* treewide Drop unneeded go 1.12 overrides
* Fix packr to be go module compatible.
I updated to version 2.8.0 which is the latest on master.
Then due to the 2 different sets of go modules which are used, I split
the build into two different derivations, then merged them togethor
using symlinkJoin to have the same output structure as the existing derivation.
* Remove consul dependency on go1.12
I updated the consul version to 1.7.2 and flipped it to building using
modules.
* Remove go1.12 from perkeep.
Update the version to the latest unstable on master.
* Update scaleway-cli to not be pinned to go1.12
Switched the version to 1.20
* Update prometheus-varnish-exporter to not depend on go1.12
* Update lnd to build with go1.12
Updated the version
Forced only building subpackages with main to prevent panics over
multiple modules in one repo
* Remove go1.12 from openshift
Had to update the version to 4.1.0 and do a bit of munging to get this
to work
* Remove go1.12 completely.
These are no longer needed.
* Update bazel-watcher and make it build with go 1.14
The command module references the tests, and since all command modules
get imported at startup, dbaafbbf73
turned it into a startup crash.
Unless you're actively hacking on gsutil, this command isn't much use,
so we're better off without it.
The update checking mechanism references the tests, and thus
dbaafbbf73 turned it into a crash at
startup.
It isn't much use in nixpkgs, so we're better off without it.
Changes the default fetcher in the Rust Platform to be the newer
`fetchCargoTarball`, and changes every application using the current default to
instead opt out.
This commit does not change any hashes or cause any rebuilds. Once integrated,
we will start deleting the opt-outs and recomputing hashes.
See #79975 for details.
This reverts commit a1eacb900e.
Adding dev outputs to python packages means they can't be included in
a Python environment created with python3.withPackages, because
makePythonPath will include the dev output, which is empty apart from
nix-support, rather than the out output, which contains all the Python
code.
Traceback (most recent call last):
File "/nix/store/8qkdlyv2ckrimvi50qvl0anzv66jcp2j-python-swiftclient-3.6.0/bin/.swift-wrapped", line 7, in <module>
from swiftclient.shell import main
File "/nix/store/8qkdlyv2ckrimvi50qvl0anzv66jcp2j-python-swiftclient-3.6.0/lib/python3.7/site-packages/swiftclient/__init__.py", line 20, in <module>
from .client import * # noqa
File "/nix/store/8qkdlyv2ckrimvi50qvl0anzv66jcp2j-python-swiftclient-3.6.0/lib/python3.7/site-packages/swiftclient/client.py", line 33, in <module>
from swiftclient import version as swiftclient_version
File "/nix/store/8qkdlyv2ckrimvi50qvl0anzv66jcp2j-python-swiftclient-3.6.0/lib/python3.7/site-packages/swiftclient/version.py", line 15, in <module>
import pkg_resources
ModuleNotFoundError: No module named 'pkg_resources'
This addresses the following security issues:
* CVE-2019-14846 - Several Ansible plugins could disclose aws
credentials in log files. inventory/aws_ec2.py, inventory/aws_rds.py,
lookup/aws_account_attribute.py, and lookup/aws_secret.py,
lookup/aws_ssm.py use the boto3 library from the Ansible process. The
boto3 library logs credentials at log level DEBUG. If Ansible's
logging was enabled (by setting LOG_PATH to a value) Ansible would set
the global log level to DEBUG. This was inherited by boto and would
then log boto credentials to the file specified by LOG_PATH. This did
not affect aws ansible modules as those are executed in a separate
process. This has been fixed by switching to log level INFO
* Convert CLI provided passwords to text initially, to prevent unsafe
context being lost when converting from bytes->text during post
processing of PlayContext. This prevents CLI provided passwords from
being incorrectly templated (CVE-2019-14856)
* properly hide parameters marked with no_log in suboptions when
invalid parameters are passed to the module (CVE-2019-14858)
* resolves CVE-2019-10206, by avoiding templating passwords from
prompt as it is probable they have special characters.
* Handle improper variable substitution that was happening in
safe_eval, it was always meant to just do 'type enforcement' and have
Jinja2 deal with all variable interpolation. Also see CVE-2019-10156
Changelog: 9bdb89f740/changelogs/CHANGELOG-v2.6.rst
This fixes the following security issues:
* Ansible: Splunk and Sumologic callback plugins leak sensitive data
in logs (CVE-2019-14864)
* CVE-2019-14846 - Several Ansible plugins could disclose aws
credentials in log files. inventory/aws_ec2.py, inventory/aws_rds.py,
lookup/aws_account_attribute.py, and lookup/aws_secret.py,
lookup/aws_ssm.py use the boto3 library from the Ansible process. The
boto3 library logs credentials at log level DEBUG. If Ansible's
logging was enabled (by setting LOG_PATH to a value) Ansible would set
the global log level to DEBUG. This was inherited by boto and would
then log boto credentials to the file specified by LOG_PATH. This did
not affect aws ansible modules as those are executed in a separate
process. This has been fixed by switching to log level INFO
* Convert CLI provided passwords to text initially, to prevent unsafe
context being lost when converting from bytes->text during post
processing of PlayContext. This prevents CLI provided passwords from
being incorrectly templated (CVE-2019-14856)
* properly hide parameters marked with no_log in suboptions when invalid
parameters are passed to the module (CVE-2019-14858)
* resolves CVE-2019-10206, by avoiding templating passwords from
prompt as it is probable they have special characters.
* Handle improper variable substitution that was happening in
safe_eval, it was always meant to just do 'type enforcement' and have
Jinja2 deal with all variable interpolation. Also see CVE-2019-10156
Changelog: 0623dedf2d/changelogs/CHANGELOG-v2.7.rst (v2-7-15)
tigervnc ships vncserver, quote from the documentation:
vncserver - a wrapper script which makes starting Xvnc more convenient vncserver requires Perl.
This override to the old 1.x version of `prompt_toolkit` appears to be
unnecessary; removing it does not change the hash of `awscli`.
In a follow-up, we could likely remove the RSA override as well, if we're OK
with patching out the `setup.cfg` requirements. This dropped support for some
old modules, but appears to not break API compatibility otherwise:
https://github.com/sybrenstuvel/python-rsa/blob/master/CHANGELOG.md#version-40---released-2018-09-16
Without providers (also called plugins) pulumi doesn't do much. The way
they work, if you want to use a provider, pulimi will look for it in
your PATH, and if not found it will download it. Providers are just
executables, but third party binaries usually don't work on nixos unless
they are patched with the patchelf utility. Because of that, I'm
installing some patched providers with the main pulumi binary.
I'm also adding a small script helper to generate the hashes for all the
binaries.