From 954e9903adc837c201a7bd70eede50d874aadbf6 Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Wed, 23 Dec 2015 02:59:47 +0100 Subject: [PATCH 001/603] Use a hardened stdenv by default --- pkgs/applications/audio/cdparanoia/default.nix | 2 ++ pkgs/applications/audio/mpg321/default.nix | 2 ++ .../networking/browsers/w3m/default.nix | 2 ++ .../git-and-tools/git/default.nix | 2 ++ pkgs/applications/virtualization/xen/generic.nix | 2 ++ .../gnome-2/platform/libgnomecups/default.nix | 2 ++ .../gnome-2/platform/libgtkhtml/default.nix | 6 ++++-- pkgs/development/compilers/dev86/default.nix | 2 ++ pkgs/development/compilers/gcc/4.5/default.nix | 2 ++ pkgs/development/compilers/gcc/4.9/default.nix | 2 ++ pkgs/development/compilers/go/1.4.nix | 2 ++ pkgs/development/compilers/go/1.5.nix | 2 ++ .../haskell-modules/configuration-common.nix | 6 +++++- pkgs/development/libraries/CoinMP/default.nix | 2 ++ .../libraries/audio/libbs2b/default.nix | 2 ++ pkgs/development/libraries/fribidi/default.nix | 4 +++- pkgs/development/libraries/gd/default.nix | 6 ++++-- pkgs/development/libraries/gettext/default.nix | 2 ++ pkgs/development/libraries/giflib/libungif.nix | 2 ++ pkgs/development/libraries/glibc/common.nix | 4 ++++ pkgs/development/libraries/glibc/default.nix | 2 ++ pkgs/development/libraries/gnu-efi/default.nix | 2 ++ .../development/libraries/libgphoto2/default.nix | 2 ++ pkgs/development/libraries/libvisual/default.nix | 2 ++ pkgs/development/libraries/pupnp/default.nix | 2 ++ pkgs/development/libraries/speechd/default.nix | 2 ++ pkgs/development/tools/misc/elfutils/default.nix | 2 ++ pkgs/os-specific/linux/acpi-call/default.nix | 4 +++- pkgs/os-specific/linux/busybox/default.nix | 2 ++ pkgs/os-specific/linux/gogoclient/default.nix | 2 ++ pkgs/os-specific/linux/jool/default.nix | 2 ++ pkgs/os-specific/linux/kernel/manual-config.nix | 6 ++++++ pkgs/os-specific/linux/kexectools/default.nix | 2 ++ pkgs/os-specific/linux/numad/default.nix | 2 ++ pkgs/servers/gpm/default.nix | 2 ++ pkgs/shells/dash/default.nix | 2 ++ pkgs/stdenv/adapters.nix | 16 
++++++++++++++++ pkgs/tools/admin/tightvnc/default.nix | 2 ++ pkgs/tools/archivers/sharutils/default.nix | 2 ++ pkgs/tools/archivers/unzip/default.nix | 2 ++ pkgs/tools/archivers/zip/default.nix | 2 ++ pkgs/tools/cd-dvd/cdrkit/default.nix | 2 ++ pkgs/tools/graphics/graphviz/default.nix | 2 ++ pkgs/tools/graphics/transfig/default.nix | 2 ++ pkgs/tools/misc/expect/default.nix | 2 ++ pkgs/tools/misc/grub/2.0x.nix | 2 ++ pkgs/tools/misc/gummiboot/default.nix | 2 ++ pkgs/tools/networking/iperf/2.nix | 2 ++ pkgs/tools/networking/vde2/default.nix | 2 ++ pkgs/tools/typesetting/tex/texlive-new/bin.nix | 2 ++ pkgs/top-level/all-packages.nix | 4 ++-- 51 files changed, 131 insertions(+), 9 deletions(-)
diff --git a/pkgs/applications/audio/cdparanoia/default.nix b/pkgs/applications/audio/cdparanoia/default.nix
index 1658d9c7449..c19b261016d 100644
--- a/pkgs/applications/audio/cdparanoia/default.nix
+++ b/pkgs/applications/audio/cdparanoia/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
 sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80";
 };
+ noHardening_format = true;
+
 preConfigure = "unset CC";
 patches = stdenv.lib.optionals stdenv.isDarwin [
diff --git a/pkgs/applications/audio/mpg321/default.nix b/pkgs/applications/audio/mpg321/default.nix
index 489831dc464..e833784ee76 100644
--- a/pkgs/applications/audio/mpg321/default.nix
+++ b/pkgs/applications/audio/mpg321/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
 sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
 };
+ noHardening_format = true;
+
 configureFlags = [
 ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no"))
 ];
diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix
index 076b3faf11f..d849b10daee 100644
--- a/pkgs/applications/networking/browsers/w3m/default.nix
+++ b/pkgs/applications/networking/browsers/w3m/default.nix
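Review bot: The `noHardening_format = true;` added after the `src` block in the cdparanoia hunk carries no explanation of what fails, so nobody can tell later whether the package has been fixed upstream and the line can be dropped. A one-line comment such as `# build fails with -Werror=format-security (non-literal format strings)`, adjusted to the actual error, makes the opt-out auditable; the same applies to the mpg321 hunk on this line and to every other `noHardening_format` hunk in this patch. As `useHardenFlags` in pkgs/stdenv/adapters.nix is written, this knob also drops `-Wformat -Wformat-security`, so the diagnostic is lost entirely rather than just demoted from an error; a package that merely cannot tolerate `-Werror` would be better served by a knob that removes only `-Werror=format-security`.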
@@ -50,6 +50,8 @@ stdenv.mkDerivation rec {
 ln -s $out/libexec/w3m/w3mimgdisplay $out/bin
 '';
+ noHardening_format = true;
+
 configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}"
 + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb";
diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix
index 49ecce0456b..a5df0dbe08e 100644
--- a/pkgs/applications/version-management/git-and-tools/git/default.nix
+++ b/pkgs/applications/version-management/git-and-tools/git/default.nix
@@ -21,6 +21,8 @@ stdenv.mkDerivation {
 sha256 = "03bvb8s5j8i54qbi3yayl42bv0wf2fpgnh1a2lkhbj79zi7b77zs";
 };
+ noHardening_format = true;
+
 patches = [
 ./docbook2texi.patch
 ./symlinks-in-bin.patch
diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix
index 6774675266c..c742ffb5002 100644
--- a/pkgs/applications/virtualization/xen/generic.nix
+++ b/pkgs/applications/virtualization/xen/generic.nix
@@ -75,6 +75,8 @@ stdenv.mkDerivation {
 pythonPath = [ pythonPackages.curses ];
+ noHardening_all = true;
+
 patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches;
 postPatch = ''
diff --git a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
index 2aa47d799c9..ec7b9ff8a8b 100644
--- a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
 sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71";
 };
+ noHardening_format = true;
+
 patches = [ ./glib.patch ./cups_1.6.patch ];
 buildInputs = [ pkgconfig gtk gettext intltool libart_lgpl ];
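Review bot: `noHardening_all = true;` in the xen hunk switches off every hardening flag for a hypervisor toolstack without saying which flag actually breaks the build, which is the widest opt-out the adapter offers applied to the package where the flags matter most. If a single flag is the problem (not visible here), the narrower `noHardening_<flag>` knob plus a comment naming the failure keeps the rest; at minimum add `# TODO: narrow down which hardening flag breaks the build` so the blanket opt-out gets revisited. The same uncommented blanket opt-out appears in this patch for gcc 4.5, go 1.4 and 1.5, glibc, gnu-efi, pupnp, graphviz, grub and gummiboot. The enclosing `mkDerivation` call starts and ends outside this hunk.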
diff --git a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix index 6aab400c60a..5044dbabd2f 100644 --- a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix +++ b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix @@ -2,12 +2,14 @@ stdenv.mkDerivation { name = "libgtkhtml-2.11.1"; - + src = fetchurl { url = mirror://gnome/sources/libgtkhtml/2.11/libgtkhtml-2.11.1.tar.bz2; sha256 = "0msajafd42545dxzyr5zqka990cjrxw2yz09ajv4zs8m1w6pm9rw"; }; - + buildInputs = [ pkgconfig gtk gettext ]; propagatedBuildInputs = [ libxml2 ]; + + noHardening_format = true; } diff --git a/pkgs/development/compilers/dev86/default.nix b/pkgs/development/compilers/dev86/default.nix index f37dae80830..b8083c9ed6b 100644 --- a/pkgs/development/compilers/dev86/default.nix +++ b/pkgs/development/compilers/dev86/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation { sha256 = "33398b87ca85e2b69e4062cf59f2f7354af46da5edcba036c6f97bae17b8d00e"; }; + noHardening_format = true; + makeFlags = "PREFIX=$(out)"; # Awful hackery to get dev86 to compile with recent gcc/binutils. diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix index 6cde7aba92a..4f1b017302a 100644 --- a/pkgs/development/compilers/gcc/4.5/default.nix +++ b/pkgs/development/compilers/gcc/4.5/default.nix @@ -134,6 +134,8 @@ stdenv.mkDerivation ({ inherit langC langCC langFortran langJava langAda; }; + noHardening_all = true; + patches = [ ] ++ optional (cross != null) ../libstdc++-target.patch diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix index add9b30fb62..c7d63099be1 100644 --- a/pkgs/development/compilers/gcc/4.9/default.nix +++ b/pkgs/development/compilers/gcc/4.9/default.nix @@ -218,6 +218,8 @@ stdenv.mkDerivation ({ inherit patches; + noHardening_format = true; + postPatch = if (stdenv.isGNU || (libcCross != null # e.g., building `gcc.crossDrv' 
diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix
index d2500169744..fdfc9d45646 100644
--- a/pkgs/development/compilers/go/1.4.nix
+++ b/pkgs/development/compilers/go/1.4.nix
@@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
 buildInputs = [ pcre ];
 propagatedBuildInputs = lib.optional stdenv.isDarwin Security;
+ noHardening_all = true;
+
 # I'm not sure what go wants from its 'src', but the go installation manual
 # describes an installation keeping the src.
 preUnpack = ''
diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix
index 54c8cf219d5..26ffabced6a 100644
--- a/pkgs/development/compilers/go/1.5.nix
+++ b/pkgs/development/compilers/go/1.5.nix
@@ -29,6 +29,8 @@ stdenv.mkDerivation rec {
 Security Foundation ];
+ noHardening_all = true;
+
 # I'm not sure what go wants from its 'src', but the go installation manual
 # describes an installation keeping the src.
 preUnpack = ''
diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix
index 1f746802c7b..1982ca21802 100644
--- a/pkgs/development/haskell-modules/configuration-common.nix
+++ b/pkgs/development/haskell-modules/configuration-common.nix
@@ -44,7 +44,11 @@ self: super: {
 options_1_2 = dontCheck super.options_1_2;
 options = dontCheck super.options;
 statistics = dontCheck super.statistics;
- c2hs = if pkgs.stdenv.isDarwin then dontCheck super.c2hs else super.c2hs;
+ c2hs = let c2hs_ = pkgs.stdenv.lib.overrideDerivation super.c2hs (drv: {
+ noHardening_format = true;
+ doCheck = false;
+ });
+ in if pkgs.stdenv.isDarwin then dontCheck c2hs_ else c2hs_;
 # The package doesn't compile with ruby 1.9, which is our default at the moment.
 hruby = super.hruby.override { ruby = pkgs.ruby_2_1; };
diff --git a/pkgs/development/libraries/CoinMP/default.nix b/pkgs/development/libraries/CoinMP/default.nix
index e819078f786..bdd380fd4b8 100644
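Review bot: The `pkgs.stdenv.lib.overrideDerivation super.c2hs (drv: { noHardening_format = true; ... })` in the configuration-common.nix hunk most likely has no effect on the hardening flags: `overrideDerivation` re-runs the low-level `derivation` call on the already-evaluated attribute set, after `stdenv.mkDerivation` has computed `NIX_CFLAGS_COMPILE` from its `args`, so `useHardenFlags` never sees the new attribute (verify against lib/customisation.nix, which is outside this patch). The same override sets `doCheck = false` and the result is then still wrapped in `dontCheck` on Darwin, which is redundant. If the knob is meant to reach `mkDerivation`, it has to go through the mechanism `dontCheck` itself uses in this file (a Cabal-level override whose attributes end up in the `mkDerivation` arguments) rather than `overrideDerivation`.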
--- a/pkgs/development/libraries/CoinMP/default.nix +++ b/pkgs/development/libraries/CoinMP/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "0gqi2vqkg35gazzzv8asnhihchnbjcd6bzjfzqhmj7wy1dw9iiw6"; }; + noHardening_format = true; + meta = with stdenv.lib; { homepage = https://projects.coin-or.org/CoinMP/; description = "COIN-OR lightweight API for COIN-OR libraries CLP, CBC, and CGL"; diff --git a/pkgs/development/libraries/audio/libbs2b/default.nix b/pkgs/development/libraries/audio/libbs2b/default.nix index e43a5acb6bd..e9a13b6ff87 100644 --- a/pkgs/development/libraries/audio/libbs2b/default.nix +++ b/pkgs/development/libraries/audio/libbs2b/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libsndfile ]; + noHardening_format = true; + meta = { homepage = "http://bs2b.sourceforge.net/"; description = "Bauer stereophonic-to-binaural DSP library"; diff --git a/pkgs/development/libraries/fribidi/default.nix b/pkgs/development/libraries/fribidi/default.nix index 23795e9633e..5d0e451c54c 100644 --- a/pkgs/development/libraries/fribidi/default.nix +++ b/pkgs/development/libraries/fribidi/default.nix @@ -3,12 +3,14 @@ stdenv.mkDerivation rec { name = "fribidi-${version}"; version = "0.19.6"; - + src = fetchurl { url = "http://fribidi.org/download/${name}.tar.bz2"; sha256 = "0zg1hpaml34ny74fif97j7ngrshlkl3wk3nja3gmlzl17i1bga6b"; }; + noHardening_format = true; + meta = with stdenv.lib; { homepage = http://fribidi.org/; description = "GNU implementation of the Unicode Bidirectional Algorithm (bidi)"; diff --git a/pkgs/development/libraries/gd/default.nix b/pkgs/development/libraries/gd/default.nix index 7c3c53626b5..5ca1de273b4 100644 --- a/pkgs/development/libraries/gd/default.nix +++ b/pkgs/development/libraries/gd/default.nix 
@@ -2,16 +2,18 @@ stdenv.mkDerivation {
 name = "gd-2.0.35";
-
+
 src = fetchurl {
 url = http://www.libgd.org/releases/gd-2.0.35.tar.bz2;
 sha256 = "1y80lcmb8qbzf0a28841zxhq9ndfapmh2fsrqfd9lalxfj8288mz";
 };
-
+
 buildInputs = [zlib libpng freetype];
 propagatedBuildInputs = [libjpeg fontconfig]; # urgh
+ noHardening_format = true;
+
 configureFlags = "--without-x";
 meta = {
diff --git a/pkgs/development/libraries/gettext/default.nix b/pkgs/development/libraries/gettext/default.nix
index 3d7cfc0ca31..cbdb448723a 100644
--- a/pkgs/development/libraries/gettext/default.nix
+++ b/pkgs/development/libraries/gettext/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation (rec {
 outputs = [ "out" "doc" ];
+ noHardening_format = true;
+
 LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else "";
 configureFlags = [ "--disable-csharp" "--with-xz" ]
diff --git a/pkgs/development/libraries/giflib/libungif.nix b/pkgs/development/libraries/giflib/libungif.nix
index f3302f8f333..45384b825c1 100644
--- a/pkgs/development/libraries/giflib/libungif.nix
+++ b/pkgs/development/libraries/giflib/libungif.nix
@@ -6,5 +6,7 @@ stdenv.mkDerivation {
 url = mirror://sourceforge/giflib/libungif-4.1.4.tar.gz;
 md5 = "efdfcf8e32e35740288a8c5625a70ccb";
 };
+
+ noHardening_format = true;
 }
diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix
index 26d2f2454b4..6e9aa497f77 100644
--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@@ -213,6 +213,10 @@ stdenv.mkDerivation ({
 preBuild = "unset NIX_DONT_SET_RPATH";
 }
+// stdenv.lib.optionalAttrs (name == "glibc-locales") {
+ noHardening_stackprotector = true;
+}
+
 // stdenv.lib.optionalAttrs (hurdHeaders != null) {
 # Work around the fact that the configure snippet that looks for
 # does not honor `--with-headers=$sysheaders' and that
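Review bot: The new `// stdenv.lib.optionalAttrs (name == "glibc-locales") { noHardening_stackprotector = true; }` block in the glibc/common.nix hunk gives no reason why only the locales build must drop the stack protector, and selecting it by the exact `name` string is fragile if the derivation name is ever changed. Add a comment stating the actual failure, e.g. `# -fstack-protector-all breaks the glibc-locales build (see <build log>)` with the real cause filled in, and consider keying on an explicit boolean argument instead of the name. This also deserves a cross-check against glibc/default.nix, which in this same patch sets `noHardening_all = true` for glibc proper, so that the two files express one consistent policy. The enclosing `mkDerivation ({ ... } // ...)` expression starts and ends outside this hunk.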
diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix index 08eaf555e02..a2ecedbe7e9 100644 --- a/pkgs/development/libraries/glibc/default.nix +++ b/pkgs/development/libraries/glibc/default.nix @@ -25,6 +25,8 @@ in builder = ./builder.sh; + noHardening_all = true; + # When building glibc from bootstrap-tools, we need libgcc_s at RPATH for # any program we run, because the gcc will have been placed at a new # store path than that determined when built (as a source for the diff --git a/pkgs/development/libraries/gnu-efi/default.nix b/pkgs/development/libraries/gnu-efi/default.nix index e674aae2b58..e6209ad93f6 100644 --- a/pkgs/development/libraries/gnu-efi/default.nix +++ b/pkgs/development/libraries/gnu-efi/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "1jxlypkgb8bd1c114x96i699ib0glb5aca9dv56j377x2ldg4c65"; }; + noHardening_all = true; + buildInputs = [ pciutils ]; makeFlags = [ diff --git a/pkgs/development/libraries/libgphoto2/default.nix b/pkgs/development/libraries/libgphoto2/default.nix index e25cdb61d86..3df793df73f 100644 --- a/pkgs/development/libraries/libgphoto2/default.nix +++ b/pkgs/development/libraries/libgphoto2/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { # These are mentioned in the Requires line of libgphoto's pkg-config file. propagatedBuildInputs = [ libexif ]; + noHardening_format = true; + meta = { homepage = http://www.gphoto.org/proj/libgphoto2/; description = "A library for accessing digital cameras"; diff --git a/pkgs/development/libraries/libvisual/default.nix b/pkgs/development/libraries/libvisual/default.nix index dc2f0338b48..a2c9c52937e 100644 --- a/pkgs/development/libraries/libvisual/default.nix +++ b/pkgs/development/libraries/libvisual/default.nix 
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig glib ]; + noHardening_format = true; + meta = { description = "An abstraction library for audio visualisations"; homepage = "http://sourceforge.net/projects/libvisual/"; diff --git a/pkgs/development/libraries/pupnp/default.nix b/pkgs/development/libraries/pupnp/default.nix index c5e26c1dfad..267b434da52 100644 --- a/pkgs/development/libraries/pupnp/default.nix +++ b/pkgs/development/libraries/pupnp/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0amjv4lypvclmi4vim2qdyw5xa6v4x50zjgf682vahqjc0wjn55k"; }; + noHardening_all = true; + meta = { description = "libupnp, an open source UPnP development kit for Linux"; diff --git a/pkgs/development/libraries/speechd/default.nix b/pkgs/development/libraries/speechd/default.nix index 5104532ea91..cbd731aef68 100644 --- a/pkgs/development/libraries/speechd/default.nix +++ b/pkgs/development/libraries/speechd/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ dotconf glib pkgconfig ]; + noHardening_format = true; + meta = { description = "Common interface to speech synthesis"; diff --git a/pkgs/development/tools/misc/elfutils/default.nix b/pkgs/development/tools/misc/elfutils/default.nix index 0a62859d207..a412d7e537c 100644 --- a/pkgs/development/tools/misc/elfutils/default.nix +++ b/pkgs/development/tools/misc/elfutils/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { patches = [ ./glibc-2.21.patch ]; + noHardening_format = true; + # We need bzip2 in NativeInputs because otherwise we can't unpack the src, # as the host-bzip2 will be in the path. nativeBuildInputs = [ m4 bison flex gettext bzip2 ]; diff --git a/pkgs/os-specific/linux/acpi-call/default.nix b/pkgs/os-specific/linux/acpi-call/default.nix index 289b54f1b54..1187bf10d14 100644 --- a/pkgs/os-specific/linux/acpi-call/default.nix +++ b/pkgs/os-specific/linux/acpi-call/default.nix 
@@ -8,7 +8,9 @@ stdenv.mkDerivation { rev = "ac67445bc75ec4fcf46ceb195fb84d74ad350d51"; sha256 = "0jl19irz9x9pxab2qp4z8c3jijv2m30zhmnzi6ygbrisqqlg4c75"; }; - + + noHardening_pic = true; + preBuild = '' sed -e 's/break/true/' -i examples/turn_off_gpu.sh sed -e 's@/bin/bash@.bin/sh@' -i examples/turn_off_gpu.sh diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix index fa6591701a6..86551f4eecb 100644 --- a/pkgs/os-specific/linux/busybox/default.nix +++ b/pkgs/os-specific/linux/busybox/default.nix @@ -33,6 +33,8 @@ stdenv.mkDerivation rec { sha256 = "16ii9sqracvh2r1gfzhmlypl269nnbkpvrwa7270k35d3bigk9h5"; }; + noHardening_format = true; + patches = [ ./busybox-in-store.patch ]; configurePhase = '' diff --git a/pkgs/os-specific/linux/gogoclient/default.nix b/pkgs/os-specific/linux/gogoclient/default.nix index a627a8cbcc9..38762a5f1fe 100644 --- a/pkgs/os-specific/linux/gogoclient/default.nix +++ b/pkgs/os-specific/linux/gogoclient/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation rec { makeFlags = ["target=linux"]; installFlags = ["installdir=$(out)"]; + noHardening_format = true; + buildInputs = [openssl]; preFixup = '' diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix index fdb2f041a65..f5e76c0df50 100644 --- a/pkgs/os-specific/linux/jool/default.nix +++ b/pkgs/os-specific/linux/jool/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation { src = sourceAttrs.src; + noHardening_pic = true; + prePatch = '' sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i mod/*/Makefile ''; diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix index 4a826ff7ae3..8c537d67551 100644 --- a/pkgs/os-specific/linux/kernel/manual-config.nix +++ b/pkgs/os-specific/linux/kernel/manual-config.nix 
@@ -224,10 +224,16 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe
 nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null) (ubootChooser stdenv.platform.uboot);
+ noHardening_format = true;
+ noHardening_fortify = true;
+ noHardening_stackprotector = true;
+
 makeFlags = commonMakeFlags ++ [ "ARCH=${stdenv.platform.kernelArch}" ];
+ noHardening_pic = true;
+
 karch = stdenv.platform.kernelArch;
 crossAttrs = let cp = stdenv.cross.platform; in
diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix
index 2199524154d..5255b331bb1 100644
--- a/pkgs/os-specific/linux/kexectools/default.nix
+++ b/pkgs/os-specific/linux/kexectools/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 sha256 = "1qrfka9xvy77k0rg3k0cf7xai0f9vpgsbs4l3bs8r4nvzy37j2di";
 };
+ noHardening_format = true;
+
 buildInputs = [ zlib ];
 meta = with stdenv.lib; {
diff --git a/pkgs/os-specific/linux/numad/default.nix b/pkgs/os-specific/linux/numad/default.nix
index 2e88e2c794e..fa7e5110de9 100644
--- a/pkgs/os-specific/linux/numad/default.nix
+++ b/pkgs/os-specific/linux/numad/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
 sha256 = "08zd1yc3w00yv4mvvz5sq1gf91f6p2s9ljcd72m33xgnkglj60v4";
 };
+ noHardening_format = true;
+
 patches = [ ./numad-linker-flags.patch ];
diff --git a/pkgs/servers/gpm/default.nix b/pkgs/servers/gpm/default.nix
index a9fac485f90..c496ff3fdbb 100644
--- a/pkgs/servers/gpm/default.nix
+++ b/pkgs/servers/gpm/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
 nativeBuildInputs = [ automake autoconf libtool flex bison texinfo ];
 buildInputs = [ ncurses ];
+ noHardening_format = true;
+
 preConfigure = ''
 ./autogen.sh
 '';
diff --git a/pkgs/shells/dash/default.nix b/pkgs/shells/dash/default.nix
index d3104439e57..ab49613a39c 100644
--- a/pkgs/shells/dash/default.nix
+++ b/pkgs/shells/dash/default.nix
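Review bot: `noHardening_pic = true;` in the kernel manual-config.nix hunk is added after `makeFlags`, apart from the three other opt-outs placed before it, so a reader sees two unrelated-looking hardening blocks in one derivation. Group all four together and explain them once, e.g. `# the kernel manages its own CFLAGS; fortify, stack-protector, PIC and format checks from the stdenv wrapper break the build`, adjusted to what actually fails. With this selection the kernel still receives `-fno-strict-overflow` and `-z relro` from `useHardenFlags` in pkgs/stdenv/adapters.nix; if those are known to be harmless for a kernel build, say so in the comment, otherwise `noHardening_all` would be the honest choice. The enclosing `mkDerivation` call starts and ends outside this hunk.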
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
 sha256 = "03y6z8akj72swa6f42h2dhq3p09xasbi6xia70h2vc27fwikmny6";
 };
+ noHardening_format = true;
+
 meta = {
 homepage = http://gondor.apana.org.au/~herbert/dash/;
 description = "A POSIX-compliant implementation of /bin/sh that aims to be as small as possible";
diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix
index 836dedf1cb1..58e1c157b93 100644
--- a/pkgs/stdenv/adapters.nix
+++ b/pkgs/stdenv/adapters.nix
@@ -236,6 +236,22 @@ rec {
 });
 };
+ useHardenFlags = stdenv: stdenv //
+ { mkDerivation = args: stdenv.mkDerivation (args // {
+ NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "")
+ + stdenv.lib.optionalString (!(args.noHardening_all or false)) (
+ stdenv.lib.optionalString (!(args.noHardening_fortify or false)) " -O2 -D_FORTIFY_SOURCE=2"
+ + stdenv.lib.optionalString (!(args.noHardening_stackprotector or false)) " -fstack-protector-all"
+ + stdenv.lib.optionalString ((args.noHardening_pie or false) && true) " -fPIE -pie"
+ + stdenv.lib.optionalString (!(args.noHardening_pic or false)) " -fPIC"
+ + stdenv.lib.optionalString (!(args.noHardening_relro or false)) " -z relro"
+ + stdenv.lib.optionalString ((args.noHardening_bindnow or false) && true) " -z now"
+ + stdenv.lib.optionalString (!(args.noHardening_strictoverflow or false)) " -fno-strict-overflow"
+ + stdenv.lib.optionalString (!(args.noHardening_format or false)) " -Wformat -Wformat-security -Werror=format-security"
+ );
+ });
+ };
+
 dropCxx = drv: drv.override {
 stdenv = if pkgs.stdenv.isDarwin then pkgs.allStdenvs.stdenvDarwinNaked
diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix
index 22b8a607fd3..1e562ee3ecf 100644
--- a/pkgs/tools/admin/tightvnc/default.nix
+++ b/pkgs/tools/admin/tightvnc/default.nix
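Review bot: In `useHardenFlags` the `noHardening_pie` and `noHardening_bindnow` lines have the opposite sense from every other knob: `(args.noHardening_pie or false) && true` appends `-fPIE -pie` only when a package sets `noHardening_pie = true`, so the package that "opts out" is the only one that gets PIE, and the `&& true` is a no-op. If PIE and bind-now are deliberately opt-in for now (plausible, since `-pie` in the compile flags breaks linking shared objects and `-z now` changes dlopen-time symbol resolution), name the knobs for what they do, e.g. `stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie"` and likewise `hardening_bindnow`; otherwise write them as `!(args.noHardening_pie or false)` like the rest. `-z relro` and `-z now` are linker options placed in `NIX_CFLAGS_COMPILE`; the gcc driver forwards `-z` to ld only when it links, so they do nothing in compile-only invocations, and `NIX_LDFLAGS` looks like the natural home (check how the cc-wrapper in this tree applies the two variables). `-fstack-protector-all` instruments every function; `-fstack-protector-strong`, available in the gcc 4.9 this patch also touches, is the usual default-hardening choice and considerably cheaper. Every `noHardening_*` attribute also stays in `args` and is therefore exported into the build environment; a `removeAttrs` on those names before calling `stdenv.mkDerivation` would keep them out of the derivation.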
@@ -13,6 +13,8 @@ stdenv.mkDerivation { inherit xauth fontDirectories perl; gcc = stdenv.cc.cc; + noHardening_format = true; + buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw libXpm libXp xauth openssh ]; diff --git a/pkgs/tools/archivers/sharutils/default.nix b/pkgs/tools/archivers/sharutils/default.nix index e806a962eab..5d60c449173 100644 --- a/pkgs/tools/archivers/sharutils/default.nix +++ b/pkgs/tools/archivers/sharutils/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g"; }; + noHardening_format = true; + preConfigure = '' # Fix for building on Glibc 2.16. Won't be needed once the # gnulib in sharutils is updated. diff --git a/pkgs/tools/archivers/unzip/default.nix b/pkgs/tools/archivers/unzip/default.nix index b5d03bc18b2..dcc51320bbd 100644 --- a/pkgs/tools/archivers/unzip/default.nix +++ b/pkgs/tools/archivers/unzip/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation { sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83"; }; + noHardening_format = true; + patches = [ ./CVE-2014-8139.diff ./CVE-2014-8140.diff diff --git a/pkgs/tools/archivers/zip/default.nix b/pkgs/tools/archivers/zip/default.nix index 431ed354d21..f9349937b8f 100644 --- a/pkgs/tools/archivers/zip/default.nix +++ b/pkgs/tools/archivers/zip/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation { sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h"; }; + noHardening_format = true; + makefile = "unix/Makefile"; buildFlags = if stdenv.isCygwin then "cygwin" else "generic"; installFlags = "prefix=$(out) INSTALL=cp"; diff --git a/pkgs/tools/cd-dvd/cdrkit/default.nix b/pkgs/tools/cd-dvd/cdrkit/default.nix index bcf9ec2c0cc..5fcccbee02c 100644 --- a/pkgs/tools/cd-dvd/cdrkit/default.nix +++ b/pkgs/tools/cd-dvd/cdrkit/default.nix 
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [cmake libcap zlib bzip2]; + noHardening_format = true; + # efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244 patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ]; diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix index 5635e3a69ff..090af09fca0 100644 --- a/pkgs/tools/graphics/graphviz/default.nix +++ b/pkgs/tools/graphics/graphviz/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1"; }; + noHardening_all = true; + patches = [ ./0001-vimdot-lookup-vim-in-PATH.patch diff --git a/pkgs/tools/graphics/transfig/default.nix b/pkgs/tools/graphics/transfig/default.nix index f540029cbc7..bcbbe71b897 100644 --- a/pkgs/tools/graphics/transfig/default.nix +++ b/pkgs/tools/graphics/transfig/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [zlib libjpeg libpng imake]; inherit libpng; + noHardening_format = true; + patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch]; prefixPatch1 = diff --git a/pkgs/tools/misc/expect/default.nix b/pkgs/tools/misc/expect/default.nix index a50717d5399..4efa9461232 100644 --- a/pkgs/tools/misc/expect/default.nix +++ b/pkgs/tools/misc/expect/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; nativeBuildInputs = [ makeWrapper ]; + noHardening_format = true; + patchPhase = '' sed -i "s,/bin/stty,$(type -p stty),g" configure ''; diff --git a/pkgs/tools/misc/grub/2.0x.nix b/pkgs/tools/misc/grub/2.0x.nix index 8e52adc7699..abe690ca0e4 100644 --- a/pkgs/tools/misc/grub/2.0x.nix +++ b/pkgs/tools/misc/grub/2.0x.nix @@ -52,6 +52,8 @@ stdenv.mkDerivation rec { ++ optional doCheck qemu ++ optional zfsSupport zfs; + noHardening_all = true; + preConfigure = '' for i in "tests/util/"*.in do 
diff --git a/pkgs/tools/misc/gummiboot/default.nix b/pkgs/tools/misc/gummiboot/default.nix index 9d9b7700c90..e831bbdab6f 100644 --- a/pkgs/tools/misc/gummiboot/default.nix +++ b/pkgs/tools/misc/gummiboot/default.nix @@ -5,6 +5,8 @@ stdenv.mkDerivation rec { buildInputs = [ gnu-efi pkgconfig libxslt utillinux ]; + noHardening_all = true; + # Sigh, gummiboot should be able to find this in buildInputs configureFlags = [ "--with-efi-includedir=${gnu-efi}/include" diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix index 33d8ee2fd63..6d9fe64f169 100644 --- a/pkgs/tools/networking/iperf/2.nix +++ b/pkgs/tools/networking/iperf/2.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3"; }; + noHardening_format = true; + meta = with stdenv.lib; { homepage = "http://sourceforge.net/projects/iperf/"; description = "Tool to measure IP bandwidth using UDP or TCP"; diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix index 72a31262e26..4aecc41aa3d 100644 --- a/pkgs/tools/networking/vde2/default.nix +++ b/pkgs/tools/networking/vde2/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ openssl libpcap python ]; + noHardening_format = true; + meta = { homepage = http://vde.sourceforge.net/; description = "Virtual Distributed Ethernet, an Ethernet compliant virtual network"; diff --git a/pkgs/tools/typesetting/tex/texlive-new/bin.nix b/pkgs/tools/typesetting/tex/texlive-new/bin.nix index 431f3926a13..37c19319ef7 100644 --- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix +++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix @@ -64,6 +64,8 @@ core = stdenv.mkDerivation rec { perl ]; + noHardening_format = true; + preConfigure = '' rm -r libs/{cairo,freetype2,gd,gmp,graphite2,harfbuzz,icu,libpaper,libpng} \ libs/{mpfr,pixman,poppler,potrace,xpdf,zlib,zziplib} 
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index c8dc32920e2..0e658228f2f 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -214,12 +214,12 @@ let
 allPackages = args: import ./all-packages.nix ({ inherit config system; } // args);
 };
- defaultStdenv = allStdenvs.stdenv // { inherit platform; };
+ defaultStdenv = stdenvAdapters.useHardenFlags (allStdenvs.stdenv // { inherit platform; });
 stdenvCross = lowPrio (makeStdenvCross defaultStdenv crossSystem binutilsCross gccCrossStageFinal);
 stdenv =
- if bootStdenv != null then (bootStdenv // {inherit platform;}) else
+ if bootStdenv != null then (stdenvAdapters.useHardenFlags bootStdenv // {inherit platform;}) else
 if crossSystem != null then stdenvCross else
From f6d3b7a2ae01ccd9934a6437915acd3eade2a184 Mon Sep 17 00:00:00 2001
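Review bot: The two call sites apply the adapter in different orders: `defaultStdenv` wraps `allStdenvs.stdenv // { inherit platform; }` as a whole, while the `bootStdenv` branch parses as `(stdenvAdapters.useHardenFlags bootStdenv) // {inherit platform;}` because function application binds tighter than `//`. The result is the same today, since `useHardenFlags` only replaces `mkDerivation`, but `(stdenvAdapters.useHardenFlags (bootStdenv // {inherit platform;}))` would make the two lines read identically and survive a later adapter that does look at `platform`. `stdenvCross` is built from the already-hardened `defaultStdenv`; whether `makeStdenvCross` preserves the overridden `mkDerivation` is not visible here and is worth confirming, otherwise cross builds silently lose the hardening. The `stdenv =` conditional continues past the end of this hunk.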
From: Robin Gloster Date: Sat, 23 Jan 2016 21:19:59 +0000 Subject: [PATCH 002/603] switch hardening flags --- .../applications/audio/cdparanoia/default.nix | 2 +- pkgs/applications/audio/mpg321/default.nix | 2 +- .../networking/browsers/w3m/default.nix | 2 +- .../git-and-tools/git/default.nix | 2 +- .../virtualization/xen/generic.nix | 2 +- .../gnome-2/platform/libgnomecups/default.nix | 2 +- .../gnome-2/platform/libgtkhtml/default.nix | 2 +- pkgs/development/compilers/dev86/default.nix | 2 +- .../development/compilers/gcc/4.5/default.nix | 2 +- .../development/compilers/gcc/4.9/default.nix | 2 +- pkgs/development/compilers/go/1.4.nix | 2 +- pkgs/development/compilers/go/1.5.nix | 2 +- .../haskell-modules/configuration-common.nix | 2 +- pkgs/development/libraries/CoinMP/default.nix | 2 +- .../libraries/audio/libbs2b/default.nix | 2 +- .../development/libraries/fribidi/default.nix | 2 +- pkgs/development/libraries/gd/default.nix | 2 +- .../development/libraries/gettext/default.nix | 2 +- .../development/libraries/giflib/libungif.nix | 2 +- pkgs/development/libraries/glibc/common.nix | 2 +- pkgs/development/libraries/glibc/default.nix | 3 ++- .../development/libraries/gnu-efi/default.nix | 2 -- pkgs/development/libraries/libelf/default.nix | 2 +- .../libraries/libgphoto2/default.nix | 2 +- .../libraries/libvisual/default.nix | 2 +- pkgs/development/libraries/pupnp/default.nix | 2 +- .../development/libraries/speechd/default.nix | 2 +- .../tools/misc/elfutils/default.nix | 2 +- pkgs/os-specific/linux/acpi-call/default.nix | 2 +- pkgs/os-specific/linux/busybox/default.nix | 2 +- pkgs/os-specific/linux/gogoclient/default.nix | 2 +- pkgs/os-specific/linux/jool/default.nix | 2 +- .../linux/kernel/manual-config.nix | 8 +++---- pkgs/os-specific/linux/kexectools/default.nix | 2 +- pkgs/os-specific/linux/numad/default.nix | 2 +- pkgs/servers/gpm/default.nix | 2 +- pkgs/shells/dash/default.nix | 2 +- pkgs/stdenv/adapters.nix | 24 ++++++++++++------- 
pkgs/tools/admin/tightvnc/default.nix | 2 +- pkgs/tools/archivers/sharutils/default.nix | 2 +- pkgs/tools/archivers/unzip/default.nix | 2 +- pkgs/tools/archivers/zip/default.nix | 2 +- pkgs/tools/cd-dvd/cdrkit/default.nix | 2 +- pkgs/tools/graphics/graphviz/default.nix | 2 +- pkgs/tools/graphics/transfig/default.nix | 2 +- pkgs/tools/misc/expect/default.nix | 2 +- pkgs/tools/misc/grub/2.0x.nix | 2 +- pkgs/tools/misc/gummiboot/default.nix | 2 +- pkgs/tools/networking/iperf/2.nix | 2 +- pkgs/tools/networking/vde2/default.nix | 2 +- .../tools/typesetting/tex/texlive-new/bin.nix | 2 +- 51 files changed, 68 insertions(+), 63 deletions(-) diff --git a/pkgs/applications/audio/cdparanoia/default.nix b/pkgs/applications/audio/cdparanoia/default.nix index c19b261016d..9de3bef62ad 100644 --- a/pkgs/applications/audio/cdparanoia/default.nix +++ b/pkgs/applications/audio/cdparanoia/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80"; }; - noHardening_format = true; + hardening_format = false; preConfigure = "unset CC"; diff --git a/pkgs/applications/audio/mpg321/default.nix b/pkgs/applications/audio/mpg321/default.nix index e833784ee76..c5bcd5ab4e4 100644 --- a/pkgs/applications/audio/mpg321/default.nix +++ b/pkgs/applications/audio/mpg321/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5"; }; - noHardening_format = true; + hardening_format = false; configureFlags = [ ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no")) diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix index d849b10daee..cc3e55f02e9 100644 --- a/pkgs/applications/networking/browsers/w3m/default.nix +++ b/pkgs/applications/networking/browsers/w3m/default.nix 
@@ -50,7 +50,7 @@ stdenv.mkDerivation rec { ln -s $out/libexec/w3m/w3mimgdisplay $out/bin ''; - noHardening_format = true; + hardening_format = false; configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}" + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb"; diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index a5df0dbe08e..08905ea4881 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation { sha256 = "03bvb8s5j8i54qbi3yayl42bv0wf2fpgnh1a2lkhbj79zi7b77zs"; }; - noHardening_format = true; + hardening_format = false; patches = [ ./docbook2texi.patch diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix index c742ffb5002..ce6753ed165 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic.nix @@ -75,7 +75,7 @@ stdenv.mkDerivation { pythonPath = [ pythonPackages.curses ]; - noHardening_all = true; + #hardening_all = false; patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches; diff --git a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix index ec7b9ff8a8b..9dc8d6f8ef1 100644 --- a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix +++ b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71"; }; - noHardening_format = true; + hardening_format = false; patches = [ ./glib.patch ./cups_1.6.patch ]; 
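Review bot: The xen hunk comments the opt-out out (`#hardening_all = false;`) instead of converting it, so the line is now dead configuration and xen is built with every hardening flag the adapter enables, including `-Werror=format-security` and `-z now`. The same pattern is used in gcc/4.5, go/1.4, go/1.5, pupnp, graphviz and gummiboot in this commit, while grub/2.0x keeps a live `hardening_all = false;`, so the two forms presumably mean different things but nothing says what. If the intent is to trial full hardening on these packages, replace the dead line with a comment that says so, e.g. `# hardening now enabled; set hardening_all = false if the build or runtime regresses`; otherwise restore `hardening_all = false;` so the previous behaviour is kept.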
diff --git a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix index 5044dbabd2f..d766957f0d7 100644 --- a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix +++ b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix @@ -11,5 +11,5 @@ stdenv.mkDerivation { buildInputs = [ pkgconfig gtk gettext ]; propagatedBuildInputs = [ libxml2 ]; - noHardening_format = true; + hardening_format = false; } diff --git a/pkgs/development/compilers/dev86/default.nix b/pkgs/development/compilers/dev86/default.nix index b8083c9ed6b..0ee0a622b1e 100644 --- a/pkgs/development/compilers/dev86/default.nix +++ b/pkgs/development/compilers/dev86/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "33398b87ca85e2b69e4062cf59f2f7354af46da5edcba036c6f97bae17b8d00e"; }; - noHardening_format = true; + hardening_format = false; makeFlags = "PREFIX=$(out)"; diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix index 4f1b017302a..8c4afb31c50 100644 --- a/pkgs/development/compilers/gcc/4.5/default.nix +++ b/pkgs/development/compilers/gcc/4.5/default.nix @@ -134,7 +134,7 @@ stdenv.mkDerivation ({ inherit langC langCC langFortran langJava langAda; }; - noHardening_all = true; + #hardening_all = false; patches = [ ] diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix index c7d63099be1..1d97a66008c 100644 --- a/pkgs/development/compilers/gcc/4.9/default.nix +++ b/pkgs/development/compilers/gcc/4.9/default.nix @@ -218,7 +218,7 @@ stdenv.mkDerivation ({ inherit patches; - noHardening_format = true; + hardening_format = false; postPatch = if (stdenv.isGNU diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix index fdfc9d45646..0d2d2ae2857 100644 --- a/pkgs/development/compilers/go/1.4.nix +++ b/pkgs/development/compilers/go/1.4.nix 
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec { buildInputs = [ pcre ]; propagatedBuildInputs = lib.optional stdenv.isDarwin Security; - noHardening_all = true; + #hardening_all = false; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix index 26ffabced6a..750aec567a8 100644 --- a/pkgs/development/compilers/go/1.5.nix +++ b/pkgs/development/compilers/go/1.5.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { Security Foundation ]; - noHardening_all = true; + #hardening_all = false; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 1982ca21802..25f2f1b6440 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -45,7 +45,7 @@ self: super: { options = dontCheck super.options; statistics = dontCheck super.statistics; c2hs = let c2hs_ = pkgs.stdenv.lib.overrideDerivation super.c2hs (drv: { - noHardening_format = true; + hardening_format = false; doCheck = false; }); in if pkgs.stdenv.isDarwin then dontCheck c2hs_ else c2hs_; diff --git a/pkgs/development/libraries/CoinMP/default.nix b/pkgs/development/libraries/CoinMP/default.nix index bdd380fd4b8..be44ef62885 100644 --- a/pkgs/development/libraries/CoinMP/default.nix +++ b/pkgs/development/libraries/CoinMP/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0gqi2vqkg35gazzzv8asnhihchnbjcd6bzjfzqhmj7wy1dw9iiw6"; }; - noHardening_format = true; + hardening_format = false; meta = with stdenv.lib; { homepage = https://projects.coin-or.org/CoinMP/; 
diff --git a/pkgs/development/libraries/audio/libbs2b/default.nix b/pkgs/development/libraries/audio/libbs2b/default.nix index e9a13b6ff87..4a64bc260bd 100644 --- a/pkgs/development/libraries/audio/libbs2b/default.nix +++ b/pkgs/development/libraries/audio/libbs2b/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libsndfile ]; - noHardening_format = true; + hardening_format = false; meta = { homepage = "http://bs2b.sourceforge.net/"; diff --git a/pkgs/development/libraries/fribidi/default.nix b/pkgs/development/libraries/fribidi/default.nix index 5d0e451c54c..09828665541 100644 --- a/pkgs/development/libraries/fribidi/default.nix +++ b/pkgs/development/libraries/fribidi/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0zg1hpaml34ny74fif97j7ngrshlkl3wk3nja3gmlzl17i1bga6b"; }; - noHardening_format = true; + hardening_format = false; meta = with stdenv.lib; { homepage = http://fribidi.org/; diff --git a/pkgs/development/libraries/gd/default.nix b/pkgs/development/libraries/gd/default.nix index 5ca1de273b4..a24a8416866 100644 --- a/pkgs/development/libraries/gd/default.nix +++ b/pkgs/development/libraries/gd/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { propagatedBuildInputs = [libjpeg fontconfig]; # urgh - noHardening_format = true; + hardening_format = false; configureFlags = "--without-x"; diff --git a/pkgs/development/libraries/gettext/default.nix b/pkgs/development/libraries/gettext/default.nix index cbdb448723a..566263c15ed 100644 --- a/pkgs/development/libraries/gettext/default.nix +++ b/pkgs/development/libraries/gettext/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation (rec { outputs = [ "out" "doc" ]; - noHardening_format = true; + hardening_format = false; LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else ""; diff --git a/pkgs/development/libraries/giflib/libungif.nix b/pkgs/development/libraries/giflib/libungif.nix index 45384b825c1..1cc4ae0201b 100644 
--- a/pkgs/development/libraries/giflib/libungif.nix +++ b/pkgs/development/libraries/giflib/libungif.nix @@ -7,6 +7,6 @@ stdenv.mkDerivation { md5 = "efdfcf8e32e35740288a8c5625a70ccb"; }; - noHardening_format = true; + hardening_format = false; } diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 6e9aa497f77..2c13ac59146 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -214,7 +214,7 @@ stdenv.mkDerivation ({ } // stdenv.lib.optionalAttrs (name == "glibc-locales") { - noHardening_stackprotector = true; + hardening_stackprotector = false; } // stdenv.lib.optionalAttrs (hurdHeaders != null) { diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix index a2ecedbe7e9..f9096084bd2 100644 --- a/pkgs/development/libraries/glibc/default.nix +++ b/pkgs/development/libraries/glibc/default.nix @@ -25,7 +25,8 @@ in builder = ./builder.sh; - noHardening_all = true; + hardening_stackprotector = false; + hardening_fortify = false; # When building glibc from bootstrap-tools, we need libgcc_s at RPATH for # any program we run, because the gcc will have been placed at a new diff --git a/pkgs/development/libraries/gnu-efi/default.nix b/pkgs/development/libraries/gnu-efi/default.nix index e6209ad93f6..e674aae2b58 100644 --- a/pkgs/development/libraries/gnu-efi/default.nix +++ b/pkgs/development/libraries/gnu-efi/default.nix @@ -9,8 +9,6 @@ stdenv.mkDerivation rec { sha256 = "1jxlypkgb8bd1c114x96i699ib0glb5aca9dv56j377x2ldg4c65"; }; - noHardening_all = true; - buildInputs = [ pciutils ]; makeFlags = [ diff --git a/pkgs/development/libraries/libelf/default.nix b/pkgs/development/libraries/libelf/default.nix index 048902f4fc4..88bce7f8661 100644 --- a/pkgs/development/libraries/libelf/default.nix +++ b/pkgs/development/libraries/libelf/default.nix 
@@ -9,7 +9,7 @@ stdenv.mkDerivation (rec { }; doCheck = true; - + # For cross-compiling, native glibc is needed for the "gencat" program. crossAttrs = { nativeBuildInputs = [ glibc ]; diff --git a/pkgs/development/libraries/libgphoto2/default.nix b/pkgs/development/libraries/libgphoto2/default.nix index 3df793df73f..682a42e2db9 100644 --- a/pkgs/development/libraries/libgphoto2/default.nix +++ b/pkgs/development/libraries/libgphoto2/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { # These are mentioned in the Requires line of libgphoto's pkg-config file. propagatedBuildInputs = [ libexif ]; - noHardening_format = true; + hardening_format = false; meta = { homepage = http://www.gphoto.org/proj/libgphoto2/; diff --git a/pkgs/development/libraries/libvisual/default.nix b/pkgs/development/libraries/libvisual/default.nix index a2c9c52937e..a9320f1af7b 100644 --- a/pkgs/development/libraries/libvisual/default.nix +++ b/pkgs/development/libraries/libvisual/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig glib ]; - noHardening_format = true; + hardening_format = false; meta = { description = "An abstraction library for audio visualisations"; diff --git a/pkgs/development/libraries/pupnp/default.nix b/pkgs/development/libraries/pupnp/default.nix index 267b434da52..430a09aeede 100644 --- a/pkgs/development/libraries/pupnp/default.nix +++ b/pkgs/development/libraries/pupnp/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0amjv4lypvclmi4vim2qdyw5xa6v4x50zjgf682vahqjc0wjn55k"; }; - noHardening_all = true; + #hardening_all = false; meta = { description = "libupnp, an open source UPnP development kit for Linux"; diff --git a/pkgs/development/libraries/speechd/default.nix b/pkgs/development/libraries/speechd/default.nix index cbd731aef68..d94b4159e93 100644 --- a/pkgs/development/libraries/speechd/default.nix +++ b/pkgs/development/libraries/speechd/default.nix 
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ dotconf glib pkgconfig ]; - noHardening_format = true; + hardening_format = false; meta = { description = "Common interface to speech synthesis"; diff --git a/pkgs/development/tools/misc/elfutils/default.nix b/pkgs/development/tools/misc/elfutils/default.nix index a412d7e537c..464ad791095 100644 --- a/pkgs/development/tools/misc/elfutils/default.nix +++ b/pkgs/development/tools/misc/elfutils/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./glibc-2.21.patch ]; - noHardening_format = true; + hardening_format = false; # We need bzip2 in NativeInputs because otherwise we can't unpack the src, # as the host-bzip2 will be in the path. diff --git a/pkgs/os-specific/linux/acpi-call/default.nix b/pkgs/os-specific/linux/acpi-call/default.nix index 1187bf10d14..05a5549fae2 100644 --- a/pkgs/os-specific/linux/acpi-call/default.nix +++ b/pkgs/os-specific/linux/acpi-call/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { sha256 = "0jl19irz9x9pxab2qp4z8c3jijv2m30zhmnzi6ygbrisqqlg4c75"; }; - noHardening_pic = true; + hardening_pic = false; preBuild = '' sed -e 's/break/true/' -i examples/turn_off_gpu.sh diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix index 86551f4eecb..cc3cfe2465d 100644 --- a/pkgs/os-specific/linux/busybox/default.nix +++ b/pkgs/os-specific/linux/busybox/default.nix @@ -33,7 +33,7 @@ stdenv.mkDerivation rec { sha256 = "16ii9sqracvh2r1gfzhmlypl269nnbkpvrwa7270k35d3bigk9h5"; }; - noHardening_format = true; + hardening_format = false; patches = [ ./busybox-in-store.patch ]; diff --git a/pkgs/os-specific/linux/gogoclient/default.nix b/pkgs/os-specific/linux/gogoclient/default.nix index 38762a5f1fe..93c334b9593 100644 --- a/pkgs/os-specific/linux/gogoclient/default.nix +++ b/pkgs/os-specific/linux/gogoclient/default.nix 
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec { makeFlags = ["target=linux"]; installFlags = ["installdir=$(out)"]; - noHardening_format = true; + hardening_format = false; buildInputs = [openssl]; diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix index f5e76c0df50..7c956e3c244 100644 --- a/pkgs/os-specific/linux/jool/default.nix +++ b/pkgs/os-specific/linux/jool/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { src = sourceAttrs.src; - noHardening_pic = true; + hardening_pic = false; prePatch = '' sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i mod/*/Makefile diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix index 8c537d67551..ccbd29d3d1f 100644 --- a/pkgs/os-specific/linux/kernel/manual-config.nix +++ b/pkgs/os-specific/linux/kernel/manual-config.nix @@ -224,15 +224,15 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null) (ubootChooser stdenv.platform.uboot); - noHardening_format = true; - noHardening_fortify = true; - noHardening_stackprotector = true; + hardening_format = false; + hardening_fortify = false; + hardening_stackprotector = false; makeFlags = commonMakeFlags ++ [ "ARCH=${stdenv.platform.kernelArch}" ]; - noHardening_pic = true; + hardening_pic = false; karch = stdenv.platform.kernelArch; diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix index 5255b331bb1..98593ea85a9 100644 --- a/pkgs/os-specific/linux/kexectools/default.nix +++ b/pkgs/os-specific/linux/kexectools/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "1qrfka9xvy77k0rg3k0cf7xai0f9vpgsbs4l3bs8r4nvzy37j2di"; }; - noHardening_format = true; + hardening_format = false; buildInputs = [ zlib ]; 
diff --git a/pkgs/os-specific/linux/numad/default.nix b/pkgs/os-specific/linux/numad/default.nix index fa7e5110de9..959de19ead2 100644 --- a/pkgs/os-specific/linux/numad/default.nix +++ b/pkgs/os-specific/linux/numad/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "08zd1yc3w00yv4mvvz5sq1gf91f6p2s9ljcd72m33xgnkglj60v4"; }; - noHardening_format = true; + hardening_format = false; patches = [ ./numad-linker-flags.patch diff --git a/pkgs/servers/gpm/default.nix b/pkgs/servers/gpm/default.nix index c496ff3fdbb..99b6ce2a832 100644 --- a/pkgs/servers/gpm/default.nix +++ b/pkgs/servers/gpm/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ automake autoconf libtool flex bison texinfo ]; buildInputs = [ ncurses ]; - noHardening_format = true; + hardening_format = false; preConfigure = '' ./autogen.sh diff --git a/pkgs/shells/dash/default.nix b/pkgs/shells/dash/default.nix index ab49613a39c..ba6a076f1f0 100644 --- a/pkgs/shells/dash/default.nix +++ b/pkgs/shells/dash/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "03y6z8akj72swa6f42h2dhq3p09xasbi6xia70h2vc27fwikmny6"; }; - noHardening_format = true; + hardening_format = false; meta = { homepage = http://gondor.apana.org.au/~herbert/dash/; diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix index 58e1c157b93..5a5550ebb04 100644 --- a/pkgs/stdenv/adapters.nix +++ b/pkgs/stdenv/adapters.nix 
@@ -239,16 +239,22 @@ rec { useHardenFlags = stdenv: stdenv // { mkDerivation = args: stdenv.mkDerivation (args // { NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "") - + stdenv.lib.optionalString (!(args.noHardening_all or false)) ( - stdenv.lib.optionalString (!(args.noHardening_fortify or false)) " -O2 -D_FORTIFY_SOURCE=2" - + stdenv.lib.optionalString (!(args.noHardening_stackprotector or false)) " -fstack-protector-all" - + stdenv.lib.optionalString ((args.noHardening_pie or false) && true) " -fPIE -pie" - + stdenv.lib.optionalString (!(args.noHardening_pic or false)) " -fPIC" - + stdenv.lib.optionalString (!(args.noHardening_relro or false)) " -z relro" - + stdenv.lib.optionalString ((args.noHardening_bindnow or false) && true) " -z now" - + stdenv.lib.optionalString (!(args.noHardening_strictoverflow or false)) " -fno-strict-overflow" - + stdenv.lib.optionalString (!(args.noHardening_format or false)) " -Wformat -Wformat-security -Werror=format-security" + + stdenv.lib.optionalString (args.hardening_all or true) ( + stdenv.lib.optionalString (args.hardening_fortify or true) " -O2 -D_FORTIFY_SOURCE=2" + + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-all" + + stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie" + + stdenv.lib.optionalString (args.hardening_pic or true) " -fPIC" + + stdenv.lib.optionalString (args.hardening_relro or true) " -Wl,-z,relro" + + stdenv.lib.optionalString (args.hardening_bindnow or true) " -Wl,-z,now" + + stdenv.lib.optionalString (args.hardening_strictoverflow or true) " -fno-strict-overflow" + + stdenv.lib.optionalString (args.hardening_format or true) " -Wformat -Wformat-security -Werror=format-security" ); + NIX_LDFLAGS = toString (args.NIX_LDFLAGS or "") + + stdenv.lib.optionalString (args.hardening_all or true) ( + stdenv.lib.optionalString (args.hardening_relro or true) " -z relro" + + stdenv.lib.optionalString (args.hardening_bindnow or true) " -z now" + 
); + }); }; diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix index 1e562ee3ecf..24fec4e33bb 100644 --- a/pkgs/tools/admin/tightvnc/default.nix +++ b/pkgs/tools/admin/tightvnc/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { inherit xauth fontDirectories perl; gcc = stdenv.cc.cc; - noHardening_format = true; + hardening_format = false; buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw libXpm libXp xauth openssh ]; diff --git a/pkgs/tools/archivers/sharutils/default.nix b/pkgs/tools/archivers/sharutils/default.nix index 5d60c449173..d1f13b77f0c 100644 --- a/pkgs/tools/archivers/sharutils/default.nix +++ b/pkgs/tools/archivers/sharutils/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g"; }; - noHardening_format = true; + hardening_format = false; preConfigure = '' # Fix for building on Glibc 2.16. Won't be needed once the diff --git a/pkgs/tools/archivers/unzip/default.nix b/pkgs/tools/archivers/unzip/default.nix index dcc51320bbd..20f7038067d 100644 --- a/pkgs/tools/archivers/unzip/default.nix +++ b/pkgs/tools/archivers/unzip/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83"; }; - noHardening_format = true; + hardening_format = false; patches = [ ./CVE-2014-8139.diff diff --git a/pkgs/tools/archivers/zip/default.nix b/pkgs/tools/archivers/zip/default.nix index f9349937b8f..8be743c8dd0 100644 --- a/pkgs/tools/archivers/zip/default.nix +++ b/pkgs/tools/archivers/zip/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h"; }; - noHardening_format = true; + hardening_format = false; makefile = "unix/Makefile"; buildFlags = if stdenv.isCygwin then "cygwin" else "generic"; diff --git a/pkgs/tools/cd-dvd/cdrkit/default.nix b/pkgs/tools/cd-dvd/cdrkit/default.nix index 5fcccbee02c..34bb109a171 100644 
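Review bot: relro and bindnow are now emitted twice in the adapters.nix hunk: as `-Wl,-z,relro` / `-Wl,-z,now` in NIX_CFLAGS_COMPILE and again as `-z relro` / `-z now` in the new NIX_LDFLAGS block, and linker options in the compile flags are at best ignored for `-c` invocations. Drop the two `-Wl,` lines from NIX_CFLAGS_COMPILE and keep the linker flags only in NIX_LDFLAGS, where they belong. Two default changes in the hunk deserve a comment because nothing in the code records them: `hardening_bindnow` flips from off (`(... or false) && true`) to on, and `hardening_pie` stays off while every other flag defaults to `true`, e.g. `# PIE is opt-in: -fPIE -pie breaks shared-library builds`. The fortify branch also forces `-O2` into every build; presumably this is because `_FORTIFY_SOURCE` needs optimization, but since the last `-O` wins it silently overrides packages that set `-O0`/`-Os`, so that should either be documented or left to the package.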
--- a/pkgs/tools/cd-dvd/cdrkit/default.nix +++ b/pkgs/tools/cd-dvd/cdrkit/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [cmake libcap zlib bzip2]; - noHardening_format = true; + hardening_format = false; # efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244 patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ]; diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix index 090af09fca0..bb0d54a7ec2 100644 --- a/pkgs/tools/graphics/graphviz/default.nix +++ b/pkgs/tools/graphics/graphviz/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1"; }; - noHardening_all = true; + #hardening_all = false; patches = [ ./0001-vimdot-lookup-vim-in-PATH.patch diff --git a/pkgs/tools/graphics/transfig/default.nix b/pkgs/tools/graphics/transfig/default.nix index bcbbe71b897..c584ed282d6 100644 --- a/pkgs/tools/graphics/transfig/default.nix +++ b/pkgs/tools/graphics/transfig/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [zlib libjpeg libpng imake]; inherit libpng; - noHardening_format = true; + hardening_format = false; patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch]; diff --git a/pkgs/tools/misc/expect/default.nix b/pkgs/tools/misc/expect/default.nix index 4efa9461232..f99b83a2a0a 100644 --- a/pkgs/tools/misc/expect/default.nix +++ b/pkgs/tools/misc/expect/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; nativeBuildInputs = [ makeWrapper ]; - noHardening_format = true; + hardening_format = false; patchPhase = '' sed -i "s,/bin/stty,$(type -p stty),g" configure diff --git a/pkgs/tools/misc/grub/2.0x.nix b/pkgs/tools/misc/grub/2.0x.nix index abe690ca0e4..f3c09ef686a 100644 --- a/pkgs/tools/misc/grub/2.0x.nix +++ b/pkgs/tools/misc/grub/2.0x.nix 
@@ -52,7 +52,7 @@ stdenv.mkDerivation rec { ++ optional doCheck qemu ++ optional zfsSupport zfs; - noHardening_all = true; + hardening_all = false; preConfigure = '' for i in "tests/util/"*.in diff --git a/pkgs/tools/misc/gummiboot/default.nix b/pkgs/tools/misc/gummiboot/default.nix index e831bbdab6f..d25b4f65ad7 100644 --- a/pkgs/tools/misc/gummiboot/default.nix +++ b/pkgs/tools/misc/gummiboot/default.nix @@ -5,7 +5,7 @@ stdenv.mkDerivation rec { buildInputs = [ gnu-efi pkgconfig libxslt utillinux ]; - noHardening_all = true; + #hardening_all = false; # Sigh, gummiboot should be able to find this in buildInputs configureFlags = [ diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix index 6d9fe64f169..414ff692d10 100644 --- a/pkgs/tools/networking/iperf/2.nix +++ b/pkgs/tools/networking/iperf/2.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3"; }; - noHardening_format = true; + hardening_format = false; meta = with stdenv.lib; { homepage = "http://sourceforge.net/projects/iperf/"; diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix index 4aecc41aa3d..ba9552d4fae 100644 --- a/pkgs/tools/networking/vde2/default.nix +++ b/pkgs/tools/networking/vde2/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ openssl libpcap python ]; - noHardening_format = true; + hardening_format = false; meta = { homepage = http://vde.sourceforge.net/; diff --git a/pkgs/tools/typesetting/tex/texlive-new/bin.nix b/pkgs/tools/typesetting/tex/texlive-new/bin.nix index 37c19319ef7..4a788cfa8fe 100644 --- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix +++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix @@ -64,7 +64,7 @@ core = stdenv.mkDerivation rec { perl ]; - noHardening_format = true; + hardening_format = false; preConfigure = '' rm -r libs/{cairo,freetype2,gd,gmp,graphite2,harfbuzz,icu,libpaper,libpng} \ 
From 729870467a97382e2252defe4ae3b04765b9451b Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 26 Jan 2016 00:41:10 +0100 Subject: [PATCH 003/603] Switch to GCC 5 --- pkgs/stdenv/linux/default.nix | 9 ++------- pkgs/top-level/all-packages.nix | 4 ++-- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/pkgs/stdenv/linux/default.nix b/pkgs/stdenv/linux/default.nix index 12fc3fed5a5..573e7139aac 100644 --- a/pkgs/stdenv/linux/default.nix +++ b/pkgs/stdenv/linux/default.nix @@ -210,14 +210,9 @@ rec { gmp = pkgs.gmp.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; mpfr = pkgs.mpfr.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; libmpc = pkgs.libmpc.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; - isl_0_11 = pkgs.isl_0_11.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; - cloog_0_18_0 = pkgs.cloog_0_18_0.override { - stdenv = pkgs.makeStaticLibraries pkgs.stdenv; - isl = isl_0_11; - }; + isl = pkgs.isl.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; gccPlain = pkgs.gcc.cc.override { - isl = isl_0_11; - cloog = cloog_0_18_0; + isl = isl; }; }; extraBuildInputs = [ stage2.pkgs.patchelf stage2.pkgs.paxctl ]; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 0e658228f2f..bd9ef8d47f3 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -3920,7 +3920,7 @@ let gambit = callPackage ../development/compilers/gambit { }; - gcc = gcc49; + gcc = gcc5; gcc_multi = if system == "x86_64-linux" then lowPrio ( @@ -4068,7 +4068,7 @@ let cross = null; libcCross = if crossSystem != null then libcCross else null; - isl = isl_0_14; + isl = isl_0_15; })); gfortran = if !stdenv.isDarwin then gfortran49 From c0f673af320b8674ad19ed1d66bf7705ee7513cc Mon Sep 17 00:00:00 2001 
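Review bot: `isl = isl;` in the `gccPlain` override in pkgs/stdenv/linux/default.nix is the attribute-repeats-its-name form that Nix spells `inherit isl;`; the surrounding file already uses `inherit` elsewhere, so the shorter form keeps the style consistent. The same hunk also drops `cloog_0_18_0` without a note that GCC 5 no longer needs CLooG; a one-line comment above the `isl` binding, e.g. `# gcc 5 uses isl directly; cloog is no longer needed`, would save the next reader from looking it up.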
From: Robin Gloster Date: Mon, 25 Jan 2016 23:50:36 +0000 Subject: [PATCH 004/603] gcc5: switch off hardening_format --- pkgs/development/compilers/gcc/5/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/gcc/5/default.nix b/pkgs/development/compilers/gcc/5/default.nix index 3b105143c0b..47a272ac534 100644 --- a/pkgs/development/compilers/gcc/5/default.nix +++ b/pkgs/development/compilers/gcc/5/default.nix @@ -216,6 +216,8 @@ stdenv.mkDerivation ({ sha256 = "1ny4smkp5bzs3cp8ss7pl6lk8yss0d9m4av1mvdp72r1x695akxq"; }; + hardening_format = false; + inherit patches; postPatch = From e96ea9712c1d441b72510f62769ddbfff4c8d7c5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 26 Jan 2016 00:15:30 +0000 Subject: [PATCH 005/603] ruby: add patch for RAND_egd --- .../interpreters/ruby/patchsets.nix | 6 +++ .../interpreters/ruby/rand-egd.patch | 42 +++++++++++++++++++ .../interpreters/ruby/ruby22-rand-egd.patch | 42 +++++++++++++++++++ 3 files changed, 90 insertions(+) create mode 100644 pkgs/development/interpreters/ruby/rand-egd.patch create mode 100644 pkgs/development/interpreters/ruby/ruby22-rand-egd.patch diff --git a/pkgs/development/interpreters/ruby/patchsets.nix b/pkgs/development/interpreters/ruby/patchsets.nix index 286301dc0a5..1d040531213 100644 --- a/pkgs/development/interpreters/ruby/patchsets.nix +++ b/pkgs/development/interpreters/ruby/patchsets.nix @@ -3,6 +3,7 @@ rec { "1.9.3" = [ ./ssl_v3.patch + ./rand-egd.patch ./ruby19-parallel-install.patch ./bitperfect-rdoc.patch ] ++ ops useRailsExpress [ @@ -28,6 +29,7 @@ rec { ]; "2.0.0" = [ ./ssl_v3.patch + ./rand-egd.patch ] ++ ops useRailsExpress [ "${patchSet}/patches/ruby/2.0.0/p${patchLevel}/railsexpress/01-zero-broken-tests.patch" "${patchSet}/patches/ruby/2.0.0/p${patchLevel}/railsexpress/02-railsexpress-gc.patch" 
@@ -81,6 +83,7 @@ rec { ]; "2.1.3" = [ ./ssl_v3.patch + ./rand-egd.patch ] ++ ops useRailsExpress [ "${patchSet}/patches/ruby/2.1.3/railsexpress/01-zero-broken-tests.patch" "${patchSet}/patches/ruby/2.1.3/railsexpress/02-improve-gc-stats.patch" @@ -106,6 +109,7 @@ rec { ]; "2.1.7" = [ ./ssl_v3.patch + ./rand-egd.patch ] ++ ops useRailsExpress [ "${patchSet}/patches/ruby/2.1.7/railsexpress/01-zero-broken-tests.patch" "${patchSet}/patches/ruby/2.1.7/railsexpress/02-improve-gc-stats.patch" @@ -128,6 +132,7 @@ rec { ]; "2.2.2" = [ ./ssl_v3.patch + ./ruby22-rand-egd.patch ] ++ ops useRailsExpress [ "${patchSet}/patches/ruby/2.2.2/railsexpress/01-zero-broken-tests.patch" "${patchSet}/patches/ruby/2.2.2/railsexpress/02-improve-gc-stats.patch" @@ -136,6 +141,7 @@ rec { ]; "2.2.3" = [ ./ssl_v3.patch + ./ruby22-rand-egd.patch ] ++ ops useRailsExpress [ "${patchSet}/patches/ruby/2.2.3/railsexpress/01-zero-broken-tests.patch" "${patchSet}/patches/ruby/2.2.3/railsexpress/02-improve-gc-stats.patch" diff --git a/pkgs/development/interpreters/ruby/rand-egd.patch b/pkgs/development/interpreters/ruby/rand-egd.patch new file mode 100644 index 00000000000..e4f6452000c --- /dev/null +++ b/pkgs/development/interpreters/ruby/rand-egd.patch 
@@ -0,0 +1,42 @@ +diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb +index e272cba..3a1fa71 100644 +--- a/ext/openssl/extconf.rb ++++ b/ext/openssl/extconf.rb +@@ -87,6 +87,7 @@ + have_func("PEM_def_callback") + have_func("PKCS5_PBKDF2_HMAC") + have_func("PKCS5_PBKDF2_HMAC_SHA1") ++have_func("RAND_egd") + have_func("X509V3_set_nconf") + have_func("X509V3_EXT_nconf_nid") + have_func("X509_CRL_add0_revoked") +diff --git a/ext/openssl/ossl_rand.c b/ext/openssl/ossl_rand.c +index 29cbf8c..27466fe 100644 +--- a/ext/openssl/ossl_rand.c ++++ b/ext/openssl/ossl_rand.c +@@ -148,6 +148,7 @@ ossl_rand_pseudo_bytes(VALUE self, VALUE len) + return str; + } + ++#ifdef HAVE_RAND_EGD + /* + * call-seq: + * egd(filename) -> true +@@ -186,6 +187,7 @@ ossl_rand_egd_bytes(VALUE self, VALUE filename, VALUE len) + } + return Qtrue; + } ++#endif /* HAVE_RAND_EGD */ + + /* + * call-seq: +@@ -219,7 +221,9 @@ Init_ossl_rand(void) + DEFMETH(mRandom, "write_random_file", ossl_rand_write_file, 1); + DEFMETH(mRandom, "random_bytes", ossl_rand_bytes, 1); + DEFMETH(mRandom, "pseudo_bytes", ossl_rand_pseudo_bytes, 1); ++#ifdef HAVE_RAND_EGD + DEFMETH(mRandom, "egd", ossl_rand_egd, 1); + DEFMETH(mRandom, "egd_bytes", ossl_rand_egd_bytes, 2); ++#endif /* HAVE_RAND_EGD */ + DEFMETH(mRandom, "status?", ossl_rand_status, 0) + } diff --git a/pkgs/development/interpreters/ruby/ruby22-rand-egd.patch b/pkgs/development/interpreters/ruby/ruby22-rand-egd.patch new file mode 100644 index 00000000000..ebf2bf56fcf --- /dev/null +++ b/pkgs/development/interpreters/ruby/ruby22-rand-egd.patch 
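Review bot: Neither new patch file (rand-egd.patch here, ruby22-rand-egd.patch in the next hunk) carries a header explaining why it exists; from the `have_func("RAND_egd")` probe and the `HAVE_RAND_EGD` guards around `ossl_rand_egd` and `ossl_rand_egd_bytes`, the motivation is presumably an OpenSSL built without EGD support, but that is an inference. Add a few lines of free text above the first `diff --git` in both files stating the problem and the Ruby versions each applies to (the two differ only in the `Init_ossl_rand` hunk: `DEFMETH` versus `rb_define_module_function`), so a future bump can tell which one to refresh. Git-style patches tolerate leading prose, so no change to patchsets.nix is needed for this.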
@@ -0,0 +1,42 @@ +diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb +index e272cba..3a1fa71 100644 +--- a/ext/openssl/extconf.rb ++++ b/ext/openssl/extconf.rb +@@ -87,6 +87,7 @@ + have_func("PEM_def_callback") + have_func("PKCS5_PBKDF2_HMAC") + have_func("PKCS5_PBKDF2_HMAC_SHA1") ++have_func("RAND_egd") + have_func("X509V3_set_nconf") + have_func("X509V3_EXT_nconf_nid") + have_func("X509_CRL_add0_revoked") +diff --git a/ext/openssl/ossl_rand.c b/ext/openssl/ossl_rand.c +index 29cbf8c..27466fe 100644 +--- a/ext/openssl/ossl_rand.c ++++ b/ext/openssl/ossl_rand.c +@@ -148,6 +148,7 @@ ossl_rand_pseudo_bytes(VALUE self, VALUE len) + return str; + } + ++#ifdef HAVE_RAND_EGD + /* + * call-seq: + * egd(filename) -> true +@@ -186,6 +187,7 @@ ossl_rand_egd_bytes(VALUE self, VALUE filename, VALUE len) + } + return Qtrue; + } ++#endif /* HAVE_RAND_EGD */ + + /* + * call-seq: +@@ -219,8 +221,10 @@ Init_ossl_rand(void) + rb_define_module_function(mRandom, "write_random_file", ossl_rand_write_file, 1); + rb_define_module_function(mRandom, "random_bytes", ossl_rand_bytes, 1); + rb_define_module_function(mRandom, "pseudo_bytes", ossl_rand_pseudo_bytes, 1); ++#ifdef HAVE_RAND_EGD + rb_define_module_function(mRandom, "egd", ossl_rand_egd, 1); + rb_define_module_function(mRandom, "egd_bytes", ossl_rand_egd_bytes, 2); ++#endif /* HAVE_RAND_EGD */ + rb_define_module_function(mRandom, "status?", ossl_rand_status, 0); + } From 936dfeb700d185b3299a17308b548746f95e8900 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 26 Jan 2016 02:04:05 +0100 Subject: [PATCH 006/603] xorg.sessreg: Fix build on gcc-5 --- pkgs/servers/x11/xorg/overrides.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/servers/x11/xorg/overrides.nix b/pkgs/servers/x11/xorg/overrides.nix index 7bd179067cd..b3d13c9c258 100644 --- a/pkgs/servers/x11/xorg/overrides.nix +++ b/pkgs/servers/x11/xorg/overrides.nix 
@@ -440,4 +440,8 @@ in configureFlags = "--with-cpp=${args.mcpp}/bin/mcpp"; }; + sessreg = attrs: attrs // { + preBuild = "sed -i 's|gcc -E|gcc -E -P|' man/Makefile"; + }; + } From c4537af1dc06ff056d321849652c1e528d349560 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 26 Jan 2016 02:19:35 +0100 Subject: [PATCH 007/603] go: Disable stackprotector --- pkgs/development/compilers/go/1.4.nix | 2 +- pkgs/development/compilers/go/1.5.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix index 0d2d2ae2857..542fcba2144 100644 --- a/pkgs/development/compilers/go/1.4.nix +++ b/pkgs/development/compilers/go/1.4.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { buildInputs = [ pcre ]; propagatedBuildInputs = lib.optional stdenv.isDarwin Security; - #hardening_all = false; + hardening_stackprotector = false; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix index 750aec567a8..4928bacaebd 100644 --- a/pkgs/development/compilers/go/1.5.nix +++ b/pkgs/development/compilers/go/1.5.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { Security Foundation ]; - #hardening_all = false; + hardening_stackprotector = false; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. From aacc390769bd339c7d6b674ee8f3e3941a99f429 Mon Sep 17 00:00:00 2001 
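Review bot: The `sessreg` override's `preBuild` sed hard-codes `gcc -E` as the match, so on a stdenv whose generated man/Makefile spells the preprocessor differently (clang, a cross `$(CC) -E`, a bare `cpp`) the substitution is a silent no-op and the build failure this fixes comes back with no hint. Make a miss loud and record the reason, e.g. `# newer cpp emits line markers into the man page; -P suppresses them — TODO confirm` above `preBuild = "grep -q 'gcc -E' man/Makefile && sed -i 's|gcc -E|gcc -E -P|' man/Makefile";`. The attribute set this override is appended to opens before the hunk.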
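Review bot: In go/1.4.nix `hardening_stackprotector = false;` replaces a commented-out `hardening_all = false;` without saying why the stack protector in particular has to be off for the Go toolchain, so a later bump to a Go that no longer needs it will keep the weakening forever. Add a why-comment above the line, e.g. `# The Go bootstrap build fails with -fstack-protector — TODO record the failing step and drop once fixed upstream`, hedged until the failing step is confirmed. The same applies to the identical line this commit adds to go/1.5.nix; both sit inside a `stdenv.mkDerivation rec { … }` that opens before the hunk.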
From: Franz Pletz Date: Tue, 26 Jan 2016 02:58:17 +0100 Subject: [PATCH 008/603] ncat: Remove old package, available in nmap --- pkgs/tools/networking/ncat/default.nix | 25 ------------ pkgs/tools/networking/ncat/ncat-0.10rc3.patch | 38 ------------------- pkgs/top-level/all-packages.nix | 3 +- pkgs/top-level/release-small.nix | 1 - pkgs/top-level/release.nix | 1 - 5 files changed, 1 insertion(+), 67 deletions(-) delete mode 100644 pkgs/tools/networking/ncat/default.nix delete mode 100644 pkgs/tools/networking/ncat/ncat-0.10rc3.patch diff --git a/pkgs/tools/networking/ncat/default.nix b/pkgs/tools/networking/ncat/default.nix deleted file mode 100644 index 8f81e9284b6..00000000000 --- a/pkgs/tools/networking/ncat/default.nix +++ /dev/null @@ -1,25 +0,0 @@ -{stdenv, fetchurl, openssl}: - -stdenv.mkDerivation { - name = "ncat-0.10rc3"; - - src = fetchurl { - url = mirror://sourceforge/nmap-ncat/ncat-0.10rc3.tar.gz; - sha256 = "1yb26ipxwhqkfannji90jxi38k35fal4ffx0jm5clr1a1rndjjzb"; - }; - - patches = [./ncat-0.10rc3.patch]; - - buildInputs = [openssl]; - - CFLAGS = "-g"; - - postInstall = '' - install -D ncat $out/bin/ncat - install -D docs/man/ncat.1 $out/man/ncat.1 - ''; - - meta = { - description = "A netcat implementation with IPv6 support"; - }; -} diff --git a/pkgs/tools/networking/ncat/ncat-0.10rc3.patch b/pkgs/tools/networking/ncat/ncat-0.10rc3.patch deleted file mode 100644 index ed4c93673aa..00000000000 --- a/pkgs/tools/networking/ncat/ncat-0.10rc3.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -diff -urN ncat-0.10rc3/ncat_main.c ncat-0.10rc3-fixed/ncat_main.c ---- ncat-0.10rc3/ncat_main.c 2006-01-10 03:29:08.000000000 +0300 -+++ ncat-0.10rc3-fixed/ncat_main.c 2007-07-09 09:58:58.000000000 +0400 -@@ -23,6 +23,7 @@ - { - struct sockaddr_in ss; - struct sockaddr_in6 ss6; -+ struct sockaddr_storage sst; - - struct conn_state cs; - -@@ -271,7 +272,7 @@ - } - - /* resolve hostname */ -- if (!resolve(argv[optind], (struct sockaddr_storage *) &ss)) { -+ if (!resolve(argv[optind], (struct sockaddr_storage *) &sst)) { - /* host failed to resolve :( */ - fprintf(stderr, - "%s: Could not resolve target hostname %s. QUITTING.\n", -@@ -297,6 +298,8 @@ - - /* IPv6 connect() */ - if (oipv == 6) { -+ memcpy(&ss6,&sst,sizeof(ss6)); -+ - ss6.sin6_family = AF_INET6; - ss_len = sizeof(struct sockaddr_in6); - -@@ -329,6 +332,8 @@ - } - /* IPv4 connect() - default. */ - else { -+ memcpy(&ss,&sst,sizeof(ss)); -+ - ss.sin_family = AF_INET; - ss_len = sizeof(struct sockaddr_in); - diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index bd9ef8d47f3..06011dcd4bb 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -2400,8 +2400,6 @@ let nc6 = callPackage ../tools/networking/nc6 { }; - ncat = callPackage ../tools/networking/ncat { }; - ncftp = callPackage ../tools/networking/ncftp { }; ncompress = callPackage ../tools/compression/ncompress { }; @@ -15950,6 +15948,7 @@ aliases = with self; rec { midoriWrapper = midori; # added 2015-01 mlt-qt5 = qt5.mlt; # added 2015-12-19 multipath_tools = multipath-tools; # added 2016-01-21 + ncat = nmap; # added 2016-01-26 nfsUtils = nfs-utils; # added 2014-12-06 phonon_qt5 = qt5.phonon; # added 2015-12-19 phonon_qt5_backend_gstreamer = qt5.phonon-backend-gstreamer; # added 2015-12-19 diff --git a/pkgs/top-level/release-small.nix b/pkgs/top-level/release-small.nix index fc428a73743..409213e09e6 100644 --- a/pkgs/top-level/release-small.nix 
+++ b/pkgs/top-level/release-small.nix @@ -112,7 +112,6 @@ with import ./release-lib.nix { inherit supportedSystems; }; mpg321 = linux; mutt = linux; mysql = linux; - ncat = linux; netcat = all; nfs-utils = linux; nix = all; diff --git a/pkgs/top-level/release.nix b/pkgs/top-level/release.nix index a555dcbf4fa..1eff71f673f 100644 --- a/pkgs/top-level/release.nix +++ b/pkgs/top-level/release.nix @@ -165,7 +165,6 @@ let mupen64plus = linux; mutt = linux; nano = allBut cygwin; - ncat = linux; netcat = all; nss_ldap = linux; nssmdns = linux; From 393977d800b5a1be040e111fd6da3d52b007ee0d Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 26 Jan 2016 03:42:26 +0100 Subject: [PATCH 009/603] Remove qcmm, strategoxt, aterm, bibtextools These packages are very old and their tarballs or web pages are not available anymore. Furthermore, they break with recent compilers like GCC 5. --- pkgs/development/compilers/qcmm/default.nix | 12 -- .../development/compilers/strategoxt/0.16.nix | 47 ------- .../development/compilers/strategoxt/0.17.nix | 112 ---------------- .../development/compilers/strategoxt/0.18.nix | 124 ------------------ pkgs/development/libraries/aterm/2.5.nix | 33 ----- .../libraries/aterm/max-long.patch | 77 ----------- pkgs/development/libraries/aterm/sizeof.patch | 56 -------- .../typesetting/bibtex-tools/default.nix | 17 --- pkgs/top-level/all-packages.nix | 27 ---- 9 files changed, 505 deletions(-) delete mode 100644 pkgs/development/compilers/qcmm/default.nix delete mode 100644 pkgs/development/compilers/strategoxt/0.16.nix delete mode 100644 pkgs/development/compilers/strategoxt/0.17.nix delete mode 100644 pkgs/development/compilers/strategoxt/0.18.nix delete mode 100644 pkgs/development/libraries/aterm/2.5.nix delete mode 100644 pkgs/development/libraries/aterm/max-long.patch delete mode 100644 pkgs/development/libraries/aterm/sizeof.patch delete mode 100644 pkgs/tools/typesetting/bibtex-tools/default.nix 
diff --git a/pkgs/development/compilers/qcmm/default.nix b/pkgs/development/compilers/qcmm/default.nix deleted file mode 100644 index a221ae29f04..00000000000 --- a/pkgs/development/compilers/qcmm/default.nix +++ /dev/null @@ -1,12 +0,0 @@ -{stdenv, fetchurl, mk, ocaml, noweb, lua, groff }: -stdenv.mkDerivation { - name = "qcmm-2006-01-31"; - src = fetchurl { - url = http://tarballs.nixos.org/qc--20060131.tar.gz; - md5 = "9097830775bcf22c9bad54f389f5db23"; - }; - buildInputs = [ mk ocaml noweb groff ]; - patches = [ ./qcmm.patch ]; - builder = ./builder.sh; - inherit lua; -} diff --git a/pkgs/development/compilers/strategoxt/0.16.nix b/pkgs/development/compilers/strategoxt/0.16.nix deleted file mode 100644 index 4cfa2c79892..00000000000 --- a/pkgs/development/compilers/strategoxt/0.16.nix +++ /dev/null @@ -1,47 +0,0 @@ -{stdenv, fetchurl, aterm, pkgconfig, getopt}: - -rec { - - inherit aterm; - - - sdf = stdenv.mkDerivation rec { - name = "sdf2-bundle-2.3.3"; - - src = fetchurl { - url = ftp://ftp.stratego-language.org/pub/stratego/sdf2/sdf2-bundle-2.3.3/sdf2-bundle-2.3.3.tar.gz; - md5 = "62ecabe5fbb8bbe043ee18470107ef88"; - }; - - buildInputs = [pkgconfig aterm getopt]; - - preConfigure = '' - substituteInPlace pgen/src/sdf2table.src \ - --replace getopt ${getopt}/bin/getopt - ''; - - meta = { - homepage = http://www.program-transformation.org/Sdf/SdfBundle; - meta = "Tools for the SDF2 Syntax Definition Formalism, including the `pgen' parser generator and `sglr' parser"; - }; - }; - - - strategoxt = stdenv.mkDerivation { - name = "strategoxt-0.16"; - - src = fetchurl { - url = ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.16/strategoxt-0.16.tar.gz; - md5 = "8b8eabbd785faa84ec20134b63d4829e"; - }; - - buildInputs = [pkgconfig aterm sdf getopt]; - - meta = { - homepage = http://strategoxt.org/; - meta = "A language and toolset for program transformation"; - }; - }; - - -} 
diff --git a/pkgs/development/compilers/strategoxt/0.17.nix b/pkgs/development/compilers/strategoxt/0.17.nix
deleted file mode 100644
index d621cbf5f0c..00000000000
--- a/pkgs/development/compilers/strategoxt/0.17.nix
+++ /dev/null
@@ -1,112 +0,0 @@ -{stdenv, fetchurl, aterm, pkgconfig, getopt, jdk, readline, ncurses}: - -rec { - - inherit aterm; - - - sdf = stdenv.mkDerivation ( rec { - name = "sdf2-bundle-2.4"; - - src = fetchurl { - url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/sdf2-bundle-2.4.tar.gz"; - sha256 = "2ec83151173378f48a3326e905d11049d094bf9f0c7cff781bc2fce0f3afbc11"; - }; - - buildInputs = [pkgconfig aterm]; - - preConfigure = '' - substituteInPlace pgen/src/sdf2table.src \ - --replace getopt ${getopt}/bin/getopt - ''; - - meta = { - homepage = http://www.program-transformation.org/Sdf/SdfBundle; - meta = "Tools for the SDF2 Syntax Definition Formalism, including the `pgen' parser generator and `sglr' parser"; - }; - } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2 -Wl,--stack=0x2300000"; } else {} ) ) ; - - - strategoxt = stdenv.mkDerivation rec { - name = "strategoxt-0.17"; - - src = fetchurl { - url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/strategoxt-0.17.tar.gz"; - sha256 = "70355576c3ce3c5a8a26435705a49cf7d13e91eada974a654534d63e0d34acdb"; - }; - - buildInputs = [pkgconfig aterm sdf getopt]; - - meta = { - homepage = http://strategoxt.org/; - meta = "A language and toolset for program transformation"; - }; - }; - - strategoShell = stdenv.mkDerivation rec { - name = "stratego-shell-0.7"; - - src = fetchurl { - url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/stratego-shell-0.7.tar.gz"; - sha256 = "0q21vks9gaw9v4rxz90wb0pxzb19l7gwi4nbjvk4zb1imdk7znck"; - }; - - buildInputs = [pkgconfig aterm sdf strategoxt getopt readline ncurses]; - - meta = { - homepage = http://strategoxt.org/; - meta = "A language and toolset for program transformation"; - }; - }; - - - javafront = stdenv.mkDerivation (rec { - name = "java-front-0.9"; - - src = fetchurl { - url = "ftp://ftp.strategoxt.org/pub/stratego/java-front/java-front-0.9/java-front-0.9.tar.gz"; - sha256 = 
"96f40bf31486d3ced3ecebdcc0067e83ce6acbdbe57e3c847136ac3d7b62cc3c"; - }; - - buildInputs = [pkgconfig aterm sdf strategoxt]; - - # !!! The explicit `--with-strategoxt' is necessary; otherwise we - # get an XTC registration that refers to "/share/strategoxt/XTC". - configureFlags = "--enable-xtc --with-strategoxt=${strategoxt}"; - - meta = { - homepage = http://strategoxt.org/Stratego/JavaFront; - meta = "Tools for generating or transforming Java code"; - }; - } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2"; } else {} ) ) ; - - - dryad = stdenv.mkDerivation rec { - name = "dryad-0.2pre18355"; - - src = fetchurl { - url = "http://releases.strategoxt.org/dryad/${name}-zbqfh1rm/dryad-0.2pre18355.tar.gz"; - sha256 = "2c27b7f82f87ffc27b75969acc365560651275d348b3b5cbb530276d20ae83ab"; - }; - - buildInputs = [jdk pkgconfig aterm sdf strategoxt javafront]; - - meta = { - homepage = http://strategoxt.org/Stratego/TheDryad; - meta = "A collection of tools for developing transformation systems for Java source and bytecode"; - }; - }; - - - /* - libraries = ... { - configureFlags = - if stdenv ? isMinGW && stdenv.isMinGW then "--with-std=C99" else ""; - - # avoids loads of warnings about too big description fields because of a broken debug format - CFLAGS = - if stdenv ? isMinGW && stdenv.isMinGW then "-O2" else null; - }; - */ - -} diff --git a/pkgs/development/compilers/strategoxt/0.18.nix b/pkgs/development/compilers/strategoxt/0.18.nix deleted file mode 100644 index 611586c5d93..00000000000 --- a/pkgs/development/compilers/strategoxt/0.18.nix +++ /dev/null 
@@ -1,124 +0,0 @@ -{stdenv, fetchurl, aterm, pkgconfig, getopt, jdk, makeStaticBinaries, readline, ncurses}: - -rec { - - inherit aterm; - - sdf = stdenv.mkDerivation ( rec { - name = "sdf2-bundle-2.4"; - - src = fetchurl { - url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/sdf2-bundle-2.4.tar.gz"; - sha256 = "2ec83151173378f48a3326e905d11049d094bf9f0c7cff781bc2fce0f3afbc11"; - }; - - buildInputs = [pkgconfig aterm]; - - preConfigure = '' - substituteInPlace pgen/src/sdf2table.src \ - --replace getopt ${getopt}/bin/getopt - ''; - - meta = { - homepage = http://www.program-transformation.org/Sdf/SdfBundle; - meta = "Tools for the SDF2 Syntax Definition Formalism, including the `pgen' parser generator and `sglr' parser"; - }; - } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2 -Wl,--stack=0x2300000"; } else {} ) ) ; - - - strategoxt = stdenv.mkDerivation rec { - name = "strategoxt-1.8pre24429"; - - src = fetchurl { - url = http://hydra.nixos.org/build/2175544/download/1/strategoxt-1.8pre24429.tar.gz; - sha256 = "124f1d61a440b94c38b731c2e7015340dbbc1deb6d442b31dbecb46b0a00fa83"; - }; - - buildInputs = [pkgconfig aterm sdf getopt]; - - meta = { - homepage = http://strategoxt.org/; - meta = "A language and toolset for program transformation"; - }; - }; - - strategoShell = stdenv.mkDerivation rec { - name = "stratego-shell-0.7"; - - src = fetchurl { - url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/stratego-shell-0.7.tar.gz"; - sha256 = "0q21vks9gaw9v4rxz90wb0pxzb19l7gwi4nbjvk4zb1imdk7znck"; - }; - - buildInputs = [pkgconfig aterm sdf strategoxt getopt readline ncurses]; - - meta = { - homepage = http://strategoxt.org/; - meta = "A language and toolset for program transformation"; - broken = true; - }; - }; - - javafront = stdenv.mkDerivation (rec { - name = "java-front-0.9.1pre20122"; - - src = fetchurl { - url = "http://hydra.nixos.org/build/766286/download/1/java-front-0.9.1pre20122.tar.gz"; - sha256 = 
"ef85d3af962fcd54e028ea501e64220b86af335a49143f2819bd3f4789bef7e6"; - }; - - buildInputs = [pkgconfig aterm sdf strategoxt]; - - # !!! The explicit `--with-strategoxt' is necessary; otherwise we - # get an XTC registration that refers to "/share/strategoxt/XTC". - configureFlags = "--enable-xtc --with-strategoxt=${strategoxt}"; - - meta = { - homepage = http://strategoxt.org/Stratego/JavaFront; - meta = "Tools for generating or transforming Java code"; - }; - } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2"; } else {} ) ) ; - - - aspectjfront = stdenv.mkDerivation (rec { - name = "aspectj-front-0.2pre20035"; - - src = fetchurl { - url = "http://hydra.nixos.org/build/175690/download/1/aspectj-front-0.2pre20035.tar.gz"; - sha256 = "48f6cda6f9f19436e9553e8d27e6bb42500d08370332e3ad214affb49851e58e"; - }; - - buildInputs = [pkgconfig aterm sdf strategoxt javafront]; - - } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2"; } else {} ) ) ; - - dryad = stdenv.mkDerivation rec { - name = "dryad-0.2pre18355"; - - src = fetchurl { - url = "http://releases.strategoxt.org/dryad/${name}-zbqfh1rm/dryad-0.2pre18355.tar.gz"; - sha256 = "2c27b7f82f87ffc27b75969acc365560651275d348b3b5cbb530276d20ae83ab"; - }; - - buildInputs = [jdk pkgconfig aterm sdf strategoxt javafront]; - - meta = { - homepage = http://strategoxt.org/Stratego/TheDryad; - meta = "A collection of tools for developing transformation systems for Java source and bytecode"; - broken = true; - }; - }; - - - /* - libraries = ... { - configureFlags = - if stdenv ? isMinGW && stdenv.isMinGW then "--with-std=C99" else ""; - - # avoids loads of warnings about too big description fields because of a broken debug format - CFLAGS = - if stdenv ? isMinGW && stdenv.isMinGW then "-O2" else null; - }; - */ - -} diff --git a/pkgs/development/libraries/aterm/2.5.nix b/pkgs/development/libraries/aterm/2.5.nix deleted file mode 100644 index ef53a76d20b..00000000000 
--- a/pkgs/development/libraries/aterm/2.5.nix +++ /dev/null @@ -1,33 +0,0 @@ -{stdenv, fetchurl}: - -stdenv.mkDerivation { - name = "aterm-2.5-r21238"; - - src = fetchurl { - url = http://buildfarm.st.ewi.tudelft.nl/releases/meta-environment/aterm-2.5pre21238-l2q7rg38/aterm-2.5.tar.gz; - md5 = "33ddcb1a229baf406ad1f603eb1d5995"; - }; - - patches = [ - # Fix for http://bugzilla.sen.cwi.nl:8080/show_bug.cgi?id=841 - ./max-long.patch - - # Patch the ATerm header files so that they don't rely on - # SIZEOF_LONG, SIZEOF_INT and SIZEOF_VOID_P being set. - ./sizeof.patch - ]; - - doCheck = true; - - dontDisableStatic = true; - - NIX_CFLAGS_COMPILE = "-D__USE_BSD"; - - meta = { - homepage = http://www.cwi.nl/htbin/sen1/twiki/bin/view/SEN1/ATerm; - license = "LGPL"; - description = "Library for manipulation of term data structures in C"; - platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin; - maintainers = [ stdenv.lib.maintainers.eelco ]; - }; -} diff --git a/pkgs/development/libraries/aterm/max-long.patch b/pkgs/development/libraries/aterm/max-long.patch deleted file mode 100644 index a2f260b970b..00000000000 --- a/pkgs/development/libraries/aterm/max-long.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -diff -rc aterm-2.8-orig/aterm/hash.c aterm-2.8/aterm/hash.c -*** aterm-2.8-orig/aterm/hash.c 2008-11-10 13:54:22.000000000 +0100 ---- aterm-2.8/aterm/hash.c 2009-01-27 18:14:14.000000000 +0100 -*************** -*** 93,146 **** - } - - /*}}} */ -- /*{{{ static long calc_long_max() */ -- static long calc_long_max() -- { -- long try_long_max; -- long long_max; -- long delta; -- -- try_long_max = 1; -- do { -- long_max = try_long_max; -- try_long_max = long_max * 2; -- } while (try_long_max > 0); -- -- delta = long_max; -- while (delta > 1) { -- while (long_max + delta < 0) { -- delta /= 2; -- } -- long_max += delta; -- } -- -- return long_max; -- -- } -- /*}}} */ - /*{{{ static long calculateNewSize(sizeMinus1, nrdel, nrentries) */ - - static long calculateNewSize - (long sizeMinus1, long nr_deletions, long nr_entries) - { -- -- /* Hack: LONG_MAX (limits.h) is often unreliable, we need to find -- * out the maximum possible value of a signed long dynamically. -- */ -- static long st_long_max = 0; -- -- /* the resulting length has the form 2^k-1 */ -- - if (nr_deletions >= nr_entries/2) { - return sizeMinus1; - } - -! if (st_long_max == 0) { -! st_long_max = calc_long_max(); -! } -! -! if (sizeMinus1 > st_long_max / 2) { -! return st_long_max-1; - } - - return (2*sizeMinus1)+1; ---- 93,109 ---- - } - - /*}}} */ - /*{{{ static long calculateNewSize(sizeMinus1, nrdel, nrentries) */ - - static long calculateNewSize - (long sizeMinus1, long nr_deletions, long nr_entries) - { - if (nr_deletions >= nr_entries/2) { - return sizeMinus1; - } - -! if (sizeMinus1 > LONG_MAX / 2) { -! return LONG_MAX-1; - } - - return (2*sizeMinus1)+1; diff --git a/pkgs/development/libraries/aterm/sizeof.patch b/pkgs/development/libraries/aterm/sizeof.patch deleted file mode 100644 index 2649cc56491..00000000000 --- a/pkgs/development/libraries/aterm/sizeof.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -diff -rc -x '*~' aterm-2.5-orig/aterm/aterm.c aterm-2.5/aterm/aterm.c -*** aterm-2.5-orig/aterm/aterm.c 2007-02-27 23:41:31.000000000 +0100 ---- aterm-2.5/aterm/aterm.c 2010-02-23 15:10:38.000000000 +0100 -*************** -*** 150,155 **** ---- 150,157 ---- - if (initialized) - return; - -+ assert(sizeof(long) == sizeof(void *)); -+ - /*{{{ Handle arguments */ - - for (lcv=1; lcv < argc; lcv++) { -diff -rc -x '*~' aterm-2.5-orig/aterm/encoding.h aterm-2.5/aterm/encoding.h -*** aterm-2.5-orig/aterm/encoding.h 2007-02-27 23:41:31.000000000 +0100 ---- aterm-2.5/aterm/encoding.h 2010-02-23 15:36:05.000000000 +0100 -*************** -*** 10,24 **** - { - #endif/* __cplusplus */ - -! #if SIZEOF_LONG > 4 -! #define AT_64BIT - #endif - -! #if SIZEOF_LONG != SIZEOF_VOID_P -! #error Size of long is not the same as the size of a pointer - #endif - -! #if SIZEOF_INT > 4 - #error Size of int is not 32 bits - #endif - ---- 10,30 ---- - { - #endif/* __cplusplus */ - -! #include -! -! #ifndef SIZEOF_LONG -! #if ULONG_MAX > 4294967295 -! #define SIZEOF_LONG 8 -! #else -! #define SIZEOF_LONG 4 -! #endif - #endif - -! #if SIZEOF_LONG > 4 -! #define AT_64BIT - #endif - -! #if UINT_MAX > 4294967295 - #error Size of int is not 32 bits - #endif - diff --git a/pkgs/tools/typesetting/bibtex-tools/default.nix b/pkgs/tools/typesetting/bibtex-tools/default.nix deleted file mode 100644 index a822a181a65..00000000000 --- a/pkgs/tools/typesetting/bibtex-tools/default.nix +++ /dev/null @@ -1,17 +0,0 @@ -{stdenv, fetchurl, hevea, tetex, strategoxt, aterm, sdf}: - -stdenv.mkDerivation { - name = "bibtex-tools-0.2pre13026"; - src = fetchurl { - url = http://tarballs.nixos.org/bibtex-tools-0.2pre13026.tar.gz; - md5 = "2d8a5de7c53eb670307048eb3d14cdd6"; - }; - configureFlags = " - --with-aterm=${aterm} - --with-sdf=${sdf} - --with-strategoxt=${strategoxt} - --with-hevea=${hevea} - --with-latex=${tetex}"; - buildInputs = [aterm sdf strategoxt hevea]; - meta.broken = true; -} 
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 06011dcd4bb..2a01196be09 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -995,10 +995,6 @@ let UnicodeCollate UnicodeLineBreak URI XMLLibXMLSimple XMLLibXSLT XMLWriter; }; - bibtextools = callPackage ../tools/typesetting/bibtex-tools { - inherit (strategoPackages016) strategoxt sdf; - }; - bittornado = callPackage ../tools/networking/p2p/bit-tornado { }; blueman = callPackage ../tools/bluetooth/blueman { @@ -4911,11 +4907,6 @@ let llvm = llvm_36; }; - qcmm = callPackage ../development/compilers/qcmm { - lua = lua4; - ocaml = ocaml_3_08_0; - }; - rtags = callPackage ../development/tools/rtags/default.nix {}; rustcMaster = callPackage ../development/compilers/rustc/head.nix {}; @@ -4980,20 +4971,6 @@ let stalin = callPackage ../development/compilers/stalin { }; - strategoPackages = recurseIntoAttrs strategoPackages018; - - strategoPackages016 = callPackage ../development/compilers/strategoxt/0.16.nix { - stdenv = overrideInStdenv stdenv [gnumake380]; - }; - - strategoPackages017 = callPackage ../development/compilers/strategoxt/0.17.nix { - readline = readline5; - }; - - strategoPackages018 = callPackage ../development/compilers/strategoxt/0.18.nix { - readline = readline5; - }; - metaBuildEnv = callPackage ../development/compilers/meta-environment/meta-build-env { }; swiProlog = callPackage ../development/compilers/swi-prolog { }; @@ -6194,10 +6171,6 @@ let aspellDicts = recurseIntoAttrs (callPackages ../development/libraries/aspell/dictionaries.nix {}); - aterm = aterm25; - - aterm25 = callPackage ../development/libraries/aterm/2.5.nix { }; - attica = callPackage ../development/libraries/attica { }; attr = callPackage ../development/libraries/attr { }; From 73f4c2bdf89ca02d70e614631531af307d056fef Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Tue, 26 Jan 2016 04:25:30 +0100 Subject: [PATCH 010/603] Remove lsh, broken & unmaintained --- nixos/modules/config/gnu.nix | 9 +- .../modules/services/networking/ssh/lshd.nix | 176 ------------------ pkgs/tools/networking/lsh/default.nix | 49 ----- .../networking/lsh/lshd-no-root-login.patch | 16 -- .../networking/lsh/pam-service-name.patch | 14 -- pkgs/top-level/all-packages.nix | 4 - 6 files changed, 1 insertion(+), 267 deletions(-) delete mode 100644 nixos/modules/services/networking/ssh/lshd.nix delete mode 100644 pkgs/tools/networking/lsh/default.nix delete mode 100644 pkgs/tools/networking/lsh/lshd-no-root-login.patch delete mode 100644 pkgs/tools/networking/lsh/pam-service-name.patch diff --git a/nixos/modules/config/gnu.nix b/nixos/modules/config/gnu.nix index f8c35b440d1..5cc41ce8690 100644 --- a/nixos/modules/config/gnu.nix +++ b/nixos/modules/config/gnu.nix @@ -9,8 +9,7 @@ with lib; default = false; description = '' When enabled, GNU software is chosen by default whenever a there is - a choice between GNU and non-GNU software (e.g., GNU lsh - vs. OpenSSH). + a choice between GNU and non-GNU software. ''; }; }; @@ -33,12 +32,6 @@ with lib; boot.loader.grub.enable = !pkgs.stdenv.isArm; boot.loader.grub.version = 2; - # GNU lsh. - services.openssh.enable = false; - services.lshd.enable = true; - programs.ssh.startAgent = false; - services.xserver.startGnuPGAgent = true; - # TODO: GNU dico. # TODO: GNU Inetutils' inetd. # TODO: GNU Pies. diff --git a/nixos/modules/services/networking/ssh/lshd.nix b/nixos/modules/services/networking/ssh/lshd.nix deleted file mode 100644 index 661a6a52463..00000000000 --- a/nixos/modules/services/networking/ssh/lshd.nix +++ /dev/null 
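Review bot: Dropping the `services.openssh.enable = false; services.lshd.enable = true;` pair from gnu.nix means a system with `gnu.enable = true` that previously ran an SSH server now runs none, since nothing else in the hunk turns openssh on — a remote host rebuilt with this change loses its login path. Either put `services.openssh.enable = mkDefault true; # lsh was removed; fall back to OpenSSH` in its place, or call the change out in the release notes so such users add it themselves. The dropped `programs.ssh.startAgent = false` and `services.xserver.startGnuPGAgent = true` lines likewise revert to whatever those options default to, which deserves the same mention. The `config` attribute set this hunk edits opens before the hunk.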
@@ -1,176 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - inherit (pkgs) lsh; - - cfg = config.services.lshd; - -in - -{ - - ###### interface - - options = { - - services.lshd = { - - enable = mkOption { - default = false; - description = '' - Whether to enable the GNU lshd SSH2 daemon, which allows - secure remote login. - ''; - }; - - portNumber = mkOption { - default = 22; - description = '' - The port on which to listen for connections. - ''; - }; - - interfaces = mkOption { - default = []; - description = '' - List of network interfaces where listening for connections. - When providing the empty list, `[]', lshd listens on all - network interfaces. - ''; - example = [ "localhost" "1.2.3.4:443" ]; - }; - - hostKey = mkOption { - default = "/etc/lsh/host-key"; - description = '' - Path to the server's private key. Note that this key must - have been created, e.g., using "lsh-keygen --server | - lsh-writekey --server", so that you can run lshd. - ''; - }; - - syslog = mkOption { - default = true; - description = ''Whether to enable syslog output.''; - }; - - passwordAuthentication = mkOption { - default = true; - description = ''Whether to enable password authentication.''; - }; - - publicKeyAuthentication = mkOption { - default = true; - description = ''Whether to enable public key authentication.''; - }; - - rootLogin = mkOption { - default = false; - description = ''Whether to enable remote root login.''; - }; - - loginShell = mkOption { - default = null; - description = '' - If non-null, override the default login shell with the - specified value. - ''; - example = "/nix/store/xyz-bash-10.0/bin/bash10"; - }; - - srpKeyExchange = mkOption { - default = false; - description = '' - Whether to enable SRP key exchange and user authentication. 
- ''; - }; - - tcpForwarding = mkOption { - default = true; - description = ''Whether to enable TCP/IP forwarding.''; - }; - - x11Forwarding = mkOption { - default = true; - description = ''Whether to enable X11 forwarding.''; - }; - - subsystems = mkOption { - description = '' - List of subsystem-path pairs, where the head of the pair - denotes the subsystem name, and the tail denotes the path to - an executable implementing it. - ''; - }; - - }; - - }; - - - ###### implementation - - config = mkIf cfg.enable { - - services.lshd.subsystems = [ ["sftp" "${pkgs.lsh}/sbin/sftp-server"] ]; - - systemd.services.lshd = { - description = "GNU lshd SSH2 daemon"; - - after = [ "network-interfaces.target" ]; - - wantedBy = [ "multi-user.target" ]; - - environment = { - LD_LIBRARY_PATH = config.system.nssModules.path; - }; - - preStart = '' - test -d /etc/lsh || mkdir -m 0755 -p /etc/lsh - test -d /var/spool/lsh || mkdir -m 0755 -p /var/spool/lsh - - if ! test -f /var/spool/lsh/yarrow-seed-file - then - # XXX: It would be nice to provide feedback to the - # user when this fails, so that they can retry it - # manually. - ${lsh}/bin/lsh-make-seed --sloppy \ - -o /var/spool/lsh/yarrow-seed-file - fi - - if ! 
test -f "${cfg.hostKey}" - then - ${lsh}/bin/lsh-keygen --server | \ - ${lsh}/bin/lsh-writekey --server -o "${cfg.hostKey}" - fi - ''; - - script = with cfg; '' - ${lsh}/sbin/lshd --daemonic \ - --password-helper="${lsh}/sbin/lsh-pam-checkpw" \ - -p ${toString portNumber} \ - ${if interfaces == [] then "" - else (concatStrings (map (i: "--interface=\"${i}\"") - interfaces))} \ - -h "${hostKey}" \ - ${if !syslog then "--no-syslog" else ""} \ - ${if passwordAuthentication then "--password" else "--no-password" } \ - ${if publicKeyAuthentication then "--publickey" else "--no-publickey" } \ - ${if rootLogin then "--root-login" else "--no-root-login" } \ - ${if loginShell != null then "--login-shell=\"${loginShell}\"" else "" } \ - ${if srpKeyExchange then "--srp-keyexchange" else "--no-srp-keyexchange" } \ - ${if !tcpForwarding then "--no-tcpip-forward" else "--tcpip-forward"} \ - ${if x11Forwarding then "--x11-forward" else "--no-x11-forward" } \ - --subsystems=${concatStringsSep "," - (map (pair: (head pair) + "=" + - (head (tail pair))) - subsystems)} - ''; - }; - - security.pam.services.lshd = {}; - }; -} diff --git a/pkgs/tools/networking/lsh/default.nix b/pkgs/tools/networking/lsh/default.nix deleted file mode 100644 index 77d268f3a47..00000000000 --- a/pkgs/tools/networking/lsh/default.nix +++ /dev/null 
@@ -1,49 +0,0 @@ -{ stdenv, fetchurl, gperf, guile, gmp, zlib, liboop, readline, gnum4, pam -, nettools, lsof, procps }: - -stdenv.mkDerivation rec { - name = "lsh-2.0.4"; - src = fetchurl { - url = "mirror://gnu/lsh/${name}.tar.gz"; - sha256 = "614b9d63e13ad3e162c82b6405d1f67713fc622a8bc11337e72949d613713091"; - }; - - patches = [ ./pam-service-name.patch ./lshd-no-root-login.patch ]; - - preConfigure = '' - # Patch `lsh-make-seed' so that it can gather enough entropy. - sed -i "src/lsh-make-seed.c" \ - -e "s|/usr/sbin/arp|${nettools}/sbin/arp|g ; - s|/usr/bin/netstat|${nettools}/bin/netstat|g ; - s|/usr/local/bin/lsof|${lsof}/bin/lsof|g ; - s|/bin/vmstat|${procps}/bin/vmstat|g ; - s|/bin/ps|${procps}/bin/sp|g ; - s|/usr/bin/w|${procps}/bin/w|g ; - s|/usr/bin/df|$(type -P df)|g ; - s|/usr/bin/ipcs|$(type -P ipcs)|g ; - s|/usr/bin/uptime|$(type -P uptime)|g" - - # Skip the `configure' script that checks whether /dev/ptmx & co. work as - # expected, because it relies on impurities (for instance, /dev/pts may - # be unavailable in chroots.) - export lsh_cv_sys_unix98_ptys=yes - ''; - - buildInputs = [ gperf guile gmp zlib liboop readline gnum4 pam ]; - - meta = { - description = "GPL'd implementation of the SSH protocol"; - - longDescription = '' - lsh is a free implementation (in the GNU sense) of the ssh - version 2 protocol, currently being standardised by the IETF - SECSH working group. - ''; - - homepage = http://www.lysator.liu.se/~nisse/lsh/; - license = stdenv.lib.licenses.gpl2Plus; - - maintainers = [ ]; - platforms = [ "x86_64-linux" ]; - }; -} diff --git a/pkgs/tools/networking/lsh/lshd-no-root-login.patch b/pkgs/tools/networking/lsh/lshd-no-root-login.patch deleted file mode 100644 index 9dd81de3fbc..00000000000 --- a/pkgs/tools/networking/lsh/lshd-no-root-login.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -Correctly handle the `--no-root-login' option. - ---- lsh-2.0.4/src/lshd.c 2006-05-01 13:47:44.000000000 +0200 -+++ lsh-2.0.4/src/lshd.c 2009-09-08 12:20:36.000000000 +0200 -@@ -758,6 +758,10 @@ main_argp_parser(int key, char *arg, str - self->allow_root = 1; - break; - -+ case OPT_NO_ROOT_LOGIN: -+ self->allow_root = 0; -+ break; -+ - case OPT_KERBEROS_PASSWD: - self->pw_helper = PATH_KERBEROS_HELPER; - break; - diff --git a/pkgs/tools/networking/lsh/pam-service-name.patch b/pkgs/tools/networking/lsh/pam-service-name.patch deleted file mode 100644 index 6a6156855c5..00000000000 --- a/pkgs/tools/networking/lsh/pam-service-name.patch +++ /dev/null @@ -1,14 +0,0 @@ -Tell `lsh-pam-checkpw', the PAM password helper program, to use a more -descriptive service name. - ---- lsh-2.0.4/src/lsh-pam-checkpw.c 2003-02-16 22:30:10.000000000 +0100 -+++ lsh-2.0.4/src/lsh-pam-checkpw.c 2008-11-28 16:16:58.000000000 +0100 -@@ -38,7 +38,7 @@ - #include - - #define PWD_MAXLEN 1024 --#define SERVICE_NAME "other" -+#define SERVICE_NAME "lshd" - #define TIMEOUT 600 - - static int diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 2a01196be09..4031575e12e 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -2212,10 +2212,6 @@ let lrzip = callPackage ../tools/compression/lrzip { }; - # lsh installs `bin/nettle-lfib-stream' and so does Nettle. Give the - # former a lower priority than Nettle. - lsh = lowPrio (callPackage ../tools/networking/lsh { }); - lshw = callPackage ../tools/system/lshw { }; lxc = callPackage ../os-specific/linux/lxc { }; From 1581f25a07dda0639d1ef8a5d40b1904fec9ca95 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 26 Jan 2016 17:34:17 +0000 Subject: [PATCH 011/603] multipath-tools: no format hardening --- pkgs/os-specific/linux/multipath-tools/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/pkgs/os-specific/linux/multipath-tools/default.nix b/pkgs/os-specific/linux/multipath-tools/default.nix index ba69b421c3d..8aee4b73fdd 100644 --- a/pkgs/os-specific/linux/multipath-tools/default.nix +++ b/pkgs/os-specific/linux/multipath-tools/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1yd6l1l1c62xjr1xnij2x49kr416anbgfs4y06r86kp9hkmz2g7i"; }; + hardening_format = false; + postPatch = '' sed -i -re ' s,^( *#define +DEFAULT_MULTIPATHDIR\>).*,\1 "'"$out/lib/multipath"'", From c10ca363c6c12e7fc2455e0599bba23b0291a290 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 26 Jan 2016 20:51:11 +0000 Subject: [PATCH 012/603] graphviz: no fortify hardening --- pkgs/tools/graphics/graphviz/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix index bb0d54a7ec2..9a9621dd784 100644 --- a/pkgs/tools/graphics/graphviz/default.nix +++ b/pkgs/tools/graphics/graphviz/default.nix @@ -12,11 +12,11 @@ stdenv.mkDerivation rec { sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1"; }; - #hardening_all = false; + hardening_fortify = false; patches = [ ./0001-vimdot-lookup-vim-in-PATH.patch - + # NOTE: Once this patch is removed, flex can probably be removed from # buildInputs. ./cve-2014-9157.patch From 8329066d5e9bb2888c4a194605d11ef09534aaf2 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 28 Jan 2016 01:46:45 +0000 Subject: [PATCH 013/603] lsh: remove last references --- nixos/modules/module-list.nix | 1 - pkgs/top-level/guile-2-test.nix | 1 - pkgs/top-level/release-cross.nix | 1 - pkgs/top-level/release-small.nix | 1 - 4 files changed, 4 deletions(-) diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 2ff61877c23..fda28fcf27b 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix 
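Review bot: The added `hardening_format = false;` says nothing about which compile error it works around, so nobody can later tell whether the opt-out is still needed after an update or a patch. The same silent opt-out appears in the later hunks of this series (graphviz and libupnp fortify; gcc 4.5, texlive core-big, patchutils, librsync 0.9, avr-gcc, freetds, libgeotiff, ltl2ba, cvs and gdome2 format; xen stackprotector; opencv bindnow/relro; disk-indicator fortify). Please attach the reason inline, e.g. `hardening_format = false; # <paste the failing compiler diagnostic>; re-check on next version bump`. Where the failure is a non-literal printf/syslog format string, the jfsutils and dmraid commits later in this series show the better option: patch the call to use `"%s"` and keep the hardening on.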
@@ -358,7 +358,6 @@ ./services/networking/softether.nix ./services/networking/spiped.nix ./services/networking/sslh.nix - ./services/networking/ssh/lshd.nix ./services/networking/ssh/sshd.nix ./services/networking/strongswan.nix ./services/networking/supplicant.nix diff --git a/pkgs/top-level/guile-2-test.nix b/pkgs/top-level/guile-2-test.nix index 802277d474a..3219fc9108a 100644 --- a/pkgs/top-level/guile-2-test.nix +++ b/pkgs/top-level/guile-2-test.nix @@ -56,7 +56,6 @@ in (mapTestOn { guile = linux; autogen = linux; - lsh = linux; mailutils = linux; mcron = linux; texmacs = linux; diff --git a/pkgs/top-level/release-cross.nix b/pkgs/top-level/release-cross.nix index ced90c0489c..fe7b88d813c 100644 --- a/pkgs/top-level/release-cross.nix +++ b/pkgs/top-level/release-cross.nix @@ -219,7 +219,6 @@ in { libffi.crossDrv = nativePlatforms; libtool.crossDrv = nativePlatforms; libunistring.crossDrv = nativePlatforms; - lsh.crossDrv = nativePlatforms; nixUnstable.crossDrv = nativePlatforms; openssl.crossDrv = nativePlatforms; # dependency of Nix patch.crossDrv = nativePlatforms; diff --git a/pkgs/top-level/release-small.nix b/pkgs/top-level/release-small.nix index 409213e09e6..f58626220bc 100644 --- a/pkgs/top-level/release-small.nix +++ b/pkgs/top-level/release-small.nix @@ -89,7 +89,6 @@ with import ./release-lib.nix { inherit supportedSystems; }; libxml2 = all; libxslt = all; lout = linux; - lsh = linux; lsof = linux; ltrace = linux; lvm2 = linux; From acb408646e1151cd2d0ee188d5a36424bfc2ea00 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Thu, 28 Jan 2016 01:46:59 +0000 Subject: [PATCH 014/603] remove local pic flags, now set by hardened stdenv --- pkgs/development/libraries/a52dec/default.nix | 2 -- pkgs/development/libraries/cgui/default.nix | 1 - pkgs/development/libraries/gsm/default.nix | 2 -- pkgs/development/libraries/hspell/default.nix | 2 -- pkgs/development/libraries/itk/default.nix | 1 - pkgs/development/libraries/libdnet/default.nix | 2 -- pkgs/development/libraries/libunwind/default.nix | 1 - pkgs/development/libraries/libyaml-cpp/default.nix | 4 +--- pkgs/development/libraries/phonon/qt5/default.nix | 2 -- pkgs/development/libraries/plib/default.nix | 5 +---- pkgs/development/libraries/science/math/atlas/default.nix | 4 ---- .../libraries/science/math/suitesparse/default.nix | 2 -- pkgs/development/libraries/zlib/default.nix | 3 +-- pkgs/development/tools/toluapp/default.nix | 2 -- pkgs/tools/graphics/netpbm/default.nix | 2 -- 15 files changed, 3 insertions(+), 32 deletions(-) diff --git a/pkgs/development/libraries/a52dec/default.nix b/pkgs/development/libraries/a52dec/default.nix index 7d5c5fab393..5a47d50284f 100644 --- a/pkgs/development/libraries/a52dec/default.nix +++ b/pkgs/development/libraries/a52dec/default.nix @@ -8,8 +8,6 @@ stdenv.mkDerivation rec { sha256 = "0czccp4fcpf2ykp16xcrzdfmnircz1ynhls334q374xknd5747d2"; }; - NIX_CFLAGS_COMPILE = "-fpic"; - # From Handbrake patches = [ ./A00-a52-state-t-public.patch diff --git a/pkgs/development/libraries/cgui/default.nix b/pkgs/development/libraries/cgui/default.nix index 0f117862236..29413b1c845 100644 --- a/pkgs/development/libraries/cgui/default.nix +++ b/pkgs/development/libraries/cgui/default.nix @@ -12,7 +12,6 @@ stdenv.mkDerivation rec { buildInputs = [ texinfo allegro perl ]; configurePhase = '' - export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -fPIC" sh fix.sh unix ''; 
diff --git a/pkgs/development/libraries/gsm/default.nix b/pkgs/development/libraries/gsm/default.nix index fb9ff8eb0fb..42d36b8406e 100644 --- a/pkgs/development/libraries/gsm/default.nix +++ b/pkgs/development/libraries/gsm/default.nix @@ -41,8 +41,6 @@ stdenv.mkDerivation rec { preInstall = "mkdir -p $out/{bin,lib,man/man1,man/man3,include/gsm}"; - NIX_CFLAGS_COMPILE = optional (!staticSupport) "-fPIC"; - parallelBuild = false; meta = with stdenv.lib; { diff --git a/pkgs/development/libraries/hspell/default.nix b/pkgs/development/libraries/hspell/default.nix index 9b44d12c293..eebd105a00d 100644 --- a/pkgs/development/libraries/hspell/default.nix +++ b/pkgs/development/libraries/hspell/default.nix @@ -16,8 +16,6 @@ stdenv.mkDerivation rec { patchPhase = ''patchShebangs .''; buildInputs = [ perl zlib ]; - makeFlags = "CFLAGS=-fPIC"; - meta = { description = "Hebrew spell checker"; homepage = http://hspell.ivrix.org.il/; diff --git a/pkgs/development/libraries/itk/default.nix b/pkgs/development/libraries/itk/default.nix index 7b4e3834af7..eda9434ab65 100644 --- a/pkgs/development/libraries/itk/default.nix +++ b/pkgs/development/libraries/itk/default.nix @@ -12,7 +12,6 @@ stdenv.mkDerivation rec { "-DBUILD_TESTING=OFF" "-DBUILD_EXAMPLES=OFF" "-DBUILD_SHARED_LIBS=ON" - "-DCMAKE_CXX_FLAGS=-fPIC" ]; enableParallelBuilding = true; diff --git a/pkgs/development/libraries/libdnet/default.nix b/pkgs/development/libraries/libdnet/default.nix index 8911539d7b0..dbda4107c48 100644 --- a/pkgs/development/libraries/libdnet/default.nix +++ b/pkgs/development/libraries/libdnet/default.nix @@ -12,8 +12,6 @@ stdenv.mkDerivation { buildInputs = [ automake autoconf libtool ]; - CFLAGS="-fPIC"; - # .so endings are missing (quick and dirty fix) postInstall = '' for i in $out/lib/*; do diff --git a/pkgs/development/libraries/libunwind/default.nix b/pkgs/development/libraries/libunwind/default.nix index 3fc8b508559..86f0c50dd20 100644 
--- a/pkgs/development/libraries/libunwind/default.nix +++ b/pkgs/development/libraries/libunwind/default.nix @@ -22,7 +22,6 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ xz ]; - NIX_CFLAGS_COMPILE = if stdenv.system == "x86_64-linux" then "-fPIC" else ""; preInstall = '' mkdir -p "$out/lib" touch "$out/lib/libunwind-generic.so" diff --git a/pkgs/development/libraries/libyaml-cpp/default.nix b/pkgs/development/libraries/libyaml-cpp/default.nix index f56bf77abfe..1ba31a7a6d5 100644 --- a/pkgs/development/libraries/libyaml-cpp/default.nix +++ b/pkgs/development/libraries/libyaml-cpp/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, cmake, boost, makePIC ? false }: +{ stdenv, fetchurl, cmake, boost }: stdenv.mkDerivation { name = "libyaml-cpp-0.5.1"; @@ -10,8 +10,6 @@ stdenv.mkDerivation { buildInputs = [ cmake boost ]; - cmakeFlags = stdenv.lib.optionals makePIC [ "-DCMAKE_C_FLAGS=-fPIC" "-DCMAKE_CXX_FLAGS=-fPIC" ]; - meta = with stdenv.lib; { homepage = http://code.google.com/p/yaml-cpp/; description = "A YAML parser and emitter for C++"; diff --git a/pkgs/development/libraries/phonon/qt5/default.nix b/pkgs/development/libraries/phonon/qt5/default.nix index fc07344d2d1..c7baeb2e340 100644 --- a/pkgs/development/libraries/phonon/qt5/default.nix +++ b/pkgs/development/libraries/phonon/qt5/default.nix @@ -20,8 +20,6 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ cmake pkgconfig ]; - NIX_CFLAGS_COMPILE = "-fPIC"; - cmakeFlags = [ "-DCMAKE_BUILD_TYPE=${if debug then "Debug" else "Release"}" "-DPHONON_BUILD_PHONON4QT5=ON" diff --git a/pkgs/development/libraries/plib/default.nix b/pkgs/development/libraries/plib/default.nix index ff60e62cad3..dc75a407e92 100644 --- a/pkgs/development/libraries/plib/default.nix +++ b/pkgs/development/libraries/plib/default.nix 
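Review bot: Removing `makePIC ? false` from libyaml-cpp's argument set is an interface change, not just dead-flag cleanup: a caller that still passes `makePIC` explicitly (an override in all-packages.nix, for instance) now fails at evaluation with an unexpected-argument error instead of having the flag ignored. The `enablePIC` argument removed from plib in the next file has the same exposure. Grep the tree for both names before merging, or keep `makePIC ? false` as an accepted-but-unused argument for one cycle.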
@@ -1,6 +1,5 @@ { fetchurl, stdenv, mesa, freeglut, SDL -, libXi, libSM, libXmu, libXext, libX11, -enablePIC ? false }: +, libXi, libSM, libXmu, libXext, libX11 }: stdenv.mkDerivation rec { name = "plib-1.8.5"; @@ -13,8 +12,6 @@ stdenv.mkDerivation rec { patches = [ ./CVE-2012-4552.patch ]; - NIX_CFLAGS_COMPILE = if enablePIC then "-fPIC" else ""; - propagatedBuildInputs = [ mesa freeglut SDL diff --git a/pkgs/development/libraries/science/math/atlas/default.nix b/pkgs/development/libraries/science/math/atlas/default.nix index 1fa48ffea91..9779af6addc 100644 --- a/pkgs/development/libraries/science/math/atlas/default.nix +++ b/pkgs/development/libraries/science/math/atlas/default.nix @@ -73,14 +73,10 @@ stdenv.mkDerivation { configureScript=../configure ''; - # * -fPIC is passed even in non-shared builds so that the ATLAS code can be - # used to inside of shared libraries, like Octave does. - # # * -t 0 disables use of multi-threading. It's not quite clear what the # consequences of that setting are and whether it's necessary or not. configureFlags = [ "-Fa alg" - "-fPIC" "-t ${threads}" cpuConfig ] ++ optional shared "--shared" diff --git a/pkgs/development/libraries/science/math/suitesparse/default.nix b/pkgs/development/libraries/science/math/suitesparse/default.nix index e32b8b34426..b4b9a6970ff 100644 --- a/pkgs/development/libraries/science/math/suitesparse/default.nix +++ b/pkgs/development/libraries/science/math/suitesparse/default.nix @@ -33,8 +33,6 @@ stdenv.mkDerivation { "LAPACK=" ]; - NIX_CFLAGS = "-fPIC"; - postInstall = '' # Build and install shared library ( diff --git a/pkgs/development/libraries/zlib/default.nix b/pkgs/development/libraries/zlib/default.nix index 7a6f480215c..93474d14344 100644 --- a/pkgs/development/libraries/zlib/default.nix +++ b/pkgs/development/libraries/zlib/default.nix 
@@ -31,8 +31,7 @@ stdenv.mkDerivation (rec { # As zlib takes part in the stdenv building, we don't want references # to the bootstrap-tools libgcc (as uses to happen on arm/mips) - NIX_CFLAGS_COMPILE = stdenv.lib.optionalString (!stdenv.isDarwin) "-static-libgcc " - + stdenv.lib.optionalString (stdenv.isFreeBSD) "-fPIC"; + NIX_CFLAGS_COMPILE = stdenv.lib.optionalString (!stdenv.isDarwin) "-static-libgcc"; crossAttrs = { dontStrip = static; diff --git a/pkgs/development/tools/toluapp/default.nix b/pkgs/development/tools/toluapp/default.nix index 73a8b64ed22..69dfa0280e5 100644 --- a/pkgs/development/tools/toluapp/default.nix +++ b/pkgs/development/tools/toluapp/default.nix @@ -20,8 +20,6 @@ stdenv.mkDerivation rec { --replace /usr/local $out ''; - NIX_CFLAGS_COMPILE = "-fPIC"; - buildPhase = ''scons''; installPhase = ''scons install''; diff --git a/pkgs/tools/graphics/netpbm/default.nix b/pkgs/tools/graphics/netpbm/default.nix index e69a73ff321..853b298f158 100644 --- a/pkgs/tools/graphics/netpbm/default.nix +++ b/pkgs/tools/graphics/netpbm/default.nix @@ -15,8 +15,6 @@ stdenv.mkDerivation rec { --replace '"-DSAFER"' '"-DPARANOIDSAFER"' ''; - NIX_CFLAGS_COMPILE = "-fPIC"; # Gentoo adds this on every platform - buildInputs = [ pkgconfig flex zlib perl libpng libjpeg libxml2 makeWrapper libtiff ] ++ lib.optional enableX11 libX11; From 8f7ffe9ba3f19103ab8f5f0f812b3ebcaa169460 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 29 Jan 2016 04:02:59 +0000 Subject: [PATCH 015/603] netpbm: 10.66.00 -> 10.70.00 --- pkgs/tools/graphics/netpbm/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/graphics/netpbm/default.nix b/pkgs/tools/graphics/netpbm/default.nix index 853b298f158..9f0253d1462 100644 --- a/pkgs/tools/graphics/netpbm/default.nix +++ b/pkgs/tools/graphics/netpbm/default.nix 
@@ -3,11 +3,11 @@ , enableX11 ? false, libX11 }: stdenv.mkDerivation rec { - name = "netpbm-10.66.00"; + name = "netpbm-10.70.00"; src = fetchurl { url = "mirror://gentoo/distfiles/${name}.tar.xz"; - sha256 = "1z33pxdir92m7jlvp5c2q44gxwj7jyf8skiqkr71kgirw4w4zsbz"; + sha256 = "14vxmzbwsy4rzrqjnzr4cvz1s0amacq69faps3v1j1kr05lcns0j"; }; postPatch = /* CVE-2005-2471, from Arch */ '' From 1ff7179925f2948cf10b2674cc823b5c61f91f20 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 29 Jan 2016 04:16:15 +0000 Subject: [PATCH 016/603] libupnp: no fortify hardening --- pkgs/development/libraries/pupnp/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/libraries/pupnp/default.nix b/pkgs/development/libraries/pupnp/default.nix index 430a09aeede..22dbef1bac2 100644 --- a/pkgs/development/libraries/pupnp/default.nix +++ b/pkgs/development/libraries/pupnp/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0amjv4lypvclmi4vim2qdyw5xa6v4x50zjgf682vahqjc0wjn55k"; }; - #hardening_all = false; + hardening_fortify = false; meta = { description = "libupnp, an open source UPnP development kit for Linux"; From 78a1ae85ed70454d5697d73ba8d1c1eebc66c173 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 29 Jan 2016 04:50:46 +0000 Subject: [PATCH 017/603] drbd: set DESTDIR --- pkgs/os-specific/linux/drbd/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/drbd/default.nix b/pkgs/os-specific/linux/drbd/default.nix index 4c945a7fbac..d90d6faac39 100644 --- a/pkgs/os-specific/linux/drbd/default.nix +++ b/pkgs/os-specific/linux/drbd/default.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { makeFlags = "SHELL=${stdenv.shell}"; - installFlags = "localstatedir=$(TMPDIR)/var sysconfdir=$(out)/etc INITDIR=$(out)/etc/init.d"; + installFlags = "localstatedir=$(TMPDIR)/var sysconfdir=$(out)/etc INITDIR=$(out)/etc/init.d DESTDIR=$(out)"; meta = { homepage = http://www.drbd.org/; 
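Review bot: `DESTDIR=$(out)` is added next to `sysconfdir=$(out)/etc` and `INITDIR=$(out)/etc/init.d`, which already hold the absolute output path; if drbd's install rules prepend DESTDIR to those variables, as GNU-style rules do, files end up under `$out$out/etc`, so the built store path should be checked for a doubled prefix. If DESTDIR is only needed for paths the Makefile hardcodes, say so on the line: `# DESTDIR relocates the paths drbd's Makefile hardcodes; sysconfdir/INITDIR are already absolute`. The rest of the derivation is outside the hunk.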
From e721382448fdbf8002e9b0121c3ae11f5701261e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 29 Jan 2016 05:08:57 +0000 Subject: [PATCH 018/603] jfsutils: add patch to build with format hardening --- pkgs/tools/filesystems/jfsutils/default.nix | 2 +- .../jfsutils/hardening-format.patch | 37 +++++++++++++++++++ 2 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 pkgs/tools/filesystems/jfsutils/hardening-format.patch diff --git a/pkgs/tools/filesystems/jfsutils/default.nix b/pkgs/tools/filesystems/jfsutils/default.nix index 46ded088c69..16d95bd1933 100644 --- a/pkgs/tools/filesystems/jfsutils/default.nix +++ b/pkgs/tools/filesystems/jfsutils/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha1 = "291e8bd9d615cf3d27e4000117c81a3602484a50"; }; - patches = [ ./types.patch ]; + patches = [ ./types.patch ./hardening-format.patch ]; buildInputs = [ libuuid ]; diff --git a/pkgs/tools/filesystems/jfsutils/hardening-format.patch b/pkgs/tools/filesystems/jfsutils/hardening-format.patch new file mode 100644 index 00000000000..dd2a93a81ec --- /dev/null +++ b/pkgs/tools/filesystems/jfsutils/hardening-format.patch 
@@ -0,0 +1,37 @@
+--- a/fscklog/fscklog.c 2016-01-29 04:59:54.102223291 +0000
++++ b/fscklog/fscklog.c 2016-01-29 05:00:10.707552565 +0000
+@@ -252,8 +252,8 @@
+
+ sprintf(debug_detail, " [%s:%d]\n", basename(file_name), line_number);
+
+- printf(msg_string);
+- printf(debug_detail);
++ printf("%s", msg_string);
++ printf("%s", debug_detail);
+
+ return 0;
+ }
+--- a/fscklog/display.c 2016-01-29 05:05:42.582133444 +0000
++++ b/fscklog/display.c 2016-01-29 05:05:47.541231780 +0000
+@@ -182,7 +182,7 @@
+ } else {
+ /* the record looks ok */
+ msg_txt = &log_entry[log_entry_pos];
+- printf(msg_txt);
++ printf("%s", msg_txt);
+ /*
+ * set up for the next record
+ */
+--- a/logdump/helpers.c 2016-01-29 05:06:26.081996021 +0000
++++ b/logdump/helpers.c 2016-01-29 05:06:43.097333425 +0000
+@@ -95,8 +95,8 @@
+
+ sprintf(debug_detail, " [%s:%d]\n", file_name, line_number);
+
+- printf(msg_string);
+- printf(debug_detail);
++ printf("%s", msg_string);
++ printf("%s", debug_detail);
+
+ return 0;
+ }
From cce1bad2e17d37d2d9ca198e2b3fb1b658fdcdb4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 29 Jan 2016 05:25:51 +0000 Subject: [PATCH 019/603] dmraid: add patch to build with format hardening --- pkgs/os-specific/linux/dmraid/default.nix | 2 ++ .../linux/dmraid/hardening-format.patch | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 pkgs/os-specific/linux/dmraid/hardening-format.patch
diff --git a/pkgs/os-specific/linux/dmraid/default.nix b/pkgs/os-specific/linux/dmraid/default.nix
index 9e7e2a6bb8e..9412747d6bc 100644
--- a/pkgs/os-specific/linux/dmraid/default.nix
+++ b/pkgs/os-specific/linux/dmraid/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0m92971gyqp61darxbiri6a48jz3wq3gkp8r2k39320z0i6w8jgq"; }; + patches = [ ./hardening-format.patch ]; + postPatch = '' sed -i 's/\[\[[^]]*\]\]/[ "''$''${n##*.}" = "so" ]/' */lib/Makefile.in '';
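Review bot: The new `hardening-format.patch` has no description line, so a reader has to work out from the diff that it rewrites `printf(msg_string)`-style calls to `printf("%s", msg_string)` — the exact construct the format hardening flag rejects, and a genuine format-string bug in its own right whenever the message text is not under the program's control. A first line before the `--- a/fscklog/fscklog.c` header, e.g. `Pass non-literal message strings through "%s" so jfsutils builds with format hardening enabled and message text is never interpreted as a format string.`, is skipped by patch(1) and documents the file; the dmraid patch added by the next commit (the syslog calls) wants the same. Fixing the calls instead of setting `hardening_format = false` is the right choice and worth repeating for the other packages in this series.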
diff --git a/pkgs/os-specific/linux/dmraid/hardening-format.patch b/pkgs/os-specific/linux/dmraid/hardening-format.patch
new file mode 100644
index 00000000000..f91a7fb18aa
--- /dev/null
+++ b/pkgs/os-specific/linux/dmraid/hardening-format.patch
@@ -0,0 +1,18 @@
+--- a/1.0.0.rc16/lib/events/libdmraid-events-isw.c 2016-01-29 05:16:57.455425454 +0000
++++ b/1.0.0.rc16/lib/events/libdmraid-events-isw.c 2016-01-29 05:17:55.520564013 +0000
+@@ -838,13 +838,13 @@
+
+ sz = _log_all_devs(log_type, rs, NULL, 0);
+ if (!sz) {
+- syslog(LOG_ERR, msg[0]);
++ syslog(LOG_ERR, "%s", msg[0]);
+ return;
+ }
+
+ str = dm_malloc(++sz);
+ if (!str) {
+- syslog(LOG_ERR, msg[1]);
++ syslog(LOG_ERR, "%s", msg[1]);
+ return;
+ }
+
From f4572b552df2b80000ee7bddfd70ebae2b293d04 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 29 Jan 2016 10:06:07 +0000 Subject: [PATCH 020/603] gcc45: turn off format hardening --- pkgs/development/compilers/gcc/4.5/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix
index 8c4afb31c50..69c4db63e5b 100644
--- a/pkgs/development/compilers/gcc/4.5/default.nix
+++ b/pkgs/development/compilers/gcc/4.5/default.nix
@@ -134,7 +134,7 @@ stdenv.mkDerivation ({ inherit langC langCC langFortran langJava langAda; }; - #hardening_all = false; + hardening_format = false; patches = [ ]
From 359b1726a57192277eba54931e5e24674093c195 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 30 Jan 2016 14:32:58 +0000 Subject: [PATCH 021/603] xen: turn off stackprotector hardening --- pkgs/applications/virtualization/xen/generic.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix
index ce6753ed165..1f5553beb04 100644
--- a/pkgs/applications/virtualization/xen/generic.nix
+++ b/pkgs/applications/virtualization/xen/generic.nix
@@ -75,7 +75,7 @@ stdenv.mkDerivation { pythonPath = [ pythonPackages.curses ]; - #hardening_all = false; + hardening_stackprotector = false; patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches; From 051662610104c2c57b89783084b9f31f5e978c71 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 30 Jan 2016 14:33:22 +0000 Subject: [PATCH 022/603] go: turn off all hardening --- pkgs/development/compilers/go/1.5.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix index 4928bacaebd..d64b9a1d11c 100644 --- a/pkgs/development/compilers/go/1.5.nix +++ b/pkgs/development/compilers/go/1.5.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { Security Foundation ]; - hardening_stackprotector = false; + hardening_all = false; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. From bd2d04975013341e8402f04ff5e53502e40a6d32 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 13:09:11 +0000 Subject: [PATCH 023/603] texlive-core-big: turn off format hardening --- pkgs/tools/typesetting/tex/texlive-new/bin.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/typesetting/tex/texlive-new/bin.nix b/pkgs/tools/typesetting/tex/texlive-new/bin.nix index 4a788cfa8fe..3585c4d04af 100644 --- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix +++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix @@ -123,6 +123,8 @@ core-big = stdenv.mkDerivation { inherit (common) src; + hardening_format = false; + buildInputs = core.buildInputs ++ [ core cairo harfbuzz icu graphite2 ]; configureFlags = common.configureFlags From 79219c1981d3c870dbb1f88da843378e02e49ce8 Mon Sep 17 00:00:00 2001 
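Review bot: The go 1.5 hunk widens `hardening_stackprotector = false` to `hardening_all = false`, which also drops fortify, format, pic, relro and bindnow for the C parts of the toolchain build, without recording which of them actually failed. Prefer disabling only the flags that break, or at least explain the blanket opt-out, e.g. `hardening_all = false; # <which flags the Go runtime/cgo build rejects and why>`, so it can be narrowed later. The go 1.4 commit that begins at the end of this chunk makes the same change and should get the same treatment.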
From: Robin Gloster Date: Sun, 7 Feb 2016 15:07:42 +0000 Subject: [PATCH 024/603] patchutils: turn off format hardening --- pkgs/tools/text/patchutils/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/text/patchutils/default.nix b/pkgs/tools/text/patchutils/default.nix index 4df52eef669..98f9c0483c2 100644 --- a/pkgs/tools/text/patchutils/default.nix +++ b/pkgs/tools/text/patchutils/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { patches = [ ./drop-comments.patch ]; # we would get into a cycle when using fetchpatch on this one + hardening_format = false; + meta = with stdenv.lib; { description = "Tools to manipulate patch files"; homepage = http://cyberelk.net/tim/software/patchutils; From 08caf7b6e43df52395ef86ed8192a7232a46f2e4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 15:27:57 +0000 Subject: [PATCH 025/603] librsync_0_9: turn off format hardening --- pkgs/development/libraries/librsync/0.9.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/librsync/0.9.nix b/pkgs/development/libraries/librsync/0.9.nix index 76daf7d748b..d3dd293f975 100644 --- a/pkgs/development/libraries/librsync/0.9.nix +++ b/pkgs/development/libraries/librsync/0.9.nix @@ -1,13 +1,15 @@ -{stdenv, fetchurl}: +{ stdenv, fetchurl }: stdenv.mkDerivation { name = "librsync-0.9.7"; - + src = fetchurl { url = mirror://sourceforge/librsync/librsync-0.9.7.tar.gz; sha256 = "1mj1pj99mgf1a59q9f2mxjli2fzxpnf55233pc1klxk2arhf8cv6"; }; + hardening_format = false; + configureFlags = if stdenv.isCygwin then "--enable-static" else "--enable-shared"; crossAttrs = { From 955a9a3be72c9911b5b4bf3dde72d14e362fe450 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 15:49:09 +0000 Subject: [PATCH 026/603] avrgcclibc: turn off format hardening --- .../misc/avr-gcc-with-avr-libc/default.nix | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) 
diff --git a/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix b/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix index cbd38903aac..b27a6659004 100644 --- a/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix +++ b/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix @@ -19,20 +19,22 @@ stdenv.mkDerivation { sha256 = "0sd9qkvhmk9av4g1f8dsjwc309hf1g0731bhvicnjb3b3d42l1n3"; }) ]; - + sourceRoot = "."; nativeBuildInputs = [ texinfo ]; - + buildInputs = [ gmp mpfr libmpc zlib ]; - + + hardening_format = false; + # Make sure we don't strip the libraries in lib/gcc/avr. stripDebugList= [ "bin" "avr/bin" "libexec" ]; - + installPhase = '' # important, without this gcc won't find the binutils executables export PATH=$PATH:$out/bin - + # Binutils. pushd binutils-*/ mkdir obj-avr @@ -64,7 +66,7 @@ stdenv.mkDerivation { make install popd ''; - + meta = with stdenv.lib; { description = "AVR development environment including binutils, avr-gcc and avr-libc"; # I've tried compiling the packages separately.. too much hassle. This just works. Fine. From 56ae3db53fefd363306e9c826bfc5e771e6ed599 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 16:06:56 +0000 Subject: [PATCH 027/603] bviplus: fix build with gcc5 (inline semantics) --- pkgs/applications/editors/bviplus/default.nix | 12 +++++++++--- pkgs/applications/editors/bviplus/gcc5.diff | 11 +++++++++++ 2 files changed, 20 insertions(+), 3 deletions(-) create mode 100644 pkgs/applications/editors/bviplus/gcc5.diff diff --git a/pkgs/applications/editors/bviplus/default.nix b/pkgs/applications/editors/bviplus/default.nix index 0a8d7081b23..d61fa182379 100644 --- a/pkgs/applications/editors/bviplus/default.nix +++ b/pkgs/applications/editors/bviplus/default.nix 
@@ -1,17 +1,23 @@ -{ stdenv, lib, fetchurl, ncurses }: +{ stdenv, fetchurl, ncurses }: stdenv.mkDerivation rec { name = "bviplus-${version}"; version = "0.9.4"; + src = fetchurl { - url = "http://downloads.sourceforge.net/project/bviplus/bviplus/${version}/bviplus-${version}.tgz"; + url = "mirror://sourceforge/project/bviplus/bviplus/${version}/bviplus-${version}.tgz"; sha256 = "10x6fbn8v6i0y0m40ja30pwpyqksnn8k2vqd290vxxlvlhzah4zb"; }; + buildInputs = [ ncurses ]; + + patches = [ ./gcc5.diff ]; + makeFlags = "PREFIX=$(out)"; - meta = with lib; { + + meta = with stdenv.lib; { description = "ncurses based hex editor with a vim-like interface"; homepage = "http://bviplus.sourceforge.net"; license = licenses.gpl3; diff --git a/pkgs/applications/editors/bviplus/gcc5.diff b/pkgs/applications/editors/bviplus/gcc5.diff new file mode 100644 index 00000000000..75dc57151dd --- /dev/null +++ b/pkgs/applications/editors/bviplus/gcc5.diff @@ -0,0 +1,11 @@ +--- bviplus-0.9.4/vf_backend.c 2016-02-07 15:58:47.265405962 +0000 ++++ bviplus-0.9.4/vf_backend.c 2016-02-07 16:04:30.020004919 +0000 +@@ -253,7 +253,7 @@ + /*--------------------------- + + ---------------------------*/ +-inline void compute_percent_complete(off_t offset, off_t size, int *complete) ++extern void compute_percent_complete(off_t offset, off_t size, int *complete) + { + if (size == 0) + { From 89316e726ca9932a375fa7d0a26cf0b63ea0b3f1 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 16:20:07 +0000 Subject: [PATCH 028/603] db4: turn off format hardening --- pkgs/development/libraries/db/db-4.8.nix | 1 + pkgs/development/libraries/db/generic.nix | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/db/db-4.8.nix b/pkgs/development/libraries/db/db-4.8.nix index 6a161b0b72d..78c0a15c4e0 100644 --- a/pkgs/development/libraries/db/db-4.8.nix +++ b/pkgs/development/libraries/db/db-4.8.nix 
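Review bot: `gcc5.diff` turns `inline void compute_percent_complete(...)` into `extern void ...` with no explanation; gcc 5 defaults to gnu11, where a bare `inline` definition emits no external symbol, so other translation units fail to link, and that is the reason the patch exists. A one-line header before `--- bviplus-0.9.4/vf_backend.c`, e.g. `gcc 5 defaults to C11 inline semantics, under which this definition emits no external symbol; make it an ordinary external definition.`, would keep the next maintainer from re-deriving that. `extern` is already the default for a function definition, so plain `void` would do the same; the form chosen is harmless.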
@@ -5,4 +5,5 @@ import ./generic.nix (args // rec { extraPatches = [ ./clang-4.8.patch ]; sha256 = "0ampbl2f0hb1nix195kz1syrqqxpmvnvnfvphambj7xjrl3iljg0"; branch = "4.8"; + drvArgs = { hardening_format = false; }; }) diff --git a/pkgs/development/libraries/db/generic.nix b/pkgs/development/libraries/db/generic.nix index f5ee4e440ff..fdc828effdf 100644 --- a/pkgs/development/libraries/db/generic.nix +++ b/pkgs/development/libraries/db/generic.nix @@ -7,9 +7,10 @@ , extraPatches ? [ ] , license ? stdenv.lib.licenses.sleepycat , branch ? null +, drvArgs ? {} }: -stdenv.mkDerivation rec { +stdenv.mkDerivation (rec { name = "db-${version}"; src = fetchurl { @@ -42,4 +43,4 @@ stdenv.mkDerivation rec { platforms = platforms.unix; branch = branch; }; -} +} // drvArgs) From 2b1f9509a16a94ebab4a526203e9d60ef6e0c556 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 16:22:44 +0000 Subject: [PATCH 029/603] freetds: turn off format hardening --- pkgs/development/libraries/freetds/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/freetds/default.nix b/pkgs/development/libraries/freetds/default.nix index 695abcfbba2..bb4aeaeee27 100644 --- a/pkgs/development/libraries/freetds/default.nix +++ b/pkgs/development/libraries/freetds/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "0r946axzxs0czsmr7283w7vmk5jx3jnxxc32d2ncxsrsh2yli0ba"; }; + hardening_format = false; + buildInputs = stdenv.lib.optional odbcSupport [ unixODBC ]; configureFlags = stdenv.lib.optionalString odbcSupport "--with-odbc=${unixODBC}"; From 4b82ba013d1aed89795537095f827140ab6b43d8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 16:31:59 +0000 Subject: [PATCH 030/603] libgeotiff: turn off format hardening --- pkgs/development/libraries/libgeotiff/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
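Review bot: `stdenv.mkDerivation (rec { ... } // drvArgs)` merges `drvArgs` after the `rec` set is evaluated, so an attribute overridden through it is not seen by references inside the set — `name = "db-${version}"` would keep the original `version`, for example. That is fine for the one use added here (`hardening_format = false` from db-4.8.nix), but the parameter is general and the caveat should sit on the `drvArgs ? {}` line: `# extra derivation attrs, merged after the rec set; they do not rebind names used inside it`. The body of the set between the two hunks is outside the view.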
diff --git a/pkgs/development/libraries/libgeotiff/default.nix b/pkgs/development/libraries/libgeotiff/default.nix index d07aae3ab80..4d9fa09ad75 100644 --- a/pkgs/development/libraries/libgeotiff/default.nix +++ b/pkgs/development/libraries/libgeotiff/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { buildInputs = [ libtiff ]; + hardening_format = false; + meta = { description = "Library implementing attempt to create a tiff based interchange format for georeferenced raster imagery"; homepage = http://www.remotesensing.org/geotiff/geotiff.html; From 321c57d69e83fb9268bfcaca090c0346b5a54979 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 16:34:05 +0000 Subject: [PATCH 031/603] ltl2ba: turn off format hardening --- pkgs/applications/science/logic/ltl2ba/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/science/logic/ltl2ba/default.nix b/pkgs/applications/science/logic/ltl2ba/default.nix index cdadd18ac9f..4ba773756e5 100644 --- a/pkgs/applications/science/logic/ltl2ba/default.nix +++ b/pkgs/applications/science/logic/ltl2ba/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "16z0gc7a9dkarwn0l6rvg5jdhw1q4qyn4501zlchy0zxqddz0sx6"; }; + hardening_format = false; + installPhase = '' mkdir -p $out/bin mv ltl2ba $out/bin From 0b93c68eb1699a82dc3bd94f03790e17f47e1a8d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 19:18:57 +0000 Subject: [PATCH 032/603] opencv: turn off bindnow and relro hardening --- pkgs/development/libraries/opencv/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/development/libraries/opencv/default.nix b/pkgs/development/libraries/opencv/default.nix index 4ce1787dbac..d5904e742b6 100644 --- a/pkgs/development/libraries/opencv/default.nix +++ b/pkgs/development/libraries/opencv/default.nix 
@@ -20,6 +20,9 @@ stdenv.mkDerivation rec {
 enableParallelBuilding = true;
+ hardening_bindnow = false;
+ hardening_relro = false;
+
 meta = {
 description = "Open Computer Vision Library with more than 500 algorithms";
 homepage = http://opencv.org/;
From 53e3de101b35ee17c28c5dbabb8df528f480debe Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Sun, 7 Feb 2016 19:23:40 +0000
Subject: [PATCH 033/603] cvs: turn off format hardening
---
 pkgs/applications/version-management/cvs/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/applications/version-management/cvs/default.nix b/pkgs/applications/version-management/cvs/default.nix
index e9de202a809..4912ce0b3e6 100644
--- a/pkgs/applications/version-management/cvs/default.nix
+++ b/pkgs/applications/version-management/cvs/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 patches = [ ./getcwd-chroot.patch ];
+ hardening_format = false;
+
 preConfigure = ''
 # Apply the Debian patches.
 for p in "debian/patches/"*; do
From d12ff64f254fd6d80dbbfa9adfa1849c7fef7b94 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Sun, 7 Feb 2016 19:24:01 +0000
Subject: [PATCH 034/603] ccl: fix hash
---
 pkgs/development/compilers/ccl/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/development/compilers/ccl/default.nix b/pkgs/development/compilers/ccl/default.nix
index e5e07705a18..ee0153c13b0 100644
--- a/pkgs/development/compilers/ccl/default.nix
+++ b/pkgs/development/compilers/ccl/default.nix
@@ -5,7 +5,7 @@ let
 /* TODO: there are also MacOS, FreeBSD and Windows versions */
 x86_64-linux = {
 arch = "linuxx86";
- sha256 = "0d2vhp5n74yhwixnvlsnp7dzaf9aj6zd2894hr2728djyd8x9fx6";
+ sha256 = "07cny2qkzc624bzpdsy4iakcln0p7v5rhf8bv0vnh6rhpvnahrnq";
 runtime = "lx86cl64";
 kernel = "linuxx8664";
 };
From 543dfcc686f7fca501b7f10245408ccb7fabbf75 Mon Sep 17 00:00:00 2001
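Review bot: The `hardening_bindnow = false;` and `hardening_relro = false;` lines switch off the pair that gives full RELRO (a read-only GOT after startup) for a library loaded into many image-handling programs, and the hunk records no reason. These are link-time options rather than warnings, so if the failure was a linker error in one particular target that is worth writing down as `# FIXME: relro/bindnow break <which target>, see <issue>` so the override can be scoped or removed later. If only one of the two flags was needed to get the build through, the other should stay on. The enclosing mkDerivation block starts and ends outside the hunk.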
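Review bot: The sha256 for the linuxx86 tarball changes from `0d2vhp5n74yhwixnvlsnp7dzaf9aj6zd2894hr2728djyd8x9fx6` to `07cny2qkzc624bzpdsy4iakcln0p7v5rhf8bv0vnh6rhpvnahrnq` while the URL, arch and version in the surrounding lines stay the same, which means the artifact served upstream was replaced after the original hash was recorded. Re-pinning to whatever the server now serves verifies only that future downloads match today's file, not that the file is the intended release, so the commit should state how the new content was checked (upstream announcement, signature, or a diff of the two archives). A line such as `# hash updated: upstream re-published the tarball, contents verified against <source>` next to the new sha256 keeps that audit trail in the file.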
From: Robin Gloster
Date: Sun, 7 Feb 2016 19:26:33 +0000
Subject: [PATCH 035/603] disk_indicator: turn off hardening fortify
---
 pkgs/os-specific/linux/disk-indicator/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkgs/os-specific/linux/disk-indicator/default.nix b/pkgs/os-specific/linux/disk-indicator/default.nix
index 406492db236..8eba742ebfb 100644
--- a/pkgs/os-specific/linux/disk-indicator/default.nix
+++ b/pkgs/os-specific/linux/disk-indicator/default.nix
@@ -19,6 +19,7 @@ stdenv.mkDerivation {
 buildPhase = "make -f makefile";
 NIX_CFLAGS_COMPILE = "-Wno-error=cpp";
+ hardening_fortify = false;
 installPhase = ''
 mkdir -p "$out/bin"
From 43545db1873a1110cd1bd9982bbcd61f3a149063 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Sun, 7 Feb 2016 19:53:34 +0000
Subject: [PATCH 036/603] gdome2: turn off hardening fortify
---
 pkgs/development/libraries/gdome2/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/libraries/gdome2/default.nix b/pkgs/development/libraries/gdome2/default.nix
index cc8f76949ee..e9c32da2069 100644
--- a/pkgs/development/libraries/gdome2/default.nix
+++ b/pkgs/development/libraries/gdome2/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation {
 sha256 = "0hyms5s3hziajp3qbwdwqjc2xcyhb783damqg8wxjpwfxyi81fzl";
 };
+ hardening_format = false;
+
 buildInputs = [pkgconfig glib libxml2 gtkdoc];
 propagatedBuildInputs = [glib libxml2];
 patches = [ ./xml-document.patch ];
From 179ae282e07adc3975dd4e3198db47fd1185b408 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Sun, 7 Feb 2016 19:59:43 +0000
Subject: [PATCH 037/603] go_1_4: turn off all hardening
---
 pkgs/development/compilers/go/1.4.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix
index 542fcba2144..9dadf06b3b5 100644
--- a/pkgs/development/compilers/go/1.4.nix
+++ b/pkgs/development/compilers/go/1.4.nix
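Review bot: `hardening_fortify = false;` is added directly below `NIX_CFLAGS_COMPILE = "-Wno-error=cpp";`, and the two look like workarounds for the same symptom (FORTIFY_SOURCE emits a preprocessor warning when it is requested without optimisation, which `-Werror` would turn into a failure), yet neither line says so. If the package's makefile really builds without `-O`, a comment naming that cause, e.g. `# FIXME: makefile builds without -O, so FORTIFY_SOURCE warns; fix the flags and drop both lines`, tells the next maintainer that both overrides go away together. The same unexplained `hardening_fortify = false;` appears in the udftools commit later in this series. The enclosing mkDerivation block starts and ends outside the hunk.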
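Review bot: The gdome2 commit subject says "turn off hardening fortify" but the line it adds is `hardening_format = false;`, so either the title or the flag is wrong. If the build failed on format-security the subject should be corrected; if it failed on FORTIFY_SOURCE the line needs to read `hardening_fortify = false;`. This matters because the commit log is what someone later greps to find out which hardening override each package actually depends on.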
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
 buildInputs = [ pcre ];
 propagatedBuildInputs = lib.optional stdenv.isDarwin Security;
- hardening_stackprotector = false;
+ hardening_all = false;
 # I'm not sure what go wants from its 'src', but the go installation manual
 # describes an installation keeping the src.
From d4066220523661496b026e9a0530c6d10feb2ccf Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Sun, 7 Feb 2016 20:40:46 +0000
Subject: [PATCH 038/603] csound: turn off format hardening
---
 pkgs/applications/audio/csound/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/applications/audio/csound/default.nix b/pkgs/applications/audio/csound/default.nix
index afca63a2a8a..1cc0e56fe7e 100644
--- a/pkgs/applications/audio/csound/default.nix
+++ b/pkgs/applications/audio/csound/default.nix
@@ -16,6 +16,8 @@ stdenv.mkDerivation {
 enableParallelBuilding = true;
+ hardening_format = false;
+
 src = fetchurl {
 url = mirror://sourceforge/csound/Csound6.04.tar.gz;
 sha256 = "1030w38lxdwjz1irr32m9cl0paqmgr02lab2m7f7j1yihwxj1w0g";
From 49d77a685fccdb01364959c390e1e893bee895d6 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Sun, 7 Feb 2016 20:43:42 +0000
Subject: [PATCH 039/603] gdmap: turn off format hardening
---
 pkgs/tools/system/gdmap/default.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkgs/tools/system/gdmap/default.nix b/pkgs/tools/system/gdmap/default.nix
index 3d3809610e4..1456b6fca7c 100644
--- a/pkgs/tools/system/gdmap/default.nix
+++ b/pkgs/tools/system/gdmap/default.nix
@@ -2,7 +2,7 @@ stdenv.mkDerivation rec {
 name = "gdmap-0.8.1";
-
+
 src = fetchurl {
 url = "mirror://sourceforge/gdmap/${name}.tar.gz";
 sha256 = "0nr8l88cg19zj585hczj8v73yh21k7j13xivhlzl8jdk0j0cj052";
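Review bot: Replacing `hardening_stackprotector = false;` with `hardening_all = false;` widens the override from one flag to every hardening feature the stdenv applies, and the hunk does not say which additional feature broke the Go 1.4 build. If one more flag was the problem, listing the two individually (`hardening_stackprotector = false;` plus the second one) keeps the rest that this series touches (format, fortify, pic, relro, bindnow) active for the toolchain; if the whole set genuinely has to be off, a comment such as `# Go 1.4 bootstrap toolchain does not build with the hardened cc-wrapper; see <issue>` should say so. The enclosing mkDerivation block starts and ends outside the hunk.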
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec { patches = [ ./get_sensitive.patch ./set_flags.patch ]; + hardening_format = false; + meta = with stdenv.lib; { homepage = http://gdmap.sourceforge.net; description = "Recursive rectangle map of disk usage"; From 818509044972166b4ef0378572070399ddde54be Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 20:44:18 +0000 Subject: [PATCH 040/603] smpeg: turn off format hardening --- pkgs/development/libraries/smpeg/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/smpeg/default.nix b/pkgs/development/libraries/smpeg/default.nix index c2473ae2c5d..49d889f8b6a 100644 --- a/pkgs/development/libraries/smpeg/default.nix +++ b/pkgs/development/libraries/smpeg/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardening_format = false; + buildInputs = [ SDL gtk mesa ]; nativeBuildInputs = [ autoconf automake libtool m4 pkgconfig makeWrapper ]; From d1172548229971c95819a185a73e18af841728b5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 20:54:52 +0000 Subject: [PATCH 041/603] drgeo: turn off format hardening --- pkgs/applications/science/geometry/drgeo/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/science/geometry/drgeo/default.nix b/pkgs/applications/science/geometry/drgeo/default.nix index f0be5258ce4..c5c2cee62e8 100644 --- a/pkgs/applications/science/geometry/drgeo/default.nix +++ b/pkgs/applications/science/geometry/drgeo/default.nix @@ -5,6 +5,8 @@ stdenv.mkDerivation rec { name = "drgeo-${version}"; version = "1.1.0"; + hardening_format = false; + src = fetchurl { url = "mirror://sourceforge/ofset/${name}.tar.gz"; sha256 = "05i2czgzhpzi80xxghinvkyqx4ym0gm9f38fz53idjhigiivp4wc"; From 70bcd8ace8ebd0f2e660b23b96c72c3da25194b5 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Sun, 7 Feb 2016 20:56:33 +0000 Subject: [PATCH 042/603] vncrec: turn off format hardening --- pkgs/tools/video/vncrec/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/video/vncrec/default.nix b/pkgs/tools/video/vncrec/default.nix index 4654d5902cb..a16dc169b98 100644 --- a/pkgs/tools/video/vncrec/default.nix +++ b/pkgs/tools/video/vncrec/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "1yp6r55fqpdhc8cgrgh9i0mzxmkls16pgf8vfcpng1axr7cigyhc"; }; + hardening_format = false; + buildInputs = [ libX11 xproto imake gccmakedep libXt libXmu libXaw libXext xextproto libSM libICE libXpm libXp From e353185cebc483e3f16993a9f5935a6c91977caa Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 21:17:34 +0000 Subject: [PATCH 043/603] wxPython: turn off format hardening --- pkgs/development/python-modules/wxPython/generic.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkgs/development/python-modules/wxPython/generic.nix b/pkgs/development/python-modules/wxPython/generic.nix index 3151dbcfac3..385980b2848 100644 --- a/pkgs/development/python-modules/wxPython/generic.nix +++ b/pkgs/development/python-modules/wxPython/generic.nix @@ -11,6 +11,10 @@ stdenv.mkDerivation rec { disabled = isPy3k || isPyPy; doCheck = false; + sourceRoot = "wxPython-src-${version}/wxPython"; + + hardening_format = false; + src = fetchurl { url = "mirror://sourceforge/wxpython/wxPython-src-${version}.tar.bz2"; inherit sha256; @@ -18,7 +22,6 @@ stdenv.mkDerivation rec { pythonPath = [ python setuptools ]; buildInputs = [ python setuptools pkgconfig wxGTK (wxGTK.gtk) wrapPython ] ++ stdenv.lib.optional openglSupport pyopengl; - preConfigure = "cd wxPython"; installPhase = '' ${python.interpreter} setup.py install WXPORT=gtk2 NO_HEADERS=1 BUILD_GLCANVAS=${if openglSupport then "1" else "0"} UNICODE=1 --prefix=$out From 0f2e638fe76619ac62475123c78be3dd3474492c Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Sun, 7 Feb 2016 21:40:37 +0000 Subject: [PATCH 044/603] gcc46: turn off format hardening --- pkgs/development/compilers/gcc/4.6/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/gcc/4.6/default.nix b/pkgs/development/compilers/gcc/4.6/default.nix index b3caad11b71..323fd8b921b 100644 --- a/pkgs/development/compilers/gcc/4.6/default.nix +++ b/pkgs/development/compilers/gcc/4.6/default.nix @@ -189,6 +189,8 @@ stdenv.mkDerivation ({ inherit patches enableMultilib; + hardening_format = false; + postPatch = if (stdenv.isGNU || (libcCross != null # e.g., building `gcc.crossDrv' From f43398c91fc46389a13d97d2edda8326db52b3f8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 22:19:05 +0000 Subject: [PATCH 045/603] libcli: add patch for gcc5 --- pkgs/development/libraries/libcli/default.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/pkgs/development/libraries/libcli/default.nix b/pkgs/development/libraries/libcli/default.nix index 1c247f6faa8..cf1b21ceaa9 100644 --- a/pkgs/development/libraries/libcli/default.nix +++ b/pkgs/development/libraries/libcli/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchFromGitHub }: +{ stdenv, fetchFromGitHub, fetchpatch }: stdenv.mkDerivation rec { name = "libcli-${version}"; @@ -11,6 +11,13 @@ stdenv.mkDerivation rec { owner = "dparrish"; }; + patches = [ + (fetchpatch { + url = https://patch-diff.githubusercontent.com/raw/dparrish/libcli/pull/21.diff; + sha256 = "150nm33xi3992zx8a9smjzd8zs7pavrwg1pijah6nyl22q9gxm21"; + }) + ]; + enableParallelBuilding = true; makeFlags = [ "PREFIX=$(out)" ]; From 09a5af76b51cbbd3ac4dd58cd742ba475c9bc0eb Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 22:24:47 +0000 Subject: [PATCH 046/603] gcc48: turn off format hardening --- pkgs/development/compilers/gcc/4.8/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
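Review bot: The new `patches` entry fetches `https://patch-diff.githubusercontent.com/raw/dparrish/libcli/pull/21.diff`, which is the live diff of a pull request rather than an immutable object; if the PR is amended or rebased, its content changes and the pinned sha256 becomes a build failure on every future rebuild. Pointing fetchpatch at the specific commit behind that PR (`https://github.com/dparrish/libcli/commit/<sha>.patch`) gives the same content with a stable URL. A comment naming what the patch fixes (the subject says gcc5) also helps decide when it can be dropped after the next upstream release. The enclosing mkDerivation block starts and ends outside the hunk.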
diff --git a/pkgs/development/compilers/gcc/4.8/default.nix b/pkgs/development/compilers/gcc/4.8/default.nix index fd80f4ec8c5..58074e173ae 100644 --- a/pkgs/development/compilers/gcc/4.8/default.nix +++ b/pkgs/development/compilers/gcc/4.8/default.nix @@ -218,6 +218,8 @@ stdenv.mkDerivation ({ inherit patches; + hardening_format = false; + postPatch = if (stdenv.isGNU || (libcCross != null # e.g., building `gcc.crossDrv' From 5f752303682beffedfe9e81bfd899b74aac323e5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 22:26:07 +0000 Subject: [PATCH 047/603] sutils: turn off format hardening --- pkgs/tools/misc/sutils/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/sutils/default.nix b/pkgs/tools/misc/sutils/default.nix index d0576cc069a..48c47cc3d8d 100644 --- a/pkgs/tools/misc/sutils/default.nix +++ b/pkgs/tools/misc/sutils/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0xqk42vl82chy458d64fj68a4md4bxaip8n3xw9skxz0a1sgvks8"; }; + hardening_format = false; + prePatch = ''sed -i "s@/usr/local@$out@" Makefile''; meta = { From 65e6aa4a31ea05a651ead1a50bd8af7bb4e42438 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 22:28:15 +0000 Subject: [PATCH 048/603] uwimap: turn off format hardening --- pkgs/tools/networking/uwimap/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/networking/uwimap/default.nix b/pkgs/tools/networking/uwimap/default.nix index 1da9ca96984..1c7c946000e 100644 --- a/pkgs/tools/networking/uwimap/default.nix +++ b/pkgs/tools/networking/uwimap/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation { # -fPIC is required to compile php with imap on x86_64 systems + stdenv.lib.optionalString stdenv.isx86_64 " EXTRACFLAGS=-fPIC"; + hardening_format = false; + buildInputs = [ openssl ] ++ stdenv.lib.optional (!stdenv.isDarwin) pam; From 046b40f57311bbadc3241f3b14c77f045ea7e30c Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Sun, 7 Feb 2016 22:30:22 +0000 Subject: [PATCH 049/603] xconq: turn off format hardening --- pkgs/games/xconq/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/games/xconq/default.nix b/pkgs/games/xconq/default.nix index 53c3ec7dec8..cace72b5aac 100644 --- a/pkgs/games/xconq/default.nix +++ b/pkgs/games/xconq/default.nix @@ -3,9 +3,9 @@ stdenv.mkDerivation rec { name = "${baseName}-${version}"; - baseName="xconq"; + baseName = "xconq"; version = "7.5.0-0pre.0.20050612"; - + src = fetchurl { url = "mirror://sourceforge/project/${baseName}/${baseName}/${name}/${name}.tar.gz"; sha256 = "1za78yx57mgwcmmi33wx3533yz1x093dnqis8q2qmqivxav51lca"; @@ -20,6 +20,8 @@ stdenv.mkDerivation rec { "--with-tkconfig=${tk}/lib" ]; + hardening_format = false; + patchPhase = '' # Fix Makefiles find . -name 'Makefile.in' -exec sed -re 's@^ ( *)(cd|[&][&])@ \1\2@' -i '{}' ';' From dc2b5489552be04791ebb1eb5de60f216ad35cad Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 22:39:11 +0000 Subject: [PATCH 050/603] nodePackages.oauth: use fetchFromGitHub fixup to 9a5a967 --- pkgs/top-level/node-packages-generated.nix | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/pkgs/top-level/node-packages-generated.nix b/pkgs/top-level/node-packages-generated.nix index 1c68d1badc8..12d0aff2616 100644 --- a/pkgs/top-level/node-packages-generated.nix +++ b/pkgs/top-level/node-packages-generated.nix @@ -1,4 +1,4 @@ -{ self, fetchurl, fetchgit ? null, lib }: +{ self, fetchurl, fetchgit ? null, fetchFromGitHub, lib }: { by-spec."Base64"."~0.2.0" = 
@@ -29314,10 +29314,11 @@ name = "oauth-0.9.12"; version = "0.9.12"; bin = false; - src = fetchurl { - url = "https://github.com/ciaranj/node-oauth/tarball/0.9.12"; - name = "oauth-0.9.12.tgz"; - sha256 = "e06c3c3537e9c802c8ad00640b9f91bf2857cf8cc91209e355b5646f4da8b3e7"; + src = fetchFromGitHub { + owner = "ciaranj"; + repo = "node-oauth"; + rev = "0.9.12"; + sha256 = "1c67nq1q5isfcvyp520q02w5c527s1wsfiyknzfvvp22sf2yn7k6"; }; deps = { }; From 33a0e63fbff73fe49f6b03dca947f5ba65e3fe42 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 22:43:01 +0000 Subject: [PATCH 051/603] linuxPackages.v4l2loopback: no format/pic hardening --- pkgs/os-specific/linux/v4l2loopback/default.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/v4l2loopback/default.nix b/pkgs/os-specific/linux/v4l2loopback/default.nix index 13617360d2d..8b44f3388d3 100644 --- a/pkgs/os-specific/linux/v4l2loopback/default.nix +++ b/pkgs/os-specific/linux/v4l2loopback/default.nix @@ -8,7 +8,10 @@ stdenv.mkDerivation rec { url = "https://github.com/umlaeute/v4l2loopback/archive/v${version}.tar.gz"; sha256 = "1crkhxlnskqrfj3f7jmiiyi5m75zmj7n0s26xz07wcwdzdf2p568"; }; - + + hardening_pic = false; + hardening_format = false; + preBuild = '' substituteInPlace Makefile --replace "modules_install" "INSTALL_MOD_PATH=$out modules_install" sed -i '/depmod/d' Makefile @@ -16,7 +19,7 @@ stdenv.mkDerivation rec { ''; buildInputs = [ kmod ]; - + makeFlags = [ "KERNELRELEASE=${kernel.modDirVersion}" "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" From 859a150373579a5ec4b7e913cb1aca71dc946e3a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 22:43:59 +0000 Subject: [PATCH 052/603] linuxPackages.virtualboxGuestAdditions: no pic hardening --- .../virtualization/virtualbox/guest-additions/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix index 43f591cf6aa..0ef00550ee4 100644 --- a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix +++ b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation { KERN_DIR = "${kernel.dev}/lib/modules/*/build"; + hardening_pic = false; + buildInputs = [ patchelf cdrkit makeWrapper dbus ]; installPhase = '' From 7c206e8c4c5cfbdee05daf0767548edc9b66cd40 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 22:44:42 +0000 Subject: [PATCH 053/603] linuxPackages.spl: no pic hardening --- pkgs/os-specific/linux/spl/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/spl/default.nix b/pkgs/os-specific/linux/spl/default.nix index 959523ec597..67e2f16848b 100644 --- a/pkgs/os-specific/linux/spl/default.nix +++ b/pkgs/os-specific/linux/spl/default.nix @@ -30,6 +30,8 @@ stdenv.mkDerivation rec { buildInputs = [ autoconf automake libtool ]; + hardening_pic = false; + preConfigure = '' ./autogen.sh From 5808bfb9773a4d6e39bc35bf18ae271954811f8a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 22:51:21 +0000 Subject: [PATCH 054/603] yacas: no format hardening --- pkgs/applications/science/math/yacas/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/science/math/yacas/default.nix b/pkgs/applications/science/math/yacas/default.nix index 2c9d63be1b4..af284a2f82e 100644 --- a/pkgs/applications/science/math/yacas/default.nix +++ b/pkgs/applications/science/math/yacas/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1dmafm3w0lm5w211nwkfzaid1rvvmgskz7k4500pjhgdczi5sd78"; }; + hardening_format = false; + # Perl is only for the documentation nativeBuildInputs = [ perl ]; 
@@ -32,7 +34,7 @@ stdenv.mkDerivation rec { ''; }; - meta = { + meta = { description = "Easy to use, general purpose Computer Algebra System"; homepage = http://yacas.sourceforge.net/; license = stdenv.lib.licenses.gpl2Plus; From 0c5b86b607b3a40a468c45d6a98d9c2b86860e80 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 23:07:12 +0000 Subject: [PATCH 055/603] eggdrop: use git rev to fix compiling with gcc5 --- pkgs/tools/networking/eggdrop/default.nix | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/pkgs/tools/networking/eggdrop/default.nix b/pkgs/tools/networking/eggdrop/default.nix index cf7fb20df68..90bc8b54f28 100644 --- a/pkgs/tools/networking/eggdrop/default.nix +++ b/pkgs/tools/networking/eggdrop/default.nix @@ -1,16 +1,20 @@ -{ stdenv, fetchurl, tcl }: +{ stdenv, fetchFromGitHub, tcl }: stdenv.mkDerivation rec { name = "eggdrop-${version}"; - version = "1.6.21"; + version = "1.6.21-nix1"; - src = fetchurl { - url = "ftp://ftp.eggheads.org/pub/eggdrop/GNU/1.6/eggdrop${version}.tar.gz"; - sha256 = "1galvbh9y4c3msrg1s9na0asm077mh1g2i2vsv1vczmfrbgq92vs"; + src = fetchFromGitHub { + owner = "eggheads"; + repo = "eggdrop"; + rev = "9ec109a13c016c4cdc7d52b7e16e4b9b6fbb9331"; + sha256 = "0mf1vcbmpnvmf5mxk7gi3z32fxpcbynsh9jni8z8frrscrdf5lp5"; }; buildInputs = [ tcl ]; + hardening_format = false; + preConfigure = '' prefix=$out/eggdrop mkdir -p $prefix From 801b80299c0fad477b906b9fe921f988a237cdb5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 23:27:47 +0000 Subject: [PATCH 056/603] udftools: fix compiling with gcc5 and turn off fortify --- pkgs/tools/filesystems/udftools/default.nix | 3 +++ pkgs/tools/filesystems/udftools/gcc5.patch | 17 +++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 pkgs/tools/filesystems/udftools/gcc5.patch diff --git a/pkgs/tools/filesystems/udftools/default.nix b/pkgs/tools/filesystems/udftools/default.nix index 329950f8969..d3964b1e427 100644 
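Review bot: `version = "1.6.21-nix1";` combined with `rev = "9ec109a13c016c4cdc7d52b7e16e4b9b6fbb9331"` labels an arbitrary upstream commit as if it were a point release, and nothing in the hunk says how far past 1.6.21 that commit is or what it contains beyond the gcc5 fix named in the subject. A comment next to `rev`, e.g. `# post-1.6.21 upstream master, needed for gcc5; return to a release tarball on the next release`, makes the intent recoverable; the vxl commit later in this series does the same with `vxl-1.17.0-nix1` and deserves the same comment. The `hardening_format = false;` added in the same hunk is an unrelated second override riding in a commit titled as a gcc5 fix and should at least be mentioned in the message. The enclosing mkDerivation block starts and ends outside the hunk.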
--- a/pkgs/tools/filesystems/udftools/default.nix +++ b/pkgs/tools/filesystems/udftools/default.nix @@ -10,6 +10,9 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses readline ]; + patches = [ ./gcc5.patch ]; + hardening_fortify = false; + preConfigure = '' sed -e '1i#include ' -i cdrwtool/cdrwtool.c -i pktsetup/pktsetup.c sed -e 's@[(]char[*][)]spm [+]=@spm = ((char*) spm) + @' -i wrudf/wrudf.c diff --git a/pkgs/tools/filesystems/udftools/gcc5.patch b/pkgs/tools/filesystems/udftools/gcc5.patch new file mode 100644 index 00000000000..2c57ff20e13 --- /dev/null +++ b/pkgs/tools/filesystems/udftools/gcc5.patch @@ -0,0 +1,17 @@ +--- udftools-1.0.0b3/libudffs/desc.c 2016-02-07 23:21:38.595391610 +0000 ++++ udftools-1.0.0b3/libudffs/desc.c 2016-02-07 23:21:57.759756269 +0000 +@@ -34,12 +34,12 @@ + #include "libudffs.h" + #include "config.h" + +-inline struct impUseVolDescImpUse *query_iuvdiu(struct udf_disc *disc) ++extern struct impUseVolDescImpUse *query_iuvdiu(struct udf_disc *disc) + { + return (struct impUseVolDescImpUse *)disc->udf_iuvd[0]->impUse; + } + +-inline struct logicalVolIntegrityDescImpUse *query_lvidiu(struct udf_disc *disc) ++extern struct logicalVolIntegrityDescImpUse *query_lvidiu(struct udf_disc *disc) + { + return (struct logicalVolIntegrityDescImpUse *)&(disc->udf_lvid->impUse[le32_to_cpu(disc->udf_lvd[0]->numPartitionMaps) * 2 * sizeof(uint32_t)]); + } From d2f8058cacec7d8841855f52bd0b108cee1c7fb3 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 23:54:10 +0000 Subject: [PATCH 057/603] vxl: update to git version to build with gcc5 --- pkgs/development/libraries/vxl/default.nix | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/pkgs/development/libraries/vxl/default.nix b/pkgs/development/libraries/vxl/default.nix index e181ade4d6c..b9f3c0e64d6 100644 --- a/pkgs/development/libraries/vxl/default.nix +++ b/pkgs/development/libraries/vxl/default.nix 
@@ -1,10 +1,12 @@ -{ stdenv, fetchurl, unzip, cmake, libtiff, expat, zlib, libpng, libjpeg }: +{ stdenv, fetchFromGitHub, unzip, cmake, libtiff, expat, zlib, libpng, libjpeg }: stdenv.mkDerivation { - name = "vxl-1.17.0"; + name = "vxl-1.17.0-nix1"; - src = fetchurl { - url = mirror://sourceforge/vxl/vxl-1.17.0.zip; - sha256 = "1qg7i8h201pa8jljg7vph4rlxk6n5cj9f9gd1hkkmbw6fh44lsxh"; + src = fetchFromGitHub { + owner = "vxl"; + repo = "vxl"; + rev = "777c0beb7c8b30117400f6fc9a6d63bf8cb7c67a"; + sha256 = "0xpkwwb93ka6c3da8zjhfg9jk5ssmh9ifdh1by54sz6c7mbp55m8"; }; buildInputs = [ cmake unzip libtiff expat zlib libpng libjpeg ]; From 94a74cb14db58c001124283defe3456a0fde51d1 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 00:18:44 +0000 Subject: [PATCH 058/603] spidermonkey: turn off format hardening --- pkgs/development/interpreters/spidermonkey/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/interpreters/spidermonkey/default.nix b/pkgs/development/interpreters/spidermonkey/default.nix index b7744ea53c3..81071aafe4e 100644 --- a/pkgs/development/interpreters/spidermonkey/default.nix +++ b/pkgs/development/interpreters/spidermonkey/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "12v6v2ccw1y6ng3kny3xw0lfs58d1klylqq707k0x04m707kydj4"; }; + hardening_format = false; + buildInputs = [ readline ]; postUnpack = "sourceRoot=\${sourceRoot}/src"; From ef0d652f2bb4e6e2f3b93043d5cc4572e2d10b65 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 00:20:53 +0000 Subject: [PATCH 059/603] uucp: turn off format hardening --- pkgs/tools/misc/uucp/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/misc/uucp/default.nix b/pkgs/tools/misc/uucp/default.nix index bf73dbcbf2f..cba343863be 100644 --- a/pkgs/tools/misc/uucp/default.nix +++ b/pkgs/tools/misc/uucp/default.nix 
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
 sha256 = "0b5nhl9vvif1w3wdipjsk8ckw49jj1w85xw1mmqi3zbcpazia306";
 };
- doCheck = true;
+ hardening_format = false;
 meta = {
 description = "Unix-unix cp over serial line, also includes cu program";
From 548d670f949aab1caa56601c6eb16ce5c9ec9216 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Mon, 8 Feb 2016 00:21:29 +0000
Subject: [PATCH 060/603] tasknc: turn off format hardening
---
 pkgs/applications/misc/tasknc/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/applications/misc/tasknc/default.nix b/pkgs/applications/misc/tasknc/default.nix
index f7460618d96..d725bba0307 100644
--- a/pkgs/applications/misc/tasknc/default.nix
+++ b/pkgs/applications/misc/tasknc/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
 sha256 = "0max5schga9hmf3vfqk2ic91dr6raxglyyjcqchzla280kxn5c28";
 };
+ hardening_format = false;
+
 #
 # I know this is ugly, but the Makefile does strange things in this package,
 # so we have to:
From d13d46fea03a6b60cb9caf0c5ca2bde1355d9f87 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Mon, 8 Feb 2016 00:28:41 +0000
Subject: [PATCH 061/603] wordnet: turn off format hardening
---
 pkgs/applications/misc/wordnet/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/applications/misc/wordnet/default.nix b/pkgs/applications/misc/wordnet/default.nix
index b244e9c1bfc..d5edf2a4d58 100644
--- a/pkgs/applications/misc/wordnet/default.nix
+++ b/pkgs/applications/misc/wordnet/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 buildInputs = [tcl tk xlibsWrapper makeWrapper];
+ hardening_format = false;
+
 patchPhase = ''
 sed "13i#define USE_INTERP_RESULT 1" -i src/stubs.c
 '';
From e6345523f2de0b1b201f9b173171bf1a721e4528 Mon Sep 17 00:00:00 2001
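Review bot: The uucp hunk replaces `doCheck = true;` with `hardening_format = false;`, so the package's test suite is switched off in a commit whose subject only mentions format hardening. If the tests failed under the hardened build, that is the thing to record (`# tests disabled: <reason>`); if the line was dropped by accident, `doCheck = true;` should be kept above the new line. Either way a test-suite removal belongs in the commit message. The enclosing mkDerivation block starts and ends outside the hunk.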
From: Robin Gloster Date: Mon, 8 Feb 2016 00:39:17 +0000 Subject: [PATCH 062/603] john: add patch to build with gcc5 --- pkgs/tools/security/john/default.nix | 2 ++ pkgs/tools/security/john/gcc5.patch | 14 ++++++++++++++ 2 files changed, 16 insertions(+) create mode 100644 pkgs/tools/security/john/gcc5.patch diff --git a/pkgs/tools/security/john/default.nix b/pkgs/tools/security/john/default.nix index 2e99208fe11..dfaa56f0c77 100644 --- a/pkgs/tools/security/john/default.nix +++ b/pkgs/tools/security/john/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { sha256 = "08q92sfdvkz47rx6qjn7qv57cmlpy7i7rgddapq5384mb413vjds"; }; + patches = [ ./gcc5.patch ]; + postPatch = '' sed -ri -e ' s!^(#define\s+CFG_[A-Z]+_NAME\s+).*/!\1"'"$out"'/etc/john/! diff --git a/pkgs/tools/security/john/gcc5.patch b/pkgs/tools/security/john/gcc5.patch new file mode 100644 index 00000000000..73da83483f9 --- /dev/null +++ b/pkgs/tools/security/john/gcc5.patch @@ -0,0 +1,14 @@ +diff --git a/src/common.h b/src/common.h +--- a/src/common.h ++++ b/src/common.h +@@ -31,7 +31,9 @@ typedef unsigned long long ARCH_WORD_64; + #define is_aligned(PTR, CNT) ((((ARCH_WORD)(const void *)(PTR))&(CNT-1))==0) + + #ifdef __GNUC__ +-#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 7) || defined(__INTEL_COMPILER) ++#if __GNUC__ >= 5 ++#define MAYBE_INLINE __attribute__((gnu_inline)) inline ++#elif __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 7) || defined(__INTEL_COMPILER) + #define MAYBE_INLINE __attribute__((always_inline)) inline + #elif __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 1) + #define MAYBE_INLINE __attribute__((always_inline)) From 7eb16a4eb822e3c83ebe66b08cbdaa52a8a6f49e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 00:41:02 +0000 Subject: [PATCH 063/603] pngcheck: turn off format hardening --- pkgs/tools/graphics/pngcheck/default.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/pkgs/tools/graphics/pngcheck/default.nix b/pkgs/tools/graphics/pngcheck/default.nix
index 160badaf668..f67e7202521 100644
--- a/pkgs/tools/graphics/pngcheck/default.nix
+++ b/pkgs/tools/graphics/pngcheck/default.nix
@@ -8,9 +8,7 @@ stdenv.mkDerivation rec {
 sha256 = "0pzkj1bb4kdybk6vbfq9s0wzdm5szmrgixkas3xmbpv4mhws1w3p";
 };
- # configurePhase = ''
- # sed -i s,/usr,$out, Makefile
- # '';
+ hardening_format = false;
 makefile = "Makefile.unx";
 makeFlags = "ZPATH=${zlib}/lib";
From 457f340785626eb9ec0039aeb1cb4e3dd1ea7071 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Mon, 8 Feb 2016 00:44:00 +0000
Subject: [PATCH 064/603] prover9: turn off format hardening
---
 pkgs/applications/science/logic/prover9/default.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkgs/applications/science/logic/prover9/default.nix b/pkgs/applications/science/logic/prover9/default.nix
index d92c7887210..f6ec3b840ac 100644
--- a/pkgs/applications/science/logic/prover9/default.nix
+++ b/pkgs/applications/science/logic/prover9/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation {
 sha256 = "1l2i3d3h5z7nnbzilb6z92r0rbx0kh6yaxn2c5qhn3000xcfsay3";
 };
- phases = "unpackPhase patchPhase buildPhase installPhase";
+ hardening_format = false;
 patchPhase = ''
 RM=$(type -tp rm)
@@ -23,6 +23,8 @@ stdenv.mkDerivation {
 buildFlags = "all";
+ checkPhase = "make test1";
+
 installPhase = ''
 mkdir -p $out/bin
 cp bin/* $out/bin
From c3d9533c80dbe68fccba2a9aeb663ab08f159be4 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Mon, 8 Feb 2016 00:45:24 +0000
Subject: [PATCH 065/603] vorbisgain: turn off format hardening
---
 pkgs/tools/misc/vorbisgain/default.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/pkgs/tools/misc/vorbisgain/default.nix b/pkgs/tools/misc/vorbisgain/default.nix
index ea61e063328..292023a1b58 100644
--- a/pkgs/tools/misc/vorbisgain/default.nix
+++ b/pkgs/tools/misc/vorbisgain/default.nix
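Review bot: In the prover9 commit, dropping `phases = "unpackPhase patchPhase buildPhase installPhase";` does more than the subject says: the default phase list now applies, so configurePhase, checkPhase and fixupPhase become active for this package, and the `checkPhase = "make test1";` added in the second hunk will only run if doCheck is enabled somewhere outside these hunks (the generic builder skips the check phase otherwise). If the intent is to run `make test1`, add `doCheck = true;` beside it; if the intent was only the hardening override, keep the `phases` line, and in either case say in the message why the explicit phase list was no longer needed. The enclosing mkDerivation block starts and ends outside the hunks.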
@@ -8,11 +8,14 @@ stdenv.mkDerivation rec { sha256 = "1v1h6mhnckmvvn7345hzi9abn5z282g4lyyl4nnbqwnrr98v0vfx"; }; + hardening_format = false; + buildInputs = [ unzip libogg libvorbis ]; + patchPhase = '' chmod -v +x configure configureFlags="--mandir=$out/share/man" - ''; + ''; meta = with stdenv.lib; { homepage = http://sjeng.org/vorbisgain.html; From 88b976e0db524be526cafc8a6d53b7b26a3fe98e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 09:52:09 +0000 Subject: [PATCH 066/603] allegro: turn off format hardening --- pkgs/development/libraries/allegro/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/allegro/default.nix b/pkgs/development/libraries/allegro/default.nix index deb3a6877e8..50d3eec4f3f 100644 --- a/pkgs/development/libraries/allegro/default.nix +++ b/pkgs/development/libraries/allegro/default.nix @@ -18,6 +18,8 @@ stdenv.mkDerivation rec { xf86dgaproto xf86miscproto xf86vidmodeproto libXxf86vm openal mesa ]; + hardening_format = false; + cmakeFlags = [ "-DCMAKE_SKIP_RPATH=ON" ]; meta = with stdenv.lib; { From ceae7fc2929cfc1c3b7f350f3a79f818a60a9fcf Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 09:52:31 +0000 Subject: [PATCH 067/603] giflib_4_1: turn off format hardening --- pkgs/development/libraries/giflib/4.1.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/development/libraries/giflib/4.1.nix b/pkgs/development/libraries/giflib/4.1.nix index 13cd1c79b6a..114e0e587b6 100644 --- a/pkgs/development/libraries/giflib/4.1.nix +++ b/pkgs/development/libraries/giflib/4.1.nix @@ -2,10 +2,14 @@ stdenv.mkDerivation { name = "giflib-4.1.6"; + src = fetchurl { url = mirror://sourceforge/giflib/giflib-4.1.6.tar.bz2; sha256 = "1v9b7ywz7qg8hli0s9vv1b8q9xxb2xvqq2mg1zpr73xwqpcwxhg1"; }; + + hardening_format = false; + meta = { branch = "4.1"; }; From ee20b0d6a0b0708913f6e81695f855d9ae6ec5aa Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Mon, 8 Feb 2016 09:52:47 +0000 Subject: [PATCH 068/603] wv: turn off format hardening --- pkgs/tools/misc/wv/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/wv/default.nix b/pkgs/tools/misc/wv/default.nix index dbb46cea832..3d828a55121 100644 --- a/pkgs/tools/misc/wv/default.nix +++ b/pkgs/tools/misc/wv/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation { buildInputs = [ zlib imagemagick libpng glib pkgconfig libgsf libxml2 bzip2 ]; + hardening_format = false; + meta = { description = "Converter from Microsoft Word formats to human-editable ones"; }; From b457f695d99ad040bb72b0f3de6cfaefc68ae12c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 09:55:18 +0000 Subject: [PATCH 069/603] clean: turn off format and pic hardening --- pkgs/development/compilers/clean/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/development/compilers/clean/default.nix b/pkgs/development/compilers/clean/default.nix index 7f3e679e847..dcb7350fbbb 100644 --- a/pkgs/development/compilers/clean/default.nix +++ b/pkgs/development/compilers/clean/default.nix @@ -14,6 +14,9 @@ stdenv.mkDerivation rec { }) else throw "Architecture not supported"; + hardening_format = false; + hardening_pic = false; + # clm uses timestamps of dcl, icl, abc and o files to decide what must be rebuild # and for chroot builds all of the library files will have equal timestamps. This # makes clm try to rebuild the library modules (and fail due to absence of write permission From 6c683ef004080b7bc3bfa860f4613df11cd94f8e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 10:15:32 +0000 Subject: [PATCH 070/603] gkrellm: turn off format hardening --- pkgs/applications/misc/gkrellm/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/misc/gkrellm/default.nix b/pkgs/applications/misc/gkrellm/default.nix index 934a7c69c99..7c755a4f3d3 100644 
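Review bot: `hardening_pic = false;` in the clean hunk deserves a reason on the line, because unlike the format check it changes the produced binaries: objects built without PIC cannot be linked position-independent and the resulting executables lose address-space randomisation, whereas the format opt-out only silences a warning-as-error. Presumably Clean's prebuilt or generated object code is not PIC-clean; if so, say that, e.g. `# clean ships/generates non-PIC objects; mixing them with -fPIC code fails to link`. The surrounding derivation continues outside the hunk.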
--- a/pkgs/applications/misc/gkrellm/default.nix +++ b/pkgs/applications/misc/gkrellm/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { buildInputs = [gettext pkgconfig glib gtk libX11 libSM libICE]; + hardening_format = false; + # Makefiles are patched to fix references to `/usr/X11R6' and to add # `-lX11' to make sure libX11's store path is in the RPATH. patchPhase = '' From 1cf63c85be3a8001ef28cb14ac46ab227c6f37d9 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 15:43:12 +0000 Subject: [PATCH 071/603] aacgain: turn off format hardening --- pkgs/applications/audio/aacgain/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/audio/aacgain/default.nix b/pkgs/applications/audio/aacgain/default.nix index 69cc798ec0f..80e3c5dc40a 100644 --- a/pkgs/applications/audio/aacgain/default.nix +++ b/pkgs/applications/audio/aacgain/default.nix @@ -2,6 +2,7 @@ stdenv.mkDerivation { name = "aacgain-1.9.0"; + src = fetchFromGitHub { owner = "mulx"; repo = "aacgain"; @@ -9,6 +10,8 @@ stdenv.mkDerivation { sha256 = "07hl432vsscqg01b6wr99qmsj4gbx0i02x4k565432y6zpfmaxm0"; }; + hardening_format = false; + configurePhase = '' cd mp4v2 ./configure @@ -28,7 +31,7 @@ stdenv.mkDerivation { make LDFLAGS=-static cd .. - make + make ''; installPhase = '' From cccd32b7a1a7883f89cfa876d1c0760c8eee8d1a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 17:19:49 +0000 Subject: [PATCH 072/603] cdrdao: turn off format hardening --- pkgs/tools/cd-dvd/cdrdao/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/cd-dvd/cdrdao/default.nix b/pkgs/tools/cd-dvd/cdrdao/default.nix index 375bbcda7e4..2de5736a4c2 100644 --- a/pkgs/tools/cd-dvd/cdrdao/default.nix +++ b/pkgs/tools/cd-dvd/cdrdao/default.nix 
@@ -12,6 +12,8 @@ stdenv.mkDerivation { buildInputs = [ lame libvorbis libmad pkgconfig libao ]; + hardening_format = false; + # Adjust some headers to match glibc 2.12 ... patch is a diff between # the cdrdao CVS head and the 1.2.3 release. patches = [ ./adjust-includes-for-glibc-212.patch ]; From cbc82aed2244c207e9edfdcc29a10e4311e35faf Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 17:27:52 +0000 Subject: [PATCH 073/603] beanstalkd: turn off fortify --- pkgs/servers/beanstalkd/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/beanstalkd/default.nix b/pkgs/servers/beanstalkd/default.nix index cea7ca0b337..f5693e45168 100644 --- a/pkgs/servers/beanstalkd/default.nix +++ b/pkgs/servers/beanstalkd/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "0n9dlmiddcfl7i0f1lwfhqiwyvf26493fxfcmn8jm30nbqciwfwj"; }; + hardening_fortify = false; + meta = with stdenv.lib; { homepage = http://kr.github.io/beanstalkd/; description = "A simple, fast work queue"; From 8fb28b21b461468a0eb72ba847da5cfe9e474ae9 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 22:52:35 +0000 Subject: [PATCH 074/603] bsdgames: turn off format hardening --- pkgs/games/bsdgames/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/games/bsdgames/default.nix b/pkgs/games/bsdgames/default.nix index 0709692552c..6e138511d03 100644 --- a/pkgs/games/bsdgames/default.nix +++ b/pkgs/games/bsdgames/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation { }) ]; + hardening_format = false; + preConfigure = '' cat > config.params << EOF bsd_games_cfg_man6dir=$out/share/man/man6 From b0eedc4ecb97c8608cc9a7612a4c609a2abf62bf Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 23:07:09 +0000 Subject: [PATCH 075/603] edk2: turn off fortify & format hardening --- pkgs/development/compilers/edk2/default.nix | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) 
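Review bot: `hardening_fortify = false;` in the beanstalkd hunk removes the `_FORTIFY_SOURCE` bounds checks from a network-facing daemon, which is where they matter most, and the commit gives no reason. In practice this failure is often only the "_FORTIFY_SOURCE requires compiling with optimization" warning when the package's own Makefile builds at -O0 with -Werror; if that is the case here, setting `-O2` via `NIX_CFLAGS_COMPILE` or dropping -Werror keeps the protection. The same question applies to the checkinstall and cbfstool opt-outs later in the series, whereas edk2, OVMF and the xen hypervisor are closer to freestanding code where it is more plausible. Either way, quote the error in a comment on the line.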
diff --git a/pkgs/development/compilers/edk2/default.nix b/pkgs/development/compilers/edk2/default.nix index f68681e6023..cf4d0e4f02a 100644 --- a/pkgs/development/compilers/edk2/default.nix +++ b/pkgs/development/compilers/edk2/default.nix @@ -11,7 +11,7 @@ else edk2 = stdenv.mkDerivation { name = "edk2-2014-12-10"; - + src = fetchgit { url = git://github.com/tianocore/edk2; rev = "684a565a04"; @@ -20,9 +20,10 @@ edk2 = stdenv.mkDerivation { buildInputs = [ libuuid pythonFull ]; - buildPhase = '' - make -C BaseTools - ''; + makeFlags = "-C BaseTools"; + + hardening_fortify = false; + hardening_format = false; installPhase = '' mkdir -vp $out From 3fcb0285b2195ed9e3d176338440a96b4cee18fc Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 23:15:13 +0000 Subject: [PATCH 076/603] QmidiNet: turn off format hardening --- pkgs/applications/audio/QmidiNet/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/QmidiNet/default.nix b/pkgs/applications/audio/QmidiNet/default.nix index 4e89f125dd9..c7e282648ad 100644 --- a/pkgs/applications/audio/QmidiNet/default.nix +++ b/pkgs/applications/audio/QmidiNet/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "1a1pj4w74wj1gcfv4a0vzcglmr5sw0xp0y56w8rk3ig4k11xi8sa"; }; + hardening_format = false; + buildInputs = [ qt4 alsaLib libjack2 ]; meta = with stdenv.lib; { From 2f1567ad33d585f93e5314b161fbd2a60fa66e64 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 23:18:03 +0000 Subject: [PATCH 077/603] OVMF: no stackprotector/pic/fortify hardening --- pkgs/applications/virtualization/OVMF/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/applications/virtualization/OVMF/default.nix b/pkgs/applications/virtualization/OVMF/default.nix index 479d625c7de..513242271a1 100644 --- a/pkgs/applications/virtualization/OVMF/default.nix +++ b/pkgs/applications/virtualization/OVMF/default.nix 
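Review bot: The BaseTools selected by the new `makeFlags = "-C BaseTools";` are host-side build utilities linked against the ordinary libc, not firmware, so the freestanding argument for `hardening_fortify = false;` and `hardening_format = false;` does not obviously apply to them; a comment with the failing file and message would let a later reviewer re-enable the checks. Replacing the custom buildPhase with makeFlags is a good simplification.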
@@ -17,6 +17,10 @@ stdenv.mkDerivation (edk2.setup "OvmfPkg/OvmfPkg${targetArch}.dsc" { # TODO: properly include openssl for secureBoot buildInputs = [nasm iasl] ++ stdenv.lib.optionals (secureBoot == true) [ openssl ]; + hardening_stackprotector = false; + hardening_pic = false; + hardening_fortify = false; + unpackPhase = '' for file in \ "${edk2.src}"/{UefiCpuPkg,MdeModulePkg,IntelFrameworkModulePkg,PcAtChipsetPkg,FatBinPkg,EdkShellBinPkg,MdePkg,ShellPkg,OptionRomPkg,IntelFrameworkPkg}; From 37918bdc7a09e34985c57a3fe64000edf92362b3 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 23:27:06 +0000 Subject: [PATCH 078/603] abook: fix compiling with gcc5 --- pkgs/applications/misc/abook/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/applications/misc/abook/default.nix b/pkgs/applications/misc/abook/default.nix index 77e48e49dd8..b8e662a42cd 100644 --- a/pkgs/applications/misc/abook/default.nix +++ b/pkgs/applications/misc/abook/default.nix @@ -11,6 +11,11 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig ncurses readline ]; + # Changed inline semantics in GCC5, need to export symbols for inline funcs + postPatch = '' + substituteInPlace database.c --replace inline extern + ''; + meta = { homepage = "http://abook.sourceforge.net/"; description = "Text-based addressbook program designed to use with mutt mail client"; From 09a3349a7916366ab63063625806cff7a86cb25d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 00:08:56 +0000 Subject: [PATCH 079/603] tetex: turn off format hardening --- pkgs/tools/typesetting/tex/tetex/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/typesetting/tex/tetex/default.nix b/pkgs/tools/typesetting/tex/tetex/default.nix index 8d6c88a0004..cffe0b39d22 100644 --- a/pkgs/tools/typesetting/tex/tetex/default.nix +++ b/pkgs/tools/typesetting/tex/tetex/default.nix 
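Review bot: The three OVMF switches (`hardening_stackprotector`, `hardening_pic`, `hardening_fortify`) are turned off with no comment; for a freestanding UEFI image the reason is presumably sound — there is no libc to provide `_FORTIFY_SOURCE` wrappers or `__stack_chk_fail`, and the edk2 build handles relocation itself — but that reasoning belongs on the lines so nobody re-enables them blindly or copies the opt-out elsewhere. Suggested comment: `# freestanding firmware image: host-toolchain stack-protector, fortify and PIC do not apply (no libc/TLS)`.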
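Review bot: In the abook hunk, `substituteInPlace database.c --replace inline extern` rewrites every occurrence of the substring `inline` in database.c, including inside comments, identifiers and any `static inline` (which becomes the invalid `static extern`); it only works if the file happens to contain nothing but the bare `inline` definitions GCC 5 complains about. A line-anchored `sed -i 's/^inline /extern /' database.c` or a small patch would be safer, and the comment above it should name the symbols affected.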
@@ -2,7 +2,7 @@ stdenv.mkDerivation { name = "tetex-3.0"; - + src = fetchurl { url = ftp://cam.ctan.org/tex-archive/systems/unix/teTeX/current/distrib/tetex-src-3.0.tar.gz; md5 = "944a4641e79e61043fdaf8f38ecbb4b3"; @@ -15,6 +15,8 @@ stdenv.mkDerivation { buildInputs = [ flex bison zlib libpng ncurses ed ]; + hardening_format = false; + # fixes "error: conflicting types for 'calloc'", etc. preBuild = stdenv.lib.optionalString stdenv.isDarwin '' sed -i 57d texk/kpathsea/c-std.h From 2ff12752921b558d0e7f8953f02c2db813eccc61 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 00:45:13 +0000 Subject: [PATCH 080/603] bloodspilot-server: fix on gcc5 --- pkgs/games/xpilot/bloodspilot-server.nix | 34 +++++++------ pkgs/games/xpilot/server-gcc5.patch | 65 ++++++++++++++++++++++++ 2 files changed, 84 insertions(+), 15 deletions(-) create mode 100644 pkgs/games/xpilot/server-gcc5.patch diff --git a/pkgs/games/xpilot/bloodspilot-server.nix b/pkgs/games/xpilot/bloodspilot-server.nix index 3c811f1ba2e..42bcb326316 100644 --- a/pkgs/games/xpilot/bloodspilot-server.nix +++ b/pkgs/games/xpilot/bloodspilot-server.nix 
@@ -1,23 +1,27 @@ -{stdenv, fetchurl, expat}: -let - buildInputs = [ - expat - ]; -in +{ stdenv, fetchurl, expat }: + stdenv.mkDerivation rec { - version = "1.4.6"; name = "bloodspilot-xpilot-fxi-server-${version}"; - inherit buildInputs; + version = "1.4.6"; + src = fetchurl { url = "mirror://sourceforge/project/bloodspilot/server/server%20v${version}/xpilot-${version}fxi.tar.gz"; sha256 = "0d7hnpshifq6gy9a0g6il6h1hgqqjyys36n8w84hr8d4nhg4d1ji"; }; - meta = { - inherit version; - description = ''A multiplayer X11 space combat game (server part)''; - homepage = "http://bloodspilot.sf.net/"; - license = stdenv.lib.licenses.gpl2Plus ; - maintainers = [stdenv.lib.maintainers.raskin]; - platforms = stdenv.lib.platforms.linux; + + buildInputs = [ + expat + ]; + + patches = [ + ./server-gcc5.patch + ]; + + meta = with stdenv.lib; { + description = "A multiplayer X11 space combat game (server part)"; + homepage = http://bloodspilot.sf.net/; + license = licenses.gpl2Plus ; + maintainers = [ maintainers.raskin ]; + platforms = platforms.linux; }; } diff --git a/pkgs/games/xpilot/server-gcc5.patch b/pkgs/games/xpilot/server-gcc5.patch new file mode 100644 index 00000000000..5618399bfec --- /dev/null +++ b/pkgs/games/xpilot/server-gcc5.patch 
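Review bot: `patches = [ ./server-gcc5.patch ];` is the only functional change in a hunk that otherwise reorders the whole file, and it has no comment; add `# GCC 5 (C99 inline semantics) no longer emits these inline functions; see server-gcc5.patch` so the patch can be dropped when upstream fixes it. Splitting the reformat from the fix would also have left a one-line diff that is easy to review.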
@@ -0,0 +1,65 @@ +--- xpilot-1.4.6fxi/src/common/net.c 2016-02-09 00:20:43.531714342 +0000 ++++ xpilot-1.4.6fxi/src/common/net.c 2016-02-09 00:21:15.301331053 +0000 +@@ -608,9 +608,9 @@ + } + + #if STDVA +-inline int32_t Packet_scanf(sockbuf_t *sbuf, const char *fmt, ...) ++extern int32_t Packet_scanf(sockbuf_t *sbuf, const char *fmt, ...) + #else +-inline int32_t Packet_scanf(va_alist) ++extern int32_t Packet_scanf(va_alist) + va_dcl + #endif + { +--- xpilot-1.4.6fxi/src/server/collision.c 2016-02-09 00:22:29.581784405 +0000 ++++ xpilot-1.4.6fxi/src/server/collision.c 2016-02-09 00:22:38.152952500 +0000 +@@ -71,7 +71,7 @@ + * p: first object, q: second object + */ + +-inline int32_t Collision_occured(int32_t p1x, int32_t p1y, int32_t p2x, int32_t p2y, ++extern int32_t Collision_occured(int32_t p1x, int32_t p1y, int32_t p2x, int32_t p2y, + int32_t q1x, int32_t q1y, int32_t q2x, int32_t q2y, int32_t r) + { + int32_t fac1, fac2; /* contraction between the distance between the x and y coordinates of objects */ +--- xpilot-1.4.6fxi/src/server/player.c 2016-02-09 00:25:29.546313808 +0000 ++++ xpilot-1.4.6fxi/src/server/player.c 2016-02-09 00:25:40.464527932 +0000 +@@ -1411,12 +1411,12 @@ + return NULL; + } + +-inline bool Player_idle_timed_out(player_t *pl) ++extern bool Player_idle_timed_out(player_t *pl) + { + return (frame_loops - pl->frame_last_busy > MAX_PLAYER_IDLE_TICKS && (NumPlayers > 1)) ? true : false; + } + +-inline bool Player_is_recovered(player_t *pl) ++extern bool Player_is_recovered(player_t *pl) + { + return (pl->recovery_count <= 0.0) ? 
true : false; + } +--- xpilot-1.4.6fxi/src/server/score.c 2016-02-09 00:21:45.659923025 +0000 ++++ xpilot-1.4.6fxi/src/server/score.c 2016-02-09 00:22:07.224345939 +0000 +@@ -24,17 +24,17 @@ + char msg[MSG_LEN]; + + +-inline double Get_Score(player_t *pl) ++extern double Get_Score(player_t *pl) + { + return pl->score; + } + +-inline void Score_set(player_t * pl, double score) ++extern void Score_set(player_t * pl, double score) + { + pl->score = score; + } + +-inline void Score_add(player_t * pl, double score) ++extern void Score_add(player_t * pl, double score) + { + pl->score += score; + } From 5b535580fdba11419088c94cc6ce68bf333121a1 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:00:21 +0000 Subject: [PATCH 081/603] cbfstool: turn off fortify --- pkgs/applications/virtualization/cbfstool/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/virtualization/cbfstool/default.nix b/pkgs/applications/virtualization/cbfstool/default.nix index d99f569d7e6..01832b55292 100644 --- a/pkgs/applications/virtualization/cbfstool/default.nix +++ b/pkgs/applications/virtualization/cbfstool/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ iasl flex bison ]; + hardening_fortify = false; + buildPhase = '' export LEX=${flex}/bin/flex make -C util/cbfstool From 9c3ab539606718e13eda16849c6140966043d6fa Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:02:56 +0000 Subject: [PATCH 082/603] cccc: turn off format hardening --- pkgs/development/tools/analysis/cccc/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/development/tools/analysis/cccc/default.nix b/pkgs/development/tools/analysis/cccc/default.nix index c672c7964e7..a4d88f5d2ea 100644 --- a/pkgs/development/tools/analysis/cccc/default.nix +++ b/pkgs/development/tools/analysis/cccc/default.nix 
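Review bot: Replacing `inline` with `extern` on these definitions is a conservative fix — under GCC 5's default C99 inline semantics a plain `inline` definition emits no out-of-line copy, so callers in other translation units fail to link — but it silently drops the inlining hint from Packet_scanf, Collision_occured and the score helpers, which sit on the server's network and physics paths. Building with `NIX_CFLAGS_COMPILE = "-std=gnu89";` (the approach the rcs commit later in the series takes with gnu99) may keep the original semantics without a source patch; whichever is chosen, record it in the .nix file. The patch paths carry a single `xpilot-1.4.6fxi/` prefix, so the default `-p1` strip applies correctly.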
@@ -11,7 +11,11 @@ stdenv.mkDerivation { url = "mirror://sourceforge/${name}/${version}/${name}-${version}.tar.gz"; sha256 = "1gsdzzisrk95kajs3gfxks3bjvfd9g680fin6a9pjrism2lyrcr7"; }; + + hardening_format = false; + patches = [ ./cccc.patch ]; + preConfigure = '' substituteInPlace install/install.mak --replace /usr/local/bin $out/bin substituteInPlace install/install.mak --replace MKDIR=mkdir "MKDIR=mkdir -p" From 6be9164b973d122313c4cebdf1f88d3a0ee885aa Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:03:24 +0000 Subject: [PATCH 083/603] checkinstall: turn off fortify --- pkgs/tools/package-management/checkinstall/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/package-management/checkinstall/default.nix b/pkgs/tools/package-management/checkinstall/default.nix index dc3373c3b6f..f1d7985e9a5 100644 --- a/pkgs/tools/package-management/checkinstall/default.nix +++ b/pkgs/tools/package-management/checkinstall/default.nix @@ -44,6 +44,8 @@ stdenv.mkDerivation { buildInputs = [gettext]; + hardening_fortify = false; + preBuild = '' makeFlagsArray=(PREFIX=$out) From 82daf82e61e0dd67eea17fc232b2e37f68191cf7 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:10:57 +0000 Subject: [PATCH 084/603] xen: turn off fortify --- pkgs/applications/virtualization/xen/generic.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix index 1f5553beb04..e7b34be74be 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic.nix @@ -76,6 +76,7 @@ stdenv.mkDerivation { pythonPath = [ pythonPackages.curses ]; hardening_stackprotector = false; + hardening_fortify = false; patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches; From f39da3be76576a121ad0ea43cfd20f4ce64e8d2a Mon Sep 17 00:00:00 2001 
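Review bot: In the xen hunk `hardening_fortify = false;` applies to the whole derivation, which presumably builds the userspace toolstack (the `pythonPath` context line suggests the Python bindings are included) alongside the hypervisor; the freestanding hypervisor cannot use `_FORTIFY_SOURCE`, but the daemons and libraries that parse guest-controlled input can, and they lose it too. If the failure is confined to the hypervisor tree, prefer passing the flag only to that sub-build; at minimum, name the failing component in a comment next to the existing `hardening_stackprotector = false;`.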
From: Robin Gloster Date: Tue, 9 Feb 2016 01:20:59 +0000 Subject: [PATCH 085/603] valgrind: turn off stackprotector --- pkgs/development/tools/analysis/valgrind/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/tools/analysis/valgrind/default.nix b/pkgs/development/tools/analysis/valgrind/default.nix index b4b56be9c6d..2896f4ff271 100644 --- a/pkgs/development/tools/analysis/valgrind/default.nix +++ b/pkgs/development/tools/analysis/valgrind/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { outputs = [ "out" "doc" ]; + hardening_stackprotector = false; + # Perl is needed for `cg_annotate'. # GDB is needed to provide a sane default for `--db-command'. nativeBuildInputs = [ perl ]; From 70e6a117fa30a21f5105f9b735a1bac60c352099 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:22:40 +0000 Subject: [PATCH 086/603] cwiid: reformat and turn off format hardening --- pkgs/development/libraries/cwiid/default.nix | 52 +++++++++++--------- 1 file changed, 30 insertions(+), 22 deletions(-) diff --git a/pkgs/development/libraries/cwiid/default.nix b/pkgs/development/libraries/cwiid/default.nix index a86bdc8e035..0b7d96b5cc1 100644 --- a/pkgs/development/libraries/cwiid/default.nix +++ b/pkgs/development/libraries/cwiid/default.nix 
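Review bot: `hardening_stackprotector = false;` in the valgrind hunk has no explanation; valgrind's tool executables and preload libraries are built without libc, so `-fstack-protector` presumably fails on an unresolved `__stack_chk_fail`, and that is worth writing down so the opt-out is not copied to packages where it does not hold. Suggested comment: `# valgrind's tools are freestanding (no libc), so -fstack-protector cannot resolve __stack_chk_fail`.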
@@ -1,26 +1,34 @@ { stdenv, autoreconfHook, fetchgit, bison, flex, bluez, pkgconfig, gtk }: stdenv.mkDerivation rec { - name = "cwiid-2010-02-21-git"; - src = fetchgit { - url = https://github.com/abstrakraft/cwiid; - sha256 = "6f5355d036dab017da713c49d3042011fa24fb732ed0d5ee338ab6f5ff400f06"; - rev = "fadf11e89b579bcc0336a0692ac15c93785f3f82"; - }; - configureFlags = "--without-python"; - prePatch = '' - sed -i -e '/$(LDCONFIG)/d' common/include/lib.mak.in - ''; - buildInputs = [ autoreconfHook bison flex bluez pkgconfig gtk ]; - postInstall = '' - # Some programs (for example, cabal-install) have problems with the double 0 - sed -i -e "s/0.6.00/0.6.0/" $out/lib/pkgconfig/cwiid.pc - ''; - meta = { - description = "Linux Nintendo Wiimote interface"; - homepage = http://cwiid.org; - license = stdenv.lib.licenses.gpl2Plus; - maintainers = [ stdenv.lib.maintainers.bennofs ]; - platforms = stdenv.lib.platforms.linux; - }; + name = "cwiid-2010-02-21-git"; + + src = fetchgit { + url = https://github.com/abstrakraft/cwiid; + sha256 = "6f5355d036dab017da713c49d3042011fa24fb732ed0d5ee338ab6f5ff400f06"; + rev = "fadf11e89b579bcc0336a0692ac15c93785f3f82"; + }; + + hardening_format = false; + + configureFlags = "--without-python"; + + prePatch = '' + sed -i -e '/$(LDCONFIG)/d' common/include/lib.mak.in + ''; + + buildInputs = [ autoreconfHook bison flex bluez pkgconfig gtk ]; + + postInstall = '' + # Some programs (for example, cabal-install) have problems with the double 0 + sed -i -e "s/0.6.00/0.6.0/" $out/lib/pkgconfig/cwiid.pc + ''; + + meta = { + description = "Linux Nintendo Wiimote interface"; + homepage = http://cwiid.org; + license = stdenv.lib.licenses.gpl2Plus; + maintainers = [ stdenv.lib.maintainers.bennofs ]; + platforms = stdenv.lib.platforms.linux; + }; } From e06726ba15d424f762c6fcc63e77270f3bcab7ba Mon Sep 17 00:00:00 2001 
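Review bot: The cwiid reformat and the `hardening_format = false;` opt-out land in one hunk, so the single functional change is buried in fifty lines of re-indentation; committing the reformat separately would have left a one-line diff. The opt-out also lacks the reason-comment the rest of this series needs. As a side note, the `sha256` here is 64 hex digits rather than the base32 form used elsewhere; Nix accepts it, but it is the odd one out.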
From: Robin Gloster Date: Tue, 9 Feb 2016 01:23:58 +0000 Subject: [PATCH 087/603] rcs: use std=gnu99 to compile with gcc5 --- pkgs/applications/version-management/rcs/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/applications/version-management/rcs/default.nix b/pkgs/applications/version-management/rcs/default.nix index a829af8aa23..3e66f85ff73 100644 --- a/pkgs/applications/version-management/rcs/default.nix +++ b/pkgs/applications/version-management/rcs/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { doCheck = true; - NIX_CFLAGS_COMPILE = if stdenv.isDarwin then "-std=gnu99" else null; + NIX_CFLAGS_COMPILE = "-std=gnu99"; meta = { homepage = http://www.gnu.org/software/rcs/; From e046d4fcea85f8b59267565ce2d14ae467e7f474 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:26:02 +0000 Subject: [PATCH 088/603] cyclone: turn off format hardening --- pkgs/applications/audio/pd-plugins/cyclone/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/pd-plugins/cyclone/default.nix b/pkgs/applications/audio/pd-plugins/cyclone/default.nix index b90c6a0ea36..721ef89515e 100644 --- a/pkgs/applications/audio/pd-plugins/cyclone/default.nix +++ b/pkgs/applications/audio/pd-plugins/cyclone/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ puredata ]; + hardening_format = false; + patchPhase = '' for file in `grep -r -l g_canvas.h` do From 3fb8ce5aaed6899176611026471f7270c312d5e0 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:26:35 +0000 Subject: [PATCH 089/603] db44, db47: turn off format hardening --- pkgs/development/libraries/db/db-4.4.nix | 1 + pkgs/development/libraries/db/db-4.7.nix | 1 + 2 files changed, 2 insertions(+) diff --git a/pkgs/development/libraries/db/db-4.4.nix b/pkgs/development/libraries/db/db-4.4.nix index 757b1f71405..327da38e986 100644 --- a/pkgs/development/libraries/db/db-4.4.nix 
+++ b/pkgs/development/libraries/db/db-4.4.nix @@ -5,4 +5,5 @@ import ./generic.nix (args // rec { extraPatches = [ ./cygwin-4.4.patch ]; sha256 = "0y9vsq8dkarx1mhhip1vaciz6imbbyv37c1dm8b20l7p064bg2i9"; branch = "4.4"; + drvArgs = { hardening_format = false; }; }) diff --git a/pkgs/development/libraries/db/db-4.7.nix b/pkgs/development/libraries/db/db-4.7.nix index 9a7d586cd04..0735099729a 100644 --- a/pkgs/development/libraries/db/db-4.7.nix +++ b/pkgs/development/libraries/db/db-4.7.nix @@ -4,4 +4,5 @@ import ./generic.nix (args // rec { version = "4.7.25"; sha256 = "0gi667v9cw22c03hddd6xd6374l0pczsd56b7pba25c9sdnxjkzi"; branch = "4.7"; + drvArgs = { hardening_format = false; }; }) From dda7a039b73688e56fed6f549171cf2b87bbdb6b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:32:47 +0000 Subject: [PATCH 090/603] ddccontrol: turn off format hardening --- pkgs/tools/misc/ddccontrol/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/tools/misc/ddccontrol/default.nix b/pkgs/tools/misc/ddccontrol/default.nix index 2d5d10054b5..d537c0f506f 100644 --- a/pkgs/tools/misc/ddccontrol/default.nix +++ b/pkgs/tools/misc/ddccontrol/default.nix @@ -16,10 +16,12 @@ let version = "0.4.2"; in stdenv.mkDerivation { name = "ddccontrol-${version}"; + src = fetchurl { url = "mirror://sourceforge/ddccontrol/ddccontrol-${version}.tar.bz2"; sha1 = "fd5c53286315a61a18697a950e63ed0c8d5acff1"; }; + buildInputs = [ intltool @@ -35,6 +37,8 @@ stdenv.mkDerivation { ddccontrol-db ]; + hardening_format = false; + prePatch = '' newPath=$(echo "${ddccontrol-db}/share/ddccontrol-db" | sed "s/\\//\\\\\\//g") mv configure.ac configure.ac.old From 0afc644cfdb790f9405956e3551eadcdf6b2ba79 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:35:33 +0000 Subject: [PATCH 091/603] cbc: turn off format hardening --- pkgs/applications/science/math/cbc/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
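Review bot: Both db hunks pass `drvArgs = { hardening_format = false; };` into `./generic.nix`, but generic.nix is not among the two files in the commit's diffstat, so the attribute only takes effect if generic.nix already merges a `drvArgs` set into its mkDerivation call; otherwise it is silently ignored, or fails evaluation if generic.nix destructures its arguments without `...`. Worth confirming before merge, and a comment on the line would help: `# forwarded to mkDerivation by generic.nix`.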
diff --git a/pkgs/applications/science/math/cbc/default.nix b/pkgs/applications/science/math/cbc/default.nix index 0d1ef26092e..f294750928e 100644 --- a/pkgs/applications/science/math/cbc/default.nix +++ b/pkgs/applications/science/math/cbc/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation { enableParallelBuilding = true; + hardening_format = false; + buildInputs = [ zlib bzip2 ]; # FIXME: move share/coin/Data to a separate output? From 3e8a2e73a6c5c31d1a6e43be7a21fd4222e4daab Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:55:15 +0000 Subject: [PATCH 092/603] editres: turn off format hardening --- pkgs/tools/graphics/editres/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/graphics/editres/default.nix b/pkgs/tools/graphics/editres/default.nix index 64222185044..c3d9a859f3f 100644 --- a/pkgs/tools/graphics/editres/default.nix +++ b/pkgs/tools/graphics/editres/default.nix @@ -10,7 +10,9 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libXt libXaw libXres utilmacros ]; - preConfigure = "configureFlags=--with-appdefaultdir=$out/share/X11/app-defaults/editres"; + configureFlags = "--with-appdefaultdir=$(out)/share/X11/app-defaults/editres"; + + hardening_format = false; meta = { homepage = "http://cgit.freedesktop.org/xorg/app/editres/"; From 6951a7d1c1838bb6fd1c6f9a161a145ae5476747 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 02:03:28 +0000 Subject: [PATCH 093/603] epdfview: turn off format hardening --- pkgs/applications/misc/epdfview/default.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/misc/epdfview/default.nix b/pkgs/applications/misc/epdfview/default.nix index da198e6d88b..7810284973f 100644 --- a/pkgs/applications/misc/epdfview/default.nix +++ b/pkgs/applications/misc/epdfview/default.nix 
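Review bot: The editres line `configureFlags = "--with-appdefaultdir=$(out)/share/X11/app-defaults/editres";` relies on a non-obvious trick: `$(out)` is passed verbatim to ./configure (a Nix string is not shell-expanded) and presumably only resolves when the generated Makefile reads the exported `out` environment variable as a make variable. That works but surprises readers, and breaks if configure ever quotes or validates the path, so say so: `# $(out) is expanded by make at build time, not by the shell`. The previous preConfigure achieved the same by letting bash expand `$out`.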
@@ -1,11 +1,17 @@ { stdenv, fetchurl, fetchpatch, pkgconfig, gtk, poppler }: + stdenv.mkDerivation rec { name = "epdfview-0.1.8"; + src = fetchurl { url = "http://trac.emma-soft.com/epdfview/chrome/site/releases/${name}.tar.bz2"; sha256 = "1w7qybh8ssl4dffi5qfajq8mndw7ipsd92vkim03nywxgjp4i1ll"; }; + buildInputs = [ pkgconfig gtk poppler ]; + + hardening_format = false; + patches = [ (fetchpatch { name = "epdfview-0.1.8-glib2-headers.patch"; url = "https://projects.archlinux.org/svntogit/community.git/plain/trunk/epdfview-0.1.8-glib2-headers.patch?h=packages/epdfview&id=40ba115c860bdec31d03a30fa594a7ec2864d634"; @@ -17,13 +23,14 @@ stdenv.mkDerivation rec { sha256 = "07yvgvai2bvbr5fa1mv6lg7nqr0qyryjn1xyjlh8nidg9k9vv001"; }) ]; + meta = { homepage = http://trac.emma-soft.com/epdfview/; description = "A lightweight PDF document viewer using Poppler and GTK+"; longDescription = '' ePDFView is a free lightweight PDF document viewer using Poppler and GTK+ libraries. The aim of ePDFView is to make a simple PDF document - viewer, in the lines of Evince but without using the Gnome libraries. + viewer, in the lines of Evince but without using the Gnome libraries. ''; license = stdenv.lib.licenses.gpl2; maintainers = with stdenv.lib.maintainers; [ astsmtl ]; From a626fc981348bb7a2b2af5873be36eb32a9e5531 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 02:14:32 +0000 Subject: [PATCH 094/603] a2ps: turn off format hardening --- pkgs/tools/text/a2ps/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/text/a2ps/default.nix b/pkgs/tools/text/a2ps/default.nix index 7de6a8dd574..bcbf2b66a86 100644 --- a/pkgs/tools/text/a2ps/default.nix +++ b/pkgs/tools/text/a2ps/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { buildInputs = [ libpaper gperf file ]; + hardening_format = false; + meta = with stdenv.lib; { description = "An Anyithing to PostScript converter and pretty-printer"; longDescription = '' 
From a2bc57b15a099fbe6395f50c519f6ff9e0e0ecdf Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 02:21:31 +0000 Subject: [PATCH 095/603] firebird: turn off format hardening --- pkgs/servers/firebird/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/firebird/default.nix b/pkgs/servers/firebird/default.nix index 3e778317169..e557a2a0061 100644 --- a/pkgs/servers/firebird/default.nix +++ b/pkgs/servers/firebird/default.nix @@ -65,6 +65,8 @@ stdenv.mkDerivation rec { sha256 = "0887a813wffp44hnc2gmwbc4ylpqw3fh3hz3bf6q3648344a9fdv"; }; + hardening_format = false; + # configurePhase = '' # sed -i 's@cp /usr/share/automake-.*@@' autogen.sh # sh autogen.sh $configureFlags --prefix=$out From 75f8122c2c49dfb07c56a95f161920851e805705 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 02:24:58 +0000 Subject: [PATCH 096/603] cinepaint: turn off format hardening --- pkgs/applications/graphics/cinepaint/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/graphics/cinepaint/default.nix b/pkgs/applications/graphics/cinepaint/default.nix index f1ca27eed80..7b8281b4e3c 100644 --- a/pkgs/applications/graphics/cinepaint/default.nix +++ b/pkgs/applications/graphics/cinepaint/default.nix @@ -18,14 +18,14 @@ stdenv.mkDerivation rec { libXext libXpm libXau libXxf86vm pixman libpthreadstubs fltk ]; + hardening_format = false; + patches = [ ./install.patch ]; nativeBuildInputs = [ cmake pkgconfig ]; NIX_LDFLAGS = "-llcms -ljpeg -lX11"; - # NIX_CFLAGS_COMPILE = "-I."; - meta = { homepage = http://www.cinepaint.org/; license = stdenv.lib.licenses.free; From 37cdc1678066bc7bfd4095bc13351a61d9cd6a06 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 10:29:15 +0000 Subject: [PATCH 097/603] alpine: turn off fortify/format hardening --- .../networking/mailreaders/alpine/default.nix | 32 ++++++++++--------- 1 file changed, 17 insertions(+), 15 deletions(-) 
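Review bot: `hardening_format = false;` in the firebird derivation drops -Werror=format-security for a network-facing database server without recording why, so a later reader cannot tell whether a real format-string bug was papered over or the build merely tripped on a warning in a non-literal format argument. Put the reason next to the flag, e.g. `# -Werror=format-security fails the build in <file>; TODO: patch the non-literal format strings instead of disabling`, and if the offending call sites are few, prefer a patch so the shipped binary keeps the check. Format-string bugs in a daemon that parses client-supplied data are directly exploitable, which is exactly what this mitigation exists to catch.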
diff --git a/pkgs/applications/networking/mailreaders/alpine/default.nix b/pkgs/applications/networking/mailreaders/alpine/default.nix index 03c2c21aed0..c77b51d7064 100644 --- a/pkgs/applications/networking/mailreaders/alpine/default.nix +++ b/pkgs/applications/networking/mailreaders/alpine/default.nix @@ -1,35 +1,37 @@ {stdenv, fetchurl, ncurses, tcl, openssl, pam, pkgconfig, gettext, kerberos , openldap }: + let - s = - rec { - version = "2.00"; + version = "2.00"; + baseName = "alpine"; +in +stdenv.mkDerivation { + name = "${baseName}-${version}"; + + src = fetchurl { url = "ftp://ftp.cac.washington.edu/alpine/alpine-${version}.tar.bz2"; sha256 = "19m2w21dqn55rhxbh5lr9qarc2fqa9wmpj204jx7a0zrb90bhpf8"; - baseName = "alpine"; - name = "${baseName}-${version}"; }; + buildInputs = [ ncurses tcl openssl pam kerberos openldap ]; -in -stdenv.mkDerivation { - inherit (s) name version; - inherit buildInputs; - src = fetchurl { - inherit (s) url sha256; - }; + + hardening_format = false; + hardening_fortify = false; + configureFlags = [ "--with-ssl-include-dir=${openssl}/include/openssl" "--with-tcl-lib=${tcl.libPrefix}" - ]; + ]; + preConfigure = '' export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s" ''; + meta = { - inherit (s) version; - description = ''Console mail reader''; + description = "Console mail reader"; license = stdenv.lib.licenses.asl20; maintainers = [stdenv.lib.maintainers.raskin]; platforms = stdenv.lib.platforms.linux; From e264f1077bddb05aaa3c86625db6b9a014074996 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 10:29:34 +0000 Subject: [PATCH 098/603] bochs: turn off format hardening --- pkgs/applications/virtualization/bochs/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/virtualization/bochs/default.nix b/pkgs/applications/virtualization/bochs/default.nix index b876403d632..f5740dda4e9 100644 --- a/pkgs/applications/virtualization/bochs/default.nix 
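Review bot: The new `hardening_format = false;` and `hardening_fortify = false;` switch off both format-string checking and _FORTIFY_SOURCE for a mail reader whose c-client code parses untrusted IMAP/POP/MIME input, and the hunk gives no reason for either. Fortify adds run-time bounds checks on the str*/mem*/printf-family calls and usually only produces warnings rather than hard errors, so if warnings were the motivation the fortify line should go; otherwise record the failing file beside the flags, e.g. `# build fails with -D_FORTIFY_SOURCE=2 / -Werror=format-security in <file>; TODO: patch instead`. If the problem is a handful of `printf(buf)`-style calls (an assumption, the hunk does not show the error), a small patch would keep both mitigations in the binary.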
+++ b/pkgs/applications/virtualization/bochs/default.nix @@ -145,7 +145,9 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE="-I${gtk}/include/gtk-2.0/ -I${libtool}/include/"; NIX_LDFLAGS="-L${libtool}/lib"; - + + hardening_format = false; + meta = with stdenv.lib; { description = "An open-source IA-32 (x86) PC emulator"; longDescription = '' From a29786ebf6fed781ce84a1bfef0ddea1911e0572 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 10:59:09 +0000 Subject: [PATCH 099/603] boost-build: turn off format hardening --- pkgs/development/tools/boost-build/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/tools/boost-build/default.nix b/pkgs/development/tools/boost-build/default.nix index 723219336bb..aa590543e00 100644 --- a/pkgs/development/tools/boost-build/default.nix +++ b/pkgs/development/tools/boost-build/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "10sbbkx2752r4i1yshyp47nw29lyi1p34sy6hj7ivvnddiliayca"; }; + hardening_format = false; + patchPhase = '' grep -r '/usr/share/boost-build' \ | awk '{split($0,a,":"); print a[1];}' \ From 99fdd5694e7acc6bc7576579ee1f62f0a96218c3 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 11:00:12 +0000 Subject: [PATCH 100/603] gcc44: turn off format hardening --- pkgs/development/compilers/gcc/4.4/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/gcc/4.4/default.nix b/pkgs/development/compilers/gcc/4.4/default.nix index 47c8c86a95d..fe79e9bcd72 100644 --- a/pkgs/development/compilers/gcc/4.4/default.nix +++ b/pkgs/development/compilers/gcc/4.4/default.nix @@ -103,6 +103,8 @@ stdenv.mkDerivation ({ inherit langC langCC langFortran langJava langAda; }; + hardening_format = false; + patches = [ ./pass-cxxcpp.patch From c9aceaea8643ddeecd5d6989be190ea3e95c6284 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Tue, 9 Feb 2016 11:04:13 +0000 Subject: [PATCH 101/603] gitAndTools.qgit: turn off format hardening --- .../git-and-tools/qgit/default.nix | 29 +++++++++++-------- 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/pkgs/applications/version-management/git-and-tools/qgit/default.nix b/pkgs/applications/version-management/git-and-tools/qgit/default.nix index a7e6a62ce5f..6240baac8f1 100644 --- a/pkgs/applications/version-management/git-and-tools/qgit/default.nix +++ b/pkgs/applications/version-management/git-and-tools/qgit/default.nix @@ -2,21 +2,26 @@ stdenv.mkDerivation rec { name = "qgit-2.5"; - meta = - { + + src = fetchurl { + url = "http://libre.tibirna.org/attachments/download/9/${name}.tar.gz"; + sha256 = "25f1ca2860d840d87b9919d34fc3a1b05d4163671ed87d29c3e4a8a09e0b2499"; + }; + + buildInputs = [qt libXext libX11]; + + hardening_format = false; + + configurePhase = "qmake PREFIX=$out"; + + installPhase = '' + install -s -D -m 755 bin/qgit "$out/bin/qgit" + ''; + + meta = { license = stdenv.lib.licenses.gpl2; homepage = "http://libre.tibirna.org/projects/qgit/wiki/QGit"; description = "Graphical front-end to Git"; inherit (qt.meta) platforms; }; - src = fetchurl - { - url = "http://libre.tibirna.org/attachments/download/9/${name}.tar.gz"; - sha256 = "25f1ca2860d840d87b9919d34fc3a1b05d4163671ed87d29c3e4a8a09e0b2499"; - }; - buildInputs = [qt libXext libX11]; - configurePhase = "qmake PREFIX=$out"; - installPhase = '' - install -s -D -m 755 bin/qgit "$out/bin/qgit" - ''; } From 0e28c9abd8ab816cf024c771409cef2835d25b80 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 11:10:09 +0000 Subject: [PATCH 102/603] giv: turn off format hardening --- pkgs/applications/graphics/giv/default.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pkgs/applications/graphics/giv/default.nix b/pkgs/applications/graphics/giv/default.nix index 2e9d55a3f3f..c33da655222 100644 
--- a/pkgs/applications/graphics/giv/default.nix +++ b/pkgs/applications/graphics/giv/default.nix @@ -9,8 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1q0806b66ajppxbv1i71wx5d3ydc1h3hsz23m6g4g80dhiai7dly"; }; - # It built code to be put in a shared object without -fPIC - NIX_CFLAGS_COMPILE = "-fPIC"; + hardening_format = false; prePatch = '' sed -i s,/usr/bin/perl,${perl}/bin/perl, doc/eperl From 9b597ee8a5650fa75818e38860a96b5b2b3ff532 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 14:09:15 +0000 Subject: [PATCH 103/603] gnome3.libgda: turn off format hardening --- pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix b/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix index 1fcb411d120..6f10f6ea920 100644 --- a/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix +++ b/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix @@ -17,6 +17,8 @@ in stdenv.mkDerivation rec { "--enable-gi-system-install=no" ]; + hardening_format = false; + enableParallelBuilding = true; buildInputs = [ pkgconfig intltool itstool libxml2 gtk3 openssl ]; From a462683d10cb456dbc232f34e2f6c7aef64f8db4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 14:32:47 +0000 Subject: [PATCH 104/603] aegisub: turn off bindnow/relro hardening --- pkgs/applications/video/aegisub/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/applications/video/aegisub/default.nix b/pkgs/applications/video/aegisub/default.nix index a5c14d0888f..49e2662adb4 100644 --- a/pkgs/applications/video/aegisub/default.nix +++ b/pkgs/applications/video/aegisub/default.nix @@ -43,6 +43,9 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardening_bindnow = false; + hardening_relro = false; + postInstall = "ln -s $out/bin/aegisub-* $out/bin/aegisub"; meta = { From f8963e2ea708140d4c2881c9307563450d472098 Mon Sep 17 00:00:00 2001 
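Review bot: `hardening_bindnow = false;` and `hardening_relro = false;` in aegisub leave the GOT writable at run time (no full RELRO) with no comment on the failure they work around. Needing lazy binding normally means some object has symbols unresolved at link time, which is itself a bug worth fixing; record the actual error, e.g. `# -Wl,-z,now fails: undefined references in <lib>; TODO: add the missing -l flag and re-enable`. If it is a single missing library, adding it to NIX_LDFLAGS would fix the build while keeping both mitigations.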
From: Robin Gloster Date: Tue, 9 Feb 2016 14:41:11 +0000 Subject: [PATCH 105/603] haskell builder: allow disabling fortify hardening --- pkgs/development/haskell-modules/generic-builder.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/haskell-modules/generic-builder.nix b/pkgs/development/haskell-modules/generic-builder.nix index e3847528ad0..fd94d9d67a6 100644 --- a/pkgs/development/haskell-modules/generic-builder.nix +++ b/pkgs/development/haskell-modules/generic-builder.nix @@ -44,6 +44,7 @@ , checkPhase ? "", preCheck ? "", postCheck ? "" , preFixup ? "", postFixup ? "" , shellHook ? "" +, hardening_fortify ? true , coreSetup ? false # Use only core packages to build Setup.hs. , useCpphs ? false } @ args: @@ -314,5 +315,6 @@ stdenv.mkDerivation ({ // optionalAttrs (preFixup != "") { inherit preFixup; } // optionalAttrs (postFixup != "") { inherit postFixup; } // optionalAttrs (dontStrip) { inherit dontStrip; } +// optionalAttrs (!hardening_fortify) { inherit hardening_fortify; } // optionalAttrs (stdenv.isLinux) { LOCALE_ARCHIVE = "${glibcLocales}/lib/locale/locale-archive"; } ) From 20d568aed5dfc09c5942aa5da638ef7a436b9e74 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 14:41:48 +0000 Subject: [PATCH 106/603] haskellPackages.glib: turn off fortify hardening --- pkgs/development/haskell-modules/configuration-common.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 18a944b78f8..4ffaf84f0a4 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix 
@@ -246,7 +246,9 @@ self: super: { gio_0_13_0_3 = addPkgconfigDepend super.gio_0_13_0_3 pkgs.glib; gio_0_13_0_4 = addPkgconfigDepend super.gio_0_13_0_4 pkgs.glib; gio_0_13_1_0 = addPkgconfigDepend super.gio_0_13_1_0 pkgs.glib; - glib = addPkgconfigDepend super.glib pkgs.glib; + glib = addPkgconfigDepend (overrideCabal super.glib (drv: { + hardening_fortify = false; + })) pkgs.glib; gtk3 = super.gtk3.override { inherit (pkgs) gtk3; }; gtk = addPkgconfigDepend super.gtk pkgs.gtk; gtksourceview2 = (addPkgconfigDepend super.gtksourceview2 pkgs.gtk2).override { inherit (pkgs.gnome2) gtksourceview; }; From 9620a43228323f2324d045ea4a8b7bdb2d516c84 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 22:47:47 +0000 Subject: [PATCH 107/603] linuxPackages.batman_adv: turn off pic hardening --- pkgs/os-specific/linux/batman-adv/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/batman-adv/default.nix b/pkgs/os-specific/linux/batman-adv/default.nix index b8bef1b5a9a..41c4f48ddb8 100644 --- a/pkgs/os-specific/linux/batman-adv/default.nix +++ b/pkgs/os-specific/linux/batman-adv/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { sha256 = "0r5faf12ifpj8h1fklkzvy4ck359cadk8xh1l3n7vimh67hxbxbz"; }; + hardening_pic = false; + preBuild = '' makeFlags="KERNELPATH=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" sed -i -e "s,INSTALL_MOD_DIR=,INSTALL_MOD_PATH=$out INSTALL_MOD_DIR=," \ From 9f8dc7d0fe1709da23823420e352e1365e59fdef Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 22:58:58 +0000 Subject: [PATCH 108/603] realpine: turn off format hardening --- .../mailreaders/realpine/default.nix | 31 ++++++++++--------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/pkgs/applications/networking/mailreaders/realpine/default.nix b/pkgs/applications/networking/mailreaders/realpine/default.nix index c1835992158..1ee42531465 100644 --- a/pkgs/applications/networking/mailreaders/realpine/default.nix 
+++ b/pkgs/applications/networking/mailreaders/realpine/default.nix @@ -2,34 +2,35 @@ , openldap }: let - s = - rec { - version = "2.03"; + baseName = "re-alpine"; + version = "2.03"; +in +stdenv.mkDerivation { + name = "${baseName}-${version}"; + inherit version; + + src = fetchurl { url = "mirror://sourceforge/re-alpine/re-alpine-${version}.tar.bz2"; sha256 = "11xspzbk9cwmklmcw6rxsan7j71ysd4m9c7qldlc59ck595k5nbh"; - baseName = "re-alpine"; - name = "${baseName}-${version}"; }; + buildInputs = [ ncurses tcl openssl pam kerberos openldap ]; -in -stdenv.mkDerivation { - inherit (s) name version; - inherit buildInputs; - src = fetchurl { - inherit (s) url sha256; - }; + + hardening_format = false; + configureFlags = [ "--with-ssl-include-dir=${openssl}/include/openssl" "--with-tcl-lib=${tcl.libPrefix}" - ]; + ]; + preConfigure = '' export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s" ''; + meta = { - inherit (s) version; - description = ''Console mail reader''; + description = "Console mail reader"; license = stdenv.lib.licenses.asl20; maintainers = [stdenv.lib.maintainers.raskin]; platforms = stdenv.lib.platforms.linux; From e37e38903d4169405948944062a0981c567ade1f Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 23:06:16 +0000 Subject: [PATCH 109/603] maxlib: turn off format hardening --- pkgs/applications/audio/pd-plugins/maxlib/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/pd-plugins/maxlib/default.nix b/pkgs/applications/audio/pd-plugins/maxlib/default.nix index dc4d0375961..9968b5fe0ed 100644 --- a/pkgs/applications/audio/pd-plugins/maxlib/default.nix +++ b/pkgs/applications/audio/pd-plugins/maxlib/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ puredata ]; + hardening_format = false; + patchPhase = '' for i in ${puredata}/include/pd/*; do ln -s $i . From 332c84196c3d8814fbd244b42d8dabc68917f1e4 Mon Sep 17 00:00:00 2001 
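Review bot: Same concern as for alpine: `hardening_format = false;` disables format-string checking for a mail client that parses untrusted network input, and the derivation records no reason. Add a comment beside the flag naming the failure, e.g. `# -Werror=format-security: non-literal format strings in c-client; TODO: patch`, so the exemption can be revisited. If the failures are the usual `printf(buf)` pattern, a patch rewriting them as `printf("%s", buf)` would keep the mitigation enabled.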
From: Robin Gloster Date: Tue, 9 Feb 2016 23:17:13 +0000 Subject: [PATCH 110/603] linuxPackages.perf: set -Wno-error=bool-compare --- pkgs/os-specific/linux/kernel/perf.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/kernel/perf.nix b/pkgs/os-specific/linux/kernel/perf.nix index 1e5c64ccb8a..ad80d2ed93c 100644 --- a/pkgs/os-specific/linux/kernel/perf.nix +++ b/pkgs/os-specific/linux/kernel/perf.nix @@ -28,7 +28,7 @@ stdenv.mkDerivation { # Note: we don't add elfutils to buildInputs, since it provides a # bad `ld' and other stuff. - NIX_CFLAGS_COMPILE = "-I${elfutils}/include -Wno-error=cpp"; + NIX_CFLAGS_COMPILE = "-I${elfutils}/include -Wno-error=cpp -Wno-error=bool-compare"; NIX_CFLAGS_LINK = "-L${elfutils}/lib"; installFlags = "install install-man ASCIIDOC8=1"; From f0e6c6ec0ea23d1d72743e45c59d3618237efd99 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 23:35:35 +0000 Subject: [PATCH 111/603] linuxPackages.zfs: turn off pic hardening --- pkgs/os-specific/linux/zfs/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/zfs/default.nix b/pkgs/os-specific/linux/zfs/default.nix index 42da97a7a7b..0a61bdcea85 100644 --- a/pkgs/os-specific/linux/zfs/default.nix +++ b/pkgs/os-specific/linux/zfs/default.nix @@ -38,6 +38,8 @@ stdenv.mkDerivation rec { # for zdb to get the rpath to libgcc_s, needed for pthread_cancel to work NIX_CFLAGS_LINK = "-lgcc_s"; + hardening_pic = false; + preConfigure = '' substituteInPlace ./module/zfs/zfs_ctldir.c --replace "umount -t zfs" "${utillinux}/bin/umount -t zfs" substituteInPlace ./module/zfs/zfs_ctldir.c --replace "mount -t zfs" "${utillinux}/bin/mount -t zfs" From da9808fe5cd55c827cbf8019ab4896d1cb8f953e Mon Sep 17 00:00:00 2001 
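Review bot: Adding `-Wno-error=bool-compare` to NIX_CFLAGS_COMPILE silences a GCC 5 diagnostic that flags comparisons which are always true or always false, and such a comparison in perf may be a real logic bug rather than noise. If it is a known false positive, say so next to the flag, e.g. `# GCC 5: -Wbool-compare false positive in <file>`; otherwise carry the upstream fix as a patch. Note the flag applies to the whole perf build, not only the offending translation unit.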
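Review bot: `hardening_pic = false;` is understandable for the kernel module, which the kernel build system compiles non-PIC, but the comment above the flag mentions zdb, so this derivation appears to build userspace tools too, and the exemption then also removes PIC/PIE from zdb/zfs/zpool. Add `# kernel modules are not built PIC; required for the module build` so the intent is clear, and if userspace really is built here, scope the exemption to the module build (a separate derivation, or the module-only configure option if this version offers one) so the userspace binaries keep PIE.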
From: Robin Gloster Date: Tue, 9 Feb 2016 23:37:07 +0000 Subject: [PATCH 112/603] Revert "Switch to GCC 5" This reverts commit 729870467a97382e2252defe4ae3b04765b9451b. --- pkgs/stdenv/linux/default.nix | 9 +++++++-- pkgs/top-level/all-packages.nix | 4 ++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/pkgs/stdenv/linux/default.nix b/pkgs/stdenv/linux/default.nix index 573e7139aac..12fc3fed5a5 100644 --- a/pkgs/stdenv/linux/default.nix +++ b/pkgs/stdenv/linux/default.nix @@ -210,9 +210,14 @@ rec { gmp = pkgs.gmp.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; mpfr = pkgs.mpfr.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; libmpc = pkgs.libmpc.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; - isl = pkgs.isl.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; + isl_0_11 = pkgs.isl_0_11.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; + cloog_0_18_0 = pkgs.cloog_0_18_0.override { + stdenv = pkgs.makeStaticLibraries pkgs.stdenv; + isl = isl_0_11; + }; gccPlain = pkgs.gcc.cc.override { - isl = isl; + isl = isl_0_11; + cloog = cloog_0_18_0; }; }; extraBuildInputs = [ stage2.pkgs.patchelf stage2.pkgs.paxctl ]; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index b2eb7191aeb..6eeefe62b9a 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -3944,7 +3944,7 @@ let gambit = callPackage ../development/compilers/gambit { }; - gcc = gcc5; + gcc = gcc49; gcc_multi = if system == "x86_64-linux" then lowPrio ( @@ -4092,7 +4092,7 @@ let cross = null; libcCross = if crossSystem != null then libcCross else null; - isl = isl_0_15; + isl = isl_0_14; })); gfortran = if !stdenv.isDarwin then gfortran49 From 0609154a1979a3a256be4762ee473b5a2badcbc6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Tue, 9 Feb 2016 18:19:56 +0100 Subject: [PATCH 113/603] wrapFirefox: add enableAdobeReader So far we only have 32-bit package. It will be silently missed on 64-bit ATM. --- pkgs/applications/misc/adobe-reader/default.nix | 2 ++ pkgs/applications/networking/browsers/firefox/wrapper.nix | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/misc/adobe-reader/default.nix b/pkgs/applications/misc/adobe-reader/default.nix index 6bb16a02402..d31e9234e09 100644 --- a/pkgs/applications/misc/adobe-reader/default.nix +++ b/pkgs/applications/misc/adobe-reader/default.nix @@ -22,6 +22,8 @@ stdenv.mkDerivation { libPath = stdenv.lib.makeLibraryPath [ stdenv.cc.cc libX11 zlib libxml2 cups pango atk gtk glib gdk_pixbuf ]; + passthru.mozillaPlugin = "/libexec/adobe-reader/Browser/intellinux"; + meta = { description = "Adobe Reader, a viewer for PDF documents"; homepage = http://www.adobe.com/products/reader; diff --git a/pkgs/applications/networking/browsers/firefox/wrapper.nix b/pkgs/applications/networking/browsers/firefox/wrapper.nix index 8c805b0bf5f..91486b608b2 100644 --- a/pkgs/applications/networking/browsers/firefox/wrapper.nix +++ b/pkgs/applications/networking/browsers/firefox/wrapper.nix @@ -4,7 +4,7 @@ , gnash, flashplayer, hal-flash , MPlayerPlugin, gecko_mediaplayer, gst_all, xorg, libpulseaudio, libcanberra , supportsJDK, jrePlugin, icedtea_web -, trezor-bridge, bluejeans, djview4 +, trezor-bridge, bluejeans, djview4, adobe-reader , google_talk_plugin, fribid, gnome3/*.gnome_shell*/ }: @@ -41,6 +41,7 @@ let ++ lib.optional (cfg.enableGnomeExtensions or false) gnome3.gnome_shell ++ lib.optional (cfg.enableTrezor or false) trezor-bridge ++ lib.optional (cfg.enableBluejeans or false) bluejeans + ++ lib.optional (cfg.enableAdobeReader or false) adobe-reader ); libs = [ gst_all.gstreamer gst_all.gst-plugins-base ] ++ lib.optionals (cfg.enableQuakeLive or false) 
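Review bot: `enableAdobeReader` wires a proprietary 32-bit NPAPI plugin into Firefox, and the commit message notes it is silently skipped on 64-bit, yet neither the wrapper nor the `passthru.mozillaPlugin` addition records either fact for users. To my knowledge Adobe's Linux Reader has not received security updates for years, so a browser plugin rendering untrusted PDFs through it is a large attack surface; at minimum document this where the option is described and make the unavailable-platform case visible, e.g. a `builtins.trace` warning instead of a silent no-op when `cfg.enableAdobeReader` is set but the package is not usable. The `mozillaPlugin` path is a fixed `Browser/intellinux` location, which is consistent with the 32-bit-only claim.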
From 1ce5c9e78dd036a2291c8625a9a8179a0e8e5b4b Mon Sep 17 00:00:00 2001 From: zimbatm Date: Tue, 9 Feb 2016 14:26:11 +0000 Subject: [PATCH 114/603] atom: 1.4.0 -> 1.4.3 --- pkgs/applications/editors/atom/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/editors/atom/default.nix b/pkgs/applications/editors/atom/default.nix index 7120b8f43ee..87a36a36f90 100644 --- a/pkgs/applications/editors/atom/default.nix +++ b/pkgs/applications/editors/atom/default.nix @@ -16,11 +16,11 @@ let }; in stdenv.mkDerivation rec { name = "atom-${version}"; - version = "1.4.0"; + version = "1.4.3"; src = fetchurl { url = "https://github.com/atom/atom/releases/download/v${version}/atom-amd64.deb"; - sha256 = "0dipww58p0sm99jn1ariisha9wsnhl7rnd8achpxqkf4b3vwi5iz"; + sha256 = "15ix5ww3ny5ylgmmxpkc32li6af2vc4a2p6aymx9c472fra0c41x"; name = "${name}.deb"; }; From d98f0ea720decce5c0262adbcbca39e7dbc90e8d Mon Sep 17 00:00:00 2001 From: Pascal Wittmann Date: Tue, 9 Feb 2016 21:49:45 +0100 Subject: [PATCH 115/603] progress: 0.12.1 -> 0.13 --- pkgs/tools/misc/progress/default.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/misc/progress/default.nix b/pkgs/tools/misc/progress/default.nix index 3d0d03f6c4a..ab72dc69fa4 100644 --- a/pkgs/tools/misc/progress/default.nix +++ b/pkgs/tools/misc/progress/default.nix @@ -1,16 +1,17 @@ -{ stdenv, fetchFromGitHub, ncurses }: +{ stdenv, fetchFromGitHub, pkgconfig, ncurses }: stdenv.mkDerivation rec { name = "progress-${version}"; - version = "0.12.1"; + version = "0.13"; src = fetchFromGitHub { owner = "Xfennec"; repo = "progress"; rev = "v${version}"; - sha256 = "0lwj0zdcdsl1wczk3yq7wfpyw3zi87h8x2z8yjp0wgnr45bbqibl"; + sha256 = "0xzpcvz4n0h8m0mhxgpvn1qg8993naip3asjbk3nmk3d4lbyh0b3"; }; + nativeBuildInputs = [ pkgconfig ]; buildInputs = [ ncurses ]; makeFlags = [ "PREFIX=$(out)" ]; From c8ca34e2693ff77f761fc540789f1d1f328a0e7e Mon Sep 17 00:00:00 2001 
From: Nikolay Amiantov Date: Mon, 8 Feb 2016 20:47:55 +0300 Subject: [PATCH 116/603] init-script-builder: handle containers without a kernel --- .../boot/loader/init-script/init-script-builder.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/nixos/modules/system/boot/loader/init-script/init-script-builder.sh b/nixos/modules/system/boot/loader/init-script/init-script-builder.sh index 502b3b63af2..08d4ab14c9c 100644 --- a/nixos/modules/system/boot/loader/init-script/init-script-builder.sh +++ b/nixos/modules/system/boot/loader/init-script/init-script-builder.sh @@ -80,8 +80,13 @@ for generation in $( | sort -n -r); do link=/nix/var/nix/profiles/system-$generation-link date=$(stat --printf="%y\n" $link | sed 's/\..*//') - kernelVersion=$(cd $(dirname $(readlink -f $link/kernel))/lib/modules && echo *) - addEntry "NixOS - Configuration $generation ($date - $kernelVersion)" $link "$generation ($date)" + if [ -d $link/kernel ]; then + kernelVersion=$(cd $(dirname $(readlink -f $link/kernel))/lib/modules && echo *) + suffix="($date - $kernelVersion)" + else + suffix="($date)" + fi + addEntry "NixOS - Configuration $generation $suffix" $link "$generation ($date)" done mv $tmpOther $targetOther From b12646cb791f08e181b543809dffc1bcc18ec0f3 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Tue, 9 Feb 2016 12:57:42 +0300 Subject: [PATCH 117/603] postsrsd: fix secret generation --- nixos/modules/services/mail/postsrsd.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/nixos/modules/services/mail/postsrsd.nix b/nixos/modules/services/mail/postsrsd.nix index 36a0f8218d8..68a4c101206 100644 --- a/nixos/modules/services/mail/postsrsd.nix +++ b/nixos/modules/services/mail/postsrsd.nix 
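Review bot: `if [ -d $link/kernel ]` tests for a directory, but the very next line treats `$link/kernel` as a file whose parent holds `lib/modules` (`dirname $(readlink -f ...)`), so on a system where `kernel` points at a kernel image the test is false and the version suffix is silently dropped for every generation. `-e` (or `-L`) looks like the intended check: `if [ -e $link/kernel ]; then`. `$link` is built from a profile generation number, so the unquoted expansions are harmless, but quoting them costs nothing. The enclosing `for generation` loop starts outside the hunk.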
@@ -95,7 +95,11 @@ in { preStart = '' if [ ! -e "${cfg.secretsFile}" ]; then echo "WARNING: secrets file not found, autogenerating!" - mkdir -p -m750 "$(dirname "${cfg.secretsFile}")" + DIR="$(dirname "${cfg.secretsFile}")" + if [ ! -d "$DIR" ]; then + mkdir -p -m750 "$DIR" + chown "${cfg.user}:${cfg.group}" "$DIR" + fi dd if=/dev/random bs=18 count=1 | base64 > "${cfg.secretsFile}" chmod 600 "${cfg.secretsFile}" fi From 92faa327b8899a1c18391e7de1efb7c8af9b8bbd Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Tue, 9 Feb 2016 23:37:02 +0300 Subject: [PATCH 118/603] acme service: update plugins enum --- nixos/modules/security/acme.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index 15e5b49878f..3d25e811e67 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -56,8 +56,8 @@ let plugins = mkOption { type = types.listOf (types.enum [ - "cert.der" "cert.pem" "chain.der" "chain.pem" "external_pem.sh" - "fullchain.der" "fullchain.pem" "key.der" "key.pem" "account_key.json" + "cert.der" "cert.pem" "chain.pem" "external_pem.sh" + "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json" ]); default = [ "fullchain.pem" "key.pem" "account_key.json" ]; description = '' From ef92a19fd3015397c839e8b3c5afb1bb37aed51c Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Wed, 10 Feb 2016 00:56:24 +0300 Subject: [PATCH 119/603] dovecot service: add sendmail_path --- nixos/modules/services/mail/dovecot.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index 11e8b26c75e..333a03315bc 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix @@ -13,6 +13,7 @@ let '' base_dir = ${baseDir} protocols = ${concatStringsSep " " cfg.protocols} + sendmail_path = /var/setuid-wrappers/sendmail '' (if isNull cfg.sslServerCert then '' 
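Review bot: The secret is still written with `dd ... | base64 > file` before `chmod 600`, so under the default umask the file is world-readable between creation and the chmod, and without `pipefail` a failing `dd` still leaves a truncated or empty secret behind. On Linux, `dd bs=18 count=1` reading /dev/random can also return fewer than 18 bytes. Create the file closed from the start and read a guaranteed 18 bytes: `( umask 077; head -c 18 /dev/random | base64 > "${cfg.secretsFile}" )`. Separately, the new `chown` covers only the directory; the file itself is created root-owned with mode 600, so if the service runs as `${cfg.user}` (which the chown suggests) it cannot read its own secret unless a chown of the file follows outside this hunk.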
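Review bot: `sendmail_path = /var/setuid-wrappers/sendmail` hard-codes the setuid-wrapper directory and assumes a `sendmail` wrapper exists, which only holds when another module (postfix, for example) installs one; on a host without an MTA, dovecot features that deliver mail through this path would fail at the missing binary. Take the directory from the module system's wrapper-directory option if this tree exposes one, and make the setting overridable rather than fixed, e.g. `sendmail_path = ${cfg.sendmailPath}` with this value as the default. The surrounding config string starts and ends outside the hunk.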
From c7855bc09917f5dac3e301f02b47f9aa2c1eb2b8 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Wed, 10 Feb 2016 00:05:46 +0100 Subject: [PATCH 120/603] mcelog: 129 -> 130 Fixes https://github.com/andikleen/mcelog/issues/31. --- pkgs/os-specific/linux/mcelog/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/mcelog/default.nix b/pkgs/os-specific/linux/mcelog/default.nix index 113d59d641d..9abd6397e85 100644 --- a/pkgs/os-specific/linux/mcelog/default.nix +++ b/pkgs/os-specific/linux/mcelog/default.nix @@ -2,10 +2,10 @@ stdenv.mkDerivation rec { name = "mcelog-${version}"; - version = "129"; + version = "130"; src = fetchFromGitHub { - sha256 = "143xh5zvgax88yhg6mg6img64nrda85yybf76fgsk7a8gc57ghyk"; + sha256 = "05yszlhd6kljx371nlgrzjs0fi44wwgxcv2j5rwwgklm6ifp2zza"; rev = "v${version}"; repo = "mcelog"; owner = "andikleen"; From 1b1ae14512302633499b187ee2e67536b79c00fd Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Wed, 10 Feb 2016 02:58:55 +0300 Subject: [PATCH 121/603] postfix module: fix link to postfix-files --- nixos/modules/services/mail/postfix.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index f2d8189de6e..56c89aca8b2 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -461,7 +461,7 @@ in rm -rf /var/lib/postfix/conf mkdir -p /var/lib/postfix/conf chmod 0755 /var/lib/postfix/conf - ln -sf ${pkgs.postfix}/etc/postfix/postfix-files + ln -sf ${pkgs.postfix}/etc/postfix/postfix-files /var/lib/postfix/conf/postfix-files ln -sf ${mainCfFile} /var/lib/postfix/conf/main.cf ln -sf ${masterCfFile} /var/lib/postfix/conf/master.cf From ff58b07fc8fb3e57be57f891f4d57d8c1d346fa8 Mon Sep 17 00:00:00 2001 
From: Eric Sagnes Date: Sun, 7 Feb 2016 18:51:28 +0900 Subject: [PATCH 122/603] cmst: 2014.12.05 -> 2016.01.28 --- pkgs/tools/networking/cmst/default.nix | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/pkgs/tools/networking/cmst/default.nix b/pkgs/tools/networking/cmst/default.nix index 1b5767653fe..24010e20f37 100644 --- a/pkgs/tools/networking/cmst/default.nix +++ b/pkgs/tools/networking/cmst/default.nix @@ -1,12 +1,13 @@ -{ stdenv, fetchgit, qtbase, makeWrapper, libX11 }: +{ stdenv, fetchFromGitHub, qtbase, makeWrapper, libX11 }: stdenv.mkDerivation rec { - name = "cmst-2014.12.05"; - rev = "refs/tags/${name}"; - src = fetchgit { - url = "git://github.com/andrew-bibb/cmst.git"; - inherit rev; - sha256 = "070rxv3kyn41ra7nnk1wbqvy6fjg38h7hrdv4dn71b201kmzd194"; + name = "cmst-2016.01.28"; + + src = fetchFromGitHub { + sha256 = "1zf4jnrnbi05mrq1fnsji5zx60h1knrkr64pwcz2c7q8p59k4646"; + rev = name; + repo = "cmst"; + owner = "andrew-bibb"; }; buildInputs = [ qtbase makeWrapper ]; @@ -27,7 +28,6 @@ stdenv.mkDerivation rec { substituteInPlace ./apps/rootapp/rootapp.pro \ --replace "/etc" "$out/etc" \ --replace "/usr/share" "$out/share" - ''; buildPhase = '' From 85c0d55d1de81f39b6a4bf4b264d3f3b4bc1938f Mon Sep 17 00:00:00 2001 From: Profpatsch Date: Tue, 9 Feb 2016 21:43:50 +0100 Subject: [PATCH 123/603] beets: 1.3.16 -> 1.3.17 one test fails, see the source comment --- pkgs/tools/audio/beets/default.nix | 34 +++++++++++++++++------------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/pkgs/tools/audio/beets/default.nix b/pkgs/tools/audio/beets/default.nix index c1945ca5de0..6a3345e1d3c 100644 --- a/pkgs/tools/audio/beets/default.nix +++ b/pkgs/tools/audio/beets/default.nix 
@@ -1,17 +1,18 @@ { stdenv, fetchFromGitHub, writeScript, glibcLocales , buildPythonPackage, pythonPackages, python, imagemagick -, enableAcoustid ? true -, enableBadfiles ? true, flac ? null, mp3val ? null -, enableDiscogs ? true -, enableEchonest ? true -, enableEmbyupdate ? true -, enableFetchart ? true -, enableLastfm ? true -, enableMpd ? true -, enableReplaygain ? true, bs1770gain ? null -, enableThumbnails ? true -, enableWeb ? true +, enableAcousticbrainz ? true +, enableAcoustid ? true +, enableBadfiles ? true, flac ? null, mp3val ? null +, enableDiscogs ? true +, enableEchonest ? true +, enableEmbyupdate ? true +, enableFetchart ? true +, enableLastfm ? true +, enableMpd ? true +, enableReplaygain ? true, bs1770gain ? null +, enableThumbnails ? true +, enableWeb ? true # External plugins , enableAlternatives ? false @@ -34,6 +35,7 @@ with stdenv.lib; let optionalPlugins = { + acousticbrainz = enableAcousticbrainz; badfiles = enableBadfiles; chroma = enableAcoustid; discogs = enableDiscogs; @@ -68,14 +70,14 @@ let in buildPythonPackage rec { name = "beets-${version}"; - version = "1.3.16"; + version = "1.3.17"; namePrefix = ""; src = fetchFromGitHub { owner = "sampsyo"; repo = "beets"; rev = "v${version}"; - sha256 = "1grjcgr419yq756wwxjpzyfjdf8n51bg6i0agm465lb7l3jgqy6k"; + sha256 = "1fskxx5xxjqf4xmfjrinh7idjiq6qncb24hiyccv09l47fr1yipc"; }; propagatedBuildInputs = [ @@ -91,7 +93,9 @@ in buildPythonPackage rec { python.modules.readline ] ++ optional enableAcoustid pythonPackages.pyacoustid ++ optional (enableFetchart - || enableEmbyupdate) pythonPackages.requests2 + || enableEmbyupdate + || enableAcousticbrainz) + pythonPackages.requests2 ++ optional enableDiscogs pythonPackages.discogs_client ++ optional enableEchonest pythonPackages.pyechonest ++ optional enableLastfm pythonPackages.pylast 
@@ -135,7 +139,7 @@ in buildPythonPackage rec { test/test_replaygain.py ''; - doCheck = true; + doCheck = false; # TODO, see https://github.com/beetbox/beets/issues/1876#issuecomment-182010438 preCheck = '' (${concatMapStrings (s: "echo \"${s}\";") allPlugins}) \ From 2d25ab3a03ea8a8100eef6a148a894799f33d69b Mon Sep 17 00:00:00 2001 From: aszlig Date: Wed, 10 Feb 2016 02:41:15 +0100 Subject: [PATCH 124/603] beets: Re-enable tests The reason why the completion tests didn't pass was because we had it already disabled in 2acc258dff1a37974edd6475851e218bb09e281a. Meanwhile, beetbox/beets@a07cb83 has moved the file from test/test_completion.sh to test/rsrc/test_completion.sh. So this has silently re-enabled the completion tests, which we need to investigate on our side why they failed in the first place. Signed-off-by: aszlig --- pkgs/tools/audio/beets/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/audio/beets/default.nix b/pkgs/tools/audio/beets/default.nix index 6a3345e1d3c..91407331d7c 100644 --- a/pkgs/tools/audio/beets/default.nix +++ b/pkgs/tools/audio/beets/default.nix @@ -121,7 +121,7 @@ in buildPythonPackage rec { postPatch = '' sed -i -e '/assertIn.*item.*path/d' test/test_info.py - echo echo completion tests passed > test/test_completion.sh + echo echo completion tests passed > test/rsrc/test_completion.sh sed -i -e '/^BASH_COMPLETION_PATHS *=/,/^])$/ { /^])$/i u"${completion}" @@ -139,7 +139,7 @@ in buildPythonPackage rec { test/test_replaygain.py ''; - doCheck = false; # TODO, see https://github.com/beetbox/beets/issues/1876#issuecomment-182010438 + doCheck = true; preCheck = '' (${concatMapStrings (s: "echo \"${s}\";") allPlugins}) \ From 280033235e10f08e4479d0960116b2fcd637a384 Mon Sep 17 00:00:00 2001 
From: "tg(x)" <*@tg-x.net> Date: Mon, 26 Oct 2015 19:47:23 +0100 Subject: [PATCH 125/603] grsecurity: use source URL from a scraped repository as grsecurity.net only has the latest version --- pkgs/os-specific/linux/kernel/patches.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index 7e95f1dedb1..3f7afd90322 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -22,7 +22,7 @@ let { name = "grsecurity-${grversion}-${kversion}"; inherit grversion kversion revision; patch = fetchurl { - url = "http://grsecurity.net/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch"; + url = "https://github.com/slashbeast/grsecurity-scrape/blob/master/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true"; inherit sha256; }; features.grsecurity = true; From 874db98e895de23ae8623ee0a51cfabd12a79700 Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Tue, 9 Feb 2016 20:35:17 +0100 Subject: [PATCH 126/603] pythonPackages.pandas: fix tests --- pkgs/top-level/python-packages.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index b9343e54a2e..8c28c97fd33 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -14229,7 +14229,8 @@ in modules // { checkPhase = let testsToSkip = ["test_data" "test_excel" "test_html" "test_json" "test_frequencies" "test_frame" - "test_read_clipboard_infer_excel"] ++ + "test_read_clipboard_infer_excel" + "test_interp_alt_scipy" "test_nanops" "test_stats"] ++ optional isPy35 "test_sql"; in '' runHook preCheck From 33d03b4c2e41a3dd05419e88d939f54f368f6449 Mon Sep 17 00:00:00 2001 
From: Frederik Rietdijk Date: Wed, 10 Feb 2016 08:31:51 +0100 Subject: [PATCH 127/603] pythonPackages.blaze: add missing dependency --- pkgs/top-level/python-packages.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index 8c28c97fd33..76d7004a7da 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -2051,6 +2051,7 @@ in modules // { cytoolz datashape flask + flask-cors h5py multipledispatch numba From b6c86d642f138a3b9b7a0e6bd8042da524cfb14f Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Wed, 10 Feb 2016 08:32:04 +0100 Subject: [PATCH 128/603] pythonPackages.flask-cors: init at 2.1.2 --- pkgs/top-level/python-packages.nix | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index 76d7004a7da..e3096cff69e 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -8606,6 +8606,25 @@ in modules // { }; }; + flask-cors = buildPythonPackage rec { + name = "Flask-Cors-${version}"; + version = "2.1.2"; + + src = pkgs.fetchurl { + url = "https://pypi.python.org/packages/source/F/Flask-Cors/${name}.tar.gz"; + sha256 = "0fd618a4f88ykqx4x55viz47cm9rl214q1b45a0b4mz5vhxffqpj"; + }; + + buildInputs = with self; [ nose ]; + propagatedBuildInputs = with self; [ flask six ]; + + meta = { + description = "A Flask extension adding a decorator for CORS support"; + homepage = https://github.com/corydolphin/flask-cors; + license = with licenses; [ mit ]; + }; + }; + flask-pymongo = buildPythonPackage rec { name = "Flask-PyMongo-${version}"; version = "0.3.1"; From 2d9d8ae5fb3ffb9abfee60ade4399cff9df46695 Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Wed, 10 Feb 2016 08:32:18 +0100 Subject: [PATCH 129/603] pythonPackages.scikitlearn: fix tests --- pkgs/top-level/python-packages.nix | 7 +++++++ 1 file changed, 7 insertions(+) 
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index e3096cff69e..1edeb9d84d3 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -18549,6 +18549,13 @@ in modules // { LC_ALL="en_US.UTF-8"; + # Exclude "test_image.py" because the Lena function/image was removed from SciPy since 0.17 + # Should be fixed in next release. + # Using the -I switch broke nosetests...? + patchPhase = '' + rm sklearn/feature_extraction/tests/test_image.py + ''; + checkPhase = '' HOME=$TMPDIR OMP_NUM_THREADS=1 nosetests $out/${python.sitePackages}/sklearn/ ''; From 8da01f220fb43c6cb56ca42979c96f0e7d21e323 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Mon, 8 Feb 2016 20:47:36 +0300 Subject: [PATCH 130/603] nixos-install: don't check that /mnt is a mount point --- nixos/modules/installer/tools/nixos-install.sh | 5 ----- 1 file changed, 5 deletions(-) diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index 4e10615f902..c23d7e5b509 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -73,11 +73,6 @@ if ! test -e "$mountPoint"; then exit 1 fi -if ! grep -F -q " $mountPoint " /proc/mounts; then - echo "$mountPoint doesn't appear to be a mount point" - exit 1 -fi - # Mount some stuff in the target root directory. mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home From a006778e5fec989b57376ec938711ba6c94bb647 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Tue, 9 Feb 2016 03:00:53 +0300 Subject: [PATCH 131/603] kbd module: don't setup vconsoles if we are in a container --- nixos/modules/tasks/kbd.nix | 45 ++++++++++++++++++++++--------------- 1 file changed, 27 insertions(+), 18 deletions(-) diff --git a/nixos/modules/tasks/kbd.nix b/nixos/modules/tasks/kbd.nix index e1574fa68ad..02721bb3bea 100644 
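Review bot: Defining `patchPhase` replaces the stock phase that applies the derivation's `patches` list, so any patch attached to `scikitlearn` now or later is silently skipped; the file removal belongs in `postPatch = ''` instead, which runs after the default phase and leaves the rest of the hunk as it is. The trailing `# Using the -I switch broke nosetests...?` reads as an open question; restating it as `# nosetests -I did not exclude the file, so it is deleted instead` documents the decision rather than the doubt. The enclosing attribute set continues outside the hunk.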
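Review bot: With the mount-point check gone, a run against an unmounted `$mountPoint` now proceeds, and the `mkdir -m 0755 -p $mountPoint/dev ... $mountPoint/home` line right below creates the installation tree on the host's root filesystem rather than on the target, with the later steps presumably continuing from there. If installing into a plain directory is the intent, a warning keeps the old safety net visible without blocking that use: `if ! grep -F -q " $mountPoint " /proc/mounts; then echo "warning: $mountPoint is not a mount point" >&2; fi`. The script continues outside the hunk.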
--- a/nixos/modules/tasks/kbd.nix +++ b/nixos/modules/tasks/kbd.nix @@ -12,6 +12,8 @@ let FONT=${config.i18n.consoleFont} ${colors} ''; + + setVconsole = !config.boot.isContainer; in { @@ -41,26 +43,33 @@ in ###### implementation - config = { + config = mkMerge [ + (mkIf (!setVconsole) { + systemd.services."systemd-vconsole-setup".enable = false; + }) - environment.systemPackages = [ pkgs.kbd ]; + (mkIf setVconsole { + environment.systemPackages = [ pkgs.kbd ]; - # Let systemd-vconsole-setup.service do the work of setting up the - # virtual consoles. FIXME: trigger a restart of - # systemd-vconsole-setup.service if /etc/vconsole.conf changes. - environment.etc."vconsole.conf".source = vconsoleConf; + # Let systemd-vconsole-setup.service do the work of setting up the + # virtual consoles. FIXME: trigger a restart of + # systemd-vconsole-setup.service if /etc/vconsole.conf changes. + environment.etc = [ { + target = "vconsole.conf"; + source = vconsoleConf; + } ]; - # This is identical to the systemd-vconsole-setup.service unit - # shipped with systemd, except that it uses /dev/tty1 instead of - # /dev/tty0 to prevent putting the X server in non-raw mode, and - # it has a restart trigger. - systemd.services."systemd-vconsole-setup" = - { wantedBy = [ "multi-user.target" ]; - before = [ "display-manager.service" ]; - after = [ "systemd-udev-settle.service" ]; - restartTriggers = [ vconsoleConf ]; - }; - - }; + # This is identical to the systemd-vconsole-setup.service unit + # shipped with systemd, except that it uses /dev/tty1 instead of + # /dev/tty0 to prevent putting the X server in non-raw mode, and + # it has a restart trigger. + systemd.services."systemd-vconsole-setup" = + { wantedBy = [ "multi-user.target" ]; + before = [ "display-manager.service" ]; + after = [ "systemd-udev-settle.service" ]; + restartTriggers = [ vconsoleConf ]; + }; + }) + ]; } From aff38b2040f3a1ad86dd512bd4ec49ee01f1e6c2 Mon Sep 17 00:00:00 2001 
From: Nikolay Amiantov Date: Tue, 9 Feb 2016 03:07:23 +0300 Subject: [PATCH 132/603] postgresql service: don't use su --- .../modules/services/databases/postgresql.nix | 36 ++++++++++--------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index c2045a5859c..957fb4723a5 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -177,7 +177,7 @@ in users.extraGroups.postgres.gid = config.ids.gids.postgres; - environment.systemPackages = [postgresql]; + environment.systemPackages = [ postgresql ]; systemd.services.postgresql = { description = "PostgreSQL Server"; 
@@ -187,35 +187,37 @@ in environment.PGDATA = cfg.dataDir; - path = [ pkgs.su postgresql ]; + path = [ postgresql ]; preStart = + '' + # Create data directory. + if ! test -e ${cfg.dataDir}/PG_VERSION; then + mkdir -m 0700 -p ${cfg.dataDir} + rm -f ${cfg.dataDir}/*.conf + chown -R postgres:postgres ${cfg.dataDir} + fi + ''; # */ + + script = '' # Initialise the database. if ! test -e ${cfg.dataDir}/PG_VERSION; then - mkdir -m 0700 -p ${cfg.dataDir} - rm -f ${cfg.dataDir}/*.conf - if [ "$(id -u)" = 0 ]; then - chown -R postgres ${cfg.dataDir} - su -s ${pkgs.stdenv.shell} postgres -c 'initdb -U root' - else - # For non-root operation. - initdb - fi - # See postStart! - touch "${cfg.dataDir}/.first_startup" + initdb -U root + # See postStart! + touch "${cfg.dataDir}/.first_startup" fi - ln -sfn "${configFile}" "${cfg.dataDir}/postgresql.conf" ${optionalString (cfg.recoveryConfig != null) '' ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \ "${cfg.dataDir}/recovery.conf" ''} - ''; # */ + + exec postgres ${toString flags} + ''; serviceConfig = - { ExecStart = "@${postgresql}/bin/postgres postgres ${toString flags}"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + { ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; User = "postgres"; Group = "postgres"; PermissionsStartOnly = true; From db6f59619dd14b2d35da18a738975c992675396e Mon Sep 17 00:00:00 2001 From: Michael Fellinger Date: Tue, 9 Feb 2016 23:47:41 +0100 Subject: [PATCH 133/603] bundix: 1.0.4 -> 2.0.4 --- .../interpreters/ruby/bundix/default.nix | 54 +++++++++++++------ 1 file changed, 39 insertions(+), 15 deletions(-) diff --git a/pkgs/development/interpreters/ruby/bundix/default.nix b/pkgs/development/interpreters/ruby/bundix/default.nix index b5a49043c60..88679f74753 100644 --- a/pkgs/development/interpreters/ruby/bundix/default.nix +++ b/pkgs/development/interpreters/ruby/bundix/default.nix 
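Review bot: The `ln -sfn "${configFile}" "${cfg.dataDir}/postgresql.conf"` line is deleted from the old `preStart` but not carried into the new `script`, so unless `flags` (defined outside the hunk) passes the config file explicitly, the server now runs on the stock `postgresql.conf` written by `initdb` and the module's generated settings no longer take effect; keep that line after the `fi` in `script`. The recovery-config symlink that followed it did survive the move, which makes the omission look accidental. Separately, the unquoted path in `rm -f ${cfg.dataDir}/*.conf`, now run as root from `preStart`, expands unexpectedly for a `dataDir` containing whitespace or glob characters; `rm -f "${cfg.dataDir}"/*.conf` keeps the glob but protects the path.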
@@ -1,20 +1,44 @@ -{ ruby, fetchgit, buildRubyGem, bundler }: +{ buildRubyGem, lib, bundler, ruby, nix, nix-prefetch-scripts }: -let - thor = buildRubyGem { - gemName = "thor"; - version = "0.19.1"; - type = "gem"; - sha256 = "08p5gx18yrbnwc6xc0mxvsfaxzgy2y9i78xq7ds0qmdm67q39y4z"; - }; +buildRubyGem rec { + inherit ruby; -in buildRubyGem { + name = "${gemName}-${version}"; gemName = "bundix"; - version = "1.0.4"; - gemPath = [ thor bundler ]; - src = fetchgit { - url = "https://github.com/cstrahan/bundix.git"; - rev = "6dcf1f71c61584f5c9b919ee9df7b0c554862076"; - sha256 = "1w17bvc9srcgr4ry81ispcj35g9kxihbyknmqp8rnd4h5090b7b2"; + version = "2.0.4"; + + sha256 = "0i7fdxi6w29yxnblpckczazb79m5x03hja8sfnabndg4yjc868qs"; + + buildInputs = [bundler]; + + postInstall = '' + gem_root=$GEM_HOME/gems/${gemName}-${version} + sed \ + -e 's|NIX_INSTANTIATE =.*|NIX_INSTANTIATE = "${nix}/bin/nix-instantiate"|' \ + -i $gem_root/lib/bundix.rb + sed \ + -e 's|NIX_HASH =.*|NIX_HASH = "${nix}/bin/nix-hash"|' \ + -i $gem_root/lib/bundix.rb + sed \ + -e 's|NIX_PREFETCH_URL =.*|NIX_PREFETCH_URL = "${nix}/bin/nix-prefetch-url"|' \ + -i $gem_root/lib/bundix.rb + sed \ + -e 's|NIX_PREFETCH_GIT =.*|NIX_PREFETCH_GIT = "${nix-prefetch-scripts}/bin/nix-prefetch-git"|' \ + -i $gem_root/lib/bundix.rb + ''; + + meta = { + inherit version; + description = "Creates Nix packages from Gemfiles"; + longDescription = '' + This is a tool that converts Gemfile.lock files to nix expressions. + + The output is then usable by the bundlerEnv derivation to list all the + dependencies of a ruby package. + ''; + homepage = "https://github.com/manveru/bundix"; + license = "MIT"; + maintainers = with lib.maintainers; [ manveru zimbatm ]; + platforms = lib.platforms.all; }; } From 25592873530d7152bed62ccc004e882bcba69705 Mon Sep 17 00:00:00 2001 
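Review bot: `license = "MIT";` in the new `meta` is a bare string where nixpkgs tooling expects a `lib.licenses` entry, and `lib` is now an argument of this file; use `license = lib.licenses.mit;`. The four `sed ... -i $gem_root/lib/bundix.rb` calls in `postInstall` all rewrite the same file and can be one invocation with four `-e` expressions, which also makes it obvious that every substitution targets one file. `inherit version;` inside `meta` duplicates the top-level attribute and can be dropped.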
From: Profpatsch Date: Wed, 10 Feb 2016 02:00:18 +0100 Subject: [PATCH 134/603] alot: 0.3.6 -> 0.3.7, fixes #12914 Version bump. The checks are back again, so far alot has no tests at all. Add urwidtrees dependency. The themes are copied to the derivation and set as default directory. --- pkgs/top-level/python-packages.nix | 47 +++++++++++++++++++++++------- 1 file changed, 37 insertions(+), 10 deletions(-) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index 1edeb9d84d3..fa2abffd552 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -554,28 +554,35 @@ in modules // { alot = buildPythonPackage rec { - rev = "0.3.6"; - name = "alot-0.3.6"; + rev = "0.3.7"; + name = "alot-${rev}"; - src = pkgs.fetchurl { - url = "https://github.com/pazz/alot/tarball/${rev}"; - name = "${name}.tar.bz"; - sha256 = "1rzy70w4isvypa94310xw403vq5him21q8rlx4laa0z530phkrmq"; + src = pkgs.fetchFromGitHub { + owner = "pazz"; + repo = "alot"; + inherit rev; + sha256 = "0sscmmf42gsrjbisi6wm01alzlnq6wqhpwkm8pc557075jfg19il"; }; - # error: invalid command 'test' - doCheck = false; + postPatch = '' + substituteInPlace alot/defaults/alot.rc.spec \ + --replace "themes_dir = string(default=None)" \ + "themes_dir = string(default='$out/share/themes')" + ''; propagatedBuildInputs = [ self.notmuch self.urwid + self.urwidtrees self.twisted - self.magic + self.python_magic self.configobj self.pygpgme ]; postInstall = '' + mkdir -p $out/share + cp -r extra/themes $out/share wrapProgram $out/bin/alot \ --prefix LD_LIBRARY_PATH : ${pkgs.notmuch}/lib:${pkgs.file}/lib:${pkgs.gpgme}/lib ''; @@ -583,7 +590,7 @@ in modules // { meta = { homepage = https://github.com/pazz/alot; description = "Terminal MUA using notmuch mail"; - maintainers = with maintainers; [ garbas ]; + maintainers = with maintainers; [ garbas profpatsch ]; }; }; 
@@ -21060,6 +21067,26 @@ in modules // { }; }); + urwidtrees = buildPythonPackage rec { + name = "urwidtrees-${rev}"; + rev = "1.0"; + + src = pkgs.fetchFromGitHub { + owner = "pazz"; + repo = "urwidtrees"; + inherit rev; + sha256 = "03gpcdi45z2idy1fd9zv8v9naivmpfx65hshm8r984k9wklv1dsa"; + }; + + propagatedBuildInputs = with self; [ urwid ]; + + meta = { + description = "Tree widgets for urwid"; + license = licenses.gpl3; + maintainer = with maintainters; [ profpatsch ]; + }; + }; + pyuv = buildPythonPackage rec { name = "pyuv-0.11.5"; disabled = isPyPy; # see https://github.com/saghul/pyuv/issues/49 From dafe0f3dd33fd304e5efec650fc426a8096f0913 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Wed, 10 Feb 2016 16:53:59 +0300 Subject: [PATCH 135/603] dwarf-fortress-packages.phoebus-theme: 20160118 -> 20160128 --- pkgs/games/dwarf-fortress/themes/phoebus.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pkgs/games/dwarf-fortress/themes/phoebus.nix b/pkgs/games/dwarf-fortress/themes/phoebus.nix index 2183a6245c0..ca459c6ef76 100644 --- a/pkgs/games/dwarf-fortress/themes/phoebus.nix +++ b/pkgs/games/dwarf-fortress/themes/phoebus.nix @@ -1,16 +1,16 @@ { stdenv, fetchFromGitHub }: -# On upgrade check https://github.com/fricy/Phoebus/blob/master/manifest.json +# On upgrade check https://github.com/DFgraphics/Phoebus/blob/master/manifest.json # for compatibility information. stdenv.mkDerivation { - name = "phoebus-theme-20160118"; + name = "phoebus-theme-20160128"; src = fetchFromGitHub { - owner = "fricy"; + owner = "DFgraphics"; repo = "Phoebus"; - rev = "2c5777b0f307b1d752a8a484c6a05b67531c84a9"; - sha256 = "0a5ixm181wz7crr3rpa2mh0drb371j5hvizqninvdnhah2mypz8v"; + rev = "52b19b69c7323f9002ad195ecd68ac02ff0099a2"; + sha256 = "1pw5l5v7l1bvxzjf4fivmagpmghffvz0wlws2ksc7d5vy48ybcmg"; }; installPhase = '' From 3ff05a5bf4c61df96331892adc86b3012a707546 Mon Sep 17 00:00:00 2001 
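Review bot: `maintainer = with maintainters; [ profpatsch ];` in the new `urwidtrees` meta misspells both names: the attribute should be `maintainers` and the scope `maintainers`, so evaluating `meta` would presumably fail on the undefined `maintainters`, and even if it did not, the singular key is not what tooling reads; write `maintainers = with maintainers; [ profpatsch ];`. The `alot` hunk earlier in this commit has the line right. A `homepage` is also missing from this meta while `alot`'s has one; the `src` owner and repo give the obvious value.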
From: Nikolay Amiantov Date: Wed, 10 Feb 2016 16:54:55 +0300 Subject: [PATCH 136/603] dwarf-fortress-packages.cla-theme: init at 20160128 --- pkgs/games/dwarf-fortress/default.nix | 3 +++ pkgs/games/dwarf-fortress/themes/cla.nix | 32 ++++++++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 pkgs/games/dwarf-fortress/themes/cla.nix diff --git a/pkgs/games/dwarf-fortress/default.nix b/pkgs/games/dwarf-fortress/default.nix index d91c110c34c..bc0b97b139b 100644 --- a/pkgs/games/dwarf-fortress/default.nix +++ b/pkgs/games/dwarf-fortress/default.nix @@ -16,6 +16,7 @@ let dwarf-fortress = callPackage ./wrapper { themes = { "phoebus" = phoebus-theme; + "cla" = cla-theme; }; }; @@ -28,6 +29,8 @@ let dwarf-therapist = callPackage ./dwarf-therapist/wrapper.nix { }; phoebus-theme = callPackage ./themes/phoebus.nix { }; + + cla-theme = callPackage ./themes/cla.nix { }; }; in self diff --git a/pkgs/games/dwarf-fortress/themes/cla.nix b/pkgs/games/dwarf-fortress/themes/cla.nix new file mode 100644 index 00000000000..f3c6b7dd279 --- /dev/null +++ b/pkgs/games/dwarf-fortress/themes/cla.nix @@ -0,0 +1,32 @@ +{ stdenv, fetchFromGitHub }: + +# On upgrade check https://github.com/fricy/Phoebus/blob/master/manifest.json +# for compatibility information. + +stdenv.mkDerivation { + name = "cla-theme-20160128"; + + src = fetchFromGitHub { + owner = "DFgraphics"; + repo = "CLA"; + rev = "94088b778ed6f91cbddcd3e33aa1e5efa67f3101"; + sha256 = "0rx1375x9s791k9wzvj7sxcrv4xaggibxymzirayznvavr7zcsv1"; + }; + + installPhase = '' + mkdir $out + cp -r data raw $out + ''; + + passthru.dfVersion = "0.42.05"; + + preferLocalBuild = true; + + meta = with stdenv.lib; { + description = "CLA graphics set for Dwarf Fortress"; + homepage = "http://www.bay12forums.com/smf/index.php?topic=105376.0"; + platforms = platforms.all; + maintainers = with maintainers; [ abbradar ]; + license = licenses.free; + }; +} From e2eca0c24ccba93eea431fb510bbda29540b1b02 Mon Sep 17 00:00:00 2001 
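Review bot: The header comment in the new `cla.nix`, `# On upgrade check https://github.com/fricy/Phoebus/blob/master/manifest.json`, was copied from the Phoebus theme and points at a different theme under the owner the preceding commit just moved away from; it should reference the CLA repository named in `src` (`DFgraphics/CLA`) or be dropped if CLA ships no manifest. That comment is the only pointer for keeping `passthru.dfVersion = "0.42.05"` accurate on upgrades, so a stale one is worse than none. `license = licenses.free;` says only that the set is redistributable; if upstream states a specific license, naming it is more useful.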
From: Eelco Dolstra Date: Wed, 10 Feb 2016 14:59:36 +0100 Subject: [PATCH 137/603] Fix misspelled meta.maintainers attributes --- .../color-theme-solarized/default.nix | 2 +- .../pidgin-plugins/otr/default.nix | 2 +- .../pidgin-opensteamworks/default.nix | 2 +- .../purple-plugin-pack/default.nix | 2 +- .../telegram/cutegram/default.nix | 2 +- .../libqtelegram-aseman-edition/default.nix | 2 +- .../telegram/telegram-qml/default.nix | 2 +- .../window-managers/compton/git.nix | 2 +- pkgs/data/fonts/google-fonts/default.nix | 2 +- pkgs/data/fonts/powerline-fonts/default.nix | 2 +- pkgs/data/misc/media-player-info/default.nix | 2 +- .../libraries/openjpeg/generic.nix | 2 +- .../phonon-backend-gstreamer/qt5/default.nix | 2 +- .../tools/ocaml/ocaml-top/default.nix | 2 +- pkgs/games/gzdoom/default.nix | 2 +- pkgs/games/zandronum/bin.nix | 2 +- pkgs/games/zandronum/default.nix | 2 +- pkgs/games/zdoom/default.nix | 2 +- pkgs/misc/themes/vertex/default.nix | 2 +- pkgs/os-specific/linux/kernel/linux-mptcp.nix | 2 +- pkgs/servers/mail/rmilter/default.nix | 2 +- pkgs/servers/mail/rspamd/default.nix | 2 +- pkgs/tools/misc/cpulimit/default.nix | 2 +- pkgs/tools/misc/trash-cli/default.nix | 2 +- pkgs/tools/networking/nethogs/default.nix | 2 +- pkgs/tools/text/colordiff/default.nix | 2 +- pkgs/top-level/python-packages.nix | 30 +++++++++---------- 27 files changed, 41 insertions(+), 41 deletions(-) diff --git a/pkgs/applications/editors/emacs-modes/color-theme-solarized/default.nix b/pkgs/applications/editors/emacs-modes/color-theme-solarized/default.nix index 9a0f6855567..ef006439a55 100644 --- a/pkgs/applications/editors/emacs-modes/color-theme-solarized/default.nix +++ b/pkgs/applications/editors/emacs-modes/color-theme-solarized/default.nix 
@@ -27,7 +27,7 @@ stdenv.mkDerivation rec { meta = { description = "Precision colors for machines and people"; homepage = http://ethanschoonover.com/solarized; - maintainer = "Samuel Rivas "; + maintainers = "Samuel Rivas "; license = stdenv.lib.licenses.mit; platforms = stdenv.lib.platforms.all; diff --git a/pkgs/applications/networking/instant-messengers/pidgin-plugins/otr/default.nix b/pkgs/applications/networking/instant-messengers/pidgin-plugins/otr/default.nix index 7b80ec85661..c6801105a84 100644 --- a/pkgs/applications/networking/instant-messengers/pidgin-plugins/otr/default.nix +++ b/pkgs/applications/networking/instant-messengers/pidgin-plugins/otr/default.nix @@ -16,6 +16,6 @@ stdenv.mkDerivation rec { description = "Plugin for Pidgin 2.x which implements OTR Messaging"; license = licenses.gpl2; platforms = platforms.linux; - maintainters = with maintainers; [ abbradar ]; + maintainers = with maintainers; [ abbradar ]; }; } diff --git a/pkgs/applications/networking/instant-messengers/pidgin-plugins/pidgin-opensteamworks/default.nix b/pkgs/applications/networking/instant-messengers/pidgin-plugins/pidgin-opensteamworks/default.nix index e03b61b6182..e4c0697605d 100644 --- a/pkgs/applications/networking/instant-messengers/pidgin-plugins/pidgin-opensteamworks/default.nix +++ b/pkgs/applications/networking/instant-messengers/pidgin-plugins/pidgin-opensteamworks/default.nix @@ -26,6 +26,6 @@ stdenv.mkDerivation rec { description = "Plugin for Pidgin 2.x which implements Steam Friends/Steam IM compatibility"; license = licenses.gpl3; platforms = platforms.linux; - maintainters = with maintainers; [ arobyn ]; + maintainers = with maintainers; [ arobyn ]; }; } diff --git a/pkgs/applications/networking/instant-messengers/pidgin-plugins/purple-plugin-pack/default.nix b/pkgs/applications/networking/instant-messengers/pidgin-plugins/purple-plugin-pack/default.nix index 149f62bb981..8022d32a081 100644 
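Review bot: Renaming the attribute fixes the key, but in this hunk the value `maintainers = "Samuel Rivas ";` is still a plain string rather than a list of `maintainers.*` entries, so tools iterating `meta.maintainers` get no maintainer record; the same scalar-value pattern remains in `compton/git.nix` (`maintainers = maintainers.ertes;`), `linux-mptcp.nix`, `rmilter` and `rspamd` later in this commit. Wrapping each in a list, e.g. `maintainers = [ maintainers.ertes ];`, and mapping this one to a `maintainers.*` entry (or dropping it if none exists) would finish the cleanup. The `meta` set continues outside the hunk.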
--- a/pkgs/applications/networking/instant-messengers/pidgin-plugins/purple-plugin-pack/default.nix +++ b/pkgs/applications/networking/instant-messengers/pidgin-plugins/purple-plugin-pack/default.nix @@ -14,6 +14,6 @@ stdenv.mkDerivation rec { description = "Plugin pack for Pidgin 2.x"; license = licenses.gpl2; platforms = platforms.linux; - maintainters = with maintainers; [ bdimcheff ]; + maintainers = with maintainers; [ bdimcheff ]; }; } diff --git a/pkgs/applications/networking/instant-messengers/telegram/cutegram/default.nix b/pkgs/applications/networking/instant-messengers/telegram/cutegram/default.nix index 26a7eb49279..507094f7c05 100644 --- a/pkgs/applications/networking/instant-messengers/telegram/cutegram/default.nix +++ b/pkgs/applications/networking/instant-messengers/telegram/cutegram/default.nix @@ -25,7 +25,7 @@ stdenv.mkDerivation rec { description = "Telegram client forked from sigram"; homepage = "http://aseman.co/en/products/cutegram/"; license = licenses.gpl3; - maintainer = [ maintainers.profpatsch ]; + maintainers = [ maintainers.profpatsch ]; }; } diff --git a/pkgs/applications/networking/instant-messengers/telegram/libqtelegram-aseman-edition/default.nix b/pkgs/applications/networking/instant-messengers/telegram/libqtelegram-aseman-edition/default.nix index 3149ac3279a..8166514bb3a 100644 --- a/pkgs/applications/networking/instant-messengers/telegram/libqtelegram-aseman-edition/default.nix +++ b/pkgs/applications/networking/instant-messengers/telegram/libqtelegram-aseman-edition/default.nix @@ -28,7 +28,7 @@ stdenv.mkDerivation rec { description = "A fork of libqtelegram by Aseman, using qmake"; homepage = src.meta.homepage; license = stdenv.lib.licenses.gpl3; - maintainer = [ maintainers.profpatsch ]; + maintainers = [ maintainers.profpatsch ]; }; } 
diff --git a/pkgs/applications/networking/instant-messengers/telegram/telegram-qml/default.nix b/pkgs/applications/networking/instant-messengers/telegram/telegram-qml/default.nix index b51f8435ce1..6bf550d4766 100644 --- a/pkgs/applications/networking/instant-messengers/telegram/telegram-qml/default.nix +++ b/pkgs/applications/networking/instant-messengers/telegram/telegram-qml/default.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { description = "Telegram API tools for QtQml and Qml"; homepage = src.meta.homepage; license = stdenv.lib.licenses.gpl3; - maintainer = [ maintainers.profpatsch ]; + maintainers = [ maintainers.profpatsch ]; }; } diff --git a/pkgs/applications/window-managers/compton/git.nix b/pkgs/applications/window-managers/compton/git.nix index be2586c9e27..b715b3a4cf3 100644 --- a/pkgs/applications/window-managers/compton/git.nix +++ b/pkgs/applications/window-managers/compton/git.nix @@ -48,7 +48,7 @@ stdenv.mkDerivation { additional features, such as additional effects, and a fork at a well-defined and proper place. ''; - maintainer = maintainers.ertes; + maintainers = maintainers.ertes; platforms = platforms.linux; }; } diff --git a/pkgs/data/fonts/google-fonts/default.nix b/pkgs/data/fonts/google-fonts/default.nix index 9f14f945e35..e4c655877c8 100644 --- a/pkgs/data/fonts/google-fonts/default.nix +++ b/pkgs/data/fonts/google-fonts/default.nix @@ -21,6 +21,6 @@ stdenv.mkDerivation rec { description = "Font files available from Google Font"; license = with licenses; [ asl20 ofl ufl ]; platforms = platforms.all; - maintainer = with maintainers; [ manveru ]; + maintainers = with maintainers; [ manveru ]; }; } diff --git a/pkgs/data/fonts/powerline-fonts/default.nix b/pkgs/data/fonts/powerline-fonts/default.nix index 6d620c09f06..2e576cf6dc8 100644 --- a/pkgs/data/fonts/powerline-fonts/default.nix +++ b/pkgs/data/fonts/powerline-fonts/default.nix 
@@ -38,6 +38,6 @@ stdenv.mkDerivation { ''; license = with licenses; [ asl20 free ofl ]; platforms = platforms.all; - maintainer = with maintainers; [ malyn ]; + maintainers = with maintainers; [ malyn ]; }; } diff --git a/pkgs/data/misc/media-player-info/default.nix b/pkgs/data/misc/media-player-info/default.nix index 9abe5d6ea8e..f31c7c503a2 100644 --- a/pkgs/data/misc/media-player-info/default.nix +++ b/pkgs/data/misc/media-player-info/default.nix @@ -27,6 +27,6 @@ in description = "A repository of data files describing media player capabilities"; homepage = "http://www.freedesktop.org/wiki/Software/media-player-info/"; license = licenses.bsd3; - maintainer = with maintainers; [ ttuegel ]; + maintainers = with maintainers; [ ttuegel ]; }; } diff --git a/pkgs/development/libraries/openjpeg/generic.nix b/pkgs/development/libraries/openjpeg/generic.nix index 717e5a4de2c..1b4b4af7f41 100644 --- a/pkgs/development/libraries/openjpeg/generic.nix +++ b/pkgs/development/libraries/openjpeg/generic.nix @@ -64,7 +64,7 @@ stdenv.mkDerivation rec { description = "Open-source JPEG 2000 codec written in C language"; homepage = http://www.openjpeg.org/; license = licenses.bsd2; - maintainer = with maintainers; [ codyopel ]; + maintainers = with maintainers; [ codyopel ]; platforms = platforms.all; }; } diff --git a/pkgs/development/libraries/phonon-backend-gstreamer/qt5/default.nix b/pkgs/development/libraries/phonon-backend-gstreamer/qt5/default.nix index 9866c0a67ce..98aa7d81b36 100644 --- a/pkgs/development/libraries/phonon-backend-gstreamer/qt5/default.nix +++ b/pkgs/development/libraries/phonon-backend-gstreamer/qt5/default.nix @@ -34,6 +34,6 @@ stdenv.mkDerivation rec { homepage = http://phonon.kde.org/; description = "GStreamer backend for Phonon"; platforms = platforms.linux; - maintainer = with maintainers; [ ttuegel ]; + maintainers = with maintainers; [ ttuegel ]; }; } 
diff --git a/pkgs/development/tools/ocaml/ocaml-top/default.nix b/pkgs/development/tools/ocaml/ocaml-top/default.nix index cf0a16cef68..79c81c5c447 100644 --- a/pkgs/development/tools/ocaml/ocaml-top/default.nix +++ b/pkgs/development/tools/ocaml/ocaml-top/default.nix @@ -26,6 +26,6 @@ stdenv.mkDerivation { license = stdenv.lib.licenses.gpl3; description = "A simple cross-platform OCaml code editor built for top-level evaluation"; platforms = ocamlPackages.ocaml.meta.platforms; - maintainer = with stdenv.lib.maintainers; [ vbgl ]; + maintainers = with stdenv.lib.maintainers; [ vbgl ]; }; } diff --git a/pkgs/games/gzdoom/default.nix b/pkgs/games/gzdoom/default.nix index 66d01905aaf..3f8744d75cb 100644 --- a/pkgs/games/gzdoom/default.nix +++ b/pkgs/games/gzdoom/default.nix @@ -27,7 +27,7 @@ stdenv.mkDerivation { meta = { homepage = https://github.com/coelckers/gzdoom; description = "A Doom source port based on ZDoom. It features an OpenGL renderer and lots of new features"; - maintainer = [ stdenv.lib.maintainers.lassulus ]; + maintainers = [ stdenv.lib.maintainers.lassulus ]; }; } diff --git a/pkgs/games/zandronum/bin.nix b/pkgs/games/zandronum/bin.nix index 92f93d8f778..ae6ab99dad2 100644 --- a/pkgs/games/zandronum/bin.nix +++ b/pkgs/games/zandronum/bin.nix @@ -75,7 +75,7 @@ stdenv.mkDerivation rec { meta = { homepage = http://zandronum.com/; description = "multiplayer oriented port, based off Skulltag, for Doom and Doom II by id Software. Binary version for online play."; - maintainer = [ stdenv.lib.maintainers.lassulus ]; + maintainers = [ stdenv.lib.maintainers.lassulus ]; # Binary version has different version string than source code version. license = stdenv.lib.licenses.unfreeRedistributable; platforms = [ "x86_64-linux" ]; diff --git a/pkgs/games/zandronum/default.nix b/pkgs/games/zandronum/default.nix index ecdf8cfdbd2..479a6abe9a4 100644 --- a/pkgs/games/zandronum/default.nix +++ b/pkgs/games/zandronum/default.nix 
@@ -54,7 +54,7 @@ in stdenv.mkDerivation { meta = with stdenv.lib; { homepage = http://zandronum.com/; description = "Multiplayer oriented port, based off Skulltag, for Doom and Doom II by id Software."; - maintainer = with maintainers; [ lassulus ]; + maintainers = with maintainers; [ lassulus ]; platforms = platforms.linux; license = licenses.bsdOriginal; }; diff --git a/pkgs/games/zdoom/default.nix b/pkgs/games/zdoom/default.nix index 0bc63855299..8feb78ad969 100644 --- a/pkgs/games/zdoom/default.nix +++ b/pkgs/games/zdoom/default.nix @@ -33,7 +33,7 @@ stdenv.mkDerivation { meta = { homepage = http://zdoom.org/; description = "Enhanced port of the official DOOM source code"; - maintainer = [ stdenv.lib.maintainers.lassulus ]; + maintainers = [ stdenv.lib.maintainers.lassulus ]; }; } diff --git a/pkgs/misc/themes/vertex/default.nix b/pkgs/misc/themes/vertex/default.nix index 60269c8dfbf..ea79426d47e 100644 --- a/pkgs/misc/themes/vertex/default.nix +++ b/pkgs/misc/themes/vertex/default.nix @@ -27,7 +27,7 @@ stdenv.mkDerivation rec { inherit (src.meta) homepage; description = "Theme for GTK 3, GTK 2, Gnome-Shell, and Cinnamon"; license = licenses.gpl3; - maintainer = [ maintainers.rycee ]; + maintainers = [ maintainers.rycee ]; platforms = platforms.unix; }; } diff --git a/pkgs/os-specific/linux/kernel/linux-mptcp.nix b/pkgs/os-specific/linux/kernel/linux-mptcp.nix index 2b0e3017979..6a1d8da5a92 100644 --- a/pkgs/os-specific/linux/kernel/linux-mptcp.nix +++ b/pkgs/os-specific/linux/kernel/linux-mptcp.nix @@ -7,7 +7,7 @@ import ./generic.nix (args // rec { extraMeta = { branch = "3.18"; - maintainer = stdenv.lib.maintainers.layus; + maintainers = stdenv.lib.maintainers.layus; }; src = fetchurl { diff --git a/pkgs/servers/mail/rmilter/default.nix b/pkgs/servers/mail/rmilter/default.nix index 45c62546628..ad40b57f8a6 100644 --- a/pkgs/servers/mail/rmilter/default.nix +++ b/pkgs/servers/mail/rmilter/default.nix 
@@ -17,6 +17,6 @@ stdenv.mkDerivation rec { homepage = "https://github.com/vstakhov/rmilter"; license = licenses.bsd2; description = "server, used to integrate rspamd and milter compatible MTA, for example postfix or sendmail"; - maintainer = maintainers.avnik; + maintainers = maintainers.avnik; }; } diff --git a/pkgs/servers/mail/rspamd/default.nix b/pkgs/servers/mail/rspamd/default.nix index a3b20820a6e..1f9c36b7377 100644 --- a/pkgs/servers/mail/rspamd/default.nix +++ b/pkgs/servers/mail/rspamd/default.nix @@ -33,6 +33,6 @@ stdenv.mkDerivation rec { homepage = "https://github.com/vstakhov/rspamd"; license = licenses.bsd2; description = "advanced spam filtering system"; - maintainer = maintainers.avnik; + maintainers = maintainers.avnik; }; } diff --git a/pkgs/tools/misc/cpulimit/default.nix b/pkgs/tools/misc/cpulimit/default.nix index 72656d2969d..1bae4b16bd8 100644 --- a/pkgs/tools/misc/cpulimit/default.nix +++ b/pkgs/tools/misc/cpulimit/default.nix @@ -21,6 +21,6 @@ stdenv.mkDerivation rec { description = "A tool to throttle the CPU usage of programs"; platforms = with platforms; linux ++ freebsd; license = licenses.gpl2; - maintainer = [maintainers.rycee]; + maintainers = [maintainers.rycee]; }; } diff --git a/pkgs/tools/misc/trash-cli/default.nix b/pkgs/tools/misc/trash-cli/default.nix index 1c8a2e495b6..78835afddef 100644 --- a/pkgs/tools/misc/trash-cli/default.nix +++ b/pkgs/tools/misc/trash-cli/default.nix @@ -34,7 +34,7 @@ python2Packages.buildPythonPackage rec { meta = with stdenv.lib; { homepage = https://github.com/andreafrancia/trash-cli; description = "Command line tool for the desktop trash can"; - maintainer = [ maintainers.rycee ]; + maintainers = [ maintainers.rycee ]; license = licenses.gpl2; }; } diff --git a/pkgs/tools/networking/nethogs/default.nix b/pkgs/tools/networking/nethogs/default.nix index c8ff0c7a160..dfa9b26a38e 100644 --- a/pkgs/tools/networking/nethogs/default.nix +++ b/pkgs/tools/networking/nethogs/default.nix 
@@ -29,6 +29,6 @@ stdenv.mkDerivation rec { license = licenses.gpl2Plus; homepage = http://nethogs.sourceforge.net/; platforms = platforms.linux; - maintainer = [ maintainers.rycee ]; + maintainers = [ maintainers.rycee ]; }; } diff --git a/pkgs/tools/text/colordiff/default.nix b/pkgs/tools/text/colordiff/default.nix index 53e683561fb..b22a1da2264 100644 --- a/pkgs/tools/text/colordiff/default.nix +++ b/pkgs/tools/text/colordiff/default.nix @@ -22,6 +22,6 @@ stdenv.mkDerivation rec { homepage = http://www.colordiff.org/; license = licenses.gpl3; platforms = platforms.linux ++ platforms.darwin; - maintainer = with maintainers; [ nckx ]; + maintainers = with maintainers; [ nckx ]; }; } diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index fa2abffd552..717604a7278 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -1815,7 +1815,7 @@ in modules // { description = "Composable style cycles"; homepage = http://github.com/matplotlib/cycler; license = licenses.bsd3; - maintainer = with maintainers; [ fridh ]; + maintainers = with maintainers; [ fridh ]; }; }; @@ -10664,7 +10664,7 @@ in modules // { description = "Line-by-line profiler"; homepage = https://github.com/rkern/line_profiler; license = licenses.bsd3; - maintainer = with maintainers; [ fridh ]; + maintainers = with maintainers; [ fridh ]; }; }; @@ -12589,7 +12589,7 @@ in modules // { meta = { description = "Numerical traits for Python objects"; license = licenses.bsd2; - maintainer = with maintainers; [ fridh ]; + maintainers = with maintainers; [ fridh ]; homepage = https://github.com/astrofrog/numtraits; }; }; @@ -14905,7 +14905,7 @@ in modules // { description = "An audio library based on libsndfile, CFFI and NumPy"; license = licenses.bsd3; homepage = https://github.com/bastibe/PySoundFile; - maintainer = with maintainers; [ fridh ]; + maintainers = with maintainers; [ fridh ]; }; prePatch = '' 
@@ -15994,7 +15994,7 @@ in modules // { description = "A pythonic wrapper around FFTW, the FFT library, presenting a unified interface for all the supported transforms"; homepage = http://hgomersall.github.com/pyFFTW/; license = with licenses; [ bsd2 bsd3 ]; - maintainer = with maintainers; [ fridh ]; + maintainers = with maintainers; [ fridh ]; }; }; @@ -17727,7 +17727,7 @@ in modules // { description = "A docutils-compatibility bridge to CommonMark"; homepage = https://github.com/rtfd/recommonmark; license = licenses.mit; - maintainer = with maintainers; [ fridh ]; + maintainers = with maintainers; [ fridh ]; }; }; @@ -19794,7 +19794,7 @@ in modules // { description = "Statistical computations and models for use with SciPy"; homepage = "https://www.github.com/statsmodels/statsmodels"; license = licenses.bsd3; - maintainer = with maintainers; [ fridh ]; + maintainers = with maintainers; [ fridh ]; }; # Many tests fail when using latest numpy and pandas. @@ -20072,7 +20072,7 @@ in modules // { description = "Pretty-print tabular data"; homepage = https://bitbucket.org/astanin/python-tabulate; license = licenses.mit; - maintainer = with maintainers; [ fridh ]; + maintainers = with maintainers; [ fridh ]; }; }; @@ -21083,7 +21083,7 @@ in modules // { meta = { description = "Tree widgets for urwid"; license = licenses.gpl3; - maintainer = with maintainters; [ profpatsch ]; + maintainers = with maintainers; [ profpatsch ]; }; }; @@ -25019,7 +25019,7 @@ in modules // { # license can actually be either bsd3 or gpl3 # see https://github.com/trezor/cython-hidapi/blob/master/LICENSE-orig.txt license = licenses.bsd3; - maintainer = with maintainers; [ np ]; + maintainers = with maintainers; [ np ]; }; }; @@ -25038,7 +25038,7 @@ in modules // { description = "Implementation of Bitcoin BIP-0039"; homepage = https://github.com/trezor/python-mnemonic; license = licenses.mit; - maintainer = with maintainers; [ np ]; + maintainers = with maintainers; [ np ]; }; }; 
@@ -25062,7 +25062,7 @@ in modules // { description = "Python library for communicating with TREZOR Bitcoin Hardware Wallet"; homepage = https://github.com/trezor/python-trezor; license = licenses.gpl3; - maintainer = with maintainers; [ np ]; + maintainers = with maintainers; [ np ]; }; }; @@ -25086,7 +25086,7 @@ in modules // { description = "KeepKey Python client"; homepage = https://github.com/keepkey/python-keepkey; license = licenses.gpl3; - maintainer = with maintainers; [ np ]; + maintainers = with maintainers; [ np ]; }; }; @@ -25139,7 +25139,7 @@ in modules // { description = "Using Trezor as hardware SSH agent"; homepage = https://github.com/romanz/trezor-agent; license = licenses.gpl3; - maintainer = with maintainers; [ np ]; + maintainers = with maintainers; [ np ]; }; }; @@ -25156,7 +25156,7 @@ in modules // { description = "Binding for X11 proof of work hashing"; homepage = https://github.com/mazaclub/x11_hash; license = licenses.mit; - maintainer = with maintainers; [ np ]; + maintainers = with maintainers; [ np ]; }; }; From f106461cce2e97c69fe501d9cd1aaff323ddf674 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Wed, 10 Feb 2016 17:02:07 +0300 Subject: [PATCH 138/603] dwarf-fortress-packages.cla-theme: fix comment --- pkgs/games/dwarf-fortress/themes/cla.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/games/dwarf-fortress/themes/cla.nix b/pkgs/games/dwarf-fortress/themes/cla.nix index f3c6b7dd279..09b2cc8b647 100644 --- a/pkgs/games/dwarf-fortress/themes/cla.nix +++ b/pkgs/games/dwarf-fortress/themes/cla.nix @@ -1,6 +1,6 @@ { stdenv, fetchFromGitHub }: -# On upgrade check https://github.com/fricy/Phoebus/blob/master/manifest.json +# On upgrade check https://github.com/DFgraphics/CLA/blob/master/manifest.json # for compatibility information. stdenv.mkDerivation { From d008513af25f264accdbd4f496bfe13803e28190 Mon Sep 17 00:00:00 2001 
From: Eelco Dolstra Date: Wed, 10 Feb 2016 13:50:31 +0100 Subject: [PATCH 139/603] Reduce the size of the Nixpkgs/NixOS jobsets This cuts nixpkgs:trunk from 78K to 31K jobs by disabling builds of {node,go,python,emacs,coq,r,ocaml,perl}Packages. Thus these are now only built if they are dependencies of top-level packages (such as end-user applications). I left haskellPackages because they take typically longer to build than the others (which are mostly interpreted languages), so disabling them would be more painful to users. This is a temporary measure until we have a binary cache based Hydra running on faster hardware, necessitated by the fact that evaluations now regularly time out after 6 hours. --- pkgs/top-level/all-packages.nix | 24 ++++++++++++------------ pkgs/top-level/release.nix | 16 +++++++++++----- 2 files changed, 23 insertions(+), 17 deletions(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 6eeefe62b9a..4b3bbceab6d 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -2151,7 +2151,7 @@ let nodePackages_5_x = callPackage ./node-packages.nix { self = nodePackages_5_x; nodejs = nodejs-5_x; }; - nodePackages_4_x = recurseIntoAttrs (callPackage ./node-packages.nix { self = nodePackages_4_x; nodejs = nodejs-4_x; }); + nodePackages_4_x = callPackage ./node-packages.nix { self = nodePackages_4_x; nodejs = nodejs-4_x; }; nodePackages_0_10 = callPackage ./node-packages.nix { self = nodePackages_0_10; nodejs = nodejs-0_10; }; 
@@ -9001,23 +9001,23 @@ let ### DEVELOPMENT / GO MODULES - go14Packages = recurseIntoAttrs (callPackage ./go-packages.nix { + go14Packages = callPackage ./go-packages.nix { go = go_1_4; buildGoPackage = callPackage ../development/go-modules/generic { go = go_1_4; govers = go14Packages.govers.bin; }; overrides = (config.goPackageOverrides or (p: {})) pkgs; - }); + }; - go15Packages = recurseIntoAttrs (callPackage ./go-packages.nix { + go15Packages = callPackage ./go-packages.nix { go = go_1_5; buildGoPackage = callPackage ../development/go-modules/generic { go = go_1_5; govers = go15Packages.govers.bin; }; overrides = (config.goPackageOverrides or (p: {})) pkgs; - }); + }; goPackages = go15Packages; @@ -9091,20 +9091,20 @@ let self = python33Packages; }; - python34Packages = recurseIntoAttrs (callPackage ./python-packages.nix { + python34Packages = callPackage ./python-packages.nix { python = python34; self = python34Packages; - }); + }; python35Packages = recurseIntoAttrs (callPackage ./python-packages.nix { python = python35; self = python35Packages; }); - pypyPackages = recurseIntoAttrs (callPackage ./python-packages.nix { + pypyPackages = callPackage ./python-packages.nix { python = pypy; self = pypyPackages; - }); + }; bsddb3 = pythonPackages.bsddb3; @@ -11798,7 +11798,7 @@ let cask = callPackage ../applications/editors/emacs-modes/cask { }; }; - emacs24Packages = recurseIntoAttrs (emacsPackagesGen emacs24 pkgs.emacs24Packages); + emacs24Packages = emacsPackagesGen emacs24 pkgs.emacs24Packages; emacsPackagesNgGen = emacs: import ./emacs-packages.nix { overrides = (config.emacsPackageOverrides or (p: {})) pkgs; 
@@ -15140,8 +15140,8 @@ let }; - coqPackages = recurseIntoAttrs (mkCoqPackages_8_4 coqPackages); - coqPackages_8_5 = recurseIntoAttrs (mkCoqPackages_8_5 coqPackages_8_5); + coqPackages = mkCoqPackages_8_4 coqPackages; + coqPackages_8_5 = mkCoqPackages_8_5 coqPackages_8_5; cvc3 = callPackage ../applications/science/logic/cvc3 { gmp = lib.overrideDerivation gmp (a: { dontDisableStatic = true; }); diff --git a/pkgs/top-level/release.nix b/pkgs/top-level/release.nix index 1eff71f673f..34360a064ef 100644 --- a/pkgs/top-level/release.nix +++ b/pkgs/top-level/release.nix @@ -232,7 +232,7 @@ let zsh = linux; zsnes = ["i686-linux"]; - emacs24PackagesNg = packagePlatforms pkgs.emacs24PackagesNg; + #emacs24PackagesNg = packagePlatforms pkgs.emacs24PackagesNg; gnome = { gnome_panel = linux; @@ -243,7 +243,7 @@ let haskell.compiler = packagePlatforms pkgs.haskell.compiler; haskellPackages = packagePlatforms pkgs.haskellPackages; - rPackages = packagePlatforms pkgs.rPackages; + #rPackages = packagePlatforms pkgs.rPackages; strategoPackages = { sdf = linux; @@ -253,9 +253,15 @@ let dryad = linux; }; - pythonPackages = { - zfec = linux; - }; + ocamlPackages = { }; + + perlPackages = { }; + + pythonPackages = { }; + python2Packages = { }; + python27Packages = { }; + python3Packages = { }; + python35Packages = { }; xorg = { fontadobe100dpi = linux ++ darwin; From 11b9ed9e6323a82916b95538d40da2858fa99b03 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Wed, 10 Feb 2016 19:42:31 +0300 Subject: [PATCH 140/603] zathura: use mupdf by default --- pkgs/top-level/all-packages.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 4b3bbceab6d..707b0591ae2 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
@@ -14041,7 +14041,7 @@ let zathuraCollection = recurseIntoAttrs (callPackage ../applications/misc/zathura { callPackage = newScope pkgs.zathuraCollection; - useMupdf = config.zathura.useMupdf or false; + useMupdf = config.zathura.useMupdf or true; }); zathura = zathuraCollection.zathuraWrapper; From 11b6e9a2f88fb4ff14b75bc5d32da0043a8e8788 Mon Sep 17 00:00:00 2001 From: "tg(x)" <*@tg-x.net> Date: Sat, 24 Oct 2015 01:32:20 +0200 Subject: [PATCH 141/603] wayland window managers: orbment, sway, velox --- pkgs/applications/misc/dmenu/wayland.nix | 34 +++++++++++ pkgs/applications/misc/st/wayland.nix | 34 +++++++++++ .../window-managers/orbment/default.nix | 57 ++++++++++++++++++ .../window-managers/sway/default.nix | 38 ++++++++++++ .../window-managers/velox/default.nix | 29 ++++++++++ pkgs/development/libraries/swc/default.nix | 30 ++++++++++ pkgs/development/libraries/wlc/default.nix | 58 +++++++++++++++++++ pkgs/development/libraries/wld/default.nix | 30 ++++++++++ pkgs/top-level/all-packages.nix | 14 +++++ 9 files changed, 324 insertions(+) create mode 100644 pkgs/applications/misc/dmenu/wayland.nix create mode 100644 pkgs/applications/misc/st/wayland.nix create mode 100644 pkgs/applications/window-managers/orbment/default.nix create mode 100644 pkgs/applications/window-managers/sway/default.nix create mode 100644 pkgs/applications/window-managers/velox/default.nix create mode 100644 pkgs/development/libraries/swc/default.nix create mode 100644 pkgs/development/libraries/wlc/default.nix create mode 100644 pkgs/development/libraries/wld/default.nix diff --git a/pkgs/applications/misc/dmenu/wayland.nix b/pkgs/applications/misc/dmenu/wayland.nix new file mode 100644 index 00000000000..d55e22c5a3b --- /dev/null +++ b/pkgs/applications/misc/dmenu/wayland.nix 
@@ -0,0 +1,34 @@ +{stdenv, fetchurl #, libX11, libXinerama, enableXft, libXft, zlib +, swc, wld, wayland, libxkbcommon, pixman, fontconfig +}: + +with stdenv.lib; + +stdenv.mkDerivation rec { + name = "dmenu-wayland-${version}"; + version = "git-2014-11-02"; + rev = "6e08b77428cc3c406ed2e90d4cae6c41df76341e"; + + src = fetchurl { + url = "https://github.com/michaelforney/dmenu/archive/${rev}.tar.gz"; + sha256 = "d0f73e442baf44a93a3b9d41a72e9cfa14f54af6049c90549f516722e3f88019"; + }; + + buildInputs = [ swc wld wayland libxkbcommon pixman fontconfig ]; + + postPatch = '' + sed -ri -e 's!\<(dmenu|dmenu_path)\>!'"$out/bin"'/&!g' dmenu_run + ''; + + preConfigure = [ + ''sed -i "s@PREFIX = /usr/local@PREFIX = $out@g; s@/usr/share/swc@$(echo "$nativeBuildInputs" | grep -o '[^ ]*-swc-[^ ]*')/share/swc@g" config.mk'' + ]; + + meta = { + description = "a generic, highly customizable, and efficient menu for the X Window System"; + homepage = http://tools.suckless.org/dmenu; + license = stdenv.lib.licenses.mit; + maintainers = with stdenv.lib.maintainers; [ ]; + platforms = with stdenv.lib.platforms; all; + }; +} diff --git a/pkgs/applications/misc/st/wayland.nix b/pkgs/applications/misc/st/wayland.nix new file mode 100644 index 00000000000..ed7e0cf7ca1 --- /dev/null +++ b/pkgs/applications/misc/st/wayland.nix 
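Review bot: `src` fetches GitHub's auto-generated `archive/${rev}.tar.gz` through `fetchurl`, and those tarballs are not guaranteed to stay byte-identical over time, so the pinned sha256 can start failing later even though the commit it names is unchanged; `fetchFromGitHub`, which hashes the unpacked tree, is the usual way to pin a GitHub revision. The same pattern is used by st/wayland.nix, orbment, sway, velox, swc, wlc and wld in this commit. `meta.description` still reads "a generic, highly customizable, and efficient menu for the X Window System" although this is the Wayland port built against swc/wld, and `platforms = with stdenv.lib.platforms; all` is broader than the Linux-only Wayland stack it depends on; `platforms = with stdenv.lib.platforms; linux;` would match the sibling packages.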
@@ -0,0 +1,34 @@ +{ stdenv, fetchurl, pkgconfig, writeText +, ncurses, wayland, wld, libxkbcommon, fontconfig, pixman +, conf? null}: + +with stdenv.lib; + +stdenv.mkDerivation rec { + name = "st-wayland-${version}"; + version = "git-2015-08-29"; + rev = "61b47b76a09599c8093214e28c48938f5b424daa"; + + src = fetchurl { + url = "https://github.com/michaelforney/st/archive/${rev}.tar.gz"; + sha256 = "7164da135f02405dba5ae3131dfd896e072df29ac6c0928f3b887beffb8a7d97"; + }; + + configFile = optionalString (conf!=null) (writeText "config.def.h" conf); + preBuild = optionalString (conf!=null) "cp ${configFile} config.def.h"; + + buildInputs = [ pkgconfig ncurses wayland wld libxkbcommon fontconfig pixman ]; + + NIX_LDFLAGS = "-lfontconfig"; + + installPhase = '' + TERMINFO=$out/share/terminfo make install PREFIX=$out + ''; + + meta = { + homepage = http://st.suckless.org/; + license = stdenv.lib.licenses.mit; + maintainers = with maintainers; [ ]; + platforms = with platforms; linux; + }; +} diff --git a/pkgs/applications/window-managers/orbment/default.nix b/pkgs/applications/window-managers/orbment/default.nix new file mode 100644 index 00000000000..567903f589c --- /dev/null +++ b/pkgs/applications/window-managers/orbment/default.nix 
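Review bot: `pkgconfig` sits in `buildInputs` on the `buildInputs = [ pkgconfig ncurses wayland ... ]` line although it is only a build-time tool; the other new derivations in this commit put it in `nativeBuildInputs`, so `nativeBuildInputs = [ pkgconfig ];` with `buildInputs = [ ncurses wayland wld libxkbcommon fontconfig pixman ];` keeps them consistent. The `configFile`/`preBuild` pair silently replaces upstream's `config.def.h` with whatever `conf` holds; a one-line comment such as `# a user-supplied config.st.conf replaces upstream's config.def.h before the build` would make that visible to the next reader.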
@@ -0,0 +1,57 @@ +{ lib, stdenv, fetchurl, makeWrapper, cmake, pkgconfig +, wlc, dbus_libs, wayland, libxkbcommon, pixman, libinput, udev, zlib, libpng, libdrm, libX11 +}: + +stdenv.mkDerivation rec { + name = "orbment-${version}"; + version = "git-2015-09-30"; + repo = "https://github.com/Cloudef/orbment"; + rev = "229a870dbbb9dbc66c137cf2747eab11acdf1a95"; + + chck_repo = "https://github.com/Cloudef/chck"; + chck_rev = "6191a69572952291c137294317874c06c9c0d6a9"; + inihck_repo = "https://github.com/Cloudef/inihck"; + inihck_rev = "462cbd5fd67226714ac2bdfe4ceaec8e251b2d9c"; + + srcs = [ + (fetchurl { + url = "${repo}/archive/${rev}.tar.gz"; + sha256 = "7aaa0262d078adaf47abdf500b9ea581f6bec164c195a44a3c165a865414ca2c"; + }) + (fetchurl { + url = "${chck_repo}/archive/${chck_rev}.tar.gz"; + sha256 = "26b4af1390bf67c674732cad69fc94fb027a3d269241d0bd862f42fb80bd5160"; + }) + (fetchurl { + url = "${inihck_repo}/archive/${inihck_rev}.tar.gz"; + sha256 = "d21f2ac25eafed285614f5f0ef7a1014d629ba382f4e64bc89fe2c3e98c2777f"; + }) + ]; + + sourceRoot = "orbment-${rev}"; + postUnpack = '' + rm -rf orbment-${rev}/lib/chck orbment-${rev}/lib/inihck + ln -s ../../chck-${chck_rev} orbment-${rev}/lib/chck + ln -s ../../inihck-${inihck_rev} orbment-${rev}/lib/inihck + ''; + + nativeBuildInputs = [ cmake pkgconfig ]; + + buildInputs = [ makeWrapper wlc dbus_libs wayland libxkbcommon pixman libinput udev zlib libpng libX11 libdrm ]; + makeFlags = "PREFIX=$(out)"; + installPhase = "PREFIX=$out make install"; + + LD_LIBRARY_PATH = lib.makeLibraryPath [ libX11 libdrm dbus_libs ]; + preFixup = '' + wrapProgram $out/bin/orbment \ + --prefix LD_LIBRARY_PATH : "${LD_LIBRARY_PATH}"; + ''; + + meta = { + description = "Modular Wayland compositor"; + homepage = repo; + license = lib.licenses.mit; + platforms = lib.platforms.linux; + maintainers = with lib.maintainers; [ ]; + }; +} 
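Review bot: `LD_LIBRARY_PATH = lib.makeLibraryPath [ libX11 libdrm dbus_libs ];` becomes an environment variable for the entire build (cmake, the compiler and every tool run under it), not just for the wrapper that `preFixup` creates, which can change how build-time tools resolve their own libraries. Needing libX11, libdrm and dbus through LD_LIBRARY_PATH at run time suggests the binary is not being linked against them, so fixing the link step (so those paths land in the rpath) would make the `wrapProgram` call unnecessary; sway in this commit uses the same pattern. `makeWrapper` is also listed in `buildInputs` rather than in `nativeBuildInputs` alongside `cmake pkgconfig`, where the other build tools are.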
diff --git a/pkgs/applications/window-managers/sway/default.nix b/pkgs/applications/window-managers/sway/default.nix new file mode 100644 index 00000000000..cec48fad4e5 --- /dev/null +++ b/pkgs/applications/window-managers/sway/default.nix @@ -0,0 +1,38 @@ +{ lib, stdenv, fetchurl, makeWrapper, cmake, pkgconfig +, wayland, wlc, libxkbcommon, pixman, fontconfig, pcre, json_c, asciidoc, libxslt, dbus_libs +}: + +stdenv.mkDerivation rec { + name = "sway-${version}"; + version = "git-2015-10-16"; + + src = fetchurl { + url = "https://github.com/SirCmpwn/sway/archive/16e904634c65128610537bed7fcb16ac3bb45165.tar.gz"; + sha256 = "52d6c4b49fea69e2a2c1b44b858908b7736301bdb9ed483c294bc54bb40e872e"; + }; + + nativeBuildInputs = [ cmake pkgconfig ]; + + buildInputs = [ makeWrapper wayland wlc libxkbcommon pixman fontconfig pcre json_c asciidoc libxslt dbus_libs ]; + + patchPhase = '' + sed -i s@/etc/sway@$out/etc/sway@g CMakeLists.txt; + ''; + + makeFlags = "PREFIX=$(out)"; + installPhase = "PREFIX=$out make install"; + + LD_LIBRARY_PATH = lib.makeLibraryPath [ wlc dbus_libs ]; + preFixup = '' + wrapProgram $out/bin/sway \ + --prefix LD_LIBRARY_PATH : "${LD_LIBRARY_PATH}"; + ''; + + meta = { + description = "i3-compatible window manager for Wayland"; + homepage = "http://swaywm.org"; + license = lib.licenses.mit; + platforms = lib.platforms.linux; + maintainers = with lib.maintainers; [ ]; + }; +} diff --git a/pkgs/applications/window-managers/velox/default.nix b/pkgs/applications/window-managers/velox/default.nix new file mode 100644 index 00000000000..8823b32ee3c --- /dev/null +++ b/pkgs/applications/window-managers/velox/default.nix 
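Review bot: `patchPhase = '' sed -i s@/etc/sway@$out/etc/sway@g CMakeLists.txt; ''` replaces the generic patch phase, so a `patches` list added to this derivation later would be silently skipped; wlc/default.nix has the same override. Using `postPatch = '' sed -i s@/etc/sway@$out/etc/sway@g CMakeLists.txt ''` keeps the standard phase and its hooks in place. The substitution also moves sway's system configuration directory from `/etc/sway` to `$out/etc/sway`, presumably so that the defaults ship with the package; a short comment saying so would spare the next reader a guess.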
@@ -0,0 +1,29 @@ +{ lib, stdenv, fetchurl, fetchFromGitHub, pkgconfig +, swc, libxkbcommon +, wld, wayland, pixman, fontconfig +}: + +stdenv.mkDerivation rec { + name = "velox-${version}"; + version = "git-2015-09-23"; + + src = fetchurl { + url = "https://github.com/michaelforney/velox/archive/499768b5834967727e3d91139b4013b6aca95762.tar.gz"; + sha256 = "252959f0f0ff593c187449b61c234c214fdf321e3f4e8b5d9e3c2949d932a0a2"; + }; + + nativeBuildInputs = [ pkgconfig ]; + + buildInputs = [ swc libxkbcommon wld wayland pixman fontconfig ]; + + makeFlags = "PREFIX=$(out)"; + installPhase = "PREFIX=$out make install"; + + meta = { + description = "velox window manager"; + homepage = "https://github.com/michaelforney/velox"; + license = lib.licenses.mit; + platforms = lib.platforms.linux; + maintainers = with lib.maintainers; [ ]; + }; +} diff --git a/pkgs/development/libraries/swc/default.nix b/pkgs/development/libraries/swc/default.nix new file mode 100644 index 00000000000..448459d0275 --- /dev/null +++ b/pkgs/development/libraries/swc/default.nix 
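Review bot: `fetchFromGitHub` is taken from the argument set on the first line but never used, since `src` is built with `fetchurl` on a GitHub archive tarball. Either drop it from the arguments or use it for `src` with owner `michaelforney`, repo `velox` and the same rev, bearing in mind that the sha256 would then have to be recomputed because `fetchFromGitHub` hashes the unpacked tree rather than the tarball. `description = "velox window manager"` only repeats the package name; a sentence on what it offers (it is built on swc and wld per its inputs) would serve users better.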
@@ -0,0 +1,30 @@ +{ lib, stdenv, fetchurl, pkgconfig +, wld, wayland, xwayland, fontconfig, pixman, libdrm, libinput, libevdev, libxkbcommon, libxcb, xcbutilwm +}: + +stdenv.mkDerivation rec { + name = "swc-${version}"; + version = "git-2015-09-05"; + repo = "https://github.com/michaelforney/swc"; + rev = "0dff35ad9b80fc62e6b48417f78c24df6648c9d2"; + + src = fetchurl { + url = "${repo}/archive/${rev}.tar.gz"; + sha256 = "7af5655b5bb5fe59bb8e6643e35f794419850463b1d7f44f29b45ab6aee01ae9"; + }; + + nativeBuildInputs = [ pkgconfig ]; + + buildInputs = [ wld wayland xwayland fontconfig pixman libdrm libinput libevdev libxkbcommon libxcb xcbutilwm ]; + + makeFlags = "PREFIX=$(out)"; + installPhase = "PREFIX=$out make install"; + + meta = { + description = "A library for making a simple Wayland compositor"; + homepage = repo; + license = lib.licenses.mit; + platforms = lib.platforms.linux; + maintainers = with lib.maintainers; [ ]; + }; +} diff --git a/pkgs/development/libraries/wlc/default.nix b/pkgs/development/libraries/wlc/default.nix new file mode 100644 index 00000000000..a0b592df4a3 --- /dev/null +++ b/pkgs/development/libraries/wlc/default.nix 
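Review bot: `installPhase = "PREFIX=$out make install";` duplicates what the generic install phase already does with `makeFlags = "PREFIX=$(out)"` (makeFlags are passed to `make install` as well), and as a plain string it also skips the `preInstall`/`postInstall` hooks; removing the `installPhase` line leaves the result the same. The same pair of lines appears in orbment, sway, velox, wlc and wld in this commit.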
@@ -0,0 +1,58 @@ +{ lib, stdenv, fetchurl, cmake, pkgconfig +, glibc, wayland, pixman, libxkbcommon, libinput, libxcb, xcbutilwm, xcbutilimage, mesa, libdrm, udev, systemd, dbus_libs +, libpthreadstubs, libX11, libXau, libXdmcp, libXext, libXdamage, libxshmfence, libXxf86vm, linuxPackages_4_2 +}: + +stdenv.mkDerivation rec { + name = "wlc-${version}"; + version = "git-2015-10-04"; + repo = "https://github.com/Cloudef/wlc"; + rev = "74d978cc54fd8256777c8d39327cb677523cddff"; + + chck_repo = "https://github.com/Cloudef/chck"; + chck_rev = "6191a69572952291c137294317874c06c9c0d6a9"; + + srcs = [ + (fetchurl { + url = "${repo}/archive/${rev}.tar.gz"; + sha256 = "a3641e79252a140be089dd2e829b4d21a3b5ff10866951568d54bd4600597254"; + }) + (fetchurl { + url = "${chck_repo}/archive/${chck_rev}.tar.gz"; + sha256 = "26b4af1390bf67c674732cad69fc94fb027a3d269241d0bd862f42fb80bd5160"; + }) + ]; + + sourceRoot = "wlc-${rev}"; + postUnpack = '' + rm -rf wlc-${rev}/lib/chck + ln -s ../../chck-${chck_rev} wlc-${rev}/lib/chck + ''; + + patchPhase = '' + ( echo '#include '; + echo '#include '; + cat src/platform/backend/drm.c + ) >src/platform/backend/drm.c-fix; + mv src/platform/backend/drm.c-fix src/platform/backend/drm.c; + ''; + + nativeBuildInputs = [ cmake pkgconfig ]; + + buildInputs = [ + wayland pixman libxkbcommon libinput libxcb xcbutilwm xcbutilimage mesa libdrm udev + libpthreadstubs libX11 libXau libXdmcp libXext libXdamage libxshmfence libXxf86vm + systemd dbus_libs + ]; + + makeFlags = "PREFIX=$(out) -lchck"; + installPhase = "PREFIX=$out make install"; + + meta = { + description = "A library for making a simple Wayland compositor"; + homepage = repo; + license = lib.licenses.mit; + platforms = lib.platforms.linux; + maintainers = with lib.maintainers; [ ]; + }; +} diff --git a/pkgs/development/libraries/wld/default.nix b/pkgs/development/libraries/wld/default.nix new file mode 100644 index 00000000000..1dd5858ec72 --- /dev/null 
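Review bot: The two `echo '#include '` lines in `patchPhase` carry no header name as shown here; if the angle-bracketed name was lost in rendering that is harmless, but otherwise the phase prepends empty `#include` directives to drm.c, which the preprocessor rejects. `makeFlags = "PREFIX=$(out) -lchck"` passes a linker flag as a make argument, where make will presumably try to read it as one of its own options; it looks intended for `NIX_LDFLAGS` or `LDFLAGS`, and a comment explaining why chck has to be linked by hand would help. `glibc` is also taken from the argument set without being used, and `patchPhase` here overrides the generic phase just as in sway.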
+++ b/pkgs/development/libraries/wld/default.nix @@ -0,0 +1,30 @@ +{ lib, stdenv, fetchurl, pkgconfig +, wayland, fontconfig, pixman, freetype, libdrm +}: + +stdenv.mkDerivation rec { + name = "wld-${version}"; + version = "git-2015-09-01"; + repo = "https://github.com/michaelforney/wld"; + rev = "efe0a1ed1856a2e4a1893ed0f2d7dde43b5627f0"; + + src = fetchurl { + url = "${repo}/archive/${rev}.tar.gz"; + sha256 = "09388f7828e18c75e7b8d41454903886a725d7a868f60e66c128bd7d2e953ee1"; + }; + + nativeBuildInputs = [ pkgconfig ]; + + buildInputs = [ wayland fontconfig pixman freetype libdrm ]; + + makeFlags = "PREFIX=$(out)"; + installPhase = "PREFIX=$out make install"; + + meta = { + description = "A primitive drawing library targeted at Wayland"; + homepage = repo; + license = lib.licenses.mit; + platforms = lib.platforms.linux; + maintainers = with lib.maintainers; [ ]; + }; +} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 707b0591ae2..b6220b3e2ac 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -11546,6 +11546,8 @@ let dmenu = callPackage ../applications/misc/dmenu { }; + dmenu-wayland = callPackage ../applications/misc/dmenu/wayland.nix { }; + dmenu2 = callPackage ../applications/misc/dmenu2 { }; dmtx = dmtx-utils; @@ -12266,6 +12268,14 @@ let spectrwm = callPackage ../applications/window-managers/spectrwm { }; + wlc = callPackage ../development/libraries/wlc { }; + orbment = callPackage ../applications/window-managers/orbment { }; + sway = callPackage ../applications/window-managers/sway { }; + + swc = callPackage ../development/libraries/swc { }; + wld = callPackage ../development/libraries/wld { }; + velox = callPackage ../applications/window-managers/velox { }; + i3 = callPackage ../applications/window-managers/i3 { xcb-util-cursor = if stdenv.isDarwin then xcb-util-cursor-HEAD else xcb-util-cursor; }; 
@@ -13262,6 +13272,10 @@ let conf = config.st.conf or null; }; + st-wayland = callPackage ../applications/misc/st/wayland.nix { + conf = config.st.conf or null; + }; + stag = callPackage ../applications/misc/stag { curses = ncurses; }; From 7c810fb5a7c8f8503083b5665069cb367da3aa09 Mon Sep 17 00:00:00 2001 From: "tg(x)" <*@tg-x.net> Date: Tue, 9 Feb 2016 23:41:01 +0100 Subject: [PATCH 142/603] wayland window managers: orbment, sway, velox -> latest git --- .../window-managers/orbment/default.nix | 10 ++++---- .../window-managers/sway/default.nix | 6 +++-- .../window-managers/velox/default.nix | 8 ++++--- pkgs/development/libraries/swc/default.nix | 6 ++--- pkgs/development/libraries/wlc/default.nix | 24 +++++++++++++------ 5 files changed, 34 insertions(+), 20 deletions(-) diff --git a/pkgs/applications/window-managers/orbment/default.nix b/pkgs/applications/window-managers/orbment/default.nix index 567903f589c..e7cbd004087 100644 --- a/pkgs/applications/window-managers/orbment/default.nix +++ b/pkgs/applications/window-managers/orbment/default.nix 
@@ -4,23 +4,23 @@ stdenv.mkDerivation rec { name = "orbment-${version}"; - version = "git-2015-09-30"; + version = "git-2016-01-31"; repo = "https://github.com/Cloudef/orbment"; - rev = "229a870dbbb9dbc66c137cf2747eab11acdf1a95"; + rev = "7f649fb76649f826dd29578a5ec41bb561b116eb"; chck_repo = "https://github.com/Cloudef/chck"; - chck_rev = "6191a69572952291c137294317874c06c9c0d6a9"; + chck_rev = "fe5e2606b7242aa5d89af2ea9fd048821128d2bc"; inihck_repo = "https://github.com/Cloudef/inihck"; inihck_rev = "462cbd5fd67226714ac2bdfe4ceaec8e251b2d9c"; srcs = [ (fetchurl { url = "${repo}/archive/${rev}.tar.gz"; - sha256 = "7aaa0262d078adaf47abdf500b9ea581f6bec164c195a44a3c165a865414ca2c"; + sha256 = "5a426da0d5f4487911cfe9226865ed0cd1a7cdf253eec19d5eadc4b0d14a2ea0"; }) (fetchurl { url = "${chck_repo}/archive/${chck_rev}.tar.gz"; - sha256 = "26b4af1390bf67c674732cad69fc94fb027a3d269241d0bd862f42fb80bd5160"; + sha256 = "ca316b544c48e837c32f08d613be42da10e0a3251e8e4488d1848b91ef92ab9e"; }) (fetchurl { url = "${inihck_repo}/archive/${inihck_rev}.tar.gz"; diff --git a/pkgs/applications/window-managers/sway/default.nix b/pkgs/applications/window-managers/sway/default.nix index cec48fad4e5..fa81971885a 100644 --- a/pkgs/applications/window-managers/sway/default.nix +++ b/pkgs/applications/window-managers/sway/default.nix @@ -4,10 +4,12 @@ stdenv.mkDerivation rec { name = "sway-${version}"; - version = "git-2015-10-16"; + version = "git-2016-02-08"; + repo = "https://github.com/SirCmpwn/sway"; + rev = "16e904634c65128610537bed7fcb16ac3bb45165"; src = fetchurl { - url = "https://github.com/SirCmpwn/sway/archive/16e904634c65128610537bed7fcb16ac3bb45165.tar.gz"; + url = "${repo}/archive/${rev}.tar.gz"; sha256 = "52d6c4b49fea69e2a2c1b44b858908b7736301bdb9ed483c294bc54bb40e872e"; }; diff --git a/pkgs/applications/window-managers/velox/default.nix b/pkgs/applications/window-managers/velox/default.nix index 8823b32ee3c..789f074aecd 100644 
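Review bot: In the sway hunk, `version` moves from `git-2015-10-16` to `git-2016-02-08`, but the new `rev = "16e904634c65128610537bed7fcb16ac3bb45165"` and the unchanged `sha256 = "52d6c4b4…"` are exactly the values the previous commit used in the old `url`, so the package label claims a newer snapshot while the fetched source is identical. Either `rev` and `sha256` need updating to the 2016-02-08 commit, or `version` should stay at `git-2015-10-16`. The orbment hunk on this line updates version, rev and hash together, which is the consistent form.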
--- a/pkgs/applications/window-managers/velox/default.nix +++ b/pkgs/applications/window-managers/velox/default.nix @@ -5,11 +5,13 @@ stdenv.mkDerivation rec { name = "velox-${version}"; - version = "git-2015-09-23"; + version = "git-2015-11-03"; + repo = "https://github.com/michaelforney/velox"; + rev = "53b41348df7e37886cab012609923255e4397419"; src = fetchurl { - url = "https://github.com/michaelforney/velox/archive/499768b5834967727e3d91139b4013b6aca95762.tar.gz"; - sha256 = "252959f0f0ff593c187449b61c234c214fdf321e3f4e8b5d9e3c2949d932a0a2"; + url = "${repo}/archive/${rev}.tar.gz"; + sha256 = "e49583efbbe62ea30f0084491ff757dff683f35eef6e9b68aa413e0b50c4bf20"; }; nativeBuildInputs = [ pkgconfig ]; diff --git a/pkgs/development/libraries/swc/default.nix b/pkgs/development/libraries/swc/default.nix index 448459d0275..48e1524e36f 100644 --- a/pkgs/development/libraries/swc/default.nix +++ b/pkgs/development/libraries/swc/default.nix @@ -4,13 +4,13 @@ stdenv.mkDerivation rec { name = "swc-${version}"; - version = "git-2015-09-05"; + version = "git-2016-02-09"; repo = "https://github.com/michaelforney/swc"; - rev = "0dff35ad9b80fc62e6b48417f78c24df6648c9d2"; + rev = "1da0ef13fddc572accea12439a4471b4d2f64ddd"; src = fetchurl { url = "${repo}/archive/${rev}.tar.gz"; - sha256 = "7af5655b5bb5fe59bb8e6643e35f794419850463b1d7f44f29b45ab6aee01ae9"; + sha256 = "d1894612d8aa1ce828efb78f1570290f84bba6563e21eb777e08c3c3859b7bbe"; }; nativeBuildInputs = [ pkgconfig ]; diff --git a/pkgs/development/libraries/wlc/default.nix b/pkgs/development/libraries/wlc/default.nix index a0b592df4a3..9b5fa32bf00 100644 --- a/pkgs/development/libraries/wlc/default.nix +++ b/pkgs/development/libraries/wlc/default.nix 
@@ -1,32 +1,42 @@
-{ lib, stdenv, fetchurl, cmake, pkgconfig
+{ lib, stdenv, fetchurl, fetchgit, cmake, pkgconfig
 , glibc, wayland, pixman, libxkbcommon, libinput, libxcb, xcbutilwm, xcbutilimage, mesa, libdrm, udev, systemd, dbus_libs
 , libpthreadstubs, libX11, libXau, libXdmcp, libXext, libXdamage, libxshmfence, libXxf86vm, linuxPackages_4_2
 }:
 stdenv.mkDerivation rec {
 name = "wlc-${version}";
- version = "git-2015-10-04";
+ version = "git-2016-01-31";
 repo = "https://github.com/Cloudef/wlc";
- rev = "74d978cc54fd8256777c8d39327cb677523cddff";
+ rev = "faa4d3cba670576c202b0844e087b13538f772c5";
 chck_repo = "https://github.com/Cloudef/chck";
- chck_rev = "6191a69572952291c137294317874c06c9c0d6a9";
+ chck_rev = "fe5e2606b7242aa5d89af2ea9fd048821128d2bc";
+
+ wl_protos_repo = "git://anongit.freedesktop.org/wayland/wayland-protocols";
+ wl_protos_rev = "0b05b70f9da245582f01581be4ca36db683682b8";
+ wl_protos_rev_short = "0b05b70";
 srcs = [
 (fetchurl {
 url = "${repo}/archive/${rev}.tar.gz";
- sha256 = "a3641e79252a140be089dd2e829b4d21a3b5ff10866951568d54bd4600597254";
+ sha256 = "cdf6a772dc90060d57aa1a915a4daff0f79802c141fec92ef2710245d727af67";
 })
 (fetchurl {
 url = "${chck_repo}/archive/${chck_rev}.tar.gz";
- sha256 = "26b4af1390bf67c674732cad69fc94fb027a3d269241d0bd862f42fb80bd5160";
+ sha256 = "ca316b544c48e837c32f08d613be42da10e0a3251e8e4488d1848b91ef92ab9e";
+ })
+ (fetchgit {
+ url = "${wl_protos_repo}";
+ rev = "${wl_protos_rev}";
+ sha256 = "9c1cfbb570142b2109ecef4d11b17f25e94ed2e0569f522ea56f244c60465224";
 })
 ];
 sourceRoot = "wlc-${rev}";
 postUnpack = ''
- rm -rf wlc-${rev}/lib/chck
+ rm -rf wlc-${rev}/lib/chck wlc-${rev}/protos/wayland-protocols
 ln -s ../../chck-${chck_rev} wlc-${rev}/lib/chck
+ ln -s ../../wayland-protocols-${wl_protos_rev_short} wlc-${rev}/protos/wayland-protocols
 '';
 patchPhase = ''
From c3ff97154c8a95031d528d3d07bcee5fcf7c4ee0 Mon Sep 17 00:00:00 2001
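Review bot: `wl_protos_rev_short = "0b05b70";` duplicates the first seven characters of `wl_protos_rev` by hand, so the next bump can leave the two out of step and the `ln -s ../../wayland-protocols-${wl_protos_rev_short} …` in postUnpack would then point at a directory that does not exist; `wl_protos_rev_short = builtins.substring 0 7 wl_protos_rev;` keeps them coupled (the seven-character form presumably mirrors fetchgit's output directory name — confirm). `url = "${wl_protos_repo}";` and `rev = "${wl_protos_rev}";` interpolate whole strings and can simply be `url = wl_protos_repo;` and `rev = wl_protos_rev;`. The protocols are fetched over unauthenticated `git://`; the fixed sha256 on that fetchgit is what pins the content, so a one-line comment saying so would stop a later URL change from dropping the hash along with it.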
From: "tg(x)" <*@tg-x.net>
Date: Wed, 10 Feb 2016 17:03:21 +0100
Subject: [PATCH 143/603] wlc: remove linuxPackages_4_2
---
 pkgs/development/libraries/wlc/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/development/libraries/wlc/default.nix b/pkgs/development/libraries/wlc/default.nix
index 9b5fa32bf00..b219bd2f44d 100644
--- a/pkgs/development/libraries/wlc/default.nix
+++ b/pkgs/development/libraries/wlc/default.nix
@@ -1,6 +1,6 @@
 { lib, stdenv, fetchurl, fetchgit, cmake, pkgconfig
 , glibc, wayland, pixman, libxkbcommon, libinput, libxcb, xcbutilwm, xcbutilimage, mesa, libdrm, udev, systemd, dbus_libs
-, libpthreadstubs, libX11, libXau, libXdmcp, libXext, libXdamage, libxshmfence, libXxf86vm, linuxPackages_4_2
+, libpthreadstubs, libX11, libXau, libXdmcp, libXext, libXdamage, libxshmfence, libXxf86vm
 }:
 stdenv.mkDerivation rec {
From 077e24c10d4d5578aedc849f968562e178715743 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 10 Feb 2016 17:14:12 +0000
Subject: [PATCH 144/603] Revert "linuxPackages.perf: set -Wno-error=bool-compare"
This reverts commit 332c84196c3d8814fbd244b42d8dabc68917f1e4.
only works on gcc5
---
 pkgs/os-specific/linux/kernel/perf.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/os-specific/linux/kernel/perf.nix b/pkgs/os-specific/linux/kernel/perf.nix
index ad80d2ed93c..1e5c64ccb8a 100644
--- a/pkgs/os-specific/linux/kernel/perf.nix
+++ b/pkgs/os-specific/linux/kernel/perf.nix
@@ -28,7 +28,7 @@ stdenv.mkDerivation {
 # Note: we don't add elfutils to buildInputs, since it provides a
 # bad `ld' and other stuff.
- NIX_CFLAGS_COMPILE = "-I${elfutils}/include -Wno-error=cpp -Wno-error=bool-compare";
+ NIX_CFLAGS_COMPILE = "-I${elfutils}/include -Wno-error=cpp";
 NIX_CFLAGS_LINK = "-L${elfutils}/lib";
 installFlags = "install install-man ASCIIDOC8=1";
From 63d4e59addd19c24a618049fcc797f8db7185c6d Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 10 Feb 2016 22:28:44 +0000
Subject: [PATCH 145/603] seabios: turn off pic and stackprotector hardening
---
 pkgs/applications/virtualization/seabios/default.nix | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/pkgs/applications/virtualization/seabios/default.nix b/pkgs/applications/virtualization/seabios/default.nix
index 8e6a7fcb0d2..a06523973b7 100644
--- a/pkgs/applications/virtualization/seabios/default.nix
+++ b/pkgs/applications/virtualization/seabios/default.nix
@@ -12,6 +12,9 @@ stdenv.mkDerivation rec {
 buildInputs = [ iasl python ];
+ hardening_pic = false;
+ hardening_stackprotector = false;
+
 configurePhase = ''
 # build SeaBIOS for CSM
 cat > .config << EOF
@@ -21,12 +24,12 @@ stdenv.mkDerivation rec {
 EOF
 make olddefconfig
- '';
+ '';
 installPhase = ''
 mkdir $out
 cp out/Csm16.bin $out/Csm16.bin
- '';
+ '';
 meta = with stdenv.lib; {
 description = "Open source implementation of a 16bit X86 BIOS";
From e339a9a20e0da78e2b0ec474f9d6ef4d30571571 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 10 Feb 2016 22:38:40 +0000
Subject: [PATCH 146/603] barcode: turn off format hardening
---
 pkgs/tools/graphics/barcode/default.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkgs/tools/graphics/barcode/default.nix b/pkgs/tools/graphics/barcode/default.nix
index b35b929da40..7e6c9931341 100644
--- a/pkgs/tools/graphics/barcode/default.nix
+++ b/pkgs/tools/graphics/barcode/default.nix
@@ -9,13 +9,14 @@ stdenv.mkDerivation rec {
 sha256 = "1indapql5fjz0bysyc88cmc54y8phqrbi7c76p71fgjp45jcyzp8";
 };
+ hardening_format = false;
+
 meta = with stdenv.lib; {
 description = "GNU barcode generator";
 maintainers = with maintainers; [ raskin ];
 platforms = with platforms; allBut darwin;
 downloadPage = "http://ftp.gnu.org/gnu/barcode/";
 updateWalker = true;
- inherit version;
 homepage = http://ftp.gnu.org/gnu/barcode/;
 };
 }
From 2fdd13234e133d8f5bdd1c383824c4b6530fd64a Mon Sep 17 00:00:00 2001
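Review bot: `hardening_pic = false;` and `hardening_stackprotector = false;` are added to seabios without a comment recording why, so nothing tells a later maintainer whether the two exemptions are still needed or could be narrowed to one. For a freestanding 16-bit firmware image both presumably fail at build or link time rather than being merely unwanted, but that is inferred; a one-line comment above the pair such as `# freestanding 16-bit image: no PIC and no stack-protector runtime available — confirm` would capture it. The same missing rationale applies to the later stackprotector/pic disables for criu, xen and dietlibc in this series. The second hunk only strips trailing whitespace from the two `'';` terminators.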
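Review bot: `hardening_format = false;` is added to barcode with no record of the build error it works around, which makes it impossible to tell later whether the package still needs the exemption; the same bare flag recurs in asc, charybdis, cgui, crack_attack, db45, detox, dosbox, foremost, fox, fox_1_9, fprint_demo, libf2c, portmidi, gbdfed, freewheeling, geoclue, fusesmb, gqview, ggobi, grip, ht, mp4v2, ifenslave, tidyp, iptraf-ng, jack_capture, k2pdfopt, gdal, qtscriptgenerator and freeswitch. As far as I know this flag governs the compiler's format-string diagnostics (`-Wformat -Wformat-security -Werror=format-security`), so turning it off silences the non-literal-format warnings for the whole package instead of fixing the offending call sites. A comment naming the failing file, e.g. `# format hardening off: non-literal printf format in <FILE> — TODO fix upstream and re-enable`, keeps each exemption reviewable; the network-facing packages in that list (charybdis, freeswitch, iptraf-ng) deserve the follow-up most. The `- inherit version;` removal inside meta is unrelated to the subject and is not mentioned in the message.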
From: Robin Gloster
Date: Wed, 10 Feb 2016 22:40:16 +0000
Subject: [PATCH 147/603] mp3val: turn off format hardening
---
 pkgs/applications/audio/mp3val/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/applications/audio/mp3val/default.nix b/pkgs/applications/audio/mp3val/default.nix
index 0957420b658..abea5521571 100644
--- a/pkgs/applications/audio/mp3val/default.nix
+++ b/pkgs/applications/audio/mp3val/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
 install -Dv mp3val "$out/bin/mp3val"
 '';
+ hardening_fortify = false;
+
 meta = {
 description = "A tool for validating and repairing MPEG audio streams";
 longDescription = ''
From e5fb9eb27cdbd7ad9366fc06b0c57cd4f48bec1c Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 10 Feb 2016 22:44:23 +0000
Subject: [PATCH 148/603] asc: turn off format hardening
---
 pkgs/games/asc/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkgs/games/asc/default.nix b/pkgs/games/asc/default.nix
index b2f251bfecb..82d4748a979 100644
--- a/pkgs/games/asc/default.nix
+++ b/pkgs/games/asc/default.nix
@@ -13,6 +13,7 @@ stdenv.mkDerivation rec {
 configureFlags = [ "--disable-paragui" "--disable-paraguitest" ];
 NIX_CFLAGS_COMPILE = "-fpermissive"; # I'm too lazy to catch all gcc47-related problems
+ hardening_format = false;
 buildInputs = [ SDL SDL_image SDL_mixer SDL_sound libsigcxx physfs boost expat
From 16c81c9f74fed7ced6580875c36555fd8f640325 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 10 Feb 2016 22:44:32 +0000
Subject: [PATCH 149/603] charybdis: turn off format hardening
---
 pkgs/servers/irc/charybdis/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/servers/irc/charybdis/default.nix b/pkgs/servers/irc/charybdis/default.nix
index a38a25c8a5c..d42f69d078b 100644
--- a/pkgs/servers/irc/charybdis/default.nix
+++ b/pkgs/servers/irc/charybdis/default.nix
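Review bot: The mp3val subject says "turn off format hardening" but the line actually added is `hardening_fortify = false;`, so either the flag or the message is wrong and the two need to agree. FORTIFY_SOURCE and the format-string warnings are separate mechanisms with different consequences, so the message should name which one really fails the build. If fortify is what is needed, a comment above the line such as `# hardening_fortify off: build fails with FORTIFY_SOURCE (<ERROR>) — revisit` would let it be re-enabled once the cause is fixed.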
@@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
 "--with-program-prefix=charybdis-"
 ];
+ hardening_format = false;
+
 buildInputs = [ bison flex openssl ];
 meta = {
From 2c1357d7c2cb115737a50825473a9afed595f85a Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 10 Feb 2016 22:49:59 +0000
Subject: [PATCH 150/603] cgui: turn off format hardening
---
 pkgs/development/libraries/cgui/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/libraries/cgui/default.nix b/pkgs/development/libraries/cgui/default.nix
index 29413b1c845..3e5076d2509 100644
--- a/pkgs/development/libraries/cgui/default.nix
+++ b/pkgs/development/libraries/cgui/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
 sh fix.sh unix
 '';
+ hardening_format = false;
+
 makeFlags = [ "SYSTEM_DIR=$(out)" ];
 meta = with stdenv.lib; {
From ef3636188b0ba33dd22d86bf74eed66a48c7dd7b Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 10 Feb 2016 23:04:10 +0000
Subject: [PATCH 151/603] crack_attack: turn off format hardening
---
 pkgs/games/crack-attack/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/games/crack-attack/default.nix b/pkgs/games/crack-attack/default.nix
index 538efebf833..9a4b1d04916 100644
--- a/pkgs/games/crack-attack/default.nix
+++ b/pkgs/games/crack-attack/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 buildInputs = [ pkgconfig gtk freeglut SDL mesa libXi libXmu ];
+ hardening_format = false;
+
 meta = {
 description = "A fast-paced puzzle game inspired by the classic Super NES title Tetris Attack!";
 homepage = http://www.nongnu.org/crack-attack/;
From 80df5752f72e4c21c5cef88a3f71f47f6b6dee60 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 10 Feb 2016 23:08:47 +0000
Subject: [PATCH 152/603] db45: turn off format hardening
---
 pkgs/development/libraries/db/db-4.5.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkgs/development/libraries/db/db-4.5.nix b/pkgs/development/libraries/db/db-4.5.nix
index b1e4b2c4708..6d3b15d256e 100644
--- a/pkgs/development/libraries/db/db-4.5.nix
+++ b/pkgs/development/libraries/db/db-4.5.nix
@@ -5,4 +5,5 @@ import ./generic.nix (args // rec {
 extraPatches = [ ./cygwin-4.5.patch ./register-race-fix.patch ];
 sha256 = "0bd81k0qv5i8w5gbddrvld45xi9k1gvmcrfm0393v0lrm37dab7m";
 branch = "4.5";
+ drvArgs = { hardening_format = false; };
 })
From 2275eb6210f679e48f18ceb45f59d5553e035918 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 10 Feb 2016 23:09:09 +0000
Subject: [PATCH 153/603] criu: turn off stackprotector hardening
---
 pkgs/os-specific/linux/criu/default.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkgs/os-specific/linux/criu/default.nix b/pkgs/os-specific/linux/criu/default.nix
index 433cc2c81d7..aacdfc496ee 100644
--- a/pkgs/os-specific/linux/criu/default.nix
+++ b/pkgs/os-specific/linux/criu/default.nix
@@ -21,7 +21,9 @@ stdenv.mkDerivation rec {
 '';
 configurePhase = "make config PREFIX=$out";
- buildPhase = "make PREFIX=$out";
+
+ makeFlags = "PREFIX=$(out)";
+ hardening_stackprotector = false;
 installPhase = ''
 mkdir -p $out/etc/logrotate.d
From 667518fc3bd489841ab0892c53366e2522a851ed Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 10 Feb 2016 23:18:42 +0000
Subject: [PATCH 154/603] detox: turn off format hardening
---
 pkgs/tools/misc/detox/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/tools/misc/detox/default.nix b/pkgs/tools/misc/detox/default.nix
index bdc018aec34..4475010f3b8 100644
--- a/pkgs/tools/misc/detox/default.nix
+++ b/pkgs/tools/misc/detox/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 buildInputs = [flex];
+ hardening_format = false;
+
 meta = with stdenv.lib; {
 homepage = http://detox.sourceforge.net/;
 description = "Utility designed to clean up filenames";
From 1c156b9b59257810c5ef3e6e1448422cfc920705 Mon Sep 17 00:00:00 2001
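Review bot: Besides `hardening_stackprotector = false;`, the criu hunk replaces the explicit `buildPhase = "make PREFIX=$out"` with `makeFlags = "PREFIX=$(out)"`, which changes how the build is driven (the generic buildPhase now has to pick up makeFlags) and is not mentioned in the subject; if intended it should be stated in the message. The `configurePhase` on the line above still passes `PREFIX=$out` in shell form while makeFlags uses make's `$(out)`, and a short comment noting that the two spellings are deliberate (shell-expanded vs. make-expanded) would stop someone later "fixing" one to match the other. The stackprotector disable itself again records no failing component. installPhase continues past the hunk.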
From: Robin Gloster
Date: Wed, 10 Feb 2016 23:25:41 +0000
Subject: [PATCH 155/603] dosbox: turn off format hardening
---
 pkgs/misc/emulators/dosbox/default.nix | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/pkgs/misc/emulators/dosbox/default.nix b/pkgs/misc/emulators/dosbox/default.nix
index 2525cafc28b..bbaa565e352 100644
--- a/pkgs/misc/emulators/dosbox/default.nix
+++ b/pkgs/misc/emulators/dosbox/default.nix
@@ -2,7 +2,7 @@ stdenv.mkDerivation rec {
 name = "dosbox-0.74";
-
+
 src = fetchurl {
 url = "mirror://sourceforge/dosbox/${name}.tar.gz";
 sha256 = "01cfjc5bs08m4w79nbxyv7rnvzq2yckmgrbq36njn06lw8b4kxqk";
@@ -17,9 +17,11 @@ stdenv.mkDerivation rec {
 ];
 patchFlags = "-p0";
-
+
 buildInputs = [ SDL ];
-
+
+ hardening_format = false;
+
 desktopItem = makeDesktopItem {
 name = "dosbox";
 exec = "dosbox";
From b4e77c34e7fba4eafcd07b867528aa1b1c89f5b4 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 10 Feb 2016 23:37:25 +0000
Subject: [PATCH 156/603] foremost: turn off format hardening
---
 pkgs/tools/system/foremost/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/tools/system/foremost/default.nix b/pkgs/tools/system/foremost/default.nix
index cfac8923779..0696af07166 100644
--- a/pkgs/tools/system/foremost/default.nix
+++ b/pkgs/tools/system/foremost/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
 enableParallelBuilding = true;
+ hardening_format = false;
+
 preInstall = ''
 mkdir -p $out/{bin,share/man/man8}
 '';
From 58c571be65c73b20a8afae3d4f5ce3e17f460b3e Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 10 Feb 2016 23:47:59 +0000
Subject: [PATCH 157/603] fox: turn off format hardening
---
 pkgs/development/libraries/fox/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/libraries/fox/default.nix b/pkgs/development/libraries/fox/default.nix
index 2d44444ab40..78b7e9a63fc 100644
--- a/pkgs/development/libraries/fox/default.nix
+++ b/pkgs/development/libraries/fox/default.nix
@@ -18,6 +18,8 @@ stdenv.mkDerivation rec {
 enableParallelBuilding = true;
+ hardening_format = false;
+
 meta = {
 description = "C++ based class library for building Graphical User Interfaces";
 longDescription = ''
From bfb622cfaeb172aeccd8c10cacb9ed8fdfa6254a Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 10 Feb 2016 23:48:11 +0000
Subject: [PATCH 158/603] fox_1_9: turn off format hardening
---
 pkgs/development/libraries/fox/fox-1.6.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/libraries/fox/fox-1.6.nix b/pkgs/development/libraries/fox/fox-1.6.nix
index 3c823adf91b..007609403e2 100644
--- a/pkgs/development/libraries/fox/fox-1.6.nix
+++ b/pkgs/development/libraries/fox/fox-1.6.nix
@@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
 enableParallelBuilding = true;
+ hardening_format = false;
+
 meta = {
 branch = "1.6";
 description = "A C++ based class library for building Graphical User Interfaces";
From 8a018e730f5bbbc1165689fe61e1c4040bf9345f Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 10 Feb 2016 23:56:27 +0000
Subject: [PATCH 159/603] fprint_demo: turn off format hardening
---
 pkgs/tools/security/fprint_demo/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/tools/security/fprint_demo/default.nix b/pkgs/tools/security/fprint_demo/default.nix
index 282c3541dde..273d692ebaa 100644
--- a/pkgs/tools/security/fprint_demo/default.nix
+++ b/pkgs/tools/security/fprint_demo/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 buildInputs = [ libfprint gtk2 ];
 nativeBuildInputs = [ pkgconfig autoreconfHook ];
+ hardening_format = false;
+
 meta = with stdenv.lib; {
 homepage = "http://www.freedesktop.org/wiki/Software/fprint/fprint_demo/";
 description = "A simple GTK+ application to demonstrate and test libfprint's capabilities";
From c648eeda49165e18285880ef01007dcd76d45524 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 11 Feb 2016 00:03:11 +0000
Subject: [PATCH 160/603] libf2c: turn off format hardening
---
 pkgs/development/libraries/libf2c/default.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkgs/development/libraries/libf2c/default.nix b/pkgs/development/libraries/libf2c/default.nix
index 3123bb33d45..8edc53cb7ee 100644
--- a/pkgs/development/libraries/libf2c/default.nix
+++ b/pkgs/development/libraries/libf2c/default.nix
@@ -2,7 +2,7 @@ stdenv.mkDerivation rec {
 name = "libf2c-20100903";
-
+
 src = fetchurl {
 url = http://www.netlib.org/f2c/libf2c.zip;
 sha256 = "1mcp1lh7gay7hm186dr0wvwd2bc05xydhnc1qy3dqs4n3r102g7i";
@@ -24,6 +24,8 @@ stdenv.mkDerivation rec {
 buildInputs = [ unzip ];
+ hardening_format = false;
+
 meta = {
 description = "F2c converts Fortran 77 source code to C";
 homepage = http://www.netlib.org/f2c/;
From f85ec68cc875a56437ed40d06064b68f788a88b5 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 11 Feb 2016 00:21:20 +0000
Subject: [PATCH 161/603] portmidi: turn off format hardening
---
 pkgs/development/libraries/portmidi/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/libraries/portmidi/default.nix b/pkgs/development/libraries/portmidi/default.nix
index 518eeee9253..4b55cffe94f 100644
--- a/pkgs/development/libraries/portmidi/default.nix
+++ b/pkgs/development/libraries/portmidi/default.nix
@@ -46,6 +46,8 @@ stdenv.mkDerivation rec {
 buildInputs = [ unzip cmake /*jdk*/ alsaLib ];
+ hardening_format = false;
+
 meta = {
 homepage = "http://portmedia.sourceforge.net/portmidi/";
 description = "Platform independent library for MIDI I/O";
From bc30a0ee717bdb37a78d49e4e2b2139dfb8b2fce Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 11 Feb 2016 00:25:47 +0000
Subject: [PATCH 162/603] gbdfed: turn off format hardening
---
 pkgs/tools/misc/gbdfed/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/tools/misc/gbdfed/default.nix b/pkgs/tools/misc/gbdfed/default.nix
index 104d3fad8d0..d3b62149bdf 100644
--- a/pkgs/tools/misc/gbdfed/default.nix
+++ b/pkgs/tools/misc/gbdfed/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
 patches = [ ./Makefile.patch ];
+ hardening_format = false;
+
 meta = {
 description = "Bitmap Font Editor";
 longDescription = ''
From fbe6858cd3676fee71f4215c4a61069ba53765ac Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 11 Feb 2016 00:28:00 +0000
Subject: [PATCH 163/603] freewheeling: turn off format hardening
---
 pkgs/applications/audio/freewheeling/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/applications/audio/freewheeling/default.nix b/pkgs/applications/audio/freewheeling/default.nix
index f7330ee12f9..eae7ce390c0 100644
--- a/pkgs/applications/audio/freewheeling/default.nix
+++ b/pkgs/applications/audio/freewheeling/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation {
 patches = [ ./am_path_sdl.patch ./xml.patch ];
+ hardening_format = false;
+
 meta = {
 description = "A live looping instrument with JACK and MIDI support";
 longDescription = ''
From e00052b3347fd19ff5e14409fc1405529e34edd5 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 11 Feb 2016 00:30:51 +0000
Subject: [PATCH 164/603] geoclue: turn off format hardening
---
 pkgs/development/libraries/geoclue/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/libraries/geoclue/default.nix b/pkgs/development/libraries/geoclue/default.nix
index 1b703e2fdba..e8d43e6652f 100644
--- a/pkgs/development/libraries/geoclue/default.nix
+++ b/pkgs/development/libraries/geoclue/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 propagatedBuildInputs = [dbus glib dbus_glib];
+ hardening_format = false;
+
 preConfigure = ''
 sed -e '/-Werror/d' -i configure
 '';
From dbf93c177296aa9545589ae6bd60fcc91f15a810 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 11 Feb 2016 00:36:52 +0000
Subject: [PATCH 165/603] fusesmb: turn off format hardening
---
 pkgs/tools/filesystems/fusesmb/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/tools/filesystems/fusesmb/default.nix b/pkgs/tools/filesystems/fusesmb/default.nix
index 4ddab385a42..c53400e6afd 100644
--- a/pkgs/tools/filesystems/fusesmb/default.nix
+++ b/pkgs/tools/filesystems/fusesmb/default.nix
@@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
 ln -fs ${samba}/lib/libsmbclient.so $out/lib/libsmbclient.so.0
 '';
+ hardening_format = false;
+
 meta = {
 description = "Samba mounted via FUSE";
 homepage = http://www.ricardis.tudelft.nl/~vincent/fusesmb/;
From a9de8d4f18ebe0935041f54047c0f4114ad69248 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 11 Feb 2016 00:43:52 +0000
Subject: [PATCH 166/603] gqview: turn off format hardening
---
 pkgs/applications/graphics/gqview/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/applications/graphics/gqview/default.nix b/pkgs/applications/graphics/gqview/default.nix
index a8132e30c72..ff069d0d972 100644
--- a/pkgs/applications/graphics/gqview/default.nix
+++ b/pkgs/applications/graphics/gqview/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation {
 buildInputs = [pkgconfig gtk libpng];
+ hardening_format = false;
+
 meta = {
 description = "A fast image viewer";
 homepage = http://gqview.sourceforge.net;
From 83e069908ebae7b85a2761786abf7063977017e5 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 11 Feb 2016 00:44:25 +0000
Subject: [PATCH 167/603] ggobi: turn off format hardening
---
 pkgs/tools/graphics/ggobi/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/tools/graphics/ggobi/default.nix b/pkgs/tools/graphics/ggobi/default.nix
index cf2c5598d2a..03326aa4562 100644
--- a/pkgs/tools/graphics/ggobi/default.nix
+++ b/pkgs/tools/graphics/ggobi/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
 configureFlags = "--with-all-plugins";
+ hardening_format = false;
+
 meta = with stdenv.lib; {
 description = "Visualization program for exploring high-dimensional data";
 homepage = http://www.ggobi.org/;
From 4407e5a60cb5747f0ca098d4f0052d080ecdb001 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 11 Feb 2016 00:47:33 +0000
Subject: [PATCH 168/603] grip: turn off format hardening
---
 pkgs/applications/misc/grip/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/applications/misc/grip/default.nix b/pkgs/applications/misc/grip/default.nix
index 39621536e68..86127d56b01 100644
--- a/pkgs/applications/misc/grip/default.nix
+++ b/pkgs/applications/misc/grip/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 buildInputs = [ gtk glib pkgconfig libgnome libgnomeui vte curl cdparanoia libid3tag ncurses libtool ];
+ hardening_format = false;
+
 meta = {
 description = "GTK+-based audio CD player/ripper";
 homepage = "http://nostatic.org/grip";
From 4f681787553278949250a0c1709d965560b61b1c Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 11 Feb 2016 00:57:17 +0000
Subject: [PATCH 169/603] ht: turn off format hardening
---
 pkgs/applications/editors/ht/default.nix | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pkgs/applications/editors/ht/default.nix b/pkgs/applications/editors/ht/default.nix
index b7acdb7f1d5..5ddcf34995f 100644
--- a/pkgs/applications/editors/ht/default.nix
+++ b/pkgs/applications/editors/ht/default.nix
@@ -3,13 +3,18 @@ stdenv.mkDerivation rec {
 name = "ht-${version}";
 version = "2.1.0";
+
 src = fetchurl {
 url = "http://sourceforge.net/projects/hte/files/ht-source/ht-${version}.tar.bz2";
 sha256 = "0w2xnw3z9ws9qrdpb80q55h6ynhh3aziixcfn45x91bzrbifix9i";
 };
+
 buildInputs = [ ncurses ];
+
+ hardening_format = false;
+
 meta = with lib; {
 description = "File editor/viewer/analyzer for executables";
 homepage = "http://hte.sourceforge.net";
From d287f926bd79288494ff2f336fc5f46977203a73 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 11 Feb 2016 01:00:03 +0000
Subject: [PATCH 170/603] mp4v2: turn off format hardening
---
 pkgs/development/libraries/mp4v2/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/libraries/mp4v2/default.nix b/pkgs/development/libraries/mp4v2/default.nix
index 06e8c8e5ac3..5281ab2c480 100644
--- a/pkgs/development/libraries/mp4v2/default.nix
+++ b/pkgs/development/libraries/mp4v2/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation rec {
 # `faac' expects `mp4.h'.
 postInstall = "ln -s mp4v2/mp4v2.h $out/include/mp4.h";
+ hardening_format = false;
+
 meta = {
 homepage = http://code.google.com/p/mp4v2;
 maintainers = [ stdenv.lib.maintainers.urkud ];
From 4807ecdef060cbb4475a7a92288491537921bc4a Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 11 Feb 2016 01:02:32 +0000
Subject: [PATCH 171/603] ifenslave: turn off format hardening
---
 pkgs/os-specific/linux/ifenslave/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/os-specific/linux/ifenslave/default.nix b/pkgs/os-specific/linux/ifenslave/default.nix
index d8985003b41..a5cd2411819 100644
--- a/pkgs/os-specific/linux/ifenslave/default.nix
+++ b/pkgs/os-specific/linux/ifenslave/default.nix
@@ -18,6 +18,8 @@ stdenv.mkDerivation rec {
 cp -a ifenslave $out/bin
 '';
+ hardening_format = false;
+
 meta = {
 description = "Utility for enslaving networking interfaces under a bond";
 license = stdenv.lib.licenses.gpl2;
From a333a7910cf7e0a6445cce31320581da33564777 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 11 Feb 2016 01:02:46 +0000
Subject: [PATCH 172/603] tidyp: turn off format hardening
---
 pkgs/development/libraries/tidyp/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/libraries/tidyp/default.nix b/pkgs/development/libraries/tidyp/default.nix
index fee74f3d6f9..818029dbb24 100644
--- a/pkgs/development/libraries/tidyp/default.nix
+++ b/pkgs/development/libraries/tidyp/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
 sha256 = "0f5ky0ih4vap9c6j312jn73vn8m2bj69pl2yd3a5nmv35k9zmc10";
 };
+ hardening_format = false;
+
 meta = with stdenv.lib; {
 description = "A program that can validate your HTML, as well as modify it to be more clean and standard";
 homepage = http://tidyp.com/;
From 4b127d9f9dd5f3edd37d619a0e1454b40a9ff69e Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 11 Feb 2016 01:04:42 +0000
Subject: [PATCH 173/603] iptraf-ng: turn off format hardening
---
 pkgs/applications/networking/iptraf-ng/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/applications/networking/iptraf-ng/default.nix b/pkgs/applications/networking/iptraf-ng/default.nix
index 368d78a36f9..8084d5133f1 100644
--- a/pkgs/applications/networking/iptraf-ng/default.nix
+++ b/pkgs/applications/networking/iptraf-ng/default.nix
@@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
 --localstatedir=$out/var --sbindir=$out/bin
 '';
+ hardening_format = false;
+
 meta = {
 description = "A console-based network monitoring utility (fork of iptraf)";
 longDescription = ''
From 76ee9e0f467471a090aa6a5400d5a49dd9182747 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 11 Feb 2016 01:09:53 +0000
Subject: [PATCH 174/603] jack_capture: turn off format hardening
---
 pkgs/applications/audio/jack-capture/default.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkgs/applications/audio/jack-capture/default.nix b/pkgs/applications/audio/jack-capture/default.nix
index ef6d13e5696..7a5095f3788 100644
--- a/pkgs/applications/audio/jack-capture/default.nix
+++ b/pkgs/applications/audio/jack-capture/default.nix
@@ -18,7 +18,9 @@ stdenv.mkDerivation rec {
 cp jack_capture $out/bin/
 '';
- meta = with stdenv.lib; {
+ hardening_format = false;
+
+ meta = with stdenv.lib; {
 description = "A program for recording soundfiles with jack";
 homepage = http://archive.notam02.no/arkiv/src;
 license = licenses.gpl2;
From 7517563efb783ae05c846d5266d08294d22b91c9 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 11 Feb 2016 01:35:33 +0000
Subject: [PATCH 175/603] k2pdfopt: turn off format hardening
---
 pkgs/applications/misc/k2pdfopt/default.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkgs/applications/misc/k2pdfopt/default.nix b/pkgs/applications/misc/k2pdfopt/default.nix
index ce57db371dd..dac597fe67c 100644
--- a/pkgs/applications/misc/k2pdfopt/default.nix
+++ b/pkgs/applications/misc/k2pdfopt/default.nix
@@ -31,6 +31,8 @@ in stdenv.mkDerivation rec {
 openjpeg freetype jbig2dec djvulibre openssl ];
 NIX_LDFLAGS = "-lX11 -lXext";
+ hardening_format = false;
+
 k2_pa = ./k2pdfopt.patch;
 tess_pa = ./tesseract.patch;
@@ -96,7 +98,7 @@ in stdenv.mkDerivation rec {
 -ljbig2dec -ljpeg -lopenjp2 -lpng -lfreetype -lpthread -lmujs \
 -lPgm2asc -llept -ltesseract -lcrypto
- mkdir -p $out/bin
+ mkdir -p $out/bin
 cp k2pdfopt $out/bin
 '';
From 8e2adea08a19b30c932026e48222e6beeca21ac8 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 11 Feb 2016 01:35:53 +0000
Subject: [PATCH 176/603] gdal: turn off format hardening
---
 pkgs/development/libraries/gdal/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/libraries/gdal/default.nix b/pkgs/development/libraries/gdal/default.nix
index 8cf84eb08c3..582ab53800e 100644
--- a/pkgs/development/libraries/gdal/default.nix
+++ b/pkgs/development/libraries/gdal/default.nix
@@ -14,6 +14,8 @@ composableDerivation.composableDerivation {} (fixed: rec {
 buildInputs = [ unzip libjpeg libtiff libpng proj openssl ] ++ (with pythonPackages; [ python numpy wrapPython ]);
+ hardening_format = false;
+
 patches = [
 # This ensures that the python package is installed into gdal's prefix,
 # rather than trying to install into python's prefix.
From 2220f46e20e3be7d13ea701325e2834c1130485e Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 11 Feb 2016 01:36:07 +0000
Subject: [PATCH 177/603] qtscriptgenerator: turn off format hardening
---
 .../libraries/qtscriptgenerator/default.nix | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/pkgs/development/libraries/qtscriptgenerator/default.nix b/pkgs/development/libraries/qtscriptgenerator/default.nix
index b8ed81de487..de87c6b73c6 100644
--- a/pkgs/development/libraries/qtscriptgenerator/default.nix
+++ b/pkgs/development/libraries/qtscriptgenerator/default.nix
@@ -9,13 +9,13 @@ stdenv.mkDerivation {
 buildInputs = [ qt4 ];
 patches = [ ./qtscriptgenerator.gcc-4.4.patch ./qt-4.8.patch ];
-
+
 # Why isn't the author providing proper Makefile or a CMakeLists.txt ?
 buildPhase = ''
 # remove phonon stuff which causes errors (thanks to Gentoo bug reports)
 sed -i "/typesystem_phonon.xml/d" generator/generator.qrc
- sed -i "/qtscript_phonon/d" qtbindings/qtbindings.pro
-
+ sed -i "/qtscript_phonon/d" qtbindings/qtbindings.pro
+
 cd generator
 qmake
 make
@@ -25,13 +25,15 @@ stdenv.mkDerivation {
 qmake
 make
 '';
-
+
 installPhase = ''
 cd ..
 mkdir -p $out/lib/qt4/plugins/script
 cp -av plugins/script/* $out/lib/qt4/plugins/script
 '';
+ hardening_format = false;
+
 meta = {
 description = "QtScript bindings generator";
 homepage = http://code.google.com/p/qtscriptgenerator/;
From fc71f3f5706a64b676b137256079bc32cb325db5 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 11 Feb 2016 01:38:14 +0000
Subject: [PATCH 178/603] freeswitch: turn off format hardening
---
 pkgs/servers/sip/freeswitch/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/servers/sip/freeswitch/default.nix b/pkgs/servers/sip/freeswitch/default.nix
index efa70875549..cb77ebd9c89 100644
--- a/pkgs/servers/sip/freeswitch/default.nix
+++ b/pkgs/servers/sip/freeswitch/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = "-Wno-error=cpp"; + hardening_format = false; + meta = { description = "Cross-Platform Scalable FREE Multi-Protocol Soft Switch"; homepage = http://freeswitch.org/; From a53bd9daa889bb5b16561462acf5e761e7b358f1 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 11 Feb 2016 01:44:23 +0000 Subject: [PATCH 179/603] xen: turn off pic hardening --- pkgs/applications/virtualization/xen/generic.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix index e7b34be74be..0a3bd3898c2 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic.nix @@ -77,6 +77,7 @@ stdenv.mkDerivation { hardening_stackprotector = false; hardening_fortify = false; + hardening_pic = false; patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches; From 162982544a672e7389faadfcff871569954c612c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 00:40:58 +0000 Subject: [PATCH 180/603] dhcpdump: turn off fortify hardening --- pkgs/tools/networking/dhcpdump/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/networking/dhcpdump/default.nix b/pkgs/tools/networking/dhcpdump/default.nix index 778cfc3b5ed..915562bd779 100644 --- a/pkgs/tools/networking/dhcpdump/default.nix +++ b/pkgs/tools/networking/dhcpdump/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [libpcap perl]; + hardening_fortify = false; + installPhase = '' mkdir -pv $out/bin cp dhcpdump $out/bin From 3dff59b81884072efb29e7176ed9dd275ca69cdb Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 00:48:14 +0000 Subject: [PATCH 181/603] dietlibc: turn off stackprotector hardening --- pkgs/os-specific/linux/dietlibc/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
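Review bot: `hardening_pic = false;` joins two already-disabled hardening flags in xen/generic.nix without a comment on why, and the identical unexplained line is repeated in every out-of-tree kernel-module package later in the series (syslinux, bbswitch, accelio, lttng-modules, netatop, rtl8812au, tp_smapi, openafs-client, sysdig, blcr, phc-intel). If the reason is the same for all of them — presumably the kernel build does not accept `-fPIC` objects — it belongs in one place, a comment at the first occurrence or a shared helper for kernel-module derivations, rather than a dozen copies that will drift. At minimum add `# kernel modules are not built as PIC` beside the line. The enclosing `stdenv.mkDerivation` body starts and ends outside the hunk.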
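Review bot: `hardening_fortify = false;` in dhcpdump removes the FORTIFY_SOURCE bounds checks (presumably what the flag controls) from a tool that, going by its name and its `libpcap` dependency, parses packets captured off the wire, which is exactly where those checks earn their keep. The commit gives no failing call or build log, so a reader cannot judge whether a small source patch would have kept the protection; the later graphviz and dvdisaster fortify hunks have the same gap. Add a comment naming the failure, e.g. `# FIXME: does not build with FORTIFY_SOURCE enabled, see <build log placeholder>`, so the exception can be revisited after the next upstream update.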
diff --git a/pkgs/os-specific/linux/dietlibc/default.nix b/pkgs/os-specific/linux/dietlibc/default.nix index b795cb60da6..3d206cb5f77 100644 --- a/pkgs/os-specific/linux/dietlibc/default.nix +++ b/pkgs/os-specific/linux/dietlibc/default.nix @@ -9,9 +9,10 @@ stdenv.mkDerivation { md5 = "2465d652fff6f1fad3da3b98e60e83c9"; }; builder = ./builder.sh; - + inherit glibc; kernelHeaders = glibc.kernelHeaders; + hardening_stackprotector = false; patches = [ From d0c38a0cef9faf2d47492286f1997848a6b9db59 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 01:01:37 +0000 Subject: [PATCH 182/603] ecl: turn off format hardening --- pkgs/development/compilers/ecl/default.nix | 50 +++++++++++----------- 1 file changed, 24 insertions(+), 26 deletions(-) diff --git a/pkgs/development/compilers/ecl/default.nix b/pkgs/development/compilers/ecl/default.nix index f863565ab07..bd99335192b 100644 --- a/pkgs/development/compilers/ecl/default.nix +++ b/pkgs/development/compilers/ecl/default.nix 
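Review bot: `hardening_stackprotector = false;` is added to dietlibc with no explanation, and since this is a libc the likely reason is that the stack-protector runtime (`__stack_chk_fail` and the canary setup) is what dietlibc itself provides, so it cannot be compiled with the protector on — if that is the case, say so: `# dietlibc provides the stack-protector runtime; cannot be built with -fstack-protector`. The later klibc hunk and the v86d hunk (configured `--with-klibc`) look like the same situation and would benefit from the same comment. The trailing-whitespace change on the blank line is unrelated to the commit's purpose.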
@@ -1,47 +1,45 @@ {stdenv, fetchurl , libtool, autoconf, automake , gmp, mpfr, libffi -, noUnicode ? false, +, noUnicode ? false, }: + let - s = # Generated upstream information - rec { - baseName="ecl"; - version="16.0.0"; - name="${baseName}-${version}"; - hash="0czh78z9i5b7jc241mq1h1gdscvdw5fbhfb0g9sn4rchwk1x8gil"; - url="https://common-lisp.net/project/ecl/files/ecl-16.0.0.tgz"; - sha256="0czh78z9i5b7jc241mq1h1gdscvdw5fbhfb0g9sn4rchwk1x8gil"; - }; - buildInputs = [ - libtool autoconf automake - ]; - propagatedBuildInputs = [ - libffi gmp mpfr - ]; + baseName = "ecl"; + version = "16.0.0"; in stdenv.mkDerivation { - inherit (s) name version; - inherit buildInputs propagatedBuildInputs; + name = "${baseName}-${version}"; + inherit version; + src = fetchurl { - inherit (s) url sha256; + url = "https://common-lisp.net/project/ecl/files/ecl-16.0.0.tgz"; + sha256 = "0czh78z9i5b7jc241mq1h1gdscvdw5fbhfb0g9sn4rchwk1x8gil"; }; + configureFlags = [ "--enable-threads" "--with-gmp-prefix=${gmp}" "--with-libffi-prefix=${libffi}" - ] - ++ - (stdenv.lib.optional (! noUnicode) - "--enable-unicode") - ; + ] ++ (stdenv.lib.optional (!noUnicode) "--enable-unicode"); + + buildInputs = [ + libtool autoconf automake + ]; + + propagatedBuildInputs = [ + libffi gmp mpfr + ]; + + hardening_format = false; + postInstall = '' sed -e 's/@[-a-zA-Z_]*@//g' -i $out/bin/ecl-config ''; + meta = { - inherit (s) version; description = "Lisp implementation aiming to be small, fast and easy to embed"; - license = stdenv.lib.licenses.mit ; + license = stdenv.lib.licenses.mit; maintainers = [stdenv.lib.maintainers.raskin]; platforms = stdenv.lib.platforms.linux; }; From 40b7aa3d695f5ba4b29edb1bc85d27a08cfd798b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 01:04:15 +0000 Subject: [PATCH 183/603] erlangR14: turn off format hardening --- pkgs/development/interpreters/erlang/R14.nix | 2 ++ 1 file changed, 2 insertions(+) 
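Review bot: The single `hardening_format = false;` this commit is titled for is buried in a rewrite of the whole ecl expression (24 insertions, 26 deletions) that also drops the generated `s` attribute set, its apparently unused `hash` field and the `inherit (s) version` in `meta`, none of which the message mentions. Splitting the restructuring from the hardening exception would make each reviewable and bisectable on its own; the sysdig hunk later in the series mixes the two in the same way. The `hardening_format = false;` line itself still needs a comment on which build failure it avoids.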
diff --git a/pkgs/development/interpreters/erlang/R14.nix b/pkgs/development/interpreters/erlang/R14.nix index 773ad698629..e77300c0f84 100644 --- a/pkgs/development/interpreters/erlang/R14.nix +++ b/pkgs/development/interpreters/erlang/R14.nix @@ -22,6 +22,8 @@ stdenv.mkDerivation { configureFlags = "--with-ssl=${openssl}"; + hardening_format = false; + postInstall = let manpages = fetchurl { url = "http://www.erlang.org/download/otp_doc_man_R${version}.tar.gz"; From dcc046f5c76029640b8184774b55671d20021686 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 01:10:08 +0000 Subject: [PATCH 184/603] gdal_1_11: turn off format hardening --- pkgs/development/libraries/gdal/gdal-1_11.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/gdal/gdal-1_11.nix b/pkgs/development/libraries/gdal/gdal-1_11.nix index 0e4b4d03541..4c6ec24a16c 100644 --- a/pkgs/development/libraries/gdal/gdal-1_11.nix +++ b/pkgs/development/libraries/gdal/gdal-1_11.nix @@ -19,6 +19,8 @@ composableDerivation.composableDerivation {} (fixed: rec { ./python.patch ]; + hardening_format = false; + # Don't use optimization for gcc >= 4.3. That's said to be causing segfaults. # Unset CC and CXX as they confuse libtool. preConfigure = "export CFLAGS=-O0 CXXFLAGS=-O0; unset CC CXX"; From 7f4f7fbb93028d49159c48023cc128dad31de6b5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 01:16:19 +0000 Subject: [PATCH 185/603] gnat: turn off some hardening --- pkgs/development/compilers/gcc/4.5/default.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix index 69c4db63e5b..f3c3de3950f 100644 --- a/pkgs/development/compilers/gcc/4.5/default.nix +++ b/pkgs/development/compilers/gcc/4.5/default.nix 
@@ -135,6 +135,10 @@ stdenv.mkDerivation ({ }; hardening_format = false; + hardening_relro = name != "gnat"; + hardening_bindnow = name != "gnat"; + hardening_stackprotector = name != "gnat"; + hardening_strictoverflow = name != "gnat"; patches = [ ] @@ -209,7 +213,7 @@ stdenv.mkDerivation ({ nativeBuildInputs = [ texinfo which ] ++ optional (perl != null) perl; - + buildInputs = [ gmp mpfr libmpc libelf gettext ] ++ (optional (ppl != null) ppl) ++ (optional (cloogppl != null) cloogppl) From 071bdd46396b52859bdb8b7e5975932a4cad9831 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 01:25:17 +0000 Subject: [PATCH 186/603] graphviz: turn off fortify hardening --- pkgs/tools/graphics/graphviz/2.32.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/graphics/graphviz/2.32.nix b/pkgs/tools/graphics/graphviz/2.32.nix index 2743bd78aa7..7f11f076dcc 100644 --- a/pkgs/tools/graphics/graphviz/2.32.nix +++ b/pkgs/tools/graphics/graphviz/2.32.nix @@ -31,6 +31,8 @@ stdenv.mkDerivation rec { ] ++ stdenv.lib.optional (xorg == null) "--without-x"; + hardening_fortify = false; + preBuild = '' sed -e 's@am__append_5 *=.*@am_append_5 =@' -i lib/gvc/Makefile ''; From 3c4729e980032d6aa53eaae3fecd3ede79d12e3d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 01:35:37 +0000 Subject: [PATCH 187/603] kde4.qtruby: pin to ruby_2_2 --- pkgs/desktops/kde-4.14/kdebindings/qtruby.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix index 03e9dc9a007..c80bd67f404 100644 --- a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix +++ b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix 
@@ -1,18 +1,20 @@ -{ kde, cmake, smokeqt, ruby }: +{ kde, cmake, smokeqt, ruby_2_2 }: kde { # TODO: scintilla2, qwt5 - buildInputs = [ smokeqt ruby ]; + buildInputs = [ smokeqt ruby_2_2 ]; nativeBuildInputs = [ cmake ]; + hardening_all = false; + # The patch is not ready for upstream submmission. # I should add an option() instead. patches = [ ./qtruby-install-prefix.patch ]; - cmakeFlags="-DRUBY_ROOT_DIR=${ruby}"; + cmakeFlags="-DRUBY_ROOT_DIR=${ruby_2_2}"; meta = { description = "Ruby bindings for Qt library"; From d8f3d2ede1ee789c4277257bc0d099b781aa35a8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 01:41:52 +0000 Subject: [PATCH 188/603] syslinux: turn off stackprotector/pic hardening --- pkgs/os-specific/linux/syslinux/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/syslinux/default.nix b/pkgs/os-specific/linux/syslinux/default.nix index c051aac4312..3ace0f5c5ed 100644 --- a/pkgs/os-specific/linux/syslinux/default.nix +++ b/pkgs/os-specific/linux/syslinux/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation rec { buildInputs = [ libuuid makeWrapper ]; enableParallelBuilding = false; # Fails very rarely with 'No rule to make target: ...' + hardening_stackprotector = false; + hardening_pic = false; preBuild = '' substituteInPlace Makefile --replace /bin/pwd $(type -P pwd) From c72652baee8f73c50652c9f0cd8d590702950134 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 02:12:16 +0000 Subject: [PATCH 189/603] dvdisaster: turn off fortify hardening --- pkgs/tools/cd-dvd/dvdisaster/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/cd-dvd/dvdisaster/default.nix b/pkgs/tools/cd-dvd/dvdisaster/default.nix index 7cb1bf7506d..38e86c8ff1f 100644 --- a/pkgs/tools/cd-dvd/dvdisaster/default.nix +++ b/pkgs/tools/cd-dvd/dvdisaster/default.nix 
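Review bot: `hardening_all = false;` switches off every hardening flag for qtruby, yet the commit is titled "pin to ruby_2_2" and neither the message nor the code says why the hardening had to go, so a reader cannot tell whether this is a side effect of the ruby pin or an unrelated build failure. Turning off all flags is the broadest exception available; if a single flag breaks the build, as the rest of this series handles per flag, disable only that one and note it, e.g. `hardening_format = false; # <reason placeholder>`. Otherwise the hardening change should at least appear in the commit message.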
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec { sha256 = "0f8gjnia2fxcbmhl8b3qkr5b7idl8m855dw7xw2fnmbqwvcm6k4w"; }; + hardening_fortify = false; + nativeBuildInputs = [ gettext pkgconfig which ]; buildInputs = [ glib gtk2 ]; From c3a98e7521f2afd8e10ccee0716bd23ce86966d3 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 02:14:52 +0000 Subject: [PATCH 190/603] linuxPackages.bbswitch: turn off pic hardening --- pkgs/os-specific/linux/bbswitch/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/bbswitch/default.nix b/pkgs/os-specific/linux/bbswitch/default.nix index ec1e5f2e20b..2c91bfbd10f 100644 --- a/pkgs/os-specific/linux/bbswitch/default.nix +++ b/pkgs/os-specific/linux/bbswitch/default.nix @@ -20,6 +20,8 @@ stdenv.mkDerivation { sha256 = "1lbr6pyyby4k9rn2ry5qc38kc738d0442jhhq57vmdjb6hxjya7m"; }) ]; + hardening_pic = false; + preBuild = '' substituteInPlace Makefile \ --replace "\$(shell uname -r)" "${kernel.modDirVersion}" \ From 77c020f754b66f31e2e68e584aa2bb6d8617e1af Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 02:21:37 +0000 Subject: [PATCH 191/603] linuxPackages.accelio: turn off pic/format hardening --- pkgs/development/libraries/accelio/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/development/libraries/accelio/default.nix b/pkgs/development/libraries/accelio/default.nix index 637976977b1..9ca9db1e451 100644 --- a/pkgs/development/libraries/accelio/default.nix +++ b/pkgs/development/libraries/accelio/default.nix @@ -15,6 +15,9 @@ stdenv.mkDerivation rec { sha256 = "172frqk2n43g0arhazgcwfvj0syf861vdzdpxl7idr142bb0ykf7"; }; + hardening_pic = false; + hardening_format = false; + patches = [ ./fix-printfs.patch ]; postPatch = '' From 3acfaa6716561160ac7d50ec9b297a77c3a5be6f Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 12 Feb 2016 02:25:57 +0000 Subject: [PATCH 192/603] linuxPackages.lttng-modules: turn off pic hardening --- pkgs/os-specific/linux/lttng-modules/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/lttng-modules/default.nix b/pkgs/os-specific/linux/lttng-modules/default.nix index dc21176fa3c..f6a5e30afa0 100644 --- a/pkgs/os-specific/linux/lttng-modules/default.nix +++ b/pkgs/os-specific/linux/lttng-modules/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "0sk7cyjf5ylmxqrrrz5zmmw4c0dmxh1f98aj870gmcnxfa76y4mx"; }; + hardening_pic = false; + preConfigure = '' export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" export INSTALL_MOD_PATH="$out" From d04b9381cc21152002f60edef8bef391eec994ff Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 02:46:35 +0000 Subject: [PATCH 193/603] linuxPackages.netatop: turn off pic hardening --- pkgs/os-specific/linux/netatop/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/netatop/default.nix b/pkgs/os-specific/linux/netatop/default.nix index 1e74cd94c55..e95cd4e133c 100644 --- a/pkgs/os-specific/linux/netatop/default.nix +++ b/pkgs/os-specific/linux/netatop/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation { buildInputs = [ zlib ]; + hardening_pic = false; + preConfigure = '' patchShebangs mkversion sed -i -e 's,^KERNDIR.*,KERNDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build,' \ From 72a9d9a4a7aa6ea26a41bb049524349cd0a498d0 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 02:48:09 +0000 Subject: [PATCH 194/603] plotutils: turn off format hardening --- pkgs/tools/graphics/plotutils/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/graphics/plotutils/default.nix b/pkgs/tools/graphics/plotutils/default.nix index 6a7a6745c87..dc145a0d862 100644 --- a/pkgs/tools/graphics/plotutils/default.nix 
+++ b/pkgs/tools/graphics/plotutils/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { configureFlags = "--enable-libplotter"; # required for pstoedit + hardening_format = false; + doCheck = true; meta = { From b73c8a5d91d9d3a17afe389f5632468b406c05e0 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 02:51:04 +0000 Subject: [PATCH 195/603] linuxPackages.rtl8812au: turn off pic hardening --- pkgs/os-specific/linux/rtl8812au/default.nix | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/pkgs/os-specific/linux/rtl8812au/default.nix b/pkgs/os-specific/linux/rtl8812au/default.nix index a16e102bc08..64c0c9fea5c 100644 --- a/pkgs/os-specific/linux/rtl8812au/default.nix +++ b/pkgs/os-specific/linux/rtl8812au/default.nix @@ -3,29 +3,31 @@ stdenv.mkDerivation rec { name = "rtl8812au-${kernel.version}-${version}"; version = "4.2.2-1"; - + src = fetchFromGitHub { owner = "csssuf"; repo = "rtl8812au"; rev = "874906aec694c800bfc29b146737b88dae767832"; sha256 = "14ifhplawipfd6971mxw76dv3ygwc0n8sbz2l3f0vvkin6x88bsj"; }; - + + hardening_pic = false; + patchPhase = '' substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/" substituteInPlace ./Makefile --replace '$(shell uname -r)' "${kernel.modDirVersion}" substituteInPlace ./Makefile --replace /sbin/depmod # substituteInPlace ./Makefile --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/" ''; - + preInstall = '' mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/" ''; - + meta = { description = "Driver for Realtek 802.11ac, rtl8812au, provides the 8812au mod."; homepage = "https://github.com/csssuf/rtl8812au"; license = stdenv.lib.licenses.gpl2; platforms = [ "x86_64-linux" "i686-linux" ]; }; -} \ No newline at end of file +} From 3ddb973b484cfc988357cceb8a018b347a53680d Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 12 Feb 2016 02:53:32 +0000 Subject: [PATCH 196/603] linuxPackages.tp_smapi: turn off pic hardening --- pkgs/os-specific/linux/tp_smapi/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/tp_smapi/default.nix b/pkgs/os-specific/linux/tp_smapi/default.nix index 40d9e7c1068..116a0344450 100644 --- a/pkgs/os-specific/linux/tp_smapi/default.nix +++ b/pkgs/os-specific/linux/tp_smapi/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation { sha256 = "6aef02b92d10360ac9be0db29ae390636be55017990063a092a285c70b54e666"; }; + hardening_pic = false; + makeFlags = [ "KBASE=${kernel.dev}/lib/modules/${kernel.modDirVersion}" "SHELL=/bin/sh" From 5c297e8b5a9c748e2b8387391607d5de5f28141e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 02:53:54 +0000 Subject: [PATCH 197/603] linuxPackages.openafs-client: turn off pic hardening --- pkgs/servers/openafs-client/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/openafs-client/default.nix b/pkgs/servers/openafs-client/default.nix index 5d8e255f47f..1ff9b79e383 100644 --- a/pkgs/servers/openafs-client/default.nix +++ b/pkgs/servers/openafs-client/default.nix @@ -23,6 +23,8 @@ stdenv.mkDerivation { buildInputs = [ autoconf automake flex yacc ncurses perl which ]; + hardening_pic = false; + preConfigure = '' ln -s "${kernel.dev}/lib/modules/"*/build $TMP/linux From e3a4f0920f1c22c8381a1be76b2a3cdca0f649a2 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 02:58:58 +0000 Subject: [PATCH 198/603] linuxPackages.klib: turn off format/stackprotector hardening --- pkgs/os-specific/linux/klibc/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/os-specific/linux/klibc/default.nix b/pkgs/os-specific/linux/klibc/default.nix index b948dbff2c1..b05b0dc4463 100644 --- a/pkgs/os-specific/linux/klibc/default.nix +++ b/pkgs/os-specific/linux/klibc/default.nix 
@@ -21,6 +21,9 @@ stdenv.mkDerivation { nativeBuildInputs = [ perl ]; + hardening_format = false; + hardening_stackprotector = false; + makeFlags = commonMakeFlags ++ [ "KLIBCARCH=${stdenv.platform.kernelArch}" "KLIBCKERNELSRC=${kernelHeaders}" From 7854ca7170b1eaa6eaa5668c197fbd25568d2b32 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 03:00:35 +0000 Subject: [PATCH 199/603] linuxPackages.sysdig: turn off pic hardening --- pkgs/os-specific/linux/sysdig/default.nix | 28 +++++++++++------------ 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/pkgs/os-specific/linux/sysdig/default.nix b/pkgs/os-specific/linux/sysdig/default.nix index 62e2a48adc9..0316d9b0967 100644 --- a/pkgs/os-specific/linux/sysdig/default.nix +++ b/pkgs/os-specific/linux/sysdig/default.nix @@ -1,32 +1,33 @@ {stdenv, fetchurl, cmake, luajit, kernel, zlib, ncurses, perl, jsoncpp, libb64, openssl, curl}: let inherit (stdenv.lib) optional optionalString; - s = rec { - baseName="sysdig"; - version = "0.6.0"; - name="${baseName}-${version}"; - url="https://github.com/draios/sysdig/archive/${version}.tar.gz"; + baseName = "sysdig"; + version = "0.6.0"; +in +stdenv.mkDerivation { + name="${baseName}-${version}"; + + src = fetchurl { + url = "https://github.com/draios/sysdig/archive/${version}.tar.gz"; sha256 = "0729mjs9gpd7kb495q80zlp23zczm8ka3xcq4571c0sm732sa3g3"; }; + buildInputs = [ cmake zlib luajit ncurses perl jsoncpp libb64 openssl curl ]; -in -stdenv.mkDerivation { - inherit (s) name version; - inherit buildInputs; - src = fetchurl { - inherit (s) url sha256; - }; + + hardening_pic = false; cmakeFlags = [ "-DUSE_BUNDLED_DEPS=OFF" ] ++ optional (kernel == null) "-DBUILD_DRIVER=OFF"; + preConfigure = '' export INSTALL_MOD_PATH="$out" '' + optionalString (kernel != null) '' export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ''; + postInstall = optionalString (kernel != null) '' make install_driver kernel_dev=${kernel.dev} 
@@ -36,8 +37,7 @@ stdenv.mkDerivation { ''; meta = with stdenv.lib; { - inherit (s) version; - description = ''A tracepoint-based system tracing tool for Linux (with clients for other OSes)''; + description = "A tracepoint-based system tracing tool for Linux (with clients for other OSes)"; license = licenses.gpl2; maintainers = [maintainers.raskin]; platforms = platforms.linux ++ platforms.darwin; From 4c30616dc342b832098d1bb5a3c1accc7fe47520 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 03:01:00 +0000 Subject: [PATCH 200/603] linuxPackages.v86d: turn off stackprotector hardening --- pkgs/os-specific/linux/v86d/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/v86d/default.nix b/pkgs/os-specific/linux/v86d/default.nix index 0ef992a4b44..17255aa1283 100644 --- a/pkgs/os-specific/linux/v86d/default.nix +++ b/pkgs/os-specific/linux/v86d/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation rec { configureFlags = [ "--with-klibc" "--with-x86emu" ]; + hardening_stackprotector = false; + makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source" "DESTDIR=$(out)" From 7d86b0331110886a6fb8a280b3a6c890a9a25a9a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 03:50:09 +0000 Subject: [PATCH 201/603] leafpad: turn off format hardening --- pkgs/applications/editors/leafpad/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/editors/leafpad/default.nix b/pkgs/applications/editors/leafpad/default.nix index fc35a993bad..f3755db448c 100644 --- a/pkgs/applications/editors/leafpad/default.nix +++ b/pkgs/applications/editors/leafpad/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ intltool pkgconfig gtk ]; + hardening_format = false; + configureFlags = [ "--enable-chooser" ]; From 5e9df54d194f11da1616e80dc0a1dbd454e870de Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 12 Feb 2016 03:50:20 +0000 Subject: [PATCH 202/603] gnat: turn off all hardening --- pkgs/development/compilers/gcc/4.5/default.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix index f3c3de3950f..2493593f357 100644 --- a/pkgs/development/compilers/gcc/4.5/default.nix +++ b/pkgs/development/compilers/gcc/4.5/default.nix @@ -135,10 +135,7 @@ stdenv.mkDerivation ({ }; hardening_format = false; - hardening_relro = name != "gnat"; - hardening_bindnow = name != "gnat"; - hardening_stackprotector = name != "gnat"; - hardening_strictoverflow = name != "gnat"; + hardening_all = name != "gnat"; patches = [ ] From 322e086e4d1d11804b8a2a6b986caf0fc0537db6 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 03:55:41 +0000 Subject: [PATCH 203/603] linuxPackages.blcr: turn off pic hardening --- pkgs/os-specific/linux/blcr/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/blcr/default.nix b/pkgs/os-specific/linux/blcr/default.nix index bc7523858fe..78a576234ac 100644 --- a/pkgs/os-specific/linux/blcr/default.nix +++ b/pkgs/os-specific/linux/blcr/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation { buildInputs = [ perl makeWrapper ]; + hardening_pic = false; + preConfigure = '' configureFlagsArray=( --with-linux=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build @@ -33,7 +35,7 @@ stdenv.mkDerivation { wrapProgram "$prog" --prefix LD_LIBRARY_PATH ":" "$out/lib" done ''; - + meta = { description = "Berkeley Lab Checkpoint/Restart for Linux (BLCR)"; homepage = https://ftg.lbl.gov/projects/CheckpointRestart/; From f1e4a8c966bb492b0fadc04215bdfc7207c04a18 Mon Sep 17 00:00:00 2001 
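Review bot: `hardening_all = name != "gnat";` now sits directly below `hardening_format = false;`, and from this hunk it is not clear how the stdenv adapter (outside this chunk) combines a master switch with a per-flag setting: if `hardening_all = true` for the non-gnat builds takes precedence, this silently re-enables format hardening for gcc 4.5, which the message does not intend; if the per-flag value wins, the previous commit's four explicit flags were a more readable statement of what gnat cannot build with. Confirm the precedence and record the outcome next to the line, e.g. `# gnat does not build with any hardening flag; hardening_format above stays off for the other front ends`.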
From: Robin Gloster Date: Fri, 12 Feb 2016 03:56:06 +0000 Subject: [PATCH 204/603] linuxPackages.phc-intel: turn off pic hardening --- pkgs/os-specific/linux/phc-intel/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/phc-intel/default.nix b/pkgs/os-specific/linux/phc-intel/default.nix index 2b86238b2df..56ff6c473b4 100644 --- a/pkgs/os-specific/linux/phc-intel/default.nix +++ b/pkgs/os-specific/linux/phc-intel/default.nix @@ -21,6 +21,8 @@ in stdenv.mkDerivation rec { buildInputs = [ which ]; + hardening_pic = false; + makeFlags = with kernel; [ "DESTDIR=$(out)" "KERNELSRC=${dev}/lib/modules/${modDirVersion}/build" From 6e13bcd43614c36818723136893dcbcf348f6547 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 03:58:23 +0000 Subject: [PATCH 205/603] liquidwar: turn off format hardening --- pkgs/games/liquidwar/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/games/liquidwar/default.nix b/pkgs/games/liquidwar/default.nix index ce346459201..d374ed85b2d 100644 --- a/pkgs/games/liquidwar/default.nix +++ b/pkgs/games/liquidwar/default.nix @@ -24,6 +24,8 @@ stdenv.mkDerivation rec { libXrender libcaca cunit ]; + hardening_format = false; + # To avoid problems finding SDL_types.h. configureFlags = [ "CFLAGS=-I${SDL}/include/SDL" ]; From 7e644980ccfd63fd6f487a4d1965b1014996676c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 03:58:56 +0000 Subject: [PATCH 206/603] mailutils: turn off format hardening --- pkgs/tools/networking/mailutils/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/networking/mailutils/default.nix b/pkgs/tools/networking/mailutils/default.nix index cbca408f084..53e17e6cecd 100644 --- a/pkgs/tools/networking/mailutils/default.nix +++ b/pkgs/tools/networking/mailutils/default.nix 
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "0szbqa12zqzldqyw97lxqax3ja2adis83i7brdfsxmrfw68iaf65"; }; + hardening_format = false; + patches = [ ./path-to-cat.patch ./no-gets.patch ]; configureFlags = "--with-path-sendmail=${sendmailPath}"; From 7b37bbedc4fea353e45484b164b375b16c67df24 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 12:32:24 +0000 Subject: [PATCH 207/603] mi2ly: turn off format hardening --- pkgs/applications/audio/mi2ly/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/mi2ly/default.nix b/pkgs/applications/audio/mi2ly/default.nix index 1d736b06938..67ac74f5f5a 100644 --- a/pkgs/applications/audio/mi2ly/default.nix +++ b/pkgs/applications/audio/mi2ly/default.nix @@ -21,6 +21,8 @@ stdenv.mkDerivation { sourceRoot="."; + hardening_format = false; + buildPhase = "./cc"; installPhase = '' mkdir -p "$out"/{bin,share/doc/mi2ly} From 548c1404d5159fda1c39d62362f6817354a2b5c6 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 12:34:15 +0000 Subject: [PATCH 208/603] mp3info: turn off format hardening --- pkgs/applications/audio/mp3info/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/mp3info/default.nix b/pkgs/applications/audio/mp3info/default.nix index e4c45c613ee..f2434619c47 100644 --- a/pkgs/applications/audio/mp3info/default.nix +++ b/pkgs/applications/audio/mp3info/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses pkgconfig gtk ]; + hardening_format = false; + configurePhase = '' sed -i Makefile \ -e "s|^prefix=.*$|prefix=$out|g ; From 5cf5e6e9c4ec026a6d1b5dffe875b1cbdeb19100 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 12:35:48 +0000 Subject: [PATCH 209/603] mrpeach: turn off format hardening --- pkgs/applications/audio/pd-plugins/mrpeach/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/pkgs/applications/audio/pd-plugins/mrpeach/default.nix b/pkgs/applications/audio/pd-plugins/mrpeach/default.nix index 5f76b208e14..207967a978f 100644 --- a/pkgs/applications/audio/pd-plugins/mrpeach/default.nix +++ b/pkgs/applications/audio/pd-plugins/mrpeach/default.nix @@ -14,7 +14,9 @@ stdenv.mkDerivation rec { sha256 = "12jqba3jsdrk20ib9wc2wiivki88ypcd4mkzgsri9siywbbz9w8x"; }; - buildInputs = [puredata ]; + buildInputs = [ puredata ]; + + hardening_format = false; patchPhase = '' for D in net osc From af07fd6e1b82ce44b41ef631298adb4022d81073 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 12:44:15 +0000 Subject: [PATCH 210/603] mkcl: turn off format hardening --- pkgs/development/compilers/mkcl/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/mkcl/default.nix b/pkgs/development/compilers/mkcl/default.nix index f6ab05bd29b..e57151b077f 100644 --- a/pkgs/development/compilers/mkcl/default.nix +++ b/pkgs/development/compilers/mkcl/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper ]; propagatedBuildInputs = [ gmp ]; + hardening_format = false; + configureFlags = [ "GMP_CFLAGS=-I${gmp}/include" "GMP_LDFLAGS=-L${gmp}/lib" From 136562adab750df73f0f646fdc679bc71dcb9a68 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 12:50:38 +0000 Subject: [PATCH 211/603] meshlab: turn off format hardening --- pkgs/applications/graphics/meshlab/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/graphics/meshlab/default.nix b/pkgs/applications/graphics/meshlab/default.nix index 49bfb47c85a..c3aed10d00c 100644 --- a/pkgs/applications/graphics/meshlab/default.nix +++ b/pkgs/applications/graphics/meshlab/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { patches = [ ./include-unistd.diff ]; + hardening_format = false; + buildPhase = '' mkdir -p "$out/include" cp -r vcglib "$out/include" 
From 64e6f69b70b6daf552984cb967ea116519529d23 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 12:50:49 +0000 Subject: [PATCH 212/603] mupen64plus: turn off format hardening --- pkgs/misc/emulators/mupen64plus/default.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/pkgs/misc/emulators/mupen64plus/default.nix b/pkgs/misc/emulators/mupen64plus/default.nix index 571e14347b4..dc3c1412856 100644 --- a/pkgs/misc/emulators/mupen64plus/default.nix +++ b/pkgs/misc/emulators/mupen64plus/default.nix @@ -6,9 +6,11 @@ stdenv.mkDerivation { url = http://mupen64plus.googlecode.com/files/Mupen64Plus-1-5-src.tar.gz; sha256 = "0gygfgyr2sg4yx77ijk133d1ra0v1yxi4xjxrg6kp3zdjmhdmcjq"; }; - + buildInputs = [ which pkgconfig SDL gtk mesa SDL_ttf ]; - + + hardening_format = false; + preConfigure = '' # Some C++ incompatibility fixes sed -i -e 's|char \* extstr = strstr|const char * extstr = strstr|' glide64/Main.cpp @@ -20,10 +22,10 @@ stdenv.mkDerivation { # Remove PATH environment variable from install script sed -i -e "s|export PATH=|#export PATH=|" ./install.sh ''; - + buildPhase = "make all"; installPhase = "PREFIX=$out make install"; - + meta = { description = "A Nintendo 64 Emulator"; license = stdenv.lib.licenses.gpl2Plus; From 9f644ee546c6fa037bcf6ce65421924f7aac8a4c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 13:04:31 +0000 Subject: [PATCH 213/603] navit: turn off format hardening --- pkgs/applications/misc/navit/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/misc/navit/default.nix b/pkgs/applications/misc/navit/default.nix index 1be39c66642..67f474cefac 100644 --- a/pkgs/applications/misc/navit/default.nix +++ b/pkgs/applications/misc/navit/default.nix 
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "1xx62l5srfhh9cfi7n3pxj8hpcgr1rpa0hzfmbrqadzv09z36723"; }; + hardening_format = false; + # 'cvs' is only for the autogen buildInputs = [ pkgconfig gtk SDL fontconfig freetype imlib2 SDL_image mesa libXmu freeglut python gettext quesoglc gd postgresql cmake qt4 SDL_ttf fribidi ]; From 663ec96a9a8891a0bbe7b74cac1d0eb5566085e8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 13:07:20 +0000 Subject: [PATCH 214/603] netboot: turn off format hardening --- pkgs/tools/networking/netboot/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/networking/netboot/default.nix b/pkgs/tools/networking/netboot/default.nix index 0f75bd44d69..349dba12538 100644 --- a/pkgs/tools/networking/netboot/default.nix +++ b/pkgs/tools/networking/netboot/default.nix @@ -9,10 +9,12 @@ stdenv.mkDerivation rec { buildInputs = [ yacc lzo db4 ]; + hardening_format = false; + meta = with stdenv.lib; { description = "Mini PXE server"; maintainers = [ maintainers.raskin ]; platforms = ["x86_64-linux"]; license = stdenv.lib.licenses.free; }; -} \ No newline at end of file +} From 86e8cad2cf2c4fa067d9523ad36c02d9dbdcb554 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 13:08:56 +0000 Subject: [PATCH 215/603] nestopia: turn off format hardening --- pkgs/misc/emulators/nestopia/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/misc/emulators/nestopia/default.nix b/pkgs/misc/emulators/nestopia/default.nix index fc64caf1053..3ed455bd350 100644 --- a/pkgs/misc/emulators/nestopia/default.nix +++ b/pkgs/misc/emulators/nestopia/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { # nondeterministic failures when creating directories enableParallelBuilding = false; + hardening_format = false; + buildInputs = [ pkgconfig SDL2 alsaLib gtk3 mesa_glu mesa makeWrapper libarchive libao unzip xdg_utils gsettings_desktop_schemas ]; 
From 668176fe815570bee7e0cba9a791e88e61eed024 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 13:10:01 +0000 Subject: [PATCH 216/603] nvidia-texture-tools: turn off format hardening --- pkgs/development/libraries/nvidia-texture-tools/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/nvidia-texture-tools/default.nix b/pkgs/development/libraries/nvidia-texture-tools/default.nix index 754ab4233e5..cd8268faa65 100644 --- a/pkgs/development/libraries/nvidia-texture-tools/default.nix +++ b/pkgs/development/libraries/nvidia-texture-tools/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { buildInputs = [ cmake libpng ilmbase libtiff zlib libjpeg mesa libX11 ]; + hardening_format = false; + patchPhase = '' # Fix build due to missing dependnecies. echo 'target_link_libraries(bc7 nvmath)' >> src/nvtt/bc7/CMakeLists.txt From 88d3b081bae0f6208fa7679561959e3ecf800f36 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 13:26:34 +0000 Subject: [PATCH 217/603] omniorb: turn off format hardening --- pkgs/development/tools/omniorb/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/tools/omniorb/default.nix b/pkgs/development/tools/omniorb/default.nix index 180e714b81e..5553d028cb6 100644 --- a/pkgs/development/tools/omniorb/default.nix +++ b/pkgs/development/tools/omniorb/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ python ]; + hardening_format = false; + meta = with stdenv.lib; { description = "omniORB is a robust high performance CORBA ORB for C++ and Python. It is freely available under the terms of the GNU Lesser General Public License (for the libraries), and GNU General Public License (for the tools). omniORB is largely CORBA 2.6 compliant."; homepage = "http://omniorb.sourceforge.net/"; From 200dedf2cd88a38acab08c37b819c65d582fa469 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 12 Feb 2016 13:27:00 +0000 Subject: [PATCH 218/603] nifskope: turn off format hardening --- pkgs/tools/graphics/nifskope/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/graphics/nifskope/default.nix b/pkgs/tools/graphics/nifskope/default.nix index 13dc27921a4..e28a2e16488 100644 --- a/pkgs/tools/graphics/nifskope/default.nix +++ b/pkgs/tools/graphics/nifskope/default.nix @@ -21,6 +21,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardening_format = false; + # Inspired by linux-install/nifskope.spec.in. installPhase = '' From 7e01cafa4bf98eedb025917f502ff85c86400b95 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 13:46:50 +0000 Subject: [PATCH 219/603] openfortivpn: turn off format hardening and use autoreconfHook --- pkgs/tools/networking/openfortivpn/default.nix | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/pkgs/tools/networking/openfortivpn/default.nix b/pkgs/tools/networking/openfortivpn/default.nix index 50fde6a7794..25af3e11caf 100644 --- a/pkgs/tools/networking/openfortivpn/default.nix +++ b/pkgs/tools/networking/openfortivpn/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchFromGitHub, automake, autoconf, openssl, ppp }: +{ stdenv, fetchFromGitHub, autoreconfHook, openssl, ppp }: with stdenv.lib; @@ -15,13 +15,11 @@ in stdenv.mkDerivation { sha256 = "0kwl8hv3nydd34xp1489jpjdj4bmknfl9xrgynij0vf5qx29xv7m"; }; - buildInputs = [ openssl automake autoconf ppp ]; + buildInputs = [ openssl ppp autoreconfHook ]; + + hardening_format = false; preConfigure = '' - aclocal - autoconf - automake --add-missing - substituteInPlace src/tunnel.c --replace "/usr/sbin/pppd" "${ppp}/bin/pppd" ''; From 0ea02595f760d2b61129f2a1c7672c4ae45e87f0 Mon Sep 17 00:00:00 2001 
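Review bot: `autoreconfHook` is a build-time tool, and other derivations touched in this series (qt3, xfig, zynaddsubfx) keep such tools in `nativeBuildInputs`; listing it in `buildInputs` works for a native build but loses the build-host/target distinction for cross builds. Suggested: `nativeBuildInputs = [ autoreconfHook ];` with `buildInputs = [ openssl ppp ];`. The mkDerivation body continues outside the hunk.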
From: Robin Gloster Date: Fri, 12 Feb 2016 13:51:05 +0000 Subject: [PATCH 220/603] otter: turn off format hardening --- pkgs/applications/science/logic/otter/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/applications/science/logic/otter/default.nix b/pkgs/applications/science/logic/otter/default.nix index 398f6c9a3e2..b0b001f7b3c 100644 --- a/pkgs/applications/science/logic/otter/default.nix +++ b/pkgs/applications/science/logic/otter/default.nix @@ -17,6 +17,9 @@ stdenv.mkDerivation { src = fetchurl { inherit (s) url sha256; }; + + hardening_format = false; + buildPhase = '' find . -name Makefile | xargs sed -i -e "s@/bin/rm@$(type -P rm)@g" find . -name Makefile | xargs sed -i -e "s@/bin/mv@$(type -P mv)@g" @@ -32,11 +35,13 @@ stdenv.mkDerivation { make -C source/formed realclean make -C source/formed formed ''; + installPhase = '' mkdir -p "$out"/{bin,share/otter} cp bin/* source/formed/formed "$out/bin/" cp -r examples examples-mace2 documents README* Legal Changelog Contents index.html "$out/share/otter/" ''; + meta = { inherit (s) version; description = "A reliable first-order theorem prover"; From 37cd2e6e21426db31a28c4fe9c15fcfd6a2ff121 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 13:53:04 +0000 Subject: [PATCH 221/603] pal: turn off format hardening --- pkgs/tools/misc/pal/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/misc/pal/default.nix b/pkgs/tools/misc/pal/default.nix index ff7279d0d57..a65bd1fe8ec 100644 --- a/pkgs/tools/misc/pal/default.nix +++ b/pkgs/tools/misc/pal/default.nix 
@@ -12,12 +12,12 @@ stdenv.mkDerivation rec { sed -i -e 's,/etc/pal\.conf,'$out/etc/pal.conf, src/input.c ''; - preBuild = '' - export makeFlags="prefix=$out" - ''; + makeFlags = "prefix=$(out)"; buildInputs = [ glib gettext readline pkgconfig ]; + hardening_format = false; + meta = { homepage = http://palcal.sourceforge.net/; description = "Command-line calendar program that can keep track of events"; From e5fa454ad3498db09418e5fe030e53b83efa493f Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 14:04:24 +0000 Subject: [PATCH 222/603] qhull: turn off format hardening --- pkgs/development/libraries/qhull/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/qhull/default.nix b/pkgs/development/libraries/qhull/default.nix index 76ceb12b401..e8a67d3bc42 100644 --- a/pkgs/development/libraries/qhull/default.nix +++ b/pkgs/development/libraries/qhull/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { cmakeFlags = "-DMAN_INSTALL_DIR=share/man/man1 -DDOC_INSTALL_DIR=share/doc/qhull"; + hardening_format = false; + meta = { homepage = http://www.qhull.org/; description = "Computes the convex hull, Delaunay triangulation, Voronoi diagram and more"; From 295602945ea4e0d1ea3a48ce60ebb044cfa2a8ca Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 14:10:31 +0000 Subject: [PATCH 223/603] pioneers: turn off format hardening --- pkgs/games/pioneers/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/games/pioneers/default.nix b/pkgs/games/pioneers/default.nix index af9900cede5..41780dd64f6 100644 --- a/pkgs/games/pioneers/default.nix +++ b/pkgs/games/pioneers/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { buildInputs = [ gtk pkgconfig intltool ]; + hardening_format = false; + meta = { homepage = http://pio.sourceforge.net/; license = stdenv.lib.licenses.gpl2Plus; From 5be387da19950076474fa185e1bafeaaa9c7477c Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 12 Feb 2016 14:15:00 +0000 Subject: [PATCH 224/603] opencv3: turn off format hardening --- pkgs/development/libraries/opencv/3.x.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/development/libraries/opencv/3.x.nix b/pkgs/development/libraries/opencv/3.x.nix index 4a58ae43bb7..16765083c55 100644 --- a/pkgs/development/libraries/opencv/3.x.nix +++ b/pkgs/development/libraries/opencv/3.x.nix @@ -49,6 +49,9 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardening_bindnow = false; + hardening_relro = false; + meta = { description = "Open Computer Vision Library with more than 500 algorithms"; homepage = http://opencv.org/; From 0a3b3559b19ebfc999b151d0916f57fb05fd3398 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 14:55:59 +0000 Subject: [PATCH 225/603] riak: turn off format hardening --- pkgs/servers/nosql/riak/1.3.1.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/nosql/riak/1.3.1.nix b/pkgs/servers/nosql/riak/1.3.1.nix index df85044b8d1..ffa2056d5a9 100644 --- a/pkgs/servers/nosql/riak/1.3.1.nix +++ b/pkgs/servers/nosql/riak/1.3.1.nix @@ -23,6 +23,8 @@ stdenv.mkDerivation rec { patches = [ ./riak-1.3.1.patch ./riak-admin-1.3.1.patch ]; + hardening_format = false; + postUnpack = '' mkdir -p $sourceRoot/deps/eleveldb/c_src/leveldb cp -r ${srcs.leveldb}/* $sourceRoot/deps/eleveldb/c_src/leveldb From e558a7f25231c6cfdc34cfe58add92fa9cceca5d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:10:11 +0000 Subject: [PATCH 226/603] radare: turn off format hardening --- pkgs/development/tools/analysis/radare/default.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/development/tools/analysis/radare/default.nix b/pkgs/development/tools/analysis/radare/default.nix index 3c83f0e9d49..8324d899147 100644 --- a/pkgs/development/tools/analysis/radare/default.nix +++ b/pkgs/development/tools/analysis/radare/default.nix 
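Review bot: The opencv3 commit subject says "turn off format hardening" but the hunk disables `hardening_bindnow` and `hardening_relro` and leaves `hardening_format` alone, so either the subject or the change is wrong and the mismatch will mislead anyone later asking why opencv3 lacks full RELRO. If bindnow/relro genuinely has to go, a comment naming the failure should sit above the two lines, since a shared library built without RELRO/BIND_NOW keeps its GOT writable in every process that loads it. Suggested: `# FIXME: relro/bindnow disabled because of <build failure, fill in>; re-enable once fixed`.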
@@ -8,8 +8,8 @@ assert useX11 -> (gtk != null && vte != null && gtkdialog != null); assert rubyBindings -> ruby != null; assert pythonBindings -> python != null; -let - optional = stdenv.lib.optional; +let + inherit (stdenv.lib) optional; in stdenv.mkDerivation rec { name = "radare-1.5.2"; @@ -19,6 +19,7 @@ stdenv.mkDerivation rec { sha256 = "1qdrmcnzfvfvqb27c7pknwm8jl2hqa6c4l66wzyddwlb8yjm46hd"; }; + hardening_format = false; buildInputs = [pkgconfig readline libusb perl] ++ optional useX11 [gtkdialog vte gtk] From 7c7d9c10ace59a158b2cb27bc3a580e97f11378d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:10:52 +0000 Subject: [PATCH 227/603] qt3: turn off format hardening --- pkgs/development/libraries/qt-3/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/qt-3/default.nix b/pkgs/development/libraries/qt-3/default.nix index 08d8f141deb..8a11cc7087b 100644 --- a/pkgs/development/libraries/qt-3/default.nix +++ b/pkgs/development/libraries/qt-3/default.nix @@ -32,6 +32,8 @@ stdenv.mkDerivation { nativeBuildInputs = [ which ]; propagatedBuildInputs = [libpng xlibsWrapper libXft libXrender zlib libjpeg]; + hardening_format = false; + configureFlags = " -v -system-zlib -system-libpng -system-libjpeg From a514ba1b1c9984b4c9fefbde71c61ee0bcdc5add Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:12:42 +0000 Subject: [PATCH 228/603] rakarrack: turn off format hardening --- pkgs/applications/audio/rakarrack/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/rakarrack/default.nix b/pkgs/applications/audio/rakarrack/default.nix index b746cccd113..647ed9036dc 100644 --- a/pkgs/applications/audio/rakarrack/default.nix +++ b/pkgs/applications/audio/rakarrack/default.nix 
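Review bot: In the radare hunk `hardening_format = false;` is inserted directly above `buildInputs` with no separating blank line, unlike every other hunk in this series, which isolates the attribute with blank lines on both sides. Adding the blank line keeps the layout consistent and makes the opt-out easy to spot. The mkDerivation body starts and ends outside the hunk.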
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "1rpf63pdn54c4yg13k7cb1w1c7zsvl97c4qxcpz41c8l91xd55kn"; }; + hardening_format = false; + patches = [ ./fltk-path.patch ]; buildInputs = [ alsaLib alsaUtils fltk libjack2 libXft libXpm libjpeg From 9375cd8e4db494d6d2686061b59a8c6c1d863b50 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:14:12 +0000 Subject: [PATCH 229/603] untex: turn off format hardening --- pkgs/tools/text/untex/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/text/untex/default.nix b/pkgs/tools/text/untex/default.nix index e2f6142a2a0..33f72b029a1 100644 --- a/pkgs/tools/text/untex/default.nix +++ b/pkgs/tools/text/untex/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "07p836jydd5yjy905m5ylnnac1h4cc4jsr41panqb808mlsiwmmy"; }; + hardening_format = false; + unpackPhase = "tar xf $src"; installTargets = "install install.man"; installFlags = "BINDIR=$(out)/bin MANDIR=$(out)/share/man/man1"; From 969ed1610a6025f7a908a9beb21e13c5055a5b49 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:22:56 +0000 Subject: [PATCH 230/603] qrcode: turn off fortify hardening --- pkgs/tools/graphics/qrcode/default.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/graphics/qrcode/default.nix b/pkgs/tools/graphics/qrcode/default.nix index e5bc5517b89..a1aefbff33c 100644 --- a/pkgs/tools/graphics/qrcode/default.nix +++ b/pkgs/tools/graphics/qrcode/default.nix @@ -1,4 +1,4 @@ -{stdenv, fetchgit}: +{ stdenv, fetchgit }: let s = rec { @@ -16,14 +16,19 @@ in stdenv.mkDerivation { inherit (s) name version; inherit buildInputs; + src = fetchgit { inherit (s) rev url sha256; }; + + hardening_fortify = false; + installPhase = '' mkdir -p "$out"/{bin,share/doc/qrcode} cp qrcode "$out/bin" cp DOCUMENTATION LICENCE "$out/share/doc/qrcode" ''; + meta = { inherit (s) version; description = ''A small QR-code tool''; 
From 059ac0e03b3be71e917010507c419633a184eb85 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:29:23 +0000 Subject: [PATCH 231/603] postfix28: turn off format hardening --- pkgs/servers/mail/postfix/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/mail/postfix/default.nix b/pkgs/servers/mail/postfix/default.nix index 838ca7a8d8d..578453c8c56 100644 --- a/pkgs/servers/mail/postfix/default.nix +++ b/pkgs/servers/mail/postfix/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { buildInputs = [db openssl cyrus_sasl bison perl]; + hardening_format = false; + patches = [ ./postfix-2.2.9-db.patch ./postfix-2.2.9-lib.patch From 33ca7682c75f8be15b23c1609cad540c8623d419 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:39:09 +0000 Subject: [PATCH 232/603] posterazor: turn off format hardening --- pkgs/applications/misc/posterazor/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/misc/posterazor/default.nix b/pkgs/applications/misc/posterazor/default.nix index f55af543f18..43da0c92a42 100644 --- a/pkgs/applications/misc/posterazor/default.nix +++ b/pkgs/applications/misc/posterazor/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1dqpdk8zl0smdg4fganp3hxb943q40619qmxjlga9jhjc01s7fq5"; }; + hardening_format = false; + buildInputs = [ cmake unzip pkgconfig libXpm fltk13 freeimage ]; unpackPhase = '' From b108c351f0e38220c4371c358c1c6d6e2088cb9d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:44:45 +0000 Subject: [PATCH 233/603] lingot: turn off format hardening --- pkgs/applications/audio/lingot/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/lingot/default.nix b/pkgs/applications/audio/lingot/default.nix index 4b07c84b0be..92e39f7bb11 100644 --- a/pkgs/applications/audio/lingot/default.nix +++ b/pkgs/applications/audio/lingot/default.nix 
@@ -8,6 +8,8 @@ stdenv.mkDerivation { sha256 = "0ygras6ndw2fylwxx86ac11pcr2y2bcfvvgiwrh92z6zncx254gc"; }; + hardening_format = false; + buildInputs = [ pkgconfig intltool gtk alsaLib libglade ]; configureFlags = "--disable-jack"; From 242b8aba7c1b75130214f6dd93f6b057ee6efe26 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:59:08 +0000 Subject: [PATCH 234/603] lincityNg: turn off format hardening --- pkgs/games/lincity/ng.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/games/lincity/ng.nix b/pkgs/games/lincity/ng.nix index 8807831ef01..0c3fc7055b7 100644 --- a/pkgs/games/lincity/ng.nix +++ b/pkgs/games/lincity/ng.nix @@ -15,13 +15,15 @@ let s = # Generated upstream information }; buildInputs = [zlib jam pkgconfig gettext libxml2 libxslt xproto libX11 mesa SDL SDL_mixer SDL_image SDL_ttf SDL_gfx physfs]; -in +in stdenv.mkDerivation rec { inherit (s) name version; src = fetchurl { inherit (s) url sha256; }; + hardening_format = false; + inherit buildInputs; buildPhase = "jam"; From 7ebac5576a76db2461c1e43fe119540daab77e21 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:59:46 +0000 Subject: [PATCH 235/603] opencascade_6_5: turn off format hardening --- pkgs/development/libraries/opencascade/6.5.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/opencascade/6.5.nix b/pkgs/development/libraries/opencascade/6.5.nix index 4228c285dfd..a1143757c77 100644 --- a/pkgs/development/libraries/opencascade/6.5.nix +++ b/pkgs/development/libraries/opencascade/6.5.nix @@ -26,6 +26,8 @@ stdenv.mkDerivation rec { # https://bugs.freedesktop.org/show_bug.cgi?id=83631 + " -DGLX_GLXEXT_LEGACY"; + hardening_format = false; + configureFlags = [ "--with-tcl=${tcl}/lib" "--with-tk=${tk}/lib" "--with-qt=${qt4}" "--with-ftgl=${ftgl}" "--with-freetype=${freetype}" ]; postInstall = '' From 147d861d92f8fd2ab6860e0aa7b97db07bd63c62 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 12 Feb 2016 16:10:06 +0000 Subject: [PATCH 236/603] opencascade: turn off format hardening --- pkgs/development/libraries/opencascade/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/opencascade/default.nix b/pkgs/development/libraries/opencascade/default.nix index ec15d9d631e..bcf1b747180 100644 --- a/pkgs/development/libraries/opencascade/default.nix +++ b/pkgs/development/libraries/opencascade/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation rec { # https://bugs.freedesktop.org/show_bug.cgi?id=83631 NIX_CFLAGS_COMPILE = "-DGLX_GLXEXT_LEGACY"; + hardening_format = false; + postInstall = '' mv $out/inc $out/include mkdir -p $out/share/doc/${name} From c572cc515954e9855cb42dd72af889934423163e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 16:16:52 +0000 Subject: [PATCH 237/603] qalculate-gtk: turn off format hardening --- pkgs/applications/science/math/qalculate-gtk/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/science/math/qalculate-gtk/default.nix b/pkgs/applications/science/math/qalculate-gtk/default.nix index 6bc5d874bc0..77026eb490a 100644 --- a/pkgs/applications/science/math/qalculate-gtk/default.nix +++ b/pkgs/applications/science/math/qalculate-gtk/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0b986x5yny9vrzgxlbyg80b23mxylxv2zz8ppd9svhva6vi8xsm4"; }; + hardening_format = false; + nativeBuildInputs = [ intltool pkgconfig ]; buildInputs = [ libqalculate gtk gnome2.libglade gnome2.libgnome gnome2.scrollkeeper ]; From f3dd927336bf9cc115480123b9847d0b982b60c2 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 16:21:42 +0000 Subject: [PATCH 238/603] musescore: turn off bindnow/relro hardening --- pkgs/applications/audio/musescore/default.nix | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/pkgs/applications/audio/musescore/default.nix b/pkgs/applications/audio/musescore/default.nix index e1f0472ce9e..b6a98268a9b 100644 --- a/pkgs/applications/audio/musescore/default.nix +++ b/pkgs/applications/audio/musescore/default.nix @@ -13,6 +13,9 @@ stdenv.mkDerivation rec { sha256 = "12a83v4i830gj76z5744034y1vvwzgy27mjbjp508yh9bd328yqw"; }; + hardening_bindnow = false; + hardening_relro = false; + makeFlags = [ "PREFIX=$(out)" ]; From 359ba5c971ec8aab1b62cc295e33da8f780b80ce Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Mon, 15 Feb 2016 19:58:45 +0100 Subject: [PATCH 239/603] strategoPackages: Not available anymore See 393977d800b5a1be040e111fd6da3d52b007ee0d. --- pkgs/development/compilers/webdsl/default.nix | 24 ------------------- pkgs/top-level/all-packages.nix | 2 -- pkgs/top-level/release.nix | 8 ------- 3 files changed, 34 deletions(-) delete mode 100644 pkgs/development/compilers/webdsl/default.nix diff --git a/pkgs/development/compilers/webdsl/default.nix b/pkgs/development/compilers/webdsl/default.nix deleted file mode 100644 index a0122319aed..00000000000 --- a/pkgs/development/compilers/webdsl/default.nix +++ /dev/null 
@@ -1,24 +0,0 @@ -{ stdenv, fetchurl, pkgconfig, strategoPackages }: - -stdenv.mkDerivation rec { - name = "webdsl-9.7pre4168"; - - src = fetchurl { - url = "http://hydra.nixos.org/build/654196/download/1/${name}.tar.gz"; - sha256 = "08bec3ba02254ec7474ce70206b7be4390fe07456cfc57d927d96a21dd6dcb33"; - }; - - buildInputs = - [ pkgconfig strategoPackages.aterm strategoPackages.sdf - strategoPackages.strategoxt strategoPackages.javafront - ]; - - # This corrected a failing build on at least one 64 bit Linux system. - # See the comment about this here: http://webdsl.org/selectpage/Download/WebDSLOnLinux - preBuild = (if stdenv.system == "x86_64-linux" then "ulimit -s unlimited" else ""); - - meta = { - homepage = http://webdsl.org/; - description = "A domain-specific language for developing dynamic web applications with a rich data model"; - }; -} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index b6220b3e2ac..88a085d6435 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5041,8 +5041,6 @@ let vs90wrapper = callPackage ../development/compilers/vs90wrapper { }; - webdsl = callPackage ../development/compilers/webdsl { }; - win32hello = callPackage ../development/compilers/visual-c++/test { }; wrapCCWith = ccWrapper: libc: extraBuildCommands: baseCC: ccWrapper { diff --git a/pkgs/top-level/release.nix b/pkgs/top-level/release.nix index 34360a064ef..81bab2d6c0c 100644 --- a/pkgs/top-level/release.nix +++ b/pkgs/top-level/release.nix @@ -245,14 +245,6 @@ let #rPackages = packagePlatforms pkgs.rPackages; - strategoPackages = { - sdf = linux; - strategoxt = linux; - javafront = linux; - strategoShell = linux ++ darwin; - dryad = linux; - }; - ocamlPackages = { }; perlPackages = { }; From 92e7adef40ca203de5e99d3a26b508bbd8da5199 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 12 Feb 2016 17:56:38 +0000 Subject: [PATCH 240/603] sct: fix hash --- pkgs/tools/X11/sct/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/X11/sct/default.nix b/pkgs/tools/X11/sct/default.nix index 4bf62e53f55..2eed4335af1 100644 --- a/pkgs/tools/X11/sct/default.nix +++ b/pkgs/tools/X11/sct/default.nix @@ -4,7 +4,7 @@ stdenv.mkDerivation rec { buildInputs = [libX11 libXrandr]; src = fetchurl { url = http://www.tedunangst.com/flak/files/sct.c; - sha256 = "1bivy0sl5v1jsq4jbq6p9hplz6cvw4nx9rc96p2kxsg506rqllc5"; + sha256 = "01f3ndx3s6d2qh2xmbpmhd4962dyh8yp95l87xwrs4plqdz6knhd"; }; phases = ["patchPhase" "buildPhase" "installPhase"]; patchPhase = '' From 7eb42d9513b39ad6a64e133bb35809e7c29db653 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 18:02:25 +0000 Subject: [PATCH 241/603] setools: turn off format hardening --- pkgs/os-specific/linux/setools/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/setools/default.nix b/pkgs/os-specific/linux/setools/default.nix index bb17683800f..6e8d9d3cf7a 100644 --- a/pkgs/os-specific/linux/setools/default.nix +++ b/pkgs/os-specific/linux/setools/default.nix @@ -18,6 +18,8 @@ stdenv.mkDerivation rec { "--with-tcl=${tcl}/lib" ]; + hardening_format = false; + NIX_CFLAGS_COMPILE = "-fstack-protector-all"; NIX_LDFLAGS = "-L${libsepol}/lib -L${libselinux}/lib"; From 8483edcda09461641c1641188d861d04dfc57761 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 18:25:14 +0000 Subject: [PATCH 242/603] silc-client: turn off format hardening --- .../networking/instant-messengers/silc-client/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/networking/instant-messengers/silc-client/default.nix b/pkgs/applications/networking/instant-messengers/silc-client/default.nix index 133a15aebf8..156b138f290 100644 
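Review bot: The sct hunk changes the sha256 of `sct.c` while the URL `http://www.tedunangst.com/flak/files/sct.c` stays unversioned, so the hash bump silently accepts whatever the upstream file now contains, and the commit message "fix hash" does not say what changed in the fetched source. Before the new hash is trusted, the diff between the two fetched copies should be reviewed and recorded, or the derivation should pin a versioned or archived copy of the file. At minimum the commit description should state that the re-fetched file was inspected.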
--- a/pkgs/applications/networking/instant-messengers/silc-client/default.nix +++ b/pkgs/applications/networking/instant-messengers/silc-client/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation { dontDisableStatic = true; + hardening_format = false; + configureFlags = "--with-ncurses=${ncurses}"; preConfigure = stdenv.lib.optionalString enablePlugin '' From 0782c5e810b5aa36eaefbae8c3e88e6857bc95db Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 18:27:08 +0000 Subject: [PATCH 243/603] sdcv: turn off format hardening --- pkgs/applications/misc/sdcv/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/misc/sdcv/default.nix b/pkgs/applications/misc/sdcv/default.nix index 3859d2c82ab..6a768d44958 100644 --- a/pkgs/applications/misc/sdcv/default.nix +++ b/pkgs/applications/misc/sdcv/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation rec { sha256 = "1cnyv7gd1qvz8ma8545d3aq726wxrx4km7ykl97831irx5wz0r51"; }; + hardening_format = false; + patches = ( if stdenv.isDarwin then [ ./sdcv.cpp.patch-darwin ./utils.hpp.patch ] else [ ./sdcv.cpp.patch ] ); From 24a5b240c8022a92449cfc0e933e42a8e289d619 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 18:30:46 +0000 Subject: [PATCH 244/603] squeak: turn off format hardening --- pkgs/development/compilers/squeak/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/squeak/default.nix b/pkgs/development/compilers/squeak/default.nix index 8aa980b72e6..341b8155c41 100644 --- a/pkgs/development/compilers/squeak/default.nix +++ b/pkgs/development/compilers/squeak/default.nix @@ -27,6 +27,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardening_format = false; + meta = with stdenv.lib; { description = "Smalltalk programming language and environment"; longDescription = '' From 983093cf4f8d137e62131384a04d5a34cafedeb6 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 12 Feb 2016 18:40:07 +0000 Subject: [PATCH 245/603] puremapping: 1.01 -> 20160130 old version was taken down --- pkgs/applications/audio/pd-plugins/puremapping/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/applications/audio/pd-plugins/puremapping/default.nix b/pkgs/applications/audio/pd-plugins/puremapping/default.nix index 2e9a37a2f0d..9300d7461fe 100644 --- a/pkgs/applications/audio/pd-plugins/puremapping/default.nix +++ b/pkgs/applications/audio/pd-plugins/puremapping/default.nix @@ -1,12 +1,12 @@ { stdenv, fetchurl, unzip, puredata }: stdenv.mkDerivation rec { - name = "puremapping-1.01"; + name = "puremapping-20160130"; src = fetchurl { - url = "http://www.chnry.net/ch/IMG/zip/puremapping-libdir-generic.zip"; + url = "http://www.chnry.net/data/puremapping-20160130-generic.zip"; name = "puremapping"; - sha256 = "1ygzxsfj3rnzjkpmgi4wch810q8s5vm1gdam6a938hbbvamafgvc"; + sha256 = "1h7qgqd8srrxw2y1rkdw5js4k6f5vc8x6nlm2mq9mq9vjck7n1j7"; }; buildInputs = [ unzip puredata ]; From cdb220fd6f9306d518af73e7983d228c79c07efd Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 18:41:43 +0000 Subject: [PATCH 246/603] rsyslog: turn off format hardening --- pkgs/tools/system/rsyslog/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/system/rsyslog/default.nix b/pkgs/tools/system/rsyslog/default.nix index 5d3dbd861aa..ef54bde3db5 100644 --- a/pkgs/tools/system/rsyslog/default.nix +++ b/pkgs/tools/system/rsyslog/default.nix @@ -28,6 +28,8 @@ stdenv.mkDerivation rec { rabbitmq-c hiredis ] ++ stdenv.lib.optional stdenv.isLinux systemd; + hardening_format = false; + configureFlags = [ "--sysconfdir=/etc" "--localstatedir=/var" From ea84b3a915987edea0fca8545b0136867da16844 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 12 Feb 2016 18:50:28 +0000 Subject: [PATCH 247/603] clib: turn off fortify hardening --- pkgs/tools/package-management/clib/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/package-management/clib/default.nix b/pkgs/tools/package-management/clib/default.nix index ae1213aee7c..d52243dcea5 100644 --- a/pkgs/tools/package-management/clib/default.nix +++ b/pkgs/tools/package-management/clib/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "0hbi5hf4w0iim96h89j7krxv61x92ffxjbldxp3zk92m5sgpldnm"; }; + hardening_fortify = false; + makeFlags = "PREFIX=$(out)"; buildInputs = [ curl ]; From 7204e10e4e8b776c073809849403ff5e1fabaf35 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 20 Feb 2016 21:51:26 +0000 Subject: [PATCH 248/603] zynaddsubfx: turn off format hardening --- pkgs/applications/audio/zynaddsubfx/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/zynaddsubfx/default.nix b/pkgs/applications/audio/zynaddsubfx/default.nix index 84a62d34fa6..c784b33700e 100644 --- a/pkgs/applications/audio/zynaddsubfx/default.nix +++ b/pkgs/applications/audio/zynaddsubfx/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { buildInputs = [ alsaLib libjack2 fftw fltk13 libjpeg minixml zlib liblo ]; nativeBuildInputs = [ cmake pkgconfig ]; + hardening_format = false; + meta = with stdenv.lib; { description = "High quality software synthesizer"; homepage = http://zynaddsubfx.sourceforge.net; From e370a9cf842c81ca8e5971b1d2fd628596dc99cf Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 20 Feb 2016 21:55:18 +0000 Subject: [PATCH 249/603] xmlrpc_c: turn off format hardening --- pkgs/development/libraries/xmlrpc-c/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/xmlrpc-c/default.nix b/pkgs/development/libraries/xmlrpc-c/default.nix index 56bcba8297d..0d787092a3c 100644 --- a/pkgs/development/libraries/xmlrpc-c/default.nix 
+++ b/pkgs/development/libraries/xmlrpc-c/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { (cd tools/xmlrpc && make && make install) ''; + hardening_format = false; + meta = with stdenv.lib; { description = "A lightweight RPC library based on XML and HTTP"; homepage = http://xmlrpc-c.sourceforge.net/; From 00c53f31c23bdb1a0c8d45148c3345b5574df7ea Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 20 Feb 2016 21:58:30 +0000 Subject: [PATCH 250/603] xfstests: turn off format hardening --- pkgs/tools/misc/xfstests/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/xfstests/default.nix b/pkgs/tools/misc/xfstests/default.nix index b7c1795c037..cef5fee9cf9 100644 --- a/pkgs/tools/misc/xfstests/default.nix +++ b/pkgs/tools/misc/xfstests/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation { buildInputs = [ acl autoreconfHook attr gawk libaio libuuid libxfs openssl perl ]; + hardening_format = false; + patchPhase = '' # Patch the destination directory sed -i include/builddefs.in -e "s|^PKG_LIB_DIR\s*=.*|PKG_LIB_DIR=$out/lib/xfstests|" From 55b83dc0a01b62a5170893feb527e2f16c606971 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 20 Feb 2016 22:00:56 +0000 Subject: [PATCH 251/603] xfig: turn off format hardening --- pkgs/applications/graphics/xfig/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/graphics/xfig/default.nix b/pkgs/applications/graphics/xfig/default.nix index 9e53fe3efe2..4f8f3ac16f4 100644 --- a/pkgs/applications/graphics/xfig/default.nix +++ b/pkgs/applications/graphics/xfig/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation { nativeBuildInputs = [ imake makeWrapper ]; + hardening_format = false; + NIX_CFLAGS_COMPILE = "-I${libXpm}/include/X11"; patches = From 8641b9dec4d6d66c7414f4c64f38e70be89b2af7 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Sat, 20 Feb 2016 22:17:54 +0000 Subject: [PATCH 252/603] mjpegtools: turn off format hardening --- pkgs/tools/video/mjpegtools/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/tools/video/mjpegtools/default.nix b/pkgs/tools/video/mjpegtools/default.nix index 33b497fa3eb..989649c580f 100644 --- a/pkgs/tools/video/mjpegtools/default.nix +++ b/pkgs/tools/video/mjpegtools/default.nix @@ -7,9 +7,13 @@ stdenv.mkDerivation rec { name = "mjpegtools-2.1.0"; + src = fetchurl { url = "mirror://sourceforge/mjpeg/${name}.tar.gz"; sha256 = "01y4xpfdvd4zgv6fmcjny9mr1gbfd4y2i4adp657ydw6fqyi8kw6"; }; + buildInputs = [ gtk libdv libjpeg libpng libX11 pkgconfig SDL SDL_gfx ]; + + hardening_format = false; } From ea1de67f359fce9bf6308a6736df6cfeb70d8339 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 20 Feb 2016 22:33:10 +0000 Subject: [PATCH 253/603] tesseract: turn off format hardening --- pkgs/applications/graphics/tesseract/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/graphics/tesseract/default.nix b/pkgs/applications/graphics/tesseract/default.nix index b531c41e2d8..b3db2fde4cb 100644 --- a/pkgs/applications/graphics/tesseract/default.nix +++ b/pkgs/applications/graphics/tesseract/default.nix @@ -38,6 +38,8 @@ stdenv.mkDerivation rec { buildInputs = [ autoconf automake libtool leptonica libpng libtiff ]; + hardening_format = false; + preConfigure = '' ./autogen.sh substituteInPlace "configure" \ From f2d5bda7c9f7610810588ade440d37c69b613e20 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 20 Feb 2016 22:34:06 +0000 Subject: [PATCH 254/603] vimprobable2: turn off format hardening --- .../networking/browsers/vimprobable2/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/applications/networking/browsers/vimprobable2/default.nix b/pkgs/applications/networking/browsers/vimprobable2/default.nix index 6f8eede9b3f..3d40aa1f60c 100644 
--- a/pkgs/applications/networking/browsers/vimprobable2/default.nix +++ b/pkgs/applications/networking/browsers/vimprobable2/default.nix @@ -11,9 +11,9 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ]; - installPhase = '' - make PREFIX=/ DESTDIR=$out install - ''; + hardening_format = false; + + installFlags = "PREFIX=/ DESTDIR=$(out)"; preFixup = '' wrapProgram "$out/bin/vimprobable2" \ @@ -32,7 +32,7 @@ stdenv.mkDerivation rec { GTK bindings). The goal of Vimprobable is to build a completely keyboard-driven, efficient and pleasurable browsing-experience. Its featureset might be considered "minimalistic", but not as minimalistic as - being completely featureless. + being completely featureless. ''; homepage = "http://sourceforge.net/apps/trac/vimprobable"; license = stdenv.lib.licenses.mit; From 99087d92166731e74a0e16e01f9ea3ab60ab36c6 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 21 Feb 2016 09:44:40 +0000 Subject: [PATCH 255/603] trickle: turn off format hardening --- pkgs/tools/networking/trickle/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/networking/trickle/default.nix b/pkgs/tools/networking/trickle/default.nix index d10e645dc87..22f991d8fe2 100644 --- a/pkgs/tools/networking/trickle/default.nix +++ b/pkgs/tools/networking/trickle/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0s1qq3k5mpcs9i7ng0l9fvr1f75abpbzfi1jaf3zpzbs1dz50dlx"; }; - buildInputs = [libevent]; + buildInputs = [ libevent ]; preConfigure = '' sed -i 's|libevent.a|libevent.so|' configure @@ -22,6 +22,8 @@ stdenv.mkDerivation rec { configureFlags = "--with-libevent"; + hardening_format = false; + meta = { description = "Lightweight userspace bandwidth shaper"; license = stdenv.lib.licenses.bsd3; From 3fead71a0e53fabd568495a771ee518ebdb8d051 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Sun, 21 Feb 2016 10:01:22 +0000 Subject: [PATCH 256/603] facter: remove obsolete PIC handling (default now) --- pkgs/tools/system/facter/default.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pkgs/tools/system/facter/default.nix b/pkgs/tools/system/facter/default.nix index c0328636536..117a3c1c1a2 100644 --- a/pkgs/tools/system/facter/default.nix +++ b/pkgs/tools/system/facter/default.nix @@ -8,9 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1ngp3xjdh6x1w7lsi4lji2xzqp0x950jngcdlq11lcr0wfnzwyxj"; }; - libyamlcpp_ = libyamlcpp.override { makePIC = true; }; - - buildInputs = [ boost cmake curl libyamlcpp_ openssl utillinux ]; + buildInputs = [ boost cmake curl libyamlcpp openssl utillinux ]; meta = with stdenv.lib; { homepage = https://github.com/puppetlabs/facter; From 58c377b9aa7a54f6e3f216c228a8556dff9a6929 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 21 Feb 2016 10:06:49 +0000 Subject: [PATCH 257/603] kde5.calamares: 1.0 -> 1.1.4.2 fixes build and removes obsolete PIC handling --- pkgs/tools/misc/calamares/default.nix | 15 ++++++++------- pkgs/top-level/all-packages.nix | 9 ++++----- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/pkgs/tools/misc/calamares/default.nix b/pkgs/tools/misc/calamares/default.nix index ab00d52c777..075f925c92f 100644 --- a/pkgs/tools/misc/calamares/default.nix +++ b/pkgs/tools/misc/calamares/default.nix 
@@ -1,15 +1,16 @@ -{ stdenv, fetchgit, cmake, polkit-qt, libyamlcpp, python, boost, parted +{ stdenv, fetchurl, cmake, polkit-qt, libyamlcpp, python, boost, parted , extra-cmake-modules, kconfig, ki18n, kcoreaddons, solid, utillinux, libatasmart , ckbcomp, glibc, tzdata, xkeyboard_config, qtbase, qtquick1, qtsvg, qttools }: stdenv.mkDerivation rec { - name = "calamares-${version}"; - version = "1.0"; + name = "${pname}-${version}"; + pname = "calamares"; + version = "1.1.4.2"; - src = fetchgit { - url = "https://github.com/calamares/calamares.git"; - rev = "dabfb68a68cb012a90cd7b94a22e1ea08f7dd8ad"; - sha256 = "2851ce487aaac61d2df342a47f91ec87fe52ff036227ef697caa7056fe5f188c"; + # release including submodule + src = fetchurl { + url = "https://github.com/${pname}/${pname}/releases/download/v${version}/${name}.tar.gz"; + sha256 = "1mh0nmzc3i1aqcj79q2s3vpccn0mirlfbj26sfyb0v6gcrvf707d"; }; buildInputs = [ diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 4df41032847..65789fd040d 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
@@ -14964,18 +14964,17 @@ let calamares = callPackage ../tools/misc/calamares rec { python = python3; - boost = pkgs.boost.override { python=python3; }; - libyamlcpp = callPackage ../development/libraries/libyaml-cpp { makePIC=true; boost=boost; }; + boost = pkgs.boost.override { python = python3; }; + libyamlcpp = callPackage ../development/libraries/libyaml-cpp { boost = boost; }; }; dfilemanager = callPackage ../applications/misc/dfilemanager { }; fcitx-qt5 = callPackage ../tools/inputmethods/fcitx/fcitx-qt5.nix { }; - k9copy = callPackage ../applications/video/k9copy {}; + k9copy = callPackage ../applications/video/k9copy { }; - konversation = callPackage ../applications/networking/irc/konversation/1.6.nix { - }; + konversation = callPackage ../applications/networking/irc/konversation/1.6.nix { }; quassel = callPackage ../applications/networking/irc/quassel/qt-5.nix { monolithic = true; From 289599367d5aae16e6e1bd360fc297deca5058ed Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 21 Feb 2016 10:23:57 +0000 Subject: [PATCH 258/603] stress-ng: 0.05.00 -> 0.05.18 fixes build after broken hash --- pkgs/tools/system/stress-ng/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/system/stress-ng/default.nix b/pkgs/tools/system/stress-ng/default.nix index a973d143fa9..692fd250f83 100644 --- a/pkgs/tools/system/stress-ng/default.nix +++ b/pkgs/tools/system/stress-ng/default.nix @@ -2,10 +2,10 @@ stdenv.mkDerivation rec { name = "stress-ng-${version}"; - version = "0.05.00"; + version = "0.05.18"; src = fetchurl { - sha256 = "0ppri86z6fj48nm5l0x1r8mh7mwaf7bvhmi10jz6a8w7apnc181w"; + sha256 = "13x0cc4gfakz7vikc6b2vjbk1gw5awyp9i6843di7lnkx1ba177r"; url = "http://kernel.ubuntu.com/~cking/tarballs/stress-ng/${name}.tar.gz"; }; From 25dfa39faca704bc8a594db151d34dec0aa3158e Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Sun, 21 Feb 2016 10:40:34 +0000 Subject: [PATCH 259/603] facetimehd: turn off PIC hardening --- pkgs/os-specific/linux/facetimehd/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/facetimehd/default.nix b/pkgs/os-specific/linux/facetimehd/default.nix index 06e6abfe417..48494bd6b18 100644 --- a/pkgs/os-specific/linux/facetimehd/default.nix +++ b/pkgs/os-specific/linux/facetimehd/default.nix @@ -4,7 +4,6 @@ assert stdenv.lib.versionAtLeast kernel.version "3.19"; stdenv.mkDerivation rec { - name = "facetimehd-${version}-${kernel.version}"; version = "git-20160127"; @@ -19,6 +18,8 @@ stdenv.mkDerivation rec { export INSTALL_MOD_PATH="$out" ''; + hardening_pic = false; + makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ]; @@ -30,5 +31,4 @@ stdenv.mkDerivation rec { maintainers = [ maintainers.womfoo ]; platforms = platforms.linux; }; - } From 27e8d31b1afba4aa9deca84948def09971c3574c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 21 Feb 2016 10:53:04 +0000 Subject: [PATCH 260/603] torcs: turn off format hardening and remove obsolete flag --- pkgs/games/torcs/default.nix | 2 ++ pkgs/top-level/all-packages.nix | 6 +----- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/pkgs/games/torcs/default.nix b/pkgs/games/torcs/default.nix index e6370d6e7c6..fd320a32180 100644 --- a/pkgs/games/torcs/default.nix +++ b/pkgs/games/torcs/default.nix @@ -21,6 +21,8 @@ stdenv.mkDerivation rec { installTargets = "install datainstall"; + hardening_format = false; + meta = { description = "Car racing game"; homepage = http://torcs.sourceforge.net/; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 65789fd040d..9a35d98bef3 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
@@ -14582,11 +14582,7 @@ let libpng = libpng12; }; - torcs = callPackage ../games/torcs { - # Torcs wants to make shared libraries linked with plib libraries (it provides static). - # i686 is the only platform I know than can do that linking without plib built with -fPIC - plib = plib.override { enablePIC = !stdenv.isi686; }; - }; + torcs = callPackage ../games/torcs { }; trigger = callPackage ../games/trigger { }; From 0102e6970720c2f24ad495ba0416b28975450804 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 21 Feb 2016 11:39:41 +0000 Subject: [PATCH 261/603] haskellPackages.c2hs: fix evaluation --- pkgs/development/haskell-modules/configuration-common.nix | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index f163874f236..f6eae83a20c 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -44,11 +44,9 @@ self: super: { options_1_2 = dontCheck super.options_1_2; options = dontCheck super.options; statistics = dontCheck super.statistics; - c2hs = let c2hs_ = pkgs.stdenv.lib.overrideDerivation super.c2hs (drv: { - hardening_format = false; - doCheck = false; - }); - in if pkgs.stdenv.isDarwin then dontCheck c2hs_ else c2hs_; + c2hs = pkgs.lib.overrideDerivation (dontCheck super.c2hs) (drv: { + hardening_format = false; + }); # The package doesn't compile with ruby 1.9, which is our default at the moment. hruby = super.hruby.override { ruby = pkgs.ruby_2_1; }; From 1eed9435d55fbe12b36f58a924f9448f727ca8ab Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 21 Feb 2016 11:40:16 +0000 Subject: [PATCH 262/603] haskellPackages.glib: simplify --- pkgs/development/haskell-modules/configuration-common.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index f6eae83a20c..eca1343e513 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -244,9 +244,9 @@ self: super: { gio_0_13_0_3 = addPkgconfigDepend super.gio_0_13_0_3 pkgs.glib; gio_0_13_0_4 = addPkgconfigDepend super.gio_0_13_0_4 pkgs.glib; gio_0_13_1_0 = addPkgconfigDepend super.gio_0_13_1_0 pkgs.glib; - glib = addPkgconfigDepend (overrideCabal super.glib (drv: { + glib = pkgs.lib.overrideDerivation (addPkgconfigDepend super.glib pkgs.glib) (drv: { hardening_fortify = false; - })) pkgs.glib; + }); gtk3 = super.gtk3.override { inherit (pkgs) gtk3; }; gtk = addPkgconfigDepend super.gtk pkgs.gtk; gtksourceview2 = (addPkgconfigDepend super.gtksourceview2 pkgs.gtk2).override { inherit (pkgs.gnome2) gtksourceview; }; From 23b4e6e19d346c2e96a8f665678184cddda44721 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 21 Feb 2016 11:41:04 +0000 Subject: [PATCH 263/603] haskellPackages: remove unnecessary hardening handling --- pkgs/development/haskell-modules/generic-builder.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/development/haskell-modules/generic-builder.nix b/pkgs/development/haskell-modules/generic-builder.nix index fb8781bd750..b871b7d73fa 100644 --- a/pkgs/development/haskell-modules/generic-builder.nix +++ b/pkgs/development/haskell-modules/generic-builder.nix @@ -45,7 +45,6 @@ , checkPhase ? "", preCheck ? "", postCheck ? "" , preFixup ? "", postFixup ? "" , shellHook ? "" -, hardening_fortify ? true , coreSetup ? false # Use only core packages to build Setup.hs. , useCpphs ? false } @ args: 
@@ -320,6 +319,5 @@ stdenv.mkDerivation ({ // optionalAttrs (preFixup != "") { inherit preFixup; } // optionalAttrs (postFixup != "") { inherit postFixup; } // optionalAttrs (dontStrip) { inherit dontStrip; } -// optionalAttrs (!hardening_fortify) { inherit hardening_fortify; } // optionalAttrs (stdenv.isLinux) { LOCALE_ARCHIVE = "${glibcLocales}/lib/locale/locale-archive"; } ) From e0fa05f66215ee7b262f4adf9f9049806ee17372 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 21 Feb 2016 22:53:24 +0000 Subject: [PATCH 264/603] telnet: turn off format hardening --- pkgs/tools/networking/telnet/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/networking/telnet/default.nix b/pkgs/tools/networking/telnet/default.nix index 9827b62c6c4..3fe6144b72c 100644 --- a/pkgs/tools/networking/telnet/default.nix +++ b/pkgs/tools/networking/telnet/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation { sha256 = "0cs7ks22dhcn5qfjv2vl6ikhw93x68gg33zdn5f5cxgg81kx5afn"; }; + hardening_format = false; + buildInputs = [ncurses]; meta = { From 00903f48201307d8995386f9fc50cd12e24d5d40 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 21 Feb 2016 23:56:49 +0000 Subject: [PATCH 265/603] jbig2enc: add upstream patch to fix build --- pkgs/tools/graphics/jbig2enc/default.nix | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/graphics/jbig2enc/default.nix b/pkgs/tools/graphics/jbig2enc/default.nix index 71f0789286a..a6f6c437612 100644 --- a/pkgs/tools/graphics/jbig2enc/default.nix +++ b/pkgs/tools/graphics/jbig2enc/default.nix @@ -1,4 +1,6 @@ -{stdenv, fetchurl, leptonica, zlib, libwebp, giflib, libjpeg, libpng, libtiff }: stdenv.mkDerivation { +{ stdenv, fetchurl, fetchpatch, leptonica, zlib, libwebp, giflib, libjpeg, libpng, libtiff }: + +stdenv.mkDerivation { name = "jbig2enc-0.28"; src = fetchurl { 
@@ -6,6 +8,13 @@ sha256 = "1wc0lmqz4jag3rhhk1xczlqpfv2qqp3fz7wzic2lba3vsbi1rrw3"; }; + patches = [ + (fetchpatch { + url = "https://github.com/agl/jbig2enc/commit/53ce5fe7e73d7ed95c9e12b52dd4984723f865fa.diff"; + sha256 = "0n6s24i1fy9xspawns3r0kmx2fl0q3wqp68l1yai36jhfw08i3n4"; + }) + ]; + propagatedBuildInputs = [ leptonica zlib libwebp giflib libjpeg libpng libtiff ]; # This is necessary, because the resulting library has From 1d713761d948c7c93f4405338e3a5b3eac1b59ba Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 22 Feb 2016 00:21:26 +0000 Subject: [PATCH 266/603] ldm: add include to fix build --- pkgs/os-specific/linux/ldm/default.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/ldm/default.nix b/pkgs/os-specific/linux/ldm/default.nix index c5e94ed81e9..5332fc0bf3d 100644 --- a/pkgs/os-specific/linux/ldm/default.nix +++ b/pkgs/os-specific/linux/ldm/default.nix @@ -19,12 +19,13 @@ stdenv.mkDerivation rec { buildInputs = [ udev utillinux ]; - preBuild = '' + postPatch = '' + sed -i '1i#include ' ldm.c substituteInPlace ldm.c \ --replace "/mnt/" "${mountPath}" ''; - buildPhase = "make ldm"; + buildFlags = "ldm"; installPhase = '' mkdir -p $out/bin From 5923f792e15ad4176980ebab6645af217300b102 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 22 Feb 2016 00:22:28 +0000 Subject: [PATCH 267/603] uae: turn off format hardening --- pkgs/misc/emulators/uae/default.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pkgs/misc/emulators/uae/default.nix b/pkgs/misc/emulators/uae/default.nix index f877eff5c64..54620699f2d 100644 --- a/pkgs/misc/emulators/uae/default.nix +++ b/pkgs/misc/emulators/uae/default.nix 
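Review bot: The `sed -i '1i#include ' ldm.c` line added to `postPatch` names no header as the patch reads here; if the angle-bracketed name was lost in extraction the directive is fine, but as written it would insert an empty `#include` that does not compile, so the line should be checked against the committed file. Prepending at line 1 with sed also says nothing about why the include is needed and lands it above any licence header or include guard; a comment such as `# ldm.c calls a function whose declaring header it never includes` (naming the actual symbol) or a proper file under `patches` would make the intent reviewable. The rest of the derivation outside `postPatch`/`buildFlags` is not shown in the hunk.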
@@ -2,13 +2,18 @@ stdenv.mkDerivation rec { name = "uae-0.8.29"; + src = fetchurl { url = "http://web.archive.org/web/20130905032631/http://www.amigaemulator.org/files/sources/develop/${name}.tar.bz2"; sha256 = "05s3cd1rd5a970s938qf4c2xm3l7f54g5iaqw56v8smk355m4qr4"; }; + configureFlags = [ "--with-sdl" "--with-sdl-sound" "--with-sdl-gfx" "--with-alsa" ]; + buildInputs = [ pkgconfig gtk alsaLib SDL ]; - + + hardening_format = false; + meta = { description = "Ultimate/Unix/Unusable Amiga Emulator"; license = stdenv.lib.licenses.gpl2Plus; From 911d22f88dd4b24230caa120cdaf8b02cf0eb427 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 22 Feb 2016 00:23:15 +0000 Subject: [PATCH 268/603] nixpkgs docs: format hardening --- doc/stdenv.xml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/doc/stdenv.xml b/doc/stdenv.xml index f8d9acb2fb0..0c2bb033957 100644 --- a/doc/stdenv.xml +++ b/doc/stdenv.xml @@ -1317,6 +1317,33 @@ in the default system locations. +
Hardening in Nixpkgs + +By default some flags to harden packages at compile or link-time are set: + + + + + hardening_format + Adds the compiler options. At present, + this warns about calls to printf and scanf functions where the + format string is not a string literal and there are no format + arguments, as in printf(foo);. This may be + a security hole if the format string came from untrusted input + and contains %n. + + This needs to be turned off or fixed for errors similar to: + + +/tmp/nix-build-zynaddsubfx-2.5.2.drv-0/zynaddsubfx-2.5.2/src/UI/guimain.cpp:571:28: error: format not a string literal and no format arguments [-Werror=format-security] + printf(help_message); + ^ +cc1plus: some warnings being treated as errors + + + +
From fda63b8b579aff758ae92e7e1a65a5a480231c6b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 22 Feb 2016 00:33:01 +0000 Subject: [PATCH 269/603] nixpkgs docs: stackprotector hardening --- doc/stdenv.xml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/doc/stdenv.xml b/doc/stdenv.xml index 0c2bb033957..51a27dcdbc0 100644 --- a/doc/stdenv.xml +++ b/doc/stdenv.xml @@ -1342,6 +1342,22 @@ in the default system locations. cc1plus: some warnings being treated as errors + + + hardening_stackprotector + Adds the + compiler options. This adds safety checks against stack overwrites + rendering many potential code injection attacks into aborting situations. + In the best case this turns code injection vulnerabilities into denial + of service or into non-issues (depending on the application). + + This needs to be turned off or fixed for errors similar to: + + +bin/blib.a(bios_console.o): In function `bios_handle_cup': +/tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail' + + From 828b408f7fc7b489514e287ed7d720f423c98a41 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 22 Feb 2016 00:44:58 +0000 Subject: [PATCH 270/603] ipxe: turn off pic/stackprotector hardening --- pkgs/tools/misc/ipxe/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/tools/misc/ipxe/default.nix b/pkgs/tools/misc/ipxe/default.nix index e4c161b2e51..0830eb51b3c 100644 --- a/pkgs/tools/misc/ipxe/default.nix +++ b/pkgs/tools/misc/ipxe/default.nix @@ -18,6 +18,10 @@ stdenv.mkDerivation { preConfigure = "cd src"; + # not possible due to assembler code + hardening_pic = false; + hardening_stackprotector = false; + makeFlags = [ "ECHO_E_BIN_ECHO=echo" "ECHO_E_BIN_ECHO_E=echo" # No /bin/echo here. "ISOLINUX_BIN_LIST=${syslinux}/share/syslinux/isolinux.bin" From abac1eb91893a67a20dae8710ac41a76061e6b36 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Mon, 22 Feb 2016 01:43:25 +0000 Subject: [PATCH 271/603] inferno: turn off fortify hardening --- pkgs/applications/inferno/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/inferno/default.nix b/pkgs/applications/inferno/default.nix index a0e2796a302..a1c4bd912f2 100644 --- a/pkgs/applications/inferno/default.nix +++ b/pkgs/applications/inferno/default.nix @@ -54,6 +54,8 @@ stdenv.mkDerivation rec { --set INFERNO_ROOT "$out/share/inferno" ''; + hardening_fortify = false; + meta = { description = "A compact distributed operating system for building cross-platform distributed systems"; homepage = "http://inferno-os.org/"; From 9b4c99edc65fa5278d8ffed2aa2c7cfa6c8367b8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 22 Feb 2016 08:47:25 +0000 Subject: [PATCH 272/603] gcc43/ghdl: turn off format hardening --- pkgs/development/compilers/gcc/4.3/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/development/compilers/gcc/4.3/default.nix b/pkgs/development/compilers/gcc/4.3/default.nix index 3db8ee5f3ea..0ad156c53e5 100644 --- a/pkgs/development/compilers/gcc/4.3/default.nix +++ b/pkgs/development/compilers/gcc/4.3/default.nix @@ -82,7 +82,7 @@ stdenv.mkDerivation ({ ++ optional langJava ./java-jvgenmain-link.patch ++ optional langVhdl ./ghdl-ortho-cflags.patch ++ optional langVhdl ./ghdl-runtime-o2.patch; - + inherit noSysDirs profiledCompiler staticCompiler crossStageStatic binutilsCross libcCross; targetConfig = if cross != null then cross.config else null; @@ -95,6 +95,8 @@ stdenv.mkDerivation ({ ++ (optionals langVhdl [gnat]) ; + hardening_format = false; + configureFlags = " ${if enableMultilib then "" else "--disable-multilib"} ${if enableShared then "" else "--disable-shared"} 
@@ -124,7 +126,7 @@ stdenv.mkDerivation ({ NIX_EXTRA_LDFLAGS = if staticCompiler then "-static" else ""; inherit gmp mpfr; - + passthru = { inherit langC langCC langFortran langVhdl langTreelang enableMultilib; }; From 95325aa96ff1070292877b3ab5d30f84dea53773 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 22 Feb 2016 08:57:20 +0000 Subject: [PATCH 273/603] vacuum: use mkDerivation and turn off format hardening --- .../instant-messengers/vacuum/default.nix | 65 ++++++------------- 1 file changed, 20 insertions(+), 45 deletions(-) diff --git a/pkgs/applications/networking/instant-messengers/vacuum/default.nix b/pkgs/applications/networking/instant-messengers/vacuum/default.nix index 205c21adab4..181cd3301e3 100644 --- a/pkgs/applications/networking/instant-messengers/vacuum/default.nix +++ b/pkgs/applications/networking/instant-messengers/vacuum/default.nix 
@@ -1,56 +1,31 @@ -x@{builderDefsPackage - , qt4, openssl - , xproto, libX11, libXScrnSaver, scrnsaverproto - , xz - , ...}: -builderDefsPackage -(a : -let - helperArgNames = ["stdenv" "fetchurl" "builderDefsPackage"] ++ - []; +{ stdenv, fetchurl, qt4, openssl, xproto, libX11 +, libXScrnSaver, scrnsaverproto, xz +}: - buildInputs = map (n: builtins.getAttr n x) - (builtins.attrNames (builtins.removeAttrs x helperArgNames)); - sourceInfo = rec { - version="1.2.4"; - baseName="vacuum-im"; - name="${baseName}-${version}"; +stdenv.mkDerivation rec { + name="${baseName}-${version}"; + baseName = "vacuum-im"; + version = "1.2.4"; + + src = fetchurl { url="https://googledrive.com/host/0B7A5K_290X8-d1hjQmJaSGZmTTA/vacuum-1.2.4.tar.gz"; sha256="10qxpfbbaagqcalhk0nagvi5irbbz5hk31w19lba8hxf6pfylrhf"; }; -in -rec { - src = a.fetchurl { - url = sourceInfo.url; - sha256 = sourceInfo.sha256; - }; - inherit (sourceInfo) name version; - inherit buildInputs; + configurePhase = "qmake INSTALL_PREFIX=$out -recursive vacuum.pro"; - /* doConfigure should be removed if not needed */ - phaseNames = ["addInputs" "doQMake" "doMakeInstall"]; + hardening_format = false; - doQMake = a.fullDepEntry ('' - qmake INSTALL_PREFIX=$out -recursive vacuum.pro - '') ["doUnpack" "addInputs"]; - - meta = { + buildInputs = [ + qt4 openssl xproto libX11 libXScrnSaver scrnsaverproto xz + ]; + + meta = with stdenv.lib; { description = "An XMPP client fully composed of plugins"; - maintainers = with a.lib.maintainers; - [ - raskin - ]; - platforms = with a.lib.platforms; - linux; - license = with a.lib.licenses; - gpl3; + maintainers = with maintainers; [ raskin ]; + platforms = with platforms; linux; + license = with licenses; gpl3; homepage = "http://code.google.com/p/vacuum-im/"; }; - passthru = { - updateInfo = { - downloadPage = "http://code.google.com/p/vacuum-im/downloads/list?can=2&q=&colspec=Filename"; - }; - }; -}) x +} From 35f92d9810f334cd16e4cb5f2a5f968a4a7c2093 Mon Sep 17 00:00:00 2001 
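Review bot: In the new `stdenv.mkDerivation rec { ... }` the `name="${baseName}-${version}";`, `url="..."` and `sha256="..."` lines keep the compressed spacing of the old builderDefs file while the attributes around them use ` = `; writing them as `name = "${baseName}-${version}";`, `url = "...";` and `sha256 = "...";` would match the rest of the derivation. The rewrite also drops the old `passthru.updateInfo.downloadPage` attribute without the commit message saying so; if nothing consumes it that is fine, but it should be stated. As with the other hardening overrides in this series, `hardening_format = false;` carries no comment on which call triggers `-Werror=format-security`.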
From: Robin Gloster Date: Mon, 22 Feb 2016 09:45:31 +0000 Subject: [PATCH 274/603] xfce4-12.xfce4_verve_plugin: turn off format hardening --- pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix index 603a68cc5f6..415c6bc6cfb 100644 --- a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix +++ b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig intltool glib exo pcre libxfce4util libxfce4ui xfce4panel xfconf gtk ]; + hardening_format = false; + meta = { homepage = "http://goodies.xfce.org/projects/panel-plugins/${p_name}"; description = "A command-line plugin"; From 57d6a38ed513e80fbd4135b7c2d3a9326a2649fc Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 22 Feb 2016 18:31:04 +0000 Subject: [PATCH 275/603] stdenv: change hardening flags * remove relro/bindnow from compile flags as they break clang * use fstackprotector-strong instead of fstackprotector-all for speed --- pkgs/stdenv/adapters.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix index 5a5550ebb04..4f092ee1d97 100644 --- a/pkgs/stdenv/adapters.nix +++ b/pkgs/stdenv/adapters.nix 
@@ -241,11 +241,9 @@ rec {
 NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "")
 + stdenv.lib.optionalString (args.hardening_all or true) (
 stdenv.lib.optionalString (args.hardening_fortify or true) " -O2 -D_FORTIFY_SOURCE=2"
- + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-all"
+ + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-strong"
 + stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie"
 + stdenv.lib.optionalString (args.hardening_pic or true) " -fPIC"
- + stdenv.lib.optionalString (args.hardening_relro or true) " -Wl,-z,relro"
- + stdenv.lib.optionalString (args.hardening_bindnow or true) " -Wl,-z,now"
 + stdenv.lib.optionalString (args.hardening_strictoverflow or true) " -fno-strict-overflow"
 + stdenv.lib.optionalString (args.hardening_format or true) " -Wformat -Wformat-security -Werror=format-security"
 );
From 402d57ee8e54f5f5e9398f61d1934de3ff66cf3c Mon Sep 17 00:00:00 2001
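Review bot: Removing the `-Wl,-z,relro` and `-Wl,-z,now` lines drops full RELRO from every hardened build instead of relocating the flags; both are linker options, and passing them through NIX_CFLAGS_COMPILE is presumably what makes clang complain, so moving them to the linker-flag variable NIX_LDFLAGS would keep the protection for GCC and clang alike. Without them the GOT stays writable after startup and lazy binding remains enabled, which gives away part of what the retained `-fPIC`/`-fPIE` flags are there for, and the commit message does not say the protection is being removed rather than moved. The `hardening_relro`/`hardening_bindnow` attributes also vanish silently, so any derivation that sets them to false now has no effect and no warning. Something like `NIX_LDFLAGS = toString (args.NIX_LDFLAGS or "") + stdenv.lib.optionalString (args.hardening_all or true) (stdenv.lib.optionalString (args.hardening_relro or true) " -z relro" + stdenv.lib.optionalString (args.hardening_bindnow or true) " -z now");` next to the NIX_CFLAGS_COMPILE attribute would restore them; the remainder of the hardening adapter lies outside this hunk.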
From: Robin Gloster Date: Mon, 22 Feb 2016 18:32:53 +0000 Subject: [PATCH 276/603] bootstrap env: disable stackprotector hardening until gcc >=4.9 --- pkgs/development/compilers/gcc/4.9/default.nix | 4 +++- pkgs/development/interpreters/perl/5.20/default.nix | 3 +++ pkgs/development/libraries/cloog/0.18.0.nix | 3 +++ pkgs/development/libraries/gettext/default.nix | 2 ++ pkgs/development/libraries/gmp/5.1.x.nix | 3 +++ pkgs/development/libraries/isl/0.11.1.nix | 3 +++ pkgs/development/libraries/libelf/default.nix | 3 +++ pkgs/development/libraries/libmpc/default.nix | 3 +++ pkgs/development/libraries/mpfr/default.nix | 3 +++ pkgs/development/libraries/zlib/default.nix | 3 +++ pkgs/development/tools/misc/binutils/default.nix | 3 +++ pkgs/development/tools/misc/gnum4/default.nix | 3 +++ pkgs/development/tools/misc/patchelf/default.nix | 3 +++ pkgs/development/tools/misc/texinfo/6.0.nix | 3 +++ pkgs/development/tools/parsing/bison/3.x.nix | 3 +++ pkgs/os-specific/linux/kernel-headers/3.18.nix | 3 +++ pkgs/os-specific/linux/paxctl/default.nix | 3 +++ pkgs/tools/compression/xz/default.nix | 3 +++ pkgs/tools/misc/coreutils/default.nix | 3 +++ pkgs/tools/system/which/default.nix | 5 ++++- 20 files changed, 60 insertions(+), 2 deletions(-) diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix index f58daaa5377..fe1f4066110 100644 --- a/pkgs/development/compilers/gcc/4.9/default.nix +++ b/pkgs/development/compilers/gcc/4.9/default.nix @@ -74,7 +74,7 @@ let version = "4.9.3"; ++ optional langFortran ../gfortran-driving.patch # The NXConstStr.patch can be removed at 4.9.4 ++ optional stdenv.isDarwin ../gfortran-darwin-NXConstStr.patch; - + javaEcj = fetchurl { # The `$(top_srcdir)/ecj.jar' file is automatically picked up at # `configure' time. @@ -220,6 +220,8 @@ stdenv.mkDerivation ({ inherit patches; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; hardening_format = false; postPatch = 
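Review bot: `hardening_stackprotector = false;`, added above `postPatch` in the gcc 4.9 derivation, is unconditional, so as far as I can tell it stays off not only while the bootstrap compiler builds the package but for every later build with the final toolchain too, leaving the compiler itself and the rest of this set without stack protection permanently. The `# FIXME needs gcc 4.9 in bootstrap tools` comment should say which flag is rejected (presumably the `-fstack-protector-strong` introduced by the previous patch) and point at a tracking issue so the overrides can be removed once the bootstrap tools are refreshed, e.g. `# FIXME: bootstrap gcc predates -fstack-protector-strong; drop once bootstrap tools ship gcc >= 4.9 (see <TRACKING-ISSUE>)`. The same unconditional override is added in the perl, cloog, gettext, gmp, isl, libelf, libmpc, mpfr, zlib, binutils, gnum4, patchelf, texinfo and bison hunks of this patch. The rest of the gcc derivation is outside the hunk.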
diff --git a/pkgs/development/interpreters/perl/5.20/default.nix b/pkgs/development/interpreters/perl/5.20/default.nix index c91a43963d4..bc446a25d0f 100644 --- a/pkgs/development/interpreters/perl/5.20/default.nix +++ b/pkgs/development/interpreters/perl/5.20/default.nix @@ -30,6 +30,9 @@ stdenv.mkDerivation rec { outputs = [ "out" "man" ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + patches = [ # Do not look in /usr etc. for dependencies. ./no-sys-dirs.patch diff --git a/pkgs/development/libraries/cloog/0.18.0.nix b/pkgs/development/libraries/cloog/0.18.0.nix index ccd93828319..3dc9587c921 100644 --- a/pkgs/development/libraries/cloog/0.18.0.nix +++ b/pkgs/development/libraries/cloog/0.18.0.nix @@ -18,6 +18,9 @@ stdenv.mkDerivation rec { doCheck = true; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + meta = { description = "Library that generates loops for scanning polyhedra"; diff --git a/pkgs/development/libraries/gettext/default.nix b/pkgs/development/libraries/gettext/default.nix index ff7e9bc5bfd..9962e75e2f9 100644 --- a/pkgs/development/libraries/gettext/default.nix +++ b/pkgs/development/libraries/gettext/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation (rec { outputs = [ "out" "doc" ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; hardening_format = false; LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else ""; diff --git a/pkgs/development/libraries/gmp/5.1.x.nix b/pkgs/development/libraries/gmp/5.1.x.nix index 7b393067ff5..0db619b3658 100644 --- a/pkgs/development/libraries/gmp/5.1.x.nix +++ b/pkgs/development/libraries/gmp/5.1.x.nix @@ -12,6 +12,9 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ m4 ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + patches = if stdenv.isDarwin then [ ./need-size-t.patch ] else null; configureFlags = 
diff --git a/pkgs/development/libraries/isl/0.11.1.nix b/pkgs/development/libraries/isl/0.11.1.nix index 63140dba37f..c56c5b3892a 100644 --- a/pkgs/development/libraries/isl/0.11.1.nix +++ b/pkgs/development/libraries/isl/0.11.1.nix @@ -13,6 +13,9 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + meta = { homepage = http://www.kotnet.org/~skimo/isl/; license = stdenv.lib.licenses.lgpl21; diff --git a/pkgs/development/libraries/libelf/default.nix b/pkgs/development/libraries/libelf/default.nix index 88bce7f8661..cb0c8a7f5c1 100644 --- a/pkgs/development/libraries/libelf/default.nix +++ b/pkgs/development/libraries/libelf/default.nix @@ -10,6 +10,9 @@ stdenv.mkDerivation (rec { doCheck = true; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + # For cross-compiling, native glibc is needed for the "gencat" program. crossAttrs = { nativeBuildInputs = [ glibc ]; diff --git a/pkgs/development/libraries/libmpc/default.nix b/pkgs/development/libraries/libmpc/default.nix index 1e8ea0ffa13..cc883ba67b2 100644 --- a/pkgs/development/libraries/libmpc/default.nix +++ b/pkgs/development/libraries/libmpc/default.nix @@ -16,6 +16,9 @@ stdenv.mkDerivation rec { doCheck = true; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + meta = { description = "Library for multiprecision complex arithmetic with exact rounding"; diff --git a/pkgs/development/libraries/mpfr/default.nix b/pkgs/development/libraries/mpfr/default.nix index 581f956b0af..2c643885727 100644 --- a/pkgs/development/libraries/mpfr/default.nix +++ b/pkgs/development/libraries/mpfr/default.nix 
@@ -13,6 +13,9 @@ stdenv.mkDerivation rec { # mpfr.h requires gmp.h propagatedBuildInputs = [ gmp ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + configureFlags = stdenv.lib.optional stdenv.isSunOS "--disable-thread-safe" ++ stdenv.lib.optional stdenv.is64bit "--with-pic"; diff --git a/pkgs/development/libraries/zlib/default.nix b/pkgs/development/libraries/zlib/default.nix index 93474d14344..2871985a082 100644 --- a/pkgs/development/libraries/zlib/default.nix +++ b/pkgs/development/libraries/zlib/default.nix @@ -29,6 +29,9 @@ stdenv.mkDerivation (rec { fi ''; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + # As zlib takes part in the stdenv building, we don't want references # to the bootstrap-tools libgcc (as uses to happen on arm/mips) NIX_CFLAGS_COMPILE = stdenv.lib.optionalString (!stdenv.isDarwin) "-static-libgcc"; diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix index 86d69d8da8c..78adfe48751 100644 --- a/pkgs/development/tools/misc/binutils/default.nix +++ b/pkgs/development/tools/misc/binutils/default.nix @@ -39,6 +39,9 @@ stdenv.mkDerivation rec { inherit noSysDirs; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + preConfigure = '' # Clear the default library search path. if test "$noSysDirs" = "1"; then diff --git a/pkgs/development/tools/misc/gnum4/default.nix b/pkgs/development/tools/misc/gnum4/default.nix index 7216e1e169d..e610858838d 100644 --- a/pkgs/development/tools/misc/gnum4/default.nix +++ b/pkgs/development/tools/misc/gnum4/default.nix @@ -18,6 +18,9 @@ stdenv.mkDerivation rec { # Upstream is aware of it; it may be in the next release. patches = [ ./s_isdir.patch ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + meta = { homepage = http://www.gnu.org/software/m4/; description = "GNU M4, a macro processor"; 
diff --git a/pkgs/development/tools/misc/patchelf/default.nix b/pkgs/development/tools/misc/patchelf/default.nix index 5aa81e46bed..91658a5d4d9 100644 --- a/pkgs/development/tools/misc/patchelf/default.nix +++ b/pkgs/development/tools/misc/patchelf/default.nix @@ -10,6 +10,9 @@ stdenv.mkDerivation rec { setupHook = [ ./setup-hook.sh ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + meta = { homepage = http://nixos.org/patchelf.html; license = "GPL"; diff --git a/pkgs/development/tools/misc/texinfo/6.0.nix b/pkgs/development/tools/misc/texinfo/6.0.nix index 507ca22cd1a..786998c6af7 100644 --- a/pkgs/development/tools/misc/texinfo/6.0.nix +++ b/pkgs/development/tools/misc/texinfo/6.0.nix @@ -17,6 +17,9 @@ stdenv.mkDerivation rec { configureFlags = stdenv.lib.optional stdenv.isSunOS "AWK=${gawk}/bin/awk"; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + preInstall = '' installFlags="TEXMF=$out/texmf-dist"; installTargets="install install-tex"; diff --git a/pkgs/development/tools/parsing/bison/3.x.nix b/pkgs/development/tools/parsing/bison/3.x.nix index ee007414017..0062bc36561 100644 --- a/pkgs/development/tools/parsing/bison/3.x.nix +++ b/pkgs/development/tools/parsing/bison/3.x.nix @@ -11,6 +11,9 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ m4 perl ] ++ stdenv.lib.optional stdenv.isSunOS help2man; propagatedBuildInputs = [ m4 ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + meta = { homepage = "http://www.gnu.org/software/bison/"; description = "Yacc-compatible parser generator"; diff --git a/pkgs/os-specific/linux/kernel-headers/3.18.nix b/pkgs/os-specific/linux/kernel-headers/3.18.nix index 0cc38a0548c..be54d7a4e6a 100644 --- a/pkgs/os-specific/linux/kernel-headers/3.18.nix +++ b/pkgs/os-specific/linux/kernel-headers/3.18.nix 
@@ -34,6 +34,9 @@ stdenv.mkDerivation { buildInputs = [perl]; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + extraIncludeDirs = if cross != null then (if cross.arch == "powerpc" then ["ppc"] else []) diff --git a/pkgs/os-specific/linux/paxctl/default.nix b/pkgs/os-specific/linux/paxctl/default.nix index afb342768c3..50aa77104c2 100644 --- a/pkgs/os-specific/linux/paxctl/default.nix +++ b/pkgs/os-specific/linux/paxctl/default.nix @@ -18,6 +18,9 @@ stdenv.mkDerivation rec { "MANDIR=share/man/man1" ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + setupHook = ./setup-hook.sh; meta = with stdenv.lib; { diff --git a/pkgs/tools/compression/xz/default.nix b/pkgs/tools/compression/xz/default.nix index 5f5ee28ca06..6ddebe6b99d 100644 --- a/pkgs/tools/compression/xz/default.nix +++ b/pkgs/tools/compression/xz/default.nix @@ -15,6 +15,9 @@ stdenv.mkDerivation rec { postInstall = "rm -rf $out/share/doc"; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + meta = with stdenv.lib; { homepage = http://tukaani.org/xz/; description = "XZ, general-purpose data compression software, successor of LZMA"; diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index baa3900ad97..8833f32c5a8 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -20,6 +20,9 @@ let sha256 = "0w11jw3fb5sslf0f72kxy7llxgk1ia3a6bcw0c9kmvxrlj355mx2"; }; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + patches = if stdenv.isCygwin then ./coreutils-8.23-4.cygwin.patch else (if stdenv.isArm then (fetchurl { url = "http://git.savannah.gnu.org/cgit/coreutils.git/patch/?id=3ba68f9e64fa2eb8af22d510437a0c6441feb5e0"; diff --git a/pkgs/tools/system/which/default.nix b/pkgs/tools/system/which/default.nix index e9199a8f063..956fd590b14 100644 --- a/pkgs/tools/system/which/default.nix 
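Review bot: In the coreutils hunk the header context is `let`, and the new `hardening_stackprotector = false;` sits between the `src` fetch and `patches`; if these lines are bindings of that outer `let` rather than attributes of the `mkDerivation` set (whose opening is outside the hunk), the flag is a dead binding and the package stays hardened while the FIXME claims otherwise. That cannot be told from the hunk alone, so please confirm the attribute lands inside the derivation attrset, for instance by evaluating something like `nix-instantiate --eval -A coreutils.hardening_stackprotector` and checking it yields `false`.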
+++ b/pkgs/tools/system/which/default.nix @@ -2,12 +2,15 @@ stdenv.mkDerivation rec { name = "which-2.21"; - + src = fetchurl { url = "mirror://gnu/which/${name}.tar.gz"; sha256 = "1bgafvy3ypbhhfznwjv1lxmd6mci3x1byilnnkc7gcr486wlb8pl"; }; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + meta = with stdenv.lib; { homepage = http://ftp.gnu.org/gnu/which/; platforms = platforms.all; From 928c904a5bcab74437cda6507d2b144f60b508a5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 23 Feb 2016 00:57:11 +0000 Subject: [PATCH 277/603] stalonetray: disable format hardening --- pkgs/applications/window-managers/stalonetray/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/applications/window-managers/stalonetray/default.nix b/pkgs/applications/window-managers/stalonetray/default.nix index 5ef5ba769c4..43d0804222c 100644 --- a/pkgs/applications/window-managers/stalonetray/default.nix +++ b/pkgs/applications/window-managers/stalonetray/default.nix @@ -3,12 +3,16 @@ stdenv.mkDerivation rec { name = "stalonetray-${version}"; version = "0.8.1"; + src = fetchurl { url = "mirror://sourceforge/stalonetray/${name}.tar.bz2"; sha256 = "1wp8pnlv34w7xizj1vivnc3fkwqq4qgb9dbrsg15598iw85gi8ll"; }; + buildInputs = [ libX11 xproto ]; + hardening_format = false; + meta = with stdenv.lib; { description = "Stand alone tray"; maintainers = with maintainers; [ raskin ]; From 087cb7ba5b3b51c1cdd95de6a096a4b9d4781325 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 23 Feb 2016 07:54:51 +0000 Subject: [PATCH 278/603] gcc43: disable stackprotector hardening --- pkgs/development/compilers/gcc/4.3/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/development/compilers/gcc/4.3/default.nix b/pkgs/development/compilers/gcc/4.3/default.nix index 0ad156c53e5..6114c960ffd 100644 --- a/pkgs/development/compilers/gcc/4.3/default.nix +++ b/pkgs/development/compilers/gcc/4.3/default.nix 
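Review bot: The stalonetray hunk adds `hardening_format = false;` with no comment on what failed; since this flag presumably drives `-Werror=format-security`, turning it off means the build hit a non-literal format string — exactly the class of bug the flag exists to surface — and the diagnostic now disappears silently. Record the motivating error next to the flag, e.g. `# format: <file:line> passes a non-literal format string; see <upstream report>`, and prefer a small patch or `substituteInPlace` turning the call into `printf("%s", ...)` over disabling the check for the whole package. The `src` context shows a pinned 0.8.1 tarball, so such a patch would be stable.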
@@ -96,6 +96,7 @@ stdenv.mkDerivation ({ ; hardening_format = false; + hardening_stackprotector = false; configureFlags = " ${if enableMultilib then "" else "--disable-multilib"} From 4bf29b83f8ea14d000662473e887e2182bb03fa4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 23 Feb 2016 15:03:14 +0000 Subject: [PATCH 279/603] graphviz_2_0: disable format/fortify hardening --- pkgs/tools/graphics/graphviz/2.0.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/graphics/graphviz/2.0.nix b/pkgs/tools/graphics/graphviz/2.0.nix index 04fff805381..e08b1309d41 100644 --- a/pkgs/tools/graphics/graphviz/2.0.nix +++ b/pkgs/tools/graphics/graphviz/2.0.nix @@ -13,7 +13,10 @@ stdenv.mkDerivation rec { }; buildInputs = [pkgconfig xlibsWrapper libpng libjpeg expat libXaw yacc libtool fontconfig pango gd]; - + + hardening_format = false; + hardening_fortify = false; + configureFlags = [ "--with-pngincludedir=${libpng}/include" "--with-pnglibdir=${libpng}/lib" From 4447e42f02722310dc3af218e59fb7634ad7396e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 15:17:41 +0000 Subject: [PATCH 280/603] zbar: disable fortify hardening --- pkgs/tools/graphics/zbar/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/graphics/zbar/default.nix b/pkgs/tools/graphics/zbar/default.nix index 48e3316a4a2..f0e53696fc5 100644 --- a/pkgs/tools/graphics/zbar/default.nix +++ b/pkgs/tools/graphics/zbar/default.nix @@ -15,7 +15,9 @@ stdenv.mkDerivation rec { [ imagemagickBig pkgconfig python pygtk perl libX11 libv4l qt4 lzma gtk2 ]; - configureFlags = ["--disable-video"]; + configureFlags = [ "--disable-video" ]; + + hardening_fortify = false; meta = with stdenv.lib; { description = "Bar code reader"; From c88376bc3630564ef023dc054763be5ba72a1c46 Mon Sep 17 00:00:00 2001 
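Review bot: In the graphviz hunk both `hardening_format = false;` and `hardening_fortify = false;` land without a note on which compile error each one cured. Disabling fortify removes the `_FORTIFY_SOURCE` runtime checks on the str*/mem* family for a library that parses user-supplied graph files, and a fortify build failure is often the compiler statically proving an overflow, so the failing call deserves a look before it is masked. Suggest at least `# fortify/format: <diagnostic and file> -- revisit` above the two flags, and checking whether only one of the two is actually required.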
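Review bot: In the zbar hunk `hardening_fortify = false;` is added with no explanation, while the accompanying change to `configureFlags` is whitespace only. zbar decodes barcodes from camera frames and image files, i.e. untrusted input, so dropping `_FORTIFY_SOURCE` removes a runtime bounds check precisely where it pays off; if the build broke because fortify flagged a specific call, that call may be a genuine overflow rather than a false positive. Please record the failing diagnostic, e.g. `# fortify: <error> in <file>; upstream <ref>`, and consider fixing the call instead of disabling the check.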
From: Robin Gloster Date: Wed, 24 Feb 2016 15:39:30 +0000 Subject: [PATCH 281/603] zam-plugins: fix hash --- pkgs/applications/audio/zam-plugins/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/applications/audio/zam-plugins/default.nix b/pkgs/applications/audio/zam-plugins/default.nix index 48f559dfd86..3c9e80494d1 100644 --- a/pkgs/applications/audio/zam-plugins/default.nix +++ b/pkgs/applications/audio/zam-plugins/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { url = "https://github.com/zamaudio/zam-plugins.git"; deepClone = true; rev = "91fe56931a3e57b80f18c740d2dde6b44f962aee"; - sha256 = "0n29zxg4l2m3jsnfw6q2alyzaw7ibbv9nvk57k07sv3lh2yy3f30"; + sha256 = "1d8w3086xshl61yqaxg6lrvqb7bww30dsdzcd0mnii49wyzjpj0b"; }; buildInputs = [ boost libX11 mesa liblo libjack2 ladspaH lv2 pkgconfig rubberband libsndfile ]; From 1b6fd9abb72d149ca5445f043eefa1a228aa82f8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 15:40:14 +0000 Subject: [PATCH 282/603] zandronum-server: disable format hardening --- pkgs/games/zandronum/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/games/zandronum/default.nix b/pkgs/games/zandronum/default.nix index 479a6abe9a4..7cb1ed4d9ed 100644 --- a/pkgs/games/zandronum/default.nix +++ b/pkgs/games/zandronum/default.nix @@ -33,6 +33,8 @@ in stdenv.mkDerivation { enableParallelBuilding = true; + hardening_format = false; + installPhase = '' mkdir -p $out/bin mkdir -p $out/share/zandronum From 81bb9407f9b9e5b0d6792ba043a0a3a6d7aa2cb7 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 15:43:35 +0000 Subject: [PATCH 283/603] xf86_video_nested: disable fortify hardening --- pkgs/os-specific/linux/xf86-video-nested/default.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/pkgs/os-specific/linux/xf86-video-nested/default.nix b/pkgs/os-specific/linux/xf86-video-nested/default.nix index 0f9e0591a06..96f353a64da 100644 
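Review bot: The zam-plugins `src` hash is re-pinned without `rev` changing and without the commit saying why. With `deepClone = true;` the fetched output presumably includes repository history, which is not stable across fetches, so hash churn like this is expected — but it also means the hash no longer pins the tree content the way a plain `fetchgit` of a commit would. Either drop `deepClone` (if the build does not actually need history) so the hash pins the tree at `rev`, or state in the commit or a comment what changed upstream that justified accepting a new hash; silently re-pinning a source hash is exactly the step a supply-chain review wants explained.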
--- a/pkgs/os-specific/linux/xf86-video-nested/default.nix +++ b/pkgs/os-specific/linux/xf86-video-nested/default.nix @@ -16,10 +16,9 @@ stdenv.mkDerivation { pkgconfig renderproto utilmacros xorgserver ]; + hardening_fortify = false; - configurePhase = '' - ./configure --prefix=$out CFLAGS="-I${pixman}/include/pixman-1" - ''; + CFLAGS = "-I${pixman}/include/pixman-1"; meta = { homepage = http://cgit.freedesktop.org/xorg/driver/xf86-video-nested; From 21b1e9e3dad8015d255e220ffe03ad2d7af31d4f Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 16:00:25 +0000 Subject: [PATCH 284/603] xbindkeys-config: disable format hardening --- pkgs/tools/X11/xbindkeys-config/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/X11/xbindkeys-config/default.nix b/pkgs/tools/X11/xbindkeys-config/default.nix index 57d8d82759c..b4fc755bd84 100644 --- a/pkgs/tools/X11/xbindkeys-config/default.nix +++ b/pkgs/tools/X11/xbindkeys-config/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "1rs3li2hyig6cdzvgqlbz0vw6x7rmgr59qd6m0cvrai8xhqqykda"; }; + hardening_format = false; + meta = { homepage = https://packages.debian.org/source/xbindkeys-config; description = "Graphical interface for configuring xbindkeys"; From 8cbb8331a71ea76a01ee11eb52307c4848fe9ab6 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 16:01:51 +0000 Subject: [PATCH 285/603] xarchive: disable format hardening --- pkgs/tools/archivers/xarchive/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/archivers/xarchive/default.nix b/pkgs/tools/archivers/xarchive/default.nix index ed60e3147a8..6407fe4f350 100644 --- a/pkgs/tools/archivers/xarchive/default.nix +++ b/pkgs/tools/archivers/xarchive/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ gtk2 pkgconfig ]; + hardening_format = false; + meta = { description = "A GTK+ front-end for command line archiving tools"; maintainers = [ stdenv.lib.maintainers.iElectric ]; 
From 3d169b83cfd2eb378df2eae8f732e369299e99ab Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 16:06:55 +0000 Subject: [PATCH 286/603] vym: disable format hardening --- pkgs/applications/misc/vym/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/misc/vym/default.nix b/pkgs/applications/misc/vym/default.nix index b1cfbd5d9ac..5904a2a5ffd 100644 --- a/pkgs/applications/misc/vym/default.nix +++ b/pkgs/applications/misc/vym/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig qt4 ]; + hardening_format = false; + configurePhase = '' qmake PREFIX="$out" ''; @@ -22,7 +24,7 @@ stdenv.mkDerivation rec { Such maps can help you to improve your creativity and effectivity. You can use them for time management, to organize tasks, to get an overview over complex contexts, to sort your ideas etc. - + Maps can be drawn by hand on paper or a flip chart and help to structure your thoughs. While a tree like structure like shown on this page can be drawn by hand or any drawing software vym offers much more features to work with such maps. From eff4faf7f30e3aa7063429c8d3abf085f3624fe1 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 16:07:13 +0000 Subject: [PATCH 287/603] swt: disable format hardening --- pkgs/development/libraries/java/swt/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/java/swt/default.nix b/pkgs/development/libraries/java/swt/default.nix index d942dd7b692..855b800ba9f 100644 --- a/pkgs/development/libraries/java/swt/default.nix +++ b/pkgs/development/libraries/java/swt/default.nix @@ -28,6 +28,8 @@ in stdenv.mkDerivation rec { builder = ./builder.sh; + hardening_format = false; + # Alas, the Eclipse Project apparently doesn't produce source-only # releases of SWT. So we just grab a binary release and extract # "src.zip" from that. From e7f9e8a26fdfb863b3c7e004a27ada56dac85fa2 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Wed, 24 Feb 2016 16:54:49 +0000 Subject: [PATCH 288/603] trustedGrub: disable stackprotector/pic hardening --- pkgs/tools/misc/grub/trusted.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/tools/misc/grub/trusted.nix b/pkgs/tools/misc/grub/trusted.nix index 694f45599f3..39c1ce9c0c1 100644 --- a/pkgs/tools/misc/grub/trusted.nix +++ b/pkgs/tools/misc/grub/trusted.nix @@ -47,6 +47,9 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses libusb freetype gettext devicemapper ] ++ optional doCheck qemu; + hardening_stackprotector = false; + hardening_pic = false; + preConfigure = '' for i in "tests/util/"*.in do From c884697acc081f6884e3486c0476ec78e3684e6d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 17:01:37 +0000 Subject: [PATCH 289/603] tboot: disable stackprotector/pic hardening --- pkgs/tools/security/tboot/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/tools/security/tboot/default.nix b/pkgs/tools/security/tboot/default.nix index 854f67f2aee..1a2bc6a3108 100644 --- a/pkgs/tools/security/tboot/default.nix +++ b/pkgs/tools/security/tboot/default.nix @@ -12,12 +12,16 @@ stdenv.mkDerivation rec { patches = [ ./tboot-add-well-known-secret-option-to-lcp_writepol.patch ]; + hardening_pic = false; + hardening_stackprotector = false; + configurePhase = '' for a in lcptools utils tb_polgen; do substituteInPlace $a/Makefile --replace /usr/sbin /sbin done substituteInPlace docs/Makefile --replace /usr/share /share ''; + installFlags = "DESTDIR=$(out)"; meta = with stdenv.lib; { From 282d03c4b0b97ba3e4eeb08cbb57aa1375e82607 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 17:10:58 +0000 Subject: [PATCH 290/603] swiProlog: disable format hardening --- pkgs/development/compilers/swi-prolog/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
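Review bot: In the trustedGrub hunk `hardening_stackprotector = false;` and `hardening_pic = false;` are set for the whole derivation with no comment. For the boot-time image these are expected (there is no SSP/TLS canary runtime in a bootloader), but the same derivation presumably also builds the host-side utilities, which lose both protections as a side effect; whether the build system sets its own flags for the boot images is not visible here. Suggest `# boot image cannot use SSP/PIC; host utilities built unhardened as a side effect -- TODO scope via per-target CFLAGS` so the trade-off is recorded.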
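Review bot: In the tboot hunk disabling `hardening_pic` and `hardening_stackprotector` package-wide covers more than the bare-metal tboot module that needs it; the `configurePhase` context right below patches Makefiles for `lcptools`, `utils` and `tb_polgen`, which are ordinary userland tools handling TPM launch-control policy data and would benefit from both protections. Consider limiting the opt-out to the boot component (the top-level Makefile's per-target flags are the likely place) and leaving the tools hardened, or at minimum document it: `# tboot.gz is a bare-metal image (no SSP runtime, fixed load address); tools are built unhardened as a side effect`. The added blank line before `installFlags` is cosmetic.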
diff --git a/pkgs/development/compilers/swi-prolog/default.nix b/pkgs/development/compilers/swi-prolog/default.nix index 1f38198b30b..3c257dfc7df 100644 --- a/pkgs/development/compilers/swi-prolog/default.nix +++ b/pkgs/development/compilers/swi-prolog/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation { buildInputs = [ gmp readline openssl libjpeg unixODBC libXinerama libXft libXpm libSM libXt zlib freetype pkgconfig fontconfig ]; + hardening_format = false; + configureFlags = "--with-world --enable-gmp --enable-shared"; buildFlags = "world"; From dcf103284ff67bf4fc2a94783d29418dcc4332c4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 17:13:08 +0000 Subject: [PATCH 291/603] stardust: disable format hardening --- pkgs/games/stardust/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/games/stardust/default.nix b/pkgs/games/stardust/default.nix index aa68da6b73d..94da81533c1 100644 --- a/pkgs/games/stardust/default.nix +++ b/pkgs/games/stardust/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation rec { installFlags = [ "bindir=\${out}/bin" ]; + hardening_format = false; + postConfigure = '' substituteInPlace config.h \ --replace '#define PACKAGE ""' '#define PACKAGE "stardust"' From 18adc96e0f8410e49d4deba1651638898d0ea79c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 21:29:55 +0000 Subject: [PATCH 292/603] supercollider: disable fortify hardening --- .../development/interpreters/supercollider/default.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/pkgs/development/interpreters/supercollider/default.nix b/pkgs/development/interpreters/supercollider/default.nix index f44347c61b7..cb60a41a690 100644 --- a/pkgs/development/interpreters/supercollider/default.nix +++ b/pkgs/development/interpreters/supercollider/default.nix 
@@ -3,10 +3,10 @@ , libXt, qt, readline , useSCEL ? false, emacs }: - + let optional = stdenv.lib.optional; in -stdenv.mkDerivation rec { +stdenv.mkDerivation rec { name = "supercollider-3.6.6"; meta = { @@ -21,6 +21,8 @@ stdenv.mkDerivation rec { sha256 = "11khrv6jchs0vv0lv43am8lp0x1rr3h6l2xj9dmwrxcpdayfbalr"; }; + hardening_stackprotector = false; + # QGtkStyle unavailable patchPhase = '' substituteInPlace editors/sc-ide/widgets/code_editor/autocompleter.cpp \ @@ -29,12 +31,12 @@ stdenv.mkDerivation rec { cmakeFlags = '' -DSC_WII=OFF - -DSC_EL=${if useSCEL then "ON" else "OFF"} + -DSC_EL=${if useSCEL then "ON" else "OFF"} ''; nativeBuildInputs = [ cmake pkgconfig ]; - buildInputs = [ + buildInputs = [ gcc libjack2 libsndfile fftw curl libXt qt readline ] ++ optional useSCEL emacs; } From 2fbbd71861374990a8cab7ff9e0542993e56adc6 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 21:36:26 +0000 Subject: [PATCH 293/603] riak2: disable format hardening --- pkgs/servers/nosql/riak/2.1.1.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/nosql/riak/2.1.1.nix b/pkgs/servers/nosql/riak/2.1.1.nix index c62cea180be..05cf4270f9f 100644 --- a/pkgs/servers/nosql/riak/2.1.1.nix +++ b/pkgs/servers/nosql/riak/2.1.1.nix @@ -34,6 +34,8 @@ stdenv.mkDerivation rec { src = srcs.riak; + hardening_format = false; + postPatch = '' sed -i deps/node_package/priv/base/env.sh \ -e 's@{{platform_data_dir}}@''${RIAK_DATA_DIR:-/var/db/riak}@' \ From 8edbf1cb031c380c66ad5775152d07062d2ddb4a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 21:45:16 +0000 Subject: [PATCH 294/603] qtpfsgui: disable format hardening --- pkgs/applications/graphics/qtpfsgui/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/graphics/qtpfsgui/default.nix b/pkgs/applications/graphics/qtpfsgui/default.nix index efa245cc7e9..da6521199c5 100644 --- a/pkgs/applications/graphics/qtpfsgui/default.nix 
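Review bot: The supercollider commit title says "disable fortify hardening" but the hunk adds `hardening_stackprotector = false;`; one of the two is wrong. If fortify is what broke, this leaves the build failing and needlessly drops the stack protector; if the stack protector was the problem, the message should say so. Please reconcile the two and add a comment naming the actual diagnostic next to the flag, e.g. `# stackprotector: <error> in <file>`.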
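Review bot: In the riak hunk `hardening_format = false;` is set on a network-facing database server with no recorded reason. Riak is mostly Erlang, so the C code this flag affects is presumably the bundled NIFs and port drivers (leveldb and friends) that see attacker-influenced data; a non-literal format string there is worth locating rather than suppressing. Add a comment with the failing file and the upstream issue, e.g. `# format: <dep>/<file> uses a non-literal format string (-Werror=format-security); see <ref>`, and consider a patch in place of the package-wide opt-out.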
+++ b/pkgs/applications/graphics/qtpfsgui/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ qt4 exiv2 openexr fftwSinglePrec libtiff ]; + hardening_format = false; + configurePhase = '' export CPATH="${ilmbase}/include/OpenEXR:$CPATH" qmake PREFIX=$out EXIV2PATH=${exiv2}/include/exiv2 \ From f4405557c74430c11c1364cf87bcb6c60ece9037 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 22:00:30 +0000 Subject: [PATCH 295/603] mxt-app: disable fortify hardening --- pkgs/misc/mxt-app/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/misc/mxt-app/default.nix b/pkgs/misc/mxt-app/default.nix index cfcba8a3a8b..e1db07bfff2 100644 --- a/pkgs/misc/mxt-app/default.nix +++ b/pkgs/misc/mxt-app/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec{ buildInputs = [ autoconf automake libtool ]; preConfigure = "./autogen.sh"; + hardening_fortify = false; + meta = with stdenv.lib; { description = "Command line utility for Atmel maXTouch devices"; homepage = http://github.com/atmel-maxtouch/mxt-app; From 2700dac7deaf1aa22fe0a60e79f5f65ee1521e1c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 22:17:45 +0000 Subject: [PATCH 296/603] lush: disable pic hardening --- .../development/interpreters/lush/default.nix | 31 +++++++++---------- 1 file changed, 14 insertions(+), 17 deletions(-) diff --git a/pkgs/development/interpreters/lush/default.nix b/pkgs/development/interpreters/lush/default.nix index 63cf85bc506..7a4e5c1a336 100644 --- a/pkgs/development/interpreters/lush/default.nix +++ b/pkgs/development/interpreters/lush/default.nix 
@@ -1,32 +1,29 @@ {stdenv, fetchurl, libX11, xproto, indent, readline, gsl, freeglut, mesa, SDL , blas, binutils, intltool, gettext, zlib}: -let - s = # Generated upstream information - rec { - baseName="lush"; - version="2.0.1"; - name="${baseName}-${version}"; - hash="02pkfn3nqdkm9fm44911dbcz0v3r0l53vygj8xigl6id5g3iwi4k"; + +stdenv.mkDerivation rec { + baseName = "lush"; + version = "2.0.1"; + name = "${baseName}-${version}"; + + src = fetchurl { url="mirror://sourceforge/project/lush/lush2/lush-2.0.1.tar.gz"; sha256="02pkfn3nqdkm9fm44911dbcz0v3r0l53vygj8xigl6id5g3iwi4k"; }; + buildInputs = [ libX11 xproto indent readline gsl freeglut mesa SDL blas binutils intltool gettext zlib ]; -in -stdenv.mkDerivation { - inherit (s) name version; - inherit buildInputs; - src = fetchurl { - inherit (s) url sha256; - }; + + hardening_pic = false; + NIX_LDFLAGS=" -lz "; + meta = { - inherit (s) version; - description = ''Lisp Universal SHell''; + description = "Lisp Universal SHell"; license = stdenv.lib.licenses.gpl2Plus ; - maintainers = [stdenv.lib.maintainers.raskin]; + maintainers = [ stdenv.lib.maintainers.raskin ]; platforms = stdenv.lib.platforms.linux; }; } From d9b4391717eca6283522a5e5b76cbdef0d7495f1 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 22:54:34 +0000 Subject: [PATCH 297/603] grub: disable stackprotector hardening --- pkgs/tools/misc/grub/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/grub/default.nix b/pkgs/tools/misc/grub/default.nix index d6534fc5ee6..c0579b91816 100644 --- a/pkgs/tools/misc/grub/default.nix +++ b/pkgs/tools/misc/grub/default.nix @@ -36,6 +36,8 @@ stdenv.mkDerivation { # autoreconfHook required for the splashimage patch. buildInputs = [ autoreconfHook texinfo ]; + hardening_stackprotector = false; + prePatch = '' unpackFile $gentooPatches rm patch/400_all_grub-0.97-reiser4-20050808-gentoo.patch From c677109fcd897e3b7ce797df1097ca80b6ccb841 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Wed, 24 Feb 2016 22:56:56 +0000 Subject: [PATCH 298/603] go_1_6: disable all hardening --- pkgs/development/compilers/go/1.6.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/go/1.6.nix b/pkgs/development/compilers/go/1.6.nix index cb1d396f50a..e43d6b18473 100644 --- a/pkgs/development/compilers/go/1.6.nix +++ b/pkgs/development/compilers/go/1.6.nix @@ -29,6 +29,8 @@ stdenv.mkDerivation rec { Security Foundation ]; + hardening_all = false; + # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. preUnpack = '' From 56ceca9d46bd5d7001141df360742543c6204200 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 25 Feb 2016 00:55:53 +0000 Subject: [PATCH 299/603] cromfs: use default gcc --- pkgs/tools/archivers/cromfs/default.nix | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/pkgs/tools/archivers/cromfs/default.nix b/pkgs/tools/archivers/cromfs/default.nix index cd151698f25..042880b39c9 100644 --- a/pkgs/tools/archivers/cromfs/default.nix +++ b/pkgs/tools/archivers/cromfs/default.nix @@ -1,18 +1,15 @@ -{ stdenv, fetchurl, pkgconfig, fuse, perl, gcc48 }: +{ stdenv, fetchurl, pkgconfig, fuse, perl }: stdenv.mkDerivation rec { name = "cromfs-1.5.10.2"; - + src = fetchurl { url = "http://bisqwit.iki.fi/src/arch/${name}.tar.bz2"; sha256 = "0xy2x1ws1qqfp7hfj6yzm80zhrxzmhn0w2yns77im1lmd2h18817"; }; - patchPhase = ''sed -i 's@/bin/bash@/bin/sh@g' configure''; + postPatch = "patchShebangs configure"; - # Removing the static linking, as it doesn't compile in x86_64. - makeFlags = "cromfs-driver util/mkcromfs util/unmkcromfs util/cvcromfs"; - installPhase = '' install -d $out/bin install cromfs-driver $out/bin 
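Review bot: In the go_1_6 hunk `hardening_all = false;` switches every hardening flag off in one stroke without saying which one the Go build actually rejects. Typically only one flag conflicts (format or stack protector are the usual suspects), and the blanket setting also drops relro/bindnow and fortify for the C pieces compiled during this build — as far as I can tell that includes the cgo runtime objects that end up linked into every cgo program built with this toolchain. Please narrow it to the offending flag(s) and leave a comment like `# <flag>: breaks <package>/test with <diagnostic>`.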
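Review bot: The cromfs hunk does more than switch to the default gcc: it also drops the `makeFlags` that restricted the build to `cromfs-driver util/mkcromfs util/unmkcromfs util/cvcromfs`, along with the comment that the static-linking targets do not compile on x86_64, and the commit message does not mention this. If the default target now also builds the static variants, confirm that really works on x86_64 and that the newer gcc rather than the target list was the fix; otherwise keep the `makeFlags` line. `postPatch = "patchShebangs configure";` is a fine replacement for the sed. The `installPhase` continues past the end of the hunk.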
@@ -21,7 +18,7 @@ stdenv.mkDerivation rec { install util/unmkcromfs $out/bin ''; - buildInputs = [ pkgconfig fuse perl gcc48 ]; + buildInputs = [ pkgconfig fuse perl ]; meta = { description = "FUSE Compressed ROM filesystem with lzma"; From 0f4ecfad68f9ed35beaf9e26df22bb0fb799f645 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 25 Feb 2016 01:27:43 +0000 Subject: [PATCH 300/603] certificate-transparency: clean up and use newer clang --- .../certificate-transparency/default.nix | 50 +++++++++---------- 1 file changed, 24 insertions(+), 26 deletions(-) diff --git a/pkgs/servers/certificate-transparency/default.nix b/pkgs/servers/certificate-transparency/default.nix index 80fae89c76d..a7c2be4e286 100644 --- a/pkgs/servers/certificate-transparency/default.nix +++ b/pkgs/servers/certificate-transparency/default.nix @@ -1,4 +1,7 @@ -{ stdenv, pkgs, ...}: +{ stdenv, fetchFromGitHub, autoreconfHook, clang, pkgconfig +, glog, gmock, gtest, google-gflags, gperftools, json_c, leveldb +, libevent, libevhtp, openssl, protobuf, sqlite +}: stdenv.mkDerivation rec { name = "certificate-transparency-${version}"; @@ -6,15 +9,7 @@ stdenv.mkDerivation rec { version = "2016-01-14"; rev = "250672b5aef3666edbdfc9a75b95a09e7a57ed08"; - meta = with stdenv.lib; { - homepage = https://www.certificate-transparency.org/; - description = "Auditing for TLS certificates."; - license = licenses.asl20; - platforms = platforms.unix; - maintainers = with maintainers; [ philandstuff ]; - }; - - src = pkgs.fetchFromGitHub { + src = fetchFromGitHub { owner = "google"; repo = "certificate-transparency"; rev = rev; 
@@ -22,13 +17,13 @@ stdenv.mkDerivation rec { }; # need to disable regex support in evhtp or building will fail - libevhtp_without_regex = stdenv.lib.overrideDerivation pkgs.libevhtp + libevhtp_without_regex = stdenv.lib.overrideDerivation libevhtp (oldAttrs: { - cmakeFlags="-DEVHTP_DISABLE_REGEX:STRING=ON -DCMAKE_C_FLAGS:STRING=-fPIC"; + cmakeFlags = "-DEVHTP_DISABLE_REGEX:STRING=ON"; }); - buildInputs = with pkgs; [ - autoconf automake clang_34 pkgconfig + buildInputs = [ + autoreconfHook clang pkgconfig glog gmock google-gflags gperftools gtest json_c leveldb libevent libevhtp_without_regex openssl protobuf sqlite ]; @@ -37,21 +32,24 @@ stdenv.mkDerivation rec { ./protobuf-include-from-env.patch ]; - doCheck = false; - - preConfigure = '' - ./autogen.sh - configureFlagsArray=( - CC=clang - CXX=clang++ - GMOCK_DIR=${pkgs.gmock} - GTEST_DIR=${pkgs.gtest} - ) - ''; + configureFlags = [ + "CC=clang" + "CXX=clang++" + "GMOCK_DIR=${gmock}" + "GTEST_DIR=${gtest}" + ]; # the default Makefile constructs BUILD_VERSION from `git describe` # which isn't available in the nix build environment makeFlags = "BUILD_VERSION=${version}-${rev}"; - protocFlags = "-I ${pkgs.protobuf}/include"; + protocFlags = "-I ${protobuf}/include"; + + meta = with stdenv.lib; { + homepage = https://www.certificate-transparency.org/; + description = "Auditing for TLS certificates."; + license = licenses.asl20; + platforms = platforms.unix; + maintainers = with maintainers; [ philandstuff ]; + }; } From 7561c1c9e7352688f7541e88547293599efcd533 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 25 Feb 2016 02:10:33 +0000 Subject: [PATCH 301/603] gcl: clean up and disable pic hardening --- pkgs/development/compilers/gcl/default.nix | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/pkgs/development/compilers/gcl/default.nix b/pkgs/development/compilers/gcl/default.nix index 25b1599fbea..008f426d74a 100644 --- a/pkgs/development/compilers/gcl/default.nix 
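Review bot: In the second certificate-transparency hunk, passing `"CC=clang"`/`"CXX=clang++"` through `configureFlags` while the derivation is otherwise built with the default (gcc) stdenv mixes toolchains: setup hooks and `$CC`/`$CXX` come from the gcc wrapper while compilation uses whichever `clang` wrapper `buildInputs` puts first on PATH. The idiomatic form is to build the derivation with `clangStdenv` (or `overrideCC stdenv clang`) so the compiler, its hardening wrapper and the environment agree, after which the two flags can go. Dropping `doCheck = false;` is fine since that is the default.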
+++ b/pkgs/development/compilers/gcl/default.nix @@ -27,22 +27,7 @@ stdenv.mkDerivation rec { "--enable-ansi" ]; - # Upstream bug submitted - http://savannah.gnu.org/bugs/index.php?30371 - # $TMPDIR must have no extension - # setVars = a.noDepEntry '' - # export TMPDIR="''${TMPDIR:-''${TMP:-''${TEMP}}}/tmp-for-gcl" - # mkdir -p "$TMPDIR" - # ''; - - preBuild = '' - # sed -re "s@/bin/cat@$(which cat)@g" -i configure */configure - # sed -re "s@if test -d /proc/self @if false @" -i configure - # sed -re 's^([ \t])cpp ^\1cpp -I${stdenv.cc.cc}/include -I${stdenv.cc.libc}/include ^g' -i makefile - ''; - - /* doConfigure should be removed if not needed */ - # phaseNames = ["setVars" "doUnpack" "preBuild" - # "doConfigure" "doMakeInstall"]; + hardening_pic = false; meta = { description = "GNU Common Lisp compiler working via GCC"; From 6619c68e0a1db9d0cf2b82c6fe2e3ca8c4359f06 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 25 Feb 2016 02:20:27 +0000 Subject: [PATCH 302/603] teylus: disable format hardening --- pkgs/development/compilers/teyjus/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/teyjus/default.nix b/pkgs/development/compilers/teyjus/default.nix index b16b32a6a06..1e63b2d2be0 100644 --- a/pkgs/development/compilers/teyjus/default.nix +++ b/pkgs/development/compilers/teyjus/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation { buildInputs = [ omake ocaml flex bison ]; + hardening_format = false; + buildPhase = "omake all"; checkPhase = "omake check"; From 710f4cff7a82d1693a9735999c3a6413013124ae Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 25 Feb 2016 02:25:49 +0000 Subject: [PATCH 303/603] wvstreams: use newer gcc --- pkgs/development/libraries/wvstreams/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/wvstreams/default.nix b/pkgs/development/libraries/wvstreams/default.nix index b879cf37a31..ecfc9b88a0e 100644 
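Review bot: In the gcl hunk `hardening_pic = false;` replaces a block of stale commented-out build notes but gets no comment of its own. GCL, as far as I recall, saves and reloads its heap image at fixed addresses, which is why PIC/PIE-style relocation breaks it; a one-liner such as `# pic: GCL's saved-image mechanism assumes non-relocatable code` would stop the next maintainer from "fixing" it. Removing the dead commented code is welcome.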
--- a/pkgs/development/libraries/wvstreams/default.nix +++ b/pkgs/development/libraries/wvstreams/default.nix @@ -1,4 +1,4 @@ -{ stdenv, gcc46, fetchurl, qt4, dbus, zlib, openssl, readline, perl }: +{ stdenv, fetchurl, qt4, dbus, zlib, openssl, readline, perl }: stdenv.mkDerivation { name = "wvstreams-4.6.1"; @@ -16,7 +16,7 @@ stdenv.mkDerivation { sed -e '1i#include ' -i $(find . -name '*.c' -o -name '*.cc') ''; - buildInputs = [ gcc46 qt4 dbus zlib openssl readline perl ]; + buildInputs = [ qt4 dbus zlib openssl readline perl ]; meta = { description = "Network programming library in C++"; From da9352ee736b7e4344a338b08c23e35b39d70c9b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 25 Feb 2016 10:22:10 +0000 Subject: [PATCH 304/603] haskell.compilers.ghc6104: turn off format hardening --- pkgs/development/compilers/ghc/6.10.4.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/ghc/6.10.4.nix b/pkgs/development/compilers/ghc/6.10.4.nix index d8157673fbc..4f95e859292 100644 --- a/pkgs/development/compilers/ghc/6.10.4.nix +++ b/pkgs/development/compilers/ghc/6.10.4.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ghc libedit perl gmp]; + hardening_format = false; + configureFlags = [ "--with-gmp-libraries=${gmp}/lib" "--with-gmp-includes=${gmp}/include" From e0200a507bb68222673caed2e689130285fc017b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 25 Feb 2016 20:06:54 +0000 Subject: [PATCH 305/603] ssvnc: turn off format hardening --- pkgs/applications/networking/remote/ssvnc/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/networking/remote/ssvnc/default.nix b/pkgs/applications/networking/remote/ssvnc/default.nix index 956391b71f8..681ace6ab8f 100644 --- a/pkgs/applications/networking/remote/ssvnc/default.nix +++ b/pkgs/applications/networking/remote/ssvnc/default.nix 
@@ -14,6 +14,8 @@ stdenv.mkDerivation rec { configurePhase = "makeFlags=PREFIX=$out"; + hardening_format = false; + postInstall = '' sed -i -e 's|exec wish|exec ${tk}/bin/wish|' $out/lib/ssvnc/util/ssvnc.tcl sed -i -e 's|/usr/bin/perl|${perl}/bin/perl|' $out/lib/ssvnc/util/ss_vncviewer From 7412bffd9e85a4038b8065ed7455dd9052a8cdfc Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 15:42:23 +0000 Subject: [PATCH 306/603] self: use default compiler --- pkgs/development/interpreters/self/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/interpreters/self/default.nix b/pkgs/development/interpreters/self/default.nix index d37d6099394..c00298c0fdc 100644 --- a/pkgs/development/interpreters/self/default.nix +++ b/pkgs/development/interpreters/self/default.nix @@ -1,4 +1,4 @@ -{ fetchurl, fetchgit, stdenv, xorg, gcc44, makeWrapper, ncurses, cmake }: +{ fetchurl, fetchgit, stdenv, xorg, makeWrapper, ncurses, cmake }: stdenv.mkDerivation rec { # The Self wrapper stores source in $XDG_DATA_HOME/self or ~/.local/share/self @@ -21,7 +21,7 @@ stdenv.mkDerivation rec { }; # gcc 4.6 and above causes crashes on Self startup but gcc 4.4 works. - buildInputs = [ gcc44 ncurses xorg.libX11 xorg.libXext makeWrapper cmake ]; + buildInputs = [ ncurses xorg.libX11 xorg.libXext makeWrapper cmake ]; selfWrapper = ./self; From 351173c2ddf98b9d8ac64f64784835c91dc45571 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 15:51:08 +0000 Subject: [PATCH 307/603] stunnel: 5.29 -> 5.30 --- pkgs/tools/networking/stunnel/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/networking/stunnel/default.nix b/pkgs/tools/networking/stunnel/default.nix index e8b56ed7d96..b3a493c9375 100644 --- a/pkgs/tools/networking/stunnel/default.nix +++ b/pkgs/tools/networking/stunnel/default.nix 
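Review bot: The comment `# gcc 4.6 and above causes crashes on Self startup but gcc 4.4 works.` survives in the self hunk while the line it explained, `gcc44` in buildInputs, is removed, so the comment now contradicts the code. Either delete it or replace it with what was actually established, e.g. `# Once pinned to gcc 4.4 because newer gcc crashed Self on startup; now built with the default compiler — confirm the crash no longer reproduces.` The surrounding mkDerivation continues outside the hunk.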
@@ -2,11 +2,11 @@ stdenv.mkDerivation rec { name = "stunnel-${version}"; - version = "5.29"; + version = "5.30"; src = fetchurl { url = "http://www.stunnel.org/downloads/${name}.tar.gz"; - sha256 = "0lgmdpsm36a6j5s0jabv3cfg3rzqz9c9sfdqgkx399iy80jrd423"; + sha256 = "0w05sqwg3jn7n469w2yxj0cxx7az7jpd8wbcrwxlp5d1ys4v6vkx"; }; buildInputs = [ openssl ]; From 46b0d5163669f1368523cdae25420db2b043ae0a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 15:59:24 +0000 Subject: [PATCH 308/603] flow: 0.18 -> 0.22 --- pkgs/development/tools/analysis/flow/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/tools/analysis/flow/default.nix b/pkgs/development/tools/analysis/flow/default.nix index 938f6e9c2b9..3ed7434e4a8 100644 --- a/pkgs/development/tools/analysis/flow/default.nix +++ b/pkgs/development/tools/analysis/flow/default.nix @@ -3,13 +3,13 @@ with lib; stdenv.mkDerivation rec { - version = "0.18.1"; + version = "0.22.0"; name = "flow-${version}"; src = fetchFromGitHub { owner = "facebook"; repo = "flow"; rev = "v${version}"; - sha256 = "00pmrk577p6ngqif4rvhwybb4gyw70vsgxcxxwj995dg4hf196s1"; + sha256 = "1p8a5cf85ydz6g04zsvsa6sh2b4p94mj9cqj7k6llf0dsiihrv54"; }; installPhase = '' From c045d2de37261fcfb1d83f427b364684e715e842 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 16:08:51 +0000 Subject: [PATCH 309/603] signing-party: 2.1 -> 2.2 --- pkgs/tools/security/signing-party/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/security/signing-party/default.nix b/pkgs/tools/security/signing-party/default.nix index dfd5cd6c7d7..e2e3955628d 100644 --- a/pkgs/tools/security/signing-party/default.nix +++ b/pkgs/tools/security/signing-party/default.nix 
@@ -1,12 +1,12 @@ {stdenv, fetchurl, gnupg, perl, automake111x, autoconf}: stdenv.mkDerivation rec { - version = "2.1"; + version = "2.2"; basename = "signing-party"; name = "${basename}-${version}"; src = fetchurl { url = "mirror://debian/pool/main/s/${basename}/${basename}_${version}.orig.tar.gz"; - sha256 = "0pcni3mf92503bqknwlsvv1f5gz23dmzwas2j8g2fk7afjd891ya"; + sha256 = "13qncdyadw1cnslc2xss9s2rpkalm7rz572b23p7mqcdqp30cpdd"; }; sourceRoot = "."; From b6279950bdec2614454bf41ec6ab999ad9b1a0ed Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 16:30:26 +0000 Subject: [PATCH 310/603] openssh: enable pie hardening --- pkgs/tools/networking/openssh/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index a6aed5169c8..67c0f3ec89e 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -71,6 +71,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardening_pie = true; + postInstall = '' # Install ssh-copy-id, it's very useful. cp contrib/ssh-copy-id $out/bin/ From 310fa567881422cc8c95bb977c8f6b70e1e06304 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 16:38:26 +0000 Subject: [PATCH 311/603] nginx: enable pie hardening --- pkgs/servers/http/nginx/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/http/nginx/default.nix b/pkgs/servers/http/nginx/default.nix index 6944a89477a..3dbb34f9b02 100644 --- a/pkgs/servers/http/nginx/default.nix +++ b/pkgs/servers/http/nginx/default.nix @@ -55,6 +55,8 @@ stdenv.mkDerivation rec { preConfigure = concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules; + hardening_pie = true; + meta = { description = "A reverse proxy and lightweight webserver"; homepage = http://nginx.org; From a73762200daa5fe2c3fb9ab917fbab0c1fc34a20 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 26 Feb 2016 16:45:49 +0000 Subject: [PATCH 312/603] socat: enable pie hardening --- pkgs/tools/networking/socat/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/networking/socat/default.nix b/pkgs/tools/networking/socat/default.nix index c672801262b..b2704c2a203 100644 --- a/pkgs/tools/networking/socat/default.nix +++ b/pkgs/tools/networking/socat/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { patches = [ ./enable-ecdhe.patch ./libressl-fixes.patch ]; + hardening_pie = true; + meta = { description = "A utility for bidirectional data transfer between two independent data channels"; homepage = http://www.dest-unreach.org/socat/; From 631c09bbe5946ca0e1b5a58f0ad37b7616481616 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 17:26:03 +0000 Subject: [PATCH 313/603] checksec: clean up --- pkgs/os-specific/linux/checksec/default.nix | 9 ++++----- pkgs/tools/networking/ntp/default.nix | 2 ++ 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/pkgs/os-specific/linux/checksec/default.nix b/pkgs/os-specific/linux/checksec/default.nix index b423dc3a086..5752bbb72bc 100644 --- a/pkgs/os-specific/linux/checksec/default.nix +++ b/pkgs/os-specific/linux/checksec/default.nix @@ -3,6 +3,7 @@ stdenv.mkDerivation rec { name = "checksec-${version}"; version = "1.5"; + src = fetchurl { url = "http://www.trapkit.de/tools/checksec.sh"; sha256 = "0iq9v568mk7g7ksa1939g5f5sx7ffq8s8n2ncvphvlckjgysgf3p"; @@ -11,9 +12,9 @@ stdenv.mkDerivation rec { patches = [ ./0001-attempt-to-modprobe-config-before-checking-kernel.patch ]; unpackPhase = '' - mkdir ${name}-${version} - cp $src ${name}-${version}/checksec.sh - cd ${name}-${version} + mkdir ${name} + cp $src ${name}/checksec.sh + cd ${name} ''; installPhase = '' 
@@ -32,8 +33,6 @@ stdenv.mkDerivation rec { substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -" ''; - phases = "unpackPhase patchPhase installPhase"; - meta = { description = "A tool for checking security bits on executables"; homepage = "http://www.trapkit.de/tools/checksec.html"; diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix index 8a23eeb60f4..4e1e8931f0a 100644 --- a/pkgs/tools/networking/ntp/default.nix +++ b/pkgs/tools/networking/ntp/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ autoreconfHook ]; buildInputs = [ libcap openssl ]; + hardening_pie = true; + postInstall = '' rm -rf $out/share/doc ''; From 87e64f153b792d0b07f1d6a0cd0e8b5dd0c21424 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 17:27:28 +0000 Subject: [PATCH 314/603] cron: enable pie hardening --- pkgs/tools/system/cron/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix index 998be45d9c6..805336cfe44 100644 --- a/pkgs/tools/system/cron/default.nix +++ b/pkgs/tools/system/cron/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation { unpackCmd = "(mkdir cron && cd cron && sh $curSrc)"; + hardening_pie = true; + preBuild = '' substituteInPlace Makefile --replace ' -o root' ' ' --replace 111 755 makeFlags="DESTROOT=$out" From 62f65d15ca1ffaee1675a94d174259f4eca853b8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 17:54:46 +0000 Subject: [PATCH 315/603] chrony: enable pie hardening --- pkgs/tools/networking/chrony/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/networking/chrony/default.nix b/pkgs/tools/networking/chrony/default.nix index dca92c565af..57981fdaa66 100644 --- a/pkgs/tools/networking/chrony/default.nix +++ b/pkgs/tools/networking/chrony/default.nix 
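Review bot: The `hardening_pie = true;` added to pkgs/tools/networking/ntp/default.nix is unrelated to the commit subject "checksec: clean up", so anyone searching history for when ntp gained PIE will not find it. It belongs in its own commit like the neighbouring openssh, nginx and socat ones, or at minimum the subject should mention ntp.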
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec { buildInputs = [ readline texinfo nss nspr ] ++ stdenv.lib.optional stdenv.isLinux libcap; nativeBuildInputs = [ pkgconfig ]; + hardening_pie = true; + configureFlags = [ "--chronyvardir=$(out)/var/lib/chrony" ]; From e392824fb3cc7cc7f7bbe86997f46116ac9985e1 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 17:55:51 +0000 Subject: [PATCH 316/603] dnsmasq: enable pie hardening --- pkgs/tools/networking/dnsmasq/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/networking/dnsmasq/default.nix b/pkgs/tools/networking/dnsmasq/default.nix index 63720faf707..6032e53f0ba 100644 --- a/pkgs/tools/networking/dnsmasq/default.nix +++ b/pkgs/tools/networking/dnsmasq/default.nix @@ -29,6 +29,8 @@ stdenv.mkDerivation rec { "LOCALEDIR=$(out)/share/locale" ]; + hardening_pie = true; + postBuild = optionalString stdenv.isLinux '' make -C contrib/wrt ''; From 8b9eccbf2dbc20672a21edccc02abf2a2728ebdd Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 23:03:00 +0000 Subject: [PATCH 317/603] radvd: enable pie hardening --- pkgs/tools/networking/radvd/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/networking/radvd/default.nix b/pkgs/tools/networking/radvd/default.nix index 63f82f12787..0dbbd759911 100644 --- a/pkgs/tools/networking/radvd/default.nix +++ b/pkgs/tools/networking/radvd/default.nix @@ -2,7 +2,7 @@ stdenv.mkDerivation rec { name = "radvd-2.11"; - + src = fetchurl { url = "http://www.litech.org/radvd/dist/${name}.tar.xz"; sha256 = "1k2sbfs4w2lkgz2mh4zh66fgahjrn2hvxcpfc091bykrzj464qq4"; @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libdaemon bison flex check ]; + hardening_pie = true; + meta = with stdenv.lib; { homepage = http://www.litech.org/radvd/; description = "IPv6 Router Advertisement Daemon"; From 1a31447c4c95496e63f23151de2849c641e28d89 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 26 Feb 2016 23:06:53 +0000 Subject: [PATCH 318/603] icecast: enable pie hardening --- pkgs/servers/icecast/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/icecast/default.nix b/pkgs/servers/icecast/default.nix index 4a89c5ad83b..d0e238786e2 100644 --- a/pkgs/servers/icecast/default.nix +++ b/pkgs/servers/icecast/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ libxml2 libxslt curl libvorbis libtheora speex libkate libopus ]; + hardening_pie = true; + meta = { description = "Server software for streaming multimedia"; From b4dadff5429d0bf47bcdafff14dd3d0032039699 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 23:13:13 +0000 Subject: [PATCH 319/603] memcached: enable pie hardening --- pkgs/servers/memcached/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/memcached/default.nix b/pkgs/servers/memcached/default.nix index 9d110d9c146..cac568f8fc9 100644 --- a/pkgs/servers/memcached/default.nix +++ b/pkgs/servers/memcached/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [cyrus_sasl libevent]; + hardening_pie = true; + meta = with stdenv.lib; { description = "A distributed memory object caching system"; repositories.git = https://github.com/memcached/memcached.git; From b3d9562fc853282702c82884edc8ded50fd517c1 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Feb 2016 00:43:49 +0000 Subject: [PATCH 320/603] fix evaluation --- pkgs/top-level/all-packages.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 376fde4a8b0..d3aca452704 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
@@ -198,14 +198,14 @@ let }; # We use pkgs_ because accessing pkgs would lead to an infinite recursion in stdenvOverrides - defaultStdenv = stdenvAdapters.useHardenFlags ( + defaultStdenv = (import ../stdenv/adapters.nix pkgs_).useHardenFlags ( pkgs_.allStdenvs.stdenv // { inherit platform; } ); stdenvCross = lowPrio (makeStdenvCross defaultStdenv crossSystem binutilsCross gccCrossStageFinal); stdenv = - if bootStdenv != null then (stdenvAdapters.useHardenFlags bootStdenv // {inherit platform;}) else + if bootStdenv != null then ((import ../stdenv/adapters.nix pkgs_).useHardenFlags bootStdenv // {inherit platform;}) else if crossSystem != null then stdenvCross else From 5176e7ac770714afb031553fa1d25bb08b027dfa Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Feb 2016 00:48:49 +0000 Subject: [PATCH 321/603] mongodb: enable pie hardening --- pkgs/servers/nosql/mongodb/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/servers/nosql/mongodb/default.nix b/pkgs/servers/nosql/mongodb/default.nix index 2ea255e4432..141e8e0929d 100644 --- a/pkgs/servers/nosql/mongodb/default.nix +++ b/pkgs/servers/nosql/mongodb/default.nix @@ -19,6 +19,7 @@ let version = "3.2.1"; #"stemmer" -- not nice to package yet (no versioning, no makefile, no shared libs). "yaml" ] ++ optionals stdenv.isLinux [ "tcmalloc" ]; + buildInputs = [ sasl boost gperftools pcre snappy zlib libyamlcpp sasl openssl libpcap @@ -79,6 +80,8 @@ in stdenv.mkDerivation rec { enableParallelBuilding = true; + hardening_pie = true; + meta = { description = "a scalable, high-performance, open source NoSQL database"; homepage = http://www.mongodb.org; From 83bf03e1a361740ba07bde619628e110db67d891 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Feb 2016 08:20:53 +0000 Subject: [PATCH 322/603] glibc: disable stackprotector hardening --- pkgs/development/libraries/glibc/common.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
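Review bot: `import ../stdenv/adapters.nix pkgs_` is now spelled out twice in this hunk, once for defaultStdenv and once in the bootStdenv branch, so the two call sites can drift apart if the import or its argument changes. Bind it once in the enclosing let, e.g. `hardenedAdapters = import ../stdenv/adapters.nix pkgs_;`, and use `hardenedAdapters.useHardenFlags` in both places. The existing comment only explains pkgs_; a short note on why stdenvAdapters cannot be referenced here (presumably a recursion through stdenv — confirm) would spare the next reader the same investigation. The enclosing let continues outside the hunk.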
diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 3ddc37af44d..7bbf5562f7c 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -165,7 +165,8 @@ stdenv.mkDerivation ({ preBuild = lib.optionalString withGd "unset NIX_DONT_SET_RPATH"; - hardening_stackprotector = name != "glibc-locales"; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; meta = { homepage = http://www.gnu.org/software/libc/; From d3fb7acb3a653c8a24dc5ea4de6b4da0f4c346ac Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Feb 2016 09:29:15 +0000 Subject: [PATCH 323/603] dietlibc: fix merge failure --- pkgs/os-specific/linux/dietlibc/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/dietlibc/default.nix b/pkgs/os-specific/linux/dietlibc/default.nix index 3d206cb5f77..09d7651c249 100644 --- a/pkgs/os-specific/linux/dietlibc/default.nix +++ b/pkgs/os-specific/linux/dietlibc/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation { builder = ./builder.sh; inherit glibc; - kernelHeaders = glibc.kernelHeaders; + kernelHeaders = glibc.linuxHeaders; hardening_stackprotector = false; patches = [ From 14177f5e0bea88d75a5beaf167a4ba5744c06758 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Feb 2016 09:38:51 +0000 Subject: [PATCH 324/603] speed_dreams: remove obsolete variable --- pkgs/top-level/all-packages.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index abb06530f15..31d87960ed7 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
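Review bot: `hardening_stackprotector = false;` now turns the stack protector off for all of glibc, whereas the replaced expression `name != "glibc-locales"` kept it on for the library itself, and the `# FIXME needs gcc 4.9 in bootstrap tools` comment names neither the failure nor where it is tracked. Since glibc is linked into nearly every binary, this loss of coverage should carry a tracking reference, e.g. `# FIXME needs gcc 4.9 in bootstrap tools; restore `name != "glibc-locales"` once updated (see <tracking issue>)`, so the old condition can be put back verbatim. The same FIXME is added to perl in a later hunk on this page.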
@@ -14671,7 +14671,6 @@ let speed_dreams = callPackage ../games/speed-dreams { # Torcs wants to make shared libraries linked with plib libraries (it provides static). # i686 is the only platform I know than can do that linking without plib built with -fPIC - plib = plib.override { enablePIC = !stdenv.isi686; }; libpng = libpng12; }; From cfffac2a904fb717b4843d6f9378ef3f3010a47e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Feb 2016 11:50:34 +0000 Subject: [PATCH 325/603] postfix: use hardening flags from stdenv --- pkgs/servers/mail/postfix/2.11.nix | 5 ++--- pkgs/servers/mail/postfix/3.0.nix | 5 +++-- pkgs/servers/mail/postfix/default.nix | 3 ++- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/pkgs/servers/mail/postfix/2.11.nix b/pkgs/servers/mail/postfix/2.11.nix index 7c936bf1244..f2f155cbf3f 100644 --- a/pkgs/servers/mail/postfix/2.11.nix +++ b/pkgs/servers/mail/postfix/2.11.nix @@ -36,9 +36,8 @@ stdenv.mkDerivation rec { export sendmail_path=$out/bin/sendmail make makefiles \ - CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl \ - -fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2' \ - AUXLIBS='-ldb -lnsl -lresolv -lsasl2 -lcrypto -lssl -pie -Wl,-z,relro,-z,now' + CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl' \ + AUXLIBS='-ldb -lnsl -lresolv -lsasl2 -lcrypto -lssl' ''; installTargets = [ "non-interactive-package" ]; diff --git a/pkgs/servers/mail/postfix/3.0.nix b/pkgs/servers/mail/postfix/3.0.nix index 9ea151e597b..8f102c330dd 100644 --- a/pkgs/servers/mail/postfix/3.0.nix +++ b/pkgs/servers/mail/postfix/3.0.nix 
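Review bot: The two comment lines about Torcs, plib and `-fPIC` are kept while the `plib = plib.override { enablePIC = !stdenv.isi686; };` line they explained is removed, leaving the speed_dreams override with an orphaned explanation. Delete both lines, or reduce them to a note saying why the override became obsolete (if plib is now built with PIC under the hardened stdenv, say that explicitly).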
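Review bot: The postfix 2.11.nix hunk strips `-fPIE`, `-pie` and `-Wl,-z,relro,-z,now` from CCARGS/AUXLIBS but, unlike 3.0.nix and default.nix in the same commit, adds no `hardening_pie = true;`, so postfix 2.11 drops from an explicit PIE build to the stdenv default — and the other commits on this page enable PIE per package, which suggests it is off by default. Add `hardening_pie = true;` next to the other attributes in 2.11.nix. Note also that `-fstack-protector-all` is replaced by whatever stack-protector flag the adapter sets, which may be a weaker variant; worth confirming against adapters.nix. The preBuild script continues outside the hunk.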
@@ -9,12 +9,11 @@ let ccargs = lib.concatStringsSep " " ([ "-DUSE_TLS" "-DUSE_SASL_AUTH" "-DUSE_CYRUS_SASL" "-I${cyrus_sasl}/include/sasl" "-DHAS_DB_BYPASS_MAKEDEFS_CHECK" - "-fPIE" "-fstack-protector-all" "--param" "ssp-buffer-size=4" "-O2" "-D_FORTIFY_SOURCE=2" ] ++ lib.optional withPgSQL "-DHAS_PGSQL" ++ lib.optionals withMySQL [ "-DHAS_MYSQL" "-I${libmysql}/include/mysql" ] ++ lib.optional withSQLite "-DHAS_SQLITE"); auxlibs = lib.concatStringsSep " " ([ - "-ldb" "-lnsl" "-lresolv" "-lsasl2" "-lcrypto" "-lssl" "-pie" "-Wl,-z,relro,-z,now" + "-ldb" "-lnsl" "-lresolv" "-lsasl2" "-lcrypto" "-lssl" ] ++ lib.optional withPgSQL "-lpq" ++ lib.optional withMySQL "-lmysqlclient" ++ lib.optional withSQLite "-lsqlite3"); @@ -37,6 +36,8 @@ in stdenv.mkDerivation rec { patches = [ ./postfix-script-shell.patch ./postfix-3.0-no-warnings.patch ./post-install-script.patch ]; + hardening_pie = true; + preBuild = '' sed -e '/^PATH=/d' -i postfix-install sed -e "s|@PACKAGE@|$out|" -i conf/post-install diff --git a/pkgs/servers/mail/postfix/default.nix b/pkgs/servers/mail/postfix/default.nix index 578453c8c56..42355b46021 100644 --- a/pkgs/servers/mail/postfix/default.nix +++ b/pkgs/servers/mail/postfix/default.nix @@ -15,6 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [db openssl cyrus_sasl bison perl]; hardening_format = false; + hardening_pie = true; patches = [ ./postfix-2.2.9-db.patch @@ -41,7 +42,7 @@ stdenv.mkDerivation rec { export sample_directory=$out/share/postfix/doc/samples export readme_directory=$out/share/postfix/doc - make makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl -fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2' AUXLIBS='-lssl -lcrypto -lsasl2 -ldb -lnsl -pie -Wl,-z,relro,-z,now' + make makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl' AUXLIBS='-lssl -lcrypto -lsasl2 -ldb -lnsl' ''; installPhase = '' 
From 8615f026a48cbf3f1c37b30e9b70bba6af013a12 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Feb 2016 12:16:00 +0000 Subject: [PATCH 326/603] v8_3_16_14: use default stdenv --- pkgs/top-level/all-packages.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 31d87960ed7..3c00d256740 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -8826,8 +8826,6 @@ let v8_3_16_14 = callPackage ../development/libraries/v8/3.16.14.nix { inherit (pythonPackages) gyp; - # The build succeeds using gcc5 but it fails to build pkgs.consul-ui - stdenv = overrideCC stdenv gcc48; }; v8_3_24_10 = callPackage ../development/libraries/v8/3.24.10.nix { From 4d6db3c64cf7eff77d29d05d0e6e78b238ef7846 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 28 Feb 2016 19:45:02 +0000 Subject: [PATCH 327/603] perl520: fix bootstrap compilation by disabling fortify hardening --- pkgs/development/interpreters/perl/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/development/interpreters/perl/default.nix b/pkgs/development/interpreters/perl/default.nix index d9158ad55ab..6e416a35150 100644 --- a/pkgs/development/interpreters/perl/default.nix +++ b/pkgs/development/interpreters/perl/default.nix @@ -71,6 +71,9 @@ let enableParallelBuilding = true; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + preConfigure = '' configureFlags="$configureFlags -Dprefix=$out -Dman1dir=$out/share/man/man1 -Dman3dir=$out/share/man/man3" From 85515f0be84a21fb4ff84be8b51bbeecff8e6fa3 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 29 Feb 2016 09:44:42 +0000 Subject: [PATCH 328/603] clisp_2_44_1: disable format hardening --- pkgs/development/interpreters/clisp/2.44.1.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
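Review bot: The perl hunk adds `hardening_stackprotector = false;` while the commit subject says "disabling fortify hardening"; one of the two is wrong, and if fortify is what really breaks the bootstrap then the stack protector has been lost for no reason. Align the subject with the attribute, and give the FIXME a pointer to the actual failure, e.g. `# FIXME needs gcc 4.9 in bootstrap tools: stack-protector breaks the bootstrap perl build (see <tracking issue>)`. The enclosing let continues outside the hunk.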
diff --git a/pkgs/development/interpreters/clisp/2.44.1.nix b/pkgs/development/interpreters/clisp/2.44.1.nix index 66f53831374..fa8c8309a7a 100644 --- a/pkgs/development/interpreters/clisp/2.44.1.nix +++ b/pkgs/development/interpreters/clisp/2.44.1.nix @@ -1,11 +1,11 @@ { stdenv, fetchurl, libsigsegv, gettext, ncurses, readline, libX11 , libXau, libXt, pcre, zlib, libXpm, xproto, libXext, xextproto , libffi, libffcall, coreutils }: - + stdenv.mkDerivation rec { v = "2.44.1"; name = "clisp-${v}"; - + src = fetchurl { url = "mirror://gnu/clisp/release/${v}/${name}.tar.gz"; sha256 = "0rkp6j6rih4s5d9acifh7pi4b9xfgcspif512l269dqy9qgyy4j1"; @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { zlib libXpm xproto libXext xextproto libffi libffcall ]; patches = [ ./bits_ipctypes_to_sys_ipc.patch ]; # from Gentoo - + # First, replace port 9090 (rather low, can be used) # with 64237 (much higher, IANA private area, not # anything rememberable). @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { substituteInPlace modules/bindings/glibc/linux.lisp --replace "(def-c-type __swblk_t)" "" ''; - + configureFlags = '' --with-readline builddir --with-dynamic-ffi @@ -45,6 +45,8 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE="-O0"; + hardening_format = false; + # TODO : make mod-check fails doCheck = false; From 2d17e81d2d482c453074efb51482278455024e2f Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 29 Feb 2016 12:31:59 +0000 Subject: [PATCH 329/603] clang-analyzer: use default clang --- pkgs/top-level/all-packages.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 70b6b95e491..0f2a40a548e 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
@@ -3998,10 +3998,7 @@ let clang_34 = wrapCC llvmPackages_34.clang; clang_33 = wrapCC (clangUnwrapped llvm_33 ../development/compilers/llvm/3.3/clang.nix); - clang-analyzer = callPackage ../development/tools/analysis/clang-analyzer { - clang = clang_34; - llvmPackages = llvmPackages_34; - }; + clang-analyzer = callPackage ../development/tools/analysis/clang-analyzer { }; clangUnwrapped = llvm: pkg: callPackage pkg { inherit llvm; }; From 4f0608abdb1c3c9239808eca6de9c58de8bced80 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 29 Feb 2016 12:51:28 +0000 Subject: [PATCH 330/603] perseus: disable stackprotector hardening --- pkgs/applications/science/math/perseus/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/science/math/perseus/default.nix b/pkgs/applications/science/math/perseus/default.nix index 94029a04349..d2694392efa 100644 --- a/pkgs/applications/science/math/perseus/default.nix +++ b/pkgs/applications/science/math/perseus/default.nix @@ -5,6 +5,8 @@ stdenv.mkDerivation { version = "4-beta"; buildInputs = [unzip gcc48]; + hardening_stackprotector = false; + src = fetchurl { url = "http://www.sas.upenn.edu/~vnanda/source/perseus_4_beta.zip"; sha256 = "09brijnqabhgfjlj5wny0bqm5dwqcfkp1x5wif6yzdmqh080jybj"; @@ -30,7 +32,7 @@ stdenv.mkDerivation { around datasets arising from point samples, images, distance matrices and so forth. ''; - homepage = "www.sas.upenn.edu/~vnanda/perseus/index.html"; + homepage = "http://www.sas.upenn.edu/~vnanda/perseus/index.html"; license = stdenv.lib.licenses.gpl3; maintainers = with stdenv.lib.maintainers; [erikryb]; platforms = stdenv.lib.platforms.linux; From 1bbb2f0cf3f1303abd40e7bc801e7582b74f3c62 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 1 Mar 2016 12:28:06 +0000 Subject: [PATCH 331/603] pdf2xml: disable format hardening --- pkgs/development/libraries/pdf2xml/default.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
diff --git a/pkgs/development/libraries/pdf2xml/default.nix b/pkgs/development/libraries/pdf2xml/default.nix index c7c5aff2455..b73be062623 100644 --- a/pkgs/development/libraries/pdf2xml/default.nix +++ b/pkgs/development/libraries/pdf2xml/default.nix @@ -2,20 +2,22 @@ stdenv.mkDerivation { name = "pdf2xml"; - + src = fetchurl { url = http://tarballs.nixos.org/pdf2xml.tar.gz; sha256 = "04rl7ppxqgnvxvvws669cxp478lnrdmiqj0g3m4p69bawfjc4z3w"; }; sourceRoot = "pdf2xml/pdf2xml"; - + buildInputs = [libxml2 libxpdf]; patches = [./pdf2xml.patch]; + hardening_format = false; + preBuild = '' cp Makefile.linux Makefile - + sed -i 's|/usr/include/libxml2|${libxml2}/include/libxml2|' Makefile sed -i 's|-lxml2|-lxml2 -L${libxml2}/lib|' Makefile sed -i 's|XPDF = xpdf_3.01|XPDF = ${libxpdf}/lib|' Makefile @@ -24,7 +26,7 @@ stdenv.mkDerivation { buildFlags+=" CXX=$CXX" ''; - + installPhase = '' mkdir -p $out/bin cp exe/* $out/bin From 9ba6bd4dea6dde2aa50dc118d177db0697176811 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 1 Mar 2016 22:09:15 +0000 Subject: [PATCH 332/603] caneda: disable format hardening --- pkgs/applications/science/electronics/caneda/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/applications/science/electronics/caneda/default.nix b/pkgs/applications/science/electronics/caneda/default.nix index 404ffc5010b..152aec27d83 100644 --- a/pkgs/applications/science/electronics/caneda/default.nix +++ b/pkgs/applications/science/electronics/caneda/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { sha256 = "dfbcac97f5a1b41ad9a63392394f37fb294cbf78c576673c9bc4a5370957b2c8"; }; - cmakeFlags = [ "-DCMAKE_BUILD_TYPE=Release" ]; + hardening_format = false; buildInputs = [ cmake qt4 libxml2 libxslt ]; From a6dae3b5adff94b13a0f63a4563b8d2aacf6e1d3 Mon Sep 17 00:00:00 2001 
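Review bot: The Release build type is silently dropped in the caneda hunk: `cmakeFlags = [ "-DCMAKE_BUILD_TYPE=Release" ];` is replaced by `hardening_format = false;` instead of the new line being added next to it, in a commit whose subject only mentions format hardening. If removing the Release flag is intentional (for instance because it conflicts with the hardening flags), state that in the message or in a comment; otherwise keep both lines.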
From: Robin Gloster Date: Tue, 1 Mar 2016 22:20:50 +0000 Subject: [PATCH 333/603] gnu-efi: disable stackprotector hardening --- pkgs/development/libraries/gnu-efi/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/gnu-efi/default.nix b/pkgs/development/libraries/gnu-efi/default.nix index e674aae2b58..21be466a9b2 100644 --- a/pkgs/development/libraries/gnu-efi/default.nix +++ b/pkgs/development/libraries/gnu-efi/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ pciutils ]; + hardening_stackprotector = false; + makeFlags = [ "PREFIX=\${out}" "CC=gcc" From a12ecfc4054db18fbb6c9208c284443717f4e5d6 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 1 Mar 2016 22:21:08 +0000 Subject: [PATCH 334/603] refind: disable stackprotector hardening --- pkgs/tools/bootloaders/refind/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/bootloaders/refind/default.nix b/pkgs/tools/bootloaders/refind/default.nix index 110e00976e8..f27dd3c5be6 100644 --- a/pkgs/tools/bootloaders/refind/default.nix +++ b/pkgs/tools/bootloaders/refind/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { buildInputs = [ unzip gnu-efi efibootmgr dosfstools imagemagick ]; + hardening_stackprotector = false; + HOSTARCH = if stdenv.system == "x86_64-linux" then "x64" else if stdenv.system == "i686-linux" then "ia32" From 2f7e9f26d84b79e9c5a0bd9e7647f10b5d02817e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 1 Mar 2016 22:21:21 +0000 Subject: [PATCH 335/603] gummiboot: disable stackprotector hardening --- pkgs/tools/misc/gummiboot/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/misc/gummiboot/default.nix b/pkgs/tools/misc/gummiboot/default.nix index d25b4f65ad7..b73d83201e0 100644 --- a/pkgs/tools/misc/gummiboot/default.nix +++ b/pkgs/tools/misc/gummiboot/default.nix 
@@ -5,7 +5,7 @@ stdenv.mkDerivation rec { buildInputs = [ gnu-efi pkgconfig libxslt utillinux ]; - #hardening_all = false; + hardening_stackprotector = false; # Sigh, gummiboot should be able to find this in buildInputs configureFlags = [ From 4c9c4c4dcdf406adb235682ab4d50985513f92e3 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 1 Mar 2016 22:47:29 +0000 Subject: [PATCH 336/603] redmine: disable format hardening --- pkgs/applications/version-management/redmine/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/applications/version-management/redmine/default.nix b/pkgs/applications/version-management/redmine/default.nix index 3a8df10f166..982dcb1d56b 100644 --- a/pkgs/applications/version-management/redmine/default.nix +++ b/pkgs/applications/version-management/redmine/default.nix @@ -11,6 +11,8 @@ in stdenv.mkDerivation rec { sha256 = "0x0zwxyj4dwbk7l64s3lgny10mjf0ba8jwrbafsm4d72sncmacv0"; }; + hardening_format = false; + # taken from redmine (2.5.1-2~bpo70+3) in debian wheezy-backports # needed to separate run-time and build-time directories patches = [ @@ -18,6 +20,7 @@ in stdenv.mkDerivation rec { ./2004_FHS_plugins_assets.patch ./2003_externalize_session_config.patch ]; + postPatch = '' substituteInPlace lib/redmine/plugin.rb --replace "File.join(Rails.root, 'plugins')" "ENV['RAILS_PLUGINS']" substituteInPlace lib/redmine/plugin.rb --replace "File.join(Rails.root, 'plugins', id.to_s, 'db', 'migrate')" "File.join(ENV['RAILS_PLUGINS'], id.to_s, 'db', 'migrate')" From 84cc00b4036b052fa39e74e8684cc6055b3fcf47 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 3 Mar 2016 16:55:17 +0000 Subject: [PATCH 337/603] ceph: possible fix for zip timestamps --- pkgs/tools/filesystems/ceph/generic.nix | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/filesystems/ceph/generic.nix b/pkgs/tools/filesystems/ceph/generic.nix index 1673e69679b..19457e13655 100644 --- a/pkgs/tools/filesystems/ceph/generic.nix 
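Review bot: The gummiboot hunk replaces the dead `#hardening_all = false;` with a live `hardening_stackprotector = false;` but still gives no reason, so a reader cannot tell why stack protection in particular is the flag that must go. Since gummiboot links against gnu-efi (it is in `buildInputs` on the context line), the reason is presumably the freestanding-EFI one — no libc supplies `__stack_chk_fail` — and it should be recorded: `# EFI image built against gnu-efi: no stack-protector runtime available`. Dropping the commented-out catch-all is an improvement; leaving the reason in its place keeps the narrower opt-out from being copied into other packages without thought.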
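Review bot: Redmine is a Ruby application, so a derivation-wide `hardening_format = false;` is surprising — the compiler flags can presumably only affect native gem extensions compiled during the build, and the hunk does not say which one fails. A one-line comment naming the extension or the build error, e.g. `# needed to compile a bundled native gem extension; drop once it is fixed upstream`, lets the opt-out be removed once that gem is fixed. If no failing extension can be identified, the line may be a no-op that only documents a guess and should not be added at all. The second hunk (a blank line after `patches`) is whitespace only.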
+++ b/pkgs/tools/filesystems/ceph/generic.nix @@ -1,4 +1,5 @@ -{ stdenv, autoconf, automake, makeWrapper, pkgconfig, libtool, which, git +{ stdenv, ensureNewerSourcesHook, autoconf, automake, makeWrapper, pkgconfig +, libtool, which, git , boost, python, pythonPackages, libxml2, zlib # Optional Dependencies @@ -111,7 +112,10 @@ stdenv.mkDerivation { ./0001-Makefile-env-Don-t-force-sbin.patch ]; - nativeBuildInputs = [ autoconf automake makeWrapper pkgconfig libtool which git ] + nativeBuildInputs = [ + autoconf automake makeWrapper pkgconfig libtool which git + (ensureNewerSourcesHook { year = "1980"; }) + ] ++ optionals (versionAtLeast version "9.0.2") [ pythonPackages.setuptools pythonPackages.argparse ]; From 23d85c7c902b98b93d377ecf236a374e6a9b62bb Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 3 Mar 2016 18:53:49 +0000 Subject: [PATCH 338/603] spark: fix hash --- pkgs/applications/networking/cluster/spark/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/applications/networking/cluster/spark/default.nix b/pkgs/applications/networking/cluster/spark/default.nix index a0abe4f3142..79074d2d28e 100644 --- a/pkgs/applications/networking/cluster/spark/default.nix +++ b/pkgs/applications/networking/cluster/spark/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { src = fetchzip { url = "mirror://apache/spark/${name}/${name}-bin-cdh4.tgz"; - sha256 = "0waq8xx4bjj1yvfbadv1gdvz8s4kh5zasicv2n5623ld6lj7zgad"; + sha256 = "19ycx1r8g82vkvzmn9wxkssmv2damrg72yfmrgzpc6xyh071g91c"; }; buildInputs = [ makeWrapper jre pythonPackages.python pythonPackages.numpy ] From 745fa2fbc8c9dfa8eeccb57d3b60aa3d4871c86f Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 3 Mar 2016 19:01:21 +0000 Subject: [PATCH 339/603] pharo-vm5: disable format hardening --- pkgs/development/pharo/vm/build-vm.nix | 2 ++ 1 file changed, 2 insertions(+) 
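Review bot: `(ensureNewerSourcesHook { year = "1980"; })` is added to `nativeBuildInputs` with no comment, and the subject calls it a "possible fix", so whoever sees it next has nothing to confirm it against. State what it works around inline — presumably that the ZIP format cannot represent dates before 1980, so zip refuses the epoch-0 mtimes Nix gives unpacked sources: `# zip cannot store mtimes before 1980; Nix unpacks sources with mtime 0`. With that in place the magic `"1980"` is explained, and the hook can be removed with confidence if it turns out not to be needed.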
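Review bot: The spark hunk changes the `sha256` of `${name}-bin-cdh4.tgz` while the URL and version stay the same, and "fix hash" does not say why the expected content changed; a hash change on an unchanged artifact is exactly the signal a supply-chain review should not wave through. Before merging, confirm the new tarball against Apache's published checksum and `.asc` signature for this release and record the cause in the commit message — a re-published upstream archive, or (I believe `fetchzip` hashes the unpacked tree rather than the archive) an unpacking change on the Nix side. If the upstream bytes did change, the commit should say so explicitly rather than silently accepting the new content.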
diff --git a/pkgs/development/pharo/vm/build-vm.nix b/pkgs/development/pharo/vm/build-vm.nix index 3dfe913145c..9665b78d3b2 100644 --- a/pkgs/development/pharo/vm/build-vm.nix +++ b/pkgs/development/pharo/vm/build-vm.nix @@ -21,6 +21,8 @@ stdenv.mkDerivation rec { mimeType = "application/x-pharo-image"; }; + hardening_format = false; + # Building preConfigure = '' cd build/ From c3096a4160b6122a4b6ee8bd66769458775b357c Mon Sep 17 00:00:00 2001 From: Tristan Helmich Date: Fri, 4 Mar 2016 14:48:06 +0100 Subject: [PATCH 340/603] memtest86+: disable pic/stackprotector hardening --- pkgs/tools/misc/memtest86+/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/tools/misc/memtest86+/default.nix b/pkgs/tools/misc/memtest86+/default.nix index 7e382426336..097c26071fc 100644 --- a/pkgs/tools/misc/memtest86+/default.nix +++ b/pkgs/tools/misc/memtest86+/default.nix @@ -22,6 +22,9 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = "-I. -std=gnu90"; + hardening_pic = false; + hardening_stackprotector = false; + buildFlags = "memtest.bin"; installPhase = '' From e43a3841b02134c1576b03ae86e14bd46030d953 Mon Sep 17 00:00:00 2001 From: Tristan Helmich Date: Fri, 4 Mar 2016 14:51:07 +0100 Subject: [PATCH 341/603] faac: disable format hardening --- pkgs/development/libraries/faac/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/faac/default.nix b/pkgs/development/libraries/faac/default.nix index 802aafc444c..505f0053287 100644 --- a/pkgs/development/libraries/faac/default.nix +++ b/pkgs/development/libraries/faac/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { ++ optional mp4v2Support "--with-mp4v2" ++ optional drmSupport "--enable-drm"; + hardening_format = false; + buildInputs = [ ] ++ optional mp4v2Support mp4v2; From d4ece75fd6df3410b8f038db152b04fb8014496d Mon Sep 17 00:00:00 2001 
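Review bot: The memtest86+ hunk adds `hardening_pic = false;` and `hardening_stackprotector = false;` without saying why; the reason is presumably that `memtest.bin` (the `buildFlags` target on the context line) is a freestanding bootable image with no libc, so neither the `__stack_chk_fail` runtime nor dynamic relocations for PIC exist at run time. Record that next to the two lines: `# freestanding bootable image: no libc for the stack protector, no dynamic relocs for PIC`. If fortify or format hardening also has to be disabled later, the same comment is where the growing list stays justified.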
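Review bot: The faac hunk turns off format-string checking for the whole library with `hardening_format = false;`, and does not say which call site fails; in code that parses caller-supplied audio and options, a non-literal format argument is worth fixing rather than silencing. Prefer a small patch that gives the offending `printf`-family call a literal format (`"%s"`), keeping the check on for the rest of the tree; if the opt-out must stay, add `# TODO: non-literal format string upstream; patch it and drop this` beside it so it is revisited.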
From: Franz Pletz Date: Fri, 26 Feb 2016 18:39:28 +0100 Subject: [PATCH 342/603] haskellPackages.epanet-haskell: Turn format hardening off --- pkgs/development/haskell-modules/configuration-common.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 80047f0ca1e..e948d1833b8 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -44,6 +44,9 @@ self: super: { c2hs = pkgs.lib.overrideDerivation (dontCheck super.c2hs) (drv: { hardening_format = false; }); + epanet-haskell = pkgs.lib.overrideDerivation super.epanet-haskell (drv: { + hardening_format = false; + }); # The package doesn't compile with ruby 1.9, which is our default at the moment. hruby = super.hruby.override { ruby = pkgs.ruby_2_1; }; From a2e449e43e82e258b94c723d92a5e9af641967e7 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 14 Nov 2015 06:24:15 +0100 Subject: [PATCH 343/603] coreutils: Skip some tests (filenames too long) --- pkgs/tools/misc/coreutils/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index 4a944f69878..6e7c6daca56 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -28,6 +28,8 @@ let postPatch = optionalString (!stdenv.isDarwin) '' sed '2i echo Skipping dd sparse test && exit 0' -i ./tests/dd/sparse.sh sed '2i echo Skipping cp sparse test && exit 0' -i ./tests/cp/sparse.sh + sed '2i echo Skipping rm deep-2 test && exit 0' -i ./tests/rm/deep-2.sh + sed '2i echo Skipping du long-from-unreadable test && exit 0' -i ./tests/du/long-from-unreadable.sh ''; configureFlags = optionalString stdenv.isSunOS "ac_cv_func_inotify_init=no"; From aff1f4ab948b921ceaf2b81610f2f82454302b4b Mon Sep 17 00:00:00 2001 
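Review bot: The two new `sed '2i … exit 0'` lines silently turn `tests/rm/deep-2.sh` and `tests/du/long-from-unreadable.sh` into passes, and nothing in the file says why; the subject's "filenames too long" suggests these tests build paths that overflow the path-length limit under the long Nix build directory, which belongs in a comment above the block: `# these tests create paths that exceed PATH_MAX under the Nix build dir`. If the coreutils test harness distinguishes skips from passes (exit status 77 is the automake convention for SKIP), writing `exit 77` instead of `exit 0` would report them honestly instead of as green. The enclosing `postPatch` string starts and ends outside the hunk.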
From: Franz Pletz Date: Fri, 26 Feb 2016 18:38:15 +0100 Subject: [PATCH 344/603] Use general hardening flag toggle lists The following parameters are now available: * hardeningDisable To disable specific hardening flags * hardeningEnable To enable specific hardening flags Only the cc-wrapper supports this right now, but these may be reused by other wrappers, builders or setup hooks. cc-wrapper supports the following flags: * fortify * stackprotector * pie (disabled by default) * pic * strictoverflow * format * relro * bindnow --- pkgs/applications/audio/QmidiNet/default.nix | 2 +- pkgs/applications/audio/aacgain/default.nix | 2 +- .../applications/audio/cdparanoia/default.nix | 2 +- pkgs/applications/audio/csound/default.nix | 2 +- .../audio/freewheeling/default.nix | 2 +- .../audio/jack-capture/default.nix | 2 +- pkgs/applications/audio/lingot/default.nix | 2 +- pkgs/applications/audio/mi2ly/default.nix | 2 +- pkgs/applications/audio/mp3info/default.nix | 2 +- pkgs/applications/audio/mp3val/default.nix | 2 +- pkgs/applications/audio/mpg321/default.nix | 2 +- pkgs/applications/audio/musescore/default.nix | 3 +- .../audio/pd-plugins/cyclone/default.nix | 2 +- .../audio/pd-plugins/maxlib/default.nix | 2 +- .../audio/pd-plugins/mrpeach/default.nix | 2 +- pkgs/applications/audio/rakarrack/default.nix | 2 +- .../audio/zynaddsubfx/default.nix | 2 +- pkgs/applications/editors/ht/default.nix | 2 +- pkgs/applications/editors/leafpad/default.nix | 2 +- .../graphics/cinepaint/default.nix | 2 +- pkgs/applications/graphics/giv/default.nix | 2 +- pkgs/applications/graphics/gqview/default.nix | 2 +- .../applications/graphics/meshlab/default.nix | 2 +- .../graphics/qtpfsgui/default.nix | 2 +- .../graphics/tesseract/default.nix | 2 +- pkgs/applications/graphics/xfig/default.nix | 2 +- pkgs/applications/inferno/default.nix | 2 +- pkgs/applications/misc/epdfview/default.nix | 2 +- pkgs/applications/misc/gkrellm/default.nix | 2 +- pkgs/applications/misc/grip/default.nix | 2 +- 
pkgs/applications/misc/k2pdfopt/default.nix | 2 +- pkgs/applications/misc/navit/default.nix | 2 +- pkgs/applications/misc/posterazor/default.nix | 2 +- pkgs/applications/misc/sdcv/default.nix | 2 +- pkgs/applications/misc/tasknc/default.nix | 2 +- pkgs/applications/misc/vym/default.nix | 2 +- pkgs/applications/misc/wordnet/default.nix | 2 +- .../browsers/vimprobable2/default.nix | 2 +- .../networking/browsers/w3m/default.nix | 2 +- .../silc-client/default.nix | 2 +- .../instant-messengers/vacuum/default.nix | 2 +- .../networking/iptraf-ng/default.nix | 2 +- .../networking/mailreaders/alpine/default.nix | 3 +- .../mailreaders/realpine/default.nix | 2 +- .../networking/remote/ssvnc/default.nix | 2 +- .../science/electronics/caneda/default.nix | 2 +- .../science/geometry/drgeo/default.nix | 2 +- .../science/logic/ltl2ba/default.nix | 2 +- .../science/logic/otter/default.nix | 2 +- .../science/logic/prover9/default.nix | 2 +- .../applications/science/math/cbc/default.nix | 2 +- .../science/math/perseus/default.nix | 2 +- .../science/math/qalculate-gtk/default.nix | 2 +- .../science/math/yacas/default.nix | 2 +- .../version-management/cvs/default.nix | 2 +- .../git-and-tools/git/default.nix | 2 +- .../git-and-tools/qgit/default.nix | 2 +- .../version-management/redmine/default.nix | 2 +- pkgs/applications/video/aegisub/default.nix | 3 +- .../virtualization/OVMF/default.nix | 4 +- .../virtualization/bochs/default.nix | 2 +- .../virtualization/cbfstool/default.nix | 2 +- .../virtualization/seabios/default.nix | 3 +- .../virtualbox/guest-additions/default.nix | 2 +- .../virtualization/xen/generic.nix | 4 +- .../window-managers/stalonetray/default.nix | 2 +- pkgs/build-support/cc-wrapper/add-hardening | 41 +++++++++++++++++++ pkgs/build-support/cc-wrapper/cc-wrapper.sh | 10 ++--- pkgs/build-support/cc-wrapper/default.nix | 1 + pkgs/build-support/cc-wrapper/ld-wrapper.sh | 5 ++- .../gnome-2/platform/libgnomecups/default.nix | 2 +- .../gnome-2/platform/libgtkhtml/default.nix 
| 2 +- .../gnome-3/3.18/misc/libgda/default.nix | 2 +- pkgs/desktops/kde-4.14/kdebindings/qtruby.nix | 2 +- .../xfce/panel-plugins/xfce4-verve-plugin.nix | 2 +- pkgs/development/compilers/clean/default.nix | 3 +- pkgs/development/compilers/dev86/default.nix | 2 +- pkgs/development/compilers/ecl/default.nix | 2 +- pkgs/development/compilers/edk2/default.nix | 3 +- .../development/compilers/gcc/4.3/default.nix | 3 +- .../development/compilers/gcc/4.4/default.nix | 2 +- .../development/compilers/gcc/4.5/default.nix | 3 +- .../development/compilers/gcc/4.6/default.nix | 2 +- .../development/compilers/gcc/4.8/default.nix | 2 +- .../development/compilers/gcc/4.9/default.nix | 5 +-- pkgs/development/compilers/gcc/5/default.nix | 2 +- pkgs/development/compilers/gcl/default.nix | 2 +- pkgs/development/compilers/ghc/6.10.4.nix | 2 +- pkgs/development/compilers/go/1.4.nix | 2 +- pkgs/development/compilers/go/1.5.nix | 2 +- pkgs/development/compilers/go/1.6.nix | 2 +- pkgs/development/compilers/mkcl/default.nix | 2 +- pkgs/development/compilers/squeak/default.nix | 2 +- .../compilers/swi-prolog/default.nix | 2 +- pkgs/development/compilers/teyjus/default.nix | 2 +- .../haskell-modules/configuration-common.nix | 12 ++---- .../development/interpreters/clisp/2.44.1.nix | 2 +- pkgs/development/interpreters/erlang/R14.nix | 2 +- .../development/interpreters/lush/default.nix | 2 +- .../development/interpreters/perl/default.nix | 2 +- .../interpreters/spidermonkey/default.nix | 2 +- .../interpreters/supercollider/default.nix | 2 +- pkgs/development/libraries/CoinMP/default.nix | 2 +- .../development/libraries/accelio/default.nix | 3 +- .../development/libraries/allegro/default.nix | 2 +- .../libraries/audio/libbs2b/default.nix | 2 +- pkgs/development/libraries/cgui/default.nix | 2 +- pkgs/development/libraries/cloog/0.18.0.nix | 2 +- pkgs/development/libraries/cwiid/default.nix | 2 +- pkgs/development/libraries/db/db-4.4.nix | 2 +- pkgs/development/libraries/db/db-4.5.nix | 2 +- 
pkgs/development/libraries/db/db-4.7.nix | 2 +- pkgs/development/libraries/db/db-4.8.nix | 2 +- pkgs/development/libraries/faac/default.nix | 2 +- pkgs/development/libraries/fox/default.nix | 2 +- pkgs/development/libraries/fox/fox-1.6.nix | 2 +- .../development/libraries/freetds/default.nix | 2 +- .../development/libraries/fribidi/default.nix | 2 +- pkgs/development/libraries/gd/default.nix | 2 +- pkgs/development/libraries/gdal/default.nix | 2 +- pkgs/development/libraries/gdal/gdal-1_11.nix | 2 +- pkgs/development/libraries/gdome2/default.nix | 2 +- .../development/libraries/geoclue/default.nix | 2 +- .../development/libraries/gettext/default.nix | 5 +-- pkgs/development/libraries/giflib/4.1.nix | 2 +- .../development/libraries/giflib/libungif.nix | 2 +- pkgs/development/libraries/glibc/common.nix | 2 +- pkgs/development/libraries/glibc/default.nix | 3 +- pkgs/development/libraries/gmp/5.1.x.nix | 2 +- .../development/libraries/gnu-efi/default.nix | 2 +- pkgs/development/libraries/isl/0.11.1.nix | 2 +- .../libraries/java/swt/default.nix | 2 +- pkgs/development/libraries/libelf/default.nix | 2 +- pkgs/development/libraries/libf2c/default.nix | 2 +- .../libraries/libgeotiff/default.nix | 2 +- .../libraries/libgphoto2/default.nix | 2 +- pkgs/development/libraries/libmpc/default.nix | 2 +- pkgs/development/libraries/librsync/0.9.nix | 2 +- .../libraries/libvisual/default.nix | 2 +- pkgs/development/libraries/mp4v2/default.nix | 2 +- pkgs/development/libraries/mpfr/default.nix | 2 +- .../nvidia-texture-tools/default.nix | 2 +- .../development/libraries/opencascade/6.5.nix | 2 +- .../libraries/opencascade/default.nix | 2 +- pkgs/development/libraries/opencv/3.x.nix | 3 +- pkgs/development/libraries/opencv/default.nix | 3 +- .../development/libraries/pdf2xml/default.nix | 2 +- .../libraries/portmidi/default.nix | 2 +- pkgs/development/libraries/pupnp/default.nix | 2 +- pkgs/development/libraries/qhull/default.nix | 2 +- pkgs/development/libraries/qt-3/default.nix | 2 
+- .../libraries/qtscriptgenerator/default.nix | 2 +- pkgs/development/libraries/smpeg/default.nix | 2 +- .../development/libraries/speechd/default.nix | 2 +- pkgs/development/libraries/tidyp/default.nix | 2 +- .../libraries/xmlrpc-c/default.nix | 2 +- pkgs/development/libraries/zlib/default.nix | 2 +- .../misc/avr-gcc-with-avr-libc/default.nix | 2 +- pkgs/development/pharo/vm/build-vm.nix | 2 +- .../python-modules/wxPython/generic.nix | 2 +- .../tools/analysis/cccc/default.nix | 2 +- .../tools/analysis/radare/default.nix | 2 +- .../tools/analysis/valgrind/default.nix | 2 +- .../development/tools/boost-build/default.nix | 2 +- .../tools/misc/binutils/default.nix | 2 +- .../tools/misc/elfutils/default.nix | 2 +- pkgs/development/tools/misc/gnum4/default.nix | 2 +- .../tools/misc/patchelf/default.nix | 2 +- pkgs/development/tools/misc/texinfo/6.0.nix | 2 +- pkgs/development/tools/omniorb/default.nix | 2 +- pkgs/development/tools/parsing/bison/3.x.nix | 2 +- pkgs/games/asc/default.nix | 2 +- pkgs/games/bsdgames/default.nix | 2 +- pkgs/games/crack-attack/default.nix | 2 +- pkgs/games/lincity/ng.nix | 2 +- pkgs/games/liquidwar/default.nix | 2 +- pkgs/games/pioneers/default.nix | 2 +- pkgs/games/stardust/default.nix | 2 +- pkgs/games/torcs/default.nix | 2 +- pkgs/games/xconq/default.nix | 2 +- pkgs/games/zandronum/default.nix | 2 +- pkgs/misc/emulators/dosbox/default.nix | 2 +- pkgs/misc/emulators/mupen64plus/default.nix | 2 +- pkgs/misc/emulators/nestopia/default.nix | 2 +- pkgs/misc/emulators/uae/default.nix | 2 +- pkgs/misc/mxt-app/default.nix | 2 +- pkgs/os-specific/linux/acpi-call/default.nix | 2 +- pkgs/os-specific/linux/batman-adv/default.nix | 2 +- pkgs/os-specific/linux/bbswitch/default.nix | 2 +- pkgs/os-specific/linux/blcr/default.nix | 2 +- pkgs/os-specific/linux/busybox/default.nix | 2 +- pkgs/os-specific/linux/criu/default.nix | 3 +- pkgs/os-specific/linux/dietlibc/default.nix | 3 +- .../linux/disk-indicator/default.nix | 3 +- 
pkgs/os-specific/linux/facetimehd/default.nix | 2 +- pkgs/os-specific/linux/gogoclient/default.nix | 2 +- pkgs/os-specific/linux/ifenslave/default.nix | 2 +- pkgs/os-specific/linux/jool/default.nix | 2 +- .../os-specific/linux/kernel-headers/3.18.nix | 2 +- .../linux/kernel/manual-config.nix | 6 +-- pkgs/os-specific/linux/kexectools/default.nix | 2 +- pkgs/os-specific/linux/klibc/default.nix | 3 +- .../linux/lttng-modules/default.nix | 2 +- .../linux/multipath-tools/default.nix | 2 +- pkgs/os-specific/linux/netatop/default.nix | 2 +- pkgs/os-specific/linux/numad/default.nix | 2 +- pkgs/os-specific/linux/paxctl/default.nix | 2 +- pkgs/os-specific/linux/phc-intel/default.nix | 2 +- pkgs/os-specific/linux/rtl8812au/default.nix | 2 +- pkgs/os-specific/linux/setools/default.nix | 2 +- pkgs/os-specific/linux/spl/default.nix | 2 +- pkgs/os-specific/linux/sysdig/default.nix | 2 +- pkgs/os-specific/linux/syslinux/default.nix | 3 +- pkgs/os-specific/linux/tp_smapi/default.nix | 2 +- .../linux/v4l2loopback/default.nix | 3 +- pkgs/os-specific/linux/v86d/default.nix | 2 +- .../linux/xf86-video-nested/default.nix | 2 +- pkgs/os-specific/linux/zfs/default.nix | 2 +- pkgs/servers/beanstalkd/default.nix | 2 +- pkgs/servers/firebird/default.nix | 2 +- pkgs/servers/gpm/default.nix | 2 +- pkgs/servers/http/nginx/default.nix | 2 +- pkgs/servers/icecast/default.nix | 2 +- pkgs/servers/irc/charybdis/default.nix | 2 +- pkgs/servers/mail/postfix/3.0.nix | 2 +- pkgs/servers/mail/postfix/default.nix | 4 +- pkgs/servers/memcached/default.nix | 2 +- pkgs/servers/nosql/mongodb/default.nix | 2 +- pkgs/servers/nosql/riak/1.3.1.nix | 2 +- pkgs/servers/nosql/riak/2.1.1.nix | 2 +- pkgs/servers/openafs-client/default.nix | 2 +- pkgs/servers/sip/freeswitch/default.nix | 2 +- pkgs/shells/dash/default.nix | 2 +- pkgs/stdenv/adapters.nix | 20 --------- pkgs/tools/X11/xbindkeys-config/default.nix | 2 +- pkgs/tools/admin/tightvnc/default.nix | 2 +- pkgs/tools/archivers/sharutils/default.nix | 2 +- 
pkgs/tools/archivers/unzip/default.nix | 2 +- pkgs/tools/archivers/xarchive/default.nix | 2 +- pkgs/tools/archivers/zip/default.nix | 2 +- pkgs/tools/bootloaders/refind/default.nix | 2 +- pkgs/tools/cd-dvd/cdrdao/default.nix | 2 +- pkgs/tools/cd-dvd/cdrkit/default.nix | 2 +- pkgs/tools/cd-dvd/dvdisaster/default.nix | 2 +- pkgs/tools/compression/xz/default.nix | 2 +- pkgs/tools/filesystems/fusesmb/default.nix | 2 +- pkgs/tools/filesystems/udftools/default.nix | 3 +- pkgs/tools/graphics/barcode/default.nix | 2 +- pkgs/tools/graphics/editres/default.nix | 2 +- pkgs/tools/graphics/ggobi/default.nix | 2 +- pkgs/tools/graphics/graphviz/2.0.nix | 3 +- pkgs/tools/graphics/graphviz/2.32.nix | 2 +- pkgs/tools/graphics/graphviz/default.nix | 2 +- pkgs/tools/graphics/nifskope/default.nix | 2 +- pkgs/tools/graphics/plotutils/default.nix | 2 +- pkgs/tools/graphics/pngcheck/default.nix | 2 +- pkgs/tools/graphics/qrcode/default.nix | 2 +- pkgs/tools/graphics/transfig/default.nix | 2 +- pkgs/tools/graphics/zbar/default.nix | 2 +- pkgs/tools/misc/coreutils/default.nix | 2 +- pkgs/tools/misc/ddccontrol/default.nix | 2 +- pkgs/tools/misc/detox/default.nix | 2 +- pkgs/tools/misc/expect/default.nix | 2 +- pkgs/tools/misc/gbdfed/default.nix | 2 +- pkgs/tools/misc/grub/2.0x.nix | 2 +- pkgs/tools/misc/grub/default.nix | 2 +- pkgs/tools/misc/grub/trusted.nix | 3 +- pkgs/tools/misc/gummiboot/default.nix | 2 +- pkgs/tools/misc/ipxe/default.nix | 3 +- pkgs/tools/misc/memtest86+/default.nix | 3 +- pkgs/tools/misc/pal/default.nix | 2 +- pkgs/tools/misc/sutils/default.nix | 2 +- pkgs/tools/misc/uucp/default.nix | 2 +- pkgs/tools/misc/vorbisgain/default.nix | 2 +- pkgs/tools/misc/wv/default.nix | 2 +- pkgs/tools/misc/xfstests/default.nix | 2 +- pkgs/tools/networking/chrony/default.nix | 2 +- pkgs/tools/networking/dhcpdump/default.nix | 2 +- pkgs/tools/networking/dnsmasq/default.nix | 2 +- pkgs/tools/networking/eggdrop/default.nix | 2 +- pkgs/tools/networking/iperf/2.nix | 2 +- 
pkgs/tools/networking/mailutils/default.nix | 2 +- pkgs/tools/networking/netboot/default.nix | 2 +- pkgs/tools/networking/ntp/default.nix | 2 +- .../tools/networking/openfortivpn/default.nix | 2 +- pkgs/tools/networking/openssh/default.nix | 2 +- pkgs/tools/networking/radvd/default.nix | 2 +- pkgs/tools/networking/socat/default.nix | 2 +- pkgs/tools/networking/telnet/default.nix | 2 +- pkgs/tools/networking/trickle/default.nix | 2 +- pkgs/tools/networking/uwimap/default.nix | 2 +- pkgs/tools/networking/vde2/default.nix | 2 +- .../checkinstall/default.nix | 2 +- .../tools/package-management/clib/default.nix | 2 +- pkgs/tools/security/fprint_demo/default.nix | 2 +- pkgs/tools/security/tboot/default.nix | 3 +- pkgs/tools/system/cron/default.nix | 2 +- pkgs/tools/system/foremost/default.nix | 2 +- pkgs/tools/system/gdmap/default.nix | 2 +- pkgs/tools/system/rsyslog/default.nix | 2 +- pkgs/tools/system/which/default.nix | 2 +- pkgs/tools/text/a2ps/default.nix | 2 +- pkgs/tools/text/patchutils/default.nix | 2 +- pkgs/tools/text/untex/default.nix | 2 +- pkgs/tools/typesetting/tex/tetex/default.nix | 2 +- .../tools/typesetting/tex/texlive-new/bin.nix | 4 +- pkgs/tools/video/mjpegtools/default.nix | 2 +- pkgs/tools/video/vncrec/default.nix | 2 +- pkgs/top-level/all-packages.nix | 4 +- 309 files changed, 366 insertions(+), 373 deletions(-) create mode 100644 pkgs/build-support/cc-wrapper/add-hardening diff --git a/pkgs/applications/audio/QmidiNet/default.nix b/pkgs/applications/audio/QmidiNet/default.nix index c0879e58aca..42c98cbb110 100644 --- a/pkgs/applications/audio/QmidiNet/default.nix +++ b/pkgs/applications/audio/QmidiNet/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1a1pj4w74wj1gcfv4a0vzcglmr5sw0xp0y56w8rk3ig4k11xi8sa"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ qt4 alsaLib libjack2 ]; 
diff --git a/pkgs/applications/audio/aacgain/default.nix b/pkgs/applications/audio/aacgain/default.nix index 80e3c5dc40a..a22866dc031 100644 --- a/pkgs/applications/audio/aacgain/default.nix +++ b/pkgs/applications/audio/aacgain/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { sha256 = "07hl432vsscqg01b6wr99qmsj4gbx0i02x4k565432y6zpfmaxm0"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; configurePhase = '' cd mp4v2 diff --git a/pkgs/applications/audio/cdparanoia/default.nix b/pkgs/applications/audio/cdparanoia/default.nix index 9de3bef62ad..abe679f10bc 100644 --- a/pkgs/applications/audio/cdparanoia/default.nix +++ b/pkgs/applications/audio/cdparanoia/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = "unset CC"; diff --git a/pkgs/applications/audio/csound/default.nix b/pkgs/applications/audio/csound/default.nix index 1cc0e56fe7e..e1c063d823d 100644 --- a/pkgs/applications/audio/csound/default.nix +++ b/pkgs/applications/audio/csound/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; src = fetchurl { url = mirror://sourceforge/csound/Csound6.04.tar.gz; diff --git a/pkgs/applications/audio/freewheeling/default.nix b/pkgs/applications/audio/freewheeling/default.nix index eae7ce390c0..1611975182b 100644 --- a/pkgs/applications/audio/freewheeling/default.nix +++ b/pkgs/applications/audio/freewheeling/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation { patches = [ ./am_path_sdl.patch ./xml.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "A live looping instrument with JACK and MIDI support"; diff --git a/pkgs/applications/audio/jack-capture/default.nix b/pkgs/applications/audio/jack-capture/default.nix index 7a5095f3788..ec7f7a5c32d 100644 
--- a/pkgs/applications/audio/jack-capture/default.nix +++ b/pkgs/applications/audio/jack-capture/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { cp jack_capture $out/bin/ ''; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "A program for recording soundfiles with jack"; diff --git a/pkgs/applications/audio/lingot/default.nix b/pkgs/applications/audio/lingot/default.nix index 92e39f7bb11..22ab37dc98a 100644 --- a/pkgs/applications/audio/lingot/default.nix +++ b/pkgs/applications/audio/lingot/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "0ygras6ndw2fylwxx86ac11pcr2y2bcfvvgiwrh92z6zncx254gc"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ pkgconfig intltool gtk alsaLib libglade ]; diff --git a/pkgs/applications/audio/mi2ly/default.nix b/pkgs/applications/audio/mi2ly/default.nix index 67ac74f5f5a..fa4ea6343e9 100644 --- a/pkgs/applications/audio/mi2ly/default.nix +++ b/pkgs/applications/audio/mi2ly/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation { sourceRoot="."; - hardening_format = false; + hardeningDisable = [ "format" ]; buildPhase = "./cc"; installPhase = '' diff --git a/pkgs/applications/audio/mp3info/default.nix b/pkgs/applications/audio/mp3info/default.nix index f2434619c47..d28cd7c9e06 100644 --- a/pkgs/applications/audio/mp3info/default.nix +++ b/pkgs/applications/audio/mp3info/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses pkgconfig gtk ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configurePhase = '' sed -i Makefile \ diff --git a/pkgs/applications/audio/mp3val/default.nix b/pkgs/applications/audio/mp3val/default.nix index abea5521571..7477bea7602 100644 --- a/pkgs/applications/audio/mp3val/default.nix +++ b/pkgs/applications/audio/mp3val/default.nix 
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec { install -Dv mp3val "$out/bin/mp3val" ''; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = { description = "A tool for validating and repairing MPEG audio streams"; diff --git a/pkgs/applications/audio/mpg321/default.nix b/pkgs/applications/audio/mpg321/default.nix index c5bcd5ab4e4..b68c44278ee 100644 --- a/pkgs/applications/audio/mpg321/default.nix +++ b/pkgs/applications/audio/mpg321/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no")) diff --git a/pkgs/applications/audio/musescore/default.nix b/pkgs/applications/audio/musescore/default.nix index b6a98268a9b..b89278a7fd9 100644 --- a/pkgs/applications/audio/musescore/default.nix +++ b/pkgs/applications/audio/musescore/default.nix @@ -13,8 +13,7 @@ stdenv.mkDerivation rec { sha256 = "12a83v4i830gj76z5744034y1vvwzgy27mjbjp508yh9bd328yqw"; }; - hardening_bindnow = false; - hardening_relro = false; + hardeningDisable = [ "relro" "bindnow" ]; makeFlags = [ "PREFIX=$(out)" diff --git a/pkgs/applications/audio/pd-plugins/cyclone/default.nix b/pkgs/applications/audio/pd-plugins/cyclone/default.nix index 460745ddddb..e4ec281cacb 100644 --- a/pkgs/applications/audio/pd-plugins/cyclone/default.nix +++ b/pkgs/applications/audio/pd-plugins/cyclone/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ puredata ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' for file in `grep -r -l g_canvas.h` diff --git a/pkgs/applications/audio/pd-plugins/maxlib/default.nix b/pkgs/applications/audio/pd-plugins/maxlib/default.nix index 1eb0e1be654..3b836d9eb33 100644 --- a/pkgs/applications/audio/pd-plugins/maxlib/default.nix +++ b/pkgs/applications/audio/pd-plugins/maxlib/default.nix 
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ puredata ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' for i in ${puredata}/include/pd/*; do diff --git a/pkgs/applications/audio/pd-plugins/mrpeach/default.nix b/pkgs/applications/audio/pd-plugins/mrpeach/default.nix index 207967a978f..972a162b73f 100644 --- a/pkgs/applications/audio/pd-plugins/mrpeach/default.nix +++ b/pkgs/applications/audio/pd-plugins/mrpeach/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { buildInputs = [ puredata ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' for D in net osc diff --git a/pkgs/applications/audio/rakarrack/default.nix b/pkgs/applications/audio/rakarrack/default.nix index 647ed9036dc..822e0d5548b 100644 --- a/pkgs/applications/audio/rakarrack/default.nix +++ b/pkgs/applications/audio/rakarrack/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { sha256 = "1rpf63pdn54c4yg13k7cb1w1c7zsvl97c4qxcpz41c8l91xd55kn"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./fltk-path.patch ]; diff --git a/pkgs/applications/audio/zynaddsubfx/default.nix b/pkgs/applications/audio/zynaddsubfx/default.nix index c784b33700e..ece3cbef596 100644 --- a/pkgs/applications/audio/zynaddsubfx/default.nix +++ b/pkgs/applications/audio/zynaddsubfx/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { buildInputs = [ alsaLib libjack2 fftw fltk13 libjpeg minixml zlib liblo ]; nativeBuildInputs = [ cmake pkgconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "High quality software synthesizer"; diff --git a/pkgs/applications/editors/ht/default.nix b/pkgs/applications/editors/ht/default.nix index 5ddcf34995f..2817bd168de 100644 --- a/pkgs/applications/editors/ht/default.nix +++ b/pkgs/applications/editors/ht/default.nix 
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec { ncurses ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with lib; { description = "File editor/viewer/analyzer for executables"; diff --git a/pkgs/applications/editors/leafpad/default.nix b/pkgs/applications/editors/leafpad/default.nix index f3755db448c..a5b0f2e400a 100644 --- a/pkgs/applications/editors/leafpad/default.nix +++ b/pkgs/applications/editors/leafpad/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ intltool pkgconfig gtk ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--enable-chooser" diff --git a/pkgs/applications/graphics/cinepaint/default.nix b/pkgs/applications/graphics/cinepaint/default.nix index 7b8281b4e3c..4866ba92add 100644 --- a/pkgs/applications/graphics/cinepaint/default.nix +++ b/pkgs/applications/graphics/cinepaint/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { libXext libXpm libXau libXxf86vm pixman libpthreadstubs fltk ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./install.patch ]; diff --git a/pkgs/applications/graphics/giv/default.nix b/pkgs/applications/graphics/giv/default.nix index c33da655222..bd1a8d03ec4 100644 --- a/pkgs/applications/graphics/giv/default.nix +++ b/pkgs/applications/graphics/giv/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1q0806b66ajppxbv1i71wx5d3ydc1h3hsz23m6g4g80dhiai7dly"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; prePatch = '' sed -i s,/usr/bin/perl,${perl}/bin/perl, doc/eperl diff --git a/pkgs/applications/graphics/gqview/default.nix b/pkgs/applications/graphics/gqview/default.nix index ff069d0d972..822ef8ad435 100644 --- a/pkgs/applications/graphics/gqview/default.nix +++ b/pkgs/applications/graphics/gqview/default.nix 
@@ -15,7 +15,7 @@ stdenv.mkDerivation { buildInputs = [pkgconfig gtk libpng]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "A fast image viewer"; diff --git a/pkgs/applications/graphics/meshlab/default.nix b/pkgs/applications/graphics/meshlab/default.nix index c3aed10d00c..fa1958059b8 100644 --- a/pkgs/applications/graphics/meshlab/default.nix +++ b/pkgs/applications/graphics/meshlab/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { patches = [ ./include-unistd.diff ]; - hardening_format = false; + hardeningDisable = [ "format" ]; buildPhase = '' mkdir -p "$out/include" diff --git a/pkgs/applications/graphics/qtpfsgui/default.nix b/pkgs/applications/graphics/qtpfsgui/default.nix index da6521199c5..e6a0453e533 100644 --- a/pkgs/applications/graphics/qtpfsgui/default.nix +++ b/pkgs/applications/graphics/qtpfsgui/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ qt4 exiv2 openexr fftwSinglePrec libtiff ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configurePhase = '' export CPATH="${ilmbase}/include/OpenEXR:$CPATH" diff --git a/pkgs/applications/graphics/tesseract/default.nix b/pkgs/applications/graphics/tesseract/default.nix index b3db2fde4cb..375b0999548 100644 --- a/pkgs/applications/graphics/tesseract/default.nix +++ b/pkgs/applications/graphics/tesseract/default.nix @@ -38,7 +38,7 @@ stdenv.mkDerivation rec { buildInputs = [ autoconf automake libtool leptonica libpng libtiff ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' ./autogen.sh diff --git a/pkgs/applications/graphics/xfig/default.nix b/pkgs/applications/graphics/xfig/default.nix index 4f8f3ac16f4..6903837e5ad 100644 --- a/pkgs/applications/graphics/xfig/default.nix +++ b/pkgs/applications/graphics/xfig/default.nix 
@@ -16,7 +16,7 @@ stdenv.mkDerivation { nativeBuildInputs = [ imake makeWrapper ]; - hardening_format = false; + hardeningDisable = [ "format" ]; NIX_CFLAGS_COMPILE = "-I${libXpm}/include/X11"; diff --git a/pkgs/applications/inferno/default.nix b/pkgs/applications/inferno/default.nix index 3c970e40b48..b1574ea6963 100644 --- a/pkgs/applications/inferno/default.nix +++ b/pkgs/applications/inferno/default.nix @@ -46,7 +46,7 @@ stdenv.mkDerivation rec { --set INFERNO_ROOT "$out/share/inferno" ''; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = { description = "A compact distributed operating system for building cross-platform distributed systems"; diff --git a/pkgs/applications/misc/epdfview/default.nix b/pkgs/applications/misc/epdfview/default.nix index 7810284973f..782ef4ae366 100644 --- a/pkgs/applications/misc/epdfview/default.nix +++ b/pkgs/applications/misc/epdfview/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig gtk poppler ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ (fetchpatch { name = "epdfview-0.1.8-glib2-headers.patch"; diff --git a/pkgs/applications/misc/gkrellm/default.nix b/pkgs/applications/misc/gkrellm/default.nix index 7c755a4f3d3..cf7fdafd742 100644 --- a/pkgs/applications/misc/gkrellm/default.nix +++ b/pkgs/applications/misc/gkrellm/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { buildInputs = [gettext pkgconfig glib gtk libX11 libSM libICE]; - hardening_format = false; + hardeningDisable = [ "format" ]; # Makefiles are patched to fix references to `/usr/X11R6' and to add # `-lX11' to make sure libX11's store path is in the RPATH. diff --git a/pkgs/applications/misc/grip/default.nix b/pkgs/applications/misc/grip/default.nix index 86127d56b01..e0ece09db18 100644 --- a/pkgs/applications/misc/grip/default.nix +++ b/pkgs/applications/misc/grip/default.nix 
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ gtk glib pkgconfig libgnome libgnomeui vte curl cdparanoia libid3tag ncurses libtool ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "GTK+-based audio CD player/ripper"; diff --git a/pkgs/applications/misc/k2pdfopt/default.nix b/pkgs/applications/misc/k2pdfopt/default.nix index dac597fe67c..7c0d615f366 100644 --- a/pkgs/applications/misc/k2pdfopt/default.nix +++ b/pkgs/applications/misc/k2pdfopt/default.nix @@ -31,7 +31,7 @@ in stdenv.mkDerivation rec { openjpeg freetype jbig2dec djvulibre openssl ]; NIX_LDFLAGS = "-lX11 -lXext"; - hardening_format = false; + hardeningDisable = [ "format" ]; k2_pa = ./k2pdfopt.patch; tess_pa = ./tesseract.patch; diff --git a/pkgs/applications/misc/navit/default.nix b/pkgs/applications/misc/navit/default.nix index 67f474cefac..5f70d4b5c44 100644 --- a/pkgs/applications/misc/navit/default.nix +++ b/pkgs/applications/misc/navit/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1xx62l5srfhh9cfi7n3pxj8hpcgr1rpa0hzfmbrqadzv09z36723"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # 'cvs' is only for the autogen buildInputs = [ pkgconfig gtk SDL fontconfig freetype imlib2 SDL_image mesa diff --git a/pkgs/applications/misc/posterazor/default.nix b/pkgs/applications/misc/posterazor/default.nix index 43da0c92a42..b6d46cf9ed1 100644 --- a/pkgs/applications/misc/posterazor/default.nix +++ b/pkgs/applications/misc/posterazor/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1dqpdk8zl0smdg4fganp3hxb943q40619qmxjlga9jhjc01s7fq5"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ cmake unzip pkgconfig libXpm fltk13 freeimage ]; diff --git a/pkgs/applications/misc/sdcv/default.nix b/pkgs/applications/misc/sdcv/default.nix index 6a768d44958..8e781cd1c02 100644 --- a/pkgs/applications/misc/sdcv/default.nix +++ b/pkgs/applications/misc/sdcv/default.nix 
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec { sha256 = "1cnyv7gd1qvz8ma8545d3aq726wxrx4km7ykl97831irx5wz0r51"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = ( if stdenv.isDarwin then [ ./sdcv.cpp.patch-darwin ./utils.hpp.patch ] diff --git a/pkgs/applications/misc/tasknc/default.nix b/pkgs/applications/misc/tasknc/default.nix index d725bba0307..b7b9d36b4cb 100644 --- a/pkgs/applications/misc/tasknc/default.nix +++ b/pkgs/applications/misc/tasknc/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0max5schga9hmf3vfqk2ic91dr6raxglyyjcqchzla280kxn5c28"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # # I know this is ugly, but the Makefile does strange things in this package, diff --git a/pkgs/applications/misc/vym/default.nix b/pkgs/applications/misc/vym/default.nix index a62f7cd2aa6..e595d771ec0 100644 --- a/pkgs/applications/misc/vym/default.nix +++ b/pkgs/applications/misc/vym/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig qt4 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configurePhase = '' qmake PREFIX="$out" diff --git a/pkgs/applications/misc/wordnet/default.nix b/pkgs/applications/misc/wordnet/default.nix index d5edf2a4d58..2f98bc66e9b 100644 --- a/pkgs/applications/misc/wordnet/default.nix +++ b/pkgs/applications/misc/wordnet/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { buildInputs = [tcl tk xlibsWrapper makeWrapper]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' sed "13i#define USE_INTERP_RESULT 1" -i src/stubs.c diff --git a/pkgs/applications/networking/browsers/vimprobable2/default.nix b/pkgs/applications/networking/browsers/vimprobable2/default.nix index 3d40aa1f60c..2415c06dba4 100644 --- a/pkgs/applications/networking/browsers/vimprobable2/default.nix +++ b/pkgs/applications/networking/browsers/vimprobable2/default.nix 
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ]; - hardening_format = false; + hardeningDisable = [ "format" ]; installFlags = "PREFIX=/ DESTDIR=$(out)"; diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix index cc3e55f02e9..ae1bf5bffea 100644 --- a/pkgs/applications/networking/browsers/w3m/default.nix +++ b/pkgs/applications/networking/browsers/w3m/default.nix @@ -50,7 +50,7 @@ stdenv.mkDerivation rec { ln -s $out/libexec/w3m/w3mimgdisplay $out/bin ''; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}" + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb"; diff --git a/pkgs/applications/networking/instant-messengers/silc-client/default.nix b/pkgs/applications/networking/instant-messengers/silc-client/default.nix index 156b138f290..b765c97fb8e 100644 --- a/pkgs/applications/networking/instant-messengers/silc-client/default.nix +++ b/pkgs/applications/networking/instant-messengers/silc-client/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation { dontDisableStatic = true; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--with-ncurses=${ncurses}"; diff --git a/pkgs/applications/networking/instant-messengers/vacuum/default.nix b/pkgs/applications/networking/instant-messengers/vacuum/default.nix index 181cd3301e3..12466379bf9 100644 --- a/pkgs/applications/networking/instant-messengers/vacuum/default.nix +++ b/pkgs/applications/networking/instant-messengers/vacuum/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { configurePhase = "qmake INSTALL_PREFIX=$out -recursive vacuum.pro"; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ qt4 openssl xproto libX11 libXScrnSaver scrnsaverproto xz 
diff --git a/pkgs/applications/networking/iptraf-ng/default.nix b/pkgs/applications/networking/iptraf-ng/default.nix index 8084d5133f1..746d79805f5 100644 --- a/pkgs/applications/networking/iptraf-ng/default.nix +++ b/pkgs/applications/networking/iptraf-ng/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { --localstatedir=$out/var --sbindir=$out/bin ''; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "A console-based network monitoring utility (fork of iptraf)"; diff --git a/pkgs/applications/networking/mailreaders/alpine/default.nix b/pkgs/applications/networking/mailreaders/alpine/default.nix index c77b51d7064..b86de98f950 100644 --- a/pkgs/applications/networking/mailreaders/alpine/default.nix +++ b/pkgs/applications/networking/mailreaders/alpine/default.nix @@ -18,8 +18,7 @@ stdenv.mkDerivation { ncurses tcl openssl pam kerberos openldap ]; - hardening_format = false; - hardening_fortify = false; + hardeningDisable = [ "format" "fortify" ]; configureFlags = [ "--with-ssl-include-dir=${openssl}/include/openssl" diff --git a/pkgs/applications/networking/mailreaders/realpine/default.nix b/pkgs/applications/networking/mailreaders/realpine/default.nix index 1ee42531465..3ff690a244b 100644 --- a/pkgs/applications/networking/mailreaders/realpine/default.nix +++ b/pkgs/applications/networking/mailreaders/realpine/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation { ncurses tcl openssl pam kerberos openldap ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--with-ssl-include-dir=${openssl}/include/openssl" diff --git a/pkgs/applications/networking/remote/ssvnc/default.nix b/pkgs/applications/networking/remote/ssvnc/default.nix index 681ace6ab8f..ed64629fe24 100644 --- a/pkgs/applications/networking/remote/ssvnc/default.nix +++ b/pkgs/applications/networking/remote/ssvnc/default.nix 
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec { configurePhase = "makeFlags=PREFIX=$out"; - hardening_format = false; + hardeningDisable = [ "format" ]; postInstall = '' sed -i -e 's|exec wish|exec ${tk}/bin/wish|' $out/lib/ssvnc/util/ssvnc.tcl diff --git a/pkgs/applications/science/electronics/caneda/default.nix b/pkgs/applications/science/electronics/caneda/default.nix index 152aec27d83..dc00cef8898 100644 --- a/pkgs/applications/science/electronics/caneda/default.nix +++ b/pkgs/applications/science/electronics/caneda/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { sha256 = "dfbcac97f5a1b41ad9a63392394f37fb294cbf78c576673c9bc4a5370957b2c8"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ cmake qt4 libxml2 libxslt ]; diff --git a/pkgs/applications/science/geometry/drgeo/default.nix b/pkgs/applications/science/geometry/drgeo/default.nix index c5c2cee62e8..22e64ee0566 100644 --- a/pkgs/applications/science/geometry/drgeo/default.nix +++ b/pkgs/applications/science/geometry/drgeo/default.nix @@ -5,7 +5,7 @@ stdenv.mkDerivation rec { name = "drgeo-${version}"; version = "1.1.0"; - hardening_format = false; + hardeningDisable = [ "format" ]; src = fetchurl { url = "mirror://sourceforge/ofset/${name}.tar.gz"; diff --git a/pkgs/applications/science/logic/ltl2ba/default.nix b/pkgs/applications/science/logic/ltl2ba/default.nix index cb0c308b129..8eedafcd68b 100644 --- a/pkgs/applications/science/logic/ltl2ba/default.nix +++ b/pkgs/applications/science/logic/ltl2ba/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "16z0gc7a9dkarwn0l6rvg5jdhw1q4qyn4501zlchy0zxqddz0sx6"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' substituteInPlace Makefile \ diff --git a/pkgs/applications/science/logic/otter/default.nix b/pkgs/applications/science/logic/otter/default.nix index b0b001f7b3c..dd383f1fff6 100644 --- a/pkgs/applications/science/logic/otter/default.nix 
+++ b/pkgs/applications/science/logic/otter/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation { inherit (s) url sha256; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildPhase = '' find . -name Makefile | xargs sed -i -e "s@/bin/rm@$(type -P rm)@g" diff --git a/pkgs/applications/science/logic/prover9/default.nix b/pkgs/applications/science/logic/prover9/default.nix index f6ec3b840ac..9c09ea3db98 100644 --- a/pkgs/applications/science/logic/prover9/default.nix +++ b/pkgs/applications/science/logic/prover9/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "1l2i3d3h5z7nnbzilb6z92r0rbx0kh6yaxn2c5qhn3000xcfsay3"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' RM=$(type -tp rm) diff --git a/pkgs/applications/science/math/cbc/default.nix b/pkgs/applications/science/math/cbc/default.nix index f294750928e..7643c912db4 100644 --- a/pkgs/applications/science/math/cbc/default.nix +++ b/pkgs/applications/science/math/cbc/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ zlib bzip2 ]; diff --git a/pkgs/applications/science/math/perseus/default.nix b/pkgs/applications/science/math/perseus/default.nix index d2694392efa..ae63716f106 100644 --- a/pkgs/applications/science/math/perseus/default.nix +++ b/pkgs/applications/science/math/perseus/default.nix @@ -5,7 +5,7 @@ stdenv.mkDerivation { version = "4-beta"; buildInputs = [unzip gcc48]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; src = fetchurl { url = "http://www.sas.upenn.edu/~vnanda/source/perseus_4_beta.zip"; diff --git a/pkgs/applications/science/math/qalculate-gtk/default.nix b/pkgs/applications/science/math/qalculate-gtk/default.nix index 77026eb490a..d27f998b793 100644 --- a/pkgs/applications/science/math/qalculate-gtk/default.nix +++ b/pkgs/applications/science/math/qalculate-gtk/default.nix 
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0b986x5yny9vrzgxlbyg80b23mxylxv2zz8ppd9svhva6vi8xsm4"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; nativeBuildInputs = [ intltool pkgconfig ]; buildInputs = [ libqalculate gtk gnome2.libglade gnome2.libgnome gnome2.scrollkeeper ]; diff --git a/pkgs/applications/science/math/yacas/default.nix b/pkgs/applications/science/math/yacas/default.nix index af284a2f82e..adf87c4ee5b 100644 --- a/pkgs/applications/science/math/yacas/default.nix +++ b/pkgs/applications/science/math/yacas/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1dmafm3w0lm5w211nwkfzaid1rvvmgskz7k4500pjhgdczi5sd78"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # Perl is only for the documentation nativeBuildInputs = [ perl ]; diff --git a/pkgs/applications/version-management/cvs/default.nix b/pkgs/applications/version-management/cvs/default.nix index 4912ce0b3e6..20d027da1f3 100644 --- a/pkgs/applications/version-management/cvs/default.nix +++ b/pkgs/applications/version-management/cvs/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { patches = [ ./getcwd-chroot.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' # Apply the Debian patches. diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index 2799c25527b..4e86e9328c8 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation { sha256 = "1zkbdmh5gvxalr8l1cwnirqq5raijmp2d0s36s6qabrlvqvq2yj7"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./docbook2texi.patch diff --git a/pkgs/applications/version-management/git-and-tools/qgit/default.nix b/pkgs/applications/version-management/git-and-tools/qgit/default.nix index 6240baac8f1..6cafe4f9624 100644 
--- a/pkgs/applications/version-management/git-and-tools/qgit/default.nix +++ b/pkgs/applications/version-management/git-and-tools/qgit/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [qt libXext libX11]; - hardening_format = false; + hardeningDisable = [ "format" ]; configurePhase = "qmake PREFIX=$out"; diff --git a/pkgs/applications/version-management/redmine/default.nix b/pkgs/applications/version-management/redmine/default.nix index 982dcb1d56b..2f03d582a94 100644 --- a/pkgs/applications/version-management/redmine/default.nix +++ b/pkgs/applications/version-management/redmine/default.nix @@ -11,7 +11,7 @@ in stdenv.mkDerivation rec { sha256 = "0x0zwxyj4dwbk7l64s3lgny10mjf0ba8jwrbafsm4d72sncmacv0"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # taken from redmine (2.5.1-2~bpo70+3) in debian wheezy-backports # needed to separate run-time and build-time directories diff --git a/pkgs/applications/video/aegisub/default.nix b/pkgs/applications/video/aegisub/default.nix index 49e2662adb4..cbaea3eb18b 100644 --- a/pkgs/applications/video/aegisub/default.nix +++ b/pkgs/applications/video/aegisub/default.nix @@ -43,8 +43,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_bindnow = false; - hardening_relro = false; + hardeningDisable = [ "bindnow" "relro" ]; postInstall = "ln -s $out/bin/aegisub-* $out/bin/aegisub"; diff --git a/pkgs/applications/virtualization/OVMF/default.nix b/pkgs/applications/virtualization/OVMF/default.nix index 513242271a1..fc3c679d414 100644 --- a/pkgs/applications/virtualization/OVMF/default.nix +++ b/pkgs/applications/virtualization/OVMF/default.nix 
@@ -17,9 +17,7 @@ stdenv.mkDerivation (edk2.setup "OvmfPkg/OvmfPkg${targetArch}.dsc" { # TODO: properly include openssl for secureBoot buildInputs = [nasm iasl] ++ stdenv.lib.optionals (secureBoot == true) [ openssl ]; - hardening_stackprotector = false; - hardening_pic = false; - hardening_fortify = false; + hardeningDisable = [ "stackprotector" "pic" "fortify" ]; unpackPhase = '' for file in \ diff --git a/pkgs/applications/virtualization/bochs/default.nix b/pkgs/applications/virtualization/bochs/default.nix index 705691b1682..952ae1f922d 100644 --- a/pkgs/applications/virtualization/bochs/default.nix +++ b/pkgs/applications/virtualization/bochs/default.nix @@ -146,7 +146,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE="-I${gtk}/include/gtk-2.0/ -I${libtool}/include/"; NIX_LDFLAGS="-L${libtool}/lib"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "An open-source IA-32 (x86) PC emulator"; diff --git a/pkgs/applications/virtualization/cbfstool/default.nix b/pkgs/applications/virtualization/cbfstool/default.nix index 01832b55292..dc78236677f 100644 --- a/pkgs/applications/virtualization/cbfstool/default.nix +++ b/pkgs/applications/virtualization/cbfstool/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ iasl flex bison ]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; buildPhase = '' export LEX=${flex}/bin/flex diff --git a/pkgs/applications/virtualization/seabios/default.nix b/pkgs/applications/virtualization/seabios/default.nix index a06523973b7..3bc95a1c392 100644 --- a/pkgs/applications/virtualization/seabios/default.nix +++ b/pkgs/applications/virtualization/seabios/default.nix @@ -12,8 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ iasl python ]; - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "pic" "stackprotector" ]; configurePhase = '' # build SeaBIOS for CSM 
diff --git a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix index d579a6445d1..1c85723c395 100644 --- a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix +++ b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation { KERN_DIR = "${kernel.dev}/lib/modules/*/build"; - hardening_pic = false; + hardeningDisable = [ "pic" ]; buildInputs = [ patchelf cdrkit makeWrapper dbus ]; diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix index 0a3bd3898c2..23c4f34a553 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic.nix @@ -75,9 +75,7 @@ stdenv.mkDerivation { pythonPath = [ pythonPackages.curses ]; - hardening_stackprotector = false; - hardening_fortify = false; - hardening_pic = false; + hardeningDisable = [ "stackprotector" "fortify" "pic" ]; patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches; diff --git a/pkgs/applications/window-managers/stalonetray/default.nix b/pkgs/applications/window-managers/stalonetray/default.nix index 43d0804222c..3b5af42a8be 100644 --- a/pkgs/applications/window-managers/stalonetray/default.nix +++ b/pkgs/applications/window-managers/stalonetray/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ libX11 xproto ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Stand alone tray"; diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening new file mode 100644 index 00000000000..08fdd52be08 --- /dev/null +++ b/pkgs/build-support/cc-wrapper/add-hardening 
@@ -0,0 +1,41 @@
+hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow)
+hardeningFlags+=("${hardeningEnable[@]}")
+hardeningCFlags=()
+hardeningLDFlags=()
+
+if [[ ! $hardeningDisable == "all" ]]; then
+ for flag in "${hardeningFlags[@]}"
+ do
+ if [[ ! "$hardeningDisable" =~ "$flag" ]]; then
+ case $flag in
+ fortify)
+ hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
+ ;;
+ stackprotector)
+ hardeningCFlags+=('-fstack-protector-strong')
+ ;;
+ pie)
+ hardeningCFlags+=('-fPIE' '-pie')
+ ;;
+ pic)
+ hardeningCFlags+=('-fPIC')
+ ;;
+ strictoverflow)
+ hardeningCFlags+=('-fno-strict-overflow')
+ ;;
+ format)
+ hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
+ ;;
+ relro)
+ hardeningLDFlags+=('-z relro')
+ ;;
+ bindnow)
+ hardeningLDFlags+=('-z now')
+ ;;
+ *)
+ echo "Hardening flag unknown: $flag"
+ ;;
+ esac
+ fi
+ done
+fi
diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
index 6e12a0d8bc8..a8a08e5e144 100644
--- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@@ -56,7 +56,6 @@ if [ "$nonFlagArgs" = 0 ]; then
dontLink=1
fi
-
# Optionally filter out paths not refering to the store.
params=("$@")
if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" ]; then
@@ -90,16 +89,17 @@ if [[ "@prog@" = *++ ]]; then
fi
fi
-# Add the flags for the C compiler proper.
-extraAfter=($NIX_CFLAGS_COMPILE)
-extraBefore=()
+source @out@/nix-support/add-hardening.sh
+# Add the flags for the C compiler proper.
+extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]})
+extraBefore=()
if [ "$dontLink" != 1 ]; then
# Add the flags that should only be passed to the compiler when
# linking.
- extraAfter+=($NIX_CFLAGS_LINK)
+ extraAfter+=($NIX_CFLAGS_LINK ${hardeningLDFlags[@]})
# Add the flags that should be passed to the linker (and prevent
# `ld-wrapper' from adding NIX_LDFLAGS again).
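Review bot: The `all` test on the `if [[ ! $hardeningDisable == "all" ]]; then` line is an exact string comparison, so a list that names other flags as well — `hardeningDisable = [ "format" "all" ]`, which the gcc/4.5 hunk in this same patch produces — does not switch off anything beyond `format`; a whole-word match, `if [[ " $hardeningDisable " != *" all "* ]]; then`, would honor it wherever it appears. The per-flag test `[[ ! "$hardeningDisable" =~ "$flag" ]]` is a substring match; none of the seven built-in names is a substring of another today, but `hardeningEnable` lets derivations add arbitrary names, so the same whole-word form, `if [[ " $hardeningDisable " != *" $flag "* ]]; then`, is the safer check. The unknown-flag message on the `echo "Hardening flag unknown: $flag"` line is written to stdout, which a compiler wrapper should keep clean because configure scripts and `-E`/`-M` callers capture it; send it to stderr with `echo "Hardening flag unknown: $flag" >&2`.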
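Review bot: Placing the hardening flags in `extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]})` means, as the variable name indicates, that they follow the caller's own arguments, so the `-O2` that add-hardening attaches to `fortify` overrides any `-O0`, `-Os` or `-O3` the package passed, since the last `-O` option wins in gcc; this changes code generation for every hardened build rather than only enabling `_FORTIFY_SOURCE`. Consider dropping `-O2` from the fortify entry, or adding it only when no `-O` option is already present in `params`. The unquoted `${hardeningLDFlags[@]}` in `extraAfter+=($NIX_CFLAGS_LINK ${hardeningLDFlags[@]})` is what splits the single element `'-z relro'` into the two arguments the driver expects; that works, but deserves a comment such as `# entries like '-z relro' rely on word splitting of the unquoted expansion`. The `if [ "$dontLink" != 1 ]` block continues past the end of the hunk.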
diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix
index 110f5189141..2bf07747337 100644
--- a/pkgs/build-support/cc-wrapper/default.nix
+++ b/pkgs/build-support/cc-wrapper/default.nix
@@ -234,6 +234,7 @@ stdenv.mkDerivation {
rm $out/nix-support/setup-hook.tmp
substituteAll ${./add-flags} $out/nix-support/add-flags.sh
+ cp -p ${./add-hardening} $out/nix-support/add-hardening.sh
cp -p ${./utils.sh} $out/nix-support/utils.sh
'' + extraBuildCommands;
diff --git a/pkgs/build-support/cc-wrapper/ld-wrapper.sh b/pkgs/build-support/cc-wrapper/ld-wrapper.sh
index 6ef06eb7034..12c0709570b 100644
--- a/pkgs/build-support/cc-wrapper/ld-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/ld-wrapper.sh
@@ -47,8 +47,9 @@ if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \
params=("${rest[@]}")
fi
+source @out@/nix-support/add-hardening.sh
-extra=()
+extra=(${hardeningLDFlags[@]})
extraBefore=()
if [ -z "$NIX_LDFLAGS_SET" ]; then
@@ -56,7 +57,7 @@ if [ -z "$NIX_LDFLAGS_SET" ]; then
extraBefore+=($NIX_LDFLAGS_BEFORE)
fi
-extra+=($NIX_LDFLAGS_AFTER)
+extra+=($NIX_LDFLAGS_AFTER $NIX_LDFLAGS_HARDEN)
# Add all used dynamic libraries to the rpath.
diff --git a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
index 9dc8d6f8ef1..7eef5af0adc 100644
--- a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71";
};
- hardening_format = false;
+ hardeningDisable = [ "format" ];
patches = [ ./glib.patch ./cups_1.6.patch ];
diff --git a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
index d766957f0d7..be288b809d4 100644
--- a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
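Review bot: `extra+=($NIX_LDFLAGS_AFTER $NIX_LDFLAGS_HARDEN)` in the ld-wrapper.sh hunk appends a variable that nothing in this patch sets — add-hardening.sh populates only `hardeningCFlags` and `hardeningLDFlags`, and the latter is already placed into `extra=(${hardeningLDFlags[@]})` a few lines earlier — so `$NIX_LDFLAGS_HARDEN` looks like a leftover from an earlier revision and should either be removed or be given a comment saying who is expected to set it. Because cc-wrapper.sh in this same patch also passes `${hardeningLDFlags[@]}` at link time, a gcc-driven link now hands `-z relro`/`-z now` to the linker twice; harmless, but worth adding them in one wrapper only. The `if [ -z "$NIX_LDFLAGS_SET" ]` block spans the boundary between the two ld-wrapper hunks.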
@@ -11,5 +11,5 @@ stdenv.mkDerivation { buildInputs = [ pkgconfig gtk gettext ]; propagatedBuildInputs = [ libxml2 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; } diff --git a/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix b/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix index 6f10f6ea920..5c13260aac9 100644 --- a/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix +++ b/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix @@ -17,7 +17,7 @@ in stdenv.mkDerivation rec { "--enable-gi-system-install=no" ]; - hardening_format = false; + hardeningDisable = [ "format" ]; enableParallelBuilding = true; diff --git a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix index c80bd67f404..ed83dd03eca 100644 --- a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix +++ b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix @@ -8,7 +8,7 @@ kde { nativeBuildInputs = [ cmake ]; - hardening_all = false; + hardeningDisable = [ "all" ]; # The patch is not ready for upstream submmission. # I should add an option() instead. diff --git a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix index 415c6bc6cfb..44269070609 100644 --- a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix +++ b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig intltool glib exo pcre libxfce4util libxfce4ui xfce4panel xfconf gtk ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = "http://goodies.xfce.org/projects/panel-plugins/${p_name}"; diff --git a/pkgs/development/compilers/clean/default.nix b/pkgs/development/compilers/clean/default.nix index dcb7350fbbb..3fed2289f95 100644 --- a/pkgs/development/compilers/clean/default.nix +++ b/pkgs/development/compilers/clean/default.nix 
@@ -14,8 +14,7 @@ stdenv.mkDerivation rec { }) else throw "Architecture not supported"; - hardening_format = false; - hardening_pic = false; + hardeningDisable = [ "format" "pic" ]; # clm uses timestamps of dcl, icl, abc and o files to decide what must be rebuild # and for chroot builds all of the library files will have equal timestamps. This diff --git a/pkgs/development/compilers/dev86/default.nix b/pkgs/development/compilers/dev86/default.nix index 0ee0a622b1e..900cb92ab80 100644 --- a/pkgs/development/compilers/dev86/default.nix +++ b/pkgs/development/compilers/dev86/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "33398b87ca85e2b69e4062cf59f2f7354af46da5edcba036c6f97bae17b8d00e"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; makeFlags = "PREFIX=$(out)"; diff --git a/pkgs/development/compilers/ecl/default.nix b/pkgs/development/compilers/ecl/default.nix index 2208d844049..1b8b8d862cf 100644 --- a/pkgs/development/compilers/ecl/default.nix +++ b/pkgs/development/compilers/ecl/default.nix @@ -38,7 +38,7 @@ stdenv.mkDerivation { "--enable-unicode") ; - hardening_format = false; + hardeningDisable = [ "format" ]; postInstall = '' sed -e 's/@[-a-zA-Z_]*@//g' -i $out/bin/ecl-config diff --git a/pkgs/development/compilers/edk2/default.nix b/pkgs/development/compilers/edk2/default.nix index cf4d0e4f02a..da178e80a1a 100644 --- a/pkgs/development/compilers/edk2/default.nix +++ b/pkgs/development/compilers/edk2/default.nix @@ -22,8 +22,7 @@ edk2 = stdenv.mkDerivation { makeFlags = "-C BaseTools"; - hardening_fortify = false; - hardening_format = false; + hardeningDisable = [ "format" "fortify" ]; installPhase = '' mkdir -vp $out diff --git a/pkgs/development/compilers/gcc/4.3/default.nix b/pkgs/development/compilers/gcc/4.3/default.nix index 6114c960ffd..ecd841ca636 100644 --- a/pkgs/development/compilers/gcc/4.3/default.nix +++ b/pkgs/development/compilers/gcc/4.3/default.nix 
@@ -95,8 +95,7 @@ stdenv.mkDerivation ({ ++ (optionals langVhdl [gnat]) ; - hardening_format = false; - hardening_stackprotector = false; + hardeningDisable = [ "format" "stackprotector" ]; configureFlags = " ${if enableMultilib then "" else "--disable-multilib"} diff --git a/pkgs/development/compilers/gcc/4.4/default.nix b/pkgs/development/compilers/gcc/4.4/default.nix index fe79e9bcd72..7f8b38e1ee6 100644 --- a/pkgs/development/compilers/gcc/4.4/default.nix +++ b/pkgs/development/compilers/gcc/4.4/default.nix @@ -103,7 +103,7 @@ stdenv.mkDerivation ({ inherit langC langCC langFortran langJava langAda; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./pass-cxxcpp.patch diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix index 2493593f357..7d84cb24516 100644 --- a/pkgs/development/compilers/gcc/4.5/default.nix +++ b/pkgs/development/compilers/gcc/4.5/default.nix @@ -134,8 +134,7 @@ stdenv.mkDerivation ({ inherit langC langCC langFortran langJava langAda; }; - hardening_format = false; - hardening_all = name != "gnat"; + hardeningDisable = [ "format" ] ++ optional (name != "gnat") "all"; patches = [ ] diff --git a/pkgs/development/compilers/gcc/4.6/default.nix b/pkgs/development/compilers/gcc/4.6/default.nix index 323fd8b921b..d6307542443 100644 --- a/pkgs/development/compilers/gcc/4.6/default.nix +++ b/pkgs/development/compilers/gcc/4.6/default.nix @@ -189,7 +189,7 @@ stdenv.mkDerivation ({ inherit patches enableMultilib; - hardening_format = false; + hardeningDisable = [ "format" ]; postPatch = if (stdenv.isGNU diff --git a/pkgs/development/compilers/gcc/4.8/default.nix b/pkgs/development/compilers/gcc/4.8/default.nix index 58074e173ae..649312b1c1b 100644 --- a/pkgs/development/compilers/gcc/4.8/default.nix +++ b/pkgs/development/compilers/gcc/4.8/default.nix 
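Review bot: The condition in `hardeningDisable = [ "format" ] ++ optional (name != "gnat") "all";` in the gcc/4.5 hunk is inverted relative to the removed `hardening_all = name != "gnat";`: the old attribute kept hardening enabled for every name except gnat, whereas the new list adds `"all"` — disabling everything — precisely when the name is not gnat. Unless switching hardening off for the ordinary gcc build is intended, it should read `hardeningDisable = [ "format" ] ++ optional (name == "gnat") "all";`. Note also that add-hardening in this patch only honors `"all"` when it is the sole entry, so a two-element list such as this one would not disable everything anyway until that check is fixed. The enclosing `stdenv.mkDerivation ({` attribute set starts and ends outside the hunk.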
@@ -218,7 +218,7 @@ stdenv.mkDerivation ({ inherit patches; - hardening_format = false; + hardeningDisable = [ "format" ]; postPatch = if (stdenv.isGNU diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix index fe1f4066110..d4c8d018ff2 100644 --- a/pkgs/development/compilers/gcc/4.9/default.nix +++ b/pkgs/development/compilers/gcc/4.9/default.nix @@ -220,9 +220,8 @@ stdenv.mkDerivation ({ inherit patches; - # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; - hardening_format = false; + # FIXME stackprotector needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "format" "stackprotector" ]; postPatch = if (stdenv.isGNU diff --git a/pkgs/development/compilers/gcc/5/default.nix b/pkgs/development/compilers/gcc/5/default.nix index 47a272ac534..ca6b6c52d99 100644 --- a/pkgs/development/compilers/gcc/5/default.nix +++ b/pkgs/development/compilers/gcc/5/default.nix @@ -216,7 +216,7 @@ stdenv.mkDerivation ({ sha256 = "1ny4smkp5bzs3cp8ss7pl6lk8yss0d9m4av1mvdp72r1x695akxq"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; inherit patches; diff --git a/pkgs/development/compilers/gcl/default.nix b/pkgs/development/compilers/gcl/default.nix index 008f426d74a..e57abec2c1b 100644 --- a/pkgs/development/compilers/gcl/default.nix +++ b/pkgs/development/compilers/gcl/default.nix @@ -27,7 +27,7 @@ stdenv.mkDerivation rec { "--enable-ansi" ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; meta = { description = "GNU Common Lisp compiler working via GCC"; diff --git a/pkgs/development/compilers/ghc/6.10.4.nix b/pkgs/development/compilers/ghc/6.10.4.nix index 4f95e859292..def807971c0 100644 --- a/pkgs/development/compilers/ghc/6.10.4.nix +++ b/pkgs/development/compilers/ghc/6.10.4.nix 
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ghc libedit perl gmp]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--with-gmp-libraries=${gmp}/lib" diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix index 0d3a60b9100..f25e6244768 100644 --- a/pkgs/development/compilers/go/1.4.nix +++ b/pkgs/development/compilers/go/1.4.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { buildInputs = [ pcre ]; propagatedBuildInputs = lib.optional stdenv.isDarwin Security; - hardening_all = false; + hardeningDisable = [ "all" ]; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix index 9f84768fb93..7f7abd8a6e7 100644 --- a/pkgs/development/compilers/go/1.5.nix +++ b/pkgs/development/compilers/go/1.5.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { Security Foundation ]; - hardening_all = false; + hardeningDisable = [ "all" ]; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. diff --git a/pkgs/development/compilers/go/1.6.nix b/pkgs/development/compilers/go/1.6.nix index 807d7424920..d3739ddef5c 100644 --- a/pkgs/development/compilers/go/1.6.nix +++ b/pkgs/development/compilers/go/1.6.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { Security Foundation ]; - hardening_all = false; + hardeningDisable = [ "all" ]; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. diff --git a/pkgs/development/compilers/mkcl/default.nix b/pkgs/development/compilers/mkcl/default.nix index e57151b077f..4299b50ea6d 100644 --- a/pkgs/development/compilers/mkcl/default.nix +++ b/pkgs/development/compilers/mkcl/default.nix 
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper ]; propagatedBuildInputs = [ gmp ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "GMP_CFLAGS=-I${gmp}/include" diff --git a/pkgs/development/compilers/squeak/default.nix b/pkgs/development/compilers/squeak/default.nix index 341b8155c41..69529ab762b 100644 --- a/pkgs/development/compilers/squeak/default.nix +++ b/pkgs/development/compilers/squeak/default.nix @@ -27,7 +27,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Smalltalk programming language and environment"; diff --git a/pkgs/development/compilers/swi-prolog/default.nix b/pkgs/development/compilers/swi-prolog/default.nix index 3c257dfc7df..954ef692462 100644 --- a/pkgs/development/compilers/swi-prolog/default.nix +++ b/pkgs/development/compilers/swi-prolog/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation { buildInputs = [ gmp readline openssl libjpeg unixODBC libXinerama libXft libXpm libSM libXt zlib freetype pkgconfig fontconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--with-world --enable-gmp --enable-shared"; diff --git a/pkgs/development/compilers/teyjus/default.nix b/pkgs/development/compilers/teyjus/default.nix index 1e63b2d2be0..301915b7a26 100644 --- a/pkgs/development/compilers/teyjus/default.nix +++ b/pkgs/development/compilers/teyjus/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { buildInputs = [ omake ocaml flex bison ]; - hardening_format = false; + hardeningDisable = [ "format" ]; buildPhase = "omake all"; diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index e948d1833b8..9dbb08737aa 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix 
@@ -41,11 +41,9 @@ self: super: { options_1_2 = dontCheck super.options_1_2; options = dontCheck super.options; statistics = dontCheck super.statistics; - c2hs = pkgs.lib.overrideDerivation (dontCheck super.c2hs) (drv: { - hardening_format = false; - }); - epanet-haskell = pkgs.lib.overrideDerivation super.epanet-haskell (drv: { - hardening_format = false; + c2hs = dontCheck super.c2hs; + epanet-haskell = super.epanet-haskell.overrideDerivation (drv: { + hardeningDisable = [ "format" ]; }); # The package doesn't compile with ruby 1.9, which is our default at the moment. @@ -244,9 +242,7 @@ self: super: { gio_0_13_0_3 = addPkgconfigDepend super.gio_0_13_0_3 pkgs.glib; gio_0_13_0_4 = addPkgconfigDepend super.gio_0_13_0_4 pkgs.glib; gio_0_13_1_0 = addPkgconfigDepend super.gio_0_13_1_0 pkgs.glib; - glib = pkgs.lib.overrideDerivation (addPkgconfigDepend super.glib pkgs.glib) (drv: { - hardening_fortify = false; - }); + glib = addPkgconfigDepend super.glib pkgs.glib; gtk3 = super.gtk3.override { inherit (pkgs) gtk3; }; gtk = addPkgconfigDepend super.gtk pkgs.gtk; gtksourceview2 = (addPkgconfigDepend super.gtksourceview2 pkgs.gtk2).override { inherit (pkgs.gnome2) gtksourceview; }; diff --git a/pkgs/development/interpreters/clisp/2.44.1.nix b/pkgs/development/interpreters/clisp/2.44.1.nix index fa8c8309a7a..42709abc143 100644 --- a/pkgs/development/interpreters/clisp/2.44.1.nix +++ b/pkgs/development/interpreters/clisp/2.44.1.nix @@ -45,7 +45,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE="-O0"; - hardening_format = false; + hardeningDisable = [ "format" ]; # TODO : make mod-check fails doCheck = false; diff --git a/pkgs/development/interpreters/erlang/R14.nix b/pkgs/development/interpreters/erlang/R14.nix index e77300c0f84..cf4355a38e1 100644 --- a/pkgs/development/interpreters/erlang/R14.nix +++ b/pkgs/development/interpreters/erlang/R14.nix 
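Review bot: The first hunk drops c2hs's format-hardening exemption (it is reduced to a plain `dontCheck super.c2hs`) and the second drops glib's fortify exemption, while every other hunk in this chunk carries its exemption over one-to-one; nothing in the diff records that these two packages now build with the flags on. If that is deliberate, a short comment next to the c2hs entry, e.g. `# c2hs and glib build fine with the default hardening flags, no hardeningDisable needed`, would keep the next maintainer from re-adding the overrides; if it was an oversight, the entries should get `hardeningDisable = [ "format" ]` and `[ "fortify" ]` respectively, as epanet-haskell does in the same hunk. Both hunks are complete within this chunk.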
@@ -22,7 +22,7 @@ stdenv.mkDerivation { configureFlags = "--with-ssl=${openssl}"; - hardening_format = false; + hardeningDisable = [ "format" ]; postInstall = let manpages = fetchurl { diff --git a/pkgs/development/interpreters/lush/default.nix b/pkgs/development/interpreters/lush/default.nix index 7a4e5c1a336..dcfdc11c7a9 100644 --- a/pkgs/development/interpreters/lush/default.nix +++ b/pkgs/development/interpreters/lush/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { intltool gettext zlib ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; NIX_LDFLAGS=" -lz "; diff --git a/pkgs/development/interpreters/perl/default.nix b/pkgs/development/interpreters/perl/default.nix index 6e416a35150..1e14d386b13 100644 --- a/pkgs/development/interpreters/perl/default.nix +++ b/pkgs/development/interpreters/perl/default.nix @@ -72,7 +72,7 @@ let enableParallelBuilding = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; preConfigure = '' diff --git a/pkgs/development/interpreters/spidermonkey/default.nix b/pkgs/development/interpreters/spidermonkey/default.nix index 81071aafe4e..a7482f269db 100644 --- a/pkgs/development/interpreters/spidermonkey/default.nix +++ b/pkgs/development/interpreters/spidermonkey/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "12v6v2ccw1y6ng3kny3xw0lfs58d1klylqq707k0x04m707kydj4"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ readline ]; diff --git a/pkgs/development/interpreters/supercollider/default.nix b/pkgs/development/interpreters/supercollider/default.nix index cb60a41a690..c1a4c17707c 100644 --- a/pkgs/development/interpreters/supercollider/default.nix +++ b/pkgs/development/interpreters/supercollider/default.nix 
@@ -21,7 +21,7 @@ stdenv.mkDerivation rec { sha256 = "11khrv6jchs0vv0lv43am8lp0x1rr3h6l2xj9dmwrxcpdayfbalr"; }; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; # QGtkStyle unavailable patchPhase = '' diff --git a/pkgs/development/libraries/CoinMP/default.nix b/pkgs/development/libraries/CoinMP/default.nix index be44ef62885..079c0a5cf6f 100644 --- a/pkgs/development/libraries/CoinMP/default.nix +++ b/pkgs/development/libraries/CoinMP/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0gqi2vqkg35gazzzv8asnhihchnbjcd6bzjfzqhmj7wy1dw9iiw6"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = https://projects.coin-or.org/CoinMP/; diff --git a/pkgs/development/libraries/accelio/default.nix b/pkgs/development/libraries/accelio/default.nix index 9ca9db1e451..faf3a0c7325 100644 --- a/pkgs/development/libraries/accelio/default.nix +++ b/pkgs/development/libraries/accelio/default.nix @@ -15,8 +15,7 @@ stdenv.mkDerivation rec { sha256 = "172frqk2n43g0arhazgcwfvj0syf861vdzdpxl7idr142bb0ykf7"; }; - hardening_pic = false; - hardening_format = false; + hardeningDisable = [ "format" "pic" ]; patches = [ ./fix-printfs.patch ]; diff --git a/pkgs/development/libraries/allegro/default.nix b/pkgs/development/libraries/allegro/default.nix index 50d3eec4f3f..997a8d22305 100644 --- a/pkgs/development/libraries/allegro/default.nix +++ b/pkgs/development/libraries/allegro/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { xf86dgaproto xf86miscproto xf86vidmodeproto libXxf86vm openal mesa ]; - hardening_format = false; + hardeningDisable = [ "format" ]; cmakeFlags = [ "-DCMAKE_SKIP_RPATH=ON" ]; diff --git a/pkgs/development/libraries/audio/libbs2b/default.nix b/pkgs/development/libraries/audio/libbs2b/default.nix index 4a64bc260bd..7195110b0bb 100644 --- a/pkgs/development/libraries/audio/libbs2b/default.nix +++ b/pkgs/development/libraries/audio/libbs2b/default.nix 
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libsndfile ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = "http://bs2b.sourceforge.net/"; diff --git a/pkgs/development/libraries/cgui/default.nix b/pkgs/development/libraries/cgui/default.nix index 3e5076d2509..da9d1122cc5 100644 --- a/pkgs/development/libraries/cgui/default.nix +++ b/pkgs/development/libraries/cgui/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { sh fix.sh unix ''; - hardening_format = false; + hardeningDisable = [ "format" ]; makeFlags = [ "SYSTEM_DIR=$(out)" ]; diff --git a/pkgs/development/libraries/cloog/0.18.0.nix b/pkgs/development/libraries/cloog/0.18.0.nix index 3dc9587c921..359bde2e058 100644 --- a/pkgs/development/libraries/cloog/0.18.0.nix +++ b/pkgs/development/libraries/cloog/0.18.0.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { doCheck = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { description = "Library that generates loops for scanning polyhedra"; diff --git a/pkgs/development/libraries/cwiid/default.nix b/pkgs/development/libraries/cwiid/default.nix index 0b7d96b5cc1..5af34145197 100644 --- a/pkgs/development/libraries/cwiid/default.nix +++ b/pkgs/development/libraries/cwiid/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { rev = "fadf11e89b579bcc0336a0692ac15c93785f3f82"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--without-python"; diff --git a/pkgs/development/libraries/db/db-4.4.nix b/pkgs/development/libraries/db/db-4.4.nix index 327da38e986..00875d73f41 100644 --- a/pkgs/development/libraries/db/db-4.4.nix +++ b/pkgs/development/libraries/db/db-4.4.nix 
@@ -5,5 +5,5 @@ import ./generic.nix (args // rec {
 extraPatches = [ ./cygwin-4.4.patch ];
 sha256 = "0y9vsq8dkarx1mhhip1vaciz6imbbyv37c1dm8b20l7p064bg2i9";
 branch = "4.4";
- drvArgs = { hardening_format = false; };
+ drvArgs = { hardeningDisable = [ "format" ]; };
 })
diff --git a/pkgs/development/libraries/db/db-4.5.nix b/pkgs/development/libraries/db/db-4.5.nix
index 6d3b15d256e..84b5ea67420 100644
--- a/pkgs/development/libraries/db/db-4.5.nix
+++ b/pkgs/development/libraries/db/db-4.5.nix
@@ -5,5 +5,5 @@ import ./generic.nix (args // rec {
 extraPatches = [ ./cygwin-4.5.patch ./register-race-fix.patch ];
 sha256 = "0bd81k0qv5i8w5gbddrvld45xi9k1gvmcrfm0393v0lrm37dab7m";
 branch = "4.5";
- drvArgs = { hardening_format = false; };
+ drvArgs = { hardeningDisable = [ "format" ]; };
 })
diff --git a/pkgs/development/libraries/db/db-4.7.nix b/pkgs/development/libraries/db/db-4.7.nix
index 0735099729a..6016d112d51 100644
--- a/pkgs/development/libraries/db/db-4.7.nix
+++ b/pkgs/development/libraries/db/db-4.7.nix
@@ -4,5 +4,5 @@ import ./generic.nix (args // rec {
 version = "4.7.25";
 sha256 = "0gi667v9cw22c03hddd6xd6374l0pczsd56b7pba25c9sdnxjkzi";
 branch = "4.7";
- drvArgs = { hardening_format = false; };
+ drvArgs = { hardeningDisable = [ "format" ]; };
 })
diff --git a/pkgs/development/libraries/db/db-4.8.nix b/pkgs/development/libraries/db/db-4.8.nix
index 78c0a15c4e0..40869a865ae 100644
--- a/pkgs/development/libraries/db/db-4.8.nix
+++ b/pkgs/development/libraries/db/db-4.8.nix
@@ -5,5 +5,5 @@ import ./generic.nix (args // rec {
 extraPatches = [ ./clang-4.8.patch ];
 sha256 = "0ampbl2f0hb1nix195kz1syrqqxpmvnvnfvphambj7xjrl3iljg0";
 branch = "4.8";
- drvArgs = { hardening_format = false; };
+ drvArgs = { hardeningDisable = [ "format" ]; };
 })
diff --git a/pkgs/development/libraries/faac/default.nix b/pkgs/development/libraries/faac/default.nix
index 505f0053287..1ab01033f4d 100644
--- a/pkgs/development/libraries/faac/default.nix
+++ b/pkgs/development/libraries/faac/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { ++ optional mp4v2Support "--with-mp4v2" ++ optional drmSupport "--enable-drm"; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ ] ++ optional mp4v2Support mp4v2; diff --git a/pkgs/development/libraries/fox/default.nix b/pkgs/development/libraries/fox/default.nix index 78b7e9a63fc..d47a028cbf8 100644 --- a/pkgs/development/libraries/fox/default.nix +++ b/pkgs/development/libraries/fox/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "C++ based class library for building Graphical User Interfaces"; diff --git a/pkgs/development/libraries/fox/fox-1.6.nix b/pkgs/development/libraries/fox/fox-1.6.nix index 007609403e2..ce778e4a347 100644 --- a/pkgs/development/libraries/fox/fox-1.6.nix +++ b/pkgs/development/libraries/fox/fox-1.6.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { branch = "1.6"; diff --git a/pkgs/development/libraries/freetds/default.nix b/pkgs/development/libraries/freetds/default.nix index bb4aeaeee27..3ed308a3492 100644 --- a/pkgs/development/libraries/freetds/default.nix +++ b/pkgs/development/libraries/freetds/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "0r946axzxs0czsmr7283w7vmk5jx3jnxxc32d2ncxsrsh2yli0ba"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = stdenv.lib.optional odbcSupport [ unixODBC ]; diff --git a/pkgs/development/libraries/fribidi/default.nix b/pkgs/development/libraries/fribidi/default.nix index 09828665541..d138015e6bb 100644 --- a/pkgs/development/libraries/fribidi/default.nix +++ b/pkgs/development/libraries/fribidi/default.nix 
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0zg1hpaml34ny74fif97j7ngrshlkl3wk3nja3gmlzl17i1bga6b"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = http://fribidi.org/; diff --git a/pkgs/development/libraries/gd/default.nix b/pkgs/development/libraries/gd/default.nix index a24a8416866..b581bce24b1 100644 --- a/pkgs/development/libraries/gd/default.nix +++ b/pkgs/development/libraries/gd/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { propagatedBuildInputs = [libjpeg fontconfig]; # urgh - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--without-x"; diff --git a/pkgs/development/libraries/gdal/default.nix b/pkgs/development/libraries/gdal/default.nix index 829c395cc7b..8f00bee8911 100644 --- a/pkgs/development/libraries/gdal/default.nix +++ b/pkgs/development/libraries/gdal/default.nix @@ -18,7 +18,7 @@ composableDerivation.composableDerivation {} (fixed: rec { ++ (with pythonPackages; [ python numpy wrapPython ]) ++ (stdenv.lib.optionals netcdfSupport [ netcdf hdf5 curl ]); - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ # This ensures that the python package is installed into gdal's prefix, diff --git a/pkgs/development/libraries/gdal/gdal-1_11.nix b/pkgs/development/libraries/gdal/gdal-1_11.nix index 4c6ec24a16c..2640159725a 100644 --- a/pkgs/development/libraries/gdal/gdal-1_11.nix +++ b/pkgs/development/libraries/gdal/gdal-1_11.nix @@ -19,7 +19,7 @@ composableDerivation.composableDerivation {} (fixed: rec { ./python.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # Don't use optimization for gcc >= 4.3. That's said to be causing segfaults. # Unset CC and CXX as they confuse libtool. diff --git a/pkgs/development/libraries/gdome2/default.nix b/pkgs/development/libraries/gdome2/default.nix index e9c32da2069..e9643da221e 100644 --- a/pkgs/development/libraries/gdome2/default.nix 
+++ b/pkgs/development/libraries/gdome2/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { sha256 = "0hyms5s3hziajp3qbwdwqjc2xcyhb783damqg8wxjpwfxyi81fzl"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [pkgconfig glib libxml2 gtkdoc]; propagatedBuildInputs = [glib libxml2]; diff --git a/pkgs/development/libraries/geoclue/default.nix b/pkgs/development/libraries/geoclue/default.nix index e8d43e6652f..754c85ecf03 100644 --- a/pkgs/development/libraries/geoclue/default.nix +++ b/pkgs/development/libraries/geoclue/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [dbus glib dbus_glib]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' sed -e '/-Werror/d' -i configure diff --git a/pkgs/development/libraries/gettext/default.nix b/pkgs/development/libraries/gettext/default.nix index 9b24ccc79e8..2fcd5dd1a80 100644 --- a/pkgs/development/libraries/gettext/default.nix +++ b/pkgs/development/libraries/gettext/default.nix @@ -12,9 +12,8 @@ stdenv.mkDerivation rec { outputs = [ "out" "doc" ]; - # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; - hardening_format = false; + # FIXME stackprotector needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "format" "stackprotector" ]; LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else ""; diff --git a/pkgs/development/libraries/giflib/4.1.nix b/pkgs/development/libraries/giflib/4.1.nix index 114e0e587b6..59204e7e7e5 100644 --- a/pkgs/development/libraries/giflib/4.1.nix +++ b/pkgs/development/libraries/giflib/4.1.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "1v9b7ywz7qg8hli0s9vv1b8q9xxb2xvqq2mg1zpr73xwqpcwxhg1"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { branch = "4.1"; diff --git a/pkgs/development/libraries/giflib/libungif.nix b/pkgs/development/libraries/giflib/libungif.nix index 1cc4ae0201b..fd9d4b7e81a 100644 
--- a/pkgs/development/libraries/giflib/libungif.nix +++ b/pkgs/development/libraries/giflib/libungif.nix @@ -7,6 +7,6 @@ stdenv.mkDerivation { md5 = "efdfcf8e32e35740288a8c5625a70ccb"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; } diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 7bbf5562f7c..50be7d8a734 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -166,7 +166,7 @@ stdenv.mkDerivation ({ preBuild = lib.optionalString withGd "unset NIX_DONT_SET_RPATH"; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { homepage = http://www.gnu.org/software/libc/; diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix index 85a49999b48..c2109bd4158 100644 --- a/pkgs/development/libraries/glibc/default.nix +++ b/pkgs/development/libraries/glibc/default.nix @@ -22,8 +22,7 @@ in builder = ./builder.sh; - hardening_stackprotector = false; - hardening_fortify = false; + hardeningDisable = [ "stackprotector" "fortify" ]; # When building glibc from bootstrap-tools, we need libgcc_s at RPATH for # any program we run, because the gcc will have been placed at a new diff --git a/pkgs/development/libraries/gmp/5.1.x.nix b/pkgs/development/libraries/gmp/5.1.x.nix index 0db619b3658..e803c7c56ac 100644 --- a/pkgs/development/libraries/gmp/5.1.x.nix +++ b/pkgs/development/libraries/gmp/5.1.x.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ m4 ]; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; patches = if stdenv.isDarwin then [ ./need-size-t.patch ] else null; diff --git a/pkgs/development/libraries/gnu-efi/default.nix b/pkgs/development/libraries/gnu-efi/default.nix index 21be466a9b2..e2861a880c8 100644 
--- a/pkgs/development/libraries/gnu-efi/default.nix +++ b/pkgs/development/libraries/gnu-efi/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ pciutils ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; makeFlags = [ "PREFIX=\${out}" diff --git a/pkgs/development/libraries/isl/0.11.1.nix b/pkgs/development/libraries/isl/0.11.1.nix index c56c5b3892a..f62d898cff7 100644 --- a/pkgs/development/libraries/isl/0.11.1.nix +++ b/pkgs/development/libraries/isl/0.11.1.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { homepage = http://www.kotnet.org/~skimo/isl/; diff --git a/pkgs/development/libraries/java/swt/default.nix b/pkgs/development/libraries/java/swt/default.nix index 855b800ba9f..9fcffb1edb2 100644 --- a/pkgs/development/libraries/java/swt/default.nix +++ b/pkgs/development/libraries/java/swt/default.nix @@ -28,7 +28,7 @@ in stdenv.mkDerivation rec { builder = ./builder.sh; - hardening_format = false; + hardeningDisable = [ "format" ]; # Alas, the Eclipse Project apparently doesn't produce source-only # releases of SWT. So we just grab a binary release and extract diff --git a/pkgs/development/libraries/libelf/default.nix b/pkgs/development/libraries/libelf/default.nix index cb0c8a7f5c1..309f17b8142 100644 --- a/pkgs/development/libraries/libelf/default.nix +++ b/pkgs/development/libraries/libelf/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation (rec { doCheck = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; # For cross-compiling, native glibc is needed for the "gencat" program. crossAttrs = { diff --git a/pkgs/development/libraries/libf2c/default.nix b/pkgs/development/libraries/libf2c/default.nix index 8edc53cb7ee..0d9d89589ff 100644 
--- a/pkgs/development/libraries/libf2c/default.nix +++ b/pkgs/development/libraries/libf2c/default.nix @@ -24,7 +24,7 @@ stdenv.mkDerivation rec { buildInputs = [ unzip ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "F2c converts Fortran 77 source code to C"; diff --git a/pkgs/development/libraries/libgeotiff/default.nix b/pkgs/development/libraries/libgeotiff/default.nix index 4d9fa09ad75..d30ea6e5324 100644 --- a/pkgs/development/libraries/libgeotiff/default.nix +++ b/pkgs/development/libraries/libgeotiff/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { buildInputs = [ libtiff ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Library implementing attempt to create a tiff based interchange format for georeferenced raster imagery"; diff --git a/pkgs/development/libraries/libgphoto2/default.nix b/pkgs/development/libraries/libgphoto2/default.nix index 682a42e2db9..a8511006d04 100644 --- a/pkgs/development/libraries/libgphoto2/default.nix +++ b/pkgs/development/libraries/libgphoto2/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { # These are mentioned in the Requires line of libgphoto's pkg-config file. propagatedBuildInputs = [ libexif ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://www.gphoto.org/proj/libgphoto2/; diff --git a/pkgs/development/libraries/libmpc/default.nix b/pkgs/development/libraries/libmpc/default.nix index cc883ba67b2..95e8dd9af48 100644 --- a/pkgs/development/libraries/libmpc/default.nix +++ b/pkgs/development/libraries/libmpc/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { doCheck = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { description = "Library for multiprecision complex arithmetic with exact rounding"; 
diff --git a/pkgs/development/libraries/librsync/0.9.nix b/pkgs/development/libraries/librsync/0.9.nix index d3dd293f975..5f249582610 100644 --- a/pkgs/development/libraries/librsync/0.9.nix +++ b/pkgs/development/libraries/librsync/0.9.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "1mj1pj99mgf1a59q9f2mxjli2fzxpnf55233pc1klxk2arhf8cv6"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = if stdenv.isCygwin then "--enable-static" else "--enable-shared"; diff --git a/pkgs/development/libraries/libvisual/default.nix b/pkgs/development/libraries/libvisual/default.nix index a9320f1af7b..50a1f5ac337 100644 --- a/pkgs/development/libraries/libvisual/default.nix +++ b/pkgs/development/libraries/libvisual/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig glib ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "An abstraction library for audio visualisations"; diff --git a/pkgs/development/libraries/mp4v2/default.nix b/pkgs/development/libraries/mp4v2/default.nix index 5281ab2c480..ab3c3ed8c5a 100644 --- a/pkgs/development/libraries/mp4v2/default.nix +++ b/pkgs/development/libraries/mp4v2/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { # `faac' expects `mp4.h'. postInstall = "ln -s mp4v2/mp4v2.h $out/include/mp4.h"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://code.google.com/p/mp4v2; diff --git a/pkgs/development/libraries/mpfr/default.nix b/pkgs/development/libraries/mpfr/default.nix index 2c643885727..c63dc2c3dee 100644 --- a/pkgs/development/libraries/mpfr/default.nix +++ b/pkgs/development/libraries/mpfr/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ gmp ]; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; configureFlags = stdenv.lib.optional stdenv.isSunOS "--disable-thread-safe" ++ 
diff --git a/pkgs/development/libraries/nvidia-texture-tools/default.nix b/pkgs/development/libraries/nvidia-texture-tools/default.nix index cd8268faa65..f35d363e575 100644 --- a/pkgs/development/libraries/nvidia-texture-tools/default.nix +++ b/pkgs/development/libraries/nvidia-texture-tools/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ cmake libpng ilmbase libtiff zlib libjpeg mesa libX11 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' # Fix build due to missing dependnecies. diff --git a/pkgs/development/libraries/opencascade/6.5.nix b/pkgs/development/libraries/opencascade/6.5.nix index a1143757c77..86ab85cbb9a 100644 --- a/pkgs/development/libraries/opencascade/6.5.nix +++ b/pkgs/development/libraries/opencascade/6.5.nix @@ -26,7 +26,7 @@ stdenv.mkDerivation rec { # https://bugs.freedesktop.org/show_bug.cgi?id=83631 + " -DGLX_GLXEXT_LEGACY"; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--with-tcl=${tcl}/lib" "--with-tk=${tk}/lib" "--with-qt=${qt4}" "--with-ftgl=${ftgl}" "--with-freetype=${freetype}" ]; diff --git a/pkgs/development/libraries/opencascade/default.nix b/pkgs/development/libraries/opencascade/default.nix index bcf1b747180..79c24be7514 100644 --- a/pkgs/development/libraries/opencascade/default.nix +++ b/pkgs/development/libraries/opencascade/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { # https://bugs.freedesktop.org/show_bug.cgi?id=83631 NIX_CFLAGS_COMPILE = "-DGLX_GLXEXT_LEGACY"; - hardening_format = false; + hardeningDisable = [ "format" ]; postInstall = '' mv $out/inc $out/include diff --git a/pkgs/development/libraries/opencv/3.x.nix b/pkgs/development/libraries/opencv/3.x.nix index 16765083c55..4f0ed3cd0ea 100644 --- a/pkgs/development/libraries/opencv/3.x.nix +++ b/pkgs/development/libraries/opencv/3.x.nix 
@@ -49,8 +49,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_bindnow = false; - hardening_relro = false; + hardeningDisable = [ "bindnow" "relro" ]; meta = { description = "Open Computer Vision Library with more than 500 algorithms"; diff --git a/pkgs/development/libraries/opencv/default.nix b/pkgs/development/libraries/opencv/default.nix index d5904e742b6..4259e9d4d69 100644 --- a/pkgs/development/libraries/opencv/default.nix +++ b/pkgs/development/libraries/opencv/default.nix @@ -20,8 +20,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_bindnow = false; - hardening_relro = false; + hardeningDisable = [ "bindnow" "relro" ]; meta = { description = "Open Computer Vision Library with more than 500 algorithms"; diff --git a/pkgs/development/libraries/pdf2xml/default.nix b/pkgs/development/libraries/pdf2xml/default.nix index b73be062623..2d15e632152 100644 --- a/pkgs/development/libraries/pdf2xml/default.nix +++ b/pkgs/development/libraries/pdf2xml/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { patches = [./pdf2xml.patch]; - hardening_format = false; + hardeningDisable = [ "format" ]; preBuild = '' cp Makefile.linux Makefile diff --git a/pkgs/development/libraries/portmidi/default.nix b/pkgs/development/libraries/portmidi/default.nix index 4b55cffe94f..5c056762a39 100644 --- a/pkgs/development/libraries/portmidi/default.nix +++ b/pkgs/development/libraries/portmidi/default.nix @@ -46,7 +46,7 @@ stdenv.mkDerivation rec { buildInputs = [ unzip cmake /*jdk*/ alsaLib ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = "http://portmedia.sourceforge.net/portmidi/"; diff --git a/pkgs/development/libraries/pupnp/default.nix b/pkgs/development/libraries/pupnp/default.nix index 22dbef1bac2..ad864410b16 100644 --- a/pkgs/development/libraries/pupnp/default.nix +++ b/pkgs/development/libraries/pupnp/default.nix 
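Review bot: Both opencv hunks carry over `hardeningDisable = [ "bindnow" "relro" ]` with no comment explaining why, and these are the two link-time mitigations that make the GOT read-only after relocation, so this exemption deserves a recorded reason more than the `format` ones elsewhere in the series (gettext, gcc and glibc at least say what blocks them). Add a line above it such as `# FIXME: document why relro/bindnow must stay off for opencv and re-test with them enabled` so the exemption is revisited rather than copied forward into the next opencv bump. The migration itself matches the removed `hardening_bindnow`/`hardening_relro` lines; only the justification is missing.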
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
 sha256 = "0amjv4lypvclmi4vim2qdyw5xa6v4x50zjgf682vahqjc0wjn55k";
 };
- hardening_fortify = false;
+ hardeningDisable = [ "fortify" ];
 meta = {
 description = "libupnp, an open source UPnP development kit for Linux";
diff --git a/pkgs/development/libraries/qhull/default.nix b/pkgs/development/libraries/qhull/default.nix
index e8a67d3bc42..011e133720f 100644
--- a/pkgs/development/libraries/qhull/default.nix
+++ b/pkgs/development/libraries/qhull/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
 cmakeFlags = "-DMAN_INSTALL_DIR=share/man/man1 -DDOC_INSTALL_DIR=share/doc/qhull";
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = {
 homepage = http://www.qhull.org/;
diff --git a/pkgs/development/libraries/qt-3/default.nix b/pkgs/development/libraries/qt-3/default.nix
index 8a11cc7087b..728d220bb42 100644
--- a/pkgs/development/libraries/qt-3/default.nix
+++ b/pkgs/development/libraries/qt-3/default.nix
@@ -32,7 +32,7 @@ stdenv.mkDerivation {
 nativeBuildInputs = [ which ];
 propagatedBuildInputs = [libpng xlibsWrapper libXft libXrender zlib libjpeg];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 configureFlags = " -v
diff --git a/pkgs/development/libraries/qtscriptgenerator/default.nix b/pkgs/development/libraries/qtscriptgenerator/default.nix
index de87c6b73c6..499c6f18453 100644
--- a/pkgs/development/libraries/qtscriptgenerator/default.nix
+++ b/pkgs/development/libraries/qtscriptgenerator/default.nix
@@ -32,7 +32,7 @@ stdenv.mkDerivation {
 cp -av plugins/script/* $out/lib/qt4/plugins/script
 '';
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = {
 description = "QtScript bindings generator";
diff --git a/pkgs/development/libraries/smpeg/default.nix b/pkgs/development/libraries/smpeg/default.nix
index 49d889f8b6a..fe52571e147 100644
--- a/pkgs/development/libraries/smpeg/default.nix
+++ b/pkgs/development/libraries/smpeg/default.nix
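Review bot: `hardeningDisable = [ "fortify" ]` in the pupnp hunk carries over a derivation-wide opt-out of FORTIFY_SOURCE without recording the build failure it works around; unlike the `format` flag, which only governs compiler diagnostics, fortify is a runtime bounds check, so dropping it for a library that parses network input is the kind of exception that should be explained next to the line. A one-line comment above the new attribute, e.g. `# FIXME: FORTIFY_SOURCE breaks the build here — document the failure and re-enable once fixed`, would let the next maintainer re-test it. The same applies to the `fortify` entries in the mxt-app, disk-indicator, xf86-video-nested and beanstalkd hunks; in disk-indicator the neighbouring `NIX_CFLAGS_COMPILE = "-Wno-error=cpp"` suggests a `#warning` from building without optimization is the trigger, but that is inferred rather than shown.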
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
 enableParallelBuilding = true;
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 buildInputs = [ SDL gtk mesa ];
diff --git a/pkgs/development/libraries/speechd/default.nix b/pkgs/development/libraries/speechd/default.nix
index d94b4159e93..94489e992a6 100644
--- a/pkgs/development/libraries/speechd/default.nix
+++ b/pkgs/development/libraries/speechd/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 buildInputs = [ dotconf glib pkgconfig ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = {
 description = "Common interface to speech synthesis";
diff --git a/pkgs/development/libraries/tidyp/default.nix b/pkgs/development/libraries/tidyp/default.nix
index 818029dbb24..ba95da77b72 100644
--- a/pkgs/development/libraries/tidyp/default.nix
+++ b/pkgs/development/libraries/tidyp/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
 sha256 = "0f5ky0ih4vap9c6j312jn73vn8m2bj69pl2yd3a5nmv35k9zmc10";
 };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = with stdenv.lib; {
 description = "A program that can validate your HTML, as well as modify it to be more clean and standard";
diff --git a/pkgs/development/libraries/xmlrpc-c/default.nix b/pkgs/development/libraries/xmlrpc-c/default.nix
index 0d787092a3c..0b5f08bdf9b 100644
--- a/pkgs/development/libraries/xmlrpc-c/default.nix
+++ b/pkgs/development/libraries/xmlrpc-c/default.nix
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
 (cd tools/xmlrpc && make && make install)
 '';
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = with stdenv.lib; {
 description = "A lightweight RPC library based on XML and HTTP";
diff --git a/pkgs/development/libraries/zlib/default.nix b/pkgs/development/libraries/zlib/default.nix
index 2871985a082..77ab0f8ffa9 100644
--- a/pkgs/development/libraries/zlib/default.nix
+++ b/pkgs/development/libraries/zlib/default.nix
@@ -30,7 +30,7 @@ stdenv.mkDerivation (rec {
 '';
 # FIXME needs gcc 4.9 in bootstrap tools
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 # As zlib takes part in the stdenv building, we don't want references
 # to the bootstrap-tools libgcc (as uses to happen on arm/mips)
diff --git a/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix b/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix
index b27a6659004..108f3616e64 100644
--- a/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix
+++ b/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix
@@ -26,7 +26,7 @@ stdenv.mkDerivation {
 buildInputs = [ gmp mpfr libmpc zlib ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 # Make sure we don't strip the libraries in lib/gcc/avr.
 stripDebugList= [ "bin" "avr/bin" "libexec" ];
diff --git a/pkgs/development/pharo/vm/build-vm.nix b/pkgs/development/pharo/vm/build-vm.nix
index 9665b78d3b2..8265e1dc776 100644
--- a/pkgs/development/pharo/vm/build-vm.nix
+++ b/pkgs/development/pharo/vm/build-vm.nix
@@ -21,7 +21,7 @@ stdenv.mkDerivation rec {
 mimeType = "application/x-pharo-image";
 };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 # Building
 preConfigure = ''
diff --git a/pkgs/development/python-modules/wxPython/generic.nix b/pkgs/development/python-modules/wxPython/generic.nix
index 385980b2848..36051cc2e12 100644
--- a/pkgs/development/python-modules/wxPython/generic.nix
+++ b/pkgs/development/python-modules/wxPython/generic.nix
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
 sourceRoot = "wxPython-src-${version}/wxPython";
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 src = fetchurl {
 url = "mirror://sourceforge/wxpython/wxPython-src-${version}.tar.bz2";
diff --git a/pkgs/development/tools/analysis/cccc/default.nix b/pkgs/development/tools/analysis/cccc/default.nix
index a4d88f5d2ea..b63bc66fabd 100644
--- a/pkgs/development/tools/analysis/cccc/default.nix
+++ b/pkgs/development/tools/analysis/cccc/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation {
 sha256 = "1gsdzzisrk95kajs3gfxks3bjvfd9g680fin6a9pjrism2lyrcr7";
 };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 patches = [ ./cccc.patch ];
diff --git a/pkgs/development/tools/analysis/radare/default.nix b/pkgs/development/tools/analysis/radare/default.nix
index 8324d899147..d42227198ce 100644
--- a/pkgs/development/tools/analysis/radare/default.nix
+++ b/pkgs/development/tools/analysis/radare/default.nix
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
 sha256 = "1qdrmcnzfvfvqb27c7pknwm8jl2hqa6c4l66wzyddwlb8yjm46hd";
 };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 buildInputs = [pkgconfig readline libusb perl] ++ optional useX11 [gtkdialog vte gtk]
diff --git a/pkgs/development/tools/analysis/valgrind/default.nix b/pkgs/development/tools/analysis/valgrind/default.nix
index 2896f4ff271..0e0e44183f6 100644
--- a/pkgs/development/tools/analysis/valgrind/default.nix
+++ b/pkgs/development/tools/analysis/valgrind/default.nix
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
 outputs = [ "out" "doc" ];
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 # Perl is needed for `cg_annotate'.
 # GDB is needed to provide a sane default for `--db-command'.
diff --git a/pkgs/development/tools/boost-build/default.nix b/pkgs/development/tools/boost-build/default.nix
index aa590543e00..240d24961e0 100644
--- a/pkgs/development/tools/boost-build/default.nix
+++ b/pkgs/development/tools/boost-build/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
 sha256 = "10sbbkx2752r4i1yshyp47nw29lyi1p34sy6hj7ivvnddiliayca";
 };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 patchPhase = ''
 grep -r '/usr/share/boost-build' \
diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix
index 78adfe48751..7ffa6ed867c 100644
--- a/pkgs/development/tools/misc/binutils/default.nix
+++ b/pkgs/development/tools/misc/binutils/default.nix
@@ -40,7 +40,7 @@ stdenv.mkDerivation rec {
 inherit noSysDirs;
 # FIXME needs gcc 4.9 in bootstrap tools
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 preConfigure = ''
 # Clear the default library search path.
diff --git a/pkgs/development/tools/misc/elfutils/default.nix b/pkgs/development/tools/misc/elfutils/default.nix
index 464ad791095..d4a2f80599f 100644
--- a/pkgs/development/tools/misc/elfutils/default.nix
+++ b/pkgs/development/tools/misc/elfutils/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
 patches = [ ./glibc-2.21.patch ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 # We need bzip2 in NativeInputs because otherwise we can't unpack the src,
 # as the host-bzip2 will be in the path.
diff --git a/pkgs/development/tools/misc/gnum4/default.nix b/pkgs/development/tools/misc/gnum4/default.nix
index e610858838d..79f7445af47 100644
--- a/pkgs/development/tools/misc/gnum4/default.nix
+++ b/pkgs/development/tools/misc/gnum4/default.nix
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
 patches = [ ./s_isdir.patch ];
 # FIXME needs gcc 4.9 in bootstrap tools
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 meta = {
 homepage = http://www.gnu.org/software/m4/;
diff --git a/pkgs/development/tools/misc/patchelf/default.nix b/pkgs/development/tools/misc/patchelf/default.nix
index 91658a5d4d9..e999aa4eb2c 100644
--- a/pkgs/development/tools/misc/patchelf/default.nix
+++ b/pkgs/development/tools/misc/patchelf/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 setupHook = [ ./setup-hook.sh ];
 # FIXME needs gcc 4.9 in bootstrap tools
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 meta = {
 homepage = http://nixos.org/patchelf.html;
diff --git a/pkgs/development/tools/misc/texinfo/6.0.nix b/pkgs/development/tools/misc/texinfo/6.0.nix
index 786998c6af7..cf62d906f3c 100644
--- a/pkgs/development/tools/misc/texinfo/6.0.nix
+++ b/pkgs/development/tools/misc/texinfo/6.0.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
 configureFlags = stdenv.lib.optional stdenv.isSunOS "AWK=${gawk}/bin/awk";
 # FIXME needs gcc 4.9 in bootstrap tools
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 preInstall = ''
 installFlags="TEXMF=$out/texmf-dist";
diff --git a/pkgs/development/tools/omniorb/default.nix b/pkgs/development/tools/omniorb/default.nix
index 192e0585217..da6760897ad 100644
--- a/pkgs/development/tools/omniorb/default.nix
+++ b/pkgs/development/tools/omniorb/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
 buildInputs = [ python ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = with stdenv.lib; {
 description = "omniORB is a robust high performance CORBA ORB for C++ and Python. It is freely available under the terms of the GNU Lesser General Public License (for the libraries), and GNU General Public License (for the tools). omniORB is largely CORBA 2.6 compliant";
diff --git a/pkgs/development/tools/parsing/bison/3.x.nix b/pkgs/development/tools/parsing/bison/3.x.nix
index 0062bc36561..97a66490bf9 100644
--- a/pkgs/development/tools/parsing/bison/3.x.nix
+++ b/pkgs/development/tools/parsing/bison/3.x.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
 propagatedBuildInputs = [ m4 ];
 # FIXME needs gcc 4.9 in bootstrap tools
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 meta = {
 homepage = "http://www.gnu.org/software/bison/";
diff --git a/pkgs/games/asc/default.nix b/pkgs/games/asc/default.nix
index 82d4748a979..e67b92afa76 100644
--- a/pkgs/games/asc/default.nix
+++ b/pkgs/games/asc/default.nix
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
 configureFlags = [ "--disable-paragui" "--disable-paraguitest" ];
 NIX_CFLAGS_COMPILE = "-fpermissive"; # I'm too lazy to catch all gcc47-related problems
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 buildInputs = [
 SDL SDL_image SDL_mixer SDL_sound libsigcxx physfs boost expat
diff --git a/pkgs/games/bsdgames/default.nix b/pkgs/games/bsdgames/default.nix
index 6e138511d03..599588e6f0e 100644
--- a/pkgs/games/bsdgames/default.nix
+++ b/pkgs/games/bsdgames/default.nix
@@ -17,7 +17,7 @@ stdenv.mkDerivation {
 })
 ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 preConfigure = ''
 cat > config.params << EOF
diff --git a/pkgs/games/crack-attack/default.nix b/pkgs/games/crack-attack/default.nix
index 9a4b1d04916..eb20c0b329e 100644
--- a/pkgs/games/crack-attack/default.nix
+++ b/pkgs/games/crack-attack/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation {
 buildInputs = [ pkgconfig gtk freeglut SDL mesa libXi libXmu ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = {
 description = "A fast-paced puzzle game inspired by the classic Super NES title Tetris Attack!";
diff --git a/pkgs/games/lincity/ng.nix b/pkgs/games/lincity/ng.nix
index 0c3fc7055b7..b6574eaf39e 100644
--- a/pkgs/games/lincity/ng.nix
+++ b/pkgs/games/lincity/ng.nix
@@ -22,7 +22,7 @@ stdenv.mkDerivation rec {
 inherit (s) url sha256;
 };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 inherit buildInputs;
diff --git a/pkgs/games/liquidwar/default.nix b/pkgs/games/liquidwar/default.nix
index d374ed85b2d..532c4c635fb 100644
--- a/pkgs/games/liquidwar/default.nix
+++ b/pkgs/games/liquidwar/default.nix
@@ -24,7 +24,7 @@ stdenv.mkDerivation rec {
 libXrender libcaca cunit
 ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 # To avoid problems finding SDL_types.h.
 configureFlags = [ "CFLAGS=-I${SDL}/include/SDL" ];
diff --git a/pkgs/games/pioneers/default.nix b/pkgs/games/pioneers/default.nix
index 41780dd64f6..3f1735c31aa 100644
--- a/pkgs/games/pioneers/default.nix
+++ b/pkgs/games/pioneers/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
 buildInputs = [ gtk pkgconfig intltool ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = {
 homepage = http://pio.sourceforge.net/;
diff --git a/pkgs/games/stardust/default.nix b/pkgs/games/stardust/default.nix
index 94da81533c1..74d9bdcb35d 100644
--- a/pkgs/games/stardust/default.nix
+++ b/pkgs/games/stardust/default.nix
@@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
 installFlags = [ "bindir=\${out}/bin" ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 postConfigure = ''
 substituteInPlace config.h \
diff --git a/pkgs/games/torcs/default.nix b/pkgs/games/torcs/default.nix
index fd320a32180..1b1e877d274 100644
--- a/pkgs/games/torcs/default.nix
+++ b/pkgs/games/torcs/default.nix
@@ -21,7 +21,7 @@ stdenv.mkDerivation rec {
 installTargets = "install datainstall";
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = {
 description = "Car racing game";
diff --git a/pkgs/games/xconq/default.nix b/pkgs/games/xconq/default.nix
index cace72b5aac..e6e23752953 100644
--- a/pkgs/games/xconq/default.nix
+++ b/pkgs/games/xconq/default.nix
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
 "--with-tkconfig=${tk}/lib"
 ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 patchPhase = ''
 # Fix Makefiles
diff --git a/pkgs/games/zandronum/default.nix b/pkgs/games/zandronum/default.nix
index fa4c17649ac..18abf280a81 100644
--- a/pkgs/games/zandronum/default.nix
+++ b/pkgs/games/zandronum/default.nix
@@ -33,7 +33,7 @@ in stdenv.mkDerivation {
 enableParallelBuilding = true;
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 installPhase = ''
 mkdir -p $out/bin
diff --git a/pkgs/misc/emulators/dosbox/default.nix b/pkgs/misc/emulators/dosbox/default.nix
index bbaa565e352..d57ef5ae16d 100644
--- a/pkgs/misc/emulators/dosbox/default.nix
+++ b/pkgs/misc/emulators/dosbox/default.nix
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
 buildInputs = [ SDL ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 desktopItem = makeDesktopItem {
 name = "dosbox";
diff --git a/pkgs/misc/emulators/mupen64plus/default.nix b/pkgs/misc/emulators/mupen64plus/default.nix
index dc3c1412856..1abf621fe7e 100644
--- a/pkgs/misc/emulators/mupen64plus/default.nix
+++ b/pkgs/misc/emulators/mupen64plus/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation {
 buildInputs = [ which pkgconfig SDL gtk mesa SDL_ttf ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 preConfigure = ''
 # Some C++ incompatibility fixes
diff --git a/pkgs/misc/emulators/nestopia/default.nix b/pkgs/misc/emulators/nestopia/default.nix
index 3ed455bd350..6620018c337 100644
--- a/pkgs/misc/emulators/nestopia/default.nix
+++ b/pkgs/misc/emulators/nestopia/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 # nondeterministic failures when creating directories
 enableParallelBuilding = false;
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 buildInputs = [ pkgconfig SDL2 alsaLib gtk3 mesa_glu mesa makeWrapper libarchive libao unzip xdg_utils gsettings_desktop_schemas ];
diff --git a/pkgs/misc/emulators/uae/default.nix b/pkgs/misc/emulators/uae/default.nix
index 54620699f2d..9e773b18f7d 100644
--- a/pkgs/misc/emulators/uae/default.nix
+++ b/pkgs/misc/emulators/uae/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
 buildInputs = [ pkgconfig gtk alsaLib SDL ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = {
 description = "Ultimate/Unix/Unusable Amiga Emulator";
diff --git a/pkgs/misc/mxt-app/default.nix b/pkgs/misc/mxt-app/default.nix
index e1db07bfff2..2873225b26f 100644
--- a/pkgs/misc/mxt-app/default.nix
+++ b/pkgs/misc/mxt-app/default.nix
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec{
 buildInputs = [ autoconf automake libtool ];
 preConfigure = "./autogen.sh";
- hardening_fortify = false;
+ hardeningDisable = [ "fortify" ];
 meta = with stdenv.lib; {
 description = "Command line utility for Atmel maXTouch devices";
diff --git a/pkgs/os-specific/linux/acpi-call/default.nix b/pkgs/os-specific/linux/acpi-call/default.nix
index 05a5549fae2..65223a32bad 100644
--- a/pkgs/os-specific/linux/acpi-call/default.nix
+++ b/pkgs/os-specific/linux/acpi-call/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation {
 sha256 = "0jl19irz9x9pxab2qp4z8c3jijv2m30zhmnzi6ygbrisqqlg4c75";
 };
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 preBuild = ''
 sed -e 's/break/true/' -i examples/turn_off_gpu.sh
diff --git a/pkgs/os-specific/linux/batman-adv/default.nix b/pkgs/os-specific/linux/batman-adv/default.nix
index 41c4f48ddb8..aabd36f945f 100644
--- a/pkgs/os-specific/linux/batman-adv/default.nix
+++ b/pkgs/os-specific/linux/batman-adv/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
 sha256 = "0r5faf12ifpj8h1fklkzvy4ck359cadk8xh1l3n7vimh67hxbxbz";
 };
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 preBuild = ''
 makeFlags="KERNELPATH=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
diff --git a/pkgs/os-specific/linux/bbswitch/default.nix b/pkgs/os-specific/linux/bbswitch/default.nix
index 2c91bfbd10f..67b843fac4d 100644
--- a/pkgs/os-specific/linux/bbswitch/default.nix
+++ b/pkgs/os-specific/linux/bbswitch/default.nix
@@ -20,7 +20,7 @@ stdenv.mkDerivation {
 sha256 = "1lbr6pyyby4k9rn2ry5qc38kc738d0442jhhq57vmdjb6hxjya7m";
 })
 ];
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 preBuild = ''
 substituteInPlace Makefile \
diff --git a/pkgs/os-specific/linux/blcr/default.nix b/pkgs/os-specific/linux/blcr/default.nix
index 78a576234ac..c2e3fa4b9e1 100644
--- a/pkgs/os-specific/linux/blcr/default.nix
+++ b/pkgs/os-specific/linux/blcr/default.nix
@@ -19,7 +19,7 @@ stdenv.mkDerivation {
 buildInputs = [ perl makeWrapper ];
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 preConfigure = ''
 configureFlagsArray=(
diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index cc3cfe2465d..2785a57ac8a 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -33,7 +33,7 @@ stdenv.mkDerivation rec {
 sha256 = "16ii9sqracvh2r1gfzhmlypl269nnbkpvrwa7270k35d3bigk9h5";
 };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 patches = [ ./busybox-in-store.patch ];
diff --git a/pkgs/os-specific/linux/criu/default.nix b/pkgs/os-specific/linux/criu/default.nix
index aacdfc496ee..6567e478636 100644
--- a/pkgs/os-specific/linux/criu/default.nix
+++ b/pkgs/os-specific/linux/criu/default.nix
@@ -23,7 +23,8 @@ stdenv.mkDerivation rec {
 configurePhase = "make config PREFIX=$out";
 makeFlags = "PREFIX=$(out)";
- hardening_stackprotector = false;
+
+ hardeningDisable = [ "stackprotector" ];
 installPhase = ''
 mkdir -p $out/etc/logrotate.d
diff --git a/pkgs/os-specific/linux/dietlibc/default.nix b/pkgs/os-specific/linux/dietlibc/default.nix
index 09d7651c249..7a2d94100fa 100644
--- a/pkgs/os-specific/linux/dietlibc/default.nix
+++ b/pkgs/os-specific/linux/dietlibc/default.nix
@@ -12,7 +12,8 @@ stdenv.mkDerivation {
 inherit glibc;
 kernelHeaders = glibc.linuxHeaders;
- hardening_stackprotector = false;
+
+ hardeningDisable = [ "stackprotector" ];
 patches = [
diff --git a/pkgs/os-specific/linux/disk-indicator/default.nix b/pkgs/os-specific/linux/disk-indicator/default.nix
index 8eba742ebfb..4c2d0c88576 100644
--- a/pkgs/os-specific/linux/disk-indicator/default.nix
+++ b/pkgs/os-specific/linux/disk-indicator/default.nix
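Review bot: The criu and dietlibc hunks (`@@ -23,7 +23,8` and `@@ -12,7 +12,8`) add an extra empty `+` line before `hardeningDisable`, whereas every other hunk in this commit swaps the old attribute for the new one in place; the disk-indicator hunk on the next line does the same. For a mechanical rename the one-for-one shape is easier to review and to audit later, so I would drop the inserted blank line and keep just `- hardening_stackprotector = false;` / `+ hardeningDisable = [ "stackprotector" ];` in all three.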
@@ -19,7 +19,8 @@ stdenv.mkDerivation {
 buildPhase = "make -f makefile";
 NIX_CFLAGS_COMPILE = "-Wno-error=cpp";
- hardening_fortify = false;
+
+ hardeningDisable = [ "fortify" ];
 installPhase = ''
 mkdir -p "$out/bin"
diff --git a/pkgs/os-specific/linux/facetimehd/default.nix b/pkgs/os-specific/linux/facetimehd/default.nix
index 48494bd6b18..b25a65b2ab4 100644
--- a/pkgs/os-specific/linux/facetimehd/default.nix
+++ b/pkgs/os-specific/linux/facetimehd/default.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
 export INSTALL_MOD_PATH="$out"
 '';
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 makeFlags = [
 "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
diff --git a/pkgs/os-specific/linux/gogoclient/default.nix b/pkgs/os-specific/linux/gogoclient/default.nix
index 93c334b9593..e86c751331b 100644
--- a/pkgs/os-specific/linux/gogoclient/default.nix
+++ b/pkgs/os-specific/linux/gogoclient/default.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
 makeFlags = ["target=linux"];
 installFlags = ["installdir=$(out)"];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 buildInputs = [openssl];
diff --git a/pkgs/os-specific/linux/ifenslave/default.nix b/pkgs/os-specific/linux/ifenslave/default.nix
index a5cd2411819..b9390d1d589 100644
--- a/pkgs/os-specific/linux/ifenslave/default.nix
+++ b/pkgs/os-specific/linux/ifenslave/default.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
 cp -a ifenslave $out/bin
 '';
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = {
 description = "Utility for enslaving networking interfaces under a bond";
diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix
index 7c956e3c244..79094ebb3e3 100644
--- a/pkgs/os-specific/linux/jool/default.nix
+++ b/pkgs/os-specific/linux/jool/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation {
 src = sourceAttrs.src;
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 prePatch = ''
 sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i mod/*/Makefile
diff --git a/pkgs/os-specific/linux/kernel-headers/3.18.nix b/pkgs/os-specific/linux/kernel-headers/3.18.nix
index be54d7a4e6a..22650747ba2 100644
--- a/pkgs/os-specific/linux/kernel-headers/3.18.nix
+++ b/pkgs/os-specific/linux/kernel-headers/3.18.nix
@@ -35,7 +35,7 @@ stdenv.mkDerivation {
 buildInputs = [perl];
 # FIXME needs gcc 4.9 in bootstrap tools
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 extraIncludeDirs = if cross != null then
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index 5a22b5e2432..85a4b98982a 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -225,16 +225,12 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe
 nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null) (ubootChooser stdenv.platform.uboot);
- hardening_format = false;
- hardening_fortify = false;
- hardening_stackprotector = false;
+ hardeningDisable = [ "format" "fortify" "stackprotector" "pic" ];
 makeFlags = commonMakeFlags ++ [ "ARCH=${stdenv.platform.kernelArch}" ];
- hardening_pic = false;
 karch = stdenv.platform.kernelArch;
 crossAttrs = let cp = stdenv.cross.platform; in
diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix
index 98593ea85a9..d1a2fabf814 100644
--- a/pkgs/os-specific/linux/kexectools/default.nix
+++ b/pkgs/os-specific/linux/kexectools/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
 sha256 = "1qrfka9xvy77k0rg3k0cf7xai0f9vpgsbs4l3bs8r4nvzy37j2di";
 };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 buildInputs = [ zlib ];
diff --git a/pkgs/os-specific/linux/klibc/default.nix b/pkgs/os-specific/linux/klibc/default.nix
index b05b0dc4463..ffa381d0f29 100644
--- a/pkgs/os-specific/linux/klibc/default.nix
+++ b/pkgs/os-specific/linux/klibc/default.nix
@@ -21,8 +21,7 @@ stdenv.mkDerivation {
 nativeBuildInputs = [ perl ];
- hardening_format = false;
- hardening_stackprotector = false;
+ hardeningDisable = [ "format" "stackprotector" ];
 makeFlags = commonMakeFlags ++ [
 "KLIBCARCH=${stdenv.platform.kernelArch}"
diff --git a/pkgs/os-specific/linux/lttng-modules/default.nix b/pkgs/os-specific/linux/lttng-modules/default.nix
index f6a5e30afa0..0bcc6dd5143 100644
--- a/pkgs/os-specific/linux/lttng-modules/default.nix
+++ b/pkgs/os-specific/linux/lttng-modules/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
 sha256 = "0sk7cyjf5ylmxqrrrz5zmmw4c0dmxh1f98aj870gmcnxfa76y4mx";
 };
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 preConfigure = ''
 export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
diff --git a/pkgs/os-specific/linux/multipath-tools/default.nix b/pkgs/os-specific/linux/multipath-tools/default.nix
index 8aee4b73fdd..409eb31e14f 100644
--- a/pkgs/os-specific/linux/multipath-tools/default.nix
+++ b/pkgs/os-specific/linux/multipath-tools/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
 sha256 = "1yd6l1l1c62xjr1xnij2x49kr416anbgfs4y06r86kp9hkmz2g7i";
 };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 postPatch = ''
 sed -i -re '
diff --git a/pkgs/os-specific/linux/netatop/default.nix b/pkgs/os-specific/linux/netatop/default.nix
index e95cd4e133c..35781dc7f95 100644
--- a/pkgs/os-specific/linux/netatop/default.nix
+++ b/pkgs/os-specific/linux/netatop/default.nix
@@ -14,7 +14,7 @@ stdenv.mkDerivation {
 buildInputs = [ zlib ];
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 preConfigure = ''
 patchShebangs mkversion
diff --git a/pkgs/os-specific/linux/numad/default.nix b/pkgs/os-specific/linux/numad/default.nix
index 959de19ead2..7310e7e36ad 100644
--- a/pkgs/os-specific/linux/numad/default.nix
+++ b/pkgs/os-specific/linux/numad/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
 sha256 = "08zd1yc3w00yv4mvvz5sq1gf91f6p2s9ljcd72m33xgnkglj60v4";
 };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 patches = [
 ./numad-linker-flags.patch
diff --git a/pkgs/os-specific/linux/paxctl/default.nix b/pkgs/os-specific/linux/paxctl/default.nix
index 50aa77104c2..7ef98eb2353 100644
--- a/pkgs/os-specific/linux/paxctl/default.nix
+++ b/pkgs/os-specific/linux/paxctl/default.nix
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
 ];
 # FIXME needs gcc 4.9 in bootstrap tools
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 setupHook = ./setup-hook.sh;
diff --git a/pkgs/os-specific/linux/phc-intel/default.nix b/pkgs/os-specific/linux/phc-intel/default.nix
index 56ff6c473b4..56c12e9a4f0 100644
--- a/pkgs/os-specific/linux/phc-intel/default.nix
+++ b/pkgs/os-specific/linux/phc-intel/default.nix
@@ -21,7 +21,7 @@ in stdenv.mkDerivation rec {
 buildInputs = [ which ];
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 makeFlags = with kernel; [
 "DESTDIR=$(out)"
diff --git a/pkgs/os-specific/linux/rtl8812au/default.nix b/pkgs/os-specific/linux/rtl8812au/default.nix
index 5a03df98346..102b935be29 100644
--- a/pkgs/os-specific/linux/rtl8812au/default.nix
+++ b/pkgs/os-specific/linux/rtl8812au/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 sha256 = "14ifhplawipfd6971mxw76dv3ygwc0n8sbz2l3f0vvkin6x88bsj";
 };
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 patchPhase = ''
 substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/"
diff --git a/pkgs/os-specific/linux/setools/default.nix b/pkgs/os-specific/linux/setools/default.nix
index 6e8d9d3cf7a..5f539b9a97e 100644
--- a/pkgs/os-specific/linux/setools/default.nix
+++ b/pkgs/os-specific/linux/setools/default.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
 "--with-tcl=${tcl}/lib"
 ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 NIX_CFLAGS_COMPILE = "-fstack-protector-all";
 NIX_LDFLAGS = "-L${libsepol}/lib -L${libselinux}/lib";
diff --git a/pkgs/os-specific/linux/spl/default.nix b/pkgs/os-specific/linux/spl/default.nix
index 67e2f16848b..3fbfa4fdc53 100644
--- a/pkgs/os-specific/linux/spl/default.nix
+++ b/pkgs/os-specific/linux/spl/default.nix
@@ -30,7 +30,7 @@ stdenv.mkDerivation rec {
 buildInputs = [ autoconf automake libtool ];
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 preConfigure = ''
 ./autogen.sh
diff --git a/pkgs/os-specific/linux/sysdig/default.nix b/pkgs/os-specific/linux/sysdig/default.nix
index 00f9a66f0cd..358f7d38efa 100644
--- a/pkgs/os-specific/linux/sysdig/default.nix
+++ b/pkgs/os-specific/linux/sysdig/default.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation {
 cmake zlib luajit ncurses perl jsoncpp libb64 openssl curl
 ];
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 cmakeFlags = [
 "-DUSE_BUNDLED_DEPS=OFF"
diff --git a/pkgs/os-specific/linux/syslinux/default.nix b/pkgs/os-specific/linux/syslinux/default.nix
index 3ace0f5c5ed..a68ab9c478c 100644
--- a/pkgs/os-specific/linux/syslinux/default.nix
+++ b/pkgs/os-specific/linux/syslinux/default.nix
@@ -16,8 +16,7 @@ stdenv.mkDerivation rec {
 buildInputs = [ libuuid makeWrapper ];
 enableParallelBuilding = false; # Fails very rarely with 'No rule to make target: ...'
- hardening_stackprotector = false;
- hardening_pic = false;
+ hardeningDisable = [ "pic" "stackprotector" ];
 preBuild = ''
 substituteInPlace Makefile --replace /bin/pwd $(type -P pwd)
diff --git a/pkgs/os-specific/linux/tp_smapi/default.nix b/pkgs/os-specific/linux/tp_smapi/default.nix
index 116a0344450..dceb777ad72 100644
--- a/pkgs/os-specific/linux/tp_smapi/default.nix
+++ b/pkgs/os-specific/linux/tp_smapi/default.nix
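Review bot: `hardeningDisable = [ "pic" ]` in the sysdig hunk applies to the whole derivation, and the hunk's own `buildInputs` (cmake, zlib, luajit, ncurses, jsoncpp, openssl, curl) show that the same derivation also builds the user-space tools, so an opt-out presumably meant for the out-of-tree kernel module also strips -fPIC from those binaries and, as far as I can tell, keeps them from being linked as PIE. The commit only renames the attribute, so this is pre-existing, but the rename is the right moment to record the intent next to the line, e.g. `# pic is disabled for the kernel module build; note it also covers the userspace tools built here`. The zfs hunk on the next line is in the same position (its `NIX_CFLAGS_LINK = "-lgcc_s"` comment refers to the user-space zdb). Whether the module can be built in its own derivation with the flag scoped to it is worth a follow-up, not part of this rename.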
@@ -8,7 +8,7 @@ stdenv.mkDerivation {
 sha256 = "6aef02b92d10360ac9be0db29ae390636be55017990063a092a285c70b54e666";
 };
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 makeFlags = [
 "KBASE=${kernel.dev}/lib/modules/${kernel.modDirVersion}"
diff --git a/pkgs/os-specific/linux/v4l2loopback/default.nix b/pkgs/os-specific/linux/v4l2loopback/default.nix
index 8b44f3388d3..376a407d993 100644
--- a/pkgs/os-specific/linux/v4l2loopback/default.nix
+++ b/pkgs/os-specific/linux/v4l2loopback/default.nix
@@ -9,8 +9,7 @@ stdenv.mkDerivation rec {
 sha256 = "1crkhxlnskqrfj3f7jmiiyi5m75zmj7n0s26xz07wcwdzdf2p568";
 };
- hardening_pic = false;
- hardening_format = false;
+ hardeningDisable = [ "format" "pic" ];
 preBuild = ''
 substituteInPlace Makefile --replace "modules_install" "INSTALL_MOD_PATH=$out modules_install"
diff --git a/pkgs/os-specific/linux/v86d/default.nix b/pkgs/os-specific/linux/v86d/default.nix
index 17255aa1283..073a6ded998 100644
--- a/pkgs/os-specific/linux/v86d/default.nix
+++ b/pkgs/os-specific/linux/v86d/default.nix
@@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
 configureFlags = [ "--with-klibc" "--with-x86emu" ];
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 makeFlags = [
 "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source"
diff --git a/pkgs/os-specific/linux/xf86-video-nested/default.nix b/pkgs/os-specific/linux/xf86-video-nested/default.nix
index 96f353a64da..8b712553be9 100644
--- a/pkgs/os-specific/linux/xf86-video-nested/default.nix
+++ b/pkgs/os-specific/linux/xf86-video-nested/default.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation {
 pkgconfig renderproto utilmacros xorgserver
 ];
- hardening_fortify = false;
+ hardeningDisable = [ "fortify" ];
 CFLAGS = "-I${pixman}/include/pixman-1";
diff --git a/pkgs/os-specific/linux/zfs/default.nix b/pkgs/os-specific/linux/zfs/default.nix
index 0a61bdcea85..c49f393dd16 100644
--- a/pkgs/os-specific/linux/zfs/default.nix
+++ b/pkgs/os-specific/linux/zfs/default.nix
@@ -38,7 +38,7 @@ stdenv.mkDerivation rec { # for zdb to get the rpath to libgcc_s, needed for pthread_cancel to work NIX_CFLAGS_LINK = "-lgcc_s"; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preConfigure = '' substituteInPlace ./module/zfs/zfs_ctldir.c --replace "umount -t zfs" "${utillinux}/bin/umount -t zfs" diff --git a/pkgs/servers/beanstalkd/default.nix b/pkgs/servers/beanstalkd/default.nix index f5693e45168..ef4621fb9a6 100644 --- a/pkgs/servers/beanstalkd/default.nix +++ b/pkgs/servers/beanstalkd/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { sha256 = "0n9dlmiddcfl7i0f1lwfhqiwyvf26493fxfcmn8jm30nbqciwfwj"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = with stdenv.lib; { homepage = http://kr.github.io/beanstalkd/; diff --git a/pkgs/servers/firebird/default.nix b/pkgs/servers/firebird/default.nix index e557a2a0061..414582b69ef 100644 --- a/pkgs/servers/firebird/default.nix +++ b/pkgs/servers/firebird/default.nix @@ -65,7 +65,7 @@ stdenv.mkDerivation rec { sha256 = "0887a813wffp44hnc2gmwbc4ylpqw3fh3hz3bf6q3648344a9fdv"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # configurePhase = '' # sed -i 's@cp /usr/share/automake-.*@@' autogen.sh diff --git a/pkgs/servers/gpm/default.nix b/pkgs/servers/gpm/default.nix index 99b6ce2a832..ac5e0b7c1b1 100644 --- a/pkgs/servers/gpm/default.nix +++ b/pkgs/servers/gpm/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ automake autoconf libtool flex bison texinfo ]; buildInputs = [ ncurses ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' ./autogen.sh diff --git a/pkgs/servers/http/nginx/default.nix b/pkgs/servers/http/nginx/default.nix index 3dbb34f9b02..aaa858e302c 100644 --- a/pkgs/servers/http/nginx/default.nix +++ b/pkgs/servers/http/nginx/default.nix 
@@ -55,7 +55,7 @@ stdenv.mkDerivation rec { preConfigure = concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = { description = "A reverse proxy and lightweight webserver"; diff --git a/pkgs/servers/icecast/default.nix b/pkgs/servers/icecast/default.nix index d0e238786e2..dc3fef6125c 100644 --- a/pkgs/servers/icecast/default.nix +++ b/pkgs/servers/icecast/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ libxml2 libxslt curl libvorbis libtheora speex libkate libopus ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = { description = "Server software for streaming multimedia"; diff --git a/pkgs/servers/irc/charybdis/default.nix b/pkgs/servers/irc/charybdis/default.nix index d42f69d078b..d00bcb7ef1a 100644 --- a/pkgs/servers/irc/charybdis/default.nix +++ b/pkgs/servers/irc/charybdis/default.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { "--with-program-prefix=charybdis-" ]; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ bison flex openssl ]; diff --git a/pkgs/servers/mail/postfix/3.0.nix b/pkgs/servers/mail/postfix/3.0.nix index 3a0f2e0954d..9d208e8af4d 100644 --- a/pkgs/servers/mail/postfix/3.0.nix +++ b/pkgs/servers/mail/postfix/3.0.nix @@ -41,7 +41,7 @@ in stdenv.mkDerivation rec { ./relative-symlinks.patch ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; preBuild = '' sed -e '/^PATH=/d' -i postfix-install diff --git a/pkgs/servers/mail/postfix/default.nix b/pkgs/servers/mail/postfix/default.nix index 42355b46021..886412b24cd 100644 --- a/pkgs/servers/mail/postfix/default.nix +++ b/pkgs/servers/mail/postfix/default.nix @@ -14,8 +14,8 @@ stdenv.mkDerivation rec { buildInputs = [db openssl cyrus_sasl bison perl]; - hardening_format = false; - hardening_pie = true; + hardeningDisable = [ "format" ]; + hardeningEnable = [ "pie" ]; patches = [ ./postfix-2.2.9-db.patch 
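Review bot: `hardeningDisable = [ "format" ]` in the postfix/default.nix hunk turns off the format-string check on a daemon that parses untrusted SMTP input, and no reason is recorded. As defined by the removed adapter, `format` stands for `-Wformat -Wformat-security -Werror=format-security`, so disabling it means a non-literal format string the compiler flagged is now compiled silently instead of fixed. I would add a comment naming the offending source, e.g. `# format: <file> passes a non-literal format string; remove once upstream fixes it`, so the exemption is re-evaluated on the next bump. The 3.0.nix hunk just above enables PIE without disabling `format`, which suggests the newer release no longer needs this at all.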
diff --git a/pkgs/servers/memcached/default.nix b/pkgs/servers/memcached/default.nix index cac568f8fc9..5e4edd0b032 100644 --- a/pkgs/servers/memcached/default.nix +++ b/pkgs/servers/memcached/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [cyrus_sasl libevent]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = with stdenv.lib; { description = "A distributed memory object caching system"; diff --git a/pkgs/servers/nosql/mongodb/default.nix b/pkgs/servers/nosql/mongodb/default.nix index 141e8e0929d..913b312a54a 100644 --- a/pkgs/servers/nosql/mongodb/default.nix +++ b/pkgs/servers/nosql/mongodb/default.nix @@ -80,7 +80,7 @@ in stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = { description = "a scalable, high-performance, open source NoSQL database"; diff --git a/pkgs/servers/nosql/riak/1.3.1.nix b/pkgs/servers/nosql/riak/1.3.1.nix index ffa2056d5a9..565ed226ab4 100644 --- a/pkgs/servers/nosql/riak/1.3.1.nix +++ b/pkgs/servers/nosql/riak/1.3.1.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation rec { patches = [ ./riak-1.3.1.patch ./riak-admin-1.3.1.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; postUnpack = '' mkdir -p $sourceRoot/deps/eleveldb/c_src/leveldb diff --git a/pkgs/servers/nosql/riak/2.1.1.nix b/pkgs/servers/nosql/riak/2.1.1.nix index 05cf4270f9f..b66e99f0afb 100644 --- a/pkgs/servers/nosql/riak/2.1.1.nix +++ b/pkgs/servers/nosql/riak/2.1.1.nix @@ -34,7 +34,7 @@ stdenv.mkDerivation rec { src = srcs.riak; - hardening_format = false; + hardeningDisable = [ "format" ]; postPatch = '' sed -i deps/node_package/priv/base/env.sh \ diff --git a/pkgs/servers/openafs-client/default.nix b/pkgs/servers/openafs-client/default.nix index 1ff9b79e383..aab4ee9059f 100644 --- a/pkgs/servers/openafs-client/default.nix +++ b/pkgs/servers/openafs-client/default.nix 
@@ -23,7 +23,7 @@ stdenv.mkDerivation { buildInputs = [ autoconf automake flex yacc ncurses perl which ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preConfigure = '' ln -s "${kernel.dev}/lib/modules/"*/build $TMP/linux diff --git a/pkgs/servers/sip/freeswitch/default.nix b/pkgs/servers/sip/freeswitch/default.nix index cb77ebd9c89..e4e1d393a52 100644 --- a/pkgs/servers/sip/freeswitch/default.nix +++ b/pkgs/servers/sip/freeswitch/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = "-Wno-error=cpp"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Cross-Platform Scalable FREE Multi-Protocol Soft Switch"; diff --git a/pkgs/shells/dash/default.nix b/pkgs/shells/dash/default.nix index ba6a076f1f0..0d685a3f4d3 100644 --- a/pkgs/shells/dash/default.nix +++ b/pkgs/shells/dash/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "03y6z8akj72swa6f42h2dhq3p09xasbi6xia70h2vc27fwikmny6"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://gondor.apana.org.au/~herbert/dash/; diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix index 4f092ee1d97..836dedf1cb1 100644 --- a/pkgs/stdenv/adapters.nix +++ b/pkgs/stdenv/adapters.nix 
@@ -236,26 +236,6 @@ rec { }); }; - useHardenFlags = stdenv: stdenv // - { mkDerivation = args: stdenv.mkDerivation (args // { - NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "") - + stdenv.lib.optionalString (args.hardening_all or true) ( - stdenv.lib.optionalString (args.hardening_fortify or true) " -O2 -D_FORTIFY_SOURCE=2" - + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-strong" - + stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie" - + stdenv.lib.optionalString (args.hardening_pic or true) " -fPIC" - + stdenv.lib.optionalString (args.hardening_strictoverflow or true) " -fno-strict-overflow" - + stdenv.lib.optionalString (args.hardening_format or true) " -Wformat -Wformat-security -Werror=format-security" - ); - NIX_LDFLAGS = toString (args.NIX_LDFLAGS or "") - + stdenv.lib.optionalString (args.hardening_all or true) ( - stdenv.lib.optionalString (args.hardening_relro or true) " -z relro" - + stdenv.lib.optionalString (args.hardening_bindnow or true) " -z now" - ); - - }); - }; - dropCxx = drv: drv.override { stdenv = if pkgs.stdenv.isDarwin then pkgs.allStdenvs.stdenvDarwinNaked diff --git a/pkgs/tools/X11/xbindkeys-config/default.nix b/pkgs/tools/X11/xbindkeys-config/default.nix index b4fc755bd84..cef071bb3b6 100644 --- a/pkgs/tools/X11/xbindkeys-config/default.nix +++ b/pkgs/tools/X11/xbindkeys-config/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "1rs3li2hyig6cdzvgqlbz0vw6x7rmgr59qd6m0cvrai8xhqqykda"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = https://packages.debian.org/source/xbindkeys-config; diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix index 24fec4e33bb..e7164bf07b6 100644 --- a/pkgs/tools/admin/tightvnc/default.nix +++ b/pkgs/tools/admin/tightvnc/default.nix 
@@ -13,7 +13,7 @@ stdenv.mkDerivation { inherit xauth fontDirectories perl; gcc = stdenv.cc.cc; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw libXpm libXp xauth openssh ]; diff --git a/pkgs/tools/archivers/sharutils/default.nix b/pkgs/tools/archivers/sharutils/default.nix index d1f13b77f0c..41043cda5b6 100644 --- a/pkgs/tools/archivers/sharutils/default.nix +++ b/pkgs/tools/archivers/sharutils/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' # Fix for building on Glibc 2.16. Won't be needed once the diff --git a/pkgs/tools/archivers/unzip/default.nix b/pkgs/tools/archivers/unzip/default.nix index 20f7038067d..da0983fc097 100644 --- a/pkgs/tools/archivers/unzip/default.nix +++ b/pkgs/tools/archivers/unzip/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./CVE-2014-8139.diff diff --git a/pkgs/tools/archivers/xarchive/default.nix b/pkgs/tools/archivers/xarchive/default.nix index 6407fe4f350..115fc8e3aff 100644 --- a/pkgs/tools/archivers/xarchive/default.nix +++ b/pkgs/tools/archivers/xarchive/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ gtk2 pkgconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "A GTK+ front-end for command line archiving tools"; diff --git a/pkgs/tools/archivers/zip/default.nix b/pkgs/tools/archivers/zip/default.nix index 8be743c8dd0..145b81c95bc 100644 --- a/pkgs/tools/archivers/zip/default.nix +++ b/pkgs/tools/archivers/zip/default.nix 
@@ -13,7 +13,7 @@ stdenv.mkDerivation { sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; makefile = "unix/Makefile"; buildFlags = if stdenv.isCygwin then "cygwin" else "generic"; diff --git a/pkgs/tools/bootloaders/refind/default.nix b/pkgs/tools/bootloaders/refind/default.nix index f27dd3c5be6..f38b24c0fc0 100644 --- a/pkgs/tools/bootloaders/refind/default.nix +++ b/pkgs/tools/bootloaders/refind/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ unzip gnu-efi efibootmgr dosfstools imagemagick ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; HOSTARCH = if stdenv.system == "x86_64-linux" then "x64" diff --git a/pkgs/tools/cd-dvd/cdrdao/default.nix b/pkgs/tools/cd-dvd/cdrdao/default.nix index 2de5736a4c2..7e7558f69e6 100644 --- a/pkgs/tools/cd-dvd/cdrdao/default.nix +++ b/pkgs/tools/cd-dvd/cdrdao/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { buildInputs = [ lame libvorbis libmad pkgconfig libao ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # Adjust some headers to match glibc 2.12 ... patch is a diff between # the cdrdao CVS head and the 1.2.3 release. diff --git a/pkgs/tools/cd-dvd/cdrkit/default.nix b/pkgs/tools/cd-dvd/cdrkit/default.nix index 34bb109a171..0b10f30497d 100644 --- a/pkgs/tools/cd-dvd/cdrkit/default.nix +++ b/pkgs/tools/cd-dvd/cdrkit/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [cmake libcap zlib bzip2]; - hardening_format = false; + hardeningDisable = [ "format" ]; # efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244 patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ]; diff --git a/pkgs/tools/cd-dvd/dvdisaster/default.nix b/pkgs/tools/cd-dvd/dvdisaster/default.nix index 38e86c8ff1f..7db35e2b80e 100644 --- a/pkgs/tools/cd-dvd/dvdisaster/default.nix +++ b/pkgs/tools/cd-dvd/dvdisaster/default.nix 
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "0f8gjnia2fxcbmhl8b3qkr5b7idl8m855dw7xw2fnmbqwvcm6k4w"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; nativeBuildInputs = [ gettext pkgconfig which ]; buildInputs = [ glib gtk2 ]; diff --git a/pkgs/tools/compression/xz/default.nix b/pkgs/tools/compression/xz/default.nix index 6ddebe6b99d..986f940b906 100644 --- a/pkgs/tools/compression/xz/default.nix +++ b/pkgs/tools/compression/xz/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { postInstall = "rm -rf $out/share/doc"; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = with stdenv.lib; { homepage = http://tukaani.org/xz/; diff --git a/pkgs/tools/filesystems/fusesmb/default.nix b/pkgs/tools/filesystems/fusesmb/default.nix index c53400e6afd..5a3451810a1 100644 --- a/pkgs/tools/filesystems/fusesmb/default.nix +++ b/pkgs/tools/filesystems/fusesmb/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { ln -fs ${samba}/lib/libsmbclient.so $out/lib/libsmbclient.so.0 ''; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Samba mounted via FUSE"; diff --git a/pkgs/tools/filesystems/udftools/default.nix b/pkgs/tools/filesystems/udftools/default.nix index d3964b1e427..5613bac9b1a 100644 --- a/pkgs/tools/filesystems/udftools/default.nix +++ b/pkgs/tools/filesystems/udftools/default.nix @@ -11,7 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses readline ]; patches = [ ./gcc5.patch ]; - hardening_fortify = false; + + hardeningDisable = [ "fortify" ]; preConfigure = '' sed -e '1i#include ' -i cdrwtool/cdrwtool.c -i pktsetup/pktsetup.c diff --git a/pkgs/tools/graphics/barcode/default.nix b/pkgs/tools/graphics/barcode/default.nix index 7e6c9931341..d6a31bd5c7f 100644 --- a/pkgs/tools/graphics/barcode/default.nix +++ b/pkgs/tools/graphics/barcode/default.nix 
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1indapql5fjz0bysyc88cmc54y8phqrbi7c76p71fgjp45jcyzp8"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "GNU barcode generator"; diff --git a/pkgs/tools/graphics/editres/default.nix b/pkgs/tools/graphics/editres/default.nix index c3d9a859f3f..cdf38d1218a 100644 --- a/pkgs/tools/graphics/editres/default.nix +++ b/pkgs/tools/graphics/editres/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { configureFlags = "--with-appdefaultdir=$(out)/share/X11/app-defaults/editres"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = "http://cgit.freedesktop.org/xorg/app/editres/"; diff --git a/pkgs/tools/graphics/ggobi/default.nix b/pkgs/tools/graphics/ggobi/default.nix index 03326aa4562..e7fb3e773c1 100644 --- a/pkgs/tools/graphics/ggobi/default.nix +++ b/pkgs/tools/graphics/ggobi/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { configureFlags = "--with-all-plugins"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Visualization program for exploring high-dimensional data"; diff --git a/pkgs/tools/graphics/graphviz/2.0.nix b/pkgs/tools/graphics/graphviz/2.0.nix index e08b1309d41..6f236509a31 100644 --- a/pkgs/tools/graphics/graphviz/2.0.nix +++ b/pkgs/tools/graphics/graphviz/2.0.nix @@ -14,8 +14,7 @@ stdenv.mkDerivation rec { buildInputs = [pkgconfig xlibsWrapper libpng libjpeg expat libXaw yacc libtool fontconfig pango gd]; - hardening_format = false; - hardening_fortify = false; + hardeningDisable = [ "format" "fortify" ]; configureFlags = [ "--with-pngincludedir=${libpng}/include" diff --git a/pkgs/tools/graphics/graphviz/2.32.nix b/pkgs/tools/graphics/graphviz/2.32.nix index 7f11f076dcc..ede6624ac59 100644 --- a/pkgs/tools/graphics/graphviz/2.32.nix +++ b/pkgs/tools/graphics/graphviz/2.32.nix 
@@ -31,7 +31,7 @@ stdenv.mkDerivation rec { ] ++ stdenv.lib.optional (xorg == null) "--without-x"; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; preBuild = '' sed -e 's@am__append_5 *=.*@am_append_5 =@' -i lib/gvc/Makefile diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix index 9a9621dd784..82f958321bd 100644 --- a/pkgs/tools/graphics/graphviz/default.nix +++ b/pkgs/tools/graphics/graphviz/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; patches = [ ./0001-vimdot-lookup-vim-in-PATH.patch diff --git a/pkgs/tools/graphics/nifskope/default.nix b/pkgs/tools/graphics/nifskope/default.nix index e28a2e16488..392527a2119 100644 --- a/pkgs/tools/graphics/nifskope/default.nix +++ b/pkgs/tools/graphics/nifskope/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; # Inspired by linux-install/nifskope.spec.in. installPhase = diff --git a/pkgs/tools/graphics/plotutils/default.nix b/pkgs/tools/graphics/plotutils/default.nix index dc145a0d862..abcbabea596 100644 --- a/pkgs/tools/graphics/plotutils/default.nix +++ b/pkgs/tools/graphics/plotutils/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { configureFlags = "--enable-libplotter"; # required for pstoedit - hardening_format = false; + hardeningDisable = [ "format" ]; doCheck = true; diff --git a/pkgs/tools/graphics/pngcheck/default.nix b/pkgs/tools/graphics/pngcheck/default.nix index f67e7202521..496b1d35572 100644 --- a/pkgs/tools/graphics/pngcheck/default.nix +++ b/pkgs/tools/graphics/pngcheck/default.nix 
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0pzkj1bb4kdybk6vbfq9s0wzdm5szmrgixkas3xmbpv4mhws1w3p"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; makefile = "Makefile.unx"; makeFlags = "ZPATH=${zlib}/lib"; diff --git a/pkgs/tools/graphics/qrcode/default.nix b/pkgs/tools/graphics/qrcode/default.nix index a1aefbff33c..f2a85c73c2a 100644 --- a/pkgs/tools/graphics/qrcode/default.nix +++ b/pkgs/tools/graphics/qrcode/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation { inherit (s) rev url sha256; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; installPhase = '' mkdir -p "$out"/{bin,share/doc/qrcode} diff --git a/pkgs/tools/graphics/transfig/default.nix b/pkgs/tools/graphics/transfig/default.nix index c584ed282d6..898031cbaf3 100644 --- a/pkgs/tools/graphics/transfig/default.nix +++ b/pkgs/tools/graphics/transfig/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [zlib libjpeg libpng imake]; inherit libpng; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch]; diff --git a/pkgs/tools/graphics/zbar/default.nix b/pkgs/tools/graphics/zbar/default.nix index f0e53696fc5..b96c469e346 100644 --- a/pkgs/tools/graphics/zbar/default.nix +++ b/pkgs/tools/graphics/zbar/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { configureFlags = [ "--disable-video" ]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = with stdenv.lib; { description = "Bar code reader"; diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index 6e7c6daca56..a06d3d0729a 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -20,7 +20,7 @@ let }; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; patches = optional stdenv.isCygwin ./coreutils-8.23-4.cygwin.patch; 
diff --git a/pkgs/tools/misc/ddccontrol/default.nix b/pkgs/tools/misc/ddccontrol/default.nix index d537c0f506f..132707106af 100644 --- a/pkgs/tools/misc/ddccontrol/default.nix +++ b/pkgs/tools/misc/ddccontrol/default.nix @@ -37,7 +37,7 @@ stdenv.mkDerivation { ddccontrol-db ]; - hardening_format = false; + hardeningDisable = [ "format" ]; prePatch = '' newPath=$(echo "${ddccontrol-db}/share/ddccontrol-db" | sed "s/\\//\\\\\\//g") diff --git a/pkgs/tools/misc/detox/default.nix b/pkgs/tools/misc/detox/default.nix index 4475010f3b8..7d17dee8b53 100644 --- a/pkgs/tools/misc/detox/default.nix +++ b/pkgs/tools/misc/detox/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { buildInputs = [flex]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = http://detox.sourceforge.net/; diff --git a/pkgs/tools/misc/expect/default.nix b/pkgs/tools/misc/expect/default.nix index f99b83a2a0a..80fb3c6a694 100644 --- a/pkgs/tools/misc/expect/default.nix +++ b/pkgs/tools/misc/expect/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; nativeBuildInputs = [ makeWrapper ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' sed -i "s,/bin/stty,$(type -p stty),g" configure diff --git a/pkgs/tools/misc/gbdfed/default.nix b/pkgs/tools/misc/gbdfed/default.nix index d3b62149bdf..1ba4bceb787 100644 --- a/pkgs/tools/misc/gbdfed/default.nix +++ b/pkgs/tools/misc/gbdfed/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { patches = [ ./Makefile.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Bitmap Font Editor"; diff --git a/pkgs/tools/misc/grub/2.0x.nix b/pkgs/tools/misc/grub/2.0x.nix index f3c09ef686a..d56f9b3ce0f 100644 --- a/pkgs/tools/misc/grub/2.0x.nix +++ b/pkgs/tools/misc/grub/2.0x.nix 
@@ -52,7 +52,7 @@ stdenv.mkDerivation rec { ++ optional doCheck qemu ++ optional zfsSupport zfs; - hardening_all = false; + hardeningDisable = [ "all" ]; preConfigure = '' for i in "tests/util/"*.in diff --git a/pkgs/tools/misc/grub/default.nix b/pkgs/tools/misc/grub/default.nix index c0579b91816..a690ef2084b 100644 --- a/pkgs/tools/misc/grub/default.nix +++ b/pkgs/tools/misc/grub/default.nix @@ -36,7 +36,7 @@ stdenv.mkDerivation { # autoreconfHook required for the splashimage patch. buildInputs = [ autoreconfHook texinfo ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; prePatch = '' unpackFile $gentooPatches diff --git a/pkgs/tools/misc/grub/trusted.nix b/pkgs/tools/misc/grub/trusted.nix index 39c1ce9c0c1..fc8784decc5 100644 --- a/pkgs/tools/misc/grub/trusted.nix +++ b/pkgs/tools/misc/grub/trusted.nix @@ -47,8 +47,7 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses libusb freetype gettext devicemapper ] ++ optional doCheck qemu; - hardening_stackprotector = false; - hardening_pic = false; + hardeningDisable = [ "stackprotector" "pic" ]; preConfigure = '' for i in "tests/util/"*.in diff --git a/pkgs/tools/misc/gummiboot/default.nix b/pkgs/tools/misc/gummiboot/default.nix index b73d83201e0..7946a3b062f 100644 --- a/pkgs/tools/misc/gummiboot/default.nix +++ b/pkgs/tools/misc/gummiboot/default.nix @@ -5,7 +5,7 @@ stdenv.mkDerivation rec { buildInputs = [ gnu-efi pkgconfig libxslt utillinux ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; # Sigh, gummiboot should be able to find this in buildInputs configureFlags = [ diff --git a/pkgs/tools/misc/ipxe/default.nix b/pkgs/tools/misc/ipxe/default.nix index 0830eb51b3c..78f49588e8c 100644 --- a/pkgs/tools/misc/ipxe/default.nix +++ b/pkgs/tools/misc/ipxe/default.nix 
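Review bot: `hardeningDisable = [ "all" ]` in the grub/2.0x.nix hunk switches off every hardening flag for the entire derivation, including whatever host-side userspace tools it produces, whereas the grub/trusted.nix hunk on the same line gets by with `hardeningDisable = [ "stackprotector" "pic" ]`. If the trusted variant builds with only those two disabled, the 2.0x build most likely needs the same pair for its freestanding boot-time code and could keep fortify, format, relro and bindnow for the userspace side. I would narrow it to `hardeningDisable = [ "stackprotector" "pic" ];` with a comment explaining that the boot modules are freestanding, or, if `all` really is required, say which flag breaks the build so the blanket disable can be revisited.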
@@ -19,8 +19,7 @@ stdenv.mkDerivation { preConfigure = "cd src"; # not possible due to assembler code - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "pic" "stackprotector" ]; makeFlags = [ "ECHO_E_BIN_ECHO=echo" "ECHO_E_BIN_ECHO_E=echo" # No /bin/echo here. diff --git a/pkgs/tools/misc/memtest86+/default.nix b/pkgs/tools/misc/memtest86+/default.nix index 097c26071fc..62d490ea4f9 100644 --- a/pkgs/tools/misc/memtest86+/default.nix +++ b/pkgs/tools/misc/memtest86+/default.nix @@ -22,8 +22,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = "-I. -std=gnu90"; - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" "pic" ]; buildFlags = "memtest.bin"; diff --git a/pkgs/tools/misc/pal/default.nix b/pkgs/tools/misc/pal/default.nix index a65bd1fe8ec..f92069e7b9f 100644 --- a/pkgs/tools/misc/pal/default.nix +++ b/pkgs/tools/misc/pal/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { buildInputs = [ glib gettext readline pkgconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://palcal.sourceforge.net/; diff --git a/pkgs/tools/misc/sutils/default.nix b/pkgs/tools/misc/sutils/default.nix index 48c47cc3d8d..8d4f00ee847 100644 --- a/pkgs/tools/misc/sutils/default.nix +++ b/pkgs/tools/misc/sutils/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0xqk42vl82chy458d64fj68a4md4bxaip8n3xw9skxz0a1sgvks8"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; prePatch = ''sed -i "s@/usr/local@$out@" Makefile''; diff --git a/pkgs/tools/misc/uucp/default.nix b/pkgs/tools/misc/uucp/default.nix index cba343863be..4ef050b409e 100644 --- a/pkgs/tools/misc/uucp/default.nix +++ b/pkgs/tools/misc/uucp/default.nix 
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0b5nhl9vvif1w3wdipjsk8ckw49jj1w85xw1mmqi3zbcpazia306"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Unix-unix cp over serial line, also includes cu program"; diff --git a/pkgs/tools/misc/vorbisgain/default.nix b/pkgs/tools/misc/vorbisgain/default.nix index 292023a1b58..567783f6313 100644 --- a/pkgs/tools/misc/vorbisgain/default.nix +++ b/pkgs/tools/misc/vorbisgain/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1v1h6mhnckmvvn7345hzi9abn5z282g4lyyl4nnbqwnrr98v0vfx"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ unzip libogg libvorbis ]; diff --git a/pkgs/tools/misc/wv/default.nix b/pkgs/tools/misc/wv/default.nix index 3d828a55121..debc2c239ad 100644 --- a/pkgs/tools/misc/wv/default.nix +++ b/pkgs/tools/misc/wv/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation { buildInputs = [ zlib imagemagick libpng glib pkgconfig libgsf libxml2 bzip2 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Converter from Microsoft Word formats to human-editable ones"; diff --git a/pkgs/tools/misc/xfstests/default.nix b/pkgs/tools/misc/xfstests/default.nix index cef5fee9cf9..31b6e74917e 100644 --- a/pkgs/tools/misc/xfstests/default.nix +++ b/pkgs/tools/misc/xfstests/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { buildInputs = [ acl autoreconfHook attr gawk libaio libuuid libxfs openssl perl ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' # Patch the destination directory diff --git a/pkgs/tools/networking/chrony/default.nix b/pkgs/tools/networking/chrony/default.nix index 0729f35db59..d262f7fc9e0 100644 --- a/pkgs/tools/networking/chrony/default.nix +++ b/pkgs/tools/networking/chrony/default.nix 
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ readline texinfo nss nspr ] ++ stdenv.lib.optional stdenv.isLinux libcap; nativeBuildInputs = [ pkgconfig ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; configureFlags = [ "--chronyvardir=$(out)/var/lib/chrony" diff --git a/pkgs/tools/networking/dhcpdump/default.nix b/pkgs/tools/networking/dhcpdump/default.nix index 915562bd779..91232b4ffa7 100644 --- a/pkgs/tools/networking/dhcpdump/default.nix +++ b/pkgs/tools/networking/dhcpdump/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [libpcap perl]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; installPhase = '' mkdir -pv $out/bin diff --git a/pkgs/tools/networking/dnsmasq/default.nix b/pkgs/tools/networking/dnsmasq/default.nix index 6032e53f0ba..b05f4e8e80e 100644 --- a/pkgs/tools/networking/dnsmasq/default.nix +++ b/pkgs/tools/networking/dnsmasq/default.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { "LOCALEDIR=$(out)/share/locale" ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; postBuild = optionalString stdenv.isLinux '' make -C contrib/wrt diff --git a/pkgs/tools/networking/eggdrop/default.nix b/pkgs/tools/networking/eggdrop/default.nix index 90bc8b54f28..a9f2419b136 100644 --- a/pkgs/tools/networking/eggdrop/default.nix +++ b/pkgs/tools/networking/eggdrop/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' prefix=$out/eggdrop diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix index 414ff692d10..13f8cedc673 100644 --- a/pkgs/tools/networking/iperf/2.nix +++ b/pkgs/tools/networking/iperf/2.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = "http://sourceforge.net/projects/iperf/"; 
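Review bot: `hardeningDisable = [ "fortify" ]` in the dhcpdump hunk removes `_FORTIFY_SOURCE` from a tool whose job is parsing packets captured through libpcap, i.e. untrusted network input, and gives no reason. The removed adapter tied `fortify` to `-O2 -D_FORTIFY_SOURCE=2`, so a common cause of such exemptions is a build that runs without optimisation and hits glibc's "_FORTIFY_SOURCE requires optimisation" warning; if that is the case here, passing `-O2` via `NIX_CFLAGS_COMPILE` would keep the check instead of dropping it. Otherwise add `# fortify: <reason>; fix the Makefile rather than disable` so the exemption is not permanent.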
diff --git a/pkgs/tools/networking/mailutils/default.nix b/pkgs/tools/networking/mailutils/default.nix index 53e17e6cecd..140d58e3163 100644 --- a/pkgs/tools/networking/mailutils/default.nix +++ b/pkgs/tools/networking/mailutils/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "0szbqa12zqzldqyw97lxqax3ja2adis83i7brdfsxmrfw68iaf65"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./path-to-cat.patch ./no-gets.patch ]; diff --git a/pkgs/tools/networking/netboot/default.nix b/pkgs/tools/networking/netboot/default.nix index 349dba12538..7a1eac59eea 100644 --- a/pkgs/tools/networking/netboot/default.nix +++ b/pkgs/tools/networking/netboot/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { buildInputs = [ yacc lzo db4 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Mini PXE server"; diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix index 47fa2708821..b2242fe5454 100644 --- a/pkgs/tools/networking/ntp/default.nix +++ b/pkgs/tools/networking/ntp/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ autoreconfHook ]; buildInputs = [ libcap openssl ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; postInstall = '' rm -rf $out/share/doc diff --git a/pkgs/tools/networking/openfortivpn/default.nix b/pkgs/tools/networking/openfortivpn/default.nix index 25af3e11caf..c1f78c911a1 100644 --- a/pkgs/tools/networking/openfortivpn/default.nix +++ b/pkgs/tools/networking/openfortivpn/default.nix @@ -17,7 +17,7 @@ in stdenv.mkDerivation { buildInputs = [ openssl ppp autoreconfHook ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' substituteInPlace src/tunnel.c --replace "/usr/sbin/pppd" "${ppp}/bin/pppd" diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 7ade847b97b..6e497a0093e 100644 
--- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -63,7 +63,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_pie = true; + hardeningEnable = [ "pie" ]; postInstall = '' # Install ssh-copy-id, it's very useful. diff --git a/pkgs/tools/networking/radvd/default.nix b/pkgs/tools/networking/radvd/default.nix index 8b0b3d9a736..fc4ca793199 100644 --- a/pkgs/tools/networking/radvd/default.nix +++ b/pkgs/tools/networking/radvd/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libdaemon bison flex check ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = with stdenv.lib; { homepage = http://www.litech.org/radvd/; diff --git a/pkgs/tools/networking/socat/default.nix b/pkgs/tools/networking/socat/default.nix index e59e6d46080..36c6a2deead 100644 --- a/pkgs/tools/networking/socat/default.nix +++ b/pkgs/tools/networking/socat/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./enable-ecdhe.patch ./libressl-fixes.patch ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = { description = "A utility for bidirectional data transfer between two independent data channels"; diff --git a/pkgs/tools/networking/telnet/default.nix b/pkgs/tools/networking/telnet/default.nix index 3fe6144b72c..3a5117653c8 100644 --- a/pkgs/tools/networking/telnet/default.nix +++ b/pkgs/tools/networking/telnet/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { sha256 = "0cs7ks22dhcn5qfjv2vl6ikhw93x68gg33zdn5f5cxgg81kx5afn"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ncurses]; diff --git a/pkgs/tools/networking/trickle/default.nix b/pkgs/tools/networking/trickle/default.nix index 22f991d8fe2..1c8829a07b2 100644 --- a/pkgs/tools/networking/trickle/default.nix +++ b/pkgs/tools/networking/trickle/default.nix 
@@ -22,7 +22,7 @@ stdenv.mkDerivation rec { configureFlags = "--with-libevent"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Lightweight userspace bandwidth shaper"; diff --git a/pkgs/tools/networking/uwimap/default.nix b/pkgs/tools/networking/uwimap/default.nix index 1c7c946000e..e7c77161848 100644 --- a/pkgs/tools/networking/uwimap/default.nix +++ b/pkgs/tools/networking/uwimap/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation { # -fPIC is required to compile php with imap on x86_64 systems + stdenv.lib.optionalString stdenv.isx86_64 " EXTRACFLAGS=-fPIC"; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ openssl ] ++ stdenv.lib.optional (!stdenv.isDarwin) pam; diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix index ba9552d4fae..81d43fa501c 100644 --- a/pkgs/tools/networking/vde2/default.nix +++ b/pkgs/tools/networking/vde2/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ openssl libpcap python ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://vde.sourceforge.net/; diff --git a/pkgs/tools/package-management/checkinstall/default.nix b/pkgs/tools/package-management/checkinstall/default.nix index f1d7985e9a5..c47f1664cd6 100644 --- a/pkgs/tools/package-management/checkinstall/default.nix +++ b/pkgs/tools/package-management/checkinstall/default.nix @@ -44,7 +44,7 @@ stdenv.mkDerivation { buildInputs = [gettext]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; preBuild = '' makeFlagsArray=(PREFIX=$out) diff --git a/pkgs/tools/package-management/clib/default.nix b/pkgs/tools/package-management/clib/default.nix index d52243dcea5..cb365b9b4f7 100644 --- a/pkgs/tools/package-management/clib/default.nix +++ b/pkgs/tools/package-management/clib/default.nix 
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0hbi5hf4w0iim96h89j7krxv61x92ffxjbldxp3zk92m5sgpldnm"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; makeFlags = "PREFIX=$(out)"; diff --git a/pkgs/tools/security/fprint_demo/default.nix b/pkgs/tools/security/fprint_demo/default.nix index 273d692ebaa..8efd04690db 100644 --- a/pkgs/tools/security/fprint_demo/default.nix +++ b/pkgs/tools/security/fprint_demo/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ libfprint gtk2 ]; nativeBuildInputs = [ pkgconfig autoreconfHook ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = "http://www.freedesktop.org/wiki/Software/fprint/fprint_demo/"; diff --git a/pkgs/tools/security/tboot/default.nix b/pkgs/tools/security/tboot/default.nix index 1a2bc6a3108..506b1d398d5 100644 --- a/pkgs/tools/security/tboot/default.nix +++ b/pkgs/tools/security/tboot/default.nix @@ -12,8 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./tboot-add-well-known-secret-option-to-lcp_writepol.patch ]; - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "pic" "stackprotector" ]; configurePhase = '' for a in lcptools utils tb_polgen; do diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix index 805336cfe44..26f088fd54a 100644 --- a/pkgs/tools/system/cron/default.nix +++ b/pkgs/tools/system/cron/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { unpackCmd = "(mkdir cron && cd cron && sh $curSrc)"; - hardening_pie = true; + hardeningEnable = [ "pie" ]; preBuild = '' substituteInPlace Makefile --replace ' -o root' ' ' --replace 111 755 diff --git a/pkgs/tools/system/foremost/default.nix b/pkgs/tools/system/foremost/default.nix index 0696af07166..0114c1d41ff 100644 --- a/pkgs/tools/system/foremost/default.nix +++ b/pkgs/tools/system/foremost/default.nix 
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; preInstall = '' mkdir -p $out/{bin,share/man/man8} diff --git a/pkgs/tools/system/gdmap/default.nix b/pkgs/tools/system/gdmap/default.nix index 1456b6fca7c..7800bfa0831 100644 --- a/pkgs/tools/system/gdmap/default.nix +++ b/pkgs/tools/system/gdmap/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./get_sensitive.patch ./set_flags.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = http://gdmap.sourceforge.net; diff --git a/pkgs/tools/system/rsyslog/default.nix b/pkgs/tools/system/rsyslog/default.nix index ef54bde3db5..e19dbb02847 100644 --- a/pkgs/tools/system/rsyslog/default.nix +++ b/pkgs/tools/system/rsyslog/default.nix @@ -28,7 +28,7 @@ stdenv.mkDerivation rec { rabbitmq-c hiredis ] ++ stdenv.lib.optional stdenv.isLinux systemd; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--sysconfdir=/etc" diff --git a/pkgs/tools/system/which/default.nix b/pkgs/tools/system/which/default.nix index 956fd590b14..fc0889012c2 100644 --- a/pkgs/tools/system/which/default.nix +++ b/pkgs/tools/system/which/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { }; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = with stdenv.lib; { homepage = http://ftp.gnu.org/gnu/which/; diff --git a/pkgs/tools/text/a2ps/default.nix b/pkgs/tools/text/a2ps/default.nix index bcbf2b66a86..4a32e972a5b 100644 --- a/pkgs/tools/text/a2ps/default.nix +++ b/pkgs/tools/text/a2ps/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { buildInputs = [ libpaper gperf file ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "An Anyithing to PostScript converter and pretty-printer"; 
diff --git a/pkgs/tools/text/patchutils/default.nix b/pkgs/tools/text/patchutils/default.nix index 98f9c0483c2..75922a6c830 100644 --- a/pkgs/tools/text/patchutils/default.nix +++ b/pkgs/tools/text/patchutils/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { patches = [ ./drop-comments.patch ]; # we would get into a cycle when using fetchpatch on this one - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Tools to manipulate patch files"; diff --git a/pkgs/tools/text/untex/default.nix b/pkgs/tools/text/untex/default.nix index 33f72b029a1..ec99e8b4a27 100644 --- a/pkgs/tools/text/untex/default.nix +++ b/pkgs/tools/text/untex/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "07p836jydd5yjy905m5ylnnac1h4cc4jsr41panqb808mlsiwmmy"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; unpackPhase = "tar xf $src"; installTargets = "install install.man"; diff --git a/pkgs/tools/typesetting/tex/tetex/default.nix b/pkgs/tools/typesetting/tex/tetex/default.nix index cffe0b39d22..c3d226a2acb 100644 --- a/pkgs/tools/typesetting/tex/tetex/default.nix +++ b/pkgs/tools/typesetting/tex/tetex/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation { buildInputs = [ flex bison zlib libpng ncurses ed ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # fixes "error: conflicting types for 'calloc'", etc. preBuild = stdenv.lib.optionalString stdenv.isDarwin '' diff --git a/pkgs/tools/typesetting/tex/texlive-new/bin.nix b/pkgs/tools/typesetting/tex/texlive-new/bin.nix index 3585c4d04af..2cc67393903 100644 --- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix +++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix @@ -64,7 +64,7 @@ core = stdenv.mkDerivation rec { perl ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' rm -r libs/{cairo,freetype2,gd,gmp,graphite2,harfbuzz,icu,libpaper,libpng} \ 
@@ -123,7 +123,7 @@ core-big = stdenv.mkDerivation { inherit (common) src; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = core.buildInputs ++ [ core cairo harfbuzz icu graphite2 ]; diff --git a/pkgs/tools/video/mjpegtools/default.nix b/pkgs/tools/video/mjpegtools/default.nix index 989649c580f..bfffbae65b5 100644 --- a/pkgs/tools/video/mjpegtools/default.nix +++ b/pkgs/tools/video/mjpegtools/default.nix @@ -15,5 +15,5 @@ stdenv.mkDerivation rec { buildInputs = [ gtk libdv libjpeg libpng libX11 pkgconfig SDL SDL_gfx ]; - hardening_format = false; + hardeningDisable = [ "format" ]; } diff --git a/pkgs/tools/video/vncrec/default.nix b/pkgs/tools/video/vncrec/default.nix index a16dc169b98..81860f22e89 100644 --- a/pkgs/tools/video/vncrec/default.nix +++ b/pkgs/tools/video/vncrec/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { sha256 = "1yp6r55fqpdhc8cgrgh9i0mzxmkls16pgf8vfcpng1axr7cigyhc"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ libX11 xproto imake gccmakedep libXt libXmu libXaw diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 9a10236a419..63a8e1485d1 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -214,12 +214,12 @@ let allPackages = args: import ./all-packages.nix ({ inherit config system; } // args); }; - defaultStdenv = stdenvAdapters.useHardenFlags (allStdenvs.stdenv // { inherit platform; }); + defaultStdenv = allStdenvs.stdenv // { inherit platform; }; stdenvCross = lowPrio (makeStdenvCross defaultStdenv crossSystem binutilsCross gccCrossStageFinal); stdenv = - if bootStdenv != null then ((import ../stdenv/adapters.nix pkgs_).useHardenFlags bootStdenv // {inherit platform;}) else + if bootStdenv != null then (bootStdenv // {inherit platform;}) else if crossSystem != null then stdenvCross else From 034b2ec2ed00e7d099a7810a284ca6b7dbe81dd9 Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Sat, 5 Mar 2016 19:47:04 +0100 Subject: [PATCH 345/603] glibc: stackprotector is already disabled in default.nix This overwrites the hardeningDisable attribute and removes disabling the fortify flag. --- pkgs/development/libraries/glibc/common.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 50be7d8a734..13d5adcd9b1 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -165,9 +165,6 @@ stdenv.mkDerivation ({ preBuild = lib.optionalString withGd "unset NIX_DONT_SET_RPATH"; - # FIXME needs gcc 4.9 in bootstrap tools - hardeningDisable = [ "stackprotector" ]; - meta = { homepage = http://www.gnu.org/software/libc/; description = "The GNU C Library"; From 0cad2e7af170b9f9109fa515224e4aaab57d09c1 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 5 Mar 2016 21:39:38 +0100 Subject: [PATCH 346/603] vim: Disable hardening flag fortify Fortify hardening detects a probable buffer overflow in vim at runtime. This has to be fixed upstream. Debian also disables fortify: https://anonscm.debian.org/cgit/pkg-vim/vim.git/tree/debian/rules#n6 --- pkgs/applications/editors/vim/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix index 1249b0b9564..01ba9abe9d9 100644 --- a/pkgs/applications/editors/vim/default.nix +++ b/pkgs/applications/editors/vim/default.nix @@ -30,6 +30,8 @@ stdenv.mkDerivation rec { "--enable-nls" ]; + hardeningDisable = [ "fortify" ]; + postInstall = '' ln -s $out/bin/vim $out/bin/vi mkdir -p $out/share/vim From 05a02c53a06043f6138a910adf073723a3f066d3 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 6 Mar 2016 00:14:55 +0100 Subject: [PATCH 347/603] cc-wrapper: -pie is a ldflag --- pkgs/build-support/cc-wrapper/add-hardening | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
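Review bot: `hardeningDisable = [ "fortify" ];` in vim/default.nix has no in-file explanation, although the commit message carries exactly what a maintainer needs; the vim/configurable.nix hunk in a later commit on this page has the same omission. Suggest `# Fortify detects a probable buffer overflow at runtime; disabled until fixed upstream (Debian does the same).` directly above the line. Be aware that this removes the runtime check rather than the overflow the commit message says it reports, so the condition stays in the binary and is merely no longer caught; a link to the upstream report next to the comment would make it clear when the disable can be dropped.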
diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index 08fdd52be08..f211d11ab3e 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening @@ -15,7 +15,8 @@ if [[ ! $hardeningDisable == "all" ]]; then hardeningCFlags+=('-fstack-protector-strong') ;; pie) - hardeningCFlags+=('-fPIE' '-pie') + hardeningCFlags+=('-fPIE') + hardeningLDFlags+=('-pie') ;; pic) hardeningCFlags+=('-fPIC') From fb57bfbd4f66943b59ed67499aa8cb0c8f4f9e6f Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 6 Mar 2016 00:15:18 +0100 Subject: [PATCH 348/603] php: enable PIE hardening --- pkgs/development/interpreters/php/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/interpreters/php/default.nix b/pkgs/development/interpreters/php/default.nix index 5503ee9c887..0c28d9cb299 100644 --- a/pkgs/development/interpreters/php/default.nix +++ b/pkgs/development/interpreters/php/default.nix @@ -249,6 +249,8 @@ let calendarSupport = config.php.calendar or true; }; + hardeningEnable = [ "pie" ]; + configurePhase = '' # Don't record the configure flags since this causes unnecessary # runtime dependencies. From 6473000edd8cda46bf891827b56999ab80e3478d Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 6 Mar 2016 00:15:35 +0100 Subject: [PATCH 349/603] opendkim: enable PIE hardening --- pkgs/development/libraries/opendkim/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/opendkim/default.nix b/pkgs/development/libraries/opendkim/default.nix index e89cd880df1..752ff6be388 100644 --- a/pkgs/development/libraries/opendkim/default.nix +++ b/pkgs/development/libraries/opendkim/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { configureFlags= [ "--with-milter=${libmilter}" ]; + hardeningEnable = [ "pie" ]; + nativeBuildInputs = [ pkgconfig makeWrapper ]; buildInputs = [ libbsd openssl libmilter perl ]; 
From 1fb09c1e7d8a86aa46cfb18fc1aa3b91c9633199 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 6 Mar 2016 00:15:49 +0100 Subject: [PATCH 350/603] dhcpcd: enable PIE hardening --- pkgs/tools/networking/dhcpcd/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/networking/dhcpcd/default.nix b/pkgs/tools/networking/dhcpcd/default.nix index 856f75f0633..1d1f927001f 100644 --- a/pkgs/tools/networking/dhcpcd/default.nix +++ b/pkgs/tools/networking/dhcpcd/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig udev ]; + hardeningEnable = [ "pie" ]; + configureFlags = [ "--sysconfdir=/etc" "--localstatedir=/var" From 1b4ec4b4959fbae154ea079f1ec8d15bcf6ff707 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 6 Mar 2016 15:45:44 +0000 Subject: [PATCH 351/603] linuxPackages.virtualbox: disable fortify/pic/stackprotector --- pkgs/applications/virtualization/virtualbox/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/virtualization/virtualbox/default.nix b/pkgs/applications/virtualization/virtualbox/default.nix index c0fd8214b31..e7232f056da 100644 --- a/pkgs/applications/virtualization/virtualbox/default.nix +++ b/pkgs/applications/virtualization/virtualbox/default.nix @@ -74,6 +74,8 @@ in stdenv.mkDerivation { ++ optional pythonBindings python ++ optional pulseSupport libpulseaudio; + hardeningDisable = [ "fortify" "pic" "stackprotector" ]; + prePatch = '' set -x MODULES_BUILD_DIR=`echo ${kernel.dev}/lib/modules/*/build` From 2013614e1d74ad6b0f2d5ab76f3e2b77183806fe Mon Sep 17 00:00:00 2001 
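Review bot: `hardeningDisable = [ "fortify" "pic" "stackprotector" ];` is set on the whole virtualbox derivation, and the surrounding context (`optional pythonBindings python`, `optional pulseSupport libpulseaudio`) suggests this derivation also builds the userspace side, so the three features appear to be switched off for those binaries too, not only for the kernel modules the subject names. If it is the module build that rejects these flags, say so in a comment and, if the build system allows, limit the flag removal to that part. At minimum add `# out-of-tree kernel module build cannot take these flags (TODO: record which flag fails where)` above the line, since nothing on the page states the reason.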
From: Robin Gloster Date: Sun, 6 Mar 2016 16:56:29 +0000 Subject: [PATCH 352/603] vim-configurable: Disable hardening flag fortify Fortify hardening detects a probable buffer overflow in vim at runtime. This has to be fixed upstream. Debian also disables fortify: https://anonscm.debian.org/cgit/pkg-vim/vim.git/tree/debian/rules#n6 --- pkgs/applications/editors/vim/configurable.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/editors/vim/configurable.nix b/pkgs/applications/editors/vim/configurable.nix index 2a80f5d42ad..d041295ee9f 100644 --- a/pkgs/applications/editors/vim/configurable.nix +++ b/pkgs/applications/editors/vim/configurable.nix @@ -191,6 +191,8 @@ composableDerivation { dontStrip = 1; + hardeningDisable = [ "fortify" ]; + meta = with stdenv.lib; { description = "The most popular clone of the VI editor"; homepage = http://www.vim.org; From 63f60b6a13985645a821a9674ce23799d272eb16 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 6 Mar 2016 15:27:41 +0100 Subject: [PATCH 353/603] cc-wrapper: Disable pie when linking shared libraries --- pkgs/build-support/cc-wrapper/add-hardening | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index f211d11ab3e..ba6fd4f77a9 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening @@ -16,7 +16,9 @@ if [[ ! $hardeningDisable == "all" ]]; then ;; pie) hardeningCFlags+=('-fPIE') - hardeningLDFlags+=('-pie') + if [[ ! "$*" =~ "-shared" ]]; then + hardeningLDFlags+=('-pie') + fi ;; pic) hardeningCFlags+=('-fPIC') From ab1092875a6292e6fc5fb34d48436cf02374e00c Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 6 Mar 2016 18:03:57 +0100 Subject: [PATCH 354/603] cc-wrapper: Disable pie for linking static libs --- pkgs/build-support/cc-wrapper/add-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index ba6fd4f77a9..92e10db3ea4 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening @@ -16,7 +16,7 @@ if [[ ! $hardeningDisable == "all" ]]; then ;; pie) hardeningCFlags+=('-fPIE') - if [[ ! "$*" =~ "-shared" ]]; then + if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then hardeningLDFlags+=('-pie') fi ;; From b2b499e6c40a36ff8cdbfd8d27096592d0f394cb Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Mon, 7 Mar 2016 01:29:11 +0100 Subject: [PATCH 355/603] cc-wrapper: Increase number of functions for stackprotector --- pkgs/build-support/cc-wrapper/add-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index 92e10db3ea4..966d68e1948 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening @@ -12,7 +12,7 @@ if [[ ! $hardeningDisable == "all" ]]; then hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2') ;; stackprotector) - hardeningCFlags+=('-fstack-protector-strong') + hardeningCFlags+=('-fstack-protector-strong' '--param ssp-buffer-size=4') ;; pie) hardeningCFlags+=('-fPIE') From baee91ec60ca724b00027033a8e0d7f97cf376a7 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Mon, 7 Mar 2016 21:39:26 +0100 Subject: [PATCH 356/603] cc-wrapper: Check if ld supports -z, fixes darwin --- pkgs/build-support/cc-wrapper/add-hardening | 7 ++++++- pkgs/build-support/cc-wrapper/cc-wrapper.sh | 1 + pkgs/build-support/cc-wrapper/ld-wrapper.sh | 1 + pkgs/development/libraries/gmp/5.1.x.nix | 2 +- pkgs/shells/bash/default.nix | 2 ++ 5 files changed, 11 insertions(+), 2 deletions(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index 966d68e1948..ab8ce610e27 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening 
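Review bot: The padded match `"$*" =~ " -shared "` (likewise `" -static "`) still misses `-shared` or `-static` when it is the first or last argument, because `"$*"` carries no leading or trailing space; a link line ending in `-shared` therefore still gets `-pie` appended to `hardeningLDFlags`. Padding the haystack instead closes that gap: `if [[ ! (" $* " =~ " -shared " || " $* " =~ " -static ") ]]; then`. The enclosing `for`/`case` begins above the hunk.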
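Review bot: `'--param ssp-buffer-size=4'` is a single array element containing a space, so it only reaches the compiler as two arguments if `hardeningCFlags` is later expanded unquoted, the way ld-wrapper.sh does for `hardeningLDFlags` with `extra=(${hardeningLDFlags[@]})`; with the quoted `"${arr[@]}"` idiom it would arrive as one unrecognised option. Separately, as far as GCC's documentation goes `ssp-buffer-size` only sets the threshold for plain `-fstack-protector`; under `-fstack-protector-strong` any function with a local array is already instrumented, so the parameter does not widen coverage as the commit subject intends. Either split it into `'--param' 'ssp-buffer-size=4'` with a comment stating what it is meant to change, or drop it.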
+++ b/pkgs/build-support/cc-wrapper/add-hardening @@ -2,11 +2,16 @@ hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow) hardeningFlags+=("${hardeningEnable[@]}") hardeningCFlags=() hardeningLDFlags=() +hardeningDisable=(${hardeningDisable[@]}) + +if [[ "$($LD -z 2>&1)" =~ "unknown option" ]]; then + hardeningDisable+=(bindnow relro) +fi if [[ ! $hardeningDisable == "all" ]]; then for flag in "${hardeningFlags[@]}" do - if [[ ! "$hardeningDisable" =~ "$flag" ]]; then + if [[ ! "${hardeningDisable[@]}" =~ "$flag" ]]; then case $flag in fortify) hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2') diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh index a8a08e5e144..e07eb8b41dc 100644 --- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh @@ -89,6 +89,7 @@ if [[ "@prog@" = *++ ]]; then fi fi +LD=@ldPath@/ld source @out@/nix-support/add-hardening.sh # Add the flags for the C compiler proper. diff --git a/pkgs/build-support/cc-wrapper/ld-wrapper.sh b/pkgs/build-support/cc-wrapper/ld-wrapper.sh index 12c0709570b..09e87975437 100644 --- a/pkgs/build-support/cc-wrapper/ld-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/ld-wrapper.sh @@ -47,6 +47,7 @@ if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \ params=("${rest[@]}") fi +LD=@prog@ source @out@/nix-support/add-hardening.sh extra=(${hardeningLDFlags[@]}) diff --git a/pkgs/development/libraries/gmp/5.1.x.nix b/pkgs/development/libraries/gmp/5.1.x.nix index e803c7c56ac..5f20d66768e 100644 --- a/pkgs/development/libraries/gmp/5.1.x.nix +++ b/pkgs/development/libraries/gmp/5.1.x.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ m4 ]; # FIXME needs gcc 4.9 in bootstrap tools - hardeningDisable = [ "stackprotector" ]; + hardeningDisable = [ "format" "stackprotector" ]; patches = if stdenv.isDarwin then [ ./need-size-t.patch ] else null; 
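Review bot: The new `if [[ "$($LD -z 2>&1)" =~ "unknown option" ]]` probe runs the linker on every compiler and linker invocation and keys on an English diagnostic, so the outcome depends on the locale and on the exact wording of whichever `ld` is in use. It also keeps relro/bindnow enabled whenever `$LD` is unset or the message differs (an unset `LD` runs `-z` as a command, which never matches); that is a reasonable fail-open default but should be written down. Probing once when the wrapper is built, or at least caching the result where both `source` sites can read it, would avoid the per-call fork; a comment such as `# ld64 (darwin) rejects -z, GNU ld accepts it: detect and drop relro/bindnow` would record the intent the commit subject gives.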
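Review bot: The `# FIXME needs gcc 4.9 in bootstrap tools` comment above the changed gmp line explains only `stackprotector`; the newly added `"format"` entry is left unexplained, and the bash hunk in the same commit adds `hardeningDisable = [ "format" ];` with no comment at all. Record the failing warning next to each, e.g. `# format: fails under -Werror=format-security (TODO: note the file)`, so the disables can be revisited once the code is fixed.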
diff --git a/pkgs/shells/bash/default.nix b/pkgs/shells/bash/default.nix index 60504ecaa9b..c9eee56b905 100644 --- a/pkgs/shells/bash/default.nix +++ b/pkgs/shells/bash/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { inherit sha256; }; + hardeningDisable = [ "format" ]; + outputs = [ "out" "doc" ]; NIX_CFLAGS_COMPILE = '' From fedf31660dd637aa9a4374c0afc2f7c620bf232a Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 8 Mar 2016 00:39:07 +0100 Subject: [PATCH 357/603] nginx: Rmove custom hardening, now enabled by default --- pkgs/servers/http/nginx/default.nix | 9 +-------- pkgs/servers/http/nginx/unstable.nix | 11 +++-------- 2 files changed, 4 insertions(+), 16 deletions(-) diff --git a/pkgs/servers/http/nginx/default.nix b/pkgs/servers/http/nginx/default.nix index 1aaa2412702..22ce5e75445 100644 --- a/pkgs/servers/http/nginx/default.nix +++ b/pkgs/servers/http/nginx/default.nix @@ -54,14 +54,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = [ "-I${libxml2}/include/libxml2" ] ++ optional stdenv.isDarwin "-Wno-error=deprecated-declarations -Wno-error=conditional-uninitialized"; - preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules) - + optionalString (hardening && (stdenv.cc.cc.isGNU or false)) '' - configureFlagsArray=( - --with-cc-opt="-fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2" - --with-ld-opt="-pie -Wl,-z,relro,-z,now" - ) - '' - ; + preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules); hardeningEnable = [ "pie" ]; diff --git a/pkgs/servers/http/nginx/unstable.nix b/pkgs/servers/http/nginx/unstable.nix index e85fb96d2ed..5adfb55cb2f 100644 --- a/pkgs/servers/http/nginx/unstable.nix +++ b/pkgs/servers/http/nginx/unstable.nix 
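Review bot: Dropping the `optionalString (hardening && ...)` block leaves the `hardening` argument, if it is still declared in the file header outside this hunk, without any effect, so a caller passing `hardening = false` now silently gets the wrapper defaults plus the unconditional `hardeningEnable = [ "pie" ]`; the argument should be removed or mapped onto `hardeningDisable`. Also worth a line in the commit message: the removed block used `-fstack-protector-all`, while the wrapper applies `-fstack-protector-strong`, so stack-protector coverage for nginx narrows slightly with this change. The unstable.nix hunk that follows has the same two points.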
@@ -52,14 +52,9 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = [ "-I${libxml2}/include/libxml2" ] ++ optional stdenv.isDarwin "-Wno-error=deprecated-declarations"; - preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules) - + optionalString (hardening && (stdenv.cc.cc.isGNU or false)) '' - configureFlagsArray=( - --with-cc-opt="-fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2" - --with-ld-opt="-pie -Wl,-z,relro,-z,now" - ) - '' - ; + preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules); + + hardeningEnable = [ "pie" ]; postInstall = '' mv $out/sbin $out/bin From ac73835b54b3145ee9dcd3f4abb5107c95d8ca6e Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 8 Mar 2016 00:39:39 +0100 Subject: [PATCH 358/603] quicktun: Remove custom hardening, now enabled by default --- pkgs/tools/networking/quicktun/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/tools/networking/quicktun/default.nix b/pkgs/tools/networking/quicktun/default.nix index f07cfe4d072..ed559f5d5c9 100644 --- a/pkgs/tools/networking/quicktun/default.nix +++ b/pkgs/tools/networking/quicktun/default.nix @@ -11,8 +11,6 @@ stdenv.mkDerivation rec { sha256 = "0m7gvlgs1mhyw3c8s2dg05j7r7hz8kjpb0sk245m61ir9dmwlf8i"; }; - CFLAGS = "-fPIE -fPIC -pie -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro,-z,now"; - buildInputs = [ libsodium ]; phases = [ "unpackPhase" "buildPhase" "installPhase" ]; From 965abb6d54b57b3f4839f9a472f2a60ca2f4de12 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 8 Mar 2016 21:45:55 +0100 Subject: [PATCH 359/603] libxml2: Disable bindnow hardening --- pkgs/development/libraries/libxml2/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/libxml2/default.nix b/pkgs/development/libraries/libxml2/default.nix index cac8f10d37a..1bb487fd8cd 100644 --- a/pkgs/development/libraries/libxml2/default.nix 
+++ b/pkgs/development/libraries/libxml2/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation (rec { sha256 = "0bd17g6znn2r98gzpjppsqjg33iraky4px923j3k8kdl8qgy7sad"; }; + hardeningDisable = [ "bindnow" ]; + outputs = [ "out" "doc" ]; buildInputs = stdenv.lib.optional pythonSupport python From 9a5b070b4591a554b9cf36490d54c0ae28f5c22e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 8 Mar 2016 20:51:35 +0000 Subject: [PATCH 360/603] hardening: debug with NIX_DEBUG --- pkgs/build-support/cc-wrapper/add-hardening | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index ab8ce610e27..abfd49766db 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening 
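Review bot: `hardeningDisable = [ "bindnow" ];` has no comment, and the commit message gives no reason either. `-z now` is what completes RELRO (relro alone leaves the GOT writable until lazy binding has finished), and libxml2 is a parser routinely fed untrusted input, so an unexplained opt-out here is the kind that never gets revisited. Please put the failing symptom above the line, e.g. `# bindnow: <symptom> (TODO: link the issue)`, and consider whether the disable can be limited to the affected output.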
@@ -14,30 +14,39 @@ if [[ ! $hardeningDisable == "all" ]]; then if [[ ! "${hardeningDisable[@]}" =~ "$flag" ]]; then case $flag in fortify) + if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling fortify; fi hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2') ;; stackprotector) + if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling stackprotector; fi hardeningCFlags+=('-fstack-protector-strong' '--param ssp-buffer-size=4') ;; pie) + if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling CFlags -fPIE; fi hardeningCFlags+=('-fPIE') if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then + if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling LDFlags -pie; fi hardeningLDFlags+=('-pie') fi ;; pic) + if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling pic; fi hardeningCFlags+=('-fPIC') ;; strictoverflow) + if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling strictoverflow; fi hardeningCFlags+=('-fno-strict-overflow') ;; format) + if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling format; fi hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security') ;; relro) + if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling relro; fi hardeningLDFlags+=('-z relro') ;; bindnow) + if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling bindnow; fi hardeningLDFlags+=('-z now') ;; *) From 514a478e614f0ac439f84f72e2f9814f2bc1d01f Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 9 Mar 2016 10:08:07 +0100 Subject: [PATCH 361/603] cc-wrapper: Fix if syntax --- pkgs/build-support/cc-wrapper/add-hardening | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index abfd49766db..82477c6b7d9 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening 
@@ -14,39 +14,39 @@ if [[ ! $hardeningDisable == "all" ]]; then if [[ ! "${hardeningDisable[@]}" =~ "$flag" ]]; then case $flag in fortify) - if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling fortify; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify; fi hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2') ;; stackprotector) - if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling stackprotector; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackprotector; fi hardeningCFlags+=('-fstack-protector-strong' '--param ssp-buffer-size=4') ;; pie) - if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling CFlags -fPIE; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling CFlags -fPIE; fi hardeningCFlags+=('-fPIE') if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then - if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling LDFlags -pie; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling LDFlags -pie; fi hardeningLDFlags+=('-pie') fi ;; pic) - if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling pic; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling pic; fi hardeningCFlags+=('-fPIC') ;; strictoverflow) - if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling strictoverflow; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling strictoverflow; fi hardeningCFlags+=('-fno-strict-overflow') ;; format) - if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling format; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling format; fi hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security') ;; relro) - if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling relro; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling relro; fi hardeningLDFlags+=('-z relro') ;; bindnow) - if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling bindnow; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow; fi hardeningLDFlags+=('-z now') ;; *) 
From 7e2e0dfe7a4f9977ae0b6d74c821f8ffe7739efa Mon Sep 17 00:00:00 2001 From: Tristan Helmich Date: Thu, 10 Mar 2016 15:47:55 +0100 Subject: [PATCH 362/603] cc-wrapper: Use stderr for NIX_DEBUG output Otherwise configure scripts might break when looking for the path to ld --- pkgs/build-support/cc-wrapper/add-hardening | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index 82477c6b7d9..cd7718801ef 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening 
@@ -14,43 +14,43 @@ if [[ ! $hardeningDisable == "all" ]]; then if [[ ! "${hardeningDisable[@]}" =~ "$flag" ]]; then case $flag in fortify) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify >&2; fi hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2') ;; stackprotector) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackprotector; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackprotector >&2; fi hardeningCFlags+=('-fstack-protector-strong' '--param ssp-buffer-size=4') ;; pie) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling CFlags -fPIE; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi hardeningCFlags+=('-fPIE') if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling LDFlags -pie; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi hardeningLDFlags+=('-pie') fi ;; pic) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling pic; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling pic >&2; fi hardeningCFlags+=('-fPIC') ;; strictoverflow) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling strictoverflow; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling strictoverflow >&2; fi hardeningCFlags+=('-fno-strict-overflow') ;; format) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling format; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling format >&2; fi hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security') ;; relro) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling relro; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling relro >&2; fi hardeningLDFlags+=('-z relro') ;; bindnow) - if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow >&2; fi hardeningLDFlags+=('-z 
now') ;; *) - echo "Hardening flag unknown: $flag" + echo "Hardening flag unknown: $flag" >&2 ;; esac fi From 1a5acdb6956e58111cadcd15e6220fdffc9d4b64 Mon Sep 17 00:00:00 2001 From: Tristan Helmich Date: Fri, 11 Mar 2016 14:02:07 +0100 Subject: [PATCH 363/603] cc-wrapper: Add additional NIX_DEBUG statements --- pkgs/build-support/cc-wrapper/add-hardening | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index cd7718801ef..219aa74894c 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening @@ -8,7 +8,10 @@ if [[ "$($LD -z 2>&1)" =~ "unknown option" ]]; then hardeningDisable+=(bindnow relro) fi +if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi + if [[ ! $hardeningDisable == "all" ]]; then + if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi for flag in "${hardeningFlags[@]}" do if [[ ! "${hardeningDisable[@]}" =~ "$flag" ]]; then From a9b942c0617b1cd5f0732d05eadad0114a178f37 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 14 Mar 2016 00:26:52 +0000 Subject: [PATCH 364/603] cc-wrapper: treat hardeningDisable as string This fixes passing the env variable to the ld-wrapper through the gcc call. Wtf?! --- pkgs/build-support/cc-wrapper/add-hardening | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index 219aa74894c..d5966136b9d 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening 
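Review bot: The one code path that silently weakens hardening, the `$LD -z` probe at the top of the hunk that appends `bindnow relro` to hardeningDisable when the linker rejects `-z`, still gets no NIX_DEBUG line even though this commit is about adding them. A message inside that branch, `if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: linker does not support -z, disabling bindnow and relro' >&2; fi`, would make a lost relro/bindnow visible in the build log instead of only in the resulting binaries. Note also that the new debug echo prints `$hardeningDisable`, which for an array expands to its first element only; `${hardeningDisable[@]}` would show all of them (the following patch turns the variable into a string, after which this no longer applies).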
@@ -2,10 +2,10 @@ hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow) hardeningFlags+=("${hardeningEnable[@]}") hardeningCFlags=() hardeningLDFlags=() -hardeningDisable=(${hardeningDisable[@]}) +hardeningDisable=${hardeningDisable:-""} if [[ "$($LD -z 2>&1)" =~ "unknown option" ]]; then - hardeningDisable+=(bindnow relro) + hardeningDisable+=" bindnow relro" fi if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi @@ -14,7 +14,7 @@ if [[ ! $hardeningDisable == "all" ]]; then if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi for flag in "${hardeningFlags[@]}" do - if [[ ! "${hardeningDisable[@]}" =~ "$flag" ]]; then + if [[ ! "${hardeningDisable}" =~ "$flag" ]]; then case $flag in fortify) if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify >&2; fi From 7dea0e91acb14b64f7c941399360fcf3a783f552 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 28 Mar 2016 19:17:23 +0000 Subject: [PATCH 365/603] gcc/isl: move bootstrap hardening flags to new bootstrap env --- pkgs/development/compilers/gcc/4.9/default.nix | 3 +-- pkgs/development/compilers/gcc/5/default.nix | 3 ++- pkgs/development/libraries/isl/0.11.1.nix | 3 --- pkgs/development/libraries/isl/0.14.1.nix | 3 +++ 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix index d4c8d018ff2..02d48bc76f1 100644 --- a/pkgs/development/compilers/gcc/4.9/default.nix +++ b/pkgs/development/compilers/gcc/4.9/default.nix @@ -220,8 +220,7 @@ stdenv.mkDerivation ({ inherit patches; - # FIXME stackprotector needs gcc 4.9 in bootstrap tools - hardeningDisable = [ "format" "stackprotector" ]; + hardeningDisable = [ "format" ]; postPatch = if (stdenv.isGNU 
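Review bot: Turning hardeningDisable into a string breaks the `all` short-circuit whenever the `$LD -z` probe fails: `hardeningDisable+=" bindnow relro"` makes the value `all bindnow relro`, `[[ ! $hardeningDisable == "all" ]]` then no longer matches, and the loop enables every flag because `all` is not a substring of any flag name. With the previous array the `==` test compared the first element, so this is a regression introduced by this commit. The per-flag test in the second hunk is also a bare substring match, so any flag name that contains another would be mis-detected; matching whole words fixes both, e.g. `if [[ ! " $hardeningDisable " == *" all "* ]]; then` and `if [[ ! " $hardeningDisable " == *" $flag "* ]]; then`. The outer `if` is the @@ context line of the second hunk and is otherwise unchanged.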
diff --git a/pkgs/development/compilers/gcc/5/default.nix b/pkgs/development/compilers/gcc/5/default.nix index ed872703db8..f0a0b8e3464 100644 --- a/pkgs/development/compilers/gcc/5/default.nix +++ b/pkgs/development/compilers/gcc/5/default.nix @@ -216,7 +216,8 @@ stdenv.mkDerivation ({ sha256 = "1ny4smkp5bzs3cp8ss7pl6lk8yss0d9m4av1mvdp72r1x695akxq"; }; - hardeningDisable = [ "format" ]; + # FIXME stackprotector needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" "format" ]; inherit patches; diff --git a/pkgs/development/libraries/isl/0.11.1.nix b/pkgs/development/libraries/isl/0.11.1.nix index f62d898cff7..63140dba37f 100644 --- a/pkgs/development/libraries/isl/0.11.1.nix +++ b/pkgs/development/libraries/isl/0.11.1.nix @@ -13,9 +13,6 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - # FIXME needs gcc 4.9 in bootstrap tools - hardeningDisable = [ "stackprotector" ]; - meta = { homepage = http://www.kotnet.org/~skimo/isl/; license = stdenv.lib.licenses.lgpl21; diff --git a/pkgs/development/libraries/isl/0.14.1.nix b/pkgs/development/libraries/isl/0.14.1.nix index 8196dec283a..77ba20cbb20 100644 --- a/pkgs/development/libraries/isl/0.14.1.nix +++ b/pkgs/development/libraries/isl/0.14.1.nix @@ -12,6 +12,9 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + meta = { homepage = http://www.kotnet.org/~skimo/isl/; license = stdenv.lib.licenses.lgpl21; From 247bc1ac9e921215b44dad3eb643ec7da5c50cf2 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 28 Mar 2016 20:20:38 +0000 Subject: [PATCH 366/603] libidn: disable format hardening --- pkgs/development/libraries/libidn/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/libidn/default.nix b/pkgs/development/libraries/libidn/default.nix index c3c6c13c98f..713e1d39954 100644 --- a/pkgs/development/libraries/libidn/default.nix 
+++ b/pkgs/development/libraries/libidn/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { doCheck = ! stdenv.isDarwin; + hardeningDisable = [ "format" ]; + buildInputs = stdenv.lib.optional stdenv.isDarwin libiconv; meta = { From 97782aa79e2dad52697023e189826d8b9b39723e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 28 Mar 2016 22:14:14 +0000 Subject: [PATCH 367/603] opendkim: don't enable pie hardening --- pkgs/development/libraries/opendkim/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/development/libraries/opendkim/default.nix b/pkgs/development/libraries/opendkim/default.nix index 752ff6be388..e89cd880df1 100644 --- a/pkgs/development/libraries/opendkim/default.nix +++ b/pkgs/development/libraries/opendkim/default.nix @@ -10,8 +10,6 @@ stdenv.mkDerivation rec { configureFlags= [ "--with-milter=${libmilter}" ]; - hardeningEnable = [ "pie" ]; - nativeBuildInputs = [ pkgconfig makeWrapper ]; buildInputs = [ libbsd openssl libmilter perl ]; From b8e0cb3fe74f08f2431877a0789262d6afdf1718 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 28 Mar 2016 23:09:19 +0000 Subject: [PATCH 368/603] jbig2enc: fix merge --- pkgs/tools/graphics/jbig2enc/default.nix | 7 ------- 1 file changed, 7 deletions(-) diff --git a/pkgs/tools/graphics/jbig2enc/default.nix b/pkgs/tools/graphics/jbig2enc/default.nix index 62c29a6192f..0bb0bb00efa 100644 --- a/pkgs/tools/graphics/jbig2enc/default.nix +++ b/pkgs/tools/graphics/jbig2enc/default.nix @@ -8,13 +8,6 @@ stdenv.mkDerivation { sha256 = "1wc0lmqz4jag3rhhk1xczlqpfv2qqp3fz7wzic2lba3vsbi1rrw3"; }; - patches = [ - (fetchpatch { - url = "https://github.com/agl/jbig2enc/commit/53ce5fe7e73d7ed95c9e12b52dd4984723f865fa.diff"; - sha256 = "0n6s24i1fy9xspawns3r0kmx2fl0q3wqp68l1yai36jhfw08i3n4"; - }) - ]; - propagatedBuildInputs = [ leptonica zlib libwebp giflib libjpeg libpng libtiff ]; patches = [ From 4c55a0dbc5aafb1057ceeefbc3e2d343749caf3b Mon Sep 17 00:00:00 2001 
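Review bot: `hardeningDisable = [ "format" ];` is added without saying what breaks, so a later maintainer cannot tell when it is safe to remove; each of these opt-outs switches off a mitigation (here `-Werror=format-security`, which rejects non-literal format strings) and deserves a one-line why-comment such as `# build fails with -Werror=format-security in <offending file> — TODO confirm`. The same applies to the unexplained opt-outs later in this series: ccrypt (format), grub4dos and qboot (stackprotector), syslinux (fortify), libaio, spidermonkey and singular (i686 stackprotector), dietlibc (i686 pic) and the kernel modules mxu11x0, rtl8723bs and mba6x_bl (pic). For the kernel modules the reason is presumably that out-of-tree modules are compiled with the kernel's own flags, which do not admit PIC; stating that keeps the exception auditable.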
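Review bot: Dropping `hardeningEnable = [ "pie" ];` removes ASLR for the opendkim main executable, a network-facing milter, and neither the commit message nor the expression records what failed. If the build or the runtime broke, a comment at the place the line was removed, such as `# PIE disabled: <reason> — TODO re-enable once fixed`, keeps the decision auditable; the same goes for the dhcpcd hunk (patch 370) and the php revert (patch 387) later in the series.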
From: Robin Gloster Date: Mon, 28 Mar 2016 23:40:52 +0000 Subject: [PATCH 369/603] qcmm: fix merge --- pkgs/development/compilers/qcmm/builder.sh | 29 ----- pkgs/development/compilers/qcmm/qcmm.patch | 121 --------------------- pkgs/top-level/all-packages.nix | 5 - 3 files changed, 155 deletions(-) delete mode 100644 pkgs/development/compilers/qcmm/builder.sh delete mode 100644 pkgs/development/compilers/qcmm/qcmm.patch diff --git a/pkgs/development/compilers/qcmm/builder.sh b/pkgs/development/compilers/qcmm/builder.sh deleted file mode 100644 index acdfbaa08dc..00000000000 --- a/pkgs/development/compilers/qcmm/builder.sh +++ /dev/null @@ -1,29 +0,0 @@ -source $stdenv/setup - -configureFlags="--with-lua=$lua" - -MKFLAGS="-w$lua/include/lauxlib.h,$lua/include/luadebug.h,$lua/include/lua.h,$lua/include/lualib.h" - -buildPhase() { - mk timestamps - mk $MKFLAGS all.opt -} - -installPhase() { - mk $MKFLAGS install.opt - - for file in $out/bin/*.opt; do - mv $file ${file%.opt} - done - - find $out/man -type f -exec gzip -9n {} \; - - find $out -name \*.a -exec echo stripping {} \; \ - -exec strip -S {} \; - - patchELF $out -} - -checkPhase="mk $MKFLAGS test.opt" - -genericBuild diff --git a/pkgs/development/compilers/qcmm/qcmm.patch b/pkgs/development/compilers/qcmm/qcmm.patch deleted file mode 100644 index 414f18a9f73..00000000000 --- a/pkgs/development/compilers/qcmm/qcmm.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -diff -ur qc--20060131.orig/configure qc--20060131/configure ---- qc--20060131.orig/configure 2005-11-05 22:15:24.000000000 +0100 -+++ qc--20060131/configure 2006-02-02 14:29:07.000000000 +0100 -@@ -93,7 +93,22 @@ - # for file in dirs and return, full path, if found, and "" otherwise. - # - --sub search { search_with( sub($) { return (-f shift) }, @_) } -+sub combine { -+ my $base = shift; -+ my $file = shift; -+ return ("$base/$file") -+}; -+ -+sub search { search_with( sub($) { return (-f shift) }, \&combine, @_) } -+ -+sub search_suffix { -+ my $f = sub($) { -+ my $suffix = shift; -+ my $base = shift; -+ return ($base . $suffix); -+ }; -+ search_with(sub($) { return (-f shift) }, $f, @_) -+} - - sub searchx { - my $f = sub($) { -@@ -105,16 +120,17 @@ - } - return (1==2); # how do you write false in perl? - }; -- search_with($f, @_) -+ search_with($f, \&combine, @_) - } - - sub search_with { - my $p = shift; -+ my $com = shift; - my $file = shift; - -- printf(LOG "searching for %-20s", $file); -+ printf(LOG "searching for %-20s ", $file); - while ($f = shift (@_)) { -- my $x = "$f/$file"; -+ my $x = &$com($f, $file); - if (&$p($x)) { - print LOG "found $x\n"; - return $x -@@ -124,6 +140,20 @@ - return ""; - } - -+#configure lua based on some known installation prefix -+sub config_lua { -+ my $base = shift; -+ @libsuffix = ( ".so", "40.so", ".a", "40.a" ); -+ -+ $x{lua_h} = "$base/include/lua.h"; -+ $x{lualib_h} = "$base/include/lualib.h"; -+ $x{liblua} = search_suffix("$base/lib/liblua", @libsuffix); -+ $x{liblualib} = search_suffix("$base/lib/liblualib", @libsuffix); -+ $x{lua_inc} = "-I$base/include"; -+ $x{lua_lib} = "-L$base/lib/"; -+ $x{lua_libs} = "-llua -llualib"; -+} -+ - - # - # compile and run a small C program to find out about architecture -@@ -183,6 +213,8 @@ - - ./configure [options] - -+ --with-lua=/lua/path lua is installed in /lua/path the default -+ is to search for standard locations - --prefix=/usr/local install into the 
/usr/local hierarchy which - is also the default - -h, --help this summary -@@ -224,15 +256,15 @@ - # We start from here with reading the command line - # ------------------------------------------------------------------ - -+open (LOG, ">$configure_log") || die "cannot write configure.log: $!"; -+ - foreach (@ARGV) { - if (/^--?prefix=(.*)$/) { $x{prefix}=$1 } - elsif (/^--?h(elp?)$/) { usage(); exit 0 } -+ elsif (/^--?with-lua=(.*)$/) { config_lua($1) } - else { usage(); exit 1 } - } - -- --open (LOG, ">$configure_log") || die "cannot write configure.log: $!"; -- - # check for various executables and versions. Only update variable if - # it is not already set. - # -diff -ur qc--20060131.orig/doc/mkfile qc--20060131/doc/mkfile ---- qc--20060131.orig/doc/mkfile 2005-11-07 01:41:21.000000000 +0100 -+++ qc--20060131/doc/mkfile 2006-02-02 00:38:00.000000000 +0100 -@@ -92,7 +92,7 @@ - # and accessible from Lua as This.manual. - - qc--.man:D: qc--.1 -- GROFF_NO_SGR=1 nroff -man -Tascii qc--.1 | ul -t dump > $target -+ GROFF_NO_SGR=1 nroff -man -Tascii qc--.1 > $target - - release.tex:D: release.nw - noweave -delay $prereq > $target -diff -ur qc--20060131.orig/mkfile qc--20060131/mkfile ---- qc--20060131.orig/mkfile 2005-07-01 22:29:52.000000000 +0200 -+++ qc--20060131/mkfile 2006-02-02 19:15:53.000000000 +0100 -@@ -97,7 +97,7 @@ - cd test2 && NPROC=1 mk $MKFLAGS all - - test.opt:V: all.opt -- cd test2 && NPROC=1 mk QC=../bin/qc--.opt $MKFLAGS all -+ cd test2 && NPROC=1 mk $MKFLAGS QC=../bin/qc--.opt all - - coverage: test2/ocamlprof.dump - rm -f $target diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 2ed708b1c51..ab44630120c 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
@@ -4976,11 +4976,6 @@ in llvm = llvm_36; }; - qcmm = callPackage ../development/compilers/qcmm { - lua = lua4; - ocaml = ocaml_3_08_0; - }; - rgbds = callPackage ../development/compilers/rgbds { }; rtags = callPackage ../development/tools/rtags/default.nix {}; From 0fc7905db32e82863f401a9c76e3d1bf9018358b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 29 Mar 2016 00:26:35 +0000 Subject: [PATCH 370/603] dhcpcd: do not enable pie hardening --- pkgs/tools/networking/dhcpcd/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/tools/networking/dhcpcd/default.nix b/pkgs/tools/networking/dhcpcd/default.nix index 1d1f927001f..856f75f0633 100644 --- a/pkgs/tools/networking/dhcpcd/default.nix +++ b/pkgs/tools/networking/dhcpcd/default.nix @@ -10,8 +10,6 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig udev ]; - hardeningEnable = [ "pie" ]; - configureFlags = [ "--sysconfdir=/etc" "--localstatedir=/var" From c9ebdd4cac5d0170c9c4368a0c978a83a008c00f Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 29 Mar 2016 00:34:20 +0000 Subject: [PATCH 371/603] libaio.i686: disable stackprotector hardening --- pkgs/os-specific/linux/libaio/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/libaio/default.nix b/pkgs/os-specific/linux/libaio/default.nix index b3df129912e..1e85182d6c3 100644 --- a/pkgs/os-specific/linux/libaio/default.nix +++ b/pkgs/os-specific/linux/libaio/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { makeFlags = "prefix=$(out)"; + hardeningDisable = stdenv.lib.optional (stdenv.isi686) "stackprotector"; + meta = { description = "Library for asynchronous I/O in Linux"; homepage = http://lse.sourceforge.net/io/aio.html; From 8f94246e07bdf91675b69b45f73e033e81bb3818 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Tue, 29 Mar 2016 10:22:14 +0000 Subject: [PATCH 372/603] linuxPackages.mxu11x0: disable pic hardening --- pkgs/os-specific/linux/mxu11x0/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/mxu11x0/default.nix b/pkgs/os-specific/linux/mxu11x0/default.nix index 4af40432403..ed88fc643fd 100644 --- a/pkgs/os-specific/linux/mxu11x0/default.nix +++ b/pkgs/os-specific/linux/mxu11x0/default.nix @@ -28,6 +28,8 @@ stdenv.mkDerivation { enableParallelBuilding = true; + hardeningDisable = [ "pic" ]; + meta = with stdenv.lib; { description = "MOXA UPort 11x0 USB to Serial Hub driver"; homepage = "https://github.com/ellysh/mxu11x0"; From ba3399b92fb7bc1a81c91afeb307ed5ea95b06be Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 29 Mar 2016 10:25:06 +0000 Subject: [PATCH 373/603] linuxPackages.rtl8723bs: disable pic hardening --- pkgs/os-specific/linux/rtl8723bs/default.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/pkgs/os-specific/linux/rtl8723bs/default.nix b/pkgs/os-specific/linux/rtl8723bs/default.nix index 6d55c5522f4..2adbb4b743c 100644 --- a/pkgs/os-specific/linux/rtl8723bs/default.nix +++ b/pkgs/os-specific/linux/rtl8723bs/default.nix @@ -5,14 +5,16 @@ let in stdenv.mkDerivation rec { name = "rtl8723bs-${kernel.version}-c517f2b"; - + src = fetchFromGitHub { owner = "hadess"; repo = "rtl8723bs"; rev = "c517f2bf8bcc3d57311252ea7cd49ae81466eead"; sha256 = "0phzrhq85g52pi2b74a9sr9l2x6dzlz714k3pix486w2x5axw4xb"; }; - + + hardeningDisable = [ "pic" ]; + patchPhase = '' substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/" substituteInPlace ./Makefile --replace '$(shell uname -r)' "${kernel.modDirVersion}" 
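Review bot: The rtl8723bs hunk mixes the functional change, `hardeningDisable = [ "pic" ];`, with whitespace-only edits (the `-`/`+` pairs that merely strip trailing spaces from blank lines, continued in the section's second hunk), which hides the actual change in blame and review. Keeping the whitespace cleanup in its own commit, or out of a hardening series altogether, would make the opt-out easier to audit later.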
@@ -20,12 +22,12 @@ stdenv.mkDerivation rec { substituteInPlace ./Makefile --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/" substituteInPlace ./Makefile --replace '/lib/firmware' "$out/lib/firmware" ''; - + preInstall = '' mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/" mkdir -p "$out/lib/firmware/rtlwifi" ''; - + meta = { description = "Realtek SDIO Wi-Fi driver"; homepage = "https://github.com/hadess/rtl8723bs"; From 4666eca4877f2fda81b40cf863d963e1ed4b7d49 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 29 Mar 2016 10:26:32 +0000 Subject: [PATCH 374/603] linuxPackages.mba6x_bl: disable pic hardening --- pkgs/os-specific/linux/mba6x_bl/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/mba6x_bl/default.nix b/pkgs/os-specific/linux/mba6x_bl/default.nix index 010bda4bb15..2a0e53b3925 100644 --- a/pkgs/os-specific/linux/mba6x_bl/default.nix +++ b/pkgs/os-specific/linux/mba6x_bl/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "pic" ]; + makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" "INSTALL_MOD_PATH=$(out)" From 9c3518bd6dc27cfe955d465c1cf51519dd1d917e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 29 Mar 2016 10:58:19 +0000 Subject: [PATCH 375/603] freeswitch: 1.2.3 -> 1.6.6 --- pkgs/servers/sip/freeswitch/default.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pkgs/servers/sip/freeswitch/default.nix b/pkgs/servers/sip/freeswitch/default.nix index e4e1d393a52..1cce4c518ea 100644 --- a/pkgs/servers/sip/freeswitch/default.nix +++ b/pkgs/servers/sip/freeswitch/default.nix 
@@ -1,18 +1,18 @@ { fetchurl, stdenv, ncurses, curl, pkgconfig, gnutls, readline, openssl, perl, libjpeg -, libzrtpcpp, gcc48 }: +, libzrtpcpp }: stdenv.mkDerivation rec { - name = "freeswitch-1.2.3"; + name = "freeswitch-1.6.6"; src = fetchurl { - url = http://files.freeswitch.org/freeswitch-1.2.3.tar.bz2; + url = "http://files.freeswitch.org/releases/freeswitch/${name}.tar.bz2"; sha256 = "0kfvn5f75c6r6yp18almjz9p6llvpm66gpbxcjswrg3ddgbkzg0k"; }; buildInputs = [ ncurses curl pkgconfig gnutls readline openssl perl libjpeg - libzrtpcpp gcc48 ]; + libzrtpcpp ]; - NIX_CFLAGS_COMPILE = "-Wno-error=cpp"; + NIX_CFLAGS_COMPILE = "-Wno-error"; hardeningDisable = [ "format" ]; From a56d90efda33d613a71d8ec7fcf3dadf0fff1be8 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 30 Mar 2016 20:45:31 +0200 Subject: [PATCH 376/603] php: Disable bindnow hardening flag Fixes dynamic linking against i.e. mysql. --- pkgs/development/interpreters/php/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/development/interpreters/php/default.nix b/pkgs/development/interpreters/php/default.nix index 91beac4cd28..6fe6b18e0bf 100644 --- a/pkgs/development/interpreters/php/default.nix +++ b/pkgs/development/interpreters/php/default.nix @@ -250,6 +250,7 @@ let }; hardeningEnable = [ "pie" ]; + hardeningDisable = [ "bindnow" ]; configurePhase = '' # Don't record the configure flags since this causes unnecessary From 753086cd47271260bfef388db6696c1415cb0175 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 31 Mar 2016 09:48:09 +0200 Subject: [PATCH 377/603] wxPython: Fix build --- pkgs/development/python-modules/wxPython/generic.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/pkgs/development/python-modules/wxPython/generic.nix b/pkgs/development/python-modules/wxPython/generic.nix index 334dd975e48..a5e0552a8c1 100644 --- a/pkgs/development/python-modules/wxPython/generic.nix +++ b/pkgs/development/python-modules/wxPython/generic.nix 
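Review bot: The version and URL move from 1.2.3 to 1.6.6 but `sha256 = "0kfvn5f75c6r6yp18almjz9p6llvpm66gpbxcjswrg3ddgbkzg0k";` is left as a context line, so it still describes the 1.2.3 tarball and the fixed-output fetch will fail with a hash mismatch. The hash has to be recomputed for the new tarball (`sha256 = "<hash of freeswitch-1.6.6.tar.bz2>";`). Separately, widening `-Wno-error=cpp` to a blanket `-Wno-error` suppresses every error-promoted warning rather than the one the new release trips, so it is worth recording which warning motivated it; the `hardeningDisable = [ "format" ];` below is unchanged and presumably still needed.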
@@ -22,7 +22,6 @@ stdenv.mkDerivation rec { pythonPath = [ python setuptools ]; buildInputs = [ python setuptools pkgconfig wxGTK (wxGTK.gtk) wrapPython libX11 ] ++ stdenv.lib.optional openglSupport pyopengl; - preConfigure = "cd wxPython"; NIX_LDFLAGS = "-lX11 -lgdk-x11-2.0"; From 5df521abdabe5d294811b9824a5839b1ebbd3127 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 31 Mar 2016 13:57:06 +0200 Subject: [PATCH 378/603] gst-python: Disable bindnow hardening flag Fixes dynamic linking against libxml2. --- .../libraries/gstreamer/legacy/gst-python/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/gstreamer/legacy/gst-python/default.nix b/pkgs/development/libraries/gstreamer/legacy/gst-python/default.nix index 889f55e5000..c8f928ec452 100644 --- a/pkgs/development/libraries/gstreamer/legacy/gst-python/default.nix +++ b/pkgs/development/libraries/gstreamer/legacy/gst-python/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { sha256 = "0y1i4n5m1diljqr9dsq12anwazrhbs70jziich47gkdwllcza9lg"; }; + hardeningDisable = [ "bindnow" ]; + # Need to disable the testFake test case due to bug in pygobject. # See https://bugzilla.gnome.org/show_bug.cgi?id=692479 patches = [ ./disable-testFake.patch ]; From d326ca40a80fe9de9eccb54f3afb071dd623476c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 3 Apr 2016 11:36:13 +0000 Subject: [PATCH 379/603] stunnel: 5.30 -> 5.31 fixes tarball 404 --- pkgs/tools/networking/stunnel/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/networking/stunnel/default.nix b/pkgs/tools/networking/stunnel/default.nix index b3a493c9375..48e3c562583 100644 --- a/pkgs/tools/networking/stunnel/default.nix +++ b/pkgs/tools/networking/stunnel/default.nix 
@@ -2,11 +2,11 @@ stdenv.mkDerivation rec { name = "stunnel-${version}"; - version = "5.30"; + version = "5.31"; src = fetchurl { url = "http://www.stunnel.org/downloads/${name}.tar.gz"; - sha256 = "0w05sqwg3jn7n469w2yxj0cxx7az7jpd8wbcrwxlp5d1ys4v6vkx"; + sha256 = "1dz0p85ha78vxc2hjhrkr4xf8w3q8r177bqdrgm26v6wncdbfim7"; }; buildInputs = [ openssl ]; From 3437b52e6bd510bfd586eede8e52a30a3fef3ba6 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 3 Apr 2016 11:41:30 +0000 Subject: [PATCH 380/603] qboot: turn off stackprotector and pic hardening --- pkgs/applications/virtualization/qboot/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/virtualization/qboot/default.nix b/pkgs/applications/virtualization/qboot/default.nix index e4439ec124f..0c6e3991b1c 100644 --- a/pkgs/applications/virtualization/qboot/default.nix +++ b/pkgs/applications/virtualization/qboot/default.nix @@ -12,7 +12,9 @@ stdenv.mkDerivation { installPhase = '' mkdir -p $out cp bios.bin* $out/. - ''; + ''; + + hardeningDisable = [ "stackprotector" "pic" ]; meta = { description = "A simple x86 firmware for booting Linux"; From f3f9145d230963962942413e21d60e14c9960c6b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 3 Apr 2016 11:49:13 +0000 Subject: [PATCH 381/603] spidermonkey.i686-linux: turn off stackprotector hardening --- pkgs/development/interpreters/spidermonkey/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/development/interpreters/spidermonkey/default.nix b/pkgs/development/interpreters/spidermonkey/default.nix index a7482f269db..fdd8209407c 100644 --- a/pkgs/development/interpreters/spidermonkey/default.nix +++ b/pkgs/development/interpreters/spidermonkey/default.nix 
@@ -8,7 +8,8 @@ stdenv.mkDerivation rec { sha256 = "12v6v2ccw1y6ng3kny3xw0lfs58d1klylqq707k0x04m707kydj4"; }; - hardeningDisable = [ "format" ]; + hardeningDisable = [ "format" ] + ++ stdenv.lib.optional stdenv.isi686 "stackprotector"; buildInputs = [ readline ]; From 025cedc6067e60533cea7afb467042f9ac2e65a8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 3 Apr 2016 12:25:05 +0000 Subject: [PATCH 382/603] singular.i686-linux: turn off stackprotector hardening --- pkgs/applications/science/math/singular/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/science/math/singular/default.nix b/pkgs/applications/science/math/singular/default.nix index 8bae1d6206d..a0fdf7c8239 100644 --- a/pkgs/applications/science/math/singular/default.nix +++ b/pkgs/applications/science/math/singular/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation rec { find . -exec sed -e 's@/bin/uname@${coreutils}&@g' -i '{}' ';' ''; + hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector"; + postInstall = '' rm -rf "$out/LIB" cp -r Singular/LIB "$out" From 1f978b7422061b055cbb092789d2bc4792fe8940 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 3 Apr 2016 12:27:29 +0000 Subject: [PATCH 383/603] Revert "abook: fix compiling with gcc5" This reverts commit 37918bdc7a09e34985c57a3fe64000edf92362b3. has been fixed on master differently --- pkgs/applications/misc/abook/default.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/pkgs/applications/misc/abook/default.nix b/pkgs/applications/misc/abook/default.nix index c9d35efc6cd..2c4bc0f2128 100644 --- a/pkgs/applications/misc/abook/default.nix +++ b/pkgs/applications/misc/abook/default.nix 
@@ -19,11 +19,6 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ pkgconfig ]; buildInputs = [ ncurses readline ]; - # Changed inline semantics in GCC5, need to export symbols for inline funcs - postPatch = '' - substituteInPlace database.c --replace inline extern - ''; - meta = { homepage = "http://abook.sourceforge.net/"; description = "Text-based addressbook program designed to use with mutt mail client"; From 4ee2b2ab7b6d23e4bc67f9bc5fa42819c099972a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 3 Apr 2016 12:37:35 +0000 Subject: [PATCH 384/603] rr: set Wno-error and turn off fortify hardening --- pkgs/development/tools/analysis/rr/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/development/tools/analysis/rr/default.nix b/pkgs/development/tools/analysis/rr/default.nix index ea733b5b461..b0950fb8cb2 100644 --- a/pkgs/development/tools/analysis/rr/default.nix +++ b/pkgs/development/tools/analysis/rr/default.nix @@ -19,6 +19,11 @@ stdenv.mkDerivation rec { buildInputs = [ cmake libpfm zlib python pkgconfig pythonPackages.pexpect which procps gdb ]; cmakeFlags = "-DCMAKE_C_FLAGS_RELEASE:STRING= -DCMAKE_CXX_FLAGS_RELEASE:STRING="; + # we turn on additional warnings due to hardening + NIX_CFLAGS_COMPILE = "-Wno-error"; + + hardeningDisable = [ "fortify" ]; + enableParallelBuilding = true; # FIXME From fbb8067aa12e2e74b60c255e3194942eb46770e4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 3 Apr 2016 12:49:18 +0000 Subject: [PATCH 385/603] dietlibc.i686-linux: disable pic --- pkgs/os-specific/linux/dietlibc/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/dietlibc/default.nix b/pkgs/os-specific/linux/dietlibc/default.nix index 7a2d94100fa..12ffbfbc5ce 100644 --- a/pkgs/os-specific/linux/dietlibc/default.nix +++ b/pkgs/os-specific/linux/dietlibc/default.nix 
@@ -13,7 +13,8 @@ stdenv.mkDerivation { inherit glibc; kernelHeaders = glibc.linuxHeaders; - hardeningDisable = [ "stackprotector" ]; + hardeningDisable = [ "stackprotector" ] + ++ stdenv.lib.optional stdenv.isi686 "pic"; patches = [ From 59781091940fe6fced7dd880f40501deb192f69d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 3 Apr 2016 12:51:54 +0000 Subject: [PATCH 386/603] syslinux: disable fortify hardening --- pkgs/os-specific/linux/syslinux/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/syslinux/default.nix b/pkgs/os-specific/linux/syslinux/default.nix index a68ab9c478c..f4ad94b5085 100644 --- a/pkgs/os-specific/linux/syslinux/default.nix +++ b/pkgs/os-specific/linux/syslinux/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { buildInputs = [ libuuid makeWrapper ]; enableParallelBuilding = false; # Fails very rarely with 'No rule to make target: ...' - hardeningDisable = [ "pic" "stackprotector" ]; + hardeningDisable = [ "pic" "stackprotector" "fortify" ]; preBuild = '' substituteInPlace Makefile --replace /bin/pwd $(type -P pwd) From df72d621f15373de4670a6ee4828e20734323ca2 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 3 Apr 2016 13:31:15 +0000 Subject: [PATCH 387/603] Revert "php: enable PIE hardening" This reverts commit fb57bfbd4f66943b59ed67499aa8cb0c8f4f9e6f. --- pkgs/development/interpreters/php/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/pkgs/development/interpreters/php/default.nix b/pkgs/development/interpreters/php/default.nix index c890a3fc90f..cec808ff862 100644 --- a/pkgs/development/interpreters/php/default.nix +++ b/pkgs/development/interpreters/php/default.nix @@ -249,7 +249,6 @@ let calendarSupport = config.php.calendar or true; }; - hardeningEnable = [ "pie" ]; hardeningDisable = [ "bindnow" ]; configurePhase = '' From db6c023df0f2288fe3811bf14a84deb531e9999f Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Sun, 3 Apr 2016 13:31:29 +0000 Subject: [PATCH 388/603] Revert "libxml2: Disable bindnow hardening" This reverts commit 965abb6d54b57b3f4839f9a472f2a60ca2f4de12. --- pkgs/development/libraries/libxml2/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/development/libraries/libxml2/default.nix b/pkgs/development/libraries/libxml2/default.nix index 1bb487fd8cd..cac8f10d37a 100644 --- a/pkgs/development/libraries/libxml2/default.nix +++ b/pkgs/development/libraries/libxml2/default.nix @@ -13,8 +13,6 @@ stdenv.mkDerivation (rec { sha256 = "0bd17g6znn2r98gzpjppsqjg33iraky4px923j3k8kdl8qgy7sad"; }; - hardeningDisable = [ "bindnow" ]; - outputs = [ "out" "doc" ]; buildInputs = stdenv.lib.optional pythonSupport python From f519a255a56e7c42d04d1beb666d685078cc7e18 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 4 Apr 2016 14:08:53 +0000 Subject: [PATCH 389/603] xorg: switch off bindnow hardening for all packages X otherwise fails to load modules. --- pkgs/servers/x11/xorg/builder.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/x11/xorg/builder.sh b/pkgs/servers/x11/xorg/builder.sh index f5b8803a98a..aabc34dce60 100644 --- a/pkgs/servers/x11/xorg/builder.sh +++ b/pkgs/servers/x11/xorg/builder.sh @@ -50,5 +50,7 @@ fi enableParallelBuilding=1 +# breaks module loading +hardeningDisable="bindnow" genericBuild From bdbce02057e2c172f9629c6238d2048d1949ddb9 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 4 Apr 2016 16:17:14 +0000 Subject: [PATCH 390/603] eggdrop: fix build --- pkgs/tools/networking/eggdrop/default.nix | 6 ------ 1 file changed, 6 deletions(-) diff --git a/pkgs/tools/networking/eggdrop/default.nix b/pkgs/tools/networking/eggdrop/default.nix index 0ad394b0291..a9f2419b136 100644 --- a/pkgs/tools/networking/eggdrop/default.nix +++ b/pkgs/tools/networking/eggdrop/default.nix 
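Review bot: `hardeningDisable="bindnow"` in the shared xorg builder.sh assigns rather than appends, so any per-package hardeningDisable that reaches the builder through the environment is overwritten, and because every xorg derivation runs this script the opt-out also covers libraries and clients that never load modules. Appending preserves package-level settings, `hardeningDisable="$hardeningDisable bindnow"`, and the comment would be more useful if it named the affected component, e.g. `# -z now breaks X server module loading — TODO confirm which packages need this`. Whether any xorg package currently sets its own hardeningDisable is not visible from this hunk.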
@@ -13,14 +13,8 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; - hardeningDisable = [ "format" ]; - patches = [ - # https://github.com/eggheads/eggdrop/issues/123 - ./b34a33255f56bbd2317c26da12d702796d67ed50.patch - ]; - preConfigure = '' prefix=$out/eggdrop mkdir -p $prefix From d00784602d8100bcca8df5e78552eb25386939eb Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 5 Apr 2016 16:21:15 +0000 Subject: [PATCH 391/603] ccrypt: disable format hardening --- pkgs/tools/security/ccrypt/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/security/ccrypt/default.nix b/pkgs/tools/security/ccrypt/default.nix index e6a63a2f288..0afa9108689 100644 --- a/pkgs/tools/security/ccrypt/default.nix +++ b/pkgs/tools/security/ccrypt/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { nativeBuildInputs = [ perl ]; + hardeningDisable = [ "format" ]; + meta = { homepage = http://ccrypt.sourceforge.net/; description = "Utility for encrypting and decrypting files and streams with AES-256"; From d8d6f0bfcb827ad7f852556fcd50b48c1e2eb184 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 5 Apr 2016 16:29:55 +0000 Subject: [PATCH 392/603] grub4dos: disable stackprotector hardening --- pkgs/tools/misc/grub4dos/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/grub4dos/default.nix b/pkgs/tools/misc/grub4dos/default.nix index c59869c0dc7..f0ac6b5f7c9 100644 --- a/pkgs/tools/misc/grub4dos/default.nix +++ b/pkgs/tools/misc/grub4dos/default.nix @@ -14,6 +14,8 @@ in stdenv.mkDerivation { nativeBuildInputs = [ unzip nasm ]; + hardeningDisable = [ "stackprotector" ]; + configureFlags = [ "--host=${arch}-pc-linux-gnu" ]; postInstall = '' From 9893a43dc3704d05417eac42af676a47e4f058f6 Mon Sep 17 00:00:00 2001 
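Review bot: `hardeningDisable = [ "format" ];` in ccrypt's default.nix switches off the whole `format` flag set without saying which call trips it, so the non-literal format strings the compile-time check found are now invisible, in a tool whose job is handling user-supplied keys and files. Since this flag is a build-time diagnostic rather than a runtime mitigation, the narrower form this series already uses for rowhammer-test in PATCH 412, `NIX_CFLAGS_COMPILE = "-Wno-error=format";`, keeps the warning in the build log while unbreaking the build; either way a comment naming the failing file or function would let the flag be re-enabled once upstream fixes it. The same unexplained `format` disable is added in the hunks for gfortran-darwin, hunspell, lrzsz, wla-dx, mksh, wml, recutils, dar, emacs-25, milu, picat, subtitleeditor, gcc6, libdwg, nautilus and libgda, and in the haskellPackages.lvmrun override.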
From: Robin Gloster Date: Tue, 5 Apr 2016 16:43:31 +0000 Subject: [PATCH 393/603] gfortran-darwin: disable format hardening --- pkgs/development/compilers/gcc/gfortran-darwin.nix | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/pkgs/development/compilers/gcc/gfortran-darwin.nix b/pkgs/development/compilers/gcc/gfortran-darwin.nix index 66f273482cf..5162f311e4e 100644 --- a/pkgs/development/compilers/gcc/gfortran-darwin.nix +++ b/pkgs/development/compilers/gcc/gfortran-darwin.nix @@ -7,12 +7,18 @@ stdenv.mkDerivation rec { name = "gfortran-${version}"; version = "5.1.0"; - buildInputs = [gmp mpfr libmpc isl_0_14 cloog zlib]; + + buildInputs = [ gmp mpfr libmpc isl_0_14 cloog zlib ]; + src = fetchurl { url = "mirror://gnu/gcc/gcc-${version}/gcc-${version}.tar.bz2"; sha256 = "1bd5vj4px3s8nlakbgrh38ynxq4s654m6nxz7lrj03mvkkwgvnmp"; }; + patches = ./gfortran-darwin.patch; + + hardeningDisable = [ "format" ]; + configureFlags = '' --disable-bootstrap --disable-cloog-version-check @@ -28,11 +34,15 @@ stdenv.mkDerivation rec { --with-native-system-header-dir=${Libsystem}/include --with-system-zlib ''; + postConfigure = '' export DYLD_LIBRARY_PATH=`pwd`/`uname -m`-apple-darwin`uname -r`/libgcc ''; - makeFlags = ["CC=clang"]; + + makeFlags = [ "CC=clang" ]; + passthru.cc = stdenv.cc.cc; + meta = with stdenv.lib; { description = "GNU Fortran compiler, part of the GNU Compiler Collection"; homepage = "https://gcc.gnu.org/fortran/"; From 4d4610ac0fb98d013a987342d9b0004a9a6e8a5a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 5 Apr 2016 16:44:02 +0000 Subject: [PATCH 394/603] gprolog.i686-linux: disable pic hardening --- pkgs/development/compilers/gprolog/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/gprolog/default.nix b/pkgs/development/compilers/gprolog/default.nix index f2b5a04df98..c63cb85f5f1 100644 --- a/pkgs/development/compilers/gprolog/default.nix 
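Review bot: The first hunk adds `patches = ./gfortran-darwin.patch;` but the diffstat lists only gfortran-darwin.nix as changed, so unless that patch file already exists in the tree the derivation fails to evaluate with a missing-path error; either the file belongs in this commit or the line should name the existing file it relies on. The attribute is conventionally a list, `patches = [ ./gfortran-darwin.patch ];`, which also matches how the other derivations in this series write it. The whitespace reflow of `buildInputs`/`makeFlags` and the new `passthru.cc` in the second hunk are unrelated to the `hardeningDisable = [ "format" ];` change the subject describes and would be easier to review as a separate commit.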
+++ b/pkgs/development/compilers/gprolog/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "13miyas47bmijmadm68cbvb21n4s156gjafz7kfx9brk9djfkh0q"; }; + hardeningDisable = stdenv.lib.optional stdenv.isi686 "pic"; + patchPhase = '' sed -i -e "s|/tmp/make.log|$TMPDIR/make.log|g" src/Pl2Wam/check_boot ''; From f791c1074dc53fdbf24fae4d93745b0641c576d9 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 5 Apr 2016 16:44:30 +0000 Subject: [PATCH 395/603] lua.i686-linux: disable stackprotector hardening --- pkgs/development/interpreters/lua-4/default.nix | 2 ++ pkgs/development/interpreters/lua-5/sec.nix | 2 ++ 2 files changed, 4 insertions(+) diff --git a/pkgs/development/interpreters/lua-4/default.nix b/pkgs/development/interpreters/lua-4/default.nix index 2d216389bd7..d6f385f5b50 100644 --- a/pkgs/development/interpreters/lua-4/default.nix +++ b/pkgs/development/interpreters/lua-4/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation { buildFlags = "all so sobin"; installFlags = "INSTALL_ROOT=$$out"; + hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector"; + meta = { homepage = "http://www.lua.org"; description = "Powerful, fast, lightweight, embeddable scripting language"; diff --git a/pkgs/development/interpreters/lua-5/sec.nix b/pkgs/development/interpreters/lua-5/sec.nix index 08eb1c89308..7af17ae200c 100644 --- a/pkgs/development/interpreters/lua-5/sec.nix +++ b/pkgs/development/interpreters/lua-5/sec.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ lua5 openssl ]; + hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector"; + preBuild = '' makeFlagsArray=( linux From ad9376dc74e1e67a2391d1ba7afb23892906afde Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 5 Apr 2016 16:49:28 +0000 Subject: [PATCH 396/603] hunspell: disable format hardening --- pkgs/development/libraries/hunspell/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
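Review bot: `hardeningDisable = stdenv.lib.optional stdenv.isi686 "pic";` in gprolog's default.nix records that PIC only fails on i686 but not why, so the next reader cannot tell whether it is a gprolog limitation (for instance hand-written 32-bit assembly) or a toolchain problem that will go away. A comment on the same line such as `# i686: <build error> — TODO link upstream report` would capture that. The two lua hunks in PATCH 395 (`lua-4/default.nix`, `lua-5/sec.nix`) add `stdenv.lib.optional stdenv.isi686 "stackprotector"` with the same missing rationale.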
diff --git a/pkgs/development/libraries/hunspell/default.nix b/pkgs/development/libraries/hunspell/default.nix index 98f6511f391..14d36ef5315 100644 --- a/pkgs/development/libraries/hunspell/default.nix +++ b/pkgs/development/libraries/hunspell/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ ncurses readline ]; configureFlags = "--with-ui --with-readline"; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { homepage = http://hunspell.sourceforge.net; description = "Spell checker"; From 057a899791d6f346381961932625be8f31736d0e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 6 Apr 2016 08:18:14 +0000 Subject: [PATCH 397/603] haskellPackages.glib: disable fortify hardening --- pkgs/development/haskell-modules/configuration-common.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index c0282648a39..49a0a3eff15 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -240,7 +240,9 @@ self: super: { gio_0_13_0_3 = addPkgconfigDepend super.gio_0_13_0_3 pkgs.glib; gio_0_13_0_4 = addPkgconfigDepend super.gio_0_13_0_4 pkgs.glib; gio_0_13_1_0 = addPkgconfigDepend super.gio_0_13_1_0 pkgs.glib; - glib = addPkgconfigDepend super.glib pkgs.glib; + glib = pkgs.lib.overrideDerivation (addPkgconfigDepend super.glib pkgs.glib) (drv: { + hardeningDisable = [ "fortify" ]; + }); gtk3 = super.gtk3.override { inherit (pkgs) gtk3; }; gtk = addPkgconfigDepend super.gtk pkgs.gtk; gtksourceview2 = (addPkgconfigDepend super.gtksourceview2 pkgs.gtk2).override { inherit (pkgs.gnome2) gtksourceview; }; From 58a73d3f4be799a025347406d3a867c25555a8d1 Mon Sep 17 00:00:00 2001 
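Review bot: `glib = pkgs.lib.overrideDerivation (addPkgconfigDepend super.glib pkgs.glib) (drv: { hardeningDisable = [ "fortify" ]; });` is the first of five near-identical fortify overrides in configuration-common.nix (gio in PATCH 409, pango in PATCH 411, gtk and gtk3 in PATCH 417), each spelling out the lambda inline. A local helper near the top of the file, `disableFortify = drv: pkgs.lib.overrideDerivation drv (_: { hardeningDisable = [ "fortify" ]; });`, would reduce each to `glib = disableFortify (addPkgconfigDepend super.glib pkgs.glib);` and give one place to note why these gtk2hs bindings need it. The unused `drv` parameter can be `_` in either form.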
From: Robin Gloster Date: Wed, 6 Apr 2016 08:26:01 +0000 Subject: [PATCH 398/603] haskellPackages.lvmrun: disable format hardening --- pkgs/development/haskell-modules/configuration-common.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 49a0a3eff15..f1c1abfedb5 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -440,7 +440,9 @@ self: super: { lensref = dontCheck super.lensref; liquidhaskell = dontCheck super.liquidhaskell; lucid = dontCheck super.lucid; #https://github.com/chrisdone/lucid/issues/25 - lvmrun = dontCheck super.lvmrun; + lvmrun = pkgs.lib.overrideDerivation (dontCheck super.lvmrun) (drv: { + hardeningDisable = [ "format" ]; + }); memcache = dontCheck super.memcache; milena = dontCheck super.milena; nats-queue = dontCheck super.nats-queue; From 0086c6d4014851f2d1a8a99338faeed92cbf9e51 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 6 Apr 2016 08:54:48 +0000 Subject: [PATCH 399/603] lrzsz: disable format hardening --- pkgs/tools/misc/lrzsz/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/lrzsz/default.nix b/pkgs/tools/misc/lrzsz/default.nix index 729faa7a95d..11351790bec 100644 --- a/pkgs/tools/misc/lrzsz/default.nix +++ b/pkgs/tools/misc/lrzsz/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1wcgfa9fsigf1gri74gq0pa7pyajk12m4z69x7ci9c6x9fqkd2y2"; }; + hardeningDisable = [ "format" ]; + configureFlags = [ "--program-transform-name=s/^l//" ]; meta = with stdenv.lib; { From 8bdd73291d35c03fcfaa959427bef437c5dfa81e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 6 Apr 2016 09:12:12 +0000 Subject: [PATCH 400/603] wla-dx: disable format hardening --- pkgs/development/compilers/wla-dx/default.nix | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/pkgs/development/compilers/wla-dx/default.nix b/pkgs/development/compilers/wla-dx/default.nix index 535868bee3b..f91c555b6b9 100644 --- a/pkgs/development/compilers/wla-dx/default.nix +++ b/pkgs/development/compilers/wla-dx/default.nix @@ -2,16 +2,21 @@ stdenv.mkDerivation rec { name = "wla-dx-git-2016-02-27"; + src = fetchFromGitHub { owner = "vhelin"; repo = "wla-dx"; rev = "8189fe8d5620584ea16563875ff3c5430527c86a"; sha256 = "02zgkcyfx7y8j6jvyi12lm29fydnd7m3rxv6g2psv23fyzmpkkir"; }; + + hardeningDisable = [ "format" ]; + installPhase = '' mkdir -p $out/bin install binaries/* $out/bin ''; + nativeBuildInputs = [ cmake ]; meta = with stdenv.lib; { From 812e25c86b1abffa1d7109d269877d3902455fed Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 6 Apr 2016 09:12:20 +0000 Subject: [PATCH 401/603] mksh: disable format hardening --- pkgs/shells/mksh/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/shells/mksh/default.nix b/pkgs/shells/mksh/default.nix index 696777c7f1f..3037552dab6 100644 --- a/pkgs/shells/mksh/default.nix +++ b/pkgs/shells/mksh/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { buildInputs = [ groff ]; + hardeningDisable = [ "format" ]; + buildPhase = '' mkdir build-dir/ cp mksh.1 dot.mkshrc build-dir/ From 7a347f608207afc4aeb5086e97489999ed6a3f40 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 6 Apr 2016 09:15:19 +0000 Subject: [PATCH 402/603] wml: disable format hardening --- pkgs/development/web/wml/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/development/web/wml/default.nix b/pkgs/development/web/wml/default.nix index 22cc5001c92..be53724636b 100644 --- a/pkgs/development/web/wml/default.nix +++ b/pkgs/development/web/wml/default.nix 
@@ -19,12 +19,14 @@ perlPackages.buildPerlPackage rec { sed -i 's/ doc / /g' wml_backend/p2_mp4h/Makefile.in sed -i '/p2_mp4h\/doc/d' Makefile.in ''; - + buildInputs = with perlPackages; [ perl TermReadKey GD BitVector ncurses lynx makeWrapper ImageSize ]; patches = [ ./redhat-with-thr.patch ./dynaloader.patch ./no_bitvector.patch ]; - + + hardeningDisable = [ "format" ]; + postPatch = '' substituteInPlace wml_frontend/wml.src \ --replace "File::PathConvert::realpath" "Cwd::realpath" \ From 88b49cc74815077a942e5f319bb345a31038fbed Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 6 Apr 2016 09:23:57 +0000 Subject: [PATCH 403/603] tinycc: disable fortify hardening --- pkgs/development/compilers/tinycc/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/tinycc/default.nix b/pkgs/development/compilers/tinycc/default.nix index f1a52f5de91..96844b2b1f1 100644 --- a/pkgs/development/compilers/tinycc/default.nix +++ b/pkgs/development/compilers/tinycc/default.nix @@ -18,6 +18,8 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ perl texinfo ]; + hardeningDisable = [ "fortify" ]; + postPatch = '' substituteInPlace "texi2pod.pl" \ --replace "/usr/bin/perl" "${perl}/bin/perl" From 8d4443a89a7b3dc9921bf759cce9c9912dc297fe Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 6 Apr 2016 09:36:58 +0000 Subject: [PATCH 404/603] recutils: disable format hardening --- pkgs/tools/misc/recutils/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/recutils/default.nix b/pkgs/tools/misc/recutils/default.nix index 4d6829e99a4..6dd40e8476f 100644 --- a/pkgs/tools/misc/recutils/default.nix +++ b/pkgs/tools/misc/recutils/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { doCheck = true; + hardeningDisable = [ "format" ]; + buildInputs = [ curl emacs ] ++ (stdenv.lib.optionals doCheck [ check bc ]); meta = { From 5ca99ae7a7d685980048dff05b5db18d31202ebe Mon Sep 17 00:00:00 2001 
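Review bot: `hardeningDisable = [ "format" ];` is added to a `perlPackages.buildPerlPackage` call rather than to `stdenv.mkDerivation` directly; it only takes effect if buildPerlPackage forwards unknown attributes to mkDerivation, which is not visible in the hunk and should be confirmed (for example by checking that `hardeningDisable` appears in the resulting derivation's environment). The two `-`/`+` pairs above it change only trailing whitespace and are unrelated to the fix. The enclosing `buildPerlPackage rec { … }` starts before the hunk and ends after it.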
From: Robin Gloster Date: Wed, 6 Apr 2016 14:16:42 +0000 Subject: [PATCH 405/603] kernel.i686-linux: disable bindnow hardening --- pkgs/os-specific/linux/kernel/manual-config.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix index 85a4b98982a..348221ce05d 100644 --- a/pkgs/os-specific/linux/kernel/manual-config.nix +++ b/pkgs/os-specific/linux/kernel/manual-config.nix @@ -225,7 +225,8 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null) (ubootChooser stdenv.platform.uboot); - hardeningDisable = [ "format" "fortify" "stackprotector" "pic" ]; + hardeningDisable = [ "format" "fortify" "stackprotector" "pic" ] + ++ stdenv.lib.optional stdenv.isi686 "bindnow"; makeFlags = commonMakeFlags ++ [ "ARCH=${stdenv.platform.kernelArch}" From a73a28de7b16734d8e28da8be43a06b92eeb6bc3 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 6 Apr 2016 16:16:23 +0000 Subject: [PATCH 406/603] fix grammar errors --- doc/languages-frameworks/python.md | 2 +- nixos/modules/system/boot/loader/grub/grub.nix | 4 ++-- pkgs/applications/graphics/kipi-plugins/default.nix | 4 ++-- pkgs/servers/firebird/default.nix | 2 +- pkgs/servers/sql/virtuoso/7.x.nix | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/doc/languages-frameworks/python.md b/doc/languages-frameworks/python.md index fc0a0ba987a..3ee25669f74 100644 --- a/doc/languages-frameworks/python.md +++ b/doc/languages-frameworks/python.md @@ -599,7 +599,7 @@ Given a `default.nix`: src = ./.; } Running `nix-shell` with no arguments should give you -the environment in which the package would be build with +the environment in which the package would be built with `nix-build`. Shortcut to setup environments with C headers/libraries and python packages: 
diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index d9f6f51f13a..6b201fcce63 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -348,7 +348,7 @@ in default = false; type = types.bool; description = '' - Whether GRUB should be build against libzfs. + Whether GRUB should be built against libzfs. ZFS support is only available for GRUB v2. This option is ignored for GRUB v1. ''; @@ -358,7 +358,7 @@ in default = false; type = types.bool; description = '' - Whether GRUB should be build with EFI support. + Whether GRUB should be built with EFI support. EFI support is only available for GRUB v2. This option is ignored for GRUB v1. ''; diff --git a/pkgs/applications/graphics/kipi-plugins/default.nix b/pkgs/applications/graphics/kipi-plugins/default.nix index 6a38698370d..b69105fba7c 100644 --- a/pkgs/applications/graphics/kipi-plugins/default.nix +++ b/pkgs/applications/graphics/kipi-plugins/default.nix @@ -7,7 +7,7 @@ stdenv.mkDerivation rec { name = "kipi-plugins-1.9.0"; - src = fetchurl { + src = fetchurl { url = "mirror://sourceforge/kipi/${name}.tar.bz2"; sha256 = "0k4k9v1rj7129n0s0i5pvv4rabx0prxqs6sca642fj95cxc6c96m"; }; @@ -25,6 +25,6 @@ stdenv.mkDerivation rec { homepage = http://www.kipi-plugins.org; inherit (kdelibs.meta) platforms; maintainers = with stdenv.lib.maintainers; [ viric urkud ]; - broken = true; # it should be build from digikam sources, perhaps together + broken = true; # it should be built from digikam sources, perhaps together }; } diff --git a/pkgs/servers/firebird/default.nix b/pkgs/servers/firebird/default.nix index 414582b69ef..3e258ee6d3f 100644 --- a/pkgs/servers/firebird/default.nix +++ b/pkgs/servers/firebird/default.nix 
@@ -11,7 +11,7 @@ # icu version missmatch may cause such error when selecting from a table: # "Collation unicode for character set utf8 is not installed" - # icu 3.0 can still be build easily by nix (by dropping the #elif case and + # icu 3.0 can still be built easily by nix (by dropping the #elif case and # make | make) icu ? null diff --git a/pkgs/servers/sql/virtuoso/7.x.nix b/pkgs/servers/sql/virtuoso/7.x.nix index de610f9a729..afb91602d76 100644 --- a/pkgs/servers/sql/virtuoso/7.x.nix +++ b/pkgs/servers/sql/virtuoso/7.x.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { meta = with stdenv.lib; { description = "SQL/RDF database used by, e.g., KDE-nepomuk"; homepage = http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/; - #configure: The current version [...] can only be build on 64bit platforms + #configure: The current version [...] can only be built on 64bit platforms platforms = [ "x86_64-linux" "x86_64-darwin" ]; maintainers = [ maintainers.urkud ]; }; From a36f51f77327b3ecdb09184c09f5e1970a31492a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 19 Apr 2016 02:05:50 +0000 Subject: [PATCH 407/603] neovim: disable fortify hardening --- pkgs/applications/editors/neovim/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/applications/editors/neovim/default.nix b/pkgs/applications/editors/neovim/default.nix index 7d23ae5bbbd..064e68cae9f 100644 --- a/pkgs/applications/editors/neovim/default.nix +++ b/pkgs/applications/editors/neovim/default.nix @@ -98,6 +98,9 @@ let LUA_CPATH="${lpeg}/lib/lua/${lua.luaversion}/?.so;${luabitop}/lib/lua/5.2/?.so"; LUA_PATH="${luaMessagePack}/share/lua/5.1/?.lua"; + # triggers on buffer overflow bug while running tests + hardeningDisable = [ "fortify" ]; + preConfigure = stdenv.lib.optionalString stdenv.isDarwin '' export DYLD_LIBRARY_PATH=${jemalloc}/lib substituteInPlace src/nvim/CMakeLists.txt --replace " util" "" From b59a6aa93a64629e02750de7120a3423b93384e2 Mon Sep 17 00:00:00 2001 
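Review bot: The new comment `# triggers on buffer overflow bug while running tests` says that the fortify check caught a real overflow, but the fix disables fortify for the whole derivation, so the installed `nvim` binary ships without the runtime check that detected it while the overflow itself stays in place. If the bug is confined to the test suite, limiting the change to the check phase or marking the affected test as known-failing keeps the mitigation in the shipped binary; if it is in nvim itself, the fix is the upstream patch and the comment should link the report, e.g. `# fortify trips on a buffer overflow in the test suite: <upstream issue URL>`. The enclosing `let` bindings continue outside the hunk.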
From: Robin Gloster Date: Tue, 19 Apr 2016 02:21:57 +0000 Subject: [PATCH 408/603] kernel: turn off bindnow hardening --- pkgs/os-specific/linux/kernel/manual-config.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix index 1fb702d5746..7ba01d66729 100644 --- a/pkgs/os-specific/linux/kernel/manual-config.nix +++ b/pkgs/os-specific/linux/kernel/manual-config.nix @@ -216,8 +216,7 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null) (ubootChooser stdenv.platform.uboot); - hardeningDisable = [ "format" "fortify" "stackprotector" "pic" ] - ++ stdenv.lib.optional stdenv.isi686 "bindnow"; + hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" ]; makeFlags = commonMakeFlags ++ [ "ARCH=${stdenv.platform.kernelArch}" From fd77c5c5a0daa0f1fd2cfa64085b9a27e40495f0 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 19 Apr 2016 10:56:55 +0000 Subject: [PATCH 409/603] haskellPackages.gio: turn off fortify hardening --- pkgs/development/haskell-modules/configuration-common.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 16944c2d5a3..af25acfc3ae 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix 
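Review bot: `hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" ];` now turns off nearly every flag the stdenv offers for the kernel build, and the commit message gives no reason for the bindnow part beyond the earlier i686-only experiment in PATCH 405. A one-line comment stating why — presumably that the kernel build manages its own compiler and linker flags and the wrapper-injected userland flags break modules or linking, though that is not visible here — would make the list self-explanatory and discourage piecemeal re-enabling. The surrounding `stdenv.mkDerivation` call starts and ends outside the hunk.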
@@ -235,7 +235,9 @@ self: super: { jwt = dontCheck super.jwt; # https://github.com/NixOS/cabal2nix/issues/136 - gio = addPkgconfigDepend super.gio pkgs.glib; + gio = pkgs.lib.overrideDerivation (addPkgconfigDepend super.gio pkgs.glib) (drv: { + hardeningDisable = [ "fortify" ]; + }); gio_0_13_0_3 = addPkgconfigDepend super.gio_0_13_0_3 pkgs.glib; gio_0_13_0_4 = addPkgconfigDepend super.gio_0_13_0_4 pkgs.glib; gio_0_13_1_0 = addPkgconfigDepend super.gio_0_13_1_0 pkgs.glib; From 33ef14fb62d0d651b972dc1c18aa53dd95c2b9e4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 19 Apr 2016 12:15:23 +0000 Subject: [PATCH 410/603] haskellPackages: clean up unnecessary overrides --- .../haskell-modules/configuration-common.nix | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index af25acfc3ae..2e4b53d415b 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -255,9 +255,6 @@ self: super: { webkitgtk3-javascriptcore = super.webkitgtk3-javascriptcore.override { webkit = pkgs.webkitgtk24x; }; websnap = super.websnap.override { webkit = pkgs.webkitgtk24x; }; - # While waiting for https://github.com/jwiegley/gitlib/pull/53 to be merged - hlibgit2 = addBuildTool super.hlibgit2 pkgs.git; - # https://github.com/mvoidex/hsdev/issues/11 hsdev = dontHaddock super.hsdev; @@ -270,9 +267,6 @@ self: super: { # Upstream notified by e-mail. permutation = dontCheck super.permutation; - # https://github.com/vincenthz/hs-tls/issues/102 - tls = dontCheck super.tls; - # https://github.com/jputcu/serialport/issues/25 serialport = dontCheck super.serialport; 
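Review bot: The fortify override is applied to `gio` only, while the pinned `gio_0_13_0_3`, `gio_0_13_0_4` and `gio_0_13_1_0` attributes on the following lines keep the plain `addPkgconfigDepend` wrapper. If the failure is in gio's generated C bindings rather than something specific to the default version, those variants will fail the same way; if they are already known to build, a short comment saying so would make the asymmetry deliberate.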
@@ -282,9 +276,6 @@ self: super: { # Fails no apparent reason. Upstream has been notified by e-mail. assertions = dontCheck super.assertions; - # https://github.com/vincenthz/tasty-kat/issues/1 - tasty-kat = dontCheck super.tasty-kat; - # These packages try to execute non-existent external programs. cmaes = dontCheck super.cmaes; # http://hydra.cryp.to/build/498725/log/raw dbmigrations = dontCheck super.dbmigrations; @@ -309,7 +300,6 @@ self: super: { test-sandbox = dontCheck super.test-sandbox; users-postgresql-simple = dontCheck super.users-postgresql-simple; wai-middleware-hmac = dontCheck super.wai-middleware-hmac; - wai-middleware-throttle = dontCheck super.wai-middleware-throttle; # https://github.com/creichert/wai-middleware-throttle/issues/1 xkbcommon = dontCheck super.xkbcommon; xmlgen = dontCheck super.xmlgen; hapistrano = dontCheck super.hapistrano; From 9a8a9c43b48afa670273a2276de6d8134297c095 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 19 Apr 2016 12:21:06 +0000 Subject: [PATCH 411/603] haskellPackages.pango: turn off fortify hardening --- pkgs/development/haskell-modules/configuration-common.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 2e4b53d415b..1cbda56844b 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -43,9 +43,14 @@ self: super: { options = dontCheck super.options; statistics = dontCheck super.statistics; c2hs = dontCheck super.c2hs; + + # fix errors caused by hardening flags epanet-haskell = super.epanet-haskell.overrideDerivation (drv: { hardeningDisable = [ "format" ]; }); + pango = super.pango.overrideDerivation (drv: { + hardeningDisable = [ "fortify" ]; + }); # Use the default version of mysql to build this package (which is actually mariadb). mysql = super.mysql.override { mysql = pkgs.mysql.lib; }; 
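Review bot: `pango = super.pango.overrideDerivation (drv: { hardeningDisable = [ "fortify" ]; });` uses the derivation's own `overrideDerivation` method, whereas the glib, gio and lvmrun overrides elsewhere in this file use `pkgs.lib.overrideDerivation (…) (drv: …)`; both work, but the file should settle on one form. The `# fix errors caused by hardening flags` comment now covers both epanet-haskell and pango, which is fine, though it would help to say which flag fails for which package.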
From 0fdde5efd08c036fe9d73b4e65f2ba9797053d0f Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 19 Apr 2016 12:33:01 +0000 Subject: [PATCH 412/603] rowhammer-test.isi686-linux: no Werror for format --- pkgs/tools/system/rowhammer-test/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/system/rowhammer-test/default.nix b/pkgs/tools/system/rowhammer-test/default.nix index 728b15bb298..226ec4351ea 100644 --- a/pkgs/tools/system/rowhammer-test/default.nix +++ b/pkgs/tools/system/rowhammer-test/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { sha256 = "1fbfcnm5gjish47wdvikcsgzlb5vnlfqlzzm6mwiw2j5qkq0914i"; }; + NIX_CFLAGS_COMPILE = stdenv.lib.optional stdenv.isi686 "-Wno-error=format"; + buildPhase = "sh -e make.sh"; installPhase = '' From 9fbc20e2f89bc045efac7ade41949a2c2d571dec Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 3 May 2016 00:13:15 +0000 Subject: [PATCH 413/603] fix merge (webdsl removal) --- pkgs/top-level/all-packages.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index e2753f19733..01728916fce 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5203,8 +5203,6 @@ in vs90wrapper = callPackage ../development/compilers/vs90wrapper { }; - webdsl = callPackage ../development/compilers/webdsl { }; - wla-dx = callPackage ../development/compilers/wla-dx { }; wrapCCWith = ccWrapper: libc: extraBuildCommands: baseCC: ccWrapper { From 527a605ad7313bb336b280ed0aae51b434b51389 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 9 May 2016 22:06:58 +0000 Subject: [PATCH 414/603] dar: disable format hardening --- pkgs/tools/archivers/dar/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/archivers/dar/default.nix b/pkgs/tools/archivers/dar/default.nix index 92a81f9e5d6..b64b6e4ca0a 100644 --- a/pkgs/tools/archivers/dar/default.nix +++ b/pkgs/tools/archivers/dar/default.nix 
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "format" ]; + meta = { homepage = http://dar.linux.free.fr/; description = "Disk ARchiver, allows backing up files into indexed archives"; From eb6809eafd114404327b1b04133c7caaa7283b76 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 9 May 2016 22:09:22 +0000 Subject: [PATCH 415/603] emacs25pre: disable format hardening --- pkgs/applications/editors/emacs-25/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/editors/emacs-25/default.nix b/pkgs/applications/editors/emacs-25/default.nix index 019015785e6..e591a48781a 100644 --- a/pkgs/applications/editors/emacs-25/default.nix +++ b/pkgs/applications/editors/emacs-25/default.nix @@ -53,6 +53,8 @@ stdenv.mkDerivation rec { propagatedBuildInputs = stdenv.lib.optionals stdenv.isDarwin [ AppKit GSS ImageIO ]; + hardeningDisable = [ "format" ]; + configureFlags = if stdenv.isDarwin then [ "--with-ns" "--disable-ns-self-contained" ] From 365379857fb561df949fc841e80458e317a1d682 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 9 May 2016 22:21:57 +0000 Subject: [PATCH 416/603] gcl: disable bindnow hardening --- pkgs/development/compilers/gcl/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/compilers/gcl/default.nix b/pkgs/development/compilers/gcl/default.nix index cf25f989c7c..0e4d5bed051 100644 --- a/pkgs/development/compilers/gcl/default.nix +++ b/pkgs/development/compilers/gcl/default.nix @@ -32,7 +32,7 @@ stdenv.mkDerivation rec { "--enable-ansi" ]; - hardeningDisable = [ "pic" ]; + hardeningDisable = [ "pic" "bindnow" ]; NIX_CFLAGS_COMPILE = "-fgnu89-inline"; From 2382084e3b526c1d76ceaa1a2ac60df377fb3c80 Mon Sep 17 00:00:00 2001 
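Review bot: `hardeningDisable = [ "pic" "bindnow" ];` in gcl's default.nix now drops two flags with no comment about what fails; for a Lisp that dumps and reloads its own image, non-PIC code and lazy binding are plausibly required, but that is an inference rather than something the hunk shows. Recording the actual error next to the line, e.g. `# pic/bindnow: <error> — TODO upstream report`, would let the flags be revisited. The enclosing `stdenv.mkDerivation rec` block starts before the hunk.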
From: Robin Gloster Date: Tue, 31 May 2016 12:22:17 +0000 Subject: [PATCH 417/603] haskellPackages.gtk{,3}: disable fortify hardening --- pkgs/development/haskell-modules/configuration-common.nix | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 7a9c28e516c..47862bd7513 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -246,8 +246,12 @@ self: super: { glib = pkgs.lib.overrideDerivation (addPkgconfigDepend super.glib pkgs.glib) (drv: { hardeningDisable = [ "fortify" ]; }); - gtk3 = super.gtk3.override { inherit (pkgs) gtk3; }; - gtk = addPkgconfigDepend super.gtk pkgs.gtk; + gtk3 = pkgs.lib.overrideDerivation (super.gtk3.override { inherit (pkgs) gtk3; }) (drv: { + hardeningDisable = [ "fortify" ]; + }); + gtk = pkgs.lib.overrideDerivation (addPkgconfigDepend super.gtk pkgs.gtk) (drv: { + hardeningDisable = [ "fortify" ]; + }); gtksourceview2 = (addPkgconfigDepend super.gtksourceview2 pkgs.gtk2).override { inherit (pkgs.gnome2) gtksourceview; }; gtksourceview3 = super.gtksourceview3.override { inherit (pkgs.gnome3) gtksourceview; }; From a78316ce4785b9791a2103c1f4c8dfd95abf290c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 31 May 2016 12:28:59 +0000 Subject: [PATCH 418/603] milu: disable format hardening --- pkgs/applications/misc/milu/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/misc/milu/default.nix b/pkgs/applications/misc/milu/default.nix index 8b7fb6787d7..b8ccbe77cf5 100644 --- a/pkgs/applications/misc/milu/default.nix +++ b/pkgs/applications/misc/milu/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { owner = "yuejia"; }; + hardeningDisable = [ "format" ]; + preConfigure = '' sed -i 's#/usr/bin/##g' Makefile sed -i "s#-lclang#-L$(clang --print-search-dirs | 
From 878e24b35a40fcc9c294a31ed0ab0336db914635 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 31 May 2016 12:35:54 +0000 Subject: [PATCH 419/603] linuxPackages.dpdk: disable pic hardening --- pkgs/os-specific/linux/dpdk/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/dpdk/default.nix b/pkgs/os-specific/linux/dpdk/default.nix index 479188b365f..81b3874cb2c 100644 --- a/pkgs/os-specific/linux/dpdk/default.nix +++ b/pkgs/os-specific/linux/dpdk/default.nix @@ -20,6 +20,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; outputs = [ "out" "examples" ]; + hardeningDisable = [ "pic" ]; + buildPhase = '' make T=x86_64-native-linuxapp-gcc config make T=x86_64-native-linuxapp-gcc install From e7be1168ba1211b6196c0f2597ddbb7d02323370 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 31 May 2016 12:57:28 +0000 Subject: [PATCH 420/603] picat: disable format hardening --- pkgs/development/compilers/picat/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/picat/default.nix b/pkgs/development/compilers/picat/default.nix index 7f2f6158dd8..e86f3869e49 100644 --- a/pkgs/development/compilers/picat/default.nix +++ b/pkgs/development/compilers/picat/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation { else if stdenv.system == "x86_64-linux" then "linux64" else throw "Unsupported system"; + hardeningDisable = [ "format" ]; + buildPhase = '' cd emu make -f Makefile.picat.$ARCH From 8f1e9d91bebe456beb31484eb9c76a21b8ccf906 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 31 May 2016 12:57:57 +0000 Subject: [PATCH 421/603] subtitleeditor: disable format hardening --- pkgs/applications/video/subtitleeditor/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/video/subtitleeditor/default.nix b/pkgs/applications/video/subtitleeditor/default.nix index c9655e2a4f2..e3cd242bd73 100644 --- a/pkgs/applications/video/subtitleeditor/default.nix 
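Review bot: `hardeningDisable = [ "pic" ];` applies to the whole dpdk derivation, so the userland libraries and the `examples` output produced by the same build lose the flag along with the kernel modules, which are presumably what actually rejected it. If the failure is only in the module build, a comment saying so, `# pic: the kernel modules cannot be built PIC; userland parts are unaffected`, or scoping the flag to the module make target would keep the user-space code covered. The `buildPhase` that follows continues outside the hunk.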
+++ b/pkgs/applications/video/subtitleeditor/default.nix @@ -41,6 +41,8 @@ stdenv.mkDerivation rec { doCheck = true; + hardeningDisable = [ "format" ]; + patches = [ ./subtitleeditor-0.52.1-build-fix.patch ]; preConfigure = '' From 2a5e64b69c83592caf900cb0b7213235e96368de Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 31 May 2016 12:58:10 +0000 Subject: [PATCH 422/603] maude: disable stackprotector hardening segfaults during tests --- pkgs/development/interpreters/maude/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/interpreters/maude/default.nix b/pkgs/development/interpreters/maude/default.nix index 3473a11e819..e5281c48f93 100644 --- a/pkgs/development/interpreters/maude/default.nix +++ b/pkgs/development/interpreters/maude/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { buildInputs = [flex bison ncurses buddy tecla gmpxx libsigsegv makeWrapper]; + hardeningDisable = [ "stackprotector" ]; + preConfigure = '' configureFlagsArray=( --datadir=$out/share/maude From 851446e26ecfda12be4fbda6809eec8b62e854c2 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 11 Jun 2016 10:07:46 +0000 Subject: [PATCH 423/603] fix merge failure --- pkgs/top-level/all-packages.nix | 2 -- pkgs/top-level/rust-packages.nix | 6 +++--- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index b1d71099247..b3a85bc1590 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -935,8 +935,6 @@ in UnicodeCollate UnicodeLineBreak URI XMLLibXMLSimple XMLLibXSLT XMLWriter; }; - bittornado = callPackage ../tools/networking/p2p/bit-tornado { }; - bibtextools = callPackage ../tools/typesetting/bibtex-tools { inherit (strategoPackages016) strategoxt sdf; }; diff --git a/pkgs/top-level/rust-packages.nix b/pkgs/top-level/rust-packages.nix index 31eb3007daa..26513a6b862 100644 --- a/pkgs/top-level/rust-packages.nix 
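Review bot: The commit body says `segfaults during tests`, but that reason is not carried into maude's default.nix, where `hardeningDisable = [ "stackprotector" ];` now sits with no comment. A crash that only appears with the stack protector usually means the canary is exposing existing stack corruption rather than causing it, so disabling the flag silences the symptom in the shipped `maude` binary while the underlying bug stays; the line deserves at least `# stack protector makes the test suite segfault (likely a latent stack bug) — TODO upstream report`. If the crash is confined to the tests, `doCheck = false` with that note would keep the protection in the installed interpreter.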
+++ b/pkgs/top-level/rust-packages.nix @@ -7,15 +7,15 @@ { runCommand, fetchFromGitHub, git }: let - version = "2016-05-28"; - rev = "eb354be1bc4c368e4ed885bd126f625f371b4bfa"; + version = "2016-06-10"; + rev = "18a44fdb7bd193c4cf62a0f3a9b807daf8620546"; src = fetchFromGitHub { inherit rev; owner = "rust-lang"; repo = "crates.io-index"; - sha256 = "1scbfraj2cgpi5q1bkhhj18jv58hkyl9pms8qnx3fvxs6yq68ba9"; + sha256 = "0jrawwdw1znw7z4hxivlssc3g90h05f3zmwm10ap4qhjpy4rrc1z"; }; in From 56b56c21384980ce4d83f4a5b3bcd3cedf759bdc Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 13 Jun 2016 11:06:15 +0000 Subject: [PATCH 424/603] fix merge failure (2) --- pkgs/top-level/all-packages.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index b3a85bc1590..4a1f70889e6 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -935,10 +935,6 @@ in UnicodeCollate UnicodeLineBreak URI XMLLibXMLSimple XMLLibXSLT XMLWriter; }; - bibtextools = callPackage ../tools/typesetting/bibtex-tools { - inherit (strategoPackages016) strategoxt sdf; - }; - blueman = callPackage ../tools/bluetooth/blueman { inherit (gnome3) dconf gsettings_desktop_schemas; withPulseAudio = config.pulseaudio or true; From 99cc3fa6cad876a4bddb0fb33e0835570206f4ea Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 31 May 2016 18:05:12 +0200 Subject: [PATCH 425/603] systemd: Disable stackprotector hardening flag --- pkgs/os-specific/linux/systemd/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index 0ba6c431c9f..748f180fe37 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix 
@@ -82,6 +82,8 @@ stdenv.mkDerivation rec { "--with-rc-local-script-path-stop=/etc/halt.local" ] ++ (if enableKDbus then [ "--enable-kdbus" ] else [ "--disable-kdbus" ]); + hardeningDisable = [ "stackprotector" ]; + preConfigure = '' ./autogen.sh From 06ed2353479098d6ecd4ef49f4aeb6315aee3109 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 14 Jun 2016 11:45:47 +0000 Subject: [PATCH 426/603] gcc6: disable format hardening flag --- pkgs/development/compilers/gcc/6/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/gcc/6/default.nix b/pkgs/development/compilers/gcc/6/default.nix index 6ca0f2f59f4..5a9e615645e 100644 --- a/pkgs/development/compilers/gcc/6/default.nix +++ b/pkgs/development/compilers/gcc/6/default.nix @@ -223,6 +223,8 @@ stdenv.mkDerivation ({ libc_dev = stdenv.cc.libc_dev; + hardeningDisable = [ "format" ]; + postPatch = if (stdenv.isGNU || (libcCross != null # e.g., building `gcc.crossDrv' From 2fa03127c8cff7d6170a8859b1aa70ba37c7ec48 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 14 Jun 2016 11:46:09 +0000 Subject: [PATCH 427/603] libdwg: disable format hardening flag --- pkgs/development/libraries/libdwg/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/libdwg/default.nix b/pkgs/development/libraries/libdwg/default.nix index 8ffa1ff8192..2ee4e1fdb68 100644 --- a/pkgs/development/libraries/libdwg/default.nix +++ b/pkgs/development/libraries/libdwg/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { nativeBuildInputs = [ indent ]; + hardeningDisable = [ "format" ]; + meta = { description = "library reading dwg files"; homepage = http://libdwg.sourceforge.net/en/; From d9e5fd3b07ec836ed394356b596fe3a7ee7509d3 Mon Sep 17 00:00:00 2001 
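Review bot: In the systemd hunk `hardeningDisable = [ "stackprotector" ]` removes the stack canary from PID 1 and presumably every helper built from the same tree (journald, udevd, logind), and neither a comment nor the commit message says what failed. For a privileged, long-running service manager this is the hardening flag most worth keeping, so the expression should at least record the failure so it can be revisited: `hardeningDisable = [ "stackprotector" ]; # TODO: document what breaks with -fstack-protector and re-enable`. If the breakage is confined to a freestanding component (for instance the EFI boot stub, if it is built here), narrowing the flag to that part rather than the whole package would keep the canary on the daemons.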
From: Robin Gloster Date: Sat, 18 Jun 2016 11:49:54 +0000 Subject: [PATCH 428/603] gnome3_20.nautilus: disable format hardening flag --- pkgs/desktops/gnome-3/3.20/core/nautilus/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/desktops/gnome-3/3.20/core/nautilus/default.nix b/pkgs/desktops/gnome-3/3.20/core/nautilus/default.nix index 67229487085..4cb0b7fb35c 100644 --- a/pkgs/desktops/gnome-3/3.20/core/nautilus/default.nix +++ b/pkgs/desktops/gnome-3/3.20/core/nautilus/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { gnome3.gnome_desktop gnome3.adwaita-icon-theme gnome3.gsettings_desktop_schemas gnome3.dconf libnotify tracker libselinux ]; + hardeningDisable = [ "format" ]; + patches = [ ./extension_dir.patch ]; meta = with stdenv.lib; { From 07615735077db344539eb9131823600593f0eddf Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 18 Jun 2016 11:50:23 +0000 Subject: [PATCH 429/603] gnome3_20.libgda: disable format hardening flag --- pkgs/desktops/gnome-3/3.20/misc/libgda/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/desktops/gnome-3/3.20/misc/libgda/default.nix b/pkgs/desktops/gnome-3/3.20/misc/libgda/default.nix index 75c45634636..2e5b0a4af84 100644 --- a/pkgs/desktops/gnome-3/3.20/misc/libgda/default.nix +++ b/pkgs/desktops/gnome-3/3.20/misc/libgda/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "format" ]; + buildInputs = [ pkgconfig intltool itstool libxml2 gtk3 openssl ]; meta = with stdenv.lib; { From f597e97236c9aad0470cc4744353e3e4c4c217b0 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 13 Jul 2016 19:27:26 +0200 Subject: [PATCH 430/603] atlas: Fix hardening --- pkgs/development/libraries/science/math/atlas/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/pkgs/development/libraries/science/math/atlas/default.nix b/pkgs/development/libraries/science/math/atlas/default.nix index db8aff49c00..6ff7e387ec1 100644 --- a/pkgs/development/libraries/science/math/atlas/default.nix +++ b/pkgs/development/libraries/science/math/atlas/default.nix @@ -66,6 +66,8 @@ stdenv.mkDerivation { patches = optional tolerateCpuTimingInaccuracy ./disable-timing-accuracy-check.patch ++ optional stdenv.isDarwin ./tmpdir.patch; + hardeningDisable = [ "format" ]; + # Configure outside of the source directory. preConfigure = '' mkdir build @@ -76,7 +78,6 @@ stdenv.mkDerivation { # * -t 0 disables use of multi-threading. It's not quite clear what the # consequences of that setting are and whether it's necessary or not. configureFlags = [ - "-Fa alg" "-t ${threads}" cpuConfig ] ++ optional shared "--shared" From 04d873a626c93d9d0dbd21a6f4989194dc0fc61e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 16 Jul 2016 21:34:13 +0000 Subject: [PATCH 431/603] osx-private-sdk: Fix hash --- pkgs/os-specific/darwin/osx-private-sdk/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/darwin/osx-private-sdk/default.nix b/pkgs/os-specific/darwin/osx-private-sdk/default.nix index 1b8f37fdb8d..ae8dc52a402 100644 --- a/pkgs/os-specific/darwin/osx-private-sdk/default.nix +++ b/pkgs/os-specific/darwin/osx-private-sdk/default.nix @@ -3,5 +3,5 @@ fetchgit { url = "https://github.com/samdmarshall/OSXPrivateSDK.git"; rev = "f4d52b60e86b496abfaffa119a7d299562d99783"; - sha256 = "0v1l11fqpqnzd5l2vq5c63jm1vrba56r06zpqnag87j5p1gic8lp"; + sha256 = "0bv0884yxpvk2ishxj8gdy1w6wb0gwfq55q5qjp0s8z0z7f63zqh"; } From cc540843fe88a5e490e07e861f8dbb8f4714ece7 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 21 Jul 2016 00:01:20 +0000 Subject: [PATCH 432/603] linuxPackages.wireguard: disable pic --- pkgs/os-specific/linux/wireguard/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
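Review bot: The second atlas hunk drops `"-Fa alg"` from configureFlags without any explanation, although the commit is titled "Fix hardening" and the change is not a hardening flag. As far as I can tell ATLAS's `-Fa alg` takes the next word as flags to append to all compilers, so the old list would have fed `-t N` into it; if that is the reason, the comment block right above configureFlags (which already explains `-t 0`) is the place to say so, e.g. `# * -Fa alg was dropped: it consumes the following argument as compiler flags and swallowed -t`. Please confirm the actual cause before wording it, since this is inferred from the ATLAS option syntax rather than from anything visible in the hunk.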
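Review bot: The osx-private-sdk sha256 changes while `rev` stays at f4d52b60e86b496abfaffa119a7d299562d99783, and neither the commit message ("Fix hash") nor a comment says why the same git revision now produces different fixed-output content. For a fetchgit of a third-party GitHub repository that is exactly the signal a maintainer needs to be able to rule out as tampering; a fetcher behaviour change (submodule or .git handling) is a plausible benign cause, but it is inferred, not shown. Suggest recording the reason next to the hash, e.g. `sha256 = "0bv0884yxpvk2ishxj8gdy1w6wb0gwfq55q5qjp0s8z0z7f63zqh"; # rev unchanged; hash changed due to <reason>, re-verified against upstream`.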
diff --git a/pkgs/os-specific/linux/wireguard/default.nix b/pkgs/os-specific/linux/wireguard/default.nix index 3e5f6ae7480..c023e4f3d6d 100644 --- a/pkgs/os-specific/linux/wireguard/default.nix +++ b/pkgs/os-specific/linux/wireguard/default.nix @@ -26,6 +26,8 @@ let sed -i '/depmod/,+1d' Makefile ''; + hardeningDisable = [ "pic" ]; + KERNELDIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"; INSTALL_MOD_PATH = "\${out}"; From 43ba8d295f414ab985bd3fc5d5125421bd8bd0ad Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 31 Jul 2016 20:28:29 +0000 Subject: [PATCH 433/603] nvidia-x11: disable pic/format hardening --- pkgs/os-specific/linux/nvidia-x11/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/nvidia-x11/default.nix b/pkgs/os-specific/linux/nvidia-x11/default.nix index e3be760700b..30a3a912d43 100644 --- a/pkgs/os-specific/linux/nvidia-x11/default.nix +++ b/pkgs/os-specific/linux/nvidia-x11/default.nix @@ -55,6 +55,8 @@ stdenv.mkDerivation { buildInputs = [ perl nukeReferences ]; + hardeningDisable = [ "pic" "format" ]; + disallowedReferences = if libsOnly then [] else [ kernel.dev ]; meta = with stdenv.lib.meta; { From 68a953cdc3f61fd99ebf01734537b2659154826d Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 28 Jul 2016 03:50:29 +0200 Subject: [PATCH 434/603] nedit: disable format hardening --- pkgs/applications/editors/nedit/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/editors/nedit/default.nix b/pkgs/applications/editors/nedit/default.nix index 14220956698..e59214395e4 100644 --- a/pkgs/applications/editors/nedit/default.nix +++ b/pkgs/applications/editors/nedit/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "1v8y8vwj3kn91crsddqkz843y6csgw7wkjnd3zdcb4bcrf1pjrsk"; }; + hardeningDisable = [ "format" ]; + buildInputs = [ xlibsWrapper motif libXpm ]; buildFlags = if stdenv.isLinux then "linux" else ""; 
From 1005f464dd37cc35a4cc476a4ce4280df53d5671 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 28 Jul 2016 03:42:58 +0200 Subject: [PATCH 435/603] xpdf: disable format hardening --- pkgs/applications/misc/xpdf/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/misc/xpdf/default.nix b/pkgs/applications/misc/xpdf/default.nix index a7d288162e3..739f1f0a975 100644 --- a/pkgs/applications/misc/xpdf/default.nix +++ b/pkgs/applications/misc/xpdf/default.nix @@ -25,6 +25,8 @@ stdenv.mkDerivation { # Debian uses '-fpermissive' to bypass some errors on char* constantness. CXXFLAGS = "-O2 -fpermissive"; + hardeningDisable = [ "format" ]; + configureFlags = "--enable-a4-paper"; postInstall = stdenv.lib.optionalString (base14Fonts != null) '' From 44b24cc6510f6e9031880c8d20782cb0afccd7c2 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 2 Aug 2016 15:04:52 +0000 Subject: [PATCH 436/603] motif: disable format hardening --- pkgs/development/libraries/motif/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/motif/default.nix b/pkgs/development/libraries/motif/default.nix index 9d50fb3d3d1..4d9f1d56b3e 100644 --- a/pkgs/development/libraries/motif/default.nix +++ b/pkgs/development/libraries/motif/default.nix @@ -26,6 +26,8 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ libXp libXau ]; + hardeningDisable = [ "format" ]; + makeFlags = [ "CFLAGS=-fno-strict-aliasing" ]; patchPhase = '' From 15b8491af31c7bb2e9ae0a78a097f8f34fcb7198 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 2 Aug 2016 17:38:25 +0200 Subject: [PATCH 437/603] seabios: disable fortify hardening --- pkgs/applications/virtualization/seabios/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/applications/virtualization/seabios/default.nix b/pkgs/applications/virtualization/seabios/default.nix index 82ed4b7fe76..852121b1836 100644 --- a/pkgs/applications/virtualization/seabios/default.nix 
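Review bot: Disabling `format` hardening for xpdf removes -Werror=format-security from a program whose entire job is parsing untrusted PDF files, and the expression gives no hint which call sites fail. The error is usually a handful of `printf(str)`-style calls with a non-literal format; patching those to `printf("%s", str)` keeps the check for the rest of the tree, which is where a document-controlled format string would actually matter. At minimum annotate it: `hardeningDisable = [ "format" ]; # TODO: patch non-literal format strings instead; xpdf parses untrusted input`.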
+++ b/pkgs/applications/virtualization/seabios/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ iasl python ]; - hardeningDisable = [ "pic" "stackprotector" ]; + hardeningDisable = [ "pic" "stackprotector" "fortify" ]; configurePhase = '' # build SeaBIOS for CSM From cbc8fc239a79d35722eadb5e99d4b5f816710807 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 2 Aug 2016 15:30:36 +0000 Subject: [PATCH 438/603] zgv: disable format hardening --- pkgs/applications/graphics/zgv/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/graphics/zgv/default.nix b/pkgs/applications/graphics/zgv/default.nix index 46d3e117d0e..e06b76e35b1 100644 --- a/pkgs/applications/graphics/zgv/default.nix +++ b/pkgs/applications/graphics/zgv/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ SDL SDL_image pkgconfig libjpeg libpng libtiff ]; + hardeningDisable = [ "format" ]; + makeFlags = [ "BACKEND=SDL" ]; From b9152cf5a09a495666b05c4e6e03c34d1ce37223 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 2 Aug 2016 15:30:50 +0000 Subject: [PATCH 439/603] yabar: disable format hardening --- pkgs/applications/window-managers/yabar/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/window-managers/yabar/default.nix b/pkgs/applications/window-managers/yabar/default.nix index 2f4a7f0e06c..c199cf6c01b 100644 --- a/pkgs/applications/window-managers/yabar/default.nix +++ b/pkgs/applications/window-managers/yabar/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { buildInputs = [ cairo gdk_pixbuf libconfig pango pkgconfig xcbutilwm ]; + hardeningDisable = [ "format" ]; + postPatch = '' substituteInPlace ./Makefile --replace "\$(shell git describe)" "${version}" ''; From c0830c1764de07fe8c18ac9b112e1081afcae4b9 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Tue, 2 Aug 2016 15:31:03 +0000 Subject: [PATCH 440/603] wasm: disable format hardening --- pkgs/development/interpreters/wasm/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/development/interpreters/wasm/default.nix b/pkgs/development/interpreters/wasm/default.nix index 56eebbf89a2..9a30ae7d8a8 100644 --- a/pkgs/development/interpreters/wasm/default.nix +++ b/pkgs/development/interpreters/wasm/default.nix @@ -17,6 +17,9 @@ let buildInputs = [ cmake clang python ]; buildPhase = "make clang-debug-no-tests"; + + hardeningDisable = [ "format" ]; + installPhase = '' mkdir -p $out/bin cp out/clang/Debug/no-tests/sexpr-wasm $out/bin From 0eb6023d9c0d399595d1568a6af038d62bf7354a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 2 Aug 2016 15:31:10 +0000 Subject: [PATCH 441/603] libjson_rpc_cpp: disable format hardening --- pkgs/development/libraries/libjson-rpc-cpp/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/libjson-rpc-cpp/default.nix b/pkgs/development/libraries/libjson-rpc-cpp/default.nix index 2cfede1eb6e..ca60f1570bc 100644 --- a/pkgs/development/libraries/libjson-rpc-cpp/default.nix +++ b/pkgs/development/libraries/libjson-rpc-cpp/default.nix @@ -18,6 +18,8 @@ stdenv.mkDerivation rec { rev = "c6e3d7195060774bf95afc6df9c9588922076d3e"; }; + hardeningDisable = [ "format" ]; + patchPhase = '' for f in cmake/FindArgtable.cmake \ src/stubgenerator/stubgenerator.cpp \ From b0d748e244df6c977b2a1db3873ffdc271e59615 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 2 Aug 2016 17:49:08 +0200 Subject: [PATCH 442/603] bitkeeper: disable fortify hardening --- pkgs/applications/version-management/bitkeeper/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/version-management/bitkeeper/default.nix b/pkgs/applications/version-management/bitkeeper/default.nix index 76083292482..e5937977994 100644 
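Review bot: For libjson-rpc-cpp the new `hardeningDisable = [ "format" ]` switches off -Werror=format-security in a library that by design handles input arriving over the network, with no note of which files trip the warning. Since the package is already built from a pinned git revision with a patchPhase, fixing the offending format calls there (or adding a small patch) would keep the check for the rest of the code. Suggest at least `hardeningDisable = [ "format" ]; # TODO: fix non-literal format strings upstream; library handles untrusted RPC input` so it is not mistaken for a deliberate setting.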
--- a/pkgs/applications/version-management/bitkeeper/default.nix +++ b/pkgs/applications/version-management/bitkeeper/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "0lk4vydpq5bi52m81h327gvzdzybf8kkak7yjwmpj6kg1jn9blaz"; }; + hardeningDisable = [ "fortify" ]; + enableParallelBuilding = true; buildInputs = [ From f2a66d4c16d19e671dc0a39956c08de2852e42a3 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 2 Aug 2016 17:52:51 +0200 Subject: [PATCH 443/603] criu: fix merge fail d020caa5b2eca90ea051403fbb4c52b99ee071b9 vs. e3d0fe898bb0451b2485ccc0be42354614f4fba3 --- pkgs/os-specific/linux/criu/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/criu/default.nix b/pkgs/os-specific/linux/criu/default.nix index fb25ef27378..efca4c7bbb5 100644 --- a/pkgs/os-specific/linux/criu/default.nix +++ b/pkgs/os-specific/linux/criu/default.nix @@ -24,7 +24,7 @@ stdenv.mkDerivation rec { ln -sf ${protobuf}/include/google/protobuf/descriptor.proto ./images/google/protobuf/descriptor.proto ''; - configurePhase = "make config PREFIX=$out"; + buildPhase = "make PREFIX=$out"; makeFlags = "PREFIX=$(out)"; From 0751027b3155406a4cd61568bc8393f9e34b5fa0 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 31 May 2016 16:24:38 +0200 Subject: [PATCH 444/603] wxPython: Disable format hardening --- pkgs/development/python-modules/wxPython/3.0.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/python-modules/wxPython/3.0.nix b/pkgs/development/python-modules/wxPython/3.0.nix index 7c225a95f2a..5f224428fce 100644 --- a/pkgs/development/python-modules/wxPython/3.0.nix +++ b/pkgs/development/python-modules/wxPython/3.0.nix @@ -23,6 +23,8 @@ buildPythonPackage rec { sha256 = "0qfzx3sqx4mwxv99sfybhsij4b5pc03ricl73h4vhkzazgjjjhfm"; }; + hardeningDisable = [ "format" ]; + propagatedBuildInputs = [ pkgconfig wxGTK (wxGTK.gtk) libX11 ] ++ lib.optional openglSupport pyopengl; preConfigure = "cd wxPython"; 
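Review bot: In the criu hunk `buildPhase = "make PREFIX=$out"` replaces the generic build phase entirely, so the `makeFlags = "PREFIX=$(out)"` on the next context line no longer reaches the build invocation (only the install), `enableParallelBuilding` and the build hooks are bypassed, and PREFIX is now spelled in two places. If the intent is only to stop running `make config`, `dontConfigure = true;` together with the existing makeFlags does that without overriding the phase; if criu still needs the `make config` step, it should return as a `preBuild` or configurePhase. I cannot see from the hunk whether the current criu version requires that step, so please check before choosing.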
From c22c137c6cf3616b30f87028d92eb9d5fca35fec Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 2 Aug 2016 18:01:21 +0200 Subject: [PATCH 445/603] ruby_2_0: disable format hardening --- pkgs/development/interpreters/ruby/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/development/interpreters/ruby/default.nix b/pkgs/development/interpreters/ruby/default.nix index 8db9dd4eaf9..446013faafd 100644 --- a/pkgs/development/interpreters/ruby/default.nix +++ b/pkgs/development/interpreters/ruby/default.nix @@ -22,6 +22,7 @@ let then version else versionNoPatch; tag = "v" + stdenv.lib.replaceChars ["." "p" "-"] ["_" "_" ""] fullVersionName; + isRuby20 = majorVersion == "2" && minorVersion == "0"; isRuby21 = majorVersion == "2" && minorVersion == "1"; baseruby = self.override { useRailsExpress = false; }; self = lib.makeOverridable ( @@ -81,6 +82,8 @@ let enableParallelBuilding = true; + hardeningDisable = lib.optional isRuby20 [ "format" ]; + patches = [ ./gem_hook.patch ] ++ (import ./patchsets.nix { From fbbd50dbab794c7fcf748f54517596a6a96df96e Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 2 Aug 2016 18:42:47 +0200 Subject: [PATCH 446/603] unicon-lang: disable fortify hardening Detects buffer overflow in a tool used at link time. --- pkgs/development/interpreters/unicon-lang/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/interpreters/unicon-lang/default.nix b/pkgs/development/interpreters/unicon-lang/default.nix index 7487aa63313..a6dfec49b2a 100644 --- a/pkgs/development/interpreters/unicon-lang/default.nix +++ b/pkgs/development/interpreters/unicon-lang/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { }; buildInputs = [ libX11 libXt unzip ]; + hardeningDisable = [ "fortify" ]; + sourceRoot = "."; configurePhase = '' From f0d0164a3811a4cd570dc64ffe8c56824c736f06 Mon Sep 17 00:00:00 2001 
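Review bot: `hardeningDisable = lib.optional isRuby20 [ "format" ];` in the ruby hunk wraps its argument in a list, so for Ruby 2.0 the attribute becomes `[ [ "format" ] ]` rather than `[ "format" ]`. The derivation's string coercion may happen to flatten that, but any Nix-level reader of the attribute (overrides, `lib.elem` checks) sees a nested list, and the form is wrong regardless. Use `hardeningDisable = lib.optional isRuby20 "format";` (or `lib.optionals isRuby20 [ "format" ]`).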
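Review bot: The unicon-lang hunk disables fortify to silence what the commit message describes as a buffer overflow detected in a link-time tool, i.e. _FORTIFY_SOURCE caught a real bug and the fix removes the detector rather than the bug, and nothing in the expression records that. Unless that tool is build-only (the hunk does not show whether it is also installed), the same code ships in the output without the runtime check. Suggest `hardeningDisable = [ "fortify" ]; # _FORTIFY_SOURCE aborts on a buffer overflow in a build-time tool; TODO patch upstream and re-enable` so the overflow is tracked instead of forgotten.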
From: Franz Pletz Date: Tue, 2 Aug 2016 19:11:29 +0200 Subject: [PATCH 447/603] tracefilesim: disable fortify hardening --- .../tools/analysis/garcosim/tracefilesim/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/tools/analysis/garcosim/tracefilesim/default.nix b/pkgs/development/tools/analysis/garcosim/tracefilesim/default.nix index 740d51cc134..7a6f3481d53 100644 --- a/pkgs/development/tools/analysis/garcosim/tracefilesim/default.nix +++ b/pkgs/development/tools/analysis/garcosim/tracefilesim/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { sha256 = "156m92k38ap4bzidbr8dzl065rni8lrib71ih88myk9z5y1x5nxm"; }; + hardeningDisable = [ "fortify" ]; + installPhase = '' mkdir --parents "$out/bin" cp ./traceFileSim "$out/bin" From c1f1fd68cc0342ebb55c6ed004f71dffbcbfaa0c Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 2 Aug 2016 20:02:50 +0200 Subject: [PATCH 448/603] gegl_0_3: disable format hardening, add autoreconfHook --- pkgs/development/libraries/gegl/3.0.nix | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/pkgs/development/libraries/gegl/3.0.nix b/pkgs/development/libraries/gegl/3.0.nix index 1ca0a2b5925..ab05715feb7 100644 --- a/pkgs/development/libraries/gegl/3.0.nix +++ b/pkgs/development/libraries/gegl/3.0.nix @@ -1,5 +1,5 @@ { stdenv, fetchurl, pkgconfig, glib, babl, libpng, cairo, libjpeg, which -, librsvg, pango, gtk, bzip2, intltool, libtool, automake, autoconf, json_glib }: +, librsvg, pango, gtk, bzip2, json_glib, intltool, autoreconfHook }: stdenv.mkDerivation rec { name = "gegl-0.3.6"; 
@@ -9,17 +9,18 @@ stdenv.mkDerivation rec { sha256 = "08m7dlf2kwmp7jw3qskwxas192swhn1g4jcd8aldg9drfjygprvh"; }; - configureScript = "./autogen.sh"; + hardeningDisable = [ "format" ]; # needs fonts otherwise don't know how to pass them configureFlags = "--disable-docs"; - buildInputs = [ babl libpng cairo libjpeg librsvg pango gtk bzip2 intltool - autoconf automake libtool which json_glib ]; + buildInputs = [ + babl libpng cairo libjpeg librsvg pango gtk bzip2 which json_glib intltool + ]; - nativeBuildInputs = [ pkgconfig ]; + nativeBuildInputs = [ pkgconfig autoreconfHook ]; - meta = { + meta = { description = "Graph-based image processing framework"; homepage = http://www.gegl.org; license = stdenv.lib.licenses.gpl3; From 98473cdb15d18e5f0b862a72ac7e629a433481fc Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 3 Aug 2016 13:08:05 +0000 Subject: [PATCH 449/603] x42-plugins: fix unpacking --- pkgs/applications/audio/x42-plugins/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/audio/x42-plugins/default.nix b/pkgs/applications/audio/x42-plugins/default.nix index f3a72050810..9ca78ee1a3f 100644 --- a/pkgs/applications/audio/x42-plugins/default.nix +++ b/pkgs/applications/audio/x42-plugins/default.nix @@ -1,5 +1,5 @@ { stdenv, fetchurl, fetchgit, ftgl, freefont_ttf, libjack2, mesa_glu, pkgconfig -, libltc, libsndfile, libsamplerate +, libltc, libsndfile, libsamplerate, xz , lv2, mesa, gtk2, cairo, pango, fftwFloat, zita-convolver }: stdenv.mkDerivation rec { 
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "1ald0c5xbfkdq6g5xwyy8wmbi636m3k3gqrq16kbh46g0kld1as9"; }; - buildInputs = [ mesa_glu ftgl freefont_ttf libjack2 libltc libsndfile libsamplerate lv2 mesa gtk2 cairo pango fftwFloat pkgconfig zita-convolver]; + buildInputs = [ xz mesa_glu ftgl freefont_ttf libjack2 libltc libsndfile libsamplerate lv2 mesa gtk2 cairo pango fftwFloat pkgconfig zita-convolver]; makeFlags = [ "PREFIX=$(out)" "FONTFILE=${freefont_ttf}/share/fonts/truetype/FreeSansBold.ttf" "LIBZITACONVOLVER=${zita-convolver}/include/zita-convolver.h" ]; From 3f9e8601f2a8537de90f04375400538049bbdaf2 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 3 Aug 2016 13:19:52 +0000 Subject: [PATCH 450/603] vxl: remove obsolete patch --- pkgs/development/libraries/vxl/default.nix | 2 -- pkgs/development/libraries/vxl/gcc5.patch | 15 --------------- 2 files changed, 17 deletions(-) delete mode 100644 pkgs/development/libraries/vxl/gcc5.patch diff --git a/pkgs/development/libraries/vxl/default.nix b/pkgs/development/libraries/vxl/default.nix index faed2052fa5..b9f3c0e64d6 100644 --- a/pkgs/development/libraries/vxl/default.nix +++ b/pkgs/development/libraries/vxl/default.nix @@ -22,8 +22,6 @@ stdenv.mkDerivation { enableParallelBuilding = true; - patches = [ ./gcc5.patch ]; - meta = { description = "C++ Libraries for Computer Vision Research and Implementation"; homepage = http://vxl.sourceforge.net/; diff --git a/pkgs/development/libraries/vxl/gcc5.patch b/pkgs/development/libraries/vxl/gcc5.patch deleted file mode 100644 index 4660f9e8f48..00000000000 --- a/pkgs/development/libraries/vxl/gcc5.patch +++ /dev/null 
@@ -1,15 +0,0 @@ -https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20150216/1511118.html - ---- vxl-git4e07960/vcl/vcl_compiler.h~ 2012-11-02 12:08:21.000000000 +0100 -+++ vxl-git4e07960/vcl/vcl_compiler.h 2015-02-15 13:50:46.376329878 +0100 -@@ -119,6 +119,10 @@ - # else - # define VCL_GCC_40 - # endif -+# elif (__GNUC__== 5) -+// pretend GCC 5 to be GCC 4 -+# define VCL_GCC_4 -+# define VCL_GCC_41 - # else - # error "Dunno about this gcc" - # endif From a132aa46d6e817bb6fcb68254a554dc3f5f0ecae Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 3 Aug 2016 20:02:44 +0000 Subject: [PATCH 451/603] gjay: disable format hardening --- pkgs/applications/audio/gjay/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/gjay/default.nix b/pkgs/applications/audio/gjay/default.nix index 93b23b2f763..7486ec3e081 100644 --- a/pkgs/applications/audio/gjay/default.nix +++ b/pkgs/applications/audio/gjay/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation { buildInputs = [ mpd_clientlib dbus_glib audacious gtk gsl libaudclient ]; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "Generates playlists such that each song sounds good following the previous song"; homepage = http://gjay.sourceforge.net/; From c95ab0a2d192aae427213e17d79ed83d8cea3fa1 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 3 Aug 2016 20:03:04 +0000 Subject: [PATCH 452/603] gnumake380: disable format hardening --- .../development/tools/build-managers/gnumake/3.80/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/development/tools/build-managers/gnumake/3.80/default.nix b/pkgs/development/tools/build-managers/gnumake/3.80/default.nix index 9422a74aedd..08dd0acb42b 100644 --- a/pkgs/development/tools/build-managers/gnumake/3.80/default.nix +++ b/pkgs/development/tools/build-managers/gnumake/3.80/default.nix 
@@ -2,12 +2,16 @@ stdenv.mkDerivation { name = "gnumake-3.80"; + src = fetchurl { url = http://tarballs.nixos.org/make-3.80.tar.bz2; md5 = "0bbd1df101bc0294d440471e50feca71"; }; + patches = [./log.patch]; + hardeningDisable = [ "format" ]; + meta = { platforms = stdenv.lib.platforms.unix; }; From 08928dc57a73bf56560a9487e1f398eae34b1436 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 3 Aug 2016 20:03:18 +0000 Subject: [PATCH 453/603] kconfig-frontends: disable format hardening --- pkgs/development/tools/misc/kconfig-frontends/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/tools/misc/kconfig-frontends/default.nix b/pkgs/development/tools/misc/kconfig-frontends/default.nix index 13e02fb9272..8449cf9b6f3 100644 --- a/pkgs/development/tools/misc/kconfig-frontends/default.nix +++ b/pkgs/development/tools/misc/kconfig-frontends/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ bison flex gperf ncurses pkgconfig ]; + hardeningDisable = [ "format" ]; + configureFlags = [ "--enable-frontends=conf,mconf,nconf" ]; From e266c6a2c15668f4de7fc66991fc308c880ae9e3 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 3 Aug 2016 20:03:36 +0000 Subject: [PATCH 454/603] eboard: disable format hardening --- pkgs/games/eboard/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/games/eboard/default.nix b/pkgs/games/eboard/default.nix index 1a99fcd9c24..7915822589c 100644 --- a/pkgs/games/eboard/default.nix +++ b/pkgs/games/eboard/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation { buildInputs = [ gtk ]; nativeBuildInputs = [ perl pkgconfig ]; + hardeningDisable = [ "format" ]; + preConfigure = '' patchShebangs ./configure ''; From 847f9994e46f2fc959f5db01ec3d4b3f448b5b00 Mon Sep 17 00:00:00 2001 
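Review bot: The gnumake-3.80 source fetch right above the new `hardeningDisable` line still pins the tarball with `md5 = "0bbd1df101bc0294d440471e50feca71"`; md5 is collision-broken, and the commit edits this block without upgrading the check. Since this derivation is being touched anyway, replacing it with a sha256 obtained from `nix-prefetch-url` on the same tarball would give the fixed-output check real integrity value: `sha256 = "<prefetched sha256 of make-3.80.tar.bz2>";` in place of the md5 attribute. The rest of the hunk (patches, meta) is fine as is.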
From: Robin Gloster Date: Wed, 3 Aug 2016 20:04:03 +0000 Subject: [PATCH 455/603] gnugo: disable format hardening --- pkgs/games/gnugo/default.nix | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/pkgs/games/gnugo/default.nix b/pkgs/games/gnugo/default.nix index 4e6163d7163..827388691af 100644 --- a/pkgs/games/gnugo/default.nix +++ b/pkgs/games/gnugo/default.nix @@ -1,25 +1,20 @@ { stdenv, fetchurl }: -let - - versionNumber = "3.8"; - -in - -stdenv.mkDerivation { - - name = "gnugo-${versionNumber}"; +stdenv.mkDerivation rec { + name = "gnugo-${version}"; + version = "3.8"; src = fetchurl { - url = "mirror://gnu/gnugo/gnugo-${versionNumber}.tar.gz"; + url = "mirror://gnu/gnugo/gnugo-${version}.tar.gz"; sha256 = "0wkahvqpzq6lzl5r49a4sd4p52frdmphnqsfdv7gdp24bykdfs6s"; }; + hardeningDisable = [ "format" ]; + meta = { description = "GNU Go - A computer go player"; homepage = "http://http://www.gnu.org/software/gnugo/"; license = stdenv.lib.licenses.gpl3; platforms = stdenv.lib.platforms.unix; }; - } From 7423e029a22b0f451665caf4c2ac82a773736c43 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 3 Aug 2016 20:04:28 +0000 Subject: [PATCH 456/603] convertlit: disable format hardening --- pkgs/tools/text/convertlit/default.nix | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/pkgs/tools/text/convertlit/default.nix b/pkgs/tools/text/convertlit/default.nix index 331fc3fea35..ffc2dc1c4d5 100644 --- a/pkgs/tools/text/convertlit/default.nix +++ b/pkgs/tools/text/convertlit/default.nix 
@@ -1,22 +1,24 @@ -{stdenv, fetchurl, unzip, libtommath}: +{stdenv, fetchzip, libtommath}: stdenv.mkDerivation { name = "convertlit-1.8"; - - src = fetchurl { + + src = fetchzip { url = http://www.convertlit.com/convertlit18src.zip; - sha256 = "1fjpwncyc2r3ipav7c9m7jxy6i7mphbyqj3gsm046425p7sqa2np"; + sha256 = "182nsin7qscgbw2h92m0zadh3h8q410h5cza6v486yjfvla3dxjx"; + stripRoot = false; }; - buildInputs = [unzip libtommath]; + buildInputs = [libtommath]; - sourceRoot = "."; + hardeningDisable = [ "format" ]; buildPhase = '' cd lib make cd ../clit18 - substituteInPlace Makefile --replace ../libtommath-0.30/libtommath.a -ltommath + substituteInPlace Makefile \ + --replace ../libtommath-0.30/libtommath.a -ltommath make ''; From 708653a6342de33689c853eb3b59c5f85202c0e8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 3 Aug 2016 20:08:54 +0000 Subject: [PATCH 457/603] kino: disable format hardening --- pkgs/applications/video/kino/default.nix | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/pkgs/applications/video/kino/default.nix b/pkgs/applications/video/kino/default.nix index 2503d78183f..ea515827087 100644 --- a/pkgs/applications/video/kino/default.nix +++ b/pkgs/applications/video/kino/default.nix @@ -67,14 +67,11 @@ stdenv.mkDerivation { pkgconfig perl perlXMLParser libavc1394 libiec61883 intltool libXv gettext libX11 glib cairo ffmpeg libv4l ]; # TODOoptional packages configureFlags = "--enable-local-ffmpeg=no"; - #preConfigure = " - # grep 11 env-vars - # ex - #"; + + hardeningDisable = [ "format" ]; patches = [ ./kino-1.3.4-v4l1.patch ./kino-1.3.4-libav-0.7.patch ./kino-1.3.4-libav-0.8.patch ]; #./kino-1.3.4-libavcodec-pkg-config.patch ]; - postInstall = " rpath=`patchelf --print-rpath \$out/bin/kino`; for i in $\buildInputs; do @@ -86,8 +83,7 @@ stdenv.mkDerivation { done "; - - meta = { + meta = { description = "Non-linear DV editor for GNU/Linux"; homepage = http://www.kinodv.org/; license = stdenv.lib.licenses.gpl2; 
From bfa5a27ed9f87307f688fdece77a99e79b4bbee8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 3 Aug 2016 20:13:49 +0000 Subject: [PATCH 458/603] pfixtools: set -Wno-error=unused-result hardening enables further warnings breaking the build --- pkgs/servers/mail/postfix/pfixtools.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/mail/postfix/pfixtools.nix b/pkgs/servers/mail/postfix/pfixtools.nix index 3e7ef9f23db..b17beeb095f 100644 --- a/pkgs/servers/mail/postfix/pfixtools.nix +++ b/pkgs/servers/mail/postfix/pfixtools.nix @@ -38,6 +38,8 @@ stdenv.mkDerivation { --replace /bin/bash ${bash}/bin/bash; ''; + NIX_CFLAGS_COMPILE = "-Wno-error=unused-result"; + makeFlags = "DESTDIR=$(out) prefix="; meta = { From a3a2d52595b4173b51678044702ed68223bd347d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 3 Aug 2016 20:19:41 +0000 Subject: [PATCH 459/603] rman: disable format hardening --- pkgs/development/tools/misc/rman/default.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pkgs/development/tools/misc/rman/default.nix b/pkgs/development/tools/misc/rman/default.nix index 01e4b22e5f1..702dabcf395 100644 --- a/pkgs/development/tools/misc/rman/default.nix +++ b/pkgs/development/tools/misc/rman/default.nix @@ -2,16 +2,21 @@ stdenv.mkDerivation { name = "rman-3.2"; + src = fetchurl { url = mirror://sourceforge/polyglotman/3.2/rman-3.2.tar.gz; sha256 = "0prdld6nbkdlkcgc2r1zp13h2fh8r0mlwxx423dnc695ddlk18b8"; }; + makeFlags = "BINDIR=$(out)/bin MANDIR=$(out)/share/man"; + preInstall = '' mkdir -p $out/bin mkdir -p $out/share/man ''; - + + hardeningDisable = [ "format" ]; + meta = { description = "Parse formatted man pages and man page source from most flavors of UNIX and converts them to HTML, ASCII, TkMan, DocBook, and other formats"; license = "artistic"; From 4f6bd094fbee12c469b7049292ce2d2638833048 Mon Sep 17 00:00:00 2001 
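Review bot: `NIX_CFLAGS_COMPILE = "-Wno-error=unused-result"` in the pfixtools hunk suppresses the diagnostic build-wide instead of handling the ignored return values that the hardened (presumably fortified) headers now flag, and for a Postfix-side policy daemon those are likely calls such as write/read/chown/setuid whose failure matters; which sites are affected is not visible here. A one-line note would keep this from looking intentional: `NIX_CFLAGS_COMPILE = "-Wno-error=unused-result"; # hardening makes warn_unused_result fatal; upstream ignores several syscall return values, TODO patch`. Better still, a small patch checking those returns would let the flag go away.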
From: Robin Gloster Date: Wed, 3 Aug 2016 20:24:53 +0000 Subject: [PATCH 460/603] spidermonkey_1_8_0rc1: disable format hardening --- pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix b/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix index 46dedb36de9..41d37d3e39a 100644 --- a/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix +++ b/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix @@ -13,9 +13,11 @@ stdenv.mkDerivation rec { postUnpack = "sourceRoot=\${sourceRoot}/src"; + hardeningDisable = [ "format" ]; + makefileExtra = ./Makefile.extra; makefile = "Makefile.ref"; - + patchPhase = '' cat ${makefileExtra} >> ${makefile} From 552a8c421943ce48c4bf964ebbf56f4362493aa4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 3 Aug 2016 20:28:05 +0000 Subject: [PATCH 461/603] talkfilters: disable format hardening --- pkgs/misc/talkfilters/default.nix | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/pkgs/misc/talkfilters/default.nix b/pkgs/misc/talkfilters/default.nix index 7447620e71b..4b3158b7a3d 100644 --- a/pkgs/misc/talkfilters/default.nix +++ b/pkgs/misc/talkfilters/default.nix 
@@ -1,21 +1,23 @@ { stdenv, fetchurl }: -let - name = "talkfilters"; +let + pname = "talkfilters"; version = "2.3.8"; in stdenv.mkDerivation { - name = "${name}"; + name = "${pname}-${version}"; src = fetchurl { - url = "http://www.hyperrealm.com/${name}/${name}-${version}.tar.gz"; + url = "http://www.hyperrealm.com/${pname}/${pname}-${version}.tar.gz"; sha256 = "19nc5vq4bnkjvhk8srqddzhcs93jyvpm9r6lzjzwc1mgf08yg0a6"; }; - meta = { + hardeningDisable = [ "format" ]; + + meta = { description = "Converts English text into text that mimics a stereotyped or humorous dialect"; - homepage = "http://http://www.hyperrealm.com/${name}"; + homepage = "http://http://www.hyperrealm.com/${pname}"; license = stdenv.lib.licenses.gpl2; maintainers = with stdenv.lib.maintainers; [ ikervagyok ]; platforms = with stdenv.lib.platforms; unix; From 7ab971a25200041e959ba65eb87528e2b116f8b3 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 3 Aug 2016 20:32:34 +0000 Subject: [PATCH 462/603] scummvm: disable format hardening --- pkgs/games/scummvm/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/games/scummvm/default.nix b/pkgs/games/scummvm/default.nix index a51b51395db..91c3114694b 100644 --- a/pkgs/games/scummvm/default.nix +++ b/pkgs/games/scummvm/default.nix @@ -2,14 +2,16 @@ stdenv.mkDerivation rec { name = "scummvm-1.8.0"; - + src = fetchurl { url = "mirror://sourceforge/scummvm/${name}.tar.bz2"; sha256 = "0f3zgvz886lk9ps0v333aq74vx6grlx68hg14gfaxcvj55g73v01"; }; - + buildInputs = [ SDL zlib libmpeg2 libmad libogg libvorbis flac alsaLib ]; + hardeningDisable = [ "format" ]; + crossAttrs = { preConfigure = '' # Remove the --build flag set by the gcc cross wrapper setup From 46323899bc73a743b87ed16fe764fb038b0e7709 Mon Sep 17 00:00:00 2001 
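Review bot: The rewritten `homepage` line keeps the doubled scheme in `"http://http://www.hyperrealm.com/${pname}"`, which is not a valid URL; since the line is touched anyway, it should become `homepage = "http://www.hyperrealm.com/${pname}";`. The `url` line a few lines above already uses the single-scheme form, so the two would then agree.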
From: Robin Gloster
Date: Thu, 4 Aug 2016 07:24:24 +0000
Subject: [PATCH 463/603] ctpp2: use default gcc
---
 pkgs/development/libraries/ctpp2/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/libraries/ctpp2/default.nix b/pkgs/development/libraries/ctpp2/default.nix
index 00b5f7a8f13..905121286c8 100644
--- a/pkgs/development/libraries/ctpp2/default.nix
+++ b/pkgs/development/libraries/ctpp2/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, cmake, gcc48 }:
+{ stdenv, fetchurl, cmake }:
 stdenv.mkDerivation rec {
 name = "ctpp2";
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
 sha256 = "1z22zfw9lb86z4hcan9hlvji49c9b7vznh7gjm95gnvsh43zsgx8";
 };
- buildInputs = [ cmake gcc48 ];
+ buildInputs = [ cmake ];
 patchPhase = ''
 # include to fix undefined getcwd
From 7e81a4294d0a9bd11f44c6fa2d8e1a20f54f979b Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 4 Aug 2016 07:25:56 +0000
Subject: [PATCH 464/603] dlx: disable format hardening
---
 pkgs/misc/emulators/dlx/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/misc/emulators/dlx/default.nix b/pkgs/misc/emulators/dlx/default.nix
index 01c5f866e1b..feb474a1376 100644
--- a/pkgs/misc/emulators/dlx/default.nix
+++ b/pkgs/misc/emulators/dlx/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation {
 makeFlags = "LINK=gcc CFLAGS=-O2";
+ hardeningDisable = [ "format" ];
+
 installPhase = ''
 mkdir -p $out/include/dlx $out/share/dlx/{examples,doc} $out/bin
 mv -v masm mon dasm $out/bin/
From a748f315db7ef195ae29d868009791fbeef7458b Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 4 Aug 2016 07:26:31 +0000
Subject: [PATCH 465/603] fakenes: disable format hardening
---
 pkgs/misc/emulators/fakenes/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/misc/emulators/fakenes/default.nix b/pkgs/misc/emulators/fakenes/default.nix
index 1f986430b81..6e9253b299e 100644
--- a/pkgs/misc/emulators/fakenes/default.nix
+++ b/pkgs/misc/emulators/fakenes/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation { buildInputs = [ allegro openal mesa zlib hawknl freeglut libX11 libXxf86vm libXcursor libXpm ]; + hardeningDisable = [ "format" ]; + installPhase = '' mkdir -p $out/bin cp fakenes $out/bin From a2ce15318bc8087903060a03b53639b8537d21d2 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 4 Aug 2016 07:30:30 +0000 Subject: [PATCH 466/603] fondu: disable fortify hardening --- pkgs/tools/misc/fondu/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/tools/misc/fondu/default.nix b/pkgs/tools/misc/fondu/default.nix index 516abfd2eb5..7610bb88f39 100644 --- a/pkgs/tools/misc/fondu/default.nix +++ b/pkgs/tools/misc/fondu/default.nix @@ -3,12 +3,16 @@ stdenv.mkDerivation rec { version = "060102"; name = "fondu-${version}"; + src = fetchurl { url = "http://fondu.sourceforge.net/fondu_src-${version}.tgz"; sha256 = "152prqad9jszjmm4wwqrq83zk13ypsz09n02nrk1gg0fcxfm7fr2"; }; + makeFlags = "DESTDIR=$(out)"; + hardeningDisable = [ "fortify" ]; + meta = { platforms = stdenv.lib.platforms.unix; }; From 56e69fcc0ee9412e80f8ce83a08ad5a8897d5fc4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 4 Aug 2016 07:40:02 +0000 Subject: [PATCH 467/603] iptraf: disable fortify hardening --- pkgs/applications/networking/iptraf/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/networking/iptraf/default.nix b/pkgs/applications/networking/iptraf/default.nix index 1d67fa3dcf5..d1a0b2d4b02 100644 --- a/pkgs/applications/networking/iptraf/default.nix +++ b/pkgs/applications/networking/iptraf/default.nix @@ -2,12 +2,14 @@ stdenv.mkDerivation rec { name = "iptraf-3.0.1"; - + src = fetchurl { url = ftp://iptraf.seul.org/pub/iptraf/iptraf-3.0.1.tar.gz; sha256 = "12n059j9iihhpf6spmlaspqzxz3wqan6kkpnhmlj08jdijpnk84m"; }; + hardeningDisable = [ "format" ]; + patchPhase = '' sed -i -e 's,#include ,#include ,' src/* ''; 
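Review bot: `hardeningDisable = [ "fortify" ];` removes `_FORTIFY_SOURCE` from a tool whose job is parsing font files from outside the system, which is the kind of input the length-checked replacements are meant for, and the hunk does not say what failed. The documentation added later in this series (PATCH 484) lists the usual fortify failure modes and notes that `-Wno-error=unused-result` is often enough, which is what PATCH 483 does for qrcode; that should be tried before disabling fortify outright. Whichever is kept, a comment with the failing error line, e.g. `hardeningDisable = [ "fortify" ]; # <build error, to be recorded>`, documents why.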
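Review bot: The commit subject says "disable fortify hardening" but the line added to iptraf's derivation is `hardeningDisable = [ "format" ];`, so the history will mislead anyone later auditing which packages build without fortify. The same subject/hunk mismatch appears in fontmatrix (468), libgksu (469) and mmv (470). Since iptraf is a packet-capture tool that typically runs with raw-socket privileges, losing `-Werror=format-security` here is more consequential than for the games in this series, and a source fix of the reported printf call would be preferable. The enclosing derivation continues outside the hunk.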
@@ -18,7 +20,7 @@ stdenv.mkDerivation rec { mkdir -p $out/bin cp iptraf $out/bin ''; - + buildInputs = [ncurses]; meta = { From e2844fcfc3d0c984a9356fb4cf82ebab8002841e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 4 Aug 2016 07:40:28 +0000 Subject: [PATCH 468/603] fontmatrix: disable fortify hardening --- pkgs/applications/graphics/fontmatrix/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/graphics/fontmatrix/default.nix b/pkgs/applications/graphics/fontmatrix/default.nix index 14ab9c26d7d..fc30a355910 100644 --- a/pkgs/applications/graphics/fontmatrix/default.nix +++ b/pkgs/applications/graphics/fontmatrix/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ cmake ]; + hardeningDisable = [ "format" ]; + meta = { description = "Fontmatrix is a free/libre font explorer for Linux, Windows and Mac"; homepage = http://fontmatrix.be/; From 3bff87331422d8a9cbad920b91e60c2681b4dc8b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 4 Aug 2016 07:44:43 +0000 Subject: [PATCH 469/603] libgksu: disable fortify hardening --- pkgs/development/libraries/libgksu/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/libgksu/default.nix b/pkgs/development/libraries/libgksu/default.nix index 90d1b21cd3f..b86eba685bb 100644 --- a/pkgs/development/libraries/libgksu/default.nix +++ b/pkgs/development/libraries/libgksu/default.nix @@ -24,6 +24,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "format" ]; + patches = [ # Patches from the gentoo ebuild From 78fc5dde2888279475bb5ccdfd2e9a065a870036 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 4 Aug 2016 07:47:05 +0000 Subject: [PATCH 470/603] mmv: disable fortify hardening --- pkgs/tools/misc/mmv/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/mmv/default.nix b/pkgs/tools/misc/mmv/default.nix index ed2f54d693d..417583ecc9e 100644 
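Review bot: libgksu exists to run commands with elevated privileges, so a format-string defect in it sits on a privilege boundary, and `hardeningDisable = [ "format" ];` silences exactly that class of warning for the whole library. Rather than disabling the check, the non-literal format call the compiler reports should be patched — the file already carries a `patches` list taken from the Gentoo ebuild, which is the natural place — and if a disable is unavoidable it needs a comment citing the specific warning. The `patches` list and the rest of the derivation continue outside the hunk.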
--- a/pkgs/tools/misc/mmv/default.nix +++ b/pkgs/tools/misc/mmv/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "0399c027ea1e51fd607266c1e33573866d4db89f64a74be8b4a1d2d1ff1fdeef"; }; + hardeningDisable = [ "format" ]; + patches = [ # Use Debian patched version, as upstream is no longer maintained and it # contains a _lot_ of fixes. From dd7e09114f155e4e142792e80a4195901c398251 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 4 Aug 2016 07:21:15 +0000 Subject: [PATCH 471/603] bip: set -Wno-error=unused-result, remove --disable-pie --- pkgs/applications/networking/irc/bip/default.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/pkgs/applications/networking/irc/bip/default.nix b/pkgs/applications/networking/irc/bip/default.nix index ee9a6392e07..e391f0074c5 100644 --- a/pkgs/applications/networking/irc/bip/default.nix +++ b/pkgs/applications/networking/irc/bip/default.nix @@ -30,10 +30,7 @@ in stdenv.mkDerivation { } ]; - postPatch = '' - ''; - - configureFlags = [ "--disable-pie" ]; + NIX_CFLAGS_COMPILE = "-Wno-error=unused-result"; buildInputs = [ bison flex autoconf automake openssl ]; From 05dbbae47cfc9c03badfe4616be84d17acf44fbc Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 4 Aug 2016 11:03:28 +0200 Subject: [PATCH 472/603] vlan: disable format hardening --- pkgs/tools/networking/vlan/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/networking/vlan/default.nix b/pkgs/tools/networking/vlan/default.nix index 9c9376550df..41ece0537ab 100644 --- a/pkgs/tools/networking/vlan/default.nix +++ b/pkgs/tools/networking/vlan/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1jjc5f26hj7bk8nkjxsa8znfxcf8pgry2ipnwmj2fr6ky0dhm3rv"; }; + hardeningDisable = [ "format" ]; + preBuild = '' # Ouch, the tarball contains pre-compiled binaries. 
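Review bot: With `--disable-pie` gone, bip — an IRC proxy that accepts network connections — presumably still builds without PIE, because PIE is off by default according to the hardening documentation added in PATCH 484, which recommends enabling it "for packages that take untrusted input, like network services". Consider adding `hardeningEnable = [ "pie" ];` next to the new `NIX_CFLAGS_COMPILE` line. The `-Wno-error=unused-result` setting carries the same caveat noted for pfixtools (PATCH 458): the unchecked return values it hides are still there.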
@@ -18,12 +20,12 @@ stdenv.mkDerivation rec { '' mkdir -p $out/sbin cp vconfig $out/sbin/ - + mkdir -p $out/share/man/man8 cp vconfig.8 $out/share/man/man8/ ''; - meta = { + meta = { description = "User mode programs to enable VLANs on Ethernet devices"; platforms = stdenv.lib.platforms.linux; }; From 1f06067b0102f5d194f2a0f0b6554536e7a28d2c Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 4 Aug 2016 11:05:29 +0200 Subject: [PATCH 473/603] x2x: disable format hardening --- pkgs/tools/X11/x2x/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/X11/x2x/default.nix b/pkgs/tools/X11/x2x/default.nix index 06d08195688..dd529011557 100644 --- a/pkgs/tools/X11/x2x/default.nix +++ b/pkgs/tools/X11/x2x/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { buildInputs = [ imake libX11 libXtst libXext ]; + hardeningDisable = [ "format" ]; + configurePhase = '' xmkmf makeFlags="BINDIR=$out/bin x2x" From b898fdaceb7288cc74f5166d2ee84a9723b64a17 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 4 Aug 2016 11:05:45 +0200 Subject: [PATCH 474/603] xmlroff: disable format hardening --- pkgs/tools/typesetting/xmlroff/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/typesetting/xmlroff/default.nix b/pkgs/tools/typesetting/xmlroff/default.nix index 7bd34f40250..daa79d8e352 100644 --- a/pkgs/tools/typesetting/xmlroff/default.nix +++ b/pkgs/tools/typesetting/xmlroff/default.nix @@ -28,6 +28,8 @@ stdenv.mkDerivation rec { configureFlags = "--disable-pangoxsl --disable-gp"; + hardeningDisable = [ "format" ]; + preBuild = '' substituteInPlace tools/insert-file-as-string.pl --replace "/usr/bin/perl" "${perl}/bin/perl" substituteInPlace Makefile --replace "docs" "" From f993dff52b22e5ddc7c5d1aeeb0b29f5f469044a Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 4 Aug 2016 11:09:14 +0200 Subject: [PATCH 475/603] trackballs: disable format hardening --- pkgs/games/trackballs/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/pkgs/games/trackballs/default.nix b/pkgs/games/trackballs/default.nix index 65e8f82178e..5606be6a594 100644 --- a/pkgs/games/trackballs/default.nix +++ b/pkgs/games/trackballs/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { buildInputs = [ zlib mesa SDL SDL_ttf SDL_mixer SDL_image guile gettext ]; + hardeningDisable = [ "format" ]; + CFLAGS = optionalString debug "-g -O0"; CXXFLAGS = CFLAGS; dontStrip = debug; From 56f03166e1d4ee027b9f313c53c5e86d16c2d357 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 4 Aug 2016 11:09:27 +0200 Subject: [PATCH 476/603] reiser4progs: disable format hardening --- pkgs/tools/filesystems/reiser4progs/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/filesystems/reiser4progs/default.nix b/pkgs/tools/filesystems/reiser4progs/default.nix index cd32025e5b6..681fc1c80ef 100644 --- a/pkgs/tools/filesystems/reiser4progs/default.nix +++ b/pkgs/tools/filesystems/reiser4progs/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [libaal]; + hardeningDisable = [ "format" ]; + preConfigure = '' substituteInPlace configure --replace " -static" "" ''; From 8b7dc1a3d6facdbfd264288aa7ba675aefc81c49 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 4 Aug 2016 11:09:43 +0200 Subject: [PATCH 477/603] ploticus: disable format hardening --- pkgs/tools/graphics/ploticus/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/graphics/ploticus/default.nix b/pkgs/tools/graphics/ploticus/default.nix index ff28959148f..b855410f37f 100644 --- a/pkgs/tools/graphics/ploticus/default.nix +++ b/pkgs/tools/graphics/ploticus/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation { buildInputs = [ zlib libX11 libpng ]; + hardeningDisable = [ "format" ]; + patches = [ ./ploticus-install.patch ]; meta = with stdenv.lib; { From 0c7f045a7a265cc7a6f6ff2c298d22b522c71bd3 Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Thu, 4 Aug 2016 11:09:57 +0200 Subject: [PATCH 478/603] tex4ht: disable format hardening --- pkgs/tools/typesetting/tex/tex4ht/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/typesetting/tex/tex4ht/default.nix b/pkgs/tools/typesetting/tex/tex4ht/default.nix index 8380abf2e94..5aaae2c06b2 100644 --- a/pkgs/tools/typesetting/tex/tex4ht/default.nix +++ b/pkgs/tools/typesetting/tex/tex4ht/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ tetex unzip ]; + hardeningDisable = [ "format" ]; + buildPhase = '' cd src for f in tex4ht t4ht htcmd ; do From 1f1637f6a04c9a899f88a6e0e526ddfcf9f49bd1 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 4 Aug 2016 11:12:20 +0200 Subject: [PATCH 479/603] lprof: disable format hardening --- pkgs/tools/graphics/lprof/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/graphics/lprof/default.nix b/pkgs/tools/graphics/lprof/default.nix index 0aee233e79b..7f6a15da33d 100644 --- a/pkgs/tools/graphics/lprof/default.nix +++ b/pkgs/tools/graphics/lprof/default.nix @@ -7,6 +7,8 @@ stdenv.mkDerivation { name = "lprof-1.11.4.1"; buildInputs = [ scons qt3 lcms1 libtiff vigra ]; + hardeningDisable = [ "format" ]; + preConfigure = '' export QTDIR=${qt3} export qt_directory=${qt3} From 19f5e2a1cfb86579855806513789d5c9db9d3afa Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 5 Aug 2016 18:09:35 +0000 Subject: [PATCH 480/603] x2vnc: disable format hardening --- pkgs/tools/X11/x2vnc/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/X11/x2vnc/default.nix b/pkgs/tools/X11/x2vnc/default.nix index a0d1013b872..31ad524cf8f 100644 --- a/pkgs/tools/X11/x2vnc/default.nix +++ b/pkgs/tools/X11/x2vnc/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { xorg.libXrandr xorg.randrproto ]; - preInstall = "mkdir -p $out"; + hardeningDisable = [ "format" ]; meta = { homepage = http://fredrik.hubbe.net/x2vnc.html; 
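Review bot: The hunk replaces `preInstall = "mkdir -p $out";` with `hardeningDisable = [ "format" ];` instead of adding the new line, so the step that created `$out` before install is gone while the subject mentions only the hardening change. Unless the upstream Makefile's install target creates the prefix itself, this will fail at install time; if that was verified, the commit message should say the `preInstall` was found unnecessary. Otherwise restore it as `preInstall = "mkdir -p $out";` on its own line above the new `hardeningDisable`.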
From bc025e83bd6c44df38851ef23da53359a0e62841 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 5 Aug 2016 18:15:27 +0000 Subject: [PATCH 481/603] uclibc: disable stackprotector hardening --- pkgs/os-specific/linux/uclibc/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/uclibc/default.nix b/pkgs/os-specific/linux/uclibc/default.nix index ab5f149c512..c64297f0529 100644 --- a/pkgs/os-specific/linux/uclibc/default.nix +++ b/pkgs/os-specific/linux/uclibc/default.nix @@ -79,6 +79,8 @@ stdenv.mkDerivation { make oldconfig ''; + hardeningDisable = [ "stackprotector" ]; + # Cross stripping hurts. dontStrip = cross != null; From f7da99c7ff49e149a3f3bae57b80f52df53d63b3 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Aug 2016 11:56:58 +0000 Subject: [PATCH 482/603] xorg.xorgserver: disable relro hardening Fixes modesetting module loading. --- pkgs/servers/x11/xorg/overrides.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/servers/x11/xorg/overrides.nix b/pkgs/servers/x11/xorg/overrides.nix index 5660957011c..bcef1a5419f 100644 --- a/pkgs/servers/x11/xorg/overrides.nix +++ b/pkgs/servers/x11/xorg/overrides.nix @@ -430,6 +430,7 @@ in # and there are no fonts in this package anyway "--enable-glamor" ]; + hardeningDisable = [ "relro" ]; postInstall = '' rm -fr $out/share/X11/xkb/compiled ln -s /var/tmp $out/share/X11/xkb/compiled From d1b2c34750416d1e739cc6626342caf8d25c8b5d Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Fri, 12 Aug 2016 18:10:47 +0200 Subject: [PATCH 483/603] qrcode: enable fortify hardening, disable warning --- pkgs/tools/graphics/qrcode/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/graphics/qrcode/default.nix b/pkgs/tools/graphics/qrcode/default.nix index f39071b394c..606e546af29 100644 --- a/pkgs/tools/graphics/qrcode/default.nix +++ b/pkgs/tools/graphics/qrcode/default.nix 
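Review bot: `hardeningDisable = [ "stackprotector" ];` for a C library is expected but unexplained; the doc text added in PATCH 484 gives `undefined reference to __stack_chk_fail` as the symptom, which presumably is what happens when the libc meant to provide that symbol is itself built with the protector. A short comment such as `# a libc cannot be built against its own __stack_chk_fail` would capture that for the next reader. The derivation continues on both sides of the hunk.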
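Review bot: Only `relro` is disabled for xorgserver, while the hardening documentation in this same series (PATCH 484) states that for relro "in almost all cases the bindnow flag must also be disabled" and lists Xorg's module system as incompatible with bindnow, giving `intel_drv.so: undefined symbol: vgaHWFreeHWRec` as the symptom. If bindnow is not already disabled for xorgserver elsewhere, this should read `hardeningDisable = [ "relro" "bindnow" ];`; if it is, a comment pointing there would avoid the question. Quoting the actual modesetting load error in the commit message would let both flags be re-evaluated later.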
@@ -21,7 +21,7 @@ stdenv.mkDerivation { inherit (s) rev url sha256; }; - hardeningDisable = [ "fortify" ]; + NIX_CFLAGS_COMPILE = "-Wno-error=unused-result"; installPhase = '' mkdir -p "$out"/{bin,share/doc/qrcode} From 55966c2189e29de1d8c3b0294f739e41ab45bf0e Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Fri, 12 Aug 2016 18:11:21 +0200 Subject: [PATCH 484/603] doc: complete the hardening documentation --- doc/stdenv.xml | 178 ++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 169 insertions(+), 9 deletions(-) diff --git a/doc/stdenv.xml b/doc/stdenv.xml index 034e0bb7590..a6359a9cff3 100644 --- a/doc/stdenv.xml +++ b/doc/stdenv.xml @@ -1362,19 +1362,27 @@ in the default system locations.
Hardening in Nixpkgs -By default some flags to harden packages at compile or link-time are set: +There are flags available to harden packages at compile or link-time. +These can be toggled using the stdenv.mkDerivation parameters +hardeningDisable and hardeningEnable. + + +The following flags are enabled by default and might require disabling +if the program to package is incompatible. + - hardening_format + format Adds the compiler options. At present, - this warns about calls to printf and scanf functions where the - format string is not a string literal and there are no format - arguments, as in printf(foo);. This may be - a security hole if the format string came from untrusted input - and contains %n. + this warns about calls to printf and + scanf functions where the format string is + not a string literal and there are no format arguments, as in + printf(foo);. This may be a security hole + if the format string came from untrusted input and contains + %n. This needs to be turned off or fixed for errors similar to: @@ -1387,8 +1395,10 @@ cc1plus: some warnings being treated as errors - hardening_stackprotector - Adds the + stackprotector + + Adds the compiler options. This adds safety checks against stack overwrites rendering many potential code injection attacks into aborting situations. In the best case this turns code injection vulnerabilities into denial 
@@ -1401,7 +1411,157 @@ bin/blib.a(bios_console.o): In function `bios_handle_cup': /tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail' + + + fortify + + Adds the compiler + options. During code generation the compiler knows a great deal of + information about buffer sizes (where possible), and attempts to replace + insecure unlimited length buffer function calls with length-limited ones. + This is especially useful for old, crufty code. Additionally, format + strings in writable memory that contain '%n' are blocked. If an application + depends on such a format string, it will need to be worked around. + + + Addtionally, some warnings are enabled which might trigger build + failures if compiler warnings are treated as errors in the packsge build. + In this case, set to + . + + This needs to be turned off or fixed for errors similar to: + + +malloc.c:404:15: error: return type is an incomplete type +malloc.c:410:19: error: storage size of 'ms' isn't known + + +strdup.h:22:1: error: expected identifier or '(' before '__extension__' + + +strsep.c:65:23: error: register name not specified for 'delim' + + +installwatch.c:3751:5: error: conflicting types for '__open_2' + + +fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments + + + + + + pic + + Adds the compiler options. This options adds + support for position independant code in shared libraries and thus making + ASLR possible. + Most notably, the Linux kernel, kernel modules and other code + not running in an operating system environment like boot loaders won't + build with PIC enabled. The compiler will is most cases complain that + PIC is not supported for a specific build. 
+ + + This needs to be turned off or fixed for assembler errors similar to: + + +ccbLfRgg.s: Assembler messages: +ccbLfRgg.s:33: Error: missing or invalid displacement expression `private_key_len@GOTOFF' + + + + + + strictoverflow + + Signed integer overflow is undefined behaviour according to the C + standard. If it happens, it is an error in the program as it should check + for overflow before it can happen, not afterwards. GCC provides built-in + functions to perform arithmetic with overflow checking, which are correct + and faster than any custom implementation. As a workaround, the option + makes gcc behave as if signed + integer overflows were defined. + + + This flag should not trigger any build or runtime errors. + + + + + relro + + Adds the linker option. During program + load, several ELF memory sections need to be written to by the linker, + but can be turned read-only before turning over control to the program. + This prevents some GOT (and .dtors) overwrite attacks, but at least the + part of the GOT used by the dynamic linker (.got.plt) is still vulnerable. + + + This flag can break dynamic shared object loading. For instance, the + module systems of Xorg and OpenCV are incompatible with this flag. In almost + all cases the bindnow flag must also be disabled and + incompatible programs typically fail with similar errors at runtime. + + + + + bindnow + + Adds the linker option. During program + load, all dynamic symbols are resolved, allowing for the complete GOT to + be marked read-only (due to relro). This prevents GOT + overwrite attacks. For very large applications, this can incur some + performance loss during initial load while symbols are resolved, but this + shouldn't be an issue for daemons. + + + This flag can break dynamic shared object loading. For instance, the + module systems of Xorg and PHP are incompatible with this flag. 
Programs + incompatible with this flag often fail at runtime due to missing symbols, + like: + + +intel_drv.so: undefined symbol: vgaHWFreeHWRec + + + + + +The following flags are disabled by default and should be enabled +for packages that take untrusted input, like network services. + + + + + + pie + + Adds the compiler and + linker options. Position Independent Executables are needed to take + advantage of Address Space Layout Randomization, supported by modern + kernel versions. While ASLR can already be enforced for data areas in + the stack and heap (brk and mmap), the code areas must be compiled as + position-independent. Shared libraries already do this with the + pic flag, so they gain ASLR automatically, but binary + .text regions need to be build with pie to gain ASLR. + When this happens, ROP attacks are much harder since there are no static + locations to bounce off of during a memory corruption attack. + + + + + + +For more in-depth information on these hardening flags and hardening in +general, refer to the +Debian Wiki, +Ubuntu Wiki, +Gentoo Wiki, +and the +Arch Wiki. + +
From 7a56781b35a859b36f523a10b4f3983935eeecc5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Aug 2016 15:12:34 +0000 Subject: [PATCH 485/603] dvdisaster: remove obsolete fortify disabling builds with fortify enabled by now --- pkgs/tools/cd-dvd/dvdisaster/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/tools/cd-dvd/dvdisaster/default.nix b/pkgs/tools/cd-dvd/dvdisaster/default.nix index 82a57c6684f..08da13b569a 100644 --- a/pkgs/tools/cd-dvd/dvdisaster/default.nix +++ b/pkgs/tools/cd-dvd/dvdisaster/default.nix @@ -12,8 +12,6 @@ stdenv.mkDerivation rec { sha256 = "0f8gjnia2fxcbmhl8b3qkr5b7idl8m855dw7xw2fnmbqwvcm6k4w"; }; - hardeningDisable = [ "fortify" ]; - nativeBuildInputs = [ gettext pkgconfig which ]; buildInputs = [ glib gtk2 ]; From 572490bce93a34e7b0dc448bd71cac8f1a42cf00 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Aug 2016 15:23:00 +0000 Subject: [PATCH 486/603] udftools: remove obsolete gcc5 patch fixed by setting C compiler standard --- pkgs/tools/filesystems/udftools/default.nix | 2 -- pkgs/tools/filesystems/udftools/gcc5.patch | 17 ----------------- 2 files changed, 19 deletions(-) delete mode 100644 pkgs/tools/filesystems/udftools/gcc5.patch diff --git a/pkgs/tools/filesystems/udftools/default.nix b/pkgs/tools/filesystems/udftools/default.nix index 75e37f77949..b912bab6826 100644 --- a/pkgs/tools/filesystems/udftools/default.nix +++ b/pkgs/tools/filesystems/udftools/default.nix @@ -10,8 +10,6 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses readline ]; - patches = [ ./gcc5.patch ]; - hardeningDisable = [ "fortify" ]; NIX_CFLAGS_COMPILE = "-std=gnu90"; diff --git a/pkgs/tools/filesystems/udftools/gcc5.patch b/pkgs/tools/filesystems/udftools/gcc5.patch deleted file mode 100644 index 2c57ff20e13..00000000000 --- a/pkgs/tools/filesystems/udftools/gcc5.patch +++ /dev/null 
@@ -1,17 +0,0 @@ ---- udftools-1.0.0b3/libudffs/desc.c 2016-02-07 23:21:38.595391610 +0000 -+++ udftools-1.0.0b3/libudffs/desc.c 2016-02-07 23:21:57.759756269 +0000 -@@ -34,12 +34,12 @@ - #include "libudffs.h" - #include "config.h" - --inline struct impUseVolDescImpUse *query_iuvdiu(struct udf_disc *disc) -+extern struct impUseVolDescImpUse *query_iuvdiu(struct udf_disc *disc) - { - return (struct impUseVolDescImpUse *)disc->udf_iuvd[0]->impUse; - } - --inline struct logicalVolIntegrityDescImpUse *query_lvidiu(struct udf_disc *disc) -+extern struct logicalVolIntegrityDescImpUse *query_lvidiu(struct udf_disc *disc) - { - return (struct logicalVolIntegrityDescImpUse *)&(disc->udf_lvid->impUse[le32_to_cpu(disc->udf_lvd[0]->numPartitionMaps) * 2 * sizeof(uint32_t)]); - } From bea8972d967e6599aa28f7c0e30b9fc1fc589328 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 13 Aug 2016 09:45:48 +0000 Subject: [PATCH 487/603] nixos.tests.boot-stage1: disable pic for kernel module --- nixos/tests/boot-stage1.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/tests/boot-stage1.nix b/nixos/tests/boot-stage1.nix index ad253d23c54..ccd8394a1f0 100644 --- a/nixos/tests/boot-stage1.nix +++ b/nixos/tests/boot-stage1.nix @@ -8,6 +8,7 @@ import ./make-test.nix ({ pkgs, ... }: { kdev = config.boot.kernelPackages.kernel.dev; kver = config.boot.kernelPackages.kernel.modDirVersion; ksrc = "${kdev}/lib/modules/${kver}/build"; + hardeningDisable = [ "pic" ]; } '' echo "obj-m += $name.o" > Makefile echo "$source" > "$name.c" From af04b6d5a56a66866a66c6343e38e0d92228986a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 13 Aug 2016 10:06:00 +0000 Subject: [PATCH 488/603] hardening docs: fix typo --- doc/stdenv.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/stdenv.xml b/doc/stdenv.xml index a6359a9cff3..5be57fc5a97 100644 --- a/doc/stdenv.xml +++ b/doc/stdenv.xml 
@@ -1425,7 +1425,7 @@ bin/blib.a(bios_console.o): In function `bios_handle_cup': Addtionally, some warnings are enabled which might trigger build - failures if compiler warnings are treated as errors in the packsge build. + failures if compiler warnings are treated as errors in the package build. In this case, set to . From 0f274be2fd4e0cfa9bf69e92c8e95ca0a0086784 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 13 Aug 2016 10:11:40 +0000 Subject: [PATCH 489/603] linuxPackages.ena: disable pic --- pkgs/os-specific/linux/ena/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/os-specific/linux/ena/default.nix b/pkgs/os-specific/linux/ena/default.nix index 7a047e9f233..051725d32d9 100644 --- a/pkgs/os-specific/linux/ena/default.nix +++ b/pkgs/os-specific/linux/ena/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "03w6xgv3lfn28n38mj9cdi3px5zjyrbxnflpd3ggivkv6grf9fp7"; }; + hardeningDisable = [ "pic" ]; + configurePhase = '' cd kernel/linux/ena @@ -30,5 +32,6 @@ stdenv.mkDerivation rec { homepage = https://github.com/amzn/amzn-drivers; license = lib.licenses.gpl2; maintainers = [ lib.maintainers.eelco ]; + platforms = lib.platforms.linux; }; } From 7d9d2d6872703127ee0f3d75e85035ccbf4611f7 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 13 Aug 2016 16:02:02 +0200 Subject: [PATCH 490/603] linuxPackages.broadcom_sta: disable pic hardening --- pkgs/os-specific/linux/broadcom-sta/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/broadcom-sta/default.nix b/pkgs/os-specific/linux/broadcom-sta/default.nix index 28b23a61ff0..e36512e0076 100644 --- a/pkgs/os-specific/linux/broadcom-sta/default.nix +++ b/pkgs/os-specific/linux/broadcom-sta/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation { sha256 = hashes.${stdenv.system}; }; + hardeningDisable = [ "pic" ]; + patches = [ ./i686-build-failure.patch ./license.patch From a8deb8d6470ce74bd3f5de4afb0d8d1390657767 Mon Sep 17 00:00:00 2001 
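Review bot: The new `hardeningDisable = [ "pic" ]` is added without a comment, and the second hunk additionally sets `platforms = lib.platforms.linux`, which the commit title does not mention. A reader cannot tell from the file why PIC is disabled; presumably the kernel module build under `cd kernel/linux/ena` fails with stdenv's `-fPIC`, but the hunk does not show the failure. Suggest `hardeningDisable = [ "pic" ]; # out-of-tree kernel module: built with the kernel's flags, -fPIC breaks it`, and mention the platforms change in the commit message. The derivation starts and ends outside the hunk.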
From: Franz Pletz Date: Sat, 13 Aug 2016 16:03:32 +0200 Subject: [PATCH 491/603] linuxPackages.frandom: disable pic hardening --- pkgs/os-specific/linux/frandom/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/frandom/default.nix b/pkgs/os-specific/linux/frandom/default.nix index 80ad483b367..dfdc79c2005 100644 --- a/pkgs/os-specific/linux/frandom/default.nix +++ b/pkgs/os-specific/linux/frandom/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "15rgyk4hfawqg7z1spk2xlk1nn6rcdls8gdhc70f91shrc9pvlls"; }; + hardeningDisable = [ "pic" ]; + preBuild = '' kernelVersion=${kernel.modDirVersion} substituteInPlace Makefile \ From f5c9f99877ced1b63d12a9c3ce327b46fae754bb Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 13 Aug 2016 16:06:57 +0200 Subject: [PATCH 492/603] linuxPackages.ati_drivers_x11: disable pic & format hardening --- pkgs/os-specific/linux/ati-drivers/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/ati-drivers/default.nix b/pkgs/os-specific/linux/ati-drivers/default.nix index e5eb9b8c6c3..902f0e37e35 100644 --- a/pkgs/os-specific/linux/ati-drivers/default.nix +++ b/pkgs/os-specific/linux/ati-drivers/default.nix @@ -65,6 +65,8 @@ stdenv.mkDerivation rec { curlOpts = "--referer http://support.amd.com/en-us/download/desktop?os=Linux+x86_64"; }; + hardeningDisable = [ "pic" "format" ]; + patchPhaseSamples = "patch -p2 < ${./patches/patch-samples.patch}"; patches = [ ./patches/15.12-xstate-fp.patch From d836b811cb533c4cacba9a932d4906cbb41abc7c Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 13 Aug 2016 16:24:38 +0200 Subject: [PATCH 493/603] linuxPackages.cryptodev: 1.6 -> 1.8, disable pic hardening --- pkgs/os-specific/linux/cryptodev/default.nix | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/pkgs/os-specific/linux/cryptodev/default.nix b/pkgs/os-specific/linux/cryptodev/default.nix index 4ea9295ef4f..f3c26223122 100644 
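Review bot: Disabling `format` alongside `pic` switches off the format-string checks for everything this derivation compiles, not just the kernel module, and the hunk gives no hint which source triggered it. The `format` hardening flag is presumably what turns `-Wformat-security` findings into build errors; turning it off hides exactly the `printf(untrusted)` class of bug in a proprietary driver that nobody else will audit. If the failure is a warning-as-error, an alternative worth evaluating is `NIX_CFLAGS_COMPILE = "-Wno-error=format-security";`, which keeps the diagnostic in the build log while unblocking the build; either way a comment naming the offending file should accompany the line. The derivation body continues outside the hunk.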
--- a/pkgs/os-specific/linux/cryptodev/default.nix +++ b/pkgs/os-specific/linux/cryptodev/default.nix @@ -1,26 +1,19 @@ { fetchurl, stdenv, kernel, onlyHeaders ? false }: stdenv.mkDerivation rec { - pname = "cryptodev-linux-1.6"; + pname = "cryptodev-linux-1.8"; name = "${pname}-${kernel.version}"; src = fetchurl { url = "http://download.gna.org/cryptodev-linux/${pname}.tar.gz"; - sha256 = "0bryzdb4xz3fp2q00a0mlqkj629md825lnlh4gjwmy51irf45wbm"; + sha256 = "0xhkhcdlds9aiz0hams93dv0zkgcn2abaiagdjlqdck7zglvvyk7"; }; - buildPhase = if !onlyHeaders then '' - make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \ - SUBDIRS=`pwd` INSTALL_PATH=$out - '' else ":"; + hardeningDisable = [ "pic" ]; - installPhase = stdenv.lib.optionalString (!onlyHeaders) '' - make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \ - INSTALL_MOD_PATH=$out SUBDIRS=`pwd` modules_install - '' + '' - mkdir -p $out/include/crypto - cp crypto/cryptodev.h $out/include/crypto - ''; + KERNEL_DIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"; + INSTALL_MOD_PATH = "\${out}"; + PREFIX = "\${out}"; meta = { description = "Device that allows access to Linux kernel cryptographic drivers"; From 5e085b7fea7bbcb425f6be6aab912cbd03859235 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 13 Aug 2016 16:25:29 +0200 Subject: [PATCH 494/603] linuxPackages.e1000e: disable pic hardening --- pkgs/os-specific/linux/e1000e/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/e1000e/default.nix b/pkgs/os-specific/linux/e1000e/default.nix index 0b67a5382f7..5406c37522e 100644 --- a/pkgs/os-specific/linux/e1000e/default.nix +++ b/pkgs/os-specific/linux/e1000e/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation { sha256 = "07hg6xxqgqshnys1qs9wbl9qr7d4ixdkd1y1fj27cg6bn8s2n797"; }; + hardeningDisable = [ "pic" ]; + configurePhase = '' cd src kernel_version=${kernel.modDirVersion} From f55fd87c8adfc58b6ab97fb965bd2d0de829f170 Mon Sep 17 00:00:00 2001 
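Review bot: `onlyHeaders` is still accepted in the argument set but is no longer referenced anywhere on the new side of this hunk, which covers the file up to `meta`; unless the remainder of the file uses it, a caller passing `onlyHeaders = true` now silently builds and installs the full module (and requires `kernel.dev`) instead of just the header. The old installPhase also copied `crypto/cryptodev.h` into `$out/include/crypto`; the new code relies on upstream's install target honouring `PREFIX`, and if it does not install the header, consumers of that path break. Either drop `onlyHeaders` from the argument set so callers fail at evaluation time, or keep the guard, e.g. `dontBuild = onlyHeaders;` with an installPhase that still copies the header in that mode. A comment on `hardeningDisable = [ "pic" ]` stating that this is an out-of-tree kernel module would also help.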
From: Franz Pletz Date: Sat, 13 Aug 2016 16:30:35 +0200 Subject: [PATCH 495/603] linuxPackages.ixgbevf: disable pic hardening --- pkgs/os-specific/linux/ixgbevf/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/ixgbevf/default.nix b/pkgs/os-specific/linux/ixgbevf/default.nix index eb90c9fb1eb..1f8ced6c2d2 100644 --- a/pkgs/os-specific/linux/ixgbevf/default.nix +++ b/pkgs/os-specific/linux/ixgbevf/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "1i6ry3vd77190sxb47xhbz3v30gighwax6prav4ggs3q80a389c8"; }; + hardeningDisable = [ "pic" ]; + configurePhase = '' cd src makeFlagsArray+=(KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build INSTALL_MOD_PATH=$out MANDIR=/share/man) From 62e6bc0bd9623da6559300a42aafdbb6b5ea4d26 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 13 Aug 2016 16:40:42 +0200 Subject: [PATCH 496/603] linuxPackages.prl-tools: disable pic hardening --- pkgs/os-specific/linux/prl-tools/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/prl-tools/default.nix b/pkgs/os-specific/linux/prl-tools/default.nix index da5d7d5f607..9ca48ccaf05 100644 --- a/pkgs/os-specific/linux/prl-tools/default.nix +++ b/pkgs/os-specific/linux/prl-tools/default.nix @@ -47,6 +47,8 @@ stdenv.mkDerivation rec { ''; }; + hardeningDisable = [ "pic" ]; + # also maybe python2 to generate xorg.conf nativeBuildInputs = [ p7zip ] ++ lib.optionals (!libsOnly) [ makeWrapper ]; From 73a9ce2ce31be4d3db810a9ce7c29e722155401b Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 13 Aug 2016 16:42:35 +0200 Subject: [PATCH 497/603] linuxPackages.psmouse_alps: remove, driver in kernel since 3.9 --- .../linux/psmouse-alps/default.nix | 40 ------------------- pkgs/top-level/all-packages.nix | 2 - 2 files changed, 42 deletions(-) delete mode 100644 pkgs/os-specific/linux/psmouse-alps/default.nix 
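Review bot: `hardeningDisable = [ "pic" ]` is applied unconditionally, although the visible `lib.optionals (!libsOnly) [ makeWrapper ]` shows this derivation also has a `libsOnly` mode that presumably compiles no kernel module. Scoping the exemption to the mode that needs it keeps the userspace-only variant on the hardened defaults: `hardeningDisable = lib.optionals (!libsOnly) [ "pic" ];`. A short comment on why PIC must be off for the module build would also help; the derivation starts and ends outside the hunk.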
diff --git a/pkgs/os-specific/linux/psmouse-alps/default.nix b/pkgs/os-specific/linux/psmouse-alps/default.nix deleted file mode 100644 index 9dd78f5885a..00000000000 --- a/pkgs/os-specific/linux/psmouse-alps/default.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ stdenv, fetchurl, kernel, zlib }: - -/* Only useful for kernels 3.2 to 3.5. - Fails to build in 3.8. - 3.9 upstream already includes a proper alps driver for this */ - -assert builtins.compareVersions "3.8" kernel.version == 1; - -let - ver = "1.3"; - bname = "psmouse-alps-${ver}"; -in -stdenv.mkDerivation { - name = "psmouse-alps-${kernel.version}-${ver}"; - - src = fetchurl { - url = http://www.dahetral.com/public-download/alps-psmouse-dlkm-for-3-2-and-3-5/at_download/file; - name = "${bname}-alt.tar.bz2"; - sha256 = "1ghr8xcyidz31isxbwrbcr9rvxi4ad2idwmb3byar9n2ig116cxp"; - }; - - buildPhase = '' - cd src/${bname}/src - make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \ - SUBDIRS=`pwd` INSTALL_PATH=$out - ''; - - installPhase = '' - make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \ - INSTALL_MOD_PATH=$out SUBDIRS=`pwd` modules_install - ''; - - meta = { - description = "ALPS dlkm driver with all known touchpads"; - homepage = http://www.dahetral.com/public-download/alps-psmouse-dlkm-for-3-2-and-3-5/view; - license = stdenv.lib.licenses.gpl2; - platforms = stdenv.lib.platforms.linux; - maintainers = with stdenv.lib.maintainers; [viric]; - }; -} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index a3a2c310d6a..b65c2336ee7 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -11247,8 +11247,6 @@ in prl-tools = callPackage ../os-specific/linux/prl-tools { }; - psmouse_alps = callPackage ../os-specific/linux/psmouse-alps { }; - seturgent = callPackage ../os-specific/linux/seturgent { }; spl = callPackage ../os-specific/linux/spl { From 5103e70a373698321253cbb0f5ad595d3ee2880c Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Sat, 13 Aug 2016 16:44:39 +0200 Subject: [PATCH 498/603] linuxPackages.nvidiabl: disable pic hardening --- pkgs/os-specific/linux/nvidiabl/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/nvidiabl/default.nix b/pkgs/os-specific/linux/nvidiabl/default.nix index a6797608664..881c29c1ce0 100644 --- a/pkgs/os-specific/linux/nvidiabl/default.nix +++ b/pkgs/os-specific/linux/nvidiabl/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation { sha256 = "1c7ar39wc8jpqh67sw03lwnyp0m9l6dad469ybqrgcywdiwxspwj"; }; + hardeningDisable = [ "pic" ]; + patches = [ ./linux4compat.patch ]; preConfigure = '' From 9e7d118ea2252dbf74ee42636ec723faf85cdb4a Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 13 Aug 2016 16:49:42 +0200 Subject: [PATCH 499/603] linuxPackages.nvidia-x11: disable pic & format hardening --- pkgs/os-specific/linux/nvidia-x11/beta.nix | 2 ++ pkgs/os-specific/linux/nvidia-x11/default.nix | 4 ++-- pkgs/os-specific/linux/nvidia-x11/legacy173.nix | 2 ++ pkgs/os-specific/linux/nvidia-x11/legacy304.nix | 2 ++ pkgs/os-specific/linux/nvidia-x11/legacy340.nix | 2 ++ 5 files changed, 10 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/nvidia-x11/beta.nix b/pkgs/os-specific/linux/nvidia-x11/beta.nix index d3111a4f75a..6fd5fb6c0b6 100644 --- a/pkgs/os-specific/linux/nvidia-x11/beta.nix +++ b/pkgs/os-specific/linux/nvidia-x11/beta.nix @@ -41,6 +41,8 @@ stdenv.mkDerivation { kernel = if libsOnly then null else kernel.dev; + hardeningDisable = [ "pic" "format" ]; + dontStrip = true; glPath = makeLibraryPath [xorg.libXext xorg.libX11 xorg.libXrandr]; diff --git a/pkgs/os-specific/linux/nvidia-x11/default.nix b/pkgs/os-specific/linux/nvidia-x11/default.nix index 139185e7f03..f561c0addc8 100644 --- a/pkgs/os-specific/linux/nvidia-x11/default.nix +++ b/pkgs/os-specific/linux/nvidia-x11/default.nix 
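Review bot: `hardeningDisable = [ "pic" "format" ]` is set unconditionally, yet the context line `kernel = if libsOnly then null else kernel.dev;` shows a `libsOnly` mode in which no kernel module is built; in that mode the exemption, in particular the `format` one that silences format-string checks, buys nothing and only weakens defaults for whatever else gets compiled. Scope it to the module build: `hardeningDisable = stdenv.lib.optionals (!libsOnly) [ "pic" "format" ];`, and add a comment naming which part of the NVIDIA build fails with each flag. The same unconditional line is added to legacy304.nix and legacy340.nix in this commit, which carry the same `libsOnly` switch. The derivation starts and ends outside the hunk.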
@@ -42,6 +42,8 @@ stdenv.mkDerivation { kernel = if libsOnly then null else kernel.dev; + hardeningDisable = [ "pic" "format" ]; + dontStrip = true; glPath = makeLibraryPath [xorg.libXext xorg.libX11 xorg.libXrandr]; @@ -57,8 +59,6 @@ stdenv.mkDerivation { buildInputs = [ perl nukeReferences ]; - hardeningDisable = [ "pic" "format" ]; - disallowedReferences = if libsOnly then [] else [ kernel.dev ]; meta = with stdenv.lib.meta; { diff --git a/pkgs/os-specific/linux/nvidia-x11/legacy173.nix b/pkgs/os-specific/linux/nvidia-x11/legacy173.nix index 91813d67e1c..27c963f4bd9 100644 --- a/pkgs/os-specific/linux/nvidia-x11/legacy173.nix +++ b/pkgs/os-specific/linux/nvidia-x11/legacy173.nix @@ -26,6 +26,8 @@ stdenv.mkDerivation { kernel = kernel.dev; + hardeningDisable = [ "pic" "format" ]; + inherit versionNumber; dontStrip = true; diff --git a/pkgs/os-specific/linux/nvidia-x11/legacy304.nix b/pkgs/os-specific/linux/nvidia-x11/legacy304.nix index 5cf3583e873..65cf42333e0 100644 --- a/pkgs/os-specific/linux/nvidia-x11/legacy304.nix +++ b/pkgs/os-specific/linux/nvidia-x11/legacy304.nix @@ -32,6 +32,8 @@ stdenv.mkDerivation { kernel = if libsOnly then null else kernel.dev; + hardeningDisable = [ "pic" "format" ]; + dontStrip = true; glPath = stdenv.lib.makeLibraryPath [xorg.libXext xorg.libX11 xorg.libXrandr]; diff --git a/pkgs/os-specific/linux/nvidia-x11/legacy340.nix b/pkgs/os-specific/linux/nvidia-x11/legacy340.nix index fa9d6442e42..0682954d558 100644 --- a/pkgs/os-specific/linux/nvidia-x11/legacy340.nix +++ b/pkgs/os-specific/linux/nvidia-x11/legacy340.nix @@ -42,6 +42,8 @@ stdenv.mkDerivation { kernel = if libsOnly then null else kernel.dev; + hardeningDisable = [ "pic" "format" ]; + dontStrip = true; glPath = makeLibraryPath [xorg.libXext xorg.libX11 xorg.libXrandr]; From b2c6d28a1de700d7ab6cb2a1aa4bf20cd86907f9 Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Sat, 13 Aug 2016 16:38:54 +0200 Subject: [PATCH 500/603] linuxPackages.ndiswrapper: disable pic hardening (still broken) --- pkgs/os-specific/linux/ndiswrapper/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/ndiswrapper/default.nix b/pkgs/os-specific/linux/ndiswrapper/default.nix index f95de433564..eabc2840881 100644 --- a/pkgs/os-specific/linux/ndiswrapper/default.nix +++ b/pkgs/os-specific/linux/ndiswrapper/default.nix @@ -3,6 +3,8 @@ stdenv.mkDerivation { name = "ndiswrapper-1.59-${kernel.version}"; + hardeningDisable = [ "pic" ]; + patches = [ ./no-sbin.patch ]; # need at least .config and include From fa3a35b241def2f837d72b5de736c513d6856cf9 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 13 Aug 2016 16:54:58 +0200 Subject: [PATCH 501/603] linuxPackages.fusionio-vsl: disable pic hardening (still broken) --- pkgs/os-specific/linux/fusionio/vsl.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/fusionio/vsl.nix b/pkgs/os-specific/linux/fusionio/vsl.nix index 8e24b5061cd..665c4b4d081 100644 --- a/pkgs/os-specific/linux/fusionio/vsl.nix +++ b/pkgs/os-specific/linux/fusionio/vsl.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { src = srcs.vsl; + hardeningDisable = [ "pic" ]; + prePatch = '' cd root/usr/src/iomemory-vsl-* ''; From 2676cf9525c38ac8c6cb85a7d95f2e57e2760c3d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 13 Aug 2016 11:19:15 +0000 Subject: [PATCH 502/603] linuxPackages.lttng-modules: fix build --- pkgs/os-specific/linux/lttng-modules/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/lttng-modules/default.nix b/pkgs/os-specific/linux/lttng-modules/default.nix index b3a67e70a1d..eeef64c7083 100644 --- a/pkgs/os-specific/linux/lttng-modules/default.nix +++ b/pkgs/os-specific/linux/lttng-modules/default.nix 
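Review bot: The commit title says the package is still broken after this change, but the hunk only adds `hardeningDisable = [ "pic" ]` with no comment and no `meta.broken = true`, so users and Hydra will keep attempting a build that is known to fail. If the remaining failure is understood, a comment next to the new line naming it (`# still fails to build against current kernels: <error>`) would save the next person a rebuild; `meta` is outside this hunk and is presumably the place to mark it broken. The same applies to the fusionio-vsl commit that follows.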
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec { hardeningDisable = [ "pic" ]; + NIX_CFLAGS_COMPILE = "-Wno-error=implicit-function-declaration"; + preConfigure = '' export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" export INSTALL_MOD_PATH="$out" From 8071cafe661294cc9ff5f9451974c4a4fac9140a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 13 Aug 2016 11:20:12 +0000 Subject: [PATCH 503/603] linuxPackages.rtl8812au: fix build --- pkgs/os-specific/linux/rtl8812au/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/rtl8812au/default.nix b/pkgs/os-specific/linux/rtl8812au/default.nix index 75c01cfe1f7..c38fa8843f4 100644 --- a/pkgs/os-specific/linux/rtl8812au/default.nix +++ b/pkgs/os-specific/linux/rtl8812au/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { hardeningDisable = [ "pic" ]; + NIX_CFLAGS_COMPILE="-Wno-error=incompatible-pointer-types"; + patchPhase = '' substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/" substituteInPlace ./Makefile --replace '$(shell uname -r)' "${kernel.modDirVersion}" From 27b9f5d65ee452c9a1a49a2e245b2a45ee1d65ab Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 14 Aug 2016 02:13:16 +0000 Subject: [PATCH 504/603] xorg.*: disable relro/bindnow hardening Breaks the module system at runtime otherwise. --- pkgs/servers/x11/xorg/builder.sh | 3 --- pkgs/servers/x11/xorg/default.nix | 4 +++- pkgs/servers/x11/xorg/overrides.nix | 1 - 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/pkgs/servers/x11/xorg/builder.sh b/pkgs/servers/x11/xorg/builder.sh index 15da0b51795..055886374df 100644 --- a/pkgs/servers/x11/xorg/builder.sh +++ b/pkgs/servers/x11/xorg/builder.sh @@ -46,7 +46,4 @@ fi enableParallelBuilding=1 -# breaks module loading -hardeningDisable="bindnow" - genericBuild diff --git a/pkgs/servers/x11/xorg/default.nix b/pkgs/servers/x11/xorg/default.nix index 4a2ac2469d8..24b6cafd1bc 100644 
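Review bot: `-Wno-error=implicit-function-declaration` papers over a missing declaration instead of fixing it, and in a kernel module that is dangerous: an implicitly declared function is assumed to return `int`, so if the real function returns a pointer or a 64-bit value the result is truncated and the module will corrupt memory or crash rather than fail to build. The usual cause is a kernel API whose header or name changed for the `kernel.modDirVersion` being built against; the fix is to add the include or patch the call, not to demote the error. If the build must be unblocked now, keep the flag but add a comment naming the undeclared symbol and kernel version, e.g. `# TODO: <symbol> undeclared against kernel X.Y (see build log); silenced until fixed upstream`. The derivation starts and ends outside the hunk.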
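Review bot: `-Wno-error=incompatible-pointer-types` in a kernel driver build usually means a kernel callback or structure field changed type and the driver still passes the old one; demoting the error produces a loadable module that calls into the kernel with the wrong prototype, which is a memory-safety problem rather than a cosmetic warning. Identify the mismatch in the build log and patch the driver, or at least record the affected function in a comment next to the flag. As a style point, this line is written `NIX_CFLAGS_COMPILE="..."` without spaces while the lttng-modules hunk in the same series writes `NIX_CFLAGS_COMPILE = "..."`; the latter matches the surrounding attribute style. The derivation starts and ends outside the hunk.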
--- a/pkgs/servers/x11/xorg/default.nix +++ b/pkgs/servers/x11/xorg/default.nix @@ -9,7 +9,9 @@ let mkDerivation = name: attrs: let newAttrs = (overrides."${name}" or (x: x)) attrs; stdenv = newAttrs.stdenv or args.stdenv; - in stdenv.mkDerivation (removeAttrs newAttrs [ "stdenv" ]); + in stdenv.mkDerivation ((removeAttrs newAttrs [ "stdenv" ]) // { + hardeningDisable = [ "bindnow" "relro" ]; + }); overrides = import ./overrides.nix {inherit args xorg;}; diff --git a/pkgs/servers/x11/xorg/overrides.nix b/pkgs/servers/x11/xorg/overrides.nix index bcef1a5419f..5660957011c 100644 --- a/pkgs/servers/x11/xorg/overrides.nix +++ b/pkgs/servers/x11/xorg/overrides.nix @@ -430,7 +430,6 @@ in # and there are no fonts in this package anyway "--enable-glamor" ]; - hardeningDisable = [ "relro" ]; postInstall = '' rm -fr $out/share/X11/xkb/compiled ln -s /var/tmp $out/share/X11/xkb/compiled From 1747d28e5ada05ec07c4b1d35048ea5b194bde64 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 15 Aug 2016 12:00:51 +0000 Subject: [PATCH 505/603] glibc: add patch to fix segfault in forkpty --- pkgs/development/libraries/glibc/common.nix | 3 + .../development/libraries/glibc/forkpty.patch | 75 +++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 pkgs/development/libraries/glibc/forkpty.patch diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index e90fdc4ad7b..24890e56023 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -55,6 +55,9 @@ stdenv.mkDerivation ({ ./cve-2016-1234.patch ./cve-2016-3706.patch ./fix_warnings.patch + + # Fixes segfault when calling pty.fork() in python + ./forkpty.patch ]; postPatch = diff --git a/pkgs/development/libraries/glibc/forkpty.patch b/pkgs/development/libraries/glibc/forkpty.patch new file mode 100644 index 00000000000..fe700e5797b --- /dev/null +++ b/pkgs/development/libraries/glibc/forkpty.patch 
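Review bot: Merging `hardeningDisable = [ "bindnow" "relro" ]` with `//` into every package built through this `mkDerivation` wrapper has two problems. First, `//` replaces rather than extends, so any `hardeningDisable` a package sets in overrides.nix is silently dropped; use `hardeningDisable = (newAttrs.hardeningDisable or []) ++ [ "bindnow" "relro" ];` instead. Second, the scope is much wider than before: the removed builder.sh line disabled bindnow only for whatever used that builder and overrides.nix disabled relro only for the package configured with `--enable-glamor` (presumably the server), whereas the new code also strips RELRO/BIND_NOW from every X client library (libX11, libXext, libXrandr are referenced elsewhere in this series) that is linked into most graphical processes; the module-loading breakage named in the commit message concerns dlopen in the server and its modules, so the exemption belongs on those packages in overrides.nix rather than on all of xorg.*.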
@@ -0,0 +1,75 @@ +From f06f3f05b48c72e2c9b0fa78671f94fd22d67da8 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Wed, 1 Jun 2016 07:14:42 +0200 +Subject: [PATCH] fork in libpthread cannot use IFUNC resolver [BZ #19861] + +This commit only addresses the fork case, the vfork case has to be a +tail call, which is why the generic code needs an IFUNC resolver +there. + +diff --git a/nptl/pt-fork.c b/nptl/pt-fork.c +index b65d6b4..db9b61d 100644 +--- a/nptl/pt-fork.c ++++ b/nptl/pt-fork.c +@@ -25,33 +25,14 @@ + the historical ABI requires it. For static linking, there is no need to + provide anything here--the libc version will be linked in. For shared + library ABI compatibility, there must be __fork and fork symbols in +- libpthread.so; so we define them using IFUNC to redirect to the libc +- function. */ ++ libpthread.so. + +-#if SHLIB_COMPAT (libpthread, GLIBC_2_0, GLIBC_2_22) +- +-# if HAVE_IFUNC +- +-static __typeof (fork) * +-__attribute__ ((used)) +-fork_resolve (void) +-{ +- return &__libc_fork; +-} ++ With an IFUNC resolver, it would be possible to avoid the ++ indirection, but the IFUNC resolver might run before the ++ __libc_fork symbol has been relocated, in which case the IFUNC ++ resolver would not be able to provide the correct address. 
*/ + +-# ifdef HAVE_ASM_SET_DIRECTIVE +-# define DEFINE_FORK(name) \ +- asm (".set " #name ", fork_resolve\n" \ +- ".globl " #name "\n" \ +- ".type " #name ", %gnu_indirect_function"); +-# else +-# define DEFINE_FORK(name) \ +- asm (#name " = fork_resolve\n" \ +- ".globl " #name "\n" \ +- ".type " #name ", %gnu_indirect_function"); +-# endif +- +-# else /* !HAVE_IFUNC */ ++#if SHLIB_COMPAT (libpthread, GLIBC_2_0, GLIBC_2_22) + + static pid_t __attribute__ ((used)) + fork_compat (void) +@@ -59,14 +40,10 @@ fork_compat (void) + return __libc_fork (); + } + +-# define DEFINE_FORK(name) strong_alias (fork_compat, name) +- +-# endif /* HAVE_IFUNC */ +- +-DEFINE_FORK (fork_ifunc) +-compat_symbol (libpthread, fork_ifunc, fork, GLIBC_2_0); ++strong_alias (fork_compat, fork_alias) ++compat_symbol (libpthread, fork_alias, fork, GLIBC_2_0); + +-DEFINE_FORK (__fork_ifunc) +-compat_symbol (libpthread, __fork_ifunc, __fork, GLIBC_2_0); ++strong_alias (fork_compat, __fork_alias) ++compat_symbol (libpthread, __fork_alias, __fork, GLIBC_2_0); + + #endif +-- +1.7.1 + From e0f124a9f814985b44a7216f010e928820ed2686 Mon Sep 17 00:00:00 2001 From: obadz Date: Wed, 17 Aug 2016 18:05:17 +0100 Subject: [PATCH 506/603] calamares/tarball test: fix eval error See also acb4086 cc @ttuegel @globin --- pkgs/top-level/all-packages.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 8e57aca9503..4117cfc5936 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -667,7 +667,7 @@ in calamares = qt5.callPackage ../tools/misc/calamares rec { python = python3; boost = pkgs.boost.override { python=python3; }; - libyamlcpp = callPackage ../development/libraries/libyaml-cpp { makePIC=true; boost=boost; }; + libyamlcpp = callPackage ../development/libraries/libyaml-cpp { boost=boost; }; }; capstone = callPackage ../development/libraries/capstone { }; 
From b092538811a2bd4454ed9b056952c0a10f091076 Mon Sep 17 00:00:00 2001 From: obadz Date: Sat, 20 Aug 2016 22:39:05 +0100 Subject: [PATCH 507/603] Revert "glibc: add patch to fix segfault in forkpty" This reverts commit 1747d28e5ada05ec07c4b1d35048ea5b194bde64. Was fixed upstream in glibc 2.24 --- pkgs/development/libraries/glibc/common.nix | 3 - .../development/libraries/glibc/forkpty.patch | 75 ------------------- 2 files changed, 78 deletions(-) delete mode 100644 pkgs/development/libraries/glibc/forkpty.patch diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 24890e56023..e90fdc4ad7b 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -55,9 +55,6 @@ stdenv.mkDerivation ({ ./cve-2016-1234.patch ./cve-2016-3706.patch ./fix_warnings.patch - - # Fixes segfault when calling pty.fork() in python - ./forkpty.patch ]; postPatch = diff --git a/pkgs/development/libraries/glibc/forkpty.patch b/pkgs/development/libraries/glibc/forkpty.patch deleted file mode 100644 index fe700e5797b..00000000000 --- a/pkgs/development/libraries/glibc/forkpty.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From f06f3f05b48c72e2c9b0fa78671f94fd22d67da8 Mon Sep 17 00:00:00 2001 -From: Florian Weimer -Date: Wed, 1 Jun 2016 07:14:42 +0200 -Subject: [PATCH] fork in libpthread cannot use IFUNC resolver [BZ #19861] - -This commit only addresses the fork case, the vfork case has to be a -tail call, which is why the generic code needs an IFUNC resolver -there. - -diff --git a/nptl/pt-fork.c b/nptl/pt-fork.c -index b65d6b4..db9b61d 100644 ---- a/nptl/pt-fork.c -+++ b/nptl/pt-fork.c -@@ -25,33 +25,14 @@ - the historical ABI requires it. For static linking, there is no need to - provide anything here--the libc version will be linked in. For shared - library ABI compatibility, there must be __fork and fork symbols in -- libpthread.so; so we define them using IFUNC to redirect to the libc -- function. */ -+ libpthread.so. - --#if SHLIB_COMPAT (libpthread, GLIBC_2_0, GLIBC_2_22) -- --# if HAVE_IFUNC -- --static __typeof (fork) * --__attribute__ ((used)) --fork_resolve (void) --{ -- return &__libc_fork; --} -+ With an IFUNC resolver, it would be possible to avoid the -+ indirection, but the IFUNC resolver might run before the -+ __libc_fork symbol has been relocated, in which case the IFUNC -+ resolver would not be able to provide the correct address. 
*/ - --# ifdef HAVE_ASM_SET_DIRECTIVE --# define DEFINE_FORK(name) \ -- asm (".set " #name ", fork_resolve\n" \ -- ".globl " #name "\n" \ -- ".type " #name ", %gnu_indirect_function"); --# else --# define DEFINE_FORK(name) \ -- asm (#name " = fork_resolve\n" \ -- ".globl " #name "\n" \ -- ".type " #name ", %gnu_indirect_function"); --# endif -- --# else /* !HAVE_IFUNC */ -+#if SHLIB_COMPAT (libpthread, GLIBC_2_0, GLIBC_2_22) - - static pid_t __attribute__ ((used)) - fork_compat (void) -@@ -59,14 +40,10 @@ fork_compat (void) - return __libc_fork (); - } - --# define DEFINE_FORK(name) strong_alias (fork_compat, name) -- --# endif /* HAVE_IFUNC */ -- --DEFINE_FORK (fork_ifunc) --compat_symbol (libpthread, fork_ifunc, fork, GLIBC_2_0); -+strong_alias (fork_compat, fork_alias) -+compat_symbol (libpthread, fork_alias, fork, GLIBC_2_0); - --DEFINE_FORK (__fork_ifunc) --compat_symbol (libpthread, __fork_ifunc, __fork, GLIBC_2_0); -+strong_alias (fork_compat, __fork_alias) -+compat_symbol (libpthread, __fork_alias, __fork, GLIBC_2_0); - - #endif --- -1.7.1 - From 88949e6d134c023f545e7f3324a70aa5327e68de Mon Sep 17 00:00:00 2001 From: Lancelot SIX Date: Sun, 21 Aug 2016 14:33:29 +0200 Subject: [PATCH 508/603] diffutils: 3.3 -> 3.5 Releases announcements: 3.4: http://lists.gnu.org/archive/html/info-gnu/2016-08/msg00004.html 3.5: http://lists.gnu.org/archive/html/info-gnu/2016-08/msg00010.html --- pkgs/tools/text/diffutils/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/text/diffutils/default.nix b/pkgs/tools/text/diffutils/default.nix index 420e0a37ba7..587c89554aa 100644 --- a/pkgs/tools/text/diffutils/default.nix +++ b/pkgs/tools/text/diffutils/default.nix 
@@ -1,11 +1,11 @@ { stdenv, fetchurl, xz, coreutils ? null }: stdenv.mkDerivation rec { - name = "diffutils-3.3"; + name = "diffutils-3.5"; src = fetchurl { url = "mirror://gnu/diffutils/${name}.tar.xz"; - sha256 = "1761vymxbp4wb5rzjvabhdkskk95pghnn67464byvzb5mfl8jpm2"; + sha256 = "0csmqfz8ks23kdjsq0v2ll1acqiz8lva06dj19mwmymrsp69ilys"; }; outputs = [ "out" "info" ]; From 6e7ca9272e96eec503b44db358c4f683e470f9b4 Mon Sep 17 00:00:00 2001 From: Alexey Shmalko Date: Tue, 23 Aug 2016 03:39:02 +0300 Subject: [PATCH 509/603] openssl: fix CVE-2016-2177 --- .../openssl/1.0.1-CVE-2016-2177.diff | 256 ++++++++++++++++ .../openssl/1.0.2-CVE-2016-2177.diff | 279 ++++++++++++++++++ .../development/libraries/openssl/default.nix | 13 +- 3 files changed, 546 insertions(+), 2 deletions(-) create mode 100644 pkgs/development/libraries/openssl/1.0.1-CVE-2016-2177.diff create mode 100644 pkgs/development/libraries/openssl/1.0.2-CVE-2016-2177.diff diff --git a/pkgs/development/libraries/openssl/1.0.1-CVE-2016-2177.diff b/pkgs/development/libraries/openssl/1.0.1-CVE-2016-2177.diff new file mode 100644 index 00000000000..f8a4b7c2257 --- /dev/null +++ b/pkgs/development/libraries/openssl/1.0.1-CVE-2016-2177.diff 
@@ -0,0 +1,256 @@ +From 6f35f6deb5ca7daebe289f86477e061ce3ee5f46 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 5 May 2016 11:10:26 +0100 +Subject: [PATCH] Avoid some undefined pointer arithmetic + +A common idiom in the codebase is: + +if (p + len > limit) +{ + return; /* Too long */ +} + +Where "p" points to some malloc'd data of SIZE bytes and +limit == p + SIZE + +"len" here could be from some externally supplied data (e.g. from a TLS +message). + +The rules of C pointer arithmetic are such that "p + len" is only well +defined where len <= SIZE. Therefore the above idiom is actually +undefined behaviour. + +For example this could cause problems if some malloc implementation +provides an address for "p" such that "p + len" actually overflows for +values of len that are too big and therefore p + len < limit! + +Issue reported by Guido Vranken. + +CVE-2016-2177 + +Reviewed-by: Rich Salz +--- + ssl/s3_srvr.c | 14 +++++++------- + ssl/ssl_sess.c | 2 +- + ssl/t1_lib.c | 48 ++++++++++++++++++++++++++---------------------- + 3 files changed, 34 insertions(+), 30 deletions(-) + +diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c +index 04cf93a..6c74caa 100644 +--- a/ssl/s3_srvr.c ++++ b/ssl/s3_srvr.c +@@ -1040,7 +1040,7 @@ int ssl3_get_client_hello(SSL *s) + + session_length = *(p + SSL3_RANDOM_SIZE); + +- if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { ++ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1058,7 +1058,7 @@ int ssl3_get_client_hello(SSL *s) + /* get the session-id */ + j = *(p++); + +- if (p + j > d + n) { ++ if ((d + n) - p < j) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1114,14 +1114,14 @@ int ssl3_get_client_hello(SSL *s) + + if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) { + /* cookie stuff */ +- if (p + 1 > d + n) { ++ if ((d + n) - p 
< 1) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + cookie_len = *(p++); + +- if (p + cookie_len > d + n) { ++ if ((d + n ) - p < cookie_len) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1166,7 +1166,7 @@ int ssl3_get_client_hello(SSL *s) + p += cookie_len; + } + +- if (p + 2 > d + n) { ++ if ((d + n ) - p < 2) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1180,7 +1180,7 @@ int ssl3_get_client_hello(SSL *s) + } + + /* i bytes of cipher data + 1 byte for compression length later */ +- if ((p + i + 1) > (d + n)) { ++ if ((d + n) - p < i + 1) { + /* not enough data */ + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); +@@ -1246,7 +1246,7 @@ int ssl3_get_client_hello(SSL *s) + + /* compression */ + i = *(p++); +- if ((p + i) > (d + n)) { ++ if ((d + n) - p < i) { + /* not enough data */ + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); +diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c +index 48fc451..a97d060 100644 +--- a/ssl/ssl_sess.c ++++ b/ssl/ssl_sess.c +@@ -602,7 +602,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, + int r; + #endif + +- if (session_id + len > limit) { ++ if (limit - session_id < len) { + fatal = 1; + goto err; + } +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index 0bdb77d..8ed1793 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -942,11 +942,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, + 0x02, 0x03, /* SHA-1/ECDSA */ + }; + +- if (data >= (limit - 2)) ++ if (limit - data <= 2) + return; + data += 2; + +- if (data > (limit - 4)) ++ if (limit - data < 4) + return; + n2s(data, type); + n2s(data, size); +@@ -954,7 +954,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, + if (type != 
TLSEXT_TYPE_server_name) + return; + +- if (data + size > limit) ++ if (limit - data < size) + return; + data += size; + +@@ -962,7 +962,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, + const size_t len1 = sizeof(kSafariExtensionsBlock); + const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); + +- if (data + len1 + len2 != limit) ++ if (limit - data != (int)(len1 + len2)) + return; + if (memcmp(data, kSafariExtensionsBlock, len1) != 0) + return; +@@ -971,7 +971,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, + } else { + const size_t len = sizeof(kSafariExtensionsBlock); + +- if (data + len != limit) ++ if (limit - data != (int)(len)) + return; + if (memcmp(data, kSafariExtensionsBlock, len) != 0) + return; +@@ -1019,19 +1019,19 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, + if (data == limit) + goto ri_check; + +- if (data > (limit - 2)) ++ if (limit - data < 2) + goto err; + + n2s(data, len); + +- if (data + len != limit) ++ if (limit - data != len) + goto err; + +- while (data <= (limit - 4)) { ++ while (limit - data >= 4) { + n2s(data, type); + n2s(data, size); + +- if (data + size > (limit)) ++ if (limit - data < size) + goto err; + # if 0 + fprintf(stderr, "Received extension type %d size %d\n", type, size); +@@ -1460,20 +1460,20 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, + SSL_TLSEXT_HB_DONT_SEND_REQUESTS); + # endif + +- if (data >= (d + n - 2)) ++ if ((d + n) - data <= 2) + goto ri_check; + + n2s(data, length); +- if (data + length != d + n) { ++ if ((d + n) - data != length) { + *al = SSL_AD_DECODE_ERROR; + return 0; + } + +- while (data <= (d + n - 4)) { ++ while ((d + n) - data >= 4) { + n2s(data, type); + n2s(data, size); + +- if (data + size > (d + n)) ++ if ((d + n) - data < size) + goto ri_check; + + if (s->tlsext_debug_cb) +@@ -2179,29 +2179,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, + /* Skip past DTLS cookie 
*/ + if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) { + i = *(p++); +- p += i; +- if (p >= limit) ++ ++ if (limit - p <= i) + return -1; ++ ++ p += i; + } + /* Skip past cipher list */ + n2s(p, i); +- p += i; +- if (p >= limit) ++ if (limit - p <= i) + return -1; ++ p += i; ++ + /* Skip past compression algorithm list */ + i = *(p++); +- p += i; +- if (p > limit) ++ if (limit - p < i) + return -1; ++ p += i; ++ + /* Now at start of extensions */ +- if ((p + 2) >= limit) ++ if (limit - p <= 2) + return 0; + n2s(p, i); +- while ((p + 4) <= limit) { ++ while (limit - p >= 4) { + unsigned short type, size; + n2s(p, type); + n2s(p, size); +- if (p + size > limit) ++ if (limit - p < size) + return 0; + if (type == TLSEXT_TYPE_session_ticket) { + int r; +-- +1.9.1 + diff --git a/pkgs/development/libraries/openssl/1.0.2-CVE-2016-2177.diff b/pkgs/development/libraries/openssl/1.0.2-CVE-2016-2177.diff new file mode 100644 index 00000000000..ca934c20a67 --- /dev/null +++ b/pkgs/development/libraries/openssl/1.0.2-CVE-2016-2177.diff 
@@ -0,0 +1,279 @@ +From a004e72b95835136d3f1ea90517f706c24c03da7 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 5 May 2016 11:10:26 +0100 +Subject: [PATCH] Avoid some undefined pointer arithmetic + +A common idiom in the codebase is: + +if (p + len > limit) +{ + return; /* Too long */ +} + +Where "p" points to some malloc'd data of SIZE bytes and +limit == p + SIZE + +"len" here could be from some externally supplied data (e.g. from a TLS +message). + +The rules of C pointer arithmetic are such that "p + len" is only well +defined where len <= SIZE. Therefore the above idiom is actually +undefined behaviour. + +For example this could cause problems if some malloc implementation +provides an address for "p" such that "p + len" actually overflows for +values of len that are too big and therefore p + len < limit! + +Issue reported by Guido Vranken. + +CVE-2016-2177 + +Reviewed-by: Rich Salz +--- + ssl/s3_srvr.c | 14 +++++++------- + ssl/ssl_sess.c | 2 +- + ssl/t1_lib.c | 56 ++++++++++++++++++++++++++++++-------------------------- + 3 files changed, 38 insertions(+), 34 deletions(-) + +diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c +index ab28702..ab7f690 100644 +--- a/ssl/s3_srvr.c ++++ b/ssl/s3_srvr.c +@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s) + + session_length = *(p + SSL3_RANDOM_SIZE); + +- if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { ++ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s) + /* get the session-id */ + j = *(p++); + +- if (p + j > d + n) { ++ if ((d + n) - p < j) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s) + + if (SSL_IS_DTLS(s)) { + /* cookie stuff */ +- if (p + 1 > d + n) { ++ if ((d + n) - p < 1) { + al = SSL_AD_DECODE_ERROR; + 
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + cookie_len = *(p++); + +- if (p + cookie_len > d + n) { ++ if ((d + n ) - p < cookie_len) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s) + } + } + +- if (p + 2 > d + n) { ++ if ((d + n ) - p < 2) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; +@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s) + } + + /* i bytes of cipher data + 1 byte for compression length later */ +- if ((p + i + 1) > (d + n)) { ++ if ((d + n) - p < i + 1) { + /* not enough data */ + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); +@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s) + + /* compression */ + i = *(p++); +- if ((p + i) > (d + n)) { ++ if ((d + n) - p < i) { + /* not enough data */ + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); +diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c +index b182998..54ee783 100644 +--- a/ssl/ssl_sess.c ++++ b/ssl/ssl_sess.c +@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, + int r; + #endif + +- if (session_id + len > limit) { ++ if (limit - session_id < len) { + fatal = 1; + goto err; + } +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index fb64607..cdac011 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, + 0x02, 0x03, /* SHA-1/ECDSA */ + }; + +- if (data >= (limit - 2)) ++ if (limit - data <= 2) + return; + data += 2; + +- if (data > (limit - 4)) ++ if (limit - data < 4) + return; + n2s(data, type); + n2s(data, size); +@@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, + if (type != TLSEXT_TYPE_server_name) + return; + +- if (data + size > limit) ++ if 
(limit - data < size) + return; + data += size; + +@@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, + const size_t len1 = sizeof(kSafariExtensionsBlock); + const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); + +- if (data + len1 + len2 != limit) ++ if (limit - data != (int)(len1 + len2)) + return; + if (memcmp(data, kSafariExtensionsBlock, len1) != 0) + return; +@@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, + } else { + const size_t len = sizeof(kSafariExtensionsBlock); + +- if (data + len != limit) ++ if (limit - data != (int)(len)) + return; + if (memcmp(data, kSafariExtensionsBlock, len) != 0) + return; +@@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, + if (data == limit) + goto ri_check; + +- if (data > (limit - 2)) ++ if (limit - data < 2) + goto err; + + n2s(data, len); + +- if (data + len != limit) ++ if (limit - data != len) + goto err; + +- while (data <= (limit - 4)) { ++ while (limit - data >= 4) { + n2s(data, type); + n2s(data, size); + +- if (data + size > (limit)) ++ if (limit - data < size) + goto err; + # if 0 + fprintf(stderr, "Received extension type %d size %d\n", type, size); +@@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s, + if (s->hit || s->cert->srv_ext.meths_count == 0) + return 1; + +- if (data >= limit - 2) ++ if (limit - data <= 2) + return 1; + n2s(data, len); + +- if (data > limit - len) ++ if (limit - data < len) + return 1; + +- while (data <= limit - 4) { ++ while (limit - data >= 4) { + n2s(data, type); + n2s(data, size); + +- if (data + size > limit) ++ if (limit - data < size) + return 1; + if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0) + return 0; +@@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, + SSL_TLSEXT_HB_DONT_SEND_REQUESTS); + # endif + +- if (data >= (d + n - 2)) ++ if ((d + n) - data <= 2) + goto 
ri_check; + + n2s(data, length); +- if (data + length != d + n) { ++ if ((d + n) - data != length) { + *al = SSL_AD_DECODE_ERROR; + return 0; + } + +- while (data <= (d + n - 4)) { ++ while ((d + n) - data >= 4) { + n2s(data, type); + n2s(data, size); + +- if (data + size > (d + n)) ++ if ((d + n) - data < size) + goto ri_check; + + if (s->tlsext_debug_cb) +@@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, + /* Skip past DTLS cookie */ + if (SSL_IS_DTLS(s)) { + i = *(p++); +- p += i; +- if (p >= limit) ++ ++ if (limit - p <= i) + return -1; ++ ++ p += i; + } + /* Skip past cipher list */ + n2s(p, i); +- p += i; +- if (p >= limit) ++ if (limit - p <= i) + return -1; ++ p += i; ++ + /* Skip past compression algorithm list */ + i = *(p++); +- p += i; +- if (p > limit) ++ if (limit - p < i) + return -1; ++ p += i; ++ + /* Now at start of extensions */ +- if ((p + 2) >= limit) ++ if (limit - p <= 2) + return 0; + n2s(p, i); +- while ((p + 4) <= limit) { ++ while (limit - p >= 4) { + unsigned short type, size; + n2s(p, type); + n2s(p, size); +- if (p + size > limit) ++ if (limit - p < size) + return 0; + if (type == TLSEXT_TYPE_session_ticket) { + int r; +-- +1.9.1 + diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index 8c0ad107d77..5b8a36444eb 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix @@ -8,7 +8,7 @@ let opensslCrossSystem = stdenv.cross.openssl.system or (throw "openssl needs its platform name cross building"); - common = { version, sha256 }: stdenv.mkDerivation rec { + common = args@{ version, sha256, patches ? [] }: stdenv.mkDerivation rec { name = "openssl-${version}"; src = fetchurl { 
@@ -17,7 +17,8 @@ let }; patches = - [ ./use-etc-ssl-certs.patch ] + args.patches + ++ [ ./use-etc-ssl-certs.patch ] ++ optional stdenv.isCygwin ./1.0.1-cygwin64.patch ++ optional (versionOlder version "1.0.2" && (stdenv.isDarwin || (stdenv ? cross && stdenv.cross.libc == "libSystem"))) @@ -107,11 +108,19 @@ in { openssl_1_0_1 = common { version = "1.0.1t"; sha256 = "4a6ee491a2fdb22e519c76fdc2a628bb3cec12762cd456861d207996c8a07088"; + patches = [ + # https://git.openssl.org/?p=openssl.git;a=commit;h=6f35f6deb5ca7daebe289f86477e061ce3ee5f46 + ./1.0.1-CVE-2016-2177.diff + ]; }; openssl_1_0_2 = common { version = "1.0.2h"; sha256 = "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"; + patches = [ + # https://git.openssl.org/?p=openssl.git;a=commit;h=a004e72b95835136d3f1ea90517f706c24c03da7 + ./1.0.2-CVE-2016-2177.diff + ]; }; } From 13c04c837db0f69705cfa4478c513b2230243ca2 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Tue, 23 Aug 2016 17:54:11 +0300 Subject: [PATCH 510/603] wrapPython: fix replace of env invokations --- pkgs/development/python-modules/generic/wrap.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/pkgs/development/python-modules/generic/wrap.sh b/pkgs/development/python-modules/generic/wrap.sh index ca73a473ed5..f4b63b82640 100644 --- a/pkgs/development/python-modules/generic/wrap.sh +++ b/pkgs/development/python-modules/generic/wrap.sh @@ -8,7 +8,6 @@ wrapPythonPrograms() { # of dependencies. buildPythonPath() { local pythonPath="$1" - local python="@executable@" local path # Create an empty table of python paths (see doc on _addToPythonPath 
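Review bot: `args.patches` in the `@@ -17,7 +17,8 @@` hunk bypasses the `patches ? []` default added to the pattern in the `@@ -8,7 +8,7 @@` hunk, because an `@`-bound argument set holds only the attributes the caller actually passed, not the pattern's defaults; a caller of `common` that omits `patches` would fail with a missing-attribute error instead of getting `[]`. Both call sites in the `@@ -107,11 +108,19 @@` hunk do pass the attribute, so the defect is latent, but the default is misleading as written. The bare name `patches` cannot be used inside the `rec` set (it would refer to the derivation attribute being defined), so either drop the default from the pattern or make the fallback real with `args.patches or []` on the new line.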
@@ -51,9 +50,9 @@ wrapPythonProgramsIn() { for f in $(find "$dir" -type f -perm -0100); do # Rewrite "#! .../env python" to "#! /nix/store/.../python". # Strip suffix, like "3" or "2.7m" -- we don't have any choice on which - # Python to use besides one in $python anyway. + # Python to use besides one with this hook anyway. if head -n1 "$f" | grep -q '#!.*/env.*\(python\|pypy\)'; then - sed -i "$f" -e "1 s^.*/env[ ]*\(python\|pypy\)[^ ]*^#! $python^" + sed -i "$f" -e "1 s^.*/env[ ]*\(python\|pypy\)[^ ]*^#! @executable@^" fi # catch /python and /.python-wrapped From 335d0097cfad5dbda85a810b44be7d88082a036d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 23 Aug 2016 15:17:32 +0000 Subject: [PATCH 511/603] cc-wrapper: add-{flags,hardening} -> add-{flags,hardening}.sh --- pkgs/build-support/cc-wrapper/{add-flags => add-flags.sh} | 0 .../cc-wrapper/{add-hardening => add-hardening.sh} | 0 pkgs/build-support/cc-wrapper/default.nix | 4 ++-- 3 files changed, 2 insertions(+), 2 deletions(-) rename pkgs/build-support/cc-wrapper/{add-flags => add-flags.sh} (100%) rename pkgs/build-support/cc-wrapper/{add-hardening => add-hardening.sh} (100%) diff --git a/pkgs/build-support/cc-wrapper/add-flags b/pkgs/build-support/cc-wrapper/add-flags.sh similarity index 100% rename from pkgs/build-support/cc-wrapper/add-flags rename to pkgs/build-support/cc-wrapper/add-flags.sh diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening.sh similarity index 100% rename from pkgs/build-support/cc-wrapper/add-hardening rename to pkgs/build-support/cc-wrapper/add-hardening.sh diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix index 14ece26f6af..10bd5f77f72 100644 --- a/pkgs/build-support/cc-wrapper/default.nix +++ b/pkgs/build-support/cc-wrapper/default.nix 
@@ -237,8 +237,8 @@ stdenv.mkDerivation { cat $out/nix-support/setup-hook.tmp >> $out/nix-support/setup-hook rm $out/nix-support/setup-hook.tmp - substituteAll ${./add-flags} $out/nix-support/add-flags.sh - cp -p ${./add-hardening} $out/nix-support/add-hardening.sh + substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh + cp -p ${./add-hardening.sh} $out/nix-support/add-hardening.sh cp -p ${./utils.sh} $out/nix-support/utils.sh '' + extraBuildCommands; From 07604ad63178026001e4d1ee40c33bcbba3ff046 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 23 Aug 2016 15:25:26 +0000 Subject: [PATCH 512/603] add-hardening.sh: fix quotation --- pkgs/build-support/cc-wrapper/add-hardening.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index d5966136b9d..be15bc692a2 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh @@ -46,11 +46,11 @@ if [[ ! $hardeningDisable == "all" ]]; then ;; relro) if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling relro >&2; fi - hardeningLDFlags+=('-z relro') + hardeningLDFlags+=('-z' 'relro') ;; bindnow) if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow >&2; fi - hardeningLDFlags+=('-z now') + hardeningLDFlags+=('-z' 'now') ;; *) echo "Hardening flag unknown: $flag" >&2 From 3a18f06eab4061b11f8a83cadd908fe39d308c33 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 23 Aug 2016 15:31:33 +0000 Subject: [PATCH 513/603] Revert "lsh: remove last references" This reverts commit 8329066d5e9bb2888c4a194605d11ef09534aaf2. --- nixos/modules/module-list.nix | 1 + pkgs/top-level/guile-2-test.nix | 1 + pkgs/top-level/release-small.nix | 1 + 3 files changed, 3 insertions(+) diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index a5452d1e998..c848a3b95e8 100644 --- a/nixos/modules/module-list.nix 
+++ b/nixos/modules/module-list.nix @@ -402,6 +402,7 @@ ./services/networking/softether.nix ./services/networking/spiped.nix ./services/networking/sslh.nix + ./services/networking/ssh/lshd.nix ./services/networking/ssh/sshd.nix ./services/networking/strongswan.nix ./services/networking/supplicant.nix diff --git a/pkgs/top-level/guile-2-test.nix b/pkgs/top-level/guile-2-test.nix index 70ec6c0dc0c..9d2fbcbef5c 100644 --- a/pkgs/top-level/guile-2-test.nix +++ b/pkgs/top-level/guile-2-test.nix @@ -56,6 +56,7 @@ in (mapTestOn { guile = linux; autogen = linux; + lsh = linux; mailutils = linux; mcron = linux; texmacs = linux; diff --git a/pkgs/top-level/release-small.nix b/pkgs/top-level/release-small.nix index 77efcc2e021..2774ff66f57 100644 --- a/pkgs/top-level/release-small.nix +++ b/pkgs/top-level/release-small.nix @@ -88,6 +88,7 @@ with import ./release-lib.nix { inherit supportedSystems; }; libxml2 = all; libxslt = all; lout = linux; + lsh = linux; lsof = linux; ltrace = linux; lvm2 = linux; From 7413278f9bda2665eb487c44aa243572cc018df3 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 23 Aug 2016 15:32:41 +0000 Subject: [PATCH 514/603] Revert "Remove lsh, broken & unmaintained" This reverts commit 73f4c2bdf89ca02d70e614631531af307d056fef. --- nixos/modules/config/gnu.nix | 9 +- .../modules/services/networking/ssh/lshd.nix | 176 ++++++++++++++++++ pkgs/tools/networking/lsh/default.nix | 49 +++++ .../networking/lsh/lshd-no-root-login.patch | 16 ++ .../networking/lsh/pam-service-name.patch | 14 ++ pkgs/top-level/all-packages.nix | 4 + 6 files changed, 267 insertions(+), 1 deletion(-) create mode 100644 nixos/modules/services/networking/ssh/lshd.nix create mode 100644 pkgs/tools/networking/lsh/default.nix create mode 100644 pkgs/tools/networking/lsh/lshd-no-root-login.patch create mode 100644 pkgs/tools/networking/lsh/pam-service-name.patch diff --git a/nixos/modules/config/gnu.nix b/nixos/modules/config/gnu.nix index 5cc41ce8690..f8c35b440d1 100644 
--- a/nixos/modules/config/gnu.nix +++ b/nixos/modules/config/gnu.nix @@ -9,7 +9,8 @@ with lib; default = false; description = '' When enabled, GNU software is chosen by default whenever a there is - a choice between GNU and non-GNU software. + a choice between GNU and non-GNU software (e.g., GNU lsh + vs. OpenSSH). ''; }; }; @@ -32,6 +33,12 @@ with lib; boot.loader.grub.enable = !pkgs.stdenv.isArm; boot.loader.grub.version = 2; + # GNU lsh. + services.openssh.enable = false; + services.lshd.enable = true; + programs.ssh.startAgent = false; + services.xserver.startGnuPGAgent = true; + # TODO: GNU dico. # TODO: GNU Inetutils' inetd. # TODO: GNU Pies. diff --git a/nixos/modules/services/networking/ssh/lshd.nix b/nixos/modules/services/networking/ssh/lshd.nix new file mode 100644 index 00000000000..661a6a52463 --- /dev/null +++ b/nixos/modules/services/networking/ssh/lshd.nix 
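Review bot: The `@@ -32,6 +33,12 @@` hunk sets `services.openssh.enable = false;` and `services.lshd.enable = true;` unconditionally, so any host that turns on `gnu.enable` has its OpenSSH server replaced by lshd with no way to keep OpenSSH short of disabling the whole option; for a remotely administered machine that is a silent change of the only login service, with lock-out as the failure mode. The rest of the block follows the same unconditional style, but these two lines deserve `mkDefault` so an explicit per-host `services.openssh.enable = true;` still wins: `services.openssh.enable = mkDefault false;` and `services.lshd.enable = mkDefault true;`. The wording added in the `@@ -9,7 +9,8 @@` hunk could then also say that the SSH daemon is swapped unless overridden.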
@@ -0,0 +1,176 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + + inherit (pkgs) lsh; + + cfg = config.services.lshd; + +in + +{ + + ###### interface + + options = { + + services.lshd = { + + enable = mkOption { + default = false; + description = '' + Whether to enable the GNU lshd SSH2 daemon, which allows + secure remote login. + ''; + }; + + portNumber = mkOption { + default = 22; + description = '' + The port on which to listen for connections. + ''; + }; + + interfaces = mkOption { + default = []; + description = '' + List of network interfaces where listening for connections. + When providing the empty list, `[]', lshd listens on all + network interfaces. + ''; + example = [ "localhost" "1.2.3.4:443" ]; + }; + + hostKey = mkOption { + default = "/etc/lsh/host-key"; + description = '' + Path to the server's private key. Note that this key must + have been created, e.g., using "lsh-keygen --server | + lsh-writekey --server", so that you can run lshd. + ''; + }; + + syslog = mkOption { + default = true; + description = ''Whether to enable syslog output.''; + }; + + passwordAuthentication = mkOption { + default = true; + description = ''Whether to enable password authentication.''; + }; + + publicKeyAuthentication = mkOption { + default = true; + description = ''Whether to enable public key authentication.''; + }; + + rootLogin = mkOption { + default = false; + description = ''Whether to enable remote root login.''; + }; + + loginShell = mkOption { + default = null; + description = '' + If non-null, override the default login shell with the + specified value. + ''; + example = "/nix/store/xyz-bash-10.0/bin/bash10"; + }; + + srpKeyExchange = mkOption { + default = false; + description = '' + Whether to enable SRP key exchange and user authentication. 
+ ''; + }; + + tcpForwarding = mkOption { + default = true; + description = ''Whether to enable TCP/IP forwarding.''; + }; + + x11Forwarding = mkOption { + default = true; + description = ''Whether to enable X11 forwarding.''; + }; + + subsystems = mkOption { + description = '' + List of subsystem-path pairs, where the head of the pair + denotes the subsystem name, and the tail denotes the path to + an executable implementing it. + ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable { + + services.lshd.subsystems = [ ["sftp" "${pkgs.lsh}/sbin/sftp-server"] ]; + + systemd.services.lshd = { + description = "GNU lshd SSH2 daemon"; + + after = [ "network-interfaces.target" ]; + + wantedBy = [ "multi-user.target" ]; + + environment = { + LD_LIBRARY_PATH = config.system.nssModules.path; + }; + + preStart = '' + test -d /etc/lsh || mkdir -m 0755 -p /etc/lsh + test -d /var/spool/lsh || mkdir -m 0755 -p /var/spool/lsh + + if ! test -f /var/spool/lsh/yarrow-seed-file + then + # XXX: It would be nice to provide feedback to the + # user when this fails, so that they can retry it + # manually. + ${lsh}/bin/lsh-make-seed --sloppy \ + -o /var/spool/lsh/yarrow-seed-file + fi + + if ! 
test -f "${cfg.hostKey}" + then + ${lsh}/bin/lsh-keygen --server | \ + ${lsh}/bin/lsh-writekey --server -o "${cfg.hostKey}" + fi + ''; + + script = with cfg; '' + ${lsh}/sbin/lshd --daemonic \ + --password-helper="${lsh}/sbin/lsh-pam-checkpw" \ + -p ${toString portNumber} \ + ${if interfaces == [] then "" + else (concatStrings (map (i: "--interface=\"${i}\"") + interfaces))} \ + -h "${hostKey}" \ + ${if !syslog then "--no-syslog" else ""} \ + ${if passwordAuthentication then "--password" else "--no-password" } \ + ${if publicKeyAuthentication then "--publickey" else "--no-publickey" } \ + ${if rootLogin then "--root-login" else "--no-root-login" } \ + ${if loginShell != null then "--login-shell=\"${loginShell}\"" else "" } \ + ${if srpKeyExchange then "--srp-keyexchange" else "--no-srp-keyexchange" } \ + ${if !tcpForwarding then "--no-tcpip-forward" else "--tcpip-forward"} \ + ${if x11Forwarding then "--x11-forward" else "--no-x11-forward" } \ + --subsystems=${concatStringsSep "," + (map (pair: (head pair) + "=" + + (head (tail pair))) + subsystems)} + ''; + }; + + security.pam.services.lshd = {}; + }; +} diff --git a/pkgs/tools/networking/lsh/default.nix b/pkgs/tools/networking/lsh/default.nix new file mode 100644 index 00000000000..77d268f3a47 --- /dev/null +++ b/pkgs/tools/networking/lsh/default.nix 
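Review bot: In the `script` of the `@@ -0,0 +1,176 @@` hunk the `interfaces` list is joined with `concatStrings`, so two or more entries collapse into a single shell word such as `--interface="a"--interface="b"` and lshd receives one malformed option instead of a list of listen addresses; the single-entry example in the option works only because there is nothing to join. Use a separator: `else (concatStringsSep " " (map (i: "--interface=\"${i}\"") interfaces))} \`. Separately, `services.lshd.subsystems` is assigned in `config` without `mkDefault` and the option has no `type`, so a user-supplied list appears to be merged with the sftp entry rather than replacing it; either mark the assignment `mkDefault` or state in the option description that the sftp subsystem is always present.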
@@ -0,0 +1,49 @@ +{ stdenv, fetchurl, gperf, guile, gmp, zlib, liboop, readline, gnum4, pam +, nettools, lsof, procps }: + +stdenv.mkDerivation rec { + name = "lsh-2.0.4"; + src = fetchurl { + url = "mirror://gnu/lsh/${name}.tar.gz"; + sha256 = "614b9d63e13ad3e162c82b6405d1f67713fc622a8bc11337e72949d613713091"; + }; + + patches = [ ./pam-service-name.patch ./lshd-no-root-login.patch ]; + + preConfigure = '' + # Patch `lsh-make-seed' so that it can gather enough entropy. + sed -i "src/lsh-make-seed.c" \ + -e "s|/usr/sbin/arp|${nettools}/sbin/arp|g ; + s|/usr/bin/netstat|${nettools}/bin/netstat|g ; + s|/usr/local/bin/lsof|${lsof}/bin/lsof|g ; + s|/bin/vmstat|${procps}/bin/vmstat|g ; + s|/bin/ps|${procps}/bin/sp|g ; + s|/usr/bin/w|${procps}/bin/w|g ; + s|/usr/bin/df|$(type -P df)|g ; + s|/usr/bin/ipcs|$(type -P ipcs)|g ; + s|/usr/bin/uptime|$(type -P uptime)|g" + + # Skip the `configure' script that checks whether /dev/ptmx & co. work as + # expected, because it relies on impurities (for instance, /dev/pts may + # be unavailable in chroots.) + export lsh_cv_sys_unix98_ptys=yes + ''; + + buildInputs = [ gperf guile gmp zlib liboop readline gnum4 pam ]; + + meta = { + description = "GPL'd implementation of the SSH protocol"; + + longDescription = '' + lsh is a free implementation (in the GNU sense) of the ssh + version 2 protocol, currently being standardised by the IETF + SECSH working group. + ''; + + homepage = http://www.lysator.liu.se/~nisse/lsh/; + license = stdenv.lib.licenses.gpl2Plus; + + maintainers = [ ]; + platforms = [ "x86_64-linux" ]; + }; +} diff --git a/pkgs/tools/networking/lsh/lshd-no-root-login.patch b/pkgs/tools/networking/lsh/lshd-no-root-login.patch new file mode 100644 index 00000000000..9dd81de3fbc --- /dev/null +++ b/pkgs/tools/networking/lsh/lshd-no-root-login.patch 
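Review bot: The sed script in `preConfigure` rewrites `/bin/ps` to `${procps}/bin/sp`, a path that does not exist, so `lsh-make-seed` cannot run `ps` and gathers less entropy than the comment above the script ("so that it can gather enough entropy") promises; that seed is what the module's `preStart` turns into the daemon's yarrow seed file. The line should read `s|/bin/ps|${procps}/bin/ps|g ;`. Since this reintroduces a network-facing login daemon at release 2.0.4 with `maintainers = [ ];`, `meta` should also record who is responsible for it (or a comment on its support status) before `services.lshd` is offered on top of it.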
@@ -0,0 +1,16 @@ +Correctly handle the `--no-root-login' option. + +--- lsh-2.0.4/src/lshd.c 2006-05-01 13:47:44.000000000 +0200 ++++ lsh-2.0.4/src/lshd.c 2009-09-08 12:20:36.000000000 +0200 +@@ -758,6 +758,10 @@ main_argp_parser(int key, char *arg, str + self->allow_root = 1; + break; + ++ case OPT_NO_ROOT_LOGIN: ++ self->allow_root = 0; ++ break; ++ + case OPT_KERBEROS_PASSWD: + self->pw_helper = PATH_KERBEROS_HELPER; + break; + diff --git a/pkgs/tools/networking/lsh/pam-service-name.patch b/pkgs/tools/networking/lsh/pam-service-name.patch new file mode 100644 index 00000000000..6a6156855c5 --- /dev/null +++ b/pkgs/tools/networking/lsh/pam-service-name.patch @@ -0,0 +1,14 @@ +Tell `lsh-pam-checkpw', the PAM password helper program, to use a more +descriptive service name. + +--- lsh-2.0.4/src/lsh-pam-checkpw.c 2003-02-16 22:30:10.000000000 +0100 ++++ lsh-2.0.4/src/lsh-pam-checkpw.c 2008-11-28 16:16:58.000000000 +0100 +@@ -38,7 +38,7 @@ + #include + + #define PWD_MAXLEN 1024 +-#define SERVICE_NAME "other" ++#define SERVICE_NAME "lshd" + #define TIMEOUT 600 + + static int diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index a4dbe1aca1b..81df0d777a6 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -2452,6 +2452,10 @@ in lsb-release = callPackage ../os-specific/linux/lsb-release { }; + # lsh installs `bin/nettle-lfib-stream' and so does Nettle. Give the + # former a lower priority than Nettle. + lsh = lowPrio (callPackage ../tools/networking/lsh { }); + lshw = callPackage ../tools/system/lshw { }; lxc = callPackage ../os-specific/linux/lxc { }; From 8ab400988c211b39c106ed2c49908d520677113b Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Mon, 28 Mar 2016 18:59:34 +0200 Subject: [PATCH 515/603] lsh: fix gcc5 build The build fails with c11 (also tested c99), but works with gnu90. --- pkgs/tools/networking/lsh/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/pkgs/tools/networking/lsh/default.nix b/pkgs/tools/networking/lsh/default.nix index 77d268f3a47..5d788af1682 100644 --- a/pkgs/tools/networking/lsh/default.nix +++ b/pkgs/tools/networking/lsh/default.nix @@ -29,6 +29,8 @@ stdenv.mkDerivation rec { export lsh_cv_sys_unix98_ptys=yes ''; + NIX_CFLAGS_COMPILE = "-std=gnu90"; + buildInputs = [ gperf guile gmp zlib liboop readline gnum4 pam ]; meta = { From 9e211203da6386ccb811cea78a190484e55ee0e4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 23 Aug 2016 15:51:26 +0000 Subject: [PATCH 516/603] czmq: fix build Uses -Werror, failing with additionally enabled warnings from hardening. --- pkgs/development/libraries/czmq/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/czmq/default.nix b/pkgs/development/libraries/czmq/default.nix index 5e2081e750d..a28b0dd0a63 100644 --- a/pkgs/development/libraries/czmq/default.nix +++ b/pkgs/development/libraries/czmq/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { # Needs to be propagated for the .pc file to work propagatedBuildInputs = [ zeromq ]; + NIX_CFLAGS_COMPILE = "-Wno-error=deprecated-declarations"; + meta = with stdenv.lib; { homepage = "http://czmq.zeromq.org/"; description = "High-level C Binding for ZeroMQ"; From 3c06e5f6f792299a496b1c30a75583c1685a3581 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 23 Aug 2016 18:13:31 +0200 Subject: [PATCH 517/603] cc-wrapper: check ld hardening capabilities in stdenv --- pkgs/build-support/cc-wrapper/add-hardening.sh | 8 ++++++-- pkgs/build-support/cc-wrapper/default.nix | 6 +++++- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index be15bc692a2..60e62ffad60 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh 
@@ -4,8 +4,12 @@ hardeningCFlags=() hardeningLDFlags=() hardeningDisable=${hardeningDisable:-""} -if [[ "$($LD -z 2>&1)" =~ "unknown option" ]]; then - hardeningDisable+=" bindnow relro" +if [[ -z "@ld_supports_bindnow@" ]]; then + hardeningDisable+=" bindnow" +fi + +if [[ -z "@ld_supports_relro@" ]]; then + hardeningDisable+=" relro" fi if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix index 10bd5f77f72..08ca8195b68 100644 --- a/pkgs/build-support/cc-wrapper/default.nix +++ b/pkgs/build-support/cc-wrapper/default.nix @@ -237,8 +237,12 @@ stdenv.mkDerivation { cat $out/nix-support/setup-hook.tmp >> $out/nix-support/setup-hook rm $out/nix-support/setup-hook.tmp + # some linkers on some platforms don't support -z + export ld_supports_bindnow=$([[ "$($ldPath/ld -z now 2>&1 || true)" =~ "un(known|recognized) option" ]]) + export ld_supports_relro=$([[ "$($ldPath/ld -z relro 2>&1 || true)" =~ "un(known|recognized) option" ]]) + substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh - cp -p ${./add-hardening.sh} $out/nix-support/add-hardening.sh + substituteAll ${./add-hardening.sh} $out/nix-support/add-hardening.sh cp -p ${./utils.sh} $out/nix-support/utils.sh '' + extraBuildCommands; From 17234ca0732b7b7ecadd635ee258da98dd5b36a8 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 23 Aug 2016 18:28:23 +0200 Subject: [PATCH 518/603] ccl: fix hash --- pkgs/development/compilers/ccl/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/compilers/ccl/default.nix b/pkgs/development/compilers/ccl/default.nix index ee0153c13b0..3e1784424e3 100644 --- a/pkgs/development/compilers/ccl/default.nix +++ b/pkgs/development/compilers/ccl/default.nix 
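Review bot: `export ld_supports_bindnow=$([[ … ]])` is always the empty string, because a `[[ ]]` test writes nothing to stdout, so the values substituted for `@ld_supports_bindnow@` and `@ld_supports_relro@` are empty on every platform and add-hardening.sh disables bindnow and relro unconditionally — a silent regression of two link-time mitigations rather than a capability probe. The quoted right-hand side of `=~` is additionally matched as a literal string, so `"un(known|recognized) option"` can never match an `unknown option` message even if the output were captured. Turn the test's status into the value instead: `if [[ "$($ldPath/ld -z now 2>&1 || true)" =~ unknown\ option|unrecognized\ option ]]; then export ld_supports_bindnow=; else export ld_supports_bindnow=1; fi` and the same for relro, and assert in `NIX_DEBUG` output which flags were detected. The build script string continues past the hunk.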
@@ -5,7 +5,7 @@ let /* TODO: there are also MacOS, FreeBSD and Windows versions */ x86_64-linux = { arch = "linuxx86"; - sha256 = "07cny2qkzc624bzpdsy4iakcln0p7v5rhf8bv0vnh6rhpvnahrnq"; + sha256 = "0g6mkl207ri3ib9w85i9w0sv7srz784pbxidz0d95p6qkvg6shba"; runtime = "lx86cl64"; kernel = "linuxx8664"; }; From 6303b6eb1c6b468010d85ad717e72030b43c6f5a Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 23 Aug 2016 20:01:14 +0200 Subject: [PATCH 519/603] czmq: fix bad merge 9db5362270a9d54b98f76acdefdd793706da7ba3 vs. 9e211203da6386ccb811cea78a190484e55ee0e4 --- pkgs/development/libraries/czmq/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/development/libraries/czmq/default.nix b/pkgs/development/libraries/czmq/default.nix index 3feac77896a..69b64629bd8 100644 --- a/pkgs/development/libraries/czmq/default.nix +++ b/pkgs/development/libraries/czmq/default.nix @@ -15,8 +15,6 @@ stdenv.mkDerivation rec { # Needs to be propagated for the .pc file to work propagatedBuildInputs = [ zeromq ]; - NIX_CFLAGS_COMPILE = "-Wno-error=deprecated-declarations"; - meta = with stdenv.lib; { homepage = "http://czmq.zeromq.org/"; description = "High-level C Binding for ZeroMQ"; From 8576aea57c1d23d7f65bf3b4f1cace2d656a960a Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 24 Aug 2016 10:59:52 +0200 Subject: [PATCH 520/603] cc-wrapper: fix detection of unsupported linker flags --- pkgs/build-support/cc-wrapper/add-hardening.sh | 10 ++-------- pkgs/build-support/cc-wrapper/default.nix | 11 ++++++++--- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh index 60e62ffad60..b98833b3513 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening.sh +++ b/pkgs/build-support/cc-wrapper/add-hardening.sh 
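Review bot: The sha256 of the `x86_64-linux` archive changes while nothing else in the file does (the diffstat reports one insertion and one deletion), which means the upstream artifact behind the same URL was replaced in place, and the commit message `fix hash` does not say what the new content was checked against. A hash-only update for an unchanged source is the case where a supply-chain compromise looks identical to a benign re-upload, so the new tarball should be compared with an upstream-published checksum or release note and that recorded next to the line, e.g. `# upstream re-uploaded the archive; new hash verified against <reference>`. The `url`/version line and the other platform entries sit outside the hunk.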
@@ -4,17 +4,11 @@ hardeningCFlags=() hardeningLDFlags=() hardeningDisable=${hardeningDisable:-""} -if [[ -z "@ld_supports_bindnow@" ]]; then - hardeningDisable+=" bindnow" -fi - -if [[ -z "@ld_supports_relro@" ]]; then - hardeningDisable+=" relro" -fi +hardeningDisable+=" @hardening_unsupported_flags@" if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi -if [[ ! $hardeningDisable == "all" ]]; then +if [[ ! $hardeningDisable =~ "all" ]]; then if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi for flag in "${hardeningFlags[@]}" do diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix index 08ca8195b68..8a746ea016e 100644 --- a/pkgs/build-support/cc-wrapper/default.nix +++ b/pkgs/build-support/cc-wrapper/default.nix @@ -237,9 +237,14 @@ stdenv.mkDerivation { cat $out/nix-support/setup-hook.tmp >> $out/nix-support/setup-hook rm $out/nix-support/setup-hook.tmp - # some linkers on some platforms don't support -z - export ld_supports_bindnow=$([[ "$($ldPath/ld -z now 2>&1 || true)" =~ "un(known|recognized) option" ]]) - export ld_supports_relro=$([[ "$($ldPath/ld -z relro 2>&1 || true)" =~ "un(known|recognized) option" ]]) + # some linkers on some platforms don't support specific -z flags + hardening_unsupported_flags="" + if [[ "$($ldPath/ld -z now 2>&1 || true)" =~ "unknown option" ]]; then + hardening_unsupported_flags+=" bindnow" + fi + if [[ "$($ldPath/ld -z relro 2>&1 || true)" =~ "unknown option" ]]; then + hardening_unsupported_flags+=" relro" + fi substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh substituteAll ${./add-hardening.sh} $out/nix-support/add-hardening.sh From 8b9b9fad3145a5460ce390ac1c155a5073b9bf65 Mon Sep 17 00:00:00 2001 
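Review bot: `[[ ! $hardeningDisable =~ "all" ]]` is a substring test, so any token containing `all` — including whatever is later appended through `@hardening_unsupported_flags@` — is read as a request to disable every hardening flag, whereas the replaced `== "all"` matched only the literal word. Match on a whole word so that `hardeningDisable = [ "all" ]` and lists that include `all` still work but substrings do not: `if [[ ! " $hardeningDisable " == *" all "* ]]; then`. The per-flag loop that follows continues outside the hunk.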
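Review bot: `hardening_unsupported_flags=""` is a plain shell variable, but `substituteAll` takes its replacements from the environment, so unless it is exported the `@hardening_unsupported_flags@` placeholder in add-hardening.sh is likely left as literal text and the linker probe has no effect on any platform; `export hardening_unsupported_flags=""` fixes that. The probe also now matches only `unknown option`, dropping the `unrecognized option` wording the previous version tried to cover — check which message the linkers this wrapper supports actually print and spell both out, e.g. `=~ unknown\ option|unrecognized\ option`. The build script string continues past the hunk.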
From: Shea Levy Date: Wed, 24 Aug 2016 07:35:30 -0400 Subject: [PATCH 521/603] Revert "Revert "Merge branch 'modprobe-fix' of git://github.com/abbradar/nixpkgs"" Revert a revert of a merge that shouldn't have been in master but was intentionally in staging. Next time I'll do this right after the revert instead of so far down the line... This reverts commit 9adad8612b082bcbae30c81678a04b79a44079a4. --- pkgs/development/libraries/fftw/default.nix | 22 +-- pkgs/development/libraries/libdrm/default.nix | 4 +- pkgs/development/libraries/mesa/default.nix | 125 +++++++++--------- .../python-modules/generic/run_setup.py | 2 + .../apple-source-releases/Libc/default.nix | 4 +- .../Libsystem/default.nix | 69 +--------- .../apple-source-releases/configd/default.nix | 15 ++- .../darwin/apple-source-releases/default.nix | 25 ++-- .../libpthread/default.nix | 10 +- .../apple-source-releases/xnu/default.nix | 25 +++- .../darwin/swift-corefoundation/default.nix | 32 +++++ pkgs/stdenv/darwin/make-bootstrap-tools.nix | 3 +- pkgs/top-level/all-packages.nix | 2 + 13 files changed, 169 insertions(+), 169 deletions(-) create mode 100644 pkgs/os-specific/darwin/swift-corefoundation/default.nix diff --git a/pkgs/development/libraries/fftw/default.nix b/pkgs/development/libraries/fftw/default.nix index 68d1e62244c..6e92f2bd384 100644 --- a/pkgs/development/libraries/fftw/default.nix +++ b/pkgs/development/libraries/fftw/default.nix 
@@ -1,34 +1,24 @@ -{ fetchFromGitHub , stdenv, lib, ocaml, perl, indent, transfig, ghostscript, texinfo, libtool, gettext, automake, autoconf, precision ? "double" }: +{ fetchurl, stdenv, lib, precision ? "double" }: with lib; assert elem precision [ "single" "double" "long-double" "quad-precision" ]; -let version = "3.3.5-rc1"; in +let version = "3.3.5"; in stdenv.mkDerivation rec { name = "fftw-${precision}-${version}"; - src = fetchFromGitHub { - owner = "FFTW"; - repo = "fftw3"; - rev = "fftw-${version}"; - sha256 = "1gc57xvdqbapq30ylj3fxwkv61la4kzyf7ji0q0xqjwpji2ynqi4"; + src = fetchurl { + url = "ftp://ftp.fftw.org/pub/fftw/fftw-${version}.tar.gz"; + sha256 = "1kwbx92ps0r7s2mqy7lxbxanslxdzj7dp7r7gmdkzv1j8yqf3kwf"; }; - nativeBuildInputs = [ ocaml perl indent transfig ghostscript texinfo libtool gettext automake autoconf ]; - - # remove the ./configure lines, so we can use nix's configureFlags - patchPhase = "sed -e '27,29d' -i bootstrap.sh"; - - preConfigurePhases = "./bootstrap.sh"; - outputs = [ "dev" "out" "doc" ]; # it's dev-doc only outputBin = "dev"; # fftw-wisdom configureFlags = - [ "--enable-maintainer-mode" - "--enable-shared" "--disable-static" + [ "--enable-shared" "--disable-static" "--enable-threads" ] ++ optional (precision != "double") "--enable-${precision}" diff --git a/pkgs/development/libraries/libdrm/default.nix b/pkgs/development/libraries/libdrm/default.nix index d2bb05a3bb6..13a7cfe0fb9 100644 --- a/pkgs/development/libraries/libdrm/default.nix +++ b/pkgs/development/libraries/libdrm/default.nix @@ -1,11 +1,11 @@ { stdenv, fetchurl, pkgconfig, libpthreadstubs, libpciaccess, udev, valgrind }: stdenv.mkDerivation rec { - name = "libdrm-2.4.68"; + name = "libdrm-2.4.70"; src = fetchurl { url = "http://dri.freedesktop.org/libdrm/${name}.tar.bz2"; - sha256 = "5b4bd9a5922929bc716411cb74061fbf31b06ba36feb89bc1358a91a8d0ca9df"; + sha256 = "b17d4b39ed97ca0e4cffa0db06ff609e617bac94646ec38e8e0579d530540e7b"; }; outputs = [ "dev" "out" ]; 
diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix index 4ed47f46a32..8f037d239d0 100644 --- a/pkgs/development/libraries/mesa/default.nix +++ b/pkgs/development/libraries/mesa/default.nix @@ -1,13 +1,12 @@ -{ stdenv, fetchurl, fetchpatch, pkgconfig, intltool, autoreconfHook, substituteAll -, file, expat, libdrm, xorg, wayland, libudev, llvmPackages, libffi, libomxil-bellagio -, libvdpau, libelf, libva -, grsecEnabled +{ stdenv, fetchurl, fetchpatch +, pkgconfig, intltool, autoreconfHook, substituteAll +, file, expat, libdrm, xorg, wayland, libudev +, llvmPackages, libffi, libomxil-bellagio, libva +, libelf, libvdpau, python +, grsecEnabled ? false , enableTextureFloats ? false # Texture floats are patented, see docs/patents.txt }: -if ! stdenv.lib.lists.elem stdenv.system stdenv.lib.platforms.mesaPlatforms then - throw "unsupported platform for Mesa" -else /** Packaging design: - The basic mesa ($out) contains headers and libraries (GLU is in mesa_glu now). @@ -20,11 +19,15 @@ else - libOSMesa is in $osmesa (~4 MB) */ -with { inherit (stdenv.lib) optional optionalString; }; +with stdenv.lib; + +if ! lists.elem stdenv.system platforms.mesaPlatforms then + throw "unsupported platform for Mesa" +else let - version = "11.2.2"; - # this is the default search path for DRI drivers + version = "12.0.1"; + branch = head (splitString "." version); driverLink = "/run/opengl-driver" + optionalString stdenv.isi686 "-32"; in 
@@ -34,20 +37,20 @@ stdenv.mkDerivation { src = fetchurl { urls = [ "ftp://ftp.freedesktop.org/pub/mesa/${version}/mesa-${version}.tar.xz" - (with stdenv.lib; ''ftp://ftp.freedesktop.org/pub/mesa/older-versions/'' - + head (splitString "." version) + ''.x/${version}/mesa-${version}.tar.xz'') + "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz" "https://launchpad.net/mesa/trunk/${version}/+download/mesa-${version}.tar.xz" ]; - sha256 = "40e148812388ec7c6d7b6657d5a16e2e8dabba8b97ddfceea5197947647bdfb4"; + sha256 = "12b3i59xdn2in2hchrkgh4fwij8zhznibx976l3pdj3qkyvlzcms"; }; prePatch = "patchShebangs ."; + # TODO: + # revive ./dricore-gallium.patch when it gets ported (from Ubuntu), as it saved + # ~35 MB in $drivers; watch https://launchpad.net/ubuntu/+source/mesa/+changelog patches = [ ./glx_ro_text_segm.patch # fix for grsecurity/PaX ./symlink-drivers.patch - # TODO: revive ./dricore-gallium.patch when it gets ported (from Ubuntu), - # as it saved ~35 MB in $drivers; watch https://launchpad.net/ubuntu/+source/mesa/+changelog ] ++ optional stdenv.isLinux (substituteAll { src = ./dlopen-absolute-paths.diff; 
@@ -61,61 +64,59 @@ stdenv.mkDerivation { outputs = [ "dev" "out" "drivers" "osmesa" ]; + # TODO: Figure out how to enable opencl without having a runtime dependency on clang configureFlags = [ "--sysconfdir=/etc" "--localstatedir=/var" "--with-dri-driverdir=$(drivers)/lib/dri" "--with-dri-searchpath=${driverLink}/lib/dri" + "--with-egl-platforms=x11,wayland,drm" + (optionalString (stdenv.system != "armv7l-linux") + "--with-gallium-drivers=svga,i915,ilo,r300,r600,radeonsi,nouveau,freedreno,swrast") + (optionalString (stdenv.system != "armv7l-linux") + "--with-dri-drivers=i915,i965,nouveau,radeon,r200,swrast") + (enableFeature enableTextureFloats "texture-float") + (enableFeature grsecEnabled "glx-rts") + (enableFeature stdenv.isLinux "dri3") + (enableFeature stdenv.isLinux "nine") # Direct3D in Wine + "--enable-dri" + "--enable-driglx-direct" "--enable-gles1" "--enable-gles2" - "--enable-dri" - ] ++ optional stdenv.isLinux "--enable-dri3" - ++ [ "--enable-glx" + "--enable-glx-tls" "--enable-gallium-osmesa" # used by wine + "--enable-gallium-llvm" "--enable-egl" "--enable-xa" # used in vmware driver "--enable-gbm" - ] ++ optional stdenv.isLinux "--enable-nine" # Direct3D in Wine - ++ [ "--enable-xvmc" "--enable-vdpau" - #"--enable-omx" - #"--enable-va" - - # TODO: Figure out how to enable opencl without having a runtime dependency on clang - "--disable-opencl" - - (if "armv7l-linux" == stdenv.system - then null - else "--with-gallium-drivers=svga,i915,ilo,r300,r600,radeonsi,nouveau,freedreno,swrast") "--enable-shared-glapi" "--enable-sysfs" - "--enable-driglx-direct" # seems enabled anyway - "--enable-glx-tls" - (if "armv7l-linux" == stdenv.system - then "--with-dri-drivers=" - else "--with-dri-drivers=i915,i965,nouveau,radeon,r200,swrast") - "--with-egl-platforms=x11,wayland,drm" - - "--enable-gallium-llvm" "--enable-llvm-shared-libs" - ] ++ optional enableTextureFloats "--enable-texture-float" - ++ optional grsecEnabled "--enable-glx-rts"; # slight performance 
degradation, enable only for grsec + "--enable-omx" + "--enable-va" + "--disable-opencl" + ]; nativeBuildInputs = [ pkgconfig file ]; - propagatedBuildInputs = with xorg; [ libXdamage libXxf86vm ] + propagatedBuildInputs = with xorg; + [ libXdamage libXxf86vm ] ++ optional stdenv.isLinux libdrm; buildInputs = with xorg; [ autoreconfHook intltool expat llvmPackages.llvm glproto dri2proto dri3proto presentproto libX11 libXext libxcb libXt libXfixes libxshmfence - libffi wayland libvdpau libelf libXvMC /* libomxil-bellagio libva */ + libffi wayland libvdpau libelf libXvMC + libomxil-bellagio libva libpthreadstubs + (python.withPackages (ps: [ ps.Mako ])) ] ++ optional stdenv.isLinux libudev; + enableParallelBuilding = true; doCheck = false; 
@@ -124,42 +125,42 @@ stdenv.mkDerivation { "localstatedir=\${TMPDIR}" ]; - # move gallium-related stuff to $drivers, so $out doesn't depend on LLVM; - # also move libOSMesa to $osmesa, as it's relatively big - # ToDo: probably not all .la files are completely fixed, but it shouldn't matter - postInstall = with stdenv.lib; '' - mv -t "$drivers/lib/" \ - $out/lib/libXvMC* \ - $out/lib/d3d \ - $out/lib/vdpau \ - $out/lib/libxatracker* + # TODO: probably not all .la files are completely fixed, but it shouldn't matter; + postInstall = '' + # move gallium-related stuff to $drivers, so $out doesn't depend on LLVM + mv -t "$drivers/lib/" \ + $out/lib/libXvMC* \ + $out/lib/d3d \ + $out/lib/vdpau \ + $out/lib/bellagio \ + $out/lib/libxatracker* \ + mv $out/lib/dri/* $drivers/lib/dri + + # move libOSMesa to $osmesa, as it's relatively big mkdir -p {$osmesa,$drivers}/lib/ - mv -t $osmesa/lib/ \ - $out/lib/libOSMesa* + mv -t $osmesa/lib/ $out/lib/libOSMesa* - '' + /* now fix references in .la files */ '' - sed "/^libdir=/s,$out,$osmesa," -i \ - $osmesa/lib/libOSMesa*.la + # now fix references in .la files + sed "/^libdir=/s,$out,$osmesa," -i $osmesa/lib/libOSMesa*.la - '' + /* set the default search path for DRI drivers; used e.g. by X server */ '' + # set the default search path for DRI drivers; used e.g. by X server substituteInPlace "$dev/lib/pkgconfig/dri.pc" --replace '$(drivers)' "${driverLink}" ''; - #ToDo: @vcunat isn't sure if drirc will be found when in $out/etc/, but it doesn't seem important ATM */ - postFixup = + # TODO: + # @vcunat isn't sure if drirc will be found when in $out/etc/; + # check $out doesn't depend on llvm: builder failures are ignored + # for some reason grep -qv '${llvmPackages.llvm}' -R "$out"; + postFixup = '' # add RPATH so the drivers can find the moved libgallium and libdricore9 # moved here to avoid problems with stripping patchelfed files - '' for lib in $drivers/lib/*.so* $drivers/lib/*/*.so*; do if [[ ! 
-L "$lib" ]]; then patchelf --set-rpath "$(patchelf --print-rpath $lib):$drivers/lib" "$lib" fi done ''; - # ToDo + /* check $out doesn't depend on llvm */ '' - # builder failures are ignored for some reason - # grep -qv '${llvmPackages.llvm}' -R "$out" passthru = { inherit libdrm version driverLink; }; diff --git a/pkgs/development/python-modules/generic/run_setup.py b/pkgs/development/python-modules/generic/run_setup.py index d980ac7d23d..e3a530eb0cb 100644 --- a/pkgs/development/python-modules/generic/run_setup.py +++ b/pkgs/development/python-modules/generic/run_setup.py @@ -1,3 +1,5 @@ +# -*- coding: utf-8 -*- + import setuptools import tokenize diff --git a/pkgs/os-specific/darwin/apple-source-releases/Libc/default.nix b/pkgs/os-specific/darwin/apple-source-releases/Libc/default.nix index 16cfa9e554b..ce04be0e083 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/Libc/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/Libc/default.nix @@ -1,4 +1,4 @@ -{ stdenv, appleDerivation, ed, unifdef, Libc_old }: +{ stdenv, appleDerivation, ed, unifdef, Libc_old, Libc_10-9 }: appleDerivation { phases = [ "unpackPhase" "installPhase" ]; @@ -13,6 +13,8 @@ appleDerivation { export PRIVATE_HEADERS_FOLDER_PATH=include bash xcodescripts/headers.sh + cp ${Libc_10-9}/include/NSSystemDirectories.h $out/include + # Ugh Apple stopped releasing this stuff so we need an older one... cp ${Libc_old}/include/spawn.h $out/include cp ${Libc_old}/include/setjmp.h $out/include diff --git a/pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix b/pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix index 1c9b5879e6e..27d2360a980 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/Libsystem/default.nix 
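Review bot: The line `$out/lib/libxatracker* \` ends in a continuation backslash, so as shown here the following `mv $out/lib/dri/* $drivers/lib/dri` becomes extra arguments to the first `mv -t "$drivers/lib/"` (a literal `mv` source plus a second target), which would fail postInstall; if a blank line separates the two commands in the real file the backslash is merely dead, but either way it should be removed. The now-commented purity check also could never have worked as written: `grep -qv PATTERN -R "$out"` succeeds whenever any line does not contain the pattern, which explains the "builder failures are ignored for some reason" remark — the working form is `! grep -qR '${llvmPackages.llvm}' "$out"`, and re-enabling it matters because the whole point of the `$drivers` split is that `$out` must not reference LLVM. The derivation continues outside the hunk.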
@@ -5,42 +5,7 @@ appleDerivation rec { phases = [ "unpackPhase" "installPhase" ]; - buildInputs = [ cpio libpthread ]; - - systemlibs = [ "cache" - "commonCrypto" - "compiler_rt" - "copyfile" - "corecrypto" - "dispatch" - "dyld" - "keymgr" - "kxld" - "launch" - "macho" - "quarantine" - "removefile" - "system_asl" - "system_blocks" - # "system_c" # special re-export here to hide newer functions - "system_configuration" - "system_dnssd" - "system_info" - # "system_kernel" # special re-export here to hide newer functions - "system_m" - "system_malloc" - "system_network" - "system_notify" - "system_platform" - "system_pthread" - "system_sandbox" - # does not exist in El Capitan beta - # FIXME: does anything on yosemite actually need this? - # "system_stats" - "unc" - "unwind" - "xpc" - ]; + buildInputs = [ cpio ]; installPhase = '' export NIX_ENFORCE_PURITY= @@ -54,7 +19,7 @@ appleDerivation rec { for dep in ${Libc} ${Libm} ${Libinfo} ${dyld} ${architecture} ${libclosure} ${CarbonHeaders} \ ${libdispatch} ${ncurses.dev} ${CommonCrypto} ${copyfile} ${removefile} ${libresolv} \ - ${Libnotify} ${mDNSResponder} ${launchd} ${libutil}; do + ${Libnotify} ${mDNSResponder} ${launchd} ${libutil} ${libpthread}; do (cd $dep/include && find . -name '*.h' | cpio -pdm $out/include) done 
@@ -91,33 +56,9 @@ appleDerivation rec { # The startup object files cp ${Csu}/lib/* $out/lib - # selectively re-export functions from libsystem_c and libsystem_kernel - # to provide a consistent interface across OSX verions - mkdir -p $out/lib/system - ld -macosx_version_min 10.7 -arch x86_64 -dylib \ - -o $out/lib/system/libsystem_c.dylib \ - /usr/lib/libSystem.dylib \ - -reexported_symbols_list ${./system_c_symbols} - - ld -macosx_version_min 10.7 -arch x86_64 -dylib \ - -o $out/lib/system/libsystem_kernel.dylib \ - /usr/lib/libSystem.dylib \ - -reexported_symbols_list ${./system_kernel_symbols} - - # Set up the actual library link - clang -c -o CompatibilityHacks.o -Os CompatibilityHacks.c - clang -c -o init.o -Os init.c - ld -macosx_version_min 10.7 \ - -arch x86_64 \ - -dylib \ - -o $out/lib/libSystem.dylib \ - CompatibilityHacks.o init.o \ - -compatibility_version 1.0 \ - -current_version 1197.1.1 \ - -reexport_library $out/lib/system/libsystem_c.dylib \ - -reexport_library $out/lib/system/libsystem_kernel.dylib \ - ${stdenv.lib.concatStringsSep " " - (map (l: "-reexport_library /usr/lib/system/lib${l}.dylib") systemlibs)} + # OMG impurity + ln -s /usr/lib/libSystem.B.dylib $out/lib/libSystem.B.dylib + ln -s /usr/lib/libSystem.dylib $out/lib/libSystem.dylib # Set up links to pretend we work like a conventional unix (Apple's design, not mine!) for name in c dbm dl info m mx poll proc pthread rpcsvc util gcc_s.10.4 gcc_s.10.5; do diff --git a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix index 1fbacfb9284..24797fc286a 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/configd/default.nix 
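Review bot: `ln -s /usr/lib/libSystem.dylib $out/lib/libSystem.dylib` (flagged only as `# OMG impurity`) makes every consumer of this Libsystem link against whatever libSystem the build host happens to carry, replacing the previous build that re-exported a fixed symbol list from pinned inputs; the resulting store paths are no longer reproducible across machines and their symbol set depends on the host OS version. If this is the intended interim state, the comment should say what it costs and what ends it, e.g. `# Symlinks the host's /usr/lib/libSystem: output depends on the build machine's macOS version and is not reproducible; restore the re-exported library once the symbol lists are maintained again.` The installPhase continues outside the hunk.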
@@ -3,7 +3,7 @@ appleDerivation { meta.broken = stdenv.cc.nativeLibc; - buildInputs = [ launchd bootstrap_cmds xnu ppp IOKit eap8021x ]; + buildInputs = [ launchd bootstrap_cmds ppp IOKit eap8021x ]; propagatedBuildInputs = [ Security ]; @@ -12,6 +12,11 @@ appleDerivation { ''; patchPhase = '' + HACK=$PWD/hack + mkdir $HACK + cp -r ${xnu}/Library/Frameworks/System.framework/Versions/B/PrivateHeaders/net $HACK + + substituteInPlace SystemConfiguration.fproj/SCNetworkReachabilityInternal.h \ --replace '#include ' "" @@ -172,9 +177,9 @@ appleDerivation { cc -I. -Ihelper -Iderived -F. -c DHCP.c -o DHCP.o cc -I. -Ihelper -Iderived -F. -c moh.c -o moh.o cc -I. -Ihelper -Iderived -F. -c DeviceOnHold.c -o DeviceOnHold.o - cc -I. -Ihelper -Iderived -I${xnu}/Library/Frameworks/System.framework/Versions/B/PrivateHeaders -F. -c LinkConfiguration.c -o LinkConfiguration.o + cc -I. -Ihelper -Iderived -I $HACK -F. -c LinkConfiguration.c -o LinkConfiguration.o cc -I. -Ihelper -Iderived -F. -c dy_framework.c -o dy_framework.o - cc -I. -Ihelper -Iderived -I${xnu}/Library/Frameworks/System.framework/Versions/B/PrivateHeaders -F. -c VLANConfiguration.c -o VLANConfiguration.o + cc -I. -Ihelper -Iderived -I $HACK -F. -c VLANConfiguration.c -o VLANConfiguration.o cc -I. -Ihelper -Iderived -F. -c derived/configUser.c -o configUser.o cc -I. -Ihelper -Iderived -F. -c SCPreferencesPathKey.c -o SCPreferencesPathKey.o cc -I. -Ihelper -Iderived -I../dnsinfo -F. -c derived/shared_dns_infoUser.c -o shared_dns_infoUser.o 
@@ -183,8 +188,8 @@ appleDerivation { cc -I. -Ihelper -Iderived -F. -c SCNetworkProtocol.c -o SCNetworkProtocol.o cc -I. -Ihelper -Iderived -F. -c SCNetworkService.c -o SCNetworkService.o cc -I. -Ihelper -Iderived -F. -c SCNetworkSet.c -o SCNetworkSet.o - cc -I. -Ihelper -Iderived -I${xnu}/Library/Frameworks/System.framework/Versions/B/PrivateHeaders -F. -c BondConfiguration.c -o BondConfiguration.o - cc -I. -Ihelper -Iderived -I${xnu}/Library/Frameworks/System.framework/Versions/B/PrivateHeaders -F. -c BridgeConfiguration.c -o BridgeConfiguration.o + cc -I. -Ihelper -Iderived -I $HACK -F. -c BondConfiguration.c -o BondConfiguration.o + cc -I. -Ihelper -Iderived -I $HACK -F. -c BridgeConfiguration.c -o BridgeConfiguration.o cc -I. -Ihelper -Iderived -F. -c helper/SCHelper_client.c -o SCHelper_client.o cc -I. -Ihelper -Iderived -F. -c SCPreferencesKeychainPrivate.c -o SCPreferencesKeychainPrivate.o cc -I. -Ihelper -Iderived -F. -c SCNetworkSignature.c -o SCNetworkSignature.o diff --git a/pkgs/os-specific/darwin/apple-source-releases/default.nix b/pkgs/os-specific/darwin/apple-source-releases/default.nix index ce128f14530..d7710abf291 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, pkgs }: +{ stdenv, fetchurl, fetchzip, pkgs }: let # This attrset can in theory be computed automatically, but for that to work nicely we need @@ -6,9 +6,13 @@ let # a stdenv out of something like this. With some care we can probably get rid of this, but for # now it's staying here. versions = { - "osx-10.11.2" = { - dtrace = "168"; - xnu = "3248.20.55"; + "osx-10.11.6" = { + dtrace = "168"; + xnu = "3248.60.10"; + libpthread = "138.10.4"; + }; + "osx-10.11.5" = { + Libc = "1082.50.1"; # 10.11.6 still unreleased :/ }; "osx-10.10.5" = { adv_cmds = "158"; 
@@ -185,13 +189,18 @@ let CoreOSMakefiles = applePackage "CoreOSMakefiles" "osx-10.5" "0kxp53spbn7109l7cvhi88pmfsi81lwmbws819b6wr3hm16v84f4" {}; Csu = applePackage "Csu" "osx-10.10.5" "0yh5mslyx28xzpv8qww14infkylvc1ssi57imhi471fs91sisagj" {}; dtrace = applePackage "dtrace" "osx-10.10.5" "0pp5x8dgvzmg9vvg32hpy2brm17dpmbwrcr4prsmdmfvd4767wcf" {}; - dtracen = applePackage "dtrace" "osx-10.11.2" "04mi0jy8gy0w59rk9i9dqznysv6fzz1v5mq779s41cp308yi0h1c" {}; + dtracen = applePackage "dtrace" "osx-10.11.6" "04mi0jy8gy0w59rk9i9dqznysv6fzz1v5mq779s41cp308yi0h1c" {}; dyld = applePackage "dyld" "osx-10.10.5" "167f74ln8pmfimwn6kwh199ylvy3fw72fd15da94mf34ii0zar6k" {}; eap8021x = applePackage "eap8021x" "osx-10.10.5" "1f37dpbcgrd1b14nrv2lpqrkap74myjbparz9masx92df6kcn7l2" {}; IOKit = applePackage "IOKit" "osx-10.10.5" "0kcbrlyxcyirvg5p95hjd9k8a01k161zg0bsfgfhkb90kh2s8x0m" { inherit IOKitSrcs; }; launchd = applePackage "launchd" "osx-10.9.5" "0w30hvwqq8j5n90s3qyp0fccxflvrmmjnicjri4i1vd2g196jdgj" {}; libauto = applePackage "libauto" "osx-10.9.5" "17z27yq5d7zfkwr49r7f0vn9pxvj95884sd2k6lq6rfaz9gxqhy3" {}; - Libc = applePackage "Libc" "osx-10.9.5" "1jz5bx9l4q484vn28c6n9b28psja3rpxiqbj6zwrwvlndzmq1yz5" {}; + Libc = applePackage "Libc" "osx-10.11.5" "1qv7r0dgz06jy9i5agbqzxgdibb0m8ylki6g5n5pary88lzrawfd" { + Libc_10-9 = fetchzip { + url = "http://www.opensource.apple.com/tarballs/Libc/Libc-997.90.3.tar.gz"; + sha256 = "1xchgxkxg5288r2b9yfrqji2gsgdap92k4wx2dbjwslixws12pq7"; + }; + }; Libc_old = applePackage "Libc/825_40_1.nix" "osx-10.8.5" "0xsx1im52gwlmcrv4lnhhhn9dyk5ci6g27k6yvibn9vj8fzjxwcf" {}; libclosure = applePackage "libclosure" "osx-10.10.5" "1zqy1zvra46cmqv6vsf1mcsz3a76r9bky145phfwh4ab6y15vjpq" {}; libdispatch = applePackage "libdispatch" "osx-10.9.5" "1lc5033cmkwxy3r26gh9plimxshxfcbgw6i0j7mgjlnpk86iy5bk" {}; 
@@ -199,7 +208,7 @@ let Libinfo = applePackage "Libinfo" "osx-10.10.5" "19n72s652rrqnc9hzlh4xq3h7xsfyjyklmcgyzyj0v0z68ww3z6h" {}; Libm = applePackage "Libm" "osx-10.7.4" "02sd82ig2jvvyyfschmb4gpz6psnizri8sh6i982v341x6y4ysl7" {}; Libnotify = applePackage "Libnotify" "osx-10.9.5" "164rx4za5z74s0mk9x0m1815r1m9kfal8dz3bfaw7figyjd6nqad" {}; - libpthread = applePackage "libpthread" "osx-10.10.5" "1p2y6xvsfqyakivr6d48fgrd163b5m9r045cxyfwrf8w0r33nfn3" {}; + libpthread = applePackage "libpthread" "osx-10.11.6" "1kbw738cmr9pa7pz1igmajs307clfq7gv2vm1sqdzhcnnjxbl28w" {}; libresolv = applePackage "libresolv" "osx-10.10.5" "0nvssf4qaqgs1dxwayzdy66757k99969f6c7n68n58n2yh6f5f6a" {}; Libsystem = applePackage "Libsystem" "osx-10.9.5" "1yfj2qdrf9vrzs7p9m4wlb7zzxcrim1gw43x4lvz4qydpp5kg2rh" {}; libutil = applePackage "libutil" "osx-10.10.5" "12gsvmj342n5d81kqwba68bmz3zf2757442g1sz2y5xmcapa3g5f" {}; @@ -209,7 +218,7 @@ let ppp = applePackage "ppp" "osx-10.10.5" "01v7i0xds185glv8psvlffylfcfhbx1wgsfg74kx5rh3lyrigwrb" {}; removefile = applePackage "removefile" "osx-10.10.5" "1f2jw5irq6fz2jv5pag1w2ivfp8659v74f0h8kh0yx0rqw4asm33" {}; Security = applePackage "Security" "osx-10.9.5" "1nv0dczf67dhk17hscx52izgdcyacgyy12ag0jh6nl5hmfzsn8yy" {}; - xnu = applePackage "xnu" "osx-10.9.5" "1ssw5fzvgix20bw6y13c39ib0zs7ykpig3irlwbaccpjpci5jl0s" {}; + xnu = applePackage "xnu" "osx-10.11.6" "0yhziq4dqqcbjpf6vyqn8xhwva2zb525gndkx8cp8alzwp76jnr9" {}; # Pending work... we can't change the above packages in place because the bootstrap depends on them, so we detach the expressions # here so we can work on them. diff --git a/pkgs/os-specific/darwin/apple-source-releases/libpthread/default.nix b/pkgs/os-specific/darwin/apple-source-releases/libpthread/default.nix index 027784e2ea6..c9d4b654a58 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/libpthread/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/libpthread/default.nix 
@@ -6,8 +6,14 @@ appleDerivation { propagatedBuildInputs = [ libdispatch xnu ]; installPhase = '' - mkdir -p $out/include/pthread + mkdir -p $out/include/pthread/ + mkdir -p $out/include/sys/_types cp pthread/*.h $out/include/pthread/ - cp private/*.h $out/include/pthread/ + + # This overwrites qos.h, and is probably not necessary, but I'll leave it here for now + # cp private/*.h $out/include/pthread/ + + cp -r sys $out/include + cp -r sys/_pthread/*.h $out/include/sys/_types/ ''; } diff --git a/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix b/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix index 4933f94d4a9..0ce9c54e48c 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/xnu/default.nix @@ -30,11 +30,12 @@ appleDerivation { substituteInPlace libsyscall/xcodescripts/mach_install_mig.sh \ --replace "/usr/include" "/include" \ --replace "/usr/local/include" "/include" \ - --replace "MIG=" "# " \ - --replace "MIGCC=" "# " \ + --replace 'MIG=`' "# " \ + --replace 'MIGCC=`' "# " \ --replace " -o 0" "" \ --replace '$SRC/$mig' '-I$DSTROOT/include $SRC/$mig' \ - --replace '$SRC/servers/netname.defs' '-I$DSTROOT/include $SRC/servers/netname.defs' + --replace '$SRC/servers/netname.defs' '-I$DSTROOT/include $SRC/servers/netname.defs' \ + --replace '$BUILT_PRODUCTS_DIR/mig_hdr' '$BUILT_PRODUCTS_DIR' patchShebangs . ''; @@ -46,9 +47,9 @@ appleDerivation { cat > sdk/usr/local/libexec/availability.pl < Date: Wed, 24 Aug 2016 16:52:16 +0200 Subject: [PATCH 522/603] go_1_7: disable all hardening --- pkgs/development/compilers/go/1.7.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/go/1.7.nix b/pkgs/development/compilers/go/1.7.nix index 61d6a5e8391..a65b1dd6b78 100644 --- a/pkgs/development/compilers/go/1.7.nix +++ b/pkgs/development/compilers/go/1.7.nix 
@@ -31,6 +31,8 @@ stdenv.mkDerivation rec { Security Foundation ]; + hardeningDisable = [ "all" ]; + # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. preUnpack = '' From 9e47acb89d2bb4d734750f90b1320e23814e7a36 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Aug 2016 17:19:43 +0000 Subject: [PATCH 523/603] otpw: disable stackprotector hardening --- pkgs/os-specific/linux/otpw/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/otpw/default.nix b/pkgs/os-specific/linux/otpw/default.nix index ff5367b9839..69c6dd1510c 100644 --- a/pkgs/os-specific/linux/otpw/default.nix +++ b/pkgs/os-specific/linux/otpw/default.nix @@ -24,6 +24,8 @@ stdenv.mkDerivation rec { buildInputs = [ pam ]; + hardeningDisable = [ "stackprotector" ]; + meta = { homepage = http://www.cl.cam.ac.uk/~mgk25/otpw.html; description = "A one-time password login package"; From 647b2ce168bf8ae3773d133cd7a98aaab4193aa4 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 24 Aug 2016 19:24:48 +0200 Subject: [PATCH 524/603] lua5_0: disable stackprotector hardening on i686 --- pkgs/development/interpreters/lua-5/5.0.3.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/interpreters/lua-5/5.0.3.nix b/pkgs/development/interpreters/lua-5/5.0.3.nix index 76e02f90f5f..773883ef34a 100644 --- a/pkgs/development/interpreters/lua-5/5.0.3.nix +++ b/pkgs/development/interpreters/lua-5/5.0.3.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation { sha256 = "1193a61b0e08acaa6eee0eecf29709179ee49c71baebc59b682a25c3b5a45671"; }; + hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector"; + configurePhase = "sed -i -e 's/MYCFLAGS=.*/MYCFLAGS=-O3 -fomit-frame-pointer -fPIC/' config"; buildFlags = "all so sobin"; installFlags = "INSTALL_ROOT=$$out"; From bfe1c24eac1c85108eb377ea79e9eccabeeba1af Mon Sep 17 00:00:00 2001 
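Review bot: `hardeningDisable = [ "all" ];` switches off every hardening flag for the Go 1.7 toolchain without an in-file comment naming the flag that actually broke the build, so nobody can narrow it later. The other hunks in this series disable a single named flag (stackprotector for otpw and lua5_0 on this line, format for dico, pic and fortify for maude, fortify for flannel, pic for pypy), which suggests a narrower list may work here too, though I cannot see the failure. A comment above the line such as `# TODO: <flag(s) that fail> break the Go build; narrow this list once known` would keep the blanket disable honest. The same missing rationale applies to the otpw and lua5_0 hunks below and to the dico, maude, flannel and pypy hunks later in the series; one comment per package naming the failing flag and file is enough.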
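Review bot: `hardeningDisable = [ "stackprotector" ];` removes stack-smashing protection from otpw, which builds against PAM (`buildInputs = [ pam ]`) and is described as a login package, and the hunk records no reason for it. Because the disable covers the whole package rather than the one translation unit that fails to compile, the cost is higher here than for a build tool; the preferred fix is to patch or report the construct that does not build with -fstack-protector and then drop this line. Until then a comment such as `# TODO: -fstack-protector fails on <file, from build log>; reported upstream, remove when fixed` would make the trade-off visible to whoever next touches the file.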
From: Franz Pletz Date: Wed, 24 Aug 2016 20:16:48 +0200 Subject: [PATCH 525/603] dico: disable format hardening --- pkgs/servers/dico/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/dico/default.nix b/pkgs/servers/dico/default.nix index 2078e2e2d42..7c2af1dd25e 100644 --- a/pkgs/servers/dico/default.nix +++ b/pkgs/servers/dico/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "13by0zimx90v2j8v7n4k9y3xwmh4q9jdc2f4f8yjs3x7f5bzm2pk"; }; + hardeningDisable = [ "format" ]; + # XXX: Add support for GNU SASL. buildInputs = [ libtool gettext zlib readline gsasl guile python pcre libffi groff ]; From e8d9e31a0846455b45809e8c124d061f968a037a Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 24 Aug 2016 20:18:46 +0200 Subject: [PATCH 526/603] valum: 0.2.0 -> 0.2.16, fixes hardened build --- pkgs/development/web/valum/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/web/valum/default.nix b/pkgs/development/web/valum/default.nix index 21881fe6a31..c700fd81a24 100644 --- a/pkgs/development/web/valum/default.nix +++ b/pkgs/development/web/valum/default.nix @@ -3,13 +3,13 @@ stdenv.mkDerivation rec { name = "valum-${version}"; - version = "0.2.0"; + version = "0.2.16"; src = fetchFromGitHub { owner = "valum-framework"; repo = "valum"; rev = "v${version}"; - sha256 = "1lciwqk4k9sf1hl4drl207g0ydlxl906kx9lx5fqhfb8gwcfqh2g"; + sha256 = "0ca067gg5z1798bazwzgg2yd2mbysvk8i2q2v3i8d0d188y2hj84"; }; buildInputs = [ python pkgconfig glib vala_0_28 ctpl libgee libsoup fcgi ]; From bd44c7fd70b675e98ab47a85adb8c50c0b766f46 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Aug 2016 18:19:09 +0000 Subject: [PATCH 527/603] boolector: fix build with multiple outputs --- pkgs/applications/science/logic/boolector/default.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
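Review bot: `hardeningDisable = [ "format" ];` drops the format-string checks for dico, a network dictionary server, and nothing in the file says what failed. As far as I recall the nixpkgs format flag corresponds to `-Wformat -Wformat-security -Werror=format-security`, so the call sites the compiler rejected are exactly the ones worth reading in the build log before silencing them, given the server handles client-supplied strings. If the build must go ahead as is, `NIX_CFLAGS_COMPILE = "-Wno-error=format-security";` keeps the diagnostics visible in the log while no longer failing the build, provided the wrapper places it after the hardening flags; either way a comment naming the offending files should sit next to the line.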
diff --git a/pkgs/applications/science/logic/boolector/default.nix b/pkgs/applications/science/logic/boolector/default.nix index 3879ee8ef47..52c839130bb 100644 --- a/pkgs/applications/science/logic/boolector/default.nix +++ b/pkgs/applications/science/logic/boolector/default.nix @@ -23,11 +23,9 @@ let license = with stdenv.lib.licenses; if useV16 then unfreeRedistributable else gpl3; in stdenv.mkDerivation (boolectorPkg // { - buildInputs = [ zlib ]; + buildInputs = [ zlib stdenv.glibc.static zlib.static ]; enableParallelBuilding = false; - buildPhase = "./build.sh"; - installPhase = '' mkdir -p $out/bin $out/lib $out/include cp boolector/boolector $out/bin From 2b4438c294daa9a1604b68b965b86fe1ae8b32e8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Aug 2016 18:29:36 +0000 Subject: [PATCH 528/603] maude: disable pic and fortify hardening on i686 --- pkgs/development/interpreters/maude/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/development/interpreters/maude/default.nix b/pkgs/development/interpreters/maude/default.nix index 4493b2c7b85..13403d50759 100644 --- a/pkgs/development/interpreters/maude/default.nix +++ b/pkgs/development/interpreters/maude/default.nix @@ -15,7 +15,8 @@ stdenv.mkDerivation rec { buildInputs = [flex bison ncurses buddy tecla gmpxx libsigsegv makeWrapper]; - hardeningDisable = [ "stackprotector" ]; + hardeningDisable = [ "stackprotector" ] ++ + stdenv.lib.optionals stdenv.isi686 [ "pic" "fortify" ]; preConfigure = '' configureFlagsArray=( From 210b94da497a464ed8a83fcc5a5c10f03b3884f5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Aug 2016 18:31:30 +0000 Subject: [PATCH 529/603] belle-sip: 1.4.1 -> 1.4.2 and fix with new glibc --- pkgs/development/libraries/belle-sip/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/pkgs/development/libraries/belle-sip/default.nix b/pkgs/development/libraries/belle-sip/default.nix index 5975a61ff77..8ba0f6fcc2d 100644 --- a/pkgs/development/libraries/belle-sip/default.nix +++ b/pkgs/development/libraries/belle-sip/default.nix @@ -9,15 +9,17 @@ let }; in stdenv.mkDerivation rec { - name = "belle-sip-1.4.1"; + name = "belle-sip-1.4.2"; src = fetchurl { url = "mirror://savannah/linphone/belle-sip/${name}.tar.gz"; - sha256 = "0q1d3fqsrxi3kxcjcibr376js25h6in8c1hm7c53wz252jx6f42b"; + sha256 = "0c48jh3kjz58swvx1m63ijx5x0c0hf37d803d99flk2l10kbfb42"; }; nativeBuildInputs = [ jre ]; + NIX_CFLAGS_COMPILE = "-Wno-error=deprecated-declarations"; + # belle-sip.pc doesn't have a library path for antlr3c or polarssl propagatedBuildInputs = [ libantlr3c polarssl ]; From 0e1b611a5bf74cb8e8bc7d5224e32669f114b619 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Aug 2016 19:00:11 +0000 Subject: [PATCH 530/603] flannel: disable fortify hardening --- pkgs/tools/networking/flannel/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/networking/flannel/default.nix b/pkgs/tools/networking/flannel/default.nix index 53b5e4839ba..2eea08b9238 100644 --- a/pkgs/tools/networking/flannel/default.nix +++ b/pkgs/tools/networking/flannel/default.nix @@ -7,6 +7,8 @@ buildGoPackage rec { goPackagePath = "github.com/coreos/flannel"; + hardeningDisable = [ "fortify" ]; + src = fetchFromGitHub { inherit rev; owner = "coreos"; From 5d51614620e5a891a185f155462106712ac922cc Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Aug 2016 19:06:00 +0000 Subject: [PATCH 531/603] crawl: fix build with multiple outputs --- pkgs/games/crawl/crawl_purify.patch | 2 +- pkgs/games/crawl/default.nix | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/games/crawl/crawl_purify.patch b/pkgs/games/crawl/crawl_purify.patch index bae82bebfb7..eaff3d74b98 100644 --- a/pkgs/games/crawl/crawl_purify.patch 
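Review bot: `NIX_CFLAGS_COMPILE = "-Wno-error=deprecated-declarations";` downgrades an error class for the whole package without a comment saying which deprecated API the new version trips over; the neighbouring comment on propagatedBuildInputs shows the file's habit of explaining such workarounds. Since polarssl is a propagated input the deprecations plausibly come from its API, but the hunk does not show that. A comment like `# <API> is deprecated in the polarssl we ship — TODO confirm and drop once belle-sip moves off it` would record the reason. The perf hunk later in this series adds the same flag and would benefit from the same note.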
+++ b/pkgs/games/crawl/crawl_purify.patch @@ -7,7 +7,7 @@ index b7e2fbf..5ff23db 100644 ifndef CROSSHOST - SQLITE_INCLUDE_DIR := /usr/include -+ SQLITE_INCLUDE_DIR := ${sqlite.dev}/include ++ SQLITE_INCLUDE_DIR := @sqliteDev@/include else # This is totally wrong, works only with some old-style setups, and # on some architectures of Debian/new FHS multiarch -- excluding, for diff --git a/pkgs/games/crawl/default.nix b/pkgs/games/crawl/default.nix index edaa3ef1fcc..18eb50b2815 100644 --- a/pkgs/games/crawl/default.nix +++ b/pkgs/games/crawl/default.nix @@ -30,10 +30,12 @@ stdenv.mkDerivation rec { patchShebangs $i done patchShebangs util/gen-mi-enum + substituteInPlace Makefile \ + --subst-var-by sqliteDev ${sqlite.dev} ''; makeFlags = [ "prefix=$(out)" "FORCE_CC=gcc" "FORCE_CXX=g++" "HOSTCXX=g++" - "SAVEDIR=~/.crawl" "sqlite=${sqlite.dev}" ] + "SAVEDIR=~/.crawl" ] ++ stdenv.lib.optionals tileMode [ "TILES=y" "dejavu_fonts=${dejavu_fonts}" ]; postInstall = if tileMode then "mv $out/bin/crawl $out/bin/crawl-tiles" else ""; From c26de115510a0921057356a984d466cf19ba80f6 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Aug 2016 19:19:02 +0000 Subject: [PATCH 532/603] linuxPackages.perf: fix build with new glibc and remove hack elfutils now adds a eu- prefix to avoid collisions --- pkgs/os-specific/linux/kernel/perf.nix | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/perf.nix b/pkgs/os-specific/linux/kernel/perf.nix index d1544cc17f1..4b1120afa4e 100644 --- a/pkgs/os-specific/linux/kernel/perf.nix +++ b/pkgs/os-specific/linux/kernel/perf.nix 
@@ -25,18 +25,15 @@ stdenv.mkDerivation { # binutils is required for libbfd. nativeBuildInputs = [ asciidoc xmlto docbook_xsl docbook_xml_dtd_45 libxslt flex bison libiberty ]; - buildInputs = [ python perl newt slang pkgconfig libunwind binutils zlib ] ++ + buildInputs = [ elfutils python perl newt slang pkgconfig libunwind binutils zlib ] ++ stdenv.lib.optional withGtk gtk; # Note: we don't add elfutils to buildInputs, since it provides a # bad `ld' and other stuff. - NIX_CFLAGS_COMPILE = "-I${elfutils}/include -Wno-error=cpp -Wno-error=bool-compare"; - NIX_CFLAGS_LINK = "-L${elfutils}/lib"; + NIX_CFLAGS_COMPILE = "-Wno-error=cpp -Wno-error=bool-compare -Wno-error=deprecated-declarations"; installFlags = "install install-man ASCIIDOC8=1"; - inherit elfutils; - crossAttrs = { /* I don't want cross-python or cross-perl - I don't know if cross-python even works */ From 8cd050f6ba08dfe93c3f1b638e222f59a5b428d5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Aug 2016 19:23:42 +0000 Subject: [PATCH 533/603] rpm: remove hack elfutils now adds a eu- prefix to avoid collisions --- pkgs/tools/package-management/rpm/default.nix | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/pkgs/tools/package-management/rpm/default.nix b/pkgs/tools/package-management/rpm/default.nix index c0a4f7f693d..f4a7273d8cc 100644 --- a/pkgs/tools/package-management/rpm/default.nix +++ b/pkgs/tools/package-management/rpm/default.nix 
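Review bot: The context comment `# Note: we don't add elfutils to buildInputs, since it provides a bad \`ld' and other stuff.` is now false, because the changed line directly above it adds elfutils to buildInputs. The commit message explains that elfutils now prefixes its tools with eu- so the collision is gone; that explanation belongs in the file in place of the stale note, e.g. `# elfutils binaries are eu-prefixed now, so it can sit in buildInputs without shadowing ld`. The rpm hunk in the next commit removes its copy of the same note, so only this one is left behind. The mkDerivation attribute set continues outside the hunk.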
@@ -11,13 +11,9 @@ stdenv.mkDerivation rec { buildInputs = [ cpio zlib bzip2 file libarchive nspr nss db xz python lua pkgconfig autoreconfHook ]; # rpm/rpmlib.h includes popt.h, and then the pkg-config file mentions these as linkage requirements - propagatedBuildInputs = [ popt nss db bzip2 libarchive ]; + propagatedBuildInputs = [ popt elfutils nss db bzip2 libarchive ]; - # Note: we don't add elfutils to buildInputs, since it provides a - # bad `ld' and other stuff. - NIX_CFLAGS_COMPILE = "-I${nspr.dev}/include/nspr -I${nss.dev}/include/nss -I${elfutils}/include"; - - NIX_CFLAGS_LINK = "-L${elfutils}/lib"; + NIX_CFLAGS_COMPILE = "-I${nspr.dev}/include/nspr -I${nss.dev}/include/nss"; postPatch = '' # For Python3, the original expression evaluates as 'python3.4' but we want 'python3.4m' here From b59df0f871892981cdb77ee26296601b6efd2173 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Aug 2016 19:26:55 +0000 Subject: [PATCH 534/603] rpm: remove hack elfutils now adds a eu- prefix to avoid collisions and has now therefore been added to rpm as propagatedBuildInput --- pkgs/tools/misc/rpm-ostree/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/tools/misc/rpm-ostree/default.nix b/pkgs/tools/misc/rpm-ostree/default.nix index 997d8279e04..f96e70650b7 100644 --- a/pkgs/tools/misc/rpm-ostree/default.nix +++ b/pkgs/tools/misc/rpm-ostree/default.nix @@ -20,8 +20,6 @@ in stdenv.mkDerivation rec { sha256 = "19jvnmy9zinx0j5nvy3h5abfv9d988kvyza09gljx16gll8qkbbf"; }; - NIX_CFLAGS_LINK = "-L${elfutils}/lib"; - buildInputs = [ which autoconf automake pkgconfig libtool libcap ostree rpm glib libgsystem json_glib libarchive libhif librepo gtk_doc libxslt docbook_xsl docbook_xml_dtd_42 From 237320190e8efacbb84f3a2b22dbb45f8073b22c Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Wed, 24 Aug 2016 17:33:49 +0200 Subject: [PATCH 535/603] haskellPackages.git-annex: fix hash --- pkgs/development/haskell-modules/configuration-common.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 6af3d16c35a..b84307a9dbf 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -44,7 +44,7 @@ self: super: { src = pkgs.fetchFromGitHub { owner = "joeyh"; repo = "git-annex"; - sha256 = "1b4yw305h7ca28x8s2jnkcc9cwn3rygnjyarib33dk4z066lsg7s"; + sha256 = "1frdld9kgnfd4ll8yx086lwmbqxa5k56y567qw2zy9kz1iiz2fpi"; rev = drv.version; }; })).override { From d5189fb7addb648a98105a59747116b737f2220a Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 24 Aug 2016 20:04:09 +0200 Subject: [PATCH 536/603] lxc: 2.0.3 -> 2.0.4, fixes hardened build --- pkgs/os-specific/linux/lxc/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/lxc/default.nix b/pkgs/os-specific/linux/lxc/default.nix index f15f72ca5bc..aad73844a66 100644 --- a/pkgs/os-specific/linux/lxc/default.nix +++ b/pkgs/os-specific/linux/lxc/default.nix @@ -12,11 +12,11 @@ in with stdenv.lib; stdenv.mkDerivation rec { name = "lxc-${version}"; - version = "2.0.3"; + version = "2.0.4"; src = fetchurl { url = "https://linuxcontainers.org/downloads/lxc/lxc-${version}.tar.gz"; - sha256 = "1mp83r1v9bcxjl7a441sm6plipj8aglhnmkxczp3jinlrnh41pw2"; + sha256 = "10lm7vfw4j7arcynmgyjqd8v2fqn7spbablj42j26kmzljcydj8l"; }; nativeBuildInputs = [ From e74edb35a913bf5c57d786fae08749a278dc4dd5 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 24 Aug 2016 20:04:38 +0200 Subject: [PATCH 537/603] mstflint: 3.7.0-1.18 -> 4.4.0-1.12 --- pkgs/tools/misc/mstflint/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/pkgs/tools/misc/mstflint/default.nix b/pkgs/tools/misc/mstflint/default.nix index 32953483daa..1d1ff991f3b 100644 --- a/pkgs/tools/misc/mstflint/default.nix +++ b/pkgs/tools/misc/mstflint/default.nix @@ -1,11 +1,11 @@ { stdenv, fetchurl, zlib, libibmad }: -stdenv.mkDerivation { - name = "mstflint-3.7.0-1.18"; +stdenv.mkDerivation rec { + name = "mstflint-4.4.0-1.12.gd1edd58"; src = fetchurl { - url = "https://www.openfabrics.org/downloads/mstflint/mstflint-3.7.0-1.18.gcdb9f80.tar.gz"; - sha256 = "10x4l3i58ynnni18i8qq1gfbqd2028r4jd3frshiwrl9yrj7sxn2"; + url = "https://www.openfabrics.org/downloads/mstflint/${name}.tar.gz"; + sha256 = "0kg33i5s5zdc7kigww62r0b824zfw06r757fl6jwrq7lj91j0380"; }; buildInputs = [ zlib libibmad ]; From 06a5aaacabd1f1d0a47345b12b29ef4eb6c16207 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 24 Aug 2016 20:09:17 +0200 Subject: [PATCH 538/603] ttyrec: fix build --- pkgs/tools/misc/ttyrec/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/misc/ttyrec/default.nix b/pkgs/tools/misc/ttyrec/default.nix index 63b91adb493..a836a2a0d0e 100644 --- a/pkgs/tools/misc/ttyrec/default.nix +++ b/pkgs/tools/misc/ttyrec/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { patches = [ ./clang-fixes.patch ]; - makeFlags = [] + makeFlags = [ "CFLAGS=-DSVR4" ] ++ stdenv.lib.optional stdenv.cc.isClang "CC=clang"; installPhase = '' From a30bf645f2a83612e02bfda27414d08caeb1d546 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 24 Aug 2016 20:45:30 +0200 Subject: [PATCH 539/603] sinit: 0.9.2 -> 1.0, fix glibc static linking --- pkgs/os-specific/linux/sinit/default.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/sinit/default.nix b/pkgs/os-specific/linux/sinit/default.nix index 783e5fa2063..0c56a21d6c1 100644 --- a/pkgs/os-specific/linux/sinit/default.nix +++ b/pkgs/os-specific/linux/sinit/default.nix 
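Review bot: In the ttyrec hunk, `makeFlags = [ "CFLAGS=-DSVR4" ]` passes CFLAGS on the make command line, which replaces any CFLAGS the Makefile defines (optimisation, warnings) rather than adding to them; I cannot see the Makefile, so whether anything is lost is unverified. If the intent is only to add the define, `NIX_CFLAGS_COMPILE = "-DSVR4";` reaches the compiler through the stdenv wrapper without overriding the Makefile's own flags. The hardening flags come from the wrapper and are unaffected by either form.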
@@ -3,13 +3,14 @@ let s = # Generated upstream information rec { baseName="sinit"; - version="0.9.2"; + version="1.0"; name="${baseName}-${version}"; url="http://git.suckless.org/sinit/"; - sha256="0nncyzwnszwlqcvx1jf42rn1n2dd5vcxkndqb1b546pgpifniivp"; + sha256="0cf8yylgrrj1wxm5v6jdlbnxpx97m38yxrc9nmv1l8hldjqsj9pc"; rev = "refs/tags/v${version}"; }; buildInputs = [ + stdenv.glibc.static ]; in stdenv.mkDerivation { From 1bb15303cab41ef6ade059e50dd18b4b239c1897 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 24 Aug 2016 20:48:02 +0200 Subject: [PATCH 540/603] prelink: fix glibc static linking --- pkgs/development/tools/misc/prelink/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/tools/misc/prelink/default.nix b/pkgs/development/tools/misc/prelink/default.nix index 15abc1f48c1..b6645991c7b 100644 --- a/pkgs/development/tools/misc/prelink/default.nix +++ b/pkgs/development/tools/misc/prelink/default.nix @@ -6,7 +6,7 @@ in stdenv.mkDerivation rec { name = "prelink-${version}"; - buildInputs = [ libelf ]; + buildInputs = [ libelf stdenv.glibc stdenv.glibc.static ]; src = fetchurl { url = "http://people.redhat.com/jakub/prelink/prelink-${version}.tar.bz2"; From 15a1c8a6a8829bf3bb65d1e75dc1145aa5fe63b9 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 24 Aug 2016 20:53:12 +0200 Subject: [PATCH 541/603] sam-ba: disable build for i686-linux --- pkgs/tools/misc/sam-ba/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/misc/sam-ba/default.nix b/pkgs/tools/misc/sam-ba/default.nix index 1b7315ebedf..cca18007c58 100644 --- a/pkgs/tools/misc/sam-ba/default.nix +++ b/pkgs/tools/misc/sam-ba/default.nix 
@@ -45,7 +45,7 @@ stdenv.mkDerivation rec { homepage = "http://www.at91.com/linux4sam/bin/view/Linux4SAM/SoftwareTools"; # License in /doc/readme.txt license = "BSD-like (partly binary-only)"; # according to Buildroot - platforms = [ "i686-linux" "x86_64-linux" ]; + platforms = [ "x86_64-linux" ]; # patchelf fails on i686-linux maintainers = [ maintainers.bjornfor ]; }; } From 6be25ae545bdef2536afb244b0063ee59e942237 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 24 Aug 2016 21:06:51 +0200 Subject: [PATCH 542/603] partclone: stable -> 0.2.89, cleanups --- pkgs/tools/backup/partclone/default.nix | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/pkgs/tools/backup/partclone/default.nix b/pkgs/tools/backup/partclone/default.nix index 9aea0c80c6f..6bac8884ab4 100644 --- a/pkgs/tools/backup/partclone/default.nix +++ b/pkgs/tools/backup/partclone/default.nix @@ -1,21 +1,22 @@ -{stdenv, fetchFromGitHub -, pkgconfig, libuuid -, e2fsprogs, automake, autoconf +{ stdenv, fetchFromGitHub, autoreconfHook +, pkgconfig, libuuid, e2fsprogs }: -stdenv.mkDerivation { - name = "partclone-stable"; - enableParallelBuilding = true; + +stdenv.mkDerivation rec { + name = "partclone-${version}"; + version = "0.2.89"; src = fetchFromGitHub { owner = "Thomas-Tsai"; repo = "partclone"; - rev = "stable"; - sha256 = "0q3brjmnldpr89nhbiajxg3gncz0nagc34n7q2723lpz7bn28w3z"; + rev = version; + sha256 = "0gw47pchqshhm00yf34qgxh6bh2jfryv0sm7ghwn77bv5gzwr481"; }; - buildInputs = [e2fsprogs pkgconfig libuuid automake autoconf]; + nativeBuildInputs = [ autoreconfHook pkgconfig ]; + buildInputs = [ e2fsprogs libuuid stdenv.glibc stdenv.glibc.static ]; - installPhase = ''make INSTPREFIX=$out install''; + enableParallelBuilding = true; meta = { description = "Utilities to save and restore used blocks on a partition"; From f29214caed21438df6b4d961856ca3fcc4ec6e1b Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Wed, 24 Aug 2016 21:27:51 +0200 Subject: [PATCH 543/603] plotutils: disable failing test on i686 --- pkgs/tools/graphics/plotutils/default.nix | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/pkgs/tools/graphics/plotutils/default.nix b/pkgs/tools/graphics/plotutils/default.nix index abcbabea596..47cf0a60c2f 100644 --- a/pkgs/tools/graphics/plotutils/default.nix +++ b/pkgs/tools/graphics/plotutils/default.nix @@ -13,7 +13,12 @@ stdenv.mkDerivation rec { sha256 = "1arkyizn5wbgvbh53aziv3s6lmd3wm9lqzkhxb3hijlp1y124hjg"; }; - buildInputs = [libpng]; + buildInputs = [ libpng ]; + + # disable failing test on i686 + prePatch = stdenv.lib.optionalString stdenv.isi686 '' + substituteInPlace test/Makefile.in --replace 'spline.test' ' ' + ''; patches = map fetchurl (import ./debian-patches.nix); @@ -45,9 +50,7 @@ stdenv.mkDerivation rec { homepage = http://www.gnu.org/software/plotutils/; license = stdenv.lib.licenses.gpl2Plus; - maintainers = [ - stdenv.lib.maintainers.marcweber - ]; + maintainers = [ stdenv.lib.maintainers.marcweber ]; platforms = stdenv.lib.platforms.gnu; }; } From 35d836660f50ce1dad06fbd07cf5c4d2fa969780 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 24 Aug 2016 21:42:08 +0200 Subject: [PATCH 544/603] memcached: disable treating warnings as errors on darwin PIE hardening is not available on darwin but it's just a warning. --- pkgs/servers/memcached/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/memcached/default.nix b/pkgs/servers/memcached/default.nix index 5e4edd0b032..72b12d5aad5 100644 --- a/pkgs/servers/memcached/default.nix +++ b/pkgs/servers/memcached/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { hardeningEnable = [ "pie" ]; + NIX_CFLAGS_COMPILE = stdenv.lib.optionalString stdenv.isDarwin "-Wno-error"; + meta = with stdenv.lib; { description = "A distributed memory object caching system"; repositories.git = https://github.com/memcached/memcached.git; 
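Review bot: In the plotutils -13 hunk, the prePatch blanks spline.test out of test/Makefile.in on i686 and records only that it fails, not how; a numerical difference (a common i686 cause, though unverified here) is a different situation from a crash, and a later reader cannot tell which. A comment such as `# spline.test fails on i686: <observed error or diff> — TODO investigate` would let someone re-enable it deliberately. Also, substituteInPlace is a plain string replacement, so if `spline.test` appears more than once in the file every occurrence is blanked, not just the test-list entry.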
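Review bot: In the memcached hunk, `NIX_CFLAGS_COMPILE = stdenv.lib.optionalString stdenv.isDarwin "-Wno-error";` turns off every warning-as-error on Darwin to silence one diagnostic about PIE, which also hides any future warning the package's own -Werror was meant to catch. If the diagnostic comes from requesting pie where it is unsupported, making the request conditional is narrower: `hardeningEnable = stdenv.lib.optional (!stdenv.isDarwin) "pie";` and the NIX_CFLAGS_COMPILE line can go. If the warning is emitted regardless, at least quote its text in a comment so the blanket flag can be replaced by the specific `-Wno-error=<diagnostic>` later.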
From d8679e49576e0e4764042a596bbbe5c3688f7ada Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Aug 2016 19:35:08 +0000 Subject: [PATCH 545/603] easyrsa: use autoreconfHook --- pkgs/tools/networking/easyrsa/2.x.nix | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/pkgs/tools/networking/easyrsa/2.x.nix b/pkgs/tools/networking/easyrsa/2.x.nix index 493243cf81c..b33034515fb 100644 --- a/pkgs/tools/networking/easyrsa/2.x.nix +++ b/pkgs/tools/networking/easyrsa/2.x.nix @@ -1,5 +1,5 @@ -{ stdenv, fetchurl, autoconf, automake111x, makeWrapper -, gnugrep, openssl}: +{ stdenv, fetchurl, autoreconfHook, makeWrapper +, gnugrep, openssl }: stdenv.mkDerivation rec { name = "easyrsa-2.2.0"; @@ -9,20 +9,12 @@ stdenv.mkDerivation rec { sha256 = "1xq4by5frb6ikn53ss3y8v7ss639dccxfq8jfrbk07ynkmk668qk"; }; - # Copy missing files and autoreconf - preConfigure = '' - cp ${automake111x}/share/automake/install-sh . - cp ${automake111x}/share/automake/missing . - - autoreconf - ''; - preBuild = '' mkdir -p $out/share/easy-rsa ''; - nativeBuildInputs = [ autoconf makeWrapper automake111x ]; - buildInputs = [ gnugrep openssl]; + nativeBuildInputs = [ autoreconfHook makeWrapper ]; + buildInputs = [ gnugrep openssl ]; # Make sane defaults and patch default config vars postInstall = '' From c4ba389a9faad46fe24b0969bf26fff1d29e7e8e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Aug 2016 20:03:09 +0000 Subject: [PATCH 546/603] ibus-engines.m17n: use autoreconfHook --- .../tools/inputmethods/ibus-engines/ibus-m17n/default.nix | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/pkgs/tools/inputmethods/ibus-engines/ibus-m17n/default.nix b/pkgs/tools/inputmethods/ibus-engines/ibus-m17n/default.nix index 81bfffb2546..2dbab712955 100644 --- a/pkgs/tools/inputmethods/ibus-engines/ibus-m17n/default.nix +++ b/pkgs/tools/inputmethods/ibus-engines/ibus-m17n/default.nix 
@@ -1,5 +1,5 @@ { stdenv, fetchFromGitHub -, automake, autoconf, libtool, pkgconfig +, autoreconfHook, pkgconfig , ibus, m17n_lib, m17n_db, gettext, python3, pygobject3 }: @@ -19,11 +19,7 @@ stdenv.mkDerivation rec { python3 pygobject3 ]; - nativeBuildInputs = [ automake autoconf libtool pkgconfig ]; - - preConfigure = '' - autoreconf --verbose --force --install - ''; + nativeBuildInputs = [ autoreconfHook pkgconfig ]; meta = with stdenv.lib; { isIbusEngine = true; From cc69ea38a55e0b032b1c2059ab6af9baf8ed5293 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Aug 2016 20:15:59 +0000 Subject: [PATCH 547/603] Revert "crawl: fix build with multiple outputs" This reverts commit 5d51614620e5a891a185f155462106712ac922cc. Fixed on master already --- pkgs/games/crawl/crawl_purify.patch | 2 +- pkgs/games/crawl/default.nix | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/pkgs/games/crawl/crawl_purify.patch b/pkgs/games/crawl/crawl_purify.patch index eaff3d74b98..bae82bebfb7 100644 --- a/pkgs/games/crawl/crawl_purify.patch +++ b/pkgs/games/crawl/crawl_purify.patch @@ -7,7 +7,7 @@ index b7e2fbf..5ff23db 100644 ifndef CROSSHOST - SQLITE_INCLUDE_DIR := /usr/include -+ SQLITE_INCLUDE_DIR := @sqliteDev@/include ++ SQLITE_INCLUDE_DIR := ${sqlite.dev}/include else # This is totally wrong, works only with some old-style setups, and # on some architectures of Debian/new FHS multiarch -- excluding, for diff --git a/pkgs/games/crawl/default.nix b/pkgs/games/crawl/default.nix index 18eb50b2815..edaa3ef1fcc 100644 --- a/pkgs/games/crawl/default.nix +++ b/pkgs/games/crawl/default.nix 
@@ -30,12 +30,10 @@ stdenv.mkDerivation rec { patchShebangs $i done patchShebangs util/gen-mi-enum - substituteInPlace Makefile \ - --subst-var-by sqliteDev ${sqlite.dev} ''; makeFlags = [ "prefix=$(out)" "FORCE_CC=gcc" "FORCE_CXX=g++" "HOSTCXX=g++" - "SAVEDIR=~/.crawl" ] + "SAVEDIR=~/.crawl" "sqlite=${sqlite.dev}" ] ++ stdenv.lib.optionals tileMode [ "TILES=y" "dejavu_fonts=${dejavu_fonts}" ]; postInstall = if tileMode then "mv $out/bin/crawl $out/bin/crawl-tiles" else ""; From 4370f487fa9f126490a34769e8f83e5bd65e88f8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Aug 2016 21:06:43 +0000 Subject: [PATCH 548/603] ddccontrol: use autoreconfHook and fix for newer automake --- pkgs/tools/misc/ddccontrol/automake.patch | 14 ++++++++ pkgs/tools/misc/ddccontrol/default.nix | 39 ++++++----------------- 2 files changed, 23 insertions(+), 30 deletions(-) create mode 100644 pkgs/tools/misc/ddccontrol/automake.patch diff --git a/pkgs/tools/misc/ddccontrol/automake.patch b/pkgs/tools/misc/ddccontrol/automake.patch new file mode 100644 index 00000000000..a890654ca7c --- /dev/null +++ b/pkgs/tools/misc/ddccontrol/automake.patch @@ -0,0 +1,14 @@ +diff --git a/src/gnome-ddcc-applet/Makefile.am b/src/gnome-ddcc-applet/Makefile.am +index d85ff56..b13e74c 100644 +--- a/src/gnome-ddcc-applet/Makefile.am ++++ b/src/gnome-ddcc-applet/Makefile.am +@@ -6,7 +6,8 @@ DDCC_LDADD = ../lib/libddccontrol.la + + EXTRA_DIST = GNOME_ddcc-applet.server.in.in GNOME_ddcc-applet.xml + +-pkglib_PROGRAMS = ddcc-applet ++programfilesdir = $(pkglibdir) ++programfiles_PROGRAMS = ddcc-applet + ddcc_applet_SOURCES = ddcc-applet.c ddcc-applet.h + + ddcc_applet_LDADD = $(GNOME_LDFLAGS) $(DDCC_LDADD) diff --git a/pkgs/tools/misc/ddccontrol/default.nix b/pkgs/tools/misc/ddccontrol/default.nix index 132707106af..fb11a3b8756 100644 --- a/pkgs/tools/misc/ddccontrol/default.nix +++ b/pkgs/tools/misc/ddccontrol/default.nix 
@@ -1,16 +1,5 @@ -{ stdenv -, fetchurl -, intltool -, libtool -, autoconf -, automake110x -, perl -, perlPackages -, libxml2 -, pciutils -, pkgconfig -, gtk -, ddccontrol-db +{ stdenv, fetchurl, autoreconfHook, intltool, perl, perlPackages, libxml2 +, pciutils, pkgconfig, gtk, ddccontrol-db }: let version = "0.4.2"; in @@ -22,20 +11,13 @@ stdenv.mkDerivation { sha1 = "fd5c53286315a61a18697a950e63ed0c8d5acff1"; }; - buildInputs = - [ - intltool - libtool - autoconf - automake110x - perl - perlPackages.libxml_perl - libxml2 - pciutils - pkgconfig - gtk - ddccontrol-db - ]; + nativeBuildInputs = [ autoreconfHook intltool pkgconfig ]; + + buildInputs = [ + perl perlPackages.libxml_perl libxml2 pciutils gtk ddccontrol-db + ]; + + patches = [ ./automake.patch ]; hardeningDisable = [ "format" ]; @@ -47,9 +29,6 @@ stdenv.mkDerivation { sed "s/$oldPath/$newPath/" configure.ac rm configure.ac.old ''; - preConfigure = '' - autoreconf --install - ''; meta = with stdenv.lib; { description = "A program used to control monitor parameters by software"; From 423e67b299c3e06d1bf7c4067f5a26ffa706e775 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Aug 2016 21:07:59 +0000 Subject: [PATCH 549/603] automake110x: remove unused package --- .../tools/misc/automake/automake-1.10.x.nix | 47 ------------------- pkgs/top-level/all-packages.nix | 2 - 2 files changed, 49 deletions(-) delete mode 100644 pkgs/development/tools/misc/automake/automake-1.10.x.nix diff --git a/pkgs/development/tools/misc/automake/automake-1.10.x.nix b/pkgs/development/tools/misc/automake/automake-1.10.x.nix deleted file mode 100644 index 2d9937bc48c..00000000000 --- a/pkgs/development/tools/misc/automake/automake-1.10.x.nix +++ /dev/null 
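Review bot: In the -22 hunk the context line `sha1 = "fd5c53286315a61a18697a950e63ed0c8d5acff1";` still pins the ddccontrol source by SHA-1 while every other fetch in this series pins with sha256; SHA-1 is no longer considered collision-resistant, and since this commit already reworks the inputs of the same derivation it is the right moment to switch. Replace it with `sha256 = "<sha256 of the same tarball, computed at update time>";` so the source check matches the rest of the tree. The new `patches = [ ./automake.patch ]` and the move to nativeBuildInputs look fine.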
@@ -1,47 +0,0 @@ -{ stdenv, fetchurl, perl, autoconf, makeWrapper }: - -stdenv.mkDerivation rec { - name = "automake-1.10.3"; - - # TODO: Remove the `aclocal' wrapper when $ACLOCAL_PATH support is - # available upstream; see - # . - builder = ./builder.sh; - - setupHook = ./setup-hook.sh; - - src = fetchurl { - url = "mirror://gnu/automake/${name}.tar.gz"; - sha256 = "fda9b22ec8705780c8292510b3376bb45977f45a4f7eb3578c5ad126d7758028"; - }; - - buildInputs = [perl autoconf makeWrapper]; - - # Disable indented log output from Make, otherwise "make.test" will - # fail. - preCheck = "unset NIX_INDENT_MAKE"; - - # Don't fixup "#! /bin/sh" in Libtool, otherwise it will use the - # "fixed" path in generated files! - dontPatchShebangs = true; - - # Run the test suite in parallel. - enableParallelBuilding = true; - - meta = { - branch = "1.10"; - homepage = http://www.gnu.org/software/automake/; - description = "GNU standard-compliant makefile generator"; - - longDescription = '' - GNU Automake is a tool for automatically generating - `Makefile.in' files compliant with the GNU Coding - Standards. Automake requires the use of Autoconf. - ''; - - license = stdenv.lib.licenses.gpl2Plus; - - maintainers = [ ]; - platforms = stdenv.lib.platforms.unix; - }; -} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 1afd5c6e4cf..ff421bd6c79 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -6128,8 +6128,6 @@ in automake = self.automake115x; - automake110x = callPackage ../development/tools/misc/automake/automake-1.10.x.nix { }; - automake111x = callPackage ../development/tools/misc/automake/automake-1.11.x.nix { }; automake112x = callPackage ../development/tools/misc/automake/automake-1.12.x.nix { }; From bd739d1fae0bcae3d61e6ab8266ca40773f63a6f Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Thu, 25 Aug 2016 00:35:52 +0200 Subject: [PATCH 550/603] pypy: disable pic hardening on i686 --- pkgs/development/interpreters/python/pypy/2.7/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/interpreters/python/pypy/2.7/default.nix b/pkgs/development/interpreters/python/pypy/2.7/default.nix index 2e54e953e67..76464d5412e 100644 --- a/pkgs/development/interpreters/python/pypy/2.7/default.nix +++ b/pkgs/development/interpreters/python/pypy/2.7/default.nix @@ -36,6 +36,8 @@ let ++ stdenv.lib.optional (stdenv ? cc && stdenv.cc.libc != null) stdenv.cc.libc ++ stdenv.lib.optional zlibSupport zlib; + hardeningDisable = stdenv.lib.optional stdenv.isi686 "pic"; + C_INCLUDE_PATH = stdenv.lib.makeSearchPathOutput "dev" "include" buildInputs; LIBRARY_PATH = stdenv.lib.makeLibraryPath buildInputs; LD_LIBRARY_PATH = stdenv.lib.makeLibraryPath (stdenv.lib.filter (x : x.outPath != stdenv.cc.libc.outPath or "") buildInputs); From 3ce7b77517adbfe28be345df45e397401bd4310f Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 25 Aug 2016 01:14:18 +0200 Subject: [PATCH 551/603] libnl: 3.2.27 -> 3.2.28 --- pkgs/os-specific/linux/libnl/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/os-specific/linux/libnl/default.nix b/pkgs/os-specific/linux/libnl/default.nix index 6e5c63a2722..7e6fd1d1990 100644 --- a/pkgs/os-specific/linux/libnl/default.nix +++ b/pkgs/os-specific/linux/libnl/default.nix @@ -1,12 +1,12 @@ { stdenv, fetchFromGitHub, autoreconfHook, bison, flex, pkgconfig }: -let version = "3.2.27"; in +let version = "3.2.28"; in stdenv.mkDerivation { name = "libnl-${version}"; src = fetchFromGitHub { - sha256 = "1rc8plgl2ijq2pwlzinpfr06kiggjyx71r3lw505m6rvxvdac82r"; - rev = "libnl3_2_27"; + sha256 = "02cm57z4h7rhjlxza07zhk02924acfz6m5gbmm5lbkkp6qh81328"; + rev = "libnl3_2_28"; repo = "libnl"; owner = "thom311"; }; From 9de5d8ff0f0f66f14079d44a25485bc658e0322e Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Thu, 25 Aug 2016 01:06:22 +0200 Subject: [PATCH 552/603] libseccomp: 2.3.0 -> 2.3.1 --- pkgs/development/libraries/libseccomp/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/libseccomp/default.nix b/pkgs/development/libraries/libseccomp/default.nix index e30271aaa38..a086ae890bd 100644 --- a/pkgs/development/libraries/libseccomp/default.nix +++ b/pkgs/development/libraries/libseccomp/default.nix @@ -1,13 +1,13 @@ { stdenv, fetchurl, getopt }: -let version = "2.3.0"; in +let version = "2.3.1"; in stdenv.mkDerivation rec { name = "libseccomp-${version}"; src = fetchurl { url = "https://github.com/seccomp/libseccomp/releases/download/v${version}/libseccomp-${version}.tar.gz"; - sha256 = "07chdgr87aayn6sjm94y6gisl4j6si1hr9cqhs09l9bqfnky6mnp"; + sha256 = "0asnlkzqms520r0dra08dzcz5hh6hs7lkajfw9wij3vrd0hxsnzz"; }; buildInputs = [ getopt ]; From f0f95d03cad3632c7bde3e5136f1b4b8bce44f19 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 25 Aug 2016 01:02:50 +0200 Subject: [PATCH 553/603] utillinux: 2.28 -> 2.28.1 --- pkgs/os-specific/linux/util-linux/default.nix | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix index 5c3a0d78d99..4d4a22fc720 100644 --- a/pkgs/os-specific/linux/util-linux/default.nix +++ b/pkgs/os-specific/linux/util-linux/default.nix 
@@ -2,11 +2,14 @@ stdenv.mkDerivation rec { name = "util-linux-${version}"; - version = "2.28"; + version = stdenv.lib.concatStringsSep "." ([ majorVersion ] + ++ stdenv.lib.optional (patchVersion != "") patchVersion); + majorVersion = "2.28"; + patchVersion = "1"; src = fetchurl { - url = "mirror://kernel/linux/utils/util-linux/v${version}/${name}.tar.xz"; - sha256 = "1fql204qn3098j34yd358l85ffp7a4kqjf7jf1qk2b4al7i4fn1r"; + url = "mirror://kernel/linux/utils/util-linux/v${majorVersion}/${name}.tar.xz"; + sha256 = "03xnaw3c7pavxvvh1vnimcr44hlhhf25whawiyv8dxsflfj4xkiy"; }; patches = [ From 447207d21d63e285dccdb992751a5e72f339e3e0 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 25 Aug 2016 00:46:56 +0200 Subject: [PATCH 554/603] gnupg: 2.1.14 -> 2.1.15 --- pkgs/tools/security/gnupg/21.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/security/gnupg/21.nix b/pkgs/tools/security/gnupg/21.nix index 418f622fafd..cb0f8590ce3 100644 --- a/pkgs/tools/security/gnupg/21.nix +++ b/pkgs/tools/security/gnupg/21.nix @@ -15,11 +15,11 @@ assert x11Support -> pinentry != null; stdenv.mkDerivation rec { name = "gnupg-${version}"; - version = "2.1.14"; + version = "2.1.15"; src = fetchurl { url = "mirror://gnupg/gnupg/${name}.tar.bz2"; - sha256 = "0hmsiscpdpdqd8kcjpzkz2gzcc3cnrvswk9p1jzi4sivd7lxwl4l"; + sha256 = "1pgz02gd84ab94w4xdg67p9z8kvkyr9d523bvcxxd2hviwh1m362"; }; buildInputs = [ From df275f5b856501e980fe41d9de2d9a8558bdfce3 Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Thu, 25 Aug 2016 02:49:43 +0200 Subject: [PATCH 555/603] treewide: fix darwin builds by referring to stdenv's libc --- pkgs/applications/networking/ike/default.nix | 2 +- pkgs/applications/science/logic/boolector/default.nix | 2 +- pkgs/development/tools/misc/prelink/default.nix | 2 +- pkgs/os-specific/linux/busybox/default.nix | 2 +- pkgs/os-specific/linux/sinit/default.nix | 2 +- pkgs/tools/backup/partclone/default.nix | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/pkgs/applications/networking/ike/default.nix b/pkgs/applications/networking/ike/default.nix index 0cd603996c1..a5c21e28c3d 100644 --- a/pkgs/applications/networking/ike/default.nix +++ b/pkgs/applications/networking/ike/default.nix @@ -33,7 +33,7 @@ stdenv.mkDerivation rec { installPhase = '' make install for file in "$out"/bin/* "$out"/sbin/*; do - wrapProgram $file --prefix LD_LIBRARY_PATH ":" "$out/lib:${stdenv.lib.makeLibraryPath [ openssl gcc.cc stdenv.glibc libedit qt4 ]}" + wrapProgram $file --prefix LD_LIBRARY_PATH ":" "$out/lib:${stdenv.lib.makeLibraryPath [ openssl gcc.cc stdenv.cc.libc libedit qt4 ]}" done ''; diff --git a/pkgs/applications/science/logic/boolector/default.nix b/pkgs/applications/science/logic/boolector/default.nix index 52c839130bb..dec7989ae54 100644 --- a/pkgs/applications/science/logic/boolector/default.nix +++ b/pkgs/applications/science/logic/boolector/default.nix @@ -23,7 +23,7 @@ let license = with stdenv.lib.licenses; if useV16 then unfreeRedistributable else gpl3; in stdenv.mkDerivation (boolectorPkg // { - buildInputs = [ zlib stdenv.glibc.static zlib.static ]; + buildInputs = [ zlib stdenv.cc.libc.static zlib.static ]; enableParallelBuilding = false; installPhase = '' diff --git a/pkgs/development/tools/misc/prelink/default.nix b/pkgs/development/tools/misc/prelink/default.nix index b6645991c7b..28b3aba8e5e 100644 --- a/pkgs/development/tools/misc/prelink/default.nix 
+++ b/pkgs/development/tools/misc/prelink/default.nix @@ -6,7 +6,7 @@ in stdenv.mkDerivation rec { name = "prelink-${version}"; - buildInputs = [ libelf stdenv.glibc stdenv.glibc.static ]; + buildInputs = [ libelf stdenv.cc.libc stdenv.cc.libc.static ]; src = fetchurl { url = "http://people.redhat.com/jakub/prelink/prelink-${version}.tar.bz2"; diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix index eaf45745f02..efb06ba845e 100644 --- a/pkgs/os-specific/linux/busybox/default.nix +++ b/pkgs/os-specific/linux/busybox/default.nix @@ -74,7 +74,7 @@ stdenv.mkDerivation rec { makeFlagsArray+=("CC=gcc -isystem ${musl}/include -B${musl}/lib -L${musl}/lib") ''; - buildInputs = lib.optionals (enableStatic && !useMusl) [ glibc glibc.static ]; + buildInputs = lib.optionals (enableStatic && !useMusl) [ stdenv.cc.libc stdenv.cc.libc.static ]; crossAttrs = { extraCrossConfig = '' diff --git a/pkgs/os-specific/linux/sinit/default.nix b/pkgs/os-specific/linux/sinit/default.nix index 0c56a21d6c1..69ffbd61760 100644 --- a/pkgs/os-specific/linux/sinit/default.nix +++ b/pkgs/os-specific/linux/sinit/default.nix @@ -10,7 +10,7 @@ let rev = "refs/tags/v${version}"; }; buildInputs = [ - stdenv.glibc.static + stdenv.cc.libc.static ]; in stdenv.mkDerivation { diff --git a/pkgs/tools/backup/partclone/default.nix b/pkgs/tools/backup/partclone/default.nix index 6bac8884ab4..87c7d61d836 100644 --- a/pkgs/tools/backup/partclone/default.nix +++ b/pkgs/tools/backup/partclone/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { }; nativeBuildInputs = [ autoreconfHook pkgconfig ]; - buildInputs = [ e2fsprogs libuuid stdenv.glibc stdenv.glibc.static ]; + buildInputs = [ e2fsprogs libuuid stdenv.cc.libc stdenv.cc.libc.static ]; enableParallelBuilding = true; From 4f46913bf7eeb536219526d9684cac79ef2485e8 Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Thu, 25 Aug 2016 03:32:09 +0200 Subject: [PATCH 556/603] wraith: disable format hardening --- pkgs/applications/networking/irc/wraith/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/applications/networking/irc/wraith/default.nix b/pkgs/applications/networking/irc/wraith/default.nix index 16346bcf720..add52d85d8b 100644 --- a/pkgs/applications/networking/irc/wraith/default.nix +++ b/pkgs/applications/networking/irc/wraith/default.nix @@ -10,6 +10,7 @@ mkDerivation rec { url = "mirror://sourceforge/wraithbotpack/wraith-v${version}.tar.gz"; sha256 = "0h6liac5y7im0jfm2sj18mibvib7d1l727fjs82irsjj1v9kif3j"; }; + hardeningDisable = [ "format" ]; buildInputs = [ openssl ]; patches = [ ./configure.patch ./dlopen.patch ]; postPatch = '' From 1054399bef7651a29e3e2e3ad304fea8508deb60 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 25 Aug 2016 03:35:57 +0200 Subject: [PATCH 557/603] moltengamepad: disable format hardening --- pkgs/misc/drivers/moltengamepad/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/misc/drivers/moltengamepad/default.nix b/pkgs/misc/drivers/moltengamepad/default.nix index 61d7810c2d4..590441bb6dd 100644 --- a/pkgs/misc/drivers/moltengamepad/default.nix +++ b/pkgs/misc/drivers/moltengamepad/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "05cpxfzxgm86kxx0a9f76bshjwpz9w1g8bn30ib1i5a3fv7bmirl"; }; + hardeningDisable = [ "format" ]; + buildInputs = [ libudev ]; buildPhase = '' From 6324e8ef15c037ce470d203e5ce0d2fc52b626b9 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 25 Aug 2016 04:38:18 +0200 Subject: [PATCH 558/603] stress-ng: 0.06.11 -> 0.06.14, fix i686 build --- pkgs/tools/system/stress-ng/default.nix | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/system/stress-ng/default.nix b/pkgs/tools/system/stress-ng/default.nix index c45cc8a596b..cdc7122fcc4 100644 --- a/pkgs/tools/system/stress-ng/default.nix 
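Review bot: `hardeningDisable = [ "format" ];` silences `-Werror=format-security` for all of wraith without saying which call site tripped it; the package path (applications/networking/irc) suggests an IRC bot whose inputs arrive from the network, which is exactly the situation a non-literal format string warning exists to catch. The flagged printf-style calls should be listed in a comment so they can be audited rather than blanket-silenced, e.g. `# FIXME: -Werror=format-security rejects non-literal format strings in <file>; audit before re-enabling`. If the goal is only to unbreak the build, keeping the warning visible in logs with `NIX_CFLAGS_COMPILE = "-Wno-error=format-security";` (if the wrapper's flag ordering honours it — to be confirmed) would be a narrower change than dropping the check entirely. The enclosing `mkDerivation` attribute set starts outside the hunk.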
+++ b/pkgs/tools/system/stress-ng/default.nix @@ -2,10 +2,10 @@ stdenv.mkDerivation rec { name = "stress-ng-${version}"; - version = "0.06.11"; + version = "0.06.14"; src = fetchurl { - sha256 = "0481aji9hdq8qbslrrc87r2p2pn8jxf913ac8wm5kxj02yqf7ccv"; + sha256 = "06kycxfwkdrm2vs9xk8cb6c1mki29ymrrqwwxxqx4icnwvq135hv"; url = "http://kernel.ubuntu.com/~cking/tarballs/stress-ng/${name}.tar.gz"; }; @@ -15,7 +15,11 @@ stdenv.mkDerivation rec { substituteInPlace Makefile --replace "/usr" "" ''; - enableParallelBuilding = true; + # Won't build on i686 because the binary will be linked again in the + # install phase without checking the dependencies. This will prevent + # triggering the rebuild. Why this only happens on i686 remains a + # mystery, though. :-( + enableParallelBuilding = (!stdenv.isi686); installFlags = [ "DESTDIR=$(out)" ]; From 113fbe910ebc483b140ba60c0dbd0b37f7f623f6 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 25 Aug 2016 04:55:05 +0200 Subject: [PATCH 559/603] spidermonkey_1_8_0rc1: disable pic hardening on i686 --- pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix b/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix index 41d37d3e39a..24ba479186e 100644 --- a/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix +++ b/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { postUnpack = "sourceRoot=\${sourceRoot}/src"; - hardeningDisable = [ "format" ]; + hardeningDisable = [ "format" ] ++ stdenv.lib.optional stdenv.isi686 "pic"; makefileExtra = ./Makefile.extra; makefile = "Makefile.ref"; From eddc0a554900b5868de73971c415bcb0e9c52aec Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Thu, 25 Aug 2016 08:44:20 +0000 Subject: [PATCH 560/603] treewide: fix darwin builds by using getOutput This fixes eval for pkgs referring to optional static output --- pkgs/applications/science/logic/boolector/default.nix | 5 ++++- pkgs/development/tools/misc/prelink/default.nix | 4 +++- pkgs/os-specific/linux/sinit/default.nix | 2 +- pkgs/tools/backup/partclone/default.nix | 5 ++++- 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/pkgs/applications/science/logic/boolector/default.nix b/pkgs/applications/science/logic/boolector/default.nix index dec7989ae54..37d25c9e947 100644 --- a/pkgs/applications/science/logic/boolector/default.nix +++ b/pkgs/applications/science/logic/boolector/default.nix @@ -23,7 +23,10 @@ let license = with stdenv.lib.licenses; if useV16 then unfreeRedistributable else gpl3; in stdenv.mkDerivation (boolectorPkg // { - buildInputs = [ zlib stdenv.cc.libc.static zlib.static ]; + buildInputs = [ + zlib zlib.static (stdenv.lib.getOutput "static" stdenv.cc.libc) + ]; + enableParallelBuilding = false; installPhase = '' diff --git a/pkgs/development/tools/misc/prelink/default.nix b/pkgs/development/tools/misc/prelink/default.nix index 28b3aba8e5e..f2c5208d7ae 100644 --- a/pkgs/development/tools/misc/prelink/default.nix +++ b/pkgs/development/tools/misc/prelink/default.nix @@ -6,7 +6,9 @@ in stdenv.mkDerivation rec { name = "prelink-${version}"; - buildInputs = [ libelf stdenv.cc.libc stdenv.cc.libc.static ]; + buildInputs = [ + libelf stdenv.cc.libc (stdenv.lib.getOutput "static" stdenv.cc.libc) + ]; src = fetchurl { url = "http://people.redhat.com/jakub/prelink/prelink-${version}.tar.bz2"; diff --git a/pkgs/os-specific/linux/sinit/default.nix b/pkgs/os-specific/linux/sinit/default.nix index 69ffbd61760..bf8367fcd45 100644 --- a/pkgs/os-specific/linux/sinit/default.nix +++ b/pkgs/os-specific/linux/sinit/default.nix 
@@ -10,7 +10,7 @@ let rev = "refs/tags/v${version}"; }; buildInputs = [ - stdenv.cc.libc.static + (stdenv.lib.getOutput "static" stdenv.cc.libc) ]; in stdenv.mkDerivation { diff --git a/pkgs/tools/backup/partclone/default.nix b/pkgs/tools/backup/partclone/default.nix index 87c7d61d836..54756a29cd6 100644 --- a/pkgs/tools/backup/partclone/default.nix +++ b/pkgs/tools/backup/partclone/default.nix @@ -14,7 +14,10 @@ stdenv.mkDerivation rec { }; nativeBuildInputs = [ autoreconfHook pkgconfig ]; - buildInputs = [ e2fsprogs libuuid stdenv.cc.libc stdenv.cc.libc.static ]; + buildInputs = [ + e2fsprogs libuuid stdenv.cc.libc + (stdenv.lib.getOutput "static" stdenv.cc.libc) + ]; enableParallelBuilding = true; From 9ed6e8a01dae7ee6cd26cb6068bbf2eb8b8ad4ec Mon Sep 17 00:00:00 2001 From: Lancelot SIX Date: Sat, 20 Aug 2016 21:28:34 +0200 Subject: [PATCH 561/603] gnupg21: Removes previously backported patch fix-gpgsm-linking.patch was backported from gnupg master for 2.1.14. It is included in 2.1.15, making the patch un applicable. Fixes 447207d21d63e285dccdb992751a5e72f339e3e0 --- pkgs/tools/security/gnupg/21.nix | 4 ---- pkgs/tools/security/gnupg/fix-gpgsm-linking.patch | 11 ----------- 2 files changed, 15 deletions(-) delete mode 100644 pkgs/tools/security/gnupg/fix-gpgsm-linking.patch diff --git a/pkgs/tools/security/gnupg/21.nix b/pkgs/tools/security/gnupg/21.nix index cb0f8590ce3..34042d802cc 100644 --- a/pkgs/tools/security/gnupg/21.nix +++ b/pkgs/tools/security/gnupg/21.nix @@ -27,10 +27,6 @@ stdenv.mkDerivation rec { readline libusb gnutls adns openldap zlib bzip2 ]; - # gpgsm-linking is fixed by commit (c49c43d7) in the gnupg master branch; - # fix-gpgsm-linking.patch should be dropped after gnupg 2.1.15 is released - patches = [ ./fix-gpgsm-linking.patch ]; - postPatch = stdenv.lib.optionalString stdenv.isLinux '' sed -i 's,"libpcsclite\.so[^"]*","${pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c ''; #" fix Emacs syntax highlighting :-( 
diff --git a/pkgs/tools/security/gnupg/fix-gpgsm-linking.patch b/pkgs/tools/security/gnupg/fix-gpgsm-linking.patch deleted file mode 100644 index 290d43f5b0d..00000000000 --- a/pkgs/tools/security/gnupg/fix-gpgsm-linking.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/tests/gpgscm/Makefile.in -+++ b/tests/gpgscm/Makefile.in -@@ -457,7 +457,7 @@ - scheme-config.h opdefines.h scheme.c scheme.h scheme-private.h - - gpgscm_LDADD = $(LDADD) $(common_libs) \ -- $(NETLIBS) $(LIBICONV) $(LIBREADLINE) \ -+ $(NETLIBS) $(LIBICONV) $(LIBREADLINE) $(LIBINTL) \ - $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) - - t_child_SOURCES = t-child.c From 0c12ae56158e991c62b83142c44a720d5dd2151e Mon Sep 17 00:00:00 2001 From: Lancelot SIX Date: Fri, 26 Aug 2016 08:51:09 +0200 Subject: [PATCH 562/603] binutils: 2.26.1 -> 2.27 Release announcement at http://lists.gnu.org/archive/html/info-gnu/2016-08/msg00012.html --- pkgs/development/tools/misc/binutils/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix index 93b0b35c815..667a9aa88c8 100644 --- a/pkgs/development/tools/misc/binutils/default.nix +++ b/pkgs/development/tools/misc/binutils/default.nix @@ -2,7 +2,7 @@ , cross ? null, gold ? true, bison ? null }: -let basename = "binutils-2.26.1"; in +let basename = "binutils-2.27"; in with { inherit (stdenv.lib) optional optionals optionalString; }; @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "mirror://gnu/binutils/${basename}.tar.bz2"; - sha256 = "1n4zjibdvqwz63kkzkjdqdp1nh993pn0lml6yyr19yx4gb44dhrr"; + sha256 = "125clslv17xh1sab74343fg6v31msavpmaa1c1394zsqa773g5rn"; }; patches = [ From e39a3237e6a24047304184e3d2da813683992e78 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Fri, 26 Aug 2016 16:36:07 +0200 Subject: [PATCH 563/603] bash: 4.3-p42 -> 4.3-p46 --- pkgs/shells/bash/bash-4.3-patches.nix | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/pkgs/shells/bash/bash-4.3-patches.nix b/pkgs/shells/bash/bash-4.3-patches.nix index f84ac836e94..83743938de3 100644 --- a/pkgs/shells/bash/bash-4.3-patches.nix +++ b/pkgs/shells/bash/bash-4.3-patches.nix @@ -43,4 +43,8 @@ patch: [ (patch "040" "0sypv66vsldmc95gwvf7ylz1k7y37vnvdsjg8ajjr6b2j9mkkfw4") (patch "041" "06ic2gdpbi1afik3wqf9d4vh95if4bz8bmhcgr555621dsb35i2f") (patch "042" "06a90k0p6bqc4wk2dsmapna69124an76xvlnlj3xm497vci968dc") +(patch "043" "1031g97w8gamimb41jr9r2qm7mn10k5mr3sd3y12avml0p0a7a27") +(patch "044" "16bzaq9fs2kaw2n2k6vvljkjw5k5kx06isnq8hxkfrxz60384f4k") +(patch "045" "08q02mj9imp2njpgm6f5q5m61i7qzp33rbxxzarixalyisbw6vms") +(patch "046" "13v8dymwj83wcvrfayjqrs5kqar05bcj4zpiacrjkkchnsk5dd5k") ] From 77473cda6b5f9d7dc72a01df195536b14b2f9b02 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Aug 2016 14:56:03 +0000 Subject: [PATCH 564/603] ghc: add relocation patch for all versions --- pkgs/development/compilers/ghc/7.0.4.nix | 2 +- pkgs/development/compilers/ghc/7.10.2.nix | 2 ++ pkgs/development/compilers/ghc/7.10.3.nix | 1 + pkgs/development/compilers/ghc/7.2.2.nix | 2 +- pkgs/development/compilers/ghc/7.4.2.nix | 2 +- pkgs/development/compilers/ghc/7.6.3.nix | 2 +- pkgs/development/compilers/ghc/7.8.3.nix | 2 ++ pkgs/development/compilers/ghc/7.8.4.nix | 2 ++ pkgs/development/compilers/ghc/8.0.1.nix | 1 + pkgs/development/compilers/ghc/head.nix | 1 + pkgs/development/compilers/ghc/nokinds.nix | 2 ++ .../compilers/ghc/relocation.patch | 19 +++++++++++++++++++ 12 files changed, 34 insertions(+), 4 deletions(-) create mode 100644 pkgs/development/compilers/ghc/relocation.patch diff --git a/pkgs/development/compilers/ghc/7.0.4.nix b/pkgs/development/compilers/ghc/7.0.4.nix index 7442c5ca53c..099f1376c77 100644 --- a/pkgs/development/compilers/ghc/7.0.4.nix +++ b/pkgs/development/compilers/ghc/7.0.4.nix 
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1a9b78d9d66c9c21de6c0932e36bb87406a4856f1611bf83bd44539bdc6ed0ed"; }; - patches = [ ./fix-7.0.4-clang.patch ]; + patches = [ ./fix-7.0.4-clang.patch ./relocation.patch ]; buildInputs = [ ghc perl gmp ncurses ]; diff --git a/pkgs/development/compilers/ghc/7.10.2.nix b/pkgs/development/compilers/ghc/7.10.2.nix index 2e96c999b9e..e384a42a51f 100644 --- a/pkgs/development/compilers/ghc/7.10.2.nix +++ b/pkgs/development/compilers/ghc/7.10.2.nix @@ -29,6 +29,8 @@ stdenv.mkDerivation rec { buildInputs = [ ghc perl libxml2 libxslt docbook_xsl docbook_xml_dtd_45 docbook_xml_dtd_42 hscolour ]; + patches = [ ./relocation.patch ]; + enableParallelBuilding = true; outputs = [ "out" "doc" ]; diff --git a/pkgs/development/compilers/ghc/7.10.3.nix b/pkgs/development/compilers/ghc/7.10.3.nix index c059a89bde3..31cf0b3c8bd 100644 --- a/pkgs/development/compilers/ghc/7.10.3.nix +++ b/pkgs/development/compilers/ghc/7.10.3.nix @@ -23,6 +23,7 @@ stdenv.mkDerivation rec { patches = [ docFixes + ./relocation.patch ./ghc-7.x-dont-pass-linker-flags-via-response-files.patch # https://github.com/NixOS/nixpkgs/issues/10752 ]; diff --git a/pkgs/development/compilers/ghc/7.2.2.nix b/pkgs/development/compilers/ghc/7.2.2.nix index 06f7cb9af2c..31cac49135f 100644 --- a/pkgs/development/compilers/ghc/7.2.2.nix +++ b/pkgs/development/compilers/ghc/7.2.2.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0g87d3z9275dniaqzkf56qfgzp1msd89nqqhhm2gkc6iga072spz"; }; - patches = [ ./fix-7.2.2-clang.patch ]; + patches = [ ./fix-7.2.2-clang.patch ./relocation.patch ]; buildInputs = [ ghc perl gmp ncurses ]; diff --git a/pkgs/development/compilers/ghc/7.4.2.nix b/pkgs/development/compilers/ghc/7.4.2.nix index c74461a064e..63ce7ddfacc 100644 --- a/pkgs/development/compilers/ghc/7.4.2.nix +++ b/pkgs/development/compilers/ghc/7.4.2.nix 
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec { sha256 = "0vc3zmxqi4gflssmj35n5c8idbvyrhd88abi50whbirwlf4i5vpj"; }; - patches = [ ./fix-7.4.2-clang.patch ]; + patches = [ ./fix-7.4.2-clang.patch ./relocation.patch ]; buildInputs = [ ghc perl gmp ncurses ]; diff --git a/pkgs/development/compilers/ghc/7.6.3.nix b/pkgs/development/compilers/ghc/7.6.3.nix index 6ee629cc980..5a933a23aa8 100644 --- a/pkgs/development/compilers/ghc/7.6.3.nix +++ b/pkgs/development/compilers/ghc/7.6.3.nix @@ -17,7 +17,7 @@ in stdenv.mkDerivation rec { sha256 = "1669m8k9q72rpd2mzs0bh2q6lcwqiwd1ax3vrard1dgn64yq4hxx"; }; - patches = [ ./fix-7.6.3-clang.patch ]; + patches = [ ./fix-7.6.3-clang.patch ./relocation.patch ]; buildInputs = [ ghc perl gmp ncurses ]; diff --git a/pkgs/development/compilers/ghc/7.8.3.nix b/pkgs/development/compilers/ghc/7.8.3.nix index 55f8655c700..f631ad92356 100644 --- a/pkgs/development/compilers/ghc/7.8.3.nix +++ b/pkgs/development/compilers/ghc/7.8.3.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "0n5rhwl83yv8qm0zrbaxnyrf8x1i3b6si927518mwfxs96jrdkdh"; }; + patches = [ ./relocation.patch ]; + buildInputs = [ ghc perl gmp ncurses ]; enableParallelBuilding = true; diff --git a/pkgs/development/compilers/ghc/7.8.4.nix b/pkgs/development/compilers/ghc/7.8.4.nix index 6e10b1443c8..f41a1cf7d98 100644 --- a/pkgs/development/compilers/ghc/7.8.4.nix +++ b/pkgs/development/compilers/ghc/7.8.4.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation (rec { sha256 = "1i4254akbb4ym437rf469gc0m40bxm31blp6s1z1g15jmnacs6f3"; }; + patches = [ ./relocation.patch ]; + buildInputs = [ ghc perl gmp ncurses ]; enableParallelBuilding = true; diff --git a/pkgs/development/compilers/ghc/8.0.1.nix b/pkgs/development/compilers/ghc/8.0.1.nix index 8341fca9f42..02a78f60550 100644 --- a/pkgs/development/compilers/ghc/8.0.1.nix +++ b/pkgs/development/compilers/ghc/8.0.1.nix 
@@ -23,6 +23,7 @@ stdenv.mkDerivation rec { patches = [ ./ghc-8.x-dont-pass-linker-flags-via-response-files.patch # https://github.com/NixOS/nixpkgs/issues/10752 + ./relocation.patch # Fix https://ghc.haskell.org/trac/ghc/ticket/12130 (fetchFilteredPatch { url = https://git.haskell.org/ghc.git/patch/4d71cc89b4e9648f3fbb29c8fcd25d725616e265; sha256 = "0syaxb4y4s2dc440qmrggb4vagvqqhb55m6mx12rip4i9qhxl8k0"; }) diff --git a/pkgs/development/compilers/ghc/head.nix b/pkgs/development/compilers/ghc/head.nix index 0f3b57949b7..b214c1feb23 100644 --- a/pkgs/development/compilers/ghc/head.nix +++ b/pkgs/development/compilers/ghc/head.nix @@ -18,6 +18,7 @@ in stdenv.mkDerivation rec { patches = [ ./ghc-7.x-dont-pass-linker-flags-via-response-files.patch # https://github.com/NixOS/nixpkgs/issues/10752 + ./relocation.patch ]; postUnpack = '' diff --git a/pkgs/development/compilers/ghc/nokinds.nix b/pkgs/development/compilers/ghc/nokinds.nix index ca0a78eb0b6..a041ff02f93 100644 --- a/pkgs/development/compilers/ghc/nokinds.nix +++ b/pkgs/development/compilers/ghc/nokinds.nix @@ -38,6 +38,8 @@ stdenv.mkDerivation rec { sha256 = "183l4v6aw52r3ydwl8bxg1lh3cwfakb35rpy6mjg23dqmqsynmcn"; }; + patches = [ ./relocation.patch ]; + postUnpack = '' pushd ghc-${builtins.substring 0 7 rev} echo ${version} >VERSION diff --git a/pkgs/development/compilers/ghc/relocation.patch b/pkgs/development/compilers/ghc/relocation.patch new file mode 100644 index 00000000000..c5b1f6c560d --- /dev/null +++ b/pkgs/development/compilers/ghc/relocation.patch 
@@ -0,0 +1,19 @@ +diff --git a/rts/Linker.c b/rts/Linker.c +--- a/rts/Linker.c ++++ b/rts/Linker.c +@@ -5681,7 +5681,13 @@ + *(Elf64_Sword *)P = (Elf64_Sword)value; + #endif + break; +- ++/* These two relocations were introduced in glibc 2.23 and binutils 2.26. ++ But in order to use them the system which compiles the bindist for GHC needs ++ to have glibc >= 2.23. So only use them if they're defined. */ ++#if defined(R_X86_64_REX_GOTPCRELX) && defined(R_X86_64_GOTPCRELX) ++ case R_X86_64_REX_GOTPCRELX: ++ case R_X86_64_GOTPCRELX: ++#endif + case R_X86_64_GOTPCREL: + { + StgInt64 gotAddress = (StgInt64) &makeSymbolExtra(oc, ELF_R_SYM(info), S)->addr; + From 36e75a2285feaff2e0c00e457e2a308e74a553c9 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Fri, 26 Aug 2016 17:06:45 +0200 Subject: [PATCH 565/603] Revert "bash: 4.3-p42 -> 4.3-p46" This reverts commit e39a3237e6a24047304184e3d2da813683992e78. --- pkgs/shells/bash/bash-4.3-patches.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/pkgs/shells/bash/bash-4.3-patches.nix b/pkgs/shells/bash/bash-4.3-patches.nix index 83743938de3..f84ac836e94 100644 --- a/pkgs/shells/bash/bash-4.3-patches.nix +++ b/pkgs/shells/bash/bash-4.3-patches.nix @@ -43,8 +43,4 @@ patch: [ (patch "040" "0sypv66vsldmc95gwvf7ylz1k7y37vnvdsjg8ajjr6b2j9mkkfw4") (patch "041" "06ic2gdpbi1afik3wqf9d4vh95if4bz8bmhcgr555621dsb35i2f") (patch "042" "06a90k0p6bqc4wk2dsmapna69124an76xvlnlj3xm497vci968dc") -(patch "043" "1031g97w8gamimb41jr9r2qm7mn10k5mr3sd3y12avml0p0a7a27") -(patch "044" "16bzaq9fs2kaw2n2k6vvljkjw5k5kx06isnq8hxkfrxz60384f4k") -(patch "045" "08q02mj9imp2njpgm6f5q5m61i7qzp33rbxxzarixalyisbw6vms") -(patch "046" "13v8dymwj83wcvrfayjqrs5kqar05bcj4zpiacrjkkchnsk5dd5k") ] From 1585e0f09baa1185cec7f8c7eb64009606d4dc12 Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Fri, 26 Aug 2016 17:08:04 +0200 Subject: [PATCH 566/603] sqlite: 3.13.0 -> 3.14.1 --- pkgs/development/libraries/sqlite/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/development/libraries/sqlite/default.nix b/pkgs/development/libraries/sqlite/default.nix index 1e59745b34a..c834c47ba94 100644 --- a/pkgs/development/libraries/sqlite/default.nix +++ b/pkgs/development/libraries/sqlite/default.nix @@ -3,11 +3,11 @@ assert interactive -> readline != null && ncurses != null; stdenv.mkDerivation { - name = "sqlite-3.13.0"; + name = "sqlite-3.14.1"; src = fetchurl { - url = "http://sqlite.org/2016/sqlite-autoconf-3130000.tar.gz"; - sha256 = "0sq88jbwsk48i41f7m7rkw9xvijq011nsbs7pl49s31inck70yg2"; + url = "http://sqlite.org/2016/sqlite-autoconf-3140100.tar.gz"; + sha256 = "19j73j44akqgc6m82wm98yvnmm3mfzmfqr8mp3n7n080d53q4wdw"; }; outputs = [ "dev" "out" "bin" ]; From 098680e78e871d7eb699bc750d436ea24796f818 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Fri, 26 Aug 2016 17:08:58 +0200 Subject: [PATCH 567/603] Revert "Revert "bash: 4.3-p42 -> 4.3-p46"" This reverts commit 36e75a2285feaff2e0c00e457e2a308e74a553c9. Sorry, had bash reverted temporarily to test the build of the sqlite bump and forgot to remove that commit. --- pkgs/shells/bash/bash-4.3-patches.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/shells/bash/bash-4.3-patches.nix b/pkgs/shells/bash/bash-4.3-patches.nix index f84ac836e94..83743938de3 100644 --- a/pkgs/shells/bash/bash-4.3-patches.nix +++ b/pkgs/shells/bash/bash-4.3-patches.nix 
@@ -43,4 +43,8 @@ patch: [ (patch "040" "0sypv66vsldmc95gwvf7ylz1k7y37vnvdsjg8ajjr6b2j9mkkfw4") (patch "041" "06ic2gdpbi1afik3wqf9d4vh95if4bz8bmhcgr555621dsb35i2f") (patch "042" "06a90k0p6bqc4wk2dsmapna69124an76xvlnlj3xm497vci968dc") +(patch "043" "1031g97w8gamimb41jr9r2qm7mn10k5mr3sd3y12avml0p0a7a27") +(patch "044" "16bzaq9fs2kaw2n2k6vvljkjw5k5kx06isnq8hxkfrxz60384f4k") +(patch "045" "08q02mj9imp2njpgm6f5q5m61i7qzp33rbxxzarixalyisbw6vms") +(patch "046" "13v8dymwj83wcvrfayjqrs5kqar05bcj4zpiacrjkkchnsk5dd5k") ] From e0deed0110ce2627d19eae04c16e8341f1d81269 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Aug 2016 15:19:37 +0000 Subject: [PATCH 568/603] ghc: add comment to relocation patch --- pkgs/applications/graphics/xaos/default.nix | 2 ++ pkgs/development/compilers/ghc/relocation.patch | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/pkgs/applications/graphics/xaos/default.nix b/pkgs/applications/graphics/xaos/default.nix index 1f3a9967b02..a6f97bb5334 100644 --- a/pkgs/applications/graphics/xaos/default.nix +++ b/pkgs/applications/graphics/xaos/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "15cd1cx1dyygw6g2nhjqq3bsfdj8sj8m4va9n75i0f3ryww3x7wq"; }; + hardeningDisable = [ "format" ]; + buildInputs = [ aalib gsl libpng libX11 xproto libXext xextproto libXt zlib gettext intltool perl diff --git a/pkgs/development/compilers/ghc/relocation.patch b/pkgs/development/compilers/ghc/relocation.patch index c5b1f6c560d..b9becfc86b5 100644 --- a/pkgs/development/compilers/ghc/relocation.patch +++ b/pkgs/development/compilers/ghc/relocation.patch 
@@ -1,3 +1,11 @@ +Adding support for the R_X86_64_REX_GOTPCRELX relocation type. +This relocation is treated by the linker the same as the R_X86_64_GOTPCRELX type +G + GOT + A - P to generate relative offsets to the GOT. +The REX prefix has no influence in this stage. + +This caused breakage when enabling relro/bindnow hardening e.g. in ghcPaclages.vector + +Source: https://phabricator.haskell.org/D2303#67070 diff --git a/rts/Linker.c b/rts/Linker.c --- a/rts/Linker.c +++ b/rts/Linker.c From b6c204f088cff9cd50d203b6799bd30a98a14179 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 1 Aug 2016 07:33:39 +0000 Subject: [PATCH 569/603] stdenv substitute: fail on non-existant input file fixes #9744 --- pkgs/stdenv/generic/setup.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh index 5b50167d9b9..f704395f147 100644 --- a/pkgs/stdenv/generic/setup.sh +++ b/pkgs/stdenv/generic/setup.sh @@ -389,6 +389,11 @@ substitute() { local input="$1" local output="$2" + if [ ! -f "$input" ]; then + echo "substitute: File \"$input\" does not exist" + return 1 + fi + local -a params=("$@") local n p pattern replacement varName content From 8a84fc0217344990b646cbfbf01037b935407a40 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Fri, 26 Aug 2016 18:58:49 +0200 Subject: [PATCH 570/603] Tweak error message --- pkgs/stdenv/generic/setup.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh index f704395f147..c478c375323 100644 --- a/pkgs/stdenv/generic/setup.sh +++ b/pkgs/stdenv/generic/setup.sh @@ -390,7 +390,7 @@ substitute() { local output="$2" if [ ! -f "$input" ]; then - echo "substitute: File \"$input\" does not exist" + echo "substitute(): file '$input' does not exist" return 1 fi From e646d2c07cc9f643811993908f5db72d3bc57682 Mon Sep 17 00:00:00 2001 
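Review bot: The diagnostic in the new `substitute()` guard is written to stdout, so in a phase whose output is captured or piped it can be lost while the caller only sees the non-zero return; it belongs on stderr: `echo "substitute(): file '$input' does not exist" >&2`. The `-f` test also rejects readable non-regular files (FIFOs, `/dev/stdin`); that is a reasonable default for a tool that rewrites a file in place, but worth a one-line comment so nobody "fixes" it to `-e` later, e.g. `# reject missing or non-regular inputs up front instead of producing an empty output file`. The rest of `substitute()` continues outside the hunk.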
From: Robin Gloster Date: Sat, 27 Aug 2016 08:00:20 +0000 Subject: [PATCH 571/603] gnome3.gtk: fix build on darwin The .la file does not exist on darwin. --- pkgs/development/libraries/gtk+/3.x.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/gtk+/3.x.nix b/pkgs/development/libraries/gtk+/3.x.nix index b0409ee2808..249f2651517 100644 --- a/pkgs/development/libraries/gtk+/3.x.nix +++ b/pkgs/development/libraries/gtk+/3.x.nix @@ -41,7 +41,7 @@ stdenv.mkDerivation rec { ++ optional cupsSupport cups; #TODO: colord? - NIX_LDFLAGS = stdenv.lib.optionalString stdenv.isDarwin "-lintl"; + NIX_LDFLAGS = optionalString stdenv.isDarwin "-lintl"; # demos fail to install, no idea where's the problem preConfigure = "sed '/^SRC_SUBDIRS /s/demos//' -i Makefile.in"; @@ -60,7 +60,7 @@ stdenv.mkDerivation rec { "--enable-wayland-backend" ]; - postInstall = '' + postInstall = optionalString (!stdenv.isDarwin) '' substituteInPlace "$out/lib/gtk-3.0/3.0.0/printbackends/libprintbackend-cups.la" \ --replace '-L${gmp.dev}/lib' '-L${gmp.out}/lib' ''; From a2a337c562789a6d5ed25c15f21d9e0ee8dd1ac6 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Aug 2016 21:13:03 +0000 Subject: [PATCH 572/603] gksu: disable format hardening --- pkgs/applications/misc/gksu/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/misc/gksu/default.nix b/pkgs/applications/misc/gksu/default.nix index a6e06c85ac7..c3f78efd412 100644 --- a/pkgs/applications/misc/gksu/default.nix +++ b/pkgs/applications/misc/gksu/default.nix @@ -24,6 +24,8 @@ stdenv.mkDerivation rec { libgksu ]; + hardeningDisable = [ "format" ]; + patches = [ # https://savannah.nongnu.org/bugs/index.php?36127 ./gksu-2.0.2-glib-2.31.patch From c0e42fe74170fb6bc8a3c8040b3ddeb84a4a13cf Mon Sep 17 00:00:00 2001 
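Review bot: Dropping `format` hardening with a bare `hardeningDisable = [ "format" ];` needs more justification in this package than elsewhere: gksu is, by name and by its `libgksu` dependency visible in the hunk, a frontend for running commands with elevated privileges, so whatever non-literal format string `-Werror=format-security` rejected executes in a program fed by an unprivileged user's arguments and environment. The hunk already carries a `patches` list directly below; the preferable fix is a small patch making the offending call site use a literal format, with the flag left enabled. If the exception must stay, document the exact file and line it works around, e.g. `# FIXME: -Werror=format-security rejects a non-literal format string in <file>:<line>; patch the call site and re-enable`. The enclosing `mkDerivation` starts outside the hunk.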
From: Robin Gloster Date: Sat, 27 Aug 2016 21:53:27 +0000 Subject: [PATCH 573/603] imv: add fontconfig dependency --- pkgs/applications/graphics/imv/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/graphics/imv/default.nix b/pkgs/applications/graphics/imv/default.nix index dc9df2fb852..16a05607da3 100644 --- a/pkgs/applications/graphics/imv/default.nix +++ b/pkgs/applications/graphics/imv/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchgit, SDL2, SDL2_ttf, freeimage }: +{ stdenv, fetchgit, SDL2, SDL2_ttf, freeimage, fontconfig }: stdenv.mkDerivation rec { name = "imv-${version}"; @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { sha256 = "0fhc944g7b61jrkd4wn1piq6dkpabsbxpm80pifx9dqmj16sf0pf"; }; - buildInputs = [ SDL2 SDL2_ttf freeimage ]; + buildInputs = [ SDL2 SDL2_ttf freeimage fontconfig ]; configurePhase = "substituteInPlace Makefile --replace /usr $out"; From 191896e63ab90cf6a4a496d02f3abcb429502451 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Aug 2016 21:53:49 +0000 Subject: [PATCH 574/603] qfsm: disable format hardening --- pkgs/applications/science/electronics/qfsm/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/science/electronics/qfsm/default.nix b/pkgs/applications/science/electronics/qfsm/default.nix index 95b312a4438..4b4d21aca00 100644 --- a/pkgs/applications/science/electronics/qfsm/default.nix +++ b/pkgs/applications/science/electronics/qfsm/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { patches = [ ./drop-hardcoded-prefix.patch ]; + hardeningDisable = [ "format" ]; + enableParallelBuilding = true; meta = { From 9f80e554288e3c14816bebb25db0bffcff974d4c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Aug 2016 21:54:17 +0000 Subject: [PATCH 575/603] openmodelica: disable format hardening --- pkgs/applications/science/misc/openmodelica/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/pkgs/applications/science/misc/openmodelica/default.nix b/pkgs/applications/science/misc/openmodelica/default.nix index 8ea670c3818..8b413f20b1e 100644 --- a/pkgs/applications/science/misc/openmodelica/default.nix +++ b/pkgs/applications/science/misc/openmodelica/default.nix @@ -20,6 +20,8 @@ stdenv.mkDerivation { doxygen boost openscenegraph gnome.gtkglext pangox_compat xorg.libXmu git gtk makeWrapper]; + hardeningDisable = [ "format" ]; + patchPhase = '' cp -fv ${fakegit}/bin/checkout-git.sh libraries/checkout-git.sh cp -fv ${fakegit}/bin/checkout-svn.sh libraries/checkout-svn.sh From 29c5ccea4a6b93210ce2f4669b6e2c62e393a704 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Aug 2016 21:54:30 +0000 Subject: [PATCH 576/603] xen: remove obsolete substituteInPlace --- pkgs/applications/virtualization/xen/generic.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix index a036cd8d564..4b0201bc189 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic.nix @@ -101,9 +101,6 @@ stdenv.mkDerivation { --replace /usr/sbin/vgs ${lvm2}/sbin/vgs \ --replace /usr/sbin/lvs ${lvm2}/sbin/lvs - substituteInPlace tools/hotplug/Linux/network-bridge \ - --replace /usr/bin/logger ${utillinux}/bin/logger - substituteInPlace tools/xenmon/xenmon.py \ --replace /usr/bin/pkill ${procps}/bin/pkill From 193a57fa4802909e9e4c3fe6e3c85bd8e170e263 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Aug 2016 21:54:55 +0000 Subject: [PATCH 577/603] noweb: remove obsolete substituteInPlace --- pkgs/development/tools/literate-programming/noweb/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/tools/literate-programming/noweb/default.nix b/pkgs/development/tools/literate-programming/noweb/default.nix index 756da8a8539..44df2b1e153 100644 
--- a/pkgs/development/tools/literate-programming/noweb/default.nix +++ b/pkgs/development/tools/literate-programming/noweb/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation { postInstall= '' substituteInPlace $out/bin/cpif --replace "PATH=/bin:/usr/bin" "" for f in $out/bin/{noweb,nountangle,noroots,noroff,noindex} \ - $out/lib/noweb/{toroff,btdefn,totex,pipedoc,noidx,unmarkup,toascii,tohtml,emptydefn}; do + $out/lib/noweb/{toroff,btdefn,totex,noidx,unmarkup,toascii,tohtml,emptydefn}; do substituteInPlace $f --replace "nawk" "${gawk}/bin/awk" done ''; From 3f4caa111f941294beb31f592577c7696a98e3b0 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Aug 2016 21:55:19 +0000 Subject: [PATCH 578/603] scrypt: remove obsolete substituteInPlace --- pkgs/tools/security/scrypt/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/tools/security/scrypt/default.nix b/pkgs/tools/security/scrypt/default.nix index 893b7b31900..1835dbdb620 100644 --- a/pkgs/tools/security/scrypt/default.nix +++ b/pkgs/tools/security/scrypt/default.nix @@ -12,8 +12,6 @@ stdenv.mkDerivation rec { buildInputs = [ openssl ]; patchPhase = '' - substituteInPlace Makefile \ - --replace "command -p mv" "mv" substituteInPlace Makefile.in \ --replace "command -p mv" "mv" substituteInPlace autocrap/Makefile.am \ From d80ad66701040ab1ff172dc0a0caae22fa9c34a8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Aug 2016 21:55:37 +0000 Subject: [PATCH 579/603] svtplay-dl: fix path to test runner --- pkgs/tools/misc/svtplay-dl/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/misc/svtplay-dl/default.nix b/pkgs/tools/misc/svtplay-dl/default.nix index 1169752b9ca..d3d1197943e 100644 --- a/pkgs/tools/misc/svtplay-dl/default.nix +++ b/pkgs/tools/misc/svtplay-dl/default.nix 
@@ -22,7 +22,7 @@ in stdenv.mkDerivation rec { substituteInPlace lib/svtplay_dl/fetcher/rtmp.py \ --replace '"rtmpdump"' '"${rtmpdump}/bin/rtmpdump"' - substituteInPlace run-tests.sh \ + substituteInPlace scripts/run-tests.sh \ --replace 'PYTHONPATH=lib' 'PYTHONPATH=lib:$PYTHONPATH' ''; @@ -34,7 +34,7 @@ in stdenv.mkDerivation rec { ''; doCheck = true; - checkPhase = "sh run-tests.sh -2"; + checkPhase = "sh scripts/run-tests.sh -2"; meta = with stdenv.lib; { homepage = https://github.com/spaam/svtplay-dl; From c30d4c732e10bfdd6dc77cb1739de86b51038c16 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Aug 2016 21:55:58 +0000 Subject: [PATCH 580/603] liquidwar: fix build after glibc upgrade --- pkgs/games/liquidwar/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/games/liquidwar/default.nix b/pkgs/games/liquidwar/default.nix index ccab07308fd..04640095ec0 100644 --- a/pkgs/games/liquidwar/default.nix +++ b/pkgs/games/liquidwar/default.nix @@ -26,6 +26,8 @@ stdenv.mkDerivation rec { hardeningDisable = [ "format" ]; + NIX_CFLAGS_COMPILE = "-Wno-error=deprecated-declarations"; + # To avoid problems finding SDL_types.h. configureFlags = [ "CFLAGS=-I${SDL.dev}/include/SDL" ]; From 6f9d474db120e29a0d80fb2cb26965c2fc40f6e1 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Aug 2016 21:56:33 +0000 Subject: [PATCH 581/603] njam: disable format hardening --- pkgs/games/njam/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/games/njam/default.nix b/pkgs/games/njam/default.nix index ba17fe28e35..bcbbc9e7756 100644 --- a/pkgs/games/njam/default.nix +++ b/pkgs/games/njam/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { buildInputs = [ SDL SDL_image SDL_mixer SDL_net ]; + hardeningDisable = [ "format" ]; + patches = [ ./logfile.patch ]; meta = { From b37460ec6357335a599beb36b51a17b186276d52 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Sat, 27 Aug 2016 21:56:45 +0000 Subject: [PATCH 582/603] xtreemfs: fix substituteInPlace paths --- pkgs/tools/filesystems/xtreemfs/default.nix | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/pkgs/tools/filesystems/xtreemfs/default.nix b/pkgs/tools/filesystems/xtreemfs/default.nix index adee80d9c5d..2a85adb60b5 100644 --- a/pkgs/tools/filesystems/xtreemfs/default.nix +++ b/pkgs/tools/filesystems/xtreemfs/default.nix @@ -42,15 +42,19 @@ stdenv.mkDerivation rec { substituteInPlace etc/init.d/generate_initd_scripts.sh \ --replace "/bin/bash" "${stdenv.shell}" + substituteInPlace cpp/thirdparty/gtest-1.7.0/configure \ + --replace "/usr/bin/file" "${file}/bin/file" + + substituteInPlace cpp/thirdparty/protobuf-2.5.0/configure \ + --replace "/usr/bin/file" "${file}/bin/file" + + substituteInPlace cpp/thirdparty/protobuf-2.5.0/gtest/configure \ + --replace "/usr/bin/file" "${file}/bin/file" + # do not put cmake into buildInputs export PATH="$PATH:${cmake}/bin" ''; - preBuild = '' - substituteInPlace configure \ - --replace "/usr/bin/file" "${file}/bin/file" - ''; - doCheck = false; postInstall = '' From 132571454c8162cdefe9e94613137d6a13b950b7 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Aug 2016 22:08:20 +0000 Subject: [PATCH 583/603] springlobby: remove obsolete `substituteInPlace`s --- pkgs/games/spring/springlobby.nix | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/pkgs/games/spring/springlobby.nix b/pkgs/games/spring/springlobby.nix index 2cd9f24721f..efab1defbed 100644 --- a/pkgs/games/spring/springlobby.nix +++ b/pkgs/games/spring/springlobby.nix 
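Review bot: The three new `substituteInPlace … --replace "/usr/bin/file"` calls in the xtreemfs hunk are identical apart from the path and read better as one loop, `for f in cpp/thirdparty/{gtest-1.7.0,protobuf-2.5.0,protobuf-2.5.0/gtest}/configure; do substituteInPlace $f --replace /usr/bin/file ${file}/bin/file; done`. Writing it that way also makes it visible that the build compiles vendored copies of gtest 1.7.0 and protobuf 2.5.0 rather than the nixpkgs derivations, which is worth a comment because those copies will not receive fixes applied to the shared protobuf package. The enclosing phase starts above this hunk.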
@@ -1,8 +1,8 @@ { stdenv, fetchurl, cmake, wxGTK30, openal, pkgconfig, curl, libtorrentRasterbar , libpng, libX11, gettext, bash, gawk, boost, libnotify, gtk, doxygen, spring , makeWrapper, glib, minizip, alure, pcre, jsoncpp }: -stdenv.mkDerivation rec { +stdenv.mkDerivation rec { name = "springlobby-${version}"; version = "0.247"; @@ -16,12 +16,6 @@ stdenv.mkDerivation rec { boost libpng libX11 libnotify gtk doxygen makeWrapper glib minizip alure ]; - prePatch = '' - substituteInPlace tools/regen_config_header.sh --replace "#!/usr/bin/env bash" "#!${bash}/bin/bash" - substituteInPlace tools/test-susynclib.awk --replace "#!/usr/bin/awk" "#!${gawk}/bin/awk" - substituteInPlace CMakeLists.txt --replace "boost_system-mt" "boost_system" - ''; - enableParallelBuilding = true; postInstall = '' From ed01e0ca4f57d8abc8fbb16f7387a4f553d3fc8a Mon Sep 17 00:00:00 2001 From: obadz Date: Sun, 28 Aug 2016 03:53:13 +0100 Subject: [PATCH 584/603] openssl: fix merge conflict between b6dabe3 and 6e7ca92 --- pkgs/development/libraries/openssl/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index f706ba97f7f..0c32bf03438 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix @@ -17,7 +17,7 @@ let }; patches = - args.patches + (args.patches or []) ++ optional (versionOlder version "1.1.0") ./use-etc-ssl-certs.patch ++ optional stdenv.isCygwin ./1.0.1-cygwin64.patch ++ optional From 6eb40148742de9010f2f7f6eec26df15f54e9afc Mon Sep 17 00:00:00 2001 From: obadz Date: Sun, 28 Aug 2016 13:26:19 +0100 Subject: [PATCH 585/603] go_1_4: set CGO_ENABLED=0 to cope with binutils 2.27 version bump See also https://github.com/golang/go/issues/16906 cc @cstrahan @edolstra @lancelotsix @globin @fpletz --- pkgs/development/compilers/go/1.4.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
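Review bot: After the springlobby `prePatch` removal, `bash` and `gawk` are still taken as arguments in the first hunk but nothing visible here uses them any more; drop them if no other phase does. If `tools/regen_config_header.sh` and `tools/test-susynclib.awk` are still executed at build time, their `/usr/bin/env bash` and `/usr/bin/awk` shebangs will not resolve in the sandbox, so the assumption is presumably that patchShebangs now handles them — a one-line comment such as `# shebangs are fixed by patchShebangs in patchPhase` would record that. The rest of the derivation continues outside these hunks.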
diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix index 5b6af31d684..273d768ce21 100644 --- a/pkgs/development/compilers/go/1.4.nix +++ b/pkgs/development/compilers/go/1.4.nix @@ -100,7 +100,7 @@ stdenv.mkDerivation rec { else throw "Unsupported system"; GOARM = stdenv.lib.optionalString (stdenv.system == "armv5tel-linux") "5"; GO386 = 387; # from Arch: don't assume sse2 on i686 - CGO_ENABLED = 1; + CGO_ENABLED = 0; # The go build actually checks for CC=*/clang and does something different, so we don't # just want the generic `cc` here. From b46b0381b6c5555297093655e6f8a1b8f55e75e0 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 28 Aug 2016 14:02:22 +0000 Subject: [PATCH 586/603] evemu: remove obsolete substituteInPlace and use autoreconfHook --- pkgs/tools/system/evemu/default.nix | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/pkgs/tools/system/evemu/default.nix b/pkgs/tools/system/evemu/default.nix index 2a2340a2152..873abd4812c 100644 --- a/pkgs/tools/system/evemu/default.nix +++ b/pkgs/tools/system/evemu/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchgit, automake, autoconf, libtool, pkgconfig, pythonPackages +{ stdenv, fetchgit, autoreconfHook, pkgconfig, pythonPackages , libevdev, linuxHeaders }: 
@@ -14,18 +14,9 @@ stdenv.mkDerivation rec { sha256 = "07iha13xrpf4z59rzl9cm2h1zkc5xhyipbd3ajd3c1d4hhpn9w9s"; }; - buildInputs = [ - automake autoconf libtool pkgconfig pythonPackages.python - pythonPackages.evdev libevdev - ]; + nativeBuildInputs = [ pkgconfig autoreconfHook ]; - preConfigure = '' - ./autogen.sh --prefix=$out - ''; - - postPatch = '' - substituteInPlace src/make-event-names.py --replace "/usr/include/linux/input.h" "${linuxHeaders}/include/linux/input.h" - ''; + buildInputs = [ pythonPackages.python pythonPackages.evdev libevdev ]; meta = with stdenv.lib; { description = "Records and replays device descriptions and events to emulate input devices through the kernel's input system"; From f86c5bc6fae4e1dc1e765b05ee8405909c14e0b7 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 28 Aug 2016 14:03:12 +0000 Subject: [PATCH 587/603] ghcHEAD: remove included patch --- pkgs/development/compilers/ghc/head.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/pkgs/development/compilers/ghc/head.nix b/pkgs/development/compilers/ghc/head.nix index 43a7e767c6a..eebdaca5f83 100644 --- a/pkgs/development/compilers/ghc/head.nix +++ b/pkgs/development/compilers/ghc/head.nix @@ -18,7 +18,6 @@ in stdenv.mkDerivation rec { patches = [ ./ghc-8.x-dont-pass-linker-flags-via-response-files.patch # https://github.com/NixOS/nixpkgs/issues/10752 - ./relocation.patch ]; postUnpack = '' From 69b71d3eac110a1b1e510ad70af4f160843d0147 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 28 Aug 2016 14:06:55 +0000 Subject: [PATCH 588/603] liquidwar5: disable format hardening --- pkgs/games/liquidwar/5.nix | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/pkgs/games/liquidwar/5.nix b/pkgs/games/liquidwar/5.nix index ac24f3bac74..dfb2934cf77 100644 --- a/pkgs/games/liquidwar/5.nix +++ b/pkgs/games/liquidwar/5.nix 
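Review bot: `linuxHeaders` remains in the argument list (previous hunk) but is no longer referenced once the `src/make-event-names.py` substitution is dropped, so either remove it from the arguments or keep the substitution if the script still reads `/usr/include/linux/input.h`, a path that does not exist in the sandbox. The commit calls it obsolete, presumably because upstream now locates the header another way, but that is not visible here; a comment saying where the header path now comes from would settle it. Also check that the removed `./autogen.sh --prefix=$out` did nothing beyond what autoreconfHook performs.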
@@ -7,18 +7,16 @@ stdenv.mkDerivation rec { sha256 = "18wkbfzp07yckg05b5gjy67rw06z9lxp0hzg0zwj7rz8i12jxi9j"; }; - buildInputs = [ - allegro - ]; + buildInputs = [ allegro ]; - configureFlags = - (stdenv.lib.optional stdenv.isx86_64 "--disable-asm") - ; + configureFlags = stdenv.lib.optional stdenv.isx86_64 "--disable-asm"; - meta = with stdenv.lib; { - description = ''The classic version of a quick tactics game LiquidWar''; - maintainers = [ maintainers.raskin ]; - license = licenses.gpl2Plus; - platforms = platforms.linux; - }; + hardeningDisable = [ "format" ]; + + meta = with stdenv.lib; { + description = ''The classic version of a quick tactics game LiquidWar''; + maintainers = [ maintainers.raskin ]; + license = licenses.gpl2Plus; + platforms = platforms.linux; + }; } From 9145ba0d90239afdae7a721c7a9105b36c59f772 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 28 Aug 2016 22:51:34 +0000 Subject: [PATCH 589/603] docker: build with default go Fixes build after binutils update --- pkgs/top-level/all-packages.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 5453d01fe78..d68fd58024c 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -12704,7 +12704,6 @@ in docker = callPackage ../applications/virtualization/docker { btrfs-progs = btrfs-progs_4_4_1; - go = go_1_4; }; docker-gc = callPackage ../applications/virtualization/docker/gc.nix { }; From db2582de815624a54599bd3412c3aed59fad687d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 28 Aug 2016 23:27:09 +0000 Subject: [PATCH 590/603] pythonPackages.googleplaydownloader: remove Source and project homepage are offline --- pkgs/top-level/python-packages.nix | 31 ------------------------------ 1 file changed, 31 deletions(-) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index c51bcfe98c3..1a548dbe070 100644 --- a/pkgs/top-level/python-packages.nix 
+++ b/pkgs/top-level/python-packages.nix @@ -6634,37 +6634,6 @@ in modules // { propagatedBuildInputs = with self; [ gdata ]; }; - googleplaydownloader = buildPythonPackage rec { - version = "1.8"; - name = "googleplaydownloader-${version}"; - - src = pkgs.fetchurl { - url = "https://codingteam.net/project/googleplaydownloader/download/file/googleplaydownloader_${version}.orig.tar.gz"; - sha256 = "1hxl4wdbiyq8ay6vnf3m7789jg0kc63kycjj01x1wm4gcm4qvbkx"; - }; - - disabled = ! isPy27; - - propagatedBuildInputs = with self; [ configparser pyasn1 ndg-httpsclient requests protobuf wxPython]; - - preBuild = '' - substituteInPlace googleplaydownloader/__init__.py --replace \ - 'open(os.path.join(HERE, "googleplaydownloader"' \ - 'open(os.path.join(HERE' - ''; - - postInstall = '' - cp -R googleplaydownloader/ext_libs $out/${python.sitePackages}/ - ''; - - meta = { - homepage = https://codingteam.net/project/googleplaydownloader; - description = "Graphical software to download APKs from the Google Play store"; - license = licenses.agpl3; - maintainers = with maintainers; [ DamienCassou ]; - }; - }; - gplaycli = buildPythonPackage rec { version = "0.1.2"; name = "gplaycli-${version}"; From 2958ec7d6fe1fb7c5e90bac0b3164df5b4c177cc Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 28 Aug 2016 23:35:49 +0000 Subject: [PATCH 591/603] pythonPackages.fake_factory: 0.5.7 -> 0.6.0 fixes build --- pkgs/top-level/python-packages.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index 1a548dbe070..1646b65fa96 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix 
@@ -6140,11 +6140,11 @@ in modules // { fake_factory = buildPythonPackage rec { name = "fake-factory-${version}"; - version = "0.5.7"; + version = "0.6.0"; src = pkgs.fetchurl { url = "mirror://pypi/f/fake-factory/${name}.tar.gz"; - sha256 = "1chmarnrdzn4r017n8qlic0m0bbnhw04s3hkwribjvm3mqpb6pa0"; + sha256 = "09sgk0kylsshs64a1xsz3qr187sbnqrbf4z8k3dgsy32lsgyffv2"; }; propagatedBuildInputs = with self; [ six dateutil ipaddress mock ]; From 675848419e9ebead75a5ed114aff001ad893df27 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Mon, 29 Aug 2016 02:54:33 +0200 Subject: [PATCH 592/603] go_1_5: set CGO_ENABLED=0 to cope with binutils 2.27 version bump See 6eb40148742de9010f2f7f6eec26df15f54e9afc and https://github.com/golang/go/issues/16906. cc @obadz @cstrahan @edolstra @lancelotsix @globin --- pkgs/development/compilers/go/1.5.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix index e6060f3ecec..03caec9c3b4 100644 --- a/pkgs/development/compilers/go/1.5.nix +++ b/pkgs/development/compilers/go/1.5.nix @@ -107,7 +107,7 @@ stdenv.mkDerivation rec { else throw "Unsupported system"; GOARM = stdenv.lib.optionalString (stdenv.system == "armv5tel-linux") "5"; GO386 = 387; # from Arch: don't assume sse2 on i686 - CGO_ENABLED = 1; + CGO_ENABLED = 0; GOROOT_BOOTSTRAP = "${goBootstrap}/share/go"; # The go build actually checks for CC=*/clang and does something different, so we don't From a2dd51e6a2d57b07c49c9abc831ab4256ca1b96a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 29 Aug 2016 01:28:15 +0000 Subject: [PATCH 593/603] ocamlPackages.menhir: remove unnecessary substitution --- pkgs/development/ocaml-modules/menhir/generic.nix | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/pkgs/development/ocaml-modules/menhir/generic.nix b/pkgs/development/ocaml-modules/menhir/generic.nix index 088c2db061b..c182d210049 100644 
--- a/pkgs/development/ocaml-modules/menhir/generic.nix +++ b/pkgs/development/ocaml-modules/menhir/generic.nix @@ -13,16 +13,14 @@ stdenv.mkDerivation { createFindlibDestdir = true; preBuild = '' - #Fix makefiles. + # fix makefiles. RM=$(type -p rm) CHMOD=$(type -p chmod) - ENV=$(type -p env) - for f in src/Makefile demos/OMakefile* demos/Makefile* demos/ocamldep.wrapper + for f in src/Makefile demos/OMakefile* demos/Makefile* do substituteInPlace $f \ --replace /bin/rm $RM \ - --replace /bin/chmod $CHMOD \ - --replace /usr/bin/env $ENV + --replace /bin/chmod $CHMOD done export PREFIX=$out From 306cd03cdba889b34ebe539396a0ec2c2b20c8c1 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 29 Aug 2016 01:29:00 +0000 Subject: [PATCH 594/603] indent: disable format hardening --- pkgs/development/tools/misc/indent/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/tools/misc/indent/default.nix b/pkgs/development/tools/misc/indent/default.nix index 594bef7e16a..996043c16d8 100644 --- a/pkgs/development/tools/misc/indent/default.nix +++ b/pkgs/development/tools/misc/indent/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { sed -i 's|#include |#include |' ./man/texinfo2man.c ''; + hardeningDisable = [ "format" ]; + meta = { homepage = https://www.gnu.org/software/indent/; description = "A source code reformatter"; From beff32f61e4e7b9f07c9bc8daaafff13dea28d24 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 29 Aug 2016 01:31:47 +0000 Subject: [PATCH 595/603] ucommon: disable flaky networking test --- pkgs/development/libraries/ucommon/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkgs/development/libraries/ucommon/default.nix b/pkgs/development/libraries/ucommon/default.nix index 50d8f5e8745..4d140932402 100644 --- a/pkgs/development/libraries/ucommon/default.nix +++ b/pkgs/development/libraries/ucommon/default.nix 
@@ -19,6 +19,12 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig ]; + # disable flaky networking test + postPatch = '' + substituteInPlace test/stream.cpp \ + --replace 'ifndef UCOMMON_SYSRUNTIME' 'if 0' + ''; + # ucommon.pc has link time depdendencies on -lssl, -lcrypto, -lz, -lgnutls propagatedBuildInputs = [ openssl zlib gnutls ]; From df935b01e770682c02d73d114742fc2f498f0347 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 29 Aug 2016 01:44:55 +0000 Subject: [PATCH 596/603] go_1_5: remove --- pkgs/development/compilers/go/1.5.nix | 143 -------------------------- pkgs/top-level/all-packages.nix | 8 -- 2 files changed, 151 deletions(-) delete mode 100644 pkgs/development/compilers/go/1.5.nix diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix deleted file mode 100644 index 03caec9c3b4..00000000000 --- a/pkgs/development/compilers/go/1.5.nix +++ /dev/null 
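Review bot: Replacing `ifndef UCOMMON_SYSRUNTIME` with `if 0` in `test/stream.cpp` disables every block guarded by that macro in the file, not only the one networking test, and `substituteInPlace --replace` is silent when the pattern is absent, so a later ucommon release that moves the guard would quietly bring the test back. Prefer a patch file that removes just the flaky case, or at least fail loudly, e.g. `grep -q 'ifndef UCOMMON_SYSRUNTIME' test/stream.cpp` before the substitution. The comment should also say which test is flaky and why (presumably it needs network access the sandbox does not have) so the workaround can be revisited.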
@@ -1,143 +0,0 @@ -{ stdenv, lib, fetchFromGitHub, tzdata, iana_etc, go_1_4, runCommand -, perl, which, pkgconfig, patch -, pcre -, Security, Foundation }: - -let - goBootstrap = runCommand "go-bootstrap" {} '' - mkdir $out - cp -rf ${go_1_4}/* $out/ - chmod -R u+w $out - find $out -name "*.c" -delete - cp -rf $out/bin/* $out/share/go/bin/ - ''; -in - -stdenv.mkDerivation rec { - name = "go-${version}"; - version = "1.5.4"; - - src = fetchFromGitHub { - owner = "golang"; - repo = "go"; - rev = "go${version}"; - sha256 = "1lvk9awmkjbz5z4snv3q3b3r7ijfz97kig2wkqz6jmr7b0lp1fcy"; - }; - - # perl is used for testing go vet - nativeBuildInputs = [ perl which pkgconfig patch ]; - buildInputs = [ pcre ]; - propagatedBuildInputs = lib.optionals stdenv.isDarwin [ - Security Foundation - ]; - - hardeningDisable = [ "all" ]; - - # I'm not sure what go wants from its 'src', but the go installation manual - # describes an installation keeping the src. - preUnpack = '' - mkdir -p $out/share - cd $out/share - ''; - - prePatch = '' - # Ensure that the source directory is named go - cd .. - if [ ! -d go ]; then - mv * go - fi - - cd go - patchShebangs ./ # replace /bin/bash - - # Disabling the 'os/http/net' tests (they want files not available in - # chroot builds) - rm src/net/{listen_test.go,parse_test.go,port_test.go} - rm src/syscall/exec_linux_test.go - # !!! substituteInPlace does not seems to be effective. - # The os test wants to read files in an existing path. Just don't let it be /usr/bin. 
- sed -i 's,/usr/bin,'"`pwd`", src/os/os_test.go - sed -i 's,/bin/pwd,'"`type -P pwd`", src/os/os_test.go - # Disable the unix socket test - sed -i '/TestShutdownUnix/areturn' src/net/net_test.go - # Disable the hostname test - sed -i '/TestHostname/areturn' src/os/os_test.go - # ParseInLocation fails the test - sed -i '/TestParseInSydney/areturn' src/time/format_test.go - # Remove the api check as it never worked - sed -i '/src\/cmd\/api\/run.go/ireturn nil' src/cmd/dist/test.go - # Remove the coverage test as we have removed this utility - sed -i '/TestCoverageWithCgo/areturn' src/cmd/go/go_test.go - - sed -i 's,/etc/protocols,${iana_etc}/etc/protocols,' src/net/lookup_unix.go - '' + lib.optionalString stdenv.isLinux '' - sed -i 's,/usr/share/zoneinfo/,${tzdata}/share/zoneinfo/,' src/time/zoneinfo_unix.go - '' + lib.optionalString stdenv.isDarwin '' - substituteInPlace src/race.bash --replace \ - "sysctl machdep.cpu.extfeatures | grep -qv EM64T" true - sed -i 's,strings.Contains(.*sysctl.*,true {,' src/cmd/dist/util.go - sed -i 's,"/etc","'"$TMPDIR"'",' src/os/os_test.go - sed -i 's,/_go_os_test,'"$TMPDIR"'/_go_os_test,' src/os/path_test.go - sed -i '/TestCgoLookupIP/areturn' src/net/cgo_unix_test.go - sed -i '/TestChdirAndGetwd/areturn' src/os/os_test.go - sed -i '/TestRead0/areturn' src/os/os_test.go - sed -i '/TestNohup/areturn' src/os/signal/signal_test.go - sed -i '/TestSystemRoots/areturn' src/crypto/x509/root_darwin_test.go - - sed -i '/TestGoInstallRebuildsStalePackagesInOtherGOPATH/areturn' src/cmd/go/go_test.go - sed -i '/TestBuildDashIInstallsDependencies/areturn' src/cmd/go/go_test.go - - sed -i '/TestDisasmExtld/areturn' src/cmd/objdump/objdump_test.go - - touch $TMPDIR/group $TMPDIR/hosts $TMPDIR/passwd - ''; - - patches = [ - ./remove-tools-1.5.patch - ] - # -ldflags=-s is required to compile on Darwin, see - # https://github.com/golang/go/issues/11994 - ++ stdenv.lib.optional stdenv.isDarwin ./strip.patch; - - GOOS = if stdenv.isDarwin then 
"darwin" else "linux"; - GOARCH = if stdenv.isDarwin then "amd64" - else if stdenv.system == "i686-linux" then "386" - else if stdenv.system == "x86_64-linux" then "amd64" - else if stdenv.isArm then "arm" - else throw "Unsupported system"; - GOARM = stdenv.lib.optionalString (stdenv.system == "armv5tel-linux") "5"; - GO386 = 387; # from Arch: don't assume sse2 on i686 - CGO_ENABLED = 0; - GOROOT_BOOTSTRAP = "${goBootstrap}/share/go"; - - # The go build actually checks for CC=*/clang and does something different, so we don't - # just want the generic `cc` here. - CC = if stdenv.isDarwin then "clang" else "cc"; - - installPhase = '' - mkdir -p "$out/bin" - export GOROOT="$(pwd)/" - export GOBIN="$out/bin" - export PATH="$GOBIN:$PATH" - cd ./src - echo Building - ./all.bash - ''; - - preFixup = '' - rm -r $out/share/go/pkg/bootstrap - ''; - - setupHook = ./setup-hook.sh; - - disallowedReferences = [ go_1_4 ]; - - meta = with stdenv.lib; { - branch = "1.5"; - homepage = http://golang.org/; - description = "The Go Programming language"; - license = licenses.bsd3; - maintainers = with maintainers; [ cstrahan wkennington ]; - platforms = platforms.linux ++ platforms.darwin; - }; -} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 61a3c0abcc6..88b5a1e027d 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -4729,10 +4729,6 @@ in inherit (darwin.apple_sdk.frameworks) Security; }; - go_1_5 = callPackage ../development/compilers/go/1.5.nix { - inherit (darwin.apple_sdk.frameworks) Security Foundation; - }; - go_1_6 = callPackage ../development/compilers/go/1.6.nix { inherit (darwin.apple_sdk.frameworks) Security Foundation; }; @@ -9978,10 +9974,6 @@ in go = go_1_4; }; - buildGo15Package = callPackage ../development/go-modules/generic { - go = go_1_5; - }; - buildGo16Package = callPackage ../development/go-modules/generic { go = go_1_6; }; 
From 06d63f6652863e492838f8f2aed8c380e559a4ee Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 29 Aug 2016 01:47:38 +0000 Subject: [PATCH 597/603] ipfs: build with generic go; mark as broken This does not build after the binutils update due to go 1.5 failing and ifps needs an upgrade to build with newer go. cc packager @kamilchm --- pkgs/applications/networking/ipfs/default.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/networking/ipfs/default.nix b/pkgs/applications/networking/ipfs/default.nix index a08a347ab28..79e2185f04e 100644 --- a/pkgs/applications/networking/ipfs/default.nix +++ b/pkgs/applications/networking/ipfs/default.nix @@ -1,6 +1,6 @@ -{ stdenv, buildGo15Package, fetchFromGitHub }: +{ stdenv, buildGoPackage, fetchFromGitHub }: -buildGo15Package rec { +buildGoPackage rec { name = "ipfs-${version}"; version = "i20160112--${stdenv.lib.strings.substring 0 7 rev}"; rev = "7070b4d878baad57dcc8da80080dd293aa46cabd"; @@ -17,5 +17,6 @@ buildGo15Package rec { meta = with stdenv.lib; { description = "A global, versioned, peer-to-peer filesystem"; license = licenses.mit; + broken = true; }; } From f81b2da3d4f0ece6fc33d8d2ec0eda87437202df Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 29 Aug 2016 01:48:55 +0000 Subject: [PATCH 598/603] go_1_4: rename to go_bootstrap and remove refs This has cgo disabled, so only use this for bootstrapping. --- pkgs/development/compilers/go/1.6.nix | 6 +++--- pkgs/development/compilers/go/1.7.nix | 6 +++--- pkgs/top-level/all-packages.nix | 6 +----- 3 files changed, 7 insertions(+), 11 deletions(-) diff --git a/pkgs/development/compilers/go/1.6.nix b/pkgs/development/compilers/go/1.6.nix index bbf2a946ece..38b114d8d07 100644 --- a/pkgs/development/compilers/go/1.6.nix +++ b/pkgs/development/compilers/go/1.6.nix 
@@ -1,4 +1,4 @@ -{ stdenv, lib, fetchurl, tzdata, iana_etc, go_1_4, runCommand +{ stdenv, lib, fetchurl, tzdata, iana_etc, go_bootstrap, runCommand , perl, which, pkgconfig, patch, fetchpatch , pcre , Security, Foundation, bash }: @@ -6,7 +6,7 @@ let goBootstrap = runCommand "go-bootstrap" {} '' mkdir $out - cp -rf ${go_1_4}/* $out/ + cp -rf ${go_bootstrap}/* $out/ chmod -R u+w $out find $out -name "*.c" -delete cp -rf $out/bin/* $out/share/go/bin/ @@ -143,7 +143,7 @@ stdenv.mkDerivation rec { setupHook = ./setup-hook.sh; - disallowedReferences = [ go_1_4 ]; + disallowedReferences = [ go_bootstrap ]; meta = with stdenv.lib; { branch = "1.6"; diff --git a/pkgs/development/compilers/go/1.7.nix b/pkgs/development/compilers/go/1.7.nix index 89f56a2438c..bc298924eb8 100644 --- a/pkgs/development/compilers/go/1.7.nix +++ b/pkgs/development/compilers/go/1.7.nix @@ -1,4 +1,4 @@ -{ stdenv, lib, fetchFromGitHub, tzdata, iana_etc, go_1_4, runCommand +{ stdenv, lib, fetchFromGitHub, tzdata, iana_etc, go_bootstrap, runCommand , perl, which, pkgconfig, patch, fetchpatch , pcre , Security, Foundation, bash }: @@ -6,7 +6,7 @@ let goBootstrap = runCommand "go-bootstrap" {} '' mkdir $out - cp -rf ${go_1_4}/* $out/ + cp -rf ${go_bootstrap}/* $out/ chmod -R u+w $out find $out -name "*.c" -delete cp -rf $out/bin/* $out/share/go/bin/ @@ -153,7 +153,7 @@ stdenv.mkDerivation rec { setupHook = ./setup-hook.sh; - disallowedReferences = [ go_1_4 ]; + disallowedReferences = [ go_bootstrap ]; meta = with stdenv.lib; { branch = "1.7"; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 88b5a1e027d..61e0a32f5e5 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
@@ -4725,7 +4725,7 @@ in dotnetPackages = recurseIntoAttrs (callPackage ./dotnet-packages.nix {}); - go_1_4 = callPackage ../development/compilers/go/1.4.nix { + go_bootstrap = callPackage ../development/compilers/go/1.4.nix { inherit (darwin.apple_sdk.frameworks) Security; }; @@ -9970,10 +9970,6 @@ in ### DEVELOPMENT / GO MODULES - buildGo14Package = callPackage ../development/go-modules/generic { - go = go_1_4; - }; - buildGo16Package = callPackage ../development/go-modules/generic { go = go_1_6; }; From 56158004b5b01c77fa12dae03a15aa7b3a9f979a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 29 Aug 2016 01:58:16 +0000 Subject: [PATCH 599/603] lprof: add hardeningDisable to environment during build --- pkgs/tools/graphics/lprof/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/tools/graphics/lprof/default.nix b/pkgs/tools/graphics/lprof/default.nix index 7f6a15da33d..cbce8bb61f7 100644 --- a/pkgs/tools/graphics/lprof/default.nix +++ b/pkgs/tools/graphics/lprof/default.nix @@ -30,6 +30,7 @@ stdenv.mkDerivation { -e "s/not config.CheckHeader('tiff.h')/False/" \ -e "s/not config.CheckCXXHeader('vigra\/impex.hxx')/False/" \ \ + -e "s/^\( 'LDFLAGS'.*\)/\1\n,'hardeningDisable' : os.environ['hardeningDisable']/" \ -e "s/^\( 'LDFLAGS'.*\)/\1\n,'NIX_CFLAGS_COMPILE' : os.environ['NIX_CFLAGS_COMPILE']/" \ -e "s/^\( 'LDFLAGS'.*\)/\1\n,'NIX_LDFLAGS' : os.environ['NIX_LDFLAGS']/" From 0865e22567d9b80f72318885f9a9c4128816ed06 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 29 Aug 2016 08:25:12 +0000 Subject: [PATCH 600/603] xorg.xf86videoxgi: add patch to fix build --- pkgs/servers/x11/xorg/overrides.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/pkgs/servers/x11/xorg/overrides.nix b/pkgs/servers/x11/xorg/overrides.nix index 10b0b3ce2ad..acbfe69ee43 100644 --- a/pkgs/servers/x11/xorg/overrides.nix +++ b/pkgs/servers/x11/xorg/overrides.nix 
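Review bot: `os.environ['hardeningDisable']` in the new lprof sed expression raises KeyError at SCons time if that variable is not in the build environment, and nothing in this hunk sets it; unless lprof's derivation declares `hardeningDisable` elsewhere (not visible here) the configure step will now fail. Use `os.environ.get('hardeningDisable', '')` so the key is forwarded only when present; the existing NIX_CFLAGS_COMPILE and NIX_LDFLAGS lines are not affected the same way because the cc-wrapper setup hook exports those. A comment above the sed explaining that these keys must be passed through to the wrapper, presumably because SCons builds with a scrubbed environment, would help the next reader.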
@@ -541,6 +541,17 @@ in nativeBuildInputs = [args.autoreconfHook xorg.utilmacros]; }; + xf86videoxgi = attrs: attrs // { + patches = [ + # fixes invalid open mode + # https://cgit.freedesktop.org/xorg/driver/xf86-video-xgi/commit/?id=bd94c475035739b42294477cff108e0c5f15ef67 + (args.fetchpatch { + url = "https://cgit.freedesktop.org/xorg/driver/xf86-video-xgi/patch/?id=bd94c475035739b42294477cff108e0c5f15ef67"; + sha256 = "0myfry07655adhrpypa9rqigd6rfx57pqagcwibxw7ab3wjay9f6"; + }) + ]; + }; + xwd = attrs: attrs // { buildInputs = with xorg; attrs.buildInputs ++ [libXt libxkbfile]; }; From b0b2a947519d6154e75279a381585f88a2ad4abd Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 29 Aug 2016 09:02:03 +0000 Subject: [PATCH 601/603] pdftk: disable format/fortify hardening --- pkgs/tools/typesetting/pdftk/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/typesetting/pdftk/default.nix b/pkgs/tools/typesetting/pdftk/default.nix index 84a853bb0df..73bf0b9e128 100644 --- a/pkgs/tools/typesetting/pdftk/default.nix +++ b/pkgs/tools/typesetting/pdftk/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { buildInputs = [ gcj unzip ]; + hardeningDisable = [ "fortify" "format" ]; + preBuild = '' cd pdftk sed -e 's@/usr/bin/@@g' -i Makefile.* From f3c994ca11ecfdf1966a143abe7a5007cc1c84e7 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 29 Aug 2016 09:08:03 +0000 Subject: [PATCH 602/603] rhino: disable format/fortify hardening --- pkgs/development/libraries/java/rhino/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/java/rhino/default.nix b/pkgs/development/libraries/java/rhino/default.nix index 37ab6b4f8fd..f106bbe6ebc 100644 --- a/pkgs/development/libraries/java/rhino/default.nix +++ b/pkgs/development/libraries/java/rhino/default.nix 
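Review bot: pdftk parses attacker-supplied PDFs, so `hardeningDisable = [ "fortify" "format" ]` for the whole package removes the _FORTIFY_SOURCE bounds checks and format-string checks from the C/C++ code that handles that input, and the hunk records no reason. If the cause is the gcj build objecting to -D_FORTIFY_SOURCE (presumably the "requires compiling with optimization" diagnostic, or a format warning in Java-derived code), say so in a comment such as `# gcj build fails with _FORTIFY_SOURCE / -Werror=format-security; re-enable once fixed` and consider passing `-O2` or disabling only for the gcj-compiled parts instead. The xf86videoxgi hunk earlier on this line pins its fetchpatch by sha256 and needs nothing.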
@@ -20,6 +20,8 @@ stdenv.mkDerivation { patches = [ ./gcj-type-mismatch.patch ]; + hardeningDisable = [ "fortify" "format" ]; + preConfigure = '' find -name \*.jar -or -name \*.class -exec rm -v {} \; From 0e9d35539733565b202a7c2098adb721fcaa8745 Mon Sep 17 00:00:00 2001 From: obadz Date: Mon, 29 Aug 2016 13:04:29 +0100 Subject: [PATCH 603/603] musl: disable stackprotector hardening Prevents busybox segfault --- pkgs/os-specific/linux/musl/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/os-specific/linux/musl/default.nix b/pkgs/os-specific/linux/musl/default.nix index a8055df92fd..ae0c7703de6 100644 --- a/pkgs/os-specific/linux/musl/default.nix +++ b/pkgs/os-specific/linux/musl/default.nix @@ -11,6 +11,10 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + # required to avoid busybox segfaulting on startup when invoking + # nix-build "" + hardeningDisable = [ "stackprotector" ]; + preConfigure = '' configureFlagsArray+=("--syslibdir=$out/lib") '';
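Review bot: rhino evaluates untrusted JavaScript, so the fortify/format disable in its hunk deserves a comment naming the gcj failure it works around, e.g. `# gcj build fails with _FORTIFY_SOURCE / -Werror=format-security`, so it is not carried forward once gcj is gone.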
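Review bot: Disabling `stackprotector` for all of musl drops the canary from every libc function rather than only from the early startup path that cannot use it; the busybox crash is most plausibly because the SSP canary is read from TLS before musl's startup code has set TLS up, which is why musl's own Makefile, as far as I recall, builds its startup objects with -fno-stack-protector. If the cc-wrapper appends its hardening flags after the package's own flags (not visible here), that per-object opt-out is overridden and this blanket disable is masking a flag-ordering problem in the wrapper; fixing the order or patching only the startup objects would keep SSP on the rest of libc. In any case record the mechanism in the comment, e.g. `# SSP reads the canary from TLS, which musl's startup code has not initialised yet; the wrapper's -fstack-protector-strong overrides musl's own -fno-stack-protector`. The comment's `nix-build ""` has also lost its argument (probably an angle-bracketed path stripped by the renderer) and should be restored.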