This release includes the following changes:
o libssh2_session_set_last_error: Add function
o mac: Add support for HMAC-SHA-256 and HMAC-SHA-512
o WinCNG: support for SHA256/512 HMAC
o kex: Added diffie-hellman-group-exchange-sha256 support
o OS/400 crypto library QC3 support
This release includes the following security advisory:
o diffie_hellman_sha256: convert bytes to bits
CVE-2016-0787: http://www.libssh2.org/adv_20160223.html
This release includes the following bugfixes:
o SFTP: Increase speed and datasize in SFTP read
o openssl: make libssh2_sha1 return error code
o openssl: fix memleak in _libssh2_dsa_sha1_verify()
o cmake: include CMake files in the release tarballs
o Fix builds with Visual Studio 2015
o hostkey.c: Fix compiling error when OPENSSL_NO_MD5 is defined
o GNUmakefile: add support for LIBSSH2_LDFLAG_EXTRAS
o GNUmakefile: add -m64 CFLAGS when targeting mingw64
o kex: free server host key before allocating it (again)
o SCP: add libssh2_scp_recv2 to support large (> 2GB) files on windows
o channel: Detect bad usage of libssh2_channel_process_startup
o userauth: Fix off by one error when reading public key file
o kex: removed dupe entry from libssh2_kex_methods
o _libssh2_error: Support allocating the error message
o hostkey: fix invalid memory access if libssh2_dsa_new fails
o hostkey: align code path of ssh_rsa_init to ssh_dss_init
o libssh2.pc.in: fix the output of pkg-config --libs
o wincng: fixed possible memory leak in _libssh2_wincng_hash
o wincng: fixed _libssh2_wincng_hash_final return value
o add OpenSSL 1.1.0-pre2 compatibility
o agent_disconnect_unix: unset the agent fd after closing it
o sftp: stop reading when buffer is full
o sftp: Send at least one read request before reading
o sftp: Don't return EAGAIN if data was written to buffer
o sftp: Check read packet file offset
o configure: build "silent" if possible
o openssl: add OpenSSL 1.1.0-pre3-dev compatibility
o GNUmakefile: list system libs after user libs
The included patch from upstream fixes the issue described here:
https://bugreports.qt.io/browse/QTBUG-48321
The backing store of certain widgets was being improperly invalidated,
leading to display bugs in, e.g. VLC.
This patch is included in Qt 5.6, so we should remove it when we
upgrade.
This package was failing to build on wendy:
lt-linux-libnuma: linux-libnuma.c:70: main: Assertion `numa_bitmask_equal(bitmask, numa_all_nodes_ptr)' failed.
Since we shouldn't run tests that depend on the hardware
characteristics of the build machine, I've disabled these.
The glibc DNS client side resolver is vulnerable to a stack-based buffer
overflow when the getaddrinfo() library function is used. Software using
this function may be exploited with attacker-controlled domain names,
attacker-controlled DNS servers, or through a man-in-the-middle attack.
https://googleonlinesecurity.blogspot.co.uk/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
Built and tested locally.
From the changelog:
```
Version 0.7.82, 2016-01-27
+ Matroska: CRC-32 validation
+ Matroska: support of padding/junk at the start of a segment
+ Matroska: trace is activated for all elements (but report is still
based on the first element met)
+ Matroska: add an intermediate level in the trace for the raw stream
parser
x FLV: potential infinite loop fixed
x #B966, DTS: DTS-HD HR 3840 not detected anymore
x AC-3: wrong sample rate with 32 kHz streams
x #B948, EBUCore 1.6: invalid output due to position of
containerEncoding element
x #B957, MPEG-7 output: No XML encoded value output
```
Some of the original URLs were broken now.
It seems that set of mirrors is preferred and faster than the others.
In the x264 case the source isn't there so http://download.videolan.org
is used instead.
It's the same as openalSoft (same package source and version). I suppose it
contained original Creative open-source OpenAL implementation some time ago, but
then it changed and nobody noticed. It's referenced nowhere, anyway.
CipherScan is a simple way to find out which SSL ciphersuites are
supported by a target.
It can take advantage of the extra features in Peter Mosmans' openssl
fork (which is also included in this commit).
Doing it in an openssl setup hook only works if packages have openssl
as a build input - it doesn't work if they're using a program linked
against openssl.
This will probably be mandatory soon, and is a step in the right
direction. Removes the deprecated meta.version, and move some meta
sections to the end of the file where I should have put them in
the first place.
Once #7701 gets merged, we have another environment variable called
$outputLib, which then points to another environment variable which is
the final library output.
This was brought up in discussion with @lethalman and @vcunat in:
https://github.com/NixOS/nixpkgs/pull/12558#discussion_r50599813
The closure-size branch is not yet merged into master, so this is only
a preparation and we're still falling back to $out and $lib whenever
$outputLib isn't available.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
As the comment needed explanation, that it's about temporary build
files, this should do better.
Thanks again to @lethalman for pointing that out.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
If no config.nix.storeDir has been set, don't fall back to "/nix/store"
but use builtins.storeDir instead so we always should end up with the
correct store path no matter whether config.nix.storeDir has been set.
Thanks to @lethalman for pointing this out.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
After patching up the shared libraries in c420de6 to use absolute paths,
there are still some libraries left which do not get an absolute paths
assigned.
Those libraries are the ones which have an absolute path outside of the
Nix store, so we assume that they're build products of the current build
and make them absolute by prepending "$out/lib" or "$lib/lib" (depending
on whether it's a multiple output derivation or not) to its basename.
So for my test case, the resulting library paths now look like this:
/nix/store/...-libblockdev-1.3/lib/libblockdev.so.0
/nix/store/...-glibc-2.21/lib/libm.so.6
/nix/store/...-dmraid-1.0.0.rc16/lib/libdmraid.so.1.0.0.rc16
/nix/store/...-libblockdev-1.3/lib/libbd_utils.so.0
Which is perfectly fine and everything gets resolved correctly after
importing the library using GI.
However, I didn't test it against other libraries and programs, so this
still needs testing, especially for Darwin.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The gi-r-scanner is generating a list of shared libraries that are
referenced in the shared-library attribute of the <namespace/> element
of the GIR file. However, this attribute only contains the names of the
libraries and not the full store paths, like for example while preparing
to package libblockdev, the following items were included in the
shared-library attribute:
/nix/store/...-libblockdev-1.3/lib/libblockdev.so.0
libm.so.6
libdmraid.so.1.0.0.rc16
libbd_utils.so.0
Unfortunately, loading such a library without setting LD_LIBRARY_PATH is
going to fail finding libm.so.6 and libdmraid.so.1.0.0.rc16.
Now the first attempt at solving this was to put absolute paths of all
the libraries referenced in the shared-library attribute, but this also
led up to including paths of build-time shared objects into that
attribute:
/nix/store/...-libblockdev-1.3/lib/libblockdev.so.0
/nix/store/...-glibc-2.21/lib/libm.so.6
/nix/store/...-dmraid-1.0.0.rc16/lib/libdmraid.so.1.0.0.rc16
/tmp/nix-build-libblockdev-1.3.drv-0/.../utils/.libs/libbd_utils.so.0
This of course is not what we want, so the final solution is to only
use the absolute path whenever it is a Nix path and leave the library
name as-is if the path doesn't reside within the store, like this:
/nix/store/...-libblockdev-1.3/lib/libblockdev.so.0
/nix/store/...-glibc-2.21/lib/libm.so.6
/nix/store/...-dmraid-1.0.0.rc16/lib/libdmraid.so.1.0.0.rc16
libbd_utils.so.0
The downside of this approach is that if not even the output path of the
library is in LD_LIBRARY_PATH, even loading of libbd_utils.so.0 could
fail, so we need to patch the loader as well.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
By default, GPGME tries to search in $PATH for the gpg and gpgconf
binaries. This has the downside, that the library won't work by its own
and needs to have GnuPG in systemPackages or the user environment.
I've stumbled on this while working on one of the dependencies of
nixos-assimilate and nixpart (volume_key), where the testing environment
didn't come with GnuPG in $PATH and thus the tests have failed.
After testing this with a few programs using GPGME, I haven't found any
weird behavior in conjunction with the GnuPG agent.
However one possible implication could be that if the GnuPG used in
$PATH (and the config files in the user's home directory) should be
vastly incompatible, it could lead to failures.
In practice however, the GnuPG1/2 versions pretty much seem to stay
compatible within their major releases so it shouldn't pose a problem.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This patch is directly taken from easytag. id3lib is not maintained any longer
and the last release is 13 years old.
This patch fixes some unicode issues.
Recent illumos includes a linux-incompatible `inotify.h` header, which configure detects: compilation fails.
Also, a newer `dtrace` on SmartOS fails creating the probes ELF linkable object (with `dtrace -G`). Disable for now.
Remove old configure option `--disable-modular-tests`.
Recent illumos includes a linux-incompatible `inotify.h` header, which configure detects: compilation fails.
Also, a newer `dtrace` on SmartOS fails creating the probes ELF linkable object (with `dtrace -G`). Disable for now.
Remove old configure option `--disable-modular-tests`.
Also split out gmock's source so that it can be copied into protobuf's
source. Hopefull this hack can be removed again once gmock is replaced
by gtest.
This does not include python bindings.
Eelco showed alternative way of building static libraries via
stdenv adapter in a conversation several days ago and expressed
concern about adding new enableStatic flags.
