NixOS · Oct 15, 2019 · Oct 16, 2019 · Oct 16, 2019 · Oct 17, 2019 · Oct 17, 2019
Showing 348 changed files with 2,547 additions and 1,885 deletions.
diff --git a/README.md b/README.md
@@ -51,9 +51,7 @@ system, [Hydra](https://hydra.nixos.org/).
 Artifacts successfully built with Hydra are published to cache at
 https://cache.nixos.org/. When successful build and test criteria are
 met, the Nixpkgs expressions are distributed via [Nix
-channels](https://nixos.org/nix/manual/#sec-channels). The channels
-are provided via a read-only mirror of the Nixpkgs repository called
-[nixpkgs-channels](https://github.com/NixOS/nixpkgs-channels).
+channels](https://nixos.org/nix/manual/#sec-channels).
 
 # Contributing
 

diff --git a/doc/introduction.chapter.md b/doc/introduction.chapter.md
@@ -47,5 +47,5 @@ which also builds binary packages from the Nix expressions in Nixpkgs for
 The binaries are made available via a [binary cache](https://cache.nixos.org).
 
 The current Nix expressions of the channels are available in the
-[`nixpkgs-channels`](https://github.com/NixOS/nixpkgs-channels) repository,
-which has branches corresponding to the available channels.
+[`nixpkgs`](https://github.com/NixOS/nixpkgs) repository in branches
+that correspond to the channel names (e.g. `nixos-19.09-small`).
diff --git a/doc/reviewing-contributions.xml b/doc/reviewing-contributions.xml
@@ -115,19 +115,12 @@
       <para>
        It is possible to rebase the changes on nixos-unstable or nixpkgs-unstable for easier review by running the following commands from a nixpkgs clone.
 <screen>
-<prompt>$ </prompt>git remote add channels https://github.com/NixOS/nixpkgs-channels.git <co
-  xml:id='reviewing-rebase-1' />
-<prompt>$ </prompt>git fetch channels nixos-unstable <co xml:id='reviewing-rebase-2' />
+<prompt>$ </prompt>git fetch origin nixos-unstable <co xml:id='reviewing-rebase-2' />
 <prompt>$ </prompt>git fetch origin pull/PRNUMBER/head <co xml:id='reviewing-rebase-3' />
 <prompt>$ </prompt>git rebase --onto nixos-unstable BASEBRANCH FETCH_HEAD <co
   xml:id='reviewing-rebase-4' />
 </screen>
        <calloutlist>
-        <callout arearefs='reviewing-rebase-1'>
-         <para>
-          This should be done only once to be able to fetch channel branches from the nixpkgs-channels repository.
-         </para>
-        </callout>
         <callout arearefs='reviewing-rebase-2'>
          <para>
           Fetching the nixos-unstable branch.

diff --git a/nixos/doc/manual/development/sources.xml b/nixos/doc/manual/development/sources.xml
@@ -13,17 +13,16 @@
 <screen>
 <prompt>$ </prompt>git clone https://github.com/NixOS/nixpkgs
 <prompt>$ </prompt>cd nixpkgs
-<prompt>$ </prompt>git remote add channels https://github.com/NixOS/nixpkgs-channels
-<prompt>$ </prompt>git remote update channels
+<prompt>$ </prompt>git remote update origin
 </screen>
   This will check out the latest Nixpkgs sources to
   <filename>./nixpkgs</filename> the NixOS sources to
   <filename>./nixpkgs/nixos</filename>. (The NixOS source tree lives in a
-  subdirectory of the Nixpkgs repository.) The remote
-  <literal>channels</literal> refers to a read-only repository that tracks the
-  Nixpkgs/NixOS channels (see <xref linkend="sec-upgrading"/> for more
+  subdirectory of the Nixpkgs repository.) The
+  <literal>nixpkgs</literal> repository has branches that correspond
+  to each Nixpkgs/NixOS channel (see <xref linkend="sec-upgrading"/> for more
   information about channels). Thus, the Git branch
-  <literal>channels/nixos-17.03</literal> will contain the latest built and
+  <literal>origin/nixos-17.03</literal> will contain the latest built and
   tested version available in the <literal>nixos-17.03</literal> channel.
  </para>
  <para>
@@ -40,15 +39,15 @@
   Or, to base your local branch on the latest version available in a NixOS
   channel:
 <screen>
-<prompt>$ </prompt>git remote update channels
-<prompt>$ </prompt>git checkout -b local channels/nixos-17.03
+<prompt>$ </prompt>git remote update origin
+<prompt>$ </prompt>git checkout -b local origin/nixos-17.03
 </screen>
   (Replace <literal>nixos-17.03</literal> with the name of the channel you want
   to use.) You can use <command>git merge</command> or <command>git
   rebase</command> to keep your local branch in sync with the channel, e.g.
 <screen>
-<prompt>$ </prompt>git remote update channels
-<prompt>$ </prompt>git merge channels/nixos-17.03
+<prompt>$ </prompt>git remote update origin
+<prompt>$ </prompt>git merge origin/nixos-17.03
 </screen>
   You can use <command>git cherry-pick</command> to copy commits from your
   local branch to the upstream branch.

diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml
@@ -84,6 +84,16 @@
   </para>
 
   <itemizedlist>
+   <listitem>
+    <para>
+      GnuPG is now built without support for a graphical passphrase entry
+      by default. Please enable the <literal>gpg-agent</literal> user service
+      via the NixOS option <literal>programs.gnupg.agent.enable</literal>.
+      Note that upstream recommends using <literal>gpg-agent</literal> and
+      will spawn a <literal>gpg-agent</literal> on the first invocation of
+      GnuPG anyway.
+    </para>
+   </listitem>
    <listitem>
     <para>
      The <literal>dynamicHosts</literal> option has been removed from the
@@ -129,6 +139,14 @@
    <listitem>
      <para>SD images are now compressed by default using <literal>bzip2</literal>.</para>
    </listitem>
+   <listitem>
+    <para>
+     OpenSSH has been upgraded from 7.9 to 8.1, improving security and adding features
+     but with potential incompatibilities.  Consult the
+     <link xlink:href="https://www.openssh.com/txt/release-8.1">
+     release announcement</link> for more information.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 </section>
diff --git a/nixos/modules/config/no-x-libs.nix b/nixos/modules/config/no-x-libs.nix
@@ -34,7 +34,6 @@ with lib;
       networkmanager-openvpn = super.networkmanager-openvpn.override { withGnome = false; };
       networkmanager-vpnc = super.networkmanager-vpnc.override { withGnome = false; };
       networkmanager-iodine = super.networkmanager-iodine.override { withGnome = false; };
-      pinentry = super.pinentry.override { gtk2 = null; gcr = null; qt4 = null; qt5 = null; };
       gobject-introspection = super.gobject-introspection.override { x11Support = false; };
     }));
   };

diff --git a/nixos/modules/installer/tools/tools.nix b/nixos/modules/installer/tools/tools.nix
@@ -120,7 +120,11 @@ in
         # Some programs need SUID wrappers, can be configured further or are
         # started in user sessions.
         # programs.mtr.enable = true;
-        # programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
+        # programs.gnupg.agent = {
+        #   enable = true;
+        #   enableSSHSupport = true;
+        #   flavour = "gnome3";
+        # };
 
         # List services that you want to enable:
 

diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix
@@ -31,9 +31,6 @@ with lib;
     # Let the user play Rogue on TTY 8 during the installation.
     #services.rogue.enable = true;
 
-    # Disable some other stuff we don't need.
-    services.udisks2.enable = mkDefault false;
-
     # Use less privileged nixos user
     users.users.nixos = {
       isNormalUser = true;

diff --git a/nixos/modules/programs/gnupg.nix b/nixos/modules/programs/gnupg.nix
@@ -6,6 +6,19 @@ let
 
   cfg = config.programs.gnupg;
 
+  xserverCfg = config.services.xserver;
+
+  defaultPinentryFlavor =
+    if xserverCfg.desktopManager.lxqt.enable
+    || xserverCfg.desktopManager.plasma5.enable then
+      "qt"
+    else if xserverCfg.desktopManager.xfce.enable then
+      "gtk2"
+    else if xserverCfg.enable then
+      "gnome3"
+    else
+      null;
+
 in
 
 {
@@ -54,6 +67,20 @@ in
       '';
     };
 
+    agent.pinentryFlavor = mkOption {
+      type = types.nullOr (types.enum pkgs.pinentry.flavors);
+      example = "gnome3";
+      description = ''
+        Which pinentry interface to use. If not null, the path to the
+        pinentry binary will be passed to gpg-agent via commandline and
+        thus overrides the pinentry option in gpg-agent.conf in the user's
+        home directory.
+        If not set at all, it'll pick an appropriate flavor depending on the
+        system configuration (qt flavor for lxqt and plasma5, gtk2 for xfce
+        4.12, gnome3 on all other systems with X enabled, ncurses otherwise).
+      '';
+    };
+
     dirmngr.enable = mkOption {
       type = types.bool;
       default = false;
@@ -64,6 +91,16 @@ in
   };
 
   config = mkIf cfg.agent.enable {
+    programs.gnupg.agent.pinentryFlavor = mkDefault defaultPinentryFlavor;
+
+    # This overrides the systemd user unit shipped with the gnupg package
+    systemd.user.services.gpg-agent = mkIf (cfg.agent.pinentryFlavor != null) {
+      serviceConfig.ExecStart = [ "" ''
+        ${pkgs.gnupg}/bin/gpg-agent --supervised \
+          --pinentry-program ${pkgs.pinentry.${cfg.agent.pinentryFlavor}}/bin/pinentry
+      '' ];
+    };
+
     systemd.user.sockets.gpg-agent = {
       wantedBy = [ "sockets.target" ];
     };
@@ -83,7 +120,7 @@ in
     systemd.user.sockets.dirmngr = mkIf cfg.dirmngr.enable {
       wantedBy = [ "sockets.target" ];
     };
-    
+
     environment.systemPackages = with pkgs; [ cfg.package ];
     systemd.packages = [ cfg.package ];
 

diff --git a/nixos/modules/services/hardware/udisks2.nix b/nixos/modules/services/hardware/udisks2.nix
@@ -34,10 +34,7 @@ with lib;
 
     services.dbus.packages = [ pkgs.udisks2 ];
 
-    system.activationScripts.udisks2 =
-      ''
-        mkdir -m 0755 -p /var/lib/udisks2
-      '';
+    systemd.tmpfiles.rules = [ "d /var/lib/udisks2 0755 root root -" ];
 
     services.udev.packages = [ pkgs.udisks2 ];
 

diff --git a/nixos/tests/installer.nix b/nixos/tests/installer.nix
@@ -54,8 +54,6 @@ let
 
         hardware.enableAllFirmware = lib.mkForce false;
 
-        services.udisks2.enable = lib.mkDefault false;
-
         ${replaceChars ["\n"] ["\n  "] extraConfig}
       }
     '';
@@ -295,8 +293,6 @@ let
               ++ optional (bootLoader == "grub" && grubVersion == 1) pkgs.grub
               ++ optionals (bootLoader == "grub" && grubVersion == 2) [ pkgs.grub2 pkgs.grub2_efi ];
 
-            services.udisks2.enable = mkDefault false;
-
             nix.binaryCaches = mkForce [ ];
             nix.extraOptions =
               ''

diff --git a/nixos/tests/os-prober.nix b/nixos/tests/os-prober.nix
@@ -51,12 +51,11 @@ let
       hashed-mirrors =
       connect-timeout = 1
     '';
-    services.udisks2.enable = lib.mkForce false;
   };
   # /etc/nixos/configuration.nix for the vm
   configFile = pkgs.writeText "configuration.nix"  ''
     {config, pkgs, ...}: ({
-    imports = 
+    imports =
           [ ./hardware-configuration.nix
             <nixpkgs/nixos/modules/testing/test-instrumentation.nix>
           ];

diff --git a/pkgs/applications/networking/browsers/firefox/packages.nix b/pkgs/applications/networking/browsers/firefox/packages.nix
@@ -17,10 +17,10 @@ rec {
 
   firefox = common rec {
     pname = "firefox";
-    ffversion = "69.0.2";
+    ffversion = "70.0";
     src = fetchurl {
       url = "mirror://mozilla/firefox/releases/${ffversion}/source/firefox-${ffversion}.source.tar.xz";
-      sha512 = "2ag1syrvlkch7vl151hkq8abf86p9v6b6gmgcbh26b8wfva1p1ss1x09h4w50zmcc6jq4q5mcxgf1sd9zna552jl90k1y4rqvrrzwl6";
+      sha512 = "1rjji7w0rf4b7h6hyllwav1xcbaiv37jmf5s0n0c3cwf9b76yhf8nhygm1a97m26f6rvbmhcv0dx4l8bh06cz9mcbbxy4lhsn43sr62";
     };
 
     patches = [

diff --git a/pkgs/development/compilers/go/1.13.nix b/pkgs/development/compilers/go/1.13.nix
@@ -30,11 +30,11 @@ in
 
 stdenv.mkDerivation rec {
   pname = "go";
-  version = "1.13.1";
+  version = "1.13.3";
 
   src = fetchurl {
     url = "https://dl.google.com/go/go${version}.src.tar.gz";
-    sha256 = "0n4k42bbrj5g9b1kczkfsih049v43vqzaps7n69gmfa4jpk59wc1";
+    sha256 = "1pz3423gw3z2zwcmk9l2c6v68w5is39gndq7502c9mbm8c226wag";
   };
 
   # perl is used for testing go vet

diff --git a/pkgs/development/interpreters/python/cpython/2.7/default.nix b/pkgs/development/interpreters/python/cpython/2.7/default.nix
@@ -79,12 +79,6 @@ let
         sha256 = "0l9rw6r5r90iybdkp3hhl2pf0h0s1izc68h5d3ywrm92pq32wz57";
       })
 
-      (fetchpatch {
-        url = "https://github.com/python/cpython/commit/979daae300916adb399ab5b51410b6ebd0888f13.patch";
-        name = "CVE-2018-20852.patch";
-        sha256 = "0p838ycssd6abxzby69rhngjqqm59cmlp07910mpjx7lmsz049pb";
-      })
-
       # Fix race-condition during pyc creation. Has a slight backwards
       # incompatible effect: pyc symlinks will now be overridden
       # (https://bugs.python.org/issue17222). Included in python >= 3.4,

diff --git a/pkgs/development/interpreters/python/cpython/2.7/python-2.7-distutils-C++.patch b/pkgs/development/interpreters/python/cpython/2.7/python-2.7-distutils-C++.patch
@@ -93,8 +93,8 @@
                  _osx_support.customize_compiler(_config_vars)
                  _config_vars['CUSTOMIZED_OSX_COMPILER'] = 'True'
 
--        (cc, cxx, opt, cflags, ccshared, ldshared, so_ext, ar, ar_flags) = \
--            get_config_vars('CC', 'CXX', 'OPT', 'CFLAGS',
+-        (cc, cxx, cflags, ccshared, ldshared, so_ext, ar, ar_flags) = \
+-            get_config_vars('CC', 'CXX', 'CFLAGS',
 -                            'CCSHARED', 'LDSHARED', 'SO', 'AR',
 -                            'ARFLAGS')
 +        (cc, cxx, ccshared, ldshared, ldcxxshared, so_ext, ar, ar_flags) = \
@@ -120,8 +120,7 @@
              ldshared = ldshared + ' ' + os.environ['LDFLAGS']
 +            ldcxxshared = ldcxxshared + ' ' + os.environ['LDFLAGS']
          if 'CFLAGS' in os.environ:
--            cflags = opt + ' ' + os.environ['CFLAGS']
-+            cflags = os.environ['CFLAGS']
+             cflags = cflags + ' ' + os.environ['CFLAGS']
              ldshared = ldshared + ' ' + os.environ['CFLAGS']
 +        if 'CXXFLAGS' in os.environ:
 +            cxxflags = os.environ['CXXFLAGS']

diff --git a/pkgs/development/interpreters/python/default.nix b/pkgs/development/interpreters/python/default.nix
@@ -52,10 +52,10 @@ in {
     sourceVersion = {
       major = "2";
       minor = "7";
-      patch = "16";
+      patch = "17";
       suffix = "";
     };
-    sha256 = "1mqfcqp5y8r0bfyr7ppl74n0lig45p9mc4b8adlcpvj74rhfy8pj";
+    sha256 = "0hds28cg226m8j8sr394nm9yc4gxhvlv109w0avsf2mxrlrz0hsd";
     inherit (darwin) CF configd;
     inherit passthruFun;
   };
@@ -200,4 +200,9 @@ in {
     ncurses = ncurses5;
   };
 
+  graalpython37 = callPackage ./graalpython/default.nix {
+    self = pythonInterpreters.graalpython37;
+    inherit passthruFun;
+  };
+
 })
diff --git a/pkgs/development/interpreters/python/graalpython/default.nix b/pkgs/development/interpreters/python/graalpython/default.nix
@@ -0,0 +1,21 @@
+{ pkgs
+, lib
+, graalvm8
+, passthruFun
+, packageOverrides ? (self: super: {})
+, self
+}:
+
+let
+  passthru = passthruFun {
+    inherit self packageOverrides;
+    implementation = "graal";
+    sourceVersion = graalvm8.version;
+    pythonVersion = "3.7";
+    libPrefix = "graalvm";
+    sitePackages = "jre/languages/python/lib-python/3/site-packages";
+    executable = "graalpython";
+    hasDistutilsCxxPatch = false;
+    pythonForBuild = pkgs.buildPackages.pythonInterpreters.graalpython37;
+  };
+in lib.extendDerivation true passthru graalvm8