
Comparing changes

base repository: NixOS/nixpkgs
base: 8d4cb4e2142b
head repository: NixOS/nixpkgs
compare: d41f20e9ccb5
  • 11 commits
  • 12 files changed
  • 6 contributors

Commits on Sep 23, 2017

  1. giv: 20150811-git (broken) -> 0.9.26

    (cherry picked from commit 5da7552)
    womfoo authored and globin committed Sep 23, 2017

    Verified

    This commit was signed with the committer’s verified signature. The key has expired.
    minijackson Rémi NICOLE
    99d7dcd View commit details
  2. trackballs: 1.1.4 (broken) -> 1.2.3

    (cherry picked from commit 92ec5cd)
    womfoo authored and globin committed Sep 23, 2017
    06caa2a View commit details
  3. tor: enable parallel building

    (cherry picked from commit fd3a9e6)
    joachifm authored and globin committed Sep 23, 2017
    a8120e1 View commit details
  4. snapper: 0.3.3 -> 0.5.0

    (cherry picked from commit 6bf5665)
    joachifm authored and globin committed Sep 23, 2017
    6a17d11 View commit details
  5. nixos/hardened: simplify script

    (cherry picked from commit 15a4f9d)
    joachifm authored and globin committed Sep 23, 2017
    ce59db3 View commit details
  6. nixos/hardened test: add failing test-case for deferred mounts

    (cherry picked from commit bccaf63)
    joachifm authored and globin committed Sep 23, 2017
    cf4e7c0 View commit details
  7. nixos/lock-kernel-modules: fix deferred fileSystem mounts

    Ensure that modules required by all declared fileSystems are explicitly
    loaded.  A little ugly but fixes the deferred mount test.
    
    See also #29019
    
    (cherry picked from commit 1df6cf5)
    joachifm authored and globin committed Sep 23, 2017
    8dd308c View commit details
  8. ferm: 2.3.1 -> 2.4.1

    (cherry picked from commit e9a56e7)
    andir authored and globin committed Sep 23, 2017
    7dda547 View commit details
  9. python.pkgs: alias dateutil to python-dateutil

    (cherry picked from commit 5e91691)
    FRidh authored and globin committed Sep 23, 2017
    d5cc00e View commit details
  10. singular: use gcc5

    Progress on: #28643
    Fixes: #29682
    
    (cherry picked from commit f7d7c7b)
    7c6f434c authored and globin committed Sep 23, 2017
    5cf35d7 View commit details
  11. dockerTools.buildImage: Switch to the format image generated by Skopeo

    We were using 'Combined Image JSON + Filesystem Changeset Format' [1] to
    unpack and pack image and this patch switches to the format used by the registry.
    
    We used the 'repository' file which is not generated by Skopeo when it
    pulls an image. Moreover, all the information in this file is also in the
    manifest.json file.
    We then use the manifest.json file instead of 'repository' file. Note
    also the manifest.json file is required to push an image with Skopeo.
    
    Fix #29636
    
    [1] https://github.com/moby/moby/blob/749d90e10f989802638ae542daf54257f3bf71f2/image/spec/v1.1.md#combined-image-json--filesystem-changeset-format
    
    (cherry picked from commit 35f205a)
    nlewo authored and globin committed Sep 23, 2017
    d41f20e View commit details
12 changes: 10 additions & 2 deletions nixos/modules/security/lock-kernel-modules.nix
@@ -17,19 +17,27 @@ with lib;
};

config = mkIf config.security.lockKernelModules {
boot.kernelModules = concatMap (x:
if x.device != null
then
if x.fsType == "vfat"
then [ "vfat" "nls-cp437" "nls-iso8859-1" ]
else [ x.fsType ]
else []) config.system.build.fileSystems;

systemd.services.disable-kernel-module-loading = rec {
description = "Disable kernel module loading";

wantedBy = [ config.systemd.defaultUnit ];
after = [ "systemd-udev-settle.service" "firewall.service" "systemd-modules-load.service" ] ++ wantedBy;

script = "echo -n 1 > /proc/sys/kernel/modules_disabled";
after = [ "systemd-udev-settle.service" "firewall.service" "systemd-modules-load.service" ] ++ wantedBy;

unitConfig.ConditionPathIsReadWrite = "/proc/sys/kernel";

serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "/bin/sh -c 'echo -n 1 >/proc/sys/kernel/modules_disabled'";
};
};
};
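Review bot: The added `boot.kernelModules` expression passes `x.fsType` through as a module name for every file system that has a device, so non-module values such as `auto` (the NixOS default when no type is given), `none` or `tmpfs` would be handed to systemd-modules-load and produce load errors before the lock service runs. Filtering them out keeps the list to real modules, for example `else optional (!(elem x.fsType [ "auto" "none" "tmpfs" ])) x.fsType`. Only vfat gets its helper modules (`nls-cp437`, `nls-iso8859-1`) listed, so other file systems that need codepage or similar helper modules would presumably still fail to mount once `modules_disabled` is set; a comment above the expression should state that limitation. The option declaration for `security.lockKernelModules` starts outside the hunk.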
19 changes: 19 additions & 0 deletions nixos/tests/hardened.nix
@@ -10,6 +10,17 @@ import ./make-test.nix ({ pkgs, ...} : {
{ users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; };
users.users.sybil = { isNormalUser = true; group = "wheel"; };
imports = [ ../modules/profiles/hardened.nix ];
virtualisation.emptyDiskImages = [ 4096 ];
boot.initrd.postDeviceCommands = ''
${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb
'';
fileSystems = lib.mkVMOverride {
"/efi" = {
device = "/dev/disk/by-label/EFISYS";
fsType = "vfat";
options = [ "noauto" ];
};
};
};

testScript =
@@ -42,5 +53,13 @@ import ./make-test.nix ({ pkgs, ...} : {
subtest "kcore", sub {
$machine->fail("cat /proc/kcore");
};
# Test deferred mount
subtest "mount", sub {
$machine->fail("mountpoint -q /efi"); # was deferred
$machine->execute("mkdir -p /efi");
$machine->succeed("mount /dev/disk/by-label/EFISYS /efi");
$machine->succeed("mountpoint -q /efi"); # now mounted
};
'';
})
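Review bot: The new "mount" subtest never asserts that module loading is actually locked before it mounts the vfat volume, so it would also pass if the `disable-kernel-module-loading` unit had not run yet and the kernel loaded `vfat` on demand. Adding `$machine->succeed("grep -Fxq 1 /proc/sys/kernel/modules_disabled");` as the first line of the subtest pins the condition under test; an earlier wait for the unit may exist in the part of `testScript` outside the hunk. `$machine->execute("mkdir -p /efi");` discards the exit status and would be clearer as `succeed`.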
17 changes: 11 additions & 6 deletions pkgs/applications/graphics/giv/build.patch
@@ -2,16 +2,21 @@ Get the environment propagated to scons forked childs, and correct the dicom plu
a typedef of size_t that failed at least on x86_64-linux.

diff --git a/SConstruct b/SConstruct
index 16eccd9..603e931 100644
index 9e752d6..f93f27f 100644
--- a/SConstruct
+++ b/SConstruct
@@ -7,8 +7,7 @@ else:
cppflags = ['-O2']
variant = 'Release'
@@ -9,13 +9,7 @@ else:

commit_id = os.popen('git rev-parse HEAD').read().replace('\n','')

-env = Environment(LIBPATH=[],
- CPPFLAGS = cppflags)
- CPPFLAGS = cppflags + ['-Wno-deprecated-declarations',
- '-Wno-reorder',
- '-Wno-unused-but-set-variable',
- '-Wno-unused-function'],
- CXXFLAGS=['-std=c++1y']
- )
+env = Environment(ENV = os.environ)

env['SBOX'] = False

env['COMMITIDSHORT'] = commit_id[0:6]
7 changes: 4 additions & 3 deletions pkgs/applications/graphics/giv/default.nix
Original file line number Diff line number Diff line change
@@ -2,13 +2,14 @@
pcre, cfitsio, perl, gob2, vala_0_23, libtiff, json_glib }:

stdenv.mkDerivation rec {
name = "giv-20150811-git";
name = "giv-${version}";
version = "0.9.26";

src = fetchFromGitHub {
owner = "dov";
repo = "giv";
rev = "64648bfbbf10ec4a9adfbc939c96c7d1dbdce57a";
sha256 = "1sz2n7jbmg3g97bs613xxjpzqbsl5rvpg6v7g3x3ycyd35r8vsfp";
rev = "v${version}";
sha256 = "1sfm8j3hvqij6z3h8xz724d7hjqqbzljl2a6pp4yjpnnrxksnic2";
};

hardeningDisable = [ "format" ];
4 changes: 2 additions & 2 deletions pkgs/applications/science/math/singular/default.nix
@@ -15,8 +15,8 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ autoconf bison pkgconfig ];

preConfigure = ''
find . -exec sed -e 's@/bin/rm@${coreutils}&@g' -i '{}' ';'
find . -exec sed -e 's@/bin/uname@${coreutils}&@g' -i '{}' ';'
find . -type f -exec sed -e 's@/bin/rm@${coreutils}&@g' -i '{}' ';'
find . -type f -exec sed -e 's@/bin/uname@${coreutils}&@g' -i '{}' ';'
${stdenv.lib.optionalString asLibsingular ''NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -DLIBSINGULAR"''}
'';
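Review bot: The `sed` patterns `/bin/rm` and `/bin/uname` are unanchored, so an occurrence of `/usr/bin/rm` in the tree would be rewritten to `/usr${coreutils}/bin/rm`; whether the Singular sources contain such paths is not visible here. The two passes also spawn one `sed` per file each, and a single traversal does the same work: `find . -type f -exec sed -i -e 's@/bin/rm@${coreutils}&@g' -e 's@/bin/uname@${coreutils}&@g' '{}' +`.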

111 changes: 34 additions & 77 deletions pkgs/build-support/docker/default.nix
@@ -135,7 +135,7 @@ rec {
};
inherit fromImage fromImageName fromImageTag;

buildInputs = [ utillinux e2fsprogs jshon rsync ];
buildInputs = [ utillinux e2fsprogs jshon rsync jq ];
} ''
rm -rf $out
@@ -144,44 +144,29 @@ rec {
mount /dev/${vmTools.hd} disk
cd disk
layers=""
if [[ -n "$fromImage" ]]; then
echo "Unpacking base image..."
mkdir image
tar -C image -xpf "$fromImage"
# If the image name isn't set, read it from the image repository json.
if [[ -z "$fromImageName" ]]; then
fromImageName=$(jshon -k < image/repositories | head -n 1)
echo "From-image name wasn't set. Read $fromImageName."
fi
# If the tag isn't set, use the name as an index into the json
# and read the first key found.
if [[ -z "$fromImageTag" ]]; then
fromImageTag=$(jshon -e $fromImageName -k < image/repositories \
| head -n1)
echo "From-image tag wasn't set. Read $fromImageTag."
fi
# Use the name and tag to get the parent ID field.
parentID=$(jshon -e $fromImageName -e $fromImageTag -u \
< image/repositories)
layers=$(jq -r '.[0].Layers | join(" ")' image/manifest.json)
fi
# Unpack all of the parent layers into the image.
# Unpack all of the layers into the image.
# Layer list is ordered starting from the base image
lowerdir=""
while [[ -n "$parentID" ]]; do
echo "Unpacking layer $parentID"
mkdir -p image/$parentID/layer
tar -C image/$parentID/layer -xpf image/$parentID/layer.tar
rm image/$parentID/layer.tar
for layer in $layers; do
echo "Unpacking layer $layer"
layerDir=image/$(echo $layer | cut -d':' -f2)"_unpacked"
mkdir -p $layerDir
tar -C $layerDir -xpf image/$layer
chmod a+w image/$layer
rm image/$layer
find image/$parentID/layer -name ".wh.*" -exec bash -c 'name="$(basename {}|sed "s/^.wh.//")"; mknod "$(dirname {})/$name" c 0 0; rm {}' \;
find $layerDir -name ".wh.*" -exec bash -c 'name="$(basename {}|sed "s/^.wh.//")"; mknod "$(dirname {})/$name" c 0 0; rm {}' \;
# Get the next lower directory and continue the loop.
lowerdir=$lowerdir''${lowerdir:+:}image/$parentID/layer
parentID=$(cat image/$parentID/json \
| (jshon -e parent -u 2>/dev/null || true))
lowerdir=$lowerdir''${lowerdir:+:}$layerDir
done
mkdir work
@@ -446,26 +431,17 @@ rec {
mkdir image
touch baseFiles
layers=""
if [[ -n "$fromImage" ]]; then
echo "Unpacking base image..."
tar -C image -xpf "$fromImage"
# Do not import the base image configuration and manifest
chmod a+w image image/*.json
rm -f image/*.json
if [[ -z "$fromImageName" ]]; then
fromImageName=$(jshon -k < image/repositories|head -n1)
fi
if [[ -z "$fromImageTag" ]]; then
fromImageTag=$(jshon -e $fromImageName -k \
< image/repositories|head -n1)
fi
parentID=$(jshon -e $fromImageName -e $fromImageTag -u \
< image/repositories)
for l in image/*/layer.tar; do
ls_tar $l >> baseFiles
config=$(jq -r '.[0].Config' image/manifest.json)
layers=$(jq -r '.[0].Layers | join(" ")' image/manifest.json)
for l in $layers; do
ls_tar image/$l >> baseFiles
done
chmod u+w image image/$config
rm image/$config
fi
chmod -R ug+rw image
@@ -492,47 +468,28 @@ rec {
tar -rpf temp/layer.tar --mtime="@$SOURCE_DATE_EPOCH" \
--owner=0 --group=0 --no-recursion --files-from newFiles
echo "Adding meta..."
# If we have a parentID, add it to the json metadata.
if [[ -n "$parentID" ]]; then
cat temp/json | jshon -s "$parentID" -i parent > tmpjson
mv tmpjson temp/json
fi
# Take the sha256 sum of the generated json and use it as the layer ID.
# Compute the size and add it to the json under the 'Size' field.
layerID=$(sha256sum temp/json|cut -d ' ' -f 1)
size=$(stat --printf="%s" temp/layer.tar)
cat temp/json | jshon -s "$layerID" -i id -n $size -i Size > tmpjson
mv tmpjson temp/json
# Use the temp folder we've been working on to create a new image.
mv temp image/$layerID
gzip temp/layer.tar
layerID="sha256:$(sha256sum temp/layer.tar.gz | cut -d ' ' -f 1)"
mv temp/layer.tar.gz image/$layerID
# Create image json and image manifest
echo "Generating image configuration and manifest..."
imageJson=$(cat ${baseJson} | jq ". + {\"rootfs\": {\"diff_ids\": [], \"type\": \"layers\"}}")
manifestJson=$(jq -n "[{\"RepoTags\":[\"$imageName:$imageTag\"]}]")
currentID=$layerID
while [[ -n "$currentID" ]]; do
layerChecksum=$(sha256sum image/$currentID/layer.tar | cut -d ' ' -f1)
imageJson=$(echo "$imageJson" | jq ".history |= [{\"created\": \"${created}\"}] + .")
imageJson=$(echo "$imageJson" | jq ".rootfs.diff_ids |= [\"sha256:$layerChecksum\"] + .")
manifestJson=$(echo "$manifestJson" | jq ".[0].Layers |= [\"$currentID/layer.tar\"] + .")
currentID=$(cat image/$currentID/json | (jshon -e parent -u 2>/dev/null || true))
# The layer list is ordered starting from the base image
layers=$(echo $layers $layerID)
for i in $(echo $layers); do
imageJson=$(echo "$imageJson" | jq ".history |= [{\"created\": \"${created}\"}] + .")
diffId=$(gzip -dc image/$i | sha256sum | cut -d" " -f1)
imageJson=$(echo "$imageJson" | jq ".rootfs.diff_ids |= [\"sha256:$diffId\"] + .")
manifestJson=$(echo "$manifestJson" | jq ".[0].Layers |= [\"$i\"] + .")
done
imageJsonChecksum=$(echo "$imageJson" | sha256sum | cut -d ' ' -f1)
echo "$imageJson" > "image/$imageJsonChecksum.json"
manifestJson=$(echo "$manifestJson" | jq ".[0].Config = \"$imageJsonChecksum.json\"")
echo "$imageJson" > "image/sha256:$imageJsonChecksum"
manifestJson=$(echo "$manifestJson" | jq ".[0].Config = \"sha256:$imageJsonChecksum\"")
echo "$manifestJson" > image/manifest.json
# Store the json under the name image/repositories.
jshon -n object \
-n object -s "$layerID" -i "$imageTag" \
-i "$imageName" > image/repositories
# Make the image read-only.
chmod -R a-w image
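Review bot: The new manifest loop in the last hunk appears to emit layers in reverse order: `layers` is documented as base-first, yet each iteration still prepends (`[\"$i\"] + .`), so `.[0].Layers` and `rootfs.diff_ids` end up newest-layer-first, whereas the removed loop walked from the newest layer down and needed the prepend. Appending keeps the base-first order, i.e. the jq filters `.rootfs.diff_ids |= . + [\"sha256:$diffId\"]` and `.[0].Layers |= . + [\"$i\"]`. The same inversion seems to affect the first hunk, where `lowerdir` is extended on the right while iterating base-first although overlayfs treats the leftmost lowerdir as the topmost; `lowerdir=$layerDir''${lowerdir:+:}$lowerdir` would restore the stacking, which matters because a wrong order lets files from older layers shadow newer ones. Separately, the layer and config names read from `image/manifest.json` are expanded unquoted into `tar`, `chmod` and `rm` paths; quoting them and rejecting entries that contain `..` or start with `/` would keep a malformed base image from touching paths outside `image/`. `gzip temp/layer.tar` also records the input file's timestamp in the archive header, so `gzip -n` is needed if the resulting `layerID` digest is meant to be reproducible.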
35 changes: 11 additions & 24 deletions pkgs/games/trackballs/default.nix
@@ -1,35 +1,22 @@
{ stdenv, fetchurl, SDL, mesa, SDL_ttf, gettext, zlib, SDL_mixer, SDL_image, guile
, debug ? false }:
{ stdenv, fetchFromGitHub, cmake, SDL2, SDL2_ttf, gettext, zlib, SDL2_mixer, SDL2_image, guile, mesa }:

with stdenv.lib;

stdenv.mkDerivation rec {
name = "trackballs-1.1.4";

src = fetchurl {
url = mirror://sourceforge/trackballs/trackballs-1.1.4.tar.gz;
sha256 = "19ilnif59sxa8xmfisk90wngrd11pj8s86ixzypv8krm4znbm7a5";
name = "trackballs-${version}";
version = "1.2.3";

src = fetchFromGitHub {
owner = "trackballs";
repo = "trackballs";
rev = "v${version}";
sha256 = "13f28frni7fkalxx4wqvmkzz7ba3d8pic9f9sd2z9wa6gbjs9zrf";
};

buildInputs = [ zlib mesa SDL SDL_ttf SDL_mixer SDL_image guile gettext ];

hardeningDisable = [ "format" ];

CFLAGS = optionalString debug "-g -O0";
CXXFLAGS = CFLAGS;
dontStrip = debug;
postUnpack = optionalString debug
"mkdir -p $out/src; cp -R * $out/src ; cd $out/src";

NIX_CFLAGS_COMPILE = "-iquote ${SDL.dev}/include/SDL";
configureFlags = optionalString debug "--enable-debug";

patchPhase = ''
sed -i -e 's/images icons music/images music/' share/Makefile.in
'';
buildInputs = [ cmake zlib SDL2 SDL2_ttf SDL2_mixer SDL2_image guile gettext mesa ];

meta = {
homepage = http://trackballs.sourceforge.net/;
homepage = https://trackballs.github.io/;
description = "3D Marble Madness clone";
platforms = stdenv.lib.platforms.linux;
};
4 changes: 2 additions & 2 deletions pkgs/tools/misc/snapper/default.nix
@@ -5,13 +5,13 @@

stdenv.mkDerivation rec {
name = "snapper-${version}";
version = "0.3.3";
version = "0.5.0";

src = fetchFromGitHub {
owner = "openSUSE";
repo = "snapper";
rev = "v${version}";
sha256 = "12c2ygaanr4gny4ixnly4vpi0kv7snbg3khr3i5zwridhmdzz9hm";
sha256 = "14hrv23film4iihyclcvc2r2dgxl8w3as50r81xjjc85iyp6yxkm";
};

nativeBuildInputs = [
6 changes: 3 additions & 3 deletions pkgs/tools/networking/ferm/default.nix
@@ -1,12 +1,12 @@
{ stdenv, fetchurl, makeWrapper, perl, ebtables, ipset, iptables }:

stdenv.mkDerivation rec {
version = "2.3.1";
version = "2.4.1";
name = "ferm-${version}";

src = fetchurl {
url = "http://ferm.foo-projects.org/download/2.3/ferm-${version}.tar.gz";
sha256 = "1scdnd2jk4787jyr6fxav2598g0x7hjic5b8bj77j8s0hki48m4a";
url = "http://ferm.foo-projects.org/download/2.4/ferm-${version}.tar.xz";
sha256 = "1fv8wk513yysp4q0i65rl2m0hg2lxwwgk9ppprsca1xcxrdpsvwa";
};

buildInputs = [ perl ipset ebtables iptables makeWrapper ];
2 changes: 2 additions & 0 deletions pkgs/tools/security/tor/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {

outputs = [ "out" "geoip" ];

enableParallelBuilding = true;

nativeBuildInputs = [ pkgconfig ];
buildInputs = [ libevent openssl zlib ] ++
stdenv.lib.optionals stdenv.isLinux [ libseccomp systemd libcap ];
10 changes: 5 additions & 5 deletions pkgs/top-level/all-packages.nix
@@ -17709,10 +17709,7 @@ with pkgs;

tome4 = callPackage ../games/tome4 { };

trackballs = callPackage ../games/trackballs {
debug = false;
guile = guile_1_8;
};
trackballs = callPackage ../games/trackballs { };

tremulous = callPackage ../games/tremulous { };

@@ -18477,9 +18474,12 @@ with pkgs;
inherit (gnome3) gtksourceview;
};

singular = callPackage ../applications/science/math/singular {};
singular = callPackage ../applications/science/math/singular {
stdenv = overrideCC stdenv gcc5;
};
libsingular = callPackage ../applications/science/math/singular {
asLibsingular = true;
stdenv = overrideCC stdenv gcc5;
};

scilab = callPackage ../applications/science/math/scilab {