After #16017 there were a lot
of comments saying that `nix` would be better than `JSON`
for Go packages dependency sets.
As said in https://github.com/NixOS/nixpkgs/pull/16017#issuecomment-229624046
> Because of the content-addressable store, if two programs have the
> same dependency it will already result in the same derivation in
> the store. Git also has compression in the pack files so it won't
> make much difference to duplicate the dependencies on disk. And
> finally most users will just use the binary builds so it won't make
> any differences to them.
This PR removes the `libs.json` file and puts all package dependencies in
their `deps.json`.
Closes #17460
Changed the wrapper derivation to produce a second output containing the sandbox.
Add a launch wrapper to try and locate the sandbox (either in /var/setuid-wrappers or in /nix/store).
This launch wrapper also sheds libredirect.so from LD_PRELOAD as Chromium does not tolerate it.
Does not trigger a Chromium rebuild.
cc @cleverca22 @joachifm @jasom
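A sketch of the launcher logic this change describes, added here as an example and not taken from the nixpkgs wrapper: it filters libredirect.so out of an LD_PRELOAD value and picks the first usable sandbox from an ordered candidate list. The function names, the sample paths and the `SANDBOX_NAME` and `EXAMPLE` placeholders are assumptions.

```shell
#!/bin/sh
# Added illustration; function names and sample paths are assumptions,
# not the contents of the nixpkgs Chromium wrapper.

# Print the LD_PRELOAD value in $1 with every libredirect.so entry removed.
# Entries may be separated by colons or spaces; output is colon-separated.
# The body runs in a subshell so IFS and noglob changes do not leak.
strip_libredirect() (
    out=""
    IFS=': '
    set -f
    for entry in $1; do
        case "${entry##*/}" in
            ''|libredirect.so) ;;                 # drop empty fields and the shim
            *) out="${out:+$out:}$entry" ;;
        esac
    done
    printf '%s' "$out"
)

# Print the first candidate that is an executable regular file.
# Callers list the setuid wrapper location first, the store copy second.
find_sandbox() {
    for candidate in "$@"; do
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            printf '%s' "$candidate"
            return 0
        fi
    done
    return 1
}

# Constructed sample input, not a real environment.
sample_preload='/nix/store/EXAMPLE-libredirect/lib/libredirect.so:/usr/lib/libexample.so'
cleaned=$(strip_libredirect "$sample_preload")
echo "LD_PRELOAD after filtering: ${cleaned:-<empty>}"

# SANDBOX_NAME and EXAMPLE are placeholders for the real file names.
sandbox=$(find_sandbox /var/setuid-wrappers/SANDBOX_NAME \
                       /nix/store/EXAMPLE-sandbox/bin/SANDBOX_NAME) \
    || sandbox=""
echo "sandbox: ${sandbox:-<none found>}"
```

A real launcher would unset LD_PRELOAD when the filtered value is empty rather than exporting an empty string.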
First step towards addressing #17460
In order to be able to run the SUID sandbox, which is good for security
and required to run Chromium with any kind of reasonable sandboxing when
using grsecurity kernels, we want to be able to control where the
sandbox comes from in the Chromium wrapper. This commit patches the
appropriate bit of source and adds the same old sandbox to the wrapper
(so it should be a no-op)
* pidgin-osd: init at 0.1.0
A straightforward pidgin plugin; kind of ancient, but still works fine.
* Use autoreconf, with minor hackery around ChangeLog.
The licensing terms depend on use [1], but the software is clearly nonfree.
Previously, the package would happily build even with allowUnfree = false.
[1]: http://sales.teamspeakusa.com/licensing.php
* removed firefox-developer-bin
* extend firefox-bin expression to accept sources as input so
firefox-developer-bin can be packaged outside nixpkgs
* generate_sources.rb now includes full urls in the output
Bugfix release, detect Exchange throttling to temporarily block requests and a few Carddav fixes.
EWS:
- EWS: handle Exchange throttling, suspend all requests according to server provided delay
- EWS: send DavMailException instead of authentication exception on EWS not available error
Enhancements:
- 128x128 DavMail icon
- Add a new davmail.httpMaxRedirects setting
- DAV: add a hidden davmail.disableNTLM setting
Carddav:
- Carddav: fix another regression on contact create with empty field
- Carddav: remove email over EWS unit test
- Carddav: fix email address removal over EWS
In line with the Nixpkgs manual.
A mechanical change, done with this command:
    find pkgs -name "*.nix" | \
        while read f; do \
            sed -e 's/description\s*=\s*"\([a-z]\)/description = "\u\1/' -i "$f"; \
        done
I manually skipped some:
* Descriptions starting with an abbreviation, a user name or package name
* Frequently generated expressions (haskell-packages.nix)
stable 51.0.2704.63 => 51.0.2704.103
beta 51.0.2704.63 => 52.0.2743.41
dev 52.0.2743.10 => 53.0.2767.4
This addresses 15 security fixes, including:
* High CVE-2015-1696: Cross-origin bypass in Extension bindings. Credit to
anonymous.
* High CVE-2015-1697: Cross-origin bypass in Blink. Credit to Mariusz
Mlynski.
* Medium CVE-2016-1698: Information leak in Extension bindings. Credit to
Rob Wu.
* Medium CVE-2016-1699: Parameter sanitization failure in DevTools. Credit
to Gregory Panakkal.
* Medium CVE-2016-1700: Use-after-free in Extensions. Credit to Rob Wu.
* Medium CVE-2016-1701: Use-after-free in Autofill. Credit to Rob Wu.
* Medium CVE-2016-1702: Out-of-bounds read in Skia. Credit to cloudfuzzer.
See: http://googlechromereleases.blogspot.com/2016/06/stable-channel-update.html
This reverts commit 83406bc171, because
it broke the build.
x2goclient requires to be built with its top-level (hand coded) Makefile
(in accordance with upstream documentation). Invoking qmake directly on
the .pro file, without specifying a separate build tree, will overwrite
the Makefile and break the build.
For instance, there are no install rules in the .pro file. That exists
only in the Makefile.
With this update we need to rebase the nix_plugin_paths patch, which was
done by @srp and I took it from his comment at:
https://github.com/NixOS/nixpkgs/pull/15762#issuecomment-222230677
Other than that, using libjpeg from nixpkgs fails to link:
https://headcounter.org/hydra/build/1114273
Rather than just using versionAtLeast to check for >= version 52, we're
matching on the explicit version number. That way we can make sure that
we (try to) build with system libjpeg again so we can keep it out of the
overall Chromium build time.
Built and tested using the VM tests on my Hydra at:
https://headcounter.org/hydra/eval/322006
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We're already on version 52, so there really is no need to keep all
those conditionals and old patches anymore.
Tested dropping the unconditional build_fixes_46.patch via the Chromium
VM tests.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
I'm not sure how the wrong hash ended up being there, but I've checked
the hash from three different machines (and networks) just to be sure I
didn't make a mistake.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Overview of updated versions:
stable: 50.0.2661.102 -> 51.0.2704.63
beta: 51.0.2704.47 -> 51.0.2704.63
I tried to update dev, but couldn't get it to compile, it was failing
with a "'isnan' was not declared in this scope".
As far as I can tell, at the moment the beta and stable channels are
on the same version.
The stable update addresses the following security issues:
* High CVE-2016-1672: Cross-origin bypass in extension bindings. Credit
to Mariusz Mlynski.
* High CVE-2016-1673: Cross-origin bypass in Blink. Credit to Mariusz
Mlynski.
* High CVE-2016-1674: Cross-origin bypass in extensions. Credit to Mariusz
Mlynski.
* High CVE-2016-1675: Cross-origin bypass in Blink. Credit to Mariusz
Mlynski.
* High CVE-2016-1676: Cross-origin bypass in extension bindings. Credit
to Rob Wu.
* Medium CVE-2016-1677: Type confusion in V8. Credit to Guang Gong of
Qihoo 360.
* High CVE-2016-1678: Heap overflow in V8. Credit to Christian Holler.
* High CVE-2016-1679: Heap use-after-free in V8 bindings. Credit to Rob Wu.
* High CVE-2016-1680: Heap use-after-free in Skia. Credit to Atte Kettunen
of OUSPG.
* High CVE-2016-1681: Heap overflow in PDFium. Credit to Aleksandar Nikolic
of Cisco Talos.
* Medium CVE-2016-1682: CSP bypass for ServiceWorker. Credit to
KingstonTime.
* Medium CVE-2016-1683: Out-of-bounds access in libxslt. Credit to Nicolas
Gregoire.
* Medium CVE-2016-1684: Integer overflow in libxslt. Credit to Nicolas
Gregoire.
* Medium CVE-2016-1685: Out-of-bounds read in PDFium. Credit to Ke Liu
of Tencent's Xuanwu LAB.
* Medium CVE-2016-1686: Out-of-bounds read in PDFium. Credit to Ke Liu
of Tencent's Xuanwu LAB.
* Medium CVE-2016-1687: Information leak in extensions. Credit to Rob Wu.
* Medium CVE-2016-1688: Out-of-bounds read in V8. Credit to Max Korenko.
* Medium CVE-2016-1689: Heap buffer overflow in media. Credit to Atte
Kettunen of OUSPG.
* Medium CVE-2016-1690: Heap use-after-free in Autofill. Credit to Rob Wu.
* Low CVE-2016-1691: Heap buffer-overflow in Skia. Credit to Atte Kettunen
of OUSPG.
* Low CVE-2016-1692: Limited cross-origin bypass in ServiceWorker. Credit
to Til Jasper Ullrich.
* Low CVE-2016-1693: HTTP Download of Software Removal Tool. Credit to
Khalil Zhani.
* Low CVE-2016-1694: HPKP pins removed on cache clearance. Credit to Ryan
Lester and Bryant Zadegan.
See: http://googlechromereleases.blogspot.com/2016/05/stable-channel-update_25.html