guix: upgrade version from FTBFS + add missing CVE-2024-27297 fix via helper.

helpers/DATA/guix/cve/CVE-2024-27297_4a67c00ad02fbe7a7f5796c4c4dc2c0ad70f0472.patch

@@ -0,0 +1,378 @@
+From 4a67c00ad02fbe7a7f5796c4c4dc2c0ad70f0472 Mon Sep 17 00:00:00 2001
+From: Vagrant Cascadian <vagrant@debian.org>
+Date: Tue, 12 Mar 2024 09:18:23 -0700
+Subject: [PATCH] debian/patches: guix-daemon: Protect against file descriptor
+ escape when building fixed-output derivations (CVE-2024-27297). (Closes:
+ #1066113)
+
+---
+ ...gainst-FD-escape-when-building-fixed.patch | 232 ++++++++++++++++++
+ ...hortcoming-in-previous-security-fix-.patch | 106 ++++++++
+ debian/patches/series                         |   2 +
+ 3 files changed, 340 insertions(+)
+ create mode 100644 debian/patches/security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch
+ create mode 100644 debian/patches/security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch
+
+diff --git a/debian/patches/security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch b/debian/patches/security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch
+new file mode 100644
+index 0000000000..e6e02cf206
+--- /dev/null
++++ b/debian/patches/security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch
+@@ -0,0 +1,232 @@
++From 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
++Date: Mon, 11 Mar 2024 10:59:42 +0100
++Subject: [PATCH 01/36] daemon: Protect against FD escape when building
++ fixed-output derivations (CVE-2024-27297).
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++This fixes a security issue (CVE-2024-27297) whereby a fixed-output
++derivation build process could open a writable file descriptor to its
++output, send it to some outside process for instance over an abstract
++AF_UNIX socket, which would then allow said process to modify the file
++in the store after it has been marked as “valid”.
++
++Vulnerability discovered by puck <https://github.com/puckipedia>.
++
++Nix security advisory:
++https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
++
++Nix fix:
++https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9
++
++* nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and
++a file descriptor.  Rewrite the ‘Path’ variant accordingly.
++(copyFile, copyFileRecursively): New functions.
++* nix/libutil/util.hh (copyFileRecursively): New declaration.
++* nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
++is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.
++
++Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4
++
++Reported-by: Picnoir <picnoir@alternativebit.fr>, Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
++Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88
++---
++ nix/libstore/build.cc |  16 ++++++
++ nix/libutil/util.cc   | 112 ++++++++++++++++++++++++++++++++++++++++--
++ nix/libutil/util.hh   |   6 +++
++ 3 files changed, 129 insertions(+), 5 deletions(-)
++
++diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
++index 461fcbc584..e2adee118b 100644
++--- a/nix/libstore/build.cc
+++++ b/nix/libstore/build.cc
++@@ -1382,6 +1382,22 @@ void DerivationGoal::buildDone()
++                 % drvPath % statusToString(status));
++         }
++ 
+++	if (fixedOutput) {
+++	    /* Replace the output, if it exists, by a fresh copy of itself to
+++               make sure that there's no stale file descriptor pointing to it
+++               (CVE-2024-27297).  */
+++	    foreach (DerivationOutputs::iterator, i, drv.outputs) {
+++		if (pathExists(i->second.path)) {
+++		    Path pivot = i->second.path + ".tmp";
+++		    copyFileRecursively(i->second.path, pivot, true);
+++		    int err = rename(pivot.c_str(), i->second.path.c_str());
+++		    if (err != 0)
+++			throw SysError(format("renaming `%1%' to `%2%'")
+++				       % pivot % i->second.path);
+++		}
+++	    }
+++	}
+++
++         /* Compute the FS closure of the outputs and register them as
++            being valid. */
++         registerOutputs();
++diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc
++index 82eac72120..493f06f357 100644
++--- a/nix/libutil/util.cc
+++++ b/nix/libutil/util.cc
++@@ -215,14 +215,11 @@ bool isLink(const Path & path)
++ }
++ 
++ 
++-DirEntries readDirectory(const Path & path)
+++static DirEntries readDirectory(DIR *dir)
++ {
++     DirEntries entries;
++     entries.reserve(64);
++ 
++-    AutoCloseDir dir = opendir(path.c_str());
++-    if (!dir) throw SysError(format("opening directory `%1%'") % path);
++-
++     struct dirent * dirent;
++     while (errno = 0, dirent = readdir(dir)) { /* sic */
++         checkInterrupt();
++@@ -230,11 +227,29 @@ DirEntries readDirectory(const Path & path)
++         if (name == "." || name == "..") continue;
++         entries.emplace_back(name, dirent->d_ino, dirent->d_type);
++     }
++-    if (errno) throw SysError(format("reading directory `%1%'") % path);
+++    if (errno) throw SysError(format("reading directory"));
++ 
++     return entries;
++ }
++ 
+++DirEntries readDirectory(const Path & path)
+++{
+++    AutoCloseDir dir = opendir(path.c_str());
+++    if (!dir) throw SysError(format("opening directory `%1%'") % path);
+++    return readDirectory(dir);
+++}
+++
+++static DirEntries readDirectory(int fd)
+++{
+++    /* Since 'closedir' closes the underlying file descriptor, duplicate FD
+++       beforehand.  */
+++    int fdcopy = dup(fd);
+++    if (fdcopy < 0) throw SysError("dup");
+++
+++    AutoCloseDir dir = fdopendir(fdcopy);
+++    if (!dir) throw SysError(format("opening directory from file descriptor `%1%'") % fd);
+++    return readDirectory(dir);
+++}
++ 
++ unsigned char getFileType(const Path & path)
++ {
++@@ -364,6 +379,93 @@ void deletePath(const Path & path, unsigned long long & bytesFreed, size_t linkT
++     _deletePath(path, bytesFreed, linkThreshold);
++ }
++ 
+++static void copyFile(int sourceFd, int destinationFd)
+++{
+++    struct stat st;
+++    if (fstat(sourceFd, &st) == -1) throw SysError("statting file");
+++
+++    ssize_t result = copy_file_range(sourceFd, NULL, destinationFd, NULL, st.st_size, 0);
+++    if (result < 0 && errno == ENOSYS) {
+++	for (size_t remaining = st.st_size; remaining > 0; ) {
+++	    unsigned char buf[8192];
+++	    size_t count = std::min(remaining, sizeof buf);
+++
+++	    readFull(sourceFd, buf, count);
+++	    writeFull(destinationFd, buf, count);
+++	    remaining -= count;
+++	}
+++    } else {
+++	if (result < 0)
+++	    throw SysError(format("copy_file_range `%1%' to `%2%'") % sourceFd % destinationFd);
+++	if (result < st.st_size)
+++	    throw SysError(format("short write in copy_file_range `%1%' to `%2%'")
+++			   % sourceFd % destinationFd);
+++    }
+++}
+++
+++static void copyFileRecursively(int sourceroot, const Path &source,
+++				int destinationroot, const Path &destination,
+++				bool deleteSource)
+++{
+++    struct stat st;
+++    if (fstatat(sourceroot, source.c_str(), &st, AT_SYMLINK_NOFOLLOW) == -1)
+++	throw SysError(format("statting file `%1%'") % source);
+++
+++    if (S_ISREG(st.st_mode)) {
+++	AutoCloseFD sourceFd = openat(sourceroot, source.c_str(),
+++				      O_CLOEXEC | O_NOFOLLOW | O_RDONLY);
+++	if (sourceFd == -1) throw SysError(format("opening `%1%'") % source);
+++
+++	AutoCloseFD destinationFd = openat(destinationroot, destination.c_str(),
+++					   O_CLOEXEC | O_CREAT | O_WRONLY | O_TRUNC,
+++					   st.st_mode);
+++	if (destinationFd == -1) throw SysError(format("opening `%1%'") % source);
+++
+++	copyFile(sourceFd, destinationFd);
+++    } else if (S_ISLNK(st.st_mode)) {
+++	char target[st.st_size + 1];
+++	ssize_t result = readlinkat(sourceroot, source.c_str(), target, st.st_size);
+++	if (result != st.st_size) throw SysError("reading symlink target");
+++	target[st.st_size] = '\0';
+++	int err = symlinkat(target, destinationroot, destination.c_str());
+++	if (err != 0)
+++	    throw SysError(format("creating symlink `%1%'") % destination);
+++    } else if (S_ISDIR(st.st_mode)) {
+++	int err = mkdirat(destinationroot, destination.c_str(), 0755);
+++	if (err != 0)
+++	    throw SysError(format("creating directory `%1%'") % destination);
+++
+++	AutoCloseFD destinationFd = openat(destinationroot, destination.c_str(),
+++					   O_CLOEXEC | O_RDONLY | O_DIRECTORY);
+++	if (err != 0)
+++	    throw SysError(format("opening directory `%1%'") % destination);
+++
+++	AutoCloseFD sourceFd = openat(sourceroot, source.c_str(),
+++				      O_CLOEXEC | O_NOFOLLOW | O_RDONLY);
+++	if (sourceFd == -1)
+++	    throw SysError(format("opening `%1%'") % source);
+++
+++        if (deleteSource && !(st.st_mode & S_IWUSR)) {
+++	    /* Ensure the directory writable so files within it can be
+++	       deleted.  */
+++            if (fchmod(sourceFd, st.st_mode | S_IWUSR) == -1)
+++                throw SysError(format("making `%1%' directory writable") % source);
+++        }
+++
+++        for (auto & i : readDirectory(sourceFd))
+++	    copyFileRecursively((int)sourceFd, i.name, (int)destinationFd, i.name,
+++				deleteSource);
+++    } else throw Error(format("refusing to copy irregular file `%1%'") % source);
+++
+++    if (deleteSource)
+++	unlinkat(sourceroot, source.c_str(),
+++		 S_ISDIR(st.st_mode) ? AT_REMOVEDIR : 0);
+++}
+++
+++void copyFileRecursively(const Path &source, const Path &destination, bool deleteSource)
+++{
+++    copyFileRecursively(AT_FDCWD, source, AT_FDCWD, destination, deleteSource);
+++}
++ 
++ static Path tempName(Path tmpRoot, const Path & prefix, bool includePid,
++     int & counter)
++diff --git a/nix/libutil/util.hh b/nix/libutil/util.hh
++index 880b0e93b2..058f5f8446 100644
++--- a/nix/libutil/util.hh
+++++ b/nix/libutil/util.hh
++@@ -102,6 +102,12 @@ void deletePath(const Path & path);
++ void deletePath(const Path & path, unsigned long long & bytesFreed,
++     size_t linkThreshold = 1);
++ 
+++/* Copy SOURCE to DESTINATION, recursively.  Throw if SOURCE contains a file
+++   that is not a regular file, symlink, or directory.  When DELETESOURCE is
+++   true, delete source files once they have been copied.  */
+++void copyFileRecursively(const Path &source, const Path &destination,
+++    bool deleteSource = false);
+++
++ /* Create a temporary directory. */
++ Path createTempDir(const Path & tmpRoot = "", const Path & prefix = "nix",
++     bool includePid = true, bool useGlobalCounter = true, mode_t mode = 0755);
++-- 
++2.39.2
++
+diff --git a/debian/patches/security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch b/debian/patches/security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch
+new file mode 100644
+index 0000000000..0d0b6bd22f
+--- /dev/null
++++ b/debian/patches/security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch
+@@ -0,0 +1,106 @@
++From ff1251de0bc327ec478fc66a562430fbf35aef42 Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
++Date: Tue, 12 Mar 2024 11:53:35 +0100
++Subject: [PATCH 32/36] daemon: Address shortcoming in previous security fix
++ for CVE-2024-27297.
++MIME-Version: 1.0
++Content-Type: text/plain; charset=UTF-8
++Content-Transfer-Encoding: 8bit
++
++This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143.
++
++Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two
++ways: (1) it didn’t have any effet for fixed-output derivations
++performed in a chroot, which is the case for all of them except those
++using “builtin:download” and “builtin:git-download”, and (2) it did not
++preserve ownership when copying, leading to “suspicious ownership or
++permission […] rejecting this build output” errors.
++
++* nix/libstore/build.cc (DerivationGoal::buildDone): Account for
++‘chrootRootDir’ when copying ‘drv.outputs’.
++* nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’
++calls to preserve file ownership; this is necessary for chrooted
++fixed-output derivation builds.
++* nix/libutil/util.hh: Update comment.
++
++Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156
++---
++ nix/libstore/build.cc | 11 ++++++-----
++ nix/libutil/util.cc   |  4 ++++
++ nix/libutil/util.hh   |  7 ++++---
++ 3 files changed, 14 insertions(+), 8 deletions(-)
++
++diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
++index e2adee118b..d23c0944a4 100644
++--- a/nix/libstore/build.cc
+++++ b/nix/libstore/build.cc
++@@ -1387,13 +1387,14 @@ void DerivationGoal::buildDone()
++                make sure that there's no stale file descriptor pointing to it
++                (CVE-2024-27297).  */
++ 	    foreach (DerivationOutputs::iterator, i, drv.outputs) {
++-		if (pathExists(i->second.path)) {
++-		    Path pivot = i->second.path + ".tmp";
++-		    copyFileRecursively(i->second.path, pivot, true);
++-		    int err = rename(pivot.c_str(), i->second.path.c_str());
+++		Path output = chrootRootDir + i->second.path;
+++		if (pathExists(output)) {
+++		    Path pivot = output + ".tmp";
+++		    copyFileRecursively(output, pivot, true);
+++		    int err = rename(pivot.c_str(), output.c_str());
++ 		    if (err != 0)
++ 			throw SysError(format("renaming `%1%' to `%2%'")
++-				       % pivot % i->second.path);
+++				       % pivot % output);
++ 		}
++ 	    }
++ 	}
++diff --git a/nix/libutil/util.cc b/nix/libutil/util.cc
++index 493f06f357..578d657293 100644
++--- a/nix/libutil/util.cc
+++++ b/nix/libutil/util.cc
++@@ -422,6 +422,7 @@ static void copyFileRecursively(int sourceroot, const Path &source,
++ 	if (destinationFd == -1) throw SysError(format("opening `%1%'") % source);
++ 
++ 	copyFile(sourceFd, destinationFd);
+++	fchown(destinationFd, st.st_uid, st.st_gid);
++     } else if (S_ISLNK(st.st_mode)) {
++ 	char target[st.st_size + 1];
++ 	ssize_t result = readlinkat(sourceroot, source.c_str(), target, st.st_size);
++@@ -430,6 +431,8 @@ static void copyFileRecursively(int sourceroot, const Path &source,
++ 	int err = symlinkat(target, destinationroot, destination.c_str());
++ 	if (err != 0)
++ 	    throw SysError(format("creating symlink `%1%'") % destination);
+++	fchownat(destinationroot, destination.c_str(),
+++		 st.st_uid, st.st_gid, AT_SYMLINK_NOFOLLOW);
++     } else if (S_ISDIR(st.st_mode)) {
++ 	int err = mkdirat(destinationroot, destination.c_str(), 0755);
++ 	if (err != 0)
++@@ -455,6 +458,7 @@ static void copyFileRecursively(int sourceroot, const Path &source,
++         for (auto & i : readDirectory(sourceFd))
++ 	    copyFileRecursively((int)sourceFd, i.name, (int)destinationFd, i.name,
++ 				deleteSource);
+++	fchown(destinationFd, st.st_uid, st.st_gid);
++     } else throw Error(format("refusing to copy irregular file `%1%'") % source);
++ 
++     if (deleteSource)
++diff --git a/nix/libutil/util.hh b/nix/libutil/util.hh
++index 058f5f8446..377aac0684 100644
++--- a/nix/libutil/util.hh
+++++ b/nix/libutil/util.hh
++@@ -102,9 +102,10 @@ void deletePath(const Path & path);
++ void deletePath(const Path & path, unsigned long long & bytesFreed,
++     size_t linkThreshold = 1);
++ 
++-/* Copy SOURCE to DESTINATION, recursively.  Throw if SOURCE contains a file
++-   that is not a regular file, symlink, or directory.  When DELETESOURCE is
++-   true, delete source files once they have been copied.  */
+++/* Copy SOURCE to DESTINATION, recursively, preserving ownership.  Throw if
+++   SOURCE contains a file that is not a regular file, symlink, or directory.
+++   When DELETESOURCE is true, delete source files once they have been
+++   copied.  */
++ void copyFileRecursively(const Path &source, const Path &destination,
++     bool deleteSource = false);
++ 
++-- 
++2.39.2
++
+diff --git a/debian/patches/series b/debian/patches/series_
+index 5d506e57..0b8879d1 100644
+--- a/debian/patches/series
++++ b/debian/patches/series_
+@@ -40,3 +40,5 @@ lsb-init-functions
+ guix-daemon-openrc-fixes
+ tests-Ensure-test-OpenPGP-keys-never-expire.patch
+ use-c-utf8-locale
++security/0001-daemon-Protect-against-FD-escape-when-building-fixed.patch
++security/0032-daemon-Address-shortcoming-in-previous-security-fix-.patch
+-- 
+GitLab
+

helpers/DATA/guix/guix-1.3.0.4-to-1.3.0-5.patch

@@ -0,0 +1,157 @@
+diff --git a/debian/control b/debian/control
+index f5080c40..24f545ae 100644
+--- a/debian/control
++++ b/debian/control
+@@ -44,7 +44,9 @@ Depends: ${misc:Depends}, ${shlibs:Depends},
+  guile-sqlite3 (>= 0.1.3-2~),
+  guile-zlib (>= 0.1.0),
+  libssh-dev,
+-Recommends: nscd,
++Recommends: ca-certificates,
++ less,
++ nscd,
+  systemd,
+ Description: GNU Guix functional package manager
+  Guix is an advanced distribution of the GNU operating system
+diff --git a/debian/patches/series b/debian/patches/series
+index 2151eca4..5d506e57 100644
+--- a/debian/patches/series
++++ b/debian/patches/series
+@@ -38,3 +38,5 @@ lsb-init-functions
+ 0030-Disable-gexp-derivation-allowed-references-test-when.patch
+ 0031-Disable-substitue-deduplication-test-when-network-is.patch
+ guix-daemon-openrc-fixes
++tests-Ensure-test-OpenPGP-keys-never-expire.patch
++use-c-utf8-locale
+diff --git a/guix/debian/patches/tests-Ensure-test-OpenPGP-keys-never-expire.patch b/debian/patches/tests-Ensure-test-OpenPGP-keys-never-expire.patch
+new file mode 100644
+index 00000000..3d23bd95
+--- /dev/null
++++ b/debian/patches/tests-Ensure-test-OpenPGP-keys-never-expire.patch
+@@ -0,0 +1,62 @@
++From 3ae7632ca0a1edca9d8c3c766efb0dcc8aa5da37 Mon Sep 17 00:00:00 2001
++From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= <ludo@gnu.org>
++Date: Wed, 18 May 2022 23:20:21 +0200
++Subject: [PATCH] tests: Ensure test OpenPGP keys never expire.
++
++All these keys had expiration dates.  'tests/keys/ed25519.pub' expired
++on 2022-04-24.
++
++Fixes <https://issues.guix.gnu.org/55506>.
++
++* tests/keys/ed25519.pub, tests/keys/ed25519-2.pub,
++tests/keys/ed25519-3.pub: Remove expiration date.
++---
++ tests/keys/ed25519-2.pub | 11 +++++------
++ tests/keys/ed25519-3.pub | 10 +++++-----
++ tests/keys/ed25519.pub   | 10 +++++-----
++ 3 files changed, 15 insertions(+), 16 deletions(-)
++
++Adjusted to apply to older locations present in 1.3.0.
++
++diff --git a/tests/ed25519bis.key b/tests/ed25519bis.key
++index f5329105d5..ef050e3845 100644
++--- a/tests/ed25519bis.key
+++++ b/tests/ed25519bis.key
++@@ -1,10 +1,9 @@
++ -----BEGIN PGP PUBLIC KEY BLOCK-----
++ 
++ mDMEXtVsNhYJKwYBBAHaRw8BAQdAnLsYdh3BpeK1xDguJE80XW2/MSmqeeP6pbQw
++-8jAw0OG0IkNoYXJsaWUgR3VpeCA8Y2hhcmxpZUBleGFtcGxlLm9yZz6IlgQTFggA
++-PhYhBKBDaY1jer75FlruS4IkDtyrgNqDBQJe1Ww2AhsDBQkDwmcABQsJCAcCBhUK
++-CQgLAgQWAgMBAh4BAheAAAoJEIIkDtyrgNqDM6cA/idDdoxo9SU+witdTXt24APH
++-yRzHbX9Iyh4dZNIek9JwAP9E0BwSvDHB4LY9z4RWf2hJp3dm/yZ/jEpK+w4BGN4J
++-Ag==
++-=JIU0
+++8jAw0OG0IkNoYXJsaWUgR3VpeCA8Y2hhcmxpZUBleGFtcGxlLm9yZz6IkAQTFggA
+++OAIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBKBDaY1jer75FlruS4IkDtyr
+++gNqDBQJihWJtAAoJEIIkDtyrgNqDbs0BAPOaGSYf3pX3DReEe1zbxxVQrolX9/AZ
+++VP0AOt0TAgkzAP0Sr7G1NuCtjWWGK1WmlyTFPhOWLhNriKgZFkBZrGypAw==
+++=pdTB
++ -----END PGP PUBLIC KEY BLOCK-----
++diff --git a/tests/ed25519.key b/tests/ed25519.key
++index f6bf906783..5a2fccc9f9 100644
++--- a/tests/ed25519.key
+++++ b/tests/ed25519.key
++@@ -2,9 +2,9 @@
++ 
++ mDMEXqNaoBYJKwYBBAHaRw8BAQdArviKtelb4g0I3zx9xyDS40Oz8i1/LRXqppG6
++ b23Hdim0KEVkIFR3by1GaWZ0eSA8bHVkbyt0ZXN0LWVjY0BjaGJvdWliLm9yZz6I
++-lgQTFggAPhYhBETTHiGvcTj5tjIoCncfScv6rgctBQJeo1qgAhsDBQkDwmcABQsJ
++-CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEHcfScv6rgctq4MA/1R9G0roEwrHwmTd
++-DHxt211eLqupwXE0Z7xY2FH6DHk9AP4owEefBU7jQprSAzBS+c6gdS3SCCKKqAh6
++-ToZ4LmbKAw==
++-=FXMK
+++kAQTFggAOAIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBETTHiGvcTj5tjIo
+++CncfScv6rgctBQJihWH6AAoJEHcfScv6rgctfPMBAPv+yPmEgM+J6D1nZjXsO4zW
++++4e3y2Ez+QxgI2tn8Z2xAQDBUWyyu0X+8dguGmVlsaiQdkazaUSpexvIhh9zONYw
+++Bg==
+++=s4Vp
++ -----END PGP PUBLIC KEY BLOCK-----
++-- 
++2.30.2
++
+diff --git a/guix/debian/patches/use-c-utf8-locale b/debian/patches/use-c-utf8-locale
+new file mode 100644
+index 00000000..6f69c0fa
+--- /dev/null
++++ b/debian/patches/use-c-utf8-locale
+@@ -0,0 +1,58 @@
++Use the C.UTF-8 locale for guix-daemon and guix-publish.
++
++https://bugs.debian.org/1012536
++
++Index: guix/etc/guix-daemon.service.in
++===================================================================
++--- guix.orig/etc/guix-daemon.service.in
+++++ guix/etc/guix-daemon.service.in
++@@ -7,7 +7,7 @@ Description=Build daemon for GNU Guix
++ 
++ [Service]
++ ExecStart=/usr/bin/guix-daemon --build-users-group=_guixbuild
++-Environment='GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8
+++Environment=LC_ALL=C.UTF-8
++ RemainAfterExit=yes
++ StandardOutput=syslog
++ StandardError=syslog
++Index: guix/etc/init.d/guix-daemon.in
++===================================================================
++--- guix.orig/etc/init.d/guix-daemon.in
+++++ guix/etc/init.d/guix-daemon.in
++@@ -35,8 +35,7 @@ start)
++       -a \
++       -e "/var/log/guix-daemon-stderr.log" \
++       -o "/var/log/guix-daemon-stdout.log" \
++-      -E GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale \
++-      -E LC_ALL=en_US.utf8 \
+++      -E LC_ALL=C.UTF-8 \
++       -p "/var/run/guix-daemon.pid" \
++       /usr/bin/guix-daemon \
++       --build-users-group=_guixbuild
++Index: guix/etc/openrc/guix-daemon.in
++===================================================================
++--- guix.orig/etc/openrc/guix-daemon.in
+++++ guix/etc/openrc/guix-daemon.in
++@@ -17,8 +17,7 @@
++ # You should have received a copy of the GNU General Public License
++ # along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
++ 
++-export GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale
++-export LC_ALL=en_US.utf8
+++export LC_ALL=C.UTF-8
++ command="/usr/bin/guix-daemon"
++ command_args="--build-users-group=_guixbuild"
++ command_background="yes"
++Index: guix/etc/guix-publish.service.in
++===================================================================
++--- guix.orig/etc/guix-publish.service.in
+++++ guix/etc/guix-publish.service.in
++@@ -10,7 +10,7 @@ After=guix-daemon.service
++ 
++ [Service]
++ ExecStart=/usr/bin/guix publish --user=nobody --port=8181
++-Environment='GUIX_LOCPATH=@localstatedir@/guix/profiles/per-user/root/guix-profile/lib/locale' LC_ALL=en_US.utf8
+++Environment=LC_ALL=C.UTF-8
++ RemainAfterExit=yes
++ StandardOutput=syslog
++ StandardError=syslog

helpers/make-guix

@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+#    Copyright (C) 2024 Luis Guzmán <ark@switnet.org>
+#
+#    This program is free software; you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation; either version 2 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, write to the Free Software
+#    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
+#
+
+VERSION=0
+. ./config
+
+export FULLVERSION="$(sed 's|1.3.0-4|1.3.0-4+really1.3.0-5|' <<< $FULLVERSION)"
+
+# Upgrade 1.3.0-4 to 1.3.0-5
+patch_p1 $DATA/guix-1.3.0.4-to-1.3.0-5.patch
+
+# Apply missing CVEs upstream:
+## 1.CVE-2024-27297
+for patch in $(ls -v ${DATA}/cve/*.patch)
+do
+    patch_p1 $patch
+done
+
+# TODO: Confirm fix for nix package.
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066812
+
+changelog "Upgrade to 1.3.0-5 and apply missing CVE-2024-27297 upstream patch."
+
+package