First, this closes#167972 by explicitly disabling Python tests for the
backported pycrypto library. Those tests were written for Python 2 only.
Furthermore, the meta.knownVulnerabilities attribute was added as the
last weechat-otr upstream release was in 2018-03 [0] and the backported
Debian package of pycrypto is from 2020-04 [1]. As there are no known
vulnerabilities for weechat-otr itself, pycrypto "is unmaintained,
obsolete, and contains security vulnerabilities" [2]. Even with Debian's
patches, this is no good situation.
As weechat-otr being a security and privacy related software, it should
be made obvious, that its code base is old and unmaintained.
[0] https://github.com/mmb/weechat-otr/releases/tag/v1.9.2
[1] https://salsa.debian.org/sramacher/python-crypto/-/tags/debian%2F2.6.1-13.1
[2] https://www.pycrypto.org/
At some point, I'd like to make another attempt at
71f1f4884b ("openssl: stop static binaries referencing libs"), which
was reverted in 195c7da07d. One problem with my previous attempt is
that I moved OpenSSL's libraries to a lib output, but many dependent
packages were hardcoding the out output as the location of the
libraries. This patch fixes every such case I could find in the tree.
It won't have any effect immediately, but will mean these packages
will automatically use an OpenSSL lib output if it is reintroduced in
future.
This patch should cause very few rebuilds, because it shouldn't make
any change at all to most packages I'm touching. The few rebuilds
that are introduced come from when I've changed a package builder not
to use variable names like openssl.out in scripts / substitution
patterns, which would be confusing since they don't hardcode the
output any more.
I started by making the following global replacements:
${pkgs.openssl.out}/lib -> ${lib.getLib pkgs.openssl}/lib
${openssl.out}/lib -> ${lib.getLib openssl}/lib
Then I removed the ".out" suffix when part of the argument to
lib.makeLibraryPath, since that function uses lib.getLib internally.
Then I fixed up cases where openssl was part of the -L flag to the
compiler/linker, since that unambigously is referring to libraries.
Then I manually investigated and fixed the following packages:
- pycurl
- citrix-workspace
- ppp
- wraith
- unbound
- gambit
- acl2
I'm reasonably confindent in my fixes for all of them.
For acl2, since the openssl library paths are manually provided above
anyway, I don't think openssl is required separately as a build input
at all. Removing it doesn't make a difference to the output size, the
file list, or the closure.
I've tested evaluation with the OfBorg meta checks, to protect against
introducing evaluation failures.
This commit exposes support for compilation without dbus, controlled
by the global dbusSupport argument. This argument is understood by
many other nixpkgs expressions and can be set globally in
~/.config/nixpkgs/config.nix.
This commit also adds two package-specific arguments:
* notificationsSupport allows to disable the desktop-notifications
feature when invoking cargo.
* useOpenSSL can be set to false in order to compile tiny with rustls
instead of openssl.
I've just switched irssi to build from the 1.2.3 tag in the git tree, as
the build was failing on apple silicon when linking libirc_proxy.la in
dir `src/irc/proxy`
I kinda just switched it and it built. I did not dig very deep on the
reasons behind why this fixed things. I am hoping that Linux still
builds, as i have not tested it. Some notes:
- The sys_lib_search_path done by fixLibtool in the configure phase now
no longer seems to update with the NIX_LDFLAGS. It appears that this
is because the newer libtool script does not start the line with
'eval', so the sed does not match.
- My system still builds, despite the previous item. I noticed that on
this new build, my system defines `allow_undefined_flag` in the
libtool script to something nonempty. I guess that may be the reason
everything still builds and works at runtime.
