[PATCH 0/4] gnu: teeworlds: Update to 0.7.0 [fixes CVE-2018-18541].

  • Done
Details
2 participants
  • Alex Vong
  • Leo Famulari
Owner
unassigned
Submitted by
Alex Vong
Severity
normal


Alex Vong wrote on 11 Nov 2018 11:03
(address . guix-patches@gnu.org)(address . alexvong1995@gmail.com)
871s7r3095.fsf@gmail.com
Tags: patch, security

Hello Guix,

This patch set upgrades teeworlds to its latest version in order to fix
CVE-2018-18541, which is present in teeworlds before 0.6.5.

Cheers,
Alex
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCW+h89wAKCRBh71Au9gJS
8ta7APoCx6Xy7BCPwWgUNIN0Qw2u83sSLsDNdXwqw9PwslgXJQEAwT+wdy+LP17N
cFeJYnsxSpV+WC/JrtpMjuu/k8USdA0=
=Z4Gr
-----END PGP SIGNATURE-----

Alex Vong wrote on 11 Nov 2018 11:06
[PATCH 1/4] gnu: Add pnglite.
(address . 33347@debbugs.gnu.org)(address . alexvong1995@gmail.com)
87wopj1ljg.fsf@gmail.com
From 71b7ccb3de4ca3d08032ca89f8bb2e7782f9959b Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 12 Nov 2018 01:55:05 +0800
Subject: [PATCH 1/4] gnu: Add pnglite.

* gnu/packages/image.scm (pnglite): New variable.
---
gnu/packages/image.scm | 55 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)

diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 9bf9bd7e5..889128173 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -21,6 +21,7 @@
;;; Copyright © 2018 Pierre Neidhardt <mail@ambrevar.xyz>
;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2018 Pierre-Antoine Rouby <contact@parouby.fr>
+;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -253,6 +254,60 @@ files. It can compress them as much as 40% losslessly.")
;; This package used to be wrongfully name "pngcrunch".
(deprecated-package "pngcrunch" pngcrush))
+(define-public pnglite
+ (let ((commit "11695c56f7d7db806920bd9229b69f230e6ffb38")
+ (revision "1"))
+ (package
+ (name "pnglite")
+ ;; The project was moved from sourceforge to github.
+ ;; The latest version in sourceforge was 0.1.17:
+ ;; https://sourceforge.net/projects/pnglite/files/pnglite/
+ ;; No releases are made in github.
+ (version (git-version "0.1.17" revision commit))
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/dankar/pnglite")
+ (commit commit)))
+ (sha256
+ (base32
+ "1lmmkdxby5b8z9kx3zrpgpk33njpcf2xx8z9bgqag855sjsqbbby"))
+ (file-name (git-file-name name version))))
+ (build-system gnu-build-system)
+ (arguments
+ `(#:tests? #f
+ #:phases
+ (modify-phases %standard-phases
+ (delete 'configure)
+ (replace 'build
+ (lambda _
+ (let ((cflags '("-O2" "-fPIC"))
+ (ldflags '("-shared")))
+ (apply invoke
+ `("gcc"
+ "-o" "libpnglite.so"
+ ,@cflags
+ ,@ldflags
+ "pnglite.c"))
+ #t)))
+ (replace 'install
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let* ((out (assoc-ref outputs "out"))
+ (lib (string-append out "/lib/"))
+ (include (string-append out "/include/"))
+ (doc (string-append out "/share/doc/"
+ ,name "-" ,version "/")))
+ (install-file "libpnglite.so" lib)
+ (install-file "pnglite.h" include)
+ (install-file "README.md" doc)
+ #t))))))
+ (inputs `(("zlib" ,zlib)))
+ (home-page "https://github.com/dankar/pnglite")
+ (synopsis "Pretty small png library")
+ (description "A pretty small png library.
+Currently all documentation resides in @file{pnglite.h}.")
+ (license license:zlib))))
+
(define-public libjpeg
(package
(name "libjpeg")
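Review bot: The replaced `build` phase links `libpnglite.so` without naming zlib, even though `zlib` is the package's only input. Assuming `pnglite.c` calls into zlib as that input suggests, the shared object is produced with unresolved zlib symbols and records no dependency on the library. Every consumer (teeworlds in this series) then has to link and locate zlib itself, and a mistake only shows up at link or load time. Adding `"-lz"` after `"pnglite.c"` in the `gcc` argument list would record the dependency in the library itself. The same build phase appears in the resubmitted 1/4 later in this thread.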
--
2.19.1
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCW+h9swAKCRBh71Au9gJS
8iYAAQCwz1cgPN+ocTn/SfrwjwufnKZI8C+JXR/5AqXKJpj6RAD8DbsHTc+H3S2B
XfLNg6tAB5EpesW5dpleC8vSkysJ0wY=
=bX0y
-----END PGP SIGNATURE-----

Alex Vong wrote on 11 Nov 2018 11:07
[PATCH 2/4] gnu: Add json-parser.
(address . 33347@debbugs.gnu.org)(address . alexvong1995@gmail.com)
87sh071lic.fsf@gmail.com
From 7caabdd6a49d568463501adadf70f13b818bccec Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Thu, 8 Nov 2018 10:53:43 +0800
Subject: [PATCH 3/4] gnu: bam: Update to 0.5.1.

* gnu/packages/build-tools.scm (bam): Update to 0.5.1.
[arguments]: Use newly provided Makefile.
[inputs]: Add lua.
---
gnu/packages/build-tools.scm | 33 +++++++++++++++------------------
1 file changed, 15 insertions(+), 18 deletions(-)

diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm
index 42de56f8c..d24c9ce18 100644
--- a/gnu/packages/build-tools.scm
+++ b/gnu/packages/build-tools.scm
@@ -5,6 +5,7 @@
;;; Copyright © 2018 Fis Trivial <ybbs.daans@hotmail.com>
;;; Copyright © 2018 Tomáš Čech <sleep_walker@gnu.org>
;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -30,6 +31,7 @@
#:use-module (guix build-system cmake)
#:use-module (gnu packages)
#:use-module (gnu packages compression)
+ #:use-module (gnu packages lua)
#:use-module (gnu packages python)
#:use-module (gnu packages python-crypto)
#:use-module (gnu packages python-web)
@@ -40,33 +42,28 @@
(define-public bam
(package
(name "bam")
- (version "0.4.0")
+ (version "0.5.1")
(source (origin
(method url-fetch)
- (uri (string-append "http://github.com/downloads/matricks/"
- "bam/bam-" version ".tar.bz2"))
+ (uri (string-append "https://github.com/matricks/bam"
+ "/archive/v" version ".tar.gz"))
(sha256
(base32
- "0z90wvyd4nfl7mybdrv9dsd4caaikc6fxw801b72gqi1m9q0c0sn"))))
+ "1a8m7aa2xc23z3rqi5d15mxwp0hfappbmhkfpn7b3v156fprd1fc"))
+ (file-name (string-append name "-" version ".tar.gz"))))
(build-system gnu-build-system)
(arguments
- `(#:phases
+ `(#:make-flags `("CC=gcc"
+ ,(string-append "INSTALL_PREFIX="
+ (assoc-ref %outputs "out")))
+ #:test-target "test"
+ #:phases
(modify-phases %standard-phases
- (delete 'configure)
- (replace 'build
- (lambda _
- (zero? (system* "bash" "make_unix.sh"))))
- (replace 'check
- (lambda _
- (zero? (system* "python" "scripts/test.py"))))
- (replace 'install
- (lambda* (#:key outputs #:allow-other-keys)
- (let ((bin (string-append (assoc-ref outputs "out") "/bin")))
- (mkdir-p bin)
- (install-file "bam" bin)
- #t))))))
+ (delete 'configure))))
(native-inputs
`(("python" ,python-2)))
+ (inputs
+ `(("lua" ,lua)))
(home-page "https://matricks.github.io/bam/")
(synopsis "Fast and flexible build system")
(description "Bam is a fast and flexible build system. Bam uses Lua to
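Review bot: The `#:make-flags` value nests a second quasiquote inside the already quasiquoted `arguments` list, which works but makes it easy to misread which `,` is evaluated at which level. Writing it as `#:make-flags (list "CC=gcc" (string-append "INSTALL_PREFIX=" (assoc-ref %outputs "out")))` is equivalent and needs no unquote at all. A short comment on `(delete 'configure)` giving the reason the phase is dropped would also help the next reader. The hunk ends inside the `description` string, so the rest of the package is not visible here. The resubmitted 3/4 further down carries the same lines.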
--
2.19.1
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCW+h93AAKCRBh71Au9gJS
8s5XAP9lptgNvVLzepPWA/zhw/Bo9MY17dZnRFD/ypsebFM1FAD+KsS5qc0smbEV
f/6nBhz+WBpJAMnrLHBB1noK7hLMhQU=
=vCYn
-----END PGP SIGNATURE-----

Alex Vong wrote on 11 Nov 2018 11:09
[PATCH 3/4] gnu: Add json-parser.
(address . 33347@debbugs.gnu.org)(address . alexvong1995@gmail.com)
87o9av1lf3.fsf@gmail.com
From 6696a1dd8c69b9349c4897d1ce5b73d585d9f077 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 12 Nov 2018 02:23:27 +0800
Subject: [PATCH 2/4] gnu: Add json-parser.

* gnu/packages/web.scm (json-parser): New variable.
---
gnu/packages/web.scm | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)

diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index b0ab4add8..082337d00 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -28,6 +28,7 @@
;;; Copyright © 2018 Pierre-Antoine Rouby <pierre-antoine.rouby@inria.fr>
;;; Copyright © 2018 Gábor Boskovits <boskovits@gmail.com>
;;; Copyright © 2018 Mădălin Ionel Patrașcu <madalinionel.patrascu@mdc-berlin.de>
+;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -582,6 +583,32 @@ It aims to conform to RFC 7159.")
(("-Werror") ""))
#t))))))
+(define-public json-parser
+ (package
+ (name "json-parser")
+ (version "1.1.0")
+ (source (origin
+ (method url-fetch)
+ (uri (string-append "https://github.com/udp/json-parser"
+ "/archive/v" version ".tar.gz"))
+ (file-name (string-append name "-" version ".tar.gz"))
+ (sha256
+ (base32
+ "0cyixd9azd2l86hkha4d11lxz0a54fbwg4hmby6zkfwx4s9qf9sw"))))
+ (build-system gnu-build-system)
+ (arguments '(#:tests? #f))
+ (home-page "https://github.com/udp/json-parser")
+ (synopsis "JSON parser written in ANSI C")
+ (description "Very low footprint JSON parser written in portable ANSI C.
+
+@itemize
+@item BSD licensed with no dependencies (i.e. just drop the C file into your
+project)
+@item Never recurses or allocates more memory than it needs
+@item Very simple API with operator sugar for C++
+@end itemize")
+ (license l:bsd-2)))
+
(define-public qjson
(package
(name "qjson")
--
2.19.1
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCW+h+UAAKCRBh71Au9gJS
8mdrAP9SaTYcU+CwT9RklhU25NtApL3G3l3N/JY+DPJ9I7sv9wEAtS+p5CWQ/k41
+XLLzBD9Av94+wmJao/SeWFZncJRBQg=
=+bND
-----END PGP SIGNATURE-----

Alex Vong wrote on 11 Nov 2018 11:09
[PATCH 4/4] gnu: teeworlds: Update to 0.7.0 [fixes CVE-2018-18541].
(address . 33347@debbugs.gnu.org)(address . alexvong1995@gmail.com)
87k1lj1le4.fsf@gmail.com
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCW+h+cwAKCRBh71Au9gJS
8vuPAQC61zDZU1DCN9gbznDK941IZGv9isiKv1Ik4mWGkE6+zwEAgwfkouzxHBix
n7oIl/OXYqCZH9KpJVqPiw+UKrEhrQU=
=Xatc
-----END PGP SIGNATURE-----

Alex Vong wrote on 11 Nov 2018 11:13
Re: [PATCH 0/4] gnu: teeworlds: Update to 0.7.0 [fixes CVE-2018-18541].
(address . guix-patches@gnu.org)(address . alexvong1995@gmail.com)
87a7mf1l8a.fsf@gmail.com
Alex Vong <alexvong1995@gmail.com> writes:

> Tags: patch, security
>
> Hello Guix,
>
> This patch set upgrades teeworlds to its latest version in order to fix
> CVE-2018-18541, which is present in teeworlds before 0.6.5.
>
I forgot to mention that I also removed all bundled libraries.

> Cheers,
> Alex
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCW+h/RQAKCRBh71Au9gJS
8qEIAQC1x22IgYyoL4cUAFSV41dwlXH9rbvwGLvwdPrqpcNBWgD9FeDhiHm13n8v
IoTQoNAf25Uj+uR9bEW7sUZRfACDDgg=
=TK+i
-----END PGP SIGNATURE-----

Leo Famulari wrote on 13 Nov 2018 08:47
Re: [bug#33347] [PATCH 3/4] gnu: Add json-parser.
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 33347@debbugs.gnu.org)
20181113164749.GA8498@jasmine.lan
On Mon, Nov 12, 2018 at 03:09:04AM +0800, Alex Vong wrote:
> From 6696a1dd8c69b9349c4897d1ce5b73d585d9f077 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Mon, 12 Nov 2018 02:23:27 +0800
> Subject: [PATCH 2/4] gnu: Add json-parser.
>
> * gnu/packages/web.scm (json-parser): New variable.

> + (arguments '(#:tests? #f))

Please add a comment explaining why we skip the tests. If there are no
tests, it can be as simple as "No test suite.".

> + (description "Very low footprint JSON parser written in portable ANSI C.

Please use a complete sentence. For example, "This package provides a
very low footprint ...".
-----BEGIN PGP SIGNATURE-----
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=Eb+Q
-----END PGP SIGNATURE-----


Leo Famulari wrote on 13 Nov 2018 08:49
Re: [bug#33347] [PATCH 2/4] gnu: Add json-parser.
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 33347@debbugs.gnu.org)
20181113164900.GB8498@jasmine.lan
On Mon, Nov 12, 2018 at 03:07:07AM +0800, Alex Vong wrote:
> (source (origin
> (method url-fetch)
> - (uri (string-append "http://github.com/downloads/matricks/"
> - "bam/bam-" version ".tar.bz2"))
> + (uri (string-append "https://github.com/matricks/bam"
> + "/archive/v" version ".tar.gz"))

We should consider fetching the source with Git — these auto-generated
GitHub snapshot tarballs may change in the future.
-----BEGIN PGP SIGNATURE-----
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=1ex1
-----END PGP SIGNATURE-----


Leo Famulari wrote on 13 Nov 2018 08:53
Re: [bug#33347] [PATCH 4/4] gnu: teeworlds: Update to 0.7.0 [fixes CVE-2018-18541].
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 33347@debbugs.gnu.org)
20181113165310.GC8498@jasmine.lan
On Mon, Nov 12, 2018 at 03:09:39AM +0800, Alex Vong wrote:
> (replace 'configure
> (lambda* (#:key outputs #:allow-other-keys)
> + (define (use-latest-json-parser file)
> + (substitute* file
> + (("engine/external/json-parser/json\\.h")
> + "json-parser/json.h")
> + (("json_parse_ex\\(&JsonSettings, pFileData, aError\\);")
> + "json_parse_ex(&JsonSettings,
> + pFileData,
> + strlen(pFileData),
> + aError);")))
> +

Please add a code comment explaining this.

> - ;; FIXME: teeworlds bundles the sources of "pnglite", a two-file PNG
> - ;; library without a build system.

These sorts of mini-libraries are designed to be copied and pasted into
host projects rather than packaged on their own. That's why they don't
include a build system. For example, many cryptographic primitive
implementations are distributed this way — that's why you never see a
package for 'SHA256'. Is there a particular reason we should unbundle
pnglite?
-----BEGIN PGP SIGNATURE-----
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=xckU
-----END PGP SIGNATURE-----


Leo Famulari wrote on 13 Nov 2018 08:54
Re: [bug#33347] [PATCH 0/4] gnu: teeworlds: Update to 0.7.0 [fixes CVE-2018-18541].
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 33347@debbugs.gnu.org)
20181113165417.GD8498@jasmine.lan
On Mon, Nov 12, 2018 at 03:03:18AM +0800, Alex Vong wrote:
> Tags: patch, security
>
> Hello Guix,
>
> This patch set upgrades teeworlds to its latest version in order to fix
> CVE-2018-18541, which is present in teeworlds before 0.6.5.

I sent my comments to the individual patches. Thank you!
-----BEGIN PGP SIGNATURE-----
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=pv2m
-----END PGP SIGNATURE-----


Alex Vong wrote on 14 Nov 2018 05:14
Re: [bug#33347] [PATCH 3/4] gnu: Add json-parser.
(name . Leo Famulari)(address . leo@famulari.name)
87bm6r3ip0.fsf@gmail.com
Leo Famulari <leo@famulari.name> writes:

> On Mon, Nov 12, 2018 at 03:09:04AM +0800, Alex Vong wrote:
>> From 6696a1dd8c69b9349c4897d1ce5b73d585d9f077 Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Mon, 12 Nov 2018 02:23:27 +0800
>> Subject: [PATCH 2/4] gnu: Add json-parser.
>>
>> * gnu/packages/web.scm (json-parser): New variable.
>
>> + (arguments '(#:tests? #f))
>
> Please add a comment explaining why we skip the tests. If there are no
> tests, it can be as simple as "No test suite.".
>
OK

>> + (description "Very low footprint JSON parser written in portable ANSI C.
>
> Please use a complete sentence. For example, "This package provides a
> very low footprint ...".

The description was copied from upstream, but of course we can improve
it.
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCW+wfmwAKCRBh71Au9gJS
8r2rAP9UTht2031ZRuMH592By3UXUAy+BvCwcx99WI0XjJnu5gEAnV9ir3/zYRvT
k+EirxIZnlAtgp8GzEJlqx0myUCZvQ0=
=+4bR
-----END PGP SIGNATURE-----

Alex Vong wrote on 14 Nov 2018 05:19
Re: [bug#33347] [PATCH 2/4] gnu: Add json-parser.
(name . Leo Famulari)(address . leo@famulari.name)
877ehf3if9.fsf@gmail.com
Leo Famulari <leo@famulari.name> writes:

> On Mon, Nov 12, 2018 at 03:07:07AM +0800, Alex Vong wrote:
>> (source (origin
>> (method url-fetch)
>> - (uri (string-append "http://github.com/downloads/matricks/"
>> - "bam/bam-" version ".tar.bz2"))
>> + (uri (string-append "https://github.com/matricks/bam"
>> + "/archive/v" version ".tar.gz"))
>
> We should consider fetching the source with Git — these auto-generated
> GitHub snapshot tarballs may change in the future.

OK
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCW+wg+gAKCRBh71Au9gJS
8nnTAP9kKgCJ46ksir5zFSB42ESKi/s5teYjVOjQKk/t3XTF7AD/by8GJCoNmz9T
rT0Ijoke5ftb+liX71rV4tyyF1VigwQ=
=iTlA
-----END PGP SIGNATURE-----

Alex Vong wrote on 14 Nov 2018 05:36
Re: [bug#33347] [PATCH 4/4] gnu: teeworlds: Update to 0.7.0 [fixes CVE-2018-18541].
(name . Leo Famulari)(address . leo@famulari.name)
8736s33hnq.fsf@gmail.com
Leo Famulari <leo@famulari.name> writes:

> On Mon, Nov 12, 2018 at 03:09:39AM +0800, Alex Vong wrote:
>> (replace 'configure
>> (lambda* (#:key outputs #:allow-other-keys)
>> + (define (use-latest-json-parser file)
>> + (substitute* file
>> + (("engine/external/json-parser/json\\.h")
>> + "json-parser/json.h")
>> + (("json_parse_ex\\(&JsonSettings, pFileData, aError\\);")
>> + "json_parse_ex(&JsonSettings,
>> + pFileData,
>> + strlen(pFileData),
>> + aError);")))
>> +
>
> Please add a code comment explaining this.
>
OK

>> - ;; FIXME: teeworlds bundles the sources of "pnglite", a two-file PNG
>> - ;; library without a build system.
>
> These sorts of mini-libraries are designed to be copied and pasted into
> host projects rather than packaged on their own. That's why they don't
> include a build system. For example, many cryptographic primitive
> implementations are distributed this way — that's why you never see a
> package for 'SHA256'. Is there a particular reason we should unbundle
> pnglite?

Well, I thought we have a policy to remove bundled dependencies in order
to avoid building the same library many times. Do we make exceptions for
shared libraries w/o a build system? (an exception I can think of is
gnulib)

Besides, the FIXME comment seems to suggest future readers to help
remove the bundled pnglite. Debian also removes the bundled pnglite in
teeworlds[0].

Thanks for all the feedback!

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCW+wk2QAKCRBh71Au9gJS
8jRoAQDq5PV9VGZ8JgmIoqVwlO8MJF7pZBJvT8bOSOVP+qNzZAEA4cxSAIZiJ4MZ
j5MM/YtuyHmmGa7rkhHHyYdGPFkp1A0=
=mO6F
-----END PGP SIGNATURE-----

Leo Famulari wrote on 14 Nov 2018 09:39
(name . Alex Vong)(address . alexvong1995@gmail.com)(address . 33347@debbugs.gnu.org)
20181114173931.GB2408@jasmine.lan
On Wed, Nov 14, 2018 at 09:36:25PM +0800, Alex Vong wrote:
> Well, I though we have a policy to remove bundle dependencies in order
> to avoid building the same library many times. Do we make exceptions for
> shared libraries w/o a build system? (an exception I can think of is
> gnulib)

In general, yes, our policy is to unbundle things when practical.

But there are some commonly used software implementations of basic
functions (like base64, sha1 (most hash functions actually), et cetera)
that are specifically designed to be copied and pasted into the
application that will be using them.

You can usually tell this is the case because the thing will not have
any build system at all, like you suggest. Also because you find the
same copy-pasted code in almost every program you look at, like with
base64 and the hash functions.

> Besides, the FIXME comment seems to suggest future readers to help
> remove the bundled pnglite. Debian also removes the bundled pnglite in
> teeworlds[0].

Well, at a certain point it becomes a matter of taste, and the choice
should be made by the person doing the work — you! Either way is fine
for Guix :) The important thing is to get this Teeworlds fix pushed
without too much delay.
-----BEGIN PGP SIGNATURE-----
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=3UKK
-----END PGP SIGNATURE-----


Alex Vong wrote on 14 Nov 2018 13:14
(name . Leo Famulari)(address . leo@famulari.name)
87va4z1hv9.fsf@gmail.com
Leo Famulari <leo@famulari.name> writes:

> On Wed, Nov 14, 2018 at 09:36:25PM +0800, Alex Vong wrote:
>> Well, I though we have a policy to remove bundle dependencies in order
>> to avoid building the same library many times. Do we make exceptions for
>> shared libraries w/o a build system? (an exception I can think of is
>> gnulib)
>
> In general, yes, our policy is to unbundle things when practical.
>
> But there are some commonly used software implementations of basic
> functions (like base64, sha1 (most hash functions actually), et cetera)
> that are specifically designed to be copied and pasted into the
> application that will be using them.
>
> You can usually tell this is the case because the thing will not have
> any build system at all, like you suggest. Also because you find the
> same copy-pasted code in almost every program you look at, like with
> base64 and the hash functions.
>
>> Besides, the FIXME comment seems to suggest future readers to help
>> remove the bundled pnglite. Debian also removes the bundled pnglite in
>> teeworlds[0].
>
> Well, at a certain point it becomes a matter of taste, and the choice
> should be made by the person doing the work — you! Either way is fine
> for Guix :) The important thing is to get this Teeworlds fix pushed
> without too much delay.

Yes, we should get it fixed fast :) I decided not to unbundle md5 because I
actually need to use a hack to make teeworlds build with libmd. But I
still unbundle pnglite because it looks standalone enough to me
and no hacks are required to unbundle it. Here are the new patches:
From 5e7cb656306622e88352332c6ed9668d8afc60c4 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 12 Nov 2018 01:55:05 +0800
Subject: [PATCH 1/4] gnu: Add pnglite.

* gnu/packages/image.scm (pnglite): New variable.
---
gnu/packages/image.scm | 56 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 56 insertions(+)

diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 9bf9bd7e5..6c025e02f 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -21,6 +21,7 @@
;;; Copyright © 2018 Pierre Neidhardt <mail@ambrevar.xyz>
;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
;;; Copyright © 2018 Pierre-Antoine Rouby <contact@parouby.fr>
+;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -253,6 +254,61 @@ files. It can compress them as much as 40% losslessly.")
;; This package used to be wrongfully name "pngcrunch".
(deprecated-package "pngcrunch" pngcrush))
+(define-public pnglite
+ (let ((commit "11695c56f7d7db806920bd9229b69f230e6ffb38")
+ (revision "1"))
+ (package
+ (name "pnglite")
+ ;; The project was moved from sourceforge to github.
+ ;; The latest version in sourceforge was 0.1.17:
+ ;; https://sourceforge.net/projects/pnglite/files/pnglite/
+ ;; No releases are made in github.
+ (version (git-version "0.1.17" revision commit))
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/dankar/pnglite")
+ (commit commit)))
+ (sha256
+ (base32
+ "1lmmkdxby5b8z9kx3zrpgpk33njpcf2xx8z9bgqag855sjsqbbby"))
+ (file-name (git-file-name name version))))
+ (build-system gnu-build-system)
+ (arguments
+ `(#:tests? #f ; no tests
+ #:phases
+ (modify-phases %standard-phases
+ (delete 'configure)
+ (replace 'build
+ (lambda _
+ ;; common build flags for building shared libraries
+ (let ((cflags '("-O2" "-g" "-fPIC"))
+ (ldflags '("-shared")))
+ (apply invoke
+ `("gcc"
+ "-o" "libpnglite.so"
+ ,@cflags
+ ,@ldflags
+ "pnglite.c"))
+ #t)))
+ (replace 'install
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let* ((out (assoc-ref outputs "out"))
+ (lib (string-append out "/lib/"))
+ (include (string-append out "/include/"))
+ (doc (string-append out "/share/doc/"
+ ,name "-" ,version "/")))
+ (install-file "libpnglite.so" lib)
+ (install-file "pnglite.h" include)
+ (install-file "README.md" doc)
+ #t))))))
+ (inputs `(("zlib" ,zlib)))
+ (home-page "https://github.com/dankar/pnglite")
+ (synopsis "Pretty small png library")
+ (description "A pretty small png library.
+Currently all documentation resides in @file{pnglite.h}.")
+ (license license:zlib))))
+
(define-public libjpeg
(package
(name "libjpeg")
--
2.19.1
From e786c6e470a6930af9107e9722bea95a03c5d1c9 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Mon, 12 Nov 2018 02:23:27 +0800
Subject: [PATCH 2/4] gnu: Add json-parser.

* gnu/packages/web.scm (json-parser): New variable.
---
gnu/packages/web.scm | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)

diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
index 03deab422..cde3d00c1 100644
--- a/gnu/packages/web.scm
+++ b/gnu/packages/web.scm
@@ -28,6 +28,7 @@
;;; Copyright © 2018 Pierre-Antoine Rouby <pierre-antoine.rouby@inria.fr>
;;; Copyright © 2018 Gábor Boskovits <boskovits@gmail.com>
;;; Copyright © 2018 Mădălin Ionel Patrașcu <madalinionel.patrascu@mdc-berlin.de>
+;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -582,6 +583,37 @@ It aims to conform to RFC 7159.")
(("-Werror") ""))
#t))))))
+(define-public json-parser
+ (package
+ (name "json-parser")
+ (version "1.1.0")
+ (source (origin
+ ;; do not use auto-generated tarballs
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/udp/json-parser.git")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1ls7z4fx0sq633s5bc0j1gh36sv087gmrgr7rza22wjq2d4606yf"))))
+ ;; FIXME: we should build the python bindings in a separate package
+ (build-system gnu-build-system)
+ ;; the tests are written for the python bindings which are not built here
+ (arguments '(#:tests? #f))
+ (home-page "https://github.com/udp/json-parser")
+ (synopsis "JSON parser written in ANSI C")
+ (description "This package provides a very low footprint JSON parser
+written in portable ANSI C.
+
+@itemize
+@item BSD licensed with no dependencies (i.e. just drop the C file into your
+project)
+@item Never recurses or allocates more memory than it needs
+@item Very simple API with operator sugar for C++
+@end itemize")
+ (license l:bsd-2)))
+
(define-public qjson
(package
(name "qjson")
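Review bot: The comment `;; do not use auto-generated tarballs` on the `origin` gives the rule but not the reason, and the reason is what matters for source integrity. I would spell it out, e.g. `;; Fetch from Git: GitHub's auto-generated archives may change, which would invalidate the hash below.` Note also that `(commit (string-append "v" version))` names a tag rather than a commit id, so the `sha256` is the only thing pinning the content; a moved tag makes the build fail instead of silently changing the source. The `origin` in the resubmitted bam patch (3/4) uses the same comment and pattern.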
--
2.19.1
From b1cdc9568f8d82ed7096328d0b3845fc32b4efe8 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Thu, 8 Nov 2018 10:53:43 +0800
Subject: [PATCH 3/4] gnu: bam: Update to 0.5.1.

* gnu/packages/build-tools.scm (bam): Update to 0.5.1.
[source]: Switch to git-fetch.
[arguments]: Use newly provided Makefile.
[inputs]: Add lua.
---
gnu/packages/build-tools.scm | 37 ++++++++++++++++++------------------
1 file changed, 18 insertions(+), 19 deletions(-)

diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm
index 42de56f8c..a52ee480a 100644
--- a/gnu/packages/build-tools.scm
+++ b/gnu/packages/build-tools.scm
@@ -5,6 +5,7 @@
;;; Copyright © 2018 Fis Trivial <ybbs.daans@hotmail.com>
;;; Copyright © 2018 Tomáš Čech <sleep_walker@gnu.org>
;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
+;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -30,6 +31,7 @@
#:use-module (guix build-system cmake)
#:use-module (gnu packages)
#:use-module (gnu packages compression)
+ #:use-module (gnu packages lua)
#:use-module (gnu packages python)
#:use-module (gnu packages python-crypto)
#:use-module (gnu packages python-web)
@@ -40,33 +42,30 @@
(define-public bam
(package
(name "bam")
- (version "0.4.0")
+ (version "0.5.1")
(source (origin
- (method url-fetch)
- (uri (string-append "http://github.com/downloads/matricks/"
- "bam/bam-" version ".tar.bz2"))
+ ;; do not use auto-generated tarballs
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/matricks/bam.git")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
(sha256
(base32
- "0z90wvyd4nfl7mybdrv9dsd4caaikc6fxw801b72gqi1m9q0c0sn"))))
+ "13br735ig7lygvzyfd15fc2rdygrqm503j6xj5xkrl1r7w2wipq6"))))
(build-system gnu-build-system)
(arguments
- `(#:phases
+ `(#:make-flags `("CC=gcc"
+ ,(string-append "INSTALL_PREFIX="
+ (assoc-ref %outputs "out")))
+ #:test-target "test"
+ #:phases
(modify-phases %standard-phases
- (delete 'configure)
- (replace 'build
- (lambda _
- (zero? (system* "bash" "make_unix.sh"))))
- (replace 'check
- (lambda _
- (zero? (system* "python" "scripts/test.py"))))
- (replace 'install
- (lambda* (#:key outputs #:allow-other-keys)
- (let ((bin (string-append (assoc-ref outputs "out") "/bin")))
- (mkdir-p bin)
- (install-file "bam" bin)
- #t))))))
+ (delete 'configure))))
(native-inputs
`(("python" ,python-2)))
+ (inputs
+ `(("lua" ,lua)))
(home-page "https://matricks.github.io/bam/")
(synopsis "Fast and flexible build system")
(description "Bam is a fast and flexible build system. Bam uses Lua to
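Review bot: `"CC=gcc"` in `#:make-flags` pins the compiler name, so a cross build would still run the native `gcc` instead of the target toolchain; the same line appears in the quoted copy of this patch further down the thread. Nothing visible in the hunk derives the compiler from `%current-target-system`, which the teeworlds patch in this series does consult for its install path. Where the tree offers it, `,(string-append "CC=" (cc-for-target))` would be the usual replacement; otherwise a comment such as `;; FIXME: CC is hard-coded, cross-compilation is not supported` records the limitation. The `bam` package definition continues outside the hunk.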
--
2.19.1
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCW+yQSwAKCRBh71Au9gJS
8rQJAQDUpO9wIJ3K1NFvTnjVJYmaSK/LQO6GMcTGLY7HHKQWawEAvwWG5AwMiTVz
D6oXiHcMpCSH6CpCTdaGMoDE2+rrEQ4=
=RPHl
-----END PGP SIGNATURE-----

Alex Vong wrote on 21 Nov 2018 06:41
(name . Leo Famulari)(address . leo@famulari.name)
87va4q7at7.fsf@gmail.com
Hello everyone,

I think Leo may be busy since he hasn't replied yet. Should I just push
given the CVE fix?

Cheers,
Alex

Alex Vong <alexvong1995@gmail.com> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> On Wed, Nov 14, 2018 at 09:36:25PM +0800, Alex Vong wrote:
>>> Well, I though we have a policy to remove bundle dependencies in order
>>> to avoid building the same library many times. Do we make exceptions for
>>> shared libraries w/o a build system? (an exception I can think of is
>>> gnulib)
>>
>> In general, yes, our policy is to unbundle things when practical.
>>
>> But there are some commonly used software implementations of basic
>> functions (like base64, sha1 (most hash functions actually), et cetera)
>> that are specifically designed to be copied and pasted into the
>> application that will be using them.
>>
>> You can usually tell this is the case because the thing will not have
>> any build system at all, like you suggest. Also because you find the
>> same copy-pasted code in almost every program you look at, like with
>> base64 and the hash functions.
>>
>>> Besides, the FIXME comment seems to suggest future readers to help
>>> remove the bundled pnglite. Debian also removes the bundled pnglite in
>>> teeworlds[0].
>>
>> Well, at a certain point it becomes a matter of taste, and the choice
>> should be made by the person doing the work — you! Either way is fine
>> for Guix :) The important thing is to get this Teeworlds fix pushed
>> without too much delay.
>
> Yes, we should get it fix fast :) I decide not to unbundle md5 because I
> actually need to use a hack to make teeworlds build with libmd. But I
> still have pnglite unbundle because it looks standalone enough for me
> and no hacks are required to unbundle. Here are the new patches:
>
> From 5e7cb656306622e88352332c6ed9668d8afc60c4 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Mon, 12 Nov 2018 01:55:05 +0800
> Subject: [PATCH 1/4] gnu: Add pnglite.
>
> * gnu/packages/image.scm (pnglite): New variable.
> ---
> gnu/packages/image.scm | 56 ++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 56 insertions(+)
>
> diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
> index 9bf9bd7e5..6c025e02f 100644
> --- a/gnu/packages/image.scm
> +++ b/gnu/packages/image.scm
> @@ -21,6 +21,7 @@
> ;;; Copyright © 2018 Pierre Neidhardt <mail@ambrevar.xyz>
> ;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
> ;;; Copyright © 2018 Pierre-Antoine Rouby <contact@parouby.fr>
> +;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -253,6 +254,61 @@ files. It can compress them as much as 40% losslessly.")
> ;; This package used to be wrongfully name "pngcrunch".
> (deprecated-package "pngcrunch" pngcrush))
>
> +(define-public pnglite
> + (let ((commit "11695c56f7d7db806920bd9229b69f230e6ffb38")
> + (revision "1"))
> + (package
> + (name "pnglite")
> + ;; The project was moved from sourceforge to github.
> + ;; The latest version in sourceforge was 0.1.17:
> + ;; https://sourceforge.net/projects/pnglite/files/pnglite/
> + ;; No releases are made in github.
> + (version (git-version "0.1.17" revision commit))
> + (source (origin
> + (method git-fetch)
> + (uri (git-reference
> + (url "https://github.com/dankar/pnglite")
> + (commit commit)))
> + (sha256
> + (base32
> + "1lmmkdxby5b8z9kx3zrpgpk33njpcf2xx8z9bgqag855sjsqbbby"))
> + (file-name (git-file-name name version))))
> + (build-system gnu-build-system)
> + (arguments
> + `(#:tests? #f ; no tests
> + #:phases
> + (modify-phases %standard-phases
> + (delete 'configure)
> + (replace 'build
> + (lambda _
> + ;; common build flags for building shared libraries
> + (let ((cflags '("-O2" "-g" "-fPIC"))
> + (ldflags '("-shared")))
> + (apply invoke
> + `("gcc"
> + "-o" "libpnglite.so"
> + ,@cflags
> + ,@ldflags
> + "pnglite.c"))
> + #t)))
> + (replace 'install
> + (lambda* (#:key outputs #:allow-other-keys)
> + (let* ((out (assoc-ref outputs "out"))
> + (lib (string-append out "/lib/"))
> + (include (string-append out "/include/"))
> + (doc (string-append out "/share/doc/"
> + ,name "-" ,version "/")))
> + (install-file "libpnglite.so" lib)
> + (install-file "pnglite.h" include)
> + (install-file "README.md" doc)
> + #t))))))
> + (inputs `(("zlib" ,zlib)))
> + (home-page "https://github.com/dankar/pnglite")
> + (synopsis "Pretty small png library")
> + (description "A pretty small png library.
> +Currently all documentation resides in @file{pnglite.h}.")
> + (license license:zlib))))
> +
> (define-public libjpeg
> (package
> (name "libjpeg")
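Review bot: The `build` phase links `libpnglite.so` without `-lz`, although `zlib` is the package's only input, presumably because `pnglite.c` calls into it. The shared object would then carry no NEEDED entry for libz, so every consumer has to link zlib itself and the dependency is invisible to anything that inspects the library. Adding `"-lz"` after `"pnglite.c"` in the `gcc` argument list records it in the library.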
> --
> 2.19.1
>
> From e786c6e470a6930af9107e9722bea95a03c5d1c9 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Mon, 12 Nov 2018 02:23:27 +0800
> Subject: [PATCH 2/4] gnu: Add json-parser.
>
> * gnu/packages/web.scm (json-parser): New variable.
> ---
> gnu/packages/web.scm | 32 ++++++++++++++++++++++++++++++++
> 1 file changed, 32 insertions(+)
>
> diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm
> index 03deab422..cde3d00c1 100644
> --- a/gnu/packages/web.scm
> +++ b/gnu/packages/web.scm
> @@ -28,6 +28,7 @@
> ;;; Copyright © 2018 Pierre-Antoine Rouby <pierre-antoine.rouby@inria.fr>
> ;;; Copyright © 2018 Gábor Boskovits <boskovits@gmail.com>
> ;;; Copyright © 2018 Mădălin Ionel Patrașcu <madalinionel.patrascu@mdc-berlin.de>
> +;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -582,6 +583,37 @@ It aims to conform to RFC 7159.")
> (("-Werror") ""))
> #t))))))
>
> +(define-public json-parser
> + (package
> + (name "json-parser")
> + (version "1.1.0")
> + (source (origin
> + ;; do not use auto-generated tarballs
> + (method git-fetch)
> + (uri (git-reference
> + (url "https://github.com/udp/json-parser.git")
> + (commit (string-append "v" version))))
> + (file-name (git-file-name name version))
> + (sha256
> + (base32
> + "1ls7z4fx0sq633s5bc0j1gh36sv087gmrgr7rza22wjq2d4606yf"))))
> + ;; FIXME: we should build the python bindings in a separate package
> + (build-system gnu-build-system)
> + ;; the tests are written for the python bindings which are not built here
> + (arguments '(#:tests? #f))
> + (home-page "https://github.com/udp/json-parser")
> + (synopsis "JSON parser written in ANSI C")
> + (description "This package provides a very low footprint JSON parser
> +written in portable ANSI C.
> +
> +@itemize
> +@item BSD licensed with no dependencies (i.e. just drop the C file into your
> +project)
> +@item Never recurses or allocates more memory than it needs
> +@item Very simple API with operator sugar for C++
> +@end itemize")
> + (license l:bsd-2)))
> +
> (define-public qjson
> (package
> (name "qjson")
> --
> 2.19.1
>
> From b1cdc9568f8d82ed7096328d0b3845fc32b4efe8 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Thu, 8 Nov 2018 10:53:43 +0800
> Subject: [PATCH 3/4] gnu: bam: Update to 0.5.1.
>
> * gnu/packages/build-tools.scm (bam): Update to 0.5.1.
> [source]: Switch to git-fetch.
> [arguments]: Use newly provided Makefile.
> [inputs]: Add lua.
> ---
> gnu/packages/build-tools.scm | 37 ++++++++++++++++++------------------
> 1 file changed, 18 insertions(+), 19 deletions(-)
>
> diff --git a/gnu/packages/build-tools.scm b/gnu/packages/build-tools.scm
> index 42de56f8c..a52ee480a 100644
> --- a/gnu/packages/build-tools.scm
> +++ b/gnu/packages/build-tools.scm
> @@ -5,6 +5,7 @@
> ;;; Copyright © 2018 Fis Trivial <ybbs.daans@hotmail.com>
> ;;; Copyright © 2018 Tomáš Čech <sleep_walker@gnu.org>
> ;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
> +;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -30,6 +31,7 @@
> #:use-module (guix build-system cmake)
> #:use-module (gnu packages)
> #:use-module (gnu packages compression)
> + #:use-module (gnu packages lua)
> #:use-module (gnu packages python)
> #:use-module (gnu packages python-crypto)
> #:use-module (gnu packages python-web)
> @@ -40,33 +42,30 @@
> (define-public bam
> (package
> (name "bam")
> - (version "0.4.0")
> + (version "0.5.1")
> (source (origin
> - (method url-fetch)
> - (uri (string-append "http://github.com/downloads/matricks/"
> - "bam/bam-" version ".tar.bz2"))
> + ;; do not use auto-generated tarballs
> + (method git-fetch)
> + (uri (git-reference
> + (url "https://github.com/matricks/bam.git")
> + (commit (string-append "v" version))))
> + (file-name (git-file-name name version))
> (sha256
> (base32
> - "0z90wvyd4nfl7mybdrv9dsd4caaikc6fxw801b72gqi1m9q0c0sn"))))
> + "13br735ig7lygvzyfd15fc2rdygrqm503j6xj5xkrl1r7w2wipq6"))))
> (build-system gnu-build-system)
> (arguments
> - `(#:phases
> + `(#:make-flags `("CC=gcc"
> + ,(string-append "INSTALL_PREFIX="
> + (assoc-ref %outputs "out")))
> + #:test-target "test"
> + #:phases
> (modify-phases %standard-phases
> - (delete 'configure)
> - (replace 'build
> - (lambda _
> - (zero? (system* "bash" "make_unix.sh"))))
> - (replace 'check
> - (lambda _
> - (zero? (system* "python" "scripts/test.py"))))
> - (replace 'install
> - (lambda* (#:key outputs #:allow-other-keys)
> - (let ((bin (string-append (assoc-ref outputs "out") "/bin")))
> - (mkdir-p bin)
> - (install-file "bam" bin)
> - #t))))))
> + (delete 'configure))))
> (native-inputs
> `(("python" ,python-2)))
> + (inputs
> + `(("lua" ,lua)))
> (home-page "https://matricks.github.io/bam/")
> (synopsis "Fast and flexible build system")
> (description "Bam is a fast and flexible build system. Bam uses Lua to
> --
> 2.19.1
>
> From 3aa13808d20fcf2eea585c85b96e8f6b1f5fe292 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Mon, 12 Nov 2018 02:42:25 +0800
> Subject: [PATCH 4/4] gnu: teeworlds: Update to 0.7.0 [fixes CVE-2018-18541].
>
> * gnu/packages/games.scm (teeworlds): Update to 0.7.0.
> [source]: Switch to git-fetch. Remove all bundled libraries except md5.
> [arguments]: Adjust accordingly.
> [inputs]: Use sdl2 instead of sdl and python-wrapper instead of python-2.
> Add json-parser and pnglite.
> * gnu/packages/patches/teeworlds-use-latest-wavpack.patch: Update it.
> ---
> gnu/packages/games.scm | 116 ++++++++++++------
> .../teeworlds-use-latest-wavpack.patch | 72 ++++++++---
> 2 files changed, 136 insertions(+), 52 deletions(-)
>
> diff --git a/gnu/packages/games.scm b/gnu/packages/games.scm
> index 3679aa09c..a1a571c51 100644
> --- a/gnu/packages/games.scm
> +++ b/gnu/packages/games.scm
> @@ -35,6 +35,7 @@
> ;;; Copyright © 2018 Tim Gesthuizen <tim.gesthuizen@yahoo.de>
> ;;; Copyright © 2018 Madalin Ionel-Patrascu <madalinionel.patrascu@mdc-berlin.de>
> ;;; Copyright © 2018 Benjamin Slade <slade@jnanam.net>
> +;;; Copyright © 2018 Alex Vong <alexvong1995@gmail.com>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -4139,31 +4140,54 @@ small robot living in the nano world, repair its maker.")
> (define-public teeworlds
> (package
> (name "teeworlds")
> - (version "0.6.4")
> + (version "0.7.0")
> (source (origin
> - (method url-fetch)
> - (uri (string-append "https://github.com/teeworlds/teeworlds/"
> - "archive/" version "-release.tar.gz"))
> - (file-name (string-append name "-" version ".tar.gz"))
> + ;; do not use auto-generated tarballs
> + (method git-fetch)
> + (uri (git-reference
> + (url "https://github.com/teeworlds/teeworlds.git")
> + (commit version)))
> + (file-name (git-file-name name version))
> (sha256
> (base32
> - "1mqhp6xjl75l49050cid36wxyjn1qr0vjx1c709dfg1lkvmgs6l3"))
> - (modules '((guix build utils)))
> - (snippet
> - '(begin
> - (for-each delete-file-recursively
> - '("src/engine/external/wavpack/"
> - "src/engine/external/zlib/"))
> + "0jigg2yikihbivzs7hpljr0mghx1l9v4f1cdr8fbmqv2wb51ah8q"))
> + (modules '((guix build utils)
> + (ice-9 ftw)
> + (ice-9 regex)
> + (srfi srfi-1)
> + (srfi srfi-26)))
> + (snippet ; remove bundled libraries except md5
> + '(let ((base-dir "src/engine/external/"))
> + (for-each (compose (cut delete-file-recursively <>)
> + (cut string-append base-dir <>))
> + (remove (cut string-match "(^.)|(^md5$)" <>)
> + (scandir base-dir)))
> #t))
> (patches
> (search-patches "teeworlds-use-latest-wavpack.patch"))))
> (build-system gnu-build-system)
> (arguments
> `(#:tests? #f ; no tests included
> + #:modules ((guix build gnu-build-system)
> + (guix build utils)
> + (srfi srfi-26))
> #:phases
> (modify-phases %standard-phases
> (replace 'configure
> (lambda* (#:key outputs #:allow-other-keys)
> + ;; The bundled json-parser uses an old API.
> + ;; To use the latest non-bundled version, we need to pass the
> + ;; length of the data in all 'json_parse_ex' calls.
> + (define (use-latest-json-parser file)
> + (substitute* file
> + (("engine/external/json-parser/json\\.h")
> + "json-parser/json.h")
> + (("json_parse_ex\\(&JsonSettings, pFileData, aError\\);")
> + "json_parse_ex(&JsonSettings,
> + pFileData,
> + strlen(pFileData),
> + aError);")))
> +
> ;; Embed path to assets.
> (substitute* "src/engine/shared/storage.cpp"
> (("#define DATA_DIR.*")
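Review bot: The snippet's filter `(remove (cut string-match "(^.)|(^md5$)" <>) (scandir base-dir))` uses an unescaped `.`, which matches any first character, so every directory entry is filtered out and nothing under `src/engine/external/` is deleted. The intent appears to be skipping `.`, `..` and `md5`; escaping the dot, `"(^\\.)|(^md5$)"`, does that and makes the snippet match the commit message's "Remove all bundled libraries except md5". As written, the bundled copies stay in the fetched source and only the later `bam.lua` and include-path substitutions keep them out of the build. The `configure` lambda this hunk modifies continues in the next hunk.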
> @@ -4173,50 +4197,68 @@ small robot living in the nano world, repair its maker.")
> "\"")))
>
> ;; Bam expects all files to have a recent time stamp.
> - (for-each (lambda (file)
> - (utime file 1 1))
> + (for-each (cut utime <> 1 1)
> (find-files "."))
>
> ;; Do not use bundled libraries.
> (substitute* "bam.lua"
> - (("if config.zlib.value == 1 then")
> - "if true then")
> - (("wavpack = .*")
> - "wavpack = {}
> -settings.link.libs:Add(\"wavpack\")\n"))
> + (("local json = Compile.+$")
> + "local json = nil
> +settings.link.libs:Add(\"jsonparser\")")
> + (("local png = Compile.+$")
> + "local png = nil
> +settings.link.libs:Add(\"pnglite\")")
> + (("local wavpack = Compile.+$")
> + "local wavpack = nil
> +settings.link.libs:Add(\"wavpack\")")
> + (("if config\\.zlib\\.value == 1")
> + "if config.zlib.value"))
> + (substitute* "src/engine/client/graphics_threaded.cpp"
> + (("engine/external/pnglite/pnglite\\.h")
> + "pnglite.h"))
> (substitute* "src/engine/client/sound.cpp"
> - (("#include <engine/external/wavpack/wavpack.h>")
> - "#include <wavpack/wavpack.h>"))
> + (("engine/external/wavpack/wavpack\\.h")
> + "wavpack/wavpack.h"))
> + (for-each use-latest-json-parser
> + '("src/game/client/components/countryflags.cpp"
> + "src/game/client/components/menus_settings.cpp"
> + "src/game/client/components/skins.cpp"
> + "src/game/client/localization.cpp"
> + "src/game/editor/auto_map.h"
> + "src/game/editor/editor.cpp"))
> #t))
> (replace 'build
> (lambda _
> - (zero? (system* "bam" "-a" "-v" "release"))))
> + (invoke "bam" "-a" "-v" "conf=release")))
> (replace 'install
> (lambda* (#:key outputs #:allow-other-keys)
> - (let* ((out (assoc-ref outputs "out"))
> - (bin (string-append out "/bin"))
> - (data (string-append out "/share/teeworlds/data")))
> - (mkdir-p bin)
> - (mkdir-p data)
> - (for-each (lambda (file)
> - (install-file file bin))
> - '("teeworlds" "teeworlds_srv"))
> - (copy-recursively "data" data)
> + (let* ((arch ,(system->linux-architecture
> + (or (%current-target-system)
> + (%current-system))))
> + (build (string-append "build/" arch "/release/"))
> + (data-built (string-append build "data/"))
> + (out (assoc-ref outputs "out"))
> + (bin (string-append out "/bin/"))
> + (data (string-append out "/share/teeworlds/data/")))
> + (for-each (cut install-file <> bin)
> + (map (cut string-append build <>)
> + '("teeworlds" "teeworlds_srv")))
> + (copy-recursively data-built data)
> #t))))))
> - ;; FIXME: teeworlds bundles the sources of "pnglite", a two-file PNG
> - ;; library without a build system.
> (inputs
> `(("freetype" ,freetype)
> ("glu" ,glu)
> + ("json-parser" ,json-parser)
> ("mesa" ,mesa)
> - ("sdl-union" ,(sdl-union (list sdl
> - sdl-mixer
> - sdl-image)))
> + ("pnglite" ,pnglite)
> + ("sdl2" ,sdl2)
> + ("sdl2-image" ,sdl2-image)
> + ("sdl2-mixer" ,sdl2-mixer)
> ("wavpack" ,wavpack)
> ("zlib" ,zlib)))
> (native-inputs
> `(("bam" ,bam)
> - ("python" ,python-2)
> + ("python" ,python-wrapper)
> ("pkg-config" ,pkg-config)))
> (home-page "https://www.teeworlds.com")
> (synopsis "2D retro multiplayer shooter game")
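Review bot: The `for-each use-latest-json-parser` call rewrites `json_parse_ex` in six source files to pass `strlen(pFileData)` as the length, which is only correct if every `pFileData` buffer is NUL-terminated text; the helper itself is defined earlier in the `configure` phase, outside this hunk. Nothing on the page shows how those buffers are filled, so this is worth confirming per call site: a file with an embedded NUL would be parsed short, and an unterminated buffer would be read past its end. A comment next to the helper, for example `;; strlen assumes pFileData is NUL-terminated at every call site`, would record the assumption.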
> diff --git a/gnu/packages/patches/teeworlds-us
This message was truncated. Download the full message here.
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCW/VuhAAKCRBh71Au9gJS
8i8EAQDF5p9V/DxO5YEJE5L14IEyyFNgDJGfCLPyCXeWR884YwEAlgf7NIM8OxTz
R4a3lMGFNjmkQ5ok0uE6GJHQhPvsyA8=
=qMoM
-----END PGP SIGNATURE-----

Leo Famulari wrote on 21 Nov 2018 08:14
(name . Alex Vong)(address . alexvong1995@gmail.com)
20181121161436.GA18964@jasmine.lan
On Wed, Nov 21, 2018 at 10:41:08PM +0800, Alex Vong wrote:
> I think Leo may be busy since he hasn't reply yet. Should I just push
> given the CVE fix?

Yes, please push :)
-----BEGIN PGP SIGNATURE-----
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=wQ6V
-----END PGP SIGNATURE-----


Alex Vong wrote on 21 Nov 2018 11:51
(address . 33347-done@debbugs.gnu.org)
87k1l66wg8.fsf@gmail.com
Leo Famulari <leo@famulari.name> writes:

> On Wed, Nov 21, 2018 at 10:41:08PM +0800, Alex Vong wrote:
>> I think Leo may be busy since he hasn't reply yet. Should I just push
>> given the CVE fix?
>
> Yes, please push :)

Pushed as
6e35bad0a9d00f1eb94bb427ad856c219655e95d..f9e5caf9bae93fdafbaa6732b3b4eb45f0126656
-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQQwb8uPLAHCXSnTBVZh71Au9gJS8gUCW/W3NwAKCRBh71Au9gJS
8hBuAP98sRGADgxaI2FZLgjuduGg1wzO/l/pWc3ILG8uFtgUfQD/XdrVCyQV6RSi
ks+PNjFGMlvF2XXOkAOV8YXrLzI8XQQ=
=HAma
-----END PGP SIGNATURE-----
