See discussion at
https://github.com/NixOS/nixpkgs/pull/63952#issuecomment-507048690.

Upstream commit:

    commit 1c9cc97e9d47d73763810dcb4a36b6cdf31a2254
    Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
    Date:   Sun Jun 30 11:54:35 2019 -0400

        dirmngr: Only use SKS pool CA for SKS pool

        * dirmngr/http.c (http_session_new): when checking whether the
        keyserver is the HKPS pool, check specifically against the pool name,
        as ./configure might have been used to select a different default
        keyserver. It makes no sense to apply Kristian's certificate
        authority to anything other than the literal host
        hkps.pool.sks-keyservers.net.

        Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
        GnuPG-Bug-Id: 4593

See https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f.

The SKS network is vulnerable to certificate poisoning, which can
destroy GnuPG installations. keys.openpgp.org is a new non-SKS keyserver
that is resistant to this type of attack.

With such an attack being possible, it is unsafe to use SKS keyservers
for almost anything, and so we should protect our users from a now
unsafe default. keys.openpgp.org offers some (but not all) functionality
of SKS, and is better than nothing.

This default is only present in gnupg22. gnupg20 and gnupg1orig are not
affected.

When $subPackages has more than one item, the build was failing because
./ was added only to the first subPackage. This commit adds ./ to all
specified subPackages.

Branch names are mutable, and with
https://github.com/NixOS/systemd/pull/29 being merged in, the nixos-v242
branch advanced from 5c20aab77900f478fd380ab189787d80e4a35963 to
40eb070cb309ec09def0ecdeaf7514c702200835, causing systemd's
fetchFromGitHub to fail with a sha256sum mismatch (when not relying on
the cache).

Fix this by pointing systemd.src to the commit id before the branch
advancement. This won't cause a rebuild, as the sha256 stayed the same.

Fast-forwarding systemd to 40eb070cb309ec09def0ecdeaf7514c702200835 will
be done in https://github.com/NixOS/nixpkgs/pull/63784, which also uses
the commit id, and not a branch name, for rev.

On Darwin, the last argument to GCC is coming up as an empty string.
This is breaking the build of proto_library targets. However, I was not
able to reproduce with the example cpp project [0].

This commit patches the cc_wrapper of Bazel that gets installed on
Darwin to remove the last argument if it's an empty string. This is
not a problem on Linux.

[0]: https://github.com/bazelbuild/examples/tree/master/cpp-tutorial/stage3

including parallel bumps of pythonPackages.libvirt and perlPackages.SysVirt

also include patches for CVE-2019-10161, CVE-2019-10166, CVE-2019-10167
and CVE-2019-10168

See https://github.com/NixOS/nixpkgs/issues/58126 for more details.

This will instruct the user how to manually finish the setup instead of
failing with error messages (unfortunately it is quite a bit hacky
though...).

Extra note:

We cannot use "bundle config --local" due to BUNDLE_GEMFILE (would
attempt to create .bundle/config in the Nix store) and manually creating
.bundle/config doesn't work either as these configuration variables are
still overwritten by the environment variables, even though this
shouldn't be the case [0].

[0]: https://bundler.io/v2.0/man/bundle-config.1.html