First of all, these "documents" are not really documentation, so it
really doesn't make much sense to put it into $doc.
The main point however is that the installer tests are failing since
this was introduced in ac0cdc1952.
One way to circumvent this is putting dbus.doc into
system.extraDependencies of the installer tests, but given the first
point this sounds a bit odd to me.
So I went for the second way of putting it into $out, because it's now
basically necessary to build a NixOS system.
With this the NixOS installer tests should now work again, although I
have only tested this with the installer.simple test.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @abbradar
The problem with using libxslt as buildInputs is that the dev output is
used for building the dbus config.
This is one of the reasons why the installer tests are failing since
ac0cdc1952, because the tests do not have
libxslt.dev in their closure and really shouldn't.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @abbradar
This is the output of the builder:
building path(s) `/nix/store/khkcfb8433i9mabb6wnb8ik6p9skg644-dbus-1'
error : connection refused
error : connection refused
However, even when using --nonet we'd still get this:
I/O error : Attempt to load network entity
http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd
So in order to avoid this, we now provide an XML catalog file, mapping
the public URLs to the local DTD paths inside the store instead of using
--path (which doesn't seem to work with xsltproc).
Tested this by comparing the SHA256 (nix-hash --type sha256) of the
output path generated by:
nix-build -E '(import ./. {}).makeDBusConf {
suidHelper = "SUIDHELPER";
serviceDirectories = [ "SERVICEDIR1" "SERVICEDIR1" ];
}'
... with the SHA256 of the generated output path prior to this commit
and they have the same hash:
6f3f9594b12fddbff9407b85252b6f649da11f56b7fd514f761966c11399a7ab
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @abbradar
This should solve CVE-2016-5131 and some other bugs, but not what Suse
calls CVE-2016-9597: https://bugzilla.suse.com/show_bug.cgi?id=1017497
The bugzilla discussion seems to indicate that the CVE is referenced
incorrectly and only shows reproducing when using command-line flags
that are considered "unsafe".
CVE-2016-9318 also remains unfixed, as I consider their reasoning OK:
https://lwn.net/Alerts/714411/
/cc #22826.
This reverts commit 1daf2e26d2, reversing
changes made to c0c50dfcb7.
It seems this is what has been causing all the reliability problems
on Hydra. I'm currently unable to find why it happens, so I'm forced
to revert the update for now. Discussion: #22874.
Use XSLT transform to modify stock dbus configuration file. This is needed
because some dbus components doesn't support <include> so we need to put our
core configuration in the main file.