Merge master into staging-next

github-actions[bot] 2021-05-09 12:23:16 +00:00 committed by GitHub
commit bc1f4b790e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
25 changed files with 241 additions and 53 deletions


@ -61,6 +61,17 @@ in
'';
};
security.sudo.execWheelOnly = mkOption {
type = types.bool;
default = false;
description = ''
Only allow members of the <code>wheel</code> group to execute sudo by
setting the executable's permissions accordingly.
This prevents users that are not members of <code>wheel</code> from
exploiting vulnerabilities in sudo such as CVE-2021-3156.
'';
};
security.sudo.configFile = mkOption {
type = types.lines;
# Note: if syntax errors are detected in this file, the NixOS
@ -216,9 +227,20 @@ in
${cfg.extraConfig}
'';
security.wrappers = {
sudo.source = "${cfg.package.out}/bin/sudo";
sudoedit.source = "${cfg.package.out}/bin/sudoedit";
security.wrappers = let
owner = "root";
group = if cfg.execWheelOnly then "wheel" else "root";
setuid = true;
permissions = if cfg.execWheelOnly then "u+rx,g+x" else "u+rx,g+x,o+x";
in {
sudo = {
source = "${cfg.package.out}/bin/sudo";
inherit owner group setuid permissions;
};
sudoedit = {
source = "${cfg.package.out}/bin/sudoedit";
inherit owner group setuid permissions;
};
};
environment.systemPackages = [ sudo ];
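Review bot: The `execWheelOnly` description at lines 19–22 does not say how the restriction is enforced: the wrapper is installed with `group = "wheel"` and `permissions = "u+rx,g+x"` (lines 36–38), so no user outside `wheel` can execute sudo at all, even if a rule in `extraConfig` would otherwise grant them access. Add a sentence to the description such as `This applies to every user outside wheel, including users to whom sudoers rules would otherwise grant access.` so administrators combining this option with custom rules are not surprised. The `security.wrappers` definition is complete in the hunk, but the enclosing `config` block continues outside it.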


@ -150,6 +150,10 @@ in
config = mkIf cfg.enable (mkMerge [{
boot.kernelModules = [ "bridge" "veth" ];
boot.kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = mkOverride 99 true;
"net.ipv4.conf.default.forwarding" = mkOverride 99 true;
};
environment.systemPackages = [ cfg.package ]
++ optional cfg.enableNvidia pkgs.nvidia-docker;
users.groups.docker.gid = config.ids.gids.docker;
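Review bot: The two `mkOverride 99` sysctl entries at lines 57–58 carry no comment explaining the chosen priority; since 99 outranks the priority of plain user definitions, an administrator who sets these keys to `false` without `mkForce` is silently overridden. A comment such as `# Priority 99 so docker's requirement wins over plain user definitions; use mkForce to opt out.` makes that explicit. Because `net.ipv4.conf.all.forwarding` turns on forwarding for every interface, the host's firewall configuration has to account for it, which is worth a sentence in the option's documentation. The `mkMerge` list continues outside the hunk.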


@ -45,5 +45,8 @@ import ./make-test-python.nix ({ pkgs, ...} : {
# Must match version 4 times to ensure client and server git commits and versions are correct
docker.succeed('[ $(docker version | grep ${pkgs.docker.version} | wc -l) = "4" ]')
docker.succeed("systemctl restart systemd-sysctl")
docker.succeed("grep 1 /proc/sys/net/ipv4/conf/all/forwarding")
docker.succeed("grep 1 /proc/sys/net/ipv4/conf/default/forwarding")
'';
})
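Review bot: `grep 1` at lines 70–71 matches any line containing the character `1` rather than the exact value, so the assertion is looser than intended even though these sysctl files currently only hold `0` or `1`; `grep -x 1 /proc/sys/net/ipv4/conf/all/forwarding` (and the same for `default`) pins the whole line. The `testScript` string starts before the hunk.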


@ -10,7 +10,7 @@ in
maintainers = [ lschuermann ];
};
machine =
nodes.machine =
{ lib, ... }:
with lib;
{
@ -48,6 +48,19 @@ in
};
};
nodes.strict = { ... }: {
users.users = {
admin = { isNormalUser = true; extraGroups = [ "wheel" ]; };
noadmin = { isNormalUser = true; };
};
security.sudo = {
enable = true;
wheelNeedsPassword = false;
execWheelOnly = true;
};
};
testScript =
''
with subtest("users in wheel group should have passwordless sudo"):
@ -79,5 +92,11 @@ in
with subtest("users in group 'barfoo' should not be able to keep their environment"):
machine.fail("sudo -u test3 sudo -n -E -u root true")
with subtest("users in wheel should be able to run sudo despite execWheelOnly"):
strict.succeed('su - admin -c "sudo -u root true"')
with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
strict.fail('su - noadmin -c "sudo --help"')
'';
})
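Review bot: `strict.fail('su - noadmin -c "sudo --help"')` at line 108 passes on any failure, not only when the sudo wrapper is non-executable for `noadmin` — a failing `su - noadmin` would also satisfy it. Running `strict.succeed('su - noadmin -c true')` first makes the negative assertion attributable to the wrapper's permissions, and checking the wrapper's mode and group directly would pin the mechanism rather than a symptom. The `testScript` string starts before the hunk.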


@ -2,13 +2,13 @@
mkDerivation rec {
pname = "ghostwriter";
version = "2.0.0-rc5";
version = "2.0.0";
src = fetchFromGitHub {
owner = "wereturtle";
repo = pname;
rev = version;
sha256 = "sha256-Gc0/AHxxJd5Cq3dBQ0Xy2TF78CBmQFYUzm4s7q1aHEE=";
sha256 = "sha256-5O2W7ZQeDkNzwi6t9MfNbv4fmNvak1AcMnzJTE1F9L8=";
};
nativeBuildInputs = [ qmake pkg-config qttools ];


@ -21,7 +21,7 @@ buildPythonApplication rec {
checkInputs = [ coverage coveralls docopt mock pylint pytest vcrpy ];
propagatedBuildInputs = [ beautifulsoup4 decorator kitchen requests ];
propagatedBuildInputs = [ beautifulsoup4 decorator kitchen requests six ];
meta = with lib; {
description = "Browse Reddit from your Terminal (fork of rtv)";


@ -15,13 +15,13 @@
}:
buildPythonApplication rec {
pname = "visidata";
version = "2.2.1";
version = "2.4";
src = fetchFromGitHub {
owner = "saulpw";
repo = "visidata";
rev = "v${version}";
sha256 = "1gkvnywjg0n3n7d855ivclsj3d8mzihhkgv9a18srcszkmyix903";
sha256 = "0mvf2603d9b0s6rh7sl7mg4ipbh0nk05xgh1078mwvx31qjsmq1i";
};
propagatedBuildInputs = [


@ -1,7 +1,7 @@
{ lib, stdenv, buildPythonApplication, fetchFromGitHub, pythonOlder,
attrs, aiohttp, appdirs, click, keyring, Logbook, peewee, janus,
prompt_toolkit, matrix-nio, dbus-python, pydbus, notify2, pygobject3,
setuptools,
setuptools, fetchpatch,
pytest, faker, pytest-aiohttp, aioresponses,
@ -10,7 +10,7 @@
buildPythonApplication rec {
pname = "pantalaimon";
version = "0.8.0";
version = "0.9.2";
disabled = pythonOlder "3.6";
@ -19,9 +19,17 @@ buildPythonApplication rec {
owner = "matrix-org";
repo = pname;
rev = version;
sha256 = "0n86cdpw85qzlcr1ynvar0f0zbphmdz1jia9r75lmj07iw4r5hk9";
sha256 = "11dfv5b2slqybisq6npmrqxrzslh4bjs4093vrc05s94046d9d9n";
};
patches = [
# accept newer matrix-nio versions
(fetchpatch {
url = "https://github.com/matrix-org/pantalaimon/commit/73f68c76fb05037bd7fe71688ce39eb1f526a385.patch";
sha256 = "0wvqcfan8yp67p6khsqkynbkifksp2422b9jy511mvhpy51sqykl";
})
];
propagatedBuildInputs = [
aiohttp
appdirs


@ -1,10 +1,11 @@
{ lib, stdenv, fetchurl, boost, zlib, botan, libidn
, lua, pcre, sqlite, perl, pkg-config, expect
{ lib, stdenv, fetchurl, fetchFromGitHub, boost, zlib, botan2, libidn
, lua, pcre, sqlite, perl, pkg-config, expect, less
, bzip2, gmp, openssl
, autoreconfHook, texinfo
}:
let
version = "1.1";
version = "1.1-unstable-2021-05-01";
perlVersion = lib.getVersion perl;
in
@ -14,22 +15,41 @@ stdenv.mkDerivation rec {
pname = "monotone";
inherit version;
src = fetchurl {
url = "http://monotone.ca/downloads/${version}/monotone-${version}.tar.bz2";
sha256 = "124cwgi2q86hagslbk5idxbs9j896rfjzryhr6z63r6l485gcp7r";
# src = fetchurl {
# url = "http://monotone.ca/downloads/${version}/monotone-${version}.tar.bz2";
# sha256 = "124cwgi2q86hagslbk5idxbs9j896rfjzryhr6z63r6l485gcp7r";
# };
# My mirror of upstream Monotone repository
# Could fetchmtn, but circular dependency; snapshot requested
# https://lists.nongnu.org/archive/html/monotone-devel/2021-05/msg00000.html
src = fetchFromGitHub {
owner = "7c6f434c";
repo = "monotone-mirror";
rev = "b30b0e1c16def043d2dad57d1467d5bfdecdb070";
hash = "sha256:1hfy8vaap3184cd7h3qhz0da7c992idkc6q2nz9frhma45c5vgmd";
};
patches = [ ./monotone-1.1-Adapt-to-changes-in-pcre-8.42.patch ];
nativeBuildInputs = [ pkg-config ];
buildInputs = [ boost zlib botan libidn lua pcre sqlite expect
openssl gmp bzip2 ];
postPatch = ''
sed -e 's@/usr/bin/less@${less}/bin/less@' -i src/unix/terminal.cc
'';
nativeBuildInputs = [ pkg-config autoreconfHook texinfo ];
buildInputs = [ boost zlib botan2 libidn lua pcre sqlite expect
openssl gmp bzip2 perl ];
postInstall = ''
mkdir -p $out/share/${pname}-${version}
cp -rv contrib/ $out/share/${pname}-${version}/contrib
mkdir -p $out/${perl.libPrefix}/${perlVersion}
cp -v contrib/Monotone.pm $out/${perl.libPrefix}/${perlVersion}
patchShebangs "$out/share/monotone"
patchShebangs "$out/share/${pname}-${version}"
find "$out"/share/{doc/monotone,${pname}-${version}}/contrib/ -type f | xargs sed -e 's@! */usr/bin/@!/usr/bin/env @; s@! */bin/bash@!/usr/bin/env bash@' -i
'';
#doCheck = true; # some tests fail (and they take VERY long)
@ -38,6 +58,6 @@ stdenv.mkDerivation rec {
description = "A free distributed version control system";
maintainers = [ maintainers.raskin ];
platforms = platforms.unix;
license = licenses.gpl2;
license = licenses.gpl2Plus;
};
}
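Review bot: The commented-out `fetchurl` block at lines 208–211 is dead code; either drop it or replace it with a one-line comment stating the intent, e.g. `# Upstream release tarballs from monotone.ca are superseded by the mirror snapshot below until a new release is cut.`. The replacement source at lines 215–219 is a personal mirror of the upstream repository, pinned to a commit and a content hash, which keeps the fetch reproducible; recording in the comment at lines 212–214 which upstream revision the snapshot corresponds to would let a reviewer verify it against the original repository. The `postInstall` script and the derivation's `meta` set continue outside the hunks.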


@ -20,4 +20,15 @@ in {
# Fix broken symlinks in the Xfce background directory.
patches = [ ./f33-fix-xfce-path.patch ];
};
f34 = fedoraBackground rec {
version = "34.0.1";
src = fetchurl {
url = "https://github.com/fedoradesign/backgrounds/releases/download/v${version}/f${lib.versions.major version}-backgrounds-${version}.tar.xz";
hash = "sha256-0gotgQ4N0yE8WZbsu7B3jmUIZrycbqjEMxZl01JcJj4=";
};
# Fix broken symlinks in the Xfce background directory.
patches = [ ./f34-fix-xfce-path.patch ];
};
}


@ -0,0 +1,13 @@
diff --git a/default/Makefile b/default/Makefile
index 172d5d9..540a1c0 100644
--- a/default/Makefile
+++ b/default/Makefile
@@ -1,7 +1,7 @@
WP_NAME=f34
WP_BIGNAME=F34
WP_DIR=$(DESTDIR)/usr/share/backgrounds/$(WP_NAME)
-WP_DIR_LN=/usr/share/backgrounds/$(WP_NAME)
+WP_DIR_LN=$(DESTDIR)/usr/share/backgrounds/$(WP_NAME)
GNOME_BG_DIR=$(DESTDIR)/usr/share/gnome-background-properties
KDE_BG_DIR=$(DESTDIR)/usr/share/wallpapers
MATE_BG_DIR=$(DESTDIR)/usr/share/mate-background-properties


@ -1,16 +1,16 @@
{ lib, fetchPypi, buildPythonPackage, pythonOlder, aiohttp, attrs }:
{ lib, fetchPypi, buildPythonPackage, pythonOlder, aiohttp, python-socks, attrs }:
buildPythonPackage rec {
pname = "aiohttp-socks";
version = "0.3.9";
version = "0.6.0";
src = fetchPypi {
inherit version;
pname = "aiohttp_socks";
sha256 = "1mn2ng66951mri49f99zh3660j83kvqhr6dpx90s9fkjwk83hmjy";
sha256 = "04w010bvi719ifpc3sshav95k10hf9nq8czn9yglkj206yxcypdr";
};
propagatedBuildInputs = [ aiohttp attrs ];
propagatedBuildInputs = [ aiohttp attrs python-socks ];
# Checks needs internet access
doCheck = false;


@ -2,9 +2,11 @@
, buildPythonPackage
, fetchFromGitHub
, git
, poetry-core
, attrs
, future
, aiohttp
, aiohttp-socks
, aiofiles
, h11
, h2
@ -16,27 +18,37 @@
, peewee
, cachetools
, atomicwrites
, pytestCheckHook
, faker
, aioresponses
, hypothesis
, pytest-aiohttp
, pytest-benchmark
}:
buildPythonPackage rec {
pname = "matrix-nio";
version = "0.15.2";
version = "0.18.0";
format = "pyproject";
src = fetchFromGitHub {
owner = "poljar";
repo = "matrix-nio";
rev = version;
sha256 = "190xw3cvk4amr9pl8ip2i7k3xdjd0231kn2zl6chny5axx22p1dv";
sha256 = "1rn5lz81y4bvgjhxzd57qhr0lmkm5xljl4bj9w10lnm4f7ls0xdi";
};
nativeBuildInputs = [
git
poetry-core
pytestCheckHook
];
propagatedBuildInputs = [
attrs
future
aiohttp
aiohttp-socks
aiofiles
h11
h2
@ -50,7 +62,20 @@ buildPythonPackage rec {
atomicwrites
];
doCheck = false;
checkInputs = [
faker
aioresponses
hypothesis
pytest-aiohttp
pytest-benchmark
];
disabledTests = [
# touches network
"test_connect_wrapper"
# time dependent and flaky
"test_transfer_monitor_callbacks"
];
meta = with lib; {
description = "A Python Matrix client library, designed according to sans I/O principles";
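Review bot: `git` in `nativeBuildInputs` at line 342 has no comment saying which build step needs it, so a later maintainer cannot tell whether it can be dropped; presumably some part of the pyproject build shells out to it, so add a comment like `# needed at build time by <build step> — TODO confirm`. The `disabledTests` entries at lines 365–370 are annotated with their reasons, which is the right pattern to follow here. The `meta` set continues outside the hunk.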


@ -1,21 +1,45 @@
{ lib, isPy27, buildPythonPackage, fetchPypi, scikitlearn }:
{ lib
, isPy27
, buildPythonPackage
, fetchFromGitHub
, fetchpatch
, scikitlearn
, pytestCheckHook
, pytest-randomly
}:
buildPythonPackage rec {
pname = "mlrose";
version = "1.3.0";
disabled = isPy27;
src = fetchPypi {
inherit pname version;
sha256 = "cec83253bf6da67a7fb32b2c9ae13e9dbc6cfbcaae2aa3107993e69e9788f15e";
src = fetchFromGitHub {
owner = "gkhayes";
repo = "mlrose";
rev = "v${version}";
sha256 = "1dn43k3rcypj58ymcj849b37w66jz7fphw8842v6mlbij3x0rxfl";
};
patches = [
# Fixes compatibility with scikit-learn 0.24.1
(fetchpatch {
url = "https://github.com/gkhayes/mlrose/pull/55/commits/19caf8616fc194402678aa67917db334ad02852a.patch";
sha256 = "1nivz3bn21nd21bxbcl16a6jmy7y5j8ilz90cjmd0xq4v7flsahf";
})
];
propagatedBuildInputs = [ scikitlearn ];
checkInputs = [ pytest-randomly pytestCheckHook ];
postPatch = ''
sed -i 's,sklearn,scikit-learn,g' setup.py
substituteInPlace setup.py --replace sklearn scikit-learn
'';
pythonImportsCheck = [ "mlrose" ];
# Fix random seed during tests
pytestFlagsArray = [ "--randomly-seed 0" ];
meta = with lib; {
description = "Machine Learning, Randomized Optimization and SEarch";
homepage = "https://github.com/gkhayes/mlrose";
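Review bot: `pytestFlagsArray = [ "--randomly-seed 0" ]` at line 415 puts the option and its value into a single list element, which appears to work only because the check hook currently expands the array through the shell; a hook that passes elements as separate arguments would hand pytest one unrecognised argument. Writing it as `pytestFlagsArray = [ "--randomly-seed=0" ];` is correct under both behaviours. The `meta` set continues outside the hunk.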


@ -1,16 +1,16 @@
{ lib
, fetchFromGitHub
}: rec {
version = "3.0.0";
version = "3.0.1";
src = fetchFromGitHub {
owner = "openrazer";
repo = "openrazer";
rev = "v${version}";
sha256 = "sha256-gw6Qt9BntPcF3zw19PXftDbhoCeBr8hwrujy51rb5Fc=";
sha256 = "sha256-ptB0jP0kp1Liynkfz0B0OMw6xNQG1s8IvxhgNAdEytM=";
};
meta = with lib; {
homepage = "https://openrazer.github.io/";
license = licenses.gpl2;
license = licenses.gpl2Only;
maintainers = with maintainers; [ roelvandijk evanjs ];
platforms = platforms.linux;
};


@ -12,14 +12,14 @@
buildPythonPackage rec {
pname = "peewee";
version = "3.13.3";
version = "3.14.4";
# pypi release does not provide tests
src = fetchFromGitHub {
owner = "coleifer";
repo = pname;
rev = version;
sha256 = "1r67hxb9m6v0xbnbqfnsw6dahmdr94pf81b4x51jfw6x9sa4izi4";
sha256 = "0x85swpaffysc05kka0mab87cnilzw1lpacfhcx5ayabh0i2qsh6";
};


@ -30,7 +30,11 @@ buildPythonPackage rec {
mock
];
checkPhase = "nosetests";
postPatch = ''
substituteInPlace setup.py --replace "xlrd<2" "xlrd<3"
'';
checkPhase = "nosetests --exclude test_issue_151";
meta = {
description = "A wrapper library to read, manipulate and write data in xls using xlrd and xlwt";
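Review bot: `checkPhase = "nosetests --exclude test_issue_151"` at line 468 disables a test without recording why, and the loosened constraint at line 466 (`xlrd<2` to `xlrd<3`) is likewise unexplained. A comment above `checkPhase`, such as `# test_issue_151 fails with the newer xlrd — TODO confirm and link the upstream issue`, gives the next maintainer a reason to revisit the exclusion. The `meta` set continues outside the hunk.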


@ -0,0 +1,22 @@
{ lib, buildPythonPackage, trio, curio, async-timeout, fetchPypi, pythonOlder }:
buildPythonPackage rec {
pname = "python-socks";
version = "1.2.4";
src = fetchPypi {
inherit pname version;
sha256 = "1n6xb18jy41ybgkmamakg6psp3qididd45qknxiggngaiibz43kx";
};
disabled = pythonOlder "3.6.1";
propagatedBuildInputs = [ trio curio async-timeout ];
meta = with lib; {
description = "Core proxy client (SOCKS4, SOCKS5, HTTP) functionality for Python";
homepage = "https://github.com/romis2012/python-socks";
license = licenses.asl20;
maintainers = with maintainers; [ mjlbach ];
};
}
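Review bot: The new package defines neither a test configuration nor a `pythonImportsCheck`, so a broken install would only surface through its consumers (aiohttp-socks and matrix-nio in this same commit). Adding `pythonImportsCheck = [ "python_socks" ];` is a cheap sanity check, and a comment stating whether upstream ships tests would document why `checkInputs` is absent.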


@ -1,19 +1,25 @@
{ lib
, buildPythonPackage
, fetchFromGitHub
, poetry-core
}:
buildPythonPackage rec {
pname = "unpaddedbase64";
version = "1.1.0";
version = "2.1.0";
format = "pyproject";
src = fetchFromGitHub {
owner = "matrix-org";
repo = "python-${pname}";
rev = "refs/tags/v${version}";
sha256 = "0if3fjfxga0bwdq47v77fs9hrcqpmwdxry2i2a7pdqsp95258nxd";
sha256 = "1n6har8pxv0mqb96lanzihp1xf76aa17jw3977drb1fgz947pnmz";
};
nativeBuildInputs = [
poetry-core
];
meta = with lib; {
homepage = "https://github.com/matrix-org/python-unpaddedbase64";
description = "Unpadded Base64";


@ -10,7 +10,8 @@ let
common = import ../../../development/python-modules/openrazer/common.nix { inherit lib fetchFromGitHub; };
in
stdenv.mkDerivation (common // {
name = "openrazer-${common.version}-${kernel.version}";
pname = "openrazer";
version = "${common.version}-${kernel.version}";
nativeBuildInputs = kernel.moduleBuildDependencies;
@ -19,6 +20,8 @@ stdenv.mkDerivation (common // {
];
installPhase = ''
runHook preInstall
binDir="$out/lib/modules/${kernel.modDirVersion}/kernel/drivers/hid"
mkdir -p "$binDir"
cp -v driver/*.ko "$binDir"
@ -32,9 +35,12 @@ stdenv.mkDerivation (common // {
--replace /usr/bin/logger ${util-linux}/bin/logger \
--replace chgrp ${coreutils}/bin/chgrp \
--replace "PATH='/sbin:/bin:/usr/sbin:/usr/bin'" ""
runHook postInstall
'';
meta = common.meta // {
description = "An entirely open source Linux driver that allows you to manage your Razer peripherals on GNU/Linux";
broken = kernel.kernelOlder "4.19";
};
})


@ -12,13 +12,13 @@
stdenv.mkDerivation rec {
pname = "ddccontrol";
version = "0.5.1";
version = "0.5.2";
src = fetchFromGitHub {
owner = "ddccontrol";
repo = "ddccontrol";
rev = "0.5.1";
sha256 = "sha256-e6Rzzz5S+Um2ZBuUkfAJQA4V+zqCqsUHB0f1t/dTU2w=";
rev = "0.5.2";
sha256 = "sha256-kul0sjbwbCwadvrccG3KwL/fKWACFUg74QGvgfWE4FQ=";
};
nativeBuildInputs = [


@ -2,16 +2,16 @@
rustPlatform.buildRustPackage rec {
pname = "fselect";
version = "0.7.4";
version = "0.7.5";
src = fetchFromGitHub {
owner = "jhspetersson";
repo = "fselect";
rev = version;
sha256 = "sha256-gwFX5c5y4bL+KhPDnvCbDco1ORYyqZYFsetMrmOATZU=";
sha256 = "sha256-6/mcGq6qKYmcBcNndYYJB3rnHr6ZVpEcVjJBz7NEJEw=";
};
cargoSha256 = "sha256-gWCiaAgb7hBenbp1kogCoB6vctYfDZccRW9li2yxJaU=";
cargoSha256 = "sha256-W6YmFsTlU3LD3tvhLuA/3k/269gR2RLLOo86BQC5x98=";
nativeBuildInputs = [ installShellFiles ];
buildInputs = lib.optional stdenv.isDarwin libiconv;


@ -2,16 +2,16 @@
buildGoModule rec {
pname = "clash";
version = "1.5.0";
version = "1.6.0";
src = fetchFromGitHub {
owner = "Dreamacro";
repo = pname;
rev = "v${version}";
sha256 = "sha256-I4qpcHsN8WGt7YLNXO08BJypilhMSVmZjqECDjlEqXU=";
sha256 = "sha256-XG/nci8Sj0vfa/SFPpJwl1Zmt/23LfKxocejplZtS0E=";
};
vendorSha256 = "sha256-Nfzk7p52msGxTPDbs4g9KuRPFxp4Npt0QXkdVOZvipc=";
vendorSha256 = "sha256-WR1CpjEMHRkpd0/iqrOm0oVXvyQO+r6GyeP0L0zx8aA=";
doCheck = false;


@ -24755,7 +24755,6 @@ in
monotone = callPackage ../applications/version-management/monotone {
lua = lua5;
botan = botan.override (x: { openssl = null; });
};
monotoneViz = callPackage ../applications/version-management/monotone-viz {


@ -6676,6 +6676,8 @@ in {
python-socketio_4 = callPackage ../development/python-modules/python-socketio/4.nix { };
python-socks = callPackage ../development/python-modules/python-socks { };
python-sql = callPackage ../development/python-modules/python-sql { };
python-stdnum = callPackage ../development/python-modules/python-stdnum { };