Merge #132753: 'staging-next-21.05' into release-21.05

Vladimír Čunát 2021-08-05 17:26:53 +02:00
commit 98d66e4541
No known key found for this signature in database
GPG Key ID: E747DF1F9575A3AA
3 changed files with 29 additions and 9 deletions


@ -27,9 +27,9 @@
, sha256
, passthruFun
, static ? false
, stripBytecode ? reproducibleBuild
, stripBytecode ? true
, rebuildBytecode ? true
, reproducibleBuild ? true
, reproducibleBuild ? false
, enableOptimizations ? false
, pythonAttr ? "python${sourceVersion.major}${sourceVersion.minor}"
}:
@ -48,6 +48,8 @@ assert lib.assertMsg (reproducibleBuild -> stripBytecode)
assert lib.assertMsg (reproducibleBuild -> (!enableOptimizations))
"Deterministic builds are not achieved when optimizations are enabled.";
assert lib.assertMsg (reproducibleBuild -> (!rebuildBytecode))
"Deterministic builds are not achieved when (default unoptimized) bytecode is created.";
with lib;
@ -296,8 +298,10 @@ in with passthru; stdenv.mkDerivation ({
# First we delete all old bytecode.
find $out -name "*.pyc" -delete
'' + optionalString rebuildBytecode ''
# Then, we build for the two optimization levels.
# We do not build unoptimized bytecode, because its not entirely deterministic yet.
# We build 3 levels of optimized bytecode. Note the default level, without optimizations,
# is not reproducible yet. https://bugs.python.org/issue29708
# Not creating bytecode will result in a large performance loss however, so we do build it.
find $out -name "*.py" | ${pythonForBuildInterpreter} -m compileall -q -f -x "lib2to3" -i -
find $out -name "*.py" | ${pythonForBuildInterpreter} -O -m compileall -q -f -x "lib2to3" -i -
find $out -name "*.py" | ${pythonForBuildInterpreter} -OO -m compileall -q -f -x "lib2to3" -i -
'' + optionalString stdenv.hostPlatform.isCygwin ''
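Review bot: With the new defaults in the first hunk, overriding `reproducibleBuild = true` on its own now fails evaluation, because `rebuildBytecode` still defaults to `true` and the assert added in the second hunk requires `reproducibleBuild -> (!rebuildBytecode)`. If that is not intended, deriving the default as `, rebuildBytecode ? !reproducibleBuild` would keep a single-flag override working, much as the old `stripBytecode ? reproducibleBuild` default did. Either way, a comment on the argument such as `# reproducibleBuild requires rebuildBytecode = false: unoptimized .pyc is not deterministic (bpo-29708)` would tell users who rebuild to verify outputs bit-for-bit what they have to set. The same defaults and assert appear in the first two hunks of the second file.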


@ -35,11 +35,11 @@
, stripTests ? false
, stripTkinter ? false
, rebuildBytecode ? true
, stripBytecode ? reproducibleBuild
, stripBytecode ? true
, includeSiteCustomize ? true
, static ? stdenv.hostPlatform.isStatic
, enableOptimizations ? false
, reproducibleBuild ? true
, reproducibleBuild ? false
, pythonAttr ? "python${sourceVersion.major}${sourceVersion.minor}"
}:
@ -66,6 +66,9 @@ assert lib.assertMsg (reproducibleBuild -> stripBytecode)
assert lib.assertMsg (reproducibleBuild -> (!enableOptimizations))
"Deterministic builds are not achieved when optimizations are enabled.";
assert lib.assertMsg (reproducibleBuild -> (!rebuildBytecode))
"Deterministic builds are not achieved when (default unoptimized) bytecode is created.";
with lib;
let
@ -396,11 +399,14 @@ in with passthru; stdenv.mkDerivation {
# First we delete all old bytecode.
find $out -type d -name __pycache__ -print0 | xargs -0 -I {} rm -rf "{}"
'' + optionalString rebuildBytecode ''
# Then, we build for the two optimization levels.
# We do not build unoptimized bytecode, because its not entirely deterministic yet.
# Python 3.7 implements PEP 552, introducing support for deterministic bytecode.
# compileall uses this checked-hash method by default when `SOURCE_DATE_EPOCH` is set.
# compileall uses the therein introduced checked-hash method by default when
# `SOURCE_DATE_EPOCH` is set.
# We exclude lib2to3 because that's Python 2 code which fails
# We build 3 levels of optimized bytecode. Note the default level, without optimizations,
# is not reproducible yet. https://bugs.python.org/issue29708
# Not creating bytecode will result in a large performance loss however, so we do build it.
find $out -name "*.py" | ${pythonForBuildInterpreter} -m compileall -q -f -x "lib2to3" -i -
find $out -name "*.py" | ${pythonForBuildInterpreter} -O -m compileall -q -f -x "lib2to3" -i -
find $out -name "*.py" | ${pythonForBuildInterpreter} -OO -m compileall -q -f -x "lib2to3" -i -
'';
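Review bot: The comment added in the last hunk says "We build 3 levels of optimized bytecode", but the first of the three `compileall` calls runs without `-O` and produces the unoptimized level, which is the one the next sentence calls non-reproducible. Wording such as `# We build bytecode at all three levels (default, -O, -OO). The default, unoptimized level is not reproducible yet.` would match the commands. The PEP 552 sentences just above still read as if setting `SOURCE_DATE_EPOCH` settles determinism, so it would help to state there that the unoptimized output is the exception and that this is why `reproducibleBuild` now defaults to `false`. The last hunk of the first file carries the same "We build 3 levels" wording.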


@ -35,6 +35,16 @@ in stdenv.mkDerivation rec {
url = "https://gitlab.freedesktop.org/cairo/cairo/commit/6edf572ebb27b00d3c371ba5ae267e39d27d5b6d.patch";
sha256 = "112hgrrsmcwxh1r52brhi5lksq4pvrz4xhkzcf2iqp55jl2pb7n1";
})
# Fixes CVE-2020-35492; see https://github.com/NixOS/nixpkgs/issues/120364.
# CVE information: https://nvd.nist.gov/vuln/detail/CVE-2020-35492
# Upstream PR: https://gitlab.freedesktop.org/cairo/cairo/merge_requests/85
(fetchpatch {
name = "CVE-2020-35492.patch";
includes = [ "src/cairo-image-compositor.c" ];
url = "https://github.com/freedesktop/cairo/commit/78266cc8c0f7a595cfe8f3b694bfb9bcc3700b38.patch";
sha256 = "048nzfz7rkgqb9xs0dfs56qdw7ckkxr87nbj3p0qziqdq4nb6wki";
})
] ++ optionals stdenv.hostPlatform.isDarwin [
# Workaround https://gitlab.freedesktop.org/cairo/cairo/-/issues/121
./skip-configure-stderr-check.patch
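Review bot: `includes = [ "src/cairo-image-compositor.c" ]` applies only one file of the upstream commit, and the comment does not say what is left out or why. Once the author confirms what was excluded, a line such as `# Only the source change is applied; the rest of the upstream commit (presumably the test additions) is dropped.` would stop a later reader from assuming the whole commit is in. The patch is also fetched from the github.com/freedesktop mirror, while the comment and the neighbouring patch point at gitlab.freedesktop.org. The pinned `sha256` fixes the content, but using the upstream URL, or noting why the mirror is used, keeps provenance easy to audit. The `patches` list begins and ends outside this hunk.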