Guix channel for packages that can't be included upstream. Please do NOT promote or refer to this repository on any official Guix communication channels.
Find a file
Tomas Volf 9fe6f0751b
nongnu: firefox: Update to 128.0 [security fixes].
Fixes CVE-2024-6600, CVE-2024-6601, CVE-2024-6602, CVE-2024-6603,
CVE-2024-6604, CVE-2024-6605, CVE-2024-6606, CVE-2024-6607,
CVE-2024-6608, CVE-2024-6609, CVE-2024-6610, CVE-2024-6611,
CVE-2024-6612, CVE-2024-6613, CVE-2024-6614, CVE-2024-6615.

* nongnu/packages/mozilla.scm (firefox): Update to 128.0.

Signed-off-by: Jonathan Brielmaier <jonathan.brielmaier@web.de>
2024-07-10 09:21:38 +02:00
nongnu nongnu: firefox: Update to 128.0 [security fixes]. 2024-07-10 09:21:38 +02:00
nonguix build-system/chromium-binary: Remove references to source. 2024-06-21 16:05:24 +02:00
.dir-locals.el .dir-locals.el: Add geiser-insert-actual-lambda. 2024-01-17 22:19:48 +01:00
.gitignore Add .gitignore 2019-05-27 18:48:39 -05:00
.guix-authorizations .*: Use SPDX license identifiers for hidden files. 2022-12-19 17:39:39 +01:00
.guix-channel .*: Use SPDX license identifiers for hidden files. 2022-12-19 17:39:39 +01:00
COPYING Initial commit with non-free Linux kernel. 2019-05-11 11:36:21 -05:00
NEWS NEWS: Add entry for chromium-binary-build-system. 2023-07-12 23:35:11 +02:00
news.txt news: Add entry for update/changes to nvidia driver. 2024-04-24 23:51:02 -04:00
README.org README.org: Document setup for NVIDIA graphics card. 2024-04-24 20:06:58 -04:00

Nonguix

Nonguix is a software repository for the GNU Guix package manager, which packages some software which cannot be included in the official distribution for ethical or policy-related reasons.

Please do NOT promote this repository on any official Guix communication channels, such as their mailing lists or IRC channel, even in response to support requests! This is to show respect for the Guix project's strict policy against recommending nonfree software, and to avoid any unnecessary hostility.

Before using this channel, you should understand the implications of using nonfree software. Read What is free software? for more information.

(Check out the Guix Gaming Channels if you're interested in nonfree games too!)

Warning

This channel does not endorse any non-free application. We believe it is non-ethical, harmful to software development and restricts the users freedom. See the GNU philosophy for a more thorough discussion.

Those packages are provided as a last resort, should none of the official Guix packages work for you.

You should understand the implication of using non-free software. Some of those implications include:

  • Endorsement of non-free products and the perpetration of a culture of restriction on liberties.
  • Non-free software cannot (or hardly) be audited: it can potentially spy on you, destroy or steal your data.

As a minimal security measure, it's heavily recommended to run any non-free software inside a container.

Installation

Nonguix can be installed as a Guix channel. To do so, add it to ~/.config/guix/channels.scm:

  (cons* (channel
          (name 'nonguix)
          (url "https://gitlab.com/nonguix/nonguix")
          ;; Enable signature verification:
          (introduction
           (make-channel-introduction
            "897c1a470da759236cc11798f4e0a5f7d4d59fbc"
            (openpgp-fingerprint
             "2A39 3FFF 68F4 EF7A 3D29  12AF 6F51 20A0 22FB B2D5"))))
         %default-channels)

Then run guix pull.

Using Nonfree Firmware and Drivers

To use Guix System with the standard Linux kernel and nonfree firmware, edit the kernel and firmware fields of the operating-system definition in config.scm:

  ;; Import nonfree linux module.
  (use-modules (nongnu packages linux)
               (nongnu system linux-initrd))

  (operating-system
    (kernel linux)
    (initrd microcode-initrd)
    (firmware (list linux-firmware))
    ...
    )

If you only need firmware for a specific piece of hardware, you may be able to save disk space by using a smaller firmware package instead:

  (firmware (cons* iwlwifi-firmware
                   %base-firmware))

Then of course, run sudo guix system reconfigure /etc/config.scm to apply your configuration.

Installation image

For some hardware the official Guix installation image won't do (e.g. unsupported wifi). You can find a pre-generated installation image (time and version in line with upstream Guix), running the nonfree Linux kernel and nonfree firmware, on the Releases page. Or, you can generate an installation image from a local checkout of this repository, at a more recent commit, with the following command:

guix system image --image-type=iso9660 /path/to/this/channel/nongnu/system/install.scm

Like the official Guix installation image, this will produce a read-only image with any changes made stored in memory. As indicated below, you will need to run guix pull to download the Nonguix package descriptions, so will need enough memory to hold the cached channel code which can be several hundred megabytes. As an alternative, you can create a writable image with the following command:

guix system image --image-size=7.2GiB /path/to/this/channel/nongnu/system/install.scm

The --image-size option allows you to specify the size of the image and, as such, to allocate free space to it. The given value is purely indicative. It obviously depends on your thumbdrive capacity.

Either type of image can be written to a USB thumbdrive with:

# NOTE: This example assumes your thumbdrive is recognized by Linux as /dev/sdb.
dd if=/path/to/disk-image of=/dev/sdb bs=4M status=progress oflag=sync

The installation media produced by the above method does not automatically configure your channels specification. You need to add Nonguix "manually" into /etc/guix/channels.scm and then run guix pull to make Guix aware of Nonguix scheme libraries. Below is Guile scheme code to include Nonguix in the channel specification.

(use-modules (ice-9 pretty-print))
(with-output-to-file "/etc/guix/channels.scm"
  (lambda _
    (pretty-print
     '(cons*
       (channel (name 'nonguix)
		(url "https://gitlab.com/nonguix/nonguix"))
       %default-channels))))

CPU Microcode

CPU microcode updates are nonfree blobs that apply directly to a processor to patch its behavior, and are therefore not included in upstream GNU Guix. However, running the latest microcode is important to avoid nasty CPU bugs and hardware security vulnerabilities.

To enable early loading of CPU microcode, use the microcode-initrd function to add the microcode to the Initial RAM Disk. Most users can simply import (nongnu system linux-initrd) and add (initrd microcode-initrd) to their operating-system definition, as illustrated above.

If you need to customize the initrd for some reason, you should first understand the upstream documentation on Initial RAM Disks. microcode-initrd simply wraps another initrd function, which you can swap out for your own. For example, this:

  (initrd microcode-initrd)

is exactly equivalent to:

  (initrd (lambda (file-systems . rest)
            (apply microcode-initrd file-systems
                   #:initrd base-initrd
                   #:microcode-packages (list amd-microcode
                                              intel-microcode)
                   rest)))

Broadcom

Wireless

Some Broadcom wireless hardware requires a proprietary kernel module in addition to firmware. To use such hardware you will also need to add a service to load that module on boot and blacklist conflicting kernel modules:

  (use-modules (nongnu packages linux))

  (operating-system
    (kernel linux)
    ;; Blacklist conflicting kernel modules.
    (kernel-arguments '("modprobe.blacklist=b43,b43legacy,ssb,bcm43xx,brcm80211,brcmfmac,brcmsmac,bcma"))
    (kernel-loadable-modules (list broadcom-sta))
    (firmware (cons* broadcom-bt-firmware
                     %base-firmware))
    ...)

Webcam

Like Broadcom wireless hardware, the Broadcom 1570 PCIe webcam (better known as FacetimeHD and found in recent Macbooks) also requires a kernel module, firmware, and blacklisting of conflicting modules:

  (use-modules (nongnu packages linux))
  (use-modules (nongnu packages firmware))

  (operating-system
    (kernel-arguments '("modprobe.blacklist=bdc_pci"))
    (kernel-loadable-modules (list facetimehd))
    (firmware (cons* facetimehd-firmware
                     facetimehd-calibration ; Optional but make the colors look better.
                     %base-firmware))
    (services
     (cons* (simple-service 'facetimehd
                            kernel-module-loader-service-type
                            '("facetimehd"))
            ...))
    ...)

NVIDIA graphics card

NVIDIA graphics card support in Nonguix consists of a system service nvidia-service-type and a package nvda for application setup.

The following code serves as an example for system setup:

  (use-modules (gnu services gnome)
               (gnu services xorg)
               (nongnu packages nvidia)
               (nongnu services nvidia))

  (operating-system
    (kernel-arguments '("modprobe.blacklist=nouveau"
                        ;; Set this if the card is not used for displaying or
                        ;; you're using Wayland:
                        "nvidia_drm.modeset=1"))
    (services
     (cons* (service nvidia-service-type)
            ;; Configure desktop environment, GNOME for example.
            (service gnome-desktop-service-type
                     ;; Enable NVIDIA support, only do this when the card is
                     ;; used for displaying.
                     (gnome-desktop-configuration
                      (gnome (replace-mesa gnome))))
            ;; Configure Xorg server, only do this when the card is used for
            ;; displaying.
            (set-xorg-configuration
             (xorg-configuration
              (modules (cons nvda %default-xorg-modules))
              (drivers '("nvidia"))))
            ...))
    ...)

For application setup, mesa has to be replaced with nvda for every individual package that requires the NVIDIA driver, this can be done with grafting (which doesn't rebuild packages) or rewriting inputs (which rebuilds packages) (see Package Transformation Options in GNU Guix Reference Manual). For example:

  guix build mesa-utils --with-graft=mesa=nvda
  guix build mesa-utils --with-input=mesa=nvda

The above transformation can be used within an one-off software environment spawned by guix shell as well, for correct environment variables, the nvda package may be added into the environment:

  guix shell mesa-utils nvda --with-graft=mesa=nvda \
       -- glxinfo

To graft mesa with nvda programmatically, use replace-mesa defined in (nongnu packages nvidia):

  (use-modules (nongnu packages nvidia))

  ;; Replace mesa with nvda for a single package.
  (replace-mesa <some-package>)

  ;; Replace mesa with nvda for a package list.
  (map replace-mesa (list <some-package> ...))

  ;; A package with mesa replaced is still a package, it can be part of a
  ;; package list.
  (list (replace-mesa <some-package>)
        ...)

When the card is not used for displaying, environment variables __GLX_VENDOR_LIBRARY_NAME=nvidia and __NV_PRIME_RENDER_OFFLOAD=1 may be set.

Substitutes for nonguix

A Nonguix substitute server is available at https://substitutes.nonguix.org. On Guix System, you can add and authorize this URL in the following way:

(operating-system
  (services (modify-services %desktop-services
             (guix-service-type config => (guix-configuration
               (inherit config)
               (substitute-urls
                (append (list "https://substitutes.nonguix.org")
                  %default-substitute-urls))
               (authorized-keys
                (append (list (local-file "./signing-key.pub"))
                  %default-authorized-guix-keys))))))
  ...)

Notice that the URL of the server should be specified without a trailing slash. The file signing-key.pub should be downloaded directly from https://substitutes.nonguix.org/signing-key.pub.

Alternatively, you can replace (local-file "./signing-key.pub") by:

(plain-file "non-guix.pub"
            "<contents of signing-key.pub>")

Guix System will only use the substitution server after it has been reconfigured. The substitution server will therefore by default not be used the first time you run guix system reconfigure after adding the substitution server. It is therefore recommended to explicitly specify the use of the substitution server the first time you reconfigure your system:

sudo guix archive --authorize < signing-key.pub
sudo guix system reconfigure /etc/config.scm --substitute-urls='https://ci.guix.gnu.org https://bordeaux.guix.gnu.org https://substitutes.nonguix.org'

Check out the chapter on substitutes in the Guix manual for more details.

Pinning package versions

When using substitutes is not an option, you may find that guix system reconfigure recompiles the kernel frequently due to version bumps in the kernel package. An inferior can be used to pin the kernel version and avoid lengthy rebuilds.

You must pin both Guix and Nonguix, as the Nonguix kernel packages derive from those in Guix (so changes in either could cause a rebuild). Your preferred kernel version must be available in both pinned channels.

Consult the output of guix system describe to get the commits of Guix and Nonguix for the current generation. Once you have determined the commits to use, create an inferior in your system configuration file that pins the channels to them. Then grab the appropriately-versioned Linux package from the inferior to use as your kernel.

  (use-modules (srfi srfi-1)    ; for `first'
               (guix channels))
  (operating-system
    (kernel
      (let*
        ((channels
          (list (channel
                 (name 'nonguix)
                 (url "https://gitlab.com/nonguix/nonguix")
                 (commit "ff6ca98099c7c90e64256236a49ab21fa96fe11e"))
                (channel
                 (name 'guix)
                 (url "https://git.savannah.gnu.org/git/guix.git")
                 (commit "3be96aa9d93ea760e2d965cb3ef03540f01a0a22"))))
         (inferior
          (inferior-for-channels channels)))
        (first (lookup-inferior-packages inferior "linux" "5.4.21"))))
    ...)

Contributing

Contributions are welcome! If there's a package you would like to add, just fork the repository and create a Merge Request when your package is ready. Keep in mind:

  • Nonguix follows the same coding style as GNU Guix. If you don't use Emacs, you should make use of the indent script from the GNU Guix repository (./etc/indent-code.el).
  • Commit messages should follow the same conventions set by GNU Guix.
  • Although licensing restrictions are relaxed, packages should still have accurate license metadata.
  • If a package could be added to upstream GNU Guix with a reasonable amount of effort, then it probably doesn't belong in Nonguix. This isn't a dumping ground for subpar packages, but sometimes we may accept free software packages which are currently too cumbersome to properly build from source.
  • If your package is a game, you should submit it to the Guix Gaming Channels instead.

If you have a history of making quality contributions to GNU Guix or Nonguix and would like commit access, just ask! Nontrivial changes should still go through a simple Merge Request and code review process, but Nonguix needs more people involved to succeed as a community project.

Community

If you want to discuss Nonguix-related topics, you can hang out and stay in touch on the #nonguix IRC channel on Libera Chat.