
[1/2] gnu: Add perl-net-psyc.

Message ID 87shstccqg.fsf@we.make.ritual.n0.is
State New

Commit Message

ng0 Sept. 21, 2016, 6:46 p.m. UTC
Patch on top of this, containing psyclpc. The psyced package which
follows as the last one after all of this needs some minor adjustments
and then I need to write a service (and/or guile bindings. Hopefully a
service is enough.).
ng0 <ngillmann@runbox.com> writes:

> [ Unknown signature status ]
>
>> I will resend this patch with the fail-safe mirror I just added on
>> sdf.org. This is okay with the others in group and very much welcomed.
>> The shasum file is signed by my RSA OpenPGP key, which is also used by
>> some releases of Gnurl.
>
> Where the group means other developers hacking around psyced.org,
> secushare.org etc.
> I also changed my email address, which will make its way into .mailmap
> in a commit which happened in the "tinycm" patch series I am working
> on.
>
> From 33d8584709a74e20924743b2606158cacd5ed0c6 Mon Sep 17 00:00:00 2001
> From: ng0 <ng0@we.make.ritual.n0.is>
> Date: Tue, 13 Sep 2016 10:20:31 +0000
> Subject: [PATCH 1/2] gnu: Add perl-net-psyc.
>
> * gnu/packages/psyc.scm: New file.
> * gnu/local.mk (GNU_SYSTEM_MODULES): Add it.
> ---
>  gnu/local.mk          |   1 +
>  gnu/packages/psyc.scm | 111 ++++++++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 112 insertions(+)
>  create mode 100644 gnu/packages/psyc.scm
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index e2cf40d..2957e16 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -293,6 +293,7 @@ GNU_SYSTEM_MODULES =				\
>    %D%/packages/pumpio.scm			\
>    %D%/packages/pretty-print.scm			\
>    %D%/packages/protobuf.scm			\
> +  %D%/packages/psyc.scm                         \
>    %D%/packages/pv.scm				\
>    %D%/packages/python.scm			\
>    %D%/packages/qemu.scm				\
> diff --git a/gnu/packages/psyc.scm b/gnu/packages/psyc.scm
> new file mode 100644
> index 0000000..dd8a3eb
> --- /dev/null
> +++ b/gnu/packages/psyc.scm
> @@ -0,0 +1,111 @@
> +;;; GNU Guix --- Functional package management for GNU
> +;;; Copyright © 2016 ng0 <ngillmann@runbox.com>
> +;;;
> +;;; This file is part of GNU Guix.
> +;;;
> +;;; GNU Guix is free software; you can redistribute it and/or modify it
> +;;; under the terms of the GNU General Public License as published by
> +;;; the Free Software Foundation; either version 3 of the License, or (at
> +;;; your option) any later version.
> +;;;
> +;;; GNU Guix is distributed in the hope that it will be useful, but
> +;;; WITHOUT ANY WARRANTY; without even the implied warranty of
> +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +;;; GNU General Public License for more details.
> +;;;
> +;;; You should have received a copy of the GNU General Public License
> +;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
> +
> +(define-module (gnu packages psyc)
> +  #:use-module (guix download)
> +  #:use-module ((guix licenses) #:prefix license:)
> +  #:use-module (guix packages)
> +  #:use-module (guix build-system perl)
> +  #:use-module (gnu packages)
> +  #:use-module (gnu packages ncurses)
> +  #:use-module (gnu packages perl)
> +  #:use-module (gnu packages web))
> +
> +;; The URL at sdf.org is a mirror, officially known. The host www.psyced.org
> +;; is running on is sometimes (rarely) attacked and this ensure that the files
> +;; are available.
> +(define-public perl-net-psyc
> +  (package
> +    (name "perl-net-psyc")
> +    (version "1.1")
> +    (source
> +     (origin
> +       (method url-fetch)
> +       (uri (list
> +             (string-append "http://perl.psyc.eu/"
> +                            "perlpsyc-" version ".zip")
> +             (string-append "http://krosos.sdf.org/static/unix/"
> +                            "perlpsyc-" version ".zip")))
> +       (file-name (string-append name "-" version ".zip"))
> +       (sha256
> +        (base32
> +         "1lw6807qrbmvzbrjn1rna1dhir2k70xpcjvyjn45y35hav333a42"))
> +       ;; psycmp3 currently depends on MP3::List and rxaudio (shareware),
> +       ;; we can add it back when this is no longer the case.
> +       (snippet '(delete-file "contrib/psycmp3"))))
> +    (build-system perl-build-system)
> +    (inputs
> +     `(("perl-curses" ,perl-curses)
> +       ("perl-io-socket-ssl" ,perl-io-socket-ssl)))
> +    (arguments
> +     `(#:phases
> +       (modify-phases %standard-phases
> +         (delete 'configure) ; No configure script
> +         ;; There is a Makefile, but it does not install everything
> +         ;; (leaves out psycion) and says
> +         ;; "# Just to give you a rough idea". XXX: Fix it upstream.
> +         (replace 'build
> +           (lambda _
> +             (zero? (system* "make" "manuals"))))
> +         (replace 'install
> +           (lambda* (#:key outputs #:allow-other-keys)
> +             (let* ((out (assoc-ref outputs "out"))
> +                    (doc (string-append out "/share/doc/perl-net-psyc"))
> +                    (man1 (string-append out "/share/man/man1"))
> +                    (man3 (string-append out "/share/man/man3"))
> +                    (bin (string-append out "/bin"))
> +                    (libpsyc (string-append out "/lib/psyc/ion"))
> +                    (libperl (string-append out "/lib/perl5/site_perl/"
> +                                            ,(package-version perl))))
> +
> +               (copy-recursively "lib/perl5" libperl)
> +               (copy-recursively "lib/psycion" libpsyc)
> +               (copy-recursively "bin" bin)
> +               (install-file "cgi/psycpager" (string-append doc "/cgi"))
> +               (copy-recursively "contrib" (string-append doc "/contrib"))
> +               (copy-recursively "hooks" (string-append doc "/hooks"))
> +               (copy-recursively "sdj" (string-append doc "/sdj"))
> +               (install-file "README.txt" doc)
> +               (install-file "TODO.txt" doc)
> +               (copy-recursively "share/man/man1" man1)
> +               (copy-recursively "share/man/man3" man3)
> +               #t)))
> +         (add-after 'install 'wrap-programs
> +           (lambda* (#:key outputs #:allow-other-keys)
> +             ;; Make sure all executables in "bin" find the Perl modules
> +             ;; provided by this package at runtime.
> +             (let* ((out  (assoc-ref outputs "out"))
> +                    (bin  (string-append out "/bin/"))
> +                    (path (getenv "PERL5LIB")))
> +               (for-each (lambda (file)
> +                           (wrap-program file
> +                             `("PERL5LIB" ":" prefix (,path))))
> +                         (find-files bin "\\.*$"))
> +               #t))))))
> +    (description
> +     "@code{Net::PSYC} with support for TCP, UDP, Event.pm, @code{IO::Select} and
> +Gtk2 event loops.  This package includes 12 applications and additional scripts:
> +psycion (a @uref{http://about.psyc.eu,PSYC} chat client), remotor (a control console
> +for @uref{https://torproject.org,tor} router) and many more.")
> +    (synopsis "Perl implementation of PSYC protocol")
> +    (home-page "http://perlpsyc.pages.de")
> +    (license (list license:gpl2 (package-license perl)
> +                   ;; contrib/irssi-psyc.pl:
> +                   license:public-domain
> +                   ;; bin/psycplay states AGPL with no version:
> +                   license:agpl3+))))
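Review bot: The `wrap-programs` phase takes the wrapper's `PERL5LIB` only from `(getenv "PERL5LIB")`, which in the build environment presumably lists the inputs' module directories and not the `libperl` directory that the `install` phase populates under this output, so the comment "find the Perl modules provided by this package" does not match what the wrapper sets. Adding the output's own directory to the prefix would close the gap, for example `("PERL5LIB" ":" prefix (,(string-append out "/lib/perl5/site_perl") ,path))`. The pattern `"\\.*$"` passed to `find-files` matches every file name (zero or more dots before the end of the string), so a plain `(find-files bin)` would state the intent more clearly.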
> -- 
> 2.10.0
>
> From 3b20fd89b6f6e6d1fe00b89bcb1a8ec80853157e Mon Sep 17 00:00:00 2001
> From: ng0 <ng0@we.make.ritual.n0.is>
> Date: Tue, 13 Sep 2016 10:57:12 +0000
> Subject: [PATCH 2/2] gnu: Add libpsyc.
>
> * gnu/packages/psyc.scm (libpsyc): New variable.
> ---
>  gnu/packages/psyc.scm | 42 ++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 42 insertions(+)
>
> diff --git a/gnu/packages/psyc.scm b/gnu/packages/psyc.scm
> index dd8a3eb..58ce3c6 100644
> --- a/gnu/packages/psyc.scm
> +++ b/gnu/packages/psyc.scm
> @@ -20,8 +20,11 @@
>    #:use-module (guix download)
>    #:use-module ((guix licenses) #:prefix license:)
>    #:use-module (guix packages)
> +  #:use-module (guix build-system gnu)
>    #:use-module (guix build-system perl)
>    #:use-module (gnu packages)
> +  #:use-module (gnu packages admin)
> +  #:use-module (gnu packages linux)
>    #:use-module (gnu packages ncurses)
>    #:use-module (gnu packages perl)
>    #:use-module (gnu packages web))
> @@ -109,3 +112,42 @@ for @uref{https://torproject.org,tor} router) and many more.")
>                     license:public-domain
>                     ;; bin/psycplay states AGPL with no version:
>                     license:agpl3+))))
> +
> +(define-public libpsyc
> +  (package
> +    (name "libpsyc")
> +    (version "20160913")
> +    (source (origin
> +              (method url-fetch)
> +              (uri (list
> +                    (string-append "http://www.psyced.org/files/"
> +                                   name "-" version ".tar.xz")
> +                    (string-append "http://krosos.sdf.org/static/unix/"
> +                                   "perlpsyc-" version ".zip")))
> +              (sha256
> +               (base32
> +                "14q89fxap05ajkfn20rnhc6b1h4i3i2adyr7y6hs5zqwb2lcmc1p"))))
> +    (build-system gnu-build-system)
> +    (native-inputs
> +     `(("perl" ,perl)
> +       ("netcat" ,netcat)
> +       ("procps" ,procps)))
> +    (arguments
> +     `(#:make-flags
> +       (list "CC=gcc"
> +             (string-append "PREFIX=" (assoc-ref %outputs "out")))
> +       #:phases
> +       (modify-phases %standard-phases
> +         ;; The rust bindings are the only ones in use, the lpc bindings
> +         ;; are in psyclpc.  The other bindings are not used by anything,
> +         ;; the chances are high that the bindings do not even work,
> +         ;; therefore we do not include them.
> +         ;; TODO: Get a cargo build system.
> +         (delete 'configure)))) ; no configure script
> +    (home-page "http://about.psyc.eu/libpsyc")
> +    (description "libpsyc is a PSYC library in C which implements core aspects of
> +PSYC, useful for all kinds of clients and servers including psyced.")
> +    (synopsis "PSYC library in C useful for all kinds of clients and servers")
> +    (license (list license:agpl3+
> +                   ;; test/test.c is based on a public-domain test
> +                   license:public-domain))))
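Review bot: The second entry of libpsyc's `uri` list builds `perlpsyc-VERSION.zip` on the sdf.org mirror, while the first entry and the pinned `sha256` are for `libpsyc-VERSION.tar.xz`. A fallback that names a different artifact cannot pass the hash check, so it gives no availability when www.psyced.org is unreachable; the fetch just fails on the mirror instead. If the mirror carries the libpsyc tarball, the entry should read `(string-append "http://krosos.sdf.org/static/unix/" name "-" version ".tar.xz")`; otherwise it should be dropped until it does.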
> -- 
> 2.10.0
>
>
> -- 
>               ng0

Comments

Leo Famulari Sept. 27, 2016, 4:56 p.m. UTC | #1
On Wed, Sep 21, 2016 at 06:46:31PM +0000, ng0 wrote:
> From 74a6c1e552a6ae8f438e91cbe318882401b440f8 Mon Sep 17 00:00:00 2001
> From: ng0 <ngillmann@runbox.com>
> Date: Wed, 21 Sep 2016 18:08:42 +0000
> Subject: [PATCH 1/2] gnu: Add psyclpc.
> 
> * gnu/packages/psyc.scm (psyclpc): New variable.

> +    (source (origin
> +              (method url-fetch)
> +              (uri (list (string-append "http://www.psyced.org/files/"
> +                                        name "-" version ".tar.xz")
> +                         (string-append "http://krosos.sdf.org/static/unix/"
> +                                        "perlpsyc-" version ".zip")))
> +              (sha256
> +               (base32
> +                "0c2afcj8b2yr2vmy9sy0528iqs9sw01j6q35lvxicm42gs7vnik2"))))

Do both of those URLs provide a file with the same hash?

> +    (arguments
> +     `(#:tests? #f ; There are no tests/checks.
> +       #:configure-flags (list
> +                          "--enable-use-tls=yes"
> +                          "--enable-use-mccp"

The "Mud Client Compression Protocol"?

> +                          (string-append "--with-openssl="
> +                                         (assoc-ref %build-inputs "openssl"))
> +                          (string-append "--prefix="
> +                                         (assoc-ref %outputs "out"))
> +                          (string-append "--libdir=" ; "-DMUD_LIB="

What does this commented text mean?

> +                                         (assoc-ref %outputs "out")
> +                                         "/opt/psyced/world")
> +                          (string-append "--bindir="
> +                                         (assoc-ref %outputs "out")
> +                                         "/opt/psyced/bin")
> +                          (string-append "--libexecdir=" ; "-DERQ_DIR="

Same question here.

> +    (inputs
> +     `(("zlib" ,zlib)
> +       ("openssl" ,openssl)))
> +    ;; pcre is bundled to ensure the version is compatible. XXX: look into
> +    ;; unbundling it. Upstream should update from pcre 4.5 to 8.38. For
> +    ;; functionality reasons we can not unbundle it now.
> +    ;; ("pcre" ,pcre)))

That version of PCRE was released in 2003. We might want to add a
warning to the package description...

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pcre
ng0 Sept. 27, 2016, 9:41 p.m. UTC | #2
Thanks for reviewing,

Leo Famulari <leo@famulari.name> writes:

> [ Unknown signature status ]
> On Wed, Sep 21, 2016 at 06:46:31PM +0000, ng0 wrote:
>> From 74a6c1e552a6ae8f438e91cbe318882401b440f8 Mon Sep 17 00:00:00 2001
>> From: ng0 <ngillmann@runbox.com>
>> Date: Wed, 21 Sep 2016 18:08:42 +0000
>> Subject: [PATCH 1/2] gnu: Add psyclpc.
>> 
>> * gnu/packages/psyc.scm (psyclpc): New variable.
>
>> +    (source (origin
>> +              (method url-fetch)
>> +              (uri (list (string-append "http://www.psyced.org/files/"
>> +                                        name "-" version ".tar.xz")
>> +                         (string-append "http://krosos.sdf.org/static/unix/"
>> +                                        "perlpsyc-" version ".zip")))
>> +              (sha256
>> +               (base32
>> +                "0c2afcj8b2yr2vmy9sy0528iqs9sw01j6q35lvxicm42gs7vnik2"))))
>
> Do both of those URLs provide a file with the same hash?

They should. But the server of psyced.org recently had to move, like you
already noticed there's a mismatch now everywhere. I'll adjust again,
try tomorrow around 11:59 AM UTC if I don't run into a problem I can't
control. Updated patches will follow before this.

>> +    (arguments
>> +     `(#:tests? #f ; There are no tests/checks.
>> +       #:configure-flags (list
>> +                          "--enable-use-tls=yes"
>> +                          "--enable-use-mccp"
>
> The "Mud Client Compression Protocol"?

Probably. For the why/how/what refer to the source and the Gentoo
ebuild. I just do the integration/packaging.

>> +                          (string-append "--with-openssl="
>> +                                         (assoc-ref %build-inputs "openssl"))
>> +                          (string-append "--prefix="
>> +                                         (assoc-ref %outputs "out"))
>> +                          (string-append "--libdir=" ; "-DMUD_LIB="
>
> What does this commented text mean?

References taken how I translated the buildsystem.

>> +                                         (assoc-ref %outputs "out")
>> +                                         "/opt/psyced/world")
>> +                          (string-append "--bindir="
>> +                                         (assoc-ref %outputs "out")
>> +                                         "/opt/psyced/bin")
>> +                          (string-append "--libexecdir=" ; "-DERQ_DIR="
>
> Same question here.
>
>> +    (inputs
>> +     `(("zlib" ,zlib)
>> +       ("openssl" ,openssl)))
>> +    ;; pcre is bundled to ensure the version is compatible. XXX: look into
>> +    ;; unbundling it. Upstream should update from pcre 4.5 to 8.38. For
>> +    ;; functionality reasons we can not unbundle it now.
>> +    ;; ("pcre" ,pcre)))
>
> That version of PCRE was released in 2003. We might want to add a
> warning to the package description...
>
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pcre

Let's wait with the commit then. I've asked the people on our side who
are working on the code for a statement, as I don't have a full
understanding of psyclpc. I had also pointed out (before you sent this)
that we (psyc/secushare) are advised to update pcre to fix CVEs.

I have to send a new patchseries anyway, so I can adjust this. If
we'll add a comment, it's useful to point out that this is being fixed.
psyclpc in the wild is not used by anything other than psyced these
days, so I don't know if what's being used by psyclpc is worth to point
out.
ng0 Sept. 28, 2016, 2:03 p.m. UTC | #3
Leo Famulari <leo@famulari.name> writes:

> [ Unknown signature status ]
> On Wed, Sep 21, 2016 at 06:46:31PM +0000, ng0 wrote:
>> From 74a6c1e552a6ae8f438e91cbe318882401b440f8 Mon Sep 17 00:00:00 2001
>> From: ng0 <ngillmann@runbox.com>
>> Date: Wed, 21 Sep 2016 18:08:42 +0000
>> Subject: [PATCH 1/2] gnu: Add psyclpc.
>> 
>> * gnu/packages/psyc.scm (psyclpc): New variable.
                              ^--------------------------------------------------|
>> +    (source (origin                                                          |
>> +              (method url-fetch)                                             |
>> +              (uri (list (string-append "http://www.psyced.org/files/"       |
>> +                                        name "-" version ".tar.xz")          |
>> +                         (string-append "http://krosos.sdf.org/static/unix/" |
>> +                                        "perlpsyc-" version ".zip")))        |
>> +              (sha256                       ^--------------------------------
>> +               (base32
>> +                "0c2afcj8b2yr2vmy9sy0528iqs9sw01j6q35lvxicm42gs7vnik2"))))
>
> Do both of those URLs provide a file with the same hash?

So this was a classic copy-and-paste, commit-too-early mistake. Sorry
for the mix-up. The mirror will be added back if we still haven't solved
the attacks. It looks very stable now. I'm preparing new patches.

>> +    (arguments
>> +     `(#:tests? #f ; There are no tests/checks.
>> +       #:configure-flags (list
>> +                          "--enable-use-tls=yes"
>> +                          "--enable-use-mccp"
>
> The "Mud Client Compression Protocol"?
>
>> +                          (string-append "--with-openssl="
>> +                                         (assoc-ref %build-inputs "openssl"))
>> +                          (string-append "--prefix="
>> +                                         (assoc-ref %outputs "out"))
>> +                          (string-append "--libdir=" ; "-DMUD_LIB="
>
> What does this commented text mean?
>
>> +                                         (assoc-ref %outputs "out")
>> +                                         "/opt/psyced/world")
>> +                          (string-append "--bindir="
>> +                                         (assoc-ref %outputs "out")
>> +                                         "/opt/psyced/bin")
>> +                          (string-append "--libexecdir=" ; "-DERQ_DIR="
>
> Same question here.
>
>> +    (inputs
>> +     `(("zlib" ,zlib)
>> +       ("openssl" ,openssl)))
>> +    ;; pcre is bundled to ensure the version is compatible. XXX: look into
>> +    ;; unbundling it. Upstream should update from pcre 4.5 to 8.38. For
>> +    ;; functionality reasons we can not unbundle it now.
>> +    ;; ("pcre" ,pcre)))
>
> That version of PCRE was released in 2003. We might want to add a
> warning to the package description...
>
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pcre
ng0 Sept. 29, 2016, 8:58 a.m. UTC | #4
Leo Famulari <leo@famulari.name> writes:

> [ Unknown signature status ]
> On Wed, Sep 21, 2016 at 06:46:31PM +0000, ng0 wrote:
>> From 74a6c1e552a6ae8f438e91cbe318882401b440f8 Mon Sep 17 00:00:00 2001
>> From: ng0 <ngillmann@runbox.com>
>> Date: Wed, 21 Sep 2016 18:08:42 +0000
>> Subject: [PATCH 1/2] gnu: Add psyclpc.
>> 
>> * gnu/packages/psyc.scm (psyclpc): New variable.
>
>> +    (source (origin
>> +              (method url-fetch)
>> +              (uri (list (string-append "http://www.psyced.org/files/"
>> +                                        name "-" version ".tar.xz")
>> +                         (string-append "http://krosos.sdf.org/static/unix/"
>> +                                        "perlpsyc-" version ".zip")))
>> +              (sha256
>> +               (base32
>> +                "0c2afcj8b2yr2vmy9sy0528iqs9sw01j6q35lvxicm42gs7vnik2"))))
>
> Do both of those URLs provide a file with the same hash?
>
>> +    (arguments
>> +     `(#:tests? #f ; There are no tests/checks.
>> +       #:configure-flags (list
>> +                          "--enable-use-tls=yes"
>> +                          "--enable-use-mccp"
>
> The "Mud Client Compression Protocol"?
>
>> +                          (string-append "--with-openssl="
>> +                                         (assoc-ref %build-inputs "openssl"))
>> +                          (string-append "--prefix="
>> +                                         (assoc-ref %outputs "out"))
>> +                          (string-append "--libdir=" ; "-DMUD_LIB="
>
> What does this commented text mean?
>
>> +                                         (assoc-ref %outputs "out")
>> +                                         "/opt/psyced/world")
>> +                          (string-append "--bindir="
>> +                                         (assoc-ref %outputs "out")
>> +                                         "/opt/psyced/bin")
>> +                          (string-append "--libexecdir=" ; "-DERQ_DIR="
>
> Same question here.
>
>> +    (inputs
>> +     `(("zlib" ,zlib)
>> +       ("openssl" ,openssl)))
>> +    ;; pcre is bundled to ensure the version is compatible. XXX: look into
>> +    ;; unbundling it. Upstream should update from pcre 4.5 to 8.38. For
>> +    ;; functionality reasons we can not unbundle it now.
>> +    ;; ("pcre" ,pcre)))
>
> That version of PCRE was released in 2003. We might want to add a
> warning to the package description...
>
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pcre

Update on this: the pcre bundling was inherited from ldmud, current
ldmud has unbundled pcre, so we will be able to unbundle pcre.

I'd still like to have the patches in their current form and update
psyclpc when the next version without pcre is out.
Leo Famulari Oct. 2, 2016, 1:50 a.m. UTC | #5
On Thu, Sep 29, 2016 at 08:58:29AM +0000, ng0 wrote:
> Leo Famulari <leo@famulari.name> writes:
> > On Wed, Sep 21, 2016 at 06:46:31PM +0000, ng0 wrote:
> >> Subject: [PATCH 1/2] gnu: Add psyclpc.
> >> 
> >> * gnu/packages/psyc.scm (psyclpc): New variable.

> >> +    (inputs
> >> +     `(("zlib" ,zlib)
> >> +       ("openssl" ,openssl)))
> >> +    ;; pcre is bundled to ensure the version is compatible. XXX: look into
> >> +    ;; unbundling it. Upstream should update from pcre 4.5 to 8.38. For
> >> +    ;; functionality reasons we can not unbundle it now.
> >> +    ;; ("pcre" ,pcre)))
> >
> > That version of PCRE was released in 2003. We might want to add a
> > warning to the package description...
> >
> > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pcre
> 
> Update on this: the pcre bundling was inherited from ldmud, current
> ldmud has unbundled pcre, so we will be able to unbundle pcre.
> 
> I'd still like to have the patches in their current form and update
> psyclpc when the next version without pcre is out.

I'd like some more opinions on this. Should we add this package even
though we know it contains some security bugs (linked above)?
ng0 Oct. 2, 2016, 10:30 a.m. UTC | #6
Leo Famulari <leo@famulari.name> writes:

> On Thu, Sep 29, 2016 at 08:58:29AM +0000, ng0 wrote:
>> Leo Famulari <leo@famulari.name> writes:
>> > On Wed, Sep 21, 2016 at 06:46:31PM +0000, ng0 wrote:
>> >> Subject: [PATCH 1/2] gnu: Add psyclpc.
>> >> 
>> >> * gnu/packages/psyc.scm (psyclpc): New variable.
>
>> >> +    (inputs
>> >> +     `(("zlib" ,zlib)
>> >> +       ("openssl" ,openssl)))
>> >> +    ;; pcre is bundled to ensure the version is compatible. XXX: look into
>> >> +    ;; unbundling it. Upstream should update from pcre 4.5 to 8.38. For
>> >> +    ;; functionality reasons we can not unbundle it now.
>> >> +    ;; ("pcre" ,pcre)))
>> >
>> > That version of PCRE was released in 2003. We might want to add a
>> > warning to the package description...
>> >
>> > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pcre
>> 
>> Update on this: the pcre bundling was inherited from ldmud, current
>> ldmud has unbundled pcre, so we will be able to unbundle pcre.
>> 
>> I'd still like to have the patches in their current form and update
>> psyclpc when the next version without pcre is out.

Where do you take this information from? You must have picked the wrong
thread. We updated psyclpc and I added a version which uses a git commit.

> I'd like some more opinions on this. Should we add this package even
> though we know it contains some security bugs (linked above)?
>

--
ng0 Oct. 2, 2016, 10:40 a.m. UTC | #7
ng0 <ngillmann@runbox.com> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> On Thu, Sep 29, 2016 at 08:58:29AM +0000, ng0 wrote:
>>> Leo Famulari <leo@famulari.name> writes:
>>> > On Wed, Sep 21, 2016 at 06:46:31PM +0000, ng0 wrote:
>>> >> Subject: [PATCH 1/2] gnu: Add psyclpc.
>>> >> 
>>> >> * gnu/packages/psyc.scm (psyclpc): New variable.
>>
>>> >> +    (inputs
>>> >> +     `(("zlib" ,zlib)
>>> >> +       ("openssl" ,openssl)))
>>> >> +    ;; pcre is bundled to ensure the version is compatible. XXX: look into
>>> >> +    ;; unbundling it. Upstream should update from pcre 4.5 to 8.38. For
>>> >> +    ;; functionality reasons we can not unbundle it now.
>>> >> +    ;; ("pcre" ,pcre)))
>>> >
>>> > That version of PCRE was released in 2003. We might want to add a
>>> > warning to the package description...
>>> >
>>> > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pcre
>>> 
>>> Update on this: the pcre bundling was inherited from ldmud, current
>>> ldmud has unbundled pcre, so we will be able to unbundle pcre.
>>> 
>>> I'd still like to have the patches in their current form and update
>>> psyclpc when the next version without pcre is out.
>
> Where do you take this information from? You must have picked the wrong
> thread. We updated psyclpc and I added a version which uses a git commit.

Just to be clear on this, this is the current patch version:
https://lists.gnu.org/archive/html/guix-devel/2016-09/msg02219.html
everything else is outdated.

>> I'd like some more opinions on this. Should we add this package even
>> though we know it contains some security bugs (linked above)?
>>
>
> -- 
>
>

--
Ludovic Courtès Oct. 3, 2016, 3:44 p.m. UTC | #8
Leo Famulari <leo@famulari.name> skribis:

> On Thu, Sep 29, 2016 at 08:58:29AM +0000, ng0 wrote:
>> Leo Famulari <leo@famulari.name> writes:
>> > On Wed, Sep 21, 2016 at 06:46:31PM +0000, ng0 wrote:
>> >> Subject: [PATCH 1/2] gnu: Add psyclpc.
>> >> 
>> >> * gnu/packages/psyc.scm (psyclpc): New variable.
>
>> >> +    (inputs
>> >> +     `(("zlib" ,zlib)
>> >> +       ("openssl" ,openssl)))
>> >> +    ;; pcre is bundled to ensure the version is compatible. XXX: look into
>> >> +    ;; unbundling it. Upstream should update from pcre 4.5 to 8.38. For
>> >> +    ;; functionality reasons we can not unbundle it now.
>> >> +    ;; ("pcre" ,pcre)))
>> >
>> > That version of PCRE was released in 2003. We might want to add a
>> > warning to the package description...
>> >
>> > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pcre
>> 
>> Update on this: the pcre bundling was inherited from ldmud, current
>> ldmud has unbundled pcre, so we will be able to unbundle pcre.
>> 
>> I'd still like to have the patches in their current form and update
>> psyclpc when the next version without pcre is out.
>
> I'd like some more opinions on this. Should we add this package even
> though we know it contains some security bugs (linked above)?

I don’t think so.

From the comment above, it seems difficult to have this package use a
current version of PCRE, right?  Then I would suggest discussing it with
upstream.  After all, they’re developing network-facing software, so
they’re probably interested in avoiding security issues.

ng0, could you take it with them?

TIA,
Ludo’.
ng0 Oct. 3, 2016, 9:06 p.m. UTC | #9
Ludovic Courtès <ludo@gnu.org> writes:

> Leo Famulari <leo@famulari.name> skribis:
>
>> On Thu, Sep 29, 2016 at 08:58:29AM +0000, ng0 wrote:
>>> Leo Famulari <leo@famulari.name> writes:
>>> > On Wed, Sep 21, 2016 at 06:46:31PM +0000, ng0 wrote:
>>> >> Subject: [PATCH 1/2] gnu: Add psyclpc.
>>> >> 
>>> >> * gnu/packages/psyc.scm (psyclpc): New variable.
>>
>>> >> +    (inputs
>>> >> +     `(("zlib" ,zlib)
>>> >> +       ("openssl" ,openssl)))
>>> >> +    ;; pcre is bundled to ensure the version is compatible. XXX: look into
>>> >> +    ;; unbundling it. Upstream should update from pcre 4.5 to 8.38. For
>>> >> +    ;; functionality reasons we can not unbundle it now.
>>> >> +    ;; ("pcre" ,pcre)))
>>> >
>>> > That version of PCRE was released in 2003. We might want to add a
>>> > warning to the package description...
>>> >
>>> > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pcre
>>> 
>>> Update on this: the pcre bundling was inherited from ldmud, current
>>> ldmud has unbundled pcre, so we will be able to unbundle pcre.
>>> 
>>> I'd still like to have the patches in their current form and update
>>> psyclpc when the next version without pcre is out.
>>
>> I'd like some more opinions on this. Should we add this package even
>> though we know it contains some security bugs (linked above)?
>
> I don’t think so.
>
> From the comment above, it seems difficult to have this package use a
> current version of PCRE, right?  Then I would suggest discussing it with
> upstream.  After all, they’re developing network-facing software, so
> they’re probably interested in avoiding security issues.
>
> ng0, could you take it with them?
>
> TIA,
> Ludo’.
>

Leo, Ludovic: I really appreciate the review, but please use the more
current thread. I commented that this is the wrong thread and that we
already fixed the pcre, last week. No need to discuss about pcre
anymore.

Thanks
--

Patch

From 74a6c1e552a6ae8f438e91cbe318882401b440f8 Mon Sep 17 00:00:00 2001
From: ng0 <ngillmann@runbox.com>
Date: Wed, 21 Sep 2016 18:08:42 +0000
Subject: [PATCH 1/2] gnu: Add psyclpc.

* gnu/packages/psyc.scm (psyclpc): New variable.
---
 gnu/packages/psyc.scm | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)

diff --git a/gnu/packages/psyc.scm b/gnu/packages/psyc.scm
index 58ce3c6..5a6f1db 100644
--- a/gnu/packages/psyc.scm
+++ b/gnu/packages/psyc.scm
@@ -24,9 +24,16 @@ 
   #:use-module (guix build-system perl)
   #:use-module (gnu packages)
   #:use-module (gnu packages admin)
+  #:use-module (gnu packages autotools)
+  #:use-module (gnu packages bison)
+  #:use-module (gnu packages compression)
+  #:use-module (gnu packages gettext)
   #:use-module (gnu packages linux)
+  #:use-module (gnu packages man)
   #:use-module (gnu packages ncurses)
   #:use-module (gnu packages perl)
+  #:use-module (gnu packages pkg-config)
+  #:use-module (gnu packages tls)
   #:use-module (gnu packages web))
 
 ;; The URL at sdf.org is a mirror, officially known. The host www.psyced.org
@@ -151,3 +158,68 @@  PSYC, useful for all kinds of clients and servers including psyced.")
     (license (list license:agpl3+
                    ;; test/test.c is based on a public-domain test
                    license:public-domain))))
+
+(define-public psyclpc
+  (package
+    (name "psyclpc")
+    (version "20160821")
+    (source (origin
+              (method url-fetch)
+              (uri (list (string-append "http://www.psyced.org/files/"
+                                        name "-" version ".tar.xz")
+                         (string-append "http://krosos.sdf.org/static/unix/"
+                                        "perlpsyc-" version ".zip")))
+              (sha256
+               (base32
+                "0c2afcj8b2yr2vmy9sy0528iqs9sw01j6q35lvxicm42gs7vnik2"))))
+    (build-system gnu-build-system)
+    (arguments
+     `(#:tests? #f ; There are no tests/checks.
+       #:configure-flags (list
+                          "--enable-use-tls=yes"
+                          "--enable-use-mccp"
+                          (string-append "--with-openssl="
+                                         (assoc-ref %build-inputs "openssl"))
+                          (string-append "--prefix="
+                                         (assoc-ref %outputs "out"))
+                          (string-append "--libdir=" ; "-DMUD_LIB="
+                                         (assoc-ref %outputs "out")
+                                         "/opt/psyced/world")
+                          (string-append "--bindir="
+                                         (assoc-ref %outputs "out")
+                                         "/opt/psyced/bin")
+                          (string-append "--libexecdir=" ; "-DERQ_DIR="
+                                         (assoc-ref %outputs "out")
+                                         "/opt/psyced/run"))
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'configure 'chdir-to-src
+           (lambda _
+             (chdir "src")
+             (setenv "CONFIG_SHELL" (which "sh"))
+             (setenv "SHELL" (which "sh"))))
+         (replace 'install
+           (lambda _
+             (zero? (system* "make" "install-all")))))))
+    (inputs
+     `(("zlib" ,zlib)
+       ("openssl" ,openssl)))
+    ;; pcre is bundled to ensure the version is compatible. XXX: look into
+    ;; unbundling it. Upstream should update from pcre 4.5 to 8.38. For
+    ;; functionality reasons we can not unbundle it now.
+    ;; ("pcre" ,pcre)))
+    (native-inputs
+     `(("pkg-config" ,pkg-config)
+       ("bison" ,bison)
+       ("gnu-gettext" ,gnu-gettext)
+       ("help2man" ,help2man)
+       ("autoconf" ,autoconf)
+       ("automake" ,automake)))
+    (home-page "http://lpc.psyc.eu/")
+    (synopsis "psycLPC is a multi-user network server programming language")
+    (description
+     "LPC is a bytecode language, invented to specifically implement
+multi user virtual environments on the internet.  This technology is used for
+MUDs and also the psyced implementation of the Protocol for SYnchronous Conferencing (PSYC).  psycLPC is a fork of LDMud with some new features and
+many bug fixes.")
+    (license license:gpl2)))
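Review bot: The `chdir-to-src` phase ends on `(setenv "SHELL" (which "sh"))`, so its result is whatever `setenv` returns rather than an explicit success value, whereas the `install` phase right below it returns the `zero?` of the `make` status. Ending the lambda with `#t` makes the phase result explicit and independent of `setenv`. The phase also sets `CONFIG_SHELL` and `SHELL`, which its name does not suggest. A one-line comment stating why the configure script needs them, or a separate phase named for it, would help the next reader. The `(which "sh")` calls are unchecked as well, so if `sh` is not on the build `PATH` the phase would presumably pass `#f` to `setenv`.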
-- 
2.10.0