Includes multiple security fixes mentioned in
https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/
(unfortunately, no CVE numbers as of yet)
- Directory Traversal to Arbitrary File Read
- Account Takeover Through Expired Link
- Server Side Request Forgery Through Deprecated Service
- Group Two-Factor Authentication Requirement Bypass
- Stored XSS in Merge Request Pages
- Stored XSS in Merge Request Submission Form
- Stored XSS in File View
- Stored XSS in Grafana Integration
- Contribution Analytics Exposed to Non-members
- Incorrect Access Control in Docker Registry via Deploy Tokens
- Denial of Service via Permission Checks
- Denial of Service in Design For Public Issue
- GitHub Tokens Displayed in Plaintext on Integrations Page
- Incorrect Access Control via LFS Import
- Unescaped HTML in Header
- Private Merge Request Titles Leaked via Widget
- Project Namespace Exposed via Vulnerability Feedback Endpoint
- Denial of Service Through Recursive Requests
- Project Authorization Not Being Updated
- Incorrect Permission Level For Group Invites
- Disclosure of Private Group Epic Information
- User IP Address Exposed via Badge images
- Update postgresql (GitLab Omnibus)
###### Motivation for this change
Update to latest upstream version
###### Things done
* [ ] Tested using sandboxing ([nix.useSandbox](http://nixos.org/nixos/manual/options.html#opt-nix.useSandbox) on NixOS, or option `sandbox` in [`nix.conf`](http://nixos.org/nix/manual/#sec-conf-file) on non-NixOS linux)
* Built on platform(s)
  * [x] NixOS
  * [ ] macOS
  * [ ] other Linux distributions
* [ ] Tested via one or more NixOS test(s) if existing and applicable for the change (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
* [ ] Tested compilation of all pkgs that depend on this change using `nix-shell -p nix-review --run "nix-review wip"`
* [x] Tested execution of all binary files (usually in `./result/bin/`)
* [ ] Determined the impact on package closure size (by running `nix path-info -S` before and after)
* [ ] Ensured that relevant documentation is up to date
* [x] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md).
###### Notify maintainers
cc @worldofpeace @tfc @jtraue
Old intercaps names are aliased.
darcs-to-git: rename from darcsToGit
git-fast-export: rename from gitFastExport
git-remote-gcrypt: rename from gitRemoteGcrypt
hub-unstable: rename from hubUnstable
top-git: rename from topGit
Changes the default fetcher in the Rust Platform to be the newer
`fetchCargoTarball`, and changes every application using the current default to
instead opt out.
This commit does not change any hashes or cause any rebuilds. Once integrated,
we will start deleting the opt-outs and recomputing hashes.
See #79975 for details.
The existing post-install was not successfully patching the git-gui script,
and thus was invoking the packaged osx app which uses the system tk,
which is too old to work (and is no longer supported by Apple anyway).
This has several advantages:
1. It takes up less space on disk in-between builds in the nix store.
2. It uses less space in the binary cache for vendor derivation packages.
3. It uses less network traffic downloading from the binary cache.
4. It plays nicely with hashed mirrors like tarballs.nixos.org, which only
   substitute --flat hashes on single files (not recursive directory hashes).
5. It's consistent with how simple `fetchurl` src derivations work.
6. It provides a stronger abstraction between input src-package and output
   package, e.g., it's harder to accidentally depend on the src derivation at
   runtime by referencing something like `${src}/etc/index.html`. Likewise, in
   the store it's harder to get confused with something that is just there as a
   build-time dependency vs. a runtime dependency, since the build-time
   src dependencies are tarred up.
Disadvantages are:
1. It takes slightly longer to untar at the start of a build.
As currently implemented, this attaches the compacted vendor.tar.gz feature as a
rider on `verifyCargoDeps`, since both of them are relatively newly implemented
behavior that change the `cargoSha256`.
If this PR is accepted, I will push forward the remaining rust packages with a
series of treewide PRs to update the `cargoSha256`s.
Git ships with a zsh completion script, but this script was previously
only available at $out/share/git/contrib/completion/git-completion.zsh,
which is not a path (or a filename) that would be discovered by a
typical zsh installation. This commit symlinks that file to
$out/share/zsh/site-functions/_git, which is a more standard location.
That zsh completion script is mostly a wrapper around the Bash
completion script, so this commit also patches the former so that it can
"find" the latter.
The old variant is still working but setting "cafile" is deprecated
since version 3.6 [0] and generates a warning:
DeprecationWarning: cafile, capath and cadefault are deprecated, use a custom context instead.
But without this patch "fetchRepoProject" still fails with
"error no host given" (see 337380ea1d).
[0]: https://docs.python.org/3.7/library/urllib.request.html#urllib.request.urlopen
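
Added example, not part of the commit above or of nixpkgs: the migration the deprecation warning asks for, replacing `urlopen(url, cafile=...)` with an explicit `ssl` context, so that certificate and hostname verification stay on and a missing CA bundle is an error rather than a silent downgrade. The function names `make_tls_context`, `fetch` and `urlopen_accepts_cafile` are hypothetical.

```python
import inspect
import ssl
import urllib.request


def make_tls_context(cafile=None):
    """Build a verifying TLS client context.

    cafile=None trusts the system store; a path trusts only that bundle.
    A missing bundle raises FileNotFoundError instead of weakening checks.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # create_default_context already sets these; fail loudly if a platform
    # patch or later edit has relaxed them.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context does not verify the peer")
    return ctx


def fetch(url, cafile=None, timeout=30):
    """Context-based replacement for the deprecated urlopen(url, cafile=...)."""
    ctx = make_tls_context(cafile)
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def urlopen_accepts_cafile():
    """Report whether this interpreter's urlopen still has the old parameter."""
    return "cafile" in inspect.signature(urllib.request.urlopen).parameters
```

`fetch` needs network access; `make_tls_context` and `urlopen_accepts_cafile` can be checked offline.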