Commit 986f361946 started to use
<nix/fetchurl.nix> to "download" the bootstrap binaries from the
Nixpkgs tree, using the file:/// scheme. This has really bad
consequences:
* It makes any derivation depend on the path of the Nixpkgs tree. So
evaluating a package will produce a different .drv file when run
from different locations. No wonder Hydra evaluation has been so
slow lately: for every Nixpkgs evaluation, it had to create tens of
thousands of .drv files, even if nothing had changed.
* It requires the builder to have file system access to the Nixpkgs
tree. So if your tree is in your home directory, the stdenv
bootstrap would probably fail.
So now the binaries are downloaded from tarballs.nixos.org.
Also dropped PowerPC "support".
The version of v8 to use for Chromium is heavily tied to the specific
version of Chromium and thus it doesn't really make sense to use v8 from
<nixpkgs>, as we would need to have 3 different versions of v8, one for
each Chromium channel.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
It doesn't make sense to do the splitting of the source code on a remote
machine, so don't try to do it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This results in a new function called mkChromiumDerivation, which can be
used to easily build packages that are based on the Chromium source
tree.
We pass through this function as mkDerivation in the chromium wrappre,
so in the end if you want to create such a package, something like:
chromium.mkDerivation (base: {
name = "your-shiny-package-based-on-chromium";
...
})
will suffice.
Of course, this is only the first step towards this functionality,
because right now I'm not even sure the Chromium browser itself will
build.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The reason I'm not making this the default is because it seems to add
complexity and degrades performance of the library. For details have a
look at this lengthy discussion at:
https://bugs.debian.org/686777
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This now uses the Debian package from the sources derivation instead of
hardcoding it, so we finally should have proper PepperAPI plugin support
without crashing plugins and whatnot.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This cases the Debian binaries to be fetched from Google's official APT
repository. If we aren't able to find a package from the APT repository,
it's very likely that it already got deleted upstream and we need to
fallback to mirrors instead.
Unfortunately, we can't use mirrors for updating, because Google doesn't
sign the Debian packages themselves and only the release files.
We're going to hook it into a Chromium updater soon, making the sha256
hashes publicly available, so if it is missing, we can still put the
sha256 manually into sources.nix, without risking anything by blindly
fetching from one of the provided mirrors.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The updater is now splitted between a shellscript and a Nix expression
file which contains helpers and lookup functions to reconstruct all
information needed in order to fetch the source tarballs.
This means, that the sources.nix now doesn't contain URLs and only
versions and the corresponding SHA256 hashes. Of course, right now this
sounds like it's unnecessary, but we're going to fetch binaries soon so
it's a good idea to not unnecessarily clutter up sources.nix.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Next, we're going to refactor update.sh and the first step is to ensure
that we keep everything related to sources into its own subdirectory to
not clutter up the main directory too much.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The current version of v8 breaks builds of nodejs, mongodb and
rethinkdb. So let's bring back the old package with annoying _3_14
version suffix so hopefully the corresponding maintainers will get rid
of that dependency :-)
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We don't want ta have the source derivation in the runtime dependencies
of the browser itself. Also, we've broken the Firefox wrapper, because
we've no longer exposed the packageName attribute.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
I'm giving up on this after several attempts to correctly unbundle the
largest part, namely Google's WebKit fork Blink. Right now it's so much
tied into the Chromium source it's going to be fairly hard to do if
you're not working full time on it.
Also, the intermediate steps needed to do this properly would introduce
uneccesary complexity on our side, so we really need to finish this
without leaving it in the "messy" state in order to not make Chromium
even more difficult to maintain than it is already.
However, anyone who wants to proceed on this messy step is free to
revert this commit and continue doing so. In my case I'm going to try
again once https://crbug.com/239107 and https://crbug.com/239181 are
fixed in _stable_ (I don't want to introduce *lots* of conditionals on
the version either).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We obviously don't want the Hydra job of nixpkgs to fail, so we need to
make sure that we have a proper meta attribute on the outermost
derivation.
For builds based on the Chromium source tree (like for example libcef),
we can still move the wrapper elsewhere when we need it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is because of our symlink mess, as Chromium's build support scripts
are trying to resolve everything based on absolute paths and we split
off the bundled sources from the main derivation.
Yes, I'm refering to this as a mess, because in the end, we're going to
patch up the gyp files and use references someday.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Now, we no longer tie the sandbox directly to the browser derivation but
wrap everything together into one derivation at the entry point at
default.nix.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
So far we just copied everything from source.* into the build directory
during the prePatch. This somewhat defeated the purpose of the source
splitup because it involved more I/O than just unpacking the entire
source tree.
Now, we're selectively *symlinking* the bundled sources into the build
directory. Even that isn't perfect because in the end we'd just
reference foreign derivations and we're done. But for now, this gets us
at least prepared for a massive reduction of compile time.
Unfortunately, gyp's behaviour when it comes to symlinks is quite
painful to come by, so we need to fix a few references to use absolute
paths.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We now no longer pass enablePepperFlash and enablePepperPDF to the
browser package itself and only use plugins.flagsEnabled from there.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This currently only passes through the arguments and is nothing more
than the foundation of the new structure. In essence, I want to have a
really small default.nix which is then going down into the respective
subparts that are isolated from each other.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is hardcoded for the dev channel at the moment and we're going to
fetch it along with the main Chromium sources.
Also I'm putting this in default.nix at the moment, because we're going
to tear apart the whole Chromium package into several subparts soon.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is required to build Chromium. Making it a non-optional dependency
as it shouldn't really hurt other packages using it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is needed by Chromium and is part of the zlib source tree in
contrib/, so let's propagate the version of zlib and use the same source
tree.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Not sure whether those are really needed for Chromium, but I suppose it
doesn't hurt to have support for conversion.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This now uses fetchurl instead of fetchsvn and now invokes gyp directly
instead of copying over the gyp command to the source tree.
Also, we're now using stdenv.is64bit to properly determine the host
architecture.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We currently can't build the -lite package because beta and dev versions
aren't yet compatible with ICU version 52. But apart from that blocker,
this should get us ready for the switch.
Also, we're now correctly unbundling all dependencies which are used
from <nixpkgs>.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Starting with version 35, version 2 of libgnome_keyring is no longer
supported and it's probably pretty useless to do backports to version 2,
given the assumption that most users on Nix probably don't use it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Note: simply calling `virtualenv .` will not produce a ./bin/python
which can import e.g. sqlite3, using `virtualenv --python=python2.7`
will, if python2.7 is python27Full (the wrapped python). I'm not sure
if this is a bug or a feature.
This creates static device nodes such as /dev/fuse or
/dev/snd/seq. The kernel modules for these devices will be loaded on
demand when the device node is opened.
Note that systemd no longer depends on dbus, so we're rid of the
cyclic dependency problem between systemd and dbus.
This commit incorporates from wkennington's systemd branch
(203dcff45002a63f6be75c65f1017021318cc839,
1f842558a95947261ece66f707bfa24faf5a9d88).
plan9port ships with an INSTALL script. This commit modifies the
builder to use the script instead of a custom build script. The
commit also adds a patch to build fontsrv, which is otherwise
omitted from the build.
Enabling by default on gnome3 as now it's possible to create and use
accounts (tested with telepathy_gabble and gtalk).
At this time, empathy x86-64 fails to build on hydra but I'm unable
to reproduce. Therefore, try disabling the parallel build.
Changelog:
- Configurable status line via -F option, see manpage for a listing of
format specifier.
- Improve display of device name in status line.
- Script: Binary transmission feature via "!<"
- Bugfixes
Changes since 1.6.0:
1.7.3 (3.4.2014)
- bugfix: test routines, gpg2 asked for passphrase although GPG_PW was set
1.7.2 (1.4.2014 "April,April")
- bugfix: debian Bug#743190 "duply no longer allows restoration without
gpg passphrase in conf file"
GPG_AGENT_INFO env var is now needed to trigger --use-agent
- bugfix: gpg keyenc test routines didn't work if GPG_PW was not set
1.7.1 (30.3.2014)
- bugfix: purge-* commands renamed to purgeFull, purgeIncr due to
incompatibility with new minus batch separator
1.7.0 (20.3.2014)
- disabled gpg key id plausibility check, too many valid possibilities
- featreq 7 "Halt if precondition fails":
added and(+), or(-) batch command(separator) support
- featreq 26 "pre/post script with shebang line":
if a script is flagged executable it's executed in a subshell
now as opposed to sourced to bash, which is the default
- bugfix: do not check if dpbx, swift credentials are set anymore
- bugfix: properly escape profile name, archdir if used as arguments
- add DUPL_PRECMD conf setting for use with e.g. trickle
Release 1.25.27 (released March 15, 2014):
Fix bug: When serializing a very large floating point number, sender
of an XML-RPC message adds some junk after the decimal point. With
assertion checking enabled, it just crashes. Broken in 1.15 (June 2008).
Changes since 0.7.5:
* added libav 10 and ffmpeg 2.2 support;
* fixed url parsing;
* fixed freezing on playback resume;
* fixed random freezing in the mplayer plugin;
* fixed reset selection of tracks when calling context menu;
* fixed multimedia keys support under win32.
(And update liburcu to 0.8.4 according to release notes for lttng 2.4.x.)
In addition to new features and bug fixes, version 2.4.x is needed to build
against Linux 3.12 (our new stable kernel).
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
See the comments at f67015cae4
for more information.
Please note: this makes initrd unrepeatable again, but most people will prefer that above an unbootable system.
- mark llvm34 as broken on darwin (so it doesn't install by default with nix-env)
- don't use our gcc for llvm_34 (might fix the build)
- switch also clang default to 3.3 on darwin (llvm was before)
