-rw-r--r--doc/stdenv.xml43
-rw-r--r--nixos/modules/config/gnu.nix9
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/services/networking/ssh/lshd.nix176
-rw-r--r--pkgs/applications/audio/QmidiNet/default.nix2
-rw-r--r--pkgs/applications/audio/aacgain/default.nix5
-rw-r--r--pkgs/applications/audio/cdparanoia/default.nix2
-rw-r--r--pkgs/applications/audio/csound/default.nix2
-rw-r--r--pkgs/applications/audio/freewheeling/default.nix2
-rw-r--r--pkgs/applications/audio/jack-capture/default.nix4
-rw-r--r--pkgs/applications/audio/lingot/default.nix2
-rw-r--r--pkgs/applications/audio/mi2ly/default.nix2
-rw-r--r--pkgs/applications/audio/mp3info/default.nix2
-rw-r--r--pkgs/applications/audio/mp3val/default.nix2
-rw-r--r--pkgs/applications/audio/mpg321/default.nix2
-rw-r--r--pkgs/applications/audio/musescore/default.nix3
-rw-r--r--pkgs/applications/audio/pd-plugins/cyclone/default.nix2
-rw-r--r--pkgs/applications/audio/pd-plugins/maxlib/default.nix2
-rw-r--r--pkgs/applications/audio/pd-plugins/mrpeach/default.nix4
-rw-r--r--pkgs/applications/audio/pd-plugins/puremapping/default.nix6
-rw-r--r--pkgs/applications/audio/rakarrack/default.nix2
-rw-r--r--pkgs/applications/audio/zam-plugins/default.nix2
-rw-r--r--pkgs/applications/audio/zynaddsubfx/default.nix2
-rw-r--r--pkgs/applications/editors/bviplus/default.nix10
-rw-r--r--pkgs/applications/editors/bviplus/gcc5.diff11
-rw-r--r--pkgs/applications/editors/ht/default.nix5
-rw-r--r--pkgs/applications/editors/leafpad/default.nix2
-rw-r--r--pkgs/applications/graphics/cinepaint/default.nix4
-rw-r--r--pkgs/applications/graphics/giv/default.nix3
-rw-r--r--pkgs/applications/graphics/gqview/default.nix2
-rw-r--r--pkgs/applications/graphics/meshlab/default.nix2
-rw-r--r--pkgs/applications/graphics/qtpfsgui/default.nix2
-rw-r--r--pkgs/applications/graphics/tesseract/default.nix2
-rw-r--r--pkgs/applications/graphics/xfig/default.nix2
-rw-r--r--pkgs/applications/inferno/default.nix2
-rw-r--r--pkgs/applications/misc/abook/default.nix5
-rw-r--r--pkgs/applications/misc/epdfview/default.nix9
-rw-r--r--pkgs/applications/misc/gkrellm/default.nix2
-rw-r--r--pkgs/applications/misc/grip/default.nix2
-rw-r--r--pkgs/applications/misc/k2pdfopt/default.nix4
-rw-r--r--pkgs/applications/misc/navit/default.nix2
-rw-r--r--pkgs/applications/misc/posterazor/default.nix2
-rw-r--r--pkgs/applications/misc/sdcv/default.nix2
-rw-r--r--pkgs/applications/misc/tasknc/default.nix2
-rw-r--r--pkgs/applications/misc/vym/default.nix4
-rw-r--r--pkgs/applications/misc/wordnet/default.nix2
-rw-r--r--pkgs/applications/networking/browsers/vimprobable2/default.nix8
-rw-r--r--pkgs/applications/networking/browsers/w3m/default.nix2
-rw-r--r--pkgs/applications/networking/instant-messengers/silc-client/default.nix2
-rw-r--r--pkgs/applications/networking/instant-messengers/vacuum/default.nix65
-rw-r--r--pkgs/applications/networking/iptraf-ng/default.nix2
-rw-r--r--pkgs/applications/networking/mailreaders/alpine/default.nix32
-rw-r--r--pkgs/applications/networking/mailreaders/realpine/default.nix31
-rw-r--r--pkgs/applications/networking/remote/ssvnc/default.nix2
-rw-r--r--pkgs/applications/science/geometry/drgeo/default.nix2
-rw-r--r--pkgs/applications/science/logic/ltl2ba/default.nix2
-rw-r--r--pkgs/applications/science/logic/otter/default.nix5
-rw-r--r--pkgs/applications/science/logic/prover9/default.nix4
-rw-r--r--pkgs/applications/science/math/cbc/default.nix2
-rw-r--r--pkgs/applications/science/math/qalculate-gtk/default.nix2
-rw-r--r--pkgs/applications/science/math/yacas/default.nix4
-rw-r--r--pkgs/applications/version-management/cvs/default.nix2
-rw-r--r--pkgs/applications/version-management/git-and-tools/git/default.nix2
-rw-r--r--pkgs/applications/version-management/git-and-tools/qgit/default.nix23
-rw-r--r--pkgs/applications/version-management/rcs/default.nix2
-rw-r--r--pkgs/applications/video/aegisub/default.nix3
-rw-r--r--pkgs/applications/virtualization/OVMF/default.nix4
-rw-r--r--pkgs/applications/virtualization/bochs/default.nix4
-rw-r--r--pkgs/applications/virtualization/cbfstool/default.nix2
-rw-r--r--pkgs/applications/virtualization/seabios/default.nix7
-rw-r--r--pkgs/applications/virtualization/virtualbox/guest-additions/default.nix2
-rw-r--r--pkgs/applications/virtualization/xen/generic.nix4
-rw-r--r--pkgs/applications/window-managers/stalonetray/default.nix4
-rw-r--r--pkgs/desktops/gnome-2/platform/libgnomecups/default.nix2
-rw-r--r--pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix6
-rw-r--r--pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix2
-rw-r--r--pkgs/desktops/kde-4.14/kdebindings/qtruby.nix8
-rw-r--r--pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix2
-rw-r--r--pkgs/development/compilers/ccl/default.nix2
-rw-r--r--pkgs/development/compilers/clean/default.nix3
-rw-r--r--pkgs/development/compilers/dev86/default.nix2
-rw-r--r--pkgs/development/compilers/ecl/default.nix50
-rw-r--r--pkgs/development/compilers/edk2/default.nix9
-rw-r--r--pkgs/development/compilers/gcc/4.3/default.nix7
-rw-r--r--pkgs/development/compilers/gcc/4.4/default.nix2
-rw-r--r--pkgs/development/compilers/gcc/4.5/default.nix5
-rw-r--r--pkgs/development/compilers/gcc/4.6/default.nix2
-rw-r--r--pkgs/development/compilers/gcc/4.8/default.nix2
-rw-r--r--pkgs/development/compilers/gcc/4.9/default.nix6
-rw-r--r--pkgs/development/compilers/gcc/5/default.nix2
-rw-r--r--pkgs/development/compilers/gcl/default.nix17
-rw-r--r--pkgs/development/compilers/ghc/6.10.4.nix2
-rw-r--r--pkgs/development/compilers/go/1.4.nix2
-rw-r--r--pkgs/development/compilers/go/1.5.nix2
-rw-r--r--pkgs/development/compilers/go/1.6.nix2
-rw-r--r--pkgs/development/compilers/mkcl/default.nix2
-rw-r--r--pkgs/development/compilers/qcmm/default.nix12
-rw-r--r--pkgs/development/compilers/squeak/default.nix2
-rw-r--r--pkgs/development/compilers/strategoxt/0.16.nix47
-rw-r--r--pkgs/development/compilers/strategoxt/0.17.nix112
-rw-r--r--pkgs/development/compilers/strategoxt/0.18.nix124
-rw-r--r--pkgs/development/compilers/swi-prolog/default.nix2
-rw-r--r--pkgs/development/compilers/teyjus/default.nix2
-rw-r--r--pkgs/development/compilers/webdsl/default.nix24
-rw-r--r--pkgs/development/haskell-modules/configuration-common.nix8
-rw-r--r--pkgs/development/interpreters/erlang/R14.nix2
-rw-r--r--pkgs/development/interpreters/lush/default.nix31
-rw-r--r--pkgs/development/interpreters/ruby/patchsets.nix6
-rw-r--r--pkgs/development/interpreters/ruby/rand-egd.patch42
-rw-r--r--pkgs/development/interpreters/ruby/ruby22-rand-egd.patch42
-rw-r--r--pkgs/development/interpreters/self/default.nix4
-rw-r--r--pkgs/development/interpreters/spidermonkey/default.nix2
-rw-r--r--pkgs/development/interpreters/supercollider/default.nix10
-rw-r--r--pkgs/development/libraries/CoinMP/default.nix2
-rw-r--r--pkgs/development/libraries/a52dec/default.nix2
-rw-r--r--pkgs/development/libraries/accelio/default.nix3
-rw-r--r--pkgs/development/libraries/allegro/default.nix2
-rw-r--r--pkgs/development/libraries/aterm/2.5.nix33
-rw-r--r--pkgs/development/libraries/aterm/max-long.patch77
-rw-r--r--pkgs/development/libraries/aterm/sizeof.patch56
-rw-r--r--pkgs/development/libraries/audio/libbs2b/default.nix2
-rw-r--r--pkgs/development/libraries/cgui/default.nix3
-rw-r--r--pkgs/development/libraries/cloog/0.18.0.nix3
-rw-r--r--pkgs/development/libraries/cwiid/default.nix52
-rw-r--r--pkgs/development/libraries/db/db-4.4.nix1
-rw-r--r--pkgs/development/libraries/db/db-4.5.nix1
-rw-r--r--pkgs/development/libraries/db/db-4.7.nix1
-rw-r--r--pkgs/development/libraries/db/db-4.8.nix1
-rw-r--r--pkgs/development/libraries/db/generic.nix5
-rw-r--r--pkgs/development/libraries/fox/default.nix2
-rw-r--r--pkgs/development/libraries/fox/fox-1.6.nix2
-rw-r--r--pkgs/development/libraries/freetds/default.nix2
-rw-r--r--pkgs/development/libraries/fribidi/default.nix4
-rw-r--r--pkgs/development/libraries/gd/default.nix6
-rw-r--r--pkgs/development/libraries/gdal/default.nix2
-rw-r--r--pkgs/development/libraries/gdal/gdal-1_11.nix2
-rw-r--r--pkgs/development/libraries/gdome2/default.nix2
-rw-r--r--pkgs/development/libraries/geoclue/default.nix2
-rw-r--r--pkgs/development/libraries/gettext/default.nix4
-rw-r--r--pkgs/development/libraries/giflib/4.1.nix4
-rw-r--r--pkgs/development/libraries/giflib/libungif.nix2
-rw-r--r--pkgs/development/libraries/glibc/common.nix3
-rw-r--r--pkgs/development/libraries/glibc/default.nix3
-rw-r--r--pkgs/development/libraries/gmp/5.1.x.nix3
-rw-r--r--pkgs/development/libraries/gsm/default.nix2
-rw-r--r--pkgs/development/libraries/hspell/default.nix2
-rw-r--r--pkgs/development/libraries/isl/0.11.1.nix3
-rw-r--r--pkgs/development/libraries/itk/default.nix1
-rw-r--r--pkgs/development/libraries/java/swt/default.nix2
-rw-r--r--pkgs/development/libraries/libcli/default.nix9
-rw-r--r--pkgs/development/libraries/libdnet/default.nix2
-rw-r--r--pkgs/development/libraries/libelf/default.nix5
-rw-r--r--pkgs/development/libraries/libf2c/default.nix4
-rw-r--r--pkgs/development/libraries/libgeotiff/default.nix2
-rw-r--r--pkgs/development/libraries/libgphoto2/default.nix2
-rw-r--r--pkgs/development/libraries/libmpc/default.nix3
-rw-r--r--pkgs/development/libraries/librsync/0.9.nix6
-rw-r--r--pkgs/development/libraries/libunwind/default.nix1
-rw-r--r--pkgs/development/libraries/libvisual/default.nix2
-rw-r--r--pkgs/development/libraries/libyaml-cpp/default.nix4
-rw-r--r--pkgs/development/libraries/mp4v2/default.nix2
-rw-r--r--pkgs/development/libraries/mpfr/default.nix3
-rw-r--r--pkgs/development/libraries/nvidia-texture-tools/default.nix2
-rw-r--r--pkgs/development/libraries/opencascade/6.5.nix2
-rw-r--r--pkgs/development/libraries/opencascade/default.nix2
-rw-r--r--pkgs/development/libraries/opencv/3.x.nix3
-rw-r--r--pkgs/development/libraries/opencv/default.nix3
-rw-r--r--pkgs/development/libraries/phonon/qt5/default.nix2
-rw-r--r--pkgs/development/libraries/plib/default.nix5
-rw-r--r--pkgs/development/libraries/portmidi/default.nix2
-rw-r--r--pkgs/development/libraries/pupnp/default.nix2
-rw-r--r--pkgs/development/libraries/qhull/default.nix2
-rw-r--r--pkgs/development/libraries/qt-3/default.nix2
-rw-r--r--pkgs/development/libraries/qtscriptgenerator/default.nix10
-rw-r--r--pkgs/development/libraries/science/math/atlas/default.nix4
-rw-r--r--pkgs/development/libraries/science/math/suitesparse/default.nix2
-rw-r--r--pkgs/development/libraries/smpeg/default.nix2
-rw-r--r--pkgs/development/libraries/speechd/default.nix2
-rw-r--r--pkgs/development/libraries/tidyp/default.nix2
-rw-r--r--pkgs/development/libraries/vxl/default.nix12
-rw-r--r--pkgs/development/libraries/wvstreams/default.nix4
-rw-r--r--pkgs/development/libraries/xmlrpc-c/default.nix2
-rw-r--r--pkgs/development/libraries/zlib/default.nix6
-rw-r--r--pkgs/development/misc/avr-gcc-with-avr-libc/default.nix14
-rw-r--r--pkgs/development/python-modules/wxPython/generic.nix5
-rw-r--r--pkgs/development/tools/analysis/cccc/default.nix4
-rw-r--r--pkgs/development/tools/analysis/flow/default.nix4
-rw-r--r--pkgs/development/tools/analysis/radare/default.nix5
-rw-r--r--pkgs/development/tools/analysis/valgrind/default.nix2
-rw-r--r--pkgs/development/tools/boost-build/default.nix2
-rw-r--r--pkgs/development/tools/misc/binutils/default.nix3
-rw-r--r--pkgs/development/tools/misc/elfutils/default.nix2
-rw-r--r--pkgs/development/tools/misc/gnum4/default.nix3
-rw-r--r--pkgs/development/tools/misc/patchelf/default.nix3
-rw-r--r--pkgs/development/tools/misc/texinfo/6.0.nix3
-rw-r--r--pkgs/development/tools/omniorb/default.nix2
-rw-r--r--pkgs/development/tools/parsing/bison/3.x.nix3
-rw-r--r--pkgs/development/tools/toluapp/default.nix2
-rw-r--r--pkgs/games/asc/default.nix1
-rw-r--r--pkgs/games/bsdgames/default.nix2
-rw-r--r--pkgs/games/crack-attack/default.nix2
-rw-r--r--pkgs/games/lincity/ng.nix4
-rw-r--r--pkgs/games/liquidwar/default.nix2
-rw-r--r--pkgs/games/pioneers/default.nix2
-rw-r--r--pkgs/games/stardust/default.nix2
-rw-r--r--pkgs/games/torcs/default.nix2
-rw-r--r--pkgs/games/xconq/default.nix6
-rw-r--r--pkgs/games/xpilot/bloodspilot-server.nix34
-rw-r--r--pkgs/games/xpilot/server-gcc5.patch65
-rw-r--r--pkgs/games/zandronum/default.nix2
-rw-r--r--pkgs/misc/emulators/dosbox/default.nix8
-rw-r--r--pkgs/misc/emulators/mupen64plus/default.nix10
-rw-r--r--pkgs/misc/emulators/nestopia/default.nix2
-rw-r--r--pkgs/misc/emulators/uae/default.nix7
-rw-r--r--pkgs/misc/mxt-app/default.nix2
-rw-r--r--pkgs/os-specific/linux/acpi-call/default.nix4
-rw-r--r--pkgs/os-specific/linux/batman-adv/default.nix2
-rw-r--r--pkgs/os-specific/linux/bbswitch/default.nix2
-rw-r--r--pkgs/os-specific/linux/blcr/default.nix4
-rw-r--r--pkgs/os-specific/linux/busybox/default.nix2
-rw-r--r--pkgs/os-specific/linux/checksec/default.nix9
-rw-r--r--pkgs/os-specific/linux/criu/default.nix4
-rw-r--r--pkgs/os-specific/linux/dietlibc/default.nix3
-rw-r--r--pkgs/os-specific/linux/disk-indicator/default.nix1
-rw-r--r--pkgs/os-specific/linux/dmraid/default.nix2
-rw-r--r--pkgs/os-specific/linux/dmraid/hardening-format.patch18
-rw-r--r--pkgs/os-specific/linux/facetimehd/default.nix4
-rw-r--r--pkgs/os-specific/linux/gogoclient/default.nix2
-rw-r--r--pkgs/os-specific/linux/ifenslave/default.nix2
-rw-r--r--pkgs/os-specific/linux/jool/default.nix2
-rw-r--r--pkgs/os-specific/linux/kernel-headers/3.18.nix3
-rw-r--r--pkgs/os-specific/linux/kernel/manual-config.nix6
-rw-r--r--pkgs/os-specific/linux/kexectools/default.nix2
-rw-r--r--pkgs/os-specific/linux/klibc/default.nix3
-rw-r--r--pkgs/os-specific/linux/ldm/default.nix5
-rw-r--r--pkgs/os-specific/linux/lttng-modules/default.nix2
-rw-r--r--pkgs/os-specific/linux/multipath-tools/default.nix2
-rw-r--r--pkgs/os-specific/linux/netatop/default.nix2
-rw-r--r--pkgs/os-specific/linux/numad/default.nix2
-rw-r--r--pkgs/os-specific/linux/paxctl/default.nix3
-rw-r--r--pkgs/os-specific/linux/phc-intel/default.nix2
-rw-r--r--pkgs/os-specific/linux/rtl8812au/default.nix12
-rw-r--r--pkgs/os-specific/linux/setools/default.nix2
-rw-r--r--pkgs/os-specific/linux/spl/default.nix2
-rw-r--r--pkgs/os-specific/linux/sysdig/default.nix28
-rw-r--r--pkgs/os-specific/linux/syslinux/default.nix2
-rw-r--r--pkgs/os-specific/linux/tp_smapi/default.nix2
-rw-r--r--pkgs/os-specific/linux/v4l2loopback/default.nix7
-rw-r--r--pkgs/os-specific/linux/v86d/default.nix2
-rw-r--r--pkgs/os-specific/linux/xf86-video-nested/default.nix5
-rw-r--r--pkgs/os-specific/linux/zfs/default.nix2
-rw-r--r--pkgs/servers/beanstalkd/default.nix2
-rw-r--r--pkgs/servers/certificate-transparency/default.nix50
-rw-r--r--pkgs/servers/firebird/default.nix2
-rw-r--r--pkgs/servers/gpm/default.nix2
-rw-r--r--pkgs/servers/http/nginx/default.nix2
-rw-r--r--pkgs/servers/icecast/default.nix2
-rw-r--r--pkgs/servers/irc/charybdis/default.nix2
-rw-r--r--pkgs/servers/mail/postfix/2.11.nix5
-rw-r--r--pkgs/servers/mail/postfix/3.0.nix5
-rw-r--r--pkgs/servers/mail/postfix/default.nix5
-rw-r--r--pkgs/servers/memcached/default.nix2
-rw-r--r--pkgs/servers/nosql/mongodb/default.nix3
-rw-r--r--pkgs/servers/nosql/riak/1.3.1.nix2
-rw-r--r--pkgs/servers/nosql/riak/2.1.1.nix2
-rw-r--r--pkgs/servers/openafs-client/default.nix2
-rw-r--r--pkgs/servers/sip/freeswitch/default.nix2
-rw-r--r--pkgs/servers/x11/xorg/overrides.nix4
-rw-r--r--pkgs/shells/dash/default.nix2
-rw-r--r--pkgs/stdenv/adapters.nix20
-rw-r--r--pkgs/tools/X11/sct/default.nix2
-rw-r--r--pkgs/tools/X11/xbindkeys-config/default.nix2
-rw-r--r--pkgs/tools/admin/tightvnc/default.nix2
-rw-r--r--pkgs/tools/archivers/cromfs/default.nix11
-rw-r--r--pkgs/tools/archivers/sharutils/default.nix2
-rw-r--r--pkgs/tools/archivers/unzip/default.nix2
-rw-r--r--pkgs/tools/archivers/xarchive/default.nix2
-rw-r--r--pkgs/tools/archivers/zip/default.nix2
-rw-r--r--pkgs/tools/cd-dvd/cdrdao/default.nix2
-rw-r--r--pkgs/tools/cd-dvd/cdrkit/default.nix2
-rw-r--r--pkgs/tools/cd-dvd/dvdisaster/default.nix2
-rw-r--r--pkgs/tools/compression/xz/default.nix3
-rw-r--r--pkgs/tools/filesystems/fusesmb/default.nix2
-rw-r--r--pkgs/tools/filesystems/jfsutils/default.nix2
-rw-r--r--pkgs/tools/filesystems/jfsutils/hardening-format.patch37
-rw-r--r--pkgs/tools/filesystems/udftools/default.nix3
-rw-r--r--pkgs/tools/filesystems/udftools/gcc5.patch17
-rw-r--r--pkgs/tools/graphics/barcode/default.nix3
-rw-r--r--pkgs/tools/graphics/editres/default.nix4
-rw-r--r--pkgs/tools/graphics/ggobi/default.nix2
-rw-r--r--pkgs/tools/graphics/graphviz/2.0.nix5
-rw-r--r--pkgs/tools/graphics/graphviz/2.32.nix2
-rw-r--r--pkgs/tools/graphics/graphviz/default.nix4
-rw-r--r--pkgs/tools/graphics/jbig2enc/default.nix11
-rw-r--r--pkgs/tools/graphics/netpbm/default.nix6
-rw-r--r--pkgs/tools/graphics/nifskope/default.nix2
-rw-r--r--pkgs/tools/graphics/plotutils/default.nix2
-rw-r--r--pkgs/tools/graphics/pngcheck/default.nix4
-rw-r--r--pkgs/tools/graphics/qrcode/default.nix7
-rw-r--r--pkgs/tools/graphics/transfig/default.nix2
-rw-r--r--pkgs/tools/graphics/zbar/default.nix4
-rw-r--r--pkgs/tools/misc/calamares/default.nix17
-rw-r--r--pkgs/tools/misc/coreutils/default.nix3
-rw-r--r--pkgs/tools/misc/ddccontrol/default.nix4
-rw-r--r--pkgs/tools/misc/detox/default.nix2
-rw-r--r--pkgs/tools/misc/expect/default.nix2
-rw-r--r--pkgs/tools/misc/gbdfed/default.nix2
-rw-r--r--pkgs/tools/misc/grub/2.0x.nix2
-rw-r--r--pkgs/tools/misc/grub/default.nix2
-rw-r--r--pkgs/tools/misc/grub/trusted.nix3
-rw-r--r--pkgs/tools/misc/gummiboot/default.nix2
-rw-r--r--pkgs/tools/misc/ipxe/default.nix4
-rw-r--r--pkgs/tools/misc/pal/default.nix6
-rw-r--r--pkgs/tools/misc/sutils/default.nix2
-rw-r--r--pkgs/tools/misc/uucp/default.nix2
-rw-r--r--pkgs/tools/misc/vorbisgain/default.nix5
-rw-r--r--pkgs/tools/misc/wv/default.nix2
-rw-r--r--pkgs/tools/misc/xfstests/default.nix2
-rw-r--r--pkgs/tools/networking/chrony/default.nix2
-rw-r--r--pkgs/tools/networking/dhcpdump/default.nix2
-rw-r--r--pkgs/tools/networking/dnsmasq/default.nix2
-rw-r--r--pkgs/tools/networking/eggdrop/default.nix14
-rw-r--r--pkgs/tools/networking/iperf/2.nix2
-rw-r--r--pkgs/tools/networking/lsh/default.nix49
-rw-r--r--pkgs/tools/networking/lsh/lshd-no-root-login.patch16
-rw-r--r--pkgs/tools/networking/lsh/pam-service-name.patch14
-rw-r--r--pkgs/tools/networking/mailutils/default.nix2
-rw-r--r--pkgs/tools/networking/ncat/default.nix25
-rw-r--r--pkgs/tools/networking/ncat/ncat-0.10rc3.patch38
-rw-r--r--pkgs/tools/networking/netboot/default.nix4
-rw-r--r--pkgs/tools/networking/ntp/default.nix2
-rw-r--r--pkgs/tools/networking/openfortivpn/default.nix10
-rw-r--r--pkgs/tools/networking/openssh/default.nix2
-rw-r--r--pkgs/tools/networking/radvd/default.nix2
-rw-r--r--pkgs/tools/networking/socat/default.nix2
-rw-r--r--pkgs/tools/networking/stunnel/default.nix4
-rw-r--r--pkgs/tools/networking/telnet/default.nix2
-rw-r--r--pkgs/tools/networking/trickle/default.nix4
-rw-r--r--pkgs/tools/networking/uwimap/default.nix2
-rw-r--r--pkgs/tools/networking/vde2/default.nix2
-rw-r--r--pkgs/tools/package-management/checkinstall/default.nix2
-rw-r--r--pkgs/tools/package-management/clib/default.nix2
-rw-r--r--pkgs/tools/security/fprint_demo/default.nix2
-rw-r--r--pkgs/tools/security/john/default.nix2
-rw-r--r--pkgs/tools/security/john/gcc5.patch14
-rw-r--r--pkgs/tools/security/signing-party/default.nix4
-rw-r--r--pkgs/tools/security/tboot/default.nix4
-rw-r--r--pkgs/tools/system/cron/default.nix2
-rw-r--r--pkgs/tools/system/facter/default.nix4
-rw-r--r--pkgs/tools/system/foremost/default.nix2
-rw-r--r--pkgs/tools/system/gdmap/default.nix4
-rw-r--r--pkgs/tools/system/rsyslog/default.nix2
-rw-r--r--pkgs/tools/system/stress-ng/default.nix4
-rw-r--r--pkgs/tools/system/which/default.nix5
-rw-r--r--pkgs/tools/text/a2ps/default.nix2
-rw-r--r--pkgs/tools/text/patchutils/default.nix2
-rw-r--r--pkgs/tools/text/untex/default.nix2
-rw-r--r--pkgs/tools/typesetting/bibtex-tools/default.nix17
-rw-r--r--pkgs/tools/typesetting/tex/tetex/default.nix4
-rw-r--r--pkgs/tools/typesetting/tex/texlive-new/bin.nix4
-rw-r--r--pkgs/tools/video/mjpegtools/default.nix4
-rw-r--r--pkgs/tools/video/vncrec/default.nix2
-rw-r--r--pkgs/top-level/all-packages.nix59
-rw-r--r--pkgs/top-level/guile-2-test.nix1
-rw-r--r--pkgs/top-level/release-cross.nix1
-rw-r--r--pkgs/top-level/release-small.nix2
-rw-r--r--pkgs/top-level/release.nix9
367 files changed, 1351 insertions, 1323 deletions
diff --git a/doc/stdenv.xml b/doc/stdenv.xml
index f8d9acb2fb0..51a27dcdbc0 100644
--- a/doc/stdenv.xml
+++ b/doc/stdenv.xml
@@ -1317,6 +1317,49 @@ in the default system locations.</para>
 
 </section>
 
+<section xml:id="sec-hardening-in-nixpkgs"><title>Hardening in Nixpkgs</title>
+
+<para>By default some flags to harden packages at compile or link-time are set:</para>
+
+<variablelist>
+
+  <varlistentry>
+    <term><varname>hardening_format</varname></term>
+    <listitem><para>Adds the <option>-Wformat -Wformat-security
+    -Werror=format-security</option> compiler options. At present,
+    this warns about calls to printf and scanf functions where the
+    format string is not a string literal and there are no format
+    arguments, as in <literal>printf(foo);</literal>. This may be
+    a security hole if the format string came from untrusted input
+    and contains <literal>%n</literal>.</para>
+
+    <para>This needs to be turned off or fixed for errors similar to:</para>
+
+    <programlisting>
+/tmp/nix-build-zynaddsubfx-2.5.2.drv-0/zynaddsubfx-2.5.2/src/UI/guimain.cpp:571:28: error: format not a string literal and no format arguments [-Werror=format-security]
+         printf(help_message);
+                            ^
+cc1plus: some warnings being treated as errors
+    </programlisting></listitem>
+  </varlistentry>
+
+  <varlistentry>
+    <term><varname>hardening_stackprotector</varname></term>
+    <listitem><para>Adds the <option>-fstack-protector-strong</option>
+    compiler options. This adds safety checks against stack overwrites
+    rendering many potential code injection attacks into aborting situations.
+    In the best case this turns code injection vulnerabilities into denial
+    of service or into non-issues (depending on the application).</para>
+
+    <para>This needs to be turned off or fixed for errors similar to:</para>
+
+    <programlisting>
+bin/blib.a(bios_console.o): In function `bios_handle_cup':
+/tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail'
+    </programlisting></listitem>
+  </varlistentry>
+</variablelist>
+</section>
 
 </chapter>
 
diff --git a/nixos/modules/config/gnu.nix b/nixos/modules/config/gnu.nix
index f8c35b440d1..5cc41ce8690 100644
--- a/nixos/modules/config/gnu.nix
+++ b/nixos/modules/config/gnu.nix
@@ -9,8 +9,7 @@ with lib;
       default = false;
       description =
         '' When enabled, GNU software is chosen by default whenever a there is
-           a choice between GNU and non-GNU software (e.g., GNU lsh
-           vs. OpenSSH).
+           a choice between GNU and non-GNU software.
         '';
     };
   };
@@ -33,12 +32,6 @@ with lib;
     boot.loader.grub.enable = !pkgs.stdenv.isArm;
     boot.loader.grub.version = 2;
 
-    # GNU lsh.
-    services.openssh.enable = false;
-    services.lshd.enable = true;
-    programs.ssh.startAgent = false;
-    services.xserver.startGnuPGAgent = true;
-
     # TODO: GNU dico.
     # TODO: GNU Inetutils' inetd.
     # TODO: GNU Pies.
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index ad1636e002d..91d771b1cfb 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -366,7 +366,6 @@
   ./services/networking/softether.nix
   ./services/networking/spiped.nix
   ./services/networking/sslh.nix
-  ./services/networking/ssh/lshd.nix
   ./services/networking/ssh/sshd.nix
   ./services/networking/strongswan.nix
   ./services/networking/supplicant.nix
diff --git a/nixos/modules/services/networking/ssh/lshd.nix b/nixos/modules/services/networking/ssh/lshd.nix
deleted file mode 100644
index 661a6a52463..00000000000
--- a/nixos/modules/services/networking/ssh/lshd.nix
+++ /dev/null
@@ -1,176 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-
-  inherit (pkgs) lsh;
-
-  cfg = config.services.lshd;
-
-in
-
-{
-
-  ###### interface
-
-  options = {
-
-    services.lshd = {
-
-      enable = mkOption {
-        default = false;
-        description = ''
-          Whether to enable the GNU lshd SSH2 daemon, which allows
-          secure remote login.
-        '';
-      };
-
-      portNumber = mkOption {
-        default = 22;
-        description = ''
-          The port on which to listen for connections.
-        '';
-      };
-
-      interfaces = mkOption {
-        default = [];
-        description = ''
-          List of network interfaces where listening for connections.
-          When providing the empty list, `[]', lshd listens on all
-          network interfaces.
-        '';
-        example = [ "localhost" "1.2.3.4:443" ];
-      };
-
-      hostKey = mkOption {
-        default = "/etc/lsh/host-key";
-        description = ''
-          Path to the server's private key.  Note that this key must
-          have been created, e.g., using "lsh-keygen --server |
-          lsh-writekey --server", so that you can run lshd.
-        '';
-      };
-
-      syslog = mkOption {
-        default = true;
-        description = ''Whether to enable syslog output.'';
-      };
-
-      passwordAuthentication = mkOption {
-        default = true;
-        description = ''Whether to enable password authentication.'';
-      };
-
-      publicKeyAuthentication = mkOption {
-        default = true;
-        description = ''Whether to enable public key authentication.'';
-      };
-
-      rootLogin = mkOption {
-        default = false;
-        description = ''Whether to enable remote root login.'';
-      };
-
-      loginShell = mkOption {
-        default = null;
-        description = ''
-          If non-null, override the default login shell with the
-          specified value.
-        '';
-        example = "/nix/store/xyz-bash-10.0/bin/bash10";
-      };
-
-      srpKeyExchange = mkOption {
-        default = false;
-        description = ''
-          Whether to enable SRP key exchange and user authentication.
-        '';
-      };
-
-      tcpForwarding = mkOption {
-        default = true;
-        description = ''Whether to enable TCP/IP forwarding.'';
-      };
-
-      x11Forwarding = mkOption {
-        default = true;
-        description = ''Whether to enable X11 forwarding.'';
-      };
-
-      subsystems = mkOption {
-        description = ''
-          List of subsystem-path pairs, where the head of the pair
-          denotes the subsystem name, and the tail denotes the path to
-          an executable implementing it.
-        '';
-      };
-
-    };
-
-  };
-
-
-  ###### implementation
-
-  config = mkIf cfg.enable {
-
-    services.lshd.subsystems = [ ["sftp" "${pkgs.lsh}/sbin/sftp-server"] ];
-
-    systemd.services.lshd = {
-      description = "GNU lshd SSH2 daemon";
-
-      after = [ "network-interfaces.target" ];
-
-      wantedBy = [ "multi-user.target" ];
-
-      environment = {
-        LD_LIBRARY_PATH = config.system.nssModules.path;
-      };
-
-      preStart = ''
-        test -d /etc/lsh || mkdir -m 0755 -p /etc/lsh
-        test -d /var/spool/lsh || mkdir -m 0755 -p /var/spool/lsh
-
-        if ! test -f /var/spool/lsh/yarrow-seed-file
-        then
-            # XXX: It would be nice to provide feedback to the
-            # user when this fails, so that they can retry it
-            # manually.
-            ${lsh}/bin/lsh-make-seed --sloppy \
-               -o /var/spool/lsh/yarrow-seed-file
-        fi
-
-        if ! test -f "${cfg.hostKey}"
-        then
-            ${lsh}/bin/lsh-keygen --server | \
-            ${lsh}/bin/lsh-writekey --server -o "${cfg.hostKey}"
-        fi
-      '';
-
-      script = with cfg; ''
-        ${lsh}/sbin/lshd --daemonic \
-          --password-helper="${lsh}/sbin/lsh-pam-checkpw" \
-          -p ${toString portNumber} \
-          ${if interfaces == [] then ""
-            else (concatStrings (map (i: "--interface=\"${i}\"")
-                                     interfaces))} \
-          -h "${hostKey}" \
-          ${if !syslog then "--no-syslog" else ""} \
-          ${if passwordAuthentication then "--password" else "--no-password" } \
-          ${if publicKeyAuthentication then "--publickey" else "--no-publickey" } \
-          ${if rootLogin then "--root-login" else "--no-root-login" } \
-          ${if loginShell != null then "--login-shell=\"${loginShell}\"" else "" } \
-          ${if srpKeyExchange then "--srp-keyexchange" else "--no-srp-keyexchange" } \
-          ${if !tcpForwarding then "--no-tcpip-forward" else "--tcpip-forward"} \
-          ${if x11Forwarding then "--x11-forward" else "--no-x11-forward" } \
-          --subsystems=${concatStringsSep ","
-                                          (map (pair: (head pair) + "=" +
-                                                      (head (tail pair)))
-                                               subsystems)}
-      '';
-    };
-
-    security.pam.services.lshd = {};
-  };
-}
diff --git a/pkgs/applications/audio/QmidiNet/default.nix b/pkgs/applications/audio/QmidiNet/default.nix
index d8d8945db92..c0879e58aca 100644
--- a/pkgs/applications/audio/QmidiNet/default.nix
+++ b/pkgs/applications/audio/QmidiNet/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "1a1pj4w74wj1gcfv4a0vzcglmr5sw0xp0y56w8rk3ig4k11xi8sa";
   };
 
+  hardening_format = false;
+
   buildInputs = [ qt4 alsaLib libjack2 ];
 
   meta = with stdenv.lib; {
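Review bot: `hardening_format = false;` is added here with no comment naming the compile error that made it necessary, so a later reader cannot tell which call site needs fixing or whether the opt-out is still needed. According to the doc/stdenv.xml text added in this same commit, the flag supplies `-Wformat -Wformat-security -Werror=format-security`, so switching it off presumably drops the warnings as well as the error for the whole package. I would put a line above it such as `# FIXME: fails with -Werror=format-security (non-literal format string); patch the call to use "%s" and re-enable`, or preferably carry a small source patch, as dmraid and jfsutils appear to do in this commit's file list (`hardening-format.patch`). The same applies to the aacgain, cdparanoia, csound, freewheeling, jack-capture, lingot, mi2ly, mp3info and mp3val hunks; the mkDerivation body starts and ends outside each of these hunks.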
diff --git a/pkgs/applications/audio/aacgain/default.nix b/pkgs/applications/audio/aacgain/default.nix
index 69cc798ec0f..80e3c5dc40a 100644
--- a/pkgs/applications/audio/aacgain/default.nix
+++ b/pkgs/applications/audio/aacgain/default.nix
@@ -2,6 +2,7 @@
 
 stdenv.mkDerivation {
   name = "aacgain-1.9.0";
+
   src = fetchFromGitHub {
     owner = "mulx";
     repo = "aacgain";
@@ -9,6 +10,8 @@ stdenv.mkDerivation {
     sha256 = "07hl432vsscqg01b6wr99qmsj4gbx0i02x4k565432y6zpfmaxm0";
   };
 
+  hardening_format = false;
+
   configurePhase = ''
     cd mp4v2
     ./configure
@@ -28,7 +31,7 @@ stdenv.mkDerivation {
     make LDFLAGS=-static
 
     cd ..
-    make   
+    make
   '';
 
   installPhase = ''
diff --git a/pkgs/applications/audio/cdparanoia/default.nix b/pkgs/applications/audio/cdparanoia/default.nix
index 1658d9c7449..9de3bef62ad 100644
--- a/pkgs/applications/audio/cdparanoia/default.nix
+++ b/pkgs/applications/audio/cdparanoia/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80";
   };
 
+  hardening_format = false;
+
   preConfigure = "unset CC";
 
   patches = stdenv.lib.optionals stdenv.isDarwin [
diff --git a/pkgs/applications/audio/csound/default.nix b/pkgs/applications/audio/csound/default.nix
index afca63a2a8a..1cc0e56fe7e 100644
--- a/pkgs/applications/audio/csound/default.nix
+++ b/pkgs/applications/audio/csound/default.nix
@@ -16,6 +16,8 @@ stdenv.mkDerivation {
 
   enableParallelBuilding = true;
 
+  hardening_format = false;
+
   src = fetchurl {
     url = mirror://sourceforge/csound/Csound6.04.tar.gz;
     sha256 = "1030w38lxdwjz1irr32m9cl0paqmgr02lab2m7f7j1yihwxj1w0g";
diff --git a/pkgs/applications/audio/freewheeling/default.nix b/pkgs/applications/audio/freewheeling/default.nix
index f7330ee12f9..eae7ce390c0 100644
--- a/pkgs/applications/audio/freewheeling/default.nix
+++ b/pkgs/applications/audio/freewheeling/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation {
 
   patches = [ ./am_path_sdl.patch ./xml.patch ];
 
+  hardening_format = false;
+
   meta = {
     description = "A live looping instrument with JACK and MIDI support";
     longDescription = ''
diff --git a/pkgs/applications/audio/jack-capture/default.nix b/pkgs/applications/audio/jack-capture/default.nix
index ef6d13e5696..7a5095f3788 100644
--- a/pkgs/applications/audio/jack-capture/default.nix
+++ b/pkgs/applications/audio/jack-capture/default.nix
@@ -18,7 +18,9 @@ stdenv.mkDerivation rec {
     cp jack_capture $out/bin/
   '';
 
-  meta = with stdenv.lib; { 
+  hardening_format = false;
+
+  meta = with stdenv.lib; {
     description = "A program for recording soundfiles with jack";
     homepage = http://archive.notam02.no/arkiv/src;
     license = licenses.gpl2;
diff --git a/pkgs/applications/audio/lingot/default.nix b/pkgs/applications/audio/lingot/default.nix
index 4b07c84b0be..92e39f7bb11 100644
--- a/pkgs/applications/audio/lingot/default.nix
+++ b/pkgs/applications/audio/lingot/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation {
     sha256 = "0ygras6ndw2fylwxx86ac11pcr2y2bcfvvgiwrh92z6zncx254gc";
   };
 
+  hardening_format = false;
+
   buildInputs = [ pkgconfig intltool gtk alsaLib libglade ];
 
   configureFlags = "--disable-jack";
diff --git a/pkgs/applications/audio/mi2ly/default.nix b/pkgs/applications/audio/mi2ly/default.nix
index 1d736b06938..67ac74f5f5a 100644
--- a/pkgs/applications/audio/mi2ly/default.nix
+++ b/pkgs/applications/audio/mi2ly/default.nix
@@ -21,6 +21,8 @@ stdenv.mkDerivation {
 
   sourceRoot=".";
 
+  hardening_format = false;
+
   buildPhase = "./cc";
   installPhase = ''
     mkdir -p "$out"/{bin,share/doc/mi2ly}
diff --git a/pkgs/applications/audio/mp3info/default.nix b/pkgs/applications/audio/mp3info/default.nix
index e4c45c613ee..f2434619c47 100644
--- a/pkgs/applications/audio/mp3info/default.nix
+++ b/pkgs/applications/audio/mp3info/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ ncurses pkgconfig gtk ];
 
+  hardening_format = false;
+
   configurePhase =
     '' sed -i Makefile \
            -e "s|^prefix=.*$|prefix=$out|g ;
diff --git a/pkgs/applications/audio/mp3val/default.nix b/pkgs/applications/audio/mp3val/default.nix
index 0957420b658..abea5521571 100644
--- a/pkgs/applications/audio/mp3val/default.nix
+++ b/pkgs/applications/audio/mp3val/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
     install -Dv mp3val "$out/bin/mp3val"
   '';
 
+  hardening_fortify = false;
+
   meta = {
     description = "A tool for validating and repairing MPEG audio streams";
     longDescription = ''
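Review bot: `hardening_fortify = false;` removes a runtime protection rather than a build-time warning, and the hunk gives no reason for it. mp3val exists to read possibly malformed MPEG streams, so losing the fortified libc checks (assuming the flag controls `_FORTIFY_SOURCE`) weakens it on exactly the input it is meant to handle. Please add a comment naming the failure, e.g. `# <symptom> with fortify enabled, see <file>`, and fix the offending call instead if it turns out to be a genuine overflow. The inferno and alpine hunks disable fortify the same way, also without explanation.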
diff --git a/pkgs/applications/audio/mpg321/default.nix b/pkgs/applications/audio/mpg321/default.nix
index 489831dc464..c5bcd5ab4e4 100644
--- a/pkgs/applications/audio/mpg321/default.nix
+++ b/pkgs/applications/audio/mpg321/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
   };
 
+  hardening_format = false;
+
   configureFlags = [
     ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no"))
   ];
diff --git a/pkgs/applications/audio/musescore/default.nix b/pkgs/applications/audio/musescore/default.nix
index e1f0472ce9e..b6a98268a9b 100644
--- a/pkgs/applications/audio/musescore/default.nix
+++ b/pkgs/applications/audio/musescore/default.nix
@@ -13,6 +13,9 @@ stdenv.mkDerivation rec {
     sha256 = "12a83v4i830gj76z5744034y1vvwzgy27mjbjp508yh9bd328yqw";
   };
 
+  hardening_bindnow = false;
+  hardening_relro = false;
+
   makeFlags = [
     "PREFIX=$(out)"
   ];
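Review bot: Turning off both `hardening_bindnow` and `hardening_relro` with no comment leaves no record of what broke, and (assuming they map to the linker's `-z now` and `-z relro`) the relocation tables stay writable for the life of the process. If the failure only involves immediate binding, which the hunk does not show, `hardening_relro` could stay enabled so that partial RELRO still applies. Either way add a comment above the two lines such as `# <symptom> when linked with -z now`, so the opt-out can be revisited. The derivation starts and ends outside the hunk.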
diff --git a/pkgs/applications/audio/pd-plugins/cyclone/default.nix b/pkgs/applications/audio/pd-plugins/cyclone/default.nix
index 2331944db01..460745ddddb 100644
--- a/pkgs/applications/audio/pd-plugins/cyclone/default.nix
+++ b/pkgs/applications/audio/pd-plugins/cyclone/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ puredata ];
 
+  hardening_format = false;
+
   patchPhase = ''
     for file in `grep -r -l g_canvas.h`
       do
diff --git a/pkgs/applications/audio/pd-plugins/maxlib/default.nix b/pkgs/applications/audio/pd-plugins/maxlib/default.nix
index c5732387b50..1eb0e1be654 100644
--- a/pkgs/applications/audio/pd-plugins/maxlib/default.nix
+++ b/pkgs/applications/audio/pd-plugins/maxlib/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ puredata ];
 
+  hardening_format = false;
+
   patchPhase = ''
     for i in ${puredata}/include/pd/*; do
       ln -s $i .
diff --git a/pkgs/applications/audio/pd-plugins/mrpeach/default.nix b/pkgs/applications/audio/pd-plugins/mrpeach/default.nix
index 5f76b208e14..207967a978f 100644
--- a/pkgs/applications/audio/pd-plugins/mrpeach/default.nix
+++ b/pkgs/applications/audio/pd-plugins/mrpeach/default.nix
@@ -14,7 +14,9 @@ stdenv.mkDerivation rec {
     sha256 = "12jqba3jsdrk20ib9wc2wiivki88ypcd4mkzgsri9siywbbz9w8x";
   };
 
-  buildInputs = [puredata ];
+  buildInputs = [ puredata ];
+
+  hardening_format = false;
 
   patchPhase = ''
     for D in net osc
diff --git a/pkgs/applications/audio/pd-plugins/puremapping/default.nix b/pkgs/applications/audio/pd-plugins/puremapping/default.nix
index 2e9a37a2f0d..9300d7461fe 100644
--- a/pkgs/applications/audio/pd-plugins/puremapping/default.nix
+++ b/pkgs/applications/audio/pd-plugins/puremapping/default.nix
@@ -1,12 +1,12 @@
 { stdenv, fetchurl, unzip, puredata }:
 
 stdenv.mkDerivation rec {
-  name = "puremapping-1.01";
+  name = "puremapping-20160130";
 
   src = fetchurl {
-    url = "http://www.chnry.net/ch/IMG/zip/puremapping-libdir-generic.zip";
+    url = "http://www.chnry.net/data/puremapping-20160130-generic.zip";
     name = "puremapping";
-    sha256 = "1ygzxsfj3rnzjkpmgi4wch810q8s5vm1gdam6a938hbbvamafgvc";
+    sha256 = "1h7qgqd8srrxw2y1rkdw5js4k6f5vc8x6nlm2mq9mq9vjck7n1j7";
   };
 
   buildInputs = [ unzip puredata ];
diff --git a/pkgs/applications/audio/rakarrack/default.nix b/pkgs/applications/audio/rakarrack/default.nix
index b746cccd113..647ed9036dc 100644
--- a/pkgs/applications/audio/rakarrack/default.nix
+++ b/pkgs/applications/audio/rakarrack/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation  rec {
     sha256 = "1rpf63pdn54c4yg13k7cb1w1c7zsvl97c4qxcpz41c8l91xd55kn";
   };
 
+  hardening_format = false;
+
   patches = [ ./fltk-path.patch ];
 
   buildInputs = [ alsaLib alsaUtils fltk libjack2 libXft libXpm libjpeg
diff --git a/pkgs/applications/audio/zam-plugins/default.nix b/pkgs/applications/audio/zam-plugins/default.nix
index 48f559dfd86..3c9e80494d1 100644
--- a/pkgs/applications/audio/zam-plugins/default.nix
+++ b/pkgs/applications/audio/zam-plugins/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     url = "https://github.com/zamaudio/zam-plugins.git";
     deepClone = true;
     rev = "91fe56931a3e57b80f18c740d2dde6b44f962aee";
-    sha256 = "0n29zxg4l2m3jsnfw6q2alyzaw7ibbv9nvk57k07sv3lh2yy3f30";
+    sha256 = "1d8w3086xshl61yqaxg6lrvqb7bww30dsdzcd0mnii49wyzjpj0b";
   };
 
   buildInputs = [ boost libX11 mesa liblo libjack2 ladspaH lv2 pkgconfig rubberband libsndfile ];
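Review bot: The `sha256` changes while `rev` stays the same, so the same pinned commit is now expected to hash to a different value, and nothing in the hunk says why. With `deepClone = true` the fetched tree presumably includes repository metadata that is not stable between fetches, so the fixed-output hash can drift without the source changing. That makes a benign drift indistinguishable from altered upstream content. Consider dropping `deepClone` if the build does not need the history, or at least add a comment such as `# hash updated: deepClone output is not reproducible`. The fetcher call opens outside the hunk.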
diff --git a/pkgs/applications/audio/zynaddsubfx/default.nix b/pkgs/applications/audio/zynaddsubfx/default.nix
index 84a62d34fa6..c784b33700e 100644
--- a/pkgs/applications/audio/zynaddsubfx/default.nix
+++ b/pkgs/applications/audio/zynaddsubfx/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation  rec {
   buildInputs = [ alsaLib libjack2 fftw fltk13 libjpeg minixml zlib liblo ];
   nativeBuildInputs = [ cmake pkgconfig ];
 
+  hardening_format = false;
+
   meta = with stdenv.lib; {
     description = "High quality software synthesizer";
     homepage = http://zynaddsubfx.sourceforge.net;
diff --git a/pkgs/applications/editors/bviplus/default.nix b/pkgs/applications/editors/bviplus/default.nix
index 5adb0dad26c..d61fa182379 100644
--- a/pkgs/applications/editors/bviplus/default.nix
+++ b/pkgs/applications/editors/bviplus/default.nix
@@ -1,17 +1,23 @@
-{ stdenv, lib, fetchurl, ncurses }:
+{ stdenv, fetchurl, ncurses }:
 
 stdenv.mkDerivation rec {
   name = "bviplus-${version}";
   version = "0.9.4";
+
   src = fetchurl {
     url = "mirror://sourceforge/project/bviplus/bviplus/${version}/bviplus-${version}.tgz";
     sha256 = "10x6fbn8v6i0y0m40ja30pwpyqksnn8k2vqd290vxxlvlhzah4zb";
   };
+
   buildInputs = [
     ncurses
   ];
+
+  patches = [ ./gcc5.diff ];
+
   makeFlags = "PREFIX=$(out)";
-  meta = with lib; {
+
+  meta = with stdenv.lib; {
     description = "ncurses based hex editor with a vim-like interface";
     homepage = "http://bviplus.sourceforge.net";
     license = licenses.gpl3;
diff --git a/pkgs/applications/editors/bviplus/gcc5.diff b/pkgs/applications/editors/bviplus/gcc5.diff
new file mode 100644
index 00000000000..75dc57151dd
--- /dev/null
+++ b/pkgs/applications/editors/bviplus/gcc5.diff
@@ -0,0 +1,11 @@
+--- bviplus-0.9.4/vf_backend.c	2016-02-07 15:58:47.265405962 +0000
++++ bviplus-0.9.4/vf_backend.c	2016-02-07 16:04:30.020004919 +0000
+@@ -253,7 +253,7 @@
+ /*---------------------------
+ 
+   ---------------------------*/
+-inline void compute_percent_complete(off_t offset, off_t size, int *complete)
++extern void compute_percent_complete(off_t offset, off_t size, int *complete)
+ {
+   if (size == 0)
+   {
diff --git a/pkgs/applications/editors/ht/default.nix b/pkgs/applications/editors/ht/default.nix
index b7acdb7f1d5..5ddcf34995f 100644
--- a/pkgs/applications/editors/ht/default.nix
+++ b/pkgs/applications/editors/ht/default.nix
@@ -3,13 +3,18 @@
 stdenv.mkDerivation rec {
   name = "ht-${version}";
   version = "2.1.0";
+
   src = fetchurl {
     url = "http://sourceforge.net/projects/hte/files/ht-source/ht-${version}.tar.bz2";
     sha256 = "0w2xnw3z9ws9qrdpb80q55h6ynhh3aziixcfn45x91bzrbifix9i";
   };
+
   buildInputs = [
     ncurses
   ];
+
+  hardening_format = false;
+
   meta = with lib; {
     description = "File editor/viewer/analyzer for executables";
     homepage = "http://hte.sourceforge.net";
diff --git a/pkgs/applications/editors/leafpad/default.nix b/pkgs/applications/editors/leafpad/default.nix
index fc35a993bad..f3755db448c 100644
--- a/pkgs/applications/editors/leafpad/default.nix
+++ b/pkgs/applications/editors/leafpad/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ intltool pkgconfig gtk ];
 
+  hardening_format = false;
+
   configureFlags = [
     "--enable-chooser"
   ];
diff --git a/pkgs/applications/graphics/cinepaint/default.nix b/pkgs/applications/graphics/cinepaint/default.nix
index f1ca27eed80..7b8281b4e3c 100644
--- a/pkgs/applications/graphics/cinepaint/default.nix
+++ b/pkgs/applications/graphics/cinepaint/default.nix
@@ -18,14 +18,14 @@ stdenv.mkDerivation rec {
     libXext libXpm libXau libXxf86vm pixman libpthreadstubs fltk
   ];
 
+  hardening_format = false;
+
   patches = [ ./install.patch ];
 
   nativeBuildInputs = [ cmake pkgconfig ];
 
   NIX_LDFLAGS = "-llcms -ljpeg -lX11";
 
-  # NIX_CFLAGS_COMPILE = "-I.";
-
   meta = {
     homepage = http://www.cinepaint.org/;
     license = stdenv.lib.licenses.free;
diff --git a/pkgs/applications/graphics/giv/default.nix b/pkgs/applications/graphics/giv/default.nix
index 2e9d55a3f3f..c33da655222 100644
--- a/pkgs/applications/graphics/giv/default.nix
+++ b/pkgs/applications/graphics/giv/default.nix
@@ -9,8 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "1q0806b66ajppxbv1i71wx5d3ydc1h3hsz23m6g4g80dhiai7dly";
   };
 
-  # It built code to be put in a shared object without -fPIC
-  NIX_CFLAGS_COMPILE = "-fPIC";
+  hardening_format = false;
 
   prePatch = ''
     sed -i s,/usr/bin/perl,${perl}/bin/perl, doc/eperl
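Review bot: Removing `NIX_CFLAGS_COMPILE = "-fPIC";` together with its comment drops the only record that this package compiles shared-object code without `-fPIC` on its own. If the build now relies on the hardening wrapper to supply the flag (an assumption; the hunk does not show it), say so next to the new line, e.g. `# -fPIC is now added by the default hardening flags`. Otherwise a later opt-out of that default will break the build with no hint why. The `hardening_format = false;` that replaces it is an unrelated change and deserves its own reason.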
diff --git a/pkgs/applications/graphics/gqview/default.nix b/pkgs/applications/graphics/gqview/default.nix
index a8132e30c72..ff069d0d972 100644
--- a/pkgs/applications/graphics/gqview/default.nix
+++ b/pkgs/applications/graphics/gqview/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation {
 
   buildInputs = [pkgconfig gtk libpng];
 
+  hardening_format = false;
+
   meta = {
     description = "A fast image viewer";
     homepage = http://gqview.sourceforge.net;
diff --git a/pkgs/applications/graphics/meshlab/default.nix b/pkgs/applications/graphics/meshlab/default.nix
index 49bfb47c85a..c3aed10d00c 100644
--- a/pkgs/applications/graphics/meshlab/default.nix
+++ b/pkgs/applications/graphics/meshlab/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
 
   patches = [ ./include-unistd.diff ];
 
+  hardening_format = false;
+
   buildPhase = ''
     mkdir -p "$out/include"
     cp -r vcglib "$out/include"
diff --git a/pkgs/applications/graphics/qtpfsgui/default.nix b/pkgs/applications/graphics/qtpfsgui/default.nix
index efa245cc7e9..da6521199c5 100644
--- a/pkgs/applications/graphics/qtpfsgui/default.nix
+++ b/pkgs/applications/graphics/qtpfsgui/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ qt4 exiv2 openexr fftwSinglePrec libtiff ];
 
+  hardening_format = false;
+
   configurePhase = ''
     export CPATH="${ilmbase}/include/OpenEXR:$CPATH"
     qmake PREFIX=$out EXIV2PATH=${exiv2}/include/exiv2  \
diff --git a/pkgs/applications/graphics/tesseract/default.nix b/pkgs/applications/graphics/tesseract/default.nix
index b531c41e2d8..b3db2fde4cb 100644
--- a/pkgs/applications/graphics/tesseract/default.nix
+++ b/pkgs/applications/graphics/tesseract/default.nix
@@ -38,6 +38,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ autoconf automake libtool leptonica libpng libtiff ];
 
+  hardening_format = false;
+
   preConfigure = ''
       ./autogen.sh
       substituteInPlace "configure" \
diff --git a/pkgs/applications/graphics/xfig/default.nix b/pkgs/applications/graphics/xfig/default.nix
index 9e53fe3efe2..4f8f3ac16f4 100644
--- a/pkgs/applications/graphics/xfig/default.nix
+++ b/pkgs/applications/graphics/xfig/default.nix
@@ -16,6 +16,8 @@ stdenv.mkDerivation {
 
   nativeBuildInputs = [ imake makeWrapper ];
 
+  hardening_format = false;
+
   NIX_CFLAGS_COMPILE = "-I${libXpm}/include/X11";
 
   patches =
diff --git a/pkgs/applications/inferno/default.nix b/pkgs/applications/inferno/default.nix
index a0e2796a302..a1c4bd912f2 100644
--- a/pkgs/applications/inferno/default.nix
+++ b/pkgs/applications/inferno/default.nix
@@ -54,6 +54,8 @@ stdenv.mkDerivation rec {
       --set INFERNO_ROOT "$out/share/inferno"
   '';
 
+  hardening_fortify = false;
+
   meta = {
     description = "A compact distributed operating system for building cross-platform distributed systems";
     homepage = "http://inferno-os.org/";
diff --git a/pkgs/applications/misc/abook/default.nix b/pkgs/applications/misc/abook/default.nix
index 77e48e49dd8..b8e662a42cd 100644
--- a/pkgs/applications/misc/abook/default.nix
+++ b/pkgs/applications/misc/abook/default.nix
@@ -11,6 +11,11 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig ncurses readline ];
 
+  # Changed inline semantics in GCC5, need to export symbols for inline funcs
+  postPatch = ''
+    substituteInPlace database.c --replace inline extern
+  '';
+
   meta = {
     homepage = "http://abook.sourceforge.net/";
     description = "Text-based addressbook program designed to use with mutt mail client";
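Review bot: `substituteInPlace database.c --replace inline extern` rewrites every occurrence of the string `inline` in the file, including inside identifiers and comments, not only the function specifiers that need exporting under GCC 5. The bviplus change in this same commit handles the same issue with a patch file (`gcc5.diff`) that touches a single declaration. Doing the same here, or matching on the full declaration text, would keep the edit from silently changing unrelated lines when upstream changes the file.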
diff --git a/pkgs/applications/misc/epdfview/default.nix b/pkgs/applications/misc/epdfview/default.nix
index da198e6d88b..7810284973f 100644
--- a/pkgs/applications/misc/epdfview/default.nix
+++ b/pkgs/applications/misc/epdfview/default.nix
@@ -1,11 +1,17 @@
 { stdenv, fetchurl, fetchpatch, pkgconfig, gtk, poppler }:
+
 stdenv.mkDerivation rec {
   name = "epdfview-0.1.8";
+
   src = fetchurl {
     url = "http://trac.emma-soft.com/epdfview/chrome/site/releases/${name}.tar.bz2";
     sha256 = "1w7qybh8ssl4dffi5qfajq8mndw7ipsd92vkim03nywxgjp4i1ll";
   };
+
   buildInputs = [ pkgconfig gtk poppler ];
+
+  hardening_format = false;
+
   patches = [ (fetchpatch {
                 name = "epdfview-0.1.8-glib2-headers.patch";
                 url = "https://projects.archlinux.org/svntogit/community.git/plain/trunk/epdfview-0.1.8-glib2-headers.patch?h=packages/epdfview&id=40ba115c860bdec31d03a30fa594a7ec2864d634";
@@ -17,13 +23,14 @@ stdenv.mkDerivation rec {
                 sha256 = "07yvgvai2bvbr5fa1mv6lg7nqr0qyryjn1xyjlh8nidg9k9vv001";
               })
             ];
+
   meta = {
     homepage = http://trac.emma-soft.com/epdfview/;
     description = "A lightweight PDF document viewer using Poppler and GTK+";
     longDescription = ''
         ePDFView is a free lightweight PDF document viewer using Poppler and
         GTK+ libraries. The aim of ePDFView is to make a simple PDF document
-        viewer, in the lines of Evince but without using the Gnome libraries. 
+        viewer, in the lines of Evince but without using the Gnome libraries.
     '';
     license = stdenv.lib.licenses.gpl2;
     maintainers = with stdenv.lib.maintainers; [ astsmtl ];
diff --git a/pkgs/applications/misc/gkrellm/default.nix b/pkgs/applications/misc/gkrellm/default.nix
index 934a7c69c99..7c755a4f3d3 100644
--- a/pkgs/applications/misc/gkrellm/default.nix
+++ b/pkgs/applications/misc/gkrellm/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [gettext pkgconfig glib gtk libX11 libSM libICE];
 
+  hardening_format = false;
+
   # Makefiles are patched to fix references to `/usr/X11R6' and to add
   # `-lX11' to make sure libX11's store path is in the RPATH.
   patchPhase = ''
diff --git a/pkgs/applications/misc/grip/default.nix b/pkgs/applications/misc/grip/default.nix
index 39621536e68..86127d56b01 100644
--- a/pkgs/applications/misc/grip/default.nix
+++ b/pkgs/applications/misc/grip/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ gtk glib pkgconfig libgnome libgnomeui vte curl cdparanoia
     libid3tag ncurses libtool ];
 
+  hardening_format = false;
+
   meta = {
     description = "GTK+-based audio CD player/ripper";
     homepage = "http://nostatic.org/grip";
diff --git a/pkgs/applications/misc/k2pdfopt/default.nix b/pkgs/applications/misc/k2pdfopt/default.nix
index ce57db371dd..dac597fe67c 100644
--- a/pkgs/applications/misc/k2pdfopt/default.nix
+++ b/pkgs/applications/misc/k2pdfopt/default.nix
@@ -31,6 +31,8 @@ in stdenv.mkDerivation rec {
                     openjpeg freetype jbig2dec djvulibre openssl ];
   NIX_LDFLAGS = "-lX11 -lXext";
 
+  hardening_format = false;
+
   k2_pa = ./k2pdfopt.patch;
   tess_pa = ./tesseract.patch;
 
@@ -96,7 +98,7 @@ in stdenv.mkDerivation rec {
             -ljbig2dec -ljpeg -lopenjp2 -lpng -lfreetype -lpthread -lmujs \
             -lPgm2asc -llept -ltesseract -lcrypto
 
-    mkdir -p $out/bin 
+    mkdir -p $out/bin
     cp k2pdfopt $out/bin
   '';
 
diff --git a/pkgs/applications/misc/navit/default.nix b/pkgs/applications/misc/navit/default.nix
index 1be39c66642..67f474cefac 100644
--- a/pkgs/applications/misc/navit/default.nix
+++ b/pkgs/applications/misc/navit/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "1xx62l5srfhh9cfi7n3pxj8hpcgr1rpa0hzfmbrqadzv09z36723";
   };
 
+  hardening_format = false;
+
   # 'cvs' is only for the autogen
   buildInputs = [ pkgconfig gtk SDL fontconfig freetype imlib2 SDL_image mesa
     libXmu freeglut python gettext quesoglc gd postgresql cmake qt4 SDL_ttf fribidi ];
diff --git a/pkgs/applications/misc/posterazor/default.nix b/pkgs/applications/misc/posterazor/default.nix
index f55af543f18..43da0c92a42 100644
--- a/pkgs/applications/misc/posterazor/default.nix
+++ b/pkgs/applications/misc/posterazor/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "1dqpdk8zl0smdg4fganp3hxb943q40619qmxjlga9jhjc01s7fq5";
   };
 
+  hardening_format = false;
+
   buildInputs = [ cmake unzip pkgconfig libXpm fltk13 freeimage ];
 
   unpackPhase = ''
diff --git a/pkgs/applications/misc/sdcv/default.nix b/pkgs/applications/misc/sdcv/default.nix
index 3859d2c82ab..6a768d44958 100644
--- a/pkgs/applications/misc/sdcv/default.nix
+++ b/pkgs/applications/misc/sdcv/default.nix
@@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
     sha256 = "1cnyv7gd1qvz8ma8545d3aq726wxrx4km7ykl97831irx5wz0r51";
   };
 
+  hardening_format = false;
+
   patches = ( if stdenv.isDarwin
               then [ ./sdcv.cpp.patch-darwin ./utils.hpp.patch ]
               else [ ./sdcv.cpp.patch ] );
diff --git a/pkgs/applications/misc/tasknc/default.nix b/pkgs/applications/misc/tasknc/default.nix
index f7460618d96..d725bba0307 100644
--- a/pkgs/applications/misc/tasknc/default.nix
+++ b/pkgs/applications/misc/tasknc/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "0max5schga9hmf3vfqk2ic91dr6raxglyyjcqchzla280kxn5c28";
   };
 
+  hardening_format = false;
+
   #
   # I know this is ugly, but the Makefile does strange things in this package,
   # so we have to:
diff --git a/pkgs/applications/misc/vym/default.nix b/pkgs/applications/misc/vym/default.nix
index 62f741f9eea..a62f7cd2aa6 100644
--- a/pkgs/applications/misc/vym/default.nix
+++ b/pkgs/applications/misc/vym/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig qt4 ];
 
+  hardening_format = false;
+
   configurePhase = ''
     qmake PREFIX="$out"
   '';
@@ -22,7 +24,7 @@ stdenv.mkDerivation rec {
       Such maps can help you to improve your creativity and effectivity. You can use them
       for time management, to organize tasks, to get an overview over complex contexts,
       to sort your ideas etc.
-      
+
       Maps can be drawn by hand on paper or a flip chart and help to structure your thoughs.
       While a tree like structure like shown on this page can be drawn by hand or any drawing software
       vym offers much more features to work with such maps.
diff --git a/pkgs/applications/misc/wordnet/default.nix b/pkgs/applications/misc/wordnet/default.nix
index b244e9c1bfc..d5edf2a4d58 100644
--- a/pkgs/applications/misc/wordnet/default.nix
+++ b/pkgs/applications/misc/wordnet/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 
   buildInputs = [tcl tk xlibsWrapper makeWrapper];
 
+  hardening_format = false;
+
   patchPhase = ''
     sed "13i#define USE_INTERP_RESULT 1" -i src/stubs.c
   '';
diff --git a/pkgs/applications/networking/browsers/vimprobable2/default.nix b/pkgs/applications/networking/browsers/vimprobable2/default.nix
index 6f8eede9b3f..3d40aa1f60c 100644
--- a/pkgs/applications/networking/browsers/vimprobable2/default.nix
+++ b/pkgs/applications/networking/browsers/vimprobable2/default.nix
@@ -11,9 +11,9 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ];
 
-  installPhase = ''
-    make PREFIX=/ DESTDIR=$out install
-  '';
+  hardening_format = false;
+
+  installFlags = "PREFIX=/ DESTDIR=$(out)";
 
   preFixup = ''
     wrapProgram "$out/bin/vimprobable2" \
@@ -32,7 +32,7 @@ stdenv.mkDerivation rec {
       GTK bindings). The goal of Vimprobable is to build a completely
       keyboard-driven, efficient and pleasurable browsing-experience. Its
       featureset might be considered "minimalistic", but not as minimalistic as
-      being completely featureless. 
+      being completely featureless.
     '';
     homepage = "http://sourceforge.net/apps/trac/vimprobable";
     license = stdenv.lib.licenses.mit;
diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix
index 076b3faf11f..cc3e55f02e9 100644
--- a/pkgs/applications/networking/browsers/w3m/default.nix
+++ b/pkgs/applications/networking/browsers/w3m/default.nix
@@ -50,6 +50,8 @@ stdenv.mkDerivation rec {
     ln -s $out/libexec/w3m/w3mimgdisplay $out/bin
   '';
 
+  hardening_format = false;
+
   configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}"
     + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb";
 
diff --git a/pkgs/applications/networking/instant-messengers/silc-client/default.nix b/pkgs/applications/networking/instant-messengers/silc-client/default.nix
index 133a15aebf8..156b138f290 100644
--- a/pkgs/applications/networking/instant-messengers/silc-client/default.nix
+++ b/pkgs/applications/networking/instant-messengers/silc-client/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation {
 
   dontDisableStatic = true;
 
+  hardening_format = false;
+
   configureFlags = "--with-ncurses=${ncurses}";
 
   preConfigure = stdenv.lib.optionalString enablePlugin ''
diff --git a/pkgs/applications/networking/instant-messengers/vacuum/default.nix b/pkgs/applications/networking/instant-messengers/vacuum/default.nix
index 205c21adab4..181cd3301e3 100644
--- a/pkgs/applications/networking/instant-messengers/vacuum/default.nix
+++ b/pkgs/applications/networking/instant-messengers/vacuum/default.nix
@@ -1,56 +1,31 @@
-x@{builderDefsPackage
-  , qt4, openssl
-  , xproto, libX11, libXScrnSaver, scrnsaverproto
-  , xz
-  , ...}:
-builderDefsPackage
-(a :  
-let 
-  helperArgNames = ["stdenv" "fetchurl" "builderDefsPackage"] ++ 
-    [];
+{ stdenv, fetchurl, qt4, openssl, xproto, libX11
+, libXScrnSaver, scrnsaverproto, xz
+}:
 
-  buildInputs = map (n: builtins.getAttr n x)
-    (builtins.attrNames (builtins.removeAttrs x helperArgNames));
-  sourceInfo = rec {
-    version="1.2.4";
-    baseName="vacuum-im";
-    name="${baseName}-${version}";
+stdenv.mkDerivation rec {
+  name="${baseName}-${version}";
+  baseName = "vacuum-im";
+  version = "1.2.4";
+
+  src = fetchurl {
     url="https://googledrive.com/host/0B7A5K_290X8-d1hjQmJaSGZmTTA/vacuum-1.2.4.tar.gz";
     sha256="10qxpfbbaagqcalhk0nagvi5irbbz5hk31w19lba8hxf6pfylrhf";
   };
-in
-rec {
-  src = a.fetchurl {
-    url = sourceInfo.url;
-    sha256 = sourceInfo.sha256;
-  };
 
-  inherit (sourceInfo) name version;
-  inherit buildInputs;
+  configurePhase = "qmake INSTALL_PREFIX=$out -recursive vacuum.pro";
 
-  /* doConfigure should be removed if not needed */
-  phaseNames = ["addInputs" "doQMake" "doMakeInstall"];
+  hardening_format = false;
 
-  doQMake = a.fullDepEntry (''
-    qmake INSTALL_PREFIX=$out -recursive vacuum.pro
-  '') ["doUnpack" "addInputs"];
-      
-  meta = {
+  buildInputs = [
+    qt4 openssl xproto libX11 libXScrnSaver scrnsaverproto xz
+  ];
+
+  meta = with stdenv.lib; {
     description = "An XMPP client fully composed of plugins";
-    maintainers = with a.lib.maintainers;
-    [
-      raskin
-    ];
-    platforms = with a.lib.platforms;
-      linux;
-    license = with a.lib.licenses;
-      gpl3;
+    maintainers = with maintainers; [ raskin ];
+    platforms = with platforms; linux;
+    license = with licenses; gpl3;
     homepage = "http://code.google.com/p/vacuum-im/";
   };
-  passthru = {
-    updateInfo = {
-      downloadPage = "http://code.google.com/p/vacuum-im/downloads/list?can=2&q=&colspec=Filename";
-    };
-  };
-}) x
+}
 
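Review bot: The `url` kept as context still hard-codes `vacuum-1.2.4.tar.gz` even though the rewrite introduces a `version` attribute in the same `rec` set. A later bump of `version` alone would rename the derivation while the fetch and its `sha256` still match the old tarball, so the build would succeed with a mislabelled source. Use the attribute in the URL: `url = "https://googledrive.com/host/0B7A5K_290X8-d1hjQmJaSGZmTTA/vacuum-${version}.tar.gz";`. Note also that the rewrite drops `passthru.updateInfo`; if that was intentional, it is worth mentioning in the commit message.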
diff --git a/pkgs/applications/networking/iptraf-ng/default.nix b/pkgs/applications/networking/iptraf-ng/default.nix
index 368d78a36f9..8084d5133f1 100644
--- a/pkgs/applications/networking/iptraf-ng/default.nix
+++ b/pkgs/applications/networking/iptraf-ng/default.nix
@@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
                 --localstatedir=$out/var --sbindir=$out/bin
   '';
 
+  hardening_format = false;
+
   meta = {
     description = "A console-based network monitoring utility (fork of iptraf)";
     longDescription = ''
diff --git a/pkgs/applications/networking/mailreaders/alpine/default.nix b/pkgs/applications/networking/mailreaders/alpine/default.nix
index 03c2c21aed0..c77b51d7064 100644
--- a/pkgs/applications/networking/mailreaders/alpine/default.nix
+++ b/pkgs/applications/networking/mailreaders/alpine/default.nix
@@ -1,35 +1,37 @@
 {stdenv, fetchurl, ncurses, tcl, openssl, pam, pkgconfig, gettext, kerberos
 , openldap
 }:
+
 let
-  s = 
-  rec {
-    version = "2.00";
+  version = "2.00";
+  baseName = "alpine";
+in
+stdenv.mkDerivation {
+  name = "${baseName}-${version}";
+
+  src = fetchurl {
     url = "ftp://ftp.cac.washington.edu/alpine/alpine-${version}.tar.bz2";
     sha256 = "19m2w21dqn55rhxbh5lr9qarc2fqa9wmpj204jx7a0zrb90bhpf8";
-    baseName = "alpine";
-    name = "${baseName}-${version}";
   };
+
   buildInputs = [
     ncurses tcl openssl pam kerberos openldap
   ];
-in
-stdenv.mkDerivation {
-  inherit (s) name version;
-  inherit buildInputs;
-  src = fetchurl {
-    inherit (s) url sha256;
-  };
+
+  hardening_format = false;
+  hardening_fortify = false;
+
   configureFlags = [
     "--with-ssl-include-dir=${openssl}/include/openssl"
     "--with-tcl-lib=${tcl.libPrefix}"
-    ];
+  ];
+
   preConfigure = ''
     export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
   '';
+
   meta = {
-    inherit (s) version;
-    description = ''Console mail reader'';
+    description = "Console mail reader";
     license = stdenv.lib.licenses.asl20;
     maintainers = [stdenv.lib.maintainers.raskin];
     platforms = stdenv.lib.platforms.linux;
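Review bot: The rewritten derivation no longer passes `version` to `mkDerivation`: the old `inherit (s) name version;` is gone and `version` is now only a `let` binding used in `name` and `url`. The realpine hunk in this commit, which is otherwise the same rewrite, keeps `inherit version;`. Adding `inherit version;` under `name` here would keep the two files parallel and keep the attribute available to anything that reads it.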
diff --git a/pkgs/applications/networking/mailreaders/realpine/default.nix b/pkgs/applications/networking/mailreaders/realpine/default.nix
index c1835992158..1ee42531465 100644
--- a/pkgs/applications/networking/mailreaders/realpine/default.nix
+++ b/pkgs/applications/networking/mailreaders/realpine/default.nix
@@ -2,34 +2,35 @@
 , openldap
 }:
 let
-  s = 
-  rec {
-    version = "2.03";
+  baseName = "re-alpine";
+  version = "2.03";
+in
+stdenv.mkDerivation {
+  name = "${baseName}-${version}";
+  inherit version;
+
+  src = fetchurl {
     url = "mirror://sourceforge/re-alpine/re-alpine-${version}.tar.bz2";
     sha256 = "11xspzbk9cwmklmcw6rxsan7j71ysd4m9c7qldlc59ck595k5nbh";
-    baseName = "re-alpine";
-    name = "${baseName}-${version}";
   };
+
   buildInputs = [
     ncurses tcl openssl pam kerberos openldap
   ];
-in
-stdenv.mkDerivation {
-  inherit (s) name version;
-  inherit buildInputs;
-  src = fetchurl {
-    inherit (s) url sha256;
-  };
+
+  hardening_format = false;
+
   configureFlags = [
     "--with-ssl-include-dir=${openssl}/include/openssl"
     "--with-tcl-lib=${tcl.libPrefix}"
-    ];
+  ];
+
   preConfigure = ''
     export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
   '';
+
   meta = {
-    inherit (s) version;
-    description = ''Console mail reader'';
+    description = "Console mail reader";
     license = stdenv.lib.licenses.asl20;
     maintainers = [stdenv.lib.maintainers.raskin];
     platforms = stdenv.lib.platforms.linux;
diff --git a/pkgs/applications/networking/remote/ssvnc/default.nix b/pkgs/applications/networking/remote/ssvnc/default.nix
index 956391b71f8..681ace6ab8f 100644
--- a/pkgs/applications/networking/remote/ssvnc/default.nix
+++ b/pkgs/applications/networking/remote/ssvnc/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
 
   configurePhase = "makeFlags=PREFIX=$out";
 
+  hardening_format = false;
+
   postInstall = ''
     sed -i -e 's|exec wish|exec ${tk}/bin/wish|' $out/lib/ssvnc/util/ssvnc.tcl
     sed -i -e 's|/usr/bin/perl|${perl}/bin/perl|' $out/lib/ssvnc/util/ss_vncviewer
diff --git a/pkgs/applications/science/geometry/drgeo/default.nix b/pkgs/applications/science/geometry/drgeo/default.nix
index f0be5258ce4..c5c2cee62e8 100644
--- a/pkgs/applications/science/geometry/drgeo/default.nix
+++ b/pkgs/applications/science/geometry/drgeo/default.nix
@@ -5,6 +5,8 @@ stdenv.mkDerivation rec {
   name = "drgeo-${version}";
   version = "1.1.0";
 
+  hardening_format = false;
+
   src = fetchurl {
     url = "mirror://sourceforge/ofset/${name}.tar.gz";
     sha256 = "05i2czgzhpzi80xxghinvkyqx4ym0gm9f38fz53idjhigiivp4wc";
diff --git a/pkgs/applications/science/logic/ltl2ba/default.nix b/pkgs/applications/science/logic/ltl2ba/default.nix
index cdadd18ac9f..4ba773756e5 100644
--- a/pkgs/applications/science/logic/ltl2ba/default.nix
+++ b/pkgs/applications/science/logic/ltl2ba/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "16z0gc7a9dkarwn0l6rvg5jdhw1q4qyn4501zlchy0zxqddz0sx6";
   };
 
+  hardening_format = false;
+
   installPhase = ''
     mkdir -p $out/bin
     mv ltl2ba $out/bin
diff --git a/pkgs/applications/science/logic/otter/default.nix b/pkgs/applications/science/logic/otter/default.nix
index 398f6c9a3e2..b0b001f7b3c 100644
--- a/pkgs/applications/science/logic/otter/default.nix
+++ b/pkgs/applications/science/logic/otter/default.nix
@@ -17,6 +17,9 @@ stdenv.mkDerivation {
   src = fetchurl {
     inherit (s) url sha256;
   };
+
+  hardening_format = false;
+
   buildPhase = ''
     find . -name Makefile | xargs sed -i -e "s@/bin/rm@$(type -P rm)@g"
     find . -name Makefile | xargs sed -i -e "s@/bin/mv@$(type -P mv)@g"
@@ -32,11 +35,13 @@ stdenv.mkDerivation {
     make -C source/formed realclean
     make -C source/formed formed
   '';
+
   installPhase = ''
     mkdir -p "$out"/{bin,share/otter}
     cp bin/* source/formed/formed "$out/bin/"
     cp -r examples examples-mace2 documents README* Legal Changelog Contents index.html "$out/share/otter/"
   '';
+
   meta = {
     inherit (s) version;
     description = "A reliable first-order theorem prover";
diff --git a/pkgs/applications/science/logic/prover9/default.nix b/pkgs/applications/science/logic/prover9/default.nix
index d92c7887210..f6ec3b840ac 100644
--- a/pkgs/applications/science/logic/prover9/default.nix
+++ b/pkgs/applications/science/logic/prover9/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation {
     sha256 = "1l2i3d3h5z7nnbzilb6z92r0rbx0kh6yaxn2c5qhn3000xcfsay3";
   };
 
-  phases = "unpackPhase patchPhase buildPhase installPhase";
+  hardening_format = false;
 
   patchPhase = ''
     RM=$(type -tp rm)
@@ -23,6 +23,8 @@ stdenv.mkDerivation {
 
   buildFlags = "all";
 
+  checkPhase = "make test1";
+
   installPhase = ''
     mkdir -p $out/bin
     cp bin/* $out/bin
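Review bot: The added `checkPhase = "make test1";` will only run if the derivation also sets `doCheck = true;`, and neither hunk of this file shows that attribute, so the test may never run. If the intent is to run it, add `doCheck = true;` next to the new line. Dropping the explicit `phases` list in the first hunk also brings back the default configure and fixup phases; that is presumably wanted so the hardening and fixup hooks apply, but a short comment would make it clear. The derivation continues outside both hunks.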
diff --git a/pkgs/applications/science/math/cbc/default.nix b/pkgs/applications/science/math/cbc/default.nix
index 0d1ef26092e..f294750928e 100644
--- a/pkgs/applications/science/math/cbc/default.nix
+++ b/pkgs/applications/science/math/cbc/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation {
 
   enableParallelBuilding = true;
 
+  hardening_format = false;
+
   buildInputs = [ zlib bzip2 ];
 
   # FIXME: move share/coin/Data to a separate output?
diff --git a/pkgs/applications/science/math/qalculate-gtk/default.nix b/pkgs/applications/science/math/qalculate-gtk/default.nix
index 6bc5d874bc0..77026eb490a 100644
--- a/pkgs/applications/science/math/qalculate-gtk/default.nix
+++ b/pkgs/applications/science/math/qalculate-gtk/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "0b986x5yny9vrzgxlbyg80b23mxylxv2zz8ppd9svhva6vi8xsm4";
   };
 
+  hardening_format = false;
+
   nativeBuildInputs = [ intltool pkgconfig ];
   buildInputs = [ libqalculate gtk gnome2.libglade gnome2.libgnome gnome2.scrollkeeper ];
 
diff --git a/pkgs/applications/science/math/yacas/default.nix b/pkgs/applications/science/math/yacas/default.nix
index 2c9d63be1b4..af284a2f82e 100644
--- a/pkgs/applications/science/math/yacas/default.nix
+++ b/pkgs/applications/science/math/yacas/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "1dmafm3w0lm5w211nwkfzaid1rvvmgskz7k4500pjhgdczi5sd78";
   };
 
+  hardening_format = false;
+
   # Perl is only for the documentation
   nativeBuildInputs = [ perl ];
 
@@ -32,7 +34,7 @@ stdenv.mkDerivation rec {
     '';
   };
 
-  meta = { 
+  meta = {
       description = "Easy to use, general purpose Computer Algebra System";
       homepage = http://yacas.sourceforge.net/;
       license = stdenv.lib.licenses.gpl2Plus;
diff --git a/pkgs/applications/version-management/cvs/default.nix b/pkgs/applications/version-management/cvs/default.nix
index e9de202a809..4912ce0b3e6 100644
--- a/pkgs/applications/version-management/cvs/default.nix
+++ b/pkgs/applications/version-management/cvs/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 
   patches = [ ./getcwd-chroot.patch ];
 
+  hardening_format = false;
+
   preConfigure = ''
     # Apply the Debian patches.
     for p in "debian/patches/"*; do
diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix
index 2878fec3c09..2799c25527b 100644
--- a/pkgs/applications/version-management/git-and-tools/git/default.nix
+++ b/pkgs/applications/version-management/git-and-tools/git/default.nix
@@ -21,6 +21,8 @@ stdenv.mkDerivation {
     sha256 = "1zkbdmh5gvxalr8l1cwnirqq5raijmp2d0s36s6qabrlvqvq2yj7";
   };
 
+  hardening_format = false;
+
   patches = [
     ./docbook2texi.patch
     ./symlinks-in-bin.patch
diff --git a/pkgs/applications/version-management/git-and-tools/qgit/default.nix b/pkgs/applications/version-management/git-and-tools/qgit/default.nix
index a7e6a62ce5f..6240baac8f1 100644
--- a/pkgs/applications/version-management/git-and-tools/qgit/default.nix
+++ b/pkgs/applications/version-management/git-and-tools/qgit/default.nix
@@ -2,21 +2,26 @@
 
 stdenv.mkDerivation rec {
   name = "qgit-2.5";
-  meta =
-  {
-    license = stdenv.lib.licenses.gpl2;
-    homepage = "http://libre.tibirna.org/projects/qgit/wiki/QGit";
-    description = "Graphical front-end to Git";
-    inherit (qt.meta) platforms;
-  };
-  src = fetchurl
-  {
+
+  src = fetchurl {
     url = "http://libre.tibirna.org/attachments/download/9/${name}.tar.gz";
     sha256 = "25f1ca2860d840d87b9919d34fc3a1b05d4163671ed87d29c3e4a8a09e0b2499";
   };
+
   buildInputs = [qt libXext libX11];
+
+  hardening_format = false;
+
   configurePhase = "qmake PREFIX=$out";
+
   installPhase = ''
     install -s -D -m 755 bin/qgit "$out/bin/qgit"
   '';
+
+  meta = {
+    license = stdenv.lib.licenses.gpl2;
+    homepage = "http://libre.tibirna.org/projects/qgit/wiki/QGit";
+    description = "Graphical front-end to Git";
+    inherit (qt.meta) platforms;
+  };
 }
diff --git a/pkgs/applications/version-management/rcs/default.nix b/pkgs/applications/version-management/rcs/default.nix
index a829af8aa23..3e66f85ff73 100644
--- a/pkgs/applications/version-management/rcs/default.nix
+++ b/pkgs/applications/version-management/rcs/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
 
-  NIX_CFLAGS_COMPILE = if stdenv.isDarwin then "-std=gnu99" else null;
+  NIX_CFLAGS_COMPILE = "-std=gnu99";
 
   meta = {
     homepage = http://www.gnu.org/software/rcs/;
diff --git a/pkgs/applications/video/aegisub/default.nix b/pkgs/applications/video/aegisub/default.nix
index a5c14d0888f..49e2662adb4 100644
--- a/pkgs/applications/video/aegisub/default.nix
+++ b/pkgs/applications/video/aegisub/default.nix
@@ -43,6 +43,9 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardening_bindnow = false;
+  hardening_relro = false;
+
   postInstall = "ln -s $out/bin/aegisub-* $out/bin/aegisub";
 
   meta = {
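Review bot: `hardening_bindnow = false;` and `hardening_relro = false;` are switched off together with no stated reason. That leaves the binary's relocation tables writable at run time in a program that parses user-supplied media and subtitle files. If only immediate binding breaks the build or start-up (a common cause is symbols that resolve lazily from plugins), keep RELRO on and disable just the one flag. Either way, add a comment such as `# FIXME: fails to link/start with -z now: <error>; re-enable when fixed` naming the observed failure.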
diff --git a/pkgs/applications/virtualization/OVMF/default.nix b/pkgs/applications/virtualization/OVMF/default.nix
index 479d625c7de..513242271a1 100644
--- a/pkgs/applications/virtualization/OVMF/default.nix
+++ b/pkgs/applications/virtualization/OVMF/default.nix
@@ -17,6 +17,10 @@ stdenv.mkDerivation (edk2.setup "OvmfPkg/OvmfPkg${targetArch}.dsc" {
   # TODO: properly include openssl for secureBoot
   buildInputs = [nasm iasl] ++ stdenv.lib.optionals (secureBoot == true) [ openssl ];
 
+  hardening_stackprotector = false;
+  hardening_pic = false;
+  hardening_fortify = false;
+
   unpackPhase = ''
     for file in \
       "${edk2.src}"/{UefiCpuPkg,MdeModulePkg,IntelFrameworkModulePkg,PcAtChipsetPkg,FatBinPkg,EdkShellBinPkg,MdePkg,ShellPkg,OptionRomPkg,IntelFrameworkPkg};
diff --git a/pkgs/applications/virtualization/bochs/default.nix b/pkgs/applications/virtualization/bochs/default.nix
index 9a75a3ddfd4..705691b1682 100644
--- a/pkgs/applications/virtualization/bochs/default.nix
+++ b/pkgs/applications/virtualization/bochs/default.nix
@@ -145,7 +145,9 @@ stdenv.mkDerivation rec {
 
   NIX_CFLAGS_COMPILE="-I${gtk}/include/gtk-2.0/ -I${libtool}/include/";
   NIX_LDFLAGS="-L${libtool}/lib";
-	
+
+  hardening_format = false;
+
   meta = with stdenv.lib; {
     description = "An open-source IA-32 (x86) PC emulator";
     longDescription = ''
diff --git a/pkgs/applications/virtualization/cbfstool/default.nix b/pkgs/applications/virtualization/cbfstool/default.nix
index d99f569d7e6..01832b55292 100644
--- a/pkgs/applications/virtualization/cbfstool/default.nix
+++ b/pkgs/applications/virtualization/cbfstool/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ iasl flex bison ];
 
+  hardening_fortify = false;
+
   buildPhase = ''
     export LEX=${flex}/bin/flex
     make -C util/cbfstool
diff --git a/pkgs/applications/virtualization/seabios/default.nix b/pkgs/applications/virtualization/seabios/default.nix
index 8e6a7fcb0d2..a06523973b7 100644
--- a/pkgs/applications/virtualization/seabios/default.nix
+++ b/pkgs/applications/virtualization/seabios/default.nix
@@ -12,6 +12,9 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ iasl python ];
 
+  hardening_pic = false;
+  hardening_stackprotector = false;
+
   configurePhase = ''
     # build SeaBIOS for CSM
     cat > .config << EOF
@@ -21,12 +24,12 @@ stdenv.mkDerivation rec {
     EOF
 
     make olddefconfig
-    '';
+  '';
 
   installPhase = ''
     mkdir $out
     cp out/Csm16.bin $out/Csm16.bin
-    '';
+  '';
 
   meta = with stdenv.lib; {
     description = "Open source implementation of a 16bit X86 BIOS";
diff --git a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix
index 43f591cf6aa..0ef00550ee4 100644
--- a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix
+++ b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation {
 
   KERN_DIR = "${kernel.dev}/lib/modules/*/build";
 
+  hardening_pic = false;
+
   buildInputs = [ patchelf cdrkit makeWrapper dbus ];
 
   installPhase = ''
diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix
index 6774675266c..0a3bd3898c2 100644
--- a/pkgs/applications/virtualization/xen/generic.nix
+++ b/pkgs/applications/virtualization/xen/generic.nix
@@ -75,6 +75,10 @@ stdenv.mkDerivation {
 
   pythonPath = [ pythonPackages.curses ];
 
+  hardening_stackprotector = false;
+  hardening_fortify = false;
+  hardening_pic = false;
+
   patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches;
 
   postPatch = ''
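Review bot: The three opt-outs `hardening_stackprotector`, `hardening_fortify` and `hardening_pic` apply to the whole derivation, not only to the freestanding hypervisor and firmware objects that cannot use them. The `pythonPath` line just above suggests this build also installs userspace tooling, which would then lose stack protection and fortify as well; that is a poor trade for code that runs privileged in the control domain. If the flags cannot be scoped to the hypervisor build, record that in a comment, for example `# hypervisor/firmware objects are freestanding; TODO: keep hardening for the userspace tools`. The derivation body continues outside the hunk.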
diff --git a/pkgs/applications/window-managers/stalonetray/default.nix b/pkgs/applications/window-managers/stalonetray/default.nix
index 5ef5ba769c4..43d0804222c 100644
--- a/pkgs/applications/window-managers/stalonetray/default.nix
+++ b/pkgs/applications/window-managers/stalonetray/default.nix
@@ -3,12 +3,16 @@
 stdenv.mkDerivation rec {
   name = "stalonetray-${version}";
   version = "0.8.1";
+
   src = fetchurl {
     url = "mirror://sourceforge/stalonetray/${name}.tar.bz2";
     sha256 = "1wp8pnlv34w7xizj1vivnc3fkwqq4qgb9dbrsg15598iw85gi8ll";
   };
+
   buildInputs = [ libX11 xproto ];
 
+  hardening_format = false;
+
   meta = with stdenv.lib; {
     description = "Stand alone tray";
     maintainers = with maintainers; [ raskin ];
diff --git a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
index 2aa47d799c9..9dc8d6f8ef1 100644
--- a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71";
   };
 
+  hardening_format = false;
+
   patches = [ ./glib.patch ./cups_1.6.patch ];
 
   buildInputs = [ pkgconfig gtk gettext intltool libart_lgpl ];
diff --git a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
index 6aab400c60a..d766957f0d7 100644
--- a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
@@ -2,12 +2,14 @@
 
 stdenv.mkDerivation {
   name = "libgtkhtml-2.11.1";
-  
+
   src = fetchurl {
     url = mirror://gnome/sources/libgtkhtml/2.11/libgtkhtml-2.11.1.tar.bz2;
     sha256 = "0msajafd42545dxzyr5zqka990cjrxw2yz09ajv4zs8m1w6pm9rw";
   };
-  
+
   buildInputs = [ pkgconfig gtk gettext ];
   propagatedBuildInputs = [ libxml2 ];
+
+  hardening_format = false;
 }
diff --git a/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix b/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix
index 1fcb411d120..6f10f6ea920 100644
--- a/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix
+++ b/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix
@@ -17,6 +17,8 @@ in stdenv.mkDerivation rec {
     "--enable-gi-system-install=no"
   ];
 
+  hardening_format = false;
+
   enableParallelBuilding = true;
 
   buildInputs = [ pkgconfig intltool itstool libxml2 gtk3 openssl ];
diff --git a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix
index 03e9dc9a007..c80bd67f404 100644
--- a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix
+++ b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix
@@ -1,18 +1,20 @@
-{ kde, cmake, smokeqt, ruby }:
+{ kde, cmake, smokeqt, ruby_2_2 }:
 
 kde {
 
  # TODO: scintilla2, qwt5
 
-  buildInputs = [ smokeqt ruby ];
+  buildInputs = [ smokeqt ruby_2_2 ];
 
   nativeBuildInputs = [ cmake ];
 
+  hardening_all = false;
+
   # The patch is not ready for upstream submmission.
   # I should add an option() instead.
   patches = [ ./qtruby-install-prefix.patch ];
 
-  cmakeFlags="-DRUBY_ROOT_DIR=${ruby}";
+  cmakeFlags="-DRUBY_ROOT_DIR=${ruby_2_2}";
 
   meta = {
     description = "Ruby bindings for Qt library";
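Review bot: `hardening_all = false;` is the bluntest opt-out available and it is added without saying which flag actually breaks the build. The same line appears in the go 1.4, 1.5 and 1.6 hunks later in this diff. Try the individual flags first (the other packages in this commit get by with one or two of `hardening_format`, `hardening_pic`, `hardening_stackprotector`) and disable only the ones that fail. If everything really has to go, add a comment such as `# FIXME: build fails with any hardening flag: <error>`. The switch from `ruby` to `ruby_2_2` in the same hunk pins an older interpreter and also deserves a one-line reason.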
diff --git a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix
index 603a68cc5f6..415c6bc6cfb 100644
--- a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix
+++ b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig intltool glib exo pcre libxfce4util libxfce4ui xfce4panel xfconf gtk ];
 
+  hardening_format = false;
+
   meta = {
     homepage = "http://goodies.xfce.org/projects/panel-plugins/${p_name}";
     description = "A command-line plugin";
diff --git a/pkgs/development/compilers/ccl/default.nix b/pkgs/development/compilers/ccl/default.nix
index e5e07705a18..ee0153c13b0 100644
--- a/pkgs/development/compilers/ccl/default.nix
+++ b/pkgs/development/compilers/ccl/default.nix
@@ -5,7 +5,7 @@ let
     /* TODO: there are also MacOS, FreeBSD and Windows versions */
     x86_64-linux = {
       arch = "linuxx86";
-      sha256 = "0d2vhp5n74yhwixnvlsnp7dzaf9aj6zd2894hr2728djyd8x9fx6";
+      sha256 = "07cny2qkzc624bzpdsy4iakcln0p7v5rhf8bv0vnh6rhpvnahrnq";
       runtime = "lx86cl64";
       kernel = "linuxx8664";
     };
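Review bot: The `sha256` for the x86_64-linux tarball changes while no version or URL change is visible in this hunk, and the commit is otherwise about hardening flags. If upstream replaced the archive in place, the new hash should be checked against a checksum or signature published by upstream, not taken from whatever the fetch returned. State the reason in the commit message or in a comment such as `# upstream re-rolled the tarball on <date>`. The enclosing `let` block starts and ends outside the hunk, so the version and URL it pairs with cannot be confirmed from here.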
diff --git a/pkgs/development/compilers/clean/default.nix b/pkgs/development/compilers/clean/default.nix
index 7f3e679e847..dcb7350fbbb 100644
--- a/pkgs/development/compilers/clean/default.nix
+++ b/pkgs/development/compilers/clean/default.nix
@@ -14,6 +14,9 @@ stdenv.mkDerivation rec {
     })
     else throw "Architecture not supported";
 
+  hardening_format = false;
+  hardening_pic = false;
+
   # clm uses timestamps of dcl, icl, abc and o files to decide what must be rebuild
   # and for chroot builds all of the library files will have equal timestamps.  This
   # makes clm try to rebuild the library modules (and fail due to absence of write permission
diff --git a/pkgs/development/compilers/dev86/default.nix b/pkgs/development/compilers/dev86/default.nix
index f37dae80830..0ee0a622b1e 100644
--- a/pkgs/development/compilers/dev86/default.nix
+++ b/pkgs/development/compilers/dev86/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation {
     sha256 = "33398b87ca85e2b69e4062cf59f2f7354af46da5edcba036c6f97bae17b8d00e";
   };
 
+  hardening_format = false;
+
   makeFlags = "PREFIX=$(out)";
 
   # Awful hackery to get dev86 to compile with recent gcc/binutils.
diff --git a/pkgs/development/compilers/ecl/default.nix b/pkgs/development/compilers/ecl/default.nix
index 172283b19de..bd99335192b 100644
--- a/pkgs/development/compilers/ecl/default.nix
+++ b/pkgs/development/compilers/ecl/default.nix
@@ -1,47 +1,45 @@
 {stdenv, fetchurl
 , libtool, autoconf, automake
 , gmp, mpfr, libffi
-, noUnicode ? false, 
+, noUnicode ? false,
 }:
+
 let
-  s = # Generated upstream information
-  rec {
-    baseName="ecl";
-    version="16.0.0";
-    name="${baseName}-${version}";
-    hash="0czh78z9i5b7jc241mq1h1gdscvdw5fbhfb0g9sn4rchwk1x8gil";
-    url="https://common-lisp.net/project/ecl/files/release/16.0.0/ecl-16.0.0.tgz";
-    sha256="0czh78z9i5b7jc241mq1h1gdscvdw5fbhfb0g9sn4rchwk1x8gil";
-  };
-  buildInputs = [
-    libtool autoconf automake
-  ];
-  propagatedBuildInputs = [
-    libffi gmp mpfr
-  ];
+  baseName = "ecl";
+  version = "16.0.0";
 in
 stdenv.mkDerivation {
-  inherit (s) name version;
-  inherit buildInputs propagatedBuildInputs;
+  name = "${baseName}-${version}";
+  inherit version;
+
   src = fetchurl {
-    inherit (s) url sha256;
+    url = "https://common-lisp.net/project/ecl/files/ecl-16.0.0.tgz";
+    sha256 = "0czh78z9i5b7jc241mq1h1gdscvdw5fbhfb0g9sn4rchwk1x8gil";
   };
+
   configureFlags = [
     "--enable-threads"
     "--with-gmp-prefix=${gmp}"
     "--with-libffi-prefix=${libffi}"
-    ]
-    ++
-    (stdenv.lib.optional (! noUnicode)
-      "--enable-unicode")
-    ;
+  ] ++ (stdenv.lib.optional (!noUnicode) "--enable-unicode");
+
+  buildInputs = [
+    libtool autoconf automake
+  ];
+
+  propagatedBuildInputs = [
+    libffi gmp mpfr
+  ];
+
+  hardening_format = false;
+
   postInstall = ''
     sed -e 's/@[-a-zA-Z_]*@//g' -i $out/bin/ecl-config
   '';
+
   meta = {
-    inherit (s) version;
     description = "Lisp implementation aiming to be small, fast and easy to embed";
-    license = stdenv.lib.licenses.mit ;
+    license = stdenv.lib.licenses.mit;
     maintainers = [stdenv.lib.maintainers.raskin];
     platforms = stdenv.lib.platforms.linux;
   };
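Review bot: The fetch URL moves from `files/release/16.0.0/ecl-16.0.0.tgz` to `files/ecl-16.0.0.tgz` inside what otherwise reads as a formatting cleanup. The unchanged `sha256` means a different tarball cannot slip in, but the path change should be mentioned in the commit message, and it is worth confirming that the new location resolves. The URL also hard-codes the version that the new `let` binds, so the next bump has to edit two places; `url = "https://common-lisp.net/project/ecl/files/${baseName}-${version}.tgz";` keeps them in step. The added `hardening_format = false;` has no explanatory comment either.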
diff --git a/pkgs/development/compilers/edk2/default.nix b/pkgs/development/compilers/edk2/default.nix
index f68681e6023..cf4d0e4f02a 100644
--- a/pkgs/development/compilers/edk2/default.nix
+++ b/pkgs/development/compilers/edk2/default.nix
@@ -11,7 +11,7 @@ else
 
 edk2 = stdenv.mkDerivation {
   name = "edk2-2014-12-10";
-  
+
   src = fetchgit {
     url = git://github.com/tianocore/edk2;
     rev = "684a565a04";
@@ -20,9 +20,10 @@ edk2 = stdenv.mkDerivation {
 
   buildInputs = [ libuuid pythonFull ];
 
-  buildPhase = ''
-    make -C BaseTools
-  '';
+  makeFlags = "-C BaseTools";
+
+  hardening_fortify = false;
+  hardening_format = false;
 
   installPhase = ''
     mkdir -vp $out
diff --git a/pkgs/development/compilers/gcc/4.3/default.nix b/pkgs/development/compilers/gcc/4.3/default.nix
index 3db8ee5f3ea..6114c960ffd 100644
--- a/pkgs/development/compilers/gcc/4.3/default.nix
+++ b/pkgs/development/compilers/gcc/4.3/default.nix
@@ -82,7 +82,7 @@ stdenv.mkDerivation ({
     ++ optional langJava ./java-jvgenmain-link.patch
     ++ optional langVhdl ./ghdl-ortho-cflags.patch
     ++ optional langVhdl ./ghdl-runtime-o2.patch;
-    
+
   inherit noSysDirs profiledCompiler staticCompiler crossStageStatic
     binutilsCross libcCross;
   targetConfig = if cross != null then cross.config else null;
@@ -95,6 +95,9 @@ stdenv.mkDerivation ({
     ++ (optionals langVhdl [gnat])
     ;
 
+  hardening_format = false;
+  hardening_stackprotector = false;
+
   configureFlags = "
     ${if enableMultilib then "" else "--disable-multilib"}
     ${if enableShared then "" else "--disable-shared"}
@@ -124,7 +127,7 @@ stdenv.mkDerivation ({
   NIX_EXTRA_LDFLAGS = if staticCompiler then "-static" else "";
 
   inherit gmp mpfr;
-  
+
   passthru = { inherit langC langCC langFortran langVhdl langTreelang
       enableMultilib; };
 
diff --git a/pkgs/development/compilers/gcc/4.4/default.nix b/pkgs/development/compilers/gcc/4.4/default.nix
index 47c8c86a95d..fe79e9bcd72 100644
--- a/pkgs/development/compilers/gcc/4.4/default.nix
+++ b/pkgs/development/compilers/gcc/4.4/default.nix
@@ -103,6 +103,8 @@ stdenv.mkDerivation ({
     inherit langC langCC langFortran langJava langAda;
   };
 
+  hardening_format = false;
+
   patches =
     [ ./pass-cxxcpp.patch
 
diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix
index 6cde7aba92a..2493593f357 100644
--- a/pkgs/development/compilers/gcc/4.5/default.nix
+++ b/pkgs/development/compilers/gcc/4.5/default.nix
@@ -134,6 +134,9 @@ stdenv.mkDerivation ({
     inherit langC langCC langFortran langJava langAda;
   };
 
+  hardening_format = false;
+  hardening_all = name != "gnat";
+
   patches =
     [ ]
     ++ optional (cross != null) ../libstdc++-target.patch
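Review bot: `hardening_all = name != "gnat";` is hard to read next to the rest of this diff, where the attribute only ever appears as `= false`. The expression yields true for every variant except gnat. What an explicit true does is not visible in this hunk, in particular whether it overrides the `hardening_format = false;` on the line above. If the intent is to disable all hardening only for the gnat build, a comment such as `# gnat does not build with any hardening flag; other variants keep the defaults` would make that clear. It is also worth confirming that `name` here is the function argument and not the derivation name. The attribute set continues outside the hunk.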
@@ -207,7 +210,7 @@ stdenv.mkDerivation ({
 
   nativeBuildInputs = [ texinfo which ]
     ++ optional (perl != null) perl;
-    
+
   buildInputs = [ gmp mpfr libmpc libelf gettext ]
     ++ (optional (ppl != null) ppl)
     ++ (optional (cloogppl != null) cloogppl)
diff --git a/pkgs/development/compilers/gcc/4.6/default.nix b/pkgs/development/compilers/gcc/4.6/default.nix
index b3caad11b71..323fd8b921b 100644
--- a/pkgs/development/compilers/gcc/4.6/default.nix
+++ b/pkgs/development/compilers/gcc/4.6/default.nix
@@ -189,6 +189,8 @@ stdenv.mkDerivation ({
 
   inherit patches enableMultilib;
 
+  hardening_format = false;
+
   postPatch =
     if (stdenv.isGNU
         || (libcCross != null                  # e.g., building `gcc.crossDrv'
diff --git a/pkgs/development/compilers/gcc/4.8/default.nix b/pkgs/development/compilers/gcc/4.8/default.nix
index fd80f4ec8c5..58074e173ae 100644
--- a/pkgs/development/compilers/gcc/4.8/default.nix
+++ b/pkgs/development/compilers/gcc/4.8/default.nix
@@ -218,6 +218,8 @@ stdenv.mkDerivation ({
 
   inherit patches;
 
+  hardening_format = false;
+
   postPatch =
     if (stdenv.isGNU
         || (libcCross != null                  # e.g., building `gcc.crossDrv'
diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix
index 9e4823966cf..fe1f4066110 100644
--- a/pkgs/development/compilers/gcc/4.9/default.nix
+++ b/pkgs/development/compilers/gcc/4.9/default.nix
@@ -74,7 +74,7 @@ let version = "4.9.3";
       ++ optional langFortran ../gfortran-driving.patch
       # The NXConstStr.patch can be removed at 4.9.4
       ++ optional stdenv.isDarwin ../gfortran-darwin-NXConstStr.patch; 
-	  
+
     javaEcj = fetchurl {
       # The `$(top_srcdir)/ecj.jar' file is automatically picked up at
       # `configure' time.
@@ -220,6 +220,10 @@ stdenv.mkDerivation ({
 
   inherit patches;
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardening_stackprotector = false;
+  hardening_format = false;
+
   postPatch =
     if (stdenv.isGNU
         || (libcCross != null                  # e.g., building `gcc.crossDrv'
diff --git a/pkgs/development/compilers/gcc/5/default.nix b/pkgs/development/compilers/gcc/5/default.nix
index 3b105143c0b..47a272ac534 100644
--- a/pkgs/development/compilers/gcc/5/default.nix
+++ b/pkgs/development/compilers/gcc/5/default.nix
@@ -216,6 +216,8 @@ stdenv.mkDerivation ({
     sha256 = "1ny4smkp5bzs3cp8ss7pl6lk8yss0d9m4av1mvdp72r1x695akxq";
   };
 
+  hardening_format = false;
+
   inherit patches;
 
   postPatch =
diff --git a/pkgs/development/compilers/gcl/default.nix b/pkgs/development/compilers/gcl/default.nix
index 25b1599fbea..008f426d74a 100644
--- a/pkgs/development/compilers/gcl/default.nix
+++ b/pkgs/development/compilers/gcl/default.nix
@@ -27,22 +27,7 @@ stdenv.mkDerivation rec {
     "--enable-ansi"
   ];
 
-  # Upstream bug submitted - http://savannah.gnu.org/bugs/index.php?30371
-  # $TMPDIR must have no extension
-  # setVars = a.noDepEntry ''
-  #   export TMPDIR="''${TMPDIR:-''${TMP:-''${TEMP}}}/tmp-for-gcl"
-  #   mkdir -p "$TMPDIR"
-  # '';
-
-  preBuild = ''
-    # sed -re "s@/bin/cat@$(which cat)@g" -i configure */configure
-    # sed -re "s@if test -d /proc/self @if false @" -i configure
-    # sed -re 's^([ \t])cpp ^\1cpp -I${stdenv.cc.cc}/include -I${stdenv.cc.libc}/include ^g' -i makefile
-  '';
-
-  /* doConfigure should be removed if not needed */
-  # phaseNames = ["setVars" "doUnpack" "preBuild"
-  #   "doConfigure" "doMakeInstall"];
+  hardening_pic = false;
 
   meta = {
     description = "GNU Common Lisp compiler working via GCC";
diff --git a/pkgs/development/compilers/ghc/6.10.4.nix b/pkgs/development/compilers/ghc/6.10.4.nix
index d8157673fbc..4f95e859292 100644
--- a/pkgs/development/compilers/ghc/6.10.4.nix
+++ b/pkgs/development/compilers/ghc/6.10.4.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ghc libedit perl gmp];
 
+  hardening_format = false;
+
   configureFlags = [
     "--with-gmp-libraries=${gmp}/lib"
     "--with-gmp-includes=${gmp}/include"
diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix
index 9c6bbba24d5..0d3a60b9100 100644
--- a/pkgs/development/compilers/go/1.4.nix
+++ b/pkgs/development/compilers/go/1.4.nix
@@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ pcre ];
   propagatedBuildInputs = lib.optional stdenv.isDarwin Security;
 
+  hardening_all = false;
+
   # I'm not sure what go wants from its 'src', but the go installation manual
   # describes an installation keeping the src.
   preUnpack = ''
diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix
index b5bfac85028..9f84768fb93 100644
--- a/pkgs/development/compilers/go/1.5.nix
+++ b/pkgs/development/compilers/go/1.5.nix
@@ -29,6 +29,8 @@ stdenv.mkDerivation rec {
     Security Foundation
   ];
 
+  hardening_all = false;
+
   # I'm not sure what go wants from its 'src', but the go installation manual
   # describes an installation keeping the src.
   preUnpack = ''
diff --git a/pkgs/development/compilers/go/1.6.nix b/pkgs/development/compilers/go/1.6.nix
index 122f0d336f7..807d7424920 100644
--- a/pkgs/development/compilers/go/1.6.nix
+++ b/pkgs/development/compilers/go/1.6.nix
@@ -29,6 +29,8 @@ stdenv.mkDerivation rec {
     Security Foundation
   ];
 
+  hardening_all = false;
+
   # I'm not sure what go wants from its 'src', but the go installation manual
   # describes an installation keeping the src.
   preUnpack = ''
diff --git a/pkgs/development/compilers/mkcl/default.nix b/pkgs/development/compilers/mkcl/default.nix
index f6ab05bd29b..e57151b077f 100644
--- a/pkgs/development/compilers/mkcl/default.nix
+++ b/pkgs/development/compilers/mkcl/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ makeWrapper ];
   propagatedBuildInputs = [ gmp ];
 
+  hardening_format = false;
+
   configureFlags = [
     "GMP_CFLAGS=-I${gmp}/include"
     "GMP_LDFLAGS=-L${gmp}/lib"
diff --git a/pkgs/development/compilers/qcmm/default.nix b/pkgs/development/compilers/qcmm/default.nix
deleted file mode 100644
index a221ae29f04..00000000000
--- a/pkgs/development/compilers/qcmm/default.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{stdenv, fetchurl, mk, ocaml, noweb, lua, groff }: 
-stdenv.mkDerivation {
-  name = "qcmm-2006-01-31";
-  src = fetchurl {
-    url = http://tarballs.nixos.org/qc--20060131.tar.gz;
-    md5 = "9097830775bcf22c9bad54f389f5db23";
-  };
-  buildInputs = [ mk ocaml noweb groff ];
-  patches = [ ./qcmm.patch ];
-  builder = ./builder.sh;
-  inherit lua;
-}
diff --git a/pkgs/development/compilers/squeak/default.nix b/pkgs/development/compilers/squeak/default.nix
index 8aa980b72e6..341b8155c41 100644
--- a/pkgs/development/compilers/squeak/default.nix
+++ b/pkgs/development/compilers/squeak/default.nix
@@ -27,6 +27,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardening_format = false;
+
   meta = with stdenv.lib; {
     description = "Smalltalk programming language and environment";
     longDescription = ''
diff --git a/pkgs/development/compilers/strategoxt/0.16.nix b/pkgs/development/compilers/strategoxt/0.16.nix
deleted file mode 100644
index 4cfa2c79892..00000000000
--- a/pkgs/development/compilers/strategoxt/0.16.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{stdenv, fetchurl, aterm, pkgconfig, getopt}:
-
-rec {
-
-  inherit aterm;
-  
-
-  sdf = stdenv.mkDerivation rec {
-    name = "sdf2-bundle-2.3.3";
-
-    src = fetchurl {
-      url = ftp://ftp.stratego-language.org/pub/stratego/sdf2/sdf2-bundle-2.3.3/sdf2-bundle-2.3.3.tar.gz;
-      md5 = "62ecabe5fbb8bbe043ee18470107ef88";
-    };
-
-    buildInputs = [pkgconfig aterm getopt];
-
-    preConfigure = ''
-      substituteInPlace pgen/src/sdf2table.src \
-        --replace getopt ${getopt}/bin/getopt
-    '';
-
-    meta = {
-      homepage = http://www.program-transformation.org/Sdf/SdfBundle;
-      meta = "Tools for the SDF2 Syntax Definition Formalism, including the `pgen' parser generator and `sglr' parser";
-    };
-  };
-
-  
-  strategoxt = stdenv.mkDerivation {
-    name = "strategoxt-0.16";
-
-    src = fetchurl {
-      url = ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.16/strategoxt-0.16.tar.gz;
-      md5 = "8b8eabbd785faa84ec20134b63d4829e";
-    };
-
-    buildInputs = [pkgconfig aterm sdf getopt];
-
-    meta = {
-      homepage = http://strategoxt.org/;
-      meta = "A language and toolset for program transformation";
-    };
-  };
-  
-    
-}
diff --git a/pkgs/development/compilers/strategoxt/0.17.nix b/pkgs/development/compilers/strategoxt/0.17.nix
deleted file mode 100644
index d621cbf5f0c..00000000000
--- a/pkgs/development/compilers/strategoxt/0.17.nix
+++ /dev/null
@@ -1,112 +0,0 @@
-{stdenv, fetchurl, aterm, pkgconfig, getopt, jdk, readline, ncurses}:
-
-rec {
-
-  inherit aterm;
-
-  
-  sdf = stdenv.mkDerivation ( rec {
-    name = "sdf2-bundle-2.4";
-
-    src = fetchurl {
-      url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/sdf2-bundle-2.4.tar.gz";
-      sha256 = "2ec83151173378f48a3326e905d11049d094bf9f0c7cff781bc2fce0f3afbc11";
-    };
-
-    buildInputs = [pkgconfig aterm];
-
-    preConfigure = ''
-      substituteInPlace pgen/src/sdf2table.src \
-        --replace getopt ${getopt}/bin/getopt
-    '';
-
-    meta = {
-      homepage = http://www.program-transformation.org/Sdf/SdfBundle;
-      meta = "Tools for the SDF2 Syntax Definition Formalism, including the `pgen' parser generator and `sglr' parser";
-    };
-  } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2 -Wl,--stack=0x2300000"; } else {} ) ) ;
-
-  
-  strategoxt = stdenv.mkDerivation rec {
-    name = "strategoxt-0.17";
-
-    src = fetchurl {
-      url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/strategoxt-0.17.tar.gz";
-      sha256 = "70355576c3ce3c5a8a26435705a49cf7d13e91eada974a654534d63e0d34acdb";
-    };
-
-    buildInputs = [pkgconfig aterm sdf getopt];
-
-    meta = {
-      homepage = http://strategoxt.org/;
-      meta = "A language and toolset for program transformation";
-    };
-  };
-
-  strategoShell = stdenv.mkDerivation rec {
-    name = "stratego-shell-0.7";
-
-    src = fetchurl {
-      url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/stratego-shell-0.7.tar.gz";
-      sha256 = "0q21vks9gaw9v4rxz90wb0pxzb19l7gwi4nbjvk4zb1imdk7znck";
-    };
-
-    buildInputs = [pkgconfig aterm sdf strategoxt getopt readline ncurses];
-
-    meta = {
-      homepage = http://strategoxt.org/;
-      meta = "A language and toolset for program transformation";
-    };
-  };
-
-
-  javafront = stdenv.mkDerivation (rec {
-    name = "java-front-0.9";
-
-    src = fetchurl {
-      url = "ftp://ftp.strategoxt.org/pub/stratego/java-front/java-front-0.9/java-front-0.9.tar.gz";
-      sha256 = "96f40bf31486d3ced3ecebdcc0067e83ce6acbdbe57e3c847136ac3d7b62cc3c";
-    };
-
-    buildInputs = [pkgconfig aterm sdf strategoxt];
-
-    # !!! The explicit `--with-strategoxt' is necessary; otherwise we
-    # get an XTC registration that refers to "/share/strategoxt/XTC".
-    configureFlags = "--enable-xtc --with-strategoxt=${strategoxt}";
-
-    meta = {
-      homepage = http://strategoxt.org/Stratego/JavaFront;
-      meta = "Tools for generating or transforming Java code";
-    };
-  } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2"; } else {} ) ) ;
-
-
-  dryad = stdenv.mkDerivation rec {
-    name = "dryad-0.2pre18355";
-
-    src = fetchurl {
-      url = "http://releases.strategoxt.org/dryad/${name}-zbqfh1rm/dryad-0.2pre18355.tar.gz";
-      sha256 = "2c27b7f82f87ffc27b75969acc365560651275d348b3b5cbb530276d20ae83ab";
-    };
-
-    buildInputs = [jdk pkgconfig aterm sdf strategoxt javafront];
-
-    meta = {
-      homepage = http://strategoxt.org/Stratego/TheDryad;
-      meta = "A collection of tools for developing transformation systems for Java source and bytecode";
-    };
-  };
-
-
-  /*
-  libraries = ... {
-    configureFlags =
-      if stdenv ? isMinGW && stdenv.isMinGW then "--with-std=C99" else "";
-
-    # avoids loads of warnings about too big description fields because of a broken debug format
-    CFLAGS =
-      if stdenv ? isMinGW && stdenv.isMinGW then "-O2" else null;
-  };
-  */
-  
-}
diff --git a/pkgs/development/compilers/strategoxt/0.18.nix b/pkgs/development/compilers/strategoxt/0.18.nix
deleted file mode 100644
index 611586c5d93..00000000000
--- a/pkgs/development/compilers/strategoxt/0.18.nix
+++ /dev/null
@@ -1,124 +0,0 @@
-{stdenv, fetchurl, aterm, pkgconfig, getopt, jdk, makeStaticBinaries, readline, ncurses}:
-
-rec {
-
-  inherit aterm;
-
-  sdf = stdenv.mkDerivation ( rec {
-    name = "sdf2-bundle-2.4";
-
-    src = fetchurl {
-      url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/sdf2-bundle-2.4.tar.gz";
-      sha256 = "2ec83151173378f48a3326e905d11049d094bf9f0c7cff781bc2fce0f3afbc11";
-    };
-
-    buildInputs = [pkgconfig aterm];
-
-    preConfigure = ''
-      substituteInPlace pgen/src/sdf2table.src \
-        --replace getopt ${getopt}/bin/getopt
-    '';
-
-    meta = {
-      homepage = http://www.program-transformation.org/Sdf/SdfBundle;
-      meta = "Tools for the SDF2 Syntax Definition Formalism, including the `pgen' parser generator and `sglr' parser";
-    };
-  } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2 -Wl,--stack=0x2300000"; } else {} ) ) ;
-
-  
-  strategoxt = stdenv.mkDerivation rec {
-    name = "strategoxt-1.8pre24429";
-
-    src = fetchurl {
-      url = http://hydra.nixos.org/build/2175544/download/1/strategoxt-1.8pre24429.tar.gz;
-      sha256 = "124f1d61a440b94c38b731c2e7015340dbbc1deb6d442b31dbecb46b0a00fa83";
-    };
-
-    buildInputs = [pkgconfig aterm sdf getopt];
-
-    meta = {
-      homepage = http://strategoxt.org/;
-      meta = "A language and toolset for program transformation";
-    };
-  };
-
-  strategoShell = stdenv.mkDerivation rec {
-    name = "stratego-shell-0.7";
-
-    src = fetchurl {
-      url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/stratego-shell-0.7.tar.gz";
-      sha256 = "0q21vks9gaw9v4rxz90wb0pxzb19l7gwi4nbjvk4zb1imdk7znck";
-    };
-
-    buildInputs = [pkgconfig aterm sdf strategoxt getopt readline ncurses];
-
-    meta = {
-      homepage = http://strategoxt.org/;
-      meta = "A language and toolset for program transformation";
-      broken = true;
-    };
-  };
-
-  javafront = stdenv.mkDerivation (rec {
-    name = "java-front-0.9.1pre20122";
-
-    src = fetchurl {
-      url = "http://hydra.nixos.org/build/766286/download/1/java-front-0.9.1pre20122.tar.gz";
-      sha256 = "ef85d3af962fcd54e028ea501e64220b86af335a49143f2819bd3f4789bef7e6";
-    };
-
-    buildInputs = [pkgconfig aterm sdf strategoxt];
-
-    # !!! The explicit `--with-strategoxt' is necessary; otherwise we
-    # get an XTC registration that refers to "/share/strategoxt/XTC".
-    configureFlags = "--enable-xtc --with-strategoxt=${strategoxt}";
-
-    meta = {
-      homepage = http://strategoxt.org/Stratego/JavaFront;
-      meta = "Tools for generating or transforming Java code";
-    };
-  } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2"; } else {} ) ) ;
-
-
-  aspectjfront = stdenv.mkDerivation (rec {
-    name = "aspectj-front-0.2pre20035";
-
-    src = fetchurl {
-      url = "http://hydra.nixos.org/build/175690/download/1/aspectj-front-0.2pre20035.tar.gz";
-      sha256 = "48f6cda6f9f19436e9553e8d27e6bb42500d08370332e3ad214affb49851e58e";
-    };
-
-    buildInputs = [pkgconfig aterm sdf strategoxt javafront];
-
-  } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2"; } else {} ) ) ;
-
-  dryad = stdenv.mkDerivation rec {
-    name = "dryad-0.2pre18355";
-
-    src = fetchurl {
-      url = "http://releases.strategoxt.org/dryad/${name}-zbqfh1rm/dryad-0.2pre18355.tar.gz";
-      sha256 = "2c27b7f82f87ffc27b75969acc365560651275d348b3b5cbb530276d20ae83ab";
-    };
-
-    buildInputs = [jdk pkgconfig aterm sdf strategoxt javafront];
-
-    meta = {
-      homepage = http://strategoxt.org/Stratego/TheDryad;
-      meta = "A collection of tools for developing transformation systems for Java source and bytecode";
-      broken = true;
-    };
-  };
-
-
-  /*
-  libraries = ... {
-    configureFlags =
-      if stdenv ? isMinGW && stdenv.isMinGW then "--with-std=C99" else "";
-
-    # avoids loads of warnings about too big description fields because of a broken debug format
-    CFLAGS =
-      if stdenv ? isMinGW && stdenv.isMinGW then "-O2" else null;
-  };
-  */
-  
-}
diff --git a/pkgs/development/compilers/swi-prolog/default.nix b/pkgs/development/compilers/swi-prolog/default.nix
index 1f38198b30b..3c257dfc7df 100644
--- a/pkgs/development/compilers/swi-prolog/default.nix
+++ b/pkgs/development/compilers/swi-prolog/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation {
   buildInputs = [ gmp readline openssl libjpeg unixODBC libXinerama
     libXft libXpm libSM libXt zlib freetype pkgconfig fontconfig ];
 
+  hardening_format = false;
+
   configureFlags = "--with-world --enable-gmp --enable-shared";
 
   buildFlags = "world";
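Review bot: `hardening_format = false;` is added here with no comment saying which build failure it works around, so nobody can later tell whether the opt-out is still needed. The same bare line recurs in this diff for teyjus, erlang R14, spidermonkey, CoinMP, allegro, libbs2b, cgui, cwiid, the db-4.x files, fox, freetds, fribidi, gd and gdal. Presumably each of these fails on a non-literal format string once format checking becomes an error. A one-line reason such as `# format hardening off: non-literal printf formats upstream, TODO patch` would let the check be re-enabled package by package. The cloog hunk in this diff already does this with a FIXME for its stack-protector opt-out.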
diff --git a/pkgs/development/compilers/teyjus/default.nix b/pkgs/development/compilers/teyjus/default.nix
index b16b32a6a06..1e63b2d2be0 100644
--- a/pkgs/development/compilers/teyjus/default.nix
+++ b/pkgs/development/compilers/teyjus/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ omake ocaml flex bison ];
 
+  hardening_format = false;
+
   buildPhase = "omake all";
 
   checkPhase = "omake check";
diff --git a/pkgs/development/compilers/webdsl/default.nix b/pkgs/development/compilers/webdsl/default.nix
deleted file mode 100644
index a0122319aed..00000000000
--- a/pkgs/development/compilers/webdsl/default.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ stdenv, fetchurl, pkgconfig, strategoPackages }:
-
-stdenv.mkDerivation rec {
-  name = "webdsl-9.7pre4168";
-
-  src = fetchurl {
-    url = "http://hydra.nixos.org/build/654196/download/1/${name}.tar.gz";
-    sha256 = "08bec3ba02254ec7474ce70206b7be4390fe07456cfc57d927d96a21dd6dcb33";
-  };
-
-  buildInputs =
-    [ pkgconfig strategoPackages.aterm strategoPackages.sdf
-      strategoPackages.strategoxt strategoPackages.javafront
-    ];
-
-  # This corrected a failing build on at least one 64 bit Linux system.
-  # See the comment about this here: http://webdsl.org/selectpage/Download/WebDSLOnLinux
-  preBuild = (if stdenv.system == "x86_64-linux" then "ulimit -s unlimited" else "");
-
-  meta = {
-    homepage = http://webdsl.org/;
-    description = "A domain-specific language for developing dynamic web applications with a rich data model";
-  };
-}
diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix
index 1b2a82f3dcb..a307041e0c8 100644
--- a/pkgs/development/haskell-modules/configuration-common.nix
+++ b/pkgs/development/haskell-modules/configuration-common.nix
@@ -41,7 +41,9 @@ self: super: {
   options_1_2 = dontCheck super.options_1_2;
   options = dontCheck super.options;
   statistics = dontCheck super.statistics;
-  c2hs = if pkgs.stdenv.isDarwin then dontCheck super.c2hs else super.c2hs;
+  c2hs = pkgs.lib.overrideDerivation (dontCheck super.c2hs) (drv: {
+    hardening_format = false;
+  });
 
   # The package doesn't compile with ruby 1.9, which is our default at the moment.
   hruby = super.hruby.override { ruby = pkgs.ruby_2_1; };
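Review bot: The new `c2hs` line applies `dontCheck` on every platform, whereas the removed line skipped the test suite only when `pkgs.stdenv.isDarwin`. That widening is unrelated to the hardening opt-out and is not explained. If the tests still pass elsewhere, keep the condition as the first argument of the override: `pkgs.lib.overrideDerivation (if pkgs.stdenv.isDarwin then dontCheck super.c2hs else super.c2hs) (drv: { ... })`. A short comment on why `hardening_format` is off for c2hs would also help.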
@@ -239,7 +241,9 @@ self: super: {
   gio_0_13_0_3 = addPkgconfigDepend super.gio_0_13_0_3 pkgs.glib;
   gio_0_13_0_4 = addPkgconfigDepend super.gio_0_13_0_4 pkgs.glib;
   gio_0_13_1_0 = addPkgconfigDepend super.gio_0_13_1_0 pkgs.glib;
-  glib = addPkgconfigDepend super.glib pkgs.glib;
+  glib = pkgs.lib.overrideDerivation (addPkgconfigDepend super.glib pkgs.glib) (drv: {
+     hardening_fortify = false;
+  });
   gtk3 = super.gtk3.override { inherit (pkgs) gtk3; };
   gtk = addPkgconfigDepend super.gtk pkgs.gtk;
   gtksourceview2 = (addPkgconfigDepend super.gtksourceview2 pkgs.gtk2).override { inherit (pkgs.gnome2) gtksourceview; };
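Review bot: `hardening_fortify = false;` is set for the Haskell `glib` binding without saying what breaks when it is on. Presumably this drops the fortified libc checks for the package's C code, so the reason should be recorded next to it, e.g. `# fortify off: <build failure observed>`. The line is also indented five spaces where the `c2hs` override earlier in this file uses four.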
diff --git a/pkgs/development/interpreters/erlang/R14.nix b/pkgs/development/interpreters/erlang/R14.nix
index 773ad698629..e77300c0f84 100644
--- a/pkgs/development/interpreters/erlang/R14.nix
+++ b/pkgs/development/interpreters/erlang/R14.nix
@@ -22,6 +22,8 @@ stdenv.mkDerivation {
 
   configureFlags = "--with-ssl=${openssl}";
 
+  hardening_format = false;
+
   postInstall = let
     manpages = fetchurl {
       url = "http://www.erlang.org/download/otp_doc_man_R${version}.tar.gz";
diff --git a/pkgs/development/interpreters/lush/default.nix b/pkgs/development/interpreters/lush/default.nix
index 63cf85bc506..7a4e5c1a336 100644
--- a/pkgs/development/interpreters/lush/default.nix
+++ b/pkgs/development/interpreters/lush/default.nix
@@ -1,32 +1,29 @@
 {stdenv, fetchurl, libX11, xproto, indent, readline, gsl, freeglut, mesa, SDL
 , blas, binutils, intltool, gettext, zlib}:
-let
-  s = # Generated upstream information
-  rec {
-    baseName="lush";
-    version="2.0.1";
-    name="${baseName}-${version}";
-    hash="02pkfn3nqdkm9fm44911dbcz0v3r0l53vygj8xigl6id5g3iwi4k";
+
+stdenv.mkDerivation rec {
+  baseName = "lush";
+  version = "2.0.1";
+  name = "${baseName}-${version}";
+
+  src = fetchurl {
     url="mirror://sourceforge/project/lush/lush2/lush-2.0.1.tar.gz";
     sha256="02pkfn3nqdkm9fm44911dbcz0v3r0l53vygj8xigl6id5g3iwi4k";
   };
+
   buildInputs = [
     libX11 xproto indent readline gsl freeglut mesa SDL blas binutils
     intltool gettext zlib
   ];
-in
-stdenv.mkDerivation {
-  inherit (s) name version;
-  inherit buildInputs;
-  src = fetchurl {
-    inherit (s) url sha256;
-  };
+
+  hardening_pic = false;
+
   NIX_LDFLAGS=" -lz ";
+
   meta = {
-    inherit (s) version;
-    description = ''Lisp Universal SHell'';
+    description = "Lisp Universal SHell";
     license = stdenv.lib.licenses.gpl2Plus ;
-    maintainers = [stdenv.lib.maintainers.raskin];
+    maintainers = [ stdenv.lib.maintainers.raskin ];
     platforms = stdenv.lib.platforms.linux;
   };
 }
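Review bot: `hardening_pic = false;` arrives in the same hunk as a restructuring of the whole expression, with no comment on why position-independent code has to be off for lush. Add the reason beside it, e.g. `# PIC off: <build or runtime failure observed>`, so the opt-out is not lost among the formatting changes. Separately, `baseName` is now an attribute of the derivation itself rather than of a `let` binding, so it is passed to the builder; this is probably harmless but is a change from the old expression.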
diff --git a/pkgs/development/interpreters/ruby/patchsets.nix b/pkgs/development/interpreters/ruby/patchsets.nix
index 18e2ab9231a..01e4e2f4c58 100644
--- a/pkgs/development/interpreters/ruby/patchsets.nix
+++ b/pkgs/development/interpreters/ruby/patchsets.nix
@@ -3,6 +3,7 @@
 rec {
   "1.9.3" = [
     ./ssl_v3.patch
+    ./rand-egd.patch
     ./ruby19-parallel-install.patch
     ./bitperfect-rdoc.patch
   ] ++ ops useRailsExpress [
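Review bot: Only the version entries touched by these hunks ("1.9.3", "2.0.0", "2.1.3", "2.1.7", "2.2.2", "2.2.3") gain an EGD patch, and the hunk offsets suggest there are other entries in between that are left as they were. If any of those is still buildable it would presumably hit the same missing `RAND_egd` symbol, so either add the patch there or confirm those entries are unaffected. A comment at the first use, such as `# RAND_egd is not provided by every SSL library build`, would document why the patch appears in each list.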
@@ -28,6 +29,7 @@ rec {
   ];
   "2.0.0" = [
     ./ssl_v3.patch
+    ./rand-egd.patch
   ] ++ ops useRailsExpress [
     "${patchSet}/patches/ruby/2.0.0/p${patchLevel}/railsexpress/01-zero-broken-tests.patch"
     "${patchSet}/patches/ruby/2.0.0/p${patchLevel}/railsexpress/02-railsexpress-gc.patch"
@@ -81,6 +83,7 @@ rec {
   ];
   "2.1.3" = [
     ./ssl_v3.patch
+    ./rand-egd.patch
   ] ++ ops useRailsExpress [
     "${patchSet}/patches/ruby/2.1.3/railsexpress/01-zero-broken-tests.patch"
     "${patchSet}/patches/ruby/2.1.3/railsexpress/02-improve-gc-stats.patch"
@@ -106,6 +109,7 @@ rec {
   ];
   "2.1.7" = [
     ./ssl_v3.patch
+    ./rand-egd.patch
   ] ++ ops useRailsExpress [
     "${patchSet}/patches/ruby/2.1.7/railsexpress/01-zero-broken-tests.patch"
     "${patchSet}/patches/ruby/2.1.7/railsexpress/02-improve-gc-stats.patch"
@@ -128,6 +132,7 @@ rec {
   ];
   "2.2.2" = [
     ./ssl_v3.patch
+    ./ruby22-rand-egd.patch
   ] ++ ops useRailsExpress [
     "${patchSet}/patches/ruby/2.2.2/railsexpress/01-zero-broken-tests.patch"
     "${patchSet}/patches/ruby/2.2.2/railsexpress/02-improve-gc-stats.patch"
@@ -136,6 +141,7 @@ rec {
   ];
   "2.2.3" = [
     ./ssl_v3.patch
+    ./ruby22-rand-egd.patch
   ] ++ ops useRailsExpress [
     "${patchSet}/patches/ruby/2.2.3/railsexpress/01-zero-broken-tests.patch"
     "${patchSet}/patches/ruby/2.2.3/railsexpress/02-improve-gc-stats.patch"
diff --git a/pkgs/development/interpreters/ruby/rand-egd.patch b/pkgs/development/interpreters/ruby/rand-egd.patch
new file mode 100644
index 00000000000..e4f6452000c
--- /dev/null
+++ b/pkgs/development/interpreters/ruby/rand-egd.patch
@@ -0,0 +1,42 @@
+diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
+index e272cba..3a1fa71 100644
+--- a/ext/openssl/extconf.rb
++++ b/ext/openssl/extconf.rb
+@@ -87,6 +87,7 @@
+ have_func("PEM_def_callback")
+ have_func("PKCS5_PBKDF2_HMAC")
+ have_func("PKCS5_PBKDF2_HMAC_SHA1")
++have_func("RAND_egd")
+ have_func("X509V3_set_nconf")
+ have_func("X509V3_EXT_nconf_nid")
+ have_func("X509_CRL_add0_revoked")
+diff --git a/ext/openssl/ossl_rand.c b/ext/openssl/ossl_rand.c
+index 29cbf8c..27466fe 100644
+--- a/ext/openssl/ossl_rand.c
++++ b/ext/openssl/ossl_rand.c
+@@ -148,6 +148,7 @@ ossl_rand_pseudo_bytes(VALUE self, VALUE len)
+     return str;
+ }
+ 
++#ifdef HAVE_RAND_EGD
+ /*
+  *  call-seq:
+  *     egd(filename) -> true
+@@ -186,6 +187,7 @@ ossl_rand_egd_bytes(VALUE self, VALUE filename, VALUE len)
+     }
+     return Qtrue;
+ }
++#endif /* HAVE_RAND_EGD */
+ 
+ /*
+  *  call-seq:
+@@ -219,7 +221,9 @@ Init_ossl_rand(void)
+     DEFMETH(mRandom, "write_random_file", ossl_rand_write_file, 1);
+     DEFMETH(mRandom, "random_bytes", ossl_rand_bytes, 1);
+     DEFMETH(mRandom, "pseudo_bytes", ossl_rand_pseudo_bytes, 1);
++#ifdef HAVE_RAND_EGD
+     DEFMETH(mRandom, "egd", ossl_rand_egd, 1);
+     DEFMETH(mRandom, "egd_bytes", ossl_rand_egd_bytes, 2);
++#endif /* HAVE_RAND_EGD */
+     DEFMETH(mRandom, "status?", ossl_rand_status, 0)
+ }
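Review bot: The new patch file starts straight at `diff --git`, with no header saying where it came from or which SSL library configuration lacks `RAND_egd`. Because it alters the OpenSSL random-number binding, a few leading lines naming the upstream commit or bug (placeholder: `<upstream reference>`) and the reason would make it auditable and show when it can be dropped. `ruby22-rand-egd.patch`, added next in this diff, is identical apart from its last hunk and needs the same header.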
diff --git a/pkgs/development/interpreters/ruby/ruby22-rand-egd.patch b/pkgs/development/interpreters/ruby/ruby22-rand-egd.patch
new file mode 100644
index 00000000000..ebf2bf56fcf
--- /dev/null
+++ b/pkgs/development/interpreters/ruby/ruby22-rand-egd.patch
@@ -0,0 +1,42 @@
+diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
+index e272cba..3a1fa71 100644
+--- a/ext/openssl/extconf.rb
++++ b/ext/openssl/extconf.rb
+@@ -87,6 +87,7 @@
+ have_func("PEM_def_callback")
+ have_func("PKCS5_PBKDF2_HMAC")
+ have_func("PKCS5_PBKDF2_HMAC_SHA1")
++have_func("RAND_egd")
+ have_func("X509V3_set_nconf")
+ have_func("X509V3_EXT_nconf_nid")
+ have_func("X509_CRL_add0_revoked")
+diff --git a/ext/openssl/ossl_rand.c b/ext/openssl/ossl_rand.c
+index 29cbf8c..27466fe 100644
+--- a/ext/openssl/ossl_rand.c
++++ b/ext/openssl/ossl_rand.c
+@@ -148,6 +148,7 @@ ossl_rand_pseudo_bytes(VALUE self, VALUE len)
+     return str;
+ }
+ 
++#ifdef HAVE_RAND_EGD
+ /*
+  *  call-seq:
+  *     egd(filename) -> true
+@@ -186,6 +187,7 @@ ossl_rand_egd_bytes(VALUE self, VALUE filename, VALUE len)
+     }
+     return Qtrue;
+ }
++#endif /* HAVE_RAND_EGD */
+ 
+ /*
+  *  call-seq:
+@@ -219,8 +221,10 @@ Init_ossl_rand(void)
+     rb_define_module_function(mRandom, "write_random_file", ossl_rand_write_file, 1);
+     rb_define_module_function(mRandom, "random_bytes", ossl_rand_bytes, 1);
+     rb_define_module_function(mRandom, "pseudo_bytes", ossl_rand_pseudo_bytes, 1);
++#ifdef HAVE_RAND_EGD
+     rb_define_module_function(mRandom, "egd", ossl_rand_egd, 1);
+     rb_define_module_function(mRandom, "egd_bytes", ossl_rand_egd_bytes, 2);
++#endif /* HAVE_RAND_EGD */
+     rb_define_module_function(mRandom, "status?", ossl_rand_status, 0);
+ }
diff --git a/pkgs/development/interpreters/self/default.nix b/pkgs/development/interpreters/self/default.nix
index d37d6099394..c00298c0fdc 100644
--- a/pkgs/development/interpreters/self/default.nix
+++ b/pkgs/development/interpreters/self/default.nix
@@ -1,4 +1,4 @@
-{ fetchurl, fetchgit, stdenv, xorg, gcc44, makeWrapper, ncurses, cmake }:
+{ fetchurl, fetchgit, stdenv, xorg, makeWrapper, ncurses, cmake }:
 
 stdenv.mkDerivation rec {
   # The Self wrapper stores source in $XDG_DATA_HOME/self or ~/.local/share/self 
@@ -21,7 +21,7 @@ stdenv.mkDerivation rec {
   };
 
   # gcc 4.6 and above causes crashes on Self startup but gcc 4.4 works.
-  buildInputs = [ gcc44 ncurses xorg.libX11 xorg.libXext makeWrapper cmake ];
+  buildInputs = [ ncurses xorg.libX11 xorg.libXext makeWrapper cmake ];
 
   selfWrapper = ./self;
 
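Review bot: The comment kept above `buildInputs` still says "gcc 4.6 and above causes crashes on Self startup but gcc 4.4 works", yet this hunk drops `gcc44`, so the package is now built with the default compiler. As it stands the comment contradicts the code. Either the crash no longer occurs and the comment should go, or the package is expected to break and should be marked as such. If the build was verified, replace the comment with something like `# builds with the stdenv compiler; gcc44 pin removed after <what was tested>`.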
diff --git a/pkgs/development/interpreters/spidermonkey/default.nix b/pkgs/development/interpreters/spidermonkey/default.nix
index b7744ea53c3..81071aafe4e 100644
--- a/pkgs/development/interpreters/spidermonkey/default.nix
+++ b/pkgs/development/interpreters/spidermonkey/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "12v6v2ccw1y6ng3kny3xw0lfs58d1klylqq707k0x04m707kydj4";
   };
 
+  hardening_format = false;
+
   buildInputs = [ readline ];
 
   postUnpack = "sourceRoot=\${sourceRoot}/src";
diff --git a/pkgs/development/interpreters/supercollider/default.nix b/pkgs/development/interpreters/supercollider/default.nix
index f44347c61b7..cb60a41a690 100644
--- a/pkgs/development/interpreters/supercollider/default.nix
+++ b/pkgs/development/interpreters/supercollider/default.nix
@@ -3,10 +3,10 @@
 , libXt, qt, readline
 , useSCEL ? false, emacs
 }:
-  
+
 let optional = stdenv.lib.optional; in
 
-stdenv.mkDerivation rec {  
+stdenv.mkDerivation rec {
   name = "supercollider-3.6.6";
 
   meta = {
@@ -21,6 +21,8 @@ stdenv.mkDerivation rec {
     sha256 = "11khrv6jchs0vv0lv43am8lp0x1rr3h6l2xj9dmwrxcpdayfbalr";
   };
 
+  hardening_stackprotector = false;
+
   # QGtkStyle unavailable
   patchPhase = ''
     substituteInPlace editors/sc-ide/widgets/code_editor/autocompleter.cpp \
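Review bot: `hardening_stackprotector = false;` turns off stack-smashing protection for supercollider with no reason given, unlike the cloog hunk in this diff, which at least records a FIXME. Add the cause next to the line, e.g. `# stack protector off: <failure observed>`, so it can be revisited. The `patchPhase` that follows continues outside this hunk.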
@@ -29,12 +31,12 @@ stdenv.mkDerivation rec {
 
   cmakeFlags = ''
     -DSC_WII=OFF
-    -DSC_EL=${if useSCEL then "ON" else "OFF"} 
+    -DSC_EL=${if useSCEL then "ON" else "OFF"}
   '';
 
   nativeBuildInputs = [ cmake pkgconfig ];
 
-  buildInputs = [ 
+  buildInputs = [
     gcc libjack2 libsndfile fftw curl libXt qt readline ]
     ++ optional useSCEL emacs;
 }
diff --git a/pkgs/development/libraries/CoinMP/default.nix b/pkgs/development/libraries/CoinMP/default.nix
index e819078f786..be44ef62885 100644
--- a/pkgs/development/libraries/CoinMP/default.nix
+++ b/pkgs/development/libraries/CoinMP/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "0gqi2vqkg35gazzzv8asnhihchnbjcd6bzjfzqhmj7wy1dw9iiw6";
   };
 
+  hardening_format = false;
+
   meta = with stdenv.lib; {
     homepage = https://projects.coin-or.org/CoinMP/;
     description = "COIN-OR lightweight API for COIN-OR libraries CLP, CBC, and CGL";
diff --git a/pkgs/development/libraries/a52dec/default.nix b/pkgs/development/libraries/a52dec/default.nix
index 7d5c5fab393..5a47d50284f 100644
--- a/pkgs/development/libraries/a52dec/default.nix
+++ b/pkgs/development/libraries/a52dec/default.nix
@@ -8,8 +8,6 @@ stdenv.mkDerivation rec {
     sha256 = "0czccp4fcpf2ykp16xcrzdfmnircz1ynhls334q374xknd5747d2";
   };
 
-  NIX_CFLAGS_COMPILE = "-fpic";
-
   # From Handbrake
   patches = [
     ./A00-a52-state-t-public.patch
diff --git a/pkgs/development/libraries/accelio/default.nix b/pkgs/development/libraries/accelio/default.nix
index 637976977b1..9ca9db1e451 100644
--- a/pkgs/development/libraries/accelio/default.nix
+++ b/pkgs/development/libraries/accelio/default.nix
@@ -15,6 +15,9 @@ stdenv.mkDerivation rec {
     sha256 = "172frqk2n43g0arhazgcwfvj0syf861vdzdpxl7idr142bb0ykf7";
   };
 
+  hardening_pic = false;
+  hardening_format = false;
+
   patches = [ ./fix-printfs.patch ];
 
   postPatch = ''
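Review bot: `hardening_format = false;` is added directly above `patches = [ ./fix-printfs.patch ];`, which by its name looks like it already repairs printf calls. If that patch covers the format-string diagnostics, the opt-out may be unnecessary. If it does not, extending the patch would be preferable to disabling the check for the whole package. `hardening_pic = false;` also has no stated reason.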
diff --git a/pkgs/development/libraries/allegro/default.nix b/pkgs/development/libraries/allegro/default.nix
index deb3a6877e8..50d3eec4f3f 100644
--- a/pkgs/development/libraries/allegro/default.nix
+++ b/pkgs/development/libraries/allegro/default.nix
@@ -18,6 +18,8 @@ stdenv.mkDerivation rec {
     xf86dgaproto xf86miscproto xf86vidmodeproto libXxf86vm openal mesa
   ];
 
+  hardening_format = false;
+
   cmakeFlags = [ "-DCMAKE_SKIP_RPATH=ON" ];
 
   meta = with stdenv.lib; {
diff --git a/pkgs/development/libraries/aterm/2.5.nix b/pkgs/development/libraries/aterm/2.5.nix
deleted file mode 100644
index ef53a76d20b..00000000000
--- a/pkgs/development/libraries/aterm/2.5.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{stdenv, fetchurl}:
-
-stdenv.mkDerivation {
-  name = "aterm-2.5-r21238";
-
-  src = fetchurl {
-    url = http://buildfarm.st.ewi.tudelft.nl/releases/meta-environment/aterm-2.5pre21238-l2q7rg38/aterm-2.5.tar.gz;
-    md5 = "33ddcb1a229baf406ad1f603eb1d5995";
-  };
-
-  patches = [
-    # Fix for http://bugzilla.sen.cwi.nl:8080/show_bug.cgi?id=841
-    ./max-long.patch
-
-    # Patch the ATerm header files so that they don't rely on
-    # SIZEOF_LONG, SIZEOF_INT and SIZEOF_VOID_P being set.
-    ./sizeof.patch
-  ];
-
-  doCheck = true;
-
-  dontDisableStatic = true;
-
-  NIX_CFLAGS_COMPILE = "-D__USE_BSD";
-
-  meta = {
-    homepage = http://www.cwi.nl/htbin/sen1/twiki/bin/view/SEN1/ATerm;
-    license = "LGPL";
-    description = "Library for manipulation of term data structures in C";
-    platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin;
-    maintainers = [ stdenv.lib.maintainers.eelco ];
-  };
-}
diff --git a/pkgs/development/libraries/aterm/max-long.patch b/pkgs/development/libraries/aterm/max-long.patch
deleted file mode 100644
index a2f260b970b..00000000000
--- a/pkgs/development/libraries/aterm/max-long.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-diff -rc aterm-2.8-orig/aterm/hash.c aterm-2.8/aterm/hash.c
-*** aterm-2.8-orig/aterm/hash.c	2008-11-10 13:54:22.000000000 +0100
---- aterm-2.8/aterm/hash.c	2009-01-27 18:14:14.000000000 +0100
-***************
-*** 93,146 ****
-  }
-  
-  /*}}}  */
-- /*{{{  static long calc_long_max() */
-- static long calc_long_max()
-- {
--   long try_long_max;
--   long long_max;
--   long delta;
-- 
--   try_long_max = 1;
--   do {
--     long_max = try_long_max;
--     try_long_max = long_max * 2;
--   } while (try_long_max > 0);
-- 
--   delta = long_max;
--   while (delta > 1) {
--     while (long_max + delta < 0) {
--       delta /= 2;
--     }
--     long_max += delta;
--   }
-- 
--   return long_max;
-- 
-- }
-- /*}}}  */
-  /*{{{  static long calculateNewSize(sizeMinus1, nrdel, nrentries) */
-  
-  static long calculateNewSize
-  (long sizeMinus1, long nr_deletions, long nr_entries)
-  { 
-- 
--   /* Hack: LONG_MAX (limits.h) is often unreliable, we need to find
--    * out the maximum possible value of a signed long dynamically.
--    */
--   static long st_long_max = 0;
-- 
--   /* the resulting length has the form 2^k-1 */
-- 
-    if (nr_deletions >= nr_entries/2) { 
-      return sizeMinus1;
-    }
-  
-!   if (st_long_max == 0) {
-!     st_long_max = calc_long_max();
-!   }
-! 
-!   if (sizeMinus1 > st_long_max / 2) {
-!     return st_long_max-1;
-    }
-  
-    return (2*sizeMinus1)+1;
---- 93,109 ----
-  }
-  
-  /*}}}  */
-  /*{{{  static long calculateNewSize(sizeMinus1, nrdel, nrentries) */
-  
-  static long calculateNewSize
-  (long sizeMinus1, long nr_deletions, long nr_entries)
-  { 
-    if (nr_deletions >= nr_entries/2) { 
-      return sizeMinus1;
-    }
-  
-!   if (sizeMinus1 > LONG_MAX / 2) {
-!     return LONG_MAX-1;
-    }
-  
-    return (2*sizeMinus1)+1;
diff --git a/pkgs/development/libraries/aterm/sizeof.patch b/pkgs/development/libraries/aterm/sizeof.patch
deleted file mode 100644
index 2649cc56491..00000000000
--- a/pkgs/development/libraries/aterm/sizeof.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-diff -rc -x '*~' aterm-2.5-orig/aterm/aterm.c aterm-2.5/aterm/aterm.c
-*** aterm-2.5-orig/aterm/aterm.c	2007-02-27 23:41:31.000000000 +0100
---- aterm-2.5/aterm/aterm.c	2010-02-23 15:10:38.000000000 +0100
-***************
-*** 150,155 ****
---- 150,157 ----
-    if (initialized)
-      return;
-  
-+   assert(sizeof(long) == sizeof(void *));
-+ 
-    /*{{{  Handle arguments */
-  
-    for (lcv=1; lcv < argc; lcv++) {
-diff -rc -x '*~' aterm-2.5-orig/aterm/encoding.h aterm-2.5/aterm/encoding.h
-*** aterm-2.5-orig/aterm/encoding.h	2007-02-27 23:41:31.000000000 +0100
---- aterm-2.5/aterm/encoding.h	2010-02-23 15:36:05.000000000 +0100
-***************
-*** 10,24 ****
-  {
-  #endif/* __cplusplus */
-  
-! #if SIZEOF_LONG > 4
-! #define AT_64BIT
-  #endif
-  
-! #if SIZEOF_LONG != SIZEOF_VOID_P
-! #error Size of long is not the same as the size of a pointer
-  #endif
-  
-! #if SIZEOF_INT > 4
-  #error Size of int is not 32 bits
-  #endif
-  
---- 10,30 ----
-  {
-  #endif/* __cplusplus */
-  
-! #include <limits.h>
-! 
-! #ifndef SIZEOF_LONG
-! #if ULONG_MAX > 4294967295
-! #define SIZEOF_LONG 8
-! #else
-! #define SIZEOF_LONG 4
-! #endif
-  #endif
-  
-! #if SIZEOF_LONG > 4
-! #define AT_64BIT
-  #endif
-  
-! #if UINT_MAX > 4294967295
-  #error Size of int is not 32 bits
-  #endif
-  
diff --git a/pkgs/development/libraries/audio/libbs2b/default.nix b/pkgs/development/libraries/audio/libbs2b/default.nix
index e43a5acb6bd..4a64bc260bd 100644
--- a/pkgs/development/libraries/audio/libbs2b/default.nix
+++ b/pkgs/development/libraries/audio/libbs2b/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig libsndfile ];
 
+  hardening_format = false;
+
   meta = {
     homepage = "http://bs2b.sourceforge.net/";
     description = "Bauer stereophonic-to-binaural DSP library";
diff --git a/pkgs/development/libraries/cgui/default.nix b/pkgs/development/libraries/cgui/default.nix
index 0f117862236..3e5076d2509 100644
--- a/pkgs/development/libraries/cgui/default.nix
+++ b/pkgs/development/libraries/cgui/default.nix
@@ -12,10 +12,11 @@ stdenv.mkDerivation rec {
   buildInputs = [ texinfo allegro perl ];
 
   configurePhase = ''
-    export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -fPIC"
     sh fix.sh unix
   '';
 
+  hardening_format = false;
+
   makeFlags = [ "SYSTEM_DIR=$(out)" ];
 
   meta = with stdenv.lib; {
diff --git a/pkgs/development/libraries/cloog/0.18.0.nix b/pkgs/development/libraries/cloog/0.18.0.nix
index ccd93828319..3dc9587c921 100644
--- a/pkgs/development/libraries/cloog/0.18.0.nix
+++ b/pkgs/development/libraries/cloog/0.18.0.nix
@@ -18,6 +18,9 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardening_stackprotector = false;
+
   meta = {
     description = "Library that generates loops for scanning polyhedra";
 
diff --git a/pkgs/development/libraries/cwiid/default.nix b/pkgs/development/libraries/cwiid/default.nix
index a86bdc8e035..0b7d96b5cc1 100644
--- a/pkgs/development/libraries/cwiid/default.nix
+++ b/pkgs/development/libraries/cwiid/default.nix
@@ -1,26 +1,34 @@
 { stdenv, autoreconfHook, fetchgit, bison, flex, bluez, pkgconfig, gtk }:
 
 stdenv.mkDerivation rec {
-    name = "cwiid-2010-02-21-git";
-    src = fetchgit {
-        url = https://github.com/abstrakraft/cwiid;
-        sha256 = "6f5355d036dab017da713c49d3042011fa24fb732ed0d5ee338ab6f5ff400f06";
-        rev = "fadf11e89b579bcc0336a0692ac15c93785f3f82";
-    };
-    configureFlags = "--without-python";
-    prePatch = ''
-        sed -i -e '/$(LDCONFIG)/d' common/include/lib.mak.in
-    '';
-    buildInputs = [ autoreconfHook bison flex bluez pkgconfig gtk ];
-    postInstall = ''
-        # Some programs (for example, cabal-install) have problems with the double 0
-        sed -i -e "s/0.6.00/0.6.0/" $out/lib/pkgconfig/cwiid.pc
-    '';
-    meta = {
-        description = "Linux Nintendo Wiimote interface";
-        homepage = http://cwiid.org;
-        license = stdenv.lib.licenses.gpl2Plus;
-        maintainers = [ stdenv.lib.maintainers.bennofs ];
-        platforms = stdenv.lib.platforms.linux; 
-    };   
+  name = "cwiid-2010-02-21-git";
+
+  src = fetchgit {
+    url = https://github.com/abstrakraft/cwiid;
+    sha256 = "6f5355d036dab017da713c49d3042011fa24fb732ed0d5ee338ab6f5ff400f06";
+    rev = "fadf11e89b579bcc0336a0692ac15c93785f3f82";
+  };
+
+  hardening_format = false;
+
+  configureFlags = "--without-python";
+
+  prePatch = ''
+    sed -i -e '/$(LDCONFIG)/d' common/include/lib.mak.in
+  '';
+
+  buildInputs = [ autoreconfHook bison flex bluez pkgconfig gtk ];
+
+  postInstall = ''
+    # Some programs (for example, cabal-install) have problems with the double 0
+    sed -i -e "s/0.6.00/0.6.0/" $out/lib/pkgconfig/cwiid.pc
+  '';
+
+  meta = {
+    description = "Linux Nintendo Wiimote interface";
+    homepage = http://cwiid.org;
+    license = stdenv.lib.licenses.gpl2Plus;
+    maintainers = [ stdenv.lib.maintainers.bennofs ];
+    platforms = stdenv.lib.platforms.linux;
+  };
 }
diff --git a/pkgs/development/libraries/db/db-4.4.nix b/pkgs/development/libraries/db/db-4.4.nix
index 757b1f71405..327da38e986 100644
--- a/pkgs/development/libraries/db/db-4.4.nix
+++ b/pkgs/development/libraries/db/db-4.4.nix
@@ -5,4 +5,5 @@ import ./generic.nix (args // rec {
   extraPatches = [ ./cygwin-4.4.patch ];
   sha256 = "0y9vsq8dkarx1mhhip1vaciz6imbbyv37c1dm8b20l7p064bg2i9";
   branch = "4.4";
+  drvArgs = { hardening_format = false; };
 })
diff --git a/pkgs/development/libraries/db/db-4.5.nix b/pkgs/development/libraries/db/db-4.5.nix
index b1e4b2c4708..6d3b15d256e 100644
--- a/pkgs/development/libraries/db/db-4.5.nix
+++ b/pkgs/development/libraries/db/db-4.5.nix
@@ -5,4 +5,5 @@ import ./generic.nix (args // rec {
   extraPatches = [ ./cygwin-4.5.patch ./register-race-fix.patch ];
   sha256 = "0bd81k0qv5i8w5gbddrvld45xi9k1gvmcrfm0393v0lrm37dab7m";
   branch = "4.5";
+  drvArgs = { hardening_format = false; };
 })
diff --git a/pkgs/development/libraries/db/db-4.7.nix b/pkgs/development/libraries/db/db-4.7.nix
index 9a7d586cd04..0735099729a 100644
--- a/pkgs/development/libraries/db/db-4.7.nix
+++ b/pkgs/development/libraries/db/db-4.7.nix
@@ -4,4 +4,5 @@ import ./generic.nix (args // rec {
   version = "4.7.25";
   sha256 = "0gi667v9cw22c03hddd6xd6374l0pczsd56b7pba25c9sdnxjkzi";
   branch = "4.7";
+  drvArgs = { hardening_format = false; };
 })
diff --git a/pkgs/development/libraries/db/db-4.8.nix b/pkgs/development/libraries/db/db-4.8.nix
index 6a161b0b72d..78c0a15c4e0 100644
--- a/pkgs/development/libraries/db/db-4.8.nix
+++ b/pkgs/development/libraries/db/db-4.8.nix
@@ -5,4 +5,5 @@ import ./generic.nix (args // rec {
   extraPatches = [ ./clang-4.8.patch ];
   sha256 = "0ampbl2f0hb1nix195kz1syrqqxpmvnvnfvphambj7xjrl3iljg0";
   branch = "4.8";
+  drvArgs = { hardening_format = false; };
 })
diff --git a/pkgs/development/libraries/db/generic.nix b/pkgs/development/libraries/db/generic.nix
index f5ee4e440ff..fdc828effdf 100644
--- a/pkgs/development/libraries/db/generic.nix
+++ b/pkgs/development/libraries/db/generic.nix
@@ -7,9 +7,10 @@
 , extraPatches ? [ ]
 , license ? stdenv.lib.licenses.sleepycat
 , branch ? null
+, drvArgs ? {}
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (rec {
   name = "db-${version}";
 
   src = fetchurl {
@@ -42,4 +43,4 @@ stdenv.mkDerivation rec {
     platforms = platforms.unix;
     branch = branch;
   };
-}
+} // drvArgs)
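Review bot: `} // drvArgs` is a shallow merge applied after the `rec` set is built, so a `drvArgs` carrying `meta` would replace the whole attribute instead of extending it. Attributes inside the `rec` that refer to each other will also not see overridden values. Callers in this diff only pass `hardening_format`, so nothing breaks today. A comment at the parameter, e.g. `# drvArgs: extra top-level mkDerivation attributes, merged shallowly`, would keep later users from assuming a deep merge. The body of the derivation lies outside this hunk.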
diff --git a/pkgs/development/libraries/fox/default.nix b/pkgs/development/libraries/fox/default.nix
index 2d44444ab40..78b7e9a63fc 100644
--- a/pkgs/development/libraries/fox/default.nix
+++ b/pkgs/development/libraries/fox/default.nix
@@ -18,6 +18,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardening_format = false;
+
   meta = {
     description = "C++ based class library for building Graphical User Interfaces";
     longDescription = ''
diff --git a/pkgs/development/libraries/fox/fox-1.6.nix b/pkgs/development/libraries/fox/fox-1.6.nix
index 3c823adf91b..007609403e2 100644
--- a/pkgs/development/libraries/fox/fox-1.6.nix
+++ b/pkgs/development/libraries/fox/fox-1.6.nix
@@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardening_format = false;
+
   meta = {
     branch = "1.6";
     description = "A C++ based class library for building Graphical User Interfaces";
diff --git a/pkgs/development/libraries/freetds/default.nix b/pkgs/development/libraries/freetds/default.nix
index 695abcfbba2..bb4aeaeee27 100644
--- a/pkgs/development/libraries/freetds/default.nix
+++ b/pkgs/development/libraries/freetds/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
     sha256 = "0r946axzxs0czsmr7283w7vmk5jx3jnxxc32d2ncxsrsh2yli0ba";
   };
 
+  hardening_format = false;
+
   buildInputs = stdenv.lib.optional odbcSupport [ unixODBC ];
 
   configureFlags = stdenv.lib.optionalString odbcSupport "--with-odbc=${unixODBC}";
diff --git a/pkgs/development/libraries/fribidi/default.nix b/pkgs/development/libraries/fribidi/default.nix
index 23795e9633e..09828665541 100644
--- a/pkgs/development/libraries/fribidi/default.nix
+++ b/pkgs/development/libraries/fribidi/default.nix
@@ -3,12 +3,14 @@
 stdenv.mkDerivation rec {
   name = "fribidi-${version}";
   version = "0.19.6";
-  
+
   src = fetchurl {
     url = "http://fribidi.org/download/${name}.tar.bz2";
     sha256 = "0zg1hpaml34ny74fif97j7ngrshlkl3wk3nja3gmlzl17i1bga6b";
   };
 
+  hardening_format = false;
+
   meta = with stdenv.lib; {
     homepage = http://fribidi.org/;
     description = "GNU implementation of the Unicode Bidirectional Algorithm (bidi)";
diff --git a/pkgs/development/libraries/gd/default.nix b/pkgs/development/libraries/gd/default.nix
index 7c3c53626b5..a24a8416866 100644
--- a/pkgs/development/libraries/gd/default.nix
+++ b/pkgs/development/libraries/gd/default.nix
@@ -2,16 +2,18 @@
 
 stdenv.mkDerivation {
   name = "gd-2.0.35";
-  
+
   src = fetchurl {
     url = http://www.libgd.org/releases/gd-2.0.35.tar.bz2;
     sha256 = "1y80lcmb8qbzf0a28841zxhq9ndfapmh2fsrqfd9lalxfj8288mz";
   };
-  
+
   buildInputs = [zlib libpng freetype];
 
   propagatedBuildInputs = [libjpeg fontconfig]; # urgh
 
+  hardening_format = false;
+
   configureFlags = "--without-x";
 
   meta = {
diff --git a/pkgs/development/libraries/gdal/default.nix b/pkgs/development/libraries/gdal/default.nix
index 1607387160d..829c395cc7b 100644
--- a/pkgs/development/libraries/gdal/default.nix
+++ b/pkgs/development/libraries/gdal/default.nix
@@ -18,6 +18,8 @@ composableDerivation.composableDerivation {} (fixed: rec {
   ++ (with pythonPackages; [ python numpy wrapPython ])
   ++ (stdenv.lib.optionals netcdfSupport [ netcdf hdf5 curl ]);
 
+  hardening_format = false;
+
   patches = [
     # This ensures that the python package is installed into gdal's prefix,
     # rather than trying to install into python's prefix.
diff --git a/pkgs/development/libraries/gdal/gdal-1_11.nix b/pkgs/development/libraries/gdal/gdal-1_11.nix
index 0e4b4d03541..4c6ec24a16c 100644
--- a/pkgs/development/libraries/gdal/gdal-1_11.nix
+++ b/pkgs/development/libraries/gdal/gdal-1_11.nix
@@ -19,6 +19,8 @@ composableDerivation.composableDerivation {} (fixed: rec {
     ./python.patch
   ];
 
+  hardening_format = false;
+
   # Don't use optimization for gcc >= 4.3. That's said to be causing segfaults.
   # Unset CC and CXX as they confuse libtool.
   preConfigure = "export CFLAGS=-O0 CXXFLAGS=-O0; unset CC CXX";
diff --git a/pkgs/development/libraries/gdome2/default.nix b/pkgs/development/libraries/gdome2/default.nix
index cc8f76949ee..e9c32da2069 100644
--- a/pkgs/development/libraries/gdome2/default.nix
+++ b/pkgs/development/libraries/gdome2/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation {
     sha256 = "0hyms5s3hziajp3qbwdwqjc2xcyhb783damqg8wxjpwfxyi81fzl";
   };
 
+  hardening_format = false;
+
   buildInputs = [pkgconfig glib libxml2 gtkdoc];
   propagatedBuildInputs = [glib libxml2];
   patches = [ ./xml-document.patch ];
diff --git a/pkgs/development/libraries/geoclue/default.nix b/pkgs/development/libraries/geoclue/default.nix
index 1b703e2fdba..e8d43e6652f 100644
--- a/pkgs/development/libraries/geoclue/default.nix
+++ b/pkgs/development/libraries/geoclue/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 
   propagatedBuildInputs = [dbus glib dbus_glib];
 
+  hardening_format = false;
+
   preConfigure = ''
     sed -e '/-Werror/d' -i configure
   '';
diff --git a/pkgs/development/libraries/gettext/default.nix b/pkgs/development/libraries/gettext/default.nix
index c96d241ee90..9b24ccc79e8 100644
--- a/pkgs/development/libraries/gettext/default.nix
+++ b/pkgs/development/libraries/gettext/default.nix
@@ -12,6 +12,10 @@ stdenv.mkDerivation rec {
 
   outputs = [ "out" "doc" ];
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardening_stackprotector = false;
+  hardening_format = false;
+
   LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else "";
 
   configureFlags = [ "--disable-csharp" "--with-xz" ]
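Review bot: The comment `# FIXME needs gcc 4.9 in bootstrap tools` sits directly above both added lines, so `hardening_format = false;` reads as if it had the same cause as the stack-protector opt-out. Elsewhere in this diff (gmp, isl, libelf, libmpc, mpfr) that comment accompanies only `hardening_stackprotector = false;`, which suggests the format opt-out has a different reason. Separate the two with a blank line and give the second its own comment, e.g. `# FIXME: <file> fails to build with -Werror=format-security`. The derivation continues outside the hunk.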
diff --git a/pkgs/development/libraries/giflib/4.1.nix b/pkgs/development/libraries/giflib/4.1.nix
index 13cd1c79b6a..114e0e587b6 100644
--- a/pkgs/development/libraries/giflib/4.1.nix
+++ b/pkgs/development/libraries/giflib/4.1.nix
@@ -2,10 +2,14 @@
 
 stdenv.mkDerivation {
   name = "giflib-4.1.6";
+
   src = fetchurl {
     url = mirror://sourceforge/giflib/giflib-4.1.6.tar.bz2;
     sha256 = "1v9b7ywz7qg8hli0s9vv1b8q9xxb2xvqq2mg1zpr73xwqpcwxhg1";
   };
+
+  hardening_format = false;
+
   meta = {
     branch = "4.1";
   };
diff --git a/pkgs/development/libraries/giflib/libungif.nix b/pkgs/development/libraries/giflib/libungif.nix
index f3302f8f333..1cc4ae0201b 100644
--- a/pkgs/development/libraries/giflib/libungif.nix
+++ b/pkgs/development/libraries/giflib/libungif.nix
@@ -6,5 +6,7 @@ stdenv.mkDerivation {
     url = mirror://sourceforge/giflib/libungif-4.1.4.tar.gz;
     md5 = "efdfcf8e32e35740288a8c5625a70ccb";
   };
+
+  hardening_format = false;
 }
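Review bot: The source of this derivation is still pinned only by `md5 = …` (the context line above the added attribute), and MD5 is broken for collision resistance, which weakens the fixed-output hash as an integrity pin for the fetched tarball. While the file is being touched, replace it with `sha256 = "<sha256 of libungif-4.1.4.tar.gz>";`, where the value is a placeholder to be computed with `nix-prefetch-url`. The added `hardening_format = false;` also lacks a comment giving the build failure it works around.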
 
diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix
index 13d5adcd9b1..7bbf5562f7c 100644
--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@@ -165,6 +165,9 @@ stdenv.mkDerivation ({
 
   preBuild = lib.optionalString withGd "unset NIX_DONT_SET_RPATH";
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardening_stackprotector = false;
+
   meta = {
     homepage = http://www.gnu.org/software/libc/;
     description = "The GNU C Library";
diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix
index 5e25c2dc8bc..85a49999b48 100644
--- a/pkgs/development/libraries/glibc/default.nix
+++ b/pkgs/development/libraries/glibc/default.nix
@@ -22,6 +22,9 @@ in
 
     builder = ./builder.sh;
 
+    hardening_stackprotector = false;
+    hardening_fortify = false;
+
     # When building glibc from bootstrap-tools, we need libgcc_s at RPATH for
     # any program we run, because the gcc will have been placed at a new
     # store path than that determined when built (as a source for the
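Review bot: `hardening_stackprotector = false;` and `hardening_fortify = false;` are added without any comment, whereas the glibc/common.nix hunk just above marks its stack-protector opt-out with `# FIXME needs gcc 4.9 in bootstrap tools`. For the C library it matters whether these are temporary bootstrap workarounds or permanent exemptions, and the reader cannot tell which from here. Add a comment per line, e.g. `# FIXME needs gcc 4.9 in bootstrap tools` if that is the cause for the first and `# <reason libc itself cannot be built with _FORTIFY_SOURCE>` for the second. If this file merges its attributes with common.nix (not visible in the hunk), the stack-protector line may also be redundant. The attribute set starts and ends outside the hunk.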
diff --git a/pkgs/development/libraries/gmp/5.1.x.nix b/pkgs/development/libraries/gmp/5.1.x.nix
index 7b393067ff5..0db619b3658 100644
--- a/pkgs/development/libraries/gmp/5.1.x.nix
+++ b/pkgs/development/libraries/gmp/5.1.x.nix
@@ -12,6 +12,9 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ m4 ];
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardening_stackprotector = false;
+
   patches = if stdenv.isDarwin then [ ./need-size-t.patch ] else null;
 
   configureFlags =
diff --git a/pkgs/development/libraries/gsm/default.nix b/pkgs/development/libraries/gsm/default.nix
index fb9ff8eb0fb..42d36b8406e 100644
--- a/pkgs/development/libraries/gsm/default.nix
+++ b/pkgs/development/libraries/gsm/default.nix
@@ -41,8 +41,6 @@ stdenv.mkDerivation rec {
 
   preInstall = "mkdir -p $out/{bin,lib,man/man1,man/man3,include/gsm}";
 
-  NIX_CFLAGS_COMPILE = optional (!staticSupport) "-fPIC";
-
   parallelBuild = false;
 
   meta = with stdenv.lib; {
diff --git a/pkgs/development/libraries/hspell/default.nix b/pkgs/development/libraries/hspell/default.nix
index 9b44d12c293..eebd105a00d 100644
--- a/pkgs/development/libraries/hspell/default.nix
+++ b/pkgs/development/libraries/hspell/default.nix
@@ -16,8 +16,6 @@ stdenv.mkDerivation rec {
   patchPhase = ''patchShebangs .'';
   buildInputs = [ perl zlib ];
 
-  makeFlags = "CFLAGS=-fPIC";
-
   meta = {
     description = "Hebrew spell checker";
     homepage = http://hspell.ivrix.org.il/;
diff --git a/pkgs/development/libraries/isl/0.11.1.nix b/pkgs/development/libraries/isl/0.11.1.nix
index 63140dba37f..c56c5b3892a 100644
--- a/pkgs/development/libraries/isl/0.11.1.nix
+++ b/pkgs/development/libraries/isl/0.11.1.nix
@@ -13,6 +13,9 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardening_stackprotector = false;
+
   meta = {
     homepage = http://www.kotnet.org/~skimo/isl/;
     license = stdenv.lib.licenses.lgpl21;
diff --git a/pkgs/development/libraries/itk/default.nix b/pkgs/development/libraries/itk/default.nix
index 7b4e3834af7..eda9434ab65 100644
--- a/pkgs/development/libraries/itk/default.nix
+++ b/pkgs/development/libraries/itk/default.nix
@@ -12,7 +12,6 @@ stdenv.mkDerivation rec {
     "-DBUILD_TESTING=OFF"
     "-DBUILD_EXAMPLES=OFF"
     "-DBUILD_SHARED_LIBS=ON"
-    "-DCMAKE_CXX_FLAGS=-fPIC"
   ];
 
   enableParallelBuilding = true;
diff --git a/pkgs/development/libraries/java/swt/default.nix b/pkgs/development/libraries/java/swt/default.nix
index d942dd7b692..855b800ba9f 100644
--- a/pkgs/development/libraries/java/swt/default.nix
+++ b/pkgs/development/libraries/java/swt/default.nix
@@ -28,6 +28,8 @@ in stdenv.mkDerivation rec {
 
   builder = ./builder.sh;
 
+  hardening_format = false;
+
   # Alas, the Eclipse Project apparently doesn't produce source-only
   # releases of SWT.  So we just grab a binary release and extract
   # "src.zip" from that.
diff --git a/pkgs/development/libraries/libcli/default.nix b/pkgs/development/libraries/libcli/default.nix
index 1c247f6faa8..cf1b21ceaa9 100644
--- a/pkgs/development/libraries/libcli/default.nix
+++ b/pkgs/development/libraries/libcli/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub }:
+{ stdenv, fetchFromGitHub, fetchpatch }:
 
 stdenv.mkDerivation rec {
   name = "libcli-${version}";
@@ -11,6 +11,13 @@ stdenv.mkDerivation rec {
     owner = "dparrish";
   };
 
+  patches = [
+    (fetchpatch {
+      url = https://patch-diff.githubusercontent.com/raw/dparrish/libcli/pull/21.diff;
+      sha256 = "150nm33xi3992zx8a9smjzd8zs7pavrwg1pijah6nyl22q9gxm21";
+    })
+  ];
+
   enableParallelBuilding = true;
 
   makeFlags = [ "PREFIX=$(out)" ];
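Review bot: The `fetchpatch` URL points at a pull-request diff (`.../pull/21.diff`), whose content changes whenever the pull request is updated, so the pinned `sha256` will stop matching and the build will break. The hash does keep a changed patch from being applied silently, but the input is not reproducible. Pin to the commit instead, e.g. `url = https://github.com/dparrish/libcli/commit/<commit-id>.patch;`, and add a `name` and a one-line comment saying what the patch fixes so it can be dropped on the next upstream release. The derivation continues outside the hunk.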
diff --git a/pkgs/development/libraries/libdnet/default.nix b/pkgs/development/libraries/libdnet/default.nix
index 8911539d7b0..dbda4107c48 100644
--- a/pkgs/development/libraries/libdnet/default.nix
+++ b/pkgs/development/libraries/libdnet/default.nix
@@ -12,8 +12,6 @@ stdenv.mkDerivation {
 
   buildInputs = [ automake autoconf libtool ];
 
-  CFLAGS="-fPIC";
-
   # .so endings are missing (quick and dirty fix)
   postInstall = ''
     for i in $out/lib/*; do
diff --git a/pkgs/development/libraries/libelf/default.nix b/pkgs/development/libraries/libelf/default.nix
index 048902f4fc4..cb0c8a7f5c1 100644
--- a/pkgs/development/libraries/libelf/default.nix
+++ b/pkgs/development/libraries/libelf/default.nix
@@ -9,7 +9,10 @@ stdenv.mkDerivation (rec {
   };
 
   doCheck = true;
-  
+
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardening_stackprotector = false;
+
   # For cross-compiling, native glibc is needed for the "gencat" program.
   crossAttrs = {
     nativeBuildInputs = [ glibc ];
diff --git a/pkgs/development/libraries/libf2c/default.nix b/pkgs/development/libraries/libf2c/default.nix
index 3123bb33d45..8edc53cb7ee 100644
--- a/pkgs/development/libraries/libf2c/default.nix
+++ b/pkgs/development/libraries/libf2c/default.nix
@@ -2,7 +2,7 @@
 
 stdenv.mkDerivation rec {
   name = "libf2c-20100903";
-  
+
   src = fetchurl {
     url = http://www.netlib.org/f2c/libf2c.zip;
     sha256 = "1mcp1lh7gay7hm186dr0wvwd2bc05xydhnc1qy3dqs4n3r102g7i";
@@ -24,6 +24,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ unzip ];
 
+  hardening_format = false;
+
   meta = {
     description = "F2c converts Fortran 77 source code to C";
     homepage = http://www.netlib.org/f2c/;
diff --git a/pkgs/development/libraries/libgeotiff/default.nix b/pkgs/development/libraries/libgeotiff/default.nix
index d07aae3ab80..4d9fa09ad75 100644
--- a/pkgs/development/libraries/libgeotiff/default.nix
+++ b/pkgs/development/libraries/libgeotiff/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ libtiff ];
 
+  hardening_format = false;
+
   meta = {
     description = "Library implementing attempt to create a tiff based interchange format for georeferenced raster imagery";
     homepage = http://www.remotesensing.org/geotiff/geotiff.html;
diff --git a/pkgs/development/libraries/libgphoto2/default.nix b/pkgs/development/libraries/libgphoto2/default.nix
index e25cdb61d86..682a42e2db9 100644
--- a/pkgs/development/libraries/libgphoto2/default.nix
+++ b/pkgs/development/libraries/libgphoto2/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
   # These are mentioned in the Requires line of libgphoto's pkg-config file.
   propagatedBuildInputs = [ libexif ];
 
+  hardening_format = false;
+
   meta = {
     homepage = http://www.gphoto.org/proj/libgphoto2/;
     description = "A library for accessing digital cameras";
diff --git a/pkgs/development/libraries/libmpc/default.nix b/pkgs/development/libraries/libmpc/default.nix
index 1e8ea0ffa13..cc883ba67b2 100644
--- a/pkgs/development/libraries/libmpc/default.nix
+++ b/pkgs/development/libraries/libmpc/default.nix
@@ -16,6 +16,9 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardening_stackprotector = false;
+
   meta = {
     description = "Library for multiprecision complex arithmetic with exact rounding";
 
diff --git a/pkgs/development/libraries/librsync/0.9.nix b/pkgs/development/libraries/librsync/0.9.nix
index 76daf7d748b..d3dd293f975 100644
--- a/pkgs/development/libraries/librsync/0.9.nix
+++ b/pkgs/development/libraries/librsync/0.9.nix
@@ -1,13 +1,15 @@
-{stdenv, fetchurl}:
+{ stdenv, fetchurl }:
 
 stdenv.mkDerivation {
   name = "librsync-0.9.7";
-  
+
   src = fetchurl {
     url = mirror://sourceforge/librsync/librsync-0.9.7.tar.gz;
     sha256 = "1mj1pj99mgf1a59q9f2mxjli2fzxpnf55233pc1klxk2arhf8cv6";
   };
 
+  hardening_format = false;
+
   configureFlags = if stdenv.isCygwin then "--enable-static" else "--enable-shared";
 
   crossAttrs = {
diff --git a/pkgs/development/libraries/libunwind/default.nix b/pkgs/development/libraries/libunwind/default.nix
index 3fc8b508559..86f0c50dd20 100644
--- a/pkgs/development/libraries/libunwind/default.nix
+++ b/pkgs/development/libraries/libunwind/default.nix
@@ -22,7 +22,6 @@ stdenv.mkDerivation rec {
 
   propagatedBuildInputs = [ xz ];
 
-  NIX_CFLAGS_COMPILE = if stdenv.system == "x86_64-linux" then "-fPIC" else "";
   preInstall = ''
     mkdir -p "$out/lib"
     touch "$out/lib/libunwind-generic.so"
diff --git a/pkgs/development/libraries/libvisual/default.nix b/pkgs/development/libraries/libvisual/default.nix
index dc2f0338b48..a9320f1af7b 100644
--- a/pkgs/development/libraries/libvisual/default.nix
+++ b/pkgs/development/libraries/libvisual/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig glib ];
 
+  hardening_format = false;
+
   meta = {
     description = "An abstraction library for audio visualisations";
     homepage = "http://sourceforge.net/projects/libvisual/";
diff --git a/pkgs/development/libraries/libyaml-cpp/default.nix b/pkgs/development/libraries/libyaml-cpp/default.nix
index f56bf77abfe..1ba31a7a6d5 100644
--- a/pkgs/development/libraries/libyaml-cpp/default.nix
+++ b/pkgs/development/libraries/libyaml-cpp/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, cmake, boost, makePIC ? false }:
+{ stdenv, fetchurl, cmake, boost }:
 
 stdenv.mkDerivation {
   name = "libyaml-cpp-0.5.1";
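Review bot: Dropping the `makePIC ? false` argument makes any remaining caller that still passes it fail at evaluation time with an unexpected-argument error; the plib hunk further down removes `enablePIC` in the same way. The call sites are not visible in this part of the diff, so confirm that every `callPackage`/`.override` use passing these arguments was updated in the same commit. If out-of-tree users matter, keep the argument for a release and ignore it, e.g. `makePIC ? null # ignored: presumably PIC now comes from the default flags`.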
@@ -10,8 +10,6 @@ stdenv.mkDerivation {
 
   buildInputs = [ cmake boost ];
 
-  cmakeFlags = stdenv.lib.optionals makePIC [ "-DCMAKE_C_FLAGS=-fPIC" "-DCMAKE_CXX_FLAGS=-fPIC" ];
-
   meta = with stdenv.lib; {
     homepage = http://code.google.com/p/yaml-cpp/;
     description = "A YAML parser and emitter for C++";
diff --git a/pkgs/development/libraries/mp4v2/default.nix b/pkgs/development/libraries/mp4v2/default.nix
index 06e8c8e5ac3..5281ab2c480 100644
--- a/pkgs/development/libraries/mp4v2/default.nix
+++ b/pkgs/development/libraries/mp4v2/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation rec {
   # `faac' expects `mp4.h'.
   postInstall = "ln -s mp4v2/mp4v2.h $out/include/mp4.h";
 
+  hardening_format = false;
+
   meta = {
     homepage = http://code.google.com/p/mp4v2;
     maintainers = [ stdenv.lib.maintainers.urkud ];
diff --git a/pkgs/development/libraries/mpfr/default.nix b/pkgs/development/libraries/mpfr/default.nix
index 581f956b0af..2c643885727 100644
--- a/pkgs/development/libraries/mpfr/default.nix
+++ b/pkgs/development/libraries/mpfr/default.nix
@@ -13,6 +13,9 @@ stdenv.mkDerivation rec {
   # mpfr.h requires gmp.h
   propagatedBuildInputs = [ gmp ];
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardening_stackprotector = false;
+
   configureFlags =
     stdenv.lib.optional stdenv.isSunOS "--disable-thread-safe" ++
     stdenv.lib.optional stdenv.is64bit "--with-pic";
diff --git a/pkgs/development/libraries/nvidia-texture-tools/default.nix b/pkgs/development/libraries/nvidia-texture-tools/default.nix
index 754ab4233e5..cd8268faa65 100644
--- a/pkgs/development/libraries/nvidia-texture-tools/default.nix
+++ b/pkgs/development/libraries/nvidia-texture-tools/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ cmake libpng ilmbase libtiff zlib libjpeg mesa libX11 ];
 
+  hardening_format = false;
+
   patchPhase = ''
     # Fix build due to missing dependnecies.
     echo 'target_link_libraries(bc7 nvmath)' >> src/nvtt/bc7/CMakeLists.txt
diff --git a/pkgs/development/libraries/opencascade/6.5.nix b/pkgs/development/libraries/opencascade/6.5.nix
index 4228c285dfd..a1143757c77 100644
--- a/pkgs/development/libraries/opencascade/6.5.nix
+++ b/pkgs/development/libraries/opencascade/6.5.nix
@@ -26,6 +26,8 @@ stdenv.mkDerivation rec {
   # https://bugs.freedesktop.org/show_bug.cgi?id=83631
     + " -DGLX_GLXEXT_LEGACY";
 
+  hardening_format = false;
+
   configureFlags = [ "--with-tcl=${tcl}/lib" "--with-tk=${tk}/lib" "--with-qt=${qt4}" "--with-ftgl=${ftgl}" "--with-freetype=${freetype}" ];
 
   postInstall = ''
diff --git a/pkgs/development/libraries/opencascade/default.nix b/pkgs/development/libraries/opencascade/default.nix
index ec15d9d631e..bcf1b747180 100644
--- a/pkgs/development/libraries/opencascade/default.nix
+++ b/pkgs/development/libraries/opencascade/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation rec {
   # https://bugs.freedesktop.org/show_bug.cgi?id=83631
   NIX_CFLAGS_COMPILE = "-DGLX_GLXEXT_LEGACY";
 
+  hardening_format = false;
+
   postInstall = ''
     mv $out/inc $out/include
     mkdir -p $out/share/doc/${name}
diff --git a/pkgs/development/libraries/opencv/3.x.nix b/pkgs/development/libraries/opencv/3.x.nix
index 4a58ae43bb7..16765083c55 100644
--- a/pkgs/development/libraries/opencv/3.x.nix
+++ b/pkgs/development/libraries/opencv/3.x.nix
@@ -49,6 +49,9 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardening_bindnow = false;
+  hardening_relro = false;
+
   meta = {
     description = "Open Computer Vision Library with more than 500 algorithms";
     homepage = http://opencv.org/;
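Review bot: `hardening_bindnow = false;` and `hardening_relro = false;` switch off both linker hardenings for a library that decodes image and video files, and no reason is given. Without RELRO and immediate binding the relocation tables stay writable at run time, which removes a mitigation that limits what a memory-corruption bug in a decoder can be turned into. If only lazy binding is actually needed (a guess, e.g. for modules with unresolved symbols at load time), keep `hardening_relro` enabled and disable just `hardening_bindnow`, with a comment such as `# <module/symbol that fails to load with -z now>`. The opencv/default.nix hunk below adds the same two lines and needs the same treatment.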
diff --git a/pkgs/development/libraries/opencv/default.nix b/pkgs/development/libraries/opencv/default.nix
index 4ce1787dbac..d5904e742b6 100644
--- a/pkgs/development/libraries/opencv/default.nix
+++ b/pkgs/development/libraries/opencv/default.nix
@@ -20,6 +20,9 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardening_bindnow = false;
+  hardening_relro = false;
+
   meta = {
     description = "Open Computer Vision Library with more than 500 algorithms";
     homepage = http://opencv.org/;
diff --git a/pkgs/development/libraries/phonon/qt5/default.nix b/pkgs/development/libraries/phonon/qt5/default.nix
index fc07344d2d1..c7baeb2e340 100644
--- a/pkgs/development/libraries/phonon/qt5/default.nix
+++ b/pkgs/development/libraries/phonon/qt5/default.nix
@@ -20,8 +20,6 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ cmake pkgconfig ];
 
-  NIX_CFLAGS_COMPILE = "-fPIC";
-
   cmakeFlags = [
     "-DCMAKE_BUILD_TYPE=${if debug then "Debug" else "Release"}"
     "-DPHONON_BUILD_PHONON4QT5=ON"
diff --git a/pkgs/development/libraries/plib/default.nix b/pkgs/development/libraries/plib/default.nix
index ff60e62cad3..dc75a407e92 100644
--- a/pkgs/development/libraries/plib/default.nix
+++ b/pkgs/development/libraries/plib/default.nix
@@ -1,6 +1,5 @@
 { fetchurl, stdenv, mesa, freeglut, SDL
-, libXi, libSM, libXmu, libXext, libX11,
-enablePIC ? false }:
+, libXi, libSM, libXmu, libXext, libX11 }:
 
 stdenv.mkDerivation rec {
   name = "plib-1.8.5";
@@ -13,8 +12,6 @@ stdenv.mkDerivation rec {
 
   patches = [ ./CVE-2012-4552.patch ];
 
-  NIX_CFLAGS_COMPILE = if enablePIC then "-fPIC" else "";
-
   propagatedBuildInputs = [
     mesa freeglut SDL
 
diff --git a/pkgs/development/libraries/portmidi/default.nix b/pkgs/development/libraries/portmidi/default.nix
index 518eeee9253..4b55cffe94f 100644
--- a/pkgs/development/libraries/portmidi/default.nix
+++ b/pkgs/development/libraries/portmidi/default.nix
@@ -46,6 +46,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ unzip cmake /*jdk*/ alsaLib ];
 
+  hardening_format = false;
+
   meta = {
     homepage = "http://portmedia.sourceforge.net/portmidi/";
     description = "Platform independent library for MIDI I/O";
diff --git a/pkgs/development/libraries/pupnp/default.nix b/pkgs/development/libraries/pupnp/default.nix
index c5e26c1dfad..22dbef1bac2 100644
--- a/pkgs/development/libraries/pupnp/default.nix
+++ b/pkgs/development/libraries/pupnp/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "0amjv4lypvclmi4vim2qdyw5xa6v4x50zjgf682vahqjc0wjn55k";
   };
 
+  hardening_fortify = false;
+
   meta = {
     description = "libupnp, an open source UPnP development kit for Linux";
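Review bot: `hardening_fortify = false;` removes the `_FORTIFY_SOURCE` checks from a library that, per its description, implements UPnP and therefore parses data from the network, and the line has no explanation. Fortify provides exactly the bounds checks on string and memory functions that are most valuable in a network parser, so the opt-out should be a last resort. If the build fails only on one file or on a warning, patch that instead; otherwise add `# FIXME: <build error with fortify enabled>; re-enable once patched upstream`. The derivation continues outside the hunk.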
 
diff --git a/pkgs/development/libraries/qhull/default.nix b/pkgs/development/libraries/qhull/default.nix
index 76ceb12b401..e8a67d3bc42 100644
--- a/pkgs/development/libraries/qhull/default.nix
+++ b/pkgs/development/libraries/qhull/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   cmakeFlags = "-DMAN_INSTALL_DIR=share/man/man1 -DDOC_INSTALL_DIR=share/doc/qhull";
 
+  hardening_format = false;
+
   meta = {
     homepage = http://www.qhull.org/;
     description = "Computes the convex hull, Delaunay triangulation, Voronoi diagram and more";
diff --git a/pkgs/development/libraries/qt-3/default.nix b/pkgs/development/libraries/qt-3/default.nix
index 08d8f141deb..8a11cc7087b 100644
--- a/pkgs/development/libraries/qt-3/default.nix
+++ b/pkgs/development/libraries/qt-3/default.nix
@@ -32,6 +32,8 @@ stdenv.mkDerivation {
   nativeBuildInputs = [ which ];
   propagatedBuildInputs = [libpng xlibsWrapper libXft libXrender zlib libjpeg];
 
+  hardening_format = false;
+
   configureFlags = "
     -v
     -system-zlib -system-libpng -system-libjpeg
diff --git a/pkgs/development/libraries/qtscriptgenerator/default.nix b/pkgs/development/libraries/qtscriptgenerator/default.nix
index b8ed81de487..de87c6b73c6 100644
--- a/pkgs/development/libraries/qtscriptgenerator/default.nix
+++ b/pkgs/development/libraries/qtscriptgenerator/default.nix
@@ -9,13 +9,13 @@ stdenv.mkDerivation {
   buildInputs = [ qt4 ];
 
   patches = [ ./qtscriptgenerator.gcc-4.4.patch ./qt-4.8.patch ];
-  
+
   # Why isn't the author providing proper Makefile or a CMakeLists.txt ?
   buildPhase = ''
     # remove phonon stuff which causes errors (thanks to Gentoo bug reports)
     sed -i "/typesystem_phonon.xml/d" generator/generator.qrc
-    sed -i "/qtscript_phonon/d" qtbindings/qtbindings.pro	    
-  
+    sed -i "/qtscript_phonon/d" qtbindings/qtbindings.pro
+
     cd generator
     qmake
     make
@@ -25,13 +25,15 @@ stdenv.mkDerivation {
     qmake
     make
   '';
-  
+
   installPhase = ''
     cd ..
     mkdir -p $out/lib/qt4/plugins/script
     cp -av plugins/script/* $out/lib/qt4/plugins/script
   '';
 
+  hardening_format = false;
+
   meta = {
     description = "QtScript bindings generator";
     homepage = http://code.google.com/p/qtscriptgenerator/;
diff --git a/pkgs/development/libraries/science/math/atlas/default.nix b/pkgs/development/libraries/science/math/atlas/default.nix
index 1fa48ffea91..9779af6addc 100644
--- a/pkgs/development/libraries/science/math/atlas/default.nix
+++ b/pkgs/development/libraries/science/math/atlas/default.nix
@@ -73,14 +73,10 @@ stdenv.mkDerivation {
     configureScript=../configure
   '';
 
-  # * -fPIC is passed even in non-shared builds so that the ATLAS code can be
-  #   used to inside of shared libraries, like Octave does.
-  #
   # * -t 0 disables use of multi-threading. It's not quite clear what the
   #   consequences of that setting are and whether it's necessary or not.
   configureFlags = [
     "-Fa alg"
-    "-fPIC"
     "-t ${threads}"
     cpuConfig
   ] ++ optional shared "--shared"
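Review bot: Removing `"-fPIC"` leaves `"-Fa alg"` without its argument: as far as I know ATLAS's configure reads `-Fa <compilers> <flags>`, so `-Fa alg` would now take the next list entry, `-t ${threads}`, as the flags to append. If that reading is right, the thread setting is no longer parsed as an option and `-t` ends up on the compiler command line. Drop `"-Fa alg"` together with `"-fPIC"`, or keep the pair and accept that it is redundant with the global PIC default. The flag list continues past the end of this hunk.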
diff --git a/pkgs/development/libraries/science/math/suitesparse/default.nix b/pkgs/development/libraries/science/math/suitesparse/default.nix
index e32b8b34426..b4b9a6970ff 100644
--- a/pkgs/development/libraries/science/math/suitesparse/default.nix
+++ b/pkgs/development/libraries/science/math/suitesparse/default.nix
@@ -33,8 +33,6 @@ stdenv.mkDerivation {
     "LAPACK="
   ];
 
-  NIX_CFLAGS = "-fPIC";
-
   postInstall = ''
     # Build and install shared library
     (
diff --git a/pkgs/development/libraries/smpeg/default.nix b/pkgs/development/libraries/smpeg/default.nix
index c2473ae2c5d..49d889f8b6a 100644
--- a/pkgs/development/libraries/smpeg/default.nix
+++ b/pkgs/development/libraries/smpeg/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardening_format = false;
+
   buildInputs = [ SDL gtk mesa ];
 
   nativeBuildInputs = [ autoconf automake libtool m4 pkgconfig makeWrapper ];
diff --git a/pkgs/development/libraries/speechd/default.nix b/pkgs/development/libraries/speechd/default.nix
index 5104532ea91..d94b4159e93 100644
--- a/pkgs/development/libraries/speechd/default.nix
+++ b/pkgs/development/libraries/speechd/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ dotconf glib pkgconfig ];
 
+  hardening_format = false;
+
   meta = {
     description = "Common interface to speech synthesis";
 
diff --git a/pkgs/development/libraries/tidyp/default.nix b/pkgs/development/libraries/tidyp/default.nix
index fee74f3d6f9..818029dbb24 100644
--- a/pkgs/development/libraries/tidyp/default.nix
+++ b/pkgs/development/libraries/tidyp/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "0f5ky0ih4vap9c6j312jn73vn8m2bj69pl2yd3a5nmv35k9zmc10";
   };
 
+  hardening_format = false;
+
   meta = with stdenv.lib; {
     description = "A program that can validate your HTML, as well as modify it to be more clean and standard";
     homepage = http://tidyp.com/;
diff --git a/pkgs/development/libraries/vxl/default.nix b/pkgs/development/libraries/vxl/default.nix
index e181ade4d6c..b9f3c0e64d6 100644
--- a/pkgs/development/libraries/vxl/default.nix
+++ b/pkgs/development/libraries/vxl/default.nix
@@ -1,10 +1,12 @@
-{ stdenv, fetchurl, unzip, cmake, libtiff, expat, zlib, libpng, libjpeg }:
+{ stdenv, fetchFromGitHub, unzip, cmake, libtiff, expat, zlib, libpng, libjpeg }:
 stdenv.mkDerivation {
-  name = "vxl-1.17.0";
+  name = "vxl-1.17.0-nix1";
 
-  src = fetchurl {
-    url = mirror://sourceforge/vxl/vxl-1.17.0.zip;
-    sha256 = "1qg7i8h201pa8jljg7vph4rlxk6n5cj9f9gd1hkkmbw6fh44lsxh";
+  src = fetchFromGitHub {
+    owner = "vxl";
+    repo = "vxl";
+    rev = "777c0beb7c8b30117400f6fc9a6d63bf8cb7c67a";
+    sha256 = "0xpkwwb93ka6c3da8zjhfg9jk5ssmh9ifdh1by54sz6c7mbp55m8";
   };
 
   buildInputs = [ cmake unzip libtiff expat zlib libpng libjpeg ];
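Review bot: The source changes from the released `vxl-1.17.0.zip` to a bare GitHub revision, yet the name `vxl-1.17.0-nix1` still reads like the 1.17.0 release and nothing records why this commit was chosen or how far it is from the release. Add a comment above `rev`, e.g. `# <N> commits after 1.17.0; needed for <build fix>`, or name the package after the snapshot date so users can tell they are not getting the release tarball. `unzip` also stays in `buildInputs` although the source is no longer a zip, so it can probably be dropped (not verified against the build). The derivation continues outside the hunk.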
diff --git a/pkgs/development/libraries/wvstreams/default.nix b/pkgs/development/libraries/wvstreams/default.nix
index b879cf37a31..ecfc9b88a0e 100644
--- a/pkgs/development/libraries/wvstreams/default.nix
+++ b/pkgs/development/libraries/wvstreams/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, gcc46, fetchurl, qt4, dbus, zlib, openssl, readline, perl }:
+{ stdenv, fetchurl, qt4, dbus, zlib, openssl, readline, perl }:
 
 stdenv.mkDerivation {
   name = "wvstreams-4.6.1";
@@ -16,7 +16,7 @@ stdenv.mkDerivation {
     sed -e '1i#include <unistd.h>' -i $(find . -name '*.c' -o -name '*.cc')
   '';
 
-  buildInputs = [ gcc46 qt4 dbus zlib openssl readline perl ];
+  buildInputs = [ qt4 dbus zlib openssl readline perl ];
 
   meta = {
     description = "Network programming library in C++";
diff --git a/pkgs/development/libraries/xmlrpc-c/default.nix b/pkgs/development/libraries/xmlrpc-c/default.nix
index 56bcba8297d..0d787092a3c 100644
--- a/pkgs/development/libraries/xmlrpc-c/default.nix
+++ b/pkgs/development/libraries/xmlrpc-c/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation rec {
     (cd tools/xmlrpc && make && make install)
   '';
 
+  hardening_format = false;
+
   meta = with stdenv.lib; {
     description = "A lightweight RPC library based on XML and HTTP";
     homepage = http://xmlrpc-c.sourceforge.net/;
diff --git a/pkgs/development/libraries/zlib/default.nix b/pkgs/development/libraries/zlib/default.nix
index 7a6f480215c..2871985a082 100644
--- a/pkgs/development/libraries/zlib/default.nix
+++ b/pkgs/development/libraries/zlib/default.nix
@@ -29,10 +29,12 @@ stdenv.mkDerivation (rec {
     fi
   '';
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+    hardening_stackprotector = false;
+
   # As zlib takes part in the stdenv building, we don't want references
   # to the bootstrap-tools libgcc (as uses to happen on arm/mips)
-  NIX_CFLAGS_COMPILE = stdenv.lib.optionalString (!stdenv.isDarwin) "-static-libgcc "
-                     + stdenv.lib.optionalString (stdenv.isFreeBSD) "-fPIC";
+  NIX_CFLAGS_COMPILE = stdenv.lib.optionalString (!stdenv.isDarwin) "-static-libgcc";
 
   crossAttrs = {
     dontStrip = static;
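Review bot: The added `hardening_stackprotector = false;` is indented four spaces while its FIXME comment and every neighbouring attribute use two, which makes it look like a continuation of the preceding `postInstall` string. Re-indent it as `  hardening_stackprotector = false;`. The same hunk drops the FreeBSD-only `-fPIC` from `NIX_CFLAGS_COMPILE`; that is fine only if the default flags now supply PIC on FreeBSD too, which is not visible here and deserves a word in the commit message. The derivation continues outside the hunk.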
diff --git a/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix b/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix
index cbd38903aac..b27a6659004 100644
--- a/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix
+++ b/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix
@@ -19,20 +19,22 @@ stdenv.mkDerivation {
         sha256 = "0sd9qkvhmk9av4g1f8dsjwc309hf1g0731bhvicnjb3b3d42l1n3";
     })
   ];
-  
+
   sourceRoot = ".";
 
   nativeBuildInputs = [ texinfo ];
-  
+
   buildInputs = [ gmp mpfr libmpc zlib ];
-  
+
+  hardening_format = false;
+
   # Make sure we don't strip the libraries in lib/gcc/avr.
   stripDebugList= [ "bin" "avr/bin" "libexec" ];
-  
+
   installPhase = ''
     # important, without this gcc won't find the binutils executables
     export PATH=$PATH:$out/bin
-    
+
     # Binutils.
     pushd binutils-*/
     mkdir obj-avr
@@ -64,7 +66,7 @@ stdenv.mkDerivation {
     make install
     popd
   '';
-  
+
   meta = with stdenv.lib; {
     description = "AVR development environment including binutils, avr-gcc and avr-libc";
     # I've tried compiling the packages separately.. too much hassle. This just works. Fine.
diff --git a/pkgs/development/python-modules/wxPython/generic.nix b/pkgs/development/python-modules/wxPython/generic.nix
index 3151dbcfac3..385980b2848 100644
--- a/pkgs/development/python-modules/wxPython/generic.nix
+++ b/pkgs/development/python-modules/wxPython/generic.nix
@@ -11,6 +11,10 @@ stdenv.mkDerivation rec {
   disabled = isPy3k || isPyPy;
   doCheck = false;
 
+  sourceRoot = "wxPython-src-${version}/wxPython";
+
+  hardening_format = false;
+
   src = fetchurl {
     url = "mirror://sourceforge/wxpython/wxPython-src-${version}.tar.bz2";
     inherit sha256;
@@ -18,7 +22,6 @@ stdenv.mkDerivation rec {
 
   pythonPath = [ python setuptools ];
   buildInputs = [ python setuptools pkgconfig wxGTK (wxGTK.gtk) wrapPython ]  ++ stdenv.lib.optional openglSupport pyopengl;
-  preConfigure = "cd wxPython";
 
   installPhase = ''
     ${python.interpreter} setup.py install WXPORT=gtk2 NO_HEADERS=1 BUILD_GLCANVAS=${if openglSupport then "1" else "0"} UNICODE=1 --prefix=$out
diff --git a/pkgs/development/tools/analysis/cccc/default.nix b/pkgs/development/tools/analysis/cccc/default.nix
index c672c7964e7..a4d88f5d2ea 100644
--- a/pkgs/development/tools/analysis/cccc/default.nix
+++ b/pkgs/development/tools/analysis/cccc/default.nix
@@ -11,7 +11,11 @@ stdenv.mkDerivation {
     url = "mirror://sourceforge/${name}/${version}/${name}-${version}.tar.gz";
     sha256 = "1gsdzzisrk95kajs3gfxks3bjvfd9g680fin6a9pjrism2lyrcr7";
   };
+
+  hardening_format = false;
+
   patches = [ ./cccc.patch ];
+
   preConfigure = ''
     substituteInPlace install/install.mak --replace /usr/local/bin $out/bin
     substituteInPlace install/install.mak --replace MKDIR=mkdir "MKDIR=mkdir -p"
diff --git a/pkgs/development/tools/analysis/flow/default.nix b/pkgs/development/tools/analysis/flow/default.nix
index 938f6e9c2b9..3ed7434e4a8 100644
--- a/pkgs/development/tools/analysis/flow/default.nix
+++ b/pkgs/development/tools/analysis/flow/default.nix
@@ -3,13 +3,13 @@
 with lib;
 
 stdenv.mkDerivation rec {
-  version = "0.18.1";
+  version = "0.22.0";
   name = "flow-${version}";
   src = fetchFromGitHub {
     owner = "facebook";
     repo = "flow";
     rev = "v${version}";
-    sha256 = "00pmrk577p6ngqif4rvhwybb4gyw70vsgxcxxwj995dg4hf196s1";
+    sha256 = "1p8a5cf85ydz6g04zsvsa6sh2b4p94mj9cqj7k6llf0dsiihrv54";
   };
 
   installPhase = ''
diff --git a/pkgs/development/tools/analysis/radare/default.nix b/pkgs/development/tools/analysis/radare/default.nix
index 3c83f0e9d49..8324d899147 100644
--- a/pkgs/development/tools/analysis/radare/default.nix
+++ b/pkgs/development/tools/analysis/radare/default.nix
@@ -8,8 +8,8 @@ assert useX11 -> (gtk != null && vte != null && gtkdialog != null);
 assert rubyBindings -> ruby != null;
 assert pythonBindings -> python != null;
 
-let 
-  optional = stdenv.lib.optional;
+let
+  inherit (stdenv.lib) optional;
 in
 stdenv.mkDerivation rec {
   name = "radare-1.5.2";
@@ -19,6 +19,7 @@ stdenv.mkDerivation rec {
     sha256 = "1qdrmcnzfvfvqb27c7pknwm8jl2hqa6c4l66wzyddwlb8yjm46hd";
   };
 
+  hardening_format = false;
 
   buildInputs = [pkgconfig readline libusb perl]
     ++ optional useX11 [gtkdialog vte gtk]
diff --git a/pkgs/development/tools/analysis/valgrind/default.nix b/pkgs/development/tools/analysis/valgrind/default.nix
index b4b56be9c6d..2896f4ff271 100644
--- a/pkgs/development/tools/analysis/valgrind/default.nix
+++ b/pkgs/development/tools/analysis/valgrind/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation rec {
 
   outputs = [ "out" "doc" ];
 
+  hardening_stackprotector = false;
+
   # Perl is needed for `cg_annotate'.
   # GDB is needed to provide a sane default for `--db-command'.
   nativeBuildInputs = [ perl ];
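Review bot: `hardening_stackprotector = false;` carries no reason here, unlike the bootstrap packages in this commit, which at least get a FIXME. If the cause is that parts of valgrind are built freestanding and cannot link the stack-protector runtime (my assumption, not visible in the hunk), say so with something like `# tool code is built without libc, so __stack_chk_fail is unavailable`. The criu, dietlibc, klibc and kernel manual-config hunks disable the same flag without explanation and should get the same one-line justification.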
diff --git a/pkgs/development/tools/boost-build/default.nix b/pkgs/development/tools/boost-build/default.nix
index 723219336bb..aa590543e00 100644
--- a/pkgs/development/tools/boost-build/default.nix
+++ b/pkgs/development/tools/boost-build/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "10sbbkx2752r4i1yshyp47nw29lyi1p34sy6hj7ivvnddiliayca";
   };
 
+  hardening_format = false;
+
   patchPhase = ''
     grep -r '/usr/share/boost-build' \
       | awk '{split($0,a,":"); print a[1];}' \
diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix
index 86d69d8da8c..78adfe48751 100644
--- a/pkgs/development/tools/misc/binutils/default.nix
+++ b/pkgs/development/tools/misc/binutils/default.nix
@@ -39,6 +39,9 @@ stdenv.mkDerivation rec {
 
   inherit noSysDirs;
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardening_stackprotector = false;
+
   preConfigure = ''
     # Clear the default library search path.
     if test "$noSysDirs" = "1"; then
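Review bot: The comment `# FIXME needs gcc 4.9 in bootstrap tools` is copied verbatim into this hunk and into the gnum4, patchelf, texinfo, bison, kernel-headers 3.18 and paxctl hunks, with nothing tying the copies together. Once the bootstrap tools are updated, each copy has to be found by hand, and any that is missed leaves stack protection off indefinitely. I would make the marker greppable and point it at one tracking item, e.g. `# FIXME(<tracking-issue>): re-enable once bootstrap tools ship gcc >= 4.9`. The preConfigure body continues outside the hunk.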
diff --git a/pkgs/development/tools/misc/elfutils/default.nix b/pkgs/development/tools/misc/elfutils/default.nix
index 0a62859d207..464ad791095 100644
--- a/pkgs/development/tools/misc/elfutils/default.nix
+++ b/pkgs/development/tools/misc/elfutils/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   patches = [ ./glibc-2.21.patch ];
 
+  hardening_format = false;
+
   # We need bzip2 in NativeInputs because otherwise we can't unpack the src,
   # as the host-bzip2 will be in the path.
   nativeBuildInputs = [ m4 bison flex gettext bzip2 ];
diff --git a/pkgs/development/tools/misc/gnum4/default.nix b/pkgs/development/tools/misc/gnum4/default.nix
index 7216e1e169d..e610858838d 100644
--- a/pkgs/development/tools/misc/gnum4/default.nix
+++ b/pkgs/development/tools/misc/gnum4/default.nix
@@ -18,6 +18,9 @@ stdenv.mkDerivation rec {
   # Upstream is aware of it; it may be in the next release.
   patches = [ ./s_isdir.patch ];
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardening_stackprotector = false;
+
   meta = {
     homepage = http://www.gnu.org/software/m4/;
     description = "GNU M4, a macro processor";
diff --git a/pkgs/development/tools/misc/patchelf/default.nix b/pkgs/development/tools/misc/patchelf/default.nix
index 5aa81e46bed..91658a5d4d9 100644
--- a/pkgs/development/tools/misc/patchelf/default.nix
+++ b/pkgs/development/tools/misc/patchelf/default.nix
@@ -10,6 +10,9 @@ stdenv.mkDerivation rec {
 
   setupHook = [ ./setup-hook.sh ];
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardening_stackprotector = false;
+
   meta = {
     homepage = http://nixos.org/patchelf.html;
     license = "GPL";
diff --git a/pkgs/development/tools/misc/texinfo/6.0.nix b/pkgs/development/tools/misc/texinfo/6.0.nix
index 507ca22cd1a..786998c6af7 100644
--- a/pkgs/development/tools/misc/texinfo/6.0.nix
+++ b/pkgs/development/tools/misc/texinfo/6.0.nix
@@ -17,6 +17,9 @@ stdenv.mkDerivation rec {
 
   configureFlags = stdenv.lib.optional stdenv.isSunOS "AWK=${gawk}/bin/awk";
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardening_stackprotector = false;
+
   preInstall = ''
     installFlags="TEXMF=$out/texmf-dist";
     installTargets="install install-tex";
diff --git a/pkgs/development/tools/omniorb/default.nix b/pkgs/development/tools/omniorb/default.nix
index 0fe4b191e50..192e0585217 100644
--- a/pkgs/development/tools/omniorb/default.nix
+++ b/pkgs/development/tools/omniorb/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ python ];
 
+  hardening_format = false;
+
   meta = with stdenv.lib; {
     description = "omniORB is a robust high performance CORBA ORB for C++ and Python. It is freely available under the terms of the GNU Lesser General Public License (for the libraries), and GNU General Public License (for the tools). omniORB is largely CORBA 2.6 compliant";
     homepage    = "http://omniorb.sourceforge.net/";
diff --git a/pkgs/development/tools/parsing/bison/3.x.nix b/pkgs/development/tools/parsing/bison/3.x.nix
index ee007414017..0062bc36561 100644
--- a/pkgs/development/tools/parsing/bison/3.x.nix
+++ b/pkgs/development/tools/parsing/bison/3.x.nix
@@ -11,6 +11,9 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ m4 perl ] ++ stdenv.lib.optional stdenv.isSunOS help2man;
   propagatedBuildInputs = [ m4 ];
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardening_stackprotector = false;
+
   meta = {
     homepage = "http://www.gnu.org/software/bison/";
     description = "Yacc-compatible parser generator";
diff --git a/pkgs/development/tools/toluapp/default.nix b/pkgs/development/tools/toluapp/default.nix
index 73a8b64ed22..69dfa0280e5 100644
--- a/pkgs/development/tools/toluapp/default.nix
+++ b/pkgs/development/tools/toluapp/default.nix
@@ -20,8 +20,6 @@ stdenv.mkDerivation rec {
       --replace /usr/local $out
   '';
 
-  NIX_CFLAGS_COMPILE = "-fPIC";
-
   buildPhase = ''scons'';
 
   installPhase = ''scons install'';
diff --git a/pkgs/games/asc/default.nix b/pkgs/games/asc/default.nix
index b2f251bfecb..82d4748a979 100644
--- a/pkgs/games/asc/default.nix
+++ b/pkgs/games/asc/default.nix
@@ -13,6 +13,7 @@ stdenv.mkDerivation rec {
   configureFlags = [ "--disable-paragui" "--disable-paraguitest" ];
 
   NIX_CFLAGS_COMPILE = "-fpermissive"; # I'm too lazy to catch all gcc47-related problems
+  hardening_format = false;
 
   buildInputs = [
     SDL SDL_image SDL_mixer SDL_sound libsigcxx physfs boost expat
diff --git a/pkgs/games/bsdgames/default.nix b/pkgs/games/bsdgames/default.nix
index 0709692552c..6e138511d03 100644
--- a/pkgs/games/bsdgames/default.nix
+++ b/pkgs/games/bsdgames/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation {
     })
   ];
 
+  hardening_format = false;
+
   preConfigure = ''
     cat > config.params << EOF
     bsd_games_cfg_man6dir=$out/share/man/man6
diff --git a/pkgs/games/crack-attack/default.nix b/pkgs/games/crack-attack/default.nix
index 538efebf833..9a4b1d04916 100644
--- a/pkgs/games/crack-attack/default.nix
+++ b/pkgs/games/crack-attack/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ pkgconfig gtk freeglut SDL mesa libXi libXmu ];
 
+  hardening_format = false;
+
   meta = {
     description = "A fast-paced puzzle game inspired by the classic Super NES title Tetris Attack!";
     homepage = http://www.nongnu.org/crack-attack/;
diff --git a/pkgs/games/lincity/ng.nix b/pkgs/games/lincity/ng.nix
index 8807831ef01..0c3fc7055b7 100644
--- a/pkgs/games/lincity/ng.nix
+++ b/pkgs/games/lincity/ng.nix
@@ -15,13 +15,15 @@ let s = # Generated upstream information
   };
   buildInputs = [zlib jam pkgconfig gettext libxml2 libxslt xproto libX11 mesa 
     SDL SDL_mixer SDL_image SDL_ttf SDL_gfx physfs];
-in 
+in
 stdenv.mkDerivation rec {
   inherit (s) name version;
   src = fetchurl {
     inherit (s) url sha256;
   };
 
+  hardening_format = false;
+
   inherit buildInputs;
 
   buildPhase = "jam";
diff --git a/pkgs/games/liquidwar/default.nix b/pkgs/games/liquidwar/default.nix
index ce346459201..d374ed85b2d 100644
--- a/pkgs/games/liquidwar/default.nix
+++ b/pkgs/games/liquidwar/default.nix
@@ -24,6 +24,8 @@ stdenv.mkDerivation rec {
     libXrender libcaca cunit
   ];
 
+  hardening_format = false;
+
   # To avoid problems finding SDL_types.h.
   configureFlags = [ "CFLAGS=-I${SDL}/include/SDL" ];
 
diff --git a/pkgs/games/pioneers/default.nix b/pkgs/games/pioneers/default.nix
index af9900cede5..41780dd64f6 100644
--- a/pkgs/games/pioneers/default.nix
+++ b/pkgs/games/pioneers/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ gtk pkgconfig intltool ];
 
+  hardening_format = false;
+
   meta = {
     homepage = http://pio.sourceforge.net/;
     license = stdenv.lib.licenses.gpl2Plus;
diff --git a/pkgs/games/stardust/default.nix b/pkgs/games/stardust/default.nix
index aa68da6b73d..94da81533c1 100644
--- a/pkgs/games/stardust/default.nix
+++ b/pkgs/games/stardust/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation rec {
 
   installFlags = [ "bindir=\${out}/bin" ];
 
+  hardening_format = false;
+
   postConfigure = ''
     substituteInPlace config.h \
       --replace '#define PACKAGE ""' '#define PACKAGE "stardust"'
diff --git a/pkgs/games/torcs/default.nix b/pkgs/games/torcs/default.nix
index e6370d6e7c6..fd320a32180 100644
--- a/pkgs/games/torcs/default.nix
+++ b/pkgs/games/torcs/default.nix
@@ -21,6 +21,8 @@ stdenv.mkDerivation rec {
 
   installTargets = "install datainstall";
 
+  hardening_format = false;
+
   meta = {
     description = "Car racing game";
     homepage = http://torcs.sourceforge.net/;
diff --git a/pkgs/games/xconq/default.nix b/pkgs/games/xconq/default.nix
index 53c3ec7dec8..cace72b5aac 100644
--- a/pkgs/games/xconq/default.nix
+++ b/pkgs/games/xconq/default.nix
@@ -3,9 +3,9 @@
 
 stdenv.mkDerivation rec {
   name = "${baseName}-${version}";
-  baseName="xconq";
+  baseName = "xconq";
   version = "7.5.0-0pre.0.20050612";
-  
+
   src = fetchurl {
     url = "mirror://sourceforge/project/${baseName}/${baseName}/${name}/${name}.tar.gz";
     sha256 = "1za78yx57mgwcmmi33wx3533yz1x093dnqis8q2qmqivxav51lca";
@@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
     "--with-tkconfig=${tk}/lib"
   ];
 
+  hardening_format = false;
+
   patchPhase = ''
     # Fix Makefiles
     find . -name 'Makefile.in' -exec sed -re 's@^        ( *)(cd|[&][&])@	\1\2@' -i '{}' ';'
diff --git a/pkgs/games/xpilot/bloodspilot-server.nix b/pkgs/games/xpilot/bloodspilot-server.nix
index 3c811f1ba2e..42bcb326316 100644
--- a/pkgs/games/xpilot/bloodspilot-server.nix
+++ b/pkgs/games/xpilot/bloodspilot-server.nix
@@ -1,23 +1,27 @@
-{stdenv, fetchurl, expat}:
-let
-  buildInputs = [
-    expat
-  ];
-in
+{ stdenv, fetchurl, expat }:
+
 stdenv.mkDerivation rec {
-  version = "1.4.6";
   name = "bloodspilot-xpilot-fxi-server-${version}";
-  inherit buildInputs;
+  version = "1.4.6";
+
   src = fetchurl {
     url = "mirror://sourceforge/project/bloodspilot/server/server%20v${version}/xpilot-${version}fxi.tar.gz";
     sha256 = "0d7hnpshifq6gy9a0g6il6h1hgqqjyys36n8w84hr8d4nhg4d1ji";
   };
-  meta = {
-    inherit version;
-    description = ''A multiplayer X11 space combat game (server part)'';
-    homepage = "http://bloodspilot.sf.net/";
-    license = stdenv.lib.licenses.gpl2Plus ;
-    maintainers = [stdenv.lib.maintainers.raskin];
-    platforms = stdenv.lib.platforms.linux;
+
+  buildInputs = [
+    expat
+  ];
+
+  patches = [
+    ./server-gcc5.patch
+  ];
+
+  meta = with stdenv.lib; {
+    description = "A multiplayer X11 space combat game (server part)";
+    homepage = http://bloodspilot.sf.net/;
+    license = licenses.gpl2Plus ;
+    maintainers = [ maintainers.raskin ];
+    platforms = platforms.linux;
   };
 }
diff --git a/pkgs/games/xpilot/server-gcc5.patch b/pkgs/games/xpilot/server-gcc5.patch
new file mode 100644
index 00000000000..5618399bfec
--- /dev/null
+++ b/pkgs/games/xpilot/server-gcc5.patch
@@ -0,0 +1,65 @@
+--- xpilot-1.4.6fxi/src/common/net.c	2016-02-09 00:20:43.531714342 +0000
++++ xpilot-1.4.6fxi/src/common/net.c	2016-02-09 00:21:15.301331053 +0000
+@@ -608,9 +608,9 @@
+ }
+ 
+ #if STDVA
+-inline int32_t Packet_scanf(sockbuf_t *sbuf, const char *fmt, ...)
++extern int32_t Packet_scanf(sockbuf_t *sbuf, const char *fmt, ...)
+ #else
+-inline int32_t Packet_scanf(va_alist)
++extern int32_t Packet_scanf(va_alist)
+ va_dcl
+ #endif
+ {
+--- xpilot-1.4.6fxi/src/server/collision.c	2016-02-09 00:22:29.581784405 +0000
++++ xpilot-1.4.6fxi/src/server/collision.c	2016-02-09 00:22:38.152952500 +0000
+@@ -71,7 +71,7 @@
+  * p: first object, q: second object
+  */
+ 
+-inline int32_t Collision_occured(int32_t p1x, int32_t p1y, int32_t p2x, int32_t p2y,
++extern int32_t Collision_occured(int32_t p1x, int32_t p1y, int32_t p2x, int32_t p2y,
+ 		int32_t q1x, int32_t q1y, int32_t q2x, int32_t q2y, int32_t r)
+ {
+ 	int32_t fac1, fac2;	/* contraction between the distance between the x and y coordinates of objects */
+--- xpilot-1.4.6fxi/src/server/player.c	2016-02-09 00:25:29.546313808 +0000
++++ xpilot-1.4.6fxi/src/server/player.c	2016-02-09 00:25:40.464527932 +0000
+@@ -1411,12 +1411,12 @@
+ 	return NULL;
+ }
+ 
+-inline bool Player_idle_timed_out(player_t *pl)
++extern bool Player_idle_timed_out(player_t *pl)
+ {
+ 	return (frame_loops - pl->frame_last_busy > MAX_PLAYER_IDLE_TICKS && (NumPlayers > 1)) ? true : false;
+ }
+ 
+-inline bool Player_is_recovered(player_t *pl)
++extern bool Player_is_recovered(player_t *pl)
+ {
+ 	return (pl->recovery_count <= 0.0) ? true : false;
+ }
+--- xpilot-1.4.6fxi/src/server/score.c	2016-02-09 00:21:45.659923025 +0000
++++ xpilot-1.4.6fxi/src/server/score.c	2016-02-09 00:22:07.224345939 +0000
+@@ -24,17 +24,17 @@
+ char msg[MSG_LEN];
+ 
+ 
+-inline double Get_Score(player_t *pl)
++extern double Get_Score(player_t *pl)
+ {
+     return pl->score;
+ }
+ 
+-inline void Score_set(player_t * pl, double score)
++extern void Score_set(player_t * pl, double score)
+ {
+     pl->score = score;
+ }
+ 
+-inline void Score_add(player_t * pl, double score)
++extern void Score_add(player_t * pl, double score)
+ {
+     pl->score += score;
+ }
diff --git a/pkgs/games/zandronum/default.nix b/pkgs/games/zandronum/default.nix
index 27ba69ad82b..fa4c17649ac 100644
--- a/pkgs/games/zandronum/default.nix
+++ b/pkgs/games/zandronum/default.nix
@@ -33,6 +33,8 @@ in stdenv.mkDerivation {
 
   enableParallelBuilding = true;
 
+  hardening_format = false;
+
   installPhase = ''
     mkdir -p $out/bin
     mkdir -p $out/share/zandronum
diff --git a/pkgs/misc/emulators/dosbox/default.nix b/pkgs/misc/emulators/dosbox/default.nix
index 2525cafc28b..bbaa565e352 100644
--- a/pkgs/misc/emulators/dosbox/default.nix
+++ b/pkgs/misc/emulators/dosbox/default.nix
@@ -2,7 +2,7 @@
 
 stdenv.mkDerivation rec { 
   name = "dosbox-0.74";
-  
+
   src = fetchurl {
     url = "mirror://sourceforge/dosbox/${name}.tar.gz";
     sha256 = "01cfjc5bs08m4w79nbxyv7rnvzq2yckmgrbq36njn06lw8b4kxqk";
@@ -17,9 +17,11 @@ stdenv.mkDerivation rec {
     ];
 
   patchFlags = "-p0";
-  
+
   buildInputs = [ SDL ];
-    
+
+  hardening_format = false;
+
   desktopItem = makeDesktopItem {
     name = "dosbox";
     exec = "dosbox";
diff --git a/pkgs/misc/emulators/mupen64plus/default.nix b/pkgs/misc/emulators/mupen64plus/default.nix
index 571e14347b4..dc3c1412856 100644
--- a/pkgs/misc/emulators/mupen64plus/default.nix
+++ b/pkgs/misc/emulators/mupen64plus/default.nix
@@ -6,9 +6,11 @@ stdenv.mkDerivation {
     url = http://mupen64plus.googlecode.com/files/Mupen64Plus-1-5-src.tar.gz;
     sha256 = "0gygfgyr2sg4yx77ijk133d1ra0v1yxi4xjxrg6kp3zdjmhdmcjq";
   };
-  
+
   buildInputs = [ which pkgconfig SDL gtk mesa SDL_ttf ];
-  
+
+  hardening_format = false;
+
   preConfigure = ''
     # Some C++ incompatibility fixes
     sed -i -e 's|char \* extstr = strstr|const char * extstr = strstr|' glide64/Main.cpp
@@ -20,10 +22,10 @@ stdenv.mkDerivation {
     # Remove PATH environment variable from install script
     sed -i -e "s|export PATH=|#export PATH=|" ./install.sh
   '';
-  
+
   buildPhase = "make all";
   installPhase = "PREFIX=$out make install";
-  
+
   meta = {
     description = "A Nintendo 64 Emulator";
     license = stdenv.lib.licenses.gpl2Plus;
diff --git a/pkgs/misc/emulators/nestopia/default.nix b/pkgs/misc/emulators/nestopia/default.nix
index fc64caf1053..3ed455bd350 100644
--- a/pkgs/misc/emulators/nestopia/default.nix
+++ b/pkgs/misc/emulators/nestopia/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
   # nondeterministic failures when creating directories
   enableParallelBuilding = false;
 
+  hardening_format = false;
+
   buildInputs = [ pkgconfig SDL2 alsaLib gtk3 mesa_glu mesa makeWrapper
                   libarchive libao unzip xdg_utils gsettings_desktop_schemas ];
 
diff --git a/pkgs/misc/emulators/uae/default.nix b/pkgs/misc/emulators/uae/default.nix
index f877eff5c64..54620699f2d 100644
--- a/pkgs/misc/emulators/uae/default.nix
+++ b/pkgs/misc/emulators/uae/default.nix
@@ -2,13 +2,18 @@
 
 stdenv.mkDerivation rec {
   name = "uae-0.8.29";
+
   src = fetchurl {
     url = "http://web.archive.org/web/20130905032631/http://www.amigaemulator.org/files/sources/develop/${name}.tar.bz2";
     sha256 = "05s3cd1rd5a970s938qf4c2xm3l7f54g5iaqw56v8smk355m4qr4";
   };
+
   configureFlags = [ "--with-sdl" "--with-sdl-sound" "--with-sdl-gfx" "--with-alsa" ];
+
   buildInputs = [ pkgconfig gtk alsaLib SDL ];
-  
+
+  hardening_format = false;
+
   meta = {
     description = "Ultimate/Unix/Unusable Amiga Emulator";
     license = stdenv.lib.licenses.gpl2Plus;
diff --git a/pkgs/misc/mxt-app/default.nix b/pkgs/misc/mxt-app/default.nix
index cfcba8a3a8b..e1db07bfff2 100644
--- a/pkgs/misc/mxt-app/default.nix
+++ b/pkgs/misc/mxt-app/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation rec{
   buildInputs = [ autoconf automake libtool ];
   preConfigure = "./autogen.sh";
 
+  hardening_fortify = false;
+
   meta = with stdenv.lib; {
     description = "Command line utility for Atmel maXTouch devices";
     homepage = http://github.com/atmel-maxtouch/mxt-app;
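Review bot: `hardening_fortify = false;` removes the `_FORTIFY_SOURCE` checks for this package without saying what failed with them enabled. A reader cannot tell whether the build broke on a warning or a fortified call aborted at run time. The second case would point at a real buffer handling bug upstream, which should be fixed rather than masked. Please record the observed failure, e.g. `# fortify off: <build error or runtime abort seen with it on>`. The disk-indicator hunk adds the same line next to `-Wno-error=cpp`, which suggests a fortify `#warning` there, but that is a guess and should be written down as well.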
diff --git a/pkgs/os-specific/linux/acpi-call/default.nix b/pkgs/os-specific/linux/acpi-call/default.nix
index 289b54f1b54..05a5549fae2 100644
--- a/pkgs/os-specific/linux/acpi-call/default.nix
+++ b/pkgs/os-specific/linux/acpi-call/default.nix
@@ -8,7 +8,9 @@ stdenv.mkDerivation {
     rev = "ac67445bc75ec4fcf46ceb195fb84d74ad350d51";
     sha256 = "0jl19irz9x9pxab2qp4z8c3jijv2m30zhmnzi6ygbrisqqlg4c75";
   };
-  
+
+  hardening_pic = false;
+
   preBuild = ''
     sed -e 's/break/true/' -i examples/turn_off_gpu.sh
     sed -e 's@/bin/bash@.bin/sh@' -i examples/turn_off_gpu.sh
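Review bot: `hardening_pic = false;` is set per package here and again in the batman-adv, bbswitch, blcr, facetimehd, jool, lttng-modules and netatop hunks, all of which build out-of-tree kernel modules. The reason is presumably that kernel code cannot be compiled with the wrapper's `-fPIC`, which is a property of the build type rather than of each package. A new module package added later will hit the same failure with no hint in the tree. I would add `# kernel modules must not be built with -fPIC` above each line. Better still, if the modules share a common build helper (not visible from this diff), set the flag once there. The preBuild body continues outside the hunk.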
diff --git a/pkgs/os-specific/linux/batman-adv/default.nix b/pkgs/os-specific/linux/batman-adv/default.nix
index b8bef1b5a9a..41c4f48ddb8 100644
--- a/pkgs/os-specific/linux/batman-adv/default.nix
+++ b/pkgs/os-specific/linux/batman-adv/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
     sha256 = "0r5faf12ifpj8h1fklkzvy4ck359cadk8xh1l3n7vimh67hxbxbz";
   };
 
+  hardening_pic = false;
+
   preBuild = ''
     makeFlags="KERNELPATH=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
     sed -i -e "s,INSTALL_MOD_DIR=,INSTALL_MOD_PATH=$out INSTALL_MOD_DIR=," \
diff --git a/pkgs/os-specific/linux/bbswitch/default.nix b/pkgs/os-specific/linux/bbswitch/default.nix
index ec1e5f2e20b..2c91bfbd10f 100644
--- a/pkgs/os-specific/linux/bbswitch/default.nix
+++ b/pkgs/os-specific/linux/bbswitch/default.nix
@@ -20,6 +20,8 @@ stdenv.mkDerivation {
     sha256 = "1lbr6pyyby4k9rn2ry5qc38kc738d0442jhhq57vmdjb6hxjya7m";
   }) ];
 
+  hardening_pic = false;
+
   preBuild = ''
     substituteInPlace Makefile \
       --replace "\$(shell uname -r)" "${kernel.modDirVersion}" \
diff --git a/pkgs/os-specific/linux/blcr/default.nix b/pkgs/os-specific/linux/blcr/default.nix
index bc7523858fe..78a576234ac 100644
--- a/pkgs/os-specific/linux/blcr/default.nix
+++ b/pkgs/os-specific/linux/blcr/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ perl makeWrapper ];
 
+  hardening_pic = false;
+
   preConfigure = ''
     configureFlagsArray=(
       --with-linux=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build
@@ -33,7 +35,7 @@ stdenv.mkDerivation {
       wrapProgram "$prog" --prefix LD_LIBRARY_PATH ":" "$out/lib"
     done
   '';
-      
+
   meta = {
     description = "Berkeley Lab Checkpoint/Restart for Linux (BLCR)";
     homepage = https://ftg.lbl.gov/projects/CheckpointRestart/;
diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index fa6591701a6..cc3cfe2465d 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -33,6 +33,8 @@ stdenv.mkDerivation rec {
     sha256 = "16ii9sqracvh2r1gfzhmlypl269nnbkpvrwa7270k35d3bigk9h5";
   };
 
+  hardening_format = false;
+
   patches = [ ./busybox-in-store.patch ];
 
   configurePhase = ''
diff --git a/pkgs/os-specific/linux/checksec/default.nix b/pkgs/os-specific/linux/checksec/default.nix
index b423dc3a086..5752bbb72bc 100644
--- a/pkgs/os-specific/linux/checksec/default.nix
+++ b/pkgs/os-specific/linux/checksec/default.nix
@@ -3,6 +3,7 @@
 stdenv.mkDerivation rec {
   name = "checksec-${version}";
   version = "1.5";
+
   src = fetchurl {
     url    = "http://www.trapkit.de/tools/checksec.sh";
     sha256 = "0iq9v568mk7g7ksa1939g5f5sx7ffq8s8n2ncvphvlckjgysgf3p";
@@ -11,9 +12,9 @@ stdenv.mkDerivation rec {
   patches = [ ./0001-attempt-to-modprobe-config-before-checking-kernel.patch ];
 
   unpackPhase = ''
-    mkdir ${name}-${version}
-    cp $src ${name}-${version}/checksec.sh
-    cd ${name}-${version}
+    mkdir ${name}
+    cp $src ${name}/checksec.sh
+    cd ${name}
   '';
 
   installPhase = ''
@@ -32,8 +33,6 @@ stdenv.mkDerivation rec {
     substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -"
   '';
 
-  phases = "unpackPhase patchPhase installPhase";
-
   meta = {
     description = "A tool for checking security bits on executables";
     homepage    = "http://www.trapkit.de/tools/checksec.html";
diff --git a/pkgs/os-specific/linux/criu/default.nix b/pkgs/os-specific/linux/criu/default.nix
index 433cc2c81d7..aacdfc496ee 100644
--- a/pkgs/os-specific/linux/criu/default.nix
+++ b/pkgs/os-specific/linux/criu/default.nix
@@ -21,7 +21,9 @@ stdenv.mkDerivation rec {
   '';
 
   configurePhase = "make config PREFIX=$out";
-  buildPhase     = "make PREFIX=$out";
+
+  makeFlags = "PREFIX=$(out)";
+  hardening_stackprotector = false;
 
   installPhase = ''
     mkdir -p $out/etc/logrotate.d
diff --git a/pkgs/os-specific/linux/dietlibc/default.nix b/pkgs/os-specific/linux/dietlibc/default.nix
index d98bfb96735..09d7651c249 100644
--- a/pkgs/os-specific/linux/dietlibc/default.nix
+++ b/pkgs/os-specific/linux/dietlibc/default.nix
@@ -9,9 +9,10 @@ stdenv.mkDerivation {
     md5 = "2465d652fff6f1fad3da3b98e60e83c9";
   };
   builder = ./builder.sh;
-  
+
   inherit glibc;
   kernelHeaders = glibc.linuxHeaders;
+  hardening_stackprotector = false;
 
   patches = [
 
diff --git a/pkgs/os-specific/linux/disk-indicator/default.nix b/pkgs/os-specific/linux/disk-indicator/default.nix
index 406492db236..8eba742ebfb 100644
--- a/pkgs/os-specific/linux/disk-indicator/default.nix
+++ b/pkgs/os-specific/linux/disk-indicator/default.nix
@@ -19,6 +19,7 @@ stdenv.mkDerivation {
   buildPhase = "make -f makefile";
 
   NIX_CFLAGS_COMPILE = "-Wno-error=cpp";
+  hardening_fortify = false;
 
   installPhase = ''
     mkdir -p "$out/bin"
diff --git a/pkgs/os-specific/linux/dmraid/default.nix b/pkgs/os-specific/linux/dmraid/default.nix
index 9e7e2a6bb8e..9412747d6bc 100644
--- a/pkgs/os-specific/linux/dmraid/default.nix
+++ b/pkgs/os-specific/linux/dmraid/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "0m92971gyqp61darxbiri6a48jz3wq3gkp8r2k39320z0i6w8jgq";
   };
 
+  patches = [ ./hardening-format.patch ];
+
   postPatch = ''
     sed -i 's/\[\[[^]]*\]\]/[ "''$''${n##*.}" = "so" ]/' */lib/Makefile.in
   '';
diff --git a/pkgs/os-specific/linux/dmraid/hardening-format.patch b/pkgs/os-specific/linux/dmraid/hardening-format.patch
new file mode 100644
index 00000000000..f91a7fb18aa
--- /dev/null
+++ b/pkgs/os-specific/linux/dmraid/hardening-format.patch
@@ -0,0 +1,18 @@
+--- a/1.0.0.rc16/lib/events/libdmraid-events-isw.c	2016-01-29 05:16:57.455425454 +0000
++++ b/1.0.0.rc16/lib/events/libdmraid-events-isw.c	2016-01-29 05:17:55.520564013 +0000
+@@ -838,13 +838,13 @@
+ 
+ 	sz = _log_all_devs(log_type, rs, NULL, 0);
+ 	if (!sz) {
+-		syslog(LOG_ERR, msg[0]);
++		syslog(LOG_ERR, "%s", msg[0]);
+ 		return;
+ 	}
+ 
+ 	str = dm_malloc(++sz);
+ 	if (!str) {
+-		syslog(LOG_ERR, msg[1]);
++		syslog(LOG_ERR, "%s", msg[1]);
+ 		return;
+ 	}
+ 
diff --git a/pkgs/os-specific/linux/facetimehd/default.nix b/pkgs/os-specific/linux/facetimehd/default.nix
index 06e6abfe417..48494bd6b18 100644
--- a/pkgs/os-specific/linux/facetimehd/default.nix
+++ b/pkgs/os-specific/linux/facetimehd/default.nix
@@ -4,7 +4,6 @@
 assert stdenv.lib.versionAtLeast kernel.version "3.19";
 
 stdenv.mkDerivation rec {
-
   name = "facetimehd-${version}-${kernel.version}";
   version = "git-20160127";
 
@@ -19,6 +18,8 @@ stdenv.mkDerivation rec {
     export INSTALL_MOD_PATH="$out"
   '';
 
+  hardening_pic = false;
+
   makeFlags = [
     "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
   ];
@@ -30,5 +31,4 @@ stdenv.mkDerivation rec {
     maintainers = [ maintainers.womfoo ];
     platforms = platforms.linux;
   };
-
 }
diff --git a/pkgs/os-specific/linux/gogoclient/default.nix b/pkgs/os-specific/linux/gogoclient/default.nix
index a627a8cbcc9..93c334b9593 100644
--- a/pkgs/os-specific/linux/gogoclient/default.nix
+++ b/pkgs/os-specific/linux/gogoclient/default.nix
@@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
   makeFlags = ["target=linux"];
   installFlags = ["installdir=$(out)"];
 
+  hardening_format = false;
+
   buildInputs = [openssl];
 
   preFixup = ''
diff --git a/pkgs/os-specific/linux/ifenslave/default.nix b/pkgs/os-specific/linux/ifenslave/default.nix
index d8985003b41..a5cd2411819 100644
--- a/pkgs/os-specific/linux/ifenslave/default.nix
+++ b/pkgs/os-specific/linux/ifenslave/default.nix
@@ -18,6 +18,8 @@ stdenv.mkDerivation rec {
     cp -a ifenslave $out/bin
   '';
 
+  hardening_format = false;
+
   meta = {
     description = "Utility for enslaving networking interfaces under a bond";
     license = stdenv.lib.licenses.gpl2;
diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix
index fdb2f041a65..7c956e3c244 100644
--- a/pkgs/os-specific/linux/jool/default.nix
+++ b/pkgs/os-specific/linux/jool/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation {
 
   src = sourceAttrs.src;
 
+  hardening_pic = false;
+
   prePatch = ''
     sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i mod/*/Makefile
   '';
diff --git a/pkgs/os-specific/linux/kernel-headers/3.18.nix b/pkgs/os-specific/linux/kernel-headers/3.18.nix
index 0cc38a0548c..be54d7a4e6a 100644
--- a/pkgs/os-specific/linux/kernel-headers/3.18.nix
+++ b/pkgs/os-specific/linux/kernel-headers/3.18.nix
@@ -34,6 +34,9 @@ stdenv.mkDerivation {
 
   buildInputs = [perl];
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardening_stackprotector = false;
+
   extraIncludeDirs =
     if cross != null then
         (if cross.arch == "powerpc" then ["ppc"] else [])
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index 238b7ecd242..5a22b5e2432 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -225,10 +225,16 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe
   nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null)
     (ubootChooser stdenv.platform.uboot);
 
+  hardening_format = false;
+  hardening_fortify = false;
+  hardening_stackprotector = false;
+
   makeFlags = commonMakeFlags ++ [
     "ARCH=${stdenv.platform.kernelArch}"
   ];
 
+  hardening_pic = false;
+
   karch = stdenv.platform.kernelArch;
 
   crossAttrs = let cp = stdenv.cross.platform; in
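Review bot: All four hardening flags are switched off for the kernel build, but `hardening_pic = false;` sits apart from the other three, after `makeFlags`, and none of them has a comment. Someone scanning the file can easily miss the fourth, and nobody can tell whether the opt-outs are deliberate. Presumably they are, since the kernel's own build system selects its compiler flags (my assumption). I would group them into one block under `# the kernel build sets its own flags; wrapper-injected hardening flags conflict with them`. If any of them was disabled only to get the build through rather than out of necessity, that should be noted so it can be revisited.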
diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix
index 2199524154d..98593ea85a9 100644
--- a/pkgs/os-specific/linux/kexectools/default.nix
+++ b/pkgs/os-specific/linux/kexectools/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
     sha256 = "1qrfka9xvy77k0rg3k0cf7xai0f9vpgsbs4l3bs8r4nvzy37j2di";
   };
 
+  hardening_format = false;
+
   buildInputs = [ zlib ];
 
   meta = with stdenv.lib; {
diff --git a/pkgs/os-specific/linux/klibc/default.nix b/pkgs/os-specific/linux/klibc/default.nix
index b948dbff2c1..b05b0dc4463 100644
--- a/pkgs/os-specific/linux/klibc/default.nix
+++ b/pkgs/os-specific/linux/klibc/default.nix
@@ -21,6 +21,9 @@ stdenv.mkDerivation {
 
   nativeBuildInputs = [ perl ];
 
+  hardening_format = false;
+  hardening_stackprotector = false;
+
   makeFlags = commonMakeFlags ++ [
     "KLIBCARCH=${stdenv.platform.kernelArch}"
     "KLIBCKERNELSRC=${kernelHeaders}"
diff --git a/pkgs/os-specific/linux/ldm/default.nix b/pkgs/os-specific/linux/ldm/default.nix
index c5e94ed81e9..5332fc0bf3d 100644
--- a/pkgs/os-specific/linux/ldm/default.nix
+++ b/pkgs/os-specific/linux/ldm/default.nix
@@ -19,12 +19,13 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ udev utillinux ];
 
-  preBuild = ''
+  postPatch = ''
+    sed -i '1i#include <sys/stat.h>' ldm.c
     substituteInPlace ldm.c \
       --replace "/mnt/" "${mountPath}"
   '';
 
-  buildPhase = "make ldm";
+  buildFlags = "ldm";
 
   installPhase = ''
     mkdir -p $out/bin
diff --git a/pkgs/os-specific/linux/lttng-modules/default.nix b/pkgs/os-specific/linux/lttng-modules/default.nix
index dc21176fa3c..f6a5e30afa0 100644
--- a/pkgs/os-specific/linux/lttng-modules/default.nix
+++ b/pkgs/os-specific/linux/lttng-modules/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
     sha256 = "0sk7cyjf5ylmxqrrrz5zmmw4c0dmxh1f98aj870gmcnxfa76y4mx";
   };
 
+  hardening_pic = false;
+
   preConfigure = ''
     export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
     export INSTALL_MOD_PATH="$out"
diff --git a/pkgs/os-specific/linux/multipath-tools/default.nix b/pkgs/os-specific/linux/multipath-tools/default.nix
index ba69b421c3d..8aee4b73fdd 100644
--- a/pkgs/os-specific/linux/multipath-tools/default.nix
+++ b/pkgs/os-specific/linux/multipath-tools/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "1yd6l1l1c62xjr1xnij2x49kr416anbgfs4y06r86kp9hkmz2g7i";
   };
 
+  hardening_format = false;
+
   postPatch = ''
     sed -i -re '
       s,^( *#define +DEFAULT_MULTIPATHDIR\>).*,\1 "'"$out/lib/multipath"'",
diff --git a/pkgs/os-specific/linux/netatop/default.nix b/pkgs/os-specific/linux/netatop/default.nix
index 1e74cd94c55..e95cd4e133c 100644
--- a/pkgs/os-specific/linux/netatop/default.nix
+++ b/pkgs/os-specific/linux/netatop/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ zlib ];
 
+  hardening_pic = false;
+
   preConfigure = ''
     patchShebangs mkversion
     sed -i -e 's,^KERNDIR.*,KERNDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build,' \
diff --git a/pkgs/os-specific/linux/numad/default.nix b/pkgs/os-specific/linux/numad/default.nix
index 2e88e2c794e..959de19ead2 100644
--- a/pkgs/os-specific/linux/numad/default.nix
+++ b/pkgs/os-specific/linux/numad/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "08zd1yc3w00yv4mvvz5sq1gf91f6p2s9ljcd72m33xgnkglj60v4";
   };
 
+  hardening_format = false;
+
   patches = [
     ./numad-linker-flags.patch
   ];
diff --git a/pkgs/os-specific/linux/paxctl/default.nix b/pkgs/os-specific/linux/paxctl/default.nix
index afb342768c3..50aa77104c2 100644
--- a/pkgs/os-specific/linux/paxctl/default.nix
+++ b/pkgs/os-specific/linux/paxctl/default.nix
@@ -18,6 +18,9 @@ stdenv.mkDerivation rec {
     "MANDIR=share/man/man1"
   ];
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardening_stackprotector = false;
+
   setupHook = ./setup-hook.sh;
 
   meta = with stdenv.lib; {
diff --git a/pkgs/os-specific/linux/phc-intel/default.nix b/pkgs/os-specific/linux/phc-intel/default.nix
index 2b86238b2df..56ff6c473b4 100644
--- a/pkgs/os-specific/linux/phc-intel/default.nix
+++ b/pkgs/os-specific/linux/phc-intel/default.nix
@@ -21,6 +21,8 @@ in stdenv.mkDerivation rec {
 
   buildInputs = [ which ];
 
+  hardening_pic = false;
+
   makeFlags = with kernel; [
     "DESTDIR=$(out)"
     "KERNELSRC=${dev}/lib/modules/${modDirVersion}/build"
diff --git a/pkgs/os-specific/linux/rtl8812au/default.nix b/pkgs/os-specific/linux/rtl8812au/default.nix
index 6279deac60a..5a03df98346 100644
--- a/pkgs/os-specific/linux/rtl8812au/default.nix
+++ b/pkgs/os-specific/linux/rtl8812au/default.nix
@@ -3,29 +3,31 @@
 stdenv.mkDerivation rec {
   name = "rtl8812au-${kernel.version}-${version}";
   version = "4.2.2-1";
-  
+
   src = fetchFromGitHub {
     owner = "csssuf";
     repo = "rtl8812au";
     rev = "874906aec694c800bfc29b146737b88dae767832";
     sha256 = "14ifhplawipfd6971mxw76dv3ygwc0n8sbz2l3f0vvkin6x88bsj";
   };
-  
+
+  hardening_pic = false;
+
   patchPhase = ''
     substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/"
     substituteInPlace ./Makefile --replace '$(shell uname -r)' "${kernel.modDirVersion}"
     substituteInPlace ./Makefile --replace /sbin/depmod #
     substituteInPlace ./Makefile --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
   '';
-  
+
   preInstall = ''
     mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
   '';
-   
+
   meta = {
     description = "Driver for Realtek 802.11ac, rtl8812au, provides the 8812au mod";
     homepage = "https://github.com/csssuf/rtl8812au";
     license = stdenv.lib.licenses.gpl2;
     platforms = [ "x86_64-linux" "i686-linux" ];
   };
-}
\ No newline at end of file
+}
diff --git a/pkgs/os-specific/linux/setools/default.nix b/pkgs/os-specific/linux/setools/default.nix
index bb17683800f..6e8d9d3cf7a 100644
--- a/pkgs/os-specific/linux/setools/default.nix
+++ b/pkgs/os-specific/linux/setools/default.nix
@@ -18,6 +18,8 @@ stdenv.mkDerivation rec {
     "--with-tcl=${tcl}/lib"
   ];
 
+  hardening_format = false;
+
   NIX_CFLAGS_COMPILE = "-fstack-protector-all";
   NIX_LDFLAGS = "-L${libsepol}/lib -L${libselinux}/lib";
 
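Review bot: The context line `NIX_CFLAGS_COMPILE = "-fstack-protector-all";` now competes with the new default. `useHardenFlags` in pkgs/stdenv/adapters.nix appends ` -fstack-protector-strong` after the package's own value, and GCC normally lets the last `-fstack-protector*` option win. If that adapter is applied to this derivation, setools would drop from `-all` to `-strong` without anyone having asked for it. Adding `hardening_stackprotector = false; # keep the explicit -fstack-protector-all` next to the new line keeps the stricter setting in force.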
diff --git a/pkgs/os-specific/linux/spl/default.nix b/pkgs/os-specific/linux/spl/default.nix
index 959523ec597..67e2f16848b 100644
--- a/pkgs/os-specific/linux/spl/default.nix
+++ b/pkgs/os-specific/linux/spl/default.nix
@@ -30,6 +30,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ autoconf automake libtool ];
 
+  hardening_pic = false;
+
   preConfigure = ''
     ./autogen.sh
 
diff --git a/pkgs/os-specific/linux/sysdig/default.nix b/pkgs/os-specific/linux/sysdig/default.nix
index c9a594e684c..00f9a66f0cd 100644
--- a/pkgs/os-specific/linux/sysdig/default.nix
+++ b/pkgs/os-specific/linux/sysdig/default.nix
@@ -1,32 +1,33 @@
 {stdenv, fetchurl, cmake, luajit, kernel, zlib, ncurses, perl, jsoncpp, libb64, openssl, curl}:
 let
   inherit (stdenv.lib) optional optionalString;
-  s = rec {
-    baseName="sysdig";
-    version = "0.8.0";
-    name="${baseName}-${version}";
-    url="https://github.com/draios/sysdig/archive/${version}.tar.gz";
+  baseName = "sysdig";
+  version = "0.8.0";
+in
+stdenv.mkDerivation {
+  name="${baseName}-${version}";
+
+  src = fetchurl {
+    url = "https://github.com/draios/sysdig/archive/${version}.tar.gz";
     sha256 = "1939k3clwxg09m1bn0szqiy2nxg66srl72n7476jc58hgaraq3dr";
   };
+
   buildInputs = [
     cmake zlib luajit ncurses perl jsoncpp libb64 openssl curl
   ];
-in
-stdenv.mkDerivation {
-  inherit (s) name version;
-  inherit buildInputs;
-  src = fetchurl {
-    inherit (s) url sha256;
-  };
+
+  hardening_pic = false;
 
   cmakeFlags = [
     "-DUSE_BUNDLED_DEPS=OFF"
   ] ++ optional (kernel == null) "-DBUILD_DRIVER=OFF";
+
   preConfigure = ''
     export INSTALL_MOD_PATH="$out"
   '' + optionalString (kernel != null) ''
     export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
   '';
+
   postInstall = optionalString (kernel != null) ''
     make install_driver
     kernel_dev=${kernel.dev}
@@ -42,8 +43,7 @@ stdenv.mkDerivation {
   '';
 
   meta = with stdenv.lib; {
-    inherit (s) version;
-    description = ''A tracepoint-based system tracing tool for Linux (with clients for other OSes)'';
+    description = "A tracepoint-based system tracing tool for Linux (with clients for other OSes)";
     license = licenses.gpl2;
     maintainers = [maintainers.raskin];
     platforms = platforms.linux ++ platforms.darwin;
diff --git a/pkgs/os-specific/linux/syslinux/default.nix b/pkgs/os-specific/linux/syslinux/default.nix
index c051aac4312..3ace0f5c5ed 100644
--- a/pkgs/os-specific/linux/syslinux/default.nix
+++ b/pkgs/os-specific/linux/syslinux/default.nix
@@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ libuuid makeWrapper ];
 
   enableParallelBuilding = false; # Fails very rarely with 'No rule to make target: ...'
+  hardening_stackprotector = false;
+  hardening_pic = false;
 
   preBuild = ''
     substituteInPlace Makefile --replace /bin/pwd $(type -P pwd)
diff --git a/pkgs/os-specific/linux/tp_smapi/default.nix b/pkgs/os-specific/linux/tp_smapi/default.nix
index 40d9e7c1068..116a0344450 100644
--- a/pkgs/os-specific/linux/tp_smapi/default.nix
+++ b/pkgs/os-specific/linux/tp_smapi/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation {
     sha256 = "6aef02b92d10360ac9be0db29ae390636be55017990063a092a285c70b54e666";
   };
 
+  hardening_pic = false;
+
   makeFlags = [
     "KBASE=${kernel.dev}/lib/modules/${kernel.modDirVersion}"
     "SHELL=/bin/sh"
diff --git a/pkgs/os-specific/linux/v4l2loopback/default.nix b/pkgs/os-specific/linux/v4l2loopback/default.nix
index 13617360d2d..8b44f3388d3 100644
--- a/pkgs/os-specific/linux/v4l2loopback/default.nix
+++ b/pkgs/os-specific/linux/v4l2loopback/default.nix
@@ -8,7 +8,10 @@ stdenv.mkDerivation rec {
     url = "https://github.com/umlaeute/v4l2loopback/archive/v${version}.tar.gz";
     sha256 = "1crkhxlnskqrfj3f7jmiiyi5m75zmj7n0s26xz07wcwdzdf2p568";
   };
-  
+
+  hardening_pic = false;
+  hardening_format = false;
+
   preBuild = ''
     substituteInPlace Makefile --replace "modules_install" "INSTALL_MOD_PATH=$out modules_install"
     sed -i '/depmod/d' Makefile
@@ -16,7 +19,7 @@ stdenv.mkDerivation rec {
   '';
 
   buildInputs = [ kmod ];
-  
+
   makeFlags = [
     "KERNELRELEASE=${kernel.modDirVersion}"
     "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
diff --git a/pkgs/os-specific/linux/v86d/default.nix b/pkgs/os-specific/linux/v86d/default.nix
index 0ef992a4b44..17255aa1283 100644
--- a/pkgs/os-specific/linux/v86d/default.nix
+++ b/pkgs/os-specific/linux/v86d/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation rec {
 
   configureFlags = [ "--with-klibc" "--with-x86emu" ];
 
+  hardening_stackprotector = false;
+
   makeFlags = [
     "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source"
     "DESTDIR=$(out)"
diff --git a/pkgs/os-specific/linux/xf86-video-nested/default.nix b/pkgs/os-specific/linux/xf86-video-nested/default.nix
index 0f9e0591a06..96f353a64da 100644
--- a/pkgs/os-specific/linux/xf86-video-nested/default.nix
+++ b/pkgs/os-specific/linux/xf86-video-nested/default.nix
@@ -16,10 +16,9 @@ stdenv.mkDerivation {
       pkgconfig renderproto utilmacros xorgserver
     ];
 
+  hardening_fortify = false;
 
-  configurePhase = ''
-    ./configure --prefix=$out CFLAGS="-I${pixman}/include/pixman-1"
-  '';
+  CFLAGS = "-I${pixman}/include/pixman-1";
 
   meta = {
     homepage = http://cgit.freedesktop.org/xorg/driver/xf86-video-nested;
diff --git a/pkgs/os-specific/linux/zfs/default.nix b/pkgs/os-specific/linux/zfs/default.nix
index 42da97a7a7b..0a61bdcea85 100644
--- a/pkgs/os-specific/linux/zfs/default.nix
+++ b/pkgs/os-specific/linux/zfs/default.nix
@@ -38,6 +38,8 @@ stdenv.mkDerivation rec {
   # for zdb to get the rpath to libgcc_s, needed for pthread_cancel to work
   NIX_CFLAGS_LINK = "-lgcc_s";
 
+  hardening_pic = false;
+
   preConfigure = ''
     substituteInPlace ./module/zfs/zfs_ctldir.c   --replace "umount -t zfs"           "${utillinux}/bin/umount -t zfs"
     substituteInPlace ./module/zfs/zfs_ctldir.c   --replace "mount -t zfs"            "${utillinux}/bin/mount -t zfs"
diff --git a/pkgs/servers/beanstalkd/default.nix b/pkgs/servers/beanstalkd/default.nix
index cea7ca0b337..f5693e45168 100644
--- a/pkgs/servers/beanstalkd/default.nix
+++ b/pkgs/servers/beanstalkd/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
     sha256 = "0n9dlmiddcfl7i0f1lwfhqiwyvf26493fxfcmn8jm30nbqciwfwj";
   };
 
+  hardening_fortify = false;
+
   meta = with stdenv.lib; {
     homepage = http://kr.github.io/beanstalkd/;
     description = "A simple, fast work queue";
diff --git a/pkgs/servers/certificate-transparency/default.nix b/pkgs/servers/certificate-transparency/default.nix
index 292ca6bc0e3..a7c2be4e286 100644
--- a/pkgs/servers/certificate-transparency/default.nix
+++ b/pkgs/servers/certificate-transparency/default.nix
@@ -1,4 +1,7 @@
-{ stdenv, pkgs, ...}:
+{ stdenv, fetchFromGitHub, autoreconfHook, clang, pkgconfig
+, glog, gmock, gtest, google-gflags, gperftools, json_c, leveldb
+, libevent, libevhtp, openssl, protobuf, sqlite
+}:
 
 stdenv.mkDerivation rec {
   name = "certificate-transparency-${version}";
@@ -6,15 +9,7 @@ stdenv.mkDerivation rec {
   version = "2016-01-14";
   rev = "250672b5aef3666edbdfc9a75b95a09e7a57ed08";
 
-  meta = with stdenv.lib; {
-    homepage = https://www.certificate-transparency.org/;
-    description = "Auditing for TLS certificates";
-    license = licenses.asl20;
-    platforms = platforms.unix;
-    maintainers = with maintainers; [ philandstuff ];
-  };
-
-  src = pkgs.fetchFromGitHub {
+  src = fetchFromGitHub {
     owner = "google";
     repo  = "certificate-transparency";
     rev   = rev;
@@ -22,13 +17,13 @@ stdenv.mkDerivation rec {
   };
 
   # need to disable regex support in evhtp or building will fail
-  libevhtp_without_regex = stdenv.lib.overrideDerivation pkgs.libevhtp
+  libevhtp_without_regex = stdenv.lib.overrideDerivation libevhtp
     (oldAttrs: {
-      cmakeFlags="-DEVHTP_DISABLE_REGEX:STRING=ON -DCMAKE_C_FLAGS:STRING=-fPIC";
+      cmakeFlags = "-DEVHTP_DISABLE_REGEX:STRING=ON";
     });
 
-  buildInputs = with pkgs; [
-    autoconf automake clang_34 pkgconfig
+  buildInputs = [
+    autoreconfHook clang pkgconfig
     glog gmock google-gflags gperftools gtest json_c leveldb
     libevent libevhtp_without_regex openssl protobuf sqlite
   ];
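Review bot: The override drops `-DCMAKE_C_FLAGS:STRING=-fPIC` from `libevhtp_without_regex`, so position-independent code for that library now depends on the `hardening_pic` default in `useHardenFlags` rather than on anything stated here. If the adapter is not in effect for `libevhtp`, or someone later sets `hardening_all = false`, the link would presumably fail again in the way the old flag prevented. A one-line comment such as `# -fPIC is supplied by the default hardening_pic flag` above `cmakeFlags` would keep that dependency visible.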
@@ -37,21 +32,24 @@ stdenv.mkDerivation rec {
     ./protobuf-include-from-env.patch
   ];
 
-  doCheck = false;
-
-  preConfigure = ''
-    ./autogen.sh
-    configureFlagsArray=(
-      CC=clang
-      CXX=clang++
-      GMOCK_DIR=${pkgs.gmock}
-      GTEST_DIR=${pkgs.gtest}
-    )
-  '';
+  configureFlags = [
+    "CC=clang"
+    "CXX=clang++"
+    "GMOCK_DIR=${gmock}"
+    "GTEST_DIR=${gtest}"
+  ];
 
   # the default Makefile constructs BUILD_VERSION from `git describe`
   # which isn't available in the nix build environment
   makeFlags = "BUILD_VERSION=${version}-${rev}";
 
-  protocFlags = "-I ${pkgs.protobuf}/include";
+  protocFlags = "-I ${protobuf}/include";
+
+  meta = with stdenv.lib; {
+    homepage = https://www.certificate-transparency.org/;
+    description = "Auditing for TLS certificates.";
+    license = licenses.asl20;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ philandstuff ];
+  };
 }
diff --git a/pkgs/servers/firebird/default.nix b/pkgs/servers/firebird/default.nix
index 3e778317169..e557a2a0061 100644
--- a/pkgs/servers/firebird/default.nix
+++ b/pkgs/servers/firebird/default.nix
@@ -65,6 +65,8 @@ stdenv.mkDerivation rec {
     sha256 = "0887a813wffp44hnc2gmwbc4ylpqw3fh3hz3bf6q3648344a9fdv";
   };
 
+  hardening_format = false;
+
   # configurePhase = ''
   #   sed -i 's@cp /usr/share/automake-.*@@' autogen.sh
   #   sh autogen.sh $configureFlags --prefix=$out
diff --git a/pkgs/servers/gpm/default.nix b/pkgs/servers/gpm/default.nix
index a9fac485f90..99b6ce2a832 100644
--- a/pkgs/servers/gpm/default.nix
+++ b/pkgs/servers/gpm/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ automake autoconf libtool flex bison texinfo ];
   buildInputs = [ ncurses ];
 
+  hardening_format = false;
+
   preConfigure = ''
     ./autogen.sh
   '';
diff --git a/pkgs/servers/http/nginx/default.nix b/pkgs/servers/http/nginx/default.nix
index 6944a89477a..3dbb34f9b02 100644
--- a/pkgs/servers/http/nginx/default.nix
+++ b/pkgs/servers/http/nginx/default.nix
@@ -55,6 +55,8 @@ stdenv.mkDerivation rec {
 
   preConfigure = concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules;
 
+  hardening_pie = true;
+
   meta = {
     description = "A reverse proxy and lightweight webserver";
     homepage    = http://nginx.org;
diff --git a/pkgs/servers/icecast/default.nix b/pkgs/servers/icecast/default.nix
index 4a89c5ad83b..d0e238786e2 100644
--- a/pkgs/servers/icecast/default.nix
+++ b/pkgs/servers/icecast/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ libxml2 libxslt curl libvorbis libtheora speex libkate libopus ];
 
+  hardening_pie = true;
+
   meta = {
     description = "Server software for streaming multimedia";
 
diff --git a/pkgs/servers/irc/charybdis/default.nix b/pkgs/servers/irc/charybdis/default.nix
index a38a25c8a5c..d42f69d078b 100644
--- a/pkgs/servers/irc/charybdis/default.nix
+++ b/pkgs/servers/irc/charybdis/default.nix
@@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
     "--with-program-prefix=charybdis-"
   ];
 
+  hardening_format = false;
+
   buildInputs = [ bison flex openssl ];
 
   meta = {
diff --git a/pkgs/servers/mail/postfix/2.11.nix b/pkgs/servers/mail/postfix/2.11.nix
index 7c936bf1244..f2f155cbf3f 100644
--- a/pkgs/servers/mail/postfix/2.11.nix
+++ b/pkgs/servers/mail/postfix/2.11.nix
@@ -36,9 +36,8 @@ stdenv.mkDerivation rec {
     export sendmail_path=$out/bin/sendmail
 
     make makefiles \
-      CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl \
-              -fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2' \
-      AUXLIBS='-ldb -lnsl -lresolv -lsasl2 -lcrypto -lssl -pie -Wl,-z,relro,-z,now'
+      CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl' \
+      AUXLIBS='-ldb -lnsl -lresolv -lsasl2 -lcrypto -lssl'
   '';
 
   installTargets = [ "non-interactive-package" ];
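Review bot: This file loses PIE. The hunk, the only one for postfix/2.11.nix, strips `-fPIE` and `-pie` from `CCARGS`/`AUXLIBS`, but unlike postfix/3.0.nix and postfix/default.nix it adds no `hardening_pie = true;`, and `useHardenFlags` defaults `hardening_pie` to false. Postfix is a network-facing daemon, so its executables should stay position-independent; add `hardening_pie = true;` to this derivation's attributes, which lie outside the hunk. In all three postfix files the explicit `-fstack-protector-all --param ssp-buffer-size=4` is also replaced by the default `-fstack-protector-strong`, which instruments fewer functions. If that reduction is intended, a comment saying so would help.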
diff --git a/pkgs/servers/mail/postfix/3.0.nix b/pkgs/servers/mail/postfix/3.0.nix
index 52327090e44..3a0f2e0954d 100644
--- a/pkgs/servers/mail/postfix/3.0.nix
+++ b/pkgs/servers/mail/postfix/3.0.nix
@@ -9,12 +9,11 @@ let
   ccargs = lib.concatStringsSep " " ([
     "-DUSE_TLS" "-DUSE_SASL_AUTH" "-DUSE_CYRUS_SASL" "-I${cyrus_sasl}/include/sasl"
     "-DHAS_DB_BYPASS_MAKEDEFS_CHECK"
-    "-fPIE" "-fstack-protector-all" "--param" "ssp-buffer-size=4" "-O2" "-D_FORTIFY_SOURCE=2"
    ] ++ lib.optional withPgSQL "-DHAS_PGSQL"
      ++ lib.optionals withMySQL [ "-DHAS_MYSQL" "-I${libmysql}/include/mysql" ]
      ++ lib.optional withSQLite "-DHAS_SQLITE");
    auxlibs = lib.concatStringsSep " " ([
-     "-ldb" "-lnsl" "-lresolv" "-lsasl2" "-lcrypto" "-lssl" "-pie" "-Wl,-z,relro,-z,now"
+     "-ldb" "-lnsl" "-lresolv" "-lsasl2" "-lcrypto" "-lssl"
    ] ++ lib.optional withPgSQL "-lpq"
      ++ lib.optional withMySQL "-lmysqlclient"
      ++ lib.optional withSQLite "-lsqlite3");
@@ -42,6 +41,8 @@ in stdenv.mkDerivation rec {
     ./relative-symlinks.patch
   ];
 
+  hardening_pie = true;
+
   preBuild = ''
     sed -e '/^PATH=/d' -i postfix-install
     sed -e "s|@PACKAGE@|$out|" -i conf/post-install
diff --git a/pkgs/servers/mail/postfix/default.nix b/pkgs/servers/mail/postfix/default.nix
index 838ca7a8d8d..42355b46021 100644
--- a/pkgs/servers/mail/postfix/default.nix
+++ b/pkgs/servers/mail/postfix/default.nix
@@ -14,6 +14,9 @@ stdenv.mkDerivation rec {
 
   buildInputs = [db openssl cyrus_sasl bison perl];
 
+  hardening_format = false;
+  hardening_pie = true;
+
   patches = [
     ./postfix-2.2.9-db.patch
     ./postfix-2.2.9-lib.patch
@@ -39,7 +42,7 @@ stdenv.mkDerivation rec {
     export sample_directory=$out/share/postfix/doc/samples
     export readme_directory=$out/share/postfix/doc
 
-    make makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl -fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2' AUXLIBS='-lssl -lcrypto -lsasl2 -ldb -lnsl -pie -Wl,-z,relro,-z,now'
+    make makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I${cyrus_sasl}/include/sasl' AUXLIBS='-lssl -lcrypto -lsasl2 -ldb -lnsl'
   '';
 
   installPhase = ''
diff --git a/pkgs/servers/memcached/default.nix b/pkgs/servers/memcached/default.nix
index 9d110d9c146..cac568f8fc9 100644
--- a/pkgs/servers/memcached/default.nix
+++ b/pkgs/servers/memcached/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [cyrus_sasl libevent];
 
+  hardening_pie = true;
+
   meta = with stdenv.lib; {
     description = "A distributed memory object caching system";
     repositories.git = https://github.com/memcached/memcached.git;
diff --git a/pkgs/servers/nosql/mongodb/default.nix b/pkgs/servers/nosql/mongodb/default.nix
index 2ea255e4432..141e8e0929d 100644
--- a/pkgs/servers/nosql/mongodb/default.nix
+++ b/pkgs/servers/nosql/mongodb/default.nix
@@ -19,6 +19,7 @@ let version = "3.2.1";
       #"stemmer"  -- not nice to package yet (no versioning, no makefile, no shared libs).
       "yaml"
     ] ++ optionals stdenv.isLinux [ "tcmalloc" ];
+
     buildInputs = [
       sasl boost gperftools pcre snappy
       zlib libyamlcpp sasl openssl libpcap
@@ -79,6 +80,8 @@ in stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardening_pie = true;
+
   meta = {
     description = "a scalable, high-performance, open source NoSQL database";
     homepage = http://www.mongodb.org;
diff --git a/pkgs/servers/nosql/riak/1.3.1.nix b/pkgs/servers/nosql/riak/1.3.1.nix
index df85044b8d1..ffa2056d5a9 100644
--- a/pkgs/servers/nosql/riak/1.3.1.nix
+++ b/pkgs/servers/nosql/riak/1.3.1.nix
@@ -23,6 +23,8 @@ stdenv.mkDerivation rec {
 
   patches = [ ./riak-1.3.1.patch ./riak-admin-1.3.1.patch ];
 
+  hardening_format = false;
+
   postUnpack = ''
     mkdir -p $sourceRoot/deps/eleveldb/c_src/leveldb
     cp -r ${srcs.leveldb}/* $sourceRoot/deps/eleveldb/c_src/leveldb
diff --git a/pkgs/servers/nosql/riak/2.1.1.nix b/pkgs/servers/nosql/riak/2.1.1.nix
index c62cea180be..05cf4270f9f 100644
--- a/pkgs/servers/nosql/riak/2.1.1.nix
+++ b/pkgs/servers/nosql/riak/2.1.1.nix
@@ -34,6 +34,8 @@ stdenv.mkDerivation rec {
 
   src = srcs.riak;
 
+  hardening_format = false;
+
   postPatch = ''
     sed -i deps/node_package/priv/base/env.sh \
       -e 's@{{platform_data_dir}}@''${RIAK_DATA_DIR:-/var/db/riak}@' \
diff --git a/pkgs/servers/openafs-client/default.nix b/pkgs/servers/openafs-client/default.nix
index 5d8e255f47f..1ff9b79e383 100644
--- a/pkgs/servers/openafs-client/default.nix
+++ b/pkgs/servers/openafs-client/default.nix
@@ -23,6 +23,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ autoconf automake flex yacc ncurses perl which ];
 
+  hardening_pic = false;
+
   preConfigure = ''
     ln -s "${kernel.dev}/lib/modules/"*/build $TMP/linux
 
diff --git a/pkgs/servers/sip/freeswitch/default.nix b/pkgs/servers/sip/freeswitch/default.nix
index efa70875549..cb77ebd9c89 100644
--- a/pkgs/servers/sip/freeswitch/default.nix
+++ b/pkgs/servers/sip/freeswitch/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
 
   NIX_CFLAGS_COMPILE = "-Wno-error=cpp";
 
+  hardening_format = false;
+
   meta = {
     description = "Cross-Platform Scalable FREE Multi-Protocol Soft Switch";
     homepage = http://freeswitch.org/;
diff --git a/pkgs/servers/x11/xorg/overrides.nix b/pkgs/servers/x11/xorg/overrides.nix
index 7bd179067cd..b3d13c9c258 100644
--- a/pkgs/servers/x11/xorg/overrides.nix
+++ b/pkgs/servers/x11/xorg/overrides.nix
@@ -440,4 +440,8 @@ in
     configureFlags = "--with-cpp=${args.mcpp}/bin/mcpp";
   };
 
+  sessreg = attrs: attrs // {
+    preBuild = "sed -i 's|gcc -E|gcc -E -P|' man/Makefile";
+  };
+
 }
diff --git a/pkgs/shells/dash/default.nix b/pkgs/shells/dash/default.nix
index d3104439e57..ba6a076f1f0 100644
--- a/pkgs/shells/dash/default.nix
+++ b/pkgs/shells/dash/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "03y6z8akj72swa6f42h2dhq3p09xasbi6xia70h2vc27fwikmny6";
   };
 
+  hardening_format = false;
+
   meta = {
     homepage = http://gondor.apana.org.au/~herbert/dash/;
     description = "A POSIX-compliant implementation of /bin/sh that aims to be as small as possible";
diff --git a/pkgs/stdenv/adapters.nix b/pkgs/stdenv/adapters.nix
index 836dedf1cb1..4f092ee1d97 100644
--- a/pkgs/stdenv/adapters.nix
+++ b/pkgs/stdenv/adapters.nix
@@ -236,6 +236,26 @@ rec {
       });
     };
 
+  useHardenFlags = stdenv: stdenv //
+    { mkDerivation = args: stdenv.mkDerivation (args // {
+        NIX_CFLAGS_COMPILE = toString (args.NIX_CFLAGS_COMPILE or "")
+          + stdenv.lib.optionalString (args.hardening_all or true) (
+            stdenv.lib.optionalString (args.hardening_fortify or true) " -O2 -D_FORTIFY_SOURCE=2"
+            + stdenv.lib.optionalString (args.hardening_stackprotector or true) " -fstack-protector-strong"
+            + stdenv.lib.optionalString (args.hardening_pie or false) " -fPIE -pie"
+            + stdenv.lib.optionalString (args.hardening_pic or true) " -fPIC"
+            + stdenv.lib.optionalString (args.hardening_strictoverflow or true) " -fno-strict-overflow"
+            + stdenv.lib.optionalString (args.hardening_format or true) " -Wformat -Wformat-security -Werror=format-security"
+          );
+        NIX_LDFLAGS = toString (args.NIX_LDFLAGS or "")
+          + stdenv.lib.optionalString (args.hardening_all or true) (
+              stdenv.lib.optionalString (args.hardening_relro or true) " -z relro"
+            + stdenv.lib.optionalString (args.hardening_bindnow or true) " -z now"
+          );
+
+      });
+    };
+
   dropCxx = drv: drv.override {
     stdenv = if pkgs.stdenv.isDarwin
       then pkgs.allStdenvs.stdenvDarwinNaked
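Review bot: `hardening_pie` appends ` -fPIE -pie` to `NIX_CFLAGS_COMPILE`, but `-pie` is a link-mode option. It only takes effect when the compiler driver performs the final link, and on a derivation that also builds shared objects it would be passed alongside `-shared`. How the wrapper forwards this variable is not visible here, so at minimum the adapter should carry a comment such as `# hardening_pie: only for derivations that produce executables; conflicts with -shared`. A short header comment listing every `hardening_*` switch with its default would also make the opt-outs scattered through this commit easier to audit. Per the hunk, all are on except `hardening_pie`, and `hardening_all = false` turns the whole set off.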
diff --git a/pkgs/tools/X11/sct/default.nix b/pkgs/tools/X11/sct/default.nix
index 4bf62e53f55..2eed4335af1 100644
--- a/pkgs/tools/X11/sct/default.nix
+++ b/pkgs/tools/X11/sct/default.nix
@@ -4,7 +4,7 @@ stdenv.mkDerivation rec {
   buildInputs = [libX11 libXrandr];
   src = fetchurl {
     url = http://www.tedunangst.com/flak/files/sct.c;
-    sha256 = "1bivy0sl5v1jsq4jbq6p9hplz6cvw4nx9rc96p2kxsg506rqllc5";
+    sha256 = "01f3ndx3s6d2qh2xmbpmhd4962dyh8yp95l87xwrs4plqdz6knhd";
   };
   phases = ["patchPhase" "buildPhase" "installPhase"];
   patchPhase = ''
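Review bot: The `sha256` changes while the `url` stays the unversioned `http://www.tedunangst.com/flak/files/sct.c`, fetched over plain HTTP, so the hunk gives no way to tell which upstream revision the new hash pins or why the content changed. The fixed-output hash protects builds from here on, but whoever reviews this bump has to trust whatever the server returned on the day the hash was computed. I would record the provenance next to the hash, e.g. `# upstream replaced sct.c in place; hash refreshed <date>, diff against the previous file reviewed`, and prefer a versioned or mirrored source if one exists. The derivation continues outside the hunk.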
diff --git a/pkgs/tools/X11/xbindkeys-config/default.nix b/pkgs/tools/X11/xbindkeys-config/default.nix
index 57d8d82759c..b4fc755bd84 100644
--- a/pkgs/tools/X11/xbindkeys-config/default.nix
+++ b/pkgs/tools/X11/xbindkeys-config/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
     sha256 = "1rs3li2hyig6cdzvgqlbz0vw6x7rmgr59qd6m0cvrai8xhqqykda";
   };
 
+  hardening_format = false;
+
   meta = {
     homepage = https://packages.debian.org/source/xbindkeys-config;
     description = "Graphical interface for configuring xbindkeys";
diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix
index 22b8a607fd3..24fec4e33bb 100644
--- a/pkgs/tools/admin/tightvnc/default.nix
+++ b/pkgs/tools/admin/tightvnc/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation {
   inherit xauth fontDirectories perl;
   gcc = stdenv.cc.cc;
 
+  hardening_format = false;
+
   buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw
                   libXpm libXp xauth openssh ];
 
diff --git a/pkgs/tools/archivers/cromfs/default.nix b/pkgs/tools/archivers/cromfs/default.nix
index cd151698f25..042880b39c9 100644
--- a/pkgs/tools/archivers/cromfs/default.nix
+++ b/pkgs/tools/archivers/cromfs/default.nix
@@ -1,18 +1,15 @@
-{ stdenv, fetchurl, pkgconfig, fuse, perl, gcc48 }:
+{ stdenv, fetchurl, pkgconfig, fuse, perl }:
 
 stdenv.mkDerivation rec {
   name = "cromfs-1.5.10.2";
-  
+
   src = fetchurl {
     url = "http://bisqwit.iki.fi/src/arch/${name}.tar.bz2";
     sha256 = "0xy2x1ws1qqfp7hfj6yzm80zhrxzmhn0w2yns77im1lmd2h18817";
   };
 
-  patchPhase = ''sed -i 's@/bin/bash@/bin/sh@g' configure'';
+  postPatch = "patchShebangs configure";
 
-  # Removing the static linking, as it doesn't compile in x86_64.
-  makeFlags = "cromfs-driver util/mkcromfs util/unmkcromfs util/cvcromfs";
-  
   installPhase = ''
     install -d $out/bin
     install cromfs-driver $out/bin
@@ -21,7 +18,7 @@ stdenv.mkDerivation rec {
     install util/unmkcromfs $out/bin
   '';
 
-  buildInputs = [ pkgconfig fuse perl gcc48 ];
+  buildInputs = [ pkgconfig fuse perl ];
 
   meta = {
     description = "FUSE Compressed ROM filesystem with lzma";
diff --git a/pkgs/tools/archivers/sharutils/default.nix b/pkgs/tools/archivers/sharutils/default.nix
index e806a962eab..d1f13b77f0c 100644
--- a/pkgs/tools/archivers/sharutils/default.nix
+++ b/pkgs/tools/archivers/sharutils/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g";
   };
 
+  hardening_format = false;
+
   preConfigure = ''
      # Fix for building on Glibc 2.16.  Won't be needed once the
      # gnulib in sharutils is updated.
diff --git a/pkgs/tools/archivers/unzip/default.nix b/pkgs/tools/archivers/unzip/default.nix
index b5d03bc18b2..20f7038067d 100644
--- a/pkgs/tools/archivers/unzip/default.nix
+++ b/pkgs/tools/archivers/unzip/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation {
     sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83";
   };
 
+  hardening_format = false;
+
   patches = [
     ./CVE-2014-8139.diff
     ./CVE-2014-8140.diff
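Review bot: `hardening_format = false;` is added to a tool that parses untrusted archives and already carries `./CVE-2014-8139.diff` and `./CVE-2014-8140.diff`, which makes it a poor place to silence `-Werror=format-security`. That diagnostic fires on `printf`-style calls whose format argument is not a literal, and jfsutils in this same commit handles it by patching the calls to `printf("%s", …)` instead. I would do the same here, or at least mark the opt-out as temporary with `# FIXME: fix non-literal format strings and re-enable hardening_format`. Whether the flagged calls are reachable with archive-controlled data cannot be told from the hunk.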
diff --git a/pkgs/tools/archivers/xarchive/default.nix b/pkgs/tools/archivers/xarchive/default.nix
index ed60e3147a8..6407fe4f350 100644
--- a/pkgs/tools/archivers/xarchive/default.nix
+++ b/pkgs/tools/archivers/xarchive/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ gtk2 pkgconfig ];
 
+  hardening_format = false;
+
   meta = {
     description = "A GTK+ front-end for command line archiving tools";
     maintainers = [ stdenv.lib.maintainers.iElectric ];
diff --git a/pkgs/tools/archivers/zip/default.nix b/pkgs/tools/archivers/zip/default.nix
index 431ed354d21..8be743c8dd0 100644
--- a/pkgs/tools/archivers/zip/default.nix
+++ b/pkgs/tools/archivers/zip/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation {
     sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h";
   };
 
+  hardening_format = false;
+
   makefile = "unix/Makefile";
   buildFlags = if stdenv.isCygwin then "cygwin" else "generic";
   installFlags = "prefix=$(out) INSTALL=cp";
diff --git a/pkgs/tools/cd-dvd/cdrdao/default.nix b/pkgs/tools/cd-dvd/cdrdao/default.nix
index 375bbcda7e4..2de5736a4c2 100644
--- a/pkgs/tools/cd-dvd/cdrdao/default.nix
+++ b/pkgs/tools/cd-dvd/cdrdao/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ lame libvorbis libmad pkgconfig libao ];
 
+  hardening_format = false;
+
   # Adjust some headers to match glibc 2.12 ... patch is a diff between
   # the cdrdao CVS head and the 1.2.3 release.
   patches = [ ./adjust-includes-for-glibc-212.patch ];
diff --git a/pkgs/tools/cd-dvd/cdrkit/default.nix b/pkgs/tools/cd-dvd/cdrkit/default.nix
index bcf9ec2c0cc..34bb109a171 100644
--- a/pkgs/tools/cd-dvd/cdrkit/default.nix
+++ b/pkgs/tools/cd-dvd/cdrkit/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [cmake libcap zlib bzip2];
 
+  hardening_format = false;
+
   # efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244
   patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ];
 
diff --git a/pkgs/tools/cd-dvd/dvdisaster/default.nix b/pkgs/tools/cd-dvd/dvdisaster/default.nix
index 7cb1bf7506d..38e86c8ff1f 100644
--- a/pkgs/tools/cd-dvd/dvdisaster/default.nix
+++ b/pkgs/tools/cd-dvd/dvdisaster/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
     sha256 = "0f8gjnia2fxcbmhl8b3qkr5b7idl8m855dw7xw2fnmbqwvcm6k4w";
   };
 
+  hardening_fortify = false;
+
   nativeBuildInputs = [ gettext pkgconfig which ];
   buildInputs = [ glib gtk2 ];
 
diff --git a/pkgs/tools/compression/xz/default.nix b/pkgs/tools/compression/xz/default.nix
index 5f5ee28ca06..6ddebe6b99d 100644
--- a/pkgs/tools/compression/xz/default.nix
+++ b/pkgs/tools/compression/xz/default.nix
@@ -15,6 +15,9 @@ stdenv.mkDerivation rec {
 
   postInstall = "rm -rf $out/share/doc";
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardening_stackprotector = false;
+
   meta = with stdenv.lib; {
     homepage = http://tukaani.org/xz/;
     description = "XZ, general-purpose data compression software, successor of LZMA";
diff --git a/pkgs/tools/filesystems/fusesmb/default.nix b/pkgs/tools/filesystems/fusesmb/default.nix
index 4ddab385a42..c53400e6afd 100644
--- a/pkgs/tools/filesystems/fusesmb/default.nix
+++ b/pkgs/tools/filesystems/fusesmb/default.nix
@@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
       ln -fs ${samba}/lib/libsmbclient.so $out/lib/libsmbclient.so.0
     '';
 
+  hardening_format = false;
+
   meta = {
     description = "Samba mounted via FUSE";
     homepage = http://www.ricardis.tudelft.nl/~vincent/fusesmb/;
diff --git a/pkgs/tools/filesystems/jfsutils/default.nix b/pkgs/tools/filesystems/jfsutils/default.nix
index 46ded088c69..16d95bd1933 100644
--- a/pkgs/tools/filesystems/jfsutils/default.nix
+++ b/pkgs/tools/filesystems/jfsutils/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha1 = "291e8bd9d615cf3d27e4000117c81a3602484a50";
   };
 
-  patches = [ ./types.patch ];
+  patches = [ ./types.patch ./hardening-format.patch ];
 
   buildInputs = [ libuuid ];
 
diff --git a/pkgs/tools/filesystems/jfsutils/hardening-format.patch b/pkgs/tools/filesystems/jfsutils/hardening-format.patch
new file mode 100644
index 00000000000..dd2a93a81ec
--- /dev/null
+++ b/pkgs/tools/filesystems/jfsutils/hardening-format.patch
@@ -0,0 +1,37 @@
+--- a/fscklog/fscklog.c	2016-01-29 04:59:54.102223291 +0000
++++ b/fscklog/fscklog.c	2016-01-29 05:00:10.707552565 +0000
+@@ -252,8 +252,8 @@
+ 
+ 	sprintf(debug_detail, " [%s:%d]\n", basename(file_name), line_number);
+ 
+-	printf(msg_string);
+-	printf(debug_detail);
++	printf("%s", msg_string);
++	printf("%s", debug_detail);
+ 
+ 	return 0;
+ }
+--- a/fscklog/display.c	2016-01-29 05:05:42.582133444 +0000
++++ b/fscklog/display.c	2016-01-29 05:05:47.541231780 +0000
+@@ -182,7 +182,7 @@
+ 				} else {
+ 					/* the record looks ok */
+ 					msg_txt = &log_entry[log_entry_pos];
+-					printf(msg_txt);
++					printf("%s", msg_txt);
+ 					/*
+ 					 * set up for the next record
+ 					 */
+--- a/logdump/helpers.c	2016-01-29 05:06:26.081996021 +0000
++++ b/logdump/helpers.c	2016-01-29 05:06:43.097333425 +0000
+@@ -95,8 +95,8 @@
+ 
+ 	sprintf(debug_detail, " [%s:%d]\n", file_name, line_number);
+ 
+-	printf(msg_string);
+-	printf(debug_detail);
++	printf("%s", msg_string);
++	printf("%s", debug_detail);
+ 
+ 	return 0;
+ }
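Review bot: The new patch file starts directly at its first `---` line, with no header saying what it fixes or whether it was sent upstream. A leading line such as `Pass log messages to printf as data, not as the format string.` would let a later maintainer decide when the patch can be dropped; udftools/gcc5.patch in this commit has the same gap. The `sprintf(debug_detail, " [%s:%d]\n", …)` context lines in fscklog.c and helpers.c stay unbounded, and the size of `debug_detail` is outside the hunks, so whether `snprintf` is needed there cannot be judged from here. Where no formatting is wanted at all, `fputs(msg_string, stdout);` states that more directly than `printf("%s", …)`.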
diff --git a/pkgs/tools/filesystems/udftools/default.nix b/pkgs/tools/filesystems/udftools/default.nix
index 329950f8969..d3964b1e427 100644
--- a/pkgs/tools/filesystems/udftools/default.nix
+++ b/pkgs/tools/filesystems/udftools/default.nix
@@ -10,6 +10,9 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ ncurses readline ];
 
+  patches = [ ./gcc5.patch ];
+  hardening_fortify = false;
+
   preConfigure = ''
     sed -e '1i#include <limits.h>' -i cdrwtool/cdrwtool.c -i pktsetup/pktsetup.c
     sed -e 's@[(]char[*][)]spm [+]=@spm = ((char*) spm) + @' -i wrudf/wrudf.c
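Review bot: `hardening_fortify = false;` is added here with no comment saying which build or runtime failure it works around, while the neighbouring `patches = [ ./gcc5.patch ];` at least names its reason in the file name. The same bare opt-out appears in the graphviz 2.0.nix, 2.32.nix and default.nix hunks and in qrcode, zbar and dhcpdump. graphviz/default.nix carries `./cve-2014-9157.patch` and dhcpdump links libpcap, so those two presumably handle untrusted input and are where losing the fortified libc checks matters most. I would add a one-line reason above each, for example `# FIXME: build fails with fortify enabled (<error>), re-enable once fixed upstream`, so the flag can be dropped when the cause is gone.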
diff --git a/pkgs/tools/filesystems/udftools/gcc5.patch b/pkgs/tools/filesystems/udftools/gcc5.patch
new file mode 100644
index 00000000000..2c57ff20e13
--- /dev/null
+++ b/pkgs/tools/filesystems/udftools/gcc5.patch
@@ -0,0 +1,17 @@
+--- udftools-1.0.0b3/libudffs/desc.c	2016-02-07 23:21:38.595391610 +0000
++++ udftools-1.0.0b3/libudffs/desc.c	2016-02-07 23:21:57.759756269 +0000
+@@ -34,12 +34,12 @@
+ #include "libudffs.h"
+ #include "config.h"
+ 
+-inline struct impUseVolDescImpUse *query_iuvdiu(struct udf_disc *disc)
++extern struct impUseVolDescImpUse *query_iuvdiu(struct udf_disc *disc)
+ {
+ 	return (struct impUseVolDescImpUse *)disc->udf_iuvd[0]->impUse;
+ }
+ 
+-inline struct logicalVolIntegrityDescImpUse *query_lvidiu(struct udf_disc *disc)
++extern struct logicalVolIntegrityDescImpUse *query_lvidiu(struct udf_disc *disc)
+ {
+ 	return (struct logicalVolIntegrityDescImpUse *)&(disc->udf_lvid->impUse[le32_to_cpu(disc->udf_lvd[0]->numPartitionMaps) * 2 * sizeof(uint32_t)]);
+ }
diff --git a/pkgs/tools/graphics/barcode/default.nix b/pkgs/tools/graphics/barcode/default.nix
index b35b929da40..7e6c9931341 100644
--- a/pkgs/tools/graphics/barcode/default.nix
+++ b/pkgs/tools/graphics/barcode/default.nix
@@ -9,13 +9,14 @@ stdenv.mkDerivation rec {
     sha256 = "1indapql5fjz0bysyc88cmc54y8phqrbi7c76p71fgjp45jcyzp8";
   };
 
+  hardening_format = false;
+
   meta = with stdenv.lib; {
     description = "GNU barcode generator";
     maintainers = with maintainers; [ raskin ];
     platforms = with platforms; allBut darwin;
     downloadPage = "http://ftp.gnu.org/gnu/barcode/";
     updateWalker = true;
-    inherit version;
     homepage = http://ftp.gnu.org/gnu/barcode/;
   };
 }
diff --git a/pkgs/tools/graphics/editres/default.nix b/pkgs/tools/graphics/editres/default.nix
index 64222185044..c3d9a859f3f 100644
--- a/pkgs/tools/graphics/editres/default.nix
+++ b/pkgs/tools/graphics/editres/default.nix
@@ -10,7 +10,9 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig libXt libXaw libXres utilmacros ];
 
-  preConfigure = "configureFlags=--with-appdefaultdir=$out/share/X11/app-defaults/editres";
+  configureFlags = "--with-appdefaultdir=$(out)/share/X11/app-defaults/editres";
+
+  hardening_format = false;
 
   meta = {
     homepage = "http://cgit.freedesktop.org/xorg/app/editres/";
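Review bot: The new `configureFlags` value uses `$(out)`, which as far as I can tell the shell passes to configure unexpanded, so the path only resolves if it lands in a Makefile where make substitutes `$(out)` from the environment. The removed `preConfigure` line used `$out`, which the shell expanded before configure ran. If configure writes the app-defaults directory anywhere other than a Makefile, the literal string `$(out)` ends up in the output. It is worth checking the installed path, or keeping the old form `preConfigure = "configureFlags=--with-appdefaultdir=$out/share/X11/app-defaults/editres";`. The `hardening_format = false;` line below it also has no stated reason.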
diff --git a/pkgs/tools/graphics/ggobi/default.nix b/pkgs/tools/graphics/ggobi/default.nix
index cf2c5598d2a..03326aa4562 100644
--- a/pkgs/tools/graphics/ggobi/default.nix
+++ b/pkgs/tools/graphics/ggobi/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
 
   configureFlags = "--with-all-plugins";
 
+  hardening_format = false;
+
   meta = with stdenv.lib; {
     description = "Visualization program for exploring high-dimensional data";
     homepage = http://www.ggobi.org/;
diff --git a/pkgs/tools/graphics/graphviz/2.0.nix b/pkgs/tools/graphics/graphviz/2.0.nix
index 04fff805381..e08b1309d41 100644
--- a/pkgs/tools/graphics/graphviz/2.0.nix
+++ b/pkgs/tools/graphics/graphviz/2.0.nix
@@ -13,7 +13,10 @@ stdenv.mkDerivation rec {
   };
 
   buildInputs = [pkgconfig xlibsWrapper libpng libjpeg expat libXaw yacc libtool fontconfig pango gd];
-  
+
+  hardening_format = false;
+  hardening_fortify = false;
+
   configureFlags =
     [ "--with-pngincludedir=${libpng}/include"
       "--with-pnglibdir=${libpng}/lib"
diff --git a/pkgs/tools/graphics/graphviz/2.32.nix b/pkgs/tools/graphics/graphviz/2.32.nix
index 2743bd78aa7..7f11f076dcc 100644
--- a/pkgs/tools/graphics/graphviz/2.32.nix
+++ b/pkgs/tools/graphics/graphviz/2.32.nix
@@ -31,6 +31,8 @@ stdenv.mkDerivation rec {
     ]
     ++ stdenv.lib.optional (xorg == null) "--without-x";
 
+  hardening_fortify = false;
+
   preBuild = ''
     sed -e 's@am__append_5 *=.*@am_append_5 =@' -i lib/gvc/Makefile
   '';
diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix
index 5635e3a69ff..9a9621dd784 100644
--- a/pkgs/tools/graphics/graphviz/default.nix
+++ b/pkgs/tools/graphics/graphviz/default.nix
@@ -12,9 +12,11 @@ stdenv.mkDerivation rec {
     sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1";
   };
 
+  hardening_fortify = false;
+
   patches =
     [ ./0001-vimdot-lookup-vim-in-PATH.patch
-    
+
       # NOTE: Once this patch is removed, flex can probably be removed from
       # buildInputs.
       ./cve-2014-9157.patch
diff --git a/pkgs/tools/graphics/jbig2enc/default.nix b/pkgs/tools/graphics/jbig2enc/default.nix
index 71f0789286a..a6f6c437612 100644
--- a/pkgs/tools/graphics/jbig2enc/default.nix
+++ b/pkgs/tools/graphics/jbig2enc/default.nix
@@ -1,4 +1,6 @@
-{stdenv, fetchurl, leptonica, zlib, libwebp, giflib, libjpeg, libpng, libtiff }: stdenv.mkDerivation {
+{ stdenv, fetchurl, fetchpatch, leptonica, zlib, libwebp, giflib, libjpeg, libpng, libtiff }:
+
+stdenv.mkDerivation {
   name = "jbig2enc-0.28";
 
   src = fetchurl {
@@ -6,6 +8,13 @@
     sha256 = "1wc0lmqz4jag3rhhk1xczlqpfv2qqp3fz7wzic2lba3vsbi1rrw3";
   };
 
+  patches = [
+    (fetchpatch {
+      url = "https://github.com/agl/jbig2enc/commit/53ce5fe7e73d7ed95c9e12b52dd4984723f865fa.diff";
+      sha256 = "0n6s24i1fy9xspawns3r0kmx2fl0q3wqp68l1yai36jhfw08i3n4";
+    })
+  ];
+
   propagatedBuildInputs = [ leptonica zlib libwebp giflib libjpeg libpng libtiff ];
 
   # This is necessary, because the resulting library has
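Review bot: The `fetchpatch` entry pins the upstream commit by hash and by `sha256`, but nothing says what that commit fixes, so a reader cannot tell when the patch becomes redundant. A comment above it, e.g. `# <what the upstream commit fixes>; drop when updating past 0.28`, would cover that. The pin itself looks fine, since the URL names a full commit id rather than a branch.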
diff --git a/pkgs/tools/graphics/netpbm/default.nix b/pkgs/tools/graphics/netpbm/default.nix
index e69a73ff321..9f0253d1462 100644
--- a/pkgs/tools/graphics/netpbm/default.nix
+++ b/pkgs/tools/graphics/netpbm/default.nix
@@ -3,11 +3,11 @@
 , enableX11 ? false, libX11 }:
 
 stdenv.mkDerivation rec {
-  name = "netpbm-10.66.00";
+  name = "netpbm-10.70.00";
 
   src = fetchurl {
     url = "mirror://gentoo/distfiles/${name}.tar.xz";
-    sha256 = "1z33pxdir92m7jlvp5c2q44gxwj7jyf8skiqkr71kgirw4w4zsbz";
+    sha256 = "14vxmzbwsy4rzrqjnzr4cvz1s0amacq69faps3v1j1kr05lcns0j";
   };
 
   postPatch = /* CVE-2005-2471, from Arch */ ''
@@ -15,8 +15,6 @@ stdenv.mkDerivation rec {
       --replace '"-DSAFER"' '"-DPARANOIDSAFER"'
   '';
 
-  NIX_CFLAGS_COMPILE = "-fPIC"; # Gentoo adds this on every platform
-
   buildInputs =
     [ pkgconfig flex zlib perl libpng libjpeg libxml2 makeWrapper libtiff ]
     ++ lib.optional enableX11 libX11;
diff --git a/pkgs/tools/graphics/nifskope/default.nix b/pkgs/tools/graphics/nifskope/default.nix
index 13dc27921a4..e28a2e16488 100644
--- a/pkgs/tools/graphics/nifskope/default.nix
+++ b/pkgs/tools/graphics/nifskope/default.nix
@@ -21,6 +21,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardening_format = false;
+
   # Inspired by linux-install/nifskope.spec.in.
   installPhase =
     ''
diff --git a/pkgs/tools/graphics/plotutils/default.nix b/pkgs/tools/graphics/plotutils/default.nix
index 6a7a6745c87..dc145a0d862 100644
--- a/pkgs/tools/graphics/plotutils/default.nix
+++ b/pkgs/tools/graphics/plotutils/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation rec {
 
   configureFlags = "--enable-libplotter"; # required for pstoedit
 
+  hardening_format = false;
+
   doCheck = true;
 
   meta = {
diff --git a/pkgs/tools/graphics/pngcheck/default.nix b/pkgs/tools/graphics/pngcheck/default.nix
index 160badaf668..f67e7202521 100644
--- a/pkgs/tools/graphics/pngcheck/default.nix
+++ b/pkgs/tools/graphics/pngcheck/default.nix
@@ -8,9 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "0pzkj1bb4kdybk6vbfq9s0wzdm5szmrgixkas3xmbpv4mhws1w3p";
   };
 
-  # configurePhase = ''
-  #   sed -i s,/usr,$out, Makefile
-  # '';
+  hardening_format = false;
 
   makefile = "Makefile.unx";
   makeFlags = "ZPATH=${zlib}/lib";
diff --git a/pkgs/tools/graphics/qrcode/default.nix b/pkgs/tools/graphics/qrcode/default.nix
index e5bc5517b89..a1aefbff33c 100644
--- a/pkgs/tools/graphics/qrcode/default.nix
+++ b/pkgs/tools/graphics/qrcode/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchgit}:
+{ stdenv, fetchgit }:
 let
   s =
   rec {
@@ -16,14 +16,19 @@ in
 stdenv.mkDerivation {
   inherit (s) name version;
   inherit buildInputs;
+
   src = fetchgit {
     inherit (s) rev url sha256;
   };
+
+  hardening_fortify = false;
+
   installPhase = ''
     mkdir -p "$out"/{bin,share/doc/qrcode}
     cp qrcode "$out/bin"
     cp DOCUMENTATION LICENCE "$out/share/doc/qrcode"
   '';
+
   meta = {
     inherit (s) version;
     description = ''A small QR-code tool'';
diff --git a/pkgs/tools/graphics/transfig/default.nix b/pkgs/tools/graphics/transfig/default.nix
index f540029cbc7..c584ed282d6 100644
--- a/pkgs/tools/graphics/transfig/default.nix
+++ b/pkgs/tools/graphics/transfig/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
   buildInputs = [zlib libjpeg libpng imake];
   inherit libpng;
 
+  hardening_format = false;
+
   patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch];
 
   prefixPatch1 =
diff --git a/pkgs/tools/graphics/zbar/default.nix b/pkgs/tools/graphics/zbar/default.nix
index 48e3316a4a2..f0e53696fc5 100644
--- a/pkgs/tools/graphics/zbar/default.nix
+++ b/pkgs/tools/graphics/zbar/default.nix
@@ -15,7 +15,9 @@ stdenv.mkDerivation rec {
     [ imagemagickBig pkgconfig python pygtk perl libX11
       libv4l qt4 lzma gtk2 ];
 
-  configureFlags = ["--disable-video"];
+  configureFlags = [ "--disable-video" ];
+
+  hardening_fortify = false;
 
   meta = with stdenv.lib; {
     description = "Bar code reader";
diff --git a/pkgs/tools/misc/calamares/default.nix b/pkgs/tools/misc/calamares/default.nix
index ab00d52c777..075f925c92f 100644
--- a/pkgs/tools/misc/calamares/default.nix
+++ b/pkgs/tools/misc/calamares/default.nix
@@ -1,15 +1,16 @@
-{ stdenv, fetchgit, cmake, polkit-qt, libyamlcpp, python, boost, parted
+{ stdenv, fetchurl, cmake, polkit-qt, libyamlcpp, python, boost, parted
 , extra-cmake-modules, kconfig, ki18n, kcoreaddons, solid, utillinux, libatasmart
 , ckbcomp, glibc, tzdata, xkeyboard_config, qtbase, qtquick1, qtsvg, qttools }:
 
 stdenv.mkDerivation rec {
-  name = "calamares-${version}";
-  version = "1.0";
-
-  src = fetchgit {
-    url = "https://github.com/calamares/calamares.git";
-    rev = "dabfb68a68cb012a90cd7b94a22e1ea08f7dd8ad";
-    sha256 = "2851ce487aaac61d2df342a47f91ec87fe52ff036227ef697caa7056fe5f188c";
+  name = "${pname}-${version}";
+  pname = "calamares";
+  version = "1.1.4.2";
+
+  # release including submodule
+  src = fetchurl {
+    url = "https://github.com/${pname}/${pname}/releases/download/v${version}/${name}.tar.gz";
+    sha256 = "1mh0nmzc3i1aqcj79q2s3vpccn0mirlfbj26sfyb0v6gcrvf707d";
   };
 
   buildInputs = [
diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix
index 3bd5a9cbc58..4a944f69878 100644
--- a/pkgs/tools/misc/coreutils/default.nix
+++ b/pkgs/tools/misc/coreutils/default.nix
@@ -19,6 +19,9 @@ let
       sha256 = "11yfrnb94xzmvi4lhclkcmkqsbhww64wf234ya1aacjvg82prrii";
     };
 
+    # FIXME needs gcc 4.9 in bootstrap tools
+    hardening_stackprotector = false;
+
     patches = optional stdenv.isCygwin ./coreutils-8.23-4.cygwin.patch;
 
     # The test tends to fail on btrfs and maybe other unusual filesystems.
diff --git a/pkgs/tools/misc/ddccontrol/default.nix b/pkgs/tools/misc/ddccontrol/default.nix
index 2d5d10054b5..d537c0f506f 100644
--- a/pkgs/tools/misc/ddccontrol/default.nix
+++ b/pkgs/tools/misc/ddccontrol/default.nix
@@ -16,10 +16,12 @@
 let version = "0.4.2"; in
 stdenv.mkDerivation {
   name = "ddccontrol-${version}";
+
   src = fetchurl {
     url = "mirror://sourceforge/ddccontrol/ddccontrol-${version}.tar.bz2";
     sha1 = "fd5c53286315a61a18697a950e63ed0c8d5acff1";
   };
+
   buildInputs =
     [
       intltool
@@ -35,6 +37,8 @@ stdenv.mkDerivation {
       ddccontrol-db
     ];
 
+  hardening_format = false;
+
   prePatch = ''
       newPath=$(echo "${ddccontrol-db}/share/ddccontrol-db" | sed "s/\\//\\\\\\//g")
       mv configure.ac configure.ac.old
diff --git a/pkgs/tools/misc/detox/default.nix b/pkgs/tools/misc/detox/default.nix
index bdc018aec34..4475010f3b8 100644
--- a/pkgs/tools/misc/detox/default.nix
+++ b/pkgs/tools/misc/detox/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 
   buildInputs = [flex];
 
+  hardening_format = false;
+
   meta = with stdenv.lib; {
     homepage = http://detox.sourceforge.net/;
     description = "Utility designed to clean up filenames";
diff --git a/pkgs/tools/misc/expect/default.nix b/pkgs/tools/misc/expect/default.nix
index a50717d5399..f99b83a2a0a 100644
--- a/pkgs/tools/misc/expect/default.nix
+++ b/pkgs/tools/misc/expect/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ tcl ];
   nativeBuildInputs = [ makeWrapper ];
 
+  hardening_format = false;
+
   patchPhase = ''
     sed -i "s,/bin/stty,$(type -p stty),g" configure
   '';
diff --git a/pkgs/tools/misc/gbdfed/default.nix b/pkgs/tools/misc/gbdfed/default.nix
index 104d3fad8d0..d3b62149bdf 100644
--- a/pkgs/tools/misc/gbdfed/default.nix
+++ b/pkgs/tools/misc/gbdfed/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
 
   patches = [ ./Makefile.patch ];
 
+  hardening_format = false;
+
   meta = {
     description = "Bitmap Font Editor";
     longDescription = ''
diff --git a/pkgs/tools/misc/grub/2.0x.nix b/pkgs/tools/misc/grub/2.0x.nix
index 8e52adc7699..f3c09ef686a 100644
--- a/pkgs/tools/misc/grub/2.0x.nix
+++ b/pkgs/tools/misc/grub/2.0x.nix
@@ -52,6 +52,8 @@ stdenv.mkDerivation rec {
     ++ optional doCheck qemu
     ++ optional zfsSupport zfs;
 
+  hardening_all = false;
+
   preConfigure =
     '' for i in "tests/util/"*.in
        do
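Review bot: `hardening_all = false;` removes every hardening flag from the grub 2 build with no comment, while grub/trusted.nix in this commit disables only `hardening_stackprotector` and `hardening_pic`, and grub/default.nix only `hardening_stackprotector`. The boot-time code presumably cannot be built with some of these flags, but if the derivation also produces host-side utilities they lose the format and fortify checks too. I would try the narrower pair from trusted.nix first and in any case state the reason, e.g. `# FIXME: <which flags break the boot images and why>`. The preConfigure block continues outside the hunk.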
diff --git a/pkgs/tools/misc/grub/default.nix b/pkgs/tools/misc/grub/default.nix
index d6534fc5ee6..c0579b91816 100644
--- a/pkgs/tools/misc/grub/default.nix
+++ b/pkgs/tools/misc/grub/default.nix
@@ -36,6 +36,8 @@ stdenv.mkDerivation {
   # autoreconfHook required for the splashimage patch.
   buildInputs = [ autoreconfHook texinfo ];
 
+  hardening_stackprotector = false;
+
   prePatch = ''
     unpackFile $gentooPatches
     rm patch/400_all_grub-0.97-reiser4-20050808-gentoo.patch
diff --git a/pkgs/tools/misc/grub/trusted.nix b/pkgs/tools/misc/grub/trusted.nix
index 694f45599f3..39c1ce9c0c1 100644
--- a/pkgs/tools/misc/grub/trusted.nix
+++ b/pkgs/tools/misc/grub/trusted.nix
@@ -47,6 +47,9 @@ stdenv.mkDerivation rec {
   buildInputs = [ ncurses libusb freetype gettext devicemapper ]
     ++ optional doCheck qemu;
 
+  hardening_stackprotector = false;
+  hardening_pic = false;
+
   preConfigure =
     '' for i in "tests/util/"*.in
        do
diff --git a/pkgs/tools/misc/gummiboot/default.nix b/pkgs/tools/misc/gummiboot/default.nix
index 9d9b7700c90..d25b4f65ad7 100644
--- a/pkgs/tools/misc/gummiboot/default.nix
+++ b/pkgs/tools/misc/gummiboot/default.nix
@@ -5,6 +5,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ gnu-efi pkgconfig libxslt utillinux ];
 
+  #hardening_all = false;
+
   # Sigh, gummiboot should be able to find this in buildInputs
   configureFlags = [
     "--with-efi-includedir=${gnu-efi}/include"
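Review bot: The added line `#hardening_all = false;` is commented out, so it changes nothing and leaves the reader guessing whether the opt-out was tried and found unnecessary or is still expected to be needed. Either delete it or turn it into a real note, e.g. `# builds with default hardening; hardening_all = false was not needed`.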
diff --git a/pkgs/tools/misc/ipxe/default.nix b/pkgs/tools/misc/ipxe/default.nix
index e4c161b2e51..0830eb51b3c 100644
--- a/pkgs/tools/misc/ipxe/default.nix
+++ b/pkgs/tools/misc/ipxe/default.nix
@@ -18,6 +18,10 @@ stdenv.mkDerivation {
 
   preConfigure = "cd src";
 
+  # not possible due to assembler code
+  hardening_pic = false;
+  hardening_stackprotector = false;
+
   makeFlags =
     [ "ECHO_E_BIN_ECHO=echo" "ECHO_E_BIN_ECHO_E=echo" # No /bin/echo here.
       "ISOLINUX_BIN_LIST=${syslinux}/share/syslinux/isolinux.bin"
diff --git a/pkgs/tools/misc/pal/default.nix b/pkgs/tools/misc/pal/default.nix
index ff7279d0d57..a65bd1fe8ec 100644
--- a/pkgs/tools/misc/pal/default.nix
+++ b/pkgs/tools/misc/pal/default.nix
@@ -12,12 +12,12 @@ stdenv.mkDerivation rec {
     sed -i -e 's,/etc/pal\.conf,'$out/etc/pal.conf, src/input.c
   '';
 
-  preBuild = ''
-    export makeFlags="prefix=$out"
-  '';
+  makeFlags = "prefix=$(out)";
 
   buildInputs = [ glib gettext readline pkgconfig ];
 
+  hardening_format = false;
+
   meta = {
     homepage = http://palcal.sourceforge.net/;
     description = "Command-line calendar program that can keep track of events";
diff --git a/pkgs/tools/misc/sutils/default.nix b/pkgs/tools/misc/sutils/default.nix
index d0576cc069a..48c47cc3d8d 100644
--- a/pkgs/tools/misc/sutils/default.nix
+++ b/pkgs/tools/misc/sutils/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
      sha256 = "0xqk42vl82chy458d64fj68a4md4bxaip8n3xw9skxz0a1sgvks8";
    };
 
+   hardening_format = false;
+
    prePatch = ''sed -i "s@/usr/local@$out@" Makefile'';
 
    meta = {
diff --git a/pkgs/tools/misc/uucp/default.nix b/pkgs/tools/misc/uucp/default.nix
index bf73dbcbf2f..cba343863be 100644
--- a/pkgs/tools/misc/uucp/default.nix
+++ b/pkgs/tools/misc/uucp/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "0b5nhl9vvif1w3wdipjsk8ckw49jj1w85xw1mmqi3zbcpazia306";
   };
 
-  doCheck = true;
+  hardening_format = false;
 
   meta = {
     description = "Unix-unix cp over serial line, also includes cu program";
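Review bot: This hunk replaces `doCheck = true;` with `hardening_format = false;`, so the package's test suite stops running in the same change that relaxes a compiler check, and neither is explained. If the tests fail only because of the new flags, say so in a comment such as `# FIXME: check phase fails with hardening flags (<error>)`. Otherwise keep `doCheck = true;` next to the new line, since dropping the tests removes the one signal that the relaxed build still works.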
diff --git a/pkgs/tools/misc/vorbisgain/default.nix b/pkgs/tools/misc/vorbisgain/default.nix
index ea61e063328..292023a1b58 100644
--- a/pkgs/tools/misc/vorbisgain/default.nix
+++ b/pkgs/tools/misc/vorbisgain/default.nix
@@ -8,11 +8,14 @@ stdenv.mkDerivation rec {
     sha256 = "1v1h6mhnckmvvn7345hzi9abn5z282g4lyyl4nnbqwnrr98v0vfx";
   };
 
+  hardening_format = false;
+
   buildInputs = [ unzip libogg libvorbis ];
+
   patchPhase = ''
     chmod -v +x configure
     configureFlags="--mandir=$out/share/man"
-    '';
+  '';
 
   meta = with stdenv.lib; {
     homepage = http://sjeng.org/vorbisgain.html;
diff --git a/pkgs/tools/misc/wv/default.nix b/pkgs/tools/misc/wv/default.nix
index dbb46cea832..3d828a55121 100644
--- a/pkgs/tools/misc/wv/default.nix
+++ b/pkgs/tools/misc/wv/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ zlib imagemagick libpng glib pkgconfig libgsf libxml2 bzip2 ];
 
+  hardening_format = false;
+
   meta = {
     description = "Converter from Microsoft Word formats to human-editable ones";
   };
diff --git a/pkgs/tools/misc/xfstests/default.nix b/pkgs/tools/misc/xfstests/default.nix
index b7c1795c037..cef5fee9cf9 100644
--- a/pkgs/tools/misc/xfstests/default.nix
+++ b/pkgs/tools/misc/xfstests/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ acl autoreconfHook attr gawk libaio libuuid libxfs openssl perl ];
 
+  hardening_format = false;
+
   patchPhase = ''
     # Patch the destination directory
     sed -i include/builddefs.in -e "s|^PKG_LIB_DIR\s*=.*|PKG_LIB_DIR=$out/lib/xfstests|"
diff --git a/pkgs/tools/networking/chrony/default.nix b/pkgs/tools/networking/chrony/default.nix
index 38839c4b6ac..0729f35db59 100644
--- a/pkgs/tools/networking/chrony/default.nix
+++ b/pkgs/tools/networking/chrony/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ readline texinfo nss nspr ] ++ stdenv.lib.optional stdenv.isLinux libcap;
   nativeBuildInputs = [ pkgconfig ];
 
+  hardening_pie = true;
+
   configureFlags = [
     "--chronyvardir=$(out)/var/lib/chrony"
   ];
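Review bot: `hardening_pie = true;` is opted into here and, in the same way, for dnsmasq, ntp, openssh, radvd and socat, but none of the hunks states the selection rule. A short comment such as `# network-facing daemon: build as PIE so ASLR covers the main executable` would tell the next packager when to add the flag to a new service. It would also help to confirm on one of the outputs that the binary really is position-independent, since a package's own build system can override compiler and linker flags.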
diff --git a/pkgs/tools/networking/dhcpdump/default.nix b/pkgs/tools/networking/dhcpdump/default.nix
index 778cfc3b5ed..915562bd779 100644
--- a/pkgs/tools/networking/dhcpdump/default.nix
+++ b/pkgs/tools/networking/dhcpdump/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [libpcap perl];
 
+  hardening_fortify = false;
+
   installPhase = ''
     mkdir -pv $out/bin
     cp dhcpdump $out/bin
diff --git a/pkgs/tools/networking/dnsmasq/default.nix b/pkgs/tools/networking/dnsmasq/default.nix
index 63720faf707..6032e53f0ba 100644
--- a/pkgs/tools/networking/dnsmasq/default.nix
+++ b/pkgs/tools/networking/dnsmasq/default.nix
@@ -29,6 +29,8 @@ stdenv.mkDerivation rec {
     "LOCALEDIR=$(out)/share/locale"
   ];
 
+  hardening_pie = true;
+
   postBuild = optionalString stdenv.isLinux ''
     make -C contrib/wrt
   '';
diff --git a/pkgs/tools/networking/eggdrop/default.nix b/pkgs/tools/networking/eggdrop/default.nix
index cf7fb20df68..90bc8b54f28 100644
--- a/pkgs/tools/networking/eggdrop/default.nix
+++ b/pkgs/tools/networking/eggdrop/default.nix
@@ -1,16 +1,20 @@
-{ stdenv, fetchurl, tcl }:
+{ stdenv, fetchFromGitHub, tcl }:
 
 stdenv.mkDerivation rec {
   name = "eggdrop-${version}";
-  version = "1.6.21";
+  version = "1.6.21-nix1";
 
-  src = fetchurl {
-    url = "ftp://ftp.eggheads.org/pub/eggdrop/GNU/1.6/eggdrop${version}.tar.gz";
-    sha256 = "1galvbh9y4c3msrg1s9na0asm077mh1g2i2vsv1vczmfrbgq92vs";
+  src = fetchFromGitHub {
+    owner = "eggheads";
+    repo = "eggdrop";
+    rev = "9ec109a13c016c4cdc7d52b7e16e4b9b6fbb9331";
+    sha256 = "0mf1vcbmpnvmf5mxk7gi3z32fxpcbynsh9jni8z8frrscrdf5lp5";
   };
 
   buildInputs = [ tcl ];
 
+  hardening_format = false;
+
   preConfigure = ''
     prefix=$out/eggdrop
     mkdir -p $prefix
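Review bot: The source moves from the 1.6.21 release tarball to the GitHub commit `9ec109a13c016c4cdc7d52b7e16e4b9b6fbb9331` under the locally invented version `1.6.21-nix1`, and nothing states how that commit relates to the release or why the tarball was dropped. Add a comment above `src`, e.g. `# <reason for building from git>; <relation of this commit to the 1.6.21 release>`, so the version string can be trusted. `hardening_format = false;` is added without a reason as well, for a program that presumably parses IRC traffic; a patch like the one applied to jfsutils would be preferable to the opt-out. The preConfigure block continues outside the hunk.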
diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix
index 33d8ee2fd63..414ff692d10 100644
--- a/pkgs/tools/networking/iperf/2.nix
+++ b/pkgs/tools/networking/iperf/2.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3";
   };
 
+  hardening_format = false;
+
   meta = with stdenv.lib; {
     homepage = "http://sourceforge.net/projects/iperf/"; 
     description = "Tool to measure IP bandwidth using UDP or TCP";
diff --git a/pkgs/tools/networking/lsh/default.nix b/pkgs/tools/networking/lsh/default.nix
deleted file mode 100644
index 77d268f3a47..00000000000
--- a/pkgs/tools/networking/lsh/default.nix
+++ /dev/null
@@ -1,49 +0,0 @@
-{ stdenv, fetchurl, gperf, guile, gmp, zlib, liboop, readline, gnum4, pam
-, nettools, lsof, procps }:
-
-stdenv.mkDerivation rec {
-  name = "lsh-2.0.4";
-  src = fetchurl {
-    url = "mirror://gnu/lsh/${name}.tar.gz";
-    sha256 = "614b9d63e13ad3e162c82b6405d1f67713fc622a8bc11337e72949d613713091";
-  };
-
-  patches = [ ./pam-service-name.patch ./lshd-no-root-login.patch ];
-
-  preConfigure = ''
-    # Patch `lsh-make-seed' so that it can gather enough entropy.
-    sed -i "src/lsh-make-seed.c" \
-        -e "s|/usr/sbin/arp|${nettools}/sbin/arp|g ;
-            s|/usr/bin/netstat|${nettools}/bin/netstat|g ;
-            s|/usr/local/bin/lsof|${lsof}/bin/lsof|g ;
-            s|/bin/vmstat|${procps}/bin/vmstat|g ;
-            s|/bin/ps|${procps}/bin/sp|g ;
-            s|/usr/bin/w|${procps}/bin/w|g ;
-            s|/usr/bin/df|$(type -P df)|g ;
-            s|/usr/bin/ipcs|$(type -P ipcs)|g ;
-            s|/usr/bin/uptime|$(type -P uptime)|g"
-
-    # Skip the `configure' script that checks whether /dev/ptmx & co. work as
-    # expected, because it relies on impurities (for instance, /dev/pts may
-    # be unavailable in chroots.)
-    export lsh_cv_sys_unix98_ptys=yes
-  '';
-
-  buildInputs = [ gperf guile gmp zlib liboop readline gnum4 pam ];
-
-  meta = {
-    description = "GPL'd implementation of the SSH protocol";
-
-    longDescription = ''
-      lsh is a free implementation (in the GNU sense) of the ssh
-      version 2 protocol, currently being standardised by the IETF
-      SECSH working group.
-    '';
-
-    homepage = http://www.lysator.liu.se/~nisse/lsh/;
-    license = stdenv.lib.licenses.gpl2Plus;
-
-    maintainers = [ ];
-    platforms = [ "x86_64-linux" ];
-  };
-}
diff --git a/pkgs/tools/networking/lsh/lshd-no-root-login.patch b/pkgs/tools/networking/lsh/lshd-no-root-login.patch
deleted file mode 100644
index 9dd81de3fbc..00000000000
--- a/pkgs/tools/networking/lsh/lshd-no-root-login.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Correctly handle the `--no-root-login' option.
-
---- lsh-2.0.4/src/lshd.c	2006-05-01 13:47:44.000000000 +0200
-+++ lsh-2.0.4/src/lshd.c	2009-09-08 12:20:36.000000000 +0200
-@@ -758,6 +758,10 @@ main_argp_parser(int key, char *arg, str
-       self->allow_root = 1;
-       break;
- 
-+    case OPT_NO_ROOT_LOGIN:
-+      self->allow_root = 0;
-+      break;
-+
-     case OPT_KERBEROS_PASSWD:
-       self->pw_helper = PATH_KERBEROS_HELPER;
-       break;
-
diff --git a/pkgs/tools/networking/lsh/pam-service-name.patch b/pkgs/tools/networking/lsh/pam-service-name.patch
deleted file mode 100644
index 6a6156855c5..00000000000
--- a/pkgs/tools/networking/lsh/pam-service-name.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Tell `lsh-pam-checkpw', the PAM password helper program, to use a more
-descriptive service name.
-
---- lsh-2.0.4/src/lsh-pam-checkpw.c	2003-02-16 22:30:10.000000000 +0100
-+++ lsh-2.0.4/src/lsh-pam-checkpw.c	2008-11-28 16:16:58.000000000 +0100
-@@ -38,7 +38,7 @@
- #include <security/pam_appl.h>
- 
- #define PWD_MAXLEN 1024
--#define SERVICE_NAME "other"
-+#define SERVICE_NAME "lshd"
- #define TIMEOUT 600 
- 
- static int
diff --git a/pkgs/tools/networking/mailutils/default.nix b/pkgs/tools/networking/mailutils/default.nix
index cbca408f084..53e17e6cecd 100644
--- a/pkgs/tools/networking/mailutils/default.nix
+++ b/pkgs/tools/networking/mailutils/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
     sha256 = "0szbqa12zqzldqyw97lxqax3ja2adis83i7brdfsxmrfw68iaf65";
   };
 
+  hardening_format = false;
+
   patches = [ ./path-to-cat.patch ./no-gets.patch ];
 
   configureFlags = "--with-path-sendmail=${sendmailPath}";
diff --git a/pkgs/tools/networking/ncat/default.nix b/pkgs/tools/networking/ncat/default.nix
deleted file mode 100644
index 8f81e9284b6..00000000000
--- a/pkgs/tools/networking/ncat/default.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{stdenv, fetchurl, openssl}:
-
-stdenv.mkDerivation {
-  name = "ncat-0.10rc3";
-
-  src = fetchurl {
-    url = mirror://sourceforge/nmap-ncat/ncat-0.10rc3.tar.gz;
-    sha256 = "1yb26ipxwhqkfannji90jxi38k35fal4ffx0jm5clr1a1rndjjzb";
-  };
-
-  patches = [./ncat-0.10rc3.patch];
-
-  buildInputs = [openssl];
-
-  CFLAGS = "-g";
-
-  postInstall = ''
-    install -D ncat $out/bin/ncat
-    install -D docs/man/ncat.1 $out/man/ncat.1
-  '';
-
-  meta = {
-    description = "A netcat implementation with IPv6 support";
-  };
-}
diff --git a/pkgs/tools/networking/ncat/ncat-0.10rc3.patch b/pkgs/tools/networking/ncat/ncat-0.10rc3.patch
deleted file mode 100644
index ed4c93673aa..00000000000
--- a/pkgs/tools/networking/ncat/ncat-0.10rc3.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-diff -urN ncat-0.10rc3/ncat_main.c ncat-0.10rc3-fixed/ncat_main.c
---- ncat-0.10rc3/ncat_main.c	2006-01-10 03:29:08.000000000 +0300
-+++ ncat-0.10rc3-fixed/ncat_main.c	2007-07-09 09:58:58.000000000 +0400
-@@ -23,6 +23,7 @@
- {
-     struct sockaddr_in ss;
-     struct sockaddr_in6 ss6;
-+    struct sockaddr_storage sst;
-     
-     struct conn_state cs;
- 
-@@ -271,7 +272,7 @@
- 	}
- 
- 	/* resolve hostname */
--	if (!resolve(argv[optind], (struct sockaddr_storage *) &ss)) {
-+	if (!resolve(argv[optind], (struct sockaddr_storage *) &sst)) {
- 	    /* host failed to resolve :( */
- 	    fprintf(stderr,
- 		    "%s: Could not resolve target hostname %s. QUITTING.\n",
-@@ -297,6 +298,8 @@
- 
- 	/* IPv6 connect() */
- 	if (oipv == 6) {
-+            memcpy(&ss6,&sst,sizeof(ss6));
-+	
- 	    ss6.sin6_family = AF_INET6;
- 	    ss_len = sizeof(struct sockaddr_in6);
- 
-@@ -329,6 +332,8 @@
- 	}
- 	/* IPv4 connect() - default. */
- 	else {
-+            memcpy(&ss,&sst,sizeof(ss)); 
-+
- 	    ss.sin_family = AF_INET;
- 	    ss_len = sizeof(struct sockaddr_in);
- 
diff --git a/pkgs/tools/networking/netboot/default.nix b/pkgs/tools/networking/netboot/default.nix
index 0f75bd44d69..349dba12538 100644
--- a/pkgs/tools/networking/netboot/default.nix
+++ b/pkgs/tools/networking/netboot/default.nix
@@ -9,10 +9,12 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ yacc lzo db4 ];
 
+  hardening_format = false;
+
   meta = with stdenv.lib; {
     description = "Mini PXE server";
     maintainers = [ maintainers.raskin ];
     platforms = ["x86_64-linux"];
     license = stdenv.lib.licenses.free;
   };
-}
\ No newline at end of file
+}
diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix
index 0e7c23fd3a6..47fa2708821 100644
--- a/pkgs/tools/networking/ntp/default.nix
+++ b/pkgs/tools/networking/ntp/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ autoreconfHook ];
   buildInputs = [ libcap openssl ];
 
+  hardening_pie = true;
+
   postInstall = ''
     rm -rf $out/share/doc
   '';
diff --git a/pkgs/tools/networking/openfortivpn/default.nix b/pkgs/tools/networking/openfortivpn/default.nix
index 50fde6a7794..25af3e11caf 100644
--- a/pkgs/tools/networking/openfortivpn/default.nix
+++ b/pkgs/tools/networking/openfortivpn/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, automake, autoconf, openssl, ppp }:
+{ stdenv, fetchFromGitHub, autoreconfHook, openssl, ppp }:
 
 with stdenv.lib;
 
@@ -15,13 +15,11 @@ in stdenv.mkDerivation {
     sha256 = "0kwl8hv3nydd34xp1489jpjdj4bmknfl9xrgynij0vf5qx29xv7m";
   };
 
-  buildInputs = [ openssl automake autoconf ppp ];
+  buildInputs = [ openssl ppp autoreconfHook ];
 
-  preConfigure = ''
-    aclocal
-    autoconf
-    automake --add-missing
+  hardening_format = false;
 
+  preConfigure = ''
     substituteInPlace src/tunnel.c --replace "/usr/sbin/pppd" "${ppp}/bin/pppd"
   '';
 
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index a6aed5169c8..67c0f3ec89e 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -71,6 +71,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardening_pie = true;
+
   postInstall = ''
     # Install ssh-copy-id, it's very useful.
     cp contrib/ssh-copy-id $out/bin/
diff --git a/pkgs/tools/networking/radvd/default.nix b/pkgs/tools/networking/radvd/default.nix
index 84db01dc4ba..8b0b3d9a736 100644
--- a/pkgs/tools/networking/radvd/default.nix
+++ b/pkgs/tools/networking/radvd/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig libdaemon bison flex check ];
 
+  hardening_pie = true;
+
   meta = with stdenv.lib; {
     homepage = http://www.litech.org/radvd/;
     description = "IPv6 Router Advertisement Daemon";
diff --git a/pkgs/tools/networking/socat/default.nix b/pkgs/tools/networking/socat/default.nix
index f57af20739d..e59e6d46080 100644
--- a/pkgs/tools/networking/socat/default.nix
+++ b/pkgs/tools/networking/socat/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   patches = [ ./enable-ecdhe.patch ./libressl-fixes.patch ];
 
+  hardening_pie = true;
+
   meta = {
     description = "A utility for bidirectional data transfer between two independent data channels";
     homepage = http://www.dest-unreach.org/socat/;
diff --git a/pkgs/tools/networking/stunnel/default.nix b/pkgs/tools/networking/stunnel/default.nix
index e8b56ed7d96..b3a493c9375 100644
--- a/pkgs/tools/networking/stunnel/default.nix
+++ b/pkgs/tools/networking/stunnel/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   name    = "stunnel-${version}";
-  version = "5.29";
+  version = "5.30";
 
   src = fetchurl {
     url    = "http://www.stunnel.org/downloads/${name}.tar.gz";
-    sha256 = "0lgmdpsm36a6j5s0jabv3cfg3rzqz9c9sfdqgkx399iy80jrd423";
+    sha256 = "0w05sqwg3jn7n469w2yxj0cxx7az7jpd8wbcrwxlp5d1ys4v6vkx";
   };
 
   buildInputs = [ openssl ];
diff --git a/pkgs/tools/networking/telnet/default.nix b/pkgs/tools/networking/telnet/default.nix
index 9827b62c6c4..3fe6144b72c 100644
--- a/pkgs/tools/networking/telnet/default.nix
+++ b/pkgs/tools/networking/telnet/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation {
     sha256 = "0cs7ks22dhcn5qfjv2vl6ikhw93x68gg33zdn5f5cxgg81kx5afn";
   };
 
+  hardening_format = false;
+
   buildInputs = [ncurses];
 
   meta = {
diff --git a/pkgs/tools/networking/trickle/default.nix b/pkgs/tools/networking/trickle/default.nix
index d10e645dc87..22f991d8fe2 100644
--- a/pkgs/tools/networking/trickle/default.nix
+++ b/pkgs/tools/networking/trickle/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "0s1qq3k5mpcs9i7ng0l9fvr1f75abpbzfi1jaf3zpzbs1dz50dlx";
   };
 
-  buildInputs = [libevent];
+  buildInputs = [ libevent ];
 
   preConfigure = ''
     sed -i 's|libevent.a|libevent.so|' configure
@@ -22,6 +22,8 @@ stdenv.mkDerivation rec {
 
   configureFlags = "--with-libevent";
 
+  hardening_format = false;
+
   meta = {
     description = "Lightweight userspace bandwidth shaper";
     license = stdenv.lib.licenses.bsd3;
diff --git a/pkgs/tools/networking/uwimap/default.nix b/pkgs/tools/networking/uwimap/default.nix
index 1da9ca96984..1c7c946000e 100644
--- a/pkgs/tools/networking/uwimap/default.nix
+++ b/pkgs/tools/networking/uwimap/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation {
     # -fPIC is required to compile php with imap on x86_64 systems
     + stdenv.lib.optionalString stdenv.isx86_64 " EXTRACFLAGS=-fPIC";
 
+  hardening_format = false;
+
   buildInputs = [ openssl ]
     ++ stdenv.lib.optional (!stdenv.isDarwin) pam;
 
diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix
index 72a31262e26..ba9552d4fae 100644
--- a/pkgs/tools/networking/vde2/default.nix
+++ b/pkgs/tools/networking/vde2/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ openssl libpcap python ];
 
+  hardening_format = false;
+
   meta = {
     homepage = http://vde.sourceforge.net/;
     description = "Virtual Distributed Ethernet, an Ethernet compliant virtual network";
diff --git a/pkgs/tools/package-management/checkinstall/default.nix b/pkgs/tools/package-management/checkinstall/default.nix
index dc3373c3b6f..f1d7985e9a5 100644
--- a/pkgs/tools/package-management/checkinstall/default.nix
+++ b/pkgs/tools/package-management/checkinstall/default.nix
@@ -44,6 +44,8 @@ stdenv.mkDerivation {
 
   buildInputs = [gettext];
 
+  hardening_fortify = false;
+
   preBuild = ''
     makeFlagsArray=(PREFIX=$out)
 
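Review bot: `hardening_fortify = false;` switches off the fortify hardening for checkinstall without a comment recording what breaks when it is enabled; the clib hunk below does the same. clib lists `curl` in `buildInputs`, so it presumably handles downloaded content, which is where the fortified libc checks are most useful. I would state the failure next to the flag, e.g. `# fortify off: <build or runtime error seen with it enabled>`, and keep the opt-out only if the code cannot be patched. The derivation body continues outside this hunk.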
diff --git a/pkgs/tools/package-management/clib/default.nix b/pkgs/tools/package-management/clib/default.nix
index ae1213aee7c..d52243dcea5 100644
--- a/pkgs/tools/package-management/clib/default.nix
+++ b/pkgs/tools/package-management/clib/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "0hbi5hf4w0iim96h89j7krxv61x92ffxjbldxp3zk92m5sgpldnm";
   };
 
+  hardening_fortify = false;
+
   makeFlags = "PREFIX=$(out)";
 
   buildInputs = [ curl ];
diff --git a/pkgs/tools/security/fprint_demo/default.nix b/pkgs/tools/security/fprint_demo/default.nix
index 282c3541dde..273d692ebaa 100644
--- a/pkgs/tools/security/fprint_demo/default.nix
+++ b/pkgs/tools/security/fprint_demo/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ libfprint gtk2 ];
   nativeBuildInputs = [ pkgconfig autoreconfHook ];
 
+  hardening_format = false;
+
   meta = with stdenv.lib; {
     homepage = "http://www.freedesktop.org/wiki/Software/fprint/fprint_demo/";
     description = "A simple GTK+ application to demonstrate and test libfprint's capabilities";
diff --git a/pkgs/tools/security/john/default.nix b/pkgs/tools/security/john/default.nix
index 2e99208fe11..dfaa56f0c77 100644
--- a/pkgs/tools/security/john/default.nix
+++ b/pkgs/tools/security/john/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
     sha256 = "08q92sfdvkz47rx6qjn7qv57cmlpy7i7rgddapq5384mb413vjds";
   };
 
+  patches = [ ./gcc5.patch ];
+
   postPatch = ''
     sed -ri -e '
       s!^(#define\s+CFG_[A-Z]+_NAME\s+).*/!\1"'"$out"'/etc/john/!
diff --git a/pkgs/tools/security/john/gcc5.patch b/pkgs/tools/security/john/gcc5.patch
new file mode 100644
index 00000000000..73da83483f9
--- /dev/null
+++ b/pkgs/tools/security/john/gcc5.patch
@@ -0,0 +1,14 @@
+diff --git a/src/common.h b/src/common.h
+--- a/src/common.h
++++ b/src/common.h
+@@ -31,7 +31,9 @@ typedef unsigned long long ARCH_WORD_64;
+ #define is_aligned(PTR, CNT) ((((ARCH_WORD)(const void *)(PTR))&(CNT-1))==0)
+ 
+ #ifdef __GNUC__
+-#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 7) || defined(__INTEL_COMPILER)
++#if __GNUC__ >= 5
++#define MAYBE_INLINE __attribute__((gnu_inline)) inline
++#elif __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 7) || defined(__INTEL_COMPILER)
+ #define MAYBE_INLINE __attribute__((always_inline)) inline
+ #elif __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 1)
+ #define MAYBE_INLINE __attribute__((always_inline))
diff --git a/pkgs/tools/security/signing-party/default.nix b/pkgs/tools/security/signing-party/default.nix
index dfd5cd6c7d7..e2e3955628d 100644
--- a/pkgs/tools/security/signing-party/default.nix
+++ b/pkgs/tools/security/signing-party/default.nix
@@ -1,12 +1,12 @@
 {stdenv, fetchurl, gnupg, perl, automake111x, autoconf}:
 
 stdenv.mkDerivation rec {
-  version = "2.1";
+  version = "2.2";
   basename = "signing-party";
   name = "${basename}-${version}";
   src = fetchurl {
     url = "mirror://debian/pool/main/s/${basename}/${basename}_${version}.orig.tar.gz";
-    sha256 = "0pcni3mf92503bqknwlsvv1f5gz23dmzwas2j8g2fk7afjd891ya";
+    sha256 = "13qncdyadw1cnslc2xss9s2rpkalm7rz572b23p7mqcdqp30cpdd";
   };
 
   sourceRoot = ".";
diff --git a/pkgs/tools/security/tboot/default.nix b/pkgs/tools/security/tboot/default.nix
index 854f67f2aee..1a2bc6a3108 100644
--- a/pkgs/tools/security/tboot/default.nix
+++ b/pkgs/tools/security/tboot/default.nix
@@ -12,12 +12,16 @@ stdenv.mkDerivation rec {
 
   patches = [ ./tboot-add-well-known-secret-option-to-lcp_writepol.patch ];
 
+  hardening_pic = false;
+  hardening_stackprotector = false;
+
   configurePhase = ''
     for a in lcptools utils tb_polgen; do
       substituteInPlace $a/Makefile --replace /usr/sbin /sbin
     done
     substituteInPlace docs/Makefile --replace /usr/share /share
   '';
+
   installFlags = "DESTDIR=$(out)";
 
   meta = with stdenv.lib; {
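Review bot: `hardening_pic = false;` and `hardening_stackprotector = false;` are set for the whole derivation with no explanation. If the reason is that part of tboot is built as a freestanding boot-time binary (an inference, nothing in the hunk shows it), the opt-out also reaches the userspace tools named in `configurePhase` (`lcptools`, `utils`, `tb_polgen`), which could keep both protections. I would add `# <boot-time component> cannot link the stack-protector runtime or be built PIC` above the two flags and, if the build allows it, narrow the opt-out to that component.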
diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix
index 998be45d9c6..805336cfe44 100644
--- a/pkgs/tools/system/cron/default.nix
+++ b/pkgs/tools/system/cron/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation {
 
   unpackCmd = "(mkdir cron && cd cron && sh $curSrc)";
 
+  hardening_pie = true;
+
   preBuild = ''
     substituteInPlace Makefile --replace ' -o root' ' ' --replace 111 755
     makeFlags="DESTROOT=$out"
diff --git a/pkgs/tools/system/facter/default.nix b/pkgs/tools/system/facter/default.nix
index c0328636536..117a3c1c1a2 100644
--- a/pkgs/tools/system/facter/default.nix
+++ b/pkgs/tools/system/facter/default.nix
@@ -8,9 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "1ngp3xjdh6x1w7lsi4lji2xzqp0x950jngcdlq11lcr0wfnzwyxj";
   };
 
-  libyamlcpp_ = libyamlcpp.override { makePIC = true; };
-
-  buildInputs = [ boost cmake curl libyamlcpp_ openssl utillinux ];
+  buildInputs = [ boost cmake curl libyamlcpp openssl utillinux ];
 
   meta = with stdenv.lib; {
     homepage = https://github.com/puppetlabs/facter;
diff --git a/pkgs/tools/system/foremost/default.nix b/pkgs/tools/system/foremost/default.nix
index cfac8923779..0696af07166 100644
--- a/pkgs/tools/system/foremost/default.nix
+++ b/pkgs/tools/system/foremost/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardening_format = false;
+
   preInstall = ''
     mkdir -p $out/{bin,share/man/man8}
   '';
diff --git a/pkgs/tools/system/gdmap/default.nix b/pkgs/tools/system/gdmap/default.nix
index 3d3809610e4..1456b6fca7c 100644
--- a/pkgs/tools/system/gdmap/default.nix
+++ b/pkgs/tools/system/gdmap/default.nix
@@ -2,7 +2,7 @@
 
 stdenv.mkDerivation rec {
   name = "gdmap-0.8.1";
-  
+
   src = fetchurl {
     url = "mirror://sourceforge/gdmap/${name}.tar.gz";
     sha256 = "0nr8l88cg19zj585hczj8v73yh21k7j13xivhlzl8jdk0j0cj052";
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   patches = [ ./get_sensitive.patch ./set_flags.patch ];
 
+  hardening_format = false;
+
   meta = with stdenv.lib; {
     homepage = http://gdmap.sourceforge.net;
     description = "Recursive rectangle map of disk usage";
diff --git a/pkgs/tools/system/rsyslog/default.nix b/pkgs/tools/system/rsyslog/default.nix
index 5d3dbd861aa..ef54bde3db5 100644
--- a/pkgs/tools/system/rsyslog/default.nix
+++ b/pkgs/tools/system/rsyslog/default.nix
@@ -28,6 +28,8 @@ stdenv.mkDerivation rec {
     rabbitmq-c hiredis
   ] ++ stdenv.lib.optional stdenv.isLinux systemd;
 
+  hardening_format = false;
+
   configureFlags = [
     "--sysconfdir=/etc"
     "--localstatedir=/var"
diff --git a/pkgs/tools/system/stress-ng/default.nix b/pkgs/tools/system/stress-ng/default.nix
index a973d143fa9..692fd250f83 100644
--- a/pkgs/tools/system/stress-ng/default.nix
+++ b/pkgs/tools/system/stress-ng/default.nix
@@ -2,10 +2,10 @@
 
 stdenv.mkDerivation rec {
   name = "stress-ng-${version}";
-  version = "0.05.00";
+  version = "0.05.18";
 
   src = fetchurl {
-    sha256 = "0ppri86z6fj48nm5l0x1r8mh7mwaf7bvhmi10jz6a8w7apnc181w";
+    sha256 = "13x0cc4gfakz7vikc6b2vjbk1gw5awyp9i6843di7lnkx1ba177r";
     url = "http://kernel.ubuntu.com/~cking/tarballs/stress-ng/${name}.tar.gz";
   };
 
diff --git a/pkgs/tools/system/which/default.nix b/pkgs/tools/system/which/default.nix
index e9199a8f063..956fd590b14 100644
--- a/pkgs/tools/system/which/default.nix
+++ b/pkgs/tools/system/which/default.nix
@@ -2,12 +2,15 @@
 
 stdenv.mkDerivation rec {
   name = "which-2.21";
-  
+
   src = fetchurl {
     url = "mirror://gnu/which/${name}.tar.gz";
     sha256 = "1bgafvy3ypbhhfznwjv1lxmd6mci3x1byilnnkc7gcr486wlb8pl";
   };
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardening_stackprotector = false;
+
   meta = with stdenv.lib; {
     homepage = http://ftp.gnu.org/gnu/which/;
     platforms = platforms.all;
diff --git a/pkgs/tools/text/a2ps/default.nix b/pkgs/tools/text/a2ps/default.nix
index 7de6a8dd574..bcbf2b66a86 100644
--- a/pkgs/tools/text/a2ps/default.nix
+++ b/pkgs/tools/text/a2ps/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ libpaper gperf file ];
 
+  hardening_format = false;
+
   meta = with stdenv.lib; {
     description = "An Anyithing to PostScript converter and pretty-printer";
     longDescription = ''
diff --git a/pkgs/tools/text/patchutils/default.nix b/pkgs/tools/text/patchutils/default.nix
index 4df52eef669..98f9c0483c2 100644
--- a/pkgs/tools/text/patchutils/default.nix
+++ b/pkgs/tools/text/patchutils/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   patches = [ ./drop-comments.patch ]; # we would get into a cycle when using fetchpatch on this one
 
+  hardening_format = false;
+
   meta = with stdenv.lib; {
     description = "Tools to manipulate patch files";
     homepage = http://cyberelk.net/tim/software/patchutils;
diff --git a/pkgs/tools/text/untex/default.nix b/pkgs/tools/text/untex/default.nix
index e2f6142a2a0..33f72b029a1 100644
--- a/pkgs/tools/text/untex/default.nix
+++ b/pkgs/tools/text/untex/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "07p836jydd5yjy905m5ylnnac1h4cc4jsr41panqb808mlsiwmmy";
   };
 
+  hardening_format = false;
+
   unpackPhase = "tar xf $src";
   installTargets = "install install.man";
   installFlags = "BINDIR=$(out)/bin MANDIR=$(out)/share/man/man1";
diff --git a/pkgs/tools/typesetting/bibtex-tools/default.nix b/pkgs/tools/typesetting/bibtex-tools/default.nix
deleted file mode 100644
index a822a181a65..00000000000
--- a/pkgs/tools/typesetting/bibtex-tools/default.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{stdenv, fetchurl, hevea, tetex, strategoxt, aterm, sdf}: 
-
-stdenv.mkDerivation {
-  name = "bibtex-tools-0.2pre13026";
-  src = fetchurl {
-    url = http://tarballs.nixos.org/bibtex-tools-0.2pre13026.tar.gz;
-    md5 = "2d8a5de7c53eb670307048eb3d14cdd6";
-  };
-  configureFlags = "
-    --with-aterm=${aterm}
-    --with-sdf=${sdf}
-    --with-strategoxt=${strategoxt}
-    --with-hevea=${hevea}
-    --with-latex=${tetex}";
-  buildInputs = [aterm sdf strategoxt hevea];
-  meta.broken = true;
-}
diff --git a/pkgs/tools/typesetting/tex/tetex/default.nix b/pkgs/tools/typesetting/tex/tetex/default.nix
index 8d6c88a0004..cffe0b39d22 100644
--- a/pkgs/tools/typesetting/tex/tetex/default.nix
+++ b/pkgs/tools/typesetting/tex/tetex/default.nix
@@ -2,7 +2,7 @@
 
 stdenv.mkDerivation {
   name = "tetex-3.0";
-  
+
   src = fetchurl {
     url = ftp://cam.ctan.org/tex-archive/systems/unix/teTeX/current/distrib/tetex-src-3.0.tar.gz;
     md5 = "944a4641e79e61043fdaf8f38ecbb4b3";
@@ -15,6 +15,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ flex bison zlib libpng ncurses ed ];
 
+  hardening_format = false;
+
   # fixes "error: conflicting types for 'calloc'", etc.
   preBuild = stdenv.lib.optionalString stdenv.isDarwin ''
     sed -i 57d texk/kpathsea/c-std.h
diff --git a/pkgs/tools/typesetting/tex/texlive-new/bin.nix b/pkgs/tools/typesetting/tex/texlive-new/bin.nix
index 431f3926a13..3585c4d04af 100644
--- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix
+++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix
@@ -64,6 +64,8 @@ core = stdenv.mkDerivation rec {
     perl
   ];
 
+  hardening_format = false;
+
   preConfigure = ''
     rm -r libs/{cairo,freetype2,gd,gmp,graphite2,harfbuzz,icu,libpaper,libpng} \
       libs/{mpfr,pixman,poppler,potrace,xpdf,zlib,zziplib}
@@ -121,6 +123,8 @@ core-big = stdenv.mkDerivation {
 
   inherit (common) src;
 
+  hardening_format = false;
+
   buildInputs = core.buildInputs ++ [ core cairo harfbuzz icu graphite2 ];
 
   configureFlags = common.configureFlags
diff --git a/pkgs/tools/video/mjpegtools/default.nix b/pkgs/tools/video/mjpegtools/default.nix
index 33b497fa3eb..989649c580f 100644
--- a/pkgs/tools/video/mjpegtools/default.nix
+++ b/pkgs/tools/video/mjpegtools/default.nix
@@ -7,9 +7,13 @@
 
 stdenv.mkDerivation rec {
   name = "mjpegtools-2.1.0";
+
   src = fetchurl {
     url = "mirror://sourceforge/mjpeg/${name}.tar.gz";
     sha256 = "01y4xpfdvd4zgv6fmcjny9mr1gbfd4y2i4adp657ydw6fqyi8kw6";
   };
+
   buildInputs = [ gtk libdv libjpeg libpng libX11 pkgconfig SDL SDL_gfx ];
+
+  hardening_format = false;
 }
diff --git a/pkgs/tools/video/vncrec/default.nix b/pkgs/tools/video/vncrec/default.nix
index 4654d5902cb..a16dc169b98 100644
--- a/pkgs/tools/video/vncrec/default.nix
+++ b/pkgs/tools/video/vncrec/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
     sha256 = "1yp6r55fqpdhc8cgrgh9i0mzxmkls16pgf8vfcpng1axr7cigyhc";
   };
 
+  hardening_format = false;
+
   buildInputs = [
     libX11 xproto imake gccmakedep libXt libXmu libXaw
     libXext xextproto libSM libICE libXpm libXp
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 1515d556b17..70b6b95e491 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -198,12 +198,14 @@ let
   };
 
   # We use pkgs_ because accessing pkgs would lead to an infinite recursion in stdenvOverrides
-  defaultStdenv = pkgs_.allStdenvs.stdenv // { inherit platform; };
+  defaultStdenv = (import ../stdenv/adapters.nix pkgs_).useHardenFlags (
+    pkgs_.allStdenvs.stdenv // { inherit platform; }
+  );
 
   stdenvCross = lowPrio (makeStdenvCross defaultStdenv crossSystem binutilsCross gccCrossStageFinal);
 
   stdenv =
-    if bootStdenv != null then (bootStdenv // {inherit platform;}) else
+    if bootStdenv != null then ((import ../stdenv/adapters.nix pkgs_).useHardenFlags bootStdenv // {inherit platform;}) else
       if crossSystem != null then
         stdenvCross
       else
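Review bot: The two `useHardenFlags` call sites are not equivalent. In `defaultStdenv` the adapter receives the stdenv already merged with `{ inherit platform; }`, whereas in the `bootStdenv` branch function application binds tighter than `//`, so the adapter sees `bootStdenv` without `platform` and the attribute is merged afterwards. Whether that matters depends on `useHardenFlags`, which is outside this hunk, but the two forms should match and the adapters file need not be imported twice: bind `hardenStdenv = (import ../stdenv/adapters.nix pkgs_).useHardenFlags;` in the enclosing `let` and write `hardenStdenv (bootStdenv // { inherit platform; })`. The `let` block starts and ends outside the hunk.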
@@ -1012,10 +1014,6 @@ let
       UnicodeCollate UnicodeLineBreak URI XMLLibXMLSimple XMLLibXSLT XMLWriter;
   };
 
-  bibtextools = callPackage ../tools/typesetting/bibtex-tools {
-    inherit (strategoPackages016) strategoxt sdf;
-  };
-
   bittornado = callPackage ../tools/networking/p2p/bit-tornado { };
 
   blueman = callPackage ../tools/bluetooth/blueman {
@@ -2312,10 +2310,6 @@ let
 
   lrzip = callPackage ../tools/compression/lrzip { };
 
-  # lsh installs `bin/nettle-lfib-stream' and so does Nettle.  Give the
-  # former a lower priority than Nettle.
-  lsh = lowPrio (callPackage ../tools/networking/lsh { });
-
   lshw = callPackage ../tools/system/lshw { };
 
   lxc = callPackage ../os-specific/linux/lxc { };
@@ -2506,8 +2500,6 @@ let
 
   nc6 = callPackage ../tools/networking/nc6 { };
 
-  ncat = callPackage ../tools/networking/ncat { };
-
   ncftp = callPackage ../tools/networking/ncftp { };
 
   ncompress = callPackage ../tools/compression/ncompress { };
@@ -5074,11 +5066,6 @@ let
     llvm = llvm_36;
   };
 
-  qcmm = callPackage ../development/compilers/qcmm {
-    lua   = lua4;
-    ocaml = ocaml_3_08_0;
-  };
-
   rtags = callPackage ../development/tools/rtags/default.nix {};
 
   rustcMaster = callPackage ../development/compilers/rustc/head.nix {};
@@ -5139,20 +5126,6 @@ let
 
   stalin = callPackage ../development/compilers/stalin { };
 
-  strategoPackages = recurseIntoAttrs strategoPackages018;
-
-  strategoPackages016 = callPackage ../development/compilers/strategoxt/0.16.nix {
-    stdenv = overrideInStdenv stdenv [gnumake380];
-  };
-
-  strategoPackages017 = callPackage ../development/compilers/strategoxt/0.17.nix {
-    readline = readline5;
-  };
-
-  strategoPackages018 = callPackage ../development/compilers/strategoxt/0.18.nix {
-    readline = readline5;
-  };
-
   metaBuildEnv = callPackage ../development/compilers/meta-environment/meta-build-env { };
 
   swiProlog = callPackage ../development/compilers/swi-prolog { };
@@ -5193,8 +5166,6 @@ let
 
   vs90wrapper = callPackage ../development/compilers/vs90wrapper { };
 
-  webdsl = callPackage ../development/compilers/webdsl { };
-
   win32hello = callPackage ../development/compilers/visual-c++/test { };
 
   wrapCCWith = ccWrapper: libc: extraBuildCommands: baseCC: ccWrapper {
@@ -6368,10 +6339,6 @@ let
 
   aspellDicts = recurseIntoAttrs (callPackages ../development/libraries/aspell/dictionaries.nix {});
 
-  aterm = aterm25;
-
-  aterm25 = callPackage ../development/libraries/aterm/2.5.nix { };
-
   attica = callPackage ../development/libraries/attica { };
 
   attr = callPackage ../development/libraries/attr { };
@@ -8862,8 +8829,6 @@ let
 
   v8_3_16_14 = callPackage ../development/libraries/v8/3.16.14.nix {
     inherit (pythonPackages) gyp;
-    # The build succeeds using gcc5 but it fails to build pkgs.consul-ui
-    stdenv = overrideCC stdenv gcc48;
   };
 
   v8_3_24_10 = callPackage ../development/libraries/v8/3.24.10.nix {
@@ -14720,15 +14685,10 @@ let
   speed_dreams = callPackage ../games/speed-dreams {
     # Torcs wants to make shared libraries linked with plib libraries (it provides static).
     # i686 is the only platform I know than can do that linking without plib built with -fPIC
-    plib = plib.override { enablePIC = !stdenv.isi686; };
     libpng = libpng12;
   };
 
-  torcs = callPackage ../games/torcs {
-    # Torcs wants to make shared libraries linked with plib libraries (it provides static).
-    # i686 is the only platform I know than can do that linking without plib built with -fPIC
-    plib = plib.override { enablePIC = !stdenv.isi686; };
-  };
+  torcs = callPackage ../games/torcs { };
 
   trigger = callPackage ../games/trigger { };
 
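Review bot: The two comment lines left in `speed_dreams` ("Torcs wants to make shared libraries linked with plib libraries…") now describe nothing, because the `plib.override { enablePIC = … }` line they explained is removed. Either delete them or replace them with a note on what now provides position-independent plib, e.g. `# plib is built PIC via the stdenv hardening flags`; that wording assumes PIC is on by default after this commit, which the hunk does not show. The i686 exception in the old override is also dropped without comment, so it is worth confirming that the i686 build still links.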
@@ -15107,22 +15067,21 @@ let
 
     calamares = callPackage ../tools/misc/calamares rec {
       python = python3;
-      boost = pkgs.boost.override { python=python3; };
-      libyamlcpp = callPackage ../development/libraries/libyaml-cpp { makePIC=true; boost=boost; };
+      boost = pkgs.boost.override { python = python3; };
+      libyamlcpp = callPackage ../development/libraries/libyaml-cpp { boost = boost; };
     };
 
     dfilemanager = callPackage ../applications/misc/dfilemanager { };
 
     fcitx-qt5 = callPackage ../tools/inputmethods/fcitx/fcitx-qt5.nix { };
 
-    k9copy = callPackage ../applications/video/k9copy {};
+    k9copy = callPackage ../applications/video/k9copy { };
 
     kdeconnect = callPackage ../applications/misc/kdeconnect { };
 
     kile = callPackage ../applications/editors/kile/frameworks.nix { };
 
-    konversation = callPackage ../applications/networking/irc/konversation/1.6.nix {
-    };
+    konversation = callPackage ../applications/networking/irc/konversation/1.6.nix { };
 
     quassel = callPackage ../applications/networking/irc/quassel/qt-5.nix {
       monolithic = true;
diff --git a/pkgs/top-level/guile-2-test.nix b/pkgs/top-level/guile-2-test.nix
index 802277d474a..3219fc9108a 100644
--- a/pkgs/top-level/guile-2-test.nix
+++ b/pkgs/top-level/guile-2-test.nix
@@ -56,7 +56,6 @@ in (mapTestOn {
   guile = linux;
 
   autogen = linux;
-  lsh = linux;
   mailutils = linux;
   mcron = linux;
   texmacs = linux;
diff --git a/pkgs/top-level/release-cross.nix b/pkgs/top-level/release-cross.nix
index ced90c0489c..fe7b88d813c 100644
--- a/pkgs/top-level/release-cross.nix
+++ b/pkgs/top-level/release-cross.nix
@@ -219,7 +219,6 @@ in {
     libffi.crossDrv = nativePlatforms;
     libtool.crossDrv = nativePlatforms;
     libunistring.crossDrv = nativePlatforms;
-    lsh.crossDrv = nativePlatforms;
     nixUnstable.crossDrv = nativePlatforms;
     openssl.crossDrv = nativePlatforms;            # dependency of Nix
     patch.crossDrv = nativePlatforms;
diff --git a/pkgs/top-level/release-small.nix b/pkgs/top-level/release-small.nix
index 01786591973..6abe39cfe76 100644
--- a/pkgs/top-level/release-small.nix
+++ b/pkgs/top-level/release-small.nix
@@ -89,7 +89,6 @@ with import ./release-lib.nix { inherit supportedSystems; };
   libxml2 = all;
   libxslt = all;
   lout = linux;
-  lsh = linux;
   lsof = linux;
   ltrace = linux;
   lvm2 = linux;
@@ -112,7 +111,6 @@ with import ./release-lib.nix { inherit supportedSystems; };
   mpg321 = linux;
   mutt = linux;
   mysql = linux;
-  ncat = linux;
   netcat = all;
   nfs-utils = linux;
   nix = all;
diff --git a/pkgs/top-level/release.nix b/pkgs/top-level/release.nix
index 6c510ea029f..81bab2d6c0c 100644
--- a/pkgs/top-level/release.nix
+++ b/pkgs/top-level/release.nix
@@ -165,7 +165,6 @@ let
       mupen64plus = linux;
       mutt = linux;
       nano = allBut cygwin;
-      ncat = linux;
       netcat = all;
       nss_ldap = linux;
       nssmdns = linux;
@@ -246,14 +245,6 @@ let
 
       #rPackages = packagePlatforms pkgs.rPackages;
 
-      strategoPackages = {
-        sdf = linux;
-        strategoxt = linux;
-        javafront = linux;
-        strategoShell = linux ++ darwin;
-        dryad = linux;
-      };
-
       ocamlPackages = { };
 
       perlPackages = { };