Every version is insecure, none of them build successfully, the
project has been abandoned upstream for years, the website is gone,
and nothing in the tree that works used them.

Unmaintained, abandoned upstream, depends on an outdated version of
the abandoned libav, and doesn’t build even if that dependency is
replaced with FFmpeg.

MuPDF 1.17 was kept for `k2pdfopt` but it is no longer needed since 01a2741e7a.
There is no good reason to keep this old version with known vulnerabilities.

This was broken by the Rust 1.80 upgrade, and is an old version that
we’d have to patch to keep working.

We have already done the 0.4 → 0.5 update without keeping around
the old version or adding in any additional `stateVersion` logic
in <https://github.com/NixOS/nixpkgs/pull/280221>. As a result,
migration for 0.3 users is going to be a little awkward. I’ve done
my best to provide comprehensive instructions for anyone who hasn’t
already bumped to 0.4.
It is probably a footgun to add `stateVersion` logic for any
package that makes backwards‐incompatible schema changes and only
supports migration from the immediately previous version. Users
won’t get migrated by default and we have to either package and
maintain an endlessly growing list of old versions or add complicated
instructions like this. It’s not really practical for us to support
a significantly better migration story than upstream does.

Long‐dead upstream (completely vanished, in fact), using a release
from 2013, barely surviving on a huge pile of Debian patches and
drive‐by fixes. Even the Debian patch set in our package here is
out of date. The `meta.homepage` was updated to point to a GitHub
repository with commits from as recently as 5½ years ago, but that
appears to be a separate fork from another developer, and we never
actually shipped it.
The last time this package was substantially touched was by @vs49688,
who heroically took the time to patch it to update it from FFmpeg
2(!) to FFmpeg 4 as part of a tree‐wide sweep almost three years
ago. Now that I’m dealing with FFmpeg 4, it would need patching
again, and I really don’t feel like it.
I considered simply dropping the FFmpeg dependency by disabling
compressed CDDA support, but it’s just not worth it to keep
this package alive. The state of PlayStation emulation has improved
dramatically from when this fork was current. DuckStation and Mednafen
are both better options for the majority of people. The PCSX Reloaded
code lives on as PCSX ReARMed, which we package as a libretro core,
but not as a standalone emulator. I would encourage anyone who has
reason to want a packaged PCSX fork to package the standalone version
of PCSX ReARMed from <https://github.com/notaz/pcsx_rearmed>. You
can tag me for review if you’d like.

Essentially unmaintained upstream for almost a decade, kept alive
with treewides and drive‐by fixes, and depends on the deprecated
and removed OpenCV C API. Sorry, it looks like a fun toy! Hopefully
someone can port it to a newer OpenCV.

These versions have been obsolete for 5 to 10 years, and have been
broken since 34cd4905d1 unless the user
specifies manual overrides. Given that nobody seems to have reported
an issue with them, I conclude that demand for them is minimal and
that there’s no need for them to block the removal of OpenCV 2.

krb5 and libkrb5 are two separate derivations that can easily end up
in the same closure. They both provide the same shared libraries and
some packages end up getting both copies. Since both copies come from
the same source, packages often get lucky in this situation and just
use whichever library is found first. Sometimes packages are less
fortunate and end up trying to load both. This has gone largely
unnoticed in Nixpkgs, likely because Kerberos is not widely used
outside of enterprise deployments.
This situation seems to have arisen out of a need to break a cycle
in `fetchurl -> curl -> krb5 -> fetchurl`. The libkrb5 build was able to
avoid depending on bison and libedit, making it easier to break the
cycle.
However, we can break the cycle without resorting to two variants of
krb5. Libedit can be removed with configure flags and byacc can be used
instead of bison, allowing a much smaller build closure that can easily
be resolved when breaking the cycle.
This change also adds a "lib" output to krb5 so that packages depending
on krb5 can still benefit from a smaller runtime closure if they only
need the shared libraries.
A future change will include a tree-wide refactor to switch uses of
libkrb5 to krb5.

* remove irrlichtmt input. Minetest's irrlicht fork has been moved into
the minetest repo and is now statically linked.
* remove mesa from buildInputs for darwin. Otherwise startup fails with
"OpenGL driver version is not 1.2 or better." and "Shaders are enabled
but GLSL is not supported by the driver.". Presumably that happens
because minetest tries to use an incomplete OpenGL driver from mesa
instead of the drivers provided by macOS.
* remove withTouchSupport arg, as the upstream CMake option has been
removed. Touch support should now always be enabled.
* make minetest-touch an alias for minetestclient
* remove unused args

Re-roll of https://github.com/NixOS/nixpkgs/pull/328907, but this time
adding the patch from ArchLinux, which keeps both EGL and GLX code paths
active.
Remove overrides where EGL was explicitly requested previously, as well
as the glew-egl package variant.
Add an alias for glew-egl, in case there are any users of this outside
of nixpkgs.

As far as I can tell, the name of the software is "rustic". Every
other distro calls it "rustic". [1] The crate is presumably called
"rustic-rs" because "rustic" is already taken on crates.io, which is
not a problem in Nixpkgs.
I've added "rustic-rs" as an alias, so the old name will continue
working.
[1]: https://repology.org/project/rustic/versions

This package was marked as vulnerable in
<https://github.com/NixOS/nixpkgs/pull/255959>, almost a year ago and
over a year after the project was archived upstream. The package and
module are unusable without bypassing a security warning in 23.05,
23.11, and 24.05.
Given that the package is intended as an organizer for
potentially‐untrusted media files, the vulnerability is critical and
leads to remote code execution, and there is basically no prospect
of upstream releasing a fix, remove the package and module entirely
for 24.11.

This was a major version behind and using outdated or insecure packages
like sqlalchemy-migrate and Qt WebKit. It hadn’t seen any attention
since it was added in 2020. If anyone wants to step up to update it
to the latest version and maintain it, that would be great!