From d473ef2ed2aa00e7c358ba4b64822057c4b6573f Mon Sep 17 00:00:00 2001 From: Aneesh Agrawal Date: Thu, 5 Oct 2017 15:45:38 -0400 Subject: [PATCH 1/9] openssh: 7.5p1 -> 7.6p1 Release notes are available at https://www.openssh.com/txt/release-7.6. Mostly a bugfix release, no major backwards-incompatible changes. --- pkgs/tools/networking/openssh/default.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 8343f23a1a03..037bb07922be 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -13,11 +13,11 @@ assert withGssapiPatches -> withKerberos; let # **please** update this patch when you update to a new openssh release. - gssapiSrc = fetchpatch { + gssapiPatch = fetchpatch { name = "openssh-gssapi.patch"; url = "https://anonscm.debian.org/cgit/pkg-ssh/openssh.git/plain/debian" - + "/patches/gssapi.patch?id=db2122d97eb1ecdd8d99b7bf79b0dd2b5addfd92"; - sha256 = "1rw10pmvjw55521ys59x1kabvbvmla506znakwwjijggdsakvsjm"; + + "/patches/gssapi.patch?id=1e0d55f9163793742d20eaadd4784db16fd3459d"; + sha256 = "130phj87q87p9crigd6852nnaqsqkfg09h45a32lk4524h9kkxgb"; }; in @@ -26,7 +26,7 @@ stdenv.mkDerivation rec { # Please ensure that openssh_with_kerberos still builds when # bumping the version here! name = "openssh-${version}"; - version = "7.5p1"; + version = if hpnSupport then "7.5p1" else "7.6p1"; src = if hpnSupport then fetchurl { @@ -36,7 +36,7 @@ stdenv.mkDerivation rec { else fetchurl { url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz"; - sha256 = "1w7rb5gbrikxdkp8w7zxnci4549gk4bw1lml01s59w5rzb2y6ilq"; + sha256 = "08qpsb8mrzcx8wgvz9insiyvq7sbg26yj5nvl2m5n57yvppcl8x3"; }; patches = 
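Review bot: The new `version = if hpnSupport then "7.5p1" else "7.6p1";` in the `@@ -26,7` hunk keeps HPN builds on 7.5p1 without saying why, so that variant misses the 7.6p1 fixes and nothing in the file prompts a later bump. It also interacts with the first hunk: `gssapiPatch` is now pinned to a different Debian commit, presumably the one that matches 7.6p1, and with `hpnSupport` and `withGssapiPatches` both enabled it would be applied to the 7.5p1 source, where it may not apply cleanly. I would add a comment above the line, for example `# HPN builds stay on 7.5p1 until the HPN patch set is updated; bump both together` (if that is the reason). If the combination is not meant to work, guard it next to the existing assert with `assert withGssapiPatches -> !hpnSupport;`. The `mkDerivation` body continues outside these hunks.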
@@ -47,7 +47,7 @@ stdenv.mkDerivation rec { # See discussion in https://github.com/NixOS/nixpkgs/pull/16966 ./dont_create_privsep_path.patch ] - ++ optional withGssapiPatches gssapiSrc; + ++ optional withGssapiPatches gssapiPatch; postPatch = # On Hydra this makes installation fail (sometimes?), From b34f5db38fccea937b47ef74c0b0bc49df1c0619 Mon Sep 17 00:00:00 2001 From: mimadrid Date: Sat, 4 Nov 2017 11:29:40 +0100 Subject: [PATCH 2/9] parallel: 20170722 -> 20171022 --- pkgs/tools/misc/parallel/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/misc/parallel/default.nix b/pkgs/tools/misc/parallel/default.nix index 648d09b42654..676db3ab69c8 100644 --- a/pkgs/tools/misc/parallel/default.nix +++ b/pkgs/tools/misc/parallel/default.nix @@ -1,11 +1,11 @@ { fetchurl, stdenv, perl, makeWrapper, procps }: stdenv.mkDerivation rec { - name = "parallel-20170722"; + name = "parallel-20171022"; src = fetchurl { url = "mirror://gnu/parallel/${name}.tar.bz2"; - sha256 = "117g50bx1kcbrqix0f1539z5rzhvgsni2wddjv939wcxkrdb1idx"; + sha256 = "18pq10npl7g764ww7cy9r5n5s3kiy984jclf932qfgndcxsbpqpp"; }; nativeBuildInputs = [ makeWrapper perl ]; From 109de2b869be77cbda9c97b81d16bc06307f1f94 Mon Sep 17 00:00:00 2001 From: Joerg Thalheim Date: Wed, 8 Nov 2017 15:24:38 +0000 Subject: [PATCH 3/9] iana-etc: 20170512 -> 20171106 --- pkgs/data/misc/iana-etc/default.nix | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/pkgs/data/misc/iana-etc/default.nix b/pkgs/data/misc/iana-etc/default.nix index 842b031c6bed..249f0e5dcb91 100644 --- a/pkgs/data/misc/iana-etc/default.nix +++ b/pkgs/data/misc/iana-etc/default.nix 
@@ -2,16 +2,15 @@ stdenv.mkDerivation rec { name = "iana-etc-${version}"; - version = "20170512"; + version = "20171106"; src = fetchurl { url = "https://github.com/Mic92/iana-etc/releases/download/${version}/iana-etc-${version}.tar.gz"; - sha256 = "0zx2ag894qldvrv8f4hs84644kdcp8a83gjg33xsw8rrn38gll2a"; + sha256 = "0pbmq95gdkp66cljwklv4gzh8lvl30l4k77hfwvrxz5mfqia6qdd"; }; installPhase = '' - mkdir -p $out/etc - cp services protocols $out/etc/ + install -D -t $out/etc services protocols ''; meta = with stdenv.lib; { From ee0c6293250c95ba1434c50d03632c6a424b3e63 Mon Sep 17 00:00:00 2001 From: Herwig Hochleitner Date: Sat, 28 Oct 2017 12:59:47 +0200 Subject: [PATCH 4/9] webkitgtk: 2.18.1 -> 2.18.2 --- pkgs/development/libraries/webkitgtk/2.18.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/webkitgtk/2.18.nix b/pkgs/development/libraries/webkitgtk/2.18.nix index e1b520eb10b1..d83da0402bab 100644 --- a/pkgs/development/libraries/webkitgtk/2.18.nix +++ b/pkgs/development/libraries/webkitgtk/2.18.nix @@ -12,7 +12,7 @@ assert enableGeoLocation -> geoclue2 != null; with stdenv.lib; stdenv.mkDerivation rec { name = "webkitgtk-${version}"; - version = "2.18.1"; + version = "2.18.2"; meta = { description = "Web content rendering engine, GTK+ port"; @@ -42,7 +42,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "http://webkitgtk.org/releases/${name}.tar.xz"; - sha256 = "15fp7szmkpannx7avsynf0nv3y343qwq0fvq3rz2m2mw5wq7pnww"; + sha256 = "1ry8zvv6k01g9p7agg326n0ziqpqjxd49h5w1b2is6rjnpqv6k5i"; }; # see if we can clean this up.... From d61c612768b857a1b0f1d1c11a19d2d6df9d9761 Mon Sep 17 00:00:00 2001 From: Dan Peebles Date: Mon, 30 Oct 2017 12:25:07 +0100 Subject: [PATCH 5/9] Fix sharutils tests in darwin sandbox --- pkgs/tools/archivers/sharutils/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) 
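Review bot: In the `installPhase` of the iana-etc hunk, `install` without `-m` writes its targets with mode 0755, whereas the `cp` it replaces kept the source mode, so `services` and `protocols` will likely end up marked executable in the output. These are plain data files, and `install -D -m 644 -t $out/etc services protocols` keeps them non-executable. Creating the target directory through `-D` combined with `-t` is GNU coreutils behaviour, which should be fine in stdenv but is not portable to other `install` implementations.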
diff --git a/pkgs/tools/archivers/sharutils/default.nix b/pkgs/tools/archivers/sharutils/default.nix index 77ab8a1cb033..11072fc28dea 100644 --- a/pkgs/tools/archivers/sharutils/default.nix +++ b/pkgs/tools/archivers/sharutils/default.nix @@ -13,6 +13,16 @@ stdenv.mkDerivation rec { # GNU Gettext is needed on non-GNU platforms. buildInputs = [ coreutils gettext ]; + # These tests try to hit /etc/passwd to find out your username if pass in a submitter + # name on the command line. Since we block access to /etc/passwd on the Darwin sandbox + # that cause shar to just segfault. It isn't a problem on Linux because their sandbox + # remaps /etc/passwd to a trivial file, but we can't do that on Darwin so I do this + # instead. In this case, I pass in the very imaginative "submitter" as the submitter name + patchPhase = '' + substituteInPlace tests/shar-1 --replace '$''\{SHAR}' '$''\{SHAR} -s submitter' + substituteInPlace tests/shar-2 --replace '$''\{SHAR}' '$''\{SHAR} -s submitter' + ''; + doCheck = true; crossAttrs = { From 48a34be41ce5c4e85b8e34281ae9af714d35baaf Mon Sep 17 00:00:00 2001 From: Dan Peebles Date: Tue, 31 Oct 2017 12:58:08 +0100 Subject: [PATCH 6/9] Support frameworks properly in sandbox --- pkgs/os-specific/darwin/apple-sdk/default.nix | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/pkgs/os-specific/darwin/apple-sdk/default.nix b/pkgs/os-specific/darwin/apple-sdk/default.nix index 957b610f3a25..9a6624104f45 100644 --- a/pkgs/os-specific/darwin/apple-sdk/default.nix +++ b/pkgs/os-specific/darwin/apple-sdk/default.nix 
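Review bot: Setting `patchPhase` directly in the sharutils hunk replaces the whole default phase, so any `patches` list and the `prePatch`/`postPatch` hooks on this derivation would stop running; the rest of the derivation is outside the hunk, so I cannot tell whether it has any. Putting the two `substituteInPlace` calls in `postPatch = '' … '';` keeps the default behaviour. The comment says shar segfaults when `/etc/passwd` is unreadable, so it should also state that only the tests are worked around and the binary itself still crashes in that situation, for example `# NOTE: shar still segfaults without -s when /etc/passwd is unreadable; only the tests are adjusted`.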
@@ -136,10 +136,13 @@ let # don't use pure CF for dylibs that depend on frameworks setupHook = ./framework-setup-hook.sh; - # allows building the symlink tree - __impureHostDeps = [ "/System/Library/Frameworks/${name}.framework" ]; - - __propagatedImpureHostDeps = stdenv.lib.optional (name != "Kernel") "/System/Library/Frameworks/${name}.framework/${name}"; + # Not going to be more specific than this for now + __propagatedImpureHostDeps = stdenv.lib.optionals (name != "Kernel") [ + # The setup-hook ensures that everyone uses the impure CoreFoundation who uses these SDK frameworks, so let's expose it + "/System/Library/Frameworks/CoreFoundation.framework" + "/System/Library/Frameworks/${name}.framework" + "/System/Library/Frameworks/${name}.framework/${name}" + ]; meta = with stdenv.lib; { description = "Apple SDK framework ${name}"; From 0f75e6bef7ddfd89dd62e87fbe2a8ee34d1aba8f Mon Sep 17 00:00:00 2001 From: Dan Peebles Date: Wed, 8 Nov 2017 22:20:00 -0500 Subject: [PATCH 7/9] cpython: make configd optional (for sandboxed darwin bootstraps) --- pkgs/development/interpreters/python/cpython/2.7/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/interpreters/python/cpython/2.7/default.nix b/pkgs/development/interpreters/python/cpython/2.7/default.nix index 4ac827db7cb6..eb2a46cb3b79 100644 --- a/pkgs/development/interpreters/python/cpython/2.7/default.nix +++ b/pkgs/development/interpreters/python/cpython/2.7/default.nix @@ -128,7 +128,7 @@ let ++ optional hostPlatform.isCygwin expat ++ [ db gdbm ncurses sqlite readline ] ++ optionals x11Support [ tcl tk xlibsWrapper libX11 ] - ++ optionals stdenv.isDarwin [ CF configd ]; + ++ optionals stdenv.isDarwin ([ CF ] ++ optional (configd != null) configd); mkPaths = paths: { C_INCLUDE_PATH = makeSearchPathOutput "dev" "include" paths; From 94fc7214ce2396e488ed17918a9824d2c39db144 Mon Sep 17 00:00:00 2001 
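Review bot: The `__propagatedImpureHostDeps` list in the apple-sdk hunk now exposes the whole `${name}.framework` directory plus `CoreFoundation.framework` to every dependent build, which opens the sandbox wider than the single `${name}.framework/${name}` path propagated before. The comment `# Not going to be more specific than this for now` should record what remains to be narrowed, for example `# TODO: restrict to the paths the symlink tree and the dylib actually need`. With the directory listed, the third entry `${name}.framework/${name}` looks redundant, assuming directory entries are allowed recursively. The removed `__impureHostDeps` also covered the Kernel framework, while the new list is skipped when `name == "Kernel"`, so that derivation may lose the access it used to build its symlink tree. The enclosing `let` block starts outside the hunk.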
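Review bot: The `configd != null` check in the cpython hunk is explained only by the commit subject, so a reader of the file cannot tell when `configd` is expected to be null. A comment on the line, for example `# configd is null in sandboxed darwin bootstraps`, would keep the reason next to the code. The `buildInputs` expression and the file's argument list both start outside the hunk.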
From: Dan Peebles Date: Wed, 8 Nov 2017 22:23:07 -0500 Subject: [PATCH 8/9] git: remove custom sandbox profile (not allowed by modern Nix anymore) --- .../version-management/git-and-tools/git/default.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index 6358a340bb6e..5e42992cbe22 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix @@ -53,9 +53,6 @@ stdenv.mkDerivation { NIX_LDFLAGS = stdenv.lib.optionalString (!stdenv.cc.isClang) "-lgcc_s" + stdenv.lib.optionalString (stdenv.isFreeBSD) "-lthr"; - # without this, git fails when trying to check for /etc/gitconfig existence - propagatedSandboxProfile = stdenv.lib.sandbox.allowDirectoryList "/etc"; - makeFlags = "prefix=\${out} PERL_PATH=${perl}/bin/perl SHELL_PATH=${stdenv.shell} " + (if pythonSupport then "PYTHON_PATH=${python}/bin/python" else "NO_PYTHON=1") + (if stdenv.isSunOS then " INSTALL=install NO_INET_NTOP= NO_INET_PTON=" else "") From bb863378d3d7b2bc6dc81a55005a11b96da25c84 Mon Sep 17 00:00:00 2001 From: Dan Peebles Date: Wed, 8 Nov 2017 22:32:44 -0500 Subject: [PATCH 9/9] adv_cmds: remove custom sandbox profile (not allowed in recent Nix) --- .../darwin/apple-source-releases/adv_cmds/default.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix index ccbd8343e0d0..35608587c569 100644 --- a/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix +++ b/pkgs/os-specific/darwin/apple-source-releases/adv_cmds/default.nix 
@@ -84,9 +84,6 @@ in appleDerivation { ]; setOutputFlags = false; - # ps uses this syscall to get process info - propagatedSandboxProfile = stdenv.lib.sandbox.allow "mach-priv-task-port"; - meta = { platforms = stdenv.lib.platforms.darwin; maintainers = with stdenv.lib.maintainers; [ gridaphobe ];