From 75353853fce3a1bd8559eac8562d9a87baebbbf6 Mon Sep 17 00:00:00 2001 From: Spencer Baugh Date: Mon, 25 Sep 2017 19:53:52 +0000 Subject: [PATCH 01/10] curl: use the "kerberos" package rather than specifically GNU gss This allows a policy decision about which Kerberos to use. --- pkgs/tools/networking/curl/default.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix index c01dbbaa3a7..814bc1c5ff3 100644 --- a/pkgs/tools/networking/curl/default.nix +++ b/pkgs/tools/networking/curl/default.nix @@ -6,7 +6,7 @@ , sslSupport ? false, openssl ? null , gnutlsSupport ? false, gnutls ? null , scpSupport ? false, libssh2 ? null -, gssSupport ? false, gss ? null +, gssSupport ? false, kerberos ? null , c-aresSupport ? false, c-ares ? null }: @@ -19,6 +19,7 @@ assert !(gnutlsSupport && sslSupport); assert gnutlsSupport -> gnutls != null; assert scpSupport -> libssh2 != null; assert c-aresSupport -> c-ares != null; +assert gssSupport -> kerberos != null; stdenv.mkDerivation rec { name = "curl-7.56.0"; @@ -43,7 +44,7 @@ stdenv.mkDerivation rec { optional idnSupport libidn ++ optional ldapSupport openldap ++ optional zlibSupport zlib ++ - optional gssSupport gss ++ + optional gssSupport kerberos ++ optional c-aresSupport c-ares ++ optional sslSupport openssl ++ optional gnutlsSupport gnutls ++ @@ -66,7 +67,7 @@ stdenv.mkDerivation rec { ( if idnSupport then "--with-libidn=${libidn.dev}" else "--without-libidn" ) ] ++ stdenv.lib.optional c-aresSupport "--enable-ares=${c-ares}" - ++ stdenv.lib.optional gssSupport "--with-gssapi=${gss}"; + ++ stdenv.lib.optional gssSupport "--with-gssapi=${kerberos}"; CXX = "c++"; CXXCPP = "c++ -E"; From 68432fd1c99f3cad303ce2ba495419c762e93d96 Mon Sep 17 00:00:00 2001 
From: Spencer Baugh Date: Mon, 25 Sep 2017 20:00:34 +0000 Subject: [PATCH 02/10] curl: enable gssSupport in non-fetchurl builds --- pkgs/top-level/all-packages.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index f9183ad14a7..d6631d36074 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -179,7 +179,8 @@ with pkgs; # `fetchurl' downloads a file from the network. fetchurl = import ../build-support/fetchurl { - inherit curl stdenv; + inherit stdenv; + curl = curl.override { gssSupport = false; }; }; fetchRepoProject = callPackage ../build-support/fetchrepoproject { }; @@ -1613,6 +1614,7 @@ with pkgs; zlibSupport = true; sslSupport = zlibSupport; scpSupport = zlibSupport && !stdenv.isSunOS && !stdenv.isCygwin; + gssSupport = true; }; curl_unix_socket = callPackage ../tools/networking/curl-unix-socket rec { }; From bba5d625fbd08a8016a648c66655e3b2ef4dfee4 Mon Sep 17 00:00:00 2001 From: Dan Peebles Date: Mon, 18 Dec 2017 11:49:18 -0500 Subject: [PATCH 03/10] gnutar: 1.29 -> 1.30 --- .../archivers/gnutar/CVE-2016-6321.patch | 35 ------------------- pkgs/tools/archivers/gnutar/default.nix | 6 ++-- 2 files changed, 2 insertions(+), 39 deletions(-) delete mode 100644 pkgs/tools/archivers/gnutar/CVE-2016-6321.patch diff --git a/pkgs/tools/archivers/gnutar/CVE-2016-6321.patch b/pkgs/tools/archivers/gnutar/CVE-2016-6321.patch deleted file mode 100644 index c53d92891fc..00000000000 --- a/pkgs/tools/archivers/gnutar/CVE-2016-6321.patch +++ /dev/null 
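Review bot: The `curl = curl.override { gssSupport = false; };` placed inside `fetchurl` carries no comment saying why the default curl cannot be used there, and the reason is not visible in the hunk; it looks like a dependency-cycle cut (a GSS-enabled curl pulls in kerberos, whose own source is fetched with fetchurl), but that is inferred. A line such as `# gssSupport pulls in kerberos, which is itself built with fetchurl: avoid the cycle` above the override would make the constraint survive the next refactor. The second hunk sets `gssSupport = true;` unconditionally for every platform, which adds kerberos to the default curl's runtime closure; worth confirming on the commit that this is intended for all builds rather than only where Kerberos auth is expected.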
@@ -1,35 +0,0 @@ -commit 7340f67b9860ea0531c1450e5aa261c50f67165d -Author: Paul Eggert -Date: Sat Oct 29 21:04:40 2016 -0700 - - When extracting, skip ".." members - - * NEWS: Document this. - * src/extract.c (extract_archive): Skip members whose names - contain "..". - -diff --git a/src/extract.c b/src/extract.c -index f982433..7904148 100644 ---- a/src/extract.c -+++ b/src/extract.c -@@ -1629,12 +1629,20 @@ extract_archive (void) - { - char typeflag; - tar_extractor_t fun; -+ bool skip_dotdot_name; - - fatal_exit_hook = extract_finish; - - set_next_block_after (current_header); - -+ skip_dotdot_name = (!absolute_names_option -+ && contains_dot_dot (current_stat_info.orig_file_name)); -+ if (skip_dotdot_name) -+ ERROR ((0, 0, _("%s: Member name contains '..'"), -+ quotearg_colon (current_stat_info.orig_file_name))); -+ - if (!current_stat_info.file_name[0] -+ || skip_dotdot_name - || (interactive_option - && !confirm ("extract", current_stat_info.file_name))) - { diff --git a/pkgs/tools/archivers/gnutar/default.nix b/pkgs/tools/archivers/gnutar/default.nix index 447ef1f623f..4677ee45afb 100644 --- a/pkgs/tools/archivers/gnutar/default.nix +++ b/pkgs/tools/archivers/gnutar/default.nix @@ -2,15 +2,13 @@ stdenv.mkDerivation rec { name = "gnutar-${version}"; - version = "1.29"; + version = "1.30"; src = fetchurl { url = "mirror://gnu/tar/tar-${version}.tar.xz"; - sha256 = "097hx7sbzp8qirl4m930lw84kn0wmxhmq7v1qpra3mrg0b8cyba0"; + sha256 = "1lyjyk8z8hdddsxw0ikchrsfg3i0x3fsh7l63a8jgaz1n7dr5gzi"; }; - patches = [ ./CVE-2016-6321.patch ]; - # avoid retaining reference to CF during stdenv bootstrap configureFlags = stdenv.lib.optionals stdenv.isDarwin [ "gt_cv_func_CFPreferencesCopyAppValue=no" From 3c51628a4c94cefa766bc9eba7e8740d2d7ef6e2 Mon Sep 17 00:00:00 2001 
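Review bot: Dropping `patches = [ ./CVE-2016-6321.patch ];` together with the 1.29 -> 1.30 bump is not explained by the commit message, which only records the version change, so a reader of this hunk cannot tell whether 1.30 carries the '..' member-name skip upstream or whether the fix is being lost. Add a sentence to the message such as `1.30 ships the CVE-2016-6321 fix (extract.c skips members whose names contain '..'), so the local patch is dropped`, after checking it against the 1.30 release notes. The deleted patch file itself is history and needs no review.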
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Sun, 17 Dec 2017 11:21:12 +0100 Subject: [PATCH 04/10] fetchurl: switch to the usual curl I verified that krb5 doesn't need yacc in lib-only build, simplifying the circular-reference cut. --- pkgs/development/libraries/kerberos/krb5.nix | 5 +++-- pkgs/top-level/all-packages.nix | 8 +++++--- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/pkgs/development/libraries/kerberos/krb5.nix b/pkgs/development/libraries/kerberos/krb5.nix index 1e64a4d6600..64fa3d3d7d6 100644 --- a/pkgs/development/libraries/kerberos/krb5.nix +++ b/pkgs/development/libraries/kerberos/krb5.nix @@ -22,9 +22,10 @@ stdenv.mkDerivation rec { configureFlags = [ "--with-tcl=no" "--localstatedir=/var/lib"] ++ optional stdenv.isFreeBSD ''WARN_CFLAGS=""''; - nativeBuildInputs = [ pkgconfig perl yacc ] + nativeBuildInputs = [ pkgconfig perl ] + ++ optional (!libOnly) yacc # Provides the mig command used by the build scripts - ++ optional stdenv.isDarwin bootstrap_cmds; + ++ optional (stdenv.isDarwin && !libOnly) bootstrap_cmds; buildInputs = [ openssl ] ++ optionals (!libOnly) [ openldap libedit ]; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index d6631d36074..f0b6947816f 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -179,8 +179,7 @@ with pkgs; # `fetchurl' downloads a file from the network. fetchurl = import ../build-support/fetchurl { - inherit stdenv; - curl = curl.override { gssSupport = false; }; + inherit stdenv curl; }; fetchRepoProject = callPackage ../build-support/fetchrepoproject { }; 
@@ -8760,7 +8759,10 @@ with pkgs; krb5Full = callPackage ../development/libraries/kerberos/krb5.nix { inherit (darwin) bootstrap_cmds; }; - libkrb5 = krb5Full.override { type = "lib"; }; + libkrb5 = krb5Full.override { + fetchurl = fetchurlBoot; + type = "lib"; + }; languageMachines = recurseIntoAttrs (import ../development/libraries/languagemachines/packages.nix { inherit callPackage; }); From 13e6a5c56103cad7aa5ecdd8888aa9172d20a6ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Sun, 17 Dec 2017 14:51:32 +0100 Subject: [PATCH 05/10] kerberos: split headers into $dev --- pkgs/development/libraries/kerberos/krb5.nix | 30 +++++++++++++------- pkgs/development/libraries/serf/default.nix | 2 +- pkgs/os-specific/linux/nfs-utils/default.nix | 9 +++++- pkgs/servers/openafs-client/default.nix | 2 +- pkgs/tools/networking/curl/default.nix | 2 +- 5 files changed, 30 insertions(+), 15 deletions(-) diff --git a/pkgs/development/libraries/kerberos/krb5.nix b/pkgs/development/libraries/kerberos/krb5.nix index 64fa3d3d7d6..1c589be521e 100644 --- a/pkgs/development/libraries/kerberos/krb5.nix +++ b/pkgs/development/libraries/kerberos/krb5.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { sha256 = "0zn8s7anb10hw3nzwjz7vg10fgmmgvwnibn2zrn3nppjxn9f6f8n"; }; + outputs = [ "out" "dev" ]; + configureFlags = [ "--with-tcl=no" "--localstatedir=/var/lib"] ++ optional stdenv.isFreeBSD ''WARN_CFLAGS=""''; 
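Review bot: `fetchurl = fetchurlBoot;` in the `libkrb5` override is undocumented at the use site, and the commit message only alludes to a "circular-reference cut"; a maintainer reading all-packages.nix later has no way to tell that the line exists because fetchurl -> curl -> libkrb5 would otherwise form a cycle. Add `# fetched with the bootstrap curl: fetchurl itself depends on curl, which now links libkrb5` above it. Swapping the fetcher does not weaken integrity, since the source is still checked against the fixed sha256 in krb5.nix (not visible in this hunk), but that is worth stating so nobody reads fetchurlBoot as a trust downgrade.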
@@ -32,20 +34,26 @@ stdenv.mkDerivation rec { preConfigure = "cd ./src"; buildPhase = optionalString libOnly '' - (cd util; make -j $NIX_BUILD_CORES) - (cd include; make -j $NIX_BUILD_CORES) - (cd lib; make -j $NIX_BUILD_CORES) - (cd build-tools; make -j $NIX_BUILD_CORES) + MAKE="make -j $NIX_BUILD_CORES -l $NIX_BUILD_CORES" + (cd util; $MAKE) + (cd include; $MAKE) + (cd lib; $MAKE) + (cd build-tools; $MAKE) ''; installPhase = optionalString libOnly '' - mkdir -p $out/{bin,include/{gssapi,gssrpc,kadm5,krb5},lib/pkgconfig,sbin,share/{et,man/man1}} - (cd util; make -j $NIX_BUILD_CORES install) - (cd include; make -j $NIX_BUILD_CORES install) - (cd lib; make -j $NIX_BUILD_CORES install) - (cd build-tools; make -j $NIX_BUILD_CORES install) - rm -rf $out/{sbin,share} - find $out/bin -type f | grep -v 'krb5-config' | xargs rm + mkdir -p "$out"/{bin,sbin,lib/pkgconfig,share/{et,man/man1}} \ + "$dev"/include/{gssapi,gssrpc,kadm5,krb5} + (cd util; $MAKE install) + (cd include; $MAKE install) + (cd lib; $MAKE install) + (cd build-tools; $MAKE install) + ${postInstall} + ''; + + # not via outputBin, due to reference from libkrb5.so + postInstall = '' + moveToOutput bin "$dev" ''; enableParallelBuilding = true; diff --git a/pkgs/development/libraries/serf/default.nix b/pkgs/development/libraries/serf/default.nix index 001199cd821..81dff49571d 100644 --- a/pkgs/development/libraries/serf/default.nix +++ b/pkgs/development/libraries/serf/default.nix @@ -28,7 +28,7 @@ stdenv.mkDerivation rec { APU="$(echo "${aprutil.dev}"/bin/*-config)" CC="${ if stdenv.cc.isClang then "clang" else "${stdenv.cc}/bin/gcc" }" ${ - if (stdenv.isDarwin || stdenv.isCygwin) then "" else "GSSAPI=\"${kerberos}\"" + if (stdenv.isDarwin || stdenv.isCygwin) then "" else "GSSAPI=\"${kerberos.dev}\"" } ''; diff --git a/pkgs/os-specific/linux/nfs-utils/default.nix b/pkgs/os-specific/linux/nfs-utils/default.nix index 294dde2a0a6..515a7d1d8f4 100644 --- a/pkgs/os-specific/linux/nfs-utils/default.nix 
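Review bot: `installPhase` expands `$MAKE`, but the variable is assigned only at the top of `buildPhase`; the two phases share the builder shell so a normal build works, yet running installPhase on its own (nix-shell, or a stdenv that skips the build phase) turns `(cd util; $MAKE install)` into a bare `install` invocation that fails with an unrelated error. Repeat the assignment at the top of installPhase, or hoist `MAKE="make -j $NIX_BUILD_CORES -l $NIX_BUILD_CORES"` into `preConfigure`, which both phases follow. The inlined `${postInstall}` at the end of installPhase looks like a workaround for a custom installPhase not running the postInstall hook; `runHook postInstall` is the idiomatic form and also picks up hooks added by overrides, so replace that line with `runHook postInstall`. Both phases are only set when `libOnly`; the full build keeps the default phases and is unaffected.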
+++ b/pkgs/os-specific/linux/nfs-utils/default.nix @@ -1,10 +1,17 @@ { stdenv, fetchurl, lib, pkgconfig, utillinux, libcap, libtirpc, libevent, libnfsidmap , sqlite, kerberos, kmod, libuuid, keyutils, lvm2, systemd, coreutils, tcp_wrappers +, buildEnv }: let statdPath = lib.makeBinPath [ systemd utillinux coreutils ]; + # Not nice; feel free to find a nicer solution. + kerberosEnv = buildEnv { + name = "kerberos-env-${kerberos.version}"; + paths = with lib; [ (getDev kerberos) (getLib kerberos) ]; + }; + in stdenv.mkDerivation rec { name = "nfs-utils-${version}"; version = "2.1.1"; @@ -26,7 +33,7 @@ in stdenv.mkDerivation rec { configureFlags = [ "--enable-gss" "--with-statedir=/var/lib/nfs" - "--with-krb5=${kerberos}" + "--with-krb5=${kerberosEnv}" "--with-systemd=$(out)/etc/systemd/system" "--enable-libmount-mount" ] diff --git a/pkgs/servers/openafs-client/default.nix b/pkgs/servers/openafs-client/default.nix index 263df09ebb5..6eae365af01 100644 --- a/pkgs/servers/openafs-client/default.nix +++ b/pkgs/servers/openafs-client/default.nix @@ -30,7 +30,7 @@ stdenv.mkDerivation rec { ./regen.sh ${stdenv.lib.optionalString (kerberos != null) - "export KRB5_CONFIG=${kerberos}/bin/krb5-config"} + "export KRB5_CONFIG=${kerberos.dev}/bin/krb5-config"} configureFlagsArray=( "--with-linux-kernel-build=$TMP/linux" diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix index 814bc1c5ff3..52e902ec3a5 100644 --- a/pkgs/tools/networking/curl/default.nix +++ b/pkgs/tools/networking/curl/default.nix @@ -67,7 +67,7 @@ stdenv.mkDerivation rec { ( if idnSupport then "--with-libidn=${libidn.dev}" else "--without-libidn" ) ] ++ stdenv.lib.optional c-aresSupport "--enable-ares=${c-ares}" - ++ stdenv.lib.optional gssSupport "--with-gssapi=${kerberos}"; + ++ stdenv.lib.optional gssSupport "--with-gssapi=${kerberos.dev}"; CXX = "c++"; CXXCPP = "c++ -E"; From fb349c84e2ccdbf45ef3430392927586b76f4ed9 Mon Sep 17 00:00:00 2001 
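Review bot: `kerberosEnv` is a buildEnv symlink farm used only as the `--with-krb5=` prefix, so if configure bakes its `lib/` into an rpath the installed binaries will reference the env store path (and reach kerberos through its symlinks) instead of kerberos directly; the "Not nice" comment should say what forced this, which from the hunk is presumably that nfs-utils' configure expects headers and libraries under one prefix now that the dev output is split. A comment such as `# configure wants include/ and lib/ under a single --with-krb5 prefix; merge the split outputs` would make that explicit. The surrounding `let` block and the rest of the derivation continue outside the hunk.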
From: Orivej Desh Date: Wed, 20 Dec 2017 06:06:35 +0000 Subject: [PATCH 06/10] qt5.qttools: install macdeployqt on darwin --- pkgs/development/libraries/qt-5/modules/qttools.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/development/libraries/qt-5/modules/qttools.nix b/pkgs/development/libraries/qt-5/modules/qttools.nix index ae6bd18cb14..622d841b405 100644 --- a/pkgs/development/libraries/qt-5/modules/qttools.nix +++ b/pkgs/development/libraries/qt-5/modules/qttools.nix @@ -1,4 +1,4 @@ -{ qtModule, lib, qtbase }: +{ qtModule, stdenv, lib, qtbase }: with lib; @@ -28,6 +28,8 @@ qtModule { "bin/qhelpgenerator" "bin/qtplugininfo" "bin/qthelpconverter" + ] ++ optionals stdenv.isDarwin [ + "bin/macdeployqt" ]; setupHook = ../hooks/qttools-setup-hook.sh; From c9044dee321d4d81d2e59a107c5324a72de1e00d Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Wed, 20 Dec 2017 09:57:16 +0100 Subject: [PATCH 07/10] python36: 3.6.3 -> 3.6.4 --- pkgs/development/interpreters/python/cpython/3.6/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/interpreters/python/cpython/3.6/default.nix b/pkgs/development/interpreters/python/cpython/3.6/default.nix index b44e167b9f0..d5ac94c76e6 100644 --- a/pkgs/development/interpreters/python/cpython/3.6/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.6/default.nix @@ -27,7 +27,7 @@ with stdenv.lib; let majorVersion = "3.6"; - minorVersion = "3"; + minorVersion = "4"; minorVersionSuffix = ""; pythonVersion = majorVersion; version = "${majorVersion}.${minorVersion}${minorVersionSuffix}"; @@ -48,7 +48,7 @@ in stdenv.mkDerivation { src = fetchurl { url = "https://www.python.org/ftp/python/${majorVersion}.${minorVersion}/Python-${version}.tar.xz"; - sha256 = "1nl1raaagr4car787a2hmjv2dw6gqny53xfd6wisbgx4r5kxk9yd"; + sha256 = "1fna7g8jxzl4kd2pqmmqhva5724c5m920x3fsrpsgskaylmr76qm"; }; NIX_LDFLAGS = optionalString stdenv.isLinux "-lgcc_s"; 
From c303047032c44927402cb85a4f2a8094230594ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Thu, 21 Dec 2017 09:33:06 +0100 Subject: [PATCH 08/10] fetchurl on Darwin: gssSupport = false (see 9b54a00160) I can't see a better way around the problem for now. --- pkgs/development/libraries/kerberos/krb5.nix | 2 +- pkgs/top-level/all-packages.nix | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/kerberos/krb5.nix b/pkgs/development/libraries/kerberos/krb5.nix index 1c589be521e..101c3aca07d 100644 --- a/pkgs/development/libraries/kerberos/krb5.nix +++ b/pkgs/development/libraries/kerberos/krb5.nix @@ -27,7 +27,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ pkgconfig perl ] ++ optional (!libOnly) yacc # Provides the mig command used by the build scripts - ++ optional (stdenv.isDarwin && !libOnly) bootstrap_cmds; + ++ optional stdenv.isDarwin bootstrap_cmds; buildInputs = [ openssl ] ++ optionals (!libOnly) [ openldap libedit ]; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index bd592ec0e00..18928b26b2f 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -184,7 +184,10 @@ with pkgs; # `fetchurl' downloads a file from the network. fetchurl = import ../build-support/fetchurl { - inherit stdenv curl; + inherit stdenv; + # On darwin, libkrb5 needs bootstrap_cmds which would require + # converting many packages to fetchurl_boot to avoid evaluation cycles. + curl = curl.override (lib.optionalAttrs stdenv.isDarwin { gssSupport = false; }); }; fetchRepoProject = callPackage ../build-support/fetchrepoproject { }; From d54ff360f511b03f4da6da4976d0df43a4796968 Mon Sep 17 00:00:00 2001 
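Review bot: The krb5.nix hunk restores `++ optional stdenv.isDarwin bootstrap_cmds;`, which PATCH 04/10 in this same series had narrowed to `(stdenv.isDarwin && !libOnly)`, so the two commits cancel out on that line and leave a misleading blame trail; squashing this part into 04 would keep the history meaningful. The all-packages.nix hunk's comment explains the Darwin evaluation cycle well, but it should also state the consequence: fetchurl's curl now differs by platform (GSS-API on Linux, none on Darwin), so any fetcher that relied on Kerberos authentication would silently lack it on Darwin. One extra sentence on that comment, e.g. `# Consequence: fetchurl on Darwin cannot use GSS-API auth`, covers it.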
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Sun, 24 Dec 2017 11:08:30 +0100 Subject: [PATCH 09/10] python*Packages.gssapi: fixup after splitting libkrb /cc #29785. --- pkgs/development/python-modules/gssapi/default.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/pkgs/development/python-modules/gssapi/default.nix b/pkgs/development/python-modules/gssapi/default.nix index 7b90f10338c..3b13f8a2049 100644 --- a/pkgs/development/python-modules/gssapi/default.nix +++ b/pkgs/development/python-modules/gssapi/default.nix @@ -11,7 +11,13 @@ buildPythonPackage rec { sha256 = "1q6ccpz6anl9vggwxdq32wp6xjh2lyfbf7av6jqnmvmyqdfwh3b9"; }; - LD_LIBRARY_PATH="${pkgs.krb5Full}/lib"; + # It's used to locate headers + postPatch = '' + substituteInPlace setup.py \ + --replace "get_output('krb5-config gssapi --prefix')" "'${lib.getDev krb5Full}'" + ''; + + LD_LIBRARY_PATH = "${pkgs.krb5Full}/lib"; buildInputs = [ krb5Full which nose shouldbe ] ++ ( if stdenv.isDarwin then [ darwin.apple_sdk.frameworks.GSS ] else [ gss ] ); From ced4e5a6831e57b48f06abc6b4a0251d0ee8764f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Sun, 24 Dec 2017 11:09:24 +0100 Subject: [PATCH 10/10] darwin stdenv boostrap tools: use curl without kerberos /cc #29785. Otherwise we would have to put the lib in, etc. --- pkgs/stdenv/darwin/make-bootstrap-tools.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pkgs/stdenv/darwin/make-bootstrap-tools.nix b/pkgs/stdenv/darwin/make-bootstrap-tools.nix index 5d5a3a81d44..6fb37f24914 100644 --- a/pkgs/stdenv/darwin/make-bootstrap-tools.nix +++ b/pkgs/stdenv/darwin/make-bootstrap-tools.nix @@ -15,6 +15,9 @@ in rec { # Avoid debugging larger changes for now. bzip2_ = bzip2.override (args: { linkStatic = true; }); + # Avoid messing with libkrb5. + curl_ = curl.override (args: { gssSupport = false; }); + build = stdenv.mkDerivation { name = "stdenv-bootstrap-tools"; 
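Review bot: `substituteInPlace setup.py --replace "get_output('krb5-config gssapi --prefix')" ...` in the new `postPatch` succeeds silently when the pattern is absent, so after a gssapi version bump that edits setup.py the build would fall back to calling `krb5-config` and, with headers now living under the dev output, fail later with a misleading compile error. Make a no-op substitution loud, e.g. `grep -q "krb5-config gssapi --prefix" setup.py` on the line before the substituteInPlace call. The hunk also relies on `lib.getDev` while the existing line only demonstrates `pkgs` being in scope; the function's argument set lies outside the hunk, so confirm `lib` is among the inputs.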
@@ -60,8 +63,8 @@ in rec { # This used to be in-nixpkgs, but now is in the bundle # because I can't be bothered to make it partially static - cp ${curl.bin}/bin/curl $out/bin - cp -d ${curl.out}/lib/libcurl*.dylib $out/lib + cp ${curl_.bin}/bin/curl $out/bin + cp -d ${curl_.out}/lib/libcurl*.dylib $out/lib cp -d ${libssh2.out}/lib/libssh*.dylib $out/lib cp -d ${openssl.out}/lib/*.dylib $out/lib