diff --git a/doc/languages-frameworks/python.md b/doc/languages-frameworks/python.md index 19f241fb185a..0c7e521b11ee 100644 --- a/doc/languages-frameworks/python.md +++ b/doc/languages-frameworks/python.md @@ -641,6 +641,19 @@ community to help save time. No tool is preferred at the moment. - [pypi2nix](https://github.com/garbas/pypi2nix) by Rok Garbas - [pypi2nix](https://github.com/offlinehacker/pypi2nix) by Jaka Hudoklin +### Deterministic builds + +Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly. +Minor modifications had to be made to the interpreters in order to generate +deterministic bytecode. This has security implications and is relevant for +those using Python in a `nix-shell`. + +When the environment variable `DETERMINISTIC_BUILD` is set, all bytecode will have timestamp 1. +The `buildPythonPackage` function sets `DETERMINISTIC_BUILD` as well as +[PYTHONHASHSEED](https://docs.python.org/3.5/using/cmdline.html#envvar-PYTHONHASHSEED). +Both are also exported in `nix-shell`. + + ## FAQ ### How can I install a working Python environment? diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml index e9d3a65e3ba0..cea8b93b075c 100644 --- a/nixos/doc/manual/release-notes/rl-1703.xml +++ b/nixos/doc/manual/release-notes/rl-1703.xml @@ -271,6 +271,16 @@ following incompatible changes: + + + Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly. + Minor modifications had to be made to the interpreters in order to generate + deterministic bytecode. This has security implications and is relevant for + those using Python in a nix-shell. See the Nixpkgs manual + for details. + + + diff --git a/pkgs/build-support/setup-hooks/compress-man-pages.sh b/pkgs/build-support/setup-hooks/compress-man-pages.sh index f1d9cf3a3696..d10a898d6e46 100644 --- a/pkgs/build-support/setup-hooks/compress-man-pages.sh +++ b/pkgs/build-support/setup-hooks/compress-man-pages.sh 
@@ -3,26 +3,30 @@ fixupOutputHooks+=('if [ -z "$dontGzipMan" ]; then compressManPages "$prefix"; f compressManPages() { local dir="$1" - if [ ! -d "$dir/share/man" ]; then return; fi - echo "gzipping man pages in $dir" + if [ -L "$dir"/share ] || [ -L "$dir"/share/man ] || [ ! -d "$dir/share/man" ] + then return + fi + echo "gzipping man pages under $dir/share/man/" - GLOBIGNORE=.:..:*.gz:*.bz2 - - for f in "$dir"/share/man/*/* "$dir"/share/man/*/*/*; do - if [ -f "$f" -a ! -L "$f" ]; then - if gzip -c -n "$f" > "$f".gz; then - rm "$f" - else - rm "$f".gz - fi + # Compress all uncompressed manpages. Don't follow symlinks, etc. + find "$dir"/share/man/ -type f -a '!' -regex '.*\.\(bz2\|gz\)$' -print0 \ + | while IFS= read -r -d $'\0' f + do + if gzip -c -n "$f" > "$f".gz; then + rm "$f" + else + rm "$f".gz fi done - for f in "$dir"/share/man/*/* "$dir"/share/man/*/*/*; do - if [ -L "$f" -a -f `readlink -f "$f"`.gz ]; then - ln -sf `readlink "$f"`.gz "$f".gz && rm "$f" + # Point symlinks to compressed manpages. + find "$dir"/share/man/ -type l -a '!' -regex '.*\.\(bz2\|gz\)$' -print0 \ + | while IFS= read -r -d $'\0' f + do + local target + target="$(readlink -f "$f")" + if [ -f "$target".gz ]; then + ln -sf "$target".gz "$f".gz && rm "$f" fi done - - unset GLOBIGNORE } diff --git a/pkgs/development/interpreters/python/cpython/2.7/default.nix b/pkgs/development/interpreters/python/cpython/2.7/default.nix index ccf9296e0bcb..8426902414a7 100644 --- a/pkgs/development/interpreters/python/cpython/2.7/default.nix +++ b/pkgs/development/interpreters/python/cpython/2.7/default.nix 
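Review bot: The second loop in compressManPages now links to `"$target".gz` with `target` taken from `readlink -f`, so every rewritten man-page symlink becomes an absolute, fully resolved path; the removed code kept the link's own target via `readlink "$f"`. The ploticus change in this same commit notes that an absolute man symlink breaks when the directory is moved, so relative targets are probably worth preserving here. Keep `readlink -f` for the existence test only and build the link from the original target: `ln -sf "$(readlink "$f")".gz "$f".gz && rm "$f"`.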
@@ -178,6 +178,17 @@ in stdenv.mkDerivation { echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py rm "$out"/lib/python*/plat-*/regen # refers to glibc.dev + + # Determinism: Windows installers were not deterministic. + # We're also not interested in building Windows installers. + find "$out" -name 'wininst*.exe' | xargs -r rm -f + + # Determinism: rebuild all bytecode + # We exclude lib2to3 because that's Python 2 code which fails + # We rebuild three times, once for each optimization level + find $out -name "*.py" | $out/bin/python -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -O -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -OO -m compileall -q -f -x "lib2to3" -i - ''; passthru = let @@ -210,5 +221,8 @@ in stdenv.mkDerivation { license = stdenv.lib.licenses.psfl; platforms = stdenv.lib.platforms.all; maintainers = with stdenv.lib.maintainers; [ chaoflow domenkozar ]; + # Higher priority than Python 3.x so that `/bin/python` points to `/bin/python2` + # in case both 2 and 3 are installed. + priority = -100; }; } diff --git a/pkgs/development/interpreters/python/cpython/3.4/default.nix b/pkgs/development/interpreters/python/cpython/3.4/default.nix index 72419f8e1943..143dbcd5686e 100644 --- a/pkgs/development/interpreters/python/cpython/3.4/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.4/default.nix @@ -1,5 +1,7 @@ { stdenv, fetchurl , bzip2 +, expat +, libffi , gdbm , lzma , ncurses 
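Review bot: In the bytecode rebuild added to postInstall, the `-O` and `-OO` passes do not produce separate files on Python 2.7: both write `.pyo` next to the source, so the third command overwrites what the second just wrote. The installed `.pyo` files therefore end up docstring-stripped, and they are also what `python -O` loads, so code that reads `__doc__` under `-O` can see `None`. Either drop the `-OO` line for this interpreter or correct the comment, e.g. `# -O and -OO share one .pyo on this version; the last pass wins`. The 3.4 file adds the same three lines and has the same problem, since per-level bytecode file names only exist from 3.5 on.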
@@ -50,21 +52,43 @@ in stdenv.mkDerivation { NIX_LDFLAGS = optionalString stdenv.isLinux "-lgcc_s"; + # Determinism: The interpreter is patched to write null timestamps when compiling python files. + # This way python doesn't try to update them when we freeze timestamps in nix store. + DETERMINISTIC_BUILD=1; + # Determinism: We fix the hashes of str, bytes and datetime objects. + PYTHONHASHSEED=0; + prePatch = optionalString stdenv.isDarwin '' substituteInPlace configure --replace '`/usr/bin/arch`' '"i386"' substituteInPlace configure --replace '-Wl,-stack_size,1000000' ' ' ''; - postPatch = optionalString (x11Support && (tix != null)) '' + postPatch = '' + # Determinism + substituteInPlace "Lib/py_compile.py" --replace "source_stats['mtime']" "(1 if 'DETERMINISTIC_BUILD' in os.environ else source_stats['mtime'])" + # Determinism. This is done unconditionally + substituteInPlace "Lib/importlib/_bootstrap.py" --replace "source_mtime = int(source_stats['mtime'])" "source_mtime = 1" + '' + optionalString (x11Support && (tix != null)) '' substituteInPlace "Lib/tkinter/tix.py" --replace "os.environ.get('TIX_LIBRARY')" "os.environ.get('TIX_LIBRARY') or '${tix}/lib'" '' # Avoid picking up getentropy() from glibc >= 2.25, as that would break # on older kernels. http://bugs.python.org/issue29157 - + optionalString stdenv.isLinux - '' + + optionalString stdenv.isLinux '' substituteInPlace Python/random.c --replace 'defined(HAVE_GETENTROPY)' '0' cat Python/random.c - ''; + ''; + + CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}"; + LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}"; + LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}"; + + configureFlags = [ + "--enable-shared" + "--with-threads" + "--without-ensurepip" + "--with-system-expat" + "--with-system-ffi" + ]; preConfigure = '' for i in /usr /sw /opt /pkg; do # improve purity 
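Review bot: The second substitution in postPatch hard-codes `source_mtime = 1` in `Lib/importlib/_bootstrap.py` for every run of the installed interpreter, whereas the `py_compile.py` substitution above it only applies when `DETERMINISTIC_BUILD` is set. As far as I can tell this leaves the recorded source size as the only staleness check for cached bytecode, so a same-length edit to a `.py` file outside the store can keep executing the old `.pyc`. The manual text added in this commit says bytecode gets timestamp 1 when `DETERMINISTIC_BUILD` is set, which does not match an unconditional patch. Either gate this substitution on the variable as well, or spell the consequence out in the comment, e.g. `# Unconditional: stale bytecode is then detected by source size only, also outside Nix builds`. The 3.5 and 3.6 hunks make the same substitution in `_bootstrap_external.py`.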
@@ -74,12 +98,6 @@ in stdenv.mkDerivation { export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -msse2" export MACOSX_DEPLOYMENT_TARGET=10.6 ''} - - configureFlagsArray=( --enable-shared --with-threads - CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}" - LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}" - LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}" - ) ''; setupHook = ./setup-hook.sh; @@ -102,6 +120,10 @@ in stdenv.mkDerivation { # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py + # Determinism: Windows installers were not deterministic. + # We're also not interested in building Windows installers. + find "$out" -name 'wininst*.exe' | xargs -r rm -f + # Use Python3 as default python ln -s "$out/bin/idle3" "$out/bin/idle" ln -s "$out/bin/pip3" "$out/bin/pip" @@ -109,6 +131,13 @@ in stdenv.mkDerivation { ln -s "$out/bin/python3" "$out/bin/python" ln -s "$out/bin/python3-config" "$out/bin/python-config" ln -s "$out/lib/pkgconfig/python3.pc" "$out/lib/pkgconfig/python.pc" + + # Determinism: rebuild all bytecode + # We exclude lib2to3 because that's Python 2 code which fails + # We rebuild three times, once for each optimization level + find $out -name "*.py" | $out/bin/python -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -O -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -OO -m compileall -q -f -x "lib2to3" -i - ''; postFixup = '' diff --git a/pkgs/development/interpreters/python/cpython/3.5/default.nix b/pkgs/development/interpreters/python/cpython/3.5/default.nix index 215229086b75..082f6ff67897 100644 --- a/pkgs/development/interpreters/python/cpython/3.5/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.5/default.nix 
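Review bot: `find "$out" -name 'wininst*.exe' | xargs -r rm -f` in postInstall sends file names through a whitespace-split pipe and depends on GNU `xargs -r`; `find "$out" -name 'wininst*.exe' -delete` does the same job in one process with no name parsing. The line is repeated in the 2.7, 3.5 and 3.6 hunks. postInstall starts and ends outside this hunk.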
@@ -1,5 +1,7 @@ { stdenv, fetchurl, fetchpatch , bzip2 +, expat +, libffi , gdbm , lzma , ncurses @@ -32,7 +34,7 @@ let sitePackages = "lib/${libPrefix}/site-packages"; buildInputs = filter (p: p != null) [ - zlib bzip2 lzma gdbm sqlite readline ncurses openssl ] + zlib bzip2 expat lzma libffi gdbm sqlite readline ncurses openssl ] ++ optionals x11Support [ tcl tk libX11 xproto ] ++ optionals stdenv.isDarwin [ CF configd ]; @@ -50,6 +52,12 @@ in stdenv.mkDerivation { NIX_LDFLAGS = optionalString stdenv.isLinux "-lgcc_s"; + # Determinism: The interpreter is patched to write null timestamps when compiling python files. + # This way python doesn't try to update them when we freeze timestamps in nix store. + DETERMINISTIC_BUILD=1; + # Determinism: We fix the hashes of str, bytes and datetime objects. + PYTHONHASHSEED=0; + prePatch = optionalString stdenv.isDarwin '' substituteInPlace configure --replace '`/usr/bin/arch`' '"i386"' substituteInPlace configure --replace '-Wl,-stack_size,1000000' ' ' 
@@ -63,10 +71,27 @@ in stdenv.mkDerivation { }) ]; - postPatch = optionalString (x11Support && (tix != null)) '' + postPatch = '' + # Determinism + substituteInPlace "Lib/py_compile.py" --replace "source_stats['mtime']" "(1 if 'DETERMINISTIC_BUILD' in os.environ else source_stats['mtime'])" + # Determinism. This is done unconditionally + substituteInPlace "Lib/importlib/_bootstrap_external.py" --replace "source_mtime = int(st['mtime'])" "source_mtime = 1" + '' + optionalString (x11Support && (tix != null)) '' substituteInPlace "Lib/tkinter/tix.py" --replace "os.environ.get('TIX_LIBRARY')" "os.environ.get('TIX_LIBRARY') or '${tix}/lib'" ''; + CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}"; + LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}"; + LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}"; + + configureFlags = [ + "--enable-shared" + "--with-threads" + "--without-ensurepip" + "--with-system-expat" + "--with-system-ffi" + ]; + preConfigure = '' for i in /usr /sw /opt /pkg; do # improve purity substituteInPlace ./setup.py --replace $i /no-such-path @@ -75,12 +100,6 @@ in stdenv.mkDerivation { export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -msse2" export MACOSX_DEPLOYMENT_TARGET=10.6 ''} - - configureFlagsArray=( --enable-shared --with-threads - CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}" - LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}" - LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}" - ) ''; setupHook = ./setup-hook.sh; 
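Review bot: `--without-ensurepip` in the new configureFlags means `make install` no longer bootstraps pip, yet postInstall in this file still runs `ln -s "$out/bin/pip3" "$out/bin/pip"` (visible as context in the next hunk). Unless pip3 is provided some other way, that leaves a dangling `bin/pip` in the output, because `ln -s` does not check its target. Drop the link, or wrap it in `if [ -e "$out/bin/pip3" ]; then … fi`. The 3.4 and 3.6 files have the same pair of lines.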
@@ -103,6 +122,10 @@ in stdenv.mkDerivation { # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py + # Determinism: Windows installers were not deterministic. + # We're also not interested in building Windows installers. + find "$out" -name 'wininst*.exe' | xargs -r rm -f + # Use Python3 as default python ln -s "$out/bin/idle3" "$out/bin/idle" ln -s "$out/bin/pip3" "$out/bin/pip" @@ -110,6 +133,13 @@ in stdenv.mkDerivation { ln -s "$out/bin/python3" "$out/bin/python" ln -s "$out/bin/python3-config" "$out/bin/python-config" ln -s "$out/lib/pkgconfig/python3.pc" "$out/lib/pkgconfig/python.pc" + + # Determinism: rebuild all bytecode + # We exclude lib2to3 because that's Python 2 code which fails + # We rebuild three times, once for each optimization level + find $out -name "*.py" | $out/bin/python -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -O -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -OO -m compileall -q -f -x "lib2to3" -i - ''; postFixup = '' diff --git a/pkgs/development/interpreters/python/cpython/3.6/default.nix b/pkgs/development/interpreters/python/cpython/3.6/default.nix index 42f8d109af2f..ebf621d50576 100644 --- a/pkgs/development/interpreters/python/cpython/3.6/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.6/default.nix @@ -1,6 +1,8 @@ { stdenv, fetchurl, fetchpatch , glibc , bzip2 +, expat +, libffi , gdbm , lzma , ncurses 
@@ -50,6 +52,12 @@ in stdenv.mkDerivation { NIX_LDFLAGS = optionalString stdenv.isLinux "-lgcc_s"; + # Determinism: The interpreter is patched to write null timestamps when compiling python files. + # This way python doesn't try to update them when we freeze timestamps in nix store. + DETERMINISTIC_BUILD=1; + # Determinism: We fix the hashes of str, bytes and datetime objects. + PYTHONHASHSEED=0; + prePatch = optionalString stdenv.isDarwin '' substituteInPlace configure --replace '`/usr/bin/arch`' '"i386"' substituteInPlace configure --replace '-Wl,-stack_size,1000000' ' ' @@ -63,10 +71,27 @@ in stdenv.mkDerivation { }) ]; - postPatch = optionalString (x11Support && (tix != null)) '' + postPatch = '' + # Determinism + substituteInPlace "Lib/py_compile.py" --replace "source_stats['mtime']" "(1 if 'DETERMINISTIC_BUILD' in os.environ else source_stats['mtime'])" + # Determinism. This is done unconditionally + substituteInPlace "Lib/importlib/_bootstrap_external.py" --replace "source_mtime = int(st['mtime'])" "source_mtime = 1" + '' + optionalString (x11Support && (tix != null)) '' substituteInPlace "Lib/tkinter/tix.py" --replace "os.environ.get('TIX_LIBRARY')" "os.environ.get('TIX_LIBRARY') or '${tix}/lib'" ''; + CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}"; + LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}"; + LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}"; + + configureFlags = [ + "--enable-shared" + "--with-threads" + "--without-ensurepip" + "--with-system-expat" + "--with-system-ffi" + ]; + preConfigure = '' for i in /usr /sw /opt /pkg; do # improve purity substituteInPlace ./setup.py --replace $i /no-such-path 
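Review bot: This file gains `--with-system-expat` and `--with-system-ffi`, plus `expat` and `libffi` as function arguments, but unlike the 3.5 file no hunk here adds them to `buildInputs`. `CPPFLAGS` and `LDFLAGS` are generated from `buildInputs`, so if that list was not already extended elsewhere, configure is told to use system libraries it has no include or library path for. Worth confirming that `buildInputs` reads `zlib bzip2 expat lzma libffi …` as in 3.5; the 3.4 file shows the same gap. The attribute set continues outside the hunk.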
@@ -75,12 +100,6 @@ in stdenv.mkDerivation { export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -msse2" export MACOSX_DEPLOYMENT_TARGET=10.6 ''} - - configureFlagsArray=( --enable-shared --with-threads - CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}" - LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}" - LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}" - ) ''; setupHook = ./setup-hook.sh; @@ -103,6 +122,10 @@ in stdenv.mkDerivation { # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py + # Determinism: Windows installers were not deterministic. + # We're also not interested in building Windows installers. + find "$out" -name 'wininst*.exe' | xargs -r rm -f + # Use Python3 as default python ln -s "$out/bin/idle3" "$out/bin/idle" ln -s "$out/bin/pip3" "$out/bin/pip" @@ -110,6 +133,13 @@ in stdenv.mkDerivation { ln -s "$out/bin/python3" "$out/bin/python" ln -s "$out/bin/python3-config" "$out/bin/python-config" ln -s "$out/lib/pkgconfig/python3.pc" "$out/lib/pkgconfig/python.pc" + + # Determinism: rebuild all bytecode + # We exclude lib2to3 because that's Python 2 code which fails + # We rebuild three times, once for each optimization level + find $out -name "*.py" | $out/bin/python -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -O -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -OO -m compileall -q -f -x "lib2to3" -i - ''; passthru = let diff --git a/pkgs/development/interpreters/python/mk-python-derivation.nix b/pkgs/development/interpreters/python/mk-python-derivation.nix index c8fedaf75fc9..69eea056c763 100644 --- a/pkgs/development/interpreters/python/mk-python-derivation.nix +++ b/pkgs/development/interpreters/python/mk-python-derivation.nix 
@@ -57,9 +57,12 @@ python.stdenv.mkDerivation (builtins.removeAttrs attrs ["disabled"] // { inherit pythonPath; - # patch python interpreter to write null timestamps when compiling python files - # this way python doesn't try to update them when we freeze timestamps in nix store + + # Determinism: The interpreter is patched to write null timestamps when compiling python files. + # This way python doesn't try to update them when we freeze timestamps in nix store. DETERMINISTIC_BUILD=1; + # Determinism: We fix the hashes of str, bytes and datetime objects. + PYTHONHASHSEED = 0; buildInputs = [ wrapPython ] ++ buildInputs ++ pythonPath ++ [ (ensureNewerSourcesHook { year = "1980"; }) ] diff --git a/pkgs/development/libraries/libevent/default.nix b/pkgs/development/libraries/libevent/default.nix index 4abd0b033757..d2ba84bb5dd9 100644 --- a/pkgs/development/libraries/libevent/default.nix +++ b/pkgs/development/libraries/libevent/default.nix @@ -23,11 +23,21 @@ stdenv.mkDerivation { | grep -v '^dh-autoreconf' | sed 's|^|debian/patches/|')" ''; - outputs = [ "out" "dev" ]; + # libevent_openssl is moved into its own output, so that openssl isn't present + # in the default closure. + outputs = [ "out" "dev" "openssl" ]; outputBin = "dev"; + propagatedBuildOutputs = [ "out" "openssl" ]; buildInputs = [ openssl ] ++ stdenv.lib.optional stdenv.isCygwin findutils; + postInstall = '' + moveToOutput "lib/libevent_openssl*" "$openssl" + substituteInPlace "$dev/lib/pkgconfig/libevent_openssl.pc" \ + --replace "$out" "$openssl" + sed "/^libdir=/s|$out|$openssl|" -i "$openssl"/lib/libevent_openssl.la + ''; + meta = with stdenv.lib; { description = "Event notification library"; longDescription = '' diff --git a/pkgs/development/libraries/libuv/default.nix b/pkgs/development/libraries/libuv/default.nix index 2a1c82ec639a..fe4ed6e410ec 100644 --- a/pkgs/development/libraries/libuv/default.nix +++ b/pkgs/development/libraries/libuv/default.nix 
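Review bot: The comment on `PYTHONHASHSEED = 0` describes only the determinism side; a seed of 0 turns off hash randomization for str and bytes, which is the interpreter's mitigation against hash-collision denial of service. According to the manual text added in this commit the variable is also exported in `nix-shell`, so anything started from such a shell runs without that mitigation. I would say so next to the attribute: `# Determinism: fixed hashes for str, bytes and datetime. This disables hash randomization, also for programs run from nix-shell.`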
@@ -17,7 +17,9 @@ stdenv.mkDerivation rec { "getnameinfo_basic" # probably network-dependent "spawn_setuid_fails" "spawn_setgid_fails" "fs_chown" # user namespaces "getaddrinfo_fail" "getaddrinfo_fail_sync" - ]; + ] + # sometimes: timeout (no output) + ++ stdenv.lib.optional stdenv.isDarwin "process_title"; tdRegexp = lib.concatStringsSep "\\|" toDisable; in lib.optionalString doCheck '' sed '/${tdRegexp}/d' -i test/test-list.h diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix index 08fb80c8435a..b36316f72f4e 100644 --- a/pkgs/development/libraries/mesa/default.nix +++ b/pkgs/development/libraries/mesa/default.nix @@ -27,7 +27,7 @@ if ! lists.elem stdenv.system platforms.mesaPlatforms then else let - version = "13.0.5"; + version = "17.0.0"; branch = head (splitString "." version); driverLink = "/run/opengl-driver" + optionalString stdenv.isi686 "-32"; in @@ -41,7 +41,7 @@ stdenv.mkDerivation { "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz" "https://launchpad.net/mesa/trunk/${version}/+download/mesa-${version}.tar.xz" ]; - sha256 = "bfcea7e2c801525a60895c8aff11aa68457ee9aa35d01a4638e1f310a3f5ef87"; + sha256 = "10c4cvm6hhdch0idh2kn7qv1dq6zlw97sc3pz7bssn81f1ckvnrr"; }; prePatch = "patchShebangs ."; @@ -54,11 +54,6 @@ stdenv.mkDerivation { ./symlink-drivers.patch ]; - postPatch = '' - substituteInPlace src/egl/main/egldriver.c \ - --replace _EGL_DRIVER_SEARCH_DIR '"${driverLink}"' - ''; - outputs = [ "out" "dev" "drivers" "osmesa" ]; # TODO: Figure out how to enable opencl without having a runtime dependency on clang 
@@ -69,7 +64,7 @@ stdenv.mkDerivation { "--with-dri-searchpath=${driverLink}/lib/dri" "--with-egl-platforms=x11,wayland,drm" ] ++ (if stdenv.isArm || stdenv.isAarch64 then [ - "--with-gallium-drivers=nouveau,freedreno,vc4,swrast" + "--with-gallium-drivers=nouveau,freedreno,vc4,etnaviv,swrast" "--with-dri-drivers=nouveau,swrast" ] else [ "--with-gallium-drivers=svga,i915,ilo,r300,r600,radeonsi,nouveau,swrast" diff --git a/pkgs/development/libraries/qt-5/5.7/qttools/cmake-paths.patch b/pkgs/development/libraries/qt-5/5.7/qttools/cmake-paths.patch index fe5bcadbe9a8..e3db17e978c2 100644 --- a/pkgs/development/libraries/qt-5/5.7/qttools/cmake-paths.patch +++ b/pkgs/development/libraries/qt-5/5.7/qttools/cmake-paths.patch @@ -1,7 +1,6 @@ -Index: qttools-opensource-src-5.5.1/src/assistant/help/Qt5HelpConfigExtras.cmake.in -=================================================================== ---- qttools-opensource-src-5.5.1.orig/src/assistant/help/Qt5HelpConfigExtras.cmake.in -+++ qttools-opensource-src-5.5.1/src/assistant/help/Qt5HelpConfigExtras.cmake.in +diff -Naur qttools-opensource-src-5.7.1.orig/src/assistant/help/Qt5HelpConfigExtras.cmake.in qttools-opensource-src-5.7.1/src/assistant/help/Qt5HelpConfigExtras.cmake.in +--- qttools-opensource-src-5.7.1.orig/src/assistant/help/Qt5HelpConfigExtras.cmake.in 2016-11-03 09:31:16.000000000 +0100 ++++ qttools-opensource-src-5.7.1/src/assistant/help/Qt5HelpConfigExtras.cmake.in 2017-02-28 16:37:20.130457615 +0100 @@ -2,11 +2,10 @@ if (NOT TARGET Qt5::qcollectiongenerator) add_executable(Qt5::qcollectiongenerator IMPORTED) 
@@ -18,11 +17,26 @@ Index: qttools-opensource-src-5.5.1/src/assistant/help/Qt5HelpConfigExtras.cmake _qt5_Help_check_file_exists(${imported_location}) set_target_properties(Qt5::qcollectiongenerator PROPERTIES -Index: qttools-opensource-src-5.5.1/src/linguist/Qt5LinguistToolsConfig.cmake.in -=================================================================== ---- qttools-opensource-src-5.5.1.orig/src/linguist/Qt5LinguistToolsConfig.cmake.in -+++ qttools-opensource-src-5.5.1/src/linguist/Qt5LinguistToolsConfig.cmake.in -@@ -44,11 +44,10 @@ endmacro() +@@ -17,11 +16,10 @@ + if (NOT TARGET Qt5::qhelpgenerator) + add_executable(Qt5::qhelpgenerator IMPORTED) + +-!!IF isEmpty(CMAKE_BIN_DIR_IS_ABSOLUTE) +- set(imported_location \"${_qt5Help_install_prefix}/$${CMAKE_BIN_DIR}qhelpgenerator$$CMAKE_BIN_SUFFIX\") +-!!ELSE +- set(imported_location \"$${CMAKE_BIN_DIR}qhelpgenerator$$CMAKE_BIN_SUFFIX\") +-!!ENDIF ++ set(imported_location \"@NIX_OUT@/$${CMAKE_BIN_DIR}qhelpgenerator$$CMAKE_BIN_SUFFIX\") ++ if(NOT EXISTS \"${imported_location}\") ++ set(imported_location \"@NIX_DEV@/$${CMAKE_BIN_DIR}qhelpgenerator$$CMAKE_BIN_SUFFIX\") ++ endif() + _qt5_Help_check_file_exists(${imported_location}) + + set_target_properties(Qt5::qhelpgenerator PROPERTIES +diff -Naur qttools-opensource-src-5.7.1.orig/src/linguist/Qt5LinguistToolsConfig.cmake.in qttools-opensource-src-5.7.1/src/linguist/Qt5LinguistToolsConfig.cmake.in +--- qttools-opensource-src-5.7.1.orig/src/linguist/Qt5LinguistToolsConfig.cmake.in 2016-11-03 09:31:16.000000000 +0100 ++++ qttools-opensource-src-5.7.1/src/linguist/Qt5LinguistToolsConfig.cmake.in 2017-02-28 16:35:40.470100681 +0100 +@@ -44,11 +44,10 @@ if (NOT TARGET Qt5::lrelease) add_executable(Qt5::lrelease IMPORTED) 
@@ -38,7 +52,7 @@ Index: qttools-opensource-src-5.5.1/src/linguist/Qt5LinguistToolsConfig.cmake.in _qt5_LinguistTools_check_file_exists(${imported_location}) set_target_properties(Qt5::lrelease PROPERTIES -@@ -59,11 +58,10 @@ endif() +@@ -59,11 +58,10 @@ if (NOT TARGET Qt5::lupdate) add_executable(Qt5::lupdate IMPORTED) @@ -54,7 +68,7 @@ Index: qttools-opensource-src-5.5.1/src/linguist/Qt5LinguistToolsConfig.cmake.in _qt5_LinguistTools_check_file_exists(${imported_location}) set_target_properties(Qt5::lupdate PROPERTIES -@@ -74,11 +72,10 @@ endif() +@@ -74,11 +72,10 @@ if (NOT TARGET Qt5::lconvert) add_executable(Qt5::lconvert IMPORTED) diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix index 6ac9f3febc42..5041ef3b3eda 100644 --- a/pkgs/development/tools/misc/binutils/default.nix +++ b/pkgs/development/tools/misc/binutils/default.nix @@ -81,8 +81,6 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - postFixup = optionalString (cross == null) "ln -s $out/bin $dev/bin"; # tools needed for development - meta = with stdenv.lib; { description = "Tools for manipulating binaries (linker, assembler, etc.)"; longDescription = '' diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix index 6c3aacbef297..872a1897457c 100644 --- a/pkgs/os-specific/linux/util-linux/default.nix +++ b/pkgs/os-specific/linux/util-linux/default.nix @@ -6,11 +6,11 @@ stdenv.mkDerivation rec { version = lib.concatStringsSep "." ([ majorVersion ] ++ lib.optional (patchVersion != "") patchVersion); majorVersion = "2.29"; - patchVersion = ""; + patchVersion = "2"; src = fetchurl { url = "mirror://kernel/linux/utils/util-linux/v${majorVersion}/${name}.tar.xz"; - sha256 = "1rzrmdrz51p9sy7vlw5qmj8pmqazm7hgcch5yq242mkvrikyln9c"; + sha256 = "1qz81w8vzrmy8xn9yx7ls4amkbgwx6vr62pl6kv9g7r0g3ba9kmc"; }; patches = [ ./rtcwake-search-PATH-for-shutdown.patch ]; 
diff --git a/pkgs/servers/x11/xorg/default.nix b/pkgs/servers/x11/xorg/default.nix index 96f348e92b39..eee912d1b8c3 100644 --- a/pkgs/servers/x11/xorg/default.nix +++ b/pkgs/servers/x11/xorg/default.nix @@ -669,11 +669,11 @@ let }) // {inherit windowswmproto libX11 libXext xextproto ;}; libX11 = (mkDerivation "libX11" { - name = "libX11-1.6.4"; + name = "libX11-1.6.5"; builder = ./builder.sh; src = fetchurl { - url = mirror://xorg/individual/lib/libX11-1.6.4.tar.bz2; - sha256 = "0hg46i6h92pmb7xp1cis2j43zq3fkdz89p0yv35w4vm17az4iixp"; + url = mirror://xorg/individual/lib/libX11-1.6.5.tar.bz2; + sha256 = "0pa3cfp6h9rl2vxmkph65250gfqyki0ccqyaan6bl9d25gdr0f2d"; }; buildInputs = [pkgconfig inputproto kbproto libxcb xextproto xf86bigfontproto xproto xtrans ]; meta.platforms = stdenv.lib.platforms.unix; diff --git a/pkgs/servers/x11/xorg/tarballs-7.7.list b/pkgs/servers/x11/xorg/tarballs-7.7.list index 3247d3e7b155..4aeace9f0c22 100644 --- a/pkgs/servers/x11/xorg/tarballs-7.7.list +++ b/pkgs/servers/x11/xorg/tarballs-7.7.list @@ -59,7 +59,7 @@ mirror://xorg/individual/lib/libICE-1.0.9.tar.bz2 mirror://xorg/individual/lib/libpciaccess-0.13.4.tar.bz2 mirror://xorg/individual/lib/libSM-1.2.2.tar.bz2 mirror://xorg/X11R7.7/src/everything/libWindowsWM-1.0.1.tar.bz2 -mirror://xorg/individual/lib/libX11-1.6.4.tar.bz2 +mirror://xorg/individual/lib/libX11-1.6.5.tar.bz2 mirror://xorg/individual/lib/libXau-1.0.8.tar.bz2 mirror://xorg/individual/lib/libXaw-1.0.13.tar.bz2 mirror://xorg/individual/lib/libXcomposite-0.4.4.tar.bz2 diff --git a/pkgs/tools/graphics/ploticus/default.nix b/pkgs/tools/graphics/ploticus/default.nix index b855410f37f2..d0e678578723 100644 --- a/pkgs/tools/graphics/ploticus/default.nix +++ b/pkgs/tools/graphics/ploticus/default.nix 
@@ -15,6 +15,12 @@ stdenv.mkDerivation { patches = [ ./ploticus-install.patch ]; + # Make the symlink relative instead of absolute. + # Otherwise it breaks when auto-moved to $out/share. + preFixup = '' + ln -sf pl.1 "$out"/man/man1/ploticus.1 + ''; + meta = with stdenv.lib; { description = "A non-interactive software package for producing plots and charts"; longDescription = ''Ploticus is a free, GPL'd, non-interactive diff --git a/pkgs/tools/misc/findutils/default.nix b/pkgs/tools/misc/findutils/default.nix index f1090bcf457f..53d75485d5ca 100644 --- a/pkgs/tools/misc/findutils/default.nix +++ b/pkgs/tools/misc/findutils/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "178nn4dl7wbcw499czikirnkniwnx36argdnqgz4ik9i6zvwkm6y"; }; - patches = [ ./memory-leak.patch ]; + patches = [ ./memory-leak.patch ./no-install-statedir.patch ]; buildInputs = [ coreutils ]; # bin/updatedb script needs to call sort @@ -17,6 +17,8 @@ stdenv.mkDerivation rec { outputs = [ "out" "info" ]; + configureFlags = [ "--localstatedir=/var/cache" ]; + crossAttrs = { # Fix the 'buildInputs = [ coreutils ]' above - that adds the cross coreutils to PATH :( propagatedBuildInputs = [ ]; diff --git a/pkgs/tools/misc/findutils/no-install-statedir.patch b/pkgs/tools/misc/findutils/no-install-statedir.patch new file mode 100644 index 000000000000..a7a48038a3aa --- /dev/null +++ b/pkgs/tools/misc/findutils/no-install-statedir.patch @@ -0,0 +1,11 @@ +--- a/locate/Makefile.in ++++ b/locate/Makefile.in +@@ -2357,7 +2357,7 @@ updatedb: updatedb.sh Makefile + chmod +x $@ + + install-data-hook: +- $(top_srcdir)/build-aux/mkinstalldirs $(DESTDIR)$(localstatedir) ++ #$(top_srcdir)/build-aux/mkinstalldirs $(DESTDIR)$(localstatedir) + + dblocation.texi: + echo '@set LOCATE_DB $(LOCATE_DB)' > $@.tmp diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix index 48f8edf7c44c..e9b438a6037b 100644 --- a/pkgs/tools/networking/curl/default.nix 
+++ b/pkgs/tools/networking/curl/default.nix @@ -21,11 +21,11 @@ assert scpSupport -> libssh2 != null; assert c-aresSupport -> c-ares != null; stdenv.mkDerivation rec { - name = "curl-7.53.0"; + name = "curl-7.53.1"; src = fetchurl { url = "http://curl.haxx.se/download/${name}.tar.bz2"; - sha256 = "008833dd9w4l2277q9r0bsq1vqmm0fr7qqyzvqlw5d47xy5mld5j"; + sha256 = "1s1hyndva0yp62xy96pcp4anzrvw6cl0abjajim17sbmdp00fwhw"; }; patches = [ ]; diff --git a/pkgs/tools/networking/unbound/default.nix b/pkgs/tools/networking/unbound/default.nix index 6cbd505103bf..0a1d557dd935 100644 --- a/pkgs/tools/networking/unbound/default.nix +++ b/pkgs/tools/networking/unbound/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, openssl, expat, libevent }: +{ stdenv, fetchurl, openssl, nettle, expat, libevent }: stdenv.mkDerivation rec { name = "unbound-${version}"; @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB - buildInputs = [ openssl expat libevent ]; + buildInputs = [ openssl nettle expat libevent ]; configureFlags = [ "--with-ssl=${openssl.dev}" 
@@ -26,11 +26,21 @@ stdenv.mkDerivation rec { installFlags = [ "configfile=\${out}/etc/unbound/unbound.conf" ]; - # get rid of runtime dependencies on $dev outputs - postInstall = ''substituteInPlace "$lib/lib/libunbound.la" '' + preFixup = stdenv.lib.optionalString stdenv.isLinux + # Build libunbound again, but only against nettle instead of openssl. + # This avoids gnutls.out -> unbound.lib -> openssl.out. + # There was some problem with this on Darwin; let's not complicate non-Linux. + '' + configureFlags="$configureFlags --with-nettle=${nettle.dev} --with-libunbound-only" + configurePhase + buildPhase + installPhase + '' + # get rid of runtime dependencies on $dev outputs + + ''substituteInPlace "$lib/lib/libunbound.la" '' + stdenv.lib.concatMapStrings (pkg: " --replace '-L${pkg.dev}/lib' '-L${pkg.out}/lib' ") - [ openssl expat libevent ]; + buildInputs; meta = with stdenv.lib; { description = "Validating, recursive, and caching DNS resolver"; diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index d9ec862146c0..3a92359cb9ab 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -20325,12 +20325,12 @@ in { }; pygments = buildPythonPackage rec { - version = "2.1.3"; + version = "2.2.0"; name = "Pygments-${version}"; src = pkgs.fetchurl { url = "mirror://pypi/P/Pygments/${name}.tar.gz"; - sha256 = "10axnp2wpjnq9g8wg53fx0c70dfxqrz498jyz8mrdx9a3flwir48"; + sha256 = "1k78qdvir1yb1c634nkv6rbga8wv4289xarghmsbbvzhvr311bnv"; }; propagatedBuildInputs = with self; [ docutils ]; 
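Review bot: The new preFixup re-runs `configurePhase`, `buildPhase` and `installPhase` in the already-built tree to get a nettle-only libunbound, with nothing that forces the objects compiled against openssl to be rebuilt, and `$configureFlags` still carries `--with-ssl=${openssl.dev}` next to the appended `--with-nettle`. If any object is reused, the library silently keeps the openssl reference this block is meant to remove. A `make clean` before `configurePhase` would make the rebuild explicit; I have not verified how the Makefile tracks `config.h`, so treat that as a precaution rather than a confirmed bug.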
@@ -20807,11 +20807,11 @@ in { pyparsing = buildPythonPackage rec { name = "pyparsing-${version}"; - version = "2.1.8"; + version = "2.1.10"; src = pkgs.fetchurl { url = "mirror://pypi/p/pyparsing/${name}.tar.gz"; - sha256 = "0sy5fxhsvhf0fwk9h6nqlhn1lsjpdmg41jziw5z814rlkydqd903"; + sha256 = "811c3e7b0031021137fc83e051795025fcb98674d07eb8fe922ba4de53d39188"; }; # Not everything necessary to run the tests is included in the distribution @@ -28976,7 +28976,8 @@ EOF --replace 'pyyaml==3.11' 'pyyaml' \ --replace 'lxml==3.7.1' 'lxml' \ --replace 'pyopenssl==16.2.0' 'pyopenssl' \ - --replace 'requests[socks]==2.12.4' 'requests[socks]' + --replace 'requests[socks]==2.12.4' 'requests[socks]' \ + --replace 'pygments==2.1.3' 'pygments>=2.1,<3.0' ''; propagatedBuildInputs = with self; [ @@ -31899,10 +31900,10 @@ EOF }; packaging = buildPythonPackage rec { - name = "packaging-16.7"; + name = "packaging-16.8"; src = pkgs.fetchurl { url = "mirror://pypi/p/packaging/${name}.tar.gz"; - sha256 = "07h18mrpqs0lv2x4fl43pqi0xj6hdrmrnm6v9q634yliagg6q91f"; + sha256 = "5d50835fdf0a7edf0b55e311b7c887786504efea1177abd7e69329a8e5ea619e"; }; propagatedBuildInputs = with self; [ pyparsing six ]; buildInputs = with self; [ pytest pretend ];