Merge branch 'staging'

It's only half-rebuilt on Hydra, but it brings a security fix.

nixos/modules/module-list.nix

@@ -788,6 +788,7 @@
   ./virtualisation/lxd.nix
   ./virtualisation/amazon-options.nix
   ./virtualisation/hyperv-guest.nix
+  ./virtualisation/kvmgt.nix
   ./virtualisation/openvswitch.nix
   ./virtualisation/parallels-guest.nix
   ./virtualisation/qemu-guest-agent.nix

nixos/modules/virtualisation/kvmgt.nix

@@ -0,0 +1,64 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.virtualisation.kvmgt;
+  kernelPackages = config.boot.kernelPackages;
+  vgpuOptions = {
+    uuid = mkOption {
+      type = types.string;
+      description = "UUID of VGPU device. You can generate one with <package>libossp_uuid</package>.";
+    };
+  };
+in {
+  options = {
+    virtualisation.kvmgt = {
+      enable = mkEnableOption ''
+        KVMGT (iGVT-g) VGPU support. Allows Qemu/KVM guests to share host's Intel integrated graphics card.
+        Currently only one graphical device can be shared
+      '';
+      # multi GPU support is under the question
+      device = mkOption {
+        type = types.string;
+        default = "0000:00:02.0";
+        description = "PCI ID of graphics card. You can figure it with <command>ls /sys/class/mdev_bus</command>.";
+      };
+      vgpus = mkOption {
+        default = {};
+        type = with types; attrsOf (submodule [ { options = vgpuOptions; } ]);
+        description = ''
+          Virtual GPUs to be used in Qemu. You can find devices via <command>ls /sys/bus/pci/devices/*/mdev_supported_types</command>
+          and find info about device via <command>cat /sys/bus/pci/devices/*/mdev_supported_types/i915-GVTg_V5_4/description</command>
+        '';
+        example = {
+          "i915-GVTg_V5_8" = {
+            uuid = "a297db4a-f4c2-11e6-90f6-d3b88d6c9525";
+          };
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    assertions = singleton {
+      assertion = versionAtLeast kernelPackages.kernel.version "4.16";
+      message = "KVMGT is not properly supported for kernels older than 4.16";
+    };
+    boot.kernelParams = [ "i915.enable_gvt=1" ];
+    systemd.services = mapAttrs' (name: value:
+      nameValuePair "kvmgt-${name}" {
+        description = "KVMGT VGPU ${name}";
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+          ExecStart = "${pkgs.runtimeShell} -c 'echo ${value.uuid} > /sys/bus/pci/devices/${cfg.device}/mdev_supported_types/${name}/create'";
+          ExecStop = "${pkgs.runtimeShell} -c 'echo 1 > /sys/bus/pci/devices/${cfg.device}/${value.uuid}/remove'";
+        };
+        wantedBy = [ "multi-user.target" ];
+      }
+    ) cfg.vgpus;
+  };
+
+  meta.maintainers = with maintainers; [ gnidorah ];
+}

pkgs/applications/virtualization/virt-viewer/default.nix

@@ -1,7 +1,7 @@
 { stdenv, fetchurl, pkgconfig, intltool, glib, libxml2, gtk3, gtkvnc, gmp
 , libgcrypt, gnupg, cyrus_sasl, shared-mime-info, libvirt, yajl, xen
 , gsettings-desktop-schemas, makeWrapper, libvirt-glib, libcap_ng, numactl
-, libapparmor
+, libapparmor, gst_all_1
 , spiceSupport ? true
 , spice-gtk ? null, spice-protocol ? null, libcap ? null, gdbm ? null
 }:
@@ -30,11 +30,14 @@ stdenv.mkDerivation rec {
     xen
   ] ++ optionals spiceSupport [
     spice-gtk spice-protocol libcap gdbm
+    gst_all_1.gst-plugins-base gst_all_1.gst-plugins-good
   ];
 
   postInstall = ''
     for f in "$out"/bin/*; do
-        wrapProgram "$f" --prefix XDG_DATA_DIRS : "$GSETTINGS_SCHEMAS_PATH"
+        wrapProgram "$f" \
+          --prefix XDG_DATA_DIRS : "$GSETTINGS_SCHEMAS_PATH" \
+          --prefix GST_PLUGIN_SYSTEM_PATH_1_0 : "$GST_PLUGIN_SYSTEM_PATH_1_0"
     done
   '';
 

pkgs/development/libraries/cairo/default.nix

@@ -10,14 +10,14 @@
 assert glSupport -> libGL != null;
 
 let
-  version = "1.15.10";
+  version = "1.15.12";
   inherit (stdenv.lib) optional optionals;
 in stdenv.mkDerivation rec {
   name = "cairo-${version}";
 
   src = fetchurl {
     url = "http://cairographics.org/${if stdenv.lib.mod (builtins.fromJSON (stdenv.lib.versions.minor version)) 2 == 0 then "releases" else "snapshots"}/${name}.tar.xz";
-    sha256 = "14l3jll98pjdlpm8f972v0spzcsf6y5nz85y2k8iybyg6ihj5jk2";
+    sha256 = "1jcl0mnqq6j2xip8p506g2cj54sfycm339rrd3p4g2jljhdhh8vn";
   };
 
   outputs = [ "out" "dev" "devdoc" ];

pkgs/development/libraries/fftw/default.nix

@@ -5,7 +5,7 @@ with lib;
 assert elem precision [ "single" "double" "long-double" "quad-precision" ];
 
 let
-  version = "3.3.7";
+  version = "3.3.8";
   withDoc = stdenv.cc.isGNU;
 in
 
@@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "ftp://ftp.fftw.org/pub/fftw/fftw-${version}.tar.gz";
-    sha256 = "0wsms8narnbhfsa8chdflv2j9hzspvflblnqdn7hw8x5xdzrnq1v";
+    sha256 = "00z3k8fq561wq2khssqg0kallk0504dzlx989x3vvicjdqpjc4v1";
   };
 
   outputs = [ "out" "dev" "man" ]

pkgs/development/libraries/json-glib/default.nix

@@ -1,14 +1,15 @@
 { stdenv, fetchurl, fetchpatch, glib, meson, ninja, pkgconfig, gettext
-, gobjectIntrospection, dbus
-, fixDarwinDylibNames
+, gobjectIntrospection, dbus, fixDarwinDylibNames, gnome3
 }:
 
-stdenv.mkDerivation rec {
-  name = "json-glib-${minVer}.2";
-  minVer = "1.4";
+let
+  pname = "json-glib";
+  version = "1.4.2";
+in stdenv.mkDerivation rec {
+  name = "${pname}-${version}";
 
   src = fetchurl {
-    url = "mirror://gnome/sources/json-glib/${minVer}/${name}.tar.xz";
+    url = "mirror://gnome/sources/${pname}/${stdenv.lib.versions.majorMinor version}/${name}.tar.xz";
     sha256 = "2d7709a44749c7318599a6829322e081915bdc73f5be5045882ed120bb686dc8";
   };
 
@@ -28,9 +29,15 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
 
+  passthru = {
+    updateScript = gnome3.updateScript {
+      packageName = pname;
+    };
+  };
+
   meta = with stdenv.lib; {
-    homepage = http://live.gnome.org/JsonGlib;
     description = "A library providing (de)serialization support for the JavaScript Object Notation (JSON) format";
+    homepage = https://wiki.gnome.org/Projects/JsonGlib;
     license = licenses.lgpl2;
     maintainers = with maintainers; [ lethalman ];
     platforms = with platforms; unix;

pkgs/development/libraries/libffi/default.nix

@@ -49,6 +49,11 @@ stdenv.mkDerivation rec {
     "--enable-pax_emutramp"
   ];
 
+  preCheck = ''
+    # The tests use -O0 which is not compatible with -D_FORTIFY_SOURCE.
+    NIX_HARDENING_ENABLE=''${NIX_HARDENING_ENABLE/fortify/}
+  '';
+
   inherit doCheck;
 
   dontStrip = hostPlatform != buildPlatform; # Don't run the native `strip' when cross-compiling.

pkgs/development/libraries/p11-kit/default.nix

@@ -3,13 +3,13 @@
 
 stdenv.mkDerivation rec {
   name = "p11-kit-${version}";
-  version = "0.23.10";
+  version = "0.23.12";
 
   src = fetchFromGitHub {
     owner = "p11-glue";
     repo = "p11-kit";
     rev = version;
-    sha256 = "0n0wqv028flzvnxllqv8i6x9nv705csl7ddzi0fzvppc9fp2yinp";
+    sha256 = "0pb3qlddzbw7dglwnrl7fs9g71vhqk7qzxnb1i4nw633qgy21ga1";
   };
 
   outputs = [ "out" "dev"];
@@ -31,6 +31,7 @@ stdenv.mkDerivation rec {
   installFlags = [ "exampledir=\${out}/etc/pkcs11" ];
 
   doInstallCheck = false; # probably a bug in this derivation
+  enableParallelBuilding = true;
 
   meta = with stdenv.lib; {
     homepage = https://p11-glue.freedesktop.org/;

pkgs/development/libraries/spice-gtk/default.nix

@@ -2,7 +2,7 @@
 , openssl, libpulseaudio, pixman, gobjectIntrospection, libjpeg_turbo, zlib
 , cyrus_sasl, python2Packages, autoreconfHook, usbredir, libsoup
 , withPolkit ? true, polkit, acl, usbutils
-, vala, gtk3, epoxy, libdrm }:
+, vala, gtk3, epoxy, libdrm, gst_all_1, phodav }:
 
 # If this package is built with polkit support (withPolkit=true),
 # usb redirection reqires spice-client-glib-usb-acl-helper to run setuid root.
@@ -46,8 +46,8 @@ in stdenv.mkDerivation rec {
   '';
 
   buildInputs = [
-    spice-protocol celt_0_5_1 openssl libpulseaudio pixman
-    libjpeg_turbo zlib cyrus_sasl python pygtk usbredir gtk3 epoxy libdrm
+    spice-protocol celt_0_5_1 openssl libpulseaudio gst_all_1.gst-plugins-base pixman
+    libjpeg_turbo zlib cyrus_sasl python pygtk usbredir gtk3 epoxy libdrm phodav
   ] ++ optionals withPolkit [ polkit acl usbutils ] ;
 
   nativeBuildInputs = [ pkgconfig gettext libsoup autoreconfHook vala gobjectIntrospection ];

pkgs/development/libraries/sqlite/default.nix

@@ -66,6 +66,11 @@ stdenv.mkDerivation rec {
     echo ""
   '';
 
+  postInstall = ''
+    # Do not contaminate dependent libtool-based projects with sqlite dependencies.
+    sed -i $out/lib/libsqlite3.la -e "s/dependency_libs=.*/dependency_libs='''/"
+  '';
+
   meta = {
     description = "A self-contained, serverless, zero-configuration, transactional SQL database engine";
     downloadPage = http://sqlite.org/download.html;

pkgs/development/libraries/vsqlite/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, boost, sqlite, zlib }:
+{ stdenv, fetchurl, boost, sqlite }:
 
 stdenv.mkDerivation rec {
   name = "vsqlite-${version}";
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "17fkj0d2jh0xkjpcayhs1xvbnh1d69f026i7vs1zqnbiwbkpz237";
   };
 
-  buildInputs = [ boost sqlite zlib ];
+  buildInputs = [ boost sqlite ];
 
   prePatch = stdenv.lib.optionalString stdenv.isDarwin ''
     substituteInPlace Makefile.in \

pkgs/development/tools/misc/itstool/default.nix

@@ -2,11 +2,13 @@
 # We need the same Python as is used to build libxml2Python
 
 stdenv.mkDerivation rec {
-  name = "itstool-2.0.4";
+  # 2.0.3+ breaks the build of gnome3.gnome-desktop
+  # https://github.com/itstool/itstool/issues/17
+  name = "itstool-2.0.2";
 
   src = fetchurl {
     url = "http://files.itstool.org/itstool/${name}.tar.bz2";
-    sha256 = "0q7b4qrc758zfx3adsgvz0r93swdbxjr42w37rahngm33nshihlp";
+    sha256 = "bf909fb59b11a646681a8534d5700fec99be83bb2c57badf8c1844512227033a";
   };
 
   buildInputs = [ python2 libxml2Python ];

pkgs/development/tools/parsing/bison/3.x.nix

@@ -1,14 +1,14 @@
 { stdenv, hostPlatform, fetchurl, m4, perl, help2man }:
 
 stdenv.mkDerivation rec {
-  name = "bison-3.0.4";
+  name = "bison-3.0.5";
 
   src = fetchurl {
     url = "mirror://gnu/bison/${name}.tar.gz";
-    sha256 = "b67fd2daae7a64b5ba862c66c07c1addb9e6b1b05c5f2049392cfd8a2172952e";
+    sha256 = "0rnml9spd6p0i5qy9g4r82drwdr09r1z9cf4p89agbrkxqmrsffd";
   };
 
-  patches = stdenv.lib.optional hostPlatform.isDarwin stdenv.secure-format-patch;
+  patches = []; # remove on another rebuild
 
   nativeBuildInputs = [ m4 perl ] ++ stdenv.lib.optional stdenv.isSunOS help2man;
   propagatedBuildInputs = [ m4 ];

pkgs/os-specific/linux/busybox/default.nix

@@ -33,14 +33,14 @@ let
 in
 
 stdenv.mkDerivation rec {
-  name = "busybox-1.28.3";
+  name = "busybox-1.28.4";
 
   # Note to whoever is updating busybox: please verify that:
   # nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test
   # still builds after the update.
   src = fetchurl {
     url = "http://busybox.net/downloads/${name}.tar.bz2";
-    sha256 = "0via6faqj9xcyi8r39r4n0wxlk8r2292yk0slzwrdri37w1j43dd";
+    sha256 = "0smfn8hlds6nx8war62kyaykg3n7mxbjjfcpsgz84znwk4v4mhg3";
   };
 
   hardeningDisable = [ "format" ] ++ lib.optionals enableStatic [ "fortify" ];

pkgs/os-specific/linux/kernel/common-config.nix

@@ -214,6 +214,11 @@ with stdenv.lib;
   ${optionalString (versionOlder version "4.3") ''
     DRM_I915_KMS y
   ''}
+  # iGVT-g support
+  ${optionalString (versionAtLeast version "4.16") ''
+    DRM_I915_GVT y
+    DRM_I915_GVT_KVMGT m
+  ''}
   # Allow specifying custom EDID on the kernel command line
   DRM_LOAD_EDID_FIRMWARE y
   VGA_SWITCHEROO y # Hybrid graphics support

pkgs/os-specific/linux/procps-ng/default.nix

@@ -2,12 +2,12 @@
 
 stdenv.mkDerivation rec {
   name = "procps-${version}";
-  version = "3.3.14";
+  version = "3.3.15";
 
   # The project's releases are on SF, but git repo on gitlab.
   src = fetchurl {
     url = "mirror://sourceforge/procps-ng/procps-ng-${version}.tar.xz";
-    sha256 = "0v3j6rkzzscqds37i105cxx3q4dk04rsgpqfd5p7hzcvk59h5njy";
+    sha256 = "0r84kwa5fl0sjdashcn4vh7hgfm7ahdcysig3mcjvpmkzi7p9g8h";
   };
 
   buildInputs = [ ncurses ];

pkgs/tools/misc/parallel/default.nix

@@ -1,11 +1,11 @@
 { fetchurl, stdenv, perl, makeWrapper, procps }:
 
 stdenv.mkDerivation rec {
-  name = "parallel-20180422";
+  name = "parallel-20180522";
 
   src = fetchurl {
     url = "mirror://gnu/parallel/${name}.tar.bz2";
-    sha256 = "0xsfpbxwgd4197gra981iv0nmjfk58c0d88dxx6dh6yrqz523klx";
+    sha256 = "1khcz9pm7rjnq4gw8pn30k1d40x337a204dxj4y4qijpx8m7w0gb";
   };
 
   nativeBuildInputs = [ makeWrapper perl ];

pkgs/tools/networking/phodav/default.nix

@@ -0,0 +1,25 @@
+{ stdenv, fetchurl
+, intltool, pkgconfig, glib, libsoup }:
+
+let
+  version = "2.2";
+in stdenv.mkDerivation rec {
+  name = "phodav-${version}";
+
+  src = fetchurl {
+    url = "http://ftp.gnome.org/pub/GNOME/sources/phodav/${version}/${name}.tar.xz";
+    sha256 = "1hap0lncbcmivnflh0fbx7y58ry78p9wgj7z03r64ic0kvf0a0q8";
+  };
+
+  buildInputs = [ intltool glib libsoup ];
+
+  nativeBuildInputs = [ pkgconfig ];
+
+  meta = with stdenv.lib; {
+    description = "WebDav server implementation and library using libsoup";
+    homepage = https://wiki.gnome.org/phodav;
+    license = licenses.lgpl21;
+    maintainers = with maintainers; [ gnidorah ];
+    platforms = platforms.linux;
+  };
+}

pkgs/top-level/all-packages.nix

@@ -4400,6 +4400,8 @@ with pkgs;
 
   philter = callPackage ../tools/networking/philter { };
 
+  phodav = callPackage ../tools/networking/phodav { };
+
   pinentry = callPackage ../tools/security/pinentry {
     libcap = if stdenv.isDarwin then null else libcap;
   };