Merge branch 'hardened-stdenv' into staging
Closes #12895 Amazing work by @globin & @fpletz getting hardened compiler flags by enabled default on the whole package set
This commit is contained in:
commit
24a9183f90
@ -632,7 +632,7 @@ Given a `default.nix`:
|
||||
src = ./.; }
|
||||
|
||||
Running `nix-shell` with no arguments should give you
|
||||
the environment in which the package would be build with
|
||||
the environment in which the package would be built with
|
||||
`nix-build`.
|
||||
|
||||
Shortcut to setup environments with C headers/libraries and python packages:
|
||||
|
203
doc/stdenv.xml
203
doc/stdenv.xml
@ -1360,6 +1360,209 @@ in the default system locations.</para>
|
||||
|
||||
</section>
|
||||
|
||||
<section xml:id="sec-hardening-in-nixpkgs"><title>Hardening in Nixpkgs</title>
|
||||
|
||||
<para>There are flags available to harden packages at compile or link-time.
|
||||
These can be toggled using the <varname>stdenv.mkDerivation</varname> parameters
|
||||
<varname>hardeningDisable</varname> and <varname>hardeningEnable</varname>.
|
||||
</para>
|
||||
|
||||
<para>The following flags are enabled by default and might require disabling
|
||||
if the program to package is incompatible.
|
||||
</para>
|
||||
|
||||
<variablelist>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>format</varname></term>
|
||||
<listitem><para>Adds the <option>-Wformat -Wformat-security
|
||||
-Werror=format-security</option> compiler options. At present,
|
||||
this warns about calls to <varname>printf</varname> and
|
||||
<varname>scanf</varname> functions where the format string is
|
||||
not a string literal and there are no format arguments, as in
|
||||
<literal>printf(foo);</literal>. This may be a security hole
|
||||
if the format string came from untrusted input and contains
|
||||
<literal>%n</literal>.</para>
|
||||
|
||||
<para>This needs to be turned off or fixed for errors similar to:</para>
|
||||
|
||||
<programlisting>
|
||||
/tmp/nix-build-zynaddsubfx-2.5.2.drv-0/zynaddsubfx-2.5.2/src/UI/guimain.cpp:571:28: error: format not a string literal and no format arguments [-Werror=format-security]
|
||||
printf(help_message);
|
||||
^
|
||||
cc1plus: some warnings being treated as errors
|
||||
</programlisting></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>stackprotector</varname></term>
|
||||
<listitem>
|
||||
<para>Adds the <option>-fstack-protector-strong
|
||||
--param ssp-buffer-size=4</option>
|
||||
compiler options. This adds safety checks against stack overwrites
|
||||
rendering many potential code injection attacks into aborting situations.
|
||||
In the best case this turns code injection vulnerabilities into denial
|
||||
of service or into non-issues (depending on the application).</para>
|
||||
|
||||
<para>This needs to be turned off or fixed for errors similar to:</para>
|
||||
|
||||
<programlisting>
|
||||
bin/blib.a(bios_console.o): In function `bios_handle_cup':
|
||||
/tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail'
|
||||
</programlisting></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>fortify</varname></term>
|
||||
<listitem>
|
||||
<para>Adds the <option>-O2 -D_FORTIFY_SOURCE=2</option> compiler
|
||||
options. During code generation the compiler knows a great deal of
|
||||
information about buffer sizes (where possible), and attempts to replace
|
||||
insecure unlimited length buffer function calls with length-limited ones.
|
||||
This is especially useful for old, crufty code. Additionally, format
|
||||
strings in writable memory that contain '%n' are blocked. If an application
|
||||
depends on such a format string, it will need to be worked around.
|
||||
</para>
|
||||
|
||||
<para>Addtionally, some warnings are enabled which might trigger build
|
||||
failures if compiler warnings are treated as errors in the package build.
|
||||
In this case, set <option>NIX_CFLAGS_COMPILE</option> to
|
||||
<option>-Wno-error=warning-type</option>.</para>
|
||||
|
||||
<para>This needs to be turned off or fixed for errors similar to:</para>
|
||||
|
||||
<programlisting>
|
||||
malloc.c:404:15: error: return type is an incomplete type
|
||||
malloc.c:410:19: error: storage size of 'ms' isn't known
|
||||
</programlisting>
|
||||
<programlisting>
|
||||
strdup.h:22:1: error: expected identifier or '(' before '__extension__'
|
||||
</programlisting>
|
||||
<programlisting>
|
||||
strsep.c:65:23: error: register name not specified for 'delim'
|
||||
</programlisting>
|
||||
<programlisting>
|
||||
installwatch.c:3751:5: error: conflicting types for '__open_2'
|
||||
</programlisting>
|
||||
<programlisting>
|
||||
fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments
|
||||
</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>pic</varname></term>
|
||||
<listitem>
|
||||
<para>Adds the <option>-fPIC</option> compiler options. This options adds
|
||||
support for position independant code in shared libraries and thus making
|
||||
ASLR possible.</para>
|
||||
<para>Most notably, the Linux kernel, kernel modules and other code
|
||||
not running in an operating system environment like boot loaders won't
|
||||
build with PIC enabled. The compiler will is most cases complain that
|
||||
PIC is not supported for a specific build.
|
||||
</para>
|
||||
|
||||
<para>This needs to be turned off or fixed for assembler errors similar to:</para>
|
||||
|
||||
<programlisting>
|
||||
ccbLfRgg.s: Assembler messages:
|
||||
ccbLfRgg.s:33: Error: missing or invalid displacement expression `private_key_len@GOTOFF'
|
||||
</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>strictoverflow</varname></term>
|
||||
<listitem>
|
||||
<para>Signed integer overflow is undefined behaviour according to the C
|
||||
standard. If it happens, it is an error in the program as it should check
|
||||
for overflow before it can happen, not afterwards. GCC provides built-in
|
||||
functions to perform arithmetic with overflow checking, which are correct
|
||||
and faster than any custom implementation. As a workaround, the option
|
||||
<option>-fno-strict-overflow</option> makes gcc behave as if signed
|
||||
integer overflows were defined.
|
||||
</para>
|
||||
|
||||
<para>This flag should not trigger any build or runtime errors.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>relro</varname></term>
|
||||
<listitem>
|
||||
<para>Adds the <option>-z relro</option> linker option. During program
|
||||
load, several ELF memory sections need to be written to by the linker,
|
||||
but can be turned read-only before turning over control to the program.
|
||||
This prevents some GOT (and .dtors) overwrite attacks, but at least the
|
||||
part of the GOT used by the dynamic linker (.got.plt) is still vulnerable.
|
||||
</para>
|
||||
|
||||
<para>This flag can break dynamic shared object loading. For instance, the
|
||||
module systems of Xorg and OpenCV are incompatible with this flag. In almost
|
||||
all cases the <varname>bindnow</varname> flag must also be disabled and
|
||||
incompatible programs typically fail with similar errors at runtime.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>bindnow</varname></term>
|
||||
<listitem>
|
||||
<para>Adds the <option>-z bindnow</option> linker option. During program
|
||||
load, all dynamic symbols are resolved, allowing for the complete GOT to
|
||||
be marked read-only (due to <varname>relro</varname>). This prevents GOT
|
||||
overwrite attacks. For very large applications, this can incur some
|
||||
performance loss during initial load while symbols are resolved, but this
|
||||
shouldn't be an issue for daemons.
|
||||
</para>
|
||||
|
||||
<para>This flag can break dynamic shared object loading. For instance, the
|
||||
module systems of Xorg and PHP are incompatible with this flag. Programs
|
||||
incompatible with this flag often fail at runtime due to missing symbols,
|
||||
like:</para>
|
||||
|
||||
<programlisting>
|
||||
intel_drv.so: undefined symbol: vgaHWFreeHWRec
|
||||
</programlisting>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
|
||||
<para>The following flags are disabled by default and should be enabled
|
||||
for packages that take untrusted input, like network services.
|
||||
</para>
|
||||
|
||||
<variablelist>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>pie</varname></term>
|
||||
<listitem>
|
||||
<para>Adds the <option>-fPIE</option> compiler and <option>-pie</option>
|
||||
linker options. Position Independent Executables are needed to take
|
||||
advantage of Address Space Layout Randomization, supported by modern
|
||||
kernel versions. While ASLR can already be enforced for data areas in
|
||||
the stack and heap (brk and mmap), the code areas must be compiled as
|
||||
position-independent. Shared libraries already do this with the
|
||||
<varname>pic</varname> flag, so they gain ASLR automatically, but binary
|
||||
.text regions need to be build with <varname>pie</varname> to gain ASLR.
|
||||
When this happens, ROP attacks are much harder since there are no static
|
||||
locations to bounce off of during a memory corruption attack.
|
||||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
|
||||
<para>For more in-depth information on these hardening flags and hardening in
|
||||
general, refer to the
|
||||
<link xlink:href="https://wiki.debian.org/Hardening">Debian Wiki</link>,
|
||||
<link xlink:href="https://wiki.ubuntu.com/Security/Features">Ubuntu Wiki</link>,
|
||||
<link xlink:href="https://wiki.gentoo.org/wiki/Project:Hardened">Gentoo Wiki</link>,
|
||||
and the <link xlink:href="https://wiki.archlinux.org/index.php/DeveloperWiki:Security">
|
||||
Arch Wiki</link>.
|
||||
</para>
|
||||
|
||||
</section>
|
||||
|
||||
</chapter>
|
||||
|
||||
|
@ -9,8 +9,7 @@ with lib;
|
||||
default = false;
|
||||
description =
|
||||
'' When enabled, GNU software is chosen by default whenever a there is
|
||||
a choice between GNU and non-GNU software (e.g., GNU lsh
|
||||
vs. OpenSSH).
|
||||
a choice between GNU and non-GNU software.
|
||||
'';
|
||||
};
|
||||
};
|
||||
@ -33,11 +32,6 @@ with lib;
|
||||
boot.loader.grub.enable = !pkgs.stdenv.isArm;
|
||||
boot.loader.grub.version = 2;
|
||||
|
||||
# GNU lsh.
|
||||
services.openssh.enable = false;
|
||||
services.lshd.enable = true;
|
||||
programs.ssh.startAgent = false;
|
||||
|
||||
# TODO: GNU dico.
|
||||
# TODO: GNU Inetutils' inetd.
|
||||
# TODO: GNU Pies.
|
||||
|
@ -404,7 +404,6 @@
|
||||
./services/networking/softether.nix
|
||||
./services/networking/spiped.nix
|
||||
./services/networking/sslh.nix
|
||||
./services/networking/ssh/lshd.nix
|
||||
./services/networking/ssh/sshd.nix
|
||||
./services/networking/strongswan.nix
|
||||
./services/networking/supplicant.nix
|
||||
|
@ -1,176 +0,0 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
|
||||
inherit (pkgs) lsh;
|
||||
|
||||
cfg = config.services.lshd;
|
||||
|
||||
in
|
||||
|
||||
{
|
||||
|
||||
###### interface
|
||||
|
||||
options = {
|
||||
|
||||
services.lshd = {
|
||||
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable the GNU lshd SSH2 daemon, which allows
|
||||
secure remote login.
|
||||
'';
|
||||
};
|
||||
|
||||
portNumber = mkOption {
|
||||
default = 22;
|
||||
description = ''
|
||||
The port on which to listen for connections.
|
||||
'';
|
||||
};
|
||||
|
||||
interfaces = mkOption {
|
||||
default = [];
|
||||
description = ''
|
||||
List of network interfaces where listening for connections.
|
||||
When providing the empty list, `[]', lshd listens on all
|
||||
network interfaces.
|
||||
'';
|
||||
example = [ "localhost" "1.2.3.4:443" ];
|
||||
};
|
||||
|
||||
hostKey = mkOption {
|
||||
default = "/etc/lsh/host-key";
|
||||
description = ''
|
||||
Path to the server's private key. Note that this key must
|
||||
have been created, e.g., using "lsh-keygen --server |
|
||||
lsh-writekey --server", so that you can run lshd.
|
||||
'';
|
||||
};
|
||||
|
||||
syslog = mkOption {
|
||||
default = true;
|
||||
description = ''Whether to enable syslog output.'';
|
||||
};
|
||||
|
||||
passwordAuthentication = mkOption {
|
||||
default = true;
|
||||
description = ''Whether to enable password authentication.'';
|
||||
};
|
||||
|
||||
publicKeyAuthentication = mkOption {
|
||||
default = true;
|
||||
description = ''Whether to enable public key authentication.'';
|
||||
};
|
||||
|
||||
rootLogin = mkOption {
|
||||
default = false;
|
||||
description = ''Whether to enable remote root login.'';
|
||||
};
|
||||
|
||||
loginShell = mkOption {
|
||||
default = null;
|
||||
description = ''
|
||||
If non-null, override the default login shell with the
|
||||
specified value.
|
||||
'';
|
||||
example = "/nix/store/xyz-bash-10.0/bin/bash10";
|
||||
};
|
||||
|
||||
srpKeyExchange = mkOption {
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to enable SRP key exchange and user authentication.
|
||||
'';
|
||||
};
|
||||
|
||||
tcpForwarding = mkOption {
|
||||
default = true;
|
||||
description = ''Whether to enable TCP/IP forwarding.'';
|
||||
};
|
||||
|
||||
x11Forwarding = mkOption {
|
||||
default = true;
|
||||
description = ''Whether to enable X11 forwarding.'';
|
||||
};
|
||||
|
||||
subsystems = mkOption {
|
||||
description = ''
|
||||
List of subsystem-path pairs, where the head of the pair
|
||||
denotes the subsystem name, and the tail denotes the path to
|
||||
an executable implementing it.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
|
||||
###### implementation
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
|
||||
services.lshd.subsystems = [ ["sftp" "${pkgs.lsh}/sbin/sftp-server"] ];
|
||||
|
||||
systemd.services.lshd = {
|
||||
description = "GNU lshd SSH2 daemon";
|
||||
|
||||
after = [ "network-interfaces.target" ];
|
||||
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
environment = {
|
||||
LD_LIBRARY_PATH = config.system.nssModules.path;
|
||||
};
|
||||
|
||||
preStart = ''
|
||||
test -d /etc/lsh || mkdir -m 0755 -p /etc/lsh
|
||||
test -d /var/spool/lsh || mkdir -m 0755 -p /var/spool/lsh
|
||||
|
||||
if ! test -f /var/spool/lsh/yarrow-seed-file
|
||||
then
|
||||
# XXX: It would be nice to provide feedback to the
|
||||
# user when this fails, so that they can retry it
|
||||
# manually.
|
||||
${lsh}/bin/lsh-make-seed --sloppy \
|
||||
-o /var/spool/lsh/yarrow-seed-file
|
||||
fi
|
||||
|
||||
if ! test -f "${cfg.hostKey}"
|
||||
then
|
||||
${lsh}/bin/lsh-keygen --server | \
|
||||
${lsh}/bin/lsh-writekey --server -o "${cfg.hostKey}"
|
||||
fi
|
||||
'';
|
||||
|
||||
script = with cfg; ''
|
||||
${lsh}/sbin/lshd --daemonic \
|
||||
--password-helper="${lsh}/sbin/lsh-pam-checkpw" \
|
||||
-p ${toString portNumber} \
|
||||
${if interfaces == [] then ""
|
||||
else (concatStrings (map (i: "--interface=\"${i}\"")
|
||||
interfaces))} \
|
||||
-h "${hostKey}" \
|
||||
${if !syslog then "--no-syslog" else ""} \
|
||||
${if passwordAuthentication then "--password" else "--no-password" } \
|
||||
${if publicKeyAuthentication then "--publickey" else "--no-publickey" } \
|
||||
${if rootLogin then "--root-login" else "--no-root-login" } \
|
||||
${if loginShell != null then "--login-shell=\"${loginShell}\"" else "" } \
|
||||
${if srpKeyExchange then "--srp-keyexchange" else "--no-srp-keyexchange" } \
|
||||
${if !tcpForwarding then "--no-tcpip-forward" else "--tcpip-forward"} \
|
||||
${if x11Forwarding then "--x11-forward" else "--no-x11-forward" } \
|
||||
--subsystems=${concatStringsSep ","
|
||||
(map (pair: (head pair) + "=" +
|
||||
(head (tail pair)))
|
||||
subsystems)}
|
||||
'';
|
||||
};
|
||||
|
||||
security.pam.services.lshd = {};
|
||||
};
|
||||
}
|
@ -341,7 +341,7 @@ in
|
||||
default = false;
|
||||
type = types.bool;
|
||||
description = ''
|
||||
Whether GRUB should be build against libzfs.
|
||||
Whether GRUB should be built against libzfs.
|
||||
ZFS support is only available for GRUB v2.
|
||||
This option is ignored for GRUB v1.
|
||||
'';
|
||||
@ -351,7 +351,7 @@ in
|
||||
default = false;
|
||||
type = types.bool;
|
||||
description = ''
|
||||
Whether GRUB should be build with EFI support.
|
||||
Whether GRUB should be built with EFI support.
|
||||
EFI support is only available for GRUB v2.
|
||||
This option is ignored for GRUB v1.
|
||||
'';
|
||||
|
@ -8,6 +8,7 @@ import ./make-test.nix ({ pkgs, ... }: {
|
||||
kdev = config.boot.kernelPackages.kernel.dev;
|
||||
kver = config.boot.kernelPackages.kernel.modDirVersion;
|
||||
ksrc = "${kdev}/lib/modules/${kver}/build";
|
||||
hardeningDisable = [ "pic" ];
|
||||
} ''
|
||||
echo "obj-m += $name.o" > Makefile
|
||||
echo "$source" > "$name.c"
|
||||
|
@ -2,6 +2,7 @@
|
||||
|
||||
stdenv.mkDerivation {
|
||||
name = "aacgain-1.9.0";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "mulx";
|
||||
repo = "aacgain";
|
||||
@ -9,6 +10,8 @@ stdenv.mkDerivation {
|
||||
sha256 = "07hl432vsscqg01b6wr99qmsj4gbx0i02x4k565432y6zpfmaxm0";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configurePhase = ''
|
||||
cd mp4v2
|
||||
./configure
|
||||
|
@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
preConfigure = "unset CC";
|
||||
|
||||
patches = stdenv.lib.optionals stdenv.isDarwin [
|
||||
|
@ -16,6 +16,8 @@ stdenv.mkDerivation {
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
src = fetchurl {
|
||||
url = mirror://sourceforge/csound/Csound6.04.tar.gz;
|
||||
sha256 = "1030w38lxdwjz1irr32m9cl0paqmgr02lab2m7f7j1yihwxj1w0g";
|
||||
|
@ -19,6 +19,8 @@ stdenv.mkDerivation {
|
||||
|
||||
patches = [ ./am_path_sdl.patch ./xml.patch ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = {
|
||||
description = "A live looping instrument with JACK and MIDI support";
|
||||
longDescription = ''
|
||||
|
@ -13,6 +13,8 @@ stdenv.mkDerivation {
|
||||
|
||||
buildInputs = [ mpd_clientlib dbus_glib audacious gtk gsl libaudclient ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
description = "Generates playlists such that each song sounds good following the previous song";
|
||||
homepage = http://gjay.sourceforge.net/;
|
||||
|
@ -18,6 +18,8 @@ stdenv.mkDerivation rec {
|
||||
cp jack_capture $out/bin/
|
||||
'';
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
description = "A program for recording soundfiles with jack";
|
||||
homepage = http://archive.notam02.no/arkiv/src;
|
||||
|
@ -8,6 +8,8 @@ stdenv.mkDerivation {
|
||||
sha256 = "0ygras6ndw2fylwxx86ac11pcr2y2bcfvvgiwrh92z6zncx254gc";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildInputs = [ pkgconfig intltool gtk alsaLib libglade ];
|
||||
|
||||
configureFlags = "--disable-jack";
|
||||
|
@ -21,6 +21,8 @@ stdenv.mkDerivation {
|
||||
|
||||
sourceRoot=".";
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildPhase = "./cc";
|
||||
installPhase = ''
|
||||
mkdir -p "$out"/{bin,share/doc/mi2ly}
|
||||
|
@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ ncurses pkgconfig gtk ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configurePhase =
|
||||
'' sed -i Makefile \
|
||||
-e "s|^prefix=.*$|prefix=$out|g ;
|
||||
|
@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
|
||||
install -Dv mp3val "$out/bin/mp3val"
|
||||
'';
|
||||
|
||||
hardeningDisable = [ "fortify" ];
|
||||
|
||||
meta = {
|
||||
description = "A tool for validating and repairing MPEG audio streams";
|
||||
longDescription = ''
|
||||
|
@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configureFlags = [
|
||||
("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no"))
|
||||
];
|
||||
|
@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "067f4li48qfhz2barj70zpf2d2mlii12npx07jx9xjkkgz84z4c9";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "relro" "bindnow" ];
|
||||
|
||||
makeFlags = [
|
||||
"PREFIX=$(out)"
|
||||
];
|
||||
|
@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ puredata ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patchPhase = ''
|
||||
for file in `grep -r -l g_canvas.h`
|
||||
do
|
||||
|
@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ puredata ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patchPhase = ''
|
||||
for i in ${puredata}/include/pd/*; do
|
||||
ln -s $i .
|
||||
|
@ -14,7 +14,9 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "12jqba3jsdrk20ib9wc2wiivki88ypcd4mkzgsri9siywbbz9w8x";
|
||||
};
|
||||
|
||||
buildInputs = [puredata ];
|
||||
buildInputs = [ puredata ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patchPhase = ''
|
||||
for D in net osc
|
||||
|
@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1a1pj4w74wj1gcfv4a0vzcglmr5sw0xp0y56w8rk3ig4k11xi8sa";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildInputs = [ qt4 alsaLib libjack2 ];
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
|
@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1rpf63pdn54c4yg13k7cb1w1c7zsvl97c4qxcpz41c8l91xd55kn";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patches = [ ./fltk-path.patch ];
|
||||
|
||||
buildInputs = [ alsaLib alsaUtils fltk libjack2 libXft libXpm libjpeg
|
||||
|
@ -1,5 +1,5 @@
|
||||
{ stdenv, fetchurl, fetchgit, ftgl, freefont_ttf, libjack2, mesa_glu, pkgconfig
|
||||
, libltc, libsndfile, libsamplerate
|
||||
, libltc, libsndfile, libsamplerate, xz
|
||||
, lv2, mesa, gtk2, cairo, pango, fftwFloat, zita-convolver }:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1ald0c5xbfkdq6g5xwyy8wmbi636m3k3gqrq16kbh46g0kld1as9";
|
||||
};
|
||||
|
||||
buildInputs = [ mesa_glu ftgl freefont_ttf libjack2 libltc libsndfile libsamplerate lv2 mesa gtk2 cairo pango fftwFloat pkgconfig zita-convolver];
|
||||
buildInputs = [ xz mesa_glu ftgl freefont_ttf libjack2 libltc libsndfile libsamplerate lv2 mesa gtk2 cairo pango fftwFloat pkgconfig zita-convolver];
|
||||
|
||||
makeFlags = [ "PREFIX=$(out)" "FONTFILE=${freefont_ttf}/share/fonts/truetype/FreeSansBold.ttf" "LIBZITACONVOLVER=${zita-convolver}/include/zita-convolver.h" ];
|
||||
|
||||
|
@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
|
||||
buildInputs = [ alsaLib libjack2 fftw fltk13 libjpeg minixml zlib liblo ];
|
||||
nativeBuildInputs = [ cmake pkgconfig ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
description = "High quality software synthesizer";
|
||||
homepage = http://zynaddsubfx.sourceforge.net;
|
||||
|
@ -1,19 +1,23 @@
|
||||
{ stdenv, lib, fetchurl, ncurses }:
|
||||
{ stdenv, fetchurl, ncurses }:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
name = "bviplus-${version}";
|
||||
version = "0.9.4";
|
||||
|
||||
src = fetchurl {
|
||||
url = "mirror://sourceforge/project/bviplus/bviplus/${version}/bviplus-${version}.tgz";
|
||||
sha256 = "10x6fbn8v6i0y0m40ja30pwpyqksnn8k2vqd290vxxlvlhzah4zb";
|
||||
};
|
||||
|
||||
buildInputs = [
|
||||
ncurses
|
||||
];
|
||||
|
||||
makeFlags = "PREFIX=$(out)";
|
||||
|
||||
buildFlags = [ "CFLAGS=-fgnu89-inline" ];
|
||||
|
||||
meta = with lib; {
|
||||
meta = with stdenv.lib; {
|
||||
description = "Ncurses based hex editor with a vim-like interface";
|
||||
homepage = http://bviplus.sourceforge.net;
|
||||
license = licenses.gpl3;
|
||||
|
@ -56,6 +56,8 @@ stdenv.mkDerivation rec {
|
||||
|
||||
propagatedBuildInputs = stdenv.lib.optionals stdenv.isDarwin [ AppKit GSS ImageIO ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configureFlags =
|
||||
(if stdenv.isDarwin
|
||||
then [ "--with-ns" "--disable-ns-self-contained" ]
|
||||
|
@ -3,13 +3,18 @@
|
||||
stdenv.mkDerivation rec {
|
||||
name = "ht-${version}";
|
||||
version = "2.1.0";
|
||||
|
||||
src = fetchurl {
|
||||
url = "mirror://sourceforge/project/hte/ht-source/ht-${version}.tar.bz2";
|
||||
sha256 = "0w2xnw3z9ws9qrdpb80q55h6ynhh3aziixcfn45x91bzrbifix9i";
|
||||
};
|
||||
|
||||
buildInputs = [
|
||||
ncurses
|
||||
];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = with lib; {
|
||||
description = "File editor/viewer/analyzer for executables";
|
||||
homepage = "http://hte.sourceforge.net";
|
||||
|
@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ intltool pkgconfig gtk ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configureFlags = [
|
||||
"--enable-chooser"
|
||||
];
|
||||
|
@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1v8y8vwj3kn91crsddqkz843y6csgw7wkjnd3zdcb4bcrf1pjrsk";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildInputs = [ xlibsWrapper motif libXpm ];
|
||||
|
||||
buildFlags = if stdenv.isLinux then "linux" else
|
||||
|
@ -99,6 +99,9 @@ let
|
||||
"-DLUA_PRG=${luaPackages.lua}/bin/lua"
|
||||
];
|
||||
|
||||
# triggers on buffer overflow bug while running tests
|
||||
hardeningDisable = [ "fortify" ];
|
||||
|
||||
preConfigure = ''
|
||||
substituteInPlace runtime/autoload/man.vim \
|
||||
--replace /usr/bin/man ${man}/bin/man
|
||||
|
@ -192,6 +192,8 @@ composableDerivation {
|
||||
|
||||
dontStrip = 1;
|
||||
|
||||
hardeningDisable = [ "fortify" ];
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
description = "The most popular clone of the VI editor";
|
||||
homepage = http://www.vim.org;
|
||||
|
@ -30,6 +30,8 @@ stdenv.mkDerivation rec {
|
||||
"--enable-nls"
|
||||
];
|
||||
|
||||
hardeningDisable = [ "fortify" ];
|
||||
|
||||
postInstall = ''
|
||||
ln -s $out/bin/vim $out/bin/vi
|
||||
mkdir -p $out/share/vim
|
||||
|
@ -18,14 +18,14 @@ stdenv.mkDerivation rec {
|
||||
libXext libXpm libXau libXxf86vm pixman libpthreadstubs fltk
|
||||
];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patches = [ ./install.patch ];
|
||||
|
||||
nativeBuildInputs = [ cmake pkgconfig ];
|
||||
|
||||
NIX_LDFLAGS = "-llcms -ljpeg -lX11";
|
||||
|
||||
# NIX_CFLAGS_COMPILE = "-I.";
|
||||
|
||||
meta = {
|
||||
homepage = http://www.cinepaint.org/;
|
||||
license = stdenv.lib.licenses.free;
|
||||
|
@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
|
||||
|
||||
nativeBuildInputs = [ cmake ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = {
|
||||
description = "Fontmatrix is a free/libre font explorer for Linux, Windows and Mac";
|
||||
homepage = http://fontmatrix.be/;
|
||||
|
@ -11,8 +11,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1sz2n7jbmg3g97bs613xxjpzqbsl5rvpg6v7g3x3ycyd35r8vsfp";
|
||||
};
|
||||
|
||||
# It built code to be put in a shared object without -fPIC
|
||||
NIX_CFLAGS_COMPILE = "-fPIC";
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
prePatch = ''
|
||||
sed -i s,/usr/bin/perl,${perl}/bin/perl, doc/eperl
|
||||
|
@ -15,6 +15,8 @@ stdenv.mkDerivation {
|
||||
|
||||
buildInputs = [pkgconfig gtk libpng];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = {
|
||||
description = "A fast image viewer";
|
||||
homepage = http://gqview.sourceforge.net;
|
||||
|
@ -25,6 +25,6 @@ stdenv.mkDerivation rec {
|
||||
homepage = http://www.kipi-plugins.org;
|
||||
inherit (kdelibs.meta) platforms;
|
||||
maintainers = with stdenv.lib.maintainers; [ viric urkud ];
|
||||
broken = true; # it should be build from digikam sources, perhaps together
|
||||
broken = true; # it should be built from digikam sources, perhaps together
|
||||
};
|
||||
}
|
||||
|
@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
|
||||
|
||||
patches = [ ./include-unistd.diff ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildPhase = ''
|
||||
mkdir -p "$out/include"
|
||||
export NIX_LDFLAGS="-rpath $out/opt/meshlab $NIX_LDFLAGS"
|
||||
|
@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
|
||||
buildInputs = [ qt4 exiv2 openexr fftwSinglePrec libtiff ];
|
||||
nativeBuildInputs = [ qmake4Hook ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
preConfigure = ''
|
||||
export CPATH="${ilmbase}/include/OpenEXR:$CPATH"
|
||||
'';
|
||||
|
@ -38,6 +38,8 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ autoconf automake libtool leptonica libpng libtiff ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
preConfigure = ''
|
||||
./autogen.sh
|
||||
substituteInPlace "configure" \
|
||||
|
@ -16,6 +16,8 @@ stdenv.mkDerivation {
|
||||
|
||||
nativeBuildInputs = [ imake makeWrapper ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
NIX_CFLAGS_COMPILE = "-I${libXpm.dev}/include/X11";
|
||||
|
||||
patches =
|
||||
|
@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ SDL SDL_image pkgconfig libjpeg libpng libtiff ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
makeFlags = [
|
||||
"BACKEND=SDL"
|
||||
];
|
||||
|
@ -46,6 +46,8 @@ stdenv.mkDerivation rec {
|
||||
--set INFERNO_ROOT "$out/share/inferno"
|
||||
'';
|
||||
|
||||
hardeningDisable = [ "fortify" ];
|
||||
|
||||
meta = {
|
||||
description = "A compact distributed operating system for building cross-platform distributed systems";
|
||||
homepage = "http://inferno-os.org/";
|
||||
|
@ -1,11 +1,17 @@
|
||||
{ stdenv, fetchurl, fetchpatch, pkgconfig, gtk, poppler }:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
name = "epdfview-0.1.8";
|
||||
|
||||
src = fetchurl {
|
||||
url = "http://trac.emma-soft.com/epdfview/chrome/site/releases/${name}.tar.bz2";
|
||||
sha256 = "1w7qybh8ssl4dffi5qfajq8mndw7ipsd92vkim03nywxgjp4i1ll";
|
||||
};
|
||||
|
||||
buildInputs = [ pkgconfig gtk poppler ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patches = [ (fetchpatch {
|
||||
name = "epdfview-0.1.8-glib2-headers.patch";
|
||||
url = "https://projects.archlinux.org/svntogit/community.git/plain/trunk/epdfview-0.1.8-glib2-headers.patch?h=packages/epdfview&id=40ba115c860bdec31d03a30fa594a7ec2864d634";
|
||||
@ -17,6 +23,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "07yvgvai2bvbr5fa1mv6lg7nqr0qyryjn1xyjlh8nidg9k9vv001";
|
||||
})
|
||||
];
|
||||
|
||||
meta = {
|
||||
homepage = http://trac.emma-soft.com/epdfview/;
|
||||
description = "A lightweight PDF document viewer using Poppler and GTK+";
|
||||
|
@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [gettext pkgconfig glib gtk libX11 libSM libICE];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
# Makefiles are patched to fix references to `/usr/X11R6' and to add
|
||||
# `-lX11' to make sure libX11's store path is in the RPATH.
|
||||
patchPhase = ''
|
||||
|
@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
|
||||
buildInputs = [ gtk glib pkgconfig libgnome libgnomeui vte curl cdparanoia
|
||||
libid3tag ncurses libtool ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = {
|
||||
description = "GTK+-based audio CD player/ripper";
|
||||
homepage = "http://nostatic.org/grip";
|
||||
|
@ -31,6 +31,8 @@ in stdenv.mkDerivation rec {
|
||||
openjpeg freetype jbig2dec djvulibre openssl ];
|
||||
NIX_LDFLAGS = "-lX11 -lXext";
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
k2_pa = ./k2pdfopt.patch;
|
||||
tess_pa = ./tesseract.patch;
|
||||
|
||||
|
@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
|
||||
owner = "yuejia";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
preConfigure = ''
|
||||
sed -i 's#/usr/bin/##g' Makefile
|
||||
sed -i "s#-lclang#-L$(clang --print-search-dirs |
|
||||
|
@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1xx62l5srfhh9cfi7n3pxj8hpcgr1rpa0hzfmbrqadzv09z36723";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
# 'cvs' is only for the autogen
|
||||
buildInputs = [ pkgconfig gtk SDL fontconfig freetype imlib2 SDL_image mesa
|
||||
libXmu freeglut python gettext quesoglc gd postgresql cmake qt4 SDL_ttf fribidi ];
|
||||
|
@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1dqpdk8zl0smdg4fganp3hxb943q40619qmxjlga9jhjc01s7fq5";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildInputs = [ cmake unzip pkgconfig libXpm fltk13 freeimage ];
|
||||
|
||||
unpackPhase = ''
|
||||
|
@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1cnyv7gd1qvz8ma8545d3aq726wxrx4km7ykl97831irx5wz0r51";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patches = ( if stdenv.isDarwin
|
||||
then [ ./sdcv.cpp.patch-darwin ./utils.hpp.patch ]
|
||||
else [ ./sdcv.cpp.patch ] );
|
||||
|
@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "0max5schga9hmf3vfqk2ic91dr6raxglyyjcqchzla280kxn5c28";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
#
|
||||
# I know this is ugly, but the Makefile does strange things in this package,
|
||||
# so we have to:
|
||||
|
@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1x4qp6wpszscbbs4czkfvskm7qjglvxm813nqv281bpy4y1hhvgs";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildInputs = [ pkgconfig qt4 qmake4Hook ];
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
|
@ -10,6 +10,8 @@ stdenv.mkDerivation {
|
||||
|
||||
buildInputs = [tcl tk xlibsWrapper makeWrapper];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patchPhase = ''
|
||||
sed "13i#define USE_INTERP_RESULT 1" -i src/stubs.c
|
||||
'';
|
||||
|
@ -25,6 +25,8 @@ stdenv.mkDerivation {
|
||||
# Debian uses '-fpermissive' to bypass some errors on char* constantness.
|
||||
CXXFLAGS = "-O2 -fpermissive";
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configureFlags = "--enable-a4-paper";
|
||||
|
||||
postInstall = stdenv.lib.optionalString (base14Fonts != null) ''
|
||||
|
@ -11,9 +11,9 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ];
|
||||
|
||||
installPhase = ''
|
||||
make PREFIX=/ DESTDIR=$out install
|
||||
'';
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
installFlags = "PREFIX=/ DESTDIR=$(out)";
|
||||
|
||||
preFixup = ''
|
||||
wrapProgram "$out/bin/vimprobable2" \
|
||||
|
@ -50,6 +50,8 @@ stdenv.mkDerivation rec {
|
||||
ln -s $out/libexec/w3m/w3mimgdisplay $out/bin
|
||||
'';
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configureFlags = "--with-ssl=${openssl.dev} --with-gc=${boehmgc.dev}"
|
||||
+ optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb";
|
||||
|
||||
|
@ -19,6 +19,8 @@ stdenv.mkDerivation {
|
||||
|
||||
dontDisableStatic = true;
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configureFlags = "--with-ncurses=${ncurses.dev}";
|
||||
|
||||
preConfigure = stdenv.lib.optionalString enablePlugin ''
|
||||
|
@ -27,6 +27,8 @@ stdenv.mkDerivation rec {
|
||||
qmakeFlags="$qmakeFlags INSTALL_PREFIX=$out"
|
||||
'';
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
description = "An XMPP client fully composed of plugins";
|
||||
maintainers = [ maintainers.raskin ];
|
||||
|
@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
|
||||
--localstatedir=$out/var --sbindir=$out/bin
|
||||
'';
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = {
|
||||
description = "A console-based network monitoring utility (fork of iptraf)";
|
||||
longDescription = ''
|
||||
|
@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "12n059j9iihhpf6spmlaspqzxz3wqan6kkpnhmlj08jdijpnk84m";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patchPhase = ''
|
||||
sed -i -e 's,#include <linux/if_tr.h>,#include <netinet/if_tr.h>,' src/*
|
||||
'';
|
||||
|
@ -30,10 +30,7 @@ in stdenv.mkDerivation {
|
||||
}
|
||||
];
|
||||
|
||||
postPatch = ''
|
||||
'';
|
||||
|
||||
configureFlags = [ "--disable-pie" ];
|
||||
NIX_CFLAGS_COMPILE = "-Wno-error=unused-result";
|
||||
|
||||
buildInputs = [ bison flex autoconf automake openssl ];
|
||||
|
||||
|
@ -1,36 +1,37 @@
|
||||
{stdenv, fetchurl, ncurses, tcl, openssl, pam, pkgconfig, gettext, kerberos
|
||||
, openldap
|
||||
}:
|
||||
|
||||
let
|
||||
s =
|
||||
rec {
|
||||
version = "2.00";
|
||||
baseName = "alpine";
|
||||
in
|
||||
stdenv.mkDerivation {
|
||||
name = "${baseName}-${version}";
|
||||
|
||||
src = fetchurl {
|
||||
url = "ftp://ftp.cac.washington.edu/alpine/alpine-${version}.tar.bz2";
|
||||
sha256 = "19m2w21dqn55rhxbh5lr9qarc2fqa9wmpj204jx7a0zrb90bhpf8";
|
||||
baseName = "alpine";
|
||||
name = "${baseName}-${version}";
|
||||
};
|
||||
|
||||
buildInputs = [
|
||||
ncurses tcl openssl pam kerberos openldap
|
||||
];
|
||||
in
|
||||
stdenv.mkDerivation {
|
||||
inherit (s) name version;
|
||||
inherit buildInputs;
|
||||
src = fetchurl {
|
||||
inherit (s) url sha256;
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" "fortify" ];
|
||||
|
||||
configureFlags = [
|
||||
"--with-ssl-include-dir=${openssl.dev}/include/openssl"
|
||||
"--with-tcl-lib=${tcl.libPrefix}"
|
||||
"--with-passfile=.pine-passfile"
|
||||
];
|
||||
|
||||
preConfigure = ''
|
||||
export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
|
||||
'';
|
||||
|
||||
meta = {
|
||||
inherit (s) version;
|
||||
description = ''Console mail reader'';
|
||||
description = "Console mail reader";
|
||||
license = stdenv.lib.licenses.asl20;
|
||||
maintainers = [stdenv.lib.maintainers.raskin];
|
||||
platforms = stdenv.lib.platforms.linux;
|
||||
|
@ -2,34 +2,35 @@
|
||||
, openldap
|
||||
}:
|
||||
let
|
||||
s =
|
||||
rec {
|
||||
baseName = "re-alpine";
|
||||
version = "2.03";
|
||||
in
|
||||
stdenv.mkDerivation {
|
||||
name = "${baseName}-${version}";
|
||||
inherit version;
|
||||
|
||||
src = fetchurl {
|
||||
url = "mirror://sourceforge/re-alpine/re-alpine-${version}.tar.bz2";
|
||||
sha256 = "11xspzbk9cwmklmcw6rxsan7j71ysd4m9c7qldlc59ck595k5nbh";
|
||||
baseName = "re-alpine";
|
||||
name = "${baseName}-${version}";
|
||||
};
|
||||
|
||||
buildInputs = [
|
||||
ncurses tcl openssl pam kerberos openldap
|
||||
];
|
||||
in
|
||||
stdenv.mkDerivation {
|
||||
inherit (s) name version;
|
||||
inherit buildInputs;
|
||||
src = fetchurl {
|
||||
inherit (s) url sha256;
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
configureFlags = [
|
||||
"--with-ssl-include-dir=${openssl.dev}/include/openssl"
|
||||
"--with-tcl-lib=${tcl.libPrefix}"
|
||||
];
|
||||
|
||||
preConfigure = ''
|
||||
export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
|
||||
'';
|
||||
|
||||
meta = {
|
||||
inherit (s) version;
|
||||
description = ''Console mail reader'';
|
||||
description = "Console mail reader";
|
||||
license = stdenv.lib.licenses.asl20;
|
||||
maintainers = [stdenv.lib.maintainers.raskin];
|
||||
platforms = stdenv.lib.platforms.linux;
|
||||
|
@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
|
||||
|
||||
configurePhase = "makeFlags=PREFIX=$out";
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
postInstall = ''
|
||||
sed -i -e 's|exec wish|exec ${tk}/bin/wish|' $out/lib/ssvnc/util/ssvnc.tcl
|
||||
sed -i -e 's|/usr/bin/perl|${perl}/bin/perl|' $out/lib/ssvnc/util/ss_vncviewer
|
||||
|
@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "dfbcac97f5a1b41ad9a63392394f37fb294cbf78c576673c9bc4a5370957b2c8";
|
||||
};
|
||||
|
||||
cmakeFlags = [ "-DCMAKE_BUILD_TYPE=Release" ];
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildInputs = [ cmake qt4 libxml2 libxslt ];
|
||||
|
||||
|
@ -5,6 +5,8 @@ stdenv.mkDerivation rec {
|
||||
name = "drgeo-${version}";
|
||||
version = "1.1.0";
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
src = fetchurl {
|
||||
url = "mirror://sourceforge/ofset/${name}.tar.gz";
|
||||
sha256 = "05i2czgzhpzi80xxghinvkyqx4ym0gm9f38fz53idjhigiivp4wc";
|
||||
|
@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "16z0gc7a9dkarwn0l6rvg5jdhw1q4qyn4501zlchy0zxqddz0sx6";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
preConfigure = ''
|
||||
substituteInPlace Makefile \
|
||||
--replace "CC=gcc" ""
|
||||
|
@ -17,6 +17,9 @@ stdenv.mkDerivation {
|
||||
src = fetchurl {
|
||||
inherit (s) url sha256;
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildPhase = ''
|
||||
find . -name Makefile | xargs sed -i -e "s@/bin/rm@$(type -P rm)@g"
|
||||
find . -name Makefile | xargs sed -i -e "s@/bin/mv@$(type -P mv)@g"
|
||||
@ -32,11 +35,13 @@ stdenv.mkDerivation {
|
||||
make -C source/formed realclean
|
||||
make -C source/formed formed
|
||||
'';
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p "$out"/{bin,share/otter}
|
||||
cp bin/* source/formed/formed "$out/bin/"
|
||||
cp -r examples examples-mace2 documents README* Legal Changelog Contents index.html "$out/share/otter/"
|
||||
'';
|
||||
|
||||
meta = {
|
||||
inherit (s) version;
|
||||
description = "A reliable first-order theorem prover";
|
||||
|
@ -8,7 +8,7 @@ stdenv.mkDerivation {
|
||||
sha256 = "1l2i3d3h5z7nnbzilb6z92r0rbx0kh6yaxn2c5qhn3000xcfsay3";
|
||||
};
|
||||
|
||||
phases = "unpackPhase patchPhase buildPhase installPhase";
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patchPhase = ''
|
||||
RM=$(type -tp rm)
|
||||
@ -23,6 +23,8 @@ stdenv.mkDerivation {
|
||||
|
||||
buildFlags = "all";
|
||||
|
||||
checkPhase = "make test1";
|
||||
|
||||
installPhase = ''
|
||||
mkdir -p $out/bin
|
||||
cp bin/* $out/bin
|
||||
|
@ -12,6 +12,8 @@ stdenv.mkDerivation {
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildInputs = [ zlib bzip2 ];
|
||||
|
||||
# FIXME: move share/coin/Data to a separate output?
|
||||
|
@ -5,6 +5,8 @@ stdenv.mkDerivation {
|
||||
version = "4-beta";
|
||||
buildInputs = [unzip gcc48];
|
||||
|
||||
hardeningDisable = [ "stackprotector" ];
|
||||
|
||||
src = fetchurl {
|
||||
url = "http://www.sas.upenn.edu/~vnanda/source/perseus_4_beta.zip";
|
||||
sha256 = "09brijnqabhgfjlj5wny0bqm5dwqcfkp1x5wif6yzdmqh080jybj";
|
||||
@ -30,7 +32,7 @@ stdenv.mkDerivation {
|
||||
around datasets arising from point samples, images, distance
|
||||
matrices and so forth.
|
||||
'';
|
||||
homepage = "www.sas.upenn.edu/~vnanda/perseus/index.html";
|
||||
homepage = "http://www.sas.upenn.edu/~vnanda/perseus/index.html";
|
||||
license = stdenv.lib.licenses.gpl3;
|
||||
maintainers = with stdenv.lib.maintainers; [erikryb];
|
||||
platforms = stdenv.lib.platforms.linux;
|
||||
|
@ -1,4 +1,5 @@
|
||||
{ stdenv, fetchurl, intltool, autoreconfHook, pkgconfig, libqalculate, gtk3, wrapGAppsHook }:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
name = "qalculate-gtk-${version}";
|
||||
version = "0.9.8";
|
||||
@ -8,6 +9,8 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "15ci0p7jlikk2rira6ykgrmcdvgpxzprpqmkdxx6hsg4pvzrj54s";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
nativeBuildInputs = [ intltool pkgconfig autoreconfHook wrapGAppsHook ];
|
||||
buildInputs = [ libqalculate gtk3 ];
|
||||
|
||||
|
@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
|
||||
find . -exec sed -e 's@/bin/uname@${coreutils}&@g' -i '{}' ';'
|
||||
'';
|
||||
|
||||
hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector";
|
||||
|
||||
postInstall = ''
|
||||
rm -rf "$out/LIB"
|
||||
cp -r Singular/LIB "$out"
|
||||
|
@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "1dmafm3w0lm5w211nwkfzaid1rvvmgskz7k4500pjhgdczi5sd78";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
# Perl is only for the documentation
|
||||
nativeBuildInputs = [ perl ];
|
||||
|
||||
|
@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "0lk4vydpq5bi52m81h327gvzdzybf8kkak7yjwmpj6kg1jn9blaz";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "fortify" ];
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
||||
buildInputs = [
|
||||
|
@ -10,6 +10,8 @@ stdenv.mkDerivation {
|
||||
|
||||
patches = [ ./getcwd-chroot.patch ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
preConfigure = ''
|
||||
# Apply the Debian patches.
|
||||
for p in "debian/patches/"*; do
|
||||
|
@ -22,6 +22,8 @@ stdenv.mkDerivation {
|
||||
sha256 = "0qzs681a64k3shh5p0rg41l1z16fbk5sj0xga45k34hp1hsp654z";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patches = [
|
||||
./docbook2texi.patch
|
||||
./symlinks-in-bin.patch
|
||||
|
@ -3,20 +3,13 @@
|
||||
stdenv.mkDerivation rec {
|
||||
name = "qgit-2.5";
|
||||
|
||||
meta =
|
||||
{
|
||||
license = stdenv.lib.licenses.gpl2;
|
||||
homepage = "http://libre.tibirna.org/projects/qgit/wiki/QGit";
|
||||
description = "Graphical front-end to Git";
|
||||
inherit (qt4.meta) platforms;
|
||||
};
|
||||
|
||||
src = fetchurl
|
||||
{
|
||||
src = fetchurl {
|
||||
url = "http://libre.tibirna.org/attachments/download/9/${name}.tar.gz";
|
||||
sha256 = "25f1ca2860d840d87b9919d34fc3a1b05d4163671ed87d29c3e4a8a09e0b2499";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
buildInputs = [ qt4 libXext libX11 ];
|
||||
|
||||
nativeBuildInputs = [ qmake4Hook ];
|
||||
@ -24,4 +17,11 @@ stdenv.mkDerivation rec {
|
||||
installPhase = ''
|
||||
install -s -D -m 755 bin/qgit "$out/bin/qgit"
|
||||
'';
|
||||
|
||||
meta = {
|
||||
license = stdenv.lib.licenses.gpl2;
|
||||
homepage = "http://libre.tibirna.org/projects/qgit/wiki/QGit";
|
||||
description = "Graphical front-end to Git";
|
||||
inherit (qt4.meta) platforms;
|
||||
};
|
||||
}
|
||||
|
@ -11,6 +11,8 @@ in stdenv.mkDerivation rec {
|
||||
sha256 = "0x0zwxyj4dwbk7l64s3lgny10mjf0ba8jwrbafsm4d72sncmacv0";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
# taken from redmine (2.5.1-2~bpo70+3) in debian wheezy-backports
|
||||
# needed to separate run-time and build-time directories
|
||||
patches = [
|
||||
@ -18,6 +20,7 @@ in stdenv.mkDerivation rec {
|
||||
./2004_FHS_plugins_assets.patch
|
||||
./2003_externalize_session_config.patch
|
||||
];
|
||||
|
||||
postPatch = ''
|
||||
substituteInPlace lib/redmine/plugin.rb --replace "File.join(Rails.root, 'plugins')" "ENV['RAILS_PLUGINS']"
|
||||
substituteInPlace lib/redmine/plugin.rb --replace "File.join(Rails.root, 'plugins', id.to_s, 'db', 'migrate')" "File.join(ENV['RAILS_PLUGINS'], id.to_s, 'db', 'migrate')"
|
||||
|
@ -43,6 +43,8 @@ stdenv.mkDerivation rec {
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
||||
hardeningDisable = [ "bindnow" "relro" ];
|
||||
|
||||
postInstall = "ln -s $out/bin/aegisub-* $out/bin/aegisub";
|
||||
|
||||
meta = {
|
||||
|
@ -67,14 +67,11 @@ stdenv.mkDerivation {
|
||||
pkgconfig perl perlXMLParser libavc1394 libiec61883 intltool libXv gettext libX11 glib cairo ffmpeg libv4l ]; # TODOoptional packages
|
||||
|
||||
configureFlags = "--enable-local-ffmpeg=no";
|
||||
#preConfigure = "
|
||||
# grep 11 env-vars
|
||||
# ex
|
||||
#";
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patches = [ ./kino-1.3.4-v4l1.patch ./kino-1.3.4-libav-0.7.patch ./kino-1.3.4-libav-0.8.patch ]; #./kino-1.3.4-libavcodec-pkg-config.patch ];
|
||||
|
||||
|
||||
postInstall = "
|
||||
rpath=`patchelf --print-rpath \$out/bin/kino`;
|
||||
for i in $\buildInputs; do
|
||||
@ -86,7 +83,6 @@ stdenv.mkDerivation {
|
||||
done
|
||||
";
|
||||
|
||||
|
||||
meta = {
|
||||
description = "Non-linear DV editor for GNU/Linux";
|
||||
homepage = http://www.kinodv.org/;
|
||||
|
@ -41,6 +41,8 @@ stdenv.mkDerivation rec {
|
||||
|
||||
doCheck = true;
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patches = [ ./subtitleeditor-0.52.1-build-fix.patch ];
|
||||
|
||||
preConfigure = ''
|
||||
|
@ -17,6 +17,8 @@ stdenv.mkDerivation (edk2.setup "OvmfPkg/OvmfPkg${targetArch}.dsc" {
|
||||
# TODO: properly include openssl for secureBoot
|
||||
buildInputs = [nasm iasl] ++ stdenv.lib.optionals (secureBoot == true) [ openssl ];
|
||||
|
||||
hardeningDisable = [ "stackprotector" "pic" "fortify" ];
|
||||
|
||||
unpackPhase = ''
|
||||
for file in \
|
||||
"${edk2.src}"/{UefiCpuPkg,MdeModulePkg,IntelFrameworkModulePkg,PcAtChipsetPkg,FatBinPkg,EdkShellBinPkg,MdePkg,ShellPkg,OptionRomPkg,IntelFrameworkPkg};
|
||||
|
@ -146,6 +146,8 @@ stdenv.mkDerivation rec {
|
||||
NIX_CFLAGS_COMPILE="-I${gtk.dev}/include/gtk-2.0/ -I${libtool}/include/";
|
||||
NIX_LDFLAGS="-L${libtool.lib}/lib";
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
description = "An open-source IA-32 (x86) PC emulator";
|
||||
longDescription = ''
|
||||
|
@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ iasl flex bison ];
|
||||
|
||||
hardeningDisable = [ "fortify" ];
|
||||
|
||||
buildPhase = ''
|
||||
export LEX=${flex}/bin/flex
|
||||
make -C util/cbfstool
|
||||
|
@ -14,6 +14,8 @@ stdenv.mkDerivation {
|
||||
cp bios.bin* $out/.
|
||||
'';
|
||||
|
||||
hardeningDisable = [ "stackprotector" "pic" ];
|
||||
|
||||
meta = {
|
||||
description = "A simple x86 firmware for booting Linux";
|
||||
homepage = https://github.com/bonzini/qboot;
|
||||
|
@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ iasl python ];
|
||||
|
||||
hardeningDisable = [ "pic" "stackprotector" "fortify" ];
|
||||
|
||||
configurePhase = ''
|
||||
# build SeaBIOS for CSM
|
||||
cat > .config << EOF
|
||||
|
@ -74,6 +74,8 @@ in stdenv.mkDerivation {
|
||||
++ optional pythonBindings python
|
||||
++ optional pulseSupport libpulseaudio;
|
||||
|
||||
hardeningDisable = [ "fortify" "pic" "stackprotector" ];
|
||||
|
||||
prePatch = ''
|
||||
set -x
|
||||
MODULES_BUILD_DIR=`echo ${kernel.dev}/lib/modules/*/build`
|
||||
|
@ -17,6 +17,8 @@ stdenv.mkDerivation {
|
||||
|
||||
KERN_DIR = "${kernel.dev}/lib/modules/*/build";
|
||||
|
||||
hardeningDisable = [ "pic" ];
|
||||
|
||||
buildInputs = [ patchelf cdrkit makeWrapper dbus ];
|
||||
|
||||
installPhase = ''
|
||||
|
@ -48,6 +48,8 @@ stdenv.mkDerivation {
|
||||
|
||||
pythonPath = [ pythonPackages.curses ];
|
||||
|
||||
hardeningDisable = [ "stackprotector" "fortify" "pic" ];
|
||||
|
||||
patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches;
|
||||
|
||||
postPatch = ''
|
||||
|
@ -3,12 +3,16 @@
|
||||
stdenv.mkDerivation rec {
|
||||
name = "stalonetray-${version}";
|
||||
version = "0.8.1";
|
||||
|
||||
src = fetchurl {
|
||||
url = "mirror://sourceforge/stalonetray/${name}.tar.bz2";
|
||||
sha256 = "1wp8pnlv34w7xizj1vivnc3fkwqq4qgb9dbrsg15598iw85gi8ll";
|
||||
};
|
||||
|
||||
buildInputs = [ libX11 xproto ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
meta = with stdenv.lib; {
|
||||
description = "Stand alone tray";
|
||||
maintainers = with maintainers; [ raskin ];
|
||||
|
@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
|
||||
|
||||
buildInputs = [ cairo gdk_pixbuf libconfig pango pkgconfig xcbutilwm ];
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
postPatch = ''
|
||||
substituteInPlace ./Makefile --replace "\$(shell git describe)" "${version}"
|
||||
'';
|
||||
|
61
pkgs/build-support/cc-wrapper/add-hardening
Normal file
61
pkgs/build-support/cc-wrapper/add-hardening
Normal file
@ -0,0 +1,61 @@
|
||||
hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow)
|
||||
hardeningFlags+=("${hardeningEnable[@]}")
|
||||
hardeningCFlags=()
|
||||
hardeningLDFlags=()
|
||||
hardeningDisable=${hardeningDisable:-""}
|
||||
|
||||
if [[ "$($LD -z 2>&1)" =~ "unknown option" ]]; then
|
||||
hardeningDisable+=" bindnow relro"
|
||||
fi
|
||||
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi
|
||||
|
||||
if [[ ! $hardeningDisable == "all" ]]; then
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi
|
||||
for flag in "${hardeningFlags[@]}"
|
||||
do
|
||||
if [[ ! "${hardeningDisable}" =~ "$flag" ]]; then
|
||||
case $flag in
|
||||
fortify)
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify >&2; fi
|
||||
hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
|
||||
;;
|
||||
stackprotector)
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackprotector >&2; fi
|
||||
hardeningCFlags+=('-fstack-protector-strong' '--param ssp-buffer-size=4')
|
||||
;;
|
||||
pie)
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi
|
||||
hardeningCFlags+=('-fPIE')
|
||||
if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi
|
||||
hardeningLDFlags+=('-pie')
|
||||
fi
|
||||
;;
|
||||
pic)
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling pic >&2; fi
|
||||
hardeningCFlags+=('-fPIC')
|
||||
;;
|
||||
strictoverflow)
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling strictoverflow >&2; fi
|
||||
hardeningCFlags+=('-fno-strict-overflow')
|
||||
;;
|
||||
format)
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling format >&2; fi
|
||||
hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
|
||||
;;
|
||||
relro)
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling relro >&2; fi
|
||||
hardeningLDFlags+=('-z relro')
|
||||
;;
|
||||
bindnow)
|
||||
if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow >&2; fi
|
||||
hardeningLDFlags+=('-z now')
|
||||
;;
|
||||
*)
|
||||
echo "Hardening flag unknown: $flag" >&2
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
done
|
||||
fi
|
@ -70,7 +70,6 @@ if [ "$nonFlagArgs" = 0 ]; then
|
||||
dontLink=1
|
||||
fi
|
||||
|
||||
|
||||
# Optionally filter out paths not refering to the store.
|
||||
if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" ]; then
|
||||
rest=()
|
||||
@ -117,16 +116,18 @@ if [[ "$isCpp" = 1 ]]; then
|
||||
NIX_CFLAGS_LINK="$NIX_CFLAGS_LINK $NIX_CXXSTDLIB_LINK"
|
||||
fi
|
||||
|
||||
# Add the flags for the C compiler proper.
|
||||
extraAfter=($NIX_CFLAGS_COMPILE)
|
||||
extraBefore=()
|
||||
LD=@ldPath@/ld
|
||||
source @out@/nix-support/add-hardening.sh
|
||||
|
||||
# Add the flags for the C compiler proper.
|
||||
extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]})
|
||||
extraBefore=()
|
||||
|
||||
if [ "$dontLink" != 1 ]; then
|
||||
|
||||
# Add the flags that should only be passed to the compiler when
|
||||
# linking.
|
||||
extraAfter+=($NIX_CFLAGS_LINK)
|
||||
extraAfter+=($NIX_CFLAGS_LINK ${hardeningLDFlags[@]})
|
||||
|
||||
# Add the flags that should be passed to the linker (and prevent
|
||||
# `ld-wrapper' from adding NIX_LDFLAGS again).
|
||||
|
@ -238,6 +238,7 @@ stdenv.mkDerivation {
|
||||
rm $out/nix-support/setup-hook.tmp
|
||||
|
||||
substituteAll ${./add-flags} $out/nix-support/add-flags.sh
|
||||
cp -p ${./add-hardening} $out/nix-support/add-hardening.sh
|
||||
cp -p ${./utils.sh} $out/nix-support/utils.sh
|
||||
''
|
||||
+ extraBuildCommands;
|
||||
|
@ -47,8 +47,10 @@ if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \
|
||||
params=("${rest[@]}")
|
||||
fi
|
||||
|
||||
LD=@prog@
|
||||
source @out@/nix-support/add-hardening.sh
|
||||
|
||||
extra=()
|
||||
extra=(${hardeningLDFlags[@]})
|
||||
extraBefore=()
|
||||
|
||||
if [ -z "$NIX_LDFLAGS_SET" ]; then
|
||||
@ -56,7 +58,7 @@ if [ -z "$NIX_LDFLAGS_SET" ]; then
|
||||
extraBefore+=($NIX_LDFLAGS_BEFORE)
|
||||
fi
|
||||
|
||||
extra+=($NIX_LDFLAGS_AFTER)
|
||||
extra+=($NIX_LDFLAGS_AFTER $NIX_LDFLAGS_HARDEN)
|
||||
|
||||
|
||||
# Add all used dynamic libraries to the rpath.
|
||||
|
@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
|
||||
sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71";
|
||||
};
|
||||
|
||||
hardeningDisable = [ "format" ];
|
||||
|
||||
patches = [ ./glib.patch ./cups_1.6.patch ];
|
||||
|
||||
buildInputs = [ pkgconfig gtk gettext intltool libart_lgpl ];
|
||||
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user