From 18d5ed658be432ce93f10fd6e3841fe04d354c23 Mon Sep 17 00:00:00 2001 From: Ingolf Wagner Date: Sat, 17 Jul 2021 10:19:45 +0200 Subject: [PATCH 01/32] nextcloud: fix logging parameter --- nixos/modules/services/web-apps/nextcloud.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 111b3173469..b9c1960f50c 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -468,6 +468,7 @@ in { ${optionalString cfg.caching.apcu "'memcache.local' => '\\OC\\Memcache\\APCu',"} 'log_type' => 'syslog', 'log_level' => '${builtins.toString cfg.logLevel}', + 'loglevel' => '${builtins.toString cfg.logLevel}', ${optionalString (c.overwriteProtocol != null) "'overwriteprotocol' => '${c.overwriteProtocol}',"} ${optionalString (c.dbname != null) "'dbname' => '${c.dbname}',"} ${optionalString (c.dbhost != null) "'dbhost' => '${c.dbhost}',"} From 4885b0bcf4efacd622f1981325ff1b9c90a979e8 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Thu, 24 Mar 2022 05:59:14 +0000 Subject: [PATCH 02/32] wasabiwallet: 1.1.12.9 -> 1.1.13.1 --- pkgs/applications/blockchains/wasabiwallet/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/blockchains/wasabiwallet/default.nix b/pkgs/applications/blockchains/wasabiwallet/default.nix index f8e20f1a05d..e3cea78629f 100644 --- a/pkgs/applications/blockchains/wasabiwallet/default.nix +++ b/pkgs/applications/blockchains/wasabiwallet/default.nix @@ -25,11 +25,11 @@ let in stdenv.mkDerivation rec { pname = "wasabiwallet"; - version = "1.1.12.9"; + version = "1.1.13.1"; src = fetchurl { url = "https://github.com/zkSNACKs/WalletWasabi/releases/download/v${version}/Wasabi-${version}.tar.gz"; - sha256 = "sha256-DtoLQbRXyR4xGm+M0xg9uj8wcbh1dOBJUG430OS8AS4="; + sha256 = "sha256-AtsNbUqEBQx0DPWR2LjNl7pdviYmvkv3bYKNBoeJHbw="; }; dontBuild = true; 
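Review bot: In nixos/modules/services/web-apps/nextcloud.nix the old `'log_level'` entry is kept right above the new `'loglevel'` line, so the generated config now carries two keys for one setting. If `loglevel` is the key Nextcloud reads, as the commit title implies, the `log_level` line is dead and will mislead anyone auditing why the configured log verbosity did or did not take effect. Drop it, or, if it has to stay, add a short comment above it saying why it is kept. The surrounding config array starts and ends outside the hunk.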
From a433cc0312fbb47edda411f9fbc6fd740911e3a0 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Tue, 26 Apr 2022 06:31:10 +0000 Subject: [PATCH 03/32] python310Packages.ipympl: 0.9.0 -> 0.9.1 --- pkgs/development/python-modules/ipympl/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/ipympl/default.nix b/pkgs/development/python-modules/ipympl/default.nix index 226fea5b621..d17a4a85c3b 100644 --- a/pkgs/development/python-modules/ipympl/default.nix +++ b/pkgs/development/python-modules/ipympl/default.nix @@ -8,12 +8,12 @@ buildPythonPackage rec { pname = "ipympl"; - version = "0.9.0"; + version = "0.9.1"; format = "wheel"; src = fetchPypi { inherit pname version format; - sha256 = "sha256-HpO3T/zRbimxd1+nUkbSmclj7nPsMYuSUK0VJItZQs4="; + sha256 = "sha256-NQW0ctQSF4/RFeJVdk0efnYy1sgunebWKyVDijU3RoA="; }; From 59244e07f03795ced73e904d2efdc02b0a7ee8ca Mon Sep 17 00:00:00 2001 From: Aidan Gauland Date: Sat, 14 May 2022 08:12:36 +1200 Subject: [PATCH 04/32] nixos/nextcloud: Add option for max-age HSTS directive * Add an option services.nextcloud.nginx.hstsMaxAge for setting the max-age directive of the Strict-Transport-Security HTTP header. * Make the Strict-Transport-Security HTTP header in the Nginx virtualhost block dependant upon the option services.nextcloud.https instead of services.nextcloud.nginx.recommendedHttpHeaders, as this header makes no sense when not using HTTPS. (Closes #169465) --- .../from_md/release-notes/rl-2205.section.xml | 10 ++++++++ .../manual/release-notes/rl-2205.section.md | 2 ++ nixos/modules/services/web-apps/nextcloud.nix | 25 +++++++++++++++---- 3 files changed, 32 insertions(+), 5 deletions(-) diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml index 7f5da547805..c0f36fcfd35 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml 
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml @@ -2514,6 +2514,16 @@ cp /var/lib/redis/dump.rdb "/var/lib/redis-mastodon/dump.rdb" enabled. + + + The Nextcloud module now allows setting the value of the + max-age directive of the + Strict-Transport-Security HTTP header, + which is now controlled by the + services.nextcloud.https option, rather + than services.nginx.recommendedHttpHeaders. + + The spark3 package has been updated from diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md index acead412048..5902957a535 100644 --- a/nixos/doc/manual/release-notes/rl-2205.section.md +++ b/nixos/doc/manual/release-notes/rl-2205.section.md @@ -892,6 +892,8 @@ In addition to numerous new and upgraded packages, this release has the followin - The Nextcloud module now supports to create a Mysql database automatically with `services.nextcloud.database.createLocally` enabled. +- The Nextcloud module now allows setting the value of the `max-age` directive of the `Strict-Transport-Security` HTTP header, which is now controlled by the `services.nextcloud.https` option, rather than `services.nginx.recommendedHttpHeaders`. + - The `spark3` package has been updated from 3.1.2 to 3.2.1 ([#160075](https://github.com/NixOS/nixpkgs/pull/160075)): - Testing has been enabled for `aarch64-linux` in addition to `x86_64-linux`. diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index a4b886821eb..eb82cea62a4 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix 
@@ -546,10 +546,23 @@ in { ''; }; - nginx.recommendedHttpHeaders = mkOption { - type = types.bool; - default = true; - description = "Enable additional recommended HTTP response headers"; + nginx = { + recommendedHttpHeaders = mkOption { + type = types.bool; + default = true; + description = "Enable additional recommended HTTP response headers"; + }; + hstsMaxAge = mkOption { + type = types.ints.positive; + default = 15552000; + description = '' + Value for the max-age directive of the HTTP + Strict-Transport-Security header. + + See section 6.1.1 of IETF RFC 6797 for detailed information on this + directive and header. + ''; + }; }; }; @@ -983,7 +996,9 @@ in { add_header X-Permitted-Cross-Domain-Policies none; add_header X-Frame-Options sameorigin; add_header Referrer-Policy no-referrer; - add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + ''} + ${optionalString (cfg.https) '' + add_header Strict-Transport-Security "max-age=${toString cfg.nginx.hstsMaxAge}; includeSubDomains" always; ''} client_max_body_size ${cfg.maxUploadSize}; fastcgi_buffers 64 4K; From 983d2a78ac916625d6e776ad1a18531c5e0fb334 Mon Sep 17 00:00:00 2001 From: Izorkin Date: Sun, 15 May 2022 21:23:09 +0300 Subject: [PATCH 05/32] linux_5_17: add hardened kernel --- pkgs/top-level/all-packages.nix | 2 ++ pkgs/top-level/linux-kernels.nix | 1 + 2 files changed, 3 insertions(+) diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 9d0f42e685f..e00067f1dc4 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix 
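Review bot: `hstsMaxAge` is typed `types.ints.positive`, which rejects `0`, the value RFC 6797 section 6.1.1 defines for telling browsers to stop treating the host as an HSTS host. An operator who needs to back out of HSTS therefore cannot do it through this option, and setting `services.nextcloud.https = false` only removes the header, leaving cached policies to run out on their own. Consider `type = types.ints.unsigned;` plus one sentence in the description stating that the value is in seconds and that `0` clears the policy.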
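Review bot: In the `@@ -983` hunk the header still hard-codes `includeSubDomains`, and the new option's description does not mention it, so an operator tuning `hstsMaxAge` has no hint that the policy also covers every subdomain of the Nextcloud host for that whole period. Say so in the option description, e.g. `The header is always sent with includeSubDomains.` As a style point, `optionalString (cfg.https)` can lose the redundant parentheses to match `optionalString cfg.caching.apcu` used elsewhere in the module. The enclosing nginx configuration string starts and ends outside the hunk.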
@@ -23265,6 +23265,8 @@ with pkgs; linux_5_10_hardened = linuxKernel.kernels.linux_5_10_hardened; linuxPackages_5_15_hardened = linuxKernel.packages.linux_5_15_hardened; linux_5_15_hardened = linuxKernel.kernels.linux_5_15_hardened; + linuxPackages_5_17_hardened = linuxKernel.packages.linux_5_17_hardened; + linux_5_17_hardened = linuxKernel.kernels.linux_5_17_hardened; # Hardkernel (Odroid) kernels. linuxPackages_hardkernel_latest = linuxKernel.packageAliases.linux_hardkernel_latest; diff --git a/pkgs/top-level/linux-kernels.nix b/pkgs/top-level/linux-kernels.nix index 7c892035e7f..8196811a7b2 100644 --- a/pkgs/top-level/linux-kernels.nix +++ b/pkgs/top-level/linux-kernels.nix @@ -236,6 +236,7 @@ in { linux_5_4_hardened = hardenedKernelFor kernels.linux_5_4 { }; linux_5_10_hardened = hardenedKernelFor kernels.linux_5_10 { }; linux_5_15_hardened = hardenedKernelFor kernels.linux_5_15 { }; + linux_5_17_hardened = hardenedKernelFor kernels.linux_5_17 { }; })); /* Linux kernel modules are inherently tied to a specific kernel. So From 9a1264cab0c050355dbf787bd595ee37188d1b33 Mon Sep 17 00:00:00 2001 From: schnusch Date: Sat, 23 Apr 2022 12:55:57 +0200 Subject: [PATCH 06/32] invidious.lsquic.boringssl: fix gcc11 build --- pkgs/servers/invidious/lsquic.nix | 53 +++++++++++++++++++++++++++---- 1 file changed, 47 insertions(+), 6 deletions(-) diff --git a/pkgs/servers/invidious/lsquic.nix b/pkgs/servers/invidious/lsquic.nix index 9c3bc68615c..ca04c97c128 100644 --- a/pkgs/servers/invidious/lsquic.nix +++ b/pkgs/servers/invidious/lsquic.nix 
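Review bot: `linux_5_17_hardened` in pkgs/top-level/linux-kernels.nix is wired up here, but the commit touches only the two top-level files, so nothing visible shows that a hardened patch set for the 5.17 branch is available to `hardenedKernelFor`. That helper is defined outside the hunk; if it selects its patch by kernel branch, the new attribute only evaluates once that data exists, which is worth confirming and stating in the commit message. Since 5.17 is not a long-term branch, a comment such as `# non-LTS branch, remove when 5.17 reaches end of life` would also help, because a hardened attribute that quietly stops receiving fixes gives a false sense of protection.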
@@ -1,11 +1,19 @@ -{ lib, boringssl, stdenv, fetchgit, fetchFromGitHub, cmake, zlib, perl, libevent, gcc10Stdenv, buildGoModule }: +{ lib, boringssl, stdenv, fetchgit, fetchFromGitHub, fetchurl, cmake, zlib, perl, libevent }: let versions = builtins.fromJSON (builtins.readFile ./versions.json); - buildGoModuleGcc10 = buildGoModule.override { stdenv = gcc10Stdenv; }; + fetchGitilesPatch = { name, url, sha256 }: + fetchurl { + url = "${url}%5E%21?format=TEXT"; + inherit name sha256; + downloadToTemp = true; + postFetch = '' + base64 -d < $downloadedFile > $out + ''; + }; # lsquic requires a specific boringssl version (noted in its README) - boringssl' = (boringssl.overrideAttrs (old: { + boringssl' = boringssl.overrideAttrs ({ preBuild, ... }: { version = versions.boringssl.rev; src = fetchgit { url = "https://boringssl.googlesource.com/boringssl"; 
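Review bot: `fetchGitilesPatch` has no comment, and both of its tricks are opaque to a reader: the `%5E%21` suffix is the URL-encoded `^!` (the commit relative to its parent), and `?format=TEXT` makes the server return the patch base64-encoded, which is why `postFetch` decodes it. I would add above the helper `# Gitiles serves raw patches only as base64 (?format=TEXT); "%5E%21" is "^!", i.e. this commit's own diff. sha256 covers the decoded patch.` Quoting the shell variables, `base64 -d < "$downloadedFile" > "$out"`, would match common practice as well.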
@@ -15,10 +23,43 @@ let patches = [ # Use /etc/ssl/certs/ca-certificates.crt instead of /etc/ssl/cert.pem ./use-etc-ssl-certs.patch + + # because lsquic requires that specific boringssl version and that + # version does not yet include fixes for gcc11 build errors, they + # must be backported + (fetchGitilesPatch { + name = "fix-mismatch-between-header-and-implementation-of-bn_sqr_comba8.patch"; + url = "https://boringssl.googlesource.com/boringssl/+/139adff9b27eaf0bdaac664ec4c9a7db2fe3f920"; + sha256 = "05sp602dvh50v46jkzmh4sf4wqnq5bwy553596g2rhxg75bailjj"; + }) + (fetchGitilesPatch { + name = "use-an-unsized-helper-for-truncated-SHA-512-variants.patch"; + url = "https://boringssl.googlesource.com/boringssl/+/a24ab549e6ae246b391155d7bed3790ac0e07de2"; + sha256 = "0483jkpg4g64v23ln2blb74xnmzdjcn3r7w4zk7nfg8j3q5f9lxm"; + }) +/* + # the following patch is too complex, so we will modify the build flags + # of crypto/fipsmodule/CMakeFiles/fipsmodule.dir/bcm.c.o in preBuild + # and turn off -Werror=stringop-overflow + (fetchGitilesPatch { + name = "make-md32_common.h-single-included-and-use-an-unsized-helper-for-SHA-256.patch"; + url = "https://boringssl.googlesource.com/boringssl/+/597ffef971dd980b7de5e97a0c9b7ca26eec94bc"; + sha256 = "1y0bkkdf1ccd6crx326agp01q22clm4ai4p982y7r6dkmxmh52qr"; + }) +*/ + (fetchGitilesPatch { + name = "fix-array-parameter-warnings.patch"; + url = "https://boringssl.googlesource.com/boringssl/+/92c6fbfc4c44dc8462d260d836020d2b793e7804"; + sha256 = "0h4sl95i8b0dj0na4ngf50wg54raxyjxl1zzwdc810abglp10vnv"; + }) ]; - })).override { - buildGoModule = buildGoModuleGcc10; - }; + + preBuild = '' + ${preBuild} + sed -e '/^build crypto\/fipsmodule\/CMakeFiles\/fipsmodule\.dir\/bcm\.c\.o:/,/^ *FLAGS =/ s/^ *FLAGS = -Werror/& -Wno-error=stringop-overflow/' \ + -i build.ninja + ''; + }); in stdenv.mkDerivation rec { pname = "lsquic"; From 0369625a8225d1734a617f3e39144bc8666c00b3 Mon Sep 17 00:00:00 2001 
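Review bot: The `sed` in `preBuild` relaxes `-Werror=stringop-overflow` for `bcm.c`, a diagnostic about possible out-of-bounds writes in the crypto core, and the only explanation sits inside a `/* … */` block together with a disabled `fetchGitilesPatch` call. Keep the rationale as a live comment next to `preBuild` and delete the dead block, for example `# gcc11 stringop-overflow in bcm.c is addressed upstream by 597ffef971dd; too invasive to backport, so -Werror is relaxed for that one object only. Drop once versions.json pins a boringssl rev that contains it.` The lambda pattern `{ preBuild, ... }` also makes evaluation fail if the base boringssl derivation ever stops setting `preBuild`; `{ preBuild ? "", ... }` avoids that. Restricting the relaxation to a single object file rather than the whole build is the right scope and should stay.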
From: schnusch Date: Tue, 12 Apr 2022 14:30:47 +0200 Subject: [PATCH 07/32] invidious: use UTC for version in update script Previously the commits timezone was used for the date in the version. This turned out to be wrong for https://github.com/iv-org/invidious/commit/1f3f2788d4ab6ee4fc96c73c5e78900a9edcfec3 See https://github.com/NixOS/nixpkgs/commit/104e4643c52a7fb418721f1c254a34b8862cac5f --- pkgs/servers/invidious/update.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/servers/invidious/update.sh b/pkgs/servers/invidious/update.sh index 580d6136388..bf43fbb4b36 100755 --- a/pkgs/servers/invidious/update.sh +++ b/pkgs/servers/invidious/update.sh @@ -41,7 +41,7 @@ git -C "$git_dir" fetch origin "$git_branch" # because there might still be commits coming # use the day of the latest commit we picked as version new_rev=$(git -C "$git_dir" log -n 1 --format='format:%H' --before="${today}T00:00:00Z" "origin/$git_branch") -new_version="unstable-$(git -C "$git_dir" log -n 1 --format='format:%cs' "$new_rev")" +new_version="unstable-$(TZ=UTC git -C "$git_dir" log -n 1 --date='format-local:%Y-%m-%d' --format='%cd' "$new_rev")" info "latest commit before $today: $new_rev" if [ "$new_rev" = "$old_rev" ]; then From 1305a10b290b7f20e6b228836628bb1313d6890a Mon Sep 17 00:00:00 2001 From: schnusch Date: Tue, 12 Apr 2022 14:33:27 +0200 Subject: [PATCH 08/32] invidious: unstable-2022-03-16 -> unstable-2022-05-11 --- pkgs/servers/invidious/shards.nix | 8 ++++---- pkgs/servers/invidious/versions.json | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/pkgs/servers/invidious/shards.nix b/pkgs/servers/invidious/shards.nix index 582a4083e7d..e5f297d902c 100644 --- a/pkgs/servers/invidious/shards.nix +++ b/pkgs/servers/invidious/shards.nix 
@@ -20,14 +20,14 @@ exception_page = { owner = "crystal-loot"; repo = "exception_page"; - rev = "v0.2.0"; - sha256 = "0nlgnh5iykbr1v2132342k2mz6s2laws6nkgqsqlwhhcr4gb4jcx"; + rev = "v0.2.2"; + sha256 = "1c8askb9b7621jjz5pjj6b8pdbhw3r1l3dym6swg1saspf5j3jwi"; }; kemal = { owner = "kemalcr"; repo = "kemal"; - rev = "v1.1.0"; - sha256 = "07vlvddy4mba9li2bvskzqzywwq55cyvlgkz13q6dsl4zfgc96ca"; + rev = "v1.1.2"; + sha256 = "1149q4qw0zrws5asqqr4snrdi67xsmisdcq58zcrbgqgsxgly9d0"; }; kilt = { owner = "jeromegn"; diff --git a/pkgs/servers/invidious/versions.json b/pkgs/servers/invidious/versions.json index cec068a09bf..40f8bb04182 100644 --- a/pkgs/servers/invidious/versions.json +++ b/pkgs/servers/invidious/versions.json @@ -4,15 +4,15 @@ "sha256": "sha256-EU6T9yQCdOLx98Io8o01rEsgxDFF/Xoy42LgPopD2/A=" }, "invidious": { - "rev": "ed265cfdcd131b9df5398d899cc5d7036a5b7846", - "sha256": "0hhnq4s0slwbgxra7gxapl7dcz60a7k71cndi4crqcikmazzac3b", - "version": "unstable-2022-03-16" + "rev": "ca27e096f3249533cc7a9b123a8a8378f3312bb7", + "sha256": "0xjdzxnw6b5lk8pr82sjj60wfzxqkyamh0gpf2wxby52jvlbdcka", + "version": "unstable-2022-05-11" }, "lsquic": { "sha256": "sha256-hG8cUvhbCNeMOsKkaJlgGpzUrIx47E/WhmPIdI5F3qM=", "version": "2.18.1" }, "videojs": { - "sha256": "0b4vxd29kpvy60yhqm376r1872gds17s6wljqw0zlr16j762k50r" + "sha256": "0m09pc9acpzhfwwvc9dayl60nn28skmmglgvmlp48dlkqgfbgc27" } } From a70d6ad88c8a26c477eaf3ca25be611cf4bc9ceb Mon Sep 17 00:00:00 2001 From: zowoq <59103226+zowoq@users.noreply.github.com> Date: Tue, 17 May 2022 07:20:14 +1000 Subject: [PATCH 09/32] terraform-providers: update scripts - skip updates that include alpha|beta|pre in version --- .../networking/cluster/terraform-providers/update-provider | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/networking/cluster/terraform-providers/update-provider b/pkgs/applications/networking/cluster/terraform-providers/update-provider index 4310fcdcc27..fb506cefbe0 100755 
--- a/pkgs/applications/networking/cluster/terraform-providers/update-provider +++ b/pkgs/applications/networking/cluster/terraform-providers/update-provider @@ -128,9 +128,12 @@ version="$(jq -r '.version' <<<"${registry_response}")" if [[ ${old_version} == "${version}" && ${force} != 1 && -z ${vendorSha256} && ${old_vendor_sha256} != "${vendorSha256}" ]]; then echo_provider "already at version ${version}" exit -else - echo_provider "updating from ${old_version} to ${version}" fi +if [[ ${version} =~ (alpha|beta|pre) && ${force} != 1 ]]; then + echo_provider "not updating to unstable version ${version}" + exit +fi +echo_provider "updating from ${old_version} to ${version}" update_attr version "${version}" provider_source_url="$(jq -r '.source' <<<"${registry_response}")" From be028357e3124d2ef2aa2f5286fc717dca922494 Mon Sep 17 00:00:00 2001 From: zowoq <59103226+zowoq@users.noreply.github.com> Date: Tue, 17 May 2022 07:25:26 +1000 Subject: [PATCH 10/32] terraform-providers.github: 4.25.0-alpha -> 4.24.1 --- .../networking/cluster/terraform-providers/providers.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/applications/networking/cluster/terraform-providers/providers.json b/pkgs/applications/networking/cluster/terraform-providers/providers.json index 94fcafcb48c..98bd0cfca4e 100644 --- a/pkgs/applications/networking/cluster/terraform-providers/providers.json +++ b/pkgs/applications/networking/cluster/terraform-providers/providers.json @@ -420,10 +420,10 @@ "owner": "integrations", "provider-source-address": "registry.terraform.io/integrations/github", "repo": "terraform-provider-github", - "rev": "v4.25.0-alpha", - "sha256": "sha256-9BE19VywtNIeDfjBKzle5nGFPmpS8lHV60w0h2xTztU=", + "rev": "v4.24.1", + "sha256": "sha256-1fwHMN2HIVl+8ZL7OtP1U5ORc41e7Tm3qEpMqIgWL20=", "vendorSha256": null, - "version": "4.25.0-alpha" + "version": "4.24.1" }, "gitlab": { "owner": "gitlabhq", 
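Review bot: The new prerelease filter `[[ ${version} =~ (alpha|beta|pre) && ${force} != 1 ]]` does not match release candidates or dev builds, so a registry response with a version like `1.2.0-rc1` (constructed example) would still be written into providers.json by an unattended run. Extending the pattern to `(alpha|beta|pre|rc|dev)` closes that gap. Because the test is an unanchored substring match on the whole version string, a comment such as `# skip prereleases unless forced; substring match on the registry version` would make the intent clear to the next editor.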
From 89e46a1779f55a5f4606516a0ca14cd16c5408cd Mon Sep 17 00:00:00 2001 From: zowoq <59103226+zowoq@users.noreply.github.com> Date: Tue, 17 May 2022 07:23:18 +1000 Subject: [PATCH 11/32] terraform-providers.metal: 3.3.0-alpha.3 -> 3.2.2 --- .../networking/cluster/terraform-providers/providers.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/applications/networking/cluster/terraform-providers/providers.json b/pkgs/applications/networking/cluster/terraform-providers/providers.json index 98bd0cfca4e..db7ca3cf386 100644 --- a/pkgs/applications/networking/cluster/terraform-providers/providers.json +++ b/pkgs/applications/networking/cluster/terraform-providers/providers.json @@ -719,10 +719,10 @@ "owner": "equinix", "provider-source-address": "registry.terraform.io/equinix/metal", "repo": "terraform-provider-metal", - "rev": "v3.3.0-alpha.3", - "sha256": "sha256-wuZp0Be8a84y7JqpCGnBDPXgNG8JJcNWsIICP3ZjSVk=", - "vendorSha256": "sha256-Ln9EyycPduVuj+JefH9f+Q5KlNGvbcwcEDgaqH2M0So=", - "version": "3.3.0-alpha.3" + "rev": "v3.2.2", + "sha256": "193897farpyb3zxz6p79mfaf04ccin7xdirbkclqb3x3c56jy0xi", + "vendorSha256": null, + "version": "3.2.2" }, "minio": { "owner": "aminueza", From 380b50c0ade0fa67cfbc3bc94039ad6570d09b33 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 17 May 2022 00:02:33 +0200 Subject: [PATCH 12/32] podofo: 0.9.7 -> 0.9.8 https://sourceforge.net/p/podofo/tickets/75/ Fixes: CVE-2019-20093 --- pkgs/development/libraries/podofo/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/podofo/default.nix b/pkgs/development/libraries/podofo/default.nix index ee99ab5de6f..c4aab614915 100644 --- a/pkgs/development/libraries/podofo/default.nix +++ b/pkgs/development/libraries/podofo/default.nix 
@@ -3,12 +3,12 @@ }: stdenv.mkDerivation rec { - version = "0.9.7"; + version = "0.9.8"; pname = "podofo"; src = fetchurl { url = "mirror://sourceforge/podofo/${pname}-${version}.tar.gz"; - sha256 = "1f0yvkx6nf99fp741w2y706d8bs9824x1z2gqm3rdy5fv8bfgwkw"; + sha256 = "sha256-XeYH4V8ZK4rZBzgwB1nYjeoPXM3OO/AASKDJMrxkUVQ="; }; outputs = [ "out" "dev" "lib" ]; From 3d115ff0e981e716074d8b22f21f12491513b4fc Mon Sep 17 00:00:00 2001 From: 06kellyjac Date: Tue, 17 May 2022 09:23:21 +0100 Subject: [PATCH 13/32] syft: 0.45.1 -> 0.46.1 --- pkgs/tools/admin/syft/default.nix | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/pkgs/tools/admin/syft/default.nix b/pkgs/tools/admin/syft/default.nix index 0f7d3806182..4a74b851b34 100644 --- a/pkgs/tools/admin/syft/default.nix +++ b/pkgs/tools/admin/syft/default.nix @@ -2,13 +2,13 @@ buildGoModule rec { pname = "syft"; - version = "0.45.1"; + version = "0.46.1"; src = fetchFromGitHub { owner = "anchore"; repo = pname; rev = "v${version}"; - sha256 = "sha256-oexsu52x9rAqwTVxTVHzKPuaIfvg5lvvuBmKcnb2Yew="; + sha256 = "sha256-ojjudnS0yJZ6YoHmq4m0YKyCqq9Ge+AFU7ejlPop71w="; # populate values that require us to use git. By doing this in postFetch we # can delete .git afterwards and maintain better reproducibility of the src. leaveDotGit = true; @@ -20,11 +20,11 @@ buildGoModule rec { find "$out" -name .git -print0 | xargs -0 rm -rf ''; }; - vendorSha256 = "sha256-d6ZBWX4/lgh610fBLTE1EUqZmpctLfxi2PSRifH+1jg="; + vendorSha256 = "sha256-nb7QcdmwAfYDTzCFNjs7uKwK/gng2iMD36ANaFSsftk="; nativeBuildInputs = [ installShellFiles ]; - subPackages = [ "." ]; + subPackages = [ "cmd/syft" ]; ldflags = [ "-s" 
@@ -52,6 +52,17 @@ buildGoModule rec { --zsh <($out/bin/syft completion zsh) ''; + doInstallCheck = true; + installCheckPhase = '' + runHook preInstallCheck + + export SYFT_CHECK_FOR_APP_UPDATE=false + $out/bin/syft --help + $out/bin/syft version | grep "${version}" + + runHook postInstallCheck + ''; + meta = with lib; { homepage = "https://github.com/anchore/syft"; changelog = "https://github.com/anchore/syft/releases/tag/v${version}"; From 83ebd8c52efcc40d070051226a1ddde24b7314dd Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Tue, 17 May 2022 10:56:45 +0100 Subject: [PATCH 14/32] libnih: remove libnih is a niche low-level library. It was used for lxc and cgmanager. Reverse dependencies were removed of transitioned from libnih a few years ago. Nowadays libnih does not build against upstream gcc-10. Let's remove it. --- pkgs/development/libraries/libnih/default.nix | 25 ------------------- pkgs/top-level/aliases.nix | 1 + pkgs/top-level/all-packages.nix | 2 -- 3 files changed, 1 insertion(+), 27 deletions(-) delete mode 100644 pkgs/development/libraries/libnih/default.nix diff --git a/pkgs/development/libraries/libnih/default.nix b/pkgs/development/libraries/libnih/default.nix deleted file mode 100644 index fbe01bf4062..00000000000 --- a/pkgs/development/libraries/libnih/default.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ lib, stdenv, fetchurl, pkg-config, dbus, expat }: - -let version = "1.0.3"; in - -stdenv.mkDerivation { - pname = "libnih"; - inherit version; - - src = fetchurl { - url = "https://code.launchpad.net/libnih/1.0/${version}/+download/libnih-${version}.tar.gz"; - sha256 = "01glc6y7z1g726zwpvp2zm79pyb37ki729jkh45akh35fpgp4xc9"; - }; - - nativeBuildInputs = [ pkg-config ]; - buildInputs = [ dbus expat ]; - - doCheck = false; # fails 1 of 17 test - - meta = { - description = "A small library for C application development"; - homepage = "https://launchpad.net/libnih"; - license = lib.licenses.gpl2; - platforms = lib.platforms.linux; - }; -} 
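Review bot: In `installCheckPhase`, `grep "${version}"` treats the dots in the version as regex wildcards and matches anywhere in the output, so the check can pass on a binary that reports a different version string. `$out/bin/syft version | grep -F "${version}"` makes it a literal comparison. Setting `SYFT_CHECK_FOR_APP_UPDATE=false` before running the binary looks deliberate; a short comment saying that it keeps the check from attempting an update lookup inside the sandbox would explain why it is there (that purpose is inferred from the variable name).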
diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index 271e5ba4c85..a8d8a582551 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix @@ -677,6 +677,7 @@ mapAliases ({ liblastfm = libsForQt5.liblastfm; # Added 2020-06-14 liblrdf = throw "'liblrdf' has been renamed to/replaced by 'lrdf'"; # Converted to throw 2022-02-22 libmsgpack = throw "'libmsgpack' has been renamed to/replaced by 'msgpack'"; # Converted to throw 2022-02-22 + libnih = throw "'libnih' has been removed"; # Converted to throw 2022-05-17 libosmpbf = throw "libosmpbf was removed because it is no longer required by osrm-backend"; libpng_apng = throw "libpng_apng has been removed, because it is equivalent to libpng"; # Added 2021-03-21 libpulseaudio-vanilla = libpulseaudio; # Added 2022-04-20 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 03b807a0686..2063d708773 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -19036,8 +19036,6 @@ with pkgs; libnftnl = callPackage ../development/libraries/libnftnl { }; - libnih = callPackage ../development/libraries/libnih { }; - libnova = callPackage ../development/libraries/science/astronomy/libnova { }; libnxml = callPackage ../development/libraries/libnxml { }; From 960e437185ccdd5b0cbe66c496a405bee1223d1e Mon Sep 17 00:00:00 2001 From: Fabian Affolter Date: Tue, 17 May 2022 12:31:47 +0200 Subject: [PATCH 15/32] python310Packages.pg8000: 1.27.1 -> 1.28.0 --- pkgs/development/python-modules/pg8000/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/pg8000/default.nix b/pkgs/development/python-modules/pg8000/default.nix index 9179448227f..b3ac256e0bb 100644 --- a/pkgs/development/python-modules/pg8000/default.nix +++ b/pkgs/development/python-modules/pg8000/default.nix 
@@ -8,14 +8,14 @@ buildPythonPackage rec { pname = "pg8000"; - version = "1.27.1"; + version = "1.28.0"; format = "setuptools"; disabled = pythonOlder "3.6"; src = fetchPypi { inherit pname version; - sha256 = "sha256-1qWDg0hZM0TyDrNa2kcqdy0yFFgm8u/ljb4bZeqZ6JA="; + sha256 = "sha256-Q1E949TjeOc6xEKpOQa6qdNWJFqmeqf2FgXFbjmn9ZE="; }; propagatedBuildInputs = [ From de3d4f4369ba73bf69087f102a9515d141f06b7e Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Tue, 17 May 2022 11:33:20 +0100 Subject: [PATCH 16/32] lrs: 7.0 -> 7.2 Among other things fixes build for gcc-10. --- pkgs/development/libraries/science/math/lrs/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/development/libraries/science/math/lrs/default.nix b/pkgs/development/libraries/science/math/lrs/default.nix index 063fead1165..ae5beb0f09e 100644 --- a/pkgs/development/libraries/science/math/lrs/default.nix +++ b/pkgs/development/libraries/science/math/lrs/default.nix @@ -2,11 +2,11 @@ stdenv.mkDerivation rec { pname = "lrs"; - version = "7.0"; + version = "7.2"; src = fetchurl { - url = "http://cgm.cs.mcgill.ca/~avis/C/lrslib/archive/lrslib-070.tar.gz"; - sha256 = "1zjdmkjracz695k73c2pvipc0skpyn1wzagkhilsvcw9pqljpwg9"; + url = "http://cgm.cs.mcgill.ca/~avis/C/lrslib/archive/lrslib-072.tar.gz"; + sha256 = "1w1jsnfgny8cihndr5gfm99pvwp48qsvxkqfsi2q87gd3m57aj7w"; }; buildInputs = [ gmp ]; From a44de15349c324c01145e8c22ff38334bcdf138c Mon Sep 17 00:00:00 2001 From: Madoura Date: Tue, 17 May 2022 06:23:29 -0500 Subject: [PATCH 17/32] vlang: 2022.19 -> 2022.20 --- pkgs/development/compilers/vlang/default.nix | 34 +++-- .../vlang/disable_vcreate_test.patch | 133 ------------------ 2 files changed, 20 insertions(+), 147 deletions(-) delete mode 100644 pkgs/development/compilers/vlang/disable_vcreate_test.patch diff --git a/pkgs/development/compilers/vlang/default.nix b/pkgs/development/compilers/vlang/default.nix index 0601022df61..64ccb2fc16e 100644 
--- a/pkgs/development/compilers/vlang/default.nix +++ b/pkgs/development/compilers/vlang/default.nix @@ -2,21 +2,21 @@ stdenv.mkDerivation rec { pname = "vlang"; - version = "weekly.2022.19"; + version = "weekly.2022.20"; src = fetchFromGitHub { owner = "vlang"; repo = "v"; rev = version; - sha256 = "1bl91j3ip3i84jq3wg03sflllxv38sv4dc072r302rl2g9f4dbg6"; + sha256 = "1isbyfs98bdbm2qjf7q4bqbpsmdiqlavn3gznwr12bkvhnsf4j3x"; }; # Required for bootstrap. vc = fetchFromGitHub { owner = "vlang"; repo = "vc"; - rev = "a298ad7069f6333ef8ab59a616654fc74e04c847"; - sha256 = "168cgq6451hcgsxzyd8vq11g01642bs5kkwxqh6rz3rnc86ajic0"; + rev = "167f262866090493650f58832d62d910999dd5a4"; + sha256 = "1xax8355qkrccjcmx24gcab88xnrqj15mhqy0bgp3v2rb1hw1n3a"; }; # Required for vdoc. @@ -27,11 +27,6 @@ stdenv.mkDerivation rec { sha256 = "0cawzizr3rjz81blpvxvxrcvcdai1adj66885ss390444qq1fnv7"; }; - # vcreate_test.v requires git, so we must disable it. - patches = [ - ./disable_vcreate_test.patch - ]; - propagatedBuildInputs = [ glfw freetype openssl ] ++ lib.optional stdenv.hostPlatform.isUnix upx; @@ -42,9 +37,16 @@ stdenv.mkDerivation rec { "VC=${vc}" ]; - prePatch = '' + preBuild = '' export HOME=$(mktemp -d) - cp cmd/tools/vcreate_test.v $HOME/vcreate_test.v + ''; + + # vcreate_test.v requires git, so we must remove it when building the tools. + # vtest.v fails on Darwin, so let's just disable it for now. + preInstall = '' + mv cmd/tools/vcreate_test.v $HOME/vcreate_test.v + '' + lib.optionalString stdenv.isDarwin '' + mv cmd/tools/vtest.v $HOME/vtest.v ''; installPhase = '' 
@@ -64,12 +66,16 @@ stdenv.mkDerivation rec { $out/lib/v -v $out/lib/cmd/tools/vast $out/lib/v -v $out/lib/cmd/tools/vvet - # Return the pre-patch vcreate_test.v now that we no longer need the alteration. - cp $HOME/vcreate_test.v $out/lib/cmd/tools/vcreate_test.v - runHook postInstall ''; + # Return vcreate_test.v and vtest.v, so the user can use it. + postInstall = '' + cp $HOME/vcreate_test.v $out/lib/cmd/tools/vcreate_test.v + '' + lib.optionalString stdenv.isDarwin '' + cp $HOME/vtest.v $out/lib/cmd/tools/vtest.v + ''; + meta = with lib; { homepage = "https://vlang.io/"; description = "Simple, fast, safe, compiled language for developing maintainable software"; diff --git a/pkgs/development/compilers/vlang/disable_vcreate_test.patch b/pkgs/development/compilers/vlang/disable_vcreate_test.patch deleted file mode 100644 index 85ed867c83e..00000000000 --- a/pkgs/development/compilers/vlang/disable_vcreate_test.patch +++ /dev/null 
@@ -1,133 +0,0 @@ -diff --git a/cmd/tools/vcreate_test.v b/cmd/tools/vcreate_test.v -index 3d07f4773..de8a202df 100644 ---- a/cmd/tools/vcreate_test.v -+++ b/cmd/tools/vcreate_test.v -@@ -2,127 +2,6 @@ import os - - const test_path = 'vcreate_test' - --fn init_and_check() ? { -- os.execute_or_exit('${os.quoted_path(@VEXE)} init') -- -- assert os.read_file('vcreate_test.v') ? == [ -- 'module main\n', -- 'fn main() {', -- " println('Hello World!')", -- '}', -- '', -- ].join_lines() -- -- assert os.read_file('v.mod') ? == [ -- 'Module {', -- " name: 'vcreate_test'", -- " description: ''", -- " version: ''", -- " license: ''", -- ' dependencies: []', -- '}', -- '', -- ].join_lines() -- -- assert os.read_file('.gitignore') ? == [ -- '# Binaries for programs and plugins', -- 'main', -- 'vcreate_test', -- '*.exe', -- '*.exe~', -- '*.so', -- '*.dylib', -- '*.dll', -- 'vls.log', -- '', -- ].join_lines() -- -- assert os.read_file('.gitattributes') ? == [ -- '*.v linguist-language=V text=auto eol=lf', -- '*.vv linguist-language=V text=auto eol=lf', -- '*.vsh linguist-language=V text=auto eol=lf', -- '**/v.mod linguist-language=V text=auto eol=lf', -- '', -- ].join_lines() -- -- assert os.read_file('.editorconfig') ? == [ -- '[*]', -- 'charset = utf-8', -- 'end_of_line = lf', -- 'insert_final_newline = true', -- 'trim_trailing_whitespace = true', -- '', -- '[*.v]', -- 'indent_style = tab', -- 'indent_size = 4', -- '', -- ].join_lines() --} -- - fn test_v_init() ? { -- dir := os.join_path(os.temp_dir(), test_path) -- os.rmdir_all(dir) or {} -- os.mkdir(dir) or {} -- defer { -- os.rmdir_all(dir) or {} -- } -- os.chdir(dir) ? -- -- init_and_check() ? --} -- --fn test_v_init_in_git_dir() ? { -- dir := os.join_path(os.temp_dir(), test_path) -- os.rmdir_all(dir) or {} -- os.mkdir(dir) or {} -- defer { -- os.rmdir_all(dir) or {} -- } -- os.chdir(dir) ? -- os.execute_or_exit('git init .') -- init_and_check() ? --} -- --fn test_v_init_no_overwrite_gitignore() ? 
{ -- dir := os.join_path(os.temp_dir(), test_path) -- os.rmdir_all(dir) or {} -- os.mkdir(dir) or {} -- os.write_file('$dir/.gitignore', 'blah') ? -- defer { -- os.rmdir_all(dir) or {} -- } -- os.chdir(dir) ? -- -- os.execute_or_exit('${os.quoted_path(@VEXE)} init') -- -- assert os.read_file('.gitignore') ? == 'blah' --} -- --fn test_v_init_no_overwrite_gitattributes_and_editorconfig() ? { -- git_attributes_content := '*.v linguist-language=V text=auto eol=lf' -- editor_config_content := '[*] --charset = utf-8 --end_of_line = lf --insert_final_newline = true --trim_trailing_whitespace = true -- --[*.v] --indent_style = tab --indent_size = 4 --' -- -- dir := os.join_path(os.temp_dir(), test_path) -- os.rmdir_all(dir) or {} -- os.mkdir(dir) or {} -- os.write_file('$dir/.gitattributes', git_attributes_content) ? -- os.write_file('$dir/.editorconfig', editor_config_content) ? -- defer { -- os.rmdir_all(dir) or {} -- } -- os.chdir(dir) ? -- -- os.execute_or_exit('${os.quoted_path(@VEXE)} init') -- -- assert os.read_file('.gitattributes') ? == git_attributes_content -- assert os.read_file('.editorconfig') ? == editor_config_content -+ println('vcreate_test disabled') - } From af4488d9c5588ca8f27cffd22834dca75eb62aaa Mon Sep 17 00:00:00 2001 From: 06kellyjac Date: Tue, 17 May 2022 13:14:43 +0100 Subject: [PATCH 18/32] witness: 0.1.7 -> 0.1.8 --- pkgs/tools/security/witness/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/security/witness/default.nix b/pkgs/tools/security/witness/default.nix index 921d524be6a..f443d765b57 100644 --- a/pkgs/tools/security/witness/default.nix +++ b/pkgs/tools/security/witness/default.nix 
@@ -2,15 +2,15 @@ buildGoModule rec { pname = "witness"; - version = "0.1.7"; + version = "0.1.8"; src = fetchFromGitHub { owner = "testifysec"; repo = pname; rev = "v${version}"; - sha256 = "sha256-fkY3/UmHzggmysrae8VCY3NMBxC/LcWoQcXBELEzJlM="; + sha256 = "sha256-i76sw5ysWDZwuNt7CYtpVy9mEV643i4YaMxksglyPWw="; }; - vendorSha256 = "sha256-ajWIjQXLvFQB1AVYyGjyWMrWIyue/d1uU5HHNf4/UcU="; + vendorSha256 = "sha256-A3fnAWEJ7SeUnDfIIOkbHIhUBRB8INcqMleOLL3LHF0="; nativeBuildInputs = [ installShellFiles ]; From 13d03f19adc18650d2da1784b037abc601cc2257 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 17 May 2022 14:40:13 +0200 Subject: [PATCH 19/32] dump_syms: fix build on darwin --- pkgs/development/tools/dump_syms/default.nix | 6 ++++++ pkgs/top-level/all-packages.nix | 4 +++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/pkgs/development/tools/dump_syms/default.nix b/pkgs/development/tools/dump_syms/default.nix index a8c6821f27f..08788878cc9 100644 --- a/pkgs/development/tools/dump_syms/default.nix +++ b/pkgs/development/tools/dump_syms/default.nix @@ -1,8 +1,12 @@ { lib +, stdenv , rustPlatform , fetchFromGitHub , pkg-config , openssl + +# darwin +, Security }: let @@ -27,6 +31,8 @@ rustPlatform.buildRustPackage { buildInputs = [ openssl + ] ++ lib.optionals (stdenv.isDarwin) [ + Security ]; checkFlags = [ diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 3c64cab44fd..77d5b8edf5a 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5309,7 +5309,9 @@ with pkgs; autoreconfHook = buildPackages.autoreconfHook269; }; - dump_syms = callPackage ../development/tools/dump_syms { }; + dump_syms = callPackage ../development/tools/dump_syms { + inherit (darwin.apple_sdk.frameworks) Security; + }; dumptorrent = callPackage ../tools/misc/dumptorrent { }; From 3b4cbaaa02d6c027870959cb35d2e3ecc85f1497 Mon Sep 17 00:00:00 2001 
From: Mario Rodas Date: Tue, 17 May 2022 04:20:00 +0000 Subject: [PATCH 20/32] dune_3: 3.1.1 -> 3.2.0 https://github.com/ocaml/dune/releases/tag/3.2.0 --- pkgs/development/tools/ocaml/dune/3.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/development/tools/ocaml/dune/3.nix b/pkgs/development/tools/ocaml/dune/3.nix index de661948b9c..009c3cb6fe2 100644 --- a/pkgs/development/tools/ocaml/dune/3.nix +++ b/pkgs/development/tools/ocaml/dune/3.nix @@ -6,11 +6,11 @@ else stdenv.mkDerivation rec { pname = "dune"; - version = "3.1.1"; + version = "3.2.0"; src = fetchurl { - url = "https://github.com/ocaml/dune/releases/download/${version}/fiber-${version}.tbz"; - sha256 = "sha256-AkhEVKsbmYhAx4c1CexrIwHrkmYsEy749fT1abNaa2A="; + url = "https://github.com/ocaml/dune/releases/download/${version}/chrome-trace-${version}.tbz"; + sha256 = "sha256-vR+85q557R6yb6ibsuLiOXivzrP1P1V4zxvasIoa1bw="; }; nativeBuildInputs = [ ocaml findlib ]; From e2806be7e9786d9f51dfbf4377b2a49e9f597e5c Mon Sep 17 00:00:00 2001 From: Fabian Affolter Date: Tue, 17 May 2022 14:48:29 +0200 Subject: [PATCH 21/32] python310Packages.bc-python-hcl2: 0.3.39 -> 0.3.40 --- pkgs/development/python-modules/bc-python-hcl2/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/bc-python-hcl2/default.nix b/pkgs/development/python-modules/bc-python-hcl2/default.nix index 8d5c2d7d4c2..56773e372b4 100644 --- a/pkgs/development/python-modules/bc-python-hcl2/default.nix +++ b/pkgs/development/python-modules/bc-python-hcl2/default.nix 
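Review bot: The `url` in `src` now points at `chrome-trace-${version}.tbz` where it pointed at `fiber-${version}.tbz` before, and neither name matches `pname = "dune"`, so nothing in the expression shows that this is the intended release asset. The fixed-output hash pins whatever was downloaded; it does not show that the right file was chosen. I would add a comment above `url` such as `# upstream names the release tarball after a sub-package and the name changes between releases; check the asset list on the release page when bumping`. That comment assumes this is why the name differs, so please confirm against the linked 3.2.0 release.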
@@ -8,14 +8,14 @@ buildPythonPackage rec { pname = "bc-python-hcl2"; - version = "0.3.39"; + version = "0.3.40"; format = "setuptools"; disabled = pythonOlder "3.6"; src = fetchPypi { inherit pname version; - hash = "sha256-JMQ2sLgAnMJ1/0nR8LgKbpPB43gVKtCtrZKr/T4p0O8="; + hash = "sha256-4we2Txk7kJ1SrCa82eQJ9OsqyTkFzocNi+GG7cV+OAc="; }; # Nose is required during build process, so can not use `checkInputs`. From 3cec1627e2c4336b3e854b0f6f7f83832e256126 Mon Sep 17 00:00:00 2001 From: Fabian Affolter Date: Tue, 17 May 2022 15:01:58 +0200 Subject: [PATCH 22/32] checkov: 2.0.1140 -> 2.0.1143 --- pkgs/development/tools/analysis/checkov/default.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/development/tools/analysis/checkov/default.nix b/pkgs/development/tools/analysis/checkov/default.nix index eadeec8acce..743405be6a7 100644 --- a/pkgs/development/tools/analysis/checkov/default.nix +++ b/pkgs/development/tools/analysis/checkov/default.nix @@ -32,13 +32,13 @@ with py.pkgs; buildPythonApplication rec { pname = "checkov"; - version = "2.0.1140"; + version = "2.0.1143"; src = fetchFromGitHub { owner = "bridgecrewio"; repo = pname; rev = version; - hash = "sha256-aGO5mjBsUwpLIv73pZH1la6tyGByznTrjkW9dojkXwg="; + hash = "sha256-Kl9/wbjiQ46ysmnE24iQveTEzSTsVF5FHRqG3WWz3DQ="; }; nativeBuildInputs = with py.pkgs; [ @@ -94,6 +94,7 @@ buildPythonApplication rec { postPatch = '' substituteInPlace setup.py \ + --replace "bc-python-hcl2==0.3.39" "bc-python-hcl2>=0.3.39" \ --replace "cyclonedx-python-lib>=0.11.0,<1.0.0" "cyclonedx-python-lib>=0.11.0" \ --replace "prettytable>=3.0.0" "prettytable" \ --replace "pycep-parser==0.3.4" "pycep-parser" From 998f7e66b00d2752d133c6079ac3e16291e12b06 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Tue, 17 May 2022 13:18:03 +0000 Subject: [PATCH 23/32] python310Packages.cvxpy: 1.2.0 -> 1.2.1 --- pkgs/development/python-modules/cvxpy/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
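Review bot: The added `--replace "bc-python-hcl2==0.3.39" "bc-python-hcl2>=0.3.39"` in checkov's `postPatch` matches one exact upstream pin, so it stops applying as soon as setup.py moves to a different version, and nothing in the expression records why the pin is relaxed. A comment above it would help, for example `# nixpkgs ships a newer bc-python-hcl2 than upstream pins; re-check this pattern on every checkov bump`. The neighbouring `"pycep-parser==0.3.4" "pycep-parser"` line drops the constraint entirely, while this one keeps a lower bound; whichever is intended, the two should follow the same convention. The `postPatch` block starts outside the hunk.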
diff --git a/pkgs/development/python-modules/cvxpy/default.nix b/pkgs/development/python-modules/cvxpy/default.nix index 73609966ba8..033af1fb5d9 100644 --- a/pkgs/development/python-modules/cvxpy/default.nix +++ b/pkgs/development/python-modules/cvxpy/default.nix @@ -16,14 +16,14 @@ buildPythonPackage rec { pname = "cvxpy"; - version = "1.2.0"; + version = "1.2.1"; format = "pyproject"; disabled = pythonOlder "3.5"; src = fetchPypi { inherit pname version; - sha256 = "sha256-QURm/ehJovqr/ZRE7ILKLnvxQsAdcjdSTPlzCt60IBw="; + sha256 = "sha256-bWdkJkPR3bLyr1m0Zrh9QsSi42eDGte0PDO1nu+ltQ4="; }; propagatedBuildInputs = [ From 8896e8d373ca125d227333e069053821451efa65 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Tue, 17 May 2022 02:50:39 +0000 Subject: [PATCH 24/32] imagemagick: 7.1.0-33 -> 7.1.0-34 --- pkgs/applications/graphics/ImageMagick/7.0.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/graphics/ImageMagick/7.0.nix b/pkgs/applications/graphics/ImageMagick/7.0.nix index 44d54014976..66248ff5365 100644 --- a/pkgs/applications/graphics/ImageMagick/7.0.nix +++ b/pkgs/applications/graphics/ImageMagick/7.0.nix @@ -45,13 +45,13 @@ in stdenv.mkDerivation rec { pname = "imagemagick"; - version = "7.1.0-33"; + version = "7.1.0-34"; src = fetchFromGitHub { owner = "ImageMagick"; repo = "ImageMagick"; rev = version; - hash = "sha256-qiXTSQcc48IIzz7RUcyOH2w8JUOTdU1zg43gJhoELXo="; + hash = "sha256-eASmIOTYupK5di3lggJ/8O5pkG88ZpFuvaYK23AWsq4="; }; outputs = [ "out" "dev" "doc" ]; # bin/ isn't really big From 75021339971840c0f34b890e368dbfca10173d83 Mon Sep 17 00:00:00 2001 From: Daniel Beecham Date: Tue, 17 May 2022 16:47:33 +0200 Subject: [PATCH 25/32] nixos/locate: clarification in warning message (#173247) Co-authored-by: Sandro --- nixos/modules/misc/locate.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/nixos/modules/misc/locate.nix b/nixos/modules/misc/locate.nix index 192c9ec413c..50495eebe4c 100644 --- a/nixos/modules/misc/locate.nix +++ b/nixos/modules/misc/locate.nix @@ -250,7 +250,7 @@ in }; warnings = optional (isMorPLocate && cfg.localuser != null) - "mlocate does not support the services.locate.localuser option; updatedb will run as root. (Silence with services.locate.localuser = null.)" + "mlocate and plocate do not support the services.locate.localuser option. updatedb will run as root. Silence this warning by setting services.locate.localuser = null." ++ optional (isFindutils && cfg.pruneNames != [ ]) "findutils locate does not support pruning by directory component" ++ optional (isFindutils && cfg.pruneBindMounts) From 8c53d65350e6c176a5ebddec3c2f2917b73b6573 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Janne=20He=C3=9F?= Date: Tue, 17 May 2022 17:10:45 +0200 Subject: [PATCH 26/32] icinga2: 2.13.2 -> 2.13.3 --- pkgs/servers/monitoring/icinga2/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/servers/monitoring/icinga2/default.nix b/pkgs/servers/monitoring/icinga2/default.nix index a674aca2a37..643e505d794 100644 --- a/pkgs/servers/monitoring/icinga2/default.nix +++ b/pkgs/servers/monitoring/icinga2/default.nix @@ -9,13 +9,13 @@ stdenv.mkDerivation rec { pname = "icinga2${nameSuffix}"; - version = "2.13.2"; + version = "2.13.3"; src = fetchFromGitHub { owner = "icinga"; repo = "icinga2"; rev = "v${version}"; - sha256 = "sha256:1ijvav2ymgq1i8jycrqbp2y4r54y0dkwjnwxc20bmcixxh877zdn"; + sha256 = "sha256:1z8wzhlhl8vb7m8axvayfyqgf86lz67gaa02n3r17049vwswdgmb"; }; patches = [ From 382f515dae52e9b3fa966c17d2dbe919c3b94b2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Janne=20He=C3=9F?= Date: Tue, 17 May 2022 17:13:13 +0200 Subject: [PATCH 27/32] icingaweb2-ipl: 0.8.0 -> 0.8.1 --- pkgs/servers/icingaweb2/ipl.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/pkgs/servers/icingaweb2/ipl.nix b/pkgs/servers/icingaweb2/ipl.nix index e9075d7d043..9d21951a299 100644 --- a/pkgs/servers/icingaweb2/ipl.nix +++ b/pkgs/servers/icingaweb2/ipl.nix @@ -2,13 +2,13 @@ stdenvNoCC.mkDerivation rec { pname = "icingaweb2-ipl"; - version = "0.8.0"; + version = "0.8.1"; src = fetchFromGitHub { owner = "Icinga"; repo = "icinga-php-library"; rev = "v${version}"; - sha256 = "sha256:05k0qcd5c5xb124dpp6lvfdh4dzf6bkd34v4sy7aj776p4hrlqx2"; + sha256 = "sha256:0ndd4gd26rglbz85izfvqc4ghcfa7wpq6ghrhggbzg819phndg5a"; }; installPhase = '' From 8734e42bf15533fe4f2cde24ea5ee0246024355d Mon Sep 17 00:00:00 2001 From: Alyssa Ross Date: Mon, 16 May 2022 18:56:59 +0000 Subject: [PATCH 28/32] fontforge: remove obsolete comment This was added in 07d12fbef1c ("fontforge: get rid of output hash depending on git"), to explain the line: export GIT="$(type -P true)". This line was removed in e9848d11ad0 ("fontforge: 20190801 -> 20200314"), but I forgot to remove the comment. Fixes: e9848d11ad0 ("fontforge: 20190801 -> 20200314") --- pkgs/tools/misc/fontforge/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/pkgs/tools/misc/fontforge/default.nix b/pkgs/tools/misc/fontforge/default.nix index 3de016bf6d6..aa3d16a5fa5 100644 --- a/pkgs/tools/misc/fontforge/default.nix +++ b/pkgs/tools/misc/fontforge/default.nix @@ -63,7 +63,6 @@ stdenv.mkDerivation rec { ++ lib.optional (!withGTK) "-DENABLE_X11=ON" ++ lib.optional withExtras "-DENABLE_FONTFORGE_EXTRAS=ON"; - # work-around: git isn't really used, but configuration fails without it preConfigure = '' # The way $version propagates to $version of .pe-scripts (https://github.com/dejavu-fonts/dejavu-fonts/blob/358190f/scripts/generate.pe#L19) export SOURCE_DATE_EPOCH=$(date -d ${version} +%s) From ab8a7cae2c0eb3be8bf0175f9f53affd193983fa Mon Sep 17 00:00:00 2001 
From: Maximilian Bosch Date: Tue, 17 May 2022 18:11:40 +0200 Subject: [PATCH 29/32] nixos/nextcloud: remove unneeded `log_level`-param Actually it's called `loglevel` on both v22 and v23. --- nixos/modules/services/web-apps/nextcloud.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index b9c1960f50c..0fa69d8b1ba 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -467,7 +467,6 @@ in { 'skeletondirectory' => '${cfg.skeletonDirectory}', ${optionalString cfg.caching.apcu "'memcache.local' => '\\OC\\Memcache\\APCu',"} 'log_type' => 'syslog', - 'log_level' => '${builtins.toString cfg.logLevel}', 'loglevel' => '${builtins.toString cfg.logLevel}', ${optionalString (c.overwriteProtocol != null) "'overwriteprotocol' => '${c.overwriteProtocol}',"} ${optionalString (c.dbname != null) "'dbname' => '${c.dbname}',"} From 744ca87ed01ef0ee02e62c12340c1071351e561f Mon Sep 17 00:00:00 2001 From: piegames Date: Sat, 14 May 2022 00:03:59 +0200 Subject: [PATCH 30/32] npins: Init at 0.1.0 --- pkgs/tools/nix/npins/default.nix | 44 ++++++++++++++++++++++++ pkgs/tools/nix/npins/source.nix | 57 +++++++++++++++++++++++++++++++ pkgs/tools/nix/npins/sources.json | 19 +++++++++++ pkgs/top-level/all-packages.nix | 2 ++ 4 files changed, 122 insertions(+) create mode 100644 pkgs/tools/nix/npins/default.nix create mode 100644 pkgs/tools/nix/npins/source.nix create mode 100644 pkgs/tools/nix/npins/sources.json diff --git a/pkgs/tools/nix/npins/default.nix b/pkgs/tools/nix/npins/default.nix new file mode 100644 index 00000000000..8324a2d8900 --- /dev/null +++ b/pkgs/tools/nix/npins/default.nix 
@@ -0,0 +1,44 @@ +{ lib +, rustPlatform +, fetchFromGitHub +, nix-gitignore +, makeWrapper +, stdenv +, darwin +, callPackage + + # runtime dependencies +, nix # for nix-prefetch-url +, nix-prefetch-git +, git # for git ls-remote +}: + +let + runtimePath = lib.makeBinPath [ nix nix-prefetch-git git ]; + sources = (builtins.fromJSON (builtins.readFile ./sources.json)).pins; +in rustPlatform.buildRustPackage rec { + pname = "npins"; + version = src.version; + src = passthru.mkSource sources.npins; + + cargoSha256 = "0rwnzkmx91cwcz9yw0rbbqv73ba6ggim9f4qgz5pgy6h696ld2k8"; + + buildInputs = lib.optional stdenv.isDarwin (with darwin.apple_sdk.frameworks; [ Security ]); + nativeBuildInputs = [ makeWrapper ]; + + # (Almost) all tests require internet + doCheck = false; + + postFixup = '' + wrapProgram $out/bin/npins --prefix PATH : "${runtimePath}" + ''; + + meta = with lib; { + description = "Simple and convenient dependency pinning for Nix"; + homepage = "https://github.com/andir/npins"; + license = licenses.eupl12; + maintainers = with maintainers; [ piegames ]; + }; + + passthru.mkSource = callPackage ./source.nix {}; +} diff --git a/pkgs/tools/nix/npins/source.nix b/pkgs/tools/nix/npins/source.nix new file mode 100644 index 00000000000..8c9e47204af --- /dev/null +++ b/pkgs/tools/nix/npins/source.nix 
@@ -0,0 +1,57 @@ +# Not part of the public API – for use within nixpkgs only +# +# Usage: +# ```nix +# let +# sources = builtins.fromJSON (builtins.readFile ./sources.json); +# in mkMyDerivation rec { +# version = src.version; # This obviously only works for releases +# src = pkgs.npins.mkSource sources.mySource; +# } +# ``` + +{ fetchgit +, fetchzip +, fetchurl +}: +let + mkSource = spec: + assert spec ? type; let + path = + if spec.type == "Git" then mkGitSource spec + else if spec.type == "GitRelease" then mkGitSource spec + else if spec.type == "PyPi" then mkPyPiSource spec + else if spec.type == "Channel" then mkChannelSource spec + else throw "Unknown source type ${spec.type}"; + in + spec // { outPath = path; }; + + mkGitSource = { repository, revision, url ? null, hash, ... }: + assert repository ? type; + # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository + # In the latter case, there we will always be an url to the tarball + if url != null then + (fetchzip { + inherit url; + sha256 = hash; + extension = "tar"; + }) + else assert repository.type == "Git"; fetchgit { + url = repository.url; + rev = revision; + }; + + mkPyPiSource = { url, hash, ... }: + fetchurl { + inherit url; + sha256 = hash; + }; + + mkChannelSource = { url, hash, ... }: + fetchzip { + inherit url; + sha256 = hash; + extension = "tar"; + }; +in + mkSource diff --git a/pkgs/tools/nix/npins/sources.json b/pkgs/tools/nix/npins/sources.json new file mode 100644 index 00000000000..0481abe3f97 --- /dev/null +++ b/pkgs/tools/nix/npins/sources.json 
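Review bot: In `mkGitSource`, the plain-git branch calls `fetchgit { url = repository.url; rev = revision; }` without passing the pin's `hash`, even though `hash` is destructured in the arguments and the `fetchzip` branch above uses `sha256 = hash;`. On this path the fetch is therefore not checked against the hash recorded in sources.json; at best it fails on fetchgit's missing-hash handling. Add `sha256 = hash;` to the `fetchgit` call, assuming the recorded value is the hash fetchgit expects for that checkout. The only pin in this commit has a `url` and takes the `fetchzip` branch, so the gap would not show up when building npins itself.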
@@ -0,0 +1,19 @@ +{ + "pins": { + "npins": { + "type": "GitRelease", + "repository": { + "type": "GitHub", + "owner": "andir", + "repo": "npins" + }, + "pre_releases": false, + "version_upper_bound": null, + "version": "0.1.0", + "revision": "5c9253ff6010f435ab73fbe1e50ae0fdca0ec07b", + "url": "https://api.github.com/repos/andir/npins/tarball/0.1.0", + "hash": "019fr9xsirld8kap75k18in3krkikqhjn4mglpy3lyhbhc5n1kh6" + } + }, + "version": 2 +} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index c3226537e8b..69a39d05db9 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -4019,6 +4019,8 @@ with pkgs; notify = callPackage ../tools/misc/notify { }; + npins = callPackage ../tools/nix/npins { }; + nrsc5 = callPackage ../applications/misc/nrsc5 { }; nsync = callPackage ../development/libraries/nsync { }; From 5cf446f41b400d9a209144b385460766778b787a Mon Sep 17 00:00:00 2001 From: Ben Darwin Date: Mon, 16 May 2022 15:59:16 -0400 Subject: [PATCH 31/32] ezminc: mark broken Package refuses to build with current GCC (11), but building with older GCC causes error linking libminc and I don't want to pin a bunch of deps. A newer version is available upstream but it only works with ITK 5.0 (see https://github.com/BIC-MNI/EZminc/issues/15), but we have 4.x and 5.2.x in tree and I'm reluctant to add 5.0 just for one package (even ITK 4.x is only used by ants and ezminc and should be removed as soon as ants is upgraded). --- pkgs/applications/science/biology/EZminc/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/applications/science/biology/EZminc/default.nix b/pkgs/applications/science/biology/EZminc/default.nix index a2ba038c059..6c140b03ee4 100644 --- a/pkgs/applications/science/biology/EZminc/default.nix +++ b/pkgs/applications/science/biology/EZminc/default.nix 
@@ -25,5 +25,6 @@ stdenv.mkDerivation rec { maintainers = with maintainers; [ bcdarwin ]; platforms = platforms.unix; license = licenses.free; + broken = true; # ITK5 compatibility issue (https://github.com/BIC-MNI/EZminc/issues/15) }; } From c0723eef37468a1783d3e2fde84e25b3e502f45c Mon Sep 17 00:00:00 2001 From: Cole Helbling Date: Thu, 12 May 2022 10:40:26 -0700 Subject: [PATCH 32/32] nixos/prometheus: enable checking syntax only This allows config checking with external files to not fail inside the sandbox. --- .../monitoring/prometheus/default.nix | 23 ++++++++++++------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/nixos/modules/services/monitoring/prometheus/default.nix b/nixos/modules/services/monitoring/prometheus/default.nix index ceb2db1faef..41848c1c6d3 100644 --- a/nixos/modules/services/monitoring/prometheus/default.nix +++ b/nixos/modules/services/monitoring/prometheus/default.nix @@ -5,6 +5,9 @@ with lib; let json = pkgs.formats.json { }; cfg = config.services.prometheus; + checkConfigEnabled = + (lib.isBool cfg.checkConfig && cfg.checkConfig) + || cfg.checkConfig == "syntax-only"; workingDir = "/var/lib/" + cfg.stateDir; @@ -27,7 +30,7 @@ let # a wrapper that verifies that the configuration is valid promtoolCheck = what: name: file: - if cfg.checkConfig then + if checkConfigEnabled then pkgs.runCommandLocal "${name}-${replaceStrings [" "] [""] what}-checked" { buildInputs = [ cfg.package ]; } '' @@ -58,7 +61,7 @@ let pkgs.writeText "prometheus.yml" cfg.configText else generatedPrometheusYml; in - promtoolCheck "check config" "prometheus.yml" yml; + promtoolCheck "check config ${lib.optionalString (cfg.checkConfig == "syntax-only") "--syntax-only"}" "prometheus.yml" yml; cmdlineArgs = cfg.extraFlags ++ [ "--storage.tsdb.path=${workingDir}/data/" 
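Review bot: In the prometheus `@@ -58,7 +61,7 @@` hunk, `--syntax-only` is spliced into the `what` argument of `promtoolCheck`, and the wrapper in the previous hunk also uses `what` to build the derivation name via `replaceStrings [" "] [""] what`. The store name therefore changes with the flag, and `what` carries a trailing space when `checkConfig` is `true`. Keeping `what` as the plain subcommand and passing extra flags separately would be cleaner; failing that, add a comment at the call such as `# what is also used, spaces stripped, in the derivation name`. With "syntax-only", files referenced from the config are no longer checked at build time, so mistakes there surface only when the service starts; the option description could say so. The enclosing `let` block starts and ends outside these hunks.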
@@ -1726,16 +1729,20 @@ in }; checkConfig = mkOption { - type = types.bool; + type = with types; either bool (enum [ "syntax-only" ]); default = true; + example = "syntax-only"; description = '' Check configuration with promtool check. The call to promtool is - subject to sandboxing by Nix. When credentials are stored in - external files (password_file, - bearer_token_file, etc), they will not be - visible to promtool and it will report - errors, despite a correct configuration. + subject to sandboxing by Nix. + + If you use credentials stored in external files + (password_file, bearer_token_file, etc), + they will not be visible to promtool + and it will report errors, despite a correct configuration. + To resolve this, you may set this option to "syntax-only" + in order to only syntax check the Prometheus configuration. ''; };