fetchFromGitHub and thus fetchzip hashes the contents of the archive and
not the archive itself. Unicode file names lead to different checksums
on HFS+ vs. other file systems because of Unicode normalisation.
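The effect described in the commit message above, as an added example that is not part of nixpkgs or of the original commit: a hash that covers file names changes when a file system rewrites those names into another normalisation form. `tree_hash`, `as_stored` and `non_portable_names` are hypothetical helpers, the archive is constructed, HFS+ is modelled as plain NFD, and the hash is a simplified stand-in rather than Nix's NAR serialisation.

```python
import hashlib
import unicodedata


def tree_hash(files):
    """Hash a {relative_name: content_bytes} mapping, names included.

    Simplified stand-in for a content hash over an unpacked archive; it is
    NOT Nix's NAR serialisation, only a hash that covers file names too.
    """
    h = hashlib.sha256()
    for name in sorted(files):
        raw = name.encode("utf-8")
        # Length-prefix every field so name and content cannot run together.
        h.update(len(raw).to_bytes(8, "little") + raw)
        h.update(len(files[name]).to_bytes(8, "little") + files[name])
    return h.hexdigest()


def as_stored(files, form):
    """Model a file system that rewrites names into one normalisation form."""
    return {unicodedata.normalize(form, n): c for n, c in files.items()}


def non_portable_names(names):
    """Names whose bytes change under normalisation (NFC != NFD)."""
    return [n for n in names
            if unicodedata.normalize("NFC", n) != unicodedata.normalize("NFD", n)]


# Constructed sample archive: one ASCII name, one name containing U+00E9.
ARCHIVE = {"README.md": b"docs\n", "caf\u00e9.txt": b"menu\n"}

if __name__ == "__main__":
    print("composed  :", tree_hash(as_stored(ARCHIVE, "NFC")))
    print("decomposed:", tree_hash(as_stored(ARCHIVE, "NFD")))
    print("at risk   :", non_portable_names(ARCHIVE))
```

Running `non_portable_names` over a source tree before pinning its hash flags the names that would make the fixed-output hash platform-dependent.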
Whenever we create scripts that are installed to $out, we must use runtimeShell
in order to get the shell that can be executed on the machine we create the
package for. This is relevant for cross-compiling. The only use case for
stdenv.shell are scripts that are executed as part of the build system.
Usages in checkPhase are borderline; however, to decrease the likelihood
of people copying the wrong examples, I decided to use runtimeShell as well.
https://groups.google.com/forum/#!msg/golang-announce/mVeX35iXuSw/Flp8FX7QEAAJ
We have just released Go 1.11.5 and Go 1.10.8 to address a recently reported security issue. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.11.5).
This DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU.
These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.
The issue is CVE-2019-6486 and Go issue golang.org/issue/29903. See the Go issue for more details.
He prefers to contribute to his own nixpkgs fork triton.
Since he is still marked as maintainer in many packages
this leaves the wrong impression he still maintains those.
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/go/versions.
These checks were done:
- built on NixOS
- Warning: no invocation of /nix/store/sz746n0jm0n8dnv47d7cqvwny8ncfbi4-go-1.10.3/bin/gofmt had a zero exit code or showed the expected version
- /nix/store/sz746n0jm0n8dnv47d7cqvwny8ncfbi4-go-1.10.3/bin/.go-wrapped passed the binary check.
- /nix/store/sz746n0jm0n8dnv47d7cqvwny8ncfbi4-go-1.10.3/bin/go passed the binary check.
- 2 of 3 passed binary check by having a zero exit code.
- 0 of 3 passed binary check by having the new version present in output.
- found 1.10.3 with grep in /nix/store/sz746n0jm0n8dnv47d7cqvwny8ncfbi4-go-1.10.3
- directory tree listing: https://gist.github.com/499abd38cfb9318ba6bbcd885951c6b8
- du listing: https://gist.github.com/04fbe15eac23c814fa6b313c8e543e4c
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/go/versions.
These checks were done:
- built on NixOS
- ran ‘/nix/store/w2wgdl5ljbx1fq6iwlavrl4nzbchq954-go-1.10.2/bin/.go-wrapped help’ got 0 exit code
- ran ‘/nix/store/w2wgdl5ljbx1fq6iwlavrl4nzbchq954-go-1.10.2/bin/go help’ got 0 exit code
- found 1.10.2 with grep in /nix/store/w2wgdl5ljbx1fq6iwlavrl4nzbchq954-go-1.10.2
- directory tree listing: https://gist.github.com/249bfa4dc4d10281576f20de902e501a
Following legacy packaging conventions, `isArm` was defined just for
32-bit ARM instruction set. This is confusing to non-packagers though,
because Aarch64 is an ARM instruction set.
The official ARM overview for ARMv8[1] is surprisingly not confusing,
given the overall state of affairs for ARM naming conventions, and
offers us a solution. It divides the nomenclature into three levels:
```
ISA:                ARMv8   {-A, -R, -M}
                    /    \
Mode:        Aarch32     Aarch64
                |         /   \
Encoding:      A64      A32   T32
```
At the top is the overall v8 instruction set architecture. Second are the
two modes, defined by bitwidth but differing in other semantics too, and
bottom are the encodings, (hopefully?) isomorphic if they encode the
same mode.
The 32 bit encodings are mostly backwards compatible with previous
non-Thumb and Thumb encodings, and if so we can pun the mode names to
instead mean "sets of compatible or isomorphic encodings", and then
voilà we have nice names for 32-bit and 64-bit arm instruction sets
which do not use the word ARM so as to not confuse either laymen or
experienced ARM packagers.
[1]: https://developer.arm.com/products/architecture/a-profile
In a user namespace, sending credentials for an unmapped user returns
EINVAL instead of EPERM. So handle that case.
http://hydra.nixos.org/build/44839000
(cherry picked from commit 1dd0fb6b5a)
The darwin stdenv currently provides clang-3.7; however,
a) go-1.7 currently expects a compiler that supports "-fdebug-prefix-map"
arguments (which clang-3.8 supports but clang-3.7 does not) and
b) even with clang-3.8, go-1.7 misinterprets the result of its runtime probes
for support for the "-no-pie" flag, thereby failing to build runtime/cgo.
This patch resolves (a) by building go-1.7 with clang-3.8 and resolves (b) by
teaching go how to correctly probe "-no-pie" error messages from clang.
The go tests get tripped up due to error messages along the lines of:
```
ld: warning: /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation, ignoring unexpected dylib file
```
Which is due to us passing that along via $NIX_LDFLAGS in the `clang` wrapper.
To keep `go` from getting confused, I create a small `clang` wrapper that
filters out that warning.
Also, the strip.patch is no longer necessary, and only causes problems when
testing DWARF support:
```
--- FAIL: TestDwarfAranges (0.59s)
runtime-lldb_test.go:218: Missing aranges section
FAIL
FAIL runtime 17.123s
```
Also, I disable the misc/cgo/errors test, as I suspect it is also due to similar
problems regarding `ld`:
```
##### ../misc/cgo/errors
misc/cgo/errors/test.bash: BUG: expected error output to contain "err1.go:11:" but saw:
# command-line-arguments
cannot parse gcc output $WORK/command-line-arguments/_obj//_cgo_.o as ELF, Mach-O, PE object
2016/05/07 02:07:58 Failed: exit status 1
```
Closes #14208
One of the test scripts dynamically creates and executes a bash script,
which attempts to use `/usr/bin/env bash`. This patches the file to
use the stdenv's shell instead.
Otherwise, the only way this could have worked was by building go_1_6
outside of the sandbox.
The following parameters are now available:
* hardeningDisable
  To disable specific hardening flags
* hardeningEnable
  To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:
* fortify
* stackprotector
* pie (disabled by default)
* pic
* strictoverflow
* format
* relro
* bindnow
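One way to confirm that the flags listed above took effect in a built binary, as an added example that is not code from nixpkgs or from the commit: it looks for the ELF traces of each flag in `readelf -W -h -l -d --dyn-syms` output. `audit`, `missing` and `DEFAULT_ON` are hypothetical names, both readelf samples are constructed, and the default set assumes every flag except pie is on, as the list implies.

```python
import re

# Constructed sample: trimmed `readelf -W -h -l -d --dyn-syms` output.
HARDENED = """\
  Type:                              DYN (Position-Independent Executable file)
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002db0 0x0000000000003db0 0x0000000000003db0 0x000250 0x000250 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (4)
"""
# Constructed sample: a non-PIE EXEC header with none of the markers.
UNHARDENED = "  Type:                              EXEC (Executable file)\n"

# Assumption read off the list above: every flag except pie is on by default.
DEFAULT_ON = ("fortify", "stackprotector", "relro", "bindnow")


def audit(text):
    """Return {flag: evidence found} for the flags that leave ELF traces.

    pic, strictoverflow and format only affect code generation or compiler
    diagnostics, so nothing in readelf output can confirm them.
    """
    return {
        "relro": bool(re.search(r"^\s*GNU_RELRO\b", text, re.M)),
        "bindnow": "BIND_NOW" in text
                   or bool(re.search(r"\(FLAGS_1\).*\bNOW\b", text)),
        # DYN is also the type of shared objects; only meaningful for executables.
        "pie": bool(re.search(r"^\s*Type:\s+DYN\b", text, re.M)),
        # Both symbol checks can miss: a binary that never needs a canary or
        # never calls a fortifiable function imports neither symbol.
        "stackprotector": "__stack_chk_fail" in text,
        "fortify": bool(re.search(r"\b__\w+_chk\b", text)),
    }


def missing(text, expected=DEFAULT_ON):
    """Flags that were expected but left no evidence in the binary."""
    found = audit(text)
    return sorted(f for f in expected if not found[f])


if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(name, audit(sample), "missing:", missing(sample))
```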