From 8bd4d8ee663ff4a61c6f80b0f02e1c9d5dbd5c8d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20de=20Kok?= Date: Sun, 18 Apr 2021 10:44:09 +0200 Subject: [PATCH 1/7] cudnn_cudatoolkit_11_0: 8.1.0 -> 8.1.1 Changelog: https://docs.nvidia.com/deeplearning/cudnn/release-notes/rel_8.html#rel-811 --- pkgs/development/libraries/science/math/cudnn/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/development/libraries/science/math/cudnn/default.nix b/pkgs/development/libraries/science/math/cudnn/default.nix index b8aac46d9194..d8e68a48cbfb 100644 --- a/pkgs/development/libraries/science/math/cudnn/default.nix +++ b/pkgs/development/libraries/science/math/cudnn/default.nix @@ -53,12 +53,12 @@ in rec { cudnn_cudatoolkit_10 = cudnn_cudatoolkit_10_2; cudnn_cudatoolkit_11_0 = generic rec { - version = "8.1.0"; + version = "8.1.1"; cudatoolkit = cudatoolkit_11_0; # 8.1.0 is compatible with CUDA 11.0, 11.1, and 11.2: # https://docs.nvidia.com/deeplearning/cudnn/support-matrix/index.html#cudnn-cuda-hardware-versions - srcName = "cudnn-11.2-linux-x64-v8.1.0.77.tgz"; - sha256 = "sha256-2+gvrwcdkbqbzwBIAUatM/RiSC3+5WyvRHnBuNq+Pss="; + srcName = "cudnn-11.2-linux-x64-v8.1.1.33.tgz"; + sha256 = "sha256-mKh4TpKGLyABjSDCgbMNSgzZUfk2lPZDPM9K6cUCumo="; }; cudnn_cudatoolkit_11_1 = cudnn_cudatoolkit_11_0.override { From 7475b12169f459dec709c7e25c46abc4e393d4b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dani=C3=ABl=20de=20Kok?= Date: Sun, 18 Apr 2021 10:53:22 +0200 Subject: [PATCH 2/7] cudnn_cudatoolkit: accept `hash` attribute for SRI hashes --- .../libraries/science/math/cudnn/default.nix | 2 +- .../libraries/science/math/cudnn/generic.nix | 13 +++++++++---- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/pkgs/development/libraries/science/math/cudnn/default.nix b/pkgs/development/libraries/science/math/cudnn/default.nix index d8e68a48cbfb..f5518813cdc5 100644 --- a/pkgs/development/libraries/science/math/cudnn/default.nix +++ b/pkgs/development/libraries/science/math/cudnn/default.nix @@ -58,7 +58,7 @@ in rec { # 8.1.0 is compatible with CUDA 11.0, 11.1, and 11.2: # https://docs.nvidia.com/deeplearning/cudnn/support-matrix/index.html#cudnn-cuda-hardware-versions srcName = "cudnn-11.2-linux-x64-v8.1.1.33.tgz"; - sha256 = "sha256-mKh4TpKGLyABjSDCgbMNSgzZUfk2lPZDPM9K6cUCumo="; + hash = "sha256-mKh4TpKGLyABjSDCgbMNSgzZUfk2lPZDPM9K6cUCumo="; }; cudnn_cudatoolkit_11_1 = cudnn_cudatoolkit_11_0.override { diff --git a/pkgs/development/libraries/science/math/cudnn/generic.nix b/pkgs/development/libraries/science/math/cudnn/generic.nix index d9c19e6790c6..f5a4fac1a908 100644 --- a/pkgs/development/libraries/science/math/cudnn/generic.nix +++ b/pkgs/development/libraries/science/math/cudnn/generic.nix @@ -1,8 +1,11 @@ { version , srcName -, sha256 +, hash ? null +, sha256 ? null }: +assert (hash != null) || (sha256 != null); + { stdenv , lib , cudatoolkit @@ -22,11 +25,13 @@ stdenv.mkDerivation { name = "cudatoolkit-${cudatoolkit.majorVersion}-cudnn-${version}"; inherit version; - src = fetchurl { + + src = let + hash_ = if hash != null then { inherit hash; } else { inherit sha256; }; + in fetchurl ({ # URL from NVIDIA docker containers: https://gitlab.com/nvidia/cuda/blob/centos7/7.0/runtime/cudnn4/Dockerfile url = "https://developer.download.nvidia.com/compute/redist/cudnn/v${version}/${srcName}"; - inherit sha256; - }; + } // hash_); nativeBuildInputs = [ addOpenGLRunpath ]; From fef20991e894dea59f4522b272e57124227492ec Mon Sep 17 00:00:00 2001 From: "R. RyanTM" Date: Fri, 30 Apr 2021 19:37:43 +0000 Subject: [PATCH 3/7] macchina: 0.6.9 -> 0.7.2 --- pkgs/tools/misc/macchina/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/misc/macchina/default.nix b/pkgs/tools/misc/macchina/default.nix index d975e02d5ac4..42a83f91df6d 100644 --- a/pkgs/tools/misc/macchina/default.nix +++ b/pkgs/tools/misc/macchina/default.nix @@ -2,16 +2,16 @@ rustPlatform.buildRustPackage rec { pname = "macchina"; - version = "0.6.9"; + version = "0.7.2"; src = fetchFromGitHub { owner = "Macchina-CLI"; repo = pname; rev = "v${version}"; - sha256 = "sha256-y23gpYDnYoiTJcNyWKslVenPTXcCrOvxq+0N9PjQN3g="; + sha256 = "sha256-ICiU0emo5lEs6996TwkauuBWb2+Yy6lL+/x7zQgO470="; }; - cargoSha256 = "sha256-jfLj8kLBG6AeeYo421JCl1bMqWwOGiwQgv7AEomtFcY="; + cargoSha256 = "sha256-OfOh0YXeLT/kBuR9SOV7pHa8Z4b6+JvtVwqqwd1hCJY="; nativeBuildInputs = [ installShellFiles ]; From f722f8d518a6b5048219eacbd2e4bf26bb48c300 Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Sat, 1 May 2021 09:46:26 +0200 Subject: [PATCH 4/7] postgresql_jdbc: 42.2.5 -> 42.2.20 Fixes CVE-2020-13692. --- pkgs/development/java-modules/postgresql_jdbc/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/development/java-modules/postgresql_jdbc/default.nix b/pkgs/development/java-modules/postgresql_jdbc/default.nix index e7968cf80c0a..524273e080fe 100644 --- a/pkgs/development/java-modules/postgresql_jdbc/default.nix +++ b/pkgs/development/java-modules/postgresql_jdbc/default.nix @@ -2,19 +2,21 @@ stdenv.mkDerivation rec { pname = "postgresql-jdbc"; - version = "42.2.5"; + version = "42.2.20"; src = fetchMavenArtifact { artifactId = "postgresql"; groupId = "org.postgresql"; - sha256 = "1p0cbb7ka41xxipzjy81hmcndkqynav22xyipkg7qdqrqvw4dykz"; + sha256 = "0kjilsrz9shymfki48kg1q84la1870ixlh2lnfw347x8mqw2k2vh"; inherit version; }; phases = [ "installPhase" ]; installPhase = '' + runHook preInstall install -m444 -D $src/share/java/*postgresql-${version}.jar $out/share/java/postgresql-jdbc.jar + runHook postInstall ''; meta = with lib; { From 2ec00820e6ae1079f4facc362a03a3a2a16c2712 Mon Sep 17 00:00:00 2001 From: "R. RyanTM" Date: Sat, 1 May 2021 08:30:14 +0000 Subject: [PATCH 5/7] cgal_5: 5.2 -> 5.2.1 --- pkgs/development/libraries/CGAL/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/CGAL/default.nix b/pkgs/development/libraries/CGAL/default.nix index 7ff9ac43343e..bd8edc14a8bb 100644 --- a/pkgs/development/libraries/CGAL/default.nix +++ b/pkgs/development/libraries/CGAL/default.nix @@ -8,13 +8,13 @@ stdenv.mkDerivation rec { pname = "cgal"; - version = "5.2"; + version = "5.2.1"; src = fetchFromGitHub { owner = "CGAL"; repo = "releases"; rev = "CGAL-${version}"; - sha256 = "1+ov1fu79MXoW0D8odInMZPFMYg69st//PoMW42oXpA="; + sha256 = "sha256-sJyeehgt84rLX8ZBYIbFgHLG2aJDDHEj5GeVnQhjiOQ="; }; # note: optional component libCGAL_ImageIO would need zlib and opengl; From ada3e19b7a20424381a75e109ced34e59054e1d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Sat, 1 May 2021 11:01:38 +0200 Subject: [PATCH 6/7] prs: 0.2.10 -> 0.2.11 (#121314) https://gitlab.com/timvisee/prs/-/blob/v0.2.11/CHANGELOG.md#0211-2021-04-30 --- pkgs/tools/security/prs/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/tools/security/prs/default.nix b/pkgs/tools/security/prs/default.nix index 42332e40cc3b..6d97958ec78c 100644 --- a/pkgs/tools/security/prs/default.nix +++ b/pkgs/tools/security/prs/default.nix @@ -13,16 +13,16 @@ rustPlatform.buildRustPackage rec { pname = "prs"; - version = "0.2.10"; + version = "0.2.11"; src = fetchFromGitLab { owner = "timvisee"; repo = "prs"; rev = "v${version}"; - sha256 = "sha256-czGyBdy4emw7bUV6Nn+k+fJm+JqR6o0TEEUuIbEsml4="; + sha256 = "sha256-jBHe3ZeB+GS+Ds8c6ySwoyyJfqoCWKSgIObg+z1TNmU="; }; - cargoSha256 = "sha256-jnBYuk7uvnbvT2OQ35DJk6WIUSqJiZCvsmpSIxw9X1U="; + cargoSha256 = "sha256-dhQuzzML817cDIsYuZElHZfq55AdZ20xeXTNm1nJPqk="; postPatch = '' # The GPGME backend is recommended From c49a518f9f9b175a8689f48e253fa4bc0c1fb401 Mon Sep 17 00:00:00 2001 From: Alyssa Ross Date: Sat, 1 May 2021 00:22:19 +0000 Subject: [PATCH 7/7] qemu: 5.2.0 -> 6.0.0; adopt; broaden platforms Tested building qemu_kvm, qemu_full, and qemu_test on x86_64-linux. Also tested booting a VM generated with nixos-rebuild build-vm. I wasn't able to test building pkgsMusl.qemu_kvm, because of many build failures in dependencies. --- .../virtualization/qemu/default.nix | 130 +----------------- 1 file changed, 6 insertions(+), 124 deletions(-) diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix index c3484a3312cf..0c7cbd853a29 100644 --- a/pkgs/applications/virtualization/qemu/default.nix +++ b/pkgs/applications/virtualization/qemu/default.nix @@ -39,7 +39,7 @@ let in stdenv.mkDerivation rec { - version = "5.2.0"; + version = "6.0.0"; pname = "qemu" + lib.optionalString xenSupport "-xen" + lib.optionalString hostCpuOnly "-host-cpu-only" @@ -47,7 +47,7 @@ stdenv.mkDerivation rec { src = fetchurl { url= "https://download.qemu.org/qemu-${version}.tar.xz"; - sha256 = "1g0pvx4qbirpcn9mni704y03n3lvkmw2c0rbcwvydyr8ns4xh66b"; + sha256 = "1f9hz8rf12jm8baa7kda34yl4hyl0xh0c4ap03krfjx23i3img47"; }; nativeBuildInputs = [ python python.pkgs.sphinx pkg-config flex bison meson ninja ] @@ -84,126 +84,6 @@ stdenv.mkDerivation rec { patches = [ ./fix-qemu-ga.patch ./9p-ignore-noatime.patch - (fetchpatch { - name = "CVE-2020-27821.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/memory-clamp-cached-translation-if-points-to-MMIO-region-CVE-2020-27821.patch"; - sha256 = "0sj0kr0g6jalygr5mb9i17fgr491jzaxvk3dvala0268940s01x9"; - }) - (fetchpatch { - name = "CVE-2021-20221.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/arm_gic-fix-interrupt-ID-in-GICD_SGIR-CVE-2021-20221.patch"; - sha256 = "1iyvcw87hzlc57fg5l87vddqmch8iw2yghk0s125hk5shn1bygjq"; - }) - (fetchpatch { - name = "CVE-2021-20181.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/9pfs-Fully-restart-unreclaim-loop-CVE-2021-20181.patch"; - sha256 = "149ifiazj6rn4d4mv2c7lcayq744fijsv5abxlb8bhbkj99wd64f"; - }) - (fetchpatch { - name = "CVE-2020-35517.part-1.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/virtiofsd-extract-lo_do_open-from-lo_open.patch"; - sha256 = "0j4waaz6q54by4a7vd5m8s2n8y0an9hqf0ndycxsy03g4ksm669d"; - }) - (fetchpatch { - name = "CVE-2020-35517.part-2.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/virtiofsd-optionally-return-inode-pointer-from-lo_do_lookup.patch"; - sha256 = "08bag890r6dx2rhnq58gyvsxvzwqgvn83pjlg95b5ic0z6gyjnsg"; - }) - (fetchpatch { - name = "CVE-2020-35517.part-3.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/virtiofsd-prevent-opening-of-special-files-CVE-2020-35517.patch"; - sha256 = "0ziy6638zbkn037l29ywirvgymbqq66l5rngg8iwyky67acilv94"; - }) - (fetchpatch { - name = "CVE-2021-20263.part-1.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/virtiofsd-save-error-code-early-at-the-failure-callsite.patch"; - sha256 = "15rwb15yjpclrqaxkhx76npr8zlfm9mj4jb19czg093is2cn4rys"; - }) - (fetchpatch { - name = "CVE-2021-20263.part-2.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/virtiofsd-drop-remapped-security.capability-xattr-as-needed-CVE-2021-20263.patch"; - sha256 = "06ylz80ilg30wlskd4dsjx677fp5qr8cranwlakvjhr88b630xw0"; - }) - (fetchpatch { - name = "CVE-2021-3416.part-1.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-introduce.patch"; - sha256 = "0hcpf00vqpg9rc0wl8cry905w04614843aqifybyv15wbv190gpz"; - }) - (fetchpatch { - name = "CVE-2021-3416.part-2.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-cadence_gem.patch"; - sha256 = "12mjnrvs6p4g5frzqb08k4h86hphdqlka91fcma2a3m4ap98nrxy"; - }) - (fetchpatch { - name = "CVE-2021-3416.part-3.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-dp8393x.patch"; - sha256 = "02z6q0578fj55phjlg2larrsx3psch2ixzy470yf57jl3jq1dy6k"; - }) - (fetchpatch { - name = "CVE-2021-3416.part-4.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-e1000.patch"; - sha256 = "0zzbiz8i9js524mcdi739c7hrsmn82gnafrygi0xrd5sqf1hp08z"; - }) - (fetchpatch { - name = "CVE-2021-3416.part-5.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-lan9118.patch"; - sha256 = "1f44v5znd9s7l7wgc71nbg8jw1bjqiga4wkz7d7cpnkv3l7b9kjj"; - }) - (fetchpatch { - name = "CVE-2021-3416.part-6.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-msf2.patch"; - sha256 = "04n1rzn6gfxdalp34903ysdhlvxqkfndnqayjj3iv1k27i5pcidn"; - }) - (fetchpatch { - name = "CVE-2021-3416.part-7.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-pcnet.patch"; - sha256 = "1p9ls6f8r6hxprj8ha6278fydcxj3av29p1hvszxmabazml2g7l2"; - }) - (fetchpatch { - name = "CVE-2021-3416.part-8.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-rtl8139.patch"; - sha256 = "0lms1zn49kpwblkp54widjjy7fwyhdh1x832l1jvds79l2nm6i04"; - }) - (fetchpatch { - name = "CVE-2021-3416.part-9.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-sungem.patch"; - sha256 = "1mkzyrgsp9ml9yqzjxdfqnwjr7n0fd8vxby4yp4ksrskyni8y0p4"; - }) - (fetchpatch { - name = "CVE-2021-3416.part-10.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-tx_pkt-iov.patch"; - sha256 = "1pwqq8yw06y3p6hah3dgjhsqzk802wbn7zyajla1zwdfpic63jss"; - }) - (fetchpatch { - name = "CVE-2021-3409.part-1.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/sdhci/dont-transfer-any-data-when-command-time-out.patch"; - sha256 = "0wf1yhb9mqpfgh9rv0hff0v1sw3zl2vsfgjrby4r8jvxdfjrxj8s"; - }) - (fetchpatch { - name = "CVE-2021-3409.part-2.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/sdhci/dont-write-to-SDHC_SYSAD-register-when-transfer-is-in-progress.patch"; - sha256 = "1dd405dsdc7fbp68yf6f32js1azsv3n595c6nbxh28kfh9lspx4v"; - }) - (fetchpatch { - name = "CVE-2021-3409.part-3.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/sdhci/correctly-set-the-controller-status-for-ADMA.patch"; - sha256 = "08jk51pfrbn1zfymahgllrzivajh2v2qx0868rv9zmgi0jldbky6"; - }) - (fetchpatch { - name = "CVE-2021-3409.part-4.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/sdhci/limit-block-size-only-when-SDHC_BLKSIZE-register-is-writable.patch"; - sha256 = "1valfhw3l83br1cny6n4kmrv0f416hl625mggayqfz4prsknyhh7"; - }) - (fetchpatch { - name = "CVE-2021-3409.part-5.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/sdhci/reset-the-data-pointer-of-s-fifo_buffer-when-a-different-block-size-is-programmed.patch"; - sha256 = "01p5qrr00rh3mlwrp3qq56h7yhqv0w7pw2cw035nxw3mnap03v31"; - }) - (fetchpatch { - name = "CVE-2021-3392.patch"; - url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/mptsas-remove-unused-MPTSASState.pending-CVE-2021-3392.patch"; - sha256 = "0n7dn2p102c21mf3ncqrnks0wl5kas6yspafbn8jd03ignjgc4hd"; - }) ] ++ optional nixosTestRunner ./force-uid0-on-9p.patch ++ optionals stdenv.hostPlatform.isMusl [ (fetchpatch { @@ -234,6 +114,8 @@ stdenv.mkDerivation rec { patchShebangs . # avoid conflicts with libc++ include for mv VERSION QEMU_VERSION + substituteInPlace configure \ + --replace '$source_path/VERSION' '$source_path/QEMU_VERSION' substituteInPlace meson.build \ --replace "'VERSION'" "'QEMU_VERSION'" '' + optionalString stdenv.hostPlatform.isMusl '' @@ -304,7 +186,7 @@ stdenv.mkDerivation rec { homepage = "http://www.qemu.org/"; description = "A generic and open source machine emulator and virtualizer"; license = licenses.gpl2Plus; - maintainers = with maintainers; [ eelco ]; - platforms = platforms.linux ++ platforms.darwin; + maintainers = with maintainers; [ eelco qyliss ]; + platforms = platforms.unix; }; }