switch hardening flags

9 years ago · f6d3b7a2ae
parent 954e9903ad
commit f6d3b7a2ae
51 changed files with 68 additions and 63 deletions
--- a/pkgs/applications/audio/cdparanoia/default.nix
+++ b/pkgs/applications/audio/cdparanoia/default.nix
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
    sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80";
  };

-  noHardening_format = true;
+  hardening_format = false;

  preConfigure = "unset CC";

--- a/pkgs/applications/audio/mpg321/default.nix
+++ b/pkgs/applications/audio/mpg321/default.nix
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
    sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
  };

-  noHardening_format = true;
+  hardening_format = false;

  configureFlags = [
    ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no"))
--- a/pkgs/applications/networking/browsers/w3m/default.nix
+++ b/pkgs/applications/networking/browsers/w3m/default.nix
@ -50,7 +50,7 @@ stdenv.mkDerivation rec {
    ln -s $out/libexec/w3m/w3mimgdisplay $out/bin
  '';

-  noHardening_format = true;
+  hardening_format = false;

  configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}"
    + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb";
--- a/pkgs/applications/version-management/git-and-tools/git/default.nix
+++ b/pkgs/applications/version-management/git-and-tools/git/default.nix
@ -21,7 +21,7 @@ stdenv.mkDerivation {
    sha256 = "03bvb8s5j8i54qbi3yayl42bv0wf2fpgnh1a2lkhbj79zi7b77zs";
  };

-  noHardening_format = true;
+  hardening_format = false;

  patches = [
    ./docbook2texi.patch
--- a/pkgs/applications/virtualization/xen/generic.nix
+++ b/pkgs/applications/virtualization/xen/generic.nix
@ -75,7 +75,7 @@ stdenv.mkDerivation {

  pythonPath = [ pythonPackages.curses ];

-  noHardening_all = true;
+  #hardening_all = false;

  patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches;

--- a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
    sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71";
  };

-  noHardening_format = true;
+  hardening_format = false;

  patches = [ ./glib.patch ./cups_1.6.patch ];

--- a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
@ -11,5 +11,5 @@ stdenv.mkDerivation {
  buildInputs = [ pkgconfig gtk gettext ];
  propagatedBuildInputs = [ libxml2 ];

-  noHardening_format = true;
+  hardening_format = false;
 }
--- a/pkgs/development/compilers/dev86/default.nix
+++ b/pkgs/development/compilers/dev86/default.nix
@ -8,7 +8,7 @@ stdenv.mkDerivation {
    sha256 = "33398b87ca85e2b69e4062cf59f2f7354af46da5edcba036c6f97bae17b8d00e";
  };

-  noHardening_format = true;
+  hardening_format = false;

  makeFlags = "PREFIX=$(out)";

--- a/pkgs/development/compilers/gcc/4.5/default.nix
+++ b/pkgs/development/compilers/gcc/4.5/default.nix
@ -134,7 +134,7 @@ stdenv.mkDerivation ({
    inherit langC langCC langFortran langJava langAda;
  };

-  noHardening_all = true;
+  #hardening_all = false;

  patches =
    [ ]
--- a/pkgs/development/compilers/gcc/4.9/default.nix
+++ b/pkgs/development/compilers/gcc/4.9/default.nix
@ -218,7 +218,7 @@ stdenv.mkDerivation ({

  inherit patches;

-  noHardening_format = true;
+  hardening_format = false;

  postPatch =
    if (stdenv.isGNU
--- a/pkgs/development/compilers/go/1.4.nix
+++ b/pkgs/development/compilers/go/1.4.nix
@ -20,7 +20,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ pcre ];
  propagatedBuildInputs = lib.optional stdenv.isDarwin Security;

-  noHardening_all = true;
+  #hardening_all = false;

  # I'm not sure what go wants from its 'src', but the go installation manual
  # describes an installation keeping the src.
--- a/pkgs/development/compilers/go/1.5.nix
+++ b/pkgs/development/compilers/go/1.5.nix
@ -29,7 +29,7 @@ stdenv.mkDerivation rec {
    Security Foundation
  ];

-  noHardening_all = true;
+  #hardening_all = false;

  # I'm not sure what go wants from its 'src', but the go installation manual
  # describes an installation keeping the src.
--- a/pkgs/development/haskell-modules/configuration-common.nix
+++ b/pkgs/development/haskell-modules/configuration-common.nix
@ -45,7 +45,7 @@ self: super: {
  options = dontCheck super.options;
  statistics = dontCheck super.statistics;
  c2hs = let c2hs_ = pkgs.stdenv.lib.overrideDerivation super.c2hs (drv: {
-        noHardening_format = true;
+        hardening_format = false;
        doCheck = false;
      });
    in if pkgs.stdenv.isDarwin then dontCheck c2hs_ else c2hs_;
--- a/pkgs/development/libraries/CoinMP/default.nix
+++ b/pkgs/development/libraries/CoinMP/default.nix
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
    sha256 = "0gqi2vqkg35gazzzv8asnhihchnbjcd6bzjfzqhmj7wy1dw9iiw6";
  };

-  noHardening_format = true;
+  hardening_format = false;

  meta = with stdenv.lib; {
    homepage = https://projects.coin-or.org/CoinMP/;
--- a/pkgs/development/libraries/audio/libbs2b/default.nix
+++ b/pkgs/development/libraries/audio/libbs2b/default.nix
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {

  buildInputs = [ pkgconfig libsndfile ];

-  noHardening_format = true;
+  hardening_format = false;

  meta = {
    homepage = "http://bs2b.sourceforge.net/";
--- a/pkgs/development/libraries/fribidi/default.nix
+++ b/pkgs/development/libraries/fribidi/default.nix
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
    sha256 = "0zg1hpaml34ny74fif97j7ngrshlkl3wk3nja3gmlzl17i1bga6b";
  };

-  noHardening_format = true;
+  hardening_format = false;

  meta = with stdenv.lib; {
    homepage = http://fribidi.org/;
--- a/pkgs/development/libraries/gd/default.nix
+++ b/pkgs/development/libraries/gd/default.nix
@ -12,7 +12,7 @@ stdenv.mkDerivation {

  propagatedBuildInputs = [libjpeg fontconfig]; # urgh

-  noHardening_format = true;
+  hardening_format = false;

  configureFlags = "--without-x";

--- a/pkgs/development/libraries/gettext/default.nix
+++ b/pkgs/development/libraries/gettext/default.nix
@ -10,7 +10,7 @@ stdenv.mkDerivation (rec {

  outputs = [ "out" "doc" ];

-  noHardening_format = true;
+  hardening_format = false;

  LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else "";

--- a/pkgs/development/libraries/giflib/libungif.nix
+++ b/pkgs/development/libraries/giflib/libungif.nix
@ -7,6 +7,6 @@ stdenv.mkDerivation {
    md5 = "efdfcf8e32e35740288a8c5625a70ccb";
  };

-  noHardening_format = true;
+  hardening_format = false;
 }

--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@ -214,7 +214,7 @@ stdenv.mkDerivation ({
 }

 // stdenv.lib.optionalAttrs (name == "glibc-locales") {
-  noHardening_stackprotector = true;
+  hardening_stackprotector = false;
 }

 // stdenv.lib.optionalAttrs (hurdHeaders != null) {
--- a/pkgs/development/libraries/glibc/default.nix
+++ b/pkgs/development/libraries/glibc/default.nix
@ -25,7 +25,8 @@ in

    builder = ./builder.sh;

-    noHardening_all = true;
+    hardening_stackprotector = false;
+    hardening_fortify = false;

    # When building glibc from bootstrap-tools, we need libgcc_s at RPATH for
    # any program we run, because the gcc will have been placed at a new
--- a/pkgs/development/libraries/gnu-efi/default.nix
+++ b/pkgs/development/libraries/gnu-efi/default.nix
@ -9,8 +9,6 @@ stdenv.mkDerivation rec {
    sha256 = "1jxlypkgb8bd1c114x96i699ib0glb5aca9dv56j377x2ldg4c65";
  };

-  noHardening_all = true;
-
  buildInputs = [ pciutils ];

  makeFlags = [
--- a/pkgs/development/libraries/libelf/default.nix
+++ b/pkgs/development/libraries/libelf/default.nix
@ -9,7 +9,7 @@ stdenv.mkDerivation (rec {
  };

  doCheck = true;
-  
+
  # For cross-compiling, native glibc is needed for the "gencat" program.
  crossAttrs = {
    nativeBuildInputs = [ glibc ];
--- a/pkgs/development/libraries/libgphoto2/default.nix
+++ b/pkgs/development/libraries/libgphoto2/default.nix
@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
  # These are mentioned in the Requires line of libgphoto's pkg-config file.
  propagatedBuildInputs = [ libexif ];

-  noHardening_format = true;
+  hardening_format = false;

  meta = {
    homepage = http://www.gphoto.org/proj/libgphoto2/;
--- a/pkgs/development/libraries/libvisual/default.nix
+++ b/pkgs/development/libraries/libvisual/default.nix
@ -10,7 +10,7 @@ stdenv.mkDerivation rec {

  buildInputs = [ pkgconfig glib ];

-  noHardening_format = true;
+  hardening_format = false;

  meta = {
    description = "An abstraction library for audio visualisations";
--- a/pkgs/development/libraries/pupnp/default.nix
+++ b/pkgs/development/libraries/pupnp/default.nix
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
    sha256 = "0amjv4lypvclmi4vim2qdyw5xa6v4x50zjgf682vahqjc0wjn55k";
  };

-  noHardening_all = true;
+  #hardening_all = false;

  meta = {
    description = "libupnp, an open source UPnP development kit for Linux";
--- a/pkgs/development/libraries/speechd/default.nix
+++ b/pkgs/development/libraries/speechd/default.nix
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {

  buildInputs = [ dotconf glib pkgconfig ];

-  noHardening_format = true;
+  hardening_format = false;

  meta = {
    description = "Common interface to speech synthesis";
--- a/pkgs/development/tools/misc/elfutils/default.nix
+++ b/pkgs/development/tools/misc/elfutils/default.nix
@ -12,7 +12,7 @@ stdenv.mkDerivation rec {

  patches = [ ./glibc-2.21.patch ];

-  noHardening_format = true;
+  hardening_format = false;

  # We need bzip2 in NativeInputs because otherwise we can't unpack the src,
  # as the host-bzip2 will be in the path.
--- a/pkgs/os-specific/linux/acpi-call/default.nix
+++ b/pkgs/os-specific/linux/acpi-call/default.nix
@ -9,7 +9,7 @@ stdenv.mkDerivation {
    sha256 = "0jl19irz9x9pxab2qp4z8c3jijv2m30zhmnzi6ygbrisqqlg4c75";
  };

-  noHardening_pic = true;
+  hardening_pic = false;

  preBuild = ''
    sed -e 's/break/true/' -i examples/turn_off_gpu.sh
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@ -33,7 +33,7 @@ stdenv.mkDerivation rec {
    sha256 = "16ii9sqracvh2r1gfzhmlypl269nnbkpvrwa7270k35d3bigk9h5";
  };

-  noHardening_format = true;
+  hardening_format = false;

  patches = [ ./busybox-in-store.patch ];

--- a/pkgs/os-specific/linux/gogoclient/default.nix
+++ b/pkgs/os-specific/linux/gogoclient/default.nix
@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
  makeFlags = ["target=linux"];
  installFlags = ["installdir=$(out)"];

-  noHardening_format = true;
+  hardening_format = false;

  buildInputs = [openssl];

--- a/pkgs/os-specific/linux/jool/default.nix
+++ b/pkgs/os-specific/linux/jool/default.nix
@ -9,7 +9,7 @@ stdenv.mkDerivation {

  src = sourceAttrs.src;

-  noHardening_pic = true;
+  hardening_pic = false;

  prePatch = ''
    sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i mod/*/Makefile
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@ -224,15 +224,15 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe
  nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null)
    (ubootChooser stdenv.platform.uboot);

-  noHardening_format = true;
-  noHardening_fortify = true;
-  noHardening_stackprotector = true;
+  hardening_format = false;
+  hardening_fortify = false;
+  hardening_stackprotector = false;

  makeFlags = commonMakeFlags ++ [
    "ARCH=${stdenv.platform.kernelArch}"
  ];

-  noHardening_pic = true;
+  hardening_pic = false;

  karch = stdenv.platform.kernelArch;

--- a/pkgs/os-specific/linux/kexectools/default.nix
+++ b/pkgs/os-specific/linux/kexectools/default.nix
@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
    sha256 = "1qrfka9xvy77k0rg3k0cf7xai0f9vpgsbs4l3bs8r4nvzy37j2di";
  };

-  noHardening_format = true;
+  hardening_format = false;

  buildInputs = [ zlib ];

--- a/pkgs/os-specific/linux/numad/default.nix
+++ b/pkgs/os-specific/linux/numad/default.nix
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
    sha256 = "08zd1yc3w00yv4mvvz5sq1gf91f6p2s9ljcd72m33xgnkglj60v4";
  };

-  noHardening_format = true;
+  hardening_format = false;

  patches = [
    ./numad-linker-flags.patch
--- a/pkgs/servers/gpm/default.nix
+++ b/pkgs/servers/gpm/default.nix
@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
  nativeBuildInputs = [ automake autoconf libtool flex bison texinfo ];
  buildInputs = [ ncurses ];

-  noHardening_format = true;
+  hardening_format = false;

  preConfigure = ''
    ./autogen.sh
--- a/pkgs/shells/dash/default.nix
+++ b/pkgs/shells/dash/default.nix
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
    sha256 = "03y6z8akj72swa6f42h2dhq3p09xasbi6xia70h2vc27fwikmny6";
  };

-  noHardening_format = true;
+  hardening_format = false;

  meta = {
    homepage = http://gondor.apana.org.au/~herbert/dash/;
--- a/pkgs/stdenv/adapters.nix
+++ b/pkgs/stdenv/adapters.nix
@ -239,16 +239,22 @@ rec {
  useHardenFlags = stdenv: stdenv //
    { mkDerivation = args: stdenv.mkDerivation (args // {
        NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "")
-          + stdenv.lib.optionalString (!(args.noHardening_all or false)) (
-            stdenv.lib.optionalString (!(args.noHardening_fortify or false)) " -O2 -D_FORTIFY_SOURCE=2"
-            + stdenv.lib.optionalString (!(args.noHardening_stackprotector or false)) " -fstack-protector-all"
-            + stdenv.lib.optionalString ((args.noHardening_pie or false) && true) " -fPIE -pie"
-            + stdenv.lib.optionalString (!(args.noHardening_pic or false)) " -fPIC"
-            + stdenv.lib.optionalString (!(args.noHardening_relro or false)) " -z relro"
-            + stdenv.lib.optionalString ((args.noHardening_bindnow or false) && true) " -z now"
-            + stdenv.lib.optionalString (!(args.noHardening_strictoverflow or false)) " -fno-strict-overflow"
-            + stdenv.lib.optionalString (!(args.noHardening_format or false)) " -Wformat -Wformat-security -Werror=format-security"
+          + stdenv.lib.optionalString (args.hardening_all or true) (
+            stdenv.lib.optionalString (args.hardening_fortify or true) " -O2 -D_FORTIFY_SOURCE=2"
+            + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-all"
+            + stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie"
+            + stdenv.lib.optionalString (args.hardening_pic or true) " -fPIC"
+            + stdenv.lib.optionalString (args.hardening_relro or true) " -Wl,-z,relro"
+            + stdenv.lib.optionalString (args.hardening_bindnow or true) " -Wl,-z,now"
+            + stdenv.lib.optionalString (args.hardening_strictoverflow or true) " -fno-strict-overflow"
+            + stdenv.lib.optionalString (args.hardening_format or true) " -Wformat -Wformat-security -Werror=format-security"
          );
+        NIX_LDFLAGS = toString (args.NIX_LDFLAGS or "")
+          + stdenv.lib.optionalString (args.hardening_all or true) (
+              stdenv.lib.optionalString (args.hardening_relro or true) " -z relro"
+            + stdenv.lib.optionalString (args.hardening_bindnow or true) " -z now"
+          );
+
      });
    };

--- a/pkgs/tools/admin/tightvnc/default.nix
+++ b/pkgs/tools/admin/tightvnc/default.nix
@ -13,7 +13,7 @@ stdenv.mkDerivation {
  inherit xauth fontDirectories perl;
  gcc = stdenv.cc.cc;

-  noHardening_format = true;
+  hardening_format = false;

  buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw
                  libXpm libXp xauth openssh ];
--- a/pkgs/tools/archivers/sharutils/default.nix
+++ b/pkgs/tools/archivers/sharutils/default.nix
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
    sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g";
  };

-  noHardening_format = true;
+  hardening_format = false;

  preConfigure = ''
     # Fix for building on Glibc 2.16.  Won't be needed once the
--- a/pkgs/tools/archivers/unzip/default.nix
+++ b/pkgs/tools/archivers/unzip/default.nix
@ -9,7 +9,7 @@ stdenv.mkDerivation {
    sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83";
  };

-  noHardening_format = true;
+  hardening_format = false;

  patches = [
    ./CVE-2014-8139.diff
--- a/pkgs/tools/archivers/zip/default.nix
+++ b/pkgs/tools/archivers/zip/default.nix
@ -13,7 +13,7 @@ stdenv.mkDerivation {
    sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h";
  };

-  noHardening_format = true;
+  hardening_format = false;

  makefile = "unix/Makefile";
  buildFlags = if stdenv.isCygwin then "cygwin" else "generic";
--- a/pkgs/tools/cd-dvd/cdrkit/default.nix
+++ b/pkgs/tools/cd-dvd/cdrkit/default.nix
@ -10,7 +10,7 @@ stdenv.mkDerivation rec {

  buildInputs = [cmake libcap zlib bzip2];

-  noHardening_format = true;
+  hardening_format = false;

  # efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244
  patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ];
--- a/pkgs/tools/graphics/graphviz/default.nix
+++ b/pkgs/tools/graphics/graphviz/default.nix
@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
    sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1";
  };

-  noHardening_all = true;
+  #hardening_all = false;

  patches =
    [ ./0001-vimdot-lookup-vim-in-PATH.patch
--- a/pkgs/tools/graphics/transfig/default.nix
+++ b/pkgs/tools/graphics/transfig/default.nix
@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
  buildInputs = [zlib libjpeg libpng imake];
  inherit libpng;

-  noHardening_format = true;
+  hardening_format = false;

  patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch];

--- a/pkgs/tools/misc/expect/default.nix
+++ b/pkgs/tools/misc/expect/default.nix
@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
  buildInputs = [ tcl ];
  nativeBuildInputs = [ makeWrapper ];

-  noHardening_format = true;
+  hardening_format = false;

  patchPhase = ''
    sed -i "s,/bin/stty,$(type -p stty),g" configure
--- a/pkgs/tools/misc/grub/2.0x.nix
+++ b/pkgs/tools/misc/grub/2.0x.nix
@ -52,7 +52,7 @@ stdenv.mkDerivation rec {
    ++ optional doCheck qemu
    ++ optional zfsSupport zfs;

-  noHardening_all = true;
+  hardening_all = false;

  preConfigure =
    '' for i in "tests/util/"*.in
--- a/pkgs/tools/misc/gummiboot/default.nix
+++ b/pkgs/tools/misc/gummiboot/default.nix
@ -5,7 +5,7 @@ stdenv.mkDerivation rec {

  buildInputs = [ gnu-efi pkgconfig libxslt utillinux ];

-  noHardening_all = true;
+  #hardening_all = false;

  # Sigh, gummiboot should be able to find this in buildInputs
  configureFlags = [
--- a/pkgs/tools/networking/iperf/2.nix
+++ b/pkgs/tools/networking/iperf/2.nix
@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
    sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3";
  };

-  noHardening_format = true;
+  hardening_format = false;

  meta = with stdenv.lib; {
    homepage = "http://sourceforge.net/projects/iperf/"; 
--- a/pkgs/tools/networking/vde2/default.nix
+++ b/pkgs/tools/networking/vde2/default.nix
@ -10,7 +10,7 @@ stdenv.mkDerivation rec {

  buildInputs = [ openssl libpcap python ];

-  noHardening_format = true;
+  hardening_format = false;

  meta = {
    homepage = http://vde.sourceforge.net/;
--- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix
+++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix
@ -64,7 +64,7 @@ core = stdenv.mkDerivation rec {
    perl
  ];

-  noHardening_format = true;
+  hardening_format = false;

  preConfigure = ''
    rm -r libs/{cairo,freetype2,gd,gmp,graphite2,harfbuzz,icu,libpaper,libpng} \