From 4d54324f7cc554aca7f146e280b1366b5a630856 Mon Sep 17 00:00:00 2001 From: Tuomas Tynkkynen Date: Tue, 14 Feb 2017 15:40:56 +0200 Subject: [PATCH 01/33] mesa: 13.0.4 -> 17.0.0 Also enable the etnaviv driver on ARM, which got added in this release (and I've confirmed that it can run glmark2 relatively successfully). --- pkgs/development/libraries/mesa/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix index abca82e62979..11d0c1334a96 100644 --- a/pkgs/development/libraries/mesa/default.nix +++ b/pkgs/development/libraries/mesa/default.nix @@ -27,7 +27,7 @@ if ! lists.elem stdenv.system platforms.mesaPlatforms then else let - version = "13.0.4"; + version = "17.0.0"; branch = head (splitString "." version); driverLink = "/run/opengl-driver" + optionalString stdenv.isi686 "-32"; in @@ -41,7 +41,7 @@ stdenv.mkDerivation { "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz" "https://launchpad.net/mesa/trunk/${version}/+download/mesa-${version}.tar.xz" ]; - sha256 = "a95d7ce8f7bd5f88585e4be3144a341236d8c0fc91f6feaec59bb8ba3120e726"; + sha256 = "10c4cvm6hhdch0idh2kn7qv1dq6zlw97sc3pz7bssn81f1ckvnrr"; }; prePatch = "patchShebangs ."; @@ -69,7 +69,7 @@ stdenv.mkDerivation { "--with-dri-searchpath=${driverLink}/lib/dri" "--with-egl-platforms=x11,wayland,drm" ] ++ (if stdenv.isArm || stdenv.isAarch64 then [ - "--with-gallium-drivers=nouveau,freedreno,vc4,swrast" + "--with-gallium-drivers=nouveau,freedreno,vc4,etnaviv,swrast" "--with-dri-drivers=nouveau,swrast" ] else [ "--with-gallium-drivers=svga,i915,ilo,r300,r600,radeonsi,nouveau,swrast" From da1f93f445d952ce24f6727eeed2cd7e60473447 Mon Sep 17 00:00:00 2001 
From: Tuomas Tynkkynen Date: Thu, 16 Feb 2017 01:25:56 +0200 Subject: [PATCH 02/33] mesa: Remove obsolete patching The code we're patching was removed in 2015: http://comments.gmane.org/gmane.comp.video.mesa3d.devel/102524 --- pkgs/development/libraries/mesa/default.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix index 11d0c1334a96..b36316f72f4e 100644 --- a/pkgs/development/libraries/mesa/default.nix +++ b/pkgs/development/libraries/mesa/default.nix @@ -54,11 +54,6 @@ stdenv.mkDerivation { ./symlink-drivers.patch ]; - postPatch = '' - substituteInPlace src/egl/main/egldriver.c \ - --replace _EGL_DRIVER_SEARCH_DIR '"${driverLink}"' - ''; - outputs = [ "out" "dev" "drivers" "osmesa" ]; # TODO: Figure out how to enable opencl without having a runtime dependency on clang From abcb132effe9bdeaa629d4e7100f7360a83cd342 Mon Sep 17 00:00:00 2001 From: romildo Date: Thu, 16 Feb 2017 10:29:09 -0200 Subject: [PATCH 03/33] pygments: 2.1.3 -> 2.2.0 --- pkgs/top-level/python-packages.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index 6567158c185c..a44ec360ac7e 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -20321,12 +20321,12 @@ in { }; pygments = buildPythonPackage rec { - version = "2.1.3"; + version = "2.2.0"; name = "Pygments-${version}"; src = pkgs.fetchurl { url = "mirror://pypi/P/Pygments/${name}.tar.gz"; - sha256 = "10axnp2wpjnq9g8wg53fx0c70dfxqrz498jyz8mrdx9a3flwir48"; + sha256 = "1k78qdvir1yb1c634nkv6rbga8wv4289xarghmsbbvzhvr311bnv"; }; propagatedBuildInputs = with self; [ docutils ]; From 2055d6cacf14f37633788aa1fbb1470abe804dc4 Mon Sep 17 00:00:00 2001 
From: Franz Pletz Date: Thu, 23 Feb 2017 18:36:18 +0100 Subject: [PATCH 04/33] pythonPackages.searx: works with pygments 2.2 --- pkgs/top-level/python-packages.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index a44ec360ac7e..4654673adc15 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -28950,7 +28950,8 @@ EOF --replace 'pyyaml==3.11' 'pyyaml' \ --replace 'lxml==3.7.1' 'lxml' \ --replace 'pyopenssl==16.2.0' 'pyopenssl' \ - --replace 'requests[socks]==2.12.4' 'requests[socks]' + --replace 'requests[socks]==2.12.4' 'requests[socks]' \ + --replace 'pygments==2.1.3' 'pygments>=2.1,<3.0' ''; propagatedBuildInputs = with self; [ From 417dbaf6a34552f0c7d959e5a63e6672ff85c4d7 Mon Sep 17 00:00:00 2001 From: Mogria Date: Fri, 24 Feb 2017 16:36:58 +0100 Subject: [PATCH 05/33] findutils: updatedb now uses writable database outside of /nix/store by default updatedb could only be run by providing the --output parameter, because it would use a path inside the nix store as it's database. The default for --output is now /var/cache/locatedb (the same as in the NixOS locate service) --- pkgs/tools/misc/findutils/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/tools/misc/findutils/default.nix b/pkgs/tools/misc/findutils/default.nix index 8bedbeb12fef..8906564ade5b 100644 --- a/pkgs/tools/misc/findutils/default.nix +++ b/pkgs/tools/misc/findutils/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation rec { outputs = [ "out" "info" ]; + configureFlags = [ "--localstatedir=/var/cache" ]; + crossAttrs = { # http://osdir.com/ml/bug-findutils-gnu/2009-08/msg00026.html configureFlags = [ "gl_cv_func_wcwidth_works=yes" ]; From 9d14ea4295d935dce73c16f3ceb025cbb2443c5a Mon Sep 17 00:00:00 2001 
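Review bot: In PATCH 05 (findutils/default.nix) the new `configureFlags = [ "--localstatedir=/var/cache" ];` sits directly above `crossAttrs`, which sets its own `configureFlags`. If that attribute replaces the native list on cross builds (the merge is not visible in this hunk), a cross-built updatedb would still default to a database path inside the store. Repeating the flag there, `configureFlags = [ "gl_cv_func_wcwidth_works=yes" "--localstatedir=/var/cache" ];`, would keep both builds consistent. The new line also has no comment; something like `# updatedb's default database must be writable, so keep it out of the store (same path as the NixOS locate service)` would record why it is there.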
From: Franz Pletz Date: Thu, 23 Feb 2017 14:57:50 +0100 Subject: [PATCH 06/33] utillinux: 2.29 -> 2.29.2 for CVE-2017-2616 cc #23072 --- pkgs/os-specific/linux/util-linux/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/util-linux/default.nix b/pkgs/os-specific/linux/util-linux/default.nix index 6c3aacbef297..872a1897457c 100644 --- a/pkgs/os-specific/linux/util-linux/default.nix +++ b/pkgs/os-specific/linux/util-linux/default.nix @@ -6,11 +6,11 @@ stdenv.mkDerivation rec { version = lib.concatStringsSep "." ([ majorVersion ] ++ lib.optional (patchVersion != "") patchVersion); majorVersion = "2.29"; - patchVersion = ""; + patchVersion = "2"; src = fetchurl { url = "mirror://kernel/linux/utils/util-linux/v${majorVersion}/${name}.tar.xz"; - sha256 = "1rzrmdrz51p9sy7vlw5qmj8pmqazm7hgcch5yq242mkvrikyln9c"; + sha256 = "1qz81w8vzrmy8xn9yx7ls4amkbgwx6vr62pl6kv9g7r0g3ba9kmc"; }; patches = [ ./rtcwake-search-PATH-for-shutdown.patch ]; From 6988d2d456dd5f2175d2b99a64501e46a31f2181 Mon Sep 17 00:00:00 2001 From: Tim Steinbach Date: Sat, 25 Feb 2017 09:03:22 -0500 Subject: [PATCH 07/33] curl: 7.53.0 -> 7.53.1 --- pkgs/tools/networking/curl/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/networking/curl/default.nix b/pkgs/tools/networking/curl/default.nix index 48f8edf7c44c..e9b438a6037b 100644 --- a/pkgs/tools/networking/curl/default.nix +++ b/pkgs/tools/networking/curl/default.nix @@ -21,11 +21,11 @@ assert scpSupport -> libssh2 != null; assert c-aresSupport -> c-ares != null; stdenv.mkDerivation rec { - name = "curl-7.53.0"; + name = "curl-7.53.1"; src = fetchurl { url = "http://curl.haxx.se/download/${name}.tar.bz2"; - sha256 = "008833dd9w4l2277q9r0bsq1vqmm0fr7qqyzvqlw5d47xy5mld5j"; + sha256 = "1s1hyndva0yp62xy96pcp4anzrvw6cl0abjajim17sbmdp00fwhw"; }; patches = [ ]; From 2f726fed9f6266cfdb1c0eabdecf0b603d904432 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Sun, 26 Feb 2017 09:26:22 +0100 Subject: [PATCH 08/33] findutils: fixup sandboxed build after #23152 --- pkgs/tools/misc/findutils/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/tools/misc/findutils/default.nix b/pkgs/tools/misc/findutils/default.nix index 8906564ade5b..30716146ec59 100644 --- a/pkgs/tools/misc/findutils/default.nix +++ b/pkgs/tools/misc/findutils/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "178nn4dl7wbcw499czikirnkniwnx36argdnqgz4ik9i6zvwkm6y"; }; - patches = [ ./memory-leak.patch ]; + patches = [ ./memory-leak.patch ./no-install-statedir.patch ]; buildInputs = [ coreutils ]; # bin/updatedb script needs to call sort From f157956266457581dbe62ba872d37420a529924c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Sun, 26 Feb 2017 09:44:27 +0100 Subject: [PATCH 09/33] findutils: add the forgotten file (I'm sorry) /cc #23152. --- pkgs/tools/misc/findutils/no-install-statedir.patch | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 pkgs/tools/misc/findutils/no-install-statedir.patch diff --git a/pkgs/tools/misc/findutils/no-install-statedir.patch b/pkgs/tools/misc/findutils/no-install-statedir.patch new file mode 100644 index 000000000000..a7a48038a3aa --- /dev/null +++ b/pkgs/tools/misc/findutils/no-install-statedir.patch @@ -0,0 +1,11 @@ +--- a/locate/Makefile.in ++++ b/locate/Makefile.in +@@ -2357,7 +2357,7 @@ updatedb: updatedb.sh Makefile + chmod +x $@ + + install-data-hook: +- $(top_srcdir)/build-aux/mkinstalldirs $(DESTDIR)$(localstatedir) ++ #$(top_srcdir)/build-aux/mkinstalldirs $(DESTDIR)$(localstatedir) + + dblocation.texi: + echo '@set LOCATE_DB $(LOCATE_DB)' > $@.tmp From 09f6b03b2e15d267303d4086f85b21fe498f3267 Mon Sep 17 00:00:00 2001 
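Review bot: The added `no-install-statedir.patch` in PATCH 09 has no description above its `--- a/locate/Makefile.in` line, so nothing in the tree says why the `mkinstalldirs $(DESTDIR)$(localstatedir)` call is disabled. A short header such as `Do not create $(localstatedir) during install: it now points at /var/cache, which the sandboxed build cannot write.` would let a later maintainer decide when the patch can go (the reason is inferred from the PATCH 08 subject). Prefixing the recipe line with `#` also leaves a line in `install-data-hook` that make still passes to the shell if it stays tab-indented; deleting the line is cleaner.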
From: Frederik Rietdijk Date: Wed, 8 Feb 2017 23:54:44 +0100 Subject: [PATCH 10/33] Python 2.7: improve determinism There is some randomness in the Windows installers. Since we don't need them, we delete them. --- .../interpreters/python/cpython/2.7/default.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/pkgs/development/interpreters/python/cpython/2.7/default.nix b/pkgs/development/interpreters/python/cpython/2.7/default.nix index ccf9296e0bcb..0f09bf7650bf 100644 --- a/pkgs/development/interpreters/python/cpython/2.7/default.nix +++ b/pkgs/development/interpreters/python/cpython/2.7/default.nix @@ -178,6 +178,17 @@ in stdenv.mkDerivation { echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py rm "$out"/lib/python*/plat-*/regen # refers to glibc.dev + + # Determinism: Windows installers were not deterministic. + # We're also not interested in building Windows installers. + find "$out" -name 'wininst*.exe' | xargs -r rm -f + + # Determinism: rebuild all bytecode + # We exclude lib2to3 because that's Python 2 code which fails + # We rebuild three times, once for each optimization level + find $out -name "*.py" | $out/bin/python -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -O -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -OO -m compileall -q -f -x "lib2to3" -i - ''; passthru = let From 8970a9c86e0fe0935ed5c53897874f38ba497fac Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Thu, 9 Feb 2017 10:14:21 +0100 Subject: [PATCH 11/33] Python 3.5: improve determinism - Windows installers are indeterministic and we don't need them. - since Python 3 ensurepip is installed by default. pip is indeteministic and we don't need it. - rebuild bytecode to ensure its deterministic --- .../python/cpython/3.5/default.nix | 40 +++++++++++++++---- 1 file changed, 33 insertions(+), 7 deletions(-) 
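Review bot: In the PATCH 10 hunk for Python 2.7, the `-O` and `-OO` compileall passes both write `.pyo` files beside the sources, so the third line overwrites the output of the second and the installed `.pyo` files are the docstring-stripped variant. The comment "once for each optimization level" therefore does not describe what ends up on disk; drop one of the two passes or say which variant is meant to remain. The same applies to the 3.4 hunk in PATCH 16, whereas 3.5 and 3.6 keep separate `opt-1`/`opt-2` files. As a style point, `$out` is unquoted in the three compileall lines but quoted in the `wininst` line, which itself can be written as `find "$out" -name 'wininst*.exe' -delete`. The postInstall string starts and ends outside the hunk.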
diff --git a/pkgs/development/interpreters/python/cpython/3.5/default.nix b/pkgs/development/interpreters/python/cpython/3.5/default.nix index 215229086b75..10f2029e064c 100644 --- a/pkgs/development/interpreters/python/cpython/3.5/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.5/default.nix @@ -50,6 +50,12 @@ in stdenv.mkDerivation { NIX_LDFLAGS = optionalString stdenv.isLinux "-lgcc_s"; + # Determinism: The interpreter is patched to write null timestamps when compiling python files. + # This way python doesn't try to update them when we freeze timestamps in nix store. + DETERMINISTIC_BUILD=1; + # Determinism: We fix the hashes of str, bytes and datetime objects. + PYTHONHASHSEED=0; + prePatch = optionalString stdenv.isDarwin '' substituteInPlace configure --replace '`/usr/bin/arch`' '"i386"' substituteInPlace configure --replace '-Wl,-stack_size,1000000' ' ' 
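Review bot: The comment added above `DETERMINISTIC_BUILD=1;` in the first 3.5 hunk of PATCH 11 says the interpreter writes "null timestamps", but the postPatch added by the same commit substitutes the value `1`. I would word it as `# Determinism: the interpreter is patched to write timestamp 1 into bytecode when DETERMINISTIC_BUILD is set.` so the comment matches the patch. The same comment is repeated in PATCH 12, 14 and 16.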
@@ -63,10 +69,25 @@ in stdenv.mkDerivation { }) ]; - postPatch = optionalString (x11Support && (tix != null)) '' + postPatch = '' + # Determinism + substituteInPlace "Lib/py_compile.py" --replace "source_stats['mtime']" "(1 if 'DETERMINISTIC_BUILD' in os.environ else source_stats['mtime'])" + # Determinism. This is done unconditionally + substituteInPlace "Lib/importlib/_bootstrap_external.py" --replace "source_mtime = int(st['mtime'])" "source_mtime = 1" + '' + optionalString (x11Support && (tix != null)) '' substituteInPlace "Lib/tkinter/tix.py" --replace "os.environ.get('TIX_LIBRARY')" "os.environ.get('TIX_LIBRARY') or '${tix}/lib'" ''; + CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}"; + LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}"; + LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}"; + + configureFlags = [ + "--enable-shared" + "--with-threads" + "--without-ensurepip" + ]; + preConfigure = '' for i in /usr /sw /opt /pkg; do # improve purity substituteInPlace ./setup.py --replace $i /no-such-path @@ -75,12 +96,6 @@ in stdenv.mkDerivation { export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -msse2" export MACOSX_DEPLOYMENT_TARGET=10.6 ''} - - configureFlagsArray=( --enable-shared --with-threads - CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}" - LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}" - LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}" - ) ''; setupHook = ./setup-hook.sh; 
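Review bot: In the 3.5 `postPatch` of PATCH 11, the `py_compile.py` substitution is gated on `DETERMINISTIC_BUILD`, while the `_bootstrap_external.py` one replaces `source_mtime` with `1` for every process that uses this interpreter, including user code outside the store. The comment "This is done unconditionally" states the fact but not the reason, nor the effect on bytecode caching for files whose real mtime is not 1. Both substitutions also depend on exact upstream source text, and as far as I know `substituteInPlace --replace` does not fail when the pattern is absent, so a CPython update could silently drop the determinism patch (PATCH 18 already has to correct the file and pattern for 3.4). A check after the substitutions, e.g. `grep -q "source_mtime = 1" Lib/importlib/_bootstrap_external.py`, would turn that into a build failure. The same hunk is repeated for 3.6 in PATCH 14 and for 3.4 in PATCH 16.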
@@ -103,6 +118,10 @@ in stdenv.mkDerivation { # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py + # Determinism: Windows installers were not deterministic. + # We're also not interested in building Windows installers. + find "$out" -name 'wininst*.exe' | xargs -r rm -f + # Use Python3 as default python ln -s "$out/bin/idle3" "$out/bin/idle" ln -s "$out/bin/pip3" "$out/bin/pip" @@ -110,6 +129,13 @@ in stdenv.mkDerivation { ln -s "$out/bin/python3" "$out/bin/python" ln -s "$out/bin/python3-config" "$out/bin/python-config" ln -s "$out/lib/pkgconfig/python3.pc" "$out/lib/pkgconfig/python.pc" + + # Determinism: rebuild all bytecode + # We exclude lib2to3 because that's Python 2 code which fails + # We rebuild three times, once for each optimization level + find $out -name "*.py" | $out/bin/python -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -O -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -OO -m compileall -q -f -x "lib2to3" -i - ''; postFixup = '' From dd3a501a4ba29c2e929928981dcac3768b44c77b Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Thu, 9 Feb 2017 16:30:15 +0100 Subject: [PATCH 12/33] Python: mkPythonDerivation: use PYTHONHASHSEED=0 --- .../interpreters/python/mk-python-derivation.nix | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pkgs/development/interpreters/python/mk-python-derivation.nix b/pkgs/development/interpreters/python/mk-python-derivation.nix index c8fedaf75fc9..69eea056c763 100644 --- a/pkgs/development/interpreters/python/mk-python-derivation.nix +++ b/pkgs/development/interpreters/python/mk-python-derivation.nix 
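Review bot: The `ln -s "$out/bin/pip3" "$out/bin/pip"` line kept in the 3.5 postInstall (context of the `@@ -103,6 +118,10 @@` hunk in PATCH 11) will create a dangling symlink now that the same commit passes `--without-ensurepip`, unless something outside this diff still installs `pip3`. Since `ln -s` succeeds on a missing target, the build will not notice; the line should be removed together with the ensurepip change. The same context line appears in the 3.6 and 3.4 hunks of PATCH 14 and PATCH 16. The postInstall string starts outside the hunk.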
@@ -57,9 +57,12 @@ python.stdenv.mkDerivation (builtins.removeAttrs attrs ["disabled"] // { inherit pythonPath; - # patch python interpreter to write null timestamps when compiling python files - # this way python doesn't try to update them when we freeze timestamps in nix store + + # Determinism: The interpreter is patched to write null timestamps when compiling python files. + # This way python doesn't try to update them when we freeze timestamps in nix store. DETERMINISTIC_BUILD=1; + # Determinism: We fix the hashes of str, bytes and datetime objects. + PYTHONHASHSEED = 0; buildInputs = [ wrapPython ] ++ buildInputs ++ pythonPath ++ [ (ensureNewerSourcesHook { year = "1980"; }) ] From 14a88e76cf3009b00e7cd57050101a7291a042ed Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Sun, 19 Feb 2017 11:36:05 +0100 Subject: [PATCH 13/33] Python 3.5: use system expat and ffi --- .../development/interpreters/python/cpython/3.5/default.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pkgs/development/interpreters/python/cpython/3.5/default.nix b/pkgs/development/interpreters/python/cpython/3.5/default.nix index 10f2029e064c..082f6ff67897 100644 --- a/pkgs/development/interpreters/python/cpython/3.5/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.5/default.nix @@ -1,5 +1,7 @@ { stdenv, fetchurl, fetchpatch , bzip2 +, expat +, libffi , gdbm , lzma , ncurses @@ -32,7 +34,7 @@ let sitePackages = "lib/${libPrefix}/site-packages"; buildInputs = filter (p: p != null) [ - zlib bzip2 lzma gdbm sqlite readline ncurses openssl ] + zlib bzip2 expat lzma libffi gdbm sqlite readline ncurses openssl ] ++ optionals x11Support [ tcl tk libX11 xproto ] ++ optionals stdenv.isDarwin [ CF configd ]; @@ -86,6 +88,8 @@ in stdenv.mkDerivation { "--enable-shared" "--with-threads" "--without-ensurepip" + "--with-system-expat" + "--with-system-ffi" ]; preConfigure = '' From 1531b5edd254fbc3a2d2eae869979045918cb29c Mon Sep 17 00:00:00 2001 
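Review bot: `PYTHONHASHSEED = 0;` in the PATCH 12 hunk for mk-python-derivation.nix does more than fix hash values: a seed of 0 turns off Python's hash randomization. As a derivation attribute it is exported to everything run in that environment, which per the documentation added in PATCH 19 includes `nix-shell`. The comment should say so, for example `# Determinism: a fixed seed disables hash randomization for the build; it is also exported in nix-shell, so unset it before running anything that handles untrusted input.` The spacing also differs from `DETERMINISTIC_BUILD=1;` on the line above.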
From: Frederik Rietdijk Date: Wed, 22 Feb 2017 15:03:24 +0100 Subject: [PATCH 14/33] Python 3.6: improve determinism --- .../python/cpython/3.6/default.nix | 40 +++++++++++++++---- 1 file changed, 33 insertions(+), 7 deletions(-) diff --git a/pkgs/development/interpreters/python/cpython/3.6/default.nix b/pkgs/development/interpreters/python/cpython/3.6/default.nix index 42f8d109af2f..7ccd4fcede68 100644 --- a/pkgs/development/interpreters/python/cpython/3.6/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.6/default.nix @@ -50,6 +50,12 @@ in stdenv.mkDerivation { NIX_LDFLAGS = optionalString stdenv.isLinux "-lgcc_s"; + # Determinism: The interpreter is patched to write null timestamps when compiling python files. + # This way python doesn't try to update them when we freeze timestamps in nix store. + DETERMINISTIC_BUILD=1; + # Determinism: We fix the hashes of str, bytes and datetime objects. + PYTHONHASHSEED=0; + prePatch = optionalString stdenv.isDarwin '' substituteInPlace configure --replace '`/usr/bin/arch`' '"i386"' substituteInPlace configure --replace '-Wl,-stack_size,1000000' ' ' 
@@ -63,10 +69,25 @@ in stdenv.mkDerivation { }) ]; - postPatch = optionalString (x11Support && (tix != null)) '' + postPatch = '' + # Determinism + substituteInPlace "Lib/py_compile.py" --replace "source_stats['mtime']" "(1 if 'DETERMINISTIC_BUILD' in os.environ else source_stats['mtime'])" + # Determinism. This is done unconditionally + substituteInPlace "Lib/importlib/_bootstrap_external.py" --replace "source_mtime = int(st['mtime'])" "source_mtime = 1" + '' + optionalString (x11Support && (tix != null)) '' substituteInPlace "Lib/tkinter/tix.py" --replace "os.environ.get('TIX_LIBRARY')" "os.environ.get('TIX_LIBRARY') or '${tix}/lib'" ''; + CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}"; + LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}"; + LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}"; + + configureFlags = [ + "--enable-shared" + "--with-threads" + "--without-ensurepip" + ]; + preConfigure = '' for i in /usr /sw /opt /pkg; do # improve purity substituteInPlace ./setup.py --replace $i /no-such-path @@ -75,12 +96,6 @@ in stdenv.mkDerivation { export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -msse2" export MACOSX_DEPLOYMENT_TARGET=10.6 ''} - - configureFlagsArray=( --enable-shared --with-threads - CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}" - LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}" - LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}" - ) ''; setupHook = ./setup-hook.sh; 
@@ -103,6 +118,10 @@ in stdenv.mkDerivation { # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py + # Determinism: Windows installers were not deterministic. + # We're also not interested in building Windows installers. + find "$out" -name 'wininst*.exe' | xargs -r rm -f + # Use Python3 as default python ln -s "$out/bin/idle3" "$out/bin/idle" ln -s "$out/bin/pip3" "$out/bin/pip" @@ -110,6 +129,13 @@ in stdenv.mkDerivation { ln -s "$out/bin/python3" "$out/bin/python" ln -s "$out/bin/python3-config" "$out/bin/python-config" ln -s "$out/lib/pkgconfig/python3.pc" "$out/lib/pkgconfig/python.pc" + + # Determinism: rebuild all bytecode + # We exclude lib2to3 because that's Python 2 code which fails + # We rebuild three times, once for each optimization level + find $out -name "*.py" | $out/bin/python -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -O -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -OO -m compileall -q -f -x "lib2to3" -i - ''; passthru = let From d33f6f40321d98c58c32feb3faa943e7745623e1 Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Wed, 22 Feb 2017 15:03:40 +0100 Subject: [PATCH 15/33] Python 3.6: use system expat and ffi --- pkgs/development/interpreters/python/cpython/3.6/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/development/interpreters/python/cpython/3.6/default.nix b/pkgs/development/interpreters/python/cpython/3.6/default.nix index 7ccd4fcede68..ebf621d50576 100644 --- a/pkgs/development/interpreters/python/cpython/3.6/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.6/default.nix @@ -1,6 +1,8 @@ { stdenv, fetchurl, fetchpatch , glibc , bzip2 +, expat +, libffi , gdbm , lzma , ncurses 
@@ -86,6 +88,8 @@ in stdenv.mkDerivation { "--enable-shared" "--with-threads" "--without-ensurepip" + "--with-system-expat" + "--with-system-ffi" ]; preConfigure = '' From 1bbf249befb19fd477613b278d012757e02c69ac Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Wed, 22 Feb 2017 15:07:21 +0100 Subject: [PATCH 16/33] Python 3.4: improve determinism --- .../python/cpython/3.4/default.nix | 45 ++++++++++++++----- 1 file changed, 35 insertions(+), 10 deletions(-) diff --git a/pkgs/development/interpreters/python/cpython/3.4/default.nix b/pkgs/development/interpreters/python/cpython/3.4/default.nix index 72419f8e1943..7508c39319e2 100644 --- a/pkgs/development/interpreters/python/cpython/3.4/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.4/default.nix 
@@ -50,21 +50,41 @@ in stdenv.mkDerivation { NIX_LDFLAGS = optionalString stdenv.isLinux "-lgcc_s"; + # Determinism: The interpreter is patched to write null timestamps when compiling python files. + # This way python doesn't try to update them when we freeze timestamps in nix store. + DETERMINISTIC_BUILD=1; + # Determinism: We fix the hashes of str, bytes and datetime objects. + PYTHONHASHSEED=0; + prePatch = optionalString stdenv.isDarwin '' substituteInPlace configure --replace '`/usr/bin/arch`' '"i386"' substituteInPlace configure --replace '-Wl,-stack_size,1000000' ' ' ''; - postPatch = optionalString (x11Support && (tix != null)) '' + postPatch = '' + # Determinism + substituteInPlace "Lib/py_compile.py" --replace "source_stats['mtime']" "(1 if 'DETERMINISTIC_BUILD' in os.environ else source_stats['mtime'])" + # Determinism. This is done unconditionally + substituteInPlace "Lib/importlib/_bootstrap_external.py" --replace "source_mtime = int(st['mtime'])" "source_mtime = 1" + '' + optionalString (x11Support && (tix != null)) '' substituteInPlace "Lib/tkinter/tix.py" --replace "os.environ.get('TIX_LIBRARY')" "os.environ.get('TIX_LIBRARY') or '${tix}/lib'" '' # Avoid picking up getentropy() from glibc >= 2.25, as that would break # on older kernels. http://bugs.python.org/issue29157 - + optionalString stdenv.isLinux - '' + + optionalString stdenv.isLinux '' substituteInPlace Python/random.c --replace 'defined(HAVE_GETENTROPY)' '0' cat Python/random.c - ''; + ''; + + CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}"; + LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}"; + LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}"; + + configureFlags = [ + "--enable-shared" + "--with-threads" + "--without-ensurepip" + ]; preConfigure = '' for i in /usr /sw /opt /pkg; do # improve purity 
@@ -74,12 +94,6 @@ in stdenv.mkDerivation { export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -msse2" export MACOSX_DEPLOYMENT_TARGET=10.6 ''} - - configureFlagsArray=( --enable-shared --with-threads - CPPFLAGS="${concatStringsSep " " (map (p: "-I${getDev p}/include") buildInputs)}" - LDFLAGS="${concatStringsSep " " (map (p: "-L${getLib p}/lib") buildInputs)}" - LIBS="${optionalString (!stdenv.isDarwin) "-lcrypt"} ${optionalString (ncurses != null) "-lncurses"}" - ) ''; setupHook = ./setup-hook.sh; @@ -102,6 +116,10 @@ in stdenv.mkDerivation { # Python on Nix is not manylinux1 compatible. https://github.com/NixOS/nixpkgs/issues/18484 echo "manylinux1_compatible=False" >> $out/lib/${libPrefix}/_manylinux.py + # Determinism: Windows installers were not deterministic. + # We're also not interested in building Windows installers. + find "$out" -name 'wininst*.exe' | xargs -r rm -f + # Use Python3 as default python ln -s "$out/bin/idle3" "$out/bin/idle" ln -s "$out/bin/pip3" "$out/bin/pip" @@ -109,6 +127,13 @@ in stdenv.mkDerivation { ln -s "$out/bin/python3" "$out/bin/python" ln -s "$out/bin/python3-config" "$out/bin/python-config" ln -s "$out/lib/pkgconfig/python3.pc" "$out/lib/pkgconfig/python.pc" + + # Determinism: rebuild all bytecode + # We exclude lib2to3 because that's Python 2 code which fails + # We rebuild three times, once for each optimization level + find $out -name "*.py" | $out/bin/python -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -O -m compileall -q -f -x "lib2to3" -i - + find $out -name "*.py" | $out/bin/python -OO -m compileall -q -f -x "lib2to3" -i - ''; postFixup = '' From 57ded03833df30d15fbfe9238f02ddf1a88d2c65 Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Wed, 22 Feb 2017 15:07:35 +0100 Subject: [PATCH 17/33] Python 3.4: use system expat and ffi --- pkgs/development/interpreters/python/cpython/3.4/default.nix | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/pkgs/development/interpreters/python/cpython/3.4/default.nix b/pkgs/development/interpreters/python/cpython/3.4/default.nix index 7508c39319e2..44ee739fd394 100644 --- a/pkgs/development/interpreters/python/cpython/3.4/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.4/default.nix @@ -1,5 +1,7 @@ { stdenv, fetchurl , bzip2 +, expat +, libffi , gdbm , lzma , ncurses @@ -84,6 +86,8 @@ in stdenv.mkDerivation { "--enable-shared" "--with-threads" "--without-ensurepip" + "--with-system-expat" + "--with-system-ffi" ]; preConfigure = '' From 04b7a2791e50614fb36eb3dfc0c080c3617c9178 Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Wed, 22 Feb 2017 15:42:34 +0100 Subject: [PATCH 18/33] Python 3.4: improve determinism --- pkgs/development/interpreters/python/cpython/3.4/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/interpreters/python/cpython/3.4/default.nix b/pkgs/development/interpreters/python/cpython/3.4/default.nix index 44ee739fd394..143dbcd5686e 100644 --- a/pkgs/development/interpreters/python/cpython/3.4/default.nix +++ b/pkgs/development/interpreters/python/cpython/3.4/default.nix @@ -67,7 +67,7 @@ in stdenv.mkDerivation { # Determinism substituteInPlace "Lib/py_compile.py" --replace "source_stats['mtime']" "(1 if 'DETERMINISTIC_BUILD' in os.environ else source_stats['mtime'])" # Determinism. This is done unconditionally - substituteInPlace "Lib/importlib/_bootstrap_external.py" --replace "source_mtime = int(st['mtime'])" "source_mtime = 1" + substituteInPlace "Lib/importlib/_bootstrap.py" --replace "source_mtime = int(source_stats['mtime'])" "source_mtime = 1" '' + optionalString (x11Support && (tix != null)) '' substituteInPlace "Lib/tkinter/tix.py" --replace "os.environ.get('TIX_LIBRARY')" "os.environ.get('TIX_LIBRARY') or '${tix}/lib'" '' From 37704e90e29893121837b662eb0a34af2b8acf48 Mon Sep 17 00:00:00 2001 
From: Frederik Rietdijk Date: Wed, 22 Feb 2017 15:55:58 +0100 Subject: [PATCH 19/33] Python: explain deterministic build in docs --- doc/languages-frameworks/python.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/doc/languages-frameworks/python.md b/doc/languages-frameworks/python.md index 19f241fb185a..0c7e521b11ee 100644 --- a/doc/languages-frameworks/python.md +++ b/doc/languages-frameworks/python.md @@ -641,6 +641,19 @@ community to help save time. No tool is preferred at the moment. - [pypi2nix](https://github.com/garbas/pypi2nix) by Rok Garbas - [pypi2nix](https://github.com/offlinehacker/pypi2nix) by Jaka Hudoklin +### Deterministic builds + +Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly. +Minor modifications had to be made to the interpreters in order to generate +deterministic bytecode. This has security implications and is relevant for +those using Python in a `nix-shell`. + +When the environment variable `DETERMINISTIC_BUILD` is set, all bytecode will have timestamp 1. +The `buildPythonPackage` function sets `DETERMINISTIC_BUILD` as well as +[PYTHONHASHSEED](https://docs.python.org/3.5/using/cmdline.html#envvar-PYTHONHASHSEED). +Both are also exported in `nix-shell`. + + ## FAQ ### How can I install a working Python environment? From f69292ddc019d222a5c458c7095ccc8815abce53 Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Wed, 22 Feb 2017 15:56:16 +0100 Subject: [PATCH 20/33] Python: explain deterministic builds in release notes --- nixos/doc/manual/release-notes/rl-1703.xml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/nixos/doc/manual/release-notes/rl-1703.xml b/nixos/doc/manual/release-notes/rl-1703.xml index 3758a3bf2aac..aa9dc455ba22 100644 --- a/nixos/doc/manual/release-notes/rl-1703.xml +++ b/nixos/doc/manual/release-notes/rl-1703.xml 
@@ -253,6 +253,17 @@ following incompatible changes: + + + Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly. + Minor modifications had to be made to the interpreters in order to generate + deterministic bytecode. This has security implications and is relevant for + those using Python in a nix-shell. See the Nixpkgs manual + for details. + + + + From 4bc1d02698967b4f0ced8b7a6a43b9244d0591b1 Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Sun, 26 Feb 2017 15:57:01 +0100 Subject: [PATCH 21/33] Python 2.7: increase priority Higher priority than Python 3.x so that `/bin/python` points to `/bin/python2` in case both 2 and 3 are installed. --- pkgs/development/interpreters/python/cpython/2.7/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/development/interpreters/python/cpython/2.7/default.nix b/pkgs/development/interpreters/python/cpython/2.7/default.nix index 0f09bf7650bf..c5306fe7891c 100644 --- a/pkgs/development/interpreters/python/cpython/2.7/default.nix +++ b/pkgs/development/interpreters/python/cpython/2.7/default.nix @@ -221,5 +221,8 @@ in stdenv.mkDerivation { license = stdenv.lib.licenses.psfl; platforms = stdenv.lib.platforms.all; maintainers = with stdenv.lib.maintainers; [ chaoflow domenkozar ]; + # Higher priority than Python 3.x so that `/bin/python` points to `/bin/python2` + # in case both 2 and 3 are installed. + priority = 5; }; } From 1b66b6a5ff018b231d26be205fd4d3947fb00ac0 Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Sun, 26 Feb 2017 15:57:16 +0100 Subject: [PATCH 22/33] pythonPackages.pyparsing: 2.1.8 -> 2.1.10 --- pkgs/top-level/python-packages.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index 8b49b2401f22..836fa10d5edc 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix 
@@ -20819,11 +20819,11 @@ in { pyparsing = buildPythonPackage rec { name = "pyparsing-${version}"; - version = "2.1.8"; + version = "2.1.10"; src = pkgs.fetchurl { url = "mirror://pypi/p/pyparsing/${name}.tar.gz"; - sha256 = "0sy5fxhsvhf0fwk9h6nqlhn1lsjpdmg41jziw5z814rlkydqd903"; + sha256 = "811c3e7b0031021137fc83e051795025fcb98674d07eb8fe922ba4de53d39188"; }; # Not everything necessary to run the tests is included in the distribution From 57afc0f5ef43774695482faa8765488c97287b42 Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Sun, 26 Feb 2017 15:57:27 +0100 Subject: [PATCH 23/33] pythonPackages.packaging: 16.7 -> 16.8 --- pkgs/top-level/python-packages.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix index 836fa10d5edc..d093cb035392 100644 --- a/pkgs/top-level/python-packages.nix +++ b/pkgs/top-level/python-packages.nix @@ -31908,10 +31908,10 @@ EOF }; packaging = buildPythonPackage rec { - name = "packaging-16.7"; + name = "packaging-16.8"; src = pkgs.fetchurl { url = "mirror://pypi/p/packaging/${name}.tar.gz"; - sha256 = "07h18mrpqs0lv2x4fl43pqi0xj6hdrmrnm6v9q634yliagg6q91f"; + sha256 = "5d50835fdf0a7edf0b55e311b7c887786504efea1177abd7e69329a8e5ea619e"; }; propagatedBuildInputs = with self; [ pyparsing six ]; buildInputs = with self; [ pytest pretend ]; From 079353e20851073e9b5de183ab24414d7cd54ccb Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Sun, 26 Feb 2017 16:27:45 +0100 Subject: [PATCH 24/33] Python 2.7: increase priority - fixup From the manual: > This attribute should be a number, with a higher value denoting a lower priority. The default priority is 0. Just passing -5 or -10 wasn't sufficient, so let's make it -100. --- pkgs/development/interpreters/python/cpython/2.7/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/pkgs/development/interpreters/python/cpython/2.7/default.nix b/pkgs/development/interpreters/python/cpython/2.7/default.nix index c5306fe7891c..8426902414a7 100644 --- a/pkgs/development/interpreters/python/cpython/2.7/default.nix +++ b/pkgs/development/interpreters/python/cpython/2.7/default.nix @@ -223,6 +223,6 @@ in stdenv.mkDerivation { maintainers = with stdenv.lib.maintainers; [ chaoflow domenkozar ]; # Higher priority than Python 3.x so that `/bin/python` points to `/bin/python2` # in case both 2 and 3 are installed. - priority = 5; + priority = -100; }; } From 78e4f9d8d7f6124713a7694140e44713fe70e209 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Mon, 27 Feb 2017 18:03:34 +0100 Subject: [PATCH 25/33] libevent: split _openssl into a separate output ... to save ~3.4 MB of openssl from the default closure. --- pkgs/development/libraries/libevent/default.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/pkgs/development/libraries/libevent/default.nix b/pkgs/development/libraries/libevent/default.nix index 4abd0b033757..d2ba84bb5dd9 100644 --- a/pkgs/development/libraries/libevent/default.nix +++ b/pkgs/development/libraries/libevent/default.nix 
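Review bot: `priority = -100;` in cpython/2.7/default.nix sits under a comment that only says "Higher priority than Python 3.x", which reads as contradicting a large negative number unless the reader already knows the convention. The commit message holds the two missing facts (a higher value denotes a lower priority with default 0, and -5 or -10 was not sufficient), but neither is in the file. I would extend the comment with `# Lower number = higher priority (default 0); -5 and -10 were not sufficient.` so the magic value is not tidied back to something smaller later. The `meta` attribute set starts outside the hunk.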
@@ -23,11 +23,21 @@ stdenv.mkDerivation { | grep -v '^dh-autoreconf' | sed 's|^|debian/patches/|')" ''; - outputs = [ "out" "dev" ]; + # libevent_openssl is moved into its own output, so that openssl isn't present + # in the default closure. + outputs = [ "out" "dev" "openssl" ]; outputBin = "dev"; + propagatedBuildOutputs = [ "out" "openssl" ]; buildInputs = [ openssl ] ++ stdenv.lib.optional stdenv.isCygwin findutils; + postInstall = '' + moveToOutput "lib/libevent_openssl*" "$openssl" + substituteInPlace "$dev/lib/pkgconfig/libevent_openssl.pc" \ + --replace "$out" "$openssl" + sed "/^libdir=/s|$out|$openssl|" -i "$openssl"/lib/libevent_openssl.la + ''; + meta = with stdenv.lib; { description = "Event notification library"; longDescription = '' From d00c26a59570d7cd93470808cc38def83a523762 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Mon, 27 Feb 2017 17:41:35 +0100 Subject: [PATCH 26/33] unbound: lighten direct security deps of libunbound Unfortunately, it seems easiest to build all twice. Debian testing does this in a very similar way. Tested briefly some individual queries and resperf :-) --- pkgs/tools/networking/unbound/default.nix | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/pkgs/tools/networking/unbound/default.nix b/pkgs/tools/networking/unbound/default.nix index 83d3d88729df..f32a90a871ae 100644 --- a/pkgs/tools/networking/unbound/default.nix +++ b/pkgs/tools/networking/unbound/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, openssl, expat, libevent }: +{ stdenv, fetchurl, openssl, nettle, expat, libevent }: stdenv.mkDerivation rec { name = "unbound-${version}"; @@ -11,7 +11,7 @@ stdenv.mkDerivation rec { outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB - buildInputs = [ openssl expat libevent ]; + buildInputs = [ openssl nettle expat libevent ]; configureFlags = [ "--with-ssl=${openssl.dev}" 
@@ -26,11 +26,20 @@ stdenv.mkDerivation rec { installFlags = [ "configfile=\${out}/etc/unbound/unbound.conf" ]; - # get rid of runtime dependencies on $dev outputs - postInstall = ''substituteInPlace "$lib/lib/libunbound.la" '' + preFixup = + # Build libunbound again, but only against nettle instead of openssl. + # This avoids gnutls.out -> unbound.lib -> openssl.out. + '' + configureFlags="$configureFlags --with-nettle=${nettle.dev} --with-libunbound-only" + configurePhase + buildPhase + installPhase + '' + # get rid of runtime dependencies on $dev outputs + + ''substituteInPlace "$lib/lib/libunbound.la" '' + stdenv.lib.concatMapStrings (pkg: " --replace '-L${pkg.dev}/lib' '-L${pkg.out}/lib' ") - [ openssl expat libevent ]; + buildInputs; meta = with stdenv.lib; { description = "Validating, recursive, and caching DNS resolver"; From 20ffc3cd735503ce92cb27ceead6b0ebabefbec4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Mon, 27 Feb 2017 20:03:45 +0100 Subject: [PATCH 27/33] compress-man-pages: skip compressed manpages Because of bash 4.4 the semantics GLOBIGNORE changed. This resulted in already compressed manpages to be compressed twice. Also be careful about symlinks to fix #21777, e.g. the ledger example. --- .../setup-hooks/compress-man-pages.sh | 36 ++++++++++--------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/pkgs/build-support/setup-hooks/compress-man-pages.sh b/pkgs/build-support/setup-hooks/compress-man-pages.sh index f1d9cf3a3696..d10a898d6e46 100644 --- a/pkgs/build-support/setup-hooks/compress-man-pages.sh +++ b/pkgs/build-support/setup-hooks/compress-man-pages.sh 
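Review bot: The second pass added to `preFixup` in unbound/default.nix re-runs `configurePhase`, `buildPhase` and `installPhase` in the same build tree and only appends to `configureFlags`, which still carries `--with-ssl=${openssl.dev}` from the first pass. Whether the reinstalled libunbound is really free of openssl therefore depends on how upstream's configure resolves the two options and on make rebuilding every object left over from the first pass, and neither is visible here. Nothing in the hunk checks the outcome, and a crypto-backend swap in a validating resolver library deserves one. I would add a comment such as `# second pass: nettle-only libunbound; --with-ssl is still in configureFlags and is expected to be ignored` and follow `installPhase` with an assertion that fails the build if `$lib` still refers to `${openssl.out}`. The enclosing `stdenv.mkDerivation` call starts and ends outside the hunk.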
@@ -3,26 +3,30 @@ fixupOutputHooks+=('if [ -z "$dontGzipMan" ]; then compressManPages "$prefix"; f compressManPages() { local dir="$1" - if [ ! -d "$dir/share/man" ]; then return; fi - echo "gzipping man pages in $dir" + if [ -L "$dir"/share ] || [ -L "$dir"/share/man ] || [ ! -d "$dir/share/man" ] + then return + fi + echo "gzipping man pages under $dir/share/man/" - GLOBIGNORE=.:..:*.gz:*.bz2 - - for f in "$dir"/share/man/*/* "$dir"/share/man/*/*/*; do - if [ -f "$f" -a ! -L "$f" ]; then - if gzip -c -n "$f" > "$f".gz; then - rm "$f" - else - rm "$f".gz - fi + # Compress all uncompressed manpages. Don't follow symlinks, etc. + find "$dir"/share/man/ -type f -a '!' -regex '.*\.\(bz2\|gz\)$' -print0 \ + | while IFS= read -r -d $'\0' f + do + if gzip -c -n "$f" > "$f".gz; then + rm "$f" + else + rm "$f".gz fi done - for f in "$dir"/share/man/*/* "$dir"/share/man/*/*/*; do - if [ -L "$f" -a -f `readlink -f "$f"`.gz ]; then - ln -sf `readlink "$f"`.gz "$f".gz && rm "$f" + # Point symlinks to compressed manpages. + find "$dir"/share/man/ -type l -a '!' -regex '.*\.\(bz2\|gz\)$' -print0 \ + | while IFS= read -r -d $'\0' f + do + local target + target="$(readlink -f "$f")" + if [ -f "$target".gz ]; then + ln -sf "$target".gz "$f".gz && rm "$f" fi done - - unset GLOBIGNORE } From e2e270d1e29bdafbbe7cb04008edf379b7d52179 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Mon, 27 Feb 2017 20:08:26 +0100 Subject: [PATCH 28/33] binutils: drop the $dev/bin symlink Fixes #18839. I suspect I once added this just because of some deficiencies in an early development version of the multiple-output framework in stdenv. --- pkgs/development/tools/misc/binutils/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix index 6ac9f3febc42..5041ef3b3eda 100644 --- a/pkgs/development/tools/misc/binutils/default.nix 
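Review bot: In the second `find` loop of compress-man-pages.sh the replacement link is created with `ln -sf "$target".gz "$f".gz`, where `target` comes from `readlink -f`, so every relative man-page symlink is rewritten as an absolute, fully resolved path. The removed code used `readlink -f` only for the existence test and plain `readlink "$f"` for the link text, which kept relative links relative. I would keep `target` for the `[ -f "$target".gz ]` test and write `ln -sf "$(readlink "$f")".gz "$f".gz && rm "$f"` for the link itself. Patch 33/33 on this page makes a man-page symlink relative for what looks like a related reason, so the hook should probably not turn such links back into absolute ones.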
+++ b/pkgs/development/tools/misc/binutils/default.nix @@ -81,8 +81,6 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; - postFixup = optionalString (cross == null) "ln -s $out/bin $dev/bin"; # tools needed for development - meta = with stdenv.lib; { description = "Tools for manipulating binaries (linker, assembler, etc.)"; longDescription = '' From 59d1ce1c7a729324e74baa0a7a88737f13d74942 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Mon, 27 Feb 2017 20:33:53 +0100 Subject: [PATCH 29/33] xorg.libX11: 1.6.4 -> 1.6.5 It seems like a maintenance release. --- pkgs/servers/x11/xorg/default.nix | 6 +++--- pkgs/servers/x11/xorg/tarballs-7.7.list | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/servers/x11/xorg/default.nix b/pkgs/servers/x11/xorg/default.nix index 96f348e92b39..eee912d1b8c3 100644 --- a/pkgs/servers/x11/xorg/default.nix +++ b/pkgs/servers/x11/xorg/default.nix @@ -669,11 +669,11 @@ let }) // {inherit windowswmproto libX11 libXext xextproto ;}; libX11 = (mkDerivation "libX11" { - name = "libX11-1.6.4"; + name = "libX11-1.6.5"; builder = ./builder.sh; src = fetchurl { - url = mirror://xorg/individual/lib/libX11-1.6.4.tar.bz2; - sha256 = "0hg46i6h92pmb7xp1cis2j43zq3fkdz89p0yv35w4vm17az4iixp"; + url = mirror://xorg/individual/lib/libX11-1.6.5.tar.bz2; + sha256 = "0pa3cfp6h9rl2vxmkph65250gfqyki0ccqyaan6bl9d25gdr0f2d"; }; buildInputs = [pkgconfig inputproto kbproto libxcb xextproto xf86bigfontproto xproto xtrans ]; meta.platforms = stdenv.lib.platforms.unix; diff --git a/pkgs/servers/x11/xorg/tarballs-7.7.list b/pkgs/servers/x11/xorg/tarballs-7.7.list index 3247d3e7b155..4aeace9f0c22 100644 --- a/pkgs/servers/x11/xorg/tarballs-7.7.list +++ b/pkgs/servers/x11/xorg/tarballs-7.7.list 
@@ -59,7 +59,7 @@ mirror://xorg/individual/lib/libICE-1.0.9.tar.bz2 mirror://xorg/individual/lib/libpciaccess-0.13.4.tar.bz2 mirror://xorg/individual/lib/libSM-1.2.2.tar.bz2 mirror://xorg/X11R7.7/src/everything/libWindowsWM-1.0.1.tar.bz2 -mirror://xorg/individual/lib/libX11-1.6.4.tar.bz2 +mirror://xorg/individual/lib/libX11-1.6.5.tar.bz2 mirror://xorg/individual/lib/libXau-1.0.8.tar.bz2 mirror://xorg/individual/lib/libXaw-1.0.13.tar.bz2 mirror://xorg/individual/lib/libXcomposite-0.4.4.tar.bz2 From e6541423b6679f6c0b6bc252f2f126953402e2af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Tue, 28 Feb 2017 09:14:38 +0100 Subject: [PATCH 30/33] libuv: disable a problematic test on Darwin --- pkgs/development/libraries/libuv/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/development/libraries/libuv/default.nix b/pkgs/development/libraries/libuv/default.nix index 2a1c82ec639a..fe4ed6e410ec 100644 --- a/pkgs/development/libraries/libuv/default.nix +++ b/pkgs/development/libraries/libuv/default.nix @@ -17,7 +17,9 @@ stdenv.mkDerivation rec { "getnameinfo_basic" # probably network-dependent "spawn_setuid_fails" "spawn_setgid_fails" "fs_chown" # user namespaces "getaddrinfo_fail" "getaddrinfo_fail_sync" - ]; + ] + # sometimes: timeout (no output) + ++ stdenv.lib.optional stdenv.isDarwin "process_title"; tdRegexp = lib.concatStringsSep "\\|" toDisable; in lib.optionalString doCheck '' sed '/${tdRegexp}/d' -i test/test-list.h From ffcc8970901156225ff9ae5ba2bf58f48fbbb7e3 Mon Sep 17 00:00:00 2001 From: Gabriel Ebner Date: Tue, 28 Feb 2017 16:40:27 +0100 Subject: [PATCH 31/33] qt5.qttools: fix path to qhelpgenerator --- .../qt-5/5.7/qttools/cmake-paths.patch | 36 +++++++++++++------ 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/pkgs/development/libraries/qt-5/5.7/qttools/cmake-paths.patch b/pkgs/development/libraries/qt-5/5.7/qttools/cmake-paths.patch index fe5bcadbe9a8..e3db17e978c2 100644 
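Review bot: The added `++ stdenv.lib.optional stdenv.isDarwin "process_title"` in libuv/default.nix spells the library as `stdenv.lib`, while the following lines of the same binding use the bare `lib` (`lib.concatStringsSep`, `lib.optionalString`); `++ lib.optional stdenv.isDarwin "process_title";` would match them. Because `tdRegexp` is applied with `sed '/…/d'` as an unanchored pattern, the new entry drops every line of `test/test-list.h` that contains `process_title`, which may be more than the one flaky test. A short comment saying so would keep the list honest as upstream adds tests. The `let` binding starts outside the hunk.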
--- a/pkgs/development/libraries/qt-5/5.7/qttools/cmake-paths.patch +++ b/pkgs/development/libraries/qt-5/5.7/qttools/cmake-paths.patch @@ -1,7 +1,6 @@ -Index: qttools-opensource-src-5.5.1/src/assistant/help/Qt5HelpConfigExtras.cmake.in -=================================================================== ---- qttools-opensource-src-5.5.1.orig/src/assistant/help/Qt5HelpConfigExtras.cmake.in -+++ qttools-opensource-src-5.5.1/src/assistant/help/Qt5HelpConfigExtras.cmake.in +diff -Naur qttools-opensource-src-5.7.1.orig/src/assistant/help/Qt5HelpConfigExtras.cmake.in qttools-opensource-src-5.7.1/src/assistant/help/Qt5HelpConfigExtras.cmake.in +--- qttools-opensource-src-5.7.1.orig/src/assistant/help/Qt5HelpConfigExtras.cmake.in 2016-11-03 09:31:16.000000000 +0100 ++++ qttools-opensource-src-5.7.1/src/assistant/help/Qt5HelpConfigExtras.cmake.in 2017-02-28 16:37:20.130457615 +0100 @@ -2,11 +2,10 @@ if (NOT TARGET Qt5::qcollectiongenerator) add_executable(Qt5::qcollectiongenerator IMPORTED) 
@@ -18,11 +17,26 @@ Index: qttools-opensource-src-5.5.1/src/assistant/help/Qt5HelpConfigExtras.cmake _qt5_Help_check_file_exists(${imported_location}) set_target_properties(Qt5::qcollectiongenerator PROPERTIES -Index: qttools-opensource-src-5.5.1/src/linguist/Qt5LinguistToolsConfig.cmake.in -=================================================================== ---- qttools-opensource-src-5.5.1.orig/src/linguist/Qt5LinguistToolsConfig.cmake.in -+++ qttools-opensource-src-5.5.1/src/linguist/Qt5LinguistToolsConfig.cmake.in -@@ -44,11 +44,10 @@ endmacro() +@@ -17,11 +16,10 @@ + if (NOT TARGET Qt5::qhelpgenerator) + add_executable(Qt5::qhelpgenerator IMPORTED) + +-!!IF isEmpty(CMAKE_BIN_DIR_IS_ABSOLUTE) +- set(imported_location \"${_qt5Help_install_prefix}/$${CMAKE_BIN_DIR}qhelpgenerator$$CMAKE_BIN_SUFFIX\") +-!!ELSE +- set(imported_location \"$${CMAKE_BIN_DIR}qhelpgenerator$$CMAKE_BIN_SUFFIX\") +-!!ENDIF ++ set(imported_location \"@NIX_OUT@/$${CMAKE_BIN_DIR}qhelpgenerator$$CMAKE_BIN_SUFFIX\") ++ if(NOT EXISTS \"${imported_location}\") ++ set(imported_location \"@NIX_DEV@/$${CMAKE_BIN_DIR}qhelpgenerator$$CMAKE_BIN_SUFFIX\") ++ endif() + _qt5_Help_check_file_exists(${imported_location}) + + set_target_properties(Qt5::qhelpgenerator PROPERTIES +diff -Naur qttools-opensource-src-5.7.1.orig/src/linguist/Qt5LinguistToolsConfig.cmake.in qttools-opensource-src-5.7.1/src/linguist/Qt5LinguistToolsConfig.cmake.in +--- qttools-opensource-src-5.7.1.orig/src/linguist/Qt5LinguistToolsConfig.cmake.in 2016-11-03 09:31:16.000000000 +0100 ++++ qttools-opensource-src-5.7.1/src/linguist/Qt5LinguistToolsConfig.cmake.in 2017-02-28 16:35:40.470100681 +0100 +@@ -44,11 +44,10 @@ if (NOT TARGET Qt5::lrelease) add_executable(Qt5::lrelease IMPORTED) 
@@ -38,7 +52,7 @@ Index: qttools-opensource-src-5.5.1/src/linguist/Qt5LinguistToolsConfig.cmake.in _qt5_LinguistTools_check_file_exists(${imported_location}) set_target_properties(Qt5::lrelease PROPERTIES -@@ -59,11 +58,10 @@ endif() +@@ -59,11 +58,10 @@ if (NOT TARGET Qt5::lupdate) add_executable(Qt5::lupdate IMPORTED) @@ -54,7 +68,7 @@ Index: qttools-opensource-src-5.5.1/src/linguist/Qt5LinguistToolsConfig.cmake.in _qt5_LinguistTools_check_file_exists(${imported_location}) set_target_properties(Qt5::lupdate PROPERTIES -@@ -74,11 +72,10 @@ endif() +@@ -74,11 +72,10 @@ if (NOT TARGET Qt5::lconvert) add_executable(Qt5::lconvert IMPORTED) From 5c89ab7cb61f4a4f6879acc701a10ee577d6c1ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Tue, 28 Feb 2017 22:30:09 +0100 Subject: [PATCH 32/33] unbound: only use the two-phase build on Linux Hydra shows some problems on Darwin with structure defns/decls. http://hydra.nixos.org/build/49463873/nixlog/1/raw --- pkgs/tools/networking/unbound/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/tools/networking/unbound/default.nix b/pkgs/tools/networking/unbound/default.nix index c263da6efe6b..0a1d557dd935 100644 --- a/pkgs/tools/networking/unbound/default.nix +++ b/pkgs/tools/networking/unbound/default.nix @@ -26,9 +26,10 @@ stdenv.mkDerivation rec { installFlags = [ "configfile=\${out}/etc/unbound/unbound.conf" ]; - preFixup = + preFixup = stdenv.lib.optionalString stdenv.isLinux # Build libunbound again, but only against nettle instead of openssl. # This avoids gnutls.out -> unbound.lib -> openssl.out. + # There was some problem with this on Darwin; let's not complicate non-Linux. '' configureFlags="$configureFlags --with-nettle=${nettle.dev} --with-libunbound-only" configurePhase From 64d4bfd1397b48236199a660c49ad60f13188365 Mon Sep 17 00:00:00 2001 
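Review bot: With the `stdenv.lib.optionalString stdenv.isLinux` guard in unbound/default.nix the nettle pass is skipped off Linux, but `nettle` was added to `buildInputs` unconditionally in patch 26/33 (outside this hunk), so unless an intervening commit changed that, non-Linux builds keep a build input that no step uses. `buildInputs = [ openssl expat libevent ] ++ stdenv.lib.optional stdenv.isLinux nettle;` would keep the two in step. The new comment could also carry the Hydra log URL from the commit message, since "some problem with this on Darwin" gives a later reader nothing to re-test against.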
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Wed, 1 Mar 2017 08:41:44 +0100 Subject: [PATCH 33/33] ploticus: fixup a manual-page symlink With new man compression this caused a build error. --- pkgs/tools/graphics/ploticus/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkgs/tools/graphics/ploticus/default.nix b/pkgs/tools/graphics/ploticus/default.nix index b855410f37f2..d0e678578723 100644 --- a/pkgs/tools/graphics/ploticus/default.nix +++ b/pkgs/tools/graphics/ploticus/default.nix @@ -15,6 +15,12 @@ stdenv.mkDerivation { patches = [ ./ploticus-install.patch ]; + # Make the symlink relative instead of absolute. + # Otherwise it breaks when auto-moved to $out/share. + preFixup = '' + ln -sf pl.1 "$out"/man/man1/ploticus.1 + ''; + meta = with stdenv.lib; { description = "A non-interactive software package for producing plots and charts"; longDescription = ''Ploticus is a free, GPL'd, non-interactive