about summary refs log tree commit diff
path: root/pkgs/build-support
diff options
context:
space:
mode:
authorVladimír Čunát <vcunat@gmail.com>2016-06-19 12:33:04 +0200
committerVladimír Čunát <vcunat@gmail.com>2016-06-19 12:33:04 +0200
commite75740455546f85cbf9849907b1f6520fdb487d8 (patch)
tree02ab162a81b88bcf1e116b6cbb180557c33ba9b9 /pkgs/build-support
parenta02e5ad9263e508b4df6a3e5841e95bace0e787b (diff)
parent410aad942fc82bbeb9c30a4fdf826ed33998a593 (diff)
downloadnixlib-e75740455546f85cbf9849907b1f6520fdb487d8.tar
nixlib-e75740455546f85cbf9849907b1f6520fdb487d8.tar.gz
nixlib-e75740455546f85cbf9849907b1f6520fdb487d8.tar.bz2
nixlib-e75740455546f85cbf9849907b1f6520fdb487d8.tar.lz
nixlib-e75740455546f85cbf9849907b1f6520fdb487d8.tar.xz
nixlib-e75740455546f85cbf9849907b1f6520fdb487d8.tar.zst
nixlib-e75740455546f85cbf9849907b1f6520fdb487d8.zip
Merge branch 'master' into staging
Hydra nixpkgs: ?compare=1279790
Diffstat (limited to 'pkgs/build-support')
-rw-r--r--pkgs/build-support/build-fhs-chrootenv/default.nix48
-rw-r--r--pkgs/build-support/build-fhs-chrootenv/destroy.sh.in22
-rw-r--r--pkgs/build-support/build-fhs-chrootenv/init.sh.in22
-rw-r--r--pkgs/build-support/build-fhs-chrootenv/load.sh.in13
-rw-r--r--pkgs/build-support/build-fhs-chrootenv/mount.sh.in34
-rw-r--r--pkgs/build-support/build-fhs-chrootenv/umount.sh.in6
-rwxr-xr-xpkgs/build-support/build-fhs-userenv/chroot-user.rb38
-rw-r--r--pkgs/build-support/build-fhs-userenv/default.nix31
-rw-r--r--pkgs/build-support/build-fhs-userenv/env.nix (renamed from pkgs/build-support/build-fhs-chrootenv/env.nix)85
-rw-r--r--pkgs/build-support/docker/default.nix4
-rwxr-xr-xpkgs/build-support/fetchgit/nix-prefetch-git73
-rw-r--r--pkgs/build-support/grsecurity/default.nix191
-rw-r--r--pkgs/build-support/grsecurity/flavors.nix17
-rw-r--r--pkgs/build-support/rust/default.nix6
-rw-r--r--pkgs/build-support/rust/fetchcargo.nix4
-rw-r--r--pkgs/build-support/vm/default.nix2
16 files changed, 148 insertions, 448 deletions
diff --git a/pkgs/build-support/build-fhs-chrootenv/default.nix b/pkgs/build-support/build-fhs-chrootenv/default.nix
deleted file mode 100644
index dfce8edcb23d..000000000000
--- a/pkgs/build-support/build-fhs-chrootenv/default.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{ stdenv } : { env, extraInstallCommands ? "" } :
-
-let
-  # References to shell scripts that set up or tear down the environment
-  initSh    = ./init.sh.in;
-  mountSh   = ./mount.sh.in;
-  loadSh    = ./load.sh.in;
-  umountSh  = ./umount.sh.in;
-  destroySh = ./destroy.sh.in;
-
-  name = env.pname;
-
-in stdenv.mkDerivation {
-  name = "${name}-chrootenv";
-  preferLocalBuild = true;
-  buildCommand = ''
-    mkdir -p $out/bin
-    cd $out/bin
-
-    sed -e "s|@chrootEnv@|${env}|g" \
-        -e "s|@name@|${name}|g" \
-        -e "s|@shell@|${stdenv.shell}|g" \
-        ${initSh} > init-${name}-chrootenv
-    chmod +x init-${name}-chrootenv
-
-    sed -e "s|@shell@|${stdenv.shell}|g" \
-        -e "s|@name@|${name}|g" \
-        ${mountSh} > mount-${name}-chrootenv
-    chmod +x mount-${name}-chrootenv
-
-    sed -e "s|@shell@|${stdenv.shell}|g" \
-        -e "s|@name@|${name}|g" \
-        ${loadSh} > load-${name}-chrootenv
-    chmod +x load-${name}-chrootenv
-
-    sed -e "s|@shell@|${stdenv.shell}|g" \
-        -e "s|@name@|${name}|g" \
-        ${umountSh} > umount-${name}-chrootenv
-    chmod +x umount-${name}-chrootenv
-
-    sed -e "s|@chrootEnv@|${env}|g" \
-        -e "s|@shell@|${stdenv.shell}|g" \
-        -e "s|@name@|${name}|g" \
-        ${destroySh} > destroy-${name}-chrootenv
-    chmod +x destroy-${name}-chrootenv
-    ${extraInstallCommands}
-  '';
-}
diff --git a/pkgs/build-support/build-fhs-chrootenv/destroy.sh.in b/pkgs/build-support/build-fhs-chrootenv/destroy.sh.in
deleted file mode 100644
index 015f742d85a5..000000000000
--- a/pkgs/build-support/build-fhs-chrootenv/destroy.sh.in
+++ /dev/null
@@ -1,22 +0,0 @@
-#! @shell@ -e
-
-chrootenvDest=/run/chrootenv/@name@
-
-# Remove bind mount points
-rmdir $chrootenvDest/{dev,nix/store,nix,proc,sys,host-etc,home,var,run,tmp}
-
-# Remove symlinks to the software that should be part of the chroot system profile
-for i in @chrootEnv@/*
-do
-    if [ "$i" != "@chrootEnv@/etc" ] && [ "$i" != "@chrootEnv@/var" ]
-    then
-        rm $chrootenvDest/$(basename $i)
-    fi
-done
-
-# Remove the remaining folders
-rm -Rf $chrootenvDest/{etc,root}
-rm -Rf /tmp/chrootenv-@name@
-
-# Remove the chroot environment folder
-rmdir $chrootenvDest
diff --git a/pkgs/build-support/build-fhs-chrootenv/init.sh.in b/pkgs/build-support/build-fhs-chrootenv/init.sh.in
deleted file mode 100644
index 9c85069a655c..000000000000
--- a/pkgs/build-support/build-fhs-chrootenv/init.sh.in
+++ /dev/null
@@ -1,22 +0,0 @@
-#! @shell@ -e
-
-chrootenvDest=/run/chrootenv/@name@
-
-# Create some mount points for stuff that must be bind mounted
-mkdir -p $chrootenvDest/{nix/store,dev,proc,sys,host-etc,host-tmp,home,var,run}
-
-# Symlink the software that should be part of the chroot system profile
-for i in @chrootEnv@/*
-do
-    if [ "$i" != "@chrootEnv@/var" ]
-    then
-        ln -s "$i" "$chrootenvDest"
-    fi
-done
-
-# Create root folder
-mkdir $chrootenvDest/root
-
-# Create tmp folder
-mkdir -m1777    $chrootenvDest/tmp
-mkdir -m1777 -p /tmp/chrootenv-@name@
diff --git a/pkgs/build-support/build-fhs-chrootenv/load.sh.in b/pkgs/build-support/build-fhs-chrootenv/load.sh.in
deleted file mode 100644
index f3a6d13e8ff7..000000000000
--- a/pkgs/build-support/build-fhs-chrootenv/load.sh.in
+++ /dev/null
@@ -1,13 +0,0 @@
-#! @shell@ -e
-
-chrootenvDest=/run/chrootenv/@name@
-
-# Enter the LFS chroot environment
-sudo chroot --userspec "$USER:${GROUPS[0]}" --groups "${GROUPS[0]}" $chrootenvDest /usr/bin/env -i \
-     TERM="$TERM" \
-     DISPLAY="$DISPLAY" \
-     HOME="$HOME" \
-     XDG_RUNTIME_DIR="$XDG_RUNTIME_DIR" \
-     LANG="$LANG" \
-     SSL_CERT_FILE="$SSL_CERT_FILE" \
-     /bin/bash --login
diff --git a/pkgs/build-support/build-fhs-chrootenv/mount.sh.in b/pkgs/build-support/build-fhs-chrootenv/mount.sh.in
deleted file mode 100644
index 24b28aae78f7..000000000000
--- a/pkgs/build-support/build-fhs-chrootenv/mount.sh.in
+++ /dev/null
@@ -1,34 +0,0 @@
-#! @shell@ -e
-
-chrootenvDest=/run/chrootenv/@name@
-
-# Bind mount the Nix store
-mount --bind /nix/store $chrootenvDest/nix/store
-
-# Bind mount some kernel related stuff
-mount --bind /dev $chrootenvDest/dev
-mount --bind /dev/pts $chrootenvDest/dev/pts
-mount --bind /dev/shm $chrootenvDest/dev/shm
-mount --bind /proc $chrootenvDest/proc
-mount --bind /sys $chrootenvDest/sys
-
-# Bind mount home directories
-mount --bind /home $chrootenvDest/home
-
-# Bind mount state directories
-mount --bind /var $chrootenvDest/var
-mount --rbind /run $chrootenvDest/run
-
-# Bind mount the host system's /etc
-mount --bind /etc $chrootenvDest/host-etc
-
-# Bind mount the host system's /tmp
-mount --bind /tmp $chrootenvDest/host-tmp
-
-# Bind mount /tmp
-mount --bind /tmp/chrootenv-@name@ $chrootenvDest/tmp
-
-# Expose sockets in /tmp
-for i in /tmp/.*-unix; do
-  ln -s "/host-tmp/$(basename "$i")" "$chrootenvDest/$i"
-done
diff --git a/pkgs/build-support/build-fhs-chrootenv/umount.sh.in b/pkgs/build-support/build-fhs-chrootenv/umount.sh.in
deleted file mode 100644
index 27000cff10a9..000000000000
--- a/pkgs/build-support/build-fhs-chrootenv/umount.sh.in
+++ /dev/null
@@ -1,6 +0,0 @@
-#! @shell@ -e
-
-chrootenvDest=/run/chrootenv/@name@
-
-# Unmount all (r)bind mounts
-umount -l $chrootenvDest/{dev/pts,dev/shm,dev,nix/store,proc,sys,host-etc,host-tmp,home,var,tmp,run}
diff --git a/pkgs/build-support/build-fhs-userenv/chroot-user.rb b/pkgs/build-support/build-fhs-userenv/chroot-user.rb
index 250e6a908434..e3b268d57af6 100755
--- a/pkgs/build-support/build-fhs-userenv/chroot-user.rb
+++ b/pkgs/build-support/build-fhs-userenv/chroot-user.rb
@@ -2,16 +2,15 @@
 
 # Bind mounts hierarchy: from => to (relative)
 # If 'to' is nil, path will be the same
-mounts = { '/nix/store' => nil,
-           '/dev' => nil,
+mounts = { '/' => 'host',
            '/proc' => nil,
            '/sys' => nil,
-           '/etc' => 'host-etc',
-           '/tmp' => 'host-tmp',
-           '/home' => nil,
+           '/nix' => nil,
+           '/tmp' => nil,
            '/var' => nil,
            '/run' => nil,
-           '/root' => nil,
+           '/dev' => nil,
+           '/home' => nil,
          }
 
 # Propagate environment variables
@@ -62,12 +61,15 @@ $mount = make_fcall 'mount', [Fiddle::TYPE_VOIDP,
                     Fiddle::TYPE_INT
 
 # Read command line args
-abort "Usage: chrootenv swdir program args..." unless ARGV.length >= 2
-swdir = Pathname.new ARGV[0]
-execp = ARGV.drop 1
+abort "Usage: chrootenv program args..." unless ARGV.length >= 1
+execp = ARGV
 
 # Populate extra mounts
 if not ENV["CHROOTENV_EXTRA_BINDS"].nil?
+  $stderr.puts "CHROOTENV_EXTRA_BINDS is discussed for deprecation."
+  $stderr.puts "If you have a usecase, please drop a note in issue #16030."
+  $stderr.puts "Notice that we now bind-mount host FS to '/host' and symlink all directories from it to '/' by default."
+
   for extra in ENV["CHROOTENV_EXTRA_BINDS"].split(':')
     paths = extra.split('=')
     if not paths.empty?
@@ -132,24 +134,6 @@ if $cpid == 0
   Dir.chroot root
   Dir.chdir '/'
 
-  # Symlink swdir hierarchy
-  mount_dirs = Set.new mounts.map { |_, v| Pathname.new v }
-  link_swdir = lambda do |swdir, prefix|
-    swdir.find do |path|
-      rel = prefix.join path.relative_path_from(swdir)
-      # Don't symlink anything in binded or symlinked directories
-      Find.prune if mount_dirs.include? rel or rel.symlink?
-      if not rel.directory?
-        # File does not exist; make a symlink and bail out
-        rel.make_symlink path
-        Find.prune
-      end
-      # Recursively follow symlinks
-      link_swdir.call path.readlink, rel if path.symlink?
-    end
-  end
-  link_swdir.call swdir, Pathname.new('')
-
   # New environment
   new_env = Hash[ envvars.map { |x| [x, ENV[x]] } ]
 
diff --git a/pkgs/build-support/build-fhs-userenv/default.nix b/pkgs/build-support/build-fhs-userenv/default.nix
index 94c72e29a225..233db39788b0 100644
--- a/pkgs/build-support/build-fhs-userenv/default.nix
+++ b/pkgs/build-support/build-fhs-userenv/default.nix
@@ -1,28 +1,29 @@
-{ runCommand, lib, writeText, writeScriptBin, stdenv, ruby } :
-{ env, runScript ? "bash", extraBindMounts ? [], extraInstallCommands ? "", meta ? {}, passthru ? {} } :
+{ callPackage, runCommand, lib, writeScript, stdenv, coreutils, ruby }:
+
+let buildFHSEnv = callPackage ./env.nix { }; in
+
+args@{ name, runScript ? "bash", extraBindMounts ? [], extraInstallCommands ? "", meta ? {}, passthru ? {}, ... }:
 
 let
-  name = env.pname;
+  env = buildFHSEnv (removeAttrs args [ "runScript" "extraBindMounts" "extraInstallCommands" "meta" "passthru" ]);
 
   # Sandboxing script
-  chroot-user = writeScriptBin "chroot-user" ''
+  chroot-user = writeScript "chroot-user" ''
     #! ${ruby}/bin/ruby
     ${builtins.readFile ./chroot-user.rb}
   '';
 
-  init = run: writeText "${name}-init" ''
-    source /etc/profile
-
-    # Make /tmp directory
-    mkdir -m 1777 /tmp
-
-    # Expose sockets in /tmp
-    for i in /host-tmp/.*-unix; do
-      ln -s "$i" "/tmp/$(basename "$i")"
+  init = run: writeScript "${name}-init" ''
+    #! ${stdenv.shell}
+    for i in ${env}/* /host/*; do
+      path="/''${i##*/}"
+      [ -e "$path" ] || ${coreutils}/bin/ln -s "$i" "$path"
     done
 
     [ -d "$1" ] && [ -r "$1" ] && cd "$1"
     shift
+
+    source /etc/profile
     exec ${run} "$@"
   '';
 
@@ -32,7 +33,7 @@ in runCommand name {
     env = runCommand "${name}-shell-env" {
       shellHook = ''
         export CHROOTENV_EXTRA_BINDS="${lib.concatStringsSep ":" extraBindMounts}:$CHROOTENV_EXTRA_BINDS"
-        exec ${chroot-user}/bin/chroot-user ${env} bash ${init "bash"} "$(pwd)"
+        exec ${chroot-user} ${init "bash"} "$(pwd)"
       '';
     } ''
       echo >&2 ""
@@ -46,7 +47,7 @@ in runCommand name {
   cat <<EOF >$out/bin/${name}
   #! ${stdenv.shell}
   export CHROOTENV_EXTRA_BINDS="${lib.concatStringsSep ":" extraBindMounts}:\$CHROOTENV_EXTRA_BINDS"
-  exec ${chroot-user}/bin/chroot-user ${env} bash ${init runScript} "\$(pwd)" "\$@"
+  exec ${chroot-user} ${init runScript} "\$(pwd)" "\$@"
   EOF
   chmod +x $out/bin/${name}
   ${extraInstallCommands}
diff --git a/pkgs/build-support/build-fhs-chrootenv/env.nix b/pkgs/build-support/build-fhs-userenv/env.nix
index 0b2f8bcba6a4..1dc71987f543 100644
--- a/pkgs/build-support/build-fhs-chrootenv/env.nix
+++ b/pkgs/build-support/build-fhs-userenv/env.nix
@@ -1,7 +1,7 @@
-{ nixpkgs, nixpkgs_i686, system
-} :
+{ stdenv, buildEnv, writeText, pkgs, pkgsi686Linux, system }:
+
 { name, profile ? ""
-, pkgs ? null, targetPkgs ? pkgs: [], multiPkgs ? pkgs: []
+, targetPkgs ? pkgs: [], multiPkgs ? pkgs: []
 , extraBuildCommands ? "", extraBuildCommandsMulti ? ""
 , extraOutputsToInstall ? []
 }:
@@ -22,37 +22,32 @@
 # /lib will link to /lib32
 
 let
-  isMultiBuild  = pkgs == null && multiPkgs != null && system == "x86_64-linux";
+  is64Bit = system == "x86_64-linux";
+  isMultiBuild  = multiPkgs != null && is64Bit;
   isTargetBuild = !isMultiBuild;
 
-  # support deprecated "pkgs" option.
-  targetPkgs' =
-    if pkgs != null
-      then builtins.trace "buildFHSEnv: 'pkgs' option is deprecated, use 'targetPkgs'" (pkgs': pkgs)
-      else targetPkgs;
-
   # list of packages (usually programs) which are only be installed for the
   # host's architecture
-  targetPaths = targetPkgs' nixpkgs ++ (if multiPkgs == null then [] else multiPkgs nixpkgs);
+  targetPaths = targetPkgs pkgs ++ (if multiPkgs == null then [] else multiPkgs pkgs);
 
   # list of packages which are installed for both x86 and x86_64 on x86_64
   # systems
-  multiPaths = multiPkgs nixpkgs_i686;
+  multiPaths = multiPkgs pkgsi686Linux;
 
   # base packages of the chroot
   # these match the host's architecture, glibc_multi is used for multilib
   # builds.
-  basePkgs = with nixpkgs;
+  basePkgs = with pkgs;
     [ (if isMultiBuild then glibc_multi else glibc)
-      gcc.cc.lib bashInteractive coreutils less shadow su
+      (toString gcc.cc.lib) bashInteractive coreutils less shadow su
       gawk diffutils findutils gnused gnugrep
       gnutar gzip bzip2 xz glibcLocales
     ];
-  baseMultiPkgs = with nixpkgs_i686;
-    [ gcc.cc.lib
+  baseMultiPkgs = with pkgsi686Linux;
+    [ (toString gcc.cc.lib)
     ];
 
-  etcProfile = nixpkgs.writeText "profile" ''
+  etcProfile = writeText "profile" ''
     export PS1='${name}-chrootenv:\u@\h:\w\$ '
     export LOCALE_ARCHIVE='/usr/lib/locale/locale-archive'
     export LD_LIBRARY_PATH='/run/opengl-driver/lib:/run/opengl-driver-32/lib:/usr/lib:/usr/lib32'
@@ -67,7 +62,7 @@ let
   '';
 
   # Compose /etc for the chroot environment
-  etcPkg = nixpkgs.stdenv.mkDerivation {
+  etcPkg = stdenv.mkDerivation {
     name         = "${name}-chrootenv-etc";
     buildCommand = ''
       mkdir -p $out/etc
@@ -77,38 +72,38 @@ let
       ln -s ${etcProfile} profile
 
       # compatibility with NixOS
-      ln -s /host-etc/static static
+      ln -s /host/etc/static static
 
       # symlink some NSS stuff
-      ln -s /host-etc/passwd passwd
-      ln -s /host-etc/group group
-      ln -s /host-etc/shadow shadow
-      ln -s /host-etc/hosts hosts
-      ln -s /host-etc/resolv.conf resolv.conf
-      ln -s /host-etc/nsswitch.conf nsswitch.conf
+      ln -s /host/etc/passwd passwd
+      ln -s /host/etc/group group
+      ln -s /host/etc/shadow shadow
+      ln -s /host/etc/hosts hosts
+      ln -s /host/etc/resolv.conf resolv.conf
+      ln -s /host/etc/nsswitch.conf nsswitch.conf
 
       # symlink sudo and su stuff
-      ln -s /host-etc/login.defs login.defs
-      ln -s /host-etc/sudoers sudoers
-      ln -s /host-etc/sudoers.d sudoers.d
+      ln -s /host/etc/login.defs login.defs
+      ln -s /host/etc/sudoers sudoers
+      ln -s /host/etc/sudoers.d sudoers.d
 
       # symlink other core stuff
-      ln -s /host-etc/localtime localtime
-      ln -s /host-etc/machine-id machine-id
-      ln -s /host-etc/os-release os-release
+      ln -s /host/etc/localtime localtime
+      ln -s /host/etc/machine-id machine-id
+      ln -s /host/etc/os-release os-release
 
       # symlink PAM stuff
-      ln -s /host-etc/pam.d pam.d
+      ln -s /host/etc/pam.d pam.d
 
       # symlink fonts stuff
-      ln -s /host-etc/fonts fonts
+      ln -s /host/etc/fonts fonts
 
       # symlink ALSA stuff
-      ln -s /host-etc/asound.conf asound.conf
+      ln -s /host/etc/asound.conf asound.conf
 
       # symlink SSL certs
       mkdir -p ssl
-      ln -s /host-etc/ssl/certs ssl/certs
+      ln -s /host/etc/ssl/certs ssl/certs
 
       # symlink /etc/mtab -> /proc/mounts (compat for old userspace progs)
       ln -s /proc/mounts mtab
@@ -116,26 +111,25 @@ let
   };
 
   # Composes a /usr-like directory structure
-  staticUsrProfileTarget = nixpkgs.buildEnv {
+  staticUsrProfileTarget = buildEnv {
     name = "${name}-usr-target";
     paths = [ etcPkg ] ++ basePkgs ++ targetPaths;
-    extraOutputsToInstall = [ "lib" "out" ] ++ extraOutputsToInstall;
+    extraOutputsToInstall = [ "out" "lib" "bin" ] ++ extraOutputsToInstall;
     ignoreCollisions = true;
   };
 
-  staticUsrProfileMulti = nixpkgs.buildEnv {
+  staticUsrProfileMulti = buildEnv {
     name = "${name}-usr-multi";
     paths = baseMultiPkgs ++ multiPaths;
-    extraOutputsToInstall = [ "lib" "out" ] ++ extraOutputsToInstall;
+    extraOutputsToInstall = [ "out" "lib" ] ++ extraOutputsToInstall;
     ignoreCollisions = true;
   };
 
   # setup library paths only for the targeted architecture
   setupLibDirs_target = ''
-    mkdir -m0755 lib
-
-    # copy content of targetPaths
-    cp -rsHf ${staticUsrProfileTarget}/lib/* lib/
+    # link content of targetPaths
+    cp -rsHf ${staticUsrProfileTarget}/lib lib
+    ln -s lib lib${if is64Bit then "64" else "32"}
   '';
 
   # setup /lib, /lib32 and /lib64
@@ -184,7 +178,7 @@ let
     done
   '';
 
-in nixpkgs.stdenv.mkDerivation {
+in stdenv.mkDerivation {
   name         = "${name}-fhs";
   buildCommand = ''
     mkdir -p $out
@@ -196,7 +190,4 @@ in nixpkgs.stdenv.mkDerivation {
     ${if isMultiBuild then extraBuildCommandsMulti else ""}
   '';
   preferLocalBuild = true;
-  passthru = {
-    pname = name;
-  };
 }
diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix
index 5ead82dee8b5..4c5378ea73f3 100644
--- a/pkgs/build-support/docker/default.nix
+++ b/pkgs/build-support/docker/default.nix
@@ -1,5 +1,5 @@
 { stdenv, lib, callPackage, runCommand, writeReferencesToFile, writeText, vmTools, writeScript
-, docker, shadow, utillinux, coreutils, jshon, e2fsprogs, goPackages, pigz }:
+, docker, shadow, utillinux, coreutils, jshon, e2fsprogs, go, pigz }:
 
 # WARNING: this API is unstable and may be subject to backwards-incompatible changes in the future.
   
@@ -10,7 +10,7 @@ rec {
   # We need to sum layer.tar, not a directory, hence tarsum instead of nix-hash.
   # And we cannot untar it, because then we cannot preserve permissions ecc.
   tarsum = runCommand "tarsum" {
-    buildInputs = [ goPackages.go ];
+    buildInputs = [ go ];
   } ''
     mkdir tarsum
     cd tarsum
diff --git a/pkgs/build-support/fetchgit/nix-prefetch-git b/pkgs/build-support/fetchgit/nix-prefetch-git
index 21359e060eca..9b330d821f85 100755
--- a/pkgs/build-support/fetchgit/nix-prefetch-git
+++ b/pkgs/build-support/fetchgit/nix-prefetch-git
@@ -12,6 +12,10 @@ fetchSubmodules=
 builder=
 branchName=$NIX_PREFETCH_GIT_BRANCH_NAME
 
+# ENV params
+out=${out:-}
+http_proxy=${http_proxy:-}
+
 # populated by clone_user_rev()
 fullRev=
 humanReadableRev=
@@ -64,7 +68,7 @@ for arg; do
             --builder) builder=true;;
             --help) usage; exit;;
             *)
-                argi=$(($argi + 1))
+                : $((++argi))
                 case $argi in
                     1) url=$arg;;
                     2) rev=$arg;;
@@ -76,7 +80,7 @@ for arg; do
     else
         case $argfun in
             set_*)
-                var=$(echo $argfun | sed 's,^set_,,')
+                var=${argfun#set_}
                 eval $var=$arg
                 ;;
         esac
@@ -92,8 +96,8 @@ fi
 init_remote(){
     local url=$1
     git init
-    git remote add origin $url
-    ( [ -n "$http_proxy" ] && git config http.proxy $http_proxy ) || true
+    git remote add origin "$url"
+    ( [ -n "$http_proxy" ] && git config http.proxy "$http_proxy" ) || true
 }
 
 # Return the reference of an hash if it exists on the remote repository.
@@ -116,12 +120,13 @@ url_to_name(){
     local url=$1
     local ref=$2
     # basename removes the / and .git suffixes
-    local base=$(basename "$url" .git)
+    local base
+    base=$(basename "$url" .git)
 
     if [[ $ref =~ ^[a-z0-9]+$ ]]; then
         echo "$base-${ref:0:7}"
     else
-        echo $base
+        echo "$base"
     fi
 }
 
@@ -131,11 +136,11 @@ checkout_hash(){
     local ref="$2"
 
     if test -z "$hash"; then
-        hash=$(hash_from_ref $ref)
+        hash=$(hash_from_ref "$ref")
     fi
 
     git fetch -t ${builder:+--progress} origin || return 1
-    git checkout -b $branchName $hash || return 1
+    git checkout -b "$branchName" "$hash" || return 1
 }
 
 # Fetch only a branch/tag and checkout it.
@@ -152,13 +157,13 @@ checkout_ref(){
     fi
 
     if test -z "$ref"; then
-        ref=$(ref_from_hash $hash)
+        ref=$(ref_from_hash "$hash")
     fi
 
     if test -n "$ref"; then
         # --depth option is ignored on http repository.
         git fetch ${builder:+--progress} --depth 1 origin +"$ref" || return 1
-        git checkout -b $branchName FETCH_HEAD || return 1
+        git checkout -b "$branchName" FETCH_HEAD || return 1
     else
         return 1
     fi
@@ -171,27 +176,32 @@ init_submodules(){
 
     # list submodule directories and their hashes
     git submodule status |
-    while read l; do
+    while read -r l; do
+        local hash
+        local dir
+        local name
+        local url
+
         # checkout each submodule
-        local hash=$(echo $l | awk '{print substr($1,2)}')
-        local dir=$(echo $l | awk '{print $2}')
-        local name=$(
+        hash=$(echo "$l" | awk '{print substr($1,2)}')
+        dir=$(echo "$l" | awk '{print $2}')
+        name=$(
             git config -f .gitmodules --get-regexp submodule\..*\.path |
             sed -n "s,^\(.*\)\.path $dir\$,\\1,p")
-        local url=$(git config --get ${name}.url)
+        url=$(git config --get "${name}.url")
 
         clone "$dir" "$url" "$hash" ""
     done
 }
 
 clone(){
-    local top=$(pwd)
+    local top=$PWD
     local dir="$1"
     local url="$2"
     local hash="$3"
     local ref="$4"
 
-    cd $dir
+    cd "$dir"
 
     # Initialize the repository.
     init_remote "$url"
@@ -208,9 +218,8 @@ clone(){
         init_submodules
     fi
 
-    if [ -z "$builder" -a -f .topdeps ]; then
-        if tg help 2>&1 > /dev/null
-        then
+    if [ -z "$builder" ] && [ -f .topdeps ]; then
+        if tg help &>/dev/null; then
             echo "populating TopGit branches..."
             tg remote --populate origin
         else
@@ -219,7 +228,7 @@ clone(){
         fi
     fi
 
-    cd $top
+    cd "$top"
 }
 
 # Remove all remote branches, remove tags not reachable from HEAD, do a full
@@ -236,14 +245,14 @@ make_deterministic_repo(){
         .git/refs/remotes/origin/HEAD .git/config
 
     # Remove all remote branches.
-    git branch -r | while read branch; do
+    git branch -r | while read -r branch; do
         git branch -rD "$branch" >&2
     done
 
     # Remove tags not reachable from HEAD. If we're exactly on a tag, don't
     # delete it.
     maybe_tag=$(git tag --points-at HEAD)
-    git tag --contains HEAD | while read tag; do
+    git tag --contains HEAD | while read -r tag; do
         if [ "$tag" != "$maybe_tag" ]; then
             git tag -d "$tag" >&2
         fi
@@ -270,7 +279,7 @@ _clone_user_rev() {
         HEAD|refs/*)
             clone "$dir" "$url" "" "$rev" 1>&2;;
         *)
-            if test -z "$(echo $rev | tr -d 0123456789abcdef)"; then
+            if test -z "$(echo "$rev" | tr -d 0123456789abcdef)"; then
                 clone "$dir" "$url" "$rev" "" 1>&2
             else
                 echo 1>&2 "Bad commit hash or bad reference."
@@ -278,9 +287,9 @@ _clone_user_rev() {
             fi;;
     esac
 
-    fullRev="$(cd $dir && (git rev-parse $rev 2> /dev/null || git rev-parse refs/heads/$branchName) | tail -n1)"
-    humanReadableRev="$(cd $dir && (git describe $fullRev 2> /dev/null || git describe --tags $fullRev 2> /dev/null || echo -- none --))"
-    commitDate="$(cd $dir && git show --no-patch --pretty=%ci $fullRev)"
+    fullRev="$(cd "$dir" && (git rev-parse "$rev" 2> /dev/null || git rev-parse "refs/heads/$branchName") | tail -n1)"
+    humanReadableRev="$(cd "$dir" && (git describe "$fullRev" 2> /dev/null || git describe --tags "$fullRev" 2> /dev/null || echo -- none --))"
+    commitDate="$(cd "$dir" && git show --no-patch --pretty=%ci "$fullRev")"
 
     # Allow doing additional processing before .git removal
     eval "$NIX_PREFETCH_GIT_CHECKOUT_HOOK"
@@ -288,7 +297,7 @@ _clone_user_rev() {
         echo "removing \`.git'..." >&2
         find "$dir" -name .git -print0 | xargs -0 rm -rf
     else
-        find "$dir" -name .git | while read gitdir; do
+        find "$dir" -name .git | while read -r gitdir; do
             make_deterministic_repo "$(readlink -f "$gitdir/..")"
         done
     fi
@@ -299,6 +308,7 @@ clone_user_rev() {
         _clone_user_rev "$@"
     else
         errfile="$(mktemp "${TMPDIR:-/tmp}/git-checkout-err-XXXXXXXX")"
+        # shellcheck disable=SC2064
         trap "rm -rf \"$errfile\"" EXIT
         _clone_user_rev "$@" 2> "$errfile" || (
             status="$?"
@@ -343,7 +353,7 @@ fi
 
 if test -n "$builder"; then
     test -n "$out" -a -n "$url" -a -n "$rev" || usage
-    mkdir -p $out
+    mkdir -p "$out"
     clone_user_rev "$out" "$url" "$rev"
 else
     if test -z "$hashType"; then
@@ -365,6 +375,7 @@ else
     if test -z "$finalPath"; then
 
         tmpPath="$(mktemp -d "${TMPDIR:-/tmp}/git-checkout-tmp-XXXXXXXX")"
+        # shellcheck disable=SC2064
         trap "rm -rf \"$tmpPath\"" EXIT
 
         tmpFile="$tmpPath/$(url_to_name "$url" "$rev")"
@@ -374,7 +385,7 @@ else
         clone_user_rev "$tmpFile" "$url" "$rev"
 
         # Compute the hash.
-        hash=$(nix-hash --type $hashType --base32 $tmpFile)
+        hash=$(nix-hash --type $hashType --base32 "$tmpFile")
 
         # Add the downloaded file to the Nix store.
         finalPath=$(nix-store --add-fixed --recursive "$hashType" "$tmpFile")
@@ -389,6 +400,6 @@ else
     print_results "$hash"
 
     if test -n "$PRINT_PATH"; then
-        echo $finalPath
+        echo "$finalPath"
     fi
 fi
diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix
index 7777b6000628..8713f2d22c45 100644
--- a/pkgs/build-support/grsecurity/default.nix
+++ b/pkgs/build-support/grsecurity/default.nix
@@ -1,158 +1,33 @@
-{ grsecOptions, lib, pkgs }:
-
-with lib;
-
-let
-  cfg = {
-    kernelPatch = grsecOptions.kernelPatch;
-    config = {
-      mode = "auto";
-      sysctl = false;
-      denyChrootCaps = false;
-      denyChrootChmod = false;
-      denyUSB = false;
-      restrictProc = false;
-      restrictProcWithGroup = true;
-      unrestrictProcGid = 121; # Ugh, an awful hack. See grsecurity NixOS gid
-      disableRBAC = false;
-      disableSimultConnect = false;
-      redistKernel = true;
-      verboseVersion = false;
-      kernelExtraConfig = "";
-    } // grsecOptions.config;
-  };
-
-  vals = rec {
-
-    mkKernel = patch:
-        {
-          inherit patch;
-          inherit (patch) kernel patches grversion revision;
-        };
-
-    grKernel = mkKernel cfg.kernelPatch;
-
-    ## -- grsecurity configuration ---------------------------------------------
-
-    grsecPrioCfg =
-      if cfg.config.priority == "security" then
-        "GRKERNSEC_CONFIG_PRIORITY_SECURITY y"
-      else
-        "GRKERNSEC_CONFIG_PRIORITY_PERF y";
-
-    grsecSystemCfg =
-      if cfg.config.system == "desktop" then
-        "GRKERNSEC_CONFIG_DESKTOP y"
-      else
-        "GRKERNSEC_CONFIG_SERVER y";
-
-    grsecVirtCfg =
-      if cfg.config.virtualisationConfig == null then
-        "GRKERNSEC_CONFIG_VIRT_NONE y"
-      else if cfg.config.virtualisationConfig == "host" then
-        "GRKERNSEC_CONFIG_VIRT_HOST y"
-      else
-        "GRKERNSEC_CONFIG_VIRT_GUEST y";
-
-    grsecHwvirtCfg = if cfg.config.virtualisationConfig == null then "" else
-      if cfg.config.hardwareVirtualisation == true then
-        "GRKERNSEC_CONFIG_VIRT_EPT y"
-      else
-        "GRKERNSEC_CONFIG_VIRT_SOFT y";
-
-    grsecVirtswCfg =
-      let virtCfg = opt: "GRKERNSEC_CONFIG_VIRT_"+opt+" y";
-      in
-        if cfg.config.virtualisationConfig == null then ""
-        else if cfg.config.virtualisationSoftware == "xen"    then virtCfg "XEN"
-        else if cfg.config.virtualisationSoftware == "kvm"    then virtCfg "KVM"
-        else if cfg.config.virtualisationSoftware == "vmware" then virtCfg "VMWARE"
-        else                                                       virtCfg "VIRTUALBOX";
-
-    grsecMainConfig = if cfg.config.mode == "custom" then "" else ''
-      GRKERNSEC_CONFIG_AUTO y
-      ${grsecPrioCfg}
-      ${grsecSystemCfg}
-      ${grsecVirtCfg}
-      ${grsecHwvirtCfg}
-      ${grsecVirtswCfg}
-    '';
-
-    grsecConfig =
-      let boolToKernOpt = b: if b then "y" else "n";
-          # Disable RANDSTRUCT under virtualbox, as it has some kind of
-          # breakage with the vbox guest drivers
-          #randstruct = optionalString config.virtualisation.virtualbox.guest.enable
-          #  "GRKERNSEC_RANDSTRUCT n";
-
-          # Disable restricting links under the testing kernel, as something
-          # has changed causing it to fail miserably during boot.
-          #restrictLinks = optionalString cfg.testing
-          #  "GRKERNSEC_LINK n";
-      in ''
-        GRKERNSEC y
-        ${grsecMainConfig}
-
-        # Disable features rendered useless by redistributing the kernel
-        ${optionalString cfg.config.redistKernel ''
-          GRKERNSEC_RANDSTRUCT n
-          GRKERNSEC_HIDESYM n
-          ''}
-
-        # The paxmarks mechanism relies on ELF header markings, but the default
-        # grsecurity configuration only enables xattr markings
-        PAX_PT_PAX_FLAGS y
-
-        ${if cfg.config.restrictProc then
-            "GRKERNSEC_PROC_USER y"
-          else
-            optionalString cfg.config.restrictProcWithGroup ''
-              GRKERNSEC_PROC_USERGROUP y
-              GRKERNSEC_PROC_GID ${toString cfg.config.unrestrictProcGid}
-            ''
-        }
-
-        GRKERNSEC_SYSCTL ${boolToKernOpt cfg.config.sysctl}
-        GRKERNSEC_CHROOT_CAPS ${boolToKernOpt cfg.config.denyChrootCaps}
-        GRKERNSEC_CHROOT_CHMOD ${boolToKernOpt cfg.config.denyChrootChmod}
-        GRKERNSEC_DENYUSB ${boolToKernOpt cfg.config.denyUSB}
-        GRKERNSEC_NO_RBAC ${boolToKernOpt cfg.config.disableRBAC}
-        GRKERNSEC_NO_SIMULT_CONNECT ${boolToKernOpt cfg.config.disableSimultConnect}
-
-        ${cfg.config.kernelExtraConfig}
-      '';
-
-    ## -- grsecurity kernel packages -------------------------------------------
-
-    localver = grkern:
-      "-grsec" + optionalString cfg.config.verboseVersion
-         "-${grkern.grversion}-${grkern.revision}";
-
-    grsecurityOverrider = args: grkern: {
-      # additional build inputs for gcc plugins, required by some PaX/grsec features
-      nativeBuildInputs = args.nativeBuildInputs ++ (with pkgs; [ gmp libmpc mpfr ]);
-
-      preConfigure = (args.preConfigure or "") + ''
-        echo ${localver grkern} > localversion-grsec
-      '';
-    };
-
-    mkGrsecKern = grkern:
-      lowPrio (overrideDerivation (grkern.kernel.override (args: {
-        kernelPatches = args.kernelPatches ++ [ grkern.patch  ] ++ grkern.patches;
-        argsOverride = {
-          modDirVersion = "${grkern.kernel.modDirVersion}${localver grkern}";
-        };
-        extraConfig = grsecConfig;
-        features.grsecurity = true;
-        ignoreConfigErrors = true; # Too lazy to model the config options that work with grsecurity and don't for now
-      })) (args: grsecurityOverrider args grkern));
-
-    mkGrsecPkg = grkern: pkgs.linuxPackagesFor grkern (mkGrsecPkg grkern);
-
-    ## -- Kernel packages ------------------------------------------------------
-
-    grsecKernel  = mkGrsecKern grKernel;
-    grsecPackage = mkGrsecPkg grsecKernel;
-  };
-in vals
+{ stdenv
+, overrideDerivation
+
+# required for gcc plugins
+, gmp, libmpc, mpfr
+
+# the base kernel
+, kernel
+
+, grsecPatch
+, kernelPatches ? []
+
+, localver ? "-grsec"
+, modDirVersion ? "${kernel.version}${localver}"
+, extraConfig ? ""
+, ...
+} @ args:
+
+assert (kernel.version == grsecPatch.kver);
+
+overrideDerivation (kernel.override {
+  inherit modDirVersion;
+  kernelPatches = [ { inherit (grsecPatch) name patch; } ] ++ kernelPatches ++ (kernel.kernelPatches or []);
+  features = (kernel.features or {}) // { grsecurity = true; };
+  inherit extraConfig;
+  ignoreConfigErrors = true;
+}) (attrs: {
+  nativeBuildInputs = [ gmp libmpc mpfr ] ++ (attrs.nativeBuildInputs or []);
+  preConfigure = ''
+    echo ${localver} >localversion-grsec
+    ${attrs.preConfigure or ""}
+  '';
+})
diff --git a/pkgs/build-support/grsecurity/flavors.nix b/pkgs/build-support/grsecurity/flavors.nix
deleted file mode 100644
index 1281d60aa328..000000000000
--- a/pkgs/build-support/grsecurity/flavors.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-let
-  mkOpts = prio: sys: virt: swvirt: hwvirt:
-    { config.priority               = prio;
-      config.system                 = sys;
-      config.virtualisationConfig   = virt;
-      config.hardwareVirtualisation = hwvirt;
-      config.virtualisationSoftware = swvirt;
-    };
-in
-{
-  desktop =
-    mkOpts "performance" "desktop" "host" "kvm" true;
-  server  =
-    mkOpts "security" "server" "host" "kvm" true;
-  server_xen =
-    mkOpts "security" "server" "guest" "xen" true;
-}
diff --git a/pkgs/build-support/rust/default.nix b/pkgs/build-support/rust/default.nix
index b889c4f24583..bbea045f6371 100644
--- a/pkgs/build-support/rust/default.nix
+++ b/pkgs/build-support/rust/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, cacert, git, cargo, rustRegistry }:
+{ stdenv, cacert, git, rust, rustRegistry }:
 { name, depsSha256
 , src ? null
 , srcs ? null
@@ -10,7 +10,7 @@
 
 let
   fetchDeps = import ./fetchcargo.nix {
-    inherit stdenv cacert git cargo rustRegistry;
+    inherit stdenv cacert git rust rustRegistry;
   };
 
   cargoDeps = fetchDeps {
@@ -23,7 +23,7 @@ in stdenv.mkDerivation (args // {
 
   patchRegistryDeps = ./patch-registry-deps;
 
-  buildInputs = [ git cargo cargo.rustc ] ++ buildInputs;
+  buildInputs = [ git rust.cargo rust.rustc ] ++ buildInputs;
 
   configurePhase = args.configurePhase or "true";
 
diff --git a/pkgs/build-support/rust/fetchcargo.nix b/pkgs/build-support/rust/fetchcargo.nix
index 518420002622..1b4983e32597 100644
--- a/pkgs/build-support/rust/fetchcargo.nix
+++ b/pkgs/build-support/rust/fetchcargo.nix
@@ -1,9 +1,9 @@
-{ stdenv, cacert, git, cargo, rustRegistry }:
+{ stdenv, cacert, git, rust, rustRegistry }:
 { name ? "cargo-deps", src, srcs, sourceRoot, sha256, cargoUpdateHook ? "" }:
 
 stdenv.mkDerivation {
   name = "${name}-fetch";
-  buildInputs = [ cargo git ];
+  buildInputs = [ rust.cargo rust.rustc git ];
   inherit src srcs sourceRoot rustRegistry cargoUpdateHook;
 
   phases = "unpackPhase installPhase";
diff --git a/pkgs/build-support/vm/default.nix b/pkgs/build-support/vm/default.nix
index 7a3d816efc9e..23f781f104d4 100644
--- a/pkgs/build-support/vm/default.nix
+++ b/pkgs/build-support/vm/default.nix
@@ -1869,7 +1869,7 @@ rec {
       fullName = "Debian 8.4 Jessie (amd64)";
       packagesList = fetchurl {
         url = mirror://debian/dists/jessie/main/binary-amd64/Packages.xz;
-        sha256 = "0kipisyjkhczghzqj4a8y1n4az9c4c8lsj8sw7js13b053lpj6ga";
+        sha256 = "1vvl4k1c3wqvh4gj64vxj2iwb6s9ys5xrskwdpffhyjlslaylsnz";
       };
       urlPrefix = mirror://debian;
       packages = commonDebianPackages;
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-07-04 07:00:48 +0000