Merge remote-tracking branch 'upstream/master' into HEAD

lib/licenses.nix

@@ -546,12 +546,12 @@ lib.mapAttrs (n: v: v // { shortName = n; }) rec {
     fullName = "zlib License";
   };
 
-  zpt20 = spdx { # FIXME: why zpt* instead of zpl*
+  zpl20 = spdx {
     spdxId = "ZPL-2.0";
     fullName = "Zope Public License 2.0";
   };
 
-  zpt21 = spdx {
+  zpl21 = spdx {
     spdxId = "ZPL-2.1";
     fullName = "Zope Public License 2.1";
   };

nixos/doc/manual/release-notes/rl-1709.xml

@@ -187,6 +187,15 @@ rmdir /var/lib/ipfs/.ipfs
       have therefore been removed.
     </para>
   </listitem>
+  <listitem>
+    <para>
+      The <option>time.timeZone</option> option now allows the value
+      <literal>null</literal> in addition to timezone strings. This value
+      allows changing the timezone of a system imperatively using
+      <command>timedatectl set-timezone</command>. The default timezone
+      is still UTC.
+    </para>
+  </listitem>
 
 </itemizedlist>
 

nixos/modules/services/web-apps/piwik-doc.xml

@@ -23,16 +23,24 @@
       and enter those credentials in your browser.
       You can use passwordless database authentication via the UNIX_SOCKET authentication plugin
       with the following SQL commands:
+
       <programlisting>
+        # For MariaDB
         INSTALL PLUGIN unix_socket SONAME 'auth_socket';
-        ALTER USER root IDENTIFIED VIA unix_socket;
         CREATE DATABASE piwik;
-        CREATE USER 'piwik'@'localhost' IDENTIFIED VIA unix_socket;
+        CREATE USER 'piwik'@'localhost' IDENTIFIED WITH unix_socket;
+        GRANT ALL PRIVILEGES ON piwik.* TO 'piwik'@'localhost';
+
+        # For MySQL
+        INSTALL PLUGIN auth_socket SONAME 'auth_socket.so';
+        CREATE DATABASE piwik;
+        CREATE USER 'piwik'@'localhost' IDENTIFIED WITH auth_socket;
         GRANT ALL PRIVILEGES ON piwik.* TO 'piwik'@'localhost';
       </programlisting>
+
       Then fill in <literal>piwik</literal> as database user and database name, and leave the password field blank.
-      This works with MariaDB and MySQL. This authentication works by allowing only the <literal>piwik</literal> unix
-      user to authenticate as <literal>piwik</literal> database (without needing a password), but no other users.
+      This authentication works by allowing only the <literal>piwik</literal> unix user to authenticate as the 
+      <literal>piwik</literal> database user (without needing a password), but no other users.
       For more information on passwordless login, see
       <link xlink:href="https://mariadb.com/kb/en/mariadb/unix_socket-authentication-plugin/" />.
     </para>

pkgs/applications/audio/cmus/default.nix

@@ -121,6 +121,8 @@ stdenv.mkDerivation rec {
     ++ stdenv.lib.optionals stdenv.isDarwin [ libiconv CoreAudio ]
     ++ concatMap (a: a.deps) opts;
 
+  makeFlags = [ "LD=$(CC)" ];
+
   meta = with stdenv.lib; {
     description = "Small, fast and powerful console music player for Linux and *BSD";
     homepage = https://cmus.github.io/;

pkgs/applications/editors/atom/default.nix

@@ -33,6 +33,9 @@ stdenv.mkDerivation rec {
       $out/share/atom/resources/app/apm/bin/node
 
     find $out/share/atom -name "*.node" -exec patchelf --set-rpath "${atomEnv.libPath}:$out/share/atom" {} \;
+
+    paxmark m $out/share/atom/atom
+    paxmark m $out/share/atom/resources/app/apm/bin/node
   '';
 
   meta = with stdenv.lib; {

pkgs/applications/networking/cluster/minikube/default.nix

@@ -14,15 +14,15 @@ let
   # instead, we download localkube ourselves and shove it into the minikube binary. The versions URL that minikube uses is
   # currently https://storage.googleapis.com/minikube/k8s_releases.json
 
-  localkube-version = "1.6.3";
+  localkube-version = "1.7.0";
   localkube-binary = fetchurl {
     url = "https://storage.googleapis.com/minikube/k8sReleases/v${localkube-version}/localkube-linux-amd64";
-    sha256 = "1fmxxjv1bxrfngc4ykfgg76b79dh8pq0k1gsbzhiy3hhrppfqylm";
+    sha256 = "1pp5bi0bpxxzrshvkv47hqs20jfx3gp1i1p3pw1rvzm5n1fn2q1a";
   };
 in buildGoPackage rec {
   pname   = "minikube";
   name    = "${pname}-${version}";
-  version = "0.20.0";
+  version = "0.21.0";
 
   goPackagePath = "k8s.io/minikube";
 
@@ -30,7 +30,7 @@ in buildGoPackage rec {
     owner  = "kubernetes";
     repo   = "minikube";
     rev    = "v${version}";
-    sha256 = "0bly2phy67x4ckcg46g6r4kqfdpjfs1cb3588a900m8b4xyavvvb";
+    sha256 = "1y72kdrpbxwfzxs9jslcrb2l3xw83z4i7raf5c7sky4wf2nx8vis";
   };
 
   # kubernetes is here only to shut up a loud warning when generating the completions below. minikube checks very eagerly

pkgs/applications/networking/gns3/server.nix

@@ -0,0 +1,37 @@
+{ stdenv, python34Packages, fetchFromGitHub }:
+
+python34Packages.buildPythonPackage rec {
+  name = "${pname}-${version}";
+  pname = "gns3-server";
+  version = "2.0.3";
+
+  src = fetchFromGitHub {
+    owner = "GNS3";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "1c7mzj1r2zh90a7vs3s17jakfp9s43b8nnj29rpamqxvl3qhbdy7";
+  };
+
+  propagatedBuildInputs = with python34Packages; [
+    aiohttp jinja2 psutil zipstream aiohttp-cors raven jsonschema
+  ];
+
+  # Requires network access
+  doCheck = false;
+
+  postInstall = ''
+    rm $out/bin/gns3loopback # For windows only
+  '';
+  meta = with stdenv.lib; {
+    description = "Graphical Network Simulator 3 server";
+    longDescription = ''
+      The GNS3 server manages emulators such as Dynamips, VirtualBox or
+      Qemu/KVM. Clients like the GNS3 GUI control the server using a HTTP REST
+      API.
+    '';
+    homepage = "https://www.gns3.com/";
+    license = licenses.gpl3Plus;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ primeos ];
+  };
+}

pkgs/data/icons/elementary-icon-theme/default.nix

@@ -1,7 +1,7 @@
 { stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
-  version = "4.1.0";
+  version = "4.2.0";
 
   package-name = "elementary-icon-theme";
 
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "https://launchpad.net/elementaryicons/4.x/${version}/+download/${name}.tar.xz";
-    sha256 = "08pkk4299dj442dby15lwxwz7bax5d3828v1f81mbll084k7vssm";
+    sha256 = "0w1l9hlih4ddkdjpha5lsyf6iagv436nhm4aphak8w8jyycg81bm";
   };
 
   dontBuild = true;

pkgs/development/compilers/emscripten-fastcomp/default.nix

@@ -1,7 +1,7 @@
 { stdenv, fetchFromGitHub, cmake, python, ... }:
 
 let
-  rev = "1.37.13";
+  rev = "1.37.16";
   gcc = if stdenv.cc.isGNU then stdenv.cc.cc else stdenv.cc.cc.gcc;
 in
 stdenv.mkDerivation rec {
@@ -10,14 +10,14 @@ stdenv.mkDerivation rec {
   src = fetchFromGitHub {
     owner = "kripken";
     repo = "emscripten-fastcomp";
-    sha256 = "1r4f4d5dmhxqwmpf2psainx7sj1j26fdp5acifdwg4sbbpsv96az";
+    sha256 = "0wj9sc0gciaiidcjv6wb0qn6ks06xds7q34351masc7qpvd217by";
     inherit rev;
   };
 
   srcFL = fetchFromGitHub {
     owner = "kripken";
     repo = "emscripten-fastcomp-clang";
-    sha256 = "1p0108iz77vmzm7i1aa29sk93g5vd95xiwmags18qkr7x3fmfqsw";
+    sha256 = "1akdgxzxhzjbhp4d14ajcrp9jrf39x004a726ly2gynqc185l4j7";
     inherit rev;
   };
 

pkgs/development/compilers/emscripten/default.nix

@@ -3,7 +3,7 @@
 }:
 
 let
-  rev = "1.37.13";
+  rev = "1.37.16";
   appdir = "share/emscripten";
 in
 
@@ -13,7 +13,7 @@ stdenv.mkDerivation {
   src = fetchFromGitHub {
     owner = "kripken";
     repo = "emscripten";
-    sha256 = "0xnr8nq431pksb346fwsbs5knqmcygb8mywzzl0c9nz3ims1vkx5";
+    sha256 = "1qyhjx5zza01vnwmj6qzxbkagxknn4kzb6gw12fqw5q8pa8fy4zy";
     inherit rev;
   };
 

pkgs/development/compilers/jsonnet/default.nix

@@ -1,6 +1,6 @@
 { stdenv, lib, fetchFromGitHub, emscripten }:
 
-let version = "0.8.9"; in
+let version = "0.9.4"; in
 
 stdenv.mkDerivation {
   name = "jsonnet-${version}";
@@ -9,7 +9,7 @@ stdenv.mkDerivation {
     rev = "v${version}";
     owner = "google";
     repo = "jsonnet";
-    sha256 = "0phk8dzby5v60r7fwd1qf4as2jdpmdmksjw3g4p3mkkr7sc81119";
+    sha256 = "1bh9x8d3mxnic31b6gh4drn5l6qpyqfgsn2l48sv0jknhinm1a7l";
   };
 
   buildInputs = [ emscripten ];

pkgs/development/compilers/rust/rustc.nix

@@ -114,8 +114,12 @@ stdenv.mkDerivation {
   dontUseCmakeConfigure = true;
 
   # ps is needed for one of the test cases
-  nativeBuildInputs = [ file python2 procps rustPlatform.rust.rustc git cmake
-    which libffi gdb ];
+  nativeBuildInputs =
+    [ file python2 procps rustPlatform.rust.rustc git cmake
+      which libffi
+    ]
+    # Only needed for the debuginfo tests
+    ++ optional (!stdenv.isDarwin) gdb;
 
   buildInputs = [ ncurses ] ++ targetToolchains
     ++ optional (!forceBundledLLVM) llvmShared;

pkgs/development/compilers/sbcl/default.nix

@@ -9,11 +9,11 @@
 
 stdenv.mkDerivation rec {
   name    = "sbcl-${version}";
-  version = "1.3.19";
+  version = "1.3.20";
 
   src = fetchurl {
     url    = "mirror://sourceforge/project/sbcl/sbcl/${version}/${name}-source.tar.bz2";
-    sha256 = "0660gw43myikpa6n2qjhjxz61ilqazva4v8shljgwymag99risxm";
+    sha256 = "0qhzrl2msdyzqp3165qlh9s6jrif5rddsmj9q50z0bxnaf0330jj";
   };
 
   patchPhase = ''

pkgs/development/compilers/urweb/default.nix

@@ -4,11 +4,11 @@
 
 stdenv.mkDerivation rec {
   name = "urweb-${version}";
-  version = "20170105";
+  version = "20170720";
 
   src = fetchurl {
     url = "http://www.impredicative.com/ur/${name}.tgz";
-    sha256 = "2ad3aea2c4851c9b18f752d38c7127af8293fbbbbdb3dd06b73a4603fe399b67";
+    sha256 = "17qh9mcmlhbv6r52yij8l9ik7j7x6x7c09lf6pznnbdh4sf8p5wb";
   };
 
   buildInputs = [ openssl mlton mysql.client postgresql sqlite ];

pkgs/development/libraries/gnutls/generic.nix

@@ -1,7 +1,7 @@
 { lib, fetchurl, stdenv, zlib, lzo, libtasn1, nettle, pkgconfig, lzip
 , guileBindings, guile, perl, gmp, autogen, libidn, p11_kit, libiconv
 , tpmSupport ? false, trousers, which, nettools, libunistring
-, unbound, dns-root-data
+, unbound, dns-root-data, gettext
 
 # Version dependent args
 , version, src, patches ? [], postPatch ? "", nativeBuildInputs ? []
@@ -41,6 +41,7 @@ stdenv.mkDerivation {
 
   buildInputs = [ lzo lzip libtasn1 libidn p11_kit zlib gmp autogen libunistring unbound ]
     ++ lib.optional (stdenv.isFreeBSD || stdenv.isDarwin) libiconv
+    ++ lib.optional stdenv.isDarwin gettext
     ++ lib.optional (tpmSupport && stdenv.isLinux) trousers
     ++ lib.optional guileBindings guile
     ++ buildInputs;

pkgs/development/libraries/libsodium/default.nix

@@ -1,11 +1,11 @@
 { stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
-  name = "libsodium-1.0.12";
+  name = "libsodium-1.0.13";
 
   src = fetchurl {
     url = "https://download.libsodium.org/libsodium/releases/${name}.tar.gz";
-    sha256 = "159givfh5jgli3cifxgssivkklfyfq6lzyjgrx8h4jx5ncdqyr5q";
+    sha256 = "1z93wfg4k5svg8yck6cgdr6ysj91kbpn03nyzwxanncy3b5sq4ww";
   };
 
   outputs = [ "out" "dev" ];

pkgs/development/libraries/openssl/default.nix

@@ -48,7 +48,8 @@ let
     ] ++ stdenv.lib.optionals withCryptodev [
       "-DHAVE_CRYPTODEV"
       "-DUSE_CRYPTODEV_DIGESTS"
-    ] ++ stdenv.lib.optional enableSSL2 "enable-ssl2";
+    ] ++ stdenv.lib.optional enableSSL2 "enable-ssl2"
+      ++ stdenv.lib.optional (versionAtLeast version "1.1.0" && stdenv.isAarch64) "no-afalgeng";
 
     makeFlags = [ "MANDIR=$(man)/share/man" ];
 

pkgs/development/libraries/qt-5/5.6/qtbase/default.nix

@@ -103,6 +103,8 @@ stdenv.mkDerivation {
   preConfigure = ''
     export LD_LIBRARY_PATH="$PWD/lib:$PWD/plugins/platforms:$LD_LIBRARY_PATH"
     export MAKEFLAGS=-j$NIX_BUILD_CORES
+    # We need to set LD to CXX or otherwise we get nasty compile errors
+    export LD=$CXX
 
     configureFlags+="\
         -plugindir $out/$qtPluginPrefix \
@@ -111,6 +113,8 @@ stdenv.mkDerivation {
 
     NIX_CFLAGS_COMPILE+=" -DNIXPKGS_QT_PLUGIN_PREFIX=\"$qtPluginPrefix\""
     NIX_CFLAGS_COMPILE+=" -DNIXPKGS_QPA_PLATFORM_PLUGIN_PATH=\"''${!outputLib}/$qtPluginPrefix/platforms\""
+
+    unset LD
   '';
 
   prefixKey = "-prefix ";

pkgs/development/python-modules/btrees/default.nix

@@ -16,6 +16,6 @@ buildPythonPackage rec {
   meta = with stdenv.lib; {
     description = "Scalable persistent components";
     homepage = http://packages.python.org/BTrees;
-    license = licenses.zpt21;
+    license = licenses.zpl21;
   };
 }

pkgs/development/python-modules/buildout-nix/default.nix

@@ -15,7 +15,7 @@ buildPythonPackage {
   meta = {
     homepage = http://www.buildout.org;
     description = "A software build and configuration system";
-    license = stdenv.lib.licenses.zpt21;
+    license = stdenv.lib.licenses.zpl21;
     maintainers = [ stdenv.lib.maintainers.goibhniu ];
   };
 }

pkgs/development/python-modules/setuptools/default.nix

@@ -32,7 +32,7 @@ stdenv.mkDerivation rec {
   meta = with stdenv.lib; {
     description = "Utilities to facilitate the installation of Python packages";
     homepage = http://pypi.python.org/pypi/setuptools;
-    license = with licenses; [ psfl zpt20 ];
+    license = with licenses; [ psfl zpl20 ];
     platforms = platforms.all;
     priority = 10;
   };

pkgs/development/python-modules/zc_lockfile/default.nix

@@ -21,7 +21,7 @@ buildPythonPackage rec {
   meta = with stdenv.lib; {
     description = "Inter-process locks";
     homepage =  http://www.python.org/pypi/zc.lockfile;
-    license = licenses.zpt20;
+    license = licenses.zpl20;
     maintainers = with maintainers; [ goibhniu ];
   };
 }

pkgs/development/python-modules/zconfig/default.nix

@@ -24,7 +24,7 @@ buildPythonPackage rec {
   meta = with stdenv.lib; {
     description = "Structured Configuration Library";
     homepage = http://pypi.python.org/pypi/ZConfig;
-    license = licenses.zpt20;
+    license = licenses.zpl20;
     maintainers = [ maintainers.goibhniu ];
   };
 }

pkgs/development/python-modules/zope_interface/default.nix

@@ -19,7 +19,7 @@ buildPythonPackage rec {
   meta = with stdenv.lib; {
     description = "Zope.Interface";
     homepage = http://zope.org/Products/ZopeInterface;
-    license = licenses.zpt20;
+    license = licenses.zpl20;
     maintainers = [ maintainers.goibhniu ];
   };
 }

pkgs/development/python-modules/zope_testrunner/default.nix

@@ -26,7 +26,7 @@ buildPythonPackage rec {
   meta = with stdenv.lib; {
     description = "A flexible test runner with layer support";
     homepage = http://pypi.python.org/pypi/zope.testrunner;
-    license = licenses.zpt20;
+    license = licenses.zpl20;
     maintainers = [ maintainers.goibhniu ];
   };
 }

pkgs/development/tools/phantomjs2/default.nix

@@ -1,6 +1,7 @@
-{ stdenv, fetchgit,
-  bison2, flex, fontconfig, freetype, gperf, icu, openssl, libjpeg, libpng, perl, python, ruby, sqlite,
-  darwin, writeScriptBin, cups
+{ stdenv, fetchFromGitHub, fetchpatch
+, bison2, flex, fontconfig, freetype, gperf, icu, openssl, libjpeg
+, libpng, perl, python, ruby, sqlite, qtwebkit, qmake, qtbase
+, darwin, writeScriptBin, cups
 }:
 
 let
@@ -35,54 +36,54 @@ in stdenv.mkDerivation rec {
   name = "phantomjs-${version}";
   version = "2.1.1";
 
-  # needs git submodules, so can't use fetchFromGitHub
-  src = fetchgit {
-    rev = "refs/tags/${version}";
-    url = "https://github.com/ariya/phantomjs.git";
-    sha256 = "1gyc8qxn8v4vm4lgd9njrprz46fg1j5ziq0mm888q8ms0p7jy2pi";
+  src = fetchFromGitHub {
+    owner = "ariya";
+    repo = "phantomjs";
+    rev = version;
+    sha256 = "1zsbpk1sgh9a16f1a5nx3qvk77ibjn812wqkxqck8n6fia85m5iq";
   };
 
-  buildInputs = [ bison2 flex fontconfig freetype gperf icu openssl libjpeg libpng perl python ruby sqlite ]
-    ++ stdenv.lib.optionals stdenv.isDarwin (with darwin.apple_sdk.frameworks; [
-      AGL ApplicationServices AppKit Cocoa OpenGL
-      darwin.libobjc fakeClang cups
-    ]);
+  nativeBuildInputs = [ qmake ];
+  buildInputs = [
+    bison2 flex fontconfig freetype gperf icu openssl
+    libjpeg libpng perl python ruby sqlite qtwebkit qtbase
+  ] ++ stdenv.lib.optionals stdenv.isDarwin (with darwin.apple_sdk.frameworks; [
+    AGL ApplicationServices AppKit Cocoa OpenGL
+    darwin.libobjc fakeClang cups
+  ]);
 
+  patches = [
+    (fetchpatch {
+      url = "https://anonscm.debian.org/cgit/collab-maint/phantomjs.git/plain/debian/patches/build-hardening.patch?id=42c9154d8c87c9fe434908259b0eddde4d892ca3";
+      sha256 = "1qs1r76w90qgpw742i7lf0y3b7m9zh5wxcbrhrak6mq1kqaphqb5";
+    })
+    (fetchpatch {
+      url = "https://anonscm.debian.org/cgit/collab-maint/phantomjs.git/plain/debian/patches/build-qt-components.patch?id=9b5c1ce95a7044ebffc634f773edf7d4eb9b6cd3";
+      sha256 = "1fw2q59aqcks3abvwkqg9903yif6aivdsznc0h6frhhjvpp19vsb";
+    })
+    (fetchpatch {
+      url = "https://anonscm.debian.org/cgit/collab-maint/phantomjs.git/plain/debian/patches/build-qt55-evaluateJavaScript.patch?id=9b5c1ce95a7044ebffc634f773edf7d4eb9b6cd3";
+      sha256 = "1avig9cfny8kv3s4mf3mdzvf3xlzgyh351yzwc4bkpnjvzv4fmq6";
+    })
+    (fetchpatch {
+      url = "https://anonscm.debian.org/cgit/collab-maint/phantomjs.git/plain/debian/patches/build-qt55-no-websecurity.patch?id=9b5c1ce95a7044ebffc634f773edf7d4eb9b6cd3";
+      sha256 = "1nykqpxa7lcf9iarz5lywgg3v3b1h19iwvjdg4kgq0ai6idhcab8";
+    })
+    (fetchpatch {
+      url = "https://anonscm.debian.org/cgit/collab-maint/phantomjs.git/plain/debian/patches/build-qt55-print.patch?id=9b5c1ce95a7044ebffc634f773edf7d4eb9b6cd3";
+      sha256 = "1fydmdjxnplglpbd3ypaih5l237jkxjirpdhzz92mcpy29yla6jw";
+    })
+    ./system-qtbase.patch
+  ];
 
-  patchPhase = ''
+  postPatch = ''
     patchShebangs .
-    sed -i -e 's|/bin/pwd|pwd|' src/qt/qtbase/configure
-    touch src/qt/{qtbase,qtwebkit,3rdparty}/.git
-  '' + stdenv.lib.optionalString stdenv.isDarwin ''
-    sed -i 's,-licucore,/usr/lib/libicucore.dylib,' src/qt/qtwebkit/Source/WTF/WTF.pri
-    substituteInPlace src/qt/qtwebkit/Tools/qmake/mkspecs/features/features.pri \
-      --replace "ENABLE_3D_RENDERING=1" "ENABLE_3D_RENDERING=0"
-    sed -i 88d src/qt/qtwebkit/Tools/qmake/mkspecs/features/features.prf
-    echo 'CONFIG -= create_cmake' >> src/qt/qtwebkit/Source/api.pri
-    echo 'CONFIG -= create_cmake' >> src/qt/qtwebkit/Source/widgetsapi.pri
-    pushd src/qt
-
-      substituteInPlace qtbase/configure \
-        --replace /usr/bin/xcode-select true \
-        --replace '/usr/bin/xcodebuild -sdk $sdk -version Path 2>/dev/null' 'echo /var/empty' \
-        --replace '/usr/bin/xcrun -sdk $sdk -find' 'type -P'
-      substituteInPlace qtbase/mkspecs/features/mac/default_pre.prf \
-        --replace '/usr/bin/xcode-select --print-path 2>/dev/null' "echo ${stdenv.libc}" \
-        --replace '/usr/bin/xcrun -find xcrun 2>/dev/null' 'echo success' \
-        --replace '/usr/bin/xcodebuild -version' 'echo Xcode 7.2; echo Build version 7C68' \
-        --replace 'sdk rez' ""
-      for file in $(grep -rl /usr/bin/xcrun .); do
-        substituteInPlace "$file" --replace "/usr/bin/xcrun" ${fakeXcrun}/bin/xcrun
-      done
-      substituteInPlace qtbase/src/tools/qlalr/lalr.cpp --replace _Nullable Nullable
-
-    popd
+    substituteInPlace src/phantomjs.pro \
+      --replace "QT_MINOR_VERSION, 5" "QT_MINOR_VERSION, 9"
   '';
 
   __impureHostDeps = stdenv.lib.optional stdenv.isDarwin "/usr/lib/libicucore.dylib";
 
-  buildPhase = "./build.py --confirm -j$NIX_BUILD_CORES";
-
   enableParallelBuilding = true;
 
   installPhase = ''
@@ -99,6 +100,10 @@ in stdenv.mkDerivation rec {
     $out/bin/phantomjs
   '';
 
+  preFixup = ''
+    rm -r ../__nix_qt5__
+  '';
+
   meta = with stdenv.lib; {
     description = "Headless WebKit with JavaScript API";
     longDescription = ''

pkgs/development/tools/phantomjs2/system-qtbase.patch

@@ -0,0 +1,13 @@
+--- a/build.py
++++ b/build.py
+@@ -80,9 +80,9 @@
+ def qmakePath():
+     exe = "qmake"
+     if platform.system() == "Windows":
+         exe += ".exe"
+-    return os.path.abspath("src/qt/qtbase/bin/" + exe)
++    return os.path.abspath("@qtbase@" + exe)
+ 
+ # returns paths for 3rd party libraries (Windows only)
+ def findThirdPartyDeps():
+     include_dirs = []

pkgs/games/anki/default.nix

@@ -7,7 +7,7 @@
 }:
 
 let
-    version = "2.0.36";
+    version = "2.0.46";
     inherit (python2Packages) python wrapPython sqlalchemy pyaudio beautifulsoup httplib2 matplotlib pyqt4;
     qt4 = pyqt4.qt;
 in
@@ -15,10 +15,11 @@ stdenv.mkDerivation rec {
     name = "anki-${version}";
     src = fetchurl {
       urls = [
-        "http://ankisrs.net/download/mirror/${name}.tgz"
-        "http://ankisrs.net/download/mirror/archive/${name}.tgz"
+        "https://apps.ankiweb.net/downloads/current/${name}-source.tgz"
+        # "http://ankisrs.net/download/mirror/${name}.tgz"
+        # "http://ankisrs.net/download/mirror/archive/${name}.tgz"
       ];
-      sha256 = "070p0jmx6cy7kp9bfcgpgkzpyqkcj81wy8gmacns03n5rlq8487v";
+      sha256 = "01h51rbnj0r6lmjnn2vzxzaf7mxkc0azmg1v4mvf4pkpsp50a7hr";
     };
 
     pythonPath = [ pyqt4 sqlalchemy pyaudio beautifulsoup httplib2 ]

pkgs/games/anki/fix-paths.patch

@@ -1,7 +1,6 @@
-diff -Nurp anki-2.0.33.orig/anki/lang.py anki-2.0.33/anki/lang.py
---- anki-2.0.33.orig/anki/lang.py	2015-12-27 11:23:02.334908723 +0100
-+++ anki-2.0.33/anki/lang.py	2015-12-27 14:06:00.688003103 +0100
-@@ -71,13 +71,7 @@ def ngettext(single, plural, n):
+--- anki-2.0.46/anki/lang.py.orig	2017-08-06 15:30:10.781419237 +0200
++++ anki-2.0.46/anki/lang.py	2017-08-06 15:31:33.023043036 +0200
+@@ -71,15 +71,7 @@
      return localTranslation().ungettext(single, plural, n)
  
  def langDir():
@@ -11,6 +10,8 @@ diff -Nurp anki-2.0.33.orig/anki/lang.py anki-2.0.33/anki/lang.py
 -        dir = os.path.join(os.path.dirname(sys.argv[0]), "locale")
 -    if not os.path.isdir(dir):
 -        dir = "/usr/share/anki/locale"
+-    if not os.path.isdir(dir):
+-        dir = "/usr/local/share/anki/bin/locale"
 -    return dir
 +    return "@anki@/share/locale"
  

pkgs/os-specific/linux/kernel/hardened-config.nix

@@ -5,6 +5,8 @@
 # Dangerous features that can be permanently (for the boot session) disabled at
 # boot via sysctl or kernel cmdline are left enabled here, for improved
 # flexibility.
+#
+# See also <nixos/modules/profiles/hardened.nix>
 
 { stdenv, version }:
 
@@ -13,42 +15,8 @@ with stdenv.lib;
 assert (versionAtLeast version "4.9");
 
 ''
-GCC_PLUGINS y # Enable gcc plugin options
-
-${optionalString (versionAtLeast version "4.11") ''
-  GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
-''}
-
-DEBUG_WX y # A one-time check for W+X mappings at boot; doesn't do anything beyond printing a warning
-
-${optionalString (versionAtLeast version "4.10") ''
-  BUG_ON_DATA_CORRUPTION y # BUG if kernel struct validation detects corruption
-''}
-
-# Additional validation of commonly targetted structures
-DEBUG_CREDENTIALS y
-DEBUG_NOTIFIERS y
-DEBUG_LIST y
-DEBUG_SG y
-
-HARDENED_USERCOPY y # Bounds check usercopy
-
-# Wipe on free with page_poison=1
-PAGE_POISONING y
-PAGE_POISONING_NO_SANITY y
-PAGE_POISONING_ZERO y
-
-CC_STACKPROTECTOR_REGULAR n
-CC_STACKPROTECTOR_STRONG y
-
-# Stricter /dev/mem
-STRICT_DEVMEM y
-IO_STRICT_DEVMEM y
-
-# Disable various dangerous settings
-ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
-PROC_KCORE n # Exposes kernel text image layout
-INET_DIAG n # Has been used for heap based attacks in the past
+# Report BUG() conditions and kill the offending process.
+BUG y
 
 ${optionalString (stdenv.system == "x86_64-linux") ''
   DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory
@@ -56,8 +24,69 @@ ${optionalString (stdenv.system == "x86_64-linux") ''
   # Reduce attack surface by disabling various emulations
   IA32_EMULATION n
   X86_X32 n
+  MODIFY_LDT_SYSCALL? n
 
   VMAP_STACK y # Catch kernel stack overflows
+
+  # Randomize position of kernel and memory.
+  RANDOMIZE_BASE y
+  RANDOMIZE_MEMORY y
+
+  # Disable legacy virtual syscalls by default (modern glibc use vDSO instead).
+  #
+  # Note that the vanilla default is to *emulate* the legacy vsyscall mechanism,
+  # which is supposed to be safer than the native variant (wrt. ret2libc), so
+  # disabling it mainly helps reduce surface.
+  LEGACY_VSYSCALL_NONE y
 ''}
 
+# Safer page access permissions (wrt. code injection).  Default on >=4.11.
+${optionalString (versionOlder version "4.11") ''
+  DEBUG_RODATA y
+  DEBUG_SET_MODULE_RONX y
+''}
+
+DEBUG_WX y # boot-time warning on RWX mappings
+
+# Stricter /dev/mem
+STRICT_DEVMEM y
+IO_STRICT_DEVMEM y
+
+# Perform additional validation of commonly targeted structures.
+DEBUG_CREDENTIALS y
+DEBUG_NOTIFIERS y
+DEBUG_LIST y
+DEBUG_SG y
+SCHED_STACK_END_CHECK y
+BUG_ON_DATA_CORRUPTION y
+
+# Perform usercopy bounds checking.
+HARDENED_USERCOPY y
+
+# Randomize allocator freelists.
+SLAB_FREELIST_RANDOM y
+
+# Wipe higher-level memory allocations on free() with page_poison=1
+PAGE_POISONING y
+PAGE_POISONING_NO_SANITY y
+PAGE_POISONING_ZERO y
+
+# Reboot devices immediately if kernel experiences an Oops.
+PANIC_ON_OOPS y
+PANIC_TIMEOUT -1
+
+GCC_PLUGINS y # Enable gcc plugin options
+
+${optionalString (versionAtLeast version "4.11") ''
+  GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
+''}
+
+# Disable various dangerous settings
+ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
+PROC_KCORE n # Exposes kernel text image layout
+INET_DIAG n # Has been used for heap based attacks in the past
+
+# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
+CC_STACKPROTECTOR_REGULAR n
+CC_STACKPROTECTOR_STRONG y
 ''

pkgs/os-specific/linux/kernel/linux-4.12.nix

@@ -1,12 +1,12 @@
 { stdenv, hostPlatform, fetchurl, perl, buildLinux, ... } @ args:
 
 import ./generic.nix (args // rec {
-  version = "4.12.4";
+  version = "4.12.5";
   extraMeta.branch = "4.12";
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "1jasxw8ifkklyfmp0avh53zjymgqwybaz3cmh9l5ydss3xgxfw7l";
+    sha256 = "1833ibdb13dbg5xmf500bxkin8ng4yav3l5qvfilj0v4ygjlhlbi";
   };
 
   kernelPatches = args.kernelPatches;

pkgs/os-specific/linux/kernel/linux-hardened-copperhead.nix

@@ -1,15 +1,15 @@
 { stdenv, hostPlatform, fetchFromGitHub, perl, buildLinux, ... } @ args:
 
 let
-  version = "4.12.4";
+  version = "4.12.5";
   revision = "a";
-  sha256 = "1c6fin95ppl7lj09vr3vxfwxgf3db15wyncvq07b675fpkdx0nnx";
+  sha256 = "03cyh9fsbd95gdd477k1jmk3f9aj5dnw5wr8041y51v8f63vzbpk";
 in
 
 import ./generic.nix (args // {
   version = "${version}-${revision}";
   extraMeta.branch = "4.12";
-  modDirVersion = "${version}";
+  modDirVersion = "${version}-hardened";
 
   src = fetchFromGitHub {
     inherit sha256;

pkgs/os-specific/linux/kernel/patches.nix

@@ -156,4 +156,9 @@ rec {
         sha256 = "10dmv3d3gj8rvj9h40js4jh8xbr5wyaqiy0kd819mya441mj8ll2";
       };
     };
+
+  tag_hardened = rec {
+    name = "tag-hardened";
+    patch = ./tag-hardened.patch;
+  };
 }

pkgs/os-specific/linux/kernel/tag-hardened.patch

@@ -0,0 +1,7 @@
+diff --git a/localversion-hardened b/localversion-hardened
+new file mode 100644
+index 0000000000..e578045860
+--- /dev/null
++++ b/localversion-hardened
+@@ -0,0 +1 @@
++-hardened

pkgs/shells/grml-zsh-config/default.nix

@@ -1,15 +1,17 @@
-{ stdenv, fetchurl, lib
+{ stdenv, fetchFromGitHub, lib
 , zsh, coreutils, inetutils, procps, txt2tags }:
 
 with lib;
 
 stdenv.mkDerivation rec {
   name = "grml-zsh-config-${version}";
-  version = "0.12.4";
+  version = "0.14.2";
 
-  src = fetchurl {
-    url = "http://deb.grml.org/pool/main/g/grml-etc-core/grml-etc-core_${version}.tar.gz";
-    sha256 = "1cbedc41e32787c37c2ed546355a26376dacf2ae1fab9551c9ace3e46d236b72";
+  src = fetchFromGitHub {
+    owner = "grml";
+    repo = "grml-etc-core";
+    rev = "v${version}";
+    sha256 = "1xvv2mnkfqa657w8y4q2zrchhindngdzij9fbalcg1gggz4zdwcm";
   };
 
   buildInputs = [ zsh coreutils inetutils procps txt2tags ];
@@ -33,6 +35,6 @@ stdenv.mkDerivation rec {
     homepage = http://grml.org/zsh/;
     license = licenses.gpl2;
     platforms = platforms.linux;
-    maintainers = [ maintainers.msteen ];
+    maintainers = with maintainers; [ msteen rvolosatovs ];
   };
 }

pkgs/shells/oil/default.nix

@@ -0,0 +1,36 @@
+{ stdenv, lib, fetchurl, coreutils }:
+let
+  version = "0.0.0";
+in
+stdenv.mkDerivation {
+  name = "oil-${version}";
+
+  src = fetchurl {
+    url = "https://www.oilshell.org/download/oil-${version}.tar.xz";
+    sha256 = "1mvyvvzw149piwa7xdl3byyn7h31p4cnrf3w9dxr5qfd9vc4gmsm";
+  };
+
+  postPatch = ''
+    patchShebangs build
+  '';
+
+  preInstall = ''
+    mkdir -p $out/bin
+  '';
+
+  # Stripping breaks the bundles by removing the zip file from the end.
+  dontStrip = true;
+
+  meta = {
+    homepage = https://www.oilshell.org/;
+
+    description = "A new unix shell, still in its early stages";
+
+    license = with lib.licenses; [
+      psfl # Includes a portion of the python interpreter and standard library
+      asl20 # Licence for Oil itself
+    ];
+
+    maintainers = with lib.maintainers; [ lheckemann ];
+  };
+}

pkgs/tools/compression/pigz/default.nix

@@ -1,16 +1,18 @@
 { stdenv, fetchurl, zlib, utillinux }:
 
 let name = "pigz";
-    version = "2.3.3";
+    version = "2.3.4";
 in
 stdenv.mkDerivation {
   name = name + "-" + version;
 
   src = fetchurl {
     url = "http://www.zlib.net/${name}/${name}-${version}.tar.gz";
-    sha256 = "172hdf26k4zmm7z8md7nl0dph2a7mhf3x7slb9bhfyff6as6g2sf";
+    sha256 = "16lgbjzzfx0k4a1znsw8kq3lnkx17gw93zq2sn01sny11fj1y0vg";
   };
 
+  enableParallelBuilding = true;
+
   buildInputs = [zlib] ++ stdenv.lib.optional stdenv.isLinux utillinux;
 
   doCheck = stdenv.isLinux;

pkgs/tools/networking/dnscrypt-proxy/default.nix

@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
     sha256 = "1dhvklr4dg2vlw108n11xbamacaryyg3dbrg629b76lp7685p7z8";
   };
 
+  enableParallelBuilding = true;
+
   configureFlags = optional stdenv.isLinux "--with-systemd";
 
   nativeBuildInputs = [ pkgconfig ];

pkgs/tools/networking/par2cmdline/default.nix

@@ -2,19 +2,19 @@
 
 stdenv.mkDerivation rec {
   name    = "par2cmdline-${version}";
-  version = "0.6.13";
+  version = "0.7.3";
 
   src = fetchFromGitHub {
     owner = "Parchive";
     repo = "par2cmdline";
     rev = "v${version}";
-    sha256 = "0jxixkc8vid933nph2mvhgz58my42kwjlzbir38hml2xrzq00d8f";
+    sha256 = "1hkb1brz70p79rv7dlzhnl1invjmkll81rcpnhwvafv1yriklfai";
   };
 
   nativeBuildInputs = [ autoreconfHook ];
 
   meta = with stdenv.lib; {
-    homepage = https://github.com/BlackIkeEagle/par2cmdline;
+    homepage = https://github.com/Parchive/par2cmdline;
     description = "PAR 2.0 compatible file verification and repair tool";
     longDescription = ''
       par2cmdline is a program for creating and using PAR2 files to detect

pkgs/tools/security/vulnix/requirements.nix

@@ -22,7 +22,7 @@ rec {
     ]);
 
     meta = with stdenv.lib; {
-      license = licenses.zpt21;
+      license = licenses.zpl21;
       description = "Zope Object Database: object database and persistence";
     };
   };
@@ -40,7 +40,7 @@ rec {
       mock
     ];
     meta = with stdenv.lib; {
-      license = licenses.zpt21;
+      license = licenses.zpl21;
       description = "Transaction management for Python";
     };
   };

pkgs/top-level/all-packages.nix

@@ -5106,6 +5106,8 @@ with pkgs;
 
   oh = callPackage ../shells/oh { };
 
+  oil = callPackage ../shells/oil { };
+
   pash = callPackage ../shells/pash { };
 
   tcsh = callPackage ../shells/tcsh { };
@@ -7140,7 +7142,7 @@ with pkgs;
 
   phantomjs = callPackage ../development/tools/phantomjs { };
 
-  phantomjs2 = callPackage ../development/tools/phantomjs2 { };
+  phantomjs2 = libsForQt5.callPackage ../development/tools/phantomjs2 { };
 
   pmccabe = callPackage ../development/tools/misc/pmccabe { };
 
@@ -8039,6 +8041,7 @@ with pkgs;
   mpir = callPackage ../development/libraries/mpir {};
 
   gns3-gui = callPackage ../applications/networking/gns3/gui.nix { };
+  gns3-server = callPackage ../applications/networking/gns3/server.nix { };
 
   gobjectIntrospection = callPackage ../development/libraries/gobject-introspection {
     nixStoreDir = config.nix.storeDir or builtins.storeDir;
@@ -12042,10 +12045,11 @@ with pkgs;
       kernelPatches.p9_fixes
       kernelPatches.modinst_arg_list_too_long
       kernelPatches.cpu-cgroup-v2."4.11"
+      kernelPatches.tag_hardened
     ];
     extraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
       inherit stdenv;
-      inherit (linux) version;
+      inherit (linux_hardened_copperhead) version;
     };
   };
 

pkgs/top-level/python-packages.nix

@@ -292,13 +292,23 @@ in {
 
   aiofiles = callPackage ../development/python-modules/aiofiles { };
 
-  aiohttp = buildPythonPackage rec {
+  aiohttp =
+  let yarl_0_9_8 = self.yarl.overrideAttrs (old: rec {
+    pname = "yarl";
+    version = "0.9.8";
+    name = "${pname}-${version}";
+    src = pkgs.fetchurl {
+      url = "mirror://pypi/${builtins.substring 0 1 pname}/${pname}/${name}.tar.gz";
+      sha256 = "1v2dsmr7bqp0yx51pwhbxyvzza8m2f88prsnbd926mi6ah38p0d7";
+    };
+  });
+  in buildPythonPackage rec {
     name = "aiohttp-${version}";
-    version = "1.1.6";
+    version = "1.3.5";
 
     src = pkgs.fetchurl {
       url = "mirror://pypi/a/aiohttp/${name}.tar.gz";
-      sha256 = "0742feb9759a5832aa4a30abf64e53055e139ed41e26f79b9558d08e05c74d60";
+      sha256 = "0hpqdiaifgyfqmxkyzwypwvrnvz5rqzgzylzhihfidc5ldfs856d";
     };
 
     disabled = pythonOlder "3.4";
@@ -306,15 +316,40 @@ in {
     doCheck = false; # Too many tests fail.
 
     buildInputs = with self; [ pytest gunicorn pytest-raisesregexp ];
-    propagatedBuildInputs = with self; [ async-timeout chardet multidict yarl ];
+    propagatedBuildInputs = with self; [ async-timeout chardet multidict yarl_0_9_8 ];
 
     meta = {
-      description = "http client/server for asyncio";
+      description = "Http client/server for asyncio";
       license = with licenses; [ asl20 ];
       homepage = https://github.com/KeepSafe/aiohttp/;
     };
   };
 
+  aiohttp-cors = buildPythonPackage rec {
+    name = "${pname}-${version}";
+    pname = "aiohttp-cors";
+    # 0.5.3 is the current version but gns3-server requires 0.5.1
+    version = "0.5.1";
+
+    src = pkgs.fetchurl {
+      url = "mirror://pypi/a/${pname}/${name}.tar.gz";
+      sha256 = "0szma27ri25fq4nwwvs36myddggw3jz4pyzmq63yz4xpw0jjdxck";
+    };
+
+    # Requires network access
+    doCheck = false;
+
+    propagatedBuildInputs = with self; [ zodb3 aiohttp ]
+      ++ optional (pythonOlder "3.5") typing;
+
+    meta = {
+      description = "CORS support for aiohttp";
+      homepage = "https://github.com/aio-libs/aiohttp-cors";
+      license = licenses.asl20;
+      maintainers = with maintainers; [ primeos ];
+    };
+  };
+
   alabaster = callPackage ../development/python-modules/alabaster {};
 
   alembic = callPackage ../development/python-modules/alembic {};
@@ -2582,7 +2617,7 @@ in {
    meta = {
       homepage = "http://www.buildout.org";
       description = "A software build and configuration system";
-      license = licenses.zpt21;
+      license = licenses.zpl21;
       maintainers = with maintainers; [ garbas ];
     };
   };
@@ -12551,7 +12586,7 @@ in {
     meta = {
       description = "A documentation builder";
       homepage = http://pypi.python.org/pypi/manuel;
-      license = licenses.zpt20;
+      license = licenses.zpl20;
     };
   };
 
@@ -17273,7 +17308,7 @@ in {
     doCheck = false;
     meta = {
       description = "PostgreSQL database adapter for the Python programming language";
-      license = with licenses; [ gpl2 zpt20 ];
+      license = with licenses; [ gpl2 zpl20 ];
     };
   };
 
@@ -21323,7 +21358,7 @@ in {
     meta = {
       description = "Simple generic functions";
       homepage = http://cheeseshop.python.org/pypi/simplegeneric;
-      license = licenses.zpt21;
+      license = licenses.zpl21;
     };
   };
 
@@ -23573,7 +23608,7 @@ in {
     meta = {
       description = "Transaction management";
       homepage = http://pypi.python.org/pypi/transaction;
-      license = licenses.zpt20;
+      license = licenses.zpl20;
     };
   };
 
@@ -23611,7 +23646,7 @@ in {
      meta = {
        description = "A tool which computes a dependency graph between active Python eggs";
        homepage = http://thomas-lotze.de/en/software/eggdeps/;
-       license = licenses.zpt20;
+       license = licenses.zpl20;
      };
    };
 
@@ -24781,7 +24816,7 @@ EOF
     meta = {
       description = "A daemon process control library and tools for Unix-based systems";
       homepage = http://pypi.python.org/pypi/zdaemon;
-      license = licenses.zpt20;
+      license = licenses.zpl20;
       maintainers = with maintainers; [ goibhniu ];
     };
   };
@@ -24817,6 +24852,26 @@ EOF
     };
   });
 
+  zipstream = buildPythonPackage rec {
+    name = "${pname}-${version}";
+    pname = "zipstream";
+    version = "1.1.4";
+
+    src = pkgs.fetchurl {
+      url = "mirror://pypi/z/${pname}/${name}.tar.gz";
+      sha256 = "01im5anqdyggmwkigqcjg0qw2a5bnn84h33mfaqjjd69a28lpwif";
+    };
+
+    buildInputs = with self; [ nose ];
+
+    meta = {
+      description = "A zip archive generator";
+      homepage = "https://github.com/allanlei/python-zipstream";
+      license = licenses.gpl3Plus;
+      maintainers = with maintainers; [ primeos ];
+    };
+  };
+
   zodb3 = buildPythonPackage rec {
     name = "zodb3-${version}";
     version = "3.11.0";
@@ -24832,7 +24887,7 @@ EOF
     meta = {
       description = "An object-oriented database for Python";
       homepage = http://pypi.python.org/pypi/ZODB3;
-      license = licenses.zpt20;
+      license = licenses.zpl20;
       maintainers = with maintainers; [ goibhniu ];
     };
   };
@@ -24854,12 +24909,13 @@ EOF
     preCheck = if isPy3k then ''
       # test failure on py3.4
       rm src/ZODB/tests/testDB.py
+      rm src/ZODB/tests/test_fsdump.py # Error with Python 3.6
     '' else "";
 
     meta = {
       description = "An object-oriented database for Python";
       homepage = http://pypi.python.org/pypi/ZODB;
-      license = licenses.zpt20;
+      license = licenses.zpl20;
       maintainers = with maintainers; [ goibhniu ];
     };
   };
@@ -25065,7 +25121,7 @@ EOF
     meta = {
       description = "An event publishing system";
       homepage = http://pypi.python.org/pypi/zope.event;
-      license = licenses.zpt20;
+      license = licenses.zpl20;
       maintainers = with maintainers; [ goibhniu ];
     };
   };
@@ -25088,7 +25144,7 @@ EOF
      meta = {
        description = "Exception interfaces and implementations";
        homepage = http://pypi.python.org/pypi/zope.exceptions;
-       license = licenses.zpt20;
+       license = licenses.zpl20;
        maintainers = with maintainers; [ goibhniu ];
      };
    };
@@ -25308,7 +25364,7 @@ EOF
     meta = {
       description = "Zope testing helpers";
       homepage =  http://pypi.python.org/pypi/zope.testing;
-      license = licenses.zpt20;
+      license = licenses.zpl20;
       maintainers = with maintainers; [ goibhniu ];
     };
   };