diff --git a/nixos/tests/apparmor.nix b/nixos/tests/apparmor.nix index 99a5cd558eb02..be91e9632849c 100644 --- a/nixos/tests/apparmor.nix +++ b/nixos/tests/apparmor.nix @@ -1,4 +1,4 @@ -import ./make-test-python.nix ({ pkgs, ... } : { +import ./make-test-python.nix ({ pkgs, lib, ... } : { name = "apparmor"; meta.maintainers = with lib.maintainers; [ julm ]; @@ -27,7 +27,7 @@ import ./make-test-python.nix ({ pkgs, ... } : { # 4. Using `diff` against the expected output. with subtest("apparmorRulesFromClosure"): machine.succeed( - "${pkgs.diffutils}/bin/diff ${pkgs.writeText "expected.rules" '' + "${pkgs.diffutils}/bin/diff -u ${pkgs.writeText "expected.rules" '' mr ${pkgs.bash}/lib/**.so*, r ${pkgs.bash}, r ${pkgs.bash}/etc/**, @@ -64,6 +64,12 @@ import ./make-test-python.nix ({ pkgs, ... } : { r ${pkgs.libunistring}/lib/**, r ${pkgs.libunistring}/share/**, x ${pkgs.libunistring}/foo/**, + mr ${pkgs.glibc.libgcc}/lib/**.so*, + r ${pkgs.glibc.libgcc}, + r ${pkgs.glibc.libgcc}/etc/**, + r ${pkgs.glibc.libgcc}/lib/**, + r ${pkgs.glibc.libgcc}/share/**, + x ${pkgs.glibc.libgcc}/foo/**, ''} ${pkgs.runCommand "actual.rules" { preferLocalBuild = true; } '' ${pkgs.gnused}/bin/sed -e 's:^[^ ]* ${builtins.storeDir}/[^,/-]*-\([^/,]*\):\1 \0:' ${ pkgs.apparmorRulesFromClosure { diff --git a/nixos/tests/nginx-http3.nix b/nixos/tests/nginx-http3.nix index f003130b46f54..fc9f31037f989 100644 --- a/nixos/tests/nginx-http3.nix +++ b/nixos/tests/nginx-http3.nix 
@@ -76,19 +76,19 @@ in server.wait_for_open_port(443) # Check http connections - client.succeed("curl --verbose --http3 https://acme.test | grep 'Hello World!'") + client.succeed("curl --verbose --http3-only https://acme.test | grep 'Hello World!'") # Check downloadings - client.succeed("curl --verbose --http3 https://acme.test/example.txt --output /tmp/example.txt") + client.succeed("curl --verbose --http3-only https://acme.test/example.txt --output /tmp/example.txt") client.succeed("cat /tmp/example.txt | grep 'Check http3 protocol.'") # Check header reading - client.succeed("curl --verbose --http3 --head https://acme.test | grep 'content-type'") - client.succeed("curl --verbose --http3 --head https://acme.test | grep 'HTTP/3 200'") - client.succeed("curl --verbose --http3 --head https://acme.test/error | grep 'HTTP/3 404'") + client.succeed("curl --verbose --http3-only --head https://acme.test | grep 'content-type'") + client.succeed("curl --verbose --http3-only --head https://acme.test | grep 'HTTP/3 200'") + client.succeed("curl --verbose --http3-only --head https://acme.test/error | grep 'HTTP/3 404'") # Check change User-Agent - client.succeed("curl --verbose --http3 --user-agent 'Curl test 3.0' https://acme.test") + client.succeed("curl --verbose --http3-only --user-agent 'Curl test 3.0' https://acme.test") server.succeed("cat /var/log/nginx/access.log | grep 'Curl test 3.0'") server.shutdown() diff --git a/nixos/tests/systemd-boot-ovmf-broken-fat-driver.patch b/nixos/tests/systemd-boot-ovmf-broken-fat-driver.patch new file mode 100644 index 0000000000000..ef547c02f9187 --- /dev/null +++ b/nixos/tests/systemd-boot-ovmf-broken-fat-driver.patch 
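Review bot: Nothing in the hunk records why every call moved from `--http3` to `--http3-only`, and the reason is what makes the test meaningful. With plain `--http3` curl may fall back to an earlier HTTP version, so the body, download and User-Agent checks could pass without QUIC working at all; only the two `--head` checks grep for `HTTP/3`. I would add one comment above the first call: `# --http3-only: no fallback to HTTP/1.1 or HTTP/2, so a broken QUIC listener fails the test`. The test script starts and ends outside the hunk.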
@@ -0,0 +1,25 @@
+From d87a7513c6f2f2824203032ef27caeb84892ed7e Mon Sep 17 00:00:00 2001
+From: Will Fancher
+Date: Tue, 30 May 2023 16:53:20 -0400
+Subject: [PATCH] Intentionally break the fat driver
+
+---
+ FatPkg/EnhancedFatDxe/ReadWrite.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/FatPkg/EnhancedFatDxe/ReadWrite.c b/FatPkg/EnhancedFatDxe/ReadWrite.c
+index 8f525044d1f1..32c62ff7817b 100644
+--- a/FatPkg/EnhancedFatDxe/ReadWrite.c
++++ b/FatPkg/EnhancedFatDxe/ReadWrite.c
+@@ -216,6 +216,11 @@ FatIFileAccess (
+ Volume = OFile->Volume;
+ Task = NULL;
+
++ if (*BufferSize > (10U * 1024U * 1024U)) {
++ IFile->Position += 10U * 1024U * 1024U;
++ return EFI_BAD_BUFFER_SIZE;
++ }
++
+ //
+ // Write to a directory is unsupported
+ //
diff --git a/nixos/tests/systemd-boot.nix b/nixos/tests/systemd-boot.nix
index 94e269ff37bb8..1583b2f814717 100644
--- a/nixos/tests/systemd-boot.nix
+++ b/nixos/tests/systemd-boot.nix
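Review bot: The patch's commit message says only "Intentionally break the fat driver", so someone who meets the .patch file on its own cannot tell it is a test fixture; the rationale lives only in nixos/tests/systemd-boot.nix. I would add a body line under the subject, for example `Test-only fixture for nixos/tests/systemd-boot.nix (uefiLargeFileWorkaround); never apply to an OVMF build that ships.` The added guard sits at the top of FatIFileAccess, ahead of the directory-write check, so it presumably rejects large writes as well as large reads, which the message could state too. The function body continues outside the inner hunk.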
@@ -251,4 +251,30 @@ in machine.succeed("test -e /boot/efi/nixos/.extra-files/efi/netbootxyz/netboot.xyz.efi") ''; }; + + # Some UEFI firmwares fail on large reads. Now that systemd-boot loads initrd + # itself, systems with such firmware won't boot without this fix + uefiLargeFileWorkaround = makeTest { + name = "uefi-large-file-workaround"; + + nodes.machine = { pkgs, ... }: { + imports = [common]; + virtualisation.efi.OVMF = pkgs.OVMF.overrideAttrs (old: { + # This patch deliberately breaks the FAT driver in EDK2 to + # exhibit (part of) the firmware bug that we are testing + # for. Files greater than 10MiB will fail to be read in a + # single Read() call, so systemd-boot will fail to load the + # initrd without a workaround. The number 10MiB was chosen + # because if it were smaller than the kernel size, even the + # LoadImage call would fail, which is not the failure mode + # we're testing for. It needs to be between the kernel size + # and the initrd size. + patches = old.patches or [] ++ [ ./systemd-boot-ovmf-broken-fat-driver.patch ]; + }); + }; + + testScript = '' + machine.wait_for_unit("multi-user.target") + ''; + }; } diff --git a/pkgs/applications/editors/thonny/default.nix b/pkgs/applications/editors/thonny/default.nix index 40ba0701ce717..a6d698b65a131 100644 --- a/pkgs/applications/editors/thonny/default.nix +++ b/pkgs/applications/editors/thonny/default.nix @@ -42,7 +42,6 @@ buildPythonApplication rec { preFixup = '' wrapProgram "$out/bin/thonny" \ - --set TK_LIBRARY "${tk}/lib/${tk.libPrefix}" \ --prefix PYTHONPATH : $PYTHONPATH:$(toPythonPath ${python3.pkgs.jedi}) ''; @@ -64,6 +63,6 @@ buildPythonApplication rec { homepage = "https://www.thonny.org/"; license = licenses.mit; maintainers = with maintainers; [ leenaars ]; - platforms = platforms.linux; + platforms = platforms.unix; }; } diff --git a/pkgs/development/compilers/ghc/9.2.8.nix b/pkgs/development/compilers/ghc/9.2.8.nix new file mode 100644 index 0000000000000..13e787df8e4ae 
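Review bot: The test never checks the precondition its own comment states, that 10 MiB lies between the kernel size and the initrd size; `testScript` only waits for `multi-user.target`. If the initrd ever drops below 10 MiB, the patched firmware reads it in a single call and the test passes without exercising the workaround. I would assert the size after boot, for example `machine.succeed("test $(stat -L -c %s /run/current-system/initrd) -gt 10485760")`, assuming that path resolves to the initrd the boot loader actually loaded. Separately, writing `(old.patches or []) ++ [ ./systemd-boot-ovmf-broken-fat-driver.patch ]` with explicit parentheses spares the reader from having to know that `or` binds tighter than `++`.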
--- /dev/null
+++ b/pkgs/development/compilers/ghc/9.2.8.nix
@@ -0,0 +1,391 @@ +{ lib, stdenv, pkgsBuildTarget, pkgsHostTarget, targetPackages + +# build-tools +, bootPkgs +, autoconf, automake, coreutils, fetchpatch, fetchurl, perl, python3, m4, sphinx +, xattr, autoSignDarwinBinariesHook +, bash + +, libiconv ? null, ncurses +, glibcLocales ? null + +, # GHC can be built with system libffi or a bundled one. + libffi ? null + +, useLLVM ? !(stdenv.targetPlatform.isx86 + || stdenv.targetPlatform.isPower + || stdenv.targetPlatform.isSparc + || (stdenv.targetPlatform.isAarch64 && stdenv.targetPlatform.isDarwin)) +, # LLVM is conceptually a run-time-only dependency, but for + # non-x86, we need LLVM to bootstrap later stages, so it becomes a + # build-time dependency too. + buildTargetLlvmPackages, llvmPackages + +, # If enabled, GHC will be built with the GPL-free but slightly slower native + # bignum backend instead of the faster but GPLed gmp backend. + enableNativeBignum ? !(lib.meta.availableOn stdenv.hostPlatform gmp + && lib.meta.availableOn stdenv.targetPlatform gmp) +, gmp + +, # If enabled, use -fPIC when compiling static libs. + enableRelocatedStaticLibs ? stdenv.targetPlatform != stdenv.hostPlatform + + # aarch64 outputs otherwise exceed 2GB limit +, enableProfiledLibs ? !stdenv.targetPlatform.isAarch64 + +, # Whether to build dynamic libs for the standard library (on the target + # platform). Static libs are always built. + enableShared ? with stdenv.targetPlatform; !isWindows && !useiOSPrebuilt && !isStatic + +, # Whether to build terminfo. + enableTerminfo ? !stdenv.targetPlatform.isWindows + +, # What flavour to build. An empty string indicates no + # specific flavour and falls back to ghc default values. + ghcFlavour ? lib.optionalString (stdenv.targetPlatform != stdenv.hostPlatform) + (if useLLVM then "perf-cross" else "perf-cross-ncg") + +, # Whether to build sphinx documentation. + enableDocs ? 
( + # Docs disabled for musl and cross because it's a large task to keep + # all `sphinx` dependencies building in those environments. + # `sphinx` pulls in among others: + # Ruby, Python, Perl, Rust, OpenGL, Xorg, gtk, LLVM. + (stdenv.targetPlatform == stdenv.hostPlatform) + && !stdenv.hostPlatform.isMusl + ) + +, enableHaddockProgram ? + # Disabled for cross; see note [HADDOCK_DOCS]. + (stdenv.targetPlatform == stdenv.hostPlatform) + +, # Whether to disable the large address space allocator + # necessary fix for iOS: https://www.reddit.com/r/haskell/comments/4ttdz1/building_an_osxi386_to_iosarm64_cross_compiler/d5qvd67/ + disableLargeAddressSpace ? stdenv.targetPlatform.isiOS +}: + +assert !enableNativeBignum -> gmp != null; + +# Cross cannot currently build the `haddock` program for silly reasons, +# see note [HADDOCK_DOCS]. +assert (stdenv.targetPlatform != stdenv.hostPlatform) -> !enableHaddockProgram; + +let + inherit (stdenv) buildPlatform hostPlatform targetPlatform; + + inherit (bootPkgs) ghc; + + # TODO(@Ericson2314) Make unconditional + targetPrefix = lib.optionalString + (targetPlatform != hostPlatform) + "${targetPlatform.config}-"; + + buildMK = '' + BuildFlavour = ${ghcFlavour} + ifneq \"\$(BuildFlavour)\" \"\" + include mk/flavours/\$(BuildFlavour).mk + endif + BUILD_SPHINX_HTML = ${if enableDocs then "YES" else "NO"} + BUILD_SPHINX_PDF = NO + '' + + # Note [HADDOCK_DOCS]: + # Unfortunately currently `HADDOCK_DOCS` controls both whether the `haddock` + # program is built (which we generally always want to have a complete GHC install) + # and whether it is run on the GHC sources to generate hyperlinked source code + # (which is impossible for cross-compilation); see: + # https://gitlab.haskell.org/ghc/ghc/-/issues/20077 + # This implies that currently a cross-compiled GHC will never have a `haddock` + # program, so it can never generate haddocks for any packages. 
+ # If this is solved in the future, we'd like to unconditionally + # build the haddock program (removing the `enableHaddockProgram` option). + '' + HADDOCK_DOCS = ${if enableHaddockProgram then "YES" else "NO"} + # Build haddocks for boot packages with hyperlinking + EXTRA_HADDOCK_OPTS += --hyperlinked-source --quickjump + + DYNAMIC_GHC_PROGRAMS = ${if enableShared then "YES" else "NO"} + BIGNUM_BACKEND = ${if enableNativeBignum then "native" else "gmp"} + '' + lib.optionalString (targetPlatform != hostPlatform) '' + Stage1Only = ${if targetPlatform.system == hostPlatform.system then "NO" else "YES"} + CrossCompilePrefix = ${targetPrefix} + '' + lib.optionalString (!enableProfiledLibs) '' + GhcLibWays = "v dyn" + '' + + # -fexternal-dynamic-refs apparently (because it's not clear from the documentation) + # makes the GHC RTS able to load static libraries, which may be needed for TemplateHaskell. + # This solution was described in https://www.tweag.io/blog/2020-09-30-bazel-static-haskell + lib.optionalString enableRelocatedStaticLibs '' + GhcLibHcOpts += -fPIC -fexternal-dynamic-refs + GhcRtsHcOpts += -fPIC -fexternal-dynamic-refs + '' + lib.optionalString targetPlatform.useAndroidPrebuilt '' + EXTRA_CC_OPTS += -std=gnu99 + ''; + + # Splicer will pull out correct variations + libDeps = platform: lib.optional enableTerminfo ncurses + ++ [libffi] + ++ lib.optional (!enableNativeBignum) gmp + ++ lib.optional (platform.libc != "glibc" && !targetPlatform.isWindows) libiconv; + + # TODO(@sternenseemann): is buildTarget LLVM unnecessary? + # GHC doesn't seem to have {LLC,OPT}_HOST + toolsForTarget = [ + pkgsBuildTarget.targetPackages.stdenv.cc + ] ++ lib.optional useLLVM buildTargetLlvmPackages.llvm; + + targetCC = builtins.head toolsForTarget; + + # Sometimes we have to dispatch between the bintools wrapper and the unwrapped + # derivation for certain tools depending on the platform. + bintoolsFor = { + # GHC needs install_name_tool on all darwin platforms. 
On aarch64-darwin it is + # part of the bintools wrapper (due to codesigning requirements), but not on + # x86_64-darwin. + install_name_tool = + if stdenv.targetPlatform.isAarch64 + then targetCC.bintools + else targetCC.bintools.bintools; + # Same goes for strip. + strip = + # TODO(@sternenseemann): also use wrapper if linker == "bfd" or "gold" + if stdenv.targetPlatform.isAarch64 && stdenv.targetPlatform.isDarwin + then targetCC.bintools + else targetCC.bintools.bintools; + }; + + # Use gold either following the default, or to avoid the BFD linker due to some bugs / perf issues. + # But we cannot avoid BFD when using musl libc due to https://sourceware.org/bugzilla/show_bug.cgi?id=23856 + # see #84670 and #49071 for more background. + useLdGold = targetPlatform.linker == "gold" || + (targetPlatform.linker == "bfd" && (targetCC.bintools.bintools.hasGold or false) && !targetPlatform.isMusl); + + # Makes debugging easier to see which variant is at play in `nix-store -q --tree`. + variantSuffix = lib.concatStrings [ + (lib.optionalString stdenv.hostPlatform.isMusl "-musl") + (lib.optionalString enableNativeBignum "-native-bignum") + ]; + +in + +# C compiler, bintools and LLVM are used at build time, but will also leak into +# the resulting GHC's settings file and used at runtime. This means that we are +# currently only able to build GHC if hostPlatform == buildPlatform. 
+assert targetCC == pkgsHostTarget.targetPackages.stdenv.cc; +assert buildTargetLlvmPackages.llvm == llvmPackages.llvm; +assert stdenv.targetPlatform.isDarwin -> buildTargetLlvmPackages.clang == llvmPackages.clang; + +stdenv.mkDerivation (rec { + version = "9.2.8"; + pname = "${targetPrefix}ghc${variantSuffix}"; + + src = fetchurl { + url = "https://downloads.haskell.org/ghc/${version}/ghc-${version}-src.tar.xz"; + sha256 = "sha256-XxPReGv0/RL0tF+qN6vttbs/NtXlj32lMH6L/oilZ6E="; + }; + + enableParallelBuilding = true; + + outputs = [ "out" "doc" ]; + + patches = [ + # Fix docs build with sphinx >= 6.0 + # https://gitlab.haskell.org/ghc/ghc/-/issues/22766 + (fetchpatch { + name = "ghc-docs-sphinx-6.0.patch"; + url = "https://gitlab.haskell.org/ghc/ghc/-/commit/10e94a556b4f90769b7fd718b9790d58ae566600.patch"; + sha256 = "0kmhfamr16w8gch0lgln2912r8aryjky1hfcda3jkcwa5cdzgjdv"; + }) + # fix hyperlinked haddock sources: https://github.com/haskell/haddock/pull/1482 + (fetchpatch { + url = "https://patch-diff.githubusercontent.com/raw/haskell/haddock/pull/1482.patch"; + sha256 = "sha256-8w8QUCsODaTvknCDGgTfFNZa8ZmvIKaKS+2ZJZ9foYk="; + extraPrefix = "utils/haddock/"; + stripLen = 1; + }) + # Don't generate code that doesn't compile when --enable-relocatable is passed to Setup.hs + # Can be removed if the Cabal library included with ghc backports the linked fix + (fetchpatch { + url = "https://github.com/haskell/cabal/commit/6c796218c92f93c95e94d5ec2d077f6956f68e98.patch"; + stripLen = 1; + extraPrefix = "libraries/Cabal/"; + sha256 = "sha256-yRQ6YmMiwBwiYseC5BsrEtDgFbWvst+maGgDtdD0vAY="; + }) + ] ++ lib.optionals (stdenv.targetPlatform.isDarwin && stdenv.targetPlatform.isAarch64) [ + # Prevent the paths module from emitting symbols that we don't use + # when building with separate outputs. + # + # These cause problems as they're not eliminated by GHC's dead code + # elimination on aarch64-darwin. (see + # https://github.com/NixOS/nixpkgs/issues/140774 for details). 
+ ./Cabal-3.6-paths-fix-cycle-aarch64-darwin.patch + ]; + + postPatch = "patchShebangs ."; + + # GHC needs the locale configured during the Haddock phase. + LANG = "en_US.UTF-8"; + + # GHC is a bit confused on its cross terminology. + # TODO(@sternenseemann): investigate coreutils dependencies and pass absolute paths + preConfigure = '' + for env in $(env | grep '^TARGET_' | sed -E 's|\+?=.*||'); do + export "''${env#TARGET_}=''${!env}" + done + # GHC is a bit confused on its cross terminology, as these would normally be + # the *host* tools. + export CC="${targetCC}/bin/${targetCC.targetPrefix}cc" + export CXX="${targetCC}/bin/${targetCC.targetPrefix}c++" + # Use gold to work around https://sourceware.org/bugzilla/show_bug.cgi?id=16177 + export LD="${targetCC.bintools}/bin/${targetCC.bintools.targetPrefix}ld${lib.optionalString useLdGold ".gold"}" + export AS="${targetCC.bintools.bintools}/bin/${targetCC.bintools.targetPrefix}as" + export AR="${targetCC.bintools.bintools}/bin/${targetCC.bintools.targetPrefix}ar" + export NM="${targetCC.bintools.bintools}/bin/${targetCC.bintools.targetPrefix}nm" + export RANLIB="${targetCC.bintools.bintools}/bin/${targetCC.bintools.targetPrefix}ranlib" + export READELF="${targetCC.bintools.bintools}/bin/${targetCC.bintools.targetPrefix}readelf" + export STRIP="${bintoolsFor.strip}/bin/${bintoolsFor.strip.targetPrefix}strip" + '' + lib.optionalString (stdenv.targetPlatform.linker == "cctools") '' + export OTOOL="${targetCC.bintools.bintools}/bin/${targetCC.bintools.targetPrefix}otool" + export INSTALL_NAME_TOOL="${bintoolsFor.install_name_tool}/bin/${bintoolsFor.install_name_tool.targetPrefix}install_name_tool" + '' + lib.optionalString useLLVM '' + export LLC="${lib.getBin buildTargetLlvmPackages.llvm}/bin/llc" + export OPT="${lib.getBin buildTargetLlvmPackages.llvm}/bin/opt" + '' + lib.optionalString (useLLVM && stdenv.targetPlatform.isDarwin) '' + # LLVM backend on Darwin needs clang: 
https://downloads.haskell.org/~ghc/latest/docs/html/users_guide/codegens.html#llvm-code-generator-fllvm + export CLANG="${buildTargetLlvmPackages.clang}/bin/${buildTargetLlvmPackages.clang.targetPrefix}clang" + '' + '' + echo -n "${buildMK}" > mk/build.mk + '' + lib.optionalString (stdenv.isLinux && hostPlatform.libc == "glibc") '' + export LOCALE_ARCHIVE="${glibcLocales}/lib/locale/locale-archive" + '' + lib.optionalString (!stdenv.isDarwin) '' + export NIX_LDFLAGS+=" -rpath $out/lib/ghc-${version}" + '' + lib.optionalString stdenv.isDarwin '' + export NIX_LDFLAGS+=" -no_dtrace_dof" + + # GHC tries the host xattr /usr/bin/xattr by default which fails since it expects python to be 2.7 + export XATTR=${lib.getBin xattr}/bin/xattr + '' + lib.optionalString targetPlatform.useAndroidPrebuilt '' + sed -i -e '5i ,("armv7a-unknown-linux-androideabi", ("e-m:e-p:32:32-i64:64-v128:64:128-a:0:32-n32-S64", "cortex-a8", ""))' llvm-targets + '' + lib.optionalString targetPlatform.isMusl '' + echo "patching llvm-targets for musl targets..." + echo "Cloning these existing '*-linux-gnu*' targets:" + grep linux-gnu llvm-targets | sed 's/^/ /' + echo "(go go gadget sed)" + sed -i 's,\(^.*linux-\)gnu\(.*\)$,\0\n\1musl\2,' llvm-targets + echo "llvm-targets now contains these '*-linux-musl*' targets:" + grep linux-musl llvm-targets | sed 's/^/ /' + + echo "And now patching to preserve '-musleabi' as done with '-gnueabi'" + # (aclocal.m4 is actual source, but patch configure as well since we don't re-gen) + for x in configure aclocal.m4; do + substituteInPlace $x \ + --replace '*-android*|*-gnueabi*)' \ + '*-android*|*-gnueabi*|*-musleabi*)' + done + ''; + + # TODO(@Ericson2314): Always pass "--target" and always prefix. 
+ configurePlatforms = [ "build" "host" ] + ++ lib.optional (targetPlatform != hostPlatform) "target"; + + # `--with` flags for libraries needed for RTS linker + configureFlags = [ + "--datadir=$doc/share/doc/ghc" + "--with-curses-includes=${ncurses.dev}/include" "--with-curses-libraries=${ncurses.out}/lib" + ] ++ lib.optionals (libffi != null) [ + "--with-system-libffi" + "--with-ffi-includes=${targetPackages.libffi.dev}/include" + "--with-ffi-libraries=${targetPackages.libffi.out}/lib" + ] ++ lib.optionals (targetPlatform == hostPlatform && !enableNativeBignum) [ + "--with-gmp-includes=${targetPackages.gmp.dev}/include" + "--with-gmp-libraries=${targetPackages.gmp.out}/lib" + ] ++ lib.optionals (targetPlatform == hostPlatform && hostPlatform.libc != "glibc" && !targetPlatform.isWindows) [ + "--with-iconv-includes=${libiconv}/include" + "--with-iconv-libraries=${libiconv}/lib" + ] ++ lib.optionals (targetPlatform != hostPlatform) [ + "--enable-bootstrap-with-devel-snapshot" + ] ++ lib.optionals useLdGold [ + "CFLAGS=-fuse-ld=gold" + "CONF_GCC_LINKER_OPTS_STAGE1=-fuse-ld=gold" + "CONF_GCC_LINKER_OPTS_STAGE2=-fuse-ld=gold" + ] ++ lib.optionals (disableLargeAddressSpace) [ + "--disable-large-address-space" + ]; + + # Make sure we never relax`$PATH` and hooks support for compatibility. + strictDeps = true; + + # Don’t add -liconv to LDFLAGS automatically so that GHC will add it itself. 
+ dontAddExtraLibs = true; + + nativeBuildInputs = [ + perl autoconf automake m4 python3 + ghc bootPkgs.alex bootPkgs.happy bootPkgs.hscolour + ] ++ lib.optionals (stdenv.isDarwin && stdenv.isAarch64) [ + autoSignDarwinBinariesHook + ] ++ lib.optionals enableDocs [ + sphinx + ]; + + # For building runtime libs + depsBuildTarget = toolsForTarget; + + buildInputs = [ perl bash ] ++ (libDeps hostPlatform); + + depsTargetTarget = map lib.getDev (libDeps targetPlatform); + depsTargetTargetPropagated = map (lib.getOutput "out") (libDeps targetPlatform); + + # required, because otherwise all symbols from HSffi.o are stripped, and + # that in turn causes GHCi to abort + stripDebugFlags = [ "-S" ] ++ lib.optional (!targetPlatform.isDarwin) "--keep-file-symbols"; + + checkTarget = "test"; + + hardeningDisable = + [ "format" ] + # In nixpkgs, musl based builds currently enable `pie` hardening by default + # (see `defaultHardeningFlags` in `make-derivation.nix`). + # But GHC cannot currently produce outputs that are ready for `-pie` linking. + # Thus, disable `pie` hardening, otherwise `recompile with -fPIE` errors appear. + # See: + # * https://github.com/NixOS/nixpkgs/issues/129247 + # * https://gitlab.haskell.org/ghc/ghc/-/issues/19580 + ++ lib.optional stdenv.targetPlatform.isMusl "pie"; + + # big-parallel allows us to build with more than 2 cores on + # Hydra which already warrants a significant speedup + requiredSystemFeatures = [ "big-parallel" ]; + + postInstall = '' + # Install the bash completion file. + install -D -m 444 utils/completion/ghc.bash $out/share/bash-completion/completions/${targetPrefix}ghc + ''; + + passthru = { + inherit bootPkgs targetPrefix; + + inherit llvmPackages; + inherit enableShared; + + # This is used by the haskell builder to query + # the presence of the haddock program. 
+ hasHaddock = enableHaddockProgram; + + # Our Cabal compiler name + haskellCompilerName = "ghc-${version}"; + }; + + meta = { + homepage = "http://haskell.org/ghc"; + description = "The Glasgow Haskell Compiler"; + maintainers = with lib.maintainers; [ + guibou + ] ++ lib.teams.haskell.members; + timeout = 24 * 3600; + inherit (ghc.meta) license platforms; + }; + +} // lib.optionalAttrs targetPlatform.useAndroidPrebuilt { + dontStrip = true; + dontPatchELF = true; + noAuditTmpdir = true; +}) diff --git a/pkgs/development/interpreters/lua-5/default.nix b/pkgs/development/interpreters/lua-5/default.nix index 139dd09e72a33..f4c622515d7d9 100644 --- a/pkgs/development/interpreters/lua-5/default.nix +++ b/pkgs/development/interpreters/lua-5/default.nix @@ -77,29 +77,12 @@ in rec { lua5_4 = callPackage ./interpreter.nix { self = lua5_4; - version = "5.4.4"; - hash = "sha256-Fkx4SWU7gK5nvsS3RzuIS/XMjS3KBWU0dewu0nuev2E="; + version = "5.4.6"; + hash = "sha256-fV6huctqoLWco93hxq3LV++DobqOVDLA7NBr9DmzrYg="; makeWrapper = makeBinaryWrapper; inherit passthruFun; - patches = lib.optional stdenv.isDarwin ./5.4.darwin.patch - ++ [ - (fetchpatch { - name = "CVE-2022-28805.patch"; - url = "https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa.patch"; - sha256 = "sha256-YTwoolSnRNJIHFPVijSO6ZDw35BG5oWYralZ8qOb9y8="; - stripLen = 1; - extraPrefix = "src/"; - excludes = [ "src/testes/*" ]; - }) - (fetchpatch { - name = "CVE-2022-33099.patch"; - url = "https://github.com/lua/lua/commit/42d40581dd919fb134c07027ca1ce0844c670daf.patch"; - sha256 = "sha256-qj1Dq1ojVoknALSa67jhgH3G3Kk4GtJP6ROFElVF+D0="; - stripLen = 1; - extraPrefix = "src/"; - }) - ]; + patches = lib.optional stdenv.isDarwin ./5.4.darwin.patch; }; lua5_4_compat = lua5_4.override({ diff --git a/pkgs/development/libraries/c-ares/default.nix b/pkgs/development/libraries/c-ares/default.nix index 9c024211a71bd..a48b6f4fa7f53 100644 --- a/pkgs/development/libraries/c-ares/default.nix 
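Review bot: The second `fetchpatch` in `patches` downloads `https://patch-diff.githubusercontent.com/raw/haskell/haddock/pull/1482.patch`, a pull-request URL whose content changes whenever the PR branch is updated. The pinned `sha256` keeps an altered patch from being applied, but the build then breaks with a hash mismatch, and the entry has no `name` to make that failure easy to trace. I would point it at the immutable commit instead, `url = "https://github.com/haskell/haddock/commit/<commit-sha>.patch";` (placeholder; the commit id is not on the page), and add a `name`. Also, `meta.homepage` is the cleartext `http://haskell.org/ghc`; `https://www.haskell.org/ghc/` is the better value.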
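Review bot: The lua5_4 hunk drops the `CVE-2022-28805.patch` and `CVE-2022-33099.patch` entries together with the bump to 5.4.6, but nothing in the hunk records that the new release contains both fixes. Presumably upstream commits 1f3c6f4534c6411313361697d98d1145a1f030fa and 42d40581dd919fb134c07027ca1ce0844c670daf are part of 5.4.6; that should be checked against the release source and stated in the commit message, or in a comment such as `# CVE-2022-28805 and CVE-2022-33099 are fixed upstream as of 5.4.6`. If no other interpreter in this file still uses `fetchpatch`, the argument can be dropped from the function header as well; that header is outside the hunk.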
+++ b/pkgs/development/libraries/c-ares/default.nix @@ -13,14 +13,15 @@ stdenv.mkDerivation rec { pname = "c-ares"; - version = "1.19.0"; - outputs = [ "out" "dev" ]; + version = "1.19.1"; src = fetchurl { url = "https://c-ares.haxx.se/download/${pname}-${version}.tar.gz"; - sha256 = "sha256-v866N+I/1TEpOCkALKwEAe9JptxVkj9/kiNlhbetHdM="; + sha256 = "sha256-MhcAOZty7Q4DfQB0xinndB9rLsLdqSlWq+PpZx0+Jo4="; }; + outputs = [ "out" "dev" "man" ]; + nativeBuildInputs = lib.optionals withCMake [ cmake ]; cmakeFlags = [] ++ lib.optionals stdenv.hostPlatform.isStatic [ diff --git a/pkgs/development/libraries/dav1d/default.nix b/pkgs/development/libraries/dav1d/default.nix index 54bd9a1095be5..8783233b5475e 100644 --- a/pkgs/development/libraries/dav1d/default.nix +++ b/pkgs/development/libraries/dav1d/default.nix @@ -10,13 +10,13 @@ assert useVulkan -> withExamples; stdenv.mkDerivation rec { pname = "dav1d"; - version = "1.1.0"; + version = "1.2.0"; src = fetchFromGitHub { owner = "videolan"; repo = pname; rev = version; - hash = "sha256-1k6TsaXI9nwrBXTj3hncblkQuN/bvDudWDCsx4E4iwY="; + hash = "sha256-Y9wqa6lIs0eKT+q+95gjzfHIc3pglXzLNaDjsWy1gok="; }; nativeBuildInputs = [ meson ninja nasm pkg-config ]; diff --git a/pkgs/development/libraries/ffmpeg/4.nix b/pkgs/development/libraries/ffmpeg/4.nix index 7882c19da8f3f..50298267ad5bb 100644 --- a/pkgs/development/libraries/ffmpeg/4.nix +++ b/pkgs/development/libraries/ffmpeg/4.nix @@ -1,4 +1,4 @@ import ./generic.nix rec { - version = "4.4.3"; - sha256 = "sha256-zZDzG1hD+0AHqElzeGR6OVm+H5wqtdktloSPmEUzT/c="; + version = "4.4.4"; + sha256 = "sha256-Q8bkuF/1uJfqttJJoObnnLX3BEduv+qxsvOrVhMvRjA="; } diff --git a/pkgs/development/libraries/ffmpeg/generic.nix b/pkgs/development/libraries/ffmpeg/generic.nix index 92772c419c1e7..12e59c939afee 100644 --- a/pkgs/development/libraries/ffmpeg/generic.nix +++ b/pkgs/development/libraries/ffmpeg/generic.nix 
@@ -126,7 +126,6 @@ , withMultithread ? true # Multithreading via pthreads/win32 threads , withNetwork ? withHeadlessDeps # Network support , withPixelutils ? withHeadlessDeps # Pixel utils in libavutil -, withLTO ? false # build with link-time optimization /* * Program options */ @@ -384,7 +383,6 @@ stdenv.mkDerivation (finalAttrs: { (enableFeature withSmallBuild "small") (enableFeature withRuntimeCPUDetection "runtime-cpudetect") - (enableFeature withLTO "lto") (enableFeature withGrayscale "gray") (enableFeature withSwscaleAlpha "swscale-alpha") (enableFeature withHardcodedTables "hardcoded-tables") diff --git a/pkgs/development/libraries/gstreamer/bad/default.nix b/pkgs/development/libraries/gstreamer/bad/default.nix index bb1acbe6fdb3e..174babe128349 100644 --- a/pkgs/development/libraries/gstreamer/bad/default.nix +++ b/pkgs/development/libraries/gstreamer/bad/default.nix @@ -23,7 +23,6 @@ , lcms2 , libnice , webrtc-audio-processing -, webrtc-audio-processing_1 , lilv , lv2 , serd @@ -108,13 +107,13 @@ stdenv.mkDerivation rec { pname = "gst-plugins-bad"; - version = "1.22.2"; + version = "1.22.3"; outputs = [ "out" "dev" ]; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-PY+vHONALIU1zjqMThpslg5LVlXb2mtVlD25rHkCLQ8="; + hash = "sha256-4XmP7i2GEn8GN0gcYH+YMpO/D9garXClx7RyBa82Idg="; }; patches = [ @@ -361,6 +360,6 @@ stdenv.mkDerivation rec { ''; license = if enableGplPlugins then licenses.gpl2Plus else licenses.lgpl2Plus; platforms = platforms.linux ++ platforms.darwin; - maintainers = with maintainers; [ matthewbauer ]; + maintainers = with maintainers; [ matthewbauer lilyinstarlight ]; }; } diff --git a/pkgs/development/libraries/gstreamer/base/default.nix b/pkgs/development/libraries/gstreamer/base/default.nix index 652f949f72261..370d868ec2c76 100644 --- a/pkgs/development/libraries/gstreamer/base/default.nix +++ b/pkgs/development/libraries/gstreamer/base/default.nix 
@@ -45,7 +45,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "gst-plugins-base"; - version = "1.22.2"; + version = "1.22.3"; outputs = [ "out" "dev" ]; @@ -53,7 +53,7 @@ stdenv.mkDerivation (finalAttrs: { inherit (finalAttrs) pname version; in fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-62USDE7nm3oVPDwZctXAFYwhUYd8xR7Hclu6V0lnnUk="; + hash = "sha256-HFliiaDUIHOAIz66jDapMsTRrOuhmTKTfZtXwkzvifM="; }; strictDeps = true; @@ -168,6 +168,6 @@ stdenv.mkDerivation (finalAttrs: { "gstreamer-video-1.0" ]; platforms = platforms.unix; - maintainers = with maintainers; [ matthewbauer ]; + maintainers = with maintainers; [ matthewbauer lilyinstarlight ]; }; }) diff --git a/pkgs/development/libraries/gstreamer/core/default.nix b/pkgs/development/libraries/gstreamer/core/default.nix index 88101ceea41d1..e6c9d2222d182 100644 --- a/pkgs/development/libraries/gstreamer/core/default.nix +++ b/pkgs/development/libraries/gstreamer/core/default.nix @@ -24,7 +24,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "gstreamer"; - version = "1.22.2"; + version = "1.22.3"; outputs = [ "bin" @@ -36,7 +36,7 @@ stdenv.mkDerivation (finalAttrs: { inherit (finalAttrs) pname version; in fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-sq/nNgOSHGCLpIlp27fXQ3dnRL/l2AWeziQRN7f4jiE="; + hash = "sha256-n/6rlQU/n2mV6zs9oiXojyHBKc1g2gAtP3ldtw1tWXQ="; }; depsBuildBuild = [ @@ -120,6 +120,6 @@ stdenv.mkDerivation (finalAttrs: { "gstreamer-controller-1.0" ]; platforms = platforms.unix; - maintainers = with maintainers; [ ttuegel matthewbauer ]; + maintainers = with maintainers; [ ttuegel matthewbauer lilyinstarlight ]; }; }) diff --git a/pkgs/development/libraries/gstreamer/default.nix b/pkgs/development/libraries/gstreamer/default.nix index 6207cf4fc5665..662009005e36b 100644 --- a/pkgs/development/libraries/gstreamer/default.nix +++ b/pkgs/development/libraries/gstreamer/default.nix 
@@ -48,5 +48,5 @@ ipu6-camera-hal = ipu6ep-camera-hal; }; - # note: gst-python is in ./python/default.nix - called under pythonPackages + # note: gst-python is in ../../python-modules/gst-python - called under python3Packages } diff --git a/pkgs/development/libraries/gstreamer/devtools/default.nix b/pkgs/development/libraries/gstreamer/devtools/default.nix index 471de787e197d..8837a0a0e93d7 100644 --- a/pkgs/development/libraries/gstreamer/devtools/default.nix +++ b/pkgs/development/libraries/gstreamer/devtools/default.nix @@ -17,11 +17,11 @@ stdenv.mkDerivation rec { pname = "gst-devtools"; - version = "1.22.2"; + version = "1.22.3"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-62JybT4nqHgjaaJP1jZKiIXtJGKzu9qwkd/8gTnuBtg="; + hash = "sha256-RGrJxC1QLL/ZCBc3zBuFOzwfUNt3ynzNAa6hD2h1UME="; }; outputs = [ @@ -65,5 +65,6 @@ stdenv.mkDerivation rec { homepage = "https://gstreamer.freedesktop.org"; license = licenses.lgpl2Plus; platforms = platforms.unix; + maintainers = with maintainers; [ lilyinstarlight ]; }; } diff --git a/pkgs/development/libraries/gstreamer/ges/default.nix b/pkgs/development/libraries/gstreamer/ges/default.nix index 8beedddeeebba..e5f8ed02061a8 100644 --- a/pkgs/development/libraries/gstreamer/ges/default.nix +++ b/pkgs/development/libraries/gstreamer/ges/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { pname = "gst-editing-services"; - version = "1.22.2"; + version = "1.22.3"; outputs = [ "out" @@ -27,7 +27,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-RTsUZPw4V94mmnyw69lmr+Ahcdl772cqC4oKbUPgzr8="; + hash = "sha256-FaW85iUJseEl6FoJ7EHzIcD1SSZLUETACV/PstXAzqI="; }; nativeBuildInputs = [ 
@@ -69,5 +69,6 @@ stdenv.mkDerivation rec { homepage = "https://gstreamer.freedesktop.org"; license = licenses.lgpl2Plus; platforms = platforms.unix; + maintainers = with maintainers; [ lilyinstarlight ]; }; } diff --git a/pkgs/development/libraries/gstreamer/good/default.nix b/pkgs/development/libraries/gstreamer/good/default.nix index c8efbbfd874c3..ef6143b36ec90 100644 --- a/pkgs/development/libraries/gstreamer/good/default.nix +++ b/pkgs/development/libraries/gstreamer/good/default.nix @@ -52,13 +52,13 @@ assert raspiCameraSupport -> (stdenv.isLinux && stdenv.isAarch64); stdenv.mkDerivation rec { pname = "gst-plugins-good"; - version = "1.22.2"; + version = "1.22.3"; outputs = [ "out" "dev" ]; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-fIzFlCXysjL2DKfRPlbt1hXaT3Eec90Bp8/6Rua8DN0="; + hash = "sha256-r4EVSzou8/TS/ro5XyVpb+6m/RPsYsktPHqXNHBxAnM="; }; strictDeps = true; @@ -190,6 +190,6 @@ stdenv.mkDerivation rec { ''; license = licenses.lgpl2Plus; platforms = platforms.linux ++ platforms.darwin; - maintainers = with maintainers; [ matthewbauer ]; + maintainers = with maintainers; [ matthewbauer lilyinstarlight ]; }; } diff --git a/pkgs/development/libraries/gstreamer/libav/default.nix b/pkgs/development/libraries/gstreamer/libav/default.nix index b51a103c0855e..a1271fab91f4b 100644 --- a/pkgs/development/libraries/gstreamer/libav/default.nix +++ b/pkgs/development/libraries/gstreamer/libav/default.nix @@ -18,11 +18,11 @@ stdenv.mkDerivation rec { pname = "gst-libav"; - version = "1.22.2"; + version = "1.22.3"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-/Kr5h4/o87yCMX7xOhVYgky2jfH4loxnl/VWxeM7z/0="; + hash = "sha256-LsXIBYCLQ3Gn4ysdoCAqHIprNrbOkFCAv1w0CX0SqSM="; }; outputs = [ "out" "dev" ]; 
@@ -57,5 +57,6 @@ stdenv.mkDerivation rec { homepage = "https://gstreamer.freedesktop.org"; license = licenses.lgpl2Plus; platforms = platforms.unix; + maintainers = with maintainers; [ lilyinstarlight ]; }; } diff --git a/pkgs/development/libraries/gstreamer/rs/default.nix b/pkgs/development/libraries/gstreamer/rs/default.nix index c73adcbe223d2..698be758ad3c4 100644 --- a/pkgs/development/libraries/gstreamer/rs/default.nix +++ b/pkgs/development/libraries/gstreamer/rs/default.nix @@ -1,7 +1,6 @@ { lib , stdenv , fetchFromGitLab -, fetchpatch , writeText , rustPlatform , meson @@ -27,11 +26,14 @@ , Security , gst-plugins-good , nix-update-script +# specifies a limited subset of plugins to build (the default `null` means all plugins supported on the stdenv platform) +, plugins ? null +# Checks meson.is_cross_build(), so even canExecute isn't enough. +, enableDocumentation ? stdenv.hostPlatform == stdenv.buildPlatform && plugins == null +, hotdoc # TODO: required for case-insensitivity hack below , yq , moreutils -# specify a limited set of plugins to build if not all supported plugins -, plugins ? null }: let @@ -94,7 +96,6 @@ let selectedPlugins = if plugins != null then lib.unique (lib.sort lib.lessThan plugins) else lib.subtractLists ( [ - "audiofx" # tests have race-y failure, see https://gitlab.freedesktop.org/gstreamer/gst-plugins-rs/-/issues/337 "csound" # tests have weird failure on x86, does not currently work on arm or darwin "livesync" # tests have suspicious intermittent failure, see https://gitlab.freedesktop.org/gstreamer/gst-plugins-rs/-/issues/357 ] ++ lib.optionals stdenv.isDarwin [ @@ -162,6 +163,8 @@ stdenv.mkDerivation rec { cargo cargo-c nasm + ] ++ lib.optionals enableDocumentation [ + hotdoc ]; buildInputs = [ 
@@ -178,7 +181,7 @@ stdenv.mkDerivation rec { map (plugin: lib.mesonEnable plugin true) selectedPlugins ) ++ [ (lib.mesonOption "sodium-source" "system") - (lib.mesonEnable "doc" false) # `hotdoc` not packaged in nixpkgs as of writing + (lib.mesonEnable "doc" enableDocumentation) ] ++ (let crossFile = writeText "cross-file.conf" '' [binaries] @@ -188,7 +191,7 @@ stdenv.mkDerivation rec { "--cross-file=${crossFile}" ]); - # turn off all auto plugins if a list is specified + # turn off all auto plugins since we use a list of plugins we generate mesonAutoFeatures = "disabled"; doCheck = true; diff --git a/pkgs/development/libraries/gstreamer/rtsp-server/default.nix b/pkgs/development/libraries/gstreamer/rtsp-server/default.nix index 0f8a2f59c577c..2fe745e0329e7 100644 --- a/pkgs/development/libraries/gstreamer/rtsp-server/default.nix +++ b/pkgs/development/libraries/gstreamer/rtsp-server/default.nix @@ -15,11 +15,11 @@ stdenv.mkDerivation rec { pname = "gst-rtsp-server"; - version = "1.22.2"; + version = "1.22.3"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-K+Suz7iHEBAOpxFe0CFkA+gJQ0Tr8UYJQnG41Nc4KL8="; + hash = "sha256-0Co536m9v5mj3S03jheUKzzkLf42+wwn4tCwFyL8Vh0="; }; outputs = [ @@ -62,6 +62,6 @@ stdenv.mkDerivation rec { ''; license = licenses.lgpl2Plus; platforms = platforms.unix; - maintainers = with maintainers; [ bkchr ]; + maintainers = with maintainers; [ bkchr lilyinstarlight ]; }; } diff --git a/pkgs/development/libraries/gstreamer/ugly/default.nix b/pkgs/development/libraries/gstreamer/ugly/default.nix index 0ebc61565ba62..c0926dfc50679 100644 --- a/pkgs/development/libraries/gstreamer/ugly/default.nix +++ b/pkgs/development/libraries/gstreamer/ugly/default.nix 
@@ -26,13 +26,13 @@ stdenv.mkDerivation rec { pname = "gst-plugins-ugly"; - version = "1.22.2"; + version = "1.22.3"; outputs = [ "out" "dev" ]; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-jzD0TbC9BjcJv2++VROOOpivCry2HDYPNVgrvhDoBpE="; + hash = "sha256-PcmO1cIpM2izxObOVdib6DSgpi6b+I7xeSjPA7fVo2A="; }; nativeBuildInputs = [ @@ -93,6 +93,6 @@ stdenv.mkDerivation rec { ''; license = if enableGplPlugins then licenses.gpl2Plus else licenses.lgpl2Plus; platforms = platforms.unix; - maintainers = with maintainers; [ matthewbauer ]; + maintainers = with maintainers; [ matthewbauer lilyinstarlight ]; }; } diff --git a/pkgs/development/libraries/gstreamer/vaapi/default.nix b/pkgs/development/libraries/gstreamer/vaapi/default.nix index b34581ed3435a..0662cdd8e4292 100644 --- a/pkgs/development/libraries/gstreamer/vaapi/default.nix +++ b/pkgs/development/libraries/gstreamer/vaapi/default.nix @@ -24,11 +24,11 @@ stdenv.mkDerivation rec { pname = "gstreamer-vaapi"; - version = "1.22.2"; + version = "1.22.3"; src = fetchurl { url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-0uZC+XRfl9n3On9Qhedlmpox/iCbd05uRdrgQbQ13wY="; + hash = "sha256-onhnBi6LaTBfylt9PxPtfDGLcD59cnVslDlb0wXHsyw="; }; outputs = [ @@ -84,7 +84,7 @@ stdenv.mkDerivation rec { description = "Set of VAAPI GStreamer Plug-ins"; homepage = "https://gstreamer.freedesktop.org"; license = licenses.lgpl21Plus; - maintainers = with maintainers; [ ]; platforms = platforms.linux; + maintainers = with maintainers; [ lilyinstarlight ]; }; } diff --git a/pkgs/development/libraries/libssh2/default.nix b/pkgs/development/libraries/libssh2/default.nix index ce496637fcc20..091885a1f084a 100644 --- a/pkgs/development/libraries/libssh2/default.nix +++ b/pkgs/development/libraries/libssh2/default.nix 
@@ -2,22 +2,17 @@ stdenv.mkDerivation rec { pname = "libssh2"; - version = "1.10.0"; + version = "1.11.0"; src = fetchurl { url = "https://www.libssh2.org/download/libssh2-${version}.tar.gz"; - sha256 = "sha256-LWTpDz3tOUuR06LndMogOkF59prr7gMAPlpvpiHkHVE="; + sha256 = "sha256-NzYWHkHiaTMk3rOMJs/cPv5iCdY0ukJY2xzs/2pa1GE="; }; outputs = [ "out" "dev" "devdoc" ]; - patches = [ - # https://github.com/libssh2/libssh2/pull/700 - # openssl: add support for LibreSSL 3.5.x - ./openssl_add_support_for_libressl_3_5.patch - ]; - - buildInputs = [ openssl zlib ] + propagatedBuildInputs = [ openssl ]; # see Libs: in libssh2.pc + buildInputs = [ zlib ] ++ lib.optional stdenv.hostPlatform.isMinGW windows.mingw_w64; meta = with lib; { diff --git a/pkgs/development/libraries/libssh2/openssl_add_support_for_libressl_3_5.patch b/pkgs/development/libraries/libssh2/openssl_add_support_for_libressl_3_5.patch deleted file mode 100644 index d72a67a63403c..0000000000000 --- a/pkgs/development/libraries/libssh2/openssl_add_support_for_libressl_3_5.patch +++ /dev/null @@ -1,26 +0,0 @@ -From f0681a4573d7c7f7484d3157ddff7063a200295b Mon Sep 17 00:00:00 2001 -From: Viktor Szakats -Date: Thu, 19 May 2022 13:25:06 +0000 -Subject: [PATCH] openssl: add support for LibreSSL 3.5.x - -LibreSSL 3.5.0 made more structures opaque, so let's enable existing -support for that when building against these LibreSSL versions. - -Ref: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.0-relnotes.txt ---- - src/openssl.h | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/openssl.h b/src/openssl.h -index 658b040..1733b9e 100644 ---- a/src/openssl.h -+++ b/src/openssl.h -@@ -58,7 +58,8 @@ - #include - - #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ -- !defined(LIBRESSL_VERSION_NUMBER) -+ !defined(LIBRESSL_VERSION_NUMBER) || \ -+ LIBRESSL_VERSION_NUMBER >= 0x3050000fL - # define HAVE_OPAQUE_STRUCTS 1 - #endif 
diff --git a/pkgs/development/libraries/nghttp3/default.nix b/pkgs/development/libraries/nghttp3/default.nix index e7d57d457bde6..38e996330e71d 100644 --- a/pkgs/development/libraries/nghttp3/default.nix +++ b/pkgs/development/libraries/nghttp3/default.nix @@ -6,13 +6,13 @@ stdenv.mkDerivation rec { pname = "nghttp3"; - version = "0.10.0"; + version = "0.11.0"; src = fetchFromGitHub { owner = "ngtcp2"; repo = pname; rev = "v${version}"; - hash = "sha256-V0g/d1B9uMn7KZU6ShzyPGXOSAYCbz4ZubnhAwz+Qsc="; + hash = "sha256-fZMFSQ8RCVxuoLrisa8lLqjNVe4fIuGqbyKtkC/u02M="; }; outputs = [ "out" "dev" "doc" ]; diff --git a/pkgs/development/libraries/ngtcp2/default.nix b/pkgs/development/libraries/ngtcp2/default.nix index af8ef8623d512..e85a7674a2634 100644 --- a/pkgs/development/libraries/ngtcp2/default.nix +++ b/pkgs/development/libraries/ngtcp2/default.nix @@ -8,13 +8,13 @@ stdenv.mkDerivation rec { pname = "ngtcp2"; - version = "0.14.1"; + version = "0.15.0"; src = fetchFromGitHub { owner = "ngtcp2"; repo = pname; rev = "v${version}"; - hash = "sha256-VsacRYvjTWVx2ga952s1vs02GElXIW6umgcYr3UCcgE="; + hash = "sha256-FWNWpRuCUyqTIyLZkBFKrd2urjSCqHp20mBAXOcJm14="; }; outputs = [ "out" "dev" "doc" ]; diff --git a/pkgs/development/libraries/opencv/4.x.nix b/pkgs/development/libraries/opencv/4.x.nix index 5f99488486181..3f120e2558f39 100644 --- a/pkgs/development/libraries/opencv/4.x.nix +++ b/pkgs/development/libraries/opencv/4.x.nix @@ -2,6 +2,7 @@ , stdenv , fetchurl , fetchFromGitHub +, fetchpatch , cmake , pkg-config , unzip 
@@ -275,6 +276,21 @@ stdenv.mkDerivation { # Ensures that we use the system OpenEXR rather than the vendored copy of the source included with OpenCV. patches = [ ./cmake-don-t-use-OpenCVFindOpenEXR.patch + ] ++ lib.optionals enableContrib [ + (fetchpatch { + name = "CVE-2023-2617.patch"; + url = "https://github.com/opencv/opencv_contrib/commit/ccc277247ac1a7aef0a90353edcdec35fbc5903c.patch"; + stripLen = 2; + extraPrefix = [ "opencv_contrib/" ]; + sha256 = "sha256-drZ+DVn+Pk4zAZJ+LgX5u3Tz7MU0AEI/73EVvxDP3AU="; + }) + (fetchpatch { + name = "CVE-2023-2618.patch"; + url = "https://github.com/opencv/opencv_contrib/commit/ec406fa4748fb4b0630c1b986469e7918d5e8953.patch"; + stripLen = 2; + extraPrefix = [ "opencv_contrib/" ]; + sha256 = "sha256-cB5Tsh2fDOsc0BNtSzd6U/QoCjkd9yMW1QutUU69JJ0="; + }) ] ++ lib.optional enableCuda ./cuda_opt_flow.patch; # This prevents cmake from using libraries in impure paths (which diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix index 303016ab86985..0449651090fe5 100644 --- a/pkgs/development/libraries/openssl/default.nix +++ b/pkgs/development/libraries/openssl/default.nix @@ -240,8 +240,8 @@ in { }; openssl_3 = common { - version = "3.0.8"; - sha256 = "sha256-bBPSvzj98x6sPOKjRwc2c/XWMmM5jx9p0N9KQSU+Sz4="; + version = "3.0.9"; + sha256 = "sha256-6xqwR4FHQ2D3fDGKuJ2MWgOrw45j1lpgPKu/GwCh3JA="; patches = [ ./3.0/nix-ssl-cert-file.patch diff --git a/pkgs/development/libraries/qt-5/5.15/srcs-generated.json b/pkgs/development/libraries/qt-5/5.15/srcs-generated.json index 03c409a381969..20649c6f83a1d 100644 --- a/pkgs/development/libraries/qt-5/5.15/srcs-generated.json +++ b/pkgs/development/libraries/qt-5/5.15/srcs-generated.json 
@@ -16,8 +16,8 @@ }, "qtbase": { "url": "https://invent.kde.org/qt/qt/qtbase.git", - "rev": "d3b21bc8b70eaa1af848371dc1d34c4617c1f73c", - "sha256": "11yww09fgcqsxv4sk4cflxdsdpdqc0x9b3qw63asfpwrnv9qry0a" + "rev": "a196623892558623e467f20b67edb78794252a09", + "sha256": "0yna2k1w595xwh9bk268h31fjl2ff8cm185dmm0v5gr4w8h9yr4g" }, "qtcharts": { "url": "https://invent.kde.org/qt/qt/qtcharts.git", @@ -26,8 +26,8 @@ }, "qtconnectivity": { "url": "https://invent.kde.org/qt/qt/qtconnectivity.git", - "rev": "0f9e49cde3b7ca40cd94e63d2f5d29f5b586d3d6", - "sha256": "1iwqa98ihzqqpqgwsj0lm4zkfwgag9k634sxjnx6gxvfq0h6d4nx" + "rev": "e6d37133affc71451129d84790c6c22227e64aff", + "sha256": "1bc1d0h2f1q0xfvr8p5fq1580bl8cs0qhdncm600v590z56cyika" }, "qtdatavis3d": { "url": "https://invent.kde.org/qt/qt/qtdatavis3d.git", @@ -36,8 +36,8 @@ }, "qtdeclarative": { "url": "https://invent.kde.org/qt/qt/qtdeclarative.git", - "rev": "0e1bed3c3e27d44d86d6f68a8b93b96a4821575c", - "sha256": "0v4c3pls67ww6ffiscbp05yb2vv583zrxj8p4jcy3yxa06khniy5" + "rev": "039ce261b0f8061f8485f9c2eaf497a4d4395baa", + "sha256": "1kp2pnwfcwsxhy2w1sdg722d0kb1i6kx3a9r42gl1i9d73k8afi2" }, "qtdoc": { "url": "https://invent.kde.org/qt/qt/qtdoc.git", @@ -61,8 +61,8 @@ }, "qtlocation": { "url": "https://invent.kde.org/qt/qt/qtlocation.git", - "rev": "2a8a48e9101236f118c2c4f0d79fae9c9d7b3f2a", - "sha256": "0ajvlqkm2641ahms34kg6a2hykvql1hxlm5nsaba7233hnfv3nsy" + "rev": "30fb93cf8521f2c0b3803903153d9034b7d7bcc2", + "sha256": "1b027hfc1m2nz0v906w08srmpyci3362arxc18cin334yhgghbx1" }, "qtlottie": { "url": "https://invent.kde.org/qt/qt/qtlottie.git", 
@@ -101,8 +101,8 @@ }, "qtquickcontrols2": { "url": "https://invent.kde.org/qt/qt/qtquickcontrols2.git", - "rev": "86a84eaa74c4071e5750f23b6e9911762880d391", - "sha256": "1zywq3ll49bzzvl6rzn4zpp96a4mdx0b9l5ic0x6zc4dr8c8jk5m" + "rev": "68a48018e34322edaf611639710b3edbe389e8c2", + "sha256": "04hswsamjmwgn63gs3rhxygvwjfqx5f0qifzp3gp6q4fw8lkgwpf" }, "qtquicktimeline": { "url": "https://invent.kde.org/qt/qt/qtquicktimeline.git", @@ -146,8 +146,8 @@ }, "qtsvg": { "url": "https://invent.kde.org/qt/qt/qtsvg.git", - "rev": "9b5ab29cbba1908fd4928e2bda2b93e418e36187", - "sha256": "0vnwhbkk40wj9rfy3fhjm9slra3y3j1mk67n3vnrzvmzrmpl4443" + "rev": "837b5163e17edbd3a9f098e9a1ab73febab419b4", + "sha256": "082i9q36d44g5a3jbw3ahvmmxikfai50wd2yq8xvkh8kr8xr7n5z" }, "qttools": { "url": "https://invent.kde.org/qt/qt/qttools.git", diff --git a/pkgs/development/libraries/tk/8.6.nix b/pkgs/development/libraries/tk/8.6.nix index 3e3d8ad54011d..fbf4560517547 100644 --- a/pkgs/development/libraries/tk/8.6.nix +++ b/pkgs/development/libraries/tk/8.6.nix @@ -14,4 +14,8 @@ callPackage ./generic.nix (args // { sha256 = "sha256-LmX6BpojNlRAo8VsVWuGc7XjKig4ANjZslfj9YTOBnU="; }; + patches = [ + ./tk-8_6_13-find-library.patch + ]; + }) diff --git a/pkgs/development/libraries/tk/tk-8_6_13-find-library.patch b/pkgs/development/libraries/tk/tk-8_6_13-find-library.patch new file mode 100644 index 0000000000000..a055ade80cc07 --- /dev/null +++ b/pkgs/development/libraries/tk/tk-8_6_13-find-library.patch 
@@ -0,0 +1,25 @@ +diff --git a/generic/tkWindow.c b/generic/tkWindow.c +index fa25553..ad45598 100644 +--- a/generic/tkWindow.c ++++ b/generic/tkWindow.c +@@ -1045,6 +1045,7 @@ TkCreateMainWindow( + + Tcl_SetVar2(interp, "tk_patchLevel", NULL, TK_PATCH_LEVEL, TCL_GLOBAL_ONLY); + Tcl_SetVar2(interp, "tk_version", NULL, TK_VERSION, TCL_GLOBAL_ONLY); ++ Tcl_SetVar2(interp, "tk_library", NULL, TK_LIBRARY, TCL_GLOBAL_ONLY); + + tsdPtr->numMainWindows++; + return tkwin; +diff --git a/unix/Makefile.in b/unix/Makefile.in +index e98070e..f417753 100644 +--- a/unix/Makefile.in ++++ b/unix/Makefile.in +@@ -1033,7 +1033,7 @@ tkVisual.o: $(GENERIC_DIR)/tkVisual.c + $(CC) -c $(CC_SWITCHES) $(GENERIC_DIR)/tkVisual.c + + tkWindow.o: $(GENERIC_DIR)/tkWindow.c tkUuid.h +- $(CC) -c $(CC_SWITCHES) -I. $(GENERIC_DIR)/tkWindow.c ++ $(CC) -c $(CC_SWITCHES) -I. -DTK_LIBRARY=\"${TK_LIBRARY}\" $(GENERIC_DIR)/tkWindow.c + + tkButton.o: $(GENERIC_DIR)/tkButton.c + $(CC) -c $(CC_SWITCHES) $(GENERIC_DIR)/tkButton.c diff --git a/pkgs/development/python-modules/flask/default.nix b/pkgs/development/python-modules/flask/default.nix index 03b1873edc5f5..4bcb02880671e 100644 --- a/pkgs/development/python-modules/flask/default.nix +++ b/pkgs/development/python-modules/flask/default.nix @@ -19,12 +19,12 @@ buildPythonPackage rec { pname = "flask"; - version = "2.2.3"; + version = "2.2.5"; src = fetchPypi { pname = "Flask"; inherit version; - hash = "sha256-frNzmEvxx3ACP86dsWTtDDNTzQtT8TD0aT2gynVqLm0="; + hash = "sha256-7e6bCn/yZiG9WowQ/0hK4oc3okENmbC7mmhQx/uXeqA="; }; propagatedBuildInputs = [ diff --git a/pkgs/development/python-modules/gst-python/default.nix b/pkgs/development/python-modules/gst-python/default.nix index 9c30ebc68159f..386dd82e8296e 100644 --- a/pkgs/development/python-modules/gst-python/default.nix +++ b/pkgs/development/python-modules/gst-python/default.nix @@ -14,7 +14,7 @@ buildPythonPackage rec { pname = "gst-python"; - version = "1.22.2"; + version = "1.22.3"; format = "other"; 
@@ -22,7 +22,7 @@ buildPythonPackage rec { src = fetchurl { url = "${meta.homepage}/src/gst-python/${pname}-${version}.tar.xz"; - hash = "sha256-vvKz2Czkvka3dbG7VjBcEAPuAbU1pTqC+f6JJJchU60="; + hash = "sha256-cL7T+r5jS8Yi723k5uscM7yc79ZL2rIA9voxa0aMcxw="; }; # Python 2.x is not supported. @@ -61,5 +61,6 @@ buildPythonPackage rec { homepage = "https://gstreamer.freedesktop.org"; description = "Python bindings for GStreamer"; license = licenses.lgpl2Plus; + maintainers = with maintainers; [ lilyinstarlight ]; }; } diff --git a/pkgs/development/python-modules/requests/default.nix b/pkgs/development/python-modules/requests/default.nix index 23506a63f1ae0..5a1759f8e85a4 100644 --- a/pkgs/development/python-modules/requests/default.nix +++ b/pkgs/development/python-modules/requests/default.nix @@ -30,6 +30,15 @@ buildPythonPackage rec { hash = "sha256-8uNKdfR0kBm7Dj7/tmaDYw5P/q91gZ+1G+vvG/Wu8Fk="; }; + pathes = [ + (fetchpatch { + # https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q + name = "CVE-2023-32681.patch"; + url = "https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5.patch"; + hash = "sha256-x8NJfu9Qta0ieAjk1VQn9zNyARInEcjR4MPTFUwANTc="; + }) + ]; + propagatedBuildInputs = [ brotlicffi certifi diff --git a/pkgs/development/tools/misc/binutils/CVE-2023-1972.patch b/pkgs/development/tools/misc/binutils/CVE-2023-1972.patch new file mode 100644 index 0000000000000..838fbf7227619 --- /dev/null +++ b/pkgs/development/tools/misc/binutils/CVE-2023-1972.patch 
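Review bot: The attribute added in the requests hunk is spelled `pathes`, and the standard patch phase only reads `patches`, so the CVE-2023-32681 fix is never applied to the source even though the build succeeds. Rename it to `patches = [`. The list also calls `fetchpatch`, but the function's argument set is outside the hunk, so confirm that `fetchpatch` is listed there. Because the typo produces no build failure, it is worth checking the unpacked source of the built package for the patched code once the name is corrected.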
@@ -0,0 +1,23 @@ +diff --git a/bfd/elf.c b/bfd/elf.c +index 027d0143735..185028cbd97 100644 +--- a/bfd/elf.c ++++ b/bfd/elf.c +@@ -9030,6 +9030,9 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver) + bfd_set_error (bfd_error_file_too_big); + goto error_return_verdef; + } ++ ++ if (amt == 0) ++ goto error_return_verdef; + elf_tdata (abfd)->verdef = (Elf_Internal_Verdef *) bfd_zalloc (abfd, amt); + if (elf_tdata (abfd)->verdef == NULL) + goto error_return_verdef; +@@ -9133,6 +9136,8 @@ _bfd_elf_slurp_version_tables (bfd *abfd, bool default_imported_symver) + bfd_set_error (bfd_error_file_too_big); + goto error_return; + } ++ if (amt == 0) ++ goto error_return; + elf_tdata (abfd)->verdef = (Elf_Internal_Verdef *) bfd_zalloc (abfd, amt); + if (elf_tdata (abfd)->verdef == NULL) + goto error_return; diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix index 0db491f225c19..0a2610ffd2e71 100644 --- a/pkgs/development/tools/misc/binutils/default.nix +++ b/pkgs/development/tools/misc/binutils/default.nix @@ -88,6 +88,10 @@ stdenv.mkDerivation (finalAttrs: { # not need to know binutils' BINDIR at all. It's an absolute path # where libraries are stored. ./plugins-no-BINDIR.patch + + # CVE-2023-1972 fix to bfd/elf.c from: + # https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=c22d38baefc5a7a1e1f5cdc9dbb556b1f0ec5c57 + ./CVE-2023-1972.patch ] ++ lib.optional targetPlatform.isiOS ./support-ios.patch # Adds AVR-specific options to "size" for compatibility with Atmel's downstream distribution diff --git a/pkgs/misc/cups/default.nix b/pkgs/misc/cups/default.nix index d9f136f81389f..75dab9a828d3d 100644 --- a/pkgs/misc/cups/default.nix +++ b/pkgs/misc/cups/default.nix 
@@ -33,6 +33,15 @@ stdenv.mkDerivation rec { outputs = [ "out" "lib" "dev" "man" ]; + patches = [ + (fetchpatch { + # https://www.openwall.com/lists/oss-security/2023/06/01/1 + name = "CVE-2023-32324.patch"; + url = "https://github.com/OpenPrinting/cups/commit/fd8bc2d32589d1fd91fe1c0521be2a7c0462109e.patch"; + hash = "sha256-Q0Pw+MC7KE5VEiugY+GFtvPERG8x6ngNHUsWTEaDCHA="; + }) + ]; + postPatch = '' substituteInPlace cups/testfile.c \ --replace 'cupsFileFind("cat", "/bin' 'cupsFileFind("cat", "${coreutils}/bin' @@ -134,7 +143,12 @@ stdenv.mkDerivation rec { --replace "Exec=htmlview" "Exec=xdg-open" ''; - passthru.tests.nixos = nixosTests.printing; + passthru.tests = { + inherit (nixosTests) + printing-service + printing-socket + ; + }; meta = with lib; { homepage = "https://openprinting.github.io/cups/"; diff --git a/pkgs/os-specific/linux/apparmor/default.nix b/pkgs/os-specific/linux/apparmor/default.nix index c71980d94373d..33cdc0fb84500 100644 --- a/pkgs/os-specific/linux/apparmor/default.nix +++ b/pkgs/os-specific/linux/apparmor/default.nix @@ -22,7 +22,7 @@ }: let - apparmor-version = "3.1.3"; + apparmor-version = "3.1.4"; apparmor-meta = component: with lib; { homepage = "https://apparmor.net/"; @@ -36,7 +36,7 @@ let owner = "apparmor"; repo = "apparmor"; rev = "v${apparmor-version}"; - hash = "sha256-6N1BStOXKui6BxSriWVoOkvyGRUJ4btsloHh/SsG/JE="; + hash = "sha256-YWPdIUd+2x74tqiW+YX8NKh3jxSKhD+5zdiDMjhPzpE="; }; aa-teardown = writeShellScript "aa-teardown" '' diff --git a/pkgs/os-specific/linux/ena/default.nix b/pkgs/os-specific/linux/ena/default.nix index a7843ee3894c4..abc116efdcb2e 100644 --- a/pkgs/os-specific/linux/ena/default.nix +++ b/pkgs/os-specific/linux/ena/default.nix 
@@ -1,16 +1,33 @@ -{ lib, stdenv, fetchFromGitHub, kernel }: +{ lib, stdenv, fetchFromGitHub, fetchpatch, kernel }: stdenv.mkDerivation rec { - version = "2.8.3"; + version = "2.8.6"; name = "ena-${version}-${kernel.version}"; src = fetchFromGitHub { owner = "amzn"; repo = "amzn-drivers"; rev = "ena_linux_${version}"; - sha256 = "sha256-Z5BCqqC4FNKHqpocJ6CsHwhh5sszj5QfxiN6+Dkaqek="; + hash = "sha256-clRu+ecK/Je0kvlAAm6qCJqMyvZv0C88YIGDImhRhKA="; }; + patches = + [ # https://github.com/amzn/amzn-drivers/issues/269#issuecomment-1552483792 + (fetchpatch { + url = "https://github.com/amzn/amzn-drivers/files/11504862/phc_kernel_6_2_fix.patch"; + hash = "sha256-/EBkISwXMd7t4WZjsG9KVP6vncFwcZq1QBsxQLXyWsY="; + }) + # https://github.com/amzn/amzn-drivers/issues/270#issuecomment-1561924754 + (fetchpatch { + url = "https://github.com/amzn/amzn-drivers/files/11559312/devlink_6_2_fix.patch"; + hash = "sha256-Nc71u91G0dL+ld6ovqjHaE6X2TxduWeQYr5K0KdoA3Q="; + }) + (fetchpatch { + url = "https://github.com/amzn/amzn-drivers/files/11559314/devlink_6_3_fix.patch"; + hash = "sha256-aEQTbwHC1DcDrtj188eoGzi3GU9MXnwIxuJW4L7qb/I="; + }) + ]; + hardeningDisable = [ "pic" ]; nativeBuildInputs = kernel.moduleBuildDependencies; diff --git a/pkgs/os-specific/linux/kernel/fix-em-ice-bonding.patch b/pkgs/os-specific/linux/kernel/fix-em-ice-bonding.patch deleted file mode 100644 index 2b59a508fdac0..0000000000000 --- a/pkgs/os-specific/linux/kernel/fix-em-ice-bonding.patch +++ /dev/null 
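Review bot: The three `fetchpatch` URLs in the new `patches` list point at files attached to GitHub issue comments (`.../amzn-drivers/files/<id>/...`) rather than at commits in the upstream repository, and the third entry (`devlink_6_3_fix.patch`) has no comment of its own naming where it comes from. The fixed `hash` pins the content, so a replaced attachment fails the fetch instead of being picked up silently, but an attachment URL is presumably less durable than a commit URL and says nothing about upstream review. I would add a comment above the third entry linking the issue it was taken from, plus a line such as `# TODO: drop once an upstream release contains these fixes` so the list is revisited at the next version bump.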
@@ -1,87 +0,0 @@ -From 1640688018f329559c61352646f283f98938af31 Mon Sep 17 00:00:00 2001 -From: Cole Helbling -Date: Thu, 16 Feb 2023 09:30:21 -0800 -Subject: [PATCH] Revert "RDMA/irdma: Report the correct link speed" - -This reverts commit 425c9bd06b7a70796d880828d15c11321bdfb76d. - -Some Equinix Metal instances, such as a3.large.x86, m3.large.x86 -(specific hardware revisions), and n3.large.x86, use the `ice` kernel -driver for their network cards, in conjunction with bonded devices. -However, this commit caused a regression where these bonded devices -would deadlock. This was initially reported by Jaroslav Pulchart on -the netdev mailing list[1], and there were follow-up patches from Dave -Ertman[2][3] that attempted to fix this but were not up to snuff for -various reasons[4]. - -Specifically, v2 of the patch ([3]) appears to fix the issue on some -devices (tested with 8086:159B network cards), while it is still broken -on others (such as an 8086:1593 network card). - -We revert the patch exposing the issue until upstream has a working -solution in order to make Equinix Metal instances work reliably again. 
- -[1]: https://lore.kernel.org/netdev/CAK8fFZ6A_Gphw_3-QMGKEFQk=sfCw1Qmq0TVZK3rtAi7vb621A@mail.gmail.com/ -[2]: https://patchwork.ozlabs.org/project/intel-wired-lan/patch/20230111183145.1497367-1-david.m.ertman@intel.com/ -[3]: https://patchwork.ozlabs.org/project/intel-wired-lan/patch/20230215191757.1826508-1-david.m.ertman@intel.com/ -[4]: https://lore.kernel.org/netdev/cb31a911-ba80-e2dc-231f-851757cfd0b8@intel.com/T/#m6e53f8c43093693c10268140126abe99e082dc1c ---- - drivers/infiniband/hw/irdma/verbs.c | 35 ++++++++++++++++++++++++++--- - 1 file changed, 32 insertions(+), 3 deletions(-) - -diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c -index c5971a840b87..911902d2b93e 100644 ---- a/drivers/infiniband/hw/irdma/verbs.c -+++ b/drivers/infiniband/hw/irdma/verbs.c -@@ -60,6 +60,36 @@ static int irdma_query_device(struct ib_device *ibdev, - return 0; - } - -+/** -+ * irdma_get_eth_speed_and_width - Get IB port speed and width from netdev speed -+ * @link_speed: netdev phy link speed -+ * @active_speed: IB port speed -+ * @active_width: IB port width -+ */ -+static void irdma_get_eth_speed_and_width(u32 link_speed, u16 *active_speed, -+ u8 *active_width) -+{ -+ if (link_speed <= SPEED_1000) { -+ *active_width = IB_WIDTH_1X; -+ *active_speed = IB_SPEED_SDR; -+ } else if (link_speed <= SPEED_10000) { -+ *active_width = IB_WIDTH_1X; -+ *active_speed = IB_SPEED_FDR10; -+ } else if (link_speed <= SPEED_20000) { -+ *active_width = IB_WIDTH_4X; -+ *active_speed = IB_SPEED_DDR; -+ } else if (link_speed <= SPEED_25000) { -+ *active_width = IB_WIDTH_1X; -+ *active_speed = IB_SPEED_EDR; -+ } else if (link_speed <= SPEED_40000) { -+ *active_width = IB_WIDTH_4X; -+ *active_speed = IB_SPEED_FDR10; -+ } else { -+ *active_width = IB_WIDTH_4X; -+ *active_speed = IB_SPEED_EDR; -+ } -+} -+ - /** - * irdma_query_port - get port attributes - * @ibdev: device pointer from stack -@@ -87,9 +117,8 @@ static int irdma_query_port(struct ib_device *ibdev, 
u32 port, - props->state = IB_PORT_DOWN; - props->phys_state = IB_PORT_PHYS_STATE_DISABLED; - } -- -- ib_get_eth_speed(ibdev, port, &props->active_speed, -- &props->active_width); -+ irdma_get_eth_speed_and_width(SPEED_100000, &props->active_speed, -+ &props->active_width); - - if (rdma_protocol_roce(ibdev, 1)) { - props->gid_tbl_len = 32; --- -2.39.0 - diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix index 6d1ad766d6849..980c754c9e500 100644 --- a/pkgs/os-specific/linux/kernel/manual-config.nix +++ b/pkgs/os-specific/linux/kernel/manual-config.nix @@ -1,5 +1,5 @@ { lib, stdenv, buildPackages, runCommand, nettools, bc, bison, flex, perl, rsync, gmp, libmpc, mpfr, openssl -, libelf, cpio, elfutils, zstd, python3Minimal, zlib, pahole +, libelf, cpio, elfutils, zstd, python3Minimal, zlib, pahole, ubootTools , fetchpatch }: @@ -100,13 +100,13 @@ stdenv.mkDerivation ({ inherit version src; depsBuildBuild = [ buildPackages.stdenv.cc ]; - nativeBuildInputs = [ perl bc nettools openssl rsync gmp libmpc mpfr zstd python3Minimal ] - ++ optional (kernelConf.target == "uImage") buildPackages.ubootTools - ++ optional (lib.versionOlder version "5.8") libelf - ++ optionals (lib.versionAtLeast version "4.16") [ bison flex ] - ++ optionals (lib.versionAtLeast version "5.2") [ cpio pahole zlib ] - ++ optional (lib.versionAtLeast version "5.8") elfutils - ; + nativeBuildInputs = [ + bc gmp libmpc mpfr nettools openssl perl python3Minimal rsync ubootTools + zstd + ] ++ optional (lib.versionOlder version "5.8") libelf + ++ optionals (lib.versionAtLeast version "4.16") [ bison flex ] + ++ optionals (lib.versionAtLeast version "5.2") [ cpio pahole zlib ] + ++ optional (lib.versionAtLeast version "5.8") elfutils; patches = map (p: p.patch) kernelPatches diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index f2225096dd5ca..972235c7f8522 100644 
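Review bot: `ubootTools` is now listed unconditionally in `nativeBuildInputs` of manual-config.nix, where the removed line added `buildPackages.ubootTools` only when `kernelConf.target == "uImage"`. Every kernel build therefore gains this build-time dependency, and the package is now taken from the function argument instead of an explicit `buildPackages` reference. If dropping the condition is intentional, a short comment next to the list saying why would help the next reader; otherwise keep `++ optional (kernelConf.target == "uImage") buildPackages.ubootTools`. The derivation body continues outside the hunk.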
--- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -58,11 +58,6 @@ patch = ./export-rt-sched-migrate.patch; }; - fix-em-ice-bonding = { - name = "fix-em-ice-bonding"; - patch = ./fix-em-ice-bonding.patch; - }; - CVE-2023-32233 = rec { name = "CVE-2023-32233"; patch = fetchpatch { diff --git a/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch b/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch index c0d38c60202c2..08499a228344c 100644 --- a/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch +++ b/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch @@ -10,10 +10,10 @@ container, so checking early whether it exists will fail. 1 file changed, 2 insertions(+) diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c -index a697ea5cb9..65d9e7e398 100644 +index 3dabe12672..e5aa4feb1e 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c -@@ -5635,6 +5635,7 @@ static int run(int argc, char *argv[]) { +@@ -5638,6 +5638,7 @@ static int run(int argc, char *argv[]) { goto finish; } } else { @@ -21,7 +21,7 @@ index a697ea5cb9..65d9e7e398 100644 _cleanup_free_ char *p = NULL; if (arg_pivot_root_new) -@@ -5649,6 +5650,7 @@ static int run(int argc, char *argv[]) { +@@ -5652,6 +5653,7 @@ static int run(int argc, char *argv[]) { "Directory %s doesn't look like it has an OS tree (/usr/ directory is missing). Refusing.", arg_directory); goto finish; } diff --git a/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch b/pkgs/os-specific/linux/systemd/0004-Add-some-NixOS-specific-unit-directories.patch similarity index 100% rename from pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch rename to pkgs/os-specific/linux/systemd/0004-Add-some-NixOS-specific-unit-directories.patch 
diff --git a/pkgs/os-specific/linux/systemd/0004-fsck-look-for-fsck-binary-not-just-in-sbin.patch b/pkgs/os-specific/linux/systemd/0004-fsck-look-for-fsck-binary-not-just-in-sbin.patch deleted file mode 100644 index 617cef50cc3c6..0000000000000 --- a/pkgs/os-specific/linux/systemd/0004-fsck-look-for-fsck-binary-not-just-in-sbin.patch +++ /dev/null 
@@ -1,152 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Florian Klink -Date: Thu, 13 Apr 2023 22:54:54 +0200 -Subject: [PATCH] fsck: look for fsck binary not just in /sbin - -This removes remaining hardcoded occurences of `/sbin/fsck`, and instead -uses `find_executable` to find `fsck`. - -We also use `fsck_exists_for_fstype` to check for the `fsck.*` -executable, which also checks in `$PATH`, so it's fair to assume fsck -itself is also available. ---- - man/systemd-fsck@.service.xml | 8 ++++---- - src/fsck/fsck.c | 9 ++++++++- - src/home/homework-luks.c | 11 ++++++++++- - src/shared/dissect-image.c | 13 +++++++++++-- - 4 files changed, 33 insertions(+), 8 deletions(-) - -diff --git a/man/systemd-fsck@.service.xml b/man/systemd-fsck@.service.xml -index e928aebdb3..403286829e 100644 ---- a/man/systemd-fsck@.service.xml -+++ b/man/systemd-fsck@.service.xml -@@ -51,17 +51,17 @@ - systemd-fsck does not know any details - about specific filesystems, and simply executes file system - checkers specific to each filesystem type -- (/sbin/fsck.type). These checkers will decide if -+ (fsck.type). These checkers will decide if - the filesystem should actually be checked based on the time since - last check, number of mounts, unclean unmount, etc. - - systemd-fsck-root.service and systemd-fsck-usr.service -- will activate reboot.target if /sbin/fsck returns the "System -- should reboot" condition, or emergency.target if /sbin/fsck -+ will activate reboot.target if fsck returns the "System -+ should reboot" condition, or emergency.target if fsck - returns the "Filesystem errors left uncorrected" condition. - - systemd-fsck@.service will fail if -- /sbin/fsck returns with either "System should reboot" -+ fsck returns with either "System should reboot" - or "Filesystem errors left uncorrected" conditions. 
For filesystems - listed in /etc/fstab without nofail - or noauto options, local-fs.target -diff --git a/src/fsck/fsck.c b/src/fsck/fsck.c -index e25c5d5efa..0e0e73c9ac 100644 ---- a/src/fsck/fsck.c -+++ b/src/fsck/fsck.c -@@ -351,6 +351,7 @@ static int run(int argc, char *argv[]) { - if (r == 0) { - char dash_c[STRLEN("-C") + DECIMAL_STR_MAX(int) + 1]; - int progress_socket = -1; -+ _cleanup_free_ char *fsck_path = NULL; - const char *cmdline[9]; - int i = 0; - -@@ -371,7 +372,13 @@ static int run(int argc, char *argv[]) { - } else - dash_c[0] = 0; - -- cmdline[i++] = "/sbin/fsck"; -+ r = find_executable("fsck", &fsck_path); -+ if (r < 0) { -+ log_error_errno(r, "Cannot find fsck binary: %m"); -+ _exit(FSCK_OPERATIONAL_ERROR); -+ } -+ -+ cmdline[i++] = fsck_path; - cmdline[i++] = arg_repair; - cmdline[i++] = "-T"; - -diff --git a/src/home/homework-luks.c b/src/home/homework-luks.c -index 2ea9887853..e267457b8e 100644 ---- a/src/home/homework-luks.c -+++ b/src/home/homework-luks.c -@@ -215,6 +215,7 @@ static int block_get_size_by_path(const char *path, uint64_t *ret) { - static int run_fsck(const char *node, const char *fstype) { - int r, exit_status; - pid_t fsck_pid; -+ _cleanup_free_ char *fsck_path = NULL; - - assert(node); - assert(fstype); -@@ -227,6 +228,14 @@ static int run_fsck(const char *node, const char *fstype) { - return 0; - } - -+ r = find_executable("fsck", &fsck_path); -+ /* We proceed anyway if we can't determine whether the fsck -+ * binary for some specific fstype exists, -+ * but the lack of the main fsck binary should be considered -+ * an error. 
*/ -+ if (r < 0) -+ return log_error_errno(r, "Cannot find fsck binary: %m"); -+ - r = safe_fork("(fsck)", - FORK_RESET_SIGNALS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG|FORK_LOG|FORK_STDOUT_TO_STDERR|FORK_CLOSE_ALL_FDS, - &fsck_pid); -@@ -234,7 +243,7 @@ static int run_fsck(const char *node, const char *fstype) { - return r; - if (r == 0) { - /* Child */ -- execl("/sbin/fsck", "/sbin/fsck", "-aTl", node, NULL); -+ execl(fsck_path, fsck_path, "-aTl", node, NULL); - log_open(); - log_error_errno(errno, "Failed to execute fsck: %m"); - _exit(FSCK_OPERATIONAL_ERROR); -diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c -index 4749bdd230..2b6e1418dd 100644 ---- a/src/shared/dissect-image.c -+++ b/src/shared/dissect-image.c -@@ -1423,6 +1423,7 @@ static int is_loop_device(const char *path) { - static int run_fsck(int node_fd, const char *fstype) { - int r, exit_status; - pid_t pid; -+ _cleanup_free_ char *fsck_path = NULL; - - assert(node_fd >= 0); - assert(fstype); -@@ -1437,6 +1438,14 @@ static int run_fsck(int node_fd, const char *fstype) { - return 0; - } - -+ r = find_executable("fsck", &fsck_path); -+ /* We proceed anyway if we can't determine whether the fsck -+ * binary for some specific fstype exists, -+ * but the lack of the main fsck binary should be considered -+ * an error. 
*/ -+ if (r < 0) -+ return log_error_errno(r, "Cannot find fsck binary: %m"); -+ - r = safe_fork_full( - "(fsck)", - &node_fd, 1, /* Leave the node fd open */ -@@ -1446,7 +1455,7 @@ static int run_fsck(int node_fd, const char *fstype) { - return log_debug_errno(r, "Failed to fork off fsck: %m"); - if (r == 0) { - /* Child */ -- execl("/sbin/fsck", "/sbin/fsck", "-aT", FORMAT_PROC_FD_PATH(node_fd), NULL); -+ execl(fsck_path, fsck_path, "-aT", FORMAT_PROC_FD_PATH(node_fd), NULL); - log_open(); - log_debug_errno(errno, "Failed to execl() fsck: %m"); - _exit(FSCK_OPERATIONAL_ERROR); -@@ -1454,7 +1463,7 @@ static int run_fsck(int node_fd, const char *fstype) { - - exit_status = wait_for_terminate_and_check("fsck", pid, 0); - if (exit_status < 0) -- return log_debug_errno(exit_status, "Failed to fork off /sbin/fsck: %m"); -+ return log_debug_errno(exit_status, "Failed to fork off %s: %m", fsck_path); - - if ((exit_status & ~FSCK_ERROR_CORRECTED) != FSCK_SUCCESS) { - log_debug("fsck failed with exit status %i.", exit_status); diff --git a/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch b/pkgs/os-specific/linux/systemd/0005-Get-rid-of-a-useless-message-in-user-sessions.patch similarity index 91% rename from pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch rename to pkgs/os-specific/linux/systemd/0005-Get-rid-of-a-useless-message-in-user-sessions.patch index 0a638dfbf0ea3..e9f73d7c7726b 100644 --- a/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch +++ b/pkgs/os-specific/linux/systemd/0005-Get-rid-of-a-useless-message-in-user-sessions.patch @@ -13,10 +13,10 @@ in containers. 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/core/manager.c b/src/core/manager.c -index 380a4e30d7..817acb87b8 100644 +index 4bc8a06bd2..342892490e 100644 --- a/src/core/manager.c 
+++ b/src/core/manager.c -@@ -1437,7 +1437,8 @@ static unsigned manager_dispatch_stop_when_bound_queue(Manager *m) { +@@ -1486,7 +1486,8 @@ static unsigned manager_dispatch_stop_when_bound_queue(Manager *m) { if (!unit_is_bound_by_inactive(u, &culprit)) continue; diff --git a/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch b/pkgs/os-specific/linux/systemd/0006-hostnamed-localed-timedated-disable-methods-that-cha.patch similarity index 100% rename from pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch rename to pkgs/os-specific/linux/systemd/0006-hostnamed-localed-timedated-disable-methods-that-cha.patch diff --git a/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch b/pkgs/os-specific/linux/systemd/0007-Fix-hwdb-paths.patch similarity index 100% rename from pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch rename to pkgs/os-specific/linux/systemd/0007-Fix-hwdb-paths.patch diff --git a/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch b/pkgs/os-specific/linux/systemd/0008-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch similarity index 98% rename from pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch rename to pkgs/os-specific/linux/systemd/0008-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch index 52733a4c49209..300906be04d97 100644 --- a/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch +++ b/pkgs/os-specific/linux/systemd/0008-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch @@ -88,10 +88,10 @@ index 9e79f84691..1a1c75718c 100644 (void) mkdir_parents(etc_localtime, 0755); r = symlink_atomic(e, etc_localtime); diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c -index 65d9e7e398..dd44d529ca 100644 +index e5aa4feb1e..a7a8fae860 100644 --- a/src/nspawn/nspawn.c 
+++ b/src/nspawn/nspawn.c -@@ -1915,8 +1915,8 @@ int userns_mkdir(const char *root, const char *path, mode_t mode, uid_t uid, gid +@@ -1918,8 +1918,8 @@ int userns_mkdir(const char *root, const char *path, mode_t mode, uid_t uid, gid static const char *timezone_from_path(const char *path) { return PATH_STARTSWITH_SET( path, diff --git a/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch b/pkgs/os-specific/linux/systemd/0009-localectl-use-etc-X11-xkb-for-list-x11.patch similarity index 100% rename from pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch rename to pkgs/os-specific/linux/systemd/0009-localectl-use-etc-X11-xkb-for-list-x11.patch diff --git a/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch b/pkgs/os-specific/linux/systemd/0010-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch similarity index 100% rename from pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch rename to pkgs/os-specific/linux/systemd/0010-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch diff --git a/pkgs/os-specific/linux/systemd/0012-add-rootprefix-to-lookup-dir-paths.patch b/pkgs/os-specific/linux/systemd/0011-add-rootprefix-to-lookup-dir-paths.patch similarity index 100% rename from pkgs/os-specific/linux/systemd/0012-add-rootprefix-to-lookup-dir-paths.patch rename to pkgs/os-specific/linux/systemd/0011-add-rootprefix-to-lookup-dir-paths.patch diff --git a/pkgs/os-specific/linux/systemd/0013-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch b/pkgs/os-specific/linux/systemd/0012-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch similarity index 89% rename from pkgs/os-specific/linux/systemd/0013-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch rename to pkgs/os-specific/linux/systemd/0012-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch index 84ac0d882d6d0..9d0565a6e7672 100644 
--- a/pkgs/os-specific/linux/systemd/0013-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch +++ b/pkgs/os-specific/linux/systemd/0012-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch @@ -10,10 +10,10 @@ This is needed for NixOS to use such scripts as systemd directory is immutable. 1 file changed, 1 insertion(+) diff --git a/src/shutdown/shutdown.c b/src/shutdown/shutdown.c -index 42111d2772..53467ac229 100644 +index 5dee1b3a92..c08cf80548 100644 --- a/src/shutdown/shutdown.c +++ b/src/shutdown/shutdown.c -@@ -335,6 +335,7 @@ static void init_watchdog(void) { +@@ -339,6 +339,7 @@ static void init_watchdog(void) { int main(int argc, char *argv[]) { static const char* const dirs[] = { SYSTEM_SHUTDOWN_PATH, diff --git a/pkgs/os-specific/linux/systemd/0014-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch b/pkgs/os-specific/linux/systemd/0013-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch similarity index 100% rename from pkgs/os-specific/linux/systemd/0014-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch rename to pkgs/os-specific/linux/systemd/0013-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch diff --git a/pkgs/os-specific/linux/systemd/0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch b/pkgs/os-specific/linux/systemd/0014-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch similarity index 100% rename from pkgs/os-specific/linux/systemd/0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch rename to pkgs/os-specific/linux/systemd/0014-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch diff --git a/pkgs/os-specific/linux/systemd/0016-pkg-config-derive-prefix-from-prefix.patch b/pkgs/os-specific/linux/systemd/0015-pkg-config-derive-prefix-from-prefix.patch similarity index 100% rename from pkgs/os-specific/linux/systemd/0016-pkg-config-derive-prefix-from-prefix.patch rename to pkgs/os-specific/linux/systemd/0015-pkg-config-derive-prefix-from-prefix.patch 
diff --git a/pkgs/os-specific/linux/systemd/0017-inherit-systemd-environment-when-calling-generators.patch b/pkgs/os-specific/linux/systemd/0016-inherit-systemd-environment-when-calling-generators.patch similarity index 94% rename from pkgs/os-specific/linux/systemd/0017-inherit-systemd-environment-when-calling-generators.patch rename to pkgs/os-specific/linux/systemd/0016-inherit-systemd-environment-when-calling-generators.patch index 236af4b2c97ba..0f67abe795c31 100644 --- a/pkgs/os-specific/linux/systemd/0017-inherit-systemd-environment-when-calling-generators.patch +++ b/pkgs/os-specific/linux/systemd/0016-inherit-systemd-environment-when-calling-generators.patch @@ -16,10 +16,10 @@ executables that are being called from managers. 1 file changed, 8 insertions(+) diff --git a/src/core/manager.c b/src/core/manager.c -index 817acb87b8..3f31359f8a 100644 +index 342892490e..1117251fe0 100644 --- a/src/core/manager.c +++ b/src/core/manager.c -@@ -3714,9 +3714,17 @@ static int build_generator_environment(Manager *m, char ***ret) { +@@ -3771,9 +3771,17 @@ static int build_generator_environment(Manager *m, char ***ret) { * adjust generated units to that. Let's pass down some bits of information that are easy for us to * determine (but a bit harder for generator scripts to determine), as environment variables. */ diff --git a/pkgs/os-specific/linux/systemd/0018-core-don-t-taint-on-unmerged-usr.patch b/pkgs/os-specific/linux/systemd/0017-core-don-t-taint-on-unmerged-usr.patch similarity index 92% rename from pkgs/os-specific/linux/systemd/0018-core-don-t-taint-on-unmerged-usr.patch rename to pkgs/os-specific/linux/systemd/0017-core-don-t-taint-on-unmerged-usr.patch index 18982ecd04bd1..f509eb39ece53 100644 --- a/pkgs/os-specific/linux/systemd/0018-core-don-t-taint-on-unmerged-usr.patch +++ b/pkgs/os-specific/linux/systemd/0017-core-don-t-taint-on-unmerged-usr.patch @@ -17,10 +17,10 @@ See also: https://github.com/systemd/systemd/issues/24191 1 file changed, 4 deletions(-) 
diff --git a/src/core/manager.c b/src/core/manager.c -index 3f31359f8a..0c4ec0b4fb 100644 +index 1117251fe0..bf5600a6cf 100644 --- a/src/core/manager.c +++ b/src/core/manager.c -@@ -4556,10 +4556,6 @@ char* manager_taint_string(const Manager *m) { +@@ -4617,10 +4617,6 @@ char* manager_taint_string(const Manager *m) { if (m->taint_usr) stage[n++] = "split-usr"; diff --git a/pkgs/os-specific/linux/systemd/0019-tpm2_context_init-fix-driver-name-checking.patch b/pkgs/os-specific/linux/systemd/0018-tpm2_context_init-fix-driver-name-checking.patch similarity index 100% rename from pkgs/os-specific/linux/systemd/0019-tpm2_context_init-fix-driver-name-checking.patch rename to pkgs/os-specific/linux/systemd/0018-tpm2_context_init-fix-driver-name-checking.patch diff --git a/pkgs/os-specific/linux/systemd/0019-bootctl-also-print-efi-files-not-owned-by-systemd-in.patch b/pkgs/os-specific/linux/systemd/0019-bootctl-also-print-efi-files-not-owned-by-systemd-in.patch new file mode 100644 index 0000000000000..84fc6528b9847 --- /dev/null +++ b/pkgs/os-specific/linux/systemd/0019-bootctl-also-print-efi-files-not-owned-by-systemd-in.patch 
@@ -0,0 +1,46 @@
+From bc0f378a1149b59e88e9345e579d62fec7f50cdf Mon Sep 17 00:00:00 2001
+From: Arian van Putten
+Date: Wed, 31 May 2023 13:27:13 +0200
+Subject: [PATCH] bootctl: also print efi files not owned by systemd in status
+
+We should not skip over unknown entries in EFI/BOOT/ but
+also print them out in status so people are aware that they are there.
+
+(cherry picked from commit a680d4fb87bad829989949e5ea4fc6db90453456)
+---
+ src/boot/bootctl-status.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/src/boot/bootctl-status.c b/src/boot/bootctl-status.c
+index 2e2bf1f7e1..f1ac4a9c8a 100644
+--- a/src/boot/bootctl-status.c
++++ b/src/boot/bootctl-status.c
+@@ -225,9 +225,8 @@ static int enumerate_binaries(
+ return log_error_errno(errno, "Failed to open file '%s' for reading: %m", filename);
+
+ r = get_file_version(fd, &v);
+- if (r == -ESRCH) /* Not the file we are looking for. */
+- continue;
+- if (r < 0)
++
++ if (r < 0 && r != -ESRCH)
+ return r;
+
+ if (*previous) { /* Let's output the previous entry now, since now we know that there will be
+@@ -242,10 +241,10 @@ static int enumerate_binaries(
+ /* Do not output this entry immediately, but store what should be printed in a state
+ * variable, because we only will know the tree glyph to print (branch or final edge) once we
+ * read one more entry */
+- if (r > 0)
+- r = asprintf(previous, "/%s/%s (%s%s%s)", path, de->d_name, ansi_highlight(), v, ansi_normal());
+- else
++ if (r == -ESRCH) /* No systemd-owned file but still interesting to print */
+ r = asprintf(previous, "/%s/%s", path, de->d_name);
++ else /* if (r >= 0) */
++ r = asprintf(previous, "/%s/%s (%s%s%s)", path, de->d_name, ansi_highlight(), v, ansi_normal());
+ if (r < 0)
+ return log_oom();
+
+--
+2.39.2 (Apple Git-143)
+
diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index fbf56b8c30af5..fd5ca2df5a94a 100644
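Review bot: In `enumerate_binaries`, as changed by the new 0019 patch, the final `else` branch passes `v` to `%s` for every non-negative return of `get_file_version`, whereas the removed code formatted `v` only when `r > 0`. `get_file_version` is not visible here, so this is a question rather than a confirmed defect: if it can return 0 without setting `v`, a NULL pointer reaches `asprintf`'s `%s` conversion, which is undefined behaviour. Widening the first condition to `if (r == -ESRCH || !v) /* no version string to print */` keeps the unversioned output as the safe fallback. If upstream guarantees `v` is set on success, the existing `/* if (r >= 0) */` comment could instead state that contract. The function body starts and ends outside the hunk.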
--- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -145,7 +145,7 @@ assert withUkify -> withEfi; let wantCurl = withRemote || withImportd; wantGcrypt = withResolved || withImportd; - version = "253.3"; + version = "253.5"; # Bump this variable on every (major) version change. See below (in the meson options list) for why. # command: @@ -162,7 +162,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "systemd"; repo = "systemd-stable"; rev = "v${version}"; - hash = "sha256-iy1kyqiVeXIhFJAQ+nYorrXm/xb2gfakyrEfMyNR5l8="; + hash = "sha256-B3A9AvpfZ8SYsiZvHnWO4RHs1/6EdczWF2NmrSqxQ7c="; }; # On major changes, or when otherwise required, you *must* reformat the patches, 
@@ -174,22 +174,22 @@ stdenv.mkDerivation (finalAttrs: { ./0001-Start-device-units-for-uninitialised-encrypted-devic.patch ./0002-Don-t-try-to-unmount-nix-or-nix-store.patch ./0003-Fix-NixOS-containers.patch - ./0004-fsck-look-for-fsck-binary-not-just-in-sbin.patch - ./0005-Add-some-NixOS-specific-unit-directories.patch - ./0006-Get-rid-of-a-useless-message-in-user-sessions.patch - ./0007-hostnamed-localed-timedated-disable-methods-that-cha.patch - ./0008-Fix-hwdb-paths.patch - ./0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch - ./0010-localectl-use-etc-X11-xkb-for-list-x11.patch - ./0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch - ./0012-add-rootprefix-to-lookup-dir-paths.patch - ./0013-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch - ./0014-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch - ./0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch - ./0016-pkg-config-derive-prefix-from-prefix.patch - ./0017-inherit-systemd-environment-when-calling-generators.patch - ./0018-core-don-t-taint-on-unmerged-usr.patch - ./0019-tpm2_context_init-fix-driver-name-checking.patch + ./0004-Add-some-NixOS-specific-unit-directories.patch + ./0005-Get-rid-of-a-useless-message-in-user-sessions.patch + ./0006-hostnamed-localed-timedated-disable-methods-that-cha.patch + ./0007-Fix-hwdb-paths.patch + ./0008-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch + ./0009-localectl-use-etc-X11-xkb-for-list-x11.patch + ./0010-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch + ./0011-add-rootprefix-to-lookup-dir-paths.patch + ./0012-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch + ./0013-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch + ./0014-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch + ./0015-pkg-config-derive-prefix-from-prefix.patch + ./0016-inherit-systemd-environment-when-calling-generators.patch + ./0017-core-don-t-taint-on-unmerged-usr.patch + 
./0018-tpm2_context_init-fix-driver-name-checking.patch + ./0019-bootctl-also-print-efi-files-not-owned-by-systemd-in.patch ] ++ lib.optional stdenv.hostPlatform.isMusl ( let oe-core = fetchzip { diff --git a/pkgs/servers/teleport/generic.nix b/pkgs/servers/teleport/generic.nix index 80a419cd70646..8ff61ce862b64 100644 --- a/pkgs/servers/teleport/generic.nix +++ b/pkgs/servers/teleport/generic.nix @@ -160,5 +160,8 @@ buildGoModule rec { license = licenses.asl20; maintainers = with maintainers; [ arianvp justinas sigma tomberek freezeboy ]; platforms = platforms.unix; + # go-libfido2 is broken on platforms with less than 64-bit because it defines an array + # which occupies more than 31 bits of address space. + broken = stdenv.hostPlatform.parsed.cpu.bits < 64; }; } diff --git a/pkgs/stdenv/generic/setup.sh b/pkgs/stdenv/generic/setup.sh index 734abb890c24f..d3009ae572a2f 100644 --- a/pkgs/stdenv/generic/setup.sh +++ b/pkgs/stdenv/generic/setup.sh @@ -29,13 +29,23 @@ if [ -n "$__structuredAttrs" ]; then export "$outputName=${outputs[$outputName]}" done + # Before Nix 2.4, $NIX_ATTRS_*_FILE was named differently: + # https://github.com/NixOS/nix/commit/27ce722 + if [[ -n "${ATTRS_JSON_FILE:-}" ]]; then + export NIX_ATTRS_JSON_FILE="$ATTRS_JSON_FILE" + fi + + if [[ -n "${ATTRS_SH_FILE:-}" ]]; then + export NIX_ATTRS_SH_FILE="$ATTRS_SH_FILE" + fi + # $NIX_ATTRS_JSON_FILE pointed to the wrong location in sandbox # https://github.com/NixOS/nix/issues/6736; please keep around until the # fix reaches *every patch version* that's >= lib/minver.nix - if ! [[ -e "$NIX_ATTRS_JSON_FILE" ]]; then + if ! [[ -e "${NIX_ATTRS_JSON_FILE:-}" ]]; then export NIX_ATTRS_JSON_FILE="$NIX_BUILD_TOP/.attrs.json" fi - if ! [[ -e "$NIX_ATTRS_SH_FILE" ]]; then + if ! [[ -e "${NIX_ATTRS_SH_FILE:-}" ]]; then export NIX_ATTRS_SH_FILE="$NIX_BUILD_TOP/.attrs.sh" fi else 
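Review bot: The pre-2.4 compatibility block in `pkgs/stdenv/generic/setup.sh` overwrites `NIX_ATTRS_JSON_FILE` and `NIX_ATTRS_SH_FILE` whenever the legacy `ATTRS_JSON_FILE` or `ATTRS_SH_FILE` is non-empty, even if the new names are already set. Whether both can be set in the same build is not visible from the hunk, but the legacy value should not take precedence over the one Nix exported. Guarding on the new name makes the fallback one-directional: `if [[ -z "${NIX_ATTRS_JSON_FILE:-}" && -n "${ATTRS_JSON_FILE:-}" ]]; then`, and likewise `if [[ -z "${NIX_ATTRS_SH_FILE:-}" && -n "${ATTRS_SH_FILE:-}" ]]; then`. The enclosing `if [ -n "$__structuredAttrs" ]` block starts before the hunk and continues past the trailing `else`.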
diff --git a/pkgs/tools/compression/lz4/default.nix b/pkgs/tools/compression/lz4/default.nix index 584b000a3e293..f745f4f091aba 100644 --- a/pkgs/tools/compression/lz4/default.nix +++ b/pkgs/tools/compression/lz4/default.nix @@ -38,6 +38,7 @@ stdenv.mkDerivation rec { ] # TODO make full dictionary ++ lib.optional stdenv.hostPlatform.isMinGW "TARGET_OS=MINGW" + ++ lib.optional stdenv.hostPlatform.isLinux "TARGET_OS=Linux" ; doCheck = false; # tests take a very long time diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix index 9bdf18c44fc68..5ff2aef0b8339 100644 --- a/pkgs/tools/networking/curl/default.nix +++ b/pkgs/tools/networking/curl/default.nix @@ -47,14 +47,14 @@ assert !((lib.count (x: x) [ gnutlsSupport opensslSupport wolfsslSupport rustlsS stdenv.mkDerivation (finalAttrs: { pname = "curl"; - version = "8.0.1"; + version = "8.1.1"; src = fetchurl { urls = [ "https://curl.haxx.se/download/curl-${finalAttrs.version}.tar.bz2" "https://github.com/curl/curl/releases/download/curl-${finalAttrs.version}/curl-${finalAttrs.version}.tar.bz2" ]; - hash = "sha256-m2selrdI0EuWh4a2vfQHqlx1q1Oj03wcjIHNtzZVXM8="; + hash = "sha256-UdKvcieZE7XUyrH+Hzi5RM9wkEyIvuJGtb1XWETnA1o="; }; patches = [ diff --git a/pkgs/top-level/haskell-packages.nix b/pkgs/top-level/haskell-packages.nix index 23648b58cfa5e..6001039689c4c 100644 --- a/pkgs/top-level/haskell-packages.nix +++ b/pkgs/top-level/haskell-packages.nix @@ -20,6 +20,7 @@ let "ghc925" "ghc926" "ghc927" + "ghc928" "ghc92" "ghc942" "ghc943" @@ -40,6 +41,7 @@ let "ghc925" "ghc926" "ghc927" + "ghc928" "ghc94" "ghc942" "ghc943" 
@@ -233,7 +235,24 @@ in { buildTargetLlvmPackages = pkgsBuildTarget.llvmPackages_12; llvmPackages = pkgs.llvmPackages_12; }; - ghc92 = ghc927; + ghc928 = callPackage ../development/compilers/ghc/9.2.8.nix { + bootPkgs = + # aarch64 ghc8107Binary exceeds max output size on hydra + if stdenv.hostPlatform.isAarch then + packages.ghc8107BinaryMinimal + else if stdenv.hostPlatform.isPower64 && stdenv.hostPlatform.isLittleEndian then + packages.ghc810 + else + packages.ghc8107Binary; + inherit (buildPackages.python3Packages) sphinx; + # Need to use apple's patched xattr until + # https://github.com/xattr/xattr/issues/44 and + # https://github.com/xattr/xattr/issues/55 are solved. + inherit (buildPackages.darwin) xattr autoSignDarwinBinariesHook; + buildTargetLlvmPackages = pkgsBuildTarget.llvmPackages_12; + llvmPackages = pkgs.llvmPackages_12; + }; + ghc92 = ghc928; ghc942 = callPackage ../development/compilers/ghc/9.4.2.nix { bootPkgs = # Building with 9.2 is broken due to @@ -507,7 +526,12 @@ in { ghc = bh.compiler.ghc927; compilerConfig = callPackage ../development/haskell-modules/configuration-ghc-9.2.x.nix { }; }; - ghc92 = ghc927; + ghc928 = callPackage ../development/haskell-modules { + buildHaskellPackages = bh.packages.ghc928; + ghc = bh.compiler.ghc928; + compilerConfig = callPackage ../development/haskell-modules/configuration-ghc-9.2.x.nix { }; + }; + ghc92 = ghc928; ghc942 = callPackage ../development/haskell-modules { buildHaskellPackages = bh.packages.ghc942; ghc = bh.compiler.ghc942; diff --git a/pkgs/top-level/linux-kernels.nix b/pkgs/top-level/linux-kernels.nix index a602c2447fb37..f2fad5895edec 100644 --- a/pkgs/top-level/linux-kernels.nix +++ b/pkgs/top-level/linux-kernels.nix @@ -154,7 +154,6 @@ in { kernelPatches = [ kernelPatches.bridge_stp_helper kernelPatches.request_key_helper - kernelPatches.fix-em-ice-bonding ]; }; 
@@ -170,7 +169,6 @@ in { kernelPatches = [ kernelPatches.bridge_stp_helper kernelPatches.request_key_helper - kernelPatches.fix-em-ice-bonding ]; }; @@ -178,7 +176,6 @@ in { kernelPatches = [ kernelPatches.bridge_stp_helper kernelPatches.request_key_helper - kernelPatches.fix-em-ice-bonding kernelPatches.export-rt-sched-migrate ]; }; @@ -187,7 +184,6 @@ in { kernelPatches = [ kernelPatches.bridge_stp_helper kernelPatches.request_key_helper - kernelPatches.fix-em-ice-bonding ]; }; diff --git a/pkgs/top-level/release-haskell.nix b/pkgs/top-level/release-haskell.nix index 82968a342d8f8..1891dec00ff65 100644 --- a/pkgs/top-level/release-haskell.nix +++ b/pkgs/top-level/release-haskell.nix @@ -67,6 +67,7 @@ let ghc925 ghc926 ghc927 + ghc928 ghc945 ghc961 ghc962 @@ -438,8 +439,8 @@ let ; }; - haskell.packages.native-bignum.ghc927 = { - inherit (packagePlatforms pkgs.pkgsStatic.haskell.packages.native-bignum.ghc927) + haskell.packages.native-bignum.ghc928 = { + inherit (packagePlatforms pkgs.pkgsStatic.haskell.packages.native-bignum.ghc928) hello lens random @@ -541,6 +542,7 @@ let compilerNames.ghc925 compilerNames.ghc926 compilerNames.ghc927 + compilerNames.ghc928 compilerNames.ghc945 ]; weeder = [ @@ -550,6 +552,7 @@ let compilerNames.ghc925 compilerNames.ghc926 compilerNames.ghc927 + compilerNames.ghc928 compilerNames.ghc945 ]; }) @@ -631,6 +634,7 @@ let jobs.pkgsMusl.haskell.compiler.ghc925 jobs.pkgsMusl.haskell.compiler.ghc926 jobs.pkgsMusl.haskell.compiler.ghc927 + jobs.pkgsMusl.haskell.compiler.ghc928 jobs.pkgsMusl.haskell.compiler.ghcHEAD jobs.pkgsMusl.haskell.compiler.integer-simple.ghc8107 jobs.pkgsMusl.haskell.compiler.native-bignum.ghc902 @@ -638,6 +642,7 @@ let jobs.pkgsMusl.haskell.compiler.native-bignum.ghc925 jobs.pkgsMusl.haskell.compiler.native-bignum.ghc926 jobs.pkgsMusl.haskell.compiler.native-bignum.ghc927 + jobs.pkgsMusl.haskell.compiler.native-bignum.ghc928 jobs.pkgsMusl.haskell.compiler.native-bignum.ghcHEAD ]; }; 
@@ -653,7 +658,7 @@ let }; constituents = accumulateDerivations [ jobs.pkgsStatic.haskellPackages - jobs.pkgsStatic.haskell.packages.native-bignum.ghc927 + jobs.pkgsStatic.haskell.packages.native-bignum.ghc928 ]; }; }