Upstream changes:
* Fix ordering between systemd socket file descriptor names and rules.
* Fix usage of C library path as discovered by Meson.
Signed-off-by: aszlig <aszlig@nix.build>
(cherry picked from commit 8b7f8e2e69)
The new version string for jdk11 contains a '+' character, which needs
to be escaped for use in the sed command.
Fixes #95117.
(cherry picked from commit 5622b6b6fe)
Recent changes in the Hetzner Robot API have removed a few obsolete
fields which version 0.8.2 was still referencing and which is now fixed
in version 0.8.3.
Due to a misunderstanding on my side I haven't updated to version 0.8.3
in nixpkgs yet, which resulted in this delay.
This fixes the NixOps Hetzner backend.
Signed-off-by: aszlig <aszlig@nix.build>
(cherry picked from commit e899b57c8a)
The new configuration name for this is plural. Currently, attempting to enable ec2 SD results in a `promtool check config` error
(cherry picked from commit 8389fb8f16)
mutt has improper handling of broken IMAP connections, this could result
in authentication credentials being sent over an unencrypted connection,
without $ssl_force_tls being consulted.
https://security.archlinux.org/CVE-2020-28896
(cherry picked from commit 04b06aaa3e)
without master's fix in #83888, opencv3 & opencv4 end up with an 8-byte
openblas, which it does work with. however this causes the python
bindings to also end up with an 8-byte openblas, which numpy doesn't work
with. force 4-byte openblas for opencv.
The gn version depends on the channel and new gn versions aren't always
backward compatible. Therefore we should also include it in
upstream-info.json (I've scoped it under "deps" as we'll likely have to
add more like this in the future).
(cherry picked from commit d7f5386474)
Patch copied from https://github.com/archlinux/svntogit-packages/blob/packages/wireguard-dkms/trunk/lts.diff
This fixes:
```
In file included from <command-line>:
/build/source/src/compat/compat-asm.h:44: warning: "SYM_FUNC_START" redefined
44 | #define SYM_FUNC_START ENTRY
|
In file included from /build/source/src/compat/compat-asm.h:9,
from <command-line>:
/nix/store/cz60577g5hwk78c2z7rhxl21bklaqr0d-linux-5.4.77-dev/lib/modules/5.4.77-hardened/source/include/linux/linkage.h:218: note: this is the location of the previous definition
218 | #define SYM_FUNC_START(name) \
|
In file included from <command-line>:
/build/source/src/compat/compat-asm.h:45: warning: "SYM_FUNC_END" redefined
45 | #define SYM_FUNC_END ENDPROC
|
In file included from /build/source/src/compat/compat-asm.h:9,
from <command-line>:
/nix/store/cz60577g5hwk78c2z7rhxl21bklaqr0d-linux-5.4.77-dev/lib/modules/5.4.77-hardened/source/include/linux/linkage.h:265: note: this is the location of the previous definition
265 | #define SYM_FUNC_END(name) \
|
/build/source/src/crypto/zinc/blake2s/blake2s-x86_64.S: Assembler messages:
/build/source/src/crypto/zinc/blake2s/blake2s-x86_64.S:50: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/blake2s/blake2s-x86_64.S:176: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/blake2s/blake2s-x86_64.S:180: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/blake2s/blake2s-x86_64.S:257: Error: invalid character '(' in mnemonic
make[3]: *** [/nix/store/cz60577g5hwk78c2z7rhxl21bklaqr0d-linux-5.4.77-dev/lib/modules/5.4.77-hardened/source/scripts/Makefile.build:348: /build/source/src/crypto/zinc/blake2s/blake2s-x86_64.o] Error 1
make[3]: *** Waiting for unfinished jobs....
In file included from <command-line>:
/build/source/src/compat/compat-asm.h:44: warning: "SYM_FUNC_START" redefined
44 | #define SYM_FUNC_START ENTRY
|
In file included from /build/source/src/compat/compat-asm.h:9,
from <command-line>:
/nix/store/cz60577g5hwk78c2z7rhxl21bklaqr0d-linux-5.4.77-dev/lib/modules/5.4.77-hardened/source/include/linux/linkage.h:218: note: this is the location of the previous definition
218 | #define SYM_FUNC_START(name) \
|
In file included from <command-line>:
/build/source/src/compat/compat-asm.h:45: warning: "SYM_FUNC_END" redefined
45 | #define SYM_FUNC_END ENDPROC
|
In file included from /build/source/src/compat/compat-asm.h:9,
from <command-line>:
/nix/store/cz60577g5hwk78c2z7rhxl21bklaqr0d-linux-5.4.77-dev/lib/modules/5.4.77-hardened/source/include/linux/linkage.h:265: note: this is the location of the previous definition
265 | #define SYM_FUNC_END(name) \
|
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S: Assembler messages:
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:123: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:185: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:187: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:319: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:1016: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:1616: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:1620: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:1810: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:1812: Error: invalid character '(' in mnemonic
/build/source/src/crypto/zinc/chacha20/chacha20-x86_64.S:1959: Error: invalid character '(' in mnemonic
make[3]: *** [/nix/store/cz60577g5hwk78c2z7rhxl21bklaqr0d-linux-5.4.77-dev/lib/modules/5.4.77-hardened/source/scripts/Makefile.build:348: /build/source/src/crypto/zinc/chacha20/chacha20-x86_64.o] Error 1
make[2]: *** [/nix/store/cz60577g5hwk78c2z7rhxl21bklaqr0d-linux-5.4.77-dev/lib/modules/5.4.77-hardened/source/Makefile:1729: /build/source/src] Error 2
make[1]: *** [/nix/store/cz60577g5hwk78c2z7rhxl21bklaqr0d-linux-5.4.77-dev/lib/modules/5.4.77-hardened/source/Makefile:179: sub-make] Error 2
make: *** [Makefile:26: module] Error 2
builder for '/nix/store/hll3sjyrwa55arzlsxnbacqdd8s842l1-wireguard-1.0.20200908.drv' failed with exit code 2
```
(cherry picked from commit c945b47a25)
* CVE-2020-0198: unsigned integer overflow in exif_data_load_data_content
* CVE-2020-0452: compiler optimization could remove a buffer overflow check, making a buffer overflow possible with some EXIF tags
Fixes: CVE-2020-0198, CVE-2020-0452
(cherry picked from commit 602d26e8bd)
https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html
This update includes 10 security fixes. Google is aware of reports that
an exploit for CVE-2020-16009 exists in the wild.
CVEs:
CVE-2020-16004 CVE-2020-16005 CVE-2020-16006 CVE-2020-16007
CVE-2020-16008 CVE-2020-16009 CVE-2020-16011
(cherry picked from commit 531decc11d)
Backport of #102608. I'll push this directly as it should build fine and
we need the security fixes timely (see above).
This should also fix VA-API for chromiumBeta (though that part needs
some cleanup). However, chromiumDev likely still fails due to the
absence of dirmd (not included in the tarball so far, we might have to
package and add it as a dependency).
(cherry picked from commit 50a2f50acb)
libcubeb has dlopened libraries for a while now. In nixpkgs there was
support for the PulseAudio backend doing this, however the ALSA backend
support was missed and caused issue #79310 (no sound with ALSA). This
gives ALSA users the ability to hear sound once again.
(cherry picked from commit 57ea265674)
The icon naming scheme for Chrome Beta/Dev has changed from
`product_logo_{res}.png` to `product_logo_{res}_{branch}.png`.
(cherry picked from commit 9b06980c61)
If a program (e.g. nixos-install) writes more than 1000 lines to
stderr during execute(), then process_serial_output() deadlocks
waiting for the queue to be processed. So use an unbounded queue
instead.
We should probably get rid of the structured log output (log.xml),
since then we don't need the log queue anymore.
(cherry picked from commit 78f2a83029)
This is done to avoid driver specific issues and restores the previous
behaviour. Like before video acceleration can be enabled without having
to rebuild Chromium.
(cherry picked from commit 73b67da169)
This will additionally install the following files:
libEGL.so libGLESv2.so
libVkICD_mock_icd.so libvk_swiftshader.so libvulkan.so
libEGL.so and libGLESv2.so are required to fix our ANGLE support.
The rest should help with the Vulkan support (currently an experimental
feature that is disabled by default).
(cherry picked from commit 757bbdd948)
I didn't feel comfortable with *immediately* removing 68,
even though nixers have rollbacks etc.
(cherry picked from commit 2be22836b1)
It's not nice, but the 68 branch seems unsupported upstream now,
and soon it will surely contain public vulnerabilities.
This fixes both `nix-shell` failing to eval with `nixUnstable`, as well
as ofborg's failure to eval on aarch64 due to passing an "unexpected
arg" (1112e3a8c8/ofborg/src/nix.rs (L334-L340)).
(cherry picked from commit 11eddd61bc)
The /run/wrapper directory is a tmpfs. Unfortunately, it's mounted with
its root directory having the standard (for tmpfs) mode: 1777 (world writeable,
sticky -- the standard mode of shared temporary directories). This means that
every user can create new files and subdirectories there, but can't
move/delete/rename files that belong to other users.
Note: The following might also need to be updated:
substituteStream(): WARNING: pattern '/usr/share/xcb' doesn't match anything in file 'ui/gfx/x/BUILD.gn'
(cherry picked from commit 8815c9e186)
I didn't look into this yet but IIRC M86 will finally have a flag for
Linux to enable VA-API. So we shouldn't need
enable-video-acceleration-on-linux.patch anymore.
But we likely need to update enable-vdpau-support-for-nvidia.patch
when/before M86 hits the stable channel if we want to keep VDPAU
support.
(cherry picked from commit bf0e13a322)
Ok, so I was about to update the patch (didn't apply anymore) when I
also started looking at its usage and realized that
NIX_CHROMIUM_PLUGIN_PATH_ (and other substrings) only appears in the
patch itself (i.e. it seemed like we don't need this patch anymore).
Turns out that we have this patch since 2014 (1b84fbf0ca) and it was
only ever used for NIX_CHROMIUM_PLUGIN_PATH_WIDEVINE (and from the log
it isn't clear if/when or how well that worked). But in 2019 that last
usage got removed (545d58a1ef) so we should be able to safely drop this
patch now :) \o/
(I just wanted to note that as it seemed somewhat of a funny story :D
But there is of course nothing wrong with it.)
Git history (git log --oneline -S NIX_CHROMIUM_PLUGIN_PATH_):
7205bd64a3 ungoogled-chromium: init at 81.0.4044.92-2
545d58a1ef chromium: fix widevine
cd3283f921 chromium: 67.0.3396.99 -> 68.0.3440.75
72d7b5ddb1 chromium: fix nix_plugin_paths for 68+
7a3a16dd80 chromium: Remove plugin paths patch for version 50
79d18eb604 chromium: Update dev channel to v52.0.2743.10
c7a3645e7b chromium: Remove stuff for versions <= v51
8b97ca270e chromium: Update all channels to latest versions
b9093f1c64 chromium: Updates, fixes #11492
471cdd15e2 chromium: Update beta and dev channels.
5c6aa391fc chromium: Cleanup old patch and update stable
af54ddf8b6 chromium: Drop plugin_paths patch for old versions.
6a8afa4bb3 chromium: Fix plugin_paths patch for version 44.
0aad4b7ee4 chromium: Update all channels to latest versions.
1b84fbf0ca chromium: Allow env vars for passing plugin paths.
(cherry picked from commit 2213c464f6)
This makes Git diffs way easier to read.
Using sort_keys=True is usually better but with this implementation the
output is a bit nicer to read IMO.
(cherry picked from commit ceb3acfa8b)
This is required for certain URIs that require launching external
programs (e.g. mailto:, magnet:, or irc:) or setting the default browser
via xdg-settings.
Fix #96897 and fix #92751.
(cherry picked from commit 1fa610bdf0)
update.nix was a huuuuge hack, abusing checksum collisions, etc., and
was extremely difficult to read and maintain, especially because
values from update.nix were also used in the derivations themselves!
I've replaced this with an implementation in Python, which I chose for
readability. Rather than generating Nix, I chose to
generate JSON, since Python can do that in the standard library and
Nix can read it.
I also set update.py as an updateScript, so Chromium can now
automatically be updated!
Fixes: https://github.com/NixOS/nixpkgs/issues/89635
(cherry picked from commit de69b705d2)
The previously provided patch is still necessary,
as nix python reports an old version of macOS
that has the bug, when in fact modern macOS
does not have the misspelling.
The patch has been upstreamed, so we take it
to fix 1.9.9 in anticipation of the next release.
(cherry picked from commit 44fd570d73)
systemd-confinement's automatic package extraction does not work correctly
if ExecStart, ExecReload, etc. are lists.
Add an extra flatten to make things smooth.
Fixes #96840.
(cherry picked from commit fd196452f0)
Fontconfig 2.14 from unstable reverted back to using /etc/fonts/fonts.conf
for its configuration. Unfortunately, on NixOS 20.03, this still points
to configuration for Fontconfig 2.10, with cache version 3.
When an app linked against Fontconfig 2.14 reads the config and does not
find a compatible cache, it writes new cache entries to ~/.cache/fontconfig.
Unfortunately, fontconfig 2.14 uses the same cache version as 2.12 in 20.03 (7),
so when the apps from 20.03 later read the cache, they cannot make much sense
of it and are unable to find any fonts.
I added a new fonts.fontconfig.disableVersionedFontConfiguration option, which,
when enabled, makes /etc/fonts/fonts.conf point to the configuration file
for the latest fontconfig, instead of the ancient 2.10 version.
This is necessary to prevent packages from Nixpkgs unstable breaking apps
from 20.03.
Enabling this should not cause any issues as there are no programs
using the legacy fontconfig version since NixOS 15.03.
Unfortunately, if a person already ran an app from unstable
before applying this patch, they will need to delete ~/.cache/fontconfig manually.
We should really avoid that people unknowingly use Adobe Reader, it
has literally tens of known high-score code execution vulnerabilities,
probably exploited in the wild.
(cherry picked from commit 4b07b00c0d)
Regarding microsoft_gsl: The CMake scripts from Telegram-Desktop did not
find it anymore (I didn't investigate this) and Arch already made this
change during the last update. It's probably best to do the same here
especially since Telegram-Desktop is currently based on GSL 3.0.1 while
our version is still at 2.1.0.
(cherry picked from commit e9e2f81590)
This is more robust than depending on the channel, though the version
should only matter if the configuration phase fails.
This also switches to the intended version for `chromium` which should
be higher since M85 is in the stable channel.
Thanks `@volth` for pointing this out.
(cherry picked from commit 25aed428aa)
nginx -t not only verifies configuration, but also creates (and chowns)
files. When the `nginx-config-reload` service is used, this can cause
directories to be chowned to `root`, causing nginx to fail.
This moves the nginx -t command into a second ExecReload command, which
runs as nginx's user. While fixing above issue, this will also cause the
configuration to be verified when running `systemctl reload nginx`, not
only when restarting the dummy `nginx-config-reload` unit. The latter is
mostly a workaround for missing features in our activation script
anyways.
(cherry picked from commit 300049ca51)
This patch ensures that latest Nextcloud works flawlessly again on our
`nginx`. The new config is mostly based on upstream recommendations
(again)[1]:
* Trying to access internals now results in a 404.
* All `.php`-routes get properly resolved now.
* Removed 404/403 handling from `nginx` as the app itself takes care of
this. Also, this breaks the `/ocs`-API.
* `.woff2?`-files expire later than other assets like images.
Closes #95293
[1] https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html
(cherry picked from commit 42f6244899)
Fixes this warning at ibus-daemon startup:
(ibus-dconf:15691): dconf-WARNING **: 21:49:24.018: unable to open file '/etc/dconf/db/ibus': Failed to open file “/etc/dconf/db/ibus”: open() failed: No such file or directory; expect degraded performance
(cherry picked from commit 3dbd629fa4)
Fixes this warning at ibus-daemon startup:
(ibus-dconf:15691): dconf-WARNING **: 21:49:24.018: unable to open file '/etc/dconf/db/ibus': Failed to open file “/etc/dconf/db/ibus”: open() failed: No such file or directory; expect degraded performance
(cherry picked from commit a71dc0b27e)
gappsWrapperArgsHook tries to collect GI_TYPELIB_PATH environment variable so if we want it to see the path giDiscoverSelf adds, we need to force the order.
(cherry picked from commit 8f7387f219)
The script that runs chromium calls tr from coreutils - however
it just assumed that coreutils are in PATH.
With missing coreutils chromium did still launch (at least with
d433839007 applied) but emitted
`line 15: tr: command not found` error messages.
(cherry picked from commit 6e4d33a001)
The bin script that runs chromium calls out to gnugrep - but gnugrep is
missing as a runtime dependency of the chromium package. I found this
out when I was trying to put it in a docker image.
(cherry picked from commit d433839007)
Mark chromiumDev as broken since the build requires LLVM 11 which is not
yet in Nixpkgs (due to the lack of an RC, see #93324). Build error:
clang (LLVM option parsing): Unknown command line argument '-basic-aa-recphi=0'. Try: 'clang (LLVM option parsing) --help'
clang (LLVM option parsing): Did you mean '--basicaa-recphi=0'?
ninja: build stopped: subcommand failed.
(cherry picked from commit 11fbe97810)
It appears that the autotools based build isn't supported on Darwin.
Just use the stdenv-builtin cmake build everywhere, as it works just
fine and is simpler.
(cherry picked from commit f509255ff7)
The expression was taken from current master;
the list of commits getting there would be too complex for me.
(This doesn't work; fixes come in a child commit.)
Patch release which adds a manpage.
Adding a `man` and a `doc` output, and copying the files to the
corresponding directories.
The `overrideAttrs` is necessary because `buildRustPackage` does not
allow adding outputs.
We've been slipping behind on backporting for the default
firefox version. This doesn't make it perfect, but using ESR 78
should make it easier for us to keep up.
Certainly feel free to work on backporting 79+ as well.
I briefly tested both affected versions (68 and 78).
It's exactly code written for nixpkgs master (over multiple commits),
except that gyp is used from python2 as the version in nixpkgs 20.03
refuses to work with python3.
Bumps Graylog and integrations plugins to 3.3.3 which fixes CVE-2020-15813
(cherry picked from commit 1bb1b67087)
Reason: Security fix for CVE-2020-15813 (closes #94001)
Fixes errors like this for me:
```
error: --- Error ------------------------------- nix-build
Nix daemon out of memory
(use '--show-trace' to show detailed location information)
```
(cherry picked from commit 85819d4bbf)
Fixes #93341.
Using strace reveals that zoom is attempting to load "libfaac1.so" from
its PATH. As faac provides "libfaac.so.0", solve this by linking from
there to "libfaac1.so" in zoom's output.
This is the same solution as the one we use for libjpeg_turbo.
(cherry picked from commit 903a0cac04)
This fixes a bug in the parser, where member IDs in Openstreetmap files
were not correctly parsed.
This update significantly increases the usability of the package.
This fixes the failing build.
Build system changed to cmake.
(cherry picked from commit e9848d11ad)
Reason: fixes CVE-2019-15785, CVE-2020-5395, CVE-2020-5496
- Init libuninameslist at 20190701 as it is a new dependency to fontforge
- Remove gnulib, as it is not used anymore
- Remove a non-applying patch
- Add myself as maintainer
(cherry picked from commit 4496f8f4b8)
Build error introduced in fe7053f75a:
parser error : Opening and ending tag mismatch: commmand line 6139 and command
escription><para>Base64 preshared key generated by <commmand>wg genpsk</command>
^
Writing "command" with only two "m" fixes building the NixOS manual.
Signed-off-by: aszlig <aszlig@nix.build>
(cherry picked from commit 4e92b613cc)
Initially the 2.3.3 release was based on the wrong commit by upstream,
later retagged (see [1]). This resulted in Audacity
complaining it is an alpha release.
This commit changes the hash to the fixed upstream tarball.
[1]: https://github.com/audacity/audacity/issues/421
The generated yarnNix file doesn't need to be part of the mkDerivation.
And doing so prevents other platforms from reproducibly instantiating
it. With this change you can e.g. do
```nix
darwinPkgs.yarn2nix.mkYarnPackage {
  # ...
  yarnNix = pkgs.yarn2nix.mkYarnNix {
    yarnLock = ./yarn.lock;
  };
}
```
Which is a darwin derivation, but can still be instantiated reproducibly on Linux.
(cherry picked from commit 75ee18766a)
Per upstream:
> libvirtd-tcp.socket - the unit file corresponding to the TCP 16509
> port for non-TLS remote access. This socket should not be configured
> to start on boot until the administrator has configured a suitable
> authentication mechanism.
(cherry picked from commit 84ecbc9a19)
This version is 5 commits ahead of version 1.0.0 because we need at
least one patch [0] that prevents CMake from trying to use Git to fetch
the already fetched submodule...
Also some files have the wrong formatting (CRLF line endings) which
makes the patching really messy. At this point it seems therefore better
to use the master version instead (1.0.0 is pretty broken regarding
CMake).
[0]: 0ca73ee30e
(cherry picked from commit 818628c53a)
This closes#79441.
ghcWithPackages is using `ghc-pkg recache` to build its package
database. By doing so, it overrides the `package.cache[.lock]` files.
Details are unclear, but GHC 8.10 changed a bit the behavior.
Previously, it was unconditionally replacing the files by new ones. Now
it tries to open (for modification) the files. These files are symlinks
to another nix derivation, which is hence read-only.
This commit removes the files before running `ghc-pkg recache`, hence it
will just write the new files.
Tested with `haskellPackages.ghcWithPackages` (i.e. GHC 8.8) and
`haskell.packages.ghc8101.ghcWithPackages` (i.e. GHC 8.10) with the
following nix file, at the root of the nixpkgs repository:
```nix
with import ./. {
  overlays = [
    (
      self: super: {
        haskellPackages = super.haskell.packages.ghc8101.override {
          overrides = selfh: superh: {
            th-lift-instances = super.haskell.lib.doJailbreak superh.th-lift-instances;
            th-expand-syns = super.haskell.lib.doJailbreak superh.th-expand-syns;
            th-reify-many = super.haskell.lib.doJailbreak superh.th-reify-many;
            th-orphans = super.haskell.lib.doJailbreak superh.th-orphans;
            haskell-src-meta = super.haskell.lib.doJailbreak superh.haskell-src-meta;
          };
        };
      }
    )
  ];
};
haskellPackages.ghcWithPackages (p: [ p.PyF ])
```
This will test with GHC 8.10. Comment out the `overlays` to test with
GHC 8.8.
(cherry picked from commit abc4f961b4)
(cherry picked from commit 751a27020e)
Reason: Back-porting this straight-forward fix is the best way to
allow tests affected by this user-shell problem to run in 20.03.
There isn't a great override point to apply just this fix. Copy/pasting
testing-python.nix just to specify a new test-driver.py isn't great --
it would cut off receiving any other fixes in the testing infrastructure
until 20.09. A 20.03 system using testing-python.nix from the unstable
branch and then passing 20.03's pkgs in to avoid getting unstable's
pkgs is quite a bit of configuration to expect from clients and seems
fragile against future changes in the unstable branch that expect pkgs
to be mostly in-sync with the test driver. Both of these not-great
options leave a bunch of "TODO: Remove after 20.09" junk in clients'
configs & make that upgrade harder.
The rtl8821ce repository was updated to address ABI changes in
Linux but our package was too far behind, resulting in breakages
as reported in #88068.
Fixes: #88068
(cherry picked from commit 6cbbe4dbba)
qt5Full may not be installed on users' systems and the gns3-gui depends
on it explicitly.
Note: This also fixes e.g. "nix-shell -p gns3-gui --pure" (at the cost
of an increased closure size).
(cherry picked from commit 0eaec4dee2)
Reason: This is a fix for possible runtime crashes.
Switch into maintainable fork. It is the community central fork.
Remove old patch, use new minor upstream patch to compile.
I weighted-in on the patch reasoning to be merged.
Strictify hardening.
Documentation update
M pkgs/development/libraries/mp4v2/default.nix
(cherry picked from commit c281c84a1e)
Changes:
- Copied linux-5.7.nix from linux-5.6.nix
- Add linux_5_7 and linuxPackages_5_7
- Update linux_latest to 5.7
Note:
The kernel patch 'kernelPatches.export_kernel_fpu_functions."5.3"' is
still applied as I copied the list from linux_5_7 (vs. linux_testing).
This patch is probably still required for the ZFS performance.
(cherry picked from commit 19b2efbc39)
This option exposes the preconfigured nextcloud-occ
program. nextcloud-occ can then be used in other systemd services or
added in environment.systemPackages.
The nextcloud test shows how it can be added in
environment.systemPackages.
(cherry picked from commit 7d994ad445)
Without elinks / w3m / lynx in the nativeBuildInputs, there are these
errors in the build:
LC_ALL=C w3m -dump -O UTF8 docs/manual.html > docs/manual.txt || \
LC_ALL=C lynx -dump -nolist -with_backspaces \
-display_charset=us-ascii docs/manual.html > docs/manual.txt || \
LC_ALL=C elinks -dump -no-numbering -no-references \
docs/manual.html | sed -e 's,\\001, ,g' > docs/manual.txt
/nix/store/xfbmj7sl2ikicym9x3yq7cms5qx1w39k-bash-4.4-p23/bin/bash: w3m: command not found
/nix/store/xfbmj7sl2ikicym9x3yq7cms5qx1w39k-bash-4.4-p23/bin/bash: line 1: lynx: command not found
/nix/store/xfbmj7sl2ikicym9x3yq7cms5qx1w39k-bash-4.4-p23/bin/bash: line 3: elinks: command not found
(cherry picked from commit b8f65212ec)
This plugin is no longer necessary anyway, but having it enabled can
cause Firefox and KDE to malfunction, e.g. by hanging for a few
seconds frequently. This is caused by the broken LD_PRELOAD library
that doesn't handle O_TMPFILE properly, so ~/.cache/ksycoca5_* is
created with 0000 permissions. As a result Firefox will constantly
regenerate the ksycoca database.
- upstream argues that this kind of problems can't be called
vulnerabilities
- the upstream patch is trivial, so why not fix the bug
- nixpkgs master uses git versions already containing that commit
Fixes #90875 (roundup ticket).
This is done in response to complaints that the module format is not
human readable. The vendor source blob is flat files and should be
extremely readable.
(cherry picked from commit 9761128d2d)
The builder does not technically need the modSha256 of the vendor dir, and even
though we pass it the entire vendor dir it makes sense not to risk having an
accidental dependency on that variable.
However, tools like [nixpkgs-update](https://github.com/ryantm/nixpkgs-update)
need to inspect the `modSha256` of a package in order to be able to update them,
and since this is a real part of the package (describes info about its
dependencies) let's add it to `passthru`.
Specifically, this allows us to run a cmd like `nix eval -f . tflint.modSha256`
to get the current value, which is how the bot finds it to replace with the new
version in the Rust ecosystem.
(cherry picked from commit 5f77ff6384)
The compiler does not need it anymore, has not needed it for many years
iirc. This just goes in and pollutes the environment overriding the
users GOPATH and causing grief.
Go even warns about it itself, without vs with this commit:
```sh
~> go env GOPATH
/home/manny/go
~> nix-shell -p go
~> go env GOPATH
warning: GOPATH set to GOROOT (/nix/store/gvw1mfpdrk7i82884yhxf9lf5j3c12zm-go-1.14.1/share/go) has no effect
/nix/store/gvw1mfpdrk7i82884yhxf9lf5j3c12zm-go-1.14.1/share/go
~> exit
~> nix-shell -I nixpkgs=cloned/NixOS/nixpkgs -p go
~> go env GOPATH
/home/manny/go
~> exit
```
(cherry picked from commit a1e13f6140)
In /etc/sudoers, the last-matched rule will override all
previously-matched rules. Thus, make the default rule show up first (but
still allow some wiggle room for a user to `mkBefore` it), before any
user-defined rules.
(cherry picked from commit 13e2c75c93)
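The "last match wins" behaviour the commit above relies on is easy to get wrong when a generic rule is appended after a more specific one. The following model is an added illustration, not sudo's parser and not code from nixpkgs: it understands only the common `user host=(runas) [NOPASSWD:] command` form plus the `ALL` wildcard and `%group` users, and it resolves a request the way sudoers does, by taking the last matching rule. The two rules and the request it evaluates are constructed for the example; the difference between the two orderings shows up as whether `alice` is asked for a password.

```python
"""Simplified model of /etc/sudoers last-match evaluation.

Added illustration (not sudo's own implementation): only the subset of the
sudoers syntax shown below is handled, and `Defaults` lines are skipped.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    user: str       # a user name, or %group
    host: str       # host name or ALL
    runas: str      # target user or ALL
    nopasswd: bool  # True when the entry carries the NOPASSWD: tag
    command: str    # command path, or ALL


def parse_sudoers(text: str) -> List[Rule]:
    """Parse `user host=(runas) [NOPASSWD:] command` lines; comments, blanks
    and Defaults lines are ignored (model limitation, not sudo's grammar)."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        who, _, rest = line.partition(" ")
        host, _, spec = rest.strip().partition("=")
        spec = spec.strip()
        runas = "ALL"
        if spec.startswith("("):
            runas, _, spec = spec[1:].partition(")")
            spec = spec.strip()
        nopasswd = False
        if spec.startswith("NOPASSWD:"):
            nopasswd = True
            spec = spec[len("NOPASSWD:"):].strip()
        rules.append(Rule(who, host.strip(), runas.strip(), nopasswd, spec))
    return rules


def _user_matches(rule_user: str, user: str, groups: List[str]) -> bool:
    if rule_user == "ALL":
        return True
    if rule_user.startswith("%"):
        return rule_user[1:] in groups
    return rule_user == user


def decide(rules: List[Rule], user: str, groups: List[str], host: str,
           runas: str, command: str) -> Optional[Rule]:
    """Return the governing rule for the request: the LAST matching entry,
    or None when nothing matches (request denied)."""
    winner = None
    for r in rules:
        if (_user_matches(r.user, user, groups)
                and r.host in ("ALL", host)
                and r.runas in ("ALL", runas)
                and r.command in ("ALL", command)):
            winner = r  # a later match overrides every earlier one
    return winner


def password_required(sudoers_text: str, user: str, groups: List[str],
                      host: str, runas: str, command: str) -> Optional[bool]:
    """None = denied; True = allowed with password; False = allowed NOPASSWD."""
    rule = decide(parse_sudoers(sudoers_text), user, groups, host, runas, command)
    return None if rule is None else not rule.nopasswd


# Constructed example rules: the module's generic default for the wheel group
# and one user-specific NOPASSWD entry.
DEFAULT_RULE = "%wheel ALL=(ALL) ALL"
USER_RULE = "alice ALL=(root) NOPASSWD: /run/current-system/sw/bin/systemctl"
CMD = "/run/current-system/sw/bin/systemctl"

# Default rule appended LAST: it matches too and clobbers alice's NOPASSWD tag.
DEFAULT_LAST = "\n".join([USER_RULE, DEFAULT_RULE])
# Default rule FIRST (what the commit does): the specific rule stays in effect.
DEFAULT_FIRST = "\n".join([DEFAULT_RULE, USER_RULE])

if __name__ == "__main__":
    for label, text in (("default last", DEFAULT_LAST), ("default first", DEFAULT_FIRST)):
        print(label, "-> password required:",
              password_required(text, "alice", ["wheel"], "host1", "root", CMD))
```

Real sudoers syntax is considerably richer (aliases, `!` negations, per-command tags, `Defaults` options), so use `visudo -c` on the generated file rather than a model like this for any production check; the model only makes the ordering effect visible.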
Includes a security fix for CVE-2020-13428.
improved security for stored passwords (from 3.0.9)
multiple security fixes, including microdns (from 3.0.9.1)
(cherry picked from commit 745245a62a)
(cherry picked from commit cb053733b5)
Reason: 3.3.1 contains bugfix for potential dataloss when Elasticsearch
index is read-only due to disk space problems
This makes it possible to enable VA-API without having to rebuild
Chromium: `chromium.override { enableVaapi = true; }`
(cherry picked from commit 267eefcdb7)
slurmd requires su and echo to work with "--get-user-env". If slurmd
does not find /bin/su or /bin/echo, it crashes.
(cherry picked from commit 5d8f61f3bf)
reasoning:
sjlj (short jump long jump) exception handling makes no sense on x86_64, it's forcibly slowing programs down as it produces a constant overhead. On x86_64 we have SEH (Structured Exception Handling) and we should use that. On i686, we do not have SEH, and have to use sjlj with dwarf2. Hence it's now conditional on x86_32
(cherry picked from commit e27e475f0d)
(cherry picked from commit 58ffaee5d7)
The OC_PASS environment variable can be used to create a user with
`occ user:add --password-from-env`. It is currently not possible to
use the `nextcloud-occ` to "non-interactively" create a user since
this variable is ignored by sudo.
(cherry picked from commit cb682317b0)
This makes things so much easier, and we install to
the path that both gnome-backgrounds and
elementary-wallpapers install to.
(cherry picked from commit 62587f43dd)
Building with -std=c99 breaks the obsolete "%as" format string, which
completely breaks the parsing of epkowa interpreters. This means that
no scanner requiring plugins worked.
(cherry picked from commit e22eb2d7b5)
Co-authored-by: Dominik Honnef <dominik@honnef.co>
For some reason the hash from 9ec139b672 became invalid, see #89615.
The update script does now produce the correct hash.
(cherry picked from commit 19e939d98e)
Without it, building a document fails with the following error:
pdflatex failed
index.tex: File `pdflscape.sty' not found.
index.tex:47: Emergency stop.
(cherry picked from commit 75b0777831)
Upstream fixes:
- Pass linker version script to the linker instead of the compiler.
- Compile with `-fPIC` again (regression from version 2.1.2).
- Out of bounds array access in `globpath`.
- Handling of `epoll_ctl` calls (they're now replayed after replacing
socket).
- GCC 10 build errors and Clang warnings.
While most of these fixes are more relevant for other distros, the
linker script fix is actually a regression existing since a long time
(version 1.x) and caused libip2unix to expose way too many symbols.
Built and tested on i686-linux and x86_64-linux.
Signed-off-by: aszlig <aszlig@nix.build>
(cherry picked from commit 67325b12c6)
Rationale for backport: only used by `matrix-synapse` atm which requires
0.14 to work.
(cherry picked from commit c37b4466c0)
(cherry picked from commit 7c6a40c812)
/cc roundup #88306; the issue seems quite serious to me.
I also made two other patches non-conditional, as we rebuild
all platforms anyway.
(cherry picked from commit 3f08d642fe)
* Add test case for include dir
* buildRustCrate: replace hyphen with underscore in env
This fixes a bug that prevents encoding_c from building.
(cherry picked from commit c21cbf22d0)
This fixes the issues with glibc 2.30, which were caused because glibc
no longer allows dlopen/LD_PRELOAD of a PIE executable.
So this release is essentially just a hotfix release which addresses
this issue by splitting the executable and library.
Signed-off-by: aszlig <aszlig@nix.build>
Reported-by: @zimbatm
(cherry picked from commit b51d39fbe4)
Previously, the NixOS ACME module defaulted to using P-384 for
TLS certificates. I believe that this is a mistake, and that we
should use P-256 instead, despite it being theoretically
cryptographically weaker.
The security margin of a 256-bit elliptic curve cipher is substantial;
beyond a certain level, more bits in the key serve more to slow things
down than add meaningful protection. It's much more likely that ECDSA
will be broken entirely, or some fatal flaw will be found in the NIST
curves that makes them all insecure, than that the security margin
will be reduced enough to put P-256 at risk but not P-384. It's also
inconsistent to target a curve with a 192-bit security margin when our
recommended nginx TLS configuration allows 128-bit AES. [This Stack
Exchange answer][pornin] by cryptographer Thomas Pornin conveys the
general attitude among experts:
> Use P-256 to minimize trouble. If you feel that your manhood is
> threatened by using a 256-bit curve where a 384-bit curve is
> available, then use P-384: it will increase your computational and
> network costs (a factor of about 3 for CPU, a few extra dozen bytes
> on the network) but this is likely to be negligible in practice (in a
> SSL-powered Web server, the heavy cost is in "Web", not "SSL").
[pornin]: https://security.stackexchange.com/a/78624
While the NIST curves have many flaws (see [SafeCurves][safecurves]),
P-256 and P-384 are no different in this respect; SafeCurves gives
them the same rating. The only NIST curve Bernstein [thinks better of,
P-521][bernstein] (see "Other standard primes"), isn't usable for Web
PKI (it's [not supported by BoringSSL by default][boringssl] and hence
[doesn't work in Chromium/Chrome][chromium], and Let's Encrypt [don't
support it either][letsencrypt]).
[safecurves]: https://safecurves.cr.yp.to/
[bernstein]: https://blog.cr.yp.to/20140323-ecdsa.html
[boringssl]: https://boringssl.googlesource.com/boringssl/+/e9fc3e547e557492316932b62881c3386973ceb2
[chromium]: https://bugs.chromium.org/p/chromium/issues/detail?id=478225
[letsencrypt]: https://letsencrypt.org/docs/integration-guide/#supported-key-algorithms
So there's no real benefit to using P-384; what's the cost? In the
Stack Exchange answer I linked, Pornin estimates a factor of 3×
CPU usage, which wouldn't be so bad; unfortunately, this is wildly
optimistic in practice, as P-256 is much more common and therefore
much better optimized. [This GitHub comment][openssl] measures the
performance differential for raw Diffie-Hellman operations with OpenSSL
1.1.1 at a whopping 14× (even P-521 fares better!); [Caddy disables
P-384 by default][caddy] due to Go's [lack of accelerated assembly
implementations][crypto/elliptic] for it, and the difference there seems
even more extreme: [this golang-nuts post][golang-nuts] measures the key
generation performance differential at 275×. It's unlikely to be the
bottleneck for anyone, but I still feel kind of bad for anyone having
lego generate hundreds of certificates and sign challenges with them
with performance like that...
[openssl]: https://github.com/mozilla/server-side-tls/issues/190#issuecomment-421831599
[caddy]: 2cab475ba5/modules/caddytls/values.go (L113-L124)
[crypto/elliptic]: 2910c5b4a0/src/crypto/elliptic
[golang-nuts]: https://groups.google.com/forum/#!topic/golang-nuts/nlnJkBMMyzk
In conclusion, there's no real reason to use P-384 in general: if you
don't care about Web PKI compatibility and want to use a nicer curve,
then Ed25519 or P-521 are better options; if you're a NIST-fearing
paranoiac, you should use good old RSA; but if you're a normal person
running a web server, then you're best served by just using P-256. Right
now, NixOS makes an arbitrary decision between two equally-mediocre
curves that just so happens to slow down ECDH key agreement for every
TLS connection by over an order of magnitude; this commit fixes that.
Unfortunately, it seems like existing P-384 certificates won't get
migrated automatically on renewal without manual intervention, but
that's a more general problem with the existing ACME module (see #81634;
I know @yegortimoshenko is working on this). To migrate your
certificates manually, run:
$ sudo find /var/lib/acme/.lego/certificates -type f -delete
$ sudo find /var/lib/acme -name '*.pem' -delete
$ sudo systemctl restart 'acme-*.service' nginx.service
(No warranty. If it breaks, you get to keep both pieces. But it worked
for me.)
(cherry picked from commit 62e34d1c87)
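The curve choice argued above is easy to check and measure locally. The following Go program is an added example, not part of the commit or of the NixOS ACME module: it generates a throwaway self-signed ECDSA certificate on each of P-256 and P-384, reads the curve name back out of the PEM the same way one would inspect an existing certificate file (the path `/var/lib/acme/<name>/cert.pem` and the subject `example.test` are assumptions for illustration), and times ECDSA sign+verify rounds on each key to show the cost gap the message describes. The measured ratio depends on the Go version and CPU; the 14x and 275x figures quoted above come from different operations (OpenSSL ECDH, Go key generation), so do not expect the numbers to match exactly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// certCurveName parses one PEM-encoded certificate and reports the curve of its
// ECDSA public key ("P-256", "P-384", ...). Pointed at a file such as
// /var/lib/acme/<name>/cert.pem (assumed path) it tells an operator whether an
// old P-384 certificate is still in place after the migration described above.
func certCurveName(certPEM []byte) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("input contains no CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("not an ECDSA certificate (key type %T)", cert.PublicKey)
	}
	return pub.Curve.Params().Name, nil
}

// selfSignedCert builds a throwaway self-signed certificate on the given curve,
// a constructed stand-in for an ACME-issued one so the program runs offline.
func selfSignedCert(curve elliptic.Curve) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key, nil
}

// signCost times n ECDSA sign+verify round trips with key: the work lego pays
// when signing ACME challenges and a TLS server pays in every handshake. Each
// signature is verified, so a broken key would surface as an error.
func signCost(key *ecdsa.PrivateKey, n int) (time.Duration, error) {
	digest := sha256.Sum256([]byte("constructed message"))
	start := time.Now()
	for i := 0; i < n; i++ {
		sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
		if err != nil {
			return 0, err
		}
		if !ecdsa.VerifyASN1(&key.PublicKey, digest[:], sig) {
			return 0, errors.New("signature failed to verify")
		}
	}
	return time.Since(start), nil
}

// compareCurves runs the whole check for P-256 and P-384: build a certificate,
// read the curve name back out of it, and time `rounds` sign+verify rounds.
func compareCurves(rounds int) (map[string]time.Duration, error) {
	cost := map[string]time.Duration{}
	for _, curve := range []elliptic.Curve{elliptic.P256(), elliptic.P384()} {
		certPEM, key, err := selfSignedCert(curve)
		if err != nil {
			return nil, err
		}
		name, err := certCurveName(certPEM)
		if err != nil {
			return nil, err
		}
		if cost[name], err = signCost(key, rounds); err != nil {
			return nil, err
		}
	}
	return cost, nil
}

func main() {
	const rounds = 200
	cost, err := compareCurves(rounds)
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"P-256", "P-384"} {
		fmt.Printf("%s: %d sign+verify rounds in %v (%v each)\n", name, rounds, cost[name], cost[name]/rounds)
	}
	fmt.Printf("P-384 / P-256 cost ratio: %.1fx\n", float64(cost["P-384"])/float64(cost["P-256"]))
}
```

Run it with `go run .`; the ratio printed on the last line is the per-handshake penalty the commit message is talking about, on your own hardware and Go toolchain.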
(cherry picked from commit 2e192dc5db)
It's just adding new packages; they might be useful on 20.03 as well.
We didn't have gnat backported to 20.03, so I didn't touch that.
It's supposed to be `wireguard-go` instead of `wireguard`. Upstream does
this right in their Makefile, however we use our own build-script which
creates a wrong file in $out, so it has to be fixed in the
`postInstall`-hook.
Closes #88567
(cherry picked from commit 0f65693e6b)
https://gitlab.labs.nic.cz/knot/knot-resolver/-/tags/v5.1.0
The upcoming major version will contain reworked
hints/policy/prefill/rebinding/view modules and related functionalities.
Please participate in the following survey to ensure we do not forget
about your particular use-case:
https://www.knot-resolver.cz/survey/
It will help us to improve Knot Resolver. Thank you!
(cherry picked from commit 26d3ae2f24)
This is needed for the followup security bump.
Some already have it, this adds it to the rest.
With all extensions having an 'uuid' attr we can do cool things like
declaratively enable extensions on NixOS.
(cherry picked from commit eb12149979)
Boost generates its installed cmake configuration using custom logic
in its own build system; while this logic *knows* where it should be
installed, the generated config overrides the correct information with
new paths based on the location of the cmake configuration file in an
attempt to let the package be relocated after installation.
This patch simply undoes that.
(cherry picked from commit 777df0b4a5)
AWS's SDK by default tries to prepend its install root to each of the
library paths; this obviously fails with the absolute paths that Nix
gives it. Worse, it computes the installation root by walking up the
filesystem from its cmake file, so even if the AWSSDK_ROOT_DIR is
explicitly set to the root directory, it gets replaced with the path
to the derivation's dev output.
This is all fixed with a patch to the cmake files that generate the
installed configuration.
Once this is fixed, it *still* doesn't work because the export
generator built into cmake insists on adding `$out/include` to the
header search path; when importing this configuration in another
package, cmake will fail because `$out/include` doesn't exist (After
all, it was relocated by a fixup hook). A small postFixupHook will
recreate the directory and make cmake happy.
(cherry picked from commit 9d7885276a)
Allow the darwin links code to overwrite libs that were already
copied, because C dependencies can occur multiple times.
Solves errors like
ln: failed to create symbolic link '/nix/store/higpc9xavwcjjzdipz7m9ly03bh7iy2z-hercules-ci-agent-source-0.7.0/lib/links/libboost_context.dylib': File exists
(cherry picked from commit a9373cdb0a)
The option "--skip-getting-started" no longer exists in vscode and causes files in "$@" to not be opened.
Message from stdout: "Warning: 'skip-getting-started' is not in the list of known options, but still passed to Electron/Chromium."
"--skip-getting-started" being removed: 6a8b201c8a
(cherry picked from commit f1e6d96a78)
NoMachine removes each old release as soon as a new one is available,
resulting in failed downloads. Thankfully, the Internet Archive
provides backups of old downloads, so we can use it as a fallback.
(cherry picked from commit 022f2cc02f)
The Intel MKL pkg-config files did not work, because they expect that
the MKLROOT environment variable is set. This change replaces
occurrences by the actual path of MKL in the Nix store.
Since the pkg-config files seem to break quite frequently after
upgrades, add a post-install check to validate the pkg-config files.
(cherry picked from commit e88673aa27)
Regression introduced by bce5268a21.
The bit size of the initialisation vector for AES GCM has been
introduced in NSS version 3.52 in the CK_GCM_PARMS struct via the
ulIvBits field.
Unfortunately, Firefox 68.8.0 and 76.0 do not set this field and thus it
gets initialised to zero, which in turn causes IV generation to fail.
I found out about this because WebRTC stopped working after updating to
NSS 3.52 and so I started bisecting.
Since there wasn't an obvious error in Firefox hinting towards NSS but
instead just the video stream ended up as a "null" stream, I didn't
suspect the NSS update to be the culprit at first. So I verified a few
times and then also started bisecting the actual commit in NSS that
caused the issue.
This turned out to be the problematic change:
https://phabricator.services.mozilla.com/D63241
> One notable change was caused by an inconsistency between the spec and
> the released headers in PKCS#11 v2.40. CK_GCM_PARAMS had an extra
> field in the header that was not in the spec. OASIS considers the
> header file to be normative, so PKCS#11 v3.0 resolved the issue in
> favor of the header file definition.
Since the test I've used[1] was a bit flaky, I still didn't believe the
result of the bisect to be accurate, but after running the test several
times leading to the same results I dug through the above change line by line
to get more clues.
It fortunately didn't take that long to stumble upon the ulIvBits change
(which is actually documented in the NSS 3.52 release notes[4], but I
managed to blatantly ignore it for some reason) and started checking the
Firefox source tree for changes regarding that field.
Initialisation of that new field has been introduced[2] in preparation
for the 76 release, but subsequently got reverted[3] prior to the
release, because Firefox 76 is expected to be shipped with NSS 3.51,
which didn't have the ulIvBits field.
The patch I'm adding here is just a reintroduction of that change,
because we're using NSS 3.52. Not initialising that field will break
WebRTC and WebCrypto, and I think the former seems to be gaining
popularity these days ;-)
Tested the change against the mentioned VM test[1] and also by testing
manually using Jitsi Meet and Nextcloud Talk.
[1]: https://github.com/aszlig/avonc/tree/884315838b6f0ebb32b/tests/talk
[2]: https://hg.mozilla.org/mozilla-central/rev/3ed30e6b6de1
[3]: https://hg.mozilla.org/mozilla-central/rev/665137da70ee
[4]: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.52_release_notes
Signed-off-by: aszlig <aszlig@nix.build>
(cherry picked from commit 8fb49973ce & moved to packages.nix)
When there is no .version-suffix file in nixpkgs (like when fetching
nixpkgs with builtins.fetchGit), lib.version suffixes the version string
with "pre-git". The "pre" bit is special cased in
builtins.compareVersions which means "20.03pre-git" is interpreted as
"less than 20.03". This is clearly wrong for the release-20.03 branch
*after* the release has been made.
Change the suffix to "post-git" to make code like this behave the same
whether nixpkgs is fetched from git or the channel (which has
.version-suffix file):
lib.versionOlder lib.version "20.03"
lib.versionAtLeast lib.version "20.03"
(Currently the result depends on how nixpkgs was obtained!)
This change should be made part of the release process.
The new version supports older versions of Cabal again and therefore doesn't
need any overrides or a newer compiler to build. The default ghc-8.6.x in the
release-20.03 release branch can compile it just fine.
Fixes https://github.com/NixOS/nixpkgs/issues/87184.
* remove pinned dependencies where nixpkgs provides a version
in the acceptable range
* disable tests;
they are no longer in the Pypi archive, see
https://github.com/conan-io/conan/issues/4563
(cherry picked from commit f460e62d9b)
The new version of the launcher script in version 105 doesn't have the #8665
bug, but it does try to find the shell library using Debian tools, which
obviously doesn't work on Nix. Removed the now-unnecessary makeWrapper and
patched out the Debian bits.
(cherry picked from commit 4e9b94836f)
Noticed that the setup.sh for steam was trying to call the file command.
I'm not sure what the ramifications are for these missing,
but some steam features are quietly disabled when they
don't follow happy paths.
(cherry picked from commit 9cd683ccc0)
zoom-us: fix launch
Probably due to glibc update, ZoomLauncher became broken when v4l is present in
LD_PRELOAD path. It can be fixed by a) removing ZoomLauncher from startup chain,
so `zoom` is started directly or b) removing v4l from LD_PRELOAD.
The reason v4l was added before was because my video was rotated upside down without it.
Seems like nowadays this is fixed by Zoom itself, so I'm removing it.
Fixes https://github.com/NixOS/nixpkgs/issues/79954
Co-authored-by: @mmlb
(cherry picked from commit 854638ea29)
The prefix will now be correct in case of Nix env.
Note, however, that creating a venv from a Nix env still does not function. This does not seem to be possible
with the current approach either, because venv will copy or symlink our Python wrapper. In case it symlinks
(the default) it won't see a pyvenv.cfg. If it is copied I think it should function but it does not...
(cherry picked from commit 7447fff95a)
This is needed in case of `python.buildEnv` to make sure site.PREFIXES
does not only point to the unwrapped executable prefix.
--------------------------------------------------------------------------------
This PR is a story where your valiant hero sets out on a very simple adventure but ends up having to slay dragons, starts questioning his own sanity and finally manages to gain enough knowledge to slay the evil dragon and finally win the proverbial prize.
It all started out on sunny spring day with trying to tackle the Nixops plugin infrastructure and make that nice enough to work with.
Our story begins in the shanty town of [NixOps-AWS](https://github.com/nixos/nixops-aws) where [mypy](http://mypy-lang.org/) type checking has not yet been seen.
As our deuteragonist (@grahamc) has made great strides in the capital city of [NixOps](https://github.com/nixos/nixops) our hero wanted to bring this out into the land and let the people rejoice in reliability and a wonderful development experience.
The plugin work itself was straightforward and our hero quickly slayed the first small dragon, at this point things felt good and our hero thought he was going to reach the town of NixOps-AWS very quickly.
But alas! Mypy did not want to go, it said:
`Cannot find implementation or library stub for module named 'nixops'`
Our hero felt a small sliver of life escape from his body. Things were not going to be so easy.
After some frustration our hero discovered there was a [rule of the land of Python](https://www.python.org/dev/peps/pep-0561/) that governed the import of types into the kingdom, more specifically a very special document (file) called `py.typed`.
Things were looking good.
But no, what the law said did not seem to match reality. How could things be so?
After some frustrating debugging our valiant hero thought to himself "Hmm, I wonder if this is simply a Nix idiosyncrasy", and it turns out indeed it was.
Things that were working in the blessed way of the land of Python (inside a `virtualenv`) were not working the way they were from his home town of Nix (`nix-shell` + `python.withPackages`).
After even more frustrating attempts at reading the mypy documentation and trying to understand how things were supposed to work our hero started questioning his sanity.
This is where things started to get truly interesting.
Our hero started to use a number of powerful weapons, both forged in the land of Python (pdb) & by the mages of UNIX (printf-style-debugging & strace).
After first trying to slay the dragon simply by `strace` and a keen eye our hero did not spot any weak points.
Time to break out a more powerful sword (`pdb`) which also did not divulge any secrets about what was wrong.
Our hero went back to the `strace` output and after a fair bit of thought and analysis a pattern started to emerge. Mypy was looking in the wrong place (i.e. not in the environment created by `python.withPackages` but in the interpreter store path) and our princess was in another castle!
Our hero went to the pub full of old grumpy men giving out the inner workings of the open source universe (Github) and acquired a copy of Mypy.
He littered the code with print statements & break points.
After a fierce battle full of blood, sweat & tears he ended up in 20f7f2dd71/mypy/sitepkgs.py and realised that everything came down to the Python `site` module and more specifically https://docs.python.org/3.7/library/site.html#site.getsitepackages which in turn relies on https://docs.python.org/3.7/library/site.html#site.PREFIXES .
Our hero created a copy of the environment created by `python.withPackages` and manually modified it to confirm his findings, and it turned out it was indeed the case.
Our hero had damaged the dragon and it was time for a celebration.
He went out and acquired some mead which he ingested while he typed up his story and waited for the dragon to finally die (the commit caused a mass-rebuild, I had to wait for my repro).
In the end all was good in [NixOps-AWS](https://github.com/nixos/nixops-aws)-town and type checks could run. (PR for that incoming tomorrow).
(cherry picked from commit d88a7735d2)
It seems the atom feed now needs authentication. Use the /refs endpoint,
which is used for the switch branch/tag dropdown. It doesn't show all
records, but it has some pagination and works well enough for now.
(cherry picked from commit fc64bca95b)
The University of Chicago keeps the binaries of old releases.
This reduces the chance of #81868 and #85724 happening again in the
future.
(cherry picked from commit e4aab9cded)
- Add packages installed in a sub-directory of site-lisp, such as
mu4e, to EMACSLOADPATH.
- Add ELPA packages to EMACSLOADPATH.
- Add each package only once to EMACSLOADPATH. Before, each package
would typically be added twice for each transitive dependency
leading to a huge variable for a package having many dependencies.
Fixed #78680
(cherry picked from commit 2d2de743d0)
Fixes: CVE-2020-6061, CVE-2020-6062
An exploitable heap overflow vulnerability exists in the way CoTURN
4.5.1.1 web server parses POST requests. A specially crafted HTTP
POST request can lead to information leaks and other misbehavior.
An attacker needs to send an HTTPS request to trigger this vulnerability.
An exploitable denial-of-service vulnerability exists in the way
CoTURN 4.5.1.1 web server parses POST requests. A specially crafted
HTTP POST request can lead to server crash and denial of service.
An attacker needs to send an HTTP request to trigger this vulnerability.
(cherry picked from commit 704a018aae)
Fixes: CVE-2019-14834
A vulnerability was found in dnsmasq before version 2.81, where the
memory leak allows remote attackers to cause a denial of service
(memory consumption) via vectors involving DHCP response creation.
Changelog:
version 2.81
Improve cache behaviour for TCP connections. For ease of
implementation, dnsmasq has always forked a new process to handle
each incoming TCP connection. A side-effect of this is that
any DNS queries answered from TCP connections are not cached:
when TCP connections were rare, this was not a problem.
With the coming of DNSSEC, it is now the case that some
DNSSEC queries have answers which spill to TCP, and if,
for instance, this applies to the keys for the root, then
those never get cached, and performance is very bad.
This fix passes cache entries back from the TCP child process to
the main server process, and fixes the problem.
Remove the NO_FORK compile-time option, and support for uclinux.
In an era where everything has an MMU, this looks like
an anachronism, and it adds to (Ok, multiplies!) the
combinatorial explosion of compile-time options. Thanks to
Kevin Darbyshire-Bryant for the patch.
Fix line-counting when reading /etc/hosts and friends; for
correct error messages. Thanks to Christian Rosentreter
for reporting this.
Fix bug in DNS non-terminal code, added in 2.80, which could
sometimes cause a NODATA rather than an NXDOMAIN reply.
Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski
for spotting and diagnosing the bug and providing patches.
Support TCP-fastopen (RFC-7413) on both incoming and
outgoing TCP connections, if supported and enabled in the OS.
Improve kernel-capability manipulation code under Linux. Dnsmasq
now fails early if a required capability is not available, and
tries not to request capabilities not required by its
configuration.
Add --shared-network config. This enables allocation of addresses
by the DHCP server in subnets where the server (or relay) does not
have an interface on the network in that subnet. Many thanks to
kamp.de for sponsoring this feature.
Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
validation check got borked in commit 2b38e382 and release 2.80.
Thanks to Tomasz Szajner for spotting this.
Fix compilation against nettle version 3.5 and later.
Fix spurious DNSSEC validation failures when the auth section
of a reply contains unsigned RRs from a signed zone,
with the exception that NSEC and NSEC3 RRs must always be signed.
Thanks to Tore Anderson for spotting and diagnosing the bug.
Add --dhcp-ignore-clid. This disables reading of DHCP client
identifier option (option 61), so clients are only identified by
MAC addresses.
Fix a bug which stopped --dhcp-name-match from working when a hostname
is supplied in --dhcp-host. Thanks to James Feeney for spotting this.
Fix bug which very rarely caused zero-length DHCPv6 packets.
Thanks to Dereck Higgins for spotting this.
Add --tftp-single-port option.
Enhance --conf-dir to load files in a deterministic order. Thanks to
Evgenii Seliavka for the suggestion and initial patch.
In the router advert code, handle case where we have two
different interfaces on the same IPv6 net, and we are doing
RA/DHCP service on only one of them. Thanks to NIIBE Yutaka
for spotting this case and making the initial patch.
Support prefixed ranges of ipv6 addresses in dhcp-host.
This eases problems chain-netbooting, where each link in the
chain requests an address using a different UID. With a single
address, only one gets the "static" address, but with this
fix, enough addresses can be reserved for all the stages of the
boot. Many thanks to Harald Jensås for his work on this idea and
earlier patches.
Add filtering by tag of --dhcp-host directives. Based on a patch
by Harald Jensås.
Allow empty server spec in --rev-server, to match --server.
Remove DSA signature verification from DNSSEC, as specified in
RFC 8624. Thanks to Loganaden Velvindron for the original patch.
Add --script-on-renewal option.
(cherry picked from commit 051af8e386dc7d2fd1feeea7ba4ed2e162b52320)
Fixes: CVE-2020-12243
In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters
with nested boolean expressions can result in denial of service
(daemon crash).
(cherry picked from commit 8934e710d4692f954b5b3616c71e10e374df0137)
These .desktop files set InitialPreference>1 which will override other
associations even if the .desktop appears first in XDG_DATA_DIRS. This
applies to:
- org.kde.kate.desktop
- org.kde.kwrite.desktop
- kfmclient_html.desktop
- okularApplication_txt.desktop
Fixes #86137
(cherry picked from commit b3f812688c)
`bundix -l` doesn't work, as it treats bundler's warning about upgrading
the lockfile version as an error, so invoke `bundle lock` manually.
(cherry picked from commit c7d47ce06f)
While it's already possible to invoke `update-data` with the `--rev`
argument, one still needs to run all later phases manually.
Fix this, by having `update-all` also accept a `--rev` argument, and
pass it down to `update-data`.
Also, make the help text a bit more usable, by suggesting the usual
versioning scheme used these times.
(cherry picked from commit 191c2c67a4)
'toString false' results in an empty string, which, in this context,
is a syntax error. Use boolToString instead.
Fixes #86160
(cherry picked from commit c0a838df38)
ftp.gnu.org intends to disable the FTP protocol for downloads on this
server, and strongly recommends using https instead.
(cherry picked from commit 295475a378)
Since 20.03 still uses old oauth2_proxy (3.2.0), which is not compatible
with the newest one (5.1.0), this change backports an important security
fix to 3.2.0:
a316f8a06f
The vulnerability is an open redirect, where a bad actor can redirect a
session to another domain using `/\` in redirect URIs.
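What a safe check for this class of bug looks like, as an added Go example that is neither oauth2_proxy's code nor the backported patch: the validator accepts only path-only, same-origin redirect targets and refuses the `/\` shape named above together with the related protocol-relative forms (`//host`, tabs or newlines that browsers strip ahead of a second slash, absolute URLs). The function names and sample values are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isSafeRedirect reports whether a user-supplied post-login redirect target
// may be used as-is. Only path-only values on the current origin are accepted;
// anything a browser could interpret as a different origin is refused.
// Illustrative validator, not oauth2_proxy's own implementation.
func isSafeRedirect(redirect string) bool {
	// Absolute URLs ("https://evil.example"), bare hostnames and "javascript:"
	// targets all fail the leading-slash requirement.
	if redirect == "" || redirect[0] != '/' {
		return false
	}
	// Browsers treat a backslash like a slash in http(s) URLs and drop tabs and
	// newlines anywhere in the input, so "/\evil.example" and "/\t/evil.example"
	// end up as the protocol-relative "//evil.example". Trimming all whitespace
	// here is deliberately conservative.
	rest := strings.TrimLeft(redirect[1:], " \t\r\n\v\f")
	if rest != "" && (rest[0] == '/' || rest[0] == '\\') {
		return false
	}
	// Final check through the URL parser: a path-only value never carries a
	// scheme or a host.
	u, err := url.Parse(redirect)
	if err != nil || u.Scheme != "" || u.Host != "" {
		return false
	}
	return true
}

// redirectTarget picks the destination for a login response: the requested
// value when it passes validation, otherwise the configured fallback.
func redirectTarget(requested, fallback string) string {
	if isSafeRedirect(requested) {
		return requested
	}
	return fallback
}

func main() {
	// Constructed sample values, including the "/\" shape the fix addresses.
	samples := []string{
		"/dashboard", "/ok?next=//evil.example", "/\\evil.example",
		"//evil.example", "/\t/evil.example", "https://evil.example/", "evil.example",
	}
	for _, rd := range samples {
		fmt.Printf("%-28q -> safe=%-5v target=%q\n", rd, isSafeRedirect(rd), redirectTarget(rd, "/"))
	}
}
```

The query string is left alone on purpose: `/ok?next=//evil.example` stays on the current origin, and the `next` value will be validated again by whatever consumes it.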
It seems like luaexpat has been mistakenly marked as broken during a
20.03 zero-hydra-failures tree-wide commit. Removing the broken meta
attribute.
Discovered this problem when trying to rebuild the prosody XMPP server.
Only very few people followed the strict policy in the last 5 years. The
maintainers accept backports without reason when it's obvious, so I
updated the policy to reflect that.
(cherry picked from commit bcc269e6c8)
Zulip 5.0 fixes multiple security issues. See:
https://blog.zulip.org/2020/04/01/zulip-desktop-5-0-0-security-release/
(cherry picked from commit 1586f2851e)
Reason: Zulip < 5.0.0 no longer works with the Zulip server---if you run
it with an up to date Zulip server you get an error message requesting
you upgrade to 5.0 and the app will otherwise not be functional.
The cargo hash differed from the cherry-picked one due to changes to
fetchCargoTarball on the master branch #79975
On the master this happened here:
eb11feaa0b1f03a3434f
This should not affect the actual build result.
* alacritty now has its own org, so I changed the URLs to point there
* updated the description to match upstream's description
* formatted with nixpkgs-format
(cherry picked from commit 45f53ccd8b)
Reason:
Fixes some bugs on X11, namely:
- Crash when starting on some X11 systems
- Alacritty not ignoring keyboard events for changing WM focus on X11
- Incorrect modifiers tracking on X11 and macOS, leading to 'sticky' modifiers
As reported in 974f11cb29 (commitcomment-38735081),
the tarball will fail to evaluate when updateScript is given a non-existing attrPath because getAttrFromPath
uses abort, which terminates the evaluation.
(cherry picked from commit f544c293ec)
AP mode PMF disconnection protection bypass
Published: September 11, 2019
Identifiers:
- CVE-2019-16275
Latest version available from: https://w1.fi/security/2019-7/
Vulnerability
hostapd (and wpa_supplicant when controlling AP mode) did not perform
sufficient source address validation for some received Management frames
and this could result in ending up sending a frame that caused
associated stations to incorrectly believe they were disconnected from
the network even if management frame protection (also known as PMF) was
negotiated for the association. This could be considered to be a denial
of service vulnerability since PMF is supposed to protect from this type
of issue. It should be noted that if PMF is not enabled, there would be
no protocol level protection against this type of denial of service
attack.
An attacker in radio range of the access point could inject a specially
constructed unauthenticated IEEE 802.11 frame to the access point to
cause associated stations to be disconnected and require a reconnection
to the network.
Vulnerable versions/configurations
All hostapd and wpa_supplicant versions with PMF support
(CONFIG_IEEE80211W=y) and a runtime configuration enabled AP mode with
PMF being enabled (optional or required). In addition, this would be
applicable only when using user space based MLME/SME in AP mode, i.e.,
when hostapd (or wpa_supplicant when controlling AP mode) would process
authentication and association management frames. This condition would
be applicable mainly with drivers that use mac80211.
Possible mitigation steps
- Merge the following commit to wpa_supplicant/hostapd and rebuild:
AP: Silently ignore management frame from unexpected source address
This patch is available from https://w1.fi/security/2019-7/
- Update to wpa_supplicant/hostapd v2.10 or newer, once available
(cherry picked from commit 3e9f3a3ebd)
I was using a 5.5 kernel on NixOS 20.03 and got an "attribute not found"
error yesterday when trying to update my system.
In order to understand why, I had to look up what happened in the `git
log` which is IMHO not a good experience for e.g. a beginner.
The package was marked as broken for 3 years, there were no
upstream updates for 8 years, and the program requires third
party services that don't provide APIs to work. I think it's
safe to say that this program is not going to work.
(cherry picked from commit 409f57508d)
SRI hashes (base64 encoded) can contain + sign which is a special character
in extended regular expressions so it needs to be escaped.
(cherry picked from commit 09a4a051e8)
Previously, when downloading src failed for other reason than hash mismatch,
the error ended up in newHash. This made evaluation fail since the error message
is not valid hash. Now the failure will make newHash empty.
It is also much cleaner than previously since \K is very cool thing
and we no longer grep for legacy messages.
(cherry picked from commit 2e9eb449eb)
On stable releases, we will want to change the freeze parameter in pkgs/desktops/gnome-3/update.nix
to true to limit the gnome update script to only bump patch versions.
(cherry picked from commit 974f11cb29)
The upgrade of ghostscript to 9.50 produced some issues with texlive
2019. This patch adds an additional fix necessary for the upgrade
preventing pstricks from working correctly:
https://tug.org/pipermail/dvipdfmx/2019-November/000036.html
(cherry picked from commit bb79233b94)
cc #85736
Conflicts:
pkgs/tools/typesetting/tex/texlive/bin.nix
Fixes #85800
1d61efb7f1 accidentally changed the
restartTriggers of `datadog-agent.service` to point to the attribute
name (in this case, a location relative to `/etc`), instead of the
location of the config files in the nix store.
This caused datadog to not get restarted on activation of new
config, if the file name hasn't changed.
Fix this, by pointing this back to the location in the nix store.
(cherry picked from commit f332109ebf)
1d61efb7f1 accidentally changed the
restartTriggers of `systemd-networkd.service` to point to the attribute
name (in this case, a location relative to `/etc`), instead of the
location of the network-related unit files in the nix store.
This caused systemd-networkd to not get restarted on activation of new
networking config, if the file name hasn't changed.
Fix this, by pointing this back to the location in the nix store.
(cherry picked from commit 14395cc687)
7-Zip's RAR implementation is built on the non-free UnRAR source code;
DOC/License.txt says:
Licenses for files are:
1) CPP/7zip/Compress/Rar* files: GNU LGPL + unRAR restriction
2) All other files: GNU LGPL
The GNU LGPL + unRAR restriction means that you must follow both
GNU LGPL rules and unRAR restriction rules.
...
unRAR restriction
-----------------
The decompression engine for RAR archives was developed using source
code of unRAR program.
All copyrights to original unRAR code are owned by Alexander Roshal.
The license for original unRAR code has the following restriction:
The unRAR sources cannot be used to re-create the RAR compression algorithm,
which is proprietary. Distribution of modified unRAR sources in separate form
or as a part of other software is permitted, provided that it is clearly
stated in the documentation and source comments that the code may
not be used to develop a RAR (WinRAR) compatible archiver.
The unrar licensing is [infamously restrictive and non-free][fedora];
it's inappropriate for us to keep the RAR support while labelling the
package as free software (and indeed there's a commented-out line
pointing out that the current `meta.license` is false). Unfortunately,
the 7-Zip upstream seems uninterested in replacing the code with a
freely-licensed alternative (see [7-Zip ticket #1229][7zip]).
[fedora]: https://fedoraproject.org/wiki/Licensing:Unrar
[7zip]: https://sourceforge.net/p/sevenzip/feature-requests/1229/
An alternative solution would be to mark the p7zip package as non-free
instead; I decided not to because its other functionality (especially
`.7z` support) is freely-licensed and useful, and there are free
software alternatives for extracting RAR files (e.g. in nixpkgs there's
`archiver`, which is written in a memory-safe language, and `unar`,
which at least doesn't have two patches for CVEs that haven't been
addressed upstream...).
I checked that `7z(1)` fails gracefully on `.rar` files now:
```
emily@renko ~/tmp> curl -L -O https://www.philippwinterberg.com/download/example.rar
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5715k 100 5715k 0 0 6716k 0 --:--:-- --:--:-- --:--:-- 6716k
emily@renko ~/tmp> 7z x example.rar
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_CA.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs x64)
Scanning the drive for archives:
1 file, 5853119 bytes (5716 KiB)
Extracting archive: example.rar
ERROR: example.rar
Can not open the file as archive
Can't open as archive: 1
Files: 0
Size: 0
Compressed: 0
```
(cherry picked from commit 95f82e2a45)
The syntax is ${parameter:-word} (i.e. previously this used
"latestTag" instead of the actual value).
(Fixes a regression from #85278.)
Also: Even though getting the latest tag isn't really security critical
(as long as Git itself is secure against untrusted input), I'd prefer to
switch from the Git to the HTTPS protocol (for authentication of the
server and encryption + uses a standard port).
(cherry picked from commit 666042141e)
Dear all,
Babeld-1.9.2 is available from
https://www.irif.fr/~jch/software/files/babeld-1.9.2.tar.gz
https://www.irif.fr/~jch/software/files/babeld-1.9.2.tar.gz.asc
For more information about the Babel routing protocol, please see
https://www.irif.fr/~jch/software/babel/
This is a bug fix release. It fixes two bugs where IPv4 prefixes could be
represented incorrectly, with a range of confusing symptoms; many thanks
to Fabian Bläse for diagnosing the issue. In addition, it fixes incorrect
parsing of unknown address encodings, thanks to Théo Bastian for the fix.
21 April 2020: babeld-1.9.2
* Fixed two issues that could cause IPv4 routes to be represented
incorrectly, with a range of confusing symptoms. Thanks to
Fabian Bläse.
* Fixed incorrect parsing of TLVs with an unknown Address Encoding.
Thanks to Théophile Bastian.
* Fixed access to mis-aligned data structure. Thanks to Antonin Décimo.
-- Juliusz Chroboczek
_______________________________________________
Babel-users mailing list
Babel-users@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users
(cherry picked from commit 34c230ad12)
Kyndig on IRC noticed that building `ninja` from source would fail due
to a patch 404'ing (because the repo appears to no longer exist). Fetch
from upstream instead.
Fixes: CVE-2020-1967
Segmentation fault in SSL_check_chain (CVE-2020-1967)
=====================================================
Severity: High
Server or client applications that call the SSL_check_chain() function during or
after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a
result of incorrect handling of the "signature_algorithms_cert" TLS extension.
The crash occurs if an invalid or unrecognised signature algorithm is received
from the peer. This could be exploited by a malicious peer in a Denial of
Service attack.
OpenSSL versions 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This
issue did not affect OpenSSL versions prior to 1.1.1d.
Affected OpenSSL 1.1.1 users should upgrade to 1.1.1g.
This issue was found by Bernd Edlinger and reported to OpenSSL on 7th April
2020. It was found using the new static analysis pass being implemented in GCC,
-fanalyzer. Additional analysis was performed by Matt Caswell and Benjamin
Kaduk.
(cherry picked from commit bb4f46855f)
When killing processes, android-studio uses `ps` to figure out which
subprocesses to kill. Without `ps` in the closure, this fails and the
process is never killed.
(cherry picked from commit c296bf7169)
Reason: Fixes a bug, see #85719.
The resolver is mainly useful for the ACME server, and acme.nix uses its
own DNS server to test DNS-01 challenges.
(cherry picked from commit 21f183a3fe)
Shimming out the Let's Encrypt domain name to reuse client configuration
doesn't work properly (Pebble uses different endpoint URL formats), is
recommended against by upstream,[1] and is unnecessary now that the ACME
module supports specifying an ACME server. This commit changes the tests
to use the domain name acme.test instead, and renames the letsencrypt
node to acme to reflect that it has nothing to do with the ACME server
that Let's Encrypt runs. The imports are renamed for clarity:
* nixos/tests/common/{letsencrypt => acme}/{common.nix => client}
* nixos/tests/common/{letsencrypt => acme}/{default.nix => server}
The test's other domain names are also adjusted to use *.test for
consistency (and to avoid misuse of non-reserved domain names such
as standalone.com).
[1] https://github.com/letsencrypt/pebble/issues/283#issuecomment-545123242
Co-authored-by: Yegor Timoshenko <yegortimoshenko@riseup.net>
(cherry picked from commit d0f04c1623)
This was added in aade4e577b, but the
implementation of the ACME module has been entirely rewritten since
then, and the test seems to run fine on AArch64.
(cherry picked from commit 352e30df8a)
The patch phase runs after the build phase. This means that when
using an override to override both 'conf' and 'patches' to provide
a custom config file and apply some patches, it doesn't work:
- first the patches are applied (optionally changing config.def.h)
- then preBuild is run, which overrides config.def.h with the user
supplied one (effectively cancelling previously applied patches)
By copying the config file in the prePatch phase instead, changes
are kept and applied in order.
(cherry picked from commit b584941ab9)
(cherry picked from commit ac374d41c8)
Backported 32.0.0.363 to release 20.03 for important bug fixes.
Also needed because old upstream release is no longer available.
These values were incorrect. We need to use NIX_LDFLAGS, not
NIX_LD_FLAGS. Also need to prefix all flags with -Wl, for GCC to
accept it.
(cherry picked from commit 184cd9f6ff)
This reverts commit 5532065d06.
As far as I can tell setting RemainAfterExit=true here completely breaks
certificate renewal, which is really bad!
the systemd timer will activate the service unit every OnCalendar=,
however with RemainAfterExit=true the service is already active! So the
timer doesn't rerun the service!
The commit also broke the actual tests, (As it broke activation too)
but this was fixed later in https://github.com/NixOS/nixpkgs/pull/76052
I wrongly assumed that PR fixed renewal too, which it didn't!
testing renewals is hard, as we need to sleep in tests.
tig recently updated its bash-completion, making it depend on __git-complete from git.
Because __git-complete is not automatically sourced, tig bash completion fails.
Also this PR makes tig completion load on-demand.
(cherry picked from commit f57da8ef0a)
The configuration phase was failing due to:
```
configuring
ERROR at //BUILD.gn:1376:5: Unknown function.
filter_exclude([ "$root_build_dir/foo" ],
^-------------
```
(cherry picked from commit ad3220f9ff)
With #83290 merged the build would fail during the configuration phase:
```
configuring
ERROR at //gn/BUILDCONFIG.gn:85:14: Script returned non-zero exit code.
is_clang = exec_script("gn/is_clang.py",
^----------
Current dir: /build/source/out/Release/
Command: python /build/source/gn/gn/is_clang.py cc c++
Returned 2.
stderr:
python: can't open file '/build/source/gn/gn/is_clang.py': [Errno 2] No such file or directory
```
(cherry picked from commit ad66bbd98b)
This updates gn to the required version for chromiumDev (the recommended
version for the stable release of Chromium isn't sufficient [0]).
[0]: The Chromium build fails during the configuration phase:
ERROR at //mojo/public/tools/bindings/mojom.gni:393:16: Undefined identifier
"cpp_typemaps",
^-------------
(cherry picked from commit a1b4bfe34f)
We only need to wait for network.target to get up, and the
network-addresses-${interfaceName} units are scripted networking only.
(cherry picked from commit a501abd5499d8f82f0991a7b78bcbc4169b0537f)
ZHF: #80379
Fix a failing test.
There are strict rate limits on account creation for Let's Encrypt
certificates. It is important to reuse credentials when possible.
(cherry picked from commit 827d5e6b44)
According to my analysis the last critical fix went into v5.4.23, I have
confirmed this by running WebGL over night and haven't seen a single
i915 GPU hang. Let's remove the notes from the release notes.
The new wording does not assume the user is upgrading.
This is because a user could be setting up a new installation on 20.03
on a server that has a 19.09 or before stateVersion!!
The new wording ensures that confusion is reduced by stating that they
do not have to care about the assumed 16→17 transition.
Then, the wording explains that they should, and how to upgrade to
version 18.
It also reviews the confusing wording about "multiple" upgrades.
* * *
The only thing we cannot really do is stop a fresh install of 17 if
there was no previous install, as it cannot be detected. That makes a
useless upgrade forced for new users with old state versions.
It is also important to state that they must set their package to
Nextcloud 18, as future upgrades to Nextcloud will not allow an upgrade
from 17!
I assume future warning messages will exist specifically stating what to
do to go from 18 to 19, then 19 to 20, etc...
(cherry picked from commit a1efbdb600)
Assert that the user doesn't have a bridge configured while
networking.useDHCP is true. Due to new behaviour of dhcpcd [0], this
would result in the bridge not getting an address via DHCP, regardless
of whether it has networking.interfaces.<name?>.useDHCP set or not.
[0] https://roy.marples.name/archives/dhcpcd-discuss/0002621.html
we use stdenv.hostPlatform.uname.processor, which I believe is just like
`uname -p`.
Example values:
```
(import <nixpkgs> { system = "x86_64-linux"; }).stdenv.hostPlatform.uname.processor
"x86_64"
(import <nixpkgs> { system = "aarch64-linux"; }).stdenv.hostPlatform.uname.processor
aarch64
(import <nixpkgs> { system = "armv7l-linux"; }).stdenv.hostPlatform.uname.processor
"armv7l"
```
(cherry picked from commit df8c30fa25)
The volumeID will now be in the format of:
nixos-$EDITION-$RELEASE-$ARCH
an example for the minimal image would look like:
nixos-minimal-20.09-x86-64-linux
(cherry picked from commit 70a8e9ace9)
Otherwise you get errors like this when running `thermald.service` from
the `services.thermald` module:
```
[WARN]22 CPUID levels; family:model:stepping 0x6:8e:a (6:142:10)
[WARN]Polling mode is enabled: 4
[WARN]sensor id 10 : No temp sysfs for reading raw temp
I/O warning : failed to load external entity "/nix/store/7d7cfc1949g7n7ywx47a0dsfz3b3rix5-thermald-1.9.1/etc/thermald/thermal-conf.xml"
[WARN]error: could not parse file /nix/store/7d7cfc1949g7n7ywx47a0dsfz3b3rix5-thermald-1.9.1/etc/thermald/thermal-conf.xml
[WARN]sysfs open failed
I/O warning : failed to load external entity "/nix/store/7d7cfc1949g7n7ywx47a0dsfz3b3rix5-thermald-1.9.1/etc/thermald/thermal-conf.xml"
[WARN]error: could not parse file /nix/store/7d7cfc1949g7n7ywx47a0dsfz3b3rix5-thermald-1.9.1/etc/thermald/thermal-conf.xml
I/O warning : failed to load external entity "/nix/store/7d7cfc1949g7n7ywx47a0dsfz3b3rix5-thermald-1.9.1/etc/thermald/thermal-conf.xml"
[WARN]error: could not parse file /nix/store/7d7cfc1949g7n7ywx47a0dsfz3b3rix5-thermald-1.9.1/etc/thermald/thermal-conf.xml
```
(cherry picked from commit 9fc8856b25)
This avoids glibc version mismatches in the vscode terminal, as
LD_LIBRARY_PATH leaks into the terminal and breaks user installed
executables.
(cherry picked from commit 40d7ce7828)
kwallet sets a limit of 1000 characters for a single environment
variable read from the socket[1]. wrapQtApps gives us a huge value
for QT_PLUGIN_PATH (up to 13000 bytes on my system!) Since this was
overflowing, the Qt plugin loading mechanism was hitting a segfault
when it was trying to parse the truncated QT_PLUGIN_PATH.
So for now, we can just unset QT_PLUGIN_PATH in the pam_kwallet_init
script. kwalletd5 has its own QT_PLUGIN_PATH which it can use.
This problem occurred on 20.03, but not 19.09. It’s unclear what
changes were made in that time, but likely that previously we weren’t
getting a QT_PLUGIN_PATH set in the plasma5 startup at all. This means
that in 19.09 our QT_PLUGIN_PATH value must have been small enough to
fit into the 1000 char limit.
Fixes #77290
[1]: bc9713e272/src/runtime/kwalletd/main.cpp (L44)
/cc @ttuegel
(cherry picked from commit f0db4de598)
Also removed `pkgs.hydra-flakes` since flake-support has been merged
into master[1]. Because of that, `pkgs.hydra-unstable` is now compiled
against `pkgs.nixFlakes` and currently requires a patch since Hydra's
master doesn't compile[2] atm.
[1] https://github.com/NixOS/hydra/pull/730
[2] https://github.com/NixOS/hydra/pull/732
(cherry picked from commit 0f5c38feed)
This allows to have multiple certificates with the same common name.
Lego uses in its internal directory the common name to name the certificate.
fixes #84409
(cherry picked from commit d7ff6ab94a)
Fixes the following error when attempting to build packages using this
compiler:
<no location info>: error:
Warning: Couldn't figure out LLVM version!
Make sure you have installed LLVM 3.9
<no location info>: error: ghc: could not execute: opt
(cherry picked from commit 31f557c88f)
Building Chromium 82 requires LLVM 10 for the new argument
"-fintegrated-cc1". LLVM 9 fails with:
clang++: error: unknown argument: '-fintegrated-cc1'
(cherry picked from commit 1d961a4c6d)
This can e.g. save around 150k lines of unnecessary log messages which
take up around 66% of the total lines (based on a log of 80.0.3987.100):
```
29527 warning: unknown warning option '-Wno-bitwise-conditional-parentheses'; did you mean '-Wno-bitwise-op-parentheses'? [-Wunknown-warning-option]
29527 warning: unknown warning option '-Wno-builtin-assume-aligned-alignment' [-Wunknown-warning-option]
29527 warning: unknown warning option '-Wno-deprecated-copy'; did you mean '-Wno-deprecated'? [-Wunknown-warning-option]
29527 warning: unknown warning option '-Wno-final-dtor-non-final-class'; did you mean '-Wno-abstract-final-class'? [-Wunknown-warning-option]
29527 warning: unknown warning option '-Wno-implicit-int-float-conversion'; did you mean '-Wno-implicit-float-conversion'? [-Wunknown-warning-option]
```
(cherry picked from commit 9f3914824d)
Many of the tmux plugins had not been updated in some time. This PR:
- Updates all of them to the latest version. This is notable because `tmux 3.0`
has come out recently, and some of them have compatibility fixes for the new
version (e.g., `vim-tmux-navigator`), as well as general performance
improvements and bugfixes for many of them.
- Uses `fetchFromGitHub`, which is both more performant and hashed mirror friendly.
- Adds the standard `version = "unstable-YYYY-MM-DD"`, which makes it easy to
determine at a glance how old/unmaintained some of these are.
- Adds the standard `pname` for overlay friendliness
(cherry picked from commit d5ccc59056)
Adding this as a new attribute as software is likely going to break when
we switch the default from the 1.7 branch to 1.8.
(cherry picked from commit 1859b5a5ae)
It seems like all QT apps which use dynamic plugins should be wrapped
with `wrapQtAppsHook`. However, rockbox-utility is still not wrapped,
therefore fails to launch.
This change adds `qt5.wrapQtAppsHook` to nativeBuildInputs of
rockbox-utility.
(cherry picked from commit 861df8abd5)
Their removing cerbere and registering with the SessionManager
should make shutdown very fast. This was even done in plank [0]
which was the last factor outside cerbere causing this.
[0]: a8d2f255b2
Allow build pass by disabling test. Isolated issue to
test_sockets.py::TestAIOSockets::test_sock_close_add_reader_race.
This test is supposed to be skipped, but it isn't for some reason,
so we disable it instead.
See uvloop#284 (https://github.com/MagicStack/uvloop/pull/284)
for full details. Don't know why this test isn't properly skipped.
(cherry picked from commit 364909d535)
This is a backport to support building stable firefox version on the
stable release channel. Firefox has some very strict requirements on
its dependencies. Since we do not want to use bundled versions of
dependencies this backport is required for Firefox >=74.
This is a backward-incompatible change from upstream dhcpcd [0], as
this could have easily locked me out of my box.
As dhcpcd doesn't allow using only a blacklist (denyinterfaces in
dhcpcd.conf) of devices and use all remaining devices, while explicitly
allowing some interfaces like bridges, I think the best option would be
to not change anything about it and just educate the users here about
that edge case and how to solve it.
[0] https://roy.marples.name/archives/dhcpcd-discuss/0002621.html
Because ProtectKernelModules implies NoNewPrivileges, postfix's sendmail
executable, which is setgid, wasn't able to send mail.
(cherry picked from commit fdc36e2c89)
When used as a global override, it breaks most of the options in the
mysql module, such as ensureDatabases, ensureUsers, initialDatabases,
initialScript.
We could use `.client` there, but if the reasoning behind this was
closure size reduction, we now end up with the same (or a bigger)
runtime closure and more complexity.
Apart from the options exposed by the mysql module, the client is also
likely to be required for local backups or DBA tasks anyways.
Instead of dealing with all the increased complexity of this for no
arguable benefit, let's just remove the `withoutClient` argument.
Storage space on mysql servers shouldn't be that much of an issue.
Closes #82428.
(cherry picked from commit 4b8d66aa72)
This allows you to specify the system-wide flake registry. One use is
to pin 'nixpkgs' to the Nixpkgs version used to build the system:
```nix
nix.registry.nixpkgs.flake = nixpkgs;
```
where 'nixpkgs' is a flake input. This ensures that commands like
$ nix run nixpkgs#hello
pull in a minimum of additional store paths.
You can also use this to redirect flakes, e.g.
```nix
nix.registry.nixpkgs.to = {
  type = "github";
  owner = "my-org";
  repo = "my-nixpkgs";
};
```
(cherry picked from commit 74e7ef35fe)
This helps kpathsea to find texmf.cnf in some cases. For example,
dvipng was trying to look for it in
/nix/store/<hash>-texlive-dvipng.bin-2019/ instead of
/nix/store/<hash>-texlive-combined-full-2019/.
(cherry picked from commit 91c9f2ab5c)
cc #83816
The webrtc code suffered from a race condition when used
with Pulseaudio. This lead to audio input breaking every
couple of minutes during a webrtc session.
(cherry picked from commit 81b18c3711)
Backport of llvmPackages_10 since Chromium 83 will depend on it.
See https://github.com/NixOS/nixpkgs/pull/83350#issuecomment-605994185
llvmPackages_10: copy llvmPackages_9
* starting with rc2
* make `lldb` compilable again on Darwin
* separate out manpage creation for `lldb` into a new derivation
* minor tweaks to the patching of sources,
some of which are backportable to earlier versions
(cherry picked from commit f111c6f9ce)
llvmPackages_10: rc2 -> rc3
http://lists.llvm.org/pipermail/llvm-dev/2020-March/139729.html
Additionally cherry-picked 3 commits from `llvm-project/master`:
- llvm/llvm-project@d21664c
- llvm/llvm-project@3a0f6e6
- llvm/llvm-project@87dac7d
such that clang can automatically pick up the polly plugin from the
`llvm-polly` build.
(cherry picked from commit 3a84353edb)
llvmPackages_10: rc3 -> rc4
Only needed to update hashes and the version.
Updated comment for extension handling patch
(cherry picked from commit 0ec3f4e26b)
llvmPackages_10: removed extra polly-build
There is no good reason to have separate builds for polly and no-polly
versions. The reason for the two versions was (as far as I can
tell) to defer rebuilds (see ed60483257).
Polly is now enabled by default.
(cherry picked from commit e9aa8770ea)
llvmPackages_10: rc4 -> rc5
updated version and hashes for new rc
(cherry picked from commit cdee144dfc)
llvmPackages_10: rc5 -> release
updated hashes and url
updated comment regarding version/release_version to make it clearer
(cherry picked from commit 4665b2a9a2)
fetchpatch can't be used here and fetchurl from GitHub
like in PR #82928 has the risk of breaking the hash later;
fortunately the patches aren't too large.
(cherry picked from commit 2071e3be28)
The build is currently broken due to failure to build `darcs` to fetch the src
package. The homepage is already their GitHub repo, and it appears to be the
active src of development anyways. See #83718
I came across this while debugging this failure:
https://hydra.nixos.org/build/115510612
Note that the `application` dependency *does* succeed on Hydra, because it's
already on local disk in Hydra's store, but I cannot rebuild locally because it
has prefer local builds.
https://hydra.nixos.org/build/115512559
This package is not reproducible on 20.03 or buildable outside of Hydra, so I
intend to backport the fix.
CC @NixOS/nixos-release-managers
ZHF: #80379
(cherry picked from commit 2c5fe63fbe)
It only increases the closure size by 0.5M and users who do not set
the NixOS option `hardware.pulseaudio.package = pkgs.pulseaudioFull;`
will be stumped by their bluetooth audio not working.
(cherry picked from commit e41f3d9ef3)
In contrast to e.g. Telegram or Slack, Skype does not show an app
indicator in the GNOME tray. This is quite annoying, since Skype will
continue to run in the background when its main window is closed, but
there is no way to access it.
This change adds libappindicator-gtk3 to the rpath to enable app
indicator support.
which was deprecated in 2018 and is now gone for good. I guess many
won’t notice because the nix-cache kept the files around?
(cherry picked from commit b872b8a200 and 29ca177c68)
...and remove superfluous dependency files (*.d).
...and copy dSYM directories on Mac OS when in release=false mode.
(cherry picked from commit 782b304dba)
As it turns out Darwin does most of the things differently than "normal"
systems. They are using a different shared library extension and require
an obscure commandline parameter that has to be added to every build
system out there. That issue seems to be with clang on Darwin as on
Linux that flag isn't required to build the very same tests (when using
clang).
After adjusting these two details the tests are running fine on the
darwin box that I was able to obtain.
(cherry picked from commit c8de31baa6)
* Catalyst::Plugin::Unicode::Encoding has been merged into Catalyst::Runtime
* Test::More is apparently part of Perl core modules since 5.6.2
(cherry picked from commit dc88e94ff1)
- Kerberos is a dependency that you really want included in the pkg,
this is also needed to run the test suite by default
(cherry picked from commit 36a1d1023a)
Upgrades Hydra to the latest master/flake branch. To perform this
upgrade, it's needed to do a non-trivial db-migration which provides a
massive performance-improvement[1].
The basic ideas behind multi-step upgrades of services between NixOS versions
have been gathered already[2]. For further context it's recommended to
read this first.
Basically, the following steps are needed:
* Upgrade to a non-breaking version of Hydra with the db-changes
(columns are still nullable here). If `system.stateVersion` is set to
something older than 20.03, the package will be selected
automatically, otherwise `pkgs.hydra-migration` needs to be used.
* Run `hydra-backfill-ids` on the server.
* Deploy either `pkgs.hydra-unstable` (for Hydra master) or
`pkgs.hydra-flakes` (for flakes-support) to activate the optimization.
The steps are also documented in the release-notes and in the module
using `warnings`.
`pkgs.hydra` has been removed as latest Hydra doesn't compile with
`pkgs.nixStable` and to ensure a graceful migration using the newly
introduced packages.
To verify the approach, a simple vm-test has been added which verifies
the migration steps.
[1] https://github.com/NixOS/hydra/pull/711
[2] https://github.com/NixOS/nixpkgs/pull/82353#issuecomment-598269471
(cherry picked from commit bd5324c4fc)
It seems the quoting breaks it just like in da587daae5
(cherry picked from commit e50bb280cbf5339ed671b0a7208e6aba4002c713)
(cherry picked from commit f8ccef5edb)
Due to 9pnet_virtio bugs, /nix is no longer available after
hibernation. It happens to work on x86_64, but not on other
platforms.
(cherry picked from commit d85fb28414)
fix: Adding libtool to allow darwin compiles
Libtool seems to be required for mongodb to compile on darwin.
fix: Marking MongoDB as broken on aarch64
fix: Adding libtools to the pkg imports
Update mongodb to 4.0.4
(cherry picked from commit e9bec1adf6)
According to the Cargo documentation:
> The build script does not have access to the dependencies listed in
> the dependencies or dev-dependencies section (they’re not built
> yet!). Also, build dependencies are not available to the package
> itself unless also explicitly added in the [dependencies] table.
https://doc.rust-lang.org/cargo/reference/build-scripts.html
This change separates linkage of regular dependencies and build
dependencies.
(cherry picked from commit ea6e048c37)
* Make errors include the crate name and make them much more prominent.
* Move more code into lib.sh
* Already source generated logging code and lib.sh in configure
(cherry picked from commit 04e7462ee6)
By overriding each dependency on every level of the dependency tree we
are creating a lot of unnecessary instances of the same derivation
Looking at the output size of `nix-instantiate --trace-function-calls
-vvvv …` and the execution time I got about a 10x improvement after
applying this change.
It was probably good intentions that lead to these overrides but in
practice no tooling (that I know of) really needs this. `carnix` and
`crate2nix` are fine without those overrides. Furthermore I believe that
it is the job of the tooling around `buildRustCrate` to provide a
coherent set of overrides. By not enforcing all of the overrides, debug
flags, verbosity, … to be the same throughout the closure we also allow
consumers to override specific aspects of the crates. Some (older?)
crates might need different `crateOverrides` than newer crates with the
same name. Currently such situations can not (easily) be implemented
with the override in-place.
(cherry picked from commit be5597fc9d)
Currently fails to build on python 3.8 due to an overly restrictive version bound.
ZHF: #80379
CC @NixOS/nixos-release-managers
(cherry picked from commit a65e052e4c)
If the host network stack is slow to start, the alertmanager fails to
start with this error message:
caller=main.go:256 msg="unable to initialize gossip mesh" err="create memberlist: Failed to get final advertise address: No private IP address found, and explicit IP not provided"
This bug can be reproduced by shutting down the network stack and
restarting the alertmanager.
Note I don't know why I didn't hit this issue with previous
alertmanager releases.
(cherry picked from commit 39621bb8de)
dependencies:
perlPackages.BytesRandomSecure: init at 0.29
perlPackages.CryptRandomSeed: init at 0.03
perlPackages.CryptRandomTESHA2: init at 0.01
(cherry picked from commit 3aade16ff3)
While our ETag patch works pretty fine if it comes to serving data off
store paths, it unfortunately broke something that might be a bit more
common, namely when using regexes to extract path components of
location directives for example.
Recently, @devhell has reported a bug with a nginx location directive
like this:
```nginx
location ~^/\~([a-z0-9_]+)(/.*)?$ {
  alias /home/$1/public_html$2;
}
```
While this might look harmless at first glance, it does however cause
issues with our ETag patch. The alias directive gets broken up by nginx
like this:
```
*2 http script copy: "/home/"
*2 http script capture: "foo"
*2 http script copy: "/public_html/"
*2 http script capture: "bar.txt"
```
In our patch however, we use realpath(3) to get the canonicalised path
from ngx_http_core_loc_conf_s.root, which returns the *configured* value
from the root or alias directive. So in the example above, realpath(3)
boils down to the following syscalls:
```
lstat("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/home/$1", 0x7ffd08da6f60) = -1 ENOENT (No such file or directory)
```
During my review[1] of the initial patch, I didn't actually notice that
what we're doing here is returning NGX_ERROR if the realpath(3) call
fails, which in turn causes an HTTP 500 error.
Since our patch actually made the canonicalisation (and thus additional
syscalls) necessary, we really shouldn't introduce an additional error
so let's - at least for now - silently skip the return value if realpath(3)
has failed.
However since we're using the unaltered root from the config we have
another issue, consider this root:
/nix/store/...-abcde/$1
Calling realpath(3) on this path will fail (except if there's a file
called "$1" of course), so even this fix is not enough because it
results in the ETag not being set to the store path hash.
While this is very ugly and we should fix this very soon, it's not as
serious as getting HTTP 500 errors for serving static files.
I added a small NixOS VM test, which uses the example above as a
regression test.
It seems that my memory is failing these days, since apparently I *knew*
about this issue since digging for existing issues in nixpkgs, I found
this similar pull request which I even reviewed:
https://github.com/NixOS/nixpkgs/pull/66532
However, since the comments weren't addressed and the author hasn't
responded to the pull request, I decided to keep this very commit and do
a follow-up pull request.
[1]: https://github.com/NixOS/nixpkgs/pull/48337
Signed-off-by: aszlig <aszlig@nix.build>
Reported-by: @devhell
Acked-by: @7c6f434c
Acked-by: @yorickvP
Merges: https://github.com/NixOS/nixpkgs/pull/80671
Fixes: https://github.com/NixOS/nixpkgs/pull/66532
(cherry picked from commit e1d63ada02)
This makes it possible to use chromium headless with WebGL
(e.g. for webdriver tests) without having to rebuild from source.
The upstream default is to enable, thus simply removing our disabling switch.
Also fixes #41918.
(cherry picked from commit 015bb28ae1)
The app is still maintained upstream, but they aren't cutting releases on
crates.io anymore:
https://crates.io/crates/ion-shell
This fixes the build with the latest Rust toolchain by upgrading to the current
commit off the project's `master`.
ZHF: #80379
(cherry picked from commit 16cdff0711)
It is currently failing on master and 20.03. I spent some time reading the src
code but was not able to figure out why the env var activation is not working.
Since this is currently failing, and since it's dying alongside python 2 anyways
I propose we just disable the 1 failing test.
There's some more information inline in the comment if someone wants to fix this
or dig further.
(cherry picked from commit 643d10295d)
It's impossible to move two major-versions forward when upgrading
Nextcloud. This is an issue when coming from 19.09 (using Nextcloud 16)
and trying to upgrade to 20.03 (using Nextcloud 18 by default).
This patch implements the measurements discussed in #82056 and #82353 to
improve the update process and to circumvent similar issues in the
future:
* `pkgs.nextcloud` has been removed in favor of versioned attributes
(currently `pkgs.nextcloud17` and `pkgs.nextcloud18`). With that
approach we can safely backport major-releases in the future to
simplify those upgrade-paths and we can select one of the
major-releases as default depending on the configuration (helpful to
decide whether e.g. `pkgs.nextcloud17` or `pkgs.nextcloud18` should be
used on 20.03 and `master` atm).
* If `system.stateVersion` is older than `20.03`, `nextcloud17` will be
used (which is one major-release behind v16 from 19.09). When using a
package older than the latest major-release available (currently v18),
the evaluation will cause a warning which describes the issue and
suggests next steps.
To make those package-selections easier, a new option to define the
package to be used for the service (namely
`services.nextcloud.package`) was introduced.
* If `pkgs.nextcloud` exists (e.g. due to an overlay which was used to
provide more recent Nextcloud versions on older NixOS-releases), an
evaluation error will be thrown by default: this is to make sure that
`services.nextcloud.package` doesn't use an older version by accident
after checking the state-version. If `pkgs.nextcloud` is added
manually, it needs to be declared explicitly in
`services.nextcloud.package`.
* The `nixos/nextcloud`-documentation contains a
"Maintainer information"-chapter which describes how to roll out new
Nextcloud releases and how to deal with old (and probably unsafe)
versions.
Closes #82056
(cherry picked from commit 702f645aa8)
This reverts commit 7cb100b683.
This appears to break at least the `container`-backend of `nixops`: when
running `switch-to-configuration` within `nixos-container run`, the
running `systemd`-instance gets reloaded which appears to kill the
`systemd-run` command and causes `nixos-container run` to hang.
The full issue is reported in the original PR[1].
[1] https://github.com/NixOS/nixpkgs/pull/67332#issuecomment-604145869
There were a number of fixes that were not backported. I made a branch
with those cherry-picked fixes to be merged into both 20.03 and master
(not changing master), to ensure the two release branches didn't diverge
when they shouldn't.
I like this "apply the fixes to the common ancestor and then merge
both" approach because it makes it much easier to avoid backporting
issues. I suspect I'll be making more fixes to both in the future.
Some changes were made after final review of the package. There was a
missing runtime dependency that was discovered after merge of the
backport
(cherry picked from commit 9fe4a634c1)
Reason: The dependency can make the package work or not
The build is currently broken on master and 20.03. This upgrades to the latest
version and also disables the bad py2 test. I spent a long time trying to figure
out what the issue is, but since it's disabled upstream on python3 anyways let's
just skip it on python2 as well.
ZHF: #80379
(cherry picked from commit e9979380cf)
Since #81475 this caused the wrapper to be empty of entries from
wrapGAppsHook because the wrapGAppsHook function doesn't add
them anymore, and was moved to gappsWrapperArgsHook. Instead
of just running that in postBuild it's more future proof to make this
use stdenv.mkDerivation because we want to mess around with the
generic builder.
(cherry picked from commit a9e7e93311)
Since #81475 this caused the wrapper to be empty of entries from
wrapGAppsHook because the wrapGAppsHook function doesn't add
them anymore, and was moved to gappsWrapperArgsHook. Instead
of just running that in postBuild it's more future proof to make this
use stdenv.mkDerivation because we want to mess around with the
generic builder.
(cherry picked from commit db41c787f4)
The tag points to the same commit hash, so the binary
is unchanged.
Signed-off-by: David Anderson <dave@natulte.net>
(cherry picked from commit 3fa813e820)
Up to and including nixos-19.09, configure fell back and included the right
libraries. Since nixos-20.03, pkg-config returns a valid value for opengl, but
opengl misses glx symbols.
(cherry picked from commit d315b3d267)
Previously top-level/python-packages.nix called spyder-kernels v0.5 for
Py2k. Now both v0.5 and v1.8 (default.nix) are in pythonPackages, as
required by cq-editor and spyder v4 respectively.
v0.5 also now comes from GitHub instead of PyPi, with checks enabled.
(cherry picked from commit a1f4519814)
NixOS 20.03 is built on kernel 5.4 and 19.09 is on 4.19, so we should update
this option to the highest value possible, per linked upstream instructions from
Amazon.
(cherry picked from commit 129176452c)
While renaming `networking.defaultMailServer` directly to
`services.ssmtp` is shorter and probably clearer, it causes eval errors
due to the second rename (directDelivery -> enable) when using e.g. `lib.mkForce`.
For instance,
``` nix
{ lib, ... }: {
  networking.defaultMailServer = {
    hostName = "localhost";
    directDelivery = lib.mkForce true;
    domain = "example.org";
  };
}
```
would break with the following (rather confusing) error:
```
error: The option value `services.ssmtp.enable' in `/home/ma27/Projects/nixpkgs/nixos/modules/programs/ssmtp.nix' is not of type `boolean'.
(use '--show-trace' to show detailed location information)
```
(cherry picked from commit fc316f7b31)
Updates `gitea` to the latest version available[1]. Also ensured that
upgrading from `gitea-1.9` (used on NixOS 19.09) to `1.11.3` works
seamlessly.
The derivation required a few more changes this time since `gitea` uses
`npm` now to build the frontend[2]. When using the default tarball from
GitHub, we'd have to build the frontend manually. By fetching a custom
tarball published on every release, we get a prebuilt frontend
(as it was the case on previous versions) and build the backend only from
source.
Co-authored-by: kolaente <k@knt.li>
Closes #80175
[1] https://github.com/go-gitea/gitea/releases/tag/v1.11.3
[2] https://github.com/go-gitea/gitea/issues/10253
(cherry picked from commit cbceee8e97)
Previously, systemd.network.links was only respected with networkd
enabled, but it's really udev taking care of links, no matter if
networkd is enabled or not.
With our module fixed, there's no need to manually manage the text file
anymore.
This was originally applied in 3d1079a20d,
but was reverted due to 1115959a8d causing
evaluation errors on hydra.
(cherry picked from commit 4e53f84c79)
This mirrors the behaviour of systemd - It's udev that parses `.link`
files, not `systemd-networkd`.
This was originally applied in 36ef112a47,
but was reverted due to 1115959a8d causing
evaluation errors on hydra.
(cherry picked from commit 355c58e485)
nixos/manual: fix build
(cherry picked from commit d96bd3394b)
Simply keep the cli up to date since it is used to connect to a VPN.
(cherry picked from commit eb96574e9df3aba387c4abe902b154398271becf)
Reason: A tool to communicate with a VPN provider should be kept
up-to-date
The release-20.03-aarch64 jobset on hydra only evals for aarch64, so the
x86_64 jobs do not exist. We need to make sure that the tested job only
aggregates jobs that actually exist.
This commit solves the issue by generating the tested job constituents
names based on the supported systems.
The hydraPlatforms have to be set on the kicad package itself, that can be
checked using:
echo ":p { inherit kicad kicad-small kicad-unstable; }" | nix repl ./pkgs/top-level/release.nix
This commit disables build of all kicad variants that require downloading
packages3d, which currently fail on hydra with the "Output limit exceeded"
status. This leaves Hydra with only building kicad-small, which will allow
us to cache the build of kicad-base as well as all libraries except for
packages3d.
(cherry picked from commit ebe5f10794)
This fixes the build, also of
- eths-rlp
- vorbiscomment
- webify
which depend on binary-strict. Everything else that depends on
binary-strict remains broken, so this commit shouldn't break anything
that wasn't broken yet.
- Reverting the version of Starlette as FastAPI can not use anything
greater than 0.12.12. FastAPI is Starlette's only dependent.
- Use fetchurl instead of fetchPypi as this is now the preferred
method. This also makes the tests pass and, thus, the build, which
was failing.
Fixes #78744
My previous change broke when there are more packages than the maximum
number of layers. I had assumed that the `store-path-to-layer.sh` was
only ever passed a single store path, but that is not the case if
there are multiple packages going into the final layer. To fix this, we
loop through the paths going into the final layer, appending them to the
tar file and making sure they end up at the right path.
Fixes #61867 and #61505, bumps the ocaml version unison is built
against to 4.08. The patches included here appear in the trunk version
of unison, but were not backported to 2.51.2.
(cherry picked from commit 3355e8d1ca)
* Linkify all service options used in the code-examples.
* Demonstrated the use of `riot-web.override {}`.
* Moved the example how to configure a postgresql-database for
`matrix-synapse` to this document from the 20.03 release-notes.
(cherry picked from commit 849e16888f)
Update Virtualbox to its latest version. This allows compilation against
kernel >= 5.4 to succeed without further patches (see #74260, build
would fail for linux-5.5.5 to 5.5.9).
(cherry picked from commit 3132c237b1)
Announced in [1], versioned tarballs make it possible to make sure that a
specific version is fetched. This does not guarantee that all previous
versions are retained on the main mirrors.
Logically, we would want to first try to download versioned tarballs
from any mirror and only then try the unversioned ones. But right now
we only have two mirrors and only some of the tarballs are versioned
in texlive-2019, so the order is changed to not hammer the weak
tug.org mirror.
[1] https://tug.org/pipermail/tex-live/2019-September/044086.html
(cherry picked from commit 9f44a61f39)
The biber package is now at 2.14, but TextBibTeX is still required.
A few changes were needed for the newly introduced scripts-extra path. This
broke some of our old tricks which were relying on having writable
script directories. The changes to the script locations made buildEnv
create symlinks to the script directories instead of directories of
symlinks to scripts. The changes to texlinks.sh and texlive/TeXLive
perl path were made because of this.
(cherry picked from commit 9752593eb0)
The shell script doesn't work very well in non-GNU environments like
darwin. This provides an implementation that uses just a single GNU tool
(gawk), thus reducing the number of points of failure.
(cherry picked from commit d9fb53ddd6)
The package doesn't have a testsuite, but fails as the checkPhase is
missing appropriate locale configuration (usually taken from
`pkgs.glibcLocales`). Entirely disabling the `checkPhase` for now as
it's basically a no-op.
ZHF: #80379
See also https://hydra.nixos.org/build/114125176
(cherry picked from commit 1505633e2f)
These patches are gathered from different sources,
such as https://patchwork.kernel.org/patch/10862231/ for the
`gettid` patch.
Another patch comes from the issue in the AFL repository.
The ultimate goal is to get these patches upstream as well,
so we don't keep these general patches only within nixos.
A PR is created against Google/AFL
https://github.com/google/AFL/pull/79,
but it might take a while before it's landed, considering the history
of the project (there are more PRs open).
ZHF: #80379
Fixes issue #82232
Running haproxy with "DynamicUser = true" doesn't really work, since
it prohibits specifying a TLS certificate bundle with limited
permissions. This revives the haproxy user and group, but makes them
dynamically allocated by NixOS, rather than statically allocated. It
also adds options to specify which user and group haproxy runs as.
(cherry picked from commit bb7ad853fb)
The previously committed checksums seem to have been mistakenly taken
directly from fetchurl without fetchpatch normalization.
(cherry picked from commit adfb8a039b)
We started having issues with `pkgs.dockerTools.pullImage`, where it
would fail with:
```
FATA[0000] Error loading trust policy: open /etc/containers/policy.json: no such file or directory
```
It turns out that since `skopeo` was bumped to `0.1.40`, it was
accidentally no longer being built with a default policy.
This may happen again, see https://github.com/containers/skopeo/issues/787
(cherry picked from commit a646f4b454)
* The 'arm.patch' patch doesn't apply anymore.
* The 'build-arm-libopus.patch' patch isn't required anymore.
* See the mozilla phabricator link for the added patch.
Additionally, we are now *always* unconditionally applying all patches
to all architectures. That is, unless they have undesirable
side-effects, but those might not be fit for inclusion.
By applying all patches all the time, they'll be removed or replaced
when they stop applying.
(cherry picked from commit d4446c563d)
This package was last released in 2017, and no longer compiles with the latest
Rust compiler. It has just 1 commit from someone other than the original author
and appears to be a dead project.
(cherry picked from commit 27a0a1376b)
This avoids a possible surprise if the user is using `nixpkgs.system`
and `nesting.children`. `nesting.children` is expected to ignore all
parent configuration so we shouldn't propagate the user-facing option
`nixpkgs.system`. To avoid doing so, we introduce a new internal
option for holding the value passed to eval-config.nix, and use that
when recursing for nesting.
(cherry picked from commit ce416779bb)
The current behavior lets `system` default to
`builtins.currentSystem`. The system value specified to
`eval-config.nix` has very low precedence, so this should compose
properly.
Fixes #80806
(cherry picked from commit b83164a049)
In case of invalid chars, the error-message references "perl variables"
which is not the case here as the python-based framework is used.
(cherry picked from commit 6d14bac048)
Previously, systemd.network.links was only respected with networkd
enabled, but it's really udev taking care of links, no matter if
networkd is enabled or not.
With our module fixed, there's no need to manually manage the text file
anymore.
(cherry picked from commit 3d1079a20d)
The better way to fix this would be to backport the upstream sphinx
patch:
faedcc48cc
Unfortunately it doesn't apply cleanly and isn't worth the effort
of backporting. Let's hope we can switch to python3 sage and the recent
sphinx version that comes with it before this becomes a problem.
(cherry picked from commit 7133577405)
This is useful when buildLayeredImage is called in a generic way
that should allow simple (base) images to be built, which may not
reference any store paths.
(cherry picked from commit 6dab1b50a6)
Signed-off-by: Domen Kožar <domen@dev.si>
The current version of glibc implements support for kernels down to
3.2.0 (and we make sure to enable such support with appropriate
--enable-kernel setting). The current RHEL6 operating system is based on
a maintained kernel based on 2.6.32 with lots of backports. We provide
basic support for this specific kernel by patching glibc to provide an
exception for this specific version of kernel. This allows for nixpkgs
software distribution to work on RHEL6 and it does so quite well with
almost no problems. There are, however, a few syscalls that are missing
in the 2.6.32 kernel, one of which is prlimit64. This commit provides a
fallback that uses an older {get,set}rlimit syscalls in cases when
prlimit64 is not available. This should streamline the experience for
nixpkgs users wanting to run it on RHEL6, namely, this fixes one of the
tests in findutils.
See also discussion in guix:
https://lists.gnu.org/archive/html/guix-devel/2018-03/msg00356.html
(cherry picked from commit 6740593bdd)
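The prlimit64-then-legacy fallback described above, as an added C example (not glibc's patch and not nixpkgs code): `compat_getrlimit`/`compat_setrlimit` try the `prlimit64` syscall first and use the older `getrlimit`/`setrlimit` interface when the kernel answers ENOSYS. `struct kernel_rlimit64` here mirrors the kernel's prlimit64 ABI layout, and `force_legacy` is this example's own test knob for exercising the fallback on a kernel that does have prlimit64.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Layout of the kernel's prlimit64 argument (two __u64), defined here so the
 * raw syscall can be used without relying on libc's rlimit64 declarations. */
struct kernel_rlimit64 { uint64_t rlim_cur; uint64_t rlim_max; };
#define KERNEL_RLIM64_INFINITY (~(uint64_t)0)

/* Which code path was taken; returned so callers (and tests) can check it. */
enum rlimit_path { RLIMIT_PATH_PRLIMIT64 = 1, RLIMIT_PATH_LEGACY = 2 };

static rlim_t from_kernel64(uint64_t v)
{
    return v == KERNEL_RLIM64_INFINITY ? RLIM_INFINITY : (rlim_t)v;
}

static uint64_t to_kernel64(rlim_t v)
{
    return v == RLIM_INFINITY ? KERNEL_RLIM64_INFINITY : (uint64_t)v;
}

/* Read a resource limit. prlimit64 is tried first; if the running kernel
 * reports ENOSYS (as a 2.6.32-era kernel does), fall back to getrlimit.
 * force_legacy (example-only knob) skips prlimit64 so the fallback path can
 * be exercised anywhere. Returns the path taken (> 0), or -1 with errno set. */
int compat_getrlimit(int resource, struct rlimit *out, int force_legacy)
{
#ifdef SYS_prlimit64
    if (!force_legacy) {
        struct kernel_rlimit64 r64;
        /* pid 0 = calling process, new_limit NULL = query only */
        if (syscall(SYS_prlimit64, 0, resource, (void *)0, &r64) == 0) {
            out->rlim_cur = from_kernel64(r64.rlim_cur);
            out->rlim_max = from_kernel64(r64.rlim_max);
            return RLIMIT_PATH_PRLIMIT64;
        }
        if (errno != ENOSYS)
            return -1;          /* a real error, not a missing syscall */
        /* ENOSYS: kernel predates prlimit64, use the legacy interface */
    }
#else
    (void)force_legacy;         /* no prlimit64 on this platform at all */
#endif
    if (getrlimit(resource, out) != 0)
        return -1;
    return RLIMIT_PATH_LEGACY;
}

/* Same pattern for setting a limit: prlimit64 first, setrlimit as fallback. */
int compat_setrlimit(int resource, const struct rlimit *in, int force_legacy)
{
#ifdef SYS_prlimit64
    if (!force_legacy) {
        struct kernel_rlimit64 r64 = {
            .rlim_cur = to_kernel64(in->rlim_cur),
            .rlim_max = to_kernel64(in->rlim_max),
        };
        if (syscall(SYS_prlimit64, 0, resource, &r64, (void *)0) == 0)
            return RLIMIT_PATH_PRLIMIT64;
        if (errno != ENOSYS)
            return -1;
    }
#else
    (void)force_legacy;
#endif
    if (setrlimit(resource, in) != 0)
        return -1;
    return RLIMIT_PATH_LEGACY;
}

int main(void)
{
    struct rlimit rl;
    int path = compat_getrlimit(RLIMIT_NOFILE, &rl, 0);
    if (path < 0) {
        perror("compat_getrlimit");
        return 1;
    }
    printf("RLIMIT_NOFILE cur=%llu max=%llu via %s\n",
           (unsigned long long)rl.rlim_cur, (unsigned long long)rl.rlim_max,
           path == RLIMIT_PATH_PRLIMIT64 ? "prlimit64" : "legacy getrlimit");
    return 0;
}
```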
Version 1.1.11 (2020-03-08)
Compatibility notes:
When upgrading from borg 1.0.x to 1.1.x, please note:
read all the compatibility notes for 1.1.0*, starting from 1.1.0b1.
borg upgrade: you do not need to and you also should not run it.
borg might ask some security-related questions once after upgrading. You can answer them either manually or via environment variable. One known case is if you use unencrypted repositories, then it will ask about an unknown unencrypted repository one time.
your first backup with 1.1.x might be significantly slower (it might completely read, chunk, hash a lot of files) - this is due to the --files-cache mode change (and happens every time you change mode). You can avoid the one-time slowdown by using the pre-1.1.0rc4-compatible mode (but that is less safe for detecting changed files than the default). See the --files-cache docs for details.
1.1.11 removes WSL autodetection (Windows 10 Subsystem for Linux). If WSL still has a problem with sync_file_range, you need to set BORG_WORKAROUNDS=basesyncfile in the borg process environment to work around the WSL issue.
Fixes:
fixed potential index corruption / data loss issue due to bug in hashindex_set, #4829 Please read and follow the more detailed notes close to the top of this document.
upgrade bundled xxhash to 0.7.3, #4891 0.7.2 is the minimum requirement for correct operations on ARMv6 in non-fixup mode, where unaligned memory accesses cause bus errors. 0.7.3 adds some speedups and libxxhash 0.7.3 even has a pkg-config file now.
upgrade bundled lz4 to 1.9.2
upgrade bundled zstd to 1.4.4
fix crash when upgrading erroneous hints file, #4922
extract:
fix KeyError for "partial" extraction, #4607
fix "partial" extract for hardlinked contentless file types, #4725
fix preloading for old (0.xx) remote servers, #4652
fix confusing output of borg extract --list --strip-components, #4934
delete: after double-force delete, warn about necessary repair, #4704
create: give invalid repo error msg if repo config not found, #4411
mount: fix FUSE mount missing st_birthtime, #4763 #4767
check: do not stumble over invalid item key, #4845
info: if the archive doesn't exist, print a pretty message, #4793
SecurityManager.known(): check all files, #4614
Repository.open: use stat() to check for repo dir, #4695
Repository.check_can_create_repository: use stat() to check, #4695
fix invalid archive error message
fix optional/non-optional location arg, #4541
commit-time free space calc: ignore bad compact map entries, #4796
ignore EACCES (errno 13) when hardlinking the old config, #4730
--prefix / -P: fix processing, avoid argparse issue, #4769
New features:
enable placeholder usage in all extra archive arguments
new BORG_WORKAROUNDS mechanism, basesyncfile, #4710
recreate: support --timestamp option, #4745
support platforms without os.link (e.g. Android with Termux), #4901 if we don't have os.link, we just extract another copy instead of making a hardlink.
support linux platforms without sync_file_range (e.g. Android 7 with Termux), #4905
Other:
ignore --stats when given with --dry-run, but continue, #4373
add some ProgressIndicator msgids to code / fix docs, #4935
elaborate on "Calculating size" message
argparser: always use REPOSITORY in metavar, also use more consistent help phrasing.
check: improve error output for matching index size, see #4829
docs:
changelog: add advisory about hashindex_set bug #4829
better describe BORG_SECURITY_DIR, BORG_CACHE_DIR, #4919
infos about cache security assumptions, #4900
add FAQ describing difference between a local repo vs. repo on a server.
document how to test exclusion patterns without performing an actual backup
timestamps in the files cache are now usually ctime, #4583
fix bad reference to borg compact (does not exist in 1.1), #4660
create: borg 1.1 is not future any more
extract: document limitation "needs empty destination", #4598
how to supply a passphrase, use crypto devices, #4549
fix osxfuse github link in installation docs
add example of exclude-norecurse rule in help patterns
update macOS Brew link
add note about software for automating backups, #4581
AUTHORS: mention copyright+license for bundled msgpack
fix various code blocks in the docs, #4708
updated docs to cover use of temp directory on remote, #4545
add restore docs, #4670
add a pull backup / push restore how-to, #1552
add FAQ how to retain original paths, #4532
explain difference between --exclude and --pattern, #4118
add FAQs for SSH connection issues, #3866
improve password FAQ, #4591
reiterate that 'file cache names are absolute' in FAQ
tests:
cope with ANY error when importing pytest into borg.testsuite, #4652
fix broken test that relied on improper zlib assumptions
test_fuse: filter out selinux xattrs, #4574
travis / vagrant:
misc python versions removed / changed (due to openssl 1.1 compatibility) or added (3.7 and 3.8, for better borg compatibility testing)
binary building is on python 3.5.9 now
vagrant:
add new boxes: ubuntu 18.04 and 20.04, debian 10
update boxes: openindiana, darwin, netbsd
remove old boxes: centos 6
darwin: updated osxfuse to 3.10.4
use debian/ubuntu pip/virtualenv packages
rather use python 3.6.2 than 3.6.0, fixes coverage/sqlite3 issue
use requirements.d/development.lock.txt to avoid compat issues
travis:
darwin: backport some install code / order from master
remove deprecated keyword "sudo" from travis config
allow osx builds to fail, #4955 this is due to travis-ci frequently being so slow that the OS X builds just fail because they exceed 50 minutes and get killed by travis.
(cherry picked from commit dbff9b5479)
This prevents confusion by nix-env when installing packages by
derivation name, since there is another package named dust already
(cherry picked from commit ad126ee28e)
Includes some bugfixes/cleanups to the scripts and packaging, a run of the
updater and a bump of the version.
Fixes #75863
(cherry picked from commit 9131efe52d)
This fixes the situation where, if `/usr/share/zoneinfo` was
inaccessible/didn't otherwise exist, `howard-hinnant-date` would
download and drop a `~/Downloads/tzdata` directory containing some
timezone information from IANA [1]. To avoid this, we make use of the
`tzdata`'s `zoneinfo`, preventing the dropping of random directories and
files.
[1] https://data.iana.org/time-zones/releases/tzdata2019c.tar.gz
(cherry picked from commit 25057960ce)
This fixes a bug which breaks the clock module. See
<https://github.com/Alexays/Waybar/issues/566>.
- Fix misspelled option. mkRenamedOptionModule is not used because the
option hasn't really worked before.
- Add missing cfg.telemetryPath arg to ExecStart.
- Fix mkdir invocation in test.
(cherry picked from commit e7ed7901a8)
The allowed values have changed in bd3319d28c.
0.15:
--log.level="info" Only log messages with the given severity or above. Valid levels: [debug, info, warn, error, fatal]
--log.format="logger:stderr"
Set the log target and format. Example: "logger:syslog?appname=bob&local=7" or "logger:stdout?json=true"
0.17:
--log.level=info Only log messages with the given severity or above. One of: [debug, info, warn, error]
--log.format=logfmt Output format of log messages. One of: [logfmt, json]
(cherry picked from commit 87f87fb3e9)
drive-by contributions, as I was playing around with this (it has better
support for the `num` library, it seems.)
js_of_ocaml: 3.4.0 -> 3.5.2
ocamlPackages.js_of_ocaml-ppx_deriving_json: use ppxlib-0.12.0
ocamlPackages.eliom: 6.8.0 → 6.10.1
ocamlPackages.ocsigen-toolkit: 2.2.0 → 2.5.0
ocamlPackages.ocsigen-start: 2.7.0 → 2.16.1
Co-authored-by: Vincent Laporte <Vincent.Laporte@gmail.com>
(cherry picked from commit 2d2a5a9b63)
Includes multiple security fixes mentioned in
https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/
(unfortunately, no CVE numbers as of yet)
- Directory Traversal to Arbitrary File Read
- Account Takeover Through Expired Link
- Server Side Request Forgery Through Deprecated Service
- Group Two-Factor Authentication Requirement Bypass
- Stored XSS in Merge Request Pages
- Stored XSS in Merge Request Submission Form
- Stored XSS in File View
- Stored XSS in Grafana Integration
- Contribution Analytics Exposed to Non-members
- Incorrect Access Control in Docker Registry via Deploy Tokens
- Denial of Service via Permission Checks
- Denial of Service in Design For Public Issue
- GitHub Tokens Displayed in Plaintext on Integrations Page
- Incorrect Access Control via LFS Import
- Unescaped HTML in Header
- Private Merge Request Titles Leaked via Widget
- Project Namespace Exposed via Vulnerability Feedback Endpoint
- Denial of Service Through Recursive Requests
- Project Authorization Not Being Updated
- Incorrect Permission Level For Group Invites
- Disclosure of Private Group Epic Information
- User IP Address Exposed via Badge images
- Update postgresql (GitLab Omnibus)
(cherry-picked from commit c25756f91c)
Since we split wrapGAppsHook and move its variable initialization to preFixupPhases in #81475, it was getting run before glibPreFixupPhase which sets GSETTINGS_SCHEMAS_PATH variable gappsWrapperArgsHook depends on. Let's introduce this ugly hack to ensure glibPreFixupPhase will run before gappsWrapperArgsHook.
(cherry picked from commit 8e4f502fc6)
As outlined in #71447, postCommands should always be run if networking
in initrd is enabled, regardless of whether the configuration actually
succeeded.
(cherry picked from commit 589789997f)
The backport of this patch has been requested in #79532[1]. The diff is
slightly off the original commit since some changes from
ea7d02406b were needed, however this
commit shouldn't be backported as it potentially breaks existing setups.
[1] https://github.com/NixOS/nixpkgs/pull/79532#issuecomment-593511638
The way ruby loads gems and keeps track of their paths seems to not
always work very well when the gems are accessed through
symlinks. Ruby will then complain that the same files are loaded
multiple times; it relies on the file's full path to determine whether
the file is loaded or not.
This adds an option to simply copy all gem files into the environment
instead, which gets rid of this issue, but may instead result in major
file duplication.
No vulnerabilities are known so far (to me), but still I'd go this way.
Especially for 20.03 it seems better to deprecate it before official
release happens.
Current casualties:
$ ./maintainers/scripts/rebuild-amount.sh --print HEAD HEAD^
Estimating rebuild amount by counting changed Hydra jobs.
87 x86_64-darwin
161 x86_64-linux
(cherry picked from commit 7cda2823be)
Also python34 is not supported:
979e6fd2db
nixpkgs doesn't provide python34 anymore, so pythonOlder "3.5" is always
true and can be removed.
(cherry picked from commit d35009ee63)
cc #80940
This makes predictable interface names available as soon as possible
with udev by adding the default network link units, which are read by
udev, to initrd. Also adds some udev rules that are needed but which would
normally be loaded from the udev store path, which is not included in the initrd.
(cherry picked from commit 44e289f93b)
I am not sure if we still need the old packages, nothing explicitly
depends on polyml56 or polyml57 according to a grep, not sure if
external packages might (hol and isabelle depend on polyml, the latest
version).
(cherry picked from commit f4c29ebfc2)
New libffi doesn't have FFI_SYSV for x86/64 unix, this pulls in the
commit for the upstream version which fixes it, and ports that patch to
the 5.7 version. The 5.6 version is unchanged.
For ZHF: #80379
(cherry picked from commit f8c402ecad)
This bumps to the latest state of the systemd 242 stable, published at
https://github.com/systemd/systemd-stable/tree/v243-stable.
Should cover CVE-2020-1712.
Git Log:
f8dd0f2f15 (tag: v243.7, systemd-stable/v243-stable) Revert "Support Plugable UD-PRO8 dock"
1a5428c2ab hibernate-resume-generator: wait "infinitely" for the resume device
eb3148c468 (tag: v243.6) hwdb: update to v245-rc1
f14fa558ae Fix typo in function name
fb21e13e8e polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it
2e504c92d1 sd-bus: introduce API for re-enqueuing incoming messages
4d80c8f158 polkit: use structured initialization
54791aff01 polkit: on async pk requests, re-validate action/details
81532beddc polkit: reuse some common bus message appending code
4441844d58 bus-polkit: rename return error parameter to ret_error
31a1d569db shared: split out polkit stuff from bus-util.c → bus-polkit.c
560eb5babf test: adapt to the new capsh format
275b266bde meson: update efi path detection to gnu-efi-3.0.11
9239154545 presets: "disable" all passive targets by default
a827c41851 shared/sysctl-util: normalize repeated slashes or dots to a single value
fb1bfd6804 dhcp6: do not use T1 and T2 longer than one provided by the lease
ca43a515c6 network: fix implicit type conversion warning by GCC-10
421eca7edf bootspec: parse random-seed-mode line in loader.conf
34e21fc6de sd-boot: fix typo
df7b3a05c9 test: Synchronize journal before reading from it
9326efee71 sd-bus: fix introspection bug in signal parameter names
7bbdc56aaf efi: fix build.
486f8ca365 generator: order growfs for the root fs after systemd-remount-fs
56d442e29d loginctl: use /org/freedesktop/login1/session/auto when "lock-session" is called without argument
6ed1152282 Documentation update for x-systemd.{before,after}
dba3efa34a man: fix typo in systemd.netdev Xfrm example
6f9a8621d8 timesyncd: log louder when we refuse a server due to root distance
0637255d3b resolved: drop DNSSEC root key that is not valid anymore
9a135baa40 journal: don't use startswith() on something that is not a NUL-terminated string
1ff3972a0f test: add test for https://github.com/systemd/systemd/issues/14560
cac79b606b core: make sure StandardInput=file: doesn't get dup'ed to stdout/stderr by default
906ba9a67d pkgconf: add full generator paths
01b93e2c68 tree-wide: we forgot to destroy some bus errors
5c9455657e mount: make checks on perpetual mount units more lax
28c58beca1 core: never allow perpetual units to be masked
d3b044b3e7 typo: "May modify to" -> "May modify"
fd378d3d3c sysctl: downgrade message when we have no permission
db4fbf5c61 Clarify journald.conf MaxLevelStore documentation
c8365f71c0 logind: refuse overriding idle hint on tty sessions
cd91f567b6 cgroup: update only siblings that got realized once
c672dcd212 mount: mark an existing "mounting" unit from /proc/self/mountinfo as "just_mounted"
a592a40564 journalctl: Correctly handle combination of --reverse and --lines (fixes#1596)
0aa144ab1d journalctl: Correctly handle --show-cursor in combination with --until or --since and --reverse
3b803a5e66 core: fix re-realization of cgroup siblings
7549dd40fc core: propagate service state to socket in more load states
af6df343b2 man: describe "symlink" and "systemctl link" explicitly in UNIT FILE LOAD PATH
a3c1ce25a7 core: be more restrictive on the dependency types we allow to be created transiently
2b9ec8384c udev: don't import parent ID_FS_ data on partitions
ecd95c507c man: fix option name
0d4f06156b Support Plugable UD-PRO8 dock
7fba869abd gpt-auto: don't assume XBOOTLDR is vfat
494c281b67 man: fix documentation of IBM VIO device naming
7271fb056a man: slightly extend documentation on difference between ID_NET_NAME_ONBOARD and ID_NET_LABEL_ONBOARD
852ae28e68 boot: fix osrel parser
2613200370 udev: do not use exact match of file permission
46477397c1 network: lower the log-level of harmless message
7163b1fe86 hwdb: ignore keys added in kernel 5.5
92f90837dc systemctl: skip non-existent units in the 'cat' verb
a67227cc99 systemd.exec: document the file system for EnvironmentFile paths
cfb4c0aca5 systemd-analyze: fixed typo in documentation
017fddd998 test-condition: fix group check condition
9d5e3cb774 umount: show correct error message
252f1a5277 Revert "Drop dbus activation stub service"
20bbfac95e man: add section about user manager units
c93ef60212 man: add remote-*.targets to the bootup sequence
55e0f99689 time-util: also use 32bit hack on EOVERFLOW
7afe2ecb02 [man] note which UID ranges will get user journals
a43b67a4c9 [man] fix URL
dedb26a8d6 analyze: badness if neither of RootImage and RootDirectory exists
714c93862a initrd: make udev cleanup service confict trigger and settle too
8932407ae1 man: we support growing xfs too these days
19af11dc07 time-util: deal with systems where userspace has 64bit time_t but kernel does not
c90229d81d [import] fix stdin/stdout pipe behavior in import/export tar/raw
39910328da cryptsetup-generator: unconfuse writing of the device timeout
fc5e6c87a4 shared/install: log syntax error for invalid DefaultInstance=
409c94a407 shared/install: provide a nicer error message for invalid WantedBy=/Required= values
70e8c1978a seccomp: real syscall numbers are >= 0
a0a1977d9a seccomp: more comprehensive protection against libseccomp's __NR_xyz namespace invasion
7f936c60d5 network: set ipv6 mtu after link-up or device mtu change
b59d88cc62 man: fix typo in net-naming-scheme man page
c5e5ac0958 man: fix typos (#14304)
9a2f26564d ipv4ll: do not reset conflict counter on restart
bc9e1ebfdd Fix typo (duplicate "or")
c6cb71b7e7 network: if /sys is rw, then udev should be around
67dcdfd956 nspawn: do not fail if udev is not running
a7938a1bc6 Create parent directories when creating systemd-private subdirs
53aa44f873 network: do not return error but return UINT64_MAX if speed meter is disabled
65abf12674 core: swap priority can be negative
b1cf452ff5 systemctl: enhance message about kexec missing kernel
07a0e5b425 man: use mkswap@ instead of makeswap@
57dc017c6b journald: don't ask for the machine ID if we don't need it
ac392a57c0 journalctl: pager_close() calls fflush(stdout) anyway as first thing
ee7dfadc82 journald: remove unused field
471073f1b5 journalctl: return EOPNOTSUPP if pcre is not enabled
002ededb61 man: drop reference to machined, add one for journald instead
fd3bd4be3b pid1: make TimeoutAbortSec settable for transient units
eb2ef4d664 pid1: fix setting of DefaultTimeoutAbortSec
1d75e29b23 shared/ask-password-api: modify keyctl break value
a16b1ee7e5 cryptsetup: reduce the chance that we will be OOM killed
4836fb010a core: write out correct field name when creating transient service units
3e2c547f6d udevd: don't use monitor after manager_exit()
d42f7d45a8 Revert "udevd: fix crash when workers time out after exit is signal caught"
c9a287eee8 man/systemd.link: Add missing verb *be*
a67a3ae04b man: document all pager variables for systemctl and systemd
3a8fce3f38 core.timer: fix "systemd-analyze dump" and docs syntax inconsistencies wrt OnTimezoneChange=
fdffd284b6 core/service: downgrade "scheduling restart" message to debug
733e7f19d3 travis: add missing closing quote sign
0d7b7817fc systemd-tmpfiles: don't install timer when service isn't installed either
0e7f83cd2b pam_systemd: prolong method call timeout when allocating session
(cherry picked from commit 53488b27be)
* remove no-op substitution of s6_addr16 -> s6_addr
This string doesn't exist anymore in that file.
* clean up configureFlags
(cherry picked from commit 43ec75d470)
This adds a patch from debian to switch ipmitool to openssl 1.1.
Upstream seems to already carry a version of this but that is yet to be
part of a release.
(cherry picked from commit ad19bb5ff8)
Also separate directory and file permissions so the certificate files
don't end up with the executable bit.
Fixes #81335
(cherry picked from commit 3575555fa8)
This package uses CMake's install(EXPORT ...) command which assumes that
libraries are installed in the same location as the CMake files.
(cherry picked from commit bdbbe6f34f)
The current weekly setting causes every NixOS server to try to renew
its certificate at midnight on the dot on Monday. This contributes to
the general problem of periodic load spikes for Let's Encrypt; NixOS
is probably not a major contributor to that problem, but we can lead by
example by picking good defaults here.
The values here were chosen after consulting with @yuriks, an SRE at
Let's Encrypt:
* Randomize the time certificates are renewed within a 24 hour period.
* Check for renewal every 24 hours, to ensure the certificate is always
renewed before an expiry notice is sent out.
* Increase the AccuracySec (thus lowering the accuracy(!)), so that
systemd can coalesce the renewal with other timers being run.
(You might be worried that this would defeat the purpose of the time
skewing, but systemd is documented as avoiding this by picking a
random time.)
(cherry picked from commit 7b14bbd734)
* pass IOKit to libfido2
* Add a patch so that cmake uses lld flags when linking
* Upgrade from 1.3.0 to 1.3.1 (based off #80781)
* Specify CMAKE_INSTALL_LIBDIR so that the demo binaries link
correctly on macOS and libfido2.pc specifies correct arguments
(cherry picked from commit 099359afc7)
There have been a couple of patches floating around for about the last
18 months. While they originated with FreeBSD, they've been
adopted by Gentoo and Debian as well---and the most straightforward
way to get access to them was from the Debian repository.
(cherry picked from commit b6b3e04759)
The subtest was mainly written to demonstrate the VRF-issues with a
5.x-kernel. However this breaks the entire test now as we have 5.4 as
default kernel. Disabling the test for now, I still need to find some
time to investigate.
ZHF: #80379
(cherry picked from commit 58c7a952a1)
We don't compile blender with alembic. The linux build is able to detect
that, but this is not done for darwin. This explicitly disables alembic
to fix blender build on darwin.
(cherry picked from commit ac560382c5)
cc #80155
nixpkgs prefers absolute install names. Replace the manually specified
relative install name with the standard hook.
(cherry picked from commit 1a73b69e20)
cc #81015
* nixos/gdm: Fix pulseaudio tmpfiles structure
Fix the following startup failure of the sound service in the gdm
session that was introduced by #75893:
```
Feb 16 11:44:15 qp pulseaudio[1432]: W: [pulseaudio] core-util.c: Failed to open configuration file '/run/gdm/.config/pulse//daemon.conf': Not a directory
Feb 16 11:44:15 qp pulseaudio[1432]: W: [pulseaudio] daemon-conf.c: Failed to open configuration file: Not a directory
Feb 16 11:44:15 qp systemd[1380]: pulseaudio.service: Main process exited, code=exited, status=1/FAILURE
Feb 16 11:44:15 qp systemd[1380]: pulseaudio.service: Failed with result 'exit-code'.
Feb 16 11:44:15 qp systemd[1380]: Failed to start Sound Service.
```
Co-authored-by: worldofpeace <worldofpeace@protonmail.ch>
(cherry picked from commit 44a4a3839c)
lego already bundles the chain with the certificate,[1] so the current
code, designed for simp_le, was resulting in duplicate certificate
chains, manifesting as "Chain issues: Incorrect order, Extra certs" on
the Qualys SSL Server Test.
cert.pem stays around as a symlink for backwards compatibility.
[1] 5cdc0002e9/acme/api/certificate.go (L40-L44)
(cherry picked from commit 8ecbd97f82)
Also disable tests until upstream test data issues are resolved.
See link in comment in code for more information.
(cherry picked from commit bf88bf47d1)
See https://hackage.haskell.org/package/store-0.7.2/changelog; 0.7.2 is just an
update to fix compilation with vector >= 0.12.1.1.
As such this also isn't needed on master, as the new version gets there
automatically through hackage updates.
Release notes:
irc: fix crash when receiving a malformed message 352 (who)
irc: fix crash when a new message 005 is received with longer nick prefixes
irc: fix crash when receiving a malformed message 324 (channel mode) (CVE-2020-8955)
(cherry picked from commit 2d77fc3053)
- Drop the Boost patch. The patch does not apply anymore and the new
CMake infrastructure picks up boost.
- Disable setuptools reStructuredText check. This check fails, but
is (as far as I understand) an upstream bug.
- Clean up derivation a bit.
(cherry picked from commit 0688cba0cd)
Ugarit only works with CHICKEN 4, not CHICKEN 5 (which is the default
version in nixpkgs since 69ef0702), so use the compiler and egg tools
from `chickenPackages_4` for ugarit and ugarit-manifest-maker.
(cherry picked from commit a6d39ee9db)
Monotonic timer test expects sleep(200ms) to take at most 1s. On
loaded systems like hydra, it's possible for such a test to take
longer than 1 second.
Tests expecting sleep(200ms) to take at least 175ms weren't removed,
because load shouldn't cause sleep to be shorter.
(cherry picked from commit 58af3177c0)
This reverts commit 6a756af3e7.
Currently zshenv by default only sets fpath and HELPDIR without exporting them.
A parent shell would also usually not set those variables as they are shell local.
It also sources a file called set-environment but this is protected by an
environment variable called __NIXOS_SET_ENVIRONMENT_DONE. Hence any modification
done by the parent shell should persist as long as __NIXOS_SET_ENVIRONMENT_DONE
is not unset.
This behavior deviates from what we do in bashrc and breaks common setups such
as tmux/mosh or screen.
Fixes #80437
(cherry picked from commit 55819e6c86)
It fails with:
src/gpu/gl/glx/GrGLMakeNativeInterface_glx.cpp:15:10: fatal error: GL/glx.h: No such file or directory
15 | #include <GL/glx.h>
(cherry picked from commit 3ad2c20fe6)
Otherwise it fails with:
In file included from /build/source/src/allegro/include/allegro/base.h:41,
from /build/source/src/allegro/include/allegro.h:25,
from /build/source/src/./she/alleg4/alleg_surface.h:11,
from /build/source/src/she/alleg4/alleg_surface.cpp:11:
/build/source/src/allegro/include/allegro/alcompat.h:44:22: error: conflicting declaration of C function 'fixed fadd(fixed, fixed)'
44 | AL_ALIAS(fixed fadd(fixed x, fixed y), fixadd(x, y))
| ^~~~
/build/source/src/allegro/include/allegro/internal/alconfig.h:164:49: note: in definition of macro 'AL_ALIAS'
164 | static __attribute__((unused)) __inline__ DECL \
| ^~~~
In file included from /nix/store/y57skwl8a5vbkrjrc30ygdw9vr1p6n19-gcc-9.2.0/include/c++/9.2.0/cmath:45,
from /nix/store/y57skwl8a5vbkrjrc30ygdw9vr1p6n19-gcc-9.2.0/include/c++/9.2.0/math.h:36,
from /build/source/src/./base/base.h:13,
from /build/source/src/./config.h:40,
from /build/source/src/she/alleg4/alleg_surface.cpp:8:
/nix/store/2v6pi2wj3lcsc3j48n7flx9mgqyii1lv-glibc-2.30-dev/include/bits/mathcalls-narrow.h:24:20: note: previous declaration 'float fadd(double, double)'
24 | __MATHCALL_NARROW (__MATHCALL_NAME (add), __MATHCALL_REDIR_NAME (add), 2);
| ^~~~~~~~~~~~~~~
(cherry picked from commit 0ded378b10)
The Hydra build [1] failed because it was unable to link to `LLVM9`; add
`llvmShared` to `passthru` in order to stay up to date with required
LLVM versions. Also quote the homepage URLs, since that's preferred.
[1] https://hydra.nixos.org/build/112989779/nixlog/1
(cherry picked from commit 502c0ee899)
The update checking mechanism references the tests, and thus
dbaafbbf73 turned it into a crash at
startup.
It isn't much use in nixpkgs, so we're better off without it.
(cherry picked from commit 0c403efde9)
The command module references the tests, and since all command modules
get imported at startup, dbaafbbf73
turned it into a startup crash.
Unless you're actively hacking on gsutil, this command isn't much use,
so we're better off without it.
(cherry picked from commit 5bda7e7fb2)
Same as efivar; I believe it doesn't really need LTO. I checked:
nix build -f nixos/release-combined.nix nixos.iso_minimal.i686-linux
(cherry picked from commit f595677418)
/cc ZHF: #80379
Pantheon's sideload broke:
```
meson.build:17:0: ERROR: Could not generate cargs for flatpak:
Package ostree-1 was not found in the pkg-config search path.
Perhaps you should add the directory containing `ostree-1.pc'
to the PKG_CONFIG_PATH environment variable
Package 'ostree-1', required by 'flatpak', not found
```
https://hydra.nixos.org/build/113077888
ZHF: #80379
(cherry picked from commit 461ea02544)
start_kdeinit reads its environment over a pipe from start_kdeinit_wrapper. For
security, each environment entry must be smaller than 4kb by default. Qt-based
applications in Nixpkgs may have larger environments, and the recent upgrade to
Plasma 5.17 pushed start_kdeinit_wrapper over the limit. The limit is now
extended to 16kb.
This problem was not detected during testing because the failure is silent:
start_kdeinit will continue with an empty environment. In other circumstances,
this strategy might work, but it does not work on NixOS. This failure is now
treated as a fatal error.
Fixes: #79707
(cherry picked from commit c75860918f)
This avoids using NIX_CFLAGS_COMPILE by switching to hardeningDisable.
The hack is also only needed for darwin sources and is not specific to
clang.
Co-authored-by: Dmitry Kalinkin <dmitry.kalinkin@gmail.com>
(cherry picked from commit 5ef4af7afc)
cc #79794
Note that we need to build from a tarball now to get the vendored
crates. A bit ugly to fetch tarballs from Hydra...
(cherry picked from commit dd7f6b0c6b)
Due to the support of the systemd-logind API the udev rules aren't
required anymore which renders this module useless [0].
Note: brightnessctl should now require a working D-Bus setup and a valid
local logind session for this to work.
[0]: https://github.com/NixOS/nixpkgs/pull/79663
(cherry picked from commit 5282bc9a74)
This should improve the speed of bootstrapping process.
Cost of evaluation also decreases a bit,
but I don't expect that will be significant.
(cherry picked from commit f6519103bf)
This leads to inconsistent results between local builds and
Hydra. Also Nix is not a general purpose language, we shouldn't be
parsing .git from inside Nix code.
(cherry picked from commit f0f040c3f7)
See 3fadc45499. Since the beta channel is now also on 81 and the stable
channel will be on 81 soon, it makes sense to already add this
unconditionally for all channels.
(cherry picked from commit 67f349d224)
Backport of #80074.
Some display managers (e.g. SDDM) set the XDG_CURRENT_DESKTOP variable according to this parameter.
If this variable is not defined, there will be some problems (e.g. MATE doesn't have icons on the desktop).
Fixes https://github.com/NixOS/nixpkgs/issues/71427
(cherry picked from commit f7768c939a)
In 0945178b3c we decided that Perl-based
VM tests should be deprecated and will be removed between 20.03 and
20.09. So let's switch `nixos-build-vms(8)` to python as well (which is
entirely interactive, so other scripts won't break).
In my experience, the test-driver isn't used most of the time, so this
patch is mainly supposed to get rid of the (probably misleading)
deprecation warning when running `nixos-build-vms`. Apart from that, the
interface for python's test-driver is way nicer.
(cherry picked from commit c391343fcd)
Otherwise knot tries to write to non-writable directories.
This for example breaks dnssec signing.
While it's possible to overwrite these paths in the configuration,
having sane defaults is nicer.
(cherry picked from commit 6adc09ed30)
The test scripts were unported.
It's unclear whether the preBuild or
postBuild will work as expected, due to
the linting of the test scripts.
(cherry picked from commit fa9af83e96)
3c74e48d9c was a bit too much, it updated
permissions of all files recursively, causing files to be readable by
the group.
This isn't a problem immediately after bootup, but on a new activation,
as tmpfiles.d get restarted then, updating the permission bits of
now-existing files.
This updates the `Z` to be a `z` (the non-recursive variant), and adds a
`d` to ensure a directory is created (which should be covered by the
initrd shell script anyway).
(cherry picked from commit 4c8bdd1c4f)
The nixos/moinmoin module uses gunicorn, however the 20.0 version
dropped python2 support which broke the module as there's no python3
port planned for moinmoin: http://moinmo.in/Python3
(cherry picked from commit d202e9eac2)
Attribute was removed in a4916fdea5 which
will land in 20.03, but breaks evaluation for everyone using
pinentry_qt5 on NixOS 19.09 when updating.
(cherry picked from commit 3d1007716c)
Test binaries are linked to the libraries at their install path, but
those are not installed when checkPhase executes.
(cherry picked from commit 7cc5d84cd7)
According to https://endoflife.software/programming-languages/server-side-scripting/ruby
ruby 2.4 will go end-of-life in March, where the new release of nixpkgs
will be cut. We won't be able to support it for security updates.
Remove all references to ruby_2_4 and add ruby_2_7 instead where
missing.
Mark packages that depend on ruby 2.4 as broken:
* chefdk
* sonic-pi
(cherry picked from commit bcdc90a3a7)
@@ -50,13 +50,12 @@ For package version upgrades and such a one-line commit message is usually suffi
## Backporting changes
Follow these steps to backport a change into a release branch in compliance with the [commit policy](https://nixos.org/nixpkgs/manual/#submitting-changes-stable-release-branches).
To [backport a change into a release branch](https://nixos.org/nixpkgs/manual/#submitting-changes-stable-release-branches):
1. Take note of the commits in which the change was introduced into `master` branch.
2. Check out the target _release branch_, e.g. `release-20.09`. Do not use a _channel branch_ like `nixos-20.09` or `nixpkgs-20.09`.
3. Create a branch for your change, e.g. `git checkout -b backport`.
4. When the reason to backport is not obvious from the original commit message, use `git cherry-pick -xe <original commit>` and add a reason. Otherwise use `git cherry-pick -x <original commit>`. That's fine for minor version updates that only include security and bug fixes, commits that fixes an otherwise broken package or similar. Please also ensure the commits exists on the master branch; in the case of squashed or rebased merges, the commit hash will change and the new commits can be found in the merge message at the bottom of the master pull request.
5. Push to GitHub and open a backport pull request. Make sure to select the release branch (e.g. `release-20.09`) as the target branch of the pull request, and link to the pull request in which the original change was comitted to `master`. The pull request title should be the commit title with the release version as prefix, e.g. `[20.09]`.
1. Take note of the commit in which the change was introduced into `master`.
2. Check out the target _release branch_, e.g. `release-20.03`. Do not use a _channel branch_ like `nixos-20.03` or `nixpkgs-20.03`.
3. Use `git cherry-pick -x <original commit>`.
4. Open your backport PR. Make sure to select the release branch (e.g. `release-20.03`) as the target branch of the PR, and link to the PR in which the original change was made to `master`.
<!-- Nixpkgs has a lot of new incoming Pull Requests, but not enough people to review this constant stream. Even if you aren't a committer, we would appreciate reviews of other PRs, especially simple ones like package updates. Just testing the relevant package/service and leaving a comment saying what you tested, how you tested it and whether it worked would be great. List of open PRs: <https://github.com/NixOS/nixpkgs/pulls>, for more about reviewing contributions: <https://hydra.nixos.org/job/nixpkgs/trunk/manual/latest/download/1/nixpkgs/manual.html#chap-reviewing-contributions>. Reviewing isn't mandatory, but it would help out a lot and reduce the average time-to-merge for all of us. Thanks a lot if you do! -->
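Review bot: step 5 of the new list has a typo, "comitted" should be "committed", and step 4 has two agreement slips: "commits that fixes an otherwise broken package" should read "commits that fix", and "ensure the commits exists on the master branch" should read "the commits exist". Step 4 also reads ambiguously, since "That's fine for minor version updates ..." directly follows the `git cherry-pick -x <original commit>` sentence and it is unclear whether "that" refers to omitting the reason or to backporting at all; consider "Omitting a reason is fine for minor version updates that only include security and bug fixes, ...".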
# Configuration for probot-stale - https://github.com/probot/stale
# Number of days of inactivity before an issue becomes stale
daysUntilStale:180
# Number of days of inactivity before a stale issue is closed
daysUntilClose:false
# Issues with these labels will never be considered stale
exemptLabels:
- "1.severity: security"
- 1.severity:security
# Label to use when marking an issue as stale
staleLabel:"2.status: stale"
staleLabel: 2.status:stale
# Comment to post when marking an issue as stale. Set to `false` to disable
pulls:
markComment:|
Hello, I'm a bot and I thank you in the name of the community for your contributions.
markComment:>
Thank you for your contributions.
Nixpkgs is a busy repository, and unfortunately sometimes PRs get left behind for too long. Nevertheless, we'd like to help committers reach the PRs that are still important. This PR has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human.
This has been automatically marked as stale because it has had no
activity for 180 days.
If this is still important to you and you'd like to remove the stale label, we ask that you leave a comment. Your comment can be as simple as "still important to me". But there's a bit more you can do:
If this is still important to you, we ask that you leave a
comment below. Your comment can be as simple as "still important
to me". This lets people see that at least one person still cares
about this. Someone will have to do this at most twice a year if
there is no other activity.
If you received an approval by an unprivileged maintainer and you are just waiting for a merge, you can @ mention someone with merge permissions and ask them to help. You might be able to find someone relevant by using [Git blame](https://git-scm.com/docs/git-blame) on the relevant files, or via [GitHub's web interface](https://docs.github.com/en/github/managing-files-in-a-repository/tracking-changes-in-a-file). You can see if someone's a member of the [nixpkgs-committers](https://github.com/orgs/NixOS/teams/nixpkgs-committers) team, by hovering with the mouse over their username on the web interface, or by searching them directly on [the list](https://github.com/orgs/NixOS/teams/nixpkgs-committers).
Here are suggestions that might help resolve this more quickly:
If your PR wasn't reviewed at all, it might help to find someone who's perhaps a user of the package or module you are changing, or alternatively, ask once more for a review by the maintainer of the package/module this is about. If you don't know any, you can use [Git blame](https://git-scm.com/docs/git-blame) on the relevant files, or [GitHub's web interface](https://docs.github.com/en/github/managing-files-in-a-repository/tracking-changes-in-a-file) to find someone who touched the relevant files in the past.
If your PR has had reviews and nevertheless got stale, make sure you've responded to all of the reviewer's requests / questions. Usually when PR authors show responsibility and dedication, reviewers (privileged or not) show dedication as well. If you've pushed a change, it's possible the reviewer wasn't notified about your push via email, so you can always [officially request them for a review](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/requesting-a-pull-request-review), or just @ mention them and say you've addressed their comments.
Lastly, you can always ask for help at [our Discourse Forum](https://discourse.nixos.org/), or more specifically, [at this thread](https://discourse.nixos.org/t/prs-in-distress/3604) or at [#nixos' IRC channel](https://webchat.freenode.net/#nixos).
issues:
markComment:|
Hello, I'm a bot and I thank you in the name of the community for opening this issue.
To help our human contributors focus on the most-relevant reports, I check up on old issues to see if they're still relevant. This issue has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human.
The community would appreciate your effort in checking if the issue is still valid. If it isn't, please close it.
If the issue persists, and you'd like to remove the stale label, you simply need to leave a comment. Your comment can be as simple as "still important to me". If you'd like it to get more attention, you can ask for help by searching for maintainers and people that previously touched related code and @ mention them in a comment. You can use [Git blame](https://git-scm.com/docs/git-blame) or [GitHub's web interface](https://docs.github.com/en/github/managing-files-in-a-repository/tracking-changes-in-a-file) on the relevant files to find them.
Lastly, you can always ask for help at [our Discourse Forum](https://discourse.nixos.org/) or at [#nixos' IRC channel](https://webchat.freenode.net/#nixos).
1. Search for maintainers and people that previously touched the
related code and @ mention them in a comment.
2. Ask on the [NixOS Discourse](https://discourse.nixos.org/).
3. Ask on the [#nixos channel](irc://irc.freenode.net/#nixos) on
[irc.freenode.net](https://freenode.net).
# Comment to post when closing a stale issue. Set to `false` to disable
-d '{"state": "failure", "target_url": " ", "description": "This failed status will be cleared when ofborg finishes eval.", "context": "Wait for ofborg"}' \
By default <function>buildImage</function> will use a static date of one second past the UNIX Epoch. This allows <function>buildImage</function> to produce binary reproducible images. When listing images with <command>docker images</command>, the newly created images will be listed like this:
</para>
<screen>
<prompt>$ </prompt>docker images
<screen><![CDATA[
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
hello latest 08c791c7846e 48 years ago 25.2MB
</screen>
]]></screen>
<para>
You can break binary reproducibility but have a sorted, meaningful <literal>CREATED</literal> column by setting <literal>created</literal> to <literal>now</literal>.
and now the Docker CLI will display a reasonable date and sort the images as expected:
<screen>
<prompt>$ </prompt>docker images
<screen><![CDATA[
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
hello latest de2bf4786de6 About a minute ago 25.2MB
</screen>
]]></screen>
however, the produced images will not be binary reproducible.
</para>
</example>
@@ -166,7 +166,7 @@ hello latest de2bf4786de6 About a minute ago 25.2MB
<title>buildLayeredImage</title>
<para>
Create a Docker image with many of the store paths being on their own layer to improve sharing between images. The image is realized into the Nix store as a gzipped tarball. Depending on the intended usage, many users might prefer to use <function>streamLayeredImage</function> instead, which this function uses internally.
Create a Docker image with many of the store paths being on their own layer to improve sharing between images.
Builds a script which, when run, will stream an uncompressed tarball of a Docker image to stdout. The arguments to this function are as for <function>buildLayeredImage</function>. This method of constructing an image does not realize the image into the Nix store, so it saves on IO and disk/cache space, particularly with large images.
</para>
<para>
The image produced by running the output script can be piped directly into <command>docker load</command>, to load it into the local docker daemon:
<screen><![CDATA[
$(nix-build) | docker load
]]></screen>
</para>
<para>
Alternatively, the image be piped via <command>gzip</command> into <command>skopeo</command>, e.g. to copy it into a registry:
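Review bot: the last paragraph of the hunk, "Alternatively, the image be piped via gzip into skopeo", is missing a verb and should read "the image can be piped". The `$(nix-build) | docker load` example also silently assumes that the current directory's default.nix evaluates to the stream script; a short sentence saying so, or showing `nix-build -A <attribute>` for a package set, would keep readers from piping the wrong derivation's output into the daemon.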
The <linkxlink:href="https://www.citrix.com/products/workspace-app/">Citrix Workspace App</link> is a remote desktop viewer which provides access to <linkxlink:href="https://www.citrix.com/products/xenapp-xendesktop/">XenDesktop</link> installations.
<note>
<para>
Please note that the <literal>citrix_receiver</literal> package has been deprecated since its development was <linkxlink:href="https://docs.citrix.com/en-us/citrix-workspace-app.html">discontinued by upstream</link> and has been replaced by <linkxlink:href="https://www.citrix.com/products/workspace-app/">the citrix workspace app</link>.
</para>
</note>
<linkxlink:href="https://www.citrix.com/products/receiver/">Citrix Receiver</link> and <linkxlink:href="https://www.citrix.com/products/workspace-app/">Citrix Workspace App</link> are a remote desktop viewers which provide access to <linkxlink:href="https://www.citrix.com/products/xenapp-xendesktop/">XenDesktop</link> installations.
</para>
<sectionxml:id="sec-citrix-base">
<title>Basic usage</title>
<para>
The tarball archive needs to be downloaded manually as the license agreements of the vendor for <linkxlink:href="https://www.citrix.de/downloads/workspace-app/linux/workspace-app-for-linux-latest.html">Citrix Workspace</link> needs to be accepted first. Then run <command>nix-prefetch-url file://$PWD/linuxx64-$version.tar.gz</command>. With the archive available in the store the package can be built and installed with Nix.
The tarball archive needs to be downloaded manually as the license agreements of the vendor for <linkxlink:href="https://www.citrix.com/downloads/citrix-receiver/">Citrix Receiver</link> or <linkxlink:href="https://www.citrix.de/downloads/workspace-app/linux/workspace-app-for-linux-latest.html">Citrix Workspace</link> need to be accepted first. Then run <command>nix-prefetch-url file://$PWD/linuxx64-$version.tar.gz</command>. With the archive available in the store the package can be built and installed with Nix.
</para>
</section>
<sectionxml:id="sec-citrix-selfservice">
<title>Citrix Selfservice</title>
<para>
The <linkxlink:href="https://support.citrix.com/article/CTX200337">selfservice</link> is an application managing Citrix desktops and applications. Please note that this feature only works with at least <package>citrix_workspace_20_06_0</package> and later versions.
</para>
<para>
In order to set this up, you first have to <linkxlink:href="https://its.uiowa.edu/support/article/102186">download the <literal>.cr</literal> file from the Netscaler Gateway</link>. After that you can configure the <command>selfservice</command> like this:
<title>Caution with <command>nix-shell</command> installs</title>
<para>
It's recommended to install <literal>Citrix Receiver</literal> and/or <literal>Citrix Workspace</literal> using <literal>nix-env -i</literal> or globally to ensure that the <literal>.desktop</literal> files are installed properly into <literal>$XDG_CONFIG_DIRS</literal>. Otherwise it won't be possible to open <literal>.ica</literal> files automatically from the browser to start a Citrix connection.
</para>
</warning>
</section>
<sectionxml:id="sec-citrix-custom-certs">
<title>Custom certificates</title>
<para>
The <literal>Citrix Workspace App</literal> in <literal>nixpkgs</literal> trusts several certificates <linkxlink:href="https://curl.haxx.se/docs/caextract.html">from the Mozilla database</link> by default. However several companies using Citrix might require their own corporate certificate. On distros with imperative packaging these certs can be stored easily in <linkxlink:href="https://developer-docs.citrix.com/projects/receiver-for-linux-command-reference/en/13.7/"><literal>$ICAROOT</literal></link>, however this directory is a store path in <literal>nixpkgs</literal>. In order to work around this issue the package provides a simple mechanism to add custom certificates without rebuilding the entire package using <literal>symlinkJoin</literal>:
The <literal>Citrix Workspace App</literal> in <literal>nixpkgs</literal> trust several certificates <linkxlink:href="https://curl.haxx.se/docs/caextract.html">from the Mozilla database</link> by default. However several companies using Citrix might require their own corporate certificate. On distros with imperative packaging these certs can be stored easily in <linkxlink:href="https://developer-docs.citrix.com/projects/receiver-for-linux-command-reference/en/13.7/"><literal>$ICAROOT</literal></link>, however this directory is a store path in <literal>nixpkgs</literal>. In order to work around this issue the package provides a simple mechanism to add custom certificates without rebuilding the entire package using <literal>symlinkJoin</literal>:
Use <programlisting>programs.steam.enable = true;</programlisting> if you want to add Steam to <literal>systemPackages</literal> and also enable a few workarounds as well as Steam controller support or other Steam-supported controllers such as the DualShock 4 or Nintendo Switch Pro.
if you are using PulseAudio, this will enable 32-bit ALSA app integration. To use the Steam controller or other Steam-supported controllers such as the DualShock 4 or Nintendo Switch Pro, you need to add
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/misc/jdiskreport/default.nix"><filename>pkgs/tools/misc/jdiskreport/default.nix</filename></link>. Nixpkgs doesn’t have a decent <varname>stdenv</varname> for Java yet so this is pretty ad-hoc.
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/misc/jdiskreport/default.nix"><filename>pkgs/tools/misc/jdiskreport/default.nix</filename></link> (and the <link
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/misc/jdiskreport/builder.sh">builder</link>). Nixpkgs doesn’t have a decent <varname>stdenv</varname> for Java yet so this is pretty ad-hoc.
If a security fix applies to both master and a stable release then, similar to regular changes, they are preferably delivered via master first and cherry-picked to the release branch.
or can be called as in the [Compiling Agda](#compiling-agda) section.
If you want to use a library in your home directory (for instance if it is a development version) then typecheck it manually (using `agda.withPackages` if necessary) and then override the `src` attribute of the package to point to your local repository.
Agda will not by default use these libraries. To tell agda to use the library we have some options:
- Call `agda` with the library flag:
```
$ agda -l standard-library -i . MyFile.agda
```
- Write a `my-library.agda-lib` file for the project you are working on which may look like:
```
name: my-library
include: .
depend: standard-library
```
- Create the file `~/.agda/defaults` and add any libraries you want to use by default.
More information can be found in the [official Agda documentation on library management](https://agda.readthedocs.io/en/v2.6.1/tools/package-system.html).
## Compiling Agda
Agda modules can be compiled with the `--compile` flag. A version of `ghc` with `ieee` is made available to the Agda program via the `--with-compiler` flag.
This can be overridden by a different version of `ghc` as follows:
```nix
agda.withPackages {
pkgs = [ ... ];
ghc = haskell.compiler.ghcHEAD;
}
```
## Writing Agda packages
To write a nix derivation for an agda library, first check that the library has a `*.agda-lib` file.
A derivation can then be written using `agdaPackages.mkDerivation`. This has similar arguments to `stdenv.mkDerivation` with the following additions:
+ `everythingFile` can be used to specify the location of the `Everything.agda` file, defaulting to `./Everything.agda`. If this file does not exist then either it should be patched in or the `buildPhase` should be overridden (see below).
+ `libraryName` should be the name that appears in the `*.agda-lib` file, defaulting to `pname`.
+ `libraryFile` should be the file name of the `*.agda-lib` file, defaulting to `${libraryName}.agda-lib`.
### Building Agda packages
The default build phase for `agdaPackages.mkDerivation` simply runs `agda` on the `Everything.agda` file.
If something else is needed to build the package (e.g. `make`) then the `buildPhase` should be overridden.
Additionally, a `preBuild` or `configurePhase` can be used if there are steps that need to be done prior to checking the `Everything.agda` file.
`agda` and the Agda libraries contained in `buildInputs` are made available during the build phase.
### Installing Agda packages
The default install phase copies agda source files, agda interface files (`*.agdai`) and `*.agda-lib` files to the output directory.
This can be overridden.
By default, Agda sources are files ending in `.agda`, or literate Agda files ending in `.lagda`, `.lagda.tex`, `.lagda.org`, `.lagda.md`, `.lagda.rst`. The list of recognised Agda source extensions can be extended by setting the `extraExtensions` config variable.
To add an agda package to `nixpkgs`, the derivation should be written to `pkgs/development/libraries/agda/${library-name}/` and an entry should be added to `pkgs/top-level/agda-packages.nix`. Here it is called in a scope with access to all other agda libraries, so the top line of the `default.nix` can look like:
and `mkDerivation` should be called instead of `agdaPackages.mkDerivation`. Here is an example skeleton derivation for iowa-stdlib:
```nix
mkDerivation {
version = "1.5.0";
pname = "iowa-stdlib";
src = ...
libraryFile = "";
libraryName = "IAL-1.3";
buildPhase = ''
patchShebangs find-deps.sh
make
'';
}
```
This library has a file called `.agda-lib`, and so we give an empty string to `libraryFile` as nothing precedes `.agda-lib` in the filename. This file contains `name: IAL-1.3`, and so we let `libraryName = "IAL-1.3"`. This library does not use an `Everything.agda` file and instead has a Makefile, so there is no need to set `everythingFile` and we set a custom `buildPhase`.
When writing an Agda package it is essential to make sure that no `.agda-lib` file gets added to the store as a single file (for example by using `writeText`). This causes Agda to think that the Nix store is an Agda library, and it will attempt to write to it whenever it typechecks something. See [https://github.com/agda/agda/issues/4613](https://github.com/agda/agda/issues/4613).
This mode is far more powerful, since it uses `nix` for dependency management of emscripten libraries and targets through the `mkDerivation` implemented by `pkgs.emscriptenStdenv` and `pkgs.buildEmscriptenPackage`. The source for the packages is in `pkgs/top-level/emscripten-packages.nix` and the abstraction behind it in `pkgs/development/em-modules/generic/default.nix`.
* build and install all packages:
  * `nix-env -iA emscriptenPackages`
* dev-shell for zlib implementation hacking:
  * `nix-shell -A emscriptenPackages.zlib`
## Imperative usage
@@ -90,7 +90,7 @@ See the `zlib` example:
libz.so.${old.version} -I . -o example.js
echo "Using node to execute the test"
${pkgs.nodejs}/bin/node ./example.js
${pkgs.nodejs}/bin/node ./example.js
set +x
if [ $? -ne 0 ]; then
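Review bot: `if [ $? -ne 0 ]; then` at the end of this hunk tests the exit status of `set +x`, not of the `${pkgs.nodejs}/bin/node ./example.js` invocation above it, so a failing example is never detected. Save the status before disabling tracing, e.g. `${pkgs.nodejs}/bin/node ./example.js; rc=$?`, then `set +x`, then `if [ $rc -ne 0 ]; then`.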
@@ -112,7 +112,7 @@ See the `zlib` example:
### Usage 2: pkgs.buildEmscriptenPackage
This `xmlmirror` example features a emscriptenPackage which is defined completely from this context and no `pkgs.zlib.override` is used.
This `xmlmirror` example features a emscriptenPackage which is defined completely from this context and no `pkgs.zlib.override` is used.
xmlmirror = pkgs.buildEmscriptenPackage rec {
name = "xmlmirror";
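Review bot: "features a emscriptenPackage" in the sentence this hunk touches should read "an emscriptenPackage"; since the line is being changed anyway, fix the article here.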
@@ -163,7 +163,7 @@ This `xmlmirror` example features a emscriptenPackage which is defined completel
checkPhase = ''
'';
};
};
### Declarative debugging
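Review bot: `checkPhase = '' '';` at the top of this hunk leaves the check phase empty, so the build reports success without exercising the package at all. Either put the package's actual test command there or add a comment explaining why the phase is intentionally empty.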
@@ -182,3 +182,4 @@ Use `nix-shell -I nixpkgs=/some/dir/nixpkgs -A emscriptenPackages.libz` and from
Using this toolchain makes it easy to leverage `nix` from NixOS, MacOSX or even Windows (WSL+ubuntu+nix). This toolchain is reproducible, behaves like the rest of the packages from nixpkgs and contains a set of well working examples to learn and adapt from.
Icon themes may inherit from other icon themes. The inheritance is specified using the <literal>Inherits</literal> key in the <filename>index.theme</filename> file distributed with the icon theme. According to the <link xlink:href="https://specifications.freedesktop.org/icon-theme-spec/icon-theme-spec-latest.html">icon theme specification</link>, icons not provided by the theme are looked for in its parent icon themes. Therefore the parent themes should be installed as dependencies for a more complete experience regarding the icon sets used.
</para>
<para>
The package <package>hicolor-icon-theme</package> provides a setup hook which makes symbolic links for the parent themes into the directory <filename>share/icons</filename> of the current theme directory in the nix store, making sure they can be found at runtime. For that to work the packages providing parent icon themes should be listed as propagated build dependencies, together with <package>hicolor-icon-theme</package>.
</para>
<para>
Also make sure that <filename>icon-theme.cache</filename> is installed for each theme provided by the package, and set <code>dontDropIconThemeCache</code> to <code>true</code> so that the cache file is not removed by the <package>gtk3</package> setup hook.
description = "Simple command-line snippet manager, written in Go";
homepage = "https://github.com/knqyf263/pet";
homepage = https://github.com/knqyf263/pet;
license = licenses.mit;
maintainers = with maintainers; [ kalbasit ];
platforms = platforms.linux ++ platforms.darwin;
@@ -60,7 +56,7 @@ pet = buildGoModule rec {
<calloutlist>
<calloutarearefs='ex-buildGoModule-1'>
<para>
<varname>vendorSha256</varname> is the hash of the output of the intermediate fetcher derivation.
<varname>modSha256</varname> is the hash of the output of the intermediate fetcher derivation.
</para>
</callout>
<calloutarearefs='ex-buildGoModule-2'>
@@ -68,26 +64,16 @@ pet = buildGoModule rec {
<varname>subPackages</varname> limits the builder from building child packages that have not been listed. If <varname>subPackages</varname> is not specified, all child packages will be built.
</para>
</callout>
<calloutarearefs='ex-buildGoModule-3'>
<para>
<varname>deleteVendor</varname> removes the pre-existing vendor directory and fetches the dependencies. This should only be used if the dependencies included in the vendor folder are broken or incomplete.
</para>
</callout>
<calloutarearefs='ex-buildGoModule-4'>
<para>
<varname>runVend</varname> runs the vend command to generate the vendor directory. This is useful if your code depends on c code and go mod tidy does not include the needed sources to build.
</para>
</callout>
</calloutlist>
</para>
<para>
<varname>vendorSha256</varname> can also take <varname>null</varname> as an input.
<varname>modSha256</varname> can also take <varname>null</varname> as an input.
When `null` is used as a value, rather than fetching the dependencies
and vendoring them, we use the vendoring included within the source repo.
If you'd like to not have to update this field on dependency changes,
run `go mod vendor` in your source repo and set 'vendorSha256 = null;'
When `null` is used as a value, the derivation won't be a
fixed-output derivation but disable the build sandbox instead. This can be useful outside
of nixpkgs where re-generating the modSha256 on each mod.sum changes is cumbersome,
but will fail to build by Hydra, as builds with a disabled sandbox are discouraged.
</para>
</section>
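Review bot: the new paragraph beginning "When `null` is used as a value, rather than fetching the dependencies" uses Markdown backticks and single quotes ('vendorSha256 = null;') inside a DocBook <para>; they will render literally. Wrap them as <literal>null</literal>, <literal>go mod vendor</literal> and <literal>vendorSha256 = null;</literal> to match the rest of the section.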
@@ -205,6 +191,18 @@ deis = buildGoPackage rec {
To extract dependency information from a Go package in automated way use <linkxlink:href="https://github.com/kamilchm/go2nix">go2nix</link>. It can produce complete derivation and <varname>goDeps</varname> file for Go programs.
</para>
<para>
<varname>buildGoPackage</varname> produces <xreflinkend='chap-multiple-output'xrefstyle="select: title"/> where <varname>bin</varname> includes program binaries. You can test build a Go binary as follows:
<screen>
<prompt>$ </prompt>nix-build -A deis.bin
</screen>
or build all outputs with:
<screen>
<prompt>$ </prompt>nix-build -A deis.all
</screen>
<varname>bin</varname> output will be installed by default with <varname>nix-env -i</varname> or <varname>systemPackages</varname>.
</para>
<para>
You may use Go packages installed into the active Nix profiles by adding the following to your ~/.bashrc:
The <link linkend="chap-stdenv">standard build environment</link> makes it easy to build typical Autotools-based packages with very little code. Any other kind of package can be accommodated by overriding the appropriate phases of <literal>stdenv</literal>. However, there are specialised functions in Nixpkgs to easily build packages for other programming languages, such as Perl or Haskell. These are described in this chapter.
Again, it is possible to launch the interpreter from the shell.
The Lua interpreter has the attribute `pkgs` which contains all Lua libraries for that specific interpreter.
## Developing with Lua
Now that you know how to get a working Lua environment with Nix, it is time
to go forward and start actually developing with Lua. There are two ways to
package Lua software: either it is on luarocks, in which case most of the work
can be done by the luarocks2nix converter, or the packaging has to be done manually.
We present the luarocks way first and the manual one afterwards.
### Packaging a library on luarocks
[Luarocks.org](www.luarocks.org) is the main repository of Lua packages.
The site offers two types of packages, the rockspec and the src.rock
(equivalent of a [rockspec](https://github.com/luarocks/luarocks/wiki/Rockspec-format) but with the source included).
These packages can have different build types such as `cmake`, `builtin`, etc.
Luarocks-based packages are generated in pkgs/development/lua-modules/generated-packages.nix from
the whitelist maintainers/scripts/luarocks-packages.csv and updated by running maintainers/scripts/update-luarocks-packages.
[luarocks2nix](https://github.com/nix-community/luarocks) is a tool capable of generating nix derivations from both rockspec and src.rock (and favors the src.rock).
The automation only goes so far though and some packages need to be customized.
These customizations go in `pkgs/development/lua-modules/overrides.nix`.
For instance, if the rockspec defines `external_dependencies`, these need to be added manually in the override; otherwise the package won't build.
You can try converting luarocks packages to nix packages with the command `nix-shell -p luarocks-nix` and then `luarocks nix PKG_NAME`.
Nix relies on luarocks to install Lua packages; basically it runs:
`luarocks make --deps-mode=none --tree $out`
#### Packaging a library manually
You can develop your package as you usually would, just don't forget to wrap it
within a `toLuaModule` call, for instance
```nix
mynewlib = toLuaModule (stdenv.mkDerivation { ... });
```
There is also the `buildLuaPackage` function that can be used when lua modules
are not packaged for luarocks. You can see a few examples at `pkgs/top-level/lua-packages.nix`.
## Lua Reference
### Lua interpreters
Versions 5.1, 5.2 and 5.3 of the lua interpreter are available as
respectively `lua5_1`, `lua5_2` and `lua5_3`. Luajit is available too.
The Nix expressions for the interpreters can be found in `pkgs/development/interpreters/lua-5`.
#### Attributes on lua interpreters packages
Each interpreter has the following attributes:
- `interpreter`. Alias for `${pkgs.lua}/bin/lua`.
- `buildEnv`. Function to build Lua interpreter environments with extra packages bundled together. See section *lua.buildEnv function* for usage and documentation.
- `withPackages`. Simpler interface to `buildEnv`.
- `pkgs`. Set of Lua packages for that specific interpreter. The package set can be modified by overriding the interpreter and passing `packageOverrides`.
#### `buildLuarocksPackage` function
The `buildLuarocksPackage` function is implemented in `pkgs/development/interpreters/lua-5/build-lua-package.nix`
The `buildLuarocksPackage` delegates most tasks to luarocks:
* it adds `luarocks` as an unpacker for `src.rock` files (zip files really).
* `configurePhase` writes a temporary luarocks configuration file whose location
is exported via the environment variable `LUAROCKS_CONFIG`.
* the `buildPhase` does nothing.
* `installPhase` calls `luarocks make --deps-mode=none --tree $out` to build and
install the package.
* In the `postFixup` phase, the `wrapLuaPrograms` bash function is called to
wrap all programs in the `$out/bin/*` directory to include the `$PATH`
environment variable and add dependent libraries to the script's `LUA_PATH` and
`LUA_CPATH`.
By default `meta.platforms` is set to the same value as the interpreter unless overridden otherwise.
#### `buildLuaApplication` function
The `buildLuaApplication` function is practically the same as `buildLuaPackage`.
The difference is that `buildLuaPackage` by default prefixes the names of the packages with the version of the interpreter.
Because with an application we're not interested in multiple versions, the prefix is dropped.
#### lua.withPackages function
`lua.withPackages` takes a function as an argument; the function is passed the set of Lua packages and returns the list of packages to be included in the environment.
Using the `withPackages` function, the previous example for the luafilesystem environment can be written like this:
```nix
with import <nixpkgs> {};
lua.withPackages (ps: [ ps.luafilesystem ])
```
`withPackages` passes the correct package set for the specific interpreter version as an argument to the function. In the above example, `ps` equals `luaPackages`.
But you can also easily switch to using `lua5_2`:
```nix
with import <nixpkgs> {};
lua5_2.withPackages (ps: [ ps.lua ])
```
Now, `ps` is set to `lua52Packages`, matching the version of the interpreter.
### Possible Todos
* export/use version specific variables such as `LUA_PATH_5_2`/`LUAROCKS_CONFIG_5_2`
* let luarocks check for dependencies via exporting the different rocktrees in temporary config
### Lua Contributing guidelines
The following rules should be respected:
* Make sure libraries build for all Lua interpreters.
* Commit names of Lua libraries should reflect that they are Lua libraries, so write for example `luaPackages.luafilesystem: 1.11 -> 1.12`.
Lua packages are built by the <varname>buildLuaPackage</varname> function. This function is implemented in <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/lua-modules/generic/default.nix"><filename>pkgs/development/lua-modules/generic/default.nix</filename></link> and works similarly to <varname>buildPerlPackage</varname>. (See <xref linkend="sec-language-perl"/> for details.)
</para>
<para>
Lua packages are defined in <link xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/top-level/lua-packages.nix"><filename>pkgs/top-level/lua-packages.nix</filename></link>. Most of them are simple. For example:
Lua packages accept an additional parameter <varname>disabled</varname>, which defines the condition for excluding the package from luaPackages. For example, if a package has <varname>disabled</varname> set to <literal>lua.luaversion != "5.1"</literal>, it will not be included in any luaPackages except lua51Packages, so it is only built for Lua 5.1.
@@ -12,9 +12,10 @@ When it is desired to use NPM libraries in a development project, use the
`node2nix` generator directly on the `package.json` configuration file of the
project.
The package set provides support for the official stable Node.js versions.
The latest stable LTS release in `nodePackages`, as well as the latest stable
Current release in `nodePackages_latest`.
The package set also provides support for multiple Node.js versions. The policy
is that a new package should be added to the collection for the latest stable LTS
release (which is currently 10.x), unless there is an explicit reason to support
a different release.
If your package uses native addons, you need to examine what kind of native
build system it uses. Here are some examples:
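Review bot: the replacement paragraph ("The package set provides support for the official stable Node.js versions ...") drops the policy sentence that a new package should be added for the latest stable LTS release unless there is an explicit reason to support a different release. If that policy still holds, keep it next to the `nodePackages` / `nodePackages_latest` description so contributors know which set to target.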
@@ -25,25 +26,24 @@ build system it uses. Here are some examples:
After you have identified the correct system, you need to override your package
expression while adding in build system as a build input. For example, `dat`
requires `node-gyp-build`, so [we override](https://github.com/NixOS/nixpkgs/blob/32f5e5da4a1b3f0595527f5195ac3a91451e9b56/pkgs/development/node-packages/default.nix#L37-L40) its expression in [`default.nix`](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/node-packages/default.nix):
requires `node-gyp-build`, so we override its expression in `default-v10.nix`:
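Review bot: the new sentence links `default.nix` on `master` right after a permalink pinned to commit 32f5e5da with a line range; the `master` link will drift as the file changes while the pinned one will not. Consider pinning both to the same commit, or dropping the second link.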
When executing a Perl script, it is possible you get an error such as <literal>./myscript.pl: bad interpreter: /usr/bin/perl: no such file or directory</literal>. This happens when the script expects Perl to be installed at <filename>/usr/bin/perl</filename>, which is not the case when using Perl from nixpkgs. You can fix the script by changing the first line to:
<programlisting>
#!/usr/bin/env perl
</programlisting>
to take the Perl installation from the <literal>PATH</literal> environment variable, or invoke Perl directly with:
<screen>
<prompt>$ </prompt>perl ./myscript.pl
</screen>
</para>
<para>
When the script is using a Perl library that is not installed globally, you might get an error such as <literal>Can't locate DB_File.pm in @INC (you may need to install the DB_File module)</literal>. In that case, you can use <command>nix-shell</command> to start an ad-hoc shell with that library installed, for instance:
If you are always using the script in places where <command>nix-shell</command> is available, you can embed the <command>nix-shell</command> invocation in the shebang like this:
<programlisting>
#!/usr/bin/env nix-shell
#! nix-shell -i perl -p perl perlPackages.DBFile
</programlisting>
</para>
</section>
<section xml:id="ssec-perl-packaging">
<title>Packaging Perl programs</title>
<para>
Nixpkgs provides a function <varname>buildPerlPackage</varname>, a generic package builder function for any Perl package that has a standard <varname>Makefile.PL</varname>. It’s implemented in <link
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/top-level/perl-packages.nix"><filename>pkgs/top-level/perl-packages.nix</filename></link>, rather than <filename>pkgs/all-packages.nix</filename>. Most Perl packages are so straight-forward to build that they are defined here directly, rather than having a separate function for each package called from <filename>perl-packages.nix</filename>. However, more complicated packages should be put in a separate file, typically in <filename>pkgs/development/perl-modules</filename>. Here is an example of the former:
<para>
Perl packages from CPAN are defined in <link
xlink:href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/top-level/perl-packages.nix"><filename>pkgs/top-level/perl-packages.nix</filename></link>, rather than <filename>pkgs/all-packages.nix</filename>. Most Perl packages are so straight-forward to build that they are defined here directly, rather than having a separate function for each package called from <filename>perl-packages.nix</filename>. However, more complicated packages should be put in a separate file, typically in <filename>pkgs/development/perl-modules</filename>. Here is an example of the former:
Note the use of <literal>mirror://cpan/</literal>, and the <literal>${name}</literal> in the URL definition to ensure that the name attribute is consistent with the source that we’re actually downloading. Perl packages are made available in <filename>all-packages.nix</filename> through the variable <varname>perlPackages</varname>. For instance, if you have a package that needs <varname>ClassC3</varname>, you would typically write
<programlisting>
foo = import ../path/to/foo.nix {
inherit stdenv fetchurl ...;
inherit (perlPackages) ClassC3;
};
</programlisting>
in <filename>all-packages.nix</filename>. You can test building a Perl package as follows:
<screen>
<prompt>$ </prompt>nix-build -A perlPackages.ClassC3
</screen>
<varname>buildPerlPackage</varname> adds <literal>perl-</literal> to the start of the name attribute, so the package above is actually called <literal>perl-Class-C3-0.21</literal>. So to install it, you can say:
<screen>
<prompt>$ </prompt>nix-env -i perl-Class-C3
</screen>
(Of course you can also install using the attribute name: <literal>nix-env -i -A perlPackages.ClassC3</literal>.)
</para>
</para>
<para>
So what does <varname>buildPerlPackage</varname> do? It does the following:
<orderedlist>
<listitem>
<para>
In the configure phase, it calls <literal>perl Makefile.PL</literal> to generate a Makefile. You can set the variable <varname>makeMakerFlags</varname> to pass flags to <filename>Makefile.PL</filename>
</para>
</listitem>
<listitem>
<para>
It adds the contents of the <envar>PERL5LIB</envar> environment variable to <literal>#! .../bin/perl</literal> line of Perl scripts as <literal>-I<replaceable>dir</replaceable></literal> flags. This ensures that a script can find its dependencies. (This can cause this shebang line to become too long for Darwin to handle; see the note below.)
</para>
</listitem>
<listitem>
<para>
In the fixup phase, it writes the propagated build inputs (<varname>propagatedBuildInputs</varname>) to the file <filename>$out/nix-support/propagated-user-env-packages</filename>. <command>nix-env</command> recursively installs all packages listed in this file when you install a package that has it. This ensures that a Perl package can find its dependencies.
</para>
</listitem>
</orderedlist>
</para>
<para>
<varname>buildPerlPackage</varname> is built on top of <varname>stdenv</varname>, so everything can be customised in the usual way. For instance, the <literal>BerkeleyDB</literal> module has a <varname>preConfigure</varname> hook to generate a configuration file used by <filename>Makefile.PL</filename>:
<programlisting>
{ buildPerlPackage, fetchurl, db }:
@@ -111,10 +78,10 @@ buildPerlPackage rec {
'';
}
</programlisting>
</para>
</para>
<para>
Dependencies on other Perl packages can be specified in the <varname>buildInputs</varname> and <varname>propagatedBuildInputs</varname> attributes. If something is exclusively a build-time dependency, use <varname>buildInputs</varname>; if it’s (also) a runtime dependency, use <varname>propagatedBuildInputs</varname>. For instance, this builds a Perl module that has runtime dependencies on a bunch of other modules:
On Darwin, if a script has too many <literal>-I<replaceable>dir</replaceable></literal> flags in its first line (its “shebang line”), it will not run. This can be worked around by calling the <literal>shortenPerlShebang</literal> function from the <literal>postInstall</literal> phase:
This will remove the <literal>-I</literal> flags from the shebang line, rewrite them in the <literal>use lib</literal> form, and put them on the next line instead. This function can be given any number of Perl scripts as arguments; it will modify them in-place.
</para>
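An added example, not from the nixpkgs manual, pulling together the conventions from this section: <literal>mirror://cpan/</literal> URLs that reuse <literal>${name}</literal>, runtime dependencies in <varname>propagatedBuildInputs</varname>, and <literal>shortenPerlShebang</literal> from <literal>postInstall</literal> on Darwin. The CPAN author paths, the <literal>Example-Tool</literal> package and the hashes are placeholders.

```nix
# Added example, not the manual's or nixpkgs' own code. The CPAN author
# paths, the Example-Tool package and all sha256 values are placeholders.
{ lib, stdenv, fetchurl, buildPerlPackage, perlPackages, shortenPerlShebang }:

rec {
  # A plain CPAN module. buildPerlPackage prefixes the name, so this
  # derivation ends up as perl-Class-C3-0.21 (see the text above).
  ClassC3 = buildPerlPackage rec {
    name = "Class-C3-0.21";
    src = fetchurl {
      # ${name} keeps the tarball name in lockstep with the name attribute;
      # the author path F/FL/FLORA is assumed, not taken from the manual.
      url = "mirror://cpan/authors/id/F/FL/FLORA/${name}.tar.gz";
      # Placeholder: a real fixed-output hash pins the exact tarball, which is
      # what makes the build reproducible and tamper-evident.
      sha256 = "0000000000000000000000000000000000000000000000000000";
    };
  };

  # A hypothetical tool that installs a script. Its modules are needed at
  # run time, so they go in propagatedBuildInputs rather than buildInputs;
  # buildPerlPackage then adds them to the script's shebang as -I flags.
  ExampleTool = buildPerlPackage rec {
    name = "Example-Tool-1.0";                                          # hypothetical
    src = fetchurl {
      url = "mirror://cpan/authors/id/E/EX/EXAMPLE/${name}.tar.gz";     # placeholder path
      sha256 = "0000000000000000000000000000000000000000000000000000"; # placeholder
    };
    propagatedBuildInputs = [ ClassC3 perlPackages.DBFile ];

    # On Darwin a long list of -I flags makes the shebang line unusable.
    # shortenPerlShebang (a setup hook, added to nativeBuildInputs) strips
    # them and rewrites them as a `use lib` line below the shebang.
    nativeBuildInputs = lib.optional stdenv.isDarwin shortenPerlShebang;
    postInstall = lib.optionalString stdenv.isDarwin ''
      shortenPerlShebang $out/bin/example-tool
    '';
  };
}
```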
<section xml:id="ssec-generation-from-CPAN">
<title>Generation from CPAN</title>
<para>
Nix expressions for Perl packages can be generated (almost) automatically from CPAN. This is done by the program <command>nix-generate-from-cpan</command>, which can be installed as follows:
</para>
<para>
This program takes a Perl module name, looks it up on CPAN, fetches and unpacks the corresponding package, and prints a Nix expression on standard output. For example:
</para>
<para>
The output can be pasted into <filename>pkgs/top-level/perl-packages.nix</filename> or wherever else you need it.
</para>
</section>
<section xml:id="ssec-perl-cross-compilation">
<title>Cross-compiling modules</title>
<para>
Nixpkgs has experimental support for cross-compiling Perl modules. In many cases, it will just work out of the box, even for modules with native extensions. Sometimes, however, the Makefile.PL for a module may (indirectly) import a native module. In that case, you will need to make a stub for that module that will satisfy the Makefile.PL and install it into <filename>lib/perl5/site_perl/cross_perl/${perl.version}</filename>. See the <varname>postInstall</varname> for <varname>DBI</varname> for an example.
</para>
</section>
For tools written in Ruby - i.e. where the desire is to install a package and then execute e.g. <command>rake</command> at the command line, there is an alternative builder called <literal>bundlerApp</literal>. Set up the <filename>gemset.nix</filename> the same way, and then, for example:
</para>
<programlisting>
<screen>
<![CDATA[{ lib, bundlerApp }:
bundlerApp {
@@ -68,13 +69,13 @@ bundlerApp {
meta = with lib; {
description = "Tool and libraries for maintaining Ruby gems.";
homepage = "https://github.com/nyarly/corundum";
homepage = https://github.com/nyarly/corundum;
license = licenses.mit;
maintainers = [ maintainers.nyarly ];
platforms = platforms.unix;
};
}]]>
</programlisting>
</screen>
<para>
The chief advantage of <literal>bundlerApp</literal> over <literal>bundlerEnv</literal> is the executables introduced in the environment are precisely those selected in the <literal>exes</literal> list, as opposed to <literal>bundlerEnv</literal> which adds all the executables made available by gems in the gemset, which can mean e.g. <command>rspec</command> or <command>rake</command> in unpredictable versions available from various packages.
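Review bot: the two `homepage` lines in this hunk differ only in quoting (`homepage = "https://github.com/nyarly/corundum";` versus the bare `homepage = https://github.com/nyarly/corundum;`); keep the quoted string, since nixpkgs no longer uses bare URL literals in package metadata. The same hunk also swaps the wrapper of the listing between `<programlisting>` and `<screen>`; a Nix expression is source code rather than terminal output, so `<programlisting>` is the element that matches how the rest of the manual wraps Nix snippets, and the choice should be made consistently across both ends of the block.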
Sometimes plugins require an override that must be changed when the plugin is updated. This can cause issues when Vim plugins are auto-updated but the associated override isn't updated. For these plugins, the override should be written so that it specifies all information required to install the plugin, and running `./update.py` doesn't change the derivation for the plugin. Manually updating the override is required to update these types of plugins. An example of such a plugin is `LanguageClient-neovim`.
To add a new plugin, run `./update.py --add "[owner]/[name]"`. **NOTE**: This script automatically commits to your git repository. Be sure to check out a fresh branch before running.
To add a new plugin:
Finally, there are some plugins that are also packaged in nodePackages because they have Javascript-related build steps, such as running webpack. Those plugins are not listed in `vim-plugin-names` or managed by`update.py` at all, and are included separately in `overrides.nix`. Currently, all these plugins are related to the `coc.nvim` ecosystem of Language Server Protocol integration with vim/neovim.
1. run`./update.py` and create a commit named "vimPlugins: Update",
2. add the new plugin to [vim-plugin-names](/pkgs/misc/vim-plugins/vim-plugin-names) and add overrides if required to [overrides.nix](/pkgs/misc/vim-plugins/overrides.nix),
3. run `./update.py` again and create a commit named "vimPlugins.[name]: init at [version]" (where `name` and `version` can be found in [generated.nix](/pkgs/misc/vim-plugins/generated.nix)), and
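Review bot: two inline code spans lost their leading space in this region ("managed by`update.py`" and "run`./update.py`"), which renders the word and the code glued together; insert a space before each backtick. The "NOTE" that the script commits to the local git repository is the important caveat for anyone running it and should sit directly next to the numbered procedure rather than on a separate line above it, so a reader following the steps sees it before step 1.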
The function <function>fetchurl</function> now has support for two different kinds of mirroring of files. First, it has support for <emphasis>content-addressable mirrors</emphasis>. For example, given the <function>fetchurl</function> call
The reduction effects could be instead achieved by building the parts in completely separate derivations. That would often additionally reduce build-time closures, but it tends to be much harder to write such derivations, as build systems typically assume all parts are being built at once. This compromise approach of single source package producing multiple binary packages is also utilized often by rpm and deb.
</para>
</note>
<para>
A number of attributes can be used to work with a derivation with multiple outputs. The attribute <varname>outputs</varname> is a list of strings, which are the names of the outputs. For each of these names, an identically named attribute is created, corresponding to that output. The attribute <varname>meta.outputsToInstall</varname> is used to determine the default set of outputs to install when using the derivation name unqualified.
</para>
</section>
<sectionxml:id="sec-multiple-outputs-installing">
<title>Installing a split package</title>
<para>
When installing a package with multiple outputs, the package's <varname>meta.outputsToInstall</varname> attribute determines which outputs are actually installed. <varname>meta.outputsToInstall</varname> is a list whose <linkxlink:href="https://github.com/NixOS/nixpkgs/blob/f1680774340d5443a1409c3421ced84ac1163ba9/pkgs/stdenv/generic/make-derivation.nix#L310-L320">default installs binaries and the associated man pages</link>. The following sections describe ways to install different outputs.
When installing a package via <varname>systemPackages</varname> or <command>nix-env</command> you have several options:
<title>Selecting outputs to install via NixOS</title>
<para>
NixOS provides two ways to select the outputs to install for packages listed in <varname>environment.systemPackages</varname>:
</para>
<itemizedlist>
<listitem>
<para>
The configuration option <varname>environment.extraOutputsToInstall</varname> is appended to each package's <varname>meta.outputsToInstall</varname> attribute to determine the outputs to install. It can for example be used to install <literal>info</literal> documentation or debug symbols for all packages.
</para>
</listitem>
<listitem>
<para>
The outputs can be listed as packages in <varname>environment.systemPackages</varname>. For example, the <literal>"out"</literal> and <literal>"info"</literal> outputs for the <varname>coreutils</varname> package can be installed by including <varname>coreutils</varname> and <varname>coreutils.info</varname> in <varname>environment.systemPackages</varname>.
<title>Selecting outputs to install via <command>nix-env</command></title>
<para>
<command>nix-env</command> lacks an easy way to select the outputs to install. When installing a package, <command>nix-env</command> always installs the outputs listed in <varname>meta.outputsToInstall</varname>, even when the user explicitly selects an output.
</para>
<warning>
<itemizedlist>
<listitem>
<para>
<command>nix-env</command> silenty disregards the outputs selected by the user, and instead installs the outputs from<varname>meta.outputsToInstall</varname>. For example,
You can install particular outputs explicitly, as each is available in the Nix language as an attribute of the package. The<varname>outputs</varname> attribute contains a list of output names.
installs the <literal>"out"</literal> output (<varname>coreutils.meta.outputsToInstall</varname>is <literal>[ "out" ]</literal>) instead of the requested <literal>"info"</literal>.
You can let it use the default outputs. These are handled by <varname>meta.outputsToInstall</varname>attribute that contains a list of output names.
</para>
</warning>
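Review bot: typo in the warning text, "silenty" should be "silently". Several inline elements in the same paragraph also lost the whitespace around them (`from<varname>meta.outputsToInstall</varname>`, `The<varname>outputs</varname>`, `</varname>is`, `</varname>attribute`); DocBook emits these without any separating space, so add a space on each side of the element. The example that the sentence "For example," introduces is the clearest way to show that nix-env installs `[ "out" ]` instead of the requested `"info"` output, so the `nix-env` invocation should stay adjacent to the "installs the `"out"` output" sentence that explains it.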
<para>
The only recourse to select an output with <command>nix-env</command> is to override the package's <varname>meta.outputsToInstall</varname>, using the functions described in <xreflinkend="chap-overrides"/>. For example, the following overlay adds the <literal>"info"</literal> output for the <varname>coreutils</varname> package:
meta = oldAttrs.meta // { outputsToInstall = oldAttrs.meta.outputsToInstall or [ "out" ] ++ [ "info" ]; };
});
}
</programlisting>
</section>
<para>
TODO: more about tweaking the attribute, etc.
</para>
</listitem>
<listitem>
<para>
NixOS provides configuration option <varname>environment.extraOutputsToInstall</varname> that allows adding extra outputs of <varname>environment.systemPackages</varname> atop the default ones. It's mainly meant for documentation and debug symbols, and it's also modified by specific options.
</para>
<note>
<para>
At this moment there is no similar configurability for packages installed by <command>nix-env</command>. You can still use approach from <xreflinkend="sec-modify-via-packageOverrides"/> to override <varname>meta.outputsToInstall</varname> attributes, but that's a rather inconvenient way.
The reason for why <literal>glibc</literal> deviates from the convention is because referencing a library provided by <literal>glibc</literal> is a very common operation among Nix packages. For instance, third-party executables packaged by Nix are typically patched and relinked with the relevant version of <literal>glibc</literal> libraries from Nix packages (please see the documentation on <linkxlink:href="https://github.com/NixOS/patchelf/blob/master/README">patchelf</link> for more details).
The reason for why <literal>glibc</literal> deviates from the convention is because referencing a library provided by <literal>glibc</literal> is a very common operation among Nix packages. For instance, third-party executables packaged by Nix are typically patched and relinked with the relevant version of <literal>glibc</literal> libraries from Nix packages (please see the documentation on <linkxlink:href="https://nixos.org/patchelf.html">patchelf</link> for more details).
GNU Make. It has been patched to provide <quote>nested</quote> output that can be fed into the <command>nix-log2xml</command> command and <command>log2html</command> stylesheet to create a structured, readable output of the build steps performed by Make.
List of directories to search for libraries and executables from which only debugging-related symbols should be stripped. It defaults to <literal>lib lib32 lib64 libexec bin sbin</literal>.
List of directories to search for libraries and executables from which only debugging-related symbols should be stripped. It defaults to <literal>lib bin sbin</literal>.
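Review bot: the stated default for this directory list differs between the two versions of the sentence (`lib lib32 lib64 libexec bin sbin` versus `lib bin sbin`). Whichever is kept has to match what the strip setup hook actually uses; if the narrower list is documented while the hook searches `lib32`, `lib64` and `libexec` as well (or the other way round), packagers will either expect debug symbols to be left in those directories or expect them stripped when they are not, and the two outcomes have different implications for the size and debuggability of the resulting closure.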
This is a special setup hook which helps in packaging proprietary software in that it automatically tries to find missing shared library dependencies of ELF files based on the given <varname>buildInputs</varname> and <varname>nativeBuildInputs</varname>.
</para>
<para>
You can also specify a <varname>runtimeDependencies</varname> variable which lists dependencies to be unconditionally added to <glossterm>rpath</glossterm> of all executables.
You can also specify a <envar>runtimeDependencies</envar> environment variable which lists dependencies that are unconditionally added to all executables.
</para>
<para>
This is useful for programs that use <citerefentry>
<refentrytitle>dlopen</refentrytitle>
<manvolnum>3</manvolnum></citerefentry> to load libraries at runtime.
</para>
<para>
In certain situations you may want to run the main command (<command>autoPatchelf</command>) of the setup hook on a file or a set of directories instead of unconditionally patching all outputs. This can be done by setting the <varname>dontAutoPatchelf</varname> environment variable to a non-empty value.
</para>
<para>
By default <command>autoPatchelf</command> will fail as soon as any ELF file requires a dependency which cannot be resolved via the given build inputs. In some situations you might prefer to just leave missing dependencies unpatched and continue to patch the rest. This can be achieved by setting the <envar>autoPatchelfIgnoreMissingDeps</envar> environment variable to a non-empty value.
In certain situations you may want to run the main command (<command>autoPatchelf</command>) of the setup hook on a file or a set of directories instead of unconditionally patching all outputs. This can be done by setting the <envar>dontAutoPatchelf</envar> environment variable to a non-empty value.
</para>
<para>
The <command>autoPatchelf</command> command also recognizes a <parameterclass="command">--no-recurse</parameter> command line flag, which prevents it from recursing into subdirectories.
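Review bot: the `runtimeDependencies` and `dontAutoPatchelf` paragraphs each appear in two markups (`<varname>` versus `<envar>`); settle on one for all variables consumed by this hook so the entry is consistent. Of the two `runtimeDependencies` sentences, the `<envar>` variant drops the statement that the listed dependencies are added to the rpath of all executables, which is the informative part and should survive the markup change. The new `autoPatchelfIgnoreMissingDeps` paragraph should also state the consequence of leaving a dependency unpatched: the affected ELF files will still fail to load that library at runtime unless it is provided some other way, so the variable suppresses the build-time failure rather than resolving the dependency.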
@@ -2084,16 +2073,6 @@ postInstall = ''
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
validatePkgConfig
</term>
<listitem>
<para>
The <literal>validatePkgConfig</literal> hook validates all pkg-config (<filename>.pc</filename>) files in a package. This helps catching some common errors in pkg-config files, such as undefined variables.
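Review bot: grammar in the validatePkgConfig description, "This helps catching some common errors" should read "This helps catch some common errors".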
For permanently allowing unsupported packages to be built, you may add <literal>allowUnsupportedSystem = true;</literal> to your user's configuration file, like this:
For permanently allowing broken packages to be built, you may add <literal>allowUnsupportedSystem = true;</literal> to your user's configuration file, like this:
<programlisting>
{
allowUnsupportedSystem = true;
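Review bot: the second wording of this paragraph, "For permanently allowing broken packages to be built", does not match the option it introduces. `allowUnsupportedSystem = true;` lifts the restriction on packages whose supported platforms do not include the current system, not on packages marked as broken; the latter is controlled by `allowBroken`. Keep the "unsupported packages" wording so the sentence and the configuration snippet describe the same setting.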
@@ -122,7 +122,7 @@
<listitem>
<para>
To temporarily allow all unfree packages, you can use an environment variable for a single invocation of the nix tools:
Overlays are similar to other methods for customizing Nixpkgs, in particular the <literal>packageOverrides</literal> attribute described in <xreflinkend="sec-modify-via-packageOverrides"/>. Indeed, <literal>packageOverrides</literal> acts as an overlay with only the <varname>super</varname> argument. It is therefore appropriate for basic use, but overlays are more powerful and easier to distribute.
</para>
</section>
<sectionxml:id="sec-overlays-alternatives">
<title>Using overlays to configure alternatives</title>
<para>
Certain software packages have different implementations of the
same interface. Other distributions have functionality to switch