Commit Graph

117 Commits

Author SHA1 Message Date
github-actions[bot]
df465dde1a
Merge master into staging-next 2022-08-16 00:02:25 +00:00
Robert Scott
22c9c6cb71 unbound: add comment clarifying unbound's python support 2022-08-06 17:23:09 +01:00
Robert Scott
62e6c1a561 unbound: add gnutls to passthru.tests 2022-08-06 17:21:45 +01:00
Robert Scott
9d8e6c29d2 python3Packages.pyunbound: inherit patches from unbound if present 2022-08-06 17:21:10 +01:00
ajs124
982f8b6f4e unbound: set myself as maintainer 2022-08-01 17:22:34 +02:00
ajs124
f2298fcf8f unbound: 1.16.0 -> 1.16.2
fixes CVE-2022-30698 and CVE-2022-30699
2022-08-01 17:22:28 +02:00
ajs124
cf32ea06a4 unbound: 1.14.0 -> 1.16.0 2022-06-10 00:14:55 +02:00
github-actions[bot]
fc17fe6417
Merge master into staging-next 2022-04-02 18:01:07 +00:00
Alyssa Ross
fd78240ac8
treewide: use lib.getLib for OpenSSL libraries
At some point, I'd like to make another attempt at
71f1f4884b ("openssl: stop static binaries referencing libs"), which
was reverted in 195c7da07d.  One problem with my previous attempt is
that I moved OpenSSL's libraries to a lib output, but many dependent
packages were hardcoding the out output as the location of the
libraries.  This patch fixes every such case I could find in the tree.
It won't have any effect immediately, but will mean these packages
will automatically use an OpenSSL lib output if it is reintroduced in
future.

This patch should cause very few rebuilds, because it shouldn't make
any change at all to most packages I'm touching.  The few rebuilds
that are introduced come from when I've changed a package builder not
to use variable names like openssl.out in scripts / substitution
patterns, which would be confusing since they don't hardcode the
output any more.

I started by making the following global replacements:

    ${pkgs.openssl.out}/lib -> ${lib.getLib pkgs.openssl}/lib
    ${openssl.out}/lib -> ${lib.getLib openssl}/lib

Then I removed the ".out" suffix when part of the argument to
lib.makeLibraryPath, since that function uses lib.getLib internally.

Then I fixed up cases where openssl was part of the -L flag to the
compiler/linker, since that unambigously is referring to libraries.

Then I manually investigated and fixed the following packages:

 - pycurl
 - citrix-workspace
 - ppp
 - wraith
 - unbound
 - gambit
 - acl2

I'm reasonably confindent in my fixes for all of them.

For acl2, since the openssl library paths are manually provided above
anyway, I don't think openssl is required separately as a build input
at all.  Removing it doesn't make a difference to the output size, the
file list, or the closure.

I've tested evaluation with the OfBorg meta checks, to protect against
introducing evaluation failures.
2022-03-30 15:10:00 +00:00
László Vaskó
66ea96f942 unbound: optionally build the Python module
It works both with Python2 and 3

Example usage: https://github.com/NLnetLabs/pythonunbound
2022-03-16 16:59:57 +01:00
Emery Hemingway
9b84a53ce8 Adjust ehmry maintainership 2022-02-20 08:35:57 -06:00
Martin Weinelt
ba9ecbe329
unbound: 1.13.2 -> 1.14.0 2021-12-13 19:48:28 +01:00
Vladimír Čunát
9a0723cc3f
unbound-full: fix the build again
... by not avoiding openssl dependency in .lib.
dnstap part of code ran into issues with this during checkPhase.

The benefit of withSlimLib is mainly for `unbound`;
for the fuller builds it doesn't seem important.
2021-11-28 15:41:19 +01:00
Alyssa Ross
e07e701515
unbound: don't run tests when cross-compiling
stdenv.mkDerivation will automatically set doCheck to false when
cross-compiling (which is why the default checkPhase doesn't happen).
2021-11-11 12:26:21 +00:00
Alyssa Ross
1103974a27
Revert "unbound: don't run tests when cross compiling"
This reverts commit 28e5327e96.

This change didn't have any effect, because stdenv.mkDerivation will
ignore the doCheck argument when cross-compiling.  The reason tests
are being run when cross-compiling is because of the manual checkPhase
invocation in postFixup.
2021-11-11 12:23:12 +00:00
Bernardo Meurer
28e5327e96
unbound: don't run tests when cross compiling 2021-11-09 20:26:18 -08:00
Bernardo Meurer
3f0160288b
unbound: enable tests 2021-11-05 09:25:57 -07:00
Sandro Jäckel
bf60e5144c
unbound: use lib.optionalString 2021-10-18 16:13:14 +02:00
Poscat
280e7b93be
unbound: enable more features 2021-10-17 15:15:12 +08:00
Vladimír Čunát
70e05c1003
Merge branch 'master' into staging-next 2021-08-25 19:42:15 +02:00
Sandro Jäckel
fc5bfd6844
unbound: unify unbound and pyunbound source
and also update both at the same time
2021-08-23 23:28:31 +02:00
Jan Tojnar
4ff3577f25 Merge branch 'staging-next' into staging 2021-08-23 14:19:54 +02:00
R. RyanTM
cafcfc6045 python38Packages.pyunbound: 1.13.1 -> 1.13.2 2021-08-22 00:16:08 +00:00
davidak
f944bdcffb
Merge pull request #134239 from Kranzes/auto-update/unbound
unbound: 1.13.1 -> 1.13.2
2021-08-19 23:18:55 +02:00
Ilan Joselevich
36e9d30c98 unbound: 1.13.1 -> 1.13.2 2021-08-15 18:54:29 +03:00
github-actions[bot]
c0f81f0ce6
Merge master into staging-next 2021-08-06 12:01:15 +00:00
Sandro Jäckel
a08e1ea7f9
unbound: format, cleanup 2021-08-06 09:17:08 +02:00
github-actions[bot]
a7d7790dd5
Merge master into staging-next 2021-08-06 06:01:01 +00:00
László Vaskó
86621f1fe2 pythonPackages.pyunbound: patchElf only works on linux platform 2021-08-06 00:24:41 +02:00
László Vaskó
fcff510efb pythonPackages.pyunbound: fixing nixpkgs-hammering suggestions
- `swig` is a build tool so it likely goes to `nativeBuildInputs`,
    not `buildInputs`

  - `patchPhase` should not be overridden, use `postPatch` instead

  - `configureFlags` and `installFlags` cannot contain spaces,
    break-up arguments to reflect that they are indeed without spaces

  - `substituteStream()`: WARNING: pattern
    `libdir='/build/unbound-1.13.1/lib/python3.9/site-packages'`
    doesn't match anything in file `_unbound.la`

    Also checked with `strings`, the correct path is present in the binary
2021-08-05 23:58:36 +02:00
László Vaskó
5fe5522a67 pythonPackages.pyunbound: 1.9.3 -> 1.13.1
Updating to get it in-line with `unbound`
2021-08-05 21:26:58 +02:00
László Vaskó
92b4e83245 pythonPackages.pyunbound: fix build
`_unbound.so` references `libunbound.so.8` in its RPATH
2021-08-05 21:15:02 +02:00
Andreas Rammhold
6edbb14e81
unbound: remove references to compile-time dependencies in outputs
Previously unbound dev dependencies would leak into the unbound binary
through the embedded configure flags string in the binary.

Before this commit `unbound -V` would list something like this:

> Version 1.13.1
> Configure line: --disable-static --prefix=/nix/store/1892sms7ciiki99jra4qhmwysaipv1qz-unbound-1.13.1 --bindir=/nix/store/1892sms7ciiki99jra4qhmwysaipv1qz-unbound-1.13.1/bin --sbindir=/nix/store/1892sms7ciiki99jra4qhmwysaipv1qz-unbound-1.13.1/sbin --includedir=/nix/store/1892sms7ciiki99jra4qhmwysaipv1qz-unbound-1.13.1/include --oldincludedir=/nix/store/1892sms7ciiki99jra4qhmwysaipv1qz-unbound-1.13.1/include --mandir=/nix/store/n4kgsi87dxjm2ifpllh31grfcg7q3n8x-unbound-1.13.1-man/share/man --infodir=/nix/store/1892sms7ciiki99jra4qhmwysaipv1qz-unbound-1.13.1/share/info --docdir=/nix/store/1892sms7ciiki99jra4qhmwysaipv1qz-unbound-1.13.1/share/doc/unbound --libdir=/nix/store/ncpggv4bmdh22y6108qrdvnid6rqamlz-unbound-1.13.1-lib/lib --libexecdir=/nix/store/ncpggv4bmdh22y6108qrdvnid6rqamlz-unbound-1.13.1-lib/libexec --localedir=/nix/store/ncpggv4bmdh22y6108qrdvnid6rqamlz-unbound-1.13.1-lib/share/locale --with-ssl=/nix/store/dndqy1r8h0kcnd55895czs8lrpv8xqf4-openssl-1.1.1k-dev --with-libexpat=/nix/store/x5kjng6iha7kcdm3p12fxfvzg09wizwc-expat-2.2.10-dev --with-libevent=/nix/store/89i6mpzp1n866i86y07pxka1a58v4s1a-libevent-2.1.12-dev --localstatedir=/var --sysconfdir=/etc --sbindir=${out}/bin --with-rootkey-file=/nix/store/gyz4nxg9s1faqkhaqbasdxzldm8zial8-dns-root-data-2019-01-11/root.key --enable-pie --enable-relro-now
> Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 1.1.1k  25 Mar 2021
> Linked modules: dns64 respip validator iterator

After this commit:

> Version 1.13.1
> Configure line: --disable-static --prefix=/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-unbound-1.13.1 --bindir=/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-unbound-1.13.1/bin --sbindir=/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-unbound-1.13.1/sbin --includedir=/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-unbound-1.13.1/include --oldincludedir=/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-unbound-1.13.1/include --mandir=/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-unbound-1.13.1-man/share/man --infodir=/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-unbound-1.13.1/share/info --docdir=/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-unbound-1.13.1/share/doc/unbound --libdir=/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-unbound-1.13.1-lib/lib --libexecdir=/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-unbound-1.13.1-lib/libexec --localedir=/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-unbound-1.13.1-lib/share/locale --with-ssl=/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-openssl-1.1.1k-dev --with-libexpat=/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-expat-2.2.10-dev --with-libevent=/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-libevent-2.1.12-dev --localstatedir=/var --sysconfdir=/etc --sbindir=${out}/bin --with-rootkey-file=/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-dns-root-data-2019-01-11/root.key --enable-pie --enable-relro-now
> Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 1.1.1k  25 Mar 2021
> Linked modules: dns64 respip validator iterator

Notice: All the paths are now invalid and thus do not produce a
reference in the output binaries.

This removes a total of 2MiB from the closure of unbound.
2021-06-02 01:56:46 +02:00
Sandro Jäckel
ac309027ab
unbound: wrap unbound-control-setup with openssl 2021-04-24 10:26:40 +02:00
R. RyanTM
a24b40bd40 unbound: 1.13.0 -> 1.13.1 2021-03-20 09:22:21 +01:00
Daniel Nagy
a40f86e390 unbound: optionally support DNS-over-HTTPS
unbound can be used as a DNS-over-HTTPS (DoH) server.

This is a blog post introducing the feature:

https://www.nlnetlabs.nl/news/2020/Oct/08/unbound-1.12.0-released/
2021-02-25 18:37:57 -05:00
Ben Siraphob
8c5d37129f pkgs/tools: stdenv.lib -> lib 2021-01-15 17:12:36 +07:00
Profpatsch
4a7f99d55d treewide: with stdenv.lib; in meta -> with lib;
Part of: https://github.com/NixOS/nixpkgs/issues/108938

meta = with stdenv.lib;

is a widely used pattern. We want to slowly remove
the `stdenv.lib` indirection and encourage people
to use `lib` directly. Thus let’s start with the meta
field.

This used a rewriting script to mostly automatically
replace all occurances of this pattern, and add the
`lib` argument to the package header if it doesn’t
exist yet.

The script in its current form is available at
https://cs.tvl.fyi/depot@2f807d7f141068d2d60676a89213eaa5353ca6e0/-/blob/users/Profpatsch/nixpkgs-rewriter/default.nix
2021-01-11 10:38:22 +01:00
Martin Weinelt
e8959c4660 unbound: 1.12.0 -> 1.13.0
https://lists.nlnetlabs.nl/pipermail/unbound-users/2020-December/007102.html

Fixes: CVE-2020-28935
2020-12-08 05:22:41 +01:00
Ninjatrappeur
5f5d38e88f
Merge pull request #101218 from andir/unbound-systemd 2020-11-08 16:55:29 +01:00
Andreas Rammhold
c07ce093ec
unbound: allow building with systemd support
Systemd has to remain an optional (non-default) dependency as otherwise
we will have an unpleasant bootstrap cycle. Most (if not all) of the
(lib)unbound consumers will likely not care about unbound's systemd
integration that only affects the daemon mode, anyway.
2020-11-03 13:15:53 +01:00
Vladimír Čunát
89023c38fc
Recover the complicated situation after my bad merge
I made a mistake merge.  Reverting it in c778945806 undid the state
on master, but now I realize it crippled the git merge mechanism.
As the merge contained a mix of commits from `master..staging-next`
and other commits from `staging-next..staging`, it got the
`staging-next` branch into a state that was difficult to recover.

I reconstructed the "desired" state of staging-next tree by:
 - checking out the last commit of the problematic range: 4effe769e2
 - `git rebase -i --preserve-merges a8a018ddc0` - dropping the mistaken
   merge commit and its revert from that range (while keeping
   reapplication from 4effe769e2)
 - merging the last unaffected staging-next commit (803ca85c20)
 - fortunately no other commits have been pushed to staging-next yet
 - applying a diff on staging-next to get it into that state
2020-10-26 09:01:04 +01:00
Vladimír Čunát
c778945806
Revert "Merge #101508: libraw: 0.20.0 -> 0.20.2"
I'm sorry; I didn't notice it contained staging commits.

This reverts commit 17f5305b6c, reversing
changes made to a8a018ddc0.
2020-10-25 09:41:51 +01:00
Martin Weinelt
7d2a6beb6d
unbound: 1.11.0 -> 1.12.0 2020-10-09 00:46:40 +02:00
Frederik Rietdijk
377242d587 Merge staging-next into staging 2020-09-03 19:21:10 +02:00
Arthur Gautier
cc1920a109
unbound: disable lto on static builds (PR #96020)
Signed-off-by: Arthur Gautier <baloo@superbaloo.net>

Amended by vcunat (isMusl != isStatic).
https://github.com/NixOS/nixpkgs/pull/96223#issuecomment-681204478
2020-09-01 08:49:31 +02:00
Vladimír Čunát
848a3a4d4a
Revert "unbound: fix build with nettle-3.5"
This reverts commit 96d65875f8.
The fix has been upstreamed a long time ago.
2020-08-29 07:47:41 +02:00
R. RyanTM
73cd1efe6d unbound: 1.10.1 -> 1.11.0 2020-08-02 22:43:22 +02:00
Vladimír Čunát
73390e3349
unbound: 1.10.0 -> 1.10.1 (security)
https://www.nlnetlabs.nl/news/2020/May/19/unbound-1.10.1-released/
It fixes DoS CVEs; details e.g. on http://www.nxnsattack.com/

On each Linux platform this should be around 8k rebuilds,
so as a compromise I'm pushing to staging-next.
2020-05-19 11:00:51 +02:00
Michael Reilly
84cf00f980
treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00