From 82fda1612871f23341857e31a8000fca48174483 Mon Sep 17 00:00:00 2001 From: Connor Baker Date: Thu, 7 Dec 2023 19:26:39 +0000 Subject: [PATCH 01/21] auto-patchelf: add support for __structuredAttrs (cherry picked from commit 9faad7fb0b2a3a20aa0632573e78af02ff928f29) --- pkgs/build-support/setup-hooks/auto-patchelf.sh | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/pkgs/build-support/setup-hooks/auto-patchelf.sh b/pkgs/build-support/setup-hooks/auto-patchelf.sh index 371389df427bc..6930fcec9d1d4 100644 --- a/pkgs/build-support/setup-hooks/auto-patchelf.sh +++ b/pkgs/build-support/setup-hooks/auto-patchelf.sh @@ -53,7 +53,18 @@ autoPatchelf() { esac done - readarray -td' ' ignoreMissingDepsArray < <(echo -n "$autoPatchelfIgnoreMissingDeps") + if [ -n "$__structuredAttrs" ]; then + local ignoreMissingDepsArray=( "${autoPatchelfIgnoreMissingDeps[@]}" ) + local appendRunpathsArray=( "${appendRunpaths[@]}" ) + local runtimeDependenciesArray=( "${runtimeDependencies[@]}" ) + local patchelfFlagsArray=( "${patchelfFlags[@]}" ) + else + readarray -td' ' ignoreMissingDepsArray < <(echo -n "$autoPatchelfIgnoreMissingDeps") + local appendRunpathsArray=($appendRunpaths) + local runtimeDependenciesArray=($runtimeDependencies) + local patchelfFlagsArray=($patchelfFlags) + fi + if [ "$autoPatchelfIgnoreMissingDeps" == "1" ]; then echo "autoPatchelf: WARNING: setting 'autoPatchelfIgnoreMissingDeps" \ "= true;' is deprecated and will be removed in a future release." \ @@ -61,9 +72,6 @@ autoPatchelf() { ignoreMissingDepsArray=( "*" ) fi - local appendRunpathsArray=($appendRunpaths) - local runtimeDependenciesArray=($runtimeDependencies) - local patchelfFlagsArray=($patchelfFlags) @pythonInterpreter@ @autoPatchelfScript@ \ ${norecurse:+--no-recurse} \ --ignore-missing "${ignoreMissingDepsArray[@]}" \ From efe033a562eb2f65001231d2eb4a043802edd558 Mon Sep 17 00:00:00 2001 
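Review bot: In the non-structured `else` branch, `ignoreMissingDepsArray` is filled by `readarray` with no `local` declaration, while the `__structuredAttrs` branch declares it `local`. Unless the name is declared earlier in `autoPatchelf` (the function starts outside the hunk), the two modes leave different state in the shell that sourced the hook. Declaring it once before the `if`, with `local -a ignoreMissingDepsArray`, keeps both branches the same. The unquoted `($appendRunpaths)`, `($runtimeDependencies)` and `($patchelfFlags)` in that branch also undergo pathname expansion as well as word splitting, so a comment would help: `# legacy string attrs: split on whitespace; entries must not contain spaces or glob characters`.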
From: Connor Baker Date: Thu, 14 Dec 2023 16:53:34 +0000 Subject: [PATCH 02/21] auto-patchelf: improve deprecation check by searching all elements (cherry picked from commit 45901c42fc91c1d1d46a811b9578b4d92da98135) --- pkgs/build-support/setup-hooks/auto-patchelf.sh | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/pkgs/build-support/setup-hooks/auto-patchelf.sh b/pkgs/build-support/setup-hooks/auto-patchelf.sh index 6930fcec9d1d4..9f6366b3feaed 100644 --- a/pkgs/build-support/setup-hooks/auto-patchelf.sh +++ b/pkgs/build-support/setup-hooks/auto-patchelf.sh @@ -65,12 +65,17 @@ autoPatchelf() { local patchelfFlagsArray=($patchelfFlags) fi - if [ "$autoPatchelfIgnoreMissingDeps" == "1" ]; then - echo "autoPatchelf: WARNING: setting 'autoPatchelfIgnoreMissingDeps" \ - "= true;' is deprecated and will be removed in a future release." \ - "Use 'autoPatchelfIgnoreMissingDeps = [ \"*\" ];' instead." >&2 - ignoreMissingDepsArray=( "*" ) - fi + # Check if ignoreMissingDepsArray contains "1" and if so, replace it with + # "*", printing a deprecation warning. + for dep in "${ignoreMissingDepsArray[@]}"; do + if [ "$dep" == "1" ]; then + echo "autoPatchelf: WARNING: setting 'autoPatchelfIgnoreMissingDeps" \ + "= true;' is deprecated and will be removed in a future release." \ + "Use 'autoPatchelfIgnoreMissingDeps = [ \"*\" ];' instead." >&2 + ignoreMissingDepsArray=( "*" ) + break + fi + done @pythonInterpreter@ @autoPatchelfScript@ \ ${norecurse:+--no-recurse} \ From 16dcac4ab46b47aa2d36738ba633f3044ad9fce3 Mon Sep 17 00:00:00 2001 
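Review bot: The loop variable `dep` in the new `for` loop is not declared `local`, so after `autoPatchelf` returns it stays set in the build shell that sourced the hook, unless it is declared earlier in the function outside the hunk. Adding `local dep` on the line before `for dep in "${ignoreMissingDepsArray[@]}"; do` avoids that. The new comment says the `"1"` element is replaced with `"*"`, but the code assigns `ignoreMissingDepsArray=( "*" )` and so discards every other pattern in the list. The comment should say so: `# If any element is "1" (deprecated boolean form), ignore all missing deps by resetting the array to ( "*" ).`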
From: Yann Hamdaoui Date: Wed, 20 Dec 2023 18:08:22 +0100 Subject: [PATCH 03/21] Test __structuredAttrs support in autoPatchelf This commit adds a test for the newly added support for __structuredAttrs in autoPatchelf(hook). It copied a reasonably small-closure binary derivation that makes use of autoPatchelf, stripped it down for the purpose of the test, and check that autoPatchelf correctly set the interpreter and runpath whether __structuredAttrs is set to true or not. (cherry picked from commit 00d0418804e96e381d40a07bf784e408c4d206f4) --- pkgs/test/auto-patchelf-hook/default.nix | 6 ++ pkgs/test/auto-patchelf-hook/package.nix | 96 ++++++++++++++++++++++++ pkgs/test/default.nix | 2 + 3 files changed, 104 insertions(+) create mode 100644 pkgs/test/auto-patchelf-hook/default.nix create mode 100644 pkgs/test/auto-patchelf-hook/package.nix diff --git a/pkgs/test/auto-patchelf-hook/default.nix b/pkgs/test/auto-patchelf-hook/default.nix new file mode 100644 index 0000000000000..6e05e729fba84 --- /dev/null +++ b/pkgs/test/auto-patchelf-hook/default.nix @@ -0,0 +1,6 @@ +{ lib, callPackage }: + +lib.recurseIntoAttrs { + withStructuredAttrs = callPackage ./package.nix { __structuredAttrs = true; }; + withoutStructuredAttrs = callPackage ./package.nix { __structuredAttrs = false; }; +} diff --git a/pkgs/test/auto-patchelf-hook/package.nix b/pkgs/test/auto-patchelf-hook/package.nix new file mode 100644 index 0000000000000..be03ee68c0391 --- /dev/null +++ b/pkgs/test/auto-patchelf-hook/package.nix 
@@ -0,0 +1,96 @@ +# This is a test for autoPatchelfHook. To test it, we just need a simple binary +# which uses the hook. We took the derivation from tonelib-jam, which sounds +# like a good candidate with a small closure, and trimmed it down. + +{ stdenv +, lib +, fetchurl +, autoPatchelfHook +, dpkg +, freetype +, curl +# This test checks that the behavior of autoPatchelfHook is correct whether +# __structuredAttrs +# (https://nixos.org/manual/nix/stable/language/advanced-attributes#adv-attr-structuredAttrs) +# is set or not. Hence __structuredAttrs is provided as a parameter. +, __structuredAttrs +}: + +let runtimeDependencies = [ + (lib.getLib curl) + "/some/dep" + "/some/other/dep" +] +# A dependency with space only works with __structuredAttrs set to true. +++ lib.lists.optional __structuredAttrs "/some/dep with space"; +in + +stdenv.mkDerivation { + name = "auto-patchelf-test"; + + src = fetchurl { + url = "https://tonelib.net/download/221222/ToneLib-Jam-amd64.deb"; + sha256 = "sha256-c6At2lRPngQPpE7O+VY/Hsfw+QfIb3COIuHfbqqIEuM="; + }; + + unpackCmd = '' + dpkg -x $curSrc source + ''; + + nativeBuildInputs = [ + dpkg + autoPatchelfHook + ]; + + installPhase = '' + mv usr $out + ''; + + buildInputs = [ + freetype + ]; + + autoPatchelfIgnoreMissingDeps = [ + "libGL.so.1" + "libasound.so.2" + ]; + + inherit runtimeDependencies; + + # Additional phase performing the actual test. + installCheckPhase = + let allDeps = runtimeDependencies ++ [ (lib.getLib freetype) ]; + in + '' + local binary="$out/bin/ToneLib-Jam" + local interpreter=$(patchelf --print-interpreter $binary) + local runpath=$(patchelf --print-rpath $binary) + local glibcStorePath="${stdenv.cc.libc}" + + # Check that the glibc path is a prefix of the interpreter. If + # autoPatchelfHook ran correctly, the binary should have set the interpreter + # to point to the store. 
+ echo "[auto-patchelf-hook-test]: Check that the interpreter is in the store" + test "''${interpreter#$glibcStorePath}" != "$interpreter" + + readarray -td':' runpathArray < <(echo -n "$runpath") + + echo "[auto-patchelf-hook-test]: Check that the runpath has the right number of entries" + test "''${#runpathArray[@]}" -eq ${builtins.toString (builtins.length allDeps)} + + echo "[auto-patchelf-hook-test]: Check that the runpath contains the expected runtime deps" + '' + + lib.strings.concatStringsSep "\n" + (lib.lists.imap0 + (i: path: + let iAsStr = builtins.toString i; in + '' + echo "[auto-patchelf-hook-test]: Check that entry ${iAsStr} is ${path}" + test "''${paths[${iAsStr}]}" = "$path" + '') + allDeps + ); + + doInstallCheck = true; + inherit __structuredAttrs; +} diff --git a/pkgs/test/default.nix b/pkgs/test/default.nix index 9543e165a8053..ea995477ae71d 100644 --- a/pkgs/test/default.nix +++ b/pkgs/test/default.nix @@ -171,4 +171,6 @@ with pkgs; pkgs-lib = recurseIntoAttrs (import ../pkgs-lib/tests { inherit pkgs; }); nixpkgs-check-by-name = callPackage ./nixpkgs-check-by-name { }; + + auto-patchelf-hook = callPackage ./auto-patchelf-hook { }; } From c127bbb82f95417947623ec69b0be44876bf756e Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Thu, 16 Nov 2023 08:55:02 +0000 Subject: [PATCH 04/21] shared-mime-info: 2.3 -> 2.4 Changes: https://gitlab.freedesktop.org/xdg/shared-mime-info/-/releases/2.4 (cherry picked from commit f0c56657a4f72a459e0392d464cebbfdc3fe6af4) --- pkgs/data/misc/shared-mime-info/default.nix | 11 ++----- .../shared-mime-info/fix-clang-warnings.patch | 31 ------------------- 2 files changed, 2 insertions(+), 40 deletions(-) delete mode 100644 pkgs/data/misc/shared-mime-info/fix-clang-warnings.patch diff --git a/pkgs/data/misc/shared-mime-info/default.nix b/pkgs/data/misc/shared-mime-info/default.nix index 8de13f2eaf368..6bad73e683927 100644 --- a/pkgs/data/misc/shared-mime-info/default.nix 
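Review bot: The per-entry checks generated in `installCheckPhase` of `package.nix` cannot fail as written. They index `''${paths[${iAsStr}]}`, but the array filled by `readarray` above is `runpathArray`, and the right-hand side `"$path"` is a shell variable rather than the Nix binding `${path}` used on the `echo` line. Neither `paths` nor `path` is set in the visible script, so each check presumably compares two empty strings and only the entry count is verified, which gives false assurance about the RUNPATH the loader will use. The line should read `test "''${runpathArray[${iAsStr}]}" = "${path}"`. Once the comparison is real, the order and exact form of the expected entries must match what the hook writes, which this hunk does not show.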
+++ b/pkgs/data/misc/shared-mime-info/default.nix @@ -1,7 +1,6 @@ { stdenv , lib , fetchFromGitLab -, fetchpatch , meson , ninja , pkg-config @@ -14,7 +13,7 @@ stdenv.mkDerivation rec { pname = "shared-mime-info"; - version = "2.3"; + version = "2.4"; outputs = [ "out" "dev" ]; @@ -23,15 +22,9 @@ stdenv.mkDerivation rec { owner = "xdg"; repo = pname; rev = version; - sha256 = "sha256-cEfknRVtOJykEO9Iqlb0UoiayYtu+ugvmmZqAD5cGnE="; + hash = "sha256-5eyMkfSBUOD7p8woIYTgz5C/L8uQMXyr0fhL0l23VMA="; }; - patches = [ - # Submitted upstream at - # https://gitlab.freedesktop.org/xdg/shared-mime-info/-/issues/211 - ./fix-clang-warnings.patch - ]; - nativeBuildInputs = [ meson ninja diff --git a/pkgs/data/misc/shared-mime-info/fix-clang-warnings.patch b/pkgs/data/misc/shared-mime-info/fix-clang-warnings.patch deleted file mode 100644 index 2d185549c4e6b..0000000000000 --- a/pkgs/data/misc/shared-mime-info/fix-clang-warnings.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -diff --git a/meson.build b/meson.build -index 1780c44..7998a51 100644 ---- a/meson.build -+++ b/meson.build -@@ -49,12 +49,7 @@ endif - ############################################################################### - # Dependencies - --check_functions = [ -- 'fdatasync', --] --foreach function : check_functions -- config.set('HAVE_'+function.to_upper(), cc.has_function(function)) --endforeach -+config.set('HAVE_FDATASYNC', cc.has_function('fdatasync', prefix: '#include ')) - - - if get_option('build-translations') -diff --git a/src/update-mime-database.cpp b/src/update-mime-database.cpp -index 733ba06..4ca6d06 100644 ---- a/src/update-mime-database.cpp -+++ b/src/update-mime-database.cpp -@@ -2158,7 +2158,7 @@ static void check_in_path_xdg_data(const char *mime_path) - - env = getenv("XDG_DATA_DIRS"); - if (!env) -- env = "/usr/local/share/"PATH_SEPARATOR"/usr/share/"; -+ env = "/usr/local/share/" PATH_SEPARATOR "/usr/share/"; - dirs = g_strsplit(env, PATH_SEPARATOR, 0); - g_return_if_fail(dirs != NULL); - for (n = 0; dirs[n]; n++) From 9cc3559a406209a55b4a78ae473214b378a8a029 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Wed, 22 Nov 2023 07:17:36 +0000 Subject: [PATCH 05/21] readline: 8.2p1 -> 8.2p7 (cherry picked from commit 9e8a41f187336cce5533def8a825871c46f6c2cc) --- .../development/libraries/readline/readline-8.2-patches.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkgs/development/libraries/readline/readline-8.2-patches.nix b/pkgs/development/libraries/readline/readline-8.2-patches.nix index 48d2bd14badb0..bc075df237c7b 100644 --- a/pkgs/development/libraries/readline/readline-8.2-patches.nix +++ b/pkgs/development/libraries/readline/readline-8.2-patches.nix 
@@ -2,4 +2,10 @@ patch: [ (patch "001" "1xxgfgr6hn3ads8m8xsrdi1kbx1f3s69k0danpd9x4haqhg7zydv") +(patch "002" "0ly0siy6qy3l7hv12847adpfa34yq1w4qz9qkw6vrxv25j106rg0") +(patch "003" "1c5cwvvkx9mfmpaapymq9cavmzh4fnagkjlchsqx4vml8sx8gx94") +(patch "004" "1b15sndx9v5vj3x1f3h73099nlagknx4rbfpd5ldrbw2xgm2wmvr") +(patch "005" "16ac25jz1a1mgkpfp1sydqf6qpsfh0s0dcmrnjpqbhg5va3s6av2") +(patch "006" "18gmh6y3klh0vv28cyqz4is3rlb32pl7f1kf5r482kfjq3w5zd67") +(patch "007" "1xmnpahs983n4w0gn3j0wr8nh1dpva33yj7fvfmhm46ph2wsa4ar") ] From 2aa04fd0c0f5371fa1518ea0918392d281af96df Mon Sep 17 00:00:00 2001 From: Jan Tojnar Date: Wed, 20 Dec 2023 18:38:05 +0000 Subject: [PATCH 06/21] =?UTF-8?q?gtk3:=203.24.38=20=E2=86=92=203.24.39?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://gitlab.gnome.org/GNOME/gtk/-/compare/3.24.38...3.24.39 (cherry picked from commit 575e82058e1fb6a824182339a66534040aba360b) --- pkgs/development/libraries/gtk/3.x.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/gtk/3.x.nix b/pkgs/development/libraries/gtk/3.x.nix index 27afba7833e8a..c244414c55087 100644 --- a/pkgs/development/libraries/gtk/3.x.nix +++ b/pkgs/development/libraries/gtk/3.x.nix @@ -64,7 +64,7 @@ in stdenv.mkDerivation (finalAttrs: { pname = "gtk+3"; - version = "3.24.38"; + version = "3.24.39"; outputs = [ "out" "dev" ] ++ lib.optional withIntrospection "devdoc"; outputBin = "dev"; @@ -78,7 +78,7 @@ stdenv.mkDerivation (finalAttrs: { inherit (finalAttrs) version; in fetchurl { url = "mirror://gnome/sources/gtk+/${lib.versions.majorMinor version}/gtk+-${version}.tar.xz"; - sha256 = "sha256-zhHezwGLJb3YUFVEpPhyQoVOyIvgVNmt5fOiBETdjuc="; + sha256 = "sha256-HKw+VmubLzZTpFjAjC3N/cqfkIA3rAPJ2FZLQpV3jXk="; }; patches = [ From 0d807a51c4440bbd2402a9d7ef27bbdc9f49747d Mon Sep 17 00:00:00 2001 
From: John Ericson Date: Wed, 10 Jan 2024 19:26:03 -0500 Subject: [PATCH 07/21] readline: Get rid of temporary patch downgrade #280145 on staging-23.11 Companion to #280145 reverting it on `staging-23.11`. On staging `staging-23.11` we are on `readline-8.2p7`, not `readline-8.2p1`, and we can use the never version of the patch. This reverts commit cd76713d42c93b125e4b935e9e3a133754056d90. --- pkgs/development/libraries/readline/8.2.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/readline/8.2.nix b/pkgs/development/libraries/readline/8.2.nix index 274938145ccd8..72e3370576e72 100644 --- a/pkgs/development/libraries/readline/8.2.nix +++ b/pkgs/development/libraries/readline/8.2.nix @@ -54,9 +54,9 @@ stdenv.mkDerivation rec { }) (fetchpatch { name = "0003-fd_set.patch"; - url = "https://github.com/msys2/MINGW-packages/raw/90e7536e3b9c3af55c336d929cfcc32468b2f135/mingw-w64-readline/0003-fd_set.patch"; + url = "https://github.com/msys2/MINGW-packages/raw/35830ab27e5ed35c2a8d486961ab607109f5af50/mingw-w64-readline/0003-fd_set.patch"; stripLen = 1; - hash = "sha256-MlsX5JYp1PHD25uuVnDKJWEquegUN3dkj9fhjQX51/M="; + hash = "sha256-UiaXZRPjKecpSaflBMCphI2kqOlcz1JkymlCrtpMng4="; }) (fetchpatch { name = "0004-locale.patch"; From 2507a4c9d21875086136f71d38f60ccba757e45b Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Wed, 10 Jan 2024 21:41:00 +0100 Subject: [PATCH 08/21] redis: 7.2.3 -> 7.2.4 Fixes CVE-2023-41056. https://github.com/redis/redis/releases/tag/7.2.4 (cherry picked from commit 08e61ec0c320c10ede227766e4a3dc0fdcef7517) --- pkgs/servers/nosql/redis/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/nosql/redis/default.nix b/pkgs/servers/nosql/redis/default.nix index c3ac0ebbf969b..8fd23ae186c48 100644 --- a/pkgs/servers/nosql/redis/default.nix +++ b/pkgs/servers/nosql/redis/default.nix 
@@ -12,11 +12,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "redis"; - version = "7.2.3"; + version = "7.2.4"; src = fetchurl { url = "https://download.redis.io/releases/redis-${finalAttrs.version}.tar.gz"; - hash = "sha256-PisZbW603bnnQwiL/CkVzLtC1A9aij7djLaccW7DS+c="; + hash = "sha256-jRBMJqFUsp/WfWVotPN1ISISrUHgwsqj1mSA5429O1k="; }; patches = lib.optionals useSystemJemalloc [ From e497ab9708a492dfdffb7fd0e266a1a4b9d9b926 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Fri, 12 Jan 2024 04:39:43 +0000 Subject: [PATCH 09/21] pipewire: 1.0.0 -> 1.0.1 (cherry picked from commit 182459799640e0ac73d2d98eceb779c585ad3192) --- pkgs/development/libraries/pipewire/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/pipewire/default.nix b/pkgs/development/libraries/pipewire/default.nix index fa5cb97b214fa..0d1e3b03a09a8 100644 --- a/pkgs/development/libraries/pipewire/default.nix +++ b/pkgs/development/libraries/pipewire/default.nix @@ -81,7 +81,7 @@ let self = stdenv.mkDerivation rec { pname = "pipewire"; - version = "1.0.0"; + version = "1.0.1"; outputs = [ "out" @@ -97,7 +97,7 @@ let owner = "pipewire"; repo = "pipewire"; rev = version; - sha256 = "sha256-mfnMluxJAxDbB6JlIM6HJ0zg7e1q3ia3uFbht6zeHCk="; + sha256 = "sha256-rvf0sZRgDDLcqroLg7hcMUqXD/4JT+3lBRX6/m+3Ry8="; }; patches = [ From 32a3b1b308da96d9020d4ab55b7807b6f2ce8371 Mon Sep 17 00:00:00 2001 From: Henri Menke Date: Thu, 11 Jan 2024 17:23:27 +0100 Subject: [PATCH 10/21] libzip: backport patch for pkgconfig file (cherry picked from commit ba653c4def9fc5851c9f85808052e2051463cc0b) --- pkgs/development/libraries/libzip/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/pkgs/development/libraries/libzip/default.nix b/pkgs/development/libraries/libzip/default.nix index 14e2f44808242..b343184760330 100644 --- a/pkgs/development/libraries/libzip/default.nix +++ b/pkgs/development/libraries/libzip/default.nix 
@@ -1,5 +1,6 @@ { lib, stdenv , cmake +, fetchpatch2 , fetchurl , perl , zlib @@ -24,6 +25,15 @@ stdenv.mkDerivation (finalAttrs: { sha256 = "sha256-lmmuXf46xbOJdTbchGaodMjPLA47H90I11snOIQpk2M="; }; + patches = [ + # https://github.com/nih-at/libzip/issues/404 + (fetchpatch2 { + name = "Check-for-zstd_TARGET-before-using-it-in-a-regex.patch"; + url = "https://github.com/nih-at/libzip/commit/c719428916b4d19e838f873b1a177b126a080d61.patch"; + hash = "sha256-4ksbXEM8kNvs3wtbIaXLEQNSKaxl0es/sIg0EINaTHE="; + }) + ]; + outputs = [ "out" "dev" "man" ]; nativeBuildInputs = [ cmake perl groff ]; From 859094a39d5391f733905addc988e1edcd0e818b Mon Sep 17 00:00:00 2001 From: annalee <150648636+a-n-n-a-l-e-e@users.noreply.github.com> Date: Wed, 3 Jan 2024 19:28:31 +0000 Subject: [PATCH 11/21] llvmPackages_{15,16,17,git}.libcxx: fix darwin link flags This change applies the upstream PR https://github.com/llvm/llvm-project/pull/77218 so the same link flags on darwin are used as when LIBCXX_CXX_ABI=libcxxabi. Specifically, this adds "-Wl,-force_symbols_not_weak_list,${CMAKE_CURRENT_SOURCE_DIR}/../lib/notweak.exp" which prevents libcxx from segfaulting on darwin (cherry picked from commit 7b62547409025b299d01eaabb384878ce94870d5) --- .../compilers/llvm/15/libcxx/default.nix | 8 ++++++++ .../compilers/llvm/16/libcxx/default.nix | 10 +++++++++- .../compilers/llvm/17/libcxx/default.nix | 13 ++++++++++++- .../compilers/llvm/git/libcxx/default.nix | 13 ++++++++++++- 4 files changed, 41 insertions(+), 3 deletions(-) diff --git a/pkgs/development/compilers/llvm/15/libcxx/default.nix b/pkgs/development/compilers/llvm/15/libcxx/default.nix index ed5f48e8c38fe..be56770039d80 100644 --- a/pkgs/development/compilers/llvm/15/libcxx/default.nix +++ b/pkgs/development/compilers/llvm/15/libcxx/default.nix 
@@ -56,6 +56,14 @@ stdenv.mkDerivation rec { hash = "sha256-AaM9A6tQ4YAw7uDqCIV4VaiUyLZv+unwcOqbakwW9/k="; relative = "libcxx"; }) + # fix for https://github.com/NixOS/nixpkgs/issues/269548 + # https://github.com/llvm/llvm-project/pull/77218 + (fetchpatch { + name = "darwin-system-libcxxabi-link-flags.patch"; + url = "https://github.com/llvm/llvm-project/commit/c5b89b29ee6e3c444a355fd1cf733ce7ab2e316a.patch"; + hash = "sha256-LNoPg1KCoP8RWxU/AzHR52f4Dww24I9BGQJedMhFxyQ="; + relative = "libcxx"; + }) ] ++ lib.optionals stdenv.hostPlatform.isMusl [ ../../libcxx-0001-musl-hacks.patch ]; diff --git a/pkgs/development/compilers/llvm/16/libcxx/default.nix b/pkgs/development/compilers/llvm/16/libcxx/default.nix index 78cd632024cda..d6c8c57c17437 100644 --- a/pkgs/development/compilers/llvm/16/libcxx/default.nix +++ b/pkgs/development/compilers/llvm/16/libcxx/default.nix @@ -1,5 +1,5 @@ { lib, stdenv, llvm_meta -, monorepoSrc, runCommand +, monorepoSrc, runCommand, fetchpatch , cmake, ninja, python3, fixDarwinDylibNames, version , cxxabi ? if stdenv.hostPlatform.isFreeBSD then libcxxrt else libcxxabi , libcxxabi, libcxxrt, libunwind @@ -47,6 +47,14 @@ stdenv.mkDerivation rec { patches = [ ./gnu-install-dirs.patch + # fix for https://github.com/NixOS/nixpkgs/issues/269548 + # https://github.com/llvm/llvm-project/pull/77218 + (fetchpatch { + name = "darwin-system-libcxxabi-link-flags.patch"; + url = "https://github.com/llvm/llvm-project/commit/c5b89b29ee6e3c444a355fd1cf733ce7ab2e316a.patch"; + hash = "sha256-LNoPg1KCoP8RWxU/AzHR52f4Dww24I9BGQJedMhFxyQ="; + relative = "libcxx"; + }) ]; postPatch = '' diff --git a/pkgs/development/compilers/llvm/17/libcxx/default.nix b/pkgs/development/compilers/llvm/17/libcxx/default.nix index 7b99966416638..8a5272ea07af0 100644 --- a/pkgs/development/compilers/llvm/17/libcxx/default.nix +++ b/pkgs/development/compilers/llvm/17/libcxx/default.nix 
@@ -1,5 +1,5 @@ { lib, stdenv, llvm_meta -, monorepoSrc, runCommand +, monorepoSrc, runCommand, fetchpatch , cmake, ninja, python3, fixDarwinDylibNames, version , cxxabi ? if stdenv.hostPlatform.isFreeBSD then libcxxrt else libcxxabi , libcxxabi, libcxxrt, libunwind @@ -45,6 +45,17 @@ stdenv.mkDerivation rec { chmod -R u+w . ''; + patches = [ + # fix for https://github.com/NixOS/nixpkgs/issues/269548 + # https://github.com/llvm/llvm-project/pull/77218 + (fetchpatch { + name = "darwin-system-libcxxabi-link-flags.patch"; + url = "https://github.com/llvm/llvm-project/commit/c5b89b29ee6e3c444a355fd1cf733ce7ab2e316a.patch"; + hash = "sha256-LNoPg1KCoP8RWxU/AzHR52f4Dww24I9BGQJedMhFxyQ="; + relative = "libcxx"; + }) + ]; + postPatch = '' cd ../runtimes ''; diff --git a/pkgs/development/compilers/llvm/git/libcxx/default.nix b/pkgs/development/compilers/llvm/git/libcxx/default.nix index 7b99966416638..8a5272ea07af0 100644 --- a/pkgs/development/compilers/llvm/git/libcxx/default.nix +++ b/pkgs/development/compilers/llvm/git/libcxx/default.nix @@ -1,5 +1,5 @@ { lib, stdenv, llvm_meta -, monorepoSrc, runCommand +, monorepoSrc, runCommand, fetchpatch , cmake, ninja, python3, fixDarwinDylibNames, version , cxxabi ? if stdenv.hostPlatform.isFreeBSD then libcxxrt else libcxxabi , libcxxabi, libcxxrt, libunwind @@ -45,6 +45,17 @@ stdenv.mkDerivation rec { chmod -R u+w . ''; + patches = [ + # fix for https://github.com/NixOS/nixpkgs/issues/269548 + # https://github.com/llvm/llvm-project/pull/77218 + (fetchpatch { + name = "darwin-system-libcxxabi-link-flags.patch"; + url = "https://github.com/llvm/llvm-project/commit/c5b89b29ee6e3c444a355fd1cf733ce7ab2e316a.patch"; + hash = "sha256-LNoPg1KCoP8RWxU/AzHR52f4Dww24I9BGQJedMhFxyQ="; + relative = "libcxx"; + }) + ]; + postPatch = '' cd ../runtimes ''; From 673f28f48f4d1bf32a39df5f0301ae0a6571ce74 Mon Sep 17 00:00:00 2001 
From: Sergei Trofimovich Date: Wed, 22 Nov 2023 07:25:42 +0000 Subject: [PATCH 12/21] libdrm: 2.4.117 -> 2.4.118 Changes: https://gitlab.freedesktop.org/mesa/drm/-/compare/libdrm-2.4.117...libdrm-2.4.118?from_project_id=177&straight=false (cherry picked from commit e874a50b42201ac2a389d587f4e32adbb3eb3e73) --- pkgs/development/libraries/libdrm/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/libdrm/default.nix b/pkgs/development/libraries/libdrm/default.nix index 63a8522bd073c..a7ead8f227472 100644 --- a/pkgs/development/libraries/libdrm/default.nix +++ b/pkgs/development/libraries/libdrm/default.nix @@ -6,11 +6,11 @@ stdenv.mkDerivation rec { pname = "libdrm"; - version = "2.4.117"; + version = "2.4.118"; src = fetchurl { url = "https://dri.freedesktop.org/${pname}/${pname}-${version}.tar.xz"; - hash = "sha256-ooiNaePrHIp3rcCKdaYPuuAfDSCNJvA00aEuNiNhJCs="; + hash = "sha256-p3e9hfK1/JxX+IbIIFgwBXgxfK/bx30Kdp1+mpVnq4g="; }; outputs = [ "out" "dev" "bin" ]; From 19879dd31b40ebbf131d4ab41d51f2e8a9f1ea47 Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Sun, 14 Jan 2024 11:39:06 +0000 Subject: [PATCH 13/21] python3Packages.fonttools: add patch for CVE-2023-45139 --- pkgs/development/python-modules/fonttools/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkgs/development/python-modules/fonttools/default.nix b/pkgs/development/python-modules/fonttools/default.nix index 3c167debba37c..07f60371d96b9 100644 --- a/pkgs/development/python-modules/fonttools/default.nix +++ b/pkgs/development/python-modules/fonttools/default.nix @@ -4,6 +4,7 @@ , pythonOlder , isPyPy , fetchFromGitHub +, fetchpatch , setuptools-scm , fs , lxml 
@@ -36,6 +37,14 @@ buildPythonPackage rec { hash = "sha256-fcFFJi9Hr0m74LwFIhhhm/bMfxepAvg4/ymU53MmsPg="; }; + patches = [ + (fetchpatch { + name = "CVE-2023-45139.patch"; + url = "https://github.com/fonttools/fonttools/commit/9f61271dc1ca82ed91f529b130fe5dc5c9bf1f4c.patch"; + hash = "sha256-29OB21B8S4hGZlvNJnOTYTFAmEii+z5oK6tycoK3PXc="; + }) + ]; + nativeBuildInputs = [ setuptools-scm ]; passthru.optional-dependencies = let From 42244189feae7d73bea775d6e9d856cf42958bdf Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 11 Jan 2024 00:28:28 +0100 Subject: [PATCH 14/21] python311Packages.jinja2: 3.1.2 -> 3.1.3 https://github.com/pallets/jinja/releases/tag/3.1.3 https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95 (cherry picked from commit 221464d5df7e0f5af986f4b873aed9fa2e886b10) --- pkgs/development/python-modules/jinja2/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/jinja2/default.nix b/pkgs/development/python-modules/jinja2/default.nix index 1fb7b26db5b3b..e3328c7d766fb 100644 --- a/pkgs/development/python-modules/jinja2/default.nix +++ b/pkgs/development/python-modules/jinja2/default.nix @@ -15,14 +15,14 @@ buildPythonPackage rec { pname = "Jinja2"; - version = "3.1.2"; + version = "3.1.3"; outputs = [ "out" ] ++ lib.optional enableDocumentation "doc"; disabled = pythonOlder "3.7"; src = fetchPypi { inherit pname version; - hash = "sha256-MTUacCpAip51laj8YVD8P0O7a/fjGXcMvA2535Q36FI="; + hash = "sha256-rIvWVE1Lssl5K/OhWegLuo/afwfoG8Ou1WVDLVklupA="; }; patches = lib.optionals enableDocumentation [ ./patches/import-order.patch ]; From 72b445072a3ae6a8fa8d79d302135e62660fcb00 Mon Sep 17 00:00:00 2001 
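Review bot: The new `patches` entry in `fonttools/default.nix` has no comment saying when it can be dropped. Other backports in this series mark that (`# FIXME: remove in next release` in bluez, `# ToDo: Remove this patch in the next package upgrade` in alsa-ucm-conf). A security backport that silently stops applying after a version bump is easy to miss, so I would add this above `(fetchpatch {`: `# Fix for CVE-2023-45139; remove once fonttools is updated to a release that contains this commit.`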
From: K900 Date: Sun, 7 Jan 2024 22:54:59 +0300 Subject: [PATCH 15/21] python311Packages.afdko: fix tests due to new year (partial cherry pick from commit 9dbb6cc654601658c33773206382f2db008a056a) --- pkgs/development/python-modules/afdko/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/development/python-modules/afdko/default.nix b/pkgs/development/python-modules/afdko/default.nix index 556261277ea09..398200eb593d3 100644 --- a/pkgs/development/python-modules/afdko/default.nix +++ b/pkgs/development/python-modules/afdko/default.nix @@ -64,6 +64,11 @@ buildPythonPackage rec { ./use-dynamic-system-antlr4-runtime.patch ]; + # Happy new year + postPatch = '' + substituteInPlace tests/tx_data/expected_output/alt-missing-glif.pfb --replace 2023 2024 + ''; + env.NIX_CFLAGS_COMPILE = lib.optionalString stdenv.cc.isClang (toString [ "-Wno-error=incompatible-function-pointer-types" "-Wno-error=int-conversion" From f05cd383ad3a342d3496a1d2e7c117bf1e86ae15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Mon, 8 Jan 2024 13:17:58 -0800 Subject: [PATCH 16/21] imagemagick: 7.1.1-25 -> 7.1.1-26 Diff: https://github.com/ImageMagick/ImageMagick/compare/7.1.1-25...7.1.1-26 Changelog: https://github.com/ImageMagick/Website/blob/main/ChangeLog.md (cherry picked from commit 751a9553243b4220c74894fe9cd867be5cf07103) --- pkgs/applications/graphics/ImageMagick/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/graphics/ImageMagick/default.nix b/pkgs/applications/graphics/ImageMagick/default.nix index 8ac0496488895..b2d5dacb20fc4 100644 --- a/pkgs/applications/graphics/ImageMagick/default.nix +++ b/pkgs/applications/graphics/ImageMagick/default.nix 
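Review bot: The `substituteInPlace ... --replace 2023 2024` in the new `postPatch` of `afdko/default.nix` hard-codes the target year and rewrites every occurrence of `2023` in the expected-output file, not only the date field. The test will presumably break again at the next year change, and the `# Happy new year` comment does not tell a maintainer what to do then. I would document the intent with `# Expected output embeds the current year; upstream fixture still says 2023. Update or drop once upstream fixes the test.` If the test does compare against the build-time year, `--replace 2023 "$(date +%Y)"` would avoid the yearly edit.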
@@ -49,13 +49,13 @@ in stdenv.mkDerivation (finalAttrs: { pname = "imagemagick"; - version = "7.1.1-25"; + version = "7.1.1-26"; src = fetchFromGitHub { owner = "ImageMagick"; repo = "ImageMagick"; rev = finalAttrs.version; - hash = "sha256-HKDeeh8DNj0y7wS4DqctXhmNaOqZ02JeBXRFrEpH0M4="; + hash = "sha256-diJhCRDT0SbAYZdBPoxZJWlrUW2Nz4/d7H0Nnybw0Yw="; }; outputs = [ "out" "dev" "doc" ]; # bin/ isn't really big From aa4f4c070e1437c2570a1e080141dc678d81427a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Wed, 17 Jan 2024 07:18:59 +0100 Subject: [PATCH 17/21] gnutls: 3.8.2 -> 3.8.3 Fixes CVE-2024-0553 and CVE-2024-0567 https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html (cherry picked from commit 1a9b407e593cddb112ba772578dfc2298c8a4983) --- pkgs/development/libraries/gnutls/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/gnutls/default.nix b/pkgs/development/libraries/gnutls/default.nix index bbbdf19a19095..b8c95653e366b 100644 --- a/pkgs/development/libraries/gnutls/default.nix +++ b/pkgs/development/libraries/gnutls/default.nix @@ -35,11 +35,11 @@ in stdenv.mkDerivation rec { pname = "gnutls"; - version = "3.8.2"; + version = "3.8.3"; src = fetchurl { url = "mirror://gnupg/gnutls/v${lib.versions.majorMinor version}/gnutls-${version}.tar.xz"; - hash = "sha256-52XlAW/6m53SQ+NjoEYNV3B0RE7iSRJn2y6WycKt73c="; + hash = "sha256-90/FlUsn1Oxt+7Ed6ph4iLWxJCiaNwOvytoO5SD0Fz4="; }; outputs = [ "bin" "dev" "out" "man" "devdoc" ]; From 771eada2e2d24b96108ffa2eb068eebefaa719e5 Mon Sep 17 00:00:00 2001 From: Lin Jian Date: Thu, 18 Jan 2024 22:14:53 +0800 Subject: [PATCH 18/21] emacs: 29.1 -> 29.2 (cherry picked from commit c58d060c232c5affcc8fa9fde5f0f88ac660be76) --- pkgs/applications/editors/emacs/sources.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/pkgs/applications/editors/emacs/sources.nix b/pkgs/applications/editors/emacs/sources.nix index 37bab4923bfc3..aa73fa29b0d19 100644 --- a/pkgs/applications/editors/emacs/sources.nix +++ b/pkgs/applications/editors/emacs/sources.nix @@ -77,10 +77,10 @@ in emacs29 = import ./make-emacs.nix (mkArgs { pname = "emacs"; - version = "29.1"; + version = "29.2"; variant = "mainline"; - rev = "29.1"; - hash = "sha256-3HDCwtOKvkXwSULf3W7YgTz4GV8zvYnh2RrL28qzGKg="; + rev = "29.2"; + hash = "sha256-qSQmQzVyEGSr4GAI6rqnEwBvhl09D2D8MNasHqZQPL8="; }); emacs28-macport = import ./make-emacs.nix (mkArgs { From 8ee66d1a234f7dc40b63eaf04545fc9ee89e3580 Mon Sep 17 00:00:00 2001 From: K900 Date: Sun, 3 Dec 2023 16:24:48 +0300 Subject: [PATCH 19/21] bluez: cherry-pick upstream fix for devices not pairing sometimes (cherry picked from commit c583ee748a91b1da9ef36e8da5e565b7f114703f) --- pkgs/os-specific/linux/bluez/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkgs/os-specific/linux/bluez/default.nix b/pkgs/os-specific/linux/bluez/default.nix index af3e4391f75db..d864f30096d7c 100644 --- a/pkgs/os-specific/linux/bluez/default.nix +++ b/pkgs/os-specific/linux/bluez/default.nix @@ -36,6 +36,12 @@ in stdenv.mkDerivation rec { url = "https://git.alpinelinux.org/aports/plain/main/bluez/max-input.patch?id=32b31b484cb13009bd8081c4106e4cf064ec2f1f"; sha256 = "sha256-SczbXtsxBkCO+izH8XOBcrJEO2f7MdtYVT3+2fCV8wU="; }) + # Fix device pairing regression + # FIXME: remove in next release + (fetchpatch { + url = "https://github.com/bluez/bluez/commit/3a9c637010f8dc1ba3e8382abe01065761d4f5bb.patch"; + hash = "sha256-UUmYMHnxYrw663nEEC2mv3zj5e0omkLNejmmPUtgS3c="; + }) # CVE-2023-45866 / https://github.com/skysafe/reblog/tree/main/cve-2023-45866 (fetchpatch { name = "CVE-2023-45866.patch"; From 83233011b3e6b0b51e3e2715927094e49c62e8f0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jean-Fran=C3=A7ois=20Roche?= Date: Tue, 23 Jan 2024 11:05:12 +0100 Subject: [PATCH 20/21] nix: fix installCheckPhase crashes on Darwin While building nix on Darwin, I encountered an error in the `installCheckPhase`: ``` nix> building '/private/tmp/nix-build-nix-2.17.1.drv-1/nix-test/tests/fetchurl/store/mkc9z3arar02wi5jii655cjhdinx4npy-fetchurl.sh.drv'... nix> waiting for children nix> building of '/private/tmp/nix-build-nix-2.17.1.drv-1/nix-test/tests/fetchurl/store/mkc9z3arar02wi5jii655cjhdinx4npy-fetchurl.sh.drv^out' from .drv file: read 377 bytes nix> objc[70707]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called. nix> objc[70707]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called. We cannot safely call it or ignore it in the fork() child process. Crashing instead. Set a breakpoint on objc_initializeAfterForkError to debug. nix> waiting for children ``` I noticed that #278802 should have addressed this problem, but it didn't. The solution for me was to replace `yes` with `YES`. As it turns out, most of the references to `OBJC_DISABLE_INITIALIZE_FORK_SAFETY` use `YES` instead of `yes`. https://airflow.apache.org/blog/airflow-1.10.10/#running-airflow-on-macos http://sealiesoftware.com/blog/archive/2017/6/5/Objective-C_and_fork_in_macOS_1013.html The objective C code that parses the environment variable is defined in the function `environ_init` in [here](https://github.com/opensource-apple/objc4/blob/cd5e62a5597ea7a31dccef089317abb3a661c154/runtime/objc-runtime.mm#L265) and it does `*opt->var = (0 == strcmp(value, "YES"));`. 
``` % nix-info -m - system: `"aarch64-darwin"` - host os: `Darwin 21.3.0, macOS 12.2.1` - multi-user?: `yes` - sandbox: `yes` - version: `nix-env (Nix) 2.19.2` - channels(hetzner): `"darwin, nixpkgs-22.05-darwin"` - channels(root): `"darwin, nixpkgs-23.05-darwin"` - nixpkgs: `/Users/hetzner/git/nixpkgs` ``` (cherry picked from commit 4844b997d434affa8b6caf9b1b59b7850c276b22) --- pkgs/tools/package-management/nix/common.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/package-management/nix/common.nix b/pkgs/tools/package-management/nix/common.nix index 7aa7b1cc1a1da..11fb90ee1a9f2 100644 --- a/pkgs/tools/package-management/nix/common.nix +++ b/pkgs/tools/package-management/nix/common.nix @@ -216,7 +216,7 @@ self = stdenv.mkDerivation { # Prevent crashes in libcurl due to invoking Objective-C `+initialize` methods after `fork`. # See http://sealiesoftware.com/blog/archive/2017/6/5/Objective-C_and_fork_in_macOS_1013.html. + lib.optionalString stdenv.isDarwin '' - export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=yes + export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES '' # See https://github.com/NixOS/nix/issues/5687 + lib.optionalString (atLeast25 && stdenv.isDarwin) '' From 3e1c808cd7225695a40bfc84fb9a04228cc19675 Mon Sep 17 00:00:00 2001 From: Sporesirius Date: Fri, 8 Dec 2023 21:56:47 +0100 Subject: [PATCH 21/21] alsa-ucm-conf: apply patch to fix SplitPCM: Device argument may not be set (cherry picked from commit 92605d2155a8eda40f781dd65733a09957ea9b69) --- pkgs/by-name/al/alsa-ucm-conf/package.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/pkgs/by-name/al/alsa-ucm-conf/package.nix b/pkgs/by-name/al/alsa-ucm-conf/package.nix index b7203a7376387..cb3bf00a00380 100644 --- a/pkgs/by-name/al/alsa-ucm-conf/package.nix +++ b/pkgs/by-name/al/alsa-ucm-conf/package.nix @@ -1,4 +1,4 @@ -{ lib, stdenv, fetchurl }: +{ lib, stdenv, fetchurl, fetchpatch }: stdenv.mkDerivation rec { pname = "alsa-ucm-conf"; 
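Review bot: The comment above the `export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES` line in `nix/common.nix` does not say that the value is case-sensitive, which is the whole reason for this change. Per the commit message, the Objective-C runtime compares it against `YES` with `strcmp`. A later cleanup could easily lowercase it again, so I would add one line to the existing comment: `# The value must be exactly "YES"; the runtime does not accept any other spelling.` The surrounding string concatenation starts and ends outside the hunk.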
@@ -9,6 +9,16 @@ stdenv.mkDerivation rec { hash = "sha256-nCHj8B/wC6p1jfF+hnzTbiTrtBpr7ElzfpkQXhbyrpc="; }; + patches = [ + (fetchpatch { + # ToDo: Remove this patch in the next package upgrade + # Fixes SplitPCM to make some audio devices work with alsa-ucm-conf v1.2.10 again + name = "alsa-ucm-conf-splitpcm-device-argument-fix.patch"; + url = "https://github.com/alsa-project/alsa-ucm-conf/commit/b68aa52acdd2763fedad5eec0f435fbf43e5ccc6.patch"; + hash = "sha256-8WE4+uhi4W7cCSZYmL7uFpcHJ9muX09UkGXyZIpEd9I="; + }) + ]; + dontBuild = true; installPhase = ''