From 7eefaeb5e36c2899d15fe8b9a2cd0a693f61471d Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Sat, 29 Oct 2022 16:20:57 +0200 Subject: [PATCH 01/20] nextcloud25: use openssl 1.1 as a PHP extension to fix RC4 encryption --- .../from_md/release-notes/rl-2211.section.xml | 16 +++++++ .../manual/release-notes/rl-2211.section.md | 2 + nixos/modules/services/web-apps/nextcloud.nix | 47 ++++++++++++++++++- nixos/tests/nextcloud/basic.nix | 1 + nixos/tests/nextcloud/default.nix | 5 ++ pkgs/top-level/php-packages.nix | 9 ++++ 6 files changed, 79 insertions(+), 1 deletion(-) diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml index 25b3a686c0d9..e06a6094c1a7 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml @@ -607,6 +607,22 @@ binaries, use the p4d package instead. + + + The NextCloud NixOS module uses OpenSSL 3.x for its PHP’s + openssl extension, this breaks RC4-based server-side + encryption in NextCloud, making all your files unreadable upon + upgrade. Upon testing, we could not trigger any cases of + data loss, but we + cannot guarantee that for + every accidental OpenSSL upgrade. To restore functionality, + services.nextcloud.enableBrokenCiphersForSSE + has to be set to true. NextCloud is + planning to implement AES-256-GCM server-side encryption in + the future through + https://github.com/nextcloud/server/pull/25551. + + The coq package and versioned variants diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md index 583480bec020..5831dbbaba8a 100644 --- a/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixos/doc/manual/release-notes/rl-2211.section.md 
@@ -196,6 +196,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The `p4` package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries `p4d`, `p4broker`, and `p4p`. To install the Helix Core Server binaries, use the `p4d` package instead. +- The NextCloud NixOS module uses OpenSSL 3.x for its PHP's openssl extension, this breaks RC4-based server-side encryption in NextCloud, making all your files unreadable upon upgrade. Upon testing, we could not trigger any cases of **data loss**, but we **cannot guarantee** that for every accidental OpenSSL upgrade. To restore functionality, [`services.nextcloud.enableBrokenCiphersForSSE`](#opt-services.nextcloud.enableBrokenCiphersForSSE) has to be set to `true`. NextCloud is planning to implement AES-256-GCM server-side encryption in the future through . + - The `coq` package and versioned variants starting at `coq_8_14` no longer include CoqIDE, which is now available through `coqPackages.coqide`. It is still possible to get CoqIDE as part of diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 04599884f139..2a4ca13b473f 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix 
@@ -13,7 +13,12 @@ let phpPackage = cfg.phpPackage.buildEnv { extensions = { enabled, all }: (with all; - enabled + # disable default openssl extension + (lib.filter (e: e.pname != "openssl") enabled) + # use OpenSSL 1.1 for RC4 NextCloud encryption if user + # has acknowledged the brokeness of the ciphers (RC4). + # TODO: remove when https://github.com/nextcloud/server/issues/32003 is fixed. + ++ (if cfg.enableBrokenCiphersForSSE then [ cfg.phpPackage.extensions.openssl-legacy ] else [ cfg.phpPackage.extensions.openssl ]) ++ optional cfg.enableImagemagick imagick # Optionally enabled depending on caching settings ++ optional cfg.caching.apcu apcu 
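Review bot: Selecting `openssl-legacy` here replaces the OpenSSL build behind PHP's entire `openssl` extension — its `https://` stream wrapper and every `openssl_*` function — not only the RC4 code path Nextcloud's server-side encryption uses, and the comment above the `if` does not say so. OpenSSL 1.1 is scheduled to stop receiving upstream security fixes in September 2023, so the comment should record both the wider blast radius and the hard deadline, e.g. `# NOTE: swaps OpenSSL for the whole PHP openssl extension (TLS streams, openssl_*), not just SSE; OpenSSL 1.1 is EOL in 2023, drop this before then.` An alternative worth evaluating is staying on OpenSSL 3 and enabling its legacy provider through the extension's openssl.cnf, which would keep security fixes flowing while re-enabling RC4 — I have not verified that Nextcloud's SSE works in that configuration. The `buildEnv` expression continues past this hunk.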
@@ -80,6 +85,36 @@ in { options.services.nextcloud = { enable = mkEnableOption (lib.mdDoc "nextcloud"); + + enableBrokenCiphersForSSE = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + This option uses OpenSSL PHP extension linked against OpenSSL 1.x rather + than latest OpenSSL (≥ 3), this is not recommended except if you need + it. + + Server-side encryption in NextCloud uses RC4 ciphers, a broken cipher + since ~2004. + + This cipher has been disabled in OpenSSL ≥ 3 and requires + a specific legacy profile to re-enable it. + + If you upgrade to a NextCloud using OpenSSL ≥ 3 and have + server-side encryption configured, you will not be able to access + your files anymore, enabling this option can restore access to your files. + + Unless you are using external storage, + it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) as it is unclear + it provides any amount of security beyond encryption for external storage. + If you know more about this feature and is keen on it, + please chime in or open + an issue in nixpkgs. + + In the future, NextCloud may move to AES-256-GCM, by then, + this option will be deprecated. + ''; + }; hostName = mkOption { type = types.str; description = lib.mdDoc "FQDN for the nextcloud instance."; 
@@ -649,6 +684,16 @@ in { ++ (optional (versionOlder cfg.package.version "23") (upgradeWarning 22 "22.05")) ++ (optional (versionOlder cfg.package.version "24") (upgradeWarning 23 "22.05")) ++ (optional (versionOlder cfg.package.version "25") (upgradeWarning 24 "22.11")) + ++ (optional cfg.enableBrokenCiphersForSSE '' + You're using PHP's openssl extension built against OpenSSL 1.1. + This is only necessary if you're using NextCloud's server-side encryption. + Please keep in mind that it's using the broken RC4 cipher. + + In order to disable this option and remove this warning, + server-side encryption has to be disabled, see on how to achieve this. + + For more context, here is the implementing pull request: https://github.com/NixOS/nixpkgs/pull/198470 + '') ++ (optional isUnsupportedMariadb '' You seem to be using MariaDB at an unsupported version (i.e. at least 10.6)! Please note that this isn't supported officially by Nextcloud. You can either diff --git a/nixos/tests/nextcloud/basic.nix b/nixos/tests/nextcloud/basic.nix index eb37470a4c7b..5cf4d8ca7554 100644 --- a/nixos/tests/nextcloud/basic.nix +++ b/nixos/tests/nextcloud/basic.nix @@ -41,6 +41,7 @@ in { enable = true; datadir = "/var/lib/nextcloud-data"; hostName = "nextcloud"; + enableBrokenCiphersForSSE = args.enableBrokenCiphersForSSE or false; config = { # Don't inherit adminuser since "root" is supposed to be the default adminpassFile = "${pkgs.writeText "adminpass" adminpass}"; # Don't try this at home! diff --git a/nixos/tests/nextcloud/default.nix b/nixos/tests/nextcloud/default.nix index 7dbdff988238..b55831047c62 100644 --- a/nixos/tests/nextcloud/default.nix +++ b/nixos/tests/nextcloud/default.nix 
@@ -8,6 +8,11 @@ with pkgs.lib; foldl (matrix: ver: matrix // { "basic${toString ver}" = import ./basic.nix { inherit system pkgs; nextcloudVersion = ver; }; + "with-legacy-openssl${toString ver}" = import ./basic.nix { + inherit system pkgs; + nextcloudVersion = ver; + enableBrokenCiphersForSSE = true; + }; "with-postgresql-and-redis${toString ver}" = import ./with-postgresql-and-redis.nix { inherit system pkgs; nextcloudVersion = ver; diff --git a/pkgs/top-level/php-packages.nix b/pkgs/top-level/php-packages.nix index 0b9f4237327b..2ab2000af583 100644 --- a/pkgs/top-level/php-packages.nix +++ b/pkgs/top-level/php-packages.nix @@ -414,6 +414,15 @@ lib.makeScope pkgs.newScope (self: with self; { configureFlags = [ "--with-openssl" ]; doCheck = false; } + # This provides a legacy OpenSSL PHP extension + # For situations where OpenSSL 3 do not support a set of features + # without a specific openssl.cnf file + { + name = "openssl-legacy"; + buildInputs = [ openssl_1_1 ]; + configureFlags = [ "--with-openssl" ]; + doCheck = false; + } { name = "pcntl"; } { name = "pdo"; doCheck = false; } { From 394d4de8770db0c32c4a01957496d08256cdcaf5 Mon Sep 17 00:00:00 2001 From: Raito Bezarius Date: Mon, 7 Nov 2022 14:42:43 +0100 Subject: [PATCH 02/20] =?UTF-8?q?nextcloud25:=20enable=20by=20default=20br?= =?UTF-8?q?oken=20ciphers=20for=20NixOS=20=E2=89=A4=2022.11?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- nixos/modules/services/web-apps/nextcloud.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 2a4ca13b473f..43b00f601c49 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix 
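Review bot: The new `openssl-legacy` entry in `php-packages.nix` exposes an OpenSSL 1.1-linked extension to every consumer of `php.extensions`, yet nothing in the definition marks it as legacy apart from a comment; the only warning lives in the Nextcloud module. Anyone who picks this extension up elsewhere gets no signal that it is pinned to a branch scheduled to stop receiving upstream security fixes in September 2023. If the extension builder accepts a `meta` attribute, give it a description such as `# Deprecated: linked against OpenSSL 1.1 solely for Nextcloud SSE; remove once nextcloud/server#32003 is fixed` and, if the package set supports it, a known-vulnerabilities marker so evaluation warns. The explanatory comment also reads awkwardly; `# OpenSSL 3 disables legacy algorithms such as RC4 unless a legacy provider is loaded via openssl.cnf` states what is meant.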
@@ -88,7 +88,8 @@ in { enableBrokenCiphersForSSE = mkOption { type = types.bool; - default = false; + # Workaround can be removed at backport-time for 22.11. + default = !(versionOlder stateVersion "22.11"); description = lib.mdDoc '' This option uses OpenSSL PHP extension linked against OpenSSL 1.x rather than latest OpenSSL (≥ 3), this is not recommended except if you need From 61128cba67d881a5a741ea2a403bfb43be636fc8 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Tue, 8 Nov 2022 22:52:27 +0100 Subject: [PATCH 03/20] nixos/nextcloud: minor docs cleanup for openssl change * s/NextCloud/Nextcloud/g * `enableBrokenCiphersForSSE` should be enabled by default for any NixOS installation from before 22.11 to make sure existing installations don't run into the issue. Not the other way round. * Update release notes to reflect on that. * Improve wording of the warning a bit: explain which option to change to get rid of it. * Ensure that basic tests w/o `enableBrokenCiphersForSSE` run with OpenSSL 3. --- .../from_md/release-notes/rl-2211.section.xml | 26 +++++++------ .../manual/release-notes/rl-2211.section.md | 7 +++- nixos/modules/services/web-apps/nextcloud.nix | 37 +++++++++++-------- nixos/tests/nextcloud/basic.nix | 2 + 4 files changed, 43 insertions(+), 29 deletions(-) diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml index e06a6094c1a7..71d9ed1d2962 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml 
@@ -609,18 +609,20 @@ - The NextCloud NixOS module uses OpenSSL 3.x for its PHP’s - openssl extension, this breaks RC4-based server-side - encryption in NextCloud, making all your files unreadable upon - upgrade. Upon testing, we could not trigger any cases of - data loss, but we - cannot guarantee that for - every accidental OpenSSL upgrade. To restore functionality, - services.nextcloud.enableBrokenCiphersForSSE - has to be set to true. NextCloud is - planning to implement AES-256-GCM server-side encryption in - the future through - https://github.com/nextcloud/server/pull/25551. + The openssl-extension for the PHP + interpreter used by services.nextcloud is + built against OpenSSL 1.1 if + is below + 22.11. This is to make sure that people + using + server-side + encryption don’t loose access to their files. + + + In any other case it’s safe to use OpenSSL 3 for PHP’s openssl + extension. This can be done by setting + + to false. diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md index 5831dbbaba8a..f141813c452d 100644 --- a/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixos/doc/manual/release-notes/rl-2211.section.md 
@@ -196,7 +196,12 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The `p4` package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries `p4d`, `p4broker`, and `p4p`. To install the Helix Core Server binaries, use the `p4d` package instead. -- The NextCloud NixOS module uses OpenSSL 3.x for its PHP's openssl extension, this breaks RC4-based server-side encryption in NextCloud, making all your files unreadable upon upgrade. Upon testing, we could not trigger any cases of **data loss**, but we **cannot guarantee** that for every accidental OpenSSL upgrade. To restore functionality, [`services.nextcloud.enableBrokenCiphersForSSE`](#opt-services.nextcloud.enableBrokenCiphersForSSE) has to be set to `true`. NextCloud is planning to implement AES-256-GCM server-side encryption in the future through . +- The `openssl`-extension for the PHP interpreter used by `services.nextcloud` is built against OpenSSL 1.1 if + [](#opt-system.stateVersion) is below `22.11`. This is to make sure that people using [server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html) + don't loose access to their files. + + In any other case it's safe to use OpenSSL 3 for PHP's openssl extension. This can be done by setting + [](#opt-services.nextcloud.enableBrokenCiphersForSSE) to `false`. - The `coq` package and versioned variants starting at `coq_8_14` no longer include CoqIDE, which is now available through diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 43b00f601c49..6a71ac0d269c 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix 
@@ -15,7 +15,7 @@ let (with all; # disable default openssl extension (lib.filter (e: e.pname != "openssl") enabled) - # use OpenSSL 1.1 for RC4 NextCloud encryption if user + # use OpenSSL 1.1 for RC4 Nextcloud encryption if user # has acknowledged the brokeness of the ciphers (RC4). # TODO: remove when https://github.com/nextcloud/server/issues/32003 is fixed. ++ (if cfg.enableBrokenCiphersForSSE then [ cfg.phpPackage.extensions.openssl-legacy ] else [ cfg.phpPackage.extensions.openssl ]) 
@@ -88,32 +88,32 @@ in { enableBrokenCiphersForSSE = mkOption { type = types.bool; - # Workaround can be removed at backport-time for 22.11. - default = !(versionOlder stateVersion "22.11"); + default = versionOlder stateVersion "22.11"; + defaultText = literalExpression "versionOlder system.stateVersion \"22.11\""; description = lib.mdDoc '' - This option uses OpenSSL PHP extension linked against OpenSSL 1.x rather + This option uses OpenSSL PHP extension linked against OpenSSL 1.1 rather than latest OpenSSL (≥ 3), this is not recommended except if you need it. - Server-side encryption in NextCloud uses RC4 ciphers, a broken cipher + Server-side encryption in Nextcloud uses RC4 ciphers, a broken cipher since ~2004. This cipher has been disabled in OpenSSL ≥ 3 and requires a specific legacy profile to re-enable it. - If you upgrade to a NextCloud using OpenSSL ≥ 3 and have + If you upgrade to a Nextcloud using OpenSSL ≥ 3 and have server-side encryption configured, you will not be able to access - your files anymore, enabling this option can restore access to your files. + your files anymore. Enabling this option can restore access to your files. + Upon testing we didn't encounter any data corruption when turning + this on and off again, but this cannot be guaranteed for + each Nextcloud installation. Unless you are using external storage, it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) as it is unclear it provides any amount of security beyond encryption for external storage. - If you know more about this feature and is keen on it, - please chime in or open - an issue in nixpkgs. - In the future, NextCloud may move to AES-256-GCM, by then, - this option will be deprecated. + In the future, Nextcloud may move to AES-256-GCM, by then, + this option will be removed. ''; }; hostName = mkOption { 
@@ -686,12 +686,17 @@ in { ++ (optional (versionOlder cfg.package.version "24") (upgradeWarning 23 "22.05")) ++ (optional (versionOlder cfg.package.version "25") (upgradeWarning 24 "22.11")) ++ (optional cfg.enableBrokenCiphersForSSE '' - You're using PHP's openssl extension built against OpenSSL 1.1. - This is only necessary if you're using NextCloud's server-side encryption. + You're using PHP's openssl extension built against OpenSSL 1.1 for Nextcloud. + This is only necessary if you're using Nextcloud's server-side encryption. Please keep in mind that it's using the broken RC4 cipher. - In order to disable this option and remove this warning, - server-side encryption has to be disabled, see on how to achieve this. + If you don't use that feature, you can switch to OpenSSL 3 by declaring + + services.nextcloud.enableBrokenCiphersForSSE = false; + + Otherwise you'd have to disable server-side encryption first in order + to be able to safely disable this option and get rid of that warning. + See on how to achieve this. For more context, here is the implementing pull request: https://github.com/NixOS/nixpkgs/pull/198470 '') diff --git a/nixos/tests/nextcloud/basic.nix b/nixos/tests/nextcloud/basic.nix index 5cf4d8ca7554..66ed9a62b8ae 100644 --- a/nixos/tests/nextcloud/basic.nix +++ b/nixos/tests/nextcloud/basic.nix @@ -37,6 +37,8 @@ in { "d /var/lib/nextcloud-data 0750 nextcloud nginx - -" ]; + system.stateVersion = "22.11"; + services.nextcloud = { enable = true; datadir = "/var/lib/nextcloud-data"; From 35b146ca31ea5f6cfdeee11dc7ca737fa9fbc1dd Mon Sep 17 00:00:00 2001 
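Review bot: The rewritten warning tells operators to set `enableBrokenCiphersForSSE = false` "if you don't use that feature", but gives them no way to check, and the option description in this same series states that flipping it with SSE active makes every encrypted file unreadable. Add one line telling them how to verify before changing anything, e.g. `Run 'nextcloud-occ encryption:status' first; if it reports encryption as enabled, keep this option until server-side encryption has been disabled.` — `occ encryption:status` is, as far as I recall, the command that reports whether the encryption app is active, and `nextcloud-occ` is already the wrapper this module ships (it is exercised in the tests). This is an eval-time warning, so the check has to be a manual instruction rather than an assertion. The `warnings` list continues outside this hunk.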
From: Maximilian Bosch Date: Thu, 10 Nov 2022 12:05:24 +0100 Subject: [PATCH 04/20] nixos/nextcloud: fixup openssl compat change Upon testing the change itself I realized that it doesn't build properly because * the `pname` of a php extension is `php-`, not ``. * calling the extension `openssl-legacy` resulted in PHP trying to compile `ext/openssl-legacy` which broke since it doesn't exist: source root is php-8.1.12 setting SOURCE_DATE_EPOCH to timestamp 1666719000 of file php-8.1.12/win32/wsyslog.c patching sources cdToExtensionRootPhase /nix/store/48mnkga4kh84xyiqwzx8v7iv090i7z66-stdenv-linux/setup: line 1399: cd: ext/openssl-legacy: No such file or directory I didn't encounter that one before because I was mostly interested in having a sane behavior for everyone not using this "feature" and the documentation around this. My findings about the behavior with turning openssl1.1 on/off are still valid because I tested this on `master` with manually replacing `openssl` by `openssl_1_1` in `php-packages.nix`. To work around the issue I had to slightly modify the extension build-system for PHP: * The attribute `extensionName` is now relevant to determine the output paths (e.g. `lib/openssl.so`). This is not a behavioral change for existing extensions because then `extensionName==name`. However when specifying `extName` in `php-packages.nix` this value is overridden and it is made sure that the extension called `extName` NOT `name` (i.e. `openssl` vs `openssl-legacy`) is built and installed. The `name` still has to be kept to keep the legacy openssl available as `php.extensions.openssl-legacy`. Additionally I implemented a small VM test to check the behavior with server-side encryption: * For `stateVersion` below 22.11, OpenSSL 1.1 is used (in `basic.nix` it's checked that OpenSSL 3 is used). With that the "default" behavior of the module is checked. * It is ensured that the PHP interpreter for Nextcloud's php-fpm actually loads the correct openssl extension. 
* It is tested that (encrypted) files remain usable when (temporarily) installing OpenSSL3 (of course then they're not decryptable, but on a rollback that should still be possible). Finally, a few more documentation changes: * I also mentioned the issue in `nextcloud.xml` to make sure the issue is at least mentioned in the manual section about Nextcloud. Not too much detail here, but the relevant option `enableBrokenCiphersForSSE` is referenced. * I fixed a few minor wording issues to also give the full context (we're talking about Nextcloud; we're talking about the PHP extension **only**; please check if you really need this even though it's enabled by default). This is because I felt that sometimes it might be hard to understand what's going on when e.g. an eval-warning appears without telling where exactly it comes from. --- .../from_md/release-notes/rl-2211.section.xml | 3 +- .../manual/release-notes/rl-2211.section.md | 2 +- nixos/modules/services/web-apps/nextcloud.nix | 31 +++--- nixos/modules/services/web-apps/nextcloud.xml | 14 +++ nixos/tests/nextcloud/basic.nix | 8 +- nixos/tests/nextcloud/default.nix | 3 +- nixos/tests/nextcloud/openssl-sse.nix | 105 ++++++++++++++++++ pkgs/development/interpreters/php/generic.nix | 2 +- pkgs/top-level/php-packages.nix | 10 +- 9 files changed, 153 insertions(+), 25 deletions(-) create mode 100644 nixos/tests/nextcloud/openssl-sse.nix diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml index 71d9ed1d2962..7f788be2b0a5 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml @@ -610,8 +610,7 @@ The openssl-extension for the PHP - interpreter used by services.nextcloud is - built against OpenSSL 1.1 if + interpreter used by Nextcloud is built against OpenSSL 1.1 if is below 22.11. This is to make sure that people using 
diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md index f141813c452d..bc7f86bf5526 100644 --- a/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixos/doc/manual/release-notes/rl-2211.section.md @@ -196,7 +196,7 @@ Available as [services.patroni](options.html#opt-services.patroni.enable). - The `p4` package now only includes the open-source Perforce Helix Core command-line client and APIs. It no longer installs the unfree Helix Core Server binaries `p4d`, `p4broker`, and `p4p`. To install the Helix Core Server binaries, use the `p4d` package instead. -- The `openssl`-extension for the PHP interpreter used by `services.nextcloud` is built against OpenSSL 1.1 if +- The `openssl`-extension for the PHP interpreter used by Nextcloud is built against OpenSSL 1.1 if [](#opt-system.stateVersion) is below `22.11`. This is to make sure that people using [server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html) don't loose access to their files. diff --git a/nixos/modules/services/web-apps/nextcloud.nix b/nixos/modules/services/web-apps/nextcloud.nix index 6a71ac0d269c..da621573f2a2 100644 --- a/nixos/modules/services/web-apps/nextcloud.nix +++ b/nixos/modules/services/web-apps/nextcloud.nix @@ -14,7 +14,7 @@ let extensions = { enabled, all }: (with all; # disable default openssl extension - (lib.filter (e: e.pname != "openssl") enabled) + (lib.filter (e: e.pname != "php-openssl") enabled) # use OpenSSL 1.1 for RC4 Nextcloud encryption if user # has acknowledged the brokeness of the ciphers (RC4). # TODO: remove when https://github.com/nextcloud/server/issues/32003 is fixed. 
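Review bot: The filter now compares against `"php-openssl"`, but matching the extension by pname string is exactly what failed silently in the first iteration — when the string did not match, `enabled` was returned unchanged and both the default and the legacy openssl extension ended up in the same interpreter with no error. Comparing derivations removes that failure mode: `(lib.filter (e: e != openssl) enabled)` with `openssl` taken from the `with all;` scope, assuming `enabled` holds the same derivation as `all.openssl` (not confirmable from this hunk). If the string match must stay, at least assert that the filtered list is one element shorter than `enabled` so a future pname change fails evaluation instead of loading two OpenSSL builds into one process. The `buildEnv` expression continues past this hunk.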
@@ -91,26 +91,29 @@ in { default = versionOlder stateVersion "22.11"; defaultText = literalExpression "versionOlder system.stateVersion \"22.11\""; description = lib.mdDoc '' - This option uses OpenSSL PHP extension linked against OpenSSL 1.1 rather - than latest OpenSSL (≥ 3), this is not recommended except if you need - it. - - Server-side encryption in Nextcloud uses RC4 ciphers, a broken cipher - since ~2004. + This option enables using the OpenSSL PHP extension linked against OpenSSL 1.1 + rather than latest OpenSSL (≥ 3), this is not recommended unless you need + it for server-side encryption (SSE). SSE uses the legacy RC4 cipher which is + considered broken for several years now. See also [RFC7465](https://datatracker.ietf.org/doc/html/rfc7465). This cipher has been disabled in OpenSSL ≥ 3 and requires a specific legacy profile to re-enable it. - If you upgrade to a Nextcloud using OpenSSL ≥ 3 and have + If you deploy Nextcloud using OpenSSL ≥ 3 for PHP and have server-side encryption configured, you will not be able to access your files anymore. Enabling this option can restore access to your files. Upon testing we didn't encounter any data corruption when turning this on and off again, but this cannot be guaranteed for each Nextcloud installation. - Unless you are using external storage, - it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) as it is unclear - it provides any amount of security beyond encryption for external storage. + It is `true` by default for systems with a [](#opt-system.stateVersion) below + `22.11` to make sure that existing installations won't break on update. On newer + NixOS systems you have to explicitly enable it on your own. + + Please note that this only provides additional value when using + external storage such as S3 since it's not an end-to-end encryption. 
+ If this is not the case, + it is advised to [disable server-side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#disabling-encryption) and set this to `false`. In the future, Nextcloud may move to AES-256-GCM, by then, this option will be removed. @@ -690,12 +693,14 @@ in { This is only necessary if you're using Nextcloud's server-side encryption. Please keep in mind that it's using the broken RC4 cipher. - If you don't use that feature, you can switch to OpenSSL 3 by declaring + If you don't use that feature, you can switch to OpenSSL 3 and get + rid of this warning by declaring services.nextcloud.enableBrokenCiphersForSSE = false; + If you need to use server-side encryption you can ignore this waring. Otherwise you'd have to disable server-side encryption first in order - to be able to safely disable this option and get rid of that warning. + to be able to safely disable this option and get rid of this warning. See on how to achieve this. For more context, here is the implementing pull request: https://github.com/NixOS/nixpkgs/pull/198470 diff --git a/nixos/modules/services/web-apps/nextcloud.xml b/nixos/modules/services/web-apps/nextcloud.xml index a0b69dbd606c..ca57692fc16a 100644 --- a/nixos/modules/services/web-apps/nextcloud.xml +++ b/nixos/modules/services/web-apps/nextcloud.xml @@ -170,6 +170,20 @@ + + + Server-side encryption + + Nextcloud supports server-side encryption (SSE). + This is not an end-to-end encryption, but can be used to encrypt files that will be persisted + to external storage such as S3. Please note that this won't work anymore when using OpenSSL 3 + for PHP's openssl extension because this is implemented using the legacy cipher RC4. + If is above 22.05, + this is disabled by default. To turn it on again and for further information please refer to + . + + + 
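Review bot: The added line `If you need to use server-side encryption you can ignore this waring.` tells operators to disregard a security warning, which is the wrong message for a component pinned to an OpenSSL branch that stops receiving upstream fixes in September 2023; it should instead give them a deadline and an action. Replace it with `If you rely on server-side encryption, plan to disable or re-encrypt it before OpenSSL 1.1 reaches end of life (September 2023); this warning stays until then.` — this also fixes the `waring` typo, which would otherwise ship in a user-facing string. The `warnings` list continues outside this hunk.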
diff --git a/nixos/tests/nextcloud/basic.nix b/nixos/tests/nextcloud/basic.nix index 66ed9a62b8ae..a475049e7b26 100644 --- a/nixos/tests/nextcloud/basic.nix +++ b/nixos/tests/nextcloud/basic.nix @@ -37,13 +37,12 @@ in { "d /var/lib/nextcloud-data 0750 nextcloud nginx - -" ]; - system.stateVersion = "22.11"; + system.stateVersion = "22.11"; # stateVersion >=21.11 to make sure that we use OpenSSL3 services.nextcloud = { enable = true; datadir = "/var/lib/nextcloud-data"; hostName = "nextcloud"; - enableBrokenCiphersForSSE = args.enableBrokenCiphersForSSE or false; config = { # Don't inherit adminuser since "root" is supposed to be the default adminpassFile = "${pkgs.writeText "adminpass" adminpass}"; # Don't try this at home! @@ -102,6 +101,10 @@ in { # This is just to ensure the nextcloud-occ program is working nextcloud.succeed("nextcloud-occ status") nextcloud.succeed("curl -sSf http://nextcloud/login") + # Ensure that no OpenSSL 1.1 is used. + nextcloud.succeed( + "${nodes.nextcloud.services.phpfpm.pools.nextcloud.phpPackage}/bin/php -i | grep 'OpenSSL Library Version' | awk -F'=>' '{ print $2 }' | awk '{ print $2 }' | grep -v 1.1" + ) nextcloud.succeed( "${withRcloneEnv} ${copySharedFile}" ) @@ -111,5 +114,6 @@ in { "${withRcloneEnv} ${diffSharedFile}" ) assert "hi" in client.succeed("cat /mnt/dav/test-shared-file") + nextcloud.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud-data/data/root/files/test-shared-file") ''; })) args diff --git a/nixos/tests/nextcloud/default.nix b/nixos/tests/nextcloud/default.nix index b55831047c62..b8d3ba75b51a 100644 --- a/nixos/tests/nextcloud/default.nix +++ b/nixos/tests/nextcloud/default.nix 
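Review bot: The new comment on `system.stateVersion` claims `>=21.11` is enough to get OpenSSL 3, but the option default shown in this series is `versionOlder stateVersion "22.11"`, so a 21.11 or 22.05 stateVersion would still select OpenSSL 1.1; the threshold in the comment is off by one release. Change it to `system.stateVersion = "22.11"; # stateVersion >=22.11 to make sure that we use OpenSSL 3`. The test node's attribute set continues outside this hunk.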
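Review bot: `grep -v 1.1` on the extracted version string is an unanchored regex, so this assertion will start failing as soon as the OpenSSL 3 series reaches a version containing that substring (3.1.1, 3.1.10, …), and the unescaped `.` matches any character; it passes today only because the current version happens not to contain it. Anchor it to what the test actually wants to see: `... | awk '{ print $2 }' | grep -E '^3\.'`, or if the intent is strictly "not 1.1", `grep -vE '^1\.1'`. The pipeline still exits non-zero on empty output either way, which is the desired behaviour if the extension failed to load.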
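Review bot: `grep -vE '^HBEGIN:oc_encryption_module' FILE` succeeds whenever at least one line of the file does not start with the marker, so it would also pass for an encrypted file whose first line carries the header and whose remaining lines are ciphertext; it proves the file has some other line, not that it is plaintext. The intended assertion is the negation: `nextcloud.fail("grep -q '^HBEGIN:oc_encryption_module' /var/lib/nextcloud-data/data/root/files/test-shared-file")`, using the test driver's `fail` helper that I would expect alongside `succeed`. The on-disk layout of an encrypted file is not visible here, so confirm the header really is the first line before relying on the anchor.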
@@ -8,10 +8,9 @@ with pkgs.lib; foldl (matrix: ver: matrix // { "basic${toString ver}" = import ./basic.nix { inherit system pkgs; nextcloudVersion = ver; }; - "with-legacy-openssl${toString ver}" = import ./basic.nix { + "openssl-sse${toString ver}" = import ./openssl-sse.nix { inherit system pkgs; nextcloudVersion = ver; - enableBrokenCiphersForSSE = true; }; "with-postgresql-and-redis${toString ver}" = import ./with-postgresql-and-redis.nix { inherit system pkgs; diff --git a/nixos/tests/nextcloud/openssl-sse.nix b/nixos/tests/nextcloud/openssl-sse.nix new file mode 100644 index 000000000000..7595ee2c67e3 --- /dev/null +++ b/nixos/tests/nextcloud/openssl-sse.nix 
@@ -0,0 +1,105 @@ +args@{ pkgs, nextcloudVersion ? 25, ... }: + +(import ../make-test-python.nix ({ pkgs, ...}: let + adminuser = "root"; + adminpass = "notproduction"; + nextcloudBase = { + networking.firewall.allowedTCPPorts = [ 80 ]; + system.stateVersion = "22.05"; # stateVersions <22.11 use openssl 1.1 by default + services.nextcloud = { + enable = true; + config.adminpassFile = "${pkgs.writeText "adminpass" adminpass}"; + package = pkgs.${"nextcloud" + (toString nextcloudVersion)}; + }; + }; +in { + name = "nextcloud-openssl"; + meta = with pkgs.lib.maintainers; { + maintainers = [ ma27 ]; + }; + nodes.nextcloudwithopenssl1 = { + imports = [ nextcloudBase ]; + services.nextcloud.hostName = "nextcloudwithopenssl1"; + }; + nodes.nextcloudwithopenssl3 = { + imports = [ nextcloudBase ]; + services.nextcloud = { + hostName = "nextcloudwithopenssl3"; + enableBrokenCiphersForSSE = false; + }; + }; + testScript = { nodes, ... }: let + withRcloneEnv = host: pkgs.writeScript "with-rclone-env" '' + #!${pkgs.runtimeShell} + export RCLONE_CONFIG_NEXTCLOUD_TYPE=webdav + export RCLONE_CONFIG_NEXTCLOUD_URL="http://${host}/remote.php/webdav/" + export RCLONE_CONFIG_NEXTCLOUD_VENDOR="nextcloud" + export RCLONE_CONFIG_NEXTCLOUD_USER="${adminuser}" + export RCLONE_CONFIG_NEXTCLOUD_PASS="$(${pkgs.rclone}/bin/rclone obscure ${adminpass})" + "''${@}" + ''; + withRcloneEnv1 = withRcloneEnv "nextcloudwithopenssl1"; + withRcloneEnv3 = withRcloneEnv "nextcloudwithopenssl3"; + copySharedFile1 = pkgs.writeScript "copy-shared-file" '' + #!${pkgs.runtimeShell} + echo 'hi' | ${withRcloneEnv1} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file + ''; + copySharedFile3 = pkgs.writeScript "copy-shared-file" '' + #!${pkgs.runtimeShell} + echo 'bye' | ${withRcloneEnv3} ${pkgs.rclone}/bin/rclone rcat nextcloud:test-shared-file2 + ''; + openssl1-node = nodes.nextcloudwithopenssl1.config.system.build.toplevel; + openssl3-node = nodes.nextcloudwithopenssl3.config.system.build.toplevel; + in '' 
+ nextcloudwithopenssl1.start() + nextcloudwithopenssl1.wait_for_unit("multi-user.target") + nextcloudwithopenssl1.succeed("nextcloud-occ status") + nextcloudwithopenssl1.succeed("curl -sSf http://nextcloudwithopenssl1/login") + + with subtest("With OpenSSL 1 SSE can be enabled and used"): + nextcloudwithopenssl1.succeed("nextcloud-occ app:enable encryption") + nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable") + + with subtest("Upload file and ensure it's encrypted"): + nextcloudwithopenssl1.succeed("${copySharedFile1}") + nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") + + with subtest("Switch to OpenSSL 3"): + nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test") + nextcloudwithopenssl1.wait_for_open_port(80) + nextcloudwithopenssl1.succeed("nextcloud-occ status") + + with subtest("Existing encrypted files cannot be read, but new files can be added"): + nextcloudwithopenssl1.fail("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file >&2") + nextcloudwithopenssl1.succeed("nextcloud-occ encryption:disable") + nextcloudwithopenssl1.succeed("${copySharedFile3}") + nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2") + nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") + + with subtest("Switch back to OpenSSL 1.1 and ensure that encrypted files are readable again"): + nextcloudwithopenssl1.succeed("${openssl1-node}/bin/switch-to-configuration test") + nextcloudwithopenssl1.wait_for_open_port(80) + nextcloudwithopenssl1.succeed("nextcloud-occ status") + nextcloudwithopenssl1.succeed("nextcloud-occ encryption:enable") + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat 
nextcloud:test-shared-file2 | grep bye") + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") + nextcloudwithopenssl1.succeed("grep -E '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") + nextcloudwithopenssl1.succeed("grep bye /var/lib/nextcloud/data/root/files/test-shared-file2") + + with subtest("Ensure that everything can be decrypted"): + nextcloudwithopenssl1.succeed("echo y | nextcloud-occ encryption:decrypt-all >&2") + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") + nextcloudwithopenssl1.succeed("${withRcloneEnv1} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") + nextcloudwithopenssl1.succeed("grep -vE '^HBEGIN:oc_encryption_module' /var/lib/nextcloud/data/root/files/test-shared-file") + + with subtest("Switch to OpenSSL 3 ensure that all files are usable now"): + nextcloudwithopenssl1.succeed("${openssl3-node}/bin/switch-to-configuration test") + nextcloudwithopenssl1.wait_for_open_port(80) + nextcloudwithopenssl1.succeed("nextcloud-occ status") + nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file2 | grep bye") + nextcloudwithopenssl1.succeed("${withRcloneEnv3} ${pkgs.rclone}/bin/rclone cat nextcloud:test-shared-file | grep hi") + + nextcloudwithopenssl1.shutdown() + ''; +})) args diff --git a/pkgs/development/interpreters/php/generic.nix b/pkgs/development/interpreters/php/generic.nix index d1b7c6829557..ae59bf349a9c 100644 --- a/pkgs/development/interpreters/php/generic.nix +++ b/pkgs/development/interpreters/php/generic.nix @@ -91,7 +91,7 @@ let [ ] allExtensionFunctions; - getExtName = ext: lib.removePrefix "php-" (builtins.parseDrvName ext.name).name; + getExtName = ext: ext.extensionName; # Recursively get a list of all internal dependencies # for a list of extensions. 
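Review bot: The `nextcloudwithopenssl1` node appears to rely on the stateVersion-derived default of `services.nextcloud.enableBrokenCiphersForSSE` (see the `22.05` comment), while `nextcloudwithopenssl3` sets the option explicitly to `false`; if that default is ever keyed differently the test silently stops exercising the OpenSSL 1.1 path. Setting `services.nextcloud.enableBrokenCiphersForSSE = true;` on the openssl1 node makes each node self-describing and keeps the test honest. A smaller nit: both `pkgs.writeScript "copy-shared-file"` calls share one name and differ only in the store hash; naming them `copy-shared-file-1` and `copy-shared-file-3` helps when reading the test log.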
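Review bot: `getExtName = ext: ext.extensionName;` replaces a parse of the derivation name with a hard attribute access, so any extension derivation reaching this function without an `extensionName` attribute now fails evaluation with a missing-attribute error instead of falling back to its pname. That is fine if every extension is built through `mkExtension`, which sets the attribute in this patch series, but the new contract deserves a line: `# every extension must carry extensionName (set by mkExtension); it may differ from pname, e.g. openssl-legacy`. The enclosing `let` block starts and ends outside the hunk.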
diff --git a/pkgs/top-level/php-packages.nix b/pkgs/top-level/php-packages.nix index 2ab2000af583..af3bb5451025 100644 --- a/pkgs/top-level/php-packages.nix +++ b/pkgs/top-level/php-packages.nix @@ -71,16 +71,17 @@ lib.makeScope pkgs.newScope (self: with self; { # will mark the extension as a zend extension or not. mkExtension = lib.makeOverridable ({ name - , configureFlags ? [ "--enable-${name}" ] + , configureFlags ? [ "--enable-${extName}" ] , internalDeps ? [ ] , postPhpize ? "" , buildInputs ? [ ] , zendExtension ? false , doCheck ? true + , extName ? name , ... }@args: stdenv.mkDerivation ((builtins.removeAttrs args [ "name" ]) // { pname = "php-${name}"; - extensionName = name; + extensionName = extName; outputs = [ "out" "dev" ]; @@ -103,7 +104,7 @@ lib.makeScope pkgs.newScope (self: with self; { cdToExtensionRootPhase = '' # Go to extension source root. - cd "ext/${name}" + cd "ext/${extName}" ''; preConfigure = '' @@ -139,7 +140,7 @@ lib.makeScope pkgs.newScope (self: with self; { runHook preInstall mkdir -p $out/lib/php/extensions - cp modules/${name}.so $out/lib/php/extensions/${name}.so + cp modules/${extName}.so $out/lib/php/extensions/${extName}.so mkdir -p $dev/include ${rsync}/bin/rsync -r --filter="+ */" \ --filter="+ *.h" \ @@ -419,6 +420,7 @@ lib.makeScope pkgs.newScope (self: with self; { # without a specific openssl.cnf file { name = "openssl-legacy"; + extName = "openssl"; buildInputs = [ openssl_1_1 ]; configureFlags = [ "--with-openssl" ]; doCheck = false; From f010cdcad38519f71f2468d309a67467929a1fe8 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Tue, 15 Nov 2022 14:52:23 +0100 Subject: [PATCH 05/20] asterisk: 16.26.1 -> 16.29.0, 18.12.1 -> 18.15.0, 19.4.1 -> 19.7.0, init 20.0.0 --- pkgs/servers/asterisk/default.nix | 7 +++++++ pkgs/servers/asterisk/versions.json | 16 ++++++++++------ pkgs/top-level/all-packages.nix | 2 +- 3 files changed, 18 insertions(+), 7 deletions(-) 
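Review bot: With `extName = "openssl"` in the last hunk, the `openssl-legacy` extension now builds `ext/openssl`, installs `openssl.so` and reports `extensionName = "openssl"`, i.e. it is indistinguishable from the regular `openssl` extension by name, so enabling both in one PHP would collide on the installed file and on the name-based extension handling; nothing in the definition says so. I'd add, next to `extName = "openssl";`, `# built as the openssl extension against OpenSSL 1.1: drop-in replacement for, and mutually exclusive with, the openssl extension`. The `extName` plumbing in the earlier hunks of this file (`configureFlags`, `cdToExtensionRootPhase`, the `cp modules/...` install line) looks consistent with that.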
diff --git a/pkgs/servers/asterisk/default.nix b/pkgs/servers/asterisk/default.nix index eeefe0dcd14f..5c0a539aed5d 100644 --- a/pkgs/servers/asterisk/default.nix +++ b/pkgs/servers/asterisk/default.nix @@ -98,6 +98,11 @@ let hash = "sha256-T3q4r/4WCAZCNGnULxMnNKH9wEK7gkseV/sV8IPasHQ="; }; + pjproject_2_12_1 = fetchurl { + url = "https://raw.githubusercontent.com/asterisk/third-party/master/pjproject/2.12.1/pjproject-2.12.1.tar.bz2"; + hash = "sha256-DiNH1hB5ZheYzyUjFyk1EtlsMJlgjf+QRVKjEk+hNjc="; + }; + mp3-202 = fetchsvn { url = "http://svn.digium.com/svn/thirdparty/mp3/trunk"; rev = "202"; @@ -117,6 +122,7 @@ let inherit version sha256; externals = { "externals_cache/pjproject-2.12.tar.bz2" = pjproject_2_12; + "externals_cache/pjproject-2.12.1.tar.bz2" = pjproject_2_12_1; "addons/mp3" = mp3-202; }; }) (lib.importJSON ./versions.json); @@ -136,6 +142,7 @@ in { # 16.x LTS 2018-10-09 2022-10-09 2023-10-09 # 18.x LTS 2020-10-20 2024-10-20 2025-10-20 # 19.x Standard 2021-11-02 2022-11-02 2023-11-02 + # 20.x LTS 2022-11-02 2026-10-19 2027-10-19 asterisk-lts = versions.asterisk_18; asterisk-stable = versions.asterisk_19; asterisk = versions.asterisk_19.overrideAttrs (o: { diff --git a/pkgs/servers/asterisk/versions.json b/pkgs/servers/asterisk/versions.json index 77023dac2c28..7e6943a6822d 100644 --- a/pkgs/servers/asterisk/versions.json +++ b/pkgs/servers/asterisk/versions.json 
@@ -1,14 +1,18 @@ { "asterisk_16": { - "sha256": "201c92e591fc1db2c71b264907beef594d62d660168d42b5e83f9dc593b1bce0", - "version": "16.26.1" + "sha256": "406a91290e18d25a6fc23ae6b9c56b1fb2bd70216e336c74cf9c26b908c89c3d", + "version": "16.29.0" }, "asterisk_18": { - "sha256": "acbb58e5c3cd2b9c7c4506fa80b717c3c3c550ce9722ff0177b4f11f98725563", - "version": "18.12.1" + "sha256": "a963dafeba0e7e1051a1ac56964999c111dbcdb25a47010bc1f772bf8edbed75", + "version": "18.15.0" }, "asterisk_19": { - "sha256": "6b0b985163f20fcc8f8878069b8a9ee725eef4cfbdb1c1031fe3840fb32d7abe", - "version": "19.4.1" + "sha256": "832a967c5a040b0768c0e8df1646762f7304019fcf7f2e065a8b4828fa4092b7", + "version": "19.7.0" + }, + "asterisk_20": { + "sha256": "949022c20dc6da65b456e1b1b5b42a7901bb41fc9ce20920891739e7220d72eb", + "version": "20.0.0" } } diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index b12df22622cf..743a98fe8c37 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -23489,7 +23489,7 @@ with pkgs; inherit (callPackages ../servers/asterisk { }) asterisk asterisk-stable asterisk-lts - asterisk_16 asterisk_18 asterisk_19; + asterisk_16 asterisk_18 asterisk_19 asterisk_20; asterisk-module-sccp = callPackage ../servers/asterisk/sccp { }; From 520902c32b3e78fe65c79c22b7ca1bbfb35b21d1 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Wed, 16 Nov 2022 10:02:32 +0000 Subject: [PATCH 06/20] libheif: 1.13.0 -> 1.14.0 --- pkgs/development/libraries/libheif/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/libheif/default.nix b/pkgs/development/libraries/libheif/default.nix index 51bd86edb719..1f9037dab75d 100644 --- a/pkgs/development/libraries/libheif/default.nix +++ b/pkgs/development/libraries/libheif/default.nix @@ -3,7 +3,7 @@ stdenv.mkDerivation rec { pname = "libheif"; - version = "1.13.0"; + version = "1.14.0"; outputs = [ "bin" "out" "dev" "man" ]; 
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec { owner = "strukturag"; repo = "libheif"; rev = "v${version}"; - sha256 = "sha256-/w/I6dgyiAscUqVpPjw2z6LbZJ6IBTeE5lawLg0awTM="; + sha256 = "sha256-MvCiVAHM9C/rxeh6f9Bd13GECc2ladEP7Av7y3eWDcY="; }; nativeBuildInputs = [ autoreconfHook pkg-config ]; From de995f3058cca083e51770f212a8ac6351298feb Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Wed, 16 Nov 2022 11:32:55 +0100 Subject: [PATCH 07/20] asterisk: patch pjsip CVE-2022-31031, CVE-2022-39244, CVE-2022-39269 Also remove pjsip 2.12, which was unused --- pkgs/servers/asterisk/default.nix | 30 +++++++++++++++++++++++------- 1 file changed, 23 insertions(+), 7 deletions(-) diff --git a/pkgs/servers/asterisk/default.nix b/pkgs/servers/asterisk/default.nix index 5c0a539aed5d..447c391f43bb 100644 --- a/pkgs/servers/asterisk/default.nix +++ b/pkgs/servers/asterisk/default.nix @@ -3,12 +3,30 @@ util-linux, dmidecode, libuuid, newt, lua, speex, libopus, opusfile, libogg, srtp, wget, curl, iksemel, pkg-config, - autoconf, libtool, automake, + autoconf, libtool, automake, fetchpatch, python39, writeScript, withOpus ? true, }: let + # remove when upgrading to pjsip >1.12.1 + pjsip_patches = [ + (fetchpatch { + name = "0150-CVE-2022-31031.patch"; + url = "https://github.com/pjsip/pjproject/commit/450baca94f475345542c6953832650c390889202.patch"; + sha256 = "sha256-30kHrmB51UIw4x/J6/CD+vPKf/gBYDCcFoUpwEWkDMY="; + }) + (fetchpatch { + name = "0151-CVE-2022-39244.patch"; + url = "https://github.com/pjsip/pjproject/commit/c4d34984ec92b3d5252a7d5cddd85a1d3a8001ae.patch"; + sha256 = "sha256-hTUMh6bYAizn6GF+sRV1vjKVxSf9pnI+eQdPOqsdJI4="; + }) + (fetchpatch { + name = "0152-CVE-2022-39269.patch"; + url = "https://github.com/pjsip/pjproject/commit/d2acb9af4e27b5ba75d658690406cec9c274c5cc.patch"; + sha256 = "sha256-bKE/MrRAqN1FqD2ubhxIOOf5MgvZluHHeVXPjbR12iQ="; + }) + ]; common = {version, sha256, externals}: stdenv.mkDerivation { inherit version; pname = "asterisk"; 
@@ -58,6 +76,9 @@ let cp ${asterisk-opus}/codecs/* ./codecs cp ${asterisk-opus}/formats/* ./formats ''} + ${lib.concatMapStringsSep "\n" (patch: '' + cp ${patch} ./third-party/pjproject/patches/${patch.name} + '') pjsip_patches} ./bootstrap.sh ''; @@ -69,6 +90,7 @@ let ]; preBuild = '' + cat third-party/pjproject/source/pjlib-util/src/pjlib-util/scanner.c make menuselect.makeopts ${lib.optionalString (externals ? "addons/mp3") '' substituteInPlace menuselect.makeopts --replace 'format_mp3 ' "" @@ -93,11 +115,6 @@ let }; }; - pjproject_2_12 = fetchurl { - url = "https://raw.githubusercontent.com/asterisk/third-party/master/pjproject/2.12/pjproject-2.12.tar.bz2"; - hash = "sha256-T3q4r/4WCAZCNGnULxMnNKH9wEK7gkseV/sV8IPasHQ="; - }; - pjproject_2_12_1 = fetchurl { url = "https://raw.githubusercontent.com/asterisk/third-party/master/pjproject/2.12.1/pjproject-2.12.1.tar.bz2"; hash = "sha256-DiNH1hB5ZheYzyUjFyk1EtlsMJlgjf+QRVKjEk+hNjc="; @@ -121,7 +138,6 @@ let versions = lib.mapAttrs (_: {version, sha256}: common { inherit version sha256; externals = { - "externals_cache/pjproject-2.12.tar.bz2" = pjproject_2_12; "externals_cache/pjproject-2.12.1.tar.bz2" = pjproject_2_12_1; "addons/mp3" = mp3-202; }; From 94b4a737bfebd2b2c1159ebaa2ce88bb55586007 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Wed, 16 Nov 2022 11:44:45 +0100 Subject: [PATCH 08/20] asterisk: fix comment about version --- pkgs/servers/asterisk/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/servers/asterisk/default.nix b/pkgs/servers/asterisk/default.nix index 447c391f43bb..36927f4f6d3a 100644 --- a/pkgs/servers/asterisk/default.nix +++ b/pkgs/servers/asterisk/default.nix @@ -9,7 +9,7 @@ }: let - # remove when upgrading to pjsip >1.12.1 + # remove when upgrading to pjsip >2.12.1 pjsip_patches = [ (fetchpatch { name = "0150-CVE-2022-31031.patch"; From 1812d1540e5ed7eabb5252c0b442ff2b2d09752d Mon Sep 17 00:00:00 2001 
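Review bot: The `cat third-party/pjproject/source/pjlib-util/src/pjlib-util/scanner.c` added to `preBuild` in the second hunk looks like a leftover debugging aid: it dumps the whole source file into the build log on every build and verifies nothing. If the intent is to confirm that the CVE patches copied into `third-party/pjproject/patches/` were applied by asterisk's bundled-pjproject build, a targeted check that fails the build is more useful, e.g. `grep -q '<string introduced by the patch>' third-party/pjproject/source/pjlib-util/src/pjlib-util/scanner.c` with a real marker substituted; otherwise drop the line. The `preBuild` phase continues outside the hunk.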
From: Pol Dellaiera Date: Sun, 13 Nov 2022 21:14:38 +0100 Subject: [PATCH 09/20] php82: init at 8.2.0rc6 --- .../from_md/release-notes/rl-2211.section.xml | 5 ++ .../manual/release-notes/rl-2211.section.md | 2 + nixos/tests/all-tests.nix | 1 + pkgs/development/interpreters/php/8.2.nix | 61 +++++++++++++++++++ .../php-packages/datadog_trace/default.nix | 3 +- .../php-packages/gnupg/default.nix | 3 +- .../development/php-packages/oci8/default.nix | 14 +++-- .../php-packages/xdebug/default.nix | 14 ++++- pkgs/top-level/all-packages.nix | 10 +++ 9 files changed, 104 insertions(+), 9 deletions(-) create mode 100644 pkgs/development/interpreters/php/8.2.nix diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml index d5cc14a3bdfd..bc5dd182e30d 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml @@ -139,6 +139,11 @@ other distributions. + + + PHP 8.2.0 RC 6 is available. + + protonup has been aliased to and replaced diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md index d61cf2967553..34371d8317bc 100644 --- a/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixos/doc/manual/release-notes/rl-2211.section.md @@ -57,6 +57,8 @@ In addition to numerous new and upgraded packages, this release has the followin `mod_php` usage we still enable `ZTS` (Zend Thread Safe). This has been a common practice for a long time in other distributions. +- PHP 8.2.0 RC 6 is available. + - `protonup` has been aliased to and replaced by `protonup-ng` due to upstream not maintaining it. - Perl has been updated to 5.36, and its core module `HTTP::Tiny` was patched to verify SSL/TLS certificates by default. diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index c7aa9ed78ba4..8afa901cc370 100644 --- a/nixos/tests/all-tests.nix 
+++ b/nixos/tests/all-tests.nix @@ -492,6 +492,7 @@ in { php = handleTest ./php {}; php80 = handleTest ./php { php = pkgs.php80; }; php81 = handleTest ./php { php = pkgs.php81; }; + php82 = handleTest ./php { php = pkgs.php82; }; phylactery = handleTest ./web-apps/phylactery.nix {}; pict-rs = handleTest ./pict-rs.nix {}; pinnwand = handleTest ./pinnwand.nix {}; diff --git a/pkgs/development/interpreters/php/8.2.nix b/pkgs/development/interpreters/php/8.2.nix new file mode 100644 index 000000000000..72816da1d4b1 --- /dev/null +++ b/pkgs/development/interpreters/php/8.2.nix @@ -0,0 +1,61 @@ +{ callPackage, lib, stdenv, fetchurl, ... }@_args: + +let + hash = "sha256-sbT8sIwle3OugXxqLZO3jKXlrOQsX1iH7WRH8G+nv8Y="; + + base = callPackage ./generic.nix (_args // { + version = "8.2.0"; + phpAttrsOverrides = attrs: attrs // { + src = fetchurl { + url = "https://downloads.php.net/~sergey/php-8.2.0RC6.tar.xz"; + inherit hash; + }; + }; + inherit hash; + }); + +in +base.withExtensions ({ all, ... }: with all; ([ + bcmath + calendar + curl + ctype + dom + exif + fileinfo + filter + ftp + gd + gettext + gmp + iconv + imap + intl + ldap + mbstring + mysqli + mysqlnd + opcache + openssl + pcntl + pdo + pdo_mysql + pdo_odbc + pdo_pgsql + pdo_sqlite + pgsql + posix + readline + session + simplexml + sockets + soap + sodium + sysvsem + sqlite3 + tokenizer + xmlreader + xmlwriter + zip + zlib +])) diff --git a/pkgs/development/php-packages/datadog_trace/default.nix b/pkgs/development/php-packages/datadog_trace/default.nix index 9b91d85fefe5..f77433a8a9ec 100644 --- a/pkgs/development/php-packages/datadog_trace/default.nix +++ b/pkgs/development/php-packages/datadog_trace/default.nix @@ -1,4 +1,4 @@ -{ buildPecl, curl, fetchFromGitHub, lib, pcre2 }: +{ buildPecl, curl, fetchFromGitHub, lib, pcre2, php }: buildPecl rec { pname = "ddtrace"; 
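Review bot: `version = "8.2.0"` is declared for a tarball that is actually `php-8.2.0RC6.tar.xz` fetched from a developer's personal directory on downloads.php.net, so `php82.version` reports a release candidate as the final release and anything keyed on `php.version` (the `lib.versionOlder` checks added to xdebug and oci8 in this patch, release tracking, update bots) sees a version that does not exist yet. The content is pinned by `hash`, so this is not a provenance problem, but the metadata should match the artifact: `version = "8.2.0RC6";` with the URL derived from it, plus a comment such as `# pre-release; switch to https://www.php.net/distributions/php-${version}.tar.xz once 8.2.0 is final`. `hash` is also passed both at top level and inside `src`; if generic.nix consumes only one of them, the other can go.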
@@ -14,6 +14,7 @@ buildPecl rec { buildInputs = [ curl pcre2 ]; meta = with lib; { + broken = lib.versionOlder php.version "8.1"; # Broken on PHP older than 8.1. description = "Datadog Tracing PHP Client"; homepage = "https://github.com/DataDog/dd-trace-php"; license = licenses.apsl20; diff --git a/pkgs/development/php-packages/gnupg/default.nix b/pkgs/development/php-packages/gnupg/default.nix index 1d0b65d2c562..22ce2be4473b 100644 --- a/pkgs/development/php-packages/gnupg/default.nix +++ b/pkgs/development/php-packages/gnupg/default.nix @@ -1,4 +1,4 @@ -{ buildPecl, lib, gpgme, file, gnupg }: +{ buildPecl, lib, gpgme, file, gnupg, php }: buildPecl { pname = "gnupg"; @@ -29,6 +29,7 @@ buildPecl { doCheck = true; meta = with lib; { + broken = lib.versionOlder php.version "8.1"; # Broken on PHP older than 8.1. description = "PHP wrapper for GpgME library that provides access to GnuPG"; license = licenses.bsd3; homepage = "https://pecl.php.net/package/gnupg"; diff --git a/pkgs/development/php-packages/oci8/default.nix b/pkgs/development/php-packages/oci8/default.nix index 2657a67d38ba..477eea5898e5 100644 --- a/pkgs/development/php-packages/oci8/default.nix +++ b/pkgs/development/php-packages/oci8/default.nix @@ -1,12 +1,18 @@ -{ buildPecl, lib, oracle-instantclient }: +{ buildPecl, lib, oracle-instantclient, php }: + let - version = "3.0.1"; - sha256 = "108ds92620dih5768z19hi0jxfa7wfg5hdvyyvpapir87c0ap914"; + versionData = if (lib.versionOlder php.version "8.1") then { + version = "3.0.1"; + sha256 = "108ds92620dih5768z19hi0jxfa7wfg5hdvyyvpapir87c0ap914"; + } else { + version = "3.2.1"; + sha256 = "zyF703DzRZDBhlNFFt/dknmZ7layqhgjG1/ZDN+PEsg="; + }; in buildPecl { pname = "oci8"; - inherit version sha256; + inherit (versionData) version sha256; buildInputs = [ oracle-instantclient ]; configureFlags = [ "--with-oci8=shared,instantclient,${oracle-instantclient.lib}/lib" ]; 
diff --git a/pkgs/development/php-packages/xdebug/default.nix b/pkgs/development/php-packages/xdebug/default.nix index 80b0ec73109c..388360462dcf 100644 --- a/pkgs/development/php-packages/xdebug/default.nix +++ b/pkgs/development/php-packages/xdebug/default.nix @@ -1,10 +1,18 @@ -{ buildPecl, lib }: +{ buildPecl, lib, php }: +let + versionData = if (lib.versionOlder php.version "8.1") then { + version = "3.1.6"; + sha256 = "1lnmrb5kgq8lbhjs48j3wwhqgk44pnqb1yjq4b5r6ysv9l5wlkjm"; + } else { + version = "3.2.0RC2"; + sha256 = "dQgXDP3Ifg+D0niWxaJ4ec71Vfr8KH40jv6QbxSyY+4="; + }; +in buildPecl { pname = "xdebug"; - version = "3.1.6"; - sha256 = "1lnmrb5kgq8lbhjs48j3wwhqgk44pnqb1yjq4b5r6ysv9l5wlkjm"; + inherit (versionData) version sha256; doCheck = true; checkTarget = "test"; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index a70dd9e0494c..6550ce27ef52 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -15765,6 +15765,16 @@ with pkgs; phpExtensions = php.extensions; phpPackages = php.packages; + # Import PHP82 interpreter, extensions and packages + php82 = callPackage ../development/interpreters/php/8.2.nix { + stdenv = if stdenv.cc.isClang then llvmPackages.stdenv else stdenv; + pcre2 = pcre2.override { + withJitSealloc = !stdenv.isDarwin; + }; + }; + php82Extensions = recurseIntoAttrs php82.extensions; + php82Packages = recurseIntoAttrs php82.packages; + # Import PHP81 interpreter, extensions and packages php81 = callPackage ../development/interpreters/php/8.1.nix { stdenv = if stdenv.cc.isClang then llvmPackages.stdenv else stdenv; From 207dda19db05f25474aa126402a914df230df15c Mon Sep 17 00:00:00 2001 From: figsoda Date: Sat, 19 Nov 2022 15:26:28 -0500 Subject: [PATCH 10/20] rust-petname: 1.1.2 -> 1.1.3 --- pkgs/tools/text/rust-petname/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
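Review bot: The branch condition `lib.versionOlder php.version "8.1"` in the xdebug hunk selects the `3.2.0RC2` release candidate for PHP 8.1 as well as 8.2, so every php81 user is moved from the stable 3.1.6 to a pre-release by a change whose stated purpose is adding PHP 8.2. If 3.1.6 still supports 8.1, keying on the new interpreter is the safer choice: `versionData = if (lib.versionOlder php.version "8.2") then {`. The oci8 change in this patch uses the same `"8.1"` threshold and deserves the same look.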
diff --git a/pkgs/tools/text/rust-petname/default.nix b/pkgs/tools/text/rust-petname/default.nix index f20a9e519de9..fda0ebf90404 100644 --- a/pkgs/tools/text/rust-petname/default.nix +++ b/pkgs/tools/text/rust-petname/default.nix @@ -2,15 +2,15 @@ rustPlatform.buildRustPackage rec { pname = "rust-petname"; - version = "1.1.2"; + version = "1.1.3"; src = fetchCrate { inherit version; crateName = "petname"; - sha256 = "sha256-DfRWGwnWVJBcbW7aPEzgPd+gfldP+ypZlk8FcPZzp8g="; + sha256 = "sha256-C6EJ8awdTV9TecMeYdbmleK8171+hvphjXJrWNJSXxo="; }; - cargoSha256 = "sha256-tCVJX8NcbT+6t2kDeCMfcSDaq3O89ycj08bxTmp3JHs="; + cargoSha256 = "sha256-mB4n1IxhNXrAsCz/jv5jgqyO9OgISZnI5E/vFu80+FE="; meta = with lib; { description = "Generate human readable random names"; From ca2679963460afe35ad9b88c9a40363778c8fad8 Mon Sep 17 00:00:00 2001 From: Thomas Watson Date: Sun, 6 Nov 2022 15:13:45 -0600 Subject: [PATCH 11/20] python3Packages.numba: 0.56.2 -> 0.56.4, fix tests and CUDA --- .../python-modules/numba/cuda_path.patch | 17 +++---- .../python-modules/numba/default.nix | 48 +++++++++++++++---- 2 files changed, 47 insertions(+), 18 deletions(-) diff --git a/pkgs/development/python-modules/numba/cuda_path.patch b/pkgs/development/python-modules/numba/cuda_path.patch index 275eeb1ccab6..1ad472ec424f 100644 --- a/pkgs/development/python-modules/numba/cuda_path.patch +++ b/pkgs/development/python-modules/numba/cuda_path.patch @@ -1,5 +1,5 @@ diff --git a/numba/cuda/cuda_paths.py b/numba/cuda/cuda_paths.py -index b9988bc..a642680 100644 +index 0da435d33..7b1fde087 100644 --- a/numba/cuda/cuda_paths.py +++ b/numba/cuda/cuda_paths.py @@ -24,10 +24,7 @@ def _find_valid_path(options): 
@@ -14,15 +14,12 @@ index b9988bc..a642680 100644 ] by, libdir = _find_valid_path(options) return by, libdir -@@ -35,18 +32,16 @@ def _get_libdevice_path_decision(): +@@ -35,16 +32,14 @@ def _get_libdevice_path_decision(): def _nvvm_lib_dir(): if IS_WIN32: - return 'nvvm', 'bin' + return 'bin', - elif IS_OSX: -- return 'nvvm', 'lib' -+ return 'lib', else: - return 'nvvm', 'lib64' + return 'lib64', @@ -33,13 +30,13 @@ index b9988bc..a642680 100644 - ('Conda environment', get_conda_ctk()), - ('CUDA_HOME', get_cuda_home(*_nvvm_lib_dir())), - ('System', get_system_ctk(*_nvvm_lib_dir())), -+ ('Nix store', get_nix_ctk(*_nvvm_lib_dir())), ++ ('Nix store', get_nix_ctk(*_nvvm_lib_dir())), ] by, path = _find_valid_path(options) return by, path -@@ -74,14 +69,12 @@ def _cudalib_path(): - elif IS_OSX: - return 'lib' +@@ -64,14 +59,12 @@ def _cudalib_path(): + if IS_WIN32: + return 'bin' else: - return 'lib64' + return 'lib' @@ -54,7 +51,7 @@ index b9988bc..a642680 100644 ] by, libdir = _find_valid_path(options) return by, libdir -@@ -92,6 +85,22 @@ def _get_cudalib_dir(): +@@ -82,6 +75,22 @@ def _get_cudalib_dir(): return _env_path_tuple(by, libdir) diff --git a/pkgs/development/python-modules/numba/default.nix b/pkgs/development/python-modules/numba/default.nix index 965130658c44..35145189207a 100644 --- a/pkgs/development/python-modules/numba/default.nix +++ b/pkgs/development/python-modules/numba/default.nix @@ -11,6 +11,8 @@ , libcxx , importlib-metadata , substituteAll +, runCommand +, fetchpatch # CUDA-only dependencies: , addOpenGLRunpath ? null @@ -23,14 +25,14 @@ let inherit (cudaPackages) cudatoolkit; in buildPythonPackage rec { - version = "0.56.2"; + version = "0.56.4"; pname = "numba"; format = "setuptools"; disabled = pythonOlder "3.6" || pythonAtLeast "3.11"; src = fetchPypi { inherit pname version; - hash = "sha256-NJLwpdCeJX/FIfU3emxrkH7sGSDRRznwskWLnSmUalo="; + hash = "sha256-Mtn+9BLIFIPX7+DOts9NMxD96LYkqc7MoA95BXOslu4="; }; postPatch = '' 
@@ -55,7 +57,15 @@ in buildPythonPackage rec { cudatoolkit.lib ]; - patches = lib.optionals cudaSupport [ + patches = [ + # fix failure in test_cache_invalidate (numba.tests.test_caching.TestCache) + # remove when upgrading past version 0.56 + (fetchpatch { + name = "fix-test-cache-invalidate-readonly.patch"; + url = "https://github.com/numba/numba/commit/993e8c424055a7677b2755b184fc9e07549713b9.patch"; + hash = "sha256-IhIqRLmP8gazx+KWIyCxZrNLMT4jZT8CWD3KcH4KjOo="; + }) + ] ++ lib.optionals cudaSupport [ (substituteAll { src = ./cuda_path.patch; cuda_toolkit_path = cudatoolkit; 
@@ -70,18 +80,40 @@ in buildPythonPackage rec { done ''; - # Copy test script into $out and run the test suite. + # run a smoke test in a temporary directory so that + # a) Python picks up the installed library in $out instead of the build files + # b) we have somewhere to put $HOME so some caching tests work + # c) it doesn't take 6 CPU hours for the full suite checkPhase = '' - ${python.interpreter} -m numba.runtests - ''; + runHook preCheck - # ImportError: cannot import name '_typeconv' - doCheck = false; + pushd $(mktemp -d) + HOME=. ${python.interpreter} -m numba.runtests -m $NIX_BUILD_CORES numba.tests.test_usecases + popd + + runHook postCheck + ''; pythonImportsCheck = [ "numba" ]; + passthru.tests = { + # CONTRIBUTOR NOTE: numba also contains CUDA tests, though these cannot be run in + # this sandbox environment. Consider running similar commands to those below outside the + # sandbox manually if you have the appropriate hardware; support will be detected + # and the corresponding tests enabled automatically. + # Also, the full suite currently does not complete on anything but x86_64-linux. + fullSuite = runCommand "${pname}-test" {} '' + pushd $(mktemp -d) + # pip and python in $PATH is needed for the test suite to pass fully + PATH=${python.withPackages (p: [ p.numba p.pip ])}/bin:$PATH + HOME=$PWD python -m numba.runtests -m $NIX_BUILD_CORES + popd + touch $out # stop Nix from complaining no output was generated and failing the build + ''; + }; + meta = with lib; { description = "Compiling Python code using LLVM"; homepage = "https://numba.pydata.org/"; From 160f4ebc8f12cebbb495d55e38c78569b0793d41 Mon Sep 17 00:00:00 2001 From: Mario Rodas Date: Sun, 20 Nov 2022 04:20:00 +0000 Subject: [PATCH 12/20] gallery-dl: 1.23.5 -> 1.24.0 https://github.com/mikf/gallery-dl/releases/tag/v1.24.0 --- pkgs/applications/misc/gallery-dl/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/pkgs/applications/misc/gallery-dl/default.nix b/pkgs/applications/misc/gallery-dl/default.nix index 602c5c0e47e9..0b7233e189c0 100644 --- a/pkgs/applications/misc/gallery-dl/default.nix +++ b/pkgs/applications/misc/gallery-dl/default.nix @@ -2,13 +2,13 @@ buildPythonApplication rec { pname = "gallery-dl"; - version = "1.23.5"; + version = "1.24.0"; format = "setuptools"; src = fetchPypi { inherit version; pname = "gallery_dl"; - sha256 = "sha256-NhnuW7rq5Dgrnkw/nUO/pFg/Sh2D/d9gFCIb+gQy5QE="; + sha256 = "sha256-LGZjPkiX252IRgRG1fxVS4IdnKA3RgVjOhZLxYScIJo="; }; propagatedBuildInputs = [ From 1cd38dd6c7078aff5c3cb5950d97099f25768aa6 Mon Sep 17 00:00:00 2001 From: Peter Becich Date: Sat, 19 Nov 2022 21:35:27 -0800 Subject: [PATCH 13/20] buck: 2021.05.05.01 -> 2022.05.05.01 --- pkgs/development/tools/build-managers/buck/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/tools/build-managers/buck/default.nix b/pkgs/development/tools/build-managers/buck/default.nix index 1602b8083414..d94dccf7fbc8 100644 --- a/pkgs/development/tools/build-managers/buck/default.nix +++ b/pkgs/development/tools/build-managers/buck/default.nix @@ -2,13 +2,13 @@ stdenv.mkDerivation rec { pname = "buck"; - version = "2021.05.05.01"; + version = "2022.05.05.01"; src = fetchFromGitHub { owner = "facebook"; repo = pname; rev = "v${version}"; - sha256 = "sha256-mASJCLxW7320MXYUUWYfaxs9AbSdltxlae8OQsPUZJc="; + sha256 = "15v4sk1l43pgd5jxr5lxnh0ks6vb3xk5253n66s7vvsnph48j14q"; }; patches = [ ./pex-mtime.patch ]; From a8ab6540fdd68f426832e539c5141771e93656a2 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Sun, 20 Nov 2022 09:53:19 +0000 Subject: [PATCH 14/20] tty-share: 2.2.1 -> 2.3.0 --- pkgs/applications/misc/tty-share/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/misc/tty-share/default.nix b/pkgs/applications/misc/tty-share/default.nix index a1adc152349b..92ff192c101a 100644 
--- a/pkgs/applications/misc/tty-share/default.nix +++ b/pkgs/applications/misc/tty-share/default.nix @@ -2,13 +2,13 @@ buildGoModule rec { pname = "tty-share"; - version = "2.2.1"; + version = "2.3.0"; src = fetchFromGitHub { owner = "elisescu"; repo = "tty-share"; rev = "v${version}"; - sha256 = "sha256-aAqKfi0ZX0UB07yGY6x0HcMspvq4rcJXKHSONxAwMlc="; + sha256 = "sha256-/oK2m2kxmF9HHYfTK6NlZxKKkDS7Oay+ed7jR/+szs0="; }; # Upstream has a `./vendor` directory with all deps which we rely upon. From 115a8853c4590dbdab22c7c34e35f0bd4b5ea558 Mon Sep 17 00:00:00 2001 From: Mario Rodas Date: Sun, 20 Nov 2022 09:54:00 +0000 Subject: [PATCH 15/20] tty-share: enable on darwin --- pkgs/applications/misc/tty-share/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/pkgs/applications/misc/tty-share/default.nix b/pkgs/applications/misc/tty-share/default.nix index 92ff192c101a..37cc10c3823c 100644 --- a/pkgs/applications/misc/tty-share/default.nix +++ b/pkgs/applications/misc/tty-share/default.nix @@ -19,7 +19,6 @@ buildGoModule rec { meta = with lib; { homepage = "https://tty-share.com"; description = "Share terminal via browser for remote work or shared sessions"; - platforms = platforms.linux; license = licenses.mit; maintainers = with maintainers; [ andys8 ]; }; From d2068fdd5d425e0e724df7a13764672c597d8f6e Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Sun, 20 Nov 2022 10:47:48 +0000 Subject: [PATCH 16/20] ventoy-bin: 1.0.81 -> 1.0.82 --- pkgs/tools/cd-dvd/ventoy-bin/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/cd-dvd/ventoy-bin/default.nix b/pkgs/tools/cd-dvd/ventoy-bin/default.nix index 6a481e52139d..8f1571d1aee6 100644 --- a/pkgs/tools/cd-dvd/ventoy-bin/default.nix +++ b/pkgs/tools/cd-dvd/ventoy-bin/default.nix 
@@ -51,13 +51,13 @@ let
 in stdenv.mkDerivation (finalAttrs: {
 pname = "ventoy-bin";
- version = "1.0.81";
+ version = "1.0.82";
 src = let inherit (finalAttrs) version; in fetchurl {
 url = "https://github.com/ventoy/Ventoy/releases/download/v${version}/ventoy-${version}-linux.tar.gz";
- hash = "sha256-15y05g+F+oEFYUUy7SE57GZ1RSHqdZnk2iOPsy1L0GI=";
+ hash = "sha256-NN36gg2rUZgAxyMoYhMc7IbWgQLrPvuWERDF7JVsFfw=";
 };
 patches = [
From 83ac8be43cc87f2dc392335e9ab0829a402fcf94 Mon Sep 17 00:00:00 2001
From: Vincent Haupert
Date: Sun, 20 Nov 2022 11:46:47 +0100
Subject: [PATCH 17/20] github-runner: support `x86_64-darwin`
---
 .../github-runner/default.nix | 28 +++++++++++++------
 1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/pkgs/development/tools/continuous-integration/github-runner/default.nix b/pkgs/development/tools/continuous-integration/github-runner/default.nix
index e460ffd2590a..2f4cb7c411f3 100644
--- a/pkgs/development/tools/continuous-integration/github-runner/default.nix
+++ b/pkgs/development/tools/continuous-integration/github-runner/default.nix
@@ -6,7 +6,6 @@
 , fetchFromGitHub
 , fetchurl
 , git
-, glibc
 , icu
 , libkrb5
 , lib
@@ -40,6 +39,7 @@ let
 runtimeIds = {
 "x86_64-linux" = "linux-x64";
 "aarch64-linux" = "linux-arm64";
+ "x86_64-darwin" = "osx-x64";
 };
 runtimeId = runtimeIds.${stdenv.system};
 fakeSha1 = "0000000000000000000000000000000000000000";
@@ -61,16 +61,18 @@ stdenv.mkDerivation rec {
 dotnetSdk
 dotnetPackages.Nuget
 makeWrapper
+ ] ++ lib.optionals stdenv.isLinux [
 autoPatchelfHook
 ];
 buildInputs = [
 curl # libcurl.so.4
 libkrb5 # libgssapi_krb5.so.2
- lttng-ust # liblttng-ust.so.0
 stdenv.cc.cc.lib # libstdc++.so.6
 zlib # libz.so.1
 icu
+ ] ++ lib.optionals stdenv.isLinux [
+ lttng-ust # liblttng-ust.so.0
 ];
 patches = [
@@ -104,6 +106,8 @@ stdenv.mkDerivation rec {
 --replace '/bin/ln' '${coreutils}/bin/ln'
 '';
+ DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = stdenv.isDarwin;
+
 configurePhase = ''
 runHook preConfigure
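Review bot: `DOTNET_SYSTEM_GLOBALIZATION_INVARIANT = stdenv.isDarwin;` in the `@@ -104` hunk is doing two jobs without a comment: as a derivation attribute it is exported into the build and check environment, and later in this same commit it is read as a Nix boolean to gate `disabledTests`. Nothing in the hunk says why darwin needs invariant globalization, and since the attribute only reaches the build, it is not obvious whether the installed runner inherits the same behaviour at runtime or resolves ICU another way; a reader cannot tell from here. I would add `# Darwin builds run .NET in invariant-globalization mode; also gates the culture-dependent tests below` above the line, adjusted to the real reason. The enclosing attribute set continues outside the hunk.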
@@ -137,6 +141,8 @@ stdenv.mkDerivation rec {
 doCheck = true;
+ __darwinAllowLocalNetworking = true;
+
 # Fully qualified name of disabled tests
 disabledTests = [
 "GitHub.Runner.Common.Tests.Listener.SelfUpdaterL0.TestSelfUpdateAsync"
 ]
@@ -195,6 +201,13 @@ stdenv.mkDerivation rec {
 ++ lib.optionals (stdenv.hostPlatform.system == "aarch64-linux") [
 # "JavaScript Actions in Alpine containers are only supported on x64 Linux runners. Detected Linux Arm64"
 "GitHub.Runner.Common.Tests.Worker.StepHostL0.DetermineNodeRuntimeVersionInAlpineContainerAsync"
+ ]
+ ++ lib.optionals DOTNET_SYSTEM_GLOBALIZATION_INVARIANT [
+ "GitHub.Runner.Common.Tests.ProcessExtensionL0.SuccessReadProcessEnv"
+ "GitHub.Runner.Common.Tests.Util.StringUtilL0.FormatUsesInvariantCulture"
+ "GitHub.Runner.Common.Tests.Worker.VariablesL0.Constructor_SetsOrdinalIgnoreCaseComparer"
+ "GitHub.Runner.Common.Tests.Worker.WorkerL0.DispatchCancellation"
+ "GitHub.Runner.Common.Tests.Worker.WorkerL0.DispatchRunNewJob"
 ];
 checkInputs = [ git ];
@@ -269,7 +282,7 @@ stdenv.mkDerivation rec {
 # Stripping breaks the binaries
 dontStrip = true;
- preFixup = ''
+ preFixup = lib.optionalString stdenv.isLinux ''
 patchelf --replace-needed liblttng-ust.so.0 liblttng-ust.so $out/lib/libcoreclrtraceptprovider.so
 '';
@@ -277,17 +290,16 @@ stdenv.mkDerivation rec {
 fix_rpath() {
 patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" $out/lib/$1
 }
-
 wrap() {
 makeWrapper $out/lib/$1 $out/bin/$1 \
 --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath (buildInputs ++ [ openssl ])} \
 "''${@:2}"
 }
-
+ '' + lib.optionalString stdenv.isLinux ''
 fix_rpath Runner.Listener
 fix_rpath Runner.PluginHost
 fix_rpath Runner.Worker
-
+ '' + ''
 wrap Runner.Listener
 wrap Runner.PluginHost
 wrap Runner.Worker
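Review bot: `__darwinAllowLocalNetworking = true;` in the `@@ -137` hunk widens the darwin build sandbox for the whole derivation, not just the check phase, and lands with no explanation of which part of the build needs it. Presumably some tests open local sockets, but that is an inference from `doCheck = true;` on the line above, not something the hunk states. A one-line why-comment keeps the next maintainer from dropping or cargo-culting the relaxation: `# the test suite needs local networking, which the darwin sandbox denies by default` (adjust to the actual cause). The enclosing attribute set continues outside the hunk.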
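Review bot: In the `@@ -277` hunk the `wrap` calls are now executed on darwin as well (they sit after the `'' + ''` split, outside the Linux-only `fix_rpath` section), but `wrap()` still injects only `LD_LIBRARY_PATH`, which the darwin dynamic loader does not read. On darwin the wrapper therefore adds nothing for library lookup, so whether `openssl` and the other `buildInputs` are actually found by `Runner.Listener` at runtime depends on install names that this hunk does not show. If the wrapper is meant to carry that dependency on darwin too, the variable should be chosen per platform, e.g. `--prefix ${if stdenv.isDarwin then "DYLD_LIBRARY_PATH" else "LD_LIBRARY_PATH"} : ${lib.makeLibraryPath (buildInputs ++ [ openssl ])} \`; if it is intentionally Linux-only, say so in a comment next to `wrap()`. The `postInstall`-style script this belongs to starts outside the hunk.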
@@ -296,7 +308,7 @@ stdenv.mkDerivation rec {
 wrap config.sh --run 'export RUNNER_ROOT=''${RUNNER_ROOT:-$HOME/.github-runner}' \
 --run 'mkdir -p $RUNNER_ROOT' \
- --prefix PATH : ${lib.makeBinPath [ glibc.bin ]} \
+ --prefix PATH : ${lib.makeBinPath [ stdenv.cc ]} \
 --chdir $out
 '';
@@ -308,7 +320,7 @@ stdenv.mkDerivation rec {
 # Inspired by passthru.fetch-deps in pkgs/build-support/build-dotnet-module/default.nix
 passthru.createDepsFile = writeShellApplication {
 name = "create-deps-file";
- runtimeInputs = [ dotnetSdk (nuget-to-nix.override { dotnet-sdk = dotnetSdk; }) ];
+ runtimeInputs = [ coreutils dotnetSdk (nuget-to-nix.override { dotnet-sdk = dotnetSdk; }) ];
 text = ''
 # Disable telemetry data
 export DOTNET_CLI_TELEMETRY_OPTOUT=1
From 8262b08df041b4284d5408d90af0834495af8c72 Mon Sep 17 00:00:00 2001
From: Vincent Haupert
Date: Sun, 20 Nov 2022 12:58:15 +0100
Subject: [PATCH 18/20] github-runner: support `aarch64-darwin`
---
 .../tools/continuous-integration/github-runner/default.nix | 4 ++++
 pkgs/top-level/all-packages.nix | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/pkgs/development/tools/continuous-integration/github-runner/default.nix b/pkgs/development/tools/continuous-integration/github-runner/default.nix
index 2f4cb7c411f3..84c9c9268496 100644
--- a/pkgs/development/tools/continuous-integration/github-runner/default.nix
+++ b/pkgs/development/tools/continuous-integration/github-runner/default.nix
@@ -1,4 +1,5 @@
 { autoPatchelfHook
+, autoSignDarwinBinariesHook
 , coreutils
 , curl
 , dotnetCorePackages
@@ -40,6 +41,7 @@ let
 "x86_64-linux" = "linux-x64";
 "aarch64-linux" = "linux-arm64";
 "x86_64-darwin" = "osx-x64";
+ "aarch64-darwin" = "osx-arm64";
 };
 runtimeId = runtimeIds.${stdenv.system};
 fakeSha1 = "0000000000000000000000000000000000000000";
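Review bot: Replacing `glibc.bin` with `stdenv.cc` on `config.sh`'s PATH in the `@@ -296` hunk puts the whole compiler wrapper in front of the runner's PATH without saying which tool `config.sh` actually needs from it. If, as the old `glibc.bin` entry suggests, the need is `ldd`, note that `stdenv.cc`'s bin directory carries the cc/ld wrappers rather than glibc's tools, so the substitution may quietly drop the binary it was meant to provide on Linux while exposing far more than needed on both platforms. I would name the tool in a comment and keep the PATH entry minimal and platform-gated, e.g. `--prefix PATH : ${lib.makeBinPath (lib.optionals stdenv.isLinux [ stdenv.cc.libc.bin ])} \` if the Linux libc tools are what is wanted, or drop the `--prefix` on darwin entirely if nothing is needed there. The `wrap config.sh` call continues outside the hunk.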
@@ -63,6 +65,8 @@ stdenv.mkDerivation rec {
 makeWrapper
 ] ++ lib.optionals stdenv.isLinux [
 autoPatchelfHook
+ ] ++ lib.optionals (stdenv.isDarwin && stdenv.isAarch64) [
+ autoSignDarwinBinariesHook
 ];
 buildInputs = [
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 783bbd1ff696..274ec8a6c55f 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -7198,7 +7198,9 @@ with pkgs;
 github-backup = callPackage ../tools/misc/github-backup { };
- github-runner = callPackage ../development/tools/continuous-integration/github-runner { };
+ github-runner = callPackage ../development/tools/continuous-integration/github-runner {
+ inherit (darwin) autoSignDarwinBinariesHook;
+ };
 gitkraken = callPackage ../applications/version-management/gitkraken { };
From 626e8b67fa595a4c1f0a466dce335f06c28fb357 Mon Sep 17 00:00:00 2001
From: ajs124
Date: Sun, 20 Nov 2022 16:37:42 +0100
Subject: [PATCH 19/20] nixos/tests/acme/server: regenerate certs expired today
---
 .../common/acme/server/acme.test.cert.pem | 32 ++++++------
 .../common/acme/server/acme.test.key.pem | 50 +++++++++----------
 nixos/tests/common/acme/server/ca.cert.pem | 34 ++++++-------
 nixos/tests/common/acme/server/ca.key.pem | 50 +++++++++----------
 4 files changed, 83 insertions(+), 83 deletions(-)
diff --git a/nixos/tests/common/acme/server/acme.test.cert.pem b/nixos/tests/common/acme/server/acme.test.cert.pem
index 76b0d916a817..562e7a329b68 100644
--- a/nixos/tests/common/acme/server/acme.test.cert.pem
+++ b/nixos/tests/common/acme/server/acme.test.cert.pem
@@ -1,19 +1,19 @@
 -----BEGIN CERTIFICATE-----
-MIIDLDCCAhSgAwIBAgIIRDAN3FHH//IwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
-AxMVbWluaWNhIHJvb3QgY2EgNzg3NDZmMB4XDTIwMTAyMTEzMjgzNloXDTIyMTEy
-MDEzMjgzNlowFDESMBAGA1UEAxMJYWNtZS50ZXN0MIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAo8XjMVUaljcaqQ5MFhfPuQgSwdyXEUbpSHz+5yPkE0h9
-Z4Xu5BJF1Oq7h5ggCtadVsIspiY6Jm6aWDOjlh4myzW5UNBNUG3OPEk50vmmHFeH
-pImHO/d8yb33QoF9VRcTZs4tuJYg7l9bSs4jNG72vYvv2YiGAcmjJcsmAZIfniCN
-Xf/LjIm+Cxykn+Vo3UuzO1w5/iuofdgWO/aZxMezmXUivlL3ih4cNzCJei8WlB/l
-EnHrkcy3ogRmmynP5zcz7vmGIJX2ji6dhCa4Got5B7eZK76o2QglhQXqPatG0AOY
-H+RfQfzKemqPG5om9MgJtwFtTOU1LoaiBw//jXKESQIDAQABo3YwdDAOBgNVHQ8B
+MIIDLDCCAhSgAwIBAgIIHvJkPAdMFGAwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AxMVbWluaWNhIHJvb3QgY2EgNDYwMjMxMB4XDTIyMTEyMDE1MzcwNFoXDTI0MTIy
+MDE1MzcwNFowFDESMBAGA1UEAxMJYWNtZS50ZXN0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAs/Xad8Jn0YMI8nTjbVakGsFplxSKkgWs9Jv8tETC1FBV
+KNo3yF6IElBhzKw3eF6piZqDwNFXobuMCZ3Ckaj+EOdSA0DhjwUSBmEok/0siIu4
+WbAS2iKwZGuJlJRYOmfXRPt2nNSPhuNHtZJoTWufN5K1XS+4v1dsVUWdWvkUuaC5
+/uoujcYd4D6XDhJCubDCE+WSYk0KBLtMQ8irbNu4FGoCn5T7kDq46XwVjulWxc5q
+dZ/Z/zgKQkoLaHgWKLjvuu7/CZw6RXyBlwVJh36pljixRnpnLfMMykO9Sq7Z3cR2
+aVcMRjjeH0uScfFHIb3hvqyZLd+NHw3SqE8la/Nq1wIDAQABo3YwdDAOBgNVHQ8B
 Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB
-/wQCMAAwHwYDVR0jBBgwFoAU+8IZlLV/Qp5CXqpXMLvtxWlxcJwwFAYDVR0RBA0w
-C4IJYWNtZS50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQB0pe8I5/VDkB5VMgQB2GJV
-GKzyigfWbVez9uLmqMj9PPP/zzYKSYeq+91aMuOZrnH7NqBxSTwanULkmqAmhbJJ
-YkXw+FlFekf9FyxcuArzwzzNZDSGcjcdXpN8S2K1qkBd00iSJF9kU7pdZYCIKR20
-QirdBrELEfsJ3GU62a6N3a2YsrisZUvq5TbjGJDcytAtt+WG3gmV7RInLdFfPwbw
-bEHPCnx0uiV0nxLjd/aVT+RceVrFQVt4hR99jLoMlBitSKluZ1ljsrpIyroBhQT0
-pp/pVi6HJdijG0fsPrC325NEGAwcpotLUhczoeM/rffKJd54wLhDkfYxOyRZXivs
+/wQCMAAwHwYDVR0jBBgwFoAUW4rxHHeasqLl7KMK+F3uVN0JGwYwFAYDVR0RBA0w
+C4IJYWNtZS50ZXN0MA0GCSqGSIb3DQEBCwUAA4IBAQBDT8HY62N6YbG7Fp3gPD2L
+Y0ZFHAAYM5l+Qn55aYkaTxpaRFPAeh0POmTIgSXfFSQYR00w3x2ni0K1ecBI814y
+Mkgoki+jP6JhgV1fPTa5Wqm2x/Ufcr6LbTIDVqO5zFxTdkqZHfC7sMahDNULVrN2
+RVkTLppDfmQ+oFcwNvZSgK9SDJNMlsNllOyGGUuMSd1KjWU4/Wr0AmaS+V3Cjf14
+MsvgVhN66ECom1yyy3q9HZgAoZy6lnHOWHD4BVXOmbS2Y1lSVv/atmiGH7F9nvNN
+Ggh/+RmkXGczV80wT2TnivEamJGHA4kwThL40SRKfaTTX7miImI25E6+390hBXyw
 -----END CERTIFICATE-----
diff --git a/nixos/tests/common/acme/server/acme.test.key.pem b/nixos/tests/common/acme/server/acme.test.key.pem
index 741df99a372e..fd3e9f7dbcf6 100644
--- a/nixos/tests/common/acme/server/acme.test.key.pem
+++ b/nixos/tests/common/acme/server/acme.test.key.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAo8XjMVUaljcaqQ5MFhfPuQgSwdyXEUbpSHz+5yPkE0h9Z4Xu
-5BJF1Oq7h5ggCtadVsIspiY6Jm6aWDOjlh4myzW5UNBNUG3OPEk50vmmHFeHpImH
-O/d8yb33QoF9VRcTZs4tuJYg7l9bSs4jNG72vYvv2YiGAcmjJcsmAZIfniCNXf/L
-jIm+Cxykn+Vo3UuzO1w5/iuofdgWO/aZxMezmXUivlL3ih4cNzCJei8WlB/lEnHr
-kcy3ogRmmynP5zcz7vmGIJX2ji6dhCa4Got5B7eZK76o2QglhQXqPatG0AOYH+Rf
-QfzKemqPG5om9MgJtwFtTOU1LoaiBw//jXKESQIDAQABAoIBADox/2FwVFo8ioS4
-R+Ex5OZjMAcjU6sX/516jTmlT05q2+UFerYgqB/YqXqtW/V9/brulN8VhmRRuRbO
-grq9TBu5o3hMDK0f18EkZB/MBnLbx594H033y6gEkPBZAyhRYtuNOEH3VwxdZhtW
-1Lu1EoiYSUqLcNMBy6+KWJ8GRaXyacMYBlj2lMHmyzkA/t1+2mwTGC3lT6zN0F5Y
-E5umXOxsn6Tb6q3KM9O5IvtmMMKpgj4HIHZLZ6j40nNgHwGRaAv4Sha/vx0DeBw3
-6VlNiTTPdShEkhESlM5/ocqTfI92VHJpM5gkqTYOWBi2aKIPfAopXoqoJdWl4pQ/
-NCFIu2ECgYEAzntNKIcQtf0ewe0/POo07SIFirvz6jVtYNMTzeQfL6CoEjYArJeu
-Vzc4wEQfA4ZFVerBb1/O6M449gI3zex1PH4AX0h8q8DSjrppK1Jt2TnpVh97k7Gg
-Tnat/M/yW3lWYkcMVJJ3AYurXLFTT1dYP0HvBwZN04yInrEcPNXKfmcCgYEAywyJ
-51d4AE94PrANathKqSI/gk8sP+L1gzylZCcUEAiGk/1r45iYB4HN2gvWbS+CvSdp
-F7ShlDWrTaNh2Bm1dgTjc4pWb4J+CPy/KN2sgLwIuM4+ZWIZmEDcio6khrM/gNqK
-aR7xUsvWsqU26O84woY/xR8IHjSNF7cFWE1H2c8CgYEAt6SSi2kVQ8dMg84uYE8t
-o3qO00U3OycpkOQqyQQLeKC62veMwfRl6swCfX4Y11mkcTXJtPTRYd2Ia8StPUkB
-PDwUuKoPt/JXUvoYb59wc7M+BIsbrdBdc2u6cw+/zfutCNuH6/AYSBeg4WAVaIuW
-wSwzG1xP+8cR+5IqOzEqWCECgYATweeVTCyQEyuHJghYMi2poXx+iIesu7/aAkex
-pB/Oo5W8xrb90XZRnK7UHbzCqRHWqAQQ23Gxgztk9ZXqui2vCzC6qGZauV7cLwPG
-zTMg36sVmHP314DYEM+k59ZYiQ6P0jQPoIQo407D2VGrfsOOIhQIcUmP7tsfyJ5L
-hlGMfwKBgGq4VNnnuX8I5kl03NpaKfG+M8jEHmVwtI9RkPTCCX9bMjeG0cDxqPTF
-TRkf3r8UWQTZ5QfAfAXYAOlZvmGhHjSembRbXMrMdi3rGsYRSrQL6n5NHnORUaMy
-FCWo4gyAnniry7tx9dVNgmHmbjEHuQnf8AC1r3dibRCjvJWUiQ8H
+MIIEowIBAAKCAQEAs/Xad8Jn0YMI8nTjbVakGsFplxSKkgWs9Jv8tETC1FBVKNo3
+yF6IElBhzKw3eF6piZqDwNFXobuMCZ3Ckaj+EOdSA0DhjwUSBmEok/0siIu4WbAS
+2iKwZGuJlJRYOmfXRPt2nNSPhuNHtZJoTWufN5K1XS+4v1dsVUWdWvkUuaC5/uou
+jcYd4D6XDhJCubDCE+WSYk0KBLtMQ8irbNu4FGoCn5T7kDq46XwVjulWxc5qdZ/Z
+/zgKQkoLaHgWKLjvuu7/CZw6RXyBlwVJh36pljixRnpnLfMMykO9Sq7Z3cR2aVcM
+RjjeH0uScfFHIb3hvqyZLd+NHw3SqE8la/Nq1wIDAQABAoIBAG2s50FXjLgmONyz
+Giv3wrm/qF94GF+X7+l/64nd4jNM5imonJiT7C/lJ0V6q6/DWWXQcn2f191slJMD
+v6HQMU8R+2yaLR1hxLN4oSdYA70QEgEvCr5Ap+n7k/SmWAL4aDzVWFuKPBLED178
+ZG7SqU1QLxIk1F5gpFhvvc/Ev7nE0KAzTJ3jGyWHZjJ1TKAWHx6oeKOw4OejRcGO
++rDBfQrV59fiCy8CFraGPDGie5Eb7ioXyt4cf4/odtLol7bSIwH4BLwfvKJbRobi
+gSjvL5JJLjhjWzeoj+JC4o0sWQegytWpNCHSFETfHQ8rlcagTN8JaTcBg6+wrR2O
+OPeoFqkCgYEA7o9jSk7i23SiKo3C+T9KFIL2OS7akwUqIQZehZJ6LXljYEDP1lcz
+wjvWuLGVzlST3fmumHIMZLjjBU1cMYAPZrbUrEeayATD4jBxyiXbHqhB3DQ0W4CX
+obUhcdsLGsKp0zXls8FeiQs6GOeEwSDU+1nAL9/hLK7w6cJ2zyj8HBUCgYEAwR3H
+/ltIjD8tXNF05ayOguzrbivx2vaXusskZgn9QqntoGqqsXLOgsqcUH0dtiTyVOn+
+Nba7w+o5NfaAfE9uR+oeZSo1IJU8oEi/EZqXTcYf5p3oAjXXZ9wXX8kl91EjCzKl
+0kDpSpsMhUzdB2i5I9Oh1fLaW4iMwyuY1CgnqjsCgYBHIJFmEmcpL3k6XtIHJoub
+2gA3xHR+6UdKWW/NO4MaE9tBU5GkQpO4EcdPggM8ZZNA17Tq1vZDAa0OY6ZdS+VL
+pq96Pk8z29fblL4Ym3jdhyU71oTV011iZXL3U2vYKrofsy4tjjX1fldwHXdDbdqS
+povaulGU1QQXblemJH4mkQKBgC3IUq6Rk4x0OdvkaFM+6nZNlq8Cyg7AIU6OdG2g
+dqNER+qc/yScdCr7v70xPEb/UVgiNTskvDUBJVkOvH08E4gHD/ep3vh/iOTy+iFB
+RheRHeT9kJBdlVixC/WQaWjNmoJAGqHS87vVME214Dyubh35QUfIkE3c/IoUnuHF
+N0obAoGBANJpPBF36H1nb+TcVerOBXI8oqeIyoq7f4W/wbIirnZq/XfBaaOL5R6v
+6+p4LEcQ1Mf33Yfr5M4aR0q7fgNDg/g4LcMg6fI3+UwPC6lJY+K8zzF4fmGDhheC
+D+LsZG0Funl9kT0yxPBQhCJmmkJNIHiSNuRLt9Infne2408+YV+T
 -----END RSA PRIVATE KEY-----
diff --git a/nixos/tests/common/acme/server/ca.cert.pem b/nixos/tests/common/acme/server/ca.cert.pem
index 5c33e879b675..8d52a0a8f462 100644
--- a/nixos/tests/common/acme/server/ca.cert.pem
+++ b/nixos/tests/common/acme/server/ca.cert.pem
@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDSzCCAjOgAwIBAgIIeHRvRrNvbGQwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
-AxMVbWluaWNhIHJvb3QgY2EgNzg3NDZmMCAXDTIwMTAyMTEzMjgzNloYDzIxMjAx
-MDIxMTMyODM2WjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSA3ODc0NmYwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrNTzVLDJOKtGYGLU98EEcLKps
-tXHCLC6G54LKbEcU80fn+ArX8qsPSHyhdXQkcYjq6Vh/EDJ1TctyRSnvAjwyG4Aa
-1Zy1QFc/JnjMjvzimCkUc9lQ+wkLwHSM/KGwR1cGjmtQ/EMClZTA0NwulJsXMKVz
-bd5asXbq/yJTQ5Ww25HtdNjwRQXTvB7r3IKcY+DsED9CvFvC9oG/ZhtZqZuyyRdC
-kFUrrv8WNUDkWSN+lMR6xMx8v0583IN6f11IhX0b+svK98G81B2eswBdkzvVyv9M
-unZBO0JuJG8sdM502KhWLmzBC1ZbvgUBF9BumDRpMFH4DCj7+qQ2taWeGyc7AgMB
+MIIDSzCCAjOgAwIBAgIIRgIx/Q6DdK0wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AxMVbWluaWNhIHJvb3QgY2EgNDYwMjMxMCAXDTIyMTEyMDE1MzcwNFoYDzIxMjIx
+MTIwMTUzNzA0WjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSA0NjAyMzEwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYxM/efiS7rNNzdu+AK+J57+om
+QYsoteVpmwcU6Ul8Zr6pcsBSLetV2PCWGVKKfXdK1Ep+JdBoiuG8EY/wffYJy+So
+WRRWX+bGIFly74urX2iOH/yimF8XMaHj4CzjMD1wM2rFLswL3VK2DM+wrCMO2zE2
+BAiUAJ++ws99Dl74DQ9lGne8hMjFgzakINCNd948/t2+LMVxqCgQ7fI+iHA1X7QF
+1AT5c86wd/GxLzfl343DxLSeMRFbGUVSH6NBBnIQdFDq1GjNGPbn8ZlDXw5WWeR5
+ufnxcRRNpp3GnHG3/VOebFAr++5/0ze+QvF6XPXk9RZWvhh0dD14/8W/PMK1AgMB
 AAGjgYYwgYMwDgYDVR0PAQH/BAQDAgKEMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
-BgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBT7whmUtX9CnkJe
-qlcwu+3FaXFwnDAfBgNVHSMEGDAWgBT7whmUtX9CnkJeqlcwu+3FaXFwnDANBgkq
-hkiG9w0BAQsFAAOCAQEARMe1wKmF33GjEoLLw0oDDS4EdAv26BzCwtrlljsEtwQN
-95oSzUNd6o4Js7WCG2o543OX6cxzM+yju8TES3+vJKDgsbNMU0bWCv//tdrb0/G8
-OkU3Kfi5q4fOauZ1pqGv/pXdfYhZ5ieB/zwis3ykANe5JfB0XqwCb1Vd0C3UCIS2
-NPKngRwNSzphIsbzfvxGDkdM1enuGl5CVyDhrwTMqGaJGDSOv6U5jKFxKRvigqTN
-Ls9lPmT5NXYETduWLBR3yUIdH6kZXrcozZ02B9vjOB2Cv4RMDc+9eM30CLIWpf1I
-097e7JkhzxFhfC/bMMt3P1FeQc+fwH91wdBmNi7tQw==
+BgEFBQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBRbivEcd5qyouXs
+owr4Xe5U3QkbBjAfBgNVHSMEGDAWgBRbivEcd5qyouXsowr4Xe5U3QkbBjANBgkq
+hkiG9w0BAQsFAAOCAQEAdSudxwrpXf/nxXJ8THob63UEvvof0o7uENbNPjqt7VZZ
+lQeKnZOrzjYbTcsbyDpm/zsniT9620ntVcL4/IG2eeuSPA9btHNiFM6R3Nby8Op4
+emqNzrS0DFqV/CAOAue+C44Vb9IS+ibFxEpI3GTH0FVWpEglLuesXKV+boy1aCNq
+BYvk6lVplmnTtyfEUAQxyjJhTHu0+ZDwmw1+/NY9Wn2aeile+/G8ao+MBXARELmq
+aoGKfFfrMGRT/KDSyODBEdJ1XkLr0TYjNvyctsaYBp9FhVQiuNMOyCku7EB8y+tZ
+odYtLw6ecNnrjgQAnxSDg1ChrQ0wNSdPyjvycNgvjQ==
 -----END CERTIFICATE-----
diff --git a/nixos/tests/common/acme/server/ca.key.pem b/nixos/tests/common/acme/server/ca.key.pem
index ed46f5dccf46..cde4e8ac7c75 100644
--- a/nixos/tests/common/acme/server/ca.key.pem
+++ b/nixos/tests/common/acme/server/ca.key.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAqzU81SwyTirRmBi1PfBBHCyqbLVxwiwuhueCymxHFPNH5/gK
-1/KrD0h8oXV0JHGI6ulYfxAydU3LckUp7wI8MhuAGtWctUBXPyZ4zI784pgpFHPZ
-UPsJC8B0jPyhsEdXBo5rUPxDApWUwNDcLpSbFzClc23eWrF26v8iU0OVsNuR7XTY
-8EUF07we69yCnGPg7BA/QrxbwvaBv2YbWambsskXQpBVK67/FjVA5FkjfpTEesTM
-fL9OfNyDen9dSIV9G/rLyvfBvNQdnrMAXZM71cr/TLp2QTtCbiRvLHTOdNioVi5s
-wQtWW74FARfQbpg0aTBR+Awo+/qkNrWlnhsnOwIDAQABAoIBAA3ykVkgd5ysmlSU
-trcsCnHcJaojgff6l3PACoSpG4VWaGY6a8+54julgRm6MtMBONFCX0ZCsImj484U
-Wl0xRmwil2YYPuL5MeJgJPktMObY1IfpBCw3tz3w2M3fiuCMf0d2dMGtO1xLiUnH
-+hgFXTkfamsj6ThkOrbcQBSebeRxbKM5hqyCaQoieV+0IJnyxUVq/apib8N50VsH
-SHd4oqLUuEZgg6N70+l5DpzedJUb4nrwS/KhUHUBgnoPItYBCiGPmrwLk7fUhPs6
-kTDqJDtc/xW/JbjmzhWEpVvtumcC/OEKULss7HLdeQqwVBrRQkznb0M9AnSra3d0
-X11/Y4ECgYEA3FC8SquLPFb2lHK4+YbJ4Ac6QVWeYFEHiZ0Rj+CmONmjcAvOGLPE
-SblRLm3Nbrkxbm8FF6/AfXa/rviAKEVPs5xqGfSDw/3n1uInPcmShiBCLwM/jHH5
-NeVG+R5mTg5zyQ/pQMLWRcs+Ail+ZAnZuoGpW3Cdc8OtCUYFQ7XB6nsCgYEAxvBJ
-zFxcTtsDzWbMWXejugQiUqJcEbKWwEfkRbf3J2rAVO2+EFr7LxdRfN2VwPiTQcWc
-LnN2QN+ouOjqBMTh3qm5oQY+TLLHy86k9g1k0gXWkMRQgP2ZdfWH1HyrwjLUgLe1
-VezFN7N1azgy6xFkInAAvuA4loxElZNvkGBgekECgYA/Xw26ILvNIGqO6qzgQXAh
-+5I7JsiGheg4IjDiBMlrQtbrLMoceuD0H9UFGNplhel9DXwWgxxIOncKejpK2x0A
-2fX+/0FDh+4+9hA5ipiV8gN3iGSoHkSDxy5yC9d7jlapt+TtFt4Rd1OfxZWwatDw
-/8jaH3t6yAcmyrhK8KYVrwKBgAE5KwsBqmOlvyE9N5Z5QN189wUREIXfVkP6bTHs
-jq2EX4hmKdwJ4y+H8i1VY31bSfSGlY5HkXuWpH/2lrHO0CDBZG3UDwADvWzIaYVF
-0c/kz0v2mRQh+xaZmus4lQnNrDbaalgL666LAPbW0qFVaws3KxoBYPe0BxvwWyhF
-H3LBAoGBAKRRNsq2pWQ8Gqxc0rVoH0FlexU9U2ci3lsLmgEB0A/o/kQkSyAxaRM+
-VdKp3sWfO8o8lX5CVQslCNBSjDTNcat3Co4NEBLg6Xv1yKN/WN1GhusnchP9szsP
-oU47gC89QhUyWSd6vvr2z2NG9C3cACxe4dhDSHQcE4nHSldzCKv2
+MIIEowIBAAKCAQEAmMTP3n4ku6zTc3bvgCviee/qJkGLKLXlaZsHFOlJfGa+qXLA
+Ui3rVdjwlhlSin13StRKfiXQaIrhvBGP8H32CcvkqFkUVl/mxiBZcu+Lq19ojh/8
+ophfFzGh4+As4zA9cDNqxS7MC91StgzPsKwjDtsxNgQIlACfvsLPfQ5e+A0PZRp3
+vITIxYM2pCDQjXfePP7dvizFcagoEO3yPohwNV+0BdQE+XPOsHfxsS835d+Nw8S0
+njERWxlFUh+jQQZyEHRQ6tRozRj25/GZQ18OVlnkebn58XEUTaadxpxxt/1TnmxQ
+K/vuf9M3vkLxelz15PUWVr4YdHQ9eP/FvzzCtQIDAQABAoIBAAMvJv4GNxHKWmXv
+trI/N+s+uuytNQ9WKz/2QUGIU0XKhnLVt3h/CIazjOA0CupkDxZ6MktK0ns7WdUn
+sI5cscImg8+We7wJJ7A9gF/K6mhaBr3foM5qyqCbIjqzs3vQx5cNG06c2RfuNwkg
+XzvZeqmWnAH6N4uOL8Y0HUsH/6a/5rHEBTgUOnOidR8T1vdIN5vnpknef/H575ab
+jTdDyb15Vns7nC4Q8lortkLsQzOt//LWpVuLZXGDm1Xi47ahNXM8Fo/MFK+xcBDF
+onMFuclxImN3FqkyMH6PgJS392bZ1LLcmS4bqZ0oIwfUZ/kIEwAI2cTwEYfYmN7C
+ekgvpsECgYEAxoJUcZW4iWvT8kznWKKT+YJAfTYmgwOxB1Dn3RxFA8cXocQQvwvM
+mSl1AKOjWHFl/eW9s4zwy/fOnsN1m1tCTuWSNn5sudZSJfbd5CCiYaYTI66McCCm
+5FGzqLM44Wm5y2qLa7l3in8Tza/645RpLXZyRfMInoW5In0XKbokLbkCgYEAxQM/
+p63V5KuZYsm9BWNcCvAbS6G9NHjbeRrkAd171SSdibdwLIBeyn7A5JCiVqhZZbsO
+1q1okO4m4j+JHzntWi63yXwG49sEVNaFbExPE4tfJeHD0Po8MJffoLNVTE+INT0B
+fl1elhMpE9qpizFIHF7L8KnUf5Igi+yp0d6Amt0CgYACAhmGmKQoR736KosAm4xx
+rr6mRaD4HFZzI39k/j84fZAgo9IjjKQCPKghXIZvg54rhmJ36YoaFiSx+Ho9Gxw9
+nhbvlDHXY3KrTacLAsWBxWNWLhLfo4TstGLj5wRBS4eEpkxIx7SM4yI5J3mbScoS
+mqsnSAEjUWkBD1DnrClniQKBgQCdfC9SNp+Yn6OJWIKE4Bwfkjf/iVbZrxKiCGDj
+LM1kYFSeVciRijw72n8PNp7ObtyneZQu/4dq8zSZ/vf5wjB9uoKnyUEou1cHCkS1
+gXpkwTBZ89K4JpAeuAjHSROSYLEc/ZtIDBMkHETl3hFRdx+RriWQR/HZ2FG0CIbn
+gNmE8QKBgDlFu+TcspI2R9mKbHrbPTXOAlmi2g7RZ3jF1m4S/aZqSL/bqPRBb0OU
+dY7MX4GHhJYR7RnMMROZQI0H4ZwWSMfokBDa96MDY107atK8TqZmYKaZQsEB8B4r
+fMmKnQljYj91d/reowLJrQRf5SjBvtDIEIsiC8UgjQImAsZ8huEX
 -----END RSA PRIVATE KEY-----
From 72156f4e1fe65797e9c6a47b3762d58d6d132377 Mon Sep 17 00:00:00 2001
From: Robert Scott
Date: Sun, 20 Nov 2022 16:16:59 +0000
Subject: [PATCH 20/20] libheif: add some key reverse dependencies to passthru.tests
---
 .../development/libraries/libheif/default.nix | 26 +++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/libraries/libheif/default.nix b/pkgs/development/libraries/libheif/default.nix
index 1f9037dab75d..45c04b857f76 100644
--- a/pkgs/development/libraries/libheif/default.nix
+++ b/pkgs/development/libraries/libheif/default.nix
@@ -1,5 +1,23 @@
-{ lib, stdenv, fetchFromGitHub, autoreconfHook, pkg-config, dav1d, rav1e, libde265, x265, libpng,
- libjpeg, libaom }:
+{ lib
+, stdenv
+, fetchFromGitHub
+, autoreconfHook
+, pkg-config
+, dav1d
+, rav1e
+, libde265
+, x265
+, libpng
+, libjpeg
+, libaom
+
+# for passthru.tests
+, gimp
+, imagemagick
+, imlib2Full
+, imv
+, vips
+}:
 stdenv.mkDerivation rec {
 pname = "libheif";
@@ -19,6 +37,10 @@ stdenv.mkDerivation rec {
 enableParallelBuilding = true;
+ passthru.tests = {
+ inherit gimp imagemagick imlib2Full imv vips;
+ };
+
 meta = {
 homepage = "http://www.libheif.org/";
 description = "ISO/IEC 23008-12:2017 HEIF image file format decoder and encoder";