commits
[Backport release 21.05] buildRustCrate: don't try to set CARGO_FEATURE_ variables for dep: fe…
These features are internal-only, have special characters that bash
doesn't support in variable names, and aren't normally given
environment variables by cargo as far as I can tell.
(cherry picked from commit ede639a8d63f2c6da0944cab441955ca16e9cce5)
(cherry picked from commit a94a643de982df1a1e94fb09fb6bc974def243ef)
[backport release-21.05] Two recent backports from 21.11
We are replicating one mechanism behind `-Z build-std`.
There isn't yet crate2nix support for this, but one can (and I do) add
the missing stdlib deps (for this feature to pick up) with overrides.
(cherry picked from commit cc29693a0979c3b81da6942c214841ef11de95b5)
(cherry picked from commit 5aef865cefc2a906296b9a256bf597f70e4ee243)
(cherry picked from commit c19d19615c20844835b8729e21e038bc01f959c9)
It is possible to both be bare metal and have a libc (newlib).
This libc doesn't provide very much --- not enough for CMake to think
the C toolchain works. We therefore adjust our logic so we hit the "bare
metal" case with or without libc.
The "use LLVM" bootstrap is intentionally not affected.
(cherry picked from commit bf39e322721e581f972a14e18310797260f7f35f)
(cherry picked from commit c820cd8cee30f09431d8ce78dee613360052727a)
(cherry picked from commit 0a284ae9b9585d7ff0606092d1df2c01301c2ed5)
[Backport release-21.06] build-support/rust/lib: make arch and os functions respect target JSON
(cherry picked from commit 39811b1da9fb1c97c65ff09dd27dc3a68e6d4e65)
(cherry picked from commit b49c1ce29f34a503a9e11038a156729ad7bf1fde)
(cherry picked from commit 38d5ec716adf140532889312445a0c889a281b0e)
autoPatchelfHook actually doesn't depend on stdenv and only needs
bintools (with its wrapper). This change uses $NIX_BINTOOLS instead of
$NIX_CC and makes the dependency on bintools explicit.
(cherry picked from commit a7f5e8321e9db6f2cf2f3c6be7ce5cac28bff271)
Conflicts:
pkgs/top-level/all-packages.nix
Fully enabling crossSystem support for autoPatchelfHook came with some
perhaps unintended consequences of being a bit more aggressive about
patching ELF files from architectures/ABIs that differ from the target
(previously, those files would be ignored because ldd usually couldn't
handle them).
This change adds architecture and rough OS ABI detection to the script
so that it doesn't try to blindly replace the interpreter of files that
can't possibly use that interpreter, and also makes sure it doesn't
accidentally use libraries of other architectures/ABIs.
(cherry picked from commit 4765a3e153040b9576cbc086dab46fa7abda381d)
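The architecture and OS ABI detection this commit describes, as an added Python example rather than the hook's own bash (not nixpkgs code): it reads only the ELF identification bytes and `e_machine`, and refuses to treat a file as patchable unless class, endianness, machine and OS ABI all fit the target. The `target` dictionary and the constructed headers are assumptions; the constants come from the ELF specification.

```python
import struct

# ELF identification layout (ELF spec): magic, then EI_CLASS / EI_DATA / EI_OSABI bytes.
ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA, EI_OSABI = 4, 5, 7
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2

# e_machine values for architectures commonly cross-built; others are reported as hex.
MACHINES = {0x03: "i686", 0x3E: "x86_64", 0x28: "arm", 0xB7: "aarch64",
            0xF3: "riscv", 0x08: "mips", 0x15: "powerpc64"}
OSABIS = {0: "sysv", 3: "linux", 9: "freebsd"}


def elf_identity(data: bytes):
    """Return (bits, endianness, osabi, machine) from an ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    bits = {ELFCLASS32: 32, ELFCLASS64: 64}.get(data[EI_CLASS])
    fmt = {ELFDATA2LSB: "<", ELFDATA2MSB: ">"}.get(data[EI_DATA])
    if bits is None or fmt is None:
        return None  # malformed identification bytes: never patch such a file
    (e_machine,) = struct.unpack_from(fmt + "H", data, 18)  # e_type (2 bytes) precedes e_machine
    return (bits, "little" if fmt == "<" else "big",
            OSABIS.get(data[EI_OSABI], "unknown"), MACHINES.get(e_machine, hex(e_machine)))


def matches_target(data: bytes, target: dict) -> bool:
    """True only if the file could possibly run with the target's interpreter and libraries."""
    ident = elf_identity(data)
    if ident is None:
        return False  # not an ELF file (script, archive, ...): skip it
    bits, endian, osabi, machine = ident
    abi_ok = osabi in ("sysv", target["osabi"])  # ELFOSABI_SYSV is the generic default
    return abi_ok and (bits, endian, machine) == (target["bits"], target["endian"], target["machine"])


def fake_elf_header(bits: int, endian: str, osabi: int, e_machine: int) -> bytes:
    """Construct a minimal ELF header (constructed sample for testing, not a real binary)."""
    ident = bytearray(16)
    ident[:4] = ELF_MAGIC
    ident[EI_CLASS] = ELFCLASS64 if bits == 64 else ELFCLASS32
    ident[EI_DATA] = ELFDATA2LSB if endian == "little" else ELFDATA2MSB
    ident[6] = 1  # EI_VERSION = EV_CURRENT
    ident[EI_OSABI] = osabi
    fmt = "<" if endian == "little" else ">"
    return bytes(ident) + struct.pack(fmt + "HHI", 2, e_machine, 1)  # e_type=ET_EXEC, e_machine, e_version
```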
In #84415, autoPatchelfHook was taught to use the correct path to the
readelf binary when a crossSystem is specified. Unfortunately, the
remainder of the functionality in the script depended on ldd, which only
reads ELF files of its own architecture. It has the further unfortunate
quality of not reporting any useful error, but rather that the file is
not a dynamic executable.
This change uses patchelf to directly analyze the DT_NEEDED tags in the
target files instead, which correctly works across architectures. It
also updates the use of objdump to be prefix-aware $OBJDUMP (which would
have been required in the PR mentioned above, but we never made it that
far into the script execution).
(cherry picked from commit b79483d2b72c8e349a8fa8a6e67e8061d82d6027)
(cherry picked from commit ad1e2500efd0aa49b0dc7427bf69d4879f3b0ff5)
(cherry picked from commit aec730a0af4c977513ce28236cbecaca72af6901)
[21.05] tsm-client: 8.1.8.0 -> 8.1.13.3 (security update)
[21.05] teleport: 6.1.3 -> 6.2.26
Link to Security Bulletin:
https://www.ibm.com/support/pages/node/6540692 (CVE-2021-44832)
cherry-picked from https://github.com/NixOS/nixpkgs/pull/138386
Link to Security Bulletin:
https://www.ibm.com/support/pages/node/6537640 (CVE-2021-45105, CVE-2021-45046)
cherry-picked from https://github.com/NixOS/nixpkgs/pull/138386
Link to Security Bulletin:
https://www.ibm.com/support/pages/node/6527080 (CVE-2021-44228)
cherry-picked from https://github.com/NixOS/nixpkgs/pull/138386
IBM publishes their IBM Spectrum Protect client
for Linux in two flavors:
* "Linux x86_64 client"
* "Linux x86_64 Ubuntu client"
Up to this commit, nixpkgs used the Ubuntu
flavor to build its `tsm-client` derivation.
However, the history of published archive files in
* https://public.dhe.ibm.com/storage/tivoli-storage-management/maintenance/client/v8r1/Linux/
* https://public.dhe.ibm.com/storage/tivoli-storage-management/patches/client/v8r1/Linux/
suggests that updates in the fourth level of
the version numbers (e.g. 8.1.13.0 -> 8.1.13.1)
do not get published as Ubuntu flavor.
In order to be able to always use the latest release,
this commit switches to the non-Ubuntu flavor.
The non-Ubuntu archive contains rpm files,
so this commit switches from `ar` to `rpmextract`.
Instead of unpacking all deb files,
the build recipe now unpacks all _but one_ rpm file:
The file `TIVsm-WEBGUI.x86_64.rpm` apparently
contains a plugin that is not included
in the Ubuntu version (see note below).
Comparing the old and the new derivation's output indicates
that this choice minimizes the difference between the results:
The output of the old (Ubuntu flavor) derivation contains:
* `commons-codec-1.6.jar`
* `share/` with changelog and copyright information
for the packages `gskssl64` and `gskcrypt64`
The output of the new (non-Ubuntu flavor) derivation contains:
* `lib64`, symlink to `lib`
* `commons-codec-1.14.jar`
* `opt/tivoli/tsm/license/{api,baclient}/sm/`
with license agreement files in many languages
Besides these differences, the outputs' file names are equal.
Note: I don't know what functionality
`TIVsm-WEBGUI.x86_64.rpm` actually provides.
Unpacking it with the other rpm files makes patchelf complain
about missing X11 libraries, so in order to include it here,
one would likely need to add those to `buildInputs`.
However, as the old (Ubuntu flavor) `tsm-client` package
did not contain this functionality and as I cannot test
or use it in any way, I opted to not include it now.
If we want to include this with a later commit,
we should add another package build option (like `enableGui`)
so that the default `tsm-client` package does not pull in
X11 libraries and its closure size therefore stays small.
cherry-picked/adapted from https://github.com/NixOS/nixpkgs/pull/138386
tsm-client now links against openssl;
patchelf complains without it.
Links to IBM's "Authorized Program Analysis Report"s
(something like release notes),
to READMEs, and to Security Bulletins,
for all updates between 8.1.8.0 and 8.1.13.0:
* 8.1.9.x
* APARs: https://www.ibm.com/support/pages/node/1077159
* READMEs: https://www.ibm.com/support/pages/node/1108473
* https://www.ibm.com/support/pages/node/1107261 (CVE-2018-2025)
* https://www.ibm.com/support/pages/node/1107777 (CVE-2019-4406)
* 8.1.10.x
* APARs: https://www.ibm.com/support/pages/node/6223098
* READMEs: https://www.ibm.com/support/pages/node/6223388
* https://www.ibm.com/support/pages/node/6221448 (CVE-2020-4494, CVE-2020-4406)
* https://www.ibm.com/support/pages/node/6245356 (CVE-2020-2654)
* https://www.ibm.com/support/pages/node/6245366 (CVE-2015-4000)
* 8.1.11.x
* APARs: https://www.ibm.com/support/pages/node/6367203
* READMEs: https://www.ibm.com/support/pages/node/6367205
* https://www.ibm.com/support/pages/node/6371646
* https://www.ibm.com/support/pages/node/6371650
* https://www.ibm.com/support/pages/node/6371652
* 8.1.12.x
* APARs: https://www.ibm.com/support/pages/node/6429561
* READMEs: https://www.ibm.com/support/pages/node/6443671
* https://www.ibm.com/support/pages/node/6445503 (CVE-2021-20532)
* https://www.ibm.com/support/pages/node/6445497 (CVE-2021-29672, CVE-2021-20546)
* https://www.ibm.com/support/pages/node/6445489 (CVE-2020-1971, CVE-2021-23840, CVE-2021-23841)
* https://www.ibm.com/support/pages/node/6445483 (CVE-2020-27221, CVE-2020-14782)
* 8.1.13.x
* APARs: https://www.ibm.com/support/pages/node/6524936
* READMEs: https://www.ibm.com/support/pages/node/6524938
* https://www.ibm.com/support/pages/node/6524706 (CVE-2021-39048)
* https://www.ibm.com/support/pages/node/6524712 (CVE-2021-3712, CVE-2021-3711)
cherry-picked/adapted from https://github.com/NixOS/nixpkgs/pull/138386
IBM has changed the URL structures of their support web pages.
The commit at hand updates most URLs and
in particular the package update instructions
so they follow the new structure.
It also calculates the source download URL from the
version number, so package updates no longer have to
update the URL in addition to the version string.
cherry-picked from https://github.com/NixOS/nixpkgs/pull/138386
... into release-21.05
(cherry picked from commit 76c1bb81060673f9c2e6991a95f85aa0840758e3)
Hydra looks OK, only a few thousand x86_64-darwin builds are queued now.
[Backport release-21.05] firmwareLinuxNonfree: 20211027 -> 20211216
[Backport release-21.05] forge: fix build
CVEs:
- https://nvd.nist.gov/vuln/detail/CVE-2020-35448 (3.3 Low)
- https://nvd.nist.gov/vuln/detail/CVE-2021-20284 (5.5 Medium)
- https://nvd.nist.gov/vuln/detail/CVE-2021-20294 (7.8 High)
(cherry picked from commit f378420360a278e317b6cb14bfce1a305acbbedb)
The build was failing due to mismatched libstdc++ between
stdenv.cc and cudatoolkit.cc. This can be fixed by bumping
the build-time cudatoolkit to 11, which is able to use the
same cc as stdenv.
(cherry picked from commit e263bdd82b3c91b0ad47412ac348a7dba3d0cb20)
[Backport release-21.05] Kernels 2021-12-22
[21.05] lapack: add patch for CVE-2021-4048
Remove the affected JndiLookup.class until we can update to the latest
Mediathekview version.
(cherry picked from commit 2a360652e2af41c7afdc4d15b96e187417aebb04)
[21.05] zap: 2.10.0 -> 2.11.1
(cherry picked from commit 6a6756ce7ec780ae1ecae79e8a85188c89937981)
(cherry picked from commit 745023e01a287d8833b6c95a7a12f675dfef6d45)
(cherry picked from commit 6d952e40483a6951d585b79070872e81909409a9)
(cherry picked from commit 2c526159cf348026233b67f239f9d80f6131d3b9)
(cherry picked from commit 7617df63c2869e51cbbb323078c2c8e0c93b9d2c)
(cherry picked from commit 63ea61bcf0be615562d7d8f982c005d6c52d6118)
(cherry picked from commit d3c7e5801f572697f0483436dff80fc4ffa1658d)
(cherry picked from commit 4d5800ed103555675b600b9688c1733df6bf1e51)
(cherry picked from commit f1edf331dfef08d0e142fd7720af12f7fbaaee8e)
(cherry picked from commit 7ba37884e2c504686d465de5cbd500d23072f971)
(cherry picked from commit d35c79a419f49277fd4b7e55e69c16607b7a8a65)
(cherry picked from commit 387250dce577597ea0517bb5d838a439df5bcc3a)
(cherry picked from commit 0cb00d51f7c135416e09b341324cbe14c368bc16)
(cherry picked from commit fbd944d91d118d147783b589d3bdba4b1ed1189f)