Commit Graph

2095 Commits

Author SHA1 Message Date
Joachim Fasting
886c03ad2e Merge pull request #16107 from joachifm/grsec-ng
Rework grsecurity support
2016-06-14 03:52:50 +02:00
Joachim Fasting
75b9a7beac
grsecurity: implement a single NixOS kernel
This patch replaces the old grsecurity kernels with a single NixOS
specific grsecurity kernel.  This kernel is intended as a general
purpose kernel, tuned for casual desktop use.

Providing only a single kernel may seem like a regression compared to
offering a multitude of flavors.  It is impossible, however, to
effectively test and support that many options.  This is amplified by
the reality that very few seem to actually use grsecurity on NixOS,
meaning that bugs go unnoticed for long periods of time, simply because
those code paths end up never being exercised.  More generally, it is
hopeless to anticipate imagined needs.  It is better to start from a
solid foundation and possibly add more flavours on demand.

While the generic kernel is intended to cover a wide range of use cases,
it cannot cover everything.  For some, the configuration will be either
too restrictive or too lenient.  In those cases, the recommended
solution is to build a custom kernel --- this is *strongly* recommended
for security sensitive deployments.

Building a custom grsec kernel should be as simple as
```nix
linux_grsec_nixos.override {
  extraConfig = ''
    GRKERNSEC y
    PAX y
    # and so on ...
  '';
}
```

The generic kernel should be usable both as a KVM guest and host.  When
running as a host, the kernel assumes hardware virtualisation support.
Virtualisation systems other than KVM are *unsupported*: users of
non-KVM systems are better served by compiling a custom kernel.

Unlike previous Grsecurity kernels, this configuration disables `/proc`
restrictions in favor of `security.hideProcessInformation`.

Known incompatibilities:
- ZFS: can't load spl and zfs kernel modules; claims incompatibility
  with KERNEXEC method `or` and RAP; changing to `bts` does not fix the
  problem, which implies we'd have to disable RAP as well for ZFS to
  work
- `kexec()`: likely incompatible with KERNEXEC (unverified)
- Xen: likely incompatible with KERNEXEC and UDEREF (unverified)
- Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-14 00:08:20 +02:00
Rob Vermaas
91436641ec Fix hash for Debian 8.4 Jessie
(cherry picked from commit fd60751ce0c85427423b78d8a46c3f78d65bd0e2)
2016-06-13 12:20:55 +00:00
zimbatm
28fa4a2f03 Escape all shell arguments uniformly 2016-06-12 18:11:37 +01:00
zimbatm
a42b7faaec nix-prefetch-git: shellcheck fixes
Used shellcheck (https://github.com/koalaman/shellcheck) to validate
the script and fixed any resulting escaping and ambiguity issues.
2016-06-12 13:45:20 +01:00
Nikolay Amiantov
b341de88e9 Merge pull request #16030 from abbradar/fhs-refactor
Improvements for FHS user chrootenv
2016-06-11 21:04:20 +04:00
Tuomas Tynkkynen
a06a405d0b cross GCC: Fix some paths to libc headers (after multiple outputs)
It's not completely clear to me why the path to libc headers is set
differently when cross building...
2016-06-11 04:15:17 +03:00
Robin Gloster
8031cba2ab Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-06-10 09:27:04 +00:00
Domen Kožar
7a5b85cdda pkgs.runCommand: passAsFile (buildCommand can be very long)
Close #15803. This avoids the error:

while setting up the build environment: executing
‘/nix/store/7sb42axk5lrxqz45nldrb2pchlys14s1-bash-4.3-p42/bin/bash’:
Argument list too long

Note: I wanted to make it optional based on buildCommand length,
but that seems pointless as I'm sure it's less performant.

Amended by vcunat:
https://github.com/NixOS/nixpkgs/pull/15803#issuecomment-224841225
2016-06-10 10:49:26 +02:00
Vladimír Čunát
46f22d89b9 Merge #15867: glibc, gcc: fixes for ARM targets
... needed after closure-size merge (#7701)
2016-06-10 09:57:17 +02:00
Vladimír Čunát
cec03a8ecd Merge #14753: makeWrapper: allow spaces in variables 2016-06-09 13:09:43 +02:00
Kamil Chmielewski
7eb671ebcd no more goPackages 2016-06-09 13:08:00 +02:00
Nikolay Amiantov
3d8664ee42 buildFHSUserEnv: mark CHROOTENV_EXTRA_BINDS as discussed for deprecation 2016-06-07 14:22:38 +03:00
Nikolay Amiantov
3e90b00c10 buildFHSEnv: link 'bin' output 2016-06-07 04:06:35 +03:00
Nikolay Amiantov
8d9e5d297d buildFHSEnv: don't link GCC compiler part 2016-06-07 04:06:35 +03:00
Nikolay Amiantov
74107a7867 buildFHSEnv: refactor and simplify, drop buildFHSChrootEnv
This takes another approach at binding FHS directory structure. We
now bind-mount all the root filesystem to directory "/host" in the target tree.
From that we symlink all the directories into the tree if they do not already
exist in FHS structure.

This probably makes `CHROOTENV_EXTRA_BINDS` unnecessary -- its main usecase was
to add bound directories from the host to the sandbox, and we not just symlink
all of them. I plan to get some feedback on its usage and maybe deprecate it.

This also drops old `buildFHSChrootEnv` infrastructure. The main problem with it
is it's very difficult to unmount a recursive-bound directory when mount is not
sandboxed. This problem is a bug even without these changes -- if
you have for example `/home/alice` mounted to somewhere, you wouldn't see
it in `buildFHSChrootEnv` now. With the new directory structure, it's
impossible to use regular bind at all. After some tackling with this I realized
that the fix would be brittle and dangerous (if you don't unmount everything
clearly and proceed to removing the temporary directory, bye-bye fs!). It also
probably doesn't worth it because I haven't heard that someone actually uses it
for a long time, and `buildFHSUserEnv` should cover most cases while being much
more maintainable and safe for the end-user.
2016-06-07 04:06:35 +03:00
David Craven
c22f0c7474 Fix buildRustPackage edge cases
1. When multiple versions of the same package are required
   $revs is an array.
2. When cargo fetch is run it usually doesn't need a network
   connection. But when it does SSL_CERT_FILE isn't set.
2016-06-02 17:15:52 +02:00
Eric Litak
7399d0949c fixing libcCross related flags
(excluding darwin and mingw for now)
2016-05-31 16:28:04 -07:00
Robin Gloster
2d382f3d98 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-05-30 19:39:34 +00:00
Nikolay Amiantov
1b2139b3e2 buildFHSEnv: use separate gcc for 64- and 32-bit 2016-05-29 23:22:58 +03:00
Moritz Ulrich
d8b0618e6c buildRustPackage: Don't specify logLevel by default. 2016-05-28 15:05:11 +02:00
Moritz Ulrich
1e04865e87 buildRustPackage: Add log-level argument. 2016-05-28 15:05:11 +02:00
Vladimír Čunát
e4832c7541 Merge branch 'staging'
Includes a security update of libxml2.
2016-05-27 15:58:40 +02:00
Nikolay Amiantov
ebe1cbe0da symlinkJoin: allow arbitrary additional attributes 2016-05-27 13:42:22 +03:00
Vladimír Čunát
81039713fa Merge branch 'master' into staging
... to get the systemd update (rebuilding ~7k jobs).
2016-05-26 16:50:22 +02:00
Domen Kožar
56714859f4 add CentOS 7.1 2016-05-24 11:35:39 +01:00
Domen Kožar
7fc845aeb1 add OpenSuse 13.2
(cherry picked from commit 2cf5dcd99a7d3aac8a39ab98c1738454dfa20bfb)
Signed-off-by: Domen Kožar <domen@dev.si>
2016-05-24 11:06:11 +01:00
Domen Kožar
ba0d4ecaf7 debian7: change hash due to 7.10 release
(cherry picked from commit 00df301ac2fd1818fa1f96debcee23dbb979834d)
Signed-off-by: Domen Kožar <domen@dev.si>
2016-05-24 10:40:39 +01:00
Vladimír Čunát
0b192a0976 Merge branch 'master' into staging
That's to get mesa rebuild from master, as it's nontrivial.
2016-05-23 09:02:10 +02:00
Guillaume Maudoux
bfd522da63 setup-hooks: do not pass missing dirs to find (close #15405)
find fails when called with an inexistent search path.
That situation may arise when the output is created after by a postFixup hook.
vcunat amended the PR by clarifying one more `return` to `return 0`.
2016-05-22 12:08:01 +02:00
Nikolay Amiantov
ca38376566 buildFHSUserEnv: don't run bash in login mode for .env
Fixes https://github.com/NixOS/nixpkgs/issues/12406 for `.env`
2016-05-20 14:17:49 +03:00
Profpatsch
28f8ca560f debian-build: fix checkinstall invocation (#15538)
Checkinstall had two problems:
1. when it was called without a version (e.g. with a derivation created
by fetchFromGitHub) it would use `src` as debian version, which caused
dpkg to fail
2. when dpkg failed, it would invoke the pager with the log, which hangs
the build

So now
1. the default version is the dummy `0.0.0`
2. the used pager is `cat`
2016-05-19 09:41:10 +01:00
Franz Pletz
f8d481754c
Merge remote-tracking branch 'origin/master' into hardened-stdenv 2016-05-18 17:10:02 +02:00
Domen Kožar
a01b6a0d07 fetchzip: improve error message 2016-05-17 17:32:53 +01:00
Vladimír Čunát
af364c0f77 fetchurl mirrors: fix gnupg URLs
Some mirrors were missing /gcrypt. Now they should be consistent.
Fixes 15510. Closes 15511.
2016-05-17 11:35:49 +02:00
Eelco Dolstra
a5fa7c25cb Merge pull request #15469 from NixOS/fetchgit
fetchgit: remove only .git folder
2016-05-16 16:44:55 +02:00
Domen Kožar
64a072e357 fetchgit: remove only .git
Source of this change goes back to 2009 and original version of
fetchgit at 205fb0c87e.

The nondeterminism is really caused by changing .git so leave other
files alone as they might be interesting.

Note: this causes a hash mismatch with Hydra's version of Git Plugin
which we should fix to comply.
2016-05-15 00:24:04 +01:00
Thomas Tuegel
21efdd8003 Merge pull request #15420 from samuelrivas/emacs-wrapper
emacs: hide wrapper dependencies
2016-05-13 11:58:24 -05:00
Samuel Rivas
67394f9152 emacs: hide wrapper dependencies
Move all the dependencies to their own derivation, so that we don't publish all
of them if the wrapper is installed in a profile.

The previous solution just moved them to a custom directory to avoid conflicts,
this refactors that and completely hides them, while preserving the desired
improvement of adding only one directory to each of the emacs search paths
2016-05-12 22:43:30 +02:00
Vladimír Čunát
6c2fbfbd77 Merge branch 'master' into staging 2016-05-12 04:53:38 +02:00
Carles Pagès
e7ab828da1 makeImageFromDebDist: accept additional parameters for vm, as in rpm version. 2016-05-11 15:43:24 +02:00
Joachim Fasting
d4d7bfe07b
grsecurity: add option to disable chroot caps restriction
The chroot caps restriction disallows chroot'ed processes from running
any command that requires `CAP_SYS_ADMIN`, breaking `nixos-rebuild`. See
e.g., https://github.com/NixOS/nixpkgs/issues/15293

This significantly weakens chroot protections, but to break
nixos-rebuild out of the box is too severe.
2016-05-10 16:17:08 +02:00
Eelco Dolstra
cb37ab146b Add mirror://mozilla scheme 2016-05-09 19:37:22 +02:00
Vladimír Čunát
65a9fa8cdc Merge branch 'master' into staging 2016-05-08 21:24:48 +02:00
zimbatm
4ba7767d91 Merge pull request #14722 from puffnfresh/bug/dockertools-postmount
dockerTools: only add "/nix" if it exists
2016-05-06 17:40:23 +01:00
Joachim Fasting
50d915c758
grsecurity: optionally disable features for redistributed kernels 2016-05-06 16:37:25 +02:00
Vladimír Čunát
1dc36904d8 Merge #14920: windows improvements, mainly mingw 2016-05-05 08:30:19 +02:00
Vladimír Čunát
7a005601d4 Merge branch 'master' to resolve conflicts 2016-05-05 08:25:38 +02:00
Vladimír Čunát
2cbb7bf9d1 cc-wrapper: add -B flag with cc.lib
This fixes `gcc --print-file-name=libstdc++.so`
and thus it should fix #14967.
2016-05-04 14:23:54 +02:00
Peter Simons
397c75aeb4 Revert "Just strip everything by default"
This reverts commit 2362891dc8. The patch
is broken. :-(
2016-05-04 13:40:53 +02:00
Joachim Fasting
da767356f2
grsecurity: support disabling TCP simultaneous connect
Defaults to OFF because disabling TCP simultaneous connect breaks some
legitimate use cases, notably WebRTC [1], but it's nice to provide the
option for deployments where those features are unneeded anyway.

This is an alternative to https://github.com/NixOS/nixpkgs/pull/4937

[1]: http://article.gmane.org/gmane.linux.documentation/9425
2016-05-04 03:53:24 +02:00
Tuomas Tynkkynen
aadaa91379 Merge remote-tracking branch 'upstream/master' into staging
Conflicts:
	pkgs/applications/networking/browsers/vivaldi/default.nix
	pkgs/misc/emulators/wine/base.nix
2016-05-03 23:12:48 +03:00
Guillaume Maudoux
2362891dc8 Just strip everything by default
Run strip of each file and discard expected failure types.
Also default to stripping the entire output.
2016-05-03 11:04:34 +02:00
Robin Gloster
c92bca56f8 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-05-02 22:58:02 +00:00
Joachim Fasting
39db90eaf6
grsecurity: simplify preConfigure 2016-05-02 11:28:06 +02:00
Joachim Fasting
a69501a936
grsecurity: ensure that PaX ELF markings are enabled
The upstream default is to enable only xattr markings, breaking the
paxmarks facility.
2016-05-02 11:28:06 +02:00
Maxim Ivanov
dea920bfdc Remove obsolete scatter output hook
There are no users of it in main tree and recent merge
of multiple outputs branch makes it obsolete for private trees
too.

At the time hook was created, recently merged multiple output
branch was relying on passing flags to autotools to split
outputs, which obviously wasn't working for other build systems

Scatter output was taking different approach where files were
moved out from a build tree based on known  paths, which is more
or less what current multiple-outputs.sh hook is able to do too.
2016-04-30 22:05:33 +01:00
Domen Kožar
8a3b70791c vmTools.diskImages: add ubuntu 16.04 2016-04-29 11:50:27 +01:00
Tuomas Tynkkynen
4ff8f377af Merge remote-tracking branch 'upstream/master' into staging 2016-04-28 00:13:53 +03:00
Nikolay Amiantov
f6eb686222 Merge pull request #15002 from abbradar/symlink-join-wrappers
Use symlinkJoin for wrappers
2016-04-26 16:47:43 +04:00
Frederik Rietdijk
d5e6a4494a Python: use PyPI mirror (#15001)
* mirrors: add pypi

* Python: Use pypi mirror for all PyPI packages
2016-04-26 13:38:03 +01:00
Nikolay Amiantov
dfe608c8a2 symlinkJoin: accept set as an argument with additional options 2016-04-26 15:37:42 +03:00
Nikolay Amiantov
62616ec5e2 Merge commit 'refs/pull/14907/head' of git://github.com/NixOS/nixpkgs into staging 2016-04-25 18:02:47 +03:00
Nikolay Amiantov
5e85760ff1 Merge commit 'refs/pull/14909/head' of git://github.com/NixOS/nixpkgs into staging 2016-04-25 18:02:32 +03:00
Nikolay Amiantov
5f19542581 Merge commit 'refs/pull/14694/head' of git://github.com/NixOS/nixpkgs into staging 2016-04-25 18:02:23 +03:00
Nikolay Amiantov
69a072484d gcc-wrapper-old: fix binutils and coreutils' paths 2016-04-25 14:27:51 +03:00
jraygauthier
ddc401ed0a icon-conv-tools: init at 0.0.0 (#13905)
A nix specific set of tools for converting icon files
that are not in a freedesktop ready format.

I plan on using these tools for both `keepass` and
`retroarch` packages. It may benifit many other packages.
2016-04-25 13:16:47 +02:00
Nikolay Amiantov
5ff40ddedf add get* helper functions and mass-replace manual outputs search with them 2016-04-25 13:24:39 +03:00
Profpatsch
a2d38bc7fc doc/stdenv.xml document substitution env variables
The filtering of environment variables that start with an uppercase
letter is documented in the manual.
2016-04-23 21:41:35 +02:00
Tuomas Tynkkynen
bd18cc3cdc Merge pull request #14888 from dezgeg/pr-kill-module-init-tools
Delete all usages of module_init_tools and remove the package
2016-04-23 14:29:41 +03:00
Vladimír Čunát
6e7787e666 stdenv for windows: auto-link dependency DLLs
For every *.{exe,dll} in $output/bin/ we try to find all (potential)
transitive dependencies and symlink those DLLs into $output/bin
so they are found on invocation.
(DLLs are first searched in the directory of the running exe file.)

The links are relative, so relocating whole /nix/store won't break them.
The hook is activated on cygwin and when cross-compiling to mingw.
2016-04-23 10:52:00 +02:00
Guido Zgraggen
6ea0ae58af nix-prefetch-git: create parent directories 2016-04-22 16:51:49 -07:00
Tuomas Tynkkynen
01854a850a treewide: Replace module_init_tools -> kmod
The former is deprecated and doesn't handle compressed kernel modules,
so all current usages of it are broken.
2016-04-22 10:40:57 +03:00
Vladimír Čunát
57474b7d4a Merge branch 'master' into staging
Compare to Hydra nixpkgs job 1260021.
2016-04-20 16:49:52 +02:00
Vladimír Čunát
f6dfbb692c stdenv multiple-outputs: fix cross-build propagation
Fixes #14817. The outputs weren't propagated correctly when
cross-building.
2016-04-20 16:37:23 +02:00
Vladimír Čunát
9f8751528c stdenv multiple-outputs: fix #14782 --docdir location
- the default --docdir is typically DATAROOTDIR/doc/pkgName
- I saw no other way than to employ some magic to guess this `pkgName`
- user can override it by setting $shareDocName
2016-04-20 16:36:10 +02:00
Eelco Dolstra
21a2f2ba3b nix: Add a "dev" output
This gets rid of boehm-dev in the closure (as well as Nix's own
headers).
2016-04-18 21:13:18 +02:00
Robin Gloster
d020caa5b2 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-04-18 13:49:22 +00:00
Vladimír Čunát
f57c6449dc buildEnv: fix #14682 evaluation in some edge cases
I supplied meta.outputsToInstall automatically in all
mkDerivation products, but some packages still don't use it.
The reported case: jekyll -> bundlerEnv -> buildEnv -> runCommand.
2016-04-17 08:57:17 +02:00
Marius Bakke
d534e38d58 makeWrapper: allow special characters in variable contents 2016-04-16 02:58:02 +01:00
Brian McKenna
0167b61ef4 dockerTools: only add "/nix" if it exists
The /nix path in 4d200538 of the layer tar didn't exist for some
packages, such as cacert. This is because cacert just creates an /etc
directory and doesn't depend on any other /nix paths. If we tried
putting this directory in the tar and using overlayfs with it, we'd get
"Invalid argument" when trying to remove the directory.

We now check whether the closure is non-empty before telling tar to
store the /nix directory.

Fixes #14710.
2016-04-16 01:16:49 +10:00
Brian McKenna
bc2f314f73 dockerTools: make tars deterministic
There were two sources of non-determinisim coming into the images. The
first was tar mtimes, the second was pigz/gzip times.

An example image now passes with the --check flag.
2016-04-15 09:29:15 +10:00
Domen Kožar
0f9268e52c fetchurl: assert required Nix version for sha512 2016-04-14 12:50:21 +01:00
Luca Bruno
44d651485a dockerTools: fix difference between base files and layer files 2016-04-14 12:23:49 +02:00
Luca Bruno
4d200538c2 dockerTools: fix /nix/store permissions 2016-04-14 12:23:48 +02:00
Luca Bruno
6d8845ed8f Merge pull request #14588 from puffnfresh/bug/remove-docker-tarballs
dockerTools: remove "tarballs" attribute
2016-04-13 21:01:01 +02:00
Eelco Dolstra
3ecbe604ef fetchurl: Support SHA-512 hashes 2016-04-13 14:11:14 +02:00
Nikolay Amiantov
d0fd551876 buildFHSEnv: post-closure-size fix 2016-04-13 14:28:33 +03:00
Nikolay Amiantov
5c38c36472 Merge pull request #14650 from hrdinka/fhs-chroot/pkg-path
build-fhs-chrootenv: set PKG_CONFIG_PATH
2016-04-13 14:24:09 +04:00
Christoph Hrdinka
54fa4c4cec build-fhs-chrootenv: set PKG_CONFIG_PATH
Currently `PKG_CONFIG_PATH` isn't set in FHS chroots rendering `pkg-config`
unusable. This patch sets it to `/usr/lib/pkgconfig`.
2016-04-13 11:06:33 +02:00
Vladimír Čunát
39ebb01d6e Merge branch 'staging', containing closure-size #7701 2016-04-13 09:25:28 +02:00
Joachim Fasting
27035365ec build-support/grsecurity: simplify the grsecurityOverrider
Adding inputs required by gcc plugins to the ambient environment is sufficient.
2016-04-12 01:23:32 +02:00
Brian McKenna
d150fe8915 dockerTools: use pigz for final image tar
Saves a few seconds on large images.
2016-04-11 16:32:47 +10:00
Brian McKenna
ebb911cc0b dockerTools: remove tarballs functionality
I think the intention of this functionality was to provide a simple
alternative to the "runAsRoot" and "contents" attributes.

The implementation caused very slow builds of Docker images. Almost all
of the build time was spent in IO for tar, due to tarballs being
created, immediately extracted, then recreated. I had 30 minute builds
on some of my images which are now down to less than 2 minutes. A couple
of other users on #nix IRC have observed similar improvements.

The implementation also mutated the produced Docker layers without
changing their hashes. Using non-empty tarballs would produce images
which got cached incorrectly in Docker.

I have a commit which just fixes the performance problem but I opted to
completely remove the tarball feature after I found out that it didn't
correctly implement the Docker Image Specification due to the broken
hashing.
2016-04-11 16:32:43 +10:00
Vladimír Čunát
30f14243c3 Merge branch 'master' into closure-size
Comparison to master evaluations on Hydra:
  - 1255515 for nixos
  - 1255502 for nixpkgs
2016-04-10 11:17:52 +02:00
Robin Gloster
3e68106afd Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-04-07 21:52:26 +00:00
Vladimír Čunát
710573ce6d Merge #12653: rework default outputs 2016-04-07 16:00:09 +02:00
Vladimír Čunát
9a824f2f1d treewide: rename extraOutputs{ToLink,ToInstall}
This is to get more consistent with `meta.outputsToInstall`.
2016-04-07 15:59:44 +02:00
Vladimír Čunát
2995439003 buildEnv: respect meta.outputsToInstall
As a result `systemPackages` now also respect it.
Only nix-env remains and that has a PR filed:
    https://github.com/NixOS/nix/pull/815
2016-04-07 15:59:44 +02:00
Vladimír Čunát
d1df28f8e5 Merge 'staging' into closure-size
This is mainly to get the update of bootstrap tools.
Otherwise there were mysterious segfaults:
https://github.com/NixOS/nixpkgs/pull/7701#issuecomment-203389817
2016-04-07 14:40:51 +02:00
Tuomas Tynkkynen
6b42f9f4be Merge commit 'bde820' from staging
http://hydra.nixos.org/eval/1252653 - only ~9400 packages to go at the
time of writing this.
2016-04-06 01:18:28 +03:00
Vladimír Čunát
aa670eb503 vmTools: update debian jessie 8.3 -> 8.4
Their in-place updates break download hashes...
2016-04-05 14:32:04 +02:00
Robin Gloster
bbbaccfa68 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-04-04 15:24:52 +00:00
Nikolay Amiantov
88c97e2860 Merge pull request #14413 from abbradar/steam-run
steam-run: add derivation
2016-04-04 18:04:45 +04:00
Samuel Rivas
f1b0d6410e emacsWithPackages: reduce some duplication 2016-04-03 21:21:50 +02:00
Samuel Rivas
2b199537b7 emacsWithPackages: move bin and site-lisp to private share directory
This is to avoid unwanted side effects when installing a wrapped emacs in the environment:

  * All executables in the dependencies become available in the user environment
  * All site-lisp binaries in the dependencies become accessible to unwrapped emacs

Also, both bin and site-lisp would generate conflicts so installing a wrapped emacs becomes really cumbersome
2016-04-03 21:11:38 +02:00
Robin Gloster
696d85a62d Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-04-03 11:01:57 +00:00
Nikolay Amiantov
375c410d07 userFHSEnv: add passthru, rename meta 2016-04-03 04:19:58 +03:00
Tomasz Kontusz
6c9ce23c00 cc-wrapper: Fix a typo in param parsing (close #14401) 2016-04-02 20:51:48 +02:00
Eelco Dolstra
13a1c7b8c1 useOldCXXAbi: Change into a setup hook
Stdenv adapters considered weird.
2016-04-01 13:36:59 +02:00
Lluís Batlle i Rossell
635c99ce87 vm: allow overriding QEMU_OPTS / memSize for images.
It's nice to be able to create disk images with -smp 4
in qemu.
2016-04-01 10:32:59 +02:00
Vladimír Čunát
ab15a62c68 Merge branch 'master' into closure-size
Beware that stdenv doesn't build. It seems something more will be needed
than just resolution of merge conflicts.
2016-04-01 10:06:01 +02:00
Franz Pletz
2e08d8234e Merge remote-tracking branch 'origin/master' 2016-03-31 10:06:30 +02:00
Lluís Batlle i Rossell
ab93f8c137 Making vm's qemu cache=unsafe. Faster.
I don't think it's unsafe, if it's meant for nix expressions.
2016-03-31 09:27:25 +02:00
Lluís Batlle i Rossell
e21dd19168 Making vm's interactive shell handle the terminal well. 2016-03-31 09:27:14 +02:00
Robin Gloster
a4e65c3639 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-03-30 09:01:20 +00:00
Nikolay Amiantov
a5322efd95 Revert "Remove PATH assumption from fhs-userenv."
This reverts commit 2f26b82411.

This breaks terminfo in Bash for some reason (i.e. TAB and other
special keys).
2016-03-29 17:58:07 +03:00
Robin Gloster
f60c9df0ba Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-03-28 15:16:29 +00:00
Rodney Lorrimar
457eddd18f bower2nix: 2.1.0 -> 3.0.1
1. Update bower2nix version and add new/updated dependencies into
   node-packages-generated.nix. This was done manually, with npm2nix
   generating the initial set of derivations. In future, it would be
   nice to have an automatic process (see #10358, #9332).

2. Add an override to nodePackages.bower2nix wrapping the commands so
   that git is on the PATH.

3. Update fetchbower to support new command-line options of bower2nix,
   and to allow github URL tag versions.
2016-03-28 08:23:06 +01:00
Domen Kožar
b07e7bfc7b Merge remote-tracking branch 'origin/staging' 2016-03-27 13:19:04 +01:00
Joachim Fasting
304c4a514e grsecurity: fix gcc plugin
Also needs mpfr and libmpc
2016-03-26 21:01:21 +01:00
Nicolas B. Pierron
5d6a4a6fa9 Merge pull request #14000 from nbp/fix-extend
Use fix and extends functions for all-packages.nix
2016-03-24 20:54:20 +01:00
Nikolay Amiantov
119c287c71 cc-wrapper: use Bash arrays properly 2016-03-24 21:13:11 +03:00
Nikolay Amiantov
0c6db0ca48 cc-wrapper: add option to skip flags for native optimizations 2016-03-24 20:16:17 +03:00
Eelco Dolstra
89693e71b9 Merge pull request #13907 from abbradar/cpp-wrapper
cc-wrapper: add C++-specific paths if `-x cpp` is passed
2016-03-24 18:12:04 +01:00
zimbatm
40e9dff04a nix-prefetch-git: fix url_to_name heuristic
The function wasn't checking that *all* of the characters where
[a-z0-9]. Fixes #13921
2016-03-23 11:22:51 +00:00
Ryan Trinkle
be30ba8e0e nix-prefetch-scripts: make nix-prefetch-git report fetchSubmodules in its JSON output
Previously, nix-prefetch-git would report the same JSON whether submodules were being fetched or not; with this change, the --fetch-submodules option will cause the JSON output to include "fetchSubmodules": true, so that fetchgit (builtins.fromJSON (builtins.readFile ./path/to/output.json)) will work.
2016-03-21 23:26:18 -04:00
Nicolas B. Pierron
5cdaa7b907 Remove all-packages.nix helperFunctions dependency. 2016-03-20 16:41:20 +00:00
zimbatm
ae487615a6 nix-prefetch-git: fix url_to_name heuristic
The function wasn't checking that *all* of the characters where
[a-z0-9]. Fixes #13921
2016-03-18 21:58:52 +00:00
Sander van der Burg
27e23486bb fetchbower: quote parameter to prevent ambigious redirects if version specifiers have wildcards 2016-03-18 12:06:01 +00:00
Peter Simons
af81505c00 wrap-gapps-hook.sh: fix double inclusion guard
The simple "return" would not override the non-zero error code set by the
preceding test command, therefore aborting scripts running with "set -e".
2016-03-18 07:52:36 +01:00
Nikolay Amiantov
11b69246e0 Merge pull request #13938 from abbradar/fhs-gcc-paths
buildFHSEnv: add standard paths for compilers
2016-03-16 15:44:34 +03:00
Nikolay Amiantov
9488fee869 buildFHSEnv: add standard paths for compilers 2016-03-15 19:44:42 +03:00
Robin Gloster
3f45f0948d Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-03-15 01:44:24 +00:00
zimbatm
9504992e1d Merge pull request #13897 from nbp/fix-ocaml-pkgs-platform
Ensure that we can evaluate the platform attribute of ocaml packages.
2016-03-14 19:25:40 +00:00
Vladimír Čunát
d6b46ecb30 Merge branch 'closure-size' into p/default-outputs 2016-03-14 11:27:15 +01:00
Nikolay Amiantov
87607af7a1 cc-wrapper: add C++-specific paths if -x c++ is passed 2016-03-14 06:58:18 +03:00
Robin Gloster
a9b942c061 cc-wrapper: treat hardeningDisable as string
This fixes passing the env variable to the ld-wrapper through the gcc
call. Wtf?!
2016-03-14 00:26:52 +00:00
Nicolas B. Pierron
72c6f8a140 Ensure that we can evaluate the platform attribute of ocaml packages. 2016-03-13 19:08:26 +00:00
Nicolas B. Pierron
6313a5698a Replace references to all-packages.nix, by references to the top-level of nixpkgs repository. 2016-03-13 18:25:52 +00:00
Vladimír Čunát
ab0bc1ecaf symlinkJoin: preferLocalBuild && !allowSubstitutes 2016-03-11 15:59:18 +01:00
Tristan Helmich
1a5acdb695 cc-wrapper: Add additional NIX_DEBUG statements 2016-03-11 14:02:07 +01:00
Eelco Dolstra
2af1cb3aa6 Merge remote-tracking branch 'origin/binutils-2.26' into staging
This still breaks a few packages, but nothing really major:

  http://hydra.nixos.org/eval/1241850?filter=x86_64-linux&compare=1237919&full=#tabs-now-fail
2016-03-11 11:58:49 +01:00
Tristan Helmich
7e2e0dfe7a cc-wrapper: Use stderr for NIX_DEBUG output
Otherwise configure scripts might break when looking for the path to ld
2016-03-10 15:47:55 +01:00
Franz Pletz
514a478e61 cc-wrapper: Fix if syntax 2016-03-09 10:08:07 +01:00
Robin Gloster
9a5b070b45 hardening: debug with NIX_DEBUG 2016-03-08 20:51:35 +00:00
Vladimír Čunát
09af15654f Merge master into closure-size
The kde-5 stuff still didn't merge well.
I hand-fixed what I saw, but there may be more problems.
2016-03-08 09:58:19 +01:00
Franz Pletz
eb5a897161 Merge remote-tracking branch 'origin/pr/13505'
Fixes #13505.
2016-03-08 01:01:44 +01:00
Franz Pletz
baee91ec60 cc-wrapper: Check if ld supports -z, fixes darwin 2016-03-07 21:40:20 +01:00
Franz Pletz
b2b499e6c4 cc-wrapper: Increase number of functions for stackprotector 2016-03-07 01:30:40 +01:00
Franz Pletz
ab1092875a cc-wrapper: Disable pie for linking static libs 2016-03-07 01:30:39 +01:00
Franz Pletz
63f60b6a13 cc-wrapper: Disable pie when linking shared libraries 2016-03-07 01:30:39 +01:00
zimbatm
5e5494a852 make-wrapper.sh: add an --unset argument
`--set FOO ""` is not strictly equivalent to `--unset FOO`. In the former case
the environment variable still exists with an empty string as a value.
2016-03-06 22:48:14 +00:00
Franz Pletz
05a02c53a0 cc-wrapper: -pie is a ldflag 2016-03-06 00:14:55 +01:00
Franz Pletz
aff1f4ab94 Use general hardening flag toggle lists
The following parameters are now available:

  * hardeningDisable
    To disable specific hardening flags
  * hardeningEnable
    To enable specific hardening flags

Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.

cc-wrapper supports the following flags:

  * fortify
  * stackprotector
  * pie (disabled by default)
  * pic
  * strictoverflow
  * format
  * relro
  * bindnow
2016-03-05 18:55:26 +01:00
Profpatsch
82fa1a796b lib/copyPathToStore: annotate docstring 2016-03-01 15:26:35 +01:00
zimbatm
0d2e437fc9 Merge pull request #13584 from zimbatm/nix-prefetch-git-json
nix-prefetch-git: change the default output to JSON
2016-03-01 10:07:00 +00:00
Lluís Batlle i Rossell
202ebf794c vm/rpm/rpm-closure.pl: make it deterministic
Some recent perl version introduced "keys" to return the keys
in random order. As some of the packages are solved by "provides" and
based on the order, this randomness affects what packages get into the
closure.

This problem may be in other nix perl scripts.
2016-03-01 11:02:42 +01:00
zimbatm
90de261f33 nix-prefetch-git: change the default output to JSON
As discussed on the mailing list. The nix output was short-lived so it's
probably okay to change it.
2016-02-29 22:47:16 +00:00
Luca Bruno
5f8311775c chromium: add StartupWMClass to desktop file. Fixes #12433 2016-02-29 20:42:58 +01:00
zimbatm
6d9cc54089 build-maven: use lib.importJSON 2016-02-29 13:49:29 +00:00
tg(x)
38614d3f6a grsecurity: use kernel version instead of testing / stable 2016-02-28 04:10:59 +01:00
Eelco Dolstra
d5bb6a1f9c glibc: Enable separate debug symbols
The importance of glibc makes it worthwhile to provide debug
symbols. However, this revealed an issue with separateDebugInfo: it
was indiscriminately adding --build-id to all ld invocations, while in
fact it should only do that for final links. Glibc also uses non-final
("relocatable") links, leading to subsequent failure to apply a build
ID ("Cannot create .note.gnu.build-id section, --build-id
ignored"). So now ld-wrapper.sh only passes --build-id for final
links.
2016-02-28 02:57:37 +01:00
Eelco Dolstra
69a337edae separateDebugInfo: Compress debug sections at compile/link time 2016-02-28 01:54:55 +01:00
Eelco Dolstra
2040a9ac57 stdenv-linux: Ensure binutils comes before bootstrapTools in $PATH
Otherwise, when building glibc and other packages, the "strip" from
bootstrapTools is used, which doesn't recognise some tags produced by
the newer "ld" from binutils.
2016-02-28 01:13:15 +01:00
zimbatm
de124cfa79 Merge pull request #11671 from timbertson/fetchgit
fetchgit: output improvements
2016-02-27 22:45:07 +00:00
Eelco Dolstra
e6f61b4cf3 fetchurlBoot: Use Nix's builtin fetchurl function
This removes the need for curl in bootstrapTools, and enables https
for bootstrap tarballs.
2016-02-27 20:27:24 +01:00
tg(x)
4e3d6d3e90 grsecurity: separate fix patches for testing & stable 2016-02-27 19:54:55 +01:00
tg(x)
7547960546 grsecurity: move version information to one place 2016-02-27 18:36:12 +01:00
tg(x)
d95321b83e grsecurity: 4.3.4 -> 4.4.2 2016-02-27 18:36:12 +01:00
Tim Cuthbertson
21547a61ba nix-prefetch-git: print out valid nix expression; make --quiet very quiet 2016-02-27 21:26:35 +11:00
Tim Cuthbertson
456cbb29d9 nix-prefetch-git: add --quiet flag and minor cleanup 2016-02-27 16:56:38 +11:00
zimbatm
35ab3d301f Merge remote-tracking branch 'upstream/staging' 2016-02-26 22:37:04 +00:00
Tony White
4806cddda3 fetchurl: use kernel.org cdn by default
- use http://cdn.kernel.org/pub/ as the default mirror
for kernel source requests.
Discovered by browsing :
 https://www.kernel.org/introducing-fastly-cdn.html
2016-02-26 21:32:00 +00:00
zimbatm
d2f3e250cf Merge pull request #8576 from obadz/nix-prefetch-zip
Add --ext option to nix-prefetch-zip
2016-02-26 00:57:30 +00:00
Nikolay Amiantov
4f74a4aacb fetch-cargo-deps: factor into fetchCargoDeps function 2016-02-25 14:05:44 +03:00
Nikolay Amiantov
34023d867d fetchcargo: set CA bundle path 2016-02-25 13:51:12 +03:00
Vladimír Čunát
93f6af1071 Merge branch 'master' into staging 2016-02-25 09:01:48 +01:00
Vladimír Čunát
30b7bd8d01 Merge branch 'glibc-2.22' into staging
I'm running whole my working notebook on 2.22 without any problems.
I don't expect any significant issues.
2016-02-25 08:42:59 +01:00
Jude Taylor
a2b19cdb04 revert fetch-cargo-deps change 2016-02-23 18:31:45 -08:00
Jude Taylor
7336191574 fix fetch-cargo SSL error 2016-02-23 16:42:51 -08:00
zimbatm
cfa99e5a99 Merge pull request #13114 from colemickens/azure
azure: package qemu 2.2.0 to fix VHD creation
2016-02-23 22:47:44 +00:00
zimbatm
69059602ff Merge pull request #13111 from tsion/simplify-assert
Simplify fetchurl assertion logic.
2016-02-23 22:42:27 +00:00
zimbatm
c3e9630dfa Merge pull request #13369 from grahamc/nix-prefetch-git-output-base32
nix-prefetch-git: output base32 hash so output matches nix-build errors
2016-02-22 18:21:11 +00:00
Graham Christensen
60f354dfb8 nix-prefetch-git: output base32 hash so output matches nix-build errors
It turns out hashFormat has never been set.
2016-02-22 10:50:27 -06:00
Ricardo M. Correia
fd3e02add8 Merge pull request #13027 from puffnfresh/package/pijul
pijul: 0.1 -> 0.2-6ab9ba
2016-02-20 15:43:53 +01:00
Vladimír Čunát
4b581903b3 requireFile: preferLocalBuild = true
There's no point trying to "distribute" showing the error message.
2016-02-19 13:47:50 +01:00
Nikolay Amiantov
9525abdeec steamPackages.runtime: use mirrors, add my mirror 2016-02-19 14:10:09 +03:00
Scott Olson
43a523526d Require at least one of url or urls in fetchurl. 2016-02-19 03:18:21 -06:00
Cole Mickens
718848d5aa azure: package qemu @ 2.2.0
This commit packages qemu-220. This package is qemu-2.2.0
and is only used with Azure.
2016-02-18 21:08:28 -08:00
Scott Olson
9cf93ba135 Simplify fetchurl assertion logic.
The two lines I removed technically assert the exact same thing, since `!a -> b`
is equivalent to `a || b`. So, I replaced the two lines with the more symmetric
form to make it clearer.
2016-02-18 22:39:43 -06:00
Eelco Dolstra
d71a4851e8 Don't try to apply patchelf to non-ELF binaries 2016-02-18 22:54:11 +01:00
Eelco Dolstra
bf63de1613 separateDebugInfo: Handle weird filenames properly 2016-02-18 22:54:11 +01:00
Eelco Dolstra
076de98c94 separateDebugInfo: Restore ELF check 2016-02-18 21:37:26 +01:00
Luca Bruno
b7c57c831f Merge pull request #13099 from datakurre/datakurre-dockertools
dockerTools: Fix issue where image name with repository prefix was no…
2016-02-18 17:30:54 +01:00
Asko Soukka
584427c694 dockerTools: Fix issue where image name with repository prefix was not supported 2016-02-18 18:16:58 +02:00
Vladimír Čunát
e9520e81b3 Merge branch 'master' into staging 2016-02-17 10:06:31 +01:00
Benjamin Staffin
fc85f1beed nix-prefetch-hg: Various bash style improvements, fixes #9511 2016-02-17 00:35:30 +01:00
Brian McKenna
8b644c5826 rust: fix prePatch phase fail when sourceRoot set
We want to go up more than a single directory if we're in a nested one.
2016-02-17 07:28:26 +11:00
Vladimír Čunát
d039c87984 Merge branch 'master' into closure-size 2016-02-14 08:33:51 +01:00