Commit graph

85406 commits

Author SHA1 Message Date
Joachim Fasting
637ec46fcc Merge pull request #16227 from romildo/upd.xfce
libxfce4ui: add libICE and libSM as propagated build inputs
2016-06-15 18:42:42 +02:00
Joachim Fasting
88db78f8ff Merge pull request #16233 from ambrop72/ccrcsim
crrcsim: 0.9.12 -> 0.9.13
2016-06-15 18:42:28 +02:00
Joachim Fasting
7b08c5cb3a Merge pull request #16242 from arkency/buildkite-agent-2.1.13
buildkite-agent: 2.1.8 ~> 2.1.13
2016-06-15 18:40:21 +02:00
Peter Simons
7c09b6c3ef Merge pull request #16250 from YPares/master
haskell: generic-stack-builder was missing an env var
2016-06-15 17:54:04 +02:00
Peter Simons
ae854ce14f Merge pull request #16249 from nathan7/git-2.9.0
git: 2.8.3 -> 2.9.0
2016-06-15 17:50:11 +02:00
YPares
3868cad832 haskell: generic-stack-builder sets an env var
generic-stack-builder was not setting STACK_PLATFORM_VARIANT="nix".
This is required by stack when handling its haskell packages database
snapshot. Stack must keep separated packages built with its own GHC
and those built with GHC from Nixpkgs.
2016-06-15 17:08:41 +02:00
Nathan Zadoks
8d3df9f6c4 git: 2.8.3 -> 2.9.0 2016-06-15 10:56:29 -04:00
zimbatm
285aee3c12 protobuf3_0: 3.0.0-beta-2 -> 3.0.0-beta-3.1 2016-06-15 14:54:26 +01:00
Ambroz Bizjak
7102c3c0c4 cura: Fix breakage due to numpy change. (#16234)
Upstream bug report: https://github.com/daid/Cura/issues/1461
2016-06-15 13:42:32 +01:00
Paweł Pacana
f3d202150c buildkite-agent: 2.1.8 ~> 2.1.13 2016-06-15 11:52:04 +02:00
Wout Mertens
3bbdfe5df7 Merge pull request #16232 from matthewbauer/makeself-fix-header
makeself: header wasn't being patched correctly
2016-06-15 09:44:33 +02:00
Rushmore Mushambi
48de566e54 Merge pull request #16231 from rushmorem/lizardfs
lizardfs: init at 3.9.4
2016-06-15 04:48:21 +02:00
rushmorem
c4435493aa lizardfs: init at 3.9.4
LizardFS is a highly reliable, scalable and efficient distributed file
system.
2016-06-15 04:23:44 +02:00
Arseniy Seroka
06027595fc vimPlugins: update 2016-06-15 2016-06-15 00:03:59 +03:00
Robert Helgesson
34ebc3c085 perl-CGI: 4.28 -> 4.31 2016-06-14 22:13:38 +02:00
Robert Helgesson
b0e02cecb6 perl-PDF-API2: 2.027 -> 2.028 2016-06-14 22:13:21 +02:00
Robert Helgesson
4a69b81213 perl-Readonly: 2.04 -> 2.05 2016-06-14 22:13:07 +02:00
Ambroz Bizjak
b422df0e99 crrcsim: 0.9.12 -> 0.9.13 2016-06-14 21:50:53 +02:00
Matthew Bauer
a221ff5569 makeself: header wasn't being patched correctly 2016-06-14 19:17:29 +00:00
Robert Helgesson
2968db5b7b perl-Crypt-JWT: 0.011 -> 0.017 2016-06-14 20:43:04 +02:00
Robert Helgesson
3d1eea2225 perl-CryptX: 0.035 -> 0.036 2016-06-14 20:42:43 +02:00
Robert Helgesson
ee0684fa1e perl-Math-BigInt: 1.999722 -> 1.999723 2016-06-14 20:41:21 +02:00
Tobias Geerinckx-Rice
9f996d6406 tzdata: 2016d -> 2016e 2016-06-14 18:27:57 +02:00
Tobias Geerinckx-Rice
156a14d153 geolite-legacy: 2016-06-08 -> 2016-06-13 2016-06-14 18:27:56 +02:00
Lluís Batlle i Rossell
93912d99d2 Adding nvenc support to ffmpeg (default off)
I add the nvidia-video-sdk header files, required to make it work.

You have to set nvenct=true to ffmpeg-full and nonfreeLicensing=true to
ffmpeg-full to use this.
2016-06-14 17:51:55 +02:00
José Romildo Malaquias
e72d29020c libxfce4ui: add libICE and libSM as propagated build inputs 2016-06-14 11:53:11 -03:00
José Romildo Malaquias
370cc4f44f libxfce4ui: use nativeBuildInputs for dependencies not needed at runtime 2016-06-14 11:51:04 -03:00
Arseniy Seroka
186a6a207d Merge pull request #16222 from kamilchm/rework-go
Fixes #16181 - using bin output for Go services
2016-06-14 17:19:17 +03:00
Joachim Fasting
c94f4f85c5 Merge pull request #16226 from bobvanderlinden/fix-lsyncd
lsyncd: removed support for Darwin
2016-06-14 15:04:48 +02:00
Joachim Fasting
f04291abe5 Merge pull request #16138 from romildo/upd.arc
arc-gtk-theme-git: 2016-06-02 -> 2016-06-06
2016-06-14 15:04:18 +02:00
Joachim Fasting
d27006b82b dnscrypt-wrapper: 0.2 -> 0.2.1 2016-06-14 14:22:18 +02:00
Joachim Fasting
130b06eb0b grsecurity: 4.5.7-201606080852 -> 4.5.7-201606110914 2016-06-14 14:18:01 +02:00
Peter Simons
39d657ec04 Merge pull request #16167 from rasendubi/ghc-docs
GHC: Split docs
2016-06-14 12:32:42 +02:00
José Romildo Malaquias
1f77d3cd09 idea.idea-{community,ultimate}: 2016.1.2 -> 2016.1.3
(cherry picked from commit a6fd3e8680ff3da7ddc55c8d8dfd38e17f9fcd1f)
2016-06-14 12:28:27 +02:00
Edward Tjörnhammar
efb519d2f4 i2pd: 2.6.0 -> 2.7.0 2016-06-14 12:28:27 +02:00
Luca Bruno
63b2bf108d Merge pull request #16224 from aneeshusa/enable-multiple-outputs-for-tmux
tmux: enable multiple outputs
2016-06-14 10:57:18 +02:00
Bob van der Linden
61431e239b lsyncd: removed support for Darwin 2016-06-14 10:46:56 +02:00
Moritz Ulrich
dc3cfbbe0f Merge pull request #16225 from hiberno/update-rofi-pass
rofi-pass: 1.3.1 -> 1.3.2
2016-06-14 10:31:17 +02:00
Christian Lask
4e59526bf4 rofi-pass: 1.3.1 -> 1.3.2
Note: You'll need to add the `_rofi` command to your config of rofi-pass
to make this release work. Refer to config.example for an example of
how this might look. For more information on this change, see
75cf715158.
2016-06-14 10:07:59 +02:00
Joachim Fasting
886c03ad2e Merge pull request #16107 from joachifm/grsec-ng
Rework grsecurity support
2016-06-14 03:52:50 +02:00
Joachim Fasting
7bda8f0a8f grsecurity: add a xen guest kernel
This is for the benefit of users who want to quickly get up and running
on a Xen host, for which the stock NixOS kernel is likely unsuitable.
2016-06-14 03:38:19 +02:00
Joachim Fasting
544b42f8f5 top-level/release.nix: remove obsolete grsec jobs 2016-06-14 03:38:19 +02:00
Joachim Fasting
dae5f53d25 qemu: apply PaX markings 2016-06-14 03:38:18 +02:00
Joachim Fasting
09cf92ccee nixos: flesh out the grsecurity test suite
I've failed to figure out why `paxtest blackhat` hangs the vm, and
have resigned to running individual `paxtest` programs.  This provides
limited coverage, but at least verifies that some important features are
in fact working.

Ideas for future work include a subtest for basic desktop
functionality.
2016-06-14 03:38:18 +02:00
Joachim Fasting
a53452f3e1 nixos: remove the grsecurity GID
This GID was used to exempt users from Grsecurity's
`/proc` restrictions; we now prefer to rely on
`security.hideProcessInformation`, which uses the `proc` group
for this purpose.  That leaves no use for the grsecurity GID.

More generally, having only a single GID to, presumably, serve as the
default for all of grsecurity's GID based exemption/restriction schemes
would be problematic in any event, so if we decide to enable those
grsecurity features in the future, more specific GIDs should be added.
2016-06-14 03:38:17 +02:00
Joachim Fasting
0677cc61c8 nixos: rewrite the grsecurity module
The new module is specifically adapted to the NixOS Grsecurity/PaX
kernel.  The module declares the required kernel configurations and
so *should* be somewhat compatible with custom Grsecurity kernels.

The module exposes only a limited number of options, minimising the need
for user intervention beyond enabling the module. For experts,
Grsecurity/PaX behavior may be configured via `boot.kernelParams` and
`boot.kernel.sysctl`.

The module assumes the user knows what she's doing (esp. if she decides
to modify configuration values not directly exposed by the module).

Administration of Grsecurity's role based access control system is yet
to be implemented.
2016-06-14 03:38:12 +02:00
Joachim Fasting
3123c7df37 Merge pull request #16204 from vrthra/mlterm
mlterm: Disable darwin compilation
2016-06-14 03:09:46 +02:00
Tuomas Tynkkynen
7ae1e9bb6d multi_v7_defconfig: Enable AHCI_IMX 2016-06-14 01:31:57 +03:00
Joachim Fasting
75b9a7beac grsecurity: implement a single NixOS kernel
This patch replaces the old grsecurity kernels with a single NixOS
specific grsecurity kernel.  This kernel is intended as a general
purpose kernel, tuned for casual desktop use.

Providing only a single kernel may seem like a regression compared to
offering a multitude of flavors.  It is impossible, however, to
effectively test and support that many options.  This is amplified by
the reality that very few seem to actually use grsecurity on NixOS,
meaning that bugs go unnoticed for long periods of time, simply because
those code paths end up never being exercised.  More generally, it is
hopeless to anticipate imagined needs.  It is better to start from a
solid foundation and possibly add more flavours on demand.

While the generic kernel is intended to cover a wide range of use cases,
it cannot cover everything.  For some, the configuration will be either
too restrictive or too lenient.  In those cases, the recommended
solution is to build a custom kernel --- this is *strongly* recommended
for security sensitive deployments.

Building a custom grsec kernel should be as simple as
```nix
linux_grsec_nixos.override {
  extraConfig = ''
    GRKERNSEC y
    PAX y
    # and so on ...
  '';
}
```

The generic kernel should be usable both as a KVM guest and host.  When
running as a host, the kernel assumes hardware virtualisation support.
Virtualisation systems other than KVM are *unsupported*: users of
non-KVM systems are better served by compiling a custom kernel.

Unlike previous Grsecurity kernels, this configuration disables `/proc`
restrictions in favor of `security.hideProcessInformation`.

Known incompatibilities:
- ZFS: can't load spl and zfs kernel modules; claims incompatibility
  with KERNEXEC method `or` and RAP; changing to `bts` does not fix the
  problem, which implies we'd have to disable RAP as well for ZFS to
  work
- `kexec()`: likely incompatible with KERNEXEC (unverified)
- Xen: likely incompatible with KERNEXEC and UDEREF (unverified)
- Virtualbox: likely incompatible with UDEREF (unverified)
2016-06-14 00:08:20 +02:00
Kamil Chmielewski
437ea9fd37 Fixes #16181 - using bin output for Go services 2016-06-13 23:32:16 +02:00