Merge #132753: 'staging-next-21.05' into release-21.05

2021-08-05 17:26:53 +02:00 · 2021-08-05 17:26:53 +02:00 · 98d66e4541
commit 98d66e4541
parent b2d256095a f3cd217988
3 changed files with 29 additions and 9 deletions
--- a/pkgs/development/interpreters/python/cpython/2.7/default.nix
+++ b/pkgs/development/interpreters/python/cpython/2.7/default.nix
@ -27,9 +27,9 @@
 , sha256
 , passthruFun
 , static ? false
-, stripBytecode ? reproducibleBuild
+, stripBytecode ? true
 , rebuildBytecode ? true
-, reproducibleBuild ? true
+, reproducibleBuild ? false
 , enableOptimizations ? false
 , pythonAttr ? "python${sourceVersion.major}${sourceVersion.minor}"
 }:
@ -48,6 +48,8 @@ assert lib.assertMsg (reproducibleBuild -> stripBytecode)
 assert lib.assertMsg (reproducibleBuild -> (!enableOptimizations))
  "Deterministic builds are not achieved when optimizations are enabled.";

+assert lib.assertMsg (reproducibleBuild -> (!rebuildBytecode))
+  "Deterministic builds are not achieved when (default unoptimized) bytecode is created.";

 with lib;

@ -296,8 +298,10 @@ in with passthru; stdenv.mkDerivation ({
        # First we delete all old bytecode.
        find $out -name "*.pyc" -delete
        '' + optionalString rebuildBytecode ''
-        # Then, we build for the two optimization levels.
-        # We do not build unoptimized bytecode, because its not entirely deterministic yet.
+        # We build 3 levels of optimized bytecode. Note the default level, without optimizations,
+        # is not reproducible yet. https://bugs.python.org/issue29708
+        # Not creating bytecode will result in a large performance loss however, so we do build it.
+        find $out -name "*.py" | ${pythonForBuildInterpreter} -m compileall -q -f -x "lib2to3" -i -
        find $out -name "*.py" | ${pythonForBuildInterpreter} -O  -m compileall -q -f -x "lib2to3" -i -
        find $out -name "*.py" | ${pythonForBuildInterpreter} -OO -m compileall -q -f -x "lib2to3" -i -
      '' + optionalString stdenv.hostPlatform.isCygwin ''
--- a/pkgs/development/interpreters/python/cpython/default.nix
+++ b/pkgs/development/interpreters/python/cpython/default.nix
@ -35,11 +35,11 @@
 , stripTests ? false
 , stripTkinter ? false
 , rebuildBytecode ? true
-, stripBytecode ? reproducibleBuild
+, stripBytecode ? true
 , includeSiteCustomize ? true
 , static ? stdenv.hostPlatform.isStatic
 , enableOptimizations ? false
-, reproducibleBuild ? true
+, reproducibleBuild ? false
 , pythonAttr ? "python${sourceVersion.major}${sourceVersion.minor}"
 }:

@ -66,6 +66,9 @@ assert lib.assertMsg (reproducibleBuild -> stripBytecode)
 assert lib.assertMsg (reproducibleBuild -> (!enableOptimizations))
  "Deterministic builds are not achieved when optimizations are enabled.";

+assert lib.assertMsg (reproducibleBuild -> (!rebuildBytecode))
+  "Deterministic builds are not achieved when (default unoptimized) bytecode is created.";
+
 with lib;

 let
@ -396,11 +399,14 @@ in with passthru; stdenv.mkDerivation {
    # First we delete all old bytecode.
    find $out -type d -name __pycache__ -print0 | xargs -0 -I {} rm -rf "{}"
    '' + optionalString rebuildBytecode ''
-    # Then, we build for the two optimization levels.
-    # We do not build unoptimized bytecode, because its not entirely deterministic yet.
    # Python 3.7 implements PEP 552, introducing support for deterministic bytecode.
-    # compileall uses this checked-hash method by default when `SOURCE_DATE_EPOCH` is set.
+    # compileall uses the therein introduced checked-hash method by default when
+    # `SOURCE_DATE_EPOCH` is set.
    # We exclude lib2to3 because that's Python 2 code which fails
+    # We build 3 levels of optimized bytecode. Note the default level, without optimizations,
+    # is not reproducible yet. https://bugs.python.org/issue29708
+    # Not creating bytecode will result in a large performance loss however, so we do build it.
+    find $out -name "*.py" | ${pythonForBuildInterpreter} -m compileall -q -f -x "lib2to3" -i -
    find $out -name "*.py" | ${pythonForBuildInterpreter} -O  -m compileall -q -f -x "lib2to3" -i -
    find $out -name "*.py" | ${pythonForBuildInterpreter} -OO -m compileall -q -f -x "lib2to3" -i -
  '';
--- a/pkgs/development/libraries/cairo/default.nix
+++ b/pkgs/development/libraries/cairo/default.nix
@ -35,6 +35,16 @@ in stdenv.mkDerivation rec {
      url    = "https://gitlab.freedesktop.org/cairo/cairo/commit/6edf572ebb27b00d3c371ba5ae267e39d27d5b6d.patch";
      sha256 = "112hgrrsmcwxh1r52brhi5lksq4pvrz4xhkzcf2iqp55jl2pb7n1";
    })
+
+    # Fixes CVE-2020-35492; see https://github.com/NixOS/nixpkgs/issues/120364.
+    # CVE information: https://nvd.nist.gov/vuln/detail/CVE-2020-35492
+    # Upstream PR: https://gitlab.freedesktop.org/cairo/cairo/merge_requests/85
+    (fetchpatch {
+      name = "CVE-2020-35492.patch";
+      includes = [ "src/cairo-image-compositor.c" ];
+      url = "https://github.com/freedesktop/cairo/commit/78266cc8c0f7a595cfe8f3b694bfb9bcc3700b38.patch";
+      sha256 = "048nzfz7rkgqb9xs0dfs56qdw7ckkxr87nbj3p0qziqdq4nb6wki";
+    })
  ] ++ optionals stdenv.hostPlatform.isDarwin [
    # Workaround https://gitlab.freedesktop.org/cairo/cairo/-/issues/121
    ./skip-configure-stderr-check.patch