Merge branch 'make-authenticate' into 'master'

Add git hook for checking commit signing. See merge request nonguix/nonguix!399
nongnu: firefox: Update to 147.0 [security fixes].
2026-01-25 03:54:58 -06:00 · 2026-01-22 19:05:23 +01:00 · 2026-01-20 23:41:28 -05:00 · 2026-01-20 23:38:14 -05:00 · 2026-01-20 23:26:16 -05:00 · 2024-03-03 22:03:21 +01:00
5 changed files with 80 additions and 7 deletions
--- a/14
+++ b/14
@ -0,0 +1,14 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+# Copyright © 2022 Giacomo Leidi <goodoldpaul@autistici.org>
+# Copyright © 2024 Jonathan Brielmaier <jonathan.brielmaier@web.de>
+# Copyright © 2024 Wolf <wolf@wolfsden.cz>
+
+# nonguix channel
+channel_intro_commit = 897c1a470da759236cc11798f4e0a5f7d4d59fbc
+channel_intro_signer = 2A39 3FFF 68F4 EF7A 3D29  12AF 6F51 20A0 22FB B2D5
+
+authenticate:
+	echo "Authenticating Git checkout..." ;	\
+	guix git authenticate					\
+	    --cache-key=channels/nonguix --stats			\
+	    "$(channel_intro_commit)" "$(channel_intro_signer)"
--- a/etc/git/pre-push
+++ b/etc/git/pre-push
@ -0,0 +1,48 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-3.0-or-later
+# Copyright © 2024 Jonathan Brielmaier <jonathan.brielmaier@web.de>
+# Copyright © 2024 Wolf <wolf@wolfsden.cz>
+
+# This hook script prevents the user from pushing to GitLab if any of the new
+# commits' OpenPGP signatures cannot be verified, or if a commit is signed
+# with an unauthorized key.
+
+# Called by "git push" after it has checked the remote status, but before
+# anything has been pushed.  If this script exits with a non-zero status nothing
+# will be pushed.
+#
+# This hook is called with the following parameters:
+#
+# $1 -- Name of the remote to which the push is being done
+# $2 -- URL to which the push is being done
+#
+# If pushing without using a named remote those arguments will be equal.
+#
+# Information about the commits which are being pushed is supplied as lines to
+# the standard input in the form:
+#
+#   <local ref> <local sha1> <remote ref> <remote sha1>
+
+# This is the "empty hash" used by Git when pushing a branch deletion.
+z40=0000000000000000000000000000000000000000
+
+while read local_ref local_hash remote_ref remote_hash
+do
+  # When deleting a remote branch, no commits are pushed to the remote, and
+  # thus there are no signatures to be verified.
+  if [ "$local_hash" != $z40 ]
+  then
+    # Only use the hook when pushing to the nonguix project on GitLab.
+    case "$2" in
+      *gitlab.com[:/]nonguix/*)
+        exec make authenticate
+        exit 127
+        ;;
+      *)
+        exit 0
+        ;;
+    esac
+  fi
+done
+
+exit 0
--- a/nongnu/packages/dotnet.scm
+++ b/nongnu/packages/dotnet.scm
@ -177,7 +177,7 @@ various IDEs and plugins.")
              (files '("share/dotnet")))))
      (inputs
       `(("gcc:lib" ,gcc "lib")
-         ("icu4c" ,icu4c-71)
+         ("icu4c" ,icu4c)
         ("lttng-ust" ,lttng-ust)
         ("mit-krb5" ,mit-krb5)
         ("openssl" ,openssl)
@ -287,7 +287,7 @@ building different types of applications.")
      (inputs
       `(("gcc:lib" ,gcc "lib")
         ("glibc", glibc)
-         ("icu4c" ,icu4c-71)
+         ("icu4c" ,icu4c)
         ("lttng-ust" ,lttng-ust)
         ("mit-krb5" ,mit-krb5)
         ("openssl" ,openssl)
--- a/nongnu/packages/gradle.scm
+++ b/nongnu/packages/gradle.scm
@ -3,6 +3,7 @@
 ;;; Copyright © 2025 Maxim Cournoyer <maxim@guixotic.coop>

 (define-module (nongnu packages gradle)
+  #:use-module (gnu packages base)
  #:use-module (gnu packages compression)
  #:use-module (gnu packages java)
  #:use-module (guix build-system copy)
@ -35,9 +36,16 @@
                     `("JAVA_HOME" =
                       (,(dirname
                          (dirname
-                           (search-input-file inputs "bin/javac")))))))))))
+                           (search-input-file inputs "bin/javac")))))
+                     `("PATH" prefix
+                       (,(dirname
+                          (search-input-file inputs "bin/sed"))
+                        ,(dirname
+                          (search-input-file inputs "bin/uname"))
+                        ,(dirname
+                          (search-input-file inputs "/bin/xargs"))))))))))
    (native-inputs (list unzip))
-    (inputs (list `(,openjdk "jdk")))
+    (inputs (list coreutils findutils `(,openjdk "jdk") sed))
    (home-page "https://gradle.org/")
    (synopsis "Flexible build automation tool for JVM")
    (description "Gradle is a build tool with a focus on build automation and
--- a/nongnu/packages/mozilla.scm
+++ b/nongnu/packages/mozilla.scm
@ -529,20 +529,20 @@ Release (ESR) version.")

 ;; Update this id with every firefox update to its release date.
 ;; It's used for cache validation and therefore can lead to strange bugs.
-(define %firefox-build-id "20251217214444")
+(define %firefox-build-id "20260112140453")

 (define-public firefox
  (package
    (inherit firefox-esr)
    (name "firefox")
-    (version "146.0.1")
+    (version "147.0")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://archive.mozilla.org/pub/firefox/releases/"
                           version "/source/firefox-" version ".source.tar.xz"))
       (sha256
-        (base32 "1swih4jljq162vgdl2m2d8xn4s4hj4vjqcfww59kk4kkhh78lrz9"))
+        (base32 "1znr9wp4f79b83mv0as9kj0nh09yjxzqv4nbi4bmn7jgfmiqwb92"))
       (patches
        (map (lambda (patch)
               (search-path
@ -564,6 +564,9 @@ Release (ESR) version.")
            (replace 'set-build-id
              (lambda _
                (setenv "MOZ_BUILD_DATE" #$%firefox-build-id)))))))
+    (inputs
+     (modify-inputs (package-inputs firefox-esr)
+       (replace "icu4c" icu4c-78)))
    (native-inputs
     (modify-inputs (package-native-inputs firefox-esr)
       (replace "rust" rust-firefox)
Author	SHA1	Message	Date
Jonathan Brielmaier	5dafcf82ef	Merge branch 'make-authenticate' into 'master' Add git hook for checking commit signing. See merge request nonguix/nonguix!399	2026-01-22 19:05:23 +01:00
Tomas Volf	f5338f63fc	nongnu: firefox: Update to 147.0 [security fixes]. Fixes CVE-2026-0877, CVE-2026-0878, CVE-2026-0879, CVE-2026-0880, CVE-2026-0881, CVE-2026-0882, CVE-2026-0883, CVE-2026-0884, CVE-2026-0885, CVE-2026-0886, CVE-2026-0887, CVE-2026-0888, CVE-2026-0889, CVE-2026-0890, CVE-2026-0891, CVE-2026-0892. * nongnu/packages/mozilla.scm (firefox): Update to 147.0. [inputs]: Use icu4c-78. Signed-off-by: John Kehayias <john.kehayias@protonmail.com> Modified-by: John Kehayias <john.kehayias@protonmail.com>	2026-01-20 23:41:28 -05:00
Maxim Cournoyer	60d1e7b0f6	nongnu: gradle: Wrap PATH. * nongnu/packages/gradle.scm (gradle)[#:phases]{wrap}: Add PATH wrapping. [inputs]: Add coreutils, findutils and sed. Signed-off-by: John Kehayias <john.kehayias@protonmail.com>	2026-01-20 23:38:14 -05:00
John Kehayias	260dc0fdb7	nongnu: Remove icu4c-71 references. Fixes #434. Upstream guix removed icu4c-71 in commit <`c65c25e82b`>. While dotnet builds and at least basic running works, it may require an update (or restoring an older icu4c version). * nongnu/packages/dotnet.scm (dotnet, dotnet-core-3.1)[inputs]: Change icu4c-71 to icu4c.	2026-01-20 23:26:16 -05:00
Jonathan Brielmaier	843e2d7d8d	Add git hook for checking commit signing. This is analogue to what upstream Guix does in order to prevent invalid signed commits being pushed. * Makefile: New file. * etc/git/pre-push: New file. Co-authored-by: Wolf <wolf@wolfsden.cz>	2024-03-03 22:03:21 +01:00