authorMarius Bakke <marius@gnu.org>2022-08-30 18:58:57 +0200
committerMarius Bakke <marius@gnu.org>2022-08-30 18:58:57 +0200
commit827b4117daa7a7f5cdd84e0211c3acb778e9246b (patch)
tree6ca042081f2e98c599bb3121af025ca35bdc0431 /gnu/packages/patches
parent1cf37370937665f21b4fb01daeffbf90c671611e (diff)
parentdb2444ad824ab529fd9e850dbae42359009ac4a2 (diff)
Merge branch 'master' into staging
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/accountsservice-extensions.patch25
-rw-r--r--gnu/packages/patches/lightdm-arguments-ordering.patch54
-rw-r--r--gnu/packages/patches/lightdm-vnc-color-depth.patch81
-rw-r--r--gnu/packages/patches/lightdm-vncserver-check.patch66
-rw-r--r--gnu/packages/patches/mercurial-openssl-compat.patch89
5 files changed, 315 insertions, 0 deletions
diff --git a/gnu/packages/patches/accountsservice-extensions.patch b/gnu/packages/patches/accountsservice-extensions.patch
new file mode 100644
index 0000000000..2cfab580e3
--- /dev/null
+++ b/gnu/packages/patches/accountsservice-extensions.patch
@@ -0,0 +1,25 @@
+Patch from NixOS retrieved from
+https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/development/libraries/accountsservice/drop-prefix-check-extensions.patch.
+
+diff --git a/src/extensions.c b/src/extensions.c
+index 038dcb2..830465d 100644
+--- a/src/extensions.c
++++ b/src/extensions.c
+@@ -121,16 +121,7 @@ daemon_read_extension_directory (GHashTable *ifaces,
+ continue;
+ }
+
+- /* Ensure it looks like "../../dbus-1/interfaces/${name}" */
+- const gchar * const prefix = "../../dbus-1/interfaces/";
+- if (g_str_has_prefix (symlink, prefix) && g_str_equal (symlink + strlen (prefix), name)) {
+- daemon_read_extension_file (ifaces, filename);
+- }
+- else {
+- g_warning ("Found accounts service vendor extension symlink %s, but it must be exactly "
+- "equal to '../../dbus-1/interfaces/%s' for forwards-compatibility reasons.",
+- filename, name);
+- }
++ daemon_read_extension_file (ifaces, filename);
+ }
+
+ g_dir_close (dir);
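Review bot: The header of this new patch file records where the patch came from but not why the symlink-target check in daemon_read_extension_directory is dropped, and the removed lines were the only visible constraint on what an extension symlink may point to. After the change, `daemon_read_extension_file (ifaces, filename);` runs for every symlink that reaches this point in the loop. Presumably the fixed `../../dbus-1/interfaces/` prefix cannot match when the interface files are reached through store paths; if so, add a header sentence such as `The relative-prefix check can never match symlinks that point into the store, so it is dropped; the extension directory is expected to be writable only by the system administrator.` and confirm that expectation holds for the packaged layout. The function starts and ends outside the embedded hunk.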
diff --git a/gnu/packages/patches/lightdm-arguments-ordering.patch b/gnu/packages/patches/lightdm-arguments-ordering.patch
new file mode 100644
index 0000000000..c3b513a19a
--- /dev/null
+++ b/gnu/packages/patches/lightdm-arguments-ordering.patch
@@ -0,0 +1,54 @@
+When providing the VNCServer command as 'Xvnc -SecurityTypes None',
+the formatted command line used would look like:
+
+ Xvnc -SecurityTypes None :1 -auth /var/run/lightdm/root/:1
+
+which is invalid (the display number must appear first).
+
+Submitted upstream at: https://github.com/canonical/lightdm/pull/265
+
+ src/x-server-local.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/src/x-server-local.c b/src/x-server-local.c
+index 7c4ab870..6c540d18 100644
+--- a/src/x-server-local.c
++++ b/src/x-server-local.c
+@@ -463,14 +463,20 @@ x_server_local_start (DisplayServer *display_server)
+ l_debug (display_server, "Logging to %s", log_file);
+
+ g_autofree gchar *absolute_command = get_absolute_command (priv->command);
++ g_auto(GStrv) tokens = g_strsplit (absolute_command, " ", 2);
++ const gchar* binary = tokens[0];
++ const gchar *extra_options = tokens[1];
++
+ if (!absolute_command)
+ {
+ l_debug (display_server, "Can't launch X server %s, not found in path", priv->command);
+ stopped_cb (priv->x_server_process, X_SERVER_LOCAL (server));
+ return FALSE;
+ }
+- g_autoptr(GString) command = g_string_new (absolute_command);
++ g_autoptr(GString) command = g_string_new (binary);
+
++ /* The display argument must be given first when the X server used
++ * is Xvnc. */
+ g_string_append_printf (command, " :%d", priv->display_number);
+
+ if (priv->config_file)
+@@ -513,6 +519,12 @@ x_server_local_start (DisplayServer *display_server)
+ if (X_SERVER_LOCAL_GET_CLASS (server)->add_args)
+ X_SERVER_LOCAL_GET_CLASS (server)->add_args (server, command);
+
++ /* Any extra user options provided via the VNCServer 'command'
++ * config option are appended last, so the user can override any
++ * of the above. */
++ if (extra_options)
++ g_string_append_printf (command, " %s", extra_options);
++
+ process_set_command (priv->x_server_process, command->str);
+
+ l_debug (display_server, "Launching X Server");
+--
+2.36.1
+
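Review bot: In the first embedded hunk of x_server_local_start, `g_strsplit (absolute_command, " ", 2)` and the `tokens[0]` / `tokens[1]` reads run before the `if (!absolute_command)` check, so the command-not-found path reaches them with a NULL string. GLib's g_strsplit rejects a NULL string and returns NULL, so `tokens[0]` would then dereference a null pointer instead of reaching the `l_debug` and `return FALSE` branch. Move the three added declarations below the closing brace of the NULL check, directly before `g_autoptr(GString) command = g_string_new (binary);`. As a style point, `const gchar* binary` should be written `const gchar *binary` to match the line after it. The function body starts and ends outside the hunk.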
diff --git a/gnu/packages/patches/lightdm-vnc-color-depth.patch b/gnu/packages/patches/lightdm-vnc-color-depth.patch
new file mode 100644
index 0000000000..cd69977d6a
--- /dev/null
+++ b/gnu/packages/patches/lightdm-vnc-color-depth.patch
@@ -0,0 +1,81 @@
+There is no longer support for 8 bit color depth in TigerVNC (see:
+https://github.com/TigerVNC/tigervnc/commit/e86d8720ba1e79b486ca29a5c2b27fa25811e6a2);
+using it causes a fatal error.
+
+Submitted upstream at: https://github.com/canonical/lightdm/pull/265.
+
+diff --git a/data/lightdm.conf b/data/lightdm.conf
+index 0df38429..60e3e8b4 100644
+--- a/data/lightdm.conf
++++ b/data/lightdm.conf
+@@ -160,4 +160,4 @@
+ #listen-address=
+ #width=1024
+ #height=768
+-#depth=8
++#depth=24
+diff --git a/src/x-server-xvnc.c b/src/x-server-xvnc.c
+index 68340d53..27ca4454 100644
+--- a/src/x-server-xvnc.c
++++ b/src/x-server-xvnc.c
+@@ -127,7 +127,7 @@ x_server_xvnc_init (XServerXVNC *server)
+ XServerXVNCPrivate *priv = x_server_xvnc_get_instance_private (server);
+ priv->width = 1024;
+ priv->height = 768;
+- priv->depth = 8;
++ priv->depth = 24;
+ }
+
+ static void
+diff --git a/tests/scripts/vnc-command.conf b/tests/scripts/vnc-command.conf
+index 0f1e25fd..335956d9 100644
+--- a/tests/scripts/vnc-command.conf
++++ b/tests/scripts/vnc-command.conf
+@@ -19,7 +19,7 @@ command=Xvnc -option
+ #?VNC-CLIENT CONNECT
+
+ # Xvnc server starts
+-#?XVNC-0 START GEOMETRY=1024x768 DEPTH=8 OPTION=TRUE
++#?XVNC-0 START GEOMETRY=1024x768 DEPTH=24 OPTION=TRUE
+
+ # Daemon connects when X server is ready
+ #?*XVNC-0 INDICATE-READY
+diff --git a/tests/scripts/vnc-guest.conf b/tests/scripts/vnc-guest.conf
+index 431bb244..ce2b97db 100644
+--- a/tests/scripts/vnc-guest.conf
++++ b/tests/scripts/vnc-guest.conf
+@@ -21,7 +21,7 @@ user-session=default
+ #?VNC-CLIENT CONNECT
+
+ # Xvnc server starts
+-#?XVNC-0 START GEOMETRY=1024x768 DEPTH=8 OPTION=FALSE
++#?XVNC-0 START GEOMETRY=1024x768 DEPTH=24 OPTION=FALSE
+
+ # Daemon connects when X server is ready
+ #?*XVNC-0 INDICATE-READY
+diff --git a/tests/scripts/vnc-login.conf b/tests/scripts/vnc-login.conf
+index cdfe17b8..f0d65b7f 100644
+--- a/tests/scripts/vnc-login.conf
++++ b/tests/scripts/vnc-login.conf
+@@ -21,7 +21,7 @@ user-session=default
+ #?VNC-CLIENT CONNECT
+
+ # Xvnc server starts
+-#?XVNC-0 START GEOMETRY=1024x768 DEPTH=8 OPTION=FALSE
++#?XVNC-0 START GEOMETRY=1024x768 DEPTH=24 OPTION=FALSE
+
+ # Daemon connects when X server is ready
+ #?*XVNC-0 INDICATE-READY
+diff --git a/tests/scripts/vnc-open-file-descriptors.conf b/tests/scripts/vnc-open-file-descriptors.conf
+index 753c84dd..e5d35730 100644
+--- a/tests/scripts/vnc-open-file-descriptors.conf
++++ b/tests/scripts/vnc-open-file-descriptors.conf
+@@ -21,7 +21,7 @@ user-session=default
+ #?VNC-CLIENT CONNECT
+
+ # Xvnc server starts
+-#?XVNC-0 START GEOMETRY=1024x768 DEPTH=8 OPTION=FALSE
++#?XVNC-0 START GEOMETRY=1024x768 DEPTH=24 OPTION=FALSE
+
+ # Daemon connects when X server is ready
+ #?*XVNC-0 INDICATE-READY
diff --git a/gnu/packages/patches/lightdm-vncserver-check.patch b/gnu/packages/patches/lightdm-vncserver-check.patch
new file mode 100644
index 0000000000..0e31ff3d68
--- /dev/null
+++ b/gnu/packages/patches/lightdm-vncserver-check.patch
@@ -0,0 +1,66 @@
+Honor the Xvnc command specified in the config instead of using a hard-coded
+default.
+
+Submitted upstream at: https://github.com/canonical/lightdm/pull/265
+
+diff --git a/src/lightdm.c b/src/lightdm.c
+index 74f9ff2d..0ccfcd78 100644
+--- a/src/lightdm.c
++++ b/src/lightdm.c
+@@ -349,27 +349,42 @@ start_display_manager (void)
+ /* Start the VNC server */
+ if (config_get_boolean (config_get_instance (), "VNCServer", "enabled"))
+ {
+- g_autofree gchar *path = g_find_program_in_path ("Xvnc");
+- if (path)
++ /* Validate that a the VNC command is available. */
++ g_autofree gchar *command = config_get_string (config_get_instance (), "VNCServer", "command");
++ if (command)
+ {
+- vnc_server = vnc_server_new ();
+- if (config_has_key (config_get_instance (), "VNCServer", "port"))
++ g_auto(GStrv) tokens = g_strsplit (command, " ", 2);
++ if (!g_find_program_in_path (tokens[0]))
+ {
+- gint port = config_get_integer (config_get_instance (), "VNCServer", "port");
+- if (port > 0)
+- vnc_server_set_port (vnc_server, port);
++ g_warning ("Can't start VNC server; command '%s' not found", tokens[0]);
++ return;
+ }
+- g_autofree gchar *listen_address = config_get_string (config_get_instance (), "VNCServer", "listen-address");
+- vnc_server_set_listen_address (vnc_server, listen_address);
+- g_signal_connect (vnc_server, VNC_SERVER_SIGNAL_NEW_CONNECTION, G_CALLBACK (vnc_connection_cb), NULL);
+-
+- g_debug ("Starting VNC server on TCP/IP port %d", vnc_server_get_port (vnc_server));
+- vnc_server_start (vnc_server);
+ }
+ else
+- g_warning ("Can't start VNC server, Xvnc is not in the path");
++ {
++ /* Fallback to 'Xvnc'. */
++ if (!g_find_program_in_path ("Xvnc")) {
++ g_warning ("Can't start VNC server; 'Xvnc' command not found");
++ return;
++ }
++ }
++
++ vnc_server = vnc_server_new ();
++ if (config_has_key (config_get_instance (), "VNCServer", "port"))
++ {
++ gint port = config_get_integer (config_get_instance (), "VNCServer", "port");
++ if (port > 0)
++ vnc_server_set_port (vnc_server, port);
++ }
++ g_autofree gchar *listen_address = config_get_string (config_get_instance (), "VNCServer", "listen-address");
++ vnc_server_set_listen_address (vnc_server, listen_address);
++ g_signal_connect (vnc_server, VNC_SERVER_SIGNAL_NEW_CONNECTION, G_CALLBACK (vnc_connection_cb), NULL);
++
++ g_debug ("Starting VNC server on TCP/IP port %d", vnc_server_get_port (vnc_server));
++ vnc_server_start (vnc_server);
+ }
+ }
++
+ static void
+ service_ready_cb (DisplayManagerService *service)
+ {
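Review bot: Both `g_find_program_in_path` calls added in start_display_manager are used only as a truth test, so the newly allocated path they return on success is never freed; the removed code held it in `g_autofree gchar *path`. Keep that form at both sites, e.g. `g_autofree gchar *path = g_find_program_in_path (tokens[0]);` followed by `if (!path)`. An empty `command=` value would, as far as GLib documents g_strsplit, leave `tokens[0]` NULL before the lookup, so a `tokens[0] == NULL` guard that falls back to 'Xvnc' seems worth adding. The new comment reads "that a the VNC command"; drop the stray "a". start_display_manager begins outside the embedded hunk.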
diff --git a/gnu/packages/patches/mercurial-openssl-compat.patch b/gnu/packages/patches/mercurial-openssl-compat.patch
new file mode 100644
index 0000000000..139356f285
--- /dev/null
+++ b/gnu/packages/patches/mercurial-openssl-compat.patch
@@ -0,0 +1,89 @@
+Tweak cipher selection to make TLS < 1.2 work with OpenSSL 3.
+
+Taken from Debian:
+
+ https://salsa.debian.org/python-team/packages/mercurial/-/blob/debian/master/debian/patches/openssl_3_cipher_tlsv1.patch
+
+--- a/mercurial/sslutil.py
++++ b/mercurial/sslutil.py
+@@ -117,17 +117,17 @@ def _hostsettings(ui, hostname):
+ ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers)
+
+ # If --insecure is used, we allow the use of TLS 1.0 despite config options.
+ # We always print a "connection security to %s is disabled..." message when
+ # --insecure is used. So no need to print anything more here.
+ if ui.insecureconnections:
+ minimumprotocol = b'tls1.0'
+ if not ciphers:
+- ciphers = b'DEFAULT'
++ ciphers = b'DEFAULT:@SECLEVEL=0'
+
+ s[b'minimumprotocol'] = minimumprotocol
+ s[b'ciphers'] = ciphers
+
+ # Look for fingerprints in [hostsecurity] section. Value is a list
+ # of <alg>:<fingerprint> strings.
+ fingerprints = ui.configlist(
+ b'hostsecurity', b'%s:fingerprints' % bhostname
+@@ -621,17 +621,17 @@ def wrapserversocket(
+
+ # Improve forward secrecy.
+ sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0)
+ sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0)
+
+ # In tests, allow insecure ciphers
+ # Otherwise, use the list of more secure ciphers if found in the ssl module.
+ if exactprotocol:
+- sslcontext.set_ciphers('DEFAULT')
++ sslcontext.set_ciphers('DEFAULT:@SECLEVEL=0')
+ elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'):
+ sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0)
+ # pytype: disable=module-attr
+ sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS)
+ # pytype: enable=module-attr
+
+ if requireclientcert:
+ sslcontext.verify_mode = ssl.CERT_REQUIRED
+--- a/tests/test-https.t
++++ b/tests/test-https.t
+@@ -356,19 +356,19 @@ Start servers running supported TLS vers
+ $ cat ../hg1.pid >> $DAEMON_PIDS
+ $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \
+ > --config devel.serverexactprotocol=tls1.2
+ $ cat ../hg2.pid >> $DAEMON_PIDS
+ $ cd ..
+
+ Clients talking same TLS versions work
+
+- $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/
++ $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT/
+ 5fed3813f7f5
+- $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/
++ $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT1/
+ 5fed3813f7f5
+ $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/
+ 5fed3813f7f5
+
+ Clients requiring newer TLS version than what server supports fail
+
+ $ P="$CERTSDIR" hg id https://localhost:$HGPORT/
+ (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support)
+@@ -400,17 +400,17 @@ Clients requiring newer TLS version than
+
+ $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/
+ warning: connection security to localhost is disabled per current settings; communication is susceptible to eavesdropping and tampering
+ 5fed3813f7f5
+
+ The per-host config option overrides the default
+
+ $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
+- > --config hostsecurity.ciphers=DEFAULT \
++ > --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 \
+ > --config hostsecurity.minimumprotocol=tls1.2 \
+ > --config hostsecurity.localhost:minimumprotocol=tls1.0
+ 5fed3813f7f5
+
+ The per-host config option by itself works
+
+ $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \
+ > --config hostsecurity.localhost:minimumprotocol=tls1.2
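Review bot: The two `DEFAULT:@SECLEVEL=0` strings in mercurial/sslutil.py are not explained by the comments next to them, which still speak only of allowing TLS 1.0 and of insecure ciphers in tests. OpenSSL security level 0 does more than re-enable TLS < 1.2: it also lifts the library's minimum key-size and signature-digest checks, so the comment should say that this is accepted deliberately. In `_hostsettings` the string is set only under `ui.insecureconnections` when no ciphers are configured, and in `wrapserversocket` only under `exactprotocol`; a comment such as `# OpenSSL 3 negotiates TLS < 1.2 only at security level 0, which also disables its key-size and digest minimums; reached only with --insecure.` (and the matching one for the test-only server path) would keep a later reader from copying the string into a default code path. Both functions start and end outside the embedded hunks.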