Merge pull request #18083 from NixOS/staging

Merge Staging

Contains compiler hardening by default as well as binutils version bump.

doc/languages-frameworks/python.md

@@ -632,7 +632,7 @@ Given a `default.nix`:
     src = ./.; }
 
 Running `nix-shell` with no arguments should give you
-the environment in which the package would be build with
+the environment in which the package would be built with
 `nix-build`.
 
 Shortcut to setup environments with C headers/libraries and python packages:

doc/stdenv.xml

@@ -1360,6 +1360,209 @@ in the default system locations.</para>
 
 </section>
 
+<section xml:id="sec-hardening-in-nixpkgs"><title>Hardening in Nixpkgs</title>
+
+<para>There are flags available to harden packages at compile or link-time.
+These can be toggled using the <varname>stdenv.mkDerivation</varname> parameters
+<varname>hardeningDisable</varname> and <varname>hardeningEnable</varname>.
+</para>
+
+<para>The following flags are enabled by default and might require disabling
+if the program to package is incompatible.
+</para>
+
+<variablelist>
+
+  <varlistentry>
+    <term><varname>format</varname></term>
+    <listitem><para>Adds the <option>-Wformat -Wformat-security
+    -Werror=format-security</option> compiler options. At present,
+    this warns about calls to <varname>printf</varname> and
+    <varname>scanf</varname> functions where the format string is
+    not a string literal and there are no format arguments, as in
+    <literal>printf(foo);</literal>. This may be a security hole
+    if the format string came from untrusted input and contains
+    <literal>%n</literal>.</para>
+
+    <para>This needs to be turned off or fixed for errors similar to:</para>
+
+    <programlisting>
+/tmp/nix-build-zynaddsubfx-2.5.2.drv-0/zynaddsubfx-2.5.2/src/UI/guimain.cpp:571:28: error: format not a string literal and no format arguments [-Werror=format-security]
+         printf(help_message);
+                            ^
+cc1plus: some warnings being treated as errors
+    </programlisting></listitem>
+  </varlistentry>
+
+  <varlistentry>
+    <term><varname>stackprotector</varname></term>
+    <listitem>
+    <para>Adds the <option>-fstack-protector-strong
+    --param ssp-buffer-size=4</option>
+    compiler options. This adds safety checks against stack overwrites
+    rendering many potential code injection attacks into aborting situations.
+    In the best case this turns code injection vulnerabilities into denial
+    of service or into non-issues (depending on the application).</para>
+
+    <para>This needs to be turned off or fixed for errors similar to:</para>
+
+    <programlisting>
+bin/blib.a(bios_console.o): In function `bios_handle_cup':
+/tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail'
+    </programlisting></listitem>
+  </varlistentry>
+
+  <varlistentry>
+    <term><varname>fortify</varname></term>
+    <listitem>
+    <para>Adds the <option>-O2 -D_FORTIFY_SOURCE=2</option> compiler
+    options. During code generation the compiler knows a great deal of
+    information about buffer sizes (where possible), and attempts to replace
+    insecure unlimited length buffer function calls with length-limited ones.
+    This is especially useful for old, crufty code. Additionally, format
+    strings in writable memory that contain '%n' are blocked. If an application
+    depends on such a format string, it will need to be worked around.
+    </para>
+
+    <para>Addtionally, some warnings are enabled which might trigger build
+    failures if compiler warnings are treated as errors in the package build.
+    In this case, set <option>NIX_CFLAGS_COMPILE</option> to
+    <option>-Wno-error=warning-type</option>.</para>
+
+    <para>This needs to be turned off or fixed for errors similar to:</para>
+
+    <programlisting>
+malloc.c:404:15: error: return type is an incomplete type
+malloc.c:410:19: error: storage size of 'ms' isn't known
+    </programlisting>
+    <programlisting>
+strdup.h:22:1: error: expected identifier or '(' before '__extension__'
+    </programlisting>
+    <programlisting>
+strsep.c:65:23: error: register name not specified for 'delim'
+    </programlisting>
+    <programlisting>
+installwatch.c:3751:5: error: conflicting types for '__open_2'
+    </programlisting>
+    <programlisting>
+fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments
+    </programlisting>
+    </listitem>
+  </varlistentry>
+
+  <varlistentry>
+    <term><varname>pic</varname></term>
+    <listitem>
+    <para>Adds the <option>-fPIC</option> compiler options. This options adds
+    support for position independant code in shared libraries and thus making
+    ASLR possible.</para>
+    <para>Most notably, the Linux kernel, kernel modules and other code
+    not running in an operating system environment like boot loaders won't
+    build with PIC enabled. The compiler will is most cases complain that
+    PIC is not supported for a specific build.
+    </para>
+
+    <para>This needs to be turned off or fixed for assembler errors similar to:</para>
+
+    <programlisting>
+ccbLfRgg.s: Assembler messages:
+ccbLfRgg.s:33: Error: missing or invalid displacement expression `private_key_len@GOTOFF'
+    </programlisting>
+    </listitem>
+  </varlistentry>
+
+  <varlistentry>
+    <term><varname>strictoverflow</varname></term>
+    <listitem>
+    <para>Signed integer overflow is undefined behaviour according to the C
+    standard. If it happens, it is an error in the program as it should check
+    for overflow before it can happen, not afterwards. GCC provides built-in
+    functions to perform arithmetic with overflow checking, which are correct
+    and faster than any custom implementation. As a workaround, the option
+    <option>-fno-strict-overflow</option> makes gcc behave as if signed
+    integer overflows were defined.
+    </para>
+
+    <para>This flag should not trigger any build or runtime errors.</para>
+    </listitem>
+  </varlistentry>
+
+  <varlistentry>
+    <term><varname>relro</varname></term>
+    <listitem>
+    <para>Adds the <option>-z relro</option> linker option. During program
+    load, several ELF memory sections need to be written to by the linker,
+    but can be turned read-only before turning over control to the program.
+    This prevents some GOT (and .dtors) overwrite attacks, but at least the
+    part of the GOT used by the dynamic linker (.got.plt) is still vulnerable.
+    </para>
+
+    <para>This flag can break dynamic shared object loading. For instance, the
+    module systems of Xorg and OpenCV are incompatible with this flag. In almost
+    all cases the <varname>bindnow</varname> flag must also be disabled and
+    incompatible programs typically fail with similar errors at runtime.</para>
+    </listitem>
+  </varlistentry>
+
+  <varlistentry>
+    <term><varname>bindnow</varname></term>
+    <listitem>
+    <para>Adds the <option>-z bindnow</option> linker option. During program
+    load, all dynamic symbols are resolved, allowing for the complete GOT to
+    be marked read-only (due to <varname>relro</varname>). This prevents GOT
+    overwrite attacks. For very large applications, this can incur some
+    performance loss during initial load while symbols are resolved, but this
+    shouldn't be an issue for daemons.
+    </para>
+
+    <para>This flag can break dynamic shared object loading. For instance, the
+    module systems of Xorg and PHP are incompatible with this flag. Programs
+    incompatible with this flag often fail at runtime due to missing symbols,
+    like:</para>
+
+    <programlisting>
+intel_drv.so: undefined symbol: vgaHWFreeHWRec
+    </programlisting>
+    </listitem>
+  </varlistentry>
+
+</variablelist>
+
+<para>The following flags are disabled by default and should be enabled
+for packages that take untrusted input, like network services.
+</para>
+
+<variablelist>
+
+  <varlistentry>
+    <term><varname>pie</varname></term>
+    <listitem>
+    <para>Adds the <option>-fPIE</option> compiler and <option>-pie</option>
+    linker options. Position Independent Executables are needed to take
+    advantage of Address Space Layout Randomization, supported by modern
+    kernel versions. While ASLR can already be enforced for data areas in
+    the stack and heap (brk and mmap), the code areas must be compiled as
+    position-independent. Shared libraries already do this with the
+    <varname>pic</varname> flag, so they gain ASLR automatically, but binary
+    .text regions need to be build with <varname>pie</varname> to gain ASLR.
+    When this happens, ROP attacks are much harder since there are no static
+    locations to bounce off of during a memory corruption attack.
+    </para>
+    </listitem>
+  </varlistentry>
+
+</variablelist>
+
+<para>For more in-depth information on these hardening flags and hardening in
+general, refer to the
+<link xlink:href="https://wiki.debian.org/Hardening">Debian Wiki</link>,
+<link xlink:href="https://wiki.ubuntu.com/Security/Features">Ubuntu Wiki</link>,
+<link xlink:href="https://wiki.gentoo.org/wiki/Project:Hardened">Gentoo Wiki</link>,
+and the <link xlink:href="https://wiki.archlinux.org/index.php/DeveloperWiki:Security">
+Arch Wiki</link>.
+</para>
+
+</section>
 
 </chapter>
 

nixos/modules/config/gnu.nix

@@ -37,6 +37,7 @@ with lib;
     services.openssh.enable = false;
     services.lshd.enable = true;
     programs.ssh.startAgent = false;
+    services.xserver.startGnuPGAgent = true;
 
     # TODO: GNU dico.
     # TODO: GNU Inetutils' inetd.

nixos/modules/system/boot/loader/grub/grub.nix

@@ -341,7 +341,7 @@ in
         default = false;
         type = types.bool;
         description = ''
-          Whether GRUB should be build against libzfs.
+          Whether GRUB should be built against libzfs.
           ZFS support is only available for GRUB v2.
           This option is ignored for GRUB v1.
         '';
@@ -351,7 +351,7 @@ in
         default = false;
         type = types.bool;
         description = ''
-          Whether GRUB should be build with EFI support.
+          Whether GRUB should be built with EFI support.
           EFI support is only available for GRUB v2.
           This option is ignored for GRUB v1.
         '';

nixos/tests/boot-stage1.nix

@@ -8,6 +8,7 @@ import ./make-test.nix ({ pkgs, ... }: {
         kdev = config.boot.kernelPackages.kernel.dev;
         kver = config.boot.kernelPackages.kernel.modDirVersion;
         ksrc = "${kdev}/lib/modules/${kver}/build";
+        hardeningDisable = [ "pic" ];
       } ''
         echo "obj-m += $name.o" > Makefile
         echo "$source" > "$name.c"

pkgs/applications/audio/aacgain/default.nix

@@ -2,6 +2,7 @@
 
 stdenv.mkDerivation {
   name = "aacgain-1.9.0";
+
   src = fetchFromGitHub {
     owner = "mulx";
     repo = "aacgain";
@@ -9,6 +10,8 @@ stdenv.mkDerivation {
     sha256 = "07hl432vsscqg01b6wr99qmsj4gbx0i02x4k565432y6zpfmaxm0";
   };
 
+  hardeningDisable = [ "format" ];
+
   configurePhase = ''
     cd mp4v2
     ./configure

pkgs/applications/audio/cdparanoia/default.nix

@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80";
   };
 
+  hardeningDisable = [ "format" ];
+
   preConfigure = "unset CC";
 
   patches = stdenv.lib.optionals stdenv.isDarwin [

pkgs/applications/audio/csound/default.nix

@@ -16,6 +16,8 @@ stdenv.mkDerivation {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "format" ];
+
   src = fetchurl {
     url = mirror://sourceforge/csound/Csound6.04.tar.gz;
     sha256 = "1030w38lxdwjz1irr32m9cl0paqmgr02lab2m7f7j1yihwxj1w0g";

pkgs/applications/audio/freewheeling/default.nix

@@ -19,6 +19,8 @@ stdenv.mkDerivation {
 
   patches = [ ./am_path_sdl.patch ./xml.patch ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "A live looping instrument with JACK and MIDI support";
     longDescription = ''

pkgs/applications/audio/gjay/default.nix

@@ -13,6 +13,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ mpd_clientlib dbus_glib audacious gtk gsl libaudclient ];
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "Generates playlists such that each song sounds good following the previous song";
     homepage = http://gjay.sourceforge.net/;

pkgs/applications/audio/jack-capture/default.nix

@@ -18,6 +18,8 @@ stdenv.mkDerivation rec {
     cp jack_capture $out/bin/
   '';
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "A program for recording soundfiles with jack";
     homepage = http://archive.notam02.no/arkiv/src;

pkgs/applications/audio/lingot/default.nix

@@ -8,6 +8,8 @@ stdenv.mkDerivation {
     sha256 = "0ygras6ndw2fylwxx86ac11pcr2y2bcfvvgiwrh92z6zncx254gc";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ pkgconfig intltool gtk alsaLib libglade ];
 
   configureFlags = "--disable-jack";

pkgs/applications/audio/mi2ly/default.nix

@@ -21,6 +21,8 @@ stdenv.mkDerivation {
 
   sourceRoot=".";
 
+  hardeningDisable = [ "format" ];
+
   buildPhase = "./cc";
   installPhase = ''
     mkdir -p "$out"/{bin,share/doc/mi2ly}

pkgs/applications/audio/mp3info/default.nix

@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ ncurses pkgconfig gtk ];
 
+  hardeningDisable = [ "format" ];
+
   configurePhase =
     '' sed -i Makefile \
            -e "s|^prefix=.*$|prefix=$out|g ;

pkgs/applications/audio/mp3val/default.nix

@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
     install -Dv mp3val "$out/bin/mp3val"
   '';
 
+  hardeningDisable = [ "fortify" ];
+
   meta = {
     description = "A tool for validating and repairing MPEG audio streams";
     longDescription = ''

pkgs/applications/audio/mpg321/default.nix

@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
   };
 
+  hardeningDisable = [ "format" ];
+
   configureFlags = [
     ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no"))
   ];

pkgs/applications/audio/musescore/default.nix

@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
     sha256 = "067f4li48qfhz2barj70zpf2d2mlii12npx07jx9xjkkgz84z4c9";
   };
 
+  hardeningDisable = [ "relro" "bindnow" ];
+
   makeFlags = [
     "PREFIX=$(out)"
   ];

pkgs/applications/audio/pd-plugins/cyclone/default.nix

@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ puredata ];
 
+  hardeningDisable = [ "format" ];
+
   patchPhase = ''
     for file in `grep -r -l g_canvas.h`
       do

pkgs/applications/audio/pd-plugins/maxlib/default.nix

@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ puredata ];
 
+  hardeningDisable = [ "format" ];
+
   patchPhase = ''
     for i in ${puredata}/include/pd/*; do
       ln -s $i .

pkgs/applications/audio/pd-plugins/mrpeach/default.nix

@@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ puredata ];
 
+  hardeningDisable = [ "format" ];
+
   patchPhase = ''
     for D in net osc
     do

pkgs/applications/audio/qmidinet/default.nix

@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "1a1pj4w74wj1gcfv4a0vzcglmr5sw0xp0y56w8rk3ig4k11xi8sa";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ qt4 alsaLib libjack2 ];
 
   meta = with stdenv.lib; {

pkgs/applications/audio/rakarrack/default.nix

@@ -10,6 +10,8 @@ stdenv.mkDerivation  rec {
     sha256 = "1rpf63pdn54c4yg13k7cb1w1c7zsvl97c4qxcpz41c8l91xd55kn";
   };
 
+  hardeningDisable = [ "format" ];
+
   patches = [ ./fltk-path.patch ];
 
   buildInputs = [ alsaLib alsaUtils fltk libjack2 libXft libXpm libjpeg

pkgs/applications/audio/x42-plugins/default.nix

@@ -1,5 +1,5 @@
 { stdenv, fetchurl, fetchgit, ftgl, freefont_ttf, libjack2, mesa_glu, pkgconfig
-, libltc, libsndfile, libsamplerate
+, libltc, libsndfile, libsamplerate, xz
 , lv2, mesa, gtk2, cairo, pango, fftwFloat, zita-convolver }:
 
 stdenv.mkDerivation rec {
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
     sha256 = "1ald0c5xbfkdq6g5xwyy8wmbi636m3k3gqrq16kbh46g0kld1as9";
   };
 
-  buildInputs = [ mesa_glu ftgl freefont_ttf libjack2 libltc libsndfile libsamplerate lv2 mesa gtk2 cairo pango fftwFloat pkgconfig  zita-convolver];
+  buildInputs = [ xz mesa_glu ftgl freefont_ttf libjack2 libltc libsndfile libsamplerate lv2 mesa gtk2 cairo pango fftwFloat pkgconfig  zita-convolver];
 
   makeFlags = [ "PREFIX=$(out)" "FONTFILE=${freefont_ttf}/share/fonts/truetype/FreeSansBold.ttf" "LIBZITACONVOLVER=${zita-convolver}/include/zita-convolver.h" ];
 

pkgs/applications/audio/zynaddsubfx/default.nix

@@ -14,6 +14,8 @@ stdenv.mkDerivation  rec {
   buildInputs = [ alsaLib libjack2 fftw fltk13 libjpeg minixml zlib liblo ];
   nativeBuildInputs = [ cmake pkgconfig ];
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "High quality software synthesizer";
     homepage = http://zynaddsubfx.sourceforge.net;

pkgs/applications/editors/bviplus/default.nix

@@ -1,19 +1,23 @@
-{ stdenv, lib, fetchurl, ncurses }:
+{ stdenv, fetchurl, ncurses }:
 
 stdenv.mkDerivation rec {
   name = "bviplus-${version}";
   version = "0.9.4";
+
   src = fetchurl {
     url = "mirror://sourceforge/project/bviplus/bviplus/${version}/bviplus-${version}.tgz";
     sha256 = "10x6fbn8v6i0y0m40ja30pwpyqksnn8k2vqd290vxxlvlhzah4zb";
   };
+
   buildInputs = [
     ncurses
   ];
+
   makeFlags = "PREFIX=$(out)";
+
   buildFlags = [ "CFLAGS=-fgnu89-inline" ];
 
-  meta = with lib; {
+  meta = with stdenv.lib; {
     description = "Ncurses based hex editor with a vim-like interface";
     homepage = http://bviplus.sourceforge.net;
     license = licenses.gpl3;

pkgs/applications/editors/emacs-25/default.nix

@@ -56,6 +56,8 @@ stdenv.mkDerivation rec {
 
   propagatedBuildInputs = stdenv.lib.optionals stdenv.isDarwin [ AppKit GSS ImageIO ];
 
+  hardeningDisable = [ "format" ];
+
   configureFlags =
     (if stdenv.isDarwin
       then [ "--with-ns" "--disable-ns-self-contained" ]

pkgs/applications/editors/ht/default.nix

@@ -3,13 +3,18 @@
 stdenv.mkDerivation rec {
   name = "ht-${version}";
   version = "2.1.0";
+
   src = fetchurl {
     url = "mirror://sourceforge/project/hte/ht-source/ht-${version}.tar.bz2";
     sha256 = "0w2xnw3z9ws9qrdpb80q55h6ynhh3aziixcfn45x91bzrbifix9i";
   };
+
   buildInputs = [
     ncurses
   ];
+
+  hardeningDisable = [ "format" ];
+
   meta = with lib; {
     description = "File editor/viewer/analyzer for executables";
     homepage = "http://hte.sourceforge.net";

pkgs/applications/editors/leafpad/default.nix

@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ intltool pkgconfig gtk ];
 
+  hardeningDisable = [ "format" ];
+
   configureFlags = [
     "--enable-chooser"
   ];

pkgs/applications/editors/nedit/default.nix

@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "1v8y8vwj3kn91crsddqkz843y6csgw7wkjnd3zdcb4bcrf1pjrsk";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ xlibsWrapper motif libXpm ];
 
   buildFlags = if stdenv.isLinux then "linux" else

pkgs/applications/editors/neovim/default.nix

@@ -99,6 +99,9 @@ let
       "-DLUA_PRG=${luaPackages.lua}/bin/lua"
     ];
 
+    # triggers on buffer overflow bug while running tests
+    hardeningDisable = [ "fortify" ];
+
     preConfigure = ''
       substituteInPlace runtime/autoload/man.vim \
         --replace /usr/bin/man ${man}/bin/man

pkgs/applications/editors/vim/configurable.nix

@@ -192,6 +192,8 @@ composableDerivation {
 
   dontStrip = 1;
 
+  hardeningDisable = [ "fortify" ];
+
   meta = with stdenv.lib; {
     description = "The most popular clone of the VI editor";
     homepage    = http://www.vim.org;

pkgs/applications/editors/vim/default.nix

@@ -30,6 +30,8 @@ stdenv.mkDerivation rec {
     "--enable-nls"
   ];
 
+  hardeningDisable = [ "fortify" ];
+
   postInstall = ''
     ln -s $out/bin/vim $out/bin/vi
     mkdir -p $out/share/vim

pkgs/applications/graphics/cinepaint/default.nix

@@ -18,14 +18,14 @@ stdenv.mkDerivation rec {
     libXext libXpm libXau libXxf86vm pixman libpthreadstubs fltk
   ];
 
+  hardeningDisable = [ "format" ];
+
   patches = [ ./install.patch ];
 
   nativeBuildInputs = [ cmake pkgconfig ];
 
   NIX_LDFLAGS = "-llcms -ljpeg -lX11";
 
-  # NIX_CFLAGS_COMPILE = "-I.";
-
   meta = {
     homepage = http://www.cinepaint.org/;
     license = stdenv.lib.licenses.free;

pkgs/applications/graphics/fontmatrix/default.nix

@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ cmake ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "Fontmatrix is a free/libre font explorer for Linux, Windows and Mac";
     homepage = http://fontmatrix.be/;

pkgs/applications/graphics/giv/default.nix

@@ -11,8 +11,7 @@ stdenv.mkDerivation rec {
     sha256 = "1sz2n7jbmg3g97bs613xxjpzqbsl5rvpg6v7g3x3ycyd35r8vsfp";
   };
 
-  # It built code to be put in a shared object without -fPIC
+  hardeningDisable = [ "format" ];
-  NIX_CFLAGS_COMPILE = "-fPIC";
 
   prePatch = ''
     sed -i s,/usr/bin/perl,${perl}/bin/perl, doc/eperl

pkgs/applications/graphics/gqview/default.nix

@@ -15,6 +15,8 @@ stdenv.mkDerivation {
 
   buildInputs = [pkgconfig gtk libpng];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "A fast image viewer";
     homepage = http://gqview.sourceforge.net;

pkgs/applications/graphics/kipi-plugins/default.nix

@@ -25,6 +25,6 @@ stdenv.mkDerivation rec {
     homepage = http://www.kipi-plugins.org;
     inherit (kdelibs.meta) platforms;
     maintainers = with stdenv.lib.maintainers; [ viric urkud ];
-    broken = true; # it should be build from digikam sources, perhaps together
+    broken = true; # it should be built from digikam sources, perhaps together
   };
 }

pkgs/applications/graphics/meshlab/default.nix

@@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
 
   patches = [ ./include-unistd.diff ];
 
+  hardeningDisable = [ "format" ];
+
   buildPhase = ''
     mkdir -p "$out/include"
     export NIX_LDFLAGS="-rpath $out/opt/meshlab $NIX_LDFLAGS"

pkgs/applications/graphics/qtpfsgui/default.nix

@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ qt4 exiv2 openexr fftwSinglePrec libtiff ];
   nativeBuildInputs = [ qmake4Hook ];
 
+  hardeningDisable = [ "format" ];
+
   preConfigure = ''
     export CPATH="${ilmbase}/include/OpenEXR:$CPATH"
   '';

pkgs/applications/graphics/tesseract/default.nix

@@ -38,6 +38,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ autoconf automake libtool leptonica libpng libtiff ];
 
+  hardeningDisable = [ "format" ];
+
   preConfigure = ''
       ./autogen.sh
       substituteInPlace "configure" \

pkgs/applications/graphics/xaos/default.nix

@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
     sha256 = "15cd1cx1dyygw6g2nhjqq3bsfdj8sj8m4va9n75i0f3ryww3x7wq";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [
     aalib gsl libpng libX11 xproto libXext xextproto
     libXt zlib gettext intltool perl

pkgs/applications/graphics/xfig/default.nix

@@ -16,6 +16,8 @@ stdenv.mkDerivation {
 
   nativeBuildInputs = [ imake makeWrapper ];
 
+  hardeningDisable = [ "format" ];
+
   NIX_CFLAGS_COMPILE = "-I${libXpm.dev}/include/X11";
 
   patches =

pkgs/applications/graphics/zgv/default.nix

@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ SDL SDL_image pkgconfig libjpeg libpng libtiff ];
 
+  hardeningDisable = [ "format" ];
+
   makeFlags = [
     "BACKEND=SDL"
   ];

pkgs/applications/inferno/default.nix

@@ -46,6 +46,8 @@ stdenv.mkDerivation rec {
       --set INFERNO_ROOT "$out/share/inferno"
   '';
 
+  hardeningDisable = [ "fortify" ];
+
   meta = {
     description = "A compact distributed operating system for building cross-platform distributed systems";
     homepage = "http://inferno-os.org/";

pkgs/applications/misc/epdfview/default.nix

@@ -1,11 +1,17 @@
 { stdenv, fetchurl, fetchpatch, pkgconfig, gtk, poppler }:
+
 stdenv.mkDerivation rec {
   name = "epdfview-0.1.8";
+
   src = fetchurl {
     url = "http://trac.emma-soft.com/epdfview/chrome/site/releases/${name}.tar.bz2";
     sha256 = "1w7qybh8ssl4dffi5qfajq8mndw7ipsd92vkim03nywxgjp4i1ll";
   };
+
   buildInputs = [ pkgconfig gtk poppler ];
+
+  hardeningDisable = [ "format" ];
+
   patches = [ (fetchpatch {
                 name = "epdfview-0.1.8-glib2-headers.patch";
                 url = "https://projects.archlinux.org/svntogit/community.git/plain/trunk/epdfview-0.1.8-glib2-headers.patch?h=packages/epdfview&id=40ba115c860bdec31d03a30fa594a7ec2864d634";
@@ -17,6 +23,7 @@ stdenv.mkDerivation rec {
                 sha256 = "07yvgvai2bvbr5fa1mv6lg7nqr0qyryjn1xyjlh8nidg9k9vv001";
               })
             ];
+
   meta = {
     homepage = http://trac.emma-soft.com/epdfview/;
     description = "A lightweight PDF document viewer using Poppler and GTK+";

pkgs/applications/misc/gkrellm/default.nix

@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
   buildInputs = [gettext pkgconfig glib gtk libX11 libSM libICE]
     ++ stdenv.lib.optionals stdenv.isDarwin [ IOKit ];
 
+  hardeningDisable = [ "format" ];
+
   # Makefiles are patched to fix references to `/usr/X11R6' and to add
   # `-lX11' to make sure libX11's store path is in the RPATH.
   patchPhase = ''

pkgs/applications/misc/gksu/default.nix

@@ -24,6 +24,8 @@ stdenv.mkDerivation rec {
     libgksu
   ];
 
+  hardeningDisable = [ "format" ];
+
   patches = [
     # https://savannah.nongnu.org/bugs/index.php?36127
     ./gksu-2.0.2-glib-2.31.patch

pkgs/applications/misc/grip/default.nix

@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ gtk glib pkgconfig libgnome libgnomeui vte curl cdparanoia
     libid3tag ncurses libtool ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "GTK+-based audio CD player/ripper";
     homepage = "http://nostatic.org/grip";

pkgs/applications/misc/k2pdfopt/default.nix

@@ -31,6 +31,8 @@ in stdenv.mkDerivation rec {
                     openjpeg freetype jbig2dec djvulibre openssl ];
   NIX_LDFLAGS = "-lX11 -lXext";
 
+  hardeningDisable = [ "format" ];
+
   k2_pa = ./k2pdfopt.patch;
   tess_pa = ./tesseract.patch;
 

pkgs/applications/misc/milu/default.nix

@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
     owner = "yuejia";
   };
 
+  hardeningDisable = [ "format" ];
+
   preConfigure = ''
     sed -i 's#/usr/bin/##g' Makefile
     sed -i "s#-lclang#-L$(clang --print-search-dirs |

pkgs/applications/misc/navit/default.nix

@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "1xx62l5srfhh9cfi7n3pxj8hpcgr1rpa0hzfmbrqadzv09z36723";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ gtk SDL fontconfig freetype imlib2 SDL_image mesa
     libXmu freeglut python gettext quesoglc gd postgresql qt4 SDL_ttf fribidi ];
 

pkgs/applications/misc/posterazor/default.nix

@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "1dqpdk8zl0smdg4fganp3hxb943q40619qmxjlga9jhjc01s7fq5";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ cmake unzip pkgconfig libXpm fltk13 freeimage ];
 
   unpackPhase = ''

pkgs/applications/misc/sdcv/default.nix

@@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
     sha256 = "1cnyv7gd1qvz8ma8545d3aq726wxrx4km7ykl97831irx5wz0r51";
   };
 
+  hardeningDisable = [ "format" ];
+
   patches = ( if stdenv.isDarwin
               then [ ./sdcv.cpp.patch-darwin ./utils.hpp.patch ]
               else [ ./sdcv.cpp.patch ] );

pkgs/applications/misc/tasknc/default.nix

@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "0max5schga9hmf3vfqk2ic91dr6raxglyyjcqchzla280kxn5c28";
   };
 
+  hardeningDisable = [ "format" ];
+
   #
   # I know this is ugly, but the Makefile does strange things in this package,
   # so we have to:

pkgs/applications/misc/vym/default.nix

@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "1x4qp6wpszscbbs4czkfvskm7qjglvxm813nqv281bpy4y1hhvgs";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ pkgconfig qt4 qmake4Hook ];
 
   meta = with stdenv.lib; {

pkgs/applications/misc/wordnet/default.nix

@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 
   buildInputs = [tcl tk xlibsWrapper makeWrapper];
 
+  hardeningDisable = [ "format" ];
+
   patchPhase = ''
     sed "13i#define USE_INTERP_RESULT 1" -i src/stubs.c
   '';

pkgs/applications/misc/xpdf/default.nix

@@ -25,6 +25,8 @@ stdenv.mkDerivation {
   # Debian uses '-fpermissive' to bypass some errors on char* constantness.
   CXXFLAGS = "-O2 -fpermissive";
 
+  hardeningDisable = [ "format" ];
+
   configureFlags = "--enable-a4-paper";
 
   postInstall = stdenv.lib.optionalString (base14Fonts != null) ''

pkgs/applications/networking/browsers/vimprobable2/default.nix

@@ -11,9 +11,9 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ];
 
-  installPhase = ''
+  hardeningDisable = [ "format" ];
-    make PREFIX=/ DESTDIR=$out install
+
-  '';
+  installFlags = "PREFIX=/ DESTDIR=$(out)";
 
   preFixup = ''
     wrapProgram "$out/bin/vimprobable2" \

pkgs/applications/networking/browsers/w3m/default.nix

@@ -50,6 +50,8 @@ stdenv.mkDerivation rec {
     ln -s $out/libexec/w3m/w3mimgdisplay $out/bin
   '';
 
+  hardeningDisable = [ "format" ];
+
   configureFlags = "--with-ssl=${openssl.dev} --with-gc=${boehmgc.dev}"
     + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb";
 

pkgs/applications/networking/ike/default.nix

@@ -33,7 +33,7 @@ stdenv.mkDerivation rec {
   installPhase = ''
     make install
     for file in "$out"/bin/* "$out"/sbin/*; do
-        wrapProgram $file --prefix LD_LIBRARY_PATH ":" "$out/lib:${stdenv.lib.makeLibraryPath [ openssl gcc.cc stdenv.glibc libedit qt4 ]}"
+        wrapProgram $file --prefix LD_LIBRARY_PATH ":" "$out/lib:${stdenv.lib.makeLibraryPath [ openssl gcc.cc stdenv.cc.libc libedit qt4 ]}"
     done
   '';
 

pkgs/applications/networking/instant-messengers/silc-client/default.nix

@@ -19,6 +19,8 @@ stdenv.mkDerivation {
 
   dontDisableStatic = true;
 
+  hardeningDisable = [ "format" ];
+
   configureFlags = "--with-ncurses=${ncurses.dev}";
 
   preConfigure = stdenv.lib.optionalString enablePlugin ''

pkgs/applications/networking/instant-messengers/vacuum/default.nix

@@ -27,6 +27,8 @@ stdenv.mkDerivation rec {
     qmakeFlags="$qmakeFlags INSTALL_PREFIX=$out"
   '';
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "An XMPP client fully composed of plugins";
     maintainers = [ maintainers.raskin ];

pkgs/applications/networking/ipfs/default.nix

@@ -1,6 +1,6 @@
-{ stdenv, buildGo15Package, fetchFromGitHub }:
+{ stdenv, buildGoPackage, fetchFromGitHub }:
 
-buildGo15Package rec {
+buildGoPackage rec {
   name = "ipfs-${version}";
   version = "i20160112--${stdenv.lib.strings.substring 0 7 rev}";
   rev = "7070b4d878baad57dcc8da80080dd293aa46cabd";
@@ -17,5 +17,6 @@ buildGo15Package rec {
   meta = with stdenv.lib; {
     description = "A global, versioned, peer-to-peer filesystem";
     license = licenses.mit;
+    broken = true;
   };
 }

pkgs/applications/networking/iptraf-ng/default.nix

@@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
                 --localstatedir=$out/var --sbindir=$out/bin
   '';
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "A console-based network monitoring utility (fork of iptraf)";
     longDescription = ''

pkgs/applications/networking/iptraf/default.nix

@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "12n059j9iihhpf6spmlaspqzxz3wqan6kkpnhmlj08jdijpnk84m";
   };
 
+  hardeningDisable = [ "format" ];
+
   patchPhase = ''
     sed -i -e 's,#include <linux/if_tr.h>,#include <netinet/if_tr.h>,' src/*
   '';

pkgs/applications/networking/irc/bip/default.nix

@@ -30,10 +30,7 @@ in stdenv.mkDerivation {
     }
   ];
 
-  postPatch = ''
+  NIX_CFLAGS_COMPILE = "-Wno-error=unused-result";
-  '';
-
-  configureFlags = [ "--disable-pie" ];
 
   buildInputs = [ bison flex autoconf automake openssl ];
 

pkgs/applications/networking/irc/wraith/default.nix

@@ -10,6 +10,7 @@ mkDerivation rec {
     url = "mirror://sourceforge/wraithbotpack/wraith-v${version}.tar.gz";
     sha256 = "0h6liac5y7im0jfm2sj18mibvib7d1l727fjs82irsjj1v9kif3j";
   };
+  hardeningDisable = [ "format" ];
   buildInputs = [ openssl ];
   patches = [ ./configure.patch ./dlopen.patch ];
   postPatch = ''

pkgs/applications/networking/mailreaders/alpine/default.nix

@@ -1,37 +1,38 @@
 {stdenv, fetchurl, ncurses, tcl, openssl, pam, pkgconfig, gettext, kerberos
 , openldap
 }:
+
 # NOTE: Please check if any changes here are applicable to ../realpine/ as well
 let
-  s = 
-  rec {
   version = "2.00";
+  baseName = "alpine";
+in
+stdenv.mkDerivation {
+  name = "${baseName}-${version}";
+
+  src = fetchurl {
     url = "ftp://ftp.cac.washington.edu/alpine/alpine-${version}.tar.bz2";
     sha256 = "19m2w21dqn55rhxbh5lr9qarc2fqa9wmpj204jx7a0zrb90bhpf8";
-    baseName = "alpine";
-    name = "${baseName}-${version}";
   };
+
   buildInputs = [
     ncurses tcl openssl pam kerberos openldap
   ];
-in
+
-stdenv.mkDerivation {
+  hardeningDisable = [ "format" "fortify" ];
-  inherit (s) name version;
+
-  inherit buildInputs;
-  src = fetchurl {
-    inherit (s) url sha256;
-  };
   configureFlags = [
     "--with-ssl-include-dir=${openssl.dev}/include/openssl"
     "--with-tcl-lib=${tcl.libPrefix}"
     "--with-passfile=.pine-passfile"
   ];
+
   preConfigure = ''
     export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
   '';
+
   meta = {
-    inherit (s) version;
+    description = "Console mail reader";
-    description = ''Console mail reader'';
     license = stdenv.lib.licenses.asl20;
     maintainers = [stdenv.lib.maintainers.raskin];
     platforms = stdenv.lib.platforms.linux;

pkgs/applications/networking/mailreaders/realpine/default.nix

@@ -3,35 +3,36 @@
 }:
 # NOTE: Please check if any changes here are applicable to ../alpine/ as well
 let
-  s = 
+  baseName = "re-alpine";
-  rec {
   version = "2.03";
+in
+stdenv.mkDerivation {
+  name = "${baseName}-${version}";
+  inherit version;
+
+  src = fetchurl {
     url = "mirror://sourceforge/re-alpine/re-alpine-${version}.tar.bz2";
     sha256 = "11xspzbk9cwmklmcw6rxsan7j71ysd4m9c7qldlc59ck595k5nbh";
-    baseName = "re-alpine";
-    name = "${baseName}-${version}";
   };
+
   buildInputs = [
     ncurses tcl openssl pam kerberos openldap
   ];
-in
+
-stdenv.mkDerivation {
+  hardeningDisable = [ "format" ];
-  inherit (s) name version;
+
-  inherit buildInputs;
-  src = fetchurl {
-    inherit (s) url sha256;
-  };
   configureFlags = [
     "--with-ssl-include-dir=${openssl.dev}/include/openssl"
     "--with-tcl-lib=${tcl.libPrefix}"
     "--with-passfile=.pine-passfile"
   ];
+
   preConfigure = ''
     export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
   '';
+
   meta = {
-    inherit (s) version;
+    description = "Console mail reader";
-    description = ''Console mail reader'';
     license = stdenv.lib.licenses.asl20;
     maintainers = [stdenv.lib.maintainers.raskin];
     platforms = stdenv.lib.platforms.linux;

pkgs/applications/networking/remote/ssvnc/default.nix

@@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
 
   configurePhase = "makeFlags=PREFIX=$out";
 
+  hardeningDisable = [ "format" ];
+
   postInstall = ''
     sed -i -e 's|exec wish|exec ${tk}/bin/wish|' $out/lib/ssvnc/util/ssvnc.tcl
     sed -i -e 's|/usr/bin/perl|${perl}/bin/perl|' $out/lib/ssvnc/util/ss_vncviewer

pkgs/applications/science/electronics/caneda/default.nix

@@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
     sha256 = "dfbcac97f5a1b41ad9a63392394f37fb294cbf78c576673c9bc4a5370957b2c8";
   };
 
-  cmakeFlags = [ "-DCMAKE_BUILD_TYPE=Release" ];
+  hardeningDisable = [ "format" ];
 
   buildInputs = [ cmake qt4 libxml2 libxslt ];
 

pkgs/applications/science/electronics/qfsm/default.nix

@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   patches = [ ./drop-hardcoded-prefix.patch ];
 
+  hardeningDisable = [ "format" ];
+
   enableParallelBuilding = true;
 
   meta = {

pkgs/applications/science/geometry/drgeo/default.nix

@@ -5,6 +5,8 @@ stdenv.mkDerivation rec {
   name = "drgeo-${version}";
   version = "1.1.0";
 
+  hardeningDisable = [ "format" ];
+
   src = fetchurl {
     url = "mirror://sourceforge/ofset/${name}.tar.gz";
     sha256 = "05i2czgzhpzi80xxghinvkyqx4ym0gm9f38fz53idjhigiivp4wc";

pkgs/applications/science/logic/boolector/default.nix

@@ -23,10 +23,11 @@ let
   license = with stdenv.lib.licenses; if useV16 then unfreeRedistributable else gpl3;
 in
 stdenv.mkDerivation (boolectorPkg // {
-  buildInputs = [ zlib ];
+  buildInputs = [
-  enableParallelBuilding = false;
+    zlib zlib.static (stdenv.lib.getOutput "static" stdenv.cc.libc)
+  ];
 
-  buildPhase = "./build.sh";
+  enableParallelBuilding = false;
 
   installPhase = ''
     mkdir -p $out/bin $out/lib $out/include

pkgs/applications/science/logic/ltl2ba/default.nix

@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "16z0gc7a9dkarwn0l6rvg5jdhw1q4qyn4501zlchy0zxqddz0sx6";
   };
 
+  hardeningDisable = [ "format" ];
+
   preConfigure = ''
     substituteInPlace Makefile \
     --replace "CC=gcc" ""

pkgs/applications/science/logic/otter/default.nix

@@ -17,6 +17,9 @@ stdenv.mkDerivation {
   src = fetchurl {
     inherit (s) url sha256;
   };
+
+  hardeningDisable = [ "format" ];
+
   buildPhase = ''
     find . -name Makefile | xargs sed -i -e "s@/bin/rm@$(type -P rm)@g"
     find . -name Makefile | xargs sed -i -e "s@/bin/mv@$(type -P mv)@g"
@@ -32,11 +35,13 @@ stdenv.mkDerivation {
     make -C source/formed realclean
     make -C source/formed formed
   '';
+
   installPhase = ''
     mkdir -p "$out"/{bin,share/otter}
     cp bin/* source/formed/formed "$out/bin/"
     cp -r examples examples-mace2 documents README* Legal Changelog Contents index.html "$out/share/otter/"
   '';
+
   meta = {
     inherit (s) version;
     description = "A reliable first-order theorem prover";

pkgs/applications/science/logic/prover9/default.nix

@@ -8,7 +8,7 @@ stdenv.mkDerivation {
     sha256 = "1l2i3d3h5z7nnbzilb6z92r0rbx0kh6yaxn2c5qhn3000xcfsay3";
   };
 
-  phases = "unpackPhase patchPhase buildPhase installPhase";
+  hardeningDisable = [ "format" ];
 
   patchPhase = ''
     RM=$(type -tp rm)
@@ -23,6 +23,8 @@ stdenv.mkDerivation {
 
   buildFlags = "all";
 
+  checkPhase = "make test1";
+
   installPhase = ''
     mkdir -p $out/bin
     cp bin/* $out/bin

pkgs/applications/science/math/cbc/default.nix

@@ -12,6 +12,8 @@ stdenv.mkDerivation {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ zlib bzip2 ];
 
   # FIXME: move share/coin/Data to a separate output?

pkgs/applications/science/math/perseus/default.nix

@@ -5,6 +5,8 @@ stdenv.mkDerivation {
   version = "4-beta";
   buildInputs = [ unzip ];
 
+  hardeningDisable = [ "stackprotector" ];
+
   src = fetchurl {
     url = "http://www.sas.upenn.edu/~vnanda/source/perseus_4_beta.zip";
     sha256 = "09brijnqabhgfjlj5wny0bqm5dwqcfkp1x5wif6yzdmqh080jybj";
@@ -30,7 +32,7 @@ stdenv.mkDerivation {
       around datasets arising from point samples, images, distance
       matrices and so forth.
     '';
-    homepage = "www.sas.upenn.edu/~vnanda/perseus/index.html";
+    homepage = "http://www.sas.upenn.edu/~vnanda/perseus/index.html";
     license = stdenv.lib.licenses.gpl3;
     maintainers = with stdenv.lib.maintainers; [erikryb];
     platforms = stdenv.lib.platforms.linux;

pkgs/applications/science/math/qalculate-gtk/default.nix

@@ -1,4 +1,5 @@
 { stdenv, fetchurl, intltool, autoreconfHook, pkgconfig, libqalculate, gtk3, wrapGAppsHook }:
+
 stdenv.mkDerivation rec {
   name = "qalculate-gtk-${version}";
   version = "0.9.9";
@@ -8,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "0v9ibycilygmi9zzi7cxif7si56c85lfzdvbqnbf32whg8ydqqkg";
   };
 
+  hardeningDisable = [ "format" ];
+
   nativeBuildInputs = [ intltool pkgconfig autoreconfHook wrapGAppsHook ];
   buildInputs = [ libqalculate gtk3 ];
 

pkgs/applications/science/math/singular/default.nix

@@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
     find . -exec sed -e 's@/bin/uname@${coreutils}&@g' -i '{}' ';'
   '';
 
+  hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector";
+
   postInstall = ''
     rm -rf "$out/LIB"
     cp -r Singular/LIB "$out"

pkgs/applications/science/math/yacas/default.nix

@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "1dmafm3w0lm5w211nwkfzaid1rvvmgskz7k4500pjhgdczi5sd78";
   };
 
+  hardeningDisable = [ "format" ];
+
   # Perl is only for the documentation
   nativeBuildInputs = [ perl ];
 

pkgs/applications/science/misc/openmodelica/default.nix

@@ -20,6 +20,8 @@ stdenv.mkDerivation {
     doxygen boost openscenegraph gnome.gtkglext pangox_compat xorg.libXmu
     git gtk makeWrapper];
 
+  hardeningDisable = [ "format" ];
+
   patchPhase = ''
     cp -fv ${fakegit}/bin/checkout-git.sh libraries/checkout-git.sh
     cp -fv ${fakegit}/bin/checkout-svn.sh libraries/checkout-svn.sh

pkgs/applications/version-management/bitkeeper/default.nix

@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
     sha256 = "0lk4vydpq5bi52m81h327gvzdzybf8kkak7yjwmpj6kg1jn9blaz";
   };
 
+  hardeningDisable = [ "fortify" ];
+
   enableParallelBuilding = true;
 
   buildInputs = [

pkgs/applications/version-management/cvs/default.nix

@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 
   patches = [ ./getcwd-chroot.patch ];
 
+  hardeningDisable = [ "format" ];
+
   preConfigure = ''
     # Apply the Debian patches.
     for p in "debian/patches/"*; do

pkgs/applications/version-management/git-and-tools/git/default.nix

@@ -22,6 +22,8 @@ stdenv.mkDerivation {
     sha256 = "0qzs681a64k3shh5p0rg41l1z16fbk5sj0xga45k34hp1hsp654z";
   };
 
+  hardeningDisable = [ "format" ];
+
   patches = [
     ./docbook2texi.patch
     ./symlinks-in-bin.patch

pkgs/applications/version-management/git-and-tools/qgit/default.nix

@@ -3,20 +3,13 @@
 stdenv.mkDerivation rec {
   name = "qgit-2.5";
 
-  meta =
+  src = fetchurl {
-  {
-    license = stdenv.lib.licenses.gpl2;
-    homepage = "http://libre.tibirna.org/projects/qgit/wiki/QGit";
-    description = "Graphical front-end to Git";
-    inherit (qt4.meta) platforms;
-  };
-
-  src = fetchurl
-  {
     url = "http://libre.tibirna.org/attachments/download/9/${name}.tar.gz";
     sha256 = "25f1ca2860d840d87b9919d34fc3a1b05d4163671ed87d29c3e4a8a09e0b2499";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ qt4 libXext libX11 ];
 
   nativeBuildInputs = [ qmake4Hook ];
@@ -24,4 +17,11 @@ stdenv.mkDerivation rec {
   installPhase = ''
     install -s -D -m 755 bin/qgit "$out/bin/qgit"
   '';
+
+  meta = {
+    license = stdenv.lib.licenses.gpl2;
+    homepage = "http://libre.tibirna.org/projects/qgit/wiki/QGit";
+    description = "Graphical front-end to Git";
+    inherit (qt4.meta) platforms;
+  };
 }

pkgs/applications/version-management/redmine/default.nix

@@ -11,6 +11,8 @@ in stdenv.mkDerivation rec {
     sha256 = "0x0zwxyj4dwbk7l64s3lgny10mjf0ba8jwrbafsm4d72sncmacv0";
   };
 
+  hardeningDisable = [ "format" ];
+
   # taken from redmine (2.5.1-2~bpo70+3) in debian wheezy-backports
   # needed to separate run-time and build-time directories
   patches = [
@@ -18,6 +20,7 @@ in stdenv.mkDerivation rec {
     ./2004_FHS_plugins_assets.patch
     ./2003_externalize_session_config.patch
   ];
+
   postPatch = ''
     substituteInPlace lib/redmine/plugin.rb --replace "File.join(Rails.root, 'plugins')" "ENV['RAILS_PLUGINS']"
     substituteInPlace lib/redmine/plugin.rb --replace "File.join(Rails.root, 'plugins', id.to_s, 'db', 'migrate')" "File.join(ENV['RAILS_PLUGINS'], id.to_s, 'db', 'migrate')"

pkgs/applications/video/aegisub/default.nix

@@ -43,6 +43,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "bindnow" "relro" ];
+
   postInstall = "ln -s $out/bin/aegisub-* $out/bin/aegisub";
 
   meta = {

pkgs/applications/video/kino/default.nix

@@ -67,14 +67,11 @@ stdenv.mkDerivation {
       pkgconfig perl perlXMLParser libavc1394 libiec61883 intltool libXv gettext libX11 glib cairo ffmpeg libv4l ]; # TODOoptional packages 
 
   configureFlags = "--enable-local-ffmpeg=no";
-  #preConfigure = "
+
-  #  grep 11 env-vars
+  hardeningDisable = [ "format" ];
-  #  ex
-  #";
 
   patches = [ ./kino-1.3.4-v4l1.patch ./kino-1.3.4-libav-0.7.patch ./kino-1.3.4-libav-0.8.patch ]; #./kino-1.3.4-libavcodec-pkg-config.patch ];
 
-
   postInstall = "
     rpath=`patchelf --print-rpath \$out/bin/kino`;
     for i in $\buildInputs; do
@@ -86,7 +83,6 @@ stdenv.mkDerivation {
     done
   ";
 
-
   meta = {
       description = "Non-linear DV editor for GNU/Linux";
       homepage = http://www.kinodv.org/;

pkgs/applications/video/subtitleeditor/default.nix

@@ -41,6 +41,8 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
 
+  hardeningDisable = [ "format" ];
+
   patches = [ ./subtitleeditor-0.52.1-build-fix.patch ];
 
   preConfigure = ''

pkgs/applications/virtualization/OVMF/default.nix

@@ -17,6 +17,8 @@ stdenv.mkDerivation (edk2.setup "OvmfPkg/OvmfPkg${targetArch}.dsc" {
   # TODO: properly include openssl for secureBoot
   buildInputs = [nasm iasl] ++ stdenv.lib.optionals (secureBoot == true) [ openssl ];
 
+  hardeningDisable = [ "stackprotector" "pic" "fortify" ];
+
   unpackPhase = ''
     for file in \
       "${edk2.src}"/{UefiCpuPkg,MdeModulePkg,IntelFrameworkModulePkg,PcAtChipsetPkg,FatBinPkg,EdkShellBinPkg,MdePkg,ShellPkg,OptionRomPkg,IntelFrameworkPkg};

pkgs/applications/virtualization/bochs/default.nix

@@ -146,6 +146,8 @@ stdenv.mkDerivation rec {
   NIX_CFLAGS_COMPILE="-I${gtk.dev}/include/gtk-2.0/ -I${libtool}/include/";
   NIX_LDFLAGS="-L${libtool.lib}/lib";
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "An open-source IA-32 (x86) PC emulator";
     longDescription = ''

pkgs/applications/virtualization/cbfstool/default.nix

@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ iasl flex bison ];
 
+  hardeningDisable = [ "fortify" ];
+
   buildPhase = ''
     export LEX=${flex}/bin/flex
     make -C util/cbfstool

pkgs/applications/virtualization/qboot/default.nix

@@ -14,6 +14,8 @@ stdenv.mkDerivation {
     cp bios.bin* $out/.
   '';
 
+  hardeningDisable = [ "stackprotector" "pic" ];
+
   meta = {
     description = "A simple x86 firmware for booting Linux";
     homepage = https://github.com/bonzini/qboot;

pkgs/applications/virtualization/seabios/default.nix

@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ iasl python ];
 
+  hardeningDisable = [ "pic" "stackprotector" "fortify" ];
+
   configurePhase = ''
     # build SeaBIOS for CSM
     cat > .config << EOF

pkgs/applications/virtualization/virtualbox/default.nix

@@ -74,6 +74,8 @@ in stdenv.mkDerivation {
     ++ optional pythonBindings python
     ++ optional pulseSupport libpulseaudio;
 
+  hardeningDisable = [ "fortify" "pic" "stackprotector" ];
+
   prePatch = ''
     set -x
     MODULES_BUILD_DIR=`echo ${kernel.dev}/lib/modules/*/build`

pkgs/applications/virtualization/virtualbox/guest-additions/default.nix

@@ -17,6 +17,8 @@ stdenv.mkDerivation {
 
   KERN_DIR = "${kernel.dev}/lib/modules/*/build";
 
+  hardeningDisable = [ "pic" ];
+
   buildInputs = [ patchelf cdrkit makeWrapper dbus ];
 
   installPhase = ''

pkgs/applications/virtualization/xen/generic.nix

@@ -48,6 +48,8 @@ stdenv.mkDerivation {
 
   pythonPath = [ pythonPackages.curses ];
 
+  hardeningDisable = [ "stackprotector" "fortify" "pic" ];
+
   patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches;
 
   postPatch = ''
@@ -99,9 +101,6 @@ stdenv.mkDerivation {
         --replace /usr/sbin/vgs ${lvm2}/sbin/vgs \
         --replace /usr/sbin/lvs ${lvm2}/sbin/lvs
 
-      substituteInPlace tools/hotplug/Linux/network-bridge \
-        --replace /usr/bin/logger ${utillinux}/bin/logger
-
       substituteInPlace tools/xenmon/xenmon.py \
         --replace /usr/bin/pkill ${procps}/bin/pkill
 

pkgs/applications/window-managers/stalonetray/default.nix

@@ -3,12 +3,16 @@
 stdenv.mkDerivation rec {
   name = "stalonetray-${version}";
   version = "0.8.1";
+
   src = fetchurl {
     url = "mirror://sourceforge/stalonetray/${name}.tar.bz2";
     sha256 = "1wp8pnlv34w7xizj1vivnc3fkwqq4qgb9dbrsg15598iw85gi8ll";
   };
+
   buildInputs = [ libX11 xproto ];
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "Stand alone tray";
     maintainers = with maintainers; [ raskin ];