From 764a1d3752ee90998eaa01d42be3f4e6c68beb6e Mon Sep 17 00:00:00 2001
From: Robert Scott <code@humanleg.org.uk>
Date: Sat, 7 Jan 2023 13:48:16 +0000
Subject: [PATCH 01/11] libconfuse: add patch for CVE-2022-40320

---
 .../libraries/libconfuse/default.nix | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/pkgs/development/libraries/libconfuse/default.nix b/pkgs/development/libraries/libconfuse/default.nix
index 7545fe9617cc..91a5a2f26f87 100644
--- a/pkgs/development/libraries/libconfuse/default.nix
+++ b/pkgs/development/libraries/libconfuse/default.nix
@@ -1,4 +1,10 @@
-{ lib, stdenv, fetchFromGitHub, autoreconfHook, flex }:
+{ lib
+, stdenv
+, fetchFromGitHub
+, fetchpatch
+, autoreconfHook
+, flex
+}:
 
 stdenv.mkDerivation rec {
   pname = "libconfuse";
@@ -11,6 +17,18 @@ stdenv.mkDerivation rec {
     owner = "martinh";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2022-40320.patch";
+      urls = [
+        "https://sources.debian.org/data/main/libc/libconfuse/3.3-3/debian/patches/CVE-2022-40320.patch"
+        # files on sources.debian.org can disappear
+        "https://web.archive.org/web/20230107133212/https://sources.debian.org/data/main/libc/libconfuse/3.3-3/debian/patches/CVE-2022-40320.patch"
+      ];
+      sha256 = "sha256-ftfE9JFz4nyRSOb2xHb9BAtgWn5Yv2WLm4RegDLtiBw=";
+    })
+  ];
+
   postPatch = ''
     substituteInPlace tests/Makefile.am \
       --replace 'TESTS += empty_string' "" \

From 35441890e67452531f23312667705ad30666defa Mon Sep 17 00:00:00 2001
From: "R. Ryantm" <ryantm-bot@ryantm.com>
Date: Sat, 7 Jan 2023 15:41:53 +0000
Subject: [PATCH 02/11] kodiPackages.youtube: 6.8.23+matrix.1 -> 6.8.24+matrix.1

---
 pkgs/applications/video/kodi/addons/youtube/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/applications/video/kodi/addons/youtube/default.nix b/pkgs/applications/video/kodi/addons/youtube/default.nix
index fe6ac234cc14..8dab69bb56ac 100644
--- a/pkgs/applications/video/kodi/addons/youtube/default.nix
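Review bot: The new `patches` entry in the second hunk stores an SRI-formatted value under `sha256`, while later commits in this same series move derivations from `vendorSha256` to `vendorHash`; `hash = "sha256-ftfE9JFz4nyRSOb2xHb9BAtgWn5Yv2WLm4RegDLtiBw=";` would be the consistent spelling. The entry also says nothing about what is being fixed beyond the file name, so a one-line comment above `(fetchpatch {` such as `# fix for CVE-2022-40320, taken from Debian's libconfuse 3.3-3 packaging` would let a reader audit the source without following the URLs. Both URLs pin Debian's 3.3-3 packaging, but the packaged `version` is outside this hunk, so whether the patch applies cleanly to the release actually built here cannot be confirmed from the diff alone. The enclosing `stdenv.mkDerivation` begins and ends outside both hunks.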
+++ b/pkgs/applications/video/kodi/addons/youtube/default.nix
@@ -3,11 +3,11 @@
 buildKodiAddon rec {
   pname = "youtube";
   namespace = "plugin.video.youtube";
-  version = "6.8.23+matrix.1";
+  version = "6.8.24+matrix.1";
 
   src = fetchzip {
     url = "https://mirrors.kodi.tv/addons/matrix/${namespace}/${namespace}-${version}.zip";
-    sha256 = "GIPgw1exAgw/D5vNpQQkUnTye66jfLLI5/asrthEDPQ=";
+    sha256 = "/yQML2iK5jcIhN6RJC+WJ8EnH640qFJFdaaVeGPEg9U=";
   };
 
   propagatedBuildInputs = [

From 4b2f36fc9f95f4ed095314ab741482dad10fc489 Mon Sep 17 00:00:00 2001
From: Fabian Affolter <mail@fabian-affolter.ch>
Date: Sun, 8 Jan 2023 12:09:49 +0100
Subject: [PATCH 03/11] crowdsec: 1.4.3 -> 1.4.4

Diff: https://github.com/crowdsecurity/crowdsec/compare/v1.4.3...v1.4.4

Changelog: https://github.com/crowdsecurity/crowdsec/releases/tag/v1.4.4
---
 pkgs/tools/security/crowdsec/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/tools/security/crowdsec/default.nix b/pkgs/tools/security/crowdsec/default.nix
index 55107d627104..e05a1f5927a6 100644
--- a/pkgs/tools/security/crowdsec/default.nix
+++ b/pkgs/tools/security/crowdsec/default.nix
@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "crowdsec";
-  version = "1.4.3";
+  version = "1.4.4";
 
   src = fetchFromGitHub {
     owner = "crowdsecurity";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-joLnKWKJR4XSoGTTx5xIKB8OH3EwSJbjEArYsPaVAOk=";
+    hash = "sha256-XzIgkGL/G3nCRX+L5U2gM1ZEzddd6hanwaWJmn9uKzc=";
   };
 
   vendorHash = "sha256-FPsoufB9UDgBDIE3yUq4doBse3qgjP19ussYnMAxntk=";

From 6ae53e4cca6ceb603d108a6b7fcaf52960d972bb Mon Sep 17 00:00:00 2001
From: Fabian Affolter <mail@fabian-affolter.ch>
Date: Sun, 8 Jan 2023 12:24:33 +0100
Subject: [PATCH 04/11] grype: 0.54.0 -> 0.55.0

Diff: https://github.com/anchore/grype.git/compare/v0.54.0...v0.55.0

Changelog: https://github.com/anchore/grype/releases/tag/v0.55.0
---
 pkgs/tools/security/grype/default.nix | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/pkgs/tools/security/grype/default.nix b/pkgs/tools/security/grype/default.nix
index f225c0e03835..862cde157a2f 100644
--- a/pkgs/tools/security/grype/default.nix
+++ b/pkgs/tools/security/grype/default.nix
@@ -8,13 +8,13 @@
 
 buildGoModule rec {
   pname = "grype";
-  version = "0.54.0";
+  version = "0.55.0";
 
   src = fetchFromGitHub {
     owner = "anchore";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-/c7WP9m+8AULjmchpZmcTcnXG0K8gGxjseXS/QJXj+k=";
+    hash = "sha256-Y72h1YCf42RinGw2mKZb8Bz8ip+LUW377xwJht67Q1s=";
     # populate values that require us to use git. By doing this in postFetch we
     # can delete .git afterwards and maintain better reproducibility of the src.
     leaveDotGit = true;
@@ -28,7 +28,7 @@ buildGoModule rec {
   };
 
   proxyVendor = true;
-  vendorHash = "sha256-+WMaQaBf4uMCCQTyycHlkYeKbRtk6oAlqbHBYBqh64M=";
+  vendorHash = "sha256-xzBOZyzwxVFTFgtmu7DLBpdkV9bwzJ9RETkdyV2HtQo=";
 
   nativeBuildInputs = [
     installShellFiles
@@ -70,14 +70,6 @@ buildGoModule rec {
       --replace "TestCmd" "SkipCmd"
     substituteInPlace grype/pkg/provider_test.go \
       --replace "TestSyftLocationExcludes" "SkipSyftLocationExcludes"
-    substituteInPlace grype/presenter/cyclonedx/presenter_test.go \
-      --replace "TestCycloneDxPresenterImage" "SkipCycloneDxPresenterImage"
-    substituteInPlace grype/presenter/cyclonedxvex/presenter_test.go \
-      --replace "TestCycloneDxPresenterImage" "SkipCycloneDxPresenterImage"
-    substituteInPlace grype/presenter/sarif/presenter_test.go \
-      --replace "Test_imageToSarifReport" "Skip_imageToSarifReport" \
-      --replace "TestSarifPresenterImage" "SkipSarifPresenterImage"
-
     # remove tests that depend on git
     substituteInPlace test/cli/db_validations_test.go \
       --replace "TestDBValidations" "SkipDBValidations"

From dfe8d8e58de8cb58d31c393010b04cd0ab63cbd5 Mon Sep 17 00:00:00 2001
From: "R. Ryantm" <ryantm-bot@ryantm.com>
Date: Sun, 8 Jan 2023 12:45:37 +0000
Subject: [PATCH 05/11] uncover: 1.0.1 -> 1.0.2

---
 pkgs/tools/security/uncover/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/tools/security/uncover/default.nix b/pkgs/tools/security/uncover/default.nix
index fdfa3c108057..d8eb2d46b923 100644
--- a/pkgs/tools/security/uncover/default.nix
+++ b/pkgs/tools/security/uncover/default.nix
@@ -5,16 +5,16 @@
 
 buildGoModule rec {
   pname = "uncover";
-  version = "1.0.1";
+  version = "1.0.2";
 
   src = fetchFromGitHub {
     owner = "projectdiscovery";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-N2560u3rkLhB9wL48hLzrw8NksXruGQuvjQGvVFOxsk=";
+    hash = "sha256-yyx7gkOUQibcrMCEeeSeHtnKlxSnd/i6c1pq1V6hzA4=";
   };
 
-  vendorSha256 = "sha256-71tXOm444xmRuOkw7Sa1T0afrZowvhreiwIxwlAeK6A=";
+  vendorHash = "sha256-xB1JJIM/aro1Hk4JIwpR6WV6V+5hO9T3yWokxbybRXU=";
 
   meta = with lib; {
     description = "API wrapper to search for exposed hosts";

From 8ee214066de807ae8e77cb1d45f78927cbccb4d8 Mon Sep 17 00:00:00 2001
From: "R. Ryantm" <ryantm-bot@ryantm.com>
Date: Sun, 8 Jan 2023 14:43:00 +0000
Subject: [PATCH 06/11] python310Packages.google-cloud-secret-manager: 2.13.0 -> 2.14.0

---
 .../python-modules/google-cloud-secret-manager/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/python-modules/google-cloud-secret-manager/default.nix b/pkgs/development/python-modules/google-cloud-secret-manager/default.nix
index 1c2bc12ae371..167099c30a60 100644
--- a/pkgs/development/python-modules/google-cloud-secret-manager/default.nix
+++ b/pkgs/development/python-modules/google-cloud-secret-manager/default.nix
@@ -12,14 +12,14 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-secret-manager";
-  version = "2.13.0";
+  version = "2.14.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-1BBOEdkh0jVBHtSVEnOsXtaCPF/GuXB90FCZeOmue9I=";
+    hash = "sha256-x0Ktu4o1I+eEJXUjMjowwxW7967DdjZWAfcs331qP7s=";
   };
 
   propagatedBuildInputs = [

From 5a245ecfd6a755381fa32110104761da5ae5008c Mon Sep 17 00:00:00 2001
From: "R. Ryantm" <ryantm-bot@ryantm.com>
Date: Sun, 8 Jan 2023 14:59:03 +0000
Subject: [PATCH 07/11] marwaita: 16.1 -> 16.2

---
 pkgs/data/themes/marwaita/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/data/themes/marwaita/default.nix b/pkgs/data/themes/marwaita/default.nix
index 70d519e73161..42be4e53027e 100644
--- a/pkgs/data/themes/marwaita/default.nix
+++ b/pkgs/data/themes/marwaita/default.nix
@@ -10,13 +10,13 @@
 
 stdenv.mkDerivation rec {
   pname = "marwaita";
-  version = "16.1";
+  version = "16.2";
 
   src = fetchFromGitHub {
     owner = "darkomarko42";
     repo = pname;
     rev = version;
-    sha256 = "sha256-NYJ3cVxWd3vVkjr+Ni4kmhQzL9E+paexejrNA8pRfPE=";
+    sha256 = "sha256-jhcmFrTZgWChNvZofLSQzGvOj/U2UqaQ0Cq5sv4UAxE=";
   };
 
   buildInputs = [

From d5cb89b024a347d3f27e45f6f1f5332ff22905c6 Mon Sep 17 00:00:00 2001
From: Maciej Pasternacki <maciej@3ofcoins.net>
Date: Sun, 8 Jan 2023 17:00:51 +0100
Subject: [PATCH 08/11] nixos/gitlab-runner: fix problems introduced by last #209716

---
 .../services/continuous-integration/gitlab-runner.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/nixos/modules/services/continuous-integration/gitlab-runner.nix b/nixos/modules/services/continuous-integration/gitlab-runner.nix
index d18c4cff0405..3f697739bef0 100644
--- a/nixos/modules/services/continuous-integration/gitlab-runner.nix
+++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix
@@ -9,14 +9,14 @@ let
      The hash is recorded in the runner's name because we can't do better yet
      See https://gitlab.com/gitlab-org/gitlab-runner/-/issues/29350 for more details
   */
-  genRunnerName = service: let
+  genRunnerName = name: service: let
     hash = substring 0 12 (hashString "md5" (unsafeDiscardStringContext (toJSON service)));
-    in if service ? description
+    in if service ? description && service.description != null
     then "${hash} ${service.description}"
     else "${name}_${config.networking.hostName}_${hash}";
 
   hashedServices = mapAttrs'
-    (name: service: nameValuePair (genRunnerName service) service) cfg.services;
+    (name: service: nameValuePair (genRunnerName name service) service) cfg.services;
   configPath = ''"$HOME"/.gitlab-runner/config.toml'';
   configureScript = pkgs.writeShellApplication {
     name = "gitlab-runner-configure";
@@ -38,7 +38,7 @@ let
     '' else ''
       export CONFIG_FILE=${configPath}
 
-      mkdir -p "$(dirname "${configPath}")"
+      mkdir -p "$(dirname ${configPath})"
       touch ${configPath}
 
       # update global options

From c3ec444a612d33027c9629b83b9faaf1fd6ddedc Mon Sep 17 00:00:00 2001
From: Maciej Pasternacki <maciej@3ofcoins.net>
Date: Sun, 8 Jan 2023 17:06:20 +0100
Subject: [PATCH 09/11] nixos/gitlab-runner: fix style issues flagged by statix

---
 .../services/continuous-integration/gitlab-runner.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/nixos/modules/services/continuous-integration/gitlab-runner.nix b/nixos/modules/services/continuous-integration/gitlab-runner.nix
index 3f697739bef0..3e6dba16e8ac 100644
--- a/nixos/modules/services/continuous-integration/gitlab-runner.nix
+++ b/nixos/modules/services/continuous-integration/gitlab-runner.nix
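Review bot: The rewritten `genRunnerName` still feeds the whole service attribute set through `hashString "md5" (unsafeDiscardStringContext (toJSON service))` and publishes 12 hex characters of that digest as the runner's name, so anything a user inlines in a service definition also shapes a value shown on the GitLab side; the truncation makes it non-reversible, but nothing at the binding says so. A comment above the binding such as `# the entire service attrset (including anything inlined there) is hashed into the runner name GitLab displays` would make that trade-off explicit to module users. The new guard `service ? description && service.description != null` also lets an empty string through and yields a name of the form `"${hash} "`; if that case matters, appending `&& service.description != ""` closes it. The enclosing `let` begins and ends outside the hunk.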
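Review bot: The corrected `mkdir -p "$(dirname ${configPath})"` in the second hunk is right only because `configPath` is defined in the first hunk as `''"$HOME"/.gitlab-runner/config.toml''` and therefore already carries its own shell quoting; the removed line wrapped it in a second pair of quotes, which is what broke. The neighbouring `export CONFIG_FILE=${configPath}` and `touch ${configPath}` rely on the same convention, yet nothing marks the value as pre-quoted. A comment at the definition, e.g. `# already shell-quoted: interpolate as ${configPath}, never "${configPath}"`, would stop the next edit from re-introducing the double quoting. The shell script this hunk belongs to starts before the hunk and continues after it.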
@@ -534,9 +534,9 @@ in {
     };
   };
   config = mkIf cfg.enable {
-    warnings = (mapAttrsToList
+    warnings = mapAttrsToList
       (n: v: "services.gitlab-runner.services.${n}.`registrationConfigFile` points to a file in Nix Store. You should use quoted absolute path to prevent this.")
-      (filterAttrs (n: v: isStorePath v.registrationConfigFile) cfg.services));
+      (filterAttrs (n: v: isStorePath v.registrationConfigFile) cfg.services);
 
     environment.systemPackages = [ cfg.package ];
     systemd.services.gitlab-runner = {
@@ -570,7 +570,7 @@ in {
       ExecStartPre = "!${configureScript}/bin/gitlab-runner-configure";
       ExecStart = "${startScript}/bin/gitlab-runner-start";
       ExecReload = "!${configureScript}/bin/gitlab-runner-configure";
-    } // optionalAttrs (cfg.gracefulTermination) {
+    } // optionalAttrs cfg.gracefulTermination {
       TimeoutStopSec = "${cfg.gracefulTimeout}";
       KillSignal = "SIGQUIT";
       KillMode = "process";

From ab370f9ea9bbb3ad1f66f22cc297884c4646b729 Mon Sep 17 00:00:00 2001
From: "R. RyanTM" <ryantm-bot@ryantm.com>
Date: Sun, 8 Jan 2023 08:59:59 -0800
Subject: [PATCH 10/11] buildkite-agent: 3.41.0 -> 3.42.0 (#209637)

---
 .../continuous-integration/buildkite-agent/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/development/tools/continuous-integration/buildkite-agent/default.nix b/pkgs/development/tools/continuous-integration/buildkite-agent/default.nix
index 70598ee7266e..659cba2c42be 100644
--- a/pkgs/development/tools/continuous-integration/buildkite-agent/default.nix
+++ b/pkgs/development/tools/continuous-integration/buildkite-agent/default.nix
@@ -3,16 +3,16 @@ nixosTests }:
 
 buildGoModule rec {
   pname = "buildkite-agent";
-  version = "3.41.0";
+  version = "3.42.0";
 
   src = fetchFromGitHub {
     owner = "buildkite";
     repo = "agent";
     rev = "v${version}";
-    sha256 = "sha256-AQaSwdletUP7amDHXIG/3Xsw6rJCJE+eYWj2FYe/vRY=";
+    sha256 = "sha256-vLfIZ2y9e6I0kEqI10D/B6VaNFh/D0k6GXY2OB8mZf8=";
   };
 
-  vendorSha256 = "sha256-NEdwdDM/H6l2XzYCTU11uijZTSEqjIWRHsqg6ML/daY=";
+  vendorHash = "sha256-8nMN62vnzlus2kjefVUKj1SMkM1YfIm8ppPQaDXSeIA=";
 
   postPatch = ''
     substituteInPlace bootstrap/shell/shell.go --replace /bin/bash ${bash}/bin/bash

From 186a0b45757c69e2408c6ed239e517695ec6a303 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet <thomas@gerbet.me>
Date: Sun, 8 Jan 2023 17:08:01 +0100
Subject: [PATCH 11/11] pulseview: fix hash of the patch

The patch introduced in 475e7fa8027530682bd19d8b97f1a2f29b848eea have an incorrect hash. OfBorg was already complaining about it in the PR checks.
---
 pkgs/applications/science/electronics/pulseview/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/applications/science/electronics/pulseview/default.nix b/pkgs/applications/science/electronics/pulseview/default.nix
index 3bc4133a222c..7f001e73cf7b 100644
--- a/pkgs/applications/science/electronics/pulseview/default.nix
+++ b/pkgs/applications/science/electronics/pulseview/default.nix
@@ -30,7 +30,7 @@ mkDerivation rec {
     # Fixes replaced/obsolete Qt methods
     (fetchpatch {
       url = "https://github.com/sigrokproject/pulseview/commit/ae726b70a7ada9a4be5808e00f0c951318479684.patch";
-      sha256 = "1rg8azin2b7gmp68bn3z398swqlg15ddyp4xynrz49wj44cgxsdv";
+      sha256 = "sha256-6bFXFAnTO+MBUmslw55gWWSCCPwnejqKGpHeJOoH0e8=";
     })
   ];