Merge master into haskell-updates

github-actions[bot] 2024-08-02 00:14:04 +00:00 committed by GitHub
commit d3651f9b43
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
294 changed files with 10174 additions and 5009 deletions


@ -15,6 +15,7 @@ permissions:
jobs:
tests:
name: basic-eval-checks
runs-on: ubuntu-latest
# we don't limit this action to only NixOS repo since the checks are cheap and useful developer feedback
steps:


@ -27,6 +27,7 @@ permissions: {}
jobs:
check:
name: pkgs-by-name-check
# This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases
runs-on: ubuntu-latest
# This should take 1 minute at most, but let's be generous.


@ -10,6 +10,7 @@ permissions: {}
jobs:
check:
name: cherry-pick-check
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS'
steps:


@ -9,6 +9,7 @@ permissions:
jobs:
nixos:
name: maintainer-list-check
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS'
steps:


@ -14,6 +14,7 @@ permissions:
jobs:
nixos:
name: nixfmt-check
runs-on: ubuntu-latest
if: "!contains(github.event.pull_request.title, '[skip treewide]')"
steps:


@ -8,6 +8,7 @@ permissions:
jobs:
nixos:
name: exp-nixf-tidy-check
runs-on: ubuntu-latest
if: "!contains(github.event.pull_request.title, '[skip treewide]')"
steps:


@ -7,6 +7,7 @@ permissions: {}
jobs:
x86_64-linux:
name: shell-check-x86_64-linux
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
@ -18,6 +19,7 @@ jobs:
run: nix-build shell.nix
aarch64-darwin:
name: shell-check-aarch64-darwin
runs-on: macos-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7


@ -10,6 +10,7 @@ on:
jobs:
tests:
name: editorconfig-check
runs-on: ubuntu-latest
if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
steps:


@ -15,6 +15,7 @@ permissions:
jobs:
labels:
name: label-pr
runs-on: ubuntu-latest
if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
steps:


@ -11,6 +11,7 @@ on:
jobs:
nixos:
name: nixos-manual-build
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS'
steps:


@ -13,6 +13,7 @@ on:
jobs:
nixpkgs:
name: nixpkgs-manual-build
runs-on: ubuntu-latest
if: github.repository_owner == 'NixOS'
steps:


@ -10,6 +10,7 @@ on:
jobs:
tests:
name: nix-files-parseable-check
runs-on: ubuntu-latest
if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
steps:


@ -16,6 +16,7 @@ permissions:
jobs:
action:
name: set-ofborg-pending
if: github.repository_owner == 'NixOS'
permissions:
statuses: write


@ -8435,6 +8435,12 @@
githubId = 19296926;
keys = [ { fingerprint = "DF12 23B1 A9FD C5BE 3DA5 B6F7 904A F1C7 CDF6 95C3"; } ];
};
hxtmdev = {
email = "daniel@hxtm.dev";
name = "Daniel Höxtermann";
github = "hxtmdev";
githubId = 7771007;
};
hypersw = {
email = "baltic@hypersw.net";
github = "hypersw";


@ -12,6 +12,7 @@ let
concatStringsSep
const
elem
elemAt
filter
filterAttrs
flatten
@ -21,11 +22,14 @@ let
isFloat
isList
isPath
isString
length
makeBinPath
makeSearchPathOutput
mapAttrs
mapAttrsToList
mapNullable
match
mkAfter
mkIf
optional
@ -101,6 +105,8 @@ in rec {
optional (attr ? ${name} && ! isByteFormat attr.${name})
"Systemd ${group} field `${name}' must be in byte format [0-9]+[KMGT].";
toIntBaseDetected = value: assert (match "[0-9]+|0x[0-9a-fA-F]+" value) != null; (builtins.fromTOML "v=${value}").v;
hexChars = stringToCharacters "0123456789abcdefABCDEF";
isMacAddress = s: stringLength s == 17
@ -156,6 +162,23 @@ in rec {
optional (attr ? ${name} && !(((isInt attr.${name} || isFloat attr.${name}) && min <= attr.${name} && max >= attr.${name}) || elem attr.${name} values))
"Systemd ${group} field `${name}' is not a value in range [${toString min},${toString max}], or one of ${toString values}";
assertRangeWithOptionalMask = name: min: max: group: attr:
if (attr ? ${name}) then
if isInt attr.${name} then
assertRange name min max group attr
else if isString attr.${name} then
let
fields = match "([0-9]+|0x[0-9a-fA-F]+)(/([0-9]+|0x[0-9a-fA-F]+))?" attr.${name};
in if fields == null then ["Systemd ${group} field `${name}' must either be an integer or two integers separated by a slash (/)."]
else let
value = toIntBaseDetected (elemAt fields 0);
mask = mapNullable toIntBaseDetected (elemAt fields 2);
in
optional (!(min <= value && max >= value)) "Systemd ${group} field `${name}' has main value outside the range [${toString min},${toString max}]."
++ optional (mask != null && !(min <= mask && max >= mask)) "Systemd ${group} field `${name}' has mask outside the range [${toString min},${toString max}]."
else ["Systemd ${group} field `${name}' must either be an integer or a string."]
else [];
assertMinimum = name: min: group: attr:
optional (attr ? ${name} && attr.${name} < min)
"Systemd ${group} field `${name}' must be greater than or equal to ${toString min}";


@ -16,6 +16,7 @@ let
set -g default-terminal "${cfg.terminal}"
set -g base-index ${toString cfg.baseIndex}
setw -g pane-base-index ${toString cfg.baseIndex}
set -g history-limit ${toString cfg.historyLimit}
${optionalString cfg.newSession "new-session"}
@ -50,7 +51,6 @@ let
setw -g aggressive-resize ${boolToStr cfg.aggressiveResize}
setw -g clock-mode-style ${if cfg.clock24 then "24" else "12"}
set -s escape-time ${toString cfg.escapeTime}
set -g history-limit ${toString cfg.historyLimit}
${cfg.extraConfigBeforePlugins}
@ -230,4 +230,6 @@ in {
imports = [
(lib.mkRenamedOptionModule [ "programs" "tmux" "extraTmuxConf" ] [ "programs" "tmux" "extraConfig" ])
];
meta.maintainers = with lib.maintainers; [ hxtmdev ];
}


@ -489,6 +489,18 @@ let
package = mkPackageOption pkgs.plasma5Packages "kwallet-pam" {
pkgsText = "pkgs.plasma5Packages";
};
forceRun = mkEnableOption null // {
description = ''
The `force_run` option is used to tell the PAM module for KWallet
to forcefully run even if no graphical session (such as a GUI
display manager) is detected. This is useful for when you are
starting an X Session or a Wayland Session from a TTY. If you
intend to log-in from a TTY, it is recommended that you enable
this option **and** ensure that `plasma-kwallet-pam.service` is
started by `graphical-session.target`.
'';
};
};
sssdStrictAccess = mkOption {
@ -861,7 +873,7 @@ let
order = "user,group,default";
debug = true;
}; }
{ name = "kwallet"; enable = cfg.kwallet.enable; control = "optional"; modulePath = "${cfg.kwallet.package}/lib/security/pam_kwallet5.so"; }
{ name = "kwallet"; enable = cfg.kwallet.enable; control = "optional"; modulePath = "${cfg.kwallet.package}/lib/security/pam_kwallet5.so"; settings = lib.mkIf cfg.kwallet.forceRun { force_run = true; }; }
{ name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so"; settings = {
auto_start = true;
}; }
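Review bot: The `forceRun` description says when to enable the option but not what it changes: `force_run` is passed to `pam_kwallet5.so` wherever `cfg.kwallet.enable` is set, so the module also runs for logins that have no graphical session. I would add one sentence to the description stating that, since it presumably means the wallet is opened with the login password on those logins as well (not visible here, please confirm against the module's behaviour). As a style point, `mkEnableOption null // { description = … }` reads oddly; a plain `lib.mkOption { type = lib.types.bool; default = false; … }` says the same thing without the dummy name. Both the option set and the rule list continue outside the hunks.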


@ -66,7 +66,7 @@ in
services.forgejo = {
enable = mkEnableOption "Forgejo, a software forge";
package = mkPackageOption pkgs "forgejo" { };
package = mkPackageOption pkgs "forgejo-lts" { };
useWizard = mkOption {
default = false;
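Review bot: Switching the default of `services.forgejo.package` from `forgejo` to `forgejo-lts` changes the package for every existing configuration that never set the option. If the LTS attribute is older than the `forgejo` a host already ran, the service would start an older binary against a database that the newer one has migrated; this section shows no `system.stateVersion` guard, and a release note, if there is one, is not visible here. I would either gate the default on `stateVersion` or document the switch with the advice to pin `package = pkgs.forgejo` before upgrading. The option block continues outside the hunk.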


@ -14,7 +14,7 @@ in
{
options.services.deconz = {
enable = lib.mkEnableOption "deCONZ, a Zigbee gateway for use with ConBee hardware (https://phoscon.de/en/conbee2)";
enable = lib.mkEnableOption "deCONZ, a Zigbee gateway for use with ConBee/RaspBee hardware (https://phoscon.de/)";
package = lib.mkOption {
type = lib.types.package;


@ -139,9 +139,9 @@ let
$0 = substr($0, 1, i-1) repl substr($0, i+length(find))
}
print
}' "${configFile}" > "${finalConfig}"
}' "${configFile}" > ${finalConfig}
else
touch "${finalConfig}"
touch ${finalConfig}
fi
iface_args="-s ${optionalString cfg.dbusControlled "-u"} -D${cfg.driver} ${configStr}"
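Review bot: The redirect target and the `touch` argument are now unquoted (`> ${finalConfig}`, `touch ${finalConfig}`), assuming the unquoted pair is the new side. That is only safe if `finalConfig` is itself a shell fragment that carries its own quoting, and its definition is outside the hunk. A comment at that definition, e.g. `# shell expression that is already quoted; do not wrap it in quotes at use sites`, would stop the next editor from changing the quoting again. If the values substituted by the awk step are secrets, it is also worth confirming that the directory this file lands in is not world-readable.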


@ -86,8 +86,8 @@ let
# `cfg.podConfig` to prevent confusing situtions where the
# values are rewritten on server reboot
''
substituteInPlace ${appDir}/app/widgets/AdminMain/adminmain.tpl \
--replace-warn 'name="${k}"' 'name="${k}" disabled'
substituteInPlace ${appDir}/app/Widgets/AdminMain/adminmain.tpl \
--replace-warn 'name="${k}"' 'name="${k}" readonly'
'')
[ ]
cfg.podConfig));
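Review bot: `--replace-warn` only prints a warning when the pattern is not found, so if the template moves or changes again (this hunk already has to follow a rename from `app/widgets` to `app/Widgets`), the inputs for `cfg.podConfig` keys silently stay editable in the admin page. `--replace-fail` would turn that into a build failure. Note also that `readonly` inputs, unlike `disabled` ones, are still submitted with the form, so the marker is a UI hint only; the comment above could state that the values from `cfg.podConfig` are what gets written back on restart. The enclosing expression continues outside the hunk.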


@ -249,7 +249,7 @@ in
};
host = mkOption {
type = with types; nullOr types.path;
type = with types; nullOr path;
default = if cfg.settings.database.backend == "postgresql" then "/run/postgresql" else null;
defaultText = literalExpression ''
if config.services.pretix.settings..database.backend == "postgresql" then "/run/postgresql"
@ -535,7 +535,7 @@ in
fi
'';
serviceConfig = {
TimeoutStartSec = "5min";
TimeoutStartSec = "15min";
ExecStart = "${getExe' pythonEnv "gunicorn"} --bind unix:/run/pretix/pretix.sock ${cfg.gunicorn.extraArgs} pretix.wsgi";
RuntimeDirectory = "pretix";
};
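Review bot: The `defaultText` next to the changed `type` line still reads `config.services.pretix.settings..database.backend` with a doubled dot, so the rendered option documentation shows an invalid attribute path. Since the hunk already touches this option, I would fix it to `config.services.pretix.settings.database.backend`. The `defaultText` string continues past the end of the first hunk.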


@ -2,17 +2,13 @@
cfg = config.services.sogo;
preStart = pkgs.writeShellScriptBin "sogo-prestart" ''
touch /etc/sogo/sogo.conf
chown sogo:sogo /etc/sogo/sogo.conf
chmod 640 /etc/sogo/sogo.conf
${if (cfg.configReplaces != {}) then ''
# Insert secrets
${concatStringsSep "\n" (mapAttrsToList (k: v: ''export ${k}="$(cat "${v}" | tr -d '\n')"'') cfg.configReplaces)}
${pkgs.perl}/bin/perl -p ${concatStringsSep " " (mapAttrsToList (k: v: '' -e 's/${k}/''${ENV{"${k}"}}/g;' '') cfg.configReplaces)} /etc/sogo/sogo.conf.raw > /etc/sogo/sogo.conf
${pkgs.perl}/bin/perl -p ${concatStringsSep " " (mapAttrsToList (k: v: '' -e 's/${k}/''${ENV{"${k}"}}/g;' '') cfg.configReplaces)} /etc/sogo/sogo.conf.raw | install -m 640 -o sogo -g sogo /dev/stdin /etc/sogo/sogo.conf
'' else ''
cp /etc/sogo/sogo.conf.raw /etc/sogo/sogo.conf
install -m 640 -o sogo -g sogo /etc/sogo/sogo.conf.raw /etc/sogo/sogo.conf
''}
'';
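Review bot: The new pipeline `perl … | install -m 640 -o sogo -g sogo /dev/stdin /etc/sogo/sogo.conf` hides a failing `perl`: the script shows no `set -o pipefail`, so the pipeline's exit status is that of `install`, which will write an empty or partial `sogo.conf` and report success. With the old redirect the status of `perl` was at least the status of that command. I would add `set -o pipefail` as the first line of the script so that a failed substitution stops the unit instead of starting SOGo with a truncated config. Writing the file with its final owner and mode in one `install` call is otherwise fine.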


@ -778,8 +778,7 @@ let
])
(assertInt "TypeOfService")
(assertRange "TypeOfService" 0 255)
(assertInt "FirewallMark")
(assertRange "FirewallMark" 1 4294967295)
(assertRangeWithOptionalMask "FirewallMark" 1 4294967295)
(assertInt "Priority")
(assertPortOrPortRange "SourcePort")
(assertPortOrPortRange "DestinationPort")
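Review bot: `FirewallMark` now goes through `assertRangeWithOptionalMask`, and the `toIntBaseDetected` helper added with it in this commit accepts decimal strings with leading zeros: its guard `match "[0-9]+|0x[0-9a-fA-F]+"` passes for a value like `"010"`, which is then handed to `builtins.fromTOML`. As far as I know TOML rejects leading zeros in decimal integers, so such a value would abort evaluation with a parser error instead of producing the module's own assertion message. Tightening the decimal alternative to `0|[1-9][0-9]*` in both patterns (the helper and the `fields` match) would keep the failure inside the assertion list. The surrounding list of checks continues outside the hunk.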


@ -342,7 +342,8 @@ in {
fluentd = handleTest ./fluentd.nix {};
fluidd = handleTest ./fluidd.nix {};
fontconfig-default-fonts = handleTest ./fontconfig-default-fonts.nix {};
forgejo = handleTest ./forgejo.nix { };
forgejo = handleTest ./forgejo.nix { forgejoPackage = pkgs.forgejo; };
forgejo-lts = handleTest ./forgejo.nix { forgejoPackage = pkgs.forgejo-lts; };
freenet = handleTest ./freenet.nix {};
freeswitch = handleTest ./freeswitch.nix {};
freetube = discoverTests (import ./freetube.nix);


@ -1,6 +1,7 @@
{ system ? builtins.currentSystem
, config ? { }
, pkgs ? import ../.. { inherit system config; }
, forgejoPackage ? pkgs.forgejo
}:
with import ../lib/testing-python.nix { inherit system pkgs; };
@ -53,6 +54,7 @@ let
virtualisation.memorySize = 2047;
services.forgejo = {
enable = true;
package = forgejoPackage;
database = { inherit type; };
settings.service.DISABLE_REGISTRATION = true;
settings."repository.signing".SIGNING_KEY = signingPrivateKeyId;
@ -145,7 +147,7 @@ let
assert "BEGIN PGP PUBLIC KEY BLOCK" in server.succeed("curl http://localhost:3000/api/v1/signing-key.gpg")
api_version = json.loads(server.succeed("curl http://localhost:3000/api/forgejo/v1/version")).get("version")
assert "development" != api_version and "${pkgs.forgejo.version}+gitea-" in api_version, (
assert "development" != api_version and "${forgejoPackage.version}+gitea-" in api_version, (
"/api/forgejo/v1/version should not return 'development' "
+ f"but should contain a forgejo+gitea compatibility version string. Got '{api_version}' instead."
)


@ -57,6 +57,8 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
{ Table = 30; From = "192.168.1.1"; To = "192.168.1.2"; SourcePort = 666 ; DestinationPort = 667; }
{ Table = 40; IPProtocol = "tcp"; InvertRule = true; }
{ Table = 50; IncomingInterface = "eth1"; Family = "ipv4"; }
{ Table = 60; FirewallMark = 4; }
{ Table = 70; FirewallMark = "16/0x1f"; }
];
};
};
@ -119,5 +121,9 @@ testScript = ''
)
# IPProtocol + InvertRule
node1.succeed("sudo ip rule | grep 'not from all ipproto tcp lookup 40'")
# FirewallMark without a mask
node1.succeed("sudo ip rule | grep 'from all fwmark 0x4 lookup 60'")
# FirewallMark with a mask
node1.succeed("sudo ip rule | grep 'from all fwmark 0x10/0x1f lookup 70'")
'';
})


@ -8,13 +8,13 @@ stdenv.mkDerivation rec {
version = "1.2.16";
src = fetchurl {
url = "https://github.com/sadko4u/${pname}/releases/download/${version}/${pname}-src-${version}.tar.gz";
url = "https://github.com/lsp-plugins/lsp-plugins/releases/download/${version}/lsp-plugins-src-${version}.tar.gz";
sha256 = "sha256-w2BUIF44z78syLroQk2asVXA5bt9P9POiuwxpnlkc8o=";
};
outputs = [ "out" "dev" "doc" ];
nativeBuildInputs = [ pkg-config php makeWrapper ];
nativeBuildInputs = [ pkg-config (php.withExtensions (_: [])) makeWrapper ];
buildInputs = [ jack2 libsndfile libGLU libGL lv2 cairo ladspaH libXrandr ];
makeFlags = [
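Review bot: The `url` now points at the `lsp-plugins/lsp-plugins` release location while `version` and `sha256` are unchanged, so on any machine that already has the source in its store or a binary cache the fixed-output fetch is not re-run and the new URL goes untested. Please confirm once that the new location serves the byte-identical tarball, for example by rebuilding the `src` attribute with `nix-build --check`. While here, `sha256 = "sha256-…"` could become `hash = "sha256-…"`, which is the form other fetchers in this commit use.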


@ -16,13 +16,13 @@
stdenv.mkDerivation (finalAttrs: {
pname = "mympd";
version = "16.1.0";
version = "17.0.0";
src = fetchFromGitHub {
owner = "jcorporation";
repo = "myMPD";
rev = "v${finalAttrs.version}";
sha256 = "sha256-fka7FQkJKHB2L28JzN1SOtmDkJvvox9dKguuh96lVo0=";
sha256 = "sha256-/8IDwzgZzf63MvXTBP2CoC5IHi7Umr3exU1/oDdadgk=";
};
nativeBuildInputs = [


@ -2,7 +2,7 @@
let
pname = "erigon";
version = "2.60.4";
version = "2.60.5";
in
buildGoModule {
inherit pname version;
@ -11,11 +11,11 @@ buildGoModule {
owner = "ledgerwatch";
repo = pname;
rev = "v${version}";
hash = "sha256-qcBKWwF9/i9ipE70+5AG5cuhYYqDBXAlY2OWxIh4KfU=";
hash = "sha256-sI5XlPoHjAN3QsNWJXhi+qHDPVpcLqgX1hMa6gN5Iwc=";
fetchSubmodules = true;
};
vendorHash = "sha256-r8Hh0UGdUbVOx9r10ymb9bJNZvxm/MzAVA9D0BaIzJg=";
vendorHash = "sha256-2Gx3ZUq1FDGEPW4qTwK916AGVMwoIDY97rkuEzRXP1U=";
proxyVendor = true;
# Build errors in mdbx when format hardening is enabled:


@ -13,12 +13,12 @@ let
sha256Hash = "sha256-Qvi/Mc4NEk3dERlfZiowBk2Pmqsgbl5mg56HamvG7aI=";
};
betaVersion = {
version = "2024.1.2.9"; # "Android Studio Koala Feature Drop | 2024.1.2 Beta 1"
sha256Hash = "sha256-eTnpU9KrquW4nMRqde9PUmVQ05kf6kFy1yr+Ima9M50=";
version = "2024.1.2.10"; # "Android Studio Koala Feature Drop | 2024.1.2 Beta 2"
sha256Hash = "sha256-/LrHYyrOPfnSliM5XUOzENjJ+G+M1Ajw31tFAOsbfnQ=";
};
latestVersion = {
version = "2024.1.3.1"; # "Android Studio Ladybug | 2024.1.3 Canary 1"
sha256Hash = "sha256-BSrcPdkK4dU5/bV29NGKcCR10XYMJrPvC91fcJs5Vq8=";
version = "2024.1.3.3"; # "Android Studio Ladybug | 2024.1.3 Canary 3"
sha256Hash = "sha256-Ps3jMtNAdfPitFeXIFKpjSyM4si4tp4MrS3r5VURFh4=";
};
in {
# Attributes are named by their corresponding release channels


@ -49,13 +49,13 @@ in
stdenv.mkDerivation (finalAttrs: {
pname = "imagemagick";
version = "7.1.1-35";
version = "7.1.1-36";
src = fetchFromGitHub {
owner = "ImageMagick";
repo = "ImageMagick";
rev = finalAttrs.version;
hash = "sha256-ac0xvCwwH/qsdewBAO6POcPY74kBPkcnW6ywVvnegKw=";
hash = "sha256-Y/tj8IAhsCFK7Yd0MXZ8X6AOLxICyVOIaSaQveMf17k=";
};
outputs = [ "out" "dev" "doc" ]; # bin/ isn't really big


@ -1,11 +1,11 @@
{
stable = {
chromedriver = {
hash_darwin = "sha256-c/lMkOdoW/tX57opl/weJGh/iyUeTTF5Xejs7IpA+Qg=";
hash_darwin = "sha256-BW83pgPJiKxdQ1K4+8KMDGBqvR+J3i+8AZmKfnYSmWk=";
hash_darwin_aarch64 =
"sha256-sst73OxUsrs2yWA72qdonARGi/W0FYObNfolidCiXio=";
hash_linux = "sha256-p5cQmMdte7TfTPohg+rpIsyyYk1OKSNb0BwaMWmHuCo=";
version = "127.0.6533.72";
"sha256-ZGZy4VDNRXJBMLtAhRUybssWRXSfEUWVRsF+etfhdzQ=";
hash_linux = "sha256-1gM4KqzacJ13X5NmBn2hW6L/a7zN21rSZBk6a0IjCow=";
version = "127.0.6533.88";
};
deps = {
gn = {
@ -15,8 +15,8 @@
version = "2024-06-06";
};
};
hash = "sha256-m99HaGCuIihDdbVnmu6xatnC/QDxgLVby2TWY/L+RHk=";
version = "127.0.6533.72";
hash = "sha256-nZZ2yrVu+0TloMaM455bmyeoeVnfeGR3EGubAf8snNU=";
version = "127.0.6533.88";
};
ungoogled-chromium = {
deps = {
@ -27,11 +27,11 @@
version = "2024-06-06";
};
ungoogled-patches = {
hash = "sha256-IBdOV+eFJWD+kCxnhSWWjiBgMbP/DxF+gUVIIpWf4rc=";
rev = "127.0.6533.72-1";
hash = "sha256-4LfYBqFQ/e/ePaOTSFBpELt0ilo/Vohwnwp8FvkfavU=";
rev = "127.0.6533.88-1";
};
};
hash = "sha256-m99HaGCuIihDdbVnmu6xatnC/QDxgLVby2TWY/L+RHk=";
version = "127.0.6533.72";
hash = "sha256-nZZ2yrVu+0TloMaM455bmyeoeVnfeGR3EGubAf8snNU=";
version = "127.0.6533.88";
};
}


@ -7,13 +7,13 @@
buildGoModule rec {
pname = "cloudflared";
version = "2024.7.1";
version = "2024.7.3";
src = fetchFromGitHub {
owner = "cloudflare";
repo = "cloudflared";
rev = "refs/tags/${version}";
hash = "sha256-VJJN2hWmgjnBy8FhQn3c91BLx8NU3TvRgxKoanFs+GM=";
hash = "sha256-zz8xwIgGnMJjSv2XXUgsaUKXvHtXVuc2jyahrZ/yxmE=";
};
vendorHash = null;


@ -2,13 +2,13 @@
buildGoModule rec {
pname = "cilium-cli";
version = "0.16.13";
version = "0.16.14";
src = fetchFromGitHub {
owner = "cilium";
repo = pname;
rev = "v${version}";
hash = "sha256-69LDIKaAJYbxTp0qBgfnE/YG6vnyN9/HgyxEBPqFY+4=";
hash = "sha256-VYfLy0vR3ON29EHUx1R2jF61+DbxH2RUsUQXFgxjMUU=";
};
vendorHash = null;


@ -2,16 +2,16 @@
buildGoModule rec {
pname = "helm-unittest";
version = "0.5.1";
version = "0.5.2";
src = fetchFromGitHub {
owner = pname;
repo = pname;
rev = "v${version}";
hash = "sha256-YWzjv1/I+LX3AMeQenI36AsNJkZ6IzbMhM/f5/Kxs2M=";
hash = "sha256-xA0dA8q7ZDQk35VjyIsJFbm3OlagnIbJ/iz5z2KsxjU=";
};
vendorHash = "sha256-A2izHBh58yPd2XPm4GKVosPtahUtQ35GbyBdr/L13CQ=";
vendorHash = "sha256-hSnTjEvi1Lexp7wAogqeoXWDCg/bvblw0bt1/lX9iR0=";
# NOTE: Remove the install and upgrade hooks.
postPatch = ''


@ -8,16 +8,16 @@
buildGoModule rec {
pname = "helmfile";
version = "0.166.0";
version = "0.167.0";
src = fetchFromGitHub {
owner = "helmfile";
repo = "helmfile";
rev = "v${version}";
hash = "sha256-TZskvZyNihklCJB0yMFXk1bLEuhetQvJ+6uLnYiLBs0=";
hash = "sha256-a3HkpnO54NtaYhQsCXye2aWKhMq8mRj1nnevwK/4RZs=";
};
vendorHash = "sha256-Ny7r9G3Y5SuigIKkXra5Xn08QIlhzFASXGMMc+g1S/E=";
vendorHash = "sha256-2d0B/qq0uERCFgTJDxvhc2FWQ/ffODbD1Z6aFWHX0Ew=";
proxyVendor = true; # darwin/linux hash mismatch

File diff suppressed because it is too large Load Diff


@ -1,18 +1,17 @@
{
lib,
stdenv,
rustPlatform,
fetchFromGitLab,
substituteAll,
rustPlatform,
blueprint-compiler,
cargo,
desktop-file-utils,
meson,
ninja,
pkg-config,
rustc,
blueprint-compiler,
wrapGAppsHook4,
gdk-pixbuf,
glib,
clapper,
gtk4,
libadwaita,
@ -28,60 +27,46 @@
stdenv.mkDerivation (finalAttrs: {
pname = "newsflash";
version = "3.3.0";
version = "3.3.2";
src = fetchFromGitLab {
owner = "news-flash";
repo = "news_flash_gtk";
rev = "refs/tags/v.${finalAttrs.version}";
hash = "sha256-s8h/OIJJzMmsCsaQJ0SOjCAVXfYQbjOupdDtLOqM9d0=";
hash = "sha256-caINK4tmDsP7AkLUBqbM96Po7sQxFOn/CAq62K+3aoE=";
};
cargoDeps = rustPlatform.importCargoLock {
lockFile = ./Cargo.lock;
outputHashes = {
"article_scraper-2.1.0" = "sha256-0jDXH5kkX34tAWK+3hpmW1LWBsFksVgTnSuQX+XXVEM=";
"clapper-0.1.0" = "sha256-xQ7l6luO5E4PMjtN9elg0bkJa7IhWzA7KuYDJ+m/VY0=";
"news-flash-2.3.0-alpha.0" = "sha256-ZgX6tQmPDMSpLcYD04u2ReQXdzeGzQTwGaUy/y4z4do=";
"news-flash-2.3.0-alpha.0" = "sha256-+CYU2CpF2WfSVjhLtLpHjdAGoycdhdbN9UucKO9XKiA=";
"newsblur_api-0.3.0" = "sha256-m2178zdJzeskl3BQpZr6tlxTAADehxz8uYcZzi15nhQ=";
};
};
patches = [
# Post install tries to generate an icon cache & update the
# desktop database. The gtk setup hook drop-icon-theme-cache.sh
# would strip out the icon cache and the desktop database wouldn't
# be included in $out. They will generated by xdg.mime.enable &
# gtk.iconCache.enable instead.
./no-post-install.patch
# Replace placeholder "0.0.0" project version with nixpkgs version
(substituteAll {
src = ./hardcode-version.patch;
inherit (finalAttrs) version;
})
];
postPatch = ''
patchShebangs build-aux/cargo.sh
meson rewrite kwargs set project / version '${finalAttrs.version}'
'';
strictDeps = true;
nativeBuildInputs = [
blueprint-compiler
cargo
desktop-file-utils
meson
ninja
pkg-config
rustc
rustPlatform.cargoSetupHook
wrapGAppsHook4
# Provides setup hook to fix "Unrecognized image file format"
gdk-pixbuf
# Provides glib-compile-resources to compile gresources
glib
rustPlatform.cargoSetupHook
cargo
rustc
blueprint-compiler
];
buildInputs =
@ -110,15 +95,15 @@ stdenv.mkDerivation (finalAttrs: {
passthru.updateScript = gitUpdater { rev-prefix = "v."; };
meta = with lib; {
meta = {
description = "Modern feed reader designed for the GNOME desktop";
homepage = "https://gitlab.com/news-flash/news_flash_gtk";
license = licenses.gpl3Plus;
maintainers = with maintainers; [
license = lib.licenses.gpl3Plus;
maintainers = with lib.maintainers; [
kira-bruneau
stunkymonkey
];
platforms = platforms.unix;
platforms = lib.platforms.unix;
mainProgram = "io.gitlab.news_flash.NewsFlash";
};
})


@ -1,12 +0,0 @@
diff --git a/meson.build b/meson.build
index 55a5048a..1c648189 100644
--- a/meson.build
+++ b/meson.build
@@ -1,6 +1,6 @@
project(
'newsflash', 'rust',
- version: '0.0.0',
+ version: '@version@',
license: 'GPLv3',
)


@ -1,15 +0,0 @@
diff --git a/meson.build b/meson.build
index e554ddd7..55a5048a 100644
--- a/meson.build
+++ b/meson.build
@@ -56,10 +56,3 @@ meson.add_dist_script(
subdir('data')
subdir('po')
subdir('src')
-
-gnome.post_install(
- gtk_update_icon_cache: true,
- glib_compile_schemas: false,
- update_desktop_database: true,
-)
-


@ -21,11 +21,11 @@
python3.pkgs.buildPythonApplication rec {
pname = "gajim";
version = "1.9.2";
version = "1.9.3";
src = fetchurl {
url = "https://gajim.org/downloads/${lib.versions.majorMinor version}/gajim-${version}.tar.gz";
hash = "sha256-nxSYXVliK+x3RbaXxZ2MA2PZ3bX6UYyctCKNCcdqPDM=";
hash = "sha256-TxWyUDoBvscKa2ogPrFlzLC2q+5RMyMnAiOpQdpFP4M=";
};
format = "pyproject";


@ -2,22 +2,22 @@
stdenv.mkDerivation rec {
pname = "resilio-sync";
version = "2.7.3";
version = "2.8.1.1390";
src = {
x86_64-linux = fetchurl {
url = "https://download-cdn.resilio.com/${version}/linux-x64/resilio-sync_x64.tar.gz";
sha256 = "sha256-DYQs9KofHkvtlsRQHRLwQHoHwSZkr40Ih0RVAw2xv3M=";
url = "https://download-cdn.resilio.com/${version}/linux/x64/0/resilio-sync_x64.tar.gz";
sha256 = "sha256-XrfE2frDxOS32MzO7gpJEsMd0WY+b7TS0h/H94M7Py4=";
};
i686-linux = fetchurl {
url = "https://download-cdn.resilio.com/${version}/linux-i386/resilio-sync_i386.tar.gz";
sha256 = "sha256-PFKVBs0KthG4tuvooHkAciPhNQP0K8oi2LyoRUs5V7I=";
url = "https://download-cdn.resilio.com/${version}/linux/i386/0/resilio-sync_i386.tar.gz";
sha256 = "sha256-tWwb9DHLlXeyimzyo/yxVKqlkP3jlAxT2Yzs6h2bIgs=";
};
aarch64-linux = fetchurl {
url = "https://download-cdn.resilio.com/${version}/linux-arm64/resilio-sync_arm64.tar.gz";
sha256 = "sha256-o2DlYOBTkFhQMEDJySlVSNlVqLNbBzacyv2oTwxrXto=";
url = "https://download-cdn.resilio.com/${version}/linux/arm64/0/resilio-sync_arm64.tar.gz";
sha256 = "sha256-b859DqxTfnBMMeiwXlGKTQ+Mpmr2Rpg24l/GNkxSWbA=";
};
}.${stdenv.hostPlatform.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}");


@ -24,13 +24,13 @@
}:
let
version = "2.11.0";
version = "2.11.2";
src = fetchFromGitHub {
owner = "paperless-ngx";
repo = "paperless-ngx";
rev = "refs/tags/v${version}";
hash = "sha256-lKPjvWc6FcEOwDgIUW8Eki8h8C19G618o1rhXnrlw/E=";
hash = "sha256-2VmV8Z8TDacc4qZePG87ZgnBydLdm+anpmk8gFKbSLM=";
};
# subpath installation is broken with uvicorn >= 0.26


@ -28,8 +28,9 @@ stdenv.mkDerivation rec {
description = "Libraries required for the higher-level Qubes daemons and tools";
homepage = "https://qubes-os.org";
license = licenses.gpl2Plus;
maintainers = with maintainers; [ _0x4A6F ];
maintainers = [ ];
platforms = platforms.linux;
broken = true;
};
}


@ -43,7 +43,7 @@ stdenv.mkDerivation (finalAttrs: {
# but setting it to shared works even in pkgsStatic
"-Ddefault_library=shared"
(lib.strings.mesonEnable "testing" finalAttrs.doCheck)
(lib.strings.mesonEnable "testing" finalAttrs.finalPackage.doCheck)
];
nativeCheckInputs = [ python3 ];


@ -7,14 +7,14 @@
python3.pkgs.buildPythonApplication rec {
pname = "cwltool";
version = "3.1.20240508115724";
version = "3.1.20240708091337";
pyproject = true;
src = fetchFromGitHub {
owner = "common-workflow-language";
repo = "cwltool";
rev = "refs/tags/${version}";
hash = "sha256-hBP/8PIqvs820UsxrRuyMVIWgQGFVcMHCUToxhcupTk=";
hash = "sha256-Umxh8sRBy7fC6+GrcN1q4iO0KVpmUhGPtnqZZK/6c9M=";
};
postPatch = ''


@ -2,16 +2,16 @@
buildGoModule rec {
pname = "gh";
version = "2.53.0";
version = "2.54.0";
src = fetchFromGitHub {
owner = "cli";
repo = "cli";
rev = "v${version}";
hash = "sha256-nvvL1yculmjPbR7ON/sKyIFe4Z0HnukzJwPVXRHEyhQ=";
hash = "sha256-wcEQcIDr+isuwDbwbgjGsioDjxAPfosu4vuJhro91DQ=";
};
vendorHash = "sha256-GioSeZ/nyPNehjHATqiQyECjXGJ67RZvrswTMrHenJM=";
vendorHash = "sha256-JZ30OXn5XdwLhz02fZgZltLw4FIM2wTlXzRgN8mhPjQ=";
nativeBuildInputs = [ installShellFiles ];


@ -2,16 +2,16 @@
rustPlatform.buildRustPackage rec {
pname = "nixpacks";
version = "1.24.6";
version = "1.26.0";
src = fetchFromGitHub {
owner = "railwayapp";
repo = pname;
rev = "v${version}";
sha256 = "sha256-4vZgl/AmGrRFcUUIa7S5LeuroDsInDsqEQ1G4p4fxEA=";
sha256 = "sha256-w6XOSTMrjUg7q/M3a21sD2U+swmdkIUNvglgTFbufh8=";
};
cargoHash = "sha256-rO0upaiGhrUSrnt2uGAaii/ulpipV0BW5B7bv+fMBWg=";
cargoHash = "sha256-Kxz7Lw2LEC6YwycR5kj+vRIoT7Jqt2y9rLJq8ACM/0E=";
# skip test due FHS dependency
doCheck = false;


@ -1,16 +0,0 @@
tools/python/install-wrap script brakes shebangs patching, disable
diff --git a/tools/Rules.mk b/tools/Rules.mk
index 444e5bacdd..c99ea959ff 100644
--- a/tools/Rules.mk
+++ b/tools/Rules.mk
@@ -135,8 +135,7 @@ CFLAGS += $(CFLAGS-y)
CFLAGS += $(EXTRA_CFLAGS_XEN_TOOLS)
-INSTALL_PYTHON_PROG = \
- $(XEN_ROOT)/tools/python/install-wrap "$(PYTHON_PATH)" $(INSTALL_PROG)
+INSTALL_PYTHON_PROG = $(INSTALL_PROG)
%.opic: %.c
$(CC) $(CPPFLAGS) -DPIC $(CFLAGS) $(CFLAGS_$*.opic) -fPIC -c -o $@ $< $(APPEND_CFLAGS)


@ -1,19 +0,0 @@
diff -uNr a/src/Kconfig b/src/Kconfig
--- a/src/Kconfig 2015-08-31 10:15:13.231134858 +0200
+++ b/src/Kconfig 2015-08-31 10:14:24.039180178 +0200
@@ -144,13 +144,13 @@
config ATA_DMA
depends on ATA
bool "ATA DMA"
- default n
+ default y
help
Detect and try to use ATA bus mastering DMA controllers.
config ATA_PIO32
depends on ATA
bool "ATA 32bit PIO"
- default n
+ default y
help
Use 32bit PIO accesses on ATA (minor optimization on PCI transfers).
config AHCI


@ -1,42 +0,0 @@
diff --git a/xen/arch/x86/Makefile b/xen/arch/x86/Makefile
index b6567c4127..83defeee95 100644
--- a/xen/arch/x86/Makefile
+++ b/xen/arch/x86/Makefile
@@ -124,11 +124,11 @@ ifneq ($(efi-y),)
export XEN_BUILD_EFI := $(shell $(CC) $(XEN_CFLAGS) -c efi/check.c -o efi/check.o 2>/dev/null && echo y)
# Check if the linker supports PE.
EFI_LDFLAGS = $(patsubst -m%,-mi386pep,$(XEN_LDFLAGS)) --subsystem=10 --strip-debug
-XEN_BUILD_PE := $(if $(XEN_BUILD_EFI),$(shell $(LD) $(EFI_LDFLAGS) -o efi/check.efi efi/check.o 2>/dev/null && echo y))
+XEN_BUILD_PE := $(if $(XEN_BUILD_EFI),$(shell $(EFI_LD) $(EFI_LDFLAGS) -o efi/check.efi efi/check.o 2>/dev/null && echo y))
CFLAGS-$(XEN_BUILD_EFI) += -DXEN_BUILD_EFI
# Check if the linker produces fixups in PE by default (we need to disable it doing so for now).
XEN_NO_PE_FIXUPS := $(if $(XEN_BUILD_EFI), \
- $(shell $(LD) $(EFI_LDFLAGS) --disable-reloc-section -o efi/check.efi efi/check.o 2>/dev/null && \
+ $(shell $(EFI_LD) $(EFI_LDFLAGS) --disable-reloc-section -o efi/check.efi efi/check.o 2>/dev/null && \
echo --disable-reloc-section))
endif
@@ -217,20 +217,20 @@ note_file_option ?= $(note_file)
ifeq ($(XEN_BUILD_PE),y)
$(TARGET).efi: prelink-efi.o $(note_file) efi.lds efi/relocs-dummy.o efi/mkreloc
$(foreach base, $(VIRT_BASE) $(ALT_BASE), \
- $(LD) $(call EFI_LDFLAGS,$(base)) -T efi.lds -N $< efi/relocs-dummy.o \
+ $(EFI_LD) $(call EFI_LDFLAGS,$(base)) -T efi.lds -N $< efi/relocs-dummy.o \
$(BASEDIR)/common/symbols-dummy.o $(note_file_option) -o $(@D)/.$(@F).$(base).0 &&) :
efi/mkreloc $(foreach base,$(VIRT_BASE) $(ALT_BASE),$(@D)/.$(@F).$(base).0) >$(@D)/.$(@F).0r.S
$(NM) -pa --format=sysv $(@D)/.$(@F).$(VIRT_BASE).0 \
| $(BASEDIR)/tools/symbols $(all_symbols) --sysv --sort >$(@D)/.$(@F).0s.S
$(MAKE) -f $(BASEDIR)/Rules.mk $(@D)/.$(@F).0r.o $(@D)/.$(@F).0s.o
$(foreach base, $(VIRT_BASE) $(ALT_BASE), \
- $(LD) $(call EFI_LDFLAGS,$(base)) -T efi.lds -N $< \
+ $(EFI_LD) $(call EFI_LDFLAGS,$(base)) -T efi.lds -N $< \
$(@D)/.$(@F).0r.o $(@D)/.$(@F).0s.o $(note_file_option) -o $(@D)/.$(@F).$(base).1 &&) :
efi/mkreloc $(foreach base,$(VIRT_BASE) $(ALT_BASE),$(@D)/.$(@F).$(base).1) >$(@D)/.$(@F).1r.S
$(NM) -pa --format=sysv $(@D)/.$(@F).$(VIRT_BASE).1 \
| $(BASEDIR)/tools/symbols $(all_symbols) --sysv --sort >$(@D)/.$(@F).1s.S
$(MAKE) -f $(BASEDIR)/Rules.mk $(@D)/.$(@F).1r.o $(@D)/.$(@F).1s.o
- $(LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T efi.lds -N $< \
+ $(EFI_LD) $(call EFI_LDFLAGS,$(VIRT_BASE)) -T efi.lds -N $< \
$(@D)/.$(@F).1r.o $(@D)/.$(@F).1s.o $(note_file_option) -o $@
$(NM) -pa --format=sysv $(@D)/$(@F) \
| $(BASEDIR)/tools/symbols --all-symbols --xensyms --sysv --sort >$(@D)/$(@F).map


@ -1,37 +0,0 @@
EFI_MOUNTPOINT is conventionally /boot/efi or /boot/EFI or something
like that, and (on my machine) has directories within that called
{Boot, nixos, gummiboot}.
This patch does two things:
1) Xen apparently wants to put files in
$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR) - we remove the duplicate 'efi' name
because I can't see why we have it
2) Ensures the said directory exists
diff --git a/xen/Makefile b/xen/Makefile
index acb2d28891..d0763fbbe7 100644
--- a/xen/Makefile
+++ b/xen/Makefile
@@ -289,7 +289,9 @@ _install: $(TARGET)$(CONFIG_XEN_INSTALL_SUFFIX)
ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).efi; \
ln -sf $(T)-$(XEN_FULLVERSION).efi $(D)$(EFI_DIR)/$(T).efi; \
if [ -n '$(EFI_MOUNTPOINT)' -a -n '$(EFI_VENDOR)' ]; then \
- $(INSTALL_DATA) $(TARGET).efi $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi; \
+ [ -d $(D)$(EFI_MOUNTPOINT)/$(EFI_VENDOR) ] || \
+ $(INSTALL_DIR) $(D)$(EFI_MOUNTPOINT)/$(EFI_VENDOR) ;\
+ $(INSTALL_DATA) $(TARGET).efi $(D)$(EFI_MOUNTPOINT)/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi; \
elif [ "$(D)" = "$(patsubst $(shell cd $(XEN_ROOT) && pwd)/%,%,$(D))" ]; then \
echo 'EFI installation only partially done (EFI_VENDOR not set)' >&2; \
fi; \
@@ -319,7 +321,7 @@ _uninstall:
rm -f $(D)$(DEBUG_DIR)/$(T)-$(XEN_FULLVERSION).efi.map
rm -f $(D)$(EFI_DIR)/$(T)-$(XEN_VERSION).efi
rm -f $(D)$(EFI_DIR)/$(T).efi
- rm -f $(D)$(EFI_MOUNTPOINT)/efi/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi
+ rm -f $(D)$(EFI_MOUNTPOINT)/$(EFI_VENDOR)/$(T)-$(XEN_FULLVERSION).efi
.PHONY: _debug
_debug:


@ -1,183 +0,0 @@
{ lib, callPackage, fetchurl, fetchpatch, fetchgit
, ocaml-ng
, withInternalQemu ? true
, withInternalTraditionalQemu ? true
, withInternalSeabios ? true
, withSeabios ? !withInternalSeabios, seabios
, withInternalOVMF ? false # FIXME: tricky to build
, withOVMF ? false, OVMF
, withLibHVM ? false
# xen
, python3Packages
# qemu
, udev, pciutils, xorg, SDL, pixman, acl, glusterfs, spice-protocol, usbredir
, alsa-lib, glib, python3
, ... } @ args:
assert withInternalSeabios -> !withSeabios;
assert withInternalOVMF -> !withOVMF;
assert !withLibHVM;
with lib;
# Patching XEN? Check the XSAs at
# https://xenbits.xen.org/xsa/
# and try applying all the ones we don't have yet.
let
xsa = import ./xsa-patches.nix { inherit fetchpatch; };
qemuMemfdBuildFix = fetchpatch {
name = "xen-4.8-memfd-build-fix.patch";
url = "https://github.com/qemu/qemu/commit/75e5b70e6b5dcc4f2219992d7cffa462aa406af0.patch";
sha256 = "0gaz93kb33qc0jx6iphvny0yrd17i8zhcl3a9ky5ylc2idz0wiwa";
};
qemuDeps = [
udev pciutils xorg.libX11 SDL pixman acl glusterfs spice-protocol usbredir
alsa-lib glib python3
];
in
callPackage (import ./generic.nix (rec {
version = "4.15.1";
src = fetchurl {
url = "https://downloads.xenproject.org/release/xen/${version}/xen-${version}.tar.gz";
sha256 = "1rmc7gb72xwhr3h9rc3bkac41s8kjjzz45miwdq6yalyq7j7vss5";
};
# Sources needed to build tools and firmwares.
xenfiles = optionalAttrs withInternalQemu {
qemu-xen = {
src = fetchgit {
url = "https://xenbits.xen.org/git-http/qemu-xen.git";
# rev = "refs/tags/qemu-xen-${version}";
# use revision hash - reproducible but must be updated with each new version
rev = "e2af2d050338c99e8436e251ad67aafb3ebbd501";
sha256 = "sha256-gVykPtzAA7tmpe6iVvnulaW+b0jD3gwL1JXC5yeIA7M=";
};
buildInputs = qemuDeps;
postPatch = ''
# needed in build but /usr/bin/env is not available in sandbox
substituteInPlace scripts/tracetool.py \
--replace "/usr/bin/env python" "${python3}/bin/python"
'';
meta.description = "Xen's fork of upstream Qemu";
};
} // optionalAttrs withInternalTraditionalQemu {
# TODO 4.15: something happened with traditional in this release?
qemu-xen-traditional = {
src = fetchgit {
url = "https://xenbits.xen.org/git-http/qemu-xen-traditional.git";
# rev = "refs/tags/xen-${version}";
# use revision hash - reproducible but must be updated with each new version
rev = "3d273dd05e51e5a1ffba3d98c7437ee84e8f8764";
sha256 = "1dc6dhjp4y2irmi9yiyw1kzmm1habyy8j1s2zkf6qyak850krqj7";
};
buildInputs = qemuDeps;
patches = [
];
postPatch = ''
substituteInPlace xen-hooks.mak \
--replace /usr/include/pci ${pciutils}/include/pci
'';
meta.description = "Xen's fork of upstream Qemu that uses old device model";
};
} // optionalAttrs withInternalSeabios {
"firmware/seabios-dir-remote" = {
src = fetchgit {
url = "https://xenbits.xen.org/git-http/seabios.git";
rev = "155821a1990b6de78dde5f98fa5ab90e802021e0";
sha256 = "sha256-F3lzr00CMAObJtpz0eZFT/rwjFx+bvlI37/JtHXP5Eo=";
};
patches = [ ./0000-qemu-seabios-enable-ATA_DMA.patch ];
meta.description = "Xen's fork of Seabios";
};
} // optionalAttrs withInternalOVMF {
"firmware/ovmf-dir-remote" = {
src = fetchgit {
url = "https://xenbits.xen.org/git-http/ovmf.git";
rev = "a3741780fe3535e19e02efa869a7cac481891129";
sha256 = "0000000000000000000000000000000000000000000000000000";
};
meta.description = "Xen's fork of OVMF";
};
} // {
# TODO: patch Xen to make this optional?
"firmware/etherboot/ipxe.git" = {
src = fetchgit {
url = "https://git.ipxe.org/ipxe.git";
rev = "988d2c13cdf0f0b4140685af35ced70ac5b3283c";
sha256 = "1pkf1n1c0rdlzfls8fvjvi1sd9xjd9ijqlyz3wigr70ijcv6x8i9";
};
meta.description = "Xen's fork of iPXE";
};
};
configureFlags = []
++ optional (!withInternalQemu) "--with-system-qemu" # use qemu from PATH
++ optional (withInternalTraditionalQemu) "--enable-qemu-traditional"
++ optional (!withInternalTraditionalQemu) "--disable-qemu-traditional"
++ optional (withSeabios) "--with-system-seabios=${seabios}/share/seabios"
++ optional (!withInternalSeabios && !withSeabios) "--disable-seabios"
++ optional (withOVMF) "--with-system-ovmf=${OVMF.firmware}"
++ optional (withInternalOVMF) "--enable-ovmf";
NIX_CFLAGS_COMPILE = toString [
# TODO 4.15: drop unneeded ones
# Fix build on Glibc 2.24.
"-Wno-error=deprecated-declarations"
# Fix build with GCC 8
"-Wno-error=maybe-uninitialized"
"-Wno-error=stringop-truncation"
"-Wno-error=format-truncation"
"-Wno-error=array-bounds"
# Fix build with GCC 9
"-Wno-error=address-of-packed-member"
"-Wno-error=format-overflow"
"-Wno-error=absolute-value"
# Fix build with GCC 10
"-Wno-error=enum-conversion"
"-Wno-error=zero-length-bounds"
# Fix build with GCC 12
# xentoollog_stubs.c:57: error: "Some_val" redefined [-Werror]
"-Wno-error"
];
patches = with xsa; flatten [
./0000-fix-ipxe-src.4.15.patch
./0000-fix-install-python.4.15.patch
./0004-makefile-use-efi-ld.4.15.patch
./0005-makefile-fix-efi-mountdir-use.4.15.patch
XSA_386
];
postPatch = ''
# Avoid a glibc >= 2.25 deprecation warnings that get fatal via -Werror.
sed 1i'#include <sys/sysmacros.h>' \
-i tools/libs/light/libxl_device.c
# Fix missing pkg-config dir
mkdir -p tools/pkg-config
'';
preBuild = ''
# PKG_CONFIG env var collides with variables used in tools Makefiles.
unset PKG_CONFIG
'';
passthru = {
qemu-system-i386 = if withInternalQemu
then "lib/xen/bin/qemu-system-i386"
else throw "this xen has no qemu builtin";
};
})) ({
ocamlPackages = ocaml-ng.ocamlPackages_4_14;
} // args)


@ -1,21 +1,21 @@
hack to make etherboot use prefetched ipxe
Hack to make etherboot use pre-fetched iPXE.
diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
index ed9e11305f..979a3acea8 100644
--- a/tools/firmware/etherboot/Makefile
+++ b/tools/firmware/etherboot/Makefile
@@ -16,6 +16,7 @@ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz
D=ipxe
T=ipxe.tar.gz
+G=ipxe.git
ROMS = $(addprefix $D/src/bin/, $(addsuffix .rom, $(ETHERBOOT_NICS)))
ROM = $D/src/bin/ipxe.bin
@@ -41,9 +42,9 @@ $T:
fi
mv _$T $T
-$D/src/arch/i386/Makefile: $T Config
- rm -rf $D
- gzip -dc $T | tar xf -


@ -0,0 +1,49 @@
{
lib,
fetchpatch,
callPackage,
ocaml-ng,
...
}@genericDefinition:
let
upstreamPatches = import ../patches.nix {
inherit lib;
inherit fetchpatch;
};
upstreamPatchList = lib.lists.flatten [ upstreamPatches.XSA_458 ];
in
callPackage (import ../generic.nix {
branch = "4.16";
version = "4.16.6";
latest = false;
pkg = {
xen = {
rev = "4b33780de790bd438dd7cbb6143b410d94f0f049";
hash = "sha256-2kcmfKwBo3w1U5CSxLSYSteqvzcJaB+cA7keVb3amyA=";
patches = [ ./0000-xen-ipxe-src-4.16.patch ] ++ upstreamPatchList;
};
qemu = {
rev = "c02cb236b5e4a76cf74e641cc35a0e3ebd3e52f3";
hash = "sha256-LwlPry04az9QQowaDG2la8PYlGOUMbZaQAsCHxj+pwM=";
patches = [ ];
};
seaBIOS = {
rev = "d239552ce7220e448ae81f41515138f7b9e3c4db";
hash = "sha256-UKMceJhIprN4/4Xe4EG2EvKlanxVcEi5Qcrrk3Ogiik=";
patches = [ ];
};
ovmf = {
rev = "7b4a99be8a39c12d3a7fc4b8db9f0eab4ac688d5";
hash = "sha256-Qq2RgktCkJZBsq6Ch+6tyRHhme4lfcN7d2oQfxwhQt8=";
patches = [ ];
};
ipxe = {
rev = "3c040ad387099483102708bb1839110bc788cefb";
hash = "sha256-y2QdZEoGsGUQjrrvD8YRa8VoqcZSr4tjLM//I/MrsLI=";
patches = [ ];
};
};
}) ({ ocamlPackages = ocaml-ng.ocamlPackages_4_14; } // genericDefinition)
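Review bot: `upstreamPatchList` here carries only `upstreamPatches.XSA_458`, while the 4.17 and 4.18 definitions added in this commit also apply `upstreamPatches.QUBES_REPRODUCIBLE_BUILDS`, and nothing in the file says whether the omission is deliberate. If that patch simply does not apply to this branch, a one-line comment above the list would save the next reviewer from checking, for example `# QUBES_REPRODUCIBLE_BUILDS is not applied on this branch: <reason>`. It would also help to record next to each `rev` which upstream release tag it was taken from, so the pin can be compared with the tag that the README's update procedure checks with `git verify-tag`.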


@ -0,0 +1,27 @@
Hack to make etherboot use pre-fetched iPXE.
diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
index ed9e11305f..979a3acea8 100644
--- a/tools/firmware/etherboot/Makefile
+++ b/tools/firmware/etherboot/Makefile
@@ -16,6 +16,7 @@ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz
D=ipxe
T=ipxe.tar.gz
+G=ipxe.git
ROMS = $(addprefix $D/src/bin/, $(addsuffix .rom, $(ETHERBOOT_NICS)))
ROM = $D/src/bin/ipxe.bin
@@ -41,9 +42,9 @@ $T:
fi
mv _$T $T
-$D/src/arch/i386/Makefile: $T Config
- rm -rf $D
- gzip -dc $T | tar xf -
+$D/src/arch/i386/Makefile: $G Config
+ mkdir $D
+ cp -a $G/* $D
for i in $$(cat patches/series) ; do \
patch -d $D -p1 --quiet <patches/$$i || exit 1 ; \
done
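Review bot: The rewritten rule for `$D/src/arch/i386/Makefile` drops the `rm -rf $D` that the tarball version had and replaces it with a bare `mkdir $D`, so the recipe fails if `ipxe/` is left over from an earlier or interrupted run. In addition, `cp -a $G/* $D` leaves out any dot-files at the top of `$G`. Keeping the cleanup and copying the directory contents avoids both: `rm -rf $D`, `mkdir $D`, `cp -a $G/. $D`. Inside a fresh sandboxed build the current form probably works, so this is about the patch being safe to re-run. The same lines appear in the two other copies of this patch added further down in the commit.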


@ -0,0 +1,52 @@
{
lib,
fetchpatch,
callPackage,
ocaml-ng,
...
}@genericDefinition:
let
upstreamPatches = import ../patches.nix {
inherit lib;
inherit fetchpatch;
};
upstreamPatchList = lib.lists.flatten [
upstreamPatches.QUBES_REPRODUCIBLE_BUILDS
upstreamPatches.XSA_458
];
in
callPackage (import ../generic.nix {
branch = "4.17";
version = "4.17.4";
latest = false;
pkg = {
xen = {
rev = "d530627aaa9b6e03c7f911434bb342fca3d13300";
hash = "sha256-4ltQUzo4XPzGT/7fGt1hnNMqBQBVF7VP+WXD9ZaJcGo=";
patches = [ ./0000-xen-ipxe-src-4.17.patch ] ++ upstreamPatchList;
};
qemu = {
rev = "ffb451126550b22b43b62fb8731a0d78e3376c03";
hash = "sha256-G0hMPid9d3fd1jAY7CiZ33xUZf1hdy96T1VUKFGeHSk=";
patches = [ ];
};
seaBIOS = {
rev = "d239552ce7220e448ae81f41515138f7b9e3c4db";
hash = "sha256-UKMceJhIprN4/4Xe4EG2EvKlanxVcEi5Qcrrk3Ogiik=";
patches = [ ];
};
ovmf = {
rev = "7b4a99be8a39c12d3a7fc4b8db9f0eab4ac688d5";
hash = "sha256-Qq2RgktCkJZBsq6Ch+6tyRHhme4lfcN7d2oQfxwhQt8=";
patches = [ ];
};
ipxe = {
rev = "1d1cf74a5e58811822bee4b3da3cff7282fcdfca";
hash = "sha256-8pwoPrmkpL6jIM+Y/C0xSvyrBM/Uv0D1GuBwNm+0DHU=";
patches = [ ];
};
};
}) ({ ocamlPackages = ocaml-ng.ocamlPackages_4_14; } // genericDefinition)


@ -0,0 +1,27 @@
Hack to make etherboot use pre-fetched iPXE.
diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
index ed9e11305f..979a3acea8 100644
--- a/tools/firmware/etherboot/Makefile
+++ b/tools/firmware/etherboot/Makefile
@@ -16,6 +16,7 @@ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz
D=ipxe
T=ipxe.tar.gz
+G=ipxe.git
ROMS = $(addprefix $D/src/bin/, $(addsuffix .rom, $(ETHERBOOT_NICS)))
ROM = $D/src/bin/ipxe.bin
@@ -41,9 +42,9 @@ $T:
fi
mv _$T $T
-$D/src/arch/i386/Makefile: $T Config
- rm -rf $D
- gzip -dc $T | tar xf -
+$D/src/arch/i386/Makefile: $G Config
+ mkdir $D
+ cp -a $G/* $D
for i in $$(cat patches/series) ; do \
patch -d $D -p1 --quiet <patches/$$i || exit 1 ; \
done


@ -0,0 +1,52 @@
{
lib,
fetchpatch,
callPackage,
ocaml-ng,
...
}@genericDefinition:
let
upstreamPatches = import ../patches.nix {
inherit lib;
inherit fetchpatch;
};
upstreamPatchList = lib.lists.flatten [
upstreamPatches.QUBES_REPRODUCIBLE_BUILDS
upstreamPatches.XSA_458
];
in
callPackage (import ../generic.nix {
branch = "4.18";
version = "4.18.2";
latest = false;
pkg = {
xen = {
rev = "d152a0424677d8b78e00ed1270a583c5dafff16f";
hash = "sha256-pHCjj+Bcy4xQfB9xHU9fccFwVdP2DXrUhdszwGvrdmY=";
patches = [ ./0000-xen-ipxe-src-4.18.patch ] ++ upstreamPatchList;
};
qemu = {
rev = "0df9387c8983e1b1e72d8c574356f572342c03e6";
hash = "sha256-BX+LXfNzwdUMALwwI1ZDW12dJ357oynjnrboLHREDGQ=";
patches = [ ];
};
seaBIOS = {
rev = "ea1b7a0733906b8425d948ae94fba63c32b1d425";
hash = "sha256-J2FuT+FXn9YoFLSfxDOxyKZvKrys59a6bP1eYvEXVNU=";
patches = [ ];
};
ovmf = {
rev = "ba91d0292e593df8528b66f99c1b0b14fadc8e16";
hash = "sha256-htOvV43Hw5K05g0SF3po69HncLyma3BtgpqYSdzRG4s=";
patches = [ ];
};
ipxe = {
rev = "1d1cf74a5e58811822bee4b3da3cff7282fcdfca";
hash = "sha256-8pwoPrmkpL6jIM+Y/C0xSvyrBM/Uv0D1GuBwNm+0DHU=";
patches = [ ];
};
};
}) ({ ocamlPackages = ocaml-ng.ocamlPackages_4_14; } // genericDefinition)


@ -0,0 +1,27 @@
Hack to make etherboot use pre-fetched iPXE.
diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile
index ed9e11305f..979a3acea8 100644
--- a/tools/firmware/etherboot/Makefile
+++ b/tools/firmware/etherboot/Makefile
@@ -16,6 +16,7 @@ IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz
D=ipxe
T=ipxe.tar.gz
+G=ipxe.git
ROMS = $(addprefix $D/src/bin/, $(addsuffix .rom, $(ETHERBOOT_NICS)))
ROM = $D/src/bin/ipxe.bin
@@ -41,9 +42,9 @@ $T:
fi
mv _$T $T
-$D/src/arch/i386/Makefile: $T Config
- rm -rf $D
- gzip -dc $T | tar xf -
+$D/src/arch/i386/Makefile: $G Config
+ mkdir $D
+ cp -a $G/* $D
for i in $$(cat patches/series) ; do \
patch -d $D -p1 --quiet <patches/$$i || exit 1 ; \
done


@ -0,0 +1,49 @@
{
lib,
fetchpatch,
callPackage,
ocaml-ng,
...
}@genericDefinition:
let
upstreamPatches = import ../patches.nix {
inherit lib;
inherit fetchpatch;
};
upstreamPatchList = lib.lists.flatten [ upstreamPatches.QUBES_REPRODUCIBLE_BUILDS ];
in
callPackage (import ../generic.nix {
branch = "4.19";
version = "4.19.0";
latest = true;
pkg = {
xen = {
rev = "026c9fa29716b0ff0f8b7c687908e71ba29cf239";
hash = "sha256-Q6x+2fZ4ITBz6sKICI0NHGx773Rc919cl+wzI89UY+Q=";
patches = [ ./0000-xen-ipxe-src-4.19.patch ] ++ upstreamPatchList;
};
qemu = {
rev = "0df9387c8983e1b1e72d8c574356f572342c03e6";
hash = "sha256-BX+LXfNzwdUMALwwI1ZDW12dJ357oynjnrboLHREDGQ=";
patches = [ ];
};
seaBIOS = {
rev = "a6ed6b701f0a57db0569ab98b0661c12a6ec3ff8";
hash = "sha256-hWemj83cxdY8p+Jhkh5GcPvI0Sy5aKYZJCsKDjHTUUk=";
patches = [ ];
};
ovmf = {
rev = "ba91d0292e593df8528b66f99c1b0b14fadc8e16";
hash = "sha256-htOvV43Hw5K05g0SF3po69HncLyma3BtgpqYSdzRG4s=";
patches = [ ];
};
ipxe = {
rev = "1d1cf74a5e58811822bee4b3da3cff7282fcdfca";
hash = "sha256-8pwoPrmkpL6jIM+Y/C0xSvyrBM/Uv0D1GuBwNm+0DHU=";
patches = [ ];
};
};
}) ({ ocamlPackages = ocaml-ng.ocamlPackages_4_14; } // genericDefinition)
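Review bot: This is the only branch definition in the commit whose `upstreamPatchList` has no `upstreamPatches.XSA_458`, and it is also the one marked `latest = true`. Presumably the fix is already contained in the pinned `rev`, but the file does not say so, and an XSA patch that is absent without explanation is hard to tell from one that was forgotten. A comment above the list would settle it, for example `# XSA-458 is not listed: already included in the 4.19.0 sources (confirm against the advisory)`.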


@ -0,0 +1,195 @@
<p align="center">
<a href="https://xenproject.org/">
<picture>
<source
media="(prefers-color-scheme: light)"
srcset="https://downloads.xenproject.org/Branding/Logos/Green+Black/xen_project_logo_dualcolor_2000x832.png">
<source
media="(prefers-color-scheme: dark)"
srcset="https://xenproject.org/wp-content/uploads/sites/79/2018/09/logo_xenproject.png">
<img
src="https://downloads.xenproject.org/Branding/Logos/Green+Black/xen_project_logo_dualcolor_2000x832.png"
width="512px"
alt="Xen Project Logo">
</picture>
</a>
</p>
# Xen Hypervisor <a href="https://xenproject.org/"><img src="https://downloads.xenproject.org/Branding/Mascots/Xen-Fu-Panda-2000px.png" width="48px" align="top" alt="Xen Fu Panda"></a>
This directory includes the build recipes for the [Xen Hypervisor](https://xenproject.org/).
Some other notable packages that compose the Xen Ecosystem include:
- `ocamlPackages.xenstore`: Mirage's `oxenstore` implementation.
- `ocamlPackages.vchan`: Mirage's `xen-vchan` implementation.
- `ocamlPackages.xenstore-tool`: XAPI's `oxenstore` utilities.
- `xen-guest-agent`: Guest drivers for UNIX domUs.
- `win-pvdrivers`: Guest drivers for Windows domUs.
## Updating
### Automatically
An automated update script is available in this directory. To produce up-to-date
files for all supported Xen branches, simply run `./update.sh`, and follow the
instructions given to you by the script. Notably, it will request that you verify
the Xen Project code signing PGP key. This README understands that the fingerprint
of that key is [`23E3 222C 145F 4475 FA80 60A7 83FE 14C9 57E8 2BD9`](https://keys.openpgp.org/search?q=pgp%40xen.org),
but you should verify this information by seeking the fingerprint from other trusted
sources, as this document may be compromised. Once the PGP key is verified, it will
use `git verify-tag` to ascertain the validity of the cloned Xen sources.
After the script is done, follow the steps in [**For Both Update Methods**](#for-both-update-methods) below.
#### Downstream Patch Names
The script expects local patch names to follow a certain specification.
Please name any required patches using the template below:
```console
0000-project-description-branch.patch
```
Where:
1. The first four numbers define the patch order.
**0001** will be applied after **0000**, and so on.
1. `project` means the name of the source the patch should be applied to.
- If you are applying patches to the main Xen sources, use `xen`.
- For the pre-fetched QEMU, use `qemu`.
- For SeaBIOS, use `seabios`.
- For OVMF, use `ovmf`.
- For iPXE, use `ipxe`.
1. `description` is a string with uppercase and lowercase letters, numbers and
dashes. It describes the patch name and what it does to the upstream code.
1. `branch` is the branch for which this patch is supposed to patch.
It should match the name of the directory it is in.
For example, a patch fixing `xentop`'s output in the 4.15 branch should have
the following name: `0000-xen-xentop-output-4.15.patch`, and it should be added
to the `4.15/` directory.
### Manually
The script is not infallible, and it may break in the future. If that happens,
open a PR fixing the script, and update Xen manually:
1. Check the support matrix to see which branches are security-supported.
1. Create one directory per branch.
1. [Update](https://xenbits.xenproject.org/gitweb/) the `default.nix` files for
the branches that already exist and copy a new one to any branches that do
not yet exist in Nixpkgs.
- Do not forget to set the `branch`, `version`, and `latest` attributes for
each of the `default.nix` files.
- The revisions are preferably commit hashes, but tag names are acceptable
as well.
### For Both Update Methods
1. Make sure all branches build. (Both the `standard` and `slim` versions)
1. Use the NixOS module to test if dom0 boots successfully on all new versions.
1. Clean up your changes and commit them, making sure to follow the
[Nixpkgs Contribution Guidelines](../../../../CONTRIBUTING.md).
1. Open a PR and await a review from the current maintainers.
## Features
### Pre-fetched Sources
On a typical Xen build, the Xen Makefiles will fetch more required sources with
`git` and `wget`. Due to the Nix Sandbox, build-time fetching will fail, so we
pre-fetch the required sources before building.[^1] To accomplish this, we have
a `prefetchedSources` attribute that contains the required derivations, if they
are requested by the main Xen build.
### EFI
Building `xen.efi` requires an `ld` with PE support.[^2]
We use a `makeFlag` to override the `$LD` environment variable to point to our
patched `efiBinutils`. For more information, see the comment in `./generic.nix`.
> [!TIP]
> If you are certain you will not be running Xen in an x86 EFI environment, disable
the `withEFI` flag with an [override](https://nixos.org/manual/nixpkgs/stable/#chap-overrides)
to save you the need to compile `efiBinutils`.
### Default Overrides
By default, Xen also builds
[QEMU](https://www.qemu.org/),
[SeaBIOS](https://www.seabios.org/SeaBIOS),
[OVMF](https://github.com/tianocore/tianocore.github.io/wiki/OVMF) and
[iPXE](https://ipxe.org/).
- QEMU is used for stubdomains and handling devices.
- SeaBIOS is the default legacy BIOS ROM for HVM domains.
- OVMF is the default UEFI ROM for HVM domains.
- iPXE provides a PXE boot environment for HVMs.
However, those packages are already available on Nixpkgs, and Xen does not
necessarily need to build them into the main hypervisor build. For this reason,
we also have the `withInternal<Component>` flags, which enables and disables
building those built-in components. The two most popular Xen configurations will
be the default build, with all built-in components, and a `slim` build, with none
of those components. To simplify this process, the `./packages.nix` file includes
the `xen-slim` package overrides that have all `withInternal<Component>` flags
disabled. See the `meta.longDescription` attribute for the `xen-slim` packages
for more information.
## Security
We aim to support all **security-supported** versions of Xen at any given time.
See the [Xen Support Matrix](https://xenbits.xen.org/docs/unstable/support-matrix.html)
for a list of versions. As soon as a version is no longer **security-supported**,
it should be removed from Nixpkgs.
> [!CAUTION]
> Pull requests that introduce XSA patches
should have the `1.severity: security` label.
### Maintainers
Xen is a particularly complex piece of software, so we are always looking for new
maintainers. Help out by [making and triaging issues](https://github.com/NixOS/nixpkgs/issues/new/choose),
[sending build fixes and improvements through PRs](https://github.com/NixOS/nixpkgs/compare),
updating the branches, and [patching security flaws](https://xenbits.xenproject.org/xsa/).
We are also looking for testers, particularly those who can test Xen on AArch64
machines. Open issues for any build failures or runtime errors you find!
## Tests
So far, we only have had one simple automated test that checks for
the correct `pkg-config` output files.
Due to Xen's nature as a type-1 hypervisor, it is not a trivial matter to design
new tests, as even basic functionality requires a machine booted in a dom0
kernel. For this reason, most testing done with this package must be done
manually in a NixOS machine with `virtualisation.xen.enable` set to `true`.
Another unfortunate thing is that none of the Xen commands have a `--version`
flag. This means that `testers.testVersion` cannot ascertain the Xen version.
The only way to verify that you have indeed built the correct version is to
boot into the freshly built Xen kernel and run `xl info`.
<p align="center">
<a href="https://xenproject.org/">
<img
src="https://downloads.xenproject.org/Branding/Mascots/Xen%20Big%20Panda%204242x3129.png"
width="96px"
alt="Xen Fu Panda">
</a>
</p>
[^1]: We also produce fake `git`, `wget` and `hostname` binaries that do nothing,
to prevent the build from failing because Xen cannot fetch the sources that
were already fetched by Nix.
[^2]: From the [Xen Documentation](https://xenbits.xenproject.org/docs/unstable/misc/efi.html):
> For x86, building `xen.efi` requires `gcc` 4.5.x or above (4.6.x or newer
recommended, as 4.5.x was probably never really tested for this purpose)
and `binutils` 2.22 or newer. Additionally, the `binutils` build must be
configured to include support for the x86_64-pep emulation (i.e.
`--enable-targets=x86_64-pep` or an option of equivalent effect should be
passed to the configure script).


@ -1,265 +1,687 @@
config:
{ lib, stdenv, cmake, pkg-config, which
versionDefinition:
{
lib,
stdenv,
autoPatchelfHook,
cmake,
ninja,
pkg-config,
testers,
which,
# Xen
, bison, bzip2, checkpolicy, dev86, figlet, flex, gettext, glib
, acpica-tools, libaio, libiconv, libuuid, ncurses, openssl, perl
, xz, yajl, zlib
, python3Packages
fetchgit,
fetchFromGitHub,
# Xen Optional
, ocamlPackages
# Xen
acpica-tools,
bison,
bzip2,
dev86,
e2fsprogs,
flex,
libnl,
libuuid,
lzo,
ncurses,
ocamlPackages,
perl,
python311Packages,
systemdMinimal,
xz,
yajl,
zlib,
zstd,
# Scripts
, coreutils, gawk, gnused, gnugrep, diffutils, multipath-tools
, iproute2, inetutils, iptables, bridge-utils, openvswitch, nbd, drbd
, util-linux, procps, systemd
# Xen Optional
withInternalQEMU ? true,
pixman,
glib,
# Documentation
# python3Packages.markdown
, fig2dev, ghostscript, texinfo, pandoc
withInternalSeaBIOS ? true,
withSeaBIOS ? !withInternalSeaBIOS,
seabios,
, binutils-unwrapped
withInternalOVMF ? true,
withOVMF ? !withInternalOVMF,
OVMF,
nasm,
, ...} @ args:
withInternalIPXE ? true,
withIPXE ? !withInternalIPXE,
ipxe,
with lib;
withFlask ? false,
checkpolicy,
efiVendor ? "nixos", # Allow downstreams with custom branding to quickly override the EFI Vendor string.
withEFI ? true,
binutils-unwrapped,
# Documentation
fig2dev,
pandoc,
# Scripts
bridge-utils,
coreutils,
diffutils,
gawk,
gnugrep,
gnused,
inetutils,
iproute2,
iptables,
multipath-tools,
nbd,
openvswitch,
util-linux,
...
}@packageDefinition:
let
#TODO: fix paths instead
scriptEnvPath = concatMapStringsSep ":" (x: "${x}/bin") [
which perl
coreutils gawk gnused gnugrep diffutils util-linux multipath-tools
iproute2 inetutils iptables bridge-utils openvswitch nbd drbd
#TODO: fix paths instead.
scriptEnvPath = lib.strings.concatMapStringsSep ":" (x: "${x}/bin") [
bridge-utils
coreutils
diffutils
gawk
gnugrep
gnused
inetutils
iproute2
iptables
multipath-tools
nbd
openvswitch
perl
util-linux
which
];
withXenfiles = f: concatStringsSep "\n" (mapAttrsToList f config.xenfiles);
inherit (versionDefinition) branch;
inherit (versionDefinition) version;
inherit (versionDefinition) latest;
inherit (versionDefinition) pkg;
pname = "xen";
withTools = a: f: withXenfiles (name: x: optionalString (hasAttr a x) ''
echo "processing ${name}"
__do() {
cd "tools/${name}"
${f name x}
# Sources needed to build tools and firmwares.
prefetchedSources =
lib.attrsets.optionalAttrs withInternalQEMU {
qemu-xen = {
src = fetchgit {
url = "https://xenbits.xen.org/git-http/qemu-xen.git";
fetchSubmodules = true;
inherit (pkg.qemu) rev;
inherit (pkg.qemu) hash;
};
patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.qemu) pkg.qemu.patches;
postPatch = ''
substituteInPlace scripts/tracetool.py \
--replace-fail "/usr/bin/env python" "${python311Packages.python}/bin/python"
'';
};
}
( __do )
'');
// lib.attrsets.optionalAttrs withInternalSeaBIOS {
"firmware/seabios-dir-remote" = {
src = fetchgit {
url = "https://xenbits.xen.org/git-http/seabios.git";
inherit (pkg.seaBIOS) rev;
inherit (pkg.seaBIOS) hash;
};
patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [
"patches"
] pkg.seaBIOS) pkg.seaBIOS.patches;
};
}
// lib.attrsets.optionalAttrs withInternalOVMF {
"firmware/ovmf-dir-remote" = {
src = fetchgit {
url = "https://xenbits.xen.org/git-http/ovmf.git";
fetchSubmodules = true;
inherit (pkg.ovmf) rev;
inherit (pkg.ovmf) hash;
};
patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.ovmf) pkg.ovmf.patches;
postPatch = ''
substituteInPlace \
OvmfPkg/build.sh BaseTools/BinWrappers/PosixLike/{AmlToC,BrotliCompress,build,GenFfs,GenFv,GenFw,GenSec,LzmaCompress,TianoCompress,Trim,VfrCompile} \
--replace-fail "/usr/bin/env bash" ${stdenv.shell}
'';
};
}
// lib.attrsets.optionalAttrs withInternalIPXE {
"firmware/etherboot/ipxe.git" = {
src = fetchFromGitHub {
owner = "ipxe";
repo = "ipxe";
inherit (pkg.ipxe) rev;
inherit (pkg.ipxe) hash;
};
patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.ipxe) pkg.ipxe.patches;
};
};
withPrefetchedSources =
sourcePkg: lib.strings.concatLines (lib.attrsets.mapAttrsToList sourcePkg prefetchedSources);
# We don't want to use the wrapped version, because this version of ld is
# only used for linking the Xen EFI binary, and the build process really
# needs control over the LDFLAGS used
# Sometimes patches are sourced through a path, like ./0000-xen.patch.
# This would break the patch attribute parser functions, so we normalise
# all patches sourced through paths by setting them to a { type = "path"; }
# attribute set.
# Patches from fetchpatch are already attribute sets.
normalisedPatchList = builtins.map (
patch:
if !builtins.isAttrs patch then
if builtins.isPath patch then
{ type = "path"; }
else
throw "xen/generic.nix: normalisedPatchList attempted to normalise something that is not a Path or an Attribute Set."
else
patch
) pkg.xen.patches;
# Simple counter for the number of attrsets (patches) in the patches list after normalisation.
numberOfPatches = lib.lists.count (patch: builtins.isAttrs patch) normalisedPatchList;
# builtins.elemAt's index begins at 0, so we subtract 1 from the number of patches in order to
# produce the range that will be used in the following builtin.map calls.
availablePatchesToTry = lib.lists.range 0 (numberOfPatches - 1);
# Takes in an attrByPath input, and outputs the attribute value for each patch in a list.
# If a patch does not have a given attribute, returns `null`. Use lib.lists.remove null
# to remove these junk values, if necessary.
retrievePatchAttributes =
attributeName:
builtins.map (
x: lib.attrsets.attrByPath attributeName null (builtins.elemAt normalisedPatchList x)
) availablePatchesToTry;
# Produces a list of newline-separated strings that lists the vulnerabilities this
# Xen is NOT affected by, due to the applied Xen Security Advisory patches. This is
# then used in meta.longDescription, to let users know their Xen is patched against
# known vulnerabilities, as the package version isn't always the best indicator.
#
# Produces something like this: (one string for each XSA)
# * [Xen Security Advisory #1](https://xenbits.xenproject.org/xsa/advisory-1.html): **Title for XSA.**
# >Description of issue in XSA
#Extra lines
#are not indented,
#but markdown should be
#fine with it.
# Fixes:
# * [CVE-1999-00001](https://www.cve.org/CVERecord?id=CVE-1999-00001)
# * [CVE-1999-00002](https://www.cve.org/CVERecord?id=CVE-1999-00002)
# * [CVE-1999-00003](https://www.cve.org/CVERecord?id=CVE-1999-00003)
writeAdvisoryDescription =
if (lib.lists.remove null (retrievePatchAttributes [ "xsa" ]) != [ ]) then
lib.lists.zipListsWith (a: b: a + b)
(lib.lists.zipListsWith (a: b: a + "**" + b + ".**\n >")
(lib.lists.zipListsWith (a: b: "* [Xen Security Advisory #" + a + "](" + b + "): ")
(lib.lists.remove null (retrievePatchAttributes [ "xsa" ]))
(
lib.lists.remove null (retrievePatchAttributes [
"meta"
"homepage"
])
)
)
(
lib.lists.remove null (retrievePatchAttributes [
"meta"
"description"
])
)
)
(
lib.lists.remove null (retrievePatchAttributes [
"meta"
"longDescription"
])
)
else
[ ];
withTools =
attr: file:
withPrefetchedSources (
name: source:
lib.strings.optionalString (builtins.hasAttr attr source) ''
echo "processing ${name}"
__do() {
cd "tools/${name}"
${file name source}
}
( __do )
''
);
# Originally, there were two versions of binutils being used: the standard one and
# this patched one. Unfortunately, that required patches to the Xen Makefiles, and
# quickly became too complex to maintain. The new solution is to simply build this
# efi-binutils derivation and use it for the whole build process, except if
# enableEFI is disabled; it'll then use `binutils`.
efiBinutils = binutils-unwrapped.overrideAttrs (oldAttrs: {
name = "efi-binutils";
configureFlags = oldAttrs.configureFlags ++ [
"--enable-targets=x86_64-pep"
];
doInstallCheck = false; # We get a spurious failure otherwise, due to host/target mis-match
configureFlags = oldAttrs.configureFlags ++ [ "--enable-targets=x86_64-pep" ];
doInstallCheck = false; # We get a spurious failure otherwise, due to a host/target mismatch.
});
in
stdenv.mkDerivation (rec {
inherit (config) version;
stdenv.mkDerivation (finalAttrs: {
inherit pname;
inherit version;
name = "xen-${version}";
outputs = [
"out" # TODO: Split $out in $bin for binaries and $lib for libraries.
"man" # Manual pages for Xen userspace utilities.
"dev" # Development headers.
"boot" # xen.gz kernel, policy file if Flask is enabled, xen.efi if EFI is enabled.
];
dontUseCmakeConfigure = true;
# Main Xen source.
src = fetchgit {
url = "https://xenbits.xen.org/git-http/xen.git";
inherit (pkg.xen) rev;
inherit (pkg.xen) hash;
};
hardeningDisable = [ "stackprotector" "fortify" "pic" ];
# Gets the patches from the pkg.xen.patches attribute from the versioned files.
patches = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "patches" ] pkg.xen) pkg.xen.patches;
nativeBuildInputs = [ pkg-config cmake ];
buildInputs = [
which
nativeBuildInputs =
[
autoPatchelfHook
bison
cmake
fig2dev
flex
pandoc
pkg-config
]
++ lib.lists.optionals withInternalQEMU [
ninja
python311Packages.sphinx
];
buildInputs =
[
# Xen
acpica-tools
bzip2
dev86
e2fsprogs.dev
libnl
libuuid
lzo
ncurses
perl
python311Packages.python
xz
yajl
zlib
zstd
# Xen
bison bzip2 checkpolicy dev86 figlet flex gettext glib acpica-tools libaio
libiconv libuuid ncurses openssl perl python3Packages.python xz yajl zlib
# oxenstored
ocamlPackages.findlib
ocamlPackages.ocaml
systemdMinimal
# oxenstored
ocamlPackages.findlib ocamlPackages.ocaml systemd
# Python Fixes
python311Packages.wrapPython
]
++ lib.lists.optionals withInternalQEMU [
glib
pixman
]
++ lib.lists.optional withInternalOVMF nasm
++ lib.lists.optional withFlask checkpolicy;
# Python fixes
python3Packages.wrapPython
configureFlags =
[ "--enable-systemd" ]
++ lib.lists.optional (!withInternalQEMU) "--with-system-qemu"
# Documentation
python3Packages.markdown fig2dev ghostscript texinfo pandoc
++ lib.lists.optional withSeaBIOS "--with-system-seabios=${seabios}/share/seabios"
++ lib.lists.optional (!withInternalSeaBIOS && !withSeaBIOS) "--disable-seabios"
# Others
] ++ (concatMap (x: x.buildInputs or []) (attrValues config.xenfiles))
++ (config.buildInputs or []);
++ lib.lists.optional withOVMF "--with-system-ovmf=${OVMF.firmware}"
++ lib.lists.optional withInternalOVMF "--enable-ovmf"
prePatch = ''
### Generic fixes
++ lib.lists.optional withIPXE "--with-system-ipxe=${ipxe}"
++ lib.lists.optional withInternalIPXE "--enable-ipxe";
# Xen's stubdoms, tools and firmwares need various sources that
# are usually fetched at build time using wget and git. We can't
# have that, so we prefetch them in nix-expression and setup
# fake wget and git for debugging purposes.
makeFlags =
[
"PREFIX=$(out)"
"CONFIG_DIR=/etc"
"XEN_EXTFILES_URL=\\$(XEN_ROOT)/xen_ext_files"
"XEN_SCRIPT_DIR=$(CONFIG_DIR)/xen/scripts"
"BASH_COMPLETION_DIR=$(PREFIX)/share/bash-completion/completions"
]
++ lib.lists.optionals withEFI [
"EFI_VENDOR=${efiVendor}"
"INSTALL_EFI_STRIP=1"
"LD=${efiBinutils}/bin/ld" # See the comment in the efiBinutils definition above.
]
# These flags set the CONFIG_* options in /boot/xen.config
# and define if the default policy file is built. However,
# the Flask binaries always get compiled by default.
++ lib.lists.optionals withFlask [
"XSM_ENABLE=y"
"FLASK_ENABLE=y"
]
++ (pkg.xen.makeFlags or [ ]);
mkdir fake-bin
# Fake git: just print what it wants and die
cat > fake-bin/wget << EOF
#!${stdenv.shell} -e
echo ===== FAKE WGET: Not fetching \$*
[ -e \$3 ]
EOF
# Fake git: just print what it wants and die
cat > fake-bin/git << EOF
#!${stdenv.shell}
echo ===== FAKE GIT: Not cloning \$*
[ -e \$3 ]
EOF
chmod +x fake-bin/*
export PATH=$PATH:$PWD/fake-bin
# Remove in-tree qemu stuff in case we build from a tar-ball
rm -rf tools/qemu-xen tools/qemu-xen-traditional
# Fix shebangs, mainly for build-scripts
# We want to do this before getting prefetched stuff to speed things up
# (prefetched stuff has lots of files)
find . -type f | xargs sed -i 's@/usr/bin/\(python\|perl\)@/usr/bin/env \1@g'
find . -type f -not -path "./tools/hotplug/Linux/xendomains.in" \
| xargs sed -i 's@/bin/bash@${stdenv.shell}@g'
# Get prefetched stuff
${withXenfiles (name: x: ''
echo "${x.src} -> tools/${name}"
cp -r ${x.src} tools/${name}
chmod -R +w tools/${name}
'')}
'';
patches = [
] ++ (config.patches or []);
postPatch = ''
### Hacks
# Work around a bug in our GCC wrapper: `gcc -MF foo -v' doesn't
# print the GCC version number properly.
substituteInPlace xen/Makefile \
--replace '$(CC) $(CFLAGS) -v' '$(CC) -v'
# Hack to get `gcc -m32' to work without having 32-bit Glibc headers.
mkdir -p tools/include/gnu
touch tools/include/gnu/stubs-32.h
### Fixing everything else
substituteInPlace tools/libfsimage/common/fsimage_plugin.c \
--replace /usr $out
substituteInPlace tools/misc/xenpvnetboot \
--replace /usr/sbin/mount ${util-linux}/bin/mount \
--replace /usr/sbin/umount ${util-linux}/bin/umount
substituteInPlace tools/xenmon/xenmon.py \
--replace /usr/bin/pkill ${procps}/bin/pkill
${optionalString (builtins.compareVersions config.version "4.8" >= 0) ''
substituteInPlace tools/hotplug/Linux/launch-xenstore.in \
--replace /bin/mkdir mkdir
''}
${optionalString (builtins.compareVersions config.version "4.6" < 0) ''
# TODO: use this as a template and support our own if-up scripts instead?
substituteInPlace tools/hotplug/Linux/xen-backend.rules.in \
--replace "@XEN_SCRIPT_DIR@" $out/etc/xen/scripts
# blktap is not provided by xen, but by xapi
sed -i '/blktap/d' tools/hotplug/Linux/xen-backend.rules.in
''}
${withTools "patches" (name: x: ''
${concatMapStringsSep "\n" (p: ''
echo "# Patching with ${p}"
patch -p1 < ${p}
'') x.patches}
'')}
${withTools "postPatch" (name: x: x.postPatch)}
${config.postPatch or ""}
'';
postConfigure = ''
substituteInPlace tools/hotplug/Linux/xendomains \
--replace /bin/ls ls
'';
EFI_LD = "${efiBinutils}/bin/ld";
EFI_VENDOR = "nixos";
# TODO: Flask needs more testing before enabling it by default.
#makeFlags = [ "XSM_ENABLE=y" "FLASK_ENABLE=y" "PREFIX=$(out)" "CONFIG_DIR=/etc" "XEN_EXTFILES_URL=\\$(XEN_ROOT)/xen_ext_files" ];
makeFlags = [ "PREFIX=$(out) CONFIG_DIR=/etc" "XEN_SCRIPT_DIR=/etc/xen/scripts" ]
++ (config.makeFlags or []);
preBuild = ''
${config.preBuild or ""}
'';
buildFlags = [ "xen" "tools" ];
postBuild = ''
make -C docs man-pages
${withTools "buildPhase" (name: x: x.buildPhase)}
'';
installPhase = ''
mkdir -p $out $out/share $out/share/man
cp -prvd dist/install/nix/store/*/* $out/
cp -prvd dist/install/boot $out/boot
cp -prvd dist/install/etc $out
cp -dR docs/man1 docs/man5 $out/share/man/
${withTools "installPhase" (name: x: x.installPhase)}
# Hack
substituteInPlace $out/etc/xen/scripts/hotplugpath.sh \
--replace SBINDIR=\"$out/sbin\" SBINDIR=\"$out/bin\"
wrapPythonPrograms
# We also need to wrap pygrub, which lies in lib
wrapPythonProgramsIn "$out/lib" "$out $pythonPath"
shopt -s extglob
for i in $out/etc/xen/scripts/!(*.sh); do
sed -i "2s@^@export PATH=$out/bin:${scriptEnvPath}\n@" $i
done
'';
buildFlags = [
"xen" # Build the Xen Hypervisor.
"tools" # Build the userspace tools, such as `xl`.
"docs" # Build the Xen Documentation
# TODO: Enable the Stubdomains target. This requires another pre-fetched source: mini-os. Currently, Xen appears to build a limited version of stubdomains which does not include mini-os.
# "stubdom"
];
enableParallelBuilding = true;
# TODO(@oxij): Stop referencing args here
env.NIX_CFLAGS_COMPILE = builtins.toString (
[
"-Wno-error=maybe-uninitialized"
"-Wno-error=array-bounds"
]
++ lib.lists.optionals withInternalOVMF [
"-Wno-error=format-security"
"-Wno-error=use-after-free"
"-Wno-error=vla-parameter"
"-Wno-error=dangling-pointer"
"-Wno-error=stringop-overflow"
]
);
dontUseCmakeConfigure = true;
dontUseNinjaBuild = withInternalQEMU;
prePatch =
# Xen's stubdoms, tools and firmwares need various sources that
# are usually fetched at build time using wget and git. We can't
# have that, so we pre-fetch them in the versioned Nix expressions,
# and produce fake wget and git executables for debugging purposes.
#
# We also produce a fake hostname executable to prevent spurious
# command-not-found errors during compilation.
#
# The snippet below produces executables that simply print in stdout
# what they were supposed to fetch, and exit gracefully.
''
mkdir fake-bin
cat > fake-bin/wget << EOF
#!${stdenv.shell} -e
echo ===== FAKE WGET: Not fetching \$*
[ -e \$3 ]
EOF
cat > fake-bin/git << EOF
#!${stdenv.shell}
echo ===== FAKE GIT: Not cloning \$*
[ -e \$3 ]
EOF
cat > fake-bin/hostname << EOF
#!${stdenv.shell}
echo ${efiVendor}
[ -e \$3 ]
EOF
chmod +x fake-bin/*
export PATH=$PATH:$PWD/fake-bin
''
# Remove in-tree QEMU sources, as we either pre-fetch them through
# the versioned Nix expressions if withInternalQEMU is true, or we
# don't build QEMU at all if withInternalQEMU is false.
+ ''
rm --recursive --force tools/qemu-xen tools/qemu-xen-traditional
''
# The following expression moves the sources we fetched in the
# versioned Nix expressions to their correct locations inside
# the Xen source tree.
+ ''
${withPrefetchedSources (
name: source: ''
echo "Copying pre-fetched source: ${source.src} -> tools/${name}"
cp --recursive ${source.src} tools/${name}
chmod --recursive +w tools/${name}
''
)}
'';
postPatch =
# The following patch forces Xen to install xen.efi on $out/boot
# instead of $out/boot/efi/efi/nixos, as the latter directory
# would otherwise need to be created manually. This also creates
# a more consistent output for downstreams who override the
# efiVendor attribute above.
''
substituteInPlace xen/Makefile \
--replace-fail "\$(D)\$(EFI_MOUNTPOINT)/efi/\$(EFI_VENDOR)/\$(T)-\$(XEN_FULLVERSION).efi" \
"\$(D)\$(BOOT_DIR)/\$(T)-\$(XEN_FULLVERSION).efi"
''
# The following patch fixes the call to /bin/mkdir on the
# launch_xenstore.sh helper script.
+ ''
substituteInPlace tools/hotplug/Linux/launch-xenstore.in \
--replace-fail "/bin/mkdir" "${coreutils}/bin/mkdir"
''
# The following expression fixes the paths called by Xen's systemd
# units, so we can use them in the NixOS module.
+ ''
substituteInPlace \
tools/hotplug/Linux/systemd/{xen-init-dom0,xen-qemu-dom0-disk-backend,xenconsoled,xendomains,xenstored}.service.in \
--replace-fail /bin/grep ${gnugrep}/bin/grep
substituteInPlace \
tools/hotplug/Linux/systemd/{xen-qemu-dom0-disk-backend,xenconsoled}.service.in \
--replace-fail "/bin/mkdir" "${coreutils}/bin/mkdir"
''
# The following expression applies the patches defined on each
# prefetchedSources attribute.
+ ''
${withTools "patches" (
name: source: ''
${lib.strings.concatMapStringsSep "\n" (patch: ''
echo "Patching with ${patch}"
patch --strip 1 < ${patch}
'') source.patches}
''
)}
${withTools "postPatch" (name: source: source.postPatch)}
${pkg.xen.postPatch or ""}
'';
preBuild = lib.lists.optionals (lib.attrsets.hasAttrByPath [ "preBuild" ] pkg.xen) pkg.xen.preBuild;
postBuild = ''
${withTools "buildPhase" (name: source: source.buildPhase)}
${pkg.xen.postBuild or ""}
'';
installPhase =
let
cpFlags = builtins.toString [
"--preserve=mode,ownership,timestamps,link"
"--recursive"
"--verbose"
"--no-dereference"
];
in
# Run the preInstall tasks.
''
runHook preInstall
''
# Create $out directories and copy build output.
+ ''
mkdir --parents $out $out/share $boot
cp ${cpFlags} dist/install/nix/store/*/* $out/
cp ${cpFlags} dist/install/etc $out
cp ${cpFlags} dist/install/boot $boot
''
# Run the postInstall tasks.
+ ''
runHook postInstall
'';
postInstall =
# Wrap xencov_split, xenmon and xentrace_format.
''
wrapPythonPrograms
''
# We also need to wrap pygrub, which lies in $out/libexec/xen/bin.
+ ''
wrapPythonProgramsIn "$out/libexec/xen/bin" "$out $pythonPath"
''
# Fix shebangs in Xen's various scripts.
#TODO: Remove any and all usage of `sed` and replace these complicated magic runes with readable code.
+ ''
shopt -s extglob
for i in $out/etc/xen/scripts/!(*.sh); do
sed --in-place "2s@^@export PATH=$out/bin:${scriptEnvPath}\n@" $i
done
''
+ ''
${withTools "installPhase" (name: source: source.installPhase)}
${pkg.xen.installPhase or ""}
'';
postFixup =
# Fix binaries in $out/lib/xen/bin.
''
addAutoPatchelfSearchPath $out/lib
autoPatchelf $out/libexec/xen/bin/
''
# Flask is particularly hard to disable. Even after
# setting the make flags to `n`, it still gets compiled.
# If withFlask is disabled, delete the extra binaries.
+ lib.strings.optionalString (!withFlask) ''
rm -f $out/bin/flask-*
'';
passthru = {
efi =
if withEFI then "boot/xen-${version}.efi" else throw "This Xen was compiled without an EFI binary.";
flaskPolicy =
if withFlask then
"boot/xenpolicy-${version}"
else
throw "This Xen was compiled without FLASK support.";
qemu-system-i386 =
if withInternalQEMU then
"libexec/xen/bin/qemu-system-i386"
else
throw "This Xen was compiled without a built-in QEMU.";
# This test suite is very simple, as Xen's userspace
# utilities require the hypervisor to be booted.
tests = {
pkg-config = testers.hasPkgConfigModules {
package = finalAttrs.finalPackage;
moduleNames = [
"xencall"
"xencontrol"
"xendevicemodel"
"xenevtchn"
"xenforeignmemory"
"xengnttab"
"xenguest"
"xenhypfs"
"xenlight"
"xenstat"
"xenstore"
"xentoolcore"
"xentoollog"
"xenvchan"
"xlutil"
];
};
};
};
meta = {
homepage = "http://www.xen.org/";
description = "Xen hypervisor and related components"
+ optionalString (args ? meta && args.meta ? description)
" (${args.meta.description})";
longDescription = (args.meta.longDescription or "")
+ "\nIncludes:\n"
+ withXenfiles (name: x: "* ${name}: ${x.meta.description or "(No description)"}.");
platforms = [ "x86_64-linux" ];
maintainers = [ ];
license = lib.licenses.gpl2;
knownVulnerabilities = [
# https://www.openwall.com/lists/oss-security/2023/03/21/1
# Affects 3.2 (at *least*) - 4.17
"CVE-2022-42332"
# https://www.openwall.com/lists/oss-security/2023/03/21/2
# Affects 4.11 - 4.17
"CVE-2022-42333"
"CVE-2022-42334"
# https://www.openwall.com/lists/oss-security/2023/03/21/3
# Affects 4.15 - 4.17
"CVE-2022-42331"
# https://xenbits.xen.org/docs/unstable/support-matrix.html
] ++ lib.optionals (lib.versionOlder version "4.15") [
"This version of Xen has reached its end of life. See https://xenbits.xen.org/docs/unstable/support-matrix.html"
inherit branch;
# Short description for Xen.
description =
"Xen Hypervisor"
# The "and related components" addition is automatically hidden if said components aren't being built.
+ lib.strings.optionalString (prefetchedSources != { }) " and related components"
# To alter the description inside the paranthesis, edit ./packages.nix.
+ lib.strings.optionalString (lib.attrsets.hasAttrByPath [
"meta"
"description"
] packageDefinition) " (${packageDefinition.meta.description})";
# Long description for Xen.
longDescription =
# Starts with the longDescription from ./packages.nix.
(packageDefinition.meta.longDescription or "")
+
lib.strings.optionalString (!withInternalQEMU)
"\nUse with `qemu_xen_${lib.stringAsChars (x: if x == "." then "_" else x) branch}`"
+ lib.strings.optionalString latest "or `qemu_xen`"
+ "."
# Then, if any of the optional with* components are being built, add the "Includes:" string.
+
lib.strings.optionalString
(
withInternalQEMU
|| withInternalSeaBIOS
|| withInternalOVMF
|| withInternalIPXE
|| withEFI
|| withFlask
)
(
"\nIncludes:\n"
# Originally, this was a call for the complicated withPrefetchedSources. Since there aren't
# that many optional components, we just use lib.strings.optionalString, because it's simpler.
# Optional components that aren't being built are automatically hidden.
+ lib.strings.optionalString withEFI "* `xen.efi`: Xen's [EFI binary](https://xenbits.xenproject.org/docs/${branch}-testing/misc/efi.html), available on the `boot` output of this package.\n"
+ lib.strings.optionalString withFlask "* `xsm-flask`: The [FLASK Xen Security Module](https://wiki.xenproject.org/wiki/Xen_Security_Modules_:_XSM-FLASK). The `xenpolicy-${version}` file is available on the `boot` output of this package.\n"
+ lib.strings.optionalString withInternalQEMU "* `qemu-xen`: Xen's mirror of [QEMU](https://www.qemu.org/).\n"
+ lib.strings.optionalString withInternalSeaBIOS "* `seabios-xen`: Xen's mirror of [SeaBIOS](https://www.seabios.org/SeaBIOS).\n"
+ lib.strings.optionalString withInternalOVMF "* `ovmf-xen`: Xen's mirror of [OVMF](https://github.com/tianocore/tianocore.github.io/wiki/OVMF).\n"
+ lib.strings.optionalString withInternalIPXE "* `ipxe-xen`: Xen's pinned version of [iPXE](https://ipxe.org/).\n"
)
# Finally, we write a notice explaining which vulnerabilities this Xen is NOT vulnerable to.
# This will hopefully give users the peace of mind that their Xen is secure, without needing
# to search the source code for the XSA patches.
+ lib.strings.optionalString (writeAdvisoryDescription != [ ]) (
"\nThis Xen (${version}) has been patched against the following known security vulnerabilities:\n"
+ lib.strings.removeSuffix "\n" (lib.strings.concatLines writeAdvisoryDescription)
);
homepage = "https://xenproject.org/";
downloadPage = "https://downloads.xenproject.org/release/xen/${version}/";
changelog = "https://wiki.xenproject.org/wiki/Xen_Project_${branch}_Release_Notes";
license = with lib.licenses; [
# Documentation.
cc-by-40
# Most of Xen is licensed under the GPL v2.0.
gpl2Only
# Xen Libraries and the `xl` command-line utility.
lgpl21Only
# Development headers in $dev/include.
mit
];
} // (config.meta or {});
} // removeAttrs config [ "xenfiles" "buildInputs" "patches" "postPatch" "meta" ])
maintainers = [ lib.maintainers.sigmasquadron ];
mainProgram = "xl";
# Evaluates to x86_64-linux.
platforms = lib.lists.intersectLists lib.platforms.linux lib.platforms.x86_64;
knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version "4.16") [
"Xen ${version} is no longer supported by the Xen Security Team. See https://xenbits.xenproject.org/docs/unstable/support-matrix.html"
];
};
})


@ -1,58 +1,68 @@
{ callPackage
}:
# TODO(@oxij) on new Xen version: generalize this to generate [vanilla slim
# light] for each ./<version>.nix.
{ callPackage }:
let
standard = {
meta = {
description = "Standard Xen";
longDescription = ''
Standard version of Xen. Uses forks of QEMU, SeaBIOS, OVMF and iPXE provided
by the Xen Project. This provides the vanilla Xen experince, but wastes space
and build time. A typical NixOS setup that runs lots of VMs will usually need
to build two different versions of QEMU when using this Xen derivation (one
fork and upstream).
'';
};
};
slim = {
meta = {
description = "Without Internal Components";
longDescription = ''
Slimmed-down version of Xen that reuses nixpkgs packages as much as possible.
Instead of using the Xen forks for various internal components, this version uses
`seabios`, `ovmf` and `ipxe` from nixpkgs. These components may ocasionally get
out of sync with the hypervisor itself, but this builds faster and uses less space
than the default derivation.
'';
};
};
in
# TODO: generalise this to automatically generate both Xen variants for each ./<version>/default.nix.
rec {
xen_4_15-vanilla = callPackage ./4.15.nix {
meta = {
description = "vanilla";
longDescription = ''
Vanilla version of Xen. Uses forks of Qemu and Seabios bundled
with Xen. This gives vanilla experince, but wastes space and
build time: typical NixOS setup that runs lots of VMs will
build three different versions of Qemu when using this (two
forks and upstream).
'';
};
xen_4_19 = callPackage ./4.19/default.nix { inherit (standard) meta; };
xen_4_19-slim = xen_4_19.override {
withInternalQEMU = false;
withInternalSeaBIOS = false;
withInternalOVMF = false;
withInternalIPXE = false;
inherit (slim) meta;
};
xen_4_15-slim = xen_4_15-vanilla.override {
withInternalQemu = false;
withInternalTraditionalQemu = true;
withInternalSeabios = false;
withSeabios = true;
meta = {
description = "slim";
longDescription = ''
Slimmed-down version of Xen that reuses nixpkgs packages as
much as possible. Different parts may get out of sync, but
this builds faster and uses less space than vanilla. Use with
`qemu_xen` from nixpkgs.
'';
};
xen_4_18 = callPackage ./4.18/default.nix { inherit (standard) meta; };
xen_4_18-slim = xen_4_18.override {
withInternalQEMU = false;
withInternalSeaBIOS = false;
withInternalOVMF = false;
withInternalIPXE = false;
inherit (slim) meta;
};
xen_4_15-light = xen_4_15-vanilla.override {
withInternalQemu = false;
withInternalTraditionalQemu = false;
withInternalSeabios = false;
withSeabios = true;
meta = {
description = "light";
longDescription = ''
Slimmed-down version of Xen without `qemu-traditional` (you
don't need it if you don't know what it is). Use with
`qemu_xen-light` from nixpkgs.
'';
};
xen_4_17 = callPackage ./4.17/default.nix { inherit (standard) meta; };
xen_4_17-slim = xen_4_17.override {
withInternalQEMU = false;
withInternalSeaBIOS = false;
withInternalOVMF = false;
withInternalIPXE = false;
inherit (slim) meta;
};
xen-vanilla = xen_4_15-vanilla;
xen-slim = xen_4_15-slim;
xen-light = xen_4_15-light;
xen_4_16 = callPackage ./4.16/default.nix { inherit (standard) meta; };
xen_4_16-slim = xen_4_16.override {
withInternalQEMU = false;
withInternalSeaBIOS = false;
withInternalOVMF = false;
withInternalIPXE = false;
inherit (slim) meta;
};
xen = xen_4_19;
xen-slim = xen_4_19-slim;
}
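Review bot: The `slim` `longDescription` names only `seabios`, `ovmf` and `ipxe` as coming from nixpkgs, but every `-slim` override in this file also sets `withInternalQEMU = false;`, so the device model is an external package too and the text should say so. The same string already warns that these components can drift out of sync with the hypervisor, and a reader deciding how to keep a slim install patched needs QEMU on that list. I would extend the sentence to cover `qemu_xen` as well (confirm the attribute name against generic.nix) and correct the spellings `experince` and `ocasionally` in the two description strings. The four identical override blocks could also share a single attribute set, which the TODO above `rec` already points towards.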


@ -0,0 +1,114 @@
# Patching Xen? Check the XSAs at https://xenbits.xen.org/xsa/
# and try applying all the ones we haven't gotten around to
# yet, if any are necessary. Patches from other downstreams
# are also welcome if they fix important issues with vanilla Xen.
{ lib, fetchpatch }:
let
xsaPatch =
{
id,
title,
description,
type ? "xsa",
hash ? "",
cve ? null,
}:
(fetchpatch {
name =
"XSA-" + id + lib.strings.optionalString (cve != null) ("-" + builtins.concatStringsSep "+" cve);
url = "https://xenbits.xen.org/xsa/xsa${id}.patch";
inherit hash;
passthru = {
xsa = id;
inherit type;
};
meta = {
description = title;
longDescription =
description
+ "\n"
+ (
if (cve == null) then
# Why the two spaces preceding these CVE messages?
# This is parsed by writeAdvisoryDescription in generic.nix,
# and doing this was easier than messing with lib.strings even more.
" _No CVE was assigned to this XSA._"
else
" Fixes:${
lib.strings.concatMapStrings (
x: "\n * [" + x + "](https://www.cve.org/CVERecord?id=" + x + ")"
) cve
}"
);
homepage = "https://xenbits.xenproject.org/xsa/advisory-${id}.html";
};
});
qubesPatch =
{
name,
tag,
type ? "qubes",
hash ? "",
}:
(fetchpatch {
inherit name;
url = "https://raw.githubusercontent.com/QubesOS/qubes-vmm-xen/v${tag}/${name}.patch";
inherit hash;
passthru.type = type;
});
in
{
# Example patches:
#
# "XSA_100" = xsaPatch {
# id = "100";
# name = "Verbatim Title of XSA";
# cve = [ "CVE-1999-0001" "CVE-1999-0002" ]; # Not all XSAs have CVEs. This attribute is optional.
# hash = "sha256-0000000000000000000000000000000000000000000000000000";
# };
#
# "QUBES_libxl-fix-all-issues" = qubesPatch {
# name = "1000-libxl-fix-all-issues";
# tag = "4.20.0-1";
# hash = "sha256-0000000000000000000000000000000000000000000000000000";
# };
# Build reproducibility patches for Xen.
# Qubes OS has not updated them to later versions of Xen yet,
# but they appear to work on Xen 4.17.4 - 4.19.0.
QUBES_REPRODUCIBLE_BUILDS = [
(qubesPatch {
name = "1100-Define-build-dates-time-based-on-SOURCE_DATE_EPOCH";
tag = "4.17.4-5";
hash = "sha256-OwKA9oPTwhRcSmiOb+PxzifbO/IG8IHWlvddFh/nP6s=";
})
(qubesPatch {
name = "1101-docs-rename-DATE-to-PANDOC_REL_DATE-and-allow-to-spe";
tag = "4.17.4-5";
hash = "sha256-BUtYt0mM3bURVaGv4oDznzxx1Wo4sfOpGV5GB8qc5Ns=";
})
(qubesPatch {
name = "1102-docs-xen-headers-use-alphabetical-sorting-for-incont";
tag = "4.17.4-5";
hash = "sha256-mQUp2w9lUb7KDq5MuPQjs6y7iuMDeXoZjDjlXfa5z44=";
})
];
# Xen Security Advisory #458: (4.16 - 4.19-rc3)
"XSA_458" = xsaPatch {
id = "458";
title = "Double unlock in x86 guest IRQ handling";
description = ''
An optional feature of PCI MSI called "Multiple Message" allows a device
to use multiple consecutive interrupt vectors. Unlike for MSI-X, the
setting up of these consecutive vectors needs to happen all in one go.
In this handling an error path could be taken in different situations,
with or without a particular lock held. This error path wrongly releases
the lock even when it is not currently held.
'';
cve = [ "CVE-2024-31143" ];
hash = "sha256-yHI9Sp/7Ed40iIYQ/HOOIULlfzAzL0c0MGqdF+GR+AQ=";
};
}
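Review bot: The commented example under `# Example patches:` does not match the `xsaPatch` signature defined above it. It passes `name = "Verbatim Title of XSA";`, whereas the function takes `title` and `description` (neither has a default) and has no `name` argument, so an entry copied from the example would not evaluate. I would change that line to `title = "Verbatim Title of XSA";` and add a `description = ''…'';` line to the example. Separately, `hash ? ""` on both `xsaPatch` and `qubesPatch` deserves a one-line comment saying the empty default exists only to obtain the hash on a first fetch and that committed entries must pin one. As far as this file shows, the hash is the only integrity check on patches downloaded from xenbits.xen.org and raw.githubusercontent.com.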


@ -0,0 +1,194 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p gitMinimal curl gnupg nix-prefetch-git nixfmt-rfc-style
# shellcheck disable=SC2206,SC2207 shell=bash
set -e
# Set a temporary $HOME in /tmp for GPG.
HOME=/tmp/xenUpdateScript
# This script expects to be called in an interactive terminal somewhere inside Nixpkgs.
echo "Preparing..."
nixpkgs=$(git rev-parse --show-toplevel)
xenPath="$nixpkgs/pkgs/applications/virtualization/xen"
rm -rf /tmp/xenUpdateScript
mkdir /tmp/xenUpdateScript
# Import and verify PGP key.
curl --silent --output /tmp/xenUpdateScript/xen.asc https://keys.openpgp.org/vks/v1/by-fingerprint/23E3222C145F4475FA8060A783FE14C957E82BD9
gpg --quiet --import /tmp/xenUpdateScript/xen.asc
fingerprint="$(gpg --with-colons --fingerprint "pgp@xen.org" 2>/dev/null | awk -F: '/^pub:.*/ { getline; print $10}')"
echo -e "Please ascertain through multiple external sources that the \e[1;32mXen Project PGP Key Fingerprint\e[0m is indeed \e[1;33m$fingerprint\e[0m. If that is not the case, \e[1;31mexit immediately\e[0m."
read -r -p $'Press \e[1;34menter\e[0m to continue with a pre-filled expected fingerprint, or input an arbitrary PGP fingerprint to match with the key\'s fingerprint: ' userInputFingerprint
userInputFingerprint=${userInputFingerprint:-"23E3222C145F4475FA8060A783FE14C957E82BD9"}
# Clone xen.git.
echo -e "Cloning \e[1;34mxen.git\e[0m..."
git clone --quiet https://xenbits.xen.org/git-http/xen.git /tmp/xenUpdateScript/xen
cd /tmp/xenUpdateScript/xen
# Get list of versions and branches.
versionList="$(git tag --list "RELEASE-*" | sed s/RELEASE-//g | sed s/4.1.6.1//g | sort --numeric-sort)"
latestVersion=$(echo "$versionList" | tr ' ' '\n' | tail --lines=1)
branchList=($(echo "$versionList" | tr ' ' '\n' | sed s/\.[0-9]*$//g | awk '!seen[$0]++'))
# Figure out which versions we're actually going to install.
minSupportedBranch="$(grep " knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version " "$xenPath"/generic.nix | sed s/' knownVulnerabilities = lib.lists.optionals (lib.strings.versionOlder version "'//g | sed s/'") \['//g)"
supportedBranches=($(for version in "${branchList[@]}"; do if [ "$(printf '%s\n' "$minSupportedBranch" "$version" | sort -V | head -n1)" = "$minSupportedBranch" ]; then echo "$version"; fi; done))
supportedVersions=($(for version in "${supportedBranches[@]}"; do echo "$versionList" | tr ' ' '\n' | grep "$version" | tail --lines=1; done))
# Main loop that installs every supportedVersion.
for version in "${supportedVersions[@]}"; do
echo -e "\n------------------------------------------------"
branch=${version/%.[0-9]/}
if [[ "$version" == "$latestVersion" ]]; then
latest=true
echo -e "\nFound \e[1;34mlatest\e[0m release: \e[1;32mXen $version\e[0m in branch \e[1;36m$branch\e[0m."
else
latest=false
echo -e "\nFound \e[1;33msecurity-supported\e[0m release: \e[1;32mXen $version\e[0m in branch \e[1;36m$branch\e[0m."
fi
# Verify PGP key automatically. If the fingerprint matches what the user specified, or the default fingerprint, then we consider it trusted.
cd /tmp/xenUpdateScript/xen
if [[ "$fingerprint" = "$userInputFingerprint" ]]; then
echo "$fingerprint:6:" | gpg --quiet --import-ownertrust
(git verify-tag RELEASE-"$version" 2>/dev/null && echo -e "\n\e[1;32mSuccessfully authenticated Xen $version.\e[0m") || (echo -e "\e[1;31merror:\e[0m Unable to verify tag \e[1;32mRELEASE-$version\e[0m.\n- It is possible that \e[1;33mthis script has broken\e[0m, the Xen Project has \e[1;33mcycled their PGP keys\e[0m, or a \e[1;31msupply chain attack is in progress\e[0m.\n\n\e[1;31mPlease update manually.\e[0m" && exit 1)
else
echo -e "\e[1;31merror:\e[0m Unable to verify \e[1;34mpgp@xen.org\e[0m's fingerprint.\n- It is possible that \e[1;33mthis script has broken\e[0m, the Xen Project has \e[1;33mcycled their PGP keys\e[0m, or an \e[1;31mimpersonation attack is in progress\e[0m.\n\n\e[1;31mPlease update manually.\e[0m" && exit 1
fi
git switch --quiet --detach RELEASE-"$version"
# Originally we told people to go check the Makefile themselves.
echo -e "\nDetermining source versions from Xen Makefiles..."
qemuVersion="$(grep -ie "QEMU_UPSTREAM_REVISION ?=" /tmp/xenUpdateScript/xen/Config.mk | sed s/"QEMU_UPSTREAM_REVISION ?= "//g)"
seaBIOSVersion="$(grep -ie "SEABIOS_UPSTREAM_REVISION ?= rel-" /tmp/xenUpdateScript/xen/Config.mk | sed s/"SEABIOS_UPSTREAM_REVISION ?= "//g)"
ovmfVersion="$(grep -ie "OVMF_UPSTREAM_REVISION ?=" /tmp/xenUpdateScript/xen/Config.mk | sed s/"OVMF_UPSTREAM_REVISION ?= "//g)"
ipxeVersion="$(grep -ie "IPXE_GIT_TAG :=" /tmp/xenUpdateScript/xen/tools/firmware/etherboot/Makefile | sed s/"IPXE_GIT_TAG := "//g)"
# Use `nix-prefetch-git` to fetch `rev`s and `hash`es.
echo "Pre-fetching sources and determining hashes..."
echo -e -n " \e[1;32mXen\e[0m..."
fetchXen=$(nix-prefetch-git --url https://xenbits.xen.org/git-http/xen.git --rev RELEASE-"$version" --quiet)
finalVersion="$(echo "$fetchXen" | tr ', ' '\n ' | grep -ie rev | sed s/' "rev": "'//g | sed s/'"'//g)"
hash="$(echo "$fetchXen" | tr ', ' '\n ' | grep -ie hash | sed s/' "hash": "'//g | sed s/'"'//g)"
echo "done!"
echo -e -n " \e[1;36mQEMU\e[0m..."
fetchQEMU=$(nix-prefetch-git --url https://xenbits.xen.org/git-http/qemu-xen.git --rev "$qemuVersion" --quiet --fetch-submodules)
finalQEMUVersion="$(echo "$fetchQEMU" | tr ', ' '\n ' | grep -ie rev | sed s/' "rev": "'//g | sed s/'"'//g)"
qemuHash="$(echo "$fetchQEMU" | tr ', ' '\n ' | grep -ie hash | sed s/' "hash": "'//g | sed s/'"'//g)"
echo "done!"
echo -e -n " \e[1;36mSeaBIOS\e[0m..."
fetchSeaBIOS=$(nix-prefetch-git --url https://xenbits.xen.org/git-http/seabios.git --rev "$seaBIOSVersion" --quiet)
finalSeaBIOSVersion="$(echo "$fetchSeaBIOS" | tr ', ' '\n ' | grep -ie rev | sed s/' "rev": "'//g | sed s/'"'//g)"
seaBIOSHash="$(echo "$fetchSeaBIOS" | tr ', ' '\n ' | grep -ie hash | sed s/' "hash": "'//g | sed s/'"'//g)"
echo "done!"
echo -e -n " \e[1;36mOVMF\e[0m..."
ovmfHash="$(nix-prefetch-git --url https://xenbits.xen.org/git-http/ovmf.git --rev "$ovmfVersion" --quiet --fetch-submodules | grep -ie hash | sed s/' "hash": "'//g | sed s/'",'//g)"
echo "done!"
echo -e -n " \e[1;36miPXE\e[0m..."
ipxeHash="$(nix-prefetch-git --url https://github.com/ipxe/ipxe.git --rev "$ipxeVersion" --quiet | grep -ie hash | sed s/' "hash": "'//g | sed s/'",'//g)"
echo "done!"
cd "$xenPath"
echo -e "\nFound the following revisions:\n \e[1;32mXen\e[0m: \e[1;33m$finalVersion\e[0m (\e[1;33m$hash\e[0m)\n \e[1;36mQEMU\e[0m: \e[1;33m$finalQEMUVersion\e[0m (\e[1;33m$qemuHash\e[0m)\n \e[1;36mSeaBIOS\e[0m: \e[1;33m$finalSeaBIOSVersion\e[0m (\e[1;33m$seaBIOSHash\e[0m)\n \e[1;36mOVMF\e[0m: \e[1;33m$ovmfVersion\e[0m (\e[1;33m$ovmfHash\e[0m)\n \e[1;36miPXE\e[0m: \e[1;33m$ipxeVersion\e[0m (\e[1;33m$ipxeHash\e[0m)"
# Set OCaml Version
read -r -p $'\nEnter the corresponding \e[1;33mOCaml\e[0m version for \e[1;32mXen '"$version"$'\e[0m, or press \e[1;34menter\e[0m for the default value of \e[1;32m4_14\e[0m: ' ocamlVersion
ocamlVersion=${ocamlVersion:-"4_14"}
mkdir -p "$branch"/
rm -f "$branch"/default.nix
# Prepare any .patch files that are called by Nix through a path value.
echo -e "\nPlease add any required patches to version \e[1;32m$branch\e[0m in \e[1;34m$branch/\e[0m, and press \e[1;34menter\e[0m when done."
read -r -p $'Remember to follow the naming specification as defined in \e[1;34m./README.md\e[0m.'
echo -e "\nDiscovering patches..."
discoveredXenPatches="$(find "$branch"/ -type f -name "[0-9][0-9][0-9][0-9]-xen-*-$branch.patch" -printf "./%f ")"
discoveredQEMUPatches="$(find "$branch"/ -type f -name "[0-9][0-9][0-9][0-9]-qemu-*-$branch.patch" -printf "./%f ")"
discoveredSeaBIOSPatches="$(find "$branch"/ -type f -name "[0-9][0-9][0-9][0-9]-seabios-*-$branch.patch" -printf "./%f ")"
discoveredOVMFPatches="$(find "$branch"/ -type f -name "[0-9][0-9][0-9][0-9]-ovmf-*-$branch.patch" -printf "./%f ")"
discoveredIPXEPatches="$(find "$branch"/ -type f -name "[0-9][0-9][0-9][0-9]-ipxe-*-$branch.patch" -printf "./%f ")"
discoveredXenPatchesEcho=${discoveredXenPatches:-"\e[1;31mNone found!\e[0m"}
discoveredQEMUPatchesEcho=${discoveredQEMUPatches:-"\e[1;31mNone found!\e[0m"}
discoveredSeaBIOSPatchesEcho=${discoveredSeaBIOSPatches:-"\e[1;31mNone found!\e[0m"}
discoveredOVMFPatchesEcho=${discoveredOVMFPatches:-"\e[1;31mNone found!\e[0m"}
discoveredIPXEPatchesEcho=${discoveredIPXEPatches:-"\e[1;31mNone found!\e[0m"}
echo -e "Found the following patches:\n \e[1;32mXen\e[0m: \e[1;33m$discoveredXenPatchesEcho\e[0m\n \e[1;36mQEMU\e[0m: \e[1;33m$discoveredQEMUPatchesEcho\e[0m\n \e[1;36mSeaBIOS\e[0m: \e[1;33m$discoveredSeaBIOSPatchesEcho\e[0m\n \e[1;36mOVMF\e[0m: \e[1;33m$discoveredOVMFPatchesEcho\e[0m\n \e[1;36miPXE\e[0m: \e[1;33m$discoveredIPXEPatchesEcho\e[0m"
# Prepare patches that are called in ./patches.nix.
defaultPatchListInit=("QUBES_REPRODUCIBLE_BUILDS" "XSA_458")
read -r -a defaultPatchList -p $'\nWould you like to override the \e[1;34mupstreamPatches\e[0m list for \e[1;32mXen '"$version"$'\e[0m? If no, press \e[1;34menter\e[0m to use the default patch list: [ \e[1;34m'"${defaultPatchListInit[*]}"$' \e[0m]: '
defaultPatchList=(${defaultPatchList[@]:-${defaultPatchListInit[@]}})
spaceSeparatedPatchList=${defaultPatchList[*]}
upstreamPatches="upstreamPatches.${spaceSeparatedPatchList// / upstreamPatches.}"
# Write and format default.nix file.
echo -e "\nWriting updated \e[1;34mversionDefinition\e[0m..."
cat >"$branch"/default.nix <<EOF
{
lib,
fetchpatch,
callPackage,
ocaml-ng,
...
}@genericDefinition:
let
upstreamPatches = import ../patches.nix {
inherit lib;
inherit fetchpatch;
};
upstreamPatchList = lib.lists.flatten [
$upstreamPatches
];
in
callPackage (import ../generic.nix {
branch = "$branch";
version = "$version";
latest = $latest;
pkg = {
xen = {
rev = "$finalVersion";
hash = "$hash";
patches = [ $discoveredXenPatches ] ++ upstreamPatchList;
};
qemu = {
rev = "$finalQEMUVersion";
hash = "$qemuHash";
patches = [ $discoveredQEMUPatches ];
};
seaBIOS = {
rev = "$finalSeaBIOSVersion";
hash = "$seaBIOSHash";
patches = [ $discoveredSeaBIOSPatches ];
};
ovmf = {
rev = "$ovmfVersion";
hash = "$ovmfHash";
patches = [ $discoveredOVMFPatches ];
};
ipxe = {
rev = "$ipxeVersion";
hash = "$ipxeHash";
patches = [ $discoveredIPXEPatches ];
};
};
}) ({ ocamlPackages = ocaml-ng.ocamlPackages_$ocamlVersion; } // genericDefinition)
EOF
echo "Formatting..."
nixfmt "$branch"/default.nix
echo -e "\n\e[1;32mSuccessfully produced $branch/default.nix.\e[0m"
done
echo -e -n "\nCleaning up..."
rm -rf /tmp/xenUpdateScript
echo done!
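Review bot: The revision and hash written to `$branch/default.nix` come from a second, independent download (`nix-prefetch-git --url … --rev RELEASE-"$version"`), not from the clone whose tag `git verify-tag` just authenticated, and `$finalVersion` is never compared with that verified tag. I would bind the two right after `finalVersion` is set, with `verifiedRev="$(git -C /tmp/xenUpdateScript/xen rev-parse "RELEASE-$version^{commit}")"` followed by `[[ "$finalVersion" == "$verifiedRev" ]] || { echo "error: prefetched rev differs from the verified tag"; exit 1; }`. Before relying on that comparison, confirm which object id `nix-prefetch-git` reports for an annotated tag. The fixed `/tmp/xenUpdateScript` path that serves as `HOME` for GPG is also predictable on a shared machine and is left behind whenever the script aborts early. A directory from `mktemp -d`, removed by an `EXIT` trap, would avoid both.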


@ -1,493 +0,0 @@
{ fetchpatch }:
let
xsaPatch = { name , sha256 }: (fetchpatch {
url = "https://xenbits.xen.org/xsa/xsa${name}.patch";
inherit sha256;
});
in {
# 4.5
XSA_190 = (xsaPatch {
name = "190-4.5";
sha256 = "0f8pw38kkxky89ny3ic5h26v9zsjj9id89lygx896zc3w1klafqm";
});
# 4.5
XSA_191 = (xsaPatch {
name = "191-4.6";
sha256 = "1wl1ndli8rflmc44pkp8cw4642gi8z7j7gipac8mmlavmn3wdqhg";
});
# 4.5
XSA_192 = (xsaPatch {
name = "192-4.5";
sha256 = "0m8cv0xqvx5pdk7fcmaw2vv43xhl62plyx33xqj48y66x5z9lxpm";
});
# 4.5
XSA_193 = (xsaPatch {
name = "193-4.5";
sha256 = "0k9mykhrpm4rbjkhv067f6s05lqmgnldcyb3vi8cl0ndlyh66lvr";
});
# 4.5
XSA_195 = (xsaPatch {
name = "195";
sha256 = "0m0g953qnjy2knd9qnkdagpvkkgjbk3ydgajia6kzs499dyqpdl7";
});
# 4.5
XSA_196 = [
(xsaPatch {
name = "196-0001-x86-emul-Correct-the-IDT-entry-calculation-in-inject";
sha256 = "0z53nzrjvc745y26z1qc8jlg3blxp7brawvji1hx3s74n346ssl6";
})
(xsaPatch {
name = "196-0002-x86-svm-Fix-injection-of-software-interrupts";
sha256 = "11cqvr5jn2s92wsshpilx9qnfczrd9hnyb5aim6qwmz3fq3hrrkz";
})
];
# 4.5
XSA_198 = (xsaPatch {
name = "198";
sha256 = "0d1nndn4p520c9xa87ixnyks3mrvzcri7c702d6mm22m8ansx6d9";
});
# 4.5
XSA_200 = (xsaPatch {
name = "200-4.6";
sha256 = "0k918ja83470iz5k4vqi15293zjvz2dipdhgc9sy9rrhg4mqncl7";
});
# 4.5
XSA_202_45 = (xsaPatch {
name = "202-4.6";
sha256 = "0nnznkrvfbbc8z64dr9wvbdijd4qbpc0wz2j5vpmx6b32sm7932f";
});
# 4.5
XSA_204_45 = (xsaPatch {
name = "204-4.5";
sha256 = "083z9pbdz3f532fnzg7n2d5wzv6rmqc0f4mvc3mnmkd0rzqw8vcp";
});
# 4.5
XSA_206_45 = [
(xsaPatch {
name = "206-4.5/0001-xenstored-apply-a-write-transaction-rate-limit";
sha256 = "07vsm8mlbxh2s01ny2xywnm1bqhhxas1az31fzwb6f1g14vkzwm4";
})
(xsaPatch {
name = "206-4.5/0002-xenstored-Log-when-the-write-transaction-rate-limit-";
sha256 = "17pnvxjmhny22abwwivacfig4vfsy5bqlki07z236whc2y7yzbsx";
})
(xsaPatch {
name = "206-4.5/0003-oxenstored-refactor-putting-response-on-wire";
sha256 = "0xf566yicnisliy82cydb2s9k27l3bxc43qgmv6yr2ir3ixxlw5s";
})
(xsaPatch {
name = "206-4.5/0004-oxenstored-remove-some-unused-parameters";
sha256 = "16cqx9i0w4w3x06qqdk9rbw4z96yhm0kbc32j40spfgxl82d1zlk";
})
(xsaPatch {
name = "206-4.5/0005-oxenstored-refactor-request-processing";
sha256 = "1g2hzlv7w03sqnifbzda85mwlz3bw37rk80l248180sv3k7k6bgv";
})
(xsaPatch {
name = "206-4.5/0006-oxenstored-keep-track-of-each-transaction-s-operatio";
sha256 = "0n65yfxvpfd4cz95dpbwqj3nablyzq5g7a0klvi2y9zybhch9cmg";
})
(xsaPatch {
name = "206-4.5/0007-oxenstored-move-functions-that-process-simple-operat";
sha256 = "0qllvbc9rnj7jhhlslxxs35gvphvih0ywz52jszj4irm23ka5vnz";
})
(xsaPatch {
name = "206-4.5/0008-oxenstored-replay-transaction-upon-conflict";
sha256 = "0lixkxjfzciy9l0f980cmkr8mcsx14c289kg0mn5w1cscg0hb46g";
})
(xsaPatch {
name = "206-4.5/0009-oxenstored-log-request-and-response-during-transacti";
sha256 = "09ph8ddcx0k7rndd6hx6kszxh3fhxnvdjsq13p97n996xrpl1x7b";
})
(xsaPatch {
name = "206-4.5/0010-oxenstored-allow-compilation-prior-to-OCaml-3.12.0";
sha256 = "1y0m7sqdz89z2vs4dfr45cyvxxas323rxar0xdvvvivgkgxawvxj";
})
(xsaPatch {
name = "206-4.5/0011-oxenstored-comments-explaining-some-variables";
sha256 = "1d3n0y9syya4kaavrvqn01d3wsn85gmw7qrbylkclznqgkwdsr2p";
})
(xsaPatch {
name = "206-4.5/0012-oxenstored-handling-of-domain-conflict-credit";
sha256 = "12zgid5y9vrhhpk2syxp0x01lzzr6447fa76n6rjmzi1xgdzpaf8";
})
(xsaPatch {
name = "206-4.5/0013-oxenstored-ignore-domains-with-no-conflict-credit";
sha256 = "0v3g9pm60w6qi360hdqjcw838s0qcyywz9qpl8gzmhrg7a35avxl";
})
(xsaPatch {
name = "206-4.5/0014-oxenstored-add-transaction-info-relevant-to-history-";
sha256 = "0vv3w0h5xh554i9v2vbc8gzm8wabjf2vzya3dyv5yzvly6ygv0sb";
})
(xsaPatch {
name = "206-4.5/0015-oxenstored-support-commit-history-tracking";
sha256 = "1iv2vy29g437vj73x9p33rdcr5ln2q0kx1b3pgxq202ghbc1x1zj";
})
(xsaPatch {
name = "206-4.5/0016-oxenstored-only-record-operations-with-side-effects-";
sha256 = "1cjkw5ganbg6lq78qsg0igjqvbgph3j349faxgk1p5d6nr492zzy";
})
(xsaPatch {
name = "206-4.5/0017-oxenstored-discard-old-commit-history-on-txn-end";
sha256 = "0lm15lq77403qqwpwcqvxlzgirp6ffh301any9g401hs98f9y4ps";
})
(xsaPatch {
name = "206-4.5/0018-oxenstored-track-commit-history";
sha256 = "1jh92p6vjhkm3bn5vz260npvsjji63g2imsxflxs4f3r69sz1nkd";
})
(xsaPatch {
name = "206-4.5/0019-oxenstored-blame-the-connection-that-caused-a-transa";
sha256 = "17k264pk0fvsamj85578msgpx97mw63nmj0j9v5hbj4bgfazvj4h";
})
(xsaPatch {
name = "206-4.5/0020-oxenstored-allow-self-conflicts";
sha256 = "15z3rd49q0pa72si0s8wjsy2zvbm613d0hjswp4ikc6nzsnsh4qy";
})
(xsaPatch {
name = "206-4.5/0021-oxenstored-do-not-commit-read-only-transactions";
sha256 = "04wpzazhv90lg3228z5i6vnh1z4lzd08z0d0fvc4br6pkd0w4va8";
})
(xsaPatch {
name = "206-4.5/0022-oxenstored-don-t-wake-to-issue-no-conflict-credit";
sha256 = "1shbrn0w68rlywcc633zcgykfccck1a77igmg8ydzwjsbwxsmsjy";
})
(xsaPatch {
name = "206-4.5/0023-oxenstored-transaction-conflicts-improve-logging";
sha256 = "1086y268yh8047k1vxnxs2nhp6izp7lfmq01f1gq5n7jiy1sxcq7";
})
(xsaPatch {
name = "206-4.5/0024-oxenstored-trim-history-in-the-frequent_ops-function";
sha256 = "014zs6i4gzrimn814k5i7gz66vbb0adkzr2qyai7i4fxc9h9r7w8";
})
];
# 4.5 - 4.8
XSA_207 = (xsaPatch {
name = "207";
sha256 = "0wdlhijmw9mdj6a82pyw1rwwiz605dwzjc392zr3fpb2jklrvibc";
});
# 4.5 - 4.8
XSA_212 = (xsaPatch {
name = "212";
sha256 = "1ggjbbym5irq534a3zc86md9jg8imlpc9wx8xsadb9akgjrr1r8d";
});
# 4.5
XSA_213_45 = (xsaPatch {
name = "213-4.5";
sha256 = "1vnqf89ydacr5bq3d6z2r33xb2sn5vsd934rncyc28ybc9rvj6wm";
});
# 4.5 - 4.8
XSA_214 = (xsaPatch {
name = "214";
sha256 = "0qapzx63z0yl84phnpnglpkxp6b9sy1y7cilhwjhxyigpfnm2rrk";
});
# 4.5
XSA_215 = (xsaPatch {
name = "215";
sha256 = "0sv8ccc5xp09f1w1gj5a9n3mlsdsh96sdb1n560vh31f4kkd61xs";
});
# 4.5
XSA_217_45 = (xsaPatch {
name = "217-4.5";
sha256 = "067pgsfrb9py2dhm1pk9g8f6fs40vyfrcxhj8c12vzamb6svzmn4";
});
# 4.5
XSA_218_45 = [
(xsaPatch {
name = "218-4.5/0001-IOMMU-handle-IOMMU-mapping-and-unmapping-failures";
sha256 = "00y6j3yjxw0igpldsavikmhlxw711k2jsj1qx0s05w2k608gadkq";
})
(xsaPatch {
name = "218-4.5/0002-gnttab-fix-unmap-pin-accounting-race";
sha256 = "0qbbfnnjlpdcd29mzmacfmi859k92c213l91q7w1rg2k6pzx928k";
})
(xsaPatch {
name = "218-4.5/0003-gnttab-Avoid-potential-double-put-of-maptrack-entry";
sha256 = "1cndzvyhf41mk4my6vh3bk9jvh2y4gpmqdhvl9zhxhmppszslqkc";
})
(xsaPatch {
name = "218-4.5/0004-gnttab-correct-maptrack-table-accesses";
sha256 = "02zpb0ffigijacqvyyjylwx3qpgibwslrka7mbxwnclf4s9c03a2";
})
];
# 4.5
XSA_219_45 = (xsaPatch {
name = "219-4.5";
sha256 = "003msr5vhsc66scmdpgn0lp3p01g4zfw5vj86y5lw9ajkbaywdsm";
});
# 4.5
XSA_220_45 = (xsaPatch {
name = "220-4.5";
sha256 = "1dj9nn6lzxlipjb3nb7b9m4337fl6yn2bd7ap1lqrjn8h9zkk1pp";
});
# 4.5 - 4.8
XSA_221 = (xsaPatch {
name = "221";
sha256 = "1mcr1nqgxyjrkywdg7qhlfwgz7vj2if1dhic425vgd41p9cdgl26";
});
# 4.5
XSA_222_45 = [
(xsaPatch {
name = "222-1-4.6";
sha256 = "1g4dqm5qx4wqlv1520jpfiscph95vllcp4gqp1rdfailk8xi0mcf";
})
(xsaPatch {
name = "222-2-4.5";
sha256 = "1hw8rhc7q4v309f4w11gxfsn5x1pirvxkg7s4kr711fnmvp9hkzd";
})
];
# 4.5 - 4.8
XSA_223 = (xsaPatch {
name = "223";
sha256 = "0803gjgcbq9vaz2mq0v5finf1fq8iik1g4hqsjqhjxvspn8l70c5";
});
# 4.5
XSA_224_45 = [
(xsaPatch {
name = "224-4.5/0001-gnttab-Fix-handling-of-dev_bus_addr-during-unmap";
sha256 = "1aislj66ss4cb3v2bh12mrqsyrf288d4h54rj94jjq7h1hnycw7h";
})
(xsaPatch {
name = "224-4.5/0002-gnttab-never-create-host-mapping-unless-asked-to";
sha256 = "1j6fgm1ccb07gg0mi5qmdr0vqwwc3n12z433g1jrija2gbk1x8aq";
})
(xsaPatch {
name = "224-4.5/0003-gnttab-correct-logic-to-get-page-references-during-m";
sha256 = "166kmicwx280fjqjvgigbmhabjksa0hhvqx5h4v6kjlcjpmxqy08";
})
(xsaPatch {
name = "224-4.5/0004-gnttab-__gnttab_unmap_common_complete-is-all-or-noth";
sha256 = "1skc0yj1zsn8xgyq1y57bdc0scvvlmd0ynrjwwf1zkias1wlilav";
})
];
# 4.5
XSA_226_45 = [
(xsaPatch {
name = "226-4.5/0001-gnttab-dont-use-possibly-unbounded-tail-calls";
sha256 = "1hx47ppv5q33cw4dwp82lgvv4fp28gx7rxijw0iaczsv8bvb8vcg";
})
(xsaPatch {
name = "226-4.5/0002-gnttab-fix-transitive-grant-handling";
sha256 = "1gzp8m2zfihwlk71c3lqyd0ajh9h11pvkhzhw0mawckxy0qksvlc";
})
];
# 4.5
XSA_227_45 = (xsaPatch {
name = "227-4.5";
sha256 = "1qfjfisgqm4x98qw54x2qrvgjnvvzizx9p1pjhcnsps9q6g1y3x8";
});
# 4.5 - 4.9
XSA_230 = (xsaPatch {
name = "230";
sha256 = "10x0j7wmzkrwycs1ng89fgjzvzh8vsdd4c5nb68b3j1azdx4ld83";
});
# 4.5
XSA_231_45 = (xsaPatch {
name = "231-4.5";
sha256 = "06gwx2f1lg51dfk2b4zxp7wv9c4pxdi87pg2asvmxqc78ir7l5s6";
});
# 4.5 - 4.9
XSA_232 = (xsaPatch {
name = "232";
sha256 = "0n6irjpmraa3hbxxm64a1cplc6y6g07x7v2fmlpvn70ql3fs0220";
});
# 4.5 - 4.9
XSA_233 = (xsaPatch {
name = "233";
sha256 = "1w3m8349cqav56av63w6jzvlsv4jw5rimwvskr9pq2rcbk2dx8kf";
});
# 4.5
XSA_234_45 = (xsaPatch {
name = "234-4.5";
sha256 = "1ji6hbgybb4gbgz5l5fis9midnvjbddzam8d63377rkzdyb3yz9f";
});
# 4.5
XSA_235_45 = (xsaPatch {
name = "235-4.5";
sha256 = "0hhgnql2gji111020z4wiyzg23wqs6ymanb67rg11p4qad1fp3ff";
});
# 4.5
XSA_236_45 = (xsaPatch {
name = "236-4.5";
sha256 = "0hcla86x81wykssd2967gblp7fzx61290p4ls4v0hcyxdg2bs2yz";
});
# 4.5
XSA_237_45 = [
(xsaPatch {
name = "237-4.5/0001-x86-dont-allow-MSI-pIRQ-mapping-on-unowned-device";
sha256 = "0hjxs20jhls4i0iph45a0qpw4znkm04gv74jmwhw84gy4hrhzq3b";
})
(xsaPatch {
name = "237-4.5/0002-x86-enforce-proper-privilege-when-mapping-pIRQ-s";
sha256 = "0ki8nmbc2g1l9wnqsph45a2k4c6dk5s7jvdlxg3zznyiyxjcv8yn";
})
(xsaPatch {
name = "237-4.5/0003-x86-MSI-disallow-redundant-enabling";
sha256 = "1hdz83qrjaqnihz8ji186dypxiblbfpgyb01j9m5alhk4whjqvp1";
})
(xsaPatch {
name = "237-4.5/0004-x86-IRQ-conditionally-preserve-irq-pirq-mapping-on-error";
sha256 = "0csdfn9kzn1k94pg3fcwsgqw14wcd4myi1jkcq5alj1fmkhw4wmk";
})
(xsaPatch {
name = "237-4.5/0005-x86-FLASK-fix-unmap-domain-IRQ-XSM-hook";
sha256 = "14b73rkvbkd1a2gh9kp0zrvv2d3kfwkiv24fg9agh4hrf2w3nx7y";
})
];
# 4.5
XSA_238_45 = (xsaPatch {
name = "238-4.5";
sha256 = "1x2fg5vfv5jc084h5gjm6fq0nxjpzvi96px3sqzz4pvsvy4y4i1z";
});
# 4.5
XSA_239_45 = (xsaPatch {
name = "239-4.5";
sha256 = "06bi8q3973yajxsdj7pcqarvb56q2gisxdiy0cpbyffbmpkfv3h6";
});
# 4.5
XSA_240_45 = [
(xsaPatch {
name = "240-4.5/0001-x86-limit-linear-page-table-use-to-a-single-level";
sha256 = "0pmf10mbnmb88y7mly8s2l0j88cg0ayhkcnmj1zbjrkjmpccv395";
})
(xsaPatch {
name = "240-4.5/0002-x86-mm-Disable-PV-linear-pagetables-by-default";
sha256 = "19f096ra3xndvzkjjasx73p2g25hfkm905px0p3yakwll0qzd029";
})
];
# 4.5 - 4.8
XSA_241 = (xsaPatch {
name = "241-4.8";
sha256 = "16zb75kzs98f4mdxhbyczk5mbh9dvn6j3yhfafki34x1dfdnq4pj";
});
# 4.5 - 4.9
XSA_242 = (xsaPatch {
name = "242-4.9";
sha256 = "0yx3x0i2wybsm7lzdffxa2mm866bjl4ipbb9vipnw77dyg705zpr";
});
# 4.5
XSA_243_45 = [
(xsaPatch {
name = "243-4.6-1";
sha256 = "1cqanpyysa7px0j645z4jw9yqsvv6cbh7yq1b86ap134axfifcan";
})
(xsaPatch {
name = "243-4.5-2";
sha256 = "0wbcgw4m0nzm2902jnda2020l7bd5adkq8j5myi1zmsfzbq03hwn";
})
];
# 4.5
XSA_244_45 = (xsaPatch {
name = "244-4.5";
sha256 = "05ci3vdl1ywfjpzcvsy1k52whxjk8pxzj7dh3r94yqasr56i5v2l";
});
# 4.5 - 4.9
XSA_245 = [
(xsaPatch {
name = "245/0001-xen-page_alloc-Cover-memory-unreserved-after-boot-in";
sha256 = "12brsgbn7xwakalsn10afykgqmx119mqg6vjj3v2b1pnmf4ss0w8";
})
(xsaPatch {
name = "245/0002-xen-arm-Correctly-report-the-memory-region-in-the-du";
sha256 = "1k6z5r7wnrswsczn2j3a1mc4nvxqm4ydj6n6rvgqizk2pszdkqg8";
})
];
# 4.5 - 4.7
XSA_246_45 = [
(xsaPatch {
name = "246-4.7";
sha256 = "13rad4k8z3bq15d67dhgy96kdbrjiq9sy8px0jskbpx9ygjdahkn";
})
];
# 4.5
XSA_247_45 = [
(xsaPatch {
name = "247-4.5/0001-p2m-Always-check-to-see-if-removing-a-p2m-entry-actu";
sha256 = "0h1mp5s9si8aw2gipds317f27h9pi7bgnhj0bcmw11p0ch98sg1m";
})
(xsaPatch {
name = "247-4.5/0002-p2m-Check-return-value-of-p2m_set_entry-when-decreas";
sha256 = "0vjjybxbcm4xl26wbqvcqfiyvvlayswm4f98i1fr5a9abmljn5sb";
})
];
# 4.5
XSA_248_45 = [
(xsaPatch {
name = "248-4.5";
sha256 = "0csxg6h492ddsa210b45av28iqf7cn2dfdqk4zx10zwf1pv2shyn";
})
];
# 4.5 .. 4.9
XSA_249 = [
(xsaPatch {
name = "249";
sha256 = "0v6ngzqhkz7yv4n83xlpxfbkr2qyg5b1cds7ikkinm86hiqy6agl";
})
];
# 4.5
XSA_250_45 = [
(xsaPatch {
name = "250-4.5";
sha256 = "0pqldl6qnl834gvfp90z247q9xcjh3835s2iffnajz7jhjb2145d";
})
];
# 4.5
XSA_251_45 = [
(xsaPatch {
name = "251-4.5";
sha256 = "0lc94cx271z09r0mhxaypyd9d4740051p28idf5calx5228dqjgm";
})
];
XSA_386 = (xsaPatch {
name = "386";
sha256 = "sha256-pAuLgt3sDeL73NSDqZCWxRGZk1tWaYlDbh7cUcJ4s+w=";
});
}


@ -33,11 +33,11 @@
stdenv.mkDerivation (finalAttrs: {
pname = "apt";
version = "2.9.6";
version = "2.9.7";
src = fetchurl {
url = "mirror://debian/pool/main/a/apt/apt_${finalAttrs.version}.tar.xz";
hash = "sha256-eapV5XBc/WmpMSsf8j17WOUyMu4itk0WozPzrmJmDdc=";
hash = "sha256-y5mvbh/hPZdcjUbJYK9xTTuv3P7Y4VHdkKlGld1KwVs=";
};
# cycle detection; lib can't be split


@ -0,0 +1,84 @@
{ lib
, stdenv
, fetchFromBitbucket
, cmake
, pkg-config
, wrapGAppsHook3
, makeWrapper
, pixman
, libpthreadstubs
, gtkmm3
, libXau
, libXdmcp
, lcms2
, libiptcdata
, fftw
, expat
, pcre
, libsigcxx
, lensfun
, librsvg
, libcanberra-gtk3
, exiv2
, exiftool
, mimalloc
}:
stdenv.mkDerivation rec {
pname = "art";
version = "1.22.1";
src = fetchFromBitbucket {
owner = "agriggio";
repo = "art";
rev = version;
hash = "sha256-f6SnTvMelJaPGNeGboI34RvWXcJatEi1G6vfAdDFy8A=";
};
nativeBuildInputs = [
cmake
pkg-config
wrapGAppsHook3
];
buildInputs = [
pixman
libpthreadstubs
gtkmm3
libXau
libXdmcp
lcms2
libiptcdata
fftw
expat
pcre
libsigcxx
lensfun
librsvg
exiv2
exiftool
libcanberra-gtk3
mimalloc
];
cmakeFlags = [
"-DPROC_TARGET_NUMBER=2"
"-DCACHE_NAME_SUFFIX=\"\""
];
CMAKE_CXX_FLAGS = toString [
"-std=c++11"
"-Wno-deprecated-declarations"
"-Wno-unused-result"
];
env.CXXFLAGS = "-include cstdint"; # needed at least with gcc13 on aarch64-linux
meta = {
description = "A raw converter based on RawTherapee";
homepage = "https://bitbucket.org/agriggio/art/";
license = lib.licenses.gpl3Only;
maintainers = with lib.maintainers; [ paperdigits ];
mainProgram = "art";
platforms = lib.platforms.linux;
};
}
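Review bot: `CMAKE_CXX_FLAGS = toString [ ... ]` is set as a plain derivation attribute, so it reaches the builder only as an environment variable and is not passed to CMake as a cache entry. As far as I know CMake seeds its C++ flags from `CXXFLAGS` and does not read an environment variable named `CMAKE_CXX_FLAGS`, so `-std=c++11` and the two `-Wno-*` flags probably have no effect. If the warning suppressions are wanted, fold them into the existing line, e.g. `env.CXXFLAGS = "-include cstdint -Wno-deprecated-declarations -Wno-unused-result";`, and drop the dead attribute. Check separately whether `-std=c++11` is still wanted before reinstating it, since the build evidently passes without it. A smaller point: `description` should not start with an article, so `description = "Raw converter based on RawTherapee";`.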


@ -1,14 +1,18 @@
{ lib, stdenv, fetchFromGitHub }:
{
lib,
stdenv,
fetchFromGitHub,
}:
stdenv.mkDerivation rec {
pname = "await";
version = "0.999";
version = "1.0.1";
src = fetchFromGitHub {
owner = "slavaGanzin";
repo = "await";
rev = "v${version}";
hash = "sha256-z178TKA0x6UnpBQaA8dig2FLeJKGxPndfvwtmylAD90=";
hash = "sha256-5lKuqxrUAHfeV0hikrDbxkKAdPtODfal5byc3L7aZmw=";
};
buildPhase = ''


@ -95,7 +95,7 @@ stdenv.mkDerivation (finalAttrs: {
];
cmakeFlags = [
"-DENABLE_TESTS=${lib.boolToString finalAttrs.doCheck}"
"-DENABLE_TESTS=${lib.boolToString finalAttrs.finalPackage.doCheck}"
"-DGSETTINGS_LOCALINSTALL=ON"
"-DGSETTINGS_COMPILE=ON"
];


@ -30,10 +30,10 @@ stdenv.mkDerivation (finalAttrs: {
jansson
openssl
cmocka
] ++ lib.optionals finalAttrs.doCheck [ libpcap ];
] ++ lib.optionals finalAttrs.finalPackage.doCheck [ libpcap ];
cmakeFlags = [
"-DBNGBLASTER_TESTS=${if finalAttrs.doCheck then "ON" else "OFF"}"
"-DBNGBLASTER_TESTS=${if finalAttrs.finalPackage.doCheck then "ON" else "OFF"}"
"-DBNGBLASTER_VERSION=${finalAttrs.version}"
];


@ -10,16 +10,16 @@
}:
rustPlatform.buildRustPackage rec {
pname = "c2patool";
version = "0.9.5";
version = "0.9.6";
src = fetchFromGitHub {
owner = "contentauth";
repo = pname;
rev = "v${version}";
sha256 = "sha256-VmaU8cUtjF5xWOJqK1DB8AAPr1Q7nxOvZVPYsle67Pw=";
sha256 = "sha256-IESolMRRDJwLsWndXvat9otqPTPduQN1uZokx/tUCH0=";
};
cargoHash = "sha256-L79hWws9ub02K+3gL6bD5rtEiQGtq0BykxFmsml2EuI=";
cargoHash = "sha256-cgL/88CuiqaSWj7HJABiZnIkEzJUhgPl6e2OJQ5LAnM=";
# use the non-vendored openssl
OPENSSL_NO_VENDOR = 1;


@ -5,16 +5,16 @@
rustPlatform.buildRustPackage rec {
pname = "cargo-expand";
version = "1.0.88";
version = "1.0.89";
src = fetchFromGitHub {
owner = "dtolnay";
repo = pname;
rev = version;
hash = "sha256-H0KgtiBxafmk2PSIxnlhzRgqt5zVfk59qWnc4iDTL0k=";
hash = "sha256-oFc3hcTEZW0qgk8m4dl3NThz10ogWEMn+3BMUXmpehI=";
};
cargoHash = "sha256-UtXsUaJB7PY7FQaHu3EKZnbGjajW9e/WtK23fF0fU4c=";
cargoHash = "sha256-ce+yu3UbWbpB4UOyAAJR8MKmbJhfCHmaGHEhs5GpFeU=";
meta = with lib; {
description = "Cargo subcommand to show result of macro expansion";


@ -10,16 +10,16 @@
rustPlatform.buildRustPackage rec {
pname = "cargo-make";
version = "0.37.14";
version = "0.37.15";
src = fetchFromGitHub {
owner = "sagiegurari";
repo = "cargo-make";
rev = version;
hash = "sha256-YyZF45Oi8sqTC/YM8F2dNBUI1rB0mPNeWMT7dYFWB5Q=";
hash = "sha256-sIiRlqUn59BxrvOs7N1es3vJVQRerV0EhNntuXXgPJA=";
};
cargoHash = "sha256-tidV2mZgrJCokeUVKYQKlYENm7v362sGsi2Eb0vLNJ8=";
cargoHash = "sha256-MvCGdlEevHND7buW+JuAyH6gRck5ppSAq9xylXSgm5w=";
nativeBuildInputs = [ pkg-config ];


@ -64,7 +64,7 @@ stdenv.mkDerivation (finalAttrs: {
substituteInPlace CMakeLists.txt \
--replace-fail " DIRECTORY ." " DIRECTORY . EXCLUDE_FROM_ALL"
''
+ lib.optionalString finalAttrs.doCheck ''
+ lib.optionalString finalAttrs.finalPackage.doCheck ''
# Required for tests.
cp ${lib.getDev catch2}/include/catch2/catch.hpp test/
'';


@ -149,7 +149,7 @@ stdenv.mkDerivation (finalAttrs: {
checkInputs = [ kdePackages.qtdeclarative ];
postConfigure = lib.optionalString finalAttrs.doCheck ''
postConfigure = lib.optionalString finalAttrs.finalPackage.doCheck ''
ln -s ${testData} $cmakeDir/test-data
'';


@ -222,5 +222,8 @@ stdenv.mkDerivation (finalAttrs: {
mainProgram = "dmd";
maintainers = with maintainers; [ lionello dukc jtbx ];
platforms = [ "x86_64-linux" "i686-linux" "x86_64-darwin" ];
# ld: section __DATA/__thread_bss has type zero-fill but non-zero file offset file '/private/tmp/nix-build-dmd-2.109.1.drv-0/.rdmd-301/rdmd-build.d-A1CF043A7D87C5E88A58F3C0EF5A0DF7/objs/build.o' for architecture x86_64
# clang-16: error: linker command failed with exit code 1 (use -v to see invocation)
broken = stdenv.isDarwin && stdenv.isx86_64;
};
})


@ -69,7 +69,7 @@ stdenv.mkDerivation (finalAttrs: {
mkdir -p $doc/share/doc
cp -a doc $doc/share/doc/iwd
cp -a README AUTHORS TODO $doc/share/doc/iwd
'' + lib.optionalString finalAttrs.doCheck ''
'' + lib.optionalString finalAttrs.finalPackage.doCheck ''
mkdir -p $test/bin
cp -a test/* $test/bin/
'';


@ -7,16 +7,16 @@
buildGoModule rec {
pname = "files-cli";
version = "2.13.96";
version = "2.13.100";
src = fetchFromGitHub {
repo = "files-cli";
owner = "files-com";
rev = "v${version}";
hash = "sha256-TGaOTHtStmKHG/W/a/qWhZVt2IGcEdWD5mtZ2x4ozjI=";
hash = "sha256-Mfd7r+fVhhQ88rX1eH9lvbnaCf63lNnmWfyuOZ3kolU=";
};
vendorHash = "sha256-jeVEWicv2jYqhJt3aZAxx4fWmJXIVIryiS+ahqpdxsY=";
vendorHash = "sha256-kHGamX6MHql7+RJDQMx/b5oLJmGOA0TykYw/wfA2KG8=";
ldflags = [
"-s"


@ -41,7 +41,7 @@ stdenv.mkDerivation (finalAttrs: {
];
cmakeFlags = [
(lib.cmakeBool "BUILD_TESTING" (finalAttrs.doCheck or false))
(lib.cmakeBool "BUILD_TESTING" finalAttrs.finalPackage.doCheck)
# we need INSTALL_FHS to be true as the various artifacts are otherwise just dumped in the root
# of $out and the fixupPhase cleans things up anyway
(lib.cmakeBool "INSTALL_FHS" true)


@ -0,0 +1,169 @@
{ lts ? false
, version
, hash
, npmDepsHash
, vendorHash
}:
{ bash
, brotli
, buildGoModule
, forgejo
, git
, gzip
, lib
, makeWrapper
, nix-update-script
, nixosTests
, openssh
, pam
, pamSupport ? true
, sqliteSupport ? true
, xorg
, runCommand
, stdenv
, fetchFromGitea
, buildNpmPackage
}:
let
src = fetchFromGitea {
domain = "codeberg.org";
owner = "forgejo";
repo = "forgejo";
rev = "v${version}";
inherit hash;
};
frontend = buildNpmPackage {
pname = "forgejo-frontend";
inherit src version npmDepsHash;
patches = [
./package-json-npm-build-frontend.patch
];
# override npmInstallHook
installPhase = ''
mkdir $out
cp -R ./public $out/
'';
};
in
buildGoModule rec {
pname = "forgejo" + lib.optionalString lts "-lts";
inherit
version
src
vendorHash
;
subPackages = [ "." "contrib/environment-to-ini" ];
outputs = [ "out" "data" ];
nativeBuildInputs = [
makeWrapper
];
buildInputs = lib.optional pamSupport pam;
nativeCheckInputs = [
git
openssh
];
patches = [
./static-root-path.patch
];
postPatch = ''
substituteInPlace modules/setting/server.go --subst-var data
'';
tags = lib.optional pamSupport "pam"
++ lib.optionals sqliteSupport [ "sqlite" "sqlite_unlock_notify" ];
ldflags = [
"-s"
"-w"
"-X main.Version=${version}"
"-X 'main.Tags=${lib.concatStringsSep " " tags}'"
];
preConfigure = ''
export ldflags+=" -X main.ForgejoVersion=$(GITEA_VERSION=${version} make show-version-api)"
'';
preCheck = ''
# $HOME is required for ~/.ssh/authorized_keys and such
export HOME="$TMPDIR/home"
# expose and use the GO_TEST_PACKAGES var from the Makefile
# instead of manually copying over the entire list:
# https://codeberg.org/forgejo/forgejo/src/tag/v7.0.4/Makefile#L124
echo -e 'show-backend-tests:\n\t@echo ''${GO_TEST_PACKAGES}' >> Makefile
getGoDirs() {
make show-backend-tests
}
'';
checkFlags =
let
skippedTests = [
"Test_SSHParsePublicKey/dsa-1024/SSHKeygen" # dsa-1024 is deprecated in openssh and requires opting-in at compile time
"Test_calcFingerprint/dsa-1024/SSHKeygen" # dsa-1024 is deprecated in openssh and requires opting-in at compile time
"TestPamAuth" # we don't have PAM set up in the build sandbox
"TestPassword" # requires network: api.pwnedpasswords.com
"TestCaptcha" # requires network: hcaptcha.com
"TestDNSUpdate" # requires network: release.forgejo.org
"TestMigrateWhiteBlocklist" # requires network: gitlab.com (DNS)
];
in
[ "-skip=^${builtins.concatStringsSep "$|^" skippedTests}$" ];
postInstall = ''
mkdir $data
cp -R ./{templates,options} ${frontend}/public $data
mkdir -p $out
cp -R ./options/locale $out/locale
wrapProgram $out/bin/gitea \
--prefix PATH : ${lib.makeBinPath [ bash git gzip openssh ]}
'';
# $data is not available in goModules.drv
overrideModAttrs = (_: {
postPatch = null;
});
passthru = {
# allow nix-update to handle npmDepsHash
inherit (frontend) npmDeps;
data-compressed = runCommand "forgejo-data-compressed" {
nativeBuildInputs = [ brotli xorg.lndir ];
} ''
mkdir $out
lndir ${forgejo.data}/ $out/
# Create static gzip and brotli files
find -L $out -type f -regextype posix-extended -iregex '.*\.(css|html|js|svg|ttf|txt)' \
-exec gzip --best --keep --force {} ';' \
-exec brotli --best --keep --no-copy-stat {} ';'
'';
tests = if lts then nixosTests.forgejo-lts else nixosTests.forgejo;
updateScript = nix-update-script { };
};
meta = {
description = "Self-hosted lightweight software forge";
homepage = "https://forgejo.org";
changelog = "https://codeberg.org/forgejo/forgejo/releases/tag/${src.rev}";
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ emilylange urandom bendlas adamcstephens ];
broken = stdenv.isDarwin;
mainProgram = "gitea";
};
}
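Review bot: `passthru.data-compressed` runs `lndir ${forgejo.data}/ $out/`, where `forgejo` is the function argument and not the derivation being defined in this file. This file is now shared, and `pname` becomes `forgejo-lts` when `lts` is true. The LTS package's `data-compressed` would therefore presumably be built from whatever the `forgejo` attribute resolves to at the call site, which is the non-LTS release if `callPackage` fills it in. A server using it could then serve static assets from a different version than the binary it runs. The call site is not visible here, so this needs confirming; if it holds, link the package's own `data` output, for example by having the LTS call site pass itself as the `forgejo` argument, and add a comment above `data-compressed` saying which package's data it links.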


@ -0,0 +1,7 @@
import ./generic.nix {
version = "7.0.6";
hash = "sha256-Y8H85HMKnzNSXnrLOxhzOBSfedivGvcQ3MOAp31Kvno=";
npmDepsHash = "sha256-OqtYRjftwGxgW1JgMxyWd+9DndpEkd3LdQHSECc40yU=";
vendorHash = "sha256-hfbNyCQMQzDzJxFc2MPAR4+v/qNcnORiQNbwbbIA4Nw=";
lts = true;
}


@ -1,14 +1,12 @@
diff --git a/package.json b/package.json
index b50c52cf43..d6aafb8775 100644
index 0abf6fe8b9..9d6ae0fdff 100644
--- a/package.json
+++ b/package.json
@@ -98,5 +98,8 @@
},
"browserslist": [
"defaults"
- ]
+ ],
@@ -1,4 +1,7 @@
{
+ "scripts": {
+ "build": "node_modules/.bin/webpack"
+ }
}
+ },
"type": "module",
"engines": {
"node": ">= 18.0.0"


@ -1,157 +1,7 @@
{ bash
, brotli
, buildGoModule
, forgejo
, git
, gzip
, lib
, makeWrapper
, nix-update-script
, nixosTests
, openssh
, pam
, pamSupport ? true
, sqliteSupport ? true
, xorg
, runCommand
, stdenv
, fetchFromGitea
, buildNpmPackage
}:
let
frontend = buildNpmPackage {
pname = "forgejo-frontend";
inherit (forgejo) src version;
npmDepsHash = "sha256-Nu9aOjJpEAuCWWnJfZXy/GayiUDiyc3hOu6Bx7GxfxA=";
patches = [
./package-json-npm-build-frontend.patch
];
# override npmInstallHook
installPhase = ''
mkdir $out
cp -R ./public $out/
'';
};
in
buildGoModule rec {
pname = "forgejo";
version = "7.0.5";
src = fetchFromGitea {
domain = "codeberg.org";
owner = "forgejo";
repo = "forgejo";
rev = "v${version}";
hash = "sha256-Y/Ita5dr3COACffAIAjcqHHcdKiUWWEb/f/MPzMG200=";
};
vendorHash = "sha256-hfbNyCQMQzDzJxFc2MPAR4+v/qNcnORiQNbwbbIA4Nw=";
subPackages = [ "." "contrib/environment-to-ini" ];
outputs = [ "out" "data" ];
nativeBuildInputs = [
makeWrapper
git # checkPhase
openssh # checkPhase
];
buildInputs = lib.optional pamSupport pam;
patches = [
./static-root-path.patch
];
postPatch = ''
substituteInPlace modules/setting/server.go --subst-var data
'';
tags = lib.optional pamSupport "pam"
++ lib.optionals sqliteSupport [ "sqlite" "sqlite_unlock_notify" ];
ldflags = [
"-s"
"-w"
"-X main.Version=${version}"
"-X 'main.Tags=${lib.concatStringsSep " " tags}'"
];
preConfigure = ''
export ldflags+=" -X main.ForgejoVersion=$(GITEA_VERSION=${version} make show-version-api)"
'';
preCheck = ''
# $HOME is required for ~/.ssh/authorized_keys and such
export HOME="$TMPDIR/home"
# expose and use the GO_TEST_PACKAGES var from the Makefile
# instead of manually copying over the entire list:
# https://codeberg.org/forgejo/forgejo/src/tag/v7.0.4/Makefile#L124
echo -e 'show-backend-tests:\n\t@echo ''${GO_TEST_PACKAGES}' >> Makefile
getGoDirs() {
make show-backend-tests
}
'';
checkFlags =
let
skippedTests = [
"Test_SSHParsePublicKey/dsa-1024/SSHKeygen" # dsa-1024 is deprecated in openssh and requires opting-in at compile time
"Test_calcFingerprint/dsa-1024/SSHKeygen" # dsa-1024 is deprecated in openssh and requires opting-in at compile time
"TestPamAuth" # we don't have PAM set up in the build sandbox
"TestPassword" # requires network: api.pwnedpasswords.com
"TestCaptcha" # requires network: hcaptcha.com
"TestDNSUpdate" # requires network: release.forgejo.org
"TestMigrateWhiteBlocklist" # requires network: gitlab.com (DNS)
];
in
[ "-skip=^${builtins.concatStringsSep "$|^" skippedTests}$" ];
postInstall = ''
mkdir $data
cp -R ./{templates,options} ${frontend}/public $data
mkdir -p $out
cp -R ./options/locale $out/locale
wrapProgram $out/bin/gitea \
--prefix PATH : ${lib.makeBinPath [ bash git gzip openssh ]}
'';
# $data is not available in goModules.drv
overrideModAttrs = (_: {
postPatch = null;
});
passthru = {
# allow nix-update to handle npmDepsHash
inherit (frontend) npmDeps;
data-compressed = runCommand "forgejo-data-compressed" {
nativeBuildInputs = [ brotli xorg.lndir ];
} ''
mkdir $out
lndir ${forgejo.data}/ $out/
# Create static gzip and brotli files
find -L $out -type f -regextype posix-extended -iregex '.*\.(css|html|js|svg|ttf|txt)' \
-exec gzip --best --keep --force {} ';' \
-exec brotli --best --keep --no-copy-stat {} ';'
'';
tests = nixosTests.forgejo;
updateScript = nix-update-script { };
};
meta = {
description = "Self-hosted lightweight software forge";
homepage = "https://forgejo.org";
changelog = "https://codeberg.org/forgejo/forgejo/releases/tag/${src.rev}";
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ emilylange urandom bendlas adamcstephens ];
broken = stdenv.isDarwin;
mainProgram = "gitea";
};
import ./generic.nix {
version = "8.0.0";
hash = "sha256-ol/2D+zMieERVDHOKlu+wm3WKkQNjbIw0sc0KLUTwzI=";
npmDepsHash = "sha256-6AMaZadgcTvOBsIXJjZQB6Q1rkdn+R82pclXdVvtdWY=";
vendorHash = "sha256-tNb0tCf+gjUmUqrjkzt7Wqqz21hW9WRh8CEdX8rv8Do=";
lts = false;
}


@ -98,8 +98,8 @@ stdenv.mkDerivation (finalAttrs: {
(pluginName: "-DPLUGIN_${lib.toUpper pluginName}=${lib.toUpper (lib.boolToString finalAttrs.passthru.enablePluginStatus.${pluginName})}")
(lib.attrNames finalAttrs.passthru.enablePluginStatus)
)
++ [ "-DSKIP_TESTS=${lib.toUpper (lib.boolToString (!finalAttrs.doCheck))}" ]
++ lib.optionals finalAttrs.doCheck [ "-DGTEST_INCLUDE_DIR=${gtest.dev}/include" ]
++ [ "-DSKIP_TESTS=${lib.toUpper (lib.boolToString (!finalAttrs.finalPackage.doCheck))}" ]
++ lib.optionals finalAttrs.finalPackage.doCheck [ "-DGTEST_INCLUDE_DIR=${gtest.dev}/include" ]
++ lib.optionals finalAttrs.passthru.enablePluginStatus.http [ "-DCRYPTOPP_INCLUDE_DIRS=${cryptopp.dev}/include/cryptopp" ]
++ lib.optionals finalAttrs.passthru.enablePluginStatus.xrootd [ "-DXROOTD_INCLUDE_DIR=${xrootd.dev}/include/xrootd" ]
;


@ -1,25 +1,22 @@
{ lib
, pkgs
, stdenv
, fetchFromGitHub
, zig_0_12
, darwin
, zig_0_13
}:
let stdenv = if pkgs.stdenv.isDarwin then darwin.apple_sdk_11_0.stdenv else pkgs.stdenv; in
stdenv.mkDerivation (finalAttrs: {
pname = "glsl_analyzer";
version = "1.4.5";
version = "1.5.1";
src = fetchFromGitHub {
owner = "nolanderc";
repo = "glsl_analyzer";
rev = "v${finalAttrs.version}";
hash = "sha256-+eYBw/F1RzI5waAkLgbV0J/Td91hbNcAtHcisQaL82k=";
hash = "sha256-AIzk05T8JZn8HWSI6JDFUIYl4sutd3HR3Zb+xmJll0g=";
};
nativeBuildInputs = [
zig_0_12.hook
zig_0_13.hook
];
postPatch = ''


@ -1,83 +1,187 @@
{ lib, stdenv, patchelf, makeWrapper, fetchurl, writeScript
{
fetchurl,
lib,
makeWrapper,
patchelf,
stdenv,
writeScript,
# Linked dynamic libraries.
, glib, fontconfig, freetype, pango, cairo, libX11, libXi, atk, nss, nspr
, libXcursor, libXext, libXfixes, libXrender, libXScrnSaver, libXcomposite, libxcb
, alsa-lib, libXdamage, libXtst, libXrandr, libxshmfence, expat, cups
, dbus, gtk3, gtk4, gdk-pixbuf, gcc-unwrapped, at-spi2-atk, at-spi2-core
, libkrb5, libdrm, libglvnd, mesa
, libxkbcommon, pipewire, wayland # ozone/wayland
# Linked dynamic libraries.
alsa-lib,
at-spi2-atk,
at-spi2-core,
atk,
cairo,
cups,
dbus,
expat,
fontconfig,
freetype,
gcc-unwrapped,
gdk-pixbuf,
glib,
gtk3,
gtk4,
libdrm,
libglvnd,
libkrb5,
libX11,
libxcb,
libXcomposite,
libXcursor,
libXdamage,
libXext,
libXfixes,
libXi,
libxkbcommon,
libXrandr,
libXrender,
libXScrnSaver,
libxshmfence,
libXtst,
mesa,
nspr,
nss,
pango,
pipewire,
wayland, # ozone/wayland
# Command line programs
, coreutils
# Command line programs
coreutils,
# command line arguments which are always set e.g "--disable-gpu"
, commandLineArgs ? ""
# command line arguments which are always set e.g "--disable-gpu"
commandLineArgs ? "",
# Will crash without.
, systemd
# Will crash without.
systemd,
# Loaded at runtime.
, libexif, pciutils
# Loaded at runtime.
libexif,
pciutils,
# Additional dependencies according to other distros.
## Ubuntu
, liberation_ttf, curl, util-linux, xdg-utils, wget
## Arch Linux.
, flac, harfbuzz, icu, libpng, libopus, snappy, speechd-minimal
## Gentoo
, bzip2, libcap
# Additional dependencies according to other distros.
## Ubuntu
curl,
liberation_ttf,
util-linux,
wget,
xdg-utils,
## Arch Linux.
flac,
harfbuzz,
icu,
libopus,
libpng,
snappy,
speechd-minimal,
## Gentoo
bzip2,
libcap,
# Necessary for USB audio devices.
, pulseSupport ? true, libpulseaudio
# Necessary for USB audio devices.
libpulseaudio,
pulseSupport ? true,
, gsettings-desktop-schemas
, adwaita-icon-theme
adwaita-icon-theme,
gsettings-desktop-schemas,
# For video acceleration via VA-API (--enable-features=VaapiVideoDecoder)
, libvaSupport ? true, libva
# For video acceleration via VA-API (--enable-features=VaapiVideoDecoder)
libva,
libvaSupport ? true,
# For Vulkan support (--enable-features=Vulkan)
, addDriverRunpath
# For Vulkan support (--enable-features=Vulkan)
addDriverRunpath,
}:
let
opusWithCustomModes = libopus.override {
withCustomModes = true;
};
opusWithCustomModes = libopus.override { withCustomModes = true; };
deps = [
glib fontconfig freetype pango cairo libX11 libXi atk nss nspr
libXcursor libXext libXfixes libXrender libXScrnSaver libXcomposite libxcb
alsa-lib libXdamage libXtst libXrandr libxshmfence expat cups
dbus gdk-pixbuf gcc-unwrapped.lib
systemd
libexif pciutils
liberation_ttf curl util-linux wget
flac harfbuzz icu libpng opusWithCustomModes snappy speechd-minimal
bzip2 libcap at-spi2-atk at-spi2-core
libkrb5 libdrm libglvnd mesa coreutils
libxkbcommon pipewire wayland
] ++ lib.optional pulseSupport libpulseaudio
deps =
[
alsa-lib
at-spi2-atk
at-spi2-core
atk
bzip2
cairo
coreutils
cups
curl
dbus
expat
flac
fontconfig
freetype
gcc-unwrapped.lib
gdk-pixbuf
glib
harfbuzz
icu
libcap
libdrm
liberation_ttf
libexif
libglvnd
libkrb5
libpng
libX11
libxcb
libXcomposite
libXcursor
libXdamage
libXext
libXfixes
libXi
libxkbcommon
libXrandr
libXrender
libXScrnSaver
libxshmfence
libXtst
mesa
nspr
nss
opusWithCustomModes
pango
pciutils
pipewire
snappy
speechd-minimal
systemd
util-linux
wayland
wget
]
++ lib.optional pulseSupport libpulseaudio
++ lib.optional libvaSupport libva
++ [ gtk3 gtk4 ];
++ [
gtk3
gtk4
];
in stdenv.mkDerivation (finalAttrs: {
in
stdenv.mkDerivation (finalAttrs: {
pname = "google-chrome";
version = "127.0.6533.72";
version = "127.0.6533.88";
src = fetchurl {
url = "https://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_${finalAttrs.version}-1_amd64.deb";
hash = "sha256-DpEYK/6SEaNfEa8uzGhXhALSSxt51X9X5ksaia8srJg=";
hash = "sha256-0l9cidNFO0dcyzWy4nDD/OGFQDBLXx9aPVq6ioDkqK0=";
};
nativeBuildInputs = [ patchelf makeWrapper ];
buildInputs = [
# needed for GSETTINGS_SCHEMAS_PATH
gsettings-desktop-schemas glib gtk3
nativeBuildInputs = [
makeWrapper
patchelf
];
buildInputs = [
# needed for XDG_ICON_DIRS
adwaita-icon-theme
glib
gtk3
gtk4
# needed for GSETTINGS_SCHEMAS_PATH
gsettings-desktop-schemas
];
unpackPhase = ''
@ -160,7 +264,10 @@ in stdenv.mkDerivation (finalAttrs: {
changelog = "https://chromereleases.googleblog.com/";
license = lib.licenses.unfree;
sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
maintainers = with lib.maintainers; [ jnsgruk johnrtitor ];
maintainers = with lib.maintainers; [
jnsgruk
johnrtitor
];
platforms = [ "x86_64-linux" ];
mainProgram = "google-chrome-stable";
};


@ -2,7 +2,6 @@
lib,
stdenvNoCC,
fetchFromGitHub,
gnome,
sassc,
gnome-themes-extra,
gtk-engine-murrine,
@ -32,7 +31,7 @@ stdenvNoCC.mkDerivation {
propagatedUserEnvPkgs = [ gtk-engine-murrine ];
nativeBuildInputs = [ gnome.gnome-shell sassc ];
nativeBuildInputs = [ sassc ];
buildInputs = [ gnome-themes-extra ];
dontBuild = true;


@ -9,13 +9,13 @@
buildGoModule rec {
pname = "grype";
version = "0.79.3";
version = "0.79.4";
src = fetchFromGitHub {
owner = "anchore";
repo = "grype";
rev = "refs/tags/v${version}";
hash = "sha256-EAolb8r4n0r9SC7eh4wogHIM3iYgf9lKRFHryD4hhGc=";
hash = "sha256-h9XqqT4cyOxfAdQuG3DcLQLLXgjrRNjdwmE7eaeLxbg=";
# populate values that require us to use git. By doing this in postFetch we
# can delete .git afterwards and maintain better reproducibility of the src.
leaveDotGit = true;
@ -30,7 +30,7 @@ buildGoModule rec {
proxyVendor = true;
vendorHash = "sha256-/SbEc2YEXwBqR8PPnPj8Q3lDGMp/Kpib8E4lUzFGGV8=";
vendorHash = "sha256-qlkGNQC1MUkRg+coKruEwyu3hBrYgILaj8IOhOj7nAc=";
nativeBuildInputs = [ installShellFiles ];


@ -26,10 +26,10 @@ stdenv.mkDerivation (finalAttrs: {
nativeBuildInputs = [ cmake ];
buildInputs = [ boost libcpr ]
++ lib.optionals finalAttrs.doCheck [ catch2_3 trompeloeil ];
++ lib.optionals finalAttrs.finalPackage.doCheck [ catch2_3 trompeloeil ];
cmakeFlags = [
(lib.cmakeBool "INFLUXCXX_TESTING" finalAttrs.doCheck)
(lib.cmakeBool "INFLUXCXX_TESTING" finalAttrs.finalPackage.doCheck)
(lib.cmakeFeature "CMAKE_CTEST_ARGUMENTS" "-E;BoostSupportTest") # requires network access
];
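Review bot: The move from `finalAttrs.doCheck` to `finalAttrs.finalPackage.doCheck` in `buildInputs` and in the `INFLUXCXX_TESTING` flag has no comment, so a later cleanup could shorten it back. As far as I know, `finalAttrs.doCheck` is the value written in the expression, while `finalPackage.doCheck` is the value the derivation ends up with after mkDerivation has had its say (for example when the build platform cannot run host binaries). A line such as `# finalPackage.doCheck is the effective value after mkDerivation, not the one written here` above the first use would record that. The same applies to the libdict `cmakeFlags` hunk and the two neovim hunks further down this page; the enclosing `mkDerivation` call starts and ends outside this hunk.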


@ -0,0 +1,46 @@
{
lib,
buildGoModule,
fetchpatch,
fetchFromGitHub,
}:
buildGoModule rec {
pname = "journalist";
version = "1.0.0-unstable-2024-06-15";
src = fetchFromGitHub {
owner = "mrusme";
repo = "journalist";
rev = "93781b1278e271995769f576b74fee794a19de14";
hash = "sha256-RRo9AEaHJPzN9+oW5kIBUNCPVdFkY2USOIZeUts8P/M=";
};
overrideModAttrs = _oldAttrs: {
patches = [
# fix go.sum by adding missing module
# see https://github.com/mrusme/journalist/pull/18
(fetchpatch {
name = "fix-go-sum.patch";
url = "https://github.com/mrusme/journalist/commit/546585222993586057a12ab4e9b38000c537f6cf.patch";
hash = "sha256-+QZhP/Har5UVi1pvqB6wWY0+xKqP0B8QukCcNlGkqxQ=";
})
];
};
vendorHash = "sha256-fEHVc9kRbeeXICWhJshLp9JK/ICBR/RB5SVChJzSXpI=";
ldflags = [
"-s"
"-w"
"-X github.com/mrusme/journalist/journalistd.VERSION=${version}"
];
meta = {
description = "RSS aggregator";
homepage = "https://github.com/mrusme/journalist";
license = lib.licenses.gpl3Only;
maintainers = with lib.maintainers; [ moraxyc ];
mainProgram = "journalist";
};
}
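Review bot: The go.sum patch is listed under `overrideModAttrs`, so it reaches only the derivation that fetches the Go modules, and the comment above the `fetchpatch` does not say that. A reader could take `patches` here for a patch to the source of the final build, which is built from the unpatched checkout plus the vendored modules. I would extend the comment to `# fix go.sum by adding missing module; applied only to the module-fetching derivation, drop once the upstream PR is in the pinned rev`. Both the source and the patch are pinned by full commit id and hash, which is the right shape for an unstable snapshot.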


@ -24,7 +24,7 @@ stdenv.mkDerivation (finalAttrs: {
];
cmakeFlags = [
"-DLIBDICT_TESTS=${if finalAttrs.doCheck then "ON" else "OFF"}"
"-DLIBDICT_TESTS=${if finalAttrs.finalPackage.doCheck then "ON" else "OFF"}"
"-DLIBDICT_SHARED=${if stdenv.hostPlatform.isStatic then "OFF" else "ON"}"
];


@ -69,13 +69,13 @@ let
in
effectiveStdenv.mkDerivation (finalAttrs: {
pname = "llama-cpp";
version = "3423";
version = "3499";
src = fetchFromGitHub {
owner = "ggerganov";
repo = "llama.cpp";
rev = "refs/tags/b${finalAttrs.version}";
hash = "sha256-ztc5BGuqGKor9ag5XPEVPLhOryQg8GGlFX6Ye8v1nok=";
hash = "sha256-qF2vjZqRFWVMQhswdlDv80ML7H4UiVc0hWva9nxMGUk=";
leaveDotGit = true;
postFetch = ''
git -C "$out" rev-parse --short HEAD > $out/COMMIT


@ -38,13 +38,13 @@ let
in
php.buildComposerProject (finalAttrs: {
pname = "movim";
version = "0.25.1";
version = "0.26";
src = fetchFromGitHub {
owner = "movim";
repo = "movim";
rev = "refs/tags/v${finalAttrs.version}";
hash = "sha256-VshDFHDCfemHS/TN5qEe8CGizZksf44xENSmvX44uAc=";
hash = "sha256-ffAA4aDcjJSuqBIqI6b36daAp7UWj+FpWxYiY+c+f5Q=";
};
php = php.buildEnv ({
@ -67,17 +67,17 @@ php.buildComposerProject (finalAttrs: {
# pinned commonmark
composerStrictValidation = false;
vendorHash = "sha256-nxbsw0re/7zKhpWxtA8JAf7JL3RLghqaYsi4rkM6VZg=";
vendorHash = "sha256-4KNGWI4hvlDnIxo9nh/hytxkk+KVxjB8uF/HB88XPwQ=";
postPatch = ''
# Our modules are already wrapped, removes missing *.so warnings;
# replacing `$configuration` with actually-used flags.
substituteInPlace src/Movim/Daemon/Session.php \
--replace-fail "exec php ' . \$configuration " "exec php -dopcache.enable=1 -dopcache.enable_cli=1 ' "
--replace-fail \
"'exec ' . PHP_BINARY . ' ' . \$configuration . '" \
"'exec ' . PHP_BINARY . ' -dopcache.enable=1 -dopcache.enable_cli=1 ' . '"
# Point to PHP + PHP INI in the Nix store
substituteInPlace src/Movim/{Console/DaemonCommand.php,Daemon/Session.php} \
--replace-fail "exec php " "exec ${lib.getExe finalAttrs.php} "
substituteInPlace src/Movim/Console/DaemonCommand.php \
--replace-fail "<info>php vendor/bin/phinx migrate</info>" \
"<info>${lib.getBin finalAttrs.php} vendor/bin/phinx migrate</info>" \
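Review bot: In the phinx hint at the end of this hunk, `${lib.getBin finalAttrs.php}` interpolates to the store path of the PHP output, which is a directory, so the message shown to the operator cannot be run as printed. The line appears to be untouched context in this change, and the `substituteInPlace` call continues past the end of the hunk, so the rest of it is not visible here. If a runnable command is intended, `"<info>${lib.getExe finalAttrs.php} vendor/bin/phinx migrate</info>" \` would match the `lib.getExe` form used for the `exec php ` substitution shown a few lines above.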


@ -9,13 +9,13 @@
stdenv.mkDerivation (finalAttrs: {
pname = "msolve";
version = "0.6.7";
version = "0.7.1";
src = fetchFromGitHub {
owner = "algebraic-solving";
repo = "msolve";
rev = "v${finalAttrs.version}";
hash = "sha256-w7+7Ef5X+pRUW9+2akXv7By37ROB7nTij6J1Iy8P/eU=";
hash = "sha256-f1AtZ0tyHg3fqz44GK7eCsye+wiKeBbpKK9JWXpV/tk=";
};
postPatch = ''


@ -41,7 +41,7 @@ stdenv.mkDerivation (finalAttrs:
(nvim-lpeg-dylib ps)
luabitop
mpack
] ++ lib.optionals finalAttrs.doCheck [
] ++ lib.optionals finalAttrs.finalPackage.doCheck [
luv
coxpcall
busted
@ -105,7 +105,7 @@ in {
tree-sitter
unibilium
] ++ lib.optionals stdenv.isDarwin [ libiconv CoreServices ]
++ lib.optionals finalAttrs.doCheck [ glibcLocales procps ]
++ lib.optionals finalAttrs.finalPackage.doCheck [ glibcLocales procps ]
;
doCheck = false;


@ -0,0 +1,3 @@
{ python3Packages }:
python3Packages.toPythonApplication python3Packages.nose2pytest


@ -6,13 +6,13 @@
buildGoModule rec {
pname = "packer";
version = "1.11.1";
version = "1.11.2";
src = fetchFromGitHub {
owner = "hashicorp";
repo = "packer";
rev = "v${version}";
hash = "sha256-GjC8nc8gpYQ3v0IYJc6vz0809PD6kTWx/HE1UOhTYc0=";
hash = "sha256-xi5CWL+KQd9nZSd0EscdH+lfw+WLtteSxtEos0lCNcA=";
};
vendorHash = "sha256-Xmmc30W1ZfMc7YSQswyCjw1KyDA5qi8W+kZ1L7cM3cQ=";
