Merge branch 'master.upstream' into staging.upstream

nixos/modules/services/hardware/tcsd.nix

@@ -17,8 +17,8 @@ let
     # what is available directly from the PCR registers.
     firmware_log_file = /sys/kernel/security/tpm0/binary_bios_measurements
     kernel_log_file = /sys/kernel/security/ima/binary_runtime_measurements
-    #firmware_pcrs = 0,1,2,3,4,5,6,7
+    firmware_pcrs = ${cfg.firmwarePCRs}
-    #kernel_pcrs = 10,11
+    kernel_pcrs = ${cfg.kernelPCRs}
     platform_cred = ${cfg.platformCred}
     conformance_cred = ${cfg.conformanceCred}
     endorsement_cred = ${cfg.endorsementCred}
@@ -60,20 +60,32 @@ in
       };
 
       stateDir = mkOption {
-	default = "/var/lib/tpm";
+        default = "/var/lib/tpm";
         type = types.path;
-	description = ''
+        description = ''
           The location of the system persistent storage file.
           The system persistent storage file holds keys and data across
           restarts of the TCSD and system reboots. 
-	'';
+        '';
+      };
+
+      firmwarePCRs = mkOption {
+        default = "0,1,2,3,4,5,6,7";
+        type = types.string;
+        description = "PCR indices used in the TPM for firmware measurements.";
+      };
+
+      kernelPCRs = mkOption {
+        default = "10,11";
+        type = types.string;
+        description = "PCR indices used in the TPM for kernel measurements.";
       };
 
       platformCred = mkOption {
         default = "${cfg.stateDir}/platform.cert";
         type = types.path;
         description = ''
-	  Path to the platform credential for your TPM. Your TPM
+          Path to the platform credential for your TPM. Your TPM
           manufacturer may have provided you with a set of credentials
           (certificates) that should be used when creating identities
           using your TPM. When a user of your TPM makes an identity,

nixos/modules/virtualisation/xen-dom0.nix

@@ -121,6 +121,10 @@ in
         "xenfs"
       ];
 
+    # The xenfs module is needed in system.activationScripts.xen, but
+    # the modprobe command there fails silently. Include xenfs in the
+    # initrd as a work around.
+    boot.initrd.kernelModules = [ "xenfs" ];
 
     # The radeonfb kernel module causes the screen to go black as soon
     # as it's loaded, so don't load it.
@@ -182,6 +186,9 @@ in
         { source = "${pkgs.xen}/etc/xen/scripts";
           target = "xen/scripts";
         }
+        { source = "${pkgs.xen}/etc/default/xendomains";
+          target = "default/xendomains";
+        }
       ];
 
     # Xen provides udev rules.
@@ -199,7 +206,8 @@ in
         rm -f "$XENSTORED_ROOTDIR"/tdb* &>/dev/null
 
         mkdir -p /var/run
-        ${optionalString cfg.trace "mkdir -p /var/log/xen"}
+        mkdir -p /var/log/xen # Running xl requires /var/log/xen and /var/lib/xen,
+        mkdir -p /var/lib/xen # so we create them here unconditionally.
         grep -q control_d /proc/xen/capabilities
         '';
       serviceConfig.ExecStart = ''

pkgs/applications/networking/mumble/default.nix

@@ -1,5 +1,5 @@
 { stdenv, fetchurl, pkgconfig
-, avahi, boost, libopus, libsndfile, protobuf, qt4, speex
+, avahi, boost, libopus, celt, libsndfile, protobuf, qt4, speex
 , jackSupport ? false, libjack2 ? null
 , speechdSupport ? false, speechd ? null
 , pulseSupport ? false, libpulseaudio ? null
@@ -31,7 +31,7 @@ stdenv.mkDerivation rec {
     "CONFIG+=no-update"
     "CONFIG+=no-server"
     "CONFIG+=no-embed-qt-translations"
-    "CONFIG+=bundled-celt"
+    "CONFIG+=no-bundled-celt"
     "CONFIG+=no-bundled-opus"
     "CONFIG+=no-bundled-speex"
   ] ++ optional (!speechdSupport) "CONFIG+=no-speechd"
@@ -43,7 +43,9 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ pkgconfig ];
 
-  buildInputs = [ avahi boost libopus libsndfile protobuf qt4 speex ]
+  NIX_CFLAGS_COMPILE = [ "-I${celt}/include/celt" ];
+
+  buildInputs = [ avahi boost libopus celt libsndfile protobuf qt4 speex ]
     ++ optional jackSupport libjack2
     ++ optional speechdSupport speechd
     ++ optional pulseSupport libpulseaudio;

pkgs/applications/version-management/mercurial/default.nix

@@ -3,7 +3,7 @@
 , ApplicationServices }:
 
 let
-  version = "3.3.3";
+  version = "3.4.2";
   name = "mercurial-${version}";
 in
 
@@ -12,7 +12,7 @@ stdenv.mkDerivation {
 
   src = fetchurl {
     url = "http://mercurial.selenic.com/release/${name}.tar.gz";
-    sha256 = "04xfzwb7jabzsfv2r18c3w6vwag7cjrl79xzg5i3mbyb1mzkcid4";
+    sha256 = "1kcfznv990mj30y4yk59hz4wkd3050h0hg7iib69w53nhi50xjfw";
   };
 
   inherit python; # pass it so that the same version can be used in hg2git

pkgs/applications/video/makemkv/default.nix

@@ -4,17 +4,17 @@
 
 stdenv.mkDerivation rec {
   name = "makemkv-${ver}";
-  ver = "1.9.4";
+  ver = "1.9.5";
   builder = ./builder.sh;
 
   src_bin = fetchurl {
     url = "http://www.makemkv.com/download/makemkv-bin-${ver}.tar.gz";
-    sha256 = "0xr5bfbpzd1s9fyxbwj0crpgi57hm4wrm1dybx13lv4n6xdj2ww0";
+    sha256 = "1qzkdrij89s748rvmibx083g1irfm8dqx257skr45i2gsg2qqijp";
   };
 
   src_oss = fetchurl {
     url = "http://www.makemkv.com/download/makemkv-oss-${ver}.tar.gz";
-    sha256 = "0gpmyp2g44piaj47a52ik5i3sk5flbs8kqlqmjxnqkv16s01vfra";
+    sha256 = "1immnlx1rld8iw89fxgq2sk2l050sa8h046ka8mdwg8682d75lfg";
   };
 
   buildInputs = [openssl qt4 mesa zlib pkgconfig libav];

pkgs/applications/virtualization/xen/generic.nix

@@ -147,6 +147,9 @@ stdenv.mkDerivation {
         --replace /etc/xen/scripts/hotplugpath.sh $out/etc/xen/scripts/hotplugpath.sh \
         --replace /bin/ls ls
 
+      substituteInPlace tools/hotplug/Linux/xendomains \
+        --replace /bin/ls ls
+
       # Xen's tools and firmares need various git repositories that it
       # usually checks out at time using git.  We can't have that.
       ${flip concatMapStrings xenConfig.toolsGits (x: let src = fetchgit x.git; in ''

pkgs/development/libraries/libs3/default.nix

@@ -1,13 +1,13 @@
 { stdenv, fetchFromGitHub, curl, libxml2 }:
 
 stdenv.mkDerivation {
-  name = "libs3-2015-01-09";
+  name = "libs3-2015-04-23";
 
   src = fetchFromGitHub {
     owner = "bji";
     repo = "libs3";
-    rev = "4d21fdc0857b88c964649b321057d7105d1e4da3";
+    rev = "11a4e976c28ba525e7d61fbc3867c345a2af1519";
-    sha256 = "1c33h8lzlpmsbkymd2dac9g8hqhd6j6yzdjrhha8bcqyys6vcpy3";
+    sha256 = "0xjjwyw14sk9am6s2m25hxi55vmsrc2yiawd6ln2lvg59xjcr48i";
   };
 
   buildInputs = [ curl libxml2 ];
@@ -17,7 +17,7 @@ stdenv.mkDerivation {
   meta = with stdenv.lib; {
     homepage = https://github.com/bji/libs3;
     description = "A library for interfacing with amazon s3";
-    license = licenses.gpl3;
+    license = licenses.lgpl3;
     platforms = platforms.unix;
   };
 }

pkgs/development/libraries/nghttp2/default.nix

@@ -34,12 +34,12 @@ let
 in
 stdenv.mkDerivation rec {
   name = "${prefix}nghttp2-${version}";
-  version = "1.1.1";
+  version = "1.1.2";
 
   # Don't use fetchFromGitHub since this needs a bootstrap curl
   src = fetchurl {
     url = "http://pub.wak.io/nixos/tarballs/nghttp2-${version}.tar.bz2";
-    sha256 = "9659e8598c8481f1bf8e63ba4f828f5283053df62a51fa8324cb55ea7a51b80c";
+    sha256 = "5b218a0d27eeaa6898eb0757b6bbcc643ada2148696d864f185b3123c392904b";
   };
 
   # Configure script searches for a symbol which does not exist in jemalloc on Darwin

pkgs/games/minecraft-server/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   name    = "minecraft-server-${version}";
-  version = "1.8.1";
+  version = "1.8.8";
 
   src  = fetchurl {
     url    = "http://s3.amazonaws.com/Minecraft.Download/versions/${version}/minecraft_server.${version}.jar";
-    sha256 = "0icqkcj28l69p618vh0aah9cnvpwgvwsqlw1n5cph23q38d5lpzg";
+    sha256 = "07pkdb8cnfnn8zywnhplpcdh9lrxdx8nmsgjarplf2akvhhggbir";
   };
 
   installPhase = ''

pkgs/tools/filesystems/ceph/0.80.nix

@@ -6,8 +6,7 @@ callPackage ./generic.nix (args // rec {
   src = fetchgit {
     url = "git://github.com/ceph/ceph.git";
     rev = "refs/tags/v${version}";
-    leaveDotGit = true;
+    sha256 = "1arajccczjdqp7igs17569xlq5cj4azcm5wwixg6ryypjr2grcbl";
-    sha256 = "0s81j6yj8y27hlx1hid9maz0l7bhjjskjxzxlhsikzmdc1j27m4r";
   };
 
   patches = [

pkgs/tools/filesystems/ceph/0.94.nix

@@ -6,8 +6,7 @@ callPackage ./generic.nix (args // rec {
   src = fetchgit {
     url = "https://github.com/ceph/ceph.git";
     rev = "refs/tags/v${version}";
-    leaveDotGit = true;
+    sha256 = "1nhqzmxv7bz93b8rbd88wgmw9icm2lhmc94dfscgh23kfpipyd6l";
-    sha256 = "094f9knxgx8vb9fb1yzld9ib4m0wpqwqgqjl3xqf0dzm48nxqd73";
   };
 
   patches = [

pkgs/tools/filesystems/ceph/dev.nix

@@ -6,8 +6,7 @@ callPackage ./generic.nix (args // rec {
   src = fetchgit {
     url = "https://github.com/ceph/ceph.git";
     rev = "refs/tags/v${version}";
-    leaveDotGit = true;
+    sha256 = "0kydjyvb1566mh33p6dlljfx1r4cfdj8ic4i19h5r9vavkc46nf0";
-    sha256 = "13iyv53kq2ka5py759cdiw0wmzpsycskvhmyr74qkpxmw9g6177y";
   };
 
   patches = [ ./fix-pythonpath.patch ];

pkgs/tools/filesystems/ceph/generic.nix

@@ -56,7 +56,7 @@ let
   optLibatomic_ops = shouldUsePkg libatomic_ops;
   optKinetic-cpp-client = shouldUsePkg kinetic-cpp-client;
   optRocksdb = shouldUsePkg rocksdb;
-  optLibs3 = shouldUsePkg libs3;
+  optLibs3 = if versionAtLeast version "10.0.0" then null else shouldUsePkg libs3;
 
   optJemalloc = shouldUsePkg jemalloc;
   optGperftools = shouldUsePkg gperftools;
@@ -195,8 +195,6 @@ stdenv.mkDerivation {
     (mkWith   hasKinetic                   "kinetic"             null)
     (mkWith   hasRocksdb                   "librocksdb"          null)
     (mkWith   false                        "librocksdb-static"   null)
-    (mkWith   (optLibs3 != null)           "system-libs3"        null)
-    (mkWith   true                         "rest-bench"          null)
   ] ++ optional stdenv.isLinux [
     (mkWith   (optLibaio != null)          "libaio"              null)
     (mkWith   (optLibxfs != null)          "libxfs"              null)
@@ -207,6 +205,9 @@ stdenv.mkDerivation {
   ] ++ optional (versionAtLeast version "9.0.2") [
     (mkWith   true                         "man-pages"           null)
     (mkWith   true                         "systemd-libexec-dir" "\${TMPDIR}")
+  ] ++ optional (versionOlder version "10.0.0") [
+    (mkWith   (optLibs3 != null)           "system-libs3"        null)
+    (mkWith   true                         "rest-bench"          null)
   ];
 
   preBuild = optionalString (versionAtLeast version "9.0.0") ''
@@ -234,15 +235,24 @@ stdenv.mkDerivation {
     for PY in $(find $lib/lib -name \*.py); do
       LIBS="$(sed -n "s/.*find_library('\([^)]*\)').*/\1/p" "$PY")"
 
+      # Delete any calls to find_library
+      sed -i '/find_library/d' "$PY"
+
       # Fix each find_library call
       for LIB in $LIBS; do
         REALLIB="$lib/lib/lib$LIB.so"
-        sed -i "s,find_library('$LIB'),'$REALLIB',g" "$PY"
+        sed -i "s,\(lib$LIB = CDLL(\).*,\1'$REALLIB'),g" "$PY"
       done
 
       # Reapply compilation optimizations
       NAME=$(basename -s .py "$PY")
-      (cd "$(dirname $PY)"; python -c "import $NAME"; python -O -c "import $NAME")
+      rm -f "$PY"{c,o}
+      pushd "$(dirname $PY)"
+      python -c "import $NAME"
+      python -O -c "import $NAME"
+      popd
+      test -f "$PY"c
+      test -f "$PY"o
     done
   '';
 

pkgs/tools/filesystems/ceph/git.nix

@@ -1,13 +1,12 @@
 { callPackage, fetchgit, ... } @ args:
 
 callPackage ./generic.nix (args // rec {
-  version = "2015-07-29";
+  version = "2015-07-31";
 
   src = fetchgit {
     url = "git://github.com/ceph/ceph.git";
-    rev = "338ead0f498238fd1b5b7f18d86ad407de6f347b";
+    rev = "ef86e29259d0e863e62115926bf67287dc9a7e41";
-    leaveDotGit = true;
+    sha256 = "14h387ngx3fmdm0b0sgl0l743j3d22gnp3lv68ah59yc4crfgdcx";
-    sha256 = "0ip62l4qkcmszbczwdnqhn93glnpgy0fhymf627x0vf49dgv3a6i";
   };
 
   patches = [ ./fix-pythonpath.patch ];

pkgs/tools/misc/cv/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   name = "cv-${version}";
-  version = "0.7.1";
+  version = "0.8";
 
   src = fetchFromGitHub {
     owner = "Xfennec";
     repo = "cv";
     rev = "v${version}";
-    sha256 = "1dcq45mz443mzzf344ap5dgsazhcrn3aislxs57jqbg4p5bbmh1b";
+    sha256 = "17vfcv0n1ib4rh1hdl126aid7cnnk94avzlk9yp7y855iml8xzs4";
   };
 
   buildInputs = [ ncurses ];

pkgs/tools/security/monkeysphere/default.nix

@@ -0,0 +1,44 @@
+{ stdenv, fetchurl, perl, makeWrapper, perlPackages }:
+
+stdenv.mkDerivation rec {
+  name = "monkeysphere-${version}";
+  version = "0.37";
+
+  src = fetchurl {
+    url = "http://archive.monkeysphere.info/debian/pool/monkeysphere/m/monkeysphere/monkeysphere_0.37.orig.tar.gz";
+    sha256 = "0nbfd220miflah5l2y20qlmgfpbqi0j8h7qgx1b06h7v2jjbh45m";
+  };
+
+  buildInputs = [ makeWrapper perl ];
+
+  patches = [ ./monkeysphere.patch ];
+
+  makeFlags = ''
+    PREFIX=/
+    DESTDIR=$(out)
+  '';
+
+  postInstall = ''
+    wrapProgram $out/bin/openpgp2ssh --prefix PERL5LIB : \
+      "${with perlPackages; stdenv.lib.makePerlPath [
+        CryptOpenSSLRSA
+        CryptOpenSSLBignum
+      ]}"
+  '';
+
+  meta = with stdenv.lib; {
+    homepage = http://web.monkeysphere.info/;
+    description = "Leverage the OpenPGP web of trust for SSH and TLS authentication";
+    longDescription = ''
+      The Monkeysphere project's goal is to extend OpenPGP's web of
+      trust to new areas of the Internet to help us securely identify
+      servers we connect to, as well as each other while we work online.
+      The suite of Monkeysphere utilities provides a framework to
+      transparently leverage the web of trust for authentication of
+      TLS/SSL communications through the normal use of tools you are
+      familiar with, such as your web browser0 or secure shell.
+    '';
+    license = licenses.gpl3;
+    platforms = platforms.all;
+  };
+}

pkgs/tools/security/monkeysphere/monkeysphere.patch

@@ -0,0 +1,92 @@
+diff -rupN monkeysphere-0.37/Makefile monkeysphere-0.37-patched/Makefile
+--- monkeysphere-0.37/Makefile	2014-08-06 19:27:38.000000000 +0200
++++ monkeysphere-0.37-patched/Makefile	2015-07-31 19:51:57.539373097 +0200
+@@ -42,11 +42,11 @@ install: all installman
+ 	mkdir -p $(DESTDIR)$(PREFIX)/share/doc/monkeysphere
+ 	printf "Monkeysphere %s\n" $(MONKEYSPHERE_VERSION) > $(DESTDIR)$(PREFIX)/share/monkeysphere/VERSION
+ 	install src/monkeysphere $(DESTDIR)$(PREFIX)/bin
+-	sed -i 's:__SYSSHAREDIR_PREFIX__:$(PREFIX):' $(DESTDIR)$(PREFIX)/bin/monkeysphere
++	sed -i 's:__SYSSHAREDIR_PREFIX__:$(DESTDIR):' $(DESTDIR)$(PREFIX)/bin/monkeysphere
+ 	install src/monkeysphere-host $(DESTDIR)$(PREFIX)/sbin
+-	sed -i 's:__SYSSHAREDIR_PREFIX__:$(PREFIX):' $(DESTDIR)$(PREFIX)/sbin/monkeysphere-host
++	sed -i 's:__SYSSHAREDIR_PREFIX__:$(DESTDIR):' $(DESTDIR)$(PREFIX)/sbin/monkeysphere-host
+ 	install src/monkeysphere-authentication $(DESTDIR)$(PREFIX)/sbin
+-	sed -i 's:__SYSSHAREDIR_PREFIX__:$(PREFIX):' $(DESTDIR)$(PREFIX)/sbin/monkeysphere-authentication
++	sed -i 's:__SYSSHAREDIR_PREFIX__:$(DESTDIR):' $(DESTDIR)$(PREFIX)/sbin/monkeysphere-authentication
+ 	install src/monkeysphere-authentication-keys-for-user $(DESTDIR)$(PREFIX)/share/monkeysphere
+ 	install -m 0755 src/share/common $(DESTDIR)$(PREFIX)/share/monkeysphere
+ 	install -m 0644 src/share/defaultenv $(DESTDIR)$(PREFIX)/share/monkeysphere
+@@ -59,8 +59,8 @@ install: all installman
+ 	ln -sf ../share/monkeysphere/keytrans $(DESTDIR)$(PREFIX)/bin/openpgp2pem
+ 	ln -sf ../share/monkeysphere/keytrans $(DESTDIR)$(PREFIX)/bin/openpgp2spki
+ 	install -m 0744 src/transitions/* $(DESTDIR)$(PREFIX)/share/monkeysphere/transitions
+-	sed -i 's:__SYSSHAREDIR_PREFIX__:$(PREFIX):' $(DESTDIR)$(PREFIX)/share/monkeysphere/transitions/0.23
+-	sed -i 's:__SYSSHAREDIR_PREFIX__:$(PREFIX):' $(DESTDIR)$(PREFIX)/share/monkeysphere/transitions/0.28
++	sed -i 's:__SYSSHAREDIR_PREFIX__:$(DESTDIR):' $(DESTDIR)$(PREFIX)/share/monkeysphere/transitions/0.23
++	sed -i 's:__SYSSHAREDIR_PREFIX__:$(DESTDIR):' $(DESTDIR)$(PREFIX)/share/monkeysphere/transitions/0.28
+ 	install -m 0644 src/transitions/README.txt $(DESTDIR)$(PREFIX)/share/monkeysphere/transitions
+ 	install -m 0644 src/share/m/* $(DESTDIR)$(PREFIX)/share/monkeysphere/m
+ 	install -m 0644 src/share/mh/* $(DESTDIR)$(PREFIX)/share/monkeysphere/mh
+diff -rupN monkeysphere-0.37/src/share/checkperms monkeysphere-0.37-patched/src/share/checkperms
+--- monkeysphere-0.37/src/share/checkperms	2014-08-06 19:27:38.000000000 +0200
++++ monkeysphere-0.37-patched/src/share/checkperms	2015-07-31 19:52:18.170675985 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/perl -T
++#!/usr/bin/perl
+ 
+ # checkperms: ensure as best we can that a given file can only be
+ # modified by the given user (or the superuser, naturally).  This
+diff -rupN monkeysphere-0.37/src/share/keytrans monkeysphere-0.37-patched/src/share/keytrans
+--- monkeysphere-0.37/src/share/keytrans	2014-08-06 19:27:38.000000000 +0200
++++ monkeysphere-0.37-patched/src/share/keytrans	2015-07-31 20:13:36.664514290 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/perl -T
++#!/usr/bin/perl
+ 
+ # keytrans: this is an RSA key translation utility; it is capable of
+ # transforming RSA keys (both public keys and secret keys) between
+@@ -1069,7 +1069,7 @@ sub packetwalk {
+ 
+ 
+ for (basename($0)) {
+-  if (/^pem2openpgp$/) {
++  if (/pem2openpgp/) {
+     my $rsa;
+     my $stdin;
+ 
+@@ -1107,7 +1107,7 @@ for (basename($0)) {
+ 		      }
+ 		     );
+   }
+-  elsif (/^openpgp2ssh$/) {
++  elsif (/openpgp2ssh/) {
+       my $fpr = shift;
+       my $instream;
+       open($instream,'-');
+@@ -1123,7 +1123,7 @@ for (basename($0)) {
+ 	die "No matching key found.\n";
+       }
+   }
+-  elsif (/^openpgp2pem$/) {
++  elsif (/openpgp2pem/) {
+       my $fpr = shift;
+       my $instream;
+       open($instream,'-');
+@@ -1139,7 +1139,7 @@ for (basename($0)) {
+ 	die "No matching key found.\n";
+       }
+   }
+-  elsif (/^openpgp2spki$/) {
++  elsif (/openpgp2spki/) {
+       my $fpr = shift;
+       my $instream;
+       open($instream,'-');
+@@ -1151,7 +1151,7 @@ for (basename($0)) {
+ 	die "No matching key found.\n";
+       }
+   }
+-  elsif (/^keytrans$/) {
++  elsif (/keytrans/) {
+     # subcommands when keytrans is invoked directly are UNSUPPORTED,
+     # UNDOCUMENTED, and WILL NOT BE MAINTAINED.
+     my $subcommand = shift;

pkgs/top-level/all-packages.nix

@@ -12042,6 +12042,8 @@ let
 
   monkeysAudio = callPackage ../applications/audio/monkeys-audio { };
 
+  monkeysphere = callPackage ../tools/security/monkeysphere { };
+
   monodevelop = callPackage ../applications/editors/monodevelop {};
 
   monotone = callPackage ../applications/version-management/monotone {
@@ -12127,6 +12129,7 @@ let
     avahi = avahi.override {
       withLibdnssdCompat = true;
     };
+    celt = celt_0_7;
     jackSupport = config.mumble.jackSupport or false;
     speechdSupport = config.mumble.speechdSupport or false;
     pulseSupport = config.pulseaudio or false;