This contribution pulls in the patch fixing CVE-2020-35476.
The fix is also included in the 2.4.1 version but the upgrade requires
more work: a tarball with all the third-party tools is no longer provided.
The build process attempts to get them during the build, which fails.
https://github.com/advisories/GHSA-hv53-q76c-7f8c

Noticed the problem on a never-disappearing diff reported by:
$ ./maintainers/scripts/rebuild-amount.sh --print HEAD
Estimating rebuild amount by counting changed Hydra jobs.
1 x86_64-linux
basex.x86_64-linux /nix/store/5ng...-basex-9.4.3
Before the change local non-store path was used:
$ nix-build -A basex; fgrep -R Icon result/
result/share/applications/basex.desktop:Icon=/home/.../tools/text/xml/basex/basex.svg
After the change the file got into store as expected:
$ nix-build -A basex; fgrep -R Icon result/
result/share/applications/basex.desktop:Icon=/nix/store/...-basex.svg

This is somewhat of a hack, and other packages are certainly affected by
this issue (e.g. assh runs into it in some cgo code), but at least this
documents a workaround in-tree and gets one more package building now.

For example BANNER_TIMEOUT can be overridden like:
```
ipxe.overrideArgs(old: {
enableOptions = old.enableOptions ++ [ "BANNER_TIMEOUT 100" ];
});
```
Signed-off-by: Arthur Gautier <baloo@superbaloo.net>

The build failure here is not due to Apple Silicon per se but instead
an artifact of the aarch64-darwin toolchain using a newer version of the
Xcode SDK as a basis. This causes issues building on case-insensitive
filesystems due to the collision between the standard <version> header
and a mosh source file called VERSION.
Fix with a MacPorts backport of an upstream mosh commit, via Homebrew.
Homebrew carries a patch that has been sent upstream. Since it's
designed to be suitable for inclusion as-is and strictly improves
correctness, we just apply it unconditionally on all platforms.

I currently do not have much time to work on nixpkgs. Remove
myself as a maintainer from a bunch of packages to avoid that
people are waiting on me for a review.