-rw-r--r--nixos/doc/manual/release-notes/rl-1703.xml9
-rw-r--r--nixos/modules/security/ca.nix28
-rw-r--r--pkgs/applications/audio/openmpt123/default.nix23
-rw-r--r--pkgs/applications/audio/uade123/default.nix20
-rw-r--r--pkgs/applications/video/shotcut/default.nix4
-rw-r--r--pkgs/applications/window-managers/lemonbar/default.nix37
-rw-r--r--pkgs/applications/window-managers/lemonbar/xft.nix37
-rw-r--r--pkgs/data/fonts/input-fonts/default.nix2
-rw-r--r--pkgs/data/misc/cacert/default.nix52
-rw-r--r--pkgs/development/compilers/kotlin/default.nix4
-rw-r--r--pkgs/development/libraries/capstone/default.nix7
-rw-r--r--pkgs/development/python-modules/matplotlib/default.nix4
-rw-r--r--pkgs/os-specific/linux/kernel/common-config.nix2
-rw-r--r--pkgs/tools/text/zimreader/default.nix49
-rw-r--r--pkgs/top-level/all-packages.nix4
15 files changed, 185 insertions, 97 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml
index 9bc42edb49bc..c1107977db79 100644
--- a/nixos/doc/manual/release-notes/rl-1703.xml
+++ b/nixos/doc/manual/release-notes/rl-1703.xml
@@ -43,6 +43,15 @@ following incompatible changes:</para>
       <literal>radicale</literal>.
     </para>
   </listitem>
+
+  <listitem>
+    <para>
+      The Yama LSM is now enabled by default in the kernel,
+      which prevents ptracing non-child processes.
+      This means you will not be able to attach gdb to an existing process,
+      but will need to start that process from gdb (so it is a child).
+    </para>
+  </listitem>
 </itemizedlist>
 
 
diff --git a/nixos/modules/security/ca.nix b/nixos/modules/security/ca.nix
index 849530238e7e..67469be18b41 100644
--- a/nixos/modules/security/ca.nix
+++ b/nixos/modules/security/ca.nix
@@ -4,10 +4,16 @@ with lib;
 
 let
 
+  cfg = config.security.pki;
+
+  cacertPackage = pkgs.cacert.override {
+    blacklist = cfg.caCertificateBlacklist;
+  };
+
   caCertificates = pkgs.runCommand "ca-certificates.crt"
     { files =
-        config.security.pki.certificateFiles ++
-        [ (builtins.toFile "extra.crt" (concatStringsSep "\n" config.security.pki.certificates)) ];
+        cfg.certificateFiles ++
+        [ (builtins.toFile "extra.crt" (concatStringsSep "\n" cfg.certificates)) ];
      }
     ''
       cat $files > $out
@@ -52,11 +58,27 @@ in
       '';
     };
 
+    security.pki.caCertificateBlacklist = mkOption {
+      type = types.listOf types.str;
+      default = [];
+      example = [
+        "WoSign" "WoSign China"
+        "CA WoSign ECC Root"
+        "Certification Authority of WoSign G2"
+      ];
+      description = ''
+        A list of blacklisted CA certificate names that won't be imported from
+        the Mozilla Trust Store into
+        <filename>/etc/ssl/certs/ca-certificates.crt</filename>. Use the
+        names from that file.
+      '';
+    };
+
   };
 
   config = {
 
-    security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
+    security.pki.certificateFiles = [ "${cacertPackage}/etc/ssl/certs/ca-bundle.crt" ];
 
     # NixOS canonical location + Debian/Ubuntu/Arch/Gentoo compatibility.
     environment.etc."ssl/certs/ca-certificates.crt".source = caCertificates;
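Review bot: The `caCertificateBlacklist` description does not say what happens when an entry matches nothing, and nothing visible in this hunk checks for it, so a misspelled name appears to leave the CA trusted with no error. The names the user is told to copy come from the generated bundle, where `pkgs/data/misc/cacert/default.nix` prints them from file names with `_` turned into spaces, so they may not be identical to the labels the conversion script compares against; that is worth confirming. The list also only reaches the `cacert` override, so a CA supplied through `certificateFiles` or `certificates` is not filtered. I would add to the description: `Entries that match no certificate are ignored silently, and certificates added through security.pki.certificateFiles or security.pki.certificates are not affected.`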
diff --git a/pkgs/applications/audio/openmpt123/default.nix b/pkgs/applications/audio/openmpt123/default.nix
new file mode 100644
index 000000000000..d5e0ed1c4764
--- /dev/null
+++ b/pkgs/applications/audio/openmpt123/default.nix
@@ -0,0 +1,23 @@
+{ stdenv, fetchurl, SDL2, pkgconfig }:
+
+let
+  version = "0.2.7025-beta20.1";
+in stdenv.mkDerivation rec {
+  name = "openmpt123-${version}";
+  src = fetchurl {
+    url = "https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-${version}.tar.gz";
+    sha256 = "0qp2nnz6pnl1d7yv9hcjyim7q6yax5881k1jxm8jfgjqagmz5k6p";
+  };
+  buildInputs = [ SDL2 pkgconfig ];
+  makeFlags = [ "NO_LTDL=1 TEST=0 EXAMPLES=0" ]
+  ++ stdenv.lib.optional (stdenv.isDarwin) "SHARED_SONAME=0";
+  installFlags = "PREFIX=\${out}";
+
+  meta = with stdenv.lib; {
+    description = "A cross-platform command-line based module file player";
+    homepage = https://lib.openmpt.org/libopenmpt/;
+    license = licenses.bsd3;
+    maintainers = [ stdenv.lib.maintainers.gnidorah ];
+    platforms = stdenv.lib.platforms.unix;
+  };
+}
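Review bot: `makeFlags` is a list with a single element holding three assignments, so it only works while the builder word-splits the variable; one flag per element, `makeFlags = [ "NO_LTDL=1" "TEST=0" "EXAMPLES=0" ]`, states the intent and survives a change in quoting. `pkgconfig` is a build-time tool and would normally sit in `nativeBuildInputs` rather than `buildInputs`. The `meta` block opens `with stdenv.lib;` and then still spells out `stdenv.lib.maintainers` and `stdenv.lib.platforms`; `maintainers = [ maintainers.gnidorah ];` and `platforms = platforms.unix;` are enough, and the same applies to the `meta` block of `uade123/default.nix`.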
diff --git a/pkgs/applications/audio/uade123/default.nix b/pkgs/applications/audio/uade123/default.nix
new file mode 100644
index 000000000000..0a07e97270c4
--- /dev/null
+++ b/pkgs/applications/audio/uade123/default.nix
@@ -0,0 +1,20 @@
+{ stdenv, fetchurl, which, libao, pkgconfig }:
+
+let
+  version = "2.13";
+in stdenv.mkDerivation rec {
+  name = "uade123-${version}";
+  src = fetchurl {
+    url = "http://zakalwe.fi/uade/uade2/uade-${version}.tar.bz2";
+    sha256 = "04nn5li7xy4g5ysyjjngmv5d3ibxppkbb86m10vrvadzxdd4w69v";
+  };
+  buildInputs = [ which libao pkgconfig ];
+
+  meta = with stdenv.lib; {
+    description = "Plays old Amiga tunes through UAE emulation and cloned m68k-assembler Eagleplayer API";
+    homepage = http://zakalwe.fi/uade/;
+    license = licenses.gpl2;
+    maintainers = [ stdenv.lib.maintainers.gnidorah ];
+    platforms = stdenv.lib.platforms.unix;
+  };
+}
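Review bot: The `src` URL is plain `http://`, so the `sha256` on the following line is the only thing tying the build to the tarball the packager looked at. That is sufficient for integrity provided the hash was taken from a copy verified some other way, and a short comment recording that would help whoever next bumps `version`, e.g. `# sha256 checked against [where the hash was verified]`. If upstream serves the same path over https, prefer that URL.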
diff --git a/pkgs/applications/video/shotcut/default.nix b/pkgs/applications/video/shotcut/default.nix
index efab9703df3d..34c5650e9f78 100644
--- a/pkgs/applications/video/shotcut/default.nix
+++ b/pkgs/applications/video/shotcut/default.nix
@@ -5,11 +5,11 @@ qmakeHook, makeQtWrapper }:
 
 stdenv.mkDerivation rec {
   name = "shotcut-${version}";
-  version = "16.08";
+  version = "16.10";
 
   src = fetchurl {
     url = "https://github.com/mltframework/shotcut/archive/v${version}.tar.gz";
-    sha256 = "10f32mfj3f8mjp0yi0jb7wc5d3inycn5c1pvqdagjhyyv3rvx9zy";
+    sha256 = "0brskci86bwdj2ahjfvv3v254ligjn97bm0f6c8yg46r0jb8q5xw";
   };
 
   buildInputs = [ SDL frei0r gettext mlt pkgconfig qtbase qtmultimedia qtwebkit
diff --git a/pkgs/applications/window-managers/lemonbar/default.nix b/pkgs/applications/window-managers/lemonbar/default.nix
index 042abf09dad2..27cb564d2c6b 100644
--- a/pkgs/applications/window-managers/lemonbar/default.nix
+++ b/pkgs/applications/window-managers/lemonbar/default.nix
@@ -1,27 +1,22 @@
-{ stdenv, fetchFromGitHub, perl, libxcb }:
+{ stdenv, fetchurl, perl, libxcb }:
 
-let
-  version = "1.2pre";
-in
-  stdenv.mkDerivation rec {
-    name = "lemonbar-${version}";
+stdenv.mkDerivation rec {
+  name = "lemonbar-1.2";
   
-    src = fetchFromGitHub {
-      owner = "LemonBoy";
-      repo = "bar";
-      rev = "61985278f2af1e4e85d63a696ffedc5616b06bc0";
-      sha256 = "0a8djlayimjdg5fj50lpifsv6gkb577bca68wmk9wg9y9n27pgay";
-    };
+  src = fetchurl {
+    url    = "https://github.com/LemonBoy/bar/archive/v1.2.tar.gz";
+    sha256 = "1smz8lh930bnb6a4lrm07l3z2k071kc8p2pljk5wsrch3x2xhimq";
+  };
   
-    buildInputs = [ libxcb perl ];
+  buildInputs = [ libxcb perl ];
   
-    prePatch = ''sed -i "s@/usr@$out@" Makefile'';
+  prePatch = ''sed -i "s@/usr@$out@" Makefile'';
   
-    meta = with stdenv.lib; {
-      description = "A lightweight xcb based bar";
-      homepage = https://github.com/LemonBoy/bar;
-      maintainers = [ maintainers.meisternu ];
-      license = "Custom";   
-      platforms = platforms.linux;
-    };
+  meta = with stdenv.lib; {
+    description = "A lightweight xcb based bar";
+    homepage = https://github.com/LemonBoy/bar;
+    maintainers = [ maintainers.meisternu ];
+    license = "Custom";   
+    platforms = platforms.linux;
+  };
 }
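Review bot: The release number now appears twice as a literal, in `name = "lemonbar-1.2"` and in the `v1.2` of the URL, so a later bump can change one and miss the other, giving a package whose name does not match the source it builds. Keeping a `version = "1.2";` attribute and writing `name = "lemonbar-${version}";` and `archive/v${version}.tar.gz` keeps the two in step and gives the remaining `rec` a purpose. `license = "Custom"` is a free-form string; if the upstream licence corresponds to an entry in `stdenv.lib.licenses`, use that attribute instead.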
diff --git a/pkgs/applications/window-managers/lemonbar/xft.nix b/pkgs/applications/window-managers/lemonbar/xft.nix
index f5dd944a43d2..132c10ae9733 100644
--- a/pkgs/applications/window-managers/lemonbar/xft.nix
+++ b/pkgs/applications/window-managers/lemonbar/xft.nix
@@ -1,27 +1,24 @@
 { stdenv, fetchFromGitHub, perl, libxcb, libXft }:
 
-let
-  version = "2015-07-23";
-in
-  stdenv.mkDerivation rec {
-    name = "bar-xft-git-${version}";
+stdenv.mkDerivation rec {
+  name = "lemonbar-xft-unstable-2016-02-17";
 
-    src = fetchFromGitHub {
-      owner = "krypt-n";
-      repo = "bar";
-      rev = "3020df19232153f9e98ae0c8111db3de938a2719";
-      sha256 = "0a54yr534jd4l5gjzpypc0y5lh2qb2wsrd662s84jjgq8bpss8av";
-    };
+  src = fetchFromGitHub {
+    owner  = "krypt-n";
+    repo   = "bar";
+    rev    = "a43b801ddc0f015ce8b1211f4c062fad12cd63a9";
+    sha256 = "0iqas07qjvabxyvna2m9aj5bcwnkdii1izl9jxha63vz0zlsc4gd";
+  };
 
-    buildInputs = [ libxcb libXft perl ];
+  buildInputs = [ libxcb libXft perl ];
 
-    prePatch = ''sed -i "s@/usr@$out@" Makefile'';
+  prePatch = ''sed -i "s@/usr@$out@" Makefile'';
 
-    meta = {
-      description = "A lightweight xcb based bar with XFT-support";
-      homepage = https://github.com/krypt-n/bar;
-      maintainers = [ stdenv.lib.maintainers.hiberno ];
-      license = "Custom";
-      platforms = stdenv.lib.platforms.linux;
-    };
+  meta = {
+    description = "A lightweight xcb based bar with XFT-support";
+    homepage = https://github.com/krypt-n/bar;
+    maintainers = [ stdenv.lib.maintainers.hiberno ];
+    license = "Custom";
+    platforms = stdenv.lib.platforms.linux;
+  };
 }
diff --git a/pkgs/data/fonts/input-fonts/default.nix b/pkgs/data/fonts/input-fonts/default.nix
index 0879db309eac..8cfda1a5e9c8 100644
--- a/pkgs/data/fonts/input-fonts/default.nix
+++ b/pkgs/data/fonts/input-fonts/default.nix
@@ -39,7 +39,7 @@ stdenv.mkDerivation rec {
       characters — but without the limitations of a fixed width.
     '';
     homepage = http://input.fontbureau.com;
-    license = licenses.proprietary;
+    license = licenses.unfree;
     maintainers = with maintainers; [ romildo ];
     platforms = platforms.all;
   };
diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index 3ce6dc81a396..5095fce8958e 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -1,25 +1,49 @@
-{ stdenv, nss, curl, perl }:
+{ stdenv, fetchurl, writeText, nss, python
+, blacklist ? []
+, includeEmail ? false
+}:
+
+with stdenv.lib;
+
+let
+
+  certdata2pem = fetchurl {
+    name = "certdata2pem.py";
+    url = "https://anonscm.debian.org/cgit/collab-maint/ca-certificates.git/plain/mozilla/certdata2pem.py?h=debian/20160104";
+    sha256 = "0bw11mgfrf19qziyvdnq22kirp0nn54lfsanrg5h6djs6ig1c2im";
+  };
+
+in
 
 stdenv.mkDerivation rec {
   name = "nss-cacert-${nss.version}";
 
   src = nss.src;
 
-  postPatch = ''
-    unpackFile ${curl.src};
+  nativeBuildInputs = [ python ];
 
-    # Remove dependency on LWP, curl is enough. Also, since curl here
-    # is working on a local file it will not actually get a 200 OK, so
-    # remove that expectation.
-    substituteInPlace curl-*/lib/mk-ca-bundle.pl \
-      --replace 'use LWP::UserAgent;' "" \
-      --replace ' && $out[0] == 200' ""
-  '';
+  configurePhase = ''
+    ln -s nss/lib/ckfw/builtins/certdata.txt
+
+    cat << EOF > blacklist.txt
+    ${concatStringsSep "\n" (map (c: ''"${c}"'') blacklist)}
+    EOF
 
-  nativeBuildInputs = [ curl perl ];
+    cp ${certdata2pem} certdata2pem.py
+    ${optionalString includeEmail ''
+      # Disable CAs used for mail signing
+      substituteInPlace certdata2pem.py --replace \[\'CKA_TRUST_EMAIL_PROTECTION\'\] '''
+    ''}
+  '';
 
   buildPhase = ''
-    perl curl-*/lib/mk-ca-bundle.pl -d "file://$(pwd)/nss/lib/ckfw/builtins/certdata.txt" ca-bundle.crt
+    python certdata2pem.py | grep -vE '^(!|UNTRUSTED)'
+
+    for cert in *.crt; do
+      echo $cert | cut -d. -f1 | sed -e 's,_, ,g' >> ca-bundle.crt
+      cat $cert >> ca-bundle.crt
+      echo >> ca-bundle.crt
+    done
   '';
 
   installPhase = ''
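Review bot: The guard around the `substituteInPlace` in `configurePhase` looks inverted: the comment says the edit disables CAs used for mail signing, yet it only runs when `includeEmail` is true, so with the default `includeEmail ? false` the script is left untouched and e-mail-only CAs would stay in the bundle that `security.pki` installs system-wide. Assuming the substitution does what its comment says, the condition should be `${optionalString (!includeEmail) ''`. Separately, in `buildPhase` the exit status of `python certdata2pem.py | grep -vE ...` is grep's, so a conversion that dies part-way can still leave a truncated `ca-bundle.crt`; writing the script output to a file and filtering it afterwards, or enabling `pipefail`, makes that fail the build. `installPhase` continues outside this hunk.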
@@ -27,10 +51,10 @@ stdenv.mkDerivation rec {
     cp -v ca-bundle.crt $out/etc/ssl/certs
   '';
 
-  meta = with stdenv.lib; {
+  meta = {
     homepage = http://curl.haxx.se/docs/caextract.html;
     description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
     platforms = platforms.all;
-    maintainers = with maintainers; [ wkennington ];
+    maintainers = with maintainers; [ wkennington fpletz ];
   };
 }
diff --git a/pkgs/development/compilers/kotlin/default.nix b/pkgs/development/compilers/kotlin/default.nix
index ba546f6f51fc..f0f8fa3b7ff2 100644
--- a/pkgs/development/compilers/kotlin/default.nix
+++ b/pkgs/development/compilers/kotlin/default.nix
@@ -1,12 +1,12 @@
 { stdenv, fetchurl, makeWrapper, jre, unzip }:
 
 stdenv.mkDerivation rec {
-  version = "1.0.3";
+  version = "1.0.4";
   name = "kotlin-${version}";
 
   src = fetchurl {
     url = "https://github.com/JetBrains/kotlin/releases/download/v${version}/kotlin-compiler-${version}.zip";
-    sha256 = "15ywjv46i2d7zgg2b3vdklc6agr62nvn0gkz7k9hql78ccfmyq9p";
+    sha512 = "39mcyw3rdgrhfkxl0xygh74idl2pvw3dy0n9d3z4aj6hq4pxkn1dclmpfbrfa333vjpzfhlqwl578vmly9vah7m6z6g4j12gkdijiyf";
   };
 
   propagatedBuildInputs = [ jre ] ;
diff --git a/pkgs/development/libraries/capstone/default.nix b/pkgs/development/libraries/capstone/default.nix
index 80f858254ffb..97a975232602 100644
--- a/pkgs/development/libraries/capstone/default.nix
+++ b/pkgs/development/libraries/capstone/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, bash, cmake }:
+{ stdenv, fetchurl, bash }:
 
 stdenv.mkDerivation rec {
   name    = "capstone-${version}";
@@ -9,7 +9,10 @@ stdenv.mkDerivation rec {
     sha256 = "1whl5c8j6vqvz2j6ay2pyszx0jg8d3x8hq66cvgghmjchvsssvax";
   };
 
-  buildInputs = [ cmake ];
+  configurePhase = '' patchShebangs make.sh '';
+  buildPhase = '' ./make.sh '';
+  installPhase = '' env PREFIX=$out ./make.sh install '';
+
   enableParallelBuilding = true;
 
   meta = {
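Review bot: The three phase overrides replace the generic phases wholesale, so `preBuild`/`postInstall` hooks supplied by an override will not run, and `enableParallelBuilding = true` just below them no longer passes a job count to anything unless `make.sh` reads it itself. Wrapping each body with the hooks, e.g. `buildPhase = '' runHook preBuild; ./make.sh; runHook postBuild '';`, keeps the derivation overridable. If only the shebang fix is needed before building, `postPatch = "patchShebangs make.sh";` leaves `configurePhase` alone. The derivation body starts and ends outside this hunk.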
diff --git a/pkgs/development/python-modules/matplotlib/default.nix b/pkgs/development/python-modules/matplotlib/default.nix
index 7c1b8b503a3a..5ba813deba60 100644
--- a/pkgs/development/python-modules/matplotlib/default.nix
+++ b/pkgs/development/python-modules/matplotlib/default.nix
@@ -18,11 +18,11 @@ assert enableTk -> (tcl != null)
 
 buildPythonPackage rec {
   name = "matplotlib-${version}";
-  version = "1.5.1";
+  version = "1.5.3";
 
   src = fetchurl {
     url = "mirror://pypi/m/matplotlib/${name}.tar.gz";
-    sha256 = "3ab8d968eac602145642d0db63dd8d67c85e9a5444ce0e2ecb2a8fedc7224d40";
+    sha256 = "1g7bhr6v3wdxyx29rfxgf57l9w19s79cdlpyi0h4y0c5ywwxr9d0";
   };
 
   NIX_CFLAGS_COMPILE = stdenv.lib.optionalString stdenv.isDarwin "-I${libcxx}/include/c++/v1";
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index c41e999ef78a..bdc243a149ec 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -284,7 +284,7 @@ with stdenv.lib;
   RANDOMIZE_BASE? y
   STRICT_DEVMEM y # Filter access to /dev/mem
   SECURITY_SELINUX_BOOTPARAM_VALUE 0 # Disable SELinux by default
-  SECURITY_YAMA y # Prevent processes from ptracing non-children processes
+  SECURITY_YAMA? y # Prevent processes from ptracing non-children processes
   DEVKMEM n # Disable /dev/kmem
   ${if versionOlder version "3.14" then ''
     CC_STACKPROTECTOR? y # Detect buffer overflows on the stack
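Review bot: With the `?` suffix `SECURITY_YAMA` becomes best-effort, so a kernel whose configuration cannot satisfy it builds without the ptrace restriction and nothing reports that, while the release note added in this same commit tells users Yama is enabled by default without that qualification. If the intent is only to tolerate kernels that lack the option, a version guard in the style of the `versionOlder version "3.14"` block just below would keep it mandatory everywhere else. At minimum the comment should say why it is optional, e.g. `SECURITY_YAMA? y # Restrict ptrace to child processes; optional because [kernels lacking the option]`. The config string continues outside this hunk.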
diff --git a/pkgs/tools/text/zimreader/default.nix b/pkgs/tools/text/zimreader/default.nix
index 2e51e7d7f9ea..449b1e9c3398 100644
--- a/pkgs/tools/text/zimreader/default.nix
+++ b/pkgs/tools/text/zimreader/default.nix
@@ -1,36 +1,27 @@
-{ stdenv, fetchgit, fetchurl, automake, autoconf, libtool
-, zlib, openssl, zip, zimlib
+{ stdenv, fetchFromGitHub, fetchpatch, automake, autoconf, libtool
+, zlib, openssl, zip, zimlib, cxxtools, tntnet
 }:
 
-let
-  cxxtools = stdenv.mkDerivation rec {
-    name = "cxxtools-${version}";
-    version = "2.1.1";
-    src = fetchurl {
-      url = "http://www.tntnet.org/download/cxxtools-${version}.tar.gz";
-      sha256 = "0jh5wrk9mviz4xrp1wv617gwgl4b5mc21h21wr2688kjmc0i1q4d";
-    };
-  };
-  tntnet = stdenv.mkDerivation rec {
-    name = "tntnet-${version}";
-    version = "2.1";
-    src = fetchurl {
-      url = "http://www.tntnet.org/download/tntnet-${version}.tar.gz";
-      sha256 = "1dhs10yhpmdqyykyh8jc67m5xgsgm1wrpd58fdps2cp5g1gjf8w6";
-    };
-    buildInputs = [ zlib cxxtools openssl zip ];
-  };
+stdenv.mkDerivation rec {
+  name = "zimreader-0.92";
 
-in stdenv.mkDerivation rec {
-  name = "zimreader-${version}";
-  version = "20150710";
-
-  src = fetchgit {
-    url = https://gerrit.wikimedia.org/r/p/openzim.git;
-    rev = "165eab3e154c60b5b6436d653dc7c90f56cf7456";
-    sha256 = "076ixsq4lis0rkk7p049g02bidc7bggl9kf2wzmgmsnx396mqymf";
+  src = fetchFromGitHub {
+    owner = "wikimedia";
+    repo = "openzim";
+    rev = "r1.3"; # there multiple tools with different version in the repo
+    sha256 = "0x529137rxy6ld64xqa6xmn93121ripxvkf3sc7hv3wg6km182sw";
   };
 
+  patchFlags = "-p2";
+  patches = [
+    (fetchpatch {
+      name = "zimreader_tntnet221.patch";
+      url = "https://github.com/wikimedia/openzim/compare/r1.3...juliendehos:3ee5f11eaa811284d340451e6f466529c00f6ef2.patch";
+      sha256 = "0rc5n20svyyndqh7hsynjyblfraphgi0f6khw6f5jq89w9i1j1hd";
+    })
+  ];
+
+  enableParallelBuilding = true;
   buildInputs = [ automake autoconf libtool zimlib cxxtools tntnet ];
   setSourceRoot = "cd openzim-*/zimreader; export sourceRoot=`pwd`";
   preConfigurePhases = [ "./autogen.sh" ];
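Review bot: The patch in `patches` is fetched from a GitHub compare URL that points at a commit in a personal fork, so the `sha256` pins its content but its availability depends on that fork continuing to exist. Since zimreader serves content over HTTP, the change would be easier to audit if the patch were committed next to `default.nix` and referenced as `patches = [ ./zimreader_tntnet221.patch ];`. `rev = "r1.3"` is a tag rather than a commit id; the hash protects against the tag moving, but a comment naming the commit it resolved to would make a later mismatch easier to diagnose. The comment on that line should read `# there are multiple tools with different versions in the repo`.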
@@ -38,7 +29,7 @@ in stdenv.mkDerivation rec {
   meta = {
     description = "A tool to serve ZIM files using HTTP";
     homepage = http://git.wikimedia.org/log/openzim;
-    maintainers = with stdenv.lib.maintainers; [ robbinch ];
+    maintainers = with stdenv.lib.maintainers; [ robbinch juliendehos ];
     platforms = [ "x86_64-linux" ];
   };
 }
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index e339b6c545b9..953aceab6e58 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -13890,6 +13890,8 @@ in
 
   vivaldi = callPackage ../applications/networking/browsers/vivaldi {};
 
+  openmpt123 = callPackage ../applications/audio/openmpt123 {};
+
   opusfile = callPackage ../applications/audio/opusfile { };
 
   opusTools = callPackage ../applications/audio/opus-tools { };
@@ -14249,6 +14251,8 @@ in
   urxvt_font_size = callPackage ../applications/misc/rxvt_unicode-plugins/urxvt-font-size { };
   urxvt_theme_switch = callPackage ../applications/misc/rxvt_unicode-plugins/urxvt-theme-switch { };
 
+  uade123 = callPackage ../applications/audio/uade123 {};
+
   udevil = callPackage ../applications/misc/udevil {};
 
   udiskie = callPackage ../applications/misc/udiskie { };