From ab8bcd05f6fa970f7364a1fe3c51a74bdb5d225f Mon Sep 17 00:00:00 2001
From: Johannes Bornhold <johannes@bornhold.name>
Date: Mon, 20 Feb 2017 21:30:43 +0100
Subject: [PATCH 01/35] pytestcov: 2.3.1 -> 2.4.0

---
 pkgs/top-level/python-packages.nix | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index 9f65ef80b14..e6ba350d922 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -5436,27 +5436,32 @@ in {
     '';
   };
 
-  pytestcov = buildPythonPackage (rec {
-    name = "pytest-cov-2.3.1";
+  pytestcov = buildPythonPackage rec {
+    name = "pytest-cov-2.4.0";
 
     src = pkgs.fetchurl {
       url = "mirror://pypi/p/pytest-cov/${name}.tar.gz";
-      sha256 = "fa0a212283cdf52e2eecc24dd6459bb7687cc29adb60cb84258fab73be8dda0f";
+      sha256 = "03c2qc42r4bczyw93gd7n0qi1h1jfhw7fnbhi33c3vp1hs81gm2k";
     };
 
-   buildInputs = with self; [ covCore pytest virtualenv process-tests helper ];
+   buildInputs = with self; [ pytest pytest_xdist virtualenv process-tests ];
+   propagatedBuildInputs = with self; [ coverage ];
 
+   # xdist related tests fail with the following error
+   # OSError: [Errno 13] Permission denied: 'py/_code'
    doCheck = false;
    checkPhase = ''
+     # allow to find the module helper during the test run
+     export PYTHONPATH=$PYTHONPATH:$PWD/tests
      py.test tests
    '';
 
     meta = {
       description = "Plugin for coverage reporting with support for both centralised and distributed testing, including subprocesses and multiprocessing";
-      homepage = https://github.com/schlamar/pytest-cov;
+      homepage = https://github.com/pytest-dev/pytest-cov;
       license = licenses.mit;
     };
-  });
+  };
 
   pytest-expect = callPackage ../development/python-modules/pytest-expect { };
 

From 3c65b4ac9a727d22bdf1f49221ad738005a1113a Mon Sep 17 00:00:00 2001
From: Johannes Bornhold <johannes@bornhold.name>
Date: Mon, 20 Feb 2017 21:35:28 +0100
Subject: [PATCH 02/35] freezegun: 0.3.5 -> 0.3.8

---
 pkgs/top-level/python-packages.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index e6ba350d922..1480113e46e 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -25350,11 +25350,11 @@ in {
 
   freezegun = buildPythonPackage rec {
     name = "freezegun-${version}";
-    version = "0.3.5";
+    version = "0.3.8";
 
     src = pkgs.fetchurl {
       url = "mirror://pypi/f/freezegun/freezegun-${version}.tar.gz";
-      sha256 = "02ly89wwn0plcw8clkkzvxaw6zlpm8qyqpm9x2mfw4a0vppb4ngf";
+      sha256 = "1sf38d3ibv1jhhvr52x7dhrsiyqk1hm165dfv8w8wh0fhmgxg151";
     };
 
     propagatedBuildInputs = with self; [
@@ -25365,6 +25365,7 @@ in {
     meta = with stdenv.lib; {
       description = "FreezeGun: Let your Python tests travel through time";
       homepage = "https://github.com/spulec/freezegun";
+      license = licenses.asl20;
     };
   };
 

From a189f8cc0fb1d676c8e5de9b81c2b1feb189b726 Mon Sep 17 00:00:00 2001
From: Johannes Bornhold <johannes@bornhold.name>
Date: Mon, 20 Feb 2017 22:13:57 +0100
Subject: [PATCH 03/35] pytest_xdist: 1.8 -> 1.14

---
 pkgs/top-level/python-packages.nix | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index 1480113e46e..75fcfd60f90 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -5486,19 +5486,20 @@ in {
   };
 
   pytest_xdist = buildPythonPackage rec {
-    name = "pytest-xdist-1.8";
+    name = "pytest-xdist-1.14";
 
     src = pkgs.fetchurl {
-      url = "mirror://pypi/p/pytest-xdist/pytest-xdist-1.8.zip";
-      sha256 = "b02135db7080c0978b7ce5d8f43a5879231441c2062a4791bc42b6f98c94fa69";
+      url = "mirror://pypi/p/pytest-xdist/${name}.zip";
+      sha256 = "08rn2l39ds60xshs4js787l84pfckksqklfq2wq9x8ig2aci2pja";
     };
 
-    buildInputs = with self; [ pytest ];
+    buildInputs = with self; [ pytest setuptools_scm ];
     propagatedBuildInputs = with self; [ execnet ];
 
     meta = {
       description = "py.test xdist plugin for distributed testing and loop-on-failing modes";
-      homepage = http://bitbucket.org/hpk42/pytest-xdist;
+      homepage = https://github.com/pytest-dev/pytest-xdist;
+      license = licenses.mit;
     };
   };
 

From e9adf383e685bdb9812111fa8ec50450b16cfb11 Mon Sep 17 00:00:00 2001
From: Orivej Desh <orivej@gmx.fr>
Date: Tue, 25 Apr 2017 09:31:06 +0000
Subject: [PATCH 04/35] Fix parsing @args.rsp compiler arguments

---
 pkgs/build-support/cc-wrapper/utils.sh | 69 ++++++++++++++++++--------
 1 file changed, 49 insertions(+), 20 deletions(-)

diff --git a/pkgs/build-support/cc-wrapper/utils.sh b/pkgs/build-support/cc-wrapper/utils.sh
index aba5f3295a9..d17930e8ab5 100644
--- a/pkgs/build-support/cc-wrapper/utils.sh
+++ b/pkgs/build-support/cc-wrapper/utils.sh
@@ -23,26 +23,55 @@ badPath() {
         "${p:0:${#NIX_BUILD_TOP}}" != "$NIX_BUILD_TOP"
 }
 
-expandResponseParams() {
-    local inparams=("$@")
-    local n=0
-    local p
-    params=()
-    while [ $n -lt ${#inparams[*]} ]; do
-        p=${inparams[n]}
-        case $p in
-            @*)
-                if [ -e "${p:1}" ]; then
-                    args=$(<"${p:1}")
-                    eval 'for arg in '${args//$/\\$}'; do params+=("$arg"); done'
-                else
-                    params+=("$p")
-                fi
-                ;;
-            *)
-                params+=("$p")
-                ;;
+# @args.rsp parser.
+# Char classes: space, other, backslash, single quote, double quote.
+# States: 0 - outside, 1/2 - unquoted arg/slash, 3/4 - 'arg'/slash, 5/6 - "arg"/slash.
+# State transitions:
+rspT=(01235 01235 11111 33413 33333 55651 55555)
+# Push char on transition:
+rspC[01]=1 rspC[11]=1 rspC[21]=1 rspC[33]=1 rspC[43]=1 rspC[55]=1 rspC[65]=1
+
+rspParse() {
+    rsp=()
+    local s="$1"
+    local state=0
+    local arg=''
+
+    for (( i=0; i<${#s}; i++ )); do
+        local c="${s:$i:1}"
+        local cls=1
+        case "$c" in
+            ' ' | $'\t' | $'\r' | $'\n') cls=0 ;;
+            '\') cls=2 ;;
+            "'") cls=3 ;;
+            '"') cls=4 ;;
         esac
-        n=$((n + 1))
+        local nextstates="${rspT[$state]}"
+        local nextstate="${nextstates:$cls:1}"
+        if [ "${rspC[$state$nextstate]}" ]; then
+            arg+="$c"
+        elif [ "$state$nextstate" = "10" ]; then
+            rsp+=("$arg")
+            arg=''
+        fi
+        state="$nextstate"
+    done
+
+    if [ "$state" -ne 0 ]; then
+        rsp+=("$arg")
+    fi
+}
+
+expandResponseParams() {
+    params=()
+    while [ $# -gt 0 ]; do
+        local p="$1"
+        shift
+        if [ "${p:0:1}" = '@' -a -e "${p:1}" ]; then
+            rspParse "$(<"${p:1}")"
+            set -- "${rsp[@]}" "$@"
+        else
+            params+=("$p")
+        fi
     done
 }

From 34436df0d0e57caafb6b0ed5911f71861b10a6eb Mon Sep 17 00:00:00 2001
From: Joe Hermaszewski <git@monoid.al>
Date: Sun, 23 Apr 2017 23:44:50 +0000
Subject: [PATCH 05/35] clang: Use cmake from buildPackages

---
 pkgs/development/compilers/llvm/3.9/clang/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/compilers/llvm/3.9/clang/default.nix b/pkgs/development/compilers/llvm/3.9/clang/default.nix
index 91068227110..87216e424ca 100644
--- a/pkgs/development/compilers/llvm/3.9/clang/default.nix
+++ b/pkgs/development/compilers/llvm/3.9/clang/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetch, cmake, libxml2, libedit, llvm, version, clang-tools-extra_src, python }:
+{ stdenv, fetch, libxml2, libedit, llvm, version, clang-tools-extra_src, python, buildPackages }:
 
 let
   gcc = if stdenv.cc.isGNU then stdenv.cc.cc else stdenv.cc.cc.gcc;
@@ -13,7 +13,7 @@ let
       mv clang-tools-extra-* $sourceRoot/tools/extra
     '';
 
-    buildInputs = [ cmake libedit libxml2 llvm python ];
+    buildInputs = [ buildPackages.cmake libedit libxml2 llvm python ];
 
     cmakeFlags = [
       "-DCMAKE_CXX_FLAGS=-std=c++11"

From 3eee6ea7c17aea50b8a1e04b95e9ee226591e38f Mon Sep 17 00:00:00 2001
From: Joe Hermaszewski <git@monoid.al>
Date: Mon, 24 Apr 2017 00:01:56 +0000
Subject: [PATCH 06/35] groff: use buildPackages to fix cross compile

---
 pkgs/tools/text/groff/default.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkgs/tools/text/groff/default.nix b/pkgs/tools/text/groff/default.nix
index df6a1119800..aa9ece8955b 100644
--- a/pkgs/tools/text/groff/default.nix
+++ b/pkgs/tools/text/groff/default.nix
@@ -1,6 +1,7 @@
 { stdenv, fetchurl, perl, groff
 , ghostscript #for postscript and html output
 , psutils, netpbm #for html output
+, buildPackages
 }:
 
 stdenv.mkDerivation rec {
@@ -49,7 +50,7 @@ stdenv.mkDerivation rec {
     # Trick to get the build system find the proper 'native' groff
     # http://www.mail-archive.com/bug-groff@gnu.org/msg01335.html
     preBuild = ''
-      makeFlags="GROFF_BIN_PATH=${groff}/bin GROFFBIN=${groff}/bin/groff"
+      makeFlags="GROFF_BIN_PATH=${buildPackages.groff}/bin GROFFBIN=${buildPackages.groff}/bin/groff"
     '';
   };
 

From 12bbc630247f85f4fa84c100d856a712b6d7cf4d Mon Sep 17 00:00:00 2001
From: Joe Hermaszewski <git@monoid.al>
Date: Sun, 23 Apr 2017 23:48:02 +0000
Subject: [PATCH 07/35] llvm-3.9: Fix cross compilation

It's now possible to cross compile llvm:

`nix-build -E '(import ./. { crossSystem = import ./platform.nix; }).pkgs.llvm'`
---
 pkgs/development/compilers/llvm/3.9/llvm.nix | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/pkgs/development/compilers/llvm/3.9/llvm.nix b/pkgs/development/compilers/llvm/3.9/llvm.nix
index 2c47ec5127f..0408b9413c8 100644
--- a/pkgs/development/compilers/llvm/3.9/llvm.nix
+++ b/pkgs/development/compilers/llvm/3.9/llvm.nix
@@ -17,6 +17,9 @@
 , debugVersion ? false
 , enableSharedLibraries ? true
 , darwin
+, buildPackages
+, buildPlatform
+, hostPlatform
 }:
 
 let
@@ -39,7 +42,13 @@ in stdenv.mkDerivation rec {
 
   outputs = [ "out" ] ++ stdenv.lib.optional enableSharedLibraries "lib";
 
-  buildInputs = [ perl groff cmake libxml2 python libffi ]
+  buildInputs = [
+    buildPackages.perl
+    buildPackages.buildPackages.cmake
+    buildPackages.python
+    groff
+    libxml2
+    libffi ]
     ++ stdenv.lib.optionals stdenv.isDarwin [ libcxxabi ];
 
   propagatedBuildInputs = [ ncurses zlib ];
@@ -88,6 +97,9 @@ in stdenv.mkDerivation rec {
     ++ stdenv.lib.optionals (isDarwin) [
     "-DLLVM_ENABLE_LIBCXX=ON"
     "-DCAN_TARGET_i386=false"
+  ] ++ stdenv.lib.optionals (buildPlatform != hostPlatform) [
+    "-DCMAKE_CROSSCOMPILING=True"
+    "-DLLVM_TABLEGEN=${buildPackages.llvmPackages_39.llvm}/bin/llvm-tblgen"
   ];
 
   postBuild = ''

From fea424fea33b7b71dfc43b3297ad2d1d2da36f5a Mon Sep 17 00:00:00 2001
From: Joe Hermaszewski <git@monoid.al>
Date: Tue, 25 Apr 2017 22:23:58 +0000
Subject: [PATCH 08/35] LLVM-3.9: Fix RPATH in cross compile builds

This error was cause by multiple-outputs.sh not setting
NIX_CROSS_LDFLAGS
---
 pkgs/development/compilers/llvm/3.9/llvm.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkgs/development/compilers/llvm/3.9/llvm.nix b/pkgs/development/compilers/llvm/3.9/llvm.nix
index 0408b9413c8..6c86ac0c294 100644
--- a/pkgs/development/compilers/llvm/3.9/llvm.nix
+++ b/pkgs/development/compilers/llvm/3.9/llvm.nix
@@ -81,6 +81,12 @@ in stdenv.mkDerivation rec {
   preBuild = ''
     mkdir -p $out/
     ln -sv $PWD/lib $out
+  ''
+  + # This is a good candidate for using the `placeholder` primitive when it's released
+    # This should hopefully be unnecessary once
+    # https://github.com/NixOS/nixpkgs/pull/25047 is merged
+    stdenv.lib.optionalString (buildPlatform != hostPlatform && enableSharedLibraries) ''
+    export NIX_CROSS_LDFLAGS="-rpath $lib/lib -rpath $lib/lib64 $NIX_CROSS_LDFLAGS"
   '';
 
   cmakeFlags = with stdenv; [

From bad5ca052553aefb724e32bed1ea547b911cbb4b Mon Sep 17 00:00:00 2001
From: Joe Hermaszewski <git@monoid.al>
Date: Tue, 25 Apr 2017 22:31:31 +0000
Subject: [PATCH 09/35] LLVM-3.9: Use nativeBuildInputs instead of
 buildPackages

---
 pkgs/development/compilers/llvm/3.9/clang/default.nix | 6 ++++--
 pkgs/development/compilers/llvm/3.9/llvm.nix          | 9 ++++++---
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/pkgs/development/compilers/llvm/3.9/clang/default.nix b/pkgs/development/compilers/llvm/3.9/clang/default.nix
index 87216e424ca..ec2ec27df36 100644
--- a/pkgs/development/compilers/llvm/3.9/clang/default.nix
+++ b/pkgs/development/compilers/llvm/3.9/clang/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetch, libxml2, libedit, llvm, version, clang-tools-extra_src, python, buildPackages }:
+{ stdenv, fetch, cmake, libxml2, libedit, llvm, version, clang-tools-extra_src, python }:
 
 let
   gcc = if stdenv.cc.isGNU then stdenv.cc.cc else stdenv.cc.cc.gcc;
@@ -13,7 +13,9 @@ let
       mv clang-tools-extra-* $sourceRoot/tools/extra
     '';
 
-    buildInputs = [ buildPackages.cmake libedit libxml2 llvm python ];
+    nativeBuildInputs = [ cmake ];
+
+    buildInputs = [ libedit libxml2 llvm python ];
 
     cmakeFlags = [
       "-DCMAKE_CXX_FLAGS=-std=c++11"
diff --git a/pkgs/development/compilers/llvm/3.9/llvm.nix b/pkgs/development/compilers/llvm/3.9/llvm.nix
index 6c86ac0c294..380abc0b9b4 100644
--- a/pkgs/development/compilers/llvm/3.9/llvm.nix
+++ b/pkgs/development/compilers/llvm/3.9/llvm.nix
@@ -42,10 +42,13 @@ in stdenv.mkDerivation rec {
 
   outputs = [ "out" ] ++ stdenv.lib.optional enableSharedLibraries "lib";
 
+  nativeBuildInputs = [
+    perl
+    cmake
+    python
+  ];
+
   buildInputs = [
-    buildPackages.perl
-    buildPackages.buildPackages.cmake
-    buildPackages.python
     groff
     libxml2
     libffi ]

From 7b7ffc4999ba4b38f8090aab48a78ace0eb3424a Mon Sep 17 00:00:00 2001
From: Joe Hermaszewski <git@monoid.al>
Date: Wed, 26 Apr 2017 14:01:35 +0000
Subject: [PATCH 10/35] LLVM-3.9: disable shared libraries in cross builds

The current cc-wrapper script seems to have trouble setting the rpath
correctly. Hopefully #25047 will fix this.
---
 pkgs/development/compilers/llvm/3.9/llvm.nix | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/pkgs/development/compilers/llvm/3.9/llvm.nix b/pkgs/development/compilers/llvm/3.9/llvm.nix
index 380abc0b9b4..96efc97323c 100644
--- a/pkgs/development/compilers/llvm/3.9/llvm.nix
+++ b/pkgs/development/compilers/llvm/3.9/llvm.nix
@@ -15,13 +15,15 @@
 , compiler-rt_src
 , libcxxabi
 , debugVersion ? false
-, enableSharedLibraries ? true
+, enableSharedLibraries ? (buildPlatform == hostPlatform)
 , darwin
 , buildPackages
 , buildPlatform
 , hostPlatform
 }:
 
+assert (hostPlatform != buildPlatform) -> !enableSharedLibraries;
+
 let
   src = fetch "llvm" "1vi9sf7rx1q04wj479rsvxayb6z740iaz3qniwp266fgp5a07n8z";
   shlib = if stdenv.isDarwin then "dylib" else "so";
@@ -84,12 +86,6 @@ in stdenv.mkDerivation rec {
   preBuild = ''
     mkdir -p $out/
     ln -sv $PWD/lib $out
-  ''
-  + # This is a good candidate for using the `placeholder` primitive when it's released
-    # This should hopefully be unnecessary once
-    # https://github.com/NixOS/nixpkgs/pull/25047 is merged
-    stdenv.lib.optionalString (buildPlatform != hostPlatform && enableSharedLibraries) ''
-    export NIX_CROSS_LDFLAGS="-rpath $lib/lib -rpath $lib/lib64 $NIX_CROSS_LDFLAGS"
   '';
 
   cmakeFlags = with stdenv; [

From ad778a64d7c887405e37a2ddc375dc01350dfe10 Mon Sep 17 00:00:00 2001
From: Joe Hermaszewski <git@monoid.al>
Date: Wed, 26 Apr 2017 13:14:00 +0000
Subject: [PATCH 11/35] LLVM-3.9: formatting

---
 pkgs/development/compilers/llvm/3.9/llvm.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/compilers/llvm/3.9/llvm.nix b/pkgs/development/compilers/llvm/3.9/llvm.nix
index 96efc97323c..964b6232fb5 100644
--- a/pkgs/development/compilers/llvm/3.9/llvm.nix
+++ b/pkgs/development/compilers/llvm/3.9/llvm.nix
@@ -53,8 +53,8 @@ in stdenv.mkDerivation rec {
   buildInputs = [
     groff
     libxml2
-    libffi ]
-    ++ stdenv.lib.optionals stdenv.isDarwin [ libcxxabi ];
+    libffi
+  ] ++ stdenv.lib.optionals stdenv.isDarwin [ libcxxabi ];
 
   propagatedBuildInputs = [ ncurses zlib ];
 

From 66f7398e4a6dd9d8ee4016712bc6cb3ca7579b1d Mon Sep 17 00:00:00 2001
From: Frederik Rietdijk <fridh@fridh.nl>
Date: Tue, 18 Apr 2017 14:58:58 +0200
Subject: [PATCH 12/35] Python 3 is now an alias of 3.6 instead of 3.5

---
 pkgs/top-level/all-packages.nix | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 157c9ba336c..e8df4011bc7 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -6070,7 +6070,7 @@ with pkgs;
   # available as `pythonPackages.tkinter` and can be used as any other Python package.
   python = python2;
   python2 = python27;
-  python3 = python35;
+  python3 = python36;
 
   # Python interpreter that is build with all modules, including tkinter.
   # These are for compatibility and should not be used inside Nixpkgs.
@@ -6084,9 +6084,9 @@ with pkgs;
   python36Full = python36.override{x11Support=true;};
 
   # pythonPackages further below, but assigned here because they need to be in sync
-  pythonPackages = python2Packages;
-  python2Packages = python27Packages;
-  python3Packages = python35Packages;
+  pythonPackages = python.pkgs;
+  python2Packages = python2.pkgs;
+  python3Packages = python3.pkgs;
 
   python27 = callPackage ../development/interpreters/python/cpython/2.7 {
     self = python27;
@@ -6096,14 +6096,14 @@ with pkgs;
     self = python33;
     inherit (darwin) CF configd;
   };
-  python34 = hiPrio (callPackage ../development/interpreters/python/cpython/3.4 {
+  python34 = callPackage ../development/interpreters/python/cpython/3.4 {
     inherit (darwin) CF configd;
     self = python34;
-  });
-  python35 = hiPrio (callPackage ../development/interpreters/python/cpython/3.5 {
+  };
+  python35 = callPackage ../development/interpreters/python/cpython/3.5 {
     inherit (darwin) CF configd;
     self = python35;
-  });
+  };
   python36 = callPackage ../development/interpreters/python/cpython/3.6 {
     inherit (darwin) CF configd;
     self = python36;
@@ -10556,9 +10556,9 @@ with pkgs;
 
   python34Packages = python34.pkgs;
 
-  python35Packages = recurseIntoAttrs python35.pkgs;
+  python35Packages = python35.pkgs;
 
-  python36Packages = python36.pkgs;
+  python36Packages = recurseIntoAttrs python36.pkgs;
 
   pypyPackages = pypy.pkgs;
 

From 33962a4420cc908af5f64083a6bfe843dc0c7ecb Mon Sep 17 00:00:00 2001
From: Linus Heckemann <git@sphalerite.org>
Date: Thu, 4 May 2017 16:52:07 +0100
Subject: [PATCH 13/35] stdenv: fix "grep: invalid range"

---
 pkgs/build-support/setup-hooks/multiple-outputs.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/build-support/setup-hooks/multiple-outputs.sh b/pkgs/build-support/setup-hooks/multiple-outputs.sh
index eafc770a8e1..62a6491b8dc 100644
--- a/pkgs/build-support/setup-hooks/multiple-outputs.sh
+++ b/pkgs/build-support/setup-hooks/multiple-outputs.sh
@@ -61,7 +61,7 @@ _multioutConfig() {
             local shareDocName="$(sed -n "s/^PACKAGE_TARNAME='\(.*\)'$/\1/p" < "$confScript")"
         fi
                                     # PACKAGE_TARNAME sometimes contains garbage.
-        if [ -n "$shareDocName" ] || echo "$shareDocName" | grep -q '[^a-zA-Z-_0-9]'; then
+        if [ -n "$shareDocName" ] || echo "$shareDocName" | grep -q '[^a-zA-Z0-9_-]'; then
             shareDocName="$(echo "$name" | sed 's/-[^a-zA-Z].*//')"
         fi
     fi

From 94d164dd7f20c785a543d1fb1d5bd359fb38bd25 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Thu, 4 May 2017 20:06:40 +0200
Subject: [PATCH 14/35] Add a setup hook for detecting $TMPDIR references in
 RPATHs and wrapper scripts

---
 .../build-support/setup-hooks/audit-tmpdir.sh | 41 +++++++++++++++++++
 pkgs/stdenv/generic/default.nix               |  1 +
 pkgs/stdenv/generic/setup.sh                  | 12 ++++++
 3 files changed, 54 insertions(+)
 create mode 100644 pkgs/build-support/setup-hooks/audit-tmpdir.sh

diff --git a/pkgs/build-support/setup-hooks/audit-tmpdir.sh b/pkgs/build-support/setup-hooks/audit-tmpdir.sh
new file mode 100644
index 00000000000..ffaa61f2d80
--- /dev/null
+++ b/pkgs/build-support/setup-hooks/audit-tmpdir.sh
@@ -0,0 +1,41 @@
+# Check whether RPATHs or wrapper scripts contain references to
+# $TMPDIR. This is a serious security bug because it allows any user
+# to inject files into search paths of other users' processes.
+#
+# It might be better to have Nix scan build output for any occurrence
+# of $TMPDIR (which would also be good for reproducibility), but at
+# the moment that would produce too many spurious errors (e.g. debug
+# info or assertion messages that refer to $TMPDIR).
+
+fixupOutputHooks+=('if [ -z "$noAuditTmpdir" -a -e "$prefix" ]; then auditTmpdir "$prefix"; fi')
+
+auditTmpdir() {
+    local dir="$1"
+    [ -e "$dir" ] || return 0
+
+    header "checking for references to $TMPDIR in $dir..."
+
+    local i
+    while IFS= read -r -d $'\0' i; do
+        if [[ "$i" =~ .build-id ]]; then continue; fi
+
+        if isELF "$i"; then
+            if patchelf --print-rpath "$i" | grep -q -F "$TMPDIR"; then
+                echo "RPATH of binary $i contains a forbidden reference to $TMPDIR"
+                exit 1
+            fi
+        fi
+
+        if  isScript "$i"; then
+            if [ -e "$(dirname $i)/.$(basename $i)-wrapped" ]; then
+                if grep -q -F "$TMPDIR" "$i"; then
+                    echo "wrapper script $i contains a forbidden reference to $TMPDIR"
+                    exit 1
+                fi
+            fi
+        fi
+
+    done < <(find "$dir" -type f -print0)
+
+    stopNest
+}
diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix
index a063a1ed2dc..43b35082161 100644
--- a/pkgs/stdenv/generic/default.nix
+++ b/pkgs/stdenv/generic/default.nix
@@ -94,6 +94,7 @@ let
       ../../build-support/setup-hooks/compress-man-pages.sh
       ../../build-support/setup-hooks/strip.sh
       ../../build-support/setup-hooks/patch-shebangs.sh
+      ../../build-support/setup-hooks/audit-tmpdir.sh
       ../../build-support/setup-hooks/multiple-outputs.sh
       ../../build-support/setup-hooks/move-sbin.sh
       ../../build-support/setup-hooks/move-lib64.sh
diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh
index de33ab56598..eb63b18e5f3 100644
--- a/pkgs/stdenv/generic/setup.sh
+++ b/pkgs/stdenv/generic/setup.sh
@@ -199,6 +199,18 @@ isELF() {
     if [[ "$magic" =~ ELF ]]; then return 0; else return 1; fi
 }
 
+# Return success if the specified file is a script (i.e. starts with
+# "#!").
+isScript() {
+    local fn="$1"
+    local magic
+    if ! [ -x /bin/sh ]; then return 0; fi
+    exec {fd}< "$fn"
+    read -n 2 -u $fd magic
+    exec {fd}<&-
+    if [[ "$magic" =~ \#! ]]; then return 0; else return 1; fi
+}
+
 
 ######################################################################
 # Initialisation.

From 1823113f8792fc67b11b35dfffe72c88d69dd791 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vcunat@gmail.com>
Date: Sat, 6 May 2017 11:51:24 +0200
Subject: [PATCH 15/35] xorg: misc updates

---
 pkgs/servers/x11/xorg/default.nix       | 24 ++++++++++++------------
 pkgs/servers/x11/xorg/extra.list        |  2 +-
 pkgs/servers/x11/xorg/tarballs-7.7.list |  6 +++---
 3 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/pkgs/servers/x11/xorg/default.nix b/pkgs/servers/x11/xorg/default.nix
index a4de1ecda43..2ef8597efff 100644
--- a/pkgs/servers/x11/xorg/default.nix
+++ b/pkgs/servers/x11/xorg/default.nix
@@ -1010,22 +1010,22 @@ let
   }) // {inherit xproto zlib ;};
 
   libpciaccess = (mkDerivation "libpciaccess" {
-    name = "libpciaccess-0.13.4";
+    name = "libpciaccess-0.13.5";
     builder = ./builder.sh;
     src = fetchurl {
-      url = mirror://xorg/individual/lib/libpciaccess-0.13.4.tar.bz2;
-      sha256 = "1krgryi9ngjr66242v0v5mczihgv0y7rrvx0563arr318mjn9y07";
+      url = mirror://xorg/individual/lib/libpciaccess-0.13.5.tar.bz2;
+      sha256 = "16dr80rdw5bzdyhahvilfjrflj7scs2yl2mmghsb84f3nglm8b3m";
     };
     buildInputs = [pkgconfig zlib ];
     meta.platforms = stdenv.lib.platforms.unix;
   }) // {inherit zlib ;};
 
   libpthreadstubs = (mkDerivation "libpthreadstubs" {
-    name = "libpthread-stubs-0.3";
+    name = "libpthread-stubs-0.4";
     builder = ./builder.sh;
     src = fetchurl {
-      url = http://xcb.freedesktop.org/dist/libpthread-stubs-0.3.tar.bz2;
-      sha256 = "16bjv3in19l84hbri41iayvvg4ls9gv1ma0x0qlbmwy67i7dbdim";
+      url = http://xcb.freedesktop.org/dist/libpthread-stubs-0.4.tar.bz2;
+      sha256 = "0cz7s9w8lqgzinicd4g36rjg08zhsbyngh0w68c3np8nlc8mkl74";
     };
     buildInputs = [pkgconfig ];
     meta.platforms = stdenv.lib.platforms.unix;
@@ -1197,11 +1197,11 @@ let
   }) // {inherit ;};
 
   sessreg = (mkDerivation "sessreg" {
-    name = "sessreg-1.1.0";
+    name = "sessreg-1.1.1";
     builder = ./builder.sh;
     src = fetchurl {
-      url = mirror://xorg/individual/app/sessreg-1.1.0.tar.bz2;
-      sha256 = "0z013rskwmdadd8cdlxvh4asmgim61qijyzfbqmr1q1mg1jpf4am";
+      url = mirror://xorg/individual/app/sessreg-1.1.1.tar.bz2;
+      sha256 = "1qd66mg2bnppqz4xgdjzif2488zl82vx2c26ld3nb8pnyginm9vq";
     };
     buildInputs = [pkgconfig xproto ];
     meta.platforms = stdenv.lib.platforms.unix;
@@ -2210,11 +2210,11 @@ let
   }) // {inherit inputproto libX11 libXext libXi libXinerama libXrandr ;};
 
   xkbcomp = (mkDerivation "xkbcomp" {
-    name = "xkbcomp-1.3.1";
+    name = "xkbcomp-1.4.0";
     builder = ./builder.sh;
     src = fetchurl {
-      url = mirror://xorg/individual/app/xkbcomp-1.3.1.tar.bz2;
-      sha256 = "0gcjy70ppmcl610z8gxc7sydsx93f8cm8pggm4qhihaa1ngdq103";
+      url = mirror://xorg/individual/app/xkbcomp-1.4.0.tar.bz2;
+      sha256 = "0syfc6zscvai824mzihlnrqxhkcr27dzkpy8zndavi83iischsdw";
     };
     buildInputs = [pkgconfig libX11 libxkbfile xproto ];
     meta.platforms = stdenv.lib.platforms.unix;
diff --git a/pkgs/servers/x11/xorg/extra.list b/pkgs/servers/x11/xorg/extra.list
index 56a7b1f76a9..28b698bdc81 100644
--- a/pkgs/servers/x11/xorg/extra.list
+++ b/pkgs/servers/x11/xorg/extra.list
@@ -1,4 +1,4 @@
-http://xcb.freedesktop.org/dist/libpthread-stubs-0.3.tar.bz2
+http://xcb.freedesktop.org/dist/libpthread-stubs-0.4.tar.bz2
 http://xcb.freedesktop.org/dist/libxcb-1.12.tar.bz2
 http://xcb.freedesktop.org/dist/xcb-proto-1.12.tar.bz2
 http://xcb.freedesktop.org/dist/xcb-util-0.4.0.tar.bz2
diff --git a/pkgs/servers/x11/xorg/tarballs-7.7.list b/pkgs/servers/x11/xorg/tarballs-7.7.list
index ee85de75b40..c2d4f8dca57 100644
--- a/pkgs/servers/x11/xorg/tarballs-7.7.list
+++ b/pkgs/servers/x11/xorg/tarballs-7.7.list
@@ -56,7 +56,7 @@ mirror://xorg/individual/lib/libxshmfence-1.2.tar.bz2
 mirror://xorg/individual/lib/libfontenc-1.1.3.tar.bz2
 mirror://xorg/individual/lib/libFS-1.0.7.tar.bz2
 mirror://xorg/individual/lib/libICE-1.0.9.tar.bz2
-mirror://xorg/individual/lib/libpciaccess-0.13.4.tar.bz2
+mirror://xorg/individual/lib/libpciaccess-0.13.5.tar.bz2
 mirror://xorg/individual/lib/libSM-1.2.2.tar.bz2
 mirror://xorg/X11R7.7/src/everything/libWindowsWM-1.0.1.tar.bz2
 mirror://xorg/individual/lib/libX11-1.6.5.tar.bz2
@@ -96,7 +96,7 @@ mirror://xorg/X11R7.7/src/everything/recordproto-1.14.2.tar.bz2
 mirror://xorg/X11R7.7/src/everything/renderproto-0.11.1.tar.bz2
 mirror://xorg/X11R7.7/src/everything/resourceproto-1.2.0.tar.bz2
 mirror://xorg/X11R7.7/src/everything/scrnsaverproto-1.2.2.tar.bz2
-mirror://xorg/individual/app/sessreg-1.1.0.tar.bz2
+mirror://xorg/individual/app/sessreg-1.1.1.tar.bz2
 mirror://xorg/individual/app/setxkbmap-1.3.1.tar.bz2
 mirror://xorg/individual/app/smproxy-1.0.6.tar.bz2
 mirror://xorg/individual/app/twm-1.0.9.tar.bz2
@@ -174,7 +174,7 @@ mirror://xorg/individual/app/xgc-1.0.5.tar.bz2
 mirror://xorg/individual/app/xhost-1.0.7.tar.bz2
 mirror://xorg/X11R7.7/src/everything/xineramaproto-1.2.1.tar.bz2
 mirror://xorg/individual/app/xinput-1.6.2.tar.bz2
-mirror://xorg/individual/app/xkbcomp-1.3.1.tar.bz2
+mirror://xorg/individual/app/xkbcomp-1.4.0.tar.bz2
 mirror://xorg/individual/app/xkbevd-1.1.4.tar.bz2
 mirror://xorg/individual/app/xkbutils-1.0.4.tar.bz2
 mirror://xorg/individual/data/xkeyboard-config/xkeyboard-config-2.20.tar.bz2

From 572550596752fe6f69b2c07f5a928889df223fe7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vcunat@gmail.com>
Date: Sat, 6 May 2017 11:57:02 +0200
Subject: [PATCH 16/35] mesa: maintenance 17.0.4 -> 17.0.5

---
 pkgs/development/libraries/mesa/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix
index e9edda698f4..a8516b62314 100644
--- a/pkgs/development/libraries/mesa/default.nix
+++ b/pkgs/development/libraries/mesa/default.nix
@@ -67,7 +67,7 @@ let
 in
 
 let
-  version = "17.0.4";
+  version = "17.0.5";
   branch  = head (splitString "." version);
   driverLink = "/run/opengl-driver" + optionalString stdenv.isi686 "-32";
 in
@@ -82,7 +82,7 @@ stdenv.mkDerivation {
       "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz"
       "https://launchpad.net/mesa/trunk/${version}/+download/mesa-${version}.tar.xz"
     ];
-    sha256 = "1269dc8545a193932a0779b2db5bce9be4a5f6813b98c38b93b372be8362a346";
+    sha256 = "668efa445d2f57a26e5c096b1965a685733a3b57d9c736f9d6460263847f9bfe";
   };
 
   prePatch = "patchShebangs .";

From 24f0fa56a65b0f6e31894413864014413fe06cfa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vcunat@gmail.com>
Date: Sat, 6 May 2017 11:57:32 +0200
Subject: [PATCH 17/35] mesa: no more grsecurity support by default

Nixpkgs discontinued grsecurity support: #25277.
---
 pkgs/top-level/all-packages.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index e10e5fc24e5..3c729aa2226 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -9129,7 +9129,7 @@ with pkgs;
   mesa_noglu = mesaDarwinOr (callPackage ../development/libraries/mesa {
     # makes it slower, but during runtime we link against just mesa_drivers
     # through /run/opengl-driver*, which is overriden according to config.grsecurity
-    grsecEnabled = true;
+    # grsecEnabled = true; # no more support in nixpkgs ATM
     llvmPackages = llvmPackages_39;
   });
   mesa_glu =  mesaDarwinOr (callPackage ../development/libraries/mesa-glu { });

From 24ec5f07bc41ce1c976e7ed1b689440d8696b988 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vcunat@gmail.com>
Date: Sat, 6 May 2017 12:47:27 +0200
Subject: [PATCH 18/35] mesa: LLVM dependency 3.9 -> 4

---
 pkgs/top-level/all-packages.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 3c729aa2226..5c0a66ca5f6 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -9130,7 +9130,7 @@ with pkgs;
     # makes it slower, but during runtime we link against just mesa_drivers
     # through /run/opengl-driver*, which is overriden according to config.grsecurity
     # grsecEnabled = true; # no more support in nixpkgs ATM
-    llvmPackages = llvmPackages_39;
+    llvmPackages = llvmPackages_4;
   });
   mesa_glu =  mesaDarwinOr (callPackage ../development/libraries/mesa-glu { });
   mesa_drivers = mesaDarwinOr (

From 7830ce47cb931f748f8a08ddbb29caf430befe1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vcunat@gmail.com>
Date: Sat, 6 May 2017 12:48:15 +0200
Subject: [PATCH 19/35] xf86-video-nouveau: maintenance 1.0.14 -> 1.0.15

---
 pkgs/servers/x11/xorg/default.nix       | 6 +++---
 pkgs/servers/x11/xorg/tarballs-7.7.list | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkgs/servers/x11/xorg/default.nix b/pkgs/servers/x11/xorg/default.nix
index 2ef8597efff..6ad0afef348 100644
--- a/pkgs/servers/x11/xorg/default.nix
+++ b/pkgs/servers/x11/xorg/default.nix
@@ -1869,11 +1869,11 @@ let
   }) // {inherit fontsproto randrproto renderproto videoproto xorgserver xproto ;};
 
   xf86videonouveau = (mkDerivation "xf86videonouveau" {
-    name = "xf86-video-nouveau-1.0.14";
+    name = "xf86-video-nouveau-1.0.15";
     builder = ./builder.sh;
     src = fetchurl {
-      url = mirror://xorg/individual/driver/xf86-video-nouveau-1.0.14.tar.bz2;
-      sha256 = "1h9izq510m2pvg77d0y9krc0cvvbhp2y3xlrrz6id7y47jdzkpsd";
+      url = mirror://xorg/individual/driver/xf86-video-nouveau-1.0.15.tar.bz2;
+      sha256 = "0k0xah72ryjwak4dc4crszxrlkmi9x1s7p3sd4la642n77yi1pmf";
     };
     buildInputs = [pkgconfig dri2proto fontsproto libdrm udev libpciaccess randrproto renderproto videoproto xextproto xorgserver xproto ];
     meta.platforms = stdenv.lib.platforms.unix;
diff --git a/pkgs/servers/x11/xorg/tarballs-7.7.list b/pkgs/servers/x11/xorg/tarballs-7.7.list
index c2d4f8dca57..46c07f291ac 100644
--- a/pkgs/servers/x11/xorg/tarballs-7.7.list
+++ b/pkgs/servers/x11/xorg/tarballs-7.7.list
@@ -131,7 +131,7 @@ mirror://xorg/individual/driver/xf86-video-amdgpu-1.3.0.tar.bz2
 mirror://xorg/individual/driver/xf86-video-ark-0.7.5.tar.bz2
 mirror://xorg/individual/driver/xf86-video-ast-1.1.5.tar.bz2
 mirror://xorg/individual/driver/xf86-video-ati-7.9.0.tar.bz2
-mirror://xorg/individual/driver/xf86-video-nouveau-1.0.14.tar.bz2
+mirror://xorg/individual/driver/xf86-video-nouveau-1.0.15.tar.bz2
 mirror://xorg/individual/driver/xf86-video-chips-1.2.7.tar.bz2
 mirror://xorg/individual/driver/xf86-video-cirrus-1.5.3.tar.bz2
 mirror://xorg/individual/driver/xf86-video-dummy-0.3.8.tar.bz2

From ef5844be6cf7da93f4c2bee9242da3bddf083ad8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vcunat@gmail.com>
Date: Sat, 6 May 2017 13:18:28 +0200
Subject: [PATCH 20/35] stdenv: disable audit-tmpdir on non-Linux for now

Without changing any hashes.
---
 pkgs/stdenv/generic/default.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/pkgs/stdenv/generic/default.nix b/pkgs/stdenv/generic/default.nix
index 43b35082161..2fd477ca853 100644
--- a/pkgs/stdenv/generic/default.nix
+++ b/pkgs/stdenv/generic/default.nix
@@ -94,7 +94,11 @@ let
       ../../build-support/setup-hooks/compress-man-pages.sh
       ../../build-support/setup-hooks/strip.sh
       ../../build-support/setup-hooks/patch-shebangs.sh
-      ../../build-support/setup-hooks/audit-tmpdir.sh
+    ]
+      # FIXME this on Darwin; see
+      # https://github.com/NixOS/nixpkgs/commit/94d164dd7#commitcomment-22030369
+    ++ lib.optional result.isLinux ../../build-support/setup-hooks/audit-tmpdir.sh
+    ++ [
       ../../build-support/setup-hooks/multiple-outputs.sh
       ../../build-support/setup-hooks/move-sbin.sh
       ../../build-support/setup-hooks/move-lib64.sh

From 0a897b2a33dd920456b058de9f835aa890a67cd9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vcunat@gmail.com>
Date: Sat, 6 May 2017 15:53:06 +0200
Subject: [PATCH 21/35] mesa: use older LLVM on aarch64 for now

---
 pkgs/top-level/all-packages.nix | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index e6e65cee66e..c59497d4be3 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -9139,12 +9139,16 @@ with pkgs;
       inherit (darwin) apple_sdk;
     }
     else alternative;
+
   mesa_noglu = mesaDarwinOr (callPackage ../development/libraries/mesa {
     # makes it slower, but during runtime we link against just mesa_drivers
     # through /run/opengl-driver*, which is overriden according to config.grsecurity
     # grsecEnabled = true; # no more support in nixpkgs ATM
-    llvmPackages = llvmPackages_4;
+
+    # llvm-4.0.0 won't pass tests on aarch64
+    llvmPackages = if system == "aarch64-linux" then llvmPackages_39 else llvmPackages_4;
   });
+
   mesa_glu =  mesaDarwinOr (callPackage ../development/libraries/mesa-glu { });
   mesa_drivers = mesaDarwinOr (
     let mo = mesa_noglu.override {

From d4dde073fd9d59f104d295df32f60ad8d56889ea Mon Sep 17 00:00:00 2001
From: Frederik Rietdijk <fridh@fridh.nl>
Date: Sun, 7 May 2017 21:35:43 +0200
Subject: [PATCH 22/35] Python release: do not build all Python packages

as we agreed not to. Maybe in the future we will again. Do build a
couple of packages that take a longer time to build.
---
 pkgs/top-level/release.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pkgs/top-level/release.nix b/pkgs/top-level/release.nix
index cf4d54fe049..089e0ef4518 100644
--- a/pkgs/top-level/release.nix
+++ b/pkgs/top-level/release.nix
@@ -111,6 +111,7 @@ let
       ocamlPackages = { };
       perlPackages = { };
       pythonPackages = {
+        blaze = unix;
         pandas = unix;
         scikitlearn = unix;
       };
@@ -122,6 +123,12 @@ let
         pandas = unix;
         scikitlearn = unix;
       };
+      python36Packages = {
+        blaze = unix;
+        pandas = unix;
+        scikitlearn = unix;
+      };
+
     } ));
 
 in jobs

From 28154f45a6b56258f9df7f7e7ffc3a743427aac9 Mon Sep 17 00:00:00 2001
From: Linus Heckemann <git@sphalerite.org>
Date: Wed, 10 May 2017 14:31:54 +0100
Subject: [PATCH 23/35] cmake setup hook: allow other build types

---
 pkgs/development/tools/build-managers/cmake/setup-hook.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/development/tools/build-managers/cmake/setup-hook.sh b/pkgs/development/tools/build-managers/cmake/setup-hook.sh
index f6dd5460c35..bf876e81cda 100755
--- a/pkgs/development/tools/build-managers/cmake/setup-hook.sh
+++ b/pkgs/development/tools/build-managers/cmake/setup-hook.sh
@@ -49,7 +49,7 @@ cmakeConfigurePhase() {
 
     # Avoid cmake resetting the rpath of binaries, on make install
     # And build always Release, to ensure optimisation flags
-    cmakeFlags="-DCMAKE_BUILD_TYPE=Release -DCMAKE_SKIP_BUILD_RPATH=ON $cmakeFlags"
+    cmakeFlags="-DCMAKE_BUILD_TYPE=${cmakeBuildType:-Release} -DCMAKE_SKIP_BUILD_RPATH=ON $cmakeFlags"
 
     echo "cmake flags: $cmakeFlags ${cmakeFlagsArray[@]}"
 

From 1c9ed32a343f4016a4b85bc3e179fc49e286e5c2 Mon Sep 17 00:00:00 2001
From: Marc Nickert <marcnnn@gmail.com>
Date: Fri, 12 May 2017 17:27:18 +0200
Subject: [PATCH 24/35] libtiff: security 4.0.7-5 -> 4.0.7-6 (Debian patches)

Taken from PR #25742, only adding extra comment.
---
 pkgs/development/libraries/libtiff/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/development/libraries/libtiff/default.nix b/pkgs/development/libraries/libtiff/default.nix
index c6705703149..a23e3704035 100644
--- a/pkgs/development/libraries/libtiff/default.nix
+++ b/pkgs/development/libraries/libtiff/default.nix
@@ -12,10 +12,10 @@ stdenv.mkDerivation rec {
   };
 
   prePatch =let
-      # https://lwn.net/Vulnerabilities/711777/
+      # https://lwn.net/Vulnerabilities/711777/ and more patched in *-6 -> *-7
       debian = fetchurl {
-        url = http://http.debian.net/debian/pool/main/t/tiff/tiff_4.0.7-5.debian.tar.xz;
-        sha256 = "1ribxdn89wx3nllcyh7ql3dx6wpr1h7z3waglz1w7dklxm43q67l";
+        url = http://http.debian.net/debian/pool/main/t/tiff/tiff_4.0.7-6.debian.tar.xz;
+        sha256 = "9c9048c28205bdbeb5ba36c7a194d0cd604bd137c70961607bfc8a079be5fa31";
       };
     in ''
       tar xf '${debian}'

From fcdb4b51f852a5654e101f2035e55f129562658d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vcunat@gmail.com>
Date: Sun, 14 May 2017 14:36:54 +0200
Subject: [PATCH 25/35] mesa: maintenance 17.0.5 -> 17.0.6

---
 pkgs/development/libraries/mesa/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix
index a8516b62314..b6ca7a0a476 100644
--- a/pkgs/development/libraries/mesa/default.nix
+++ b/pkgs/development/libraries/mesa/default.nix
@@ -67,7 +67,7 @@ let
 in
 
 let
-  version = "17.0.5";
+  version = "17.0.6";
   branch  = head (splitString "." version);
   driverLink = "/run/opengl-driver" + optionalString stdenv.isi686 "-32";
 in
@@ -82,7 +82,7 @@ stdenv.mkDerivation {
       "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz"
       "https://launchpad.net/mesa/trunk/${version}/+download/mesa-${version}.tar.xz"
     ];
-    sha256 = "668efa445d2f57a26e5c096b1965a685733a3b57d9c736f9d6460263847f9bfe";
+    sha256 = "17d60jjzg4ddm95gk2cqx0xz6b9anmmz6ax4majwr3gis2yg7v49";
   };
 
   prePatch = "patchShebangs .";

From b0d2de45cddcd1e4578bfae121e606f89b00fc5e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vcunat@gmail.com>
Date: Sun, 14 May 2017 14:59:55 +0200
Subject: [PATCH 26/35] freetype: fix CVE-2017-{8105,8287} by upstream patches

I copied the patches, as the changelog changes would certainly conflict.
---
 .../libraries/freetype/cve-2017-8105.patch    | 27 +++++++++++++++++++
 .../libraries/freetype/cve-2017-8287.patch    | 22 +++++++++++++++
 .../libraries/freetype/default.nix            |  3 +++
 3 files changed, 52 insertions(+)
 create mode 100644 pkgs/development/libraries/freetype/cve-2017-8105.patch
 create mode 100644 pkgs/development/libraries/freetype/cve-2017-8287.patch

diff --git a/pkgs/development/libraries/freetype/cve-2017-8105.patch b/pkgs/development/libraries/freetype/cve-2017-8105.patch
new file mode 100644
index 00000000000..dc4327a52a8
--- /dev/null
+++ b/pkgs/development/libraries/freetype/cve-2017-8105.patch
@@ -0,0 +1,27 @@
+http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee43
+
+diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
+index af7b465..7dd4513 100644
+--- a/src/psaux/t1decode.c
++++ b/src/psaux/t1decode.c
+@@ -780,10 +780,19 @@
+             /* point without adding any point to the outline    */
+             idx = decoder->num_flex_vectors++;
+             if ( idx > 0 && idx < 7 )
++            {
++              /* in malformed fonts it is possible to have other */
++              /* opcodes in the middle of a flex (which don't    */
++              /* increase `num_flex_vectors'); we thus have to   */
++              /* check whether we can add a point                */
++              if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
++                goto Syntax_Error;
++
+               t1_builder_add_point( builder,
+                                     x,
+                                     y,
+                                     (FT_Byte)( idx == 3 || idx == 6 ) );
++            }
+           }
+           break;
+ 
+
diff --git a/pkgs/development/libraries/freetype/cve-2017-8287.patch b/pkgs/development/libraries/freetype/cve-2017-8287.patch
new file mode 100644
index 00000000000..7ccf4f3278b
--- /dev/null
+++ b/pkgs/development/libraries/freetype/cve-2017-8287.patch
@@ -0,0 +1,22 @@
+http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=3774fc08b
+
+diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c
+index d18e821..0baf836 100644
+--- a/src/psaux/psobjs.c
++++ b/src/psaux/psobjs.c
+@@ -1718,6 +1718,14 @@
+     first = outline->n_contours <= 1
+             ? 0 : outline->contours[outline->n_contours - 2] + 1;
+ 
++    /* in malformed fonts it can happen that a contour was started */
++    /* but no points were added                                    */
++    if ( outline->n_contours && first == outline->n_points )
++    {
++      outline->n_contours--;
++      return;
++    }
++
+     /* We must not include the last point in the path if it */
+     /* is located on the first point.                       */
+     if ( outline->n_points > 1 )
+
diff --git a/pkgs/development/libraries/freetype/default.nix b/pkgs/development/libraries/freetype/default.nix
index 287a0742440..9b2c6fe11e1 100644
--- a/pkgs/development/libraries/freetype/default.nix
+++ b/pkgs/development/libraries/freetype/default.nix
@@ -48,6 +48,9 @@ in stdenv.mkDerivation {
       ./pcf-config-long-family-names.patch
       ./disable-pcf-long-family-names.patch
       ./enable-table-validation.patch
+      # remove the two CVE patches after updating to >= 2.8
+      ./cve-2017-8105.patch
+      ./cve-2017-8287.patch
     ] ++
     optional useEncumberedCode ./enable-subpixel-rendering.patch;
 

From 0b89f71a07676a09571e22c0e8e8e6928da9334b Mon Sep 17 00:00:00 2001
From: Franz Pletz <fpletz@fnordicwalking.de>
Date: Sat, 13 May 2017 19:35:50 +0200
Subject: [PATCH 27/35] unbound: 1.6.1 -> 1.6.2

---
 pkgs/tools/networking/unbound/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/tools/networking/unbound/default.nix b/pkgs/tools/networking/unbound/default.nix
index 0a1d557dd93..4d24a7f4e83 100644
--- a/pkgs/tools/networking/unbound/default.nix
+++ b/pkgs/tools/networking/unbound/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   name = "unbound-${version}";
-  version = "1.6.1";
+  version = "1.6.2";
 
   src = fetchurl {
     url = "http://unbound.net/downloads/${name}.tar.gz";
-    sha256 = "000lylg5qgriaxh6k78l2inb905qshx01kxgmqj89zn08gvn7ps2";
+    sha256 = "171vbqijfk1crm04dbgbvw4052n6kwcvyvly3habg011qdr3schs";
   };
 
   outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB

From c68a24120815411e82224d6c96ff287cb79c11ac Mon Sep 17 00:00:00 2001
From: mimadrid <mimadrid@ucm.es>
Date: Mon, 15 May 2017 19:32:35 +0200
Subject: [PATCH 28/35] gnutls: 3.5.11 -> 3.5.12

---
 pkgs/development/libraries/gnutls/3.5.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/gnutls/3.5.nix b/pkgs/development/libraries/gnutls/3.5.nix
index 77ecd4957f7..8071cd4b46b 100644
--- a/pkgs/development/libraries/gnutls/3.5.nix
+++ b/pkgs/development/libraries/gnutls/3.5.nix
@@ -1,11 +1,11 @@
 { callPackage, fetchurl, libunistring, ... } @ args:
 
 callPackage ./generic.nix (args // rec {
-  version = "3.5.11";
+  version = "3.5.12";
 
   src = fetchurl {
     url = "ftp://ftp.gnutls.org/gcrypt/gnutls/v3.5/gnutls-${version}.tar.xz";
-    sha256 = "13z2dxxyrsb7gfpl1k2kafqh2zaigi872y5xgykhs9cyaz2mqxji";
+    sha256 = "1jspvrmydqgz30c1ji94b55gr2dynz7p96p4y8fkhad0xajkkjv3";
   };
 
   # Skip two tests introduced in 3.5.11.  Probable reasons of failure:

From 65ede052fa9f005efcdb2e852315a0e6f02ce92d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vcunat@gmail.com>
Date: Tue, 16 May 2017 16:35:52 +0200
Subject: [PATCH 29/35] treewide: fixup packages with RPATH problems

---
 pkgs/applications/science/math/calc/default.nix | 3 +++
 pkgs/development/compilers/bigloo/default.nix   | 3 +++
 pkgs/development/compilers/swift/default.nix    | 3 +++
 pkgs/development/libraries/libftdi/default.nix  | 3 +++
 pkgs/games/klavaro/default.nix                  | 3 +++
 pkgs/os-specific/linux/libsmbios/default.nix    | 3 +++
 pkgs/tools/security/ssdeep/default.nix          | 3 +++
 7 files changed, 21 insertions(+)

diff --git a/pkgs/applications/science/math/calc/default.nix b/pkgs/applications/science/math/calc/default.nix
index 19f769e4365..b8ed7ffac3c 100644
--- a/pkgs/applications/science/math/calc/default.nix
+++ b/pkgs/applications/science/math/calc/default.nix
@@ -34,6 +34,9 @@ stdenv.mkDerivation rec {
     wrapProgram $out/bin/calc --prefix LD_LIBRARY_PATH : $out/lib
   '';
 
+  # Hack to avoid TMPDIR in RPATHs.
+  preFixup = ''rm -rf "$(pwd)" '';
+
   meta = {
     description = "C-style arbitrary precision calculator";
     homepage = http://www.isthe.com/chongo/tech/comp/calc/;
diff --git a/pkgs/development/compilers/bigloo/default.nix b/pkgs/development/compilers/bigloo/default.nix
index 3599ff750c2..bf2272a75c1 100644
--- a/pkgs/development/compilers/bigloo/default.nix
+++ b/pkgs/development/compilers/bigloo/default.nix
@@ -32,6 +32,9 @@ stdenv.mkDerivation rec {
 
   checkTarget = "test";
 
+  # Hack to avoid TMPDIR in RPATHs.
+  preFixup = ''rm -rf "$(pwd)" '';
+
   meta = {
     description = "Efficient Scheme compiler";
     homepage    = http://www-sop.inria.fr/indes/fp/Bigloo/;
diff --git a/pkgs/development/compilers/swift/default.nix b/pkgs/development/compilers/swift/default.nix
index 4b918c9e32a..839ecdbeb65 100644
--- a/pkgs/development/compilers/swift/default.nix
+++ b/pkgs/development/compilers/swift/default.nix
@@ -253,6 +253,9 @@ stdenv.mkDerivation rec {
     ln -s ${binutils}/bin/ar $out/bin/ar
   '';
 
+  # Hack to avoid TMPDIR in RPATHs.
+  preFixup = ''rm -rf "$(pwd)" '';
+
   meta = with stdenv.lib; {
     description = "The Swift Programming Language";
     homepage = "https://github.com/apple/swift";
diff --git a/pkgs/development/libraries/libftdi/default.nix b/pkgs/development/libraries/libftdi/default.nix
index 36f4a04c9df..f0d05c0b263 100644
--- a/pkgs/development/libraries/libftdi/default.nix
+++ b/pkgs/development/libraries/libftdi/default.nix
@@ -12,6 +12,9 @@ stdenv.mkDerivation rec {
 
   propagatedBuildInputs = [ libusb ];
 
+  # Hack to avoid TMPDIR in RPATHs.
+  preFixup = ''rm -rf "$(pwd)" '';
+
   meta = {
     description = "A library to talk to FTDI chips using libusb";
     homepage = http://www.intra2net.com/en/developer/libftdi/;
diff --git a/pkgs/games/klavaro/default.nix b/pkgs/games/klavaro/default.nix
index 2ca105af19d..162543da10c 100644
--- a/pkgs/games/klavaro/default.nix
+++ b/pkgs/games/klavaro/default.nix
@@ -16,6 +16,9 @@ stdenv.mkDerivation rec {
       --prefix LD_LIBRARY_PATH : $out/lib
   '';
 
+  # Hack to avoid TMPDIR in RPATHs.
+  preFixup = ''rm -rf "$(pwd)" '';
+
   meta = {
     description = "Just another free touch typing tutor program";
     homepage = http://klavaro.sourceforge.net/;
diff --git a/pkgs/os-specific/linux/libsmbios/default.nix b/pkgs/os-specific/linux/libsmbios/default.nix
index e2b675fb4ff..eaf6d98ba9d 100644
--- a/pkgs/os-specific/linux/libsmbios/default.nix
+++ b/pkgs/os-specific/linux/libsmbios/default.nix
@@ -23,6 +23,9 @@ stdenv.mkDerivation {
       cp -va "out/public-include/"* "$out/include/"
     '';
 
+  # Hack to avoid TMPDIR in RPATHs.
+  preFixup = ''rm -rf "$(pwd)" '';
+
   meta = {
     homepage = "http://linux.dell.com/libsmbios/main";
     description = "A library to obtain BIOS information";
diff --git a/pkgs/tools/security/ssdeep/default.nix b/pkgs/tools/security/ssdeep/default.nix
index b581d800794..0a9804a743b 100644
--- a/pkgs/tools/security/ssdeep/default.nix
+++ b/pkgs/tools/security/ssdeep/default.nix
@@ -9,6 +9,9 @@ stdenv.mkDerivation rec {
     sha256 = "1igqy0j7jrklb8fdlrm6ald4cyl1fda5ipfl8crzyl6bax2ajk3f";
   };
 
+  # Hack to avoid TMPDIR in RPATHs.
+  preFixup = ''rm -rf "$(pwd)" '';
+
   # For some reason (probably a build system bug), the binary isn't
   # properly linked to $out/lib to find libfuzzy.so
   postFixup = stdenv.lib.optionalString (!stdenv.isDarwin) ''

From f5c568446a12dbf58836925c5487e5cdad1fa578 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vcunat@gmail.com>
Date: Tue, 16 May 2017 18:11:07 +0200
Subject: [PATCH 30/35] qtwebkit-*: fix #25585: bad RPATH entries

---
 pkgs/development/libraries/qt-5/5.6/qtwebkit/default.nix | 4 ++++
 pkgs/development/libraries/qt-5/5.8/qtwebkit/default.nix | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/pkgs/development/libraries/qt-5/5.6/qtwebkit/default.nix b/pkgs/development/libraries/qt-5/5.6/qtwebkit/default.nix
index 915a6bcae8a..23a45dd44ed 100644
--- a/pkgs/development/libraries/qt-5/5.6/qtwebkit/default.nix
+++ b/pkgs/development/libraries/qt-5/5.6/qtwebkit/default.nix
@@ -31,5 +31,9 @@ qtSubmodule {
         };
     in optionals flashplayerFix [ dlopen-webkit-nsplugin dlopen-webkit-gtk ]
     ++ [ dlopen-webkit-udev ];
+
+  # Hack to avoid TMPDIR in RPATHs.
+  preFixup = ''rm -rf "$(pwd)" && mkdir "$(pwd)" '';
+
   meta.maintainers = with stdenv.lib.maintainers; [ abbradar ];
 }
diff --git a/pkgs/development/libraries/qt-5/5.8/qtwebkit/default.nix b/pkgs/development/libraries/qt-5/5.8/qtwebkit/default.nix
index 881acb442e8..bee3786ef32 100644
--- a/pkgs/development/libraries/qt-5/5.8/qtwebkit/default.nix
+++ b/pkgs/development/libraries/qt-5/5.8/qtwebkit/default.nix
@@ -39,5 +39,9 @@ qtSubmodule {
     in optionals flashplayerFix [ dlopen-webkit-nsplugin dlopen-webkit-gtk ]
     ++ optionals (!stdenv.isDarwin) [ dlopen-webkit-udev ]
     ++ optionals (stdenv.isDarwin) [ ./0004-icucore-darwin.patch ];
+
+  # Hack to avoid TMPDIR in RPATHs.
+  preFixup = ''rm -rf "$(pwd)" && mkdir "$(pwd)" '';
+
   meta.maintainers = with stdenv.lib.maintainers; [ abbradar periklis ];
 }

From 71a7e221d8f0def852f3a692daa3904a50523b30 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vcunat@gmail.com>
Date: Tue, 16 May 2017 16:35:52 +0200
Subject: [PATCH 31/35] treewide: fixup packages with RPATH problems

---
 pkgs/development/libraries/accounts-qt/default.nix | 3 +++
 pkgs/development/libraries/libcommuni/default.nix  | 3 +++
 pkgs/development/libraries/libdwg/default.nix      | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/pkgs/development/libraries/accounts-qt/default.nix b/pkgs/development/libraries/accounts-qt/default.nix
index 4f74c5fca35..a6d9a9381f9 100644
--- a/pkgs/development/libraries/accounts-qt/default.nix
+++ b/pkgs/development/libraries/accounts-qt/default.nix
@@ -18,6 +18,9 @@ stdenv.mkDerivation rec {
     qmakeFlags="$qmakeFlags LIBDIR=$out/lib CMAKE_CONFIG_PATH=$out/lib/cmake"
   '';
 
+  # Hack to avoid TMPDIR in RPATHs.
+  preFixup = ''rm -rf "$(pwd)" '';
+
   meta = with stdenv.lib; {
     description = "Qt library for accessing the online accounts database";
     homepage = "http://code.google.com/p/accounts-sso/";
diff --git a/pkgs/development/libraries/libcommuni/default.nix b/pkgs/development/libraries/libcommuni/default.nix
index 8e911a9b015..3632fff43bd 100644
--- a/pkgs/development/libraries/libcommuni/default.nix
+++ b/pkgs/development/libraries/libcommuni/default.nix
@@ -25,6 +25,9 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
 
+  # Hack to avoid TMPDIR in RPATHs.
+  preFixup = ''rm -rf "$(pwd)" '';
+
   meta = with stdenv.lib; {
     description = "A cross-platform IRC framework written with Qt";
     homepage = https://communi.github.io;
diff --git a/pkgs/development/libraries/libdwg/default.nix b/pkgs/development/libraries/libdwg/default.nix
index 2a2dfbb0be5..5ee92b46385 100644
--- a/pkgs/development/libraries/libdwg/default.nix
+++ b/pkgs/development/libraries/libdwg/default.nix
@@ -12,6 +12,9 @@ stdenv.mkDerivation {
 
   hardeningDisable = [ "format" ];
 
+  # Hack to avoid TMPDIR in RPATHs.
+  preFixup = ''rm -rf "$(pwd)" '';
+
   meta = {
     description = "Library reading dwg files";
     homepage = http://libdwg.sourceforge.net/en/;

From cbdcc20e7778630cd67f6425c70d272055e2fecd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vcunat@gmail.com>
Date: Thu, 18 May 2017 11:39:00 +0200
Subject: [PATCH 32/35] sile, simavr: fixup packages with RPATH problems

---
 pkgs/development/tools/simavr/default.nix | 3 +++
 pkgs/tools/typesetting/sile/default.nix   | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/pkgs/development/tools/simavr/default.nix b/pkgs/development/tools/simavr/default.nix
index 9fa6b8b5716..5ad2647ea31 100644
--- a/pkgs/development/tools/simavr/default.nix
+++ b/pkgs/development/tools/simavr/default.nix
@@ -18,6 +18,9 @@ stdenv.mkDerivation rec {
   buildFlags = "AVR_ROOT=${avrgcclibc}/avr SIMAVR_VERSION=${version}";
   installFlags = buildFlags + " DESTDIR=$(out)";
 
+  # Hack to avoid TMPDIR in RPATHs.
+  preFixup = ''rm -rf "$(pwd)" && mkdir "$(pwd)" '';
+
   postFixup = ''
     target="$out/bin/simavr"
     patchelf --set-rpath "$(patchelf --print-rpath "$target"):$out/lib" "$target"
diff --git a/pkgs/tools/typesetting/sile/default.nix b/pkgs/tools/typesetting/sile/default.nix
index 2c34a9aff32..18ab2d1f9c7 100644
--- a/pkgs/tools/typesetting/sile/default.nix
+++ b/pkgs/tools/typesetting/sile/default.nix
@@ -45,6 +45,9 @@ stdenv.mkDerivation rec {
       --set LUA_CPATH "${luaCPath};" \
   '';
 
+  # Hack to avoid TMPDIR in RPATHs.
+  preFixup = ''rm -rf "$(pwd)" && mkdir "$(pwd)" '';
+
   meta = {
     description = "A typesetting system";
     longDescription = ''

From a19cf228d5032ad9aaaa722ef1aa82abc4814da5 Mon Sep 17 00:00:00 2001
From: John Ericson <Ericson2314@Yahoo.com>
Date: Wed, 17 May 2017 19:30:19 -0400
Subject: [PATCH 33/35] ncurses: Break hash to simplify derivation

---
 pkgs/development/libraries/ncurses/default.nix | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/pkgs/development/libraries/ncurses/default.nix b/pkgs/development/libraries/ncurses/default.nix
index 9e7f2eef46b..46283e371aa 100644
--- a/pkgs/development/libraries/ncurses/default.nix
+++ b/pkgs/development/libraries/ncurses/default.nix
@@ -65,9 +65,6 @@ stdenv.mkDerivation rec {
     sed -i -e 's,LIB_SUFFIX="t,LIB_SUFFIX=",' configure
   '';
 
-  # Here only for native hash, remove on next mass rebuild
-  selfNativeBuildInput = buildPlatform == hostPlatform;
-
   enableParallelBuilding = true;
 
   doCheck = false;

From acd32a4caf533ca6202afad07c085450649dbe4a Mon Sep 17 00:00:00 2001
From: Frederik Rietdijk <fridh@fridh.nl>
Date: Fri, 19 May 2017 14:21:58 +0200
Subject: [PATCH 34/35] Python: set DETERMINISTIC_BUILD and PYTHONHASHSEED in
 setupHook

The Python interpreters are patched so they can build .pyc bytecode free
of certain indeterminism.

When building Python packages we currently set

```
compiling python files.
in nix store.
DETERMINISTIC_BUILD=1;
PYTHONHASHSEED = 0;
```

Instead if setting these environment variables in the function that
builds the package, this commit sets the variables instead in the Python
setup hook. That way, whenever Python is included in a derivation, these
variables are set.

See also the issue https://github.com/NixOS/nixpkgs/issues/25707.
---
 .../python/cpython/2.7/default.nix            |  3 ++-
 .../python/cpython/2.7/setup-hook.sh          | 15 -------------
 .../python/cpython/3.3/default.nix            |  2 +-
 .../python/cpython/3.3/setup-hook.sh          | 15 -------------
 .../python/cpython/3.4/default.nix            |  3 ++-
 .../python/cpython/3.4/setup-hook.sh          | 15 -------------
 .../python/cpython/3.5/default.nix            |  3 ++-
 .../python/cpython/3.5/setup-hook.sh          | 15 -------------
 .../python/cpython/3.6/default.nix            |  3 ++-
 .../python/cpython/3.6/setup-hook.sh          | 15 -------------
 .../python/mk-python-derivation.nix           |  7 -------
 .../interpreters/python/pypy/2.7/default.nix  |  7 ++++---
 .../python/pypy/2.7/setup-hook.sh             | 15 -------------
 .../interpreters/python/setup-hook.nix        | 13 ++++++++++++
 .../interpreters/python/setup-hook.sh         | 21 +++++++++++++++++++
 pkgs/top-level/all-packages.nix               |  3 +++
 16 files changed, 50 insertions(+), 105 deletions(-)
 delete mode 100644 pkgs/development/interpreters/python/cpython/2.7/setup-hook.sh
 delete mode 100644 pkgs/development/interpreters/python/cpython/3.3/setup-hook.sh
 delete mode 100644 pkgs/development/interpreters/python/cpython/3.4/setup-hook.sh
 delete mode 100644 pkgs/development/interpreters/python/cpython/3.5/setup-hook.sh
 delete mode 100644 pkgs/development/interpreters/python/cpython/3.6/setup-hook.sh
 delete mode 100644 pkgs/development/interpreters/python/pypy/2.7/setup-hook.sh
 create mode 100644 pkgs/development/interpreters/python/setup-hook.nix
 create mode 100644 pkgs/development/interpreters/python/setup-hook.sh

diff --git a/pkgs/development/interpreters/python/cpython/2.7/default.nix b/pkgs/development/interpreters/python/cpython/2.7/default.nix
index 8426902414a..c5fa05651bb 100644
--- a/pkgs/development/interpreters/python/cpython/2.7/default.nix
+++ b/pkgs/development/interpreters/python/cpython/2.7/default.nix
@@ -15,6 +15,7 @@
 , expat
 , libffi
 , CF, configd, coreutils
+, python-setup-hook
 # For the Python package set
 , pkgs, packageOverrides ? (self: super: {})
 }:
@@ -150,7 +151,7 @@ in stdenv.mkDerivation {
     NIX_CFLAGS_COMPILE = optionalString stdenv.isDarwin "-msse2";
     DETERMINISTIC_BUILD = 1;
 
-    setupHook = ./setup-hook.sh;
+    setupHook = python-setup-hook sitePackages;
 
     postPatch = optionalString (x11Support && (tix != null)) ''
           substituteInPlace "Lib/lib-tk/Tix.py" --replace "os.environ.get('TIX_LIBRARY')" "os.environ.get('TIX_LIBRARY') or '${tix}/lib'"
diff --git a/pkgs/development/interpreters/python/cpython/2.7/setup-hook.sh b/pkgs/development/interpreters/python/cpython/2.7/setup-hook.sh
deleted file mode 100644
index 4770eea886f..00000000000
--- a/pkgs/development/interpreters/python/cpython/2.7/setup-hook.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-addPythonPath() {
-    addToSearchPathWithCustomDelimiter : PYTHONPATH $1/lib/python2.7/site-packages
-}
-
-toPythonPath() {
-    local paths="$1"
-    local result=
-    for i in $paths; do
-        p="$i/lib/python2.7/site-packages"
-        result="${result}${result:+:}$p"
-    done
-    echo $result
-}
-
-envHooks+=(addPythonPath)
diff --git a/pkgs/development/interpreters/python/cpython/3.3/default.nix b/pkgs/development/interpreters/python/cpython/3.3/default.nix
index c561a1ed750..061176335c4 100644
--- a/pkgs/development/interpreters/python/cpython/3.3/default.nix
+++ b/pkgs/development/interpreters/python/cpython/3.3/default.nix
@@ -77,7 +77,7 @@ in stdenv.mkDerivation {
                         )
   '';
 
-  setupHook = ./setup-hook.sh;
+  setupHook = python-setup-hook sitePackages;
 
   postInstall = ''
     # needed for some packages, especially packages that backport functionality
diff --git a/pkgs/development/interpreters/python/cpython/3.3/setup-hook.sh b/pkgs/development/interpreters/python/cpython/3.3/setup-hook.sh
deleted file mode 100644
index 82a8c0abd32..00000000000
--- a/pkgs/development/interpreters/python/cpython/3.3/setup-hook.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-addPythonPath() {
-    addToSearchPathWithCustomDelimiter : PYTHONPATH $1/lib/python3.3/site-packages
-}
-
-toPythonPath() {
-    local paths="$1"
-    local result=
-    for i in $paths; do
-        p="$i/lib/python3.3/site-packages"
-        result="${result}${result:+:}$p"
-    done
-    echo $result
-}
-
-envHooks+=(addPythonPath)
diff --git a/pkgs/development/interpreters/python/cpython/3.4/default.nix b/pkgs/development/interpreters/python/cpython/3.4/default.nix
index b2a4d849c94..4d20a21a4d1 100644
--- a/pkgs/development/interpreters/python/cpython/3.4/default.nix
+++ b/pkgs/development/interpreters/python/cpython/3.4/default.nix
@@ -13,6 +13,7 @@
 , callPackage
 , self
 , CF, configd
+, python-setup-hook
 # For the Python package set
 , pkgs, packageOverrides ? (self: super: {})
 }:
@@ -100,7 +101,7 @@ in stdenv.mkDerivation {
      ''}
   '';
 
-  setupHook = ./setup-hook.sh;
+  setupHook = python-setup-hook sitePackages;
 
   postInstall = ''
     # needed for some packages, especially packages that backport functionality
diff --git a/pkgs/development/interpreters/python/cpython/3.4/setup-hook.sh b/pkgs/development/interpreters/python/cpython/3.4/setup-hook.sh
deleted file mode 100644
index fddcc0b73fe..00000000000
--- a/pkgs/development/interpreters/python/cpython/3.4/setup-hook.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-addPythonPath() {
-    addToSearchPathWithCustomDelimiter : PYTHONPATH $1/lib/python3.4/site-packages
-}
-
-toPythonPath() {
-    local paths="$1"
-    local result=
-    for i in $paths; do
-        p="$i/lib/python3.4/site-packages"
-        result="${result}${result:+:}$p"
-    done
-    echo $result
-}
-
-envHooks+=(addPythonPath)
diff --git a/pkgs/development/interpreters/python/cpython/3.5/default.nix b/pkgs/development/interpreters/python/cpython/3.5/default.nix
index 76f445f7a50..a4aec241a1a 100644
--- a/pkgs/development/interpreters/python/cpython/3.5/default.nix
+++ b/pkgs/development/interpreters/python/cpython/3.5/default.nix
@@ -13,6 +13,7 @@
 , callPackage
 , self
 , CF, configd
+, python-setup-hook
 # For the Python package set
 , pkgs, packageOverrides ? (self: super: {})
 }:
@@ -102,7 +103,7 @@ in stdenv.mkDerivation {
      ''}
   '';
 
-  setupHook = ./setup-hook.sh;
+  setupHook = python-setup-hook sitePackages;
 
   postInstall = ''
     # needed for some packages, especially packages that backport functionality
diff --git a/pkgs/development/interpreters/python/cpython/3.5/setup-hook.sh b/pkgs/development/interpreters/python/cpython/3.5/setup-hook.sh
deleted file mode 100644
index 2836ad7e8f5..00000000000
--- a/pkgs/development/interpreters/python/cpython/3.5/setup-hook.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-addPythonPath() {
-    addToSearchPathWithCustomDelimiter : PYTHONPATH $1/lib/python3.5/site-packages
-}
-
-toPythonPath() {
-    local paths="$1"
-    local result=
-    for i in $paths; do
-        p="$i/lib/python3.5/site-packages"
-        result="${result}${result:+:}$p"
-    done
-    echo $result
-}
-
-envHooks+=(addPythonPath)
diff --git a/pkgs/development/interpreters/python/cpython/3.6/default.nix b/pkgs/development/interpreters/python/cpython/3.6/default.nix
index 15078619166..d2d922ce495 100644
--- a/pkgs/development/interpreters/python/cpython/3.6/default.nix
+++ b/pkgs/development/interpreters/python/cpython/3.6/default.nix
@@ -14,6 +14,7 @@
 , callPackage
 , self
 , CF, configd
+, python-setup-hook
 # For the Python package set
 , pkgs, packageOverrides ? (self: super: {})
 }:
@@ -94,7 +95,7 @@ in stdenv.mkDerivation {
      ''}
   '';
 
-  setupHook = ./setup-hook.sh;
+  setupHook = python-setup-hook sitePackages;
 
   postInstall = ''
     # needed for some packages, especially packages that backport functionality
diff --git a/pkgs/development/interpreters/python/cpython/3.6/setup-hook.sh b/pkgs/development/interpreters/python/cpython/3.6/setup-hook.sh
deleted file mode 100644
index 26a0d57bc87..00000000000
--- a/pkgs/development/interpreters/python/cpython/3.6/setup-hook.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-addPythonPath() {
-    addToSearchPathWithCustomDelimiter : PYTHONPATH $1/lib/python3.6/site-packages
-}
-
-toPythonPath() {
-    local paths="$1"
-    local result=
-    for i in $paths; do
-        p="$i/lib/python3.6/site-packages"
-        result="${result}${result:+:}$p"
-    done
-    echo $result
-}
-
-envHooks+=(addPythonPath)
diff --git a/pkgs/development/interpreters/python/mk-python-derivation.nix b/pkgs/development/interpreters/python/mk-python-derivation.nix
index 5d710fcad88..1a388bfe4af 100644
--- a/pkgs/development/interpreters/python/mk-python-derivation.nix
+++ b/pkgs/development/interpreters/python/mk-python-derivation.nix
@@ -57,13 +57,6 @@ python.stdenv.mkDerivation (builtins.removeAttrs attrs ["disabled"] // {
 
   inherit pythonPath;
 
-
-  # Determinism: The interpreter is patched to write null timestamps when compiling python files.
-  # This way python doesn't try to update them when we freeze timestamps in nix store.
-  DETERMINISTIC_BUILD=1;
-  # Determinism: We fix the hashes of str, bytes and datetime objects.
-  PYTHONHASHSEED = 0;
-
   buildInputs = [ wrapPython ] ++ buildInputs ++ pythonPath
     ++ [ (ensureNewerSourcesHook { year = "1980"; }) ]
     ++ (lib.optional (lib.hasSuffix "zip" attrs.src.name or "") unzip)
diff --git a/pkgs/development/interpreters/python/pypy/2.7/default.nix b/pkgs/development/interpreters/python/pypy/2.7/default.nix
index 456a078874c..7552c6cd285 100644
--- a/pkgs/development/interpreters/python/pypy/2.7/default.nix
+++ b/pkgs/development/interpreters/python/pypy/2.7/default.nix
@@ -1,6 +1,7 @@
 { stdenv, fetchurl, zlib ? null, zlibSupport ? true, bzip2, pkgconfig, libffi
 , sqlite, openssl, ncurses, python, expat, tcl, tk, tix, xlibsWrapper, libX11
 , makeWrapper, callPackage, self, gdbm, db
+, python-setup-hook
 # For the Python package set
 , pkgs, packageOverrides ? (self: super: {})
 }:
@@ -14,6 +15,7 @@ let
   pythonVersion = "2.7";
   version = "${majorVersion}.${minorVersion}${minorVersionSuffix}";
   libPrefix = "pypy${majorVersion}";
+  sitePackages = "site-packages";
 
 in stdenv.mkDerivation rec {
     name = "pypy-${version}";
@@ -67,7 +69,7 @@ in stdenv.mkDerivation rec {
       ${python.interpreter} rpython/bin/rpython --make-jobs="$NIX_BUILD_CORES" -Ojit --batch pypy/goal/targetpypystandalone.py --withmod-_minimal_curses --withmod-unicodedata --withmod-thread --withmod-bz2 --withmod-_multiprocessing
     '';
 
-    setupHook = ./setup-hook.sh;
+    setupHook = python-setup-hook sitePackages;
 
     postBuild = ''
       cd ./lib_pypy
@@ -125,12 +127,11 @@ in stdenv.mkDerivation rec {
     passthru = let
       pythonPackages = callPackage ../../../../../top-level/python-packages.nix {python=self; overrides=packageOverrides;};
     in rec {
-      inherit zlibSupport libPrefix;
+      inherit zlibSupport libPrefix sitePackages;
       executable = "pypy";
       isPypy = true;
       buildEnv = callPackage ../../wrapper.nix { python = self; };
       interpreter = "${self}/bin/${executable}";
-      sitePackages = "site-packages";
       withPackages = import ../../with-packages.nix { inherit buildEnv pythonPackages;};
       pkgs = pythonPackages;
     };
diff --git a/pkgs/development/interpreters/python/pypy/2.7/setup-hook.sh b/pkgs/development/interpreters/python/pypy/2.7/setup-hook.sh
deleted file mode 100644
index e9081d1eaa5..00000000000
--- a/pkgs/development/interpreters/python/pypy/2.7/setup-hook.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-addPythonPath() {
-    addToSearchPathWithCustomDelimiter : PYTHONPATH $1/site-packages
-}
-
-toPythonPath() {
-    local paths="$1"
-    local result=
-    for i in $paths; do
-        p="$i/site-packages"
-        result="${result}${result:+:}$p"
-    done
-    echo $result
-}
-
-envHooks+=(addPythonPath)
diff --git a/pkgs/development/interpreters/python/setup-hook.nix b/pkgs/development/interpreters/python/setup-hook.nix
new file mode 100644
index 00000000000..b66bd1cc5f6
--- /dev/null
+++ b/pkgs/development/interpreters/python/setup-hook.nix
@@ -0,0 +1,13 @@
+{ runCommand }:
+
+sitePackages:
+
+let
+  hook = ./setup-hook.sh;
+in runCommand "python-setup-hook.sh" {
+  inherit sitePackages;
+} ''
+  cp ${hook} hook.sh
+  substituteAllInPlace hook.sh
+  mv hook.sh $out
+''
diff --git a/pkgs/development/interpreters/python/setup-hook.sh b/pkgs/development/interpreters/python/setup-hook.sh
new file mode 100644
index 00000000000..dda9bed39f8
--- /dev/null
+++ b/pkgs/development/interpreters/python/setup-hook.sh
@@ -0,0 +1,21 @@
+addPythonPath() {
+    addToSearchPathWithCustomDelimiter : PYTHONPATH $1/@sitePackages@
+}
+
+toPythonPath() {
+    local paths="$1"
+    local result=
+    for i in $paths; do
+        p="$i/@sitePackages@"
+        result="${result}${result:+:}$p"
+    done
+    echo $result
+}
+
+envHooks+=(addPythonPath)
+
+# Determinism: The interpreter is patched to write null timestamps when compiling python files.
+# This way python doesn't try to update them when we freeze timestamps in nix store.
+export DETERMINISTIC_BUILD=1;
+# Determinism: We fix the hashes of str, bytes and datetime objects.
+export PYTHONHASHSEED=0;
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index ea47d41fc34..ae7e30d0ff8 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -6162,6 +6162,9 @@ with pkgs;
     self = python36;
   };
 
+  # Should eventually be moved inside Python interpreters.
+  python-setup-hook = callPackage ../development/interpreters/python/setup-hook.nix { };
+
   pypy = pypy27;
 
   pypy27 = callPackage ../development/interpreters/python/pypy/2.7 {

From b7fed33057e29fa0d5ab4921598d037c040baae6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vcunat@gmail.com>
Date: Wed, 24 May 2017 14:09:14 +0200
Subject: [PATCH 35/35] python-3.3: fixup evaluation after #25916

---
 pkgs/development/interpreters/python/cpython/3.3/default.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkgs/development/interpreters/python/cpython/3.3/default.nix b/pkgs/development/interpreters/python/cpython/3.3/default.nix
index 061176335c4..9ff8ec51efe 100644
--- a/pkgs/development/interpreters/python/cpython/3.3/default.nix
+++ b/pkgs/development/interpreters/python/cpython/3.3/default.nix
@@ -11,6 +11,7 @@
 , callPackage
 , self
 , CF, configd
+, python-setup-hook
 # For the Python package set
 , pkgs, packageOverrides ? (self: super: {})
 }: