipefs-directory (pipefs-configuration-mount-point config))
+
+ (shepherd-service
+ (documentation "Mount the pipefs pseudo filesystem.")
+ (provision '(rpc-pipefs))
+
+ (start #~(lambda ()
+ (mkdir-p #$pipefs-directory)
+ (mount "rpc_pipefs" #$pipefs-directory "rpc_pipefs")
+ (member #$pipefs-directory (mount-points))))
+
+ (stop #~(lambda (pid . args)
+ (umount #$pipefs-directory MNT_DETACH)
+ (not (member #$pipefs-directory (mount-points)))))))))
+
+
+
+(define-record-type* <gss-configuration>
+ gss-configuration make-gss-configuration
+ gss-configuration?
+ (pipefs-directory gss-configuration-pipefs-directory
+ (default default-pipefs-directory))
+ (nfs-utils gss-configuration-gss
+ (default nfs-utils)))
+
+(define gss-service-type
+ (shepherd-service-type
+ 'gss
+ (lambda (config)
+ (define nfs-utils
+ (gss-configuration-gss config))
+
+ (define pipefs-directory
+ (gss-configuration-pipefs-directory config))
+
+ (define gss-command
+ #~(list (string-append #$nfs-utils "/sbin/rpc.gssd") "-f"
+ "-p" #$pipefs-directory))
+
+ (shepherd-service
+ (documentation "Start the RPC GSS daemon.")
+ (requirement '(rpcbind-daemon rpc-pipefs))
+ (provision '(gss-daemon))
+
+ (start #~(make-forkexec-constructor #$gss-command))
+ (stop #~(make-kill-destructor))))))
+
+
+
+(define-record-type* <idmap-configuration>
+ idmap-configuration make-idmap-configuration
+ idmap-configuration?
+ (pipefs-directory idmap-configuration-pipefs-directory
+ (default default-pipefs-directory))
+ (domain idmap-configuration-domain
+ (default #f))
+ (nfs-utils idmap-configuration-idmap
+ (default nfs-utils)))
+
+(define idmap-service-type
+ (shepherd-service-type
+ 'idmap
+ (lambda (config)
+
+ (define nfs-utils
+ (idmap-configuration-idmap config))
+
+ (define pipefs-directory
+ (idmap-configuration-pipefs-directory config))
+
+ (define domain (idmap-configuration-domain config))
+
+ (define (idmap-config-file config)
+ (plain-file "idmapd.conf"
+ (string-append
+ "\n[General]\n"
+ (if domain
+ (format #f "Domain = ~a\n" domain))
+ "\n[Mapping]\n"
+ "Nobody-User = nobody\n"
+ "Nobody-Group = nogroup\n")))
+
+ (define idmap-command
+ #~(list (string-append #$nfs-utils "/sbin/rpc.idmapd") "-f"
+ "-p" #$pipefs-directory
+ "-c" #$(idmap-config-file config)))
+
+ (shepherd-service
+ (documentation "Start the RPC IDMAP daemon.")
+ (requirement '(rpcbind-daemon rpc-pipefs))
+ (provision '(idmap-daemon))
+ (start #~(make-forkexec-constructor #$idmap-command))
+ (stop #~(make-kill-destructor))))))
+