The patch doesn't apply in version 22 and newer, because mode 1 sandboxes are
connsidered "legacy" (well, apart from the fact that I'd personally prefer BPF
anyway), for reasons I wasn't able to find, yet. But let's proceed on BPF
integration and thus gain more insight on the exact reasons.
If you look at what changed, you'll surely notice that version 22 is now in
beta, so we have to expect things to break. And one thing that will break for
sure is the seccomp patch, because beginning with 22 the new BPF seccomp sandbox
is going to replace the mode 1 seccomp sandbox.
This commit doesn't add any feature and just fixes a small annoyance which
result in messages like this:
Checking if xxx applies...no.
See that there is no whitespace between "..." and "no"? Well, the world cares
for more important things, but for me personally those minor annoyances can turn
into major annoyances.
The previous version seemed rather old and not even the examples from the
official site compile with that fossil. As there are no reverse dependencies,
this update should be trivial and hopefully doesn't hurt someones personal
feelings.
If the environment variable HYDRA_DISALLOW_UNFREE is set to "1", then
evaluation of a package with license "unfree" will throw an error.
Thus such packages or any packages that depend on them will fail to
evaluate.
chromium: Improve update script and update to latest versions.
Previously, we had a single hash of the whole version response from
omahaproxy.
Unfortunately the dev version is released quite frequently, so the hash
is of no use at all (we could rather directly fetch rather than
executing the script, because it will fetch all channels anyway).
This pull request adds two methods of caching:
* First of all, if a perticular version/channel is already in the
previous version of the sources.nix file, don't download it again.
* And the second method is to check if the current sha256 is already
downloaded and reads the corresponding sha256 from the lookup table.
So, this should really help to avoid flooding the download servers and
to not stress impatient users too much.
Fix NSS library not finding root CA certificates.
This now uses more or less hardcoded CA certificates from Mozilla, which
is the case on Debian and Gentoo aswell. And it fixes the root CA
loading issue, as i discovered that firefox builds with the bundled
version of NSS. With this branch this is no longer the case.
My long-term plans are to integrate an automatic chainloader for
OPENSSL_X509_CERT_FILE, but I'm not sure if this is really a good idea
(hence not included in this branch), as the nss-pem module is still
somewhat experimental. Regardless of it's experimental nature i'm still
including it in order to make it possible for users to load custom PEM
encoded certificates into the NSS database.
This fixups also makes it possible to enable FIPS mode, in case someone
might be interested in that.
And finally, we have a Chromium without quirky bugs from the
experimental OpenSSL integration, which was my original motivation to do
this.
See #112 for further comments.
So, now even Firefox can be built with our shiny new fixed up NSS derivation,
and as this is desired (especially if we want to support certificates from the
CA bundle), let's make it the default.
Hurray! This is the first time chromium is working with NSS _and_ is able to
verify certificates using the root certificates built in into NSS.
Optimally it would use certs from OPENSSL_X509_CERT_FILE, but at least it's
working, so let's add that at some later point.
Before, the entire directory was deleted and recreated, which fails if we want
to sign libraries (shlibsign is obviously deleted in that step as well), so we
delete everything but "nss-config" on postFixup.
This adds a patch from Debian, as they're already have security modules from NSS
in it's own library directory rather than /usr/lib{,64}/ and patch in loading of
libsoftokn as well.
The patch and our own fix of the patch (well, they hardcode Debian specific
stuff in there) ensures that SECMOD_AddNewModule() will find the right module
from the derivation's output path, so the built-in CA root certificates are
recognized and verified correctly.
Running NSS in FIPS mode is only possible if the libraries are signed correctly,
so we're doing this in the postFixup hook, to insure nothing gets altered after
that phase.
For more information about FIPS mode, please see:
https://developer.mozilla.org/en-US/docs/NSS/FIPS_Mode_-_an_explanation
First of all, let's remove that redundant BUILD_OPT variable.
This variable already is in makeFlags, so we really don't want it to be lurking
around in the attribute set of the derivation, and it annoys me for being there
for days.
We now state build targets explicitly rather than relying on "nss_build_all".
This makes NSPR_CONFIG_STATUS and the touch of build_nspr stamp obsolete, as
only nss_build_all includes build_nspr.
In addition, we don't need the -lz hack anymore, as this has been fixed in
recent NSS versions, so we can completly remove the postBuild hook.
And while we're at it, we're removing those outdated build instructions as well,
especially because we don't and can't follow official building guidelines
anymore, as those are difficult to apply to Nix.
This is a compatibility module which adds suport for PEM certificates used by
OpenSSL and compatible libraries. The module gets built but isn't used at the
moment, so we're going to work on integration of it later.
Let's use system SQLite library, which makes sense anyway. More importantly
because it conflicts with the sqlite package, as NSS is building this as a
shared library aswell.
So to begin with fixing NSS let's get to the latest upstream release and start
fixing, so we won't carry around historic crap we then will throw away anyway.
Please note that this update changes the directory structure quite a bit. In
particular, the file "/etc/bash_completion" no longer exists, which means that
shell code which relies on that path must be updated. I'll commit appropriate
changes for NixOS in a moment.
virtualbox: Fix build for manual kernel.
This should fix building VirtualBox against kernels made using the new
manual kernel configuration system.
This has been tested with the standard nixpkgs kernel as well.
First of all, modules won't install when there is no "make modules" prior to it,
so we're doing this now with a new function called forEachModule, so we can
avoid duplication as much as possible.
In addition this sets $sourcedir to the current directory of the configurePhase,
so we're able to find the source tree later on, after several chdir()s.
The scripts/depmod.sh checks whether the path in $DEPMOD is executable and only
executes it if that's the case. So, by setting DEPMOD to "/do_not_use_depmod"
the destination path doesn't exist _and_ thus isn't executable aswell.
The for loop didn't find $curdir, because it was set _after_ the directory has
been changed. The variable is now called $srcroot and is set before the
installPhase is changing directories.
Don't rely on VirtualBox's in-tree build scripts to set include paths correctly
and use the official way of the Linux kernel to build the modules. That way we
don't need to make ugly symlinks in the kernel tree or heavily patch VirtualBox.
Until this commit we had a single hash of the whole version response from
omahaproxy. This worked well for not updating unnecessarily but only until one
single channel has a new version available.
Unfortunately the dev version is released quite frequently, so the hash is of no
use at all (we could rather directly fetch everything everytime we execute the
script).
This led to this commit, which adds two methods of caching:
First of all, if a perticular version/channel is already in the previous version
of the sources.nix file, don't download it again.
And the second method is to check if the current sha256 is already downloaded
and reads the corresponding sha256 from the lookup table.
So, this should really help to avoid flooding the download servers and to not
stress impatient users too much.
It doesn't add any unwanted defaults, and it makes cross-building
experiments (and cross-building for a new device is always
experimental..) way easier.
As explained in my previous attempt:
There is a test that fails on mips, and that breaks the nix build.
The text does not exist anymore in automake upstream git, so the next
version may not need this mips-specific disabling.
There is a test that fails on mips, and that breaks the nix build.
The text does not exist anymore in automake upstream git, so the next
version may not need this mips-specific disabling.