Staging next with systemd privacy fix #107086
Conversation
Fixes NixOS/nix#2517 See also: boostorg/context#72 boostorg/fiber#193 These issues have been resolved by: boostorg/context#106 boostorg/context@d4608a4 which is merged into boost as of v1.71.0. This feature was introduced (with the bug) in boost v1.61 and was fixed in v1.71. So we apply the patch to all versions in that range.
upstream decided to make this non-configurable... Lets' revert to the version before.
The order of the entries in the manifest generated while installing rustc depends on the (parallel) build, so let's sort it to make it deterministic. Also remove install.log from the output. Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
topgrade: 6.0.1 -> 6.0.2
systemd: fix pc files
Fixes: CVE-2020-1971 Closes: #106218
openssh: fix static build
openbazaar-client: 2.4.8 -> 2.4.9
openssl: 1.1.1h -> 1.1.1i
gdk-pixbuf: 2.42.0 → 2.42.2
Backward incompatible changes: - Support for Python 3.5 has been removed due to low usage and maintenance burden. - The GCM and AESGCM now require 64-bit to 1024-bit (8 byte to 128 byte) initialization vectors. This change is to conform with an upcoming OpenSSL release that will no longer support sizes outside this window. - When deserializing asymmetric keys we now raise ValueError rather than UnsupportedAlgorithm when an unsupported cipher is used. This change is to conform with an upcoming OpenSSL release that will no longer distinguish between error types. - We no longer allow loading of finite field Diffie-Hellman parameters of less than 512 bits in length. This change is to conform with an upcoming OpenSSL release that no longer supports smaller sizes. These keys were already wildly insecure and should not have been used in any application outside of testing.
|
I think we should revert the cc wrapper and bintools changes instead. Everything else looked fine. Stdenv changes need to be tested better before being merged into staging. |
TBH, that would also be my preference, the fix for the dynamicLinker for darwin feels more like a hack to me. |
|
Depends if that's the only cause for a large rebuild (or for risk of regressions). IIRC systemd by itself doesn't cause such a huge rebuild (in comparison to stdenv stuff). |
32-bit cases are easy to miss (and considered rather minor generally) and darwin is hard to test for most people 🤷🏽 |
I agree with @FRidh here. Let's revert the cc wrapper and bintools changes, run another hydra evaluation, and get channels unblocked. The other changes can be re-introduced in a followup PR, and be more thoroughly tested. |
This reverts commit 241c391, reversing changes made to ab8c2b2. These toolchain changes are too problematic, so reverting for now; see #107086 (comment)
This reverts commit ccfd26e. These toolchain changes are too problematic, so reverting for now; see #107086 (comment)
…..." This reverts commit 0f25eb3, reversing changes made to df91ae1. These toolchain changes are too problematic, so reverting for now; see #107086 (comment)
|
Done. ^^ this amount of darwin rebuilds will surely take several days, but perhaps we can afford to merge before that finishes. |
|
I was going to ask why we'd need to wait for Darwin builds as the Darwin channel would just block for a few days until they're done which wouldn't be a huge issue but I just noticed that such channel does not exist. Is there a specific reason why we don't have one for unstable? It'd sure be convenient for cases like these. |
|
I'm not aware of any reason. I think I've already mentioned somewhere that it would be nice to remove this difference. There's |
|
I think there should be a channel per architecture target, see #83049 for similar issues with aarch64 |
|
This is not the place to discuss what channels we should have. |
|
@FRidh considering there's less than 500 queued jobs left for |
|
Okay, there's no more builds left for x86_64-linux. Let's merge this :-) |
|
Sorry if this is a basic question, I'm not fully familiar with the hydra pipeline. What's left for the |
|
nixos-unstable runs builds from master - this was in I just triggered https://hydra.nixos.org/jobset/nixos/unstable-small and https://hydra.nixos.org/jobset/nixos/trunk-combined, which should update the corresponding channels (once succeeded). |
|
All hydra jobsets populate cache.nixos.org, and same /nix/store hashes get reused. |
|
unfortunately, I get the same failure locally. |
|
#107275 is the PR that broke the test. |
|
Eval complete: https://hydra.nixos.org/eval/1637149?filter=tested&compare=1637089&full=#tabs-now-succeed Channel updated too! Thank you to everyone! |
Motivation for this change
Includes channel blocking fixes for systemd. Let's hope it won't break anything else.
https://hydra.nixos.org/job/nixpkgs/staging-next/unstable#tabs-constituents
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)