Merge branch 'staging'

(Truly, this time :-)
2017-03-01 11:34:44 +01:00 · 2017-03-01 11:34:44 +01:00 · b43614a6bb
parent 150796d3b2 64d4bfd139
commit b43614a6bb
22 changed files with 269 additions and 87 deletions
--- a/doc/languages-frameworks/python.md
+++ b/doc/languages-frameworks/python.md
@ -641,6 +641,19 @@ community to help save time. No tool is preferred at the moment.
 - [pypi2nix](https://github.com/garbas/pypi2nix) by Rok Garbas
 - [pypi2nix](https://github.com/offlinehacker/pypi2nix) by Jaka Hudoklin
 ### Deterministic builds
 Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly.
 Minor modifications had to be made to the interpreters in order to generate
 deterministic bytecode. This has security implications and is relevant for
 those using Python in a `nix-shell`.
 When the environment variable `DETERMINISTIC_BUILD` is set, all bytecode will have timestamp 1.
 The `buildPythonPackage` function sets `DETERMINISTIC_BUILD` as well as
 [PYTHONHASHSEED](https://docs.python.org/3.5/using/cmdline.html#envvar-PYTHONHASHSEED).
 Both are also exported in `nix-shell`.
 ## FAQ
 ### How can I install a working Python environment?
--- a/nixos/doc/manual/release-notes/rl-1703.xml
+++ b/nixos/doc/manual/release-notes/rl-1703.xml
@ -271,6 +271,16 @@ following incompatible changes:</para>
    </para>
  </listitem>
  <listitem>
    <para>
      Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly.
      Minor modifications had to be made to the interpreters in order to generate
      deterministic bytecode. This has security implications and is relevant for
      those using Python in a <literal>nix-shell</literal>. See the Nixpkgs manual
      for details.
    </para>
  </listitem>
 </itemizedlist>
--- a/pkgs/build-support/setup-hooks/compress-man-pages.sh
+++ b/pkgs/build-support/setup-hooks/compress-man-pages.sh
@ -3,26 +3,30 @@ fixupOutputHooks+=('if [ -z "$dontGzipMan" ]; then compressManPages "$prefix"; f
 compressManPages() {
    local dir="$1"
-    if [ ! -d "$dir/share/man" ]; then return; fi
+    if [ -L "$dir"/share ] || [ -L "$dir"/share/man ] || [ ! -d "$dir/share/man" ]
-    echo "gzipping man pages in $dir"
+        then return
    fi
    echo "gzipping man pages under $dir/share/man/"
-    GLOBIGNORE=.:..:*.gz:*.bz2
+    # Compress all uncompressed manpages.  Don't follow symlinks, etc.
-
+    find "$dir"/share/man/ -type f -a '!' -regex '.*\.\(bz2\|gz\)$' -print0 \
-    for f in "$dir"/share/man/*/* "$dir"/share/man/*/*/*; do
+        | while IFS= read -r -d $'\0' f
-        if [ -f "$f" -a ! -L "$f" ]; then
+    do
        if gzip -c -n "$f" > "$f".gz; then
            rm "$f"
        else
            rm "$f".gz
        fi
        fi
    done
-    for f in "$dir"/share/man/*/* "$dir"/share/man/*/*/*; do
+    # Point symlinks to compressed manpages.
-        if [ -L "$f" -a -f `readlink -f "$f"`.gz ]; then
+    find "$dir"/share/man/ -type l -a '!' -regex '.*\.\(bz2\|gz\)$' -print0 \
-            ln -sf `readlink "$f"`.gz "$f".gz && rm "$f"
+        | while IFS= read -r -d $'\0' f
    do
        local target
        target="$(readlink -f "$f")"
        if [ -f "$target".gz ]; then
            ln -sf "$target".gz "$f".gz && rm "$f"
        fi
    done
    unset GLOBIGNORE
 }
--- a/pkgs/development/interpreters/python/cpython/2.7/default.nix
+++ b/pkgs/development/interpreters/python/cpython/2.7/default.nix
@ -178,6 +178,17 @@ in stdenv.mkDerivation {
        echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py
        rm "$out"/lib/python*/plat-*/regen # refers to glibc.dev
        # Determinism: Windows installers were not deterministic.
        # We're also not interested in building Windows installers.
        find "$out" -name 'wininst*.exe' | xargs -r rm -f
        # Determinism: rebuild all bytecode
        # We exclude lib2to3 because that's Python 2 code which fails
        # We rebuild three times, once for each optimization level
        find $out -name "*.py" | $out/bin/python -m compileall -q -f -x "lib2to3" -i -
        find $out -name "*.py" | $out/bin/python -O -m compileall -q -f -x "lib2to3" -i -
        find $out -name "*.py" | $out/bin/python -OO -m compileall -q -f -x "lib2to3" -i -
      '';
    passthru = let
@ -210,5 +221,8 @@ in stdenv.mkDerivation {
      license = stdenv.lib.licenses.psfl;
      platforms = stdenv.lib.platforms.all;
      maintainers = with stdenv.lib.maintainers; [ chaoflow domenkozar ];
      # Higher priority than Python 3.x so that `/bin/python` points to `/bin/python2`
      # in case both 2 and 3 are installed.
      priority = -100;
    };
  }
--- a/pkgs/development/interpreters/python/cpython/3.4/default.nix
+++ b/pkgs/development/interpreters/python/cpython/3.4/default.nix
@ -1,5 +1,7 @@
 { stdenv, fetchurl
 , bzip2
 , expat
 , libffi
 , gdbm
 , lzma
 , ncurses
@ -50,22 +52,44 @@ in stdenv.mkDerivation {
  NIX_LDFLAGS = optionalString stdenv.isLinux "-lgcc_s";
  # Determinism: The interpreter is patched to write null timestamps when compiling python files.
  # This way python doesn't try to update them when we freeze timestamps in nix store.
  DETERMINISTIC_BUILD=1;
  # Determinism: We fix the hashes of str, bytes and datetime objects.
  PYTHONHASHSEED=0;
  prePatch = optionalString stdenv.isDarwin ''
    substituteInPlace configure --replace '`/usr/bin/arch`' '"i386"'
    substituteInPlace configure --replace '-Wl,-stack_size,1000000' ' '
  '';
-  postPatch = optionalString (x11Support && (tix != null)) ''
+  postPatch = ''
    # Determinism
    substituteInPlace "Lib/py_compile.py" --replace "source_stats['mtime']" "(1 if 'DETERMINISTIC_BUILD' in os.environ else source_stats['mtime'])"
    # Determinism. This is done unconditionally
    substituteInPlace "Lib/importlib/_bootstrap.py" --replace "source_mtime = int(source_stats['mtime'])" "source_mtime = 1"
  '' + optionalString (x11Support && (tix != null)) ''
    substituteInPlace "Lib/tkinter/tix.py" --replace "os.environ.get('TIX_LIBRARY')" "os.environ.get('TIX_LIBRARY') or '${tix}/lib'"
  ''
    # Avoid picking up getentropy() from glibc >= 2.25, as that would break
    # on older kernels.  http://bugs.python.org/issue29157
-    + optionalString stdenv.isLinux
+    + optionalString stdenv.isLinux ''
      ''
        substituteInPlace Python/random.c --replace 'defined(HAVE_GETENTROPY)' '0'
        cat Python/random.c
  '';
  CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}";
  LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}";
  LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}";
  configureFlags = [
    "--enable-shared"
    "--with-threads"
    "--without-ensurepip"
    "--with-system-expat"
    "--with-system-ffi"
  ];
  preConfigure = ''
    for i in /usr /sw /opt /pkg; do	# improve purity
      substituteInPlace ./setup.py --replace $i /no-such-path
@ -74,12 +98,6 @@ in stdenv.mkDerivation {
       export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -msse2"
       export MACOSX_DEPLOYMENT_TARGET=10.6
     ''}
    configureFlagsArray=( --enable-shared --with-threads
                          CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}"
                          LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}"
                          LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}"
                        )
  '';
  setupHook = ./setup-hook.sh;
@ -102,6 +120,10 @@ in stdenv.mkDerivation {
    # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
    echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py
    # Determinism: Windows installers were not deterministic.
    # We're also not interested in building Windows installers.
    find "$out" -name 'wininst*.exe' | xargs -r rm -f
    # Use Python3 as default python
    ln -s "$out/bin/idle3" "$out/bin/idle"
    ln -s "$out/bin/pip3" "$out/bin/pip"
@ -109,6 +131,13 @@ in stdenv.mkDerivation {
    ln -s "$out/bin/python3" "$out/bin/python"
    ln -s "$out/bin/python3-config" "$out/bin/python-config"
    ln -s "$out/lib/pkgconfig/python3.pc" "$out/lib/pkgconfig/python.pc"
    # Determinism: rebuild all bytecode
    # We exclude lib2to3 because that's Python 2 code which fails
    # We rebuild three times, once for each optimization level
    find $out -name "*.py" | $out/bin/python -m compileall -q -f -x "lib2to3" -i -
    find $out -name "*.py" | $out/bin/python -O -m compileall -q -f -x "lib2to3" -i -
    find $out -name "*.py" | $out/bin/python -OO -m compileall -q -f -x "lib2to3" -i -
  '';
  postFixup = ''
--- a/pkgs/development/interpreters/python/cpython/3.5/default.nix
+++ b/pkgs/development/interpreters/python/cpython/3.5/default.nix
@ -1,5 +1,7 @@
 { stdenv, fetchurl, fetchpatch
 , bzip2
 , expat
 , libffi
 , gdbm
 , lzma
 , ncurses
@ -32,7 +34,7 @@ let
  sitePackages = "lib/${libPrefix}/site-packages";
  buildInputs = filter (p: p != null) [
-    zlib bzip2 lzma gdbm sqlite readline ncurses openssl ]
+    zlib bzip2 expat lzma libffi gdbm sqlite readline ncurses openssl ]
    ++ optionals x11Support [ tcl tk libX11 xproto ]
    ++ optionals stdenv.isDarwin [ CF configd ];
@ -50,6 +52,12 @@ in stdenv.mkDerivation {
  NIX_LDFLAGS = optionalString stdenv.isLinux "-lgcc_s";
  # Determinism: The interpreter is patched to write null timestamps when compiling python files.
  # This way python doesn't try to update them when we freeze timestamps in nix store.
  DETERMINISTIC_BUILD=1;
  # Determinism: We fix the hashes of str, bytes and datetime objects.
  PYTHONHASHSEED=0;
  prePatch = optionalString stdenv.isDarwin ''
    substituteInPlace configure --replace '`/usr/bin/arch`' '"i386"'
    substituteInPlace configure --replace '-Wl,-stack_size,1000000' ' '
@ -63,10 +71,27 @@ in stdenv.mkDerivation {
    })
  ];
-  postPatch = optionalString (x11Support && (tix != null)) ''
+  postPatch = ''
    # Determinism
    substituteInPlace "Lib/py_compile.py" --replace "source_stats['mtime']" "(1 if 'DETERMINISTIC_BUILD' in os.environ else source_stats['mtime'])"
    # Determinism. This is done unconditionally
    substituteInPlace "Lib/importlib/_bootstrap_external.py" --replace "source_mtime = int(st['mtime'])" "source_mtime = 1"
  '' + optionalString (x11Support && (tix != null)) ''
    substituteInPlace "Lib/tkinter/tix.py" --replace "os.environ.get('TIX_LIBRARY')" "os.environ.get('TIX_LIBRARY') or '${tix}/lib'"
  '';
  CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}";
  LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}";
  LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}";
  configureFlags = [
    "--enable-shared"
    "--with-threads"
    "--without-ensurepip"
    "--with-system-expat"
    "--with-system-ffi"
  ];
  preConfigure = ''
    for i in /usr /sw /opt /pkg; do	# improve purity
      substituteInPlace ./setup.py --replace $i /no-such-path
@ -75,12 +100,6 @@ in stdenv.mkDerivation {
       export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -msse2"
       export MACOSX_DEPLOYMENT_TARGET=10.6
     ''}
    configureFlagsArray=( --enable-shared --with-threads
                          CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}"
                          LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}"
                          LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}"
                        )
  '';
  setupHook = ./setup-hook.sh;
@ -103,6 +122,10 @@ in stdenv.mkDerivation {
    # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
    echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py
    # Determinism: Windows installers were not deterministic.
    # We're also not interested in building Windows installers.
    find "$out" -name 'wininst*.exe' | xargs -r rm -f
    # Use Python3 as default python
    ln -s "$out/bin/idle3" "$out/bin/idle"
    ln -s "$out/bin/pip3" "$out/bin/pip"
@ -110,6 +133,13 @@ in stdenv.mkDerivation {
    ln -s "$out/bin/python3" "$out/bin/python"
    ln -s "$out/bin/python3-config" "$out/bin/python-config"
    ln -s "$out/lib/pkgconfig/python3.pc" "$out/lib/pkgconfig/python.pc"
    # Determinism: rebuild all bytecode
    # We exclude lib2to3 because that's Python 2 code which fails
    # We rebuild three times, once for each optimization level
    find $out -name "*.py" | $out/bin/python -m compileall -q -f -x "lib2to3" -i -
    find $out -name "*.py" | $out/bin/python -O -m compileall -q -f -x "lib2to3" -i -
    find $out -name "*.py" | $out/bin/python -OO -m compileall -q -f -x "lib2to3" -i -
  '';
  postFixup = ''
--- a/pkgs/development/interpreters/python/cpython/3.6/default.nix
+++ b/pkgs/development/interpreters/python/cpython/3.6/default.nix
@ -1,6 +1,8 @@
 { stdenv, fetchurl, fetchpatch
 , glibc
 , bzip2
 , expat
 , libffi
 , gdbm
 , lzma
 , ncurses
@ -50,6 +52,12 @@ in stdenv.mkDerivation {
  NIX_LDFLAGS = optionalString stdenv.isLinux "-lgcc_s";
  # Determinism: The interpreter is patched to write null timestamps when compiling python files.
  # This way python doesn't try to update them when we freeze timestamps in nix store.
  DETERMINISTIC_BUILD=1;
  # Determinism: We fix the hashes of str, bytes and datetime objects.
  PYTHONHASHSEED=0;
  prePatch = optionalString stdenv.isDarwin ''
    substituteInPlace configure --replace '`/usr/bin/arch`' '"i386"'
    substituteInPlace configure --replace '-Wl,-stack_size,1000000' ' '
@ -63,10 +71,27 @@ in stdenv.mkDerivation {
    })
  ];
-  postPatch = optionalString (x11Support && (tix != null)) ''
+  postPatch = ''
    # Determinism
    substituteInPlace "Lib/py_compile.py" --replace "source_stats['mtime']" "(1 if 'DETERMINISTIC_BUILD' in os.environ else source_stats['mtime'])"
    # Determinism. This is done unconditionally
    substituteInPlace "Lib/importlib/_bootstrap_external.py" --replace "source_mtime = int(st['mtime'])" "source_mtime = 1"
  '' + optionalString (x11Support && (tix != null)) ''
    substituteInPlace "Lib/tkinter/tix.py" --replace "os.environ.get('TIX_LIBRARY')" "os.environ.get('TIX_LIBRARY') or '${tix}/lib'"
  '';
  CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}";
  LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}";
  LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}";
  configureFlags = [
    "--enable-shared"
    "--with-threads"
    "--without-ensurepip"
    "--with-system-expat"
    "--with-system-ffi"
  ];
  preConfigure = ''
    for i in /usr /sw /opt /pkg; do	# improve purity
      substituteInPlace ./setup.py --replace $i /no-such-path
@ -75,12 +100,6 @@ in stdenv.mkDerivation {
       export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -msse2"
       export MACOSX_DEPLOYMENT_TARGET=10.6
     ''}
    configureFlagsArray=( --enable-shared --with-threads
                          CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}"
                          LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}"
                          LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}"
                        )
  '';
  setupHook = ./setup-hook.sh;
@ -103,6 +122,10 @@ in stdenv.mkDerivation {
    # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484
    echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py
    # Determinism: Windows installers were not deterministic.
    # We're also not interested in building Windows installers.
    find "$out" -name 'wininst*.exe' | xargs -r rm -f
    # Use Python3 as default python
    ln -s "$out/bin/idle3" "$out/bin/idle"
    ln -s "$out/bin/pip3" "$out/bin/pip"
@ -110,6 +133,13 @@ in stdenv.mkDerivation {
    ln -s "$out/bin/python3" "$out/bin/python"
    ln -s "$out/bin/python3-config" "$out/bin/python-config"
    ln -s "$out/lib/pkgconfig/python3.pc" "$out/lib/pkgconfig/python.pc"
    # Determinism: rebuild all bytecode
    # We exclude lib2to3 because that's Python 2 code which fails
    # We rebuild three times, once for each optimization level
    find $out -name "*.py" | $out/bin/python -m compileall -q -f -x "lib2to3" -i -
    find $out -name "*.py" | $out/bin/python -O -m compileall -q -f -x "lib2to3" -i -
    find $out -name "*.py" | $out/bin/python -OO -m compileall -q -f -x "lib2to3" -i -
  '';
  passthru = let
--- a/pkgs/development/interpreters/python/mk-python-derivation.nix
+++ b/pkgs/development/interpreters/python/mk-python-derivation.nix
@ -57,9 +57,12 @@ python.stdenv.mkDerivation (builtins.removeAttrs attrs ["disabled"] // {
  inherit pythonPath;
-  # patch python interpreter to write null timestamps when compiling python files
+
-  # this way python doesn't try to update them when we freeze timestamps in nix store
+  # Determinism: The interpreter is patched to write null timestamps when compiling python files.
  # This way python doesn't try to update them when we freeze timestamps in nix store.
  DETERMINISTIC_BUILD=1;
  # Determinism: We fix the hashes of str, bytes and datetime objects.
  PYTHONHASHSEED = 0;
  buildInputs = [ wrapPython ] ++ buildInputs ++ pythonPath
    ++ [ (ensureNewerSourcesHook { year = "1980"; }) ]
--- a/pkgs/development/libraries/libevent/default.nix
+++ b/pkgs/development/libraries/libevent/default.nix
@ -23,11 +23,21 @@ stdenv.mkDerivation {
                          | grep -v '^dh-autoreconf' | sed 's|^|debian/patches/|')"
    '';
-  outputs = [ "out" "dev" ];
+  # libevent_openssl is moved into its own output, so that openssl isn't present
  # in the default closure.
  outputs = [ "out" "dev" "openssl" ];
  outputBin = "dev";
  propagatedBuildOutputs = [ "out" "openssl" ];
  buildInputs = [ openssl ] ++ stdenv.lib.optional stdenv.isCygwin findutils;
  postInstall = ''
    moveToOutput "lib/libevent_openssl*" "$openssl"
    substituteInPlace "$dev/lib/pkgconfig/libevent_openssl.pc" \
      --replace "$out" "$openssl"
    sed "/^libdir=/s|$out|$openssl|" -i "$openssl"/lib/libevent_openssl.la
  '';
  meta = with stdenv.lib; {
    description = "Event notification library";
    longDescription = ''
--- a/pkgs/development/libraries/libuv/default.nix
+++ b/pkgs/development/libraries/libuv/default.nix
@ -17,7 +17,9 @@ stdenv.mkDerivation rec {
      "getnameinfo_basic" # probably network-dependent
      "spawn_setuid_fails" "spawn_setgid_fails" "fs_chown" # user namespaces
      "getaddrinfo_fail" "getaddrinfo_fail_sync"
-    ];
+    ]
      # sometimes: timeout (no output)
      ++ stdenv.lib.optional stdenv.isDarwin "process_title";
    tdRegexp = lib.concatStringsSep "\\|" toDisable;
    in lib.optionalString doCheck ''
      sed '/${tdRegexp}/d' -i test/test-list.h
--- a/pkgs/development/libraries/mesa/default.nix
+++ b/pkgs/development/libraries/mesa/default.nix
@ -27,7 +27,7 @@ if ! lists.elem stdenv.system platforms.mesaPlatforms then
 else
 let
-  version = "13.0.5";
+  version = "17.0.0";
  branch  = head (splitString "." version);
  driverLink = "/run/opengl-driver" + optionalString stdenv.isi686 "-32";
 in
@ -41,7 +41,7 @@ stdenv.mkDerivation {
      "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz"
      "https://launchpad.net/mesa/trunk/${version}/+download/mesa-${version}.tar.xz"
    ];
-    sha256 = "bfcea7e2c801525a60895c8aff11aa68457ee9aa35d01a4638e1f310a3f5ef87";
+    sha256 = "10c4cvm6hhdch0idh2kn7qv1dq6zlw97sc3pz7bssn81f1ckvnrr";
  };
  prePatch = "patchShebangs .";
@ -54,11 +54,6 @@ stdenv.mkDerivation {
    ./symlink-drivers.patch
  ];
  postPatch = ''
    substituteInPlace src/egl/main/egldriver.c \
      --replace _EGL_DRIVER_SEARCH_DIR '"${driverLink}"'
  '';
  outputs = [ "out" "dev" "drivers" "osmesa" ];
  # TODO: Figure out how to enable opencl without having a runtime dependency on clang
@ -69,7 +64,7 @@ stdenv.mkDerivation {
    "--with-dri-searchpath=${driverLink}/lib/dri"
    "--with-egl-platforms=x11,wayland,drm"
  ] ++ (if stdenv.isArm || stdenv.isAarch64 then [
-      "--with-gallium-drivers=nouveau,freedreno,vc4,swrast"
+      "--with-gallium-drivers=nouveau,freedreno,vc4,etnaviv,swrast"
      "--with-dri-drivers=nouveau,swrast"
  ] else [
      "--with-gallium-drivers=svga,i915,ilo,r300,r600,radeonsi,nouveau,swrast"
--- a/pkgs/development/libraries/qt-5/5.7/qttools/cmake-paths.patch
+++ b/pkgs/development/libraries/qt-5/5.7/qttools/cmake-paths.patch
@ -1,7 +1,6 @@
-Index: qttools-opensource-src-5.5.1/src/assistant/help/Qt5HelpConfigExtras.cmake.in
+diff -Naur qttools-opensource-src-5.7.1.orig/src/assistant/help/Qt5HelpConfigExtras.cmake.in qttools-opensource-src-5.7.1/src/assistant/help/Qt5HelpConfigExtras.cmake.in
-===================================================================
+--- qttools-opensource-src-5.7.1.orig/src/assistant/help/Qt5HelpConfigExtras.cmake.in	2016-11-03 09:31:16.000000000 +0100
--- qttools-opensource-src-5.5.1.orig/src/assistant/help/Qt5HelpConfigExtras.cmake.in
+++ qttools-opensource-src-5.7.1/src/assistant/help/Qt5HelpConfigExtras.cmake.in	2017-02-28 16:37:20.130457615 +0100
 +++ qttools-opensource-src-5.5.1/src/assistant/help/Qt5HelpConfigExtras.cmake.in
@@ -2,11 +2,10 @@
 if (NOT TARGET Qt5::qcollectiongenerator)
     add_executable(Qt5::qcollectiongenerator IMPORTED)
@ -18,11 +17,26 @@ Index: qttools-opensource-src-5.5.1/src/assistant/help/Qt5HelpConfigExtras.cmake
     _qt5_Help_check_file_exists(${imported_location})
     set_target_properties(Qt5::qcollectiongenerator PROPERTIES
-Index: qttools-opensource-src-5.5.1/src/linguist/Qt5LinguistToolsConfig.cmake.in
+@@ -17,11 +16,10 @@
-===================================================================
+ if (NOT TARGET Qt5::qhelpgenerator)
--- qttools-opensource-src-5.5.1.orig/src/linguist/Qt5LinguistToolsConfig.cmake.in
+     add_executable(Qt5::qhelpgenerator IMPORTED)
-+++ qttools-opensource-src-5.5.1/src/linguist/Qt5LinguistToolsConfig.cmake.in
+ 
-@@ -44,11 +44,10 @@ endmacro()
+-!!IF isEmpty(CMAKE_BIN_DIR_IS_ABSOLUTE)
 -    set(imported_location \"${_qt5Help_install_prefix}/$${CMAKE_BIN_DIR}qhelpgenerator$$CMAKE_BIN_SUFFIX\")
 -!!ELSE
 -    set(imported_location \"$${CMAKE_BIN_DIR}qhelpgenerator$$CMAKE_BIN_SUFFIX\")
 -!!ENDIF
 +    set(imported_location \"@NIX_OUT@/$${CMAKE_BIN_DIR}qhelpgenerator$$CMAKE_BIN_SUFFIX\")
 +    if(NOT EXISTS \"${imported_location}\")
 +        set(imported_location \"@NIX_DEV@/$${CMAKE_BIN_DIR}qhelpgenerator$$CMAKE_BIN_SUFFIX\")
 +    endif()
     _qt5_Help_check_file_exists(${imported_location})
     set_target_properties(Qt5::qhelpgenerator PROPERTIES
 diff -Naur qttools-opensource-src-5.7.1.orig/src/linguist/Qt5LinguistToolsConfig.cmake.in qttools-opensource-src-5.7.1/src/linguist/Qt5LinguistToolsConfig.cmake.in
 --- qttools-opensource-src-5.7.1.orig/src/linguist/Qt5LinguistToolsConfig.cmake.in	2016-11-03 09:31:16.000000000 +0100
 +++ qttools-opensource-src-5.7.1/src/linguist/Qt5LinguistToolsConfig.cmake.in	2017-02-28 16:35:40.470100681 +0100
@@ -44,11 +44,10 @@
 if (NOT TARGET Qt5::lrelease)
     add_executable(Qt5::lrelease IMPORTED)
@ -38,7 +52,7 @@ Index: qttools-opensource-src-5.5.1/src/linguist/Qt5LinguistToolsConfig.cmake.in
     _qt5_LinguistTools_check_file_exists(${imported_location})
     set_target_properties(Qt5::lrelease PROPERTIES
-@@ -59,11 +58,10 @@ endif()
+@@ -59,11 +58,10 @@
 if (NOT TARGET Qt5::lupdate)
     add_executable(Qt5::lupdate IMPORTED)
@ -54,7 +68,7 @@ Index: qttools-opensource-src-5.5.1/src/linguist/Qt5LinguistToolsConfig.cmake.in
     _qt5_LinguistTools_check_file_exists(${imported_location})
     set_target_properties(Qt5::lupdate PROPERTIES
-@@ -74,11 +72,10 @@ endif()
+@@ -74,11 +72,10 @@
 if (NOT TARGET Qt5::lconvert)
     add_executable(Qt5::lconvert IMPORTED)
--- a/pkgs/development/tools/misc/binutils/default.nix
+++ b/pkgs/development/tools/misc/binutils/default.nix
@ -81,8 +81,6 @@ stdenv.mkDerivation rec {
  enableParallelBuilding = true;
  postFixup = optionalString (cross == null) "ln -s $out/bin $dev/bin"; # tools needed for development
  meta = with stdenv.lib; {
    description = "Tools for manipulating binaries (linker, assembler, etc.)";
    longDescription = ''
--- a/pkgs/os-specific/linux/util-linux/default.nix
+++ b/pkgs/os-specific/linux/util-linux/default.nix
@ -6,11 +6,11 @@ stdenv.mkDerivation rec {
  version = lib.concatStringsSep "." ([ majorVersion ]
    ++ lib.optional (patchVersion != "") patchVersion);
  majorVersion = "2.29";
-  patchVersion = "";
+  patchVersion = "2";
  src = fetchurl {
    url = "mirror://kernel/linux/utils/util-linux/v${majorVersion}/${name}.tar.xz";
-    sha256 = "1rzrmdrz51p9sy7vlw5qmj8pmqazm7hgcch5yq242mkvrikyln9c";
+    sha256 = "1qz81w8vzrmy8xn9yx7ls4amkbgwx6vr62pl6kv9g7r0g3ba9kmc";
  };
  patches = [ ./rtcwake-search-PATH-for-shutdown.patch ];
--- a/pkgs/servers/x11/xorg/default.nix
+++ b/pkgs/servers/x11/xorg/default.nix
@ -669,11 +669,11 @@ let
  }) // {inherit windowswmproto libX11 libXext xextproto ;};
  libX11 = (mkDerivation "libX11" {
-    name = "libX11-1.6.4";
+    name = "libX11-1.6.5";
    builder = ./builder.sh;
    src = fetchurl {
-      url = mirror://xorg/individual/lib/libX11-1.6.4.tar.bz2;
+      url = mirror://xorg/individual/lib/libX11-1.6.5.tar.bz2;
-      sha256 = "0hg46i6h92pmb7xp1cis2j43zq3fkdz89p0yv35w4vm17az4iixp";
+      sha256 = "0pa3cfp6h9rl2vxmkph65250gfqyki0ccqyaan6bl9d25gdr0f2d";
    };
    buildInputs = [pkgconfig inputproto kbproto libxcb xextproto xf86bigfontproto xproto xtrans ];
    meta.platforms = stdenv.lib.platforms.unix;
--- a/pkgs/servers/x11/xorg/tarballs-7.7.list
+++ b/pkgs/servers/x11/xorg/tarballs-7.7.list
@ -59,7 +59,7 @@ mirror://xorg/individual/lib/libICE-1.0.9.tar.bz2
 mirror://xorg/individual/lib/libpciaccess-0.13.4.tar.bz2
 mirror://xorg/individual/lib/libSM-1.2.2.tar.bz2
 mirror://xorg/X11R7.7/src/everything/libWindowsWM-1.0.1.tar.bz2
-mirror://xorg/individual/lib/libX11-1.6.4.tar.bz2
+mirror://xorg/individual/lib/libX11-1.6.5.tar.bz2
 mirror://xorg/individual/lib/libXau-1.0.8.tar.bz2
 mirror://xorg/individual/lib/libXaw-1.0.13.tar.bz2
 mirror://xorg/individual/lib/libXcomposite-0.4.4.tar.bz2
--- a/pkgs/tools/graphics/ploticus/default.nix
+++ b/pkgs/tools/graphics/ploticus/default.nix
@ -15,6 +15,12 @@ stdenv.mkDerivation {
  patches = [ ./ploticus-install.patch ];
  # Make the symlink relative instead of absolute.
  # Otherwise it breaks when auto-moved to $out/share.
  preFixup = ''
    ln -sf pl.1 "$out"/man/man1/ploticus.1
  '';
  meta = with stdenv.lib; {
    description = "A non-interactive software package for producing plots and charts";
    longDescription = ''Ploticus is a free, GPL'd, non-interactive
--- a/pkgs/tools/misc/findutils/default.nix
+++ b/pkgs/tools/misc/findutils/default.nix
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
    sha256 = "178nn4dl7wbcw499czikirnkniwnx36argdnqgz4ik9i6zvwkm6y";
  };
-  patches = [ ./memory-leak.patch ];
+  patches = [ ./memory-leak.patch ./no-install-statedir.patch ];
  buildInputs = [ coreutils ]; # bin/updatedb script needs to call sort
@ -17,6 +17,8 @@ stdenv.mkDerivation rec {
  outputs = [ "out" "info" ];
  configureFlags = [ "--localstatedir=/var/cache" ];
  crossAttrs = {
    # Fix the 'buildInputs = [ coreutils ]' above - that adds the cross coreutils to PATH :(
    propagatedBuildInputs = [ ];
--- a/pkgs/tools/misc/findutils/no-install-statedir.patch
+++ b/pkgs/tools/misc/findutils/no-install-statedir.patch
@ -0,0 +1,11 @@
 --- a/locate/Makefile.in
 +++ b/locate/Makefile.in
@@ -2357,7 +2357,7 @@ updatedb: updatedb.sh Makefile
 	chmod +x $@
 install-data-hook:
 -	$(top_srcdir)/build-aux/mkinstalldirs $(DESTDIR)$(localstatedir)
 +	#$(top_srcdir)/build-aux/mkinstalldirs $(DESTDIR)$(localstatedir)
 dblocation.texi:
 	echo '@set LOCATE_DB $(LOCATE_DB)' > $@.tmp
--- a/pkgs/tools/networking/curl/default.nix
+++ b/pkgs/tools/networking/curl/default.nix
@ -21,11 +21,11 @@ assert scpSupport -> libssh2 != null;
 assert c-aresSupport -> c-ares != null;
 stdenv.mkDerivation rec {
-  name = "curl-7.53.0";
+  name = "curl-7.53.1";
  src = fetchurl {
    url = "http://curl.haxx.se/download/${name}.tar.bz2";
-    sha256 = "008833dd9w4l2277q9r0bsq1vqmm0fr7qqyzvqlw5d47xy5mld5j";
+    sha256 = "1s1hyndva0yp62xy96pcp4anzrvw6cl0abjajim17sbmdp00fwhw";
  };
  patches = [ ];
--- a/pkgs/tools/networking/unbound/default.nix
+++ b/pkgs/tools/networking/unbound/default.nix
@ -1,4 +1,4 @@
-{ stdenv, fetchurl, openssl, expat, libevent }:
+{ stdenv, fetchurl, openssl, nettle, expat, libevent }:
 stdenv.mkDerivation rec {
  name = "unbound-${version}";
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
  outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB
-  buildInputs = [ openssl expat libevent ];
+  buildInputs = [ openssl nettle expat libevent ];
  configureFlags = [
    "--with-ssl=${openssl.dev}"
@ -26,11 +26,21 @@ stdenv.mkDerivation rec {
  installFlags = [ "configfile=\${out}/etc/unbound/unbound.conf" ];
  preFixup = stdenv.lib.optionalString stdenv.isLinux
    # Build libunbound again, but only against nettle instead of openssl.
    # This avoids gnutls.out -> unbound.lib -> openssl.out.
    # There was some problem with this on Darwin; let's not complicate non-Linux.
    ''
      configureFlags="$configureFlags --with-nettle=${nettle.dev} --with-libunbound-only"
      configurePhase
      buildPhase
      installPhase
    ''
    # get rid of runtime dependencies on $dev outputs
-  postInstall = ''substituteInPlace "$lib/lib/libunbound.la" ''
+  + ''substituteInPlace "$lib/lib/libunbound.la" ''
    + stdenv.lib.concatMapStrings
      (pkg: " --replace '-L${pkg.dev}/lib' '-L${pkg.out}/lib' ")
-      [ openssl expat libevent ];
+      buildInputs;
  meta = with stdenv.lib; {
    description = "Validating, recursive, and caching DNS resolver";
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@ -20325,12 +20325,12 @@ in {
  };
  pygments = buildPythonPackage rec {
-    version = "2.1.3";
+    version = "2.2.0";
    name = "Pygments-${version}";
    src = pkgs.fetchurl {
      url = "mirror://pypi/P/Pygments/${name}.tar.gz";
-      sha256 = "10axnp2wpjnq9g8wg53fx0c70dfxqrz498jyz8mrdx9a3flwir48";
+      sha256 = "1k78qdvir1yb1c634nkv6rbga8wv4289xarghmsbbvzhvr311bnv";
    };
    propagatedBuildInputs = with self; [ docutils ];
@ -20807,11 +20807,11 @@ in {
  pyparsing = buildPythonPackage rec {
    name = "pyparsing-${version}";
-    version = "2.1.8";
+    version = "2.1.10";
    src = pkgs.fetchurl {
      url = "mirror://pypi/p/pyparsing/${name}.tar.gz";
-      sha256 = "0sy5fxhsvhf0fwk9h6nqlhn1lsjpdmg41jziw5z814rlkydqd903";
+      sha256 = "811c3e7b0031021137fc83e051795025fcb98674d07eb8fe922ba4de53d39188";
    };
    # Not everything necessary to run the tests is included in the distribution
@ -28976,7 +28976,8 @@ EOF
        --replace 'pyyaml==3.11' 'pyyaml' \
        --replace 'lxml==3.7.1' 'lxml' \
        --replace 'pyopenssl==16.2.0' 'pyopenssl' \
-        --replace 'requests[socks]==2.12.4' 'requests[socks]'
+        --replace 'requests[socks]==2.12.4' 'requests[socks]' \
        --replace 'pygments==2.1.3' 'pygments>=2.1,<3.0'
    '';
    propagatedBuildInputs = with self; [
@ -31899,10 +31900,10 @@ EOF
  };
  packaging = buildPythonPackage rec {
-    name = "packaging-16.7";
+    name = "packaging-16.8";
    src = pkgs.fetchurl {
      url = "mirror://pypi/p/packaging/${name}.tar.gz";
-      sha256 = "07h18mrpqs0lv2x4fl43pqi0xj6hdrmrnm6v9q634yliagg6q91f";
+      sha256 = "5d50835fdf0a7edf0b55e311b7c887786504efea1177abd7e69329a8e5ea619e";
    };
    propagatedBuildInputs = with self; [ pyparsing six ];
    buildInputs = with self; [ pytest pretend ];