| blob | 5752a45ae63560713b7a16b6e6e8a23e1d8c95d4 |
1 {
2 lib,
3 stdenv,
4 fetchurl,
5 fetchpatch,
6 autoreconfHook,
7 disarchive,
8 git,
9 glibcLocales,
10 guile,
11 guile-avahi,
12 guile-gcrypt,
13 guile-git,
14 guile-gnutls,
15 guile-json,
16 guile-lib,
17 guile-lzlib,
18 guile-lzma,
19 guile-semver,
20 guile-ssh,
21 guile-sqlite3,
22 guile-zlib,
23 guile-zstd,
24 help2man,
25 makeWrapper,
26 pkg-config,
27 po4a,
28 scheme-bytestructures,
29 texinfo,
30 bzip2,
31 libgcrypt,
32 sqlite,
33 nixosTests,
35 stateDir ? "/var",
36 storeDir ? "/gnu/store",
37 confDir ? "/etc",
38 }:
40 stdenv.mkDerivation rec {
41 pname = "guix";
42 version = "1.4.0";
44 src = fetchurl {
45 url = "mirror://gnu/guix/guix-${version}.tar.gz";
46 hash = "sha256-Q8dpy/Yy7wVEmsH6SMG6FSwzSUxqvH5HE3u6eyFJ+KQ=";
47 };
49 patches = [
50 (fetchpatch {
51 name = "CVE-2024-27297_1.patch";
52 url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143";
53 hash = "sha256-xKo1h2uckC2pYHt+memekagfL6dWcF8gOnTOOW/wJUU=";
54 })
55 (fetchpatch {
56 name = "CVE-2024-27297_2.patch";
57 url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=ff1251de0bc327ec478fc66a562430fbf35aef42";
58 hash = "sha256-f4KWDVrvO/oI+4SCUHU5GandkGtHrlaM1BWygM/Qlao=";
59 })
60 # manual port of build user takeover remediation commit
61 # see https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability
62 ./guix-build-user-takeover-fix.patch
63 ];
65 postPatch = ''
66 sed nix/local.mk -i -E \
67 -e "s|^sysvinitservicedir = .*$|sysvinitservicedir = $out/etc/init.d|" \
68 -e "s|^openrcservicedir = .*$|openrcservicedir = $out/etc/openrc|"
69 '';
71 strictDeps = true;
73 nativeBuildInputs = [
74 autoreconfHook
75 disarchive
76 git
77 glibcLocales
78 guile
79 guile-avahi
80 guile-gcrypt
81 guile-git
82 guile-gnutls
83 guile-json
84 guile-lib
85 guile-lzlib
86 guile-lzma
87 guile-semver
88 guile-ssh
89 guile-sqlite3
90 guile-zlib
91 guile-zstd
92 help2man
93 makeWrapper
94 pkg-config
95 po4a
96 scheme-bytestructures
97 texinfo
98 ];
100 buildInputs = [
101 bzip2
102 guile
103 libgcrypt
104 sqlite
105 ];
107 propagatedBuildInputs = [
108 disarchive
109 guile-avahi
110 guile-gcrypt
111 guile-git
112 guile-gnutls
113 guile-json
114 guile-lib
115 guile-lzlib
116 guile-lzma
117 guile-semver
118 guile-ssh
119 guile-sqlite3
120 guile-zlib
121 guile-zstd
122 scheme-bytestructures
123 ];
125 configureFlags = [
126 "--with-store-dir=${storeDir}"
127 "--localstatedir=${stateDir}"
128 "--sysconfdir=${confDir}"
129 "--with-bash-completion-dir=$(out)/etc/bash_completion.d"
130 ];
132 enableParallelBuilding = true;
134 postInstall = ''
135 for f in $out/bin/*; do
136 wrapProgram $f \
137 --prefix GUILE_LOAD_PATH : "$out/${guile.siteDir}:$GUILE_LOAD_PATH" \
138 --prefix GUILE_LOAD_COMPILED_PATH : "$out/${guile.siteCcacheDir}:$GUILE_LOAD_COMPILED_PATH"
139 done
140 '';
142 passthru.tests = {
143 inherit (nixosTests) guix;
144 };
146 meta = with lib; {
147 description = "Functional package manager with a Scheme interface";
148 longDescription = ''
149 GNU Guix is a purely functional package manager for the GNU system, and a distribution thereof.
150 In addition to standard package management features, Guix supports
151 transactional upgrades and roll-backs, unprivileged package management,
152 per-user profiles, and garbage collection.
153 It provides Guile Scheme APIs, including high-level embedded
154 domain-specific languages (EDSLs), to describe how packages are built
155 and composed.
156 A user-land free software distribution for GNU/Linux comes as part of
157 Guix.
158 Guix is based on the Nix package manager.
159 '';
160 homepage = "http://www.gnu.org/software/guix";
161 changelog = "https://git.savannah.gnu.org/cgit/guix.git/plain/NEWS?h=v${version}";
162 license = licenses.gpl3Plus;
163 mainProgram = "guix";
164 maintainers = with maintainers; [
165 cafkafk
166 foo-dogsquared
167 ];
168 platforms = platforms.linux;
169 };
170 }