Now it's not an actual archive but a linker script, and the absolute
paths in there were broken due to moving *.a into $static.
Let's fix this up in all *.a in case there are more in future.
3.4 branch detects support for getrandom() call during configure-time,
which gets picked up since glibc-2.25, and consequently it will fail
with older kernels during runtime.
First of all, these "documents" are not really documentation, so it
really doesn't make much sense to put it into $doc.
The main point however is that the installer tests are failing since
this was introduced in ac0cdc1952.
One way to circumvent this is putting dbus.doc into
system.extraDependencies of the installer tests, but given the first
point this sounds a bit odd to me.
So I went for the second way of putting it into $out, because it's now
basically necessary to build a NixOS system.
With this the NixOS installer tests should now work again, although I
have only tested this with the installer.simple test.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @abbradar
The problem with using libxslt as buildInputs is that the dev output is
used for building the dbus config.
This is one of the reasons why the installer tests are failing since
ac0cdc1952, because the tests do not have
libxslt.dev in their closure and really shouldn't.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @abbradar
This is the output of the builder:
    building path(s) `/nix/store/khkcfb8433i9mabb6wnb8ik6p9skg644-dbus-1'
    error : connection refused
    error : connection refused
However, even when using --nonet we'd still get this:
    I/O error : Attempt to load network entity http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd
So in order to avoid this, we now provide an XML catalog file, mapping
the public URLs to the local DTD paths inside the store instead of using
--path (which doesn't seem to work with xsltproc).
Tested this by comparing the SHA256 (nix-hash --type sha256) of the
output path generated by:
    nix-build -E '(import ./. {}).makeDBusConf {
      suidHelper = "SUIDHELPER";
      serviceDirectories = [ "SERVICEDIR1" "SERVICEDIR1" ];
    }'
... with the SHA256 of the generated output path prior to this commit
and they have the same hash:
6f3f9594b12fddbff9407b85252b6f649da11f56b7fd514f761966c11399a7ab
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @abbradar
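
The catalog mapping described in the commit message above, as an added example that is not part of the original commit or of the nixpkgs code: a Python sketch of a simplified subset of OASIS XML catalog resolution (`system`, `rewriteSystem`, `public` entries) that checks whether a document's DOCTYPE resolves to a local file instead of a network URL. The catalog contents, the placeholder store path and all function names are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

NS = "{urn:oasis:names:tc:entity:xmlns:xml:catalog}"

# Constructed catalog; the rewritePrefix is a placeholder, not a real store path.
CATALOG = """<?xml version="1.0"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <rewriteSystem systemIdStartString="http://www.freedesktop.org/standards/dbus/1.0/"
                 rewritePrefix="file:///PLACEHOLDER-STORE-PATH/dtd/"/>
</catalog>"""

# Constructed input referencing the DTD URL from the xsltproc error above.
BUSCONFIG = b"""<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig/>"""

def load_catalog(text):
    """Return (exact system map, prefix rewrites, public map) from a catalog."""
    root = ET.fromstring(text)
    system = {e.get("systemId"): e.get("uri") for e in root.iter(NS + "system")}
    rewrites = [(e.get("systemIdStartString"), e.get("rewritePrefix"))
                for e in root.iter(NS + "rewriteSystem")]
    public = {e.get("publicId"): e.get("uri") for e in root.iter(NS + "public")}
    return system, rewrites, public

def doctype_ids(xml_bytes):
    """Extract (publicId, systemId) from the DOCTYPE; expat fetches nothing."""
    found = {}
    parser = expat.ParserCreate()
    def on_doctype(name, sysid, pubid, has_internal_subset):
        found["public"], found["system"] = pubid, sysid
    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_bytes, True)
    return found.get("public"), found.get("system")

def resolve(catalog, public_id, system_id):
    """Map identifiers to a local URI, or None if the network would be needed."""
    system, rewrites, public = catalog
    if system_id in system:
        return system[system_id]
    # Among rewriteSystem entries, the longest matching prefix wins.
    matches = [(s, r) for s, r in rewrites if system_id and system_id.startswith(s)]
    if matches:
        start, prefix = max(matches, key=lambda m: len(m[0]))
        return prefix + system_id[len(start):]
    return public.get(public_id)
```

A `None` result from `resolve` marks a DTD reference that the catalog does not cover, which is the case that produces the "Attempt to load network entity" error in a sandboxed build.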
This should solve CVE-2016-5131 and some other bugs, but not what Suse
calls CVE-2016-9597: https://bugzilla.suse.com/show_bug.cgi?id=1017497
The bugzilla discussion seems to indicate that the CVE is referenced
incorrectly and only shows reproducing when using command-line flags
that are considered "unsafe".
CVE-2016-9318 also remains unfixed, as I consider their reasoning OK:
https://lwn.net/Alerts/714411/
/cc #22826.