git-cinnabar calls into Mercurial as a library, so we make use the
same version of Python as Mercurial.
Support for Python 3 is an experimental feature in git-cinnabar, but
we unconditionally use it here because:
* Mercurial in Nixpkgs only supports Python 3.
* git-cinnabar touches a network, and for that purpose it's good to
use a version of Python that is going to get security updates.
###### Motivation for this change
Update to latest upstream version
###### Things done
* [ ] Tested using sandboxing ([nix.useSandbox](http://nixos.org/nixos/manual/options.html#opt-nix.useSandbox) on NixOS, or option `sandbox` in [`nix.conf`](http://nixos.org/nix/manual/#sec-conf-file) on non-NixOS linux)
* Built on platform(s)
* [x] NixOS
* [ ] macOS
* [ ] other Linux distributions
* [ ] Tested via one or more NixOS test(s) if existing and applicable for the change (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
* [ ] Tested compilation of all pkgs that depend on this change using `nix-shell -p nix-review --run "nix-review wip"`
* [x] Tested execution of all binary files (usually in `./result/bin/`)
* [ ] Determined the impact on package closure size (by running `nix path-info -S` before and after)
* [ ] Ensured that relevant documentation is up to date
* [x] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md).
###### Notify maintainers
cc @worldofpeace @tfc @jtraue
Updates `gitea` to the latest version available[1]. Also ensured that
upgrading from `gitea-1.9` (used on NixOS 19.09) to `1.11.3` works
seamlessly.
The derivation required a few more changes this time since `gitea` uses
`npm` now to build the frontend[2]. When using the default tarball from
GitHub, we'd have to build the frontend manually. By fetching a custom
tarball published on every release, we get a prebuilt frontend
(as it was the case on previous versions) and build the backend only from
source.
Co-authored-by: kolaente <k@knt.li>
Closes#80175
[1] https://github.com/go-gitea/gitea/releases/tag/v1.11.3
[2] https://github.com/go-gitea/gitea/issues/10253
In 6733ece `-DUSE_HTTP_PARSER=system` was introduced, which does not seem
to work with this fork. So instead fallback to the `builtin`.
Also sync with upstream cmake flags.
See inline comment; this does not build on Hydra and either requires custom
patching or a new release from upstream before it will build.
Note that we can still recompute the `cargoSha256` for #79975; the package
is broken in the identical way.
Includes multiple security fixes mentioned in
https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/
(unfortunately, no CVE numbers as of yet)
- Directory Traversal to Arbitrary File Read
- Account Takeover Through Expired Link
- Server Side Request Forgery Through Deprecated Service
- Group Two-Factor Authentication Requirement Bypass
- Stored XSS in Merge Request Pages
- Stored XSS in Merge Request Submission Form
- Stored XSS in File View
- Stored XSS in Grafana Integration
- Contribution Analytics Exposed to Non-members
- Incorrect Access Control in Docker Registry via Deploy Tokens
- Denial of Service via Permission Checks
- Denial of Service in Design For Public Issue
- GitHub Tokens Displayed in Plaintext on Integrations Page
- Incorrect Access Control via LFS Import
- Unescaped HTML in Header
- Private Merge Request Titles Leaked via Widget
- Project Namespace Exposed via Vulnerability Feedback Endpoint
- Denial of Service Through Recursive Requests
- Project Authorization Not Being Updated
- Incorrect Permission Level For Group Invites
- Disclosure of Private Group Epic Information
- User IP Address Exposed via Badge images
- Update postgresql (GitLab Omnibus)
###### Motivation for this change
Update to latest upstream version
###### Things done
* [ ] Tested using sandboxing ([nix.useSandbox](http://nixos.org/nixos/manual/options.html#opt-nix.useSandbox) on NixOS, or option `sandbox` in [`nix.conf`](http://nixos.org/nix/manual/#sec-conf-file) on non-NixOS linux)
* Built on platform(s)
* [x] NixOS
* [ ] macOS
* [ ] other Linux distributions
* [ ] Tested via one or more NixOS test(s) if existing and applicable for the change (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
* [ ] Tested compilation of all pkgs that depend on this change using `nix-shell -p nix-review --run "nix-review wip"`
* [x] Tested execution of all binary files (usually in `./result/bin/`)
* [ ] Determined the impact on package closure size (by running `nix path-info -S` before and after)
* [ ] Ensured that relevant documentation is up to date
* [x] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md).
###### Notify maintainers
cc @worldofpeace @tfc @jtraue
Old intercaps names are aliased.
darcs-to-git: rename from darcsToGit
git-fast-export: rename from gitFastExport
git-remote-gcrypt: rename from gitRemoteGcrypt
hub-unstable: rename from hubUnstable
top-git: rename from topGit
Changes the default fetcher in the Rust Platform to be the newer
`fetchCargoTarball`, and changes every application using the current default to
instead opt out.
This commit does not change any hashes or cause any rebuilds. Once integrated,
we will start deleting the opt-outs and recomputing hashes.
See #79975 for details.
The existing post-install was not successfully patching the git-gui script,
and thus was invoking the packaged osx app which uses the system tk,
which is too old to work (and is no longer supported by Apple anyway).
This has several advantages:
1. It takes up less space on disk in-between builds in the nix store.
2. It uses less space in the binary cache for vendor derivation packages.
3. It uses less network traffic downloading from the binary cache.
4. It plays nicely with hashed mirrors like tarballs.nixos.org, which only
substitute --flat hashes on single files (not recursive directory hashes).
5. It's consistent with how simple `fetchurl` src derivations work.
6. It provides a stronger abstraction between input src-package and output
package, e.g., it's harder to accidentally depend on the src derivation at
runtime by referencing something like `${src}/etc/index.html`. Likewise, in
the store it's harder to get confused with something that is just there as a
build-time dependency vs. a runtime dependency, since the build-time
src dependencies are tarred up.
Disadvantages are:
1. It takes slightly longer to untar at the start of a build.
As currently implemented, this attaches the compacted vendor.tar.gz feature as a
rider on `verifyCargoDeps`, since both of them are relatively newly implemented
behavior that change the `cargoSha256`.
If this PR is accepted, I will push forward the remaining rust packages with a
series of treewide PRs to update the `cargoSha256`s.
Git ships with a zsh completion script, but this script was previously
only available at $out/share/git/contrib/completion/git-completion.zsh,
which is not a path (or a filename) that would be discovered by a
typical zsh installation. This commit symlinks that file to
$out/share/zsh/site-functions/_git, which is a more standard location.
That zsh completion script is mostly a wrapper around the Bash
completion script, so this commit also patches the former so that it can
"find" the latter.
The old variant is still working but setting "cafile" is deprecated
since version 3.6 [0] and generates a warning:
DeprecationWarning: cafile, capath and cadefault are deprecated, use a custom context instead.
But without this patch "fetchRepoProject" still fails with
"error no host given" (see 337380ea1d).
[0]: https://docs.python.org/3.7/library/urllib.request.html#urllib.request.urlopen
- use fetchzip to retrieve the tarball for GitKraken, as the deb now tries to change permissions and etc which nix will not like
- add at-spi2-core dependency
- remove dpkg dependency
- refactor expression to properly handle the GitKraken tarball (compared to the deb archive)
According to https://repology.org/repository/nix_unstable/problems, we have a
lot of packages that have http links that redirect to https as their homepage.
This commit updates all these packages to use the https links as their
homepage.
The following script was used to make these updates:
```
curl https://repology.org/api/v1/repository/nix_unstable/problems \
| jq '.[] | .problem' -r \
| rg 'Homepage link "(.+)" is a permanent redirect to "(.+)" and should be updated' --replace 's@$1@$2@' \
| sort | uniq > script.sed
find -name '*.nix' | xargs -P4 -- sed -f script.sed -i
```