checksec needs the readelf command to work properly, which is contained
in the binutils-unwrapped derivation but not in the normal binutils.
Before this commit, this tool wasn't working due to that.
We override the ESP mount point in the config file /etc/fwupd/uefi.conf
(available since version 1.0.6), as it is set to a path in the nix store
during build time.
Tests are disabled as it needs /etc/os-release, which is not available
when building with sandboxing enabled.
I *want* cross-specific overrides to be verbose, so I rather not have
this shorthand. This makes the syntactic overhead more proportional to
the maintainence cost. Hopefully this pushes people towards fewer
conditionals and more abstractions.
This was silently blocking the channels. Thanks amine* from IRC.
Maybe inheriting whole meta should be avoided and particular attributes
should be picked instead, as e.g. adding longDescription would have
unexpected consequences as well.
`ps` can show various systemd-related information, like a unit to
which a process belongs. But when it's not compiled it, it shows only
'?' in such fields.
Can be tested with:
ps -o unit= ax
Upstream changelog:
- SECURITY UPDATE: In previous versions of libfuse it was possible to
for unprivileged users to specify the allow_other option even when
this was forbidden in /etc/fuse.conf. The vulnerability is present
only on systems where SELinux is active (including in permissive
mode).
- libfuse no longer segfaults when fuse_interrupted() is called outside
the event loop.
- The fusermount binary has been hardened in several ways to reduce
potential attack surface. Most importantly, mountpoints and mount
options must now match a hard-coded whitelist. It is expected that
this whitelist covers all regular use-cases.
- Fixed rename deadlock on FreeBSD.
Upstream changelog:
- SECURITY UPDATE: In previous versions of libfuse it was possible to
for unprivileged users to specify the allow_other option even when
this was forbidden in /etc/fuse.conf. The vulnerability is present
only on systems where SELinux is active (including in permissive
mode).
- The fusermount binary has been hardened in several ways to reduce
potential attack surface. Most importantly, mountpoints and mount
options must now match a hard-coded whitelist. It is expected that
this whitelist covers all regular use-cases.
- Added a test of seekdir to test_syscalls.
- Fixed readdir bug when non-zero offsets are given to filler and the
filesystem client, after reading a whole directory, re-reads it from a
non-zero offset e. g. by calling seekdir followed by readdir.
Since commit f620b1b693, the build directory is located inside the
source directory. Thus, the `cp -dpR` copies gigabytes worth of .o files
only to be deleted later on when we trim all non-essential files from
`$dev/lib/modules/${modDirVersion}/source/` thus causing a significant
amount of wasted I/O and peak disk usage.
As `cp` doesn't come with a `--exclude` flag, use rsync. And throw out
the Documentation folder while at it.
* substitute(): --subst-var was silently coercing to "" if the variable does not exist.
* libffi: simplify using `checkInputs`
* pythonPackges.hypothesis, pythonPackages.pytest: simpify dependency cycle fix
* utillinux: 2.32 -> 2.32.1
https://lkml.org/lkml/2018/7/16/532
* busybox: 1.29.0 -> 1.29.1
* bind: 9.12.1-P2 -> 9.12.2
https://ftp.isc.org/isc/bind9/9.12.2/RELEASE-NOTES-bind-9.12.2.html
* curl: 7.60.0 -> 7.61.0
* gvfs: make tests run, but disable
* ilmbase: disable tests on i686. Spooky!
* mdds: fix tests
* git: disable checks as tests are run in installcheck
* ruby: disable tests
* libcommuni: disable checks as tests are run in installcheck
* librdf: make tests run, but disable
* neon, neon_0_29: make tests run, but disable
* pciutils: 3.6.0 -> 3.6.1
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools. This update was made based on information from https://repology.org/metapackage/pciutils/versions.
* mesa: more include fixes
mostly from void-linux (thanks!)
* npth: 1.5 -> 1.6
minor bump
* boost167: Add lockfree next_prior patch
* stdenv: cleanup darwin bootstrapping
Also gets rid of the full python and some of it's dependencies in the
stdenv build closure.
* Revert "pciutils: use standardized equivalent for canonicalize_file_name"
This reverts commit f8db20fb3a.
Patching should no longer be needed with 3.6.1.
* binutils-wrapper: Try to avoid adding unnecessary -L flags
(cherry picked from commit f3758258b8895508475caf83e92bfb236a27ceb9)
Signed-off-by: Domen Kožar <domen@dev.si>
* libffi: don't check on darwin
libffi usages in stdenv broken darwin. We need to disable doCheck for that case.
* "rm $out/share/icons/hicolor/icon-theme.cache" -> hicolor-icon-theme setup-hook
* python.pkgs.pytest: setupHook to prevent creation of .pytest-cache folder, fixes#40273
When `py.test` was run with a folder as argument, it would not only
search for tests in that folder, but also create a .pytest-cache folder.
Not only is this state we don't want, but it was also causing
collisions.
* parity-ui: fix after merge
* python.pkgs.pytest-flake8: disable test, fix build
* Revert "meson: 0.46.1 -> 0.47.0"
With meson 0.47.0 (or 0.47.1, or git)
things are very wrong re:rpath handling
resulting in at best missing libs but
even corrupt binaries :(.
When we run patchelf it masks the problem
by removing obviously busted paths.
Which is probably why this wasn't noticed immediately.
Unfortunately the binary already
has a long series of paths scribbled
in a space intended for a much smaller string;
in my testing it was something like
lengths were 67 with 300+ written to it.
I think we've reported the relevant issues upstream,
but unfortunately it appears our patches
are what introduces the overwrite/corruption
(by no longer being correct in what they assume)
This doesn't look so bad to fix but it's
not something I can spend more time on
at the moment.
--
Interestingly the overwritten string data
(because it is scribbled past the bounds)
remains in the binary and is why we're suddenly
seeing unexpected references in various builds
-- notably this is is the reason we're
seeing the "extra-utils" breakage
that entirely crippled NixOS on master
(and probably on staging before?).
Fixes#43650.
This reverts commit 305ac4dade.
(cherry picked from commit 273d68eff8)
Signed-off-by: Domen Kožar <domen@dev.si>
Since years I'm not maintaining anything of the list below other
than some updates when I needed them for some reason. Other people
is doing that maintenance on my behalf so I better take me out but
for very few packages. Finally!
This makes the command ‘nix-env -qa -f. --arg config '{skipAliases =
true;}'’ work in Nixpkgs.
Misc...
- qtikz: use libsForQt5.callPackage
This ensures we get the right poppler.
- rewrites:
docbook5_xsl -> docbook_xsl_ns
docbook_xml_xslt -> docbook_xsl
diffpdf: fixup
Not every package that needs xcbuild will want to use its build phase.
I have moved the xcbuild setup hook to the new attribute xcbuildHook.
This means that dontUseXcbuild is no longer needed. If you just need
to call xcbuild on its own you can just refer to xcbuild.
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/libsmbios/versions.
Version release notes (from GitHub):
Compatibility changes to fix man page and includes in some installations
These checks were done:
- built on NixOS
- Warning: no invocation of /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-battery-ctl had a zero exit code or showed the expected version
- /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-get-ut-data passed the binary check.
- Warning: no invocation of /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-keyboard-ctl had a zero exit code or showed the expected version
- Warning: no invocation of /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-lcd-brightness had a zero exit code or showed the expected version
- Warning: no invocation of /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-passwd had a zero exit code or showed the expected version
- /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-state-byte-ctl passed the binary check.
- Warning: no invocation of /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-sys-info had a zero exit code or showed the expected version
- /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-sys-info-lite passed the binary check.
- Warning: no invocation of /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-thermal-ctl had a zero exit code or showed the expected version
- Warning: no invocation of /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-token-ctl had a zero exit code or showed the expected version
- /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-upflag-ctl passed the binary check.
- Warning: no invocation of /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-wakeup-ctl had a zero exit code or showed the expected version
- Warning: no invocation of /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-wireless-ctl had a zero exit code or showed the expected version
- 4 of 13 passed binary check by having a zero exit code.
- 4 of 13 passed binary check by having the new version present in output.
- found 2.4.2 with grep in /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2
- directory tree listing: https://gist.github.com/117a562c97fde114f3fc3c00cd8747c4
- du listing: https://gist.github.com/1b95e63032cd1ceb958e443695bd5cd8
Fix a serious issue with the xen-netfront driver introduced in
upstream commit f599c64fdf7d ("xen-netfront: Fix race between device
setup and open") where the MTU of the device cannot be set
properly. This should be removed once it's included in upstream.
* thunderbolt: 0.9.2 -> 0.9.3
Fixed up `cmakeFlags` so `tbtacl`, `tbtacl-write`, `tbtxdomain`, and
the udev rules now show up in the derivation output. Previously there
was only `tbtadm`.
* Add a note about placeholder expressions
Instead of using a string to describe kernel config, use a nix
attribute set, then converted to a string.
- allows to override the config, aka convert 'yes' into 'modules' or
vice-versa
- while for now merging different configs is still crude (last spec wins),
at least there should be only one CONFIG_XYZ value compared to the current string
config where the first defined would be used and others ignored.
[initial idea by copumpkin in 2016, a major rebase to 2018 by teto]
* treewide: http -> https sources
This updates the source urls of all top-level packages from http to
https where possible.
* buildtorrent: fix url and tab -> spaces
Linux 4.16 introduces a stackprotector detection script that returns
different results for the kernel compilation run and the spl/zfs
compilation run, as the setting for hardening are different. This
results in a broken ABI between spl/zfs and the compiled kernel,
breaking ZFS. Also disabling the fortify and stackprotector hardening,
as we do for the kernel, fixes that.
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/audit/versions.
These checks were done:
- built on NixOS
- Warning: no invocation of /nix/store/z8k58mpjfb5yrmcscbz3ym983chbqmsn-audit-2.8.4-bin/bin/aulast had a zero exit code or showed the expected version
- Warning: no invocation of /nix/store/z8k58mpjfb5yrmcscbz3ym983chbqmsn-audit-2.8.4-bin/bin/aulastlog had a zero exit code or showed the expected version
- /nix/store/z8k58mpjfb5yrmcscbz3ym983chbqmsn-audit-2.8.4-bin/bin/ausyscall passed the binary check.
- /nix/store/z8k58mpjfb5yrmcscbz3ym983chbqmsn-audit-2.8.4-bin/bin/auvirt passed the binary check.
- /nix/store/z8k58mpjfb5yrmcscbz3ym983chbqmsn-audit-2.8.4-bin/bin/audisp-remote passed the binary check.
- Warning: no invocation of /nix/store/z8k58mpjfb5yrmcscbz3ym983chbqmsn-audit-2.8.4-bin/bin/audispd had a zero exit code or showed the expected version
- Warning: no invocation of /nix/store/z8k58mpjfb5yrmcscbz3ym983chbqmsn-audit-2.8.4-bin/bin/auditctl had a zero exit code or showed the expected version
- Warning: no invocation of /nix/store/z8k58mpjfb5yrmcscbz3ym983chbqmsn-audit-2.8.4-bin/bin/auditd had a zero exit code or showed the expected version
- Warning: no invocation of /nix/store/z8k58mpjfb5yrmcscbz3ym983chbqmsn-audit-2.8.4-bin/bin/augenrules had a zero exit code or showed the expected version
- /nix/store/z8k58mpjfb5yrmcscbz3ym983chbqmsn-audit-2.8.4-bin/bin/aureport passed the binary check.
- /nix/store/z8k58mpjfb5yrmcscbz3ym983chbqmsn-audit-2.8.4-bin/bin/ausearch passed the binary check.
- Warning: no invocation of /nix/store/z8k58mpjfb5yrmcscbz3ym983chbqmsn-audit-2.8.4-bin/bin/autrace had a zero exit code or showed the expected version
- 5 of 12 passed binary check by having a zero exit code.
- 2 of 12 passed binary check by having the new version present in output.
- found 2.8.4 with grep in /nix/store/z8k58mpjfb5yrmcscbz3ym983chbqmsn-audit-2.8.4-bin
- directory tree listing: https://gist.github.com/8d6dcaf4f506959d1a86eef7beb7a558
- du listing: https://gist.github.com/c275dcc78169bdf2e405337bca948365
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/fwts/versions.
These checks were done:
- built on NixOS
- /nix/store/bs0xv1vsc6zf0cylv6j8iidiwcg9zqx9-fwts-18.06.02/bin/fwts passed the binary check.
- Warning: no invocation of /nix/store/bs0xv1vsc6zf0cylv6j8iidiwcg9zqx9-fwts-18.06.02/bin/kernelscan had a zero exit code or showed the expected version
- 1 of 2 passed binary check by having a zero exit code.
- 0 of 2 passed binary check by having the new version present in output.
- found 18.06.02 with grep in /nix/store/bs0xv1vsc6zf0cylv6j8iidiwcg9zqx9-fwts-18.06.02
- directory tree listing: https://gist.github.com/c871651eb151d0cf25aa751e4e925e27
- du listing: https://gist.github.com/a7b8160c0b4fbc5ed2fa237004865949
I hoped that setting -D_GNU_SOURCE in the build would avoid
the need for this patch -- but that only fixes the build itself,
this patch adds the define so headers work elsewhere.
Particularly, this fixes libblockdev w/musl -- before this change
it fails to "detect" headers for dmraid.h since it doesn't compile.
This is the newest sdk. I have skipped 9.3 for now but someone can
certainly add it if they need it for some reason.
Also I added a generic "xcode" that will always point to the newest
xcode that is available in Nixpkgs.
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/sssd/versions.
These checks were done:
- built on NixOS
- /nix/store/i0srimsn8chzyqblbf6jvzxndw0w35lg-sssd-1.16.2/bin/sss_ssh_authorizedkeys passed the binary check.
- /nix/store/i0srimsn8chzyqblbf6jvzxndw0w35lg-sssd-1.16.2/bin/sss_ssh_knownhostsproxy passed the binary check.
- /nix/store/i0srimsn8chzyqblbf6jvzxndw0w35lg-sssd-1.16.2/bin/sss_cache passed the binary check.
- Warning: no invocation of /nix/store/i0srimsn8chzyqblbf6jvzxndw0w35lg-sssd-1.16.2/bin/sss_debuglevel had a zero exit code or showed the expected version
- /nix/store/i0srimsn8chzyqblbf6jvzxndw0w35lg-sssd-1.16.2/bin/sss_groupadd passed the binary check.
- /nix/store/i0srimsn8chzyqblbf6jvzxndw0w35lg-sssd-1.16.2/bin/sss_groupdel passed the binary check.
- /nix/store/i0srimsn8chzyqblbf6jvzxndw0w35lg-sssd-1.16.2/bin/sss_groupmod passed the binary check.
- /nix/store/i0srimsn8chzyqblbf6jvzxndw0w35lg-sssd-1.16.2/bin/sss_groupshow passed the binary check.
- Warning: no invocation of /nix/store/i0srimsn8chzyqblbf6jvzxndw0w35lg-sssd-1.16.2/bin/sss_obfuscate had a zero exit code or showed the expected version
- Warning: no invocation of /nix/store/i0srimsn8chzyqblbf6jvzxndw0w35lg-sssd-1.16.2/bin/sss_override had a zero exit code or showed the expected version
- /nix/store/i0srimsn8chzyqblbf6jvzxndw0w35lg-sssd-1.16.2/bin/sss_seed passed the binary check.
- /nix/store/i0srimsn8chzyqblbf6jvzxndw0w35lg-sssd-1.16.2/bin/sss_useradd passed the binary check.
- /nix/store/i0srimsn8chzyqblbf6jvzxndw0w35lg-sssd-1.16.2/bin/sss_userdel passed the binary check.
- /nix/store/i0srimsn8chzyqblbf6jvzxndw0w35lg-sssd-1.16.2/bin/sss_usermod passed the binary check.
- Warning: no invocation of /nix/store/i0srimsn8chzyqblbf6jvzxndw0w35lg-sssd-1.16.2/bin/sssctl had a zero exit code or showed the expected version
- /nix/store/i0srimsn8chzyqblbf6jvzxndw0w35lg-sssd-1.16.2/bin/sssd passed the binary check.
- 12 of 16 passed binary check by having a zero exit code.
- 1 of 16 passed binary check by having the new version present in output.
- found 1.16.2 with grep in /nix/store/i0srimsn8chzyqblbf6jvzxndw0w35lg-sssd-1.16.2
- directory tree listing: https://gist.github.com/842245741e6082400e50d4fd7e764d2c
- du listing: https://gist.github.com/e4b7c96457a7134ffcc6ecf385b7c5c6
In particular, this contains Firefox-related and libgcrypt updates.
Other larger rebuilds would apparently need lots of time to catch up
on Hydra, due to nontrivial rebuilds in other branches than staging.