Merge pull request #102114 from MetaDark/fetchzip

fetchzip: remove write permissions for unpacked files
Benjamin Hipple 2020-11-28 19:18:14 -05:00 committed by GitHub
commit 9426084fec
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 7 additions and 9 deletions


@ -355,9 +355,6 @@ rec {
url = "https://download.jboss.org/drools/release/${version}/droolsjbpm-tools-distribution-${version}.zip"; url = "https://download.jboss.org/drools/release/${version}/droolsjbpm-tools-distribution-${version}.zip";
sha512 = "2qzc1iszqfrfnw8xip78n3kp6hlwrvrr708vlmdk7nv525xhs0ssjaxriqdhcr0s6jripmmazxivv3763rnk2bfkh31hmbnckpx4r3m"; sha512 = "2qzc1iszqfrfnw8xip78n3kp6hlwrvrr708vlmdk7nv525xhs0ssjaxriqdhcr0s6jripmmazxivv3763rnk2bfkh31hmbnckpx4r3m";
extraPostFetch = '' extraPostFetch = ''
# work around https://github.com/NixOS/nixpkgs/issues/38649
chmod go-w $out;
# update site is a couple levels deep, alongside some other irrelevant stuff # update site is a couple levels deep, alongside some other irrelevant stuff
cd $out; cd $out;
find . -type f -not -path ./binaries/org.drools.updatesite/\* -exec rm {} \; find . -type f -not -path ./binaries/org.drools.updatesite/\* -exec rm {} \;


@ -8,7 +8,6 @@ stdenv.mkDerivation rec {
src = fetchzip { src = fetchzip {
url = "https://www.supermicro.com/wftp/utility/IPMICFG/IPMICFG_${version}_build.${buildVersion}.zip"; url = "https://www.supermicro.com/wftp/utility/IPMICFG/IPMICFG_${version}_build.${buildVersion}.zip";
sha256 = "0srkzivxa4qlf3x9zdkri7xfq7kjj4fsmn978vzmzsvbxkqswd5a"; sha256 = "0srkzivxa4qlf3x9zdkri7xfq7kjj4fsmn978vzmzsvbxkqswd5a";
extraPostFetch = "chmod u+rwX,go-rwx+X $out/";
}; };
installPhase = '' installPhase = ''


@ -7,7 +7,6 @@ stdenv.mkDerivation rec {
src = fetchzip { src = fetchzip {
url = "https://bobswift.atlassian.net/wiki/download/attachments/16285777/${pname}-${version}-distribution.zip"; url = "https://bobswift.atlassian.net/wiki/download/attachments/16285777/${pname}-${version}-distribution.zip";
sha256 = "091dhjkx7fdn23cj7c4071swncsbmknpvidmmjzhc0355l3p4k2g"; sha256 = "091dhjkx7fdn23cj7c4071swncsbmknpvidmmjzhc0355l3p4k2g";
extraPostFetch = "chmod go-w $out";
}; };
tools = [ tools = [


@ -44,8 +44,13 @@
mv "$unpackDir/$fn" "$out" mv "$unpackDir/$fn" "$out"
'' else '' '' else ''
mv "$unpackDir" "$out" mv "$unpackDir" "$out"
'') #*/ '')
+ extraPostFetch; + extraPostFetch
# Remove write permissions for files unpacked with write bits set
# Fixes https://github.com/NixOS/nixpkgs/issues/38649
+ ''
chmod -R a-w "$out"
'';
} // removeAttrs args [ "stripRoot" "extraPostFetch" ])).overrideAttrs (x: { } // removeAttrs args [ "stripRoot" "extraPostFetch" ])).overrideAttrs (x: {
# Hackety-hack: we actually need unzip hooks, too # Hackety-hack: we actually need unzip hooks, too
nativeBuildInputs = x.nativeBuildInputs ++ [ unzip ]; nativeBuildInputs = x.nativeBuildInputs ++ [ unzip ];
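Review bot: Nothing separates the caller's `extraPostFetch` from the appended `chmod` string, because a Nix indented string that opens with `''` and a line break starts at its first content line. A caller passing a one-line value with no trailing newline (the form `extraPostFetch = "chmod go-w $out";` seen in the call sites this commit cleans up) would have its last command fused with `chmod -R a-w "$out"` on a single shell line. The write bits may then not be stripped as intended, or the caller's command may run with unintended arguments. Adding an explicit separator, `+ extraPostFetch + "\n"`, keeps the final permission pass independent of what callers supply. The enclosing postFetch expression starts above the hunk, so this assumes no separator is added elsewhere.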


@ -11,8 +11,6 @@ in stdenv.mkDerivation rec {
url = url =
"https://github.com/engelsystem/engelsystem/releases/download/v3.1.0/engelsystem-v3.1.0.zip"; "https://github.com/engelsystem/engelsystem/releases/download/v3.1.0/engelsystem-v3.1.0.zip";
sha256 = "01wra7li7n5kn1l6xkrmw4vlvvyqh089zs43qzn98hj0mw8gw7ai"; sha256 = "01wra7li7n5kn1l6xkrmw4vlvvyqh089zs43qzn98hj0mw8gw7ai";
# This is needed, because the zip contains a directory with world write access, which is not allowed in nix
extraPostFetch = "chmod -R a-w $out";
}; };
buildInputs = [ phpExt ]; buildInputs = [ phpExt ];