Commit Graph

89201 Commits

Author SHA1 Message Date
Franz Pletz
3c06e5f6f7 cc-wrapper: check ld hardening capabilities in stdenv 2016-08-23 18:13:31 +02:00
Robin Gloster
9e211203da czmq: fix build
Uses -Werror, failing with additionally enabled warnings from hardening.
2016-08-23 15:51:26 +00:00
Joachim Fasting
8ab400988c lsh: fix gcc5 build
The build fails with c11 (also tested c99), but works with gnu90.
2016-08-23 15:33:32 +00:00
Robin Gloster
7413278f9b Revert "Remove lsh, broken & unmaintained"
This reverts commit 73f4c2bdf8.
2016-08-23 15:32:41 +00:00
Robin Gloster
3a18f06eab Revert "lsh: remove last references"
This reverts commit 8329066d5e.
2016-08-23 15:31:33 +00:00
Robin Gloster
07604ad631 add-hardening.sh: fix quotation 2016-08-23 15:27:51 +00:00
Robin Gloster
335d0097cf cc-wrapper: add-{flags,hardening} -> add-{flags,hardening}.sh 2016-08-23 15:27:51 +00:00
Franz Pletz
b4cc9bd63a Merge remote-tracking branch 'origin/master' into hardened-stdenv
Fixes #17801 and #17802.
2016-08-17 19:43:43 +02:00
obadz
e0f124a9f8 calamares/tarball test: fix eval error
See also acb4086

cc @ttuegel @globin
2016-08-17 18:06:00 +01:00
Rommel M. Martinez
963d8cc3e0 translate-shell: init at 0.9.4 (#17780) 2016-08-17 16:20:55 +02:00
Peter Hoeg
5de7993f7e dropbox: 6.4.14 -> 8.4.19 (#17797) 2016-08-17 16:19:32 +02:00
Tomas Hlavaty
e444532046 mlt: 0.9.6 -> 6.2.0 (#17725)
The old version with qt4 is kept around for kdenlive dependency.
2016-08-17 16:09:58 +02:00
Joachim Fasting
66a3f0e988 gradm: 3.1-201607172312 -> 3.1-201608131257 2016-08-17 15:19:33 +02:00
Joachim Fasting
ba20363f11 grsecurity: 4.7-201608151842 -> 4.7.1-201608161813 2016-08-17 15:19:27 +02:00
mimadrid
60c3f3f2b9 nerdfonts: 0.7.0 -> 0.8.0, fixes #17693 2016-08-17 14:06:28 +02:00
Anthony Cowley
29572c28a3 llvm-3.8: build shared library on darwin (#17671)
- Enable the shared library build on darwin by default to match other
  platforms.

- Fix the dylib file's name in the store

- Symlink a versioned name as some tooling expects this.
2016-08-17 13:43:57 +02:00
Christine Koppelt
75bffa11d6 influxdb: add 1.0.0-beta3 (#17733) 2016-08-17 13:40:05 +02:00
8573
34435a9502 redshift: Fix default value of $DISPLAY (#17746)
Before commit 54fa0cfe4e, the `redshift`
service was run with the environment variable `DISPLAY` set to `:0`.

Commit 54fa0cfe4e changed this to
instead use the value of the `services.xserver.display` configuration
option in the value of the `DISPLAY` variable. In so doing, no default
value was provided for the case where `services.xserver.display` is
`null`.

While the default value of `services.xserver.display` is `0`, use of
which by the `redshift` module would result in `DISPLAY` again being
set to `:0`, `services.xserver.display` may also be `null`, to which
value it is set by, e.g., the `lightdm` module.

In the case that `services.xserver.display` is `null`, with the change
made in commit 54fa0cfe4e, the `DISPLAY`
variable in the environment of the `redshift` service would be set to
`:` (a single colon), which, according to my personal experience,
would result in —

  - the `redshift` service failing to start; and

  - systemd repeatedly attempting to restart the `redshift` service,
    looping indefinitely, while the hapless `redshift` spews error
    messages into the journal.

It can be observed that the malformed value of `DISPLAY` is likely at
fault for this issue by executing the following commands in an
ordinary shell, with a suitable `redshift` executable, and the X11
display not already tinted:

  - `redshift -O 2500` — This command should reduce the color
    temperature of the display (making it more reddish).

  - `DISPLAY=':' redshift -O 6500` — This command should raise the
    color temperature back up, were it not for the `DISPLAY`
    environment variable being set to `:` for it, which should cause
    it to, instead, fail with several error messages.

This commit attempts to fix this issue by having the `DISPLAY`
environment variable for the `redshift` service default to its old
value of `:0` in the case that `services.xserver.display` is `null`.

I have tested this solution on NixOS, albeit without the benefit of a
system with multiple displays.
2016-08-17 13:34:26 +02:00
Michal Rus
d965dfc00d bitwig-studio: init at 1.3.12 (#17756) 2016-08-17 13:23:48 +02:00
cmfwyp
c403221af5 calibre: 2.58.0 -> 2.64.0 (#17771)
Extension definitions were moved to extensions.json, so the patch
needed to be updated.
2016-08-17 13:20:39 +02:00
Franz Pletz
6aa729cf52 ympd: remove unnecessary preConfigure hook
Fixes #17788.
2016-08-17 13:19:41 +02:00
Franz Pletz
131bc22b84 gitlab service: add option for db_key_base secret 2016-08-17 13:17:47 +02:00
Franz Pletz
cfb930c985 znapzend: 0.15.5 -> 0.15.7 2016-08-17 13:17:46 +02:00
Langston Barrett
0cc89278a1 ympd: init at 1.3.0 2016-08-17 13:17:41 +02:00
Nikolay Amiantov
1db8403e6f Merge pull request #17792 from jflanglois/stage-1-zram
stage-1: exclude zram devices from resumeDevices
2016-08-17 14:16:20 +04:00
Franz Pletz
32ce20c86b Merge pull request #17791 from ebzzry/emem-0.2.24
emem: 0.2.23 -> 0.2.24
2016-08-17 11:20:02 +02:00
Frederik Rietdijk
80b3a7b128 Revert "pythonPackages.psutil: 3.4.2 -> 4.3.0"
This reverts commit 86caec1be1.

In this commit tests were re-enabled, but without correctly testing whether it could.
When a package builds it doesn't mean the tests are actually run. This is often seen when it says that 0 tests were run.
Typically this is because the test runner was invoked incorrectly.

By re-enabling the tests, a false impression is generated that the package is tested while in fact it isn't. Furthermore, the Python 3.5
package broke because the tests are invoked incorrectly.

cc @abbradar
2016-08-17 10:52:22 +02:00
Lluís Batlle i Rossell
9f9cac34d3 Updating mlt to 6.2.0
(cherry picked from commit 93d8ab8007102e0e4d7f23cf25bb353d1cc5bced)

I checked with kdenlive people, and they say that we should always use the
latest mlt possible; that it should not be any problem, and provide only
improvements.
2016-08-17 10:06:30 +02:00
Julien Langlois
552c30c155 stage-1: exclude zram devices from resumeDevices 2016-08-17 00:21:47 -07:00
Rommel M. Martinez
e5a4afc1b7 emem: 0.2.23 -> 0.2.24 2016-08-17 14:37:37 +08:00
Franz Pletz
efab1cb928 Merge pull request #17782 from Baughn/unifi-fix
Unifi controller fixes
2016-08-17 06:24:55 +02:00
Franz Pletz
2571438988 linux: 4.7 -> 4.7.1 2016-08-17 05:46:00 +02:00
Franz Pletz
7a4407461b linux: 4.6.6 -> 4.6.7
Fixes CVE-2016-5696.
2016-08-17 05:45:59 +02:00
Franz Pletz
da95fb368c linux: 4.4.17 -> 4.4.18
Fixes CVE-2016-5696.
2016-08-17 05:45:59 +02:00
Franz Pletz
2104d28bcd linux: 4.1.27 -> 4.1.30
Fixes CVE-2016-5696.
2016-08-17 05:45:59 +02:00
Franz Pletz
b070a9c439 gitlab: 8.10.3 -> 8.10.6 2016-08-17 05:36:24 +02:00
Frederik Rietdijk
5a501bd828 Remove top-level dbus_python and pythonDBus.
See #11567.

Furthermore, it renames pythonPackages.dbus to pythonPackages.dbus-python
as that's the name upstream uses.

There is a small rebuild but I couldn't figure out the actual cause.
2016-08-16 22:52:37 +02:00
Frederik Rietdijk
6b23bd99a3 Remove top-level pyatspi
See #11567.
2016-08-16 22:52:37 +02:00
Domen Kožar
40da4e6ce7 fix eval 2016-08-16 22:30:15 +02:00
Domen Kožar
584c19b4a5 Merge pull request #17720 from oxij/fix-xen
Fix xen build
2016-08-16 22:06:52 +02:00
Svein Ove Aas
102472b8de unifi: Open required ports by default.
The controller does not work at all if they aren't, with the exception
of special configurations involving L3 or custom ports.
2016-08-16 21:01:49 +01:00
Svein Ove Aas
e3f0a09b6d unifi: chown the data dir as well.
It needs to be writeable.
2016-08-16 21:01:49 +01:00
Robert Helgesson
f396a0b4d0 hd-idle: init at 1.05 2016-08-16 21:59:14 +02:00
Franz Pletz
2709079569 postgresql: security updates for all versions
Fixes CVE-2016-5423 and CVE-2016-5424.

See https://www.postgresql.org/about/news/1688/.
2016-08-16 18:35:22 +02:00
Joachim Fasting
d82ddd6dc0 grsecurity: 4.7-201608131240 -> 4.7-201608151842 2016-08-16 17:50:37 +02:00
Joachim Fasting
b1cceeda84 grsecurity: enable pax size overflow plugin 2016-08-16 17:50:36 +02:00
Joachim Fasting
3fcb9e6f57 grsecurity: support non-enforcing mode
Until we've made sure that most things actually work out of the box, we
need to give people a way of continuing to use the system without
completely disabling grsecurity.

Set sysctl kernel.pax.softmode=1 or boot with pax.softmode=1
2016-08-16 17:50:36 +02:00
Domen Kožar
bab8a2ebe3 netboot: prepare for https://github.com/NixOS/nixos-channel-scripts/issues/6 2016-08-16 17:27:11 +02:00
Eelco Dolstra
859157c36b Merge pull request #17779 from obadz/make-disk-image
nixos/lib/make-disk-image: refactor to use nixos-install
2016-08-16 16:44:12 +02:00
obadz
24f8cf08cc nixos/lib/make-disk-image: refactor to use nixos-install
- Replace hand-rolled version of nixos-install in make-disk-image by an
  actual call to nixos-install
- Required a few cleanups of nixos-install
- nixos-install invokes an activation script which the hand-rolled version
  in make-disk-image did not do. We remove /etc/machine-id as that's
  a host-specific, impure, output of the activation script

Testing:

nix-build '<nixpkgs/nixos/release.nix>' -A tests.installer.simple passes

Also tried generating an image with:

nix-build -E 'let
    pkgs = import <nixpkgs> {};
    lib = pkgs.lib;
    nixos = import <nixpkgs/nixos> {
      configuration = {
        fileSystems."/".device = "/dev/disk/by-label/nixos";
        boot.loader.grub.devices = [ "/dev/sda" ];
        boot.loader.grub.extraEntries = '"''"'
          menuentry "Ubuntu" {
             insmod ext2
             search --set=root --label ubuntu
             configfile /boot/grub/grub.cfg
          }
        '"''"';
      };
    };
  in import <nixpkgs/nixos/lib/make-disk-image.nix> {
    inherit pkgs lib;
    config = nixos.config;
    diskSize = 2000;
    partitioned = false;
    installBootLoader = false;
  }'

Then installed the image:
$ sudo dd if=./result/nixos.img of=/dev/sdaX bs=1M
$ sudo resize2fs /dev/disk/by-label/nixos
$ sudo mount /dev/disk/by-label/nixos /mnt
$ sudo mount --rbind /proc /mnt/proc
$ sudo mount --rbind /dev /mnt/dev
$ sudo chroot /mnt /nix/var/nix/profiles/system/bin/switch-to-configuration boot

[ … optionally do something about passwords … ]

and successfully rebooted to that image.

Was doing all this from inside a Ubuntu VM with a single user nix install.
2016-08-16 15:31:16 +01:00