From 954e9903adc837c201a7bd70eede50d874aadbf6 Mon Sep 17 00:00:00 2001 
From: Franz Pletz
Date: Wed, 23 Dec 2015 02:59:47 +0100
Subject: [PATCH 001/507] Use a hardened stdenv by default
---
 pkgs/applications/audio/cdparanoia/default.nix | 2 ++
 pkgs/applications/audio/mpg321/default.nix | 2 ++
 .../networking/browsers/w3m/default.nix | 2 ++
 .../git-and-tools/git/default.nix | 2 ++
 pkgs/applications/virtualization/xen/generic.nix | 2 ++
 .../gnome-2/platform/libgnomecups/default.nix | 2 ++
 .../gnome-2/platform/libgtkhtml/default.nix | 6 ++++--
 pkgs/development/compilers/dev86/default.nix | 2 ++
 pkgs/development/compilers/gcc/4.5/default.nix | 2 ++
 pkgs/development/compilers/gcc/4.9/default.nix | 2 ++
 pkgs/development/compilers/go/1.4.nix | 2 ++
 pkgs/development/compilers/go/1.5.nix | 2 ++
 .../haskell-modules/configuration-common.nix | 6 +++++-
 pkgs/development/libraries/CoinMP/default.nix | 2 ++
 .../libraries/audio/libbs2b/default.nix | 2 ++
 pkgs/development/libraries/fribidi/default.nix | 4 +++-
 pkgs/development/libraries/gd/default.nix | 6 ++++--
 pkgs/development/libraries/gettext/default.nix | 2 ++
 pkgs/development/libraries/giflib/libungif.nix | 2 ++
 pkgs/development/libraries/glibc/common.nix | 4 ++++
 pkgs/development/libraries/glibc/default.nix | 2 ++
 pkgs/development/libraries/gnu-efi/default.nix | 2 ++
 .../development/libraries/libgphoto2/default.nix | 2 ++
 pkgs/development/libraries/libvisual/default.nix | 2 ++
 pkgs/development/libraries/pupnp/default.nix | 2 ++
 pkgs/development/libraries/speechd/default.nix | 2 ++
 pkgs/development/tools/misc/elfutils/default.nix | 2 ++
 pkgs/os-specific/linux/acpi-call/default.nix | 4 +++-
 pkgs/os-specific/linux/busybox/default.nix | 2 ++
 pkgs/os-specific/linux/gogoclient/default.nix | 2 ++
 pkgs/os-specific/linux/jool/default.nix | 2 ++
 pkgs/os-specific/linux/kernel/manual-config.nix | 6 ++++++
 pkgs/os-specific/linux/kexectools/default.nix | 2 ++
 pkgs/os-specific/linux/numad/default.nix | 2 ++
 pkgs/servers/gpm/default.nix | 2 ++
 pkgs/shells/dash/default.nix | 2 ++
 pkgs/stdenv/adapters.nix | 16
++++++++++++++++
 pkgs/tools/admin/tightvnc/default.nix | 2 ++
 pkgs/tools/archivers/sharutils/default.nix | 2 ++
 pkgs/tools/archivers/unzip/default.nix | 2 ++
 pkgs/tools/archivers/zip/default.nix | 2 ++
 pkgs/tools/cd-dvd/cdrkit/default.nix | 2 ++
 pkgs/tools/graphics/graphviz/default.nix | 2 ++
 pkgs/tools/graphics/transfig/default.nix | 2 ++
 pkgs/tools/misc/expect/default.nix | 2 ++
 pkgs/tools/misc/grub/2.0x.nix | 2 ++
 pkgs/tools/misc/gummiboot/default.nix | 2 ++
 pkgs/tools/networking/iperf/2.nix | 2 ++
 pkgs/tools/networking/vde2/default.nix | 2 ++
 pkgs/tools/typesetting/tex/texlive-new/bin.nix | 2 ++
 pkgs/top-level/all-packages.nix | 4 ++--
 51 files changed, 131 insertions(+), 9 deletions(-)
diff --git a/pkgs/applications/audio/cdparanoia/default.nix b/pkgs/applications/audio/cdparanoia/default.nix
index 1658d9c7449b..c19b261016df 100644
--- a/pkgs/applications/audio/cdparanoia/default.nix
+++ b/pkgs/applications/audio/cdparanoia/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
 sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80";
 };
+ noHardening_format = true;
+
 preConfigure = "unset CC";
 patches = stdenv.lib.optionals stdenv.isDarwin [
diff --git a/pkgs/applications/audio/mpg321/default.nix b/pkgs/applications/audio/mpg321/default.nix
index 489831dc4641..e833784ee76c 100644
--- a/pkgs/applications/audio/mpg321/default.nix
+++ b/pkgs/applications/audio/mpg321/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
 sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
 };
+ noHardening_format = true;
+
 configureFlags = [
 ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no"))
 ];
diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix
index 076b3faf11f5..d849b10daee5 100644
--- a/pkgs/applications/networking/browsers/w3m/default.nix
+++ b/pkgs/applications/networking/browsers/w3m/default.nix
@@ -50,6 +50,8 @@ stdenv.mkDerivation rec {
 ln -s $out/libexec/w3m/w3mimgdisplay $out/bin
 '';
+ noHardening_format = true;
+
 configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}" + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb";
diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix
index 49ecce0456b2..a5df0dbe08e2 100644
--- a/pkgs/applications/version-management/git-and-tools/git/default.nix
+++ b/pkgs/applications/version-management/git-and-tools/git/default.nix
@@ -21,6 +21,8 @@ stdenv.mkDerivation {
 sha256 = "03bvb8s5j8i54qbi3yayl42bv0wf2fpgnh1a2lkhbj79zi7b77zs";
 };
+ noHardening_format = true;
+
 patches = [
 ./docbook2texi.patch
 ./symlinks-in-bin.patch
diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix
index 6774675266c4..c742ffb50022 100644
--- a/pkgs/applications/virtualization/xen/generic.nix
+++ b/pkgs/applications/virtualization/xen/generic.nix
@@ -75,6 +75,8 @@ stdenv.mkDerivation {
 pythonPath = [ pythonPackages.curses ];
+ noHardening_all = true;
+
 patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches;
 postPatch = ''
diff --git a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
index 2aa47d799c9a..ec7b9ff8a8bd 100644
--- a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
 sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71";
 };
+ noHardening_format = true;
+
 patches = [ ./glib.patch ./cups_1.6.patch ];
 buildInputs = [ pkgconfig gtk gettext intltool libart_lgpl ];
diff --git a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
index 6aab400c60ae..5044dbabd2f3 100644
--- a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
@@ -2,12 +2,14 @@ stdenv.mkDerivation {
 name = "libgtkhtml-2.11.1";
-
+
 src = fetchurl {
 url = mirror://gnome/sources/libgtkhtml/2.11/libgtkhtml-2.11.1.tar.bz2;
 sha256 = "0msajafd42545dxzyr5zqka990cjrxw2yz09ajv4zs8m1w6pm9rw";
 };
-
+
 buildInputs = [ pkgconfig gtk gettext ];
 propagatedBuildInputs = [ libxml2 ];
+
+ noHardening_format = true;
 }
diff --git a/pkgs/development/compilers/dev86/default.nix b/pkgs/development/compilers/dev86/default.nix
index f37dae808301..b8083c9ed6b8 100644
--- a/pkgs/development/compilers/dev86/default.nix
+++ b/pkgs/development/compilers/dev86/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation {
 sha256 = "33398b87ca85e2b69e4062cf59f2f7354af46da5edcba036c6f97bae17b8d00e";
 };
+ noHardening_format = true;
+
 makeFlags = "PREFIX=$(out)";
 # Awful hackery to get dev86 to compile with recent gcc/binutils.
diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix
index 6cde7aba92a0..4f1b017302a6 100644
--- a/pkgs/development/compilers/gcc/4.5/default.nix
+++ b/pkgs/development/compilers/gcc/4.5/default.nix
@@ -134,6 +134,8 @@ stdenv.mkDerivation ({
 inherit langC langCC langFortran langJava langAda;
 };
+ noHardening_all = true;
+
 patches = [ ]
 ++ optional (cross != null) ../libstdc++-target.patch
diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix
index add9b30fb629..c7d63099be1f 100644
--- a/pkgs/development/compilers/gcc/4.9/default.nix
+++ b/pkgs/development/compilers/gcc/4.9/default.nix
@@ -218,6 +218,8 @@ stdenv.mkDerivation ({
 inherit patches;
+ noHardening_format = true;
+
 postPatch = if (stdenv.isGNU
 || (libcCross != null # e.g., building `gcc.crossDrv'
diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix
index d25001697443..fdfc9d456466 100644
--- a/pkgs/development/compilers/go/1.4.nix
+++ b/pkgs/development/compilers/go/1.4.nix
@@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
 buildInputs = [ pcre ];
 propagatedBuildInputs = lib.optional stdenv.isDarwin Security;
+ noHardening_all = true;
+
 # I'm not sure what go wants from its 'src', but the go installation manual
 # describes an installation keeping the src.
 preUnpack = ''
diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix
index 54c8cf219d5f..26ffabced6a6 100644
--- a/pkgs/development/compilers/go/1.5.nix
+++ b/pkgs/development/compilers/go/1.5.nix
@@ -29,6 +29,8 @@ stdenv.mkDerivation rec {
 Security Foundation ];
+ noHardening_all = true;
+
 # I'm not sure what go wants from its 'src', but the go installation manual
 # describes an installation keeping the src.
 preUnpack = ''
diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix
index 1f746802c7b0..1982ca218024 100644
--- a/pkgs/development/haskell-modules/configuration-common.nix
+++ b/pkgs/development/haskell-modules/configuration-common.nix
@@ -44,7 +44,11 @@ self: super: {
 options_1_2 = dontCheck super.options_1_2;
 options = dontCheck super.options;
 statistics = dontCheck super.statistics;
- c2hs = if pkgs.stdenv.isDarwin then dontCheck super.c2hs else super.c2hs;
+ c2hs = let c2hs_ = pkgs.stdenv.lib.overrideDerivation super.c2hs (drv: {
+ noHardening_format = true;
+ doCheck = false;
+ });
+ in if pkgs.stdenv.isDarwin then dontCheck c2hs_ else c2hs_;
 # The package doesn't compile with ruby 1.9, which is our default at the moment.
 hruby = super.hruby.override { ruby = pkgs.ruby_2_1; };
diff --git a/pkgs/development/libraries/CoinMP/default.nix b/pkgs/development/libraries/CoinMP/default.nix
index e819078f7868..bdd380fd4b80 100644
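Review bot: The `noHardening_format = true` placed inside `overrideDerivation` presumably never reaches the hardening adapter, because `lib.overrideDerivation` re-invokes `derivation` on the existing `drvAttrs` rather than going back through `stdenv.mkDerivation`, which is where this commit's `useHardenFlags` computes `NIX_CFLAGS_COMPILE`; the resulting c2hs derivation would still carry `-Werror=format-security`, so a maintainer should confirm by inspecting `NIX_CFLAGS_COMPILE` of the instantiated .drv before relying on this override. `doCheck = false` in the same override already disables the test suite, which makes the `dontCheck` on the Darwin branch redundant; the last added line can simply be `in c2hs_;`. The enclosing attribute set continues outside the hunk.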
--- a/pkgs/development/libraries/CoinMP/default.nix
+++ b/pkgs/development/libraries/CoinMP/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
 sha256 = "0gqi2vqkg35gazzzv8asnhihchnbjcd6bzjfzqhmj7wy1dw9iiw6";
 };
+ noHardening_format = true;
+
 meta = with stdenv.lib; {
 homepage = https://projects.coin-or.org/CoinMP/;
 description = "COIN-OR lightweight API for COIN-OR libraries CLP, CBC, and CGL";
diff --git a/pkgs/development/libraries/audio/libbs2b/default.nix b/pkgs/development/libraries/audio/libbs2b/default.nix
index e43a5acb6bdb..e9a13b6ff876 100644
--- a/pkgs/development/libraries/audio/libbs2b/default.nix
+++ b/pkgs/development/libraries/audio/libbs2b/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 buildInputs = [ pkgconfig libsndfile ];
+ noHardening_format = true;
+
 meta = {
 homepage = "http://bs2b.sourceforge.net/";
 description = "Bauer stereophonic-to-binaural DSP library";
diff --git a/pkgs/development/libraries/fribidi/default.nix b/pkgs/development/libraries/fribidi/default.nix
index 23795e9633ed..5d0e451c54c9 100644
--- a/pkgs/development/libraries/fribidi/default.nix
+++ b/pkgs/development/libraries/fribidi/default.nix
@@ -3,12 +3,14 @@ stdenv.mkDerivation rec {
 name = "fribidi-${version}";
 version = "0.19.6";
-
+
 src = fetchurl {
 url = "http://fribidi.org/download/${name}.tar.bz2";
 sha256 = "0zg1hpaml34ny74fif97j7ngrshlkl3wk3nja3gmlzl17i1bga6b";
 };
+ noHardening_format = true;
+
 meta = with stdenv.lib; {
 homepage = http://fribidi.org/;
 description = "GNU implementation of the Unicode Bidirectional Algorithm (bidi)";
diff --git a/pkgs/development/libraries/gd/default.nix b/pkgs/development/libraries/gd/default.nix
index 7c3c53626b5d..5ca1de273b4e 100644
--- a/pkgs/development/libraries/gd/default.nix
+++ b/pkgs/development/libraries/gd/default.nix
@@ -2,16 +2,18 @@ stdenv.mkDerivation {
 name = "gd-2.0.35";
-
+
 src = fetchurl {
 url = http://www.libgd.org/releases/gd-2.0.35.tar.bz2;
 sha256 = "1y80lcmb8qbzf0a28841zxhq9ndfapmh2fsrqfd9lalxfj8288mz";
 };
-
+
 buildInputs = [zlib libpng freetype];
 propagatedBuildInputs = [libjpeg fontconfig]; # urgh
+ noHardening_format = true;
+
 configureFlags = "--without-x";
 meta = {
diff --git a/pkgs/development/libraries/gettext/default.nix b/pkgs/development/libraries/gettext/default.nix
index 3d7cfc0ca310..cbdb448723a7 100644
--- a/pkgs/development/libraries/gettext/default.nix
+++ b/pkgs/development/libraries/gettext/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation (rec {
 outputs = [ "out" "doc" ];
+ noHardening_format = true;
+
 LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else "";
 configureFlags = [ "--disable-csharp" "--with-xz" ]
diff --git a/pkgs/development/libraries/giflib/libungif.nix b/pkgs/development/libraries/giflib/libungif.nix
index f3302f8f3337..45384b825c13 100644
--- a/pkgs/development/libraries/giflib/libungif.nix
+++ b/pkgs/development/libraries/giflib/libungif.nix
@@ -6,5 +6,7 @@ stdenv.mkDerivation {
 url = mirror://sourceforge/giflib/libungif-4.1.4.tar.gz;
 md5 = "efdfcf8e32e35740288a8c5625a70ccb";
 };
+
+ noHardening_format = true;
 }
diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix
index 26d2f2454b45..6e9aa497f77f 100644
--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@@ -213,6 +213,10 @@ stdenv.mkDerivation ({
 preBuild = "unset NIX_DONT_SET_RPATH";
 }
+// stdenv.lib.optionalAttrs (name == "glibc-locales") {
+ noHardening_stackprotector = true;
+}
+
 // stdenv.lib.optionalAttrs (hurdHeaders != null) {
 # Work around the fact that the configure snippet that looks for
 # does not honor `--with-headers=$sysheaders' and that
diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix
index 08eaf555e02d..a2ecedbe7e95 100644
--- a/pkgs/development/libraries/glibc/default.nix
+++ b/pkgs/development/libraries/glibc/default.nix
@@ -25,6 +25,8 @@ in
 builder = ./builder.sh;
+ noHardening_all = true;
+
 # When building glibc from bootstrap-tools, we need libgcc_s at RPATH for
 # any program we run, because the gcc will have been placed at a new
 # store path than that determined when built (as a source for the
diff --git a/pkgs/development/libraries/gnu-efi/default.nix b/pkgs/development/libraries/gnu-efi/default.nix
index e674aae2b58a..e6209ad93f6f 100644
--- a/pkgs/development/libraries/gnu-efi/default.nix
+++ b/pkgs/development/libraries/gnu-efi/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
 sha256 = "1jxlypkgb8bd1c114x96i699ib0glb5aca9dv56j377x2ldg4c65";
 };
+ noHardening_all = true;
+
 buildInputs = [ pciutils ];
 makeFlags = [
diff --git a/pkgs/development/libraries/libgphoto2/default.nix b/pkgs/development/libraries/libgphoto2/default.nix
index e25cdb61d86a..3df793df73fd 100644
--- a/pkgs/development/libraries/libgphoto2/default.nix
+++ b/pkgs/development/libraries/libgphoto2/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
 # These are mentioned in the Requires line of libgphoto's pkg-config file.
 propagatedBuildInputs = [ libexif ];
+ noHardening_format = true;
+
 meta = {
 homepage = http://www.gphoto.org/proj/libgphoto2/;
 description = "A library for accessing digital cameras";
diff --git a/pkgs/development/libraries/libvisual/default.nix b/pkgs/development/libraries/libvisual/default.nix
index dc2f0338b483..a2c9c52937ec 100644
--- a/pkgs/development/libraries/libvisual/default.nix
+++ b/pkgs/development/libraries/libvisual/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 buildInputs = [ pkgconfig glib ];
+ noHardening_format = true;
+
 meta = {
 description = "An abstraction library for audio visualisations";
 homepage = "http://sourceforge.net/projects/libvisual/";
diff --git a/pkgs/development/libraries/pupnp/default.nix b/pkgs/development/libraries/pupnp/default.nix
index c5e26c1dfad5..267b434da525 100644
--- a/pkgs/development/libraries/pupnp/default.nix
+++ b/pkgs/development/libraries/pupnp/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
 sha256 = "0amjv4lypvclmi4vim2qdyw5xa6v4x50zjgf682vahqjc0wjn55k";
 };
+ noHardening_all = true;
+
 meta = {
 description = "libupnp, an open source UPnP development kit for Linux";
diff --git a/pkgs/development/libraries/speechd/default.nix b/pkgs/development/libraries/speechd/default.nix
index 5104532ea91e..cbd731aef688 100644
--- a/pkgs/development/libraries/speechd/default.nix
+++ b/pkgs/development/libraries/speechd/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 buildInputs = [ dotconf glib pkgconfig ];
+ noHardening_format = true;
+
 meta = {
 description = "Common interface to speech synthesis";
diff --git a/pkgs/development/tools/misc/elfutils/default.nix b/pkgs/development/tools/misc/elfutils/default.nix
index 0a62859d2075..a412d7e537c7 100644
--- a/pkgs/development/tools/misc/elfutils/default.nix
+++ b/pkgs/development/tools/misc/elfutils/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 patches = [ ./glibc-2.21.patch ];
+ noHardening_format = true;
+
 # We need bzip2 in NativeInputs because otherwise we can't unpack the src,
 # as the host-bzip2 will be in the path.
 nativeBuildInputs = [ m4 bison flex gettext bzip2 ];
diff --git a/pkgs/os-specific/linux/acpi-call/default.nix b/pkgs/os-specific/linux/acpi-call/default.nix
index 289b54f1b54c..1187bf10d14b 100644
--- a/pkgs/os-specific/linux/acpi-call/default.nix
+++ b/pkgs/os-specific/linux/acpi-call/default.nix
@@ -8,7 +8,9 @@ stdenv.mkDerivation {
 rev = "ac67445bc75ec4fcf46ceb195fb84d74ad350d51";
 sha256 = "0jl19irz9x9pxab2qp4z8c3jijv2m30zhmnzi6ygbrisqqlg4c75";
 };
-
+
+ noHardening_pic = true;
+
 preBuild = ''
 sed -e 's/break/true/' -i examples/turn_off_gpu.sh
 sed -e 's@/bin/bash@.bin/sh@' -i examples/turn_off_gpu.sh
diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index fa6591701a69..86551f4eecb4 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -33,6 +33,8 @@ stdenv.mkDerivation rec {
 sha256 = "16ii9sqracvh2r1gfzhmlypl269nnbkpvrwa7270k35d3bigk9h5";
 };
+ noHardening_format = true;
+
 patches = [ ./busybox-in-store.patch ];
 configurePhase = ''
diff --git a/pkgs/os-specific/linux/gogoclient/default.nix b/pkgs/os-specific/linux/gogoclient/default.nix
index a627a8cbcc94..38762a5f1fe9 100644
--- a/pkgs/os-specific/linux/gogoclient/default.nix
+++ b/pkgs/os-specific/linux/gogoclient/default.nix
@@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
 makeFlags = ["target=linux"];
 installFlags = ["installdir=$(out)"];
+ noHardening_format = true;
+
 buildInputs = [openssl];
 preFixup = ''
diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix
index fdb2f041a658..f5e76c0df501 100644
--- a/pkgs/os-specific/linux/jool/default.nix
+++ b/pkgs/os-specific/linux/jool/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation {
 src = sourceAttrs.src;
+ noHardening_pic = true;
+
 prePatch = ''
 sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i mod/*/Makefile
 '';
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index 4a826ff7ae3d..8c537d675510 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -224,10 +224,16 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe
 nativeBuildInputs = [ perl bc nettools openssl ]
 ++ optional (stdenv.platform.uboot != null) (ubootChooser stdenv.platform.uboot);
+ noHardening_format = true;
+ noHardening_fortify = true;
+ noHardening_stackprotector = true;
+
 makeFlags = commonMakeFlags ++ [
 "ARCH=${stdenv.platform.kernelArch}"
 ];
+ noHardening_pic = true;
+
 karch = stdenv.platform.kernelArch;
 crossAttrs = let cp = stdenv.cross.platform; in
diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix
index 2199524154d9..5255b331bb12 100644
--- a/pkgs/os-specific/linux/kexectools/default.nix
+++ b/pkgs/os-specific/linux/kexectools/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 sha256 = "1qrfka9xvy77k0rg3k0cf7xai0f9vpgsbs4l3bs8r4nvzy37j2di";
 };
+ noHardening_format = true;
+
 buildInputs = [ zlib ];
 meta = with stdenv.lib; {
diff --git a/pkgs/os-specific/linux/numad/default.nix b/pkgs/os-specific/linux/numad/default.nix
index 2e88e2c794e7..fa7e5110de9d 100644
--- a/pkgs/os-specific/linux/numad/default.nix
+++ b/pkgs/os-specific/linux/numad/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
 sha256 = "08zd1yc3w00yv4mvvz5sq1gf91f6p2s9ljcd72m33xgnkglj60v4";
 };
+ noHardening_format = true;
+
 patches = [ ./numad-linker-flags.patch ];
diff --git a/pkgs/servers/gpm/default.nix b/pkgs/servers/gpm/default.nix
index a9fac485f905..c496ff3fdbba 100644
--- a/pkgs/servers/gpm/default.nix
+++ b/pkgs/servers/gpm/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
 nativeBuildInputs = [ automake autoconf libtool flex bison texinfo ];
 buildInputs = [ ncurses ];
+ noHardening_format = true;
+
 preConfigure = ''
 ./autogen.sh
 '';
diff --git a/pkgs/shells/dash/default.nix b/pkgs/shells/dash/default.nix
index d3104439e578..ab49613a39c5 100644
--- a/pkgs/shells/dash/default.nix
+++ b/pkgs/shells/dash/default.nix
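Review bot: The kernel's four opt-outs are split into two groups around `makeFlags`, with `noHardening_pic = true;` added on its own after the list; keeping all four together, or using a single `noHardening_all = true;` as this same commit does for glibc, grub and gummiboot, would make the intent readable at a glance. As written, `-O2`, `-fno-strict-overflow` and `-z relro` are still appended to `NIX_CFLAGS_COMPILE` for the kernel build; whether the kernel's build honours that variable is not visible in this hunk, so the partial opt-out deserves a comment such as `# kernel sets its own CFLAGS; only the flags that break the build are disabled here` naming what is deliberately left on. The `mkDerivation` argument set continues outside the hunk.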
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
 sha256 = "03y6z8akj72swa6f42h2dhq3p09xasbi6xia70h2vc27fwikmny6";
 };
+ noHardening_format = true;
+
 meta = {
 homepage = http://gondor.apana.org.au/~herbert/dash/;
 description = "A POSIX-compliant implementation of /bin/sh that aims to be as small as possible";
diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix
index 836dedf1cb18..58e1c157b938 100644
--- a/pkgs/stdenv/adapters.nix
+++ b/pkgs/stdenv/adapters.nix
@@ -236,6 +236,22 @@ rec {
 });
 };
+ useHardenFlags = stdenv: stdenv //
+ { mkDerivation = args: stdenv.mkDerivation (args // {
+ NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "")
+ + stdenv.lib.optionalString (!(args.noHardening_all or false)) (
+ stdenv.lib.optionalString (!(args.noHardening_fortify or false)) " -O2 -D_FORTIFY_SOURCE=2"
+ + stdenv.lib.optionalString (!(args.noHardening_stackprotector or false)) " -fstack-protector-all"
+ + stdenv.lib.optionalString ((args.noHardening_pie or false) && true) " -fPIE -pie"
+ + stdenv.lib.optionalString (!(args.noHardening_pic or false)) " -fPIC"
+ + stdenv.lib.optionalString (!(args.noHardening_relro or false)) " -z relro"
+ + stdenv.lib.optionalString ((args.noHardening_bindnow or false) && true) " -z now"
+ + stdenv.lib.optionalString (!(args.noHardening_strictoverflow or false)) " -fno-strict-overflow"
+ + stdenv.lib.optionalString (!(args.noHardening_format or false)) " -Wformat -Wformat-security -Werror=format-security"
+ );
+ });
+ };
+
 dropCxx = drv: drv.override {
 stdenv = if pkgs.stdenv.isDarwin then pkgs.allStdenvs.stdenvDarwinNaked
diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix
index 22b8a607fd34..1e562ee3ecf1 100644
--- a/pkgs/tools/admin/tightvnc/default.nix
+++ b/pkgs/tools/admin/tightvnc/default.nix
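Review bot: The `-fPIE -pie` and `-z now` conditions are written as `(args.noHardening_pie or false) && true`, which enables the flag only when a package sets `noHardening_pie = true` — the opposite sense of every other `noHardening_*` attribute — and the `&& true` is a no-op; either change them to `!(args.noHardening_pie or false)` and `!(args.noHardening_bindnow or false)` if PIE and bind-now are meant to be on by default, or give the two attributes a name in which `true` visibly means "enable". `-z relro` and `-z now` are linker options being placed in a compile-flags variable; gcc forwards a bare `-z` to the linker on link steps, but on compile-only invocations it is, as far as I recall, reported as an unused linker input, so `NIX_LDFLAGS` (or `-Wl,-z,relro`) would be the cleaner home. Because the hardening string is appended after the package's own `NIX_CFLAGS_COMPILE`, the forced `-O2` presumably wins over any optimisation level a package put there, which is worth a comment. A short comment above `useHardenFlags` listing the recognised `noHardening_*` attributes and stating which flags are opt-in would save every package author from re-deriving this expression.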
@@ -13,6 +13,8 @@ stdenv.mkDerivation {
 inherit xauth fontDirectories perl;
 gcc = stdenv.cc.cc;
+ noHardening_format = true;
+
 buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw libXpm libXp xauth openssh ];
diff --git a/pkgs/tools/archivers/sharutils/default.nix b/pkgs/tools/archivers/sharutils/default.nix
index e806a962eabb..5d60c449173e 100644
--- a/pkgs/tools/archivers/sharutils/default.nix
+++ b/pkgs/tools/archivers/sharutils/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
 sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g";
 };
+ noHardening_format = true;
+
 preConfigure = ''
 # Fix for building on Glibc 2.16. Won't be needed once the
 # gnulib in sharutils is updated.
diff --git a/pkgs/tools/archivers/unzip/default.nix b/pkgs/tools/archivers/unzip/default.nix
index b5d03bc18b27..dcc51320bbd1 100644
--- a/pkgs/tools/archivers/unzip/default.nix
+++ b/pkgs/tools/archivers/unzip/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation {
 sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83";
 };
+ noHardening_format = true;
+
 patches = [
 ./CVE-2014-8139.diff
 ./CVE-2014-8140.diff
diff --git a/pkgs/tools/archivers/zip/default.nix b/pkgs/tools/archivers/zip/default.nix
index 431ed354d21c..f9349937b8f9 100644
--- a/pkgs/tools/archivers/zip/default.nix
+++ b/pkgs/tools/archivers/zip/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation {
 sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h";
 };
+ noHardening_format = true;
+
 makefile = "unix/Makefile";
 buildFlags = if stdenv.isCygwin then "cygwin" else "generic";
 installFlags = "prefix=$(out) INSTALL=cp";
diff --git a/pkgs/tools/cd-dvd/cdrkit/default.nix b/pkgs/tools/cd-dvd/cdrkit/default.nix
index bcf9ec2c0cc3..5fcccbee02cf 100644
--- a/pkgs/tools/cd-dvd/cdrkit/default.nix
+++ b/pkgs/tools/cd-dvd/cdrkit/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 buildInputs = [cmake libcap zlib bzip2];
+ noHardening_format = true;
+
 # efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244
 patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ];
diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix
index 5635e3a69ff7..090af09fca0c 100644
--- a/pkgs/tools/graphics/graphviz/default.nix
+++ b/pkgs/tools/graphics/graphviz/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1";
 };
+ noHardening_all = true;
+
 patches = [ ./0001-vimdot-lookup-vim-in-PATH.patch
diff --git a/pkgs/tools/graphics/transfig/default.nix b/pkgs/tools/graphics/transfig/default.nix
index f540029cbc73..bcbbe71b897f 100644
--- a/pkgs/tools/graphics/transfig/default.nix
+++ b/pkgs/tools/graphics/transfig/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 buildInputs = [zlib libjpeg libpng imake];
 inherit libpng;
+ noHardening_format = true;
+
 patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch];
 prefixPatch1 =
diff --git a/pkgs/tools/misc/expect/default.nix b/pkgs/tools/misc/expect/default.nix
index a50717d53992..4efa94612322 100644
--- a/pkgs/tools/misc/expect/default.nix
+++ b/pkgs/tools/misc/expect/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 buildInputs = [ tcl ];
 nativeBuildInputs = [ makeWrapper ];
+ noHardening_format = true;
+
 patchPhase = ''
 sed -i "s,/bin/stty,$(type -p stty),g" configure
 '';
diff --git a/pkgs/tools/misc/grub/2.0x.nix b/pkgs/tools/misc/grub/2.0x.nix
index 8e52adc76991..abe690ca0e45 100644
--- a/pkgs/tools/misc/grub/2.0x.nix
+++ b/pkgs/tools/misc/grub/2.0x.nix
@@ -52,6 +52,8 @@ stdenv.mkDerivation rec {
 ++ optional doCheck qemu
 ++ optional zfsSupport zfs;
+ noHardening_all = true;
+
 preConfigure = ''
 for i in "tests/util/"*.in
 do
diff --git a/pkgs/tools/misc/gummiboot/default.nix b/pkgs/tools/misc/gummiboot/default.nix
index 9d9b7700c90b..e831bbdab6f5 100644
--- a/pkgs/tools/misc/gummiboot/default.nix
+++ b/pkgs/tools/misc/gummiboot/default.nix
@@ -5,6 +5,8 @@ stdenv.mkDerivation rec {
 buildInputs = [ gnu-efi pkgconfig libxslt utillinux ];
+ noHardening_all = true;
+
 # Sigh, gummiboot should be able to find this in buildInputs
 configureFlags = [ "--with-efi-includedir=${gnu-efi}/include"
diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix
index 33d8ee2fd636..6d9fe64f1694 100644
--- a/pkgs/tools/networking/iperf/2.nix
+++ b/pkgs/tools/networking/iperf/2.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
 sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3";
 };
+ noHardening_format = true;
+
 meta = with stdenv.lib; {
 homepage = "http://sourceforge.net/projects/iperf/";
 description = "Tool to measure IP bandwidth using UDP or TCP";
diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix
index 72a31262e26f..4aecc41aa3db 100644
--- a/pkgs/tools/networking/vde2/default.nix
+++ b/pkgs/tools/networking/vde2/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 buildInputs = [ openssl libpcap python ];
+ noHardening_format = true;
+
 meta = {
 homepage = http://vde.sourceforge.net/;
 description = "Virtual Distributed Ethernet, an Ethernet compliant virtual network";
diff --git a/pkgs/tools/typesetting/tex/texlive-new/bin.nix b/pkgs/tools/typesetting/tex/texlive-new/bin.nix
index 431f3926a13e..37c19319ef76 100644
--- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix
+++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix
@@ -64,6 +64,8 @@ core = stdenv.mkDerivation rec {
 perl
 ];
+ noHardening_format = true;
+
 preConfigure = ''
 rm -r libs/{cairo,freetype2,gd,gmp,graphite2,harfbuzz,icu,libpaper,libpng} \
 libs/{mpfr,pixman,poppler,potrace,xpdf,zlib,zziplib}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index c8dc32920e2e..0e658228f2f0 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -214,12 +214,12 @@ let
 allPackages = args: import ./all-packages.nix ({ inherit config system; } // args);
 };
- defaultStdenv = allStdenvs.stdenv // { inherit platform; };
+ defaultStdenv = stdenvAdapters.useHardenFlags (allStdenvs.stdenv // { inherit platform; });
 stdenvCross = lowPrio (makeStdenvCross defaultStdenv crossSystem binutilsCross gccCrossStageFinal);
 stdenv =
- if bootStdenv != null then (bootStdenv // {inherit platform;}) else
+ if bootStdenv != null then (stdenvAdapters.useHardenFlags bootStdenv // {inherit platform;}) else
 if crossSystem != null then stdenvCross else
From f6d3b7a2ae01ccd9934a6437915acd3eade2a184 Mon Sep 17 00:00:00 2001
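Review bot: The hardening wrapper is attached with `//` on top of the evaluated stdenv value, so any stdenv obtained through `stdenv.override` (which, via `makeOverridable`, re-evaluates the original stdenv function) presumably comes back without `useHardenFlags`; `overrideCC stdenv gccN` and `dropCxx`'s `drv.override { stdenv = ... }` in this commit's adapters.nix hunk are the visible examples, and packages built that way would be unhardened with nothing reporting it. Either apply `useHardenFlags` where the stdenv is constructed so `override` preserves it, or add an evaluation check that an overridden stdenv's derivations still carry the expected `NIX_CFLAGS_COMPILE`. Minor: `stdenvAdapters.useHardenFlags bootStdenv // {inherit platform;}` parses as `(useHardenFlags bootStdenv) // {...}`, which works but reads differently from the `defaultStdenv` line; writing `(stdenvAdapters.useHardenFlags (bootStdenv // {inherit platform;}))` keeps the two consistent. The `stdenv =` conditional continues outside the hunk.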
From: Robin Gloster
Date: Sat, 23 Jan 2016 21:19:59 +0000
Subject: [PATCH 002/507] switch hardening flags
---
 .../applications/audio/cdparanoia/default.nix | 2 +-
 pkgs/applications/audio/mpg321/default.nix | 2 +-
 .../networking/browsers/w3m/default.nix | 2 +-
 .../git-and-tools/git/default.nix | 2 +-
 .../virtualization/xen/generic.nix | 2 +-
 .../gnome-2/platform/libgnomecups/default.nix | 2 +-
 .../gnome-2/platform/libgtkhtml/default.nix | 2 +-
 pkgs/development/compilers/dev86/default.nix | 2 +-
 .../development/compilers/gcc/4.5/default.nix | 2 +-
 .../development/compilers/gcc/4.9/default.nix | 2 +-
 pkgs/development/compilers/go/1.4.nix | 2 +-
 pkgs/development/compilers/go/1.5.nix | 2 +-
 .../haskell-modules/configuration-common.nix | 2 +-
 pkgs/development/libraries/CoinMP/default.nix | 2 +-
 .../libraries/audio/libbs2b/default.nix | 2 +-
 .../development/libraries/fribidi/default.nix | 2 +-
 pkgs/development/libraries/gd/default.nix | 2 +-
 .../development/libraries/gettext/default.nix | 2 +-
 .../development/libraries/giflib/libungif.nix | 2 +-
 pkgs/development/libraries/glibc/common.nix | 2 +-
 pkgs/development/libraries/glibc/default.nix | 3 ++-
 .../development/libraries/gnu-efi/default.nix | 2 --
 pkgs/development/libraries/libelf/default.nix | 2 +-
 .../libraries/libgphoto2/default.nix | 2 +-
 .../libraries/libvisual/default.nix | 2 +-
 pkgs/development/libraries/pupnp/default.nix | 2 +-
 .../development/libraries/speechd/default.nix | 2 +-
 .../tools/misc/elfutils/default.nix | 2 +-
 pkgs/os-specific/linux/acpi-call/default.nix | 2 +-
 pkgs/os-specific/linux/busybox/default.nix | 2 +-
 pkgs/os-specific/linux/gogoclient/default.nix | 2 +-
 pkgs/os-specific/linux/jool/default.nix | 2 +-
 .../linux/kernel/manual-config.nix | 8 +++---
 pkgs/os-specific/linux/kexectools/default.nix | 2 +-
 pkgs/os-specific/linux/numad/default.nix | 2 +-
 pkgs/servers/gpm/default.nix | 2 +-
 pkgs/shells/dash/default.nix | 2 +-
 pkgs/stdenv/adapters.nix | 24 ++++++++++++------
 pkgs/tools/admin/tightvnc/default.nix | 2 +-
 pkgs/tools/archivers/sharutils/default.nix | 2 +-
 pkgs/tools/archivers/unzip/default.nix | 2 +-
 pkgs/tools/archivers/zip/default.nix | 2 +-
 pkgs/tools/cd-dvd/cdrkit/default.nix | 2 +-
 pkgs/tools/graphics/graphviz/default.nix | 2 +-
 pkgs/tools/graphics/transfig/default.nix | 2 +-
 pkgs/tools/misc/expect/default.nix | 2 +-
 pkgs/tools/misc/grub/2.0x.nix | 2 +-
 pkgs/tools/misc/gummiboot/default.nix | 2 +-
 pkgs/tools/networking/iperf/2.nix | 2 +-
 pkgs/tools/networking/vde2/default.nix | 2 +-
 .../tools/typesetting/tex/texlive-new/bin.nix | 2 +-
 51 files changed, 68 insertions(+), 63 deletions(-)
diff --git a/pkgs/applications/audio/cdparanoia/default.nix b/pkgs/applications/audio/cdparanoia/default.nix
index c19b261016df..9de3bef62ad3 100644
--- a/pkgs/applications/audio/cdparanoia/default.nix
+++ b/pkgs/applications/audio/cdparanoia/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
 sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80";
 };
- noHardening_format = true;
+ hardening_format = false;
 preConfigure = "unset CC";
diff --git a/pkgs/applications/audio/mpg321/default.nix b/pkgs/applications/audio/mpg321/default.nix
index e833784ee76c..c5bcd5ab4e41 100644
--- a/pkgs/applications/audio/mpg321/default.nix
+++ b/pkgs/applications/audio/mpg321/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
 sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
 };
- noHardening_format = true;
+ hardening_format = false;
 configureFlags = [
 ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no"))
diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix
index d849b10daee5..cc3e55f02e91 100644
--- a/pkgs/applications/networking/browsers/w3m/default.nix
+++ b/pkgs/applications/networking/browsers/w3m/default.nix
@@ -50,7 +50,7 @@ stdenv.mkDerivation rec { ln -s $out/libexec/w3m/w3mimgdisplay $out/bin ''; - noHardening_format = true; + hardening_format = false; configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}" + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb"; diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index a5df0dbe08e2..08905ea48813 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation { sha256 = "03bvb8s5j8i54qbi3yayl42bv0wf2fpgnh1a2lkhbj79zi7b77zs"; }; - noHardening_format = true; + hardening_format = false; patches = [ ./docbook2texi.patch diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix index c742ffb50022..ce6753ed165d 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic.nix @@ -75,7 +75,7 @@ stdenv.mkDerivation { pythonPath = [ pythonPackages.curses ]; - noHardening_all = true; + #hardening_all = false; patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches; diff --git a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix index ec7b9ff8a8bd..9dc8d6f8ef1b 100644 --- a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix +++ b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71"; }; - noHardening_format = true; + hardening_format = false; patches = [ ./glib.patch ./cups_1.6.patch ]; 
diff --git a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix index 5044dbabd2f3..d766957f0d79 100644 --- a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix +++ b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix @@ -11,5 +11,5 @@ stdenv.mkDerivation { buildInputs = [ pkgconfig gtk gettext ]; propagatedBuildInputs = [ libxml2 ]; - noHardening_format = true; + hardening_format = false; } diff --git a/pkgs/development/compilers/dev86/default.nix b/pkgs/development/compilers/dev86/default.nix index b8083c9ed6b8..0ee0a622b1e6 100644 --- a/pkgs/development/compilers/dev86/default.nix +++ b/pkgs/development/compilers/dev86/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "33398b87ca85e2b69e4062cf59f2f7354af46da5edcba036c6f97bae17b8d00e"; }; - noHardening_format = true; + hardening_format = false; makeFlags = "PREFIX=$(out)"; diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix index 4f1b017302a6..8c4afb31c50d 100644 --- a/pkgs/development/compilers/gcc/4.5/default.nix +++ b/pkgs/development/compilers/gcc/4.5/default.nix @@ -134,7 +134,7 @@ stdenv.mkDerivation ({ inherit langC langCC langFortran langJava langAda; }; - noHardening_all = true; + #hardening_all = false; patches = [ ] diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix index c7d63099be1f..1d97a66008cd 100644 --- a/pkgs/development/compilers/gcc/4.9/default.nix +++ b/pkgs/development/compilers/gcc/4.9/default.nix @@ -218,7 +218,7 @@ stdenv.mkDerivation ({ inherit patches; - noHardening_format = true; + hardening_format = false; postPatch = if (stdenv.isGNU diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix index fdfc9d456466..0d2d2ae2857b 100644 --- a/pkgs/development/compilers/go/1.4.nix +++ b/pkgs/development/compilers/go/1.4.nix 
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec { buildInputs = [ pcre ]; propagatedBuildInputs = lib.optional stdenv.isDarwin Security; - noHardening_all = true; + #hardening_all = false; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix index 26ffabced6a6..750aec567a8c 100644 --- a/pkgs/development/compilers/go/1.5.nix +++ b/pkgs/development/compilers/go/1.5.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { Security Foundation ]; - noHardening_all = true; + #hardening_all = false; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 1982ca218024..25f2f1b64408 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -45,7 +45,7 @@ self: super: { options = dontCheck super.options; statistics = dontCheck super.statistics; c2hs = let c2hs_ = pkgs.stdenv.lib.overrideDerivation super.c2hs (drv: { - noHardening_format = true; + hardening_format = false; doCheck = false; }); in if pkgs.stdenv.isDarwin then dontCheck c2hs_ else c2hs_; diff --git a/pkgs/development/libraries/CoinMP/default.nix b/pkgs/development/libraries/CoinMP/default.nix index bdd380fd4b80..be44ef628853 100644 --- a/pkgs/development/libraries/CoinMP/default.nix +++ b/pkgs/development/libraries/CoinMP/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0gqi2vqkg35gazzzv8asnhihchnbjcd6bzjfzqhmj7wy1dw9iiw6"; }; - noHardening_format = true; + hardening_format = false; meta = with stdenv.lib; { homepage = https://projects.coin-or.org/CoinMP/; 
diff --git a/pkgs/development/libraries/audio/libbs2b/default.nix b/pkgs/development/libraries/audio/libbs2b/default.nix index e9a13b6ff876..4a64bc260bd8 100644 --- a/pkgs/development/libraries/audio/libbs2b/default.nix +++ b/pkgs/development/libraries/audio/libbs2b/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libsndfile ]; - noHardening_format = true; + hardening_format = false; meta = { homepage = "http://bs2b.sourceforge.net/"; diff --git a/pkgs/development/libraries/fribidi/default.nix b/pkgs/development/libraries/fribidi/default.nix index 5d0e451c54c9..09828665541b 100644 --- a/pkgs/development/libraries/fribidi/default.nix +++ b/pkgs/development/libraries/fribidi/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0zg1hpaml34ny74fif97j7ngrshlkl3wk3nja3gmlzl17i1bga6b"; }; - noHardening_format = true; + hardening_format = false; meta = with stdenv.lib; { homepage = http://fribidi.org/; diff --git a/pkgs/development/libraries/gd/default.nix b/pkgs/development/libraries/gd/default.nix index 5ca1de273b4e..a24a84168668 100644 --- a/pkgs/development/libraries/gd/default.nix +++ b/pkgs/development/libraries/gd/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { propagatedBuildInputs = [libjpeg fontconfig]; # urgh - noHardening_format = true; + hardening_format = false; configureFlags = "--without-x"; diff --git a/pkgs/development/libraries/gettext/default.nix b/pkgs/development/libraries/gettext/default.nix index cbdb448723a7..566263c15ed0 100644 --- a/pkgs/development/libraries/gettext/default.nix +++ b/pkgs/development/libraries/gettext/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation (rec { outputs = [ "out" "doc" ]; - noHardening_format = true; + hardening_format = false; LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else ""; 
diff --git a/pkgs/development/libraries/giflib/libungif.nix b/pkgs/development/libraries/giflib/libungif.nix index 45384b825c13..1cc4ae0201b9 100644 --- a/pkgs/development/libraries/giflib/libungif.nix +++ b/pkgs/development/libraries/giflib/libungif.nix @@ -7,6 +7,6 @@ stdenv.mkDerivation { md5 = "efdfcf8e32e35740288a8c5625a70ccb"; }; - noHardening_format = true; + hardening_format = false; } diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 6e9aa497f77f..2c13ac59146f 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -214,7 +214,7 @@ stdenv.mkDerivation ({ } // stdenv.lib.optionalAttrs (name == "glibc-locales") { - noHardening_stackprotector = true; + hardening_stackprotector = false; } // stdenv.lib.optionalAttrs (hurdHeaders != null) { diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix index a2ecedbe7e95..f9096084bd23 100644 --- a/pkgs/development/libraries/glibc/default.nix +++ b/pkgs/development/libraries/glibc/default.nix @@ -25,7 +25,8 @@ in builder = ./builder.sh; - noHardening_all = true; + hardening_stackprotector = false; + hardening_fortify = false; # When building glibc from bootstrap-tools, we need libgcc_s at RPATH for # any program we run, because the gcc will have been placed at a new diff --git a/pkgs/development/libraries/gnu-efi/default.nix b/pkgs/development/libraries/gnu-efi/default.nix index e6209ad93f6f..e674aae2b58a 100644 --- a/pkgs/development/libraries/gnu-efi/default.nix +++ b/pkgs/development/libraries/gnu-efi/default.nix @@ -9,8 +9,6 @@ stdenv.mkDerivation rec { sha256 = "1jxlypkgb8bd1c114x96i699ib0glb5aca9dv56j377x2ldg4c65"; }; - noHardening_all = true; - buildInputs = [ pciutils ]; makeFlags = [ diff --git a/pkgs/development/libraries/libelf/default.nix b/pkgs/development/libraries/libelf/default.nix index 048902f4fc49..88bce7f86614 100644 
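Review bot: Narrowing glibc's opt-out from `noHardening_all` to just `hardening_stackprotector` and `hardening_fortify` silently turns on the adapter's remaining defaults — `-fPIC`, `-Wl,-z,relro`/`-z now` and `-Wformat -Werror=format-security` — for glibc, which the first commit of this series had excluded entirely, and the hunk records neither why these two must stay off nor that the rest was verified. Keeping RELRO/BIND_NOW on libc is desirable, but `-Werror=format-security` turns any non-literal format string inside glibc into a build error, so this is the one package where a short justification matters most. Add a comment above the two lines, e.g. `# TODO(review): document why stackprotector/fortify must stay off for glibc and that relro/bindnow/format were build-tested`, replaced with the actual observation once known.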
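Review bot: Deleting `noHardening_all = true;` from gnu-efi re-enables every adapter default, including `-fstack-protector-all` and `-D_FORTIFY_SOURCE=2`, for a freestanding EFI library that is not linked against a libc able to supply `__stack_chk_fail`/`__stack_chk_guard` or the fortified `__*_chk` wrappers; the earlier commit in this series had excluded gnu-efi completely, presumably for that reason. Whether gnu-efi's own Makefile overrides these flags cannot be seen from this hunk, so unless the build and the resulting `.efi` images were verified, keep explicit opt-outs with a reason, e.g. `hardening_stackprotector = false; # freestanding EFI code: no __stack_chk_fail` and `hardening_fortify = false;`.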
--- a/pkgs/development/libraries/libelf/default.nix +++ b/pkgs/development/libraries/libelf/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation (rec { }; doCheck = true; - + # For cross-compiling, native glibc is needed for the "gencat" program. crossAttrs = { nativeBuildInputs = [ glibc ]; diff --git a/pkgs/development/libraries/libgphoto2/default.nix b/pkgs/development/libraries/libgphoto2/default.nix index 3df793df73fd..682a42e2db9d 100644 --- a/pkgs/development/libraries/libgphoto2/default.nix +++ b/pkgs/development/libraries/libgphoto2/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { # These are mentioned in the Requires line of libgphoto's pkg-config file. propagatedBuildInputs = [ libexif ]; - noHardening_format = true; + hardening_format = false; meta = { homepage = http://www.gphoto.org/proj/libgphoto2/; diff --git a/pkgs/development/libraries/libvisual/default.nix b/pkgs/development/libraries/libvisual/default.nix index a2c9c52937ec..a9320f1af7b0 100644 --- a/pkgs/development/libraries/libvisual/default.nix +++ b/pkgs/development/libraries/libvisual/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig glib ]; - noHardening_format = true; + hardening_format = false; meta = { description = "An abstraction library for audio visualisations"; diff --git a/pkgs/development/libraries/pupnp/default.nix b/pkgs/development/libraries/pupnp/default.nix index 267b434da525..430a09aeede6 100644 --- a/pkgs/development/libraries/pupnp/default.nix +++ b/pkgs/development/libraries/pupnp/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0amjv4lypvclmi4vim2qdyw5xa6v4x50zjgf682vahqjc0wjn55k"; }; - noHardening_all = true; + #hardening_all = false; meta = { description = "libupnp, an open source UPnP development kit for Linux"; diff --git a/pkgs/development/libraries/speechd/default.nix b/pkgs/development/libraries/speechd/default.nix index cbd731aef688..d94b4159e93e 100644 --- a/pkgs/development/libraries/speechd/default.nix 
+++ b/pkgs/development/libraries/speechd/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ dotconf glib pkgconfig ]; - noHardening_format = true; + hardening_format = false; meta = { description = "Common interface to speech synthesis"; diff --git a/pkgs/development/tools/misc/elfutils/default.nix b/pkgs/development/tools/misc/elfutils/default.nix index a412d7e537c7..464ad7910952 100644 --- a/pkgs/development/tools/misc/elfutils/default.nix +++ b/pkgs/development/tools/misc/elfutils/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./glibc-2.21.patch ]; - noHardening_format = true; + hardening_format = false; # We need bzip2 in NativeInputs because otherwise we can't unpack the src, # as the host-bzip2 will be in the path. diff --git a/pkgs/os-specific/linux/acpi-call/default.nix b/pkgs/os-specific/linux/acpi-call/default.nix index 1187bf10d14b..05a5549fae28 100644 --- a/pkgs/os-specific/linux/acpi-call/default.nix +++ b/pkgs/os-specific/linux/acpi-call/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { sha256 = "0jl19irz9x9pxab2qp4z8c3jijv2m30zhmnzi6ygbrisqqlg4c75"; }; - noHardening_pic = true; + hardening_pic = false; preBuild = '' sed -e 's/break/true/' -i examples/turn_off_gpu.sh diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix index 86551f4eecb4..cc3cfe2465d5 100644 --- a/pkgs/os-specific/linux/busybox/default.nix +++ b/pkgs/os-specific/linux/busybox/default.nix @@ -33,7 +33,7 @@ stdenv.mkDerivation rec { sha256 = "16ii9sqracvh2r1gfzhmlypl269nnbkpvrwa7270k35d3bigk9h5"; }; - noHardening_format = true; + hardening_format = false; patches = [ ./busybox-in-store.patch ]; diff --git a/pkgs/os-specific/linux/gogoclient/default.nix b/pkgs/os-specific/linux/gogoclient/default.nix index 38762a5f1fe9..93c334b95937 100644 --- a/pkgs/os-specific/linux/gogoclient/default.nix +++ b/pkgs/os-specific/linux/gogoclient/default.nix 
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec { makeFlags = ["target=linux"]; installFlags = ["installdir=$(out)"]; - noHardening_format = true; + hardening_format = false; buildInputs = [openssl]; diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix index f5e76c0df501..7c956e3c2442 100644 --- a/pkgs/os-specific/linux/jool/default.nix +++ b/pkgs/os-specific/linux/jool/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { src = sourceAttrs.src; - noHardening_pic = true; + hardening_pic = false; prePatch = '' sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i mod/*/Makefile diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix index 8c537d675510..ccbd29d3d1f7 100644 --- a/pkgs/os-specific/linux/kernel/manual-config.nix +++ b/pkgs/os-specific/linux/kernel/manual-config.nix @@ -224,15 +224,15 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null) (ubootChooser stdenv.platform.uboot); - noHardening_format = true; - noHardening_fortify = true; - noHardening_stackprotector = true; + hardening_format = false; + hardening_fortify = false; + hardening_stackprotector = false; makeFlags = commonMakeFlags ++ [ "ARCH=${stdenv.platform.kernelArch}" ]; - noHardening_pic = true; + hardening_pic = false; karch = stdenv.platform.kernelArch; diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix index 5255b331bb12..98593ea85a9c 100644 --- a/pkgs/os-specific/linux/kexectools/default.nix +++ b/pkgs/os-specific/linux/kexectools/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "1qrfka9xvy77k0rg3k0cf7xai0f9vpgsbs4l3bs8r4nvzy37j2di"; }; - noHardening_format = true; + hardening_format = false; buildInputs = [ zlib ]; 
diff --git a/pkgs/os-specific/linux/numad/default.nix b/pkgs/os-specific/linux/numad/default.nix index fa7e5110de9d..959de19ead26 100644 --- a/pkgs/os-specific/linux/numad/default.nix +++ b/pkgs/os-specific/linux/numad/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "08zd1yc3w00yv4mvvz5sq1gf91f6p2s9ljcd72m33xgnkglj60v4"; }; - noHardening_format = true; + hardening_format = false; patches = [ ./numad-linker-flags.patch diff --git a/pkgs/servers/gpm/default.nix b/pkgs/servers/gpm/default.nix index c496ff3fdbba..99b6ce2a832d 100644 --- a/pkgs/servers/gpm/default.nix +++ b/pkgs/servers/gpm/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ automake autoconf libtool flex bison texinfo ]; buildInputs = [ ncurses ]; - noHardening_format = true; + hardening_format = false; preConfigure = '' ./autogen.sh diff --git a/pkgs/shells/dash/default.nix b/pkgs/shells/dash/default.nix index ab49613a39c5..ba6a076f1f0e 100644 --- a/pkgs/shells/dash/default.nix +++ b/pkgs/shells/dash/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "03y6z8akj72swa6f42h2dhq3p09xasbi6xia70h2vc27fwikmny6"; }; - noHardening_format = true; + hardening_format = false; meta = { homepage = http://gondor.apana.org.au/~herbert/dash/; diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix index 58e1c157b938..5a5550ebb049 100644 --- a/pkgs/stdenv/adapters.nix +++ b/pkgs/stdenv/adapters.nix 
@@ -239,16 +239,22 @@ rec { useHardenFlags = stdenv: stdenv // { mkDerivation = args: stdenv.mkDerivation (args // { NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "") - + stdenv.lib.optionalString (!(args.noHardening_all or false)) ( - stdenv.lib.optionalString (!(args.noHardening_fortify or false)) " -O2 -D_FORTIFY_SOURCE=2" - + stdenv.lib.optionalString (!(args.noHardening_stackprotector or false)) " -fstack-protector-all" - + stdenv.lib.optionalString ((args.noHardening_pie or false) && true) " -fPIE -pie" - + stdenv.lib.optionalString (!(args.noHardening_pic or false)) " -fPIC" - + stdenv.lib.optionalString (!(args.noHardening_relro or false)) " -z relro" - + stdenv.lib.optionalString ((args.noHardening_bindnow or false) && true) " -z now" - + stdenv.lib.optionalString (!(args.noHardening_strictoverflow or false)) " -fno-strict-overflow" - + stdenv.lib.optionalString (!(args.noHardening_format or false)) " -Wformat -Wformat-security -Werror=format-security" + + stdenv.lib.optionalString (args.hardening_all or true) ( + stdenv.lib.optionalString (args.hardening_fortify or true) " -O2 -D_FORTIFY_SOURCE=2" + + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-all" + + stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie" + + stdenv.lib.optionalString (args.hardening_pic or true) " -fPIC" + + stdenv.lib.optionalString (args.hardening_relro or true) " -Wl,-z,relro" + + stdenv.lib.optionalString (args.hardening_bindnow or true) " -Wl,-z,now" + + stdenv.lib.optionalString (args.hardening_strictoverflow or true) " -fno-strict-overflow" + + stdenv.lib.optionalString (args.hardening_format or true) " -Wformat -Wformat-security -Werror=format-security" ); + NIX_LDFLAGS = toString (args.NIX_LDFLAGS or "") + + stdenv.lib.optionalString (args.hardening_all or true) ( + stdenv.lib.optionalString (args.hardening_relro or true) " -z relro" + + stdenv.lib.optionalString (args.hardening_bindnow or true) " -z now" + 
); + }); }; diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix index 1e562ee3ecf1..24fec4e33bbd 100644 --- a/pkgs/tools/admin/tightvnc/default.nix +++ b/pkgs/tools/admin/tightvnc/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { inherit xauth fontDirectories perl; gcc = stdenv.cc.cc; - noHardening_format = true; + hardening_format = false; buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw libXpm libXp xauth openssh ]; diff --git a/pkgs/tools/archivers/sharutils/default.nix b/pkgs/tools/archivers/sharutils/default.nix index 5d60c449173e..d1f13b77f0c1 100644 --- a/pkgs/tools/archivers/sharutils/default.nix +++ b/pkgs/tools/archivers/sharutils/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g"; }; - noHardening_format = true; + hardening_format = false; preConfigure = '' # Fix for building on Glibc 2.16. Won't be needed once the diff --git a/pkgs/tools/archivers/unzip/default.nix b/pkgs/tools/archivers/unzip/default.nix index dcc51320bbd1..20f7038067db 100644 --- a/pkgs/tools/archivers/unzip/default.nix +++ b/pkgs/tools/archivers/unzip/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83"; }; - noHardening_format = true; + hardening_format = false; patches = [ ./CVE-2014-8139.diff diff --git a/pkgs/tools/archivers/zip/default.nix b/pkgs/tools/archivers/zip/default.nix index f9349937b8f9..8be743c8dd0a 100644 --- a/pkgs/tools/archivers/zip/default.nix +++ b/pkgs/tools/archivers/zip/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h"; }; - noHardening_format = true; + hardening_format = false; makefile = "unix/Makefile"; buildFlags = if stdenv.isCygwin then "cygwin" else "generic"; diff --git a/pkgs/tools/cd-dvd/cdrkit/default.nix b/pkgs/tools/cd-dvd/cdrkit/default.nix index 5fcccbee02cf..34bb109a1715 100644 
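Review bot: `-D_FORTIFY_SOURCE=2` is injected into NIX_CFLAGS_COMPILE without a preceding `-U_FORTIFY_SOURCE`, so a package that already defines the macro itself gets a redefinition warning that `-Werror` turns into a failure; use `" -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2"`. The relro and bindnow flags are now emitted twice, as `-Wl,-z,relro -Wl,-z,now` in NIX_CFLAGS_COMPILE and again as `-z relro -z now` in the new NIX_LDFLAGS; harmless, but one place suffices, and NIX_LDFLAGS is the one that also reaches direct `ld` invocations, assuming the ld wrapper honours it (not visible here). `hardening_pie` is the only switch defaulting to false while the rest default to true, so executables stay non-PIE and ASLR does not randomise the main program image; that is a defensible first step (presumably because `-fPIE -pie` in compile flags would also reach `-shared` and static links), but it deserves a comment on that line such as `# PIE is opt-in: -pie in CFLAGS also reaches -shared/static links`. Whether the forced `-O2` overrides a package's own optimisation level depends on where the cc wrapper places NIX_CFLAGS_COMPILE — worth confirming.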
--- a/pkgs/tools/cd-dvd/cdrkit/default.nix +++ b/pkgs/tools/cd-dvd/cdrkit/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [cmake libcap zlib bzip2]; - noHardening_format = true; + hardening_format = false; # efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244 patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ]; diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix index 090af09fca0c..bb0d54a7ec29 100644 --- a/pkgs/tools/graphics/graphviz/default.nix +++ b/pkgs/tools/graphics/graphviz/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1"; }; - noHardening_all = true; + #hardening_all = false; patches = [ ./0001-vimdot-lookup-vim-in-PATH.patch diff --git a/pkgs/tools/graphics/transfig/default.nix b/pkgs/tools/graphics/transfig/default.nix index bcbbe71b897f..c584ed282d6b 100644 --- a/pkgs/tools/graphics/transfig/default.nix +++ b/pkgs/tools/graphics/transfig/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [zlib libjpeg libpng imake]; inherit libpng; - noHardening_format = true; + hardening_format = false; patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch]; diff --git a/pkgs/tools/misc/expect/default.nix b/pkgs/tools/misc/expect/default.nix index 4efa94612322..f99b83a2a0a5 100644 --- a/pkgs/tools/misc/expect/default.nix +++ b/pkgs/tools/misc/expect/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; nativeBuildInputs = [ makeWrapper ]; - noHardening_format = true; + hardening_format = false; patchPhase = '' sed -i "s,/bin/stty,$(type -p stty),g" configure diff --git a/pkgs/tools/misc/grub/2.0x.nix b/pkgs/tools/misc/grub/2.0x.nix index abe690ca0e45..f3c09ef686a9 100644 --- a/pkgs/tools/misc/grub/2.0x.nix +++ b/pkgs/tools/misc/grub/2.0x.nix 
@@ -52,7 +52,7 @@ stdenv.mkDerivation rec { ++ optional doCheck qemu ++ optional zfsSupport zfs; - noHardening_all = true; + hardening_all = false; preConfigure = '' for i in "tests/util/"*.in diff --git a/pkgs/tools/misc/gummiboot/default.nix b/pkgs/tools/misc/gummiboot/default.nix index e831bbdab6f5..d25b4f65ad7f 100644 --- a/pkgs/tools/misc/gummiboot/default.nix +++ b/pkgs/tools/misc/gummiboot/default.nix @@ -5,7 +5,7 @@ stdenv.mkDerivation rec { buildInputs = [ gnu-efi pkgconfig libxslt utillinux ]; - noHardening_all = true; + #hardening_all = false; # Sigh, gummiboot should be able to find this in buildInputs configureFlags = [ diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix index 6d9fe64f1694..414ff692d10d 100644 --- a/pkgs/tools/networking/iperf/2.nix +++ b/pkgs/tools/networking/iperf/2.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3"; }; - noHardening_format = true; + hardening_format = false; meta = with stdenv.lib; { homepage = "http://sourceforge.net/projects/iperf/"; diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix index 4aecc41aa3db..ba9552d4faea 100644 --- a/pkgs/tools/networking/vde2/default.nix +++ b/pkgs/tools/networking/vde2/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ openssl libpcap python ]; - noHardening_format = true; + hardening_format = false; meta = { homepage = http://vde.sourceforge.net/; diff --git a/pkgs/tools/typesetting/tex/texlive-new/bin.nix b/pkgs/tools/typesetting/tex/texlive-new/bin.nix index 37c19319ef76..4a788cfa8fe5 100644 --- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix +++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix @@ -64,7 +64,7 @@ core = stdenv.mkDerivation rec { perl ]; - noHardening_format = true; + hardening_format = false; preConfigure = '' rm -r libs/{cairo,freetype2,gd,gmp,graphite2,harfbuzz,icu,libpaper,libpng} \ 
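Review bot: `#hardening_all = false;` in gummiboot is a commented-out setting, so this EFI boot manager, built against gnu-efi per its `buildInputs`, now receives every hardening default including `-fstack-protector-all` and `-D_FORTIFY_SOURCE=2`, flags that a freestanding EFI image has no libc to back (`__stack_chk_fail`, `__*_chk`); the grub hunk in the same commit keeps `hardening_all = false`, so the asymmetry looks unintended. Either delete the dead line if the build and a boot were verified, or set the specific opt-outs with a reason: `hardening_stackprotector = false; # freestanding EFI image, no __stack_chk_fail` and `hardening_fortify = false;`.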
From 729870467a97382e2252defe4ae3b04765b9451b Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 26 Jan 2016 00:41:10 +0100 Subject: [PATCH 003/507] Switch to GCC 5 --- pkgs/stdenv/linux/default.nix | 9 ++------- pkgs/top-level/all-packages.nix | 4 ++-- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/pkgs/stdenv/linux/default.nix b/pkgs/stdenv/linux/default.nix index 12fc3fed5a5a..573e7139aac8 100644 --- a/pkgs/stdenv/linux/default.nix +++ b/pkgs/stdenv/linux/default.nix @@ -210,14 +210,9 @@ rec { gmp = pkgs.gmp.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; mpfr = pkgs.mpfr.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; libmpc = pkgs.libmpc.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; - isl_0_11 = pkgs.isl_0_11.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; - cloog_0_18_0 = pkgs.cloog_0_18_0.override { - stdenv = pkgs.makeStaticLibraries pkgs.stdenv; - isl = isl_0_11; - }; + isl = pkgs.isl.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; gccPlain = pkgs.gcc.cc.override { - isl = isl_0_11; - cloog = cloog_0_18_0; + isl = isl; }; }; extraBuildInputs = [ stage2.pkgs.patchelf stage2.pkgs.paxctl ]; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 0e658228f2f0..bd9ef8d47f3c 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -3920,7 +3920,7 @@ let gambit = callPackage ../development/compilers/gambit { }; - gcc = gcc49; + gcc = gcc5; gcc_multi = if system == "x86_64-linux" then lowPrio ( @@ -4068,7 +4068,7 @@ let cross = null; libcCross = if crossSystem != null then libcCross else null; - isl = isl_0_14; + isl = isl_0_15; })); gfortran = if !stdenv.isDarwin then gfortran49 From c0f673af320b8674ad19ed1d66bf7705ee7513cc Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Mon, 25 Jan 2016 23:50:36 +0000 Subject: [PATCH 004/507] gcc5: switch off hardening_format --- pkgs/development/compilers/gcc/5/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/gcc/5/default.nix b/pkgs/development/compilers/gcc/5/default.nix index 3b105143c0bf..47a272ac534e 100644 --- a/pkgs/development/compilers/gcc/5/default.nix +++ b/pkgs/development/compilers/gcc/5/default.nix @@ -216,6 +216,8 @@ stdenv.mkDerivation ({ sha256 = "1ny4smkp5bzs3cp8ss7pl6lk8yss0d9m4av1mvdp72r1x695akxq"; }; + hardening_format = false; + inherit patches; postPatch = From e96ea9712c1d441b72510f62769ddbfff4c8d7c5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 26 Jan 2016 00:15:30 +0000 Subject: [PATCH 005/507] ruby: add patch for RAND_egd --- .../interpreters/ruby/patchsets.nix | 6 +++ .../interpreters/ruby/rand-egd.patch | 42 +++++++++++++++++++ .../interpreters/ruby/ruby22-rand-egd.patch | 42 +++++++++++++++++++ 3 files changed, 90 insertions(+) create mode 100644 pkgs/development/interpreters/ruby/rand-egd.patch create mode 100644 pkgs/development/interpreters/ruby/ruby22-rand-egd.patch diff --git a/pkgs/development/interpreters/ruby/patchsets.nix b/pkgs/development/interpreters/ruby/patchsets.nix index 286301dc0a5d..1d0405312130 100644 --- a/pkgs/development/interpreters/ruby/patchsets.nix +++ b/pkgs/development/interpreters/ruby/patchsets.nix @@ -3,6 +3,7 @@ rec { "1.9.3" = [ ./ssl_v3.patch + ./rand-egd.patch ./ruby19-parallel-install.patch ./bitperfect-rdoc.patch ] ++ ops useRailsExpress [ @@ -28,6 +29,7 @@ rec { ]; "2.0.0" = [ ./ssl_v3.patch + ./rand-egd.patch ] ++ ops useRailsExpress [ "${patchSet}/patches/ruby/2.0.0/p${patchLevel}/railsexpress/01-zero-broken-tests.patch" "${patchSet}/patches/ruby/2.0.0/p${patchLevel}/railsexpress/02-railsexpress-gc.patch" 
@@ -81,6 +83,7 @@ rec { ]; "2.1.3" = [ ./ssl_v3.patch + ./rand-egd.patch ] ++ ops useRailsExpress [ "${patchSet}/patches/ruby/2.1.3/railsexpress/01-zero-broken-tests.patch" "${patchSet}/patches/ruby/2.1.3/railsexpress/02-improve-gc-stats.patch" @@ -106,6 +109,7 @@ rec { ]; "2.1.7" = [ ./ssl_v3.patch + ./rand-egd.patch ] ++ ops useRailsExpress [ "${patchSet}/patches/ruby/2.1.7/railsexpress/01-zero-broken-tests.patch" "${patchSet}/patches/ruby/2.1.7/railsexpress/02-improve-gc-stats.patch" @@ -128,6 +132,7 @@ rec { ]; "2.2.2" = [ ./ssl_v3.patch + ./ruby22-rand-egd.patch ] ++ ops useRailsExpress [ "${patchSet}/patches/ruby/2.2.2/railsexpress/01-zero-broken-tests.patch" "${patchSet}/patches/ruby/2.2.2/railsexpress/02-improve-gc-stats.patch" @@ -136,6 +141,7 @@ rec { ]; "2.2.3" = [ ./ssl_v3.patch + ./ruby22-rand-egd.patch ] ++ ops useRailsExpress [ "${patchSet}/patches/ruby/2.2.3/railsexpress/01-zero-broken-tests.patch" "${patchSet}/patches/ruby/2.2.3/railsexpress/02-improve-gc-stats.patch" diff --git a/pkgs/development/interpreters/ruby/rand-egd.patch b/pkgs/development/interpreters/ruby/rand-egd.patch new file mode 100644 index 000000000000..e4f6452000c2 --- /dev/null +++ b/pkgs/development/interpreters/ruby/rand-egd.patch 
@@ -0,0 +1,42 @@ +diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb +index e272cba..3a1fa71 100644 +--- a/ext/openssl/extconf.rb ++++ b/ext/openssl/extconf.rb +@@ -87,6 +87,7 @@ + have_func("PEM_def_callback") + have_func("PKCS5_PBKDF2_HMAC") + have_func("PKCS5_PBKDF2_HMAC_SHA1") ++have_func("RAND_egd") + have_func("X509V3_set_nconf") + have_func("X509V3_EXT_nconf_nid") + have_func("X509_CRL_add0_revoked") +diff --git a/ext/openssl/ossl_rand.c b/ext/openssl/ossl_rand.c +index 29cbf8c..27466fe 100644 +--- a/ext/openssl/ossl_rand.c ++++ b/ext/openssl/ossl_rand.c +@@ -148,6 +148,7 @@ ossl_rand_pseudo_bytes(VALUE self, VALUE len) + return str; + } + ++#ifdef HAVE_RAND_EGD + /* + * call-seq: + * egd(filename) -> true +@@ -186,6 +187,7 @@ ossl_rand_egd_bytes(VALUE self, VALUE filename, VALUE len) + } + return Qtrue; + } ++#endif /* HAVE_RAND_EGD */ + + /* + * call-seq: +@@ -219,7 +221,9 @@ Init_ossl_rand(void) + DEFMETH(mRandom, "write_random_file", ossl_rand_write_file, 1); + DEFMETH(mRandom, "random_bytes", ossl_rand_bytes, 1); + DEFMETH(mRandom, "pseudo_bytes", ossl_rand_pseudo_bytes, 1); ++#ifdef HAVE_RAND_EGD + DEFMETH(mRandom, "egd", ossl_rand_egd, 1); + DEFMETH(mRandom, "egd_bytes", ossl_rand_egd_bytes, 2); ++#endif /* HAVE_RAND_EGD */ + DEFMETH(mRandom, "status?", ossl_rand_status, 0) + } diff --git a/pkgs/development/interpreters/ruby/ruby22-rand-egd.patch b/pkgs/development/interpreters/ruby/ruby22-rand-egd.patch new file mode 100644 index 000000000000..ebf2bf56fcfa --- /dev/null +++ b/pkgs/development/interpreters/ruby/ruby22-rand-egd.patch 
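Review bot: Wrapping the EGD bindings in `#ifdef HAVE_RAND_EGD` makes `OpenSSL::Random.egd` and `egd_bytes` vanish on an OpenSSL without `RAND_egd`, so callers get a NoMethodError rather than an OpenSSLError; that is acceptable for an obsolete entropy source, but neither the patch file nor patchsets.nix says which OpenSSL configuration this targets (presumably a build without EGD support). Since patch(1) ignores leading text before the first `diff --git`, add a short header to the patch file stating its purpose and the OpenSSL variant that motivated it, so whoever next bumps OpenSSL or Ruby knows when it can be dropped. The same header belongs in the `ruby22-rand-egd.patch` twin, which differs only in the registration macro.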
@@ -0,0 +1,42 @@ +diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb +index e272cba..3a1fa71 100644 +--- a/ext/openssl/extconf.rb ++++ b/ext/openssl/extconf.rb +@@ -87,6 +87,7 @@ + have_func("PEM_def_callback") + have_func("PKCS5_PBKDF2_HMAC") + have_func("PKCS5_PBKDF2_HMAC_SHA1") ++have_func("RAND_egd") + have_func("X509V3_set_nconf") + have_func("X509V3_EXT_nconf_nid") + have_func("X509_CRL_add0_revoked") +diff --git a/ext/openssl/ossl_rand.c b/ext/openssl/ossl_rand.c +index 29cbf8c..27466fe 100644 +--- a/ext/openssl/ossl_rand.c ++++ b/ext/openssl/ossl_rand.c +@@ -148,6 +148,7 @@ ossl_rand_pseudo_bytes(VALUE self, VALUE len) + return str; + } + ++#ifdef HAVE_RAND_EGD + /* + * call-seq: + * egd(filename) -> true +@@ -186,6 +187,7 @@ ossl_rand_egd_bytes(VALUE self, VALUE filename, VALUE len) + } + return Qtrue; + } ++#endif /* HAVE_RAND_EGD */ + + /* + * call-seq: +@@ -219,8 +221,10 @@ Init_ossl_rand(void) + rb_define_module_function(mRandom, "write_random_file", ossl_rand_write_file, 1); + rb_define_module_function(mRandom, "random_bytes", ossl_rand_bytes, 1); + rb_define_module_function(mRandom, "pseudo_bytes", ossl_rand_pseudo_bytes, 1); ++#ifdef HAVE_RAND_EGD + rb_define_module_function(mRandom, "egd", ossl_rand_egd, 1); + rb_define_module_function(mRandom, "egd_bytes", ossl_rand_egd_bytes, 2); ++#endif /* HAVE_RAND_EGD */ + rb_define_module_function(mRandom, "status?", ossl_rand_status, 0); + } From 936dfeb700d185b3299a17308b548746f95e8900 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 26 Jan 2016 02:04:05 +0100 Subject: [PATCH 006/507] xorg.sessreg: Fix build on gcc-5 --- pkgs/servers/x11/xorg/overrides.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/servers/x11/xorg/overrides.nix b/pkgs/servers/x11/xorg/overrides.nix index 7bd179067cd0..b3d13c9c2589 100644 --- a/pkgs/servers/x11/xorg/overrides.nix +++ b/pkgs/servers/x11/xorg/overrides.nix 
@@ -440,4 +440,8 @@ in configureFlags = "--with-cpp=${args.mcpp}/bin/mcpp"; }; + sessreg = attrs: attrs // { + preBuild = "sed -i 's|gcc -E|gcc -E -P|' man/Makefile"; + }; + } From c4537af1dc06ff056d321849652c1e528d349560 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 26 Jan 2016 02:19:35 +0100 Subject: [PATCH 007/507] go: Disable stackprotector --- pkgs/development/compilers/go/1.4.nix | 2 +- pkgs/development/compilers/go/1.5.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix index 0d2d2ae2857b..542fcba2144d 100644 --- a/pkgs/development/compilers/go/1.4.nix +++ b/pkgs/development/compilers/go/1.4.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { buildInputs = [ pcre ]; propagatedBuildInputs = lib.optional stdenv.isDarwin Security; - #hardening_all = false; + hardening_stackprotector = false; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix index 750aec567a8c..4928bacaebdf 100644 --- a/pkgs/development/compilers/go/1.5.nix +++ b/pkgs/development/compilers/go/1.5.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { Security Foundation ]; - #hardening_all = false; + hardening_stackprotector = false; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. From aacc390769bd339c7d6b674ee8f3e3941a99f429 Mon Sep 17 00:00:00 2001 
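Review bot: `hardening_stackprotector = false;` in go/1.4.nix opts the Go toolchain build out of stack-protector hardening with no comment saying which step fails under it, so nobody can later tell whether the opt-out is still needed; the identical line in the go/1.5.nix hunk has the same gap. Please add a why-comment above the line naming the failure actually observed, e.g. `# the build fails with -fstack-protector (<error seen>); re-check on the next Go bump`. Narrowing the old commented-out `#hardening_all = false` to a single flag is the right direction, but without the reason recorded it will likely never be re-enabled.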
From: Franz Pletz
Date: Tue, 26 Jan 2016 02:58:17 +0100
Subject: [PATCH 008/507] ncat: Remove old package, available in nmap
---
 pkgs/tools/networking/ncat/default.nix | 25 ------------
 pkgs/tools/networking/ncat/ncat-0.10rc3.patch | 38 -------------------
 pkgs/top-level/all-packages.nix | 3 +-
 pkgs/top-level/release-small.nix | 1 -
 pkgs/top-level/release.nix | 1 -
 5 files changed, 1 insertion(+), 67 deletions(-)
 delete mode 100644 pkgs/tools/networking/ncat/default.nix
 delete mode 100644 pkgs/tools/networking/ncat/ncat-0.10rc3.patch
diff --git a/pkgs/tools/networking/ncat/default.nix b/pkgs/tools/networking/ncat/default.nix
deleted file mode 100644
index 8f81e9284b60..000000000000
--- a/pkgs/tools/networking/ncat/default.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{stdenv, fetchurl, openssl}:
-
-stdenv.mkDerivation {
- name = "ncat-0.10rc3";
-
- src = fetchurl {
- url = mirror://sourceforge/nmap-ncat/ncat-0.10rc3.tar.gz;
- sha256 = "1yb26ipxwhqkfannji90jxi38k35fal4ffx0jm5clr1a1rndjjzb";
- };
-
- patches = [./ncat-0.10rc3.patch];
-
- buildInputs = [openssl];
-
- CFLAGS = "-g";
-
- postInstall = ''
- install -D ncat $out/bin/ncat
- install -D docs/man/ncat.1 $out/man/ncat.1
- '';
-
- meta = {
- description = "A netcat implementation with IPv6 support";
- };
-}
diff --git a/pkgs/tools/networking/ncat/ncat-0.10rc3.patch b/pkgs/tools/networking/ncat/ncat-0.10rc3.patch
deleted file mode 100644
index ed4c93673aa6..000000000000
--- a/pkgs/tools/networking/ncat/ncat-0.10rc3.patch
+++ /dev/null
@@ -1,38 +0,0 @@ -diff -urN ncat-0.10rc3/ncat_main.c ncat-0.10rc3-fixed/ncat_main.c ---- ncat-0.10rc3/ncat_main.c 2006-01-10 03:29:08.000000000 +0300 -+++ ncat-0.10rc3-fixed/ncat_main.c 2007-07-09 09:58:58.000000000 +0400 -@@ -23,6 +23,7 @@ - { - struct sockaddr_in ss; - struct sockaddr_in6 ss6; -+ struct sockaddr_storage sst; - - struct conn_state cs; - -@@ -271,7 +272,7 @@ - } - - /* resolve hostname */ -- if (!resolve(argv[optind], (struct sockaddr_storage *) &ss)) { -+ if (!resolve(argv[optind], (struct sockaddr_storage *) &sst)) { - /* host failed to resolve :( */ - fprintf(stderr, - "%s: Could not resolve target hostname %s. QUITTING.\n", -@@ -297,6 +298,8 @@ - - /* IPv6 connect() */ - if (oipv == 6) { -+ memcpy(&ss6,&sst,sizeof(ss6)); -+ - ss6.sin6_family = AF_INET6; - ss_len = sizeof(struct sockaddr_in6); - -@@ -329,6 +332,8 @@ - } - /* IPv4 connect() - default. */ - else { -+ memcpy(&ss,&sst,sizeof(ss)); -+ - ss.sin_family = AF_INET; - ss_len = sizeof(struct sockaddr_in); - diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index bd9ef8d47f3c..06011dcd4bbf 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -2400,8 +2400,6 @@ let nc6 = callPackage ../tools/networking/nc6 { }; - ncat = callPackage ../tools/networking/ncat { }; - ncftp = callPackage ../tools/networking/ncftp { }; ncompress = callPackage ../tools/compression/ncompress { }; @@ -15950,6 +15948,7 @@ aliases = with self; rec { midoriWrapper = midori; # added 2015-01 mlt-qt5 = qt5.mlt; # added 2015-12-19 multipath_tools = multipath-tools; # added 2016-01-21 + ncat = nmap; # added 2016-01-26 nfsUtils = nfs-utils; # added 2014-12-06 phonon_qt5 = qt5.phonon; # added 2015-12-19 phonon_qt5_backend_gstreamer = qt5.phonon-backend-gstreamer; # added 2015-12-19 diff --git a/pkgs/top-level/release-small.nix b/pkgs/top-level/release-small.nix index fc428a73743b..409213e09e64 100644 --- a/pkgs/top-level/release-small.nix 
+++ b/pkgs/top-level/release-small.nix
@@ -112,7 +112,6 @@ with import ./release-lib.nix { inherit supportedSystems; };
 mpg321 = linux;
 mutt = linux;
 mysql = linux;
- ncat = linux;
 netcat = all;
 nfs-utils = linux;
 nix = all;
diff --git a/pkgs/top-level/release.nix b/pkgs/top-level/release.nix
index a555dcbf4fa3..1eff71f673f0 100644
--- a/pkgs/top-level/release.nix
+++ b/pkgs/top-level/release.nix
@@ -165,7 +165,6 @@ let
 mupen64plus = linux;
 mutt = linux;
 nano = allBut cygwin;
- ncat = linux;
 netcat = all;
 nss_ldap = linux;
 nssmdns = linux;
From 393977d800b5a1be040e111fd6da3d52b007ee0d Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Tue, 26 Jan 2016 03:42:26 +0100
Subject: [PATCH 009/507] Remove qcmm, strategoxt, aterm, bibtextools
These packages are very old and their tarballs or web pages are not available anymore. Furthermore, they break with recent compilers like GCC 5.
---
 pkgs/development/compilers/qcmm/default.nix | 12 --
 .../development/compilers/strategoxt/0.16.nix | 47 ------
 .../development/compilers/strategoxt/0.17.nix | 112 ----------
 .../development/compilers/strategoxt/0.18.nix | 124 ------------
 pkgs/development/libraries/aterm/2.5.nix | 33 -----
 .../libraries/aterm/max-long.patch | 77 ----------
 pkgs/development/libraries/aterm/sizeof.patch | 56 --------
 .../typesetting/bibtex-tools/default.nix | 17 ---
 pkgs/top-level/all-packages.nix | 27 ----
 9 files changed, 505 deletions(-)
 delete mode 100644 pkgs/development/compilers/qcmm/default.nix
 delete mode 100644 pkgs/development/compilers/strategoxt/0.16.nix
 delete mode 100644 pkgs/development/compilers/strategoxt/0.17.nix
 delete mode 100644 pkgs/development/compilers/strategoxt/0.18.nix
 delete mode 100644 pkgs/development/libraries/aterm/2.5.nix
 delete mode 100644 pkgs/development/libraries/aterm/max-long.patch
 delete mode 100644 pkgs/development/libraries/aterm/sizeof.patch
 delete mode 100644 pkgs/tools/typesetting/bibtex-tools/default.nix
diff --git a/pkgs/development/compilers/qcmm/default.nix b/pkgs/development/compilers/qcmm/default.nix
deleted file mode 100644
index a221ae29f04d..000000000000
--- a/pkgs/development/compilers/qcmm/default.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{stdenv, fetchurl, mk, ocaml, noweb, lua, groff }:
-stdenv.mkDerivation {
- name = "qcmm-2006-01-31";
- src = fetchurl {
- url = http://tarballs.nixos.org/qc--20060131.tar.gz;
- md5 = "9097830775bcf22c9bad54f389f5db23";
- };
- buildInputs = [ mk ocaml noweb groff ];
- patches = [ ./qcmm.patch ];
- builder = ./builder.sh;
- inherit lua;
-}
diff --git a/pkgs/development/compilers/strategoxt/0.16.nix b/pkgs/development/compilers/strategoxt/0.16.nix
deleted file mode 100644
index 4cfa2c798920..000000000000
--- a/pkgs/development/compilers/strategoxt/0.16.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{stdenv, fetchurl, aterm, pkgconfig, getopt}:
-
-rec {
-
- inherit aterm;
-
-
- sdf = stdenv.mkDerivation rec {
- name = "sdf2-bundle-2.3.3";
-
- src = fetchurl {
- url = ftp://ftp.stratego-language.org/pub/stratego/sdf2/sdf2-bundle-2.3.3/sdf2-bundle-2.3.3.tar.gz;
- md5 = "62ecabe5fbb8bbe043ee18470107ef88";
- };
-
- buildInputs = [pkgconfig aterm getopt];
-
- preConfigure = ''
- substituteInPlace pgen/src/sdf2table.src \
- --replace getopt ${getopt}/bin/getopt
- '';
-
- meta = {
- homepage = http://www.program-transformation.org/Sdf/SdfBundle;
- meta = "Tools for the SDF2 Syntax Definition Formalism, including the `pgen' parser generator and `sglr' parser";
- };
- };
-
-
- strategoxt = stdenv.mkDerivation {
- name = "strategoxt-0.16";
-
- src = fetchurl {
- url = ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.16/strategoxt-0.16.tar.gz;
- md5 = "8b8eabbd785faa84ec20134b63d4829e";
- };
-
- buildInputs = [pkgconfig aterm sdf getopt];
-
- meta = {
- homepage = http://strategoxt.org/;
- meta = "A language and toolset for program transformation";
- };
- };
-
-
-}
diff --git a/pkgs/development/compilers/strategoxt/0.17.nix b/pkgs/development/compilers/strategoxt/0.17.nix
deleted file mode 100644
index d621cbf5f0c2..000000000000
--- a/pkgs/development/compilers/strategoxt/0.17.nix
+++ /dev/null
@@ -1,112 +0,0 @@ -{stdenv, fetchurl, aterm, pkgconfig, getopt, jdk, readline, ncurses}: - -rec { - - inherit aterm; - - - sdf = stdenv.mkDerivation ( rec { - name = "sdf2-bundle-2.4"; - - src = fetchurl { - url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/sdf2-bundle-2.4.tar.gz"; - sha256 = "2ec83151173378f48a3326e905d11049d094bf9f0c7cff781bc2fce0f3afbc11"; - }; - - buildInputs = [pkgconfig aterm]; - - preConfigure = '' - substituteInPlace pgen/src/sdf2table.src \ - --replace getopt ${getopt}/bin/getopt - ''; - - meta = { - homepage = http://www.program-transformation.org/Sdf/SdfBundle; - meta = "Tools for the SDF2 Syntax Definition Formalism, including the `pgen' parser generator and `sglr' parser"; - }; - } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2 -Wl,--stack=0x2300000"; } else {} ) ) ; - - - strategoxt = stdenv.mkDerivation rec { - name = "strategoxt-0.17"; - - src = fetchurl { - url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/strategoxt-0.17.tar.gz"; - sha256 = "70355576c3ce3c5a8a26435705a49cf7d13e91eada974a654534d63e0d34acdb"; - }; - - buildInputs = [pkgconfig aterm sdf getopt]; - - meta = { - homepage = http://strategoxt.org/; - meta = "A language and toolset for program transformation"; - }; - }; - - strategoShell = stdenv.mkDerivation rec { - name = "stratego-shell-0.7"; - - src = fetchurl { - url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/stratego-shell-0.7.tar.gz"; - sha256 = "0q21vks9gaw9v4rxz90wb0pxzb19l7gwi4nbjvk4zb1imdk7znck"; - }; - - buildInputs = [pkgconfig aterm sdf strategoxt getopt readline ncurses]; - - meta = { - homepage = http://strategoxt.org/; - meta = "A language and toolset for program transformation"; - }; - }; - - - javafront = stdenv.mkDerivation (rec { - name = "java-front-0.9"; - - src = fetchurl { - url = "ftp://ftp.strategoxt.org/pub/stratego/java-front/java-front-0.9/java-front-0.9.tar.gz"; - sha256 = 
"96f40bf31486d3ced3ecebdcc0067e83ce6acbdbe57e3c847136ac3d7b62cc3c"; - }; - - buildInputs = [pkgconfig aterm sdf strategoxt]; - - # !!! The explicit `--with-strategoxt' is necessary; otherwise we - # get an XTC registration that refers to "/share/strategoxt/XTC". - configureFlags = "--enable-xtc --with-strategoxt=${strategoxt}"; - - meta = { - homepage = http://strategoxt.org/Stratego/JavaFront; - meta = "Tools for generating or transforming Java code"; - }; - } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2"; } else {} ) ) ; - - - dryad = stdenv.mkDerivation rec { - name = "dryad-0.2pre18355"; - - src = fetchurl { - url = "http://releases.strategoxt.org/dryad/${name}-zbqfh1rm/dryad-0.2pre18355.tar.gz"; - sha256 = "2c27b7f82f87ffc27b75969acc365560651275d348b3b5cbb530276d20ae83ab"; - }; - - buildInputs = [jdk pkgconfig aterm sdf strategoxt javafront]; - - meta = { - homepage = http://strategoxt.org/Stratego/TheDryad; - meta = "A collection of tools for developing transformation systems for Java source and bytecode"; - }; - }; - - - /* - libraries = ... { - configureFlags = - if stdenv ? isMinGW && stdenv.isMinGW then "--with-std=C99" else ""; - - # avoids loads of warnings about too big description fields because of a broken debug format - CFLAGS = - if stdenv ? isMinGW && stdenv.isMinGW then "-O2" else null; - }; - */ - -} diff --git a/pkgs/development/compilers/strategoxt/0.18.nix b/pkgs/development/compilers/strategoxt/0.18.nix deleted file mode 100644 index 611586c5d932..000000000000 --- a/pkgs/development/compilers/strategoxt/0.18.nix +++ /dev/null 
@@ -1,124 +0,0 @@ -{stdenv, fetchurl, aterm, pkgconfig, getopt, jdk, makeStaticBinaries, readline, ncurses}: - -rec { - - inherit aterm; - - sdf = stdenv.mkDerivation ( rec { - name = "sdf2-bundle-2.4"; - - src = fetchurl { - url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/sdf2-bundle-2.4.tar.gz"; - sha256 = "2ec83151173378f48a3326e905d11049d094bf9f0c7cff781bc2fce0f3afbc11"; - }; - - buildInputs = [pkgconfig aterm]; - - preConfigure = '' - substituteInPlace pgen/src/sdf2table.src \ - --replace getopt ${getopt}/bin/getopt - ''; - - meta = { - homepage = http://www.program-transformation.org/Sdf/SdfBundle; - meta = "Tools for the SDF2 Syntax Definition Formalism, including the `pgen' parser generator and `sglr' parser"; - }; - } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2 -Wl,--stack=0x2300000"; } else {} ) ) ; - - - strategoxt = stdenv.mkDerivation rec { - name = "strategoxt-1.8pre24429"; - - src = fetchurl { - url = http://hydra.nixos.org/build/2175544/download/1/strategoxt-1.8pre24429.tar.gz; - sha256 = "124f1d61a440b94c38b731c2e7015340dbbc1deb6d442b31dbecb46b0a00fa83"; - }; - - buildInputs = [pkgconfig aterm sdf getopt]; - - meta = { - homepage = http://strategoxt.org/; - meta = "A language and toolset for program transformation"; - }; - }; - - strategoShell = stdenv.mkDerivation rec { - name = "stratego-shell-0.7"; - - src = fetchurl { - url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/stratego-shell-0.7.tar.gz"; - sha256 = "0q21vks9gaw9v4rxz90wb0pxzb19l7gwi4nbjvk4zb1imdk7znck"; - }; - - buildInputs = [pkgconfig aterm sdf strategoxt getopt readline ncurses]; - - meta = { - homepage = http://strategoxt.org/; - meta = "A language and toolset for program transformation"; - broken = true; - }; - }; - - javafront = stdenv.mkDerivation (rec { - name = "java-front-0.9.1pre20122"; - - src = fetchurl { - url = "http://hydra.nixos.org/build/766286/download/1/java-front-0.9.1pre20122.tar.gz"; - sha256 = 
"ef85d3af962fcd54e028ea501e64220b86af335a49143f2819bd3f4789bef7e6"; - }; - - buildInputs = [pkgconfig aterm sdf strategoxt]; - - # !!! The explicit `--with-strategoxt' is necessary; otherwise we - # get an XTC registration that refers to "/share/strategoxt/XTC". - configureFlags = "--enable-xtc --with-strategoxt=${strategoxt}"; - - meta = { - homepage = http://strategoxt.org/Stratego/JavaFront; - meta = "Tools for generating or transforming Java code"; - }; - } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2"; } else {} ) ) ; - - - aspectjfront = stdenv.mkDerivation (rec { - name = "aspectj-front-0.2pre20035"; - - src = fetchurl { - url = "http://hydra.nixos.org/build/175690/download/1/aspectj-front-0.2pre20035.tar.gz"; - sha256 = "48f6cda6f9f19436e9553e8d27e6bb42500d08370332e3ad214affb49851e58e"; - }; - - buildInputs = [pkgconfig aterm sdf strategoxt javafront]; - - } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2"; } else {} ) ) ; - - dryad = stdenv.mkDerivation rec { - name = "dryad-0.2pre18355"; - - src = fetchurl { - url = "http://releases.strategoxt.org/dryad/${name}-zbqfh1rm/dryad-0.2pre18355.tar.gz"; - sha256 = "2c27b7f82f87ffc27b75969acc365560651275d348b3b5cbb530276d20ae83ab"; - }; - - buildInputs = [jdk pkgconfig aterm sdf strategoxt javafront]; - - meta = { - homepage = http://strategoxt.org/Stratego/TheDryad; - meta = "A collection of tools for developing transformation systems for Java source and bytecode"; - broken = true; - }; - }; - - - /* - libraries = ... { - configureFlags = - if stdenv ? isMinGW && stdenv.isMinGW then "--with-std=C99" else ""; - - # avoids loads of warnings about too big description fields because of a broken debug format - CFLAGS = - if stdenv ? isMinGW && stdenv.isMinGW then "-O2" else null; - }; - */ - -} diff --git a/pkgs/development/libraries/aterm/2.5.nix b/pkgs/development/libraries/aterm/2.5.nix deleted file mode 100644 index ef53a76d20ba..000000000000 
--- a/pkgs/development/libraries/aterm/2.5.nix +++ /dev/null @@ -1,33 +0,0 @@ -{stdenv, fetchurl}: - -stdenv.mkDerivation { - name = "aterm-2.5-r21238"; - - src = fetchurl { - url = http://buildfarm.st.ewi.tudelft.nl/releases/meta-environment/aterm-2.5pre21238-l2q7rg38/aterm-2.5.tar.gz; - md5 = "33ddcb1a229baf406ad1f603eb1d5995"; - }; - - patches = [ - # Fix for http://bugzilla.sen.cwi.nl:8080/show_bug.cgi?id=841 - ./max-long.patch - - # Patch the ATerm header files so that they don't rely on - # SIZEOF_LONG, SIZEOF_INT and SIZEOF_VOID_P being set. - ./sizeof.patch - ]; - - doCheck = true; - - dontDisableStatic = true; - - NIX_CFLAGS_COMPILE = "-D__USE_BSD"; - - meta = { - homepage = http://www.cwi.nl/htbin/sen1/twiki/bin/view/SEN1/ATerm; - license = "LGPL"; - description = "Library for manipulation of term data structures in C"; - platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin; - maintainers = [ stdenv.lib.maintainers.eelco ]; - }; -} diff --git a/pkgs/development/libraries/aterm/max-long.patch b/pkgs/development/libraries/aterm/max-long.patch deleted file mode 100644 index a2f260b970b3..000000000000 --- a/pkgs/development/libraries/aterm/max-long.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -diff -rc aterm-2.8-orig/aterm/hash.c aterm-2.8/aterm/hash.c -*** aterm-2.8-orig/aterm/hash.c 2008-11-10 13:54:22.000000000 +0100 ---- aterm-2.8/aterm/hash.c 2009-01-27 18:14:14.000000000 +0100 -*************** -*** 93,146 **** - } - - /*}}} */ -- /*{{{ static long calc_long_max() */ -- static long calc_long_max() -- { -- long try_long_max; -- long long_max; -- long delta; -- -- try_long_max = 1; -- do { -- long_max = try_long_max; -- try_long_max = long_max * 2; -- } while (try_long_max > 0); -- -- delta = long_max; -- while (delta > 1) { -- while (long_max + delta < 0) { -- delta /= 2; -- } -- long_max += delta; -- } -- -- return long_max; -- -- } -- /*}}} */ - /*{{{ static long calculateNewSize(sizeMinus1, nrdel, nrentries) */ - - static long calculateNewSize - (long sizeMinus1, long nr_deletions, long nr_entries) - { -- -- /* Hack: LONG_MAX (limits.h) is often unreliable, we need to find -- * out the maximum possible value of a signed long dynamically. -- */ -- static long st_long_max = 0; -- -- /* the resulting length has the form 2^k-1 */ -- - if (nr_deletions >= nr_entries/2) { - return sizeMinus1; - } - -! if (st_long_max == 0) { -! st_long_max = calc_long_max(); -! } -! -! if (sizeMinus1 > st_long_max / 2) { -! return st_long_max-1; - } - - return (2*sizeMinus1)+1; ---- 93,109 ---- - } - - /*}}} */ - /*{{{ static long calculateNewSize(sizeMinus1, nrdel, nrentries) */ - - static long calculateNewSize - (long sizeMinus1, long nr_deletions, long nr_entries) - { - if (nr_deletions >= nr_entries/2) { - return sizeMinus1; - } - -! if (sizeMinus1 > LONG_MAX / 2) { -! return LONG_MAX-1; - } - - return (2*sizeMinus1)+1; diff --git a/pkgs/development/libraries/aterm/sizeof.patch b/pkgs/development/libraries/aterm/sizeof.patch deleted file mode 100644 index 2649cc564913..000000000000 --- a/pkgs/development/libraries/aterm/sizeof.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -diff -rc -x '*~' aterm-2.5-orig/aterm/aterm.c aterm-2.5/aterm/aterm.c -*** aterm-2.5-orig/aterm/aterm.c 2007-02-27 23:41:31.000000000 +0100 ---- aterm-2.5/aterm/aterm.c 2010-02-23 15:10:38.000000000 +0100 -*************** -*** 150,155 **** ---- 150,157 ---- - if (initialized) - return; - -+ assert(sizeof(long) == sizeof(void *)); -+ - /*{{{ Handle arguments */ - - for (lcv=1; lcv < argc; lcv++) { -diff -rc -x '*~' aterm-2.5-orig/aterm/encoding.h aterm-2.5/aterm/encoding.h -*** aterm-2.5-orig/aterm/encoding.h 2007-02-27 23:41:31.000000000 +0100 ---- aterm-2.5/aterm/encoding.h 2010-02-23 15:36:05.000000000 +0100 -*************** -*** 10,24 **** - { - #endif/* __cplusplus */ - -! #if SIZEOF_LONG > 4 -! #define AT_64BIT - #endif - -! #if SIZEOF_LONG != SIZEOF_VOID_P -! #error Size of long is not the same as the size of a pointer - #endif - -! #if SIZEOF_INT > 4 - #error Size of int is not 32 bits - #endif - ---- 10,30 ---- - { - #endif/* __cplusplus */ - -! #include -! -! #ifndef SIZEOF_LONG -! #if ULONG_MAX > 4294967295 -! #define SIZEOF_LONG 8 -! #else -! #define SIZEOF_LONG 4 -! #endif - #endif - -! #if SIZEOF_LONG > 4 -! #define AT_64BIT - #endif - -! #if UINT_MAX > 4294967295 - #error Size of int is not 32 bits - #endif - diff --git a/pkgs/tools/typesetting/bibtex-tools/default.nix b/pkgs/tools/typesetting/bibtex-tools/default.nix deleted file mode 100644 index a822a181a653..000000000000 --- a/pkgs/tools/typesetting/bibtex-tools/default.nix +++ /dev/null @@ -1,17 +0,0 @@ -{stdenv, fetchurl, hevea, tetex, strategoxt, aterm, sdf}: - -stdenv.mkDerivation { - name = "bibtex-tools-0.2pre13026"; - src = fetchurl { - url = http://tarballs.nixos.org/bibtex-tools-0.2pre13026.tar.gz; - md5 = "2d8a5de7c53eb670307048eb3d14cdd6"; - }; - configureFlags = " - --with-aterm=${aterm} - --with-sdf=${sdf} - --with-strategoxt=${strategoxt} - --with-hevea=${hevea} - --with-latex=${tetex}"; - buildInputs = [aterm sdf strategoxt hevea]; - meta.broken = true; -} 
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 06011dcd4bbf..2a01196be09c 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -995,10 +995,6 @@ let UnicodeCollate UnicodeLineBreak URI XMLLibXMLSimple XMLLibXSLT XMLWriter; }; - bibtextools = callPackage ../tools/typesetting/bibtex-tools { - inherit (strategoPackages016) strategoxt sdf; - }; - bittornado = callPackage ../tools/networking/p2p/bit-tornado { }; blueman = callPackage ../tools/bluetooth/blueman { @@ -4911,11 +4907,6 @@ let llvm = llvm_36; }; - qcmm = callPackage ../development/compilers/qcmm { - lua = lua4; - ocaml = ocaml_3_08_0; - }; - rtags = callPackage ../development/tools/rtags/default.nix {}; rustcMaster = callPackage ../development/compilers/rustc/head.nix {}; @@ -4980,20 +4971,6 @@ let stalin = callPackage ../development/compilers/stalin { }; - strategoPackages = recurseIntoAttrs strategoPackages018; - - strategoPackages016 = callPackage ../development/compilers/strategoxt/0.16.nix { - stdenv = overrideInStdenv stdenv [gnumake380]; - }; - - strategoPackages017 = callPackage ../development/compilers/strategoxt/0.17.nix { - readline = readline5; - }; - - strategoPackages018 = callPackage ../development/compilers/strategoxt/0.18.nix { - readline = readline5; - }; - metaBuildEnv = callPackage ../development/compilers/meta-environment/meta-build-env { }; swiProlog = callPackage ../development/compilers/swi-prolog { }; @@ -6194,10 +6171,6 @@ let aspellDicts = recurseIntoAttrs (callPackages ../development/libraries/aspell/dictionaries.nix {}); - aterm = aterm25; - - aterm25 = callPackage ../development/libraries/aterm/2.5.nix { }; - attica = callPackage ../development/libraries/attica { }; attr = callPackage ../development/libraries/attr { }; From 73f4c2bdf89ca02d70e614631531af307d056fef Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Tue, 26 Jan 2016 04:25:30 +0100 Subject: [PATCH 010/507] Remove lsh, broken & unmaintained --- nixos/modules/config/gnu.nix | 9 +- .../modules/services/networking/ssh/lshd.nix | 176 ------------------ pkgs/tools/networking/lsh/default.nix | 49 ----- .../networking/lsh/lshd-no-root-login.patch | 16 -- .../networking/lsh/pam-service-name.patch | 14 -- pkgs/top-level/all-packages.nix | 4 - 6 files changed, 1 insertion(+), 267 deletions(-) delete mode 100644 nixos/modules/services/networking/ssh/lshd.nix delete mode 100644 pkgs/tools/networking/lsh/default.nix delete mode 100644 pkgs/tools/networking/lsh/lshd-no-root-login.patch delete mode 100644 pkgs/tools/networking/lsh/pam-service-name.patch diff --git a/nixos/modules/config/gnu.nix b/nixos/modules/config/gnu.nix index f8c35b440d12..5cc41ce8690f 100644 --- a/nixos/modules/config/gnu.nix +++ b/nixos/modules/config/gnu.nix @@ -9,8 +9,7 @@ with lib; default = false; description = '' When enabled, GNU software is chosen by default whenever a there is - a choice between GNU and non-GNU software (e.g., GNU lsh - vs. OpenSSH). + a choice between GNU and non-GNU software. ''; }; }; @@ -33,12 +32,6 @@ with lib; boot.loader.grub.enable = !pkgs.stdenv.isArm; boot.loader.grub.version = 2; - # GNU lsh. - services.openssh.enable = false; - services.lshd.enable = true; - programs.ssh.startAgent = false; - services.xserver.startGnuPGAgent = true; - # TODO: GNU dico. # TODO: GNU Inetutils' inetd. # TODO: GNU Pies. diff --git a/nixos/modules/services/networking/ssh/lshd.nix b/nixos/modules/services/networking/ssh/lshd.nix deleted file mode 100644 index 661a6a524631..000000000000 --- a/nixos/modules/services/networking/ssh/lshd.nix +++ /dev/null 
@@ -1,176 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - inherit (pkgs) lsh; - - cfg = config.services.lshd; - -in - -{ - - ###### interface - - options = { - - services.lshd = { - - enable = mkOption { - default = false; - description = '' - Whether to enable the GNU lshd SSH2 daemon, which allows - secure remote login. - ''; - }; - - portNumber = mkOption { - default = 22; - description = '' - The port on which to listen for connections. - ''; - }; - - interfaces = mkOption { - default = []; - description = '' - List of network interfaces where listening for connections. - When providing the empty list, `[]', lshd listens on all - network interfaces. - ''; - example = [ "localhost" "1.2.3.4:443" ]; - }; - - hostKey = mkOption { - default = "/etc/lsh/host-key"; - description = '' - Path to the server's private key. Note that this key must - have been created, e.g., using "lsh-keygen --server | - lsh-writekey --server", so that you can run lshd. - ''; - }; - - syslog = mkOption { - default = true; - description = ''Whether to enable syslog output.''; - }; - - passwordAuthentication = mkOption { - default = true; - description = ''Whether to enable password authentication.''; - }; - - publicKeyAuthentication = mkOption { - default = true; - description = ''Whether to enable public key authentication.''; - }; - - rootLogin = mkOption { - default = false; - description = ''Whether to enable remote root login.''; - }; - - loginShell = mkOption { - default = null; - description = '' - If non-null, override the default login shell with the - specified value. - ''; - example = "/nix/store/xyz-bash-10.0/bin/bash10"; - }; - - srpKeyExchange = mkOption { - default = false; - description = '' - Whether to enable SRP key exchange and user authentication. 
- ''; - }; - - tcpForwarding = mkOption { - default = true; - description = ''Whether to enable TCP/IP forwarding.''; - }; - - x11Forwarding = mkOption { - default = true; - description = ''Whether to enable X11 forwarding.''; - }; - - subsystems = mkOption { - description = '' - List of subsystem-path pairs, where the head of the pair - denotes the subsystem name, and the tail denotes the path to - an executable implementing it. - ''; - }; - - }; - - }; - - - ###### implementation - - config = mkIf cfg.enable { - - services.lshd.subsystems = [ ["sftp" "${pkgs.lsh}/sbin/sftp-server"] ]; - - systemd.services.lshd = { - description = "GNU lshd SSH2 daemon"; - - after = [ "network-interfaces.target" ]; - - wantedBy = [ "multi-user.target" ]; - - environment = { - LD_LIBRARY_PATH = config.system.nssModules.path; - }; - - preStart = '' - test -d /etc/lsh || mkdir -m 0755 -p /etc/lsh - test -d /var/spool/lsh || mkdir -m 0755 -p /var/spool/lsh - - if ! test -f /var/spool/lsh/yarrow-seed-file - then - # XXX: It would be nice to provide feedback to the - # user when this fails, so that they can retry it - # manually. - ${lsh}/bin/lsh-make-seed --sloppy \ - -o /var/spool/lsh/yarrow-seed-file - fi - - if ! 
test -f "${cfg.hostKey}" - then - ${lsh}/bin/lsh-keygen --server | \ - ${lsh}/bin/lsh-writekey --server -o "${cfg.hostKey}" - fi - ''; - - script = with cfg; '' - ${lsh}/sbin/lshd --daemonic \ - --password-helper="${lsh}/sbin/lsh-pam-checkpw" \ - -p ${toString portNumber} \ - ${if interfaces == [] then "" - else (concatStrings (map (i: "--interface=\"${i}\"") - interfaces))} \ - -h "${hostKey}" \ - ${if !syslog then "--no-syslog" else ""} \ - ${if passwordAuthentication then "--password" else "--no-password" } \ - ${if publicKeyAuthentication then "--publickey" else "--no-publickey" } \ - ${if rootLogin then "--root-login" else "--no-root-login" } \ - ${if loginShell != null then "--login-shell=\"${loginShell}\"" else "" } \ - ${if srpKeyExchange then "--srp-keyexchange" else "--no-srp-keyexchange" } \ - ${if !tcpForwarding then "--no-tcpip-forward" else "--tcpip-forward"} \ - ${if x11Forwarding then "--x11-forward" else "--no-x11-forward" } \ - --subsystems=${concatStringsSep "," - (map (pair: (head pair) + "=" + - (head (tail pair))) - subsystems)} - ''; - }; - - security.pam.services.lshd = {}; - }; -} diff --git a/pkgs/tools/networking/lsh/default.nix b/pkgs/tools/networking/lsh/default.nix deleted file mode 100644 index 77d268f3a47c..000000000000 --- a/pkgs/tools/networking/lsh/default.nix +++ /dev/null 
@@ -1,49 +0,0 @@ -{ stdenv, fetchurl, gperf, guile, gmp, zlib, liboop, readline, gnum4, pam -, nettools, lsof, procps }: - -stdenv.mkDerivation rec { - name = "lsh-2.0.4"; - src = fetchurl { - url = "mirror://gnu/lsh/${name}.tar.gz"; - sha256 = "614b9d63e13ad3e162c82b6405d1f67713fc622a8bc11337e72949d613713091"; - }; - - patches = [ ./pam-service-name.patch ./lshd-no-root-login.patch ]; - - preConfigure = '' - # Patch `lsh-make-seed' so that it can gather enough entropy. - sed -i "src/lsh-make-seed.c" \ - -e "s|/usr/sbin/arp|${nettools}/sbin/arp|g ; - s|/usr/bin/netstat|${nettools}/bin/netstat|g ; - s|/usr/local/bin/lsof|${lsof}/bin/lsof|g ; - s|/bin/vmstat|${procps}/bin/vmstat|g ; - s|/bin/ps|${procps}/bin/sp|g ; - s|/usr/bin/w|${procps}/bin/w|g ; - s|/usr/bin/df|$(type -P df)|g ; - s|/usr/bin/ipcs|$(type -P ipcs)|g ; - s|/usr/bin/uptime|$(type -P uptime)|g" - - # Skip the `configure' script that checks whether /dev/ptmx & co. work as - # expected, because it relies on impurities (for instance, /dev/pts may - # be unavailable in chroots.) - export lsh_cv_sys_unix98_ptys=yes - ''; - - buildInputs = [ gperf guile gmp zlib liboop readline gnum4 pam ]; - - meta = { - description = "GPL'd implementation of the SSH protocol"; - - longDescription = '' - lsh is a free implementation (in the GNU sense) of the ssh - version 2 protocol, currently being standardised by the IETF - SECSH working group. - ''; - - homepage = http://www.lysator.liu.se/~nisse/lsh/; - license = stdenv.lib.licenses.gpl2Plus; - - maintainers = [ ]; - platforms = [ "x86_64-linux" ]; - }; -} diff --git a/pkgs/tools/networking/lsh/lshd-no-root-login.patch b/pkgs/tools/networking/lsh/lshd-no-root-login.patch deleted file mode 100644 index 9dd81de3fbc1..000000000000 --- a/pkgs/tools/networking/lsh/lshd-no-root-login.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -Correctly handle the `--no-root-login' option. - ---- lsh-2.0.4/src/lshd.c 2006-05-01 13:47:44.000000000 +0200 -+++ lsh-2.0.4/src/lshd.c 2009-09-08 12:20:36.000000000 +0200 -@@ -758,6 +758,10 @@ main_argp_parser(int key, char *arg, str - self->allow_root = 1; - break; - -+ case OPT_NO_ROOT_LOGIN: -+ self->allow_root = 0; -+ break; -+ - case OPT_KERBEROS_PASSWD: - self->pw_helper = PATH_KERBEROS_HELPER; - break; - diff --git a/pkgs/tools/networking/lsh/pam-service-name.patch b/pkgs/tools/networking/lsh/pam-service-name.patch deleted file mode 100644 index 6a6156855c51..000000000000 --- a/pkgs/tools/networking/lsh/pam-service-name.patch +++ /dev/null @@ -1,14 +0,0 @@ -Tell `lsh-pam-checkpw', the PAM password helper program, to use a more -descriptive service name. - ---- lsh-2.0.4/src/lsh-pam-checkpw.c 2003-02-16 22:30:10.000000000 +0100 -+++ lsh-2.0.4/src/lsh-pam-checkpw.c 2008-11-28 16:16:58.000000000 +0100 -@@ -38,7 +38,7 @@ - #include - - #define PWD_MAXLEN 1024 --#define SERVICE_NAME "other" -+#define SERVICE_NAME "lshd" - #define TIMEOUT 600 - - static int diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 2a01196be09c..4031575e12eb 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -2212,10 +2212,6 @@ let lrzip = callPackage ../tools/compression/lrzip { }; - # lsh installs `bin/nettle-lfib-stream' and so does Nettle. Give the - # former a lower priority than Nettle. - lsh = lowPrio (callPackage ../tools/networking/lsh { }); - lshw = callPackage ../tools/system/lshw { }; lxc = callPackage ../os-specific/linux/lxc { }; From 1581f25a07dda0639d1ef8a5d40b1904fec9ca95 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 26 Jan 2016 17:34:17 +0000 Subject: [PATCH 011/507] multipath-tools: no format hardening --- pkgs/os-specific/linux/multipath-tools/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/pkgs/os-specific/linux/multipath-tools/default.nix b/pkgs/os-specific/linux/multipath-tools/default.nix index ba69b421c3d3..8aee4b73fdde 100644 --- a/pkgs/os-specific/linux/multipath-tools/default.nix +++ b/pkgs/os-specific/linux/multipath-tools/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1yd6l1l1c62xjr1xnij2x49kr416anbgfs4y06r86kp9hkmz2g7i"; }; + hardening_format = false; + postPatch = '' sed -i -re ' s,^( *#define +DEFAULT_MULTIPATHDIR\>).*,\1 "'"$out/lib/multipath"'", From c10ca363c6c12e7fc2455e0599bba23b0291a290 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 26 Jan 2016 20:51:11 +0000 Subject: [PATCH 012/507] graphviz: no fortify hardening --- pkgs/tools/graphics/graphviz/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix index bb0d54a7ec29..9a9621dd784e 100644 --- a/pkgs/tools/graphics/graphviz/default.nix +++ b/pkgs/tools/graphics/graphviz/default.nix @@ -12,11 +12,11 @@ stdenv.mkDerivation rec { sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1"; }; - #hardening_all = false; + hardening_fortify = false; patches = [ ./0001-vimdot-lookup-vim-in-PATH.patch - + # NOTE: Once this patch is removed, flex can probably be removed from # buildInputs. ./cve-2014-9157.patch From 8329066d5e9bb2888c4a194605d11ef09534aaf2 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 28 Jan 2016 01:46:45 +0000 Subject: [PATCH 013/507] lsh: remove last references --- nixos/modules/module-list.nix | 1 - pkgs/top-level/guile-2-test.nix | 1 - pkgs/top-level/release-cross.nix | 1 - pkgs/top-level/release-small.nix | 1 - 4 files changed, 4 deletions(-) diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 2ff61877c23d..fda28fcf27b2 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix 
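Review bot: `hardening_format = false;` is added without a comment recording which source file trips the format-string check, so a later maintainer cannot tell whether the flag can be re-enabled. The same bare flag recurs further down in the gcc45, texlive-core-big, patchutils, librsync, avrgcclibc, db4, freetds, libgeotiff, ltl2ba, cvs and gdome2 hunks, and the graphviz hunk on this line does the same for fortify; the jfsutils and dmraid patches later in this series show the preferable route of fixing the `printf(msg)` calls themselves. Suggest at least `# non-literal format strings in <offending file>; see build log` above the flag in each of these hunks, with the placeholder replaced by the file named in the build failure.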
@@ -358,7 +358,6 @@ ./services/networking/softether.nix ./services/networking/spiped.nix ./services/networking/sslh.nix - ./services/networking/ssh/lshd.nix ./services/networking/ssh/sshd.nix ./services/networking/strongswan.nix ./services/networking/supplicant.nix diff --git a/pkgs/top-level/guile-2-test.nix b/pkgs/top-level/guile-2-test.nix index 802277d474a1..3219fc9108a4 100644 --- a/pkgs/top-level/guile-2-test.nix +++ b/pkgs/top-level/guile-2-test.nix @@ -56,7 +56,6 @@ in (mapTestOn { guile = linux; autogen = linux; - lsh = linux; mailutils = linux; mcron = linux; texmacs = linux; diff --git a/pkgs/top-level/release-cross.nix b/pkgs/top-level/release-cross.nix index ced90c0489ca..fe7b88d813cb 100644 --- a/pkgs/top-level/release-cross.nix +++ b/pkgs/top-level/release-cross.nix @@ -219,7 +219,6 @@ in { libffi.crossDrv = nativePlatforms; libtool.crossDrv = nativePlatforms; libunistring.crossDrv = nativePlatforms; - lsh.crossDrv = nativePlatforms; nixUnstable.crossDrv = nativePlatforms; openssl.crossDrv = nativePlatforms; # dependency of Nix patch.crossDrv = nativePlatforms; diff --git a/pkgs/top-level/release-small.nix b/pkgs/top-level/release-small.nix index 409213e09e64..f58626220bcd 100644 --- a/pkgs/top-level/release-small.nix +++ b/pkgs/top-level/release-small.nix @@ -89,7 +89,6 @@ with import ./release-lib.nix { inherit supportedSystems; }; libxml2 = all; libxslt = all; lout = linux; - lsh = linux; lsof = linux; ltrace = linux; lvm2 = linux; From acb408646e1151cd2d0ee188d5a36424bfc2ea00 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Thu, 28 Jan 2016 01:46:59 +0000 Subject: [PATCH 014/507] remove local pic flags, now set by hardened stdenv --- pkgs/development/libraries/a52dec/default.nix | 2 -- pkgs/development/libraries/cgui/default.nix | 1 - pkgs/development/libraries/gsm/default.nix | 2 -- pkgs/development/libraries/hspell/default.nix | 2 -- pkgs/development/libraries/itk/default.nix | 1 - pkgs/development/libraries/libdnet/default.nix | 2 -- pkgs/development/libraries/libunwind/default.nix | 1 - pkgs/development/libraries/libyaml-cpp/default.nix | 4 +--- pkgs/development/libraries/phonon/qt5/default.nix | 2 -- pkgs/development/libraries/plib/default.nix | 5 +---- pkgs/development/libraries/science/math/atlas/default.nix | 4 ---- .../libraries/science/math/suitesparse/default.nix | 2 -- pkgs/development/libraries/zlib/default.nix | 3 +-- pkgs/development/tools/toluapp/default.nix | 2 -- pkgs/tools/graphics/netpbm/default.nix | 2 -- 15 files changed, 3 insertions(+), 32 deletions(-) diff --git a/pkgs/development/libraries/a52dec/default.nix b/pkgs/development/libraries/a52dec/default.nix index 7d5c5fab3934..5a47d50284f5 100644 --- a/pkgs/development/libraries/a52dec/default.nix +++ b/pkgs/development/libraries/a52dec/default.nix @@ -8,8 +8,6 @@ stdenv.mkDerivation rec { sha256 = "0czccp4fcpf2ykp16xcrzdfmnircz1ynhls334q374xknd5747d2"; }; - NIX_CFLAGS_COMPILE = "-fpic"; - # From Handbrake patches = [ ./A00-a52-state-t-public.patch diff --git a/pkgs/development/libraries/cgui/default.nix b/pkgs/development/libraries/cgui/default.nix index 0f1178622360..29413b1c845e 100644 --- a/pkgs/development/libraries/cgui/default.nix +++ b/pkgs/development/libraries/cgui/default.nix @@ -12,7 +12,6 @@ stdenv.mkDerivation rec { buildInputs = [ texinfo allegro perl ]; configurePhase = '' - export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -fPIC" sh fix.sh unix ''; 
diff --git a/pkgs/development/libraries/gsm/default.nix b/pkgs/development/libraries/gsm/default.nix index fb9ff8eb0fbc..42d36b8406e2 100644 --- a/pkgs/development/libraries/gsm/default.nix +++ b/pkgs/development/libraries/gsm/default.nix @@ -41,8 +41,6 @@ stdenv.mkDerivation rec { preInstall = "mkdir -p $out/{bin,lib,man/man1,man/man3,include/gsm}"; - NIX_CFLAGS_COMPILE = optional (!staticSupport) "-fPIC"; - parallelBuild = false; meta = with stdenv.lib; { diff --git a/pkgs/development/libraries/hspell/default.nix b/pkgs/development/libraries/hspell/default.nix index 9b44d12c2934..eebd105a00db 100644 --- a/pkgs/development/libraries/hspell/default.nix +++ b/pkgs/development/libraries/hspell/default.nix @@ -16,8 +16,6 @@ stdenv.mkDerivation rec { patchPhase = ''patchShebangs .''; buildInputs = [ perl zlib ]; - makeFlags = "CFLAGS=-fPIC"; - meta = { description = "Hebrew spell checker"; homepage = http://hspell.ivrix.org.il/; diff --git a/pkgs/development/libraries/itk/default.nix b/pkgs/development/libraries/itk/default.nix index 7b4e3834af76..eda9434ab657 100644 --- a/pkgs/development/libraries/itk/default.nix +++ b/pkgs/development/libraries/itk/default.nix @@ -12,7 +12,6 @@ stdenv.mkDerivation rec { "-DBUILD_TESTING=OFF" "-DBUILD_EXAMPLES=OFF" "-DBUILD_SHARED_LIBS=ON" - "-DCMAKE_CXX_FLAGS=-fPIC" ]; enableParallelBuilding = true; diff --git a/pkgs/development/libraries/libdnet/default.nix b/pkgs/development/libraries/libdnet/default.nix index 8911539d7b02..dbda4107c485 100644 --- a/pkgs/development/libraries/libdnet/default.nix +++ b/pkgs/development/libraries/libdnet/default.nix @@ -12,8 +12,6 @@ stdenv.mkDerivation { buildInputs = [ automake autoconf libtool ]; - CFLAGS="-fPIC"; - # .so endings are missing (quick and dirty fix) postInstall = '' for i in $out/lib/*; do diff --git a/pkgs/development/libraries/libunwind/default.nix b/pkgs/development/libraries/libunwind/default.nix index 3fc8b5085590..86f0c50dd207 100644 
--- a/pkgs/development/libraries/libunwind/default.nix +++ b/pkgs/development/libraries/libunwind/default.nix @@ -22,7 +22,6 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ xz ]; - NIX_CFLAGS_COMPILE = if stdenv.system == "x86_64-linux" then "-fPIC" else ""; preInstall = '' mkdir -p "$out/lib" touch "$out/lib/libunwind-generic.so" diff --git a/pkgs/development/libraries/libyaml-cpp/default.nix b/pkgs/development/libraries/libyaml-cpp/default.nix index f56bf77abfea..1ba31a7a6d52 100644 --- a/pkgs/development/libraries/libyaml-cpp/default.nix +++ b/pkgs/development/libraries/libyaml-cpp/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, cmake, boost, makePIC ? false }: +{ stdenv, fetchurl, cmake, boost }: stdenv.mkDerivation { name = "libyaml-cpp-0.5.1"; @@ -10,8 +10,6 @@ stdenv.mkDerivation { buildInputs = [ cmake boost ]; - cmakeFlags = stdenv.lib.optionals makePIC [ "-DCMAKE_C_FLAGS=-fPIC" "-DCMAKE_CXX_FLAGS=-fPIC" ]; - meta = with stdenv.lib; { homepage = http://code.google.com/p/yaml-cpp/; description = "A YAML parser and emitter for C++"; diff --git a/pkgs/development/libraries/phonon/qt5/default.nix b/pkgs/development/libraries/phonon/qt5/default.nix index fc07344d2d1a..c7baeb2e3404 100644 --- a/pkgs/development/libraries/phonon/qt5/default.nix +++ b/pkgs/development/libraries/phonon/qt5/default.nix @@ -20,8 +20,6 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ cmake pkgconfig ]; - NIX_CFLAGS_COMPILE = "-fPIC"; - cmakeFlags = [ "-DCMAKE_BUILD_TYPE=${if debug then "Debug" else "Release"}" "-DPHONON_BUILD_PHONON4QT5=ON" diff --git a/pkgs/development/libraries/plib/default.nix b/pkgs/development/libraries/plib/default.nix index ff60e62cad3f..dc75a407e92a 100644 --- a/pkgs/development/libraries/plib/default.nix +++ b/pkgs/development/libraries/plib/default.nix 
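Review bot: Dropping `makePIC ? false` from the argument set at the top of libyaml-cpp/default.nix turns any caller that still passes `makePIC` into an evaluation error (unexpected argument), and the diffstat lists no change to all-packages.nix or any other caller. The plib hunk on the next line removes `enablePIC ? false` the same way. If no call site passes either attribute the removal is harmless; otherwise keep an ignored `makePIC ? false` for a transition period or fix the callers in the same commit.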
@@ -1,6 +1,5 @@ { fetchurl, stdenv, mesa, freeglut, SDL -, libXi, libSM, libXmu, libXext, libX11, -enablePIC ? false }: +, libXi, libSM, libXmu, libXext, libX11 }: stdenv.mkDerivation rec { name = "plib-1.8.5"; @@ -13,8 +12,6 @@ stdenv.mkDerivation rec { patches = [ ./CVE-2012-4552.patch ]; - NIX_CFLAGS_COMPILE = if enablePIC then "-fPIC" else ""; - propagatedBuildInputs = [ mesa freeglut SDL diff --git a/pkgs/development/libraries/science/math/atlas/default.nix b/pkgs/development/libraries/science/math/atlas/default.nix index 1fa48ffea91c..9779af6addcc 100644 --- a/pkgs/development/libraries/science/math/atlas/default.nix +++ b/pkgs/development/libraries/science/math/atlas/default.nix @@ -73,14 +73,10 @@ stdenv.mkDerivation { configureScript=../configure ''; - # * -fPIC is passed even in non-shared builds so that the ATLAS code can be - # used to inside of shared libraries, like Octave does. - # # * -t 0 disables use of multi-threading. It's not quite clear what the # consequences of that setting are and whether it's necessary or not. configureFlags = [ "-Fa alg" - "-fPIC" "-t ${threads}" cpuConfig ] ++ optional shared "--shared" diff --git a/pkgs/development/libraries/science/math/suitesparse/default.nix b/pkgs/development/libraries/science/math/suitesparse/default.nix index e32b8b344267..b4b9a6970ff8 100644 --- a/pkgs/development/libraries/science/math/suitesparse/default.nix +++ b/pkgs/development/libraries/science/math/suitesparse/default.nix @@ -33,8 +33,6 @@ stdenv.mkDerivation { "LAPACK=" ]; - NIX_CFLAGS = "-fPIC"; - postInstall = '' # Build and install shared library ( diff --git a/pkgs/development/libraries/zlib/default.nix b/pkgs/development/libraries/zlib/default.nix index 7a6f480215c7..93474d14344e 100644 --- a/pkgs/development/libraries/zlib/default.nix +++ b/pkgs/development/libraries/zlib/default.nix 
@@ -31,8 +31,7 @@ stdenv.mkDerivation (rec { # As zlib takes part in the stdenv building, we don't want references # to the bootstrap-tools libgcc (as uses to happen on arm/mips) - NIX_CFLAGS_COMPILE = stdenv.lib.optionalString (!stdenv.isDarwin) "-static-libgcc " - + stdenv.lib.optionalString (stdenv.isFreeBSD) "-fPIC"; + NIX_CFLAGS_COMPILE = stdenv.lib.optionalString (!stdenv.isDarwin) "-static-libgcc"; crossAttrs = { dontStrip = static; diff --git a/pkgs/development/tools/toluapp/default.nix b/pkgs/development/tools/toluapp/default.nix index 73a8b64ed22a..69dfa0280e50 100644 --- a/pkgs/development/tools/toluapp/default.nix +++ b/pkgs/development/tools/toluapp/default.nix @@ -20,8 +20,6 @@ stdenv.mkDerivation rec { --replace /usr/local $out ''; - NIX_CFLAGS_COMPILE = "-fPIC"; - buildPhase = ''scons''; installPhase = ''scons install''; diff --git a/pkgs/tools/graphics/netpbm/default.nix b/pkgs/tools/graphics/netpbm/default.nix index e69a73ff321e..853b298f158a 100644 --- a/pkgs/tools/graphics/netpbm/default.nix +++ b/pkgs/tools/graphics/netpbm/default.nix @@ -15,8 +15,6 @@ stdenv.mkDerivation rec { --replace '"-DSAFER"' '"-DPARANOIDSAFER"' ''; - NIX_CFLAGS_COMPILE = "-fPIC"; # Gentoo adds this on every platform - buildInputs = [ pkgconfig flex zlib perl libpng libjpeg libxml2 makeWrapper libtiff ] ++ lib.optional enableX11 libX11; From 8f7ffe9ba3f19103ab8f5f0f812b3ebcaa169460 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 29 Jan 2016 04:02:59 +0000 Subject: [PATCH 015/507] netpbm: 10.66.00 -> 10.70.00 --- pkgs/tools/graphics/netpbm/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/graphics/netpbm/default.nix b/pkgs/tools/graphics/netpbm/default.nix index 853b298f158a..9f0253d14623 100644 --- a/pkgs/tools/graphics/netpbm/default.nix +++ b/pkgs/tools/graphics/netpbm/default.nix 
@@ -3,11 +3,11 @@ , enableX11 ? false, libX11 }: stdenv.mkDerivation rec { - name = "netpbm-10.66.00"; + name = "netpbm-10.70.00"; src = fetchurl { url = "mirror://gentoo/distfiles/${name}.tar.xz"; - sha256 = "1z33pxdir92m7jlvp5c2q44gxwj7jyf8skiqkr71kgirw4w4zsbz"; + sha256 = "14vxmzbwsy4rzrqjnzr4cvz1s0amacq69faps3v1j1kr05lcns0j"; }; postPatch = /* CVE-2005-2471, from Arch */ '' From 1ff7179925f2948cf10b2674cc823b5c61f91f20 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 29 Jan 2016 04:16:15 +0000 Subject: [PATCH 016/507] libupnp: no fortify hardening --- pkgs/development/libraries/pupnp/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/libraries/pupnp/default.nix b/pkgs/development/libraries/pupnp/default.nix index 430a09aeede6..22dbef1bac2d 100644 --- a/pkgs/development/libraries/pupnp/default.nix +++ b/pkgs/development/libraries/pupnp/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0amjv4lypvclmi4vim2qdyw5xa6v4x50zjgf682vahqjc0wjn55k"; }; - #hardening_all = false; + hardening_fortify = false; meta = { description = "libupnp, an open source UPnP development kit for Linux"; From 78a1ae85ed70454d5697d73ba8d1c1eebc66c173 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 29 Jan 2016 04:50:46 +0000 Subject: [PATCH 017/507] drbd: set DESTDIR --- pkgs/os-specific/linux/drbd/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/drbd/default.nix b/pkgs/os-specific/linux/drbd/default.nix index 4c945a7fbac7..d90d6faac396 100644 --- a/pkgs/os-specific/linux/drbd/default.nix +++ b/pkgs/os-specific/linux/drbd/default.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { makeFlags = "SHELL=${stdenv.shell}"; - installFlags = "localstatedir=$(TMPDIR)/var sysconfdir=$(out)/etc INITDIR=$(out)/etc/init.d"; + installFlags = "localstatedir=$(TMPDIR)/var sysconfdir=$(out)/etc INITDIR=$(out)/etc/init.d DESTDIR=$(out)"; meta = { homepage = http://www.drbd.org/; 
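Review bot: `hardening_fortify = false;` in the pupnp hunk switches off _FORTIFY_SOURCE for all of libupnp, a library whose purpose is parsing UPnP data received from the network, so the runtime bounds checks on its string and memory calls are lost everywhere rather than only where the build broke. The replaced `#hardening_all = false;` gives no hint which file failed. Better to locate the failing call (fortify usually objects to a fixed-size buffer the compiler can see is overrun) and patch it the way the jfsutils and dmraid commits do, or at minimum leave a comment naming the failing file so the flag can be revisited.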
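Review bot: Appending `DESTDIR=$(out)` while `sysconfdir=$(out)/etc` and `INITDIR=$(out)/etc/init.d` already carry the store path risks a doubled prefix (`$out$out/etc`) if the install rules prepend DESTDIR to those absolute paths, which is the usual automake behaviour. Whether that happens depends on drbd's Makefile, which is outside the hunk; worth checking the built output for a nested store path and, if present, passing those directories without `$(out)` so only DESTDIR supplies it.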
From e721382448fdbf8002e9b0121c3ae11f5701261e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 29 Jan 2016 05:08:57 +0000 Subject: [PATCH 018/507] jfsutils: add patch to build with format hardening --- pkgs/tools/filesystems/jfsutils/default.nix | 2 +- .../jfsutils/hardening-format.patch | 37 +++++++++++++++++++ 2 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 pkgs/tools/filesystems/jfsutils/hardening-format.patch diff --git a/pkgs/tools/filesystems/jfsutils/default.nix b/pkgs/tools/filesystems/jfsutils/default.nix index 46ded088c696..16d95bd19336 100644 --- a/pkgs/tools/filesystems/jfsutils/default.nix +++ b/pkgs/tools/filesystems/jfsutils/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha1 = "291e8bd9d615cf3d27e4000117c81a3602484a50"; }; - patches = [ ./types.patch ]; + patches = [ ./types.patch ./hardening-format.patch ]; buildInputs = [ libuuid ]; diff --git a/pkgs/tools/filesystems/jfsutils/hardening-format.patch b/pkgs/tools/filesystems/jfsutils/hardening-format.patch new file mode 100644 index 000000000000..dd2a93a81ec6 --- /dev/null +++ b/pkgs/tools/filesystems/jfsutils/hardening-format.patch 
@@ -0,0 +1,37 @@ +--- a/fscklog/fscklog.c 2016-01-29 04:59:54.102223291 +0000 ++++ b/fscklog/fscklog.c 2016-01-29 05:00:10.707552565 +0000 +@@ -252,8 +252,8 @@ + + sprintf(debug_detail, " [%s:%d]\n", basename(file_name), line_number); + +- printf(msg_string); +- printf(debug_detail); ++ printf("%s", msg_string); ++ printf("%s", debug_detail); + + return 0; + } +--- a/fscklog/display.c 2016-01-29 05:05:42.582133444 +0000 ++++ b/fscklog/display.c 2016-01-29 05:05:47.541231780 +0000 +@@ -182,7 +182,7 @@ + } else { + /* the record looks ok */ + msg_txt = &log_entry[log_entry_pos]; +- printf(msg_txt); ++ printf("%s", msg_txt); + /* + * set up for the next record + */ +--- a/logdump/helpers.c 2016-01-29 05:06:26.081996021 +0000 ++++ b/logdump/helpers.c 2016-01-29 05:06:43.097333425 +0000 +@@ -95,8 +95,8 @@ + + sprintf(debug_detail, " [%s:%d]\n", file_name, line_number); + +- printf(msg_string); +- printf(debug_detail); ++ printf("%s", msg_string); ++ printf("%s", debug_detail); + + return 0; + } From cce1bad2e17d37d2d9ca198e2b3fb1b658fdcdb4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 29 Jan 2016 05:25:51 +0000 Subject: [PATCH 019/507] dmraid: add patch to build with format hardening --- pkgs/os-specific/linux/dmraid/default.nix | 2 ++ .../linux/dmraid/hardening-format.patch | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 pkgs/os-specific/linux/dmraid/hardening-format.patch diff --git a/pkgs/os-specific/linux/dmraid/default.nix b/pkgs/os-specific/linux/dmraid/default.nix index 9e7e2a6bb8e4..9412747d6bc5 100644 --- a/pkgs/os-specific/linux/dmraid/default.nix +++ b/pkgs/os-specific/linux/dmraid/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0m92971gyqp61darxbiri6a48jz3wq3gkp8r2k39320z0i6w8jgq"; }; + patches = [ ./hardening-format.patch ]; + postPatch = '' sed -i 's/\[\[[^]]*\]\]/[ "''$''${n##*.}" = "so" ]/' */lib/Makefile.in ''; 
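Review bot: The `printf("%s", msg_string)` rewrites are the right fix for the format-security error, but the `sprintf(debug_detail, " [%s:%d]\n", basename(file_name), line_number);` context line just above in fscklog.c, and its twin in logdump/helpers.c, stay unbounded while the patch is already editing that function. If `debug_detail` is a fixed-size array (its declaration is outside the hunk) the same patch could use `snprintf(debug_detail, sizeof debug_detail, " [%s:%d]\n", basename(file_name), line_number);` so a long file name cannot overrun it. The enclosing functions start outside the patch hunks.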
diff --git a/pkgs/os-specific/linux/dmraid/hardening-format.patch b/pkgs/os-specific/linux/dmraid/hardening-format.patch new file mode 100644 index 000000000000..f91a7fb18aa0 --- /dev/null +++ b/pkgs/os-specific/linux/dmraid/hardening-format.patch @@ -0,0 +1,18 @@ +--- a/1.0.0.rc16/lib/events/libdmraid-events-isw.c 2016-01-29 05:16:57.455425454 +0000 ++++ b/1.0.0.rc16/lib/events/libdmraid-events-isw.c 2016-01-29 05:17:55.520564013 +0000 +@@ -838,13 +838,13 @@ + + sz = _log_all_devs(log_type, rs, NULL, 0); + if (!sz) { +- syslog(LOG_ERR, msg[0]); ++ syslog(LOG_ERR, "%s", msg[0]); + return; + } + + str = dm_malloc(++sz); + if (!str) { +- syslog(LOG_ERR, msg[1]); ++ syslog(LOG_ERR, "%s", msg[1]); + return; + } + From f4572b552df2b80000ee7bddfd70ebae2b293d04 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 29 Jan 2016 10:06:07 +0000 Subject: [PATCH 020/507] gcc45: turn off format hardening --- pkgs/development/compilers/gcc/4.5/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix index 8c4afb31c50d..69c4db63e5bd 100644 --- a/pkgs/development/compilers/gcc/4.5/default.nix +++ b/pkgs/development/compilers/gcc/4.5/default.nix @@ -134,7 +134,7 @@ stdenv.mkDerivation ({ inherit langC langCC langFortran langJava langAda; }; - #hardening_all = false; + hardening_format = false; patches = [ ] From 359b1726a57192277eba54931e5e24674093c195 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 30 Jan 2016 14:32:58 +0000 Subject: [PATCH 021/507] xen: turn off stackprotector hardening --- pkgs/applications/virtualization/xen/generic.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix index ce6753ed165d..1f5553beb047 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic.nix 
@@ -75,7 +75,7 @@ stdenv.mkDerivation { pythonPath = [ pythonPackages.curses ]; - #hardening_all = false; + hardening_stackprotector = false; patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches; From 051662610104c2c57b89783084b9f31f5e978c71 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 30 Jan 2016 14:33:22 +0000 Subject: [PATCH 022/507] go: turn off all hardening --- pkgs/development/compilers/go/1.5.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix index 4928bacaebdf..d64b9a1d11c9 100644 --- a/pkgs/development/compilers/go/1.5.nix +++ b/pkgs/development/compilers/go/1.5.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { Security Foundation ]; - hardening_stackprotector = false; + hardening_all = false; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. From bd2d04975013341e8402f04ff5e53502e40a6d32 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 13:09:11 +0000 Subject: [PATCH 023/507] texlive-core-big: turn off format hardening --- pkgs/tools/typesetting/tex/texlive-new/bin.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/typesetting/tex/texlive-new/bin.nix b/pkgs/tools/typesetting/tex/texlive-new/bin.nix index 4a788cfa8fe5..3585c4d04af8 100644 --- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix +++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix @@ -123,6 +123,8 @@ core-big = stdenv.mkDerivation { inherit (common) src; + hardening_format = false; + buildInputs = core.buildInputs ++ [ core cairo harfbuzz icu graphite2 ]; configureFlags = common.configureFlags From 79219c1981d3c870dbb1f88da843378e02e49ce8 Mon Sep 17 00:00:00 2001 
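Review bot: `hardening_stackprotector = false;` in xen/generic.nix applies to every binary the derivation produces, including the userspace toolstack that parses guest configuration, not only the hypervisor whose build manages its own CFLAGS. Unless the failure came from the tools, a narrower change would keep the protector for the tools and disable it only for the component that needs it. At least a comment stating which part fails to build would let a later maintainer re-enable it, since the replaced `#hardening_all = false;` records no reason.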
From: Robin Gloster Date: Sun, 7 Feb 2016 15:07:42 +0000 Subject: [PATCH 024/507] patchutils: turn off format hardening --- pkgs/tools/text/patchutils/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/text/patchutils/default.nix b/pkgs/tools/text/patchutils/default.nix index 4df52eef669e..98f9c0483c2d 100644 --- a/pkgs/tools/text/patchutils/default.nix +++ b/pkgs/tools/text/patchutils/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { patches = [ ./drop-comments.patch ]; # we would get into a cycle when using fetchpatch on this one + hardening_format = false; + meta = with stdenv.lib; { description = "Tools to manipulate patch files"; homepage = http://cyberelk.net/tim/software/patchutils; From 08caf7b6e43df52395ef86ed8192a7232a46f2e4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 15:27:57 +0000 Subject: [PATCH 025/507] librsync_0_9: turn off format hardening --- pkgs/development/libraries/librsync/0.9.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/librsync/0.9.nix b/pkgs/development/libraries/librsync/0.9.nix index 76daf7d748bf..d3dd293f975b 100644 --- a/pkgs/development/libraries/librsync/0.9.nix +++ b/pkgs/development/libraries/librsync/0.9.nix @@ -1,13 +1,15 @@ -{stdenv, fetchurl}: +{ stdenv, fetchurl }: stdenv.mkDerivation { name = "librsync-0.9.7"; - + src = fetchurl { url = mirror://sourceforge/librsync/librsync-0.9.7.tar.gz; sha256 = "1mj1pj99mgf1a59q9f2mxjli2fzxpnf55233pc1klxk2arhf8cv6"; }; + hardening_format = false; + configureFlags = if stdenv.isCygwin then "--enable-static" else "--enable-shared"; crossAttrs = { From 955a9a3be72c9911b5b4bf3dde72d14e362fe450 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 15:49:09 +0000 Subject: [PATCH 026/507] avrgcclibc: turn off format hardening --- .../misc/avr-gcc-with-avr-libc/default.nix | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) 
diff --git a/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix b/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix index cbd38903aac8..b27a6659004d 100644 --- a/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix +++ b/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix @@ -19,20 +19,22 @@ stdenv.mkDerivation { sha256 = "0sd9qkvhmk9av4g1f8dsjwc309hf1g0731bhvicnjb3b3d42l1n3"; }) ]; - + sourceRoot = "."; nativeBuildInputs = [ texinfo ]; - + buildInputs = [ gmp mpfr libmpc zlib ]; - + + hardening_format = false; + # Make sure we don't strip the libraries in lib/gcc/avr. stripDebugList= [ "bin" "avr/bin" "libexec" ]; - + installPhase = '' # important, without this gcc won't find the binutils executables export PATH=$PATH:$out/bin - + # Binutils. pushd binutils-*/ mkdir obj-avr @@ -64,7 +66,7 @@ stdenv.mkDerivation { make install popd ''; - + meta = with stdenv.lib; { description = "AVR development environment including binutils, avr-gcc and avr-libc"; # I've tried compiling the packages separately.. too much hassle. This just works. Fine. From 56ae3db53fefd363306e9c826bfc5e771e6ed599 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 16:06:56 +0000 Subject: [PATCH 027/507] bviplus: fix build with gcc5 (inline semantics) --- pkgs/applications/editors/bviplus/default.nix | 12 +++++++++--- pkgs/applications/editors/bviplus/gcc5.diff | 11 +++++++++++ 2 files changed, 20 insertions(+), 3 deletions(-) create mode 100644 pkgs/applications/editors/bviplus/gcc5.diff diff --git a/pkgs/applications/editors/bviplus/default.nix b/pkgs/applications/editors/bviplus/default.nix index 0a8d7081b230..d61fa182379b 100644 --- a/pkgs/applications/editors/bviplus/default.nix +++ b/pkgs/applications/editors/bviplus/default.nix 
@@ -1,17 +1,23 @@ -{ stdenv, lib, fetchurl, ncurses }: +{ stdenv, fetchurl, ncurses }: stdenv.mkDerivation rec { name = "bviplus-${version}"; version = "0.9.4"; + src = fetchurl { - url = "http://downloads.sourceforge.net/project/bviplus/bviplus/${version}/bviplus-${version}.tgz"; + url = "mirror://sourceforge/project/bviplus/bviplus/${version}/bviplus-${version}.tgz"; sha256 = "10x6fbn8v6i0y0m40ja30pwpyqksnn8k2vqd290vxxlvlhzah4zb"; }; + buildInputs = [ ncurses ]; + + patches = [ ./gcc5.diff ]; + makeFlags = "PREFIX=$(out)"; - meta = with lib; { + + meta = with stdenv.lib; { description = "ncurses based hex editor with a vim-like interface"; homepage = "http://bviplus.sourceforge.net"; license = licenses.gpl3; diff --git a/pkgs/applications/editors/bviplus/gcc5.diff b/pkgs/applications/editors/bviplus/gcc5.diff new file mode 100644 index 000000000000..75dc57151dd5 --- /dev/null +++ b/pkgs/applications/editors/bviplus/gcc5.diff @@ -0,0 +1,11 @@ +--- bviplus-0.9.4/vf_backend.c 2016-02-07 15:58:47.265405962 +0000 ++++ bviplus-0.9.4/vf_backend.c 2016-02-07 16:04:30.020004919 +0000 +@@ -253,7 +253,7 @@ + /*--------------------------- + + ---------------------------*/ +-inline void compute_percent_complete(off_t offset, off_t size, int *complete) ++extern void compute_percent_complete(off_t offset, off_t size, int *complete) + { + if (size == 0) + { From 89316e726ca9932a375fa7d0a26cf0b63ea0b3f1 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 16:20:07 +0000 Subject: [PATCH 028/507] db4: turn off format hardening --- pkgs/development/libraries/db/db-4.8.nix | 1 + pkgs/development/libraries/db/generic.nix | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/db/db-4.8.nix b/pkgs/development/libraries/db/db-4.8.nix index 6a161b0b72d8..78c0a15c4e0b 100644 --- a/pkgs/development/libraries/db/db-4.8.nix +++ b/pkgs/development/libraries/db/db-4.8.nix 
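Review bot: The src url becomes `mirror://sourceforge/project/bviplus/bviplus/${version}/bviplus-${version}.tgz`, keeping the `project/` component from the old downloads.sourceforge.net link, whereas the librsync hunk earlier in this series uses `mirror://sourceforge/librsync/...` starting directly at the project directory; once the mirror prefix is prepended this may resolve to a wrong path. Worth confirming the fetch succeeds and dropping `project/` if it does not. The gcc5.diff change from `inline` to `extern` works; simply deleting `inline` would be the minimal form.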
@@ -5,4 +5,5 @@ import ./generic.nix (args // rec { extraPatches = [ ./clang-4.8.patch ]; sha256 = "0ampbl2f0hb1nix195kz1syrqqxpmvnvnfvphambj7xjrl3iljg0"; branch = "4.8"; + drvArgs = { hardening_format = false; }; }) diff --git a/pkgs/development/libraries/db/generic.nix b/pkgs/development/libraries/db/generic.nix index f5ee4e440ff0..fdc828effdfb 100644 --- a/pkgs/development/libraries/db/generic.nix +++ b/pkgs/development/libraries/db/generic.nix @@ -7,9 +7,10 @@ , extraPatches ? [ ] , license ? stdenv.lib.licenses.sleepycat , branch ? null +, drvArgs ? {} }: -stdenv.mkDerivation rec { +stdenv.mkDerivation (rec { name = "db-${version}"; src = fetchurl { @@ -42,4 +43,4 @@ stdenv.mkDerivation rec { platforms = platforms.unix; branch = branch; }; -} +} // drvArgs) From 2b1f9509a16a94ebab4a526203e9d60ef6e0c556 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 16:22:44 +0000 Subject: [PATCH 029/507] freetds: turn off format hardening --- pkgs/development/libraries/freetds/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/freetds/default.nix b/pkgs/development/libraries/freetds/default.nix index 695abcfbba2b..bb4aeaeee27f 100644 --- a/pkgs/development/libraries/freetds/default.nix +++ b/pkgs/development/libraries/freetds/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "0r946axzxs0czsmr7283w7vmk5jx3jnxxc32d2ncxsrsh2yli0ba"; }; + hardening_format = false; + buildInputs = stdenv.lib.optional odbcSupport [ unixODBC ]; configureFlags = stdenv.lib.optionalString odbcSupport "--with-odbc=${unixODBC}"; From 4b82ba013d1aed89795537095f827140ab6b43d8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 16:31:59 +0000 Subject: [PATCH 030/507] libgeotiff: turn off format hardening --- pkgs/development/libraries/libgeotiff/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
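Review bot: The new `drvArgs ? {}` parameter in generic.nix is undocumented, and because it is applied as `// drvArgs` after the `rec` set, any attribute it supplies replaces the generated one outright (a `meta` in drvArgs would discard the whole computed meta). A comment next to the parameter such as `# extra mkDerivation attributes applied over the generated set; top-level attributes are replaced, not merged` would make that contract clear to the next version file that uses it.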
diff --git a/pkgs/development/libraries/libgeotiff/default.nix b/pkgs/development/libraries/libgeotiff/default.nix index d07aae3ab807..4d9fa09ad752 100644 --- a/pkgs/development/libraries/libgeotiff/default.nix +++ b/pkgs/development/libraries/libgeotiff/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { buildInputs = [ libtiff ]; + hardening_format = false; + meta = { description = "Library implementing attempt to create a tiff based interchange format for georeferenced raster imagery"; homepage = http://www.remotesensing.org/geotiff/geotiff.html; From 321c57d69e83fb9268bfcaca090c0346b5a54979 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 16:34:05 +0000 Subject: [PATCH 031/507] ltl2ba: turn off format hardening --- pkgs/applications/science/logic/ltl2ba/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/science/logic/ltl2ba/default.nix b/pkgs/applications/science/logic/ltl2ba/default.nix index cdadd18ac9f5..4ba773756e5f 100644 --- a/pkgs/applications/science/logic/ltl2ba/default.nix +++ b/pkgs/applications/science/logic/ltl2ba/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "16z0gc7a9dkarwn0l6rvg5jdhw1q4qyn4501zlchy0zxqddz0sx6"; }; + hardening_format = false; + installPhase = '' mkdir -p $out/bin mv ltl2ba $out/bin From 0b93c68eb1699a82dc3bd94f03790e17f47e1a8d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 19:18:57 +0000 Subject: [PATCH 032/507] opencv: turn off bindnow and relro hardening --- pkgs/development/libraries/opencv/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/development/libraries/opencv/default.nix b/pkgs/development/libraries/opencv/default.nix index 4ce1787dbac6..d5904e742b63 100644 --- a/pkgs/development/libraries/opencv/default.nix +++ b/pkgs/development/libraries/opencv/default.nix 
@@ -20,6 +20,9 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardening_bindnow = false; + hardening_relro = false; + meta = { description = "Open Computer Vision Library with more than 500 algorithms"; homepage = http://opencv.org/; From 53e3de101b35ee17c28c5dbabb8df528f480debe Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 19:23:40 +0000 Subject: [PATCH 033/507] cvs: turn off format hardening --- pkgs/applications/version-management/cvs/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/version-management/cvs/default.nix b/pkgs/applications/version-management/cvs/default.nix index e9de202a8092..4912ce0b3e68 100644 --- a/pkgs/applications/version-management/cvs/default.nix +++ b/pkgs/applications/version-management/cvs/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { patches = [ ./getcwd-chroot.patch ]; + hardening_format = false; + preConfigure = '' # Apply the Debian patches. for p in "debian/patches/"*; do From d12ff64f254fd6d80dbbfa9adfa1849c7fef7b94 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 19:24:01 +0000 Subject: [PATCH 034/507] ccl: fix hash --- pkgs/development/compilers/ccl/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/compilers/ccl/default.nix b/pkgs/development/compilers/ccl/default.nix index e5e07705a18b..ee0153c13b0f 100644 --- a/pkgs/development/compilers/ccl/default.nix +++ b/pkgs/development/compilers/ccl/default.nix @@ -5,7 +5,7 @@ let /* TODO: there are also MacOS, FreeBSD and Windows versions */ x86_64-linux = { arch = "linuxx86"; - sha256 = "0d2vhp5n74yhwixnvlsnp7dzaf9aj6zd2894hr2728djyd8x9fx6"; + sha256 = "07cny2qkzc624bzpdsy4iakcln0p7v5rhf8bv0vnh6rhpvnahrnq"; runtime = "lx86cl64"; kernel = "linuxx8664"; }; From 543dfcc686f7fca501b7f10245408ccb7fabbf75 Mon Sep 17 00:00:00 2001 
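Review bot: `hardening_bindnow = false;` and `hardening_relro = false;` are added without a comment on what breaks, and the commit message does not say whether both are needed; the two flags presumably map to the linker's relro/now options, which together are what makes relocation tables read-only after loading, so the built OpenCV libraries lose that protection entirely. If only one of them fails the link, drop the other, and annotate whichever stays, e.g. `# relro/bindnow off: <error from the failing link step — fill in>`.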
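Review bot: the ccl hunk replaces only the `sha256` of the `linuxx86` entry while the version and URL (outside the hunk) stay the same, and the message `ccl: fix hash` does not say why the upstream artifact's hash changed. A fixed-output hash that changes for an unchanged download is exactly the case a reviewer needs to be able to verify, so the commit or a comment on the line should record where the new value was confirmed, e.g. `# sha256 re-verified against upstream's published checksum, <date>`. If upstream re-rolled the archive, that is worth stating too, since a re-rolled tarball is otherwise indistinguishable from a substituted one.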
From: Robin Gloster Date: Sun, 7 Feb 2016 19:26:33 +0000 Subject: [PATCH 035/507] disk_indicator: turn off hardening fortify --- pkgs/os-specific/linux/disk-indicator/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/os-specific/linux/disk-indicator/default.nix b/pkgs/os-specific/linux/disk-indicator/default.nix index 406492db2368..8eba742ebfb8 100644 --- a/pkgs/os-specific/linux/disk-indicator/default.nix +++ b/pkgs/os-specific/linux/disk-indicator/default.nix @@ -19,6 +19,7 @@ stdenv.mkDerivation { buildPhase = "make -f makefile"; NIX_CFLAGS_COMPILE = "-Wno-error=cpp"; + hardening_fortify = false; installPhase = '' mkdir -p "$out/bin" From 43545db1873a1110cd1bd9982bbcd61f3a149063 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 19:53:34 +0000 Subject: [PATCH 036/507] gdome2: turn off hardening fortify --- pkgs/development/libraries/gdome2/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/gdome2/default.nix b/pkgs/development/libraries/gdome2/default.nix index cc8f76949eea..e9c32da20692 100644 --- a/pkgs/development/libraries/gdome2/default.nix +++ b/pkgs/development/libraries/gdome2/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation { sha256 = "0hyms5s3hziajp3qbwdwqjc2xcyhb783damqg8wxjpwfxyi81fzl"; }; + hardening_format = false; + buildInputs = [pkgconfig glib libxml2 gtkdoc]; propagatedBuildInputs = [glib libxml2]; patches = [ ./xml-document.patch ]; From 179ae282e07adc3975dd4e3198db47fd1185b408 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 19:59:43 +0000 Subject: [PATCH 037/507] go_1_4: turn off all hardening --- pkgs/development/compilers/go/1.4.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix index 542fcba2144d..9dadf06b3b54 100644 --- a/pkgs/development/compilers/go/1.4.nix +++ b/pkgs/development/compilers/go/1.4.nix 
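Review bot: `hardening_fortify = false;` is added directly under `NIX_CFLAGS_COMPILE = "-Wno-error=cpp";` with no comment on what fails; the same applies to the `hardening_fortify = false;` line in the udftools hunk later in this series. The existing `-Wno-error=cpp` looks like a workaround for the preprocessor warning glibc emits when _FORTIFY_SOURCE is used without optimisation, so with fortify now off that line may be redundant — worth confirming against the build log. Suggested comment: `# FORTIFY_SOURCE off: <reason from build log — fill in>`.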
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec { buildInputs = [ pcre ]; propagatedBuildInputs = lib.optional stdenv.isDarwin Security; - hardening_stackprotector = false; + hardening_all = false; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. From d4066220523661496b026e9a0530c6d10feb2ccf Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 20:40:46 +0000 Subject: [PATCH 038/507] csound: turn off format hardening --- pkgs/applications/audio/csound/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/csound/default.nix b/pkgs/applications/audio/csound/default.nix index afca63a2a8a2..1cc0e56fe7e6 100644 --- a/pkgs/applications/audio/csound/default.nix +++ b/pkgs/applications/audio/csound/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation { enableParallelBuilding = true; + hardening_format = false; + src = fetchurl { url = mirror://sourceforge/csound/Csound6.04.tar.gz; sha256 = "1030w38lxdwjz1irr32m9cl0paqmgr02lab2m7f7j1yihwxj1w0g"; From 49d77a685fccdb01364959c390e1e893bee895d6 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 20:43:42 +0000 Subject: [PATCH 039/507] gdmap: turn off format hardening --- pkgs/tools/system/gdmap/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/system/gdmap/default.nix b/pkgs/tools/system/gdmap/default.nix index 3d3809610e4d..1456b6fca7c4 100644 --- a/pkgs/tools/system/gdmap/default.nix +++ b/pkgs/tools/system/gdmap/default.nix @@ -2,7 +2,7 @@ stdenv.mkDerivation rec { name = "gdmap-0.8.1"; - + src = fetchurl { url = "mirror://sourceforge/gdmap/${name}.tar.gz"; sha256 = "0nr8l88cg19zj585hczj8v73yh21k7j13xivhlzl8jdk0j0cj052"; 
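Review bot: replacing `hardening_stackprotector = false;` with `hardening_all = false;` widens the opt-out from one flag to every hardening flag the stdenv adapter knows, but the commit does not say which additional flag started failing. Listing the offending flags individually keeps the remaining protections on the Go 1.4 toolchain binaries and documents the reason; if everything really must be off, add `# go 1.4's build tolerates none of the hardening flags: <which one fails and how — fill in>` next to the line.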
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec { patches = [ ./get_sensitive.patch ./set_flags.patch ]; + hardening_format = false; + meta = with stdenv.lib; { homepage = http://gdmap.sourceforge.net; description = "Recursive rectangle map of disk usage"; From 818509044972166b4ef0378572070399ddde54be Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 20:44:18 +0000 Subject: [PATCH 040/507] smpeg: turn off format hardening --- pkgs/development/libraries/smpeg/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/smpeg/default.nix b/pkgs/development/libraries/smpeg/default.nix index c2473ae2c5db..49d889f8b6ac 100644 --- a/pkgs/development/libraries/smpeg/default.nix +++ b/pkgs/development/libraries/smpeg/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardening_format = false; + buildInputs = [ SDL gtk mesa ]; nativeBuildInputs = [ autoconf automake libtool m4 pkgconfig makeWrapper ]; From d1172548229971c95819a185a73e18af841728b5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 20:54:52 +0000 Subject: [PATCH 041/507] drgeo: turn off format hardening --- pkgs/applications/science/geometry/drgeo/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/science/geometry/drgeo/default.nix b/pkgs/applications/science/geometry/drgeo/default.nix index f0be5258ce45..c5c2cee62e81 100644 --- a/pkgs/applications/science/geometry/drgeo/default.nix +++ b/pkgs/applications/science/geometry/drgeo/default.nix @@ -5,6 +5,8 @@ stdenv.mkDerivation rec { name = "drgeo-${version}"; version = "1.1.0"; + hardening_format = false; + src = fetchurl { url = "mirror://sourceforge/ofset/${name}.tar.gz"; sha256 = "05i2czgzhpzi80xxghinvkyqx4ym0gm9f38fz53idjhigiivp4wc"; From 70bcd8ace8ebd0f2e660b23b96c72c3da25194b5 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Sun, 7 Feb 2016 20:56:33 +0000 Subject: [PATCH 042/507] vncrec: turn off format hardening --- pkgs/tools/video/vncrec/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/video/vncrec/default.nix b/pkgs/tools/video/vncrec/default.nix index 4654d5902cb0..a16dc169b98e 100644 --- a/pkgs/tools/video/vncrec/default.nix +++ b/pkgs/tools/video/vncrec/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "1yp6r55fqpdhc8cgrgh9i0mzxmkls16pgf8vfcpng1axr7cigyhc"; }; + hardening_format = false; + buildInputs = [ libX11 xproto imake gccmakedep libXt libXmu libXaw libXext xextproto libSM libICE libXpm libXp From e353185cebc483e3f16993a9f5935a6c91977caa Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 21:17:34 +0000 Subject: [PATCH 043/507] wxPython: turn off format hardening --- pkgs/development/python-modules/wxPython/generic.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkgs/development/python-modules/wxPython/generic.nix b/pkgs/development/python-modules/wxPython/generic.nix index 3151dbcfac3d..385980b28484 100644 --- a/pkgs/development/python-modules/wxPython/generic.nix +++ b/pkgs/development/python-modules/wxPython/generic.nix @@ -11,6 +11,10 @@ stdenv.mkDerivation rec { disabled = isPy3k || isPyPy; doCheck = false; + sourceRoot = "wxPython-src-${version}/wxPython"; + + hardening_format = false; + src = fetchurl { url = "mirror://sourceforge/wxpython/wxPython-src-${version}.tar.bz2"; inherit sha256; @@ -18,7 +22,6 @@ stdenv.mkDerivation rec { pythonPath = [ python setuptools ]; buildInputs = [ python setuptools pkgconfig wxGTK (wxGTK.gtk) wrapPython ] ++ stdenv.lib.optional openglSupport pyopengl; - preConfigure = "cd wxPython"; installPhase = '' ${python.interpreter} setup.py install WXPORT=gtk2 NO_HEADERS=1 BUILD_GLCANVAS=${if openglSupport then "1" else "0"} UNICODE=1 --prefix=$out From 0f2e638fe76619ac62475123c78be3dd3474492c Mon Sep 17 00:00:00 2001 
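Review bot: besides `hardening_format = false;`, the wxPython hunk replaces `preConfigure = "cd wxPython";` with `sourceRoot = "wxPython-src-${version}/wxPython";`, a build-layout change the commit message does not mention. Setting `sourceRoot` moves every phase, including patching, into the subdirectory rather than only the configure step, so anything that previously ran against the top-level tree changes behaviour — presumably intended, but it deserves its own commit or at least a comment: `# build from the wxPython subdir for all phases, not just configure`.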
From: Robin Gloster Date: Sun, 7 Feb 2016 21:40:37 +0000 Subject: [PATCH 044/507] gcc46: turn off format hardening --- pkgs/development/compilers/gcc/4.6/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/gcc/4.6/default.nix b/pkgs/development/compilers/gcc/4.6/default.nix index b3caad11b716..323fd8b921b3 100644 --- a/pkgs/development/compilers/gcc/4.6/default.nix +++ b/pkgs/development/compilers/gcc/4.6/default.nix @@ -189,6 +189,8 @@ stdenv.mkDerivation ({ inherit patches enableMultilib; + hardening_format = false; + postPatch = if (stdenv.isGNU || (libcCross != null # e.g., building `gcc.crossDrv' From f43398c91fc46389a13d97d2edda8326db52b3f8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 22:19:05 +0000 Subject: [PATCH 045/507] libcli: add patch for gcc5 --- pkgs/development/libraries/libcli/default.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/pkgs/development/libraries/libcli/default.nix b/pkgs/development/libraries/libcli/default.nix index 1c247f6faa88..cf1b21ceaa97 100644 --- a/pkgs/development/libraries/libcli/default.nix +++ b/pkgs/development/libraries/libcli/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchFromGitHub }: +{ stdenv, fetchFromGitHub, fetchpatch }: stdenv.mkDerivation rec { name = "libcli-${version}"; @@ -11,6 +11,13 @@ stdenv.mkDerivation rec { owner = "dparrish"; }; + patches = [ + (fetchpatch { + url = https://patch-diff.githubusercontent.com/raw/dparrish/libcli/pull/21.diff; + sha256 = "150nm33xi3992zx8a9smjzd8zs7pavrwg1pijah6nyl22q9gxm21"; + }) + ]; + enableParallelBuilding = true; makeFlags = [ "PREFIX=$(out)" ]; From 09a5af76b51cbbd3ac4dd58cd742ba475c9bc0eb Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 22:24:47 +0000 Subject: [PATCH 046/507] gcc48: turn off format hardening --- pkgs/development/compilers/gcc/4.8/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
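Review bot: the `fetchpatch` URL `https://patch-diff.githubusercontent.com/raw/dparrish/libcli/pull/21.diff` points at a pull request, whose content changes whenever the PR branch is updated; the sha256 then stops matching, so the build fails rather than fetching something different, but reproducibility of this expression is lost. Prefer the commit-based URL for the specific commit the hash was taken from (`https://github.com/dparrish/libcli/commit/<COMMIT-SHA>.patch`) and say what the patch fixes: `# gcc5 build fix, upstream PR #21`.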
diff --git a/pkgs/development/compilers/gcc/4.8/default.nix b/pkgs/development/compilers/gcc/4.8/default.nix index fd80f4ec8c5f..58074e173aed 100644 --- a/pkgs/development/compilers/gcc/4.8/default.nix +++ b/pkgs/development/compilers/gcc/4.8/default.nix @@ -218,6 +218,8 @@ stdenv.mkDerivation ({ inherit patches; + hardening_format = false; + postPatch = if (stdenv.isGNU || (libcCross != null # e.g., building `gcc.crossDrv' From 5f752303682beffedfe9e81bfd899b74aac323e5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 22:26:07 +0000 Subject: [PATCH 047/507] sutils: turn off format hardening --- pkgs/tools/misc/sutils/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/sutils/default.nix b/pkgs/tools/misc/sutils/default.nix index d0576cc069a7..48c47cc3d8db 100644 --- a/pkgs/tools/misc/sutils/default.nix +++ b/pkgs/tools/misc/sutils/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0xqk42vl82chy458d64fj68a4md4bxaip8n3xw9skxz0a1sgvks8"; }; + hardening_format = false; + prePatch = ''sed -i "s@/usr/local@$out@" Makefile''; meta = { From 65e6aa4a31ea05a651ead1a50bd8af7bb4e42438 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 22:28:15 +0000 Subject: [PATCH 048/507] uwimap: turn off format hardening --- pkgs/tools/networking/uwimap/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/networking/uwimap/default.nix b/pkgs/tools/networking/uwimap/default.nix index 1da9ca969841..1c7c946000eb 100644 --- a/pkgs/tools/networking/uwimap/default.nix +++ b/pkgs/tools/networking/uwimap/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation { # -fPIC is required to compile php with imap on x86_64 systems + stdenv.lib.optionalString stdenv.isx86_64 " EXTRACFLAGS=-fPIC"; + hardening_format = false; + buildInputs = [ openssl ] ++ stdenv.lib.optional (!stdenv.isDarwin) pam; From 046b40f57311bbadc3241f3b14c77f045ea7e30c Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Sun, 7 Feb 2016 22:30:22 +0000 Subject: [PATCH 049/507] xconq: turn off format hardening --- pkgs/games/xconq/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/games/xconq/default.nix b/pkgs/games/xconq/default.nix index 53c3ec7dec85..cace72b5aacf 100644 --- a/pkgs/games/xconq/default.nix +++ b/pkgs/games/xconq/default.nix @@ -3,9 +3,9 @@ stdenv.mkDerivation rec { name = "${baseName}-${version}"; - baseName="xconq"; + baseName = "xconq"; version = "7.5.0-0pre.0.20050612"; - + src = fetchurl { url = "mirror://sourceforge/project/${baseName}/${baseName}/${name}/${name}.tar.gz"; sha256 = "1za78yx57mgwcmmi33wx3533yz1x093dnqis8q2qmqivxav51lca"; @@ -20,6 +20,8 @@ stdenv.mkDerivation rec { "--with-tkconfig=${tk}/lib" ]; + hardening_format = false; + patchPhase = '' # Fix Makefiles find . -name 'Makefile.in' -exec sed -re 's@^ ( *)(cd|[&][&])@ \1\2@' -i '{}' ';' From dc2b5489552be04791ebb1eb5de60f216ad35cad Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 22:39:11 +0000 Subject: [PATCH 050/507] nodePackages.oauth: use fetchFromGitHub fixup to 9a5a967 --- pkgs/top-level/node-packages-generated.nix | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/pkgs/top-level/node-packages-generated.nix b/pkgs/top-level/node-packages-generated.nix index 1c68d1badc84..12d0aff2616e 100644 --- a/pkgs/top-level/node-packages-generated.nix +++ b/pkgs/top-level/node-packages-generated.nix @@ -1,4 +1,4 @@ -{ self, fetchurl, fetchgit ? null, lib }: +{ self, fetchurl, fetchgit ? null, fetchFromGitHub, lib }: { by-spec."Base64"."~0.2.0" = 
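Review bot: `fetchFromGitHub` is added by hand to the argument list of `node-packages-generated.nix`, a file whose name says it is generator output and whose commit title calls this a fixup, so the next regeneration will drop the edit unless the generator or its input list is changed as well. The oauth hunk later in the same file is the same concern. If a hand edit is the intended fix, a header comment noting it — `# NOTE: hand-edited: oauth uses fetchFromGitHub; re-apply after regenerating` — stops the next run from silently reverting it.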
@@ -29314,10 +29314,11 @@ name = "oauth-0.9.12"; version = "0.9.12"; bin = false; - src = fetchurl { - url = "https://github.com/ciaranj/node-oauth/tarball/0.9.12"; - name = "oauth-0.9.12.tgz"; - sha256 = "e06c3c3537e9c802c8ad00640b9f91bf2857cf8cc91209e355b5646f4da8b3e7"; + src = fetchFromGitHub { + owner = "ciaranj"; + repo = "node-oauth"; + rev = "0.9.12"; + sha256 = "1c67nq1q5isfcvyp520q02w5c527s1wsfiyknzfvvp22sf2yn7k6"; }; deps = { }; From 33a0e63fbff73fe49f6b03dca947f5ba65e3fe42 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 22:43:01 +0000 Subject: [PATCH 051/507] linuxPackages.v4l2loopback: no format/pic hardening --- pkgs/os-specific/linux/v4l2loopback/default.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/v4l2loopback/default.nix b/pkgs/os-specific/linux/v4l2loopback/default.nix index 13617360d2d4..8b44f3388d3f 100644 --- a/pkgs/os-specific/linux/v4l2loopback/default.nix +++ b/pkgs/os-specific/linux/v4l2loopback/default.nix @@ -8,7 +8,10 @@ stdenv.mkDerivation rec { url = "https://github.com/umlaeute/v4l2loopback/archive/v${version}.tar.gz"; sha256 = "1crkhxlnskqrfj3f7jmiiyi5m75zmj7n0s26xz07wcwdzdf2p568"; }; - + + hardening_pic = false; + hardening_format = false; + preBuild = '' substituteInPlace Makefile --replace "modules_install" "INSTALL_MOD_PATH=$out modules_install" sed -i '/depmod/d' Makefile @@ -16,7 +19,7 @@ stdenv.mkDerivation rec { ''; buildInputs = [ kmod ]; - + makeFlags = [ "KERNELRELEASE=${kernel.modDirVersion}" "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" From 859a150373579a5ec4b7e913cb1aca71dc946e3a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 22:43:59 +0000 Subject: [PATCH 052/507] linuxPackages.virtualboxGuestAdditions: no pic hardening --- .../virtualization/virtualbox/guest-additions/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
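Review bot: `rev = "0.9.12";` pins the oauth source to a tag rather than a commit hash; tags can be moved, so the only thing holding the content fixed is the sha256, and a moved tag would surface as a hash mismatch rather than a clear message. Using the commit the tag pointed to when the hash was taken, `rev = "<COMMIT-SHA>"; # tag 0.9.12`, makes the pin self-describing and survives a tag move.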
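Review bot: `hardening_pic = false;` in the v4l2loopback hunk has no comment, and the same line appears in the virtualbox guest-additions, spl and clean hunks later in this series. For the three out-of-tree kernel modules this is presumably because the kernel build supplies its own code-generation flags, which a one-line comment should state, e.g. `# kernel module: built with the kernel's own flags, PIC hardening does not apply`; for `clean`, a userspace compiler, the reason is different and should be given separately. The `-`/`+` blank-line pairs in both v4l2loopback hunks are whitespace-only noise that makes the real change harder to spot.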
diff --git a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix index 43f591cf6aad..0ef00550ee48 100644 --- a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix +++ b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation { KERN_DIR = "${kernel.dev}/lib/modules/*/build"; + hardening_pic = false; + buildInputs = [ patchelf cdrkit makeWrapper dbus ]; installPhase = '' From 7c206e8c4c5cfbdee05daf0767548edc9b66cd40 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 22:44:42 +0000 Subject: [PATCH 053/507] linuxPackages.spl: no pic hardening --- pkgs/os-specific/linux/spl/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/spl/default.nix b/pkgs/os-specific/linux/spl/default.nix index 959523ec5971..67e2f16848bd 100644 --- a/pkgs/os-specific/linux/spl/default.nix +++ b/pkgs/os-specific/linux/spl/default.nix @@ -30,6 +30,8 @@ stdenv.mkDerivation rec { buildInputs = [ autoconf automake libtool ]; + hardening_pic = false; + preConfigure = '' ./autogen.sh From 5808bfb9773a4d6e39bc35bf18ae271954811f8a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 22:51:21 +0000 Subject: [PATCH 054/507] yacas: no format hardening --- pkgs/applications/science/math/yacas/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/science/math/yacas/default.nix b/pkgs/applications/science/math/yacas/default.nix index 2c9d63be1b4d..af284a2f82e0 100644 --- a/pkgs/applications/science/math/yacas/default.nix +++ b/pkgs/applications/science/math/yacas/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1dmafm3w0lm5w211nwkfzaid1rvvmgskz7k4500pjhgdczi5sd78"; }; + hardening_format = false; + # Perl is only for the documentation nativeBuildInputs = [ perl ]; 
@@ -32,7 +34,7 @@ stdenv.mkDerivation rec { ''; }; - meta = { + meta = { description = "Easy to use, general purpose Computer Algebra System"; homepage = http://yacas.sourceforge.net/; license = stdenv.lib.licenses.gpl2Plus; From 0c5b86b607b3a40a468c45d6a98d9c2b86860e80 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 23:07:12 +0000 Subject: [PATCH 055/507] eggdrop: use git rev to fix compiling with gcc5 --- pkgs/tools/networking/eggdrop/default.nix | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/pkgs/tools/networking/eggdrop/default.nix b/pkgs/tools/networking/eggdrop/default.nix index cf7fb20df68b..90bc8b54f28f 100644 --- a/pkgs/tools/networking/eggdrop/default.nix +++ b/pkgs/tools/networking/eggdrop/default.nix @@ -1,16 +1,20 @@ -{ stdenv, fetchurl, tcl }: +{ stdenv, fetchFromGitHub, tcl }: stdenv.mkDerivation rec { name = "eggdrop-${version}"; - version = "1.6.21"; + version = "1.6.21-nix1"; - src = fetchurl { - url = "ftp://ftp.eggheads.org/pub/eggdrop/GNU/1.6/eggdrop${version}.tar.gz"; - sha256 = "1galvbh9y4c3msrg1s9na0asm077mh1g2i2vsv1vczmfrbgq92vs"; + src = fetchFromGitHub { + owner = "eggheads"; + repo = "eggdrop"; + rev = "9ec109a13c016c4cdc7d52b7e16e4b9b6fbb9331"; + sha256 = "0mf1vcbmpnvmf5mxk7gi3z32fxpcbynsh9jni8z8frrscrdf5lp5"; }; buildInputs = [ tcl ]; + hardening_format = false; + preConfigure = '' prefix=$out/eggdrop mkdir -p $prefix From 801b80299c0fad477b906b9fe921f988a237cdb5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 23:27:47 +0000 Subject: [PATCH 056/507] udftools: fix compiling with gcc5 and turn off fortify --- pkgs/tools/filesystems/udftools/default.nix | 3 +++ pkgs/tools/filesystems/udftools/gcc5.patch | 17 +++++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 pkgs/tools/filesystems/udftools/gcc5.patch diff --git a/pkgs/tools/filesystems/udftools/default.nix b/pkgs/tools/filesystems/udftools/default.nix index 329950f8969b..d3964b1e4275 100644 
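Review bot: the eggdrop source moves from the 1.6.21 release tarball to upstream commit `9ec109a13c016c4cdc7d52b7e16e4b9b6fbb9331`, which pulls in every change between the release and that commit, not only the gcc5 fix the commit message names, and `version = "1.6.21-nix1"` hides that this is a snapshot. If a single upstream commit is enough, `fetchpatch` on that commit keeps the package at the released version; otherwise add `# unreleased git snapshot: needed for gcc5 build fixes after 1.6.21` next to `rev`. The added `hardening_format = false;` on a network-facing bot deserves its own comment as well.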
--- a/pkgs/tools/filesystems/udftools/default.nix +++ b/pkgs/tools/filesystems/udftools/default.nix @@ -10,6 +10,9 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses readline ]; + patches = [ ./gcc5.patch ]; + hardening_fortify = false; + preConfigure = '' sed -e '1i#include ' -i cdrwtool/cdrwtool.c -i pktsetup/pktsetup.c sed -e 's@[(]char[*][)]spm [+]=@spm = ((char*) spm) + @' -i wrudf/wrudf.c diff --git a/pkgs/tools/filesystems/udftools/gcc5.patch b/pkgs/tools/filesystems/udftools/gcc5.patch new file mode 100644 index 000000000000..2c57ff20e135 --- /dev/null +++ b/pkgs/tools/filesystems/udftools/gcc5.patch @@ -0,0 +1,17 @@ +--- udftools-1.0.0b3/libudffs/desc.c 2016-02-07 23:21:38.595391610 +0000 ++++ udftools-1.0.0b3/libudffs/desc.c 2016-02-07 23:21:57.759756269 +0000 +@@ -34,12 +34,12 @@ + #include "libudffs.h" + #include "config.h" + +-inline struct impUseVolDescImpUse *query_iuvdiu(struct udf_disc *disc) ++extern struct impUseVolDescImpUse *query_iuvdiu(struct udf_disc *disc) + { + return (struct impUseVolDescImpUse *)disc->udf_iuvd[0]->impUse; + } + +-inline struct logicalVolIntegrityDescImpUse *query_lvidiu(struct udf_disc *disc) ++extern struct logicalVolIntegrityDescImpUse *query_lvidiu(struct udf_disc *disc) + { + return (struct logicalVolIntegrityDescImpUse *)&(disc->udf_lvid->impUse[le32_to_cpu(disc->udf_lvd[0]->numPartitionMaps) * 2 * sizeof(uint32_t)]); + } From d2f8058cacec7d8841855f52bd0b108cee1c7fb3 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 7 Feb 2016 23:54:10 +0000 Subject: [PATCH 057/507] vxl: update to git version to build with gcc5 --- pkgs/development/libraries/vxl/default.nix | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/pkgs/development/libraries/vxl/default.nix b/pkgs/development/libraries/vxl/default.nix index e181ade4d6c4..b9f3c0e64d6c 100644 --- a/pkgs/development/libraries/vxl/default.nix +++ b/pkgs/development/libraries/vxl/default.nix 
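Review bot: `gcc5.patch` turns `query_iuvdiu` and `query_lvidiu` from `inline` into `extern` definitions; that works because under C99 inline semantics, which gcc 5 appears to default to, a plain `inline` definition emits no external symbol, but neither the patch nor `default.nix` says so. A header line in the patch such as `# gcc5 defaults to gnu11, where a plain 'inline' definition no longer emits an external symbol; make these ordinary functions` would save the next reader the archaeology. Compiling with `-std=gnu89` through NIX_CFLAGS_COMPILE is the alternative if more such functions turn up.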
@@ -1,10 +1,12 @@ -{ stdenv, fetchurl, unzip, cmake, libtiff, expat, zlib, libpng, libjpeg }: +{ stdenv, fetchFromGitHub, unzip, cmake, libtiff, expat, zlib, libpng, libjpeg }: stdenv.mkDerivation { - name = "vxl-1.17.0"; + name = "vxl-1.17.0-nix1"; - src = fetchurl { - url = mirror://sourceforge/vxl/vxl-1.17.0.zip; - sha256 = "1qg7i8h201pa8jljg7vph4rlxk6n5cj9f9gd1hkkmbw6fh44lsxh"; + src = fetchFromGitHub { + owner = "vxl"; + repo = "vxl"; + rev = "777c0beb7c8b30117400f6fc9a6d63bf8cb7c67a"; + sha256 = "0xpkwwb93ka6c3da8zjhfg9jk5ssmh9ifdh1by54sz6c7mbp55m8"; }; buildInputs = [ cmake unzip libtiff expat zlib libpng libjpeg ]; From 94a74cb14db58c001124283defe3456a0fde51d1 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 00:18:44 +0000 Subject: [PATCH 058/507] spidermonkey: turn off format hardening --- pkgs/development/interpreters/spidermonkey/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/interpreters/spidermonkey/default.nix b/pkgs/development/interpreters/spidermonkey/default.nix index b7744ea53c38..81071aafe4ee 100644 --- a/pkgs/development/interpreters/spidermonkey/default.nix +++ b/pkgs/development/interpreters/spidermonkey/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "12v6v2ccw1y6ng3kny3xw0lfs58d1klylqq707k0x04m707kydj4"; }; + hardening_format = false; + buildInputs = [ readline ]; postUnpack = "sourceRoot=\${sourceRoot}/src"; From ef0d652f2bb4e6e2f3b93043d5cc4572e2d10b65 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 00:20:53 +0000 Subject: [PATCH 059/507] uucp: turn off format hardening --- pkgs/tools/misc/uucp/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/misc/uucp/default.nix b/pkgs/tools/misc/uucp/default.nix index bf73dbcbf2fc..cba343863bef 100644 --- a/pkgs/tools/misc/uucp/default.nix +++ b/pkgs/tools/misc/uucp/default.nix 
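Review bot: with the vxl source now coming from `fetchFromGitHub` the archive is no longer a zip, yet `unzip` stays in the function arguments and in the context line `buildInputs = [ cmake unzip libtiff expat zlib libpng libjpeg ];`, so it is a dead dependency after this change. As with the eggdrop hunk, the pinned commit `777c0beb7c8b30117400f6fc9a6d63bf8cb7c67a` is a post-release snapshot labelled `vxl-1.17.0-nix1`; a comment on `rev` such as `# git snapshot: the 1.17.0 release does not build with gcc5` makes the reason visible.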
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0b5nhl9vvif1w3wdipjsk8ckw49jj1w85xw1mmqi3zbcpazia306"; }; - doCheck = true; + hardening_format = false; meta = { description = "Unix-unix cp over serial line, also includes cu program"; From 548d670f949aab1caa56601c6eb16ce5c9ec9216 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 00:21:29 +0000 Subject: [PATCH 060/507] tasknc: turn off format hardening --- pkgs/applications/misc/tasknc/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/misc/tasknc/default.nix b/pkgs/applications/misc/tasknc/default.nix index f7460618d964..d725bba03079 100644 --- a/pkgs/applications/misc/tasknc/default.nix +++ b/pkgs/applications/misc/tasknc/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "0max5schga9hmf3vfqk2ic91dr6raxglyyjcqchzla280kxn5c28"; }; + hardening_format = false; + # # I know this is ugly, but the Makefile does strange things in this package, # so we have to: From d13d46fea03a6b60cb9caf0c5ca2bde1355d9f87 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 00:28:41 +0000 Subject: [PATCH 061/507] wordnet: turn off format hardening --- pkgs/applications/misc/wordnet/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/misc/wordnet/default.nix b/pkgs/applications/misc/wordnet/default.nix index b244e9c1bfce..d5edf2a4d584 100644 --- a/pkgs/applications/misc/wordnet/default.nix +++ b/pkgs/applications/misc/wordnet/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { buildInputs = [tcl tk xlibsWrapper makeWrapper]; + hardening_format = false; + patchPhase = '' sed "13i#define USE_INTERP_RESULT 1" -i src/stubs.c ''; From e6345523f2de0b1b201f9b173171bf1a721e4528 Mon Sep 17 00:00:00 2001 
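Review bot: `doCheck = true;` is removed in the same uucp hunk that adds `hardening_format = false;`, so the commit silently disables the package's test suite while its message mentions only hardening. If the tests now fail for an unrelated reason, that is a separate change and should be recorded: keep `doCheck = true;` and add `hardening_format = false;` beside it, or comment why checks are off, e.g. `# doCheck disabled: <failing test — fill in>`.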
From: Robin Gloster Date: Mon, 8 Feb 2016 00:39:17 +0000 Subject: [PATCH 062/507] john: add patch to build with gcc5 --- pkgs/tools/security/john/default.nix | 2 ++ pkgs/tools/security/john/gcc5.patch | 14 ++++++++++++++ 2 files changed, 16 insertions(+) create mode 100644 pkgs/tools/security/john/gcc5.patch diff --git a/pkgs/tools/security/john/default.nix b/pkgs/tools/security/john/default.nix index 2e99208fe114..dfaa56f0c772 100644 --- a/pkgs/tools/security/john/default.nix +++ b/pkgs/tools/security/john/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { sha256 = "08q92sfdvkz47rx6qjn7qv57cmlpy7i7rgddapq5384mb413vjds"; }; + patches = [ ./gcc5.patch ]; + postPatch = '' sed -ri -e ' s!^(#define\s+CFG_[A-Z]+_NAME\s+).*/!\1"'"$out"'/etc/john/! diff --git a/pkgs/tools/security/john/gcc5.patch b/pkgs/tools/security/john/gcc5.patch new file mode 100644 index 000000000000..73da83483f90 --- /dev/null +++ b/pkgs/tools/security/john/gcc5.patch @@ -0,0 +1,14 @@ +diff --git a/src/common.h b/src/common.h +--- a/src/common.h ++++ b/src/common.h +@@ -31,7 +31,9 @@ typedef unsigned long long ARCH_WORD_64; + #define is_aligned(PTR, CNT) ((((ARCH_WORD)(const void *)(PTR))&(CNT-1))==0) + + #ifdef __GNUC__ +-#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 7) || defined(__INTEL_COMPILER) ++#if __GNUC__ >= 5 ++#define MAYBE_INLINE __attribute__((gnu_inline)) inline ++#elif __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 7) || defined(__INTEL_COMPILER) + #define MAYBE_INLINE __attribute__((always_inline)) inline + #elif __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 1) + #define MAYBE_INLINE __attribute__((always_inline)) From 7eb16a4eb822e3c83ebe66b08cbdaa52a8a6f49e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 00:41:02 +0000 Subject: [PATCH 063/507] pngcheck: turn off format hardening --- pkgs/tools/graphics/pngcheck/default.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
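Review bot: for gcc 5 the john patch defines `MAYBE_INLINE` as `__attribute__((gnu_inline)) inline`, dropping the `always_inline` that every other branch keeps, so functions marked with it are no longer forced inline on the new compiler; the macro name suggests that is tolerable, but it is a code-generation change in a compute-bound tool and the commit does not mention it. If forced inlining is still wanted, `__attribute__((gnu_inline, always_inline)) inline` keeps both, and a comment in `gcc5.patch` should say that `gnu_inline` is there to restore gnu89 inline semantics under gcc 5's newer default.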
diff --git a/pkgs/tools/graphics/pngcheck/default.nix b/pkgs/tools/graphics/pngcheck/default.nix index 160badaf668b..f67e7202521b 100644 --- a/pkgs/tools/graphics/pngcheck/default.nix +++ b/pkgs/tools/graphics/pngcheck/default.nix @@ -8,9 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0pzkj1bb4kdybk6vbfq9s0wzdm5szmrgixkas3xmbpv4mhws1w3p"; }; - # configurePhase = '' - # sed -i s,/usr,$out, Makefile - # ''; + hardening_format = false; makefile = "Makefile.unx"; makeFlags = "ZPATH=${zlib}/lib"; From 457f340785626eb9ec0039aeb1cb4e3dd1ea7071 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 00:44:00 +0000 Subject: [PATCH 064/507] prover9: turn off format hardening --- pkgs/applications/science/logic/prover9/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/science/logic/prover9/default.nix b/pkgs/applications/science/logic/prover9/default.nix index d92c7887210e..f6ec3b840ac5 100644 --- a/pkgs/applications/science/logic/prover9/default.nix +++ b/pkgs/applications/science/logic/prover9/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "1l2i3d3h5z7nnbzilb6z92r0rbx0kh6yaxn2c5qhn3000xcfsay3"; }; - phases = "unpackPhase patchPhase buildPhase installPhase"; + hardening_format = false; patchPhase = '' RM=$(type -tp rm) @@ -23,6 +23,8 @@ stdenv.mkDerivation { buildFlags = "all"; + checkPhase = "make test1"; + installPhase = '' mkdir -p $out/bin cp bin/* $out/bin From c3d9533c80dbe68fccba2a9aeb663ab08f159be4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 00:45:24 +0000 Subject: [PATCH 065/507] vorbisgain: turn off format hardening --- pkgs/tools/misc/vorbisgain/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/misc/vorbisgain/default.nix b/pkgs/tools/misc/vorbisgain/default.nix index ea61e0633282..292023a1b582 100644 --- a/pkgs/tools/misc/vorbisgain/default.nix +++ b/pkgs/tools/misc/vorbisgain/default.nix 
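Review bot: removing `phases = "unpackPhase patchPhase buildPhase installPhase"` from prover9 re-enables the default phase list — configure, check, fixup and the rest — which is a behaviour change the commit title (format hardening) does not mention. The newly added `checkPhase = "make test1";` presumably only runs when `doCheck` is set, and nothing in the hunk sets it, so either add `doCheck = true;` or comment why the phase is defined but not enabled. If the explicit phase list existed to skip a configure script, that should be re-checked after this change.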
@@ -8,11 +8,14 @@ stdenv.mkDerivation rec { sha256 = "1v1h6mhnckmvvn7345hzi9abn5z282g4lyyl4nnbqwnrr98v0vfx"; }; + hardening_format = false; + buildInputs = [ unzip libogg libvorbis ]; + patchPhase = '' chmod -v +x configure configureFlags="--mandir=$out/share/man" - ''; + ''; meta = with stdenv.lib; { homepage = http://sjeng.org/vorbisgain.html; From 88b976e0db524be526cafc8a6d53b7b26a3fe98e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 09:52:09 +0000 Subject: [PATCH 066/507] allegro: turn off format hardening --- pkgs/development/libraries/allegro/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/allegro/default.nix b/pkgs/development/libraries/allegro/default.nix index deb3a6877e89..50d3eec4f3f7 100644 --- a/pkgs/development/libraries/allegro/default.nix +++ b/pkgs/development/libraries/allegro/default.nix @@ -18,6 +18,8 @@ stdenv.mkDerivation rec { xf86dgaproto xf86miscproto xf86vidmodeproto libXxf86vm openal mesa ]; + hardening_format = false; + cmakeFlags = [ "-DCMAKE_SKIP_RPATH=ON" ]; meta = with stdenv.lib; { From ceae7fc2929cfc1c3b7f350f3a79f818a60a9fcf Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 09:52:31 +0000 Subject: [PATCH 067/507] giflib_4_1: turn off format hardening --- pkgs/development/libraries/giflib/4.1.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/development/libraries/giflib/4.1.nix b/pkgs/development/libraries/giflib/4.1.nix index 13cd1c79b6a7..114e0e587b66 100644 --- a/pkgs/development/libraries/giflib/4.1.nix +++ b/pkgs/development/libraries/giflib/4.1.nix @@ -2,10 +2,14 @@ stdenv.mkDerivation { name = "giflib-4.1.6"; + src = fetchurl { url = mirror://sourceforge/giflib/giflib-4.1.6.tar.bz2; sha256 = "1v9b7ywz7qg8hli0s9vv1b8q9xxb2xvqq2mg1zpr73xwqpcwxhg1"; }; + + hardening_format = false; + meta = { branch = "4.1"; }; From ee20b0d6a0b0708913f6e81695f855d9ae6ec5aa Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Mon, 8 Feb 2016 09:52:47 +0000 Subject: [PATCH 068/507] wv: turn off format hardening --- pkgs/tools/misc/wv/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/wv/default.nix b/pkgs/tools/misc/wv/default.nix index dbb46cea832a..3d828a55121e 100644 --- a/pkgs/tools/misc/wv/default.nix +++ b/pkgs/tools/misc/wv/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation { buildInputs = [ zlib imagemagick libpng glib pkgconfig libgsf libxml2 bzip2 ]; + hardening_format = false; + meta = { description = "Converter from Microsoft Word formats to human-editable ones"; }; From b457f695d99ad040bb72b0f3de6cfaefc68ae12c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 09:55:18 +0000 Subject: [PATCH 069/507] clean: turn off format and pic hardening --- pkgs/development/compilers/clean/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/development/compilers/clean/default.nix b/pkgs/development/compilers/clean/default.nix index 7f3e679e8476..dcb7350fbbb2 100644 --- a/pkgs/development/compilers/clean/default.nix +++ b/pkgs/development/compilers/clean/default.nix @@ -14,6 +14,9 @@ stdenv.mkDerivation rec { }) else throw "Architecture not supported"; + hardening_format = false; + hardening_pic = false; + # clm uses timestamps of dcl, icl, abc and o files to decide what must be rebuild # and for chroot builds all of the library files will have equal timestamps. This # makes clm try to rebuild the library modules (and fail due to absence of write permission From 6c683ef004080b7bc3bfa860f4613df11cd94f8e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 10:15:32 +0000 Subject: [PATCH 070/507] gkrellm: turn off format hardening --- pkgs/applications/misc/gkrellm/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/misc/gkrellm/default.nix b/pkgs/applications/misc/gkrellm/default.nix index 934a7c69c993..7c755a4f3d3e 100644 
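Review bot: `hardening_pic = false;` disables position-independent code for everything clean builds, a stronger change than the format one, and the hunk carries no comment saying which part of the build fails with PIC; the same undocumented switch appears in the OVMF hunk. A why-comment above the line, e.g. `# <what fails with -fPIC, placeholder>; revisit on next release`, lets the exemption be revisited instead of inherited forever. The mkDerivation body continues outside the hunk.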
--- a/pkgs/applications/misc/gkrellm/default.nix +++ b/pkgs/applications/misc/gkrellm/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { buildInputs = [gettext pkgconfig glib gtk libX11 libSM libICE]; + hardening_format = false; + # Makefiles are patched to fix references to `/usr/X11R6' and to add # `-lX11' to make sure libX11's store path is in the RPATH. patchPhase = '' From 1cf63c85be3a8001ef28cb14ac46ab227c6f37d9 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 15:43:12 +0000 Subject: [PATCH 071/507] aacgain: turn off format hardening --- pkgs/applications/audio/aacgain/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/audio/aacgain/default.nix b/pkgs/applications/audio/aacgain/default.nix index 69cc798ec0f9..80e3c5dc40a7 100644 --- a/pkgs/applications/audio/aacgain/default.nix +++ b/pkgs/applications/audio/aacgain/default.nix @@ -2,6 +2,7 @@ stdenv.mkDerivation { name = "aacgain-1.9.0"; + src = fetchFromGitHub { owner = "mulx"; repo = "aacgain"; @@ -9,6 +10,8 @@ stdenv.mkDerivation { sha256 = "07hl432vsscqg01b6wr99qmsj4gbx0i02x4k565432y6zpfmaxm0"; }; + hardening_format = false; + configurePhase = '' cd mp4v2 ./configure @@ -28,7 +31,7 @@ stdenv.mkDerivation { make LDFLAGS=-static cd .. - make + make ''; installPhase = '' From cccd32b7a1a7883f89cfa876d1c0760c8eee8d1a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 17:19:49 +0000 Subject: [PATCH 072/507] cdrdao: turn off format hardening --- pkgs/tools/cd-dvd/cdrdao/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/cd-dvd/cdrdao/default.nix b/pkgs/tools/cd-dvd/cdrdao/default.nix index 375bbcda7e4d..2de5736a4c22 100644 --- a/pkgs/tools/cd-dvd/cdrdao/default.nix +++ b/pkgs/tools/cd-dvd/cdrdao/default.nix 
@@ -12,6 +12,8 @@ stdenv.mkDerivation { buildInputs = [ lame libvorbis libmad pkgconfig libao ]; + hardening_format = false; + # Adjust some headers to match glibc 2.12 ... patch is a diff between # the cdrdao CVS head and the 1.2.3 release. patches = [ ./adjust-includes-for-glibc-212.patch ]; From cbc82aed2244c207e9edfdcc29a10e4311e35faf Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 17:27:52 +0000 Subject: [PATCH 073/507] beanstalkd: turn off fortify --- pkgs/servers/beanstalkd/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/beanstalkd/default.nix b/pkgs/servers/beanstalkd/default.nix index cea7ca0b337f..f5693e451684 100644 --- a/pkgs/servers/beanstalkd/default.nix +++ b/pkgs/servers/beanstalkd/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "0n9dlmiddcfl7i0f1lwfhqiwyvf26493fxfcmn8jm30nbqciwfwj"; }; + hardening_fortify = false; + meta = with stdenv.lib; { homepage = http://kr.github.io/beanstalkd/; description = "A simple, fast work queue"; From 8fb28b21b461468a0eb72ba847da5cfe9e474ae9 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 22:52:35 +0000 Subject: [PATCH 074/507] bsdgames: turn off format hardening --- pkgs/games/bsdgames/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/games/bsdgames/default.nix b/pkgs/games/bsdgames/default.nix index 0709692552c2..6e138511d03d 100644 --- a/pkgs/games/bsdgames/default.nix +++ b/pkgs/games/bsdgames/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation { }) ]; + hardening_format = false; + preConfigure = '' cat > config.params << EOF bsd_games_cfg_man6dir=$out/share/man/man6 From b0eedc4ecb97c8608cc9a7612a4c609a2abf62bf Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 23:07:09 +0000 Subject: [PATCH 075/507] edk2: turn off fortify & format hardening --- pkgs/development/compilers/edk2/default.nix | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) 
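Review bot: `hardening_fortify = false;` drops the `_FORTIFY_SOURCE` bounds-checked libc wrappers from a network-facing daemon, and the hunk does not say what broke; the same undocumented switch appears in the edk2, OVMF, cbfstool, checkinstall and xen hunks. If the failure is the usual "_FORTIFY_SOURCE requires compiling with optimization" warning turned into an error, the narrower fix is to keep optimization on in the package's make flags rather than disable fortify, and if one file breaks, a source patch limits the exemption to that file. A comment above the line such as `# <reason placeholder>; re-check on next release` would document whichever option is chosen. The mkDerivation body continues outside the hunk.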
diff --git a/pkgs/development/compilers/edk2/default.nix b/pkgs/development/compilers/edk2/default.nix index f68681e60232..cf4d0e4f02aa 100644 --- a/pkgs/development/compilers/edk2/default.nix +++ b/pkgs/development/compilers/edk2/default.nix @@ -11,7 +11,7 @@ else edk2 = stdenv.mkDerivation { name = "edk2-2014-12-10"; - + src = fetchgit { url = git://github.com/tianocore/edk2; rev = "684a565a04"; @@ -20,9 +20,10 @@ edk2 = stdenv.mkDerivation { buildInputs = [ libuuid pythonFull ]; - buildPhase = '' - make -C BaseTools - ''; + makeFlags = "-C BaseTools"; + + hardening_fortify = false; + hardening_format = false; installPhase = '' mkdir -vp $out From 3fcb0285b2195ed9e3d176338440a96b4cee18fc Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 23:15:13 +0000 Subject: [PATCH 076/507] QmidiNet: turn off format hardening --- pkgs/applications/audio/QmidiNet/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/QmidiNet/default.nix b/pkgs/applications/audio/QmidiNet/default.nix index 4e89f125dd9b..c7e282648ad2 100644 --- a/pkgs/applications/audio/QmidiNet/default.nix +++ b/pkgs/applications/audio/QmidiNet/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "1a1pj4w74wj1gcfv4a0vzcglmr5sw0xp0y56w8rk3ig4k11xi8sa"; }; + hardening_format = false; + buildInputs = [ qt4 alsaLib libjack2 ]; meta = with stdenv.lib; { From 2f1567ad33d585f93e5314b161fbd2a60fa66e64 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 23:18:03 +0000 Subject: [PATCH 077/507] OVMF: no stackprotector/pic/fortify hardening --- pkgs/applications/virtualization/OVMF/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/applications/virtualization/OVMF/default.nix b/pkgs/applications/virtualization/OVMF/default.nix index 479d625c7de7..513242271a18 100644 --- a/pkgs/applications/virtualization/OVMF/default.nix +++ b/pkgs/applications/virtualization/OVMF/default.nix 
@@ -17,6 +17,10 @@ stdenv.mkDerivation (edk2.setup "OvmfPkg/OvmfPkg${targetArch}.dsc" { # TODO: properly include openssl for secureBoot buildInputs = [nasm iasl] ++ stdenv.lib.optionals (secureBoot == true) [ openssl ]; + hardening_stackprotector = false; + hardening_pic = false; + hardening_fortify = false; + unpackPhase = '' for file in \ "${edk2.src}"/{UefiCpuPkg,MdeModulePkg,IntelFrameworkModulePkg,PcAtChipsetPkg,FatBinPkg,EdkShellBinPkg,MdePkg,ShellPkg,OptionRomPkg,IntelFrameworkPkg}; From 37918bdc7a09e34985c57a3fe64000edf92362b3 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 8 Feb 2016 23:27:06 +0000 Subject: [PATCH 078/507] abook: fix compiling with gcc5 --- pkgs/applications/misc/abook/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/applications/misc/abook/default.nix b/pkgs/applications/misc/abook/default.nix index 77e48e49dd89..b8e662a42cdc 100644 --- a/pkgs/applications/misc/abook/default.nix +++ b/pkgs/applications/misc/abook/default.nix @@ -11,6 +11,11 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig ncurses readline ]; + # Changed inline semantics in GCC5, need to export symbols for inline funcs + postPatch = '' + substituteInPlace database.c --replace inline extern + ''; + meta = { homepage = "http://abook.sourceforge.net/"; description = "Text-based addressbook program designed to use with mutt mail client"; From 09a3349a7916366ab63063625806cff7a86cb25d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 00:08:56 +0000 Subject: [PATCH 079/507] tetex: turn off format hardening --- pkgs/tools/typesetting/tex/tetex/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/typesetting/tex/tetex/default.nix b/pkgs/tools/typesetting/tex/tetex/default.nix index 8d6c88a0004e..cffe0b39d229 100644 --- a/pkgs/tools/typesetting/tex/tetex/default.nix +++ b/pkgs/tools/typesetting/tex/tetex/default.nix 
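Review bot: The three new `hardening_* = false;` lines for OVMF carry no comment; for a firmware image built with edk2's own toolchain settings these features are presumably unusable (no libc to supply the stack-protector and fortified wrappers, and a non-relocatable image), but that reasoning should be in the file rather than inferred. A comment such as `# freestanding firmware image: stack protector, fortify and PIC are not supported by the edk2 build (confirm)` above the lines would do. The mkDerivation body continues outside the hunk.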
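Review bot: `substituteInPlace database.c --replace inline extern` is a plain substring replacement, so it rewrites every occurrence of `inline` in database.c — any `static inline` (which becomes the invalid `static extern`), identifiers or comments containing the word — not only the function definitions the comment above it talks about. Anchoring the rewrite to the definitions, e.g. `sed -i 's/^inline /extern /' database.c`, touches only what is meant, assuming the affected definitions start at column 0 (confirm against the source). The mkDerivation body continues outside the hunk.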
@@ -2,7 +2,7 @@ stdenv.mkDerivation { name = "tetex-3.0"; - + src = fetchurl { url = ftp://cam.ctan.org/tex-archive/systems/unix/teTeX/current/distrib/tetex-src-3.0.tar.gz; md5 = "944a4641e79e61043fdaf8f38ecbb4b3"; @@ -15,6 +15,8 @@ stdenv.mkDerivation { buildInputs = [ flex bison zlib libpng ncurses ed ]; + hardening_format = false; + # fixes "error: conflicting types for 'calloc'", etc. preBuild = stdenv.lib.optionalString stdenv.isDarwin '' sed -i 57d texk/kpathsea/c-std.h From 2ff12752921b558d0e7f8953f02c2db813eccc61 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 00:45:13 +0000 Subject: [PATCH 080/507] bloodspilot-server: fix on gcc5 --- pkgs/games/xpilot/bloodspilot-server.nix | 34 +++++++------ pkgs/games/xpilot/server-gcc5.patch | 65 ++++++++++++++++++++++++ 2 files changed, 84 insertions(+), 15 deletions(-) create mode 100644 pkgs/games/xpilot/server-gcc5.patch diff --git a/pkgs/games/xpilot/bloodspilot-server.nix b/pkgs/games/xpilot/bloodspilot-server.nix index 3c811f1ba2ef..42bcb3263169 100644 --- a/pkgs/games/xpilot/bloodspilot-server.nix +++ b/pkgs/games/xpilot/bloodspilot-server.nix 
@@ -1,23 +1,27 @@ -{stdenv, fetchurl, expat}: -let - buildInputs = [ - expat - ]; -in +{ stdenv, fetchurl, expat }: + stdenv.mkDerivation rec { - version = "1.4.6"; name = "bloodspilot-xpilot-fxi-server-${version}"; - inherit buildInputs; + version = "1.4.6"; + src = fetchurl { url = "mirror://sourceforge/project/bloodspilot/server/server%20v${version}/xpilot-${version}fxi.tar.gz"; sha256 = "0d7hnpshifq6gy9a0g6il6h1hgqqjyys36n8w84hr8d4nhg4d1ji"; }; - meta = { - inherit version; - description = ''A multiplayer X11 space combat game (server part)''; - homepage = "http://bloodspilot.sf.net/"; - license = stdenv.lib.licenses.gpl2Plus ; - maintainers = [stdenv.lib.maintainers.raskin]; - platforms = stdenv.lib.platforms.linux; + + buildInputs = [ + expat + ]; + + patches = [ + ./server-gcc5.patch + ]; + + meta = with stdenv.lib; { + description = "A multiplayer X11 space combat game (server part)"; + homepage = http://bloodspilot.sf.net/; + license = licenses.gpl2Plus ; + maintainers = [ maintainers.raskin ]; + platforms = platforms.linux; }; } diff --git a/pkgs/games/xpilot/server-gcc5.patch b/pkgs/games/xpilot/server-gcc5.patch new file mode 100644 index 000000000000..5618399bfecd --- /dev/null +++ b/pkgs/games/xpilot/server-gcc5.patch 
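Review bot: The rewritten meta block keeps the stray space in `license = licenses.gpl2Plus ;` from the old version, and the new `patches = [ ./server-gcc5.patch ];` has no comment explaining what it fixes. Writing `license = licenses.gpl2Plus;` and adding a line such as `# gcc5 defaults to gnu11, where plain 'inline' definitions emit no external symbol; the patch makes them ordinary externs` above the patches attribute would make the intent clear.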
@@ -0,0 +1,65 @@ +--- xpilot-1.4.6fxi/src/common/net.c 2016-02-09 00:20:43.531714342 +0000 ++++ xpilot-1.4.6fxi/src/common/net.c 2016-02-09 00:21:15.301331053 +0000 +@@ -608,9 +608,9 @@ + } + + #if STDVA +-inline int32_t Packet_scanf(sockbuf_t *sbuf, const char *fmt, ...) ++extern int32_t Packet_scanf(sockbuf_t *sbuf, const char *fmt, ...) + #else +-inline int32_t Packet_scanf(va_alist) ++extern int32_t Packet_scanf(va_alist) + va_dcl + #endif + { +--- xpilot-1.4.6fxi/src/server/collision.c 2016-02-09 00:22:29.581784405 +0000 ++++ xpilot-1.4.6fxi/src/server/collision.c 2016-02-09 00:22:38.152952500 +0000 +@@ -71,7 +71,7 @@ + * p: first object, q: second object + */ + +-inline int32_t Collision_occured(int32_t p1x, int32_t p1y, int32_t p2x, int32_t p2y, ++extern int32_t Collision_occured(int32_t p1x, int32_t p1y, int32_t p2x, int32_t p2y, + int32_t q1x, int32_t q1y, int32_t q2x, int32_t q2y, int32_t r) + { + int32_t fac1, fac2; /* contraction between the distance between the x and y coordinates of objects */ +--- xpilot-1.4.6fxi/src/server/player.c 2016-02-09 00:25:29.546313808 +0000 ++++ xpilot-1.4.6fxi/src/server/player.c 2016-02-09 00:25:40.464527932 +0000 +@@ -1411,12 +1411,12 @@ + return NULL; + } + +-inline bool Player_idle_timed_out(player_t *pl) ++extern bool Player_idle_timed_out(player_t *pl) + { + return (frame_loops - pl->frame_last_busy > MAX_PLAYER_IDLE_TICKS && (NumPlayers > 1)) ? true : false; + } + +-inline bool Player_is_recovered(player_t *pl) ++extern bool Player_is_recovered(player_t *pl) + { + return (pl->recovery_count <= 0.0) ? 
true : false; + } +--- xpilot-1.4.6fxi/src/server/score.c 2016-02-09 00:21:45.659923025 +0000 ++++ xpilot-1.4.6fxi/src/server/score.c 2016-02-09 00:22:07.224345939 +0000 +@@ -24,17 +24,17 @@ + char msg[MSG_LEN]; + + +-inline double Get_Score(player_t *pl) ++extern double Get_Score(player_t *pl) + { + return pl->score; + } + +-inline void Score_set(player_t * pl, double score) ++extern void Score_set(player_t * pl, double score) + { + pl->score = score; + } + +-inline void Score_add(player_t * pl, double score) ++extern void Score_add(player_t * pl, double score) + { + pl->score += score; + } From 5b535580fdba11419088c94cc6ce68bf333121a1 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:00:21 +0000 Subject: [PATCH 081/507] cbfstool: turn off fortify --- pkgs/applications/virtualization/cbfstool/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/virtualization/cbfstool/default.nix b/pkgs/applications/virtualization/cbfstool/default.nix index d99f569d7e6b..01832b552925 100644 --- a/pkgs/applications/virtualization/cbfstool/default.nix +++ b/pkgs/applications/virtualization/cbfstool/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ iasl flex bison ]; + hardening_fortify = false; + buildPhase = '' export LEX=${flex}/bin/flex make -C util/cbfstool From 9c3ab539606718e13eda16849c6140966043d6fa Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:02:56 +0000 Subject: [PATCH 082/507] cccc: turn off format hardening --- pkgs/development/tools/analysis/cccc/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/development/tools/analysis/cccc/default.nix b/pkgs/development/tools/analysis/cccc/default.nix index c672c7964e75..a4d88f5d2ea4 100644 --- a/pkgs/development/tools/analysis/cccc/default.nix +++ b/pkgs/development/tools/analysis/cccc/default.nix 
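Review bot: The patch rewrites each `inline` definition in four source files as `extern`, which restores the missing external symbols but has to be redone on every upstream update; adding `NIX_CFLAGS_COMPILE = "-std=gnu89";` to bloodspilot-server.nix, in the same way the rcs commit in this series sets `-std=gnu99`, would restore the old inline semantics without carrying source edits. If the patch is kept, helpers such as `Collision_occured` and `Get_Score` are no longer inline candidates across translation units, which may matter in the server's per-frame loops; a sentence in the patch header noting that tradeoff would help.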
@@ -11,7 +11,11 @@ stdenv.mkDerivation { url = "mirror://sourceforge/${name}/${version}/${name}-${version}.tar.gz"; sha256 = "1gsdzzisrk95kajs3gfxks3bjvfd9g680fin6a9pjrism2lyrcr7"; }; + + hardening_format = false; + patches = [ ./cccc.patch ]; + preConfigure = '' substituteInPlace install/install.mak --replace /usr/local/bin $out/bin substituteInPlace install/install.mak --replace MKDIR=mkdir "MKDIR=mkdir -p" From 6be9164b973d122313c4cebdf1f88d3a0ee885aa Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:03:24 +0000 Subject: [PATCH 083/507] checkinstall: turn off fortify --- pkgs/tools/package-management/checkinstall/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/package-management/checkinstall/default.nix b/pkgs/tools/package-management/checkinstall/default.nix index dc3373c3b6fc..f1d7985e9a50 100644 --- a/pkgs/tools/package-management/checkinstall/default.nix +++ b/pkgs/tools/package-management/checkinstall/default.nix @@ -44,6 +44,8 @@ stdenv.mkDerivation { buildInputs = [gettext]; + hardening_fortify = false; + preBuild = '' makeFlagsArray=(PREFIX=$out) From 82daf82e61e0dd67eea17fc232b2e37f68191cf7 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:10:57 +0000 Subject: [PATCH 084/507] xen: turn off fortify --- pkgs/applications/virtualization/xen/generic.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix index 1f5553beb047..e7b34be74be1 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic.nix @@ -76,6 +76,7 @@ stdenv.mkDerivation { pythonPath = [ pythonPackages.curses ]; hardening_stackprotector = false; + hardening_fortify = false; patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches; From f39da3be76576a121ad0ea43cfd20f4ce64e8d2a Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Tue, 9 Feb 2016 01:20:59 +0000 Subject: [PATCH 085/507] valgrind: turn off stackprotector --- pkgs/development/tools/analysis/valgrind/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/tools/analysis/valgrind/default.nix b/pkgs/development/tools/analysis/valgrind/default.nix index b4b56be9c6d9..2896f4ff2716 100644 --- a/pkgs/development/tools/analysis/valgrind/default.nix +++ b/pkgs/development/tools/analysis/valgrind/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { outputs = [ "out" "doc" ]; + hardening_stackprotector = false; + # Perl is needed for `cg_annotate'. # GDB is needed to provide a sane default for `--db-command'. nativeBuildInputs = [ perl ]; From 70e6a117fa30a21f5105f9b735a1bac60c352099 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:22:40 +0000 Subject: [PATCH 086/507] cwiid: reformat and turn off format hardening --- pkgs/development/libraries/cwiid/default.nix | 52 +++++++++++--------- 1 file changed, 30 insertions(+), 22 deletions(-) diff --git a/pkgs/development/libraries/cwiid/default.nix b/pkgs/development/libraries/cwiid/default.nix index a86bdc8e035b..0b7d96b5cc18 100644 --- a/pkgs/development/libraries/cwiid/default.nix +++ b/pkgs/development/libraries/cwiid/default.nix 
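Review bot: `hardening_stackprotector = false;` is added without a why-comment; valgrind's tool executables are presumably built without libc, where `-fstack-protector` would reference `__stack_chk_fail` they cannot link, but that reasoning belongs in the file. A comment such as `# tool executables are freestanding; the stack protector needs libc's __stack_chk_fail (confirm against the build log)` lets the next maintainer check whether it is still required. The mkDerivation body continues outside the hunk.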
@@ -1,26 +1,34 @@ { stdenv, autoreconfHook, fetchgit, bison, flex, bluez, pkgconfig, gtk }: stdenv.mkDerivation rec { - name = "cwiid-2010-02-21-git"; - src = fetchgit { - url = https://github.com/abstrakraft/cwiid; - sha256 = "6f5355d036dab017da713c49d3042011fa24fb732ed0d5ee338ab6f5ff400f06"; - rev = "fadf11e89b579bcc0336a0692ac15c93785f3f82"; - }; - configureFlags = "--without-python"; - prePatch = '' - sed -i -e '/$(LDCONFIG)/d' common/include/lib.mak.in - ''; - buildInputs = [ autoreconfHook bison flex bluez pkgconfig gtk ]; - postInstall = '' - # Some programs (for example, cabal-install) have problems with the double 0 - sed -i -e "s/0.6.00/0.6.0/" $out/lib/pkgconfig/cwiid.pc - ''; - meta = { - description = "Linux Nintendo Wiimote interface"; - homepage = http://cwiid.org; - license = stdenv.lib.licenses.gpl2Plus; - maintainers = [ stdenv.lib.maintainers.bennofs ]; - platforms = stdenv.lib.platforms.linux; - }; + name = "cwiid-2010-02-21-git"; + + src = fetchgit { + url = https://github.com/abstrakraft/cwiid; + sha256 = "6f5355d036dab017da713c49d3042011fa24fb732ed0d5ee338ab6f5ff400f06"; + rev = "fadf11e89b579bcc0336a0692ac15c93785f3f82"; + }; + + hardening_format = false; + + configureFlags = "--without-python"; + + prePatch = '' + sed -i -e '/$(LDCONFIG)/d' common/include/lib.mak.in + ''; + + buildInputs = [ autoreconfHook bison flex bluez pkgconfig gtk ]; + + postInstall = '' + # Some programs (for example, cabal-install) have problems with the double 0 + sed -i -e "s/0.6.00/0.6.0/" $out/lib/pkgconfig/cwiid.pc + ''; + + meta = { + description = "Linux Nintendo Wiimote interface"; + homepage = http://cwiid.org; + license = stdenv.lib.licenses.gpl2Plus; + maintainers = [ stdenv.lib.maintainers.bennofs ]; + platforms = stdenv.lib.platforms.linux; + }; } From e06726ba15d424f762c6fcc63e77270f3bcab7ba Mon Sep 17 00:00:00 2001 
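Review bot: The only functional change in this hunk, the added `hardening_format = false;`, is buried in a re-indentation of every line of the file, so the diff cannot show what actually changed and blame will attribute every line to this commit. Splitting the reformat into its own commit, or at least naming the functional line in the commit message, keeps the hardening exemption reviewable. The new line also carries no comment on which format warning breaks the build.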
From: Robin Gloster Date: Tue, 9 Feb 2016 01:23:58 +0000 Subject: [PATCH 087/507] rcs: use std=gnu99 to compile with gcc5 --- pkgs/applications/version-management/rcs/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/applications/version-management/rcs/default.nix b/pkgs/applications/version-management/rcs/default.nix index a829af8aa235..3e66f85ff73d 100644 --- a/pkgs/applications/version-management/rcs/default.nix +++ b/pkgs/applications/version-management/rcs/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { doCheck = true; - NIX_CFLAGS_COMPILE = if stdenv.isDarwin then "-std=gnu99" else null; + NIX_CFLAGS_COMPILE = "-std=gnu99"; meta = { homepage = http://www.gnu.org/software/rcs/; From e046d4fcea85f8b59267565ce2d14ae467e7f474 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:26:02 +0000 Subject: [PATCH 088/507] cyclone: turn off format hardening --- pkgs/applications/audio/pd-plugins/cyclone/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/pd-plugins/cyclone/default.nix b/pkgs/applications/audio/pd-plugins/cyclone/default.nix index b90c6a0ea369..721ef89515ed 100644 --- a/pkgs/applications/audio/pd-plugins/cyclone/default.nix +++ b/pkgs/applications/audio/pd-plugins/cyclone/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ puredata ]; + hardening_format = false; + patchPhase = '' for file in `grep -r -l g_canvas.h` do From 3fb8ce5aaed6899176611026471f7270c312d5e0 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:26:35 +0000 Subject: [PATCH 089/507] db44, db47: turn off format hardening --- pkgs/development/libraries/db/db-4.4.nix | 1 + pkgs/development/libraries/db/db-4.7.nix | 1 + 2 files changed, 2 insertions(+) diff --git a/pkgs/development/libraries/db/db-4.4.nix b/pkgs/development/libraries/db/db-4.4.nix index 757b1f71405b..327da38e986a 100644 --- a/pkgs/development/libraries/db/db-4.4.nix 
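Review bot: `NIX_CFLAGS_COMPILE = "-std=gnu99";` is now unconditional but the file has no comment saying why, and the removed line only hinted at a Darwin quirk; a comment like `# gcc5 defaults to gnu11; rcs only builds with the gnu99 dialect` keeps the reason next to the flag. Dropping the `null` branch also means the flag is now applied on every platform, which matches the commit title. The mkDerivation body continues outside the hunk.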
+++ b/pkgs/development/libraries/db/db-4.4.nix @@ -5,4 +5,5 @@ import ./generic.nix (args // rec { extraPatches = [ ./cygwin-4.4.patch ]; sha256 = "0y9vsq8dkarx1mhhip1vaciz6imbbyv37c1dm8b20l7p064bg2i9"; branch = "4.4"; + drvArgs = { hardening_format = false; }; }) diff --git a/pkgs/development/libraries/db/db-4.7.nix b/pkgs/development/libraries/db/db-4.7.nix index 9a7d586cd042..0735099729a6 100644 --- a/pkgs/development/libraries/db/db-4.7.nix +++ b/pkgs/development/libraries/db/db-4.7.nix @@ -4,4 +4,5 @@ import ./generic.nix (args // rec { version = "4.7.25"; sha256 = "0gi667v9cw22c03hddd6xd6374l0pczsd56b7pba25c9sdnxjkzi"; branch = "4.7"; + drvArgs = { hardening_format = false; }; }) From dda7a039b73688e56fed6f549171cf2b87bbdb6b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:32:47 +0000 Subject: [PATCH 090/507] ddccontrol: turn off format hardening --- pkgs/tools/misc/ddccontrol/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/tools/misc/ddccontrol/default.nix b/pkgs/tools/misc/ddccontrol/default.nix index 2d5d10054b5b..d537c0f506fc 100644 --- a/pkgs/tools/misc/ddccontrol/default.nix +++ b/pkgs/tools/misc/ddccontrol/default.nix @@ -16,10 +16,12 @@ let version = "0.4.2"; in stdenv.mkDerivation { name = "ddccontrol-${version}"; + src = fetchurl { url = "mirror://sourceforge/ddccontrol/ddccontrol-${version}.tar.bz2"; sha1 = "fd5c53286315a61a18697a950e63ed0c8d5acff1"; }; + buildInputs = [ intltool @@ -35,6 +37,8 @@ stdenv.mkDerivation { ddccontrol-db ]; + hardening_format = false; + prePatch = '' newPath=$(echo "${ddccontrol-db}/share/ddccontrol-db" | sed "s/\\//\\\\\\//g") mv configure.ac configure.ac.old From 0afc644cfdb790f9405956e3551eadcdf6b2ba79 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:35:33 +0000 Subject: [PATCH 091/507] cbc: turn off format hardening --- pkgs/applications/science/math/cbc/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
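Review bot: `drvArgs = { hardening_format = false; };` relies on `./generic.nix` forwarding a `drvArgs` attribute into mkDerivation, and nothing in this commit shows that generic.nix has such a parameter; if it does not, the attribute is silently ignored and the build still fails. The same applies to the db-4.7.nix hunk. Please confirm generic.nix merges `drvArgs`, and add a comment above the line naming the format-security error it works around.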
diff --git a/pkgs/applications/science/math/cbc/default.nix b/pkgs/applications/science/math/cbc/default.nix index 0d1ef26092e2..f294750928ed 100644 --- a/pkgs/applications/science/math/cbc/default.nix +++ b/pkgs/applications/science/math/cbc/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation { enableParallelBuilding = true; + hardening_format = false; + buildInputs = [ zlib bzip2 ]; # FIXME: move share/coin/Data to a separate output? From 3e8a2e73a6c5c31d1a6e43be7a21fd4222e4daab Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 01:55:15 +0000 Subject: [PATCH 092/507] editres: turn off format hardening --- pkgs/tools/graphics/editres/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/graphics/editres/default.nix b/pkgs/tools/graphics/editres/default.nix index 64222185044d..c3d9a859f3ff 100644 --- a/pkgs/tools/graphics/editres/default.nix +++ b/pkgs/tools/graphics/editres/default.nix @@ -10,7 +10,9 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libXt libXaw libXres utilmacros ]; - preConfigure = "configureFlags=--with-appdefaultdir=$out/share/X11/app-defaults/editres"; + configureFlags = "--with-appdefaultdir=$(out)/share/X11/app-defaults/editres"; + + hardening_format = false; meta = { homepage = "http://cgit.freedesktop.org/xorg/app/editres/"; From 6951a7d1c1838bb6fd1c6f9a161a145ae5476747 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 02:03:28 +0000 Subject: [PATCH 093/507] epdfview: turn off format hardening --- pkgs/applications/misc/epdfview/default.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/misc/epdfview/default.nix b/pkgs/applications/misc/epdfview/default.nix index da198e6d88b0..7810284973f3 100644 --- a/pkgs/applications/misc/epdfview/default.nix +++ b/pkgs/applications/misc/epdfview/default.nix 
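Review bot: The new `configureFlags = "--with-appdefaultdir=$(out)/share/X11/app-defaults/editres";` passes the literal text `$(out)` to configure, since Nix does not interpolate `$(...)` and the shell does not perform command substitution inside an expanded variable; this only resolves correctly if the value is used solely inside Makefiles, where make picks `out` up from the environment. If configure uses the path at configure time (writing it into a header or creating directories), the build gets the literal string instead, so please check the generated Makefile, and add `# $(out) is expanded by make, not by the shell` above the line. The mkDerivation body continues outside the hunk.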
@@ -1,11 +1,17 @@ { stdenv, fetchurl, fetchpatch, pkgconfig, gtk, poppler }: + stdenv.mkDerivation rec { name = "epdfview-0.1.8"; + src = fetchurl { url = "http://trac.emma-soft.com/epdfview/chrome/site/releases/${name}.tar.bz2"; sha256 = "1w7qybh8ssl4dffi5qfajq8mndw7ipsd92vkim03nywxgjp4i1ll"; }; + buildInputs = [ pkgconfig gtk poppler ]; + + hardening_format = false; + patches = [ (fetchpatch { name = "epdfview-0.1.8-glib2-headers.patch"; url = "https://projects.archlinux.org/svntogit/community.git/plain/trunk/epdfview-0.1.8-glib2-headers.patch?h=packages/epdfview&id=40ba115c860bdec31d03a30fa594a7ec2864d634"; @@ -17,13 +23,14 @@ stdenv.mkDerivation rec { sha256 = "07yvgvai2bvbr5fa1mv6lg7nqr0qyryjn1xyjlh8nidg9k9vv001"; }) ]; + meta = { homepage = http://trac.emma-soft.com/epdfview/; description = "A lightweight PDF document viewer using Poppler and GTK+"; longDescription = '' ePDFView is a free lightweight PDF document viewer using Poppler and GTK+ libraries. The aim of ePDFView is to make a simple PDF document - viewer, in the lines of Evince but without using the Gnome libraries. + viewer, in the lines of Evince but without using the Gnome libraries. ''; license = stdenv.lib.licenses.gpl2; maintainers = with stdenv.lib.maintainers; [ astsmtl ]; From a626fc981348bb7a2b2af5873be36eb32a9e5531 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 02:14:32 +0000 Subject: [PATCH 094/507] a2ps: turn off format hardening --- pkgs/tools/text/a2ps/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/text/a2ps/default.nix b/pkgs/tools/text/a2ps/default.nix index 7de6a8dd5745..bcbf2b66a860 100644 --- a/pkgs/tools/text/a2ps/default.nix +++ b/pkgs/tools/text/a2ps/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { buildInputs = [ libpaper gperf file ]; + hardening_format = false; + meta = with stdenv.lib; { description = "An Anyithing to PostScript converter and pretty-printer"; longDescription = '' 
From a2bc57b15a099fbe6395f50c519f6ff9e0e0ecdf Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 02:21:31 +0000 Subject: [PATCH 095/507] firebird: turn off format hardening --- pkgs/servers/firebird/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/firebird/default.nix b/pkgs/servers/firebird/default.nix index 3e778317169c..e557a2a0061c 100644 --- a/pkgs/servers/firebird/default.nix +++ b/pkgs/servers/firebird/default.nix @@ -65,6 +65,8 @@ stdenv.mkDerivation rec { sha256 = "0887a813wffp44hnc2gmwbc4ylpqw3fh3hz3bf6q3648344a9fdv"; }; + hardening_format = false; + # configurePhase = '' # sed -i 's@cp /usr/share/automake-.*@@' autogen.sh # sh autogen.sh $configureFlags --prefix=$out From 75f8122c2c49dfb07c56a95f161920851e805705 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 02:24:58 +0000 Subject: [PATCH 096/507] cinepaint: turn off format hardening --- pkgs/applications/graphics/cinepaint/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/graphics/cinepaint/default.nix b/pkgs/applications/graphics/cinepaint/default.nix index f1ca27eed803..7b8281b4e3c6 100644 --- a/pkgs/applications/graphics/cinepaint/default.nix +++ b/pkgs/applications/graphics/cinepaint/default.nix @@ -18,14 +18,14 @@ stdenv.mkDerivation rec { libXext libXpm libXau libXxf86vm pixman libpthreadstubs fltk ]; + hardening_format = false; + patches = [ ./install.patch ]; nativeBuildInputs = [ cmake pkgconfig ]; NIX_LDFLAGS = "-llcms -ljpeg -lX11"; - # NIX_CFLAGS_COMPILE = "-I."; - meta = { homepage = http://www.cinepaint.org/; license = stdenv.lib.licenses.free; From 37cdc1678066bc7bfd4095bc13351a61d9cd6a06 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 10:29:15 +0000 Subject: [PATCH 097/507] alpine: turn off fortify/format hardening --- .../networking/mailreaders/alpine/default.nix | 32 ++++++++++--------- 1 file changed, 17 insertions(+), 15 deletions(-) 
diff --git a/pkgs/applications/networking/mailreaders/alpine/default.nix b/pkgs/applications/networking/mailreaders/alpine/default.nix index 03c2c21aed05..c77b51d70648 100644 --- a/pkgs/applications/networking/mailreaders/alpine/default.nix +++ b/pkgs/applications/networking/mailreaders/alpine/default.nix @@ -1,35 +1,37 @@ {stdenv, fetchurl, ncurses, tcl, openssl, pam, pkgconfig, gettext, kerberos , openldap }: + let - s = - rec { - version = "2.00"; + version = "2.00"; + baseName = "alpine"; +in +stdenv.mkDerivation { + name = "${baseName}-${version}"; + + src = fetchurl { url = "ftp://ftp.cac.washington.edu/alpine/alpine-${version}.tar.bz2"; sha256 = "19m2w21dqn55rhxbh5lr9qarc2fqa9wmpj204jx7a0zrb90bhpf8"; - baseName = "alpine"; - name = "${baseName}-${version}"; }; + buildInputs = [ ncurses tcl openssl pam kerberos openldap ]; -in -stdenv.mkDerivation { - inherit (s) name version; - inherit buildInputs; - src = fetchurl { - inherit (s) url sha256; - }; + + hardening_format = false; + hardening_fortify = false; + configureFlags = [ "--with-ssl-include-dir=${openssl}/include/openssl" "--with-tcl-lib=${tcl.libPrefix}" - ]; + ]; + preConfigure = '' export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s" ''; + meta = { - inherit (s) version; - description = ''Console mail reader''; + description = "Console mail reader"; license = stdenv.lib.licenses.asl20; maintainers = [stdenv.lib.maintainers.raskin]; platforms = stdenv.lib.platforms.linux; From e264f1077bddb05aaa3c86625db6b9a014074996 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 10:29:34 +0000 Subject: [PATCH 098/507] bochs: turn off format hardening --- pkgs/applications/virtualization/bochs/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/virtualization/bochs/default.nix b/pkgs/applications/virtualization/bochs/default.nix index b876403d6327..f5740dda4e9b 100644 --- a/pkgs/applications/virtualization/bochs/default.nix 
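Review bot: The new `hardening_fortify = false;` removes the FORTIFY_SOURCE runtime bounds checks on the str*/mem* calls of a program whose job is to parse mail and IMAP data from the network, and the hunk gives no reason for it; the `hardening_format = false;` beside it has the same gap. If fortify breaks the build because of a specific warning or a redefinition of _FORTIFY_SOURCE somewhere in the build, a comment naming that would let the opt-out be revisited, e.g. `hardening_fortify = false; # TODO: <reason, build log or issue>`. The realpine hunk (L115), which is otherwise the same restructuring, disables only format hardening, so it is worth confirming the fortify opt-out is actually needed here rather than carried over.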
+++ b/pkgs/applications/virtualization/bochs/default.nix @@ -145,7 +145,9 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE="-I${gtk}/include/gtk-2.0/ -I${libtool}/include/"; NIX_LDFLAGS="-L${libtool}/lib"; - + + hardening_format = false; + meta = with stdenv.lib; { description = "An open-source IA-32 (x86) PC emulator"; longDescription = '' From a29786ebf6fed781ce84a1bfef0ddea1911e0572 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 10:59:09 +0000 Subject: [PATCH 099/507] boost-build: turn off format hardening --- pkgs/development/tools/boost-build/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/tools/boost-build/default.nix b/pkgs/development/tools/boost-build/default.nix index 723219336bb9..aa590543e00e 100644 --- a/pkgs/development/tools/boost-build/default.nix +++ b/pkgs/development/tools/boost-build/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "10sbbkx2752r4i1yshyp47nw29lyi1p34sy6hj7ivvnddiliayca"; }; + hardening_format = false; + patchPhase = '' grep -r '/usr/share/boost-build' \ | awk '{split($0,a,":"); print a[1];}' \ From 99fdd5694e7acc6bc7576579ee1f62f0a96218c3 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 11:00:12 +0000 Subject: [PATCH 100/507] gcc44: turn off format hardening --- pkgs/development/compilers/gcc/4.4/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/gcc/4.4/default.nix b/pkgs/development/compilers/gcc/4.4/default.nix index 47c8c86a95d5..fe79e9bcd72b 100644 --- a/pkgs/development/compilers/gcc/4.4/default.nix +++ b/pkgs/development/compilers/gcc/4.4/default.nix @@ -103,6 +103,8 @@ stdenv.mkDerivation ({ inherit langC langCC langFortran langJava langAda; }; + hardening_format = false; + patches = [ ./pass-cxxcpp.patch From c9aceaea8643ddeecd5d6989be190ea3e95c6284 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Tue, 9 Feb 2016 11:04:13 +0000 Subject: [PATCH 101/507] gitAndTools.qgit: turn off format hardening --- .../git-and-tools/qgit/default.nix | 29 +++++++++++-------- 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/pkgs/applications/version-management/git-and-tools/qgit/default.nix b/pkgs/applications/version-management/git-and-tools/qgit/default.nix index a7e6a62ce5f5..6240baac8f19 100644 --- a/pkgs/applications/version-management/git-and-tools/qgit/default.nix +++ b/pkgs/applications/version-management/git-and-tools/qgit/default.nix @@ -2,21 +2,26 @@ stdenv.mkDerivation rec { name = "qgit-2.5"; - meta = - { + + src = fetchurl { + url = "http://libre.tibirna.org/attachments/download/9/${name}.tar.gz"; + sha256 = "25f1ca2860d840d87b9919d34fc3a1b05d4163671ed87d29c3e4a8a09e0b2499"; + }; + + buildInputs = [qt libXext libX11]; + + hardening_format = false; + + configurePhase = "qmake PREFIX=$out"; + + installPhase = '' + install -s -D -m 755 bin/qgit "$out/bin/qgit" + ''; + + meta = { license = stdenv.lib.licenses.gpl2; homepage = "http://libre.tibirna.org/projects/qgit/wiki/QGit"; description = "Graphical front-end to Git"; inherit (qt.meta) platforms; }; - src = fetchurl - { - url = "http://libre.tibirna.org/attachments/download/9/${name}.tar.gz"; - sha256 = "25f1ca2860d840d87b9919d34fc3a1b05d4163671ed87d29c3e4a8a09e0b2499"; - }; - buildInputs = [qt libXext libX11]; - configurePhase = "qmake PREFIX=$out"; - installPhase = '' - install -s -D -m 755 bin/qgit "$out/bin/qgit" - ''; } From 0e28c9abd8ab816cf024c771409cef2835d25b80 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 11:10:09 +0000 Subject: [PATCH 102/507] giv: turn off format hardening --- pkgs/applications/graphics/giv/default.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pkgs/applications/graphics/giv/default.nix b/pkgs/applications/graphics/giv/default.nix index 2e9d55a3f3f2..c33da6552220 100644 
--- a/pkgs/applications/graphics/giv/default.nix +++ b/pkgs/applications/graphics/giv/default.nix @@ -9,8 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1q0806b66ajppxbv1i71wx5d3ydc1h3hsz23m6g4g80dhiai7dly"; }; - # It built code to be put in a shared object without -fPIC - NIX_CFLAGS_COMPILE = "-fPIC"; + hardening_format = false; prePatch = '' sed -i s,/usr/bin/perl,${perl}/bin/perl, doc/eperl From 9b597ee8a5650fa75818e38860a96b5b2b3ff532 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 14:09:15 +0000 Subject: [PATCH 103/507] gnome3.libgda: turn off format hardening --- pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix b/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix index 1fcb411d120d..6f10f6ea9203 100644 --- a/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix +++ b/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix @@ -17,6 +17,8 @@ in stdenv.mkDerivation rec { "--enable-gi-system-install=no" ]; + hardening_format = false; + enableParallelBuilding = true; buildInputs = [ pkgconfig intltool itstool libxml2 gtk3 openssl ]; From a462683d10cb456dbc232f34e2f6c7aef64f8db4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 14:32:47 +0000 Subject: [PATCH 104/507] aegisub: turn off bindnow/relro hardening --- pkgs/applications/video/aegisub/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/applications/video/aegisub/default.nix b/pkgs/applications/video/aegisub/default.nix index a5c14d0888ff..49e2662adb41 100644 --- a/pkgs/applications/video/aegisub/default.nix +++ b/pkgs/applications/video/aegisub/default.nix @@ -43,6 +43,9 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardening_bindnow = false; + hardening_relro = false; + postInstall = "ln -s $out/bin/aegisub-* $out/bin/aegisub"; meta = { From f8963e2ea708140d4c2881c9307563450d472098 Mon Sep 17 00:00:00 2001 
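Review bot: The replaced line drops `NIX_CFLAGS_COMPILE = "-fPIC"` together with the comment that explained why the package needed it, and the new `hardening_format = false;` line says nothing about either. If -fPIC is now meant to come from the hardened stdenv's pic flag, that dependency should be stated so nobody later sets `hardening_pic = false` for this package and reintroduces the shared-object build failure the old comment described. A comment such as `hardening_format = false; # -fPIC now comes from the hardened stdenv (hardening_pic); format-security fails the build` would cover both; the enclosing mkDerivation starts and ends outside the hunk.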
From: Robin Gloster
Date: Tue, 9 Feb 2016 14:41:11 +0000
Subject: [PATCH 105/507] haskell builder: allow disabling fortify hardening
---
 pkgs/development/haskell-modules/generic-builder.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/haskell-modules/generic-builder.nix b/pkgs/development/haskell-modules/generic-builder.nix
index e3847528ad00..fd94d9d67a63 100644
--- a/pkgs/development/haskell-modules/generic-builder.nix
+++ b/pkgs/development/haskell-modules/generic-builder.nix
@@ -44,6 +44,7 @@
 , checkPhase ? "", preCheck ? "", postCheck ? ""
 , preFixup ? "", postFixup ? ""
 , shellHook ? ""
+, hardening_fortify ? true
 , coreSetup ? false # Use only core packages to build Setup.hs.
 , useCpphs ? false
 } @ args:
@@ -314,5 +315,6 @@ stdenv.mkDerivation ({
 // optionalAttrs (preFixup != "") { inherit preFixup; }
 // optionalAttrs (postFixup != "") { inherit postFixup; }
 // optionalAttrs (dontStrip) { inherit dontStrip; }
+// optionalAttrs (!hardening_fortify) { inherit hardening_fortify; }
 // optionalAttrs (stdenv.isLinux) { LOCALE_ARCHIVE = "${glibcLocales}/lib/locale/locale-archive"; }
 )
From 20d568aed5dfc09c5942aa5da638ef7a436b9e74 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Tue, 9 Feb 2016 14:41:48 +0000
Subject: [PATCH 106/507] haskellPackages.glib: turn off fortify hardening
---
 pkgs/development/haskell-modules/configuration-common.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix
index 18a944b78f83..4ffaf84f0a4a 100644
--- a/pkgs/development/haskell-modules/configuration-common.nix
+++ b/pkgs/development/haskell-modules/configuration-common.nix
@@ -246,7 +246,9 @@ self: super: { gio_0_13_0_3 = addPkgconfigDepend super.gio_0_13_0_3 pkgs.glib; gio_0_13_0_4 = addPkgconfigDepend super.gio_0_13_0_4 pkgs.glib; gio_0_13_1_0 = addPkgconfigDepend super.gio_0_13_1_0 pkgs.glib; - glib = addPkgconfigDepend super.glib pkgs.glib; + glib = addPkgconfigDepend (overrideCabal super.glib (drv: { + hardening_fortify = false; + })) pkgs.glib; gtk3 = super.gtk3.override { inherit (pkgs) gtk3; }; gtk = addPkgconfigDepend super.gtk pkgs.gtk; gtksourceview2 = (addPkgconfigDepend super.gtksourceview2 pkgs.gtk2).override { inherit (pkgs.gnome2) gtksourceview; }; From 9620a43228323f2324d045ea4a8b7bdb2d516c84 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 22:47:47 +0000 Subject: [PATCH 107/507] linuxPackages.batman_adv: turn off pic hardening --- pkgs/os-specific/linux/batman-adv/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/batman-adv/default.nix b/pkgs/os-specific/linux/batman-adv/default.nix index b8bef1b5a9a4..41c4f48ddb82 100644 --- a/pkgs/os-specific/linux/batman-adv/default.nix +++ b/pkgs/os-specific/linux/batman-adv/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { sha256 = "0r5faf12ifpj8h1fklkzvy4ck359cadk8xh1l3n7vimh67hxbxbz"; }; + hardening_pic = false; + preBuild = '' makeFlags="KERNELPATH=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" sed -i -e "s,INSTALL_MOD_DIR=,INSTALL_MOD_PATH=$out INSTALL_MOD_DIR=," \ From 9f8dc7d0fe1709da23823420e352e1365e59fdef Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 22:58:58 +0000 Subject: [PATCH 108/507] realpine: turn off format hardening --- .../mailreaders/realpine/default.nix | 31 ++++++++++--------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/pkgs/applications/networking/mailreaders/realpine/default.nix b/pkgs/applications/networking/mailreaders/realpine/default.nix index c18359921581..1ee425314650 100644 
--- a/pkgs/applications/networking/mailreaders/realpine/default.nix +++ b/pkgs/applications/networking/mailreaders/realpine/default.nix @@ -2,34 +2,35 @@ , openldap }: let - s = - rec { - version = "2.03"; + baseName = "re-alpine"; + version = "2.03"; +in +stdenv.mkDerivation { + name = "${baseName}-${version}"; + inherit version; + + src = fetchurl { url = "mirror://sourceforge/re-alpine/re-alpine-${version}.tar.bz2"; sha256 = "11xspzbk9cwmklmcw6rxsan7j71ysd4m9c7qldlc59ck595k5nbh"; - baseName = "re-alpine"; - name = "${baseName}-${version}"; }; + buildInputs = [ ncurses tcl openssl pam kerberos openldap ]; -in -stdenv.mkDerivation { - inherit (s) name version; - inherit buildInputs; - src = fetchurl { - inherit (s) url sha256; - }; + + hardening_format = false; + configureFlags = [ "--with-ssl-include-dir=${openssl}/include/openssl" "--with-tcl-lib=${tcl.libPrefix}" - ]; + ]; + preConfigure = '' export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s" ''; + meta = { - inherit (s) version; - description = ''Console mail reader''; + description = "Console mail reader"; license = stdenv.lib.licenses.asl20; maintainers = [stdenv.lib.maintainers.raskin]; platforms = stdenv.lib.platforms.linux; From e37e38903d4169405948944062a0981c567ade1f Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 23:06:16 +0000 Subject: [PATCH 109/507] maxlib: turn off format hardening --- pkgs/applications/audio/pd-plugins/maxlib/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/pd-plugins/maxlib/default.nix b/pkgs/applications/audio/pd-plugins/maxlib/default.nix index dc4d03759616..9968b5fe0ed4 100644 --- a/pkgs/applications/audio/pd-plugins/maxlib/default.nix +++ b/pkgs/applications/audio/pd-plugins/maxlib/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ puredata ]; + hardening_format = false; + patchPhase = '' for i in ${puredata}/include/pd/*; do ln -s $i . From 332c84196c3d8814fbd244b42d8dabc68917f1e4 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Tue, 9 Feb 2016 23:17:13 +0000 Subject: [PATCH 110/507] linuxPackages.perf: set -Wno-error=bool-compare --- pkgs/os-specific/linux/kernel/perf.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/kernel/perf.nix b/pkgs/os-specific/linux/kernel/perf.nix index 1e5c64ccb8a8..ad80d2ed93c2 100644 --- a/pkgs/os-specific/linux/kernel/perf.nix +++ b/pkgs/os-specific/linux/kernel/perf.nix @@ -28,7 +28,7 @@ stdenv.mkDerivation { # Note: we don't add elfutils to buildInputs, since it provides a # bad `ld' and other stuff. - NIX_CFLAGS_COMPILE = "-I${elfutils}/include -Wno-error=cpp"; + NIX_CFLAGS_COMPILE = "-I${elfutils}/include -Wno-error=cpp -Wno-error=bool-compare"; NIX_CFLAGS_LINK = "-L${elfutils}/lib"; installFlags = "install install-man ASCIIDOC8=1"; From f0e6c6ec0ea23d1d72743e45c59d3618237efd99 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 9 Feb 2016 23:35:35 +0000 Subject: [PATCH 111/507] linuxPackages.zfs: turn off pic hardening --- pkgs/os-specific/linux/zfs/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/zfs/default.nix b/pkgs/os-specific/linux/zfs/default.nix index 42da97a7a7b7..0a61bdcea850 100644 --- a/pkgs/os-specific/linux/zfs/default.nix +++ b/pkgs/os-specific/linux/zfs/default.nix @@ -38,6 +38,8 @@ stdenv.mkDerivation rec { # for zdb to get the rpath to libgcc_s, needed for pthread_cancel to work NIX_CFLAGS_LINK = "-lgcc_s"; + hardening_pic = false; + preConfigure = '' substituteInPlace ./module/zfs/zfs_ctldir.c --replace "umount -t zfs" "${utillinux}/bin/umount -t zfs" substituteInPlace ./module/zfs/zfs_ctldir.c --replace "mount -t zfs" "${utillinux}/bin/mount -t zfs" From da9808fe5cd55c827cbf8019ab4896d1cb8f953e Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Tue, 9 Feb 2016 23:37:07 +0000 Subject: [PATCH 112/507] Revert "Switch to GCC 5" This reverts commit 729870467a97382e2252defe4ae3b04765b9451b. --- pkgs/stdenv/linux/default.nix | 9 +++++++-- pkgs/top-level/all-packages.nix | 4 ++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/pkgs/stdenv/linux/default.nix b/pkgs/stdenv/linux/default.nix index 573e7139aac8..12fc3fed5a5a 100644 --- a/pkgs/stdenv/linux/default.nix +++ b/pkgs/stdenv/linux/default.nix @@ -210,9 +210,14 @@ rec { gmp = pkgs.gmp.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; mpfr = pkgs.mpfr.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; libmpc = pkgs.libmpc.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; - isl = pkgs.isl.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; + isl_0_11 = pkgs.isl_0_11.override { stdenv = pkgs.makeStaticLibraries pkgs.stdenv; }; + cloog_0_18_0 = pkgs.cloog_0_18_0.override { + stdenv = pkgs.makeStaticLibraries pkgs.stdenv; + isl = isl_0_11; + }; gccPlain = pkgs.gcc.cc.override { - isl = isl; + isl = isl_0_11; + cloog = cloog_0_18_0; }; }; extraBuildInputs = [ stage2.pkgs.patchelf stage2.pkgs.paxctl ]; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index b2eb7191aeb2..6eeefe62b9a0 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -3944,7 +3944,7 @@ let gambit = callPackage ../development/compilers/gambit { }; - gcc = gcc5; + gcc = gcc49; gcc_multi = if system == "x86_64-linux" then lowPrio ( @@ -4092,7 +4092,7 @@ let cross = null; libcCross = if crossSystem != null then libcCross else null; - isl = isl_0_15; + isl = isl_0_14; })); gfortran = if !stdenv.isDarwin then gfortran49 From 0609154a1979a3a256be4762ee473b5a2badcbc6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Tue, 9 Feb 2016 18:19:56 +0100 Subject: [PATCH 113/507] wrapFirefox: add enableAdobeReader So far we only have 32-bit package. It will be silently missed on 64-bit ATM. --- pkgs/applications/misc/adobe-reader/default.nix | 2 ++ pkgs/applications/networking/browsers/firefox/wrapper.nix | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/misc/adobe-reader/default.nix b/pkgs/applications/misc/adobe-reader/default.nix index 6bb16a02402c..d31e9234e094 100644 --- a/pkgs/applications/misc/adobe-reader/default.nix +++ b/pkgs/applications/misc/adobe-reader/default.nix @@ -22,6 +22,8 @@ stdenv.mkDerivation { libPath = stdenv.lib.makeLibraryPath [ stdenv.cc.cc libX11 zlib libxml2 cups pango atk gtk glib gdk_pixbuf ]; + passthru.mozillaPlugin = "/libexec/adobe-reader/Browser/intellinux"; + meta = { description = "Adobe Reader, a viewer for PDF documents"; homepage = http://www.adobe.com/products/reader; diff --git a/pkgs/applications/networking/browsers/firefox/wrapper.nix b/pkgs/applications/networking/browsers/firefox/wrapper.nix index 8c805b0bf5fe..91486b608b2c 100644 --- a/pkgs/applications/networking/browsers/firefox/wrapper.nix +++ b/pkgs/applications/networking/browsers/firefox/wrapper.nix @@ -4,7 +4,7 @@ , gnash, flashplayer, hal-flash , MPlayerPlugin, gecko_mediaplayer, gst_all, xorg, libpulseaudio, libcanberra , supportsJDK, jrePlugin, icedtea_web -, trezor-bridge, bluejeans, djview4 +, trezor-bridge, bluejeans, djview4, adobe-reader , google_talk_plugin, fribid, gnome3/*.gnome_shell*/ }: @@ -41,6 +41,7 @@ let ++ lib.optional (cfg.enableGnomeExtensions or false) gnome3.gnome_shell ++ lib.optional (cfg.enableTrezor or false) trezor-bridge ++ lib.optional (cfg.enableBluejeans or false) bluejeans + ++ lib.optional (cfg.enableAdobeReader or false) adobe-reader ); libs = [ gst_all.gstreamer gst_all.gst-plugins-base ] ++ lib.optionals (cfg.enableQuakeLive or false) 
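Review bot: The new `++ lib.optional (cfg.enableAdobeReader or false) adobe-reader` yields a wrapper without the plugin on 64-bit, as the commit message itself says, so a user who sets the option gets neither an error nor a plugin. Failing loudly is cheap: give the adobe-reader derivation (first hunk of this commit) a `meta.platforms = [ "i686-linux" ];` so evaluation stops with the standard unsupported-platform error, or guard the optional with a platform check and `throw` in the wrapper. Keeping the option off by default is the right call for a proprietary NPAPI plugin; the enclosing `let` in wrapper.nix extends beyond the hunk.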
From 1ce5c9e78dd036a2291c8625a9a8179a0e8e5b4b Mon Sep 17 00:00:00 2001 From: zimbatm Date: Tue, 9 Feb 2016 14:26:11 +0000 Subject: [PATCH 114/507] atom: 1.4.0 -> 1.4.3 --- pkgs/applications/editors/atom/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/editors/atom/default.nix b/pkgs/applications/editors/atom/default.nix index 7120b8f43ee9..87a36a36f90a 100644 --- a/pkgs/applications/editors/atom/default.nix +++ b/pkgs/applications/editors/atom/default.nix @@ -16,11 +16,11 @@ let }; in stdenv.mkDerivation rec { name = "atom-${version}"; - version = "1.4.0"; + version = "1.4.3"; src = fetchurl { url = "https://github.com/atom/atom/releases/download/v${version}/atom-amd64.deb"; - sha256 = "0dipww58p0sm99jn1ariisha9wsnhl7rnd8achpxqkf4b3vwi5iz"; + sha256 = "15ix5ww3ny5ylgmmxpkc32li6af2vc4a2p6aymx9c472fra0c41x"; name = "${name}.deb"; }; From d98f0ea720decce5c0262adbcbca39e7dbc90e8d Mon Sep 17 00:00:00 2001 From: Pascal Wittmann Date: Tue, 9 Feb 2016 21:49:45 +0100 Subject: [PATCH 115/507] progress: 0.12.1 -> 0.13 --- pkgs/tools/misc/progress/default.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/misc/progress/default.nix b/pkgs/tools/misc/progress/default.nix index 3d0d03f6c4a2..ab72dc69fa47 100644 --- a/pkgs/tools/misc/progress/default.nix +++ b/pkgs/tools/misc/progress/default.nix @@ -1,16 +1,17 @@ -{ stdenv, fetchFromGitHub, ncurses }: +{ stdenv, fetchFromGitHub, pkgconfig, ncurses }: stdenv.mkDerivation rec { name = "progress-${version}"; - version = "0.12.1"; + version = "0.13"; src = fetchFromGitHub { owner = "Xfennec"; repo = "progress"; rev = "v${version}"; - sha256 = "0lwj0zdcdsl1wczk3yq7wfpyw3zi87h8x2z8yjp0wgnr45bbqibl"; + sha256 = "0xzpcvz4n0h8m0mhxgpvn1qg8993naip3asjbk3nmk3d4lbyh0b3"; }; + nativeBuildInputs = [ pkgconfig ]; buildInputs = [ ncurses ]; makeFlags = [ "PREFIX=$(out)" ]; From c8ca34e2693ff77f761fc540789f1d1f328a0e7e Mon Sep 17 00:00:00 2001 
From: Nikolay Amiantov Date: Mon, 8 Feb 2016 20:47:55 +0300 Subject: [PATCH 116/507] init-script-builder: handle containers without a kernel --- .../boot/loader/init-script/init-script-builder.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/nixos/modules/system/boot/loader/init-script/init-script-builder.sh b/nixos/modules/system/boot/loader/init-script/init-script-builder.sh index 502b3b63af2f..08d4ab14c9ca 100644 --- a/nixos/modules/system/boot/loader/init-script/init-script-builder.sh +++ b/nixos/modules/system/boot/loader/init-script/init-script-builder.sh @@ -80,8 +80,13 @@ for generation in $( | sort -n -r); do link=/nix/var/nix/profiles/system-$generation-link date=$(stat --printf="%y\n" $link | sed 's/\..*//') - kernelVersion=$(cd $(dirname $(readlink -f $link/kernel))/lib/modules && echo *) - addEntry "NixOS - Configuration $generation ($date - $kernelVersion)" $link "$generation ($date)" + if [ -d $link/kernel ]; then + kernelVersion=$(cd $(dirname $(readlink -f $link/kernel))/lib/modules && echo *) + suffix="($date - $kernelVersion)" + else + suffix="($date)" + fi + addEntry "NixOS - Configuration $generation $suffix" $link "$generation ($date)" done mv $tmpOther $targetOther From b12646cb791f08e181b543809dffc1bcc18ec0f3 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Tue, 9 Feb 2016 12:57:42 +0300 Subject: [PATCH 117/507] postsrsd: fix secret generation --- nixos/modules/services/mail/postsrsd.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/nixos/modules/services/mail/postsrsd.nix b/nixos/modules/services/mail/postsrsd.nix index 36a0f8218d88..68a4c1012064 100644 --- a/nixos/modules/services/mail/postsrsd.nix +++ b/nixos/modules/services/mail/postsrsd.nix 
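Review bot: `$link` is expanded unquoted in the new `if [ -d $link/kernel ]; then` and in the `readlink -f $link/kernel` it guards, so the test is only safe because `$generation` comes from the `sort -n -r` at the top of the loop; quoting keeps it from breaking silently if that loop changes: `if [ -d "$link/kernel" ]; then` and `readlink -f "$link/kernel"`. The `cd … && echo *` pipeline also leaves `kernelVersion` empty rather than failing when the modules directory is missing, which the new branch does not change. The surrounding for loop starts before the hunk.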
@@ -95,7 +95,11 @@ in { preStart = '' if [ ! -e "${cfg.secretsFile}" ]; then echo "WARNING: secrets file not found, autogenerating!" - mkdir -p -m750 "$(dirname "${cfg.secretsFile}")" + DIR="$(dirname "${cfg.secretsFile}")" + if [ ! -d "$DIR" ]; then + mkdir -p -m750 "$DIR" + chown "${cfg.user}:${cfg.group}" "$DIR" + fi dd if=/dev/random bs=18 count=1 | base64 > "${cfg.secretsFile}" chmod 600 "${cfg.secretsFile}" fi From 92faa327b8899a1c18391e7de1efb7c8af9b8bbd Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Tue, 9 Feb 2016 23:37:02 +0300 Subject: [PATCH 118/507] acme service: update plugins enum --- nixos/modules/security/acme.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix index 15e5b49878f6..3d25e811e670 100644 --- a/nixos/modules/security/acme.nix +++ b/nixos/modules/security/acme.nix @@ -56,8 +56,8 @@ let plugins = mkOption { type = types.listOf (types.enum [ - "cert.der" "cert.pem" "chain.der" "chain.pem" "external_pem.sh" - "fullchain.der" "fullchain.pem" "key.der" "key.pem" "account_key.json" + "cert.der" "cert.pem" "chain.pem" "external_pem.sh" + "fullchain.pem" "full.pem" "key.der" "key.pem" "account_key.json" ]); default = [ "fullchain.pem" "key.pem" "account_key.json" ]; description = '' From ef92a19fd3015397c839e8b3c5afb1bb37aed51c Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Wed, 10 Feb 2016 00:56:24 +0300 Subject: [PATCH 119/507] dovecot service: add sendmail_path --- nixos/modules/services/mail/dovecot.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/modules/services/mail/dovecot.nix b/nixos/modules/services/mail/dovecot.nix index 11e8b26c75ef..333a03315bca 100644 --- a/nixos/modules/services/mail/dovecot.nix +++ b/nixos/modules/services/mail/dovecot.nix 
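Review bot: The secret is still written by `dd if=/dev/random bs=18 count=1 | base64 > "${cfg.secretsFile}"` before `chmod 600` runs, so for a moment the file exists with the service's default umask, and `dd` without `iflag=fullblock` can return fewer than 18 bytes from /dev/random (a short read counts as one block), giving a shorter key than intended. The new mkdir/chown branch fixes the directory's ownership but not the file; writing it under a restrictive umask with a reader that loops until it has the bytes addresses both: `(umask 077; head -c 18 /dev/random | base64 > "${cfg.secretsFile}")`, keeping the `chmod 600` after it. The preStart script continues past the end of the hunk.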
@@ -13,6 +13,7 @@ let '' base_dir = ${baseDir} protocols = ${concatStringsSep " " cfg.protocols} + sendmail_path = /var/setuid-wrappers/sendmail '' (if isNull cfg.sslServerCert then '' From c7855bc09917f5dac3e301f02b47f9aa2c1eb2b8 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Wed, 10 Feb 2016 00:05:46 +0100 Subject: [PATCH 120/507] mcelog: 129 -> 130 Fixes https://github.com/andikleen/mcelog/issues/31. --- pkgs/os-specific/linux/mcelog/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/mcelog/default.nix b/pkgs/os-specific/linux/mcelog/default.nix index 113d59d641dc..9abd6397e85c 100644 --- a/pkgs/os-specific/linux/mcelog/default.nix +++ b/pkgs/os-specific/linux/mcelog/default.nix @@ -2,10 +2,10 @@ stdenv.mkDerivation rec { name = "mcelog-${version}"; - version = "129"; + version = "130"; src = fetchFromGitHub { - sha256 = "143xh5zvgax88yhg6mg6img64nrda85yybf76fgsk7a8gc57ghyk"; + sha256 = "05yszlhd6kljx371nlgrzjs0fi44wwgxcv2j5rwwgklm6ifp2zza"; rev = "v${version}"; repo = "mcelog"; owner = "andikleen"; From 1b1ae14512302633499b187ee2e67536b79c00fd Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Wed, 10 Feb 2016 02:58:55 +0300 Subject: [PATCH 121/507] postfix module: fix link to postfix-files --- nixos/modules/services/mail/postfix.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix index f2d8189de6ef..56c89aca8b23 100644 --- a/nixos/modules/services/mail/postfix.nix +++ b/nixos/modules/services/mail/postfix.nix @@ -461,7 +461,7 @@ in rm -rf /var/lib/postfix/conf mkdir -p /var/lib/postfix/conf chmod 0755 /var/lib/postfix/conf - ln -sf ${pkgs.postfix}/etc/postfix/postfix-files + ln -sf ${pkgs.postfix}/etc/postfix/postfix-files /var/lib/postfix/conf/postfix-files ln -sf ${mainCfFile} /var/lib/postfix/conf/main.cf ln -sf ${masterCfFile} /var/lib/postfix/conf/master.cf 
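Review bot: `sendmail_path = /var/setuid-wrappers/sendmail` is emitted into the generated config unconditionally, so a host without a sendmail setuid wrapper gets a dovecot that presumably fails whenever it tries to send mail instead of failing at evaluation. A comment noting that the path depends on an MTA module providing the wrapper, or an option exposing the path (`sendmail_path = ${cfg.sendmailPath}` with a documented default), would make the dependency visible. The enclosing config string is cut at both ends of the hunk.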
From ff58b07fc8fb3e57be57f891f4d57d8c1d346fa8 Mon Sep 17 00:00:00 2001 From: Eric Sagnes Date: Sun, 7 Feb 2016 18:51:28 +0900 Subject: [PATCH 122/507] cmst: 2014.12.05 -> 2016.01.28 --- pkgs/tools/networking/cmst/default.nix | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/pkgs/tools/networking/cmst/default.nix b/pkgs/tools/networking/cmst/default.nix index 1b5767653fe2..24010e20f374 100644 --- a/pkgs/tools/networking/cmst/default.nix +++ b/pkgs/tools/networking/cmst/default.nix @@ -1,12 +1,13 @@ -{ stdenv, fetchgit, qtbase, makeWrapper, libX11 }: +{ stdenv, fetchFromGitHub, qtbase, makeWrapper, libX11 }: stdenv.mkDerivation rec { - name = "cmst-2014.12.05"; - rev = "refs/tags/${name}"; - src = fetchgit { - url = "git://github.com/andrew-bibb/cmst.git"; - inherit rev; - sha256 = "070rxv3kyn41ra7nnk1wbqvy6fjg38h7hrdv4dn71b201kmzd194"; + name = "cmst-2016.01.28"; + + src = fetchFromGitHub { + sha256 = "1zf4jnrnbi05mrq1fnsji5zx60h1knrkr64pwcz2c7q8p59k4646"; + rev = name; + repo = "cmst"; + owner = "andrew-bibb"; }; buildInputs = [ qtbase makeWrapper ]; @@ -27,7 +28,6 @@ stdenv.mkDerivation rec { substituteInPlace ./apps/rootapp/rootapp.pro \ --replace "/etc" "$out/etc" \ --replace "/usr/share" "$out/share" - ''; buildPhase = '' From 85c0d55d1de81f39b6a4bf4b264d3f3b4bc1938f Mon Sep 17 00:00:00 2001 From: Profpatsch Date: Tue, 9 Feb 2016 21:43:50 +0100 Subject: [PATCH 123/507] beets: 1.3.16 -> 1.3.17 one test fails, see the source comment --- pkgs/tools/audio/beets/default.nix | 34 +++++++++++++++++------------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/pkgs/tools/audio/beets/default.nix b/pkgs/tools/audio/beets/default.nix index c1945ca5de0a..6a3345e1d3c9 100644 --- a/pkgs/tools/audio/beets/default.nix +++ b/pkgs/tools/audio/beets/default.nix 
@@ -1,17 +1,18 @@ { stdenv, fetchFromGitHub, writeScript, glibcLocales , buildPythonPackage, pythonPackages, python, imagemagick -, enableAcoustid ? true -, enableBadfiles ? true, flac ? null, mp3val ? null -, enableDiscogs ? true -, enableEchonest ? true -, enableEmbyupdate ? true -, enableFetchart ? true -, enableLastfm ? true -, enableMpd ? true -, enableReplaygain ? true, bs1770gain ? null -, enableThumbnails ? true -, enableWeb ? true +, enableAcousticbrainz ? true +, enableAcoustid ? true +, enableBadfiles ? true, flac ? null, mp3val ? null +, enableDiscogs ? true +, enableEchonest ? true +, enableEmbyupdate ? true +, enableFetchart ? true +, enableLastfm ? true +, enableMpd ? true +, enableReplaygain ? true, bs1770gain ? null +, enableThumbnails ? true +, enableWeb ? true # External plugins , enableAlternatives ? false @@ -34,6 +35,7 @@ with stdenv.lib; let optionalPlugins = { + acousticbrainz = enableAcousticbrainz; badfiles = enableBadfiles; chroma = enableAcoustid; discogs = enableDiscogs; @@ -68,14 +70,14 @@ let in buildPythonPackage rec { name = "beets-${version}"; - version = "1.3.16"; + version = "1.3.17"; namePrefix = ""; src = fetchFromGitHub { owner = "sampsyo"; repo = "beets"; rev = "v${version}"; - sha256 = "1grjcgr419yq756wwxjpzyfjdf8n51bg6i0agm465lb7l3jgqy6k"; + sha256 = "1fskxx5xxjqf4xmfjrinh7idjiq6qncb24hiyccv09l47fr1yipc"; }; propagatedBuildInputs = [ @@ -91,7 +93,9 @@ in buildPythonPackage rec { python.modules.readline ] ++ optional enableAcoustid pythonPackages.pyacoustid ++ optional (enableFetchart - || enableEmbyupdate) pythonPackages.requests2 + || enableEmbyupdate + || enableAcousticbrainz) + pythonPackages.requests2 ++ optional enableDiscogs pythonPackages.discogs_client ++ optional enableEchonest pythonPackages.pyechonest ++ optional enableLastfm pythonPackages.pylast 
@@ -135,7 +139,7 @@ in buildPythonPackage rec { test/test_replaygain.py ''; - doCheck = true; + doCheck = false; # TODO, see https://github.com/beetbox/beets/issues/1876#issuecomment-182010438 preCheck = '' (${concatMapStrings (s: "echo \"${s}\";") allPlugins}) \ From 2d25ab3a03ea8a8100eef6a148a894799f33d69b Mon Sep 17 00:00:00 2001 From: aszlig Date: Wed, 10 Feb 2016 02:41:15 +0100 Subject: [PATCH 124/507] beets: Re-enable tests The reason why the completion tests didn't pass was because we had it already disabled in 2acc258dff1a37974edd6475851e218bb09e281a. Meanwhile, beetbox/beets@a07cb83 has moved the file from test/test_completion.sh to test/rsrc/test_completion.sh. So this has silently re-enabled the completion tests, which we need to investigate on our side why they failed in the first place. Signed-off-by: aszlig --- pkgs/tools/audio/beets/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/audio/beets/default.nix b/pkgs/tools/audio/beets/default.nix index 6a3345e1d3c9..91407331d7ca 100644 --- a/pkgs/tools/audio/beets/default.nix +++ b/pkgs/tools/audio/beets/default.nix @@ -121,7 +121,7 @@ in buildPythonPackage rec { postPatch = '' sed -i -e '/assertIn.*item.*path/d' test/test_info.py - echo echo completion tests passed > test/test_completion.sh + echo echo completion tests passed > test/rsrc/test_completion.sh sed -i -e '/^BASH_COMPLETION_PATHS *=/,/^])$/ { /^])$/i u"${completion}" @@ -139,7 +139,7 @@ in buildPythonPackage rec { test/test_replaygain.py ''; - doCheck = false; # TODO, see https://github.com/beetbox/beets/issues/1876#issuecomment-182010438 + doCheck = true; preCheck = '' (${concatMapStrings (s: "echo \"${s}\";") allPlugins}) \ From 280033235e10f08e4479d0960116b2fcd637a384 Mon Sep 17 00:00:00 2001 
From: "tg(x)" <*@tg-x.net> Date: Mon, 26 Oct 2015 19:47:23 +0100 Subject: [PATCH 125/507] grsecurity: use source URL from a scraped repository as grsecurity.net only has the latest version --- pkgs/os-specific/linux/kernel/patches.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix index 7e95f1dedb1a..3f7afd903226 100644 --- a/pkgs/os-specific/linux/kernel/patches.nix +++ b/pkgs/os-specific/linux/kernel/patches.nix @@ -22,7 +22,7 @@ let { name = "grsecurity-${grversion}-${kversion}"; inherit grversion kversion revision; patch = fetchurl { - url = "http://grsecurity.net/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch"; + url = "https://github.com/slashbeast/grsecurity-scrape/blob/master/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch?raw=true"; inherit sha256; }; features.grsecurity = true; From 874db98e895de23ae8623ee0a51cfabd12a79700 Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Tue, 9 Feb 2016 20:35:17 +0100 Subject: [PATCH 126/507] pythonPackages.pandas: fix tests --- pkgs/top-level/python-packages.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index b9343e54a2e3..8c28c97fd334 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -14229,7 +14229,8 @@ in modules // { checkPhase = let testsToSkip = ["test_data" "test_excel" "test_html" "test_json" "test_frequencies" "test_frame" - "test_read_clipboard_infer_excel"] ++ + "test_read_clipboard_infer_excel" + "test_interp_alt_scipy" "test_nanops" "test_stats"] ++ optional isPy35 "test_sql"; in '' runHook preCheck From 33d03b4c2e41a3dd05419e88d939f54f368f6449 Mon Sep 17 00:00:00 2001 
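Review bot: The new `url` points at the mutable `master` branch of a third-party scrape (`.../blob/master/...?raw=true`) instead of the upstream release location; the inherited `sha256` still pins the content, so a changed file fails the build rather than being picked up silently, but the provenance of the hash is no longer visible from the expression. Pinning the URL to a specific commit via `https://raw.githubusercontent.com/slashbeast/grsecurity-scrape/<commit>/${branch}/grsecurity-${grversion}-${kversion}-${revision}.patch` would make the fetch independent of the branch moving, and a comment stating that each `sha256` was taken from (or checked against) the grsecurity.net originals, or against upstream `.sig` files if the scrape repository carries them, would document the trust chain. The enclosing `let` starts outside the hunk.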
From: Frederik Rietdijk Date: Wed, 10 Feb 2016 08:31:51 +0100 Subject: [PATCH 127/507] pythonPackages.blaze: add missing dependency --- pkgs/top-level/python-packages.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index 8c28c97fd334..76d7004a7dac 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -2051,6 +2051,7 @@ in modules // { cytoolz datashape flask + flask-cors h5py multipledispatch numba From b6c86d642f138a3b9b7a0e6bd8042da524cfb14f Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Wed, 10 Feb 2016 08:32:04 +0100 Subject: [PATCH 128/507] pythonPackages.flask-cors: init at 2.1.2 --- pkgs/top-level/python-packages.nix | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index 76d7004a7dac..e3096cff69e5 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -8606,6 +8606,25 @@ in modules // { }; }; + flask-cors = buildPythonPackage rec { + name = "Flask-Cors-${version}"; + version = "2.1.2"; + + src = pkgs.fetchurl { + url = "https://pypi.python.org/packages/source/F/Flask-Cors/${name}.tar.gz"; + sha256 = "0fd618a4f88ykqx4x55viz47cm9rl214q1b45a0b4mz5vhxffqpj"; + }; + + buildInputs = with self; [ nose ]; + propagatedBuildInputs = with self; [ flask six ]; + + meta = { + description = "A Flask extension adding a decorator for CORS support"; + homepage = https://github.com/corydolphin/flask-cors; + license = with licenses; [ mit ]; + }; + }; + flask-pymongo = buildPythonPackage rec { name = "Flask-PyMongo-${version}"; version = "0.3.1"; From 2d9d8ae5fb3ffb9abfee60ade4399cff9df46695 Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Wed, 10 Feb 2016 08:32:18 +0100 Subject: [PATCH 129/507] pythonPackages.scikitlearn: fix tests --- pkgs/top-level/python-packages.nix | 7 +++++++ 1 file changed, 7 insertions(+) 
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index e3096cff69e5..1edeb9d84d30 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -18549,6 +18549,13 @@ in modules // { LC_ALL="en_US.UTF-8"; + # Exclude "test_image.py" because the Lena function/image was removed from SciPy since 0.17 + # Should be fixed in next release. + # Using the -I switch broke nosetests...? + patchPhase = '' + rm sklearn/feature_extraction/tests/test_image.py + ''; + checkPhase = '' HOME=$TMPDIR OMP_NUM_THREADS=1 nosetests $out/${python.sitePackages}/sklearn/ ''; From 8da01f220fb43c6cb56ca42979c96f0e7d21e323 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Mon, 8 Feb 2016 20:47:36 +0300 Subject: [PATCH 130/507] nixos-install: don't check that /mnt is a mount point --- nixos/modules/installer/tools/nixos-install.sh | 5 ----- 1 file changed, 5 deletions(-) diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index 4e10615f902f..c23d7e5b509d 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh @@ -73,11 +73,6 @@ if ! test -e "$mountPoint"; then exit 1 fi -if ! grep -F -q " $mountPoint " /proc/mounts; then - echo "$mountPoint doesn't appear to be a mount point" - exit 1 -fi - # Mount some stuff in the target root directory. mkdir -m 0755 -p $mountPoint/dev $mountPoint/proc $mountPoint/sys $mountPoint/etc $mountPoint/run $mountPoint/home From a006778e5fec989b57376ec938711ba6c94bb647 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Tue, 9 Feb 2016 03:00:53 +0300 Subject: [PATCH 131/507] kbd module: don't setup vconsoles if we are in a container --- nixos/modules/tasks/kbd.nix | 45 ++++++++++++++++++++++--------------- 1 file changed, 27 insertions(+), 18 deletions(-) diff --git a/nixos/modules/tasks/kbd.nix b/nixos/modules/tasks/kbd.nix index e1574fa68ad9..02721bb3bea2 100644 
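Review bot: Defining `patchPhase` outright replaces the default patch phase, so any `patches` attribute on this derivation (none is visible in the hunk, but the rest of the attribute set is outside it) and the `prePatch`/`postPatch` hooks would no longer run; the conventional place for an extra removal is the hook, `postPatch = ''rm sklearn/feature_extraction/tests/test_image.py'';`. The comment above it should also name what to check when the workaround can be dropped, e.g. `# drop once scikit-learn no longer depends on scipy's removed lena() image`.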
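Review bot: Removing the `/proc/mounts` test leaves nothing that stops `nixos-install` from populating a plain directory on the running system's root filesystem (an empty `/mnt` is the obvious case), and the later mounts and bootloader steps outside this hunk would then act on the live system. If installs into a non-mount-point directory are intentionally supported, keeping the test as a warning preserves the operator feedback: `if ! grep -F -q " $mountPoint " /proc/mounts; then echo "warning: $mountPoint doesn't appear to be a mount point"; fi`, or gating the hard failure behind an explicit opt-out flag. The script continues on both sides of this hunk.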
--- a/nixos/modules/tasks/kbd.nix +++ b/nixos/modules/tasks/kbd.nix @@ -12,6 +12,8 @@ let FONT=${config.i18n.consoleFont} ${colors} ''; + + setVconsole = !config.boot.isContainer; in { @@ -41,26 +43,33 @@ in ###### implementation - config = { + config = mkMerge [ + (mkIf (!setVconsole) { + systemd.services."systemd-vconsole-setup".enable = false; + }) - environment.systemPackages = [ pkgs.kbd ]; + (mkIf setVconsole { + environment.systemPackages = [ pkgs.kbd ]; - # Let systemd-vconsole-setup.service do the work of setting up the - # virtual consoles. FIXME: trigger a restart of - # systemd-vconsole-setup.service if /etc/vconsole.conf changes. - environment.etc."vconsole.conf".source = vconsoleConf; + # Let systemd-vconsole-setup.service do the work of setting up the + # virtual consoles. FIXME: trigger a restart of + # systemd-vconsole-setup.service if /etc/vconsole.conf changes. + environment.etc = [ { + target = "vconsole.conf"; + source = vconsoleConf; + } ]; - # This is identical to the systemd-vconsole-setup.service unit - # shipped with systemd, except that it uses /dev/tty1 instead of - # /dev/tty0 to prevent putting the X server in non-raw mode, and - # it has a restart trigger. - systemd.services."systemd-vconsole-setup" = - { wantedBy = [ "multi-user.target" ]; - before = [ "display-manager.service" ]; - after = [ "systemd-udev-settle.service" ]; - restartTriggers = [ vconsoleConf ]; - }; - - }; + # This is identical to the systemd-vconsole-setup.service unit + # shipped with systemd, except that it uses /dev/tty1 instead of + # /dev/tty0 to prevent putting the X server in non-raw mode, and + # it has a restart trigger. + systemd.services."systemd-vconsole-setup" = + { wantedBy = [ "multi-user.target" ]; + before = [ "display-manager.service" ]; + after = [ "systemd-udev-settle.service" ]; + restartTriggers = [ vconsoleConf ]; + }; + }) + ]; } From aff38b2040f3a1ad86dd512bd4ec49ee01f1e6c2 Mon Sep 17 00:00:00 2001 
From: Nikolay Amiantov Date: Tue, 9 Feb 2016 03:07:23 +0300 Subject: [PATCH 132/507] postgresql service: don't use su --- .../modules/services/databases/postgresql.nix | 36 ++++++++++--------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/nixos/modules/services/databases/postgresql.nix b/nixos/modules/services/databases/postgresql.nix index c2045a5859c5..957fb4723a5c 100644 --- a/nixos/modules/services/databases/postgresql.nix +++ b/nixos/modules/services/databases/postgresql.nix @@ -177,7 +177,7 @@ in users.extraGroups.postgres.gid = config.ids.gids.postgres; - environment.systemPackages = [postgresql]; + environment.systemPackages = [ postgresql ]; systemd.services.postgresql = { description = "PostgreSQL Server"; 
@@ -187,35 +187,37 @@ in environment.PGDATA = cfg.dataDir; - path = [ pkgs.su postgresql ]; + path = [ postgresql ]; preStart = + '' + # Create data directory. + if ! test -e ${cfg.dataDir}/PG_VERSION; then + mkdir -m 0700 -p ${cfg.dataDir} + rm -f ${cfg.dataDir}/*.conf + chown -R postgres:postgres ${cfg.dataDir} + fi + ''; # */ + + script = '' # Initialise the database. if ! test -e ${cfg.dataDir}/PG_VERSION; then - mkdir -m 0700 -p ${cfg.dataDir} - rm -f ${cfg.dataDir}/*.conf - if [ "$(id -u)" = 0 ]; then - chown -R postgres ${cfg.dataDir} - su -s ${pkgs.stdenv.shell} postgres -c 'initdb -U root' - else - # For non-root operation. - initdb - fi - # See postStart! - touch "${cfg.dataDir}/.first_startup" + initdb -U root + # See postStart! + touch "${cfg.dataDir}/.first_startup" fi - ln -sfn "${configFile}" "${cfg.dataDir}/postgresql.conf" ${optionalString (cfg.recoveryConfig != null) '' ln -sfn "${pkgs.writeText "recovery.conf" cfg.recoveryConfig}" \ "${cfg.dataDir}/recovery.conf" ''} - ''; # */ + + exec postgres ${toString flags} + ''; serviceConfig = - { ExecStart = "@${postgresql}/bin/postgres postgres ${toString flags}"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + { ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; User = "postgres"; Group = "postgres"; PermissionsStartOnly = true; From db6f59619dd14b2d35da18a738975c992675396e Mon Sep 17 00:00:00 2001 From: Michael Fellinger Date: Tue, 9 Feb 2016 23:47:41 +0100 Subject: [PATCH 133/507] bundix: 1.0.4 -> 2.0.4 --- .../interpreters/ruby/bundix/default.nix | 54 +++++++++++++------ 1 file changed, 39 insertions(+), 15 deletions(-) diff --git a/pkgs/development/interpreters/ruby/bundix/default.nix b/pkgs/development/interpreters/ruby/bundix/default.nix index b5a49043c60b..88679f74753d 100644 --- a/pkgs/development/interpreters/ruby/bundix/default.nix +++ b/pkgs/development/interpreters/ruby/bundix/default.nix 
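Review bot: In the new `preStart`, `chown -R postgres:postgres ${cfg.dataDir}` runs as root (`PermissionsStartOnly = true`) over a directory that the `postgres` user owns and writes afterwards; on the re-initialisation path (dataDir exists but `PG_VERSION` does not, for example after a failed `initdb`) this recursively re-owns whatever the unprivileged user left there. Since the directory is about to be handed to `initdb`, a non-recursive `chown postgres:postgres ${cfg.dataDir}` is sufficient and keeps root's action on user-controlled content minimal. A comment such as `# root only prepares the data directory; initdb, the config symlinks and postgres itself run as the postgres user` would make the preStart/script privilege split explicit for the next reader.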
@@ -1,20 +1,44 @@ -{ ruby, fetchgit, buildRubyGem, bundler }: +{ buildRubyGem, lib, bundler, ruby, nix, nix-prefetch-scripts }: -let - thor = buildRubyGem { - gemName = "thor"; - version = "0.19.1"; - type = "gem"; - sha256 = "08p5gx18yrbnwc6xc0mxvsfaxzgy2y9i78xq7ds0qmdm67q39y4z"; - }; +buildRubyGem rec { + inherit ruby; -in buildRubyGem { + name = "${gemName}-${version}"; gemName = "bundix"; - version = "1.0.4"; - gemPath = [ thor bundler ]; - src = fetchgit { - url = "https://github.com/cstrahan/bundix.git"; - rev = "6dcf1f71c61584f5c9b919ee9df7b0c554862076"; - sha256 = "1w17bvc9srcgr4ry81ispcj35g9kxihbyknmqp8rnd4h5090b7b2"; + version = "2.0.4"; + + sha256 = "0i7fdxi6w29yxnblpckczazb79m5x03hja8sfnabndg4yjc868qs"; + + buildInputs = [bundler]; + + postInstall = '' + gem_root=$GEM_HOME/gems/${gemName}-${version} + sed \ + -e 's|NIX_INSTANTIATE =.*|NIX_INSTANTIATE = "${nix}/bin/nix-instantiate"|' \ + -i $gem_root/lib/bundix.rb + sed \ + -e 's|NIX_HASH =.*|NIX_HASH = "${nix}/bin/nix-hash"|' \ + -i $gem_root/lib/bundix.rb + sed \ + -e 's|NIX_PREFETCH_URL =.*|NIX_PREFETCH_URL = "${nix}/bin/nix-prefetch-url"|' \ + -i $gem_root/lib/bundix.rb + sed \ + -e 's|NIX_PREFETCH_GIT =.*|NIX_PREFETCH_GIT = "${nix-prefetch-scripts}/bin/nix-prefetch-git"|' \ + -i $gem_root/lib/bundix.rb + ''; + + meta = { + inherit version; + description = "Creates Nix packages from Gemfiles"; + longDescription = '' + This is a tool that converts Gemfile.lock files to nix expressions. + + The output is then usable by the bundlerEnv derivation to list all the + dependencies of a ruby package. + ''; + homepage = "https://github.com/manveru/bundix"; + license = "MIT"; + maintainers = with lib.maintainers; [ manveru zimbatm ]; + platforms = lib.platforms.all; }; } From 25592873530d7152bed62ccc004e882bcba69705 Mon Sep 17 00:00:00 2001 
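Review bot: The four `sed` substitutions in `postInstall` succeed silently when their pattern does not match, so if upstream renames one of the `NIX_*` constants the gem keeps looking up `nix-prefetch-url`/`nix-hash` on the caller's `PATH`, which for a tool whose output is the hashes that Nix later trusts is a quiet supply-chain regression rather than a build failure. Collapsing them into one `sed -i` with four `-e` expressions and asserting afterwards that the store path landed in the file makes a non-match fail the build. Separately, `license = "MIT"` should be the structured `lib.licenses.mit` like the rest of nixpkgs.
```nix
  postInstall = ''
    gem_root=$GEM_HOME/gems/${gemName}-${version}
    sed -i \
      -e 's|NIX_INSTANTIATE =.*|NIX_INSTANTIATE = "${nix}/bin/nix-instantiate"|' \
      -e 's|NIX_HASH =.*|NIX_HASH = "${nix}/bin/nix-hash"|' \
      -e 's|NIX_PREFETCH_URL =.*|NIX_PREFETCH_URL = "${nix}/bin/nix-prefetch-url"|' \
      -e 's|NIX_PREFETCH_GIT =.*|NIX_PREFETCH_GIT = "${nix-prefetch-scripts}/bin/nix-prefetch-git"|' \
      $gem_root/lib/bundix.rb
    # Fail loudly if upstream renamed a constant and a substitution did not apply.
    grep -q '${nix}/bin/nix-instantiate' $gem_root/lib/bundix.rb
    grep -q '${nix}/bin/nix-hash' $gem_root/lib/bundix.rb
    grep -q '${nix}/bin/nix-prefetch-url' $gem_root/lib/bundix.rb
    grep -q '${nix-prefetch-scripts}/bin/nix-prefetch-git' $gem_root/lib/bundix.rb
  '';
  # … unchanged: meta …
```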
From: Profpatsch Date: Wed, 10 Feb 2016 02:00:18 +0100 Subject: [PATCH 134/507] alot: 0.3.6 -> 0.3.7, fixes #12914 Version bump. The checks are back again, so far alot has no tests at all. Add urwidtrees dependency. The themes are copied to the derivation and set as default directory. --- pkgs/top-level/python-packages.nix | 47 +++++++++++++++++++++++------- 1 file changed, 37 insertions(+), 10 deletions(-) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index 1edeb9d84d30..fa2abffd552d 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -554,28 +554,35 @@ in modules // { alot = buildPythonPackage rec { - rev = "0.3.6"; - name = "alot-0.3.6"; + rev = "0.3.7"; + name = "alot-${rev}"; - src = pkgs.fetchurl { - url = "https://github.com/pazz/alot/tarball/${rev}"; - name = "${name}.tar.bz"; - sha256 = "1rzy70w4isvypa94310xw403vq5him21q8rlx4laa0z530phkrmq"; + src = pkgs.fetchFromGitHub { + owner = "pazz"; + repo = "alot"; + inherit rev; + sha256 = "0sscmmf42gsrjbisi6wm01alzlnq6wqhpwkm8pc557075jfg19il"; }; - # error: invalid command 'test' - doCheck = false; + postPatch = '' + substituteInPlace alot/defaults/alot.rc.spec \ + --replace "themes_dir = string(default=None)" \ + "themes_dir = string(default='$out/share/themes')" + ''; propagatedBuildInputs = [ self.notmuch self.urwid + self.urwidtrees self.twisted - self.magic + self.python_magic self.configobj self.pygpgme ]; postInstall = '' + mkdir -p $out/share + cp -r extra/themes $out/share wrapProgram $out/bin/alot \ --prefix LD_LIBRARY_PATH : ${pkgs.notmuch}/lib:${pkgs.file}/lib:${pkgs.gpgme}/lib ''; @@ -583,7 +590,7 @@ in modules // { meta = { homepage = https://github.com/pazz/alot; description = "Terminal MUA using notmuch mail"; - maintainers = with maintainers; [ garbas ]; + maintainers = with maintainers; [ garbas profpatsch ]; }; }; 
@@ -21060,6 +21067,26 @@ in modules // { }; }); + urwidtrees = buildPythonPackage rec { + name = "urwidtrees-${rev}"; + rev = "1.0"; + + src = pkgs.fetchFromGitHub { + owner = "pazz"; + repo = "urwidtrees"; + inherit rev; + sha256 = "03gpcdi45z2idy1fd9zv8v9naivmpfx65hshm8r984k9wklv1dsa"; + }; + + propagatedBuildInputs = with self; [ urwid ]; + + meta = { + description = "Tree widgets for urwid"; + license = licenses.gpl3; + maintainer = with maintainters; [ profpatsch ]; + }; + }; + pyuv = buildPythonPackage rec { name = "pyuv-0.11.5"; disabled = isPyPy; # see https://github.com/saghul/pyuv/issues/49 From dafe0f3dd33fd304e5efec650fc426a8096f0913 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Wed, 10 Feb 2016 16:53:59 +0300 Subject: [PATCH 135/507] dwarf-fortress-packages.phoebus-theme: 20160118 -> 20160128 --- pkgs/games/dwarf-fortress/themes/phoebus.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pkgs/games/dwarf-fortress/themes/phoebus.nix b/pkgs/games/dwarf-fortress/themes/phoebus.nix index 2183a6245c0c..ca459c6ef76e 100644 --- a/pkgs/games/dwarf-fortress/themes/phoebus.nix +++ b/pkgs/games/dwarf-fortress/themes/phoebus.nix @@ -1,16 +1,16 @@ { stdenv, fetchFromGitHub }: -# On upgrade check https://github.com/fricy/Phoebus/blob/master/manifest.json +# On upgrade check https://github.com/DFgraphics/Phoebus/blob/master/manifest.json # for compatibility information. stdenv.mkDerivation { - name = "phoebus-theme-20160118"; + name = "phoebus-theme-20160128"; src = fetchFromGitHub { - owner = "fricy"; + owner = "DFgraphics"; repo = "Phoebus"; - rev = "2c5777b0f307b1d752a8a484c6a05b67531c84a9"; - sha256 = "0a5ixm181wz7crr3rpa2mh0drb371j5hvizqninvdnhah2mypz8v"; + rev = "52b19b69c7323f9002ad195ecd68ac02ff0099a2"; + sha256 = "1pw5l5v7l1bvxzjf4fivmagpmghffvz0wlws2ksc7d5vy48ybcmg"; }; installPhase = '' From 3ff05a5bf4c61df96331892adc86b3012a707546 Mon Sep 17 00:00:00 2001 
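Review bot: `meta` of the new `urwidtrees` package has `maintainer = with maintainters; [ profpatsch ];`, which misspells both the attribute (`maintainer`) and the scope (`maintainters`); because `meta` is lazy this does not break the build, but evaluating `meta.maintainer` raises an undefined-variable error and the maintainer is not recorded for notifications. It should read `maintainers = with maintainers; [ profpatsch ];`. A later patch in this series touches maintainer attributes in python-packages.nix and may already cover this, which I cannot see from here.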
From: Nikolay Amiantov Date: Wed, 10 Feb 2016 16:54:55 +0300 Subject: [PATCH 136/507] dwarf-fortress-packages.cla-theme: init at 20160128 --- pkgs/games/dwarf-fortress/default.nix | 3 +++ pkgs/games/dwarf-fortress/themes/cla.nix | 32 ++++++++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 pkgs/games/dwarf-fortress/themes/cla.nix diff --git a/pkgs/games/dwarf-fortress/default.nix b/pkgs/games/dwarf-fortress/default.nix index d91c110c34c0..bc0b97b139b9 100644 --- a/pkgs/games/dwarf-fortress/default.nix +++ b/pkgs/games/dwarf-fortress/default.nix @@ -16,6 +16,7 @@ let dwarf-fortress = callPackage ./wrapper { themes = { "phoebus" = phoebus-theme; + "cla" = cla-theme; }; }; @@ -28,6 +29,8 @@ let dwarf-therapist = callPackage ./dwarf-therapist/wrapper.nix { }; phoebus-theme = callPackage ./themes/phoebus.nix { }; + + cla-theme = callPackage ./themes/cla.nix { }; }; in self diff --git a/pkgs/games/dwarf-fortress/themes/cla.nix b/pkgs/games/dwarf-fortress/themes/cla.nix new file mode 100644 index 000000000000..f3c6b7dd279a --- /dev/null +++ b/pkgs/games/dwarf-fortress/themes/cla.nix @@ -0,0 +1,32 @@ +{ stdenv, fetchFromGitHub }: + +# On upgrade check https://github.com/fricy/Phoebus/blob/master/manifest.json +# for compatibility information. + +stdenv.mkDerivation { + name = "cla-theme-20160128"; + + src = fetchFromGitHub { + owner = "DFgraphics"; + repo = "CLA"; + rev = "94088b778ed6f91cbddcd3e33aa1e5efa67f3101"; + sha256 = "0rx1375x9s791k9wzvj7sxcrv4xaggibxymzirayznvavr7zcsv1"; + }; + + installPhase = '' + mkdir $out + cp -r data raw $out + ''; + + passthru.dfVersion = "0.42.05"; + + preferLocalBuild = true; + + meta = with stdenv.lib; { + description = "CLA graphics set for Dwarf Fortress"; + homepage = "http://www.bay12forums.com/smf/index.php?topic=105376.0"; + platforms = platforms.all; + maintainers = with maintainers; [ abbradar ]; + license = licenses.free; + }; +} From e2eca0c24ccba93eea431fb510bbda29540b1b02 Mon Sep 17 00:00:00 2001 
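Review bot: The header comment in the new cla.nix, `# On upgrade check https://github.com/fricy/Phoebus/blob/master/manifest.json`, is copied from phoebus.nix and points at a different theme's repository (and at the old `fricy` owner that the preceding commit moved away from), so whoever bumps this package will read the wrong compatibility data. It should reference the CLA repository fetched just below, presumably `https://github.com/DFgraphics/CLA/blob/master/manifest.json`, or be dropped if that repository has no manifest. `passthru.dfVersion = "0.42.05"` would be the value to cross-check against it.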
From: Eelco Dolstra Date: Wed, 10 Feb 2016 14:59:36 +0100 Subject: [PATCH 137/507] Fix misspelled meta.maintainers attributes --- .../color-theme-solarized/default.nix | 2 +- .../pidgin-plugins/otr/default.nix | 2 +- .../pidgin-opensteamworks/default.nix | 2 +- .../purple-plugin-pack/default.nix | 2 +- .../telegram/cutegram/default.nix | 2 +- .../libqtelegram-aseman-edition/default.nix | 2 +- .../telegram/telegram-qml/default.nix | 2 +- .../window-managers/compton/git.nix | 2 +- pkgs/data/fonts/google-fonts/default.nix | 2 +- pkgs/data/fonts/powerline-fonts/default.nix | 2 +- pkgs/data/misc/media-player-info/default.nix | 2 +- .../libraries/openjpeg/generic.nix | 2 +- .../phonon-backend-gstreamer/qt5/default.nix | 2 +- .../tools/ocaml/ocaml-top/default.nix | 2 +- pkgs/games/gzdoom/default.nix | 2 +- pkgs/games/zandronum/bin.nix | 2 +- pkgs/games/zandronum/default.nix | 2 +- pkgs/games/zdoom/default.nix | 2 +- pkgs/misc/themes/vertex/default.nix | 2 +- pkgs/os-specific/linux/kernel/linux-mptcp.nix | 2 +- pkgs/servers/mail/rmilter/default.nix | 2 +- pkgs/servers/mail/rspamd/default.nix | 2 +- pkgs/tools/misc/cpulimit/default.nix | 2 +- pkgs/tools/misc/trash-cli/default.nix | 2 +- pkgs/tools/networking/nethogs/default.nix | 2 +- pkgs/tools/text/colordiff/default.nix | 2 +- pkgs/top-level/python-packages.nix | 30 +++++++++---------- 27 files changed, 41 insertions(+), 41 deletions(-) diff --git a/pkgs/applications/editors/emacs-modes/color-theme-solarized/default.nix b/pkgs/applications/editors/emacs-modes/color-theme-solarized/default.nix index 9a0f6855567c..ef006439a555 100644 --- a/pkgs/applications/editors/emacs-modes/color-theme-solarized/default.nix +++ b/pkgs/applications/editors/emacs-modes/color-theme-solarized/default.nix 
@@ -27,7 +27,7 @@ stdenv.mkDerivation rec { meta = { description = "Precision colors for machines and people"; homepage = http://ethanschoonover.com/solarized; - maintainer = "Samuel Rivas "; + maintainers = "Samuel Rivas "; license = stdenv.lib.licenses.mit; platforms = stdenv.lib.platforms.all; diff --git a/pkgs/applications/networking/instant-messengers/pidgin-plugins/otr/default.nix b/pkgs/applications/networking/instant-messengers/pidgin-plugins/otr/default.nix index 7b80ec85661a..c6801105a84a 100644 --- a/pkgs/applications/networking/instant-messengers/pidgin-plugins/otr/default.nix +++ b/pkgs/applications/networking/instant-messengers/pidgin-plugins/otr/default.nix @@ -16,6 +16,6 @@ stdenv.mkDerivation rec { description = "Plugin for Pidgin 2.x which implements OTR Messaging"; license = licenses.gpl2; platforms = platforms.linux; - maintainters = with maintainers; [ abbradar ]; + maintainers = with maintainers; [ abbradar ]; }; } diff --git a/pkgs/applications/networking/instant-messengers/pidgin-plugins/pidgin-opensteamworks/default.nix b/pkgs/applications/networking/instant-messengers/pidgin-plugins/pidgin-opensteamworks/default.nix index e03b61b61824..e4c0697605d6 100644 --- a/pkgs/applications/networking/instant-messengers/pidgin-plugins/pidgin-opensteamworks/default.nix +++ b/pkgs/applications/networking/instant-messengers/pidgin-plugins/pidgin-opensteamworks/default.nix @@ -26,6 +26,6 @@ stdenv.mkDerivation rec { description = "Plugin for Pidgin 2.x which implements Steam Friends/Steam IM compatibility"; license = licenses.gpl3; platforms = platforms.linux; - maintainters = with maintainers; [ arobyn ]; + maintainers = with maintainers; [ arobyn ]; }; } diff --git a/pkgs/applications/networking/instant-messengers/pidgin-plugins/purple-plugin-pack/default.nix b/pkgs/applications/networking/instant-messengers/pidgin-plugins/purple-plugin-pack/default.nix index 149f62bb9816..8022d32a081a 100644 
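Review bot: Renaming the attribute to `maintainers` leaves its value a bare string, `maintainers = "Samuel Rivas ";`, whereas `meta.maintainers` is expected to be a list; tooling that iterates maintainers will still trip over this entry. Wrap it in a list, `maintainers = [ "Samuel Rivas …" ];` (the address appears truncated in this copy of the diff), or better use the corresponding entry from `stdenv.lib.maintainers` if one exists.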
--- a/pkgs/applications/networking/instant-messengers/pidgin-plugins/purple-plugin-pack/default.nix +++ b/pkgs/applications/networking/instant-messengers/pidgin-plugins/purple-plugin-pack/default.nix @@ -14,6 +14,6 @@ stdenv.mkDerivation rec { description = "Plugin pack for Pidgin 2.x"; license = licenses.gpl2; platforms = platforms.linux; - maintainters = with maintainers; [ bdimcheff ]; + maintainers = with maintainers; [ bdimcheff ]; }; } diff --git a/pkgs/applications/networking/instant-messengers/telegram/cutegram/default.nix b/pkgs/applications/networking/instant-messengers/telegram/cutegram/default.nix index 26a7eb49279b..507094f7c055 100644 --- a/pkgs/applications/networking/instant-messengers/telegram/cutegram/default.nix +++ b/pkgs/applications/networking/instant-messengers/telegram/cutegram/default.nix @@ -25,7 +25,7 @@ stdenv.mkDerivation rec { description = "Telegram client forked from sigram"; homepage = "http://aseman.co/en/products/cutegram/"; license = licenses.gpl3; - maintainer = [ maintainers.profpatsch ]; + maintainers = [ maintainers.profpatsch ]; }; } diff --git a/pkgs/applications/networking/instant-messengers/telegram/libqtelegram-aseman-edition/default.nix b/pkgs/applications/networking/instant-messengers/telegram/libqtelegram-aseman-edition/default.nix index 3149ac3279af..8166514bb3ac 100644 --- a/pkgs/applications/networking/instant-messengers/telegram/libqtelegram-aseman-edition/default.nix +++ b/pkgs/applications/networking/instant-messengers/telegram/libqtelegram-aseman-edition/default.nix @@ -28,7 +28,7 @@ stdenv.mkDerivation rec { description = "A fork of libqtelegram by Aseman, using qmake"; homepage = src.meta.homepage; license = stdenv.lib.licenses.gpl3; - maintainer = [ maintainers.profpatsch ]; + maintainers = [ maintainers.profpatsch ]; }; } 
diff --git a/pkgs/applications/networking/instant-messengers/telegram/telegram-qml/default.nix b/pkgs/applications/networking/instant-messengers/telegram/telegram-qml/default.nix index b51f8435ce13..6bf550d4766b 100644 --- a/pkgs/applications/networking/instant-messengers/telegram/telegram-qml/default.nix +++ b/pkgs/applications/networking/instant-messengers/telegram/telegram-qml/default.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { description = "Telegram API tools for QtQml and Qml"; homepage = src.meta.homepage; license = stdenv.lib.licenses.gpl3; - maintainer = [ maintainers.profpatsch ]; + maintainers = [ maintainers.profpatsch ]; }; } diff --git a/pkgs/applications/window-managers/compton/git.nix b/pkgs/applications/window-managers/compton/git.nix index be2586c9e270..b715b3a4cf31 100644 --- a/pkgs/applications/window-managers/compton/git.nix +++ b/pkgs/applications/window-managers/compton/git.nix @@ -48,7 +48,7 @@ stdenv.mkDerivation { additional features, such as additional effects, and a fork at a well-defined and proper place. ''; - maintainer = maintainers.ertes; + maintainers = maintainers.ertes; platforms = platforms.linux; }; } diff --git a/pkgs/data/fonts/google-fonts/default.nix b/pkgs/data/fonts/google-fonts/default.nix index 9f14f945e353..e4c655877c8b 100644 --- a/pkgs/data/fonts/google-fonts/default.nix +++ b/pkgs/data/fonts/google-fonts/default.nix @@ -21,6 +21,6 @@ stdenv.mkDerivation rec { description = "Font files available from Google Font"; license = with licenses; [ asl20 ofl ufl ]; platforms = platforms.all; - maintainer = with maintainers; [ manveru ]; + maintainers = with maintainers; [ manveru ]; }; } diff --git a/pkgs/data/fonts/powerline-fonts/default.nix b/pkgs/data/fonts/powerline-fonts/default.nix index 6d620c09f06d..2e576cf6dc8b 100644 --- a/pkgs/data/fonts/powerline-fonts/default.nix +++ b/pkgs/data/fonts/powerline-fonts/default.nix 
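Review bot: In the compton hunk the fixed line `maintainers = maintainers.ertes;` still assigns a single maintainer attribute set rather than the list that `meta.maintainers` is expected to hold, so the spelling fix does not make the value well-formed. It should be `maintainers = [ maintainers.ertes ];`.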
@@ -38,6 +38,6 @@ stdenv.mkDerivation { ''; license = with licenses; [ asl20 free ofl ]; platforms = platforms.all; - maintainer = with maintainers; [ malyn ]; + maintainers = with maintainers; [ malyn ]; }; } diff --git a/pkgs/data/misc/media-player-info/default.nix b/pkgs/data/misc/media-player-info/default.nix index 9abe5d6ea8e7..f31c7c503a29 100644 --- a/pkgs/data/misc/media-player-info/default.nix +++ b/pkgs/data/misc/media-player-info/default.nix @@ -27,6 +27,6 @@ in description = "A repository of data files describing media player capabilities"; homepage = "http://www.freedesktop.org/wiki/Software/media-player-info/"; license = licenses.bsd3; - maintainer = with maintainers; [ ttuegel ]; + maintainers = with maintainers; [ ttuegel ]; }; } diff --git a/pkgs/development/libraries/openjpeg/generic.nix b/pkgs/development/libraries/openjpeg/generic.nix index 717e5a4de2cf..1b4b4af7f41c 100644 --- a/pkgs/development/libraries/openjpeg/generic.nix +++ b/pkgs/development/libraries/openjpeg/generic.nix @@ -64,7 +64,7 @@ stdenv.mkDerivation rec { description = "Open-source JPEG 2000 codec written in C language"; homepage = http://www.openjpeg.org/; license = licenses.bsd2; - maintainer = with maintainers; [ codyopel ]; + maintainers = with maintainers; [ codyopel ]; platforms = platforms.all; }; } diff --git a/pkgs/development/libraries/phonon-backend-gstreamer/qt5/default.nix b/pkgs/development/libraries/phonon-backend-gstreamer/qt5/default.nix index 9866c0a67ce3..98aa7d81b368 100644 --- a/pkgs/development/libraries/phonon-backend-gstreamer/qt5/default.nix +++ b/pkgs/development/libraries/phonon-backend-gstreamer/qt5/default.nix @@ -34,6 +34,6 @@ stdenv.mkDerivation rec { homepage = http://phonon.kde.org/; description = "GStreamer backend for Phonon"; platforms = platforms.linux; - maintainer = with maintainers; [ ttuegel ]; + maintainers = with maintainers; [ ttuegel ]; }; } 
diff --git a/pkgs/development/tools/ocaml/ocaml-top/default.nix b/pkgs/development/tools/ocaml/ocaml-top/default.nix index cf0a16cef68d..79c81c5c447c 100644 --- a/pkgs/development/tools/ocaml/ocaml-top/default.nix +++ b/pkgs/development/tools/ocaml/ocaml-top/default.nix @@ -26,6 +26,6 @@ stdenv.mkDerivation { license = stdenv.lib.licenses.gpl3; description = "A simple cross-platform OCaml code editor built for top-level evaluation"; platforms = ocamlPackages.ocaml.meta.platforms; - maintainer = with stdenv.lib.maintainers; [ vbgl ]; + maintainers = with stdenv.lib.maintainers; [ vbgl ]; }; } diff --git a/pkgs/games/gzdoom/default.nix b/pkgs/games/gzdoom/default.nix index 66d01905aaf3..3f8744d75cb2 100644 --- a/pkgs/games/gzdoom/default.nix +++ b/pkgs/games/gzdoom/default.nix @@ -27,7 +27,7 @@ stdenv.mkDerivation { meta = { homepage = https://github.com/coelckers/gzdoom; description = "A Doom source port based on ZDoom. It features an OpenGL renderer and lots of new features"; - maintainer = [ stdenv.lib.maintainers.lassulus ]; + maintainers = [ stdenv.lib.maintainers.lassulus ]; }; } diff --git a/pkgs/games/zandronum/bin.nix b/pkgs/games/zandronum/bin.nix index 92f93d8f7785..ae6ab99dad29 100644 --- a/pkgs/games/zandronum/bin.nix +++ b/pkgs/games/zandronum/bin.nix @@ -75,7 +75,7 @@ stdenv.mkDerivation rec { meta = { homepage = http://zandronum.com/; description = "multiplayer oriented port, based off Skulltag, for Doom and Doom II by id Software. Binary version for online play."; - maintainer = [ stdenv.lib.maintainers.lassulus ]; + maintainers = [ stdenv.lib.maintainers.lassulus ]; # Binary version has different version string than source code version. license = stdenv.lib.licenses.unfreeRedistributable; platforms = [ "x86_64-linux" ]; diff --git a/pkgs/games/zandronum/default.nix b/pkgs/games/zandronum/default.nix index ecdf8cfdbd22..479a6abe9a47 100644 --- a/pkgs/games/zandronum/default.nix +++ b/pkgs/games/zandronum/default.nix 
@@ -54,7 +54,7 @@ in stdenv.mkDerivation { meta = with stdenv.lib; { homepage = http://zandronum.com/; description = "Multiplayer oriented port, based off Skulltag, for Doom and Doom II by id Software."; - maintainer = with maintainers; [ lassulus ]; + maintainers = with maintainers; [ lassulus ]; platforms = platforms.linux; license = licenses.bsdOriginal; }; diff --git a/pkgs/games/zdoom/default.nix b/pkgs/games/zdoom/default.nix index 0bc63855299e..8feb78ad9693 100644 --- a/pkgs/games/zdoom/default.nix +++ b/pkgs/games/zdoom/default.nix @@ -33,7 +33,7 @@ stdenv.mkDerivation { meta = { homepage = http://zdoom.org/; description = "Enhanced port of the official DOOM source code"; - maintainer = [ stdenv.lib.maintainers.lassulus ]; + maintainers = [ stdenv.lib.maintainers.lassulus ]; }; } diff --git a/pkgs/misc/themes/vertex/default.nix b/pkgs/misc/themes/vertex/default.nix index 60269c8dfbf6..ea79426d47e4 100644 --- a/pkgs/misc/themes/vertex/default.nix +++ b/pkgs/misc/themes/vertex/default.nix @@ -27,7 +27,7 @@ stdenv.mkDerivation rec { inherit (src.meta) homepage; description = "Theme for GTK 3, GTK 2, Gnome-Shell, and Cinnamon"; license = licenses.gpl3; - maintainer = [ maintainers.rycee ]; + maintainers = [ maintainers.rycee ]; platforms = platforms.unix; }; } diff --git a/pkgs/os-specific/linux/kernel/linux-mptcp.nix b/pkgs/os-specific/linux/kernel/linux-mptcp.nix index 2b0e3017979f..6a1d8da5a92b 100644 --- a/pkgs/os-specific/linux/kernel/linux-mptcp.nix +++ b/pkgs/os-specific/linux/kernel/linux-mptcp.nix @@ -7,7 +7,7 @@ import ./generic.nix (args // rec { extraMeta = { branch = "3.18"; - maintainer = stdenv.lib.maintainers.layus; + maintainers = stdenv.lib.maintainers.layus; }; src = fetchurl { diff --git a/pkgs/servers/mail/rmilter/default.nix b/pkgs/servers/mail/rmilter/default.nix index 45c625466280..ad40b57f8a60 100644 --- a/pkgs/servers/mail/rmilter/default.nix +++ b/pkgs/servers/mail/rmilter/default.nix 
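Review bot: `maintainers = stdenv.lib.maintainers.layus;` in the linux-mptcp.nix hunk renames the attribute but keeps a scalar value, while every other hunk in this commit wraps the maintainer in `[ ... ]`. The rmilter and rspamd hunks on the following line have the same shape with `maintainers = maintainers.avnik;`. Since the rest of the tree treats `meta.maintainers` as a list, make these consistent: `maintainers = [ stdenv.lib.maintainers.layus ];` and `maintainers = [ maintainers.avnik ];`.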
@@ -17,6 +17,6 @@ stdenv.mkDerivation rec { homepage = "https://github.com/vstakhov/rmilter"; license = licenses.bsd2; description = "server, used to integrate rspamd and milter compatible MTA, for example postfix or sendmail"; - maintainer = maintainers.avnik; + maintainers = maintainers.avnik; }; } diff --git a/pkgs/servers/mail/rspamd/default.nix b/pkgs/servers/mail/rspamd/default.nix index a3b20820a6e0..1f9c36b73777 100644 --- a/pkgs/servers/mail/rspamd/default.nix +++ b/pkgs/servers/mail/rspamd/default.nix @@ -33,6 +33,6 @@ stdenv.mkDerivation rec { homepage = "https://github.com/vstakhov/rspamd"; license = licenses.bsd2; description = "advanced spam filtering system"; - maintainer = maintainers.avnik; + maintainers = maintainers.avnik; }; } diff --git a/pkgs/tools/misc/cpulimit/default.nix b/pkgs/tools/misc/cpulimit/default.nix index 72656d2969de..1bae4b16bd82 100644 --- a/pkgs/tools/misc/cpulimit/default.nix +++ b/pkgs/tools/misc/cpulimit/default.nix @@ -21,6 +21,6 @@ stdenv.mkDerivation rec { description = "A tool to throttle the CPU usage of programs"; platforms = with platforms; linux ++ freebsd; license = licenses.gpl2; - maintainer = [maintainers.rycee]; + maintainers = [maintainers.rycee]; }; } diff --git a/pkgs/tools/misc/trash-cli/default.nix b/pkgs/tools/misc/trash-cli/default.nix index 1c8a2e495b69..78835afddef5 100644 --- a/pkgs/tools/misc/trash-cli/default.nix +++ b/pkgs/tools/misc/trash-cli/default.nix @@ -34,7 +34,7 @@ python2Packages.buildPythonPackage rec { meta = with stdenv.lib; { homepage = https://github.com/andreafrancia/trash-cli; description = "Command line tool for the desktop trash can"; - maintainer = [ maintainers.rycee ]; + maintainers = [ maintainers.rycee ]; license = licenses.gpl2; }; } diff --git a/pkgs/tools/networking/nethogs/default.nix b/pkgs/tools/networking/nethogs/default.nix index c8ff0c7a1609..dfa9b26a38e8 100644 --- a/pkgs/tools/networking/nethogs/default.nix +++ b/pkgs/tools/networking/nethogs/default.nix 
@@ -29,6 +29,6 @@ stdenv.mkDerivation rec { license = licenses.gpl2Plus; homepage = http://nethogs.sourceforge.net/; platforms = platforms.linux; - maintainer = [ maintainers.rycee ]; + maintainers = [ maintainers.rycee ]; }; } diff --git a/pkgs/tools/text/colordiff/default.nix b/pkgs/tools/text/colordiff/default.nix index 53e683561fb8..b22a1da22641 100644 --- a/pkgs/tools/text/colordiff/default.nix +++ b/pkgs/tools/text/colordiff/default.nix @@ -22,6 +22,6 @@ stdenv.mkDerivation rec { homepage = http://www.colordiff.org/; license = licenses.gpl3; platforms = platforms.linux ++ platforms.darwin; - maintainer = with maintainers; [ nckx ]; + maintainers = with maintainers; [ nckx ]; }; } diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index fa2abffd552d..717604a7278c 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -1815,7 +1815,7 @@ in modules // { description = "Composable style cycles"; homepage = http://github.com/matplotlib/cycler; license = licenses.bsd3; - maintainer = with maintainers; [ fridh ]; + maintainers = with maintainers; [ fridh ]; }; }; @@ -10664,7 +10664,7 @@ in modules // { description = "Line-by-line profiler"; homepage = https://github.com/rkern/line_profiler; license = licenses.bsd3; - maintainer = with maintainers; [ fridh ]; + maintainers = with maintainers; [ fridh ]; }; }; @@ -12589,7 +12589,7 @@ in modules // { meta = { description = "Numerical traits for Python objects"; license = licenses.bsd2; - maintainer = with maintainers; [ fridh ]; + maintainers = with maintainers; [ fridh ]; homepage = https://github.com/astrofrog/numtraits; }; }; @@ -14905,7 +14905,7 @@ in modules // { description = "An audio library based on libsndfile, CFFI and NumPy"; license = licenses.bsd3; homepage = https://github.com/bastibe/PySoundFile; - maintainer = with maintainers; [ fridh ]; + maintainers = with maintainers; [ fridh ]; }; prePatch = '' 
@@ -15994,7 +15994,7 @@ in modules // { description = "A pythonic wrapper around FFTW, the FFT library, presenting a unified interface for all the supported transforms"; homepage = http://hgomersall.github.com/pyFFTW/; license = with licenses; [ bsd2 bsd3 ]; - maintainer = with maintainers; [ fridh ]; + maintainers = with maintainers; [ fridh ]; }; }; @@ -17727,7 +17727,7 @@ in modules // { description = "A docutils-compatibility bridge to CommonMark"; homepage = https://github.com/rtfd/recommonmark; license = licenses.mit; - maintainer = with maintainers; [ fridh ]; + maintainers = with maintainers; [ fridh ]; }; }; @@ -19794,7 +19794,7 @@ in modules // { description = "Statistical computations and models for use with SciPy"; homepage = "https://www.github.com/statsmodels/statsmodels"; license = licenses.bsd3; - maintainer = with maintainers; [ fridh ]; + maintainers = with maintainers; [ fridh ]; }; # Many tests fail when using latest numpy and pandas. @@ -20072,7 +20072,7 @@ in modules // { description = "Pretty-print tabular data"; homepage = https://bitbucket.org/astanin/python-tabulate; license = licenses.mit; - maintainer = with maintainers; [ fridh ]; + maintainers = with maintainers; [ fridh ]; }; }; @@ -21083,7 +21083,7 @@ in modules // { meta = { description = "Tree widgets for urwid"; license = licenses.gpl3; - maintainer = with maintainters; [ profpatsch ]; + maintainers = with maintainers; [ profpatsch ]; }; }; @@ -25019,7 +25019,7 @@ in modules // { # license can actually be either bsd3 or gpl3 # see https://github.com/trezor/cython-hidapi/blob/master/LICENSE-orig.txt license = licenses.bsd3; - maintainer = with maintainers; [ np ]; + maintainers = with maintainers; [ np ]; }; }; @@ -25038,7 +25038,7 @@ in modules // { description = "Implementation of Bitcoin BIP-0039"; homepage = https://github.com/trezor/python-mnemonic; license = licenses.mit; - maintainer = with maintainers; [ np ]; + maintainers = with maintainers; [ np ]; }; }; 
@@ -25062,7 +25062,7 @@ in modules // { description = "Python library for communicating with TREZOR Bitcoin Hardware Wallet"; homepage = https://github.com/trezor/python-trezor; license = licenses.gpl3; - maintainer = with maintainers; [ np ]; + maintainers = with maintainers; [ np ]; }; }; @@ -25086,7 +25086,7 @@ in modules // { description = "KeepKey Python client"; homepage = https://github.com/keepkey/python-keepkey; license = licenses.gpl3; - maintainer = with maintainers; [ np ]; + maintainers = with maintainers; [ np ]; }; }; @@ -25139,7 +25139,7 @@ in modules // { description = "Using Trezor as hardware SSH agent"; homepage = https://github.com/romanz/trezor-agent; license = licenses.gpl3; - maintainer = with maintainers; [ np ]; + maintainers = with maintainers; [ np ]; }; }; @@ -25156,7 +25156,7 @@ in modules // { description = "Binding for X11 proof of work hashing"; homepage = https://github.com/mazaclub/x11_hash; license = licenses.mit; - maintainer = with maintainers; [ np ]; + maintainers = with maintainers; [ np ]; }; }; From f106461cce2e97c69fe501d9cd1aaff323ddf674 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Wed, 10 Feb 2016 17:02:07 +0300 Subject: [PATCH 138/507] dwarf-fortress-packages.cla-theme: fix comment --- pkgs/games/dwarf-fortress/themes/cla.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/games/dwarf-fortress/themes/cla.nix b/pkgs/games/dwarf-fortress/themes/cla.nix index f3c6b7dd279a..09b2cc8b647b 100644 --- a/pkgs/games/dwarf-fortress/themes/cla.nix +++ b/pkgs/games/dwarf-fortress/themes/cla.nix @@ -1,6 +1,6 @@ { stdenv, fetchFromGitHub }: -# On upgrade check https://github.com/fricy/Phoebus/blob/master/manifest.json +# On upgrade check https://github.com/DFgraphics/CLA/blob/master/manifest.json # for compatibility information. stdenv.mkDerivation { From d008513af25f264accdbd4f496bfe13803e28190 Mon Sep 17 00:00:00 2001 
From: Eelco Dolstra Date: Wed, 10 Feb 2016 13:50:31 +0100 Subject: [PATCH 139/507] Reduce the size of the Nixpkgs/NixOS jobsets This cuts nixpkgs:trunk from 78K to 31K jobs by disabling builds of {node,go,python,emacs,coq,r,ocaml,perl}Packages. Thus these are now only built if they are dependencies of top-level packages (such as end-user applications). I left haskellPackages because they take typically longer to build than the others (which are mostly interpreted languages), so disabling them would be more painful to users. This is a temporary measure until we have a binary cache based Hydra running on faster hardware, necessitated by the fact that evaluations now regularly time out after 6 hours. --- pkgs/top-level/all-packages.nix | 24 ++++++++++++------------ pkgs/top-level/release.nix | 16 +++++++++++----- 2 files changed, 23 insertions(+), 17 deletions(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 6eeefe62b9a0..4b3bbceab6de 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -2151,7 +2151,7 @@ let nodePackages_5_x = callPackage ./node-packages.nix { self = nodePackages_5_x; nodejs = nodejs-5_x; }; - nodePackages_4_x = recurseIntoAttrs (callPackage ./node-packages.nix { self = nodePackages_4_x; nodejs = nodejs-4_x; }); + nodePackages_4_x = callPackage ./node-packages.nix { self = nodePackages_4_x; nodejs = nodejs-4_x; }; nodePackages_0_10 = callPackage ./node-packages.nix { self = nodePackages_0_10; nodejs = nodejs-0_10; }; 
@@ -9001,23 +9001,23 @@ let ### DEVELOPMENT / GO MODULES - go14Packages = recurseIntoAttrs (callPackage ./go-packages.nix { + go14Packages = callPackage ./go-packages.nix { go = go_1_4; buildGoPackage = callPackage ../development/go-modules/generic { go = go_1_4; govers = go14Packages.govers.bin; }; overrides = (config.goPackageOverrides or (p: {})) pkgs; - }); + }; - go15Packages = recurseIntoAttrs (callPackage ./go-packages.nix { + go15Packages = callPackage ./go-packages.nix { go = go_1_5; buildGoPackage = callPackage ../development/go-modules/generic { go = go_1_5; govers = go15Packages.govers.bin; }; overrides = (config.goPackageOverrides or (p: {})) pkgs; - }); + }; goPackages = go15Packages; @@ -9091,20 +9091,20 @@ let self = python33Packages; }; - python34Packages = recurseIntoAttrs (callPackage ./python-packages.nix { + python34Packages = callPackage ./python-packages.nix { python = python34; self = python34Packages; - }); + }; python35Packages = recurseIntoAttrs (callPackage ./python-packages.nix { python = python35; self = python35Packages; }); - pypyPackages = recurseIntoAttrs (callPackage ./python-packages.nix { + pypyPackages = callPackage ./python-packages.nix { python = pypy; self = pypyPackages; - }); + }; bsddb3 = pythonPackages.bsddb3; @@ -11798,7 +11798,7 @@ let cask = callPackage ../applications/editors/emacs-modes/cask { }; }; - emacs24Packages = recurseIntoAttrs (emacsPackagesGen emacs24 pkgs.emacs24Packages); + emacs24Packages = emacsPackagesGen emacs24 pkgs.emacs24Packages; emacsPackagesNgGen = emacs: import ./emacs-packages.nix { overrides = (config.emacsPackageOverrides or (p: {})) pkgs; 
@@ -15140,8 +15140,8 @@ let }; - coqPackages = recurseIntoAttrs (mkCoqPackages_8_4 coqPackages); - coqPackages_8_5 = recurseIntoAttrs (mkCoqPackages_8_5 coqPackages_8_5); + coqPackages = mkCoqPackages_8_4 coqPackages; + coqPackages_8_5 = mkCoqPackages_8_5 coqPackages_8_5; cvc3 = callPackage ../applications/science/logic/cvc3 { gmp = lib.overrideDerivation gmp (a: { dontDisableStatic = true; }); diff --git a/pkgs/top-level/release.nix b/pkgs/top-level/release.nix index 1eff71f673f0..34360a064efb 100644 --- a/pkgs/top-level/release.nix +++ b/pkgs/top-level/release.nix @@ -232,7 +232,7 @@ let zsh = linux; zsnes = ["i686-linux"]; - emacs24PackagesNg = packagePlatforms pkgs.emacs24PackagesNg; + #emacs24PackagesNg = packagePlatforms pkgs.emacs24PackagesNg; gnome = { gnome_panel = linux; @@ -243,7 +243,7 @@ let haskell.compiler = packagePlatforms pkgs.haskell.compiler; haskellPackages = packagePlatforms pkgs.haskellPackages; - rPackages = packagePlatforms pkgs.rPackages; + #rPackages = packagePlatforms pkgs.rPackages; strategoPackages = { sdf = linux; @@ -253,9 +253,15 @@ let dryad = linux; }; - pythonPackages = { - zfec = linux; - }; + ocamlPackages = { }; + + perlPackages = { }; + + pythonPackages = { }; + python2Packages = { }; + python27Packages = { }; + python3Packages = { }; + python35Packages = { }; xorg = { fontadobe100dpi = linux ++ darwin; From 11b9ed9e6323a82916b95538d40da2858fa99b03 Mon Sep 17 00:00:00 2001 From: Nikolay Amiantov Date: Wed, 10 Feb 2016 19:42:31 +0300 Subject: [PATCH 140/507] zathura: use mupdf by default --- pkgs/top-level/all-packages.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 4b3bbceab6de..707b0591ae27 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
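Review bot: The `#emacs24PackagesNg = packagePlatforms pkgs.emacs24PackagesNg;` line in the first release.nix hunk is commented-out code rather than a removal, and the rPackages hunk below does the same with `#rPackages = ...`. The commit message explains that this is a temporary measure, but nothing at these lines says so, and a reader of release.nix alone cannot tell whether they are dead or deliberately parked. Either delete the lines (git history keeps them) or replace the bare comment-out with a reason, e.g. `# Temporarily not built to keep Hydra evaluation time down; see the commit that disabled it.`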
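Review bot: Replacing `pythonPackages = { zfec = linux; };` with an empty set drops the explicit zfec job together with the package sets, which the commit message does not mention; if zfec was listed there to guarantee a Hydra build, it is now built only when something else depends on it. Separately, `python35Packages` is emptied here while the all-packages.nix hunk above still leaves `recurseIntoAttrs` on `python35Packages`, whereas python34Packages and pypyPackages are handled by dropping `recurseIntoAttrs`; using one mechanism for all three would make the intent easier to follow.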
@@ -14041,7 +14041,7 @@ let zathuraCollection = recurseIntoAttrs (callPackage ../applications/misc/zathura { callPackage = newScope pkgs.zathuraCollection; - useMupdf = config.zathura.useMupdf or false; + useMupdf = config.zathura.useMupdf or true; }); zathura = zathuraCollection.zathuraWrapper; From 11b6e9a2f88fb4ff14b75bc5d32da0043a8e8788 Mon Sep 17 00:00:00 2001 From: "tg(x)" <*@tg-x.net> Date: Sat, 24 Oct 2015 01:32:20 +0200 Subject: [PATCH 141/507] wayland window managers: orbment, sway, velox --- pkgs/applications/misc/dmenu/wayland.nix | 34 +++++++++++ pkgs/applications/misc/st/wayland.nix | 34 +++++++++++ .../window-managers/orbment/default.nix | 57 ++++++++++++++++++ .../window-managers/sway/default.nix | 38 ++++++++++++ .../window-managers/velox/default.nix | 29 ++++++++++ pkgs/development/libraries/swc/default.nix | 30 ++++++++++ pkgs/development/libraries/wlc/default.nix | 58 +++++++++++++++++++ pkgs/development/libraries/wld/default.nix | 30 ++++++++++ pkgs/top-level/all-packages.nix | 14 +++++ 9 files changed, 324 insertions(+) create mode 100644 pkgs/applications/misc/dmenu/wayland.nix create mode 100644 pkgs/applications/misc/st/wayland.nix create mode 100644 pkgs/applications/window-managers/orbment/default.nix create mode 100644 pkgs/applications/window-managers/sway/default.nix create mode 100644 pkgs/applications/window-managers/velox/default.nix create mode 100644 pkgs/development/libraries/swc/default.nix create mode 100644 pkgs/development/libraries/wlc/default.nix create mode 100644 pkgs/development/libraries/wld/default.nix diff --git a/pkgs/applications/misc/dmenu/wayland.nix b/pkgs/applications/misc/dmenu/wayland.nix new file mode 100644 index 000000000000..d55e22c5a3b8 --- /dev/null +++ b/pkgs/applications/misc/dmenu/wayland.nix 
@@ -0,0 +1,34 @@ +{stdenv, fetchurl #, libX11, libXinerama, enableXft, libXft, zlib +, swc, wld, wayland, libxkbcommon, pixman, fontconfig +}: + +with stdenv.lib; + +stdenv.mkDerivation rec { + name = "dmenu-wayland-${version}"; + version = "git-2014-11-02"; + rev = "6e08b77428cc3c406ed2e90d4cae6c41df76341e"; + + src = fetchurl { + url = "https://github.com/michaelforney/dmenu/archive/${rev}.tar.gz"; + sha256 = "d0f73e442baf44a93a3b9d41a72e9cfa14f54af6049c90549f516722e3f88019"; + }; + + buildInputs = [ swc wld wayland libxkbcommon pixman fontconfig ]; + + postPatch = '' + sed -ri -e 's!\<(dmenu|dmenu_path)\>!'"$out/bin"'/&!g' dmenu_run + ''; + + preConfigure = [ + ''sed -i "s@PREFIX = /usr/local@PREFIX = $out@g; s@/usr/share/swc@$(echo "$nativeBuildInputs" | grep -o '[^ ]*-swc-[^ ]*')/share/swc@g" config.mk'' + ]; + + meta = { + description = "a generic, highly customizable, and efficient menu for the X Window System"; + homepage = http://tools.suckless.org/dmenu; + license = stdenv.lib.licenses.mit; + maintainers = with stdenv.lib.maintainers; [ ]; + platforms = with stdenv.lib.platforms; all; + }; +} diff --git a/pkgs/applications/misc/st/wayland.nix b/pkgs/applications/misc/st/wayland.nix new file mode 100644 index 000000000000..ed7e0cf7ca1d --- /dev/null +++ b/pkgs/applications/misc/st/wayland.nix 
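Review bot: `src = fetchurl { url = "https://github.com/michaelforney/dmenu/archive/${rev}.tar.gz"; ... }` pins a GitHub-generated archive with a fixed sha256; those tarballs are produced on the fly and have not been byte-stable over time, so the hash can start failing without any upstream change, which is why the tree prefers `fetchFromGitHub` (the velox file in this commit even takes it as an argument). The same pattern is used in st, orbment, sway, velox, swc, wlc and wld. In `preConfigure`, the `grep -o '[^ ]*-swc-[^ ]*'` over `$nativeBuildInputs` reconstructs a path that is already in scope; `s@/usr/share/swc@${swc}/share/swc@g` says the same thing without depending on how the stdenv populates that variable. `platforms = with stdenv.lib.platforms; all;` is broader than swc's own `platforms.linux`, and the description still reads "for the X Window System" for what is a Wayland build.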
@@ -0,0 +1,34 @@ +{ stdenv, fetchurl, pkgconfig, writeText +, ncurses, wayland, wld, libxkbcommon, fontconfig, pixman +, conf? null}: + +with stdenv.lib; + +stdenv.mkDerivation rec { + name = "st-wayland-${version}"; + version = "git-2015-08-29"; + rev = "61b47b76a09599c8093214e28c48938f5b424daa"; + + src = fetchurl { + url = "https://github.com/michaelforney/st/archive/${rev}.tar.gz"; + sha256 = "7164da135f02405dba5ae3131dfd896e072df29ac6c0928f3b887beffb8a7d97"; + }; + + configFile = optionalString (conf!=null) (writeText "config.def.h" conf); + preBuild = optionalString (conf!=null) "cp ${configFile} config.def.h"; + + buildInputs = [ pkgconfig ncurses wayland wld libxkbcommon fontconfig pixman ]; + + NIX_LDFLAGS = "-lfontconfig"; + + installPhase = '' + TERMINFO=$out/share/terminfo make install PREFIX=$out + ''; + + meta = { + homepage = http://st.suckless.org/; + license = stdenv.lib.licenses.mit; + maintainers = with maintainers; [ ]; + platforms = with platforms; linux; + }; +} diff --git a/pkgs/applications/window-managers/orbment/default.nix b/pkgs/applications/window-managers/orbment/default.nix new file mode 100644 index 000000000000..567903f589c5 --- /dev/null +++ b/pkgs/applications/window-managers/orbment/default.nix 
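Review bot: `pkgconfig` is listed in `buildInputs` in st/wayland.nix, while every other new file in this commit (orbment, sway, velox, swc, wlc, wld) puts it in `nativeBuildInputs`; move it for consistency: `nativeBuildInputs = [ pkgconfig ];`. The `meta` block has no `description`, and `homepage = http://st.suckless.org/;` points at upstream st rather than the michaelforney fork that `src` fetches — something like `description = "Wayland port of the st terminal emulator";` would tell users what this package is.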
@@ -0,0 +1,57 @@ +{ lib, stdenv, fetchurl, makeWrapper, cmake, pkgconfig +, wlc, dbus_libs, wayland, libxkbcommon, pixman, libinput, udev, zlib, libpng, libdrm, libX11 +}: + +stdenv.mkDerivation rec { + name = "orbment-${version}"; + version = "git-2015-09-30"; + repo = "https://github.com/Cloudef/orbment"; + rev = "229a870dbbb9dbc66c137cf2747eab11acdf1a95"; + + chck_repo = "https://github.com/Cloudef/chck"; + chck_rev = "6191a69572952291c137294317874c06c9c0d6a9"; + inihck_repo = "https://github.com/Cloudef/inihck"; + inihck_rev = "462cbd5fd67226714ac2bdfe4ceaec8e251b2d9c"; + + srcs = [ + (fetchurl { + url = "${repo}/archive/${rev}.tar.gz"; + sha256 = "7aaa0262d078adaf47abdf500b9ea581f6bec164c195a44a3c165a865414ca2c"; + }) + (fetchurl { + url = "${chck_repo}/archive/${chck_rev}.tar.gz"; + sha256 = "26b4af1390bf67c674732cad69fc94fb027a3d269241d0bd862f42fb80bd5160"; + }) + (fetchurl { + url = "${inihck_repo}/archive/${inihck_rev}.tar.gz"; + sha256 = "d21f2ac25eafed285614f5f0ef7a1014d629ba382f4e64bc89fe2c3e98c2777f"; + }) + ]; + + sourceRoot = "orbment-${rev}"; + postUnpack = '' + rm -rf orbment-${rev}/lib/chck orbment-${rev}/lib/inihck + ln -s ../../chck-${chck_rev} orbment-${rev}/lib/chck + ln -s ../../inihck-${inihck_rev} orbment-${rev}/lib/inihck + ''; + + nativeBuildInputs = [ cmake pkgconfig ]; + + buildInputs = [ makeWrapper wlc dbus_libs wayland libxkbcommon pixman libinput udev zlib libpng libX11 libdrm ]; + makeFlags = "PREFIX=$(out)"; + installPhase = "PREFIX=$out make install"; + + LD_LIBRARY_PATH = lib.makeLibraryPath [ libX11 libdrm dbus_libs ]; + preFixup = '' + wrapProgram $out/bin/orbment \ + --prefix LD_LIBRARY_PATH : "${LD_LIBRARY_PATH}"; + ''; + + meta = { + description = "Modular Wayland compositor"; + homepage = repo; + license = lib.licenses.mit; + platforms = lib.platforms.linux; + maintainers = with lib.maintainers; [ ]; + }; +} 
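Review bot: The `wrapProgram $out/bin/orbment --prefix LD_LIBRARY_PATH : ...` in `preFixup` makes the compositor export an LD_LIBRARY_PATH to every client it launches, so unrelated programs pick up libX11, libdrm and dbus from these store paths; the sway file that follows wraps its binary the same way. The attribute named `LD_LIBRARY_PATH` is also an environment variable during the build itself, so it affects every program the build runs, not only the wrapper. If the binary does not find these libraries at runtime, fixing the link is the usual answer, for example `NIX_LDFLAGS = "-rpath ${lib.makeLibraryPath [ libX11 libdrm dbus_libs ]}";` in place of the wrapper (worth confirming which of the three is actually missing from the rpath). `makeWrapper` is a build-time tool and belongs in `nativeBuildInputs` next to cmake and pkgconfig.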
diff --git a/pkgs/applications/window-managers/sway/default.nix b/pkgs/applications/window-managers/sway/default.nix new file mode 100644 index 000000000000..cec48fad4e56 --- /dev/null +++ b/pkgs/applications/window-managers/sway/default.nix @@ -0,0 +1,38 @@ +{ lib, stdenv, fetchurl, makeWrapper, cmake, pkgconfig +, wayland, wlc, libxkbcommon, pixman, fontconfig, pcre, json_c, asciidoc, libxslt, dbus_libs +}: + +stdenv.mkDerivation rec { + name = "sway-${version}"; + version = "git-2015-10-16"; + + src = fetchurl { + url = "https://github.com/SirCmpwn/sway/archive/16e904634c65128610537bed7fcb16ac3bb45165.tar.gz"; + sha256 = "52d6c4b49fea69e2a2c1b44b858908b7736301bdb9ed483c294bc54bb40e872e"; + }; + + nativeBuildInputs = [ cmake pkgconfig ]; + + buildInputs = [ makeWrapper wayland wlc libxkbcommon pixman fontconfig pcre json_c asciidoc libxslt dbus_libs ]; + + patchPhase = '' + sed -i s@/etc/sway@$out/etc/sway@g CMakeLists.txt; + ''; + + makeFlags = "PREFIX=$(out)"; + installPhase = "PREFIX=$out make install"; + + LD_LIBRARY_PATH = lib.makeLibraryPath [ wlc dbus_libs ]; + preFixup = '' + wrapProgram $out/bin/sway \ + --prefix LD_LIBRARY_PATH : "${LD_LIBRARY_PATH}"; + ''; + + meta = { + description = "i3-compatible window manager for Wayland"; + homepage = "http://swaywm.org"; + license = lib.licenses.mit; + platforms = lib.platforms.linux; + maintainers = with lib.maintainers; [ ]; + }; +} diff --git a/pkgs/applications/window-managers/velox/default.nix b/pkgs/applications/window-managers/velox/default.nix new file mode 100644 index 000000000000..8823b32ee3ce --- /dev/null +++ b/pkgs/applications/window-managers/velox/default.nix 
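Review bot: `patchPhase = '' sed -i s@/etc/sway@$out/etc/sway@g CMakeLists.txt; '';` replaces the whole phase, so any `patches` attribute added later would be silently ignored; the wlc file further down overrides `patchPhase` the same way. Use the hook instead: `postPatch = '' sed -i "s@/etc/sway@$out/etc/sway@g" CMakeLists.txt '';`. The trailing `;` inside the shell snippet is harmless but unnecessary.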
@@ -0,0 +1,29 @@ +{ lib, stdenv, fetchurl, fetchFromGitHub, pkgconfig +, swc, libxkbcommon +, wld, wayland, pixman, fontconfig +}: + +stdenv.mkDerivation rec { + name = "velox-${version}"; + version = "git-2015-09-23"; + + src = fetchurl { + url = "https://github.com/michaelforney/velox/archive/499768b5834967727e3d91139b4013b6aca95762.tar.gz"; + sha256 = "252959f0f0ff593c187449b61c234c214fdf321e3f4e8b5d9e3c2949d932a0a2"; + }; + + nativeBuildInputs = [ pkgconfig ]; + + buildInputs = [ swc libxkbcommon wld wayland pixman fontconfig ]; + + makeFlags = "PREFIX=$(out)"; + installPhase = "PREFIX=$out make install"; + + meta = { + description = "velox window manager"; + homepage = "https://github.com/michaelforney/velox"; + license = lib.licenses.mit; + platforms = lib.platforms.linux; + maintainers = with lib.maintainers; [ ]; + }; +} diff --git a/pkgs/development/libraries/swc/default.nix b/pkgs/development/libraries/swc/default.nix new file mode 100644 index 000000000000..448459d02750 --- /dev/null +++ b/pkgs/development/libraries/swc/default.nix 
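Review bot: `fetchFromGitHub` is taken as an argument on the first line of velox/default.nix but never used; the source is fetched with `fetchurl` from a GitHub archive URL instead. Either use it — `src = fetchFromGitHub { owner = "michaelforney"; repo = "velox"; rev = "499768b5834967727e3d91139b4013b6aca95762"; sha256 = "..."; };` with the hash recomputed for that fetcher — or drop it from the argument set. `description = "velox window manager";` only repeats the name; one clause on what it is (e.g. a tiling Wayland window manager built on swc, if that is accurate) would be more useful.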
@@ -0,0 +1,30 @@ +{ lib, stdenv, fetchurl, pkgconfig +, wld, wayland, xwayland, fontconfig, pixman, libdrm, libinput, libevdev, libxkbcommon, libxcb, xcbutilwm +}: + +stdenv.mkDerivation rec { + name = "swc-${version}"; + version = "git-2015-09-05"; + repo = "https://github.com/michaelforney/swc"; + rev = "0dff35ad9b80fc62e6b48417f78c24df6648c9d2"; + + src = fetchurl { + url = "${repo}/archive/${rev}.tar.gz"; + sha256 = "7af5655b5bb5fe59bb8e6643e35f794419850463b1d7f44f29b45ab6aee01ae9"; + }; + + nativeBuildInputs = [ pkgconfig ]; + + buildInputs = [ wld wayland xwayland fontconfig pixman libdrm libinput libevdev libxkbcommon libxcb xcbutilwm ]; + + makeFlags = "PREFIX=$(out)"; + installPhase = "PREFIX=$out make install"; + + meta = { + description = "A library for making a simple Wayland compositor"; + homepage = repo; + license = lib.licenses.mit; + platforms = lib.platforms.linux; + maintainers = with lib.maintainers; [ ]; + }; +} diff --git a/pkgs/development/libraries/wlc/default.nix b/pkgs/development/libraries/wlc/default.nix new file mode 100644 index 000000000000..a0b592df4a35 --- /dev/null +++ b/pkgs/development/libraries/wlc/default.nix 
@@ -0,0 +1,58 @@ +{ lib, stdenv, fetchurl, cmake, pkgconfig +, glibc, wayland, pixman, libxkbcommon, libinput, libxcb, xcbutilwm, xcbutilimage, mesa, libdrm, udev, systemd, dbus_libs +, libpthreadstubs, libX11, libXau, libXdmcp, libXext, libXdamage, libxshmfence, libXxf86vm, linuxPackages_4_2 +}: + +stdenv.mkDerivation rec { + name = "wlc-${version}"; + version = "git-2015-10-04"; + repo = "https://github.com/Cloudef/wlc"; + rev = "74d978cc54fd8256777c8d39327cb677523cddff"; + + chck_repo = "https://github.com/Cloudef/chck"; + chck_rev = "6191a69572952291c137294317874c06c9c0d6a9"; + + srcs = [ + (fetchurl { + url = "${repo}/archive/${rev}.tar.gz"; + sha256 = "a3641e79252a140be089dd2e829b4d21a3b5ff10866951568d54bd4600597254"; + }) + (fetchurl { + url = "${chck_repo}/archive/${chck_rev}.tar.gz"; + sha256 = "26b4af1390bf67c674732cad69fc94fb027a3d269241d0bd862f42fb80bd5160"; + }) + ]; + + sourceRoot = "wlc-${rev}"; + postUnpack = '' + rm -rf wlc-${rev}/lib/chck + ln -s ../../chck-${chck_rev} wlc-${rev}/lib/chck + ''; + + patchPhase = '' + ( echo '#include '; + echo '#include '; + cat src/platform/backend/drm.c + ) >src/platform/backend/drm.c-fix; + mv src/platform/backend/drm.c-fix src/platform/backend/drm.c; + ''; + + nativeBuildInputs = [ cmake pkgconfig ]; + + buildInputs = [ + wayland pixman libxkbcommon libinput libxcb xcbutilwm xcbutilimage mesa libdrm udev + libpthreadstubs libX11 libXau libXdmcp libXext libXdamage libxshmfence libXxf86vm + systemd dbus_libs + ]; + + makeFlags = "PREFIX=$(out) -lchck"; + installPhase = "PREFIX=$out make install"; + + meta = { + description = "A library for making a simple Wayland compositor"; + homepage = repo; + license = lib.licenses.mit; + platforms = lib.platforms.linux; + maintainers = with lib.maintainers; [ ]; + }; +} diff --git a/pkgs/development/libraries/wld/default.nix b/pkgs/development/libraries/wld/default.nix new file mode 100644 index 000000000000..1dd5858ec720 --- /dev/null 
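Review bot: `makeFlags = "PREFIX=$(out) -lchck";` passes `-lchck` to make, not to the linker; GNU make reads a leading `-l` as its load-average option, so the flag most likely never reaches the link at all. If libchck has to be on the link line it belongs in `NIX_LDFLAGS = "-lchck";`. In `patchPhase`, both `echo '#include '` lines show no header name in this view — presumably the bracketed name was lost in rendering, but check the actual file; this phase also replaces the default patch phase (see the sway note above). `glibc` and `linuxPackages_4_2` are taken as arguments but not used anywhere in the file.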
+++ b/pkgs/development/libraries/wld/default.nix @@ -0,0 +1,30 @@ +{ lib, stdenv, fetchurl, pkgconfig +, wayland, fontconfig, pixman, freetype, libdrm +}: + +stdenv.mkDerivation rec { + name = "wld-${version}"; + version = "git-2015-09-01"; + repo = "https://github.com/michaelforney/wld"; + rev = "efe0a1ed1856a2e4a1893ed0f2d7dde43b5627f0"; + + src = fetchurl { + url = "${repo}/archive/${rev}.tar.gz"; + sha256 = "09388f7828e18c75e7b8d41454903886a725d7a868f60e66c128bd7d2e953ee1"; + }; + + nativeBuildInputs = [ pkgconfig ]; + + buildInputs = [ wayland fontconfig pixman freetype libdrm ]; + + makeFlags = "PREFIX=$(out)"; + installPhase = "PREFIX=$out make install"; + + meta = { + description = "A primitive drawing library targeted at Wayland"; + homepage = repo; + license = lib.licenses.mit; + platforms = lib.platforms.linux; + maintainers = with lib.maintainers; [ ]; + }; +} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 707b0591ae27..b6220b3e2ac5 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -11546,6 +11546,8 @@ let dmenu = callPackage ../applications/misc/dmenu { }; + dmenu-wayland = callPackage ../applications/misc/dmenu/wayland.nix { }; + dmenu2 = callPackage ../applications/misc/dmenu2 { }; dmtx = dmtx-utils; @@ -12266,6 +12268,14 @@ let spectrwm = callPackage ../applications/window-managers/spectrwm { }; + wlc = callPackage ../development/libraries/wlc { }; + orbment = callPackage ../applications/window-managers/orbment { }; + sway = callPackage ../applications/window-managers/sway { }; + + swc = callPackage ../development/libraries/swc { }; + wld = callPackage ../development/libraries/wld { }; + velox = callPackage ../applications/window-managers/velox { }; + i3 = callPackage ../applications/window-managers/i3 { xcb-util-cursor = if stdenv.isDarwin then xcb-util-cursor-HEAD else xcb-util-cursor; }; 
@@ -13262,6 +13272,10 @@ let conf = config.st.conf or null; }; + st-wayland = callPackage ../applications/misc/st/wayland.nix { + conf = config.st.conf or null; + }; + stag = callPackage ../applications/misc/stag { curses = ncurses; }; From 7c810fb5a7c8f8503083b5665069cb367da3aa09 Mon Sep 17 00:00:00 2001 From: "tg(x)" <*@tg-x.net> Date: Tue, 9 Feb 2016 23:41:01 +0100 Subject: [PATCH 142/507] wayland window managers: orbment, sway, velox -> latest git --- .../window-managers/orbment/default.nix | 10 ++++---- .../window-managers/sway/default.nix | 6 +++-- .../window-managers/velox/default.nix | 8 ++++--- pkgs/development/libraries/swc/default.nix | 6 ++--- pkgs/development/libraries/wlc/default.nix | 24 +++++++++++++------ 5 files changed, 34 insertions(+), 20 deletions(-) diff --git a/pkgs/applications/window-managers/orbment/default.nix b/pkgs/applications/window-managers/orbment/default.nix index 567903f589c5..e7cbd004087e 100644 --- a/pkgs/applications/window-managers/orbment/default.nix +++ b/pkgs/applications/window-managers/orbment/default.nix 
@@ -4,23 +4,23 @@ stdenv.mkDerivation rec { name = "orbment-${version}"; - version = "git-2015-09-30"; + version = "git-2016-01-31"; repo = "https://github.com/Cloudef/orbment"; - rev = "229a870dbbb9dbc66c137cf2747eab11acdf1a95"; + rev = "7f649fb76649f826dd29578a5ec41bb561b116eb"; chck_repo = "https://github.com/Cloudef/chck"; - chck_rev = "6191a69572952291c137294317874c06c9c0d6a9"; + chck_rev = "fe5e2606b7242aa5d89af2ea9fd048821128d2bc"; inihck_repo = "https://github.com/Cloudef/inihck"; inihck_rev = "462cbd5fd67226714ac2bdfe4ceaec8e251b2d9c"; srcs = [ (fetchurl { url = "${repo}/archive/${rev}.tar.gz"; - sha256 = "7aaa0262d078adaf47abdf500b9ea581f6bec164c195a44a3c165a865414ca2c"; + sha256 = "5a426da0d5f4487911cfe9226865ed0cd1a7cdf253eec19d5eadc4b0d14a2ea0"; }) (fetchurl { url = "${chck_repo}/archive/${chck_rev}.tar.gz"; - sha256 = "26b4af1390bf67c674732cad69fc94fb027a3d269241d0bd862f42fb80bd5160"; + sha256 = "ca316b544c48e837c32f08d613be42da10e0a3251e8e4488d1848b91ef92ab9e"; }) (fetchurl { url = "${inihck_repo}/archive/${inihck_rev}.tar.gz"; diff --git a/pkgs/applications/window-managers/sway/default.nix b/pkgs/applications/window-managers/sway/default.nix index cec48fad4e56..fa81971885a4 100644 --- a/pkgs/applications/window-managers/sway/default.nix +++ b/pkgs/applications/window-managers/sway/default.nix @@ -4,10 +4,12 @@ stdenv.mkDerivation rec { name = "sway-${version}"; - version = "git-2015-10-16"; + version = "git-2016-02-08"; + repo = "https://github.com/SirCmpwn/sway"; + rev = "16e904634c65128610537bed7fcb16ac3bb45165"; src = fetchurl { - url = "https://github.com/SirCmpwn/sway/archive/16e904634c65128610537bed7fcb16ac3bb45165.tar.gz"; + url = "${repo}/archive/${rev}.tar.gz"; sha256 = "52d6c4b49fea69e2a2c1b44b858908b7736301bdb9ed483c294bc54bb40e872e"; }; diff --git a/pkgs/applications/window-managers/velox/default.nix b/pkgs/applications/window-managers/velox/default.nix index 8823b32ee3ce..789f074aecdf 100644 
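Review bot: In the sway hunk `version` moves from `git-2015-10-16` to `git-2016-02-08`, but `rev` stays `16e904634c65128610537bed7fcb16ac3bb45165` and the sha256 is unchanged, so the package still builds the October source under a February label. Either update `rev` and `sha256` to the intended commit or leave `version` as it was; the orbment hunk above shows the expected shape, with rev, hash and version moving together.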
--- a/pkgs/applications/window-managers/velox/default.nix +++ b/pkgs/applications/window-managers/velox/default.nix @@ -5,11 +5,13 @@ stdenv.mkDerivation rec { name = "velox-${version}"; - version = "git-2015-09-23"; + version = "git-2015-11-03"; + repo = "https://github.com/michaelforney/velox"; + rev = "53b41348df7e37886cab012609923255e4397419"; src = fetchurl { - url = "https://github.com/michaelforney/velox/archive/499768b5834967727e3d91139b4013b6aca95762.tar.gz"; - sha256 = "252959f0f0ff593c187449b61c234c214fdf321e3f4e8b5d9e3c2949d932a0a2"; + url = "${repo}/archive/${rev}.tar.gz"; + sha256 = "e49583efbbe62ea30f0084491ff757dff683f35eef6e9b68aa413e0b50c4bf20"; }; nativeBuildInputs = [ pkgconfig ]; diff --git a/pkgs/development/libraries/swc/default.nix b/pkgs/development/libraries/swc/default.nix index 448459d02750..48e1524e36fc 100644 --- a/pkgs/development/libraries/swc/default.nix +++ b/pkgs/development/libraries/swc/default.nix @@ -4,13 +4,13 @@ stdenv.mkDerivation rec { name = "swc-${version}"; - version = "git-2015-09-05"; + version = "git-2016-02-09"; repo = "https://github.com/michaelforney/swc"; - rev = "0dff35ad9b80fc62e6b48417f78c24df6648c9d2"; + rev = "1da0ef13fddc572accea12439a4471b4d2f64ddd"; src = fetchurl { url = "${repo}/archive/${rev}.tar.gz"; - sha256 = "7af5655b5bb5fe59bb8e6643e35f794419850463b1d7f44f29b45ab6aee01ae9"; + sha256 = "d1894612d8aa1ce828efb78f1570290f84bba6563e21eb777e08c3c3859b7bbe"; }; nativeBuildInputs = [ pkgconfig ]; diff --git a/pkgs/development/libraries/wlc/default.nix b/pkgs/development/libraries/wlc/default.nix index a0b592df4a35..9b5fa32bf00f 100644 --- a/pkgs/development/libraries/wlc/default.nix +++ b/pkgs/development/libraries/wlc/default.nix 
@@ -1,32 +1,42 @@ -{ lib, stdenv, fetchurl, cmake, pkgconfig +{ lib, stdenv, fetchurl, fetchgit, cmake, pkgconfig , glibc, wayland, pixman, libxkbcommon, libinput, libxcb, xcbutilwm, xcbutilimage, mesa, libdrm, udev, systemd, dbus_libs , libpthreadstubs, libX11, libXau, libXdmcp, libXext, libXdamage, libxshmfence, libXxf86vm, linuxPackages_4_2 }: stdenv.mkDerivation rec { name = "wlc-${version}"; - version = "git-2015-10-04"; + version = "git-2016-01-31"; repo = "https://github.com/Cloudef/wlc"; - rev = "74d978cc54fd8256777c8d39327cb677523cddff"; + rev = "faa4d3cba670576c202b0844e087b13538f772c5"; chck_repo = "https://github.com/Cloudef/chck"; - chck_rev = "6191a69572952291c137294317874c06c9c0d6a9"; + chck_rev = "fe5e2606b7242aa5d89af2ea9fd048821128d2bc"; + + wl_protos_repo = "git://anongit.freedesktop.org/wayland/wayland-protocols"; + wl_protos_rev = "0b05b70f9da245582f01581be4ca36db683682b8"; + wl_protos_rev_short = "0b05b70"; srcs = [ (fetchurl { url = "${repo}/archive/${rev}.tar.gz"; - sha256 = "a3641e79252a140be089dd2e829b4d21a3b5ff10866951568d54bd4600597254"; + sha256 = "cdf6a772dc90060d57aa1a915a4daff0f79802c141fec92ef2710245d727af67"; }) (fetchurl { url = "${chck_repo}/archive/${chck_rev}.tar.gz"; - sha256 = "26b4af1390bf67c674732cad69fc94fb027a3d269241d0bd862f42fb80bd5160"; + sha256 = "ca316b544c48e837c32f08d613be42da10e0a3251e8e4488d1848b91ef92ab9e"; + }) + (fetchgit { + url = "${wl_protos_repo}"; + rev = "${wl_protos_rev}"; + sha256 = "9c1cfbb570142b2109ecef4d11b17f25e94ed2e0569f522ea56f244c60465224"; }) ]; sourceRoot = "wlc-${rev}"; postUnpack = '' - rm -rf wlc-${rev}/lib/chck + rm -rf wlc-${rev}/lib/chck wlc-${rev}/protos/wayland-protocols ln -s ../../chck-${chck_rev} wlc-${rev}/lib/chck + ln -s ../../wayland-protocols-${wl_protos_rev_short} wlc-${rev}/protos/wayland-protocols ''; patchPhase = '' From c3ff97154c8a95031d528d3d07bcee5fcf7c4ee0 Mon Sep 17 00:00:00 2001 
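Review bot: `wl_protos_rev_short = "0b05b70"` is a hand-copied prefix of `wl_protos_rev`, and the added `ln -s ../../wayland-protocols-${wl_protos_rev_short}` in postUnpack only works while that prefix matches the directory name fetchgit produces, so a later bump of the long rev that forgets the short one breaks the symlink without any error at evaluation time. Derive it instead, `wl_protos_rev_short = builtins.substring 0 7 wl_protos_rev;`, or pass an explicit `name = "wayland-protocols-${wl_protos_rev_short}";` to the fetchgit call so the unpacked directory no longer depends on fetchgit's default naming. In the same call `url = "${wl_protos_repo}"; rev = "${wl_protos_rev}";` wraps bare identifiers in interpolation for no effect and reads cleaner as `url = wl_protos_repo; rev = wl_protos_rev;`. Because the `git://` URL carries no transport authentication, the pinned sha256 on that fetchgit output is the only integrity check on the protocol definitions and has to move together with `wl_protos_rev` on every update. The derivation continues past the hunk (patchPhase onwards).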
From: "tg(x)" <*@tg-x.net> Date: Wed, 10 Feb 2016 17:03:21 +0100 Subject: [PATCH 143/507] wlc: remove linuxPackages_4_2 --- pkgs/development/libraries/wlc/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/libraries/wlc/default.nix b/pkgs/development/libraries/wlc/default.nix index 9b5fa32bf00f..b219bd2f44d7 100644 --- a/pkgs/development/libraries/wlc/default.nix +++ b/pkgs/development/libraries/wlc/default.nix @@ -1,6 +1,6 @@ { lib, stdenv, fetchurl, fetchgit, cmake, pkgconfig , glibc, wayland, pixman, libxkbcommon, libinput, libxcb, xcbutilwm, xcbutilimage, mesa, libdrm, udev, systemd, dbus_libs -, libpthreadstubs, libX11, libXau, libXdmcp, libXext, libXdamage, libxshmfence, libXxf86vm, linuxPackages_4_2 +, libpthreadstubs, libX11, libXau, libXdmcp, libXext, libXdamage, libxshmfence, libXxf86vm }: stdenv.mkDerivation rec { From 077e24c10d4d5578aedc849f968562e178715743 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 10 Feb 2016 17:14:12 +0000 Subject: [PATCH 144/507] Revert "linuxPackages.perf: set -Wno-error=bool-compare" This reverts commit 332c84196c3d8814fbd244b42d8dabc68917f1e4. only works on gcc5 --- pkgs/os-specific/linux/kernel/perf.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/kernel/perf.nix b/pkgs/os-specific/linux/kernel/perf.nix index ad80d2ed93c2..1e5c64ccb8a8 100644 --- a/pkgs/os-specific/linux/kernel/perf.nix +++ b/pkgs/os-specific/linux/kernel/perf.nix @@ -28,7 +28,7 @@ stdenv.mkDerivation { # Note: we don't add elfutils to buildInputs, since it provides a # bad `ld' and other stuff. - NIX_CFLAGS_COMPILE = "-I${elfutils}/include -Wno-error=cpp -Wno-error=bool-compare"; + NIX_CFLAGS_COMPILE = "-I${elfutils}/include -Wno-error=cpp"; NIX_CFLAGS_LINK = "-L${elfutils}/lib"; installFlags = "install install-man ASCIIDOC8=1"; From 63d4e59addd19c24a618049fcc797f8db7185c6d Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Wed, 10 Feb 2016 22:28:44 +0000 Subject: [PATCH 145/507] seabios: turn off pic and stackprotector hardening --- pkgs/applications/virtualization/seabios/default.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/virtualization/seabios/default.nix b/pkgs/applications/virtualization/seabios/default.nix index 8e6a7fcb0d26..a06523973b72 100644 --- a/pkgs/applications/virtualization/seabios/default.nix +++ b/pkgs/applications/virtualization/seabios/default.nix @@ -12,6 +12,9 @@ stdenv.mkDerivation rec { buildInputs = [ iasl python ]; + hardening_pic = false; + hardening_stackprotector = false; + configurePhase = '' # build SeaBIOS for CSM cat > .config << EOF @@ -21,12 +24,12 @@ stdenv.mkDerivation rec { EOF make olddefconfig - ''; + ''; installPhase = '' mkdir $out cp out/Csm16.bin $out/Csm16.bin - ''; + ''; meta = with stdenv.lib; { description = "Open source implementation of a 16bit X86 BIOS"; From e339a9a20e0da78e2b0ec474f9d6ef4d30571571 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 10 Feb 2016 22:38:40 +0000 Subject: [PATCH 146/507] barcode: turn off format hardening --- pkgs/tools/graphics/barcode/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/graphics/barcode/default.nix b/pkgs/tools/graphics/barcode/default.nix index b35b929da404..7e6c99313418 100644 --- a/pkgs/tools/graphics/barcode/default.nix +++ b/pkgs/tools/graphics/barcode/default.nix @@ -9,13 +9,14 @@ stdenv.mkDerivation rec { sha256 = "1indapql5fjz0bysyc88cmc54y8phqrbi7c76p71fgjp45jcyzp8"; }; + hardening_format = false; + meta = with stdenv.lib; { description = "GNU barcode generator"; maintainers = with maintainers; [ raskin ]; platforms = with platforms; allBut darwin; downloadPage = "http://ftp.gnu.org/gnu/barcode/"; updateWalker = true; - inherit version; homepage = http://ftp.gnu.org/gnu/barcode/; }; } From 2fdd13234e133d8f5bdd1c383824c4b6530fd64a Mon Sep 17 00:00:00 2001 
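Review bot: `hardening_pic = false;` and `hardening_stackprotector = false;` are added to seabios without a comment saying which build error they work around, and the same bare switch repeats in every later hunk of this series (barcode on this line, then mp3val, asc, charybdis, cgui, crack_attack, db45 via `drvArgs`, criu, detox, dosbox, foremost, fox, fox-1.6, fprint_demo, libf2c, portmidi, gbdfed, freewheeling, geoclue, fusesmb, gqview, ggobi, grip, ht, mp4v2, ifenslave, tidyp, iptraf-ng, jack_capture, k2pdfopt, gdal, qtscriptgenerator, freeswitch, xen and dhcpdump). A hardening flag turned off with no recorded reason tends to stay off long after the upstream fix lands, so each line should carry a one-line why naming the failing warning or link error, e.g. `hardening_stackprotector = false; # TODO(placeholder): <error from build log>`. For SeaBIOS the reason is presumably that the 16-bit BIOS image is freestanding code where PIC and the stack-protector runtime cannot apply, but that is inferred here and the expression should say it. The second seabios hunk only re-indents two `'';` lines and needs nothing.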
From: Robin Gloster Date: Wed, 10 Feb 2016 22:40:16 +0000 Subject: [PATCH 147/507] mp3val: turn off format hardening --- pkgs/applications/audio/mp3val/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/mp3val/default.nix b/pkgs/applications/audio/mp3val/default.nix index 0957420b6585..abea55215715 100644 --- a/pkgs/applications/audio/mp3val/default.nix +++ b/pkgs/applications/audio/mp3val/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { install -Dv mp3val "$out/bin/mp3val" ''; + hardening_fortify = false; + meta = { description = "A tool for validating and repairing MPEG audio streams"; longDescription = '' From e5fb9eb27cdbd7ad9366fc06b0c57cd4f48bec1c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 10 Feb 2016 22:44:23 +0000 Subject: [PATCH 148/507] asc: turn off format hardening --- pkgs/games/asc/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/games/asc/default.nix b/pkgs/games/asc/default.nix index b2f251bfecb8..82d4748a9796 100644 --- a/pkgs/games/asc/default.nix +++ b/pkgs/games/asc/default.nix @@ -13,6 +13,7 @@ stdenv.mkDerivation rec { configureFlags = [ "--disable-paragui" "--disable-paraguitest" ]; NIX_CFLAGS_COMPILE = "-fpermissive"; # I'm too lazy to catch all gcc47-related problems + hardening_format = false; buildInputs = [ SDL SDL_image SDL_mixer SDL_sound libsigcxx physfs boost expat From 16c81c9f74fed7ced6580875c36555fd8f640325 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 10 Feb 2016 22:44:32 +0000 Subject: [PATCH 149/507] charybdis: turn off format hardening --- pkgs/servers/irc/charybdis/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/irc/charybdis/default.nix b/pkgs/servers/irc/charybdis/default.nix index a38a25c8a5cb..d42f69d078bc 100644 --- a/pkgs/servers/irc/charybdis/default.nix +++ b/pkgs/servers/irc/charybdis/default.nix 
@@ -20,6 +20,8 @@ stdenv.mkDerivation rec { "--with-program-prefix=charybdis-" ]; + hardening_format = false; + buildInputs = [ bison flex openssl ]; meta = { From 2c1357d7c2cb115737a50825473a9afed595f85a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 10 Feb 2016 22:49:59 +0000 Subject: [PATCH 150/507] cgui: turn off format hardening --- pkgs/development/libraries/cgui/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/cgui/default.nix b/pkgs/development/libraries/cgui/default.nix index 29413b1c845e..3e5076d2509d 100644 --- a/pkgs/development/libraries/cgui/default.nix +++ b/pkgs/development/libraries/cgui/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { sh fix.sh unix ''; + hardening_format = false; + makeFlags = [ "SYSTEM_DIR=$(out)" ]; meta = with stdenv.lib; { From ef3636188b0ba33dd22d86bf74eed66a48c7dd7b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 10 Feb 2016 23:04:10 +0000 Subject: [PATCH 151/507] crack_attack: turn off format hardening --- pkgs/games/crack-attack/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/games/crack-attack/default.nix b/pkgs/games/crack-attack/default.nix index 538efebf8334..9a4b1d049163 100644 --- a/pkgs/games/crack-attack/default.nix +++ b/pkgs/games/crack-attack/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { buildInputs = [ pkgconfig gtk freeglut SDL mesa libXi libXmu ]; + hardening_format = false; + meta = { description = "A fast-paced puzzle game inspired by the classic Super NES title Tetris Attack!"; homepage = http://www.nongnu.org/crack-attack/; From 80df5752f72e4c21c5cef88a3f71f47f6b6dee60 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 10 Feb 2016 23:08:47 +0000 Subject: [PATCH 152/507] db45: turn off format hardening --- pkgs/development/libraries/db/db-4.5.nix | 1 + 1 file changed, 1 insertion(+) 
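Review bot: `hardening_format = false;` here turns the format-string check off for an IRC server that parses remote input, and the same switch is thrown for freeswitch (SIP), iptraf-ng and fusesmb, and for the FORTIFY check in dhcpdump, further down the series. The warnings these flags promote to errors typically point at exactly the non-literal format strings and unbounded copies that remote data can reach, so for network-facing packages the preferable fix is a small patch of the reported call sites (a literal `"%s"` format, a bounded copy) rather than dropping the check for the whole build. If the failures are in code that never sees network data, a comment to that effect next to the line would justify the exception and let a reviewer verify it. The mkDerivation block extends beyond the hunk in both directions.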
diff --git a/pkgs/development/libraries/db/db-4.5.nix b/pkgs/development/libraries/db/db-4.5.nix index b1e4b2c47085..6d3b15d256e6 100644 --- a/pkgs/development/libraries/db/db-4.5.nix +++ b/pkgs/development/libraries/db/db-4.5.nix @@ -5,4 +5,5 @@ import ./generic.nix (args // rec { extraPatches = [ ./cygwin-4.5.patch ./register-race-fix.patch ]; sha256 = "0bd81k0qv5i8w5gbddrvld45xi9k1gvmcrfm0393v0lrm37dab7m"; branch = "4.5"; + drvArgs = { hardening_format = false; }; }) From 2275eb6210f679e48f18ceb45f59d5553e035918 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 10 Feb 2016 23:09:09 +0000 Subject: [PATCH 153/507] criu: turn off stackprotector hardening --- pkgs/os-specific/linux/criu/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/criu/default.nix b/pkgs/os-specific/linux/criu/default.nix index 433cc2c81d7a..aacdfc496ee8 100644 --- a/pkgs/os-specific/linux/criu/default.nix +++ b/pkgs/os-specific/linux/criu/default.nix @@ -21,7 +21,9 @@ stdenv.mkDerivation rec { ''; configurePhase = "make config PREFIX=$out"; - buildPhase = "make PREFIX=$out"; + + makeFlags = "PREFIX=$(out)"; + hardening_stackprotector = false; installPhase = '' mkdir -p $out/etc/logrotate.d From 667518fc3bd489841ab0892c53366e2522a851ed Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 10 Feb 2016 23:18:42 +0000 Subject: [PATCH 154/507] detox: turn off format hardening --- pkgs/tools/misc/detox/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/detox/default.nix b/pkgs/tools/misc/detox/default.nix index bdc018aec34a..4475010f3b85 100644 --- a/pkgs/tools/misc/detox/default.nix +++ b/pkgs/tools/misc/detox/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { buildInputs = [flex]; + hardening_format = false; + meta = with stdenv.lib; { homepage = http://detox.sourceforge.net/; description = "Utility designed to clean up filenames"; From 1c156b9b59257810c5ef3e6e1448422cfc920705 Mon Sep 17 00:00:00 2001 
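Review bot: In the criu hunk `makeFlags = "PREFIX=$(out)";` is written as a string where the cgui hunk in this same series uses the list form, `makeFlags = [ "SYSTEM_DIR=$(out)" ];`; the list form, `makeFlags = [ "PREFIX=$(out)" ];`, avoids word-splitting surprises if a second flag is ever appended and keeps the two expressions consistent. Dropping the custom `buildPhase` while leaving `configurePhase = "make config PREFIX=$out"` puts two spellings of the same prefix on adjacent lines, shell `$out` and make `$(out)`; both resolve, but a one-line comment would spare the next reader the question. `hardening_stackprotector = false;` carries no reason; presumably the freestanding blobs CRIU builds cannot link the stack-protector runtime, but that is an inference and should be stated on the line. The installPhase that follows continues outside the hunk.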
From: Robin Gloster Date: Wed, 10 Feb 2016 23:25:41 +0000 Subject: [PATCH 155/507] dosbox: turn off format hardening --- pkgs/misc/emulators/dosbox/default.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/pkgs/misc/emulators/dosbox/default.nix b/pkgs/misc/emulators/dosbox/default.nix index 2525cafc28b6..bbaa565e352e 100644 --- a/pkgs/misc/emulators/dosbox/default.nix +++ b/pkgs/misc/emulators/dosbox/default.nix @@ -2,7 +2,7 @@ stdenv.mkDerivation rec { name = "dosbox-0.74"; - + src = fetchurl { url = "mirror://sourceforge/dosbox/${name}.tar.gz"; sha256 = "01cfjc5bs08m4w79nbxyv7rnvzq2yckmgrbq36njn06lw8b4kxqk"; @@ -17,9 +17,11 @@ stdenv.mkDerivation rec { ]; patchFlags = "-p0"; - + buildInputs = [ SDL ]; - + + hardening_format = false; + desktopItem = makeDesktopItem { name = "dosbox"; exec = "dosbox"; From b4e77c34e7fba4eafcd07b867528aa1b1c89f5b4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 10 Feb 2016 23:37:25 +0000 Subject: [PATCH 156/507] foremost: turn off format hardening --- pkgs/tools/system/foremost/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/system/foremost/default.nix b/pkgs/tools/system/foremost/default.nix index cfac89237795..0696af07166b 100644 --- a/pkgs/tools/system/foremost/default.nix +++ b/pkgs/tools/system/foremost/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardening_format = false; + preInstall = '' mkdir -p $out/{bin,share/man/man8} ''; From 58c571be65c73b20a8afae3d4f5ce3e17f460b3e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 10 Feb 2016 23:47:59 +0000 Subject: [PATCH 157/507] fox: turn off format hardening --- pkgs/development/libraries/fox/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/fox/default.nix b/pkgs/development/libraries/fox/default.nix index 2d44444ab40d..78b7e9a63fc0 100644 --- a/pkgs/development/libraries/fox/default.nix 
+++ b/pkgs/development/libraries/fox/default.nix @@ -18,6 +18,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardening_format = false; + meta = { description = "C++ based class library for building Graphical User Interfaces"; longDescription = '' From bfb622cfaeb172aeccd8c10cacb9ed8fdfa6254a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 10 Feb 2016 23:48:11 +0000 Subject: [PATCH 158/507] fox_1_9: turn off format hardening --- pkgs/development/libraries/fox/fox-1.6.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/fox/fox-1.6.nix b/pkgs/development/libraries/fox/fox-1.6.nix index 3c823adf91b6..007609403e2e 100644 --- a/pkgs/development/libraries/fox/fox-1.6.nix +++ b/pkgs/development/libraries/fox/fox-1.6.nix @@ -20,6 +20,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardening_format = false; + meta = { branch = "1.6"; description = "A C++ based class library for building Graphical User Interfaces"; From 8a018e730f5bbbc1165689fe61e1c4040bf9345f Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 10 Feb 2016 23:56:27 +0000 Subject: [PATCH 159/507] fprint_demo: turn off format hardening --- pkgs/tools/security/fprint_demo/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/security/fprint_demo/default.nix b/pkgs/tools/security/fprint_demo/default.nix index 282c3541dde5..273d692ebaa6 100644 --- a/pkgs/tools/security/fprint_demo/default.nix +++ b/pkgs/tools/security/fprint_demo/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ libfprint gtk2 ]; nativeBuildInputs = [ pkgconfig autoreconfHook ]; + hardening_format = false; + meta = with stdenv.lib; { homepage = "http://www.freedesktop.org/wiki/Software/fprint/fprint_demo/"; description = "A simple GTK+ application to demonstrate and test libfprint's capabilities"; From c648eeda49165e18285880ef01007dcd76d45524 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Thu, 11 Feb 2016 00:03:11 +0000 Subject: [PATCH 160/507] libf2c: turn off format hardening --- pkgs/development/libraries/libf2c/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/development/libraries/libf2c/default.nix b/pkgs/development/libraries/libf2c/default.nix index 3123bb33d45b..8edc53cb7eec 100644 --- a/pkgs/development/libraries/libf2c/default.nix +++ b/pkgs/development/libraries/libf2c/default.nix @@ -2,7 +2,7 @@ stdenv.mkDerivation rec { name = "libf2c-20100903"; - + src = fetchurl { url = http://www.netlib.org/f2c/libf2c.zip; sha256 = "1mcp1lh7gay7hm186dr0wvwd2bc05xydhnc1qy3dqs4n3r102g7i"; @@ -24,6 +24,8 @@ stdenv.mkDerivation rec { buildInputs = [ unzip ]; + hardening_format = false; + meta = { description = "F2c converts Fortran 77 source code to C"; homepage = http://www.netlib.org/f2c/; From f85ec68cc875a56437ed40d06064b68f788a88b5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 11 Feb 2016 00:21:20 +0000 Subject: [PATCH 161/507] portmidi: turn off format hardening --- pkgs/development/libraries/portmidi/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/portmidi/default.nix b/pkgs/development/libraries/portmidi/default.nix index 518eeee92538..4b55cffe94ff 100644 --- a/pkgs/development/libraries/portmidi/default.nix +++ b/pkgs/development/libraries/portmidi/default.nix @@ -46,6 +46,8 @@ stdenv.mkDerivation rec { buildInputs = [ unzip cmake /*jdk*/ alsaLib ]; + hardening_format = false; + meta = { homepage = "http://portmedia.sourceforge.net/portmidi/"; description = "Platform independent library for MIDI I/O"; From bc30a0ee717bdb37a78d49e4e2b2139dfb8b2fce Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 11 Feb 2016 00:25:47 +0000 Subject: [PATCH 162/507] gbdfed: turn off format hardening --- pkgs/tools/misc/gbdfed/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/pkgs/tools/misc/gbdfed/default.nix b/pkgs/tools/misc/gbdfed/default.nix index 104d3fad8d09..d3b62149bdf3 100644 --- a/pkgs/tools/misc/gbdfed/default.nix +++ b/pkgs/tools/misc/gbdfed/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { patches = [ ./Makefile.patch ]; + hardening_format = false; + meta = { description = "Bitmap Font Editor"; longDescription = '' From fbe6858cd3676fee71f4215c4a61069ba53765ac Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 11 Feb 2016 00:28:00 +0000 Subject: [PATCH 163/507] freewheeling: turn off format hardening --- pkgs/applications/audio/freewheeling/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/freewheeling/default.nix b/pkgs/applications/audio/freewheeling/default.nix index f7330ee12f91..eae7ce390c01 100644 --- a/pkgs/applications/audio/freewheeling/default.nix +++ b/pkgs/applications/audio/freewheeling/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation { patches = [ ./am_path_sdl.patch ./xml.patch ]; + hardening_format = false; + meta = { description = "A live looping instrument with JACK and MIDI support"; longDescription = '' From e00052b3347fd19ff5e14409fc1405529e34edd5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 11 Feb 2016 00:30:51 +0000 Subject: [PATCH 164/507] geoclue: turn off format hardening --- pkgs/development/libraries/geoclue/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/geoclue/default.nix b/pkgs/development/libraries/geoclue/default.nix index 1b703e2fdba8..e8d43e6652f1 100644 --- a/pkgs/development/libraries/geoclue/default.nix +++ b/pkgs/development/libraries/geoclue/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [dbus glib dbus_glib]; + hardening_format = false; + preConfigure = '' sed -e '/-Werror/d' -i configure ''; From dbf93c177296aa9545589ae6bd60fcc91f15a810 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Thu, 11 Feb 2016 00:36:52 +0000 Subject: [PATCH 165/507] fusesmb: turn off format hardening --- pkgs/tools/filesystems/fusesmb/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/filesystems/fusesmb/default.nix b/pkgs/tools/filesystems/fusesmb/default.nix index 4ddab385a427..c53400e6afdd 100644 --- a/pkgs/tools/filesystems/fusesmb/default.nix +++ b/pkgs/tools/filesystems/fusesmb/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation rec { ln -fs ${samba}/lib/libsmbclient.so $out/lib/libsmbclient.so.0 ''; + hardening_format = false; + meta = { description = "Samba mounted via FUSE"; homepage = http://www.ricardis.tudelft.nl/~vincent/fusesmb/; From a9de8d4f18ebe0935041f54047c0f4114ad69248 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 11 Feb 2016 00:43:52 +0000 Subject: [PATCH 166/507] gqview: turn off format hardening --- pkgs/applications/graphics/gqview/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/graphics/gqview/default.nix b/pkgs/applications/graphics/gqview/default.nix index a8132e30c724..ff069d0d9727 100644 --- a/pkgs/applications/graphics/gqview/default.nix +++ b/pkgs/applications/graphics/gqview/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation { buildInputs = [pkgconfig gtk libpng]; + hardening_format = false; + meta = { description = "A fast image viewer"; homepage = http://gqview.sourceforge.net; From 83e069908ebae7b85a2761786abf7063977017e5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 11 Feb 2016 00:44:25 +0000 Subject: [PATCH 167/507] ggobi: turn off format hardening --- pkgs/tools/graphics/ggobi/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/graphics/ggobi/default.nix b/pkgs/tools/graphics/ggobi/default.nix index cf2c5598d2a9..03326aa4562f 100644 --- a/pkgs/tools/graphics/ggobi/default.nix +++ b/pkgs/tools/graphics/ggobi/default.nix 
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec { configureFlags = "--with-all-plugins"; + hardening_format = false; + meta = with stdenv.lib; { description = "Visualization program for exploring high-dimensional data"; homepage = http://www.ggobi.org/; From 4407e5a60cb5747f0ca098d4f0052d080ecdb001 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 11 Feb 2016 00:47:33 +0000 Subject: [PATCH 168/507] grip: turn off format hardening --- pkgs/applications/misc/grip/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/misc/grip/default.nix b/pkgs/applications/misc/grip/default.nix index 39621536e688..86127d56b01c 100644 --- a/pkgs/applications/misc/grip/default.nix +++ b/pkgs/applications/misc/grip/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ gtk glib pkgconfig libgnome libgnomeui vte curl cdparanoia libid3tag ncurses libtool ]; + hardening_format = false; + meta = { description = "GTK+-based audio CD player/ripper"; homepage = "http://nostatic.org/grip"; From 4f681787553278949250a0c1709d965560b61b1c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 11 Feb 2016 00:57:17 +0000 Subject: [PATCH 169/507] ht: turn off format hardening --- pkgs/applications/editors/ht/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/applications/editors/ht/default.nix b/pkgs/applications/editors/ht/default.nix index b7acdb7f1d53..5ddcf34995f7 100644 --- a/pkgs/applications/editors/ht/default.nix +++ b/pkgs/applications/editors/ht/default.nix @@ -3,13 +3,18 @@ stdenv.mkDerivation rec { name = "ht-${version}"; version = "2.1.0"; + src = fetchurl { url = "http://sourceforge.net/projects/hte/files/ht-source/ht-${version}.tar.bz2"; sha256 = "0w2xnw3z9ws9qrdpb80q55h6ynhh3aziixcfn45x91bzrbifix9i"; }; + buildInputs = [ ncurses ]; + + hardening_format = false; + meta = with lib; { description = "File editor/viewer/analyzer for executables"; homepage = "http://hte.sourceforge.net"; 
From d287f926bd79288494ff2f336fc5f46977203a73 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 11 Feb 2016 01:00:03 +0000 Subject: [PATCH 170/507] mp4v2: turn off format hardening --- pkgs/development/libraries/mp4v2/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/mp4v2/default.nix b/pkgs/development/libraries/mp4v2/default.nix index 06e8c8e5ac35..5281ab2c480b 100644 --- a/pkgs/development/libraries/mp4v2/default.nix +++ b/pkgs/development/libraries/mp4v2/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation rec { # `faac' expects `mp4.h'. postInstall = "ln -s mp4v2/mp4v2.h $out/include/mp4.h"; + hardening_format = false; + meta = { homepage = http://code.google.com/p/mp4v2; maintainers = [ stdenv.lib.maintainers.urkud ]; From 4807ecdef060cbb4475a7a92288491537921bc4a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 11 Feb 2016 01:02:32 +0000 Subject: [PATCH 171/507] ifenslave: turn off format hardening --- pkgs/os-specific/linux/ifenslave/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/ifenslave/default.nix b/pkgs/os-specific/linux/ifenslave/default.nix index d8985003b41a..a5cd24118191 100644 --- a/pkgs/os-specific/linux/ifenslave/default.nix +++ b/pkgs/os-specific/linux/ifenslave/default.nix @@ -18,6 +18,8 @@ stdenv.mkDerivation rec { cp -a ifenslave $out/bin ''; + hardening_format = false; + meta = { description = "Utility for enslaving networking interfaces under a bond"; license = stdenv.lib.licenses.gpl2; From a333a7910cf7e0a6445cce31320581da33564777 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 11 Feb 2016 01:02:46 +0000 Subject: [PATCH 172/507] tidyp: turn off format hardening --- pkgs/development/libraries/tidyp/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/tidyp/default.nix b/pkgs/development/libraries/tidyp/default.nix index fee74f3d6f9e..818029dbb248 100644 --- a/pkgs/development/libraries/tidyp/default.nix 
+++ b/pkgs/development/libraries/tidyp/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0f5ky0ih4vap9c6j312jn73vn8m2bj69pl2yd3a5nmv35k9zmc10"; }; + hardening_format = false; + meta = with stdenv.lib; { description = "A program that can validate your HTML, as well as modify it to be more clean and standard"; homepage = http://tidyp.com/; From 4b127d9f9dd5f3edd37d619a0e1454b40a9ff69e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 11 Feb 2016 01:04:42 +0000 Subject: [PATCH 173/507] iptraf-ng: turn off format hardening --- pkgs/applications/networking/iptraf-ng/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/networking/iptraf-ng/default.nix b/pkgs/applications/networking/iptraf-ng/default.nix index 368d78a36f90..8084d5133f16 100644 --- a/pkgs/applications/networking/iptraf-ng/default.nix +++ b/pkgs/applications/networking/iptraf-ng/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation rec { --localstatedir=$out/var --sbindir=$out/bin ''; + hardening_format = false; + meta = { description = "A console-based network monitoring utility (fork of iptraf)"; longDescription = '' From 76ee9e0f467471a090aa6a5400d5a49dd9182747 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 11 Feb 2016 01:09:53 +0000 Subject: [PATCH 174/507] jack_capture: turn off format hardening --- pkgs/applications/audio/jack-capture/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/audio/jack-capture/default.nix b/pkgs/applications/audio/jack-capture/default.nix index ef6d13e56966..7a5095f37887 100644 --- a/pkgs/applications/audio/jack-capture/default.nix +++ b/pkgs/applications/audio/jack-capture/default.nix @@ -18,7 +18,9 @@ stdenv.mkDerivation rec { cp jack_capture $out/bin/ ''; - meta = with stdenv.lib; { + hardening_format = false; + + meta = with stdenv.lib; { description = "A program for recording soundfiles with jack"; homepage = http://archive.notam02.no/arkiv/src; license = licenses.gpl2; 
From 7517563efb783ae05c846d5266d08294d22b91c9 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 11 Feb 2016 01:35:33 +0000 Subject: [PATCH 175/507] k2pdfopt: turn off format hardening --- pkgs/applications/misc/k2pdfopt/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/misc/k2pdfopt/default.nix b/pkgs/applications/misc/k2pdfopt/default.nix index ce57db371dde..dac597fe67cd 100644 --- a/pkgs/applications/misc/k2pdfopt/default.nix +++ b/pkgs/applications/misc/k2pdfopt/default.nix @@ -31,6 +31,8 @@ in stdenv.mkDerivation rec { openjpeg freetype jbig2dec djvulibre openssl ]; NIX_LDFLAGS = "-lX11 -lXext"; + hardening_format = false; + k2_pa = ./k2pdfopt.patch; tess_pa = ./tesseract.patch; @@ -96,7 +98,7 @@ in stdenv.mkDerivation rec { -ljbig2dec -ljpeg -lopenjp2 -lpng -lfreetype -lpthread -lmujs \ -lPgm2asc -llept -ltesseract -lcrypto - mkdir -p $out/bin + mkdir -p $out/bin cp k2pdfopt $out/bin ''; From 8e2adea08a19b30c932026e48222e6beeca21ac8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 11 Feb 2016 01:35:53 +0000 Subject: [PATCH 176/507] gdal: turn off format hardening --- pkgs/development/libraries/gdal/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/gdal/default.nix b/pkgs/development/libraries/gdal/default.nix index 8cf84eb08c3d..582ab53800eb 100644 --- a/pkgs/development/libraries/gdal/default.nix +++ b/pkgs/development/libraries/gdal/default.nix @@ -14,6 +14,8 @@ composableDerivation.composableDerivation {} (fixed: rec { buildInputs = [ unzip libjpeg libtiff libpng proj openssl ] ++ (with pythonPackages; [ python numpy wrapPython ]); + hardening_format = false; + patches = [ # This ensures that the python package is installed into gdal's prefix, # rather than trying to install into python's prefix. From 2220f46e20e3be7d13ea701325e2834c1130485e Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Thu, 11 Feb 2016 01:36:07 +0000 Subject: [PATCH 177/507] qtscriptgenerator: turn off format hardening --- .../libraries/qtscriptgenerator/default.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/pkgs/development/libraries/qtscriptgenerator/default.nix b/pkgs/development/libraries/qtscriptgenerator/default.nix index b8ed81de487b..de87c6b73c6f 100644 --- a/pkgs/development/libraries/qtscriptgenerator/default.nix +++ b/pkgs/development/libraries/qtscriptgenerator/default.nix @@ -9,13 +9,13 @@ stdenv.mkDerivation { buildInputs = [ qt4 ]; patches = [ ./qtscriptgenerator.gcc-4.4.patch ./qt-4.8.patch ]; - + # Why isn't the author providing proper Makefile or a CMakeLists.txt ? buildPhase = '' # remove phonon stuff which causes errors (thanks to Gentoo bug reports) sed -i "/typesystem_phonon.xml/d" generator/generator.qrc - sed -i "/qtscript_phonon/d" qtbindings/qtbindings.pro - + sed -i "/qtscript_phonon/d" qtbindings/qtbindings.pro + cd generator qmake make @@ -25,13 +25,15 @@ stdenv.mkDerivation { qmake make ''; - + installPhase = '' cd .. mkdir -p $out/lib/qt4/plugins/script cp -av plugins/script/* $out/lib/qt4/plugins/script ''; + hardening_format = false; + meta = { description = "QtScript bindings generator"; homepage = http://code.google.com/p/qtscriptgenerator/; From fc71f3f5706a64b676b137256079bc32cb325db5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 11 Feb 2016 01:38:14 +0000 Subject: [PATCH 178/507] freeswitch: turn off format hardening --- pkgs/servers/sip/freeswitch/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/sip/freeswitch/default.nix b/pkgs/servers/sip/freeswitch/default.nix index efa70875549f..cb77ebd9c895 100644 --- a/pkgs/servers/sip/freeswitch/default.nix +++ b/pkgs/servers/sip/freeswitch/default.nix 
@@ -14,6 +14,8 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = "-Wno-error=cpp"; + hardening_format = false; + meta = { description = "Cross-Platform Scalable FREE Multi-Protocol Soft Switch"; homepage = http://freeswitch.org/; From a53bd9daa889bb5b16561462acf5e761e7b358f1 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 11 Feb 2016 01:44:23 +0000 Subject: [PATCH 179/507] xen: turn off pic hardening --- pkgs/applications/virtualization/xen/generic.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix index e7b34be74be1..0a3bd3898c2c 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic.nix @@ -77,6 +77,7 @@ stdenv.mkDerivation { hardening_stackprotector = false; hardening_fortify = false; + hardening_pic = false; patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches; From 162982544a672e7389faadfcff871569954c612c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 00:40:58 +0000 Subject: [PATCH 180/507] dhcpdump: turn off fortify hardening --- pkgs/tools/networking/dhcpdump/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/networking/dhcpdump/default.nix b/pkgs/tools/networking/dhcpdump/default.nix index 778cfc3b5ed6..915562bd7791 100644 --- a/pkgs/tools/networking/dhcpdump/default.nix +++ b/pkgs/tools/networking/dhcpdump/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [libpcap perl]; + hardening_fortify = false; + installPhase = '' mkdir -pv $out/bin cp dhcpdump $out/bin From 3dff59b81884072efb29e7176ed9dd275ca69cdb Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 00:48:14 +0000 Subject: [PATCH 181/507] dietlibc: turn off stackprotector hardening --- pkgs/os-specific/linux/dietlibc/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
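Review bot: `hardening_fortify = false;` in the dhcpdump hunk removes the `_FORTIFY_SOURCE` bounds checks from a tool whose job is parsing packets captured off the wire, and the hunk says nothing about why the fortified build fails. If the cause is the common one, the package compiling without optimization so that glibc emits its "_FORTIFY_SOURCE requires compiling with optimization" diagnostic, passing `-O2` through `NIX_CFLAGS_COMPILE` or fixing the Makefile keeps the protection; if fortify instead reported a real overflow, that is a bug to fix rather than a check to silence. Either way the line needs a comment, e.g. `hardening_fortify = false; # <reason from build log>`.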
diff --git a/pkgs/os-specific/linux/dietlibc/default.nix b/pkgs/os-specific/linux/dietlibc/default.nix index b795cb60da6e..3d206cb5f779 100644 --- a/pkgs/os-specific/linux/dietlibc/default.nix +++ b/pkgs/os-specific/linux/dietlibc/default.nix @@ -9,9 +9,10 @@ stdenv.mkDerivation { md5 = "2465d652fff6f1fad3da3b98e60e83c9"; }; builder = ./builder.sh; - + inherit glibc; kernelHeaders = glibc.kernelHeaders; + hardening_stackprotector = false; patches = [ From d0c38a0cef9faf2d47492286f1997848a6b9db59 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 01:01:37 +0000 Subject: [PATCH 182/507] ecl: turn off format hardening --- pkgs/development/compilers/ecl/default.nix | 50 +++++++++++----------- 1 file changed, 24 insertions(+), 26 deletions(-) diff --git a/pkgs/development/compilers/ecl/default.nix b/pkgs/development/compilers/ecl/default.nix index f863565ab072..bd99335192b0 100644 --- a/pkgs/development/compilers/ecl/default.nix +++ b/pkgs/development/compilers/ecl/default.nix 
@@ -1,47 +1,45 @@ {stdenv, fetchurl , libtool, autoconf, automake , gmp, mpfr, libffi -, noUnicode ? false, +, noUnicode ? false, }: + let - s = # Generated upstream information - rec { - baseName="ecl"; - version="16.0.0"; - name="${baseName}-${version}"; - hash="0czh78z9i5b7jc241mq1h1gdscvdw5fbhfb0g9sn4rchwk1x8gil"; - url="https://common-lisp.net/project/ecl/files/ecl-16.0.0.tgz"; - sha256="0czh78z9i5b7jc241mq1h1gdscvdw5fbhfb0g9sn4rchwk1x8gil"; - }; - buildInputs = [ - libtool autoconf automake - ]; - propagatedBuildInputs = [ - libffi gmp mpfr - ]; + baseName = "ecl"; + version = "16.0.0"; in stdenv.mkDerivation { - inherit (s) name version; - inherit buildInputs propagatedBuildInputs; + name = "${baseName}-${version}"; + inherit version; + src = fetchurl { - inherit (s) url sha256; + url = "https://common-lisp.net/project/ecl/files/ecl-16.0.0.tgz"; + sha256 = "0czh78z9i5b7jc241mq1h1gdscvdw5fbhfb0g9sn4rchwk1x8gil"; }; + configureFlags = [ "--enable-threads" "--with-gmp-prefix=${gmp}" "--with-libffi-prefix=${libffi}" - ] - ++ - (stdenv.lib.optional (! noUnicode) - "--enable-unicode") - ; + ] ++ (stdenv.lib.optional (!noUnicode) "--enable-unicode"); + + buildInputs = [ + libtool autoconf automake + ]; + + propagatedBuildInputs = [ + libffi gmp mpfr + ]; + + hardening_format = false; + postInstall = '' sed -e 's/@[-a-zA-Z_]*@//g' -i $out/bin/ecl-config ''; + meta = { - inherit (s) version; description = "Lisp implementation aiming to be small, fast and easy to embed"; - license = stdenv.lib.licenses.mit ; + license = stdenv.lib.licenses.mit; maintainers = [stdenv.lib.maintainers.raskin]; platforms = stdenv.lib.platforms.linux; }; From 40b7aa3d695f5ba4b29edb1bc85d27a08cfd798b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 01:04:15 +0000 Subject: [PATCH 183/507] erlangR14: turn off format hardening --- pkgs/development/interpreters/erlang/R14.nix | 2 ++ 1 file changed, 2 insertions(+) 
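Review bot: The new `src` hard-codes the version into the URL (`url = "https://common-lisp.net/project/ecl/files/ecl-16.0.0.tgz";`) even though the hunk introduces `version = "16.0.0";` in the `let` directly above it; `url = "https://common-lisp.net/project/ecl/files/ecl-${version}.tgz";` keeps name, version and source in step on the next bump. The hunk also drops `inherit (s) version;` from `meta`, so `meta.version` disappears while the top-level `version` attribute is kept; fine if nothing reads `meta.version`, but worth confirming.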
diff --git a/pkgs/development/interpreters/erlang/R14.nix b/pkgs/development/interpreters/erlang/R14.nix index 773ad6986292..e77300c0f84d 100644 --- a/pkgs/development/interpreters/erlang/R14.nix +++ b/pkgs/development/interpreters/erlang/R14.nix @@ -22,6 +22,8 @@ stdenv.mkDerivation { configureFlags = "--with-ssl=${openssl}"; + hardening_format = false; + postInstall = let manpages = fetchurl { url = "http://www.erlang.org/download/otp_doc_man_R${version}.tar.gz"; From dcc046f5c76029640b8184774b55671d20021686 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 01:10:08 +0000 Subject: [PATCH 184/507] gdal_1_11: turn off format hardening --- pkgs/development/libraries/gdal/gdal-1_11.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/gdal/gdal-1_11.nix b/pkgs/development/libraries/gdal/gdal-1_11.nix index 0e4b4d03541c..4c6ec24a16c6 100644 --- a/pkgs/development/libraries/gdal/gdal-1_11.nix +++ b/pkgs/development/libraries/gdal/gdal-1_11.nix @@ -19,6 +19,8 @@ composableDerivation.composableDerivation {} (fixed: rec { ./python.patch ]; + hardening_format = false; + # Don't use optimization for gcc >= 4.3. That's said to be causing segfaults. # Unset CC and CXX as they confuse libtool. preConfigure = "export CFLAGS=-O0 CXXFLAGS=-O0; unset CC CXX"; From 7f4f7fbb93028d49159c48023cc128dad31de6b5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 01:16:19 +0000 Subject: [PATCH 185/507] gnat: turn off some hardening --- pkgs/development/compilers/gcc/4.5/default.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix index 69c4db63e5bd..f3c3de3950ff 100644 --- a/pkgs/development/compilers/gcc/4.5/default.nix +++ b/pkgs/development/compilers/gcc/4.5/default.nix 
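Review bot: In the gdal_1_11 hunk the context line right below the added `hardening_format = false;` is `preConfigure = "export CFLAGS=-O0 CXXFLAGS=-O0; unset CC CXX";`, and glibc's `_FORTIFY_SOURCE` wrappers only do anything at `-O1` or higher, so this package also gets no fortify protection and glibc warns about it at compile time. That leaves two hardening features effectively off while the expression names only one. If the `-O0` workaround for the old-gcc segfaults mentioned in the comment is still needed, `hardening_fortify = false; # no-op at -O0, see preConfigure` documents the real state; if it is not, dropping `-O0` restores both.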
@@ -135,6 +135,10 @@ stdenv.mkDerivation ({ }; hardening_format = false; + hardening_relro = name != "gnat"; + hardening_bindnow = name != "gnat"; + hardening_stackprotector = name != "gnat"; + hardening_strictoverflow = name != "gnat"; patches = [ ] @@ -209,7 +213,7 @@ stdenv.mkDerivation ({ nativeBuildInputs = [ texinfo which ] ++ optional (perl != null) perl; - + buildInputs = [ gmp mpfr libmpc libelf gettext ] ++ (optional (ppl != null) ppl) ++ (optional (cloogppl != null) cloogppl) From 071bdd46396b52859bdb8b7e5975932a4cad9831 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 01:25:17 +0000 Subject: [PATCH 186/507] graphviz: turn off fortify hardening --- pkgs/tools/graphics/graphviz/2.32.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/graphics/graphviz/2.32.nix b/pkgs/tools/graphics/graphviz/2.32.nix index 2743bd78aa7c..7f11f076dcc8 100644 --- a/pkgs/tools/graphics/graphviz/2.32.nix +++ b/pkgs/tools/graphics/graphviz/2.32.nix @@ -31,6 +31,8 @@ stdenv.mkDerivation rec { ] ++ stdenv.lib.optional (xorg == null) "--without-x"; + hardening_fortify = false; + preBuild = '' sed -e 's@am__append_5 *=.*@am_append_5 =@' -i lib/gvc/Makefile ''; From 3c4729e980032d6aa53eaae3fecd3ede79d12e3d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 01:35:37 +0000 Subject: [PATCH 187/507] kde4.qtruby: pin to ruby_2_2 --- pkgs/desktops/kde-4.14/kdebindings/qtruby.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix index 03e9dc9a007f..c80bd67f404f 100644 --- a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix +++ b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix 
@@ -1,18 +1,20 @@ -{ kde, cmake, smokeqt, ruby }: +{ kde, cmake, smokeqt, ruby_2_2 }: kde { # TODO: scintilla2, qwt5 - buildInputs = [ smokeqt ruby ]; + buildInputs = [ smokeqt ruby_2_2 ]; nativeBuildInputs = [ cmake ]; + hardening_all = false; + # The patch is not ready for upstream submmission. # I should add an option() instead. patches = [ ./qtruby-install-prefix.patch ]; - cmakeFlags="-DRUBY_ROOT_DIR=${ruby}"; + cmakeFlags="-DRUBY_ROOT_DIR=${ruby_2_2}"; meta = { description = "Ruby bindings for Qt library"; From d8f3d2ede1ee789c4277257bc0d099b781aa35a8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 01:41:52 +0000 Subject: [PATCH 188/507] syslinux: turn off stackprotector/pic hardening --- pkgs/os-specific/linux/syslinux/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/syslinux/default.nix b/pkgs/os-specific/linux/syslinux/default.nix index c051aac43126..3ace0f5c5edc 100644 --- a/pkgs/os-specific/linux/syslinux/default.nix +++ b/pkgs/os-specific/linux/syslinux/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation rec { buildInputs = [ libuuid makeWrapper ]; enableParallelBuilding = false; # Fails very rarely with 'No rule to make target: ...' + hardening_stackprotector = false; + hardening_pic = false; preBuild = '' substituteInPlace Makefile --replace /bin/pwd $(type -P pwd) From c72652baee8f73c50652c9f0cd8d590702950134 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 02:12:16 +0000 Subject: [PATCH 189/507] dvdisaster: turn off fortify hardening --- pkgs/tools/cd-dvd/dvdisaster/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/cd-dvd/dvdisaster/default.nix b/pkgs/tools/cd-dvd/dvdisaster/default.nix index 7cb1bf7506da..38e86c8ff1f2 100644 --- a/pkgs/tools/cd-dvd/dvdisaster/default.nix +++ b/pkgs/tools/cd-dvd/dvdisaster/default.nix 
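Review bot: `hardening_all = false;` is added in the qtruby hunk under a commit titled "kde4.qtruby: pin to ruby_2_2", so the most security-relevant part of the change, switching off every hardening flag for the package rather than the one that fails, is invisible from the log. Elsewhere in this series individual flags are disabled (`hardening_format`, `hardening_pic`), which is the pattern to follow unless several flags genuinely break the build. The subject line and a comment on the line, `hardening_all = false; # <failing flags and reason>`, should say which ones and why.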
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec { sha256 = "0f8gjnia2fxcbmhl8b3qkr5b7idl8m855dw7xw2fnmbqwvcm6k4w"; }; + hardening_fortify = false; + nativeBuildInputs = [ gettext pkgconfig which ]; buildInputs = [ glib gtk2 ]; From c3a98e7521f2afd8e10ccee0716bd23ce86966d3 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 02:14:52 +0000 Subject: [PATCH 190/507] linuxPackages.bbswitch: turn off pic hardening --- pkgs/os-specific/linux/bbswitch/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/bbswitch/default.nix b/pkgs/os-specific/linux/bbswitch/default.nix index ec1e5f2e20bc..2c91bfbd10fb 100644 --- a/pkgs/os-specific/linux/bbswitch/default.nix +++ b/pkgs/os-specific/linux/bbswitch/default.nix @@ -20,6 +20,8 @@ stdenv.mkDerivation { sha256 = "1lbr6pyyby4k9rn2ry5qc38kc738d0442jhhq57vmdjb6hxjya7m"; }) ]; + hardening_pic = false; + preBuild = '' substituteInPlace Makefile \ --replace "\$(shell uname -r)" "${kernel.modDirVersion}" \ From 77c020f754b66f31e2e68e584aa2bb6d8617e1af Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 02:21:37 +0000 Subject: [PATCH 191/507] linuxPackages.accelio: turn off pic/format hardening --- pkgs/development/libraries/accelio/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/development/libraries/accelio/default.nix b/pkgs/development/libraries/accelio/default.nix index 637976977b14..9ca9db1e4511 100644 --- a/pkgs/development/libraries/accelio/default.nix +++ b/pkgs/development/libraries/accelio/default.nix @@ -15,6 +15,9 @@ stdenv.mkDerivation rec { sha256 = "172frqk2n43g0arhazgcwfvj0syf861vdzdpxl7idr142bb0ykf7"; }; + hardening_pic = false; + hardening_format = false; + patches = [ ./fix-printfs.patch ]; postPatch = '' From 3acfaa6716561160ac7d50ec9b297a77c3a5be6f Mon Sep 17 00:00:00 2001 
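Review bot: `hardening_pic = false;` in the bbswitch hunk is presumably the permanent, expected setting for an out-of-tree kernel module, since Kbuild supplies its own compiler flags for kernel code, but nothing on the line says so, and the same bare line recurs in lttng-modules, netatop, rtl8812au, tp_smapi, openafs-client, sysdig, blcr and phc-intel. A short comment on each, e.g. `hardening_pic = false; # kernel module: built with Kbuild's own CFLAGS`, separates these deliberate exceptions from the temporary build workarounds elsewhere in the series.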
From: Robin Gloster Date: Fri, 12 Feb 2016 02:25:57 +0000 Subject: [PATCH 192/507] linuxPackages.lttng-modules: turn off pic hardening --- pkgs/os-specific/linux/lttng-modules/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/lttng-modules/default.nix b/pkgs/os-specific/linux/lttng-modules/default.nix index dc21176fa3ca..f6a5e30afa08 100644 --- a/pkgs/os-specific/linux/lttng-modules/default.nix +++ b/pkgs/os-specific/linux/lttng-modules/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "0sk7cyjf5ylmxqrrrz5zmmw4c0dmxh1f98aj870gmcnxfa76y4mx"; }; + hardening_pic = false; + preConfigure = '' export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" export INSTALL_MOD_PATH="$out" From d04b9381cc21152002f60edef8bef391eec994ff Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 02:46:35 +0000 Subject: [PATCH 193/507] linuxPackages.netatop: turn off pic hardening --- pkgs/os-specific/linux/netatop/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/netatop/default.nix b/pkgs/os-specific/linux/netatop/default.nix index 1e74cd94c55b..e95cd4e133cf 100644 --- a/pkgs/os-specific/linux/netatop/default.nix +++ b/pkgs/os-specific/linux/netatop/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation { buildInputs = [ zlib ]; + hardening_pic = false; + preConfigure = '' patchShebangs mkversion sed -i -e 's,^KERNDIR.*,KERNDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build,' \ From 72a9d9a4a7aa6ea26a41bb049524349cd0a498d0 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 02:48:09 +0000 Subject: [PATCH 194/507] plotutils: turn off format hardening --- pkgs/tools/graphics/plotutils/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/graphics/plotutils/default.nix b/pkgs/tools/graphics/plotutils/default.nix index 6a7a6745c87c..dc145a0d8623 100644 --- a/pkgs/tools/graphics/plotutils/default.nix 
+++ b/pkgs/tools/graphics/plotutils/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { configureFlags = "--enable-libplotter"; # required for pstoedit + hardening_format = false; + doCheck = true; meta = { From b73c8a5d91d9d3a17afe389f5632468b406c05e0 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 02:51:04 +0000 Subject: [PATCH 195/507] linuxPackages.rtl8812au: turn off pic hardening --- pkgs/os-specific/linux/rtl8812au/default.nix | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/pkgs/os-specific/linux/rtl8812au/default.nix b/pkgs/os-specific/linux/rtl8812au/default.nix index a16e102bc088..64c0c9fea5ca 100644 --- a/pkgs/os-specific/linux/rtl8812au/default.nix +++ b/pkgs/os-specific/linux/rtl8812au/default.nix @@ -3,29 +3,31 @@ stdenv.mkDerivation rec { name = "rtl8812au-${kernel.version}-${version}"; version = "4.2.2-1"; - + src = fetchFromGitHub { owner = "csssuf"; repo = "rtl8812au"; rev = "874906aec694c800bfc29b146737b88dae767832"; sha256 = "14ifhplawipfd6971mxw76dv3ygwc0n8sbz2l3f0vvkin6x88bsj"; }; - + + hardening_pic = false; + patchPhase = '' substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/" substituteInPlace ./Makefile --replace '$(shell uname -r)' "${kernel.modDirVersion}" substituteInPlace ./Makefile --replace /sbin/depmod # substituteInPlace ./Makefile --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/" ''; - + preInstall = '' mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/" ''; - + meta = { description = "Driver for Realtek 802.11ac, rtl8812au, provides the 8812au mod."; homepage = "https://github.com/csssuf/rtl8812au"; license = stdenv.lib.licenses.gpl2; platforms = [ "x86_64-linux" "i686-linux" ]; }; -} \ No newline at end of file +} From 3ddb973b484cfc988357cceb8a018b347a53680d Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 12 Feb 2016 02:53:32 +0000 Subject: [PATCH 196/507] linuxPackages.tp_smapi: turn off pic hardening --- pkgs/os-specific/linux/tp_smapi/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/tp_smapi/default.nix b/pkgs/os-specific/linux/tp_smapi/default.nix index 40d9e7c10682..116a03444507 100644 --- a/pkgs/os-specific/linux/tp_smapi/default.nix +++ b/pkgs/os-specific/linux/tp_smapi/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation { sha256 = "6aef02b92d10360ac9be0db29ae390636be55017990063a092a285c70b54e666"; }; + hardening_pic = false; + makeFlags = [ "KBASE=${kernel.dev}/lib/modules/${kernel.modDirVersion}" "SHELL=/bin/sh" From 5c297e8b5a9c748e2b8387391607d5de5f28141e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 02:53:54 +0000 Subject: [PATCH 197/507] linuxPackages.openafs-client: turn off pic hardening --- pkgs/servers/openafs-client/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/openafs-client/default.nix b/pkgs/servers/openafs-client/default.nix index 5d8e255f47f1..1ff9b79e3835 100644 --- a/pkgs/servers/openafs-client/default.nix +++ b/pkgs/servers/openafs-client/default.nix @@ -23,6 +23,8 @@ stdenv.mkDerivation { buildInputs = [ autoconf automake flex yacc ncurses perl which ]; + hardening_pic = false; + preConfigure = '' ln -s "${kernel.dev}/lib/modules/"*/build $TMP/linux From e3a4f0920f1c22c8381a1be76b2a3cdca0f649a2 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 02:58:58 +0000 Subject: [PATCH 198/507] linuxPackages.klib: turn off format/stackprotector hardening --- pkgs/os-specific/linux/klibc/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/os-specific/linux/klibc/default.nix b/pkgs/os-specific/linux/klibc/default.nix index b948dbff2c1d..b05b0dc44637 100644 --- a/pkgs/os-specific/linux/klibc/default.nix +++ b/pkgs/os-specific/linux/klibc/default.nix 
@@ -21,6 +21,9 @@ stdenv.mkDerivation { nativeBuildInputs = [ perl ]; + hardening_format = false; + hardening_stackprotector = false; + makeFlags = commonMakeFlags ++ [ "KLIBCARCH=${stdenv.platform.kernelArch}" "KLIBCKERNELSRC=${kernelHeaders}" From 7854ca7170b1eaa6eaa5668c197fbd25568d2b32 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 03:00:35 +0000 Subject: [PATCH 199/507] linuxPackages.sysdig: turn off pic hardening --- pkgs/os-specific/linux/sysdig/default.nix | 28 +++++++++++------------ 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/pkgs/os-specific/linux/sysdig/default.nix b/pkgs/os-specific/linux/sysdig/default.nix index 62e2a48adc96..0316d9b09670 100644 --- a/pkgs/os-specific/linux/sysdig/default.nix +++ b/pkgs/os-specific/linux/sysdig/default.nix @@ -1,32 +1,33 @@ {stdenv, fetchurl, cmake, luajit, kernel, zlib, ncurses, perl, jsoncpp, libb64, openssl, curl}: let inherit (stdenv.lib) optional optionalString; - s = rec { - baseName="sysdig"; - version = "0.6.0"; - name="${baseName}-${version}"; - url="https://github.com/draios/sysdig/archive/${version}.tar.gz"; + baseName = "sysdig"; + version = "0.6.0"; +in +stdenv.mkDerivation { + name="${baseName}-${version}"; + + src = fetchurl { + url = "https://github.com/draios/sysdig/archive/${version}.tar.gz"; sha256 = "0729mjs9gpd7kb495q80zlp23zczm8ka3xcq4571c0sm732sa3g3"; }; + buildInputs = [ cmake zlib luajit ncurses perl jsoncpp libb64 openssl curl ]; -in -stdenv.mkDerivation { - inherit (s) name version; - inherit buildInputs; - src = fetchurl { - inherit (s) url sha256; - }; + + hardening_pic = false; cmakeFlags = [ "-DUSE_BUNDLED_DEPS=OFF" ] ++ optional (kernel == null) "-DBUILD_DRIVER=OFF"; + preConfigure = '' export INSTALL_MOD_PATH="$out" '' + optionalString (kernel != null) '' export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ''; + postInstall = optionalString (kernel != null) '' make install_driver kernel_dev=${kernel.dev} 
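Review bot: The rewritten sysdig `stdenv.mkDerivation` passes only `name="${baseName}-${version}"` where the old code had `inherit (s) name version;`, so the derivation's `version` attribute is dropped, and the second hunk of this patch removes `meta.version` as well. Anything that reads `version` off the derivation will now fail with a missing-attribute error; adding `inherit version;` after the `name` line restores it, as the ecl rewrite in this same series does. The added `hardening_pic = false;` also has no note that it is for the driver build; since `-DBUILD_DRIVER=OFF` is selected when `kernel == null`, the exception could be conditioned on `kernel != null` the same way, or at least commented.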
@@ -36,8 +37,7 @@ stdenv.mkDerivation { ''; meta = with stdenv.lib; { - inherit (s) version; - description = ''A tracepoint-based system tracing tool for Linux (with clients for other OSes)''; + description = "A tracepoint-based system tracing tool for Linux (with clients for other OSes)"; license = licenses.gpl2; maintainers = [maintainers.raskin]; platforms = platforms.linux ++ platforms.darwin; From 4c30616dc342b832098d1bb5a3c1accc7fe47520 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 03:01:00 +0000 Subject: [PATCH 200/507] linuxPackages.v86d: turn off stackprotector hardening --- pkgs/os-specific/linux/v86d/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/v86d/default.nix b/pkgs/os-specific/linux/v86d/default.nix index 0ef992a4b44c..17255aa12831 100644 --- a/pkgs/os-specific/linux/v86d/default.nix +++ b/pkgs/os-specific/linux/v86d/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation rec { configureFlags = [ "--with-klibc" "--with-x86emu" ]; + hardening_stackprotector = false; + makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source" "DESTDIR=$(out)" From 7d86b0331110886a6fb8a280b3a6c890a9a25a9a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 03:50:09 +0000 Subject: [PATCH 201/507] leafpad: turn off format hardening --- pkgs/applications/editors/leafpad/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/editors/leafpad/default.nix b/pkgs/applications/editors/leafpad/default.nix index fc35a993badf..f3755db448cd 100644 --- a/pkgs/applications/editors/leafpad/default.nix +++ b/pkgs/applications/editors/leafpad/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ intltool pkgconfig gtk ]; + hardening_format = false; + configureFlags = [ "--enable-chooser" ]; From 5e9df54d194f11da1616e80dc0a1dbd454e870de Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 12 Feb 2016 03:50:20 +0000 Subject: [PATCH 202/507] gnat: turn off all hardening --- pkgs/development/compilers/gcc/4.5/default.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix index f3c3de3950ff..2493593f3575 100644 --- a/pkgs/development/compilers/gcc/4.5/default.nix +++ b/pkgs/development/compilers/gcc/4.5/default.nix @@ -135,10 +135,7 @@ stdenv.mkDerivation ({ }; hardening_format = false; - hardening_relro = name != "gnat"; - hardening_bindnow = name != "gnat"; - hardening_stackprotector = name != "gnat"; - hardening_strictoverflow = name != "gnat"; + hardening_all = name != "gnat"; patches = [ ] From 322e086e4d1d11804b8a2a6b986caf0fc0537db6 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 03:55:41 +0000 Subject: [PATCH 203/507] linuxPackages.blcr: turn off pic hardening --- pkgs/os-specific/linux/blcr/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/blcr/default.nix b/pkgs/os-specific/linux/blcr/default.nix index bc7523858fe1..78a576234aca 100644 --- a/pkgs/os-specific/linux/blcr/default.nix +++ b/pkgs/os-specific/linux/blcr/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation { buildInputs = [ perl makeWrapper ]; + hardening_pic = false; + preConfigure = '' configureFlagsArray=( --with-linux=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build @@ -33,7 +35,7 @@ stdenv.mkDerivation { wrapProgram "$prog" --prefix LD_LIBRARY_PATH ":" "$out/lib" done ''; - + meta = { description = "Berkeley Lab Checkpoint/Restart for Linux (BLCR)"; homepage = https://ftg.lbl.gov/projects/CheckpointRestart/; From f1e4a8c966bb492b0fadc04215bdfc7207c04a18 Mon Sep 17 00:00:00 2001 
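Review bot: After the gnat hunk the derivation sets both `hardening_format = false;` (kept) and `hardening_all = name != "gnat";`, and for every non-gnat build the second is true, so whether format hardening stays off now depends on how the adapter resolves a per-flag `false` against `hardening_all = true`; that precedence is not visible here and should be checked before relying on it. If per-flag settings win, the pair is fine but deserves a comment saying so; if `hardening_all` wins, the `hardening_format = false;` exception for gcc 4.5 is silently undone. Spelling it out, e.g. `hardening_all = name != "gnat"; # gnat: <reason>; per-flag overrides above still apply`, removes the ambiguity.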
From: Robin Gloster Date: Fri, 12 Feb 2016 03:56:06 +0000 Subject: [PATCH 204/507] linuxPackages.phc-intel: turn off pic hardening --- pkgs/os-specific/linux/phc-intel/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/phc-intel/default.nix b/pkgs/os-specific/linux/phc-intel/default.nix index 2b86238b2df5..56ff6c473b40 100644 --- a/pkgs/os-specific/linux/phc-intel/default.nix +++ b/pkgs/os-specific/linux/phc-intel/default.nix @@ -21,6 +21,8 @@ in stdenv.mkDerivation rec { buildInputs = [ which ]; + hardening_pic = false; + makeFlags = with kernel; [ "DESTDIR=$(out)" "KERNELSRC=${dev}/lib/modules/${modDirVersion}/build" From 6e13bcd43614c36818723136893dcbcf348f6547 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 03:58:23 +0000 Subject: [PATCH 205/507] liquidwar: turn off format hardening --- pkgs/games/liquidwar/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/games/liquidwar/default.nix b/pkgs/games/liquidwar/default.nix index ce346459201d..d374ed85b2db 100644 --- a/pkgs/games/liquidwar/default.nix +++ b/pkgs/games/liquidwar/default.nix @@ -24,6 +24,8 @@ stdenv.mkDerivation rec { libXrender libcaca cunit ]; + hardening_format = false; + # To avoid problems finding SDL_types.h. configureFlags = [ "CFLAGS=-I${SDL}/include/SDL" ]; From 7e644980ccfd63fd6f487a4d1965b1014996676c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 03:58:56 +0000 Subject: [PATCH 206/507] mailutils: turn off format hardening --- pkgs/tools/networking/mailutils/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/networking/mailutils/default.nix b/pkgs/tools/networking/mailutils/default.nix index cbca408f0842..53e17e6cecdc 100644 --- a/pkgs/tools/networking/mailutils/default.nix +++ b/pkgs/tools/networking/mailutils/default.nix 
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "0szbqa12zqzldqyw97lxqax3ja2adis83i7brdfsxmrfw68iaf65"; }; + hardening_format = false; + patches = [ ./path-to-cat.patch ./no-gets.patch ]; configureFlags = "--with-path-sendmail=${sendmailPath}"; From 7b37bbedc4fea353e45484b164b375b16c67df24 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 12:32:24 +0000 Subject: [PATCH 207/507] mi2ly: turn off format hardening --- pkgs/applications/audio/mi2ly/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/mi2ly/default.nix b/pkgs/applications/audio/mi2ly/default.nix index 1d736b06938a..67ac74f5f5a2 100644 --- a/pkgs/applications/audio/mi2ly/default.nix +++ b/pkgs/applications/audio/mi2ly/default.nix @@ -21,6 +21,8 @@ stdenv.mkDerivation { sourceRoot="."; + hardening_format = false; + buildPhase = "./cc"; installPhase = '' mkdir -p "$out"/{bin,share/doc/mi2ly} From 548c1404d5159fda1c39d62362f6817354a2b5c6 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 12:34:15 +0000 Subject: [PATCH 208/507] mp3info: turn off format hardening --- pkgs/applications/audio/mp3info/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/mp3info/default.nix b/pkgs/applications/audio/mp3info/default.nix index e4c45c613ee8..f2434619c475 100644 --- a/pkgs/applications/audio/mp3info/default.nix +++ b/pkgs/applications/audio/mp3info/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses pkgconfig gtk ]; + hardening_format = false; + configurePhase = '' sed -i Makefile \ -e "s|^prefix=.*$|prefix=$out|g ; From 5cf5e6e9c4ec026a6d1b5dffe875b1cbdeb19100 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 12:35:48 +0000 Subject: [PATCH 209/507] mrpeach: turn off format hardening --- pkgs/applications/audio/pd-plugins/mrpeach/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/pkgs/applications/audio/pd-plugins/mrpeach/default.nix b/pkgs/applications/audio/pd-plugins/mrpeach/default.nix index 5f76b208e143..207967a978f5 100644 --- a/pkgs/applications/audio/pd-plugins/mrpeach/default.nix +++ b/pkgs/applications/audio/pd-plugins/mrpeach/default.nix @@ -14,7 +14,9 @@ stdenv.mkDerivation rec { sha256 = "12jqba3jsdrk20ib9wc2wiivki88ypcd4mkzgsri9siywbbz9w8x"; }; - buildInputs = [puredata ]; + buildInputs = [ puredata ]; + + hardening_format = false; patchPhase = '' for D in net osc From af07fd6e1b82ce44b41ef631298adb4022d81073 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 12:44:15 +0000 Subject: [PATCH 210/507] mkcl: turn off format hardening --- pkgs/development/compilers/mkcl/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/mkcl/default.nix b/pkgs/development/compilers/mkcl/default.nix index f6ab05bd29ba..e57151b077fa 100644 --- a/pkgs/development/compilers/mkcl/default.nix +++ b/pkgs/development/compilers/mkcl/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper ]; propagatedBuildInputs = [ gmp ]; + hardening_format = false; + configureFlags = [ "GMP_CFLAGS=-I${gmp}/include" "GMP_LDFLAGS=-L${gmp}/lib" From 136562adab750df73f0f646fdc679bc71dcb9a68 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 12:50:38 +0000 Subject: [PATCH 211/507] meshlab: turn off format hardening --- pkgs/applications/graphics/meshlab/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/graphics/meshlab/default.nix b/pkgs/applications/graphics/meshlab/default.nix index 49bfb47c85a4..c3aed10d00ca 100644 --- a/pkgs/applications/graphics/meshlab/default.nix +++ b/pkgs/applications/graphics/meshlab/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { patches = [ ./include-unistd.diff ]; + hardening_format = false; + buildPhase = '' mkdir -p "$out/include" cp -r vcglib "$out/include" 
From 64e6f69b70b6daf552984cb967ea116519529d23 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 12:50:49 +0000 Subject: [PATCH 212/507] mupen64plus: turn off format hardening --- pkgs/misc/emulators/mupen64plus/default.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/pkgs/misc/emulators/mupen64plus/default.nix b/pkgs/misc/emulators/mupen64plus/default.nix index 571e14347b49..dc3c14128566 100644 --- a/pkgs/misc/emulators/mupen64plus/default.nix +++ b/pkgs/misc/emulators/mupen64plus/default.nix @@ -6,9 +6,11 @@ stdenv.mkDerivation { url = http://mupen64plus.googlecode.com/files/Mupen64Plus-1-5-src.tar.gz; sha256 = "0gygfgyr2sg4yx77ijk133d1ra0v1yxi4xjxrg6kp3zdjmhdmcjq"; }; - + buildInputs = [ which pkgconfig SDL gtk mesa SDL_ttf ]; - + + hardening_format = false; + preConfigure = '' # Some C++ incompatibility fixes sed -i -e 's|char \* extstr = strstr|const char * extstr = strstr|' glide64/Main.cpp @@ -20,10 +22,10 @@ stdenv.mkDerivation { # Remove PATH environment variable from install script sed -i -e "s|export PATH=|#export PATH=|" ./install.sh ''; - + buildPhase = "make all"; installPhase = "PREFIX=$out make install"; - + meta = { description = "A Nintendo 64 Emulator"; license = stdenv.lib.licenses.gpl2Plus; From 9f644ee546c6fa037bcf6ce65421924f7aac8a4c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 13:04:31 +0000 Subject: [PATCH 213/507] navit: turn off format hardening --- pkgs/applications/misc/navit/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/misc/navit/default.nix b/pkgs/applications/misc/navit/default.nix index 1be39c666421..67f474cefac8 100644 --- a/pkgs/applications/misc/navit/default.nix +++ b/pkgs/applications/misc/navit/default.nix 
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "1xx62l5srfhh9cfi7n3pxj8hpcgr1rpa0hzfmbrqadzv09z36723"; }; + hardening_format = false; + # 'cvs' is only for the autogen buildInputs = [ pkgconfig gtk SDL fontconfig freetype imlib2 SDL_image mesa libXmu freeglut python gettext quesoglc gd postgresql cmake qt4 SDL_ttf fribidi ]; From 663ec96a9a8891a0bbe7b74cac1d0eb5566085e8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 13:07:20 +0000 Subject: [PATCH 214/507] netboot: turn off format hardening --- pkgs/tools/networking/netboot/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/networking/netboot/default.nix b/pkgs/tools/networking/netboot/default.nix index 0f75bd44d69b..349dba12538c 100644 --- a/pkgs/tools/networking/netboot/default.nix +++ b/pkgs/tools/networking/netboot/default.nix @@ -9,10 +9,12 @@ stdenv.mkDerivation rec { buildInputs = [ yacc lzo db4 ]; + hardening_format = false; + meta = with stdenv.lib; { description = "Mini PXE server"; maintainers = [ maintainers.raskin ]; platforms = ["x86_64-linux"]; license = stdenv.lib.licenses.free; }; -} \ No newline at end of file +} From 86e8cad2cf2c4fa067d9523ad36c02d9dbdcb554 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 13:08:56 +0000 Subject: [PATCH 215/507] nestopia: turn off format hardening --- pkgs/misc/emulators/nestopia/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/misc/emulators/nestopia/default.nix b/pkgs/misc/emulators/nestopia/default.nix index fc64caf1053d..3ed455bd350f 100644 --- a/pkgs/misc/emulators/nestopia/default.nix +++ b/pkgs/misc/emulators/nestopia/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { # nondeterministic failures when creating directories enableParallelBuilding = false; + hardening_format = false; + buildInputs = [ pkgconfig SDL2 alsaLib gtk3 mesa_glu mesa makeWrapper libarchive libao unzip xdg_utils gsettings_desktop_schemas ]; 
From 668176fe815570bee7e0cba9a791e88e61eed024 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 13:10:01 +0000 Subject: [PATCH 216/507] nvidia-texture-tools: turn off format hardening --- pkgs/development/libraries/nvidia-texture-tools/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/nvidia-texture-tools/default.nix b/pkgs/development/libraries/nvidia-texture-tools/default.nix index 754ab4233e58..cd8268faa658 100644 --- a/pkgs/development/libraries/nvidia-texture-tools/default.nix +++ b/pkgs/development/libraries/nvidia-texture-tools/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { buildInputs = [ cmake libpng ilmbase libtiff zlib libjpeg mesa libX11 ]; + hardening_format = false; + patchPhase = '' # Fix build due to missing dependnecies. echo 'target_link_libraries(bc7 nvmath)' >> src/nvtt/bc7/CMakeLists.txt From 88d3b081bae0f6208fa7679561959e3ecf800f36 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 13:26:34 +0000 Subject: [PATCH 217/507] omniorb: turn off format hardening --- pkgs/development/tools/omniorb/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/tools/omniorb/default.nix b/pkgs/development/tools/omniorb/default.nix index 180e714b81e0..5553d028cb63 100644 --- a/pkgs/development/tools/omniorb/default.nix +++ b/pkgs/development/tools/omniorb/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ python ]; + hardening_format = false; + meta = with stdenv.lib; { description = "omniORB is a robust high performance CORBA ORB for C++ and Python. It is freely available under the terms of the GNU Lesser General Public License (for the libraries), and GNU General Public License (for the tools). omniORB is largely CORBA 2.6 compliant."; homepage = "http://omniorb.sourceforge.net/"; From 200dedf2cd88a38acab08c37b819c65d582fa469 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 12 Feb 2016 13:27:00 +0000 Subject: [PATCH 218/507] nifskope: turn off format hardening --- pkgs/tools/graphics/nifskope/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/graphics/nifskope/default.nix b/pkgs/tools/graphics/nifskope/default.nix index 13dc27921a43..e28a2e164885 100644 --- a/pkgs/tools/graphics/nifskope/default.nix +++ b/pkgs/tools/graphics/nifskope/default.nix @@ -21,6 +21,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardening_format = false; + # Inspired by linux-install/nifskope.spec.in. installPhase = '' From 7e01cafa4bf98eedb025917f502ff85c86400b95 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 13:46:50 +0000 Subject: [PATCH 219/507] openfortivpn: turn off format hardening and use autoreconfHook --- pkgs/tools/networking/openfortivpn/default.nix | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/pkgs/tools/networking/openfortivpn/default.nix b/pkgs/tools/networking/openfortivpn/default.nix index 50fde6a77944..25af3e11cafb 100644 --- a/pkgs/tools/networking/openfortivpn/default.nix +++ b/pkgs/tools/networking/openfortivpn/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchFromGitHub, automake, autoconf, openssl, ppp }: +{ stdenv, fetchFromGitHub, autoreconfHook, openssl, ppp }: with stdenv.lib; @@ -15,13 +15,11 @@ in stdenv.mkDerivation { sha256 = "0kwl8hv3nydd34xp1489jpjdj4bmknfl9xrgynij0vf5qx29xv7m"; }; - buildInputs = [ openssl automake autoconf ppp ]; + buildInputs = [ openssl ppp autoreconfHook ]; + + hardening_format = false; preConfigure = '' - aclocal - autoconf - automake --add-missing - substituteInPlace src/tunnel.c --replace "/usr/sbin/pppd" "${ppp}/bin/pppd" ''; From 0ea02595f760d2b61129f2a1c7672c4ae45e87f0 Mon Sep 17 00:00:00 2001 
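Review bot: In the second openfortivpn hunk `autoreconfHook` is listed in `buildInputs`; it is a build-time tool and the convention used elsewhere in this series (qt3, xfig, zynaddsubfx all show `nativeBuildInputs`) is `nativeBuildInputs = [ autoreconfHook ];` with `buildInputs = [ openssl ppp ];`. Separately, openfortivpn parses responses from a remote VPN gateway, so the `hardening_format = false;` added beside it removes precisely the compile-time format-string check that matters for such code; a comment naming the offending call site would let the flag be dropped once it is fixed upstream. The mkDerivation body continues outside the hunk.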
From: Robin Gloster Date: Fri, 12 Feb 2016 13:51:05 +0000 Subject: [PATCH 220/507] otter: turn off format hardening --- pkgs/applications/science/logic/otter/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/applications/science/logic/otter/default.nix b/pkgs/applications/science/logic/otter/default.nix index 398f6c9a3e22..b0b001f7b3c4 100644 --- a/pkgs/applications/science/logic/otter/default.nix +++ b/pkgs/applications/science/logic/otter/default.nix @@ -17,6 +17,9 @@ stdenv.mkDerivation { src = fetchurl { inherit (s) url sha256; }; + + hardening_format = false; + buildPhase = '' find . -name Makefile | xargs sed -i -e "s@/bin/rm@$(type -P rm)@g" find . -name Makefile | xargs sed -i -e "s@/bin/mv@$(type -P mv)@g" @@ -32,11 +35,13 @@ stdenv.mkDerivation { make -C source/formed realclean make -C source/formed formed ''; + installPhase = '' mkdir -p "$out"/{bin,share/otter} cp bin/* source/formed/formed "$out/bin/" cp -r examples examples-mace2 documents README* Legal Changelog Contents index.html "$out/share/otter/" ''; + meta = { inherit (s) version; description = "A reliable first-order theorem prover"; From 37cd2e6e21426db31a28c4fe9c15fcfd6a2ff121 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 13:53:04 +0000 Subject: [PATCH 221/507] pal: turn off format hardening --- pkgs/tools/misc/pal/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/misc/pal/default.nix b/pkgs/tools/misc/pal/default.nix index ff7279d0d57c..a65bd1fe8ec1 100644 --- a/pkgs/tools/misc/pal/default.nix +++ b/pkgs/tools/misc/pal/default.nix 
@@ -12,12 +12,12 @@ stdenv.mkDerivation rec { sed -i -e 's,/etc/pal\.conf,'$out/etc/pal.conf, src/input.c ''; - preBuild = '' - export makeFlags="prefix=$out" - ''; + makeFlags = "prefix=$(out)"; buildInputs = [ glib gettext readline pkgconfig ]; + hardening_format = false; + meta = { homepage = http://palcal.sourceforge.net/; description = "Command-line calendar program that can keep track of events"; From e5fa454ad3498db09418e5fe030e53b83efa493f Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 14:04:24 +0000 Subject: [PATCH 222/507] qhull: turn off format hardening --- pkgs/development/libraries/qhull/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/qhull/default.nix b/pkgs/development/libraries/qhull/default.nix index 76ceb12b401f..e8a67d3bc42a 100644 --- a/pkgs/development/libraries/qhull/default.nix +++ b/pkgs/development/libraries/qhull/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { cmakeFlags = "-DMAN_INSTALL_DIR=share/man/man1 -DDOC_INSTALL_DIR=share/doc/qhull"; + hardening_format = false; + meta = { homepage = http://www.qhull.org/; description = "Computes the convex hull, Delaunay triangulation, Voronoi diagram and more"; From 295602945ea4e0d1ea3a48ce60ebb044cfa2a8ca Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 14:10:31 +0000 Subject: [PATCH 223/507] pioneers: turn off format hardening --- pkgs/games/pioneers/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/games/pioneers/default.nix b/pkgs/games/pioneers/default.nix index af9900cede53..41780dd64f6d 100644 --- a/pkgs/games/pioneers/default.nix +++ b/pkgs/games/pioneers/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { buildInputs = [ gtk pkgconfig intltool ]; + hardening_format = false; + meta = { homepage = http://pio.sourceforge.net/; license = stdenv.lib.licenses.gpl2Plus; From 5be387da19950076474fa185e1bafeaaa9c7477c Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 12 Feb 2016 14:15:00 +0000 Subject: [PATCH 224/507] opencv3: turn off format hardening --- pkgs/development/libraries/opencv/3.x.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/development/libraries/opencv/3.x.nix b/pkgs/development/libraries/opencv/3.x.nix index 4a58ae43bb7a..16765083c55c 100644 --- a/pkgs/development/libraries/opencv/3.x.nix +++ b/pkgs/development/libraries/opencv/3.x.nix @@ -49,6 +49,9 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardening_bindnow = false; + hardening_relro = false; + meta = { description = "Open Computer Vision Library with more than 500 algorithms"; homepage = http://opencv.org/; From 0a3b3559b19ebfc999b151d0916f57fb05fd3398 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 14:55:59 +0000 Subject: [PATCH 225/507] riak: turn off format hardening --- pkgs/servers/nosql/riak/1.3.1.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/nosql/riak/1.3.1.nix b/pkgs/servers/nosql/riak/1.3.1.nix index df85044b8d1a..ffa2056d5a9c 100644 --- a/pkgs/servers/nosql/riak/1.3.1.nix +++ b/pkgs/servers/nosql/riak/1.3.1.nix @@ -23,6 +23,8 @@ stdenv.mkDerivation rec { patches = [ ./riak-1.3.1.patch ./riak-admin-1.3.1.patch ]; + hardening_format = false; + postUnpack = '' mkdir -p $sourceRoot/deps/eleveldb/c_src/leveldb cp -r ${srcs.leveldb}/* $sourceRoot/deps/eleveldb/c_src/leveldb From e558a7f25231c6cfdc34cfe58add92fa9cceca5d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:10:11 +0000 Subject: [PATCH 226/507] radare: turn off format hardening --- pkgs/development/tools/analysis/radare/default.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/development/tools/analysis/radare/default.nix b/pkgs/development/tools/analysis/radare/default.nix index 3c83f0e9d495..8324d8991478 100644 --- a/pkgs/development/tools/analysis/radare/default.nix +++ b/pkgs/development/tools/analysis/radare/default.nix 
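Review bot: The opencv3 hunk sets `hardening_bindnow = false;` and `hardening_relro = false;` while the commit subject says "turn off format hardening", so the message does not describe the change; the musescore hunk later on this page makes the same two changes with a subject that does. Disabling RELRO and BIND_NOW leaves the GOT of every object this derivation links writable after startup, which is a larger concession than the format opt-out, and nothing in the hunk records the link failure that presumably motivated it. Suggest fixing the subject and adding `# linking fails with -z relro -z now: <LINK ERROR PLACEHOLDER>; re-enable once fixed` above the two flags, in both opencv3 and musescore.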
@@ -8,8 +8,8 @@ assert useX11 -> (gtk != null && vte != null && gtkdialog != null); assert rubyBindings -> ruby != null; assert pythonBindings -> python != null; -let - optional = stdenv.lib.optional; +let + inherit (stdenv.lib) optional; in stdenv.mkDerivation rec { name = "radare-1.5.2"; @@ -19,6 +19,7 @@ stdenv.mkDerivation rec { sha256 = "1qdrmcnzfvfvqb27c7pknwm8jl2hqa6c4l66wzyddwlb8yjm46hd"; }; + hardening_format = false; buildInputs = [pkgconfig readline libusb perl] ++ optional useX11 [gtkdialog vte gtk] From 7c7d9c10ace59a158b2cb27bc3a580e97f11378d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:10:52 +0000 Subject: [PATCH 227/507] qt3: turn off format hardening --- pkgs/development/libraries/qt-3/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/qt-3/default.nix b/pkgs/development/libraries/qt-3/default.nix index 08d8f141deb0..8a11cc7087bb 100644 --- a/pkgs/development/libraries/qt-3/default.nix +++ b/pkgs/development/libraries/qt-3/default.nix @@ -32,6 +32,8 @@ stdenv.mkDerivation { nativeBuildInputs = [ which ]; propagatedBuildInputs = [libpng xlibsWrapper libXft libXrender zlib libjpeg]; + hardening_format = false; + configureFlags = " -v -system-zlib -system-libpng -system-libjpeg From a514ba1b1c9984b4c9fefbde71c61ee0bcdc5add Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:12:42 +0000 Subject: [PATCH 228/507] rakarrack: turn off format hardening --- pkgs/applications/audio/rakarrack/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/rakarrack/default.nix b/pkgs/applications/audio/rakarrack/default.nix index b746cccd113d..647ed9036dc2 100644 --- a/pkgs/applications/audio/rakarrack/default.nix +++ b/pkgs/applications/audio/rakarrack/default.nix 
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "1rpf63pdn54c4yg13k7cb1w1c7zsvl97c4qxcpz41c8l91xd55kn"; }; + hardening_format = false; + patches = [ ./fltk-path.patch ]; buildInputs = [ alsaLib alsaUtils fltk libjack2 libXft libXpm libjpeg From 9375cd8e4db494d6d2686061b59a8c6c1d863b50 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:14:12 +0000 Subject: [PATCH 229/507] untex: turn off format hardening --- pkgs/tools/text/untex/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/text/untex/default.nix b/pkgs/tools/text/untex/default.nix index e2f6142a2a0f..33f72b029a1e 100644 --- a/pkgs/tools/text/untex/default.nix +++ b/pkgs/tools/text/untex/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "07p836jydd5yjy905m5ylnnac1h4cc4jsr41panqb808mlsiwmmy"; }; + hardening_format = false; + unpackPhase = "tar xf $src"; installTargets = "install install.man"; installFlags = "BINDIR=$(out)/bin MANDIR=$(out)/share/man/man1"; From 969ed1610a6025f7a908a9beb21e13c5055a5b49 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:22:56 +0000 Subject: [PATCH 230/507] qrcode: turn off fortify hardening --- pkgs/tools/graphics/qrcode/default.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/graphics/qrcode/default.nix b/pkgs/tools/graphics/qrcode/default.nix index e5bc5517b89e..a1aefbff33c6 100644 --- a/pkgs/tools/graphics/qrcode/default.nix +++ b/pkgs/tools/graphics/qrcode/default.nix @@ -1,4 +1,4 @@ -{stdenv, fetchgit}: +{ stdenv, fetchgit }: let s = rec { @@ -16,14 +16,19 @@ in stdenv.mkDerivation { inherit (s) name version; inherit buildInputs; + src = fetchgit { inherit (s) rev url sha256; }; + + hardening_fortify = false; + installPhase = '' mkdir -p "$out"/{bin,share/doc/qrcode} cp qrcode "$out/bin" cp DOCUMENTATION LICENCE "$out/share/doc/qrcode" ''; + meta = { inherit (s) version; description = ''A small QR-code tool''; 
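Review bot: In the qrcode hunk `hardening_fortify = false;` is added without explanation, and the clib hunk further down does the same. This flag controls `-D_FORTIFY_SOURCE=2`, i.e. the checked variants of memcpy/strcpy/sprintf-style calls, and a common reason it breaks a build is that the package compiles at `-O0`, where glibc emits a `_FORTIFY_SOURCE requires compiling with optimization` warning that only becomes fatal if the package also uses `-Werror`. If that is the case here, keeping optimization on or suppressing just that diagnostic preserves the protection; otherwise a comment naming the actual failure, e.g. `# fortify disabled: <BUILD ERROR PLACEHOLDER>`, should accompany the flag so the opt-out can be revisited.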
From 059ac0e03b3be71e917010507c419633a184eb85 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:29:23 +0000 Subject: [PATCH 231/507] postfix28: turn off format hardening --- pkgs/servers/mail/postfix/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/mail/postfix/default.nix b/pkgs/servers/mail/postfix/default.nix index 838ca7a8d8df..578453c8c56f 100644 --- a/pkgs/servers/mail/postfix/default.nix +++ b/pkgs/servers/mail/postfix/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { buildInputs = [db openssl cyrus_sasl bison perl]; + hardening_format = false; + patches = [ ./postfix-2.2.9-db.patch ./postfix-2.2.9-lib.patch From 33ca7682c75f8be15b23c1609cad540c8623d419 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:39:09 +0000 Subject: [PATCH 232/507] posterazor: turn off format hardening --- pkgs/applications/misc/posterazor/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/misc/posterazor/default.nix b/pkgs/applications/misc/posterazor/default.nix index f55af543f18d..43da0c92a42f 100644 --- a/pkgs/applications/misc/posterazor/default.nix +++ b/pkgs/applications/misc/posterazor/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1dqpdk8zl0smdg4fganp3hxb943q40619qmxjlga9jhjc01s7fq5"; }; + hardening_format = false; + buildInputs = [ cmake unzip pkgconfig libXpm fltk13 freeimage ]; unpackPhase = '' From b108c351f0e38220c4371c358c1c6d6e2088cb9d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:44:45 +0000 Subject: [PATCH 233/507] lingot: turn off format hardening --- pkgs/applications/audio/lingot/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/lingot/default.nix b/pkgs/applications/audio/lingot/default.nix index 4b07c84b0be8..92e39f7bb114 100644 --- a/pkgs/applications/audio/lingot/default.nix +++ b/pkgs/applications/audio/lingot/default.nix 
@@ -8,6 +8,8 @@ stdenv.mkDerivation { sha256 = "0ygras6ndw2fylwxx86ac11pcr2y2bcfvvgiwrh92z6zncx254gc"; }; + hardening_format = false; + buildInputs = [ pkgconfig intltool gtk alsaLib libglade ]; configureFlags = "--disable-jack"; From 242b8aba7c1b75130214f6dd93f6b057ee6efe26 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:59:08 +0000 Subject: [PATCH 234/507] lincityNg: turn off format hardening --- pkgs/games/lincity/ng.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/games/lincity/ng.nix b/pkgs/games/lincity/ng.nix index 8807831ef014..0c3fc7055b7c 100644 --- a/pkgs/games/lincity/ng.nix +++ b/pkgs/games/lincity/ng.nix @@ -15,13 +15,15 @@ let s = # Generated upstream information }; buildInputs = [zlib jam pkgconfig gettext libxml2 libxslt xproto libX11 mesa SDL SDL_mixer SDL_image SDL_ttf SDL_gfx physfs]; -in +in stdenv.mkDerivation rec { inherit (s) name version; src = fetchurl { inherit (s) url sha256; }; + hardening_format = false; + inherit buildInputs; buildPhase = "jam"; From 7ebac5576a76db2461c1e43fe119540daab77e21 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 15:59:46 +0000 Subject: [PATCH 235/507] opencascade_6_5: turn off format hardening --- pkgs/development/libraries/opencascade/6.5.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/opencascade/6.5.nix b/pkgs/development/libraries/opencascade/6.5.nix index 4228c285dfd5..a1143757c77e 100644 --- a/pkgs/development/libraries/opencascade/6.5.nix +++ b/pkgs/development/libraries/opencascade/6.5.nix @@ -26,6 +26,8 @@ stdenv.mkDerivation rec { # https://bugs.freedesktop.org/show_bug.cgi?id=83631 + " -DGLX_GLXEXT_LEGACY"; + hardening_format = false; + configureFlags = [ "--with-tcl=${tcl}/lib" "--with-tk=${tk}/lib" "--with-qt=${qt4}" "--with-ftgl=${ftgl}" "--with-freetype=${freetype}" ]; postInstall = '' From 147d861d92f8fd2ab6860e0aa7b97db07bd63c62 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 12 Feb 2016 16:10:06 +0000 Subject: [PATCH 236/507] opencascade: turn off format hardening --- pkgs/development/libraries/opencascade/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/opencascade/default.nix b/pkgs/development/libraries/opencascade/default.nix index ec15d9d631e6..bcf1b747180e 100644 --- a/pkgs/development/libraries/opencascade/default.nix +++ b/pkgs/development/libraries/opencascade/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation rec { # https://bugs.freedesktop.org/show_bug.cgi?id=83631 NIX_CFLAGS_COMPILE = "-DGLX_GLXEXT_LEGACY"; + hardening_format = false; + postInstall = '' mv $out/inc $out/include mkdir -p $out/share/doc/${name} From c572cc515954e9855cb42dd72af889934423163e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 16:16:52 +0000 Subject: [PATCH 237/507] qalculate-gtk: turn off format hardening --- pkgs/applications/science/math/qalculate-gtk/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/science/math/qalculate-gtk/default.nix b/pkgs/applications/science/math/qalculate-gtk/default.nix index 6bc5d874bc0d..77026eb490a1 100644 --- a/pkgs/applications/science/math/qalculate-gtk/default.nix +++ b/pkgs/applications/science/math/qalculate-gtk/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0b986x5yny9vrzgxlbyg80b23mxylxv2zz8ppd9svhva6vi8xsm4"; }; + hardening_format = false; + nativeBuildInputs = [ intltool pkgconfig ]; buildInputs = [ libqalculate gtk gnome2.libglade gnome2.libgnome gnome2.scrollkeeper ]; From f3dd927336bf9cc115480123b9847d0b982b60c2 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 16:21:42 +0000 Subject: [PATCH 238/507] musescore: turn off bindnow/relro hardening --- pkgs/applications/audio/musescore/default.nix | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/pkgs/applications/audio/musescore/default.nix b/pkgs/applications/audio/musescore/default.nix index e1f0472ce9e4..b6a98268a9bc 100644 --- a/pkgs/applications/audio/musescore/default.nix +++ b/pkgs/applications/audio/musescore/default.nix @@ -13,6 +13,9 @@ stdenv.mkDerivation rec { sha256 = "12a83v4i830gj76z5744034y1vvwzgy27mjbjp508yh9bd328yqw"; }; + hardening_bindnow = false; + hardening_relro = false; + makeFlags = [ "PREFIX=$(out)" ]; From 359ba5c971ec8aab1b62cc295e33da8f780b80ce Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Mon, 15 Feb 2016 19:58:45 +0100 Subject: [PATCH 239/507] strategoPackages: Not available anymore See 393977d800b5a1be040e111fd6da3d52b007ee0d. --- pkgs/development/compilers/webdsl/default.nix | 24 ------------------- pkgs/top-level/all-packages.nix | 2 -- pkgs/top-level/release.nix | 8 ------- 3 files changed, 34 deletions(-) delete mode 100644 pkgs/development/compilers/webdsl/default.nix diff --git a/pkgs/development/compilers/webdsl/default.nix b/pkgs/development/compilers/webdsl/default.nix deleted file mode 100644 index a0122319aed7..000000000000 --- a/pkgs/development/compilers/webdsl/default.nix +++ /dev/null 
@@ -1,24 +0,0 @@ -{ stdenv, fetchurl, pkgconfig, strategoPackages }: - -stdenv.mkDerivation rec { - name = "webdsl-9.7pre4168"; - - src = fetchurl { - url = "http://hydra.nixos.org/build/654196/download/1/${name}.tar.gz"; - sha256 = "08bec3ba02254ec7474ce70206b7be4390fe07456cfc57d927d96a21dd6dcb33"; - }; - - buildInputs = - [ pkgconfig strategoPackages.aterm strategoPackages.sdf - strategoPackages.strategoxt strategoPackages.javafront - ]; - - # This corrected a failing build on at least one 64 bit Linux system. - # See the comment about this here: http://webdsl.org/selectpage/Download/WebDSLOnLinux - preBuild = (if stdenv.system == "x86_64-linux" then "ulimit -s unlimited" else ""); - - meta = { - homepage = http://webdsl.org/; - description = "A domain-specific language for developing dynamic web applications with a rich data model"; - }; -} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index b6220b3e2ac5..88a085d6435b 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5041,8 +5041,6 @@ let vs90wrapper = callPackage ../development/compilers/vs90wrapper { }; - webdsl = callPackage ../development/compilers/webdsl { }; - win32hello = callPackage ../development/compilers/visual-c++/test { }; wrapCCWith = ccWrapper: libc: extraBuildCommands: baseCC: ccWrapper { diff --git a/pkgs/top-level/release.nix b/pkgs/top-level/release.nix index 34360a064efb..81bab2d6c0ce 100644 --- a/pkgs/top-level/release.nix +++ b/pkgs/top-level/release.nix @@ -245,14 +245,6 @@ let #rPackages = packagePlatforms pkgs.rPackages; - strategoPackages = { - sdf = linux; - strategoxt = linux; - javafront = linux; - strategoShell = linux ++ darwin; - dryad = linux; - }; - ocamlPackages = { }; perlPackages = { }; From 92e7adef40ca203de5e99d3a26b508bbd8da5199 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 12 Feb 2016 17:56:38 +0000 Subject: [PATCH 240/507] sct: fix hash --- pkgs/tools/X11/sct/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/X11/sct/default.nix b/pkgs/tools/X11/sct/default.nix index 4bf62e53f55b..2eed4335af12 100644 --- a/pkgs/tools/X11/sct/default.nix +++ b/pkgs/tools/X11/sct/default.nix @@ -4,7 +4,7 @@ stdenv.mkDerivation rec { buildInputs = [libX11 libXrandr]; src = fetchurl { url = http://www.tedunangst.com/flak/files/sct.c; - sha256 = "1bivy0sl5v1jsq4jbq6p9hplz6cvw4nx9rc96p2kxsg506rqllc5"; + sha256 = "01f3ndx3s6d2qh2xmbpmhd4962dyh8yp95l87xwrs4plqdz6knhd"; }; phases = ["patchPhase" "buildPhase" "installPhase"]; patchPhase = '' From 7eb42d9513b39ad6a64e133bb35809e7c29db653 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 18:02:25 +0000 Subject: [PATCH 241/507] setools: turn off format hardening --- pkgs/os-specific/linux/setools/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/setools/default.nix b/pkgs/os-specific/linux/setools/default.nix index bb17683800f1..6e8d9d3cf7a6 100644 --- a/pkgs/os-specific/linux/setools/default.nix +++ b/pkgs/os-specific/linux/setools/default.nix @@ -18,6 +18,8 @@ stdenv.mkDerivation rec { "--with-tcl=${tcl}/lib" ]; + hardening_format = false; + NIX_CFLAGS_COMPILE = "-fstack-protector-all"; NIX_LDFLAGS = "-L${libsepol}/lib -L${libselinux}/lib"; From 8483edcda09461641c1641188d861d04dfc57761 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 18:25:14 +0000 Subject: [PATCH 242/507] silc-client: turn off format hardening --- .../networking/instant-messengers/silc-client/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/networking/instant-messengers/silc-client/default.nix b/pkgs/applications/networking/instant-messengers/silc-client/default.nix index 133a15aebf8a..156b138f290f 100644 
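Review bot: The sct hunk replaces the sha256 of `sct.c` fetched from an unversioned, plain-http URL, so the build now accepts whatever that URL currently serves and the diff does not say what changed in the file. A hash bump against a mutable upstream should record why the content changed (a new upstream revision, or a silently replaced file), and ideally point `src` at a versioned or archived copy so the derivation pins a reviewable artifact rather than a moving target. If the new content is legitimate, a comment such as `# hash updated <DATE PLACEHOLDER>: upstream replaced sct.c (<CHANGE SUMMARY PLACEHOLDER>)` above the sha256 line would preserve that provenance.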
--- a/pkgs/applications/networking/instant-messengers/silc-client/default.nix +++ b/pkgs/applications/networking/instant-messengers/silc-client/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation { dontDisableStatic = true; + hardening_format = false; + configureFlags = "--with-ncurses=${ncurses}"; preConfigure = stdenv.lib.optionalString enablePlugin '' From 0782c5e810b5aa36eaefbae8c3e88e6857bc95db Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 18:27:08 +0000 Subject: [PATCH 243/507] sdcv: turn off format hardening --- pkgs/applications/misc/sdcv/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/misc/sdcv/default.nix b/pkgs/applications/misc/sdcv/default.nix index 3859d2c82abd..6a768d449582 100644 --- a/pkgs/applications/misc/sdcv/default.nix +++ b/pkgs/applications/misc/sdcv/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation rec { sha256 = "1cnyv7gd1qvz8ma8545d3aq726wxrx4km7ykl97831irx5wz0r51"; }; + hardening_format = false; + patches = ( if stdenv.isDarwin then [ ./sdcv.cpp.patch-darwin ./utils.hpp.patch ] else [ ./sdcv.cpp.patch ] ); From 24a5b240c8022a92449cfc0e933e42a8e289d619 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 18:30:46 +0000 Subject: [PATCH 244/507] squeak: turn off format hardening --- pkgs/development/compilers/squeak/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/squeak/default.nix b/pkgs/development/compilers/squeak/default.nix index 8aa980b72e60..341b8155c417 100644 --- a/pkgs/development/compilers/squeak/default.nix +++ b/pkgs/development/compilers/squeak/default.nix @@ -27,6 +27,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardening_format = false; + meta = with stdenv.lib; { description = "Smalltalk programming language and environment"; longDescription = '' From 983093cf4f8d137e62131384a04d5a34cafedeb6 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 12 Feb 2016 18:40:07 +0000 Subject: [PATCH 245/507] puremapping: 1.01 -> 20160130 old version was taken down --- pkgs/applications/audio/pd-plugins/puremapping/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/applications/audio/pd-plugins/puremapping/default.nix b/pkgs/applications/audio/pd-plugins/puremapping/default.nix index 2e9a37a2f0dd..9300d7461fec 100644 --- a/pkgs/applications/audio/pd-plugins/puremapping/default.nix +++ b/pkgs/applications/audio/pd-plugins/puremapping/default.nix @@ -1,12 +1,12 @@ { stdenv, fetchurl, unzip, puredata }: stdenv.mkDerivation rec { - name = "puremapping-1.01"; + name = "puremapping-20160130"; src = fetchurl { - url = "http://www.chnry.net/ch/IMG/zip/puremapping-libdir-generic.zip"; + url = "http://www.chnry.net/data/puremapping-20160130-generic.zip"; name = "puremapping"; - sha256 = "1ygzxsfj3rnzjkpmgi4wch810q8s5vm1gdam6a938hbbvamafgvc"; + sha256 = "1h7qgqd8srrxw2y1rkdw5js4k6f5vc8x6nlm2mq9mq9vjck7n1j7"; }; buildInputs = [ unzip puredata ]; From cdb220fd6f9306d518af73e7983d228c79c07efd Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Feb 2016 18:41:43 +0000 Subject: [PATCH 246/507] rsyslog: turn off format hardening --- pkgs/tools/system/rsyslog/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/system/rsyslog/default.nix b/pkgs/tools/system/rsyslog/default.nix index 5d3dbd861aa1..ef54bde3db56 100644 --- a/pkgs/tools/system/rsyslog/default.nix +++ b/pkgs/tools/system/rsyslog/default.nix @@ -28,6 +28,8 @@ stdenv.mkDerivation rec { rabbitmq-c hiredis ] ++ stdenv.lib.optional stdenv.isLinux systemd; + hardening_format = false; + configureFlags = [ "--sysconfdir=/etc" "--localstatedir=/var" From ea84b3a915987edea0fca8545b0136867da16844 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 12 Feb 2016 18:50:28 +0000 Subject: [PATCH 247/507] clib: turn off fortify hardening --- pkgs/tools/package-management/clib/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/package-management/clib/default.nix b/pkgs/tools/package-management/clib/default.nix index ae1213aee7c3..d52243dcea5c 100644 --- a/pkgs/tools/package-management/clib/default.nix +++ b/pkgs/tools/package-management/clib/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "0hbi5hf4w0iim96h89j7krxv61x92ffxjbldxp3zk92m5sgpldnm"; }; + hardening_fortify = false; + makeFlags = "PREFIX=$(out)"; buildInputs = [ curl ]; From 7204e10e4e8b776c073809849403ff5e1fabaf35 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 20 Feb 2016 21:51:26 +0000 Subject: [PATCH 248/507] zynaddsubfx: turn off format hardening --- pkgs/applications/audio/zynaddsubfx/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/audio/zynaddsubfx/default.nix b/pkgs/applications/audio/zynaddsubfx/default.nix index 84a62d34fa63..c784b33700e7 100644 --- a/pkgs/applications/audio/zynaddsubfx/default.nix +++ b/pkgs/applications/audio/zynaddsubfx/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { buildInputs = [ alsaLib libjack2 fftw fltk13 libjpeg minixml zlib liblo ]; nativeBuildInputs = [ cmake pkgconfig ]; + hardening_format = false; + meta = with stdenv.lib; { description = "High quality software synthesizer"; homepage = http://zynaddsubfx.sourceforge.net; From e370a9cf842c81ca8e5971b1d2fd628596dc99cf Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 20 Feb 2016 21:55:18 +0000 Subject: [PATCH 249/507] xmlrpc_c: turn off format hardening --- pkgs/development/libraries/xmlrpc-c/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/xmlrpc-c/default.nix b/pkgs/development/libraries/xmlrpc-c/default.nix index 56bcba8297de..0d787092a3cd 100644 --- a/pkgs/development/libraries/xmlrpc-c/default.nix 
+++ b/pkgs/development/libraries/xmlrpc-c/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { (cd tools/xmlrpc && make && make install) ''; + hardening_format = false; + meta = with stdenv.lib; { description = "A lightweight RPC library based on XML and HTTP"; homepage = http://xmlrpc-c.sourceforge.net/; From 00c53f31c23bdb1a0c8d45148c3345b5574df7ea Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 20 Feb 2016 21:58:30 +0000 Subject: [PATCH 250/507] xfstests: turn off format hardening --- pkgs/tools/misc/xfstests/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/xfstests/default.nix b/pkgs/tools/misc/xfstests/default.nix index b7c1795c0372..cef5fee9cf93 100644 --- a/pkgs/tools/misc/xfstests/default.nix +++ b/pkgs/tools/misc/xfstests/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation { buildInputs = [ acl autoreconfHook attr gawk libaio libuuid libxfs openssl perl ]; + hardening_format = false; + patchPhase = '' # Patch the destination directory sed -i include/builddefs.in -e "s|^PKG_LIB_DIR\s*=.*|PKG_LIB_DIR=$out/lib/xfstests|" From 55b83dc0a01b62a5170893feb527e2f16c606971 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 20 Feb 2016 22:00:56 +0000 Subject: [PATCH 251/507] xfig: turn off format hardening --- pkgs/applications/graphics/xfig/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/graphics/xfig/default.nix b/pkgs/applications/graphics/xfig/default.nix index 9e53fe3efe2c..4f8f3ac16f4b 100644 --- a/pkgs/applications/graphics/xfig/default.nix +++ b/pkgs/applications/graphics/xfig/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation { nativeBuildInputs = [ imake makeWrapper ]; + hardening_format = false; + NIX_CFLAGS_COMPILE = "-I${libXpm}/include/X11"; patches = From 8641b9dec4d6d66c7414f4c64f38e70be89b2af7 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Sat, 20 Feb 2016 22:17:54 +0000 Subject: [PATCH 252/507] mjpegtools: turn off format hardening --- pkgs/tools/video/mjpegtools/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/tools/video/mjpegtools/default.nix b/pkgs/tools/video/mjpegtools/default.nix index 33b497fa3eb4..989649c580f2 100644 --- a/pkgs/tools/video/mjpegtools/default.nix +++ b/pkgs/tools/video/mjpegtools/default.nix @@ -7,9 +7,13 @@ stdenv.mkDerivation rec { name = "mjpegtools-2.1.0"; + src = fetchurl { url = "mirror://sourceforge/mjpeg/${name}.tar.gz"; sha256 = "01y4xpfdvd4zgv6fmcjny9mr1gbfd4y2i4adp657ydw6fqyi8kw6"; }; + buildInputs = [ gtk libdv libjpeg libpng libX11 pkgconfig SDL SDL_gfx ]; + + hardening_format = false; } From ea1de67f359fce9bf6308a6736df6cfeb70d8339 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 20 Feb 2016 22:33:10 +0000 Subject: [PATCH 253/507] tesseract: turn off format hardening --- pkgs/applications/graphics/tesseract/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/graphics/tesseract/default.nix b/pkgs/applications/graphics/tesseract/default.nix index b531c41e2d8a..b3db2fde4cb2 100644 --- a/pkgs/applications/graphics/tesseract/default.nix +++ b/pkgs/applications/graphics/tesseract/default.nix @@ -38,6 +38,8 @@ stdenv.mkDerivation rec { buildInputs = [ autoconf automake libtool leptonica libpng libtiff ]; + hardening_format = false; + preConfigure = '' ./autogen.sh substituteInPlace "configure" \ From f2d5bda7c9f7610810588ade440d37c69b613e20 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 20 Feb 2016 22:34:06 +0000 Subject: [PATCH 254/507] vimprobable2: turn off format hardening --- .../networking/browsers/vimprobable2/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/applications/networking/browsers/vimprobable2/default.nix b/pkgs/applications/networking/browsers/vimprobable2/default.nix index 6f8eede9b3f8..3d40aa1f60cc 100644 
--- a/pkgs/applications/networking/browsers/vimprobable2/default.nix +++ b/pkgs/applications/networking/browsers/vimprobable2/default.nix @@ -11,9 +11,9 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ]; - installPhase = '' - make PREFIX=/ DESTDIR=$out install - ''; + hardening_format = false; + + installFlags = "PREFIX=/ DESTDIR=$(out)"; preFixup = '' wrapProgram "$out/bin/vimprobable2" \ @@ -32,7 +32,7 @@ stdenv.mkDerivation rec { GTK bindings). The goal of Vimprobable is to build a completely keyboard-driven, efficient and pleasurable browsing-experience. Its featureset might be considered "minimalistic", but not as minimalistic as - being completely featureless. + being completely featureless. ''; homepage = "http://sourceforge.net/apps/trac/vimprobable"; license = stdenv.lib.licenses.mit; From 99087d92166731e74a0e16e01f9ea3ab60ab36c6 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 21 Feb 2016 09:44:40 +0000 Subject: [PATCH 255/507] trickle: turn off format hardening --- pkgs/tools/networking/trickle/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/networking/trickle/default.nix b/pkgs/tools/networking/trickle/default.nix index d10e645dc874..22f991d8fe2a 100644 --- a/pkgs/tools/networking/trickle/default.nix +++ b/pkgs/tools/networking/trickle/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0s1qq3k5mpcs9i7ng0l9fvr1f75abpbzfi1jaf3zpzbs1dz50dlx"; }; - buildInputs = [libevent]; + buildInputs = [ libevent ]; preConfigure = '' sed -i 's|libevent.a|libevent.so|' configure @@ -22,6 +22,8 @@ stdenv.mkDerivation rec { configureFlags = "--with-libevent"; + hardening_format = false; + meta = { description = "Lightweight userspace bandwidth shaper"; license = stdenv.lib.licenses.bsd3; From 3fead71a0e53fabd568495a771ee518ebdb8d051 Mon Sep 17 00:00:00 2001 
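Review bot: The first vimprobable2 hunk replaces the custom `installPhase` with `installFlags = "PREFIX=/ DESTDIR=$(out)";`, a build-behaviour change that the commit title ("turn off format hardening") does not mention; it should be stated in the message or split into its own commit, since the package now relies on the default installPhase running `make install` with those flags, which is presumably equivalent but is not obviously so to a reader of the log. The second hunk only strips trailing whitespace. The trickle hunks on this line likewise mix an unrelated `buildInputs = [ libevent ];` whitespace change with the hardening override.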
From: Robin Gloster Date: Sun, 21 Feb 2016 10:01:22 +0000 Subject: [PATCH 256/507] facter: remove obsolete PIC handling (default now) --- pkgs/tools/system/facter/default.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pkgs/tools/system/facter/default.nix b/pkgs/tools/system/facter/default.nix index c0328636536c..117a3c1c1a2d 100644 --- a/pkgs/tools/system/facter/default.nix +++ b/pkgs/tools/system/facter/default.nix @@ -8,9 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1ngp3xjdh6x1w7lsi4lji2xzqp0x950jngcdlq11lcr0wfnzwyxj"; }; - libyamlcpp_ = libyamlcpp.override { makePIC = true; }; - - buildInputs = [ boost cmake curl libyamlcpp_ openssl utillinux ]; + buildInputs = [ boost cmake curl libyamlcpp openssl utillinux ]; meta = with stdenv.lib; { homepage = https://github.com/puppetlabs/facter; From 58c377b9aa7a54f6e3f216c228a8556dff9a6929 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 21 Feb 2016 10:06:49 +0000 Subject: [PATCH 257/507] kde5.calamares: 1.0 -> 1.1.4.2 fixes build and removes obsolete PIC handling --- pkgs/tools/misc/calamares/default.nix | 15 ++++++++------- pkgs/top-level/all-packages.nix | 9 ++++----- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/pkgs/tools/misc/calamares/default.nix b/pkgs/tools/misc/calamares/default.nix index ab00d52c7779..075f925c92f2 100644 --- a/pkgs/tools/misc/calamares/default.nix +++ b/pkgs/tools/misc/calamares/default.nix 
@@ -1,15 +1,16 @@ -{ stdenv, fetchgit, cmake, polkit-qt, libyamlcpp, python, boost, parted +{ stdenv, fetchurl, cmake, polkit-qt, libyamlcpp, python, boost, parted , extra-cmake-modules, kconfig, ki18n, kcoreaddons, solid, utillinux, libatasmart , ckbcomp, glibc, tzdata, xkeyboard_config, qtbase, qtquick1, qtsvg, qttools }: stdenv.mkDerivation rec { - name = "calamares-${version}"; - version = "1.0"; + name = "${pname}-${version}"; + pname = "calamares"; + version = "1.1.4.2"; - src = fetchgit { - url = "https://github.com/calamares/calamares.git"; - rev = "dabfb68a68cb012a90cd7b94a22e1ea08f7dd8ad"; - sha256 = "2851ce487aaac61d2df342a47f91ec87fe52ff036227ef697caa7056fe5f188c"; + # release including submodule + src = fetchurl { + url = "https://github.com/${pname}/${pname}/releases/download/v${version}/${name}.tar.gz"; + sha256 = "1mh0nmzc3i1aqcj79q2s3vpccn0mirlfbj26sfyb0v6gcrvf707d"; }; buildInputs = [ diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 4df410328473..65789fd040db 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
@@ -14964,18 +14964,17 @@ let calamares = callPackage ../tools/misc/calamares rec { python = python3; - boost = pkgs.boost.override { python=python3; }; - libyamlcpp = callPackage ../development/libraries/libyaml-cpp { makePIC=true; boost=boost; }; + boost = pkgs.boost.override { python = python3; }; + libyamlcpp = callPackage ../development/libraries/libyaml-cpp { boost = boost; }; }; dfilemanager = callPackage ../applications/misc/dfilemanager { }; fcitx-qt5 = callPackage ../tools/inputmethods/fcitx/fcitx-qt5.nix { }; - k9copy = callPackage ../applications/video/k9copy {}; + k9copy = callPackage ../applications/video/k9copy { }; - konversation = callPackage ../applications/networking/irc/konversation/1.6.nix { - }; + konversation = callPackage ../applications/networking/irc/konversation/1.6.nix { }; quassel = callPackage ../applications/networking/irc/quassel/qt-5.nix { monolithic = true; From 289599367d5aae16e6e1bd360fc297deca5058ed Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 21 Feb 2016 10:23:57 +0000 Subject: [PATCH 258/507] stress-ng: 0.05.00 -> 0.05.18 fixes build after broken hash --- pkgs/tools/system/stress-ng/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/system/stress-ng/default.nix b/pkgs/tools/system/stress-ng/default.nix index a973d143fa97..692fd250f836 100644 --- a/pkgs/tools/system/stress-ng/default.nix +++ b/pkgs/tools/system/stress-ng/default.nix @@ -2,10 +2,10 @@ stdenv.mkDerivation rec { name = "stress-ng-${version}"; - version = "0.05.00"; + version = "0.05.18"; src = fetchurl { - sha256 = "0ppri86z6fj48nm5l0x1r8mh7mwaf7bvhmi10jz6a8w7apnc181w"; + sha256 = "13x0cc4gfakz7vikc6b2vjbk1gw5awyp9i6843di7lnkx1ba177r"; url = "http://kernel.ubuntu.com/~cking/tarballs/stress-ng/${name}.tar.gz"; }; From 25dfa39faca704bc8a594db151d34dec0aa3158e Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Sun, 21 Feb 2016 10:40:34 +0000 Subject: [PATCH 259/507] facetimehd: turn off PIC hardening --- pkgs/os-specific/linux/facetimehd/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/facetimehd/default.nix b/pkgs/os-specific/linux/facetimehd/default.nix index 06e6abfe4177..48494bd6b187 100644 --- a/pkgs/os-specific/linux/facetimehd/default.nix +++ b/pkgs/os-specific/linux/facetimehd/default.nix @@ -4,7 +4,6 @@ assert stdenv.lib.versionAtLeast kernel.version "3.19"; stdenv.mkDerivation rec { - name = "facetimehd-${version}-${kernel.version}"; version = "git-20160127"; @@ -19,6 +18,8 @@ stdenv.mkDerivation rec { export INSTALL_MOD_PATH="$out" ''; + hardening_pic = false; + makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ]; @@ -30,5 +31,4 @@ stdenv.mkDerivation rec { maintainers = [ maintainers.womfoo ]; platforms = platforms.linux; }; - } From 27e8d31b1afba4aa9deca84948def09971c3574c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 21 Feb 2016 10:53:04 +0000 Subject: [PATCH 260/507] torcs: turn off format hardening and remove obsolete flag --- pkgs/games/torcs/default.nix | 2 ++ pkgs/top-level/all-packages.nix | 6 +----- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/pkgs/games/torcs/default.nix b/pkgs/games/torcs/default.nix index e6370d6e7c61..fd320a32180e 100644 --- a/pkgs/games/torcs/default.nix +++ b/pkgs/games/torcs/default.nix @@ -21,6 +21,8 @@ stdenv.mkDerivation rec { installTargets = "install datainstall"; + hardening_format = false; + meta = { description = "Car racing game"; homepage = http://torcs.sourceforge.net/; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 65789fd040db..9a35d98bef38 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
@@ -14582,11 +14582,7 @@ let libpng = libpng12; }; - torcs = callPackage ../games/torcs { - # Torcs wants to make shared libraries linked with plib libraries (it provides static). - # i686 is the only platform I know than can do that linking without plib built with -fPIC - plib = plib.override { enablePIC = !stdenv.isi686; }; - }; + torcs = callPackage ../games/torcs { }; trigger = callPackage ../games/trigger { }; From 0102e6970720c2f24ad495ba0416b28975450804 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 21 Feb 2016 11:39:41 +0000 Subject: [PATCH 261/507] haskellPackages.c2hs: fix evaluation --- pkgs/development/haskell-modules/configuration-common.nix | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index f163874f2361..f6eae83a20c5 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -44,11 +44,9 @@ self: super: { options_1_2 = dontCheck super.options_1_2; options = dontCheck super.options; statistics = dontCheck super.statistics; - c2hs = let c2hs_ = pkgs.stdenv.lib.overrideDerivation super.c2hs (drv: { - hardening_format = false; - doCheck = false; - }); - in if pkgs.stdenv.isDarwin then dontCheck c2hs_ else c2hs_; + c2hs = pkgs.lib.overrideDerivation (dontCheck super.c2hs) (drv: { + hardening_format = false; + }); # The package doesn't compile with ruby 1.9, which is our default at the moment. hruby = super.hruby.override { ruby = pkgs.ruby_2_1; }; From 1eed9435d55fbe12b36f58a924f9448f727ca8ab Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 21 Feb 2016 11:40:16 +0000 Subject: [PATCH 262/507] haskellPackages.glib: simplify --- pkgs/development/haskell-modules/configuration-common.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
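Review bot: The new c2hs expression keeps setting `hardening_format = false` through `pkgs.lib.overrideDerivation`, which re-runs `derivation` on the already-assembled attribute set rather than going back through `stdenv.mkDerivation`; if the hardened adapter computes NIX_CFLAGS_COMPILE at mkDerivation time (as the adapters.nix hunk in patch 275 suggests), the attribute set this way is presumably never consulted and `-Werror=format-security` stays on. The glib hunk in patch 262 moves from `overrideCabal` to the same `overrideDerivation` pattern with `hardening_fortify = false;` and has the same concern, made more likely by patch 263 removing the `hardening_fortify ? true` argument from the generic builder. Worth verifying by inspecting NIX_CFLAGS_COMPILE on the instantiated .drv; if the flag is ignored there, the override has to reach mkDerivation through the builder's arguments instead.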
diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index f6eae83a20c5..eca1343e5137 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -244,9 +244,9 @@ self: super: { gio_0_13_0_3 = addPkgconfigDepend super.gio_0_13_0_3 pkgs.glib; gio_0_13_0_4 = addPkgconfigDepend super.gio_0_13_0_4 pkgs.glib; gio_0_13_1_0 = addPkgconfigDepend super.gio_0_13_1_0 pkgs.glib; - glib = addPkgconfigDepend (overrideCabal super.glib (drv: { + glib = pkgs.lib.overrideDerivation (addPkgconfigDepend super.glib pkgs.glib) (drv: { hardening_fortify = false; - })) pkgs.glib; + }); gtk3 = super.gtk3.override { inherit (pkgs) gtk3; }; gtk = addPkgconfigDepend super.gtk pkgs.gtk; gtksourceview2 = (addPkgconfigDepend super.gtksourceview2 pkgs.gtk2).override { inherit (pkgs.gnome2) gtksourceview; }; From 23b4e6e19d346c2e96a8f665678184cddda44721 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 21 Feb 2016 11:41:04 +0000 Subject: [PATCH 263/507] haskellPackages: remove unnecessary hardening handling --- pkgs/development/haskell-modules/generic-builder.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/development/haskell-modules/generic-builder.nix b/pkgs/development/haskell-modules/generic-builder.nix index fb8781bd7504..b871b7d73faa 100644 --- a/pkgs/development/haskell-modules/generic-builder.nix +++ b/pkgs/development/haskell-modules/generic-builder.nix @@ -45,7 +45,6 @@ , checkPhase ? "", preCheck ? "", postCheck ? "" , preFixup ? "", postFixup ? "" , shellHook ? "" -, hardening_fortify ? true , coreSetup ? false # Use only core packages to build Setup.hs. , useCpphs ? false } @ args: 
@@ -320,6 +319,5 @@ stdenv.mkDerivation ({ // optionalAttrs (preFixup != "") { inherit preFixup; } // optionalAttrs (postFixup != "") { inherit postFixup; } // optionalAttrs (dontStrip) { inherit dontStrip; } -// optionalAttrs (!hardening_fortify) { inherit hardening_fortify; } // optionalAttrs (stdenv.isLinux) { LOCALE_ARCHIVE = "${glibcLocales}/lib/locale/locale-archive"; } ) From e0fa05f66215ee7b262f4adf9f9049806ee17372 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 21 Feb 2016 22:53:24 +0000 Subject: [PATCH 264/507] telnet: turn off format hardening --- pkgs/tools/networking/telnet/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/networking/telnet/default.nix b/pkgs/tools/networking/telnet/default.nix index 9827b62c6c4a..3fe6144b72ca 100644 --- a/pkgs/tools/networking/telnet/default.nix +++ b/pkgs/tools/networking/telnet/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation { sha256 = "0cs7ks22dhcn5qfjv2vl6ikhw93x68gg33zdn5f5cxgg81kx5afn"; }; + hardening_format = false; + buildInputs = [ncurses]; meta = { From 00903f48201307d8995386f9fc50cd12e24d5d40 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 21 Feb 2016 23:56:49 +0000 Subject: [PATCH 265/507] jbig2enc: add upstream patch to fix build --- pkgs/tools/graphics/jbig2enc/default.nix | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/graphics/jbig2enc/default.nix b/pkgs/tools/graphics/jbig2enc/default.nix index 71f0789286a1..a6f6c437612f 100644 --- a/pkgs/tools/graphics/jbig2enc/default.nix +++ b/pkgs/tools/graphics/jbig2enc/default.nix @@ -1,4 +1,6 @@ -{stdenv, fetchurl, leptonica, zlib, libwebp, giflib, libjpeg, libpng, libtiff }: stdenv.mkDerivation { +{ stdenv, fetchurl, fetchpatch, leptonica, zlib, libwebp, giflib, libjpeg, libpng, libtiff }: + +stdenv.mkDerivation { name = "jbig2enc-0.28"; src = fetchurl { 
@@ -6,6 +8,13 @@ sha256 = "1wc0lmqz4jag3rhhk1xczlqpfv2qqp3fz7wzic2lba3vsbi1rrw3"; }; + patches = [ + (fetchpatch { + url = "https://github.com/agl/jbig2enc/commit/53ce5fe7e73d7ed95c9e12b52dd4984723f865fa.diff"; + sha256 = "0n6s24i1fy9xspawns3r0kmx2fl0q3wqp68l1yai36jhfw08i3n4"; + }) + ]; + propagatedBuildInputs = [ leptonica zlib libwebp giflib libjpeg libpng libtiff ]; # This is necessary, because the resulting library has From 1d713761d948c7c93f4405338e3a5b3eac1b59ba Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 22 Feb 2016 00:21:26 +0000 Subject: [PATCH 266/507] ldm: add include to fix build --- pkgs/os-specific/linux/ldm/default.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/ldm/default.nix b/pkgs/os-specific/linux/ldm/default.nix index c5e94ed81e9a..5332fc0bf3d4 100644 --- a/pkgs/os-specific/linux/ldm/default.nix +++ b/pkgs/os-specific/linux/ldm/default.nix @@ -19,12 +19,13 @@ stdenv.mkDerivation rec { buildInputs = [ udev utillinux ]; - preBuild = '' + postPatch = '' + sed -i '1i#include ' ldm.c substituteInPlace ldm.c \ --replace "/mnt/" "${mountPath}" ''; - buildPhase = "make ldm"; + buildFlags = "ldm"; installPhase = '' mkdir -p $out/bin From 5923f792e15ad4176980ebab6645af217300b102 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 22 Feb 2016 00:22:28 +0000 Subject: [PATCH 267/507] uae: turn off format hardening --- pkgs/misc/emulators/uae/default.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/pkgs/misc/emulators/uae/default.nix b/pkgs/misc/emulators/uae/default.nix index f877eff5c641..54620699f2d8 100644 --- a/pkgs/misc/emulators/uae/default.nix +++ b/pkgs/misc/emulators/uae/default.nix 
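Review bot: As rendered, the added line `sed -i '1i#include ' ldm.c` inserts an `#include` with no header name, which would itself be a compile error; presumably the angle-bracketed header was dropped when this page was extracted, but the applied patch should be checked to contain the intended `#include <HEADER>` (placeholder for the real header). Inserting at line 1 also places the include above whatever ldm.c opens with; if the file defines feature-test macros before its own includes, the new include would be evaluated before them, and a sed anchored after those defines would be safer. The `buildPhase = "make ldm"` to `buildFlags = "ldm"` change looks fine.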
@@ -2,13 +2,18 @@ stdenv.mkDerivation rec { name = "uae-0.8.29"; + src = fetchurl { url = "http://web.archive.org/web/20130905032631/http://www.amigaemulator.org/files/sources/develop/${name}.tar.bz2"; sha256 = "05s3cd1rd5a970s938qf4c2xm3l7f54g5iaqw56v8smk355m4qr4"; }; + configureFlags = [ "--with-sdl" "--with-sdl-sound" "--with-sdl-gfx" "--with-alsa" ]; + buildInputs = [ pkgconfig gtk alsaLib SDL ]; - + + hardening_format = false; + meta = { description = "Ultimate/Unix/Unusable Amiga Emulator"; license = stdenv.lib.licenses.gpl2Plus; From 911d22f88dd4b24230caa120cdaf8b02cf0eb427 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 22 Feb 2016 00:23:15 +0000 Subject: [PATCH 268/507] nixpkgs docs: format hardening --- doc/stdenv.xml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/doc/stdenv.xml b/doc/stdenv.xml index f8d9acb2fb0c..0c2bb0339578 100644 --- a/doc/stdenv.xml +++ b/doc/stdenv.xml @@ -1317,6 +1317,33 @@ in the default system locations. +
Hardening in Nixpkgs + +By default some flags to harden packages at compile or link-time are set: + + + + + hardening_format + Adds the compiler options. At present, + this warns about calls to printf and scanf functions where the + format string is not a string literal and there are no format + arguments, as in printf(foo);. This may be + a security hole if the format string came from untrusted input + and contains %n. + + This needs to be turned off or fixed for errors similar to: + + +/tmp/nix-build-zynaddsubfx-2.5.2.drv-0/zynaddsubfx-2.5.2/src/UI/guimain.cpp:571:28: error: format not a string literal and no format arguments [-Werror=format-security] + printf(help_message); + ^ +cc1plus: some warnings being treated as errors + + + +
From fda63b8b579aff758ae92e7e1a65a5a480231c6b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 22 Feb 2016 00:33:01 +0000 Subject: [PATCH 269/507] nixpkgs docs: stackprotector hardening --- doc/stdenv.xml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/doc/stdenv.xml b/doc/stdenv.xml index 0c2bb0339578..51a27dcdbc08 100644 --- a/doc/stdenv.xml +++ b/doc/stdenv.xml @@ -1342,6 +1342,22 @@ in the default system locations. cc1plus: some warnings being treated as errors + + + hardening_stackprotector + Adds the + compiler options. This adds safety checks against stack overwrites + rendering many potential code injection attacks into aborting situations. + In the best case this turns code injection vulnerabilities into denial + of service or into non-issues (depending on the application). + + This needs to be turned off or fixed for errors similar to: + + +bin/blib.a(bios_console.o): In function `bios_handle_cup': +/tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail' + + From 828b408f7fc7b489514e287ed7d720f423c98a41 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 22 Feb 2016 00:44:58 +0000 Subject: [PATCH 270/507] ipxe: turn off pic/stackprotector hardening --- pkgs/tools/misc/ipxe/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/tools/misc/ipxe/default.nix b/pkgs/tools/misc/ipxe/default.nix index e4c161b2e51c..0830eb51b3ca 100644 --- a/pkgs/tools/misc/ipxe/default.nix +++ b/pkgs/tools/misc/ipxe/default.nix @@ -18,6 +18,10 @@ stdenv.mkDerivation { preConfigure = "cd src"; + # not possible due to assembler code + hardening_pic = false; + hardening_stackprotector = false; + makeFlags = [ "ECHO_E_BIN_ECHO=echo" "ECHO_E_BIN_ECHO_E=echo" # No /bin/echo here. "ISOLINUX_BIN_LIST=${syslinux}/share/syslinux/isolinux.bin" From abac1eb91893a67a20dae8710ac41a76061e6b36 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Mon, 22 Feb 2016 01:43:25 +0000 Subject: [PATCH 271/507] inferno: turn off fortify hardening --- pkgs/applications/inferno/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/inferno/default.nix b/pkgs/applications/inferno/default.nix index a0e2796a3025..a1c4bd912f29 100644 --- a/pkgs/applications/inferno/default.nix +++ b/pkgs/applications/inferno/default.nix @@ -54,6 +54,8 @@ stdenv.mkDerivation rec { --set INFERNO_ROOT "$out/share/inferno" ''; + hardening_fortify = false; + meta = { description = "A compact distributed operating system for building cross-platform distributed systems"; homepage = "http://inferno-os.org/"; From 9b4c99edc65fa5278d8ffed2aa2c7cfa6c8367b8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 22 Feb 2016 08:47:25 +0000 Subject: [PATCH 272/507] gcc43/ghdl: turn off format hardening --- pkgs/development/compilers/gcc/4.3/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/development/compilers/gcc/4.3/default.nix b/pkgs/development/compilers/gcc/4.3/default.nix index 3db8ee5f3ea7..0ad156c53e5c 100644 --- a/pkgs/development/compilers/gcc/4.3/default.nix +++ b/pkgs/development/compilers/gcc/4.3/default.nix @@ -82,7 +82,7 @@ stdenv.mkDerivation ({ ++ optional langJava ./java-jvgenmain-link.patch ++ optional langVhdl ./ghdl-ortho-cflags.patch ++ optional langVhdl ./ghdl-runtime-o2.patch; - + inherit noSysDirs profiledCompiler staticCompiler crossStageStatic binutilsCross libcCross; targetConfig = if cross != null then cross.config else null; @@ -95,6 +95,8 @@ stdenv.mkDerivation ({ ++ (optionals langVhdl [gnat]) ; + hardening_format = false; + configureFlags = " ${if enableMultilib then "" else "--disable-multilib"} ${if enableShared then "" else "--disable-shared"} 
@@ -124,7 +126,7 @@ stdenv.mkDerivation ({ NIX_EXTRA_LDFLAGS = if staticCompiler then "-static" else ""; inherit gmp mpfr; - + passthru = { inherit langC langCC langFortran langVhdl langTreelang enableMultilib; }; From 95325aa96ff1070292877b3ab5d30f84dea53773 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 22 Feb 2016 08:57:20 +0000 Subject: [PATCH 273/507] vacuum: use mkDerivation and turn off format hardening --- .../instant-messengers/vacuum/default.nix | 65 ++++++------------- 1 file changed, 20 insertions(+), 45 deletions(-) diff --git a/pkgs/applications/networking/instant-messengers/vacuum/default.nix b/pkgs/applications/networking/instant-messengers/vacuum/default.nix index 205c21adab42..181cd3301e38 100644 --- a/pkgs/applications/networking/instant-messengers/vacuum/default.nix +++ b/pkgs/applications/networking/instant-messengers/vacuum/default.nix 
@@ -1,56 +1,31 @@ -x@{builderDefsPackage - , qt4, openssl - , xproto, libX11, libXScrnSaver, scrnsaverproto - , xz - , ...}: -builderDefsPackage -(a : -let - helperArgNames = ["stdenv" "fetchurl" "builderDefsPackage"] ++ - []; +{ stdenv, fetchurl, qt4, openssl, xproto, libX11 +, libXScrnSaver, scrnsaverproto, xz +}: - buildInputs = map (n: builtins.getAttr n x) - (builtins.attrNames (builtins.removeAttrs x helperArgNames)); - sourceInfo = rec { - version="1.2.4"; - baseName="vacuum-im"; - name="${baseName}-${version}"; +stdenv.mkDerivation rec { + name="${baseName}-${version}"; + baseName = "vacuum-im"; + version = "1.2.4"; + + src = fetchurl { url="https://googledrive.com/host/0B7A5K_290X8-d1hjQmJaSGZmTTA/vacuum-1.2.4.tar.gz"; sha256="10qxpfbbaagqcalhk0nagvi5irbbz5hk31w19lba8hxf6pfylrhf"; }; -in -rec { - src = a.fetchurl { - url = sourceInfo.url; - sha256 = sourceInfo.sha256; - }; - inherit (sourceInfo) name version; - inherit buildInputs; + configurePhase = "qmake INSTALL_PREFIX=$out -recursive vacuum.pro"; - /* doConfigure should be removed if not needed */ - phaseNames = ["addInputs" "doQMake" "doMakeInstall"]; + hardening_format = false; - doQMake = a.fullDepEntry ('' - qmake INSTALL_PREFIX=$out -recursive vacuum.pro - '') ["doUnpack" "addInputs"]; - - meta = { + buildInputs = [ + qt4 openssl xproto libX11 libXScrnSaver scrnsaverproto xz + ]; + + meta = with stdenv.lib; { description = "An XMPP client fully composed of plugins"; - maintainers = with a.lib.maintainers; - [ - raskin - ]; - platforms = with a.lib.platforms; - linux; - license = with a.lib.licenses; - gpl3; + maintainers = with maintainers; [ raskin ]; + platforms = with platforms; linux; + license = with licenses; gpl3; homepage = "http://code.google.com/p/vacuum-im/"; }; - passthru = { - updateInfo = { - downloadPage = "http://code.google.com/p/vacuum-im/downloads/list?can=2&q=&colspec=Filename"; - }; - }; -}) x +} From 35f92d9810f334cd16e4cb5f2a5f968a4a7c2093 Mon Sep 17 00:00:00 2001 
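Review bot: In the rewritten vacuum expression the `name`, `url` and `sha256` bindings are written without spaces around `=` (`name="${baseName}-${version}";`) while every neighbouring binding in the same hunk uses `name = value;`; since the commit is already a full restyle to mkDerivation, these three lines should match, e.g. `name = "${baseName}-${version}";`. The hunk also drops the old `passthru.updateInfo.downloadPage` attribute without the commit message saying so; if it is intentionally obsolete, that deserves one line in the message.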
From: Robin Gloster Date: Mon, 22 Feb 2016 09:45:31 +0000 Subject: [PATCH 274/507] xfce4-12.xfce4_verve_plugin: turn off format hardening --- pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix index 603a68cc5f67..415c6bc6cfb7 100644 --- a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix +++ b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig intltool glib exo pcre libxfce4util libxfce4ui xfce4panel xfconf gtk ]; + hardening_format = false; + meta = { homepage = "http://goodies.xfce.org/projects/panel-plugins/${p_name}"; description = "A command-line plugin"; From 57d6a38ed513e80fbd4135b7c2d3a9326a2649fc Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 22 Feb 2016 18:31:04 +0000 Subject: [PATCH 275/507] stdenv: change hardening flags * remove relro/bindnow from compile flags as they break clang * use fstackprotector-strong instead of fstackprotector-all for speed --- pkgs/stdenv/adapters.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix index 5a5550ebb049..4f092ee1d97c 100644 --- a/pkgs/stdenv/adapters.nix +++ b/pkgs/stdenv/adapters.nix 
@@ -241,11 +241,9 @@ rec { NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "") + stdenv.lib.optionalString (args.hardening_all or true) ( stdenv.lib.optionalString (args.hardening_fortify or true) " -O2 -D_FORTIFY_SOURCE=2" - + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-all" + + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-strong" + stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie" + stdenv.lib.optionalString (args.hardening_pic or true) " -fPIC" - + stdenv.lib.optionalString (args.hardening_relro or true) " -Wl,-z,relro" - + stdenv.lib.optionalString (args.hardening_bindnow or true) " -Wl,-z,now" + stdenv.lib.optionalString (args.hardening_strictoverflow or true) " -fno-strict-overflow" + stdenv.lib.optionalString (args.hardening_format or true) " -Wformat -Wformat-security -Werror=format-security" ); From 402d57ee8e54f5f5e9398f61d1934de3ff66cf3c Mon Sep 17 00:00:00 2001 
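Review bot: Removing the `-Wl,-z,relro` and `-Wl,-z,now` terms from NIX_CFLAGS_COMPILE switches full RELRO off for every package built with the hardened stdenv, because nothing in this hunk re-adds them on the link side; the commit message only says they were removed from the compile flags because they break clang, which argues for moving them, not dropping them. Passing them through NIX_LDFLAGS, assuming the ld wrapper in this stdenv consumes it as elsewhere in nixpkgs, keeps the compiler front end out of the picture while leaving `hardening_relro`/`hardening_bindnow` meaningful. The surrounding `rec { ... }` adapter starts and ends outside the hunk, so the exact placement of the new attribute next to NIX_CFLAGS_COMPILE is inferred.
```nix
NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "") + stdenv.lib.optionalString (args.hardening_all or true) (
  # … unchanged: fortify / stackprotector / pie / pic / strictoverflow / format terms …
);
NIX_LDFLAGS = toString (args.NIX_LDFLAGS or "") + stdenv.lib.optionalString (args.hardening_all or true) (
  stdenv.lib.optionalString (args.hardening_relro or true) " -z relro"
  + stdenv.lib.optionalString (args.hardening_bindnow or true) " -z now"
);
```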
From: Robin Gloster Date: Mon, 22 Feb 2016 18:32:53 +0000 Subject: [PATCH 276/507] bootstrap env: disable stackprotector hardening until gcc >=4.9 --- pkgs/development/compilers/gcc/4.9/default.nix | 4 +++- pkgs/development/interpreters/perl/5.20/default.nix | 3 +++ pkgs/development/libraries/cloog/0.18.0.nix | 3 +++ pkgs/development/libraries/gettext/default.nix | 2 ++ pkgs/development/libraries/gmp/5.1.x.nix | 3 +++ pkgs/development/libraries/isl/0.11.1.nix | 3 +++ pkgs/development/libraries/libelf/default.nix | 3 +++ pkgs/development/libraries/libmpc/default.nix | 3 +++ pkgs/development/libraries/mpfr/default.nix | 3 +++ pkgs/development/libraries/zlib/default.nix | 3 +++ pkgs/development/tools/misc/binutils/default.nix | 3 +++ pkgs/development/tools/misc/gnum4/default.nix | 3 +++ pkgs/development/tools/misc/patchelf/default.nix | 3 +++ pkgs/development/tools/misc/texinfo/6.0.nix | 3 +++ pkgs/development/tools/parsing/bison/3.x.nix | 3 +++ pkgs/os-specific/linux/kernel-headers/3.18.nix | 3 +++ pkgs/os-specific/linux/paxctl/default.nix | 3 +++ pkgs/tools/compression/xz/default.nix | 3 +++ pkgs/tools/misc/coreutils/default.nix | 3 +++ pkgs/tools/system/which/default.nix | 5 ++++- 20 files changed, 60 insertions(+), 2 deletions(-) diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix index f58daaa5377a..fe1f4066110e 100644 --- a/pkgs/development/compilers/gcc/4.9/default.nix +++ b/pkgs/development/compilers/gcc/4.9/default.nix @@ -74,7 +74,7 @@ let version = "4.9.3"; ++ optional langFortran ../gfortran-driving.patch # The NXConstStr.patch can be removed at 4.9.4 ++ optional stdenv.isDarwin ../gfortran-darwin-NXConstStr.patch; - + javaEcj = fetchurl { # The `$(top_srcdir)/ecj.jar' file is automatically picked up at # `configure' time. @@ -220,6 +220,8 @@ stdenv.mkDerivation ({ inherit patches; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; hardening_format = false; postPatch = 
diff --git a/pkgs/development/interpreters/perl/5.20/default.nix b/pkgs/development/interpreters/perl/5.20/default.nix index c91a43963d49..bc446a25d0f4 100644 --- a/pkgs/development/interpreters/perl/5.20/default.nix +++ b/pkgs/development/interpreters/perl/5.20/default.nix @@ -30,6 +30,9 @@ stdenv.mkDerivation rec { outputs = [ "out" "man" ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + patches = [ # Do not look in /usr etc. for dependencies. ./no-sys-dirs.patch diff --git a/pkgs/development/libraries/cloog/0.18.0.nix b/pkgs/development/libraries/cloog/0.18.0.nix index ccd938283199..3dc9587c9215 100644 --- a/pkgs/development/libraries/cloog/0.18.0.nix +++ b/pkgs/development/libraries/cloog/0.18.0.nix @@ -18,6 +18,9 @@ stdenv.mkDerivation rec { doCheck = true; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + meta = { description = "Library that generates loops for scanning polyhedra"; diff --git a/pkgs/development/libraries/gettext/default.nix b/pkgs/development/libraries/gettext/default.nix index ff7e9bc5bfd0..9962e75e2f9c 100644 --- a/pkgs/development/libraries/gettext/default.nix +++ b/pkgs/development/libraries/gettext/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation (rec { outputs = [ "out" "doc" ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; hardening_format = false; LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else ""; diff --git a/pkgs/development/libraries/gmp/5.1.x.nix b/pkgs/development/libraries/gmp/5.1.x.nix index 7b393067ff52..0db619b36586 100644 --- a/pkgs/development/libraries/gmp/5.1.x.nix +++ b/pkgs/development/libraries/gmp/5.1.x.nix @@ -12,6 +12,9 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ m4 ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + patches = if stdenv.isDarwin then [ ./need-size-t.patch ] else null; configureFlags = 
diff --git a/pkgs/development/libraries/isl/0.11.1.nix b/pkgs/development/libraries/isl/0.11.1.nix index 63140dba37f7..c56c5b3892af 100644 --- a/pkgs/development/libraries/isl/0.11.1.nix +++ b/pkgs/development/libraries/isl/0.11.1.nix @@ -13,6 +13,9 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + meta = { homepage = http://www.kotnet.org/~skimo/isl/; license = stdenv.lib.licenses.lgpl21; diff --git a/pkgs/development/libraries/libelf/default.nix b/pkgs/development/libraries/libelf/default.nix index 88bce7f86614..cb0c8a7f5c17 100644 --- a/pkgs/development/libraries/libelf/default.nix +++ b/pkgs/development/libraries/libelf/default.nix @@ -10,6 +10,9 @@ stdenv.mkDerivation (rec { doCheck = true; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + # For cross-compiling, native glibc is needed for the "gencat" program. crossAttrs = { nativeBuildInputs = [ glibc ]; diff --git a/pkgs/development/libraries/libmpc/default.nix b/pkgs/development/libraries/libmpc/default.nix index 1e8ea0ffa138..cc883ba67b29 100644 --- a/pkgs/development/libraries/libmpc/default.nix +++ b/pkgs/development/libraries/libmpc/default.nix @@ -16,6 +16,9 @@ stdenv.mkDerivation rec { doCheck = true; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + meta = { description = "Library for multiprecision complex arithmetic with exact rounding"; diff --git a/pkgs/development/libraries/mpfr/default.nix b/pkgs/development/libraries/mpfr/default.nix index 581f956b0afd..2c6438857272 100644 --- a/pkgs/development/libraries/mpfr/default.nix +++ b/pkgs/development/libraries/mpfr/default.nix 
@@ -13,6 +13,9 @@ stdenv.mkDerivation rec { # mpfr.h requires gmp.h propagatedBuildInputs = [ gmp ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + configureFlags = stdenv.lib.optional stdenv.isSunOS "--disable-thread-safe" ++ stdenv.lib.optional stdenv.is64bit "--with-pic"; diff --git a/pkgs/development/libraries/zlib/default.nix b/pkgs/development/libraries/zlib/default.nix index 93474d14344e..2871985a0826 100644 --- a/pkgs/development/libraries/zlib/default.nix +++ b/pkgs/development/libraries/zlib/default.nix @@ -29,6 +29,9 @@ stdenv.mkDerivation (rec { fi ''; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + # As zlib takes part in the stdenv building, we don't want references # to the bootstrap-tools libgcc (as uses to happen on arm/mips) NIX_CFLAGS_COMPILE = stdenv.lib.optionalString (!stdenv.isDarwin) "-static-libgcc"; diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix index 86d69d8da8ce..78adfe487517 100644 --- a/pkgs/development/tools/misc/binutils/default.nix +++ b/pkgs/development/tools/misc/binutils/default.nix @@ -39,6 +39,9 @@ stdenv.mkDerivation rec { inherit noSysDirs; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + preConfigure = '' # Clear the default library search path. if test "$noSysDirs" = "1"; then diff --git a/pkgs/development/tools/misc/gnum4/default.nix b/pkgs/development/tools/misc/gnum4/default.nix index 7216e1e169d0..e610858838de 100644 --- a/pkgs/development/tools/misc/gnum4/default.nix +++ b/pkgs/development/tools/misc/gnum4/default.nix @@ -18,6 +18,9 @@ stdenv.mkDerivation rec { # Upstream is aware of it; it may be in the next release. patches = [ ./s_isdir.patch ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + meta = { homepage = http://www.gnu.org/software/m4/; description = "GNU M4, a macro processor"; 
diff --git a/pkgs/development/tools/misc/patchelf/default.nix b/pkgs/development/tools/misc/patchelf/default.nix index 5aa81e46bed1..91658a5d4d9b 100644 --- a/pkgs/development/tools/misc/patchelf/default.nix +++ b/pkgs/development/tools/misc/patchelf/default.nix @@ -10,6 +10,9 @@ stdenv.mkDerivation rec { setupHook = [ ./setup-hook.sh ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + meta = { homepage = http://nixos.org/patchelf.html; license = "GPL"; diff --git a/pkgs/development/tools/misc/texinfo/6.0.nix b/pkgs/development/tools/misc/texinfo/6.0.nix index 507ca22cd1ae..786998c6af76 100644 --- a/pkgs/development/tools/misc/texinfo/6.0.nix +++ b/pkgs/development/tools/misc/texinfo/6.0.nix @@ -17,6 +17,9 @@ stdenv.mkDerivation rec { configureFlags = stdenv.lib.optional stdenv.isSunOS "AWK=${gawk}/bin/awk"; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + preInstall = '' installFlags="TEXMF=$out/texmf-dist"; installTargets="install install-tex"; diff --git a/pkgs/development/tools/parsing/bison/3.x.nix b/pkgs/development/tools/parsing/bison/3.x.nix index ee0074140178..0062bc36561b 100644 --- a/pkgs/development/tools/parsing/bison/3.x.nix +++ b/pkgs/development/tools/parsing/bison/3.x.nix @@ -11,6 +11,9 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ m4 perl ] ++ stdenv.lib.optional stdenv.isSunOS help2man; propagatedBuildInputs = [ m4 ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + meta = { homepage = "http://www.gnu.org/software/bison/"; description = "Yacc-compatible parser generator"; diff --git a/pkgs/os-specific/linux/kernel-headers/3.18.nix b/pkgs/os-specific/linux/kernel-headers/3.18.nix index 0cc38a0548ca..be54d7a4e6a7 100644 --- a/pkgs/os-specific/linux/kernel-headers/3.18.nix +++ b/pkgs/os-specific/linux/kernel-headers/3.18.nix 
@@ -34,6 +34,9 @@ stdenv.mkDerivation { buildInputs = [perl]; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + extraIncludeDirs = if cross != null then (if cross.arch == "powerpc" then ["ppc"] else []) diff --git a/pkgs/os-specific/linux/paxctl/default.nix b/pkgs/os-specific/linux/paxctl/default.nix index afb342768c33..50aa77104c28 100644 --- a/pkgs/os-specific/linux/paxctl/default.nix +++ b/pkgs/os-specific/linux/paxctl/default.nix @@ -18,6 +18,9 @@ stdenv.mkDerivation rec { "MANDIR=share/man/man1" ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + setupHook = ./setup-hook.sh; meta = with stdenv.lib; { diff --git a/pkgs/tools/compression/xz/default.nix b/pkgs/tools/compression/xz/default.nix index 5f5ee28ca063..6ddebe6b99d0 100644 --- a/pkgs/tools/compression/xz/default.nix +++ b/pkgs/tools/compression/xz/default.nix @@ -15,6 +15,9 @@ stdenv.mkDerivation rec { postInstall = "rm -rf $out/share/doc"; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + meta = with stdenv.lib; { homepage = http://tukaani.org/xz/; description = "XZ, general-purpose data compression software, successor of LZMA"; diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index baa3900ad97a..8833f32c5a85 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -20,6 +20,9 @@ let sha256 = "0w11jw3fb5sslf0f72kxy7llxgk1ia3a6bcw0c9kmvxrlj355mx2"; }; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + patches = if stdenv.isCygwin then ./coreutils-8.23-4.cygwin.patch else (if stdenv.isArm then (fetchurl { url = "http://git.savannah.gnu.org/cgit/coreutils.git/patch/?id=3ba68f9e64fa2eb8af22d510437a0c6441feb5e0"; diff --git a/pkgs/tools/system/which/default.nix b/pkgs/tools/system/which/default.nix index e9199a8f0632..956fd590b14c 100644 --- a/pkgs/tools/system/which/default.nix 
+++ b/pkgs/tools/system/which/default.nix @@ -2,12 +2,15 @@ stdenv.mkDerivation rec { name = "which-2.21"; - + src = fetchurl { url = "mirror://gnu/which/${name}.tar.gz"; sha256 = "1bgafvy3ypbhhfznwjv1lxmd6mci3x1byilnnkc7gcr486wlb8pl"; }; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + meta = with stdenv.lib; { homepage = http://ftp.gnu.org/gnu/which/; platforms = platforms.all; From 928c904a5bcab74437cda6507d2b144f60b508a5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 23 Feb 2016 00:57:11 +0000 Subject: [PATCH 277/507] stalonetray: disable format hardening --- pkgs/applications/window-managers/stalonetray/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/applications/window-managers/stalonetray/default.nix b/pkgs/applications/window-managers/stalonetray/default.nix index 5ef5ba769c42..43d0804222c7 100644 --- a/pkgs/applications/window-managers/stalonetray/default.nix +++ b/pkgs/applications/window-managers/stalonetray/default.nix @@ -3,12 +3,16 @@ stdenv.mkDerivation rec { name = "stalonetray-${version}"; version = "0.8.1"; + src = fetchurl { url = "mirror://sourceforge/stalonetray/${name}.tar.bz2"; sha256 = "1wp8pnlv34w7xizj1vivnc3fkwqq4qgb9dbrsg15598iw85gi8ll"; }; + buildInputs = [ libX11 xproto ]; + hardening_format = false; + meta = with stdenv.lib; { description = "Stand alone tray"; maintainers = with maintainers; [ raskin ]; From 087cb7ba5b3b51c1cdd95de6a096a4b9d4781325 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 23 Feb 2016 07:54:51 +0000 Subject: [PATCH 278/507] gcc43: disable stackprotector hardening --- pkgs/development/compilers/gcc/4.3/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/development/compilers/gcc/4.3/default.nix b/pkgs/development/compilers/gcc/4.3/default.nix index 0ad156c53e5c..6114c960ffdd 100644 --- a/pkgs/development/compilers/gcc/4.3/default.nix +++ b/pkgs/development/compilers/gcc/4.3/default.nix 
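Review bot: `hardening_format = false;` is added to stalonetray without a comment saying what fails, so the next reader cannot tell whether the package trips the format-security check on a real non-literal format string (a defect worth patching upstream) or on a false positive. The same bare disable, with no rationale, appears in the gcc43, graphviz, zbar, zandronum, xf86-video-nested, xbindkeys-config, xarchive, vym, swt, trustedGrub, tboot, swi-prolog, stardust, supercollider, riak, qtpfsgui, mxt-app, lush, grub, go 1.6, gcl, teyjus, ghc 6.10.4 and ssvnc hunks below. A one-line comment above each, e.g. `# FIXME: <flag> breaks the build in <file>; re-enable once fixed upstream`, keeps the lost mitigation visible and revertible; for tboot and trustedGrub, which turn off both `hardening_pic` and `hardening_stackprotector` on boot-chain code, the reason matters most. The two blank lines added around `src` and `buildInputs` in this hunk are unrelated whitespace noise.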
@@ -96,6 +96,7 @@ stdenv.mkDerivation ({ ; hardening_format = false; + hardening_stackprotector = false; configureFlags = " ${if enableMultilib then "" else "--disable-multilib"} From 4bf29b83f8ea14d000662473e887e2182bb03fa4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 23 Feb 2016 15:03:14 +0000 Subject: [PATCH 279/507] graphviz_2_0: disable format/fortify hardening --- pkgs/tools/graphics/graphviz/2.0.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/graphics/graphviz/2.0.nix b/pkgs/tools/graphics/graphviz/2.0.nix index 04fff8053819..e08b1309d414 100644 --- a/pkgs/tools/graphics/graphviz/2.0.nix +++ b/pkgs/tools/graphics/graphviz/2.0.nix @@ -13,7 +13,10 @@ stdenv.mkDerivation rec { }; buildInputs = [pkgconfig xlibsWrapper libpng libjpeg expat libXaw yacc libtool fontconfig pango gd]; - + + hardening_format = false; + hardening_fortify = false; + configureFlags = [ "--with-pngincludedir=${libpng}/include" "--with-pnglibdir=${libpng}/lib" From 4447e42f02722310dc3af218e59fb7634ad7396e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 15:17:41 +0000 Subject: [PATCH 280/507] zbar: disable fortify hardening --- pkgs/tools/graphics/zbar/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/graphics/zbar/default.nix b/pkgs/tools/graphics/zbar/default.nix index 48e3316a4a24..f0e53696fc5c 100644 --- a/pkgs/tools/graphics/zbar/default.nix +++ b/pkgs/tools/graphics/zbar/default.nix @@ -15,7 +15,9 @@ stdenv.mkDerivation rec { [ imagemagickBig pkgconfig python pygtk perl libX11 libv4l qt4 lzma gtk2 ]; - configureFlags = ["--disable-video"]; + configureFlags = [ "--disable-video" ]; + + hardening_fortify = false; meta = with stdenv.lib; { description = "Bar code reader"; From c88376bc3630564ef023dc054763be5ba72a1c46 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Wed, 24 Feb 2016 15:39:30 +0000 Subject: [PATCH 281/507] zam-plugins: fix hash --- pkgs/applications/audio/zam-plugins/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/applications/audio/zam-plugins/default.nix b/pkgs/applications/audio/zam-plugins/default.nix index 48f559dfd86d..3c9e80494d1f 100644 --- a/pkgs/applications/audio/zam-plugins/default.nix +++ b/pkgs/applications/audio/zam-plugins/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { url = "https://github.com/zamaudio/zam-plugins.git"; deepClone = true; rev = "91fe56931a3e57b80f18c740d2dde6b44f962aee"; - sha256 = "0n29zxg4l2m3jsnfw6q2alyzaw7ibbv9nvk57k07sv3lh2yy3f30"; + sha256 = "1d8w3086xshl61yqaxg6lrvqb7bww30dsdzcd0mnii49wyzjpj0b"; }; buildInputs = [ boost libX11 mesa liblo libjack2 ladspaH lv2 pkgconfig rubberband libsndfile ]; From 1b6fd9abb72d149ca5445f043eefa1a228aa82f8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 15:40:14 +0000 Subject: [PATCH 282/507] zandronum-server: disable format hardening --- pkgs/games/zandronum/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/games/zandronum/default.nix b/pkgs/games/zandronum/default.nix index 479a6abe9a47..7cb1ed4d9edc 100644 --- a/pkgs/games/zandronum/default.nix +++ b/pkgs/games/zandronum/default.nix @@ -33,6 +33,8 @@ in stdenv.mkDerivation { enableParallelBuilding = true; + hardening_format = false; + installPhase = '' mkdir -p $out/bin mkdir -p $out/share/zandronum From 81bb9407f9b9e5b0d6792ba043a0a3a6d7aa2cb7 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 15:43:35 +0000 Subject: [PATCH 283/507] xf86_video_nested: disable fortify hardening --- pkgs/os-specific/linux/xf86-video-nested/default.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/pkgs/os-specific/linux/xf86-video-nested/default.nix b/pkgs/os-specific/linux/xf86-video-nested/default.nix index 0f9e0591a060..96f353a64da2 100644 
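Review bot: The sha256 for the unchanged rev `91fe56931a3e57b80f18c740d2dde6b44f962aee` is replaced without the commit saying why the fetched content differs, which a reviewer cannot distinguish from a tampered or substituted source. With `deepClone = true` the fetched tree presumably keeps git metadata whose layout varies between git versions, which would explain the drift, but that should be stated, e.g. `# hash covers git metadata because of deepClone and may change with the fetcher version`. If the deep clone is not actually needed, dropping `deepClone = true;` would turn the hash back into a pure content hash of the pinned revision.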
--- a/pkgs/os-specific/linux/xf86-video-nested/default.nix +++ b/pkgs/os-specific/linux/xf86-video-nested/default.nix @@ -16,10 +16,9 @@ stdenv.mkDerivation { pkgconfig renderproto utilmacros xorgserver ]; + hardening_fortify = false; - configurePhase = '' - ./configure --prefix=$out CFLAGS="-I${pixman}/include/pixman-1" - ''; + CFLAGS = "-I${pixman}/include/pixman-1"; meta = { homepage = http://cgit.freedesktop.org/xorg/driver/xf86-video-nested; From 21b1e9e3dad8015d255e220ffe03ad2d7af31d4f Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 16:00:25 +0000 Subject: [PATCH 284/507] xbindkeys-config: disable format hardening --- pkgs/tools/X11/xbindkeys-config/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/X11/xbindkeys-config/default.nix b/pkgs/tools/X11/xbindkeys-config/default.nix index 57d8d82759ce..b4fc755bd84a 100644 --- a/pkgs/tools/X11/xbindkeys-config/default.nix +++ b/pkgs/tools/X11/xbindkeys-config/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "1rs3li2hyig6cdzvgqlbz0vw6x7rmgr59qd6m0cvrai8xhqqykda"; }; + hardening_format = false; + meta = { homepage = https://packages.debian.org/source/xbindkeys-config; description = "Graphical interface for configuring xbindkeys"; From 8cbb8331a71ea76a01ee11eb52307c4848fe9ab6 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 16:01:51 +0000 Subject: [PATCH 285/507] xarchive: disable format hardening --- pkgs/tools/archivers/xarchive/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/archivers/xarchive/default.nix b/pkgs/tools/archivers/xarchive/default.nix index ed60e3147a8f..6407fe4f350b 100644 --- a/pkgs/tools/archivers/xarchive/default.nix +++ b/pkgs/tools/archivers/xarchive/default.nix 
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ gtk2 pkgconfig ]; + hardening_format = false; + meta = { description = "A GTK+ front-end for command line archiving tools"; maintainers = [ stdenv.lib.maintainers.iElectric ]; From 3d169b83cfd2eb378df2eae8f732e369299e99ab Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 16:06:55 +0000 Subject: [PATCH 286/507] vym: disable format hardening --- pkgs/applications/misc/vym/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/misc/vym/default.nix b/pkgs/applications/misc/vym/default.nix index b1cfbd5d9ac4..5904a2a5ffd3 100644 --- a/pkgs/applications/misc/vym/default.nix +++ b/pkgs/applications/misc/vym/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig qt4 ]; + hardening_format = false; + configurePhase = '' qmake PREFIX="$out" ''; @@ -22,7 +24,7 @@ stdenv.mkDerivation rec { Such maps can help you to improve your creativity and effectivity. You can use them for time management, to organize tasks, to get an overview over complex contexts, to sort your ideas etc. - + Maps can be drawn by hand on paper or a flip chart and help to structure your thoughs. While a tree like structure like shown on this page can be drawn by hand or any drawing software vym offers much more features to work with such maps. From eff4faf7f30e3aa7063429c8d3abf085f3624fe1 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 16:07:13 +0000 Subject: [PATCH 287/507] swt: disable format hardening --- pkgs/development/libraries/java/swt/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/java/swt/default.nix b/pkgs/development/libraries/java/swt/default.nix index d942dd7b692f..855b800ba9f3 100644 --- a/pkgs/development/libraries/java/swt/default.nix +++ b/pkgs/development/libraries/java/swt/default.nix 
@@ -28,6 +28,8 @@ in stdenv.mkDerivation rec { builder = ./builder.sh; + hardening_format = false; + # Alas, the Eclipse Project apparently doesn't produce source-only # releases of SWT. So we just grab a binary release and extract # "src.zip" from that. From e7f9e8a26fdfb863b3c7e004a27ada56dac85fa2 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 16:54:49 +0000 Subject: [PATCH 288/507] trustedGrub: disable stackprotector/pic hardening --- pkgs/tools/misc/grub/trusted.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/tools/misc/grub/trusted.nix b/pkgs/tools/misc/grub/trusted.nix index 694f45599f30..39c1ce9c0c11 100644 --- a/pkgs/tools/misc/grub/trusted.nix +++ b/pkgs/tools/misc/grub/trusted.nix @@ -47,6 +47,9 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses libusb freetype gettext devicemapper ] ++ optional doCheck qemu; + hardening_stackprotector = false; + hardening_pic = false; + preConfigure = '' for i in "tests/util/"*.in do From c884697acc081f6884e3486c0476ec78e3684e6d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 17:01:37 +0000 Subject: [PATCH 289/507] tboot: disable stackprotector/pic hardening --- pkgs/tools/security/tboot/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/tools/security/tboot/default.nix b/pkgs/tools/security/tboot/default.nix index 854f67f2aeec..1a2bc6a31082 100644 --- a/pkgs/tools/security/tboot/default.nix +++ b/pkgs/tools/security/tboot/default.nix @@ -12,12 +12,16 @@ stdenv.mkDerivation rec { patches = [ ./tboot-add-well-known-secret-option-to-lcp_writepol.patch ]; + hardening_pic = false; + hardening_stackprotector = false; + configurePhase = '' for a in lcptools utils tb_polgen; do substituteInPlace $a/Makefile --replace /usr/sbin /sbin done substituteInPlace docs/Makefile --replace /usr/share /share ''; + installFlags = "DESTDIR=$(out)"; meta = with stdenv.lib; { From 282d03c4b0b97ba3e4eeb08cbb57aa1375e82607 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Wed, 24 Feb 2016 17:10:58 +0000 Subject: [PATCH 290/507] swiProlog: disable format hardening --- pkgs/development/compilers/swi-prolog/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/swi-prolog/default.nix b/pkgs/development/compilers/swi-prolog/default.nix index 1f38198b30b5..3c257dfc7df6 100644 --- a/pkgs/development/compilers/swi-prolog/default.nix +++ b/pkgs/development/compilers/swi-prolog/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation { buildInputs = [ gmp readline openssl libjpeg unixODBC libXinerama libXft libXpm libSM libXt zlib freetype pkgconfig fontconfig ]; + hardening_format = false; + configureFlags = "--with-world --enable-gmp --enable-shared"; buildFlags = "world"; From dcf103284ff67bf4fc2a94783d29418dcc4332c4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 17:13:08 +0000 Subject: [PATCH 291/507] stardust: disable format hardening --- pkgs/games/stardust/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/games/stardust/default.nix b/pkgs/games/stardust/default.nix index aa68da6b73d0..94da81533c13 100644 --- a/pkgs/games/stardust/default.nix +++ b/pkgs/games/stardust/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation rec { installFlags = [ "bindir=\${out}/bin" ]; + hardening_format = false; + postConfigure = '' substituteInPlace config.h \ --replace '#define PACKAGE ""' '#define PACKAGE "stardust"' From 18adc96e0f8410e49d4deba1651638898d0ea79c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 21:29:55 +0000 Subject: [PATCH 292/507] supercollider: disable fortify hardening --- .../development/interpreters/supercollider/default.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/pkgs/development/interpreters/supercollider/default.nix b/pkgs/development/interpreters/supercollider/default.nix index f44347c61b74..cb60a41a6903 100644 --- a/pkgs/development/interpreters/supercollider/default.nix 
+++ b/pkgs/development/interpreters/supercollider/default.nix @@ -3,10 +3,10 @@ , libXt, qt, readline , useSCEL ? false, emacs }: - + let optional = stdenv.lib.optional; in -stdenv.mkDerivation rec { +stdenv.mkDerivation rec { name = "supercollider-3.6.6"; meta = { @@ -21,6 +21,8 @@ stdenv.mkDerivation rec { sha256 = "11khrv6jchs0vv0lv43am8lp0x1rr3h6l2xj9dmwrxcpdayfbalr"; }; + hardening_stackprotector = false; + # QGtkStyle unavailable patchPhase = '' substituteInPlace editors/sc-ide/widgets/code_editor/autocompleter.cpp \ @@ -29,12 +31,12 @@ stdenv.mkDerivation rec { cmakeFlags = '' -DSC_WII=OFF - -DSC_EL=${if useSCEL then "ON" else "OFF"} + -DSC_EL=${if useSCEL then "ON" else "OFF"} ''; nativeBuildInputs = [ cmake pkgconfig ]; - buildInputs = [ + buildInputs = [ gcc libjack2 libsndfile fftw curl libXt qt readline ] ++ optional useSCEL emacs; } From 2fbbd71861374990a8cab7ff9e0542993e56adc6 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 21:36:26 +0000 Subject: [PATCH 293/507] riak2: disable format hardening --- pkgs/servers/nosql/riak/2.1.1.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/nosql/riak/2.1.1.nix b/pkgs/servers/nosql/riak/2.1.1.nix index c62cea180be7..05cf4270f9f8 100644 --- a/pkgs/servers/nosql/riak/2.1.1.nix +++ b/pkgs/servers/nosql/riak/2.1.1.nix @@ -34,6 +34,8 @@ stdenv.mkDerivation rec { src = srcs.riak; + hardening_format = false; + postPatch = '' sed -i deps/node_package/priv/base/env.sh \ -e 's@{{platform_data_dir}}@''${RIAK_DATA_DIR:-/var/db/riak}@' \ From 8edbf1cb031c380c66ad5775152d07062d2ddb4a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 21:45:16 +0000 Subject: [PATCH 294/507] qtpfsgui: disable format hardening --- pkgs/applications/graphics/qtpfsgui/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/graphics/qtpfsgui/default.nix b/pkgs/applications/graphics/qtpfsgui/default.nix index efa245cc7e9a..da6521199c5a 100644 
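Review bot: The commit subject says "disable fortify hardening" but the line added is `hardening_stackprotector = false;`, so either the subject or the attribute is wrong; please align them and record which build error motivated the disable. The hunk also mixes in whitespace-only changes on the `let`, `stdenv.mkDerivation rec {`, `-DSC_EL=` and `buildInputs = [` lines, which hide the single functional line.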
--- a/pkgs/applications/graphics/qtpfsgui/default.nix +++ b/pkgs/applications/graphics/qtpfsgui/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ qt4 exiv2 openexr fftwSinglePrec libtiff ]; + hardening_format = false; + configurePhase = '' export CPATH="${ilmbase}/include/OpenEXR:$CPATH" qmake PREFIX=$out EXIV2PATH=${exiv2}/include/exiv2 \ From f4405557c74430c11c1364cf87bcb6c60ece9037 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 22:00:30 +0000 Subject: [PATCH 295/507] mxt-app: disable fortify hardening --- pkgs/misc/mxt-app/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/misc/mxt-app/default.nix b/pkgs/misc/mxt-app/default.nix index cfcba8a3a8ba..e1db07bfff2b 100644 --- a/pkgs/misc/mxt-app/default.nix +++ b/pkgs/misc/mxt-app/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec{ buildInputs = [ autoconf automake libtool ]; preConfigure = "./autogen.sh"; + hardening_fortify = false; + meta = with stdenv.lib; { description = "Command line utility for Atmel maXTouch devices"; homepage = http://github.com/atmel-maxtouch/mxt-app; From 2700dac7deaf1aa22fe0a60e79f5f65ee1521e1c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 22:17:45 +0000 Subject: [PATCH 296/507] lush: disable pic hardening --- .../development/interpreters/lush/default.nix | 31 +++++++++---------- 1 file changed, 14 insertions(+), 17 deletions(-) diff --git a/pkgs/development/interpreters/lush/default.nix b/pkgs/development/interpreters/lush/default.nix index 63cf85bc506b..7a4e5c1a336d 100644 --- a/pkgs/development/interpreters/lush/default.nix +++ b/pkgs/development/interpreters/lush/default.nix 
@@ -1,32 +1,29 @@ {stdenv, fetchurl, libX11, xproto, indent, readline, gsl, freeglut, mesa, SDL , blas, binutils, intltool, gettext, zlib}: -let - s = # Generated upstream information - rec { - baseName="lush"; - version="2.0.1"; - name="${baseName}-${version}"; - hash="02pkfn3nqdkm9fm44911dbcz0v3r0l53vygj8xigl6id5g3iwi4k"; + +stdenv.mkDerivation rec { + baseName = "lush"; + version = "2.0.1"; + name = "${baseName}-${version}"; + + src = fetchurl { url="mirror://sourceforge/project/lush/lush2/lush-2.0.1.tar.gz"; sha256="02pkfn3nqdkm9fm44911dbcz0v3r0l53vygj8xigl6id5g3iwi4k"; }; + buildInputs = [ libX11 xproto indent readline gsl freeglut mesa SDL blas binutils intltool gettext zlib ]; -in -stdenv.mkDerivation { - inherit (s) name version; - inherit buildInputs; - src = fetchurl { - inherit (s) url sha256; - }; + + hardening_pic = false; + NIX_LDFLAGS=" -lz "; + meta = { - inherit (s) version; - description = ''Lisp Universal SHell''; + description = "Lisp Universal SHell"; license = stdenv.lib.licenses.gpl2Plus ; - maintainers = [stdenv.lib.maintainers.raskin]; + maintainers = [ stdenv.lib.maintainers.raskin ]; platforms = stdenv.lib.platforms.linux; }; } From d9b4391717eca6283522a5e5b76cbdef0d7495f1 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 24 Feb 2016 22:54:34 +0000 Subject: [PATCH 297/507] grub: disable stackprotector hardening --- pkgs/tools/misc/grub/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/grub/default.nix b/pkgs/tools/misc/grub/default.nix index d6534fc5ee61..c0579b918164 100644 --- a/pkgs/tools/misc/grub/default.nix +++ b/pkgs/tools/misc/grub/default.nix @@ -36,6 +36,8 @@ stdenv.mkDerivation { # autoreconfHook required for the splashimage patch. buildInputs = [ autoreconfHook texinfo ]; + hardening_stackprotector = false; + prePatch = '' unpackFile $gentooPatches rm patch/400_all_grub-0.97-reiser4-20050808-gentoo.patch From c677109fcd897e3b7ce797df1097ca80b6ccb841 Mon Sep 17 00:00:00 2001 
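Review bot: `hardening_pic = false;` lands inside a hunk that rewrites the entire expression (dropping the generated `s` record, reformatting `src` and `meta`), so the mitigation change is easy to miss and is undocumented; splitting the cleanup from the hardening change and adding a comment on the disable would help. `NIX_LDFLAGS=" -lz ";` and the `url="..."`/`sha256="..."` lines inside `src` keep the old compressed spacing while every surrounding line was reformatted; `NIX_LDFLAGS = "-lz";` and `url = "..."` match the rest of the new file.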
From: Robin Gloster Date: Wed, 24 Feb 2016 22:56:56 +0000 Subject: [PATCH 298/507] go_1_6: disable all hardening --- pkgs/development/compilers/go/1.6.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/go/1.6.nix b/pkgs/development/compilers/go/1.6.nix index cb1d396f50a1..e43d6b184734 100644 --- a/pkgs/development/compilers/go/1.6.nix +++ b/pkgs/development/compilers/go/1.6.nix @@ -29,6 +29,8 @@ stdenv.mkDerivation rec { Security Foundation ]; + hardening_all = false; + # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. preUnpack = '' From 56ceca9d46bd5d7001141df360742543c6204200 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 25 Feb 2016 00:55:53 +0000 Subject: [PATCH 299/507] cromfs: use default gcc --- pkgs/tools/archivers/cromfs/default.nix | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/pkgs/tools/archivers/cromfs/default.nix b/pkgs/tools/archivers/cromfs/default.nix index cd151698f250..042880b39c9b 100644 --- a/pkgs/tools/archivers/cromfs/default.nix +++ b/pkgs/tools/archivers/cromfs/default.nix @@ -1,18 +1,15 @@ -{ stdenv, fetchurl, pkgconfig, fuse, perl, gcc48 }: +{ stdenv, fetchurl, pkgconfig, fuse, perl }: stdenv.mkDerivation rec { name = "cromfs-1.5.10.2"; - + src = fetchurl { url = "http://bisqwit.iki.fi/src/arch/${name}.tar.bz2"; sha256 = "0xy2x1ws1qqfp7hfj6yzm80zhrxzmhn0w2yns77im1lmd2h18817"; }; - patchPhase = ''sed -i 's@/bin/bash@/bin/sh@g' configure''; + postPatch = "patchShebangs configure"; - # Removing the static linking, as it doesn't compile in x86_64. - makeFlags = "cromfs-driver util/mkcromfs util/unmkcromfs util/cvcromfs"; - installPhase = '' install -d $out/bin install cromfs-driver $out/bin 
@@ -21,7 +18,7 @@ stdenv.mkDerivation rec { install util/unmkcromfs $out/bin ''; - buildInputs = [ pkgconfig fuse perl gcc48 ]; + buildInputs = [ pkgconfig fuse perl ]; meta = { description = "FUSE Compressed ROM filesystem with lzma"; From 0f4ecfad68f9ed35beaf9e26df22bb0fb799f645 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 25 Feb 2016 01:27:43 +0000 Subject: [PATCH 300/507] certificate-transparency: clean up and use newer clang --- .../certificate-transparency/default.nix | 50 +++++++++---------- 1 file changed, 24 insertions(+), 26 deletions(-) diff --git a/pkgs/servers/certificate-transparency/default.nix b/pkgs/servers/certificate-transparency/default.nix index 80fae89c76d8..a7c2be4e2861 100644 --- a/pkgs/servers/certificate-transparency/default.nix +++ b/pkgs/servers/certificate-transparency/default.nix @@ -1,4 +1,7 @@ -{ stdenv, pkgs, ...}: +{ stdenv, fetchFromGitHub, autoreconfHook, clang, pkgconfig +, glog, gmock, gtest, google-gflags, gperftools, json_c, leveldb +, libevent, libevhtp, openssl, protobuf, sqlite +}: stdenv.mkDerivation rec { name = "certificate-transparency-${version}"; @@ -6,15 +9,7 @@ stdenv.mkDerivation rec { version = "2016-01-14"; rev = "250672b5aef3666edbdfc9a75b95a09e7a57ed08"; - meta = with stdenv.lib; { - homepage = https://www.certificate-transparency.org/; - description = "Auditing for TLS certificates."; - license = licenses.asl20; - platforms = platforms.unix; - maintainers = with maintainers; [ philandstuff ]; - }; - - src = pkgs.fetchFromGitHub { + src = fetchFromGitHub { owner = "google"; repo = "certificate-transparency"; rev = rev; 
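Review bot: Besides dropping `gcc48`, the first cromfs hunk deletes `makeFlags = "cromfs-driver util/mkcromfs util/unmkcromfs util/cvcromfs";` together with the comment explaining that it avoided the static-link targets that did not build on x86_64, and the commit message ("use default gcc") does not mention this. If the default `make` target now builds those static binaries, the x86_64 build may regress; either keep the `makeFlags` line or state in the message that the static targets build with the default compiler. The new `postPatch = "patchShebangs configure";` also rewrites `#!/bin/bash` to the store bash rather than to `/bin/sh` as the old sed did, which is a small behaviour change worth a word.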
@@ -22,13 +17,13 @@ stdenv.mkDerivation rec { }; # need to disable regex support in evhtp or building will fail - libevhtp_without_regex = stdenv.lib.overrideDerivation pkgs.libevhtp + libevhtp_without_regex = stdenv.lib.overrideDerivation libevhtp (oldAttrs: { - cmakeFlags="-DEVHTP_DISABLE_REGEX:STRING=ON -DCMAKE_C_FLAGS:STRING=-fPIC"; + cmakeFlags = "-DEVHTP_DISABLE_REGEX:STRING=ON"; }); - buildInputs = with pkgs; [ - autoconf automake clang_34 pkgconfig + buildInputs = [ + autoreconfHook clang pkgconfig glog gmock google-gflags gperftools gtest json_c leveldb libevent libevhtp_without_regex openssl protobuf sqlite ]; @@ -37,21 +32,24 @@ stdenv.mkDerivation rec { ./protobuf-include-from-env.patch ]; - doCheck = false; - - preConfigure = '' - ./autogen.sh - configureFlagsArray=( - CC=clang - CXX=clang++ - GMOCK_DIR=${pkgs.gmock} - GTEST_DIR=${pkgs.gtest} - ) - ''; + configureFlags = [ + "CC=clang" + "CXX=clang++" + "GMOCK_DIR=${gmock}" + "GTEST_DIR=${gtest}" + ]; # the default Makefile constructs BUILD_VERSION from `git describe` # which isn't available in the nix build environment makeFlags = "BUILD_VERSION=${version}-${rev}"; - protocFlags = "-I ${pkgs.protobuf}/include"; + protocFlags = "-I ${protobuf}/include"; + + meta = with stdenv.lib; { + homepage = https://www.certificate-transparency.org/; + description = "Auditing for TLS certificates."; + license = licenses.asl20; + platforms = platforms.unix; + maintainers = with maintainers; [ philandstuff ]; + }; } From 7561c1c9e7352688f7541e88547293599efcd533 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 25 Feb 2016 02:10:33 +0000 Subject: [PATCH 301/507] gcl: clean up and disable pic hardening --- pkgs/development/compilers/gcl/default.nix | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/pkgs/development/compilers/gcl/default.nix b/pkgs/development/compilers/gcl/default.nix index 25b1599fbea0..008f426d74a1 100644 --- a/pkgs/development/compilers/gcl/default.nix 
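Review bot: The libevhtp override drops `-DCMAKE_C_FLAGS:STRING=-fPIC`, which only holds if libevhtp inherits the new stdenv's default PIC hardening; should that package ever set `hardening_pic = false`, this override would silently produce a non-PIC static library, so a comment such as `# -fPIC now comes from the hardened stdenv` records the assumption. The same hunk removes `doCheck = false;`, which is fine only if the default is already off; worth confirming, since the check build is what needs `GMOCK_DIR`/`GTEST_DIR`. Moving `meta` to the bottom of the file is unrelated churn in a commit that also changes the compiler.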
+++ b/pkgs/development/compilers/gcl/default.nix @@ -27,22 +27,7 @@ stdenv.mkDerivation rec { "--enable-ansi" ]; - # Upstream bug submitted - http://savannah.gnu.org/bugs/index.php?30371 - # $TMPDIR must have no extension - # setVars = a.noDepEntry '' - # export TMPDIR="''${TMPDIR:-''${TMP:-''${TEMP}}}/tmp-for-gcl" - # mkdir -p "$TMPDIR" - # ''; - - preBuild = '' - # sed -re "s@/bin/cat@$(which cat)@g" -i configure */configure - # sed -re "s@if test -d /proc/self @if false @" -i configure - # sed -re 's^([ \t])cpp ^\1cpp -I${stdenv.cc.cc}/include -I${stdenv.cc.libc}/include ^g' -i makefile - ''; - - /* doConfigure should be removed if not needed */ - # phaseNames = ["setVars" "doUnpack" "preBuild" - # "doConfigure" "doMakeInstall"]; + hardening_pic = false; meta = { description = "GNU Common Lisp compiler working via GCC"; From 6619c68e0a1db9d0cf2b82c6fe2e3ca8c4359f06 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 25 Feb 2016 02:20:27 +0000 Subject: [PATCH 302/507] teylus: disable format hardening --- pkgs/development/compilers/teyjus/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/teyjus/default.nix b/pkgs/development/compilers/teyjus/default.nix index b16b32a6a062..1e63b2d2be0b 100644 --- a/pkgs/development/compilers/teyjus/default.nix +++ b/pkgs/development/compilers/teyjus/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation { buildInputs = [ omake ocaml flex bison ]; + hardening_format = false; + buildPhase = "omake all"; checkPhase = "omake check"; From 710f4cff7a82d1693a9735999c3a6413013124ae Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 25 Feb 2016 02:25:49 +0000 Subject: [PATCH 303/507] wvstreams: use newer gcc --- pkgs/development/libraries/wvstreams/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/wvstreams/default.nix b/pkgs/development/libraries/wvstreams/default.nix index b879cf37a315..ecfc9b88a0e4 100644 
--- a/pkgs/development/libraries/wvstreams/default.nix +++ b/pkgs/development/libraries/wvstreams/default.nix @@ -1,4 +1,4 @@ -{ stdenv, gcc46, fetchurl, qt4, dbus, zlib, openssl, readline, perl }: +{ stdenv, fetchurl, qt4, dbus, zlib, openssl, readline, perl }: stdenv.mkDerivation { name = "wvstreams-4.6.1"; @@ -16,7 +16,7 @@ stdenv.mkDerivation { sed -e '1i#include ' -i $(find . -name '*.c' -o -name '*.cc') ''; - buildInputs = [ gcc46 qt4 dbus zlib openssl readline perl ]; + buildInputs = [ qt4 dbus zlib openssl readline perl ]; meta = { description = "Network programming library in C++"; From da9352ee736b7e4344a338b08c23e35b39d70c9b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 25 Feb 2016 10:22:10 +0000 Subject: [PATCH 304/507] haskell.compilers.ghc6104: turn off format hardening --- pkgs/development/compilers/ghc/6.10.4.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/ghc/6.10.4.nix b/pkgs/development/compilers/ghc/6.10.4.nix index d8157673fbc3..4f95e859292a 100644 --- a/pkgs/development/compilers/ghc/6.10.4.nix +++ b/pkgs/development/compilers/ghc/6.10.4.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ghc libedit perl gmp]; + hardening_format = false; + configureFlags = [ "--with-gmp-libraries=${gmp}/lib" "--with-gmp-includes=${gmp}/include" From e0200a507bb68222673caed2e689130285fc017b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 25 Feb 2016 20:06:54 +0000 Subject: [PATCH 305/507] ssvnc: turn off format hardening --- pkgs/applications/networking/remote/ssvnc/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/networking/remote/ssvnc/default.nix b/pkgs/applications/networking/remote/ssvnc/default.nix index 956391b71f86..681ace6ab8fc 100644 --- a/pkgs/applications/networking/remote/ssvnc/default.nix +++ b/pkgs/applications/networking/remote/ssvnc/default.nix 
@@ -14,6 +14,8 @@ stdenv.mkDerivation rec { configurePhase = "makeFlags=PREFIX=$out"; + hardening_format = false; + postInstall = '' sed -i -e 's|exec wish|exec ${tk}/bin/wish|' $out/lib/ssvnc/util/ssvnc.tcl sed -i -e 's|/usr/bin/perl|${perl}/bin/perl|' $out/lib/ssvnc/util/ss_vncviewer From 7412bffd9e85a4038b8065ed7455dd9052a8cdfc Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 15:42:23 +0000 Subject: [PATCH 306/507] self: use default compiler --- pkgs/development/interpreters/self/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/interpreters/self/default.nix b/pkgs/development/interpreters/self/default.nix index d37d60993944..c00298c0fdc8 100644 --- a/pkgs/development/interpreters/self/default.nix +++ b/pkgs/development/interpreters/self/default.nix @@ -1,4 +1,4 @@ -{ fetchurl, fetchgit, stdenv, xorg, gcc44, makeWrapper, ncurses, cmake }: +{ fetchurl, fetchgit, stdenv, xorg, makeWrapper, ncurses, cmake }: stdenv.mkDerivation rec { # The Self wrapper stores source in $XDG_DATA_HOME/self or ~/.local/share/self @@ -21,7 +21,7 @@ stdenv.mkDerivation rec { }; # gcc 4.6 and above causes crashes on Self startup but gcc 4.4 works. - buildInputs = [ gcc44 ncurses xorg.libX11 xorg.libXext makeWrapper cmake ]; + buildInputs = [ ncurses xorg.libX11 xorg.libXext makeWrapper cmake ]; selfWrapper = ./self; From 351173c2ddf98b9d8ac64f64784835c91dc45571 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 15:51:08 +0000 Subject: [PATCH 307/507] stunnel: 5.29 -> 5.30 --- pkgs/tools/networking/stunnel/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/networking/stunnel/default.nix b/pkgs/tools/networking/stunnel/default.nix index e8b56ed7d966..b3a493c9375d 100644 --- a/pkgs/tools/networking/stunnel/default.nix +++ b/pkgs/tools/networking/stunnel/default.nix 
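Review bot: In the self hunk the context line `# gcc 4.6 and above causes crashes on Self startup but gcc 4.4 works.` is kept directly above the new `buildInputs`, which no longer contain gcc44, so the comment now contradicts the code. Either the crash is known to be fixed, in which case the comment should go, or it is not, in which case dropping the pinned compiler deserves a mention in the commit message rather than the subject "use default compiler". If the history is worth keeping, `# Historically pinned to gcc 4.4 because newer gcc crashed Self on startup; now built with the stdenv compiler.` records it without misleading the next reader.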
@@ -2,11 +2,11 @@ stdenv.mkDerivation rec { name = "stunnel-${version}"; - version = "5.29"; + version = "5.30"; src = fetchurl { url = "http://www.stunnel.org/downloads/${name}.tar.gz"; - sha256 = "0lgmdpsm36a6j5s0jabv3cfg3rzqz9c9sfdqgkx399iy80jrd423"; + sha256 = "0w05sqwg3jn7n469w2yxj0cxx7az7jpd8wbcrwxlp5d1ys4v6vkx"; }; buildInputs = [ openssl ]; From 46b0d5163669f1368523cdae25420db2b043ae0a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 15:59:24 +0000 Subject: [PATCH 308/507] flow: 0.18 -> 0.22 --- pkgs/development/tools/analysis/flow/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/tools/analysis/flow/default.nix b/pkgs/development/tools/analysis/flow/default.nix index 938f6e9c2b96..3ed7434e4a8a 100644 --- a/pkgs/development/tools/analysis/flow/default.nix +++ b/pkgs/development/tools/analysis/flow/default.nix @@ -3,13 +3,13 @@ with lib; stdenv.mkDerivation rec { - version = "0.18.1"; + version = "0.22.0"; name = "flow-${version}"; src = fetchFromGitHub { owner = "facebook"; repo = "flow"; rev = "v${version}"; - sha256 = "00pmrk577p6ngqif4rvhwybb4gyw70vsgxcxxwj995dg4hf196s1"; + sha256 = "1p8a5cf85ydz6g04zsvsa6sh2b4p94mj9cqj7k6llf0dsiihrv54"; }; installPhase = '' From c045d2de37261fcfb1d83f427b364684e715e842 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 16:08:51 +0000 Subject: [PATCH 309/507] signing-party: 2.1 -> 2.2 --- pkgs/tools/security/signing-party/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/security/signing-party/default.nix b/pkgs/tools/security/signing-party/default.nix index dfd5cd6c7d7c..e2e3955628de 100644 --- a/pkgs/tools/security/signing-party/default.nix +++ b/pkgs/tools/security/signing-party/default.nix 
@@ -1,12 +1,12 @@ {stdenv, fetchurl, gnupg, perl, automake111x, autoconf}: stdenv.mkDerivation rec { - version = "2.1"; + version = "2.2"; basename = "signing-party"; name = "${basename}-${version}"; src = fetchurl { url = "mirror://debian/pool/main/s/${basename}/${basename}_${version}.orig.tar.gz"; - sha256 = "0pcni3mf92503bqknwlsvv1f5gz23dmzwas2j8g2fk7afjd891ya"; + sha256 = "13qncdyadw1cnslc2xss9s2rpkalm7rz572b23p7mqcdqp30cpdd"; }; sourceRoot = "."; From b6279950bdec2614454bf41ec6ab999ad9b1a0ed Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 16:30:26 +0000 Subject: [PATCH 310/507] openssh: enable pie hardening --- pkgs/tools/networking/openssh/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index a6aed5169c8b..67c0f3ec89ee 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -71,6 +71,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardening_pie = true; + postInstall = '' # Install ssh-copy-id, it's very useful. cp contrib/ssh-copy-id $out/bin/ From 310fa567881422cc8c95bb977c8f6b70e1e06304 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 16:38:26 +0000 Subject: [PATCH 311/507] nginx: enable pie hardening --- pkgs/servers/http/nginx/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/http/nginx/default.nix b/pkgs/servers/http/nginx/default.nix index 6944a89477ad..3dbb34f9b021 100644 --- a/pkgs/servers/http/nginx/default.nix +++ b/pkgs/servers/http/nginx/default.nix @@ -55,6 +55,8 @@ stdenv.mkDerivation rec { preConfigure = concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules; + hardening_pie = true; + meta = { description = "A reverse proxy and lightweight webserver"; homepage = http://nginx.org; From a73762200daa5fe2c3fb9ab917fbab0c1fc34a20 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 26 Feb 2016 16:45:49 +0000 Subject: [PATCH 312/507] socat: enable pie hardening --- pkgs/tools/networking/socat/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/networking/socat/default.nix b/pkgs/tools/networking/socat/default.nix index c672801262be..b2704c2a2033 100644 --- a/pkgs/tools/networking/socat/default.nix +++ b/pkgs/tools/networking/socat/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { patches = [ ./enable-ecdhe.patch ./libressl-fixes.patch ]; + hardening_pie = true; + meta = { description = "A utility for bidirectional data transfer between two independent data channels"; homepage = http://www.dest-unreach.org/socat/; From 631c09bbe5946ca0e1b5a58f0ad37b7616481616 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 17:26:03 +0000 Subject: [PATCH 313/507] checksec: clean up --- pkgs/os-specific/linux/checksec/default.nix | 9 ++++----- pkgs/tools/networking/ntp/default.nix | 2 ++ 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/pkgs/os-specific/linux/checksec/default.nix b/pkgs/os-specific/linux/checksec/default.nix index b423dc3a0862..5752bbb72bc4 100644 --- a/pkgs/os-specific/linux/checksec/default.nix +++ b/pkgs/os-specific/linux/checksec/default.nix @@ -3,6 +3,7 @@ stdenv.mkDerivation rec { name = "checksec-${version}"; version = "1.5"; + src = fetchurl { url = "http://www.trapkit.de/tools/checksec.sh"; sha256 = "0iq9v568mk7g7ksa1939g5f5sx7ffq8s8n2ncvphvlckjgysgf3p"; @@ -11,9 +12,9 @@ stdenv.mkDerivation rec { patches = [ ./0001-attempt-to-modprobe-config-before-checking-kernel.patch ]; unpackPhase = '' - mkdir ${name}-${version} - cp $src ${name}-${version}/checksec.sh - cd ${name}-${version} + mkdir ${name} + cp $src ${name}/checksec.sh + cd ${name} ''; installPhase = '' 
@@ -32,8 +33,6 @@ stdenv.mkDerivation rec { substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -" ''; - phases = "unpackPhase patchPhase installPhase"; - meta = { description = "A tool for checking security bits on executables"; homepage = "http://www.trapkit.de/tools/checksec.html"; diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix index 8a23eeb60f4f..4e1e8931f0ad 100644 --- a/pkgs/tools/networking/ntp/default.nix +++ b/pkgs/tools/networking/ntp/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ autoreconfHook ]; buildInputs = [ libcap openssl ]; + hardening_pie = true; + postInstall = '' rm -rf $out/share/doc ''; From 87e64f153b792d0b07f1d6a0cd0e8b5dd0c21424 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 17:27:28 +0000 Subject: [PATCH 314/507] cron: enable pie hardening --- pkgs/tools/system/cron/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix index 998be45d9c64..805336cfe44b 100644 --- a/pkgs/tools/system/cron/default.nix +++ b/pkgs/tools/system/cron/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation { unpackCmd = "(mkdir cron && cd cron && sh $curSrc)"; + hardening_pie = true; + preBuild = '' substituteInPlace Makefile --replace ' -o root' ' ' --replace 111 755 makeFlags="DESTROOT=$out" From 62f65d15ca1ffaee1675a94d174259f4eca853b8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 17:54:46 +0000 Subject: [PATCH 315/507] chrony: enable pie hardening --- pkgs/tools/networking/chrony/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/networking/chrony/default.nix b/pkgs/tools/networking/chrony/default.nix index dca92c565af9..57981fdaa669 100644 --- a/pkgs/tools/networking/chrony/default.nix +++ b/pkgs/tools/networking/chrony/default.nix 
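Review bot: Dropping `phases = "unpackPhase patchPhase installPhase";` in checksec means the default configure, build and check phases now run in the unpacked directory as well. Nothing in the hunk shows a configure script or Makefile there, so they are presumably no-ops, but `dontBuild = true;` next to `unpackPhase` would record that this is intended rather than a side effect of the cleanup. The rest of the derivation's attribute set lies outside the hunk.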
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec { buildInputs = [ readline texinfo nss nspr ] ++ stdenv.lib.optional stdenv.isLinux libcap; nativeBuildInputs = [ pkgconfig ]; + hardening_pie = true; + configureFlags = [ "--chronyvardir=$(out)/var/lib/chrony" ]; From e392824fb3cc7cc7f7bbe86997f46116ac9985e1 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 17:55:51 +0000 Subject: [PATCH 316/507] dnsmasq: enable pie hardening --- pkgs/tools/networking/dnsmasq/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/networking/dnsmasq/default.nix b/pkgs/tools/networking/dnsmasq/default.nix index 63720faf7078..6032e53f0baa 100644 --- a/pkgs/tools/networking/dnsmasq/default.nix +++ b/pkgs/tools/networking/dnsmasq/default.nix @@ -29,6 +29,8 @@ stdenv.mkDerivation rec { "LOCALEDIR=$(out)/share/locale" ]; + hardening_pie = true; + postBuild = optionalString stdenv.isLinux '' make -C contrib/wrt ''; From 8b9eccbf2dbc20672a21edccc02abf2a2728ebdd Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 23:03:00 +0000 Subject: [PATCH 317/507] radvd: enable pie hardening --- pkgs/tools/networking/radvd/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/networking/radvd/default.nix b/pkgs/tools/networking/radvd/default.nix index 63f82f12787d..0dbbd759911e 100644 --- a/pkgs/tools/networking/radvd/default.nix +++ b/pkgs/tools/networking/radvd/default.nix @@ -2,7 +2,7 @@ stdenv.mkDerivation rec { name = "radvd-2.11"; - + src = fetchurl { url = "http://www.litech.org/radvd/dist/${name}.tar.xz"; sha256 = "1k2sbfs4w2lkgz2mh4zh66fgahjrn2hvxcpfc091bykrzj464qq4"; @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libdaemon bison flex check ]; + hardening_pie = true; + meta = with stdenv.lib; { homepage = http://www.litech.org/radvd/; description = "IPv6 Router Advertisement Daemon"; From 1a31447c4c95496e63f23151de2849c641e28d89 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Fri, 26 Feb 2016 23:06:53 +0000 Subject: [PATCH 318/507] icecast: enable pie hardening --- pkgs/servers/icecast/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/icecast/default.nix b/pkgs/servers/icecast/default.nix index 4a89c5ad83b1..d0e238786e28 100644 --- a/pkgs/servers/icecast/default.nix +++ b/pkgs/servers/icecast/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ libxml2 libxslt curl libvorbis libtheora speex libkate libopus ]; + hardening_pie = true; + meta = { description = "Server software for streaming multimedia"; From b4dadff5429d0bf47bcdafff14dd3d0032039699 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 26 Feb 2016 23:13:13 +0000 Subject: [PATCH 319/507] memcached: enable pie hardening --- pkgs/servers/memcached/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/memcached/default.nix b/pkgs/servers/memcached/default.nix index 9d110d9c1461..cac568f8fc90 100644 --- a/pkgs/servers/memcached/default.nix +++ b/pkgs/servers/memcached/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [cyrus_sasl libevent]; + hardening_pie = true; + meta = with stdenv.lib; { description = "A distributed memory object caching system"; repositories.git = https://github.com/memcached/memcached.git; From b3d9562fc853282702c82884edc8ded50fd517c1 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Feb 2016 00:43:49 +0000 Subject: [PATCH 320/507] fix evaluation --- pkgs/top-level/all-packages.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 376fde4a8b00..d3aca452704b 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
@@ -198,14 +198,14 @@ let }; # We use pkgs_ because accessing pkgs would lead to an infinite recursion in stdenvOverrides - defaultStdenv = stdenvAdapters.useHardenFlags ( + defaultStdenv = (import ../stdenv/adapters.nix pkgs_).useHardenFlags ( pkgs_.allStdenvs.stdenv // { inherit platform; } ); stdenvCross = lowPrio (makeStdenvCross defaultStdenv crossSystem binutilsCross gccCrossStageFinal); stdenv = - if bootStdenv != null then (stdenvAdapters.useHardenFlags bootStdenv // {inherit platform;}) else + if bootStdenv != null then ((import ../stdenv/adapters.nix pkgs_).useHardenFlags bootStdenv // {inherit platform;}) else if crossSystem != null then stdenvCross else From 5176e7ac770714afb031553fa1d25bb08b027dfa Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Feb 2016 00:48:49 +0000 Subject: [PATCH 321/507] mongodb: enable pie hardening --- pkgs/servers/nosql/mongodb/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/servers/nosql/mongodb/default.nix b/pkgs/servers/nosql/mongodb/default.nix index 2ea255e4432d..141e8e0929d1 100644 --- a/pkgs/servers/nosql/mongodb/default.nix +++ b/pkgs/servers/nosql/mongodb/default.nix @@ -19,6 +19,7 @@ let version = "3.2.1"; #"stemmer" -- not nice to package yet (no versioning, no makefile, no shared libs). "yaml" ] ++ optionals stdenv.isLinux [ "tcmalloc" ]; + buildInputs = [ sasl boost gperftools pcre snappy zlib libyamlcpp sasl openssl libpcap @@ -79,6 +80,8 @@ in stdenv.mkDerivation rec { enableParallelBuilding = true; + hardening_pie = true; + meta = { description = "a scalable, high-performance, open source NoSQL database"; homepage = http://www.mongodb.org; From 83bf03e1a361740ba07bde619628e110db67d891 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Feb 2016 08:20:53 +0000 Subject: [PATCH 322/507] glibc: disable stackprotector hardening --- pkgs/development/libraries/glibc/common.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
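Review bot: `(import ../stdenv/adapters.nix pkgs_).useHardenFlags` is now spelled out twice in the all-packages.nix hunk, once for `defaultStdenv` and once for the `bootStdenv` branch of `stdenv`. Importing the file in one place, e.g. `useHardenFlags = (import ../stdenv/adapters.nix pkgs_).useHardenFlags;` in the surrounding `let`, and using that name in both spots keeps the two stdenvs wrapped identically and leaves a single line to change when the adapter moves. The existing comment explains why `pkgs_` is used; extending it with why `stdenvAdapters` cannot be referenced here would help too, since the subject only says "fix evaluation".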
diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 3ddc37af44da..7bbf5562f7c2 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -165,7 +165,8 @@ stdenv.mkDerivation ({ preBuild = lib.optionalString withGd "unset NIX_DONT_SET_RPATH"; - hardening_stackprotector = name != "glibc-locales"; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; meta = { homepage = http://www.gnu.org/software/libc/; From d3fb7acb3a653c8a24dc5ea4de6b4da0f4c346ac Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Feb 2016 09:29:15 +0000 Subject: [PATCH 323/507] dietlibc: fix merge failure --- pkgs/os-specific/linux/dietlibc/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/dietlibc/default.nix b/pkgs/os-specific/linux/dietlibc/default.nix index 3d206cb5f779..09d7651c249d 100644 --- a/pkgs/os-specific/linux/dietlibc/default.nix +++ b/pkgs/os-specific/linux/dietlibc/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation { builder = ./builder.sh; inherit glibc; - kernelHeaders = glibc.kernelHeaders; + kernelHeaders = glibc.linuxHeaders; hardening_stackprotector = false; patches = [ From 14177f5e0bea88d75a5beaf167a4ba5744c06758 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Feb 2016 09:38:51 +0000 Subject: [PATCH 324/507] speed_dreams: remove obsolete variable --- pkgs/top-level/all-packages.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index abb06530f152..31d87960ed70 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
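Review bot: The glibc hunk turns `hardening_stackprotector` off unconditionally, whereas before it was only off for `glibc-locales`, so the C library itself is now built without stack canaries for every consumer of this stdenv. The `# FIXME needs gcc 4.9 in bootstrap tools` comment gives the reason, but nothing ties the flag back to that condition, so it will stay off after the bootstrap tools are updated unless someone remembers. A tracking-issue reference in the comment, or a condition on the bootstrap compiler once one can be expressed, would make the re-enable automatic; the perl hunk later in this series carries the same FIXME and should be handled together.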
@@ -14671,7 +14671,6 @@ let speed_dreams = callPackage ../games/speed-dreams { # Torcs wants to make shared libraries linked with plib libraries (it provides static). # i686 is the only platform I know than can do that linking without plib built with -fPIC - plib = plib.override { enablePIC = !stdenv.isi686; }; libpng = libpng12; }; From cfffac2a904fb717b4843d6f9378ef3f3010a47e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Feb 2016 11:50:34 +0000 Subject: [PATCH 325/507] postfix: use hardening flags from stdenv --- pkgs/servers/mail/postfix/2.11.nix | 5 ++--- pkgs/servers/mail/postfix/3.0.nix | 5 +++-- pkgs/servers/mail/postfix/default.nix | 3 ++- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/pkgs/servers/mail/postfix/2.11.nix b/pkgs/servers/mail/postfix/2.11.nix index 7c936bf12446..f2f155cbf3f3 100644 --- a/pkgs/servers/mail/postfix/2.11.nix +++ b/pkgs/servers/mail/postfix/2.11.nix @@ -36,9 +36,8 @@ stdenv.mkDerivation rec { export sendmail_path=$out/bin/sendmail make makefiles \ - CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl \ - -fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2' \ - AUXLIBS='-ldb -lnsl -lresolv -lsasl2 -lcrypto -lssl -pie -Wl,-z,relro,-z,now' + CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl' \ + AUXLIBS='-ldb -lnsl -lresolv -lsasl2 -lcrypto -lssl' ''; installTargets = [ "non-interactive-package" ]; diff --git a/pkgs/servers/mail/postfix/3.0.nix b/pkgs/servers/mail/postfix/3.0.nix index 9ea151e597bb..8f102c330ddb 100644 --- a/pkgs/servers/mail/postfix/3.0.nix +++ b/pkgs/servers/mail/postfix/3.0.nix 
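Review bot: The speed_dreams hunk removes `plib = plib.override { enablePIC = !stdenv.isi686; };` but keeps the two comment lines above it, which only explain that override and now describe nothing in the attribute set. Either delete them together with the override or replace them with one line saying why it is no longer needed — presumably because plib is built with PIC under the hardened stdenv by default, which the commit message could confirm.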
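Review bot: The postfix 2.11 hunk drops `-fPIE`, `-pie` and `-Wl,-z,relro,-z,now` from CCARGS/AUXLIBS but, unlike the 3.0.nix and default.nix hunks in the same commit, does not add `hardening_pie = true;`, so postfix 2.11 presumably ends up non-PIE while the other two variants keep it. The subject says hardening now comes from stdenv, yet the rest of this series enables PIE per package explicitly, which suggests PIE is not on by default. Adding `hardening_pie = true;` alongside the other attributes keeps the three Postfix expressions aligned; the derivation's attribute set starts outside the hunk.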
@@ -9,12 +9,11 @@ let ccargs = lib.concatStringsSep " " ([ "-DUSE_TLS" "-DUSE_SASL_AUTH" "-DUSE_CYRUS_SASL" "-I${cyrus_sasl}/include/sasl" "-DHAS_DB_BYPASS_MAKEDEFS_CHECK" - "-fPIE" "-fstack-protector-all" "--param" "ssp-buffer-size=4" "-O2" "-D_FORTIFY_SOURCE=2" ] ++ lib.optional withPgSQL "-DHAS_PGSQL" ++ lib.optionals withMySQL [ "-DHAS_MYSQL" "-I${libmysql}/include/mysql" ] ++ lib.optional withSQLite "-DHAS_SQLITE"); auxlibs = lib.concatStringsSep " " ([ - "-ldb" "-lnsl" "-lresolv" "-lsasl2" "-lcrypto" "-lssl" "-pie" "-Wl,-z,relro,-z,now" + "-ldb" "-lnsl" "-lresolv" "-lsasl2" "-lcrypto" "-lssl" ] ++ lib.optional withPgSQL "-lpq" ++ lib.optional withMySQL "-lmysqlclient" ++ lib.optional withSQLite "-lsqlite3"); @@ -37,6 +36,8 @@ in stdenv.mkDerivation rec { patches = [ ./postfix-script-shell.patch ./postfix-3.0-no-warnings.patch ./post-install-script.patch ]; + hardening_pie = true; + preBuild = '' sed -e '/^PATH=/d' -i postfix-install sed -e "s|@PACKAGE@|$out|" -i conf/post-install diff --git a/pkgs/servers/mail/postfix/default.nix b/pkgs/servers/mail/postfix/default.nix index 578453c8c56f..42355b46021d 100644 --- a/pkgs/servers/mail/postfix/default.nix +++ b/pkgs/servers/mail/postfix/default.nix @@ -15,6 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [db openssl cyrus_sasl bison perl]; hardening_format = false; + hardening_pie = true; patches = [ ./postfix-2.2.9-db.patch @@ -41,7 +42,7 @@ stdenv.mkDerivation rec { export sample_directory=$out/share/postfix/doc/samples export readme_directory=$out/share/postfix/doc - make makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl -fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2' AUXLIBS='-lssl -lcrypto -lsasl2 -ldb -lnsl -pie -Wl,-z,relro,-z,now' + make makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl' AUXLIBS='-lssl -lcrypto -lsasl2 -ldb -lnsl' ''; installPhase = '' 
From 8615f026a48cbf3f1c37b30e9b70bba6af013a12 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 27 Feb 2016 12:16:00 +0000 Subject: [PATCH 326/507] v8_3_16_14: use default stdenv --- pkgs/top-level/all-packages.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 31d87960ed70..3c00d2567403 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -8826,8 +8826,6 @@ let v8_3_16_14 = callPackage ../development/libraries/v8/3.16.14.nix { inherit (pythonPackages) gyp; - # The build succeeds using gcc5 but it fails to build pkgs.consul-ui - stdenv = overrideCC stdenv gcc48; }; v8_3_24_10 = callPackage ../development/libraries/v8/3.24.10.nix { From 4d6db3c64cf7eff77d29d05d0e6e78b238ef7846 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 28 Feb 2016 19:45:02 +0000 Subject: [PATCH 327/507] perl520: fix bootstrap compilation by disabling fortify hardening --- pkgs/development/interpreters/perl/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/development/interpreters/perl/default.nix b/pkgs/development/interpreters/perl/default.nix index d9158ad55ab5..6e416a351506 100644 --- a/pkgs/development/interpreters/perl/default.nix +++ b/pkgs/development/interpreters/perl/default.nix @@ -71,6 +71,9 @@ let enableParallelBuilding = true; + # FIXME needs gcc 4.9 in bootstrap tools + hardening_stackprotector = false; + preConfigure = '' configureFlags="$configureFlags -Dprefix=$out -Dman1dir=$out/share/man/man1 -Dman3dir=$out/share/man/man3" From 85515f0be84a21fb4ff84be8b51bbeecff8e6fa3 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 29 Feb 2016 09:44:42 +0000 Subject: [PATCH 328/507] clisp_2_44_1: disable format hardening --- pkgs/development/interpreters/clisp/2.44.1.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
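Review bot: The perl hunk sets `hardening_stackprotector = false;` while the commit subject says it disables fortify hardening; one of the two is wrong, and the FIXME comment copied from glibc does not say which failure was observed. If the stack protector is what actually breaks the bootstrap build, the subject should be corrected; if fortify was meant, the corresponding fortify attribute rather than the stack-protector one should be set. Either way a sentence naming the concrete error would let the flag be re-enabled once the bootstrap tools ship gcc 4.9.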
diff --git a/pkgs/development/interpreters/clisp/2.44.1.nix b/pkgs/development/interpreters/clisp/2.44.1.nix index 66f53831374f..fa8c8309a7a6 100644 --- a/pkgs/development/interpreters/clisp/2.44.1.nix +++ b/pkgs/development/interpreters/clisp/2.44.1.nix @@ -1,11 +1,11 @@ { stdenv, fetchurl, libsigsegv, gettext, ncurses, readline, libX11 , libXau, libXt, pcre, zlib, libXpm, xproto, libXext, xextproto , libffi, libffcall, coreutils }: - + stdenv.mkDerivation rec { v = "2.44.1"; name = "clisp-${v}"; - + src = fetchurl { url = "mirror://gnu/clisp/release/${v}/${name}.tar.gz"; sha256 = "0rkp6j6rih4s5d9acifh7pi4b9xfgcspif512l269dqy9qgyy4j1"; @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { zlib libXpm xproto libXext xextproto libffi libffcall ]; patches = [ ./bits_ipctypes_to_sys_ipc.patch ]; # from Gentoo - + # First, replace port 9090 (rather low, can be used) # with 64237 (much higher, IANA private area, not # anything rememberable). @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { substituteInPlace modules/bindings/glibc/linux.lisp --replace "(def-c-type __swblk_t)" "" ''; - + configureFlags = '' --with-readline builddir --with-dynamic-ffi @@ -45,6 +45,8 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE="-O0"; + hardening_format = false; + # TODO : make mod-check fails doCheck = false; From 2d17e81d2d482c453074efb51482278455024e2f Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 29 Feb 2016 12:31:59 +0000 Subject: [PATCH 329/507] clang-analyzer: use default clang --- pkgs/top-level/all-packages.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 70b6b95e491f..0f2a40a548ec 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
@@ -3998,10 +3998,7 @@ let clang_34 = wrapCC llvmPackages_34.clang; clang_33 = wrapCC (clangUnwrapped llvm_33 ../development/compilers/llvm/3.3/clang.nix); - clang-analyzer = callPackage ../development/tools/analysis/clang-analyzer { - clang = clang_34; - llvmPackages = llvmPackages_34; - }; + clang-analyzer = callPackage ../development/tools/analysis/clang-analyzer { }; clangUnwrapped = llvm: pkg: callPackage pkg { inherit llvm; }; From 4f0608abdb1c3c9239808eca6de9c58de8bced80 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 29 Feb 2016 12:51:28 +0000 Subject: [PATCH 330/507] perseus: disable stackprotector hardening --- pkgs/applications/science/math/perseus/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/science/math/perseus/default.nix b/pkgs/applications/science/math/perseus/default.nix index 94029a043492..d2694392efae 100644 --- a/pkgs/applications/science/math/perseus/default.nix +++ b/pkgs/applications/science/math/perseus/default.nix @@ -5,6 +5,8 @@ stdenv.mkDerivation { version = "4-beta"; buildInputs = [unzip gcc48]; + hardening_stackprotector = false; + src = fetchurl { url = "http://www.sas.upenn.edu/~vnanda/source/perseus_4_beta.zip"; sha256 = "09brijnqabhgfjlj5wny0bqm5dwqcfkp1x5wif6yzdmqh080jybj"; @@ -30,7 +32,7 @@ stdenv.mkDerivation { around datasets arising from point samples, images, distance matrices and so forth. ''; - homepage = "www.sas.upenn.edu/~vnanda/perseus/index.html"; + homepage = "http://www.sas.upenn.edu/~vnanda/perseus/index.html"; license = stdenv.lib.licenses.gpl3; maintainers = with stdenv.lib.maintainers; [erikryb]; platforms = stdenv.lib.platforms.linux; From 1bbb2f0cf3f1303abd40e7bc801e7582b74f3c62 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 1 Mar 2016 12:28:06 +0000 Subject: [PATCH 331/507] pdf2xml: disable format hardening --- pkgs/development/libraries/pdf2xml/default.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
diff --git a/pkgs/development/libraries/pdf2xml/default.nix b/pkgs/development/libraries/pdf2xml/default.nix index c7c5aff24558..b73be0626230 100644 --- a/pkgs/development/libraries/pdf2xml/default.nix +++ b/pkgs/development/libraries/pdf2xml/default.nix @@ -2,20 +2,22 @@ stdenv.mkDerivation { name = "pdf2xml"; - + src = fetchurl { url = http://tarballs.nixos.org/pdf2xml.tar.gz; sha256 = "04rl7ppxqgnvxvvws669cxp478lnrdmiqj0g3m4p69bawfjc4z3w"; }; sourceRoot = "pdf2xml/pdf2xml"; - + buildInputs = [libxml2 libxpdf]; patches = [./pdf2xml.patch]; + hardening_format = false; + preBuild = '' cp Makefile.linux Makefile - + sed -i 's|/usr/include/libxml2|${libxml2}/include/libxml2|' Makefile sed -i 's|-lxml2|-lxml2 -L${libxml2}/lib|' Makefile sed -i 's|XPDF = xpdf_3.01|XPDF = ${libxpdf}/lib|' Makefile @@ -24,7 +26,7 @@ stdenv.mkDerivation { buildFlags+=" CXX=$CXX" ''; - + installPhase = '' mkdir -p $out/bin cp exe/* $out/bin From 9ba6bd4dea6dde2aa50dc118d177db0697176811 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 1 Mar 2016 22:09:15 +0000 Subject: [PATCH 332/507] caneda: disable format hardening --- pkgs/applications/science/electronics/caneda/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/applications/science/electronics/caneda/default.nix b/pkgs/applications/science/electronics/caneda/default.nix index 404ffc5010b4..152aec27d833 100644 --- a/pkgs/applications/science/electronics/caneda/default.nix +++ b/pkgs/applications/science/electronics/caneda/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { sha256 = "dfbcac97f5a1b41ad9a63392394f37fb294cbf78c576673c9bc4a5370957b2c8"; }; - cmakeFlags = [ "-DCMAKE_BUILD_TYPE=Release" ]; + hardening_format = false; buildInputs = [ cmake qt4 libxml2 libxslt ]; From a6dae3b5adff94b13a0f63a4563b8d2aacf6e1d3 Mon Sep 17 00:00:00 2001 
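Review bot: The caneda hunk replaces `cmakeFlags = [ "-DCMAKE_BUILD_TYPE=Release" ];` with `hardening_format = false;`, so the build type is dropped on the same line, which the subject "disable format hardening" does not mention. Without an explicit build type CMake falls back to the project's default configuration, which may change the optimization flags the package is built with. Keep both lines unless the Release flag was deliberately removed, and if so say why in the message.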
From: Robin Gloster Date: Tue, 1 Mar 2016 22:20:50 +0000 Subject: [PATCH 333/507] gnu-efi: disable stackprotector hardening --- pkgs/development/libraries/gnu-efi/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/gnu-efi/default.nix b/pkgs/development/libraries/gnu-efi/default.nix index e674aae2b58a..21be466a9b2d 100644 --- a/pkgs/development/libraries/gnu-efi/default.nix +++ b/pkgs/development/libraries/gnu-efi/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ pciutils ]; + hardening_stackprotector = false; + makeFlags = [ "PREFIX=\${out}" "CC=gcc" From a12ecfc4054db18fbb6c9208c284443717f4e5d6 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 1 Mar 2016 22:21:08 +0000 Subject: [PATCH 334/507] refind: disable stackprotector hardening --- pkgs/tools/bootloaders/refind/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/bootloaders/refind/default.nix b/pkgs/tools/bootloaders/refind/default.nix index 110e00976e83..f27dd3c5be67 100644 --- a/pkgs/tools/bootloaders/refind/default.nix +++ b/pkgs/tools/bootloaders/refind/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { buildInputs = [ unzip gnu-efi efibootmgr dosfstools imagemagick ]; + hardening_stackprotector = false; + HOSTARCH = if stdenv.system == "x86_64-linux" then "x64" else if stdenv.system == "i686-linux" then "ia32" From 2f7e9f26d84b79e9c5a0bd9e7647f10b5d02817e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 1 Mar 2016 22:21:21 +0000 Subject: [PATCH 335/507] gummiboot: disable stackprotector hardening --- pkgs/tools/misc/gummiboot/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/misc/gummiboot/default.nix b/pkgs/tools/misc/gummiboot/default.nix index d25b4f65ad7f..b73d83201e0e 100644 --- a/pkgs/tools/misc/gummiboot/default.nix +++ b/pkgs/tools/misc/gummiboot/default.nix 
@@ -5,7 +5,7 @@ stdenv.mkDerivation rec {
buildInputs = [ gnu-efi pkgconfig libxslt utillinux ];
- #hardening_all = false;
+ hardening_stackprotector = false;
# Sigh, gummiboot should be able to find this in buildInputs
configureFlags = [
From 4c9c4c4dcdf406adb235682ab4d50985513f92e3 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Tue, 1 Mar 2016 22:47:29 +0000
Subject: [PATCH 336/507] redmine: disable format hardening
---
pkgs/applications/version-management/redmine/default.nix | 3 +++
1 file changed, 3 insertions(+)
diff --git a/pkgs/applications/version-management/redmine/default.nix b/pkgs/applications/version-management/redmine/default.nix
index 3a8df10f1661..982dcb1d56bf 100644
--- a/pkgs/applications/version-management/redmine/default.nix
+++ b/pkgs/applications/version-management/redmine/default.nix
@@ -11,6 +11,8 @@ in stdenv.mkDerivation rec {
sha256 = "0x0zwxyj4dwbk7l64s3lgny10mjf0ba8jwrbafsm4d72sncmacv0";
};
+ hardening_format = false;
+
# taken from redmine (2.5.1-2~bpo70+3) in debian wheezy-backports
# needed to separate run-time and build-time directories
patches = [
@@ -18,6 +20,7 @@ in stdenv.mkDerivation rec {
./2004_FHS_plugins_assets.patch
./2003_externalize_session_config.patch
];
+
postPatch = ''
substituteInPlace lib/redmine/plugin.rb --replace "File.join(Rails.root, 'plugins')" "ENV['RAILS_PLUGINS']"
substituteInPlace lib/redmine/plugin.rb --replace "File.join(Rails.root, 'plugins', id.to_s, 'db', 'migrate')" "File.join(ENV['RAILS_PLUGINS'], id.to_s, 'db', 'migrate')"
From 84cc00b4036b052fa39e74e8684cc6055b3fcf47 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 3 Mar 2016 16:55:17 +0000
Subject: [PATCH 337/507] ceph: possible fix for zip timestamps
---
pkgs/tools/filesystems/ceph/generic.nix | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/pkgs/tools/filesystems/ceph/generic.nix b/pkgs/tools/filesystems/ceph/generic.nix
index 1673e69679b4..19457e136556 100644
--- a/pkgs/tools/filesystems/ceph/generic.nix
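Review bot: `hardening_format = false;` is added to the redmine derivation without saying what it fixes; redmine is a Ruby application, and if this derivation compiles no C/C++ sources (not visible in the hunk) the toggle is inert and would be better left out. If a native extension does fail under format hardening, a comment naming it, e.g. `# <extension-name> fails to build with format hardening enabled`, keeps the override reviewable and removable. The second redmine hunk only inserts a blank line before `postPatch`.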
+++ b/pkgs/tools/filesystems/ceph/generic.nix
@@ -1,4 +1,5 @@
-{ stdenv, autoconf, automake, makeWrapper, pkgconfig, libtool, which, git
+{ stdenv, ensureNewerSourcesHook, autoconf, automake, makeWrapper, pkgconfig
+, libtool, which, git
, boost, python, pythonPackages, libxml2, zlib
# Optional Dependencies
@@ -111,7 +112,10 @@ stdenv.mkDerivation {
./0001-Makefile-env-Don-t-force-sbin.patch
];
- nativeBuildInputs = [ autoconf automake makeWrapper pkgconfig libtool which git ]
+ nativeBuildInputs = [
+ autoconf automake makeWrapper pkgconfig libtool which git
+ (ensureNewerSourcesHook { year = "1980"; })
+ ] ++ optionals (versionAtLeast version "9.0.2") [
pythonPackages.setuptools pythonPackages.argparse
];
From 23d85c7c902b98b93d377ecf236a374e6a9b62bb Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 3 Mar 2016 18:53:49 +0000
Subject: [PATCH 338/507] spark: fix hash
---
pkgs/applications/networking/cluster/spark/default.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/applications/networking/cluster/spark/default.nix b/pkgs/applications/networking/cluster/spark/default.nix
index a0abe4f31422..79074d2d28e6 100644
--- a/pkgs/applications/networking/cluster/spark/default.nix
+++ b/pkgs/applications/networking/cluster/spark/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
src = fetchzip {
url = "mirror://apache/spark/${name}/${name}-bin-cdh4.tgz";
- sha256 = "0waq8xx4bjj1yvfbadv1gdvz8s4kh5zasicv2n5623ld6lj7zgad";
+ sha256 = "19ycx1r8g82vkvzmn9wxkssmv2damrg72yfmrgzpc6xyh071g91c";
};
buildInputs = [ makeWrapper jre pythonPackages.python pythonPackages.numpy ]
From 745fa2fbc8c9dfa8eeccb57d3b60aa3d4871c86f Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 3 Mar 2016 19:01:21 +0000
Subject: [PATCH 339/507] pharo-vm5: disable format hardening
---
pkgs/development/pharo/vm/build-vm.nix | 2 ++
1 file changed, 2 insertions(+)
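Review bot: The new `(ensureNewerSourcesHook { year = "1980"; })` entry in nativeBuildInputs carries no comment, and the commit title ("possible fix for zip timestamps") is the only rationale on record. A one-line comment at that entry, e.g. `# zip cannot store mtimes before 1980; bump source timestamps (see commit message)`, would explain why a bare year literal sits among the build inputs and make it easy to drop once the underlying cause is fixed. The enclosing nativeBuildInputs expression continues with `++ optionals …` beyond the rewritten lines.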
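Review bot: The spark hunk swaps the `sha256` of a `fetchzip` whose URL is unchanged, and neither the commit message ("fix hash") nor the file records why the previous hash stopped matching. From a supply-chain standpoint a hash replaced against an unchanged URL should be checked against the checksum upstream publishes for the archive, or the change should state that only fetchzip's output hashing changed, before it is merged; otherwise a substituted artifact would be accepted as a "fix". A comment at the `sha256` line such as `# hash re-verified against upstream checksum on <date>` would record that check.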
diff --git a/pkgs/development/pharo/vm/build-vm.nix b/pkgs/development/pharo/vm/build-vm.nix
index 3dfe913145ce..9665b78d3b27 100644
--- a/pkgs/development/pharo/vm/build-vm.nix
+++ b/pkgs/development/pharo/vm/build-vm.nix
@@ -21,6 +21,8 @@ stdenv.mkDerivation rec {
mimeType = "application/x-pharo-image";
};
+ hardening_format = false;
+
# Building
preConfigure = ''
cd build/
From c3096a4160b6122a4b6ee8bd66769458775b357c Mon Sep 17 00:00:00 2001
From: Tristan Helmich
Date: Fri, 4 Mar 2016 14:48:06 +0100
Subject: [PATCH 340/507] memtest86+: disable pic/stackprotector hardening
---
pkgs/tools/misc/memtest86+/default.nix | 3 +++
1 file changed, 3 insertions(+)
diff --git a/pkgs/tools/misc/memtest86+/default.nix b/pkgs/tools/misc/memtest86+/default.nix
index 7e3824263365..097c26071fcf 100644
--- a/pkgs/tools/misc/memtest86+/default.nix
+++ b/pkgs/tools/misc/memtest86+/default.nix
@@ -22,6 +22,9 @@ stdenv.mkDerivation rec {
NIX_CFLAGS_COMPILE = "-I. -std=gnu90";
+ hardening_pic = false;
+ hardening_stackprotector = false;
+
buildFlags = "memtest.bin";
installPhase = ''
From e43a3841b02134c1576b03ae86e14bd46030d953 Mon Sep 17 00:00:00 2001
From: Tristan Helmich
Date: Fri, 4 Mar 2016 14:51:07 +0100
Subject: [PATCH 341/507] faac: disable format hardening
---
pkgs/development/libraries/faac/default.nix | 2 ++
1 file changed, 2 insertions(+)
diff --git a/pkgs/development/libraries/faac/default.nix b/pkgs/development/libraries/faac/default.nix
index 802aafc444c3..505f00532875 100644
--- a/pkgs/development/libraries/faac/default.nix
+++ b/pkgs/development/libraries/faac/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation rec { ++ optional mp4v2Support "--with-mp4v2" ++ optional drmSupport "--enable-drm";
+ hardening_format = false;
+
buildInputs = [ ] ++ optional mp4v2Support mp4v2;
From d4ece75fd6df3410b8f038db152b04fb8014496d Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Fri, 26 Feb 2016 18:39:28 +0100
Subject: [PATCH 342/507] haskellPackages.epanet-haskell: Turn format hardening off
---
pkgs/development/haskell-modules/configuration-common.nix | 3 +++
1 file changed, 3 insertions(+)
diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix
index 80047f0ca1ed..e948d1833b83 100644
--- a/pkgs/development/haskell-modules/configuration-common.nix
+++ b/pkgs/development/haskell-modules/configuration-common.nix
@@ -44,6 +44,9 @@ self: super: {
c2hs = pkgs.lib.overrideDerivation (dontCheck super.c2hs) (drv: {
hardening_format = false;
});
+ epanet-haskell = pkgs.lib.overrideDerivation super.epanet-haskell (drv: {
+ hardening_format = false;
+ });
# The package doesn't compile with ruby 1.9, which is our default at the moment.
hruby = super.hruby.override { ruby = pkgs.ruby_2_1; };
From a2e449e43e82e258b94c723d92a5e9af641967e7 Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Sat, 14 Nov 2015 06:24:15 +0100
Subject: [PATCH 343/507] coreutils: Skip some tests (filenames too long)
---
pkgs/tools/misc/coreutils/default.nix | 2 ++
1 file changed, 2 insertions(+)
diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix
index 4a944f698786..6e7c6daca56d 100644
--- a/pkgs/tools/misc/coreutils/default.nix
+++ b/pkgs/tools/misc/coreutils/default.nix
@@ -28,6 +28,8 @@ let
postPatch = optionalString (!stdenv.isDarwin) ''
sed '2i echo Skipping dd sparse test && exit 0' -i ./tests/dd/sparse.sh
sed '2i echo Skipping cp sparse test && exit 0' -i ./tests/cp/sparse.sh
+ sed '2i echo Skipping rm deep-2 test && exit 0' -i ./tests/rm/deep-2.sh
+ sed '2i echo Skipping du long-from-unreadable test && exit 0' -i ./tests/du/long-from-unreadable.sh
'';
configureFlags = optionalString stdenv.isSunOS "ac_cv_func_inotify_init=no";
From aff1f4ab948b921ceaf2b81610f2f82454302b4b Mon Sep 17 00:00:00 2001
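Review bot: The two added `sed '2i … && exit 0'` lines disable the rm deep-2 and du long-from-unreadable tests permanently, but the file does not say why; the only rationale is the commit title ("filenames too long"). A comment above the new lines, e.g. `# skipped: these tests use filenames too long for this build environment (see commit message)`, would keep the lost coverage visible, ideally together with an upstream issue reference (placeholder: <issue-url>) so the skips can be removed once resolved. The enclosing `postPatch` string starts inside the hunk but the `let` block that holds it does not.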
From: Franz Pletz Date: Fri, 26 Feb 2016 18:38:15 +0100 Subject: [PATCH 344/507] Use general hardening flag toggle lists The following parameters are now available: * hardeningDisable To disable specific hardening flags * hardeningEnable To enable specific hardening flags Only the cc-wrapper supports this right now, but these may be reused by other wrappers, builders or setup hooks. cc-wrapper supports the following flags: * fortify * stackprotector * pie (disabled by default) * pic * strictoverflow * format * relro * bindnow --- pkgs/applications/audio/QmidiNet/default.nix | 2 +- pkgs/applications/audio/aacgain/default.nix | 2 +- .../applications/audio/cdparanoia/default.nix | 2 +- pkgs/applications/audio/csound/default.nix | 2 +- .../audio/freewheeling/default.nix | 2 +- .../audio/jack-capture/default.nix | 2 +- pkgs/applications/audio/lingot/default.nix | 2 +- pkgs/applications/audio/mi2ly/default.nix | 2 +- pkgs/applications/audio/mp3info/default.nix | 2 +- pkgs/applications/audio/mp3val/default.nix | 2 +- pkgs/applications/audio/mpg321/default.nix | 2 +- pkgs/applications/audio/musescore/default.nix | 3 +- .../audio/pd-plugins/cyclone/default.nix | 2 +- .../audio/pd-plugins/maxlib/default.nix | 2 +- .../audio/pd-plugins/mrpeach/default.nix | 2 +- pkgs/applications/audio/rakarrack/default.nix | 2 +- .../audio/zynaddsubfx/default.nix | 2 +- pkgs/applications/editors/ht/default.nix | 2 +- pkgs/applications/editors/leafpad/default.nix | 2 +- .../graphics/cinepaint/default.nix | 2 +- pkgs/applications/graphics/giv/default.nix | 2 +- pkgs/applications/graphics/gqview/default.nix | 2 +- .../applications/graphics/meshlab/default.nix | 2 +- .../graphics/qtpfsgui/default.nix | 2 +- .../graphics/tesseract/default.nix | 2 +- pkgs/applications/graphics/xfig/default.nix | 2 +- pkgs/applications/inferno/default.nix | 2 +- pkgs/applications/misc/epdfview/default.nix | 2 +- pkgs/applications/misc/gkrellm/default.nix | 2 +- pkgs/applications/misc/grip/default.nix | 2 +- 
pkgs/applications/misc/k2pdfopt/default.nix | 2 +- pkgs/applications/misc/navit/default.nix | 2 +- pkgs/applications/misc/posterazor/default.nix | 2 +- pkgs/applications/misc/sdcv/default.nix | 2 +- pkgs/applications/misc/tasknc/default.nix | 2 +- pkgs/applications/misc/vym/default.nix | 2 +- pkgs/applications/misc/wordnet/default.nix | 2 +- .../browsers/vimprobable2/default.nix | 2 +- .../networking/browsers/w3m/default.nix | 2 +- .../silc-client/default.nix | 2 +- .../instant-messengers/vacuum/default.nix | 2 +- .../networking/iptraf-ng/default.nix | 2 +- .../networking/mailreaders/alpine/default.nix | 3 +- .../mailreaders/realpine/default.nix | 2 +- .../networking/remote/ssvnc/default.nix | 2 +- .../science/electronics/caneda/default.nix | 2 +- .../science/geometry/drgeo/default.nix | 2 +- .../science/logic/ltl2ba/default.nix | 2 +- .../science/logic/otter/default.nix | 2 +- .../science/logic/prover9/default.nix | 2 +- .../applications/science/math/cbc/default.nix | 2 +- .../science/math/perseus/default.nix | 2 +- .../science/math/qalculate-gtk/default.nix | 2 +- .../science/math/yacas/default.nix | 2 +- .../version-management/cvs/default.nix | 2 +- .../git-and-tools/git/default.nix | 2 +- .../git-and-tools/qgit/default.nix | 2 +- .../version-management/redmine/default.nix | 2 +- pkgs/applications/video/aegisub/default.nix | 3 +- .../virtualization/OVMF/default.nix | 4 +- .../virtualization/bochs/default.nix | 2 +- .../virtualization/cbfstool/default.nix | 2 +- .../virtualization/seabios/default.nix | 3 +- .../virtualbox/guest-additions/default.nix | 2 +- .../virtualization/xen/generic.nix | 4 +- .../window-managers/stalonetray/default.nix | 2 +- pkgs/build-support/cc-wrapper/add-hardening | 41 +++++++++++++++++++ pkgs/build-support/cc-wrapper/cc-wrapper.sh | 10 ++--- pkgs/build-support/cc-wrapper/default.nix | 1 + pkgs/build-support/cc-wrapper/ld-wrapper.sh | 5 ++- .../gnome-2/platform/libgnomecups/default.nix | 2 +- .../gnome-2/platform/libgtkhtml/default.nix 
| 2 +- .../gnome-3/3.18/misc/libgda/default.nix | 2 +- pkgs/desktops/kde-4.14/kdebindings/qtruby.nix | 2 +- .../xfce/panel-plugins/xfce4-verve-plugin.nix | 2 +- pkgs/development/compilers/clean/default.nix | 3 +- pkgs/development/compilers/dev86/default.nix | 2 +- pkgs/development/compilers/ecl/default.nix | 2 +- pkgs/development/compilers/edk2/default.nix | 3 +- .../development/compilers/gcc/4.3/default.nix | 3 +- .../development/compilers/gcc/4.4/default.nix | 2 +- .../development/compilers/gcc/4.5/default.nix | 3 +- .../development/compilers/gcc/4.6/default.nix | 2 +- .../development/compilers/gcc/4.8/default.nix | 2 +- .../development/compilers/gcc/4.9/default.nix | 5 +-- pkgs/development/compilers/gcc/5/default.nix | 2 +- pkgs/development/compilers/gcl/default.nix | 2 +- pkgs/development/compilers/ghc/6.10.4.nix | 2 +- pkgs/development/compilers/go/1.4.nix | 2 +- pkgs/development/compilers/go/1.5.nix | 2 +- pkgs/development/compilers/go/1.6.nix | 2 +- pkgs/development/compilers/mkcl/default.nix | 2 +- pkgs/development/compilers/squeak/default.nix | 2 +- .../compilers/swi-prolog/default.nix | 2 +- pkgs/development/compilers/teyjus/default.nix | 2 +- .../haskell-modules/configuration-common.nix | 12 ++---- .../development/interpreters/clisp/2.44.1.nix | 2 +- pkgs/development/interpreters/erlang/R14.nix | 2 +- .../development/interpreters/lush/default.nix | 2 +- .../development/interpreters/perl/default.nix | 2 +- .../interpreters/spidermonkey/default.nix | 2 +- .../interpreters/supercollider/default.nix | 2 +- pkgs/development/libraries/CoinMP/default.nix | 2 +- .../development/libraries/accelio/default.nix | 3 +- .../development/libraries/allegro/default.nix | 2 +- .../libraries/audio/libbs2b/default.nix | 2 +- pkgs/development/libraries/cgui/default.nix | 2 +- pkgs/development/libraries/cloog/0.18.0.nix | 2 +- pkgs/development/libraries/cwiid/default.nix | 2 +- pkgs/development/libraries/db/db-4.4.nix | 2 +- pkgs/development/libraries/db/db-4.5.nix | 2 +- 
pkgs/development/libraries/db/db-4.7.nix | 2 +- pkgs/development/libraries/db/db-4.8.nix | 2 +- pkgs/development/libraries/faac/default.nix | 2 +- pkgs/development/libraries/fox/default.nix | 2 +- pkgs/development/libraries/fox/fox-1.6.nix | 2 +- .../development/libraries/freetds/default.nix | 2 +- .../development/libraries/fribidi/default.nix | 2 +- pkgs/development/libraries/gd/default.nix | 2 +- pkgs/development/libraries/gdal/default.nix | 2 +- pkgs/development/libraries/gdal/gdal-1_11.nix | 2 +- pkgs/development/libraries/gdome2/default.nix | 2 +- .../development/libraries/geoclue/default.nix | 2 +- .../development/libraries/gettext/default.nix | 5 +-- pkgs/development/libraries/giflib/4.1.nix | 2 +- .../development/libraries/giflib/libungif.nix | 2 +- pkgs/development/libraries/glibc/common.nix | 2 +- pkgs/development/libraries/glibc/default.nix | 3 +- pkgs/development/libraries/gmp/5.1.x.nix | 2 +- .../development/libraries/gnu-efi/default.nix | 2 +- pkgs/development/libraries/isl/0.11.1.nix | 2 +- .../libraries/java/swt/default.nix | 2 +- pkgs/development/libraries/libelf/default.nix | 2 +- pkgs/development/libraries/libf2c/default.nix | 2 +- .../libraries/libgeotiff/default.nix | 2 +- .../libraries/libgphoto2/default.nix | 2 +- pkgs/development/libraries/libmpc/default.nix | 2 +- pkgs/development/libraries/librsync/0.9.nix | 2 +- .../libraries/libvisual/default.nix | 2 +- pkgs/development/libraries/mp4v2/default.nix | 2 +- pkgs/development/libraries/mpfr/default.nix | 2 +- .../nvidia-texture-tools/default.nix | 2 +- .../development/libraries/opencascade/6.5.nix | 2 +- .../libraries/opencascade/default.nix | 2 +- pkgs/development/libraries/opencv/3.x.nix | 3 +- pkgs/development/libraries/opencv/default.nix | 3 +- .../development/libraries/pdf2xml/default.nix | 2 +- .../libraries/portmidi/default.nix | 2 +- pkgs/development/libraries/pupnp/default.nix | 2 +- pkgs/development/libraries/qhull/default.nix | 2 +- pkgs/development/libraries/qt-3/default.nix | 2 
+- .../libraries/qtscriptgenerator/default.nix | 2 +- pkgs/development/libraries/smpeg/default.nix | 2 +- .../development/libraries/speechd/default.nix | 2 +- pkgs/development/libraries/tidyp/default.nix | 2 +- .../libraries/xmlrpc-c/default.nix | 2 +- pkgs/development/libraries/zlib/default.nix | 2 +- .../misc/avr-gcc-with-avr-libc/default.nix | 2 +- pkgs/development/pharo/vm/build-vm.nix | 2 +- .../python-modules/wxPython/generic.nix | 2 +- .../tools/analysis/cccc/default.nix | 2 +- .../tools/analysis/radare/default.nix | 2 +- .../tools/analysis/valgrind/default.nix | 2 +- .../development/tools/boost-build/default.nix | 2 +- .../tools/misc/binutils/default.nix | 2 +- .../tools/misc/elfutils/default.nix | 2 +- pkgs/development/tools/misc/gnum4/default.nix | 2 +- .../tools/misc/patchelf/default.nix | 2 +- pkgs/development/tools/misc/texinfo/6.0.nix | 2 +- pkgs/development/tools/omniorb/default.nix | 2 +- pkgs/development/tools/parsing/bison/3.x.nix | 2 +- pkgs/games/asc/default.nix | 2 +- pkgs/games/bsdgames/default.nix | 2 +- pkgs/games/crack-attack/default.nix | 2 +- pkgs/games/lincity/ng.nix | 2 +- pkgs/games/liquidwar/default.nix | 2 +- pkgs/games/pioneers/default.nix | 2 +- pkgs/games/stardust/default.nix | 2 +- pkgs/games/torcs/default.nix | 2 +- pkgs/games/xconq/default.nix | 2 +- pkgs/games/zandronum/default.nix | 2 +- pkgs/misc/emulators/dosbox/default.nix | 2 +- pkgs/misc/emulators/mupen64plus/default.nix | 2 +- pkgs/misc/emulators/nestopia/default.nix | 2 +- pkgs/misc/emulators/uae/default.nix | 2 +- pkgs/misc/mxt-app/default.nix | 2 +- pkgs/os-specific/linux/acpi-call/default.nix | 2 +- pkgs/os-specific/linux/batman-adv/default.nix | 2 +- pkgs/os-specific/linux/bbswitch/default.nix | 2 +- pkgs/os-specific/linux/blcr/default.nix | 2 +- pkgs/os-specific/linux/busybox/default.nix | 2 +- pkgs/os-specific/linux/criu/default.nix | 3 +- pkgs/os-specific/linux/dietlibc/default.nix | 3 +- .../linux/disk-indicator/default.nix | 3 +- 
pkgs/os-specific/linux/facetimehd/default.nix | 2 +- pkgs/os-specific/linux/gogoclient/default.nix | 2 +- pkgs/os-specific/linux/ifenslave/default.nix | 2 +- pkgs/os-specific/linux/jool/default.nix | 2 +- .../os-specific/linux/kernel-headers/3.18.nix | 2 +- .../linux/kernel/manual-config.nix | 6 +-- pkgs/os-specific/linux/kexectools/default.nix | 2 +- pkgs/os-specific/linux/klibc/default.nix | 3 +- .../linux/lttng-modules/default.nix | 2 +- .../linux/multipath-tools/default.nix | 2 +- pkgs/os-specific/linux/netatop/default.nix | 2 +- pkgs/os-specific/linux/numad/default.nix | 2 +- pkgs/os-specific/linux/paxctl/default.nix | 2 +- pkgs/os-specific/linux/phc-intel/default.nix | 2 +- pkgs/os-specific/linux/rtl8812au/default.nix | 2 +- pkgs/os-specific/linux/setools/default.nix | 2 +- pkgs/os-specific/linux/spl/default.nix | 2 +- pkgs/os-specific/linux/sysdig/default.nix | 2 +- pkgs/os-specific/linux/syslinux/default.nix | 3 +- pkgs/os-specific/linux/tp_smapi/default.nix | 2 +- .../linux/v4l2loopback/default.nix | 3 +- pkgs/os-specific/linux/v86d/default.nix | 2 +- .../linux/xf86-video-nested/default.nix | 2 +- pkgs/os-specific/linux/zfs/default.nix | 2 +- pkgs/servers/beanstalkd/default.nix | 2 +- pkgs/servers/firebird/default.nix | 2 +- pkgs/servers/gpm/default.nix | 2 +- pkgs/servers/http/nginx/default.nix | 2 +- pkgs/servers/icecast/default.nix | 2 +- pkgs/servers/irc/charybdis/default.nix | 2 +- pkgs/servers/mail/postfix/3.0.nix | 2 +- pkgs/servers/mail/postfix/default.nix | 4 +- pkgs/servers/memcached/default.nix | 2 +- pkgs/servers/nosql/mongodb/default.nix | 2 +- pkgs/servers/nosql/riak/1.3.1.nix | 2 +- pkgs/servers/nosql/riak/2.1.1.nix | 2 +- pkgs/servers/openafs-client/default.nix | 2 +- pkgs/servers/sip/freeswitch/default.nix | 2 +- pkgs/shells/dash/default.nix | 2 +- pkgs/stdenv/adapters.nix | 20 --------- pkgs/tools/X11/xbindkeys-config/default.nix | 2 +- pkgs/tools/admin/tightvnc/default.nix | 2 +- pkgs/tools/archivers/sharutils/default.nix | 2 +- 
pkgs/tools/archivers/unzip/default.nix | 2 +- pkgs/tools/archivers/xarchive/default.nix | 2 +- pkgs/tools/archivers/zip/default.nix | 2 +- pkgs/tools/bootloaders/refind/default.nix | 2 +- pkgs/tools/cd-dvd/cdrdao/default.nix | 2 +- pkgs/tools/cd-dvd/cdrkit/default.nix | 2 +- pkgs/tools/cd-dvd/dvdisaster/default.nix | 2 +- pkgs/tools/compression/xz/default.nix | 2 +- pkgs/tools/filesystems/fusesmb/default.nix | 2 +- pkgs/tools/filesystems/udftools/default.nix | 3 +- pkgs/tools/graphics/barcode/default.nix | 2 +- pkgs/tools/graphics/editres/default.nix | 2 +- pkgs/tools/graphics/ggobi/default.nix | 2 +- pkgs/tools/graphics/graphviz/2.0.nix | 3 +- pkgs/tools/graphics/graphviz/2.32.nix | 2 +- pkgs/tools/graphics/graphviz/default.nix | 2 +- pkgs/tools/graphics/nifskope/default.nix | 2 +- pkgs/tools/graphics/plotutils/default.nix | 2 +- pkgs/tools/graphics/pngcheck/default.nix | 2 +- pkgs/tools/graphics/qrcode/default.nix | 2 +- pkgs/tools/graphics/transfig/default.nix | 2 +- pkgs/tools/graphics/zbar/default.nix | 2 +- pkgs/tools/misc/coreutils/default.nix | 2 +- pkgs/tools/misc/ddccontrol/default.nix | 2 +- pkgs/tools/misc/detox/default.nix | 2 +- pkgs/tools/misc/expect/default.nix | 2 +- pkgs/tools/misc/gbdfed/default.nix | 2 +- pkgs/tools/misc/grub/2.0x.nix | 2 +- pkgs/tools/misc/grub/default.nix | 2 +- pkgs/tools/misc/grub/trusted.nix | 3 +- pkgs/tools/misc/gummiboot/default.nix | 2 +- pkgs/tools/misc/ipxe/default.nix | 3 +- pkgs/tools/misc/memtest86+/default.nix | 3 +- pkgs/tools/misc/pal/default.nix | 2 +- pkgs/tools/misc/sutils/default.nix | 2 +- pkgs/tools/misc/uucp/default.nix | 2 +- pkgs/tools/misc/vorbisgain/default.nix | 2 +- pkgs/tools/misc/wv/default.nix | 2 +- pkgs/tools/misc/xfstests/default.nix | 2 +- pkgs/tools/networking/chrony/default.nix | 2 +- pkgs/tools/networking/dhcpdump/default.nix | 2 +- pkgs/tools/networking/dnsmasq/default.nix | 2 +- pkgs/tools/networking/eggdrop/default.nix | 2 +- pkgs/tools/networking/iperf/2.nix | 2 +- 
pkgs/tools/networking/mailutils/default.nix | 2 +- pkgs/tools/networking/netboot/default.nix | 2 +- pkgs/tools/networking/ntp/default.nix | 2 +- .../tools/networking/openfortivpn/default.nix | 2 +- pkgs/tools/networking/openssh/default.nix | 2 +- pkgs/tools/networking/radvd/default.nix | 2 +- pkgs/tools/networking/socat/default.nix | 2 +- pkgs/tools/networking/telnet/default.nix | 2 +- pkgs/tools/networking/trickle/default.nix | 2 +- pkgs/tools/networking/uwimap/default.nix | 2 +- pkgs/tools/networking/vde2/default.nix | 2 +- .../checkinstall/default.nix | 2 +- .../tools/package-management/clib/default.nix | 2 +- pkgs/tools/security/fprint_demo/default.nix | 2 +- pkgs/tools/security/tboot/default.nix | 3 +- pkgs/tools/system/cron/default.nix | 2 +- pkgs/tools/system/foremost/default.nix | 2 +- pkgs/tools/system/gdmap/default.nix | 2 +- pkgs/tools/system/rsyslog/default.nix | 2 +- pkgs/tools/system/which/default.nix | 2 +- pkgs/tools/text/a2ps/default.nix | 2 +- pkgs/tools/text/patchutils/default.nix | 2 +- pkgs/tools/text/untex/default.nix | 2 +- pkgs/tools/typesetting/tex/tetex/default.nix | 2 +- .../tools/typesetting/tex/texlive-new/bin.nix | 4 +- pkgs/tools/video/mjpegtools/default.nix | 2 +- pkgs/tools/video/vncrec/default.nix | 2 +- pkgs/top-level/all-packages.nix | 4 +-
309 files changed, 366 insertions(+), 373 deletions(-)
create mode 100644 pkgs/build-support/cc-wrapper/add-hardening
diff --git a/pkgs/applications/audio/QmidiNet/default.nix b/pkgs/applications/audio/QmidiNet/default.nix
index c0879e58aca6..42c98cbb1101 100644
--- a/pkgs/applications/audio/QmidiNet/default.nix
+++ b/pkgs/applications/audio/QmidiNet/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
sha256 = "1a1pj4w74wj1gcfv4a0vzcglmr5sw0xp0y56w8rk3ig4k11xi8sa";
};
- hardening_format = false;
+ hardeningDisable = [ "format" ];
buildInputs = [ qt4 alsaLib libjack2 ];
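Review bot: `hardeningDisable = [ "format" ];` replaces the old toggle one-for-one but, like its predecessor, records no reason; dropping `format` switches off the format-string warnings-as-errors that catch non-literal format strings, so each suppression deserves a one-line comment naming the failing source or warning, e.g. `# <source file> uses non-literal format strings; format hardening breaks the build`. This applies to every `hardeningDisable = [ "format" ]` hunk in this commit, and equally to the `fortify` lists (mp3val, inferno) and the `relro`/`bindnow` list (musescore), which relax GOT protection without a recorded justification. The rename itself is mechanical and looks correct.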
diff --git a/pkgs/applications/audio/aacgain/default.nix b/pkgs/applications/audio/aacgain/default.nix
index 80e3c5dc40a7..a22866dc031a 100644
--- a/pkgs/applications/audio/aacgain/default.nix
+++ b/pkgs/applications/audio/aacgain/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation {
sha256 = "07hl432vsscqg01b6wr99qmsj4gbx0i02x4k565432y6zpfmaxm0";
};
- hardening_format = false;
+ hardeningDisable = [ "format" ];
configurePhase = ''
cd mp4v2
diff --git a/pkgs/applications/audio/cdparanoia/default.nix b/pkgs/applications/audio/cdparanoia/default.nix
index 9de3bef62ad3..abe679f10bc5 100644
--- a/pkgs/applications/audio/cdparanoia/default.nix
+++ b/pkgs/applications/audio/cdparanoia/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80";
};
- hardening_format = false;
+ hardeningDisable = [ "format" ];
preConfigure = "unset CC";
diff --git a/pkgs/applications/audio/csound/default.nix b/pkgs/applications/audio/csound/default.nix
index 1cc0e56fe7e6..e1c063d823d6 100644
--- a/pkgs/applications/audio/csound/default.nix
+++ b/pkgs/applications/audio/csound/default.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation {
enableParallelBuilding = true;
- hardening_format = false;
+ hardeningDisable = [ "format" ];
src = fetchurl {
url = mirror://sourceforge/csound/Csound6.04.tar.gz;
diff --git a/pkgs/applications/audio/freewheeling/default.nix b/pkgs/applications/audio/freewheeling/default.nix
index eae7ce390c01..1611975182bc 100644
--- a/pkgs/applications/audio/freewheeling/default.nix
+++ b/pkgs/applications/audio/freewheeling/default.nix
@@ -19,7 +19,7 @@ stdenv.mkDerivation {
patches = [ ./am_path_sdl.patch ./xml.patch ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
meta = {
description = "A live looping instrument with JACK and MIDI support";
diff --git a/pkgs/applications/audio/jack-capture/default.nix b/pkgs/applications/audio/jack-capture/default.nix
index 7a5095f37887..ec7f7a5c32db 100644
--- a/pkgs/applications/audio/jack-capture/default.nix
+++ b/pkgs/applications/audio/jack-capture/default.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
cp jack_capture $out/bin/
'';
- hardening_format = false;
+ hardeningDisable = [ "format" ];
meta = with stdenv.lib; {
description = "A program for recording soundfiles with jack";
diff --git a/pkgs/applications/audio/lingot/default.nix b/pkgs/applications/audio/lingot/default.nix
index 92e39f7bb114..22ab37dc98af 100644
--- a/pkgs/applications/audio/lingot/default.nix
+++ b/pkgs/applications/audio/lingot/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation {
sha256 = "0ygras6ndw2fylwxx86ac11pcr2y2bcfvvgiwrh92z6zncx254gc";
};
- hardening_format = false;
+ hardeningDisable = [ "format" ];
buildInputs = [ pkgconfig intltool gtk alsaLib libglade ];
diff --git a/pkgs/applications/audio/mi2ly/default.nix b/pkgs/applications/audio/mi2ly/default.nix
index 67ac74f5f5a2..fa4ea6343e91 100644
--- a/pkgs/applications/audio/mi2ly/default.nix
+++ b/pkgs/applications/audio/mi2ly/default.nix
@@ -21,7 +21,7 @@ stdenv.mkDerivation {
sourceRoot=".";
- hardening_format = false;
+ hardeningDisable = [ "format" ];
buildPhase = "./cc";
installPhase = ''
diff --git a/pkgs/applications/audio/mp3info/default.nix b/pkgs/applications/audio/mp3info/default.nix
index f2434619c475..d28cd7c9e06d 100644
--- a/pkgs/applications/audio/mp3info/default.nix
+++ b/pkgs/applications/audio/mp3info/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
buildInputs = [ ncurses pkgconfig gtk ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
configurePhase = ''
sed -i Makefile \
diff --git a/pkgs/applications/audio/mp3val/default.nix b/pkgs/applications/audio/mp3val/default.nix
index abea55215715..7477bea7602c 100644
--- a/pkgs/applications/audio/mp3val/default.nix
+++ b/pkgs/applications/audio/mp3val/default.nix
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
install -Dv mp3val "$out/bin/mp3val"
'';
- hardening_fortify = false;
+ hardeningDisable = [ "fortify" ];
meta = {
description = "A tool for validating and repairing MPEG audio streams";
diff --git a/pkgs/applications/audio/mpg321/default.nix b/pkgs/applications/audio/mpg321/default.nix
index c5bcd5ab4e41..b68c44278ee1 100644
--- a/pkgs/applications/audio/mpg321/default.nix
+++ b/pkgs/applications/audio/mpg321/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
};
- hardening_format = false;
+ hardeningDisable = [ "format" ];
configureFlags = [ ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no"))
diff --git a/pkgs/applications/audio/musescore/default.nix b/pkgs/applications/audio/musescore/default.nix
index b6a98268a9bc..b89278a7fd9a 100644
--- a/pkgs/applications/audio/musescore/default.nix
+++ b/pkgs/applications/audio/musescore/default.nix
@@ -13,8 +13,7 @@ stdenv.mkDerivation rec {
sha256 = "12a83v4i830gj76z5744034y1vvwzgy27mjbjp508yh9bd328yqw";
};
- hardening_bindnow = false;
- hardening_relro = false;
+ hardeningDisable = [ "relro" "bindnow" ];
makeFlags = [ "PREFIX=$(out)"
diff --git a/pkgs/applications/audio/pd-plugins/cyclone/default.nix b/pkgs/applications/audio/pd-plugins/cyclone/default.nix
index 460745ddddb8..e4ec281cacb8 100644
--- a/pkgs/applications/audio/pd-plugins/cyclone/default.nix
+++ b/pkgs/applications/audio/pd-plugins/cyclone/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
buildInputs = [ puredata ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
patchPhase = ''
for file in `grep -r -l g_canvas.h`
diff --git a/pkgs/applications/audio/pd-plugins/maxlib/default.nix b/pkgs/applications/audio/pd-plugins/maxlib/default.nix
index 1eb0e1be6547..3b836d9eb330 100644
--- a/pkgs/applications/audio/pd-plugins/maxlib/default.nix
+++ b/pkgs/applications/audio/pd-plugins/maxlib/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
buildInputs = [ puredata ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
patchPhase = ''
for i in ${puredata}/include/pd/*; do
diff --git a/pkgs/applications/audio/pd-plugins/mrpeach/default.nix b/pkgs/applications/audio/pd-plugins/mrpeach/default.nix
index 207967a978f5..972a162b73f4 100644
--- a/pkgs/applications/audio/pd-plugins/mrpeach/default.nix
+++ b/pkgs/applications/audio/pd-plugins/mrpeach/default.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
buildInputs = [ puredata ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
patchPhase = ''
for D in net osc
diff --git a/pkgs/applications/audio/rakarrack/default.nix b/pkgs/applications/audio/rakarrack/default.nix
index 647ed9036dc2..822e0d5548ba 100644
--- a/pkgs/applications/audio/rakarrack/default.nix
+++ b/pkgs/applications/audio/rakarrack/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
sha256 = "1rpf63pdn54c4yg13k7cb1w1c7zsvl97c4qxcpz41c8l91xd55kn";
};
- hardening_format = false;
+ hardeningDisable = [ "format" ];
patches = [ ./fltk-path.patch ];
diff --git a/pkgs/applications/audio/zynaddsubfx/default.nix b/pkgs/applications/audio/zynaddsubfx/default.nix
index c784b33700e7..ece3cbef5960 100644
--- a/pkgs/applications/audio/zynaddsubfx/default.nix
+++ b/pkgs/applications/audio/zynaddsubfx/default.nix
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
buildInputs = [ alsaLib libjack2 fftw fltk13 libjpeg minixml zlib liblo ];
nativeBuildInputs = [ cmake pkgconfig ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
meta = with stdenv.lib; {
description = "High quality software synthesizer";
diff --git a/pkgs/applications/editors/ht/default.nix b/pkgs/applications/editors/ht/default.nix
index 5ddcf34995f7..2817bd168dee 100644
--- a/pkgs/applications/editors/ht/default.nix
+++ b/pkgs/applications/editors/ht/default.nix
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
ncurses ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
meta = with lib; {
description = "File editor/viewer/analyzer for executables";
diff --git a/pkgs/applications/editors/leafpad/default.nix b/pkgs/applications/editors/leafpad/default.nix
index f3755db448cd..a5b0f2e400a4 100644
--- a/pkgs/applications/editors/leafpad/default.nix
+++ b/pkgs/applications/editors/leafpad/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
buildInputs = [ intltool pkgconfig gtk ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
configureFlags = [ "--enable-chooser"
diff --git a/pkgs/applications/graphics/cinepaint/default.nix b/pkgs/applications/graphics/cinepaint/default.nix
index 7b8281b4e3c6..4866ba92addd 100644
--- a/pkgs/applications/graphics/cinepaint/default.nix
+++ b/pkgs/applications/graphics/cinepaint/default.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
libXext libXpm libXau libXxf86vm pixman libpthreadstubs fltk ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
patches = [ ./install.patch ];
diff --git a/pkgs/applications/graphics/giv/default.nix b/pkgs/applications/graphics/giv/default.nix
index c33da6552220..bd1a8d03ec49 100644
--- a/pkgs/applications/graphics/giv/default.nix
+++ b/pkgs/applications/graphics/giv/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
sha256 = "1q0806b66ajppxbv1i71wx5d3ydc1h3hsz23m6g4g80dhiai7dly";
};
- hardening_format = false;
+ hardeningDisable = [ "format" ];
prePatch = ''
sed -i s,/usr/bin/perl,${perl}/bin/perl, doc/eperl
diff --git a/pkgs/applications/graphics/gqview/default.nix b/pkgs/applications/graphics/gqview/default.nix
index ff069d0d9727..822ef8ad4353 100644
--- a/pkgs/applications/graphics/gqview/default.nix
+++ b/pkgs/applications/graphics/gqview/default.nix
@@ -15,7 +15,7 @@ stdenv.mkDerivation { buildInputs = [pkgconfig gtk libpng]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "A fast image viewer"; diff --git a/pkgs/applications/graphics/meshlab/default.nix b/pkgs/applications/graphics/meshlab/default.nix index c3aed10d00ca..fa1958059b80 100644 --- a/pkgs/applications/graphics/meshlab/default.nix +++ b/pkgs/applications/graphics/meshlab/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { patches = [ ./include-unistd.diff ]; - hardening_format = false; + hardeningDisable = [ "format" ]; buildPhase = '' mkdir -p "$out/include" diff --git a/pkgs/applications/graphics/qtpfsgui/default.nix b/pkgs/applications/graphics/qtpfsgui/default.nix index da6521199c5a..e6a0453e533a 100644 --- a/pkgs/applications/graphics/qtpfsgui/default.nix +++ b/pkgs/applications/graphics/qtpfsgui/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ qt4 exiv2 openexr fftwSinglePrec libtiff ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configurePhase = '' export CPATH="${ilmbase}/include/OpenEXR:$CPATH" diff --git a/pkgs/applications/graphics/tesseract/default.nix b/pkgs/applications/graphics/tesseract/default.nix index b3db2fde4cb2..375b09995488 100644 --- a/pkgs/applications/graphics/tesseract/default.nix +++ b/pkgs/applications/graphics/tesseract/default.nix @@ -38,7 +38,7 @@ stdenv.mkDerivation rec { buildInputs = [ autoconf automake libtool leptonica libpng libtiff ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' ./autogen.sh diff --git a/pkgs/applications/graphics/xfig/default.nix b/pkgs/applications/graphics/xfig/default.nix index 4f8f3ac16f4b..6903837e5ad5 100644 --- a/pkgs/applications/graphics/xfig/default.nix +++ b/pkgs/applications/graphics/xfig/default.nix 
@@ -16,7 +16,7 @@ stdenv.mkDerivation { nativeBuildInputs = [ imake makeWrapper ]; - hardening_format = false; + hardeningDisable = [ "format" ]; NIX_CFLAGS_COMPILE = "-I${libXpm}/include/X11"; diff --git a/pkgs/applications/inferno/default.nix b/pkgs/applications/inferno/default.nix index 3c970e40b482..b1574ea6963b 100644 --- a/pkgs/applications/inferno/default.nix +++ b/pkgs/applications/inferno/default.nix @@ -46,7 +46,7 @@ stdenv.mkDerivation rec { --set INFERNO_ROOT "$out/share/inferno" ''; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = { description = "A compact distributed operating system for building cross-platform distributed systems"; diff --git a/pkgs/applications/misc/epdfview/default.nix b/pkgs/applications/misc/epdfview/default.nix index 7810284973f3..782ef4ae3660 100644 --- a/pkgs/applications/misc/epdfview/default.nix +++ b/pkgs/applications/misc/epdfview/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig gtk poppler ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ (fetchpatch { name = "epdfview-0.1.8-glib2-headers.patch"; diff --git a/pkgs/applications/misc/gkrellm/default.nix b/pkgs/applications/misc/gkrellm/default.nix index 7c755a4f3d3e..cf7fdafd7429 100644 --- a/pkgs/applications/misc/gkrellm/default.nix +++ b/pkgs/applications/misc/gkrellm/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { buildInputs = [gettext pkgconfig glib gtk libX11 libSM libICE]; - hardening_format = false; + hardeningDisable = [ "format" ]; # Makefiles are patched to fix references to `/usr/X11R6' and to add # `-lX11' to make sure libX11's store path is in the RPATH. diff --git a/pkgs/applications/misc/grip/default.nix b/pkgs/applications/misc/grip/default.nix index 86127d56b01c..e0ece09db180 100644 --- a/pkgs/applications/misc/grip/default.nix +++ b/pkgs/applications/misc/grip/default.nix 
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ gtk glib pkgconfig libgnome libgnomeui vte curl cdparanoia libid3tag ncurses libtool ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "GTK+-based audio CD player/ripper"; diff --git a/pkgs/applications/misc/k2pdfopt/default.nix b/pkgs/applications/misc/k2pdfopt/default.nix index dac597fe67cd..7c0d615f3663 100644 --- a/pkgs/applications/misc/k2pdfopt/default.nix +++ b/pkgs/applications/misc/k2pdfopt/default.nix @@ -31,7 +31,7 @@ in stdenv.mkDerivation rec { openjpeg freetype jbig2dec djvulibre openssl ]; NIX_LDFLAGS = "-lX11 -lXext"; - hardening_format = false; + hardeningDisable = [ "format" ]; k2_pa = ./k2pdfopt.patch; tess_pa = ./tesseract.patch; diff --git a/pkgs/applications/misc/navit/default.nix b/pkgs/applications/misc/navit/default.nix index 67f474cefac8..5f70d4b5c449 100644 --- a/pkgs/applications/misc/navit/default.nix +++ b/pkgs/applications/misc/navit/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1xx62l5srfhh9cfi7n3pxj8hpcgr1rpa0hzfmbrqadzv09z36723"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # 'cvs' is only for the autogen buildInputs = [ pkgconfig gtk SDL fontconfig freetype imlib2 SDL_image mesa diff --git a/pkgs/applications/misc/posterazor/default.nix b/pkgs/applications/misc/posterazor/default.nix index 43da0c92a42f..b6d46cf9ed13 100644 --- a/pkgs/applications/misc/posterazor/default.nix +++ b/pkgs/applications/misc/posterazor/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1dqpdk8zl0smdg4fganp3hxb943q40619qmxjlga9jhjc01s7fq5"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ cmake unzip pkgconfig libXpm fltk13 freeimage ]; diff --git a/pkgs/applications/misc/sdcv/default.nix b/pkgs/applications/misc/sdcv/default.nix index 6a768d449582..8e781cd1c026 100644 --- a/pkgs/applications/misc/sdcv/default.nix +++ b/pkgs/applications/misc/sdcv/default.nix 
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec { sha256 = "1cnyv7gd1qvz8ma8545d3aq726wxrx4km7ykl97831irx5wz0r51"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = ( if stdenv.isDarwin then [ ./sdcv.cpp.patch-darwin ./utils.hpp.patch ] diff --git a/pkgs/applications/misc/tasknc/default.nix b/pkgs/applications/misc/tasknc/default.nix index d725bba03079..b7b9d36b4cb8 100644 --- a/pkgs/applications/misc/tasknc/default.nix +++ b/pkgs/applications/misc/tasknc/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0max5schga9hmf3vfqk2ic91dr6raxglyyjcqchzla280kxn5c28"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # # I know this is ugly, but the Makefile does strange things in this package, diff --git a/pkgs/applications/misc/vym/default.nix b/pkgs/applications/misc/vym/default.nix index a62f7cd2aa66..e595d771ec0c 100644 --- a/pkgs/applications/misc/vym/default.nix +++ b/pkgs/applications/misc/vym/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig qt4 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configurePhase = '' qmake PREFIX="$out" diff --git a/pkgs/applications/misc/wordnet/default.nix b/pkgs/applications/misc/wordnet/default.nix index d5edf2a4d584..2f98bc66e9b3 100644 --- a/pkgs/applications/misc/wordnet/default.nix +++ b/pkgs/applications/misc/wordnet/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { buildInputs = [tcl tk xlibsWrapper makeWrapper]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' sed "13i#define USE_INTERP_RESULT 1" -i src/stubs.c diff --git a/pkgs/applications/networking/browsers/vimprobable2/default.nix b/pkgs/applications/networking/browsers/vimprobable2/default.nix index 3d40aa1f60cc..2415c06dba42 100644 --- a/pkgs/applications/networking/browsers/vimprobable2/default.nix +++ b/pkgs/applications/networking/browsers/vimprobable2/default.nix 
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ]; - hardening_format = false; + hardeningDisable = [ "format" ]; installFlags = "PREFIX=/ DESTDIR=$(out)"; diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix index cc3e55f02e91..ae1bf5bffea9 100644 --- a/pkgs/applications/networking/browsers/w3m/default.nix +++ b/pkgs/applications/networking/browsers/w3m/default.nix @@ -50,7 +50,7 @@ stdenv.mkDerivation rec { ln -s $out/libexec/w3m/w3mimgdisplay $out/bin ''; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}" + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb"; diff --git a/pkgs/applications/networking/instant-messengers/silc-client/default.nix b/pkgs/applications/networking/instant-messengers/silc-client/default.nix index 156b138f290f..b765c97fb8e7 100644 --- a/pkgs/applications/networking/instant-messengers/silc-client/default.nix +++ b/pkgs/applications/networking/instant-messengers/silc-client/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation { dontDisableStatic = true; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--with-ncurses=${ncurses}"; diff --git a/pkgs/applications/networking/instant-messengers/vacuum/default.nix b/pkgs/applications/networking/instant-messengers/vacuum/default.nix index 181cd3301e38..12466379bf94 100644 --- a/pkgs/applications/networking/instant-messengers/vacuum/default.nix +++ b/pkgs/applications/networking/instant-messengers/vacuum/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { configurePhase = "qmake INSTALL_PREFIX=$out -recursive vacuum.pro"; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ qt4 openssl xproto libX11 libXScrnSaver scrnsaverproto xz 
diff --git a/pkgs/applications/networking/iptraf-ng/default.nix b/pkgs/applications/networking/iptraf-ng/default.nix index 8084d5133f16..746d79805f5c 100644 --- a/pkgs/applications/networking/iptraf-ng/default.nix +++ b/pkgs/applications/networking/iptraf-ng/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { --localstatedir=$out/var --sbindir=$out/bin ''; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "A console-based network monitoring utility (fork of iptraf)"; diff --git a/pkgs/applications/networking/mailreaders/alpine/default.nix b/pkgs/applications/networking/mailreaders/alpine/default.nix index c77b51d70648..b86de98f950d 100644 --- a/pkgs/applications/networking/mailreaders/alpine/default.nix +++ b/pkgs/applications/networking/mailreaders/alpine/default.nix @@ -18,8 +18,7 @@ stdenv.mkDerivation { ncurses tcl openssl pam kerberos openldap ]; - hardening_format = false; - hardening_fortify = false; + hardeningDisable = [ "format" "fortify" ]; configureFlags = [ "--with-ssl-include-dir=${openssl}/include/openssl" diff --git a/pkgs/applications/networking/mailreaders/realpine/default.nix b/pkgs/applications/networking/mailreaders/realpine/default.nix index 1ee425314650..3ff690a244bc 100644 --- a/pkgs/applications/networking/mailreaders/realpine/default.nix +++ b/pkgs/applications/networking/mailreaders/realpine/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation { ncurses tcl openssl pam kerberos openldap ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--with-ssl-include-dir=${openssl}/include/openssl" diff --git a/pkgs/applications/networking/remote/ssvnc/default.nix b/pkgs/applications/networking/remote/ssvnc/default.nix index 681ace6ab8fc..ed64629fe244 100644 --- a/pkgs/applications/networking/remote/ssvnc/default.nix +++ b/pkgs/applications/networking/remote/ssvnc/default.nix 
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec { configurePhase = "makeFlags=PREFIX=$out"; - hardening_format = false; + hardeningDisable = [ "format" ]; postInstall = '' sed -i -e 's|exec wish|exec ${tk}/bin/wish|' $out/lib/ssvnc/util/ssvnc.tcl diff --git a/pkgs/applications/science/electronics/caneda/default.nix b/pkgs/applications/science/electronics/caneda/default.nix index 152aec27d833..dc00cef88982 100644 --- a/pkgs/applications/science/electronics/caneda/default.nix +++ b/pkgs/applications/science/electronics/caneda/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { sha256 = "dfbcac97f5a1b41ad9a63392394f37fb294cbf78c576673c9bc4a5370957b2c8"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ cmake qt4 libxml2 libxslt ]; diff --git a/pkgs/applications/science/geometry/drgeo/default.nix b/pkgs/applications/science/geometry/drgeo/default.nix index c5c2cee62e81..22e64ee0566b 100644 --- a/pkgs/applications/science/geometry/drgeo/default.nix +++ b/pkgs/applications/science/geometry/drgeo/default.nix @@ -5,7 +5,7 @@ stdenv.mkDerivation rec { name = "drgeo-${version}"; version = "1.1.0"; - hardening_format = false; + hardeningDisable = [ "format" ]; src = fetchurl { url = "mirror://sourceforge/ofset/${name}.tar.gz"; diff --git a/pkgs/applications/science/logic/ltl2ba/default.nix b/pkgs/applications/science/logic/ltl2ba/default.nix index cb0c308b1291..8eedafcd68bb 100644 --- a/pkgs/applications/science/logic/ltl2ba/default.nix +++ b/pkgs/applications/science/logic/ltl2ba/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "16z0gc7a9dkarwn0l6rvg5jdhw1q4qyn4501zlchy0zxqddz0sx6"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' substituteInPlace Makefile \ diff --git a/pkgs/applications/science/logic/otter/default.nix b/pkgs/applications/science/logic/otter/default.nix index b0b001f7b3c4..dd383f1fff64 100644 --- a/pkgs/applications/science/logic/otter/default.nix 
+++ b/pkgs/applications/science/logic/otter/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation { inherit (s) url sha256; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildPhase = '' find . -name Makefile | xargs sed -i -e "s@/bin/rm@$(type -P rm)@g" diff --git a/pkgs/applications/science/logic/prover9/default.nix b/pkgs/applications/science/logic/prover9/default.nix index f6ec3b840ac5..9c09ea3db980 100644 --- a/pkgs/applications/science/logic/prover9/default.nix +++ b/pkgs/applications/science/logic/prover9/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "1l2i3d3h5z7nnbzilb6z92r0rbx0kh6yaxn2c5qhn3000xcfsay3"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' RM=$(type -tp rm) diff --git a/pkgs/applications/science/math/cbc/default.nix b/pkgs/applications/science/math/cbc/default.nix index f294750928ed..7643c912db4b 100644 --- a/pkgs/applications/science/math/cbc/default.nix +++ b/pkgs/applications/science/math/cbc/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ zlib bzip2 ]; diff --git a/pkgs/applications/science/math/perseus/default.nix b/pkgs/applications/science/math/perseus/default.nix index d2694392efae..ae63716f106d 100644 --- a/pkgs/applications/science/math/perseus/default.nix +++ b/pkgs/applications/science/math/perseus/default.nix @@ -5,7 +5,7 @@ stdenv.mkDerivation { version = "4-beta"; buildInputs = [unzip gcc48]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; src = fetchurl { url = "http://www.sas.upenn.edu/~vnanda/source/perseus_4_beta.zip"; diff --git a/pkgs/applications/science/math/qalculate-gtk/default.nix b/pkgs/applications/science/math/qalculate-gtk/default.nix index 77026eb490a1..d27f998b7932 100644 --- a/pkgs/applications/science/math/qalculate-gtk/default.nix +++ b/pkgs/applications/science/math/qalculate-gtk/default.nix 
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0b986x5yny9vrzgxlbyg80b23mxylxv2zz8ppd9svhva6vi8xsm4"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; nativeBuildInputs = [ intltool pkgconfig ]; buildInputs = [ libqalculate gtk gnome2.libglade gnome2.libgnome gnome2.scrollkeeper ]; diff --git a/pkgs/applications/science/math/yacas/default.nix b/pkgs/applications/science/math/yacas/default.nix index af284a2f82e0..adf87c4ee5ba 100644 --- a/pkgs/applications/science/math/yacas/default.nix +++ b/pkgs/applications/science/math/yacas/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1dmafm3w0lm5w211nwkfzaid1rvvmgskz7k4500pjhgdczi5sd78"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # Perl is only for the documentation nativeBuildInputs = [ perl ]; diff --git a/pkgs/applications/version-management/cvs/default.nix b/pkgs/applications/version-management/cvs/default.nix index 4912ce0b3e68..20d027da1f3c 100644 --- a/pkgs/applications/version-management/cvs/default.nix +++ b/pkgs/applications/version-management/cvs/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { patches = [ ./getcwd-chroot.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' # Apply the Debian patches. diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index 2799c25527bb..4e86e9328c8a 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation { sha256 = "1zkbdmh5gvxalr8l1cwnirqq5raijmp2d0s36s6qabrlvqvq2yj7"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./docbook2texi.patch 
diff --git a/pkgs/applications/version-management/git-and-tools/qgit/default.nix b/pkgs/applications/version-management/git-and-tools/qgit/default.nix index 6240baac8f19..6cafe4f96241 100644 --- a/pkgs/applications/version-management/git-and-tools/qgit/default.nix +++ b/pkgs/applications/version-management/git-and-tools/qgit/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [qt libXext libX11]; - hardening_format = false; + hardeningDisable = [ "format" ]; configurePhase = "qmake PREFIX=$out"; diff --git a/pkgs/applications/version-management/redmine/default.nix b/pkgs/applications/version-management/redmine/default.nix index 982dcb1d56bf..2f03d582a94c 100644 --- a/pkgs/applications/version-management/redmine/default.nix +++ b/pkgs/applications/version-management/redmine/default.nix @@ -11,7 +11,7 @@ in stdenv.mkDerivation rec { sha256 = "0x0zwxyj4dwbk7l64s3lgny10mjf0ba8jwrbafsm4d72sncmacv0"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # taken from redmine (2.5.1-2~bpo70+3) in debian wheezy-backports # needed to separate run-time and build-time directories diff --git a/pkgs/applications/video/aegisub/default.nix b/pkgs/applications/video/aegisub/default.nix index 49e2662adb41..cbaea3eb18b2 100644 --- a/pkgs/applications/video/aegisub/default.nix +++ b/pkgs/applications/video/aegisub/default.nix @@ -43,8 +43,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_bindnow = false; - hardening_relro = false; + hardeningDisable = [ "bindnow" "relro" ]; postInstall = "ln -s $out/bin/aegisub-* $out/bin/aegisub"; diff --git a/pkgs/applications/virtualization/OVMF/default.nix b/pkgs/applications/virtualization/OVMF/default.nix index 513242271a18..fc3c679d414d 100644 --- a/pkgs/applications/virtualization/OVMF/default.nix +++ b/pkgs/applications/virtualization/OVMF/default.nix 
@@ -17,9 +17,7 @@ stdenv.mkDerivation (edk2.setup "OvmfPkg/OvmfPkg${targetArch}.dsc" { # TODO: properly include openssl for secureBoot buildInputs = [nasm iasl] ++ stdenv.lib.optionals (secureBoot == true) [ openssl ]; - hardening_stackprotector = false; - hardening_pic = false; - hardening_fortify = false; + hardeningDisable = [ "stackprotector" "pic" "fortify" ]; unpackPhase = '' for file in \ diff --git a/pkgs/applications/virtualization/bochs/default.nix b/pkgs/applications/virtualization/bochs/default.nix index 705691b16826..952ae1f922d2 100644 --- a/pkgs/applications/virtualization/bochs/default.nix +++ b/pkgs/applications/virtualization/bochs/default.nix @@ -146,7 +146,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE="-I${gtk}/include/gtk-2.0/ -I${libtool}/include/"; NIX_LDFLAGS="-L${libtool}/lib"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "An open-source IA-32 (x86) PC emulator"; diff --git a/pkgs/applications/virtualization/cbfstool/default.nix b/pkgs/applications/virtualization/cbfstool/default.nix index 01832b552925..dc78236677fc 100644 --- a/pkgs/applications/virtualization/cbfstool/default.nix +++ b/pkgs/applications/virtualization/cbfstool/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ iasl flex bison ]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; buildPhase = '' export LEX=${flex}/bin/flex diff --git a/pkgs/applications/virtualization/seabios/default.nix b/pkgs/applications/virtualization/seabios/default.nix index a06523973b72..3bc95a1c392f 100644 --- a/pkgs/applications/virtualization/seabios/default.nix +++ b/pkgs/applications/virtualization/seabios/default.nix @@ -12,8 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ iasl python ]; - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "pic" "stackprotector" ]; configurePhase = '' # build SeaBIOS for CSM 
diff --git a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix index d579a6445d12..1c85723c3958 100644 --- a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix +++ b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation { KERN_DIR = "${kernel.dev}/lib/modules/*/build"; - hardening_pic = false; + hardeningDisable = [ "pic" ]; buildInputs = [ patchelf cdrkit makeWrapper dbus ]; diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix index 0a3bd3898c2c..23c4f34a5534 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic.nix @@ -75,9 +75,7 @@ stdenv.mkDerivation { pythonPath = [ pythonPackages.curses ]; - hardening_stackprotector = false; - hardening_fortify = false; - hardening_pic = false; + hardeningDisable = [ "stackprotector" "fortify" "pic" ]; patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches; diff --git a/pkgs/applications/window-managers/stalonetray/default.nix b/pkgs/applications/window-managers/stalonetray/default.nix index 43d0804222c7..3b5af42a8be2 100644 --- a/pkgs/applications/window-managers/stalonetray/default.nix +++ b/pkgs/applications/window-managers/stalonetray/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ libX11 xproto ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Stand alone tray"; diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening new file mode 100644 index 000000000000..08fdd52be08a --- /dev/null +++ b/pkgs/build-support/cc-wrapper/add-hardening 
@@ -0,0 +1,41 @@
+hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow)
+hardeningFlags+=("${hardeningEnable[@]}")
+hardeningCFlags=()
+hardeningLDFlags=()
+
+if [[ ! $hardeningDisable == "all" ]]; then
+ for flag in "${hardeningFlags[@]}"
+ do
+ if [[ ! "$hardeningDisable" =~ "$flag" ]]; then
+ case $flag in
+ fortify)
+ hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
+ ;;
+ stackprotector)
+ hardeningCFlags+=('-fstack-protector-strong')
+ ;;
+ pie)
+ hardeningCFlags+=('-fPIE' '-pie')
+ ;;
+ pic)
+ hardeningCFlags+=('-fPIC')
+ ;;
+ strictoverflow)
+ hardeningCFlags+=('-fno-strict-overflow')
+ ;;
+ format)
+ hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
+ ;;
+ relro)
+ hardeningLDFlags+=('-z relro')
+ ;;
+ bindnow)
+ hardeningLDFlags+=('-z now')
+ ;;
+ *)
+ echo "Hardening flag unknown: $flag"
+ ;;
+ esac
+ fi
+ done
+fi
diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
index 6e12a0d8bc8f..a8a08e5e1443 100644
--- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@@ -56,7 +56,6 @@ if [ "$nonFlagArgs" = 0 ]; then
dontLink=1
fi
-
# Optionally filter out paths not refering to the store.
params=("$@")
if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" ]; then
@@ -90,16 +89,17 @@ if [[ "@prog@" = *++ ]]; then
fi
fi
-# Add the flags for the C compiler proper.
-extraAfter=($NIX_CFLAGS_COMPILE)
-extraBefore=()
+source @out@/nix-support/add-hardening.sh
+# Add the flags for the C compiler proper.
+extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]})
+extraBefore=()
if [ "$dontLink" != 1 ]; then
# Add the flags that should only be passed to the compiler when
# linking.
- extraAfter+=($NIX_CFLAGS_LINK)
+ extraAfter+=($NIX_CFLAGS_LINK ${hardeningLDFlags[@]})
# Add the flags that should be passed to the linker (and prevent
# `ld-wrapper' from adding NIX_LDFLAGS again).
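Review bot: The `all` switch is an exact string comparison, `if [[ ! $hardeningDisable == "all" ]]; then`, so a derivation whose list carries other entries as well — `[ "format" "all" ]`, which this same patch produces for gcc 4.5 — still gets every flag applied; match it as a word instead, `if [[ ! " $hardeningDisable " == *" all "* ]]; then`. The per-flag test `[[ ! "$hardeningDisable" =~ "$flag" ]]` is likewise a substring match that is only safe while no flag name is a substring of another; the same word-bounded form, `[[ " $hardeningDisable " != *" $flag "* ]]`, removes that dependency. `hardeningFlags+=("${hardeningEnable[@]}")` expands what is presumably a scalar environment variable as an array, so two enabled flags would arrive as the single word "pie bindnow" and fall into the unknown-flag branch — `hardeningFlags+=($hardeningEnable)` splits on whitespace as intended. That branch's `echo "Hardening flag unknown: $flag"` writes to the stdout of a compiler or linker invocation, which build systems parse (e.g. `-dumpmachine`, `-print-prog-name`); send it to stderr with `>&2`.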
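Review bot: `extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]})` puts the hardening flags after the package's own command line, so the `-O2` carried by the fortify entry in add-hardening overrides a derivation's explicit `-O0`/`-Os`, and a package that defines `_FORTIFY_SOURCE` itself gets it redefined behind its back. Flags intended as overridable defaults belong ahead of the user's arguments, e.g. `extraBefore=(${hardeningCFlags[@]})` with `extraAfter=($NIX_CFLAGS_COMPILE)` left as before, assuming `extraBefore` is prepended to the parameters as its name suggests. Note also that `${hardeningLDFlags[@]}` is added here for link invocations and again unconditionally in ld-wrapper.sh, so `-z relro -z now` presumably reach ld twice; harmless, but one wrapper should own them. The `if [ "$dontLink" != 1 ]` body continues past the end of the hunk.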
diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix
index 110f51891417..2bf07747337f 100644
--- a/pkgs/build-support/cc-wrapper/default.nix
+++ b/pkgs/build-support/cc-wrapper/default.nix
@@ -234,6 +234,7 @@ stdenv.mkDerivation {
rm $out/nix-support/setup-hook.tmp
substituteAll ${./add-flags} $out/nix-support/add-flags.sh
+ cp -p ${./add-hardening} $out/nix-support/add-hardening.sh
cp -p ${./utils.sh} $out/nix-support/utils.sh
'' + extraBuildCommands;
diff --git a/pkgs/build-support/cc-wrapper/ld-wrapper.sh b/pkgs/build-support/cc-wrapper/ld-wrapper.sh
index 6ef06eb70348..12c0709570b0 100644
--- a/pkgs/build-support/cc-wrapper/ld-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/ld-wrapper.sh
@@ -47,8 +47,9 @@ if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \
params=("${rest[@]}")
fi
+source @out@/nix-support/add-hardening.sh
-extra=()
+extra=(${hardeningLDFlags[@]})
extraBefore=()
if [ -z "$NIX_LDFLAGS_SET" ]; then
@@ -56,7 +57,7 @@ if [ -z "$NIX_LDFLAGS_SET" ]; then
extraBefore+=($NIX_LDFLAGS_BEFORE)
fi
-extra+=($NIX_LDFLAGS_AFTER)
+extra+=($NIX_LDFLAGS_AFTER $NIX_LDFLAGS_HARDEN)
# Add all used dynamic libraries to the rpath.
diff --git a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
index 9dc8d6f8ef1b..7eef5af0adcb 100644
--- a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71";
};
- hardening_format = false;
+ hardeningDisable = [ "format" ];
patches = [ ./glib.patch ./cups_1.6.patch ];
diff --git a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
index d766957f0d79..be288b809d43 100644
--- a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
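Review bot: `extra+=($NIX_LDFLAGS_AFTER $NIX_LDFLAGS_HARDEN)` introduces `NIX_LDFLAGS_HARDEN`, which nothing else in this patch sets, while the hardening linker flags are already placed in `extra` by `extra=(${hardeningLDFlags[@]})` in the previous hunk; it reads as a leftover from an earlier design or an undocumented escape hatch for derivations. If it is meant to stay, document it next to `hardeningDisable`, e.g. `# NIX_LDFLAGS_HARDEN: extra linker flags appended after the hardening defaults`; otherwise revert the line to `extra+=($NIX_LDFLAGS_AFTER)`. Sourcing add-hardening.sh on every ld invocation also means its unknown-flag `echo` lands on ld's stdout, which is a worse place for a diagnostic than the compiler's.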
@@ -11,5 +11,5 @@ stdenv.mkDerivation { buildInputs = [ pkgconfig gtk gettext ]; propagatedBuildInputs = [ libxml2 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; } diff --git a/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix b/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix index 6f10f6ea9203..5c13260aac9e 100644 --- a/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix +++ b/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix @@ -17,7 +17,7 @@ in stdenv.mkDerivation rec { "--enable-gi-system-install=no" ]; - hardening_format = false; + hardeningDisable = [ "format" ]; enableParallelBuilding = true; diff --git a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix index c80bd67f404f..ed83dd03eca1 100644 --- a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix +++ b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix @@ -8,7 +8,7 @@ kde { nativeBuildInputs = [ cmake ]; - hardening_all = false; + hardeningDisable = [ "all" ]; # The patch is not ready for upstream submmission. # I should add an option() instead. diff --git a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix index 415c6bc6cfb7..442690706094 100644 --- a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix +++ b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig intltool glib exo pcre libxfce4util libxfce4ui xfce4panel xfconf gtk ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = "http://goodies.xfce.org/projects/panel-plugins/${p_name}"; diff --git a/pkgs/development/compilers/clean/default.nix b/pkgs/development/compilers/clean/default.nix index dcb7350fbbb2..3fed2289f954 100644 --- a/pkgs/development/compilers/clean/default.nix +++ b/pkgs/development/compilers/clean/default.nix 
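Review bot: `hardeningDisable = [ "all" ];` in qtruby.nix switches off every mitigation for this package, including the linker-side relro and bindnow that almost never break a build, and nothing in the expression records why. A reviewer cannot tell whether "all" is a considered choice or a blanket workaround carried over from `hardening_all = false`; add a one-line reason above it, e.g. `# smoke/qtruby's generated bindings fail to build with <flag> — see <issue>`, and narrow the list to the flags that actually fail. The `kde { ... }` attribute set continues outside the hunk.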
@@ -14,8 +14,7 @@ stdenv.mkDerivation rec { }) else throw "Architecture not supported"; - hardening_format = false; - hardening_pic = false; + hardeningDisable = [ "format" "pic" ]; # clm uses timestamps of dcl, icl, abc and o files to decide what must be rebuild # and for chroot builds all of the library files will have equal timestamps. This diff --git a/pkgs/development/compilers/dev86/default.nix b/pkgs/development/compilers/dev86/default.nix index 0ee0a622b1e6..900cb92ab807 100644 --- a/pkgs/development/compilers/dev86/default.nix +++ b/pkgs/development/compilers/dev86/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "33398b87ca85e2b69e4062cf59f2f7354af46da5edcba036c6f97bae17b8d00e"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; makeFlags = "PREFIX=$(out)"; diff --git a/pkgs/development/compilers/ecl/default.nix b/pkgs/development/compilers/ecl/default.nix index 2208d8440497..1b8b8d862cf3 100644 --- a/pkgs/development/compilers/ecl/default.nix +++ b/pkgs/development/compilers/ecl/default.nix @@ -38,7 +38,7 @@ stdenv.mkDerivation { "--enable-unicode") ; - hardening_format = false; + hardeningDisable = [ "format" ]; postInstall = '' sed -e 's/@[-a-zA-Z_]*@//g' -i $out/bin/ecl-config diff --git a/pkgs/development/compilers/edk2/default.nix b/pkgs/development/compilers/edk2/default.nix index cf4d0e4f02aa..da178e80a1a4 100644 --- a/pkgs/development/compilers/edk2/default.nix +++ b/pkgs/development/compilers/edk2/default.nix @@ -22,8 +22,7 @@ edk2 = stdenv.mkDerivation { makeFlags = "-C BaseTools"; - hardening_fortify = false; - hardening_format = false; + hardeningDisable = [ "format" "fortify" ]; installPhase = '' mkdir -vp $out diff --git a/pkgs/development/compilers/gcc/4.3/default.nix b/pkgs/development/compilers/gcc/4.3/default.nix index 6114c960ffdd..ecd841ca6369 100644 --- a/pkgs/development/compilers/gcc/4.3/default.nix +++ b/pkgs/development/compilers/gcc/4.3/default.nix 
@@ -95,8 +95,7 @@ stdenv.mkDerivation ({ ++ (optionals langVhdl [gnat]) ; - hardening_format = false; - hardening_stackprotector = false; + hardeningDisable = [ "format" "stackprotector" ]; configureFlags = " ${if enableMultilib then "" else "--disable-multilib"} diff --git a/pkgs/development/compilers/gcc/4.4/default.nix b/pkgs/development/compilers/gcc/4.4/default.nix index fe79e9bcd72b..7f8b38e1ee68 100644 --- a/pkgs/development/compilers/gcc/4.4/default.nix +++ b/pkgs/development/compilers/gcc/4.4/default.nix @@ -103,7 +103,7 @@ stdenv.mkDerivation ({ inherit langC langCC langFortran langJava langAda; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./pass-cxxcpp.patch diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix index 2493593f3575..7d84cb245164 100644 --- a/pkgs/development/compilers/gcc/4.5/default.nix +++ b/pkgs/development/compilers/gcc/4.5/default.nix @@ -134,8 +134,7 @@ stdenv.mkDerivation ({ inherit langC langCC langFortran langJava langAda; }; - hardening_format = false; - hardening_all = name != "gnat"; + hardeningDisable = [ "format" ] ++ optional (name != "gnat") "all"; patches = [ ] diff --git a/pkgs/development/compilers/gcc/4.6/default.nix b/pkgs/development/compilers/gcc/4.6/default.nix index 323fd8b921b3..d63075424438 100644 --- a/pkgs/development/compilers/gcc/4.6/default.nix +++ b/pkgs/development/compilers/gcc/4.6/default.nix @@ -189,7 +189,7 @@ stdenv.mkDerivation ({ inherit patches enableMultilib; - hardening_format = false; + hardeningDisable = [ "format" ]; postPatch = if (stdenv.isGNU diff --git a/pkgs/development/compilers/gcc/4.8/default.nix b/pkgs/development/compilers/gcc/4.8/default.nix index 58074e173aed..649312b1c1b1 100644 --- a/pkgs/development/compilers/gcc/4.8/default.nix +++ b/pkgs/development/compilers/gcc/4.8/default.nix 
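Review bot: The condition on `all` is inverted in gcc/4.5: the removed `hardening_all = name != "gnat";` kept hardening enabled for every build except gnat, whereas the new `hardeningDisable = [ "format" ] ++ optional (name != "gnat") "all";` disables all hardening for every non-gnat build and leaves it on for gnat. It should read `hardeningDisable = [ "format" ] ++ optional (name == "gnat") "all";`. Note that the result in the gnat case is then the two-element list `[ "format" "all" ]`, which presumably reaches the compiler wrapper as the string "format all", so the wrapper's handling of `all` must accept it alongside other entries rather than only as the sole value. The `stdenv.mkDerivation` attribute set continues outside the hunk.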
@@ -218,7 +218,7 @@ stdenv.mkDerivation ({ inherit patches; - hardening_format = false; + hardeningDisable = [ "format" ]; postPatch = if (stdenv.isGNU diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix index fe1f4066110e..d4c8d018ff2b 100644 --- a/pkgs/development/compilers/gcc/4.9/default.nix +++ b/pkgs/development/compilers/gcc/4.9/default.nix @@ -220,9 +220,8 @@ stdenv.mkDerivation ({ inherit patches; - # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; - hardening_format = false; + # FIXME stackprotector needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "format" "stackprotector" ]; postPatch = if (stdenv.isGNU diff --git a/pkgs/development/compilers/gcc/5/default.nix b/pkgs/development/compilers/gcc/5/default.nix index 47a272ac534e..ca6b6c52d99e 100644 --- a/pkgs/development/compilers/gcc/5/default.nix +++ b/pkgs/development/compilers/gcc/5/default.nix @@ -216,7 +216,7 @@ stdenv.mkDerivation ({ sha256 = "1ny4smkp5bzs3cp8ss7pl6lk8yss0d9m4av1mvdp72r1x695akxq"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; inherit patches; diff --git a/pkgs/development/compilers/gcl/default.nix b/pkgs/development/compilers/gcl/default.nix index 008f426d74a1..e57abec2c1ba 100644 --- a/pkgs/development/compilers/gcl/default.nix +++ b/pkgs/development/compilers/gcl/default.nix @@ -27,7 +27,7 @@ stdenv.mkDerivation rec { "--enable-ansi" ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; meta = { description = "GNU Common Lisp compiler working via GCC"; diff --git a/pkgs/development/compilers/ghc/6.10.4.nix b/pkgs/development/compilers/ghc/6.10.4.nix index 4f95e859292a..def807971c01 100644 --- a/pkgs/development/compilers/ghc/6.10.4.nix +++ b/pkgs/development/compilers/ghc/6.10.4.nix 
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ghc libedit perl gmp]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--with-gmp-libraries=${gmp}/lib" diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix index 0d3a60b9100e..f25e6244768e 100644 --- a/pkgs/development/compilers/go/1.4.nix +++ b/pkgs/development/compilers/go/1.4.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { buildInputs = [ pcre ]; propagatedBuildInputs = lib.optional stdenv.isDarwin Security; - hardening_all = false; + hardeningDisable = [ "all" ]; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix index 9f84768fb931..7f7abd8a6e75 100644 --- a/pkgs/development/compilers/go/1.5.nix +++ b/pkgs/development/compilers/go/1.5.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { Security Foundation ]; - hardening_all = false; + hardeningDisable = [ "all" ]; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. diff --git a/pkgs/development/compilers/go/1.6.nix b/pkgs/development/compilers/go/1.6.nix index 807d7424920d..d3739ddef5c2 100644 --- a/pkgs/development/compilers/go/1.6.nix +++ b/pkgs/development/compilers/go/1.6.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { Security Foundation ]; - hardening_all = false; + hardeningDisable = [ "all" ]; # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. diff --git a/pkgs/development/compilers/mkcl/default.nix b/pkgs/development/compilers/mkcl/default.nix index e57151b077fa..4299b50ea6da 100644 --- a/pkgs/development/compilers/mkcl/default.nix +++ b/pkgs/development/compilers/mkcl/default.nix 
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper ]; propagatedBuildInputs = [ gmp ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "GMP_CFLAGS=-I${gmp}/include" diff --git a/pkgs/development/compilers/squeak/default.nix b/pkgs/development/compilers/squeak/default.nix index 341b8155c417..69529ab762b0 100644 --- a/pkgs/development/compilers/squeak/default.nix +++ b/pkgs/development/compilers/squeak/default.nix @@ -27,7 +27,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Smalltalk programming language and environment"; diff --git a/pkgs/development/compilers/swi-prolog/default.nix b/pkgs/development/compilers/swi-prolog/default.nix index 3c257dfc7df6..954ef6924623 100644 --- a/pkgs/development/compilers/swi-prolog/default.nix +++ b/pkgs/development/compilers/swi-prolog/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation { buildInputs = [ gmp readline openssl libjpeg unixODBC libXinerama libXft libXpm libSM libXt zlib freetype pkgconfig fontconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--with-world --enable-gmp --enable-shared"; diff --git a/pkgs/development/compilers/teyjus/default.nix b/pkgs/development/compilers/teyjus/default.nix index 1e63b2d2be0b..301915b7a26b 100644 --- a/pkgs/development/compilers/teyjus/default.nix +++ b/pkgs/development/compilers/teyjus/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { buildInputs = [ omake ocaml flex bison ]; - hardening_format = false; + hardeningDisable = [ "format" ]; buildPhase = "omake all"; diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index e948d1833b83..9dbb08737aa5 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix 
@@ -41,11 +41,9 @@ self: super: { options_1_2 = dontCheck super.options_1_2; options = dontCheck super.options; statistics = dontCheck super.statistics; - c2hs = pkgs.lib.overrideDerivation (dontCheck super.c2hs) (drv: { - hardening_format = false; - }); - epanet-haskell = pkgs.lib.overrideDerivation super.epanet-haskell (drv: { - hardening_format = false; + c2hs = dontCheck super.c2hs; + epanet-haskell = super.epanet-haskell.overrideDerivation (drv: { + hardeningDisable = [ "format" ]; }); # The package doesn't compile with ruby 1.9, which is our default at the moment. @@ -244,9 +242,7 @@ self: super: { gio_0_13_0_3 = addPkgconfigDepend super.gio_0_13_0_3 pkgs.glib; gio_0_13_0_4 = addPkgconfigDepend super.gio_0_13_0_4 pkgs.glib; gio_0_13_1_0 = addPkgconfigDepend super.gio_0_13_1_0 pkgs.glib; - glib = pkgs.lib.overrideDerivation (addPkgconfigDepend super.glib pkgs.glib) (drv: { - hardening_fortify = false; - }); + glib = addPkgconfigDepend super.glib pkgs.glib; gtk3 = super.gtk3.override { inherit (pkgs) gtk3; }; gtk = addPkgconfigDepend super.gtk pkgs.gtk; gtksourceview2 = (addPkgconfigDepend super.gtksourceview2 pkgs.gtk2).override { inherit (pkgs.gnome2) gtksourceview; }; diff --git a/pkgs/development/interpreters/clisp/2.44.1.nix b/pkgs/development/interpreters/clisp/2.44.1.nix index fa8c8309a7a6..42709abc1432 100644 --- a/pkgs/development/interpreters/clisp/2.44.1.nix +++ b/pkgs/development/interpreters/clisp/2.44.1.nix @@ -45,7 +45,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE="-O0"; - hardening_format = false; + hardeningDisable = [ "format" ]; # TODO : make mod-check fails doCheck = false; diff --git a/pkgs/development/interpreters/erlang/R14.nix b/pkgs/development/interpreters/erlang/R14.nix index e77300c0f84d..cf4355a38e16 100644 --- a/pkgs/development/interpreters/erlang/R14.nix +++ b/pkgs/development/interpreters/erlang/R14.nix 
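Review bot: c2hs silently loses its format-hardening opt-out in this hunk while the neighbouring epanet-haskell keeps it (migrated to `hardeningDisable = [ "format" ]`), and nothing in the hunk or the commit message says whether c2hs was re-tested with `-Werror=format-security` enabled. If it was verified to build, a one-line note in the commit message would make the asymmetry intentional; if not, `c2hs = dontCheck super.c2hs;` will regress on the next rebuild and the fix is to give it the same `.overrideDerivation (drv: { hardeningDisable = [ "format" ]; })` as epanet-haskell.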
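Review bot: The second hunk drops the `hardening_fortify = false` override on the Haskell glib binding outright instead of converting it to `hardeningDisable = [ "fortify" ]` like the rest of this commit does, so `_FORTIFY_SOURCE` becomes active for that package. That is the desired end state, but it is not obvious from the diff whether the override was found unnecessary or simply dropped; if it was verified, saying so in the commit message would help, and if it was not, `glib = (addPkgconfigDepend super.glib pkgs.glib).overrideDerivation (drv: { hardeningDisable = [ "fortify" ]; });` keeps the previous behaviour.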
@@ -22,7 +22,7 @@ stdenv.mkDerivation { configureFlags = "--with-ssl=${openssl}"; - hardening_format = false; + hardeningDisable = [ "format" ]; postInstall = let manpages = fetchurl { diff --git a/pkgs/development/interpreters/lush/default.nix b/pkgs/development/interpreters/lush/default.nix index 7a4e5c1a336d..dcfdc11c7a9e 100644 --- a/pkgs/development/interpreters/lush/default.nix +++ b/pkgs/development/interpreters/lush/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { intltool gettext zlib ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; NIX_LDFLAGS=" -lz "; diff --git a/pkgs/development/interpreters/perl/default.nix b/pkgs/development/interpreters/perl/default.nix index 6e416a351506..1e14d386b138 100644 --- a/pkgs/development/interpreters/perl/default.nix +++ b/pkgs/development/interpreters/perl/default.nix @@ -72,7 +72,7 @@ let enableParallelBuilding = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; preConfigure = '' diff --git a/pkgs/development/interpreters/spidermonkey/default.nix b/pkgs/development/interpreters/spidermonkey/default.nix index 81071aafe4ee..a7482f269dbf 100644 --- a/pkgs/development/interpreters/spidermonkey/default.nix +++ b/pkgs/development/interpreters/spidermonkey/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "12v6v2ccw1y6ng3kny3xw0lfs58d1klylqq707k0x04m707kydj4"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ readline ]; diff --git a/pkgs/development/interpreters/supercollider/default.nix b/pkgs/development/interpreters/supercollider/default.nix index cb60a41a6903..c1a4c17707c8 100644 --- a/pkgs/development/interpreters/supercollider/default.nix +++ b/pkgs/development/interpreters/supercollider/default.nix 
@@ -21,7 +21,7 @@ stdenv.mkDerivation rec { sha256 = "11khrv6jchs0vv0lv43am8lp0x1rr3h6l2xj9dmwrxcpdayfbalr"; }; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; # QGtkStyle unavailable patchPhase = '' diff --git a/pkgs/development/libraries/CoinMP/default.nix b/pkgs/development/libraries/CoinMP/default.nix index be44ef628853..079c0a5cf6f7 100644 --- a/pkgs/development/libraries/CoinMP/default.nix +++ b/pkgs/development/libraries/CoinMP/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0gqi2vqkg35gazzzv8asnhihchnbjcd6bzjfzqhmj7wy1dw9iiw6"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = https://projects.coin-or.org/CoinMP/; diff --git a/pkgs/development/libraries/accelio/default.nix b/pkgs/development/libraries/accelio/default.nix index 9ca9db1e4511..faf3a0c73255 100644 --- a/pkgs/development/libraries/accelio/default.nix +++ b/pkgs/development/libraries/accelio/default.nix @@ -15,8 +15,7 @@ stdenv.mkDerivation rec { sha256 = "172frqk2n43g0arhazgcwfvj0syf861vdzdpxl7idr142bb0ykf7"; }; - hardening_pic = false; - hardening_format = false; + hardeningDisable = [ "format" "pic" ]; patches = [ ./fix-printfs.patch ]; diff --git a/pkgs/development/libraries/allegro/default.nix b/pkgs/development/libraries/allegro/default.nix index 50d3eec4f3f7..997a8d223054 100644 --- a/pkgs/development/libraries/allegro/default.nix +++ b/pkgs/development/libraries/allegro/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { xf86dgaproto xf86miscproto xf86vidmodeproto libXxf86vm openal mesa ]; - hardening_format = false; + hardeningDisable = [ "format" ]; cmakeFlags = [ "-DCMAKE_SKIP_RPATH=ON" ]; diff --git a/pkgs/development/libraries/audio/libbs2b/default.nix b/pkgs/development/libraries/audio/libbs2b/default.nix index 4a64bc260bd8..7195110b0bb9 100644 --- a/pkgs/development/libraries/audio/libbs2b/default.nix +++ b/pkgs/development/libraries/audio/libbs2b/default.nix 
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libsndfile ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = "http://bs2b.sourceforge.net/"; diff --git a/pkgs/development/libraries/cgui/default.nix b/pkgs/development/libraries/cgui/default.nix index 3e5076d2509d..da9d1122cc54 100644 --- a/pkgs/development/libraries/cgui/default.nix +++ b/pkgs/development/libraries/cgui/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { sh fix.sh unix ''; - hardening_format = false; + hardeningDisable = [ "format" ]; makeFlags = [ "SYSTEM_DIR=$(out)" ]; diff --git a/pkgs/development/libraries/cloog/0.18.0.nix b/pkgs/development/libraries/cloog/0.18.0.nix index 3dc9587c9215..359bde2e0582 100644 --- a/pkgs/development/libraries/cloog/0.18.0.nix +++ b/pkgs/development/libraries/cloog/0.18.0.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { doCheck = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { description = "Library that generates loops for scanning polyhedra"; diff --git a/pkgs/development/libraries/cwiid/default.nix b/pkgs/development/libraries/cwiid/default.nix index 0b7d96b5cc18..5af34145197e 100644 --- a/pkgs/development/libraries/cwiid/default.nix +++ b/pkgs/development/libraries/cwiid/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { rev = "fadf11e89b579bcc0336a0692ac15c93785f3f82"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--without-python"; diff --git a/pkgs/development/libraries/db/db-4.4.nix b/pkgs/development/libraries/db/db-4.4.nix index 327da38e986a..00875d73f418 100644 --- a/pkgs/development/libraries/db/db-4.4.nix +++ b/pkgs/development/libraries/db/db-4.4.nix 
@@ -5,5 +5,5 @@ import ./generic.nix (args // rec { extraPatches = [ ./cygwin-4.4.patch ]; sha256 = "0y9vsq8dkarx1mhhip1vaciz6imbbyv37c1dm8b20l7p064bg2i9"; branch = "4.4"; - drvArgs = { hardening_format = false; }; + drvArgs = { hardeningDisable = [ "format" ]; }; }) diff --git a/pkgs/development/libraries/db/db-4.5.nix b/pkgs/development/libraries/db/db-4.5.nix index 6d3b15d256e6..84b5ea67420a 100644 --- a/pkgs/development/libraries/db/db-4.5.nix +++ b/pkgs/development/libraries/db/db-4.5.nix @@ -5,5 +5,5 @@ import ./generic.nix (args // rec { extraPatches = [ ./cygwin-4.5.patch ./register-race-fix.patch ]; sha256 = "0bd81k0qv5i8w5gbddrvld45xi9k1gvmcrfm0393v0lrm37dab7m"; branch = "4.5"; - drvArgs = { hardening_format = false; }; + drvArgs = { hardeningDisable = [ "format" ]; }; }) diff --git a/pkgs/development/libraries/db/db-4.7.nix b/pkgs/development/libraries/db/db-4.7.nix index 0735099729a6..6016d112d517 100644 --- a/pkgs/development/libraries/db/db-4.7.nix +++ b/pkgs/development/libraries/db/db-4.7.nix @@ -4,5 +4,5 @@ import ./generic.nix (args // rec { version = "4.7.25"; sha256 = "0gi667v9cw22c03hddd6xd6374l0pczsd56b7pba25c9sdnxjkzi"; branch = "4.7"; - drvArgs = { hardening_format = false; }; + drvArgs = { hardeningDisable = [ "format" ]; }; }) diff --git a/pkgs/development/libraries/db/db-4.8.nix b/pkgs/development/libraries/db/db-4.8.nix index 78c0a15c4e0b..40869a865ae5 100644 --- a/pkgs/development/libraries/db/db-4.8.nix +++ b/pkgs/development/libraries/db/db-4.8.nix @@ -5,5 +5,5 @@ import ./generic.nix (args // rec { extraPatches = [ ./clang-4.8.patch ]; sha256 = "0ampbl2f0hb1nix195kz1syrqqxpmvnvnfvphambj7xjrl3iljg0"; branch = "4.8"; - drvArgs = { hardening_format = false; }; + drvArgs = { hardeningDisable = [ "format" ]; }; }) diff --git a/pkgs/development/libraries/faac/default.nix b/pkgs/development/libraries/faac/default.nix index 505f00532875..1ab01033f4df 100644 --- a/pkgs/development/libraries/faac/default.nix 
+++ b/pkgs/development/libraries/faac/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { ++ optional mp4v2Support "--with-mp4v2" ++ optional drmSupport "--enable-drm"; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ ] ++ optional mp4v2Support mp4v2; diff --git a/pkgs/development/libraries/fox/default.nix b/pkgs/development/libraries/fox/default.nix index 78b7e9a63fc0..d47a028cbf86 100644 --- a/pkgs/development/libraries/fox/default.nix +++ b/pkgs/development/libraries/fox/default.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "C++ based class library for building Graphical User Interfaces"; diff --git a/pkgs/development/libraries/fox/fox-1.6.nix b/pkgs/development/libraries/fox/fox-1.6.nix index 007609403e2e..ce778e4a3473 100644 --- a/pkgs/development/libraries/fox/fox-1.6.nix +++ b/pkgs/development/libraries/fox/fox-1.6.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { branch = "1.6"; diff --git a/pkgs/development/libraries/freetds/default.nix b/pkgs/development/libraries/freetds/default.nix index bb4aeaeee27f..3ed308a34920 100644 --- a/pkgs/development/libraries/freetds/default.nix +++ b/pkgs/development/libraries/freetds/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "0r946axzxs0czsmr7283w7vmk5jx3jnxxc32d2ncxsrsh2yli0ba"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = stdenv.lib.optional odbcSupport [ unixODBC ]; diff --git a/pkgs/development/libraries/fribidi/default.nix b/pkgs/development/libraries/fribidi/default.nix index 09828665541b..d138015e6bb8 100644 --- a/pkgs/development/libraries/fribidi/default.nix +++ b/pkgs/development/libraries/fribidi/default.nix 
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0zg1hpaml34ny74fif97j7ngrshlkl3wk3nja3gmlzl17i1bga6b"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = http://fribidi.org/; diff --git a/pkgs/development/libraries/gd/default.nix b/pkgs/development/libraries/gd/default.nix index a24a84168668..b581bce24b19 100644 --- a/pkgs/development/libraries/gd/default.nix +++ b/pkgs/development/libraries/gd/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { propagatedBuildInputs = [libjpeg fontconfig]; # urgh - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = "--without-x"; diff --git a/pkgs/development/libraries/gdal/default.nix b/pkgs/development/libraries/gdal/default.nix index 829c395cc7be..8f00bee8911a 100644 --- a/pkgs/development/libraries/gdal/default.nix +++ b/pkgs/development/libraries/gdal/default.nix @@ -18,7 +18,7 @@ composableDerivation.composableDerivation {} (fixed: rec { ++ (with pythonPackages; [ python numpy wrapPython ]) ++ (stdenv.lib.optionals netcdfSupport [ netcdf hdf5 curl ]); - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ # This ensures that the python package is installed into gdal's prefix, diff --git a/pkgs/development/libraries/gdal/gdal-1_11.nix b/pkgs/development/libraries/gdal/gdal-1_11.nix index 4c6ec24a16c6..2640159725a7 100644 --- a/pkgs/development/libraries/gdal/gdal-1_11.nix +++ b/pkgs/development/libraries/gdal/gdal-1_11.nix @@ -19,7 +19,7 @@ composableDerivation.composableDerivation {} (fixed: rec { ./python.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # Don't use optimization for gcc >= 4.3. That's said to be causing segfaults. # Unset CC and CXX as they confuse libtool. diff --git a/pkgs/development/libraries/gdome2/default.nix b/pkgs/development/libraries/gdome2/default.nix index e9c32da20692..e9643da221ef 100644 --- a/pkgs/development/libraries/gdome2/default.nix 
+++ b/pkgs/development/libraries/gdome2/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { sha256 = "0hyms5s3hziajp3qbwdwqjc2xcyhb783damqg8wxjpwfxyi81fzl"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [pkgconfig glib libxml2 gtkdoc]; propagatedBuildInputs = [glib libxml2]; diff --git a/pkgs/development/libraries/geoclue/default.nix b/pkgs/development/libraries/geoclue/default.nix index e8d43e6652f1..754c85ecf030 100644 --- a/pkgs/development/libraries/geoclue/default.nix +++ b/pkgs/development/libraries/geoclue/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [dbus glib dbus_glib]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' sed -e '/-Werror/d' -i configure diff --git a/pkgs/development/libraries/gettext/default.nix b/pkgs/development/libraries/gettext/default.nix index 9b24ccc79e82..2fcd5dd1a80b 100644 --- a/pkgs/development/libraries/gettext/default.nix +++ b/pkgs/development/libraries/gettext/default.nix @@ -12,9 +12,8 @@ stdenv.mkDerivation rec { outputs = [ "out" "doc" ]; - # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; - hardening_format = false; + # FIXME stackprotector needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "format" "stackprotector" ]; LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else ""; diff --git a/pkgs/development/libraries/giflib/4.1.nix b/pkgs/development/libraries/giflib/4.1.nix index 114e0e587b66..59204e7e7e5a 100644 --- a/pkgs/development/libraries/giflib/4.1.nix +++ b/pkgs/development/libraries/giflib/4.1.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "1v9b7ywz7qg8hli0s9vv1b8q9xxb2xvqq2mg1zpr73xwqpcwxhg1"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { branch = "4.1"; diff --git a/pkgs/development/libraries/giflib/libungif.nix b/pkgs/development/libraries/giflib/libungif.nix index 1cc4ae0201b9..fd9d4b7e81a9 100644 
--- a/pkgs/development/libraries/giflib/libungif.nix +++ b/pkgs/development/libraries/giflib/libungif.nix @@ -7,6 +7,6 @@ stdenv.mkDerivation { md5 = "efdfcf8e32e35740288a8c5625a70ccb"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; } diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 7bbf5562f7c2..50be7d8a7346 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -166,7 +166,7 @@ stdenv.mkDerivation ({ preBuild = lib.optionalString withGd "unset NIX_DONT_SET_RPATH"; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { homepage = http://www.gnu.org/software/libc/; diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix index 85a49999b484..c2109bd4158d 100644 --- a/pkgs/development/libraries/glibc/default.nix +++ b/pkgs/development/libraries/glibc/default.nix @@ -22,8 +22,7 @@ in builder = ./builder.sh; - hardening_stackprotector = false; - hardening_fortify = false; + hardeningDisable = [ "stackprotector" "fortify" ]; # When building glibc from bootstrap-tools, we need libgcc_s at RPATH for # any program we run, because the gcc will have been placed at a new diff --git a/pkgs/development/libraries/gmp/5.1.x.nix b/pkgs/development/libraries/gmp/5.1.x.nix index 0db619b36586..e803c7c56ac2 100644 --- a/pkgs/development/libraries/gmp/5.1.x.nix +++ b/pkgs/development/libraries/gmp/5.1.x.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ m4 ]; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; patches = if stdenv.isDarwin then [ ./need-size-t.patch ] else null; diff --git a/pkgs/development/libraries/gnu-efi/default.nix b/pkgs/development/libraries/gnu-efi/default.nix index 21be466a9b2d..e2861a880c87 100644 
--- a/pkgs/development/libraries/gnu-efi/default.nix +++ b/pkgs/development/libraries/gnu-efi/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ pciutils ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; makeFlags = [ "PREFIX=\${out}" diff --git a/pkgs/development/libraries/isl/0.11.1.nix b/pkgs/development/libraries/isl/0.11.1.nix index c56c5b3892af..f62d898cff74 100644 --- a/pkgs/development/libraries/isl/0.11.1.nix +++ b/pkgs/development/libraries/isl/0.11.1.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { homepage = http://www.kotnet.org/~skimo/isl/; diff --git a/pkgs/development/libraries/java/swt/default.nix b/pkgs/development/libraries/java/swt/default.nix index 855b800ba9f3..9fcffb1edb23 100644 --- a/pkgs/development/libraries/java/swt/default.nix +++ b/pkgs/development/libraries/java/swt/default.nix @@ -28,7 +28,7 @@ in stdenv.mkDerivation rec { builder = ./builder.sh; - hardening_format = false; + hardeningDisable = [ "format" ]; # Alas, the Eclipse Project apparently doesn't produce source-only # releases of SWT. So we just grab a binary release and extract diff --git a/pkgs/development/libraries/libelf/default.nix b/pkgs/development/libraries/libelf/default.nix index cb0c8a7f5c17..309f17b81429 100644 --- a/pkgs/development/libraries/libelf/default.nix +++ b/pkgs/development/libraries/libelf/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation (rec { doCheck = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; # For cross-compiling, native glibc is needed for the "gencat" program. crossAttrs = { diff --git a/pkgs/development/libraries/libf2c/default.nix b/pkgs/development/libraries/libf2c/default.nix index 8edc53cb7eec..0d9d89589ffb 100644 
--- a/pkgs/development/libraries/libf2c/default.nix +++ b/pkgs/development/libraries/libf2c/default.nix @@ -24,7 +24,7 @@ stdenv.mkDerivation rec { buildInputs = [ unzip ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "F2c converts Fortran 77 source code to C"; diff --git a/pkgs/development/libraries/libgeotiff/default.nix b/pkgs/development/libraries/libgeotiff/default.nix index 4d9fa09ad752..d30ea6e5324b 100644 --- a/pkgs/development/libraries/libgeotiff/default.nix +++ b/pkgs/development/libraries/libgeotiff/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { buildInputs = [ libtiff ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Library implementing attempt to create a tiff based interchange format for georeferenced raster imagery"; diff --git a/pkgs/development/libraries/libgphoto2/default.nix b/pkgs/development/libraries/libgphoto2/default.nix index 682a42e2db9d..a8511006d041 100644 --- a/pkgs/development/libraries/libgphoto2/default.nix +++ b/pkgs/development/libraries/libgphoto2/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { # These are mentioned in the Requires line of libgphoto's pkg-config file. propagatedBuildInputs = [ libexif ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://www.gphoto.org/proj/libgphoto2/; diff --git a/pkgs/development/libraries/libmpc/default.nix b/pkgs/development/libraries/libmpc/default.nix index cc883ba67b29..95e8dd9af48f 100644 --- a/pkgs/development/libraries/libmpc/default.nix +++ b/pkgs/development/libraries/libmpc/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { doCheck = true; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = { description = "Library for multiprecision complex arithmetic with exact rounding"; 
diff --git a/pkgs/development/libraries/librsync/0.9.nix b/pkgs/development/libraries/librsync/0.9.nix index d3dd293f975b..5f249582610f 100644 --- a/pkgs/development/libraries/librsync/0.9.nix +++ b/pkgs/development/libraries/librsync/0.9.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "1mj1pj99mgf1a59q9f2mxjli2fzxpnf55233pc1klxk2arhf8cv6"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = if stdenv.isCygwin then "--enable-static" else "--enable-shared"; diff --git a/pkgs/development/libraries/libvisual/default.nix b/pkgs/development/libraries/libvisual/default.nix index a9320f1af7b0..50a1f5ac3377 100644 --- a/pkgs/development/libraries/libvisual/default.nix +++ b/pkgs/development/libraries/libvisual/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig glib ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "An abstraction library for audio visualisations"; diff --git a/pkgs/development/libraries/mp4v2/default.nix b/pkgs/development/libraries/mp4v2/default.nix index 5281ab2c480b..ab3c3ed8c5a7 100644 --- a/pkgs/development/libraries/mp4v2/default.nix +++ b/pkgs/development/libraries/mp4v2/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { # `faac' expects `mp4.h'. postInstall = "ln -s mp4v2/mp4v2.h $out/include/mp4.h"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://code.google.com/p/mp4v2; diff --git a/pkgs/development/libraries/mpfr/default.nix b/pkgs/development/libraries/mpfr/default.nix index 2c6438857272..c63dc2c3dee9 100644 --- a/pkgs/development/libraries/mpfr/default.nix +++ b/pkgs/development/libraries/mpfr/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ gmp ]; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; configureFlags = stdenv.lib.optional stdenv.isSunOS "--disable-thread-safe" ++ 
diff --git a/pkgs/development/libraries/nvidia-texture-tools/default.nix b/pkgs/development/libraries/nvidia-texture-tools/default.nix index cd8268faa658..f35d363e5755 100644 --- a/pkgs/development/libraries/nvidia-texture-tools/default.nix +++ b/pkgs/development/libraries/nvidia-texture-tools/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ cmake libpng ilmbase libtiff zlib libjpeg mesa libX11 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' # Fix build due to missing dependnecies. diff --git a/pkgs/development/libraries/opencascade/6.5.nix b/pkgs/development/libraries/opencascade/6.5.nix index a1143757c77e..86ab85cbb9ae 100644 --- a/pkgs/development/libraries/opencascade/6.5.nix +++ b/pkgs/development/libraries/opencascade/6.5.nix @@ -26,7 +26,7 @@ stdenv.mkDerivation rec { # https://bugs.freedesktop.org/show_bug.cgi?id=83631 + " -DGLX_GLXEXT_LEGACY"; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--with-tcl=${tcl}/lib" "--with-tk=${tk}/lib" "--with-qt=${qt4}" "--with-ftgl=${ftgl}" "--with-freetype=${freetype}" ]; diff --git a/pkgs/development/libraries/opencascade/default.nix b/pkgs/development/libraries/opencascade/default.nix index bcf1b747180e..79c24be75146 100644 --- a/pkgs/development/libraries/opencascade/default.nix +++ b/pkgs/development/libraries/opencascade/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { # https://bugs.freedesktop.org/show_bug.cgi?id=83631 NIX_CFLAGS_COMPILE = "-DGLX_GLXEXT_LEGACY"; - hardening_format = false; + hardeningDisable = [ "format" ]; postInstall = '' mv $out/inc $out/include diff --git a/pkgs/development/libraries/opencv/3.x.nix b/pkgs/development/libraries/opencv/3.x.nix index 16765083c55c..4f0ed3cd0ea9 100644 --- a/pkgs/development/libraries/opencv/3.x.nix +++ b/pkgs/development/libraries/opencv/3.x.nix 
@@ -49,8 +49,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_bindnow = false; - hardening_relro = false; + hardeningDisable = [ "bindnow" "relro" ]; meta = { description = "Open Computer Vision Library with more than 500 algorithms"; diff --git a/pkgs/development/libraries/opencv/default.nix b/pkgs/development/libraries/opencv/default.nix index d5904e742b63..4259e9d4d69f 100644 --- a/pkgs/development/libraries/opencv/default.nix +++ b/pkgs/development/libraries/opencv/default.nix @@ -20,8 +20,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_bindnow = false; - hardening_relro = false; + hardeningDisable = [ "bindnow" "relro" ]; meta = { description = "Open Computer Vision Library with more than 500 algorithms"; diff --git a/pkgs/development/libraries/pdf2xml/default.nix b/pkgs/development/libraries/pdf2xml/default.nix index b73be0626230..2d15e632152c 100644 --- a/pkgs/development/libraries/pdf2xml/default.nix +++ b/pkgs/development/libraries/pdf2xml/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { patches = [./pdf2xml.patch]; - hardening_format = false; + hardeningDisable = [ "format" ]; preBuild = '' cp Makefile.linux Makefile diff --git a/pkgs/development/libraries/portmidi/default.nix b/pkgs/development/libraries/portmidi/default.nix index 4b55cffe94ff..5c056762a39b 100644 --- a/pkgs/development/libraries/portmidi/default.nix +++ b/pkgs/development/libraries/portmidi/default.nix @@ -46,7 +46,7 @@ stdenv.mkDerivation rec { buildInputs = [ unzip cmake /*jdk*/ alsaLib ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = "http://portmedia.sourceforge.net/portmidi/"; diff --git a/pkgs/development/libraries/pupnp/default.nix b/pkgs/development/libraries/pupnp/default.nix index 22dbef1bac2d..ad864410b16b 100644 --- a/pkgs/development/libraries/pupnp/default.nix +++ b/pkgs/development/libraries/pupnp/default.nix 
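Review bot: The new `hardeningDisable = [ "bindnow" "relro" ];` line in the opencv 3.x hunk (and the identical one in the 2.x hunk on the same line) carries no rationale, unlike the `# FIXME ... gcc 4.9 in bootstrap tools` comments this commit keeps elsewhere, so nobody can later tell whether the opt-out is still required or safe to lift. Turning off both flags leaves the GOT of the libopencv shared objects writable after load, which is exactly the protection RELRO/BIND_NOW exist to provide, so the reason deserves to be recorded next to the line. I would add `# FIXME: document why relro/bindnow must stay off for opencv and re-test on each bump` above it, or, if the breakage is known, the actual error it avoids. The enclosing `stdenv.mkDerivation rec {` set begins outside the hunk.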
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0amjv4lypvclmi4vim2qdyw5xa6v4x50zjgf682vahqjc0wjn55k"; };
- hardening_fortify = false;
+ hardeningDisable = [ "fortify" ];
 meta = { description = "libupnp, an open source UPnP development kit for Linux";
diff --git a/pkgs/development/libraries/qhull/default.nix b/pkgs/development/libraries/qhull/default.nix
index e8a67d3bc42a..011e133720fb 100644
--- a/pkgs/development/libraries/qhull/default.nix
+++ b/pkgs/development/libraries/qhull/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec { cmakeFlags = "-DMAN_INSTALL_DIR=share/man/man1 -DDOC_INSTALL_DIR=share/doc/qhull";
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = { homepage = http://www.qhull.org/;
diff --git a/pkgs/development/libraries/qt-3/default.nix b/pkgs/development/libraries/qt-3/default.nix
index 8a11cc7087bb..728d220bb42f 100644
--- a/pkgs/development/libraries/qt-3/default.nix
+++ b/pkgs/development/libraries/qt-3/default.nix
@@ -32,7 +32,7 @@ stdenv.mkDerivation { nativeBuildInputs = [ which ]; propagatedBuildInputs = [libpng xlibsWrapper libXft libXrender zlib libjpeg];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 configureFlags = " -v
diff --git a/pkgs/development/libraries/qtscriptgenerator/default.nix b/pkgs/development/libraries/qtscriptgenerator/default.nix
index de87c6b73c6f..499c6f18453a 100644
--- a/pkgs/development/libraries/qtscriptgenerator/default.nix
+++ b/pkgs/development/libraries/qtscriptgenerator/default.nix
@@ -32,7 +32,7 @@ stdenv.mkDerivation { cp -av plugins/script/* $out/lib/qt4/plugins/script '';
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = { description = "QtScript bindings generator";
diff --git a/pkgs/development/libraries/smpeg/default.nix b/pkgs/development/libraries/smpeg/default.nix
index 49d889f8b6ac..fe52571e1478 100644
--- a/pkgs/development/libraries/smpeg/default.nix
+++ b/pkgs/development/libraries/smpeg/default.nix
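Review bot: `hardeningDisable = [ "fortify" ];` in pupnp removes the `_FORTIFY_SOURCE` bounds checks on libc string and memory calls for a library whose whole job is to parse network input, and the hunk records no reason for it; the same undocumented fortify waiver is carried over for mxt-app, disk-indicator, xf86-video-nested and beanstalkd later in this series. A fortify waiver is typically a symptom of either a genuine overflow that the checks now abort on, or of the package being built without optimization, and the two call for different fixes. I would add `# fortify: <error seen with _FORTIFY_SOURCE=2> — FIXME re-enable` above each of these lines so the next maintainer can distinguish the cases.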
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true;
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 buildInputs = [ SDL gtk mesa ];
diff --git a/pkgs/development/libraries/speechd/default.nix b/pkgs/development/libraries/speechd/default.nix
index d94b4159e93e..94489e992a6f 100644
--- a/pkgs/development/libraries/speechd/default.nix
+++ b/pkgs/development/libraries/speechd/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ dotconf glib pkgconfig ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = { description = "Common interface to speech synthesis";
diff --git a/pkgs/development/libraries/tidyp/default.nix b/pkgs/development/libraries/tidyp/default.nix
index 818029dbb248..ba95da77b72c 100644
--- a/pkgs/development/libraries/tidyp/default.nix
+++ b/pkgs/development/libraries/tidyp/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0f5ky0ih4vap9c6j312jn73vn8m2bj69pl2yd3a5nmv35k9zmc10"; };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = with stdenv.lib; { description = "A program that can validate your HTML, as well as modify it to be more clean and standard";
diff --git a/pkgs/development/libraries/xmlrpc-c/default.nix b/pkgs/development/libraries/xmlrpc-c/default.nix
index 0d787092a3cd..0b5f08bdf9b3 100644
--- a/pkgs/development/libraries/xmlrpc-c/default.nix
+++ b/pkgs/development/libraries/xmlrpc-c/default.nix
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec { (cd tools/xmlrpc && make && make install) '';
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = with stdenv.lib; { description = "A lightweight RPC library based on XML and HTTP";
diff --git a/pkgs/development/libraries/zlib/default.nix b/pkgs/development/libraries/zlib/default.nix
index 2871985a0826..77ab0f8ffa9c 100644
--- a/pkgs/development/libraries/zlib/default.nix
+++ b/pkgs/development/libraries/zlib/default.nix
@@ -30,7 +30,7 @@ stdenv.mkDerivation (rec { ''; # FIXME needs gcc 4.9 in bootstrap tools
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 # As zlib takes part in the stdenv building, we don't want references # to the bootstrap-tools libgcc (as uses to happen on arm/mips)
diff --git a/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix b/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix
index b27a6659004d..108f3616e64e 100644
--- a/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix
+++ b/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix
@@ -26,7 +26,7 @@ stdenv.mkDerivation { buildInputs = [ gmp mpfr libmpc zlib ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 # Make sure we don't strip the libraries in lib/gcc/avr. stripDebugList= [ "bin" "avr/bin" "libexec" ];
diff --git a/pkgs/development/pharo/vm/build-vm.nix b/pkgs/development/pharo/vm/build-vm.nix
index 9665b78d3b27..8265e1dc776f 100644
--- a/pkgs/development/pharo/vm/build-vm.nix
+++ b/pkgs/development/pharo/vm/build-vm.nix
@@ -21,7 +21,7 @@ stdenv.mkDerivation rec { mimeType = "application/x-pharo-image"; };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 # Building preConfigure = ''
diff --git a/pkgs/development/python-modules/wxPython/generic.nix b/pkgs/development/python-modules/wxPython/generic.nix
index 385980b28484..36051cc2e12e 100644
--- a/pkgs/development/python-modules/wxPython/generic.nix
+++ b/pkgs/development/python-modules/wxPython/generic.nix
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec { sourceRoot = "wxPython-src-${version}/wxPython";
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 src = fetchurl { url = "mirror://sourceforge/wxpython/wxPython-src-${version}.tar.bz2";
diff --git a/pkgs/development/tools/analysis/cccc/default.nix b/pkgs/development/tools/analysis/cccc/default.nix
index a4d88f5d2ea4..b63bc66fabd2 100644
--- a/pkgs/development/tools/analysis/cccc/default.nix
+++ b/pkgs/development/tools/analysis/cccc/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation { sha256 = "1gsdzzisrk95kajs3gfxks3bjvfd9g680fin6a9pjrism2lyrcr7"; };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 patches = [ ./cccc.patch ];
diff --git a/pkgs/development/tools/analysis/radare/default.nix b/pkgs/development/tools/analysis/radare/default.nix
index 8324d8991478..d42227198ce3 100644
--- a/pkgs/development/tools/analysis/radare/default.nix
+++ b/pkgs/development/tools/analysis/radare/default.nix
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec { sha256 = "1qdrmcnzfvfvqb27c7pknwm8jl2hqa6c4l66wzyddwlb8yjm46hd"; };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 buildInputs = [pkgconfig readline libusb perl] ++ optional useX11 [gtkdialog vte gtk]
diff --git a/pkgs/development/tools/analysis/valgrind/default.nix b/pkgs/development/tools/analysis/valgrind/default.nix
index 2896f4ff2716..0e0e44183f6b 100644
--- a/pkgs/development/tools/analysis/valgrind/default.nix
+++ b/pkgs/development/tools/analysis/valgrind/default.nix
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec { outputs = [ "out" "doc" ];
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 # Perl is needed for `cg_annotate'. # GDB is needed to provide a sane default for `--db-command'.
diff --git a/pkgs/development/tools/boost-build/default.nix b/pkgs/development/tools/boost-build/default.nix
index aa590543e00e..240d24961e00 100644
--- a/pkgs/development/tools/boost-build/default.nix
+++ b/pkgs/development/tools/boost-build/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "10sbbkx2752r4i1yshyp47nw29lyi1p34sy6hj7ivvnddiliayca"; };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 patchPhase = '' grep -r '/usr/share/boost-build' \
diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix
index 78adfe487517..7ffa6ed867cc 100644
--- a/pkgs/development/tools/misc/binutils/default.nix
+++ b/pkgs/development/tools/misc/binutils/default.nix
@@ -40,7 +40,7 @@ stdenv.mkDerivation rec { inherit noSysDirs; # FIXME needs gcc 4.9 in bootstrap tools
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 preConfigure = '' # Clear the default library search path.
diff --git a/pkgs/development/tools/misc/elfutils/default.nix b/pkgs/development/tools/misc/elfutils/default.nix
index 464ad7910952..d4a2f80599f7 100644
--- a/pkgs/development/tools/misc/elfutils/default.nix
+++ b/pkgs/development/tools/misc/elfutils/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./glibc-2.21.patch ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 # We need bzip2 in NativeInputs because otherwise we can't unpack the src, # as the host-bzip2 will be in the path.
diff --git a/pkgs/development/tools/misc/gnum4/default.nix b/pkgs/development/tools/misc/gnum4/default.nix
index e610858838de..79f7445af478 100644
--- a/pkgs/development/tools/misc/gnum4/default.nix
+++ b/pkgs/development/tools/misc/gnum4/default.nix
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec { patches = [ ./s_isdir.patch ]; # FIXME needs gcc 4.9 in bootstrap tools
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 meta = { homepage = http://www.gnu.org/software/m4/;
diff --git a/pkgs/development/tools/misc/patchelf/default.nix b/pkgs/development/tools/misc/patchelf/default.nix
index 91658a5d4d9b..e999aa4eb2c6 100644
--- a/pkgs/development/tools/misc/patchelf/default.nix
+++ b/pkgs/development/tools/misc/patchelf/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec { setupHook = [ ./setup-hook.sh ]; # FIXME needs gcc 4.9 in bootstrap tools
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 meta = { homepage = http://nixos.org/patchelf.html;
diff --git a/pkgs/development/tools/misc/texinfo/6.0.nix b/pkgs/development/tools/misc/texinfo/6.0.nix
index 786998c6af76..cf62d906f3c7 100644
--- a/pkgs/development/tools/misc/texinfo/6.0.nix
+++ b/pkgs/development/tools/misc/texinfo/6.0.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec { configureFlags = stdenv.lib.optional stdenv.isSunOS "AWK=${gawk}/bin/awk"; # FIXME needs gcc 4.9 in bootstrap tools
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 preInstall = '' installFlags="TEXMF=$out/texmf-dist";
diff --git a/pkgs/development/tools/omniorb/default.nix b/pkgs/development/tools/omniorb/default.nix
index 192e05852179..da6760897ad7 100644
--- a/pkgs/development/tools/omniorb/default.nix
+++ b/pkgs/development/tools/omniorb/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ python ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = with stdenv.lib; { description = "omniORB is a robust high performance CORBA ORB for C++ and Python. It is freely available under the terms of the GNU Lesser General Public License (for the libraries), and GNU General Public License (for the tools). omniORB is largely CORBA 2.6 compliant";
diff --git a/pkgs/development/tools/parsing/bison/3.x.nix b/pkgs/development/tools/parsing/bison/3.x.nix
index 0062bc36561b..97a66490bf98 100644
--- a/pkgs/development/tools/parsing/bison/3.x.nix
+++ b/pkgs/development/tools/parsing/bison/3.x.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ m4 ]; # FIXME needs gcc 4.9 in bootstrap tools
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 meta = { homepage = "http://www.gnu.org/software/bison/";
diff --git a/pkgs/games/asc/default.nix b/pkgs/games/asc/default.nix
index 82d4748a9796..e67b92afa768 100644
--- a/pkgs/games/asc/default.nix
+++ b/pkgs/games/asc/default.nix
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec { configureFlags = [ "--disable-paragui" "--disable-paraguitest" ]; NIX_CFLAGS_COMPILE = "-fpermissive"; # I'm too lazy to catch all gcc47-related problems
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 buildInputs = [ SDL SDL_image SDL_mixer SDL_sound libsigcxx physfs boost expat
diff --git a/pkgs/games/bsdgames/default.nix b/pkgs/games/bsdgames/default.nix
index 6e138511d03d..599588e6f0ee 100644
--- a/pkgs/games/bsdgames/default.nix
+++ b/pkgs/games/bsdgames/default.nix
@@ -17,7 +17,7 @@ stdenv.mkDerivation { }) ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 preConfigure = '' cat > config.params << EOF
diff --git a/pkgs/games/crack-attack/default.nix b/pkgs/games/crack-attack/default.nix
index 9a4b1d049163..eb20c0b329e8 100644
--- a/pkgs/games/crack-attack/default.nix
+++ b/pkgs/games/crack-attack/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation { buildInputs = [ pkgconfig gtk freeglut SDL mesa libXi libXmu ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = { description = "A fast-paced puzzle game inspired by the classic Super NES title Tetris Attack!";
diff --git a/pkgs/games/lincity/ng.nix b/pkgs/games/lincity/ng.nix
index 0c3fc7055b7c..b6574eaf39e3 100644
--- a/pkgs/games/lincity/ng.nix
+++ b/pkgs/games/lincity/ng.nix
@@ -22,7 +22,7 @@ stdenv.mkDerivation rec { inherit (s) url sha256; };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 inherit buildInputs;
diff --git a/pkgs/games/liquidwar/default.nix b/pkgs/games/liquidwar/default.nix
index d374ed85b2db..532c4c635fb0 100644
--- a/pkgs/games/liquidwar/default.nix
+++ b/pkgs/games/liquidwar/default.nix
@@ -24,7 +24,7 @@ stdenv.mkDerivation rec { libXrender libcaca cunit ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 # To avoid problems finding SDL_types.h. configureFlags = [ "CFLAGS=-I${SDL}/include/SDL" ];
diff --git a/pkgs/games/pioneers/default.nix b/pkgs/games/pioneers/default.nix
index 41780dd64f6d..3f1735c31aa1 100644
--- a/pkgs/games/pioneers/default.nix
+++ b/pkgs/games/pioneers/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec { buildInputs = [ gtk pkgconfig intltool ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = { homepage = http://pio.sourceforge.net/;
diff --git a/pkgs/games/stardust/default.nix b/pkgs/games/stardust/default.nix
index 94da81533c13..74d9bdcb35dc 100644
--- a/pkgs/games/stardust/default.nix
+++ b/pkgs/games/stardust/default.nix
@@ -17,7 +17,7 @@ stdenv.mkDerivation rec { installFlags = [ "bindir=\${out}/bin" ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 postConfigure = '' substituteInPlace config.h \
diff --git a/pkgs/games/torcs/default.nix b/pkgs/games/torcs/default.nix
index fd320a32180e..1b1e877d274d 100644
--- a/pkgs/games/torcs/default.nix
+++ b/pkgs/games/torcs/default.nix
@@ -21,7 +21,7 @@ stdenv.mkDerivation rec { installTargets = "install datainstall";
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = { description = "Car racing game";
diff --git a/pkgs/games/xconq/default.nix b/pkgs/games/xconq/default.nix
index cace72b5aacf..e6e237529531 100644
--- a/pkgs/games/xconq/default.nix
+++ b/pkgs/games/xconq/default.nix
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec { "--with-tkconfig=${tk}/lib" ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 patchPhase = '' # Fix Makefiles
diff --git a/pkgs/games/zandronum/default.nix b/pkgs/games/zandronum/default.nix
index fa4c17649ac2..18abf280a81e 100644
--- a/pkgs/games/zandronum/default.nix
+++ b/pkgs/games/zandronum/default.nix
@@ -33,7 +33,7 @@ in stdenv.mkDerivation { enableParallelBuilding = true;
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 installPhase = '' mkdir -p $out/bin
diff --git a/pkgs/misc/emulators/dosbox/default.nix b/pkgs/misc/emulators/dosbox/default.nix
index bbaa565e352e..d57ef5ae16da 100644
--- a/pkgs/misc/emulators/dosbox/default.nix
+++ b/pkgs/misc/emulators/dosbox/default.nix
@@ -20,7 +20,7 @@ stdenv.mkDerivation rec { buildInputs = [ SDL ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 desktopItem = makeDesktopItem { name = "dosbox";
diff --git a/pkgs/misc/emulators/mupen64plus/default.nix b/pkgs/misc/emulators/mupen64plus/default.nix
index dc3c14128566..1abf621fe7e0 100644
--- a/pkgs/misc/emulators/mupen64plus/default.nix
+++ b/pkgs/misc/emulators/mupen64plus/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation { buildInputs = [ which pkgconfig SDL gtk mesa SDL_ttf ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 preConfigure = '' # Some C++ incompatibility fixes
diff --git a/pkgs/misc/emulators/nestopia/default.nix b/pkgs/misc/emulators/nestopia/default.nix
index 3ed455bd350f..6620018c3376 100644
--- a/pkgs/misc/emulators/nestopia/default.nix
+++ b/pkgs/misc/emulators/nestopia/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec { # nondeterministic failures when creating directories enableParallelBuilding = false;
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 buildInputs = [ pkgconfig SDL2 alsaLib gtk3 mesa_glu mesa makeWrapper libarchive libao unzip xdg_utils gsettings_desktop_schemas ];
diff --git a/pkgs/misc/emulators/uae/default.nix b/pkgs/misc/emulators/uae/default.nix
index 54620699f2d8..9e773b18f7db 100644
--- a/pkgs/misc/emulators/uae/default.nix
+++ b/pkgs/misc/emulators/uae/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig gtk alsaLib SDL ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = { description = "Ultimate/Unix/Unusable Amiga Emulator";
diff --git a/pkgs/misc/mxt-app/default.nix b/pkgs/misc/mxt-app/default.nix
index e1db07bfff2b..2873225b26f1 100644
--- a/pkgs/misc/mxt-app/default.nix
+++ b/pkgs/misc/mxt-app/default.nix
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec{ buildInputs = [ autoconf automake libtool ]; preConfigure = "./autogen.sh";
- hardening_fortify = false;
+ hardeningDisable = [ "fortify" ];
 meta = with stdenv.lib; { description = "Command line utility for Atmel maXTouch devices";
diff --git a/pkgs/os-specific/linux/acpi-call/default.nix b/pkgs/os-specific/linux/acpi-call/default.nix
index 05a5549fae28..65223a32bad6 100644
--- a/pkgs/os-specific/linux/acpi-call/default.nix
+++ b/pkgs/os-specific/linux/acpi-call/default.nix
@@ -9,7 +9,7 @@ stdenv.mkDerivation { sha256 = "0jl19irz9x9pxab2qp4z8c3jijv2m30zhmnzi6ygbrisqqlg4c75"; };
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 preBuild = '' sed -e 's/break/true/' -i examples/turn_off_gpu.sh
diff --git a/pkgs/os-specific/linux/batman-adv/default.nix b/pkgs/os-specific/linux/batman-adv/default.nix
index 41c4f48ddb82..aabd36f945f5 100644
--- a/pkgs/os-specific/linux/batman-adv/default.nix
+++ b/pkgs/os-specific/linux/batman-adv/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "0r5faf12ifpj8h1fklkzvy4ck359cadk8xh1l3n7vimh67hxbxbz"; };
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 preBuild = '' makeFlags="KERNELPATH=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
diff --git a/pkgs/os-specific/linux/bbswitch/default.nix b/pkgs/os-specific/linux/bbswitch/default.nix
index 2c91bfbd10fb..67b843fac4dc 100644
--- a/pkgs/os-specific/linux/bbswitch/default.nix
+++ b/pkgs/os-specific/linux/bbswitch/default.nix
@@ -20,7 +20,7 @@ stdenv.mkDerivation { sha256 = "1lbr6pyyby4k9rn2ry5qc38kc738d0442jhhq57vmdjb6hxjya7m"; }) ];
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 preBuild = '' substituteInPlace Makefile \
diff --git a/pkgs/os-specific/linux/blcr/default.nix b/pkgs/os-specific/linux/blcr/default.nix
index 78a576234aca..c2e3fa4b9e1f 100644
--- a/pkgs/os-specific/linux/blcr/default.nix
+++ b/pkgs/os-specific/linux/blcr/default.nix
@@ -19,7 +19,7 @@ stdenv.mkDerivation { buildInputs = [ perl makeWrapper ];
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 preConfigure = '' configureFlagsArray=(
diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index cc3cfe2465d5..2785a57ac8a7 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -33,7 +33,7 @@ stdenv.mkDerivation rec { sha256 = "16ii9sqracvh2r1gfzhmlypl269nnbkpvrwa7270k35d3bigk9h5"; };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 patches = [ ./busybox-in-store.patch ];
diff --git a/pkgs/os-specific/linux/criu/default.nix b/pkgs/os-specific/linux/criu/default.nix
index aacdfc496ee8..6567e4786366 100644
--- a/pkgs/os-specific/linux/criu/default.nix
+++ b/pkgs/os-specific/linux/criu/default.nix
@@ -23,7 +23,8 @@ stdenv.mkDerivation rec { configurePhase = "make config PREFIX=$out"; makeFlags = "PREFIX=$(out)";
- hardening_stackprotector = false;
+
+ hardeningDisable = [ "stackprotector" ];
 installPhase = '' mkdir -p $out/etc/logrotate.d
diff --git a/pkgs/os-specific/linux/dietlibc/default.nix b/pkgs/os-specific/linux/dietlibc/default.nix
index 09d7651c249d..7a2d94100fa5 100644
--- a/pkgs/os-specific/linux/dietlibc/default.nix
+++ b/pkgs/os-specific/linux/dietlibc/default.nix
@@ -12,7 +12,8 @@ stdenv.mkDerivation { inherit glibc; kernelHeaders = glibc.linuxHeaders;
- hardening_stackprotector = false;
+
+ hardeningDisable = [ "stackprotector" ];
 patches = [
diff --git a/pkgs/os-specific/linux/disk-indicator/default.nix b/pkgs/os-specific/linux/disk-indicator/default.nix
index 8eba742ebfb8..4c2d0c885768 100644
--- a/pkgs/os-specific/linux/disk-indicator/default.nix
+++ b/pkgs/os-specific/linux/disk-indicator/default.nix
@@ -19,7 +19,8 @@ stdenv.mkDerivation { buildPhase = "make -f makefile"; NIX_CFLAGS_COMPILE = "-Wno-error=cpp";
- hardening_fortify = false;
+
+ hardeningDisable = [ "fortify" ];
 installPhase = '' mkdir -p "$out/bin"
diff --git a/pkgs/os-specific/linux/facetimehd/default.nix b/pkgs/os-specific/linux/facetimehd/default.nix
index 48494bd6b187..b25a65b2ab47 100644
--- a/pkgs/os-specific/linux/facetimehd/default.nix
+++ b/pkgs/os-specific/linux/facetimehd/default.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec { export INSTALL_MOD_PATH="$out" '';
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
diff --git a/pkgs/os-specific/linux/gogoclient/default.nix b/pkgs/os-specific/linux/gogoclient/default.nix
index 93c334b95937..e86c751331b2 100644
--- a/pkgs/os-specific/linux/gogoclient/default.nix
+++ b/pkgs/os-specific/linux/gogoclient/default.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec { makeFlags = ["target=linux"]; installFlags = ["installdir=$(out)"];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 buildInputs = [openssl];
diff --git a/pkgs/os-specific/linux/ifenslave/default.nix b/pkgs/os-specific/linux/ifenslave/default.nix
index a5cd24118191..b9390d1d5893 100644
--- a/pkgs/os-specific/linux/ifenslave/default.nix
+++ b/pkgs/os-specific/linux/ifenslave/default.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec { cp -a ifenslave $out/bin '';
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 meta = { description = "Utility for enslaving networking interfaces under a bond";
diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix
index 7c956e3c2442..79094ebb3e38 100644
--- a/pkgs/os-specific/linux/jool/default.nix
+++ b/pkgs/os-specific/linux/jool/default.nix
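Review bot: In disk-indicator the new `hardeningDisable = [ "fortify" ];` sits directly under the unchanged `NIX_CFLAGS_COMPILE = "-Wno-error=cpp";`, and `-Wno-error=cpp` is the flag one adds to demote glibc's `#warning _FORTIFY_SOURCE requires compiling with optimization`, so the two lines look like workarounds for the same symptom (the package being built without `-O`); if that reading is right, fixing the optimization level would let both go, and if not, a one-line comment should say what the fortify waiver is really for. The hunk also inserts an empty `+` line above the attribute, as do the criu and dietlibc hunks on the previous line, while every other hunk in this series replaces the attribute in place; a consistent layout would drop the blank line. The `stdenv.mkDerivation` body continues outside the hunk.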
@@ -9,7 +9,7 @@ stdenv.mkDerivation { src = sourceAttrs.src;
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 prePatch = '' sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i mod/*/Makefile
diff --git a/pkgs/os-specific/linux/kernel-headers/3.18.nix b/pkgs/os-specific/linux/kernel-headers/3.18.nix
index be54d7a4e6a7..22650747ba21 100644
--- a/pkgs/os-specific/linux/kernel-headers/3.18.nix
+++ b/pkgs/os-specific/linux/kernel-headers/3.18.nix
@@ -35,7 +35,7 @@ stdenv.mkDerivation { buildInputs = [perl]; # FIXME needs gcc 4.9 in bootstrap tools
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 extraIncludeDirs = if cross != null then
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index 5a22b5e2432d..85a4b98982a4 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -225,16 +225,12 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null) (ubootChooser stdenv.platform.uboot);
- hardening_format = false;
- hardening_fortify = false;
- hardening_stackprotector = false;
+ hardeningDisable = [ "format" "fortify" "stackprotector" "pic" ];
 makeFlags = commonMakeFlags ++ [ "ARCH=${stdenv.platform.kernelArch}" ];
- hardening_pic = false;
 karch = stdenv.platform.kernelArch; crossAttrs = let cp = stdenv.cross.platform; in
diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix
index 98593ea85a9c..d1a2fabf8140 100644
--- a/pkgs/os-specific/linux/kexectools/default.nix
+++ b/pkgs/os-specific/linux/kexectools/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "1qrfka9xvy77k0rg3k0cf7xai0f9vpgsbs4l3bs8r4nvzy37j2di"; };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 buildInputs = [ zlib ];
diff --git a/pkgs/os-specific/linux/klibc/default.nix b/pkgs/os-specific/linux/klibc/default.nix
index b05b0dc44637..ffa381d0f297 100644
--- a/pkgs/os-specific/linux/klibc/default.nix
+++ b/pkgs/os-specific/linux/klibc/default.nix
@@ -21,8 +21,7 @@ stdenv.mkDerivation { nativeBuildInputs = [ perl ];
- hardening_format = false;
- hardening_stackprotector = false;
+ hardeningDisable = [ "format" "stackprotector" ];
 makeFlags = commonMakeFlags ++ [ "KLIBCARCH=${stdenv.platform.kernelArch}"
diff --git a/pkgs/os-specific/linux/lttng-modules/default.nix b/pkgs/os-specific/linux/lttng-modules/default.nix
index f6a5e30afa08..0bcc6dd5143c 100644
--- a/pkgs/os-specific/linux/lttng-modules/default.nix
+++ b/pkgs/os-specific/linux/lttng-modules/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec { sha256 = "0sk7cyjf5ylmxqrrrz5zmmw4c0dmxh1f98aj870gmcnxfa76y4mx"; };
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 preConfigure = '' export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
diff --git a/pkgs/os-specific/linux/multipath-tools/default.nix b/pkgs/os-specific/linux/multipath-tools/default.nix
index 8aee4b73fdde..409eb31e14f7 100644
--- a/pkgs/os-specific/linux/multipath-tools/default.nix
+++ b/pkgs/os-specific/linux/multipath-tools/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1yd6l1l1c62xjr1xnij2x49kr416anbgfs4y06r86kp9hkmz2g7i"; };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 postPatch = '' sed -i -re '
diff --git a/pkgs/os-specific/linux/netatop/default.nix b/pkgs/os-specific/linux/netatop/default.nix
index e95cd4e133cf..35781dc7f95c 100644
--- a/pkgs/os-specific/linux/netatop/default.nix
+++ b/pkgs/os-specific/linux/netatop/default.nix
@@ -14,7 +14,7 @@ stdenv.mkDerivation { buildInputs = [ zlib ];
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 preConfigure = '' patchShebangs mkversion
diff --git a/pkgs/os-specific/linux/numad/default.nix b/pkgs/os-specific/linux/numad/default.nix
index 959de19ead26..7310e7e36add 100644
--- a/pkgs/os-specific/linux/numad/default.nix
+++ b/pkgs/os-specific/linux/numad/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "08zd1yc3w00yv4mvvz5sq1gf91f6p2s9ljcd72m33xgnkglj60v4"; };
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 patches = [ ./numad-linker-flags.patch
diff --git a/pkgs/os-specific/linux/paxctl/default.nix b/pkgs/os-specific/linux/paxctl/default.nix
index 50aa77104c28..7ef98eb23536 100644
--- a/pkgs/os-specific/linux/paxctl/default.nix
+++ b/pkgs/os-specific/linux/paxctl/default.nix
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec { ]; # FIXME needs gcc 4.9 in bootstrap tools
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 setupHook = ./setup-hook.sh;
diff --git a/pkgs/os-specific/linux/phc-intel/default.nix b/pkgs/os-specific/linux/phc-intel/default.nix
index 56ff6c473b40..56c12e9a4f0a 100644
--- a/pkgs/os-specific/linux/phc-intel/default.nix
+++ b/pkgs/os-specific/linux/phc-intel/default.nix
@@ -21,7 +21,7 @@ in stdenv.mkDerivation rec { buildInputs = [ which ];
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 makeFlags = with kernel; [ "DESTDIR=$(out)"
diff --git a/pkgs/os-specific/linux/rtl8812au/default.nix b/pkgs/os-specific/linux/rtl8812au/default.nix
index 5a03df983460..102b935be296 100644
--- a/pkgs/os-specific/linux/rtl8812au/default.nix
+++ b/pkgs/os-specific/linux/rtl8812au/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "14ifhplawipfd6971mxw76dv3ygwc0n8sbz2l3f0vvkin6x88bsj"; };
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 patchPhase = '' substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/"
diff --git a/pkgs/os-specific/linux/setools/default.nix b/pkgs/os-specific/linux/setools/default.nix
index 6e8d9d3cf7a6..5f539b9a97e5 100644
--- a/pkgs/os-specific/linux/setools/default.nix
+++ b/pkgs/os-specific/linux/setools/default.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec { "--with-tcl=${tcl}/lib" ];
- hardening_format = false;
+ hardeningDisable = [ "format" ];
 NIX_CFLAGS_COMPILE = "-fstack-protector-all"; NIX_LDFLAGS = "-L${libsepol}/lib -L${libselinux}/lib";
diff --git a/pkgs/os-specific/linux/spl/default.nix b/pkgs/os-specific/linux/spl/default.nix
index 67e2f16848bd..3fbfa4fdc531 100644
--- a/pkgs/os-specific/linux/spl/default.nix
+++ b/pkgs/os-specific/linux/spl/default.nix
@@ -30,7 +30,7 @@ stdenv.mkDerivation rec { buildInputs = [ autoconf automake libtool ];
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 preConfigure = '' ./autogen.sh
diff --git a/pkgs/os-specific/linux/sysdig/default.nix b/pkgs/os-specific/linux/sysdig/default.nix
index 00f9a66f0cd4..358f7d38efa4 100644
--- a/pkgs/os-specific/linux/sysdig/default.nix
+++ b/pkgs/os-specific/linux/sysdig/default.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation { cmake zlib luajit ncurses perl jsoncpp libb64 openssl curl ];
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 cmakeFlags = [ "-DUSE_BUNDLED_DEPS=OFF"
diff --git a/pkgs/os-specific/linux/syslinux/default.nix b/pkgs/os-specific/linux/syslinux/default.nix
index 3ace0f5c5edc..a68ab9c478ca 100644
--- a/pkgs/os-specific/linux/syslinux/default.nix
+++ b/pkgs/os-specific/linux/syslinux/default.nix
@@ -16,8 +16,7 @@ stdenv.mkDerivation rec { buildInputs = [ libuuid makeWrapper ]; enableParallelBuilding = false; # Fails very rarely with 'No rule to make target: ...'
- hardening_stackprotector = false;
- hardening_pic = false;
+ hardeningDisable = [ "pic" "stackprotector" ];
 preBuild = '' substituteInPlace Makefile --replace /bin/pwd $(type -P pwd)
diff --git a/pkgs/os-specific/linux/tp_smapi/default.nix b/pkgs/os-specific/linux/tp_smapi/default.nix
index 116a03444507..dceb777ad720 100644
--- a/pkgs/os-specific/linux/tp_smapi/default.nix
+++ b/pkgs/os-specific/linux/tp_smapi/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "6aef02b92d10360ac9be0db29ae390636be55017990063a092a285c70b54e666"; };
- hardening_pic = false;
+ hardeningDisable = [ "pic" ];
 makeFlags = [ "KBASE=${kernel.dev}/lib/modules/${kernel.modDirVersion}"
diff --git a/pkgs/os-specific/linux/v4l2loopback/default.nix b/pkgs/os-specific/linux/v4l2loopback/default.nix
index 8b44f3388d3f..376a407d9933 100644
--- a/pkgs/os-specific/linux/v4l2loopback/default.nix
+++ b/pkgs/os-specific/linux/v4l2loopback/default.nix
@@ -9,8 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1crkhxlnskqrfj3f7jmiiyi5m75zmj7n0s26xz07wcwdzdf2p568"; };
- hardening_pic = false;
- hardening_format = false;
+ hardeningDisable = [ "format" "pic" ];
 preBuild = '' substituteInPlace Makefile --replace "modules_install" "INSTALL_MOD_PATH=$out modules_install"
diff --git a/pkgs/os-specific/linux/v86d/default.nix b/pkgs/os-specific/linux/v86d/default.nix
index 17255aa12831..073a6ded998b 100644
--- a/pkgs/os-specific/linux/v86d/default.nix
+++ b/pkgs/os-specific/linux/v86d/default.nix
@@ -17,7 +17,7 @@ stdenv.mkDerivation rec { configureFlags = [ "--with-klibc" "--with-x86emu" ];
- hardening_stackprotector = false;
+ hardeningDisable = [ "stackprotector" ];
 makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source"
diff --git a/pkgs/os-specific/linux/xf86-video-nested/default.nix b/pkgs/os-specific/linux/xf86-video-nested/default.nix
index 96f353a64da2..8b712553be9e 100644
--- a/pkgs/os-specific/linux/xf86-video-nested/default.nix
+++ b/pkgs/os-specific/linux/xf86-video-nested/default.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation { pkgconfig renderproto utilmacros xorgserver ];
- hardening_fortify = false;
+ hardeningDisable = [ "fortify" ];
 CFLAGS = "-I${pixman}/include/pixman-1";
diff --git a/pkgs/os-specific/linux/zfs/default.nix b/pkgs/os-specific/linux/zfs/default.nix
index 0a61bdcea850..c49f393dd165 100644
--- a/pkgs/os-specific/linux/zfs/default.nix
+++ b/pkgs/os-specific/linux/zfs/default.nix
@@ -38,7 +38,7 @@ stdenv.mkDerivation rec { # for zdb to get the rpath to libgcc_s, needed for pthread_cancel to work NIX_CFLAGS_LINK = "-lgcc_s"; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preConfigure = '' substituteInPlace ./module/zfs/zfs_ctldir.c --replace "umount -t zfs" "${utillinux}/bin/umount -t zfs" diff --git a/pkgs/servers/beanstalkd/default.nix b/pkgs/servers/beanstalkd/default.nix index f5693e451684..ef4621fb9a65 100644 --- a/pkgs/servers/beanstalkd/default.nix +++ b/pkgs/servers/beanstalkd/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { sha256 = "0n9dlmiddcfl7i0f1lwfhqiwyvf26493fxfcmn8jm30nbqciwfwj"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = with stdenv.lib; { homepage = http://kr.github.io/beanstalkd/; diff --git a/pkgs/servers/firebird/default.nix b/pkgs/servers/firebird/default.nix index e557a2a0061c..414582b69ef5 100644 --- a/pkgs/servers/firebird/default.nix +++ b/pkgs/servers/firebird/default.nix @@ -65,7 +65,7 @@ stdenv.mkDerivation rec { sha256 = "0887a813wffp44hnc2gmwbc4ylpqw3fh3hz3bf6q3648344a9fdv"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; # configurePhase = '' # sed -i 's@cp /usr/share/automake-.*@@' autogen.sh diff --git a/pkgs/servers/gpm/default.nix b/pkgs/servers/gpm/default.nix index 99b6ce2a832d..ac5e0b7c1b1c 100644 --- a/pkgs/servers/gpm/default.nix +++ b/pkgs/servers/gpm/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ automake autoconf libtool flex bison texinfo ]; buildInputs = [ ncurses ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' ./autogen.sh diff --git a/pkgs/servers/http/nginx/default.nix b/pkgs/servers/http/nginx/default.nix index 3dbb34f9b021..aaa858e302c9 100644 --- a/pkgs/servers/http/nginx/default.nix +++ b/pkgs/servers/http/nginx/default.nix 
@@ -55,7 +55,7 @@ stdenv.mkDerivation rec { preConfigure = concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = { description = "A reverse proxy and lightweight webserver"; diff --git a/pkgs/servers/icecast/default.nix b/pkgs/servers/icecast/default.nix index d0e238786e28..dc3fef6125cc 100644 --- a/pkgs/servers/icecast/default.nix +++ b/pkgs/servers/icecast/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ libxml2 libxslt curl libvorbis libtheora speex libkate libopus ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = { description = "Server software for streaming multimedia"; diff --git a/pkgs/servers/irc/charybdis/default.nix b/pkgs/servers/irc/charybdis/default.nix index d42f69d078bc..d00bcb7ef1a2 100644 --- a/pkgs/servers/irc/charybdis/default.nix +++ b/pkgs/servers/irc/charybdis/default.nix @@ -20,7 +20,7 @@ stdenv.mkDerivation rec { "--with-program-prefix=charybdis-" ]; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ bison flex openssl ]; diff --git a/pkgs/servers/mail/postfix/3.0.nix b/pkgs/servers/mail/postfix/3.0.nix index 3a0f2e0954da..9d208e8af4d5 100644 --- a/pkgs/servers/mail/postfix/3.0.nix +++ b/pkgs/servers/mail/postfix/3.0.nix @@ -41,7 +41,7 @@ in stdenv.mkDerivation rec { ./relative-symlinks.patch ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; preBuild = '' sed -e '/^PATH=/d' -i postfix-install diff --git a/pkgs/servers/mail/postfix/default.nix b/pkgs/servers/mail/postfix/default.nix index 42355b46021d..886412b24cd9 100644 --- a/pkgs/servers/mail/postfix/default.nix +++ b/pkgs/servers/mail/postfix/default.nix @@ -14,8 +14,8 @@ stdenv.mkDerivation rec { buildInputs = [db openssl cyrus_sasl bison perl]; - hardening_format = false; - hardening_pie = true; + hardeningDisable = [ "format" ]; + hardeningEnable = [ "pie" ]; patches = [ ./postfix-2.2.9-db.patch 
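Review bot: The postfix/default.nix hunk disables `format` hardening while the postfix/3.0.nix hunk just above it only enables pie and leaves format-security on, so the two Postfix derivations end up with different mitigations and nothing in the hunk records why. If the 2.x sources trip `-Werror=format-security` somewhere, say so next to the override, e.g. `# 2.x: non-literal format string in <file> fails under -Werror=format-security`; if they do not, drop the disable so both builds carry the same flags. Which of the two applies is not visible from this hunk, and the rest of the derivation lies outside it.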
diff --git a/pkgs/servers/memcached/default.nix b/pkgs/servers/memcached/default.nix index cac568f8fc90..5e4edd0b0322 100644 --- a/pkgs/servers/memcached/default.nix +++ b/pkgs/servers/memcached/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [cyrus_sasl libevent]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = with stdenv.lib; { description = "A distributed memory object caching system"; diff --git a/pkgs/servers/nosql/mongodb/default.nix b/pkgs/servers/nosql/mongodb/default.nix index 141e8e0929d1..913b312a54a3 100644 --- a/pkgs/servers/nosql/mongodb/default.nix +++ b/pkgs/servers/nosql/mongodb/default.nix @@ -80,7 +80,7 @@ in stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = { description = "a scalable, high-performance, open source NoSQL database"; diff --git a/pkgs/servers/nosql/riak/1.3.1.nix b/pkgs/servers/nosql/riak/1.3.1.nix index ffa2056d5a9c..565ed226ab4f 100644 --- a/pkgs/servers/nosql/riak/1.3.1.nix +++ b/pkgs/servers/nosql/riak/1.3.1.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation rec { patches = [ ./riak-1.3.1.patch ./riak-admin-1.3.1.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; postUnpack = '' mkdir -p $sourceRoot/deps/eleveldb/c_src/leveldb diff --git a/pkgs/servers/nosql/riak/2.1.1.nix b/pkgs/servers/nosql/riak/2.1.1.nix index 05cf4270f9f8..b66e99f0afbe 100644 --- a/pkgs/servers/nosql/riak/2.1.1.nix +++ b/pkgs/servers/nosql/riak/2.1.1.nix @@ -34,7 +34,7 @@ stdenv.mkDerivation rec { src = srcs.riak; - hardening_format = false; + hardeningDisable = [ "format" ]; postPatch = '' sed -i deps/node_package/priv/base/env.sh \ diff --git a/pkgs/servers/openafs-client/default.nix b/pkgs/servers/openafs-client/default.nix index 1ff9b79e3835..aab4ee9059f9 100644 --- a/pkgs/servers/openafs-client/default.nix +++ b/pkgs/servers/openafs-client/default.nix 
@@ -23,7 +23,7 @@ stdenv.mkDerivation { buildInputs = [ autoconf automake flex yacc ncurses perl which ]; - hardening_pic = false; + hardeningDisable = [ "pic" ]; preConfigure = '' ln -s "${kernel.dev}/lib/modules/"*/build $TMP/linux diff --git a/pkgs/servers/sip/freeswitch/default.nix b/pkgs/servers/sip/freeswitch/default.nix index cb77ebd9c895..e4e1d393a52a 100644 --- a/pkgs/servers/sip/freeswitch/default.nix +++ b/pkgs/servers/sip/freeswitch/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = "-Wno-error=cpp"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Cross-Platform Scalable FREE Multi-Protocol Soft Switch"; diff --git a/pkgs/shells/dash/default.nix b/pkgs/shells/dash/default.nix index ba6a076f1f0e..0d685a3f4d32 100644 --- a/pkgs/shells/dash/default.nix +++ b/pkgs/shells/dash/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "03y6z8akj72swa6f42h2dhq3p09xasbi6xia70h2vc27fwikmny6"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://gondor.apana.org.au/~herbert/dash/; diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix index 4f092ee1d97c..836dedf1cb18 100644 --- a/pkgs/stdenv/adapters.nix +++ b/pkgs/stdenv/adapters.nix 
@@ -236,26 +236,6 @@ rec { }); }; - useHardenFlags = stdenv: stdenv // - { mkDerivation = args: stdenv.mkDerivation (args // { - NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "") - + stdenv.lib.optionalString (args.hardening_all or true) ( - stdenv.lib.optionalString (args.hardening_fortify or true) " -O2 -D_FORTIFY_SOURCE=2" - + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-strong" - + stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie" - + stdenv.lib.optionalString (args.hardening_pic or true) " -fPIC" - + stdenv.lib.optionalString (args.hardening_strictoverflow or true) " -fno-strict-overflow" - + stdenv.lib.optionalString (args.hardening_format or true) " -Wformat -Wformat-security -Werror=format-security" - ); - NIX_LDFLAGS = toString (args.NIX_LDFLAGS or "") - + stdenv.lib.optionalString (args.hardening_all or true) ( - stdenv.lib.optionalString (args.hardening_relro or true) " -z relro" - + stdenv.lib.optionalString (args.hardening_bindnow or true) " -z now" - ); - - }); - }; - dropCxx = drv: drv.override { stdenv = if pkgs.stdenv.isDarwin then pkgs.allStdenvs.stdenvDarwinNaked diff --git a/pkgs/tools/X11/xbindkeys-config/default.nix b/pkgs/tools/X11/xbindkeys-config/default.nix index b4fc755bd84a..cef071bb3b61 100644 --- a/pkgs/tools/X11/xbindkeys-config/default.nix +++ b/pkgs/tools/X11/xbindkeys-config/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "1rs3li2hyig6cdzvgqlbz0vw6x7rmgr59qd6m0cvrai8xhqqykda"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = https://packages.debian.org/source/xbindkeys-config; diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix index 24fec4e33bbd..e7164bf07b6c 100644 --- a/pkgs/tools/admin/tightvnc/default.nix +++ b/pkgs/tools/admin/tightvnc/default.nix 
@@ -13,7 +13,7 @@ stdenv.mkDerivation { inherit xauth fontDirectories perl; gcc = stdenv.cc.cc; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw libXpm libXp xauth openssh ]; diff --git a/pkgs/tools/archivers/sharutils/default.nix b/pkgs/tools/archivers/sharutils/default.nix index d1f13b77f0c1..41043cda5b65 100644 --- a/pkgs/tools/archivers/sharutils/default.nix +++ b/pkgs/tools/archivers/sharutils/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' # Fix for building on Glibc 2.16. Won't be needed once the diff --git a/pkgs/tools/archivers/unzip/default.nix b/pkgs/tools/archivers/unzip/default.nix index 20f7038067db..da0983fc0970 100644 --- a/pkgs/tools/archivers/unzip/default.nix +++ b/pkgs/tools/archivers/unzip/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./CVE-2014-8139.diff diff --git a/pkgs/tools/archivers/xarchive/default.nix b/pkgs/tools/archivers/xarchive/default.nix index 6407fe4f350b..115fc8e3aff1 100644 --- a/pkgs/tools/archivers/xarchive/default.nix +++ b/pkgs/tools/archivers/xarchive/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [ gtk2 pkgconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "A GTK+ front-end for command line archiving tools"; diff --git a/pkgs/tools/archivers/zip/default.nix b/pkgs/tools/archivers/zip/default.nix index 8be743c8dd0a..145b81c95bc8 100644 --- a/pkgs/tools/archivers/zip/default.nix +++ b/pkgs/tools/archivers/zip/default.nix 
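Review bot: The unzip hunk turns off `format` hardening without recording a reason, two lines above the list of CVE patches for the same package. In the adapter removed at pkgs/stdenv/adapters.nix that flag stood for `-Wformat -Wformat-security -Werror=format-security`, and the replacement presumably keeps that meaning, so this is an exception a later audit will ask about. Add a one-line justification such as `# build fails under -Werror=format-security in <file:line>`, or better, fix the offending call site with a small patch alongside the CVE ones. Whether the warning is a real non-literal format string or a false positive cannot be told from this hunk.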
@@ -13,7 +13,7 @@ stdenv.mkDerivation { sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; makefile = "unix/Makefile"; buildFlags = if stdenv.isCygwin then "cygwin" else "generic"; diff --git a/pkgs/tools/bootloaders/refind/default.nix b/pkgs/tools/bootloaders/refind/default.nix index f27dd3c5be67..f38b24c0fc07 100644 --- a/pkgs/tools/bootloaders/refind/default.nix +++ b/pkgs/tools/bootloaders/refind/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ unzip gnu-efi efibootmgr dosfstools imagemagick ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; HOSTARCH = if stdenv.system == "x86_64-linux" then "x64" diff --git a/pkgs/tools/cd-dvd/cdrdao/default.nix b/pkgs/tools/cd-dvd/cdrdao/default.nix index 2de5736a4c22..7e7558f69e69 100644 --- a/pkgs/tools/cd-dvd/cdrdao/default.nix +++ b/pkgs/tools/cd-dvd/cdrdao/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation { buildInputs = [ lame libvorbis libmad pkgconfig libao ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # Adjust some headers to match glibc 2.12 ... patch is a diff between # the cdrdao CVS head and the 1.2.3 release. diff --git a/pkgs/tools/cd-dvd/cdrkit/default.nix b/pkgs/tools/cd-dvd/cdrkit/default.nix index 34bb109a1715..0b10f30497d2 100644 --- a/pkgs/tools/cd-dvd/cdrkit/default.nix +++ b/pkgs/tools/cd-dvd/cdrkit/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [cmake libcap zlib bzip2]; - hardening_format = false; + hardeningDisable = [ "format" ]; # efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244 patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ]; diff --git a/pkgs/tools/cd-dvd/dvdisaster/default.nix b/pkgs/tools/cd-dvd/dvdisaster/default.nix index 38e86c8ff1f2..7db35e2b80e2 100644 --- a/pkgs/tools/cd-dvd/dvdisaster/default.nix +++ b/pkgs/tools/cd-dvd/dvdisaster/default.nix 
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "0f8gjnia2fxcbmhl8b3qkr5b7idl8m855dw7xw2fnmbqwvcm6k4w"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; nativeBuildInputs = [ gettext pkgconfig which ]; buildInputs = [ glib gtk2 ]; diff --git a/pkgs/tools/compression/xz/default.nix b/pkgs/tools/compression/xz/default.nix index 6ddebe6b99d0..986f940b9069 100644 --- a/pkgs/tools/compression/xz/default.nix +++ b/pkgs/tools/compression/xz/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { postInstall = "rm -rf $out/share/doc"; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = with stdenv.lib; { homepage = http://tukaani.org/xz/; diff --git a/pkgs/tools/filesystems/fusesmb/default.nix b/pkgs/tools/filesystems/fusesmb/default.nix index c53400e6afdd..5a3451810a12 100644 --- a/pkgs/tools/filesystems/fusesmb/default.nix +++ b/pkgs/tools/filesystems/fusesmb/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { ln -fs ${samba}/lib/libsmbclient.so $out/lib/libsmbclient.so.0 ''; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Samba mounted via FUSE"; diff --git a/pkgs/tools/filesystems/udftools/default.nix b/pkgs/tools/filesystems/udftools/default.nix index d3964b1e4275..5613bac9b1a5 100644 --- a/pkgs/tools/filesystems/udftools/default.nix +++ b/pkgs/tools/filesystems/udftools/default.nix @@ -11,7 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses readline ]; patches = [ ./gcc5.patch ]; - hardening_fortify = false; + + hardeningDisable = [ "fortify" ]; preConfigure = '' sed -e '1i#include ' -i cdrwtool/cdrwtool.c -i pktsetup/pktsetup.c diff --git a/pkgs/tools/graphics/barcode/default.nix b/pkgs/tools/graphics/barcode/default.nix index 7e6c99313418..d6a31bd5c7f7 100644 --- a/pkgs/tools/graphics/barcode/default.nix +++ b/pkgs/tools/graphics/barcode/default.nix 
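Review bot: The xz hunk keeps the stack-protector disable unconditional even though the surviving comment `# FIXME needs gcc 4.9 in bootstrap tools` ties it to the bootstrap compiler only, so the final xz (and liblzma linked by the rest of the closure) also ships without stack protection. If the bootstrap stdenv exposes its compiler version, gate the override on it so it lifts itself once the bootstrap tools are updated, e.g. `hardeningDisable = stdenv.lib.optional (stdenv.lib.versionOlder stdenv.cc.cc.version "4.9") "stackprotector";` — the exact attribute path needs confirming against the cc-wrapper. If that evaluation is not safe during bootstrap, at least reference the tracking issue in the comment so the FIXME is actionable. The same pattern recurs in the coreutils hunk later in this series.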
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1indapql5fjz0bysyc88cmc54y8phqrbi7c76p71fgjp45jcyzp8"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "GNU barcode generator"; diff --git a/pkgs/tools/graphics/editres/default.nix b/pkgs/tools/graphics/editres/default.nix index c3d9a859f3ff..cdf38d1218ad 100644 --- a/pkgs/tools/graphics/editres/default.nix +++ b/pkgs/tools/graphics/editres/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { configureFlags = "--with-appdefaultdir=$(out)/share/X11/app-defaults/editres"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = "http://cgit.freedesktop.org/xorg/app/editres/"; diff --git a/pkgs/tools/graphics/ggobi/default.nix b/pkgs/tools/graphics/ggobi/default.nix index 03326aa4562f..e7fb3e773c1d 100644 --- a/pkgs/tools/graphics/ggobi/default.nix +++ b/pkgs/tools/graphics/ggobi/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { configureFlags = "--with-all-plugins"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Visualization program for exploring high-dimensional data"; diff --git a/pkgs/tools/graphics/graphviz/2.0.nix b/pkgs/tools/graphics/graphviz/2.0.nix index e08b1309d414..6f236509a310 100644 --- a/pkgs/tools/graphics/graphviz/2.0.nix +++ b/pkgs/tools/graphics/graphviz/2.0.nix @@ -14,8 +14,7 @@ stdenv.mkDerivation rec { buildInputs = [pkgconfig xlibsWrapper libpng libjpeg expat libXaw yacc libtool fontconfig pango gd]; - hardening_format = false; - hardening_fortify = false; + hardeningDisable = [ "format" "fortify" ]; configureFlags = [ "--with-pngincludedir=${libpng}/include" diff --git a/pkgs/tools/graphics/graphviz/2.32.nix b/pkgs/tools/graphics/graphviz/2.32.nix index 7f11f076dcc8..ede6624ac59d 100644 --- a/pkgs/tools/graphics/graphviz/2.32.nix +++ b/pkgs/tools/graphics/graphviz/2.32.nix 
@@ -31,7 +31,7 @@ stdenv.mkDerivation rec { ] ++ stdenv.lib.optional (xorg == null) "--without-x"; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; preBuild = '' sed -e 's@am__append_5 *=.*@am_append_5 =@' -i lib/gvc/Makefile diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix index 9a9621dd784e..82f958321bdd 100644 --- a/pkgs/tools/graphics/graphviz/default.nix +++ b/pkgs/tools/graphics/graphviz/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; patches = [ ./0001-vimdot-lookup-vim-in-PATH.patch diff --git a/pkgs/tools/graphics/nifskope/default.nix b/pkgs/tools/graphics/nifskope/default.nix index e28a2e164885..392527a21198 100644 --- a/pkgs/tools/graphics/nifskope/default.nix +++ b/pkgs/tools/graphics/nifskope/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; # Inspired by linux-install/nifskope.spec.in. installPhase = diff --git a/pkgs/tools/graphics/plotutils/default.nix b/pkgs/tools/graphics/plotutils/default.nix index dc145a0d8623..abcbabea596c 100644 --- a/pkgs/tools/graphics/plotutils/default.nix +++ b/pkgs/tools/graphics/plotutils/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { configureFlags = "--enable-libplotter"; # required for pstoedit - hardening_format = false; + hardeningDisable = [ "format" ]; doCheck = true; diff --git a/pkgs/tools/graphics/pngcheck/default.nix b/pkgs/tools/graphics/pngcheck/default.nix index f67e7202521b..496b1d355729 100644 --- a/pkgs/tools/graphics/pngcheck/default.nix +++ b/pkgs/tools/graphics/pngcheck/default.nix 
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0pzkj1bb4kdybk6vbfq9s0wzdm5szmrgixkas3xmbpv4mhws1w3p"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; makefile = "Makefile.unx"; makeFlags = "ZPATH=${zlib}/lib"; diff --git a/pkgs/tools/graphics/qrcode/default.nix b/pkgs/tools/graphics/qrcode/default.nix index a1aefbff33c6..f2a85c73c2af 100644 --- a/pkgs/tools/graphics/qrcode/default.nix +++ b/pkgs/tools/graphics/qrcode/default.nix @@ -21,7 +21,7 @@ stdenv.mkDerivation { inherit (s) rev url sha256; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; installPhase = '' mkdir -p "$out"/{bin,share/doc/qrcode} diff --git a/pkgs/tools/graphics/transfig/default.nix b/pkgs/tools/graphics/transfig/default.nix index c584ed282d6b..898031cbaf3f 100644 --- a/pkgs/tools/graphics/transfig/default.nix +++ b/pkgs/tools/graphics/transfig/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { buildInputs = [zlib libjpeg libpng imake]; inherit libpng; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch]; diff --git a/pkgs/tools/graphics/zbar/default.nix b/pkgs/tools/graphics/zbar/default.nix index f0e53696fc5c..b96c469e3468 100644 --- a/pkgs/tools/graphics/zbar/default.nix +++ b/pkgs/tools/graphics/zbar/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation rec { configureFlags = [ "--disable-video" ]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; meta = with stdenv.lib; { description = "Bar code reader"; diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index 6e7c6daca56d..a06d3d0729a1 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -20,7 +20,7 @@ let }; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; patches = optional stdenv.isCygwin ./coreutils-8.23-4.cygwin.patch; 
diff --git a/pkgs/tools/misc/ddccontrol/default.nix b/pkgs/tools/misc/ddccontrol/default.nix index d537c0f506fc..132707106af0 100644 --- a/pkgs/tools/misc/ddccontrol/default.nix +++ b/pkgs/tools/misc/ddccontrol/default.nix @@ -37,7 +37,7 @@ stdenv.mkDerivation { ddccontrol-db ]; - hardening_format = false; + hardeningDisable = [ "format" ]; prePatch = '' newPath=$(echo "${ddccontrol-db}/share/ddccontrol-db" | sed "s/\\//\\\\\\//g") diff --git a/pkgs/tools/misc/detox/default.nix b/pkgs/tools/misc/detox/default.nix index 4475010f3b85..7d17dee8b53c 100644 --- a/pkgs/tools/misc/detox/default.nix +++ b/pkgs/tools/misc/detox/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation { buildInputs = [flex]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = http://detox.sourceforge.net/; diff --git a/pkgs/tools/misc/expect/default.nix b/pkgs/tools/misc/expect/default.nix index f99b83a2a0a5..80fb3c6a694c 100644 --- a/pkgs/tools/misc/expect/default.nix +++ b/pkgs/tools/misc/expect/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; nativeBuildInputs = [ makeWrapper ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' sed -i "s,/bin/stty,$(type -p stty),g" configure diff --git a/pkgs/tools/misc/gbdfed/default.nix b/pkgs/tools/misc/gbdfed/default.nix index d3b62149bdf3..1ba4bceb7876 100644 --- a/pkgs/tools/misc/gbdfed/default.nix +++ b/pkgs/tools/misc/gbdfed/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { patches = [ ./Makefile.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Bitmap Font Editor"; diff --git a/pkgs/tools/misc/grub/2.0x.nix b/pkgs/tools/misc/grub/2.0x.nix index f3c09ef686a9..d56f9b3ce0f0 100644 --- a/pkgs/tools/misc/grub/2.0x.nix +++ b/pkgs/tools/misc/grub/2.0x.nix 
@@ -52,7 +52,7 @@ stdenv.mkDerivation rec { ++ optional doCheck qemu ++ optional zfsSupport zfs; - hardening_all = false; + hardeningDisable = [ "all" ]; preConfigure = '' for i in "tests/util/"*.in diff --git a/pkgs/tools/misc/grub/default.nix b/pkgs/tools/misc/grub/default.nix index c0579b918164..a690ef2084b2 100644 --- a/pkgs/tools/misc/grub/default.nix +++ b/pkgs/tools/misc/grub/default.nix @@ -36,7 +36,7 @@ stdenv.mkDerivation { # autoreconfHook required for the splashimage patch. buildInputs = [ autoreconfHook texinfo ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; prePatch = '' unpackFile $gentooPatches diff --git a/pkgs/tools/misc/grub/trusted.nix b/pkgs/tools/misc/grub/trusted.nix index 39c1ce9c0c11..fc8784decc5f 100644 --- a/pkgs/tools/misc/grub/trusted.nix +++ b/pkgs/tools/misc/grub/trusted.nix @@ -47,8 +47,7 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses libusb freetype gettext devicemapper ] ++ optional doCheck qemu; - hardening_stackprotector = false; - hardening_pic = false; + hardeningDisable = [ "stackprotector" "pic" ]; preConfigure = '' for i in "tests/util/"*.in diff --git a/pkgs/tools/misc/gummiboot/default.nix b/pkgs/tools/misc/gummiboot/default.nix index b73d83201e0e..7946a3b062fc 100644 --- a/pkgs/tools/misc/gummiboot/default.nix +++ b/pkgs/tools/misc/gummiboot/default.nix @@ -5,7 +5,7 @@ stdenv.mkDerivation rec { buildInputs = [ gnu-efi pkgconfig libxslt utillinux ]; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; # Sigh, gummiboot should be able to find this in buildInputs configureFlags = [ diff --git a/pkgs/tools/misc/ipxe/default.nix b/pkgs/tools/misc/ipxe/default.nix index 0830eb51b3ca..78f49588e8c3 100644 --- a/pkgs/tools/misc/ipxe/default.nix +++ b/pkgs/tools/misc/ipxe/default.nix 
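Review bot: `hardeningDisable = [ "all" ]` in the grub/2.0x.nix hunk switches off every hardening flag — format-security, fortify, relro and bindnow included — for the whole derivation, which presumably also covers the host-side utilities (the preConfigure below touches tests/util), not just the freestanding boot images. The grub/trusted.nix hunk on this same line manages with `hardeningDisable = [ "stackprotector" "pic" ];`, which is what bare-metal boot code actually cannot take. Unless the 2.0x build is known to fail with that narrower list, use it and add a comment above it such as `# boot images are freestanding: no stack protector or PIC`; if "all" really is needed, record which target breaks so the blanket disable can be revisited.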
@@ -19,8 +19,7 @@ stdenv.mkDerivation { preConfigure = "cd src"; # not possible due to assembler code - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "pic" "stackprotector" ]; makeFlags = [ "ECHO_E_BIN_ECHO=echo" "ECHO_E_BIN_ECHO_E=echo" # No /bin/echo here. diff --git a/pkgs/tools/misc/memtest86+/default.nix b/pkgs/tools/misc/memtest86+/default.nix index 097c26071fcf..62d490ea4f9e 100644 --- a/pkgs/tools/misc/memtest86+/default.nix +++ b/pkgs/tools/misc/memtest86+/default.nix @@ -22,8 +22,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = "-I. -std=gnu90"; - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" "pic" ]; buildFlags = "memtest.bin"; diff --git a/pkgs/tools/misc/pal/default.nix b/pkgs/tools/misc/pal/default.nix index a65bd1fe8ec1..f92069e7b9f5 100644 --- a/pkgs/tools/misc/pal/default.nix +++ b/pkgs/tools/misc/pal/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { buildInputs = [ glib gettext readline pkgconfig ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://palcal.sourceforge.net/; diff --git a/pkgs/tools/misc/sutils/default.nix b/pkgs/tools/misc/sutils/default.nix index 48c47cc3d8db..8d4f00ee8478 100644 --- a/pkgs/tools/misc/sutils/default.nix +++ b/pkgs/tools/misc/sutils/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0xqk42vl82chy458d64fj68a4md4bxaip8n3xw9skxz0a1sgvks8"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; prePatch = ''sed -i "s@/usr/local@$out@" Makefile''; diff --git a/pkgs/tools/misc/uucp/default.nix b/pkgs/tools/misc/uucp/default.nix index cba343863bef..4ef050b409e5 100644 --- a/pkgs/tools/misc/uucp/default.nix +++ b/pkgs/tools/misc/uucp/default.nix 
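Review bot: The memtest86+ hunk lists the disabled flags as `[ "stackprotector" "pic" ]` while the ipxe hunk on the same line, which disables the same two flags, writes `[ "pic" "stackprotector" ]` and carries the comment `# not possible due to assembler code`. Keeping one order across the series makes grepping for a given flag predictable, and memtest86+ — presumably bare-metal code for the same reason — deserves the same justification. Suggest `hardeningDisable = [ "pic" "stackprotector" ];` with an ipxe-style comment above it.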
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0b5nhl9vvif1w3wdipjsk8ckw49jj1w85xw1mmqi3zbcpazia306"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Unix-unix cp over serial line, also includes cu program"; diff --git a/pkgs/tools/misc/vorbisgain/default.nix b/pkgs/tools/misc/vorbisgain/default.nix index 292023a1b582..567783f63138 100644 --- a/pkgs/tools/misc/vorbisgain/default.nix +++ b/pkgs/tools/misc/vorbisgain/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1v1h6mhnckmvvn7345hzi9abn5z282g4lyyl4nnbqwnrr98v0vfx"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ unzip libogg libvorbis ]; diff --git a/pkgs/tools/misc/wv/default.nix b/pkgs/tools/misc/wv/default.nix index 3d828a55121e..debc2c239ad6 100644 --- a/pkgs/tools/misc/wv/default.nix +++ b/pkgs/tools/misc/wv/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation { buildInputs = [ zlib imagemagick libpng glib pkgconfig libgsf libxml2 bzip2 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Converter from Microsoft Word formats to human-editable ones"; diff --git a/pkgs/tools/misc/xfstests/default.nix b/pkgs/tools/misc/xfstests/default.nix index cef5fee9cf93..31b6e74917e8 100644 --- a/pkgs/tools/misc/xfstests/default.nix +++ b/pkgs/tools/misc/xfstests/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation { buildInputs = [ acl autoreconfHook attr gawk libaio libuuid libxfs openssl perl ]; - hardening_format = false; + hardeningDisable = [ "format" ]; patchPhase = '' # Patch the destination directory diff --git a/pkgs/tools/networking/chrony/default.nix b/pkgs/tools/networking/chrony/default.nix index 0729f35db59b..d262f7fc9e0c 100644 --- a/pkgs/tools/networking/chrony/default.nix +++ b/pkgs/tools/networking/chrony/default.nix 
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ readline texinfo nss nspr ] ++ stdenv.lib.optional stdenv.isLinux libcap; nativeBuildInputs = [ pkgconfig ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; configureFlags = [ "--chronyvardir=$(out)/var/lib/chrony" diff --git a/pkgs/tools/networking/dhcpdump/default.nix b/pkgs/tools/networking/dhcpdump/default.nix index 915562bd7791..91232b4ffa74 100644 --- a/pkgs/tools/networking/dhcpdump/default.nix +++ b/pkgs/tools/networking/dhcpdump/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [libpcap perl]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; installPhase = '' mkdir -pv $out/bin diff --git a/pkgs/tools/networking/dnsmasq/default.nix b/pkgs/tools/networking/dnsmasq/default.nix index 6032e53f0baa..b05f4e8e80ee 100644 --- a/pkgs/tools/networking/dnsmasq/default.nix +++ b/pkgs/tools/networking/dnsmasq/default.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { "LOCALEDIR=$(out)/share/locale" ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; postBuild = optionalString stdenv.isLinux '' make -C contrib/wrt diff --git a/pkgs/tools/networking/eggdrop/default.nix b/pkgs/tools/networking/eggdrop/default.nix index 90bc8b54f28f..a9f2419b1368 100644 --- a/pkgs/tools/networking/eggdrop/default.nix +++ b/pkgs/tools/networking/eggdrop/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' prefix=$out/eggdrop diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix index 414ff692d10d..13f8cedc673d 100644 --- a/pkgs/tools/networking/iperf/2.nix +++ b/pkgs/tools/networking/iperf/2.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = "http://sourceforge.net/projects/iperf/"; 
diff --git a/pkgs/tools/networking/mailutils/default.nix b/pkgs/tools/networking/mailutils/default.nix index 53e17e6cecdc..140d58e3163e 100644 --- a/pkgs/tools/networking/mailutils/default.nix +++ b/pkgs/tools/networking/mailutils/default.nix @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { sha256 = "0szbqa12zqzldqyw97lxqax3ja2adis83i7brdfsxmrfw68iaf65"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; patches = [ ./path-to-cat.patch ./no-gets.patch ]; diff --git a/pkgs/tools/networking/netboot/default.nix b/pkgs/tools/networking/netboot/default.nix index 349dba12538c..7a1eac59eeae 100644 --- a/pkgs/tools/networking/netboot/default.nix +++ b/pkgs/tools/networking/netboot/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { buildInputs = [ yacc lzo db4 ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Mini PXE server"; diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix index 47fa2708821a..b2242fe54546 100644 --- a/pkgs/tools/networking/ntp/default.nix +++ b/pkgs/tools/networking/ntp/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ autoreconfHook ]; buildInputs = [ libcap openssl ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; postInstall = '' rm -rf $out/share/doc diff --git a/pkgs/tools/networking/openfortivpn/default.nix b/pkgs/tools/networking/openfortivpn/default.nix index 25af3e11cafb..c1f78c911a1a 100644 --- a/pkgs/tools/networking/openfortivpn/default.nix +++ b/pkgs/tools/networking/openfortivpn/default.nix @@ -17,7 +17,7 @@ in stdenv.mkDerivation { buildInputs = [ openssl ppp autoreconfHook ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' substituteInPlace src/tunnel.c --replace "/usr/sbin/pppd" "${ppp}/bin/pppd" diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 7ade847b97be..6e497a0093e1 100644 
--- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -63,7 +63,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_pie = true; + hardeningEnable = [ "pie" ]; postInstall = '' # Install ssh-copy-id, it's very useful. diff --git a/pkgs/tools/networking/radvd/default.nix b/pkgs/tools/networking/radvd/default.nix index 8b0b3d9a736c..fc4ca793199d 100644 --- a/pkgs/tools/networking/radvd/default.nix +++ b/pkgs/tools/networking/radvd/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libdaemon bison flex check ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = with stdenv.lib; { homepage = http://www.litech.org/radvd/; diff --git a/pkgs/tools/networking/socat/default.nix b/pkgs/tools/networking/socat/default.nix index e59e6d460803..36c6a2deead0 100644 --- a/pkgs/tools/networking/socat/default.nix +++ b/pkgs/tools/networking/socat/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./enable-ecdhe.patch ./libressl-fixes.patch ]; - hardening_pie = true; + hardeningEnable = [ "pie" ]; meta = { description = "A utility for bidirectional data transfer between two independent data channels"; diff --git a/pkgs/tools/networking/telnet/default.nix b/pkgs/tools/networking/telnet/default.nix index 3fe6144b72ca..3a5117653c83 100644 --- a/pkgs/tools/networking/telnet/default.nix +++ b/pkgs/tools/networking/telnet/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { sha256 = "0cs7ks22dhcn5qfjv2vl6ikhw93x68gg33zdn5f5cxgg81kx5afn"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ncurses]; diff --git a/pkgs/tools/networking/trickle/default.nix b/pkgs/tools/networking/trickle/default.nix index 22f991d8fe2a..1c8829a07b27 100644 --- a/pkgs/tools/networking/trickle/default.nix +++ b/pkgs/tools/networking/trickle/default.nix 
@@ -22,7 +22,7 @@ stdenv.mkDerivation rec { configureFlags = "--with-libevent"; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { description = "Lightweight userspace bandwidth shaper"; diff --git a/pkgs/tools/networking/uwimap/default.nix b/pkgs/tools/networking/uwimap/default.nix index 1c7c946000eb..e7c771618480 100644 --- a/pkgs/tools/networking/uwimap/default.nix +++ b/pkgs/tools/networking/uwimap/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation { # -fPIC is required to compile php with imap on x86_64 systems + stdenv.lib.optionalString stdenv.isx86_64 " EXTRACFLAGS=-fPIC"; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ openssl ] ++ stdenv.lib.optional (!stdenv.isDarwin) pam; diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix index ba9552d4faea..81d43fa501cf 100644 --- a/pkgs/tools/networking/vde2/default.nix +++ b/pkgs/tools/networking/vde2/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { buildInputs = [ openssl libpcap python ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = { homepage = http://vde.sourceforge.net/; diff --git a/pkgs/tools/package-management/checkinstall/default.nix b/pkgs/tools/package-management/checkinstall/default.nix index f1d7985e9a50..c47f1664cd6e 100644 --- a/pkgs/tools/package-management/checkinstall/default.nix +++ b/pkgs/tools/package-management/checkinstall/default.nix @@ -44,7 +44,7 @@ stdenv.mkDerivation { buildInputs = [gettext]; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; preBuild = '' makeFlagsArray=(PREFIX=$out) diff --git a/pkgs/tools/package-management/clib/default.nix b/pkgs/tools/package-management/clib/default.nix index d52243dcea5c..cb365b9b4f76 100644 --- a/pkgs/tools/package-management/clib/default.nix +++ b/pkgs/tools/package-management/clib/default.nix 
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "0hbi5hf4w0iim96h89j7krxv61x92ffxjbldxp3zk92m5sgpldnm"; }; - hardening_fortify = false; + hardeningDisable = [ "fortify" ]; makeFlags = "PREFIX=$(out)"; diff --git a/pkgs/tools/security/fprint_demo/default.nix b/pkgs/tools/security/fprint_demo/default.nix index 273d692ebaa6..8efd04690dbe 100644 --- a/pkgs/tools/security/fprint_demo/default.nix +++ b/pkgs/tools/security/fprint_demo/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { buildInputs = [ libfprint gtk2 ]; nativeBuildInputs = [ pkgconfig autoreconfHook ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = "http://www.freedesktop.org/wiki/Software/fprint/fprint_demo/"; diff --git a/pkgs/tools/security/tboot/default.nix b/pkgs/tools/security/tboot/default.nix index 1a2bc6a31082..506b1d398d54 100644 --- a/pkgs/tools/security/tboot/default.nix +++ b/pkgs/tools/security/tboot/default.nix @@ -12,8 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./tboot-add-well-known-secret-option-to-lcp_writepol.patch ]; - hardening_pic = false; - hardening_stackprotector = false; + hardeningDisable = [ "pic" "stackprotector" ]; configurePhase = '' for a in lcptools utils tb_polgen; do diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix index 805336cfe44b..26f088fd54a2 100644 --- a/pkgs/tools/system/cron/default.nix +++ b/pkgs/tools/system/cron/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation { unpackCmd = "(mkdir cron && cd cron && sh $curSrc)"; - hardening_pie = true; + hardeningEnable = [ "pie" ]; preBuild = '' substituteInPlace Makefile --replace ' -o root' ' ' --replace 111 755 diff --git a/pkgs/tools/system/foremost/default.nix b/pkgs/tools/system/foremost/default.nix index 0696af07166b..0114c1d41ff6 100644 --- a/pkgs/tools/system/foremost/default.nix +++ b/pkgs/tools/system/foremost/default.nix 
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - hardening_format = false; + hardeningDisable = [ "format" ]; preInstall = '' mkdir -p $out/{bin,share/man/man8} diff --git a/pkgs/tools/system/gdmap/default.nix b/pkgs/tools/system/gdmap/default.nix index 1456b6fca7c4..7800bfa08313 100644 --- a/pkgs/tools/system/gdmap/default.nix +++ b/pkgs/tools/system/gdmap/default.nix @@ -12,7 +12,7 @@ stdenv.mkDerivation rec { patches = [ ./get_sensitive.patch ./set_flags.patch ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { homepage = http://gdmap.sourceforge.net; diff --git a/pkgs/tools/system/rsyslog/default.nix b/pkgs/tools/system/rsyslog/default.nix index ef54bde3db56..e19dbb028474 100644 --- a/pkgs/tools/system/rsyslog/default.nix +++ b/pkgs/tools/system/rsyslog/default.nix @@ -28,7 +28,7 @@ stdenv.mkDerivation rec { rabbitmq-c hiredis ] ++ stdenv.lib.optional stdenv.isLinux systemd; - hardening_format = false; + hardeningDisable = [ "format" ]; configureFlags = [ "--sysconfdir=/etc" diff --git a/pkgs/tools/system/which/default.nix b/pkgs/tools/system/which/default.nix index 956fd590b14c..fc0889012c2e 100644 --- a/pkgs/tools/system/which/default.nix +++ b/pkgs/tools/system/which/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { }; # FIXME needs gcc 4.9 in bootstrap tools - hardening_stackprotector = false; + hardeningDisable = [ "stackprotector" ]; meta = with stdenv.lib; { homepage = http://ftp.gnu.org/gnu/which/; diff --git a/pkgs/tools/text/a2ps/default.nix b/pkgs/tools/text/a2ps/default.nix index bcbf2b66a860..4a32e972a5b3 100644 --- a/pkgs/tools/text/a2ps/default.nix +++ b/pkgs/tools/text/a2ps/default.nix @@ -14,7 +14,7 @@ stdenv.mkDerivation rec { buildInputs = [ libpaper gperf file ]; - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "An Anyithing to PostScript converter and pretty-printer"; 
diff --git a/pkgs/tools/text/patchutils/default.nix b/pkgs/tools/text/patchutils/default.nix index 98f9c0483c2d..75922a6c830c 100644 --- a/pkgs/tools/text/patchutils/default.nix +++ b/pkgs/tools/text/patchutils/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { patches = [ ./drop-comments.patch ]; # we would get into a cycle when using fetchpatch on this one - hardening_format = false; + hardeningDisable = [ "format" ]; meta = with stdenv.lib; { description = "Tools to manipulate patch files"; diff --git a/pkgs/tools/text/untex/default.nix b/pkgs/tools/text/untex/default.nix index 33f72b029a1e..ec99e8b4a27a 100644 --- a/pkgs/tools/text/untex/default.nix +++ b/pkgs/tools/text/untex/default.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "07p836jydd5yjy905m5ylnnac1h4cc4jsr41panqb808mlsiwmmy"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; unpackPhase = "tar xf $src"; installTargets = "install install.man"; diff --git a/pkgs/tools/typesetting/tex/tetex/default.nix b/pkgs/tools/typesetting/tex/tetex/default.nix index cffe0b39d229..c3d226a2acb0 100644 --- a/pkgs/tools/typesetting/tex/tetex/default.nix +++ b/pkgs/tools/typesetting/tex/tetex/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation { buildInputs = [ flex bison zlib libpng ncurses ed ]; - hardening_format = false; + hardeningDisable = [ "format" ]; # fixes "error: conflicting types for 'calloc'", etc. preBuild = stdenv.lib.optionalString stdenv.isDarwin '' diff --git a/pkgs/tools/typesetting/tex/texlive-new/bin.nix b/pkgs/tools/typesetting/tex/texlive-new/bin.nix index 3585c4d04af8..2cc673939038 100644 --- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix +++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix @@ -64,7 +64,7 @@ core = stdenv.mkDerivation rec { perl ]; - hardening_format = false; + hardeningDisable = [ "format" ]; preConfigure = '' rm -r libs/{cairo,freetype2,gd,gmp,graphite2,harfbuzz,icu,libpaper,libpng} \ 
@@ -123,7 +123,7 @@ core-big = stdenv.mkDerivation { inherit (common) src; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = core.buildInputs ++ [ core cairo harfbuzz icu graphite2 ]; diff --git a/pkgs/tools/video/mjpegtools/default.nix b/pkgs/tools/video/mjpegtools/default.nix index 989649c580f2..bfffbae65b59 100644 --- a/pkgs/tools/video/mjpegtools/default.nix +++ b/pkgs/tools/video/mjpegtools/default.nix @@ -15,5 +15,5 @@ stdenv.mkDerivation rec { buildInputs = [ gtk libdv libjpeg libpng libX11 pkgconfig SDL SDL_gfx ]; - hardening_format = false; + hardeningDisable = [ "format" ]; } diff --git a/pkgs/tools/video/vncrec/default.nix b/pkgs/tools/video/vncrec/default.nix index a16dc169b98e..81860f22e897 100644 --- a/pkgs/tools/video/vncrec/default.nix +++ b/pkgs/tools/video/vncrec/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { sha256 = "1yp6r55fqpdhc8cgrgh9i0mzxmkls16pgf8vfcpng1axr7cigyhc"; }; - hardening_format = false; + hardeningDisable = [ "format" ]; buildInputs = [ libX11 xproto imake gccmakedep libXt libXmu libXaw diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 9a10236a4190..63a8e1485d13 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -214,12 +214,12 @@ let allPackages = args: import ./all-packages.nix ({ inherit config system; } // args); }; - defaultStdenv = stdenvAdapters.useHardenFlags (allStdenvs.stdenv // { inherit platform; }); + defaultStdenv = allStdenvs.stdenv // { inherit platform; }; stdenvCross = lowPrio (makeStdenvCross defaultStdenv crossSystem binutilsCross gccCrossStageFinal); stdenv = - if bootStdenv != null then ((import ../stdenv/adapters.nix pkgs_).useHardenFlags bootStdenv // {inherit platform;}) else + if bootStdenv != null then (bootStdenv // {inherit platform;}) else if crossSystem != null then stdenvCross else From 034b2ec2ed00e7d099a7810a284ca6b7dbe81dd9 Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Sat, 5 Mar 2016 19:47:04 +0100 Subject: [PATCH 345/507] glibc: stackprotector is already disabled in default.nix This overwrites the hardeningDisable attribute and removes disabling the fortify flag. --- pkgs/development/libraries/glibc/common.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 50be7d8a7346..13d5adcd9b13 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -165,9 +165,6 @@ stdenv.mkDerivation ({ preBuild = lib.optionalString withGd "unset NIX_DONT_SET_RPATH"; - # FIXME needs gcc 4.9 in bootstrap tools - hardeningDisable = [ "stackprotector" ]; - meta = { homepage = http://www.gnu.org/software/libc/; description = "The GNU C Library"; From 0cad2e7af170b9f9109fa515224e4aaab57d09c1 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 5 Mar 2016 21:39:38 +0100 Subject: [PATCH 346/507] vim: Disable hardening flag fortify Fortify hardening detects a probable buffer overflow in vim at runtime. This has to be fixed upstream. Debian also disables fortify: https://anonscm.debian.org/cgit/pkg-vim/vim.git/tree/debian/rules#n6 --- pkgs/applications/editors/vim/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix index 1249b0b95641..01ba9abe9d9d 100644 --- a/pkgs/applications/editors/vim/default.nix +++ b/pkgs/applications/editors/vim/default.nix @@ -30,6 +30,8 @@ stdenv.mkDerivation rec { "--enable-nls" ]; + hardeningDisable = [ "fortify" ]; + postInstall = '' ln -s $out/bin/vim $out/bin/vi mkdir -p $out/share/vim From 05a02c53a06043f6138a910adf073723a3f066d3 Mon Sep 17 00:00:00 2001 
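Review bot: The reason for `hardeningDisable = [ "fortify" ];` exists only in the commit message; in the file it reads as an unexplained weakening of the default hardening with nothing telling a later maintainer when it can be re-enabled. A one-line comment above the attribute keeps the rationale next to the setting, e.g. `# fortify aborts vim at runtime on a probable buffer overflow; needs an upstream fix (Debian disables it too)`. The vim-configurable hunk below (commit 352/507) has the same gap and would take the same comment.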
From: Franz Pletz Date: Sun, 6 Mar 2016 00:14:55 +0100 Subject: [PATCH 347/507] cc-wrapper: -pie is a ldflag --- pkgs/build-support/cc-wrapper/add-hardening | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index 08fdd52be08a..f211d11ab3ed 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening @@ -15,7 +15,8 @@ if [[ ! $hardeningDisable == "all" ]]; then hardeningCFlags+=('-fstack-protector-strong') ;; pie) - hardeningCFlags+=('-fPIE' '-pie') + hardeningCFlags+=('-fPIE') + hardeningLDFlags+=('-pie') ;; pic) hardeningCFlags+=('-fPIC') From fb57bfbd4f66943b59ed67499aa8cb0c8f4f9e6f Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 6 Mar 2016 00:15:18 +0100 Subject: [PATCH 348/507] php: enable PIE hardening --- pkgs/development/interpreters/php/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/interpreters/php/default.nix b/pkgs/development/interpreters/php/default.nix index 5503ee9c8870..0c28d9cb2991 100644 --- a/pkgs/development/interpreters/php/default.nix +++ b/pkgs/development/interpreters/php/default.nix @@ -249,6 +249,8 @@ let calendarSupport = config.php.calendar or true; }; + hardeningEnable = [ "pie" ]; + configurePhase = '' # Don't record the configure flags since this causes unnecessary # runtime dependencies. From 6473000edd8cda46bf891827b56999ab80e3478d Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 6 Mar 2016 00:15:35 +0100 Subject: [PATCH 349/507] opendkim: enable PIE hardening --- pkgs/development/libraries/opendkim/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/opendkim/default.nix b/pkgs/development/libraries/opendkim/default.nix index e89cd880df13..752ff6be388b 100644 --- a/pkgs/development/libraries/opendkim/default.nix +++ b/pkgs/development/libraries/opendkim/default.nix 
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec { configureFlags= [ "--with-milter=${libmilter}" ]; + hardeningEnable = [ "pie" ]; + nativeBuildInputs = [ pkgconfig makeWrapper ]; buildInputs = [ libbsd openssl libmilter perl ]; From 1fb09c1e7d8a86aa46cfb18fc1aa3b91c9633199 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 6 Mar 2016 00:15:49 +0100 Subject: [PATCH 350/507] dhcpcd: enable PIE hardening --- pkgs/tools/networking/dhcpcd/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/networking/dhcpcd/default.nix b/pkgs/tools/networking/dhcpcd/default.nix index 856f75f06333..1d1f927001f0 100644 --- a/pkgs/tools/networking/dhcpcd/default.nix +++ b/pkgs/tools/networking/dhcpcd/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig udev ]; + hardeningEnable = [ "pie" ]; + configureFlags = [ "--sysconfdir=/etc" "--localstatedir=/var" From 1b4ec4b4959fbae154ea079f1ec8d15bcf6ff707 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 6 Mar 2016 15:45:44 +0000 Subject: [PATCH 351/507] linuxPackages.virtualbox: disable fortify/pic/stackprotector --- pkgs/applications/virtualization/virtualbox/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/virtualization/virtualbox/default.nix b/pkgs/applications/virtualization/virtualbox/default.nix index c0fd8214b317..e7232f056da7 100644 --- a/pkgs/applications/virtualization/virtualbox/default.nix +++ b/pkgs/applications/virtualization/virtualbox/default.nix @@ -74,6 +74,8 @@ in stdenv.mkDerivation { ++ optional pythonBindings python ++ optional pulseSupport libpulseaudio; + hardeningDisable = [ "fortify" "pic" "stackprotector" ]; + prePatch = '' set -x MODULES_BUILD_DIR=`echo ${kernel.dev}/lib/modules/*/build` From 2013614e1d74ad6b0f2d5ab76f3e2b77183806fe Mon Sep 17 00:00:00 2001 
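Review bot: `hardeningDisable = [ "fortify" "pic" "stackprotector" ];` is added without a comment, so nothing records which of the three actually breaks the build or whether all three are needed. The surrounding `MODULES_BUILD_DIR` context suggests the kernel-module build is the motivation, but that is inference; a comment naming the failing component, e.g. `# <reason>: the kernel-module build rejects these user-space flags -- TODO confirm`, would let someone re-narrow the list later. Since the attribute is derivation-wide, the disable presumably also applies to the user-space parts built by this derivation, not only the modules, which is worth stating. The libxml2 hunk further down (`hardeningDisable = [ "bindnow" ];`, commit 359/507) has the same gap.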
From: Robin Gloster Date: Sun, 6 Mar 2016 16:56:29 +0000 Subject: [PATCH 352/507] vim-configurable: Disable hardening flag fortify Fortify hardening detects a probable buffer overflow in vim at runtime. This has to be fixed upstream. Debian also disables fortify: https://anonscm.debian.org/cgit/pkg-vim/vim.git/tree/debian/rules#n6 --- pkgs/applications/editors/vim/configurable.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/editors/vim/configurable.nix b/pkgs/applications/editors/vim/configurable.nix index 2a80f5d42ad7..d041295ee9fb 100644 --- a/pkgs/applications/editors/vim/configurable.nix +++ b/pkgs/applications/editors/vim/configurable.nix @@ -191,6 +191,8 @@ composableDerivation { dontStrip = 1; + hardeningDisable = [ "fortify" ]; + meta = with stdenv.lib; { description = "The most popular clone of the VI editor"; homepage = http://www.vim.org; From 63f60b6a13985645a821a9674ce23799d272eb16 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 6 Mar 2016 15:27:41 +0100 Subject: [PATCH 353/507] cc-wrapper: Disable pie when linking shared libraries --- pkgs/build-support/cc-wrapper/add-hardening | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index f211d11ab3ed..ba6fd4f77a95 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening @@ -16,7 +16,9 @@ if [[ ! $hardeningDisable == "all" ]]; then ;; pie) hardeningCFlags+=('-fPIE') - hardeningLDFlags+=('-pie') + if [[ ! "$*" =~ "-shared" ]]; then + hardeningLDFlags+=('-pie') + fi ;; pic) hardeningCFlags+=('-fPIC') From ab1092875a6292e6fc5fb34d48436cf02374e00c Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sun, 6 Mar 2016 18:03:57 +0100 Subject: [PATCH 354/507] cc-wrapper: Disable pie for linking static libs --- pkgs/build-support/cc-wrapper/add-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index ba6fd4f77a95..92e10db3ea48 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening @@ -16,7 +16,7 @@ if [[ ! $hardeningDisable == "all" ]]; then ;; pie) hardeningCFlags+=('-fPIE') - if [[ ! "$*" =~ "-shared" ]]; then + if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then hardeningLDFlags+=('-pie') fi ;; From b2b499e6c40a36ff8cdbfd8d27096592d0f394cb Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Mon, 7 Mar 2016 01:29:11 +0100 Subject: [PATCH 355/507] cc-wrapper: Increase number of functions for stackprotector --- pkgs/build-support/cc-wrapper/add-hardening | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index 92e10db3ea48..966d68e1948e 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening @@ -12,7 +12,7 @@ if [[ ! $hardeningDisable == "all" ]]; then hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2') ;; stackprotector) - hardeningCFlags+=('-fstack-protector-strong') + hardeningCFlags+=('-fstack-protector-strong' '--param ssp-buffer-size=4') ;; pie) hardeningCFlags+=('-fPIE') From baee91ec60ca724b00027033a8e0d7f97cf376a7 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Mon, 7 Mar 2016 21:39:26 +0100 Subject: [PATCH 356/507] cc-wrapper: Check if ld supports -z, fixes darwin --- pkgs/build-support/cc-wrapper/add-hardening | 7 ++++++- pkgs/build-support/cc-wrapper/cc-wrapper.sh | 1 + pkgs/build-support/cc-wrapper/ld-wrapper.sh | 1 + pkgs/development/libraries/gmp/5.1.x.nix | 2 +- pkgs/shells/bash/default.nix | 2 ++ 5 files changed, 11 insertions(+), 2 deletions(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index 966d68e1948e..ab8ce610e27a 100644 
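Review bot: `"$*" =~ " -shared "` still misses the case where `-shared` (or `-static`) is the first or last argument, because `"$*"` carries no leading or trailing space, so a link line ending in `-shared` would still get `-pie` appended and fail to link. Padding the joined string fixes it with a one-line change: `if [[ ! (" $* " =~ " -shared " || " $* " =~ " -static ") ]]; then`. Iterating `"$@"` and comparing each argument exactly would be more robust still, but the padded form is the minimal change. The enclosing `for`/`case` block begins outside the hunk.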
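Review bot: `--param ssp-buffer-size=4` does not add protection on top of `-fstack-protector-strong`: that parameter only sets the minimum array size at which plain `-fstack-protector` instruments a function, whereas `-strong` already instruments every function with a local array or address-taken local regardless of size, so the commit title's "increase number of functions" does not hold here. It is also written as a single array element containing a space; if `hardeningCFlags` is expanded quoted in cc-wrapper.sh (not visible in this hunk), the compiler receives one argv entry `--param ssp-buffer-size=4` rather than two. Either drop the parameter or split it as `'--param' 'ssp-buffer-size=4'`.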
--- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening @@ -2,11 +2,16 @@ hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow) hardeningFlags+=("${hardeningEnable[@]}") hardeningCFlags=() hardeningLDFlags=() +hardeningDisable=(${hardeningDisable[@]}) + +if [[ "$($LD -z 2>&1)" =~ "unknown option" ]]; then + hardeningDisable+=(bindnow relro) +fi if [[ ! $hardeningDisable == "all" ]]; then for flag in "${hardeningFlags[@]}" do - if [[ ! "$hardeningDisable" =~ "$flag" ]]; then + if [[ ! "${hardeningDisable[@]}" =~ "$flag" ]]; then case $flag in fortify) hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2') diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh index a8a08e5e1443..e07eb8b41dca 100644 --- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh @@ -89,6 +89,7 @@ if [[ "@prog@" = *++ ]]; then fi fi +LD=@ldPath@/ld source @out@/nix-support/add-hardening.sh # Add the flags for the C compiler proper. diff --git a/pkgs/build-support/cc-wrapper/ld-wrapper.sh b/pkgs/build-support/cc-wrapper/ld-wrapper.sh index 12c0709570b0..09e87975437b 100644 --- a/pkgs/build-support/cc-wrapper/ld-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/ld-wrapper.sh @@ -47,6 +47,7 @@ if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \ params=("${rest[@]}") fi +LD=@prog@ source @out@/nix-support/add-hardening.sh extra=(${hardeningLDFlags[@]}) diff --git a/pkgs/development/libraries/gmp/5.1.x.nix b/pkgs/development/libraries/gmp/5.1.x.nix index e803c7c56ac2..5f20d66768e2 100644 --- a/pkgs/development/libraries/gmp/5.1.x.nix +++ b/pkgs/development/libraries/gmp/5.1.x.nix 
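Review bot: `"$($LD -z 2>&1)" =~ "unknown option"` detects `-z` support by matching an error-message string, so a linker that words the error differently, or an empty `$LD` (the shell then executes a bare `-z` and prints "command not found"), silently leaves `relro`/`bindnow` enabled on a linker that rejects them; it also spawns the linker once per compiler invocation. A conservative guard is `if [[ -z "$LD" || "$($LD -z 2>&1)" =~ "unknown option" ]]; then`. Separately, `hardeningDisable=(${hardeningDisable[@]})` relies on unquoted expansion to split the string, which also subjects each word to pathname expansion against the build directory; `read -r -a hardeningDisable <<< "${hardeningDisable[*]}"` splits without globbing.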
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ m4 ]; # FIXME needs gcc 4.9 in bootstrap tools - hardeningDisable = [ "stackprotector" ]; + hardeningDisable = [ "format" "stackprotector" ]; patches = if stdenv.isDarwin then [ ./need-size-t.patch ] else null; diff --git a/pkgs/shells/bash/default.nix b/pkgs/shells/bash/default.nix index 60504ecaa9bc..c9eee56b9050 100644 --- a/pkgs/shells/bash/default.nix +++ b/pkgs/shells/bash/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { inherit sha256; }; + hardeningDisable = [ "format" ]; + outputs = [ "out" "doc" ]; NIX_CFLAGS_COMPILE = '' From fedf31660dd637aa9a4374c0afc2f7c620bf232a Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 8 Mar 2016 00:39:07 +0100 Subject: [PATCH 357/507] nginx: Rmove custom hardening, now enabled by default --- pkgs/servers/http/nginx/default.nix | 9 +-------- pkgs/servers/http/nginx/unstable.nix | 11 +++-------- 2 files changed, 4 insertions(+), 16 deletions(-) diff --git a/pkgs/servers/http/nginx/default.nix b/pkgs/servers/http/nginx/default.nix index 1aaa24127023..22ce5e754458 100644 --- a/pkgs/servers/http/nginx/default.nix +++ b/pkgs/servers/http/nginx/default.nix @@ -54,14 +54,7 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = [ "-I${libxml2}/include/libxml2" ] ++ optional stdenv.isDarwin "-Wno-error=deprecated-declarations -Wno-error=conditional-uninitialized"; - preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules) - + optionalString (hardening && (stdenv.cc.cc.isGNU or false)) '' - configureFlagsArray=( - --with-cc-opt="-fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2" - --with-ld-opt="-pie -Wl,-z,relro,-z,now" - ) - '' - ; + preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules); hardeningEnable = [ "pie" ]; diff --git a/pkgs/servers/http/nginx/unstable.nix b/pkgs/servers/http/nginx/unstable.nix index e85fb96d2edb..5adfb55cb2fd 100644 --- a/pkgs/servers/http/nginx/unstable.nix 
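Review bot: Adding `"format"` to `hardeningDisable` in gmp and bash is unrelated to the `-z` probe in the commit title, and neither hunk says which warning `-Werror=format-security` turns into an error; in gmp the existing `# FIXME needs gcc 4.9 in bootstrap tools` comment now sits above a list where it only explains `stackprotector`. A short comment per entry, e.g. `# format: <warning/file that fails under -Werror=format-security>`, makes it possible to re-enable the flag once the package is fixed. The bash hunk in this commit would take the same comment.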
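Review bot: The removed `--with-cc-opt` used `-fstack-protector-all`, while the wrapper default this series introduces is `-fstack-protector-strong` (see the add-hardening hunks above), so nginx now gets a narrower stack-protector policy than it had; if that is intentional it belongs in the commit message. If `hardening` was an argument of this file, this hunk removes its only visible use and it may now be dead — the argument list is outside the hunk, so please check. The unstable.nix hunk below has the same two points.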
+++ b/pkgs/servers/http/nginx/unstable.nix @@ -52,14 +52,9 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = [ "-I${libxml2}/include/libxml2" ] ++ optional stdenv.isDarwin "-Wno-error=deprecated-declarations"; - preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules) - + optionalString (hardening && (stdenv.cc.cc.isGNU or false)) '' - configureFlagsArray=( - --with-cc-opt="-fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2" - --with-ld-opt="-pie -Wl,-z,relro,-z,now" - ) - '' - ; + preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules); + + hardeningEnable = [ "pie" ]; postInstall = '' mv $out/sbin $out/bin From ac73835b54b3145ee9dcd3f4abb5107c95d8ca6e Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 8 Mar 2016 00:39:39 +0100 Subject: [PATCH 358/507] quicktun: Remove custom hardening, now enabled by default --- pkgs/tools/networking/quicktun/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/tools/networking/quicktun/default.nix b/pkgs/tools/networking/quicktun/default.nix index f07cfe4d0724..ed559f5d5c9f 100644 --- a/pkgs/tools/networking/quicktun/default.nix +++ b/pkgs/tools/networking/quicktun/default.nix @@ -11,8 +11,6 @@ stdenv.mkDerivation rec { sha256 = "0m7gvlgs1mhyw3c8s2dg05j7r7hz8kjpb0sk245m61ir9dmwlf8i"; }; - CFLAGS = "-fPIE -fPIC -pie -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro,-z,now"; - buildInputs = [ libsodium ]; phases = [ "unpackPhase" "buildPhase" "installPhase" ]; From 965abb6d54b57b3f4839f9a472f2a60ca2f4de12 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 8 Mar 2016 21:45:55 +0100 Subject: [PATCH 359/507] libxml2: Disable bindnow hardening --- pkgs/development/libraries/libxml2/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/libxml2/default.nix b/pkgs/development/libraries/libxml2/default.nix index cac8f10d37aa..1bb487fd8cdf 100644 --- a/pkgs/development/libraries/libxml2/default.nix 
+++ b/pkgs/development/libraries/libxml2/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation (rec { sha256 = "0bd17g6znn2r98gzpjppsqjg33iraky4px923j3k8kdl8qgy7sad"; }; + hardeningDisable = [ "bindnow" ]; + outputs = [ "out" "doc" ]; buildInputs = stdenv.lib.optional pythonSupport python From 9a5b070b4591a554b9cf36490d54c0ae28f5c22e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 8 Mar 2016 20:51:35 +0000 Subject: [PATCH 360/507] hardening: debug with NIX_DEBUG --- pkgs/build-support/cc-wrapper/add-hardening | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index ab8ce610e27a..abfd49766db2 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening 
@@ -14,30 +14,39 @@ if [[ ! $hardeningDisable == "all" ]]; then if [[ ! "${hardeningDisable[@]}" =~ "$flag" ]]; then case $flag in fortify) + if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling fortify; fi hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2') ;; stackprotector) + if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling stackprotector; fi hardeningCFlags+=('-fstack-protector-strong' '--param ssp-buffer-size=4') ;; pie) + if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling CFlags -fPIE; fi hardeningCFlags+=('-fPIE') if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then + if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling LDFlags -pie; fi hardeningLDFlags+=('-pie') fi ;; pic) + if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling pic; fi hardeningCFlags+=('-fPIC') ;; strictoverflow) + if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling strictoverflow; fi hardeningCFlags+=('-fno-strict-overflow') ;; format) + if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling format; fi hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security') ;; relro) + if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling relro; fi hardeningLDFlags+=('-z relro') ;; bindnow) + if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling bindnow; fi hardeningLDFlags+=('-z now') ;; *) From 514a478e614f0ac439f84f72e2f9814f2bc1d01f Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 9 Mar 2016 10:08:07 +0100 Subject: [PATCH 361/507] cc-wrapper: Fix if syntax --- pkgs/build-support/cc-wrapper/add-hardening | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index abfd49766db2..82477c6b7d9d 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening 
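Review bot: The nine `if [ -n "$NIX_DEBUG" ]; then echo HARDENING: ...; fi` lines repeat the same guard inline in every `case` arm, which is why each later tweak on this page (the `[[ ]]` syntax fix and the `>&2` redirect in the two following commits) has to touch every arm again. A helper defined once at the top of the script, `hardeningDebug() { if [[ -n "$NIX_DEBUG" ]]; then echo "HARDENING: $*" >&2; fi; }`, lets each arm read `hardeningDebug enabling fortify`. As written here the messages go to stdout, where they can corrupt the output of configure scripts that capture what the compiler wrapper prints; the helper sends them to stderr from the start.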
@@ -14,39 +14,39 @@ if [[ ! $hardeningDisable == "all" ]]; then if [[ ! "${hardeningDisable[@]}" =~ "$flag" ]]; then case $flag in fortify) - if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling fortify; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify; fi hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2') ;; stackprotector) - if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling stackprotector; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackprotector; fi hardeningCFlags+=('-fstack-protector-strong' '--param ssp-buffer-size=4') ;; pie) - if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling CFlags -fPIE; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling CFlags -fPIE; fi hardeningCFlags+=('-fPIE') if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then - if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling LDFlags -pie; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling LDFlags -pie; fi hardeningLDFlags+=('-pie') fi ;; pic) - if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling pic; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling pic; fi hardeningCFlags+=('-fPIC') ;; strictoverflow) - if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling strictoverflow; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling strictoverflow; fi hardeningCFlags+=('-fno-strict-overflow') ;; format) - if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling format; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling format; fi hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security') ;; relro) - if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling relro; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling relro; fi hardeningLDFlags+=('-z relro') ;; bindnow) - if [ -n "$NIX_DEBUG" ]; then echo HARDENING: enabling bindnow; fi + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow; fi hardeningLDFlags+=('-z now') ;; *) 
From 7e2e0dfe7a4f9977ae0b6d74c821f8ffe7739efa Mon Sep 17 00:00:00 2001 From: Tristan Helmich Date: Thu, 10 Mar 2016 15:47:55 +0100 Subject: [PATCH 362/507] cc-wrapper: Use stderr for NIX_DEBUG output Otherwise configure scripts might break when looking for the path to ld --- pkgs/build-support/cc-wrapper/add-hardening | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index 82477c6b7d9d..cd7718801efd 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening 
@@ -14,43 +14,43 @@ if [[ ! $hardeningDisable == "all" ]]; then
 if [[ ! "${hardeningDisable[@]}" =~ "$flag" ]]; then
 case $flag in
 fortify)
- if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify; fi
+ if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify >&2; fi
 hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
 ;;
 stackprotector)
- if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackprotector; fi
+ if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackprotector >&2; fi
 hardeningCFlags+=('-fstack-protector-strong' '--param ssp-buffer-size=4')
 ;;
 pie)
- if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling CFlags -fPIE; fi
+ if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi
 hardeningCFlags+=('-fPIE')
 if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
- if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling LDFlags -pie; fi
+ if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi
 hardeningLDFlags+=('-pie')
 fi
 ;;
 pic)
- if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling pic; fi
+ if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling pic >&2; fi
 hardeningCFlags+=('-fPIC')
 ;;
 strictoverflow)
- if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling strictoverflow; fi
+ if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling strictoverflow >&2; fi
 hardeningCFlags+=('-fno-strict-overflow')
 ;;
 format)
- if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling format; fi
+ if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling format >&2; fi
 hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
 ;;
 relro)
- if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling relro; fi
+ if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling relro >&2; fi
 hardeningLDFlags+=('-z relro')
 ;;
 bindnow)
- if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow; fi
+ if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow >&2; fi
 hardeningLDFlags+=('-z
now') ;; *) - echo "Hardening flag unknown: $flag" + echo "Hardening flag unknown: $flag" >&2 ;; esac fi From 1a5acdb6956e58111cadcd15e6220fdffc9d4b64 Mon Sep 17 00:00:00 2001 From: Tristan Helmich Date: Fri, 11 Mar 2016 14:02:07 +0100 Subject: [PATCH 363/507] cc-wrapper: Add additional NIX_DEBUG statements --- pkgs/build-support/cc-wrapper/add-hardening | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index cd7718801efd..219aa74894cb 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening @@ -8,7 +8,10 @@ if [[ "$($LD -z 2>&1)" =~ "unknown option" ]]; then hardeningDisable+=(bindnow relro) fi +if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi + if [[ ! $hardeningDisable == "all" ]]; then + if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi for flag in "${hardeningFlags[@]}" do if [[ ! "${hardeningDisable[@]}" =~ "$flag" ]]; then From a9b942c0617b1cd5f0732d05eadad0114a178f37 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 14 Mar 2016 00:26:52 +0000 Subject: [PATCH 364/507] cc-wrapper: treat hardeningDisable as string This fixes passing the env variable to the ld-wrapper through the gcc call. Wtf?! --- pkgs/build-support/cc-wrapper/add-hardening | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening index 219aa74894cb..d5966136b9d5 100644 --- a/pkgs/build-support/cc-wrapper/add-hardening +++ b/pkgs/build-support/cc-wrapper/add-hardening 
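Review bot: The `*)` branch now reports an unrecognised hardening flag on stderr but carries on, so a misspelled entry in `hardeningEnable` ends up as a no-op apart from one line that is easy to miss in a long build log. Making the wrapper fail would surface the typo at the first compiler call: `echo "Hardening flag unknown: $flag" >&2; exit 1`; if aborting every compile is considered too strong here, the message at least stays unconditional rather than gated on `NIX_DEBUG` like the others, which is the right choice. The enclosing `for flag` loop opens before this hunk.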
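Review bot: The new debug line `echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2` expands `$hardeningDisable` unquoted, and at this point the variable is still an array (the top-of-file assignment `hardeningDisable=(${hardeningDisable[@]})` is visible as the removed line in the next commit's first hunk), so only the first element is printed and a multi-entry disable list is under-reported; the single-quoted `'$hardeningDisable'` part prints the literal name, presumably as a label. `echo "HARDENING: Value of 'hardeningDisable': ${hardeningDisable[*]}" >&2` prints the whole list. The following commit turns the variable into a string, which makes this moot there, but it applies as of this commit. The `if [[ "$($LD -z 2>&1)" ...` block opens before the hunk.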
@@ -2,10 +2,10 @@ hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow) hardeningFlags+=("${hardeningEnable[@]}") hardeningCFlags=() hardeningLDFlags=() -hardeningDisable=(${hardeningDisable[@]}) +hardeningDisable=${hardeningDisable:-""} if [[ "$($LD -z 2>&1)" =~ "unknown option" ]]; then - hardeningDisable+=(bindnow relro) + hardeningDisable+=" bindnow relro" fi if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi @@ -14,7 +14,7 @@ if [[ ! $hardeningDisable == "all" ]]; then if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi for flag in "${hardeningFlags[@]}" do - if [[ ! "${hardeningDisable[@]}" =~ "$flag" ]]; then + if [[ ! "${hardeningDisable}" =~ "$flag" ]]; then case $flag in fortify) if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify >&2; fi From 7dea0e91acb14b64f7c941399360fcf3a783f552 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 28 Mar 2016 19:17:23 +0000 Subject: [PATCH 365/507] gcc/isl: move bootstrap hardening flags to new bootstrap env --- pkgs/development/compilers/gcc/4.9/default.nix | 3 +-- pkgs/development/compilers/gcc/5/default.nix | 3 ++- pkgs/development/libraries/isl/0.11.1.nix | 3 --- pkgs/development/libraries/isl/0.14.1.nix | 3 +++ 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix index d4c8d018ff2b..02d48bc76f19 100644 --- a/pkgs/development/compilers/gcc/4.9/default.nix +++ b/pkgs/development/compilers/gcc/4.9/default.nix @@ -220,8 +220,7 @@ stdenv.mkDerivation ({ inherit patches; - # FIXME stackprotector needs gcc 4.9 in bootstrap tools - hardeningDisable = [ "format" "stackprotector" ]; + hardeningDisable = [ "format" ]; postPatch = if (stdenv.isGNU 
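Review bot: With `hardeningDisable` now a plain string, the `+=" bindnow relro"` appended when `$LD -z` is unsupported turns a value of `all` into `all bindnow relro`, and the later `[[ ! $hardeningDisable == "all" ]]` no longer matches, so every remaining hardening flag is enabled for a package that asked for all of them off; with the previous array form `$hardeningDisable` expanded to the first element and the check still held. Matching a padded token avoids this: `if [[ ! " $hardeningDisable " == *" all "* ]]; then`, and for the same reason the per-flag test is safer as `if [[ ! " $hardeningDisable " == *" $flag "* ]]; then` rather than the substring regex, which would also fire on a flag name contained in another entry. This only triggers on a linker without `-z`, so it may not have shown up in testing; the `all` check and the `for flag` loop sit between the two hunks.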
diff --git a/pkgs/development/compilers/gcc/5/default.nix b/pkgs/development/compilers/gcc/5/default.nix index ed872703db85..f0a0b8e34643 100644 --- a/pkgs/development/compilers/gcc/5/default.nix +++ b/pkgs/development/compilers/gcc/5/default.nix @@ -216,7 +216,8 @@ stdenv.mkDerivation ({ sha256 = "1ny4smkp5bzs3cp8ss7pl6lk8yss0d9m4av1mvdp72r1x695akxq"; }; - hardeningDisable = [ "format" ]; + # FIXME stackprotector needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" "format" ]; inherit patches; diff --git a/pkgs/development/libraries/isl/0.11.1.nix b/pkgs/development/libraries/isl/0.11.1.nix index f62d898cff74..63140dba37f7 100644 --- a/pkgs/development/libraries/isl/0.11.1.nix +++ b/pkgs/development/libraries/isl/0.11.1.nix @@ -13,9 +13,6 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - # FIXME needs gcc 4.9 in bootstrap tools - hardeningDisable = [ "stackprotector" ]; - meta = { homepage = http://www.kotnet.org/~skimo/isl/; license = stdenv.lib.licenses.lgpl21; diff --git a/pkgs/development/libraries/isl/0.14.1.nix b/pkgs/development/libraries/isl/0.14.1.nix index 8196dec283ac..77ba20cbb200 100644 --- a/pkgs/development/libraries/isl/0.14.1.nix +++ b/pkgs/development/libraries/isl/0.14.1.nix @@ -12,6 +12,9 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + meta = { homepage = http://www.kotnet.org/~skimo/isl/; license = stdenv.lib.licenses.lgpl21; From 247bc1ac9e921215b44dad3eb643ec7da5c50cf2 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 28 Mar 2016 20:20:38 +0000 Subject: [PATCH 366/507] libidn: disable format hardening --- pkgs/development/libraries/libidn/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/libidn/default.nix b/pkgs/development/libraries/libidn/default.nix index c3c6c13c98fc..713e1d39954c 100644 --- a/pkgs/development/libraries/libidn/default.nix 
+++ b/pkgs/development/libraries/libidn/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { doCheck = ! stdenv.isDarwin; + hardeningDisable = [ "format" ]; + buildInputs = stdenv.lib.optional stdenv.isDarwin libiconv; meta = { From 97782aa79e2dad52697023e189826d8b9b39723e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 28 Mar 2016 22:14:14 +0000 Subject: [PATCH 367/507] opendkim: don't enable pie hardening --- pkgs/development/libraries/opendkim/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/development/libraries/opendkim/default.nix b/pkgs/development/libraries/opendkim/default.nix index 752ff6be388b..e89cd880df13 100644 --- a/pkgs/development/libraries/opendkim/default.nix +++ b/pkgs/development/libraries/opendkim/default.nix @@ -10,8 +10,6 @@ stdenv.mkDerivation rec { configureFlags= [ "--with-milter=${libmilter}" ]; - hardeningEnable = [ "pie" ]; - nativeBuildInputs = [ pkgconfig makeWrapper ]; buildInputs = [ libbsd openssl libmilter perl ]; From b8e0cb3fe74f08f2431877a0789262d6afdf1718 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 28 Mar 2016 23:09:19 +0000 Subject: [PATCH 368/507] jbig2enc: fix merge --- pkgs/tools/graphics/jbig2enc/default.nix | 7 ------- 1 file changed, 7 deletions(-) diff --git a/pkgs/tools/graphics/jbig2enc/default.nix b/pkgs/tools/graphics/jbig2enc/default.nix index 62c29a6192fd..0bb0bb00efa5 100644 --- a/pkgs/tools/graphics/jbig2enc/default.nix +++ b/pkgs/tools/graphics/jbig2enc/default.nix @@ -8,13 +8,6 @@ stdenv.mkDerivation { sha256 = "1wc0lmqz4jag3rhhk1xczlqpfv2qqp3fz7wzic2lba3vsbi1rrw3"; }; - patches = [ - (fetchpatch { - url = "https://github.com/agl/jbig2enc/commit/53ce5fe7e73d7ed95c9e12b52dd4984723f865fa.diff"; - sha256 = "0n6s24i1fy9xspawns3r0kmx2fl0q3wqp68l1yai36jhfw08i3n4"; - }) - ]; - propagatedBuildInputs = [ leptonica zlib libwebp giflib libjpeg libpng libtiff ]; patches = [ From 4c55a0dbc5aafb1057ceeefbc3e2d343749caf3b Mon Sep 17 00:00:00 2001 
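Review bot: `hardeningDisable = [ "format" ];` is added with no comment saying what fails, so the reason for dropping `-Werror=format-security` on libidn is not recoverable from the file, and nobody later can tell when the exception may be lifted. A one-line comment above it keeps the weakening reviewable, e.g. `# format hardening off: build fails under -Werror=format-security, see <BUILD-LOG-OR-ISSUE-PLACEHOLDER>`. The same applies to the other bare `hardeningDisable` additions in this series on the page (ccrypt, grub4dos, gfortran-darwin, libaio, singular, spidermonkey, dietlibc, syslinux, qboot, the kernel-module packages); the commit titles name the flag but not the cause.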
From: Robin Gloster Date: Mon, 28 Mar 2016 23:40:52 +0000 Subject: [PATCH 369/507] qcmm: fix merge --- pkgs/development/compilers/qcmm/builder.sh | 29 ----- pkgs/development/compilers/qcmm/qcmm.patch | 121 --------------------- pkgs/top-level/all-packages.nix | 5 - 3 files changed, 155 deletions(-) delete mode 100644 pkgs/development/compilers/qcmm/builder.sh delete mode 100644 pkgs/development/compilers/qcmm/qcmm.patch diff --git a/pkgs/development/compilers/qcmm/builder.sh b/pkgs/development/compilers/qcmm/builder.sh deleted file mode 100644 index acdfbaa08dce..000000000000 --- a/pkgs/development/compilers/qcmm/builder.sh +++ /dev/null @@ -1,29 +0,0 @@ -source $stdenv/setup - -configureFlags="--with-lua=$lua" - -MKFLAGS="-w$lua/include/lauxlib.h,$lua/include/luadebug.h,$lua/include/lua.h,$lua/include/lualib.h" - -buildPhase() { - mk timestamps - mk $MKFLAGS all.opt -} - -installPhase() { - mk $MKFLAGS install.opt - - for file in $out/bin/*.opt; do - mv $file ${file%.opt} - done - - find $out/man -type f -exec gzip -9n {} \; - - find $out -name \*.a -exec echo stripping {} \; \ - -exec strip -S {} \; - - patchELF $out -} - -checkPhase="mk $MKFLAGS test.opt" - -genericBuild diff --git a/pkgs/development/compilers/qcmm/qcmm.patch b/pkgs/development/compilers/qcmm/qcmm.patch deleted file mode 100644 index 414f18a9f73a..000000000000 --- a/pkgs/development/compilers/qcmm/qcmm.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -diff -ur qc--20060131.orig/configure qc--20060131/configure ---- qc--20060131.orig/configure 2005-11-05 22:15:24.000000000 +0100 -+++ qc--20060131/configure 2006-02-02 14:29:07.000000000 +0100 -@@ -93,7 +93,22 @@ - # for file in dirs and return, full path, if found, and "" otherwise. - # - --sub search { search_with( sub($) { return (-f shift) }, @_) } -+sub combine { -+ my $base = shift; -+ my $file = shift; -+ return ("$base/$file") -+}; -+ -+sub search { search_with( sub($) { return (-f shift) }, \&combine, @_) } -+ -+sub search_suffix { -+ my $f = sub($) { -+ my $suffix = shift; -+ my $base = shift; -+ return ($base . $suffix); -+ }; -+ search_with(sub($) { return (-f shift) }, $f, @_) -+} - - sub searchx { - my $f = sub($) { -@@ -105,16 +120,17 @@ - } - return (1==2); # how do you write false in perl? - }; -- search_with($f, @_) -+ search_with($f, \&combine, @_) - } - - sub search_with { - my $p = shift; -+ my $com = shift; - my $file = shift; - -- printf(LOG "searching for %-20s", $file); -+ printf(LOG "searching for %-20s ", $file); - while ($f = shift (@_)) { -- my $x = "$f/$file"; -+ my $x = &$com($f, $file); - if (&$p($x)) { - print LOG "found $x\n"; - return $x -@@ -124,6 +140,20 @@ - return ""; - } - -+#configure lua based on some known installation prefix -+sub config_lua { -+ my $base = shift; -+ @libsuffix = ( ".so", "40.so", ".a", "40.a" ); -+ -+ $x{lua_h} = "$base/include/lua.h"; -+ $x{lualib_h} = "$base/include/lualib.h"; -+ $x{liblua} = search_suffix("$base/lib/liblua", @libsuffix); -+ $x{liblualib} = search_suffix("$base/lib/liblualib", @libsuffix); -+ $x{lua_inc} = "-I$base/include"; -+ $x{lua_lib} = "-L$base/lib/"; -+ $x{lua_libs} = "-llua -llualib"; -+} -+ - - # - # compile and run a small C program to find out about architecture -@@ -183,6 +213,8 @@ - - ./configure [options] - -+ --with-lua=/lua/path lua is installed in /lua/path the default -+ is to search for standard locations - --prefix=/usr/local install into the 
/usr/local hierarchy which - is also the default - -h, --help this summary -@@ -224,15 +256,15 @@ - # We start from here with reading the command line - # ------------------------------------------------------------------ - -+open (LOG, ">$configure_log") || die "cannot write configure.log: $!"; -+ - foreach (@ARGV) { - if (/^--?prefix=(.*)$/) { $x{prefix}=$1 } - elsif (/^--?h(elp?)$/) { usage(); exit 0 } -+ elsif (/^--?with-lua=(.*)$/) { config_lua($1) } - else { usage(); exit 1 } - } - -- --open (LOG, ">$configure_log") || die "cannot write configure.log: $!"; -- - # check for various executables and versions. Only update variable if - # it is not already set. - # -diff -ur qc--20060131.orig/doc/mkfile qc--20060131/doc/mkfile ---- qc--20060131.orig/doc/mkfile 2005-11-07 01:41:21.000000000 +0100 -+++ qc--20060131/doc/mkfile 2006-02-02 00:38:00.000000000 +0100 -@@ -92,7 +92,7 @@ - # and accessible from Lua as This.manual. - - qc--.man:D: qc--.1 -- GROFF_NO_SGR=1 nroff -man -Tascii qc--.1 | ul -t dump > $target -+ GROFF_NO_SGR=1 nroff -man -Tascii qc--.1 > $target - - release.tex:D: release.nw - noweave -delay $prereq > $target -diff -ur qc--20060131.orig/mkfile qc--20060131/mkfile ---- qc--20060131.orig/mkfile 2005-07-01 22:29:52.000000000 +0200 -+++ qc--20060131/mkfile 2006-02-02 19:15:53.000000000 +0100 -@@ -97,7 +97,7 @@ - cd test2 && NPROC=1 mk $MKFLAGS all - - test.opt:V: all.opt -- cd test2 && NPROC=1 mk QC=../bin/qc--.opt $MKFLAGS all -+ cd test2 && NPROC=1 mk $MKFLAGS QC=../bin/qc--.opt all - - coverage: test2/ocamlprof.dump - rm -f $target diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 2ed708b1c517..ab44630120c5 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
@@ -4976,11 +4976,6 @@ in llvm = llvm_36; }; - qcmm = callPackage ../development/compilers/qcmm { - lua = lua4; - ocaml = ocaml_3_08_0; - }; - rgbds = callPackage ../development/compilers/rgbds { }; rtags = callPackage ../development/tools/rtags/default.nix {}; From 0fc7905db32e82863f401a9c76e3d1bf9018358b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 29 Mar 2016 00:26:35 +0000 Subject: [PATCH 370/507] dhcpcd: do not enable pie hardening --- pkgs/tools/networking/dhcpcd/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/tools/networking/dhcpcd/default.nix b/pkgs/tools/networking/dhcpcd/default.nix index 1d1f927001f0..856f75f06333 100644 --- a/pkgs/tools/networking/dhcpcd/default.nix +++ b/pkgs/tools/networking/dhcpcd/default.nix @@ -10,8 +10,6 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig udev ]; - hardeningEnable = [ "pie" ]; - configureFlags = [ "--sysconfdir=/etc" "--localstatedir=/var" From c9ebdd4cac5d0170c9c4368a0c978a83a008c00f Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 29 Mar 2016 00:34:20 +0000 Subject: [PATCH 371/507] libaio.i686: disable stackprotector hardening --- pkgs/os-specific/linux/libaio/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/libaio/default.nix b/pkgs/os-specific/linux/libaio/default.nix index b3df129912e4..1e85182d6c35 100644 --- a/pkgs/os-specific/linux/libaio/default.nix +++ b/pkgs/os-specific/linux/libaio/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { makeFlags = "prefix=$(out)"; + hardeningDisable = stdenv.lib.optional (stdenv.isi686) "stackprotector"; + meta = { description = "Library for asynchronous I/O in Linux"; homepage = http://lse.sourceforge.net/io/aio.html; From 8f94246e07bdf91675b69b45f73e033e81bb3818 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Tue, 29 Mar 2016 10:22:14 +0000 Subject: [PATCH 372/507] linuxPackages.mxu11x0: disable pic hardening --- pkgs/os-specific/linux/mxu11x0/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/mxu11x0/default.nix b/pkgs/os-specific/linux/mxu11x0/default.nix index 4af404324039..ed88fc643fd0 100644 --- a/pkgs/os-specific/linux/mxu11x0/default.nix +++ b/pkgs/os-specific/linux/mxu11x0/default.nix @@ -28,6 +28,8 @@ stdenv.mkDerivation { enableParallelBuilding = true; + hardeningDisable = [ "pic" ]; + meta = with stdenv.lib; { description = "MOXA UPort 11x0 USB to Serial Hub driver"; homepage = "https://github.com/ellysh/mxu11x0"; From ba3399b92fb7bc1a81c91afeb307ed5ea95b06be Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 29 Mar 2016 10:25:06 +0000 Subject: [PATCH 373/507] linuxPackages.rtl8723bs: disable pic hardening --- pkgs/os-specific/linux/rtl8723bs/default.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/pkgs/os-specific/linux/rtl8723bs/default.nix b/pkgs/os-specific/linux/rtl8723bs/default.nix index 6d55c5522f44..2adbb4b743cf 100644 --- a/pkgs/os-specific/linux/rtl8723bs/default.nix +++ b/pkgs/os-specific/linux/rtl8723bs/default.nix @@ -5,14 +5,16 @@ let in stdenv.mkDerivation rec { name = "rtl8723bs-${kernel.version}-c517f2b"; - + src = fetchFromGitHub { owner = "hadess"; repo = "rtl8723bs"; rev = "c517f2bf8bcc3d57311252ea7cd49ae81466eead"; sha256 = "0phzrhq85g52pi2b74a9sr9l2x6dzlz714k3pix486w2x5axw4xb"; }; - + + hardeningDisable = [ "pic" ]; + patchPhase = '' substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/" substituteInPlace ./Makefile --replace '$(shell uname -r)' "${kernel.modDirVersion}" 
@@ -20,12 +22,12 @@ stdenv.mkDerivation rec { substituteInPlace ./Makefile --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/" substituteInPlace ./Makefile --replace '/lib/firmware' "$out/lib/firmware" ''; - + preInstall = '' mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/" mkdir -p "$out/lib/firmware/rtlwifi" ''; - + meta = { description = "Realtek SDIO Wi-Fi driver"; homepage = "https://github.com/hadess/rtl8723bs"; From 4666eca4877f2fda81b40cf863d963e1ed4b7d49 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 29 Mar 2016 10:26:32 +0000 Subject: [PATCH 374/507] linuxPackages.mba6x_bl: disable pic hardening --- pkgs/os-specific/linux/mba6x_bl/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/mba6x_bl/default.nix b/pkgs/os-specific/linux/mba6x_bl/default.nix index 010bda4bb154..2a0e53b39257 100644 --- a/pkgs/os-specific/linux/mba6x_bl/default.nix +++ b/pkgs/os-specific/linux/mba6x_bl/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "pic" ]; + makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" "INSTALL_MOD_PATH=$(out)" From 9c3518bd6dc27cfe955d465c1cf51519dd1d917e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 29 Mar 2016 10:58:19 +0000 Subject: [PATCH 375/507] freeswitch: 1.2.3 -> 1.6.6 --- pkgs/servers/sip/freeswitch/default.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pkgs/servers/sip/freeswitch/default.nix b/pkgs/servers/sip/freeswitch/default.nix index e4e1d393a52a..1cce4c518ea9 100644 --- a/pkgs/servers/sip/freeswitch/default.nix +++ b/pkgs/servers/sip/freeswitch/default.nix 
@@ -1,18 +1,18 @@ { fetchurl, stdenv, ncurses, curl, pkgconfig, gnutls, readline, openssl, perl, libjpeg -, libzrtpcpp, gcc48 }: +, libzrtpcpp }: stdenv.mkDerivation rec { - name = "freeswitch-1.2.3"; + name = "freeswitch-1.6.6"; src = fetchurl { - url = http://files.freeswitch.org/freeswitch-1.2.3.tar.bz2; + url = "http://files.freeswitch.org/releases/freeswitch/${name}.tar.bz2"; sha256 = "0kfvn5f75c6r6yp18almjz9p6llvpm66gpbxcjswrg3ddgbkzg0k"; }; buildInputs = [ ncurses curl pkgconfig gnutls readline openssl perl libjpeg - libzrtpcpp gcc48 ]; + libzrtpcpp ]; - NIX_CFLAGS_COMPILE = "-Wno-error=cpp"; + NIX_CFLAGS_COMPILE = "-Wno-error"; hardeningDisable = [ "format" ]; From a56d90efda33d613a71d8ec7fcf3dadf0fff1be8 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Wed, 30 Mar 2016 20:45:31 +0200 Subject: [PATCH 376/507] php: Disable bindnow hardening flag Fixes dynamic linking against i.e. mysql. --- pkgs/development/interpreters/php/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/development/interpreters/php/default.nix b/pkgs/development/interpreters/php/default.nix index 91beac4cd285..6fe6b18e0bff 100644 --- a/pkgs/development/interpreters/php/default.nix +++ b/pkgs/development/interpreters/php/default.nix @@ -250,6 +250,7 @@ let }; hardeningEnable = [ "pie" ]; + hardeningDisable = [ "bindnow" ]; configurePhase = '' # Don't record the configure flags since this causes unnecessary From 753086cd47271260bfef388db6696c1415cb0175 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 31 Mar 2016 09:48:09 +0200 Subject: [PATCH 377/507] wxPython: Fix build --- pkgs/development/python-modules/wxPython/generic.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/pkgs/development/python-modules/wxPython/generic.nix b/pkgs/development/python-modules/wxPython/generic.nix index 334dd975e48f..a5e0552a8c18 100644 --- a/pkgs/development/python-modules/wxPython/generic.nix +++ b/pkgs/development/python-modules/wxPython/generic.nix 
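Review bot: The name moves from freeswitch-1.2.3 to freeswitch-1.6.6 and the URL changes, but the `sha256 = "0kfvn5f75c6r6yp18almjz9p6llvpm66gpbxcjswrg3ddgbkzg0k";` line is unchanged context, so the fixed-output hash still describes the 1.2.3 tarball. A fresh fetch of the 1.6.6 archive would fail the hash check, and where a store path or binary cache already holds an output with that hash Nix reuses it without fetching, so a derivation named 1.6.6 would build the old 1.2.3 source. The line needs the hash of the new archive: `sha256 = "<HASH-OF-freeswitch-1.6.6.tar.bz2>";`. Widening `-Wno-error=cpp` to `-Wno-error` also deserves a comment naming the warning class that breaks the build, since it mutes everything rather than one diagnostic.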
@@ -22,7 +22,6 @@ stdenv.mkDerivation rec { pythonPath = [ python setuptools ]; buildInputs = [ python setuptools pkgconfig wxGTK (wxGTK.gtk) wrapPython libX11 ] ++ stdenv.lib.optional openglSupport pyopengl; - preConfigure = "cd wxPython"; NIX_LDFLAGS = "-lX11 -lgdk-x11-2.0"; From 5df521abdabe5d294811b9824a5839b1ebbd3127 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 31 Mar 2016 13:57:06 +0200 Subject: [PATCH 378/507] gst-python: Disable bindnow hardening flag Fixes dynamic linking against libxml2. --- .../libraries/gstreamer/legacy/gst-python/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/gstreamer/legacy/gst-python/default.nix b/pkgs/development/libraries/gstreamer/legacy/gst-python/default.nix index 889f55e50006..c8f928ec4523 100644 --- a/pkgs/development/libraries/gstreamer/legacy/gst-python/default.nix +++ b/pkgs/development/libraries/gstreamer/legacy/gst-python/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { sha256 = "0y1i4n5m1diljqr9dsq12anwazrhbs70jziich47gkdwllcza9lg"; }; + hardeningDisable = [ "bindnow" ]; + # Need to disable the testFake test case due to bug in pygobject. # See https://bugzilla.gnome.org/show_bug.cgi?id=692479 patches = [ ./disable-testFake.patch ]; From d326ca40a80fe9de9eccb54f3afb071dd623476c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 3 Apr 2016 11:36:13 +0000 Subject: [PATCH 379/507] stunnel: 5.30 -> 5.31 fixes tarball 404 --- pkgs/tools/networking/stunnel/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/networking/stunnel/default.nix b/pkgs/tools/networking/stunnel/default.nix index b3a493c9375d..48e3c5625832 100644 --- a/pkgs/tools/networking/stunnel/default.nix +++ b/pkgs/tools/networking/stunnel/default.nix 
@@ -2,11 +2,11 @@ stdenv.mkDerivation rec { name = "stunnel-${version}"; - version = "5.30"; + version = "5.31"; src = fetchurl { url = "http://www.stunnel.org/downloads/${name}.tar.gz"; - sha256 = "0w05sqwg3jn7n469w2yxj0cxx7az7jpd8wbcrwxlp5d1ys4v6vkx"; + sha256 = "1dz0p85ha78vxc2hjhrkr4xf8w3q8r177bqdrgm26v6wncdbfim7"; }; buildInputs = [ openssl ]; From 3437b52e6bd510bfd586eede8e52a30a3fef3ba6 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 3 Apr 2016 11:41:30 +0000 Subject: [PATCH 380/507] qboot: turn off stackprotector and pic hardening --- pkgs/applications/virtualization/qboot/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/virtualization/qboot/default.nix b/pkgs/applications/virtualization/qboot/default.nix index e4439ec124f4..0c6e3991b1c0 100644 --- a/pkgs/applications/virtualization/qboot/default.nix +++ b/pkgs/applications/virtualization/qboot/default.nix @@ -12,7 +12,9 @@ stdenv.mkDerivation { installPhase = '' mkdir -p $out cp bios.bin* $out/. - ''; + ''; + + hardeningDisable = [ "stackprotector" "pic" ]; meta = { description = "A simple x86 firmware for booting Linux"; From f3f9145d230963962942413e21d60e14c9960c6b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 3 Apr 2016 11:49:13 +0000 Subject: [PATCH 381/507] spidermonkey.i686-linux: turn off stackprotector hardening --- pkgs/development/interpreters/spidermonkey/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/development/interpreters/spidermonkey/default.nix b/pkgs/development/interpreters/spidermonkey/default.nix index a7482f269dbf..fdd8209407c2 100644 --- a/pkgs/development/interpreters/spidermonkey/default.nix +++ b/pkgs/development/interpreters/spidermonkey/default.nix 
@@ -8,7 +8,8 @@ stdenv.mkDerivation rec { sha256 = "12v6v2ccw1y6ng3kny3xw0lfs58d1klylqq707k0x04m707kydj4"; }; - hardeningDisable = [ "format" ]; + hardeningDisable = [ "format" ] + ++ stdenv.lib.optional stdenv.isi686 "stackprotector"; buildInputs = [ readline ]; From 025cedc6067e60533cea7afb467042f9ac2e65a8 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 3 Apr 2016 12:25:05 +0000 Subject: [PATCH 382/507] singular.i686-linux: turn off stackprotector hardening --- pkgs/applications/science/math/singular/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/science/math/singular/default.nix b/pkgs/applications/science/math/singular/default.nix index 8bae1d6206d0..a0fdf7c82395 100644 --- a/pkgs/applications/science/math/singular/default.nix +++ b/pkgs/applications/science/math/singular/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation rec { find . -exec sed -e 's@/bin/uname@${coreutils}&@g' -i '{}' ';' ''; + hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector"; + postInstall = '' rm -rf "$out/LIB" cp -r Singular/LIB "$out" From 1f978b7422061b055cbb092789d2bc4792fe8940 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 3 Apr 2016 12:27:29 +0000 Subject: [PATCH 383/507] Revert "abook: fix compiling with gcc5" This reverts commit 37918bdc7a09e34985c57a3fe64000edf92362b3. has been fixed on master differently --- pkgs/applications/misc/abook/default.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/pkgs/applications/misc/abook/default.nix b/pkgs/applications/misc/abook/default.nix index c9d35efc6cd0..2c4bc0f21284 100644 --- a/pkgs/applications/misc/abook/default.nix +++ b/pkgs/applications/misc/abook/default.nix 
@@ -19,11 +19,6 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ pkgconfig ]; buildInputs = [ ncurses readline ]; - # Changed inline semantics in GCC5, need to export symbols for inline funcs - postPatch = '' - substituteInPlace database.c --replace inline extern - ''; - meta = { homepage = "http://abook.sourceforge.net/"; description = "Text-based addressbook program designed to use with mutt mail client"; From 4ee2b2ab7b6d23e4bc67f9bc5fa42819c099972a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 3 Apr 2016 12:37:35 +0000 Subject: [PATCH 384/507] rr: set Wno-error and turn off fortify hardening --- pkgs/development/tools/analysis/rr/default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/development/tools/analysis/rr/default.nix b/pkgs/development/tools/analysis/rr/default.nix index ea733b5b4618..b0950fb8cb24 100644 --- a/pkgs/development/tools/analysis/rr/default.nix +++ b/pkgs/development/tools/analysis/rr/default.nix @@ -19,6 +19,11 @@ stdenv.mkDerivation rec { buildInputs = [ cmake libpfm zlib python pkgconfig pythonPackages.pexpect which procps gdb ]; cmakeFlags = "-DCMAKE_C_FLAGS_RELEASE:STRING= -DCMAKE_CXX_FLAGS_RELEASE:STRING="; + # we turn on additional warnings due to hardening + NIX_CFLAGS_COMPILE = "-Wno-error"; + + hardeningDisable = [ "fortify" ]; + enableParallelBuilding = true; # FIXME From fbb8067aa12e2e74b60c255e3194942eb46770e4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 3 Apr 2016 12:49:18 +0000 Subject: [PATCH 385/507] dietlibc.i686-linux: disable pic --- pkgs/os-specific/linux/dietlibc/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/dietlibc/default.nix b/pkgs/os-specific/linux/dietlibc/default.nix index 7a2d94100fa5..12ffbfbc5ce4 100644 --- a/pkgs/os-specific/linux/dietlibc/default.nix +++ b/pkgs/os-specific/linux/dietlibc/default.nix 
@@ -13,7 +13,8 @@ stdenv.mkDerivation { inherit glibc; kernelHeaders = glibc.linuxHeaders; - hardeningDisable = [ "stackprotector" ]; + hardeningDisable = [ "stackprotector" ] + ++ stdenv.lib.optional stdenv.isi686 "pic"; patches = [ From 59781091940fe6fced7dd880f40501deb192f69d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 3 Apr 2016 12:51:54 +0000 Subject: [PATCH 386/507] syslinux: disable fortify hardening --- pkgs/os-specific/linux/syslinux/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/syslinux/default.nix b/pkgs/os-specific/linux/syslinux/default.nix index a68ab9c478ca..f4ad94b5085c 100644 --- a/pkgs/os-specific/linux/syslinux/default.nix +++ b/pkgs/os-specific/linux/syslinux/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { buildInputs = [ libuuid makeWrapper ]; enableParallelBuilding = false; # Fails very rarely with 'No rule to make target: ...' - hardeningDisable = [ "pic" "stackprotector" ]; + hardeningDisable = [ "pic" "stackprotector" "fortify" ]; preBuild = '' substituteInPlace Makefile --replace /bin/pwd $(type -P pwd) From df72d621f15373de4670a6ee4828e20734323ca2 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 3 Apr 2016 13:31:15 +0000 Subject: [PATCH 387/507] Revert "php: enable PIE hardening" This reverts commit fb57bfbd4f66943b59ed67499aa8cb0c8f4f9e6f. --- pkgs/development/interpreters/php/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/pkgs/development/interpreters/php/default.nix b/pkgs/development/interpreters/php/default.nix index c890a3fc90f4..cec808ff862f 100644 --- a/pkgs/development/interpreters/php/default.nix +++ b/pkgs/development/interpreters/php/default.nix @@ -249,7 +249,6 @@ let calendarSupport = config.php.calendar or true; }; - hardeningEnable = [ "pie" ]; hardeningDisable = [ "bindnow" ]; configurePhase = '' From db6c023df0f2288fe3811bf14a84deb531e9999f Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Sun, 3 Apr 2016 13:31:29 +0000 Subject: [PATCH 388/507] Revert "libxml2: Disable bindnow hardening" This reverts commit 965abb6d54b57b3f4839f9a472f2a60ca2f4de12. --- pkgs/development/libraries/libxml2/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/development/libraries/libxml2/default.nix b/pkgs/development/libraries/libxml2/default.nix index 1bb487fd8cdf..cac8f10d37aa 100644 --- a/pkgs/development/libraries/libxml2/default.nix +++ b/pkgs/development/libraries/libxml2/default.nix @@ -13,8 +13,6 @@ stdenv.mkDerivation (rec { sha256 = "0bd17g6znn2r98gzpjppsqjg33iraky4px923j3k8kdl8qgy7sad"; }; - hardeningDisable = [ "bindnow" ]; - outputs = [ "out" "doc" ]; buildInputs = stdenv.lib.optional pythonSupport python From f519a255a56e7c42d04d1beb666d685078cc7e18 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 4 Apr 2016 14:08:53 +0000 Subject: [PATCH 389/507] xorg: switch off bindnow hardening for all packages X otherwise fails to load modules. --- pkgs/servers/x11/xorg/builder.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/servers/x11/xorg/builder.sh b/pkgs/servers/x11/xorg/builder.sh index f5b8803a98a3..aabc34dce60c 100644 --- a/pkgs/servers/x11/xorg/builder.sh +++ b/pkgs/servers/x11/xorg/builder.sh @@ -50,5 +50,7 @@ fi enableParallelBuilding=1 +# breaks module loading +hardeningDisable="bindnow" genericBuild From bdbce02057e2c172f9629c6238d2048d1949ddb9 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 4 Apr 2016 16:17:14 +0000 Subject: [PATCH 390/507] eggdrop: fix build --- pkgs/tools/networking/eggdrop/default.nix | 6 ------ 1 file changed, 6 deletions(-) diff --git a/pkgs/tools/networking/eggdrop/default.nix b/pkgs/tools/networking/eggdrop/default.nix index 0ad394b02913..a9f2419b1368 100644 --- a/pkgs/tools/networking/eggdrop/default.nix +++ b/pkgs/tools/networking/eggdrop/default.nix 
@@ -13,14 +13,8 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; - hardeningDisable = [ "format" ]; - patches = [ - # https://github.com/eggheads/eggdrop/issues/123 - ./b34a33255f56bbd2317c26da12d702796d67ed50.patch - ]; - preConfigure = '' prefix=$out/eggdrop mkdir -p $prefix From d00784602d8100bcca8df5e78552eb25386939eb Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 5 Apr 2016 16:21:15 +0000 Subject: [PATCH 391/507] ccrypt: disable format hardening --- pkgs/tools/security/ccrypt/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/security/ccrypt/default.nix b/pkgs/tools/security/ccrypt/default.nix index e6a63a2f2882..0afa91086890 100644 --- a/pkgs/tools/security/ccrypt/default.nix +++ b/pkgs/tools/security/ccrypt/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { nativeBuildInputs = [ perl ]; + hardeningDisable = [ "format" ]; + meta = { homepage = http://ccrypt.sourceforge.net/; description = "Utility for encrypting and decrypting files and streams with AES-256"; From d8d6f0bfcb827ad7f852556fcd50b48c1e2eb184 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 5 Apr 2016 16:29:55 +0000 Subject: [PATCH 392/507] grub4dos: disable stackprotector hardening --- pkgs/tools/misc/grub4dos/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/grub4dos/default.nix b/pkgs/tools/misc/grub4dos/default.nix index c59869c0dc7e..f0ac6b5f7c98 100644 --- a/pkgs/tools/misc/grub4dos/default.nix +++ b/pkgs/tools/misc/grub4dos/default.nix @@ -14,6 +14,8 @@ in stdenv.mkDerivation { nativeBuildInputs = [ unzip nasm ]; + hardeningDisable = [ "stackprotector" ]; + configureFlags = [ "--host=${arch}-pc-linux-gnu" ]; postInstall = '' From 9893a43dc3704d05417eac42af676a47e4f058f6 Mon Sep 17 00:00:00 2001 
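Review bot: `hardeningDisable = [ "format" ]` on ccrypt, an encryption tool under tools/security, drops the format-string diagnostics for the whole build instead of addressing the one call that trips them, and the hunk gives no hint what that call is. If, as I understand the hardened stdenv's `format` flag, the failure is a `-Werror=format-security` error, the narrower fix keeps the warning visible and only stops it being fatal, `NIX_CFLAGS_COMPILE = "-Wno-error=format-security";`, or better patches the offending non-literal `printf(var)` into `printf("%s", var)`. Whatever is kept, add a comment naming the file and warning so the disable can be revisited.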
From: Robin Gloster Date: Tue, 5 Apr 2016 16:43:31 +0000 Subject: [PATCH 393/507] gfortran-darwin: disable format hardening --- pkgs/development/compilers/gcc/gfortran-darwin.nix | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/pkgs/development/compilers/gcc/gfortran-darwin.nix b/pkgs/development/compilers/gcc/gfortran-darwin.nix index 66f273482cfb..5162f311e4e0 100644 --- a/pkgs/development/compilers/gcc/gfortran-darwin.nix +++ b/pkgs/development/compilers/gcc/gfortran-darwin.nix @@ -7,12 +7,18 @@ stdenv.mkDerivation rec { name = "gfortran-${version}"; version = "5.1.0"; - buildInputs = [gmp mpfr libmpc isl_0_14 cloog zlib]; + + buildInputs = [ gmp mpfr libmpc isl_0_14 cloog zlib ]; + src = fetchurl { url = "mirror://gnu/gcc/gcc-${version}/gcc-${version}.tar.bz2"; sha256 = "1bd5vj4px3s8nlakbgrh38ynxq4s654m6nxz7lrj03mvkkwgvnmp"; }; + patches = ./gfortran-darwin.patch; + + hardeningDisable = [ "format" ]; + configureFlags = '' --disable-bootstrap --disable-cloog-version-check @@ -28,11 +34,15 @@ stdenv.mkDerivation rec { --with-native-system-header-dir=${Libsystem}/include --with-system-zlib ''; + postConfigure = '' export DYLD_LIBRARY_PATH=`pwd`/`uname -m`-apple-darwin`uname -r`/libgcc ''; - makeFlags = ["CC=clang"]; + + makeFlags = [ "CC=clang" ]; + passthru.cc = stdenv.cc.cc; + meta = with stdenv.lib; { description = "GNU Fortran compiler, part of the GNU Compiler Collection"; homepage = "https://gcc.gnu.org/fortran/"; From 4d4610ac0fb98d013a987342d9b0004a9a6e8a5a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 5 Apr 2016 16:44:02 +0000 Subject: [PATCH 394/507] gprolog.i686-linux: disable pic hardening --- pkgs/development/compilers/gprolog/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/gprolog/default.nix b/pkgs/development/compilers/gprolog/default.nix index f2b5a04df986..c63cb85f5f17 100644 --- a/pkgs/development/compilers/gprolog/default.nix 
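Review bot: The hunk adds `patches = ./gfortran-darwin.patch;` but the diffstat lists only gfortran-darwin.nix (one file, 12 insertions), so unless that patch file already exists in the tree the build will fail in the patch phase; either add the file in this commit or drop the line. The subject says only "disable format hardening", yet the hunk also introduces the patch, `passthru.cc`, and whitespace changes, which buries the security-relevant line among unrelated edits. A comment on `hardeningDisable = [ "format" ];` naming the failing diagnostic, e.g. `# format: <file> fails -Werror=format-security`, would make the exception reviewable on its own.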
+++ b/pkgs/development/compilers/gprolog/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "13miyas47bmijmadm68cbvb21n4s156gjafz7kfx9brk9djfkh0q"; }; + hardeningDisable = stdenv.lib.optional stdenv.isi686 "pic"; + patchPhase = '' sed -i -e "s|/tmp/make.log|$TMPDIR/make.log|g" src/Pl2Wam/check_boot ''; From f791c1074dc53fdbf24fae4d93745b0641c576d9 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 5 Apr 2016 16:44:30 +0000 Subject: [PATCH 395/507] lua.i686-linux: disable stackprotector hardening --- pkgs/development/interpreters/lua-4/default.nix | 2 ++ pkgs/development/interpreters/lua-5/sec.nix | 2 ++ 2 files changed, 4 insertions(+) diff --git a/pkgs/development/interpreters/lua-4/default.nix b/pkgs/development/interpreters/lua-4/default.nix index 2d216389bd7c..d6f385f5b503 100644 --- a/pkgs/development/interpreters/lua-4/default.nix +++ b/pkgs/development/interpreters/lua-4/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation { buildFlags = "all so sobin"; installFlags = "INSTALL_ROOT=$$out"; + hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector"; + meta = { homepage = "http://www.lua.org"; description = "Powerful, fast, lightweight, embeddable scripting language"; diff --git a/pkgs/development/interpreters/lua-5/sec.nix b/pkgs/development/interpreters/lua-5/sec.nix index 08eb1c89308c..7af17ae200c2 100644 --- a/pkgs/development/interpreters/lua-5/sec.nix +++ b/pkgs/development/interpreters/lua-5/sec.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ lua5 openssl ]; + hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector"; + preBuild = '' makeFlagsArray=( linux From ad9376dc74e1e67a2391d1ba7afb23892906afde Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 5 Apr 2016 16:49:28 +0000 Subject: [PATCH 396/507] hunspell: disable format hardening --- pkgs/development/libraries/hunspell/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/pkgs/development/libraries/hunspell/default.nix b/pkgs/development/libraries/hunspell/default.nix index 98f6511f3917..14d36ef53157 100644 --- a/pkgs/development/libraries/hunspell/default.nix +++ b/pkgs/development/libraries/hunspell/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ ncurses readline ]; configureFlags = "--with-ui --with-readline"; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { homepage = http://hunspell.sourceforge.net; description = "Spell checker"; From 057a899791d6f346381961932625be8f31736d0e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 6 Apr 2016 08:18:14 +0000 Subject: [PATCH 397/507] haskellPackages.glib: disable fortify hardening --- pkgs/development/haskell-modules/configuration-common.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index c0282648a396..49a0a3eff159 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -240,7 +240,9 @@ self: super: { gio_0_13_0_3 = addPkgconfigDepend super.gio_0_13_0_3 pkgs.glib; gio_0_13_0_4 = addPkgconfigDepend super.gio_0_13_0_4 pkgs.glib; gio_0_13_1_0 = addPkgconfigDepend super.gio_0_13_1_0 pkgs.glib; - glib = addPkgconfigDepend super.glib pkgs.glib; + glib = pkgs.lib.overrideDerivation (addPkgconfigDepend super.glib pkgs.glib) (drv: { + hardeningDisable = [ "fortify" ]; + }); gtk3 = super.gtk3.override { inherit (pkgs) gtk3; }; gtk = addPkgconfigDepend super.gtk pkgs.gtk; gtksourceview2 = (addPkgconfigDepend super.gtksourceview2 pkgs.gtk2).override { inherit (pkgs.gnome2) gtksourceview; }; From 58a73d3f4be799a025347406d3a867c25555a8d1 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Wed, 6 Apr 2016 08:26:01 +0000 Subject: [PATCH 398/507] haskellPackages.lvmrun: disable format hardening --- pkgs/development/haskell-modules/configuration-common.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 49a0a3eff159..f1c1abfedb5b 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -440,7 +440,9 @@ self: super: { lensref = dontCheck super.lensref; liquidhaskell = dontCheck super.liquidhaskell; lucid = dontCheck super.lucid; #https://github.com/chrisdone/lucid/issues/25 - lvmrun = dontCheck super.lvmrun; + lvmrun = pkgs.lib.overrideDerivation (dontCheck super.lvmrun) (drv: { + hardeningDisable = [ "format" ]; + }); memcache = dontCheck super.memcache; milena = dontCheck super.milena; nats-queue = dontCheck super.nats-queue; From 0086c6d4014851f2d1a8a99338faeed92cbf9e51 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 6 Apr 2016 08:54:48 +0000 Subject: [PATCH 399/507] lrzsz: disable format hardening --- pkgs/tools/misc/lrzsz/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/lrzsz/default.nix b/pkgs/tools/misc/lrzsz/default.nix index 729faa7a95d9..11351790becc 100644 --- a/pkgs/tools/misc/lrzsz/default.nix +++ b/pkgs/tools/misc/lrzsz/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1wcgfa9fsigf1gri74gq0pa7pyajk12m4z69x7ci9c6x9fqkd2y2"; }; + hardeningDisable = [ "format" ]; + configureFlags = [ "--program-transform-name=s/^l//" ]; meta = with stdenv.lib; { From 8bdd73291d35c03fcfaa959427bef437c5dfa81e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 6 Apr 2016 09:12:12 +0000 Subject: [PATCH 400/507] wla-dx: disable format hardening --- pkgs/development/compilers/wla-dx/default.nix | 5 +++++ 1 file changed, 5 insertions(+) 
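Review bot: lrzsz transfers files with a remote peer over serial/modem links, so the format-string checks removed by `hardeningDisable = [ "format" ]` are exactly the diagnostics worth keeping on this code, and the hunk does not say which call triggers them. Rather than removing the check for the whole build, keep the warning and only make it non-fatal, `NIX_CFLAGS_COMPILE = "-Wno-error=format-security";`, then inspect what it reports and patch any genuinely non-literal format string. Record the triggering warning in a comment next to the line either way.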
diff --git a/pkgs/development/compilers/wla-dx/default.nix b/pkgs/development/compilers/wla-dx/default.nix index 535868bee3ba..f91c555b6b99 100644 --- a/pkgs/development/compilers/wla-dx/default.nix +++ b/pkgs/development/compilers/wla-dx/default.nix @@ -2,16 +2,21 @@ stdenv.mkDerivation rec { name = "wla-dx-git-2016-02-27"; + src = fetchFromGitHub { owner = "vhelin"; repo = "wla-dx"; rev = "8189fe8d5620584ea16563875ff3c5430527c86a"; sha256 = "02zgkcyfx7y8j6jvyi12lm29fydnd7m3rxv6g2psv23fyzmpkkir"; }; + + hardeningDisable = [ "format" ]; + installPhase = '' mkdir -p $out/bin install binaries/* $out/bin ''; + nativeBuildInputs = [ cmake ]; meta = with stdenv.lib; { From 812e25c86b1abffa1d7109d269877d3902455fed Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 6 Apr 2016 09:12:20 +0000 Subject: [PATCH 401/507] mksh: disable format hardening --- pkgs/shells/mksh/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/shells/mksh/default.nix b/pkgs/shells/mksh/default.nix index 696777c7f1ff..3037552dab62 100644 --- a/pkgs/shells/mksh/default.nix +++ b/pkgs/shells/mksh/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { buildInputs = [ groff ]; + hardeningDisable = [ "format" ]; + buildPhase = '' mkdir build-dir/ cp mksh.1 dot.mkshrc build-dir/ From 7a347f608207afc4aeb5086e97489999ed6a3f40 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 6 Apr 2016 09:15:19 +0000 Subject: [PATCH 402/507] wml: disable format hardening --- pkgs/development/web/wml/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/development/web/wml/default.nix b/pkgs/development/web/wml/default.nix index 22cc5001c920..be53724636b9 100644 --- a/pkgs/development/web/wml/default.nix +++ b/pkgs/development/web/wml/default.nix 
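Review bot: The `"format"` entry for mksh comes with no comment identifying the construct that trips the check, and for a shell whose own code formats strings derived from user input, the reviewer needs to see whether this is a false positive (a non-literal format string that is in fact constant) or a real non-literal printf-style call. Please record it, `hardeningDisable = [ "format" ]; # <file>:<line> passes a non-literal format string`, and prefer a one-line source patch to a package-wide disable when it is a single call site. The same gap applies to the wla-dx hunk just above this one.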
@@ -19,12 +19,14 @@ perlPackages.buildPerlPackage rec { sed -i 's/ doc / /g' wml_backend/p2_mp4h/Makefile.in sed -i '/p2_mp4h\/doc/d' Makefile.in ''; - + buildInputs = with perlPackages; [ perl TermReadKey GD BitVector ncurses lynx makeWrapper ImageSize ]; patches = [ ./redhat-with-thr.patch ./dynaloader.patch ./no_bitvector.patch ]; - + + hardeningDisable = [ "format" ]; + postPatch = '' substituteInPlace wml_frontend/wml.src \ --replace "File::PathConvert::realpath" "Cwd::realpath" \ From 88b49cc74815077a942e5f319bb345a31038fbed Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 6 Apr 2016 09:23:57 +0000 Subject: [PATCH 403/507] tinycc: disable fortify hardening --- pkgs/development/compilers/tinycc/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/tinycc/default.nix b/pkgs/development/compilers/tinycc/default.nix index f1a52f5de91e..96844b2b1f19 100644 --- a/pkgs/development/compilers/tinycc/default.nix +++ b/pkgs/development/compilers/tinycc/default.nix @@ -18,6 +18,8 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ perl texinfo ]; + hardeningDisable = [ "fortify" ]; + postPatch = '' substituteInPlace "texi2pod.pl" \ --replace "/usr/bin/perl" "${perl}/bin/perl" From 8d4443a89a7b3dc9921bf759cce9c9912dc297fe Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 6 Apr 2016 09:36:58 +0000 Subject: [PATCH 404/507] recutils: disable format hardening --- pkgs/tools/misc/recutils/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/recutils/default.nix b/pkgs/tools/misc/recutils/default.nix index 4d6829e99a4c..6dd40e8476f3 100644 --- a/pkgs/tools/misc/recutils/default.nix +++ b/pkgs/tools/misc/recutils/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { doCheck = true; + hardeningDisable = [ "format" ]; + buildInputs = [ curl emacs ] ++ (stdenv.lib.optionals doCheck [ check bc ]); meta = { From 5ca99ae7a7d685980048dff05b5db18d31202ebe Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Wed, 6 Apr 2016 14:16:42 +0000 Subject: [PATCH 405/507] kernel.i686-linux: disable bindnow hardening --- pkgs/os-specific/linux/kernel/manual-config.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix index 85a4b98982a4..348221ce05d8 100644 --- a/pkgs/os-specific/linux/kernel/manual-config.nix +++ b/pkgs/os-specific/linux/kernel/manual-config.nix @@ -225,7 +225,8 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null) (ubootChooser stdenv.platform.uboot); - hardeningDisable = [ "format" "fortify" "stackprotector" "pic" ]; + hardeningDisable = [ "format" "fortify" "stackprotector" "pic" ] + ++ stdenv.lib.optional stdenv.isi686 "bindnow"; makeFlags = commonMakeFlags ++ [ "ARCH=${stdenv.platform.kernelArch}" From a73a28de7b16734d8e28da8be43a06b92eeb6bc3 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 6 Apr 2016 16:16:23 +0000 Subject: [PATCH 406/507] fix grammar errors --- doc/languages-frameworks/python.md | 2 +- nixos/modules/system/boot/loader/grub/grub.nix | 4 ++-- pkgs/applications/graphics/kipi-plugins/default.nix | 4 ++-- pkgs/servers/firebird/default.nix | 2 +- pkgs/servers/sql/virtuoso/7.x.nix | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/doc/languages-frameworks/python.md b/doc/languages-frameworks/python.md index fc0a0ba987ae..3ee25669f742 100644 --- a/doc/languages-frameworks/python.md +++ b/doc/languages-frameworks/python.md @@ -599,7 +599,7 @@ Given a `default.nix`: src = ./.; } Running `nix-shell` with no arguments should give you -the environment in which the package would be build with +the environment in which the package would be built with `nix-build`. Shortcut to setup environments with C headers/libraries and python packages: 
diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index d9f6f51f13a2..6b201fcce638 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -348,7 +348,7 @@ in default = false; type = types.bool; description = '' - Whether GRUB should be build against libzfs. + Whether GRUB should be built against libzfs. ZFS support is only available for GRUB v2. This option is ignored for GRUB v1. ''; @@ -358,7 +358,7 @@ in default = false; type = types.bool; description = '' - Whether GRUB should be build with EFI support. + Whether GRUB should be built with EFI support. EFI support is only available for GRUB v2. This option is ignored for GRUB v1. ''; diff --git a/pkgs/applications/graphics/kipi-plugins/default.nix b/pkgs/applications/graphics/kipi-plugins/default.nix index 6a38698370d8..b69105fba7c8 100644 --- a/pkgs/applications/graphics/kipi-plugins/default.nix +++ b/pkgs/applications/graphics/kipi-plugins/default.nix @@ -7,7 +7,7 @@ stdenv.mkDerivation rec { name = "kipi-plugins-1.9.0"; - src = fetchurl { + src = fetchurl { url = "mirror://sourceforge/kipi/${name}.tar.bz2"; sha256 = "0k4k9v1rj7129n0s0i5pvv4rabx0prxqs6sca642fj95cxc6c96m"; }; @@ -25,6 +25,6 @@ stdenv.mkDerivation rec { homepage = http://www.kipi-plugins.org; inherit (kdelibs.meta) platforms; maintainers = with stdenv.lib.maintainers; [ viric urkud ]; - broken = true; # it should be build from digikam sources, perhaps together + broken = true; # it should be built from digikam sources, perhaps together }; } diff --git a/pkgs/servers/firebird/default.nix b/pkgs/servers/firebird/default.nix index 414582b69ef5..3e258ee6d3f1 100644 --- a/pkgs/servers/firebird/default.nix +++ b/pkgs/servers/firebird/default.nix 
@@ -11,7 +11,7 @@ # icu version missmatch may cause such error when selecting from a table: # "Collation unicode for character set utf8 is not installed" - # icu 3.0 can still be build easily by nix (by dropping the #elif case and + # icu 3.0 can still be built easily by nix (by dropping the #elif case and # make | make) icu ? null diff --git a/pkgs/servers/sql/virtuoso/7.x.nix b/pkgs/servers/sql/virtuoso/7.x.nix index de610f9a7294..afb91602d76c 100644 --- a/pkgs/servers/sql/virtuoso/7.x.nix +++ b/pkgs/servers/sql/virtuoso/7.x.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { meta = with stdenv.lib; { description = "SQL/RDF database used by, e.g., KDE-nepomuk"; homepage = http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/; - #configure: The current version [...] can only be build on 64bit platforms + #configure: The current version [...] can only be built on 64bit platforms platforms = [ "x86_64-linux" "x86_64-darwin" ]; maintainers = [ maintainers.urkud ]; }; From a36f51f77327b3ecdb09184c09f5e1970a31492a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 19 Apr 2016 02:05:50 +0000 Subject: [PATCH 407/507] neovim: disable fortify hardening --- pkgs/applications/editors/neovim/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/applications/editors/neovim/default.nix b/pkgs/applications/editors/neovim/default.nix index 7d23ae5bbbdd..064e68cae9f1 100644 --- a/pkgs/applications/editors/neovim/default.nix +++ b/pkgs/applications/editors/neovim/default.nix @@ -98,6 +98,9 @@ let LUA_CPATH="${lpeg}/lib/lua/${lua.luaversion}/?.so;${luabitop}/lib/lua/5.2/?.so"; LUA_PATH="${luaMessagePack}/share/lua/5.1/?.lua"; + # triggers on buffer overflow bug while running tests + hardeningDisable = [ "fortify" ]; + preConfigure = stdenv.lib.optionalString stdenv.isDarwin '' export DYLD_LIBRARY_PATH=${jemalloc}/lib substituteInPlace src/nvim/CMakeLists.txt --replace " util" "" From b59a6aa93a64629e02750de7120a3423b93384e2 Mon Sep 17 00:00:00 2001 
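Review bot: The comment `# triggers on buffer overflow bug while running tests` says _FORTIFY_SOURCE caught a real overflow during the test run, and the response is to remove the check rather than the bug, so the installed binary ships with the overflow intact and its runtime guard off. If the overflow is in neovim itself, keep fortify and skip the failing test (`doCheck = false;` or excluding that test) until the upstream fix lands; if it is only in test scaffolding, say so in the comment. Either way the comment should carry the failing test name or upstream issue so this can be reverted, e.g. `# fortify: test <name> aborts on a buffer overflow, see <upstream issue>`.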
From: Robin Gloster Date: Tue, 19 Apr 2016 02:21:57 +0000 Subject: [PATCH 408/507] kernel: turn off bindnow hardening --- pkgs/os-specific/linux/kernel/manual-config.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix index 1fb702d57463..7ba01d667290 100644 --- a/pkgs/os-specific/linux/kernel/manual-config.nix +++ b/pkgs/os-specific/linux/kernel/manual-config.nix @@ -216,8 +216,7 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null) (ubootChooser stdenv.platform.uboot); - hardeningDisable = [ "format" "fortify" "stackprotector" "pic" ] - ++ stdenv.lib.optional stdenv.isi686 "bindnow"; + hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" ]; makeFlags = commonMakeFlags ++ [ "ARCH=${stdenv.platform.kernelArch}" From fd77c5c5a0daa0f1fd2cfa64085b9a27e40495f0 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 19 Apr 2016 10:56:55 +0000 Subject: [PATCH 409/507] haskellPackages.gio: turn off fortify hardening --- pkgs/development/haskell-modules/configuration-common.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 16944c2d5a3b..af25acfc3ae3 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix 
@@ -235,7 +235,9 @@ self: super: { jwt = dontCheck super.jwt; # https://github.com/NixOS/cabal2nix/issues/136 - gio = addPkgconfigDepend super.gio pkgs.glib; + gio = pkgs.lib.overrideDerivation (addPkgconfigDepend super.gio pkgs.glib) (drv: { + hardeningDisable = [ "fortify" ]; + }); gio_0_13_0_3 = addPkgconfigDepend super.gio_0_13_0_3 pkgs.glib; gio_0_13_0_4 = addPkgconfigDepend super.gio_0_13_0_4 pkgs.glib; gio_0_13_1_0 = addPkgconfigDepend super.gio_0_13_1_0 pkgs.glib; From 33ef14fb62d0d651b972dc1c18aa53dd95c2b9e4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 19 Apr 2016 12:15:23 +0000 Subject: [PATCH 410/507] haskellPackages: clean up unnecessary overrides --- .../haskell-modules/configuration-common.nix | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index af25acfc3ae3..2e4b53d415bc 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -255,9 +255,6 @@ self: super: { webkitgtk3-javascriptcore = super.webkitgtk3-javascriptcore.override { webkit = pkgs.webkitgtk24x; }; websnap = super.websnap.override { webkit = pkgs.webkitgtk24x; }; - # While waiting for https://github.com/jwiegley/gitlib/pull/53 to be merged - hlibgit2 = addBuildTool super.hlibgit2 pkgs.git; - # https://github.com/mvoidex/hsdev/issues/11 hsdev = dontHaddock super.hsdev; @@ -270,9 +267,6 @@ self: super: { # Upstream notified by e-mail. permutation = dontCheck super.permutation; - # https://github.com/vincenthz/hs-tls/issues/102 - tls = dontCheck super.tls; - # https://github.com/jputcu/serialport/issues/25 serialport = dontCheck super.serialport; 
@@ -282,9 +276,6 @@ self: super: { # Fails no apparent reason. Upstream has been notified by e-mail. assertions = dontCheck super.assertions; - # https://github.com/vincenthz/tasty-kat/issues/1 - tasty-kat = dontCheck super.tasty-kat; - # These packages try to execute non-existent external programs. cmaes = dontCheck super.cmaes; # http://hydra.cryp.to/build/498725/log/raw dbmigrations = dontCheck super.dbmigrations; @@ -309,7 +300,6 @@ self: super: { test-sandbox = dontCheck super.test-sandbox; users-postgresql-simple = dontCheck super.users-postgresql-simple; wai-middleware-hmac = dontCheck super.wai-middleware-hmac; - wai-middleware-throttle = dontCheck super.wai-middleware-throttle; # https://github.com/creichert/wai-middleware-throttle/issues/1 xkbcommon = dontCheck super.xkbcommon; xmlgen = dontCheck super.xmlgen; hapistrano = dontCheck super.hapistrano; From 9a8a9c43b48afa670273a2276de6d8134297c095 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 19 Apr 2016 12:21:06 +0000 Subject: [PATCH 411/507] haskellPackages.pango: turn off fortify hardening --- pkgs/development/haskell-modules/configuration-common.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 2e4b53d415bc..1cbda56844b6 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -43,9 +43,14 @@ self: super: { options = dontCheck super.options; statistics = dontCheck super.statistics; c2hs = dontCheck super.c2hs; + + # fix errors caused by hardening flags epanet-haskell = super.epanet-haskell.overrideDerivation (drv: { hardeningDisable = [ "format" ]; }); + pango = super.pango.overrideDerivation (drv: { + hardeningDisable = [ "fortify" ]; + }); # Use the default version of mysql to build this package (which is actually mariadb). mysql = super.mysql.override { mysql = pkgs.mysql.lib; }; 
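Review bot: `super.pango.overrideDerivation (drv: { hardeningDisable = [ "fortify" ]; })` uses a different override form from the glib/gio/gtk entries elsewhere in this file, which go through `pkgs.lib.overrideDerivation`; both work, but one helper would keep the growing list of hardening exceptions uniform and easy to audit. A small `disableHardening = flags: drv: drv.overrideDerivation (_: { hardeningDisable = flags; });` near the top of this file would let each entry read `pango = disableHardening [ "fortify" ] super.pango;`. The new section comment `# fix errors caused by hardening flags` should also state what the error is, since why fortify fails for these bindings is not self-explanatory.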
From 0fdde5efd08c036fe9d73b4e65f2ba9797053d0f Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 19 Apr 2016 12:33:01 +0000 Subject: [PATCH 412/507] rowhammer-test.isi686-linux: no Werror for format --- pkgs/tools/system/rowhammer-test/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/system/rowhammer-test/default.nix b/pkgs/tools/system/rowhammer-test/default.nix index 728b15bb2988..226ec4351ea4 100644 --- a/pkgs/tools/system/rowhammer-test/default.nix +++ b/pkgs/tools/system/rowhammer-test/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { sha256 = "1fbfcnm5gjish47wdvikcsgzlb5vnlfqlzzm6mwiw2j5qkq0914i"; }; + NIX_CFLAGS_COMPILE = stdenv.lib.optional stdenv.isi686 "-Wno-error=format"; + buildPhase = "sh -e make.sh"; installPhase = '' From 9fbc20e2f89bc045efac7ade41949a2c2d571dec Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 3 May 2016 00:13:15 +0000 Subject: [PATCH 413/507] fix merge (webdsl removal) --- pkgs/top-level/all-packages.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index e2753f197337..01728916fce3 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5203,8 +5203,6 @@ in vs90wrapper = callPackage ../development/compilers/vs90wrapper { }; - webdsl = callPackage ../development/compilers/webdsl { }; - wla-dx = callPackage ../development/compilers/wla-dx { }; wrapCCWith = ccWrapper: libc: extraBuildCommands: baseCC: ccWrapper { From 527a605ad7313bb336b280ed0aae51b434b51389 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 9 May 2016 22:06:58 +0000 Subject: [PATCH 414/507] dar: disable format hardening --- pkgs/tools/archivers/dar/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/archivers/dar/default.nix b/pkgs/tools/archivers/dar/default.nix index 92a81f9e5d67..b64b6e4ca0a2 100644 --- a/pkgs/tools/archivers/dar/default.nix +++ b/pkgs/tools/archivers/dar/default.nix 
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "format" ]; + meta = { homepage = http://dar.linux.free.fr/; description = "Disk ARchiver, allows backing up files into indexed archives"; From eb6809eafd114404327b1b04133c7caaa7283b76 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 9 May 2016 22:09:22 +0000 Subject: [PATCH 415/507] emacs25pre: disable format hardening --- pkgs/applications/editors/emacs-25/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/editors/emacs-25/default.nix b/pkgs/applications/editors/emacs-25/default.nix index 019015785e64..e591a48781a0 100644 --- a/pkgs/applications/editors/emacs-25/default.nix +++ b/pkgs/applications/editors/emacs-25/default.nix @@ -53,6 +53,8 @@ stdenv.mkDerivation rec { propagatedBuildInputs = stdenv.lib.optionals stdenv.isDarwin [ AppKit GSS ImageIO ]; + hardeningDisable = [ "format" ]; + configureFlags = if stdenv.isDarwin then [ "--with-ns" "--disable-ns-self-contained" ] From 365379857fb561df949fc841e80458e317a1d682 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 9 May 2016 22:21:57 +0000 Subject: [PATCH 416/507] gcl: disable bindnow hardening --- pkgs/development/compilers/gcl/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/compilers/gcl/default.nix b/pkgs/development/compilers/gcl/default.nix index cf25f989c7c4..0e4d5bed0514 100644 --- a/pkgs/development/compilers/gcl/default.nix +++ b/pkgs/development/compilers/gcl/default.nix @@ -32,7 +32,7 @@ stdenv.mkDerivation rec { "--enable-ansi" ]; - hardeningDisable = [ "pic" ]; + hardeningDisable = [ "pic" "bindnow" ]; NIX_CFLAGS_COMPILE = "-fgnu89-inline"; From 2382084e3b526c1d76ceaa1a2ac60df377fb3c80 Mon Sep 17 00:00:00 2001 
From: Robin Gloster Date: Tue, 31 May 2016 12:22:17 +0000 Subject: [PATCH 417/507] haskellPackages.gtk{,3}: disable fortify hardening --- pkgs/development/haskell-modules/configuration-common.nix | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index 7a9c28e516c5..47862bd7513c 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -246,8 +246,12 @@ self: super: { glib = pkgs.lib.overrideDerivation (addPkgconfigDepend super.glib pkgs.glib) (drv: { hardeningDisable = [ "fortify" ]; }); - gtk3 = super.gtk3.override { inherit (pkgs) gtk3; }; - gtk = addPkgconfigDepend super.gtk pkgs.gtk; + gtk3 = pkgs.lib.overrideDerivation (super.gtk3.override { inherit (pkgs) gtk3; }) (drv: { + hardeningDisable = [ "fortify" ]; + }); + gtk = pkgs.lib.overrideDerivation (addPkgconfigDepend super.gtk pkgs.gtk) (drv: { + hardeningDisable = [ "fortify" ]; + }); gtksourceview2 = (addPkgconfigDepend super.gtksourceview2 pkgs.gtk2).override { inherit (pkgs.gnome2) gtksourceview; }; gtksourceview3 = super.gtksourceview3.override { inherit (pkgs.gnome3) gtksourceview; }; From a78316ce4785b9791a2103c1f4c8dfd95abf290c Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 31 May 2016 12:28:59 +0000 Subject: [PATCH 418/507] milu: disable format hardening --- pkgs/applications/misc/milu/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/misc/milu/default.nix b/pkgs/applications/misc/milu/default.nix index 8b7fb6787d76..b8ccbe77cf5b 100644 --- a/pkgs/applications/misc/milu/default.nix +++ b/pkgs/applications/misc/milu/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { owner = "yuejia"; }; + hardeningDisable = [ "format" ]; + preConfigure = '' sed -i 's#/usr/bin/##g' Makefile sed -i "s#-lclang#-L$(clang --print-search-dirs | 
From 878e24b35a40fcc9c294a31ed0ab0336db914635 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 31 May 2016 12:35:54 +0000 Subject: [PATCH 419/507] linuxPackages.dpdk: disable pic hardening --- pkgs/os-specific/linux/dpdk/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/dpdk/default.nix b/pkgs/os-specific/linux/dpdk/default.nix index 479188b365f2..81b3874cb2c9 100644 --- a/pkgs/os-specific/linux/dpdk/default.nix +++ b/pkgs/os-specific/linux/dpdk/default.nix @@ -20,6 +20,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; outputs = [ "out" "examples" ]; + hardeningDisable = [ "pic" ]; + buildPhase = '' make T=x86_64-native-linuxapp-gcc config make T=x86_64-native-linuxapp-gcc install From e7be1168ba1211b6196c0f2597ddbb7d02323370 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 31 May 2016 12:57:28 +0000 Subject: [PATCH 420/507] picat: disable format hardening --- pkgs/development/compilers/picat/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/compilers/picat/default.nix b/pkgs/development/compilers/picat/default.nix index 7f2f6158dd89..e86f3869e49a 100644 --- a/pkgs/development/compilers/picat/default.nix +++ b/pkgs/development/compilers/picat/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation { else if stdenv.system == "x86_64-linux" then "linux64" else throw "Unsupported system"; + hardeningDisable = [ "format" ]; + buildPhase = '' cd emu make -f Makefile.picat.$ARCH From 8f1e9d91bebe456beb31484eb9c76a21b8ccf906 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 31 May 2016 12:57:57 +0000 Subject: [PATCH 421/507] subtitleeditor: disable format hardening --- pkgs/applications/video/subtitleeditor/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/video/subtitleeditor/default.nix b/pkgs/applications/video/subtitleeditor/default.nix index c9655e2a4f27..e3cd242bd73c 100644 --- a/pkgs/applications/video/subtitleeditor/default.nix 
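Review bot: `hardeningDisable = [ "pic" ]` applies to the entire dpdk build, so the userspace libraries and the `examples` output lose `-fPIC` along with the kernel modules that are presumably what actually fails; any shared objects produced this way carry text relocations and cannot be cleanly linked into PIE programs. If only the module build breaks, keep PIC for the userspace targets (for instance by passing the flag to the module make target alone, or letting the kernel's own CFLAGS win as the kernel derivation in this series does). Document the failing target next to the line, `hardeningDisable = [ "pic" ]; # <failing make target> rejects -fPIC`.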
+++ b/pkgs/applications/video/subtitleeditor/default.nix @@ -41,6 +41,8 @@ stdenv.mkDerivation rec { doCheck = true; + hardeningDisable = [ "format" ]; + patches = [ ./subtitleeditor-0.52.1-build-fix.patch ]; preConfigure = '' From 2a5e64b69c83592caf900cb0b7213235e96368de Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Tue, 31 May 2016 12:58:10 +0000 Subject: [PATCH 422/507] maude: disable stackprotector hardening segfaults during tests --- pkgs/development/interpreters/maude/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/interpreters/maude/default.nix b/pkgs/development/interpreters/maude/default.nix index 3473a11e8198..e5281c48f93e 100644 --- a/pkgs/development/interpreters/maude/default.nix +++ b/pkgs/development/interpreters/maude/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { buildInputs = [flex bison ncurses buddy tecla gmpxx libsigsegv makeWrapper]; + hardeningDisable = [ "stackprotector" ]; + preConfigure = '' configureFlagsArray=( --datadir=$out/share/maude From 851446e26ecfda12be4fbda6809eec8b62e854c2 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 11 Jun 2016 10:07:46 +0000 Subject: [PATCH 423/507] fix merge failure --- pkgs/top-level/all-packages.nix | 2 -- pkgs/top-level/rust-packages.nix | 6 +++--- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index b1d710992476..b3a85bc1590a 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -935,8 +935,6 @@ in UnicodeCollate UnicodeLineBreak URI XMLLibXMLSimple XMLLibXSLT XMLWriter; }; - bittornado = callPackage ../tools/networking/p2p/bit-tornado { }; - bibtextools = callPackage ../tools/typesetting/bibtex-tools { inherit (strategoPackages016) strategoxt sdf; }; diff --git a/pkgs/top-level/rust-packages.nix b/pkgs/top-level/rust-packages.nix index 31eb3007daae..26513a6b8622 100644 --- a/pkgs/top-level/rust-packages.nix 
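Review bot: The commit says maude gets `hardeningDisable = [ "stackprotector" ]` because it "segfaults during tests", but a canary violation normally aborts with a stack-smashing message rather than segfaulting, so a crash that appears only with SSP on usually points to a memory error in maude or its bundled libraries that the canary layout merely exposes. Disabling the canary hides the symptom and leaves that bug in the shipped interpreter; keeping SSP and skipping the failing test, or reproducing under a sanitizer and reporting upstream, loses less. Please put the reason and a tracking reference in the file, `# stackprotector: tests segfault with SSP enabled, see <issue>`, not only in the commit message.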
+++ b/pkgs/top-level/rust-packages.nix @@ -7,15 +7,15 @@ { runCommand, fetchFromGitHub, git }: let - version = "2016-05-28"; - rev = "eb354be1bc4c368e4ed885bd126f625f371b4bfa"; + version = "2016-06-10"; + rev = "18a44fdb7bd193c4cf62a0f3a9b807daf8620546"; src = fetchFromGitHub { inherit rev; owner = "rust-lang"; repo = "crates.io-index"; - sha256 = "1scbfraj2cgpi5q1bkhhj18jv58hkyl9pms8qnx3fvxs6yq68ba9"; + sha256 = "0jrawwdw1znw7z4hxivlssc3g90h05f3zmwm10ap4qhjpy4rrc1z"; }; in From 56b56c21384980ce4d83f4a5b3bcd3cedf759bdc Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 13 Jun 2016 11:06:15 +0000 Subject: [PATCH 424/507] fix merge failure (2) --- pkgs/top-level/all-packages.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index b3a85bc1590a..4a1f70889e6e 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -935,10 +935,6 @@ in UnicodeCollate UnicodeLineBreak URI XMLLibXMLSimple XMLLibXSLT XMLWriter; }; - bibtextools = callPackage ../tools/typesetting/bibtex-tools { - inherit (strategoPackages016) strategoxt sdf; - }; - blueman = callPackage ../tools/bluetooth/blueman { inherit (gnome3) dconf gsettings_desktop_schemas; withPulseAudio = config.pulseaudio or true; From 99cc3fa6cad876a4bddb0fb33e0835570206f4ea Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Tue, 31 May 2016 18:05:12 +0200 Subject: [PATCH 425/507] systemd: Disable stackprotector hardening flag --- pkgs/os-specific/linux/systemd/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index 0ba6c431c9f7..748f180fe376 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix 
@@ -82,6 +82,8 @@ stdenv.mkDerivation rec {
 "--with-rc-local-script-path-stop=/etc/halt.local" ] ++ (if enableKDbus then [ "--enable-kdbus" ] else [ "--disable-kdbus" ]);
+ hardeningDisable = [ "stackprotector" ];
+
 preConfigure = ''
 ./autogen.sh
From 06ed2353479098d6ecd4ef49f4aeb6315aee3109 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Tue, 14 Jun 2016 11:45:47 +0000
Subject: [PATCH 426/507] gcc6: disable format hardening flag
---
 pkgs/development/compilers/gcc/6/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/compilers/gcc/6/default.nix b/pkgs/development/compilers/gcc/6/default.nix
index 6ca0f2f59f44..5a9e615645ef 100644
--- a/pkgs/development/compilers/gcc/6/default.nix
+++ b/pkgs/development/compilers/gcc/6/default.nix
@@ -223,6 +223,8 @@ stdenv.mkDerivation ({
 libc_dev = stdenv.cc.libc_dev;
+ hardeningDisable = [ "format" ];
+
 postPatch = if (stdenv.isGNU || (libcCross != null # e.g., building `gcc.crossDrv'
From 2fa03127c8cff7d6170a8859b1aa70ba37c7ec48 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Tue, 14 Jun 2016 11:46:09 +0000
Subject: [PATCH 427/507] libdwg: disable format hardening flag
---
 pkgs/development/libraries/libdwg/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/libraries/libdwg/default.nix b/pkgs/development/libraries/libdwg/default.nix
index 8ffa1ff81924..2ee4e1fdb68e 100644
--- a/pkgs/development/libraries/libdwg/default.nix
+++ b/pkgs/development/libraries/libdwg/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 nativeBuildInputs = [ indent ];
+ hardeningDisable = [ "format" ];
+
 meta = {
 description = "library reading dwg files";
 homepage = http://libdwg.sourceforge.net/en/;
From d9e5fd3b07ec836ed394356b596fe3a7ee7509d3 Mon Sep 17 00:00:00 2001
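Review bot: `hardeningDisable = [ "stackprotector" ]` for systemd comes with no rationale in the message or the file, and systemd is exactly where stack canaries pay off: PID 1 and its helpers parse unit files, socket and D-Bus input and network data as root. If a specific compile or link failure forces this, record it at the attribute, e.g. `# stackprotector: build fails with <error placeholder> under -fstack-protector-strong; revisit on next bump`, and prefer a targeted fix (a patch, or the flag dropped only for the offending object) over a package-wide disable. The enclosing derivation starts before the hunk.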
From: Robin Gloster
Date: Sat, 18 Jun 2016 11:49:54 +0000
Subject: [PATCH 428/507] gnome3_20.nautilus: disable format hardening flag
---
 pkgs/desktops/gnome-3/3.20/core/nautilus/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/desktops/gnome-3/3.20/core/nautilus/default.nix b/pkgs/desktops/gnome-3/3.20/core/nautilus/default.nix
index 67229487085e..4cb0b7fb35ca 100644
--- a/pkgs/desktops/gnome-3/3.20/core/nautilus/default.nix
+++ b/pkgs/desktops/gnome-3/3.20/core/nautilus/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 gnome3.gnome_desktop gnome3.adwaita-icon-theme gnome3.gsettings_desktop_schemas gnome3.dconf libnotify tracker libselinux ];
+ hardeningDisable = [ "format" ];
+
 patches = [ ./extension_dir.patch ];
 meta = with stdenv.lib; {
From 07615735077db344539eb9131823600593f0eddf Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Sat, 18 Jun 2016 11:50:23 +0000
Subject: [PATCH 429/507] gnome3_20.libgda: disable format hardening flag
---
 pkgs/desktops/gnome-3/3.20/misc/libgda/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/desktops/gnome-3/3.20/misc/libgda/default.nix b/pkgs/desktops/gnome-3/3.20/misc/libgda/default.nix
index 75c45634636c..2e5b0a4af840 100644
--- a/pkgs/desktops/gnome-3/3.20/misc/libgda/default.nix
+++ b/pkgs/desktops/gnome-3/3.20/misc/libgda/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
 enableParallelBuilding = true;
+ hardeningDisable = [ "format" ];
+
 buildInputs = [ pkgconfig intltool itstool libxml2 gtk3 openssl ];
 meta = with stdenv.lib; {
From f597e97236c9aad0470cc4744353e3e4c4c217b0 Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Wed, 13 Jul 2016 19:27:26 +0200
Subject: [PATCH 430/507] atlas: Fix hardening
---
 pkgs/development/libraries/science/math/atlas/default.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkgs/development/libraries/science/math/atlas/default.nix b/pkgs/development/libraries/science/math/atlas/default.nix
index db8aff49c002..6ff7e387ec1f 100644
--- a/pkgs/development/libraries/science/math/atlas/default.nix
+++ b/pkgs/development/libraries/science/math/atlas/default.nix
@@ -66,6 +66,8 @@ stdenv.mkDerivation {
 patches = optional tolerateCpuTimingInaccuracy ./disable-timing-accuracy-check.patch
 ++ optional stdenv.isDarwin ./tmpdir.patch;
+ hardeningDisable = [ "format" ];
+
 # Configure outside of the source directory.
 preConfigure = ''
 mkdir build
@@ -76,7 +78,6 @@ stdenv.mkDerivation {
 # * -t 0 disables use of multi-threading. It's not quite clear what the
 # consequences of that setting are and whether it's necessary or not.
 configureFlags = [
- "-Fa alg"
 "-t ${threads}"
 cpuConfig
 ] ++ optional shared "--shared"
From 04d873a626c93d9d0dbd21a6f4989194dc0fc61e Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Sat, 16 Jul 2016 21:34:13 +0000
Subject: [PATCH 431/507] osx-private-sdk: Fix hash
---
 pkgs/os-specific/darwin/osx-private-sdk/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/os-specific/darwin/osx-private-sdk/default.nix b/pkgs/os-specific/darwin/osx-private-sdk/default.nix
index 1b8f37fdb8d1..ae8dc52a4029 100644
--- a/pkgs/os-specific/darwin/osx-private-sdk/default.nix
+++ b/pkgs/os-specific/darwin/osx-private-sdk/default.nix
@@ -3,5 +3,5 @@
 fetchgit {
 url = "https://github.com/samdmarshall/OSXPrivateSDK.git";
 rev = "f4d52b60e86b496abfaffa119a7d299562d99783";
- sha256 = "0v1l11fqpqnzd5l2vq5c63jm1vrba56r06zpqnag87j5p1gic8lp";
+ sha256 = "0bv0884yxpvk2ishxj8gdy1w6wb0gwfq55q5qjp0s8z0z7f63zqh";
 }
From cc540843fe88a5e490e07e861f8dbb8f4714ece7 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Thu, 21 Jul 2016 00:01:20 +0000
Subject: [PATCH 432/507] linuxPackages.wireguard: disable pic
---
 pkgs/os-specific/linux/wireguard/default.nix | 2 ++
 1 file changed, 2 insertions(+)
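Review bot: `"-Fa alg"` is removed from `configureFlags` in the second atlas hunk without a word in the message or in the comment block that explains every other flag; if it had to go to make the hardened wrapper's flags take effect (the subject only says "Fix hardening"), record that, e.g. `# -Fa alg dropped: <reason placeholder>` above `configureFlags`. As far as I recall `-Fa alg` is ATLAS's switch for appending flags to all of its compilers, so dropping it may change which flags reach the generated kernels; I cannot confirm that from the hunk, so this is a documentation request rather than a correctness claim. The `configureFlags` list continues past the hunk.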
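Review bot: The `sha256` of a `fetchgit` source changes while `rev` stays pinned at the same commit, and the message only says "Fix hash"; for a pinned source that is exactly the case a reviewer wants explained, because a fetcher output-format change, a submodule change and an upstream history rewrite all look identical from the hash alone. Please state the cause in the message or beside the attribute, e.g. `# hash changed because <cause placeholder>; rev unchanged`, so the pin stays auditable.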
diff --git a/pkgs/os-specific/linux/wireguard/default.nix b/pkgs/os-specific/linux/wireguard/default.nix
index 3e5f6ae74800..c023e4f3d6db 100644
--- a/pkgs/os-specific/linux/wireguard/default.nix
+++ b/pkgs/os-specific/linux/wireguard/default.nix
@@ -26,6 +26,8 @@ let
 sed -i '/depmod/,+1d' Makefile
 '';
+ hardeningDisable = [ "pic" ];
+
 KERNELDIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
 INSTALL_MOD_PATH = "\${out}";
From 43ba8d295f414ab985bd3fc5d5125421bd8bd0ad Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Sun, 31 Jul 2016 20:28:29 +0000
Subject: [PATCH 433/507] nvidia-x11: disable pic/format hardening
---
 pkgs/os-specific/linux/nvidia-x11/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/os-specific/linux/nvidia-x11/default.nix b/pkgs/os-specific/linux/nvidia-x11/default.nix
index e3be760700bc..30a3a912d43b 100644
--- a/pkgs/os-specific/linux/nvidia-x11/default.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/default.nix
@@ -55,6 +55,8 @@ stdenv.mkDerivation {
 buildInputs = [ perl nukeReferences ];
+ hardeningDisable = [ "pic" "format" ];
+
 disallowedReferences = if libsOnly then [] else [ kernel.dev ];
 meta = with stdenv.lib.meta; {
From 68a953cdc3f61fd99ebf01734537b2659154826d Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Thu, 28 Jul 2016 03:50:29 +0200
Subject: [PATCH 434/507] nedit: disable format hardening
---
 pkgs/applications/editors/nedit/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/applications/editors/nedit/default.nix b/pkgs/applications/editors/nedit/default.nix
index 14220956698c..e59214395e4e 100644
--- a/pkgs/applications/editors/nedit/default.nix
+++ b/pkgs/applications/editors/nedit/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 sha256 = "1v8y8vwj3kn91crsddqkz843y6csgw7wkjnd3zdcb4bcrf1pjrsk";
 };
+ hardeningDisable = [ "format" ];
+
 buildInputs = [ xlibsWrapper motif libXpm ];
 buildFlags = if stdenv.isLinux then "linux" else "";
From 1005f464dd37cc35a4cc476a4ce4280df53d5671 Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Thu, 28 Jul 2016 03:42:58 +0200
Subject: [PATCH 435/507] xpdf: disable format hardening
---
 pkgs/applications/misc/xpdf/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/applications/misc/xpdf/default.nix b/pkgs/applications/misc/xpdf/default.nix
index a7d288162e39..739f1f0a9754 100644
--- a/pkgs/applications/misc/xpdf/default.nix
+++ b/pkgs/applications/misc/xpdf/default.nix
@@ -25,6 +25,8 @@ stdenv.mkDerivation {
 # Debian uses '-fpermissive' to bypass some errors on char* constantness.
 CXXFLAGS = "-O2 -fpermissive";
+ hardeningDisable = [ "format" ];
+
 configureFlags = "--enable-a4-paper";
 postInstall = stdenv.lib.optionalString (base14Fonts != null) ''
From 44b24cc6510f6e9031880c8d20782cb0afccd7c2 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Tue, 2 Aug 2016 15:04:52 +0000
Subject: [PATCH 436/507] motif: disable format hardening
---
 pkgs/development/libraries/motif/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/libraries/motif/default.nix b/pkgs/development/libraries/motif/default.nix
index 9d50fb3d3d19..4d9f1d56b3ec 100644
--- a/pkgs/development/libraries/motif/default.nix
+++ b/pkgs/development/libraries/motif/default.nix
@@ -26,6 +26,8 @@ stdenv.mkDerivation rec {
 propagatedBuildInputs = [ libXp libXau ];
+ hardeningDisable = [ "format" ];
+
 makeFlags = [ "CFLAGS=-fno-strict-aliasing" ];
 patchPhase = ''
From 15b8491af31c7bb2e9ae0a78a097f8f34fcb7198 Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Tue, 2 Aug 2016 17:38:25 +0200
Subject: [PATCH 437/507] seabios: disable fortify hardening
---
 pkgs/applications/virtualization/seabios/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/applications/virtualization/seabios/default.nix b/pkgs/applications/virtualization/seabios/default.nix
index 82ed4b7fe768..852121b18365 100644
--- a/pkgs/applications/virtualization/seabios/default.nix
+++ b/pkgs/applications/virtualization/seabios/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
 buildInputs = [ iasl python ];
- hardeningDisable = [ "pic" "stackprotector" ];
+ hardeningDisable = [ "pic" "stackprotector" "fortify" ];
 configurePhase = ''
 # build SeaBIOS for CSM
From cbc8fc239a79d35722eadb5e99d4b5f816710807 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Tue, 2 Aug 2016 15:30:36 +0000
Subject: [PATCH 438/507] zgv: disable format hardening
---
 pkgs/applications/graphics/zgv/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/applications/graphics/zgv/default.nix b/pkgs/applications/graphics/zgv/default.nix
index 46d3e117d0e7..e06b76e35b12 100644
--- a/pkgs/applications/graphics/zgv/default.nix
+++ b/pkgs/applications/graphics/zgv/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 buildInputs = [ SDL SDL_image pkgconfig libjpeg libpng libtiff ];
+ hardeningDisable = [ "format" ];
+
 makeFlags = [ "BACKEND=SDL" ];
From b9152cf5a09a495666b05c4e6e03c34d1ce37223 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Tue, 2 Aug 2016 15:30:50 +0000
Subject: [PATCH 439/507] yabar: disable format hardening
---
 pkgs/applications/window-managers/yabar/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/applications/window-managers/yabar/default.nix b/pkgs/applications/window-managers/yabar/default.nix
index 2f4a7f0e06c5..c199cf6c01b0 100644
--- a/pkgs/applications/window-managers/yabar/default.nix
+++ b/pkgs/applications/window-managers/yabar/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
 buildInputs = [ cairo gdk_pixbuf libconfig pango pkgconfig xcbutilwm ];
+ hardeningDisable = [ "format" ];
+
 postPatch = ''
 substituteInPlace ./Makefile --replace "\$(shell git describe)" "${version}"
 '';
From c0830c1764de07fe8c18ac9b112e1081afcae4b9 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Tue, 2 Aug 2016 15:31:03 +0000
Subject: [PATCH 440/507] wasm: disable format hardening
---
 pkgs/development/interpreters/wasm/default.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pkgs/development/interpreters/wasm/default.nix b/pkgs/development/interpreters/wasm/default.nix
index 56eebbf89a2e..9a30ae7d8a85 100644
--- a/pkgs/development/interpreters/wasm/default.nix
+++ b/pkgs/development/interpreters/wasm/default.nix
@@ -17,6 +17,9 @@ let
 buildInputs = [ cmake clang python ];
 buildPhase = "make clang-debug-no-tests";
+
+ hardeningDisable = [ "format" ];
+
 installPhase = ''
 mkdir -p $out/bin
 cp out/clang/Debug/no-tests/sexpr-wasm $out/bin
From 0eb6023d9c0d399595d1568a6af038d62bf7354a Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Tue, 2 Aug 2016 15:31:10 +0000
Subject: [PATCH 441/507] libjson_rpc_cpp: disable format hardening
---
 pkgs/development/libraries/libjson-rpc-cpp/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/libraries/libjson-rpc-cpp/default.nix b/pkgs/development/libraries/libjson-rpc-cpp/default.nix
index 2cfede1eb6e3..ca60f1570bc4 100644
--- a/pkgs/development/libraries/libjson-rpc-cpp/default.nix
+++ b/pkgs/development/libraries/libjson-rpc-cpp/default.nix
@@ -18,6 +18,8 @@ stdenv.mkDerivation rec {
 rev = "c6e3d7195060774bf95afc6df9c9588922076d3e";
 };
+ hardeningDisable = [ "format" ];
+
 patchPhase = ''
 for f in cmake/FindArgtable.cmake \
 src/stubgenerator/stubgenerator.cpp \
From b0d748e244df6c977b2a1db3873ffdc271e59615 Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Tue, 2 Aug 2016 17:49:08 +0200
Subject: [PATCH 442/507] bitkeeper: disable fortify hardening
---
 pkgs/applications/version-management/bitkeeper/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/applications/version-management/bitkeeper/default.nix b/pkgs/applications/version-management/bitkeeper/default.nix
index 760832924822..e5937977994e 100644
--- a/pkgs/applications/version-management/bitkeeper/default.nix
+++ b/pkgs/applications/version-management/bitkeeper/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 sha256 = "0lk4vydpq5bi52m81h327gvzdzybf8kkak7yjwmpj6kg1jn9blaz";
 };
+ hardeningDisable = [ "fortify" ];
+
 enableParallelBuilding = true;
 buildInputs = [
From f2a66d4c16d19e671dc0a39956c08de2852e42a3 Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Tue, 2 Aug 2016 17:52:51 +0200
Subject: [PATCH 443/507] criu: fix merge fail d020caa5b2eca90ea051403fbb4c52b99ee071b9 vs. e3d0fe898bb0451b2485ccc0be42354614f4fba3
---
 pkgs/os-specific/linux/criu/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/os-specific/linux/criu/default.nix b/pkgs/os-specific/linux/criu/default.nix
index fb25ef27378a..efca4c7bbb5b 100644
--- a/pkgs/os-specific/linux/criu/default.nix
+++ b/pkgs/os-specific/linux/criu/default.nix
@@ -24,7 +24,7 @@ stdenv.mkDerivation rec {
 ln -sf ${protobuf}/include/google/protobuf/descriptor.proto ./images/google/protobuf/descriptor.proto
 '';
- configurePhase = "make config PREFIX=$out";
+ buildPhase = "make PREFIX=$out";
 makeFlags = "PREFIX=$(out)";
From 0751027b3155406a4cd61568bc8393f9e34b5fa0 Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Tue, 31 May 2016 16:24:38 +0200
Subject: [PATCH 444/507] wxPython: Disable format hardening
---
 pkgs/development/python-modules/wxPython/3.0.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/python-modules/wxPython/3.0.nix b/pkgs/development/python-modules/wxPython/3.0.nix
index 7c225a95f2a6..5f224428fce4 100644
--- a/pkgs/development/python-modules/wxPython/3.0.nix
+++ b/pkgs/development/python-modules/wxPython/3.0.nix
@@ -23,6 +23,8 @@ buildPythonPackage rec {
 sha256 = "0qfzx3sqx4mwxv99sfybhsij4b5pc03ricl73h4vhkzazgjjjhfm";
 };
+ hardeningDisable = [ "format" ];
+
 propagatedBuildInputs = [ pkgconfig wxGTK (wxGTK.gtk) libX11 ] ++ lib.optional openglSupport pyopengl;
 preConfigure = "cd wxPython";
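Review bot: `hardeningDisable = [ "fortify" ]` removes the `_FORTIFY_SOURCE` bounds checks from the installed bitkeeper binaries, not merely from the build, and neither the message nor the file says what failed; the same undocumented disable appears for tracefilesim (PATCH 447) below. A comment naming the failure, e.g. `# fortify: build aborts with <error placeholder>; retest on next update`, would keep the exception reviewable and let it be dropped once upstream fixes the offending call. The enclosing derivation starts before the hunk.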
From c22c137c6cf3616b30f87028d92eb9d5fca35fec Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Tue, 2 Aug 2016 18:01:21 +0200
Subject: [PATCH 445/507] ruby_2_0: disable format hardening
---
 pkgs/development/interpreters/ruby/default.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/pkgs/development/interpreters/ruby/default.nix b/pkgs/development/interpreters/ruby/default.nix
index 8db9dd4eaf9a..446013faafdc 100644
--- a/pkgs/development/interpreters/ruby/default.nix
+++ b/pkgs/development/interpreters/ruby/default.nix
@@ -22,6 +22,7 @@ let
 then version else versionNoPatch;
 tag = "v" + stdenv.lib.replaceChars ["." "p" "-"] ["_" "_" ""] fullVersionName;
+ isRuby20 = majorVersion == "2" && minorVersion == "0";
 isRuby21 = majorVersion == "2" && minorVersion == "1";
 baseruby = self.override { useRailsExpress = false; };
 self = lib.makeOverridable (
@@ -81,6 +82,8 @@ let
 enableParallelBuilding = true;
+ hardeningDisable = lib.optional isRuby20 [ "format" ];
+
 patches = [ ./gem_hook.patch ] ++ (import ./patchsets.nix {
From fbbd50dbab794c7fcf748f54517596a6a96df96e Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Tue, 2 Aug 2016 18:42:47 +0200
Subject: [PATCH 446/507] unicon-lang: disable fortify hardening
Detects buffer overflow in a tool used at link time.
---
 pkgs/development/interpreters/unicon-lang/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/interpreters/unicon-lang/default.nix b/pkgs/development/interpreters/unicon-lang/default.nix
index 7487aa633131..a6dfec49b2a2 100644
--- a/pkgs/development/interpreters/unicon-lang/default.nix
+++ b/pkgs/development/interpreters/unicon-lang/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
 };
 buildInputs = [ libX11 libXt unzip ];
+ hardeningDisable = [ "fortify" ];
+
 sourceRoot = ".";
 configurePhase = ''
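Review bot: `lib.optional isRuby20 [ "format" ]` in the second ruby hunk wraps its argument in a list, so the attribute evaluates to `[ [ "format" ] ]` rather than `[ "format" ]`; it only does the intended thing if the derivation's string coercion happens to flatten nested lists, which is an accident to rely on. Write `hardeningDisable = lib.optional isRuby20 "format";` (or `lib.optionals isRuby20 [ "format" ]`) so the value is the flat list the stdenv expects. The `self = lib.makeOverridable (` body this sits in starts and ends outside the hunk.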
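Review bot: The unicon-lang message says fortify "detects buffer overflow in a tool used at link time", i.e. the check found a real overflow in a build-time helper, and the fix switches the detector off for the whole package, including the installed interpreter that later processes user programs. If the overflow is confined to that helper, patching it or compiling only that tool without `_FORTIFY_SOURCE` would keep the runtime checks everywhere else; at minimum, record the tool and the failing call next to the attribute, e.g. `# fortify: <tool placeholder> overflows a fixed buffer at link time, see <issue placeholder>`, so the exception is not silently inherited by future versions. The enclosing derivation starts before the hunk.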
From: Franz Pletz
Date: Tue, 2 Aug 2016 19:11:29 +0200
Subject: [PATCH 447/507] tracefilesim: disable fortify hardening
---
 .../tools/analysis/garcosim/tracefilesim/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/tools/analysis/garcosim/tracefilesim/default.nix b/pkgs/development/tools/analysis/garcosim/tracefilesim/default.nix
index 740d51cc1348..7a6f3481d53f 100644
--- a/pkgs/development/tools/analysis/garcosim/tracefilesim/default.nix
+++ b/pkgs/development/tools/analysis/garcosim/tracefilesim/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 sha256 = "156m92k38ap4bzidbr8dzl065rni8lrib71ih88myk9z5y1x5nxm";
 };
+ hardeningDisable = [ "fortify" ];
+
 installPhase = ''
 mkdir --parents "$out/bin"
 cp ./traceFileSim "$out/bin"
From c1f1fd68cc0342ebb55c6ed004f71dffbcbfaa0c Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Tue, 2 Aug 2016 20:02:50 +0200
Subject: [PATCH 448/507] gegl_0_3: disable format hardening, add autoreconfHook
---
 pkgs/development/libraries/gegl/3.0.nix | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/pkgs/development/libraries/gegl/3.0.nix b/pkgs/development/libraries/gegl/3.0.nix
index 1ca0a2b59257..ab05715feb75 100644
--- a/pkgs/development/libraries/gegl/3.0.nix
+++ b/pkgs/development/libraries/gegl/3.0.nix
@@ -1,5 +1,5 @@
 { stdenv, fetchurl, pkgconfig, glib, babl, libpng, cairo, libjpeg, which
-, librsvg, pango, gtk, bzip2, intltool, libtool, automake, autoconf, json_glib }:
+, librsvg, pango, gtk, bzip2, json_glib, intltool, autoreconfHook }:
 stdenv.mkDerivation rec {
 name = "gegl-0.3.6";
@@ -9,17 +9,18 @@ stdenv.mkDerivation rec {
 sha256 = "08m7dlf2kwmp7jw3qskwxas192swhn1g4jcd8aldg9drfjygprvh";
 };
- configureScript = "./autogen.sh";
+ hardeningDisable = [ "format" ];
 # needs fonts otherwise don't know how to pass them
 configureFlags = "--disable-docs";
- buildInputs = [ babl libpng cairo libjpeg librsvg pango gtk bzip2 intltool
- autoconf automake libtool which json_glib ];
+ buildInputs = [
+ babl libpng cairo libjpeg librsvg pango gtk bzip2 which json_glib intltool
+ ];
- nativeBuildInputs = [ pkgconfig ];
+ nativeBuildInputs = [ pkgconfig autoreconfHook ];
- meta = {
+ meta = {
 description = "Graph-based image processing framework";
 homepage = http://www.gegl.org;
 license = stdenv.lib.licenses.gpl3;
From 98473cdb15d18e5f0b862a72ac7e629a433481fc Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 3 Aug 2016 13:08:05 +0000
Subject: [PATCH 449/507] x42-plugins: fix unpacking
---
 pkgs/applications/audio/x42-plugins/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/applications/audio/x42-plugins/default.nix b/pkgs/applications/audio/x42-plugins/default.nix
index f3a720508103..9ca78ee1a3f4 100644
--- a/pkgs/applications/audio/x42-plugins/default.nix
+++ b/pkgs/applications/audio/x42-plugins/default.nix
@@ -1,5 +1,5 @@
 { stdenv, fetchurl, fetchgit, ftgl, freefont_ttf, libjack2, mesa_glu, pkgconfig
-, libltc, libsndfile, libsamplerate
+, libltc, libsndfile, libsamplerate, xz
 , lv2, mesa, gtk2, cairo, pango, fftwFloat, zita-convolver }:
 stdenv.mkDerivation rec {
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 sha256 = "1ald0c5xbfkdq6g5xwyy8wmbi636m3k3gqrq16kbh46g0kld1as9";
 };
- buildInputs = [ mesa_glu ftgl freefont_ttf libjack2 libltc libsndfile libsamplerate lv2 mesa gtk2 cairo pango fftwFloat pkgconfig zita-convolver];
+ buildInputs = [ xz mesa_glu ftgl freefont_ttf libjack2 libltc libsndfile libsamplerate lv2 mesa gtk2 cairo pango fftwFloat pkgconfig zita-convolver];
 makeFlags = [ "PREFIX=$(out)" "FONTFILE=${freefont_ttf}/share/fonts/truetype/FreeSansBold.ttf" "LIBZITACONVOLVER=${zita-convolver}/include/zita-convolver.h" ];
From 3f9e8601f2a8537de90f04375400538049bbdaf2 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 3 Aug 2016 13:19:52 +0000
Subject: [PATCH 450/507] vxl: remove obsolete patch
---
 pkgs/development/libraries/vxl/default.nix | 2 --
 pkgs/development/libraries/vxl/gcc5.patch | 15 ---------------
 2 files changed, 17 deletions(-)
 delete mode 100644 pkgs/development/libraries/vxl/gcc5.patch
diff --git a/pkgs/development/libraries/vxl/default.nix b/pkgs/development/libraries/vxl/default.nix
index faed2052fa5f..b9f3c0e64d6c 100644
--- a/pkgs/development/libraries/vxl/default.nix
+++ b/pkgs/development/libraries/vxl/default.nix
@@ -22,8 +22,6 @@ stdenv.mkDerivation {
 enableParallelBuilding = true;
- patches = [ ./gcc5.patch ];
-
 meta = {
 description = "C++ Libraries for Computer Vision Research and Implementation";
 homepage = http://vxl.sourceforge.net/;
diff --git a/pkgs/development/libraries/vxl/gcc5.patch b/pkgs/development/libraries/vxl/gcc5.patch
deleted file mode 100644
index 4660f9e8f483..000000000000
--- a/pkgs/development/libraries/vxl/gcc5.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20150216/1511118.html
-
---- vxl-git4e07960/vcl/vcl_compiler.h~ 2012-11-02 12:08:21.000000000 +0100
-+++ vxl-git4e07960/vcl/vcl_compiler.h 2015-02-15 13:50:46.376329878 +0100
-@@ -119,6 +119,10 @@
- # else
- # define VCL_GCC_40
- # endif
-+# elif (__GNUC__== 5)
-+// pretend GCC 5 to be GCC 4
-+# define VCL_GCC_4
-+# define VCL_GCC_41
- # else
- # error "Dunno about this gcc"
- # endif
From a132aa46d6e817bb6fcb68254a554dc3f5f0ecae Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 3 Aug 2016 20:02:44 +0000
Subject: [PATCH 451/507] gjay: disable format hardening
---
 pkgs/applications/audio/gjay/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/applications/audio/gjay/default.nix b/pkgs/applications/audio/gjay/default.nix
index 93b23b2f763f..7486ec3e081f 100644
--- a/pkgs/applications/audio/gjay/default.nix
+++ b/pkgs/applications/audio/gjay/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation {
 buildInputs = [ mpd_clientlib dbus_glib audacious gtk gsl libaudclient ];
+ hardeningDisable = [ "format" ];
+
 meta = with stdenv.lib; {
 description = "Generates playlists such that each song sounds good following the previous song";
 homepage = http://gjay.sourceforge.net/;
From c95ab0a2d192aae427213e17d79ed83d8cea3fa1 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 3 Aug 2016 20:03:04 +0000
Subject: [PATCH 452/507] gnumake380: disable format hardening
---
 .../development/tools/build-managers/gnumake/3.80/default.nix | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/pkgs/development/tools/build-managers/gnumake/3.80/default.nix b/pkgs/development/tools/build-managers/gnumake/3.80/default.nix
index 9422a74aedda..08dd0acb42be 100644
--- a/pkgs/development/tools/build-managers/gnumake/3.80/default.nix
+++ b/pkgs/development/tools/build-managers/gnumake/3.80/default.nix
@@ -2,12 +2,16 @@ stdenv.mkDerivation {
 name = "gnumake-3.80";
+
 src = fetchurl {
 url = http://tarballs.nixos.org/make-3.80.tar.bz2;
 md5 = "0bbd1df101bc0294d440471e50feca71";
 };
+
 patches = [./log.patch];
+ hardeningDisable = [ "format" ];
+
 meta = {
 platforms = stdenv.lib.platforms.unix;
 };
From 08928dc57a73bf56560a9487e1f398eae34b1436 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 3 Aug 2016 20:03:18 +0000
Subject: [PATCH 453/507] kconfig-frontends: disable format hardening
---
 pkgs/development/tools/misc/kconfig-frontends/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/development/tools/misc/kconfig-frontends/default.nix b/pkgs/development/tools/misc/kconfig-frontends/default.nix
index 13e02fb9272b..8449cf9b6f38 100644
--- a/pkgs/development/tools/misc/kconfig-frontends/default.nix
+++ b/pkgs/development/tools/misc/kconfig-frontends/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 buildInputs = [ bison flex gperf ncurses pkgconfig ];
+ hardeningDisable = [ "format" ];
+
 configureFlags = [ "--enable-frontends=conf,mconf,nconf" ];
From e266c6a2c15668f4de7fc66991fc308c880ae9e3 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 3 Aug 2016 20:03:36 +0000
Subject: [PATCH 454/507] eboard: disable format hardening
---
 pkgs/games/eboard/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/games/eboard/default.nix b/pkgs/games/eboard/default.nix
index 1a99fcd9c24e..7915822589c3 100644
--- a/pkgs/games/eboard/default.nix
+++ b/pkgs/games/eboard/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation {
 buildInputs = [ gtk ];
 nativeBuildInputs = [ perl pkgconfig ];
+ hardeningDisable = [ "format" ];
+
 preConfigure = ''
 patchShebangs ./configure
 '';
From 847f9994e46f2fc959f5db01ec3d4b3f448b5b00 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 3 Aug 2016 20:04:03 +0000
Subject: [PATCH 455/507] gnugo: disable format hardening
---
 pkgs/games/gnugo/default.nix | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/pkgs/games/gnugo/default.nix b/pkgs/games/gnugo/default.nix
index 4e6163d71638..827388691af0 100644
--- a/pkgs/games/gnugo/default.nix
+++ b/pkgs/games/gnugo/default.nix
@@ -1,25 +1,20 @@
 { stdenv, fetchurl }:
-let
-
- versionNumber = "3.8";
-
-in
-
-stdenv.mkDerivation {
-
- name = "gnugo-${versionNumber}";
+stdenv.mkDerivation rec {
+ name = "gnugo-${version}";
+ version = "3.8";
 src = fetchurl {
- url = "mirror://gnu/gnugo/gnugo-${versionNumber}.tar.gz";
+ url = "mirror://gnu/gnugo/gnugo-${version}.tar.gz";
 sha256 = "0wkahvqpzq6lzl5r49a4sd4p52frdmphnqsfdv7gdp24bykdfs6s";
 };
+ hardeningDisable = [ "format" ];
+
 meta = {
 description = "GNU Go - A computer go player";
 homepage = "http://http://www.gnu.org/software/gnugo/";
 license = stdenv.lib.licenses.gpl3;
 platforms = stdenv.lib.platforms.unix;
 };
-
 }
From 7423e029a22b0f451665caf4c2ac82a773736c43 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 3 Aug 2016 20:04:28 +0000
Subject: [PATCH 456/507] convertlit: disable format hardening
---
 pkgs/tools/text/convertlit/default.nix | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/pkgs/tools/text/convertlit/default.nix b/pkgs/tools/text/convertlit/default.nix
index 331fc3fea359..ffc2dc1c4d5c 100644
--- a/pkgs/tools/text/convertlit/default.nix
+++ b/pkgs/tools/text/convertlit/default.nix
@@ -1,22 +1,24 @@
-{stdenv, fetchurl, unzip, libtommath}:
+{stdenv, fetchzip, libtommath}:
 stdenv.mkDerivation {
 name = "convertlit-1.8";
-
- src = fetchurl {
+
+ src = fetchzip {
 url = http://www.convertlit.com/convertlit18src.zip;
- sha256 = "1fjpwncyc2r3ipav7c9m7jxy6i7mphbyqj3gsm046425p7sqa2np";
+ sha256 = "182nsin7qscgbw2h92m0zadh3h8q410h5cza6v486yjfvla3dxjx";
+ stripRoot = false;
 };
- buildInputs = [unzip libtommath];
+ buildInputs = [libtommath];
- sourceRoot = ".";
+ hardeningDisable = [ "format" ];
 buildPhase = ''
 cd lib
 make
 cd ../clit18
- substituteInPlace Makefile --replace ../libtommath-0.30/libtommath.a -ltommath
+ substituteInPlace Makefile \
+ --replace ../libtommath-0.30/libtommath.a -ltommath
 make
 '';
From 708653a6342de33689c853eb3b59c5f85202c0e8 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 3 Aug 2016 20:08:54 +0000
Subject: [PATCH 457/507] kino: disable format hardening
---
 pkgs/applications/video/kino/default.nix | 10 +++------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/pkgs/applications/video/kino/default.nix b/pkgs/applications/video/kino/default.nix
index 2503d78183f3..ea5158270876 100644
--- a/pkgs/applications/video/kino/default.nix
+++ b/pkgs/applications/video/kino/default.nix
@@ -67,14 +67,11 @@ stdenv.mkDerivation {
 pkgconfig perl perlXMLParser libavc1394 libiec61883 intltool libXv gettext libX11 glib cairo ffmpeg libv4l ]; # TODOoptional packages
 configureFlags = "--enable-local-ffmpeg=no";
- #preConfigure = "
- # grep 11 env-vars
- # ex
- #";
+
+ hardeningDisable = [ "format" ];
 patches = [ ./kino-1.3.4-v4l1.patch ./kino-1.3.4-libav-0.7.patch ./kino-1.3.4-libav-0.8.patch ]; #./kino-1.3.4-libavcodec-pkg-config.patch ];
-
 postInstall = "
 rpath=`patchelf --print-rpath \$out/bin/kino`;
 for i in $\buildInputs; do
@@ -86,8 +83,7 @@ stdenv.mkDerivation {
 done ";
-
- meta = {
+ meta = {
 description = "Non-linear DV editor for GNU/Linux";
 homepage = http://www.kinodv.org/;
 license = stdenv.lib.licenses.gpl2;
From bfa5a27ed9f87307f688fdece77a99e79b4bbee8 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 3 Aug 2016 20:13:49 +0000
Subject: [PATCH 458/507] pfixtools: set -Wno-error=unused-result
hardening enables further warnings breaking the build
---
 pkgs/servers/mail/postfix/pfixtools.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkgs/servers/mail/postfix/pfixtools.nix b/pkgs/servers/mail/postfix/pfixtools.nix
index 3e7ef9f23db5..b17beeb095f2 100644
--- a/pkgs/servers/mail/postfix/pfixtools.nix
+++ b/pkgs/servers/mail/postfix/pfixtools.nix
@@ -38,6 +38,8 @@ stdenv.mkDerivation {
 --replace /bin/bash ${bash}/bin/bash;
 '';
+ NIX_CFLAGS_COMPILE = "-Wno-error=unused-result";
+
 makeFlags = "DESTDIR=$(out) prefix=";
 meta = {
From a3a2d52595b4173b51678044702ed68223bd347d Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 3 Aug 2016 20:19:41 +0000
Subject: [PATCH 459/507] rman: disable format hardening
---
 pkgs/development/tools/misc/rman/default.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/pkgs/development/tools/misc/rman/default.nix b/pkgs/development/tools/misc/rman/default.nix
index 01e4b22e5f14..702dabcf3955 100644
--- a/pkgs/development/tools/misc/rman/default.nix
+++ b/pkgs/development/tools/misc/rman/default.nix
@@ -2,16 +2,21 @@ stdenv.mkDerivation {
 name = "rman-3.2";
+
 src = fetchurl {
 url = mirror://sourceforge/polyglotman/3.2/rman-3.2.tar.gz;
 sha256 = "0prdld6nbkdlkcgc2r1zp13h2fh8r0mlwxx423dnc695ddlk18b8";
 };
+
 makeFlags = "BINDIR=$(out)/bin MANDIR=$(out)/share/man";
+
 preInstall = ''
 mkdir -p $out/bin
 mkdir -p $out/share/man
 '';
-
+
+ hardeningDisable = [ "format" ];
+
 meta = {
 description = "Parse formatted man pages and man page source from most flavors of UNIX and converts them to HTML, ASCII, TkMan, DocBook, and other formats";
 license = "artistic";
From 4f6bd094fbee12c469b7049292ce2d2638833048 Mon Sep 17 00:00:00 2001
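Review bot: `NIX_CFLAGS_COMPILE = "-Wno-error=unused-result"` downgrades every `warn_unused_result` diagnostic for the whole pfixtools build (with `_FORTIFY_SOURCE` the glibc headers attach that attribute to calls such as `write`, `read` and `fgets`), yet the file gives no hint that this is a hardening workaround, and the fact that a warning breaks the build at all suggests the project's own Makefile adds `-Werror`, which I cannot confirm from the hunk. A comment such as `# pfixtools builds with -Werror and ignores some fortified return values; keep these as warnings` next to the attribute would explain the setting. Note that the ignored return values are in a mail-filtering daemon, so a short upstream report is worth more than the flag in the long run.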
From: Robin Gloster
Date: Wed, 3 Aug 2016 20:24:53 +0000
Subject: [PATCH 460/507] spidermonkey_1_8_0rc1: disable format hardening
---
 pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix b/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix
index 46dedb36de96..41d37d3e39a0 100644
--- a/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix
+++ b/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix
@@ -13,9 +13,11 @@ stdenv.mkDerivation rec {
 postUnpack = "sourceRoot=\${sourceRoot}/src";
+ hardeningDisable = [ "format" ];
+
 makefileExtra = ./Makefile.extra;
 makefile = "Makefile.ref";
-
+
 patchPhase = ''
 cat ${makefileExtra} >> ${makefile}
From 552a8c421943ce48c4bf964ebbf56f4362493aa4 Mon Sep 17 00:00:00 2001
From: Robin Gloster
Date: Wed, 3 Aug 2016 20:28:05 +0000
Subject: [PATCH 461/507] talkfilters: disable format hardening
---
 pkgs/misc/talkfilters/default.nix | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/pkgs/misc/talkfilters/default.nix b/pkgs/misc/talkfilters/default.nix
index 7447620e71b6..4b3158b7a3d5 100644
--- a/pkgs/misc/talkfilters/default.nix
+++ b/pkgs/misc/talkfilters/default.nix
@@ -1,21 +1,23 @@ { stdenv, fetchurl }: -let - name = "talkfilters"; +let + pname = "talkfilters"; version = "2.3.8"; in stdenv.mkDerivation { - name = "${name}"; + name = "${pname}-${version}"; src = fetchurl { - url = "http://www.hyperrealm.com/${name}/${name}-${version}.tar.gz"; + url = "http://www.hyperrealm.com/${pname}/${pname}-${version}.tar.gz"; sha256 = "19nc5vq4bnkjvhk8srqddzhcs93jyvpm9r6lzjzwc1mgf08yg0a6"; }; - meta = { + hardeningDisable = [ "format" ]; + + meta = { description = "Converts English text into text that mimics a stereotyped or humorous dialect"; - homepage = "http://http://www.hyperrealm.com/${name}"; + homepage = "http://http://www.hyperrealm.com/${pname}"; license = stdenv.lib.licenses.gpl2; maintainers = with stdenv.lib.maintainers; [ ikervagyok ]; platforms = with stdenv.lib.platforms; unix; From 7ab971a25200041e959ba65eb87528e2b116f8b3 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Wed, 3 Aug 2016 20:32:34 +0000 Subject: [PATCH 462/507] scummvm: disable format hardening --- pkgs/games/scummvm/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/games/scummvm/default.nix b/pkgs/games/scummvm/default.nix index a51b51395dbb..91c3114694b7 100644 --- a/pkgs/games/scummvm/default.nix +++ b/pkgs/games/scummvm/default.nix @@ -2,14 +2,16 @@ stdenv.mkDerivation rec { name = "scummvm-1.8.0"; - + src = fetchurl { url = "mirror://sourceforge/scummvm/${name}.tar.bz2"; sha256 = "0f3zgvz886lk9ps0v333aq74vx6grlx68hg14gfaxcvj55g73v01"; }; - + buildInputs = [ SDL zlib libmpeg2 libmad libogg libvorbis flac alsaLib ]; + hardeningDisable = [ "format" ]; + crossAttrs = { preConfigure = '' # Remove the --build flag set by the gcc cross wrapper setup From 46323899bc73a743b87ed16fe764fb038b0e7709 Mon Sep 17 00:00:00 2001 
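Review bot: The rewritten `homepage` line keeps a doubled scheme, `"http://http://www.hyperrealm.com/${pname}"`, so the package metadata points at an invalid URL; since the line is touched anyway it should become `homepage = "http://www.hyperrealm.com/${pname}";`, matching the correct form used on the `url` line above. The new `hardeningDisable = [ "format" ];` also lacks a note on why it is needed; `# upstream uses non-literal printf format strings` would record it.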
From: Robin Gloster Date: Thu, 4 Aug 2016 07:24:24 +0000 Subject: [PATCH 463/507] ctpp2: use default gcc --- pkgs/development/libraries/ctpp2/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/ctpp2/default.nix b/pkgs/development/libraries/ctpp2/default.nix index 00b5f7a8f13c..905121286c81 100644 --- a/pkgs/development/libraries/ctpp2/default.nix +++ b/pkgs/development/libraries/ctpp2/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, cmake, gcc48 }: +{ stdenv, fetchurl, cmake }: stdenv.mkDerivation rec { name = "ctpp2"; @@ -9,7 +9,7 @@ stdenv.mkDerivation rec { sha256 = "1z22zfw9lb86z4hcan9hlvji49c9b7vznh7gjm95gnvsh43zsgx8"; }; - buildInputs = [ cmake gcc48 ]; + buildInputs = [ cmake ]; patchPhase = '' # include to fix undefined getcwd From 7e81a4294d0a9bd11f44c6fa2d8e1a20f54f979b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 4 Aug 2016 07:25:56 +0000 Subject: [PATCH 464/507] dlx: disable format hardening --- pkgs/misc/emulators/dlx/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/misc/emulators/dlx/default.nix b/pkgs/misc/emulators/dlx/default.nix index 01c5f866e1b0..feb474a13765 100644 --- a/pkgs/misc/emulators/dlx/default.nix +++ b/pkgs/misc/emulators/dlx/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation { makeFlags = "LINK=gcc CFLAGS=-O2"; + hardeningDisable = [ "format" ]; + installPhase = '' mkdir -p $out/include/dlx $out/share/dlx/{examples,doc} $out/bin mv -v masm mon dasm $out/bin/ From a748f315db7ef195ae29d868009791fbeef7458b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 4 Aug 2016 07:26:31 +0000 Subject: [PATCH 465/507] fakenes: disable format hardening --- pkgs/misc/emulators/fakenes/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/misc/emulators/fakenes/default.nix b/pkgs/misc/emulators/fakenes/default.nix index 1f986430b81d..6e9253b299e4 100644 --- a/pkgs/misc/emulators/fakenes/default.nix +++ b/pkgs/misc/emulators/fakenes/default.nix 
@@ -11,6 +11,8 @@ stdenv.mkDerivation { buildInputs = [ allegro openal mesa zlib hawknl freeglut libX11 libXxf86vm libXcursor libXpm ]; + hardeningDisable = [ "format" ]; + installPhase = '' mkdir -p $out/bin cp fakenes $out/bin From a2ce15318bc8087903060a03b53639b8537d21d2 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 4 Aug 2016 07:30:30 +0000 Subject: [PATCH 466/507] fondu: disable fortify hardening --- pkgs/tools/misc/fondu/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/tools/misc/fondu/default.nix b/pkgs/tools/misc/fondu/default.nix index 516abfd2eb50..7610bb88f390 100644 --- a/pkgs/tools/misc/fondu/default.nix +++ b/pkgs/tools/misc/fondu/default.nix @@ -3,12 +3,16 @@ stdenv.mkDerivation rec { version = "060102"; name = "fondu-${version}"; + src = fetchurl { url = "http://fondu.sourceforge.net/fondu_src-${version}.tgz"; sha256 = "152prqad9jszjmm4wwqrq83zk13ypsz09n02nrk1gg0fcxfm7fr2"; }; + makeFlags = "DESTDIR=$(out)"; + hardeningDisable = [ "fortify" ]; + meta = { platforms = stdenv.lib.platforms.unix; }; From 56e69fcc0ee9412e80f8ce83a08ad5a8897d5fc4 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 4 Aug 2016 07:40:02 +0000 Subject: [PATCH 467/507] iptraf: disable fortify hardening --- pkgs/applications/networking/iptraf/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/networking/iptraf/default.nix b/pkgs/applications/networking/iptraf/default.nix index 1d67fa3dcf57..d1a0b2d4b029 100644 --- a/pkgs/applications/networking/iptraf/default.nix +++ b/pkgs/applications/networking/iptraf/default.nix @@ -2,12 +2,14 @@ stdenv.mkDerivation rec { name = "iptraf-3.0.1"; - + src = fetchurl { url = ftp://iptraf.seul.org/pub/iptraf/iptraf-3.0.1.tar.gz; sha256 = "12n059j9iihhpf6spmlaspqzxz3wqan6kkpnhmlj08jdijpnk84m"; }; + hardeningDisable = [ "format" ]; + patchPhase = '' sed -i -e 's,#include ,#include ,' src/* ''; 
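Review bot: The commit title says "disable fortify hardening" but the added line is `hardeningDisable = [ "format" ];`, so either the title or the change is wrong; the same mismatch appears in the fontmatrix, libgksu and mmv patches that follow. For iptraf, which parses packets read from the network, and for libgksu, which runs programs with elevated privileges, switching off `-Wformat-security` deserves at least a comment naming the offending call, e.g. `# TODO: non-literal format string in <source file placeholder>; patch it rather than disabling the check`. The second iptraf hunk is whitespace only, and the `stdenv.mkDerivation rec` body extends beyond both hunks.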
@@ -18,7 +20,7 @@ stdenv.mkDerivation rec { mkdir -p $out/bin cp iptraf $out/bin ''; - + buildInputs = [ncurses]; meta = { From e2844fcfc3d0c984a9356fb4cf82ebab8002841e Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 4 Aug 2016 07:40:28 +0000 Subject: [PATCH 468/507] fontmatrix: disable fortify hardening --- pkgs/applications/graphics/fontmatrix/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/applications/graphics/fontmatrix/default.nix b/pkgs/applications/graphics/fontmatrix/default.nix index 14ab9c26d7de..fc30a3559105 100644 --- a/pkgs/applications/graphics/fontmatrix/default.nix +++ b/pkgs/applications/graphics/fontmatrix/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ cmake ]; + hardeningDisable = [ "format" ]; + meta = { description = "Fontmatrix is a free/libre font explorer for Linux, Windows and Mac"; homepage = http://fontmatrix.be/; From 3bff87331422d8a9cbad920b91e60c2681b4dc8b Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 4 Aug 2016 07:44:43 +0000 Subject: [PATCH 469/507] libgksu: disable fortify hardening --- pkgs/development/libraries/libgksu/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/libraries/libgksu/default.nix b/pkgs/development/libraries/libgksu/default.nix index 90d1b21cd3f0..b86eba685bbb 100644 --- a/pkgs/development/libraries/libgksu/default.nix +++ b/pkgs/development/libraries/libgksu/default.nix @@ -24,6 +24,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "format" ]; + patches = [ # Patches from the gentoo ebuild From 78fc5dde2888279475bb5ccdfd2e9a065a870036 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 4 Aug 2016 07:47:05 +0000 Subject: [PATCH 470/507] mmv: disable fortify hardening --- pkgs/tools/misc/mmv/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/mmv/default.nix b/pkgs/tools/misc/mmv/default.nix index ed2f54d693d0..417583ecc9eb 100644 
--- a/pkgs/tools/misc/mmv/default.nix +++ b/pkgs/tools/misc/mmv/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "0399c027ea1e51fd607266c1e33573866d4db89f64a74be8b4a1d2d1ff1fdeef"; }; + hardeningDisable = [ "format" ]; + patches = [ # Use Debian patched version, as upstream is no longer maintained and it # contains a _lot_ of fixes. From dd7e09114f155e4e142792e80a4195901c398251 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Thu, 4 Aug 2016 07:21:15 +0000 Subject: [PATCH 471/507] bip: set -Wno-error=unused-result, remove --disable-pie --- pkgs/applications/networking/irc/bip/default.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/pkgs/applications/networking/irc/bip/default.nix b/pkgs/applications/networking/irc/bip/default.nix index ee9a6392e07e..e391f0074c5a 100644 --- a/pkgs/applications/networking/irc/bip/default.nix +++ b/pkgs/applications/networking/irc/bip/default.nix @@ -30,10 +30,7 @@ in stdenv.mkDerivation { } ]; - postPatch = '' - ''; - - configureFlags = [ "--disable-pie" ]; + NIX_CFLAGS_COMPILE = "-Wno-error=unused-result"; buildInputs = [ bison flex autoconf automake openssl ]; From 05dbbae47cfc9c03badfe4616be84d17acf44fbc Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 4 Aug 2016 11:03:28 +0200 Subject: [PATCH 472/507] vlan: disable format hardening --- pkgs/tools/networking/vlan/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/networking/vlan/default.nix b/pkgs/tools/networking/vlan/default.nix index 9c9376550dfb..41ece0537ab4 100644 --- a/pkgs/tools/networking/vlan/default.nix +++ b/pkgs/tools/networking/vlan/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1jjc5f26hj7bk8nkjxsa8znfxcf8pgry2ipnwmj2fr6ky0dhm3rv"; }; + hardeningDisable = [ "format" ]; + preBuild = '' # Ouch, the tarball contains pre-compiled binaries. 
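Review bot: `--disable-pie` is removed but nothing enables PIE, and the hardening documentation added later in this series states that `pie` is off by default and should be enabled for packages that take untrusted input such as network services; bip is an IRC proxy listening on the network. Adding `hardeningEnable = [ "pie" ];` beside the new `NIX_CFLAGS_COMPILE` line would give its text segment ASLR. That `NIX_CFLAGS_COMPILE = "-Wno-error=unused-result";` line also has no comment saying it downgrades the fortify warn_unused_result diagnostic rather than disabling fortify. The enclosing `stdenv.mkDerivation` begins and ends outside the hunk.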
@@ -18,12 +20,12 @@ stdenv.mkDerivation rec { '' mkdir -p $out/sbin cp vconfig $out/sbin/ - + mkdir -p $out/share/man/man8 cp vconfig.8 $out/share/man/man8/ ''; - meta = { + meta = { description = "User mode programs to enable VLANs on Ethernet devices"; platforms = stdenv.lib.platforms.linux; }; From 1f06067b0102f5d194f2a0f0b6554536e7a28d2c Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 4 Aug 2016 11:05:29 +0200 Subject: [PATCH 473/507] x2x: disable format hardening --- pkgs/tools/X11/x2x/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/X11/x2x/default.nix b/pkgs/tools/X11/x2x/default.nix index 06d08195688a..dd529011557a 100644 --- a/pkgs/tools/X11/x2x/default.nix +++ b/pkgs/tools/X11/x2x/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { buildInputs = [ imake libX11 libXtst libXext ]; + hardeningDisable = [ "format" ]; + configurePhase = '' xmkmf makeFlags="BINDIR=$out/bin x2x" From b898fdaceb7288cc74f5166d2ee84a9723b64a17 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 4 Aug 2016 11:05:45 +0200 Subject: [PATCH 474/507] xmlroff: disable format hardening --- pkgs/tools/typesetting/xmlroff/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/typesetting/xmlroff/default.nix b/pkgs/tools/typesetting/xmlroff/default.nix index 7bd34f402504..daa79d8e352c 100644 --- a/pkgs/tools/typesetting/xmlroff/default.nix +++ b/pkgs/tools/typesetting/xmlroff/default.nix @@ -28,6 +28,8 @@ stdenv.mkDerivation rec { configureFlags = "--disable-pangoxsl --disable-gp"; + hardeningDisable = [ "format" ]; + preBuild = '' substituteInPlace tools/insert-file-as-string.pl --replace "/usr/bin/perl" "${perl}/bin/perl" substituteInPlace Makefile --replace "docs" "" From f993dff52b22e5ddc7c5d1aeeb0b29f5f469044a Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 4 Aug 2016 11:09:14 +0200 Subject: [PATCH 475/507] trackballs: disable format hardening --- pkgs/games/trackballs/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/pkgs/games/trackballs/default.nix b/pkgs/games/trackballs/default.nix index 65e8f82178eb..5606be6a5943 100644 --- a/pkgs/games/trackballs/default.nix +++ b/pkgs/games/trackballs/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { buildInputs = [ zlib mesa SDL SDL_ttf SDL_mixer SDL_image guile gettext ]; + hardeningDisable = [ "format" ]; + CFLAGS = optionalString debug "-g -O0"; CXXFLAGS = CFLAGS; dontStrip = debug; From 56f03166e1d4ee027b9f313c53c5e86d16c2d357 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 4 Aug 2016 11:09:27 +0200 Subject: [PATCH 476/507] reiser4progs: disable format hardening --- pkgs/tools/filesystems/reiser4progs/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/filesystems/reiser4progs/default.nix b/pkgs/tools/filesystems/reiser4progs/default.nix index cd32025e5b66..681fc1c80ef0 100644 --- a/pkgs/tools/filesystems/reiser4progs/default.nix +++ b/pkgs/tools/filesystems/reiser4progs/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [libaal]; + hardeningDisable = [ "format" ]; + preConfigure = '' substituteInPlace configure --replace " -static" "" ''; From 8b7dc1a3d6facdbfd264288aa7ba675aefc81c49 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 4 Aug 2016 11:09:43 +0200 Subject: [PATCH 477/507] ploticus: disable format hardening --- pkgs/tools/graphics/ploticus/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/graphics/ploticus/default.nix b/pkgs/tools/graphics/ploticus/default.nix index ff28959148fc..b855410f37f2 100644 --- a/pkgs/tools/graphics/ploticus/default.nix +++ b/pkgs/tools/graphics/ploticus/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation { buildInputs = [ zlib libX11 libpng ]; + hardeningDisable = [ "format" ]; + patches = [ ./ploticus-install.patch ]; meta = with stdenv.lib; { From 0c7f045a7a265cc7a6f6ff2c298d22b522c71bd3 Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Thu, 4 Aug 2016 11:09:57 +0200 Subject: [PATCH 478/507] tex4ht: disable format hardening --- pkgs/tools/typesetting/tex/tex4ht/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/typesetting/tex/tex4ht/default.nix b/pkgs/tools/typesetting/tex/tex4ht/default.nix index 8380abf2e948..5aaae2c06b2a 100644 --- a/pkgs/tools/typesetting/tex/tex4ht/default.nix +++ b/pkgs/tools/typesetting/tex/tex4ht/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ tetex unzip ]; + hardeningDisable = [ "format" ]; + buildPhase = '' cd src for f in tex4ht t4ht htcmd ; do From 1f1637f6a04c9a899f88a6e0e526ddfcf9f49bd1 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Thu, 4 Aug 2016 11:12:20 +0200 Subject: [PATCH 479/507] lprof: disable format hardening --- pkgs/tools/graphics/lprof/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/graphics/lprof/default.nix b/pkgs/tools/graphics/lprof/default.nix index 0aee233e79bb..7f6a15da33d3 100644 --- a/pkgs/tools/graphics/lprof/default.nix +++ b/pkgs/tools/graphics/lprof/default.nix @@ -7,6 +7,8 @@ stdenv.mkDerivation { name = "lprof-1.11.4.1"; buildInputs = [ scons qt3 lcms1 libtiff vigra ]; + hardeningDisable = [ "format" ]; + preConfigure = '' export QTDIR=${qt3} export qt_directory=${qt3} From 19f5e2a1cfb86579855806513789d5c9db9d3afa Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 5 Aug 2016 18:09:35 +0000 Subject: [PATCH 480/507] x2vnc: disable format hardening --- pkgs/tools/X11/x2vnc/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/X11/x2vnc/default.nix b/pkgs/tools/X11/x2vnc/default.nix index a0d1013b8726..31ad524cf8f3 100644 --- a/pkgs/tools/X11/x2vnc/default.nix +++ b/pkgs/tools/X11/x2vnc/default.nix @@ -13,7 +13,7 @@ stdenv.mkDerivation rec { xorg.libXrandr xorg.randrproto ]; - preInstall = "mkdir -p $out"; + hardeningDisable = [ "format" ]; meta = { homepage = http://fredrik.hubbe.net/x2vnc.html; 
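Review bot: The hunk replaces `preInstall = "mkdir -p $out";` with `hardeningDisable = [ "format" ];` instead of adding the new line, so the install-time creation of `$out` disappears in a commit whose title only mentions format hardening. If the upstream Makefile creates the output directory itself this is harmless, but that is not visible here; either keep both lines or state in the commit message why `preInstall` is obsolete. The `meta` set continues outside the hunk.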
From bc025e83bd6c44df38851ef23da53359a0e62841 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 5 Aug 2016 18:15:27 +0000 Subject: [PATCH 481/507] uclibc: disable stackprotector hardening --- pkgs/os-specific/linux/uclibc/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/uclibc/default.nix b/pkgs/os-specific/linux/uclibc/default.nix index ab5f149c5125..c64297f05297 100644 --- a/pkgs/os-specific/linux/uclibc/default.nix +++ b/pkgs/os-specific/linux/uclibc/default.nix @@ -79,6 +79,8 @@ stdenv.mkDerivation { make oldconfig ''; + hardeningDisable = [ "stackprotector" ]; + # Cross stripping hurts. dontStrip = cross != null; From f7da99c7ff49e149a3f3bae57b80f52df53d63b3 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Aug 2016 11:56:58 +0000 Subject: [PATCH 482/507] xorg.xorgserver: disable relro hardening Fixes modesetting module loading. --- pkgs/servers/x11/xorg/overrides.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/servers/x11/xorg/overrides.nix b/pkgs/servers/x11/xorg/overrides.nix index 5660957011c7..bcef1a5419f6 100644 --- a/pkgs/servers/x11/xorg/overrides.nix +++ b/pkgs/servers/x11/xorg/overrides.nix @@ -430,6 +430,7 @@ in # and there are no fonts in this package anyway "--enable-glamor" ]; + hardeningDisable = [ "relro" ]; postInstall = '' rm -fr $out/share/X11/xkb/compiled ln -s /var/tmp $out/share/X11/xkb/compiled From d1b2c34750416d1e739cc6626342caf8d25c8b5d Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Fri, 12 Aug 2016 18:10:47 +0200 Subject: [PATCH 483/507] qrcode: enable fortify hardening, disable warning --- pkgs/tools/graphics/qrcode/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/graphics/qrcode/default.nix b/pkgs/tools/graphics/qrcode/default.nix index f39071b394c1..606e546af293 100644 --- a/pkgs/tools/graphics/qrcode/default.nix +++ b/pkgs/tools/graphics/qrcode/default.nix 
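Review bot: The added `hardeningDisable = [ "stackprotector" ];` has no comment, and for a libc the reason is structural rather than a build quirk: `__stack_chk_fail` and the canary setup are provided by the library being built, so it cannot itself be compiled with the stack protector. Suggest `# a libc provides __stack_chk_fail itself and cannot be built with the stack protector` above the line so the disable is not mistaken for a removable workaround. The enclosing `stdenv.mkDerivation` starts and ends outside the hunk.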
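Review bot: Only `relro` is disabled on the added line, yet the hardening documentation added in a later patch of this series states that Xorg's module system is also incompatible with `bindnow` and that in almost all cases both flags must be disabled together. If modesetting loads correctly with `bindnow` still on, record that with a comment such as `# relro breaks loading of the modesetting module; bindnow is fine` so nobody later "completes" the pair unnecessarily; otherwise `hardeningDisable = [ "relro" "bindnow" ];` is the expected form. The surrounding attribute set starts and ends outside the hunk.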
@@ -21,7 +21,7 @@ stdenv.mkDerivation { inherit (s) rev url sha256; }; - hardeningDisable = [ "fortify" ]; + NIX_CFLAGS_COMPILE = "-Wno-error=unused-result"; installPhase = '' mkdir -p "$out"/{bin,share/doc/qrcode} From 55966c2189e29de1d8c3b0294f739e41ab45bf0e Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Fri, 12 Aug 2016 18:11:21 +0200 Subject: [PATCH 484/507] doc: complete the hardening documentation --- doc/stdenv.xml | 178 ++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 169 insertions(+), 9 deletions(-) diff --git a/doc/stdenv.xml b/doc/stdenv.xml index 034e0bb7590d..a6359a9cff3d 100644 --- a/doc/stdenv.xml +++ b/doc/stdenv.xml @@ -1362,19 +1362,27 @@ in the default system locations.
Hardening in Nixpkgs -By default some flags to harden packages at compile or link-time are set: +There are flags available to harden packages at compile or link-time. +These can be toggled using the stdenv.mkDerivation parameters +hardeningDisable and hardeningEnable. + + +The following flags are enabled by default and might require disabling +if the program to package is incompatible. + - hardening_format + format Adds the compiler options. At present, - this warns about calls to printf and scanf functions where the - format string is not a string literal and there are no format - arguments, as in printf(foo);. This may be - a security hole if the format string came from untrusted input - and contains %n. + this warns about calls to printf and + scanf functions where the format string is + not a string literal and there are no format arguments, as in + printf(foo);. This may be a security hole + if the format string came from untrusted input and contains + %n. This needs to be turned off or fixed for errors similar to: @@ -1387,8 +1395,10 @@ cc1plus: some warnings being treated as errors - hardening_stackprotector - Adds the + stackprotector + + Adds the compiler options. This adds safety checks against stack overwrites rendering many potential code injection attacks into aborting situations. In the best case this turns code injection vulnerabilities into denial 
@@ -1401,7 +1411,157 @@ bin/blib.a(bios_console.o): In function `bios_handle_cup': /tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail' + + + fortify + + Adds the compiler + options. During code generation the compiler knows a great deal of + information about buffer sizes (where possible), and attempts to replace + insecure unlimited length buffer function calls with length-limited ones. + This is especially useful for old, crufty code. Additionally, format + strings in writable memory that contain '%n' are blocked. If an application + depends on such a format string, it will need to be worked around. + + + Addtionally, some warnings are enabled which might trigger build + failures if compiler warnings are treated as errors in the packsge build. + In this case, set to + . + + This needs to be turned off or fixed for errors similar to: + + +malloc.c:404:15: error: return type is an incomplete type +malloc.c:410:19: error: storage size of 'ms' isn't known + + +strdup.h:22:1: error: expected identifier or '(' before '__extension__' + + +strsep.c:65:23: error: register name not specified for 'delim' + + +installwatch.c:3751:5: error: conflicting types for '__open_2' + + +fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments + + + + + + pic + + Adds the compiler options. This options adds + support for position independant code in shared libraries and thus making + ASLR possible. + Most notably, the Linux kernel, kernel modules and other code + not running in an operating system environment like boot loaders won't + build with PIC enabled. The compiler will is most cases complain that + PIC is not supported for a specific build. 
+ + + This needs to be turned off or fixed for assembler errors similar to: + + +ccbLfRgg.s: Assembler messages: +ccbLfRgg.s:33: Error: missing or invalid displacement expression `private_key_len@GOTOFF' + + + + + + strictoverflow + + Signed integer overflow is undefined behaviour according to the C + standard. If it happens, it is an error in the program as it should check + for overflow before it can happen, not afterwards. GCC provides built-in + functions to perform arithmetic with overflow checking, which are correct + and faster than any custom implementation. As a workaround, the option + makes gcc behave as if signed + integer overflows were defined. + + + This flag should not trigger any build or runtime errors. + + + + + relro + + Adds the linker option. During program + load, several ELF memory sections need to be written to by the linker, + but can be turned read-only before turning over control to the program. + This prevents some GOT (and .dtors) overwrite attacks, but at least the + part of the GOT used by the dynamic linker (.got.plt) is still vulnerable. + + + This flag can break dynamic shared object loading. For instance, the + module systems of Xorg and OpenCV are incompatible with this flag. In almost + all cases the bindnow flag must also be disabled and + incompatible programs typically fail with similar errors at runtime. + + + + + bindnow + + Adds the linker option. During program + load, all dynamic symbols are resolved, allowing for the complete GOT to + be marked read-only (due to relro). This prevents GOT + overwrite attacks. For very large applications, this can incur some + performance loss during initial load while symbols are resolved, but this + shouldn't be an issue for daemons. + + + This flag can break dynamic shared object loading. For instance, the + module systems of Xorg and PHP are incompatible with this flag. 
Programs + incompatible with this flag often fail at runtime due to missing symbols, + like: + + +intel_drv.so: undefined symbol: vgaHWFreeHWRec + + + + + +The following flags are disabled by default and should be enabled +for packages that take untrusted input, like network services. + + + + + + pie + + Adds the compiler and + linker options. Position Independent Executables are needed to take + advantage of Address Space Layout Randomization, supported by modern + kernel versions. While ASLR can already be enforced for data areas in + the stack and heap (brk and mmap), the code areas must be compiled as + position-independent. Shared libraries already do this with the + pic flag, so they gain ASLR automatically, but binary + .text regions need to be build with pie to gain ASLR. + When this happens, ROP attacks are much harder since there are no static + locations to bounce off of during a memory corruption attack. + + + + + + +For more in-depth information on these hardening flags and hardening in +general, refer to the +Debian Wiki, +Ubuntu Wiki, +Gentoo Wiki, +and the +Arch Wiki. + +
From 7a56781b35a859b36f523a10b4f3983935eeecc5 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Aug 2016 15:12:34 +0000 Subject: [PATCH 485/507] dvdisaster: remove obsolete fortify disabling builds with fortify enabled by now --- pkgs/tools/cd-dvd/dvdisaster/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/tools/cd-dvd/dvdisaster/default.nix b/pkgs/tools/cd-dvd/dvdisaster/default.nix index 82a57c6684fb..08da13b569ae 100644 --- a/pkgs/tools/cd-dvd/dvdisaster/default.nix +++ b/pkgs/tools/cd-dvd/dvdisaster/default.nix @@ -12,8 +12,6 @@ stdenv.mkDerivation rec { sha256 = "0f8gjnia2fxcbmhl8b3qkr5b7idl8m855dw7xw2fnmbqwvcm6k4w"; }; - hardeningDisable = [ "fortify" ]; - nativeBuildInputs = [ gettext pkgconfig which ]; buildInputs = [ glib gtk2 ]; From 572490bce93a34e7b0dc448bd71cac8f1a42cf00 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Fri, 12 Aug 2016 15:23:00 +0000 Subject: [PATCH 486/507] udftools: remove obsolete gcc5 patch fixed by setting C compiler standard --- pkgs/tools/filesystems/udftools/default.nix | 2 -- pkgs/tools/filesystems/udftools/gcc5.patch | 17 ----------------- 2 files changed, 19 deletions(-) delete mode 100644 pkgs/tools/filesystems/udftools/gcc5.patch diff --git a/pkgs/tools/filesystems/udftools/default.nix b/pkgs/tools/filesystems/udftools/default.nix index 75e37f77949d..b912bab68260 100644 --- a/pkgs/tools/filesystems/udftools/default.nix +++ b/pkgs/tools/filesystems/udftools/default.nix @@ -10,8 +10,6 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses readline ]; - patches = [ ./gcc5.patch ]; - hardeningDisable = [ "fortify" ]; NIX_CFLAGS_COMPILE = "-std=gnu90"; diff --git a/pkgs/tools/filesystems/udftools/gcc5.patch b/pkgs/tools/filesystems/udftools/gcc5.patch deleted file mode 100644 index 2c57ff20e135..000000000000 --- a/pkgs/tools/filesystems/udftools/gcc5.patch +++ /dev/null 
@@ -1,17 +0,0 @@ ---- udftools-1.0.0b3/libudffs/desc.c 2016-02-07 23:21:38.595391610 +0000 -+++ udftools-1.0.0b3/libudffs/desc.c 2016-02-07 23:21:57.759756269 +0000 -@@ -34,12 +34,12 @@ - #include "libudffs.h" - #include "config.h" - --inline struct impUseVolDescImpUse *query_iuvdiu(struct udf_disc *disc) -+extern struct impUseVolDescImpUse *query_iuvdiu(struct udf_disc *disc) - { - return (struct impUseVolDescImpUse *)disc->udf_iuvd[0]->impUse; - } - --inline struct logicalVolIntegrityDescImpUse *query_lvidiu(struct udf_disc *disc) -+extern struct logicalVolIntegrityDescImpUse *query_lvidiu(struct udf_disc *disc) - { - return (struct logicalVolIntegrityDescImpUse *)&(disc->udf_lvid->impUse[le32_to_cpu(disc->udf_lvd[0]->numPartitionMaps) * 2 * sizeof(uint32_t)]); - } From bea8972d967e6599aa28f7c0e30b9fc1fc589328 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 13 Aug 2016 09:45:48 +0000 Subject: [PATCH 487/507] nixos.tests.boot-stage1: disable pic for kernel module --- nixos/tests/boot-stage1.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/tests/boot-stage1.nix b/nixos/tests/boot-stage1.nix index ad253d23c543..ccd8394a1f03 100644 --- a/nixos/tests/boot-stage1.nix +++ b/nixos/tests/boot-stage1.nix @@ -8,6 +8,7 @@ import ./make-test.nix ({ pkgs, ... }: { kdev = config.boot.kernelPackages.kernel.dev; kver = config.boot.kernelPackages.kernel.modDirVersion; ksrc = "${kdev}/lib/modules/${kver}/build"; + hardeningDisable = [ "pic" ]; } '' echo "obj-m += $name.o" > Makefile echo "$source" > "$name.c" From af04b6d5a56a66866a66c6343e38e0d92228986a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 13 Aug 2016 10:06:00 +0000 Subject: [PATCH 488/507] hardening docs: fix typo --- doc/stdenv.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/stdenv.xml b/doc/stdenv.xml index a6359a9cff3d..5be57fc5a976 100644 --- a/doc/stdenv.xml +++ b/doc/stdenv.xml 
@@ -1425,7 +1425,7 @@ bin/blib.a(bios_console.o): In function `bios_handle_cup': Addtionally, some warnings are enabled which might trigger build - failures if compiler warnings are treated as errors in the packsge build. + failures if compiler warnings are treated as errors in the package build. In this case, set to . From 0f274be2fd4e0cfa9bf69e92c8e95ca0a0086784 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 13 Aug 2016 10:11:40 +0000 Subject: [PATCH 489/507] linuxPackages.ena: disable pic --- pkgs/os-specific/linux/ena/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/os-specific/linux/ena/default.nix b/pkgs/os-specific/linux/ena/default.nix index 7a047e9f2338..051725d32d98 100644 --- a/pkgs/os-specific/linux/ena/default.nix +++ b/pkgs/os-specific/linux/ena/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "03w6xgv3lfn28n38mj9cdi3px5zjyrbxnflpd3ggivkv6grf9fp7"; }; + hardeningDisable = [ "pic" ]; + configurePhase = '' cd kernel/linux/ena @@ -30,5 +32,6 @@ stdenv.mkDerivation rec { homepage = https://github.com/amzn/amzn-drivers; license = lib.licenses.gpl2; maintainers = [ lib.maintainers.eelco ]; + platforms = lib.platforms.linux; }; } From 7d9d2d6872703127ee0f3d75e85035ccbf4611f7 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 13 Aug 2016 16:02:02 +0200 Subject: [PATCH 490/507] linuxPackages.broadcom_sta: disable pic hardening --- pkgs/os-specific/linux/broadcom-sta/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/broadcom-sta/default.nix b/pkgs/os-specific/linux/broadcom-sta/default.nix index 28b23a61ff06..e36512e00767 100644 --- a/pkgs/os-specific/linux/broadcom-sta/default.nix +++ b/pkgs/os-specific/linux/broadcom-sta/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation { sha256 = hashes.${stdenv.system}; }; + hardeningDisable = [ "pic" ]; + patches = [ ./i686-build-failure.patch ./license.patch From a8deb8d6470ce74bd3f5de4afb0d8d1390657767 Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Sat, 13 Aug 2016 16:03:32 +0200 Subject: [PATCH 491/507] linuxPackages.frandom: disable pic hardening --- pkgs/os-specific/linux/frandom/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/frandom/default.nix b/pkgs/os-specific/linux/frandom/default.nix index 80ad483b3676..dfdc79c2005f 100644 --- a/pkgs/os-specific/linux/frandom/default.nix +++ b/pkgs/os-specific/linux/frandom/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "15rgyk4hfawqg7z1spk2xlk1nn6rcdls8gdhc70f91shrc9pvlls"; }; + hardeningDisable = [ "pic" ]; + preBuild = '' kernelVersion=${kernel.modDirVersion} substituteInPlace Makefile \ From f5c9f99877ced1b63d12a9c3ce327b46fae754bb Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 13 Aug 2016 16:06:57 +0200 Subject: [PATCH 492/507] linuxPackages.ati_drivers_x11: disable pic & format hardening --- pkgs/os-specific/linux/ati-drivers/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/ati-drivers/default.nix b/pkgs/os-specific/linux/ati-drivers/default.nix index e5eb9b8c6c3c..902f0e37e35f 100644 --- a/pkgs/os-specific/linux/ati-drivers/default.nix +++ b/pkgs/os-specific/linux/ati-drivers/default.nix @@ -65,6 +65,8 @@ stdenv.mkDerivation rec { curlOpts = "--referer http://support.amd.com/en-us/download/desktop?os=Linux+x86_64"; }; + hardeningDisable = [ "pic" "format" ]; + patchPhaseSamples = "patch -p2 < ${./patches/patch-samples.patch}"; patches = [ ./patches/15.12-xstate-fp.patch From d836b811cb533c4cacba9a932d4906cbb41abc7c Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 13 Aug 2016 16:24:38 +0200 Subject: [PATCH 493/507] linuxPackages.cryptodev: 1.6 -> 1.8, disable pic hardening --- pkgs/os-specific/linux/cryptodev/default.nix | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) 
diff --git a/pkgs/os-specific/linux/cryptodev/default.nix b/pkgs/os-specific/linux/cryptodev/default.nix index 4ea9295ef4f9..f3c262231223 100644 --- a/pkgs/os-specific/linux/cryptodev/default.nix +++ b/pkgs/os-specific/linux/cryptodev/default.nix @@ -1,26 +1,19 @@ { fetchurl, stdenv, kernel, onlyHeaders ? false }: stdenv.mkDerivation rec { - pname = "cryptodev-linux-1.6"; + pname = "cryptodev-linux-1.8"; name = "${pname}-${kernel.version}"; src = fetchurl { url = "http://download.gna.org/cryptodev-linux/${pname}.tar.gz"; - sha256 = "0bryzdb4xz3fp2q00a0mlqkj629md825lnlh4gjwmy51irf45wbm"; + sha256 = "0xhkhcdlds9aiz0hams93dv0zkgcn2abaiagdjlqdck7zglvvyk7"; }; - buildPhase = if !onlyHeaders then '' - make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \ - SUBDIRS=`pwd` INSTALL_PATH=$out - '' else ":"; + hardeningDisable = [ "pic" ]; - installPhase = stdenv.lib.optionalString (!onlyHeaders) '' - make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \ - INSTALL_MOD_PATH=$out SUBDIRS=`pwd` modules_install - '' + '' - mkdir -p $out/include/crypto - cp crypto/cryptodev.h $out/include/crypto - ''; + KERNEL_DIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"; + INSTALL_MOD_PATH = "\${out}"; + PREFIX = "\${out}"; meta = { description = "Device that allows access to Linux kernel cryptographic drivers"; From 5e085b7fea7bbcb425f6be6aab912cbd03859235 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 13 Aug 2016 16:25:29 +0200 Subject: [PATCH 494/507] linuxPackages.e1000e: disable pic hardening --- pkgs/os-specific/linux/e1000e/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/e1000e/default.nix b/pkgs/os-specific/linux/e1000e/default.nix index 0b67a5382f75..5406c37522ea 100644 --- a/pkgs/os-specific/linux/e1000e/default.nix +++ b/pkgs/os-specific/linux/e1000e/default.nix 
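Review bot: After this hunk the `onlyHeaders` argument declared in the context line `{ fetchurl, stdenv, kernel, onlyHeaders ? false }` is no longer read anywhere: the removed `buildPhase`/`installPhase` were its only consumers, and the new `KERNEL_DIR`, `INSTALL_MOD_PATH` and `PREFIX` attributes drive the upstream Makefile unconditionally. Callers passing `onlyHeaders = true` will now silently build and install the kernel module. Either restore the conditional (for example `dontBuild = onlyHeaders;` together with an install phase that only copies `crypto/cryptodev.h` in that case) or drop the parameter and its default so such callers get an evaluation error instead. The `meta` set continues outside the hunk.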
@@ -8,6 +8,8 @@ stdenv.mkDerivation { sha256 = "07hg6xxqgqshnys1qs9wbl9qr7d4ixdkd1y1fj27cg6bn8s2n797"; }; + hardeningDisable = [ "pic" ]; + configurePhase = '' cd src kernel_version=${kernel.modDirVersion} From f55fd87c8adfc58b6ab97fb965bd2d0de829f170 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 13 Aug 2016 16:30:35 +0200 Subject: [PATCH 495/507] linuxPackages.ixgbevf: disable pic hardening --- pkgs/os-specific/linux/ixgbevf/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/ixgbevf/default.nix b/pkgs/os-specific/linux/ixgbevf/default.nix index eb90c9fb1eb7..1f8ced6c2d2a 100644 --- a/pkgs/os-specific/linux/ixgbevf/default.nix +++ b/pkgs/os-specific/linux/ixgbevf/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "1i6ry3vd77190sxb47xhbz3v30gighwax6prav4ggs3q80a389c8"; }; + hardeningDisable = [ "pic" ]; + configurePhase = '' cd src makeFlagsArray+=(KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build INSTALL_MOD_PATH=$out MANDIR=/share/man) From 62e6bc0bd9623da6559300a42aafdbb6b5ea4d26 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 13 Aug 2016 16:40:42 +0200 Subject: [PATCH 496/507] linuxPackages.prl-tools: disable pic hardening --- pkgs/os-specific/linux/prl-tools/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/prl-tools/default.nix b/pkgs/os-specific/linux/prl-tools/default.nix index da5d7d5f6070..9ca48ccaf057 100644 --- a/pkgs/os-specific/linux/prl-tools/default.nix +++ b/pkgs/os-specific/linux/prl-tools/default.nix @@ -47,6 +47,8 @@ stdenv.mkDerivation rec { ''; }; + hardeningDisable = [ "pic" ]; + # also maybe python2 to generate xorg.conf nativeBuildInputs = [ p7zip ] ++ lib.optionals (!libsOnly) [ makeWrapper ]; From 73a9ce2ce31be4d3db810a9ce7c29e722155401b Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Sat, 13 Aug 2016 16:42:35 +0200 Subject: [PATCH 497/507] linuxPackages.psmouse_alps: remove, driver in kernel since 3.9 --- .../linux/psmouse-alps/default.nix | 40 ------------------- pkgs/top-level/all-packages.nix | 2 - 2 files changed, 42 deletions(-) delete mode 100644 pkgs/os-specific/linux/psmouse-alps/default.nix diff --git a/pkgs/os-specific/linux/psmouse-alps/default.nix b/pkgs/os-specific/linux/psmouse-alps/default.nix deleted file mode 100644 index 9dd78f5885ad..000000000000 --- a/pkgs/os-specific/linux/psmouse-alps/default.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ stdenv, fetchurl, kernel, zlib }: - -/* Only useful for kernels 3.2 to 3.5. - Fails to build in 3.8. - 3.9 upstream already includes a proper alps driver for this */ - -assert builtins.compareVersions "3.8" kernel.version == 1; - -let - ver = "1.3"; - bname = "psmouse-alps-${ver}"; -in -stdenv.mkDerivation { - name = "psmouse-alps-${kernel.version}-${ver}"; - - src = fetchurl { - url = http://www.dahetral.com/public-download/alps-psmouse-dlkm-for-3-2-and-3-5/at_download/file; - name = "${bname}-alt.tar.bz2"; - sha256 = "1ghr8xcyidz31isxbwrbcr9rvxi4ad2idwmb3byar9n2ig116cxp"; - }; - - buildPhase = '' - cd src/${bname}/src - make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \ - SUBDIRS=`pwd` INSTALL_PATH=$out - ''; - - installPhase = '' - make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \ - INSTALL_MOD_PATH=$out SUBDIRS=`pwd` modules_install - ''; - - meta = { - description = "ALPS dlkm driver with all known touchpads"; - homepage = http://www.dahetral.com/public-download/alps-psmouse-dlkm-for-3-2-and-3-5/view; - license = stdenv.lib.licenses.gpl2; - platforms = stdenv.lib.platforms.linux; - maintainers = with stdenv.lib.maintainers; [viric]; - }; -} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index a3a2c310d6a4..b65c2336ee7f 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
@@ -11247,8 +11247,6 @@ in prl-tools = callPackage ../os-specific/linux/prl-tools { }; - psmouse_alps = callPackage ../os-specific/linux/psmouse-alps { }; - seturgent = callPackage ../os-specific/linux/seturgent { }; spl = callPackage ../os-specific/linux/spl { From 5103e70a373698321253cbb0f5ad595d3ee2880c Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 13 Aug 2016 16:44:39 +0200 Subject: [PATCH 498/507] linuxPackages.nvidiabl: disable pic hardening --- pkgs/os-specific/linux/nvidiabl/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/nvidiabl/default.nix b/pkgs/os-specific/linux/nvidiabl/default.nix index a6797608664f..881c29c1ce0f 100644 --- a/pkgs/os-specific/linux/nvidiabl/default.nix +++ b/pkgs/os-specific/linux/nvidiabl/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation { sha256 = "1c7ar39wc8jpqh67sw03lwnyp0m9l6dad469ybqrgcywdiwxspwj"; }; + hardeningDisable = [ "pic" ]; + patches = [ ./linux4compat.patch ]; preConfigure = '' From 9e7d118ea2252dbf74ee42636ec723faf85cdb4a Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 13 Aug 2016 16:49:42 +0200 Subject: [PATCH 499/507] linuxPackages.nvidia-x11: disable pic & format hardening --- pkgs/os-specific/linux/nvidia-x11/beta.nix | 2 ++ pkgs/os-specific/linux/nvidia-x11/default.nix | 4 ++-- pkgs/os-specific/linux/nvidia-x11/legacy173.nix | 2 ++ pkgs/os-specific/linux/nvidia-x11/legacy304.nix | 2 ++ pkgs/os-specific/linux/nvidia-x11/legacy340.nix | 2 ++ 5 files changed, 10 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/nvidia-x11/beta.nix b/pkgs/os-specific/linux/nvidia-x11/beta.nix index d3111a4f75a1..6fd5fb6c0b63 100644 --- a/pkgs/os-specific/linux/nvidia-x11/beta.nix +++ b/pkgs/os-specific/linux/nvidia-x11/beta.nix @@ -41,6 +41,8 @@ stdenv.mkDerivation { kernel = if libsOnly then null else kernel.dev; + hardeningDisable = [ "pic" "format" ]; + dontStrip = true; glPath = makeLibraryPath [xorg.libXext xorg.libX11 xorg.libXrandr]; 
diff --git a/pkgs/os-specific/linux/nvidia-x11/default.nix b/pkgs/os-specific/linux/nvidia-x11/default.nix index 139185e7f03d..f561c0addc87 100644 --- a/pkgs/os-specific/linux/nvidia-x11/default.nix +++ b/pkgs/os-specific/linux/nvidia-x11/default.nix @@ -42,6 +42,8 @@ stdenv.mkDerivation { kernel = if libsOnly then null else kernel.dev; + hardeningDisable = [ "pic" "format" ]; + dontStrip = true; glPath = makeLibraryPath [xorg.libXext xorg.libX11 xorg.libXrandr]; @@ -57,8 +59,6 @@ stdenv.mkDerivation { buildInputs = [ perl nukeReferences ]; - hardeningDisable = [ "pic" "format" ]; - disallowedReferences = if libsOnly then [] else [ kernel.dev ]; meta = with stdenv.lib.meta; { diff --git a/pkgs/os-specific/linux/nvidia-x11/legacy173.nix b/pkgs/os-specific/linux/nvidia-x11/legacy173.nix index 91813d67e1c1..27c963f4bd9c 100644 --- a/pkgs/os-specific/linux/nvidia-x11/legacy173.nix +++ b/pkgs/os-specific/linux/nvidia-x11/legacy173.nix @@ -26,6 +26,8 @@ stdenv.mkDerivation { kernel = kernel.dev; + hardeningDisable = [ "pic" "format" ]; + inherit versionNumber; dontStrip = true; diff --git a/pkgs/os-specific/linux/nvidia-x11/legacy304.nix b/pkgs/os-specific/linux/nvidia-x11/legacy304.nix index 5cf3583e873c..65cf42333e05 100644 --- a/pkgs/os-specific/linux/nvidia-x11/legacy304.nix +++ b/pkgs/os-specific/linux/nvidia-x11/legacy304.nix @@ -32,6 +32,8 @@ stdenv.mkDerivation { kernel = if libsOnly then null else kernel.dev; + hardeningDisable = [ "pic" "format" ]; + dontStrip = true; glPath = stdenv.lib.makeLibraryPath [xorg.libXext xorg.libX11 xorg.libXrandr]; diff --git a/pkgs/os-specific/linux/nvidia-x11/legacy340.nix b/pkgs/os-specific/linux/nvidia-x11/legacy340.nix index fa9d6442e424..0682954d558f 100644 --- a/pkgs/os-specific/linux/nvidia-x11/legacy340.nix +++ b/pkgs/os-specific/linux/nvidia-x11/legacy340.nix 
@@ -42,6 +42,8 @@ stdenv.mkDerivation { kernel = if libsOnly then null else kernel.dev; + hardeningDisable = [ "pic" "format" ]; + dontStrip = true; glPath = makeLibraryPath [xorg.libXext xorg.libX11 xorg.libXrandr]; From b2c6d28a1de700d7ab6cb2a1aa4bf20cd86907f9 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 13 Aug 2016 16:38:54 +0200 Subject: [PATCH 500/507] linuxPackages.ndiswrapper: disable pic hardening (still broken) --- pkgs/os-specific/linux/ndiswrapper/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/ndiswrapper/default.nix b/pkgs/os-specific/linux/ndiswrapper/default.nix index f95de4335648..eabc2840881e 100644 --- a/pkgs/os-specific/linux/ndiswrapper/default.nix +++ b/pkgs/os-specific/linux/ndiswrapper/default.nix @@ -3,6 +3,8 @@ stdenv.mkDerivation { name = "ndiswrapper-1.59-${kernel.version}"; + hardeningDisable = [ "pic" ]; + patches = [ ./no-sbin.patch ]; # need at least .config and include From fa3a35b241def2f837d72b5de736c513d6856cf9 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Sat, 13 Aug 2016 16:54:58 +0200 Subject: [PATCH 501/507] linuxPackages.fusionio-vsl: disable pic hardening (still broken) --- pkgs/os-specific/linux/fusionio/vsl.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/fusionio/vsl.nix b/pkgs/os-specific/linux/fusionio/vsl.nix index 8e24b5061cd3..665c4b4d0813 100644 --- a/pkgs/os-specific/linux/fusionio/vsl.nix +++ b/pkgs/os-specific/linux/fusionio/vsl.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { src = srcs.vsl; + hardeningDisable = [ "pic" ]; + prePatch = '' cd root/usr/src/iomemory-vsl-* ''; From 2676cf9525c38ac8c6cb85a7d95f2e57e2760c3d Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 13 Aug 2016 11:19:15 +0000 Subject: [PATCH 502/507] linuxPackages.lttng-modules: fix build --- pkgs/os-specific/linux/lttng-modules/default.nix | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/pkgs/os-specific/linux/lttng-modules/default.nix b/pkgs/os-specific/linux/lttng-modules/default.nix index b3a67e70a1df..eeef64c70833 100644 --- a/pkgs/os-specific/linux/lttng-modules/default.nix +++ b/pkgs/os-specific/linux/lttng-modules/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { hardeningDisable = [ "pic" ]; + NIX_CFLAGS_COMPILE = "-Wno-error=implicit-function-declaration"; + preConfigure = '' export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" export INSTALL_MOD_PATH="$out" From 8071cafe661294cc9ff5f9451974c4a4fac9140a Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sat, 13 Aug 2016 11:20:12 +0000 Subject: [PATCH 503/507] linuxPackages.rtl8812au: fix build --- pkgs/os-specific/linux/rtl8812au/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/rtl8812au/default.nix b/pkgs/os-specific/linux/rtl8812au/default.nix index 75c01cfe1f7e..c38fa8843f42 100644 --- a/pkgs/os-specific/linux/rtl8812au/default.nix +++ b/pkgs/os-specific/linux/rtl8812au/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { hardeningDisable = [ "pic" ]; + NIX_CFLAGS_COMPILE="-Wno-error=incompatible-pointer-types"; + patchPhase = '' substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/" substituteInPlace ./Makefile --replace '$(shell uname -r)' "${kernel.modDirVersion}" From 27b9f5d65ee452c9a1a49a2e245b2a45ee1d65ab Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Sun, 14 Aug 2016 02:13:16 +0000 Subject: [PATCH 504/507] xorg.*: disable relro/bindnow hardening Breaks the module system at runtime otherwise. --- pkgs/servers/x11/xorg/builder.sh | 3 --- pkgs/servers/x11/xorg/default.nix | 4 +++- pkgs/servers/x11/xorg/overrides.nix | 1 - 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/pkgs/servers/x11/xorg/builder.sh b/pkgs/servers/x11/xorg/builder.sh index 15da0b51795b..055886374df4 100644 --- a/pkgs/servers/x11/xorg/builder.sh +++ b/pkgs/servers/x11/xorg/builder.sh 
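Review bot: `NIX_CFLAGS_COMPILE = "-Wno-error=implicit-function-declaration";` in the lttng-modules hunk downgrades a real defect to a warning instead of fixing it: an implicitly declared function is assumed to return `int`, so if the undeclared function actually returns a pointer or a 64-bit value the module silently truncates it, which in kernel code is a memory-safety bug rather than a cosmetic one. The build log names the function, so the right fix is the missing `#include` or a kernel-version guard in lttng-modules; failing that, the suppression needs an expiry comment such as `# TODO: lttng-modules lacks a prototype for <fn> on kernel <ver>; drop once upstream fixes it`. Whether the cc-wrapper's `NIX_CFLAGS_COMPILE` reaches every kbuild compiler invocation is not visible from this hunk and is worth confirming before relying on it.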
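Review bot: `NIX_CFLAGS_COMPILE="-Wno-error=incompatible-pointer-types";` in the rtl8812au hunk hides a type mismatch that in a kernel driver usually means a callback or ops-struct member signature changed between kernel versions; the driver still compiles, but the kernel will then invoke the function with a different argument layout, which is undefined behaviour rather than a warning to live with. Prefer patching the driver for the target `kernel.modDirVersion`, or at minimum record which symbol mismatches and on which kernel so the flag has an expiry, e.g. `# incompatible-pointer-types: <fn> signature changed in <kernel>; fix upstream`. Minor style point: the line omits the spaces around `=` that `hardeningDisable = [ "pic" ];` two lines up uses.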
@@ -46,7 +46,4 @@ fi enableParallelBuilding=1 -# breaks module loading -hardeningDisable="bindnow" - genericBuild diff --git a/pkgs/servers/x11/xorg/default.nix b/pkgs/servers/x11/xorg/default.nix index 4a2ac2469d82..24b6cafd1bc2 100644 --- a/pkgs/servers/x11/xorg/default.nix +++ b/pkgs/servers/x11/xorg/default.nix @@ -9,7 +9,9 @@ let mkDerivation = name: attrs: let newAttrs = (overrides."${name}" or (x: x)) attrs; stdenv = newAttrs.stdenv or args.stdenv; - in stdenv.mkDerivation (removeAttrs newAttrs [ "stdenv" ]); + in stdenv.mkDerivation ((removeAttrs newAttrs [ "stdenv" ]) // { + hardeningDisable = [ "bindnow" "relro" ]; + }); overrides = import ./overrides.nix {inherit args xorg;}; diff --git a/pkgs/servers/x11/xorg/overrides.nix b/pkgs/servers/x11/xorg/overrides.nix index bcef1a5419f6..5660957011c7 100644 --- a/pkgs/servers/x11/xorg/overrides.nix +++ b/pkgs/servers/x11/xorg/overrides.nix @@ -430,7 +430,6 @@ in # and there are no fonts in this package anyway "--enable-glamor" ]; - hardeningDisable = [ "relro" ]; postInstall = '' rm -fr $out/share/X11/xkb/compiled ln -s /var/tmp $out/share/X11/xkb/compiled From 1747d28e5ada05ec07c4b1d35048ea5b194bde64 Mon Sep 17 00:00:00 2001 From: Robin Gloster Date: Mon, 15 Aug 2016 12:00:51 +0000 Subject: [PATCH 505/507] glibc: add patch to fix segfault in forkpty --- pkgs/development/libraries/glibc/common.nix | 3 + .../development/libraries/glibc/forkpty.patch | 75 +++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 pkgs/development/libraries/glibc/forkpty.patch diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index e90fdc4ad7bd..24890e560233 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -55,6 +55,9 @@ stdenv.mkDerivation ({ ./cve-2016-1234.patch ./cve-2016-3706.patch ./fix_warnings.patch + + # Fixes segfault when calling pty.fork() in python + ./forkpty.patch ]; postPatch = 
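Review bot: The `// { hardeningDisable = [ "bindnow" "relro" ]; }` merge in xorg/default.nix overrides rather than extends, so any `hardeningDisable` a package sets in `overrides.nix` is silently discarded — the same commit removes xorgserver's `[ "relro" ]` there, which works today, but any per-package entry added later (e.g. `"pic"` for a driver) will be dropped without warning; use `hardeningDisable = (newAttrs.hardeningDisable or []) ++ [ "bindnow" "relro" ];` instead. Separately, before this change builder.sh disabled only `bindnow` globally and `relro` appears to have been disabled only for the server in overrides.nix, whereas now every derivation built through this `mkDerivation` loses full RELRO, including client libraries that do not load modules; restricting the exemption to the server and driver packages keeps the protection on libraries linked into every X client. A comment naming the module-loading path that breaks (the commit message only says "module system") would help whoever revisits this.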
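Review bot: The comment `# Fixes segfault when calling pty.fork() in python` on the new `./forkpty.patch` entry in glibc/common.nix describes a symptom rather than the cause; the patch it references is upstream glibc commit f06f3f05 for BZ #19861, whose own description says libpthread's `fork`/`__fork` compat symbols must not go through an IFUNC resolver because it may run before `__libc_fork` is relocated. Naming the upstream bug makes it obvious when the patch can be dropped, e.g. `# BZ #19861: libpthread fork compat symbols must not use an IFUNC resolver (upstream f06f3f05)`, and a note of the glibc version that carries the fix would make the later removal self-explanatory. Whether the crash only surfaces with the new bindnow/relro defaults is not visible from the hunk and should be stated if known.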
diff --git a/pkgs/development/libraries/glibc/forkpty.patch b/pkgs/development/libraries/glibc/forkpty.patch new file mode 100644 index 000000000000..fe700e5797b6 --- /dev/null +++ b/pkgs/development/libraries/glibc/forkpty.patch 
@@ -0,0 +1,75 @@ +From f06f3f05b48c72e2c9b0fa78671f94fd22d67da8 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Wed, 1 Jun 2016 07:14:42 +0200 +Subject: [PATCH] fork in libpthread cannot use IFUNC resolver [BZ #19861] + +This commit only addresses the fork case, the vfork case has to be a +tail call, which is why the generic code needs an IFUNC resolver +there. + +diff --git a/nptl/pt-fork.c b/nptl/pt-fork.c +index b65d6b4..db9b61d 100644 +--- a/nptl/pt-fork.c ++++ b/nptl/pt-fork.c +@@ -25,33 +25,14 @@ + the historical ABI requires it. For static linking, there is no need to + provide anything here--the libc version will be linked in. For shared + library ABI compatibility, there must be __fork and fork symbols in +- libpthread.so; so we define them using IFUNC to redirect to the libc +- function. */ ++ libpthread.so. + +-#if SHLIB_COMPAT (libpthread, GLIBC_2_0, GLIBC_2_22) +- +-# if HAVE_IFUNC +- +-static __typeof (fork) * +-__attribute__ ((used)) +-fork_resolve (void) +-{ +- return &__libc_fork; +-} ++ With an IFUNC resolver, it would be possible to avoid the ++ indirection, but the IFUNC resolver might run before the ++ __libc_fork symbol has been relocated, in which case the IFUNC ++ resolver would not be able to provide the correct address. 
*/ + +-# ifdef HAVE_ASM_SET_DIRECTIVE +-# define DEFINE_FORK(name) \ +- asm (".set " #name ", fork_resolve\n" \ +- ".globl " #name "\n" \ +- ".type " #name ", %gnu_indirect_function"); +-# else +-# define DEFINE_FORK(name) \ +- asm (#name " = fork_resolve\n" \ +- ".globl " #name "\n" \ +- ".type " #name ", %gnu_indirect_function"); +-# endif +- +-# else /* !HAVE_IFUNC */ ++#if SHLIB_COMPAT (libpthread, GLIBC_2_0, GLIBC_2_22) + + static pid_t __attribute__ ((used)) + fork_compat (void) +@@ -59,14 +40,10 @@ fork_compat (void) + return __libc_fork (); + } + +-# define DEFINE_FORK(name) strong_alias (fork_compat, name) +- +-# endif /* HAVE_IFUNC */ +- +-DEFINE_FORK (fork_ifunc) +-compat_symbol (libpthread, fork_ifunc, fork, GLIBC_2_0); ++strong_alias (fork_compat, fork_alias) ++compat_symbol (libpthread, fork_alias, fork, GLIBC_2_0); + +-DEFINE_FORK (__fork_ifunc) +-compat_symbol (libpthread, __fork_ifunc, __fork, GLIBC_2_0); ++strong_alias (fork_compat, __fork_alias) ++compat_symbol (libpthread, __fork_alias, __fork, GLIBC_2_0); + + #endif +-- +1.7.1 + From e0f124a9f814985b44a7216f010e928820ed2686 Mon Sep 17 00:00:00 2001 From: obadz Date: Wed, 17 Aug 2016 18:05:17 +0100 Subject: [PATCH 506/507] calamares/tarball test: fix eval error See also acb4086 cc @ttuegel @globin --- pkgs/top-level/all-packages.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 8e57aca9503e..4117cfc59365 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -667,7 +667,7 @@ in calamares = qt5.callPackage ../tools/misc/calamares rec { python = python3; boost = pkgs.boost.override { python=python3; }; - libyamlcpp = callPackage ../development/libraries/libyaml-cpp { makePIC=true; boost=boost; }; + libyamlcpp = callPackage ../development/libraries/libyaml-cpp { boost=boost; }; }; capstone = callPackage ../development/libraries/capstone { }; 
From b092538811a2bd4454ed9b056952c0a10f091076 Mon Sep 17 00:00:00 2001 From: obadz Date: Sat, 20 Aug 2016 22:39:05 +0100 Subject: [PATCH 507/507] Revert "glibc: add patch to fix segfault in forkpty" This reverts commit 1747d28e5ada05ec07c4b1d35048ea5b194bde64. Was fixed upstream in glibc 2.24 --- pkgs/development/libraries/glibc/common.nix | 3 - .../development/libraries/glibc/forkpty.patch | 75 ------------------- 2 files changed, 78 deletions(-) delete mode 100644 pkgs/development/libraries/glibc/forkpty.patch diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 24890e560233..e90fdc4ad7bd 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -55,9 +55,6 @@ stdenv.mkDerivation ({ ./cve-2016-1234.patch ./cve-2016-3706.patch ./fix_warnings.patch - - # Fixes segfault when calling pty.fork() in python - ./forkpty.patch ]; postPatch = diff --git a/pkgs/development/libraries/glibc/forkpty.patch b/pkgs/development/libraries/glibc/forkpty.patch deleted file mode 100644 index fe700e5797b6..000000000000 --- a/pkgs/development/libraries/glibc/forkpty.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From f06f3f05b48c72e2c9b0fa78671f94fd22d67da8 Mon Sep 17 00:00:00 2001 -From: Florian Weimer -Date: Wed, 1 Jun 2016 07:14:42 +0200 -Subject: [PATCH] fork in libpthread cannot use IFUNC resolver [BZ #19861] - -This commit only addresses the fork case, the vfork case has to be a -tail call, which is why the generic code needs an IFUNC resolver -there. - -diff --git a/nptl/pt-fork.c b/nptl/pt-fork.c -index b65d6b4..db9b61d 100644 ---- a/nptl/pt-fork.c -+++ b/nptl/pt-fork.c -@@ -25,33 +25,14 @@ - the historical ABI requires it. For static linking, there is no need to - provide anything here--the libc version will be linked in. For shared - library ABI compatibility, there must be __fork and fork symbols in -- libpthread.so; so we define them using IFUNC to redirect to the libc -- function. */ -+ libpthread.so. - --#if SHLIB_COMPAT (libpthread, GLIBC_2_0, GLIBC_2_22) -- --# if HAVE_IFUNC -- --static __typeof (fork) * --__attribute__ ((used)) --fork_resolve (void) --{ -- return &__libc_fork; --} -+ With an IFUNC resolver, it would be possible to avoid the -+ indirection, but the IFUNC resolver might run before the -+ __libc_fork symbol has been relocated, in which case the IFUNC -+ resolver would not be able to provide the correct address. 
*/ - --# ifdef HAVE_ASM_SET_DIRECTIVE --# define DEFINE_FORK(name) \ -- asm (".set " #name ", fork_resolve\n" \ -- ".globl " #name "\n" \ -- ".type " #name ", %gnu_indirect_function"); --# else --# define DEFINE_FORK(name) \ -- asm (#name " = fork_resolve\n" \ -- ".globl " #name "\n" \ -- ".type " #name ", %gnu_indirect_function"); --# endif -- --# else /* !HAVE_IFUNC */ -+#if SHLIB_COMPAT (libpthread, GLIBC_2_0, GLIBC_2_22) - - static pid_t __attribute__ ((used)) - fork_compat (void) -@@ -59,14 +40,10 @@ fork_compat (void) - return __libc_fork (); - } - --# define DEFINE_FORK(name) strong_alias (fork_compat, name) -- --# endif /* HAVE_IFUNC */ -- --DEFINE_FORK (fork_ifunc) --compat_symbol (libpthread, fork_ifunc, fork, GLIBC_2_0); -+strong_alias (fork_compat, fork_alias) -+compat_symbol (libpthread, fork_alias, fork, GLIBC_2_0); - --DEFINE_FORK (__fork_ifunc) --compat_symbol (libpthread, __fork_ifunc, __fork, GLIBC_2_0); -+strong_alias (fork_compat, __fork_alias) -+compat_symbol (libpthread, __fork_alias, __fork, GLIBC_2_0); - - #endif --- -1.7.1 -