base repository: NixOS/nixpkgs
base: abea6f461ae8
...
head repository: NixOS/nixpkgs
compare: 179b8146e668
  • 3 commits
  • 2 files changed
  • 2 contributors

Commits on Nov 4, 2018

  1. openjpeg: adding patch for CVE-2018-7648

    (cherry picked from commit 3dc0838)
    Forward-picking from staging-next.  The CVE is marked as critical,
    and the amount of rebuilds isn't that high (~500 linux, ~100 darwin).
    stammon authored and vcunat committed Nov 4, 2018
    058a3c0 View commit details
  2. Revert "systemd: 239 -> 239.20181031"

    This reverts commit d1de23b.
    The changes turned out to be too intrusive, so we'll patch instead.
    Discussion: NixOS/systemd#24
    vcunat committed Nov 4, 2018
    587c377 View commit details
  3. systemd: apply patches from Debian

    There are some security fixes among those.
    vcunat committed Nov 4, 2018
    179b814 View commit details
Showing with 28 additions and 5 deletions.
  1. +8 −0 pkgs/development/libraries/openjpeg/2.x.nix
  2. +20 −5 pkgs/os-specific/linux/systemd/default.nix
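--- a/pkgs/development/libraries/openjpeg/2.x.nix
+++ b/pkgs/development/libraries/openjpeg/2.x.nix
@@ -5,4 +5,12 @@ callPackage ./generic.nix (args // rec {
 branch = "2.3";
 revision = "v${version}";
 sha256 = "08plxrnfl33sn2vh5nwbsngyv6b1sfpplvx881crm1v1ai10m2lz";
+
+patches = [
+(fetchpatch {
+name = "CVE-2018-7648.patch";
+url = "https://github.com/uclouvain/openjpeg/commit/cc3824767bde397fedb8a1ae4786a222ba860c8d.patch";
+sha256 = "1j5nxmlgyfkxldk2f1ij6h850xw45q3b5brxqa04dxsfsv8cdj5j";
+})
+];
 })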
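Review bot: The new `patches` entry has no comment saying when it can be dropped, so a later version bump may keep carrying a fix that upstream already ships, or hit a failing patch with no hint why it was there. A line such as `# CVE-2018-7648: backported upstream fix; remove once the packaged release contains it` above `(fetchpatch {` would cover that. The hunk starts at line 5 of the file, so whether `fetchpatch` is among this file's function arguments cannot be checked from here; it has to be for the expression to evaluate.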
25 changes: 20 additions & 5 deletions pkgs/os-specific/linux/systemd/default.nix
@@ -1,4 +1,4 @@
{ stdenv, lib, fetchFromGitHub, fetchpatch, pkgconfig, intltool, gperf, libcap, kmod
{ stdenv, lib, fetchFromGitHub, fetchpatch, fetchurl, pkgconfig, intltool, gperf, libcap, kmod
, xz, pam, acl, libuuid, m4, utillinux, libffi
, glib, kbd, libxslt, coreutils, libgcrypt, libgpgerror, libidn2, libapparmor
, audit, lz4, bzip2, libmicrohttpd, pcre2
@@ -18,18 +18,34 @@ let
pythonLxmlEnv = buildPackages.python3Packages.python.withPackages ( ps: with ps; [ python3Packages.lxml ]);

in stdenv.mkDerivation rec {
version = "239.20181031";
version = "239";
name = "systemd-${version}";

# When updating, use https://github.com/systemd/systemd-stable tree, not the development one!
# Also fresh patches should be cherry-picked from that tree to our current one.
src = fetchFromGitHub {
owner = "NixOS";
repo = "systemd";
rev = "nixos-v${version}";
sha256 = "1rzl0iqrpa4ajvama5k3cb3yc7893c55kzcxkl3cyavpdzsw5505";
rev = "31859ddd35fc3fa82a583744caa836d356c31d7f";
sha256 = "1xci0491j95vdjgs397n618zii3sgwnvanirkblqqw6bcvcjvir1";
};

prePatch = let
# Upstream's maintenance branches are still too intrusive:
# https://github.com/systemd/systemd-stable/tree/v239-stable
patches-deb = fetchurl {
# When the URL disappears, it typically means that Debian has new patches
# (probably security) and updating to new tarball will apply them as well.
name = "systemd-debian-patches.tar.xz";
url = mirror://debian/pool/main/s/systemd/systemd_239-11~bpo9+1.debian.tar.xz;
sha256 = "136f6p4jbi4z94mf4g099dfcacwka8jwhza0wxxw2q5l5q3xiysh";
};
# Note that we skip debian-specific patches, i.e. ./debian/patches/debian/*
in ''
tar xf ${patches-deb}
patches="$patches $(cat debian/patches/series | grep -v '^debian/' | sed 's|^|debian/patches/|')"
'';

outputs = [ "out" "lib" "man" "dev" ];

nativeBuildInputs =
@@ -91,7 +107,6 @@ in stdenv.mkDerivation rec {
"-Dsulogin-path=${utillinux}/bin/sulogin"
"-Dmount-path=${utillinux}/bin/mount"
"-Dumount-path=${utillinux}/bin/umount"
"-Ddns-over-tls=false"
];

preConfigure = ''
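Review bot: The comment inside `patches-deb` treats the URL disappearing as the cue that Debian has published new (probably security) patches, but `fetchurl` with a fixed `sha256` is normally satisfied from the local store or a binary cache, so a vanished URL can go unnoticed for a long time. I would state that in the comment, e.g. `# A cached tarball hides a vanished URL; check Debian's systemd changelog for new security patches when touching this.` Separately, the `series` filter in `prePatch` drops only `debian/` entries, so any comment or blank line in that file would be turned into a bogus patch path; `grep -Ev '^(debian/|#|$)'` would skip those as well. The `mkDerivation` body continues outside this hunk.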