ci: merge bitcoin#24585, #25549, #26834, #26773, #30989, #32498, #32439, #32678, #33073, update channels, substitution servers, fix guix-check

Makefile.am

@@ -41,7 +41,6 @@ OSX_PLIST=$(top_builddir)/share/qt/Info.plist #not installed
 
 DIST_CONTRIB = \
            $(top_srcdir)/contrib/debian/copyright \
-           $(top_srcdir)/contrib/install_db4.sh \
            $(top_srcdir)/test/sanitizer_suppressions/lsan \
            $(top_srcdir)/test/sanitizer_suppressions/tsan \
            $(top_srcdir)/test/sanitizer_suppressions/ubsan \

contrib/containers/guix/Dockerfile

@@ -52,8 +52,9 @@ RUN guix_file_name=guix-binary-${guix_version}.$(uname -m)-linux.tar.xz
 
 RUN touch /etc/nsswitch.conf
 
-RUN guix archive --authorize < /usr/local/guix/current/share/guix/ci.guix.gnu.org.pub && \
-    guix archive --authorize < /usr/local/guix/current/share/guix/bordeaux.guix.gnu.org.pub
+RUN guix archive --authorize < /usr/local/guix/current/share/guix/berlin.guix.gnu.org.pub && \
+    guix archive --authorize < /usr/local/guix/current/share/guix/bordeaux.guix.gnu.org.pub && \
+    guix archive --authorize < /usr/local/guix/current/share/guix/ci.guix.gnu.org.pub
 
 # Build Environment Setup
 # https://guix.gnu.org/manual/en/html_node/Build-Environment-Setup.html
@@ -73,6 +74,9 @@ RUN groupmod -g ${GROUP_ID} ubuntu; \
     echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
 
 # Copy required files to container
+COPY --chown=${USER_ID}:${GROUP_ID} \
+     --chmod=u=rwX,go=rX \
+     --from=docker_root ./channels.scm         /home/ubuntu/.config/guix/channels.scm
 COPY --from=docker_root ./motd.txt             /etc/motd
 COPY --from=docker_root ./scripts/entrypoint   /usr/local/bin/entrypoint
 COPY --from=docker_root ./scripts/guix-check   /usr/local/bin/guix-check

contrib/containers/guix/channels.scm

@@ -0,0 +1,11 @@
+(list (channel
+        (name 'guix)
+        (url "https://codeberg.org/guix/guix")
+        (branch "master")
+        (commit
+          "56344729cd07c76d5133047f2866237bbb08dced")
+        (introduction
+          (make-channel-introduction
+            "9edb3f66fd807b096b48283debdcddccfea34bad"
+            (openpgp-fingerprint
+              "2A39 3FFF 68F4 EF7A 3D29  12AF 6F51 20A0 22FB B2D5")))))

contrib/containers/guix/scripts/entrypoint

@@ -5,10 +5,21 @@ set -eo pipefail
 # Read instructions
 cat /etc/motd
 
+SERVERS=(
+  # Official substitution servers
+  https://berlin.guix.gnu.org
+  https://bordeaux.guix.gnu.org
+  https://ci.guix.gnu.org
+
+  # Mirrors of Bordeaux substitution server
+  https://bordeaux-singapore-mirror.cbaines.net
+  https://bordeaux-us-east-mirror.cbaines.net
+  https://hydra-guix-129.guix.gnu.org
+)
+
 # Start the Guix daemon
-sudo env PATH=${PATH} guix-daemon \
-  --build-users-group='guixbuild' \
-  --substitute-urls='https://bordeaux.guix.gnu.org https://ci.guix.gnu.org' < /dev/null 2>&1 |
+sudo env PATH=${PATH} \
+  guix-daemon --build-users-group='guixbuild' --substitute-urls="$(IFS=' '; echo "${SERVERS[*]}")" < /dev/null 2>&1 |
   sudo tee /var/log/guix.log > /dev/null &
 
 # Hand over control

contrib/containers/guix/scripts/guix-check

@@ -13,13 +13,9 @@ cd "$WORKSPACE_PATH"
 
 source "contrib/guix/libexec/prelude.bash"
 
-printf "\nBinaries:\n\n"
-( \
-SRC_PATH_PREFIX="${VERSION_BASE}/distsrc-" && \
-sha256sum ${SRC_PATH_PREFIX}*/src/dash{d,-cli,-tx,-wallet}{,.exe} && \
-sha256sum ${SRC_PATH_PREFIX}*/src/qt/dash-qt{,.exe} && \
-sha256sum ${SRC_PATH_PREFIX}*/src/test/test_dash{,.exe} \
-) | sort -k 2
-
-printf "\nArchives:\n\n"
-find "${OUTDIR_BASE}" -type f | grep -v SHA256 | xargs sha256sum | sort -k 2
+GUIX_SIGS_REPO="$(mktemp -d)"
+trap 'rm -rf -- "$GUIX_SIGS_REPO"' EXIT
+SIGNER=dummy
+env GUIX_SIGS_REPO="${GUIX_SIGS_REPO}" NO_SIGN=1 SIGNER=${SIGNER} ./contrib/guix/guix-attest
+SHASUM_LOC="${GUIX_SIGS_REPO}/${VERSION}/${SIGNER}"
+cat "${SHASUM_LOC}/all.sha256sums" 2>/dev/null || cat "${SHASUM_LOC}/noncodesigned.SHA256SUMS"

contrib/guix/INSTALL.md

@@ -319,7 +319,7 @@ Source: https://logs.guix.gnu.org/guix/2020-11-12.log#232527
 Start by cloning Guix:
 
 ```
-git clone https://git.savannah.gnu.org/git/guix.git
+git clone https://codeberg.org/guix/guix.git
 cd guix
 ```
 
@@ -607,7 +607,7 @@ checklist.
    ```
    Generation 38   Feb 22 2021 16:39:31    (current)
      guix f350df4
-       repository URL: https://git.savannah.gnu.org/git/guix.git
+       repository URL: https://codeberg.org/guix/guix.git
        branch: version-1.2.0
        commit: f350df405fbcd5b9e27e6b6aa500da7f101f41e7
    ```
@@ -760,8 +760,8 @@ Please see the following links for more details:
 
 - An upstream coreutils bug has been filed: [debbugs#47940](https://debbugs.gnu.org/cgi/bugreport.cgi?bug=47940)
 - A Guix bug detailing the underlying problem has been filed: [guix-issues#47935](https://issues.guix.gnu.org/47935), [guix-issues#49985](https://issues.guix.gnu.org/49985#5)
-- A commit to skip this test in Guix has been merged into the core-updates branch:
-[savannah/guix@6ba1058](https://git.savannah.gnu.org/cgit/guix.git/commit/?id=6ba1058df0c4ce5611c2367531ae5c3cdc729ab4)
+- A commit to skip this test is included since Guix 1.4.0:
+[codeberg/guix@6ba1058](https://codeberg.org/guix/guix/commit/6ba1058df0c4ce5611c2367531ae5c3cdc729ab4)
 
 
 [install-script]: #options-1-and-2-using-the-official-shell-installer-script-or-binary-tarball

contrib/guix/README.md

@@ -364,12 +364,6 @@ Where `<PREFIX>` is likely:
 - `/usr/local` if you installed Guix from source and didn't supply any
   prefix-modifying flags to Guix's `./configure`
 
-For dongcarl's substitute server at https://guix.carldong.io, run as root:
-
-```sh
-wget -qO- 'https://guix.carldong.io/signing-key.pub' | guix archive --authorize
-```
-
 #### Removing authorized keys
 
 To remove previously authorized keys, simply edit `/etc/guix/acl` and remove the
@@ -381,28 +375,28 @@ Once its key is authorized, the official Guix build farm at
 https://ci.guix.gnu.org is automatically used unless the `--no-substitutes` flag
 is supplied. This default list of substitute servers is overridable both on a
 `guix-daemon` level and when you invoke `guix` commands. See examples below for
-the various ways of adding dongcarl's substitute server after having [authorized
-his signing key](#step-1-authorize-the-signing-keys).
+the various ways of adding a substitute server after having [authorized
+its signing key](#step-1-authorize-the-signing-keys).
 
 Change the **default list** of substitute servers by starting `guix-daemon` with
 the `--substitute-urls` option (you will likely need to edit your init script):
 
 ```sh
-guix-daemon <cmd> --substitute-urls='https://guix.carldong.io https://ci.guix.gnu.org'
+guix-daemon <cmd> --substitute-urls='https://bordeaux.guix.gnu.org https://ci.guix.gnu.org'
 ```
 
 Override the default list of substitute servers by passing the
 `--substitute-urls` option for invocations of `guix` commands:
 
 ```sh
-guix <cmd> --substitute-urls='https://guix.carldong.io https://ci.guix.gnu.org'
+guix <cmd> --substitute-urls='https://bordeaux.guix.gnu.org https://ci.guix.gnu.org'
 ```
 
 For scripts under `./contrib/guix`, set the `SUBSTITUTE_URLS` environment
 variable:
 
 ```sh
-export SUBSTITUTE_URLS='https://guix.carldong.io https://ci.guix.gnu.org'
+export SUBSTITUTE_URLS='https://bordeaux.guix.gnu.org https://ci.guix.gnu.org'
 ```
 
 ## Option 2: Disabling substitutes on an ad-hoc basis

contrib/guix/guix-build

@@ -69,6 +69,12 @@ fi
 
 mkdir -p "$VERSION_BASE"
 
+################
+# SOURCE_DATE_EPOCH should not unintentionally be set
+################
+
+check_source_date_epoch
+
 ################
 # Build directories should not exist
 ################

contrib/guix/guix-codesign

@@ -67,6 +67,12 @@ EOF
 exit 1
 fi
 
+################
+# SOURCE_DATE_EPOCH should not unintentionally be set
+################
+
+check_source_date_epoch
+
 ################
 # The codesignature git worktree should not be dirty
 ################

contrib/guix/libexec/build.sh

@@ -238,8 +238,6 @@ case "$HOST" in
     *mingw*)  HOST_LDFLAGS="-Wl,--no-insert-timestamp" ;;
 esac
 
-# Make $HOST-specific native binaries from depends available in $PATH
-export PATH="${BASEPREFIX}/${HOST}/native/bin:${PATH}"
 mkdir -p "$DISTSRC"
 (
     cd "$DISTSRC"

contrib/guix/libexec/prelude.bash

@@ -21,6 +21,26 @@ check_tools() {
     done
 }
 
+################
+# SOURCE_DATE_EPOCH should not unintentionally be set
+################
+
+check_source_date_epoch() {
+    if [ -n "$SOURCE_DATE_EPOCH" ] && [ -z "$FORCE_SOURCE_DATE_EPOCH" ]; then
+        cat << EOF
+ERR: Environment variable SOURCE_DATE_EPOCH is set which may break reproducibility.
+
+     Aborting...
+
+Hint: You may want to:
+      1. Unset this variable: \`unset SOURCE_DATE_EPOCH\` before rebuilding
+      2. Set the 'FORCE_SOURCE_DATE_EPOCH' environment variable if you insist on
+         using your own epoch
+EOF
+        exit 1
+    fi
+}
+
 check_tools cat env readlink dirname basename git
 
 ################
@@ -50,7 +70,7 @@ fi
 # across time.
 time-machine() {
     # shellcheck disable=SC2086
-    guix time-machine --url=https://git.savannah.gnu.org/git/guix.git \
+    guix time-machine --url=https://codeberg.org/guix/guix.git \
                       --commit=7bf1d7aeaffba15c4f680f93ae88fbef25427252 \
                       --cores="$JOBS" \
                       --keep-failed \