Merge branch 'staging'

Contains security fixes in X server and X libs.
On Hydra, the amount to rebuild on master is now higher than on staging;
the comparison looks OK.

pkgs/development/compilers/llvm/3.5/llvm.nix

@@ -33,6 +33,12 @@ in stdenv.mkDerivation rec {
 
   propagatedBuildInputs = [ ncurses zlib ];
 
+  prePatch = ''
+    substituteInPlace CMakeLists.txt \
+      --replace 'set(CMAKE_INSTALL_NAME_DIR "@rpath")' "set(CMAKE_INSTALL_NAME_DIR "$out/lib")" \
+      --replace 'set(CMAKE_INSTALL_RPATH "@executable_path/../lib")' ""
+  '';
+
   # hacky fix: created binaries need to be run before installation
   preBuild = ''
     mkdir -p $out/

pkgs/development/compilers/llvm/3.8/llvm.nix

@@ -44,7 +44,11 @@ in stdenv.mkDerivation rec {
   # 10.9. This is a temporary measure until nixpkgs darwin support is
   # updated.
   postPatch = stdenv.lib.optionalString stdenv.isDarwin ''
-        sed -i 's/os_trace(\(.*\)");$/printf(\1\\n");/g' ./projects/compiler-rt/lib/sanitizer_common/sanitizer_mac.cc
+    sed -i 's/os_trace(\(.*\)");$/printf(\1\\n");/g' ./projects/compiler-rt/lib/sanitizer_common/sanitizer_mac.cc
+
+    substituteInPlace CMakeLists.txt \
+      --replace 'set(CMAKE_INSTALL_NAME_DIR "@rpath")' "set(CMAKE_INSTALL_NAME_DIR "$out/lib")" \
+      --replace 'set(CMAKE_INSTALL_RPATH "@executable_path/../lib")' ""
   '';
 
   # hacky fix: created binaries need to be run before installation
@@ -75,7 +79,6 @@ in stdenv.mkDerivation rec {
   '';
 
   postInstall = stdenv.lib.optionalString (stdenv.isDarwin && enableSharedLibraries) ''
-    install_name_tool -id $out/lib/libLLVM.dylib $out/lib/libLLVM.dylib
     ln -s $out/lib/libLLVM.dylib $out/lib/libLLVM-${version}.dylib
   '';
 

pkgs/development/compilers/llvm/3.9/llvm.nix

@@ -82,6 +82,10 @@ in stdenv.mkDerivation rec {
   + stdenv.lib.optionalString stdenv.isDarwin ''
     substituteInPlace ./projects/compiler-rt/cmake/config-ix.cmake \
       --replace 'set(COMPILER_RT_HAS_TSAN TRUE)' 'set(COMPILER_RT_HAS_TSAN FALSE)'
+
+    substituteInPlace CMakeLists.txt \
+      --replace 'set(CMAKE_INSTALL_NAME_DIR "@rpath")' "set(CMAKE_INSTALL_NAME_DIR "$lib/lib")" \
+      --replace 'set(CMAKE_INSTALL_RPATH "@executable_path/../lib")' ""
   ''
   # Patch llvm-config to return correct library path based on --link-{shared,static}.
   + stdenv.lib.optionalString (enableSharedLibraries) ''
@@ -130,8 +134,6 @@ in stdenv.mkDerivation rec {
   + stdenv.lib.optionalString (stdenv.isDarwin && enableSharedLibraries) ''
     substituteInPlace "$out/lib/cmake/llvm/LLVMExports-release.cmake" \
       --replace "\''${_IMPORT_PREFIX}/lib/libLLVM.dylib" "$lib/lib/libLLVM.dylib"
-    install_name_tool -id $lib/lib/libLLVM.dylib $lib/lib/libLLVM.dylib
-    install_name_tool -change @rpath/libLLVM.dylib $lib/lib/libLLVM.dylib $out/bin/llvm-config
     ln -s $lib/lib/libLLVM.dylib $lib/lib/libLLVM-${shortVersion}.dylib
     ln -s $lib/lib/libLLVM.dylib $lib/lib/libLLVM-${version}.dylib
   '';

pkgs/development/compilers/llvm/4/llvm.nix

@@ -58,6 +58,10 @@ in stdenv.mkDerivation rec {
   postPatch = stdenv.lib.optionalString stdenv.isDarwin ''
     substituteInPlace ./projects/compiler-rt/cmake/config-ix.cmake \
       --replace 'set(COMPILER_RT_HAS_TSAN TRUE)' 'set(COMPILER_RT_HAS_TSAN FALSE)'
+
+    substituteInPlace cmake/modules/AddLLVM.cmake \
+      --replace 'set(_install_name_dir INSTALL_NAME_DIR "@rpath")' "set(_install_name_dir INSTALL_NAME_DIR "$lib/lib")" \
+      --replace 'set(_install_rpath "@loader_path/../lib" ''${extra_libdir})' ""
   ''
   # Patch llvm-config to return correct library path based on --link-{shared,static}.
   + stdenv.lib.optionalString (enableSharedLibraries) ''
@@ -121,8 +125,6 @@ in stdenv.mkDerivation rec {
   + stdenv.lib.optionalString (stdenv.isDarwin && enableSharedLibraries) ''
     substituteInPlace "$out/lib/cmake/llvm/LLVMExports-${if debugVersion then "debug" else "release"}.cmake" \
       --replace "\''${_IMPORT_PREFIX}/lib/libLLVM.dylib" "$lib/lib/libLLVM.dylib"
-    install_name_tool -id $lib/lib/libLLVM.dylib $lib/lib/libLLVM.dylib
-    install_name_tool -change @rpath/libLLVM.dylib $lib/lib/libLLVM.dylib $out/bin/llvm-config
     ln -s $lib/lib/libLLVM.dylib $lib/lib/libLLVM-${shortVersion}.dylib
     ln -s $lib/lib/libLLVM.dylib $lib/lib/libLLVM-${release_version}.dylib
   '';

pkgs/development/compilers/llvm/5/llvm.nix

@@ -58,6 +58,10 @@ in stdenv.mkDerivation rec {
   postPatch = stdenv.lib.optionalString stdenv.isDarwin ''
     substituteInPlace ./projects/compiler-rt/cmake/config-ix.cmake \
       --replace 'set(COMPILER_RT_HAS_TSAN TRUE)' 'set(COMPILER_RT_HAS_TSAN FALSE)'
+
+    substituteInPlace cmake/modules/AddLLVM.cmake \
+      --replace 'set(_install_name_dir INSTALL_NAME_DIR "@rpath")' "set(_install_name_dir INSTALL_NAME_DIR "$lib/lib")" \
+      --replace 'set(_install_rpath "@loader_path/../lib" ''${extra_libdir})' ""
   ''
   # Patch llvm-config to return correct library path based on --link-{shared,static}.
   + stdenv.lib.optionalString (enableSharedLibraries) ''
@@ -129,8 +133,6 @@ in stdenv.mkDerivation rec {
   + stdenv.lib.optionalString (stdenv.isDarwin && enableSharedLibraries) ''
     substituteInPlace "$out/lib/cmake/llvm/LLVMExports-${if debugVersion then "debug" else "release"}.cmake" \
       --replace "\''${_IMPORT_PREFIX}/lib/libLLVM.dylib" "$lib/lib/libLLVM.dylib"
-    install_name_tool -id $lib/lib/libLLVM.dylib $lib/lib/libLLVM.dylib
-    install_name_tool -change @rpath/libLLVM.dylib $lib/lib/libLLVM.dylib $out/bin/llvm-config
     ln -s $lib/lib/libLLVM.dylib $lib/lib/libLLVM-${shortVersion}.dylib
     ln -s $lib/lib/libLLVM.dylib $lib/lib/libLLVM-${release_version}.dylib
   '';

pkgs/development/libraries/dbus/default.nix

@@ -6,8 +6,8 @@ assert x11Support -> libX11 != null
                   && libSM != null;
 
 let
-  version = "1.10.22";
-  sha256 = "15vv9gz5i4f5l7h0d045qz5iyvl89hjk2k83lb4vbizd7qg41cg2";
+  version = "1.10.24";
+  sha256 = "06ydmrg76l1kwl3190d72zpiy3qxy248x6gskxbj9qiqfsr4w63i";
 
 self = stdenv.mkDerivation {
     name = "dbus-${version}";

pkgs/development/libraries/drumstick/default.nix

@@ -15,25 +15,12 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  # Prevent the manpage builds from attempting to access the Internet.
-  prePatch = ''
-    substituteInPlace cmake_admin/CreateManpages.cmake --replace \
-      http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl \
-      ${docbook_xsl}/xml/xsl/docbook/manpages/docbook.xsl
-
-    for xml in doc/*.xml.in; do
-      substituteInPlace "$xml" --replace \
-        http://www.docbook.org/xml/4.5/docbookx.dtd \
-        ${docbook_xml_dtd_45}/xml/dtd/docbook/docbookx.dtd
-    done
-  '';
-
   #Temporarily remove drumstick-piano; Gives segment fault. Submitted ticket
   postInstall = ''
     rm $out/bin/drumstick-vpiano
     '';
 
-  nativeBuildInputs = [ cmake pkgconfig ];
+  nativeBuildInputs = [ cmake pkgconfig docbook_xsl docbook_xml_dtd_45 docbook_xml_dtd_45 ];
   buildInputs = [
     alsaLib doxygen fluidsynth qt5.qtbase qt5.qtsvg
   ];

pkgs/development/libraries/glib/default.nix

@@ -43,7 +43,7 @@ let
   '';
 
   ver_maj = "2.54";
-  ver_min = "0";
+  ver_min = "1";
 in
 
 stdenv.mkDerivation rec {
@@ -51,7 +51,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "mirror://gnome/sources/glib/${ver_maj}/${name}.tar.xz";
-    sha256 = "fe22998ff0394ec31e6e5511c379b74011bee61a4421bca7fcab223dfbe0fc6a";
+    sha256 = "50c01b1419324f10fbf9b9709ec2164b18586968bdce7540583bf32302cf47a3";
   };
 
   patches = optional stdenv.isDarwin ./darwin-compilation.patch

pkgs/development/libraries/gtk+/3.x.nix

@@ -13,7 +13,7 @@ with stdenv.lib;
 
 let
   ver_maj = "3.22";
-  ver_min = "21";
+  ver_min = "24";
   version = "${ver_maj}.${ver_min}";
 in
 stdenv.mkDerivation rec {
@@ -21,7 +21,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "mirror://gnome/sources/gtk+/${ver_maj}/gtk+-${version}.tar.xz";
-    sha256 = "1bd3c1a85cfb4db112cabb5379abb05a1a94fe43052d309d573493fca00e6b87";
+    sha256 = "cbb16e4cfc928ab8f5f22f7290616f95f6ebc8c97cc724a2007b07ced833592b";
   };
 
   outputs = [ "out" "dev" ];

pkgs/development/libraries/libdrm/default.nix

@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "1minzvsyz5hgm6ixpj8ysa6jsv7vm8qc8nx390jxdsk0v9ljd983";
   };
 
-  outputs = [ "out" "dev" ];
+  outputs = [ "out" "dev" "bin" ];
 
   nativeBuildInputs = [ pkgconfig ];
   buildInputs = [ libpthreadstubs libpciaccess valgrind-light ];
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
   preConfigure = stdenv.lib.optionalString stdenv.isDarwin
     "echo : \\\${ac_cv_func_clock_gettime=\'yes\'} > config.cache";
 
-  configureFlags = [ ]
+  configureFlags = [ "--enable-install-test-programs" ]
     ++ stdenv.lib.optionals (stdenv.isArm || stdenv.isAarch64) [ "--enable-tegra-experimental-api" "--enable-etnaviv-experimental-api" ]
     ++ stdenv.lib.optional stdenv.isDarwin "-C";
 

pkgs/development/libraries/libpng/default.nix

@@ -5,12 +5,12 @@
 assert zlib != null;
 
 let
-  version = "1.6.31";
-  patchVersion = "1.6.31";
-  sha256 = "0hcbxv9qf4f9q7brrk0ndag526glr8lii43grssv45j9w0nn0ai3";
+  version = "1.6.34";
+  patchVersion = "1.6.34";
+  sha256 = "1xjr0v34fyjgnhvaa1zixcpx5yvxcg4zwvfh0fyklfyfj86rc7ig";
   patch_src = fetchurl {
     url = "mirror://sourceforge/libpng-apng/libpng-${patchVersion}-apng.patch.gz";
-    sha256 = "0f10ih658j514vpvsli0pk378vcmjn78g52cssyg92r4k1r19rla";
+    sha256 = "1ha4npf9mfrzp0srg8a5amks5ww84xzfpjbsj8k3yjjpai798qg6";
   };
   whenPatched = stdenv.lib.optionalString apngSupport;
 

pkgs/development/libraries/libuv/default.nix

@@ -2,14 +2,14 @@
 , ApplicationServices, CoreServices }:
 
 stdenv.mkDerivation rec {
-  version = "1.14.1";
+  version = "1.15.0";
   name = "libuv-${version}";
 
   src = fetchFromGitHub {
     owner = "libuv";
     repo = "libuv";
     rev = "v${version}";
-    sha256 = "1121qvnvpcabq1bl2k41jq8r2hn2x123csiaf7s9vrq66bbxgfdx";
+    sha256 = "092hxqjvbb6d03h3msc38359w2kixba1ansyrsbyqq8iqiqwnkw0";
   };
 
   postPatch = let

pkgs/development/libraries/mapnik/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchzip
+{ stdenv, fetchzip, fetchpatch
 , boost, cairo, freetype, gdal, harfbuzz, icu, libjpeg, libpng, libtiff
 , libwebp, libxml2, proj, python2, scons, sqlite, zlib
 
@@ -16,6 +16,12 @@ stdenv.mkDerivation rec {
     sha256 = "189wsd6l6awblkiha666l1sdyp7ifmnfsa87y0j37rvym6w4r065";
   };
 
+  patches = [(fetchpatch {
+    name = "icu-59.diff";
+    url = https://github.com/mapnik/mapnik/commit/9e58c890430d.diff;
+    sha256 = "0h546qq8g19gw9s4979hla9vkq5kcwh3q45ryajyjhmlr2z9fi6p";
+  })];
+
   # a distinct dev output makes python-mapnik fail
   outputs = [ "out" ];
 

pkgs/development/libraries/mesa/default.nix

@@ -1,10 +1,10 @@
 { stdenv, fetchurl, fetchpatch, lib
 , pkgconfig, intltool, autoreconfHook, substituteAll
-, file, expat, libdrm, xorg, wayland, openssl
+, file, expat, libdrm, xorg, wayland, wayland-protocols, openssl
 , llvmPackages, libffi, libomxil-bellagio, libva
-, libelf, libvdpau, valgrind-light
+, libelf, libvdpau, valgrind-light, python2
 , grsecEnabled ? false
-, enableRadv ? false
+, enableRadv ? true
 # Texture floats are patented, see docs/patents.txt, so we don't enable them for full Mesa.
 # It's overridden for mesa_drivers.
 , enableTextureFloats ? false
@@ -36,7 +36,7 @@ let
     then ["nouveau" "freedreno" "vc4" "etnaviv" "imx"]
     else if stdenv.isAarch64
     then ["nouveau" "vc4" ]
-    else ["i915" "r300" "r600" "radeonsi" "nouveau"];
+    else ["svga" "i915" "r300" "r600" "radeonsi" "nouveau"];
   defaultDriDrivers =
     if (stdenv.isArm || stdenv.isAarch64)
     then ["nouveau"]
@@ -51,8 +51,7 @@ let gallium_ = galliumDrivers; dri_ = driDrivers; vulkan_ = vulkanDrivers; in
 
 let
   galliumDrivers =
-    ["svga"]
-    ++ (if gallium_ == null
+    (if gallium_ == null
           then defaultGalliumDrivers
           else gallium_)
     ++ ["swrast"];
@@ -67,7 +66,7 @@ let
 in
 
 let
-  version = "17.1.10";
+  version = "17.2.2";
   branch  = head (splitString "." version);
   driverLink = "/run/opengl-driver" + optionalString stdenv.isi686 "-32";
 in
@@ -82,7 +81,7 @@ stdenv.mkDerivation {
       "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz"
       "https://launchpad.net/mesa/trunk/${version}/+download/mesa-${version}.tar.xz"
     ];
-    sha256 = "cbc0d681cc4df47d8deb5a36f45b420978128522fd665b2cd4c7096316f11bdb";
+    sha256 = "10jplvxg7rlbp7569w08z0igwlsjjfb7q3n07zgfr8d5sr224lng";
   };
 
   prePatch = "patchShebangs .";
@@ -150,9 +149,9 @@ stdenv.mkDerivation {
     expat llvmPackages.llvm
     glproto dri2proto dri3proto presentproto
     libX11 libXext libxcb libXt libXfixes libxshmfence
-    libffi wayland libvdpau libelf libXvMC
+    libffi wayland wayland-protocols libvdpau libelf libXvMC
     libomxil-bellagio libva libpthreadstubs openssl/*or another sha1 provider*/
-    valgrind-light
+    valgrind-light python2
   ];
 
 

pkgs/development/tools/build-managers/cmake/default.nix

@@ -17,7 +17,7 @@ with stdenv.lib;
 let
   os = stdenv.lib.optionalString;
   majorVersion = "3.9";
-  minorVersion = "2";
+  minorVersion = "4";
   version = "${majorVersion}.${minorVersion}";
 in
 
@@ -28,8 +28,8 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "${meta.homepage}files/v${majorVersion}/cmake-${version}.tar.gz";
-    # from https://cmake.org/files/v3.9/cmake-3.9.2-SHA-256.txt
-    sha256 = "954a5801a456ee48e76f01107c9a4961677dd0f3e115275bbd18410dc22ba3c1";
+    # from https://cmake.org/files/v3.9/cmake-3.9.4-SHA-256.txt
+    sha256 = "b5d86f12ae0072db520fdbdad67405f799eb728b610ed66043c20a92b4906ca1";
   };
 
   prePatch = optionalString (!useSharedLibraries) ''

pkgs/development/tools/build-managers/meson/default.nix

@@ -1,12 +1,12 @@
 { lib, python3Packages }:
 python3Packages.buildPythonApplication rec {
-  version = "0.42.1";
+  version = "0.43.0";
   pname = "meson";
   name = "${pname}-${version}";
 
   src = python3Packages.fetchPypi {
     inherit pname version;
-    sha256 = "1phf1xpwm8m85qiiirkqhrf5aigx7ajaw0l59d6lzadf1fmgfx5v";
+    sha256 = "0qn5hyzvam3rimn7g3671s1igj7fbkwdnf5nc8jr4d5swy25mq61";
   };
 
   postFixup = ''

pkgs/development/tools/continuous-integration/drone/default.nix

@@ -53,10 +53,6 @@ buildGoPackage rec {
     go generate github.com/drone/drone/store/datastore/ddl
   '';
 
-  postInstall = stdenv.lib.optionalString stdenv.isDarwin ''
-    install_name_tool -delete_rpath $out/lib -add_rpath $bin $bin/bin/drone
-  '';
-
   src = fetchFromGitHub {
     owner = "drone";
     repo = "drone";

pkgs/development/tools/documentation/gtk-doc/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, perl, python, libxml2Python, libxslt, which
+{ stdenv, fetchurl, autoreconfHook, pkgconfig, perl, python, libxml2Python, libxslt, which
 , docbook_xml_dtd_43, docbook_xsl, gnome_doc_utils, dblatex, gettext, itstool }:
 
 stdenv.mkDerivation rec {
@@ -10,29 +10,20 @@ stdenv.mkDerivation rec {
     sha256 = "0hpxcij9xx9ny3gs9p0iz4r8zslw8wqymbyababiyl7603a6x90y";
   };
 
+  patches = [
+    ./respect-xml-catalog-files-var.patch
+  ];
+
   outputDevdoc = "out";
 
-  # maybe there is a better way to pass the needed dtd and xsl files
-  # "-//OASIS//DTD DocBook XML V4.1.2//EN" and "http://docbook.sourceforge.net/release/xsl/current/html/chunk.xsl"
-  preConfigure = ''
-    mkdir -p $out/nix-support
-    cat > $out/nix-support/catalog.xml << EOF
-    <?xml version="1.0"?>
-    <!DOCTYPE catalog PUBLIC "-//OASIS//DTD Entity Resolution XML Catalog V1.0//EN" "http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd">
-    <catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
-      <nextCatalog  catalog="${docbook_xsl}/xml/xsl/docbook/catalog.xml" />
-      <nextCatalog  catalog="${docbook_xml_dtd_43}/xml/dtd/docbook/catalog.xml" />
-    </catalog>
-    EOF
-
-    configureFlags="--with-xml-catalog=$out/nix-support/catalog.xml --disable-scrollkeeper";
-  '';
-
+  nativeBuildInputs = [ autoreconfHook ];
   buildInputs =
    [ pkgconfig perl python libxml2Python libxslt docbook_xml_dtd_43 docbook_xsl
      gnome_doc_utils dblatex gettext which itstool
    ];
 
+  configureFlags = "--disable-scrollkeeper";
+
   meta = with stdenv.lib; {
     homepage = https://www.gtk.org/gtk-doc;
     description = "Tools to extract documentation embedded in GTK+ and GNOME source code";

pkgs/development/tools/documentation/gtk-doc/respect-xml-catalog-files-var.patch

@@ -0,0 +1,28 @@
+diff --git a/m4/gtkdoc_jh_check_xml_catalog.m4 b/m4/gtkdoc_jh_check_xml_catalog.m4
+index 618c1c9..1842a0d 100644
+--- a/m4/gtkdoc_jh_check_xml_catalog.m4
++++ b/m4/gtkdoc_jh_check_xml_catalog.m4
+@@ -10,7 +10,21 @@ AC_DEFUN([JH_CHECK_XML_CATALOG],
+ 		AC_MSG_RESULT([found])
+ 		ifelse([$3],,,[$3])
+ 	else
+-		AC_MSG_RESULT([not found])
+-		ifelse([$4],,[AC_MSG_ERROR([could not find ifelse([$2],,[$1],[$2]) in XML catalog])],[$4])
++		jh_check_xml_catalog_saved_ifs="$IFS"
++		IFS=' '
++		for f in $XML_CATALOG_FILES; do
++			if [[ -f "$f" ]] && \
++				AC_RUN_LOG([$XMLCATALOG --noout "$f" "$1" >&2]); then
++				jh_found_xmlcatalog=true
++				AC_MSG_RESULT([found])
++				ifelse([$3],,,[$3])
++				break
++			fi
++		done
++		IFS="$jh_check_xml_catalog_saved_ifs"
++		if ! $jh_found_xmlcatalog; then
++			AC_MSG_RESULT([not found])
++			ifelse([$4],,[AC_MSG_ERROR([could not find ifelse([$2],,[$1],[$2]) in XML catalog])],[$4])
++		fi
+ 	fi
+ ])

pkgs/development/tools/textql/default.nix

@@ -16,10 +16,6 @@ buildGoPackage rec {
 
   goDeps = ./deps.nix;
 
-  preFixup = stdenv.lib.optionalString stdenv.isDarwin ''
-    install_name_tool -delete_rpath $out/lib $bin/bin/textql
-  '';
-
   meta = with stdenv.lib; {
     description = "Execute SQL against structured text like CSV or TSV";
     homepage = https://github.com/dinedal/textql;