This package takes an excessive amount of time to build (e.g., right
now Hydra is showing eight concurrent builds of webkitgtk, some of
them running for more than 6 hours). This may also delay channel
updates.
stdenv.system should almost always be used instead of builtins.currentSystem,
or cross-evaluation (e.g. evaluating an i686 NixOS system on a 64-bit nix)
will be subtly broken.
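A constructed Nix illustration of the pitfall the commit describes (added here, not code from the commit): the package name, URLs and hash are placeholders.

```nix
# Constructed example: select a prebuilt binary by platform.
{ stdenv, fetchurl }:

let
  # Placeholder URLs and hashes, one per supported platform.
  srcs = {
    "x86_64-linux" = {
      url = "https://example.invalid/pkg-1.0-x86_64.tar.gz";
      sha256 = "<placeholder-sha256-x86_64>";
    };
    "i686-linux" = {
      url = "https://example.invalid/pkg-1.0-i686.tar.gz";
      sha256 = "<placeholder-sha256-i686>";
    };
  };

  # WRONG: builtins.currentSystem is the system of the machine doing the
  # *evaluation*. When an i686 NixOS configuration is evaluated on an
  # x86_64 nix, this silently picks the x86_64 binary for an i686 system.
  # src = srcs.${builtins.currentSystem};

  # RIGHT: stdenv.system is the system the derivation is being built for,
  # which is what nixpkgs was instantiated with (e.g. nixos.system).
  src = srcs.${stdenv.system}
    or (throw "unsupported system: ${stdenv.system}");
in

stdenv.mkDerivation {
  name = "example-binary-1.0";
  src = fetchurl { inherit (src) url sha256; };
  # Unpack only; a real package would patch ELF interpreters, etc.
  installPhase = ''
    mkdir -p $out
    cp -r . $out/
  '';
}
```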
No changes in functionality, but to make future source updates a bit
easier on the eyes when viewing the diff.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The update.sh shell script is now only a call to nix-build, which does
all the hard work of updating the Chromium source channels and the
plugins. It results in a store path with the new sources.nix that
replaces the already existing sources.nix.
Along the way, this has led to a quite massive workaround, which abuses
MD5 collisions to detect whether a URL exists, because something
like builtins.tryEval (builtins.fetchurl url) unfortunately doesn't
work. Further explanations and implementation details are documented in
the actual implementation.
The drawback of this is that we don't have nice status messages anymore,
but on the upside we have a more robust generation of the sources.nix
file, which now also should work properly on missing upstream
sources/binaries.
This also makes it much easier to implement fetching non-GNU/Linux
versions of Chromium and we have all values from omahaproxy available as
an attribute set (see the csv2nix and channels attributes in the update
attribute).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This fixes the previous attempt (in commit 46d1dd5) to make ctags' ctags
override emacs' ctags. The higher the value of the priority attribute,
the higher the priority (see the definition of `buildEnv`).
As stated in the parent commit, the 32bit Chrome package is not
available upstream, so let's at least provide the SHA256 hash for the
64bit package.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Until now, if we have a failure to fetch either the 32bit Debian package
or the 64bit Debian package, neither of these will be put into
sources.nix.
Unfortunately the beta/dev channels do not have a 32bit Debian package,
so even though there is a 64bit Debian package available we don't get
plugins *at* *all*.
This also introduces a nicer error message rather than just failing with
an assertion in fetchurl because we did not provide url/urls.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Updates gitlab to the current stable version and fixes a lot of features that
were broken, at least with the current version and our configuration.
Quite a lot of sweat and tears have gone into testing nearly all features and
reading/patching the Gitlab source as we're about to deploy gitlab for our
whole company.
Things to note:
* The gitlab config is now written as a nix attribute set and will be
converted to JSON. Gitlab uses YAML but JSON is a subset of YAML.
The `extraConfig` option is also an attribute set that will be merged
with the default config. This way *all* Gitlab options are supported.
* Some paths like uploads and configs are hardcoded in rails (at least
after my study of the Gitlab source). This is why they are linked from
the Gitlab root to /run/gitlab and then linked to the configurable
`statePath`.
* Backup & restore should work out of the box from another Gitlab instance.
* gitlab-git-http-server has been replaced by gitlab-workhorse upstream.
Push & pull over HTTPS works perfectly. Communication to gitlab is done
over unix sockets. An HTTP server is required to proxy requests to
gitlab-workhorse over another unix socket at
`/run/gitlab/gitlab-workhorse.socket`.
* The user & group running gitlab are now configurable. These can even be
changed for live instances.
* The initial email address & password of the root user can be configured.
Fixes #8598.
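A constructed sketch of the configuration approach the commit describes (added here; not the actual NixOS gitlab module): `defaultConfig`, the `cfg.extraConfig` argument and the hostname are assumptions.

```nix
# Constructed example: gitlab config as a Nix attribute set, merged with
# a user-supplied extraConfig and emitted as JSON. Gitlab reads it as
# YAML, which is fine because JSON is a subset of YAML.
{ lib, pkgs, cfg }:

let
  # Module defaults (placeholder values).
  defaultConfig = {
    production = {
      gitlab = {
        host = "gitlab.example.invalid";
        port = 443;
        https = true;
      };
      # Paths hardcoded in rails are pointed at /run/gitlab, which in turn
      # links to the configurable statePath.
      gitlab_shell.path = "/run/gitlab/shell";
      satellites.path = "/run/gitlab/satellites";
    };
  };

  # recursiveUpdate merges nested attribute sets key by key, so a user
  # can override a single leaf (e.g. production.gitlab.port) while every
  # other default survives. Keys only present in extraConfig are added,
  # which is how options the module never mentions stay supported.
  merged = lib.recursiveUpdate defaultConfig (cfg.extraConfig or {});
in

# The resulting store path is linked to gitlab's config/gitlab.yml.
pkgs.writeText "gitlab.yml" (builtins.toJSON merged)
```

With `cfg.extraConfig = { production.gitlab.port = 8080; production.ldap.enabled = true; };` the output keeps host and https from the defaults, replaces port, and adds the ldap section.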
This release includes the following changes:
o libssh2_session_set_last_error: Add function
o mac: Add support for HMAC-SHA-256 and HMAC-SHA-512
o WinCNG: support for SHA256/512 HMAC
o kex: Added diffie-hellman-group-exchange-sha256 support
o OS/400 crypto library QC3 support
This release includes the following security advisory:
o diffie_hellman_sha256: convert bytes to bits
CVE-2016-0787: http://www.libssh2.org/adv_20160223.html
This release includes the following bugfixes:
o SFTP: Increase speed and datasize in SFTP read
o openssl: make libssh2_sha1 return error code
o openssl: fix memleak in _libssh2_dsa_sha1_verify()
o cmake: include CMake files in the release tarballs
o Fix builds with Visual Studio 2015
o hostkey.c: Fix compiling error when OPENSSL_NO_MD5 is defined
o GNUmakefile: add support for LIBSSH2_LDFLAG_EXTRAS
o GNUmakefile: add -m64 CFLAGS when targeting mingw64
o kex: free server host key before allocating it (again)
o SCP: add libssh2_scp_recv2 to support large (> 2GB) files on windows
o channel: Detect bad usage of libssh2_channel_process_startup
o userauth: Fix off by one error when reading public key file
o kex: removed dupe entry from libssh2_kex_methods
o _libssh2_error: Support allocating the error message
o hostkey: fix invalid memory access if libssh2_dsa_new fails
o hostkey: align code path of ssh_rsa_init to ssh_dss_init
o libssh2.pc.in: fix the output of pkg-config --libs
o wincng: fixed possible memory leak in _libssh2_wincng_hash
o wincng: fixed _libssh2_wincng_hash_final return value
o add OpenSSL 1.1.0-pre2 compatibility
o agent_disconnect_unix: unset the agent fd after closing it
o sftp: stop reading when buffer is full
o sftp: Send at least one read request before reading
o sftp: Don't return EAGAIN if data was written to buffer
o sftp: Check read packet file offset
o configure: build "silent" if possible
o openssl: add OpenSSL 1.1.0-pre3-dev compatibility
o GNUmakefile: list system libs after user libs
NetworkManager needs an additional avahi-user to use link-local
IPv4 (and probably IPv6) addresses. avahi-autoipd also needs to be
patched to the right path.
By default all plugins from the pkgs.gimpPlugins set are enabled.
The default location of plugins changed from $out/${gimp.name} to
$out/lib/gimp/${majorVersion}. The resulting derivation for gimp+plugins
is set as the search path for plugins by default (the additional tweaking in
gimprc done for the old plugin scheme should be removed).
From the debian security mailing list:
Several vulnerabilities have been discovered in the chromium web browser.
CVE-2016-1622
It was discovered that a maliciously crafted extension could bypass
the Same Origin Policy.
CVE-2016-1623
Mariusz Mlynski discovered a way to bypass the Same Origin Policy.
CVE-2016-1624
lukezli discovered a buffer overflow issue in the Brotli library.
CVE-2016-1625
Jann Horn discovered a way to cause the Chrome Instant feature to
navigate to unintended destinations.
CVE-2016-1626
An out-of-bounds read issue was discovered in the openjpeg library.
CVE-2016-1627
It was discovered that the Developer Tools did not validate URLs.
CVE-2016-1628
An out-of-bounds read issue was discovered in the pdfium library.
CVE-2016-1629
A way to bypass the Same Origin Policy was discovered in Blink/WebKit,
along with a way to escape the chromium sandbox.
New features
------------
* Processes under PRoot now appear with their real names, that is,
they are not renamed ld-linux.so or prooted-... anymore.
* Own ELF loader.
Fixes
-----
* Most bugs related to shebang support -- i.e. #! at the beginning of
a program -- were fixed.
* It is now possible to use GDB against multi-threaded programs under
PRoot x86_64 and x86.
* It is possible to execute x86_64 programs from x86 programs again.
* It is possible to use x86 ptrace-based programs (strace, gdb, ...)
under PRoot x86_64 again.
* The loader is now built with the build-id linker option explicitly
disabled. This special section might interfere with loaded
programs.
* The loader can now load relocatable objects that have a predefined
base address.
Bugfix release; released on February 22 2016:
- Fix argument checks for interpreter invoke with `-m` and `-c`
on Windows.
- Fixed a bug that caused locale detection to error out on Python 3.
Re-builds many Python packages, but no new failures on x86-64.