This was probably needed for scriptrelay(1) before it was rewritten
from Perl to C in util-linux 2.14. I've checked with Diffoscope that
after removing the build input, the result is bit-for-bit identical
except for the different prefix.
Maintainers Notes below.
~~~
Hello,
New versions of all the skarnet.org packages are available.
skalibs has undergone a major update, with a few APIs having disappeared,
and others having changed. Compatibility with previous versions is *not*
assured.
Consequently, all the rest of the skarnet.org software has undergone
at least a release bump, in order to build with the new skalibs. But
some packages also have new functionality added (hence, a minor bump),
and others also have their own incompatible changes (hence, a major bump).
The new versions are the following:
skalibs-2.11.0.0 (major)
nsss-0.2.0.0 (major)
utmps-0.1.0.3 (release)
execline-2.8.1.0 (minor)
s6-2.11.0.0 (major)
s6-rc-0.5.2.3 (release)
s6-portable-utils-2.2.3.3 (release)
s6-linux-utils-2.5.1.6 (release)
s6-linux-init-1.0.6.4 (release)
s6-dns-2.3.5.2 (release)
s6-networking-2.5.0.0 (major)
mdevd-0.1.5.0 (minor)
bcnm-0.0.1.4 (release)
dnsfunnel-0.0.1.2 (release)
Additionally, a new package has been released:
smtpd-starttls-proxy-0.0.1.0
Dependencies have all been updated to the latest versions. They are,
this time, partially strict: libraries and binaries may build with older
releases of their dependencies, but not across major version bumps. The
safest approach is to upgrade everything at the same time.
You do not need to recompile your s6-rc service databases or recreate
your s6-linux-init run-images.
You should restart your supervision tree after upgrading skalibs and s6,
as soon as is convenient for you.
Details of major and minor package changes follow.
* skalibs-2.11.0.0
----------------
- A lot of obsolete or useless functionality has been removed:
libbiguint, rc4, md5, iobuffer, skasigaction, environ.h and
getpeereid.h headers, various functions that have not proven their
value in a while.
- Some functions changed signatures or changed names, or both.
- All custom types ending in _t have been renamed, to avoid treading on
POSIX namespace. (The same change has not been done yet in other
packages, but skalibs was the biggest offender by far.)
- Signal functions have been deeply reworked.
- cdb has been reworked, the API is now more user-friendly.
- New functions have been added.
The deletion of significant portions of code has made skalibs leaner.
libskarnet.so has dropped under 190 kB on x86_64.
The cdb rewrite on its own has helped reduce an important amount of
boilerplate in cdb-using code.
All in all, code linked against the new skalibs should be slightly
smaller and use a tiny bit less RAM.
https://skarnet.org/software/skalibs/
git://git.skarnet.org/skalibs
* nsss-0.2.0.0
------------
- Bugfixes.
- nsss-switch wire protocol slightly modified, which is enough to
warrant a major version bump.
- _r functions are now entirely thread-safe.
- Spawned nsssd programs are now persistent and only expire after a
timeout on non-enumeration queries. This saves a lot of forking with
applications that can call primitives such as getpwnam() repeatedly, as
e.g. mdevd does when initially parsing its configuration file.
- New nsssd-switch program, implementing real nsswitch functionality
by dispatching queries to various backends according to a script.
It does not dlopen a single library or read a single config file.
https://skarnet.org/software/nsss/
git://git.skarnet.org/nsss
* execline-2.8.1.0
----------------
- Bugfixes.
- New binary: case. It compares a value against a series of regular
expressions, executing into another command line on the first match.
https://skarnet.org/software/execline/
git://git.skarnet.org/execline
* s6-2.11.0.0
-----------
- Bugfixes.
- Some libs6 header names have been simplified.
- s6-svwait now accepts -r and -R options.
- s6-supervise now reads an optional lock-fd file in the service
directory; if it finds one, the first action of the service is to take
a blocking lock. This prevents confusion when a controller process dies
while still leaving workers holding resources; it also prevents log
spamming on user mistakes (autobackgrounding services, notably).
- New binaries: s6-socklog, s6-svlink, s6-svunlink. The former is a
rewrite of smarden.org's socklog program, in order to implement a fully
functional syslogd with only s6 programs. The latter are tools that start
and stop services by symlinking/unlinking service directories from a
scan directory, in order to make it easier to integrate s6-style services
in boot scripts for sequential service managers such as OpenRC.
https://skarnet.org/software/s6/
git://git.skarnet.org/s6
* s6-networking-2.5.0.0
---------------------
- Bugfixes.
- minidentd has been removed. It was an old and somehow still buggy
piece of code that was only hanging around for nostalgia reasons.
- Full support for client certificates. Details of the client
certificate are transmitted to the application via environment
variables (or via an environment string in the case of opportunistic
TLS).
- Full SNI support, including server-side. (That involved a deep dive
into the bearssl internals, which is why it took so long.) The filenames
containing secret keys and certificates for <domain> are read in the
environment variables KEYFILE:<domain> and CERTFILE:<domain>.
Complete client certificate and SNI support now make the TLS part of
s6-networking a fully viable replacement of stunnel and other similar
TLS tunneling tools. This is most interesting when s6-networking is
built against bearssl, which uses about 1/9 of the resources that OpenSSL
needs.
https://skarnet.org/software/s6-networking/
git://git.skarnet.org/s6-networking
* mdevd-0.1.5.0
-------------
- A new option to mdevd is available: -O <nlgroups>.
This option makes mdevd rebroadcast uevents to a netlink group (or set
of netlink groups) once they have been handled. This allows applications
to read uevents from a netlink group *after* the device manager is done
with them. This is useful, for instance, when pairing mdevd with
libudev-zero for full udev emulation.
- The * and & directives, which previously were only triggered by
"add" and "remove" actions, are now triggered by *all* action types.
This gives users full scripting access to any event, which can be
used to implement complex rules similar to udev ones.
These two changes make it possible to now build a full-featured desktop
system based on mdevd + libudev-zero, without running systemd-udevd or
eudev.
https://skarnet.org/software/mdevd/
git://git.skarnet.org/mdevd
* smtpd-starttls-proxy-0.0.1.0
----------------------------
This new package, in conjunction with the latest s6-networking,
implements the STARTTLS functionality for inetd-like mail servers that
do not already support it. (Currently only tested with qmail-smtpd.)
If you have noticed that sending mail to skarnet.org supports STARTTLS
now, it is thanks to this little piece of software.
https://skarnet.org/software/smtpd-starttls-proxy/
git://git.skarnet.org/smtpd-starttls-proxy
Enjoy,
Bug-reports welcome.
Laurent
Use Debian downstream patch to fix compilation against linuxHeaders < 5.14.
Our linux headers exposed by glibc are still at 5.12. We should be able
to remove this patch once our linuxHeaders are bumped to 5.14+.
Fix the following error when running `nix run .#zfs`:
error: unable to execute '/nix/store/ns6rifm17r0lp17w8gb4qr5db4cwbkj9-zfs-user-2.1.1/bin/zfs-user': No such file or directory
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
Conflicts:
pkgs/development/compilers/ghc/8.10.7.nix
pkgs/development/compilers/ghc/8.8.4.nix
I've removed the isWindows check from useLdGold in ghc, since that should
be covered by the new hasGold check.
Conflicts:
- pkgs/development/python-modules/pathspec/default.nix
The hashes are equivalent, so it's not a real conflict.
- pkgs/top-level/static.nix
I can't see a solution, deffered redoing this to the later PR:
https://github.com/NixOS/nixpkgs/pull/136849
The qmake-based build didn't seem to work any more, but there's a
Kbuild-based build system available anyway, so let's just switch to
that and save a dependency.
Also clarify license.
