Merge branch 'master' into staging

* master: (80 commits) lkl: Supports aarch64 wimlib: nitpicks gitAndTools.git-codeowners: 0.1.1 -> 0.1.2 wimlib: init at 1.12.0 kernel: improve modDirVersion error message releaseTools.sourceTarball: Clean up temporary files dotnetPackages.SmartIrc4net: rehash source migmix: make it a fixed-output derivation vm: Create /dev/full samba: 4.6.8 -> 4.6.11 to address CVEs CVE-2017-14746 & CVE-2017-15275 microcodeIntel: 20170707 -> 20171117 sshd: Remove ripemd160 MACs kernel config: Enable MEDIA_CONTROLLER linux: 4.4.99 -> 4.4.100 linux: 4.9.63 -> 4.9.64 nix-bash-completions: 0.4 -> 0.5 linux: 4.14 -> 4.14.1 linux: 4.13.14 -> 4.13.15 nix-zsh-completions: 0.3.3 -> 0.3.5 dns-root-data: use a stable URL that I maintain anyway ...
NixOS · Nov 21, 2017 · b8e1e71 · b8e1e71 · orivej · Dec 1, 2017
2 parents 71a2a5a + 91d2cf9
commit b8e1e71
Show file tree

Hide file tree

Showing 81 changed files with 6,114 additions and 2,441 deletions.
diff --git a/lib/maintainers.nix b/lib/maintainers.nix
@@ -415,6 +415,7 @@
   michelk = "Michel Kuhlmann <michel@kuhlmanns.info>";
   midchildan = "midchildan <midchildan+nix@gmail.com>";
   mikefaille = "Michaël Faille <michael@faille.io>";
+  mikoim = "Eshin Kunishima <ek@esh.ink>";
   miltador = "Vasiliy Solovey <miltador@yandex.ua>";
   mimadrid = "Miguel Madrid <mimadrid@ucm.es>";
   mirdhyn = "Merlin Gaillard <mirdhyn@gmail.com>";

diff --git a/nixos/doc/manual/release-notes/rl-1803.xml b/nixos/doc/manual/release-notes/rl-1803.xml
@@ -72,6 +72,29 @@ following incompatible changes:</para>
       <option>services.pgmanage</option>.
     </para>
   </listitem>
+  <listitem>
+    <para>
+      <emphasis role="strong">
+        The OpenSSH service no longer enables support for DSA keys by default,
+        which could cause a system lock out. Update your keys or, unfavorably,
+        re-enable DSA support manually.
+      </emphasis>
+    </para>
+
+    <para>
+      DSA support was
+      <link xlink:href="https://www.openssh.com/legacy.html">deprecated in OpenSSH 7.0</link>,
+      due to it being too weak. To re-enable support, add
+      <literal>PubkeyAcceptedKeyTypes +ssh-dss</literal> to the end of your
+      <option>services.openssh.extraConfig</option>.
+    </para>
+
+    <para>
+      After updating the keys to be stronger, anyone still on a pre-17.03
+      version is safe to jump to 17.03, as vetted
+      <link xlink:href="https://search.nix.gsc.io/?q=stateVersion">here</link>.
+    </para>
+  </listitem>
 </itemizedlist>
 
 </section>

diff --git a/nixos/modules/programs/bash/bash.nix b/nixos/modules/programs/bash/bash.nix
@@ -197,8 +197,9 @@ in
         fi
       '';
 
-    # Configuration for readline in bash.
-    environment.etc."inputrc".source = ./inputrc;
+    # Configuration for readline in bash. We use "option default"
+    # priority to allow user override using both .text and .source.
+    environment.etc."inputrc".source = mkOptionDefault ./inputrc;
 
     users.defaultUserShell = mkDefault pkgs.bashInteractive;
 

diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
@@ -54,8 +54,6 @@ let
     ));
   in listToAttrs (map mkAuthKeyFile usersWithKeys);
 
-  supportOldHostKeys = !versionAtLeast config.system.stateVersion "15.07";
-
 in
 
 {
@@ -191,9 +189,6 @@ in
         default =
           [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; }
             { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
-          ] ++ optionals supportOldHostKeys
-          [ { type = "dsa"; path = "/etc/ssh/ssh_host_dsa_key"; }
-            { type = "ecdsa"; bits = 521; path = "/etc/ssh/ssh_host_ecdsa_key"; }
           ];
         description = ''
           NixOS can automatically generate SSH host keys.  This option
@@ -363,14 +358,21 @@ in
           HostKey ${k.path}
         '')}
 
-        # Allow DSA client keys for now. (These were deprecated
-        # in OpenSSH 7.0.)
-        PubkeyAcceptedKeyTypes +ssh-dss
+        ### Recommended settings from both:
+        # https://stribika.github.io/2015/01/04/secure-secure-shell.html
+        # and
+        # https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
 
-        # Re-enable DSA host keys for now.
-        ${optionalString supportOldHostKeys ''
-          HostKeyAlgorithms +ssh-dss
-        ''}
+        KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+        Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+        MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+        # LogLevel VERBOSE logs user's key fingerprint on login.
+        # Needed to have a clear audit track of which key was used to log in.
+        LogLevel VERBOSE
+
+        # Use kernel sandbox mechanisms where possible in unprivileged processes.
+        UsePrivilegeSeparation sandbox
       '';
 
     assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;

diff --git a/pkgs/applications/altcoins/default.nix b/pkgs/applications/altcoins/default.nix
@@ -32,9 +32,6 @@ rec {
   };
   go-ethereum-classic = callPackage ./go-ethereum-classic { };
 
-  hivemind = callPackage ./hivemind.nix { withGui = true; };
-  hivemindd = callPackage ./hivemind.nix { withGui = false; };
-
   litecoin  = callPackage ./litecoin.nix { withGui = true; };
   litecoind = callPackage ./litecoin.nix { withGui = false; };
 

diff --git a/pkgs/applications/altcoins/hivemind.nix b/pkgs/applications/altcoins/hivemind.nix
diff --git a/pkgs/applications/audio/deadbeef/default.nix b/pkgs/applications/audio/deadbeef/default.nix
@@ -57,7 +57,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "mirror://sourceforge/project/deadbeef/${name}.tar.bz2";
-    sha256 = "0rwdxxn7h94vlgblbkswyvj6pm82488v8x5nrmlrcsbzjjf2pccw";
+    sha256 = "1168hgr1nf27pf24n1rlfh1kx1wiscwhpbhqw0rprwy203gsnqwa";
   };
 
   buildInputs = with stdenv.lib; [ jansson ]

diff --git a/pkgs/applications/audio/mopidy-iris/default.nix b/pkgs/applications/audio/mopidy-iris/default.nix
@@ -2,12 +2,12 @@
 
 pythonPackages.buildPythonApplication rec {
   name = "mopidy-iris-${version}";
-  version = "3.6.1";
+  version = "3.8.2";
 
   src = pythonPackages.fetchPypi {
     inherit version;
     pname = "Mopidy-Iris";
-    sha256 = "1mfi3qx7pvfq4rz0py39lnbzv7sq703b6k6mypzhj1gdzbisfn46";
+    sha256 = "051bzs8p2zz960mi9cmv51q1fmmm15nnb9apph9icicr0p8g7lif";
   };
 
   propagatedBuildInputs = [

diff --git a/pkgs/applications/audio/tomahawk/default.nix b/pkgs/applications/audio/tomahawk/default.nix
@@ -47,10 +47,9 @@ stdenv.mkDerivation rec {
   enableParallelBuilding = true;
 
   meta = with stdenv.lib; {
-    description = "A multi-source music player";
+    description = "A multi-source music player (unmaintained)";
     homepage = http://tomahawk-player.org/;
     license = licenses.gpl3Plus;
     platforms = platforms.all;
-    maintainers = [ maintainers.aszlig ];
   };
 }
diff --git a/pkgs/applications/editors/emacs-modes/elpa-generated.nix b/pkgs/applications/editors/emacs-modes/elpa-generated.nix
@@ -755,10 +755,10 @@
     el-search = callPackage ({ elpaBuild, emacs, fetchurl, lib, stream }:
     elpaBuild {
         pname = "el-search";
-        version = "1.3.2";
+        version = "1.4";
         src = fetchurl {
-          url = "https://elpa.gnu.org/packages/el-search-1.3.2.tar";
-          sha256 = "0lf0hk2pvy9yrb02sa3bg0hipshbgl9m4hx7db46jvmz5bf15nfq";
+          url = "https://elpa.gnu.org/packages/el-search-1.4.tar";
+          sha256 = "0fzsq1wdkb94dk67ligdwc7kyl0x9bifgl2qvvf0hsj4zws4pgjg";
         };
         packageRequires = [ emacs stream ];
         meta = {
@@ -1053,10 +1053,10 @@
       }) {};
     hyperbole = callPackage ({ elpaBuild, emacs, fetchurl, lib }: elpaBuild {
         pname = "hyperbole";
-        version = "6.0.2";
+        version = "7.0.0";
         src = fetchurl {
-          url = "https://elpa.gnu.org/packages/hyperbole-6.0.2.tar";
-          sha256 = "0nyihi7j2061jpdzl4mf4pki840hkfpwj0m2sqz0nqxd689ckwpg";
+          url = "https://elpa.gnu.org/packages/hyperbole-7.0.0.tar";
+          sha256 = "07cy40yfxwka1r6i01pgrf9a3n9ms5xw2x486jd803dhfkm3113b";
         };
         packageRequires = [ emacs ];
         meta = {
@@ -1570,10 +1570,10 @@
       }) {};
     org = callPackage ({ elpaBuild, fetchurl, lib }: elpaBuild {
         pname = "org";
-        version = "20171113";
+        version = "20171120";
         src = fetchurl {
-          url = "https://elpa.gnu.org/packages/org-20171113.tar";
-          sha256 = "0yynbzxbsjv0z12ydjgz81ysbg2irq37d9pzar8wspdjij15dypb";
+          url = "https://elpa.gnu.org/packages/org-20171120.tar";
+          sha256 = "0hxy061g1qd77pvx8mq5rb9avx139x4z5nmjhdq518xhg7kxmq6a";
         };
         packageRequires = [];
         meta = {

diff --git a/pkgs/applications/editors/emacs-modes/elpa-packages.nix b/pkgs/applications/editors/emacs-modes/elpa-packages.nix
@@ -39,6 +39,7 @@ self:
       el-search = markBroken super.el-search; # requires emacs-25
       iterators = markBroken super.iterators; # requires emacs-25
       midi-kbd = markBroken super.midi-kbd; # requires emacs-25
+      rcirc-menu = markBroken super.rcirc-menu; # Missing file header
       stream = markBroken super.stream; # requires emacs-25
       cl-lib = null; # builtin
       tle = null; # builtin