Fixing this will require some fiddling due to the odd version number;
see the Hydra build logs for more.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
This now provides a handful of different grsecurity kernels for slightly
different 'flavors' of packages. This doesn't change the grsecurity
module to use them just yet, however.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
AppArmor only requires a few patches to the 3.2 and 3.4 kernels in order
to work properly (with the minor catch grsecurity -stable includes the
3.2 patches.) This adds them to the kernel builds by default, removes
features.apparmor (since it's always true) and makes it the default MAC
system.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
fetchpatch is fetchurl that determinizes the patch.
Some parts of generated patches change from time to time, e.g. see #1983 and
http://comments.gmane.org/gmane.linux.distributions.nixos/12815
Using fetchpatch should prevent the hash from changing.
Conflicts (auto-solved):
pkgs/development/libraries/haskell/gitit/default.nix
This is needed for grsecurity kernels to be able to build stuff (e.g. pango).
With grsec the libGL is slower, but we don't care much at build time,
so we can share binaries among grsec and nogrsec.
This adds 2-3 MB to nogrsec closures that use mesa drivers (libGL is doubled).
1) Packages formerly called haskell-haskell-platform-ghcXYZ-VVVV.X.Y.Z are
now called haskell-platform-VVVV.X.Y.Z. The latest version can be
installed by running "nix-env -i haskell-platform".
2) The attributes haskellPackages_ghcXYZ.haskellPlatform no longer exist.
Instead, we have attributes like haskellPlatformPackages."2012_4_0_0".
(The last numeric bit must be quoted when used in a Nix file, but not on
the command line to nix-env, nix-build, etc.) The latest Platform has a
top-level alias called simply haskellPlatform.
3) The haskellPackages_ghcXYZ package sets offer the latest version of every
library that GHC x.y.z can compile. For example, if 2.7 is the latest
version of QuickCheck and if GHC 7.0.4 can compile that version, then
haskellPackages_ghc704.QuickCheck refers to version 2.7.
4) All intermediate GHC releases were dropped from all-packages.nix to
simplify our configuration. What remains is a haskellPackages_ghcXYZ set
for the latest version of every major release branch, i.e. GHC 6.10.4,
6.12.3, 7.0.4, 7.2.2, 7.4.2, 7.6.3, 7.8.2, and 7.9.x (HEAD snapshot).
5) The ghcXYZPrefs functions in haskell-defaults.nix now inherit overrides
from newer to older compilers, i.e. an override configured for GHC 7.0.4
will automatically apply to GHC 6.12.3 and 6.10.4, too. This change has
reduced the redundancy in those configuration functions. The downside is
that overriding an attribute for only one particular GHC version has become
more difficult. In practice, this case doesn't occur much, though.
6) The 'cabal' builder has a brand-new argument called 'extension'. That
function is "self : super : {}" by default and users can override it to
mess with the attribute set passed to cabal.mkDerivation. An example use
would be the definition of darcs in all-packages.nix:
| darcs = haskellPackages.darcs.override {
| cabal = haskellPackages.cabal.override {
| extension = self : super : {
| isLibrary = false;
| configureFlags = "-f-library " + super.configureFlags or "";
| };
| };
| };
In this case, extension disables building the library part of the package
to give us an executable-only version that has no dependencies on GHC or
any other Haskell packages.
The 'self' argument refers to the final version of the attribute set and
'super' refers to the original attribute set.
Note that ...
- Haskell Platform packages always provide the Haddock binary that came with
the compiler.
- Haskell Platform 2009.2.0.2 is broken because of build failures in cgi and
cabal-install.
- Haskell Platform 2010.1.0.0 is broken becasue of build failures in cgi.
This should make it easier to enable proprietary pepper API plugins
though nixpkgs config, so it can be easily installed using something
like:
nix-env -i chromium-stable
With something like:
{ chromium.enablePepperFlash = true; }
In ~/.nixpkgs/config.nix to enable pepper API based Flash and to avoid
the browser wrapper from Firefox entirely.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is a small wrapper around fetchzip. It allows you to say:
src = fetchGitHub {
owner = "NixOS";
repo = "nix";
rev = "924e19341a5ee488634bc9ce1ea9758ac496afc3"; # or a tag
sha256 = "1ld1jc26wy0smkg63chvdzsppfw6zy1ykf3mmc50hkx397wcbl09";
};
This function downloads and unpacks a file in one fixed-output
derivation. This is primarily useful for dynamically generated zip
files, such as GitHub's /archive URLs, where the unpacked content of
the zip file doesn't change, but the zip file itself may (e.g. due to
minor changes in the compression algorithm, or changes in timestamps).
Fetchzip is implemented by extending fetchurl with a "postFetch" hook
that is executed after the file has been downloaded. This hook can
thus perform arbitrary checks or transformations on the downloaded
file.
COPRTHR is a very excellent little SDK implementing OpenCL and related
tech for regular multicore processors, as well as things like my new
Parallella (along with remote/networked OpenCL compute support).
Signed-off-by: Austin Seipp <aseipp@pobox.com>
This hook allows to scatter files in $out to multiple outputs.
For "bin" and "doc" outputs there are prefefined default masks, but
they can be overriden by setting files_<outname>, for example:
files_bin = [ "/bin/*" "/lib/libexec/" ];
To make an effect hook must be specified in buildInputs.
These packages come with R, but if we install them as part of this build, then
we cannot update them without re-building R as well. Instead, we add those
packages to the R environment through the r-wrapper. This means that
recommended packages can be updated in cran-packgaes.nix, and those updates
have an effect on the installation without re-building R itself.
This packaging splices off the unfree faac library and forces handbrake
to use the (more recent/patched) versions of libraries in Nixpkgs.
Produces the CLI HandbrakeCLI and optionally the GTK+ version ghb.
Libmkv was started from Handbrake but is now unmaintained upstream.
Patches:
- A01: add constant to header file
- A02: Breaks API: Allow changing output sampling frequency
- P00: Fix accessing large files on Mingw32
'qgis', one of the few 'qwt' dependees in nixpkgs, fails to build with
qwt 6. So I'm not moving the default version away from 5.x. Also, not
changing the default allows easy/safe cherry-picking to the stable
branch.
By default, we now build all the optional nginx modules, including the
out-of-band ones like moreheaders and rtmp support.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
This also includes support for the verification tools I'm using. Cryptol
2 is still the default obviously.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Brice Minaud reported a simple attack on the CBEAM Pi permutation
function, resulting in it being withdrawn from CAESAR. :(
Signed-off-by: Austin Seipp <aseipp@pobox.com>
This is just a convenient shorthand so people don't have to spell out
haskellPackages.cryptol
Note that the top-level expression is named 'cryptol2' but the package
isn't. That's because Cryptol is a library and other things could depend
on it (hence the vanilla name), but also the full name will be
disambiguated as 'haskell-cryptol-ghc7.6.3' anyway.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Upstream has not been tagging new versions for a long time, but we need
compatibility with newer kernels. The 0.6.2 versions already have a bunch of
backported compatibility patches, but 3.14 kernels need even more.
Also, the git versions have fixed a bunch of crashes and other bugs, so perhaps
we should just bite the bullet and just use recent git versions (as sometimes
upstream recommends, when people run into bugs).
This adds a new "boot.zfs.useGit" boolean option, so that a user can
easily opt into using the git versions.
This includes a lot of fixes for cross-building to Windows and Mac OS X
and could possibly fix things even for non-cross-builds, like for
example OpenSSL on Windows.
The main reason for merging this in 14.04 already is that we already
have runInWindowsVM in master and it doesn't work until we actually
cross-build Cygwin's setup binary as the upstream version is a fast
moving target which gets _overwritten_ on every new release.
Conflicts:
pkgs/top-level/all-packages.nix
This implements some longstanding work of getting the Chromium
derivation more modular. Unfortunately, I didn't manage to decrease the
compile time, which was one of the primary goal for doing the refactor.
A main reason this didn't work out well was the fact that most bundled
libraries are so heavily patched that it's not possible within a limited
time frame to decouple it from the main derivation.
However, it should now be easier to build other derivations that build
upon Chromium, like libcef. Also, it finally adds support for the
non-free PepperAPI Flash and PDF plugins and support for fetching the
corresponding versions through the updater.
The current version of v8 breaks builds of nodejs, mongodb and
rethinkdb. So let's bring back the old package with annoying _3_14
version suffix so hopefully the corresponding maintainers will get rid
of that dependency :-)
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This currently only passes through the arguments and is nothing more
than the foundation of the new structure. In essence, I want to have a
really small default.nix which is then going down into the respective
subparts that are isolated from each other.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is needed by Chromium and is part of the zlib source tree in
contrib/, so let's propagate the version of zlib and use the same source
tree.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Note that systemd no longer depends on dbus, so we're rid of the
cyclic dependency problem between systemd and dbus.
This commit incorporates from wkennington's systemd branch
(203dcff45002a63f6be75c65f1017021318cc839,
1f842558a95947261ece66f707bfa24faf5a9d88).
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.
- New security.grsecurity NixOS attributes.
- All grsec kernels supported
- Allows default 'auto' grsec configuration, or custom config
- Supports custom kernel options through kernelExtraConfig
- Defaults to high-security - user must choose kernel, server/desktop
mode, and any virtualisation software. That's all.
- kptr_restrict is fixed under grsecurity (it's unwriteable)
- grsecurity patch creation is now significantly abstracted
- only need revision, version, and SHA1
- kernel version requirements are asserted for sanity
- built kernels can have the uname specify the exact grsec version
for development or bug reports. Off by default (requires
`security.grsecurity.config.verboseVersion = true;`)
- grsecurity sysctl support
- By default, disabled.
- For people who enable it, NixOS deploys a 'grsec-lock' systemd
service which runs at startup. You are expected to configure sysctl
through NixOS like you regularly would, which will occur before the
service is started. As a result, changing sysctl settings requires
a reboot.
- New default group: 'grsecurity'
- Root is a member by default
- GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
making it possible to easily add users to this group for /proc
access
- AppArmor is now automatically enabled where it wasn't before, despite
implying features.apparmor = true
The most trivial example of enabling grsecurity in your kernel is by
specifying:
security.grsecurity.enable = true;
security.grsecurity.testing = true; # testing 3.13 kernel
security.grsecurity.config.system = "desktop"; # or "server"
This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:
security.grsecurity.enable = true;
security.grsecurity.stable = true; # enable stable 3.2 kernel
security.grsecurity.config = {
system = "server";
priority = "security";
virtualisationConfig = "host";
virtualisationSoftware = "kvm";
hardwareVirtualisation = true;
}
This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
- mark llvm34 as broken on darwin (so it doesn't install by default with nix-env)
- don't use our gcc for llvm_34 (might fix the build)
- switch also clang default to 3.3 on darwin (llvm was before)
Lockdep doesn't *really* require the kernel package - just the kernel
sources. It's really a user-space tool just compiled from some portable
code within the kernel, nothing more.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
NB: This currently doesn't add a working musl-wrapper around musl-gcc to
allow it to work properly (musl has its own dynamic linker as well as
libc too which must be accounted for). But at the moment it builds fine,
and I plan on working more on it in the future. So lets get it
integrated and building on Hydra.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
There are two versions here because beginning with 1.6.0, Boolector has
a more restrictive, unfree license which disallows commercial use.
As a result, Boolector 1.5 is the default 'boolector' expression.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
- Vte, add gtk3 support, enable introspection, update to 0.35.90
- Spice-gtk, add gtk3 support
- gtk-vnc, add gtk3 support
- Add libvirt-glib (thanks @bjornfor)
- Add usbredir
- qemu, enable usbredir
- spice-gtk, enable usbredir
- virt-manager, update to 1.0.1
[Bjørn:
* Set namePrefix = "" to preserve package name "virt-manager"
(instead of "python2.7-virt-manager")
* Add dconf to GIO_EXTRA_MODULES to get persistent settings in
virt-manager. Without it:
GLib-GIO-Message: Using the 'memory' GSettings backend. Your settings will not be saved or shared with other applications.
* Add ${gtk3}/share to XDG_DATA_DIRS to unbreak "Take Screenshot"
feature (fixes "Settings schema 'org.gtk.Settings.FileChooser' is not installed")
* gtk-vnc: don't pull "pkgs" attrset for optionalString, use stdenv.lib.optionalString instead.
]
Lockdep is the kernel's locking validation/debugging tool and has seen
heavy pro-active usage and development. In Linux 3.14, it's now
available directly to userspace for the same purpose. It comes with a
convenient utility to LD_PRELOAD a shared library for validation, or a
user-space API to link to directly.
Signed-off-by: Austin Seipp <aseipp@pobox.com>
These are packages for precompiled ARM microcontroller compilers from
https://launchpad.net/gcc-arm-embedded.
[Bjørn: modify commit message (add paragraph).]