Merge staging-next into staging

authored by nixpkgs-ci[bot] and committed by GitHub 7204b818 31c16824

+35 -659
+2 -2
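--- a/pkgs/by-name/bl/blis/package.nix
+++ b/pkgs/by-name/bl/blis/package.nix
@@ -20,13 +20,13 @@
 in
 stdenv.mkDerivation rec {
 pname = "blis";
-version = "1.1";
+version = "2.0";
 
 src = fetchFromGitHub {
 owner = "flame";
 repo = "blis";
 rev = version;
-sha256 = "sha256-joOTyHT87PelKNhL9+1lLqMz22WsENa+Rom41grBb0Y=";
+sha256 = "sha256-+n8SbiiEJDN4j1IPmZfI5g1i2J+jWrUXh7S48JEDTAE=";
 };
 
 inherit blas64;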
-85
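--- a/pkgs/by-name/ca/catalyst-browser/package.nix
+++ b/pkgs/by-name/ca/catalyst-browser/package.nix
@@ -1,85 +0,0 @@
-{
-stdenv,
-lib,
-fetchurl,
-appimageTools,
-makeWrapper,
-electron_33,
-electronPackage ? electron_33,
-asar,
-}:
-
-let
-electron = electronPackage;
-in
-stdenv.mkDerivation rec {
-pname = "catalyst-browser";
-version = "3.9.6";
-
-src = fetchurl {
-url = "https://github.com/CatalystDevOrg/Catalyst/releases/download/v${version}/catalyst-${version}.AppImage";
-hash = "sha256-aqEwVykPt6p3HjDAsr7N/+uHnEK5yTUAgCsaT7OmI0w=";
-name = "catalyst-${version}.AppImage";
-};
-
-appimageContents = appimageTools.extractType2 {
-inherit pname src version;
-};
-
-dontUnpack = true;
-dontConfigure = true;
-dontBuild = true;
-
-nativeBuildInputs = [
-makeWrapper
-asar
-];
-
-installPhase = ''
-runHook preInstall
-
-mkdir -p $out/bin $out/share/catalyst $out/share/applications
-mkdir -p $out/share/catalyst/resources/
-
-cp -a ${appimageContents}/locales $out/share/catalyst
-cp -a ${appimageContents}/catalyst.desktop $out/share/applications/catalyst.desktop
-mkdir -p $out/share/pixmaps
-cp -r ${appimageContents}/usr/share/icons/hicolor/1080x1080/apps/catalyst.png $out/share/pixmaps/
-asar extract ${appimageContents}/resources/app.asar resources/
-rm -rf resources/.github
-rm -rf resources/.vscode
-rm -rf resources/.eslintrc.json
-rm -rf resources/.gitignore
-rm -rf resources/.pnpm-debug.log
-rm -rf resources/contributing.md
-rm -rf resources/pnpm-lock.yaml
-rm -rf resources/README.md
-rm -rf resources/CODE_OF_CONDUCT.md
-rm -rf *.nix
-substituteInPlace resources/src/index.html \
---replace-fail 'catalyst-default-distrib' 'catalyst-default-nixpkgs'
-
-substituteInPlace $out/share/applications/catalyst.desktop \
---replace-fail 'Exec=AppRun' 'Exec=${meta.mainProgram}'
-
-asar pack resources/ $out/share/catalyst/resources/app.asar
-
-runHook postInstall
-'';
-
-postFixup = ''
-makeWrapper ${electron}/bin/electron $out/bin/${meta.mainProgram} \
---add-flags $out/share/catalyst/resources/app.asar \
---prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ stdenv.cc.cc ]}"
-'';
-
-meta = {
-description = "Minimal, functional, and customizable user-focused FOSS web browser based on Chromium";
-homepage = "https://getcatalyst.eu.org";
-license = lib.licenses.mit;
-mainProgram = "catalyst";
-maintainers = with lib.maintainers; [ jdev082 ];
-platforms = [ "x86_64-linux" ];
-sourceProvenance = [ lib.sourceTypes.binaryNativeCode ];
-};
-}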
+3 -3
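--- a/pkgs/by-name/dr/drupal/package.nix
+++ b/pkgs/by-name/dr/drupal/package.nix
@@ -7,17 +7,17 @@
 
 php.buildComposerProject2 (finalAttrs: {
 pname = "drupal";
-version = "11.1.7";
+version = "11.2.1";
 
 src = fetchFromGitLab {
 domain = "git.drupalcode.org";
 owner = "project";
 repo = "drupal";
 tag = finalAttrs.version;
-hash = "sha256-jf28r44VDP9MzShoJMFD+6xSUcKBRGYJ1/ruQ3nGTRE=";
+hash = "sha256-GlQvgI3dmRSHtNky0ZL4Y4VWIaUrO+EjPwnkkF9DJDQ=";
 };
 
-vendorHash = "sha256-LUZTf/Zn8p+V2K1LjhvrgaGBiTcSmGRsG1t9vXUcbeY=";
+vendorHash = "sha256-2XqYxuIlnXzyvOYtY67H1hOuuFjApi0H5VV74j/RJzI=";
 composerNoPlugins = false;
 
 passthru = {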
+3 -3
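--- a/pkgs/by-name/ki/kitex/package.nix
+++ b/pkgs/by-name/ki/kitex/package.nix
@@ -8,16 +8,16 @@
 
 buildGoModule (finalAttrs: {
 pname = "kitex";
-version = "0.14.0";
+version = "0.14.1";
 
 src = fetchFromGitHub {
 owner = "cloudwego";
 repo = "kitex";
 tag = "v${finalAttrs.version}";
-hash = "sha256-I5jXSrhpEkTuBfKJCHlGk5nKeW4pVujEscB0Lb3MdbM=";
+hash = "sha256-gjkEUiGt42ZXSriu7awZxSRl8fPnbLiqCjqbe1Yjcu8=";
 };
 
-vendorHash = "sha256-nTwS5QeTmWfMVEcvsgyx4XbGG5Nk0dzAjXBtvJdpR9c=";
+vendorHash = "sha256-UlwaMPLo+gyDlncLvGnr0ec8sDfBa1xzVSSfXBAgngM=";
 
 subPackages = [ "tool/cmd/kitex" ];
 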
+3 -3
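--- a/pkgs/by-name/ma/matrix-commander-rs/package.nix
+++ b/pkgs/by-name/ma/matrix-commander-rs/package.nix
@@ -9,17 +9,17 @@
 
 rustPlatform.buildRustPackage rec {
 pname = "matrix-commander-rs";
-version = "0.10.1";
+version = "1.0.0";
 
 src = fetchFromGitHub {
 owner = "8go";
 repo = "matrix-commander-rs";
 tag = "v${version}";
-hash = "sha256-ljRFZYfTSyiIVgABgQAVLlwhOmeMumAyZe9tASPtMZA=";
+hash = "sha256-CvsMRxB5s891cVu03RroTQYOGA6rmhpif8VT0njXTnc=";
 };
 
 useFetchCargoVendor = true;
-cargoHash = "sha256-BMVxxCOAznAsqKUgGHJ9hPgdIksCyzMVUHeLa+om09U=";
+cargoHash = "sha256-hzWq09qJTox8yZuMOQ1///hKxY4EsWn/mHKy3svxlF8=";
 
 nativeBuildInputs = [
 pkg-config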
+2 -2
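--- a/pkgs/by-name/nh/nhost-cli/package.nix
+++ b/pkgs/by-name/nh/nhost-cli/package.nix
@@ -6,13 +6,13 @@
 
 buildGoModule rec {
 pname = "nhost-cli";
-version = "1.29.8";
+version = "1.29.9";
 
 src = fetchFromGitHub {
 owner = "nhost";
 repo = "cli";
 tag = "v${version}";
-hash = "sha256-y+I0BN41WsiUTg//7PMEi24esYsldpmk0/hGtjs8kdA=";
+hash = "sha256-9UxB/tshTwMg4K7K0Fs1Ld96ET6Drg77GJgONj4cRmM=";
 };
 
 vendorHash = null;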
+2 -2
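--- a/pkgs/by-name/po/poliedros/package.nix
+++ b/pkgs/by-name/po/poliedros/package.nix
@@ -14,7 +14,7 @@
 nix-update-script,
 }:
 let
-version = "1.0.1";
+version = "1.5.0";
 in
 python3Packages.buildPythonApplication {
 pname = "poliedros";
@@ -25,7 +25,7 @@
 owner = "kriptolix";
 repo = "Poliedros";
 tag = "v${version}";
-hash = "sha256-1lYEsfyl6ckH1TmMLRP+flnm77INiA8ntnGVWnwpLvs=";
+hash = "sha256-1itBovF5xGB8zMedtKKcQ2FJeOd5gT1COrJtwEOgdbk=";
 };
 
 nativeBuildInputs = [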
+3 -3
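--- a/pkgs/by-name/te/telegraf/package.nix
+++ b/pkgs/by-name/te/telegraf/package.nix
@@ -10,7 +10,7 @@
 
 buildGoModule rec {
 pname = "telegraf";
-version = "1.35.0";
+version = "1.35.1";
 
 subPackages = [ "cmd/telegraf" ];
 
@@ -18,10 +18,10 @@
 owner = "influxdata";
 repo = "telegraf";
 rev = "v${version}";
-hash = "sha256-lBD+GzFlm1CRfOQORYCDndNvObzxkkCijsGu2YsagYI=";
+hash = "sha256-vdn/c3EVtGnCh750IqjMjRxeW2Zimn8PazREL9KZX2Y=";
 };
 
-vendorHash = "sha256-RVpw94W8rrJSIsFmZRSo29h6ZN9xzYBqbGs46ZIwzKc=";
+vendorHash = "sha256-W5Ng7IH4WKq1v1PfO1Wi3eBDonITcIuJzJTmtHPnCmg=";
 proxyVendor = true;
 
 ldflags = [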
+3 -3
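--- a/pkgs/by-name/tx/txtpbfmt/package.nix
+++ b/pkgs/by-name/tx/txtpbfmt/package.nix
@@ -7,13 +7,13 @@
 
 buildGoModule {
 pname = "txtpbfmt";
-version = "0-unstable-2025-03-26";
+version = "0-unstable-2025-06-25";
 
 src = fetchFromGitHub {
 owner = "protocolbuffers";
 repo = "txtpbfmt";
-rev = "a5fe55684d52b017a494471a2a08264d778166ad";
-hash = "sha256-e8tDQOr6CtGjVhhiPjSG14adrqi5geBitD1SnqL6Tx8=";
+rev = "c917e9664b93f5f7ba1890e9fe9db7390758f0e6";
+hash = "sha256-iyzKPGoKid6gz6eaINpAcV7gYkwiiRY9bjjFYIinGjw=";
 };
 
 vendorHash = "sha256-iWY0b6PAw9BhA8WrTEECnVAKWTGXuIiGvOi9uhJO4PI=";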
+3 -3
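--- a/pkgs/by-name/va/vault/package.nix
+++ b/pkgs/by-name/va/vault/package.nix
@@ -12,16 +12,16 @@
 
 buildGoModule rec {
 pname = "vault";
-version = "1.19.5";
+version = "1.20.0";
 
 src = fetchFromGitHub {
 owner = "hashicorp";
 repo = "vault";
 rev = "v${version}";
-hash = "sha256-pj9aaEpXEmBBjJOqdvD2bYip5gg3pUob7gmV8rbhnuo=";
+hash = "sha256-2583vthe9x2WylLOMJFDBswqT3cF7euHyVc05V887B4=";
 };
 
-vendorHash = "sha256-tOGB9psxlgC+h/uJd93tkpDYzi/xIZ25rDMQ4LnX9Pg=";
+vendorHash = "sha256-re1GZ+B1dKKLrKt8lj0fUuBkcUY/B38Y4o7yJIN7sts=";
 
 proxyVendor = true;
 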
-79
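--- a/pkgs/by-name/vi/vieb/package.nix
+++ b/pkgs/by-name/vi/vieb/package.nix
@@ -1,79 +0,0 @@
-{
-stdenv,
-buildNpmPackage,
-fetchFromGitHub,
-electron,
-makeWrapper,
-python3,
-makeDesktopItem,
-lib,
-}:
-
-buildNpmPackage rec {
-pname = "vieb";
-version = "12.3.0";
-
-src = fetchFromGitHub {
-owner = "Jelmerro";
-repo = "vieb";
-rev = version;
-hash = "sha256-g3L+bzsDP3vfTaroqCWzRDymFTZE+6nLytRWzPMBoX8=";
-};
-
-postPatch = ''
-sed -i '/"electron"/d' package.json
-'';
-
-npmDepsHash = "sha256-0V2fKdfqO64DLqLGz1OK9BZEbwGDqPFUdxu9F6v6Ms4=";
-makeCacheWritable = true;
-dontNpmBuild = true;
-env.ELECTRON_SKIP_BINARY_DOWNLOAD = 1;
-
-nativeBuildInputs = [ makeWrapper ] ++ lib.optional stdenv.hostPlatform.isAarch64 python3;
-
-desktopItem = makeDesktopItem {
-name = "vieb";
-exec = "vieb %U";
-icon = "vieb";
-desktopName = "Web Browser";
-genericName = "Web Browser";
-categories = [
-"Network"
-"WebBrowser"
-];
-mimeTypes = [
-"text/html"
-"application/xhtml+xml"
-"x-scheme-handler/http"
-"x-scheme-handler/https"
-];
-};
-
-postInstall = ''
-install -Dm0644 {${desktopItem},$out}/share/applications/vieb.desktop
-
-pushd $out/lib/node_modules/vieb/app/img/icons
-for file in *.png; do
-install -Dm0644 $file $out/share/icons/hicolor/''${file//.png}/apps/vieb.png
-done
-popd
-
-makeWrapper ${electron}/bin/electron $out/bin/vieb \
---add-flags $out/lib/node_modules/vieb/app \
---set npm_package_version ${version}
-'';
-
-distPhase = ":"; # disable useless $out/tarballs directory
-
-meta = {
-homepage = "https://vieb.dev/";
-changelog = "https://github.com/Jelmerro/Vieb/releases/tag/${version}";
-description = "Vim Inspired Electron Browser";
-mainProgram = "vieb";
-maintainers = with lib.maintainers; [
-tejing
-];
-platforms = lib.platforms.unix;
-license = lib.licenses.gpl3Plus;
-};
-}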
+4 -3
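--- a/pkgs/by-name/we/wechat/package.nix
+++ b/pkgs/by-name/we/wechat/package.nix
@@ -27,11 +27,12 @@
 
 sources =
 let
+# https://dldir1.qq.com/weixin/mac/mac-release.xml
 any-darwin = {
-version = "4.0.5.24";
+version = "4.0.5.27-29258";
 src = fetchurl {
-url = "https://web.archive.org/web/20250608064358if_/https://dldir1v6.qq.com/weixin/Universal/Mac/WeChatMac.dmg";
-hash = "sha256-ieixBgYhZ5jU3TWCV7BXKFBidJ1bbabXBHTkrpNcGDI=";
+url = "https://dldir1v6.qq.com/weixin/Universal/Mac/xWeChatMac_universal_4.0.5.27_29258.dmg";
+hash = "sha256-Gje1F9rdykxTqYIJ4Pfq3zpUH3t3GKIK/QL5kt1qCVc=";
 };
 };
 in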
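Review bot: The new `url` spells the release out by hand as `xWeChatMac_universal_4.0.5.27_29258.dmg` while `version` is written separately as `4.0.5.27-29258`, so the next bump has to keep two values in step and a mismatch is not caught by the hash (it proves the fetched file is the expected bytes, not that it is the release the attribute claims). Deriving the file name from `version` keeps them coupled, e.g. `url = "https://dldir1v6.qq.com/weixin/Universal/Mac/xWeChatMac_universal_${lib.replaceStrings [ "-" ] [ "_" ] version}.dmg";`, assuming `lib` is in scope in this file as it is in most package.nix files. The added `# https://dldir1.qq.com/weixin/mac/mac-release.xml` line would help a future updater more if it said what to look for there, presumably the current version and download URL, e.g. `# upstream release feed; take version and URL from here when bumping`. The `sources` let-binding continues past the end of the hunk.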
+3 -2
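--- a/pkgs/desktops/deepin/tools/deepin-anything/default.nix
+++ b/pkgs/desktops/deepin/tools/deepin-anything/default.nix
@@ -14,13 +14,13 @@
 
 stdenv.mkDerivation rec {
 pname = "deepin-anything";
-version = "6.1.9";
+version = "6.2.10";
 
 src = fetchFromGitHub {
 owner = "linuxdeepin";
 repo = "deepin-anything";
 rev = version;
-hash = "sha256-OYPsUXMjuU6gG+EzyYl640+2/59n8D5V906CVGwn6Bo=";
+hash = "sha256-eGel+pLAYHYkPXQxzTz+lMPSlgNiDFAev2bzGjj4ZFw=";
 };
 
 postPatch = ''
@@ -41,6 +41,7 @@
 udisks2-qt5
 util-linux
 libnl
+libsForQt5.polkit-qt
 glib
 pcre
 ];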
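Review bot: `libsForQt5.polkit-qt` is added to the input list in the second hunk with no record of what in 6.2.10 requires it, and the list's opening line is outside the hunk, so it is not even visible here whether this is `buildInputs` or another list. polkit-qt is the Qt binding for polkit, so presumably the new version gained a polkit-authorized privileged helper; if so, the bump should confirm which policy/action files the build now installs and where they land, because a policy file that is built but not installed fails at runtime rather than at build time. A short comment on the new entry, `# required since 6.2.10 for <reason>` (placeholder to be filled by the author), would record the justification for the next reviewer.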
+2 -3
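--- a/pkgs/tools/package-management/nix/default.nix
+++ b/pkgs/tools/package-management/nix/default.nix
@@ -175,9 +175,8 @@
 };
 
 nix_2_26 = commonMeson {
-version = "2.26.3";
-hash = "sha256-5ZV8YqU8mfFmoAMiUEuBqNwk0T3vUR//x1D12BiYCeY=";
-patches = [ ./patches/ghsa-g948-229j-48j3-2.26.patch ];
+version = "2.26.4";
+hash = "sha256-WmGMiwwC9RLomNtpDeRoe5bqBAH84A6pLcqi1MbcQi4=";
 self_attribute_name = "nix_2_26";
 };
 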
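Review bot: Dropping `patches = [ ./patches/ghsa-g948-229j-48j3-2.26.patch ];` together with the 2.26.3 to 2.26.4 bump leaves nothing in this file saying why the GHSA-g948-229j-48j3 fix no longer needs a local patch; presumably 2.26.4 ships the upstream commit the deleted patch was built from (its header names 787e012f), but a reader of this attribute alone cannot tell whether the fix was absorbed or lost. A one-line comment next to `version = "2.26.4";`, e.g. `# 2.26.4 includes the GHSA-g948-229j-48j3 fix upstream, so the local patch was dropped`, would make the removal auditable without digging through the deleted patch file. The same applies to the patch-file deletion later in this commit, which carries no note of its own.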
-463
pkgs/tools/package-management/nix/patches/ghsa-g948-229j-48j3-2.26.patch
··· 1 - From 787e012f26761e1455e711ab4ceedaa2c740621c Mon Sep 17 00:00:00 2001 2 - From: Eelco Dolstra <edolstra@gmail.com> 3 - Date: Thu, 19 Jun 2025 16:20:34 +0200 4 - Subject: [PATCH] Fixes for GHSA-g948-229j-48j3 5 - MIME-Version: 1.0 6 - Content-Type: text/plain; charset=UTF-8 7 - Content-Transfer-Encoding: 8bit 8 - 9 - Squashed commit of the following: 10 - 11 - commit 04fff3a637d455cbb1d75937a235950e43008db9 12 - Author: Eelco Dolstra <edolstra@gmail.com> 13 - Date: Thu Jun 12 12:30:32 2025 +0200 14 - 15 - Chown structured attr files safely 16 - 17 - commit 5417ad445e414c649d0cfc71a05661c7bf8f3ef5 18 - Author: Eelco Dolstra <edolstra@gmail.com> 19 - Date: Thu Jun 12 12:14:04 2025 +0200 20 - 21 - Replace 'bool sync' with an enum for clarity 22 - 23 - And drop writeFileAndSync(). 24 - 25 - commit 7ae0141f328d8e8e1094be24665789c05f974ba6 26 - Author: Eelco Dolstra <edolstra@gmail.com> 27 - Date: Thu Jun 12 11:35:28 2025 +0200 28 - 29 - Drop guessOrInventPathFromFD() 30 - 31 - No need to do hacky stuff like that when we already know the original path. 32 - 33 - commit 45b05098bd019da7c57cd4227a89bfd0fa65bb08 34 - Author: Eelco Dolstra <edolstra@gmail.com> 35 - Date: Thu Jun 12 11:15:58 2025 +0200 36 - 37 - Tweak comment 38 - 39 - commit 0af15b31209d1b7ec8addfae9a1a6b60d8f35848 40 - Author: Raito Bezarius <raito@lix.systems> 41 - Date: Thu Mar 27 12:22:26 2025 +0100 42 - 43 - libstore: ensure that temporary directory is always 0o000 before deletion 44 - 45 - In the case the deletion fails, we should ensure that the temporary 46 - directory cannot be used for nefarious purposes. 47 - 48 - Change-Id: I498a2dd0999a74195d13642f44a5de1e69d46120 49 - 
Signed-off-by: Raito Bezarius <raito@lix.systems> 50 - 51 - commit 2c20fa37b15cfa03ac6a1a6a47cdb2ed66c0827e 52 - Author: Raito Bezarius <raito@lix.systems> 53 - Date: Wed Mar 26 12:42:55 2025 +0100 54 - 55 - libutil: ensure that `_deletePath` does NOT use absolute paths with dirfds 56 - 57 - When calling `_deletePath` with a parent file descriptor, `openat` is 58 - made effective by using relative paths to the directory file descriptor. 59 - 60 - To avoid the problem, the signature is changed to resist misuse with an 61 - assert in the prologue of the function. 62 - 63 - Change-Id: I6b3fc766bad2afe54dc27d47d1df3873e188de96 64 - Signed-off-by: Raito Bezarius <raito@lix.systems> 65 - 66 - commit d3c370bbcae48bb825ce19fd0f73bb4eefd2c9ea 67 - Author: Raito Bezarius <raito@lix.systems> 68 - Date: Wed Mar 26 01:07:47 2025 +0100 69 - 70 - libstore: ensure that `passAsFile` is created in the original temp dir 71 - 72 - This ensures that `passAsFile` data is created inside the expected 73 - temporary build directory by `openat()` from the parent directory file 74 - descriptor. 75 - 76 - This avoids a TOCTOU which is part of the attack chain of CVE-????. 77 - 78 - Change-Id: Ie5273446c4a19403088d0389ae8e3f473af8879a 79 - Signed-off-by: Raito Bezarius <raito@lix.systems> 80 - 81 - commit 45d3598724f932d024ef6bc2ffb00c1bb90e6018 82 - Author: Raito Bezarius <raito@lix.systems> 83 - Date: Wed Mar 26 01:06:03 2025 +0100 84 - 85 - libutil: writeFile variant for file descriptors 86 - 87 - `writeFile` lose its `sync` boolean flag to make things simpler. 88 - 89 - A new `writeFileAndSync` function is created and all call sites are 90 - converted to it. 91 - 92 - Change-Id: Ib871a5283a9c047db1e4fe48a241506e4aab9192 93 - 
Signed-off-by: Raito Bezarius <raito@lix.systems> 94 - 95 - commit 732bd9b98cabf4aaf95a01fd318923de303f9996 96 - Author: Raito Bezarius <raito@lix.systems> 97 - Date: Wed Mar 26 01:05:34 2025 +0100 98 - 99 - libstore: chown to builder variant for file descriptors 100 - 101 - We use it immediately for the build temporary directory. 102 - 103 - Change-Id: I180193c63a2b98721f5fb8e542c4e39c099bb947 104 - Signed-off-by: Raito Bezarius <raito@lix.systems> 105 - 106 - commit 962c65f8dcd5570dd92c72370a862c7b38942e0d 107 - Author: Raito Bezarius <raito@lix.systems> 108 - Date: Wed Mar 26 01:04:59 2025 +0100 109 - 110 - libstore: open build directory as a dirfd as well 111 - 112 - We now keep around a proper AutoCloseFD around the temporary directory 113 - which we plan to use for openat operations and avoiding the build 114 - directory being swapped out while we are doing something else. 115 - 116 - Change-Id: I18d387b0f123ebf2d20c6405cd47ebadc5505f2a 117 - Signed-off-by: Raito Bezarius <raito@lix.systems> 118 - 119 - commit c9b42462b75b5a37ee6564c2b53cff186c8323da 120 - Author: Raito Bezarius <raito@lix.systems> 121 - Date: Wed Mar 26 01:04:12 2025 +0100 122 - 123 - libutil: guess or invent a path from file descriptors 124 - 125 - This is useful for certain error recovery paths (no pun intended) that 126 - does not thread through the original path name. 127 - 128 - Change-Id: I2d800740cb4f9912e64c923120d3f977c58ccb7e 129 - Signed-off-by: Raito Bezarius <raito@lix.systems> 130 - 131 - Signed-off-by: Jörg Thalheim <joerg@thalheim.io> 132 - --- 133 - src/libstore/local-store.cc | 6 +-- 134 - .../unix/build/local-derivation-goal.cc | 46 ++++++++++++++---- 135 - .../unix/build/local-derivation-goal.hh | 20 ++++++++ 136 - src/libutil/file-content-address.cc | 2 +- 137 - src/libutil/file-system.cc | 47 +++++++++++-------- 138 - src/libutil/file-system.hh | 14 ++++-- 139 - 6 files changed, 99 insertions(+), 36 deletions(-) 140 - 141 - 
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc 142 - index 9a7a941b6..c0c808e0a 100644 143 - --- a/src/libstore/local-store.cc 144 - +++ b/src/libstore/local-store.cc 145 - @@ -116,7 +116,7 @@ LocalStore::LocalStore( 146 - state->stmts = std::make_unique<State::Stmts>(); 147 - 148 - /* Create missing state directories if they don't already exist. */ 149 - - createDirs(realStoreDir); 150 - + createDirs(realStoreDir.get()); 151 - if (readOnly) { 152 - experimentalFeatureSettings.require(Xp::ReadOnlyLocalStore); 153 - } else { 154 - @@ -248,7 +248,7 @@ LocalStore::LocalStore( 155 - else if (curSchema == 0) { /* new store */ 156 - curSchema = nixSchemaVersion; 157 - openDB(*state, true); 158 - - writeFile(schemaPath, fmt("%1%", nixSchemaVersion), 0666, true); 159 - + writeFile(schemaPath, fmt("%1%", curSchema), 0666, FsSync::Yes); 160 - } 161 - 162 - else if (curSchema < nixSchemaVersion) { 163 - @@ -299,7 +299,7 @@ LocalStore::LocalStore( 164 - txn.commit(); 165 - } 166 - 167 - - writeFile(schemaPath, fmt("%1%", nixSchemaVersion), 0666, true); 168 - + writeFile(schemaPath, fmt("%1%", nixSchemaVersion), 0666, FsSync::Yes); 169 - 170 - lockFile(globalLock.get(), ltRead, true); 171 - } 172 - diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc 173 - index 5b9bc0bb0..80309e332 100644 174 - --- a/src/libstore/unix/build/local-derivation-goal.cc 175 - +++ b/src/libstore/unix/build/local-derivation-goal.cc 176 - 
@@ -559,7 +559,14 @@ void LocalDerivationGoal::startBuilder() 177 - } else { 178 - tmpDir = topTmpDir; 179 - } 180 - - chownToBuilder(tmpDir); 181 - + 182 - + /* The TOCTOU between the previous mkdir call and this open call is unavoidable due to 183 - + POSIX semantics.*/ 184 - + tmpDirFd = AutoCloseFD{open(tmpDir.c_str(), O_RDONLY | O_NOFOLLOW | O_DIRECTORY)}; 185 - + if (!tmpDirFd) 186 - + throw SysError("failed to open the build temporary directory descriptor '%1%'", tmpDir); 187 - + 188 - + chownToBuilder(tmpDirFd.get(), tmpDir); 189 - 190 - for (auto & [outputName, status] : initialOutputs) { 191 - /* Set scratch path we'll actually use during the build. 192 - @@ -1157,9 +1164,7 @@ void LocalDerivationGoal::initTmpDir() 193 - } else { 194 - auto hash = hashString(HashAlgorithm::SHA256, i.first); 195 - std::string fn = ".attr-" + hash.to_string(HashFormat::Nix32, false); 196 - - Path p = tmpDir + "/" + fn; 197 - - writeFile(p, rewriteStrings(i.second, inputRewrites)); 198 - - chownToBuilder(p); 199 - + writeBuilderFile(fn, rewriteStrings(i.second, inputRewrites)); 200 - env[i.first + "Path"] = tmpDirInSandbox + "/" + fn; 201 - } 202 - } 203 - @@ -1264,11 +1269,9 @@ void LocalDerivationGoal::writeStructuredAttrs() 204 - 205 - auto jsonSh = writeStructuredAttrsShell(json); 206 - 207 - - writeFile(tmpDir + "/.attrs.sh", rewriteStrings(jsonSh, inputRewrites)); 208 - - chownToBuilder(tmpDir + "/.attrs.sh"); 209 - + writeBuilderFile(".attrs.sh", rewriteStrings(jsonSh, inputRewrites)); 210 - env["NIX_ATTRS_SH_FILE"] = tmpDirInSandbox + "/.attrs.sh"; 211 - - writeFile(tmpDir + "/.attrs.json", rewriteStrings(json.dump(), inputRewrites)); 212 - - chownToBuilder(tmpDir + "/.attrs.json"); 213 - + writeBuilderFile(".attrs.json", rewriteStrings(json.dump(), inputRewrites)); 214 - env["NIX_ATTRS_JSON_FILE"] = tmpDirInSandbox + "/.attrs.json"; 215 - } 216 - } 217 - 
@@ -1779,6 +1782,24 @@ void setupSeccomp() 218 - #endif 219 - } 220 - 221 - +void LocalDerivationGoal::chownToBuilder(int fd, const Path & path) 222 - +{ 223 - + if (!buildUser) return; 224 - + if (fchown(fd, buildUser->getUID(), buildUser->getGID()) == -1) 225 - + throw SysError("cannot change ownership of file '%1%'", path); 226 - +} 227 - + 228 - +void LocalDerivationGoal::writeBuilderFile( 229 - + const std::string & name, 230 - + std::string_view contents) 231 - +{ 232 - + auto path = std::filesystem::path(tmpDir) / name; 233 - + AutoCloseFD fd{openat(tmpDirFd.get(), name.c_str(), O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC | O_EXCL | O_NOFOLLOW, 0666)}; 234 - + if (!fd) 235 - + throw SysError("creating file %s", path); 236 - + writeFile(fd, path, contents); 237 - + chownToBuilder(fd.get(), path); 238 - +} 239 - 240 - void LocalDerivationGoal::runChild() 241 - { 242 - @@ -3038,6 +3059,15 @@ void LocalDerivationGoal::checkOutputs(const std::map<std::string, ValidPathInfo 243 - void LocalDerivationGoal::deleteTmpDir(bool force) 244 - { 245 - if (topTmpDir != "") { 246 - + /* As an extra precaution, even in the event of `deletePath` failing to 247 - + * clean up, the `tmpDir` will be chowned as if we were to move 248 - + * it inside the Nix store. 249 - + * 250 - + * This hardens against an attack which smuggles a file descriptor 251 - + * to make use of the temporary directory. 252 - + */ 253 - + chmod(topTmpDir.c_str(), 0000); 254 - + 255 - /* Don't keep temporary directories for builtins because they 256 - might have privileged stuff (like a copy of netrc). */ 257 - if (settings.keepFailed && !force && !drv->isBuiltin()) { 258 - diff --git a/src/libstore/unix/build/local-derivation-goal.hh b/src/libstore/unix/build/local-derivation-goal.hh 259 - index 1ea247661..74a1e1c50 100644 260 - --- a/src/libstore/unix/build/local-derivation-goal.hh 261 - +++ b/src/libstore/unix/build/local-derivation-goal.hh 262 - 
@@ -37,6 +37,11 @@ struct LocalDerivationGoal : public DerivationGoal 263 - */ 264 - Path topTmpDir; 265 - 266 - + /** 267 - + * The file descriptor of the temporary directory. 268 - + */ 269 - + AutoCloseFD tmpDirFd; 270 - + 271 - /** 272 - * The path of the temporary directory in the sandbox. 273 - */ 274 - @@ -244,9 +249,24 @@ struct LocalDerivationGoal : public DerivationGoal 275 - 276 - /** 277 - * Make a file owned by the builder. 278 - + * 279 - + * SAFETY: this function is prone to TOCTOU as it receives a path and not a descriptor. 280 - + * It's only safe to call in a child of a directory only visible to the owner. 281 - */ 282 - void chownToBuilder(const Path & path); 283 - 284 - + /** 285 - + * Make a file owned by the builder addressed by its file descriptor. 286 - + */ 287 - + void chownToBuilder(int fd, const Path & path); 288 - + 289 - + /** 290 - + * Create a file in `tmpDir` owned by the builder. 291 - + */ 292 - + void writeBuilderFile( 293 - + const std::string & name, 294 - + std::string_view contents); 295 - + 296 - int getChildStatus() override; 297 - 298 - /** 299 - diff --git a/src/libutil/file-content-address.cc b/src/libutil/file-content-address.cc 300 - index 69301d9c8..2b6839346 100644 301 - --- a/src/libutil/file-content-address.cc 302 - +++ b/src/libutil/file-content-address.cc 303 - @@ -93,7 +93,7 @@ void restorePath( 304 - { 305 - switch (method) { 306 - case FileSerialisationMethod::Flat: 307 - - writeFile(path, source, 0666, startFsync); 308 - + writeFile(path, source, 0666, startFsync ? FsSync::Yes : FsSync::No); 309 - break; 310 - case FileSerialisationMethod::NixArchive: 311 - restorePath(path, source, startFsync); 312 - diff --git a/src/libutil/file-system.cc b/src/libutil/file-system.cc 313 - index 6fe93b63a..b3183f495 100644 314 - --- a/src/libutil/file-system.cc 315 - +++ b/src/libutil/file-system.cc 316 - 
@@ -258,7 +258,7 @@ void readFile(const Path & path, Sink & sink) 317 - } 318 - 319 - 320 - -void writeFile(const Path & path, std::string_view s, mode_t mode, bool sync) 321 - +void writeFile(const Path & path, std::string_view s, mode_t mode, FsSync sync) 322 - { 323 - AutoCloseFD fd = toDescriptor(open(path.c_str(), O_WRONLY | O_TRUNC | O_CREAT 324 - // TODO 325 - @@ -268,22 +268,29 @@ void writeFile(const Path & path, std::string_view s, mode_t mode, bool sync) 326 - , mode)); 327 - if (!fd) 328 - throw SysError("opening file '%1%'", path); 329 - + 330 - + writeFile(fd, path, s, mode, sync); 331 - + 332 - + /* Close explicitly to propagate the exceptions. */ 333 - + fd.close(); 334 - +} 335 - + 336 - +void writeFile(AutoCloseFD & fd, const Path & origPath, std::string_view s, mode_t mode, FsSync sync) 337 - +{ 338 - + assert(fd); 339 - try { 340 - writeFull(fd.get(), s); 341 - + 342 - + if (sync == FsSync::Yes) 343 - + fd.fsync(); 344 - + 345 - } catch (Error & e) { 346 - - e.addTrace({}, "writing file '%1%'", path); 347 - + e.addTrace({}, "writing file '%1%'", origPath); 348 - throw; 349 - } 350 - - if (sync) 351 - - fd.fsync(); 352 - - // Explicitly close to make sure exceptions are propagated. 353 - - fd.close(); 354 - - if (sync) 355 - - syncParent(path); 356 - } 357 - 358 - - 359 - -void writeFile(const Path & path, Source & source, mode_t mode, bool sync) 360 - +void writeFile(const Path & path, Source & source, mode_t mode, FsSync sync) 361 - { 362 - AutoCloseFD fd = toDescriptor(open(path.c_str(), O_WRONLY | O_TRUNC | O_CREAT 363 - // TODO 364 - @@ -307,11 +314,11 @@ void writeFile(const Path & path, Source & source, mode_t mode, bool sync) 365 - e.addTrace({}, "writing file '%1%'", path); 366 - throw; 367 - } 368 - - if (sync) 369 - + if (sync == FsSync::Yes) 370 - fd.fsync(); 371 - // Explicitly close to make sure exceptions are propagated. 372 - fd.close(); 373 - - if (sync) 374 - + if (sync == FsSync::Yes) 375 - syncParent(path); 376 - } 377 - 378 - 
@@ -374,7 +381,8 @@ static void _deletePath(Descriptor parentfd, const fs::path & path, uint64_t & b 379 - #ifndef _WIN32 380 - checkInterrupt(); 381 - 382 - - std::string name(baseNameOf(path.native())); 383 - + std::string name(path.filename()); 384 - + assert(name != "." && name != ".." && !name.empty()); 385 - 386 - struct stat st; 387 - if (fstatat(parentfd, name.c_str(), &st, 388 - @@ -415,7 +423,7 @@ static void _deletePath(Descriptor parentfd, const fs::path & path, uint64_t & b 389 - throw SysError("chmod %1%", path); 390 - } 391 - 392 - - int fd = openat(parentfd, path.c_str(), O_RDONLY); 393 - + int fd = openat(parentfd, name.c_str(), O_RDONLY | O_DIRECTORY | O_NOFOLLOW); 394 - if (fd == -1) 395 - throw SysError("opening directory %1%", path); 396 - AutoCloseDir dir(fdopendir(fd)); 397 - @@ -427,7 +435,7 @@ static void _deletePath(Descriptor parentfd, const fs::path & path, uint64_t & b 398 - checkInterrupt(); 399 - std::string childName = dirent->d_name; 400 - if (childName == "." || childName == "..") continue; 401 - - _deletePath(dirfd(dir.get()), path + "/" + childName, bytesFreed); 402 - + _deletePath(dirfd(dir.get()), path / childName, bytesFreed); 403 - } 404 - if (errno) throw SysError("reading directory %1%", path); 405 - } 406 - 
@@ -445,14 +453,13 @@ static void _deletePath(Descriptor parentfd, const fs::path & path, uint64_t & b 407 - 408 - static void _deletePath(const fs::path & path, uint64_t & bytesFreed) 409 - { 410 - - Path dir = dirOf(path.string()); 411 - - if (dir == "") 412 - - dir = "/"; 413 - + assert(path.is_absolute()); 414 - + assert(path.parent_path() != path); 415 - 416 - - AutoCloseFD dirfd = toDescriptor(open(dir.c_str(), O_RDONLY)); 417 - + AutoCloseFD dirfd = toDescriptor(open(path.parent_path().string().c_str(), O_RDONLY)); 418 - if (!dirfd) { 419 - if (errno == ENOENT) return; 420 - - throw SysError("opening directory '%1%'", path); 421 - + throw SysError("opening directory %s", path.parent_path()); 422 - } 423 - 424 - _deletePath(dirfd.get(), path, bytesFreed); 425 - diff --git a/src/libutil/file-system.hh b/src/libutil/file-system.hh 426 - index 204907339..b2db8869e 100644 427 - --- a/src/libutil/file-system.hh 428 - +++ b/src/libutil/file-system.hh 429 - 
@@ -194,21 +194,27 @@ std::string readFile(const Path & path); 430 - std::string readFile(const std::filesystem::path & path); 431 - void readFile(const Path & path, Sink & sink); 432 - 433 - +enum struct FsSync { Yes, No }; 434 - + 435 - /** 436 - * Write a string to a file. 437 - */ 438 - -void writeFile(const Path & path, std::string_view s, mode_t mode = 0666, bool sync = false); 439 - -static inline void writeFile(const std::filesystem::path & path, std::string_view s, mode_t mode = 0666, bool sync = false) 440 - +void writeFile(const Path & path, std::string_view s, mode_t mode = 0666, FsSync sync = FsSync::No); 441 - + 442 - +static inline void writeFile(const std::filesystem::path & path, std::string_view s, mode_t mode = 0666, FsSync sync = FsSync::No) 443 - { 444 - return writeFile(path.string(), s, mode, sync); 445 - } 446 - 447 - -void writeFile(const Path & path, Source & source, mode_t mode = 0666, bool sync = false); 448 - -static inline void writeFile(const std::filesystem::path & path, Source & source, mode_t mode = 0666, bool sync = false) 449 - +void writeFile(const Path & path, Source & source, mode_t mode = 0666, FsSync sync = FsSync::No); 450 - + 451 - +static inline void writeFile(const std::filesystem::path & path, Source & source, mode_t mode = 0666, FsSync sync = FsSync::No) 452 - { 453 - return writeFile(path.string(), source, mode, sync); 454 - } 455 - 456 - +void writeFile(AutoCloseFD & fd, const Path & origPath, std::string_view s, mode_t mode = 0666, FsSync sync = FsSync::No); 457 - + 458 - /** 459 - * Flush a path's parent directory to disk. 460 - */ 461 - -- 462 - 2.49.0 463 -
+2
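--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@@ -412,6 +412,7 @@
 cassandra_3_0 = throw "'cassandra_3_0' has been removed has it reached end-of-life"; # Added 2025-03-23
 cassandra_3_11 = throw "'cassandra_3_11' has been removed has it reached end-of-life"; # Added 2025-03-23
 cawbird = throw "cawbird has been abandoned upstream and is broken anyways due to Twitter closing its API";
+catalyst-browser = throw "'catalyst-browser' has been removed due to a lack of maintenance and not satisfying our security criteria for browsers."; # Added 2025-06-25
 cde = throw "'cde' has been removed as it is unmaintained and broken"; # Added 2025-05-17
 centerim = throw "centerim has been removed due to upstream disappearing"; # Added 2025-04-18
 certmgr-selfsigned = certmgr; # Added 2023-11-30
@@ -2053,6 +2054,7 @@
 ventoy-bin = ventoy; # Added 2023-04-12
 ventoy-bin-full = ventoy-full; # Added 2023-04-12
 verilog = iverilog; # Added 2024-07-12
+vieb = throw "'vieb' has been removed as it doesn't satisfy our security criteria for browsers."; # Added 2025-06-25
 ViennaRNA = viennarna; # Added 2023-08-23
 vimHugeX = vim-full; # Added 2022-12-04
 vim_configurable = vim-full; # Added 2022-12-04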
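Review bot: The new `catalyst-browser` entry in the first hunk is inserted after `cawbird`, but the surrounding entries are kept in alphabetical order and `catalyst-browser` sorts before `cawbird` (`t` comes before `w`), so it belongs between `cassandra_3_11` and `cawbird`; moving the line is enough, no wording change is needed. The `vieb` entry in the second hunk is placed correctly relative to `verilog` and `ViennaRNA`.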