checksec needs the readelf command to work properly, which is contained
in the binutils-unwrapped derivation but not in the normal binutils.
Before this commit, this tool wasn't working due to that.
We override the ESP mount point in the config file /etc/fwupd/uefi.conf
(available since version 1.0.6), as it is set to a path in the nix store
during build time.
Tests are disabled as it needs /etc/os-release, which is not available
when building with sandboxing enabled.
I *want* cross-specific overrides to be verbose, so I rather not have
this shorthand. This makes the syntactic overhead more proportional to
the maintainence cost. Hopefully this pushes people towards fewer
conditionals and more abstractions.
This was silently blocking the channels. Thanks amine* from IRC.
Maybe inheriting whole meta should be avoided and particular attributes
should be picked instead, as e.g. adding longDescription would have
unexpected consequences as well.
Upstream changelog:
- SECURITY UPDATE: In previous versions of libfuse it was possible to
for unprivileged users to specify the allow_other option even when
this was forbidden in /etc/fuse.conf. The vulnerability is present
only on systems where SELinux is active (including in permissive
mode).
- libfuse no longer segfaults when fuse_interrupted() is called outside
the event loop.
- The fusermount binary has been hardened in several ways to reduce
potential attack surface. Most importantly, mountpoints and mount
options must now match a hard-coded whitelist. It is expected that
this whitelist covers all regular use-cases.
- Fixed rename deadlock on FreeBSD.
Upstream changelog:
- SECURITY UPDATE: In previous versions of libfuse it was possible to
for unprivileged users to specify the allow_other option even when
this was forbidden in /etc/fuse.conf. The vulnerability is present
only on systems where SELinux is active (including in permissive
mode).
- The fusermount binary has been hardened in several ways to reduce
potential attack surface. Most importantly, mountpoints and mount
options must now match a hard-coded whitelist. It is expected that
this whitelist covers all regular use-cases.
- Added a test of seekdir to test_syscalls.
- Fixed readdir bug when non-zero offsets are given to filler and the
filesystem client, after reading a whole directory, re-reads it from a
non-zero offset e. g. by calling seekdir followed by readdir.
Since commit f620b1b693, the build directory is located inside the
source directory. Thus, the `cp -dpR` copies gigabytes worth of .o files
only to be deleted later on when we trim all non-essential files from
`$dev/lib/modules/${modDirVersion}/source/` thus causing a significant
amount of wasted I/O and peak disk usage.
As `cp` doesn't come with a `--exclude` flag, use rsync. And throw out
the Documentation folder while at it.
* substitute(): --subst-var was silently coercing to "" if the variable does not exist.
* libffi: simplify using `checkInputs`
* pythonPackges.hypothesis, pythonPackages.pytest: simpify dependency cycle fix
* utillinux: 2.32 -> 2.32.1
https://lkml.org/lkml/2018/7/16/532
* busybox: 1.29.0 -> 1.29.1
* bind: 9.12.1-P2 -> 9.12.2
https://ftp.isc.org/isc/bind9/9.12.2/RELEASE-NOTES-bind-9.12.2.html
* curl: 7.60.0 -> 7.61.0
* gvfs: make tests run, but disable
* ilmbase: disable tests on i686. Spooky!
* mdds: fix tests
* git: disable checks as tests are run in installcheck
* ruby: disable tests
* libcommuni: disable checks as tests are run in installcheck
* librdf: make tests run, but disable
* neon, neon_0_29: make tests run, but disable
* pciutils: 3.6.0 -> 3.6.1
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools. This update was made based on information from https://repology.org/metapackage/pciutils/versions.
* mesa: more include fixes
mostly from void-linux (thanks!)
* npth: 1.5 -> 1.6
minor bump
* boost167: Add lockfree next_prior patch
* stdenv: cleanup darwin bootstrapping
Also gets rid of the full python and some of it's dependencies in the
stdenv build closure.
* Revert "pciutils: use standardized equivalent for canonicalize_file_name"
This reverts commit f8db20fb3a.
Patching should no longer be needed with 3.6.1.
* binutils-wrapper: Try to avoid adding unnecessary -L flags
(cherry picked from commit f3758258b8895508475caf83e92bfb236a27ceb9)
Signed-off-by: Domen Kožar <domen@dev.si>
* libffi: don't check on darwin
libffi usages in stdenv broken darwin. We need to disable doCheck for that case.
* "rm $out/share/icons/hicolor/icon-theme.cache" -> hicolor-icon-theme setup-hook
* python.pkgs.pytest: setupHook to prevent creation of .pytest-cache folder, fixes#40273
When `py.test` was run with a folder as argument, it would not only
search for tests in that folder, but also create a .pytest-cache folder.
Not only is this state we don't want, but it was also causing
collisions.
* parity-ui: fix after merge
* python.pkgs.pytest-flake8: disable test, fix build
* Revert "meson: 0.46.1 -> 0.47.0"
With meson 0.47.0 (or 0.47.1, or git)
things are very wrong re:rpath handling
resulting in at best missing libs but
even corrupt binaries :(.
When we run patchelf it masks the problem
by removing obviously busted paths.
Which is probably why this wasn't noticed immediately.
Unfortunately the binary already
has a long series of paths scribbled
in a space intended for a much smaller string;
in my testing it was something like
lengths were 67 with 300+ written to it.
I think we've reported the relevant issues upstream,
but unfortunately it appears our patches
are what introduces the overwrite/corruption
(by no longer being correct in what they assume)
This doesn't look so bad to fix but it's
not something I can spend more time on
at the moment.
--
Interestingly the overwritten string data
(because it is scribbled past the bounds)
remains in the binary and is why we're suddenly
seeing unexpected references in various builds
-- notably this is is the reason we're
seeing the "extra-utils" breakage
that entirely crippled NixOS on master
(and probably on staging before?).
Fixes#43650.
This reverts commit 305ac4dade.
(cherry picked from commit 273d68eff8)
Signed-off-by: Domen Kožar <domen@dev.si>
Since years I'm not maintaining anything of the list below other
than some updates when I needed them for some reason. Other people
is doing that maintenance on my behalf so I better take me out but
for very few packages. Finally!
This makes the command ‘nix-env -qa -f. --arg config '{skipAliases =
true;}'’ work in Nixpkgs.
Misc...
- qtikz: use libsForQt5.callPackage
This ensures we get the right poppler.
- rewrites:
docbook5_xsl -> docbook_xsl_ns
docbook_xml_xslt -> docbook_xsl
diffpdf: fixup
Not every package that needs xcbuild will want to use its build phase.
I have moved the xcbuild setup hook to the new attribute xcbuildHook.
This means that dontUseXcbuild is no longer needed. If you just need
to call xcbuild on its own you can just refer to xcbuild.
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/libsmbios/versions.
Version release notes (from GitHub):
Compatibility changes to fix man page and includes in some installations
These checks were done:
- built on NixOS
- Warning: no invocation of /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-battery-ctl had a zero exit code or showed the expected version
- /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-get-ut-data passed the binary check.
- Warning: no invocation of /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-keyboard-ctl had a zero exit code or showed the expected version
- Warning: no invocation of /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-lcd-brightness had a zero exit code or showed the expected version
- Warning: no invocation of /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-passwd had a zero exit code or showed the expected version
- /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-state-byte-ctl passed the binary check.
- Warning: no invocation of /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-sys-info had a zero exit code or showed the expected version
- /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-sys-info-lite passed the binary check.
- Warning: no invocation of /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-thermal-ctl had a zero exit code or showed the expected version
- Warning: no invocation of /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-token-ctl had a zero exit code or showed the expected version
- /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-upflag-ctl passed the binary check.
- Warning: no invocation of /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-wakeup-ctl had a zero exit code or showed the expected version
- Warning: no invocation of /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2/bin/smbios-wireless-ctl had a zero exit code or showed the expected version
- 4 of 13 passed binary check by having a zero exit code.
- 4 of 13 passed binary check by having the new version present in output.
- found 2.4.2 with grep in /nix/store/38kz148d7anxsqcchlqmqjcb4mi34158-libsmbios-2.4.2
- directory tree listing: https://gist.github.com/117a562c97fde114f3fc3c00cd8747c4
- du listing: https://gist.github.com/1b95e63032cd1ceb958e443695bd5cd8
Fix a serious issue with the xen-netfront driver introduced in
upstream commit f599c64fdf7d ("xen-netfront: Fix race between device
setup and open") where the MTU of the device cannot be set
properly. This should be removed once it's included in upstream.
* thunderbolt: 0.9.2 -> 0.9.3
Fixed up `cmakeFlags` so `tbtacl`, `tbtacl-write`, `tbtxdomain`, and
the udev rules now show up in the derivation output. Previously there
was only `tbtadm`.
* Add a note about placeholder expressions
Instead of using a string to describe kernel config, use a nix
attribute set, then converted to a string.
- allows to override the config, aka convert 'yes' into 'modules' or
vice-versa
- while for now merging different configs is still crude (last spec wins),
at least there should be only one CONFIG_XYZ value compared to the current string
config where the first defined would be used and others ignored.
[initial idea by copumpkin in 2016, a major rebase to 2018 by teto]
* treewide: http -> https sources
This updates the source urls of all top-level packages from http to
https where possible.
* buildtorrent: fix url and tab -> spaces