This turns the GCC clobbered error into a warning which should fix:
```
emanage_store.c: In function 'semanage_exec_prog':
semanage_store.c:1278:6: error: variable 'i' might be clobbered by 'longjmp' or 'vfork' [8;;https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wclobbered-Werror=clobbered8;;]
1278 | int i;
| ^
cc1: all warnings being treated as errors
```
Version 0.1.0 is based on the last commit that included support for V1
encryption policies. Version 1.0 is about to be released and will
include a PR which removes V1 policy support and adds V2 policy support.
Source: https://github.com/google/fscryptctl/issues/12#issuecomment-772888154
When version 1.0 is released we'll likely package it as fscryptctl and
mark fscryptctl-experimental as broken (referring to fscryptctl).
A vulnerability was discovered in how wpa_supplicant processing P2P
(Wi-Fi Direct) group information from active group owners. The actual
parsing of that information validates field lengths appropriately, but
processing of the parsed information misses a length check when storing
a copy of the secondary device types. This can result in writing
attacker controlled data into the peer entry after the area assigned for
the secondary device type. The overflow can result in corrupting
pointers for heap allocations. This can result in an attacker within
radio range of the device running P2P discovery being able to cause
unexpected behavior, including termination of the wpa_supplicant process
and potentially arbitrary code execution.
https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt
Fixes: CVE-2021-0326
This was recently introduced, and apparently not nixpkgs-fmt'ed.
While there's no global consensus on nixpkgs-fmt'ing everything,
indenting this by 2 more spaces won't hurt.
The use of systemctl makes this incompatible with darwin even though
building/deploying a nixos closure from darwin is a perfectly valid use case.
NIX_DAEMON is pretty much unnecessary nowadays as nix uses other
indicators for deciding whether to use the daemon or not.
Fix a race condition that occurs in parallel builds of
nvidia-settings, frequently ending in the following error:
/bin/bash: _out/Linux_x86_64/antialias.png.h: No such file or directory
make[1]: *** [Makefile:320: _out/Linux_x86_64/antialias.png.h] Error 1
Upstream issue and fix from:
https://github.com/NVIDIA/nvidia-settings/issues/59
in service of getting elfutils building against musl-libc, this library
is an extraction of the obstack functions from glibc/libiberty. this is
the approach taken by void and alpine linux.
this is in service of getting elfutils building against musl-libc again.
the currently-included netbsd.fts package has a bunch of #define
collisions with current elfutils, so pulling this library in, which is
what both void and alpine linux do.
The wpa_supplicant upstream is slow to push out new releases and has
been asked several times to do so. Support for Opportunistic Wireless
Encryption has been on master since late 2019 and still hasn't made it
into a release yet.
This backports a rather simple patchset to enable OWE key management
and exposes it also via DBus, so it can be used from Network-Manager.
The kernel config parameter `DRM_AMD_DC_DCN3_0` is required to enable
the RX 6000 series GPUs, and is supported on kernels at least `5.9.12`.
Source: https://wiki.gentoo.org/wiki/AMDGPU#Installation
Ignore the sanity check that prevents the Nvidia drivers from
being built for kernels with real-time patches.
Even though the driver might not be officially supported by
Nvidia for linux-rt, it seems to work without issues.
Attempting to install the driver for linux-rt fails with the
following error message:
The kernel you are installing for is a PREEMPT_RT kernel!
The NVIDIA driver does not support real-time kernels. If you
are using a stock distribution kernel, please install
a variant of this kernel that does not have the PREEMPT_RT
patch set applied; if this is a custom kernel, please
install a standard Linux kernel. Then try installing the
NVIDIA kernel module again.
*** Failed PREEMPT_RT sanity check. Bailing out! ***
Maintainer notes
-----
The execline exec function interface changed quite drastically, and
backwards-compatibility to the old functions was dropped in-between
the last release and this one. Thus, downstream code might break.
At the end of this commit message is a compatibility interface.
-----
Release notes
-----
Hello,
Happy New Year to everyone!
New versions of the skarnet.org packages are available.
This is a major release. The skalibs major version number has been
bumped, which means that compatibility with previous versions is not
ensured. Other packages have been updated to build against the new
skalibs. If they only had their patch number increased, that's all
the modifications they had (save for possible bugfixes); but some
packages also received significant changes and underwent either a major
(compatibility not ensured) or minor (simple additions) release.
Support for the 2.9.* branch of skalibs, and associated versions of
the other packages, is still ensured for a while, but users are always
strongly encouraged to upgrade.
* General
-------
- Some rarely-triggered build bugs have been fixed.
- -fno-stack-protector is not part of the default CFLAGS anymore;
stack protector policy now defaults to the compiler's settings.
* skalibs-2.10.0.0
----------------
- Bugfixes.
- Significant code cleanup.
- New sysdep: chroot.
- Lots of new functions, mostly to optimize the number of needed
fcntl() calls at open() time. Traces should generally be marginally
shorter than they were before.
- Removal of the DJBUNIX_FLAG_NB and DJBUNIX_FLAG_COE macros, replaced
by the POSIX O_NONBLOCK and O_CLOEXEC macros wherever they were used.
- Removal of the skalibs/webipc.h header, and better header separation.
- Complete revamping of the pathexec functions, now separated into
exec_* (simple execution) and mexec_* (execution with merging of the
environment first). In true skalibs fashion, there is a little code,
and 3 pages of convenience macros (the exec.h header).
- Complete rewrite of the locking functions, with a change of
underlying mechanisms. The skalibs locking primitives are now named
fd_lock(), fd_unlock() and fd_islocked().
The Unix locks primitive space is a horror show. flock() is not
POSIX and does not have a way to test for a lock without taking it.
The POSIX lockf() only has exclusive locks, not shared ones. The least
bad option is fcntl(), which has shared and exclusive locks *and* a way
to check for a lock without taking it, but does not allow taking a
shared lock via a O_WRONLY file descriptor. Of all inconveniences this
is the most minor one, so now skalibs uses fcntl().
https://skarnet.org/software/skalibs/
git://git.skarnet.org/skalibs
* nsss-0.1.0.0
------------
- New --enable-libc-includes configure option. Without this option,
the pwd.h, grp.h and shadow.h headers are not installed anymore, so
by default installing nsss on a FHS system does not overwrite the
libc headers.
https://skarnet.org/software/nsss/
git://git.skarnet.org/nsss
* utmps-0.1.0.0
-------------
- New --enable-libc-includes configure option. Without this option,
the utmpx.h header is not installed anymore, so by default installing
utmps on a FHS system does not overwrite the libc headers.
https://skarnet.org/software/utmps/
git://git.skarnet.org/utmps
* execline-2.7.0.0
----------------
- Bugfixes.
- The trap program has changed. The "timeout" directive has been
removed; a "default" directive has been added, to handle all signals
for which a specific directive has not been given. Subprograms are
now run with the SIGNAL environment variable set to the signal number
(in addition to ! always being set to the application's pid).
- The forstdin program has changed. It now exits 0 if it has read at
least one line, and 1 otherwise.
- The default list of delimiters for backtick, withstdinas, forstdin
and forbacktickx has been set to "\n", so by default those programs
will read and/or split on lines and only lines.
- The backtick, withstdinas, forstdin, forbacktickx, forx, getpid
and getcwd programs now have a -E option to activate autoimport.
(This saves the user from manually adding "importas var var" after
every use of these programs.)
https://skarnet.org/software/execline/
git://git.skarnet.org/execline
* s6-2.10.0.0
-----------
It is imperative to restart your supervision trees, by rebooting if
necessary, after upgrading s6 to the new version. Otherwise, new s6
binaries interacting with service directories maintained by old
s6-supervise binaries may not work.
If you are using s6-linux-init, it is necessary to upgrade to the
latest version of s6-linux-init at the same time as s6.
- Bugfixes.
- Significant code refactoring.
- The internal locking system of service directories has changed,
allowing for a cleaner permissions model and official support of
relaxed permissions.
- New binary to implement those relaxed permissions: s6-svperms.
- The "nosetsid" file is not supported anymore in service directories.
Services are now always started in a new session.
- s6-supervise now traps SIGINT: before dying, it sends a SIGINT to its
service's process group. This allows correct transmission of ^C when a
supervision tree is running in a terminal, even though every service
runs in its own session.
- s6-svc -X doesn't exist anymore. s6-supervise now always closes stdin
and stdout on the last execution of the service.
- The semantics of SIGHUP and SIGQUIT have changed for s6-supervise.
- The set of commands sent by s6-svscanctl and received by s6-svscan
has been cleaned up and made more logical.
- When told to exit normally (typically via s6-svscanctl -t), s6-svscan
now first waits for the whole supervision tree to die. The
.s6-svscan/finish script can now assume that all services are completely
down. (s6-svscanctl -b is an exception; it should not be used in normal
circumstances.)
- The -s and -S options to s6-svscan are not supported anymore. Signal
management in s6-svscan has been streamlined: signals have a default
handler that can be overridden by a corresponding executable
.s6-svscan/SIGfoo file.
- Default signal handlers for s6-svscan have more intuitive semantics.
- New binary to help with management of user-owned supervision trees:
s6-usertree-maker.
https://skarnet.org/software/s6/
git://git.skarnet.org/s6
s6 now has man pages! Thanks to flexibeast for performing the conversion
work. Please allow some time for the man pages to be updated to reflect
the current HTML documentation. The repository can be found here:
https://github.com/flexibeast/s6-man-pages
* s6-linux-init-1.0.6.0
---------------------
It *is necessary* to upgrade s6-linux-init at the same time as s6.
It *is recommended*, although not strictly necessary, to create your
run-image directory again via a s6-linux-init-maker invocation. Old
images will still boot, as long as you are using an upgraded version
of s6-linux-init; but they may incorrectly handle signals sent to init,
so for instance Ctrl-Alt-Del may not work anymore, until you run
s6-linux-init-maker again.
- New internal binary: s6-linux-init-nuke. This program is not meant
to be invoked by users directly: it simply removes a dependency to the
'kill' program in a rare case involving containers.
https://skarnet.org/software/s6-linux-init/
git://git.skarnet.org/s6-linux-init
* s6-dns-2.3.4.0
--------------
- New library function: s6dns_message_parse_question().
https://skarnet.org/software/s6-dns/
git://git.skarnet.org/s6-dns
* s6-networking-2.4.0.0
---------------------
- Important refactoring of the tls code. The crypto tunnel now runs
as a child of the application, instead of the other way around. It is
now isolated in a s6-tls[cd]-io binary; s6-tlsc is now a simple wrapper
around s6-tlsc-io, and s6-tlsd is a simple wrapper around s6-tlsd-io.
- New binaries: s6-ucspitlsc and s6-ucspitlsd. Those implement
opportunistic TLS via the UCSPI-TLS protocol.
- The -K option to the tls binaries has changed semantics: it now
enforces a timeout for the handshake instead of dropping the connection
after some inactivity. Note that this option is only useful with the
bearssl backend: the libtls backend always performs a synchronous
handshake, with no way of interrupting it after a timeout expires.
- The execline dependency is now optional. Disabling execline, however,
changes the behaviour of s6-tcpserver-access (which cannot support
exec files without it).
https://skarnet.org/software/s6-networking/
git://git.skarnet.org/s6-networking
It is now possible to build the s6-networking package against OpenSSL
instead of LibreSSL, thanks to the libretls project:
https://git.causal.agency/libretls/about/
* mdevd-0.1.3.0
-------------
- New -C option to the mdevd program. This option makes mdevd
automatically spawn a mdevd-coldplug program when it's ready, allowing
mdevd to be used as a drop-in mdev -d replacement. (Note that the
coldplug is also performed if mdevd restarts after being killed, so
this feature should not be used in place of a proper service startup
sequence with a mdevd-coldplug oneshot depending on the mdevd longrun.
It has only been added for convenience.)
https://skarnet.org/software/mdevd/
git://git.skarnet.org/mdevd
* Other packages
--------------
The following packages have received an update so they build with the
latest version of skalibs and other dependencies, but nothing has changed
except possibly some bugfixes, and hopefully not too many bug additions.
- s6-rc-0.5.2.1. (It is not necessary to recompile your service
database. However, it is necessary to upgrade s6-rc along with s6, and
to reboot the system ASAP after upgrading.)
- s6-portable-utils-2.2.3.1
- s6-linux-utils-2.5.1.4
- bcnm-0.0.1.2
Enjoy,
Bug-reports welcome.
--
Laurent
-----
execline compat interface
-----
/* Compatibility */
#define pathexec_run(file, argv, envp) exec_ae(file, argv, envp)
#define pathexec0_run(file, argv, envp) exec0_ae(file, argv, envp)
#define xpathexec_run(file, argv, envp) xexec_ae(file, argv, envp)
#define xpathexec0_run(file, argv, envp) xexec0_ae(file, argv, envp)
#define pathexec_env(key, value) env_mexec(key, value)
#define pathexec_fromenv(argv, envp, envlen) mexec_f(argv, envp, envlen)
#define pathexec(argv) mexec(argv)
#define pathexec0(argv) mexec0(argv)
#define xpathexec_fromenv(argv, envp, envlen) xmexec_f(argv, envp, envlen)
#define xpathexec(argv) xmexec(argv)
#define xpathexec0(argv) xmexec0(argv)
#define pathexec_r_name(file, argv, envp, envlen, modif, modiflen) mexec_afm(file, argv, envp, envlen, modif, modiflen)
#define pathexec_r(argv, envp, envlen, modif, modiflen) mexec_fm(argv, envp, envlen, modif, modiflen)
#define xpathexec_r_name(file, argv, envp, envlen, modif, modiflen) xmexec_afm(file, argv, envp, envlen, modif, modiflen)
#define xpathexec_r(argv, envp, envlen, modif, modiflen) xmexec_fm(argv, envp, envlen, modif, modiflen)
#endif
copied from 18e4356557 (diff-69efbe5d997280a1430a6af2fa38e3f5105e706076a26fc751885c505ca598c6R140)
* alsaLib: fix build under musl-libc
there's a commit in upstream master that fixes the build issue here.
this patch is also applied in alpine linux.
* alsaLib: explainer for DL_ORIGIN patch
The `platform` field is pointless nesting: it's just stuff that happens
to be defined together, and that should be an implementation detail.
This instead makes `linux-kernel` and `gcc` top level fields in platform
configs. They join `rustc` there [all are optional], which was put there
and not in `platform` in anticipation of a change like this.
`linux-kernel.arch` in particular also becomes `linuxArch`, to match the
other `*Arch`es.
The next step after is this to combine the *specific* machines from
`lib.systems.platforms` with `lib.systems.examples`, keeping just the
"multiplatform" ones for defaulting.
`throw` aborts eval when the package is touched in inappropriate places. See
https://github.com/NixOS/nixpkgs/issues/109001 for an adverse instance of that.
ZFS now behaves like a regular broken package when it's, you know, broken.
It also still prints the helpful incompatibility notice when fully evaluated.