diff --git a/pkgs/development/interpreters/python/cpython/3.6/default.nix b/pkgs/development/interpreters/python/cpython/3.6/default.nix index b44e167b9f0..d5ac94c76e6 100644 --- a/pkgs/development/interpreters/python/cpython/3.6/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.6/default.nix @@ -27,7 +27,7 @@ with stdenv.lib; let majorVersion = "3.6"; - minorVersion = "3"; + minorVersion = "4"; minorVersionSuffix = ""; pythonVersion = majorVersion; version = "${majorVersion}.${minorVersion}${minorVersionSuffix}"; @@ -48,7 +48,7 @@ in stdenv.mkDerivation { src = fetchurl { url = "https://www.python.org/ftp/python/${majorVersion}.${minorVersion}/Python-${version}.tar.xz"; - sha256 = "1nl1raaagr4car787a2hmjv2dw6gqny53xfd6wisbgx4r5kxk9yd"; + sha256 = "1fna7g8jxzl4kd2pqmmqhva5724c5m920x3fsrpsgskaylmr76qm"; }; NIX_LDFLAGS = optionalString stdenv.isLinux "-lgcc_s"; diff --git a/pkgs/development/libraries/kerberos/krb5.nix b/pkgs/development/libraries/kerberos/krb5.nix index 1e64a4d6600..101c3aca07d 100644 --- a/pkgs/development/libraries/kerberos/krb5.nix +++ b/pkgs/development/libraries/kerberos/krb5.nix @@ -19,10 +19,13 @@ stdenv.mkDerivation rec { sha256 = "0zn8s7anb10hw3nzwjz7vg10fgmmgvwnibn2zrn3nppjxn9f6f8n"; }; + outputs = [ "out" "dev" ]; + configureFlags = [ "--with-tcl=no" "--localstatedir=/var/lib"] ++ optional stdenv.isFreeBSD ''WARN_CFLAGS=""''; - nativeBuildInputs = [ pkgconfig perl yacc ] + nativeBuildInputs = [ pkgconfig perl ] + ++ optional (!libOnly) yacc # Provides the mig command used by the build scripts ++ optional stdenv.isDarwin bootstrap_cmds; buildInputs = [ openssl ] 
@@ -31,20 +34,26 @@ stdenv.mkDerivation rec { preConfigure = "cd ./src"; buildPhase = optionalString libOnly '' - (cd util; make -j $NIX_BUILD_CORES) - (cd include; make -j $NIX_BUILD_CORES) - (cd lib; make -j $NIX_BUILD_CORES) - (cd build-tools; make -j $NIX_BUILD_CORES) + MAKE="make -j $NIX_BUILD_CORES -l $NIX_BUILD_CORES" + (cd util; $MAKE) + (cd include; $MAKE) + (cd lib; $MAKE) + (cd build-tools; $MAKE) ''; installPhase = optionalString libOnly '' - mkdir -p $out/{bin,include/{gssapi,gssrpc,kadm5,krb5},lib/pkgconfig,sbin,share/{et,man/man1}} - (cd util; make -j $NIX_BUILD_CORES install) - (cd include; make -j $NIX_BUILD_CORES install) - (cd lib; make -j $NIX_BUILD_CORES install) - (cd build-tools; make -j $NIX_BUILD_CORES install) - rm -rf $out/{sbin,share} - find $out/bin -type f | grep -v 'krb5-config' | xargs rm + mkdir -p "$out"/{bin,sbin,lib/pkgconfig,share/{et,man/man1}} \ + "$dev"/include/{gssapi,gssrpc,kadm5,krb5} + (cd util; $MAKE install) + (cd include; $MAKE install) + (cd lib; $MAKE install) + (cd build-tools; $MAKE install) + ${postInstall} + ''; + + # not via outputBin, due to reference from libkrb5.so + postInstall = '' + moveToOutput bin "$dev" ''; enableParallelBuilding = true; diff --git a/pkgs/development/libraries/qt-5/modules/qttools.nix b/pkgs/development/libraries/qt-5/modules/qttools.nix index ae6bd18cb14..622d841b405 100644 --- a/pkgs/development/libraries/qt-5/modules/qttools.nix +++ b/pkgs/development/libraries/qt-5/modules/qttools.nix @@ -1,4 +1,4 @@ -{ qtModule, lib, qtbase }: +{ qtModule, stdenv, lib, qtbase }: with lib; @@ -28,6 +28,8 @@ qtModule { "bin/qhelpgenerator" "bin/qtplugininfo" "bin/qthelpconverter" + ] ++ optionals stdenv.isDarwin [ + "bin/macdeployqt" ]; setupHook = ../hooks/qttools-setup-hook.sh; diff --git a/pkgs/development/libraries/serf/default.nix b/pkgs/development/libraries/serf/default.nix index 001199cd821..81dff49571d 100644 --- a/pkgs/development/libraries/serf/default.nix 
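Review bot: In the libOnly `installPhase`, every `$MAKE install` call relies on the shell variable `MAKE`, which is assigned only inside `buildPhase`. That holds while both phases run in the same shell, but if the install phase is run on its own (for example when debugging the build interactively) `$MAKE` is empty and `(cd util; $MAKE install)` would invoke the `install` command instead of make. Repeating `MAKE="make -j $NIX_BUILD_CORES -l $NIX_BUILD_CORES"` as the first line of `installPhase` makes each phase self-contained. Separately, the old `rm -rf $out/{sbin,share}` pruning is gone while `mkdir -p` still creates `sbin` and `share`, so it is worth confirming that the lib-only output does not now ship those directories.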
+++ b/pkgs/development/libraries/serf/default.nix @@ -28,7 +28,7 @@ stdenv.mkDerivation rec { APU="$(echo "${aprutil.dev}"/bin/*-config)" CC="${ if stdenv.cc.isClang then "clang" else "${stdenv.cc}/bin/gcc" }" ${ - if (stdenv.isDarwin || stdenv.isCygwin) then "" else "GSSAPI=\"${kerberos}\"" + if (stdenv.isDarwin || stdenv.isCygwin) then "" else "GSSAPI=\"${kerberos.dev}\"" } ''; diff --git a/pkgs/development/python-modules/gssapi/default.nix b/pkgs/development/python-modules/gssapi/default.nix index 7b90f10338c..3b13f8a2049 100644 --- a/pkgs/development/python-modules/gssapi/default.nix +++ b/pkgs/development/python-modules/gssapi/default.nix @@ -11,7 +11,13 @@ buildPythonPackage rec { sha256 = "1q6ccpz6anl9vggwxdq32wp6xjh2lyfbf7av6jqnmvmyqdfwh3b9"; }; - LD_LIBRARY_PATH="${pkgs.krb5Full}/lib"; + # It's used to locate headers + postPatch = '' + substituteInPlace setup.py \ + --replace "get_output('krb5-config gssapi --prefix')" "'${lib.getDev krb5Full}'" + ''; + + LD_LIBRARY_PATH = "${pkgs.krb5Full}/lib"; buildInputs = [ krb5Full which nose shouldbe ] ++ ( if stdenv.isDarwin then [ darwin.apple_sdk.frameworks.GSS ] else [ gss ] ); diff --git a/pkgs/os-specific/linux/nfs-utils/default.nix b/pkgs/os-specific/linux/nfs-utils/default.nix index e52174c0901..904dae55c9c 100644 --- a/pkgs/os-specific/linux/nfs-utils/default.nix +++ b/pkgs/os-specific/linux/nfs-utils/default.nix @@ -1,10 +1,17 @@ { stdenv, fetchurl, lib, pkgconfig, utillinux, libcap, libtirpc, libevent, libnfsidmap , sqlite, kerberos, kmod, libuuid, keyutils, lvm2, systemd, coreutils, tcp_wrappers +, buildEnv }: let statdPath = lib.makeBinPath [ systemd utillinux coreutils ]; + # Not nice; feel free to find a nicer solution. + kerberosEnv = buildEnv { + name = "kerberos-env-${kerberos.version}"; + paths = with lib; [ (getDev kerberos) (getLib kerberos) ]; + }; + in stdenv.mkDerivation rec { name = "nfs-utils-${version}"; version = "2.1.1"; 
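Review bot: `GSSAPI=\"${kerberos.dev}\"` selects the `dev` output by attribute, which fails at evaluation time if `kerberos` is ever substituted by a package that has no `dev` output. The gssapi and nfs-utils changes in this same commit use `getDev`, which falls back to the default output; `${stdenv.lib.getDev kerberos}` here would be consistent with them. The same applies to `${kerberos.dev}/bin/krb5-config` in openafs-client and to `--with-gssapi=${kerberos.dev}` in curl. The surrounding string starts and ends outside the hunk.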
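Review bot: The new comment `# It's used to locate headers` in the gssapi hunk does not say what "it" is. Something like `# setup.py calls krb5-config --prefix to find the headers, which now live in the dev output` would tell the next maintainer why the substitution exists. The retained `LD_LIBRARY_PATH` line still spells the package `pkgs.krb5Full` while `postPatch` and `buildInputs` use plain `krb5Full`; one form throughout would be tidier. If `setup.py` changes upstream so that the quoted call no longer matches, the replacement may silently stop applying, so it should be re-checked on each version bump.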
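Review bot: The comment on `kerberosEnv` in nfs-utils (`# Not nice; feel free to find a nicer solution.`) records dissatisfaction but not the reason the environment exists. Presumably `--with-krb5` expects one prefix holding both the headers and the libraries, which the `dev`/`out` split no longer provides. Stating that, e.g. `# --with-krb5 wants a single prefix with both headers and libraries, so merge the dev and lib outputs`, would let a later reader judge when the workaround can go. The flag itself is changed in the next hunk of this file.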
@@ -26,7 +33,7 @@ in stdenv.mkDerivation rec { configureFlags = [ "--enable-gss" "--with-statedir=/var/lib/nfs" - "--with-krb5=${kerberos}" + "--with-krb5=${kerberosEnv}" "--with-systemd=$(out)/etc/systemd/system" "--enable-libmount-mount" ] diff --git a/pkgs/servers/openafs-client/default.nix b/pkgs/servers/openafs-client/default.nix index cb004e15cc7..661888c5c5c 100644 --- a/pkgs/servers/openafs-client/default.nix +++ b/pkgs/servers/openafs-client/default.nix @@ -50,7 +50,7 @@ stdenv.mkDerivation rec { ./regen.sh ${stdenv.lib.optionalString (kerberos != null) - "export KRB5_CONFIG=${kerberos}/bin/krb5-config"} + "export KRB5_CONFIG=${kerberos.dev}/bin/krb5-config"} configureFlagsArray=( "--with-linux-kernel-build=$TMP/linux" diff --git a/pkgs/stdenv/darwin/make-bootstrap-tools.nix b/pkgs/stdenv/darwin/make-bootstrap-tools.nix index 5d5a3a81d44..6fb37f24914 100644 --- a/pkgs/stdenv/darwin/make-bootstrap-tools.nix +++ b/pkgs/stdenv/darwin/make-bootstrap-tools.nix @@ -15,6 +15,9 @@ in rec { # Avoid debugging larger changes for now. bzip2_ = bzip2.override (args: { linkStatic = true; }); + # Avoid messing with libkrb5. + curl_ = curl.override (args: { gssSupport = false; }); + build = stdenv.mkDerivation { name = "stdenv-bootstrap-tools"; @@ -60,8 +63,8 @@ in rec { # This used to be in-nixpkgs, but now is in the bundle # because I can't be bothered to make it partially static - cp ${curl.bin}/bin/curl $out/bin - cp -d ${curl.out}/lib/libcurl*.dylib $out/lib + cp ${curl_.bin}/bin/curl $out/bin + cp -d ${curl_.out}/lib/libcurl*.dylib $out/lib cp -d ${libssh2.out}/lib/libssh*.dylib $out/lib cp -d ${openssl.out}/lib/*.dylib $out/lib diff --git a/pkgs/tools/archivers/gnutar/CVE-2016-6321.patch b/pkgs/tools/archivers/gnutar/CVE-2016-6321.patch deleted file mode 100644 index c53d92891fc..00000000000 --- a/pkgs/tools/archivers/gnutar/CVE-2016-6321.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -commit 7340f67b9860ea0531c1450e5aa261c50f67165d -Author: Paul Eggert -Date: Sat Oct 29 21:04:40 2016 -0700 - - When extracting, skip ".." members - - * NEWS: Document this. - * src/extract.c (extract_archive): Skip members whose names - contain "..". - -diff --git a/src/extract.c b/src/extract.c -index f982433..7904148 100644 ---- a/src/extract.c -+++ b/src/extract.c -@@ -1629,12 +1629,20 @@ extract_archive (void) - { - char typeflag; - tar_extractor_t fun; -+ bool skip_dotdot_name; - - fatal_exit_hook = extract_finish; - - set_next_block_after (current_header); - -+ skip_dotdot_name = (!absolute_names_option -+ && contains_dot_dot (current_stat_info.orig_file_name)); -+ if (skip_dotdot_name) -+ ERROR ((0, 0, _("%s: Member name contains '..'"), -+ quotearg_colon (current_stat_info.orig_file_name))); -+ - if (!current_stat_info.file_name[0] -+ || skip_dotdot_name - || (interactive_option - && !confirm ("extract", current_stat_info.file_name))) - { diff --git a/pkgs/tools/archivers/gnutar/default.nix b/pkgs/tools/archivers/gnutar/default.nix index 447ef1f623f..4677ee45afb 100644 --- a/pkgs/tools/archivers/gnutar/default.nix +++ b/pkgs/tools/archivers/gnutar/default.nix @@ -2,15 +2,13 @@ stdenv.mkDerivation rec { name = "gnutar-${version}"; - version = "1.29"; + version = "1.30"; src = fetchurl { url = "mirror://gnu/tar/tar-${version}.tar.xz"; - sha256 = "097hx7sbzp8qirl4m930lw84kn0wmxhmq7v1qpra3mrg0b8cyba0"; + sha256 = "1lyjyk8z8hdddsxw0ikchrsfg3i0x3fsh7l63a8jgaz1n7dr5gzi"; }; - patches = [ ./CVE-2016-6321.patch ]; - # avoid retaining reference to CF during stdenv bootstrap configureFlags = stdenv.lib.optionals stdenv.isDarwin [ "gt_cv_func_CFPreferencesCopyAppValue=no" diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix index c356a307e3e..be42c4a1381 100644 --- a/pkgs/tools/networking/curl/default.nix +++ b/pkgs/tools/networking/curl/default.nix 
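Review bot: With `patches = [ ./CVE-2016-6321.patch ]` removed in gnutar/default.nix, nothing on the new side states that 1.30 already contains the fix for member names containing `..`. The deleted patch is upstream commit 7340f67b9860ea0531c1450e5aa261c50f67165d, dated 2016-10-29, so the 1.30 tarball presumably includes it. That should be confirmed against the release's NEWS or `src/extract.c` and recorded in the commit message. A simple regression check after the bump is to confirm that extraction still emits the patch's "Member name contains '..'" error.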
@@ -6,7 +6,7 @@ , sslSupport ? false, openssl ? null , gnutlsSupport ? false, gnutls ? null , scpSupport ? false, libssh2 ? null -, gssSupport ? false, gss ? null +, gssSupport ? false, kerberos ? null , c-aresSupport ? false, c-ares ? null , brotliSupport ? false, brotli ? null }: @@ -21,6 +21,7 @@ assert gnutlsSupport -> gnutls != null; assert scpSupport -> libssh2 != null; assert c-aresSupport -> c-ares != null; assert brotliSupport -> brotli != null; +assert gssSupport -> kerberos != null; stdenv.mkDerivation rec { name = "curl-7.57.0"; @@ -45,7 +46,7 @@ stdenv.mkDerivation rec { optional idnSupport libidn ++ optional ldapSupport openldap ++ optional zlibSupport zlib ++ - optional gssSupport gss ++ + optional gssSupport kerberos ++ optional c-aresSupport c-ares ++ optional sslSupport openssl ++ optional gnutlsSupport gnutls ++ @@ -70,7 +71,7 @@ stdenv.mkDerivation rec { ( if brotliSupport then "--with-brotli" else "--without-brotli" ) ] ++ stdenv.lib.optional c-aresSupport "--enable-ares=${c-ares}" - ++ stdenv.lib.optional gssSupport "--with-gssapi=${gss}"; + ++ stdenv.lib.optional gssSupport "--with-gssapi=${kerberos.dev}"; CXX = "c++"; CXXCPP = "c++ -E"; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 3da75c9420e..27808c11934 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -184,7 +184,10 @@ with pkgs; # `fetchurl' downloads a file from the network. fetchurl = import ../build-support/fetchurl { - inherit curl stdenv; + inherit stdenv; + # On darwin, libkrb5 needs bootstrap_cmds which would require + # converting many packages to fetchurl_boot to avoid evaluation cycles. + curl = curl.override (lib.optionalAttrs stdenv.isDarwin { gssSupport = false; }); }; fetchRepoProject = callPackage ../build-support/fetchrepoproject { }; 
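Review bot: Renaming the argument `gss ? null` to `kerberos ? null` changes curl's override interface, so any existing `curl.override { gssSupport = true; gss = …; }` outside this diff would presumably fail on an unexpected argument. It also swaps which GSS-API implementation is linked into curl when `gssSupport` is on, and the hunk does not mention that. A one-line comment next to the parameter, e.g. `# gssSupport links against kerberos (formerly the gss package)`, plus a release-note entry would make the change visible to downstream users. The added `assert gssSupport -> kerberos != null;` in the second curl hunk is a good guard and matches the neighbouring asserts.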
@@ -1685,6 +1688,7 @@ with pkgs; zlibSupport = true; sslSupport = zlibSupport; scpSupport = zlibSupport && !stdenv.isSunOS && !stdenv.isCygwin; + gssSupport = true; }; curl_unix_socket = callPackage ../tools/networking/curl-unix-socket rec { }; @@ -8989,7 +8993,10 @@ with pkgs; krb5Full = callPackage ../development/libraries/kerberos/krb5.nix { inherit (darwin) bootstrap_cmds; }; - libkrb5 = krb5Full.override { type = "lib"; }; + libkrb5 = krb5Full.override { + fetchurl = fetchurlBoot; + type = "lib"; + }; languageMachines = recurseIntoAttrs (import ../development/libraries/languagemachines/packages.nix { inherit callPackage; });
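Review bot: `gssSupport = true;` turns on GSS-API for the default `curl`, so libkrb5 becomes part of the closure and loaded code of everything that uses curl or libcurl, including (outside Darwin) the `fetchurl` builder changed earlier in this file. That is likely a wider attack surface than most consumers need, and the hunk gives no rationale. A short comment naming the use case, e.g. `# GSS-API (Kerberos/Negotiate) authentication; disabled for the Darwin fetchurl, see above`, would document the trade-off. The enclosing `callPackage … rec { … }` block starts outside the hunk.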
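Review bot: The `fetchurl = fetchurlBoot;` override on `libkrb5` has no comment, and the reason can only be inferred from the other hunks. Curl now depends on kerberos and the regular `fetchurl` is built from curl, so fetching the krb5 source with it would presumably be circular. Adding `# fetchurlBoot: the regular fetchurl uses curl, which now depends on libkrb5` above the attribute would keep a later cleanup from removing it. The source is still pinned by the `sha256` in krb5.nix, so the fetcher choice does not weaken integrity checking.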