Since firefox 58.0.1 the google api key is now stored at an absolute
path ($TMPDIR/ga). Since variable expansion in `configureFlags` does not
really work (as expected) the build started failing when using the
legacy firefox build system. With the newer `./mach` based builds
firefox reads the configure flags from `.mozconfig` instead.

This commit moves the `with-google-api-keyfile=` setting into the
`preConfigure` phase where we can properly expand `$TMPDIR` into
whatever the path is.

As stated by Sylvestre Ledru (@sylvestre) on Nov 22, 2017 at
https://github.com/NixOS/nixpkgs/issues/31843#issuecomment-346372756 we
have permission to use the official firefox branding.

For purposes of documentation, the statement of @sylvestre:

> As the person who did part of the work described in the LWN article
> and release manager working for Mozilla, I can confirm the statement
> that I made in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815006
>
> @garbas shared with me the list of patches applied for the Nix package.
> As they are just for portability and tiny modifications, they don't
> alter the experience of the product. In parallel, Rok also shared the
> build options. They seem good (even if I cannot judge the quality of the
> packaging of the underlying dependencies like sqlite, png, etc).
> Therefore, as long as you keep the patch queue sane and you don't alter
> the experience of Firefox users, you won't have any issues using the
> official branding.

This is already tracked in upstream issue mumble-voip/mumble#3281 and a
fix has been merged in mumble-voip/mumble@caa187373e.
The patch I'm adding here is using the merged commit
mumble-voip/mumble@ea861fe867 and I've
only added it for the stable release because the patch is already
included in the git version.
@pbogdan also had a similar commit to this
(pbogdan/nixpkgs@8029edea29), but the
patch was applied to both stable and git and thus the git version would
have been broken.
Tested by building mumble and mumble_git and running the mumble NixOS VM
test.

Signed-off-by: aszlig <aszlig@nix.build>
Cc: @viric, @jgeerds, @abbradar
Fixes: #33655

The CVE patches weren't previously applied because they depend on the
enableCopyDevicesPatch parameter. The naming of the patches attribute in
base.nix was misleading.
The new rsync release now really fixes:
* CVE-2017-15994
* CVE-2017-16548
* CVE-2017-17433
* CVE-2017-17434