base repository: NixOS/nixpkgs-channels
base: 2fab43b409d8
head repository: NixOS/nixpkgs-channels
compare: 01423cbae4ef
  • 12 commits
  • 9 files changed
  • 6 contributors

Commits on Jan 2, 2020

  1. maintainers: add danderson

    (cherry picked from commit c5c5baf)
    danderson committed Jan 2, 2020

    e753695 View commit details
  2. nixos/pppd: init

    (cherry picked from commit 997a6f6)
    danderson committed Jan 2, 2020
    b485113 View commit details
  3. nixos/tests/pppd: init

    This test creates a PPPoE link between two machines, and verifies
    that the machines can ping each other.
    
    (cherry picked from commit ae02b3d)
    danderson committed Jan 2, 2020
    40b1860 View commit details
  4. nixos/pppd: add description for peers, unbreaks metrics job and channel

    services.pppd.peers was lacking a description, causing a trace warning
    resulting in a parse error in the metrics job.
    
    (cherry picked from commit 0256080)
    FRidh authored and danderson committed Jan 2, 2020
    b563ba0 View commit details

Commits on Jan 10, 2020

  1. lorri: unstable-2019-10-30 -> unstable-2020-01-09

    `rustfmt` is now a compile time dependency because the varlink generated
    code is formatted with it.
    
    (cherry picked from commit c976dc1)
    curiousleo committed Jan 10, 2020
    80d1b7d View commit details
  2. firefoxPackages.tor-browser*: mark as vulnerable

    They are both based on firefox versions whose support ended some time
    ago. With CVE-2019-17026 (and other vulnerabilities) out and exploited
    in the wild, these should not be used anymore. tor-browser-bundle-bin is
    a better alternative.
    flokli committed Jan 10, 2020
    8619936 View commit details
  3. Merge pull request #77456 from flokli/19.09-tor-mark-insecure

    [19.09] firefoxPackages.tor-browser*: mark as vulnerable
    flokli authored Jan 10, 2020
    dfb4495 View commit details
  4. tor-browser-bundle-bin: 9.0.3 -> 9.0.4

    (cherry picked from commit 05c0695)
    emilazy committed Jan 10, 2020
    a4e4824 View commit details
  5. firefoxPackages.icecat: mark as insecure

    It's based on 60.3.0, whose support ended around October 2019.
    
    (cherry picked from commit 0e75514)
    flokli committed Jan 10, 2020
    7b5a1c9 View commit details
  6. Merge pull request #77464 from flokli/19.09-icecat-mark-insecure

    [19.09] firefoxPackages.icecat: mark as insecure
    andir authored Jan 10, 2020
    aecd49c View commit details
  7. Merge pull request #77432 from curiousleo/nixos-19.09-update-lorri

    lorri: unstable-2019-10-30 -> unstable-2020-01-09 (backport to release-19.09)
    flokli authored Jan 10, 2020
    d5d1126 View commit details
  8. Merge pull request #71271 from danderson/release-19.09

    [19.09] nixos/pppd: init
    andir authored Jan 10, 2020
    01423cb View commit details
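--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@@ -1427,6 +1427,12 @@
 githubId = 245394;
 name = "Hannu Hartikainen";
 };
+danderson = {
+email = "dave@natulte.net";
+github = "danderson";
+githubId = 1918;
+name = "David Anderson";
+};
 danharaj = {
 email = "dan@obsidian.systems";
 github = "danharaj";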
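--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -664,6 +664,7 @@
 ./services/networking/polipo.nix
 ./services/networking/powerdns.nix
 ./services/networking/pdns-recursor.nix
+./services/networking/pppd.nix
 ./services/networking/pptpd.nix
 ./services/networking/prayer.nix
 ./services/networking/privoxy.nix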
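--- /dev/null
+++ b/nixos/modules/services/networking/pppd.nix
@@ -0,0 +1,134 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+cfg = config.services.pppd;
+in
+{
+meta = {
+maintainers = with maintainers; [ danderson ];
+};
+
+options = {
+services.pppd = {
+enable = mkEnableOption "pppd";
+
+package = mkOption {
+default = pkgs.ppp;
+defaultText = "pkgs.ppp";
+type = types.package;
+description = "pppd package to use.";
+};
+
+peers = mkOption {
+default = {};
+description = "pppd peers.";
+type = types.attrsOf (types.submodule (
+{ name, ... }:
+{
+options = {
+name = mkOption {
+type = types.str;
+default = name;
+example = "dialup";
+description = "Name of the PPP peer.";
+};
+
+enable = mkOption {
+type = types.bool;
+default = true;
+example = false;
+description = "Whether to enable this PPP peer.";
+};
+
+autostart = mkOption {
+type = types.bool;
+default = true;
+example = false;
+description = "Whether the PPP session is automatically started at boot time.";
+};
+
+config = mkOption {
+type = types.lines;
+default = "";
+description = "pppd configuration for this peer, see the pppd(8) man page.";
+};
+};
+}));
+};
+};
+};
+
+config = let
+enabledConfigs = filter (f: f.enable) (attrValues cfg.peers);
+
+mkEtc = peerCfg: {
+"ppp/peers/${peerCfg.name}".text = peerCfg.config;
+};
+
+mkSystemd = peerCfg: {
+"pppd-${peerCfg.name}" = {
+restartTriggers = [ config.environment.etc."ppp/peers/${peerCfg.name}".source ];
+before = [ "network.target" ];
+wants = [ "network.target" ];
+after = [ "network-pre.target" ];
+environment = {
+# pppd likes to write directly into /var/run. This is rude
+# on a modern system, so we use libredirect to transparently
+# move those files into /run/pppd.
+LD_PRELOAD = "${pkgs.libredirect}/lib/libredirect.so";
+NIX_REDIRECTS = "/var/run=/run/pppd";
+};
+serviceConfig = {
+ExecStart = "${getBin cfg.package}/sbin/pppd call ${peerCfg.name} nodetach nolog";
+Restart = "always";
+RestartSec = 5;
+
+AmbientCapabilities = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
+CapabilityBoundingSet = "CAP_SYS_TTY_CONFIG CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN";
+KeyringMode = "private";
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+NoNewPrivileges = true;
+PrivateMounts = true;
+PrivateTmp = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelModules = true;
+# pppd can be configured to tweak kernel settings.
+ProtectKernelTunables = false;
+ProtectSystem = "strict";
+RemoveIPC = true;
+RestrictAddressFamilies = "AF_PACKET AF_UNIX AF_PPPOX AF_ATMPVC AF_ATMSVC AF_INET AF_INET6 AF_IPX";
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+SecureBits = "no-setuid-fixup-locked noroot-locked";
+SystemCallFilter = "@system-service";
+SystemCallArchitectures = "native";
+
+# All pppd instances on a system must share a runtime
+# directory in order for PPP multilink to work correctly. So
+# we give all instances the same /run/pppd directory to store
+# things in.
+#
+# For the same reason, we can't set PrivateUsers=true, because
+# all instances need to run as the same user to access the
+# multilink database.
+RuntimeDirectory = "pppd";
+RuntimeDirectoryPreserve = true;
+};
+wantedBy = mkIf peerCfg.autostart [ "multi-user.target" ];
+};
+};
+
+etcFiles = map mkEtc enabledConfigs;
+systemdConfigs = map mkSystemd enabledConfigs;
+
+in mkIf cfg.enable {
+environment.etc = mkMerge etcFiles;
+systemd.services = mkMerge systemdConfigs;
+};
+}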
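Review bot: The peer `name` option (`name = mkOption { type = types.str; ... }`) is interpolated without validation into the `/etc/ppp/peers/${peerCfg.name}` etc path, the `pppd-${peerCfg.name}` unit name and the unquoted `call ${peerCfg.name}` word of ExecStart, so a name containing `/` or whitespace yields a nested or misdirected path and a mis-split command line rather than an evaluation error. Constraining it at evaluation time, `type = types.strMatching "[a-zA-Z0-9_-]+";`, closes that for every interpolation site at once. Separately, the `config` text is delivered through `environment.etc.<name>.text`, which materialises it in the Nix store where it is readable by every local user; the option description should steer credentials away from it, e.g. `description = "pppd configuration for this peer, see the pppd(8) man page. Do not place passwords here: the text is stored in the world-readable Nix store; use /etc/ppp/chap-secrets or pap-secrets instead.";`. A short why-comment on the CAP_SYS_ADMIN grant in AmbientCapabilities/CapabilityBoundingSet would also help, since it is the broadest capability in the set and the reason is not visible from the file.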
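--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -227,6 +227,7 @@ in
 postgresql = handleTest ./postgresql.nix {};
 postgresql-wal-receiver = handleTest ./postgresql-wal-receiver.nix {};
 powerdns = handleTest ./powerdns.nix {};
+pppd = handleTest ./pppd.nix {};
 predictable-interface-names = handleTest ./predictable-interface-names.nix {};
 printing = handleTest ./printing.nix {};
 prometheus = handleTest ./prometheus.nix {};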
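--- /dev/null
+++ b/nixos/tests/pppd.nix
@@ -0,0 +1,62 @@
+import ./make-test.nix (
+let
+chap-secrets = {
+text = ''"flynn" * "reindeerflotilla" *'';
+mode = "0640";
+};
+in {
+nodes = {
+server = {config, pkgs, ...}: {
+config = {
+# Run a PPPoE access concentrator server. It will spawn an
+# appropriate PPP server process when a PPPoE client sets up a
+# PPPoE session.
+systemd.services.pppoe-server = {
+restartTriggers = [
+config.environment.etc."ppp/pppoe-server-options".source
+config.environment.etc."ppp/chap-secrets".source
+];
+after = ["network.target"];
+serviceConfig = {
+ExecStart = "${pkgs.rpPPPoE}/sbin/pppoe-server -F -O /etc/ppp/pppoe-server-options -q ${pkgs.ppp}/sbin/pppd -I eth1 -L 192.0.2.1 -R 192.0.2.2";
+};
+wantedBy = ["multi-user.target"];
+};
+environment.etc = {
+"ppp/pppoe-server-options".text = ''
+lcp-echo-interval 10
+lcp-echo-failure 2
+plugin rp-pppoe.so
+require-chap
+nobsdcomp
+noccp
+novj
+'';
+"ppp/chap-secrets" = chap-secrets;
+};
+};
+};
+client = {config, pkgs, ...}: {
+services.pppd = {
+enable = true;
+peers.test = {
+config = ''
+plugin rp-pppoe.so eth1
+name "flynn"
+noipdefault
+persist
+noauth
+debug
+'';
+};
+};
+environment.etc."ppp/chap-secrets" = chap-secrets;
+};
+};
+
+testScript = ''
+startAll;
+$client->waitUntilSucceeds("ping -c1 -W1 192.0.2.1");
+$server->waitUntilSucceeds("ping -c1 -W1 192.0.2.2");
+'';
+})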
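Review bot: `mode = "0640";` on the shared `chap-secrets` entry does not make the credential private: an `environment.etc` entry given as `text` is generated into the Nix store, and only the copy under /etc receives that mode. That is fine for a throwaway VM fixture, but the file is the kind of snippet that gets copied into real configurations, so a comment such as `# Test-only credential: text-based etc entries are also stored in the world-readable Nix store.` above `chap-secrets` would keep the pattern from being reused for real secrets. The testScript asserts only ICMP reachability; because the server's options include `require-chap`, a successful ping implies the CHAP exchange completed, which is worth stating in a one-line comment in the testScript so the coverage is explicit.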
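--- a/pkgs/applications/networking/browsers/firefox/packages.nix
+++ b/pkgs/applications/networking/browsers/firefox/packages.nix
@@ -174,6 +174,7 @@ in {
 ./no-buildconfig.patch
 missing-documentation-patch
 ];
+meta.knownVulnerabilities = [ "Support ended around October 2019." ];
 };
 
 # Similarly to firefox-esr-52 above.
@@ -261,6 +262,7 @@ in rec {
 rev = "95bb92d552876a1f4260edf68fda5faa3eb36ad8";
 sha256 = "1ykn3yg4s36g2cpzxbz7s995c33ij8kgyvghx38z4i8siaqxdddy";
 };
+meta.knownVulnerabilities = [ "Support ended in August 2018." ];
 }).override {
 gtk3Support = false;
 };
@@ -277,6 +279,7 @@ in rec {
 rev = "0489ae3158cd8c0e16c2e78b94083d8cbf0209dc";
 sha256 = "0y5s7d8pg8ak990dp8d801j9823igaibfhv9hsa79nib5yllifzs";
 };
+meta.knownVulnerabilities = [ "Support ended around October 2019." ];
 
 patches = [
 missing-documentation-patch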
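Review bot: The three added `meta.knownVulnerabilities` strings give only an end-of-support date, while the commit message names CVE-2019-17026 as the concrete reason the packages are being marked; a user who hits the insecure-package refusal sees only the string, not the commit. Including the identifier in the message makes the warning actionable, e.g. `meta.knownVulnerabilities = [ "Support ended around October 2019; unpatched against CVE-2019-17026 and later fixes." ];` for the two October-2019 entries, and the same pattern for the August-2018 entry. Which of the three attribute sets is icecat and which are the tor-browser variants is not visible from these hunks, so the exact wording per entry should be checked against the enclosing definitions.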
@@ -89,19 +89,19 @@ let
fteLibPath = makeLibraryPath [ stdenv.cc.cc gmp ];

# Upstream source
version = "9.0.2";
version = "9.0.4";

lang = "en-US";

srcs = {
x86_64-linux = fetchurl {
url = "https://dist.torproject.org/torbrowser/${version}/tor-browser-linux64-${version}_${lang}.tar.xz";
sha256 = "1xdnqphsj7wzwyv927jwd3fi36srx0minydwl5jg5yyd3m3if9hb";
sha256 = "14zlf02i447hcdr4qap8af1k4aziznfp9m2ygqz05zsy8icm1j2k";
};

i686-linux = fetchurl {
url = "https://dist.torproject.org/torbrowser/${version}/tor-browser-linux32-${version}_${lang}.tar.xz";
sha256 = "1qk9fg5dvyyvbngsqla00by8a974mpvq9pnm2djif54lr2nfivwf";
sha256 = "1bmih91gsh698fp2mbnjcq8vmwhg822wanmn99r0xhkmgpi4zw2s";
};
};
in
10 changes: 5 additions & 5 deletions pkgs/tools/misc/lorri/default.nix
@@ -15,7 +15,7 @@

rustPlatform.buildRustPackage rec {
pname = "lorri";
version = "unstable-2019-10-30";
version = "unstable-2020-01-09";

meta = with stdenv.lib; {
description = "Your project's nix-env";
@@ -28,17 +28,17 @@ rustPlatform.buildRustPackage rec {
owner = "target";
repo = pname;
# Run `eval $(nix-build -A lorri.updater)` after updating the revision!
rev = "03f10395943449b1fc5026d3386ab8c94c520ee3";
sha256 = "0fcl79ndaziwd8d74mk1lsijz34p2inn64b4b4am3wsyk184brzq";
rev = "7b84837b9988d121dd72178e81afd440288106c5";
sha256 = "0rkga944jl6i0051vbsddfqbvzy12168cbg4ly2ng1rk0x97dbr8";
};

cargoSha256 = "1daff4plh7hwclfp21hkx4fiflh9r80y2c7k2sd3zm4lmpy0jpfz";
cargoSha256 = "0k7l0zhk2vzf4nlwv4xr207irqib2dqjxfdjk1fprff84c4kblx8";
doCheck = false;

BUILD_REV_COUNT = src.revCount or 1;
RUN_TIME_CLOSURE = pkgs.callPackage ./runtime.nix {};

nativeBuildInputs = with pkgs; [ nix direnv which ];
nativeBuildInputs = with pkgs; [ rustPackages.rustfmt ];
buildInputs =
stdenv.lib.optionals stdenv.isDarwin [ CoreServices Security cf-private ];

35 changes: 20 additions & 15 deletions pkgs/tools/misc/lorri/runtime.nix
@@ -1,9 +1,13 @@
{
# Plumbing tools:
closureInfo, runCommand, writeText, buildEnv,

# Actual dependencies to propagate:
bash, coreutils }:
closureInfo
, runCommand
, writeText
, buildEnv
, # Actual dependencies to propagate:
bash
, coreutils
}:
let
tools = buildEnv {
name = "lorri-runtime-tools";
@@ -15,19 +19,20 @@ let
};

closureToNix = runCommand "closure.nix" {}
''
(
echo '{ dep, ... }: ['
sed -E 's/^(.*)$/ (dep \1)/' ${runtimeClosureInfo}/store-paths
echo ']'
) > $out
'';
''
(
echo '{ dep, ... }: ['
sed -E 's/^(.*)$/ (dep \1)/' ${runtimeClosureInfo}/store-paths
echo ']'
) > $out
'';

runtimeClosureInfoAsNix = runCommand "runtime-closure.nix" {
runtime_closure_list = closureToNix;
tools_build_host = tools;
}
''
substituteAll ${./runtime-closure.nix.template} $out
'';
in runtimeClosureInfoAsNix
''
substituteAll ${./runtime-closure.nix.template} $out
'';
in
runtimeClosureInfoAsNix