Security fixes:
- Message printout was vulnerable to format string injection
- dropbearconvert import of OpenSSH keys could run arbitrary code as the local dropbearconvert user when parsing malicious key files
- dbclient could run arbitrary code as the local dbclient user if particular -m or -c arguments are provided
- dbclient or dropbear server could expose process memory to the running user if compiled with DEBUG_TRACE and running with -v
Fixes:
- Fix port forwarding failure when connecting to domains that have both IPv4 and IPv6 addresses. The bug was introduced in 2015.68
- Fix 100% CPU use while waiting for rekey to complete
Using 'machinectl kill' is much faster than gracefully stopping the
container.
In the case of 'destroy', since we're destroying it anyway, there's no
reason to do a graceful shutdown.
cgit doesn't generate stable archives, so the SHA changed when there
was a commit earlier this year. Using fetchgit in hopes of stabilizing
the checked out sha.
Build the official keybase go client from source. The client includes both a
CLI for performing keybase operations and a service which will start
automatically when needed.
Keybase is a service which combines social proof with encryption. Learn more at
their site: http://keybase.io
This moves nixos-containers into its own package so that it can be
relied upon by other packages/systems. This should make development
using dynamic containers much easier.
(This is a rewritten version of the reverted commit
a927709a35, that disables the creation of
/var/empty during build so that sandboxed builds also work. For more
context, see https://github.com/NixOS/nixpkgs/pull/16966)
If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:
fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.
The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag, which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
For some reason I haven't been able to figure out, sift does not build on OSX.
I think it is because sift uses cgo for some of its functionality which you can
see here:
https://github.com/svent/sift/blob/master/matching_cgo.go#L23
The error which hydra found (and is reproducible on OSX) can be seen here:
https://hydra.nixos.org/build/37169149
Ideally I would like to get sift building on OSX, however my nix-fu is weak.
Any suggestions are welcome. In the meantime I would like to get sift into one
of the release channels for Linux where it works fine.
New:
- compression format specification zstd_compression_format.md
- `--` separator, stating that all following arguments are file names
- ZSTD_getDecompressedSize()
Fixes:
- dictBuilder using HC levels
- legacy support from ZSTD_decompress_usingDDict()
- multi-blocks decoding with intermediate uncompressed blocks
- currently pulled in from Git until the next release of PackageKit has Nix support
- also: add in a service module to start packagekit properly
- nixos service can be enabled via services.packagekit.enable
- packagekit requires nixunstable to build properly
youtube-dl: 2016.06.27 -> 2016.07.03.1
`mps-youtube` is the only package that fails in `nox-review`, but this was true before this merge. I have tested the updated result of `youtube-dl`. All fine for me.
Fixes:
- ZSTD_decompressBlock() using multiple consecutive blocks.
- potential segfault on very large files (many gigabytes).
- CLI displays system error message when destination file cannot be created.
- potential leak in zdict.
Switch off HAVE_SAVED_UIDS since it activates a code path for temporary
privilege dropping which does not work on NixOS.
Vixie-cron's sources ship with two implementations. Unfortunately, the
one activated by HAVE_SAVED_UIDS (using setuid()) does not work on
NixOS. Saved UIDs work only if the program which is using them has the
setuid bit set on its own executable, not if called from a setuid
wrapper (as we do it in NixOS). The other implementation (using
setreuid()) works without problems.
Quote from
<http://stackoverflow.com/questions/8499296/realuid-saved-uid-effective-uid-whats-going-on>:
    If your euid is root and you change the uid, the privileges get
    dropped permanently. If the effective user id is not root then the saved user
    id is never touched and you can regain the root privilege back
    anytime you want in your program.
Also extend the default PATH with NixOS-specific bin directories as
vixie-cron's default is not really usable on NixOS.
Re #16518. Closes #16522
* Add missing modules (fixes warnings and errors).
* Step 1 to unbreak starting Xvfb by making xpra invoke it with
valid log dir ($HOME/.xpra). Without this fix, it is invoked with
~/.xpra, which Xvfb doesn't know how to interpret and uses it
literally (fail). Step 2 will be fixing an Xvfb permission issue:
"xf86OpenConsole: Cannot open virtual console 1 (Permission denied)".
* Use XPRA_INSTALL_PREFIX to make it find its icons.
Commit 03353ce6ff ("system-config-printer: 1.3.12 -> 1.5.7")
forgot to update the hash. So since that commit we actually continued to
use the old version (1.3.12) because of the NixOS tarball cache...
The new version prints some warnings on startup:
/nix/store/HASH-system-config-printer-1.5.7/share/system-config-printer/system-config-printer.py:32: \
PyGIWarning: Polkit was imported without specifying a version first. \
Use gi.require_version('Polkit', '1.0') before import to ensure that the right version gets loaded.
from gi.repository import Polkit
...and similar errors for GdkPixbuf, Gdk, Gtk and Notify. These warnings
are already fixed upstream and will be part of the next release.
Implementation details:
* The new version needs python3.
* Remove unneeded, and python3 incompatible, 'notify' dependency. system-config-printer > 1.3.12 replaced it with GObject introspection bindings to libnotify (from gi.repository import Notify).
* Add gtk3, gdk_pixbuf, pango, atk, libnotify as needed (for gobject introspection).
* A new --with-udevdir configure option is used to prevent the installer from trying to install stuff to "/rules.d" (yes, the root).
* Get pycups from the passed pythonPackages set (fixes loading of python cups module).
* Use pygobject3 instead of pygobject, as needed.
* Use dbus from the passed pythonPackages attrset instead of pythonDBus, so we get a python3 compatible module that loads successfully.
* The Python requests2 module is required.
Our coreutils now uses single-binary-build mode where, by default,
simple shebang scripts are used for all the binaries. That doesn't work
e.g. with the Linux unpacker which only handles standard binaries and
symlinks. Let's use the symlinked mode instead for bootstrapping.
This does NOT change any stdenv hashes.
I only tested the case most important to me:
$ nix-build pkgs/top-level/release.nix -A stdenvBootstrapTools.x86_64-linux.test
stripHash uses a global variable to communicate its computation
results, but it's not necessary. You can just pipe to stdout in a
subshell. A function mostly behaves like just another command.
baseHash() also introduces a suffix-stripping capability since it's
something the users of the function tend to use.
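The refactoring described above, as an added example (not nixpkgs' own stripHash/baseHash code): both functions run in a subshell and return their result on stdout, so a caller captures it with $(...) instead of reading a global. It assumes a store hash is 32 lowercase [0-9a-z] characters followed by '-' (the real Nix base-32 alphabet is narrower).

```shell
# baseHash PATH [SUFFIX]
# Print the basename of PATH without a leading "<hash>-" and, when SUFFIX
# is given and present, without that trailing suffix.
# The body is a subshell "( ... )", so nothing leaks into the caller's scope.
baseHash() (
  name=$(basename -- "$1")
  suffix=${2-}
  # Strip the hash prefix only if the name really starts with one
  # (assumed shape: 32 chars of [0-9a-z] followed by '-').
  name=$(printf '%s\n' "$name" | sed -E 's/^[0-9a-z]{32}-//')
  if [ -n "$suffix" ]; then
    # Quoted pattern: the suffix is matched literally, not as a glob.
    name=${name%"$suffix"}
  fi
  printf '%s\n' "$name"
)

# stripHash PATH
# The original interface: baseHash without suffix stripping.
stripHash() (
  baseHash "$1"
)

# Usage: the result is consumed directly, no shared variable needed.
# tarball=$(stripHash "/nix/store/<hash>-hello-2.10.tar.gz")
# pname=$(baseHash "/nix/store/<hash>-hello-2.10.tar.gz" .tar.gz)
```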