What this allows us to do is define a "dumpcap" setuid wrapper in NixOS
and have wireshark use that instead of the non-setuid dumpcap binary
that it normally uses.
As far as I can tell, the code that is changed to do lookup in PATH is
only used by wireshark/tshark to find dumpcap. dumpcap, the thing that's
typically setuid, is not affected by this patch. wireshark and tshark
should *not* be installed setuid, so the fact that they now do lookup in
PATH is not a security concern.
With this commit, and the following config, only "root" and users in the
"wireshark" group will have access to capturing network traffic with
wireshark/dumpcap:
environment.systemPackages = [ pkgs.wireshark ];
security.setuidOwners = [
{ program = "dumpcap";
owner = "root";
group = "wireshark";
setuid = true;
setgid = false;
permissions = "u+rx,g+x";
}
];
users.extraGroups.wireshark.gid = 500;
(This wouldn't have worked before, because then wireshark would not use
our setuid dumpcap binary.)
This makes running wireshark (or more specifically, dumpcap) as root a
bit more secure. From <wireshark-1.11.2>/doc/README.packaging:
The "--with-libcap" option is only useful when dumpcap is installed
setuid. If it is enabled dumpcap will try to drop any setuid privileges
it may have while retaining the CAP_NET_ADMIN and CAP_NET_RAW
capabilities. It is enabled by default, if the Linux capabilities
library (on which it depends) is found.
This implements some longstanding work of getting the Chromium
derivation more modular. Unfortunately, I didn't manage to decrease the
compile time, which was one of the primary goal for doing the refactor.
A main reason this didn't work out well was the fact that most bundled
libraries are so heavily patched that it's not possible within a limited
time frame to decouple it from the main derivation.
However, it should now be easier to build other derivations that build
upon Chromium, like libcef. Also, it finally adds support for the
non-free PepperAPI Flash and PDF plugins and support for fetching the
corresponding versions through the updater.
The packageName attribute defines the output path and binary name of the
product that's going to be created, so we really want to have "chromium"
instead of "chromium-browser" here, especially for the resulting binary.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We already have a desktop icon from the browser wrapper, so this is only
for people who do not use the wrapper (for example if you don't want to
use Mozilla plugins).
Also, we someday might want to propagate the desktop item to the browser
wrapper as well.
Conflicts:
pkgs/applications/networking/browsers/chromium/default.nix
Yes, it's just a comment and yes, it's so insignificant that everyone
would make a "O_o" face. But I'm getting annoyed by things like this.
Obviously that means no feature changes :-)
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is to ensure that nothing unexpected will be after the merge of the
refactoring branch, and also my own autoupdate machinery is expecting
this location, so there really is no reason to change it now.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
beta: 34.0.1847.60 -> 35.0.1916.47 (builds fine, tested)
dev: 35.0.1883.0 -> 36.0.1941.0 (builds fine, tested)
For the new version 36, we needed to rebase our user namespaces sandbox
patch, because http://crbug.com/312380 is preparing for an upstream
implementation of the same functionality.
Also, we need to add ply and jinja2 to the depends on version 36. This
is done unconditionally, because I want to avoid cluttering up the
expressions with various versionOlder checks.
The sandbox binary had to be fixed as well and we no longer use system
zlib, as - who might have guessed it - it's a fast moving target at
Chromium as well.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The version of v8 to use for Chromium is heavily tied to the specific
version of Chromium and thus it doesn't really make sense to use v8 from
<nixpkgs>, as we would need to have 3 different versions of v8, one for
each Chromium channel.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
It doesn't make sense to do the splitting of the source code on a remote
machine, so don't try to do it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This results in a new function called mkChromiumDerivation, which can be
used to easily build packages that are based on the Chromium source
tree.
We pass through this function as mkDerivation in the chromium wrappre,
so in the end if you want to create such a package, something like:
chromium.mkDerivation (base: {
name = "your-shiny-package-based-on-chromium";
...
})
will suffice.
Of course, this is only the first step towards this functionality,
because right now I'm not even sure the Chromium browser itself will
build.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This now uses the Debian package from the sources derivation instead of
hardcoding it, so we finally should have proper PepperAPI plugin support
without crashing plugins and whatnot.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This cases the Debian binaries to be fetched from Google's official APT
repository. If we aren't able to find a package from the APT repository,
it's very likely that it already got deleted upstream and we need to
fallback to mirrors instead.
Unfortunately, we can't use mirrors for updating, because Google doesn't
sign the Debian packages themselves and only the release files.
We're going to hook it into a Chromium updater soon, making the sha256
hashes publicly available, so if it is missing, we can still put the
sha256 manually into sources.nix, without risking anything by blindly
fetching from one of the provided mirrors.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The updater is now splitted between a shellscript and a Nix expression
file which contains helpers and lookup functions to reconstruct all
information needed in order to fetch the source tarballs.
This means, that the sources.nix now doesn't contain URLs and only
versions and the corresponding SHA256 hashes. Of course, right now this
sounds like it's unnecessary, but we're going to fetch binaries soon so
it's a good idea to not unnecessarily clutter up sources.nix.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Next, we're going to refactor update.sh and the first step is to ensure
that we keep everything related to sources into its own subdirectory to
not clutter up the main directory too much.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We don't want ta have the source derivation in the runtime dependencies
of the browser itself. Also, we've broken the Firefox wrapper, because
we've no longer exposed the packageName attribute.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
I'm giving up on this after several attempts to correctly unbundle the
largest part, namely Google's WebKit fork Blink. Right now it's so much
tied into the Chromium source it's going to be fairly hard to do if
you're not working full time on it.
Also, the intermediate steps needed to do this properly would introduce
uneccesary complexity on our side, so we really need to finish this
without leaving it in the "messy" state in order to not make Chromium
even more difficult to maintain than it is already.
However, anyone who wants to proceed on this messy step is free to
revert this commit and continue doing so. In my case I'm going to try
again once https://crbug.com/239107 and https://crbug.com/239181 are
fixed in _stable_ (I don't want to introduce *lots* of conditionals on
the version either).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We obviously don't want the Hydra job of nixpkgs to fail, so we need to
make sure that we have a proper meta attribute on the outermost
derivation.
For builds based on the Chromium source tree (like for example libcef),
we can still move the wrapper elsewhere when we need it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is because of our symlink mess, as Chromium's build support scripts
are trying to resolve everything based on absolute paths and we split
off the bundled sources from the main derivation.
Yes, I'm refering to this as a mess, because in the end, we're going to
patch up the gyp files and use references someday.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Now, we no longer tie the sandbox directly to the browser derivation but
wrap everything together into one derivation at the entry point at
default.nix.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
So far we just copied everything from source.* into the build directory
during the prePatch. This somewhat defeated the purpose of the source
splitup because it involved more I/O than just unpacking the entire
source tree.
Now, we're selectively *symlinking* the bundled sources into the build
directory. Even that isn't perfect because in the end we'd just
reference foreign derivations and we're done. But for now, this gets us
at least prepared for a massive reduction of compile time.
Unfortunately, gyp's behaviour when it comes to symlinks is quite
painful to come by, so we need to fix a few references to use absolute
paths.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We now no longer pass enablePepperFlash and enablePepperPDF to the
browser package itself and only use plugins.flagsEnabled from there.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This currently only passes through the arguments and is nothing more
than the foundation of the new structure. In essence, I want to have a
really small default.nix which is then going down into the respective
subparts that are isolated from each other.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is hardcoded for the dev channel at the moment and we're going to
fetch it along with the main Chromium sources.
Also I'm putting this in default.nix at the moment, because we're going
to tear apart the whole Chromium package into several subparts soon.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
We currently can't build the -lite package because beta and dev versions
aren't yet compatible with ICU version 52. But apart from that blocker,
this should get us ready for the switch.
Also, we're now correctly unbundling all dependencies which are used
from <nixpkgs>.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Starting with version 35, version 2 of libgnome_keyring is no longer
supported and it's probably pretty useless to do backports to version 2,
given the assumption that most users on Nix probably don't use it.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Teamviewer puts symlinks to nix store paths in ~/.teamviewer. When those
paths become garbage collected, teamviewer crashes upon start because of
those broken symlinks. An easy workaround to this behaviour is simply to
delete all symlinks before we start teamviewer. Teamviewer will fixup
the symlinks, just like it did the first time the user ran it.
This also does some various cleanup on the build process. In particular,
patchelf was not properly setting the rpath so e.g. librt and libm did
not point into glibc inside the Nix store on my Ubuntu system. This
properly sets the library paths on installation.
Also, the download URL for BitTorrent Sync changed, which is incredibly
annoying, because the URL doesn't encode version information. So maybe
this will fail later. :(
(A final note: this also changes the package name from 'btsync-bin' to
just 'btsync', and cleans up some meta attributes.)
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Okay, now this time we really broke beta and dev, because python_arch no
longer is in build/common.gypi anymore.
This just adds chrome/chrome_tests.gypi to the list of files to be
changed by sed.
Also, this time I did test at least whether gyp is running fine and
interrupted after the first 1000 build targets, so all channels *should*
now build fine.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Build failure on Hydra:
https://hydra.nixos.org/build/9823160
This was caused by the update of file in 5885709.
As file seems to be used for only one substition in the gyp files, we
can now drop the build dependency on file and patch out the substition
expression, as it is done before actually testing if the value has been
set by -D (gyp, y u no have lazy eval!?).
PS: Proudly untested against beta and dev channels, redeployed my own
Hydra and building on my workstation here really is ... annoying (lavg
41 on a system with nproc 8, less than 8 GB RAM and you probably will
have as much "fun" as I just had writing this commit mess...a....g
FUCK^H^H^H^H^H^H...e).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Since version 34, ICU data files are now created separately and thus
need to be installed as well.
Closes#2016
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
(cherry picked from commit f117341ff2de4b95d223b41b36942e2f60ada2a3)
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
According to their few additional commit logs, it's worth it.
I also set libotr to use the latest libgcrypt, related to a comment
in libotr commit. They talk about a libgcrypt fix that will have
more chances to be in the latest libgcrypt.
This patch adds optional ICE support to murmur which is enabled by
default. Additionally, it cleans up some of the expression similar to
the fixes added the mumble.
This patch adds a collection of changes to clean up the mumble
expression as well as add support for disabling the external speech
dispatcher from being compiled in.
This closes#1623, and updates _all_ channels to the corresponding
latest upstream versions.
Thanks to @wizeman for opening the pull request noted above and for
another update in between, @aristidb for fixing the patcheShebangs issue
and @shlevy for notifying me about the build failure in stdenv-updates
in the first place.
Sorry to everyone for my inactivity lately.
The following changes were needed in order to build those new releases:
* Patch out /bin/echo to allow building with all options enabled.
* Always use GN from the source tree.
* Remove import of depot_tools for version 34.
* Drop version 32 specific stuff.
With this commit, the following new upstream versions are introduced:
stable: 32.0.1700.77 -> 32.0.1700.102 (builds fine, tested)
beta: 32.0.1700.19 -> 33.0.1750.46 (builds fine, tested)
dev: 33.0.1712.4 -> 34.0.1809.0 (build broken with gnome_keyring)
The dev version requires a more recent version gnome_keyring and thus
won't build if gnomeKeyringSupport is set to true. I haven't tested this
build without gnomeKeyringSupport yet, so it might be broken and will be
fixed later.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The site plugins are released alongside the main Tkabber sources, so it
makes no sense to have them in a separate package (which also introduces
an impurity). In addition, both packages share the same makefile
structure, so it really makes sense to merge them.
Before people might get worried about my decision to enable those
plugins by default: Since version 1.0, Tkabber is no longer loading
_all_ available plugins, but gives you a menu (Plugins Management) to
selectively enable plugins (whereas all plugins are disabled by
default).
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Alongside "tkabber", there is also "tkabber-remote", which uses the same
variables as the main script and thus needs to be wrapped the same way
as well.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
If people still want the ocean-deep theme, it can still be set by using:
tkabber.override { theme = "ocean-deep"; }
But by default we should not set a theme, so the user will get the same
result as everyone who installs the upstream version.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
After several years, Tkabber finally got a new release.
The highlights are:
* Completely rewritten Tkabber internals
* Dropped Tcl/Tk 8.3 support. Now Tcl/Tk 8.4 is required
* Partial IPv6 support (requires Tcl/Tk 8.6)
* Switched from TclGPGME to TclGPG for encryption and signing
* Added new connection method BOSH (XEP-0124 and XEP-0206)
* Disabled SSLv2 and enabled TLSv1 TLS options
* Added user nicknames (XEP-0172) support.
* Updated the CAPTCHA forms (XEP-0158) support
* Added metacontacts (XEP-0209) support
* Implemented multiple proxy profiles
* Implemented remote controlling from a locally executed script
* Added new plugins: floatingcontact, poker
* Rewritten most plugins to support disabling and unloading on the fly
* A few interface enhancements (search in MUC affiliations lists, proxy
management)
* Many fixes and enhancements
The detailed changelogs can be found at:
http://svn.xmpp.ru/repos/tkabber/tags/1.0/tkabber/ChangeLoghttp://svn.xmpp.ru/repos/tkabber/tags/1.0/tkabber-plugins/ChangeLog
Signed-off-by: aszlig <aszlig@redmoonstudios.org>