
Merge #2798: stdenv and a few other big updates

Stdenv-changing things:
    - gcc 4.8.2 -> 4.8.3
    - long-running grsecurity branch
Others:
    - pkgconfig update
    - CVE for libtasn1, dbus

Conflicts (simple):
    pkgs/development/compilers/ghc/7.6.3.nix
Vladimír Čunát 2014-06-16 10:23:36 +02:00
commit 1b78ca58bc
52 changed files with 2216 additions and 368 deletions


@ -1,11 +1,11 @@
{ stdenv, mkChromiumDerivation }: { stdenv, mkChromiumDerivation, arch }:
with stdenv.lib; with stdenv.lib;
mkChromiumDerivation (base: rec { mkChromiumDerivation (base: rec {
name = "chromium-browser"; name = "chromium-browser";
packageName = "chromium"; packageName = "chromium";
buildTargets = [ "chrome" ]; buildTargets = [ "mksnapshot.${arch}" "chrome" ];
installPhase = '' installPhase = ''
ensureDir "$libExecPath" ensureDir "$libExecPath"


@ -30,6 +30,7 @@
, source , source
, plugins , plugins
, archInfo
}: }:
buildFun: buildFun:
@ -172,13 +173,7 @@ let
# enable support for the H.264 codec # enable support for the H.264 codec
proprietary_codecs = true; proprietary_codecs = true;
ffmpeg_branding = "Chrome"; ffmpeg_branding = "Chrome";
} // optionalAttrs (stdenv.system == "x86_64-linux") { } // archInfo // (extraAttrs.gypFlags or {}));
target_arch = "x64";
python_arch = "x86-64";
} // optionalAttrs (stdenv.system == "i686-linux") {
target_arch = "ia32";
python_arch = "ia32";
} // (extraAttrs.gypFlags or {}));
configurePhase = '' configurePhase = ''
# This is to ensure expansion of $out. # This is to ensure expansion of $out.
@ -190,14 +185,21 @@ let
buildPhase = let buildPhase = let
CC = "${gcc}/bin/gcc"; CC = "${gcc}/bin/gcc";
CXX = "${gcc}/bin/g++"; CXX = "${gcc}/bin/g++";
in '' buildCommand = target: ''
CC="${CC}" CC_host="${CC}" \ CC="${CC}" CC_host="${CC}" \
CXX="${CXX}" CXX_host="${CXX}" \ CXX="${CXX}" CXX_host="${CXX}" \
LINK_host="${CXX}" \ LINK_host="${CXX}" \
"${ninja}/bin/ninja" -C "${buildPath}" \ "${ninja}/bin/ninja" -C "${buildPath}" \
-j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \ -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES \
${concatStringsSep " " (extraAttrs.buildTargets or [])} ${target}
if [[ "${target}" == mksnapshot.* || "${target}" == "chrome" ]]; then
paxmark m "${buildPath}/${target}"
fi
''; '';
targets = extraAttrs.buildTargets or [];
commands = map buildCommand targets;
in concatStringsSep "\n" commands;
}; };
# Remove some extraAttrs we supplied to the base attributes already. # Remove some extraAttrs we supplied to the base attributes already.
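Review bot: The new `paxmark m "${buildPath}/${target}"` in `buildCommand` turns off PaX MPROTECT for `chrome` and every `mksnapshot.*` target, and nothing in the hunk says why that relaxation is needed. A one-line comment above the `if`, for example `# V8 generates code at run time, which PaX MPROTECT forbids (assumed reason, confirm)`, would let a later reader judge whether the exemption can ever be dropped. Because ninja is now invoked once per target instead of once with all targets, it would also help to say whether the split exists so that `mksnapshot` is marked before the `chrome` target runs it.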


@ -15,6 +15,14 @@
}: }:
let let
archInfo = with stdenv.lib; optionalAttrs (stdenv.system == "i686-linux") {
target_arch = "ia32";
python_arch = "ia32";
} // optionalAttrs (stdenv.system == "x86_64-linux") {
target_arch = "x64";
python_arch = "x86-64";
};
callPackage = newScope chromium; callPackage = newScope chromium;
chromium = { chromium = {
@ -27,10 +35,13 @@ let
mkChromiumDerivation = callPackage ./common.nix { mkChromiumDerivation = callPackage ./common.nix {
inherit enableSELinux enableNaCl useOpenSSL gnomeSupport inherit enableSELinux enableNaCl useOpenSSL gnomeSupport
gnomeKeyringSupport proprietaryCodecs cupsSupport gnomeKeyringSupport proprietaryCodecs cupsSupport
pulseSupport; pulseSupport archInfo;
};
browser = callPackage ./browser.nix {
arch = archInfo.target_arch;
}; };
browser = callPackage ./browser.nix { };
sandbox = callPackage ./sandbox.nix { }; sandbox = callPackage ./sandbox.nix { };
plugins = callPackage ./plugins.nix { plugins = callPackage ./plugins.nix {
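Review bot: `arch = archInfo.target_arch;` aborts evaluation with a bare missing-attribute error on any system other than i686-linux or x86_64-linux, because both `optionalAttrs` branches of the new `archInfo` then yield an empty set. The old code in common.nix simply left `target_arch` unset in that case. I would write `arch = archInfo.target_arch or (throw "chromium: unsupported system ${stdenv.system}");` so the failure names its cause.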


@ -91,6 +91,11 @@ rec {
#installFlags = "SKIP_GRE_REGISTRATION=1"; #installFlags = "SKIP_GRE_REGISTRATION=1";
preInstall = ''
# The following is needed for startup cache creation on grsecurity kernels
paxmark m ../objdir/dist/bin/xpcshell
'';
postInstall = '' postInstall = ''
# Fix run-mozilla.sh search # Fix run-mozilla.sh search
libDir=$(cd $out/lib && ls -d xulrunner-[0-9]*) libDir=$(cd $out/lib && ls -d xulrunner-[0-9]*)
@ -109,6 +114,10 @@ rec {
for i in $out/lib/$libDir/*.so; do for i in $out/lib/$libDir/*.so; do
patchelf --set-rpath "$(patchelf --print-rpath "$i"):$out/lib/$libDir" $i || true patchelf --set-rpath "$(patchelf --print-rpath "$i"):$out/lib/$libDir" $i || true
done done
# For grsecurity kernels
paxmark m $out/lib/$libDir/{plugin-container,xulrunner}
for i in $out/lib/$libDir/{plugin-container,xulrunner,xulrunner-stub}; do for i in $out/lib/$libDir/{plugin-container,xulrunner,xulrunner-stub}; do
wrapProgram $i --prefix LD_LIBRARY_PATH ':' "$out/lib/$libDir" wrapProgram $i --prefix LD_LIBRARY_PATH ':' "$out/lib/$libDir"
done done


@ -240,6 +240,11 @@ postInstall() {
fi fi
done done
# Disable RANDMMAP on grsec, which causes segfaults when using
# precompiled headers.
# See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31
paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}
eval "$postInstallGhdl" eval "$postInstallGhdl"
} }
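Review bot: `paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}` assumes both front ends exist; when the C++ front end is not built, the `cc1plus` pattern matches nothing and bash passes it through literally, and how `paxmark` reacts to a missing file is not visible here. GCC also supports precompiled headers for Objective-C and Objective-C++, so `cc1obj` and `cc1objplus` would presumably need the same RANDMMAP exemption. A loop such as `for f in $out/libexec/gcc/*/*/cc1*; do if [ -f "$f" ]; then paxmark r "$f"; fi; done` covers both cases. The same lines are added to the second `postInstall()` section further down this page, and the function body starts outside the hunk.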


@ -1,79 +0,0 @@
Index: gcc-4_8-branch/libstdc++-v3/include/bits/stl_algo.h
===================================================================
--- gcc-4_8-branch/libstdc++-v3/include/bits/stl_algo.h (revision 203872)
+++ gcc-4_8-branch/libstdc++-v3/include/bits/stl_algo.h (revision 203873)
@@ -2279,7 +2279,7 @@
_RandomAccessIterator __last)
{
_RandomAccessIterator __mid = __first + (__last - __first) / 2;
- std::__move_median_to_first(__first, __first + 1, __mid, (__last - 2));
+ std::__move_median_to_first(__first, __first + 1, __mid, __last - 1);
return std::__unguarded_partition(__first + 1, __last, *__first);
}
@@ -2291,7 +2291,7 @@
_RandomAccessIterator __last, _Compare __comp)
{
_RandomAccessIterator __mid = __first + (__last - __first) / 2;
- std::__move_median_to_first(__first, __first + 1, __mid, (__last - 2),
+ std::__move_median_to_first(__first, __first + 1, __mid, __last - 1,
__comp);
return std::__unguarded_partition(__first + 1, __last, *__first, __comp);
}
Index: gcc-4_8-branch/libstdc++-v3/testsuite/25_algorithms/nth_element/58800.cc
===================================================================
--- gcc-4_8-branch/libstdc++-v3/testsuite/25_algorithms/nth_element/58800.cc (revision 0)
+++ gcc-4_8-branch/libstdc++-v3/testsuite/25_algorithms/nth_element/58800.cc (revision 203873)
@@ -0,0 +1,52 @@
+// Copyright (C) 2013 Free Software Foundation, Inc.
+//
+// This file is part of the GNU ISO C++ Library. This library is free
+// software; you can redistribute it and/or modify it under the
+// terms of the GNU General Public License as published by the
+// Free Software Foundation; either version 3, or (at your option)
+// any later version.
+
+// This library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License along
+// with this library; see the file COPYING3. If not see
+// <http://www.gnu.org/licenses/>.
+
+// 25.3.2 [lib.alg.nth.element]
+
+// { dg-options "-std=gnu++11" }
+
+#include <algorithm>
+#include <testsuite_hooks.h>
+#include <testsuite_iterators.h>
+
+using __gnu_test::test_container;
+using __gnu_test::random_access_iterator_wrapper;
+
+typedef test_container<int, random_access_iterator_wrapper> Container;
+
+void test01()
+{
+ std::vector<int> v = {
+ 207089,
+ 202585,
+ 180067,
+ 157549,
+ 211592,
+ 216096,
+ 207089
+ };
+
+ Container con(v.data(), v.data() + 7);
+
+ std::nth_element(con.begin(), con.begin() + 3, con.end());
+}
+
+int main()
+{
+ test01();
+ return 0;
+}


@ -239,6 +239,11 @@ postInstall() {
fi fi
done done
# Disable RANDMMAP on grsec, which causes segfaults when using
# precompiled headers.
# See https://bugs.gentoo.org/show_bug.cgi?id=301299#c31
paxmark r $out/libexec/gcc/*/*/{cc1,cc1plus}
eval "$postInstallGhdl" eval "$postInstallGhdl"
} }


@ -54,7 +54,7 @@ assert langGo -> langCC;
with stdenv.lib; with stdenv.lib;
with builtins; with builtins;
let version = "4.8.2"; let version = "4.8.3";
# Whether building a cross-compiler for GNU/Hurd. # Whether building a cross-compiler for GNU/Hurd.
crossGNU = cross != null && cross.config == "i586-pc-gnu"; crossGNU = cross != null && cross.config == "i586-pc-gnu";
@ -64,7 +64,7 @@ let version = "4.8.2";
*/ */
enableParallelBuilding = !profiledCompiler; enableParallelBuilding = !profiledCompiler;
patches = [ ./bug-58800.patch ] # http://gcc.gnu.org/bugzilla/show_bug.cgi?id=58800 patches = []
++ optional enableParallelBuilding ./parallel-bconfig.patch ++ optional enableParallelBuilding ./parallel-bconfig.patch
++ optional (cross != null) ./libstdc++-target.patch ++ optional (cross != null) ./libstdc++-target.patch
# ++ optional noSysDirs ./no-sys-dirs.patch # ++ optional noSysDirs ./no-sys-dirs.patch
@ -212,7 +212,7 @@ stdenv.mkDerivation ({
src = fetchurl { src = fetchurl {
url = "mirror://gnu/gcc/gcc-${version}/gcc-${version}.tar.bz2"; url = "mirror://gnu/gcc/gcc-${version}/gcc-${version}.tar.bz2";
sha256 = "1j6dwgby4g3p3lz7zkss32ghr45zpdidrg8xvazvn91lqxv25p09"; sha256 = "07hg10zs7gnqz58my10ch0zygizqh0z0bz6pv4pgxx45n48lz3ka";
}; };
inherit patches; inherit patches;


@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
"--with-gcc=${stdenv.gcc}/bin/gcc" "--with-gcc=${stdenv.gcc}/bin/gcc"
]; ];
NIX_CFLAGS_COMPILE = "-fomit-frame-pointer";
meta = { meta = {
inherit homepage; inherit homepage;
description = "The Glasgow Haskell Compiler"; description = "The Glasgow Haskell Compiler";


@ -25,6 +25,8 @@ stdenv.mkDerivation rec {
"--with-gcc=${stdenv.gcc}/bin/gcc" "--with-gcc=${stdenv.gcc}/bin/gcc"
]; ];
NIX_CFLAGS_COMPILE = "-fomit-frame-pointer";
# required, because otherwise all symbols from HSffi.o are stripped, and # required, because otherwise all symbols from HSffi.o are stripped, and
# that in turn causes GHCi to abort # that in turn causes GHCi to abort
stripDebugFlags=["-S" "--keep-file-symbols"]; stripDebugFlags=["-S" "--keep-file-symbols"];


@ -25,6 +25,8 @@ stdenv.mkDerivation rec {
"--with-gcc=${stdenv.gcc}/bin/gcc" "--with-gcc=${stdenv.gcc}/bin/gcc"
]; ];
NIX_CFLAGS_COMPILE = "-fomit-frame-pointer";
# required, because otherwise all symbols from HSffi.o are stripped, and # required, because otherwise all symbols from HSffi.o are stripped, and
# that in turn causes GHCi to abort # that in turn causes GHCi to abort
stripDebugFlags=["-S" "--keep-file-symbols"]; stripDebugFlags=["-S" "--keep-file-symbols"];


@ -25,6 +25,8 @@ stdenv.mkDerivation rec {
"--with-gcc=${stdenv.gcc}/bin/gcc" "--with-gcc=${stdenv.gcc}/bin/gcc"
]; ];
NIX_CFLAGS_COMPILE = "-fomit-frame-pointer";
# required, because otherwise all symbols from HSffi.o are stripped, and # required, because otherwise all symbols from HSffi.o are stripped, and
# that in turn causes GHCi to abort # that in turn causes GHCi to abort
stripDebugFlags=["-S" "--keep-file-symbols"]; stripDebugFlags=["-S" "--keep-file-symbols"];


@ -1,6 +1,13 @@
{ stdenv, fetchurl, ghc, perl, gmp, ncurses }: { stdenv, fetchurl, ghc, perl, gmp, ncurses, binutils }:
stdenv.mkDerivation rec { let
# The "-Wa,--noexecstack" options might be needed only with GNU ld (as opposed
# to the gold linker). It prevents binaries' stacks from being marked as
# executable, which fails to run on a grsecurity/PaX kernel.
ghcFlags = "-optc-Wa,--noexecstack -opta-Wa,--noexecstack";
cFlags = "-Wa,--noexecstack";
in stdenv.mkDerivation rec {
version = "7.6.3"; version = "7.6.3";
name = "ghc-${version}"; name = "ghc-${version}";
@ -12,21 +19,40 @@ stdenv.mkDerivation rec {
buildInputs = [ ghc perl gmp ncurses ]; buildInputs = [ ghc perl gmp ncurses ];
buildMK = '' buildMK = ''
libraries/integer-gmp_CONFIGURE_OPTS += --configure-option=--with-gmp-libraries="${gmp}/lib" libraries/integer-gmp_CONFIGURE_OPTS += --configure-option=--with-gmp-libraries="${gmp}/lib"
libraries/integer-gmp_CONFIGURE_OPTS += --configure-option=--with-gmp-includes="${gmp}/include" libraries/integer-gmp_CONFIGURE_OPTS += --configure-option=--with-gmp-includes="${gmp}/include"
'' + stdenv.lib.optionalString stdenv.isLinux ''
# Set ghcFlags for building ghc itself
SRC_HC_OPTS += ${ghcFlags}
SRC_CC_OPTS += ${cFlags}
''; '';
preConfigure = '' preConfigure = ''
echo "${buildMK}" > mk/build.mk echo "${buildMK}" > mk/build.mk
sed -i -e 's|-isysroot /Developer/SDKs/MacOSX10.5.sdk||' configure sed -i -e 's|-isysroot /Developer/SDKs/MacOSX10.5.sdk||' configure
'' + stdenv.lib.optionalString stdenv.isLinux ''
# Set ghcFlags for binaries that ghc builds
sed -i -e 's|"\$topdir"|"\$topdir" ${ghcFlags}|' ghc/ghc.wrapper
'' + stdenv.lib.optionalString (!stdenv.isDarwin) '' '' + stdenv.lib.optionalString (!stdenv.isDarwin) ''
export NIX_LDFLAGS="$NIX_LDFLAGS -rpath $out/lib/ghc-${version}" export NIX_LDFLAGS="$NIX_LDFLAGS -rpath $out/lib/ghc-${version}"
''; '';
configureFlags = "--with-gcc=${stdenv.gcc}/bin/gcc"; configureFlags = "--with-gcc=${stdenv.gcc}/bin/gcc";
postInstall = ''
# ghci uses mmap with rwx protection at it implements dynamic
# linking on its own. See:
# - https://bugs.gentoo.org/show_bug.cgi?id=299709
# - https://ghc.haskell.org/trac/ghc/ticket/4244
# Therefore, we have to pax-mark the resulting binary.
# Haddock also seems to run with ghci, so mark it as well.
paxmark m $out/lib/${name}/{ghc,haddock}
'';
# required, because otherwise all symbols from HSffi.o are stripped, and # required, because otherwise all symbols from HSffi.o are stripped, and
# that in turn causes GHCi to abort # that in turn causes GHCi to abort
stripDebugFlags=["-S" "--keep-file-symbols"]; stripDebugFlags=["-S" "--keep-file-symbols"];
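Review bot: The `sed` that injects `${ghcFlags}` into `ghc/ghc.wrapper` succeeds even when the `"\$topdir"` pattern is not found, in which case programs compiled by this ghc would silently be built without `--noexecstack`. Adding `grep -q -- '--noexecstack' ghc/ghc.wrapper` right after the `sed` turns that into a build failure, assuming the phase runs with errexit as stdenv phases normally do. Separately, `binutils` is added to the argument list but is not used in any line visible in these hunks; the rest of the file is outside the hunks, so confirm it is needed.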


@ -59,7 +59,7 @@ with srcInfo; stdenv.mkDerivation {
"--disable-downloading" "--disable-downloading"
"--without-rhino" "--without-rhino"
# Uncomment this when paxctl lands in stdenv: "--with-pax=paxctl" "--with-pax=paxctl"
"--with-jdk-home=${jdkPath}" "--with-jdk-home=${jdkPath}"
]; ];


@ -2,6 +2,7 @@
, stdenv , stdenv
, requireFile , requireFile
, unzip , unzip
, file
, xlibs ? null , xlibs ? null
, installjdk ? true , installjdk ? true
, pluginSupport ? true , pluginSupport ? true
@ -71,10 +72,20 @@ stdenv.mkDerivation rec {
else else
abort "jdk requires i686-linux or x86_64 linux"; abort "jdk requires i686-linux or x86_64 linux";
buildInputs = if installjce then [ unzip ] else []; nativeBuildInputs = [ file ]
++ stdenv.lib.optional installjce unzip;
installPhase = '' installPhase = ''
cd .. cd ..
# Set PaX markings
exes=$(file $sourceRoot/bin/* $sourceRoot/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
for file in $exes; do
paxmark m "$file"
# On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
done
if test -z "$installjdk"; then if test -z "$installjdk"; then
mv $sourceRoot/jre $out mv $sourceRoot/jre $out
else else
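Review bot: On i686 the new loop runs `paxmark m "$file"` and then `paxmark msp "$file"`, so every binary is marked twice and the first call is redundant. A single call, `paxmark ${if stdenv.isi686 then "msp" else "m"} "$file"`, does the same and matches the `paxflags` binding used in the OpenJDK expression in this commit. `for file in $exes` also word-splits the path list, and `2> /dev/null` hides any error from `file`, so a binary that gets skipped leaves no trace in the build log. The openjdk-bootstrap section below adds the same loop.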


@ -22,11 +22,20 @@ in stdenv.mkDerivation rec {
cmakeFlags = with stdenv; [ cmakeFlags = with stdenv; [
"-DCMAKE_BUILD_TYPE=Release" "-DCMAKE_BUILD_TYPE=Release"
"-DLLVM_BUILD_TESTS=ON"
"-DLLVM_ENABLE_FFI=ON" "-DLLVM_ENABLE_FFI=ON"
"-DLLVM_BINUTILS_INCDIR=${binutils}/include" "-DLLVM_BINUTILS_INCDIR=${binutils}/include"
"-DLLVM_EXPERIMENTAL_TARGETS_TO_BUILD=R600" # for mesa "-DLLVM_EXPERIMENTAL_TARGETS_TO_BUILD=R600" # for mesa
] ++ stdenv.lib.optional (!isDarwin) "-DBUILD_SHARED_LIBS=ON"; ] ++ stdenv.lib.optional (!isDarwin) "-DBUILD_SHARED_LIBS=ON";
postBuild = ''
paxmark m bin/{lli,llvm-rtdyld}
paxmark m unittests/ExecutionEngine/JIT/JITTests
paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
paxmark m unittests/Support/SupportTests
'';
enableParallelBuilding = true; enableParallelBuilding = true;
doCheck = true; doCheck = true;
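Review bot: The new `postBuild` disables MPROTECT on `bin/lli` and `bin/llvm-rtdyld`, which are presumably installed, and on test binaries that only exist because `-DLLVM_BUILD_TESTS=ON` was added, with no comment separating the two. I would add `# lli/llvm-rtdyld execute generated code; the unittests are marked only so that doCheck passes on PaX kernels (assumed, confirm)`. The hard-coded `unittests/...` paths may also go stale without notice if a later LLVM moves them, depending on how `paxmark` treats a missing file. The second LLVM section below adds the same four lines.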


@ -1,10 +1,18 @@
{stdenv, fetch, llvm, gmp, mpfr, mpc, ncurses, zlib, version}: {stdenv, fetch, fetchpatch, llvm, gmp, mpfr, mpc, ncurses, zlib, version}:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "dragonegg-${version}"; name = "dragonegg-${version}";
src = fetch "dragonegg" "1733czbvby1ww3xkwcwmm0km0bpwhfyxvf56wb0zv5gksp3kbgrl"; src = fetch "dragonegg" "1733czbvby1ww3xkwcwmm0km0bpwhfyxvf56wb0zv5gksp3kbgrl";
patches = [(fetchpatch {
url = "https://llvm.org/viewvc/llvm-project/dragonegg/trunk/src/x86/ABIHack.inc"
+ "?r1=208730&r2=208729&view=patch";
sha256 = "1al82gqz90hzjx24p0wls029lw2bgnlgd209kgvxsp82p4z1v1c1";
name = "bug-18548.patch";
})];
patchFlags = "-p2";
# The gcc the plugin will be built for (the same used building dragonegg) # The gcc the plugin will be built for (the same used building dragonegg)
GCC = "gcc"; GCC = "gcc";


@ -36,15 +36,25 @@ in stdenv.mkDerivation rec {
mkdir -p $out/ mkdir -p $out/
ln -sv $PWD/lib $out ln -sv $PWD/lib $out
''; '';
postBuild = "rm -fR $out";
cmakeFlags = with stdenv; [ cmakeFlags = with stdenv; [
"-DCMAKE_BUILD_TYPE=Release" "-DCMAKE_BUILD_TYPE=Release"
"-DLLVM_BUILD_TESTS=ON"
"-DLLVM_ENABLE_FFI=ON" "-DLLVM_ENABLE_FFI=ON"
"-DLLVM_BINUTILS_INCDIR=${binutils}/include" "-DLLVM_BINUTILS_INCDIR=${binutils}/include"
"-DCMAKE_CXX_FLAGS=-std=c++11" "-DCMAKE_CXX_FLAGS=-std=c++11"
] ++ stdenv.lib.optional (!isDarwin) "-DBUILD_SHARED_LIBS=ON"; ] ++ stdenv.lib.optional (!isDarwin) "-DBUILD_SHARED_LIBS=ON";
postBuild = ''
rm -fR $out
paxmark m bin/{lli,llvm-rtdyld}
paxmark m unittests/ExecutionEngine/JIT/JITTests
paxmark m unittests/ExecutionEngine/MCJIT/MCJITTests
paxmark m unittests/Support/SupportTests
'';
enableParallelBuilding = true; enableParallelBuilding = true;
passthru.src = src; passthru.src = src;


@ -1,4 +1,4 @@
{ runCommand, glibc, fetchurl }: { stdenv, runCommand, glibc, fetchurl, file }:
let let
# !!! These should be on nixos.org # !!! These should be on nixos.org
@ -18,4 +18,12 @@ in
runCommand "openjdk-bootstrap" {} '' runCommand "openjdk-bootstrap" {} ''
xz -dc ${src} | sed "s/e*-glibc-[^/]*/$(basename ${glibc})/g" | tar xv xz -dc ${src} | sed "s/e*-glibc-[^/]*/$(basename ${glibc})/g" | tar xv
mv openjdk-bootstrap $out mv openjdk-bootstrap $out
# Temporarily, while NixOS's OpenJDK bootstrap tarball doesn't have PaX markings:
exes=$(${file}/bin/file $out/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
for file in $exes; do
paxmark m "$file"
# On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
${stdenv.lib.optionalString stdenv.isi686 ''paxmark msp "$file"''}
done
'' ''


@ -1,5 +1,5 @@
{ stdenv, fetchurl, unzip, zip, procps, coreutils, alsaLib, ant, freetype, cups { stdenv, fetchurl, unzip, zip, procps, coreutils, alsaLib, ant, freetype, cups
, which, jdk, nettools, xorg , which, jdk, nettools, xorg, file
, fontconfig, cpio, cacert, perl, setJavaClassPath }: , fontconfig, cpio, cacert, perl, setJavaClassPath }:
let let
@ -19,6 +19,9 @@ let
build = "43"; build = "43";
# On x86 for heap sizes over 700MB disable SEGMEXEC and PAGEEXEC as well.
paxflags = if stdenv.isi686 then "msp" else "m";
in in
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
@ -35,7 +38,7 @@ stdenv.mkDerivation rec {
[ unzip procps ant which zip cpio nettools alsaLib [ unzip procps ant which zip cpio nettools alsaLib
xorg.libX11 xorg.libXt xorg.libXext xorg.libXrender xorg.libXtst xorg.libX11 xorg.libXt xorg.libXext xorg.libXrender xorg.libXtst
xorg.libXi xorg.libXinerama xorg.libXcursor xorg.lndir xorg.libXi xorg.libXinerama xorg.libXcursor xorg.lndir
fontconfig perl fontconfig perl file
]; ];
NIX_LDFLAGS = "-lfontconfig -lXcursor -lXinerama"; NIX_LDFLAGS = "-lfontconfig -lXcursor -lXinerama";
@ -49,7 +52,7 @@ stdenv.mkDerivation rec {
openjdk/{jdk,corba}/make/common/shared/Defs-utils.gmk openjdk/{jdk,corba}/make/common/shared/Defs-utils.gmk
''; '';
patches = [ ./cppflags-include-fix.patch ./fix-java-home.patch ]; patches = [ ./cppflags-include-fix.patch ./fix-java-home.patch ./paxctl.patch ];
NIX_NO_SELF_RPATH = true; NIX_NO_SELF_RPATH = true;
@ -72,6 +75,14 @@ stdenv.mkDerivation rec {
configurePhase = "true"; configurePhase = "true";
preBuild = ''
# We also need to PaX-mark in the middle of the build
substituteInPlace hotspot/make/linux/makefiles/launcher.make \
--replace XXX_PAXFLAGS_XXX ${paxflags}
substituteInPlace jdk/make/common/Program.gmk \
--replace XXX_PAXFLAGS_XXX ${paxflags}
'';
installPhase = '' installPhase = ''
mkdir -p $out/lib/openjdk $out/share $jre/lib/openjdk mkdir -p $out/lib/openjdk $out/share $jre/lib/openjdk
@ -98,6 +109,14 @@ stdenv.mkDerivation rec {
rm -rf $out/lib/openjdk/jre/bin rm -rf $out/lib/openjdk/jre/bin
ln -s $out/lib/openjdk/bin $out/lib/openjdk/jre/bin ln -s $out/lib/openjdk/bin $out/lib/openjdk/jre/bin
# Set PaX markings
exes=$(file $out/lib/openjdk/bin/* $jre/lib/openjdk/jre/bin/* 2> /dev/null | grep -E 'ELF.*(executable|shared object)' | sed -e 's/: .*$//')
echo "to mark: *$exes*"
for file in $exes; do
echo "marking *$file*"
paxmark ${paxflags} "$file"
done
# Remove duplicate binaries. # Remove duplicate binaries.
for i in $(cd $out/lib/openjdk/bin && echo *); do for i in $(cd $out/lib/openjdk/bin && echo *); do
if [ "$i" = java ]; then continue; fi if [ "$i" = java ]; then continue; fi
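Review bot: `./paxctl.patch` is appended to `patches` unconditionally, so every build now rewrites the program headers of the launchers whether or not the target kernel uses PaX, while the libffi expression in this same commit gates its patch on `stdenv.needsPax`. If `stdenv.needsPax` expresses the same condition, consider `patches = [ ./cppflags-include-fix.patch ./fix-java-home.patch ] ++ stdenv.lib.optional stdenv.needsPax ./paxctl.patch;` with the `preBuild` substitutions and the marking loop gated the same way. The two `echo` lines in the marking loop look like leftover debugging output and could be dropped.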


@ -0,0 +1,28 @@
diff --git a/hotspot/make/linux/makefiles/launcher.make b/hotspot/make/linux/makefiles/launcher.make
index 34bbcd6..41b9332 100644
--- a/hotspot/make/linux/makefiles/launcher.make
+++ b/hotspot/make/linux/makefiles/launcher.make
@@ -83,6 +83,8 @@ $(LAUNCHER): $(OBJS) $(LIBJVM) $(LAUNCHER_MAPFILE)
$(QUIETLY) echo Linking launcher...
$(QUIETLY) $(LINK_LAUNCHER/PRE_HOOK)
$(QUIETLY) $(LINK_LAUNCHER) $(LFLAGS_LAUNCHER) -o $@ $(OBJS) $(LIBS_LAUNCHER)
+ paxctl -c $(LAUNCHER)
+ paxctl -zex -XXX_PAXFLAGS_XXX $(LAUNCHER)
$(QUIETLY) $(LINK_LAUNCHER/POST_HOOK)
$(LAUNCHER): $(LAUNCHER_SCRIPT)
diff --git a/jdk/make/common/Program.gmk b/jdk/make/common/Program.gmk
index 091800d..1de8cb4 100644
--- a/jdk/make/common/Program.gmk
+++ b/jdk/make/common/Program.gmk
@@ -60,6 +60,10 @@ ACTUAL_PROGRAM = $(ACTUAL_PROGRAM_DIR)/$(ACTUAL_PROGRAM_NAME)
program_default_rule: all
program: $(ACTUAL_PROGRAM)
+ if [[ "$(PROGRAM)" = "java" ]]; then \
+ paxctl -c $(ACTUAL_PROGRAM); \
+ paxctl -zex -XXX_PAXFLAGS_XXX $(ACTUAL_PROGRAM); \
+ fi
# Work-around for missing processor specific mapfiles
ifndef CROSS_COMPILE_ARCH
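Review bot: `paxctl -c` converts the binary's PT_GNU_STACK program header into PT_PAX_FLAGS, so as far as I know the launcher no longer carries a non-executable-stack marking that a kernel without PaX would honour; that trade-off deserves a comment in this patch or in the Nix expression that applies it. The `program:` recipe also uses `[[ ... ]]`, which only works when make's SHELL is bash; `if [ "$(PROGRAM)" = "java" ]; then \` is portable. Neither added `paxctl` line in the launcher rule is prefixed with `$(QUIETLY)` like the surrounding recipe lines.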


@ -80,6 +80,8 @@ let
ln -s $out/lib/python${majorVersion}/pdb.py $out/bin/pdb ln -s $out/lib/python${majorVersion}/pdb.py $out/bin/pdb
ln -s $out/lib/python${majorVersion}/pdb.py $out/bin/pdb${majorVersion} ln -s $out/lib/python${majorVersion}/pdb.py $out/bin/pdb${majorVersion}
ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz} ln -s $out/share/man/man1/{python2.7.1.gz,python.1.gz}
paxmark E $out/bin/python${majorVersion}
''; '';
passthru = { passthru = {
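Review bot: `paxmark E $out/bin/python${majorVersion}` is added without a comment, and it is the only mark in this commit that turns a PaX feature on rather than off. A line such as `# enable EMUTRAMP so libffi closures (ctypes) keep working under PaX MPROTECT (assumed, confirm)` would tie it to the libffi `--enable-pax_emutramp` change made in the same commit. The same line is added in the two Python sections that follow.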


@ -53,6 +53,8 @@ stdenv.mkDerivation {
postInstall = '' postInstall = ''
rm -rf "$out/lib/python${majorVersion}/test" rm -rf "$out/lib/python${majorVersion}/test"
ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}" ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
paxmark E $out/bin/python${majorVersion}
''; '';
passthru = { passthru = {


@ -54,6 +54,8 @@ stdenv.mkDerivation {
postInstall = '' postInstall = ''
rm -rf "$out/lib/python${majorVersion}/test" rm -rf "$out/lib/python${majorVersion}/test"
ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}" ln -s "$out/include/python${majorVersion}m" "$out/include/python${majorVersion}"
paxmark E $out/bin/python${majorVersion}
''; '';
passthru = { passthru = {


@ -28,7 +28,12 @@ stdenv.mkDerivation rec {
enableParallelBuilding = true; enableParallelBuilding = true;
doCheck = true; doCheck = true;
preCheck = "rm jit-test/tests/sunspider/check-date-format-tofte.js"; # https://bugzil.la/600522 preCheck = ''
rm jit-test/tests/sunspider/check-date-format-tofte.js # https://bugzil.la/600522
paxmark m shell/js17
paxmark mr jsapi-tests/jsapi-tests
'';
meta = with stdenv.lib; { meta = with stdenv.lib; {
description = "Mozilla's JavaScript engine written in C/C++"; description = "Mozilla's JavaScript engine written in C/C++";
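Review bot: `paxmark m shell/js17` leaves RANDMMAP enabled on the shell, while `jsapi-tests/jsapi-tests` here and both binaries in the other spidermonkey section of this commit get `mr`. If the JIT only needs MPROTECT off, `paxmark m jsapi-tests/jsapi-tests` keeps address-space randomisation for the test binary as well; if `r` really is required, a comment naming the failure it avoids would justify it. Either way the two expressions should use the same flags for the same reason.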


@ -28,7 +28,13 @@ stdenv.mkDerivation rec {
enableParallelBuilding = true; enableParallelBuilding = true;
doCheck = true; doCheck = true;
preCheck = "rm jit-test/tests/sunspider/check-date-format-tofte.js"; # https://bugzil.la/600522
preCheck = ''
rm jit-test/tests/sunspider/check-date-format-tofte.js # https://bugzil.la/600522
paxmark mr shell/js
paxmark mr jsapi-tests/jsapi-tests
'';
meta = with stdenv.lib; { meta = with stdenv.lib; {
description = "Mozilla's JavaScript engine written in C/C++"; description = "Mozilla's JavaScript engine written in C/C++";


@ -3,8 +3,8 @@
, libX11, libICE, libSM, useX11 ? (stdenv.isLinux || stdenv.isDarwin) }: , libX11, libICE, libSM, useX11 ? (stdenv.isLinux || stdenv.isDarwin) }:
let let
version = "1.8.2"; version = "1.8.4";
sha256 = "025f7dnhr4gy5vcqsvn78x2bk382ldvf4x3ryd9wkbb5250zg2an"; sha256 = "1y0zcmd4jsf2gq5yymz9gcnwxijh0vxbmxz73q3l440is343vxiy";
inherit (stdenv) lib; inherit (stdenv) lib;


@ -22,8 +22,12 @@ stdenv.mkDerivation rec {
--disable-examples --enable-failing-tests --localstatedir=/var --disable-gtk-doc --disable-docbook --disable-examples --enable-failing-tests --localstatedir=/var --disable-gtk-doc --disable-docbook
''; '';
postInstall = ''
# Hm, apparently --disable-gtk-doc is ignored... # Hm, apparently --disable-gtk-doc is ignored...
postInstall = "rm -rf $out/share/gtk-doc"; rm -rf $out/share/gtk-doc
paxmark m $out/bin/gst-launch* $out/libexec/gstreamer-*/gst-plugin-scanner
'';
setupHook = ./setup-hook.sh; setupHook = ./setup-hook.sh;


@ -8,9 +8,13 @@ stdenv.mkDerivation rec {
sha256 = "077ibkf84bvcd6rw1m6jb107br63i2pp301rkmsbgg6300adxp8x"; sha256 = "077ibkf84bvcd6rw1m6jb107br63i2pp301rkmsbgg6300adxp8x";
}; };
patches = stdenv.lib.optional (stdenv.needsPax) ./libffi-3.0.13-emutramp_pax_proc.patch;
buildInputs = stdenv.lib.optional doCheck dejagnu; buildInputs = stdenv.lib.optional doCheck dejagnu;
configureFlags = [ "--with-gcc-arch=generic" ]; # no detection of -march= or -mtune= configureFlags = [
"--with-gcc-arch=generic" # no detection of -march= or -mtune=
] ++ stdenv.lib.optional (stdenv.needsPax) "--enable-pax_emutramp";
doCheck = stdenv.isLinux; # until we solve dejagnu problems on darwin and expect on BSD doCheck = stdenv.isLinux; # until we solve dejagnu problems on darwin and expect on BSD


@ -0,0 +1,37 @@
2013-05-22 Magnus Granberg <zorry@gentoo.org>
#457194
* src/closuer.c (emutramp_enabled_check): Check with /proc.
--- a/src/closures.c 2013-03-17 23:27:11.000000000 +0100
+++ b/src/closures.c 2013-04-29 23:26:02.279022022 +0200
@@ -181,10 +181,26 @@ static int emutramp_enabled = -1;
static int
emutramp_enabled_check (void)
{
- if (getenv ("FFI_DISABLE_EMUTRAMP") == NULL)
- return 1;
- else
+ char *buf = NULL;
+ size_t len = 0;
+ FILE *f;
+ int ret;
+ f = fopen ("/proc/self/status", "r");
+ if (f == NULL)
return 0;
+ ret = 0;
+
+ while (getline (&buf, &len, f) != -1)
+ if (!strncmp (buf, "PaX:", 4))
+ {
+ char emutramp;
+ if (sscanf (buf, "%*s %*c%c", &emutramp) == 1)
+ ret = (emutramp == 'E');
+ break;
+ }
+ free (buf);
+ fclose (f);
+ return ret;
}
#define is_emutramp_enabled() (emutramp_enabled >= 0 ? emutramp_enabled \
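Review bot: After this patch `emutramp_enabled_check` returns 0 whenever `/proc/self/status` cannot be opened, so a process running without /proc mounted silently takes the non-emulated trampoline path, which is presumably the path PaX MPROTECT blocks. The `FFI_DISABLE_EMUTRAMP` environment override is removed at the same time, leaving no way to force either behaviour. A comment above the function stating both, e.g. `/* Returns 1 only if the PaX: line of /proc/self/status has EMUTRAMP set; 0 if /proc is unavailable. */`, would document the contract. `getline` and `strncmp` need stdio.h (with `_GNU_SOURCE` on older glibc) and string.h, and the include list is outside the hunk.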


@ -1,5 +1,5 @@
{stdenv, fetchurl, pkgconfig { stdenv, fetchurl, pkgconfig
, libvorbis, libtheora, speex}: , libvorbis, libtheora, speex }:
# need pkgconfig so that libshout installs ${out}/lib/pkgconfig/shout.pc # need pkgconfig so that libshout installs ${out}/lib/pkgconfig/shout.pc
@ -11,7 +11,8 @@ stdenv.mkDerivation rec {
sha256 = "cf3c5f6b4a5e3fcfbe09fb7024aa88ad4099a9945f7cb037ec06bcee7a23926e"; sha256 = "cf3c5f6b4a5e3fcfbe09fb7024aa88ad4099a9945f7cb037ec06bcee7a23926e";
}; };
buildInputs = [ libvorbis libtheora speex pkgconfig ]; nativeBuildInputs = [ pkgconfig ];
propagatedBuildInputs = [ libvorbis libtheora speex ];
meta = { meta = {
description = "icecast 'c' language bindings"; description = "icecast 'c' language bindings";


@ -1,11 +1,11 @@
{ stdenv, fetchurl, perl, texinfo }: { stdenv, fetchurl, perl, texinfo }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "libtasn1-3.4"; name = "libtasn1-3.6";
src = fetchurl { src = fetchurl {
url = "mirror://gnu/libtasn1/${name}.tar.gz"; url = "mirror://gnu/libtasn1/${name}.tar.gz";
sha256 = "1j5cwsjk9wai700ljsr5qyzywijrr5ba05hhg4mkgqlg8mx50lzk"; sha256 = "0c547qa1vfk1x2jzgjhf65izf4sfi86c6g46q7779g4aldk4gqqr";
}; };
buildInputs = [ perl texinfo ]; buildInputs = [ perl texinfo ];


@ -1,7 +1,8 @@
{ stdenv, fetchurl, pkgconfig, intltool, flex, bison, autoreconfHook { stdenv, fetchurl, pkgconfig, intltool, flex, bison, autoreconfHook, substituteAll
, python, libxml2Python, file, expat, makedepend , python, libxml2Python, file, expat, makedepend
, libdrm, xorg, wayland, udev, llvm, libffi , libdrm, xorg, wayland, udev, llvm, libffi
, libvdpau, libelf , libvdpau, libelf
, grsecEnabled
, enableTextureFloats ? false # Texture floats are patented, see docs/patents.txt , enableTextureFloats ? false # Texture floats are patented, see docs/patents.txt
, enableExtraFeatures ? false # not maintained , enableExtraFeatures ? false # not maintained
}: }:
@ -23,7 +24,7 @@ else
*/ */
let let
version = "10.1.4"; version = "10.1.5";
# this is the default search path for DRI drivers # this is the default search path for DRI drivers
driverLink = "/run/opengl-driver" + stdenv.lib.optionalString stdenv.isi686 "-32"; driverLink = "/run/opengl-driver" + stdenv.lib.optionalString stdenv.isi686 "-32";
in in
@ -34,16 +35,21 @@ stdenv.mkDerivation {
src = fetchurl { src = fetchurl {
url = "ftp://ftp.freedesktop.org/pub/mesa/${version}/MesaLib-${version}.tar.bz2"; url = "ftp://ftp.freedesktop.org/pub/mesa/${version}/MesaLib-${version}.tar.bz2";
sha256 = "0g2j2zz7yq3i8k8dkji8h7iqfbcm8afb5lrb4dxrcyjl1bh6gibg"; sha256 = "1g2vy7zaamzs00xasiwg0d6cb5sclfd9v8jms14ll9bghg3mwv5w";
}; };
prePatch = "patchShebangs ."; prePatch = "patchShebangs .";
patches = [ patches = [
./static-gallium.patch ./static-gallium.patch
./glx_ro_text_segm.patch # fix for grsecurity/PaX
# TODO: revive ./dricore-gallium.patch when it gets ported (from Ubuntu), # TODO: revive ./dricore-gallium.patch when it gets ported (from Ubuntu),
# as it saved ~35 MB in $drivers; watch https://launchpad.net/ubuntu/+source/mesa/+changelog # as it saved ~35 MB in $drivers; watch https://launchpad.net/ubuntu/+source/mesa/+changelog
]; ] ++ optional stdenv.isLinux
(substituteAll {
src = ./dlopen-absolute-paths.diff;
inherit udev;
});
# Change the search path for EGL drivers from $drivers/* to driverLink # Change the search path for EGL drivers from $drivers/* to driverLink
postPatch = '' postPatch = ''
@ -79,7 +85,8 @@ stdenv.mkDerivation {
"--enable-openvg" "--enable-gallium-egl" # not needed for EGL in Gallium, but OpenVG might be useful "--enable-openvg" "--enable-gallium-egl" # not needed for EGL in Gallium, but OpenVG might be useful
#"--enable-xvmc" # tests segfault with 9.1.{1,2,3} #"--enable-xvmc" # tests segfault with 9.1.{1,2,3}
#"--enable-opencl" # ToDo: opencl seems to need libclc for clover #"--enable-opencl" # ToDo: opencl seems to need libclc for clover
]; ]
++ optional grsecEnabled "--enable-glx-rts"; # slight performance degradation, enable only for grsec
nativeBuildInputs = [ pkgconfig python makedepend file flex bison ]; nativeBuildInputs = [ pkgconfig python makedepend file flex bison ];
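Review bot: `grsecEnabled` is introduced as a required argument with no default, so every caller of this expression has to supply it, and it is a second way of asking whether the system uses PaX next to `stdenv.needsPax`, which the libffi expression in this commit relies on. Declaring it as `, grsecEnabled ? stdenv.needsPax`, or using `stdenv.needsPax` directly at `++ optional grsecEnabled "--enable-glx-rts"`, would keep the two packages in agreement. The call site is outside this page, so confirm what is passed today.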


@ -0,0 +1,13 @@
diff --git a/src/loader/loader.c b/src/loader/loader.c
index 666d015..4d7a9be 100644
--- a/src/loader/loader.c
+++ b/src/loader/loader.c
@@ -101,7 +101,7 @@ static void *
udev_dlopen_handle(void)
{
if (!udev_handle) {
- udev_handle = dlopen("libudev.so.1", RTLD_LOCAL | RTLD_LAZY);
+ udev_handle = dlopen("@udev@/lib/libudev.so.1", RTLD_LOCAL | RTLD_LAZY);
if (!udev_handle) {
/* libudev.so.1 changed the return types of the two unref functions
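Review bot: Only the first `dlopen` in `udev_dlopen_handle` is switched to the absolute `@udev@/lib/libudev.so.1`; the trailing comment about libudev.so.1 changing return types suggests a fallback `dlopen` of an older soname follows just outside the hunk. If it does, that call still resolves through the normal library search path, LD_LIBRARY_PATH included, which is what the absolute path was meant to avoid. Either give the fallback an absolute path as well or remove it, since the store path substituted for `@udev@` ships a known soname.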


@ -0,0 +1,25 @@
diff --git a/configure.ac b/configure.ac
index 5068913..3d4271e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -429,6 +429,20 @@ AC_SUBST([GLESv2_LIB_GLOB])
AC_SUBST([VG_LIB_GLOB])
AC_SUBST([GLAPI_LIB_GLOB])
+
+dnl readonly text segment on x86 hardened platforms
+AC_ARG_ENABLE([glx_rts],
+ [AS_HELP_STRING([--enable-glx-rts],
+ [on x86, use a readonly text segment for libGL @<:@default=disabled@:>@])],
+ [enable_glx_rts="$enableval"],
+ [enable_glx_rts=no])
+if test "x$enable_glx_rts" = xyes; then
+ DEFINES="$DEFINES -DGLX_X86_READONLY_TEXT"
+else
+ enable_glx_rts=no
+fi
+
+
dnl
dnl Arch/platform-specific settings
dnl


@ -58,6 +58,12 @@ stdenv.mkDerivation rec {
makeFlags = "INTROSPECTION_GIRDIR=$(out)/share/gir-1.0 INTROSPECTION_TYPELIBDIR=$(out)/lib/girepository-1.0"; makeFlags = "INTROSPECTION_GIRDIR=$(out)/share/gir-1.0 INTROSPECTION_TYPELIBDIR=$(out)/lib/girepository-1.0";
# The following is required on grsecurity/PaX due to spidermonkey's JIT
postBuild = ''
paxmark mr src/polkitbackend/.libs/polkitd
paxmark mr test/polkitbackend/.libs/polkitbackendjsauthoritytest
'';
#doCheck = true; # some /bin/bash problem that isn't auto-solved by patchShebangs #doCheck = true; # some /bin/bash problem that isn't auto-solved by patchShebangs
meta = with stdenv.lib; { meta = with stdenv.lib; {
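Review bot: The `r` in `paxmark mr` is not covered by the comment above it. The JIT explanation accounts for relaxing MPROTECT (`m`), but `r` additionally turns off mmap randomisation for polkitd, the authorisation daemon. If RANDMMAP really has to be off for spidermonkey here, the comment should say so, e.g. `# m: the JIT needs writable+executable mappings; r: <reason RANDMMAP must be off>`; otherwise `paxmark m` would be the narrower marking. The second target looks like a test binary, so only the polkitd line should matter for installed systems.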


@ -15,6 +15,8 @@ stdenv.mkDerivation {
buildInputs = [ cmake qt4 ]; buildInputs = [ cmake qt4 ];
patches = [ ./qimageblitz-9999-exec-stack.patch ];
meta = { meta = {
description = "Graphical effect and filter library for KDE4"; description = "Graphical effect and filter library for KDE4";
license = "BSD"; license = "BSD";


@ -0,0 +1,11 @@
diff -uar qimageblitz/blitz/asm_scale.S qimageblitz~/blitz/asm_scale.S
--- qimageblitz-orig/blitz/asm_scale.S 2007-10-17 01:17:57.000000000 +0200
+++ qimageblitz/blitz/asm_scale.S 2007-10-17 01:19:12.000000000 +0200
@@ -814,3 +814,7 @@
SIZE(qimageScale_mmx_AARGBA)
#endif
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
+


@ -27,6 +27,11 @@ stdenv.mkDerivation rec {
# Make binutils output deterministic by default. # Make binutils output deterministic by default.
./deterministic.patch ./deterministic.patch
# Always add PaX flags section to ELF files.
# This is needed, for instance, so that running "ldd" on a binary that is
# PaX-marked to disable mprotect doesn't fail with permission denied.
./pt-pax-flags-20121023.patch
]; ];
buildInputs = buildInputs =

File diff suppressed because it is too large Load diff


@ -1,15 +1,17 @@
{stdenv, fetchurl, automake, vanilla ? false}: {stdenv, fetchurl, automake, vanilla ? false}:
stdenv.mkDerivation (rec { stdenv.mkDerivation (rec {
name = "pkg-config-0.23"; name = "pkg-config-0.28";
setupHook = ./setup-hook.sh; setupHook = ./setup-hook.sh;
src = fetchurl { src = fetchurl {
url = "http://pkgconfig.freedesktop.org/releases/${name}.tar.gz"; url = "http://pkgconfig.freedesktop.org/releases/${name}.tar.gz";
sha256 = "0lrvk17724mc2nzpaa0vwybarrl50r7qdnr4h6jijm50srrf1808"; sha256 = "0igqq5m204w71m11y0nipbdf5apx87hwfll6axs12hn4dqfb6vkb";
}; };
configureFlags = [ "--with-internal-glib" ];
patches = if vanilla then [] else [ patches = if vanilla then [] else [
# Process Requires.private properly, see # Process Requires.private properly, see
# http://bugs.freedesktop.org/show_bug.cgi?id=4738. # http://bugs.freedesktop.org/show_bug.cgi?id=4738.


@ -1,221 +1,17 @@
diff -rc pkg-config-0.23-orig/main.c pkg-config-0.23/main.c diff --git a/main.c b/main.c
*** pkg-config-0.23-orig/main.c 2008-01-16 23:06:48.000000000 +0100 index b61ca34..5a420c2 100644
--- pkg-config-0.23/main.c 2008-10-14 13:04:04.000000000 +0200 --- a/main.c
*************** +++ b/main.c
*** 431,436 **** @@ -602,10 +602,10 @@ main (int argc, char **argv)
--- 431,454 ----
else else
disable_private_libs(); disable_private_libs();
+ /* Only process Requires field if cflags or libs wanted */ - /* honor Requires.private if any Cflags are requested or any static
+ if (want_libs || + /* honor Requires.private if any any static
+ want_cflags || * libs are requested */
+ want_l_libs ||
+ want_L_libs ||
+ want_other_libs ||
+ want_I_cflags ||
+ want_other_cflags)
+ enable_requires();
+ else
+ disable_requires();
+
+ /* Only process Requires.private if static libs wanted */
+ if (want_static_lib_list)
+ enable_requires_private();
+ else
+ disable_requires_private();
+
if (want_my_version)
{
printf ("%s\n", VERSION);
diff -rc pkg-config-0.23-orig/parse.c pkg-config-0.23/parse.c
*** pkg-config-0.23-orig/parse.c 2008-01-16 21:42:49.000000000 +0100
--- pkg-config-0.23/parse.c 2008-10-13 14:41:42.000000000 +0200
***************
*** 913,919 ****
#endif
static void - if (pkg_flags & CFLAGS_ANY || want_requires_private || want_exists ||
! parse_line (Package *pkg, const char *untrimmed, const char *path, gboolean ignore_requires, gboolean ignore_private_libs) + if (want_requires_private ||
{ (want_static_lib_list && (pkg_flags & LIBS_ANY)))
char *str; enable_requires_private();
char *p;
--- 913,921 ----
#endif
static void
! parse_line (Package *pkg, const char *untrimmed, const char *path,
! gboolean ignore_requires, gboolean ignore_requires_private,
! gboolean ignore_private_libs)
{
char *str;
char *p;
***************
*** 956,970 ****
parse_description (pkg, p, path);
else if (strcmp (tag, "Version") == 0)
parse_version (pkg, p, path);
! else if (strcmp (tag, "Requires.private") == 0)
! parse_requires_private (pkg, p, path);
! else if (strcmp (tag, "Requires") == 0)
! {
! if (ignore_requires == FALSE)
! parse_requires (pkg, p, path);
! else
! goto cleanup;
! }
else if ((strcmp (tag, "Libs.private") == 0) &&
ignore_private_libs == FALSE)
parse_libs_private (pkg, p, path);
--- 958,969 ----
parse_description (pkg, p, path);
else if (strcmp (tag, "Version") == 0)
parse_version (pkg, p, path);
! else if ((strcmp (tag, "Requires.private") == 0) &&
! ignore_requires_private == FALSE)
! parse_requires_private (pkg, p, path);
! else if ((strcmp (tag, "Requires") == 0) &&
! ignore_requires == FALSE)
! parse_requires (pkg, p, path);
else if ((strcmp (tag, "Libs.private") == 0) &&
ignore_private_libs == FALSE)
parse_libs_private (pkg, p, path);
***************
*** 1067,1073 ****
}
Package*
! parse_package_file (const char *path, gboolean ignore_requires, gboolean ignore_private_libs)
{
FILE *f;
Package *pkg;
--- 1066,1074 ----
}
Package*
! parse_package_file (const char *path, gboolean ignore_requires,
! gboolean ignore_requires_private,
! gboolean ignore_private_libs)
{
FILE *f;
Package *pkg;
***************
*** 1104,1110 ****
{
one_line = TRUE;
! parse_line (pkg, str->str, path, ignore_requires, ignore_private_libs);
g_string_truncate (str, 0);
}
--- 1105,1112 ----
{
one_line = TRUE;
! parse_line (pkg, str->str, path, ignore_requires,
! ignore_requires_private, ignore_private_libs);
g_string_truncate (str, 0);
}
diff -rc pkg-config-0.23-orig/parse.h pkg-config-0.23/parse.h
*** pkg-config-0.23-orig/parse.h 2008-01-16 21:42:49.000000000 +0100
--- pkg-config-0.23/parse.h 2008-10-13 14:41:42.000000000 +0200
***************
*** 23,28 ****
--- 23,29 ----
#include "pkg.h"
Package *parse_package_file (const char *path, gboolean ignore_requires,
+ gboolean ignore_requires_private,
gboolean ignore_private_libs);
Package *get_compat_package (const char *name);
diff -rc pkg-config-0.23-orig/pkg.c pkg-config-0.23/pkg.c
*** pkg-config-0.23-orig/pkg.c 2008-01-16 22:59:49.000000000 +0100
--- pkg-config-0.23/pkg.c 2008-10-13 14:41:42.000000000 +0200
***************
*** 55,60 ****
--- 55,61 ----
gboolean disable_uninstalled = FALSE;
gboolean ignore_requires = FALSE;
+ gboolean ignore_requires_private = FALSE;
gboolean ignore_private_libs = TRUE;
void
***************
*** 337,343 ****
}
debug_spew ("Reading '%s' from file '%s'\n", name, location);
! pkg = parse_package_file (location, ignore_requires, ignore_private_libs);
if (pkg == NULL)
{
--- 338,345 ----
}
debug_spew ("Reading '%s' from file '%s'\n", name, location);
! pkg = parse_package_file (location, ignore_requires, ignore_requires_private,
! ignore_private_libs);
if (pkg == NULL)
{
***************
*** 1506,1511 ****
--- 1508,1514 ----
int mlen = 0;
ignore_requires = TRUE;
+ ignore_requires_private = TRUE;
g_hash_table_foreach (locations, max_len_foreach, &mlen);
g_hash_table_foreach (locations, packages_foreach, GINT_TO_POINTER (mlen + 1));
***************
*** 1522,1524 ****
--- 1525,1551 ----
{
ignore_private_libs = TRUE;
}
+
+ void
+ enable_requires(void)
+ {
+ ignore_requires = FALSE;
+ }
+
+ void
+ disable_requires(void)
+ {
+ ignore_requires = TRUE;
+ }
+
+ void
+ enable_requires_private(void)
+ {
+ ignore_requires_private = FALSE;
+ }
+
+ void
+ disable_requires_private(void)
+ {
+ ignore_requires_private = TRUE;
+ }
diff -rc pkg-config-0.23-orig/pkg.h pkg-config-0.23/pkg.h
*** pkg-config-0.23-orig/pkg.h 2008-01-16 22:27:19.000000000 +0100
--- pkg-config-0.23/pkg.h 2008-10-13 14:41:42.000000000 +0200
***************
*** 120,125 ****
--- 120,131 ----
void enable_private_libs(void);
void disable_private_libs(void);
+ void enable_requires(void);
+ void disable_requires(void);
+
+ void enable_requires_private(void);
+ void disable_requires_private(void);
+
/* If TRUE, do not automatically prefer uninstalled versions */
extern gboolean disable_uninstalled;
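Review bot: The comment added by the rewritten patch reads `/* honor Requires.private if any any static`; the doubled "any" should go, giving `/* honor Requires.private if any static`. More substantively, as far as the right-hand column shows, the new condition `if (want_requires_private ||` drops both `pkg_flags & CFLAGS_ANY` and `want_exists` from the upstream test, so an `--exists` query would apparently no longer consider Requires.private. A sentence in the patch header, or next to the `patches` entry in the derivation, stating that this is intended would save the next reader from re-deriving it. The hunk sits inside `main`, whose body lies outside the patch.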


@ -62,6 +62,9 @@ in stdenv.mkDerivation rec {
install -D ${gecko} $out/share/wine/gecko/${gecko64.name} install -D ${gecko} $out/share/wine/gecko/${gecko64.name}
'' + '' '' + ''
install -D ${mono} $out/share/wine/mono/${mono.name} install -D ${mono} $out/share/wine/mono/${mono.name}
paxmark psmr $out/bin/wine{,-preloader}
wrapProgram $out/bin/wine --prefix LD_LIBRARY_PATH : ${stdenv.gcc.gcc}/lib wrapProgram $out/bin/wine --prefix LD_LIBRARY_PATH : ${stdenv.gcc.gcc}/lib
''; '';
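Review bot: `paxmark psmr` switches off PAGEEXEC, SEGMEXEC, MPROTECT and RANDMMAP on `wine` and `wine-preloader` with no comment saying why, which makes it hard to narrow the marking later. The GRUB derivation's `paxmark pms $out/sbin/grub-{probe,bios-setup}` further down has the same gap. A line such as `# wine loads and runs foreign PE code, so PaX memory restrictions are relaxed for the loader binaries` above the call would record the intent (wording to be confirmed by the author). It is also worth noting in that comment that the call has to stay before `wrapProgram`, since afterwards `$out/bin/wine` is a wrapper script rather than the ELF binary.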


@ -0,0 +1,13 @@
diff --git a/module/spl/spl-proc.c b/module/spl/spl-proc.c
index f25239a..b731123 100644
--- a/module/spl/spl-proc.c
+++ b/module/spl/spl-proc.c
@@ -38,7 +38,7 @@
#define SS_DEBUG_SUBSYS SS_PROC
-#if defined(CONSTIFY_PLUGIN) && LINUX_VERSION_CODE >= KERNEL_VERSION(3,8,0)
+#if defined(CONSTIFY_PLUGIN)
typedef struct ctl_table __no_const spl_ctl_table;
#else
typedef struct ctl_table spl_ctl_table;


@ -7,7 +7,7 @@ stdenv.mkDerivation {
sha256 = "196scl8q0bkkak6m0p1l1fz254cgsizqm73bf9wk3iynamq7qmrw"; sha256 = "196scl8q0bkkak6m0p1l1fz254cgsizqm73bf9wk3iynamq7qmrw";
}; };
patches = [ ./install_prefix.patch ./3_12-compat.patch ./3_13-compat-1.patch ./3_13-compat-2.patch ]; patches = [ ./install_prefix.patch ./3_12-compat.patch ./3_13-compat-1.patch ./3_13-compat-2.patch ./const.patch ];
buildInputs = [ perl autoconf automake libtool ]; buildInputs = [ perl autoconf automake libtool ];


@ -12,6 +12,7 @@ cat "$setup" >> $out/setup
sed -e "s^@initialPath@^$initialPath^g" \ sed -e "s^@initialPath@^$initialPath^g" \
-e "s^@gcc@^$gcc^g" \ -e "s^@gcc@^$gcc^g" \
-e "s^@shell@^$shell^g" \ -e "s^@shell@^$shell^g" \
-e "s^@needsPax@^$needsPax^g" \
< $out/setup > $out/setup.tmp < $out/setup > $out/setup.tmp
mv $out/setup.tmp $out/setup mv $out/setup.tmp $out/setup


@ -10,6 +10,8 @@ let lib = import ../../../lib; in lib.makeOverridable (
, setupScript ? ./setup.sh , setupScript ? ./setup.sh
, extraBuildInputs ? [] , extraBuildInputs ? []
, skipPaxMarking ? false
}: }:
let let
@ -38,11 +40,19 @@ let
builder = shell; builder = shell;
args = ["-e" ./builder.sh]; args = ["-e" ./builder.sh];
/* TODO: special-cased @var@ substitutions are ugly.
However, using substituteAll* from setup.sh seems difficult,
as setup.sh can't be directly sourced.
Suggestion: split similar utility functions into a separate script.
*/
setup = setupScript; setup = setupScript;
inherit preHook initialPath gcc shell; inherit preHook initialPath gcc shell;
# Whether we should run paxctl to pax-mark binaries
needsPax = result.isLinux && !skipPaxMarking;
propagatedUserEnvPkgs = [gcc] ++ propagatedUserEnvPkgs = [gcc] ++
lib.filter lib.isDerivation initialPath; lib.filter lib.isDerivation initialPath;


@ -93,6 +93,7 @@ PATH=
for i in $NIX_GCC @initialPath@; do for i in $NIX_GCC @initialPath@; do
if [ "$i" = / ]; then i=; fi if [ "$i" = / ]; then i=; fi
addToSearchPath PATH $i/bin addToSearchPath PATH $i/bin
addToSearchPath PATH $i/sbin
done done
if [ "$NIX_DEBUG" = 1 ]; then if [ "$NIX_DEBUG" = 1 ]; then
@ -293,6 +294,18 @@ stripDirs() {
fi fi
} }
# PaX-mark binaries
paxmark() {
local flags="$1"
shift
if [ -z "@needsPax@" ]; then
return
fi
paxctl -c "$@"
paxctl -zex -${flags} "$@"
}
###################################################################### ######################################################################
# Textual substitution functions. # Textual substitution functions.
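Review bot: `paxmark` does not say what the fixed `-zex` prefix and the unconditional `paxctl -c` do, and both change security-relevant ELF state on every marked binary. As far as I recall paxctl's options, `-c` converts PT_GNU_STACK into PT_PAX_FLAGS when the latter is missing, so on a kernel without PaX such a binary would lose its non-executable-stack marker. That is harmless only if every binary already carries PT_PAX_FLAGS, which the binutils patch in this commit appears intended to guarantee. I would document this above the function, e.g. `# paxmark FLAGS FILE...: reset PaX flags, then apply FLAGS (lowercase = disable); no-op unless @needsPax@ is non-empty`, and add a second comment line on the PT_GNU_STACK caveat.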


@ -210,6 +210,7 @@ rec {
extraAttrs = { extraAttrs = {
glibc = stdenvLinuxGlibc; # Required by gcc47 build glibc = stdenvLinuxGlibc; # Required by gcc47 build
}; };
extraPath = [ stdenvLinuxBoot1Pkgs.paxctl ];
inherit fetchurl; inherit fetchurl;
}; };
@ -268,7 +269,7 @@ rec {
initialPath = initialPath =
((import ../common-path.nix) {pkgs = stdenvLinuxBoot4Pkgs;}) ((import ../common-path.nix) {pkgs = stdenvLinuxBoot4Pkgs;})
++ [stdenvLinuxBoot4Pkgs.patchelf]; ++ [stdenvLinuxBoot4Pkgs.patchelf stdenvLinuxBoot4Pkgs.paxctl ];
gcc = wrapGCC rec { gcc = wrapGCC rec {
inherit (stdenvLinuxBoot4Pkgs) binutils coreutils; inherit (stdenvLinuxBoot4Pkgs) binutils coreutils;
@ -295,7 +296,7 @@ rec {
inherit (stdenvLinuxBoot4Pkgs) inherit (stdenvLinuxBoot4Pkgs)
gzip bzip2 xz bash coreutils diffutils findutils gawk gzip bzip2 xz bash coreutils diffutils findutils gawk
gnumake gnused gnutar gnugrep gnupatch patchelf gnumake gnused gnutar gnugrep gnupatch patchelf
attr acl; attr acl paxctl;
}; };
}; };


@ -68,6 +68,10 @@ stdenv.mkDerivation rec {
doCheck = false; doCheck = false;
enableParallelBuilding = true; enableParallelBuilding = true;
postInstall = ''
paxmark pms $out/sbin/grub-{probe,bios-setup}
'';
meta = { meta = {
description = "GNU GRUB, the Grand Unified Boot Loader (2.x beta)"; description = "GNU GRUB, the Grand Unified Boot Loader (2.x beta)";


@ -5559,11 +5559,18 @@ let
mesaSupported = lib.elem system lib.platforms.mesaPlatforms; mesaSupported = lib.elem system lib.platforms.mesaPlatforms;
mesa_original = callPackage ../development/libraries/mesa { }; mesa_original = callPackage ../development/libraries/mesa {
# makes it slower, but during runtime we link against just mesa_drivers
# through /run/opengl-driver*, which is overriden according to config.grsecurity
grsecEnabled = true;
};
mesa_noglu = if stdenv.isDarwin mesa_noglu = if stdenv.isDarwin
then darwinX11AndOpenGL // { driverLink = mesa_noglu; } then darwinX11AndOpenGL // { driverLink = mesa_noglu; }
else mesa_original; else mesa_original;
mesa_drivers = mesa_original.drivers; mesa_drivers = let
mo = mesa_original.override { grsecEnabled = config.grsecurity or false; };
in mo.drivers;
mesa_glu = callPackage ../development/libraries/mesa-glu { }; mesa_glu = callPackage ../development/libraries/mesa-glu { };
mesa = if stdenv.isDarwin then darwinX11AndOpenGL mesa = if stdenv.isDarwin then darwinX11AndOpenGL
else buildEnv { else buildEnv {