Merge branch 'master' into staging

* master:
  Revert "vinagre: disable format hardening"
  nix: point at curl 7.59.0 (#41452)
  vinagre: disable format hardening
  linux: Add 4.17
  gnome3.vinagre: fix build
  linux-copperhead: 4.16.12.a -> 4.16.13.a
  julia: add some version info to passthru, will be used by julia2nix
  gdal: Fix darwin build
  opendkim: fix libbsd dependency
  avoid redundant rm calls
  perlPackages.CPANPLUS: add cpanp dependency
  plotutils: fix parallel building
  nixos/gitea: Respect gitea-dump enable option. (#41437)
  kubernetes: corrected spelling mistake in docs (#41439)
  python.pkgs.trustme: fix python2 build
  revert 4a86f8c9ab and properly remove the temporary ssh host keys file/directory.

nixos/modules/services/cluster/kubernetes/default.nix

@@ -78,7 +78,7 @@ let
     };
 
     caFile = mkOption {
-      description = "${prefix} certificate authrority file used to connect to kube-apiserver.";
+      description = "${prefix} certificate authority file used to connect to kube-apiserver.";
       type = types.nullOr types.path;
       default = cfg.caFile;
     };

nixos/modules/services/misc/gitea.nix

@@ -356,7 +356,7 @@ in
         text = cfg.database.password;
       })));
 
-    systemd.services.gitea-dump = {
+    systemd.services.gitea-dump = mkIf cfg.dump.enable {
        description = "gitea dump";
        after = [ "gitea.service" ];
        wantedBy = [ "default.target" ];
@@ -376,7 +376,7 @@ in
        };
     };
 
-    systemd.timers.gitea-dump = {
+    systemd.timers.gitea-dump = mkIf cfg.dump.enable {
       description = "Update timer for gitea-dump";
       partOf = [ "gitea-dump.service" ];
       wantedBy = [ "timers.target" ];

nixos/modules/virtualisation/google-compute-image.nix

@@ -257,7 +257,7 @@ in
               echo "Setup of ssh host keys from http://metadata.google.internal/computeMetadata/v1/instance/attributes/ failed."
               false
           fi
-          rm -f $SSH_HOST_KEYS_DIR
+          rm -rf $SSH_HOST_KEYS_DIR
         '';
       serviceConfig.Type = "oneshot";
       serviceConfig.RemainAfterExit = true;

pkgs/desktops/gnome-3/apps/vinagre/default.nix

@@ -18,6 +18,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ gtk3 vte libxml2 gtkvnc intltool libsecret
                   itstool makeWrapper gnome3.defaultIconTheme librsvg ];
 
+  NIX_CFLAGS_COMPILE = "-Wno-format-nonliteral";
+
   preFixup = ''
     wrapProgram "$out/bin/vinagre" \
       --prefix XDG_DATA_DIRS : "$XDG_ICON_DIRS:$GSETTINGS_SCHEMAS_PATH:$out/share"

pkgs/development/compilers/julia/0.6.nix

@@ -50,11 +50,16 @@ let
     url = "mirror://pypi/v/virtualenv/virtualenv-${virtualenvVersion}.tar.gz";
     sha256 = "06fw4liazpx5vf3am45q2pdiwrv0id7ckv7n6zmpml29x6vkzmkh";
   };
+
+  majorVersion = "0";
+  minorVersion = "6";
+  maintenanceVersion = "2";
+  version = "${majorVersion}.${minorVersion}.${maintenanceVersion}";
 in
 
 stdenv.mkDerivation rec {
   pname = "julia";
-  version = "0.6.2";
+  inherit version;
   name = "${pname}-${version}";
 
   src = fetchzip {
@@ -183,6 +188,11 @@ stdenv.mkDerivation rec {
     done
   '';
 
+  passthru = {
+    inherit majorVersion minorVersion maintenanceVersion;
+    site = "share/julia/site/v${majorVersion}.${minorVersion}";
+  };
+
   meta = {
     description = "High-level performance-oriented dynamical language for technical computing";
     homepage = https://julialang.org/;

pkgs/development/libraries/gdal/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, unzip, libjpeg, libtiff, zlib
+{ stdenv, fetchurl, fetchpatch, unzip, libjpeg, libtiff, zlib
 , postgresql, mysql, libgeotiff, pythonPackages, proj, geos, openssl
 , libpng, sqlite, libspatialite, poppler, hdf4
 , libiconv
@@ -16,6 +16,16 @@ stdenv.mkDerivation rec {
     sha256 = "18iaamzkn0lipizynvspf3bs5qzgcy36hn6bbi941q8dlfdf8xbg";
   };
 
+  patches = [
+    # fix build with recent Poppler
+    (fetchpatch {
+      url    = "https://github.com/OSGeo/gdal/commit/124f0343436d1267319ac627fc220530091b41ea.diff";
+      stripLen = 2;
+      extraPrefix = "";
+      sha256 = "1v6iiy4cgrdcfas3iva5swh9446pqfjh5p6bcab6y49hyjhpsgfy";
+    })
+  ];
+
   buildInputs = [ unzip libjpeg libtiff libpng proj openssl sqlite
     libspatialite poppler hdf4 ]
   ++ (with pythonPackages; [ python numpy wrapPython ])

pkgs/development/python-modules/trustme/default.nix

@@ -1,4 +1,4 @@
-{ lib, buildPythonPackage, fetchPypi, cryptography, pytest, pyopenssl, service-identity }:
+{ lib, buildPythonPackage, fetchPypi, isPy3k, cryptography, futures, pytest, pyopenssl, service-identity }:
 
 buildPythonPackage rec {
   pname = "trustme";
@@ -15,6 +15,8 @@ buildPythonPackage rec {
   '';
   propagatedBuildInputs = [
     cryptography
+  ] ++ lib.optionals (!isPy3k) [
+    futures
   ];
 
   meta = {

pkgs/os-specific/linux/kernel/linux-4.16.nix

@@ -1,4 +1,4 @@
-{ stdenv, buildPackages, hostPlatform, fetchurl, perl, buildLinux, ... } @ args:
+{ stdenv, buildPackages, hostPlatform, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
 
 with stdenv.lib;
 
@@ -6,7 +6,7 @@ buildLinux (args // rec {
   version = "4.16.13";
 
   # modDirVersion needs to be x.y.z, will automatically add .0 if needed
-  modDirVersion = concatStrings (intersperse "." (take 3 (splitString "." "${version}.0")));
+  modDirVersion = if (modDirVersionArg == null) then concatStrings (intersperse "." (take 3 (splitString "." "${version}.0"))) else modDirVersionArg;
 
   # branchVersion needs to be x.y
   extraMeta.branch = concatStrings (intersperse "." (take 2 (splitString "." version)));

pkgs/os-specific/linux/kernel/linux-4.17.nix

@@ -0,0 +1,18 @@
+{ stdenv, buildPackages, hostPlatform, fetchurl, perl, buildLinux, modDirVersionArg ? null, ... } @ args:
+
+with stdenv.lib;
+
+buildLinux (args // rec {
+  version = "4.17";
+
+  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
+  modDirVersion = if (modDirVersionArg == null) then concatStrings (intersperse "." (take 3 (splitString "." "${version}.0"))) else modDirVersionArg;
+
+  # branchVersion needs to be x.y
+  extraMeta.branch = concatStrings (intersperse "." (take 2 (splitString "." version)));
+
+  src = fetchurl {
+    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
+    sha256 = "04yd7hnsdyaq4xmrgg7509qjf09k1dy6k1p8qqfrdspajvc1valz";
+  };
+} // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/linux-copperhead-stable.nix

@@ -1,30 +0,0 @@
-{ stdenv, buildPackages, hostPlatform, fetchFromGitHub, perl, buildLinux, ... } @ args:
-
-with stdenv.lib;
-
-let
-  version = "4.16.12";
-  revision = "a";
-  sha256 = "0gkgvhh2v5lca67xjmq512mqnfbln6lkk6hgigby2406b9w1b0sd";
-
-  # modVersion needs to be x.y.z, will automatically add .0 if needed
-  modVersion = concatStrings (intersperse "." (take 3 (splitString "." "${version}.0")));
-
-  # branchVersion needs to be x.y
-  branchVersion = concatStrings (intersperse "." (take 2 (splitString "." version)));
-
-  modDirVersion = "${modVersion}-hardened";
-in
-buildLinux (args // {
-  inherit modDirVersion;
-
-  version = "${version}-${revision}";
-  extraMeta.branch = "${branchVersion}";
-
-  src = fetchFromGitHub {
-    inherit sha256;
-    owner = "copperhead";
-    repo = "linux-hardened";
-    rev = "${version}.${revision}";
-  };
-} // (args.argsOverride or {}))

pkgs/os-specific/linux/kernel/patches.nix

@@ -28,6 +28,11 @@ rec {
     patch = ./tag-hardened.patch;
   };
 
+  copperhead_4_16 = rec {
+    name = "copperhead-4.16";
+    patch = ./copperhead-4-16.patch;
+  };
+
   # https://bugzilla.kernel.org/show_bug.cgi?id=197591#c6
   iwlwifi_mvm_support_version_7_scan_req_umac_fw_command = rec {
     name = "iwlwifi_mvm_support_version_7_scan_req_umac_fw_command";

pkgs/tools/graphics/plotutils/default.nix

@@ -17,6 +17,11 @@ stdenv.mkDerivation rec {
   buildInputs = [ libpng ];
   patches = map fetchurl (import ./debian-patches.nix);
 
+  preBuild = ''
+    # Fix parallel building.
+    make -C libplot xmi.h
+  '';
+
   configureFlags = "--enable-libplotter"; # required for pstoedit
 
   hardeningDisable = [ "format" ];

pkgs/tools/networking/curl/7_59.nix

@@ -0,0 +1,113 @@
+{ stdenv, lib, fetchurl, pkgconfig, perl
+, http2Support ? true, nghttp2
+, idnSupport ? false, libidn ? null
+, ldapSupport ? false, openldap ? null
+, zlibSupport ? false, zlib ? null
+, sslSupport ? false, openssl ? null
+, gnutlsSupport ? false, gnutls ? null
+, scpSupport ? false, libssh2 ? null
+, gssSupport ? false, kerberos ? null
+, c-aresSupport ? false, c-ares ? null
+, brotliSupport ? false, brotli ? null
+}:
+
+assert http2Support -> nghttp2 != null;
+assert idnSupport -> libidn != null;
+assert ldapSupport -> openldap != null;
+assert zlibSupport -> zlib != null;
+assert sslSupport -> openssl != null;
+assert !(gnutlsSupport && sslSupport);
+assert gnutlsSupport -> gnutls != null;
+assert scpSupport -> libssh2 != null;
+assert c-aresSupport -> c-ares != null;
+assert brotliSupport -> brotli != null;
+assert gssSupport -> kerberos != null;
+
+stdenv.mkDerivation rec {
+  name = "curl-7.59.0";
+
+  src = fetchurl {
+    urls = [
+      "https://github.com/curl/curl/releases/download/${lib.replaceStrings ["."] ["_"] name}/${name}.tar.bz2"
+      "https://curl.haxx.se/download/${name}.tar.bz2"
+    ];
+    sha256 = "185mazhi4bc5mc6rvhrmnc67j8l3sg7f0w2hp5gmi5ccdbyhz4mm";
+  };
+
+  outputs = [ "bin" "dev" "out" "man" "devdoc" ];
+  separateDebugInfo = stdenv.isLinux;
+
+  enableParallelBuilding = true;
+
+  nativeBuildInputs = [ pkgconfig perl ];
+
+  # Zlib and OpenSSL must be propagated because `libcurl.la' contains
+  # "-lz -lssl", which aren't necessary direct build inputs of
+  # applications that use Curl.
+  propagatedBuildInputs = with stdenv.lib;
+    optional http2Support nghttp2 ++
+    optional idnSupport libidn ++
+    optional ldapSupport openldap ++
+    optional zlibSupport zlib ++
+    optional gssSupport kerberos ++
+    optional c-aresSupport c-ares ++
+    optional sslSupport openssl ++
+    optional gnutlsSupport gnutls ++
+    optional scpSupport libssh2 ++
+    optional brotliSupport brotli;
+
+  # for the second line see https://curl.haxx.se/mail/tracker-2014-03/0087.html
+  preConfigure = ''
+    sed -e 's|/usr/bin|/no-such-path|g' -i.bak configure
+    rm src/tool_hugehelp.c
+  '';
+
+  configureFlags = [
+      "--with-ca-fallback"
+      "--disable-manual"
+      ( if sslSupport then "--with-ssl=${openssl.dev}" else "--without-ssl" )
+      ( if gnutlsSupport then "--with-gnutls=${gnutls.dev}" else "--without-gnutls" )
+      ( if scpSupport then "--with-libssh2=${libssh2.dev}" else "--without-libssh2" )
+      ( if ldapSupport then "--enable-ldap" else "--disable-ldap" )
+      ( if ldapSupport then "--enable-ldaps" else "--disable-ldaps" )
+      ( if idnSupport then "--with-libidn=${libidn.dev}" else "--without-libidn" )
+      ( if brotliSupport then "--with-brotli" else "--without-brotli" )
+    ]
+    ++ stdenv.lib.optional c-aresSupport "--enable-ares=${c-ares}"
+    ++ stdenv.lib.optional gssSupport "--with-gssapi=${kerberos.dev}";
+
+  CXX = "${stdenv.cc.targetPrefix}c++";
+  CXXCPP = "${stdenv.cc.targetPrefix}c++ -E";
+
+  doCheck = false; # expensive, fails
+
+  postInstall = ''
+    moveToOutput bin/curl-config "$dev"
+    sed '/^dependency_libs/s|${libssh2.dev}|${libssh2.out}|' -i "$out"/lib/*.la
+  '' + stdenv.lib.optionalString gnutlsSupport ''
+    ln $out/lib/libcurl.so $out/lib/libcurl-gnutls.so
+    ln $out/lib/libcurl.so $out/lib/libcurl-gnutls.so.4
+    ln $out/lib/libcurl.so $out/lib/libcurl-gnutls.so.4.4.0
+  '';
+
+  crossAttrs = {
+    # We should refer to the cross built openssl
+    # For the 'urandom', maybe it should be a cross-system option
+    configureFlags = [
+        ( if sslSupport then "--with-ssl=${openssl.crossDrv}" else "--without-ssl" )
+        ( if gnutlsSupport then "--with-gnutls=${gnutls.crossDrv}" else "--without-gnutls" )
+        "--with-random /dev/urandom"
+      ];
+  };
+
+  passthru = {
+    inherit sslSupport openssl;
+  };
+
+  meta = with stdenv.lib; {
+    description = "A command line tool for transferring files with URL syntax";
+    homepage    = https://curl.haxx.se/;
+    maintainers = with maintainers; [ lovek323 ];
+    platforms   = platforms.all;
+  };
+}

pkgs/top-level/all-packages.nix

@@ -1891,6 +1891,15 @@ with pkgs;
     brotliSupport = true;
   };
 
+  curl_7_59 = callPackage ../tools/networking/curl/7_59.nix rec {
+    fetchurl = fetchurlBoot;
+    http2Support = true;
+    zlibSupport = true;
+    sslSupport = zlibSupport;
+    scpSupport = zlibSupport && !stdenv.isSunOS && !stdenv.isCygwin;
+    gssSupport = true;
+  };
+
   curl = callPackage ../tools/networking/curl rec {
     fetchurl = fetchurlBoot;
     http2Support = true;
@@ -4151,7 +4160,9 @@ with pkgs;
 
   opendht = callPackage ../development/libraries/opendht {};
 
-  opendkim = callPackage ../development/libraries/opendkim { };
+  opendkim = callPackage ../development/libraries/opendkim {
+    libbsd = libbsd-freedesktop;
+  };
 
   opendylan = callPackage ../development/compilers/opendylan {
     opendylan-bootstrap = opendylan_bin;
@@ -13466,13 +13477,13 @@ with pkgs;
     ];
   };
 
-  linux_copperhead_stable = callPackage ../os-specific/linux/kernel/linux-copperhead-stable.nix {
-    kernelPatches = with kernelPatches; [
-      bridge_stp_helper
-      modinst_arg_list_too_long
-      tag_hardened
-    ];
-  };
+  linux_copperhead_stable = (linux_4_16.override {
+    kernelPatches = linux_4_16.kernelPatches ++ [
+      kernelPatches.copperhead_4_16
+      kernelPatches.tag_hardened
+     ];
+    modDirVersionArg = linux_4_16.modDirVersion + "-hardened";
+  });
 
   # linux mptcp is based on the 4.4 kernel
   linux_mptcp = callPackage ../os-specific/linux/kernel/linux-mptcp.nix {
@@ -13527,6 +13538,17 @@ with pkgs;
       ];
   };
 
+  linux_4_17 = callPackage ../os-specific/linux/kernel/linux-4.17.nix {
+    kernelPatches =
+      [ kernelPatches.bridge_stp_helper
+        # See pkgs/os-specific/linux/kernel/cpu-cgroup-v2-patches/README.md
+        # when adding a new linux version
+        # kernelPatches.cpu-cgroup-v2."4.11"
+        kernelPatches.modinst_arg_list_too_long
+        kernelPatches.bcm2835_mmal_v4l2_camera_driver # Only needed for 4.16!
+      ];
+  };
+
   linux_testing = callPackage ../os-specific/linux/kernel/linux-testing.nix {
     kernelPatches = [
       kernelPatches.bridge_stp_helper
@@ -13712,7 +13734,7 @@ with pkgs;
   linux = linuxPackages.kernel;
 
   # Update this when adding the newest kernel major version!
-  linuxPackages_latest = linuxPackages_4_16;
+  linuxPackages_latest = linuxPackages_4_17;
   linux_latest = linuxPackages_latest.kernel;
 
   # Build the kernel modules for the some of the kernels.
@@ -13723,6 +13745,7 @@ with pkgs;
   linuxPackages_4_9 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_4_9);
   linuxPackages_4_14 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_4_14);
   linuxPackages_4_16 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_4_16);
+  linuxPackages_4_17 = recurseIntoAttrs (linuxPackagesFor pkgs.linux_4_17);
   # Don't forget to update linuxPackages_latest!
 
   # Intentionally lacks recurseIntoAttrs, as -rc kernels will quite likely break out-of-tree modules and cause failed Hydra builds.
@@ -20867,6 +20890,7 @@ with pkgs;
   inherit (callPackages ../tools/package-management/nix {
       storeDir = config.nix.storeDir or "/nix/store";
       stateDir = config.nix.stateDir or "/nix/var";
+      curl = curl_7_59;
       })
     nix
     nix1

pkgs/top-level/perl-packages.nix

@@ -2920,7 +2920,7 @@ let self = _self // overrides; _self = with self; {
       url = "mirror://cpan/authors/id/B/BI/BINGOS/${name}.tar.gz";
       sha256 = "1ahddfs9jc2z3h7z6lkf9ppmrgw2kjnzcpbrhvwq3rlpxa9xshhq";
     };
-    propagatedBuildInputs = [ ArchiveExtract LogMessage ModulePluggable ObjectAccessor PackageConstants ];
+    propagatedBuildInputs = [ ArchiveExtract LogMessage ModulePluggable ObjectAccessor PackageConstants TermUI ];
     meta = {
       homepage = https://github.com/jib/cpanplus-devel;
       description = "Ameliorated interface to the CPAN";