Merge branch 'hardened-stdenv' into staging

Closes #12895

Amazing work by @globin & @fpletz getting hardened compiler flags by
enabled default on the whole package set

6 files changed, 17 insertions, 5 deletions

diff --git a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
index 2aa47d799c9a..7eef5af0adcb 100644
--- a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71";
   };
 
+  hardeningDisable = [ "format" ];
+
   patches = [ ./glib.patch ./cups_1.6.patch ];
 
   buildInputs = [ pkgconfig gtk gettext intltool libart_lgpl ];
diff --git a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
index 6aab400c60ae..be288b809d43 100644
--- a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
@@ -2,12 +2,14 @@
 
 stdenv.mkDerivation {
   name = "libgtkhtml-2.11.1";
-  
+
   src = fetchurl {
     url = mirror://gnome/sources/libgtkhtml/2.11/libgtkhtml-2.11.1.tar.bz2;
     sha256 = "0msajafd42545dxzyr5zqka990cjrxw2yz09ajv4zs8m1w6pm9rw";
   };
-  
+
   buildInputs = [ pkgconfig gtk gettext ];
   propagatedBuildInputs = [ libxml2 ];
+
+  hardeningDisable = [ "format" ];
 }
diff --git a/pkgs/desktops/gnome-3/3.20/core/nautilus/default.nix b/pkgs/desktops/gnome-3/3.20/core/nautilus/default.nix
index 67229487085e..4cb0b7fb35ca 100644
--- a/pkgs/desktops/gnome-3/3.20/core/nautilus/default.nix
+++ b/pkgs/desktops/gnome-3/3.20/core/nautilus/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
                   gnome3.gnome_desktop gnome3.adwaita-icon-theme
                   gnome3.gsettings_desktop_schemas gnome3.dconf libnotify tracker libselinux ];
 
+  hardeningDisable = [ "format" ];
+
   patches = [ ./extension_dir.patch ];
 
   meta = with stdenv.lib; {
diff --git a/pkgs/desktops/gnome-3/3.20/misc/libgda/default.nix b/pkgs/desktops/gnome-3/3.20/misc/libgda/default.nix
index 75c45634636c..2e5b0a4af840 100644
--- a/pkgs/desktops/gnome-3/3.20/misc/libgda/default.nix
+++ b/pkgs/desktops/gnome-3/3.20/misc/libgda/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ pkgconfig intltool itstool libxml2 gtk3 openssl ];
 
   meta = with stdenv.lib; {
diff --git a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix
index 03e9dc9a007f..ed83dd03eca1 100644
--- a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix
+++ b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix
@@ -1,18 +1,20 @@
-{ kde, cmake, smokeqt, ruby }:
+{ kde, cmake, smokeqt, ruby_2_2 }:
 
 kde {
 
  # TODO: scintilla2, qwt5
 
-  buildInputs = [ smokeqt ruby ];
+  buildInputs = [ smokeqt ruby_2_2 ];
 
   nativeBuildInputs = [ cmake ];
 
+  hardeningDisable = [ "all" ];
+
   # The patch is not ready for upstream submmission.
   # I should add an option() instead.
   patches = [ ./qtruby-install-prefix.patch ];
 
-  cmakeFlags="-DRUBY_ROOT_DIR=${ruby}";
+  cmakeFlags="-DRUBY_ROOT_DIR=${ruby_2_2}";
 
   meta = {
     description = "Ruby bindings for Qt library";
diff --git a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix
index 603a68cc5f67..442690706094 100644
--- a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix
+++ b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig intltool glib exo pcre libxfce4util libxfce4ui xfce4panel xfconf gtk ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     homepage = "http://goodies.xfce.org/projects/panel-plugins/${p_name}";
     description = "A command-line plugin";