-rw-r--r-- | nixos/doc/manual/release-notes/rl-1703.xml | 9 | ||||
-rw-r--r-- | nixos/modules/security/ca.nix | 28 | ||||
-rw-r--r-- | pkgs/applications/audio/openmpt123/default.nix | 23 | ||||
-rw-r--r-- | pkgs/applications/audio/uade123/default.nix | 20 | ||||
-rw-r--r-- | pkgs/applications/video/shotcut/default.nix | 4 | ||||
-rw-r--r-- | pkgs/applications/window-managers/lemonbar/default.nix | 37 | ||||
-rw-r--r-- | pkgs/applications/window-managers/lemonbar/xft.nix | 37 | ||||
-rw-r--r-- | pkgs/data/fonts/input-fonts/default.nix | 2 | ||||
-rw-r--r-- | pkgs/data/misc/cacert/default.nix | 52 | ||||
-rw-r--r-- | pkgs/development/compilers/kotlin/default.nix | 4 | ||||
-rw-r--r-- | pkgs/development/libraries/capstone/default.nix | 7 | ||||
-rw-r--r-- | pkgs/development/python-modules/matplotlib/default.nix | 4 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/common-config.nix | 2 | ||||
-rw-r--r-- | pkgs/tools/text/zimreader/default.nix | 49 | ||||
-rw-r--r-- | pkgs/top-level/all-packages.nix | 4 |
15 files changed, 185 insertions, 97 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml
index 9bc42edb49bc..c1107977db79 100644
--- a/nixos/doc/manual/release-notes/rl-1703.xml
+++ b/nixos/doc/manual/release-notes/rl-1703.xml
@@ -43,6 +43,15 @@ following incompatible changes:</para>
<literal>radicale</literal>.
</para>
</listitem>
+
+ <listitem>
+ <para>
+ The Yama LSM is now enabled by default in the kernel,
+ which prevents ptracing non-child processes.
+ This means you will not be able to attach gdb to an existing process,
+ but will need to start that process from gdb (so it is a child).
+ </para>
+ </listitem>
</itemizedlist>
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index 849530238e7e..67469be18b41 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -4,10 +4,16 @@ with lib;
let
+ cfg = config.security.pki;
+
+ cacertPackage = pkgs.cacert.override {
+ blacklist = cfg.caCertificateBlacklist;
+ };
+
caCertificates = pkgs.runCommand "ca-certificates.crt" {
files =
- config.security.pki.certificateFiles ++
- [ (builtins.toFile "extra.crt" (concatStringsSep "\n" config.security.pki.certificates)) ];
+ cfg.certificateFiles ++
+ [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
} ''
cat $files > $out
@@ -52,11 +58,27 @@ in
'';
};
+ security.pki.caCertificateBlacklist = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ example = [
+ "WoSign" "WoSign China"
+ "CA WoSign ECC Root"
+ "Certification Authority of WoSign G2"
+ ];
+ description = ''
+ A list of blacklisted CA certificate names that won't be imported from
+ the Mozilla Trust Store into
+ <filename>/etc/ssl/certs/ca-certificates.crt</filename>. Use the
+ names from that file.
+ '';
+ };
+
};
config = {
- security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
+ security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ];
# NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates;
diff --git a/pkgs/applications/audio/openmpt123/default.nix b/pkgs/applications/audio/openmpt123/default.nix
new file mode 100644
index 000000000000..d5e0ed1c4764
--- /dev/null
+++ b/pkgs/applications/audio/openmpt123/default.nix
@@ -0,0 +1,23 @@
+{ stdenv, fetchurl, SDL2, pkgconfig }:
+
+let
+ version = "0.2.7025-beta20.1";
+in stdenv.mkDerivation rec {
+ name = "openmpt123-${version}";
+ src = fetchurl {
+ url = "https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-${version}.tar.gz";
+ sha256 = "0qp2nnz6pnl1d7yv9hcjyim7q6yax5881k1jxm8jfgjqagmz5k6p";
+ };
+ buildInputs = [ SDL2 pkgconfig ];
+ makeFlags = [ "NO_LTDL=1 TEST=0 EXAMPLES=0" ]
+ ++ stdenv.lib.optional (stdenv.isDarwin) "SHARED_SONAME=0";
+ installFlags = "PREFIX=\${out}";
+
+ meta = with stdenv.lib; {
+ description = "A cross-platform command-line based module file player";
+ homepage = https://lib.openmpt.org/libopenmpt/;
+ license = licenses.bsd3;
+ maintainers = [ stdenv.lib.maintainers.gnidorah ];
+ platforms = stdenv.lib.platforms.unix;
+ };
+}
diff --git a/pkgs/applications/audio/uade123/default.nix b/pkgs/applications/audio/uade123/default.nix
new file mode 100644
index 000000000000..0a07e97270c4
--- /dev/null
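Review bot: The description of the new `security.pki.caCertificateBlacklist` option does not say that the filter only reaches certificates taken from the Mozilla store through `cacertPackage`; hunk 1 of this file concatenates `cfg.certificateFiles` and `cfg.certificates` into `caCertificates` without consulting the blacklist, so a blacklisted root that also arrives through those options is still trusted. As far as the hunk shows, matching is by the display name written into the bundle rather than by fingerprint, so a root re-shipped under a different label would not be caught either. I would append to the description: `Only the Mozilla store is filtered; certificates supplied via <option>security.pki.certificates</option> or <option>security.pki.certificateFiles</option> are always included.` The `config = {` attribute set continues past the end of the hunk.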
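Review bot: `makeFlags = [ "NO_LTDL=1 TEST=0 EXAMPLES=0" ]` packs three make variables into one list element, and `installFlags = "PREFIX=\${out}"` escapes the interpolation so the literal `${out}` appears to rely on the build shell re-expanding word-split flag strings; the usual nixpkgs form is one flag per element and make's own `$(out)`: `makeFlags = [ "NO_LTDL=1" "TEST=0" "EXAMPLES=0" ] ++ stdenv.lib.optional stdenv.isDarwin "SHARED_SONAME=0";` together with `installFlags = [ "PREFIX=$(out)" ];`. `pkgconfig` is a build-time tool and belongs in `nativeBuildInputs`, not `buildInputs`. The surrounding `let version = …; in` could be folded into the `rec` set, which is how most of nixpkgs writes it.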
+++ b/pkgs/applications/audio/uade123/default.nix
@@ -0,0 +1,20 @@
+{ stdenv, fetchurl, which, libao, pkgconfig }:
+
+let
+ version = "2.13";
+in stdenv.mkDerivation rec {
+ name = "uade123-${version}";
+ src = fetchurl {
+ url = "http://zakalwe.fi/uade/uade2/uade-${version}.tar.bz2";
+ sha256 = "04nn5li7xy4g5ysyjjngmv5d3ibxppkbb86m10vrvadzxdd4w69v";
+ };
+ buildInputs = [ which libao pkgconfig ];
+
+ meta = with stdenv.lib; {
+ description = "Plays old Amiga tunes through UAE emulation and cloned m68k-assembler Eagleplayer API";
+ homepage = http://zakalwe.fi/uade/;
+ license = licenses.gpl2;
+ maintainers = [ stdenv.lib.maintainers.gnidorah ];
+ platforms = stdenv.lib.platforms.unix;
+ };
+}
diff --git a/pkgs/applications/video/shotcut/default.nix b/pkgs/applications/video/shotcut/default.nix
index efab9703df3d..34c5650e9f78 100644
--- a/pkgs/applications/video/shotcut/default.nix
+++ b/pkgs/applications/video/shotcut/default.nix
@@ -5,11 +5,11 @@ qmakeHook, makeQtWrapper }:
stdenv.mkDerivation rec {
name = "shotcut-${version}";
- version = "16.08";
+ version = "16.10";
src = fetchurl {
url = "https://github.com/mltframework/shotcut/archive/v${version}.tar.gz";
- sha256 = "10f32mfj3f8mjp0yi0jb7wc5d3inycn5c1pvqdagjhyyv3rvx9zy";
+ sha256 = "0brskci86bwdj2ahjfvv3v254ligjn97bm0f6c8yg46r0jb8q5xw";
};
buildInputs = [ SDL frei0r gettext mlt pkgconfig qtbase qtmultimedia qtwebkit
diff --git a/pkgs/applications/window-managers/lemonbar/default.nix b/pkgs/applications/window-managers/lemonbar/default.nix
index 042abf09dad2..27cb564d2c6b 100644
--- a/pkgs/applications/window-managers/lemonbar/default.nix
+++ b/pkgs/applications/window-managers/lemonbar/default.nix
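Review bot: `buildInputs = [ which libao pkgconfig ]` lists `which` and `pkgconfig`, both build-time tools, next to the only run-time library; the stdenv split is `nativeBuildInputs = [ which pkgconfig ]; buildInputs = [ libao ];`. The tarball is fetched over plain `http://`, which the pinned `sha256` makes safe for integrity, so only the download's confidentiality is lost; a comment saying so, or an https mirror if upstream offers one, would close the question. As in the openmpt123 file added by this commit, `version` sits in an outer `let` rather than in the `rec` set.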
@@ -1,27 +1,22 @@
-{ stdenv, fetchFromGitHub, perl, libxcb }:
+{ stdenv, fetchurl, perl, libxcb }:
-let
- version = "1.2pre";
-in
- stdenv.mkDerivation rec {
- name = "lemonbar-${version}";
+stdenv.mkDerivation rec {
+ name = "lemonbar-1.2";
- src = fetchFromGitHub {
- owner = "LemonBoy";
- repo = "bar";
- rev = "61985278f2af1e4e85d63a696ffedc5616b06bc0";
- sha256 = "0a8djlayimjdg5fj50lpifsv6gkb577bca68wmk9wg9y9n27pgay";
- };
+ src = fetchurl {
+ url = "https://github.com/LemonBoy/bar/archive/v1.2.tar.gz";
+ sha256 = "1smz8lh930bnb6a4lrm07l3z2k071kc8p2pljk5wsrch3x2xhimq";
+ };
- buildInputs = [ libxcb perl ];
+ buildInputs = [ libxcb perl ];
- prePatch = ''sed -i "s@/usr@$out@" Makefile'';
+ prePatch = ''sed -i "s@/usr@$out@" Makefile'';
- meta = with stdenv.lib; {
- description = "A lightweight xcb based bar";
- homepage = https://github.com/LemonBoy/bar;
- maintainers = [ maintainers.meisternu ];
- license = "Custom";
- platforms = platforms.linux;
- };
+ meta = with stdenv.lib; {
+ description = "A lightweight xcb based bar";
+ homepage = https://github.com/LemonBoy/bar;
+ maintainers = [ maintainers.meisternu ];
+ license = "Custom";
+ platforms = platforms.linux;
+ };
}
diff --git a/pkgs/applications/window-managers/lemonbar/xft.nix b/pkgs/applications/window-managers/lemonbar/xft.nix
index f5dd944a43d2..132c10ae9733 100644
--- a/pkgs/applications/window-managers/lemonbar/xft.nix
+++ b/pkgs/applications/window-managers/lemonbar/xft.nix
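Review bot: `license = "Custom";` on the new side is a free-form string rather than an entry from `stdenv.lib.licenses`, so license-based filtering such as `allowUnfree` may be unable to classify this package; since `meta` already opens `with stdenv.lib;`, once the upstream terms are checked this should become a `licenses.*` attribute (or `licenses.unfree` if it matches none), with the actual terms noted in a comment. The move from a pinned commit to the `v1.2` tag archive is fine for integrity because `sha256` pins the content, but a moved tag will now break the build rather than change it silently, which deserves a one-line comment next to `url`. `prePatch`'s `sed -i "s@/usr@$out@" Makefile` reports nothing if the pattern is absent; a `grep -q /usr Makefile` in front of it would make a Makefile change visible.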
@@ -1,27 +1,24 @@
{ stdenv, fetchFromGitHub, perl, libxcb, libXft }:
-let
- version = "2015-07-23";
-in
- stdenv.mkDerivation rec {
- name = "bar-xft-git-${version}";
+stdenv.mkDerivation rec {
+ name = "lemonbar-xft-unstable-2016-02-17";
- src = fetchFromGitHub {
- owner = "krypt-n";
- repo = "bar";
- rev = "3020df19232153f9e98ae0c8111db3de938a2719";
- sha256 = "0a54yr534jd4l5gjzpypc0y5lh2qb2wsrd662s84jjgq8bpss8av";
- };
+ src = fetchFromGitHub {
+ owner = "krypt-n";
+ repo = "bar";
+ rev = "a43b801ddc0f015ce8b1211f4c062fad12cd63a9";
+ sha256 = "0iqas07qjvabxyvna2m9aj5bcwnkdii1izl9jxha63vz0zlsc4gd";
+ };
- buildInputs = [ libxcb libXft perl ];
+ buildInputs = [ libxcb libXft perl ];
- prePatch = ''sed -i "s@/usr@$out@" Makefile'';
+ prePatch = ''sed -i "s@/usr@$out@" Makefile'';
- meta = {
- description = "A lightweight xcb based bar with XFT-support";
- homepage = https://github.com/krypt-n/bar;
- maintainers = [ stdenv.lib.maintainers.hiberno ];
- license = "Custom";
- platforms = stdenv.lib.platforms.linux;
- };
+ meta = {
+ description = "A lightweight xcb based bar with XFT-support";
+ homepage = https://github.com/krypt-n/bar;
+ maintainers = [ stdenv.lib.maintainers.hiberno ];
+ license = "Custom";
+ platforms = stdenv.lib.platforms.linux;
+ };
}
diff --git a/pkgs/data/fonts/input-fonts/default.nix b/pkgs/data/fonts/input-fonts/default.nix
index 0879db309eac..8cfda1a5e9c8 100644
--- a/pkgs/data/fonts/input-fonts/default.nix
+++ b/pkgs/data/fonts/input-fonts/default.nix
@@ -39,7 +39,7 @@ stdenv.mkDerivation rec {
characters — but without the limitations of a fixed width.
'';
homepage = http://input.fontbureau.com;
- license = licenses.proprietary;
+ license = licenses.unfree;
maintainers = with maintainers; [ romildo ];
platforms = platforms.all;
};
diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index 3ce6dc81a396..5095fce8958e 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -1,25 +1,49 @@
-{ stdenv, nss, curl, perl }:
+{ stdenv, fetchurl, writeText, nss, python
+, blacklist ? []
+, includeEmail ? false
+}:
+
+with stdenv.lib;
+
+let
+
+ certdata2pem = fetchurl {
+ name = "certdata2pem.py";
+ url = "https://anonscm.debian.org/cgit/collab-maint/ca-certificates.git/plain/mozilla/certdata2pem.py?h=debian/20160104";
+ sha256 = "0bw11mgfrf19qziyvdnq22kirp0nn54lfsanrg5h6djs6ig1c2im";
+ };
+
+in
stdenv.mkDerivation rec {
name = "nss-cacert-${nss.version}";
src = nss.src;
- postPatch = ''
- unpackFile ${curl.src};
+ nativeBuildInputs = [ python ];
- # Remove dependency on LWP, curl is enough. Also, since curl here
- # is working on a local file it will not actually get a 200 OK, so
- # remove that expectation.
- substituteInPlace curl-*/lib/mk-ca-bundle.pl \
- --replace 'use LWP::UserAgent;' "" \
- --replace ' && $out[0] == 200' ""
- '';
+ configurePhase = ''
+ ln -s nss/lib/ckfw/builtins/certdata.txt
+
+ cat << EOF > blacklist.txt
+ ${concatStringsSep "\n" (map (c: ''"${c}"'') blacklist)}
+ EOF
- nativeBuildInputs = [ curl perl ];
+ cp ${certdata2pem} certdata2pem.py
+ ${optionalString includeEmail ''
+ # Disable CAs used for mail signing
+ substituteInPlace certdata2pem.py --replace \[\'CKA_TRUST_EMAIL_PROTECTION\'\] '''
+ ''}
+ '';
buildPhase = ''
- perl curl-*/lib/mk-ca-bundle.pl -d "file://$(pwd)/nss/lib/ckfw/builtins/certdata.txt" ca-bundle.crt
+ python certdata2pem.py | grep -vE '^(!|UNTRUSTED)'
+
+ for cert in *.crt; do
+ echo $cert | cut -d. -f1 | sed -e 's,_, ,g' >> ca-bundle.crt
+ cat $cert >> ca-bundle.crt
+ echo >> ca-bundle.crt
+ done
'';
installPhase = ''
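Review bot: `writeText` is added to the argument set but never used, while the blacklist is written through an unquoted heredoc (`cat << EOF > blacklist.txt … EOF`) whose body is the Nix-interpolated names, so a `$`, backtick or `\` inside a CA name is expanded or eaten by the build shell before `certdata2pem.py` presumably reads the file (the names come from module configuration, so this is a correctness issue rather than an injection vector). Writing the file from Nix avoids the shell round-trip: `cp ${writeText "blacklist.txt" (concatMapStringsSep "\n" (c: ''"${c}"'') blacklist)} blacklist.txt`. The comment `# Disable CAs used for mail signing` sits inside `optionalString includeEmail`, i.e. it runs when `includeEmail` is true, so either the comment or the parameter's sense looks inverted and should be checked against the script before this ships. `python certdata2pem.py | grep -vE '^(!|UNTRUSTED)'` also reports grep's exit status rather than python's, so a failing conversion goes unnoticed unless the builder runs with `pipefail`.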
@@ -27,10 +51,10 @@ stdenv.mkDerivation rec {
cp -v ca-bundle.crt $out/etc/ssl/certs
'';
- meta = with stdenv.lib; {
+ meta = {
homepage = http://curl.haxx.se/docs/caextract.html;
description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
platforms = platforms.all;
- maintainers = with maintainers; [ wkennington ];
+ maintainers = with maintainers; [ wkennington fpletz ];
};
}
diff --git a/pkgs/development/compilers/kotlin/default.nix b/pkgs/development/compilers/kotlin/default.nix
index ba546f6f51fc..f0f8fa3b7ff2 100644
--- a/pkgs/development/compilers/kotlin/default.nix
+++ b/pkgs/development/compilers/kotlin/default.nix
@@ -1,12 +1,12 @@
{ stdenv, fetchurl, makeWrapper, jre, unzip }:
stdenv.mkDerivation rec {
- version = "1.0.3";
+ version = "1.0.4";
name = "kotlin-${version}";
src = fetchurl {
url = "https://github.com/JetBrains/kotlin/releases/download/v${version}/kotlin-compiler-${version}.zip";
- sha256 = "15ywjv46i2d7zgg2b3vdklc6agr62nvn0gkz7k9hql78ccfmyq9p";
+ sha512 = "39mcyw3rdgrhfkxl0xygh74idl2pvw3dy0n9d3z4aj6hq4pxkn1dclmpfbrfa333vjpzfhlqwl578vmly9vah7m6z6g4j12gkdijiyf";
};
propagatedBuildInputs = [ jre ] ;
diff --git a/pkgs/development/libraries/capstone/default.nix b/pkgs/development/libraries/capstone/default.nix
index 80f858254ffb..97a975232602 100644
--- a/pkgs/development/libraries/capstone/default.nix
+++ b/pkgs/development/libraries/capstone/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, bash, cmake }:
+{ stdenv, fetchurl, bash }:
stdenv.mkDerivation rec {
name = "capstone-${version}";
@@ -9,7 +9,10 @@ stdenv.mkDerivation rec {
sha256 = "1whl5c8j6vqvz2j6ay2pyszx0jg8d3x8hq66cvgghmjchvsssvax";
};
- buildInputs = [ cmake ];
+ configurePhase = '' patchShebangs make.sh '';
+ buildPhase = '' ./make.sh '';
+ installPhase = '' env PREFIX=$out ./make.sh install '';
+ enableParallelBuilding = true;
meta = {
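Review bot: `enableParallelBuilding = true;` has no observable effect next to the custom `buildPhase = '' ./make.sh '';`, because stdenv only adds its `-j` flag to the default `make` invocation and `make.sh` presumably calls make itself, so the build stays serial unless that script reads `MAKEFLAGS`. Either drop the attribute or hand the core count over explicitly, e.g. `buildPhase = '' MAKEFLAGS="-j$NIX_BUILD_CORES" ./make.sh '';`. `configurePhase = '' patchShebangs make.sh '';` replaces the default configure phase, which is right for this script-driven build but deserves a comment such as `# no ./configure; make.sh drives the build, so only its shebang needs fixing`. The `meta = {` set continues past the end of the hunk.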
diff --git a/pkgs/development/python-modules/matplotlib/default.nix b/pkgs/development/python-modules/matplotlib/default.nix
index 7c1b8b503a3a..5ba813deba60 100644
--- a/pkgs/development/python-modules/matplotlib/default.nix
+++ b/pkgs/development/python-modules/matplotlib/default.nix
@@ -18,11 +18,11 @@ assert enableTk -> (tcl != null)
buildPythonPackage rec {
name = "matplotlib-${version}";
- version = "1.5.1";
+ version = "1.5.3";
src = fetchurl {
url = "mirror://pypi/m/matplotlib/${name}.tar.gz";
- sha256 = "3ab8d968eac602145642d0db63dd8d67c85e9a5444ce0e2ecb2a8fedc7224d40";
+ sha256 = "1g7bhr6v3wdxyx29rfxgf57l9w19s79cdlpyi0h4y0c5ywwxr9d0";
};
NIX_CFLAGS_COMPILE = stdenv.lib.optionalString stdenv.isDarwin "-I${libcxx}/include/c++/v1";
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index c41e999ef78a..bdc243a149ec 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -284,7 +284,7 @@ with stdenv.lib;
RANDOMIZE_BASE? y
STRICT_DEVMEM y # Filter access to /dev/mem
SECURITY_SELINUX_BOOTPARAM_VALUE 0 # Disable SELinux by default
- SECURITY_YAMA y # Prevent processes from ptracing non-children processes
+ SECURITY_YAMA? y # Prevent processes from ptracing non-children processes
DEVKMEM n # Disable /dev/kmem
${if versionOlder version "3.14" then ''
CC_STACKPROTECTOR? y # Detect buffer overflows on the stack
diff --git a/pkgs/tools/text/zimreader/default.nix b/pkgs/tools/text/zimreader/default.nix
index 2e51e7d7f9ea..449b1e9c3398 100644
--- a/pkgs/tools/text/zimreader/default.nix
+++ b/pkgs/tools/text/zimreader/default.nix
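Review bot: `SECURITY_YAMA? y` turns the option into a best-effort setting, so a kernel that does not expose it configures and boots silently without Yama, while the release note added in this same commit announces Yama as enabled by default; the two should agree, or the note should say the protection depends on the kernel in use. If I recall correctly, some 3.x kernels also need a separate stacking option before a built-in Yama actually enforces `ptrace_scope`, so the comment should name what to verify: `SECURITY_YAMA? y # Prevent ptrace of non-children; optional because not every supported kernel has it - check kernel.yama.ptrace_scope=1 on the running kernel`. The enclosing `''` config string continues outside the hunk.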
@@ -1,36 +1,27 @@
-{ stdenv, fetchgit, fetchurl, automake, autoconf, libtool
-, zlib, openssl, zip, zimlib
+{ stdenv, fetchFromGitHub, fetchpatch, automake, autoconf, libtool
+, zlib, openssl, zip, zimlib, cxxtools, tntnet
}:
-let
- cxxtools = stdenv.mkDerivation rec {
- name = "cxxtools-${version}";
- version = "2.1.1";
- src = fetchurl {
- url = "http://www.tntnet.org/download/cxxtools-${version}.tar.gz";
- sha256 = "0jh5wrk9mviz4xrp1wv617gwgl4b5mc21h21wr2688kjmc0i1q4d";
- };
- };
- tntnet = stdenv.mkDerivation rec {
- name = "tntnet-${version}";
- version = "2.1";
- src = fetchurl {
- url = "http://www.tntnet.org/download/tntnet-${version}.tar.gz";
- sha256 = "1dhs10yhpmdqyykyh8jc67m5xgsgm1wrpd58fdps2cp5g1gjf8w6";
- };
- buildInputs = [ zlib cxxtools openssl zip ];
- };
+stdenv.mkDerivation rec {
+ name = "zimreader-0.92";
-in stdenv.mkDerivation rec {
- name = "zimreader-${version}";
- version = "20150710";
-
- src = fetchgit {
- url = https://gerrit.wikimedia.org/r/p/openzim.git;
- rev = "165eab3e154c60b5b6436d653dc7c90f56cf7456";
- sha256 = "076ixsq4lis0rkk7p049g02bidc7bggl9kf2wzmgmsnx396mqymf";
+ src = fetchFromGitHub {
+ owner = "wikimedia";
+ repo = "openzim";
+ rev = "r1.3"; # there multiple tools with different version in the repo
+ sha256 = "0x529137rxy6ld64xqa6xmn93121ripxvkf3sc7hv3wg6km182sw";
};
+ patchFlags = "-p2";
+ patches = [
+ (fetchpatch {
+ name = "zimreader_tntnet221.patch";
+ url = "https://github.com/wikimedia/openzim/compare/r1.3...juliendehos:3ee5f11eaa811284d340451e6f466529c00f6ef2.patch";
+ sha256 = "0rc5n20svyyndqh7hsynjyblfraphgi0f6khw6f5jq89w9i1j1hd";
+ })
+ ];
+
+ enableParallelBuilding = true;
buildInputs = [ automake autoconf libtool zimlib cxxtools tntnet ];
setSourceRoot = "cd openzim-*/zimreader; export sourceRoot=`pwd`";
preConfigurePhases = [ "./autogen.sh" ];
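Review bot: The comment on `rev = "r1.3"; # there multiple tools with different version in the repo` is ungrammatical and does not give the reader what they need, namely why the tag differs from the package version `zimreader-0.92`; if that is the intent, `# openzim holds several tools with independent versions; r1.3 is the repo tag that ships zimreader 0.92` says it. Both `rev = "r1.3"` and the `fetchpatch` URL `compare/r1.3...juliendehos:3ee5f11…` are resolved against a movable tag, so if upstream moves it both `sha256` checks fail; that is a hard failure rather than a silent change, but a short comment would tell the next maintainer why the hashes broke. `buildInputs`, `setSourceRoot` and `preConfigurePhases` are unchanged context lines, and the `rec` set continues past the hunk.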
@@ -38,7 +29,7 @@ in stdenv.mkDerivation rec {
meta = {
description = "A tool to serve ZIM files using HTTP";
homepage = http://git.wikimedia.org/log/openzim;
- maintainers = with stdenv.lib.maintainers; [ robbinch ];
+ maintainers = with stdenv.lib.maintainers; [ robbinch juliendehos ];
platforms = [ "x86_64-linux" ];
};
}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index e339b6c545b9..953aceab6e58 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -13890,6 +13890,8 @@ in
vivaldi = callPackage ../applications/networking/browsers/vivaldi {};
+ openmpt123 = callPackage ../applications/audio/openmpt123 {};
+
opusfile = callPackage ../applications/audio/opusfile { };
opusTools = callPackage ../applications/audio/opus-tools { };
@@ -14249,6 +14251,8 @@ in
urxvt_font_size = callPackage ../applications/misc/rxvt_unicode-plugins/urxvt-font-size { };
urxvt_theme_switch = callPackage ../applications/misc/rxvt_unicode-plugins/urxvt-theme-switch { };
+ uade123 = callPackage ../applications/audio/uade123 {};
+
udevil = callPackage ../applications/misc/udevil {};
udiskie = callPackage ../applications/misc/udiskie { };
|