Merge pull request #41192 from oxij/tree/hardening-unformat

remove some format hardenings

pkgs/development/compilers/ghc/8.0.2.nix

@@ -162,6 +162,8 @@ stdenv.mkDerivation rec {
   # that in turn causes GHCi to abort
   stripDebugFlags = [ "-S" ] ++ stdenv.lib.optional (!targetPlatform.isDarwin) "--keep-file-symbols";
 
+  hardeningDisable = [ "format" ];
+
   postInstall = ''
     for bin in "$out"/lib/${name}/bin/*; do
       isELF "$bin" || continue

pkgs/development/compilers/ghc/8.4.2.nix

@@ -172,6 +172,8 @@ stdenv.mkDerivation rec {
 
   checkTarget = "test";
 
+  hardeningDisable = [ "format" ];
+
   postInstall = ''
     for bin in "$out"/lib/${name}/bin/*; do
       isELF "$bin" || continue

pkgs/development/libraries/a52dec/default.nix

@@ -8,6 +8,12 @@ stdenv.mkDerivation rec {
     sha256 = "0czccp4fcpf2ykp16xcrzdfmnircz1ynhls334q374xknd5747d2";
   };
 
+  # fails 1 out of 1 tests with "BAD GLOBAL SYMBOLS" on i686
+  # which can also be fixed with
+  # hardeningDisable = stdenv.lib.optional stdenv.isi686 "pic";
+  # but it's better to disable tests than loose ASLR on i686
+  doCheck = !stdenv.isi686;
+
   meta = {
     description = "ATSC A/52 stream decoder";
     homepage = http://liba52.sourceforge.net/;

pkgs/development/libraries/enchant/default.nix

@@ -4,16 +4,17 @@ stdenv.mkDerivation rec {
   name = "${pname}-${version}";
   version = "1.6.0";
   pname = "enchant";
-  
+
   src = fetchurl {
     url = "http://www.abisource.com/downloads/${pname}/${version}/${name}.tar.gz";
     sha256 = "0zq9yw1xzk8k9s6x83n1f9srzcwdavzazn3haln4nhp9wxxrxb1g";
   };
-  
+
   nativeBuildInputs = [ pkgconfig ];
-  buildInputs = [aspell glib hunspell hspell];
-  
+  buildInputs = [ aspell glib hunspell hspell ];
+
   meta = {
+    description = "Generic spell checking library";
     homepage = http://www.abisource.com/enchant;
     platforms = stdenv.lib.platforms.unix;
   };

pkgs/development/libraries/tinyxml/2.6.2.nix

@@ -21,8 +21,11 @@ in stdenv.mkDerivation {
     # Use CC, CXX, and LD from environment
     ./2.6.2-cxx.patch
   ];
+
   preConfigure = "export LD=${if stdenv.isDarwin then "clang++" else "g++"}";
 
+  hardeningDisable = [ "format" ];
+
   NIX_CFLAGS_COMPILE =
     stdenv.lib.optional stdenv.isDarwin "-mmacosx-version-min=10.9";
 

pkgs/os-specific/linux/kernel/perf.nix

@@ -31,6 +31,8 @@ stdenv.mkDerivation {
 
   makeFlags = ["prefix=$(out)" "WERROR=0"] ++ kernel.makeFlags;
 
+  hardeningDisable = [ "format" ];
+
   # perf refers both to newt and slang
   nativeBuildInputs = [
     asciidoc xmlto docbook_xsl docbook_xml_dtd_45 libxslt

pkgs/top-level/all-packages.nix

@@ -9263,7 +9263,7 @@ with pkgs;
 
   qt-gstreamer = callPackage ../development/libraries/gstreamer/legacy/qt-gstreamer {};
 
-  qt-gstreamer1 = callPackage ../development/libraries/gstreamer/qt-gstreamer { boost = boost155;};
+  qt-gstreamer1 = callPackage ../development/libraries/gstreamer/qt-gstreamer { boost = boost155; };
 
   qtstyleplugin-kvantum-qt4 = callPackage ../development/libraries/qtstyleplugin-kvantum-qt4 { };
 

pkgs/top-level/perl-packages.nix

@@ -6462,10 +6462,9 @@ let self = _self // overrides; _self = with self; {
     patches = [ ../development/perl-modules/gd-options-passthrough-and-fontconfig.patch ];
 
     # otherwise "cc1: error: -Wformat-security ignored without -Wformat [-Werror=format-security]"
-    NIX_CFLAGS_COMPILE = [ "-Wno-error=format-security" ];
+    hardeningDisable = [ "format" ];
 
-    # tests fail
-    doCheck = false;
+    doCheck = false; # fails 1 out of 13 tests
 
     makeMakerFlags = "--lib_png_path=${pkgs.libpng.out} --lib_jpeg_path=${pkgs.libjpeg.out} --lib_zlib_path=${pkgs.zlib.out} --lib_ft_path=${pkgs.freetype.out} --lib_fontconfig_path=${pkgs.fontconfig.lib} --lib_xpm_path=${pkgs.xorg.libXpm.out}";
   };