3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

222350 commits

Author SHA1 Message Date
Peter Simons 783af05bbb all-cabal-hashes: update to Hackage at 2020-04-17T17:47:53Z 2020-04-17 20:56:52 +02:00
Peter Simons d6aedf7bcd haskell-ghc-lib-parser-ex: fix build with GHC versions prior to 8.8.x 2020-04-17 20:50:48 +02:00
Guillaume Bouchard abc4f961b4 haskellPackages.ghcWithPackages: fix for GHC 8.10
This closes #79441.

ghcWithPackages is using `ghc-pkg recache` to build its package
database. By doing so, it overrides the `package.cache[.lock]` files.

Details are unclear, but GHC 8.10 changed a bit the behavior.
Previously, it was unconditionally replacing the files by new ones. Now
it tries to open (for modification) the files. These files are symlinks
to another nix derivation, which is hence read-only.

This commit removes the files before running `ghc-pkg recache`, hence it
will just write the new files.

Tested with `haskellPackages.ghcWithPackages` (i.e. GHC 8.8) and
`haskell.packages.ghc8101.ghcWithPackages` (i.e GHC 8.10) with the
following nix file, at the root of the nixpkgs repository:

```
with import ./. {
  overlays = [
    (
      self: super: {
        haskellPackages = super.haskell.packages.ghc8101.override {
          overrides = selfh: superh: {
             th-lift-instances = super.haskell.lib.doJailbreak superh.th-lift-instances;
             th-expand-syns    = super.haskell.lib.doJailbreak superh.th-expand-syns;
             th-reify-many     = super.haskell.lib.doJailbreak superh.th-reify-many;
             th-orphans        = super.haskell.lib.doJailbreak superh.th-orphans;
             haskell-src-meta  = super.haskell.lib.doJailbreak superh.haskell-src-meta;
          };
        };
      }
  )
  ];
};
haskellPackages.ghcWithPackages(p:[p.PyF])
```

This will test with GHC 8.10. Comment out the `overlays` to test with
GHC 8.8.
2020-04-17 20:50:48 +02:00
Mike Sperber 53cfd1d132 haskell-tensorflow: unbreak
- get the current Git head of haskell-tensorflow
- adjust dependencies
2020-04-17 20:50:48 +02:00
Michael Alan Dorman d59d157ad9 cabal-install-parsers: update Cabal dependency
This also unbreaks `haskell-ci`.
2020-04-17 20:50:48 +02:00
Jappie Klooster b95534aaea cut-the-crap: init at 1.0.0 2020-04-17 20:50:48 +02:00
Manuel Bärenz a762316e72 haskell simple-affine-space: Disable test suite 2020-04-17 20:50:48 +02:00
Troels Henriksen 802dfc8bd7 futhark: stop wrapping the executable 2020-04-17 20:50:48 +02:00
(cdep)illabout a0612c2a06 spago: 0.14.0 -> 0.15.1 2020-04-17 20:50:48 +02:00
Gabor Greif 7932fb22cb ghcHEAD: bump to 8.11.20200403 (#84217)
* ghcHEAD: bump to 8.11.20200403

* ghcHead: reduce diff vs. 8.10.1

dontAddExtraLibs was removed by accident (IMO) in ea19a8ed1e

* ghcHEAD: add ability to use system libffi

- enable nixpkgs' libffi
- minimise diffs against 8.10.1
- remove patching

* remove configure warning about --with-curses-includes

configure: WARNING: unrecognized options: --with-curses-includes
2020-04-17 20:50:48 +02:00
Peter Simons fd1103227d hackage-packages.nix: automatic Haskell package set update
This update was generated by hackage2nix v2.15.1 from Hackage revision
fcda2563cd.
2020-04-17 20:50:40 +02:00
Peter Simons fd63776ff4 hackage2nix: update list of broken builds to fix evaluation errors 2020-04-17 20:50:26 +02:00
Remo 83d84e6233 hackage2nix: unbreak postgrest 2020-04-17 20:50:07 +02:00
Remo 629af9f518 hackage2nix: unbreak hasql-pool 2020-04-17 20:49:49 +02:00
Peter Simons 572e8f6008 LTS Haskell 15.8 2020-04-17 20:49:10 +02:00
Graham Christensen be9cc04925
Merge pull request #85453 from bqv/patch-1
sv-kalendar: fix meta
2020-04-17 14:16:34 -04:00
Tony O 39b1de0fbf
sv-kalendar: fix meta 2020-04-17 19:03:26 +01:00
Maximilian Bosch 192485f8fa
neomutt: 20200320 -> 20200417
https://github.com/neomutt/neomutt/releases/tag/20200417

To fix the tests, I had to copy the recently created
`neomutt-test-files`[1] repository into the build-environment.

Also applied a patch from master[2] which ensures that the
`change-folder` macro actually switches to the specified folder.

[1] https://github.com/neomutt/neomutt-test-files
[2] 9e7537cadd
2020-04-17 19:35:20 +02:00
worldofpeace 40f3faedbd nixos/manual: 19.09 -> 20.03 2020-04-17 12:41:24 -04:00
Jan Tojnar 42f2d370a5
Merge pull request #81955 from r-ryantm/auto-update/poppler-glib 2020-04-17 18:38:20 +02:00
Michele Guerini Rocco 8afc0daa29
Merge pull request #85431 from rnhmjoj/vapoursynth
vapoursynth: R48 -> R49
2020-04-17 18:20:46 +02:00
Peter Simons 464d1861ee
Merge pull request #81307 from jabranham/r-pkgs
R: Update R, CRAN, & Bioconductor
2020-04-17 17:43:38 +02:00
Benjamin Hipple ba8c116519 mesa-glu: use HTTPS instead of FTP
FTP is often blocked by firewalls and is generally slower and less secure than HTTPS.

No change to `src` hash.
2020-04-17 11:35:16 -04:00
Emily 2e31fb407e nixos/release-combined: add {,latestKernel.}hardened
These now depend on an external patch set; add them to the release tests
to ensure that the build doesn't break silently as new kernel updates
are merged.
2020-04-17 16:13:39 +01:00
Emily e133e396df nixos/release-{small,combined}: add latestKernel.login
Seems like a good idea to ensure that you can always use the latest
stable upstream kernel.
2020-04-17 16:13:39 +01:00
Emily fe031d07f8 nixos/tests/hardened: add latestKernel argument 2020-04-17 16:13:39 +01:00
Emily b0d5032ee4 nixos/hardened: add emily to maintainers 2020-04-17 16:13:39 +01:00
Emily ad9bfe2254 nixos/hardened: enable user namespaces for root
linux-hardened sets kernel.unprivileged_userns_clone=0 by default; see
anthraxx/linux-hardened@104f44058f.

This allows the Nix sandbox to function while reducing the attack
surface posed by user namespaces, which allow unprivileged code to
exercise lots of root-only code paths and have lead to privilege
escalation vulnerabilities in the past.

We can safely leave user namespaces on for privileged users, as root
already has root privileges, but if you're not running builds on your
machine and really want to minimize the kernel attack surface then you
can set security.allowUserNamespaces to false.

Note that Chrome's sandbox requires either unprivileged CLONE_NEWUSER or
setuid, and Firefox's silently reduces the security level if it isn't
allowed (see about:support), so desktop users may want to set:

    boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;
2020-04-17 16:13:39 +01:00
Emily 84f258bf09 nixos/hardened: don't set vm.unprivileged_userfaultfd
Upstreamed in anthraxx/linux-hardened@a712392b88.
2020-04-17 16:13:39 +01:00
Emily cc28d51237 nixos/hardened: don't set vm.mmap_min_addr
Upstreamed in anthraxx/linux-hardened@f1fe0a64dd.
2020-04-17 16:13:39 +01:00
Emily 46d12cca56 nixos/hardened: don't set vm.mmap_rnd{,_compat}_bits
Upstreamed in anthraxx/linux-hardened@ae6d85f437.
2020-04-17 16:13:39 +01:00
Emily af4f57b2c4 nixos/hardened: don't set net.core.bpf_jit_harden
Upstreamed in anthraxx/linux-hardened@82e384401d.
2020-04-17 16:13:39 +01:00
Emily 71bbd876b7 nixos/hardened: don't set kernel.unprivileged_bpf_disabled
Upstreamed in anthraxx/linux-hardened@1a3e0c2830.
2020-04-17 16:13:39 +01:00
Emily 9da578a78f nixos/hardened: don't set kernel.dmesg_restrict
Upstreamed in anthraxx/linux-hardened@e3d3f13ffb.
2020-04-17 16:13:39 +01:00
Emily cf1bce6a7a nixos/hardened: don't set vsyscall=none
Upstreamed in anthraxx/linux-hardened@d300b0fdad.
2020-04-17 16:13:39 +01:00
Emily 3b32cd2a5b nixos/hardened: don't set slab_nomerge
Upstreamed in anthraxx/linux-hardened@df29f9248c.
2020-04-17 16:13:39 +01:00
Emily 7fdfe5381d linux_*_hardened: don't set FORTIFY_SOURCE
Upstreamed in anthraxx/linux-hardened@d12c0d5f0c.
2020-04-17 16:13:39 +01:00
Emily ed89b5b3f1 linux_*_hardened: don't set PANIC_ON_OOPS
Upstreamed in anthraxx/linux-hardened@366e0216f1.
2020-04-17 16:13:39 +01:00
Emily 0d5f1697b7 linux_*_hardened: don't set SLAB_FREELIST_{RANDOM,HARDENED}
Upstreamed in anthraxx/linux-hardened@786126f177,
anthraxx/linux-hardened@44822ebeb7.
2020-04-17 16:13:39 +01:00
Emily 4fb796e341 linux_*_hardened: don't set HARDENED_USERCOPY_FALLBACK
Upstreamed in anthraxx/linux-hardened@c1fe7a68e3,
anthraxx/linux-hardened@2c553a2bb1.
2020-04-17 16:13:39 +01:00
Emily 3eeb5240ac linux_*_hardened: don't set DEBUG_LIST
Upstreamed in anthraxx/linux-hardened@6b20124185.
2020-04-17 16:13:39 +01:00
Emily 0611462e33 linux_*_hardened: don't set {,IO_}STRICT_DEVMEM
STRICT_DEVMEM is on by default in upstream 5.6.2; IO_STRICT_DEVMEM is
turned on by anthraxx/linux-hardened@103d23cb66.

Note that anthraxx/linux-hardened@db1d27e10e
disables DEVMEM by default, so this is only relevant if that default is
overridden to turn it back on.
2020-04-17 16:13:39 +01:00
Emily 303bb60fb1 linux_*_hardened: don't set DEBUG_WX
Upstreamed in anthraxx/linux-hardened@55ee7417f3.
2020-04-17 16:13:39 +01:00
Emily 33b94e5a44 linux_*_hardened: don't set BUG_ON_DATA_CORRUPTION
Upstreamed in anthraxx/linux-hardened@3fcd15014c.
2020-04-17 16:13:39 +01:00
Emily db6b327508 linux_*_hardened: don't set LEGACY_VSYSCALL_NONE
Upstreamed in anthraxx/linux-hardened@d300b0fdad.
2020-04-17 16:13:39 +01:00
Emily 130f6812be linux_*_hardened: don't set RANDOMIZE_{BASE,MEMORY}
These are on by default for x86 in upstream linux-5.6.2, and turned on
for arm64 by anthraxx/linux-hardened@90f9670bc3.
2020-04-17 16:13:39 +01:00
Emily 8c68055432 linux_*_hardened: don't set MODIFY_LDT_SYSCALL
Upstreamed in anthraxx/linux-hardened@05644876fa.
2020-04-17 16:13:39 +01:00
Emily 8efe83c22e linux_*_hardened: don't set DEFAULT_MMAP_MIN_ADDR
Upstreamed in anthraxx/linux-hardened@f1fe0a64dd.
2020-04-17 16:13:39 +01:00
Emily 3d4c8ae901 linux_*_hardened: don't set VMAP_STACK
This has been on by default upstream for as long as it's been an option.
2020-04-17 16:13:39 +01:00
Emily 7d5352df31 linux_*_hardened: don't set X86_X32
As far as I can tell, this has never defaulted to on upstream, and our
common kernel configuration doesn't turn it on, so the attack surface
reduction here is somewhat homeopathic.
2020-04-17 16:13:39 +01:00