Commit Graph

88605 Commits

Author SHA1 Message Date
Franz Pletz
2709079569 postgresql: security updates for all versions
Fixes CVE-2016-5423 and CVE-2016-5424.

See https://www.postgresql.org/about/news/1688/.
2016-08-16 18:35:22 +02:00
Joachim Fasting
d82ddd6dc0 grsecurity: 4.7-201608131240 -> 4.7-201608151842 2016-08-16 17:50:37 +02:00
Joachim Fasting
b1cceeda84 grsecurity: enable pax size overflow plugin 2016-08-16 17:50:36 +02:00
Joachim Fasting
3fcb9e6f57 grsecurity: support non-enforcing mode
Until we've made sure that most things actually work out of the box, we
need to give people a way of continuing to use the system without
completely disabling grsecurity.

Set sysctl kernel.pax.softmode=1 or boot with pax.softmode=1
2016-08-16 17:50:36 +02:00
Domen Kožar
bab8a2ebe3 netboot: prepare for https://github.com/NixOS/nixos-channel-scripts/issues/6 2016-08-16 17:27:11 +02:00
Eelco Dolstra
859157c36b Merge pull request #17779 from obadz/make-disk-image
nixos/lib/make-disk-image: refactor to use nixos-install
2016-08-16 16:44:12 +02:00
obadz
24f8cf08cc nixos/lib/make-disk-image: refactor to use nixos-install
- Replace hand-rolled version of nixos-install in make-disk-image by an
  actual call to nixos-install
- Required a few cleanups of nixos-install
- nixos-install invokes an activation script which the hand-rolled version
  in make-disk-image did not do. We remove /etc/machine-id as that's
  a host-specific, impure, output of the activation script

Testing:

nix-build '<nixpkgs/nixos/release.nix>' -A tests.installer.simple passes

Also tried generating an image with:

nix-build -E 'let
    pkgs = import <nixpkgs> {};
    lib = pkgs.lib;
    nixos = import <nixpkgs/nixos> {
      configuration = {
        fileSystems."/".device = "/dev/disk/by-label/nixos";
        boot.loader.grub.devices = [ "/dev/sda" ];
        boot.loader.grub.extraEntries = '"''"'
          menuentry "Ubuntu" {
             insmod ext2
             search --set=root --label ubuntu
             configfile /boot/grub/grub.cfg
          }
        '"''"';
      };
    };
  in import <nixpkgs/nixos/lib/make-disk-image.nix> {
    inherit pkgs lib;
    config = nixos.config;
    diskSize = 2000;
    partitioned = false;
    installBootLoader = false;
  }'

Then installed the image:
$ sudo dd if=./result/nixos.img of=/dev/sdaX bs=1M
$ sudo resize2fs /dev/disk/by-label/nixos
$ sudo mount /dev/disk/by-label/nixos /mnt
$ sudo mount --rbind /proc /mnt/proc
$ sudo mount --rbind /dev /mnt/dev
$ sudo chroot /mnt /nix/var/nix/profiles/system/bin/switch-to-configuration boot

[ … optionally do something about passwords … ]

and successfully rebooted to that image.

Was doing all this from inside an Ubuntu VM with a single user nix install.
2016-08-16 15:31:16 +01:00
Joachim F
4d1d37014a Merge pull request #17718 from matthewbauer/patch-7
travis: build stdenv also
2016-08-16 15:06:35 +02:00
Franz Pletz
35654b7fc1 Merge pull request #17743 from mayflower/service/mattermost 2016-08-16 14:54:25 +02:00
Eelco Dolstra
38f306f492 Merge pull request #17768 from obadz/nixos-install
nixos-install: cleanups & improvements to run on non-NixOS systems
2016-08-16 13:31:50 +02:00
Eelco Dolstra
16b0724efe Merge pull request #17772 from nathan7/protobuf-3.0.0
protobuf: 3.0.0-beta-3.1 -> 3.0.0
2016-08-16 12:47:41 +02:00
Nathan Zadoks
874e90fd66 protobuf: 3.0.0-beta-3.1 -> 3.0.0 2016-08-16 12:09:36 +02:00
Frederik Rietdijk
6d75bf842b mercurial: pass in pythonPackages 2016-08-16 11:48:09 +02:00
Frederik Rietdijk
888efed972 Doc: fix python examples 2016-08-16 09:47:13 +02:00
Josef Kemetmüller
24ab0460a9 armadillo: Fix failing build (#17764)
The upgrade of cmake to v3.6.0 broke this build. HDF5 now can
only be found if hdf5-cpp is used as buildInput.
However the upgrade made it possible to remove a patch:
CMake can now find openblas on its own.
2016-08-16 06:29:15 +00:00
obadz
806e88c137 nixos-install: cleanups & improvements to run on non-NixOS systems
- Fix --no-bootloader which didn't do what it advertised
- Hardcode nixbld GID so that systems which do not have a nixbld user
  can still run nixos-install (only with --closure since they can't
  build anything)
- Cleanup: get rid of NIX_CONF_DIR(=/tmp)/nix.conf and pass arguments instead
- Cleanup: don't assume that the target system has '<nixpkgs/nixos>' or
  '<nixos-config>' to see if config.users.mutableUsers. Instead check if
  /var/setuid-wrappers/passwd is there

Installing NixOS now works from an Ubuntu host (using --closure).

nix-build -A tests.installer.simple '<nixpkgs/nixos/release.nix>' succeeds ✓
2016-08-16 02:47:49 +01:00
obadz
1759825b34 nixos/tests/ecryptfs: placate some commands causing many build failures
These commands shouldn't have to be here in the first place as ecryptfs
homes should be automatically unmounted during logoff.
2016-08-16 02:47:08 +01:00
Shea Levy
9adad8612b Revert "Merge branch 'modprobe-fix' of git://github.com/abbradar/nixpkgs"
Was meant to go into staging, sorry

This reverts commit 57b2d1e9b0, reversing
changes made to 760b2b9048.
2016-08-15 19:05:52 -04:00
Shea Levy
57b2d1e9b0 Merge branch 'modprobe-fix' of git://github.com/abbradar/nixpkgs 2016-08-15 19:01:44 -04:00
Nikolay Amiantov
b067b53011 networkmanager098: fix binary paths 2016-08-16 00:19:26 +03:00
Nikolay Amiantov
cd05a8ed00 networkmanager: point to kmod's modprobe 2016-08-16 00:19:26 +03:00
Nikolay Amiantov
1f63958772 nixos treewide: don't set MODULE_DIR 2016-08-16 00:19:25 +03:00
Nikolay Amiantov
b2ebecd9e5 modprobe service: drop kmod wrapper 2016-08-16 00:19:25 +03:00
Nikolay Amiantov
1afd250676 treewide: replace several /sbin paths by /bin 2016-08-16 00:19:25 +03:00
Nikolay Amiantov
131fca0a85 kmod: add patch to allow searching for modules in several directories 2016-08-16 00:19:25 +03:00
obadz
760b2b9048 nixos/make-disk-image: add ability to defer bootloader install until image has been flashed 2016-08-15 20:01:55 +01:00
Joachim Fasting
f9c3076e58 grsecurity docs: mention chromium setuid sandbox 2016-08-15 20:36:47 +02:00
Joachim Fasting
050b7eec16 grsecurity module: systemd-nspawn requires cap_sys_admin
As with 9ca3504a798291fbd7c49fcfeec8b64daa2022ad

Closes https://github.com/NixOS/nixpkgs/issues/17714
2016-08-15 20:36:47 +02:00
Joachim Fasting
7fd99066c4 grsecurity module: permit chmod +s in sandboxed builds
While useless, some builds may dabble with setuid bits (e.g.,
util-linux), which breaks under grsec.  In the interest of user
friendliness, we once again compromise by disabling an otherwise useful
feature ...

Closes https://github.com/NixOS/nixpkgs/issues/17501
2016-08-15 20:36:47 +02:00
Joachim Fasting
9062c67914 grsecurity: 4.6.5-201607312210 -> 4.7-201608131240 2016-08-15 20:36:46 +02:00
Joachim Fasting
567640d80c grsecurity docs: add note about user namespaces 2016-08-15 20:36:46 +02:00
Daniel Peebles
65ed79a1e8 Merge pull request #17642 from svend/gnupg21-fix-gpgsm-linking
gnupg: Fix gpgsm linking for gnupg 2.1.14
2016-08-15 14:19:19 -04:00
Svend Sorensen
ac2836610d gnupg: Add comment about when to drop fix-gpgsm-linking.patch 2016-08-15 11:16:55 -07:00
Thomas Tuegel
ef15f01a43 yakuake: get Konsole from kde5 2016-08-15 11:15:46 -05:00
Thomas Tuegel
ea9b705340 Remove obsolete Quassel aliases 2016-08-15 11:03:11 -05:00
Thomas Tuegel
cc82bdf7df kile: get Konsole from kde5 2016-08-15 10:47:01 -05:00
Thomas Tuegel
1e3a00aca5 dfilemanager: remove duplicate definition 2016-08-15 10:34:37 -05:00
Thomas Tuegel
de27f97e2d Remove kde5PackagesFun 2016-08-15 09:27:51 -05:00
Michal Rus
3313353899 guitarix: 0.34.0 -> 0.35.1; add glib_networking dep (#17740)
glib_networking is needed for downloading presets from within Guitarix
UI. Before, Guitarix would return an “install glib_networking” error.
2016-08-15 14:25:46 +00:00
ibrahim Sağıroğlu
9ff4501c55 marathon: 0.15.3 -> v1.1.1 (#17612) 2016-08-15 14:13:05 +00:00
Thomas Tuegel
888570438c breeze-gtk: install GTK 3.20-compatible theme 2016-08-15 08:57:54 -05:00
Robin Lambertz
dacc3fa985 phpfpm: allow old config format as well (#17754) 2016-08-15 14:41:26 +02:00
obadz
6eb2ca2247 haskellPackages.Lazy-Pbkdf2.i686-linux: don't run tests that keep aborting 2016-08-15 13:05:55 +01:00
Moritz Ulrich
21df40f85f systemd-cryptsetup-generator: Fix bug.
The annoying wrapper script also wraps `systemd-cryptsetup`. We need to
copy the original binary to $out too.
2016-08-15 12:42:44 +02:00
Pascal Wittmann
b22fc4c411 Merge pull request #17708 from DamienCassou/fix-byzanz
byzanz: Let it find gstreamer plugins
2016-08-15 10:56:57 +02:00
Nikolay Amiantov
9b4a7984a4 qutebrowser: add shared files and cleanup 2016-08-15 11:38:53 +03:00
Nikolay Amiantov
5b296a1470 Merge branch 'master' into staging 2016-08-15 10:34:28 +03:00
Michal Rus
397a17aef9 visualvm: init at 1.3.8 (#17745) 2016-08-15 05:45:48 +02:00
Franz Pletz
64c79e8526 linux: 4.6.5 -> 4.6.6 2016-08-15 04:28:08 +02:00
Franz Pletz
2a8718fb0b linux_4_5: remove, not supported by upstream anymore 2016-08-15 04:28:02 +02:00