Fixes a number of CVEs:
- a DNS request hijacking vulnerability. (CVE-2017-0902)
- an ANSI escape sequence vulnerability. (CVE-2017-0899)
- a DoS vulnerability in the query command. (CVE-2017-0900)
- a vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files. (CVE-2017-0901)
While we tell pip not to fetch (with the `--no-index` option),
`setuptools` can do so itself. In the past we used a `distutils.cfg`
with `allow-hosts = None` to prevent setuptools from fetching itself.
This was removed when we started building wheels in
2562f94de4e4fd2ddc677187fa2e2848L69.
The `dist-utils.cfg` code was still there, and adding it to
`buildInputs` is sufficient.
Tested with python.pkgs.passlib by removing the `checkInputs` / `nose`.
This reverts commit 0a944b345e, reversing
changes made to 61733ed6cc.
I dislike these massive stdenv changes with unclear motivation,
especially when they involve gratuitous mass renames like NIX_CC ->
NIX_BINUTILS. The previous such rename (NIX_GCC -> NIX_CC) caused
months of pain, so let's not do that again.
It's now the default. /cc #19456
This makes a real build simplification, because in our current
bootstrapping+aliases, `gcc6` attribute is not the default compiler
but a derivation *built by* the default compiler.
nix-exec didn't build before this commit already
test.{support, regrtest} are the internal packages cpython
developers use to write tests.
Although they are not public and the API may change/break
some developers use these packages to write tests for their
(3rd party) software.
The derivations for cpython now only remove the actual tests
but leave the packages in place that are used to write them.
Discussion: https://github.com/NixOS/nixpkgs/pull/28540
* pgadmin: use https homepage
* msn-pecan: move homepage to github
google code is now unavailable
* pidgin-latex: use https for homepage
* pidgin-opensteamworks: use github for homepage
google code is unavailable
* putty: use https for homepage
* ponylang: use https for homepage
* picolisp: use https for homepage
* phonon: use https for homepage
* pugixml: use https for homepage
* pioneer: use https for homepage
* packer: use https for homepage
* pokerth: usee https for homepage
* procps-ng: use https for homepage
* pycaml: use https for homepage
* proot: move homepage to .github.io
* pius: use https for homepage
* pdfread: use https for homepage
* postgresql: use https for homepage
* ponysay: move homepage to new site
* prometheus: use https for homepage
* powerdns: use https for homepage
* pm-utils: use https for homepage
* patchelf: move homepage to https
* tesseract: move homepage to github
* quodlibet: move homepage from google code
* jbrout: move homepage from google code
* eiskaltdcpp: move homepage to github
* nodejs: use https to homepage
* nix: use https for homepage
* pdf2djvu: move homepage from google code
* game-music-emu: move homepage from google code
* vacuum: move homepae from google code
Symbolic links were added pointing to the executables that end with 3 as
part of the Python 2 to 3 migration. At some point I disabled ensurepip
but forgot to remove this symbolic link.
Symbolic links were added pointing to the executables that end with 3 as
part of the Python 2 to 3 migration. At some point I disabled ensurepip
but forgot to remove this symbolic link.
Symbolic links were added pointing to the executables that end with 3 as
part of the Python 2 to 3 migration. At some point I disabled ensurepip
but forgot to remove this symbolic link.
* pkgs: refactor needless quoting of homepage meta attribute
A lot of packages are needlessly quoting the homepage meta attribute
(about 1400, 22%), this commit refactors all of those instances.
* pkgs: Fixing some links that were wrongfully unquoted in the previous
commit
* Fixed some instances
Python envs did not pass through any of the properties the Python
interpreter has. That could be annoying, especially not having
`python.interpreter` which is the path to the interpreter. This commit
fixes the situation and inherit python.passthru.
- Adds the necessary passthru vars for bundler, bundix, etc. to accept
the package as a ruby.
- Adds the devEnv attribute, so that jruby.devEnv can be used to get
an environment with bundler and bundix installed.
Other executables all invoke jruby, and so don't need to be wrapped.
In some cases wrapping breaks the executables because one file is a ruby
script that directly loads the other (e.g. `gem` is a wrapper that loads
`jgem`). In this case, if the latter script has been wrapped by nix,
loading will fail.
I suppose 2.1 with caveats with some pointers is better than nothing.
I'm sorry for the potential confusion. In particular, the problem
about 64-bit pointers is the same in 2.0 and 2.1, despite the warning
only being shown for 2.1 on the web site.
Thus far all executables in a derivation were wrapped. This commit
only wraps executables in $out/bin. If other scripts need to be wrapped
as well, then one can use wrapPythonProgramsIn.
When tests are disabled, we do not want to pass checkInputs to
stdenv.mkDerivation. This reduces the build requirements and, more
importantly, helps cutting cycles.
This still causes some uncached rebuilds, but master(!) and staging
move too fast forward rebuild-wise, so Hydra might never catch up.
(There are also other occasional problems.)
Therefore I merge at this point where the rebuild isn't that bad.
The Python interpreters are patched so they can build .pyc bytecode free
of certain indeterminism.
When building Python packages we currently set
```
compiling python files.
in nix store.
DETERMINISTIC_BUILD=1;
PYTHONHASHSEED = 0;
```
Instead if setting these environment variables in the function that
builds the package, this commit sets the variables instead in the Python
setup hook. That way, whenever Python is included in a derivation, these
variables are set.
See also the issue https://github.com/NixOS/nixpkgs/issues/25707.
Split outputs mean that the "include" folder from PHP gets placed into a
"dev" derivation. However php-config is not aware of this, which means
that compiling extensions with phpize fails with an error about being
unable to find header files (see #24357, #24420). This fixes that by:
1. passing the `--includedir` flag to `configure` so that `php-config`
gives the correct paths.
2. moving the `phpize` and `php-config` scripts and man pages to the
dev derivation, to prevent cylic references.
3. ensuring that the `configure` script arguments are stripped from
all binaries, including `php-embed`, to prevent cyclic references.
This commit fixes several issues:
- as reported in https://github.com/NixOS/nixpkgs/issues/24924 it was
possible that the file _sysconfigdata.pyc was generated after the actual
build of the CPython interpreter. We forgot to regenerate that file
during the build. This is now fixed
- the expression of the 3.3 interpreter now also includes some of the
determinism patches even though the output isn't yet reproducible. The
reason for adding them is that this makes the expressions of the
different interpreters more similar.
- references to -dev packages are now also removed in the 3.6 package,
thereby reducing its closure size
makeinfo (provided by the texinfo package) is used by the "help"
command in Octave to display info about functions, etc. By default,
Octave looks for "makeinfo" in the PATH, rather than specifying the
location of the executable. This results in Nix not being aware that
makeinfo is required at runtime (so unless you happen have makeinfo
available from your path, "help" won't work).
This patch fixes that by setting the path to makeinfo in Octave,
thereby creating a runtime dependency on texinfo.
There are a few dozen new failures on Darwin, probably related to
updates of stdenv's llvm and/or pkgconfig.
Still the total number of successes increases.
Python does add the script's directory into "sys.path". For the case of
"catch_conflicts.py" this means "/nix/store" is added to "sys.path". This can
result in very long delays if the store contains a lot of entries.
(moved from master commit 76213d102c)
Python does add the script's directory into "sys.path". For the case of
"catch_conflicts.py" this means "/nix/store" is added to "sys.path". This can
result in very long delays if the store contains a lot of entries.
This change is required on darwin, but did not make it into the 4.2.1
release of Octave. It is a very small change, and a comment on the
patch includes a link for more information and a note that it should
be removed from subsequent releases.
From the manual:
> This attribute should be a number, with a higher value denoting a
lower priority. The default priority is 0.
Just passing -5 or -10 wasn't sufficient, so let's make it -100.
- Windows installers are indeterministic and we don't need them.
- since Python 3 ensurepip is installed by default. pip is indeteministic and we don't need it.
- rebuild bytecode to ensure its deterministic
