| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
| |
This fixes a regression caused by commit f56ab9e
("nix-prefetch-git: Include the date in the machine-readable [...]")
where a couple of directory paths printed by pushd/popd appeared before
the JSON output on stdout (thus breaking it). Fix it by redirecting the
extraneous output to /dev/null.
Reported by Michael Alan Dorman <mdorman@ironicdesign.com>.
|
| |
|
|
|
|
|
| |
stdout, in strict ISO 8601 format.
This will be helpful for automatically updating fetchgit expressions
and the dates in version numbers associated with them.
|
| |\
| |
| |
| | |
This includes a security update of expat.
|
| | |\
| | |
| | |
| | | |
... from staging to master, reverted temporarily in aa9a04883e34.
|
| | | |
| | |
| | |
| | |
| | | |
Steam requires this variable or some games run incredibly slow.
See ValveSoftware/Dota-2#921 for more information.
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | | |
Introduced by mistake
This reverts commit e71a5cb87841f0af4a2279517b77a9a07ba394c0.
|
| | |/
|/|
| |
| |
| |
| |
| |
| |
| | |
stripHash uses a global variable to communicate it's computation
results, but it's not necessary. You can just pipe to stdout in a
subshell. A function mostly behaves like just another command.
baseHash() also introduces a suffix-stripping capability since it's
something the users of the function tend to use.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
The main output started to retain dependency on bootstrap-tools; see
https://github.com/NixOS/nixpkgs/pull/15867#issuecomment-227949096
This reverts commit c05d8295988697adbb920a7b4a999ae3670c5504, reversing
changes made to f073df60d60444c30c49cb26d6b187a4100b41fe.
|
| |\| |
|
| | |
| |
| |
| |
| |
| |
| | |
The tests need to expand passed variable and very carefully.
I could see no other easy way than to change single-quoting in
makeWrapper to double-quoting.
The tests now fail with the same problem as on master...
|
| | |\
| | |
| | |
| | | |
Hydra nixpkgs: ?compare=1279790
|
| | | |
| | |
| | |
| | |
| | | |
It's not completely clear to me why the path to libc headers is set
differently when cross building...
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Close #15803. This avoids the error:
while setting up the build environment: executing
‘/nix/store/7sb42axk5lrxqz45nldrb2pchlys14s1-bash-4.3-p42/bin/bash’:
Argument list too long
Note: I wanted to make it optional based on buildCommand length,
but that seems pointless as I'm sure it's less performant.
Amended by vcunat:
https://github.com/NixOS/nixpkgs/pull/15803#issuecomment-224841225
|
| | |\ \
| | | |
| | | |
| | | | |
... needed after closure-size merge (#7701)
|
| | | | |
| | | |
| | | |
| | | | |
(excluding darwin and mingw for now)
|
| | |\ \ \ |
|
| | | | | | |
|
| | | | | |
| | | | |
| | | | |
| | | | | |
(required adding execv to libredirect)
|
| | | | | | |
|
| |\ \ \ \ \
| |_|_|_|/
|/| | | | |
Escape all shell arguments uniformly
|
| | | | | | |
|
| |\ \ \ \ \
| | | | | |
| | | | | | |
Rust and cargo improvements
|
| | | | | | | |
|
| |/ / / / / |
|
| |\ \ \ \ \
| | | | | |
| | | | | | |
Rework grsecurity support
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
This patch replaces the old grsecurity kernels with a single NixOS
specific grsecurity kernel. This kernel is intended as a general
purpose kernel, tuned for casual desktop use.
Providing only a single kernel may seem like a regression compared to
offering a multitude of flavors. It is impossible, however, to
effectively test and support that many options. This is amplified by
the reality that very few seem to actually use grsecurity on NixOS,
meaning that bugs go unnoticed for long periods of time, simply because
those code paths end up never being exercised. More generally, it is
hopeless to anticipate imagined needs. It is better to start from a
solid foundation and possibly add more flavours on demand.
While the generic kernel is intended to cover a wide range of use cases,
it cannot cover everything. For some, the configuration will be either
too restrictive or too lenient. In those cases, the recommended
solution is to build a custom kernel --- this is *strongly* recommended
for security sensitive deployments.
Building a custom grsec kernel should be as simple as
```nix
linux_grsec_nixos.override {
extraConfig = ''
GRKERNSEC y
PAX y
# and so on ...
'';
}
```
The generic kernel should be usable both as a KVM guest and host. When
running as a host, the kernel assumes hardware virtualisation support.
Virtualisation systems other than KVM are *unsupported*: users of
non-KVM systems are better served by compiling a custom kernel.
Unlike previous Grsecurity kernels, this configuration disables `/proc`
restrictions in favor of `security.hideProcessInformation`.
Known incompatibilities:
- ZFS: can't load spl and zfs kernel modules; claims incompatibility
with KERNEXEC method `or` and RAP; changing to `bts` does not fix the
problem, which implies we'd have to disable RAP as well for ZFS to
work
- `kexec()`: likely incompatible with KERNEXEC (unverified)
- Xen: likely incompatible with KERNEXEC and UDEREF (unverified)
- Virtualbox: likely incompatible with UDEREF (unverified)
|
| | |/ / / /
|/| | | |
| | | | |
| | | | | |
(cherry picked from commit fd60751ce0c85427423b78d8a46c3f78d65bd0e2)
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Used shellcheck (https://github.com/koalaman/shellcheck) to validate
the script and fixed any resulting escaping and ambiguity issues.
|
| |\ \ \ \ \
| |/ / / /
|/| | | | |
Improvements for FHS user chrootenv
|
| | | | | | |
|
| | | | | | |
|
| | | | | | |
|
| | |/ / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This takes another approach at binding FHS directory structure. We
now bind-mount all the root filesystem to directory "/host" in the target tree.
From that we symlink all the directories into the tree if they do not already
exist in FHS structure.
This probably makes `CHROOTENV_EXTRA_BINDS` unnecessary -- its main usecase was
to add bound directories from the host to the sandbox, and we not just symlink
all of them. I plan to get some feedback on its usage and maybe deprecate it.
This also drops old `buildFHSChrootEnv` infrastructure. The main problem with it
is it's very difficult to unmount a recursive-bound directory when mount is not
sandboxed. This problem is a bug even without these changes -- if
you have for example `/home/alice` mounted to somewhere, you wouldn't see
it in `buildFHSChrootEnv` now. With the new directory structure, it's
impossible to use regular bind at all. After some tackling with this I realized
that the fix would be brittle and dangerous (if you don't unmount everything
clearly and proceed to removing the temporary directory, bye-bye fs!). It also
probably doesn't worth it because I haven't heard that someone actually uses it
for a long time, and `buildFHSUserEnv` should cover most cases while being much
more maintainable and safe for the end-user.
|
| |/ / / |
|
| | |/
|/|
| |
| |
| |
| |
| | |
1. When multiple versions of the same package are required
$revs is an array.
2. When cargo fetch is run it usually doesn't need a network
connection. But when it does SSL_CERT_FILE isn't set.
|
| | | |
|
| | | |
|
| | | |
|
| |\ \
| | |
| | |
| | | |
Includes a security update of libxml2.
|
| | |\ \
| | | |
| | | |
| | | | |
... to get the systemd update (rebuilding ~7k jobs).
|
| | |\ \ \
| | | | |
| | | | |
| | | | | |
That's to get mesa rebuild from master, as it's nontrivial.
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
find fails when called with an inexistent search path.
That situation may arise when the output is created after by a postFixup hook.
vcunat amended the PR by clarifying one more `return` to `return 0`.
|
| | |_|/ /
|/| | | |
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | | |
(cherry picked from commit 2cf5dcd99a7d3aac8a39ab98c1738454dfa20bfb)
Signed-off-by: Domen Kožar <domen@dev.si>
|
| | |/ /
|/| |
| | |
| | |
| | | |
(cherry picked from commit 00df301ac2fd1818fa1f96debcee23dbb979834d)
Signed-off-by: Domen Kožar <domen@dev.si>
|
| |/ /
| |
| |
| | |
Fixes https://github.com/NixOS/nixpkgs/issues/12406 for `.env`
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Checkinstall had two problems:
1. when it was called without a version (e.g. with a derivation created
by fetchFromGitHub) it would use `src` as debian version, which caused
dpkg to fail
2. when dpkg failed, it would invoke the pager with the log, which hangs
the build
So now
1. the default version is the dummy `0.0.0`
2. the used pager is `cat`
|
| | | |
|