[...]
make modules -C /nix/store/h1vzl6bq4wif3m8dd1bw2p3fv4shjg3n-linux-4.14.9-dev/lib/modules/4.14.9/build EXTRA_CFLAGS=-Werror-implicit-function-declaration M=/tmp/nix-build-spl-kernel-2017-11-16-4.14.9.drv-0/source/build
/nix/store/h1vzl6bq4wif3m8dd1bw2p3fv4shjg3n-linux-4.14.9-dev/lib/modules/4.14.9/source/Makefile:939: *** "Cannot generate ORC metadata for CONFIG_UNWINDER_ORC=y, please install libelf-dev, libelf-devel or elfutils-libelf-devel". Stop.
This patch introduces kernel.moduleBuildDependencies to avoid the logic "stdenv.lib.optional (stdenv.lib.versionAtLeast kernel.version "4.14") libelf" in multiple places.
[dezgeg did some minor tweaks on top]
Reverse the PartOf dependency between network-setup and network-addresses-*
This was joint work of: @nh2, @domenkozar, @fpletz, @aszlig and @basvandijk
at the NixCon 2017 hackathon.
CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
(cherry picked from commit ea50efcc67)
CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
(cherry picked from commit 629965a532)
"batch" is a shell script so invoking it via setuid wrapper never worked
anyway. (The kernel drops perms on executables with shebang.) A previous
nixpkgs commit made "batch" invoke the NixOS setuid "at" wrapper to gain
needed privileges.
Thanks to @yesbox for noticing.
(cherry picked from commit 497108b456)
The output of ./configure shows all modules/plugins, both enabled and
disabled. With this info we can finally build the _complete_ list of
modules. We were missing these:
mod_authn_gssapi
mod_authn_ldap
mod_geoip
(I hit this as I was building lighttpd with ldap support and the NixOS
module said ldap was unsupported, due to these missing entries in
allKnownModules.)
(cherry picked from commit d26f8b5e00)
* mod_dirlisting is auto-loaded by lighttpd and should not be explicitly
loaded in the configuration file.
* The rest comes from looking at "ls -1 $lighttpd/lib/*.so" when
lighttpd is built with "enableMagnet" and "enableMysql".
(cherry picked from commit b339e6e13f)
otherwise fcronsighup is not found.
Setting PATH to /run/current-system/sw/bin does not seem to be used by the service file anyway.
(cherry picked from commit e34e28e573)
It doesn't look good when the initial admin user is named
"<hash>-gitolite-admin" and the key stored as
"<hash>-gitolite-admin.pub". Instead, make it simply "gitolite-admin"
and "gitolite-admin.pub".
(cherry picked from commit 6b9ee30672)
TeXLive version is effectively identical anyway, and it caused an
unnecessary file name collision.
Fixes: #29671
(cherry picked from commit 8d001911db)
We cannot rely on wrapPythonPrograms to wrap the installed executables because
they are symlinks (which it ignores). Instead, we have to emulate it to make
the wrappers ourselves.
(cherry picked from commit 1e2ebee42a)
* hplip: introduce nettools dependency
Some HP printers (notably an HP MFP M477fnw) need to run `hostname` as part of
the printing process. This executable is provided by the "nettools" package.
* hplip: prepend nettools to PATH
(cherry picked from commit 0c54a292fb)
Need to refer directly to `darwin.binutils` as on Linux, `binutils`
doesn't take a `cctools` parameter. Persist `darwin.binutils` from the
previous stage too, so no hashes change.
https://lists.gnu.org/archive/html/emacs-devel/2017-09/msg00211.html
> This is an emergency release to fix a security vulnerability in Emacs.
>
> Enriched Text mode has its support for decoding 'x-display' disabled.
> This feature allows saving 'display' properties as part of text.
> Emacs 'display' properties support evaluation of arbitrary Lisp forms
> as part of instantiating the property, so decoding 'x-display' is
> vulnerable to executing arbitrary malicious Lisp code included in the
> text (e.g., sent as part of an email message).
(cherry picked from commit 78f457c76c)
Also fix numerous bugs, such as:
- Not getting confused on more flags taking file arguments.
- Ensuring children reexport their children, but the original
binary/library doesn't.
- Not spawning children when it turns out we just dynamically link
under the threshold but our total number of inputs exceeds it.
- Children were always named `libunnamed-*`, when that name was
supposed to be the last resort only.
In addition to the script, we also patch ld-wrapper to respect `.dylib`
and `.so` alike. In a future version of nixpkgs, this can be so enabled
by default. Newer nixpkgs will probably do this by default.
Fixes a number of CVEs:
- a DNS request hijacking vulnerability. (CVE-2017-0902)
- an ANSI escape sequence vulnerability. (CVE-2017-0899)
- a DoS vulnerability in the query command. (CVE-2017-0900)
- a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files. (CVE-2017-0901)
(cherry picked from commit 9f51b3c105)
While 17.03 does not have binutils-wrapper and thus doesn't need this to
work, I'll be continuing to improve this on all 3 platforms for the
immediate future. It's thus prudent to keep them somewhat in sync for
sake of future cherry-picking.
This post-dates the initial release of 17.03 and isn't used by anything
there at the moment, so I deem churn like this inconsequential and thus
acceptable.
(adapted from commit eb326c9cb7)
This is a security release theoretically under embargo, but leaked by
Mageia and Fedora.
We have permission to deliver this prior to public release.
(cherry picked from commit 993a83d395)
One of the goals of 74f5fe5 was to allow passing in a custom stdenv,
which would be used for genericBuilder's `mkDerivation` call. That does
work, but if a package takes `stdenv` as a parameter for any reason,
it will get the default one instead. This change remedies it.
(cherry picked from commit 19de1f537e)
The newer DEB packages have a setuid file, creating an error when
unpacking the source during the build phase.
As dpkg doesn't have a way to pass parameters to tar, dpkg is then
told to just extract the filesystem tar file and that is unpacked by
tar directly.
Fixes #28494
(cherry picked from commit fae458c5e7)
From the upstream changelog:
Version 0.9.34:
* quick fix to "Assertion mapInfo.count" failed, don't mess with these
addrman structures!
Version 0.9.33:
* fix serious connectivity problem: not trying to connect to >=0.9.30
peers with random ports.
Version 0.9.31:
* backport from upstream (arvidn/libtorrent@677e642):
fixed uTP vulnerability from
The fixes in 0.9.31 are a bit more serious and it actually contains two
fixes from what I've been able to dig through:
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5685
* https://www.us-cert.gov/ncas/alerts/TA14-017A
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
(cherry picked from commit c905b7895c)
(cherry picked from commit 6c3513b4c0)
They are three simple bugfixes; only bashInteractive uses readline-7;
(at least) one of the bugs manifests in 17.03.
The message buffer of the kernel lists
> Please run 'e2fsck -f /dev/disk/by-label/nixos' first.
as the output of the command `resize2fs "$device"`.
This fixes NixOS/nixpkgs#26910.
(cherry picked from commit 899e2b5748)
Signed-off-by: Domen Kožar <domen@dev.si>
The tiff debian tarball URL has disappeared (since debian updated their current
version), which renders this package unbuildable.
Change it to a debian snapshot URL, which should be around indefinitely.
(cherry picked from commit edf6176d8a)
The PAM service name used before this commit was "sambda", with an
extra 'd'. For some reason I don't quite fully understand this typo
prevents GDM from starting. This change fixes that as tested in VMs
built using "nixos-rebuild -I nixpkgs=<mypkgs> build-vm".
(cherry picked from commit f9204b9762)
Several git commands are implemented as shell scripts that run awk, sed, grep
and perl. There is some existing patching in the postinstall for perl to rewrite
it to an absolute reference to pkgs.perl, but several other packages are both
missing as a dependency and have no rewrite logic.
In particular git filter-branch depends on sed and grep.
Additionally, the perl logic also seds git-am, which is now a binary not a shell
script anymore (see <github.com/git/git/blob/master/builtin/am.c>), so this part
was obsolete.
I tested this by grepping all shell scripts for the relevant commands and then
comparing the diffs of the new version to what is produced in master. All
changes in the scripts seem good to me.
(cherry picked from commit 2c1097a83b)
- The haskell lib is very close to not relying on Nixpkgs. I think
this is good---simpler to think about and matches Nixpkgs's lib.
- The haskell lib is only imported once
- stdenv is exposed more shallowly so it can be overridden more easily.
I'll eventually use this on Darwin to avoid the Sierra shared
library problems (unless changes are to be made system-wide).
Closes https://github.com/NixOS/nixpkgs/pull/27840.
Alternative fix for #27534 that prevents the use of a double wrapper
(creating even uglier script names than usual, like
..diffoscope-wrapped-wrapped).
This was my bad in 96d7f35e96.
(cherry picked from commit 91dc811566)
(master commit 62e4e3301b)
I know this is a larger update, but 1.2.x is unmaintained; there are quite
a lot of bugs fixed and no significant incompatibility.
It would otherwise result in undefined references for some functions
in the base when using the gold linker:
error: undefined reference to 'sqrt'
Fixes https://github.com/bos/double-conversion/pull/17
Previously ghc option -optl=-lm was used for packages depending on
such functions, but that could result in
fatal error: cannot mix -r with dynamic object /nix/store/7crrmih8c52r8fbnqb933dxrsp44md93-glibc-2.25/lib/libm.so.6
in some situations like profiling builds.
Patch was prepared by Michael Bishop and Niklas Hambüchen.
Closes https://github.com/NixOS/nixpkgs/pull/27584.
(cherry picked from commit aafe3d29c1)
The patch is from Arch Linux at:
https://aur.archlinux.org/cgit/aur.git/tree/linux412.patch?h=broadcom-wl
Tested this by building against the following attributes:
* linuxPackages.broadcom_sta
* linuxPackages_latest.broadcom_sta
* pkgsI686Linux.linuxPackages.broadcom_sta
* pkgsI686Linux.linuxPackages_latest.broadcom_sta
I have not tested whether this works at runtime, because I do not possess
the hardware.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
(cherry picked from commit c71233f12c)
Fixes #27607.
The main changes are in libSystem, which lost the coretls component in 10.13
and some hardening changes that quietly crash any program that uses %n in
a non-constant format string, so we've needed to patch a lot of programs that
use gnulib.
(cherry picked from commit 0419452113)
Starting with linux 4.12 our patch no longer applied. In order to
avoid having to maintain patches for different linux kernels it is
easier to use a wrapper instead.
(cherry picked from commit 887570883e)
diffoscope was looking for the tools it uses during runtime, but the
tools were neither part of the closure nor were they in the
PATH. This commit fixes this.
(cherry picked from commit 23ad77b998)
Syntax errors prevented important parameters from being passed to
oauth2_proxy, which could have permitted unauthorised access to
services behind the proxy.
(cherry picked from commit 8777174d60)
The `DISPLAY` environment variable is propagated into chroots built with
`buildFHSUserEnv`, but currently the `XAUTHORITY` variable is not. When
the latter is set, its value is usually necessary in order to connect to
the X server identified by the former.
This matters for users running gdm3, for example, who have `XAUTHORITY`
set to something like `/run/user/1000/gdm/Xauthority` instead of the X
default of `~/.Xauthority`, which doesn't exist in that setup.
Fixes #21532.
(cherry picked from commit 09bae7cb70)
The helper tool had a very early check whether the automatically created
CA key/cert are available and thus it would abort if the key was
unavailable even though we don't need or even want to have the CA key.
Unfortunately our NixOS test didn't catch this, because it was just
switching from a configuration with an automatically created CA to a
manual configuration without deleting the generated keys and certs.
This is done now in the tests and it's also fixed in the helper tool.
Reported-by: @jpotier
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Tested-by: @jpotier
(cherry picked from commit b618843860)
Use xmlstarlet to update the OVMF path on each startup, like we do for
<emulator>...qemu-kvm</emulator>.
A libvirt domain using UEFI cannot start if the OVMF path is garbage
collected/missing.
(cherry picked from commit b8e109d6ac)
Instead of grep and sed, which is brittle.
(I don't know how to preserve the comment we currently add to say that
this line is auto-updated. But I don't think it adds much value, so I'm
not spending any effort on it.)
(cherry picked from commit 292827b0e0)
OVMF{,CODE,VARS}.fd are now available in a dedicated fd output, greatly
reducing the closure in the common case where only those files are used (a
few MBs versus several hundred MBs for the full OVMF).
Note: it's unclear why `dontPatchELF` is now necessary for the build to
pass (on my end, at any rate) but it doesn't make much sense to run this
fixup anyway.
Note: my reading of xen's INSTALL suggests that --with-system-ovmf should
point directly to the OVMF binary. As such, the previous invocation was
incorrect (it pointed to the root of the OVMF tree). In any case, I have
only built xen with `--with-system-ovmf`, I have not tested it.
Fixes https://github.com/NixOS/nixpkgs/issues/25854
Closes https://github.com/NixOS/nixpkgs/pull/25855
(cherry picked from commit 252dcd62f3)
[Bjørn: Conflicts in pkgs/applications/virtualization/xen/4.5.nix were
resolved by dropping the changes. In branch release-17.03
.../xen/4.5.nix doesn't use OVMF at all.]
* Create "full.pem" from selfsigned certificate
* Tell simp_le to create "full.pem"
* Inject service dependency between lighttpd and the generation of certificates
Side note: According to the internet, these servers also use the
"full.pem" format: pound, ejabberd, pure-ftpd.
(cherry picked from commit 7a0e958b97)
runit-init calls the runit executable as /sbin/runit, which
obviously fails for us.
This should improve support for using runit as an init replacement.
(cherry picked from commit 5a04a30653)
Various CPP improvements/fixes
Support forward declaration of enums (GNU extension)
Initial implementation of C11 _Generic
(cherry picked from commit cfc6e4471b)
This change adds the .desktop file so that pgAdmin shows up in the menu
system of desktop environments (ex. GNOME, XFCE, etc).
Closes #27067
(cherry picked from commit b6e15bde7a)
Fixes broken save dialogue (causes chrome to crash) and missing icons.
(cherry picked from commit 39fd944402)
release-17.03 now contains chrome & chromium version >= 59, in form of dev and
beta releases.
This reverts commit c9cf9ceac3.
Upstream commit b6f75b986a7f7b79953b94f9778de295a253c624 [1] adds a call to a non-existent function, breaking perf:
util/probe-event.c: In function 'post_process_module_probe_trace_events':
util/probe-event.c:669:9: error: implicit declaration of function 'post_process_probe_trace_point' [-Werror=implicit-function-declaration]
ret = post_process_probe_trace_point(&tevs[i].point,
^
util/probe-event.c:669:3: error: nested extern declaration of 'post_process_probe_trace_point' [-Werror=nested-externs]
ret = post_process_probe_trace_point(&tevs[i].point,
^
[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/tools/perf/util/probe-event.c?h=v4.9.36&id=b6f75b986a7f7b79953b94f9778de295a253c624
Compiling the kernel modules on Linux 4.12 fails, so I've included an
upstream patch from:
https://www.virtualbox.org/changeset/66927/vbox
The patch is applied against the guest additions as well, where we need
to transform the patch a bit so that we get CR LF line endings (DOS
format), which is the case for the guest additions ISO.
I've tested this with all the subtests of the "virtualbox" NixOS VM
tests and they all succeed on x86_64-linux.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
(cherry picked from commit 12ee0fbd88)
With newer Nix it's (fortunately) no longer possible to create a file
with setuid bits; even though the permissions are fixed later, the build
will already fail during installPhase.
I've verified whether the contents of the output path are the same as
before this change and the contents match.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
(cherry picked from commit 4007ee974c)
(cherry picked from commit d88c0cf867)
There were just a couple of conflicts, apparently someone has already
fixed rewritefs and cron on 17.03.
I re-checked that all those do build now (with a new-enough nix daemon).
Fixes#24343. These parts of upstream texlive are really ugly.
Also improve variable quoting in the code around.
(cherry picked from commit 8dddd2b672)
The change seems safe enough.
It's not critical functionality and AFAICT only fails in environments
that wouldn't benefit from "successfully" installing it anyway.
Fixes #24709. Fixes #24821.
(cherry picked from commit 4f4ae214a3a46ba83f790d23c0e9df0bf9f04215)
Done by setting PATH and PYTHONPATH appropriately.
Adds the following patches:
* One that removes hardcodes to /sbin, /usr/bin, etc.
from gluster, so that programs like `lvm` and `xfs_info` can be
called at runtime; see https://bugzilla.redhat.com/show_bug.cgi?id=1450546.
* One that fixes unsubstituted autoconf macros in paths (a problem
in the 3.10 release); see https://bugzilla.redhat.com/show_bug.cgi?id=1450588.
* One that removes uses of the `find_library()` Python function that does
not behave as expected in Python < 3.6 (and would not behave correctly
even on 3.6 in nixpkgs due to #25763);
see https://bugzilla.redhat.com/show_bug.cgi?id=1450593.
I think that all of these patches should be upstreamed.
Also adds tests to check that none of the Python based utilities
throw import errors, calling `--help` or equivalent on them.
This is because the source tarball available on
https://download.gluster.org/pub/gluster/glusterfs/3.10/3.10.1/glusterfs-3.10.1.tar.gz
has different contents than the v3.10.1 tag;
for example, it lacks the file `xlators/features/ganesha/src/Makefile.am`,
which the tag has.
This is because GlusterFS's release process removes some unused files.
This made it impossible to apply patches written by or for upstream, as those
are written against what's in upstream's git.
As a nice side effect, we no longer have to hardcode the "3.10" in the
`3.10/${version}` part of the URL.
XSA-216 Issue Description:
> The block interface response structure has some discontiguous fields.
> Certain backends populate the structure fields of an otherwise
> uninitialized instance of this structure on their stacks, leaking
> data through the (internal or trailing) padding field.
More: https://xenbits.xen.org/xsa/advisory-216.html
XSA-217 Issue Description:
> Domains controlling other domains are permitted to map pages owned by
> the domain being controlled. If the controlling domain unmaps such a
> page without flushing the TLB, and if soon after the domain being
> controlled transfers this page to another PV domain (via
> GNTTABOP_transfer or, indirectly, XENMEM_exchange), and that third
> domain uses the page as a page table, the controlling domain will have
> write access to a live page table until the applicable TLB entry is
> flushed or evicted. Note that the domain being controlled is
> necessarily HVM, while the controlling domain is PV.
More: https://xenbits.xen.org/xsa/advisory-217.html
XSA-218 Issue Description:
> We have discovered two bugs in the code unmapping grant references.
>
> * When a grant had been mapped twice by a backend domain, and then
> unmapped by two concurrent unmap calls, the frontend may be informed
> that the page had no further mappings when the first call completed rather
> than when the second call completed.
>
> * A race triggerable by an unprivileged guest could cause a grant
> maptrack entry for grants to be "freed" twice. The ultimate effect of
> this would be for maptrack entries for a single domain to be re-used.
More: https://xenbits.xen.org/xsa/advisory-218.html
XSA-219 Issue Description:
> When using shadow paging, writes to guest pagetables must be trapped and
> emulated, so the shadows can be suitably adjusted as well.
>
> When emulating the write, Xen maps the guests pagetable(s) to make the final
> adjustment and leave the guest's view of its state consistent.
>
> However, when mapping the frame, Xen drops the page reference before
> performing the write. This is a race window where the underlying frame can
> change ownership.
>
> One possible attack scenario is for the frame to change ownership and to be
> inserted into a PV guest's pagetables. At that point, the emulated write will
> be an unaudited modification to the PV pagetables whose value is under guest
> control.
More: https://xenbits.xen.org/xsa/advisory-219.html
XSA-220 Issue Description:
> Memory Protection Extensions (MPX) and Protection Key (PKU) are features in
> newer processors, whose state is intended to be per-thread and context
> switched along with all other XSAVE state.
>
> Xen's vCPU context switch code would save and restore the state only
> if the guest had set the relevant XSTATE enable bits. However,
> surprisingly, the use of these features is not dependent (PKU) or may
> not be dependent (MPX) on having the relevant XSTATE bits enabled.
>
> VMs which use MPX or PKU, and context switch the state manually rather
> than via XSAVE, will have the state leak between vCPUs (possibly,
> between vCPUs in different guests). This in turn corrupts state in
> the destination vCPU, and hence may lead to weakened protections
>
> Experimentally, MPX appears not to make any interaction with BND*
> state if BNDCFGS.EN is set but XCR0.BND{CSR,REGS} are clear. However,
> the SDM is not clear in this case; therefore MPX is included in this
> advisory as a precaution.
More: https://xenbits.xen.org/xsa/advisory-220.html
XSA-221 Issue Description:
> When polling event channels, in general arbitrary port numbers can be
> specified. Specifically, there is no requirement that a polled event
> channel port has ever been created. When the code was generalised
> from an earlier implementation, introducing some intermediate
> pointers, a check should have been made that these intermediate
> pointers are non-NULL. However, that check was omitted.
More: https://xenbits.xen.org/xsa/advisory-221.html
XSA-222 Issue Description:
> Certain actions require removing pages from a guest's P2M
> (Physical-to-Machine) mapping. When large pages are in use to map
> guest pages in the 2nd-stage page tables, such a removal operation may
> incur a memory allocation (to replace a large mapping with individual
> smaller ones). If this allocation fails, these errors are ignored by
> the callers, which would then continue and (for example) free the
> referenced page for reuse. This leaves the guest with a mapping to a
> page it shouldn't have access to.
>
> The allocation involved comes from a separate pool of memory created
> when the domain is created; under normal operating conditions it never
> fails, but a malicious guest may be able to engineer situations where
> this pool is exhausted.
More: https://xenbits.xen.org/xsa/advisory-222.html
XSA-224 Issue Description:
> We have discovered a number of bugs in the code mapping and unmapping
> grant references.
>
> * If a grant is mapped with both the GNTMAP_device_map and
> GNTMAP_host_map flags, but unmapped only with host_map, the device_map
> portion remains but the page reference counts are lowered as though it
> had been removed. This bug can be leveraged to cause a page's reference
> counts and type counts to fall to zero while retaining writeable
> mappings to the page.
>
> * Under some specific conditions, if a grant is mapped with both the
> GNTMAP_device_map and GNTMAP_host_map flags, the operation may not
> grab sufficient type counts. When the grant is then unmapped, the
> type count will be erroneously reduced. This bug can be leveraged to
> cause a page's reference counts and type counts to fall to zero while
> retaining writeable mappings to the page.
>
> * When a grant reference is given to an MMIO region (as opposed to a
> normal guest page), if the grant is mapped with only the
> GNTMAP_device_map flag set, a mapping is created at host_addr anyway.
> This does *not* cause reference counts to change, but there will be no
> record of this mapping, so it will not be considered when reporting
> whether the grant is still in use.
More: https://xenbits.xen.org/xsa/advisory-224.html
(cherry picked and adapted from commit 80e0cda7ff)
Adds /dev/disk/by-{id,label}/* symlinks for bcache device nodes, in the
final rootfs.
Symlinks will only be created for bcache devices that contain
filesystems. So if you have a blank bcache device or run LVM on top of
bcache you will not get this kind of symlink.
(cherry picked from commit 5b48368386)
Or else `services.udev.packages = [ bcache-tools ]` cannot be used.
To not break bcache in the initrd I'm modifying this in stage-1.nix:
- --replace /bin/sh ${extraUtils}/bin/sh
+ --replace ${bash}/bin/sh ${extraUtils}/bin/sh
Reasoning behind that change:
* If not modifying the /bin/sh pattern in any way, it will also match
${bash}/bin/sh, creating a broken path like
/nix/store/HASH-bash/nix/store/HASH-bash/bin/sh in the udev rule file.
* The addition of /bin/sh was done in 775f381a9e
("stage-1: add bcache support"). It seems somewhat plausible that
no new users have appeared since then and we can take this opportunity
to back out of this change without much fear of regressions.
If there _are_ regressions, they should be in the form of build time
errors, not runtime (boot), due to how the udev rule output is checked
for invalid path references. So low risk, IMHO.
* An alternative approach could be to copy the /bin/sh substitute rule
over to the non-initrd udev rules implementation in NixOS, but I think
this way is better:
- The rules file comes with a working path out of the box.
- We can use more precise pattern matching when modifying the udev
rules for the initrd.
(cherry picked from commit 581226cfb4)
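The substitution pitfall the message above describes, as an added example that is not part of nixpkgs: the two store paths (fake hashes), the extra-utils name and the udev rule line are constructed here to mimic a bcache rule after the bcache-tools build has already rewritten /bin/sh to ${bash}/bin/sh. A sed over the bare `/bin/sh` pattern also hits the `/bin/sh` suffix inside that bash path and yields a nested, non-existent store path; matching the full `${bash}/bin/sh` does not. The last function imitates the build-time check the message relies on, which rejects any rule text referencing a store path other than extra-utils.

```shell
#!/usr/bin/env sh
# Added example, not nixpkgs code. Store paths are constructed (fake hashes);
# the rule line mimics a bcache udev rule whose /bin/sh was already replaced
# by ${bash}/bin/sh during the bcache-tools build.
BASH=/nix/store/00000000000000000000000000000000-bash-4.4
EXTRA=/nix/store/11111111111111111111111111111111-extra-utils

RULE=$(printf 'RUN+="%s/bin/sh -c \047echo $DEVNAME > /sys/fs/bcache/register\047"' "$BASH")

# naive_sub: the effect of `--replace /bin/sh ${extraUtils}/bin/sh`.
# "/bin/sh" is a substring of "$BASH/bin/sh", so the output contains
# "$BASH$EXTRA/bin/sh": one store path glued onto another.
naive_sub() {
  printf '%s\n' "$1" | sed "s|/bin/sh|$EXTRA/bin/sh|g"
}

# precise_sub: the effect of `--replace ${bash}/bin/sh ${extraUtils}/bin/sh`.
# Anchoring on the complete bash store path leaves no other match.
precise_sub() {
  printf '%s\n' "$1" | sed "s|$BASH/bin/sh|$EXTRA/bin/sh|g"
}

# check_refs: succeed only if every /nix/store/... reference in the rule
# text is exactly the extra-utils path. This is what turns a bad
# substitution into a build failure instead of a boot failure.
check_refs() {
  bad=$(printf '%s\n' "$1" | grep -o '/nix/store/[^/"'"'"' ]*' | grep -vxF "$EXTRA") || true
  [ -z "$bad" ]
}

# Usage: run with sh; the first line is the broken rule, the second the good one.
naive_sub "$RULE"
precise_sub "$RULE"
```

Running the file prints the nested path first and the clean extra-utils path second; check_refs fails on the former because the leftover bash store path is still referenced, and passes on the latter.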
So that
$ nix-build -A bcache-tools.src
gives
/nix/store/HASH-bcache-tools-1.0.7.tar.gz
instead of
/nix/store/HASH-v1.0.7.tar.gz
(cherry picked from commit f12b0a2179)
Change kernel config to allow for changing the functions of the audio
jacks at run-time as well as at boot time.
(cherry picked from commit d74f8351a5)
The motivation is to be able to get rid of common configuration
when initial packages differ, since common configuration assumes
a very specific version set.
cc @jmitchell @peti
(cherry picked from commit bb9e23837a)
Signed-off-by: Domen Kožar <domen@dev.si>
Including also a patch for bug https://bugs.kde.org/show_bug.cgi?id=379433
which is a quite annoying regression from 5.0.4. The patch is the same as
the change committed upstream.
(cherry picked from commit 8f4619bb3d)
Due to the recent inclusion of broadcom-bt-firmware in enableAllFirmware,
it was required to set `nixpkgs.config.allowUnfree` to obtain the full
list. To make this dependency more explicit an assertion is added and an
alternative option `enableRedistributalFirmware` is provided to only
obtain firmware with a license allowing redistribution.
(cherry picked from commit 05aa80c06a)
The license was misinterpreted; it is now only conditionally included in
the all-firmware list, if `allowUnfree` is set.
fixes #25567
(cherry picked from commit 192f8e7699)
... via picking the state in nixpkgs master. Fixes#26490.
I saw no reason to omit any of the changes we've done in master.
I'm testing it, though just briefly ATM. It still uses gtk2 by default.
This is intended to provide better consistency with other NixOS modules.
Please refer to mayflower/nixpkgs#21 for further information.
(cherry picked from commit a549596700)
Right now the `programs.zsh.syntax-highlighting.highlighters` option
lacks appropriate validation which can cause confusing things when
mistyping a highlighter for zsh-syntax-highlighting.
(cherry picked from commit baa3b3efff)
* programs.zsh: factor zsh-syntax-highlighting out into its own module
* programs.zsh.syntax-highlighting: add `highlighters` option
* programs.zsh: document BC break introduced by moving zsh-syntax-completion into its own module
(cherry picked from commit 0a12aafde4)
* programs.zsh: add enableOhMyZsh option to automate setup of oh-my-zsh in global zshrc
* programs.zsh: make oh-my-zsh plugins configurable
* programs.zsh: add ohMyZshCustom option
* programs.zsh: add ohMyZshTheme option
* programs.zsh: applying minor fixes to evaluate expressions properly
* programs.zsh: fix ordering of oh-my-zsh config and execution
* programs.zsh: move all oh-my-zsh params into its own scope named programs.zsh.oh-my-zsh
(cherry picked from commit 9ec64d2890)
XSA-206 Issue Description:
> xenstored supports transactions, such that if writes which would
> invalidate assumptions of a transaction occur, the entire transaction
> fails. Typical response on a failed transaction is to simply retry
> the transaction until it succeeds.
>
> Unprivileged domains may issue writes to xenstore which conflict with
> transactions either of the toolstack or of backends such as the driver
> domain. Depending on the exact timing, repeated writes may cause
> transactions made by these entities to fail indefinitely.
More: https://xenbits.xen.org/xsa/advisory-206.html
XSA-211 Issue Description:
> When a graphics update command gets passed to the VGA emulator, there
> are 3 possible modes that can be used to update the display:
>
> * blank - Clears the display
> * text - Treats the display as showing text
> * graph - Treats the display as showing graphics
>
> After the display geometry gets changed (i.e., after the CIRRUS VGA
> emulation has resized the display), the VGA emulator will resize the
> console during the next update command. However, when a blank mode is
> also selected during an update, this resize doesn't happen. The resize
> will be properly handled during the next time a non-blank mode is
> selected during an update.
>
> However, other console components - such as the VNC emulation - will
> operate as though this resize had happened. When the display is
> resized to be larger than before, this can result in a heap overflow
> as console components will expect the display buffer to be larger than
> it is currently allocated.
More: https://xenbits.xen.org/xsa/advisory-211.html
XSA-212 Issue Description:
> The XSA-29 fix introduced an insufficient check on XENMEM_exchange
> input, allowing the caller to drive hypervisor memory accesses outside
> of the guest provided input/output arrays.
More: https://xenbits.xen.org/xsa/advisory-212.html
XSA-213 Issue Description:
> 64-bit PV guests typically use separate (root) page tables for their
> kernel and user modes. Hypercalls are accessible to guest kernel
> context only, which certain hypercall handlers make assumptions on.
> The IRET hypercall (replacing the identically named CPU instruction)
> is used by guest kernels to transfer control from kernel mode to user
> mode. If such an IRET hypercall is placed in the middle of a multicall
> batch, subsequent operations invoked by the same multicall batch may
> wrongly assume the guest to still be in kernel mode. If one or more of
> these subsequent operations involve operations on page tables, they may
> be using the wrong root page table, confusing internal accounting. As
> a result the guest may gain writable access to some of its page tables.
More: https://xenbits.xen.org/xsa/advisory-213.html
XSA-214 Issue Description:
> The GNTTABOP_transfer operation allows one guest to transfer a page to
> another guest. The internal processing of this, however, does not
> include zapping the previous type of the page being transferred. This
> makes it possible for a PV guest to transfer a page previously used as
> part of a segment descriptor table to another guest while retaining the
> "contains segment descriptors" property.
>
> If the destination guest is a PV one of different bitness, it may gain
> access to segment descriptors it is not normally allowed to have, like
> 64-bit code segments in a 32-bit PV guest.
>
> If the destination guest is a HVM one, that guest may freely alter the
> page contents and then hand the page back to the same or another PV
> guest.
>
> In either case, if the destination PV guest then inserts that page into
> one of its own descriptor tables, the page still having the designated
> type results in validation of its contents being skipped.
More: https://xenbits.xen.org/xsa/advisory-214.html
XSA-215 Issue Description:
> Under certain special conditions Xen reports an exception resulting
> from returning to guest mode not via ordinary exception entry points,
> but via a so-called failsafe callback. This callback, unlike exception
> handlers, takes 4 extra arguments on the stack (the saved data
> selectors DS, ES, FS, and GS). Prior to placing exception or failsafe
> callback frames on the guest kernel stack, Xen checks the linear
> address range to not overlap with hypervisor space. The range spanned
> by that check was mistakenly not covering these extra 4 slots.
More: https://xenbits.xen.org/xsa/advisory-215.html
(cherry picked from commit dd3dcceb23)
Somehow, the build seems to have changed with chromium 58, to not auto
download the node binary. It is needed to generate webui files and we
can substitute our own.
(cherry picked from commit 1fe7bd9ed6)
This particular revision brings significant performance improvements
when building code that uses TemplateHaskell.
(cherry picked from commit d0c68a1658)
The application requires the main_menubar.glade alongside the
Startup.pdf. Just making sure all required assets are present 😉.
Currently `apvlv` fails with the `(apvlv:16999): Gtk-ERROR **: failed to add UI: Failed to open file '${store-path}-apvlv-0.1.5/share/doc/apvlv/main_menubar.glade': No such file or directory
zsh: trace trap apvlv` error.
(cherry picked from commit 5029b39b44)
This change updates the instructions for building a NixOS ISO so that it's clear how to do it.
Previously, the instructions stated to set NIXOS_CONFIG prior to running `nix-build`, yet the example provided bypassed NIXOS_CONFIG anyway. But the *really* important missing piece is the need for nixos/default.nix. See #21840.
This change removes the NIXOS_CONFIG verbiage, and adds steps to clone nixpkgs and (most importantly) cd'ing into nixpkgs/nixos. That way, the reader may think: *Oh, so I need a default.nix and a configuration.nix. Ahhh, OK.*
I purposely added the redundant default.nix argument.
(cherry picked from commit 4bee34dcc5)
This change is effectively a no-op to nixpkgs. However, it gives users
the flexibility to create and maintain their own package sets per
project, while benefiting from nix's Haskell configurations.
I would make immediate use of this change in stack2nix, a project that
generates nix expressions for all the dependencies of a given Haskell
project. @domenkozar is familiar with the motivations and helped
refine this change
(cherry picked from commit ed6ecacf64)
Reason: enable faster builds for current users of the stack2nix
project.
This reverts commit b1f8bd12d3.
Fixes #26080.
In this bugfix release, upstream has changed the Qt dependency requirement from
Qt 5.6 to Qt 5.7; such an update is not acceptable for an LTS release, so
updates to the Plasma desktop environment in NixOS are discontinued.
This is a slightly less ambitious version of the (now reverted) commit
377cef8d16, which had a bunch of issues
that I don't have time to resolve right now.
(cherry picked from commit 59b795c590)
We're using the names 'make-travis-yml' and 'make-travis-yml-2' now, which
feels more in-line'ish with the Cabal file hvr is distributing.
(cherry picked from commit 769e14a422)
Fixes this:
.vino-server-wr[8931]: Using the 'memory' GSettings backend. \
Your settings will not be saved or shared with other applications.
Still, the screen sharing settings under "gnome-control-center sharing"
does not seem to be persisted (except the enabling/disabling sharing
flag itself). Making changes and then re-opening gnome-control-center
shows the default screen sharing settings. Sigh.
(cherry picked from commit 0eff1d9f2a)
Without this change there will be silent errors when enabling screen
sharing. The GUI thinks it enables the service when it in fact does not
(errors are seen in the system journal).
vino is already in the closure of gnome-control-center, so this is
basically free.
Configuration of screen sharing is done in GNOME control center.
(cherry picked from commit f9633c7791)
This reverts commit 76296ce3a5. That patch is
intended for R 3.4.0 only. Not sure this commit ever appeared here in this
branch. It looks like *I* committed it??? Must have been confused.
Closes https://github.com/NixOS/nixpkgs/issues/25572.
Add the binaries from gitlab-workhorse to the path of the
gitlab-workhorse service, as gitlab-zip-metadata is needed
by the service
(cherry picked from commit 8aa756b64a)
Ensure that bin/scmp_sys_resolver doesn't have $TMPDIR in its RPATH.
I can't reproduce the issue reported in
98edb24368 that required the addition of
a wrapper script. It seems to work fine without.
(cherry picked from commit d46e78ed0f)
`libseccomp` is updated to 2.3.2
`scmp_sys_resolver` is fixed (it could not find libseccomp.so.2 shared library before)
(cherry picked from commit 98edb24368)
Use a solid black background when no background image (via
~/.background-image) is provided. In my case this fixes the really
strange behaviour when i3 without a desktop manager starts with the SDDM
login screen as background image.
(cherry picked from commit 852813689a)
The xsession script was called with inconsistent (depending on the
display managers) and wrong parameters. The main reason for this were
the spaces in the parameter syntax. In order to fix this the old syntax:
$1 = '<desktop-manager> + <window-manager>'
Will be replaced with a new syntax:
$1 = "<desktop-manager>+<window-manager>"
This assumes that neither "<desktop-manager>" nor "<window-manager>"
contain the "+" character but this shouldn't be a problem.
This patch also fixes the quoting by using double quotes (") instead of
single quotes (') [0].
Last but not least this'll add some comments for the better
understanding of the script.
[0]: https://specifications.freedesktop.org/desktop-entry-spec/latest/ar01s06.html
(cherry picked from commit 1273f414a7)
Add $out/opt/vivaldi/lib to RPATH so that libffmpeg.so distributed
with Vivaldi can be found. Otherwise launching Vivaldi fails.
(cherry picked from commit 9747994a7b)
The Sierra linker added a limit on the number of paths that any one
dynamic library (`*.dylib`) can reference. This causes problems when
a Haskell library has many immediate dependencies (#22810).
We follow a similar fix as GHC/Cabal/Stack: for each derivation,
create a new directory with symlinks to all the dylibs of its immediate
dependencies, and patch its package DB to reference that directory
using the new `dynamic-library-dirs` field.
Note that this change is a no-op for older versions of GHC, i.e., they will
continue to fail on some packages as before.
Also note that this change causes the bootstrapped versions of GHC to be
recompiled, since they depend on `hscolour` which is built by
`generic-builder.nix`.
Tested by building the `stack` binary as described in #22810.
(cherry picked from commit 7131e06214)
to /etc/dd-agent/conf.d by default, and make sure
/etc/dd-agent/conf.d is used.
Before NixOS 17.03, we were using dd-agent 5.5.X which
used configuration from /etc/dd-agent/conf.d
In NixOS 17.03 the default conf.d location is first used relative,
meaning that $out/agent/conf.d was used without NixOS overrides.
This change implements similar functionality as PR #25288, without
breaking backwards compatibility.
The configure script calls nix-instantiate, which fails if /nix/var
doesn't exist (e.g. in a sandbox). This caused a bogus Nix::Config
module to be generated, causing issues in Hydra.
(cherry picked from commit 20d846bcdd)
The command "R CMD Sweave" always exits with error code "1", even if the
command was successful. This upstream patch remedies this issue.
(cherry picked from commit 5e5d16f425)
According to the release page, version 31 of efivar is still considered
as a pre-release and the sha256sum has changed at least once. This commit
switches to the last, stable release.
(cherry picked from commit cc4e2505e4)
Upstream has decided to make -testing patches private, effectively ceasing
free support for grsecurity/PaX [1]. Consequently, we can no longer
responsibly support grsecurity on NixOS.
This patch turns the kernel and patch expressions into build errors and
adds a warning to the manual, but retains most of the infrastructure, in
an effort to make the transition smoother. For 17.09 all of it should
probably be pruned.
[1]: https://grsecurity.net/passing_the_baton.php
(cherry picked from commit 32b8512e54)
This reverts commit 9f86136cef.
Rust is nowadays required for building Firefox, so the channel updates
are blocked on this.
(It also builds fine for me.)
(cherry picked from commit c90998d5cf)
This reverts commit b72d4e13c7.
(cherry picked from commit 5a3e454db3)
The hash was actually fine, but Hydra re-used the bad derivation from
master. Nondeterministic fixed-output derivations are hell.
This unbreaks the build since the latest nixUnstable update
(3dd66ec6e9).
It's basically the same fix as in hydra git repo:
a0376a92e5
(cherry picked from commit 9c830c8456)
This reverts commit c2b56626f1.
It broke creating the manual. I suspect the descriptions are
auto-wrapped by <para> and </para>.
We've been through this already in 3af715af90.
/cc #24978, @zraexy, @Mic92.
(cherry picked from commit 91ad6b3597)
This patch fixes file modification times to $SOURCE_DATE_EPOCH, and
ensures that files originating from the store are owned by root:root.
Both changes improve reproducibility, and the latter allows proper
building on a host where the store is owned by a non-root user.
(cherry picked from commit 5ca1646bb0)
This change fixes two major issues:
1. If you don't use SIGQUIT to stop Plex it will corrupt its own
database :(
2. Newer versions of Plex keep metadata in the
`com.plexapp.plugins.library.db` database. This is the file that
we copy into `/var/lib/plex/.skeleton`. If we copy the empty
database on top of this one the user will lose their entire
library metadata. This change skips the copy if the file
already exists.
(cherry picked from commit 5a50b26662)
See https://github.com/NixOS/nixpkgs/pull/24900#issuecomment-294513707
The page at logcheck dot org contains questionable links and it is unclear
whether it is controlled by the logcheck project at all. Fix by using the
homepage debian points to instead.
Fixes https://github.com/NixOS/nixpkgs/issues/24952
(cherry picked from commit c2130eca44)
Dropbox is again updated without a release announcement. I noticed on Friday
that the client was malfunctioning. I was waiting for a release announcement
with the new version number, but as one was not forthcoming, I simply guessed at it.
(cherry picked from commit 4f5391e8c4)
Additionally:
- some minor cleanups
- define meta.platforms so hydra doesn't try to evaluate at all on i686 instead
of waiting for "assert" to fail.
As spotify is distributing a i686 version, there really is no reason not to
support that. Someone just has to add support for it.
(cherry picked from commit 58db2099b4)
This allows gitweb to expand '~' in /etc/gitconfig. Without a $HOME
variable, it fails to list any projects and instead show the text
"No such projects found" in the UI.
Setting $HOME to the gitweb project root seems like a sensible value.
(cherry picked from commit d916ce2ef4)
Fixes issue #21136.
The problem is that the seccomp system call filter configured by ntpd did not
include some system calls that were apparently needed. For example the
program hung in getpid just after the filter was installed:
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument)
seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=41, filter=0x5620d7f0bd90}) = 0
getpid() = ?
I do not know exactly why this is a problem on NixOS only, perhaps we have getpid
caching disabled.
The fcntl and setsockopt system calls also had to be added.
(cherry picked from commit 35e0eea053)
It is needed to override "explicit" as this is a C++ keyword. But it
is used as variable name in xkb.h. This is causing a failure in C++
compile time. Similar bug here:
https://bugs.freedesktop.org/show_bug.cgi?id=74080
Workaround from
ec62109e0f.
(cherry picked from commit e2ad762394)
CVE-2017-5055: Use after free in printing. Credit to Wadih Matar
CVE-2017-5054: Heap buffer overflow in V8. Credit to Nicolas Trippar of Zimperium zLabs
CVE-2017-5052: Bad cast in Blink. Credit to JeongHoon Shin
CVE-2017-5056: Use after free in Blink. Credit to anonymous
CVE-2017-5053: Out of bounds memory access in V8. Credit to Team Sniper (Keen Lab and PC Mgr) reported through ZDI (ZDI-CAN-4587)
(cherry picked from commit 552efadbef)
Because if you don't, the configure script assumes that your getcwd()
function is broken. Which then makes bash use its own getcwd()
implementation, which doesn't work if the path to the current directory
contains bind mounts in its paths. This shows up as:
shell-init: error retrieving current directory: getcwd: cannot access parent directories: Bad file descriptor
... and fails the aarch64 glibc build with sandboxes enabled.
Sigh.
(cherry picked from commit dff0ba38a2)
Restarting them is useless since the filesystem is already
checked. Worse, restarting them causes the filesystem to be unmounted.
Also remove an override for systemd-rkill@.service which no longer
exists.
(cherry picked from commit de51ad6cd1)
Fixes #24731.
(cherry picked from commit e3559c23c2)
This is useful on servers like mine, which often prefer to stay on stable
releases. Since there's no impact if you're not using the new option, this
should be safe to pull in.
Also add udev to dependencies and don't strip unneeded ones.
Fixes #22513.
(cherry picked from commit 8c56608078)
It's a version bump but currently Unity doesn't work at all.
Because this is pulled from emacswiki, there's no way to continue to
retrieve the prior version after it's updated; since we've had a
couple of reports of it rendering _other_ packages
uninstallable (#24540), it seems worth updating.
tzinfo 0.3.xx does not contain the file
lib/tzinfo/zoneinfo_data_source.rb
it is only included in the 1.x branch.
closes #24080, closes #24682
(cherry picked from commit d84029f296)
User themes may use SVG icons which won't work if the app can't access this
library. This is quite sure to happen (e.g. Adwaita's icons are vector).
(cherry picked from commit f68de22683)
This allows for a less blanket approach than nuke-refs, targeting specific
references that we know we don't want rather than all references that we don't
know we want.
(cherry picked from commit 603b799bcb)
[tuomas: rename the patch from 9p-hacks to something slightly more
meaningful]
Signed-off-by: Tuomas Tynkkynen <tuomas@tuxera.com>
(cherry picked from commit ed41d50e9f)
Allows using a different haskell package set to generate the nix
expressions (during eval time) than the one used to actually build the
package (at build time).
(cherry picked from commit 1feca4cae3)
This functionality was initially introduced in
3644f9124a to fix
https://github.com/NixOS/nixos/pull/52, but was broken in the update from 0.9.5
to 0.10.3. The original patch does not cleanly apply due to reformatting and
parameter changes upstream, but the adaptations of the patch to the new version
are not too severe.
(cherry picked from commit 3948891112)
Commit 75f131da02 added
`chown 'nginx:nginx' '/var/lib/acme'` to the pre-start script,
but since it doesn't use `chown -R`, it is possible that there
are older existing subdirs (like `acme-challenge`)
that are owned to `root` from before that commit went in.
Fix the failure of running applications like GWorkspace, which depends
on 'back'. It fails with a message similar to the one below:
Error (objc-load):/nix/store/fpxksxkl26qd5a7ay52mzv5qbj8di6b5-gnustep-back-0.25.0/lib/GNUstep/Bundles/libgnustep-back-025.bundle/./libgnustep-back-025: undefined symbol: XmuLookupStandardColormap
(cherry picked from commit 8765d1edda)
AFAICT, this issue only occurs when sshd is socket-activated. It turns
out that the preStart script's stdout and stderr are connected to the
socket, not just the main command's. So explicitly connect stderr to
the journal and redirect stdout to stderr.
(cherry picked from commit 80b40fdf03)
This reverts commit 1a74eedd07. It
breaks NixOps, which expects that
rm -f /etc/ssh/ssh_host_ed25519_key*
systemctl restart sshd
cat /etc/ssh/ssh_host_ed25519_key.pub
works.
(cherry picked from commit 4e79b0b075)
This option was initially added to make it easier to use an
up-to-date list, but now that we always use an up-to-date list
from upstream, there's no point to the option.
From now on, you can either use a resolver listed by dnscrypt
upstream or a custom resolver.
(cherry picked from commit 472002f216)
Removes tcpOnly and ephemeralKeys: reifying them as nixos
options adds little beyond improved discoverability. Until
17.09 we'll automatically translate these options into extraArgs
for convenience.
Unless reifying an option is necessary for conditional
computation or greatly simplifies configuration/reduces risk of
misconfiguration, it should go into extraArgs instead.
(cherry picked from commit 719813caf6)
Newer versions of DNSCrypt proxy *can* cache lookups (via
plugin); make the wording more neutral wrt. why one might want
to run the proxy in a forwarding setup.
(cherry picked from commit 5279ec111f)
Couple of things:
- fix the path to notify-send
- add a standard icon to the notification
- rename the notification from "gcalcli" to "Calendar"
Lastly, there are no tests, so do not try to run them.
(cherry picked from commit f67ec45de6)
When a user or group is revived, this allows it to be allocated the
UID/GID it had before.
A consequence is that UIDs and GIDs are no longer reused.
Fixes #24010.
(cherry picked from commit a57bcd38b4)
- the function loading the udev library was moved to another file
- the test runner did not work correctly, causing it to fail on Python
3.
- the test runner now works correctly, but there's a bunch of tests
failing and therefore tests are disabled. The package does seem to
function (as in, it can load the library again).
(cherry picked from commit 078412521e)
meek still broken, but then, sending all your traffic to Amazon seems like
something you'd do only if everything else fails.
(cherry picked from commit 6911ae7c0c)
This patch restructures the expression and wrapper to minimize Nix store
references captured by the user's state directory.
The previous version would write lots of references to the Nix store into
the user's state directory, resulting in synchronization issues between
the Store and the local state directory. At best, this would cause TBB to
stop working when the version used to instantiate the local state was
garbage collected; at worst, a user would continue to use the old version
even after an upgrade.
To solve the issue, hard-code as much as possible at the Store side and
minimize the amount of stuff being copied into the local state dir.
Currently, only a few files generated at firefox startup and fontconfig
cache files end up capturing store paths; these files are simply removed
upon every startup. Otherwise, no capture should occur and the user
should always be using the TBB associated with the tor-browser wrapper
script.
To check for stale Store paths, do
`grep -Ero '/nix/store/[^/]+' ~/.local/share/tor-browser`
This command should *never* return any other store path than the one
associated with the current tor-browser wrapper script, even after an
update (assuming you've run tor-browser at least once after updating).
Deviations from this general rule are considered bugs from now on.
Note that no attempt has been made to support pluggable transports; they
are still broken with this patch (to be fixed in a follow-up patch).
User visible changes:
- Wrapper retains only environment variables required for TBB to work
- pulseaudioSupport can be toggled independently of mediaSupport (the
latter weakly implies the former).
- Store local state under $TBB_HOME. Defaults to $XDG_DATA_HOME/tor-browser
- Stop obnoxious first-run stuff (NoScript redirect, in particular)
- Set desktop item GenericName to Web Browser
Some minor enhancements:
- Disable Hydra builds
- Specify system -> source mapping to make it easier to
extend supported platforms.
(cherry picked from commit ecd0e1a2c7)
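The stale-store-path check described in the tor-browser commit message above (`grep -Ero '/nix/store/[^/]+' ~/.local/share/tor-browser`), as an added Python example that is not part of nixpkgs or of the commit. It walks a state directory, collects every `/nix/store/<hash>-<name>` reference found in any file, and reports those that differ from the store path of the current wrapper. The directory layout, file names and store hashes in `build_sample_state_dir` are constructed for the example; the only assumption is that a Nix store path looks like `/nix/store/` followed by a 32-character nix-base32 hash, a dash and a name.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# A Nix store path is /nix/store/<32-char nix-base32 hash>-<name>. The name is
# cut at '/', whitespace, NUL or quotes, so that a binary file (e.g. a
# fontconfig cache) yields the top-level store path rather than one huge match.
STORE_PATH_RE = re.compile(rb"/nix/store/[0-9a-df-np-sv-z]{32}-[^/\s\x00\"']+")


def find_store_references(state_dir: Path) -> Dict[str, List[str]]:
    """Map every store path referenced under state_dir to the files containing it."""
    found: Dict[str, List[str]] = {}
    for root, _dirs, files in os.walk(state_dir):
        for name in sorted(files):
            path = Path(root) / name
            if path.is_symlink():
                continue  # symlinks into the store are handled by the wrapper, not state
            for match in STORE_PATH_RE.finditer(path.read_bytes()):
                ref = match.group(0).decode("ascii", "replace")
                found.setdefault(ref, []).append(str(path.relative_to(state_dir)))
    return found


def find_stale_references(state_dir: Path, current_store_path: str) -> Dict[str, List[str]]:
    """Every referenced store path that is not the current wrapper's own path.

    Per the commit message, a non-empty result after an update (and at least
    one run of the new wrapper) is a bug: the state directory would pin the
    user to an old, possibly garbage-collected, Tor Browser version.
    """
    return {
        ref: files
        for ref, files in find_store_references(state_dir).items()
        if ref != current_store_path
    }


# Constructed sample values (not real store paths): 'b' and 'c' are valid
# nix-base32 characters, which is all the regex above cares about.
CURRENT = "/nix/store/" + "b" * 32 + "-tor-browser-7.0.1"
STALE = "/nix/store/" + "c" * 32 + "-tor-browser-6.5.2"


def build_sample_state_dir() -> Path:
    """Create a throwaway state directory with one current and one stale reference."""
    root = Path(tempfile.mkdtemp(prefix="tbb-state-"))
    profile = root / "Data" / "Browser" / "profile.default"
    profile.mkdir(parents=True)
    (root / "Data" / "fontconfig").mkdir(parents=True)
    # A prefs file with no store paths at all.
    (profile / "prefs.js").write_text(
        'user_pref("app.update.lastUpdateTime", 0);\n'
    )
    # A file referencing the *current* wrapper's store path (expected, fine).
    (profile / "compatibility.ini").write_text(
        f"LastPlatformDir={CURRENT}/lib/tor-browser\n"
    )
    # A binary cache capturing an *old* store path (the bug the commit hunts).
    (root / "Data" / "fontconfig" / "cache.bin").write_bytes(
        b"\x00\x01" + STALE.encode() + b"/share/fonts\x00\xff"
    )
    return root


def demo() -> Dict[str, List[str]]:
    """Run the check on the constructed directory; returns only the stale reference."""
    return find_stale_references(build_sample_state_dir(), CURRENT)


if __name__ == "__main__":
    for ref, files in demo().items():
        print(f"stale store path {ref} referenced by: {', '.join(files)}")
```

On a real system the call would be `find_stale_references(Path.home() / ".local/share/tor-browser", <store path of the current tor-browser wrapper>)`; an empty result is the expected state the commit message describes.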
Otherwise, the service unit just fails for no discernible
reason. Verification failure is bad so it ought to be easily
discoverable.
(cherry picked from commit f122f0147b)
It's sad, but he's been inactive for the last five years.
Keeping such people in meta.maintainers is counter-productive.
(cherry picked from commit 96d41e393d)
There were just a few trivial conflicts.
This has surfaced since f803270b7e.
The commit bumped bash to version 4.4, which caused to change the order
of --subst-var flags in substituteAll, which this test was relying on,
because it added a @shell@ to boot.initrd.postMountCommands.
Our substituter is currently working a bit like this:
original.replace('@var1@', 'val1').replace('@var2@', 'val2')...
Unfortunately, this means that if @var2@ occurs within @var1@ it is
replaced by the new value, so the order of the substvars actually
matter. I highly doubt that we want a behaviour like this and I'm
wondering why it didn't occur to me as a problem while writing the
initial implementation of the VirtualBox tests.
Whether to get rid of this and disallowing substitution of substvars
within substvars is another topic which I think needs discussion in a
different place.
As for now, I'm using stdenv.shell, because the closure size of this
should fit within the initrd, so it's fine especially because it's just
a test.
Tested with the net-hostonlyif and systemd-detect-virt tests and they
both succeed with this change.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Reported-by: @globin on IRC
(cherry picked from commit ee39d4b98a)
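The substitution-order hazard described in the commit message above (chained `.replace('@var1@', ...).replace('@var2@', ...)` calls, where a value substituted early is rescanned by later replacements), as an added Python example that is not nixpkgs code and not the real `substituteAll` implementation. It contrasts the chained form with a single-pass substitution that never rescans substituted text, and checks whether a given template and variable set are order-sensitive at all. The template and the `shell` / `postMountCommands` values are constructed to mirror the `@shell@`-in-`boot.initrd.postMountCommands` case from the message.

```python
import itertools
import re
from typing import Dict

# Placeholder syntax used by the example: @name@, where name is an identifier.
PLACEHOLDER_RE = re.compile(r"@([A-Za-z_][A-Za-z0-9_]*)@")


def sequential_substitute(text: str, subst: Dict[str, str]) -> str:
    """Chained replace calls in dict order: each later replacement rescans the
    whole text, including values inserted by earlier replacements."""
    for name, value in subst.items():
        text = text.replace(f"@{name}@", value)
    return text


def single_pass_substitute(text: str, subst: Dict[str, str]) -> str:
    """One left-to-right pass over the original text: inserted values are never
    rescanned, so the result cannot depend on the order of the variables.
    Unknown placeholders are left untouched."""
    return PLACEHOLDER_RE.sub(
        lambda m: subst.get(m.group(1), m.group(0)), text
    )


def is_order_sensitive(text: str, subst: Dict[str, str]) -> bool:
    """True if chained replacement gives different results for different
    variable orders (only practical for a handful of variables)."""
    results = {
        sequential_substitute(text, dict(order))
        for order in itertools.permutations(subst.items())
    }
    return len(results) > 1


# Constructed example: an initrd script template where one substvar value
# itself contains another placeholder, as in the VirtualBox test described above.
TEMPLATE = "#!@shell@\n@postMountCommands@\n"
SHELL = "/nix/store/example-bash-4.4/bin/bash"  # constructed, not a real store path
VARS_SHELL_FIRST = {"shell": SHELL, "postMountCommands": "echo @shell@ > /run/log"}
VARS_COMMANDS_FIRST = {"postMountCommands": "echo @shell@ > /run/log", "shell": SHELL}


def demo() -> Dict[str, str]:
    """Show all four outcomes; only the chained form differs between orders."""
    return {
        "chained_shell_first": sequential_substitute(TEMPLATE, VARS_SHELL_FIRST),
        "chained_commands_first": sequential_substitute(TEMPLATE, VARS_COMMANDS_FIRST),
        "single_pass_shell_first": single_pass_substitute(TEMPLATE, VARS_SHELL_FIRST),
        "single_pass_commands_first": single_pass_substitute(TEMPLATE, VARS_COMMANDS_FIRST),
    }


if __name__ == "__main__":
    for label, out in demo().items():
        print(f"--- {label} ---\n{out}")
    print("order sensitive:", is_order_sensitive(TEMPLATE, VARS_SHELL_FIRST))
```

Whether the substvar-in-substvar behaviour is wanted is, as the message says, a separate discussion; the single-pass variant is simply the form in which the question of ordering cannot arise.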
Having fixed the Google Compute Engine image build process's copying
of store paths in PR #24264, I ran `nixos-rebuild --upgrade switch`...
and the GCE image broke again, because it sets the NixOS configuration
option for the sysctl variable `kernel.yama.ptrace_scope` to
`mkDefault "1"`, i.e., with override priority 1000, and now the
`sysctl` module sets the same option to `mkDefault "0"` (this was
changed in commit 86721a5f78).
This patch raises the override priority of the Google Compute Engine
image configuration's definition of the Yama sysctl option to 500
(still lower than the priority of an unmodified option definition).
I have tested that this patch allows the Google Compute Engine image
to again build successfully for me.
(cherry picked from commit a4ac5506f5)
And adapt the tests to add an interface and remove it again.
It should work when deactivating rstp, it will not work when activating
rstp for the first bridge as then the userspace daemon is not yet
available. But once one bridge is active with stp, it should work with
the reload for any further bridge.
Fixes #21745. Also see #22547.
(cherry picked from commit 68729958e8)
The community support window for Qt 5.5 has ended. All packages should
- update to Qt 5.8, or
- pin to Qt 5.6 (the 3-year long-term support release), or
- for proprietary software, use the vendored libraries.
The community support window for Qt 5.7 has ended. All packages should
- update to Qt 5.8, or
- pin to Qt 5.6 (the 3-year long-term support release), or
- for proprietary software, use the vendored libraries.
This is needed now that PYTHONPATH is not propagated. Also several packages
with additional dependencies are now properly wrapped.
(cherry picked from commit 66b05cd4e6)
Set MOZ_APP_LAUNCHER for firefox as per [1] (see [2] for detailed discussion).
Firefox will recognise itself across versions, skipping the 'not-the-default-browser' prompt.
Firefox will also write sane paths to the generated desktop file, should someone ever set it as default through the 'not-the-default-browser' prompt.
Also removed the unnecessary libtrick cruft.
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=611953
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=593948
(cherry picked from commit 816beccf50)
Linux behavior should be largely unchanged but we now build minikube
ourselves. Unfortunately localkube is still tricky to build so I pull in
a binary version from upstream.
(cherry picked from commit fe339d281b)
This reverts commit 6542ea7f31.
I included this commit from master by accident. The stable release should use
the Qt 5.6 long-term support release by default because Qt 5.7 is already out of
its support window.
When I reduced the closure size, I broke the built-in theme. When I reverted
that fix, the built-in theme worked but the Plasma theme was broken. Now the
wrapper is fixed so that both themes work.
In `nixos/modules/virtualisation/google-compute-image.nix`, copy store
paths with `rsync -a` rather than `cp -prd`, because `rsync` seems
better able to handle the hard-links that may be present in the store,
whereas `cp` may fail to copy them.
I have tested that the Google Compute Engine image builds successfully
for me with this patch, whereas it did not without this patch.
This is the same fix applied for Azure images in commit
097ef6e435.
Fixes #23973.
(cherry picked from commit e0e520a519)
It's effectively required for GTK3 applications because various parts of the library use GIO to store settings.
Also propagate GTK for clarity (it should be there anyway).
(cherry picked from commit 670744e1fa)
See https://github.com/spesmilo/electrum/blob/master/RELEASE-NOTES
Also
- patch .desktop file to include full path to electrum
- add dep on pysocks
- remove dep on pyasn; per the changelog, it has not been used since v2.1
- replace dep on slowaes with pyaes
(cherry picked from commit d575efc5f0)
This reverts commit 8c410f4b18 with a fix
to make the tests run correctly. bochs-drm must not be blacklisted for
that.
(cherry picked from commit 785e45ac06)
Having curl fall back to openssl's CA means that we need not patch curl
to respect NIX_SSL_CERT_FILE. It will work in all the cases.
This reverts commit fb4c43dd8a "curl: Use CA bundle in nix default profile by default"
If we want to reintroduce that feature, this needs to go inside openssl
(cherry picked from commit 8ecb94bb97)
Improve patching of curl to use NIX_SSL_CERT_FILE as default CA
Remove patches from git, as git uses curl and passes its environment
variables to curl.
(cherry picked from commit 525a663174)
We did this for 2.2 (cc61d31902) but
lost this for 2.4. This reduces the Apache closure size from 312 MiB
to 102 MiB (primarily by getting rid of -dev outputs).
(cherry picked from commit 4e5461127d)
- Description from upstream
- A more informative homepage
- Per upstream, pax-utils should work for unix-likes beyond linux
(cherry picked from commit 41e2ffa1d7)
(cherry picked from commit eccc1fa9bb)
This is to sync expression code with master/staging;
the derivations evaluate the same, at least on x86_64-linux.
The inability to run strace or gdb is the kind of
developer-unfriendliness that we're used to from OS X, let's not do it
on NixOS.
This restriction can be re-enabled by setting
boot.kernel.sysctl."kernel.yama.ptrace_scope" = 1;
It might be nice to have a NixOS module for enabling hardened defaults.
Xref #14392.
Thanks @abbradar.
(cherry picked from commit 86721a5f78)
This reverts commit
c37e76b4d2. Unfortunately, using
"machinectl shell" has two bad side effects:
* It sends the command's stderr to stdout.
* It doesn't propagate the command's exit status.
This broke NixOps.
PR #18825.
(cherry picked from commit cb49c14324)
If both are set, nginx won't start. More error checking is certainly in
order, but this seems like a reasonable start.
(cherry picked from commit e7358b192a)
* Update python.md
this makes it clear how to alter `attributes` by using `packageOverrides`
* Update python.md
* Update python.md
* Update python.md
* Update python.md
* Update python.md
* Update python.md
(cherry picked from commit 91debcb482)
drbd was installing files into $out/nix/store/... due to the usage of DESTDIR
(setting both DESTDIR + prefix to $out will cause files to be installed into $out/$out/...)
(cherry picked from commit 8c0074dd9f)
Also updates the documentation of the NixOS option `services.nginx.package`
that upstream recommends using the mainline version instead.
Fixes #21665.
(cherry picked from commit c13922f012)
kimpanel does not show installed IBus engines or allow switching input
methods. kimpanel does show configured keyboard layouts through kxkb, so I
believe there is some problem communicating with IBus. No error messages are
produced in the log and I have been unable to discover the cause. I have no
intention of continuing to work on kimpanel at this time, so it should be
disabled. The GTK+ 3-based panel provided by IBus is perfectly serviceable in
the interim.
(cherry picked from commit d709cdd829)
This `tsocks` wrapper leaks DNS requests to clearnet, meanwhile Tor comes with
`torsocks` which doesn't.
Previous commits to this file state that all of this is still useful somehow.
Assuming that it's true, at least let's not confuse users with two different tools
and don't clash with the `tsocks` binary from nixpkgs by disabling this by default.
(cherry picked from commit a04782581a)
It'd be better to do the update as an unprivileged user; for
now, we do our best to minimize the surface available. We
filter mount syscalls to prevent the process from undoing the fs
isolation.
(cherry picked from commit 5f27abec23)
Resolve download.dnscrypt.org using hostip with a bootstrap
resolver (hard-coded to Google Public DNS for now), to ensure
that we can get an up-to-date resolver list without working name
service lookups. This makes us more robust to the upstream
resolver list getting out of date and other DNS configuration
problems.
We use the curl --resolver switch to allow https cert validation
(we'd need to do --insecure if using just the ip addr). Note
that we don't rely on https for security but it's nice to have
it ...
(cherry picked from commit e72aaa73ea)
Use mkMerge to make the code a little more ergonomic and easier
to follow (to my eyes, anyway ...). Also take the opportunity
to do some minor cleanups & tweaks, but no functional changes.
(cherry picked from commit adf044e1fb)
The wrapper for Atom was loading libraries via LD_PRELOAD, for example
libxkbfile. Now, if you installed atom via nix-env and happened to use a newer
nixpkgs for that than what your system environment is built against, you could
end up with an error like this:
```
uname: relocation error:
/nix/store/68sa3m89shpfaqq1b9xp5p1360vqhwx6-glibc-2.25/lib/libdl.so.2:
symbol _dl_catch_error, version GLIBC_PRIVATE not defined in file libc.so.6
with link time reference
```
This happens because atom calls the `uname` executable from the system to
determine the platform. Because that inherits the `LD_PRELOAD` environment
variable, the libxkbfile library that the `atom` wrapper was built against
is loaded into `uname`. But since `atom` comes from `nix-env`, the `libxkbfile`
it was built with might be compiled against a newer version of `glibc` than
`uname`, which comes from the system, was! Having two versions of glibc loaded
into the same process results in chaos.
To fix this, we avoid setting `LD_PRELOAD` and instead use patchelf to set the
correct RPATH. RPATH is not inherited by child processes, so the above issue
can no longer occur.
The only small complication here is that the library that actually loads
libxkbfile is not the atom binary itself, but a node extension that atom uses.
So instead of setting the RPATH on `atom` only, we also set the `rpath` on all
node extensions (`*.node`) in the output.
(cherry picked from commit a4d6e2cf16)
They contain no useful information and increase the length of the
autogenerated options documentation.
See discussion in #18816.
(cherry picked from commit 9536169074)
Run Firefox inside an XTerm, it doesn't crash mysteriously this way.
Also try opening developer tools and checking that Firefox doesn't
crash in the process.
(cherry picked from commit 14a3412048)
This fixes a somewhat critical (security?) bug.
We are trying to get it merged upstream but have had no response from
the ordinary maintainer in over a week.
(See <https://github.com/keenerd/jshon/issues/53>.)
fixes #23727
(cherry picked from commit 5d6ea2d64e)
This setting should ensure that email notifications are sent
*only* when the commit caused the build to start failing. That
is, no more "the build is still failing" spam.
As an alternative we could consider disabling email
notifications outright and possibly enable IRC notifications
instead.
(cherry picked from commit 541b3ec1bc)
* sublime3: replace hardcoded /bin/bash with /usr/bin/env
exec.py in Default.package-sublime calls /bin/bash with subprocess.
See Issue #12011. Because of this builds could not be started from
within Sublime Text.
* sublime3: use wrapped version of bash to fix internal build system
Without the wrapped version of bash (a symlink to $bash/bin/bash)
with LD_PRELOAD to glibc a relocation error occurs when trying
to run builds from within Sublime Text 3. See Issue #12011.
(cherry picked from commit 1893ed54dc)
qtquickcontrols2, qtwebchannel, qtwebengine, qtwebkit.
Added in the same order as the modules are listed in default.nix (and
then reformatted the block).
(cherry picked from commit db937b9d60)
qtquickcontrols2, qtwebkit.
Added in the same order as the modules are listed in default.nix (and
then reformatted the block).
(The qt55 expression already has all modules in *full.)
(cherry picked from commit 961c73a78c)
* Moved the wordpress sources derivation to the attribute pkgs.wordpress. This
makes it easier to override.
* Also introduce the `package` option for the wordpress virtual host config which
defaults to pkgs.wordpress.
* Also fixed the test in nixos/tests/wordpress.nix.
(cherry picked from commit 308c09d41f)
Having `glib` in the build inputs will allow its build hook to
trigger. Also adds `gsettings_desktop_schemas` as a dependency since
Eclipse appears to need the schemas under certain circumstances.
(cherry picked from commit 5228bc9f2e)
Added extra config options to allow reading passwords from file rather
than the world-readable nix store.
The full config.json file is created at service startup.
Relevant to #18881
(cherry picked from commit f488b1811b)
The package stopped building for some unknown reason (npm could no
longer fetch a module).
This is one of the build failures listed in #23253.
http://hydra.nixos.org/build/49551309
http://hydra.nixos.org/build/49548753
Easiest fix is to upgrade to latest stable version and regenerate
packages with node2nix.
The databank-memcached dependency needed to be dropped due to
dependency failures.
(cherry picked from commit 252e58a95e)
JS devs found a new way to be annoying - adjust code accordingly.
Have also put this change in PR svanderburg/node2nix#40
(cherry picked from commit 453529bd60)
Modify the `ripgrep` package to install the tool's manual page.
I have tested this commit per nixpkgs manual section 11.1 ("Making
patches").
(cherry picked from commit a856dd50b5e9d7f4de1acd158c4ae548f6de86be)
by hiding under llvm-general. There seems no use in a separately named
attribute. The derivations are unchanged.
(cherry picked from commit 69448187a4)
Both patches are conflicting. Keeping the vulnerability unpatched in qemu
binaries used for nixos test is tolerable.
(cherry picked from commit 3a4e2376e4)
New upstream patch function and patches for fixing a bug in the patch for
CVE-2017-5667 and the following security issues:
* CVE-2016-7907
* CVE-2016-9602
* CVE-2016-10155
* CVE-2017-2620
* CVE-2017-2630
* CVE-2017-5525
* CVE-2017-5526
* CVE-2017-5579
* CVE-2017-5856
* CVE-2017-5857
* CVE-2017-5987
* CVE-2017-6058
(cherry picked from commit c512180f9c)
Firefox requires the latest sqlite to build:
```
checking for sqlite3 >= 3.17.0... Requested 'sqlite3 >= 3.17.0' but version of SQLite is 3.16.2
configure: error: Library requirements (sqlite3 >= 3.17.0) not met; consider adjusting the PKG_CONFIG_PATH environment variable if your libraries are in a nonstandard prefix so pkg-config can find them.
```
(cherry picked from commit d4bb1c786f)
Firefox requires new version of the icu to build:
```
checking for icu-i18n >= 58.1... Requested 'icu-i18n >= 58.1' but version of icu-i18n is 57.1
configure: error: Library requirements (icu-i18n >= 58.1) not met; consider adjusting the PKG_CONFIG_PATH environment variable if your libraries are in a nonstandard prefix so pkg-config can find them.
```
(cherry picked from commit 28598c01e7)
After the change of the bonding options, the examples were not quite correct.
The diff is over-the-top because the new `let` needs everything indented.
Also add a small docstring to the `networkd` attr in the networking test.
(cherry picked from commit 22c265182f)
This causes unintended schema upgrades, and is no longer needed now
that we have nixos/modules/installer/tools/nix-fallback-paths.nix.
(cherry picked from commit d72a34311a)
The package included outdated intltool makefiles, resulting in installation of
local files to `$out/'@DATADIRNAME'`. Running `intltoolize -f` forces
regeneration of the Makefile and fixes the issue.
(cherry picked from commit f9b08c9dbb)
Make requires variables with more than one letter to be surrounded by parentheses,
like `$(out)`. Just writing `$out` will be interpreted as `$o` followed by `ut`, so
the package installed its documentation to `ut/share/doc`.
/cc maintainers @jgeerds @nckx
(cherry picked from commit 3449107d68)
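The Make quirk described in the commit above, shown with a small expander written for this page (it is not nixpkgs code and not the package's Makefile): it implements make's reference forms `$$`, `$(name)`, `${name}` and single-character `$c`, and adds a lint helper that flags multi-letter names written without parentheses. The `out` value it uses is a constructed sample, and the name syntax accepted inside `$(...)` is simplified to word characters.

```python
"""Expand GNU Make-style variable references the way make itself does.

Added example for this page (not nixpkgs code): it reproduces make's rule
that a bare `$out` is read as the one-letter variable `$o` followed by the
literal text `ut`, while `$(out)` and `${out}` name the whole variable.
Names inside `$(...)` / `${...}` are simplified to word characters here.
"""
import re

# Reference forms, tried in this order:
#   $$        -> a literal dollar sign
#   $(name)   -> the variable 'name'
#   ${name}   -> the variable 'name'
#   $c        -> the single-character variable 'c' (whatever follows '$')
_REF = re.compile(r"\$(?:(\$)|\((\w+)\)|\{(\w+)\}|(.))")


def expand(text: str, variables: dict) -> str:
    """Expand every variable reference in `text` using `variables`.

    Unset variables expand to the empty string, exactly as in make, which
    is how `$out/share/doc` silently becomes `ut/share/doc`.
    """
    def substitute(match):
        if match.group(1):                          # '$$'
            return "$"
        name = match.group(2) or match.group(3) or match.group(4)
        return variables.get(name, "")
    return _REF.sub(substitute, text)


# A '$' followed by two or more name characters that is not an escaped '$$'.
_SUSPICIOUS = re.compile(r"(?<!\$)\$(\w{2,})")


def unparenthesised_names(text: str) -> list:
    """Names written as `$name` with more than one letter: almost always a
    mistake, since make will only consume the first letter."""
    return _SUSPICIOUS.findall(text)


if __name__ == "__main__":
    env = {"out": "/nix/store/abc-pkg-1.0"}   # constructed sample value
    for rule in ("install -d $out/share/doc", "install -d $(out)/share/doc"):
        print(f"{rule!r:40} -> {expand(rule, env)!r}")
    print("suspicious:", unparenthesised_names("$out $(out) $$out ${out}"))
```

`unparenthesised_names` is the check worth running over a Makefile patch before building: a non-empty result means some install path will be truncated the way the commit describes.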
The build system tries to update the mtime of the icons directory if
`DESTDIR` is unset. That code has a bug though that does not deal well
with absolute `CMAKE_SHARE_PREFIX`, resulting in a double prefix bug.
Setting `DESTDIR=/` (should be a no-op) fixes this.
(cherry picked from commit 128901e09f)
Due to setting `DESTDIR` *and* `exec_prefix` (defaulted to `$prefix`), binaries
ended up in `$out/$out/bin` instead of just $out/bin. Not setting `DESTDIR` and adapting
the `LIBDIR` patch a little fixes this issue.
(cherry picked from commit dd23d08b90)
Fixes a "double prefix" issue, where parts of the include files
for hhvm where located in `$out/$out/include` instead of `$out/include`.
(cherry picked from commit 029c3f917e)
This patch was actively causing harm, because it led to a "double prefix"
issue where the etc files were installed into $out/$out/etc instead of just
$out/etc.
(cherry picked from commit c0bfcdf3a6)
disk image for qemu VM with bootloader:
* remove redundant command
* improve readability
* improve execution speed
* make output more reproducible
(cherry picked from commit b9a7aacef7)
Fix code syntax highlighting by specifying language in every code block
and adding some context to Nix code blocks to make them valid
expressions. Use the same markup style for all code blocks. Reformat
some code blocks.
fixes #23535
(cherry picked from commit 34afc31c49)
We only care about /nix/store because its contents might be out of
sync with /nix/var/nix/db. Syncing other filesystems might cause
unnecessary delays or hangs (e.g. I encountered a case where an NFS
mount was taking a very long time to sync).
(cherry picked from commit 136f77b7b9)
Fixed the Makefile for the doc: there are no .map files to install in
this release since dot outputs images in PNG and SVG
fixes #23456
(cherry picked from commit f39e718cab)
Switched from callPackage to import so that dependencies are passed
instead of being grabbed from pkgs.
[Bjørn: wrap overlong line.]
(cherry picked from commit 7582da5d8b)
Add aliases like "eclipse-cpp = eclipse-cpp-46" so that user
configurations can point to "eclipse-cpp" and have it not regularly
break as nixpkgs is updated.
(cherry picked from commit 81de55118d)
Prevent the download of jsoncpp to happen at build time.
Don’t treat warnings as errors, since there is a warning about the major() macros in GNU libc.
I've accidentally removed it from build inputs.
Notice that GNOME 3 icons weren't removed accidentally -- it works without
them for me on XFCE.
(cherry picked from commit fe265f129e)
It's a release candidate but it works with new WebKitGTK and we don't build the old
one anymore because of vulnerabilities.
(cherry picked from commit 4a6ba21bdd)
Looks abandoned by upstream (last commit 2014, no response on
issue tracker). For an application of this nature it seems
prudent to simply mark the package as broken instead of
attempting to fix the build.
Prospective users can check out ricochet or tor messenger.
(cherry picked from commit db2f87a998)
Looks like the latest version no longer requires the patch, and the patch instead resulted in
/etc files being installed to `$out/$out/etc` instead of `$out/etc`
(cherry picked from commit 253d736398)
Saves about 5.2 MiB.
To use geoip, add something like
```
GeoIPFile ${tor.geoip}/share/tor/geoip
GeoIPv6File ${tor.geoip}/share/tor/geoip6
```
to torrc
(cherry picked from commit c44a41c73f)
Removed patches that are purely for testing.
Removed dependencies that seemed to not be needed.
Expand all instances of #!/bin/bash, not just those at the start of scripts.
(cherry picked from commit 1f709ad136)
The build fails with boost-1.62.
More specifically, the test of the boost-serialization integration fails
due to the protected destructor in the class template `MemoryBlock`.
(cherry picked from commit 5a68d5484e)
The upstream release is from 2004. The website of this software talks
about configuring XFree86. I *highly* doubt this software is of any use
nowadays.
(cherry picked from commit 256e764226)
The 0.2.9 series is now a long-term support release, which will
receive backported security fixes until at least 2020.
tor should now build against libressl, as in
```nix
tor.override { openssl = libressl; }
```
Also re-enable the test-suite; works fine on my end.
(cherry picked from commit 05054e34c0)
Looks like enable-shared defaults to false, so we actually
ended up with no usable object files in the lib output.
This also appears to have broken open-iscsi, as evinced by
/nix/store/[...]-binutils-2.27/bin/ld: cannot find -lisns
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:57: iscsid] Error 1
https://hydra.nixos.org/build/49437400/log/raw
With this patch, open-iscsi builds fine here.
(cherry picked from commit ab6d358ebf)
It fails with hardening-related errors like:
reloc.o: In function `.L41':
reloc.c:(.text+0x452): undefined reference to `__stack_chk_fail_local'
... and several others as well!
Since nobody has noticed that this package has been broken the entire
16.09 release, it's probably not worth trying to fix it.
(Note that this is a different package from memtest86plus!)
(cherry picked from commit 8dcfa44a53)
Fixes #18839. I suspect I once added this just because of some
deficiencies in an early development version of the multiple-output
framework in stdenv.
(cherry picked from commit e2e270d1e2)
With bash 4.4 the semantics of GLOBIGNORE changed.
This resulted in already compressed manpages being compressed twice.
Also be careful about symlinks to fix #21777, e.g. the ledger example.
(cherry picked from commit 20ffc3cd73)
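The two pitfalls the commit above names, pages that are already gzipped and symlink aliases such as the ledger one, handled explicitly in a small compression pass written for this page. It is not the nixpkgs compress-man-pages hook; it walks the tree with `os.walk` instead of relying on shell globbing rules, and the output tree `demo()` builds is constructed sample data.

```python
"""Compress manual pages in an output tree without double-compressing.

Added example for this page (not the nixpkgs hook itself). Two cases are
handled explicitly rather than through shell glob semantics:
  - files already ending in .gz are left alone, so a second run is a no-op
  - symlinks are skipped in the first pass, then re-pointed at the .gz
    target so aliases such as `ldg.1 -> ledger.1` do not dangle
"""
import gzip
import os
import shutil
import tempfile


def compress_man_pages(root: str) -> dict:
    """Gzip every regular man page under root/share/man; return counts."""
    man = os.path.join(root, "share", "man")
    stats = {"compressed": 0, "skipped_gz": 0, "relinked": 0, "dangling": 0}
    pending_links = []
    for dirpath, _dirs, files in os.walk(man):      # symlinks not followed
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                pending_links.append(path)          # handled after the files
                continue
            if name.endswith(".gz"):
                stats["skipped_gz"] += 1            # already compressed
                continue
            with open(path, "rb") as src, gzip.open(path + ".gz", "wb") as dst:
                shutil.copyfileobj(src, dst)
            os.remove(path)
            stats["compressed"] += 1
    for link in pending_links:
        target = os.readlink(link)
        if target.endswith(".gz") or link.endswith(".gz"):
            continue                                # already fixed up
        new_target = target + ".gz"
        if not os.path.exists(os.path.join(os.path.dirname(link), new_target)):
            stats["dangling"] += 1                  # nothing sensible to point at
            continue
        os.remove(link)
        os.symlink(new_target, link + ".gz")
        stats["relinked"] += 1
    return stats


def demo() -> dict:
    """Build a constructed output tree, run the pass twice (the second run
    must change nothing) and report the final state of share/man/man1."""
    root = tempfile.mkdtemp(prefix="man-demo-")
    man1 = os.path.join(root, "share", "man", "man1")
    os.makedirs(man1)
    with open(os.path.join(man1, "ledger.1"), "w") as f:
        f.write(".TH LEDGER 1\nconstructed sample page\n")
    with gzip.open(os.path.join(man1, "old.1.gz"), "wt") as f:
        f.write(".TH OLD 1\n")                      # shipped pre-compressed
    os.symlink("ledger.1", os.path.join(man1, "ldg.1"))   # relative alias
    first = compress_man_pages(root)
    second = compress_man_pages(root)
    entries = sorted(os.listdir(man1))
    alias_ok = os.readlink(os.path.join(man1, "ldg.1.gz")) == "ledger.1.gz"
    shutil.rmtree(root)
    return {"first": first, "second": second,
            "entries": entries, "alias_ok": alias_ok}


if __name__ == "__main__":
    print(demo())
```

Running the pass a second time is the check that matters: `second["compressed"]` must be 0, which is exactly what the bash 4.4 GLOBIGNORE change broke for the original hook.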
From the manual:
> This attribute should be a number, with a higher value denoting a
> lower priority. The default priority is 0.
Just passing -5 or -10 wasn't sufficient, so let's make it -100.
(cherry picked from commit 079353e208)
Higher priority than Python 3.x so that `/bin/python` points to
`/bin/python2` in case both 2 and 3 are installed.
(cherry picked from commit 4bc1d02698)
Also remove cudatoolkit override as we have cudatoolkit = cudatoolkit8 now.
(cherry picked from commit d7ecf89580)
Fixes build with CUDA support, as we are early in the testing cycle it's easier
to just backport the new version.
Also enable the http plugin again. The readme mentions that using the protocol is a
security risk because it is unencrypted, but the connection stays local
(127.0.0.1) and the plugin has to be explicitly enabled in settings
(disabled by default).
(cherry picked from commit 61785c5531)
The cycle:
QuickCheck -> semigroups
semigroups -> hashable
semigroups -> unordered-containers
unordered-containers -> hashable
unordered-containers -> QuickCheck # test suite only
hashable -> QuickCheck # test suite only
(cherry picked from commit 24c93619e9)
<!-- Please check what applies. Note that these are not hard requirements but merely serve as information for reviewers. -->
- [ ] Tested using sandboxing ([nix.useSandbox](http://nixos.org/nixos/manual/options.html#opt-nix.useSandbox) on NixOS, or option `build-use-sandbox` in [`nix.conf`](http://nixos.org/nix/manual/#sec-conf-file) on non-NixOS)
- Built on platform(s)
- [ ] NixOS
- [ ] macOS
- [ ] Linux
- [ ] Tested via one or more NixOS test(s) if existing and applicable for the change (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
- [ ] Tested compilation of all pkgs that depend on this change using `nix-shell -p nox --run "nox-review wip"`
- [ ] Tested execution of all binary files (usually in `./result/bin/`)
The three GNU Autoconf platforms, <wordasword>build</wordasword>, <wordasword>host</wordasword>, and <wordasword>target</wordasword>, are historically the result of much confusion.
The three GNU Autoconf platforms, <wordasword>build</wordasword>, <wordasword>host</wordasword>, and <wordasword>cross</wordasword>, are historically the result of much confusion.
<linkxlink:href="https://gcc.gnu.org/onlinedocs/gccint/Configure-Terms.html"/> clears this up somewhat but there is more to be said.
An important advice to get out the way is, unless you are packaging a compiler or other build tool, just worry about the build and host platforms.
Dealing with just two platforms usually better matches people's preconceptions, and in this case is completely correct.
</para>
<para>
In Nixpkgs, these three platforms are defined as attribute sets under the names <literal>buildPlatform</literal>, <literal>hostPlatform</literal>, and <literal>targetPlatform</literal>.
All three are always defined as attributes in the standard environment, and at the top level. That means one can get at them just like a dependency in a function that is imported with <literal>callPackage</literal>:
<programlisting>{ stdenv, buildPlatform, hostPlatform, fooDep, barDep, .. }: ...buildPlatform...</programlisting>, or just off <varname>stdenv</varname>:
All are guaranteed to contain at least a <varname>platform</varname> field, which contains detailed information on the platform.
All three are always defined at the top level, so one can get at them just like a dependency in a function that is imported with <literal>callPackage</literal>:
These platforms should all have the same structure in all scenarios, but that is currently not the case.
When not cross-compiling, they will each contain a <literal>system</literal> field with a short 2-part, hyphen-separated summering string name for the platform.
But, when when cross compiling, <literal>hostPlatform</literal> and <literal>targetPlatform</literal> may instead contain <literal>config</literal> with a fuller 3- or 4-part string in the manner of LLVM.
We should have all 3 platforms always contain both, and maybe give <literal>config</literal> a better name while we are at it.
</para></warning>
<variablelist>
<varlistentry>
<term><varname>buildPlatform</varname></term>
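Review bot: two versions of the opening sentence survive side by side, one naming the third Autoconf platform "target" and the other "cross"; only one should remain, and "target" is the one consistent with the <varname>targetPlatform</varname> entry that follows. Two typos in the same region: "short 2-part, hyphen-separated summering string name" should read "summary string name", and "when when cross compiling" doubles "when". The sentences "All three are always defined as attributes in the standard environment, and at the top level ..." and "All three are always defined at the top level, so one can get at them ..." also say the same thing twice; keep one.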
@@ -63,8 +69,8 @@
The "target platform" is black sheep.
The other two intrinsically apply to all compiled software—or any build process with a notion of "build-time" followed by "run-time".
The target platform only applies to programming tools, and even then only is a good for for some of them.
Briefly, GCC, Binutils, GHC, and certain other tools are written in such a way such that a single build can only compile code for a single platform.
Thus, when building them, one must think ahead about which platforms they wish to use the tool to produce machine code for, and build binaries for each.
Briefly, GCC, Binutils, GHC, and certain other tools are written in such a way such that a single build can only compiler code for a single platform.
Thus, when building them, one must think ahead about what platforms they wish to use the tool to produce machine code for, and build binaries for each.
</para>
<para>
There is no fundamental need to think about the target ahead of time like this.
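Review bot: the unchanged context line "even then only is a good for for some of them" doubles "for" (read: "is only a good fit for some of them"); since the hunk already touches the two sentences right after it (the "compile code" / "compiler code" pair and "which platforms" / "what platforms"), fold that fix in as well rather than leaving the typo in the line above the rewrite.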
@@ -77,79 +83,14 @@
Nixpkgs tries to avoid this where possible too, but still, because the concept of a target platform is so ingrained now in Autoconf and other tools, it is best to support it as is.
Tools like LLVM that don't need up-front target platforms can safely ignore it like normal packages, and it will do no harm.
</para>
</listitem>
</varlistentry>
</variablelist>
<para>
The exact schema these fields follow is a bit ill-defined due to a long and convoluted evolution, but this is slowly being cleaned up.
You can see examples of ones used in practice in <literal>lib.systems.examples</literal>; note how they are not all very consistent.
For now, here are few fields can count on them containing:
</para>
<variablelist>
<varlistentry>
<term><varname>system</varname></term>
<listitem>
<para>
This is a two-component shorthand for the platform.
Examples of this would be "x86_64-darwin" and "i686-linux"; see <literal>lib.systems.doubles</literal> for more.
This format isn't very standard, but has built-in support in Nix, such as the <varname>builtins.currentSystem</varname> impure string.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>config</varname></term>
<listitem>
<para>
This is a 3- or 4- component shorthand for the platform.
Examples of this would be "x86_64-unknown-linux-gnu" and "aarch64-apple-darwin14".
This is a standard format called the "LLVM target triple", as they are pioneered by LLVM and traditionally just used for the <varname>targetPlatform</varname>.
This format is strictly more informative than the "Nix host double", as the previous format could analogously be termed.
This needs a better name than <varname>config</varname>!
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>parsed</varname></term>
<listitem>
<para>
This is a nix representation of a parsed LLVM target triple with white-listed components.
This can be specified directly, or actually parsed from the <varname>config</varname>.
[Technically, only one need be specified and the others can be inferred, though the precision of inference may not be very good.]
See <literal>lib.systems.parse</literal> for the exact representation.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>libc</varname></term>
<listitem>
<para>
This is a string identifying the standard C library used.
Valid identifiers include "glibc" for GNU libc, "libSystem" for Darwin's Libsystem, and "uclibc" for µClibc.
It should probably be refactored to use the module system, like <varname>parse</varname>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>is*</varname></term>
<listitem>
<para>
These predicates are defined in <literal>lib.systems.inspect</literal>, and slapped on every platform.
They are superior to the ones in <varname>stdenv</varname> as they force the user to be explicit about which platform they are inspecting.
Please use these instead of those.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><varname>platform</varname></term>
<listitem>
<para>
This is, quite frankly, a dumping ground of ad-hoc settings (it's an attribute set).
See <literal>lib.systems.platforms</literal> for examples—there's hopefully one in there that will work verbatim for each platform that is working.
Please help us triage these flags and give them better homes!
</para>
</listitem>
</listitem>
</varlistentry>
</variablelist>
<note><para>
If you dig around nixpkgs, you may notice there is also <varname>stdenv.cross</varname>.
This field defined as <varname>hostPlatform</varname> when the host and build platforms differ, but otherwise not defined at all.
This field is obsolete and will soon disappear—please do not use it.
</para></note>
</section>
<section>
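Review bot: the <varname>platform</varname> entry closes <listitem> twice (two consecutive </listitem> lines before </varlistentry>), which leaves the DocBook unbalanced; drop one. Smaller points in the same hunk: "here are few fields can count on them containing" is missing words ("here are a few fields you can count on them containing"); the <varname>libc</varname> entry says "like <varname>parse</varname>" but the field described two entries above is named <varname>parsed</varname>; and "This field defined as <varname>hostPlatform</varname>" in the note is missing "is".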
@@ -174,20 +115,15 @@
The depending package's target platform is unconstrained by the sliding window principle, which makes sense in that one can in principle build cross compilers targeting arbitrary platforms.
</para></note>
<para>
How does this work in practice? Nixpkgs is now structured so that build-time dependencies are taken from <varname>buildPackages</varname>, whereas run-time dependencies are taken from the top level attribute set.
How does this work in practice? Nixpkgs is now structured so that build-time dependencies are taken from from <varname>buildPackages</varname>, whereas run-time dependencies are taken from the top level attribute set.
For example, <varname>buildPackages.gcc</varname> should be used at build time, while <varname>gcc</varname> should be used at run time.
Now, for most of Nixpkgs's history, there was no <varname>buildPackages</varname>, and most packages have not been refactored to use it explicitly.
Instead, one can use the four attributes used for specifying dependencies as documented in <xreflinkend="ssec-stdenv-attributes"/>.
Instead, one can use the four attributes used for specifying dependencies as documented in <linklinkend="ssec-stdenv-attributes"/>.
We "splice" together the run-time and build-time package sets with <varname>callPackage</varname>, and then <varname>mkDerivation</varname> for each of four attributes pulls the right derivation out.
This splicing can be skipped when not cross compiling as the package sets are the same, but is a bit slow for cross compiling.
Because of this, a best-of-both-worlds solution is in the works with no splicing or explicit access of <varname>buildPackages</varname> needed.
For now, feel free to use either method.
</para>
<note><para>
There is also a "backlink" <varname>__targetPackages</varname>, yielding a package set whose <varname>buildPackages</varname> is the current package set.
This is a hack, though, to accommodate compilers with lousy build systems.
Please do not use this unless you are absolutely sure you are packaging such a compiler and there is no other way.
</para></note>
</section>
</section>
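Review bot: one of the two versions of the "How does this work in practice?" sentence reads "taken from from <varname>buildPackages</varname>", doubling "from"; make sure the version that is kept is the one without it. In the xref/link pair, the element name and the linkend attribute run together as written (`<xreflinkend=` / `<linklinkend=`), so whichever form is retained needs the space restored, e.g. `<xref linkend="ssec-stdenv-attributes"/>`.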
@@ -200,27 +136,11 @@
More information needs to moved from the old wiki, especially <linkxlink:href="https://nixos.org/wiki/CrossCompiling"/>, for this section.
</para></note>
<para>
Nixpkgs can be instantiated with<varname>localSystem</varname> alone, in which case there is no cross compiling and everything is built by and for that system,
or also with <varname>crossSystem</varname>, in which case packages run on the latter, but all building happens on the former.
Both parameters take the same schema as the 3 (build, host, and target) platforms defined in the previous section.
As mentioned above, <literal>lib.systems.examples</literal> has some platforms which are used as arguments for these parameters in practice.
You can use them programmatically, or on the command line like <command>nix-build <nixpkgs> --arg crossSystem '(import <nixpkgs/lib>).systems.examples.fooBarBaz'</command>.
Many sources (manual, wiki, etc) probably mention passing<varname>system</varname>, <varname>platform</varname>, and, optionally, <varname>crossSystem</varname> to nixpkgs:
<varname>system</varname> and <varname>platform</varname> together determine the system on which packages are built, and <varname>crossSystem</varname> specifies the platform on which packages are ultimately intended to run, if it is different.
This still works, but with more recent changes, one can alternatively pass <varname>localSystem</varname>, containing <varname>system</varname> and <varname>platform</varname>, for symmetry.
</para>
<para>
While one is free to pass both parameters in full, there's a lot of logic to fill in missing fields.
As discussed in the previous section, only one of <varname>system</varname>, <varname>config</varname>, and <varname>parsed</varname> is needed to infer the other two.
Additionally, <varname>libc</varname> will be inferred from <varname>parse</varname>.
Finally, <literal>localSystem.system</literal> is also <emphasis>impurely</emphasis> inferred based on the platform evaluation occurs.
This means it is often not necessary to pass <varname>localSystem</varname> at all, as in the command-line example in the previous paragraph.
</para>
<note>
<para>
Many sources (manual, wiki, etc) probably mention passing <varname>system</varname>, <varname>platform</varname>, along with the optional <varname>crossSystem</varname> to nixpkgs:
Passing those two instead of <varname>localSystem</varname> is still supported for compatibility, but is discouraged.
Indeed, much of the inference we do for these parameters is motivated by compatibility as much as convenience.
</para>
</note>
<para>
One would think that <varname>localSystem</varname> and <varname>crossSystem</varname> overlap horribly with the three <varname>*Platforms</varname> (<varname>buildPlatform</varname>, <varname>hostPlatform,</varname> and <varname>targetPlatform</varname>; see <varname>stage.nix</varname> or the manual).
Actually, those identifiers are purposefully not used here to draw a subtle but important distinction:
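Review bot: the <command> example contains a raw `<nixpkgs>` (`nix-build <nixpkgs> --arg crossSystem ...`), which an XML parser will read as an element; inside DocBook it has to be written `&lt;nixpkgs&gt;`. Also: "instantiated with<varname>localSystem" and "mention passing<varname>system" lack a space before the tag; "<varname>libc</varname> will be inferred from <varname>parse</varname>" should say <varname>parsed</varname>, the field name used in the previous section; and the final paragraph ends on "a subtle but important distinction:" with nothing following the colon.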
Again, it is possible to launch the interpreter from the shell.
The Python interpreter has the attribute `pkgs` which contains all Python libraries for that specific interpreter.
If the packages were not available yet in the Nix store, Nix would download or
build them automatically. A convenient option with `nix-shell` is the `--run`
option, with which you can execute a command in the `nix-shell`. Let's say we
want the above environment and directly run the Python interpreter
##### Load environment from `.nix` expression
As explained in the Nix manual, `nix-shell` can also load an
expression from a `.nix` file. Say we want to have Python 3.5, `numpy`
and `toolz`, like before, in an environment. Consider a `shell.nix` file
with
```nix
withimport<nixpkgs>{};
python35.withPackages(ps:[ps.numpyps.toolz])
```
Executing `nix-shell` gives you again a Nix shell from which you can run Python.
What's happening here?
1. We begin with importing the Nix Packages collections. `import <nixpkgs>` imports the `<nixpkgs>` function, `{}` calls it and the `with` statement brings all attributes of `nixpkgs` in the local scope. These attributes form the main package set.
2. Then we create a Python 3.5 environment with the `withPackages` function.
3. The `withPackages` function expects us to provide a function as an argument that takes the set of all python packages and returns a list of packages to include in the environment. Here, we select the packages `numpy` and `toolz` from the package set.
##### Execute command with `--run`
A convenient option with `nix-shell` is the `--run`
option, with which you can execute a command in the `nix-shell`. We can
executing `nix-shell` gives you again a Nix shell from which you can run Python.
What's happening here?
1. We begin with importing the Nix Packages collections. `import <nixpkgs>` import the `<nixpkgs>` function, `{}` calls it and the `with` statement brings all attributes of `nixpkgs` in the local scope. Therefore we can now use `pkgs`.
2. Then we create a Python 3.5 environment with the `withPackages` function.
3. The `withPackages` function expects us to provide a function as an argument that takes the set of all python packages and returns a list of packages to include in the environment. Here, we select the packages `numpy` and `toolz` from the package set.
4. And finally, for in interactive use we return the environment by using the `env` attribute.
### Developing with Python
Now that you know how to get a working Python environment with Nix, it is time
to go forward and start actually developing with Python. We will first have a
look at how Python packages are packaged on Nix. Then, we will look at how you
can use development mode with your code.
#### Packaging a library
Now that you know how to get a working Python environment on Nix, it is time to go forward and start actually developing with Python.
We will first have a look at how Python packages are packaged on Nix. Then, we will look how you can use development mode with your code.
With Nix all packages are built by functions. The main function in Nix for
building Python libraries is `buildPythonPackage`. Let's see how we can build the
`toolz`package.
#### Python packaging on Nix
On Nix all packages are built by functions. The main function in Nix for building Python packages is [`buildPythonPackage`](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/interpreters/python/build-python-package.nix).
Let's see how we would build the `toolz` package. According to [`python-packages.nix`](https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/top-level/python-packages.nix) `toolz` is build using
In contrast to `python.buildEnv`, `python.withPackages` does not support the more advanced options
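Review bot: the `shell.nix` example has lost its spacing, `withimport<nixpkgs>{};` and `[ps.numpyps.toolz]`, which does not parse as Nix; it should read `with import <nixpkgs> {};` and `python35.withPackages (ps: [ ps.numpy ps.toolz ])`. The "What's happening here?" walkthrough also appears twice with slightly different wording; the second copy's extra step 4 ("for in interactive use", should be "for interactive use") refers to an `env` attribute that the withPackages expression shown does not have. Minor: "`toolz`package" is missing a space, and "we will look how you can use" should be "look at how".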
@@ -774,36 +683,65 @@ The `buildPythonPackage` function sets `DETERMINISTIC_BUILD=1` and
Both are also exported in `nix-shell`.
### Automatic tests
It is recommended to test packages as part of the build process.
Source distributions (`sdist`) often include test files, but not always.
By default the command `python setup.py test` is run as part of the
`checkPhase`, but often it is necessary to pass a custom `checkPhase`. An
example of such a situation is when `py.test` is used.
#### Common issues
- Non-working tests can often be deselected. By default `buildPythonPackage` runs `python setup.py test`.
Most python modules follows the standard test protocol where the pytest runner can be used instead.
`py.test` supports a `-k` parameter to ignore test methods or classes:
```nix
buildPythonPackage {
# ...
# assumes the tests are located in tests
checkInputs = [ pytest ];
checkPhase = ''
py.test -k 'not function_name and not other_function' tests
'';
}
```
- Unicode issues can typically be fixed by including `glibcLocales` in `buildInputs` and exporting `LC_ALL=en_US.utf-8`.
- Tests that attempt to access `$HOME` can be fixed by using the following work-around before running tests (e.g. `preCheck`): `export HOME=$(mktemp -d)`
## FAQ
### How can I install a working Python environment?
As explained in the user's guide installing individual Python packages
imperatively with `nix-env -i` or declaratively in `environment.systemPackages`
is not supported. However, it is possible to install a Python environment with packages (`python.buildEnv`).
In the following examples we create an environment with Python 3.5, `numpy` and `ipython`.
As you might imagine there is one limitation here, and that's you can install
only one environment at a time. You will notice the complaints about collisions
when you try to install a second environment.
#### Environment defined in separate `.nix` file
Create a file, e.g. `build.nix`, with the following expression
Using `nix-build` on this expression will build an environment that contains the
package `pandas` but with the new name `foo`.
Using `nix-build` on this expression will build the package `pandas`
but with the new name `foo`.
All packages in the package set will use the renamed package.
A typical use case is to switch to another version of a certain package.
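Review bot: the `py.test -k 'not function_name and not other_function' tests` snippet under "Common issues" shows how to deselect tests but not why, while the contribution guidelines in this same change ask that every disabled test come with a comment explaining the reason; add a comment line above `checkPhase` stating that reason so the example models the rule. Grammar in the same bullet: "Most python modules follows" should be "follow". Under "Environment defined in separate `.nix` file", the two "Using `nix-build` on this expression ..." sentences disagree about what is produced (an environment containing `pandas` versus the `pandas` package itself renamed to `foo`); only the accurate one should remain.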
@@ -985,37 +923,14 @@ If you need to change a package's attribute(s) from `configuration.nix` you coul
If you are using the `bepasty-server` package somewhere, for example in `systemPackages` or indirectly from `services.bepasty`, then a `nixos-rebuild switch` will rebuild the system but with the `bepasty-server` package using a different `src` attribute. This way one can modify `python` based software/libraries easily. Using `self` and `super` one can also alter dependencies (`buildInputs`) between the old state (`self`) and new state (`super`).
### How to override a Python package using overlays?
To alter a python package using overlays, you would use the following approach:
* Python libraries are called from `python-packages.nix` and packaged with `buildPythonPackage`. The expression of a library should be in `pkgs/development/python-modules/<name>/default.nix`. Libraries in `pkgs/top-level/python-packages.nix` are sorted quasi-alphabetically to avoid merge conflicts.
* Python libraries are supposed to be called from `python-packages.nix` and packaged with `buildPythonPackage`. The expression of a library should be in `pkgs/development/python-modules/<name>/default.nix`. Libraries in `pkgs/top-level/python-packages.nix` are sorted quasi-alphabetically to avoid merge conflicts.
* Python applications live outside of `python-packages.nix` and are packaged with `buildPythonApplication`.
* Make sure libraries build for all Python interpreters.
* By default we enable tests. Make sure the tests are found and, in the case of libraries, are passing for all interpreters. If certain tests fail they can be disabled individually. Try to avoid disabling the tests altogether. In any case, when you disable tests, leave a comment explaining why.
* Commit names of Python libraries should reflect that they are Python libraries, so write for example `pythonPackages.numpy: 1.11 -> 1.12`.
* Commit names of Python libraries should include `pythonPackages`, for example `pythonPackages.numpy: 1.11 -> 1.12`.
Qt is a comprehensive desktop and mobile application development toolkit for C++.
Legacy support is available for Qt 3 and Qt 4, but all current development uses Qt 5.
The Qt 5 packages in Nixpkgs are updated frequently to take advantage of new features,
but older versions are typically retained until their support window ends.
The most important consideration in packaging Qt-based software is ensuring that each package and all its dependencies use the same version of Qt 5;
this consideration motivates most of the tools described below.
</para>
<para>Qt is a comprehensive desktop and mobile application development toolkit for C++. Legacy support is available for Qt 3 and Qt 4, but all current development uses Qt 5. The Qt 5 packages in Nixpkgs are updated frequently to take advantage of new features, but older versions are typically retained to support packages that may not be compatible with the latest version. When packaging applications and libraries for Nixpkgs, it is important to ensure that compatible versions of Qt 5 are used throughout; this consideration motivates the tools described below.</para>
<sectionxml:id="ssec-qt-libraries"><title>Packaging Libraries for Nixpkgs</title>
Whenever possible, libraries that use Qt 5 should be built with each available version.
Packages providing libraries should be added to the top-level function <varname>mkLibsForQt5</varname>,
which is used to build a set of libraries for every Qt 5 version.
A special <varname>callPackage</varname> function is used in this scope to ensure that the entire dependency tree uses the same Qt 5 version.
Import dependencies unqualified, i.e., <literal>qtbase</literal> not <literal>qt5.qtbase</literal>.
<emphasis>Do not</emphasis> import a package set such as <literal>qt5</literal> or <literal>libsForQt5</literal>.
</para>
<para>Libraries that depend on Qt 5 should be built with each available version to avoid linking a dependent package against incompatible versions of Qt 5. (Although Qt 5 maintains backward ABI compatibility, linking against multiple versions at once is generally not possible; at best it will lead to runtime faults.) Packages that provide libraries should be added to the top-level function <varname>mkLibsForQt5</varname>, which is used to build a set of libraries for every Qt 5 version. The <varname>callPackage</varname> provided in this scope will ensure that only one Qt version will be used throughout the dependency tree. Dependencies should be imported unqualified, i.e. <literal>qtbase</literal> not <literal>qt5.qtbase</literal>, so that <varname>callPackage</varname> can do its work. <emphasis>Do not</emphasis> import a package set such as <literal>qt5</literal> or <literal>libsForQt5</literal> into your package; although it may work fine in the moment, it could well break at the next Qt update.</para>
<para>
If a library does not support a particular version of Qt 5, it is best to mark it as broken by setting its <literal>meta.broken</literal> attribute.
A package may be marked broken for certain versions by testing the <literal>qtbase.version</literal> attribute, which will always give the current Qt 5 version.
</para>
<para>If a library does not support a particular version of Qt 5, it is best to mark it as broken by setting its <literal>meta.broken</literal> attribute. A package may be marked broken for certain versions by testing the <literal>qtbase.version</literal> attribute, which will always give the current Qt 5 version.</para>
</section>
<sectionxml:id="ssec-qt-applications"><title>Packaging Applications for Nixpkgs</title>
Call your application expression using <literal>libsForQt5.callPackage</literal> instead of <literal>callPackage</literal>.
Import dependencies unqualified, i.e., <literal>qtbase</literal> not <literal>qt5.qtbase</literal>.
<emphasis>Do not</emphasis> import a package set such as <literal>qt5</literal> or <literal>libsForQt5</literal>.
</para>
<para>Applications generally do not need to be built with every Qt version because they do not provide any libraries for dependent packages to link against. The primary consideration is merely ensuring that the application itself and its dependencies are linked against only one version of Qt. To call your application expression, use <literal>libsForQt5.callPackage</literal> instead of <literal>callPackage</literal>. Dependencies should be imported unqualified, i.e. <literal>qtbase</literal> not <literal>qt5.qtbase</literal>. <emphasis>Do not</emphasis> import a package set such as <literal>qt5</literal> or <literal>libsForQt5</literal> into your package; although it may work fine in the moment, it could well break at the next Qt update.</para>
<para>
Qt 5 maintains strict backward compatibility, so it is generally best to build an application package against the latest version using the <varname>libsForQt5</varname> library set.
In case a package does not build with the latest Qt version, it is possible to pick a set pinned to a particular version, e.g. <varname>libsForQt55</varname> for Qt 5.5, if that is the latest version the package supports.
If a package must be pinned to an older Qt version, be sure to file a bug upstream;
because Qt is strictly backwards-compatible, any incompatibility is by definition a bug in the application.
</para>
<para>It is generally best to build an application package against the <varname>libsForQt5</varname> library set. In case a package does not build with the latest Qt version, it is possible to pick a set pinned to a particular version, e.g. <varname>libsForQt55</varname> for Qt 5.5, if that is the latest version the package supports.</para>
<para>
When testing applications in Nixpkgs, it is a common practice to build the package with <literal>nix-build</literal> and run it using the created symbolic link.
This will not work with Qt applications, however, because they have many hard runtime requirements that can only be guaranteed if the package is actually installed.
To test a Qt application, install it with <literal>nix-env</literal> or run it inside <literal>nix-shell</literal>.
</para>
<para>Qt-based applications require that several paths be set at runtime. This is accomplished by wrapping the provided executables in a package with <literal>wrapQtProgram</literal> or <literal>makeQtWrapper</literal> during the <literal>postFixup</literal> phase. To use the wrapper generators, add <literal>makeQtWrapper</literal> to <literal>nativeBuildInputs</literal>. The wrapper generators support the same options as <literal>wrapProgram</literal> and <literal>makeWrapper</literal> respectively. It is usually only necessary to generate wrappers for programs intended to be invoked by the user.</para>
</section>
<sectionxml:id="ssec-qt-kde"><title>KDE</title>
<para>The KDE Frameworks are a set of libraries for Qt 5 which form the basis of the Plasma desktop environment and the KDE Applications suite. Packaging a Frameworks-based library does not require any steps beyond those described above for general Qt-based libraries. Frameworks-based applications should not use <literal>makeQtWrapper</literal>; instead, use <literal>kdeWrapper</literal> to create the necessary wrappers: <literal>kdeWrapper { unwrapped = <replaceable>expr</replaceable>; targets = <replaceable>exes</replaceable>; }</literal>, where <replaceable>expr</replaceable> is the un-wrapped package expression and <replaceable>exes</replaceable> is a list of strings giving the relative paths to programs in the package which should be wrapped.</para>
<para>There currently is support to bundle applications that are packaged as
Ruby gems. The utility "bundix" allows you to write a
<filename>Gemfile</filename>, let bundler create a
<filename>Gemfile.lock</filename>, and then convert this into a nix
expression that contains all Gem dependencies automatically.
</para>
<para>There currently is support to bundle applications that are packaged as Ruby gems. The utility "bundix" allows you to write a <filename>Gemfile</filename>, let bundler create a <filename>Gemfile.lock</filename>, and then convert
this into a nix expression that contains all Gem dependencies automatically.</para>
<para>For example, to package sensu, we did:</para>
<para>For example, to package sensu, we did:</para>
<screen>
<![CDATA[$ cd pkgs/servers/monitoring
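Review bot: the overlay explanation after the `bepasty-server` example has `self` and `super` reversed: in an overlay written as `self: super:`, `super` is the package set as it stood before the overlay (the old state) and `self` is the final, overlaid set (the new state), so "between the old state (`self`) and new state (`super`)" should be swapped. In the contribution checklist, the bullets "Python libraries are called from `python-packages.nix`" / "are supposed to be called from" and the two "Commit names of Python libraries ..." bullets are near-duplicates; keep one of each. The Qt section likewise shows most paragraphs twice, once line-wrapped and once as a single line (the Qt introduction, "Packaging Libraries", the `meta.broken` paragraph, "Packaging Applications", and the `libsForQt5` pinning paragraph), and the two pinning versions differ in substance: one states that "any incompatibility is by definition a bug in the application" and asks for an upstream bug report, the other drops that claim; settle on one wording. The same doubling affects the Ruby "bundix" introduction and the "For example, to package sensu, we did:" line.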
@@ -20,7 +16,8 @@ $ cd sensu
$ cat > Gemfile
source 'https://rubygems.org'
gem 'sensu'
$ $(nix-build '<nixpkgs>' -A bundix --no-out-link)/bin/bundix --magic
<para>Please check in the <filename>Gemfile</filename>,
<filename>Gemfile.lock</filename> and the
<filename>gemset.nix</filename> so future updates can be run easily.
<para>Please check in the <filename>Gemfile</filename>,<filename>Gemfile.lock</filename> and the <filename>gemset.nix</filename> so future updates can be run easily.
</para>
<para>For tools written in Ruby - i.e. where the desire is to install
a package and then execute e.g. <command>rake</command> at the command
line, there is an alternative builder called<literal>bundlerApp</literal>.
Set up the <filename>gemset.nix</filename> the same way, and then, for
example:
</para>
<screen>
<![CDATA[{ lib, bundlerApp }:
bundlerApp {
pname = "corundum";
gemdir = ./.;
exes = [ "corundum-skel" ];
meta = with lib; {
description = "Tool and libraries for maintaining Ruby gems.";
homepage = https://github.com/nyarly/corundum;
license = licenses.mit;
maintainers = [ maintainers.nyarly ];
platforms = platforms.unix;
};
}]]>
</screen>
<para>The chief advantage of <literal>bundlerApp</literal> over
<literal>bundlerEnv</literal> is the executables introduced in the
environment are precisely those selected in the <literal>exes</literal>
list, as opposed to <literal>bundlerEnv</literal> which adds all the
executables made available by gems in the gemset, which can mean e.g.
<command>rspec</command> or <command>rake</command> in unpredictable
versions available from various packages.
</para>
<para>Resulting derivations for both builders also have two helpful
attributes, <literal>env</literal> and <literal>wrappedRuby</literal>.
The first one allows one to quickly drop into
<command>nix-shell</command> with the specified environment present.
E.g. <command>nix-shell -A sensu.env</command> would give you an
environment with Ruby preset so it has all the libraries necessary
for <literal>sensu</literal> in its paths. The second one can be
used to make derivations from custom Ruby scripts which have
<filename>Gemfile</filename>s with their dependencies specified. It is
a derivation with <command>ruby</command> wrapped so it can find all
the needed dependencies. For example, to make a derivation
<literal>my-script</literal> for a <filename>my-script.rb</filename>
(which should be placed in <filename>bin</filename>) you should run
<command>bundix</command> as specified above and then use
<literal>bundlerEnv</literal> like this:
</para>
<para>Resulting derivations also have two helpful items, <literal>env</literal> and <literal>wrapper</literal>. The first one allows one to quickly drop into
<command>nix-shell</command> with the specified environment present. E.g. <command>nix-shell -A sensu.env</command> would give you an environment with Ruby preset
so it has all the libraries necessary for<literal>sensu</literal> in its paths. The second one can be used to make derivations from custom Ruby scripts which have
<filename>Gemfile</filename>s with their dependencies specified. It is a derivation with <command>ruby</command> wrapped so it can find all the needed dependencies.
For example, to make a derivation <literal>my-script</literal> for a <filename>my-script.rb</filename> (which should be placed in <filename>bin</filename>) you should
run <command>bundix</command> as specified above and then use <literal>bundlerEnv</literal> lile this:</para>
<programlisting>
<![CDATA[let env = bundlerEnv {
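Review bot: the two versions of the "Resulting derivations ..." paragraph disagree on the name of the second attribute, `wrappedRuby` in one and `wrapper` in the other; the paragraph itself describes it as "a derivation with `ruby` wrapped so it can find all the needed dependencies", which matches `wrappedRuby`, so the `wrapper` spelling looks like a leftover that will send readers to an attribute that does not exist. The "Please check in the Gemfile, Gemfile.lock and the gemset.nix" paragraph appears twice in this hunk. Missing spaces and a typo: after the comma between `Gemfile` and `Gemfile.lock`, before `bundlerApp` in "called bundlerApp", before `sensu` in "for sensu", and "lile this" should be "like this".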
@@ -110,9 +61,13 @@ the needed dependencies. For example, to make a derivation
CC Wrapper wraps a C toolchain for a bunch of miscellaneous purposes.
Specifically, a C compiler (GCC or Clang), Binutils (or the CCTools + binutils mashup when targetting Darwin), and a C standard library (glibc or Darwin's libSystem) are all fed in, and dependency finding, hardening (see below), and purity checks for each are handled by CC Wrapper.
Packages typically depend on only CC Wrapper, instead of those 3 inputs directly.
</para>
<para>
Dependency finding is undoubtedly the main task of CC wrapper.
It is currently accomplished by collecting directories of host-platform dependencies (i.e. <varname>buildInputs</varname> and <varname>nativeBuildInputs</varname>) in environment variables.
CC wrapper's setup hook causes any <filename>include</filename> subdirectory of such a dependency to be added to <envar>NIX_CFLAGS_COMPILE</envar>, and any <filename>lib</filename> and <filename>lib64</filename> subdirectories to <envar>NIX_LDFLAGS</envar>.
The setup hook itself contains some lengthy comments describing the exact convoluted mechanism by which this is accomplished.
</para>
<para>
A final task of the setup hook is defining a number of standard environment variables to tell build systems which executables full-fill which purpose.
They are defined to just be the base name of the tools, under the assumption that CC Wrapper's binaries will be on the path.
Firstly, this helps poorly-written packages, e.g. ones that look for just <command>gcc</command> when <envar>CC</envar> isn't defined yet <command>clang</command> is to be used.
Secondly, this helps packages not get confused when cross-compiling, in which case multiple CC wrappers may be simultaneous in use (targeting different platforms).
<envar>BUILD_</envar>- and <envar>TARGET_</envar>-prefixed versions of the normal environment variable are defined for the additional CC Wrappers, properly disambiguating them.
</para>
<para>
A problem with this final task is that CC Wrapper is honest and defines <envar>LD</envar> as <command>ld</command>.
Most packages, however, firstly use the C compiler for linking, secondly use <envar>LD</envar> anyways, defining it as the C compiler, and thirdly, only so define <envar>LD</envar> when it is undefined as a fallback.
This triple-threat means CC Wrapper will break those packages, as LD is already defined as the actually linker which the package won't override yet doesn't want to use.
The workaround is to define, just for the problematic package, <envar>LD</envar> as the C compiler.
A good way to do this would be <command>preConfigure = "LD=$CC"</command>.
</para>
</listitem>
<term>GCC wrapper</term>
<listitem><para>Adds the <filename>include</filename> subdirectory
of each build input to the <envar>NIX_CFLAGS_COMPILE</envar>
environment variable, and the <filename>lib</filename> and
<literal>git tag -a -s -m "Release 17.09-beta" 17.09-beta && git push --tags</literal>
Use https://lwn.net/Vulnerabilities/ and
<linkxlink:href="https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&q=vulnerabilities&type=Issues">triage vulnerabilities in an issue</link>.
</para>
</listitem>
<listitem>
<para>
From the master branch run <literal>git checkout -B release-17.09</literal>.
A machine is affected if the <literal>virt-what</literal> tool
either returns <literal>qemu</literal> or
<literal>kvm</literal><emphasis>and</emphasis> has
interface names used in any part of its NixOS configuration,
in particular if a static network configuration with
<literal>networking.interfaces</literal> is used.
</para>
<para>
Before rebooting affected machines, please ensure:
<itemizedlist>
<listitem>
<para>
Change the interface names in your NixOS configuration.
The first interface will be called <literal>ens3</literal>,
the second one <literal>ens8</literal> and starting from there
incremented by 1.
</para>
</listitem>
<listitem>
<para>
After changing the interface names, rebuild your system with
<literal>nixos-rebuild boot</literal> to activate the new
configuration after a reboot. If you switch to the new
configuration right away you might lose network connectivity!
If using <literal>nixops</literal>, deploy with
<literal>nixops deploy --force-reboot</literal>.
</para>
</listitem>
</itemizedlist>
</para>
</listitem>
<listitem>
<para>
The following changes apply if the <literal>stateVersion</literal> is changed to 17.09 or higher.
For <literal>stateVersion = "17.03"</literal> or lower the old behavior is preserved.
</para>
<itemizedlist>
<listitem>
<para>
The <literal>postgres</literal> default version was changed from 9.5 to 9.6.
</para>
</listitem>
<listitem>
<para>
The <literal>postgres</literal> superuser name has changed from <literal>root</literal> to <literal>postgres</literal> to more closely follow what other Linux distributions are doing.
</para>
</listitem>
<listitem>
<para>
The <literal>postgres</literal> default <literal>dataDir</literal> has changed from <literal>/var/db/postgres</literal> to <literal>/var/lib/postgresql/$psqlSchema</literal> where $psqlSchema is 9.6 for example.
</para>
</listitem>
<listitem>
<para>
The <literal>mysql</literal> default <literal>dataDir</literal> has changed from <literal>/var/mysql</literal> to <literal>/var/lib/mysql</literal>.
</para>
</listitem>
<listitem>
<para>
Radicale's default package has changed from 1.x to 2.x. Instructions to migrate can be found <linkxlink:href="http://radicale.org/1to2/"> here </link>. It is also possible to use the newer version by setting the <literal>package</literal> to <literal>radicale2</literal>, which is done automatically when <literal>stateVersion</literal> is 17.09 or higher. The <literal>extraArgs</literal> option has been added to allow passing the data migration arguments specified in the instructions; see the <filenamexlink:href="https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/radicale.nix">radicale.nix</filename> NixOS test for an example migration.
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
The <literal>aiccu</literal> package was removed. This is due to SixXS
<linkxlink:href="https://www.sixxs.net/main/"> sunsetting</link> its IPv6 tunnel.
</para>
</listitem>
<listitem>
<para>
The <literal>fanctl</literal> package and <literal>fan</literal> module
have been removed due to the developers not upstreaming their iproute2
patches and lagging with compatibility to recent iproute2 versions.
</para>
</listitem>
<listitem>
<para>
Top-level <literal>idea</literal> package collection was renamed.
All JetBrains IDEs are now at <literal>jetbrains</literal>.
</para>
</listitem>
<listitem>
<para>
<literal>flexget</literal>'s state database cannot be upgraded to its
new internal format, requiring removal of any existing
<literal>db-config.sqlite</literal> which will be automatically recreated.
</para>
</listitem>
<listitem>
<para>
The <literal>ipfs</literal> service now doesn't ignore the <literal>dataDir</literal> option anymore. If you've ever set this option to anything other than the default you'll have to either unset it (so the default gets used) or migrate the old data manually with
<programlisting>
dataDir=<valueOfDataDir>
mv /var/lib/ipfs/.ipfs/* $dataDir
rmdir /var/lib/ipfs/.ipfs
</programlisting>
</para>
</listitem>
<listitem>
<para>
The <literal>caddy</literal> service was previously using an extra
<literal>.caddy</literal> directory in the data directory specified
with the <literal>dataDir</literal> option. The contents of the
<literal>.caddy</literal> directory are now expected to be in the
<literal>dataDir</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>ssh-agent</literal> user service is not started by default
anymore. Use <literal>programs.ssh.startAgent</literal> to enable it if
needed. There is also a new <literal>programs.gnupg.agent</literal>
module that creates a <literal>gpg-agent</literal> user service. It can
also serve as a SSH agent if <literal>enableSSHSupport</literal> is set.
</para>
</listitem>
<listitem>
<para>
The <literal>services.tinc.networks.<name>.listenAddress</literal>
option had a misleading name that did not correspond to its behavior. It
now correctly defines the ip to listen for incoming connections on. To
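Review bot: the ipfs migration listing uses a raw `<valueOfDataDir>` inside `<programlisting>`, which the XML parser will read as an element and reject; escape it as `&lt;valueOfDataDir&gt;` or mark it `<replaceable>valueOfDataDir</replaceable>`. In the same listing, `mv /var/lib/ipfs/.ipfs/* $dataDir` should quote `"$dataDir"`, and because a bare `*` does not match hidden files the following `rmdir` fails if any remain; enable `dotglob` first so hidden files are moved too. In the release process, `git checkout -B release-17.09` silently resets an existing branch of that name to `master`; `git checkout -b` fails loudly instead, which is the safer behaviour for a release branch. In the 17.09 notes, the PostgreSQL superuser change from `root` to `postgres` is welcome from a least-privilege standpoint, but the text should say what a reader with an existing cluster whose superuser is still `root` has to do when bumping `stateVersion`. Minor wording: "Before rebooting affected machines, please ensure:" introduces imperative steps, so "please do the following:" reads better; "a SSH agent" should be "an SSH agent". In the CC Wrapper text: "targetting" should be "targeting", "full-fill" should be "fulfill", "simultaneous in use" should be "simultaneously in use", and "the actually linker" should be "the actual linker".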