forked from mirrors/nixpkgs
Commit graph

138429 commits

Author SHA1 Message Date
aszlig 81fc2c3509
nixos/dhparams: Add a defaultBitSize option
This allows setting the default bit size for all the Diffie-Hellman
parameters defined in security.dhparams.params and it's particularly
useful so that we can set it to a very low value in tests (so it doesn't
take ages to generate).

Regardless of the use in testing, this also has an impact on production
systems: if the owner wants to set all of them to a different size than
2048, they don't need to set it individually for every param that is
set.

I've added a subtest to the "dhparams" NixOS test to ensure this is
working properly.

Signed-off-by: aszlig <aszlig@nix.build>
2018-05-07 04:58:52 +02:00
aszlig b3d5ca8359
nixos/dhparams: Set default bit size to 2048
@Ekleog writes in https://github.com/NixOS/nixpkgs/pull/39526:

> I think a default of 4096 is maybe too much? See certbot/certbot#4973;
> Let's Encrypt supposedly know what they are doing and use a
> pre-generated 2048-bit DH params (and using the same DH params as
> others is quite bad, even compared to lower bit size, if I correctly
> remember the attacks available -- because it increases by as much the
> value of breaking the group).

> Basically I don't have anything personal against 4096, but fear it may
> re-start the arms race: people like having "more security" than their
> distributions, and having NixOS already having more security than is
> actually useful (I personally don't know whether a real-size quantum
> computer will come before or after our being able to break 2048-bit
> keys, let alone 3072-bit ones -- see wikipedia for some numbers).

> So basically, I'd have set it to 3072 in order to both decrease build
> time and avoid having people setting it to 8192 and complaining about
> how slow things are, but that's just my opinion. :)

While he suggests 3072, I'm using 2048 now, because it's the default
of "openssl dhparam". If users want to have a higher value, they can
still change it.

Signed-off-by: aszlig <aszlig@nix.build>
2018-04-30 05:53:38 +02:00
aszlig ce87773867
nixos/dhparams: Clean up module expression
First of all let's start with cleaning up the multiline string
indentation for descriptions, because having two indentation levels
after description is a waste of screen estate.

A quick survey in the form of the following also reveals that the
majority of multiline strings in nixpkgs start the two beginning
quotes on the same line:

$ find -name '*.nix' -exec sed -n -e '/=$/ { n; /'\'\''/p }' {} + | wc -l
817
$ find -name '*.nix' -exec grep "= *'' *\$" {} + | wc -l
14818

The next point is to get the type, default and example attributes on top
of the description because that's the way it's rendered in the manual.

Most services have their enable option close to the beginning of the
file, so let's move it to the top.

Also, I found the script attribute for dhparams-init.service a bit hard
to read as it was using string concatenation to split a "for" loop.

Now for the more substantial clean ups rather than just code style:

  * Remove the "with lib;" at the beginning of the module, because it
    makes it easier to do a quick check with "nix-instantiate --parse".
  * Use ConditionPathExists instead of test -e for checking whether we
    need to generate the dhparams file. This avoids spawning a shell if
    the file exists already and it's probably more common that it will
    exist, except for the initial creation of course.
  * When cleaning up old dhparams file, use RemainAfterExit so that the
    unit won't be triggered again whenever we stop and start a service
    depending on it.
  * Capitalize systemd unit descriptions to be more on par with most
    other unit descriptions (also see 0c5e837b66).
  * Use "=" instead of "==" for conditionals using []. It's just a very
    small nitpick though and it will only fail for POSIX shells. Bash on
    the other hand accepts it anyway.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @Ekleog
2018-04-26 08:04:52 +02:00
aszlig 3e11ff6e0d
nixos/dhparams: Introduce a 'stateful' option
This option allows us to turn off stateful generation of Diffie-Hellman
parameters, which in some way is still stateful as the generated DH
params file is non-deterministic.

However, what we can avoid with this is an increased surface for
failures during system startup, because generation of the parameters is
done at build time.

Another advantage of this is that we no longer need to take care of
cleaning up the files that are no longer used and in my humble opinion I
would have preferred that #11505 (which puts the dhparams in the Nix
store) would have been merged instead of #22634 (which we have now).

Luckily we can still change that and this change gives the user the
option to put the dhparams into the Nix store.

Besides the more obvious advantages pointed out here, this also
affects test runtime if more services start to use this (for
example see #39507 and #39288), because generating DH params could take
a long time depending on the bit size, which adds up to test runtime.

If we generate the DH params in a separate derivation, subsequent test
runs won't need to wait for DH params generation during bootup.

Of course, tests could still mock this by force-disabling the service
and adding a service or activation script that places pre-generated DH
params in /var/lib/dhparams but this would make tests less readable and
the workaround would have to be made for each test affected.

Note that the 'stateful' option is still true by default so that we are
backwards-compatible with existing systems.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @Ekleog, @abbradar, @fpletz
2018-04-26 08:04:50 +02:00
aszlig 761266bd18
nixos/dhparams: Turn params into a submodule
We're going to implement an option which allows us to turn off stateful
handling of Diffie-Hellman parameter files by putting them into the Nix
store.

However, modules now might need a way to reference these files, so we
add a new path option to every param specified, which carries a
read-only value of the path where to find the corresponding DH params
file.

I've also improved the description of security.dhparams.params a bit so
that it uses <warning/> and <note/>.

The NixOS VM test also reflects this change and checks whether the old
way to specify the bit size still works.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @Ekleog
2018-04-26 08:04:48 +02:00
aszlig 4de774a63b
nixos/dhparams: Add a VM test
We're going to make changes to the dhparams module so we really want to
make sure we don't break it, so having a NixOS VM test makes sure
we don't blow things up and can iterate on it.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @Ekleog
2018-04-26 08:04:45 +02:00
Dan Peebles ca52152a91 boto{3,core}: {1.6.0,1.9.3} -> {1.7.9,1.10.9}
Yeah yeah, I want parallel glob expansion but you get what I mean.
These two packages like getting upgraded together so to minimize
incompatibilities I'm upgrading them both in the same commit.
2018-04-25 21:36:15 -04:00
Robin Gloster 7673593c85
gem-config.grpc: disable format hardening 2018-04-26 00:15:24 +02:00
Robin Gloster 94f5e5ad14
Revert "gitlab: disable"
This reverts commit 68c4605f1a.

Gitlab has been fixed
2018-04-26 00:15:24 +02:00
Robin Gloster 783fb86de4
gitlab module: update to gitlab 10.7 2018-04-26 00:15:24 +02:00
Robin Gloster 04ab1ed623
gitlab: 10.5.6 -> 10.7.0 2018-04-26 00:15:24 +02:00
Robin Gloster 775bbc2d57
gitlab-workhorse: 3.6.0 -> 4.1.0 2018-04-26 00:15:24 +02:00
Robin Gloster ddec4ae7a0
gitlab-shell: 6.0.3 -> 7.1.2 2018-04-26 00:15:24 +02:00
Robin Gloster 59ad9933ff
gitaly: 0.81.0 -> 0.95.0 2018-04-26 00:15:23 +02:00
Michiel Derhaeg 189a4f3656 verifast: 14.5 -> 18.02 (#39480) 2018-04-25 22:54:57 +01:00
Jörg Thalheim e15b2ed917
Merge pull request #39494 from magnetophon/guitarix
guitarix: 0.36.1 -> 0.37.0
2018-04-25 22:39:34 +01:00
Jörg Thalheim a631da0376
Merge pull request #39489 from jlesquembre/kitty
kitty: 0.8.2 -> 0.9.0
2018-04-25 22:32:23 +01:00
Jörg Thalheim e4ffd5cf3d
Merge pull request #39490 from jlesquembre/clojure
clojure: 1.9.0.358 -> 1.9.0.375
2018-04-25 22:31:38 +01:00
Jörg Thalheim 18da50d8d3
Merge pull request #39503 from veprbl/pr/sacrifice_darwin_fix
sacrifice: fix runtime on darwin
2018-04-25 22:22:19 +01:00
Jörg Thalheim a21607c47d
Merge pull request #39485 from sorki/ipmicfg_patchelf
ipmicfg: fix patchelf args
2018-04-25 22:21:37 +01:00
Jörg Thalheim c3e137e7cb rubycop: 0.47.0 -> 0.55.0 2018-04-25 22:15:44 +01:00
Matthew Justin Bauer e4d2d32a32
Merge pull request #33679 from flokli/deluge-module
Deluge: use mkEnableOption, add test
2018-04-25 14:54:34 -05:00
Matthew Justin Bauer 160d9ed652
Merge pull request #36055 from ryantm/auto-update/thin-provisioning-tools-0.6.3-to-0.7.5
thin-provisioning-tools: 0.6.3 -> 0.7.5
2018-04-25 14:48:56 -05:00
Matthew Justin Bauer a4a2626cd9
Merge pull request #35280 from markus1189/logkeys
Logkeys: Update and add `device` option to service
2018-04-25 14:48:29 -05:00
Matthew Justin Bauer edf5548958
Merge pull request #35201 from xurei/app/postman
postman : 5.5.2 -> 5.5.3
2018-04-25 14:47:43 -05:00
Matthew Justin Bauer fb836946de
Merge pull request #35187 from xurei/app/yarssr
yarssr: init at git-2017-12-01
2018-04-25 14:47:08 -05:00
John Ericson 948c8dc474
Merge pull request #37401 from obsidiansystems/aarch32
treewide: isArm -> isAarch32
2018-04-25 15:42:08 -04:00
John Ericson ba52ae5048 treewide: isArm -> isAarch32
Following legacy packaging conventions, `isArm` was defined just for the
32-bit ARM instruction set. This is confusing to non-packagers though,
because Aarch64 is an ARM instruction set.

The official ARM overview for ARMv8[1] is surprisingly not confusing,
given the overall state of affairs for ARM naming conventions, and
offers us a solution. It divides the nomenclature into three levels:

```
ISA:             ARMv8   {-A, -R, -M}
                 /    \
Mode:     Aarch32     Aarch64
             |         /   \
Encoding:   A64      A32   T32
```

At the top is the overall v8 instruction set architecture. Second are the
two modes, defined by bitwidth but differing in other semantics too, and
bottom are the encodings, (hopefully?) isomorphic if they encode the
same mode.

The 32-bit encodings are mostly backwards compatible with previous
non-Thumb and Thumb encodings, and if so we can pun the mode names to
instead mean "sets of compatible or isomorphic encodings", and then
voilà we have nice names for 32-bit and 64-bit ARM instruction sets
which do not use the word ARM so as not to confuse either laymen or
experienced ARM packagers.

[1]: https://developer.arm.com/products/architecture/a-profile
2018-04-25 15:28:55 -04:00
Matthew Justin Bauer e40213ed24
Merge pull request #39183 from r-ryantm/auto-update/xpra
xpra: 2.2.5 -> 2.2.6
2018-04-25 14:28:51 -05:00
Dmitry Kalinkin c1f45f76ad
sacrifice: fix runtime on darwin 2018-04-25 14:58:23 -04:00
Daiderd Jordan 5eea946c25
Merge pull request #39492 from LnL7/vim-nix
vim-nix: 2018-04-15 -> 2018-04-24
2018-04-25 20:09:29 +02:00
Will Dietz d6ca2d38a1
Merge pull request #39497 from dtzWill/update/lsof-4.91
lsof: 4.90 -> 4.91
2018-04-25 13:09:05 -05:00
Jan Tojnar 0009ae3d5e
onboard: fix missing typelibs 2018-04-25 19:55:39 +02:00
Will Dietz 30357e203a lsof: 4.90 -> 4.91 2018-04-25 12:53:37 -05:00
Bart Brouns 00528006cf guitarix: 0.36.1 -> 0.37.0 2018-04-25 19:24:41 +02:00
Daiderd Jordan 43c837b578
Merge pull request #39475 from hedning/nix-completions-bump
nix-zsh-completions: 0.3.8 -> 0.3.9 ,  nix-bash-completions: 0.6.5 -> 0.6.6
2018-04-25 18:51:06 +02:00
Daiderd Jordan e609551090
vim-nix: 2018-04-15 -> 2018-04-24 2018-04-25 18:48:16 +02:00
Vincent Laporte 5c4ee2a3ab ocaml: init at 4.07.0+beta2 2018-04-25 18:19:57 +02:00
Vincent Laporte c4b7bbf77e ocamlPackages.findlib: 1.7.3 -> 1.8.0 2018-04-25 18:19:27 +02:00
José Luis Lafuente c19eeccc64
clojure: 1.9.0.358 -> 1.9.0.375 2018-04-25 18:16:33 +02:00
José Luis Lafuente ac0fd5a909
kitty: 0.8.2 -> 0.9.0 2018-04-25 18:03:48 +02:00
Michael Raskin a1349f0a3b
Merge pull request #39486 from dtzWill/fix/musl-provide-iconv-tool
musl: provide 'iconv' utility like other libc's
2018-04-25 15:42:26 +00:00
aszlig 6c748ae749
inkscape: Fix build on NixOS
The first problem that was introduced in a276d5160c
was a linking error:

ld: cannot find -licui18n
ld: cannot find -licuuc
ld: cannot find -licudata

So I added icu to the buildInputs.

The second problem was that the interpreter wasn't patched in
share/filters, apparently this is only needed when building with
autotools:

make[3]: Entering directory '/build/inkscape-0.92.3/share/filters'
./i18n.py ./filters.svg > ./filters.svg.h
./i18n.py: /usr/bin/env: bad interpreter: No such file or directory

A similar error also occurs for share/palettes, share/patterns,
share/symbols and share/templates, so I added patching the interpreter
there as well.

Switching to autotools in Inkscape is a very bad idea, because upstream
currently still has their own autotools files in the 0.92.x tree but
master already has them removed, see this commit:

e471a664f9

However, for the sake of trying not to break Inkscape on Darwin again,
I tried to keep the fixes minimal and did not go back to CMake.

I did however mark the stuff that's unneeded for CMake, so that we can
avoid forgetting to remove that crap once we get back to CMake.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @matthewbauer
2018-04-25 17:09:04 +02:00
Will Dietz 542f3dba06
Merge pull request #39414 from dtzWill/update/ngx_brotli-0.1.1
ngx_brotli: -> 0.1.1
2018-04-25 09:34:55 -05:00
Richard Marko ec371a5d98 ipmicfg: fix patchelf args 2018-04-25 16:08:05 +02:00
Will Dietz e1235e0fb6
Merge pull request #39484 from dtzWill/update/radiotray-ng-0.2.2
radiotray-ng: 0.2.1 -> 0.2.2
2018-04-25 09:03:27 -05:00
Jan Tojnar 0dec4fa1db
rarian: merge gnome{2,3}.rarian 2018-04-25 15:53:26 +02:00
Will Dietz 2236f418f5 radiotray-ng: disable tests, they now want to download unconditionally 2018-04-25 08:38:36 -05:00
Ben Wolsieffer 4d40adb86d nginx: allow basic auth passwords to be specified in a file 2018-04-25 15:37:09 +02:00
Will Dietz 4f16b36fed radiotray-ng: 0.2.1 -> 0.2.2
https://github.com/ebruck/radiotray-ng/releases/tag/v0.2.2
2018-04-25 08:32:49 -05:00