diff options
405 files changed, 1495 insertions, 1387 deletions
diff --git a/doc/languages-frameworks/python.md b/doc/languages-frameworks/python.md index fc0a0ba987a..3ee25669f74 100644 --- a/doc/languages-frameworks/python.md +++ b/doc/languages-frameworks/python.md @@ -599,7 +599,7 @@ Given a `default.nix`: src = ./.; } Running `nix-shell` with no arguments should give you -the environment in which the package would be build with +the environment in which the package would be built with `nix-build`. Shortcut to setup environments with C headers/libraries and python packages: diff --git a/doc/stdenv.xml b/doc/stdenv.xml index 136e83ee0cd..89589293844 100644 --- a/doc/stdenv.xml +++ b/doc/stdenv.xml @@ -1317,6 +1317,49 @@ in the default system locations.</para> </section> +<section xml:id="sec-hardening-in-nixpkgs"><title>Hardening in Nixpkgs</title> + +<para>By default some flags to harden packages at compile or link-time are set:</para> + +<variablelist> + + <varlistentry> + <term><varname>hardening_format</varname></term> + <listitem><para>Adds the <option>-Wformat -Wformat-security + -Werror=format-security</option> compiler options. At present, + this warns about calls to printf and scanf functions where the + format string is not a string literal and there are no format + arguments, as in <literal>printf(foo);</literal>. This may be + a security hole if the format string came from untrusted input + and contains <literal>%n</literal>.</para> + + <para>This needs to be turned off or fixed for errors similar to:</para> + + <programlisting> +/tmp/nix-build-zynaddsubfx-2.5.2.drv-0/zynaddsubfx-2.5.2/src/UI/guimain.cpp:571:28: error: format not a string literal and no format arguments [-Werror=format-security] + printf(help_message); + ^ +cc1plus: some warnings being treated as errors + </programlisting></listitem> + </varlistentry> + + <varlistentry> + <term><varname>hardening_stackprotector</varname></term> + <listitem><para>Adds the <option>-fstack-protector-strong</option> + compiler options. This adds safety checks against stack overwrites + rendering many potential code injection attacks into aborting situations. + In the best case this turns code injection vulnerabilities into denial + of service or into non-issues (depending on the application).</para> + + <para>This needs to be turned off or fixed for errors similar to:</para> + + <programlisting> +bin/blib.a(bios_console.o): In function `bios_handle_cup': +/tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail' + </programlisting></listitem> + </varlistentry> +</variablelist> +</section> </chapter> diff --git a/nixos/modules/config/gnu.nix b/nixos/modules/config/gnu.nix index ad0e35c8a63..5cc41ce8690 100644 --- a/nixos/modules/config/gnu.nix +++ b/nixos/modules/config/gnu.nix @@ -9,8 +9,7 @@ with lib; default = false; description = '' When enabled, GNU software is chosen by default whenever a there is - a choice between GNU and non-GNU software (e.g., GNU lsh - vs. OpenSSH). + a choice between GNU and non-GNU software. ''; }; }; @@ -33,11 +32,6 @@ with lib; boot.loader.grub.enable = !pkgs.stdenv.isArm; boot.loader.grub.version = 2; - # GNU lsh. - services.openssh.enable = false; - services.lshd.enable = true; - programs.ssh.startAgent = false; - # TODO: GNU dico. # TODO: GNU Inetutils' inetd. # TODO: GNU Pies. diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 41b60773a70..756804b5d09 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -378,7 +378,6 @@ ./services/networking/softether.nix ./services/networking/spiped.nix ./services/networking/sslh.nix - ./services/networking/ssh/lshd.nix ./services/networking/ssh/sshd.nix ./services/networking/strongswan.nix ./services/networking/supplicant.nix diff --git a/nixos/modules/services/networking/ssh/lshd.nix b/nixos/modules/services/networking/ssh/lshd.nix deleted file mode 100644 index 661a6a52463..00000000000 --- a/nixos/modules/services/networking/ssh/lshd.nix +++ /dev/null @@ -1,176 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - inherit (pkgs) lsh; - - cfg = config.services.lshd; - -in - -{ - - ###### interface - - options = { - - services.lshd = { - - enable = mkOption { - default = false; - description = '' - Whether to enable the GNU lshd SSH2 daemon, which allows - secure remote login. - ''; - }; - - portNumber = mkOption { - default = 22; - description = '' - The port on which to listen for connections. - ''; - }; - - interfaces = mkOption { - default = []; - description = '' - List of network interfaces where listening for connections. - When providing the empty list, `[]', lshd listens on all - network interfaces. - ''; - example = [ "localhost" "1.2.3.4:443" ]; - }; - - hostKey = mkOption { - default = "/etc/lsh/host-key"; - description = '' - Path to the server's private key. Note that this key must - have been created, e.g., using "lsh-keygen --server | - lsh-writekey --server", so that you can run lshd. - ''; - }; - - syslog = mkOption { - default = true; - description = ''Whether to enable syslog output.''; - }; - - passwordAuthentication = mkOption { - default = true; - description = ''Whether to enable password authentication.''; - }; - - publicKeyAuthentication = mkOption { - default = true; - description = ''Whether to enable public key authentication.''; - }; - - rootLogin = mkOption { - default = false; - description = ''Whether to enable remote root login.''; - }; - - loginShell = mkOption { - default = null; - description = '' - If non-null, override the default login shell with the - specified value. - ''; - example = "/nix/store/xyz-bash-10.0/bin/bash10"; - }; - - srpKeyExchange = mkOption { - default = false; - description = '' - Whether to enable SRP key exchange and user authentication. - ''; - }; - - tcpForwarding = mkOption { - default = true; - description = ''Whether to enable TCP/IP forwarding.''; - }; - - x11Forwarding = mkOption { - default = true; - description = ''Whether to enable X11 forwarding.''; - }; - - subsystems = mkOption { - description = '' - List of subsystem-path pairs, where the head of the pair - denotes the subsystem name, and the tail denotes the path to - an executable implementing it. - ''; - }; - - }; - - }; - - - ###### implementation - - config = mkIf cfg.enable { - - services.lshd.subsystems = [ ["sftp" "${pkgs.lsh}/sbin/sftp-server"] ]; - - systemd.services.lshd = { - description = "GNU lshd SSH2 daemon"; - - after = [ "network-interfaces.target" ]; - - wantedBy = [ "multi-user.target" ]; - - environment = { - LD_LIBRARY_PATH = config.system.nssModules.path; - }; - - preStart = '' - test -d /etc/lsh || mkdir -m 0755 -p /etc/lsh - test -d /var/spool/lsh || mkdir -m 0755 -p /var/spool/lsh - - if ! test -f /var/spool/lsh/yarrow-seed-file - then - # XXX: It would be nice to provide feedback to the - # user when this fails, so that they can retry it - # manually. - ${lsh}/bin/lsh-make-seed --sloppy \ - -o /var/spool/lsh/yarrow-seed-file - fi - - if ! test -f "${cfg.hostKey}" - then - ${lsh}/bin/lsh-keygen --server | \ - ${lsh}/bin/lsh-writekey --server -o "${cfg.hostKey}" - fi - ''; - - script = with cfg; '' - ${lsh}/sbin/lshd --daemonic \ - --password-helper="${lsh}/sbin/lsh-pam-checkpw" \ - -p ${toString portNumber} \ - ${if interfaces == [] then "" - else (concatStrings (map (i: "--interface=\"${i}\"") - interfaces))} \ - -h "${hostKey}" \ - ${if !syslog then "--no-syslog" else ""} \ - ${if passwordAuthentication then "--password" else "--no-password" } \ - ${if publicKeyAuthentication then "--publickey" else "--no-publickey" } \ - ${if rootLogin then "--root-login" else "--no-root-login" } \ - ${if loginShell != null then "--login-shell=\"${loginShell}\"" else "" } \ - ${if srpKeyExchange then "--srp-keyexchange" else "--no-srp-keyexchange" } \ - ${if !tcpForwarding then "--no-tcpip-forward" else "--tcpip-forward"} \ - ${if x11Forwarding then "--x11-forward" else "--no-x11-forward" } \ - --subsystems=${concatStringsSep "," - (map (pair: (head pair) + "=" + - (head (tail pair))) - subsystems)} - ''; - }; - - security.pam.services.lshd = {}; - }; -} diff --git a/nixos/modules/system/boot/loader/grub/grub.nix b/nixos/modules/system/boot/loader/grub/grub.nix index 05322497a4b..0728db98644 100644 --- a/nixos/modules/system/boot/loader/grub/grub.nix +++ b/nixos/modules/system/boot/loader/grub/grub.nix @@ -348,7 +348,7 @@ in default = false; type = types.bool; description = '' - Whether GRUB should be build against libzfs. + Whether GRUB should be built against libzfs. ZFS support is only available for GRUB v2. This option is ignored for GRUB v1. ''; @@ -358,7 +358,7 @@ in default = false; type = types.bool; description = '' - Whether GRUB should be build with EFI support. + Whether GRUB should be built with EFI support. EFI support is only available for GRUB v2. This option is ignored for GRUB v1. ''; diff --git a/pkgs/applications/audio/QmidiNet/default.nix b/pkgs/applications/audio/QmidiNet/default.nix index d8d8945db92..42c98cbb110 100644 --- a/pkgs/applications/audio/QmidiNet/default.nix +++ b/pkgs/applications/audio/QmidiNet/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "1a1pj4w74wj1gcfv4a0vzcglmr5sw0xp0y56w8rk3ig4k11xi8sa"; }; + hardeningDisable = [ "format" ]; + buildInputs = [ qt4 alsaLib libjack2 ]; meta = with stdenv.lib; { diff --git a/pkgs/applications/audio/aacgain/default.nix b/pkgs/applications/audio/aacgain/default.nix index 69cc798ec0f..a22866dc031 100644 --- a/pkgs/applications/audio/aacgain/default.nix +++ b/pkgs/applications/audio/aacgain/default.nix @@ -2,6 +2,7 @@ stdenv.mkDerivation { name = "aacgain-1.9.0"; + src = fetchFromGitHub { owner = "mulx"; repo = "aacgain"; @@ -9,6 +10,8 @@ stdenv.mkDerivation { sha256 = "07hl432vsscqg01b6wr99qmsj4gbx0i02x4k565432y6zpfmaxm0"; }; + hardeningDisable = [ "format" ]; + configurePhase = '' cd mp4v2 ./configure @@ -28,7 +31,7 @@ stdenv.mkDerivation { make LDFLAGS=-static cd .. - make + make ''; installPhase = '' diff --git a/pkgs/applications/audio/cdparanoia/default.nix b/pkgs/applications/audio/cdparanoia/default.nix index 1658d9c7449..abe679f10bc 100644 --- a/pkgs/applications/audio/cdparanoia/default.nix +++ b/pkgs/applications/audio/cdparanoia/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80"; }; + hardeningDisable = [ "format" ]; + preConfigure = "unset CC"; patches = stdenv.lib.optionals stdenv.isDarwin [ diff --git a/pkgs/applications/audio/csound/default.nix b/pkgs/applications/audio/csound/default.nix index afca63a2a8a..e1c063d823d 100644 --- a/pkgs/applications/audio/csound/default.nix +++ b/pkgs/applications/audio/csound/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation { enableParallelBuilding = true; + hardeningDisable = [ "format" ]; + src = fetchurl { url = mirror://sourceforge/csound/Csound6.04.tar.gz; sha256 = "1030w38lxdwjz1irr32m9cl0paqmgr02lab2m7f7j1yihwxj1w0g"; diff --git a/pkgs/applications/audio/freewheeling/default.nix b/pkgs/applications/audio/freewheeling/default.nix index f7330ee12f9..1611975182b 100644 --- a/pkgs/applications/audio/freewheeling/default.nix +++ b/pkgs/applications/audio/freewheeling/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation { patches = [ ./am_path_sdl.patch ./xml.patch ]; + hardeningDisable = [ "format" ]; + meta = { description = "A live looping instrument with JACK and MIDI support"; longDescription = '' diff --git a/pkgs/applications/audio/jack-capture/default.nix b/pkgs/applications/audio/jack-capture/default.nix index ef6d13e5696..ec7f7a5c32d 100644 --- a/pkgs/applications/audio/jack-capture/default.nix +++ b/pkgs/applications/audio/jack-capture/default.nix @@ -18,7 +18,9 @@ stdenv.mkDerivation rec { cp jack_capture $out/bin/ ''; - meta = with stdenv.lib; { + hardeningDisable = [ "format" ]; + + meta = with stdenv.lib; { description = "A program for recording soundfiles with jack"; homepage = http://archive.notam02.no/arkiv/src; license = licenses.gpl2; diff --git a/pkgs/applications/audio/lingot/default.nix b/pkgs/applications/audio/lingot/default.nix index 4b07c84b0be..22ab37dc98a 100644 --- a/pkgs/applications/audio/lingot/default.nix +++ b/pkgs/applications/audio/lingot/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation { sha256 = "0ygras6ndw2fylwxx86ac11pcr2y2bcfvvgiwrh92z6zncx254gc"; }; + hardeningDisable = [ "format" ]; + buildInputs = [ pkgconfig intltool gtk alsaLib libglade ]; configureFlags = "--disable-jack"; diff --git a/pkgs/applications/audio/mi2ly/default.nix b/pkgs/applications/audio/mi2ly/default.nix index 1d736b06938..fa4ea6343e9 100644 --- a/pkgs/applications/audio/mi2ly/default.nix +++ b/pkgs/applications/audio/mi2ly/default.nix @@ -21,6 +21,8 @@ stdenv.mkDerivation { sourceRoot="."; + hardeningDisable = [ "format" ]; + buildPhase = "./cc"; installPhase = '' mkdir -p "$out"/{bin,share/doc/mi2ly} diff --git a/pkgs/applications/audio/mp3info/default.nix b/pkgs/applications/audio/mp3info/default.nix index e4c45c613ee..d28cd7c9e06 100644 --- a/pkgs/applications/audio/mp3info/default.nix +++ b/pkgs/applications/audio/mp3info/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses pkgconfig gtk ]; + hardeningDisable = [ "format" ]; + configurePhase = '' sed -i Makefile \ -e "s|^prefix=.*$|prefix=$out|g ; diff --git a/pkgs/applications/audio/mp3val/default.nix b/pkgs/applications/audio/mp3val/default.nix index 0957420b658..7477bea7602 100644 --- a/pkgs/applications/audio/mp3val/default.nix +++ b/pkgs/applications/audio/mp3val/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { install -Dv mp3val "$out/bin/mp3val" ''; + hardeningDisable = [ "fortify" ]; + meta = { description = "A tool for validating and repairing MPEG audio streams"; longDescription = '' diff --git a/pkgs/applications/audio/mpg321/default.nix b/pkgs/applications/audio/mpg321/default.nix index 489831dc464..b68c44278ee 100644 --- a/pkgs/applications/audio/mpg321/default.nix +++ b/pkgs/applications/audio/mpg321/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5"; }; + hardeningDisable = [ "format" ]; + configureFlags = [ ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no")) ]; diff --git a/pkgs/applications/audio/musescore/default.nix b/pkgs/applications/audio/musescore/default.nix index e1f0472ce9e..b89278a7fd9 100644 --- a/pkgs/applications/audio/musescore/default.nix +++ b/pkgs/applications/audio/musescore/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { sha256 = "12a83v4i830gj76z5744034y1vvwzgy27mjbjp508yh9bd328yqw"; }; + hardeningDisable = [ "relro" "bindnow" ]; + makeFlags = [ "PREFIX=$(out)" ]; diff --git a/pkgs/applications/audio/pd-plugins/cyclone/default.nix b/pkgs/applications/audio/pd-plugins/cyclone/default.nix index 2331944db01..e4ec281cacb 100644 --- a/pkgs/applications/audio/pd-plugins/cyclone/default.nix +++ b/pkgs/applications/audio/pd-plugins/cyclone/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ puredata ]; + hardeningDisable = [ "format" ]; + patchPhase = '' for file in `grep -r -l g_canvas.h` do diff --git a/pkgs/applications/audio/pd-plugins/maxlib/default.nix b/pkgs/applications/audio/pd-plugins/maxlib/default.nix index c5732387b50..3b836d9eb33 100644 --- a/pkgs/applications/audio/pd-plugins/maxlib/default.nix +++ b/pkgs/applications/audio/pd-plugins/maxlib/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ puredata ]; + hardeningDisable = [ "format" ]; + patchPhase = '' for i in ${puredata}/include/pd/*; do ln -s $i . diff --git a/pkgs/applications/audio/pd-plugins/mrpeach/default.nix b/pkgs/applications/audio/pd-plugins/mrpeach/default.nix index 5f76b208e14..972a162b73f 100644 --- a/pkgs/applications/audio/pd-plugins/mrpeach/default.nix +++ b/pkgs/applications/audio/pd-plugins/mrpeach/default.nix @@ -14,7 +14,9 @@ stdenv.mkDerivation rec { sha256 = "12jqba3jsdrk20ib9wc2wiivki88ypcd4mkzgsri9siywbbz9w8x"; }; - buildInputs = [puredata ]; + buildInputs = [ puredata ]; + + hardeningDisable = [ "format" ]; patchPhase = '' for D in net osc diff --git a/pkgs/applications/audio/pd-plugins/puremapping/default.nix b/pkgs/applications/audio/pd-plugins/puremapping/default.nix index 2e9a37a2f0d..9300d7461fe 100644 --- a/pkgs/applications/audio/pd-plugins/puremapping/default.nix +++ b/pkgs/applications/audio/pd-plugins/puremapping/default.nix @@ -1,12 +1,12 @@ { stdenv, fetchurl, unzip, puredata }: stdenv.mkDerivation rec { - name = "puremapping-1.01"; + name = "puremapping-20160130"; src = fetchurl { - url = "http://www.chnry.net/ch/IMG/zip/puremapping-libdir-generic.zip"; + url = "http://www.chnry.net/data/puremapping-20160130-generic.zip"; name = "puremapping"; - sha256 = "1ygzxsfj3rnzjkpmgi4wch810q8s5vm1gdam6a938hbbvamafgvc"; + sha256 = "1h7qgqd8srrxw2y1rkdw5js4k6f5vc8x6nlm2mq9mq9vjck7n1j7"; }; buildInputs = [ unzip puredata ]; diff --git a/pkgs/applications/audio/rakarrack/default.nix b/pkgs/applications/audio/rakarrack/default.nix index b746cccd113..822e0d5548b 100644 --- a/pkgs/applications/audio/rakarrack/default.nix +++ b/pkgs/applications/audio/rakarrack/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "1rpf63pdn54c4yg13k7cb1w1c7zsvl97c4qxcpz41c8l91xd55kn"; }; + hardeningDisable = [ "format" ]; + patches = [ ./fltk-path.patch ]; buildInputs = [ alsaLib alsaUtils fltk libjack2 libXft libXpm libjpeg diff --git a/pkgs/applications/audio/zynaddsubfx/default.nix b/pkgs/applications/audio/zynaddsubfx/default.nix index 0fccf66ddbc..ec803f2a9c5 100644 --- a/pkgs/applications/audio/zynaddsubfx/default.nix +++ b/pkgs/applications/audio/zynaddsubfx/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { buildInputs = [ alsaLib libjack2 fftw fltk13 libjpeg minixml zlib liblo ]; nativeBuildInputs = [ cmake pkgconfig ]; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "High quality software synthesizer"; homepage = http://zynaddsubfx.sourceforge.net; diff --git a/pkgs/applications/editors/bviplus/default.nix b/pkgs/applications/editors/bviplus/default.nix index 5adb0dad26c..d61fa182379 100644 --- a/pkgs/applications/editors/bviplus/default.nix +++ b/pkgs/applications/editors/bviplus/default.nix @@ -1,17 +1,23 @@ -{ stdenv, lib, fetchurl, ncurses }: +{ stdenv, fetchurl, ncurses }: stdenv.mkDerivation rec { name = "bviplus-${version}"; version = "0.9.4"; + src = fetchurl { url = "mirror://sourceforge/project/bviplus/bviplus/${version}/bviplus-${version}.tgz"; sha256 = "10x6fbn8v6i0y0m40ja30pwpyqksnn8k2vqd290vxxlvlhzah4zb"; }; + buildInputs = [ ncurses ]; + + patches = [ ./gcc5.diff ]; + makeFlags = "PREFIX=$(out)"; - meta = with lib; { + + meta = with stdenv.lib; { description = "ncurses based hex editor with a vim-like interface"; homepage = "http://bviplus.sourceforge.net"; license = licenses.gpl3; diff --git a/pkgs/applications/editors/bviplus/gcc5.diff b/pkgs/applications/editors/bviplus/gcc5.diff new file mode 100644 index 00000000000..75dc57151dd --- /dev/null +++ b/pkgs/applications/editors/bviplus/gcc5.diff @@ -0,0 +1,11 @@ +--- bviplus-0.9.4/vf_backend.c 2016-02-07 15:58:47.265405962 +0000 ++++ bviplus-0.9.4/vf_backend.c 2016-02-07 16:04:30.020004919 +0000 +@@ -253,7 +253,7 @@ + /*--------------------------- + + ---------------------------*/ +-inline void compute_percent_complete(off_t offset, off_t size, int *complete) ++extern void compute_percent_complete(off_t offset, off_t size, int *complete) + { + if (size == 0) + { diff --git a/pkgs/applications/editors/ht/default.nix b/pkgs/applications/editors/ht/default.nix index b7acdb7f1d5..2817bd168de 100644 --- a/pkgs/applications/editors/ht/default.nix +++ b/pkgs/applications/editors/ht/default.nix @@ -3,13 +3,18 @@ stdenv.mkDerivation rec { name = "ht-${version}"; version = "2.1.0"; + src = fetchurl { url = "http://sourceforge.net/projects/hte/files/ht-source/ht-${version}.tar.bz2"; sha256 = "0w2xnw3z9ws9qrdpb80q55h6ynhh3aziixcfn45x91bzrbifix9i"; }; + buildInputs = [ ncurses ]; + + hardeningDisable = [ "format" ]; + meta = with lib; { description = "File editor/viewer/analyzer for executables"; homepage = "http://hte.sourceforge.net"; diff --git a/pkgs/applications/editors/leafpad/default.nix b/pkgs/applications/editors/leafpad/default.nix index fc35a993bad..a5b0f2e400a 100644 --- a/pkgs/applications/editors/leafpad/default.nix +++ b/pkgs/applications/editors/leafpad/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ intltool pkgconfig gtk ]; + hardeningDisable = [ "format" ]; + configureFlags = [ "--enable-chooser" ]; diff --git a/pkgs/applications/editors/vim/configurable.nix b/pkgs/applications/editors/vim/configurable.nix index 2a80f5d42ad..d041295ee9f 100644 --- a/pkgs/applications/editors/vim/configurable.nix +++ b/pkgs/applications/editors/vim/configurable.nix @@ -191,6 +191,8 @@ composableDerivation { dontStrip = 1; + hardeningDisable = [ "fortify" ]; + meta = with stdenv.lib; { description = "The most popular clone of the VI editor"; homepage = http://www.vim.org; diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix index 97a40e5c7e5..1c81cda7ce9 100644 --- a/pkgs/applications/editors/vim/default.nix +++ b/pkgs/applications/editors/vim/default.nix @@ -30,6 +30,8 @@ stdenv.mkDerivation rec { "--enable-nls" ]; + hardeningDisable = [ "fortify" ]; + postInstall = '' ln -s $out/bin/vim $out/bin/vi mkdir -p $out/share/vim diff --git a/pkgs/applications/graphics/cinepaint/default.nix b/pkgs/applications/graphics/cinepaint/default.nix index f1ca27eed80..4866ba92add 100644 --- a/pkgs/applications/graphics/cinepaint/default.nix +++ b/pkgs/applications/graphics/cinepaint/default.nix @@ -18,14 +18,14 @@ stdenv.mkDerivation rec { libXext libXpm libXau libXxf86vm pixman libpthreadstubs fltk ]; + hardeningDisable = [ "format" ]; + patches = [ ./install.patch ]; nativeBuildInputs = [ cmake pkgconfig ]; NIX_LDFLAGS = "-llcms -ljpeg -lX11"; - # NIX_CFLAGS_COMPILE = "-I."; - meta = { homepage = http://www.cinepaint.org/; license = stdenv.lib.licenses.free; diff --git a/pkgs/applications/graphics/giv/default.nix b/pkgs/applications/graphics/giv/default.nix index f9ea3173b43..a98fcac4e59 100644 --- a/pkgs/applications/graphics/giv/default.nix +++ b/pkgs/applications/graphics/giv/default.nix @@ -11,8 +11,7 @@ stdenv.mkDerivation rec { sha256 = "1sz2n7jbmg3g97bs613xxjpzqbsl5rvpg6v7g3x3ycyd35r8vsfp"; }; - # It built code to be put in a shared object without -fPIC - NIX_CFLAGS_COMPILE = "-fPIC"; + hardeningDisable = [ "format" ]; prePatch = '' sed -i s,/usr/bin/perl,${perl}/bin/perl, doc/eperl diff --git a/pkgs/applications/graphics/gqview/default.nix b/pkgs/applications/graphics/gqview/default.nix index a8132e30c72..822ef8ad435 100644 --- a/pkgs/applications/graphics/gqview/default.nix +++ b/pkgs/applications/graphics/gqview/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation { buildInputs = [pkgconfig gtk libpng]; + hardeningDisable = [ "format" ]; + meta = { description = "A fast image viewer"; homepage = http://gqview.sourceforge.net; diff --git a/pkgs/applications/graphics/kipi-plugins/default.nix b/pkgs/applications/graphics/kipi-plugins/default.nix index 6a38698370d..b69105fba7c 100644 --- a/pkgs/applications/graphics/kipi-plugins/default.nix +++ b/pkgs/applications/graphics/kipi-plugins/default.nix @@ -7,7 +7,7 @@ stdenv.mkDerivation rec { name = "kipi-plugins-1.9.0"; - src = fetchurl { + src = fetchurl { url = "mirror://sourceforge/kipi/${name}.tar.bz2"; sha256 = "0k4k9v1rj7129n0s0i5pvv4rabx0prxqs6sca642fj95cxc6c96m"; }; @@ -25,6 +25,6 @@ stdenv.mkDerivation rec { homepage = http://www.kipi-plugins.org; inherit (kdelibs.meta) platforms; maintainers = with stdenv.lib.maintainers; [ viric urkud ]; - broken = true; # it should be build from digikam sources, perhaps together + broken = true; # it should be built from digikam sources, perhaps together }; } diff --git a/pkgs/applications/graphics/meshlab/default.nix b/pkgs/applications/graphics/meshlab/default.nix index 49bfb47c85a..fa1958059b8 100644 --- a/pkgs/applications/graphics/meshlab/default.nix +++ b/pkgs/applications/graphics/meshlab/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { patches = [ ./include-unistd.diff ]; + hardeningDisable = [ "format" ]; + buildPhase = '' mkdir -p "$out/include" cp -r vcglib "$out/include" diff --git a/pkgs/applications/graphics/qtpfsgui/default.nix b/pkgs/applications/graphics/qtpfsgui/default.nix index efa245cc7e9..e6a0453e533 100644 --- a/pkgs/applications/graphics/qtpfsgui/default.nix +++ b/pkgs/applications/graphics/qtpfsgui/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ qt4 exiv2 openexr fftwSinglePrec libtiff ]; + hardeningDisable = [ "format" ]; + configurePhase = '' export CPATH="${ilmbase}/include/OpenEXR:$CPATH" qmake PREFIX=$out EXIV2PATH=${exiv2}/include/exiv2 \ diff --git a/pkgs/applications/graphics/tesseract/default.nix b/pkgs/applications/graphics/tesseract/default.nix index b531c41e2d8..375b0999548 100644 --- a/pkgs/applications/graphics/tesseract/default.nix +++ b/pkgs/applications/graphics/tesseract/default.nix @@ -38,6 +38,8 @@ stdenv.mkDerivation rec { buildInputs = [ autoconf automake libtool leptonica libpng libtiff ]; + hardeningDisable = [ "format" ]; + preConfigure = '' ./autogen.sh substituteInPlace "configure" \ diff --git a/pkgs/applications/graphics/xfig/default.nix b/pkgs/applications/graphics/xfig/default.nix index ca1d5345fb6..c70b1029b79 100644 --- a/pkgs/applications/graphics/xfig/default.nix +++ b/pkgs/applications/graphics/xfig/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation { nativeBuildInputs = [ imake makeWrapper ]; + hardeningDisable = [ "format" ]; + NIX_CFLAGS_COMPILE = "-I${libXpm.dev}/include/X11"; patches = diff --git a/pkgs/applications/inferno/default.nix b/pkgs/applications/inferno/default.nix index 1a720f00300..b1574ea6963 100644 --- a/pkgs/applications/inferno/default.nix +++ b/pkgs/applications/inferno/default.nix @@ -46,6 +46,8 @@ stdenv.mkDerivation rec { --set INFERNO_ROOT "$out/share/inferno" ''; + hardeningDisable = [ "fortify" ]; + meta = { description = "A compact distributed operating system for building cross-platform distributed systems"; homepage = "http://inferno-os.org/"; diff --git a/pkgs/applications/misc/epdfview/default.nix b/pkgs/applications/misc/epdfview/default.nix index da198e6d88b..782ef4ae366 100644 --- a/pkgs/applications/misc/epdfview/default.nix +++ b/pkgs/applications/misc/epdfview/default.nix @@ -1,11 +1,17 @@ { stdenv, fetchurl, fetchpatch, pkgconfig, gtk, poppler }: + stdenv.mkDerivation rec { name = "epdfview-0.1.8"; + src = fetchurl { url = "http://trac.emma-soft.com/epdfview/chrome/site/releases/${name}.tar.bz2"; sha256 = "1w7qybh8ssl4dffi5qfajq8mndw7ipsd92vkim03nywxgjp4i1ll"; }; + buildInputs = [ pkgconfig gtk poppler ]; + + hardeningDisable = [ "format" ]; + patches = [ (fetchpatch { name = "epdfview-0.1.8-glib2-headers.patch"; url = "https://projects.archlinux.org/svntogit/community.git/plain/trunk/epdfview-0.1.8-glib2-headers.patch?h=packages/epdfview&id=40ba115c860bdec31d03a30fa594a7ec2864d634"; @@ -17,13 +23,14 @@ stdenv.mkDerivation rec { sha256 = "07yvgvai2bvbr5fa1mv6lg7nqr0qyryjn1xyjlh8nidg9k9vv001"; }) ]; + meta = { homepage = http://trac.emma-soft.com/epdfview/; description = "A lightweight PDF document viewer using Poppler and GTK+"; longDescription = '' ePDFView is a free lightweight PDF document viewer using Poppler and GTK+ libraries. The aim of ePDFView is to make a simple PDF document - viewer, in the lines of Evince but without using the Gnome libraries. + viewer, in the lines of Evince but without using the Gnome libraries. ''; license = stdenv.lib.licenses.gpl2; maintainers = with stdenv.lib.maintainers; [ astsmtl ]; diff --git a/pkgs/applications/misc/gkrellm/default.nix b/pkgs/applications/misc/gkrellm/default.nix index 934a7c69c99..cf7fdafd742 100644 --- a/pkgs/applications/misc/gkrellm/default.nix +++ b/pkgs/applications/misc/gkrellm/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { buildInputs = [gettext pkgconfig glib gtk libX11 libSM libICE]; + hardeningDisable = [ "format" ]; + # Makefiles are patched to fix references to `/usr/X11R6' and to add # `-lX11' to make sure libX11's store path is in the RPATH. patchPhase = '' diff --git a/pkgs/applications/misc/grip/default.nix b/pkgs/applications/misc/grip/default.nix index 39621536e68..e0ece09db18 100644 --- a/pkgs/applications/misc/grip/default.nix +++ b/pkgs/applications/misc/grip/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ gtk glib pkgconfig libgnome libgnomeui vte curl cdparanoia libid3tag ncurses libtool ]; + hardeningDisable = [ "format" ]; + meta = { description = "GTK+-based audio CD player/ripper"; homepage = "http://nostatic.org/grip"; diff --git a/pkgs/applications/misc/k2pdfopt/default.nix b/pkgs/applications/misc/k2pdfopt/default.nix index ce57db371dd..7c0d615f366 100644 --- a/pkgs/applications/misc/k2pdfopt/default.nix +++ b/pkgs/applications/misc/k2pdfopt/default.nix @@ -31,6 +31,8 @@ in stdenv.mkDerivation rec { openjpeg freetype jbig2dec djvulibre openssl ]; NIX_LDFLAGS = "-lX11 -lXext"; + hardeningDisable = [ "format" ]; + k2_pa = ./k2pdfopt.patch; tess_pa = ./tesseract.patch; @@ -96,7 +98,7 @@ in stdenv.mkDerivation rec { -ljbig2dec -ljpeg -lopenjp2 -lpng -lfreetype -lpthread -lmujs \ -lPgm2asc -llept -ltesseract -lcrypto - mkdir -p $out/bin + mkdir -p $out/bin cp k2pdfopt $out/bin ''; diff --git a/pkgs/applications/misc/navit/default.nix b/pkgs/applications/misc/navit/default.nix index 1be39c66642..5f70d4b5c44 100644 --- a/pkgs/applications/misc/navit/default.nix +++ b/pkgs/applications/misc/navit/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "1xx62l5srfhh9cfi7n3pxj8hpcgr1rpa0hzfmbrqadzv09z36723"; }; + hardeningDisable = [ "format" ]; + # 'cvs' is only for the autogen buildInputs = [ pkgconfig gtk SDL fontconfig freetype imlib2 SDL_image mesa libXmu freeglut python gettext quesoglc gd postgresql cmake qt4 SDL_ttf fribidi ]; diff --git a/pkgs/applications/misc/posterazor/default.nix b/pkgs/applications/misc/posterazor/default.nix index f55af543f18..b6d46cf9ed1 100644 --- a/pkgs/applications/misc/posterazor/default.nix +++ b/pkgs/applications/misc/posterazor/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1dqpdk8zl0smdg4fganp3hxb943q40619qmxjlga9jhjc01s7fq5"; }; + hardeningDisable = [ "format" ]; + buildInputs = [ cmake unzip pkgconfig libXpm fltk13 freeimage ]; unpackPhase = '' diff --git a/pkgs/applications/misc/sdcv/default.nix b/pkgs/applications/misc/sdcv/default.nix index 3859d2c82ab..8e781cd1c02 100644 --- a/pkgs/applications/misc/sdcv/default.nix +++ b/pkgs/applications/misc/sdcv/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation rec { sha256 = "1cnyv7gd1qvz8ma8545d3aq726wxrx4km7ykl97831irx5wz0r51"; }; + hardeningDisable = [ "format" ]; + patches = ( if stdenv.isDarwin then [ ./sdcv.cpp.patch-darwin ./utils.hpp.patch ] else [ ./sdcv.cpp.patch ] ); diff --git a/pkgs/applications/misc/tasknc/default.nix b/pkgs/applications/misc/tasknc/default.nix index f7460618d96..b7b9d36b4cb 100644 --- a/pkgs/applications/misc/tasknc/default.nix +++ b/pkgs/applications/misc/tasknc/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "0max5schga9hmf3vfqk2ic91dr6raxglyyjcqchzla280kxn5c28"; }; + hardeningDisable = [ "format" ]; + # # I know this is ugly, but the Makefile does strange things in this package, # so we have to: diff --git a/pkgs/applications/misc/vym/default.nix b/pkgs/applications/misc/vym/default.nix index 62f741f9eea..e595d771ec0 100644 --- a/pkgs/applications/misc/vym/default.nix +++ b/pkgs/applications/misc/vym/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig qt4 ]; + hardeningDisable = [ "format" ]; + configurePhase = '' qmake PREFIX="$out" ''; @@ -22,7 +24,7 @@ stdenv.mkDerivation rec { Such maps can help you to improve your creativity and effectivity. You can use them for time management, to organize tasks, to get an overview over complex contexts, to sort your ideas etc. - + Maps can be drawn by hand on paper or a flip chart and help to structure your thoughs. While a tree like structure like shown on this page can be drawn by hand or any drawing software vym offers much more features to work with such maps. diff --git a/pkgs/applications/misc/wordnet/default.nix b/pkgs/applications/misc/wordnet/default.nix index b244e9c1bfc..2f98bc66e9b 100644 --- a/pkgs/applications/misc/wordnet/default.nix +++ b/pkgs/applications/misc/wordnet/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { buildInputs = [tcl tk xlibsWrapper makeWrapper]; + hardeningDisable = [ "format" ]; + patchPhase = '' sed "13i#define USE_INTERP_RESULT 1" -i src/stubs.c ''; diff --git a/pkgs/applications/networking/browsers/vimprobable2/default.nix b/pkgs/applications/networking/browsers/vimprobable2/default.nix index 45aa2a9c2d1..e2d5061b92e 100644 --- a/pkgs/applications/networking/browsers/vimprobable2/default.nix +++ b/pkgs/applications/networking/browsers/vimprobable2/default.nix @@ -11,9 +11,9 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ]; - installPhase = '' - make PREFIX=/ DESTDIR=$out install - ''; + hardeningDisable = [ "format" ]; + + installFlags = "PREFIX=/ DESTDIR=$(out)"; preFixup = '' wrapProgram "$out/bin/vimprobable2" \ @@ -32,7 +32,7 @@ stdenv.mkDerivation rec { GTK bindings). The goal of Vimprobable is to build a completely keyboard-driven, efficient and pleasurable browsing-experience. Its featureset might be considered "minimalistic", but not as minimalistic as - being completely featureless. + being completely featureless. ''; homepage = "http://sourceforge.net/apps/trac/vimprobable"; license = stdenv.lib.licenses.mit; diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix index 076b3faf11f..ae1bf5bffea 100644 --- a/pkgs/applications/networking/browsers/w3m/default.nix +++ b/pkgs/applications/networking/browsers/w3m/default.nix @@ -50,6 +50,8 @@ stdenv.mkDerivation rec { ln -s $out/libexec/w3m/w3mimgdisplay $out/bin ''; + hardeningDisable = [ "format" ]; + configureFlags = "--with-ssl=${openssl} --with-gc=${boehmgc}" + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb"; diff --git a/pkgs/applications/networking/instant-messengers/silc-client/default.nix b/pkgs/applications/networking/instant-messengers/silc-client/default.nix index 133a15aebf8..b765c97fb8e 100644 --- a/pkgs/applications/networking/instant-messengers/silc-client/default.nix +++ b/pkgs/applications/networking/instant-messengers/silc-client/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation { dontDisableStatic = true; + hardeningDisable = [ "format" ]; + configureFlags = "--with-ncurses=${ncurses}"; preConfigure = stdenv.lib.optionalString enablePlugin '' diff --git a/pkgs/applications/networking/instant-messengers/vacuum/default.nix b/pkgs/applications/networking/instant-messengers/vacuum/default.nix index d7798273e7c..5148992779a 100644 --- a/pkgs/applications/networking/instant-messengers/vacuum/default.nix +++ b/pkgs/applications/networking/instant-messengers/vacuum/default.nix @@ -20,6 +20,8 @@ stdenv.mkDerivation rec { qmake INSTALL_PREFIX=$out -recursive vacuum.pro ''; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "An XMPP client fully composed of plugins"; maintainers = [ maintainers.raskin ]; diff --git a/pkgs/applications/networking/iptraf-ng/default.nix b/pkgs/applications/networking/iptraf-ng/default.nix index 368d78a36f9..746d79805f5 100644 --- a/pkgs/applications/networking/iptraf-ng/default.nix +++ b/pkgs/applications/networking/iptraf-ng/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation rec { --localstatedir=$out/var --sbindir=$out/bin ''; + hardeningDisable = [ "format" ]; + meta = { description = "A console-based network monitoring utility (fork of iptraf)"; longDescription = '' diff --git a/pkgs/applications/networking/mailreaders/alpine/default.nix b/pkgs/applications/networking/mailreaders/alpine/default.nix index 03c2c21aed0..b86de98f950 100644 --- a/pkgs/applications/networking/mailreaders/alpine/default.nix +++ b/pkgs/applications/networking/mailreaders/alpine/default.nix @@ -1,35 +1,36 @@ {stdenv, fetchurl, ncurses, tcl, openssl, pam, pkgconfig, gettext, kerberos , openldap }: + let - s = - rec { - version = "2.00"; + version = "2.00"; + baseName = "alpine"; +in +stdenv.mkDerivation { + name = "${baseName}-${version}"; + + src = fetchurl { url = "ftp://ftp.cac.washington.edu/alpine/alpine-${version}.tar.bz2"; sha256 = "19m2w21dqn55rhxbh5lr9qarc2fqa9wmpj204jx7a0zrb90bhpf8"; - baseName = "alpine"; - name = "${baseName}-${version}"; }; + buildInputs = [ ncurses tcl openssl pam kerberos openldap ]; -in -stdenv.mkDerivation { - inherit (s) name version; - inherit buildInputs; - src = fetchurl { - inherit (s) url sha256; - }; + + hardeningDisable = [ "format" "fortify" ]; + configureFlags = [ "--with-ssl-include-dir=${openssl}/include/openssl" "--with-tcl-lib=${tcl.libPrefix}" - ]; + ]; + preConfigure = '' export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s" ''; + meta = { - inherit (s) version; - description = ''Console mail reader''; + description = "Console mail reader"; license = stdenv.lib.licenses.asl20; maintainers = [stdenv.lib.maintainers.raskin]; platforms = stdenv.lib.platforms.linux; diff --git a/pkgs/applications/networking/mailreaders/realpine/default.nix b/pkgs/applications/networking/mailreaders/realpine/default.nix index c1835992158..3ff690a244b 100644 --- a/pkgs/applications/networking/mailreaders/realpine/default.nix +++ b/pkgs/applications/networking/mailreaders/realpine/default.nix @@ -2,34 +2,35 @@ , openldap }: let - s = - rec { - version = "2.03"; + baseName = "re-alpine"; + version = "2.03"; +in +stdenv.mkDerivation { + name = "${baseName}-${version}"; + inherit version; + + src = fetchurl { url = "mirror://sourceforge/re-alpine/re-alpine-${version}.tar.bz2"; sha256 = "11xspzbk9cwmklmcw6rxsan7j71ysd4m9c7qldlc59ck595k5nbh"; - baseName = "re-alpine"; - name = "${baseName}-${version}"; }; + buildInputs = [ ncurses tcl openssl pam kerberos openldap ]; -in -stdenv.mkDerivation { - inherit (s) name version; - inherit buildInputs; - src = fetchurl { - inherit (s) url sha256; - }; + + hardeningDisable = [ "format" ]; + configureFlags = [ "--with-ssl-include-dir=${openssl}/include/openssl" "--with-tcl-lib=${tcl.libPrefix}" - ]; + ]; + preConfigure = '' export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s" ''; + meta = { - inherit (s) version; - description = ''Console mail reader''; + description = "Console mail reader"; license = stdenv.lib.licenses.asl20; maintainers = [stdenv.lib.maintainers.raskin]; platforms = stdenv.lib.platforms.linux; diff --git a/pkgs/applications/networking/remote/ssvnc/default.nix b/pkgs/applications/networking/remote/ssvnc/default.nix index 956391b71f8..ed64629fe24 100644 --- a/pkgs/applications/networking/remote/ssvnc/default.nix +++ b/pkgs/applications/networking/remote/ssvnc/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { configurePhase = "makeFlags=PREFIX=$out"; + hardeningDisable = [ "format" ]; + postInstall = '' sed -i -e 's|exec wish|exec ${tk}/bin/wish|' $out/lib/ssvnc/util/ssvnc.tcl sed -i -e 's|/usr/bin/perl|${perl}/bin/perl|' $out/lib/ssvnc/util/ss_vncviewer diff --git a/pkgs/applications/science/electronics/caneda/default.nix b/pkgs/applications/science/electronics/caneda/default.nix index 404ffc5010b..dc00cef8898 100644 --- a/pkgs/applications/science/electronics/caneda/default.nix +++ b/pkgs/applications/science/electronics/caneda/default.nix @@ -19,7 +19,7 @@ stdenv.mkDerivation rec { sha256 = "dfbcac97f5a1b41ad9a63392394f37fb294cbf78c576673c9bc4a5370957b2c8"; }; - cmakeFlags = [ "-DCMAKE_BUILD_TYPE=Release" ]; + hardeningDisable = [ "format" ]; buildInputs = [ cmake qt4 libxml2 libxslt ]; diff --git a/pkgs/applications/science/geometry/drgeo/default.nix b/pkgs/applications/science/geometry/drgeo/default.nix index f0be5258ce4..22e64ee0566 100644 --- a/pkgs/applications/science/geometry/drgeo/default.nix +++ b/pkgs/applications/science/geometry/drgeo/default.nix @@ -5,6 +5,8 @@ stdenv.mkDerivation rec { name = "drgeo-${version}"; version = "1.1.0"; + hardeningDisable = [ "format" ]; + src = fetchurl { url = "mirror://sourceforge/ofset/${name}.tar.gz"; sha256 = "05i2czgzhpzi80xxghinvkyqx4ym0gm9f38fz53idjhigiivp4wc"; diff --git a/pkgs/applications/science/logic/ltl2ba/default.nix b/pkgs/applications/science/logic/ltl2ba/default.nix index f9bdd9a6b3b..8eedafcd68b 100644 --- a/pkgs/applications/science/logic/ltl2ba/default.nix +++ b/pkgs/applications/science/logic/ltl2ba/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "16z0gc7a9dkarwn0l6rvg5jdhw1q4qyn4501zlchy0zxqddz0sx6"; }; + hardeningDisable = [ "format" ]; + preConfigure = '' substituteInPlace Makefile \ --replace "CC=gcc" "" diff --git a/pkgs/applications/science/logic/otter/default.nix b/pkgs/applications/science/logic/otter/default.nix index 398f6c9a3e2..dd383f1fff6 100644 --- a/pkgs/applications/science/logic/otter/default.nix +++ b/pkgs/applications/science/logic/otter/default.nix @@ -17,6 +17,9 @@ stdenv.mkDerivation { src = fetchurl { inherit (s) url sha256; }; + + hardeningDisable = [ "format" ]; + buildPhase = '' find . -name Makefile | xargs sed -i -e "s@/bin/rm@$(type -P rm)@g" find . -name Makefile | xargs sed -i -e "s@/bin/mv@$(type -P mv)@g" @@ -32,11 +35,13 @@ stdenv.mkDerivation { make -C source/formed realclean make -C source/formed formed ''; + installPhase = '' mkdir -p "$out"/{bin,share/otter} cp bin/* source/formed/formed "$out/bin/" cp -r examples examples-mace2 documents README* Legal Changelog Contents index.html "$out/share/otter/" ''; + meta = { inherit (s) version; description = "A reliable first-order theorem prover"; diff --git a/pkgs/applications/science/logic/prover9/default.nix b/pkgs/applications/science/logic/prover9/default.nix index d92c7887210..9c09ea3db98 100644 --- a/pkgs/applications/science/logic/prover9/default.nix +++ b/pkgs/applications/science/logic/prover9/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation { sha256 = "1l2i3d3h5z7nnbzilb6z92r0rbx0kh6yaxn2c5qhn3000xcfsay3"; }; - phases = "unpackPhase patchPhase buildPhase installPhase"; + hardeningDisable = [ "format" ]; patchPhase = '' RM=$(type -tp rm) @@ -23,6 +23,8 @@ stdenv.mkDerivation { buildFlags = "all"; + checkPhase = "make test1"; + installPhase = '' mkdir -p $out/bin cp bin/* $out/bin diff --git a/pkgs/applications/science/math/cbc/default.nix b/pkgs/applications/science/math/cbc/default.nix index 0d1ef26092e..7643c912db4 100644 --- a/pkgs/applications/science/math/cbc/default.nix +++ b/pkgs/applications/science/math/cbc/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation { enableParallelBuilding = true; + hardeningDisable = [ "format" ]; + buildInputs = [ zlib bzip2 ]; # FIXME: move share/coin/Data to a separate output? diff --git a/pkgs/applications/science/math/perseus/default.nix b/pkgs/applications/science/math/perseus/default.nix index 94029a04349..ae63716f106 100644 --- a/pkgs/applications/science/math/perseus/default.nix +++ b/pkgs/applications/science/math/perseus/default.nix @@ -5,6 +5,8 @@ stdenv.mkDerivation { version = "4-beta"; buildInputs = [unzip gcc48]; + hardeningDisable = [ "stackprotector" ]; + src = fetchurl { url = "http://www.sas.upenn.edu/~vnanda/source/perseus_4_beta.zip"; sha256 = "09brijnqabhgfjlj5wny0bqm5dwqcfkp1x5wif6yzdmqh080jybj"; @@ -30,7 +32,7 @@ stdenv.mkDerivation { around datasets arising from point samples, images, distance matrices and so forth. ''; - homepage = "www.sas.upenn.edu/~vnanda/perseus/index.html"; + homepage = "http://www.sas.upenn.edu/~vnanda/perseus/index.html"; license = stdenv.lib.licenses.gpl3; maintainers = with stdenv.lib.maintainers; [erikryb]; platforms = stdenv.lib.platforms.linux; diff --git a/pkgs/applications/science/math/qalculate-gtk/default.nix b/pkgs/applications/science/math/qalculate-gtk/default.nix index 6bc5d874bc0..d27f998b793 100644 --- a/pkgs/applications/science/math/qalculate-gtk/default.nix +++ b/pkgs/applications/science/math/qalculate-gtk/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0b986x5yny9vrzgxlbyg80b23mxylxv2zz8ppd9svhva6vi8xsm4"; }; + hardeningDisable = [ "format" ]; + nativeBuildInputs = [ intltool pkgconfig ]; buildInputs = [ libqalculate gtk gnome2.libglade gnome2.libgnome gnome2.scrollkeeper ]; diff --git a/pkgs/applications/science/math/singular/default.nix b/pkgs/applications/science/math/singular/default.nix index 8bae1d6206d..a0fdf7c8239 100644 --- a/pkgs/applications/science/math/singular/default.nix +++ b/pkgs/applications/science/math/singular/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation rec { find . -exec sed -e 's@/bin/uname@${coreutils}&@g' -i '{}' ';' ''; + hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector"; + postInstall = '' rm -rf "$out/LIB" cp -r Singular/LIB "$out" diff --git a/pkgs/applications/science/math/yacas/default.nix b/pkgs/applications/science/math/yacas/default.nix index 2c9d63be1b4..adf87c4ee5b 100644 --- a/pkgs/applications/science/math/yacas/default.nix +++ b/pkgs/applications/science/math/yacas/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1dmafm3w0lm5w211nwkfzaid1rvvmgskz7k4500pjhgdczi5sd78"; }; + hardeningDisable = [ "format" ]; + # Perl is only for the documentation nativeBuildInputs = [ perl ]; @@ -32,7 +34,7 @@ stdenv.mkDerivation rec { ''; }; - meta = { + meta = { description = "Easy to use, general purpose Computer Algebra System"; homepage = http://yacas.sourceforge.net/; license = stdenv.lib.licenses.gpl2Plus; diff --git a/pkgs/applications/version-management/cvs/default.nix b/pkgs/applications/version-management/cvs/default.nix index e9de202a809..20d027da1f3 100644 --- a/pkgs/applications/version-management/cvs/default.nix +++ b/pkgs/applications/version-management/cvs/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { patches = [ ./getcwd-chroot.patch ]; + hardeningDisable = [ "format" ]; + preConfigure = '' # Apply the Debian patches. for p in "debian/patches/"*; do diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix index 4f41ffb916e..cb64218b52d 100644 --- a/pkgs/applications/version-management/git-and-tools/git/default.nix +++ b/pkgs/applications/version-management/git-and-tools/git/default.nix @@ -22,6 +22,8 @@ stdenv.mkDerivation { sha256 = "0k77b5x41k80fqqmkmg59rdvs92xgp73iigh01l49h383r7rl2cs"; }; + hardeningDisable = [ "format" ]; + patches = [ ./docbook2texi.patch ./symlinks-in-bin.patch diff --git a/pkgs/applications/version-management/git-and-tools/qgit/default.nix b/pkgs/applications/version-management/git-and-tools/qgit/default.nix index a7e6a62ce5f..6cafe4f9624 100644 --- a/pkgs/applications/version-management/git-and-tools/qgit/default.nix +++ b/pkgs/applications/version-management/git-and-tools/qgit/default.nix @@ -2,21 +2,26 @@ stdenv.mkDerivation rec { name = "qgit-2.5"; - meta = - { - license = stdenv.lib.licenses.gpl2; - homepage = "http://libre.tibirna.org/projects/qgit/wiki/QGit"; - description = "Graphical front-end to Git"; - inherit (qt.meta) platforms; - }; - src = fetchurl - { + + src = fetchurl { url = "http://libre.tibirna.org/attachments/download/9/${name}.tar.gz"; sha256 = "25f1ca2860d840d87b9919d34fc3a1b05d4163671ed87d29c3e4a8a09e0b2499"; }; + buildInputs = [qt libXext libX11]; + + hardeningDisable = [ "format" ]; + configurePhase = "qmake PREFIX=$out"; + installPhase = '' install -s -D -m 755 bin/qgit "$out/bin/qgit" ''; + + meta = { + license = stdenv.lib.licenses.gpl2; + homepage = "http://libre.tibirna.org/projects/qgit/wiki/QGit"; + description = "Graphical front-end to Git"; + inherit (qt.meta) platforms; + }; } diff --git a/pkgs/applications/version-management/redmine/default.nix b/pkgs/applications/version-management/redmine/default.nix index 3a8df10f166..2f03d582a94 100644 --- a/pkgs/applications/version-management/redmine/default.nix +++ b/pkgs/applications/version-management/redmine/default.nix @@ -11,6 +11,8 @@ in stdenv.mkDerivation rec { sha256 = "0x0zwxyj4dwbk7l64s3lgny10mjf0ba8jwrbafsm4d72sncmacv0"; }; + hardeningDisable = [ "format" ]; + # taken from redmine (2.5.1-2~bpo70+3) in debian wheezy-backports # needed to separate run-time and build-time directories patches = [ @@ -18,6 +20,7 @@ in stdenv.mkDerivation rec { ./2004_FHS_plugins_assets.patch ./2003_externalize_session_config.patch ]; + postPatch = '' substituteInPlace lib/redmine/plugin.rb --replace "File.join(Rails.root, 'plugins')" "ENV['RAILS_PLUGINS']" substituteInPlace lib/redmine/plugin.rb --replace "File.join(Rails.root, 'plugins', id.to_s, 'db', 'migrate')" "File.join(ENV['RAILS_PLUGINS'], id.to_s, 'db', 'migrate')" diff --git a/pkgs/applications/video/aegisub/default.nix b/pkgs/applications/video/aegisub/default.nix index a5c14d0888f..cbaea3eb18b 100644 --- a/pkgs/applications/video/aegisub/default.nix +++ b/pkgs/applications/video/aegisub/default.nix @@ -43,6 +43,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "bindnow" "relro" ]; + postInstall = "ln -s $out/bin/aegisub-* $out/bin/aegisub"; meta = { diff --git a/pkgs/applications/virtualization/OVMF/default.nix b/pkgs/applications/virtualization/OVMF/default.nix index 479d625c7de..fc3c679d414 100644 --- a/pkgs/applications/virtualization/OVMF/default.nix +++ b/pkgs/applications/virtualization/OVMF/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation (edk2.setup "OvmfPkg/OvmfPkg${targetArch}.dsc" { # TODO: properly include openssl for secureBoot buildInputs = [nasm iasl] ++ stdenv.lib.optionals (secureBoot == true) [ openssl ]; + hardeningDisable = [ "stackprotector" "pic" "fortify" ]; + unpackPhase = '' for file in \ "${edk2.src}"/{UefiCpuPkg,MdeModulePkg,IntelFrameworkModulePkg,PcAtChipsetPkg,FatBinPkg,EdkShellBinPkg,MdePkg,ShellPkg,OptionRomPkg,IntelFrameworkPkg}; diff --git a/pkgs/applications/virtualization/bochs/default.nix b/pkgs/applications/virtualization/bochs/default.nix index 2cf57d78ba0..8c420b11f55 100644 --- a/pkgs/applications/virtualization/bochs/default.nix +++ b/pkgs/applications/virtualization/bochs/default.nix @@ -145,7 +145,9 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE="-I${gtk.dev}/include/gtk-2.0/ -I${libtool}/include/"; NIX_LDFLAGS="-L${libtool.lib}/lib"; - + + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "An open-source IA-32 (x86) PC emulator"; longDescription = '' diff --git a/pkgs/applications/virtualization/cbfstool/default.nix b/pkgs/applications/virtualization/cbfstool/default.nix index d99f569d7e6..dc78236677f 100644 --- a/pkgs/applications/virtualization/cbfstool/default.nix +++ b/pkgs/applications/virtualization/cbfstool/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ iasl flex bison ]; + hardeningDisable = [ "fortify" ]; + buildPhase = '' export LEX=${flex}/bin/flex make -C util/cbfstool diff --git a/pkgs/applications/virtualization/qboot/default.nix b/pkgs/applications/virtualization/qboot/default.nix index e4439ec124f..0c6e3991b1c 100644 --- a/pkgs/applications/virtualization/qboot/default.nix +++ b/pkgs/applications/virtualization/qboot/default.nix @@ -12,7 +12,9 @@ stdenv.mkDerivation { installPhase = '' mkdir -p $out cp bios.bin* $out/. - ''; + ''; + + hardeningDisable = [ "stackprotector" "pic" ]; meta = { description = "A simple x86 firmware for booting Linux"; diff --git a/pkgs/applications/virtualization/seabios/default.nix b/pkgs/applications/virtualization/seabios/default.nix index 8e6a7fcb0d2..3bc95a1c392 100644 --- a/pkgs/applications/virtualization/seabios/default.nix +++ b/pkgs/applications/virtualization/seabios/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ iasl python ]; + hardeningDisable = [ "pic" "stackprotector" ]; + configurePhase = '' # build SeaBIOS for CSM cat > .config << EOF @@ -21,12 +23,12 @@ stdenv.mkDerivation rec { EOF make olddefconfig - ''; + ''; installPhase = '' mkdir $out cp out/Csm16.bin $out/Csm16.bin - ''; + ''; meta = with stdenv.lib; { description = "Open source implementation of a 16bit X86 BIOS"; diff --git a/pkgs/applications/virtualization/virtualbox/default.nix b/pkgs/applications/virtualization/virtualbox/default.nix index f09480ba394..ce7780277d7 100644 --- a/pkgs/applications/virtualization/virtualbox/default.nix +++ b/pkgs/applications/virtualization/virtualbox/default.nix @@ -74,6 +74,8 @@ in stdenv.mkDerivation { ++ optional pythonBindings python ++ optional pulseSupport libpulseaudio; + hardeningDisable = [ "fortify" "pic" "stackprotector" ]; + prePatch = '' set -x MODULES_BUILD_DIR=`echo ${kernel.dev}/lib/modules/*/build` diff --git a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix index ba32ff98b0d..a898325f635 100644 --- a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix +++ b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation { KERN_DIR = "${kernel.dev}/lib/modules/*/build"; + hardeningDisable = [ "pic" ]; + buildInputs = [ patchelf cdrkit makeWrapper dbus ]; installPhase = '' diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix index c830fccb120..a62a1a20092 100644 --- a/pkgs/applications/virtualization/xen/generic.nix +++ b/pkgs/applications/virtualization/xen/generic.nix @@ -48,6 +48,8 @@ stdenv.mkDerivation { pythonPath = [ pythonPackages.curses ]; + hardeningDisable = [ "stackprotector" "fortify" "pic" ]; + patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches; postPatch = '' diff --git a/pkgs/applications/window-managers/stalonetray/default.nix b/pkgs/applications/window-managers/stalonetray/default.nix index 5ef5ba769c4..3b5af42a8be 100644 --- a/pkgs/applications/window-managers/stalonetray/default.nix +++ b/pkgs/applications/window-managers/stalonetray/default.nix @@ -3,12 +3,16 @@ stdenv.mkDerivation rec { name = "stalonetray-${version}"; version = "0.8.1"; + src = fetchurl { url = "mirror://sourceforge/stalonetray/${name}.tar.bz2"; sha256 = "1wp8pnlv34w7xizj1vivnc3fkwqq4qgb9dbrsg15598iw85gi8ll"; }; + buildInputs = [ libX11 xproto ]; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "Stand alone tray"; maintainers = with maintainers; [ raskin ]; diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening new file mode 100644 index 00000000000..d5966136b9d --- /dev/null +++ b/pkgs/build-support/cc-wrapper/add-hardening @@ -0,0 +1,61 @@ +hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow) +hardeningFlags+=("${hardeningEnable[@]}") +hardeningCFlags=() +hardeningLDFlags=() +hardeningDisable=${hardeningDisable:-""} + +if [[ "$($LD -z 2>&1)" =~ "unknown option" ]]; then + hardeningDisable+=" bindnow relro" +fi + +if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi + +if [[ ! $hardeningDisable == "all" ]]; then + if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi + for flag in "${hardeningFlags[@]}" + do + if [[ ! "${hardeningDisable}" =~ "$flag" ]]; then + case $flag in + fortify) + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify >&2; fi + hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2') + ;; + stackprotector) + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackprotector >&2; fi + hardeningCFlags+=('-fstack-protector-strong' '--param ssp-buffer-size=4') + ;; + pie) + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi + hardeningCFlags+=('-fPIE') + if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi + hardeningLDFlags+=('-pie') + fi + ;; + pic) + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling pic >&2; fi + hardeningCFlags+=('-fPIC') + ;; + strictoverflow) + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling strictoverflow >&2; fi + hardeningCFlags+=('-fno-strict-overflow') + ;; + format) + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling format >&2; fi + hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security') + ;; + relro) + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling relro >&2; fi + hardeningLDFlags+=('-z relro') + ;; + bindnow) + if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow >&2; fi + hardeningLDFlags+=('-z now') + ;; + *) + echo "Hardening flag unknown: $flag" >&2 + ;; + esac + fi + done +fi diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh index 894ea95b5fa..688dd7be1c6 100644 --- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh @@ -65,7 +65,6 @@ if [ "$nonFlagArgs" = 0 ]; then dontLink=1 fi - # Optionally filter out paths not refering to the store. if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" ]; then rest=() @@ -110,16 +109,18 @@ if [[ "$isCpp" = 1 ]]; then NIX_CFLAGS_LINK="$NIX_CFLAGS_LINK $NIX_CXXSTDLIB_LINK" fi +LD=@ldPath@/ld +source @out@/nix-support/add-hardening.sh + # Add the flags for the C compiler proper. -extraAfter=($NIX_CFLAGS_COMPILE) +extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]}) extraBefore=() - if [ "$dontLink" != 1 ]; then # Add the flags that should only be passed to the compiler when # linking. - extraAfter+=($NIX_CFLAGS_LINK) + extraAfter+=($NIX_CFLAGS_LINK ${hardeningLDFlags[@]}) # Add the flags that should be passed to the linker (and prevent # `ld-wrapper' from adding NIX_LDFLAGS again). diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix index 6cdd0477244..0d862fe53de 100644 --- a/pkgs/build-support/cc-wrapper/default.nix +++ b/pkgs/build-support/cc-wrapper/default.nix @@ -236,6 +236,7 @@ stdenv.mkDerivation { rm $out/nix-support/setup-hook.tmp substituteAll ${./add-flags} $out/nix-support/add-flags.sh + cp -p ${./add-hardening} $out/nix-support/add-hardening.sh cp -p ${./utils.sh} $out/nix-support/utils.sh '' + extraBuildCommands; diff --git a/pkgs/build-support/cc-wrapper/ld-wrapper.sh b/pkgs/build-support/cc-wrapper/ld-wrapper.sh index 28d73f046e6..44d9a047936 100644 --- a/pkgs/build-support/cc-wrapper/ld-wrapper.sh +++ b/pkgs/build-support/cc-wrapper/ld-wrapper.sh @@ -47,8 +47,10 @@ if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \ params=("${rest[@]}") fi +LD=@prog@ +source @out@/nix-support/add-hardening.sh -extra=() +extra=(${hardeningLDFlags[@]}) extraBefore=() if [ -z "$NIX_LDFLAGS_SET" ]; then @@ -56,7 +58,7 @@ if [ -z "$NIX_LDFLAGS_SET" ]; then extraBefore+=($NIX_LDFLAGS_BEFORE) fi -extra+=($NIX_LDFLAGS_AFTER) +extra+=($NIX_LDFLAGS_AFTER $NIX_LDFLAGS_HARDEN) # Add all used dynamic libraries to the rpath. diff --git a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix index 2aa47d799c9..7eef5af0adc 100644 --- a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix +++ b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71"; }; + hardeningDisable = [ "format" ]; + patches = [ ./glib.patch ./cups_1.6.patch ]; buildInputs = [ pkgconfig gtk gettext intltool libart_lgpl ]; diff --git a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix index 6aab400c60a..be288b809d4 100644 --- a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix +++ b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix @@ -2,12 +2,14 @@ stdenv.mkDerivation { name = "libgtkhtml-2.11.1"; - + src = fetchurl { url = mirror://gnome/sources/libgtkhtml/2.11/libgtkhtml-2.11.1.tar.bz2; sha256 = "0msajafd42545dxzyr5zqka990cjrxw2yz09ajv4zs8m1w6pm9rw"; }; - + buildInputs = [ pkgconfig gtk gettext ]; propagatedBuildInputs = [ libxml2 ]; + + hardeningDisable = [ "format" ]; } diff --git a/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix b/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix index 12065b53600..a228d12509b 100644 --- a/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix +++ b/pkgs/desktops/gnome-3/3.18/misc/libgda/default.nix @@ -17,6 +17,8 @@ in stdenv.mkDerivation rec { "--enable-gi-system-install=no" ]; + hardeningDisable = [ "format" ]; + enableParallelBuilding = true; buildInputs = [ pkgconfig intltool itstool libxml2 gtk3 openssl ]; diff --git a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix index 03e9dc9a007..ed83dd03eca 100644 --- a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix +++ b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix @@ -1,18 +1,20 @@ -{ kde, cmake, smokeqt, ruby }: +{ kde, cmake, smokeqt, ruby_2_2 }: kde { # TODO: scintilla2, qwt5 - buildInputs = [ smokeqt ruby ]; + buildInputs = [ smokeqt ruby_2_2 ]; nativeBuildInputs = [ cmake ]; + hardeningDisable = [ "all" ]; + # The patch is not ready for upstream submmission. # I should add an option() instead. patches = [ ./qtruby-install-prefix.patch ]; - cmakeFlags="-DRUBY_ROOT_DIR=${ruby}"; + cmakeFlags="-DRUBY_ROOT_DIR=${ruby_2_2}"; meta = { description = "Ruby bindings for Qt library"; diff --git a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix index 603a68cc5f6..44269070609 100644 --- a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix +++ b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig intltool glib exo pcre libxfce4util libxfce4ui xfce4panel xfconf gtk ]; + hardeningDisable = [ "format" ]; + meta = { homepage = "http://goodies.xfce.org/projects/panel-plugins/${p_name}"; description = "A command-line plugin"; diff --git a/pkgs/development/compilers/ccl/default.nix b/pkgs/development/compilers/ccl/default.nix index e5e07705a18..ee0153c13b0 100644 --- a/pkgs/development/compilers/ccl/default.nix +++ b/pkgs/development/compilers/ccl/default.nix @@ -5,7 +5,7 @@ let /* TODO: there are also MacOS, FreeBSD and Windows versions */ x86_64-linux = { arch = "linuxx86"; - sha256 = "0d2vhp5n74yhwixnvlsnp7dzaf9aj6zd2894hr2728djyd8x9fx6"; + sha256 = "07cny2qkzc624bzpdsy4iakcln0p7v5rhf8bv0vnh6rhpvnahrnq"; runtime = "lx86cl64"; kernel = "linuxx8664"; }; diff --git a/pkgs/development/compilers/clean/default.nix b/pkgs/development/compilers/clean/default.nix index 7f3e679e847..3fed2289f95 100644 --- a/pkgs/development/compilers/clean/default.nix +++ b/pkgs/development/compilers/clean/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { }) else throw "Architecture not supported"; + hardeningDisable = [ "format" "pic" ]; + # clm uses timestamps of dcl, icl, abc and o files to decide what must be rebuild # and for chroot builds all of the library files will have equal timestamps. This # makes clm try to rebuild the library modules (and fail due to absence of write permission diff --git a/pkgs/development/compilers/dev86/default.nix b/pkgs/development/compilers/dev86/default.nix index f37dae80830..900cb92ab80 100644 --- a/pkgs/development/compilers/dev86/default.nix +++ b/pkgs/development/compilers/dev86/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation { sha256 = "33398b87ca85e2b69e4062cf59f2f7354af46da5edcba036c6f97bae17b8d00e"; }; + hardeningDisable = [ "format" ]; + makeFlags = "PREFIX=$(out)"; # Awful hackery to get dev86 to compile with recent gcc/binutils. diff --git a/pkgs/development/compilers/ecl/default.nix b/pkgs/development/compilers/ecl/default.nix index a04ec454cae..1b8b8d862cf 100644 --- a/pkgs/development/compilers/ecl/default.nix +++ b/pkgs/development/compilers/ecl/default.nix @@ -23,9 +23,11 @@ in stdenv.mkDerivation { inherit (s) name version; inherit buildInputs propagatedBuildInputs; + src = fetchurl { inherit (s) url sha256; }; + configureFlags = [ "--enable-threads" "--with-gmp-prefix=${gmp}" @@ -35,9 +37,13 @@ stdenv.mkDerivation { (stdenv.lib.optional (! noUnicode) "--enable-unicode") ; + + hardeningDisable = [ "format" ]; + postInstall = '' sed -e 's/@[-a-zA-Z_]*@//g' -i $out/bin/ecl-config ''; + meta = { inherit (s) version; description = "Lisp implementation aiming to be small, fast and easy to embed"; diff --git a/pkgs/development/compilers/edk2/default.nix b/pkgs/development/compilers/edk2/default.nix index f68681e6023..da178e80a1a 100644 --- a/pkgs/development/compilers/edk2/default.nix +++ b/pkgs/development/compilers/edk2/default.nix @@ -11,7 +11,7 @@ else edk2 = stdenv.mkDerivation { name = "edk2-2014-12-10"; - + src = fetchgit { url = git://github.com/tianocore/edk2; rev = "684a565a04"; @@ -20,9 +20,9 @@ edk2 = stdenv.mkDerivation { buildInputs = [ libuuid pythonFull ]; - buildPhase = '' - make -C BaseTools - ''; + makeFlags = "-C BaseTools"; + + hardeningDisable = [ "format" "fortify" ]; installPhase = '' mkdir -vp $out diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix index 6cde7aba92a..7d84cb24516 100644 --- a/pkgs/development/compilers/gcc/4.5/default.nix +++ b/pkgs/development/compilers/gcc/4.5/default.nix @@ -134,6 +134,8 @@ stdenv.mkDerivation ({ inherit langC langCC langFortran langJava langAda; }; + hardeningDisable = [ "format" ] ++ optional (name != "gnat") "all"; + patches = [ ] ++ optional (cross != null) ../libstdc++-target.patch @@ -207,7 +209,7 @@ stdenv.mkDerivation ({ nativeBuildInputs = [ texinfo which ] ++ optional (perl != null) perl; - + buildInputs = [ gmp mpfr libmpc libelf gettext ] ++ (optional (ppl != null) ppl) ++ (optional (cloogppl != null) cloogppl) diff --git a/pkgs/development/compilers/gcc/4.6/default.nix b/pkgs/development/compilers/gcc/4.6/default.nix index bc968d1f66e..bdffbc043d0 100644 --- a/pkgs/development/compilers/gcc/4.6/default.nix +++ b/pkgs/development/compilers/gcc/4.6/default.nix @@ -193,6 +193,8 @@ stdenv.mkDerivation ({ inherit patches enableMultilib; + hardeningDisable = [ "format" ]; + libc_dev = stdenv.cc.libc_dev; postPatch = diff --git a/pkgs/development/compilers/gcc/4.8/default.nix b/pkgs/development/compilers/gcc/4.8/default.nix index 09e3751580c..823b104e6e4 100644 --- a/pkgs/development/compilers/gcc/4.8/default.nix +++ b/pkgs/development/compilers/gcc/4.8/default.nix @@ -216,6 +216,8 @@ stdenv.mkDerivation ({ inherit patches; + hardeningDisable = [ "format" ]; + outputs = [ "out" "lib" "doc" ]; setOutputFlags = false; NIX_NO_SELF_RPATH = true; diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix index 2d568980fd4..736b4e59e6d 100644 --- a/pkgs/development/compilers/gcc/4.9/default.nix +++ b/pkgs/development/compilers/gcc/4.9/default.nix @@ -218,6 +218,8 @@ stdenv.mkDerivation ({ inherit patches; + hardeningDisable = [ "format" ]; + outputs = if langJava || langGo then ["out" "man" "info"] else [ "out" "lib" "man" "info" ]; setOutputFlags = false; diff --git a/pkgs/development/compilers/gcc/5/default.nix b/pkgs/development/compilers/gcc/5/default.nix index 20c60eac309..f54ca304042 100644 --- a/pkgs/development/compilers/gcc/5/default.nix +++ b/pkgs/development/compilers/gcc/5/default.nix @@ -215,6 +215,9 @@ stdenv.mkDerivation ({ sha256 = "1ny4smkp5bzs3cp8ss7pl6lk8yss0d9m4av1mvdp72r1x695akxq"; }; + # FIXME stackprotector needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" "format" ]; + inherit patches; outputs = [ "out" "lib" "man" "info" ]; diff --git a/pkgs/development/compilers/gcc/gfortran-darwin.nix b/pkgs/development/compilers/gcc/gfortran-darwin.nix index 66f273482cf..5162f311e4e 100644 --- a/pkgs/development/compilers/gcc/gfortran-darwin.nix +++ b/pkgs/development/compilers/gcc/gfortran-darwin.nix @@ -7,12 +7,18 @@ stdenv.mkDerivation rec { name = "gfortran-${version}"; version = "5.1.0"; - buildInputs = [gmp mpfr libmpc isl_0_14 cloog zlib]; + + buildInputs = [ gmp mpfr libmpc isl_0_14 cloog zlib ]; + src = fetchurl { url = "mirror://gnu/gcc/gcc-${version}/gcc-${version}.tar.bz2"; sha256 = "1bd5vj4px3s8nlakbgrh38ynxq4s654m6nxz7lrj03mvkkwgvnmp"; }; + patches = ./gfortran-darwin.patch; + + hardeningDisable = [ "format" ]; + configureFlags = '' --disable-bootstrap --disable-cloog-version-check @@ -28,11 +34,15 @@ stdenv.mkDerivation rec { --with-native-system-header-dir=${Libsystem}/include --with-system-zlib ''; + postConfigure = '' export DYLD_LIBRARY_PATH=`pwd`/`uname -m`-apple-darwin`uname -r`/libgcc ''; - makeFlags = ["CC=clang"]; + + makeFlags = [ "CC=clang" ]; + passthru.cc = stdenv.cc.cc; + meta = with stdenv.lib; { description = "GNU Fortran compiler, part of the GNU Compiler Collection"; homepage = "https://gcc.gnu.org/fortran/"; diff --git a/pkgs/development/compilers/gcl/default.nix b/pkgs/development/compilers/gcl/default.nix index cf5b862646e..cf25f989c7c 100644 --- a/pkgs/development/compilers/gcl/default.nix +++ b/pkgs/development/compilers/gcl/default.nix @@ -32,24 +32,9 @@ stdenv.mkDerivation rec { "--enable-ansi" ]; - # Upstream bug submitted - http://savannah.gnu.org/bugs/index.php?30371 - # $TMPDIR must have no extension - # setVars = a.noDepEntry '' - # export TMPDIR="''${TMPDIR:-''${TMP:-''${TEMP}}}/tmp-for-gcl" - # mkdir -p "$TMPDIR" - # ''; - - preBuild = '' - # sed -re "s@/bin/cat@$(which cat)@g" -i configure */configure - # sed -re "s@if test -d /proc/self @if false @" -i configure - # sed -re 's^([ \t])cpp ^\1cpp -I${stdenv.cc.cc}/include -I${stdenv.cc.libc}/include ^g' -i makefile - - export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -fgnu89-inline" - ''; - - /* doConfigure should be removed if not needed */ - # phaseNames = ["setVars" "doUnpack" "preBuild" - # "doConfigure" "doMakeInstall"]; + hardeningDisable = [ "pic" ]; + + NIX_CFLAGS_COMPILE = "-fgnu89-inline"; meta = { description = "GNU Common Lisp compiler working via GCC"; diff --git a/pkgs/development/compilers/ghc/6.10.4.nix b/pkgs/development/compilers/ghc/6.10.4.nix index d8d25ef8082..9a816797291 100644 --- a/pkgs/development/compilers/ghc/6.10.4.nix +++ b/pkgs/development/compilers/ghc/6.10.4.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ghc libedit perl gmp]; + hardeningDisable = [ "format" ]; + configureFlags = [ "--with-gmp-libraries=${gmp.out}/lib" "--with-gmp-includes=${gmp.dev}/include" diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix index 3a1f39eab24..3161b9f70b7 100644 --- a/pkgs/development/compilers/go/1.4.nix +++ b/pkgs/development/compilers/go/1.4.nix @@ -20,6 +20,8 @@ stdenv.mkDerivation rec { buildInputs = [ pcre ]; propagatedBuildInputs = lib.optional stdenv.isDarwin Security; + hardeningDisable = [ "all" ]; + # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. preUnpack = '' diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix index b5bfac85028..7f7abd8a6e7 100644 --- a/pkgs/development/compilers/go/1.5.nix +++ b/pkgs/development/compilers/go/1.5.nix @@ -29,6 +29,8 @@ stdenv.mkDerivation rec { Security Foundation ]; + hardeningDisable = [ "all" ]; + # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. preUnpack = '' diff --git a/pkgs/development/compilers/go/1.6.nix b/pkgs/development/compilers/go/1.6.nix index d9924c56744..7572dfddd30 100644 --- a/pkgs/development/compilers/go/1.6.nix +++ b/pkgs/development/compilers/go/1.6.nix @@ -29,6 +29,8 @@ stdenv.mkDerivation rec { Security Foundation ]; + hardeningDisable = [ "all" ]; + # I'm not sure what go wants from its 'src', but the go installation manual # describes an installation keeping the src. preUnpack = '' diff --git a/pkgs/development/compilers/gprolog/default.nix b/pkgs/development/compilers/gprolog/default.nix index f2b5a04df98..c63cb85f5f1 100644 --- a/pkgs/development/compilers/gprolog/default.nix +++ b/pkgs/development/compilers/gprolog/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "13miyas47bmijmadm68cbvb21n4s156gjafz7kfx9brk9djfkh0q"; }; + hardeningDisable = stdenv.lib.optional stdenv.isi686 "pic"; + patchPhase = '' sed -i -e "s|/tmp/make.log|$TMPDIR/make.log|g" src/Pl2Wam/check_boot ''; diff --git a/pkgs/development/compilers/mkcl/default.nix b/pkgs/development/compilers/mkcl/default.nix index af1ebd6a196..1678a6e5091 100644 --- a/pkgs/development/compilers/mkcl/default.nix +++ b/pkgs/development/compilers/mkcl/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper ]; propagatedBuildInputs = [ gmp ]; + hardeningDisable = [ "format" ]; + configureFlags = [ "GMP_CFLAGS=-I${gmp.dev}/include" "GMP_LDFLAGS=-L${gmp.out}/lib" diff --git a/pkgs/development/compilers/qcmm/builder.sh b/pkgs/development/compilers/qcmm/builder.sh deleted file mode 100644 index acdfbaa08dc..00000000000 --- a/pkgs/development/compilers/qcmm/builder.sh +++ /dev/null @@ -1,29 +0,0 @@ -source $stdenv/setup - -configureFlags="--with-lua=$lua" - -MKFLAGS="-w$lua/include/lauxlib.h,$lua/include/luadebug.h,$lua/include/lua.h,$lua/include/lualib.h" - -buildPhase() { - mk timestamps - mk $MKFLAGS all.opt -} - -installPhase() { - mk $MKFLAGS install.opt - - for file in $out/bin/*.opt; do - mv $file ${file%.opt} - done - - find $out/man -type f -exec gzip -9n {} \; - - find $out -name \*.a -exec echo stripping {} \; \ - -exec strip -S {} \; - - patchELF $out -} - -checkPhase="mk $MKFLAGS test.opt" - -genericBuild diff --git a/pkgs/development/compilers/qcmm/default.nix b/pkgs/development/compilers/qcmm/default.nix deleted file mode 100644 index a221ae29f04..00000000000 --- a/pkgs/development/compilers/qcmm/default.nix +++ /dev/null @@ -1,12 +0,0 @@ -{stdenv, fetchurl, mk, ocaml, noweb, lua, groff }: -stdenv.mkDerivation { - name = "qcmm-2006-01-31"; - src = fetchurl { - url = http://tarballs.nixos.org/qc--20060131.tar.gz; - md5 = "9097830775bcf22c9bad54f389f5db23"; - }; - buildInputs = [ mk ocaml noweb groff ]; - patches = [ ./qcmm.patch ]; - builder = ./builder.sh; - inherit lua; -} diff --git a/pkgs/development/compilers/qcmm/qcmm.patch b/pkgs/development/compilers/qcmm/qcmm.patch deleted file mode 100644 index 414f18a9f73..00000000000 --- a/pkgs/development/compilers/qcmm/qcmm.patch +++ /dev/null @@ -1,121 +0,0 @@ -diff -ur qc--20060131.orig/configure qc--20060131/configure ---- qc--20060131.orig/configure 2005-11-05 22:15:24.000000000 +0100 -+++ qc--20060131/configure 2006-02-02 14:29:07.000000000 +0100 -@@ -93,7 +93,22 @@ - # for file in dirs and return, full path, if found, and "" otherwise. - # - --sub search { search_with( sub($) { return (-f shift) }, @_) } -+sub combine { -+ my $base = shift; -+ my $file = shift; -+ return ("$base/$file") -+}; -+ -+sub search { search_with( sub($) { return (-f shift) }, \&combine, @_) } -+ -+sub search_suffix { -+ my $f = sub($) { -+ my $suffix = shift; -+ my $base = shift; -+ return ($base . $suffix); -+ }; -+ search_with(sub($) { return (-f shift) }, $f, @_) -+} - - sub searchx { - my $f = sub($) { -@@ -105,16 +120,17 @@ - } - return (1==2); # how do you write false in perl? - }; -- search_with($f, @_) -+ search_with($f, \&combine, @_) - } - - sub search_with { - my $p = shift; -+ my $com = shift; - my $file = shift; - -- printf(LOG "searching for %-20s", $file); -+ printf(LOG "searching for %-20s ", $file); - while ($f = shift (@_)) { -- my $x = "$f/$file"; -+ my $x = &$com($f, $file); - if (&$p($x)) { - print LOG "found $x\n"; - return $x -@@ -124,6 +140,20 @@ - return ""; - } - -+#configure lua based on some known installation prefix -+sub config_lua { -+ my $base = shift; -+ @libsuffix = ( ".so", "40.so", ".a", "40.a" ); -+ -+ $x{lua_h} = "$base/include/lua.h"; -+ $x{lualib_h} = "$base/include/lualib.h"; -+ $x{liblua} = search_suffix("$base/lib/liblua", @libsuffix); -+ $x{liblualib} = search_suffix("$base/lib/liblualib", @libsuffix); -+ $x{lua_inc} = "-I$base/include"; -+ $x{lua_lib} = "-L$base/lib/"; -+ $x{lua_libs} = "-llua -llualib"; -+} -+ - - # - # compile and run a small C program to find out about architecture -@@ -183,6 +213,8 @@ - - ./configure [options] - -+ --with-lua=/lua/path lua is installed in /lua/path the default -+ is to search for standard locations - --prefix=/usr/local install into the /usr/local hierarchy which - is also the default - -h, --help this summary -@@ -224,15 +256,15 @@ - # We start from here with reading the command line - # ------------------------------------------------------------------ - -+open (LOG, ">$configure_log") || die "cannot write configure.log: $!"; -+ - foreach (@ARGV) { - if (/^--?prefix=(.*)$/) { $x{prefix}=$1 } - elsif (/^--?h(elp?)$/) { usage(); exit 0 } -+ elsif (/^--?with-lua=(.*)$/) { config_lua($1) } - else { usage(); exit 1 } - } - -- --open (LOG, ">$configure_log") || die "cannot write configure.log: $!"; -- - # check for various executables and versions. Only update variable if - # it is not already set. - # -diff -ur qc--20060131.orig/doc/mkfile qc--20060131/doc/mkfile ---- qc--20060131.orig/doc/mkfile 2005-11-07 01:41:21.000000000 +0100 -+++ qc--20060131/doc/mkfile 2006-02-02 00:38:00.000000000 +0100 -@@ -92,7 +92,7 @@ - # and accessible from Lua as This.manual. - - qc--.man:D: qc--.1 -- GROFF_NO_SGR=1 nroff -man -Tascii qc--.1 | ul -t dump > $target -+ GROFF_NO_SGR=1 nroff -man -Tascii qc--.1 > $target - - release.tex:D: release.nw - noweave -delay $prereq > $target -diff -ur qc--20060131.orig/mkfile qc--20060131/mkfile ---- qc--20060131.orig/mkfile 2005-07-01 22:29:52.000000000 +0200 -+++ qc--20060131/mkfile 2006-02-02 19:15:53.000000000 +0100 -@@ -97,7 +97,7 @@ - cd test2 && NPROC=1 mk $MKFLAGS all - - test.opt:V: all.opt -- cd test2 && NPROC=1 mk QC=../bin/qc--.opt $MKFLAGS all -+ cd test2 && NPROC=1 mk $MKFLAGS QC=../bin/qc--.opt all - - coverage: test2/ocamlprof.dump - rm -f $target diff --git a/pkgs/development/compilers/squeak/default.nix b/pkgs/development/compilers/squeak/default.nix index 8aa980b72e6..69529ab762b 100644 --- a/pkgs/development/compilers/squeak/default.nix +++ b/pkgs/development/compilers/squeak/default.nix @@ -27,6 +27,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "Smalltalk programming language and environment"; longDescription = '' diff --git a/pkgs/development/compilers/strategoxt/0.16.nix b/pkgs/development/compilers/strategoxt/0.16.nix deleted file mode 100644 index 4cfa2c79892..00000000000 --- a/pkgs/development/compilers/strategoxt/0.16.nix +++ /dev/null @@ -1,47 +0,0 @@ -{stdenv, fetchurl, aterm, pkgconfig, getopt}: - -rec { - - inherit aterm; - - - sdf = stdenv.mkDerivation rec { - name = "sdf2-bundle-2.3.3"; - - src = fetchurl { - url = ftp://ftp.stratego-language.org/pub/stratego/sdf2/sdf2-bundle-2.3.3/sdf2-bundle-2.3.3.tar.gz; - md5 = "62ecabe5fbb8bbe043ee18470107ef88"; - }; - - buildInputs = [pkgconfig aterm getopt]; - - preConfigure = '' - substituteInPlace pgen/src/sdf2table.src \ - --replace getopt ${getopt}/bin/getopt - ''; - - meta = { - homepage = http://www.program-transformation.org/Sdf/SdfBundle; - meta = "Tools for the SDF2 Syntax Definition Formalism, including the `pgen' parser generator and `sglr' parser"; - }; - }; - - - strategoxt = stdenv.mkDerivation { - name = "strategoxt-0.16"; - - src = fetchurl { - url = ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.16/strategoxt-0.16.tar.gz; - md5 = "8b8eabbd785faa84ec20134b63d4829e"; - }; - - buildInputs = [pkgconfig aterm sdf getopt]; - - meta = { - homepage = http://strategoxt.org/; - meta = "A language and toolset for program transformation"; - }; - }; - - -} diff --git a/pkgs/development/compilers/strategoxt/0.17.nix b/pkgs/development/compilers/strategoxt/0.17.nix deleted file mode 100644 index d621cbf5f0c..00000000000 --- a/pkgs/development/compilers/strategoxt/0.17.nix +++ /dev/null @@ -1,112 +0,0 @@ -{stdenv, fetchurl, aterm, pkgconfig, getopt, jdk, readline, ncurses}: - -rec { - - inherit aterm; - - - sdf = stdenv.mkDerivation ( rec { - name = "sdf2-bundle-2.4"; - - src = fetchurl { - url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/sdf2-bundle-2.4.tar.gz"; - sha256 = "2ec83151173378f48a3326e905d11049d094bf9f0c7cff781bc2fce0f3afbc11"; - }; - - buildInputs = [pkgconfig aterm]; - - preConfigure = '' - substituteInPlace pgen/src/sdf2table.src \ - --replace getopt ${getopt}/bin/getopt - ''; - - meta = { - homepage = http://www.program-transformation.org/Sdf/SdfBundle; - meta = "Tools for the SDF2 Syntax Definition Formalism, including the `pgen' parser generator and `sglr' parser"; - }; - } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2 -Wl,--stack=0x2300000"; } else {} ) ) ; - - - strategoxt = stdenv.mkDerivation rec { - name = "strategoxt-0.17"; - - src = fetchurl { - url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/strategoxt-0.17.tar.gz"; - sha256 = "70355576c3ce3c5a8a26435705a49cf7d13e91eada974a654534d63e0d34acdb"; - }; - - buildInputs = [pkgconfig aterm sdf getopt]; - - meta = { - homepage = http://strategoxt.org/; - meta = "A language and toolset for program transformation"; - }; - }; - - strategoShell = stdenv.mkDerivation rec { - name = "stratego-shell-0.7"; - - src = fetchurl { - url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/stratego-shell-0.7.tar.gz"; - sha256 = "0q21vks9gaw9v4rxz90wb0pxzb19l7gwi4nbjvk4zb1imdk7znck"; - }; - - buildInputs = [pkgconfig aterm sdf strategoxt getopt readline ncurses]; - - meta = { - homepage = http://strategoxt.org/; - meta = "A language and toolset for program transformation"; - }; - }; - - - javafront = stdenv.mkDerivation (rec { - name = "java-front-0.9"; - - src = fetchurl { - url = "ftp://ftp.strategoxt.org/pub/stratego/java-front/java-front-0.9/java-front-0.9.tar.gz"; - sha256 = "96f40bf31486d3ced3ecebdcc0067e83ce6acbdbe57e3c847136ac3d7b62cc3c"; - }; - - buildInputs = [pkgconfig aterm sdf strategoxt]; - - # !!! The explicit `--with-strategoxt' is necessary; otherwise we - # get an XTC registration that refers to "/share/strategoxt/XTC". - configureFlags = "--enable-xtc --with-strategoxt=${strategoxt}"; - - meta = { - homepage = http://strategoxt.org/Stratego/JavaFront; - meta = "Tools for generating or transforming Java code"; - }; - } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2"; } else {} ) ) ; - - - dryad = stdenv.mkDerivation rec { - name = "dryad-0.2pre18355"; - - src = fetchurl { - url = "http://releases.strategoxt.org/dryad/${name}-zbqfh1rm/dryad-0.2pre18355.tar.gz"; - sha256 = "2c27b7f82f87ffc27b75969acc365560651275d348b3b5cbb530276d20ae83ab"; - }; - - buildInputs = [jdk pkgconfig aterm sdf strategoxt javafront]; - - meta = { - homepage = http://strategoxt.org/Stratego/TheDryad; - meta = "A collection of tools for developing transformation systems for Java source and bytecode"; - }; - }; - - - /* - libraries = ... { - configureFlags = - if stdenv ? isMinGW && stdenv.isMinGW then "--with-std=C99" else ""; - - # avoids loads of warnings about too big description fields because of a broken debug format - CFLAGS = - if stdenv ? isMinGW && stdenv.isMinGW then "-O2" else null; - }; - */ - -} diff --git a/pkgs/development/compilers/strategoxt/0.18.nix b/pkgs/development/compilers/strategoxt/0.18.nix deleted file mode 100644 index 611586c5d93..00000000000 --- a/pkgs/development/compilers/strategoxt/0.18.nix +++ /dev/null @@ -1,124 +0,0 @@ -{stdenv, fetchurl, aterm, pkgconfig, getopt, jdk, makeStaticBinaries, readline, ncurses}: - -rec { - - inherit aterm; - - sdf = stdenv.mkDerivation ( rec { - name = "sdf2-bundle-2.4"; - - src = fetchurl { - url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/sdf2-bundle-2.4.tar.gz"; - sha256 = "2ec83151173378f48a3326e905d11049d094bf9f0c7cff781bc2fce0f3afbc11"; - }; - - buildInputs = [pkgconfig aterm]; - - preConfigure = '' - substituteInPlace pgen/src/sdf2table.src \ - --replace getopt ${getopt}/bin/getopt - ''; - - meta = { - homepage = http://www.program-transformation.org/Sdf/SdfBundle; - meta = "Tools for the SDF2 Syntax Definition Formalism, including the `pgen' parser generator and `sglr' parser"; - }; - } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2 -Wl,--stack=0x2300000"; } else {} ) ) ; - - - strategoxt = stdenv.mkDerivation rec { - name = "strategoxt-1.8pre24429"; - - src = fetchurl { - url = http://hydra.nixos.org/build/2175544/download/1/strategoxt-1.8pre24429.tar.gz; - sha256 = "124f1d61a440b94c38b731c2e7015340dbbc1deb6d442b31dbecb46b0a00fa83"; - }; - - buildInputs = [pkgconfig aterm sdf getopt]; - - meta = { - homepage = http://strategoxt.org/; - meta = "A language and toolset for program transformation"; - }; - }; - - strategoShell = stdenv.mkDerivation rec { - name = "stratego-shell-0.7"; - - src = fetchurl { - url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/stratego-shell-0.7.tar.gz"; - sha256 = "0q21vks9gaw9v4rxz90wb0pxzb19l7gwi4nbjvk4zb1imdk7znck"; - }; - - buildInputs = [pkgconfig aterm sdf strategoxt getopt readline ncurses]; - - meta = { - homepage = http://strategoxt.org/; - meta = "A language and toolset for program transformation"; - broken = true; - }; - }; - - javafront = stdenv.mkDerivation (rec { - name = "java-front-0.9.1pre20122"; - - src = fetchurl { - url = "http://hydra.nixos.org/build/766286/download/1/java-front-0.9.1pre20122.tar.gz"; - sha256 = "ef85d3af962fcd54e028ea501e64220b86af335a49143f2819bd3f4789bef7e6"; - }; - - buildInputs = [pkgconfig aterm sdf strategoxt]; - - # !!! The explicit `--with-strategoxt' is necessary; otherwise we - # get an XTC registration that refers to "/share/strategoxt/XTC". - configureFlags = "--enable-xtc --with-strategoxt=${strategoxt}"; - - meta = { - homepage = http://strategoxt.org/Stratego/JavaFront; - meta = "Tools for generating or transforming Java code"; - }; - } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2"; } else {} ) ) ; - - - aspectjfront = stdenv.mkDerivation (rec { - name = "aspectj-front-0.2pre20035"; - - src = fetchurl { - url = "http://hydra.nixos.org/build/175690/download/1/aspectj-front-0.2pre20035.tar.gz"; - sha256 = "48f6cda6f9f19436e9553e8d27e6bb42500d08370332e3ad214affb49851e58e"; - }; - - buildInputs = [pkgconfig aterm sdf strategoxt javafront]; - - } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2"; } else {} ) ) ; - - dryad = stdenv.mkDerivation rec { - name = "dryad-0.2pre18355"; - - src = fetchurl { - url = "http://releases.strategoxt.org/dryad/${name}-zbqfh1rm/dryad-0.2pre18355.tar.gz"; - sha256 = "2c27b7f82f87ffc27b75969acc365560651275d348b3b5cbb530276d20ae83ab"; - }; - - buildInputs = [jdk pkgconfig aterm sdf strategoxt javafront]; - - meta = { - homepage = http://strategoxt.org/Stratego/TheDryad; - meta = "A collection of tools for developing transformation systems for Java source and bytecode"; - broken = true; - }; - }; - - - /* - libraries = ... { - configureFlags = - if stdenv ? isMinGW && stdenv.isMinGW then "--with-std=C99" else ""; - - # avoids loads of warnings about too big description fields because of a broken debug format - CFLAGS = - if stdenv ? isMinGW && stdenv.isMinGW then "-O2" else null; - }; - */ - -} diff --git a/pkgs/development/compilers/swi-prolog/default.nix b/pkgs/development/compilers/swi-prolog/default.nix index 1f38198b30b..954ef692462 100644 --- a/pkgs/development/compilers/swi-prolog/default.nix +++ b/pkgs/development/compilers/swi-prolog/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation { buildInputs = [ gmp readline openssl libjpeg unixODBC libXinerama libXft libXpm libSM libXt zlib freetype pkgconfig fontconfig ]; + hardeningDisable = [ "format" ]; + configureFlags = "--with-world --enable-gmp --enable-shared"; buildFlags = "world"; diff --git a/pkgs/development/compilers/teyjus/default.nix b/pkgs/development/compilers/teyjus/default.nix index b16b32a6a06..301915b7a26 100644 --- a/pkgs/development/compilers/teyjus/default.nix +++ b/pkgs/development/compilers/teyjus/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation { buildInputs = [ omake ocaml flex bison ]; + hardeningDisable = [ "format" ]; + buildPhase = "omake all"; checkPhase = "omake check"; diff --git a/pkgs/development/compilers/tinycc/default.nix b/pkgs/development/compilers/tinycc/default.nix index fbadb9d7436..40e4d49d51e 100644 --- a/pkgs/development/compilers/tinycc/default.nix +++ b/pkgs/development/compilers/tinycc/default.nix @@ -18,6 +18,8 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ perl texinfo ]; + hardeningDisable = [ "fortify" ]; + postPatch = '' substituteInPlace "texi2pod.pl" \ --replace "/usr/bin/perl" "${perl}/bin/perl" diff --git a/pkgs/development/compilers/webdsl/default.nix b/pkgs/development/compilers/webdsl/default.nix deleted file mode 100644 index a0122319aed..00000000000 --- a/pkgs/development/compilers/webdsl/default.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ stdenv, fetchurl, pkgconfig, strategoPackages }: - -stdenv.mkDerivation rec { - name = "webdsl-9.7pre4168"; - - src = fetchurl { - url = "http://hydra.nixos.org/build/654196/download/1/${name}.tar.gz"; - sha256 = "08bec3ba02254ec7474ce70206b7be4390fe07456cfc57d927d96a21dd6dcb33"; - }; - - buildInputs = - [ pkgconfig strategoPackages.aterm strategoPackages.sdf - strategoPackages.strategoxt strategoPackages.javafront - ]; - - # This corrected a failing build on at least one 64 bit Linux system. - # See the comment about this here: http://webdsl.org/selectpage/Download/WebDSLOnLinux - preBuild = (if stdenv.system == "x86_64-linux" then "ulimit -s unlimited" else ""); - - meta = { - homepage = http://webdsl.org/; - description = "A domain-specific language for developing dynamic web applications with a rich data model"; - }; -} diff --git a/pkgs/development/compilers/wla-dx/default.nix b/pkgs/development/compilers/wla-dx/default.nix index 535868bee3b..f91c555b6b9 100644 --- a/pkgs/development/compilers/wla-dx/default.nix +++ b/pkgs/development/compilers/wla-dx/default.nix @@ -2,16 +2,21 @@ stdenv.mkDerivation rec { name = "wla-dx-git-2016-02-27"; + src = fetchFromGitHub { owner = "vhelin"; repo = "wla-dx"; rev = "8189fe8d5620584ea16563875ff3c5430527c86a"; sha256 = "02zgkcyfx7y8j6jvyi12lm29fydnd7m3rxv6g2psv23fyzmpkkir"; }; + + hardeningDisable = [ "format" ]; + installPhase = '' mkdir -p $out/bin install binaries/* $out/bin ''; + nativeBuildInputs = [ cmake ]; meta = with stdenv.lib; { diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix index b824a06bd68..16944c2d5a3 100644 --- a/pkgs/development/haskell-modules/configuration-common.nix +++ b/pkgs/development/haskell-modules/configuration-common.nix @@ -42,7 +42,10 @@ self: super: { options_1_2 = dontCheck super.options_1_2; options = dontCheck super.options; statistics = dontCheck super.statistics; - c2hs = if pkgs.stdenv.isDarwin then dontCheck super.c2hs else super.c2hs; + c2hs = dontCheck super.c2hs; + epanet-haskell = super.epanet-haskell.overrideDerivation (drv: { + hardeningDisable = [ "format" ]; + }); # Use the default version of mysql to build this package (which is actually mariadb). mysql = super.mysql.override { mysql = pkgs.mysql.lib; }; @@ -236,7 +239,9 @@ self: super: { gio_0_13_0_3 = addPkgconfigDepend super.gio_0_13_0_3 pkgs.glib; gio_0_13_0_4 = addPkgconfigDepend super.gio_0_13_0_4 pkgs.glib; gio_0_13_1_0 = addPkgconfigDepend super.gio_0_13_1_0 pkgs.glib; - glib = addPkgconfigDepend super.glib pkgs.glib; + glib = pkgs.lib.overrideDerivation (addPkgconfigDepend super.glib pkgs.glib) (drv: { + hardeningDisable = [ "fortify" ]; + }); gtk3 = super.gtk3.override { inherit (pkgs) gtk3; }; gtk = addPkgconfigDepend super.gtk pkgs.gtk; gtksourceview2 = (addPkgconfigDepend super.gtksourceview2 pkgs.gtk2).override { inherit (pkgs.gnome2) gtksourceview; }; @@ -433,7 +438,9 @@ self: super: { lensref = dontCheck super.lensref; liquidhaskell = dontCheck super.liquidhaskell; lucid = dontCheck super.lucid; #https://github.com/chrisdone/lucid/issues/25 - lvmrun = dontCheck super.lvmrun; + lvmrun = pkgs.lib.overrideDerivation (dontCheck super.lvmrun) (drv: { + hardeningDisable = [ "format" ]; + }); memcache = dontCheck super.memcache; milena = dontCheck super.milena; nats-queue = dontCheck super.nats-queue; diff --git a/pkgs/development/interpreters/clisp/2.44.1.nix b/pkgs/development/interpreters/clisp/2.44.1.nix index 682978a5ac8..b7b329ea956 100644 --- a/pkgs/development/interpreters/clisp/2.44.1.nix +++ b/pkgs/development/interpreters/clisp/2.44.1.nix @@ -1,11 +1,11 @@ { stdenv, fetchurl, libsigsegv, gettext, ncurses, readline, libX11 , libXau, libXt, pcre, zlib, libXpm, xproto, libXext, xextproto , libffi, libffcall, coreutils }: - + stdenv.mkDerivation rec { v = "2.44.1"; name = "clisp-${v}"; - + src = fetchurl { url = "mirror://gnu/clisp/release/${v}/${name}.tar.gz"; sha256 = "0rkp6j6rih4s5d9acifh7pi4b9xfgcspif512l269dqy9qgyy4j1"; @@ -16,7 +16,7 @@ stdenv.mkDerivation rec { zlib libXpm xproto libXext xextproto libffi libffcall ]; patches = [ ./bits_ipctypes_to_sys_ipc.patch ]; # from Gentoo - + # First, replace port 9090 (rather low, can be used) # with 64237 (much higher, IANA private area, not # anything rememberable). @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { substituteInPlace modules/bindings/glibc/linux.lisp --replace "(def-c-type __swblk_t)" "" ''; - + configureFlags = '' --with-readline builddir --with-dynamic-ffi @@ -45,6 +45,8 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = "-O0 ${stdenv.lib.optionalString (!stdenv.is64bit) "-falign-functions=4"}"; + hardeningDisable = [ "format" ]; + # TODO : make mod-check fails doCheck = false; diff --git a/pkgs/development/interpreters/erlang/R14.nix b/pkgs/development/interpreters/erlang/R14.nix new file mode 100644 index 00000000000..cf4355a38e1 --- /dev/null +++ b/pkgs/development/interpreters/erlang/R14.nix @@ -0,0 +1,65 @@ +{ stdenv, fetchurl, perl, gnum4, ncurses, openssl +, makeWrapper, gnused, gawk }: + +let version = "14B04"; in + +stdenv.mkDerivation { + name = "erlang-" + version; + + src = fetchurl { + url = "http://www.erlang.org/download/otp_src_R${version}.tar.gz"; + sha256 = "0vlvjlg8vzcy6inb4vj00bnj0aarvpchzxwhmi492nv31s8kb6q9"; + }; + + buildInputs = [ perl gnum4 ncurses openssl makeWrapper ]; + + patchPhase = '' sed -i "s@/bin/rm@rm@" lib/odbc/configure erts/configure ''; + + preConfigure = '' + export HOME=$PWD/../ + sed -e s@/bin/pwd@pwd@g -i otp_build + ''; + + configureFlags = "--with-ssl=${openssl}"; + + hardeningDisable = [ "format" ]; + + postInstall = let + manpages = fetchurl { + url = "http://www.erlang.org/download/otp_doc_man_R${version}.tar.gz"; + sha256 = "1nh7l7wilyyaxvlwkjxgm3cq7wpd90sk6vxhgpvg7hwai8g52545"; + }; + in '' + tar xf "${manpages}" -C "$out/lib/erlang" + for i in "$out"/lib/erlang/man/man[0-9]/*.[0-9]; do + prefix="''${i%/*}" + ensureDir "$out/share/man/''${prefix##*/}" + ln -s "$i" "$out/share/man/''${prefix##*/}/''${i##*/}erl" + done + ''; + + # Some erlang bin/ scripts run sed and awk + postFixup = '' + wrapProgram $out/lib/erlang/bin/erl --prefix PATH ":" "${gnused}/bin/" + wrapProgram $out/lib/erlang/bin/start_erl --prefix PATH ":" "${gnused}/bin/:${gawk}/bin" + ''; + + setupHook = ./setup-hook.sh; + + meta = { + homepage = "http://www.erlang.org/"; + description = "Programming language used for massively scalable soft real-time systems"; + + longDescription = '' + Erlang is a programming language used to build massively scalable + soft real-time systems with requirements on high availability. + Some of its uses are in telecoms, banking, e-commerce, computer + telephony and instant messaging. Erlang's runtime system has + built-in support for concurrency, distribution and fault + tolerance. + ''; + + platforms = stdenv.lib.platforms.linux; + maintainers = [ stdenv.lib.maintainers.simons ]; + }; +} diff --git a/pkgs/development/interpreters/lua-4/default.nix b/pkgs/development/interpreters/lua-4/default.nix index 2d216389bd7..d6f385f5b50 100644 --- a/pkgs/development/interpreters/lua-4/default.nix +++ b/pkgs/development/interpreters/lua-4/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation { buildFlags = "all so sobin"; installFlags = "INSTALL_ROOT=$$out"; + hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector"; + meta = { homepage = "http://www.lua.org"; description = "Powerful, fast, lightweight, embeddable scripting language"; diff --git a/pkgs/development/interpreters/lua-5/sec.nix b/pkgs/development/interpreters/lua-5/sec.nix index 08eb1c89308..7af17ae200c 100644 --- a/pkgs/development/interpreters/lua-5/sec.nix +++ b/pkgs/development/interpreters/lua-5/sec.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ lua5 openssl ]; + hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector"; + preBuild = '' makeFlagsArray=( linux diff --git a/pkgs/development/interpreters/lush/default.nix b/pkgs/development/interpreters/lush/default.nix index 63cf85bc506..dcfdc11c7a9 100644 --- a/pkgs/development/interpreters/lush/default.nix +++ b/pkgs/development/interpreters/lush/default.nix @@ -1,32 +1,29 @@ {stdenv, fetchurl, libX11, xproto, indent, readline, gsl, freeglut, mesa, SDL , blas, binutils, intltool, gettext, zlib}: -let - s = # Generated upstream information - rec { - baseName="lush"; - version="2.0.1"; - name="${baseName}-${version}"; - hash="02pkfn3nqdkm9fm44911dbcz0v3r0l53vygj8xigl6id5g3iwi4k"; + +stdenv.mkDerivation rec { + baseName = "lush"; + version = "2.0.1"; + name = "${baseName}-${version}"; + + src = fetchurl { url="mirror://sourceforge/project/lush/lush2/lush-2.0.1.tar.gz"; sha256="02pkfn3nqdkm9fm44911dbcz0v3r0l53vygj8xigl6id5g3iwi4k"; }; + buildInputs = [ libX11 xproto indent readline gsl freeglut mesa SDL blas binutils intltool gettext zlib ]; -in -stdenv.mkDerivation { - inherit (s) name version; - inherit buildInputs; - src = fetchurl { - inherit (s) url sha256; - }; + + hardeningDisable = [ "pic" ]; + NIX_LDFLAGS=" -lz "; + meta = { - inherit (s) version; - description = ''Lisp Universal SHell''; + description = "Lisp Universal SHell"; license = stdenv.lib.licenses.gpl2Plus ; - maintainers = [stdenv.lib.maintainers.raskin]; + maintainers = [ stdenv.lib.maintainers.raskin ]; platforms = stdenv.lib.platforms.linux; }; } diff --git a/pkgs/development/interpreters/perl/default.nix b/pkgs/development/interpreters/perl/default.nix index f8565b9637a..18494708d52 100644 --- a/pkgs/development/interpreters/perl/default.nix +++ b/pkgs/development/interpreters/perl/default.nix @@ -68,6 +68,9 @@ let enableParallelBuilding = true; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + preConfigure = '' configureFlags="$configureFlags -Dprefix=$out -Dman1dir=$out/share/man/man1 -Dman3dir=$out/share/man/man3" diff --git a/pkgs/development/interpreters/php/default.nix b/pkgs/development/interpreters/php/default.nix index a618fd85d71..e5b0d37a737 100644 --- a/pkgs/development/interpreters/php/default.nix +++ b/pkgs/development/interpreters/php/default.nix @@ -255,6 +255,8 @@ let calendarSupport = config.php.calendar or true; }; + hardeningDisable = [ "bindnow" ]; + configurePhase = '' # Don't record the configure flags since this causes unnecessary # runtime dependencies. diff --git a/pkgs/development/interpreters/ruby/patchsets.nix b/pkgs/development/interpreters/ruby/patchsets.nix index ded72b8695e..4231623f892 100644 --- a/pkgs/development/interpreters/ruby/patchsets.nix +++ b/pkgs/development/interpreters/ruby/patchsets.nix @@ -3,6 +3,7 @@ rec { "1.9.3" = [ ./ssl_v3.patch + ./rand-egd.patch ./ruby19-parallel-install.patch ./bitperfect-rdoc.patch ] ++ ops useRailsExpress [ @@ -28,6 +29,7 @@ rec { ]; "2.0.0" = [ ./ssl_v3.patch + ./rand-egd.patch ] ++ ops useRailsExpress [ "${patchSet}/patches/ruby/2.0.0/p${patchLevel}/railsexpress/01-zero-broken-tests.patch" "${patchSet}/patches/ruby/2.0.0/p${patchLevel}/railsexpress/02-railsexpress-gc.patch" @@ -36,6 +38,7 @@ rec { ]; "2.1.7" = [ ./ssl_v3.patch + ./rand-egd.patch ] ++ ops useRailsExpress [ "${patchSet}/patches/ruby/2.1.7/railsexpress/01-zero-broken-tests.patch" "${patchSet}/patches/ruby/2.1.7/railsexpress/02-improve-gc-stats.patch" @@ -49,6 +52,7 @@ rec { ]; "2.2.3" = [ ./ssl_v3.patch + ./ruby22-rand-egd.patch ] ++ ops useRailsExpress [ "${patchSet}/patches/ruby/2.2.3/railsexpress/01-zero-broken-tests.patch" "${patchSet}/patches/ruby/2.2.3/railsexpress/02-improve-gc-stats.patch" diff --git a/pkgs/development/interpreters/ruby/rand-egd.patch b/pkgs/development/interpreters/ruby/rand-egd.patch new file mode 100644 index 00000000000..e4f6452000c --- /dev/null +++ b/pkgs/development/interpreters/ruby/rand-egd.patch @@ -0,0 +1,42 @@ +diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb +index e272cba..3a1fa71 100644 +--- a/ext/openssl/extconf.rb ++++ b/ext/openssl/extconf.rb +@@ -87,6 +87,7 @@ + have_func("PEM_def_callback") + have_func("PKCS5_PBKDF2_HMAC") + have_func("PKCS5_PBKDF2_HMAC_SHA1") ++have_func("RAND_egd") + have_func("X509V3_set_nconf") + have_func("X509V3_EXT_nconf_nid") + have_func("X509_CRL_add0_revoked") +diff --git a/ext/openssl/ossl_rand.c b/ext/openssl/ossl_rand.c +index 29cbf8c..27466fe 100644 +--- a/ext/openssl/ossl_rand.c ++++ b/ext/openssl/ossl_rand.c +@@ -148,6 +148,7 @@ ossl_rand_pseudo_bytes(VALUE self, VALUE len) + return str; + } + ++#ifdef HAVE_RAND_EGD + /* + * call-seq: + * egd(filename) -> true +@@ -186,6 +187,7 @@ ossl_rand_egd_bytes(VALUE self, VALUE filename, VALUE len) + } + return Qtrue; + } ++#endif /* HAVE_RAND_EGD */ + + /* + * call-seq: +@@ -219,7 +221,9 @@ Init_ossl_rand(void) + DEFMETH(mRandom, "write_random_file", ossl_rand_write_file, 1); + DEFMETH(mRandom, "random_bytes", ossl_rand_bytes, 1); + DEFMETH(mRandom, "pseudo_bytes", ossl_rand_pseudo_bytes, 1); ++#ifdef HAVE_RAND_EGD + DEFMETH(mRandom, "egd", ossl_rand_egd, 1); + DEFMETH(mRandom, "egd_bytes", ossl_rand_egd_bytes, 2); ++#endif /* HAVE_RAND_EGD */ + DEFMETH(mRandom, "status?", ossl_rand_status, 0) + } diff --git a/pkgs/development/interpreters/ruby/ruby22-rand-egd.patch b/pkgs/development/interpreters/ruby/ruby22-rand-egd.patch new file mode 100644 index 00000000000..ebf2bf56fcf --- /dev/null +++ b/pkgs/development/interpreters/ruby/ruby22-rand-egd.patch @@ -0,0 +1,42 @@ +diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb +index e272cba..3a1fa71 100644 +--- a/ext/openssl/extconf.rb ++++ b/ext/openssl/extconf.rb +@@ -87,6 +87,7 @@ + have_func("PEM_def_callback") + have_func("PKCS5_PBKDF2_HMAC") + have_func("PKCS5_PBKDF2_HMAC_SHA1") ++have_func("RAND_egd") + have_func("X509V3_set_nconf") + have_func("X509V3_EXT_nconf_nid") + have_func("X509_CRL_add0_revoked") +diff --git a/ext/openssl/ossl_rand.c b/ext/openssl/ossl_rand.c +index 29cbf8c..27466fe 100644 +--- a/ext/openssl/ossl_rand.c ++++ b/ext/openssl/ossl_rand.c +@@ -148,6 +148,7 @@ ossl_rand_pseudo_bytes(VALUE self, VALUE len) + return str; + } + ++#ifdef HAVE_RAND_EGD + /* + * call-seq: + * egd(filename) -> true +@@ -186,6 +187,7 @@ ossl_rand_egd_bytes(VALUE self, VALUE filename, VALUE len) + } + return Qtrue; + } ++#endif /* HAVE_RAND_EGD */ + + /* + * call-seq: +@@ -219,8 +221,10 @@ Init_ossl_rand(void) + rb_define_module_function(mRandom, "write_random_file", ossl_rand_write_file, 1); + rb_define_module_function(mRandom, "random_bytes", ossl_rand_bytes, 1); + rb_define_module_function(mRandom, "pseudo_bytes", ossl_rand_pseudo_bytes, 1); ++#ifdef HAVE_RAND_EGD + rb_define_module_function(mRandom, "egd", ossl_rand_egd, 1); + rb_define_module_function(mRandom, "egd_bytes", ossl_rand_egd_bytes, 2); ++#endif /* HAVE_RAND_EGD */ + rb_define_module_function(mRandom, "status?", ossl_rand_status, 0); + } diff --git a/pkgs/development/interpreters/spidermonkey/default.nix b/pkgs/development/interpreters/spidermonkey/default.nix index b7744ea53c3..fdd8209407c 100644 --- a/pkgs/development/interpreters/spidermonkey/default.nix +++ b/pkgs/development/interpreters/spidermonkey/default.nix @@ -8,6 +8,9 @@ stdenv.mkDerivation rec { sha256 = "12v6v2ccw1y6ng3kny3xw0lfs58d1klylqq707k0x04m707kydj4"; }; + hardeningDisable = [ "format" ] + ++ stdenv.lib.optional stdenv.isi686 "stackprotector"; + buildInputs = [ readline ]; postUnpack = "sourceRoot=\${sourceRoot}/src"; diff --git a/pkgs/development/interpreters/supercollider/default.nix b/pkgs/development/interpreters/supercollider/default.nix index f44347c61b7..c1a4c17707c 100644 --- a/pkgs/development/interpreters/supercollider/default.nix +++ b/pkgs/development/interpreters/supercollider/default.nix @@ -3,10 +3,10 @@ , libXt, qt, readline , useSCEL ? false, emacs }: - + let optional = stdenv.lib.optional; in -stdenv.mkDerivation rec { +stdenv.mkDerivation rec { name = "supercollider-3.6.6"; meta = { @@ -21,6 +21,8 @@ stdenv.mkDerivation rec { sha256 = "11khrv6jchs0vv0lv43am8lp0x1rr3h6l2xj9dmwrxcpdayfbalr"; }; + hardeningDisable = [ "stackprotector" ]; + # QGtkStyle unavailable patchPhase = '' substituteInPlace editors/sc-ide/widgets/code_editor/autocompleter.cpp \ @@ -29,12 +31,12 @@ stdenv.mkDerivation rec { cmakeFlags = '' -DSC_WII=OFF - -DSC_EL=${if useSCEL then "ON" else "OFF"} + -DSC_EL=${if useSCEL then "ON" else "OFF"} ''; nativeBuildInputs = [ cmake pkgconfig ]; - buildInputs = [ + buildInputs = [ gcc libjack2 libsndfile fftw curl libXt qt readline ] ++ optional useSCEL emacs; } diff --git a/pkgs/development/libraries/CoinMP/default.nix b/pkgs/development/libraries/CoinMP/default.nix index e819078f786..079c0a5cf6f 100644 --- a/pkgs/development/libraries/CoinMP/default.nix +++ b/pkgs/development/libraries/CoinMP/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "0gqi2vqkg35gazzzv8asnhihchnbjcd6bzjfzqhmj7wy1dw9iiw6"; }; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { homepage = https://projects.coin-or.org/CoinMP/; description = "COIN-OR lightweight API for COIN-OR libraries CLP, CBC, and CGL"; diff --git a/pkgs/development/libraries/a52dec/default.nix b/pkgs/development/libraries/a52dec/default.nix index 7d5c5fab393..5a47d50284f 100644 --- a/pkgs/development/libraries/a52dec/default.nix +++ b/pkgs/development/libraries/a52dec/default.nix @@ -8,8 +8,6 @@ stdenv.mkDerivation rec { sha256 = "0czccp4fcpf2ykp16xcrzdfmnircz1ynhls334q374xknd5747d2"; }; - NIX_CFLAGS_COMPILE = "-fpic"; - # From Handbrake patches = [ ./A00-a52-state-t-public.patch diff --git a/pkgs/development/libraries/accelio/default.nix b/pkgs/development/libraries/accelio/default.nix index 76c5cf32bbd..002b26078f5 100644 --- a/pkgs/development/libraries/accelio/default.nix +++ b/pkgs/development/libraries/accelio/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { sha256 = "172frqk2n43g0arhazgcwfvj0syf861vdzdpxl7idr142bb0ykf7"; }; + hardeningDisable = [ "format" "pic" ]; + patches = [ ./fix-printfs.patch ]; postPatch = '' diff --git a/pkgs/development/libraries/allegro/default.nix b/pkgs/development/libraries/allegro/default.nix index deb3a6877e8..997a8d22305 100644 --- a/pkgs/development/libraries/allegro/default.nix +++ b/pkgs/development/libraries/allegro/default.nix @@ -18,6 +18,8 @@ stdenv.mkDerivation rec { xf86dgaproto xf86miscproto xf86vidmodeproto libXxf86vm openal mesa ]; + hardeningDisable = [ "format" ]; + cmakeFlags = [ "-DCMAKE_SKIP_RPATH=ON" ]; meta = with stdenv.lib; { diff --git a/pkgs/development/libraries/aterm/2.5.nix b/pkgs/development/libraries/aterm/2.5.nix deleted file mode 100644 index c1bbbb0ae5a..00000000000 --- a/pkgs/development/libraries/aterm/2.5.nix +++ /dev/null @@ -1,34 +0,0 @@ -{stdenv, fetchurl}: - -stdenv.mkDerivation { - name = "aterm-2.5-r21238"; - - src = fetchurl { - url = http://buildfarm.st.ewi.tudelft.nl/releases/meta-environment/aterm-2.5pre21238-l2q7rg38/aterm-2.5.tar.gz; - md5 = "33ddcb1a229baf406ad1f603eb1d5995"; - }; - - patches = [ - # Fix for http://bugzilla.sen.cwi.nl:8080/show_bug.cgi?id=841 - ./max-long.patch - - # Patch the ATerm header files so that they don't rely on - # SIZEOF_LONG, SIZEOF_INT and SIZEOF_VOID_P being set. - ./sizeof.patch - ]; - - doCheck = true; - - dontDisableStatic = true; - - NIX_CFLAGS_COMPILE = "-D__USE_BSD"; - - meta = { - homepage = http://www.cwi.nl/htbin/sen1/twiki/bin/view/SEN1/ATerm; - license = "LGPL"; - description = "Library for manipulation of term data structures in C"; - platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin; - maintainers = [ stdenv.lib.maintainers.eelco ]; - broken = true; - }; -} diff --git a/pkgs/development/libraries/aterm/max-long.patch b/pkgs/development/libraries/aterm/max-long.patch deleted file mode 100644 index a2f260b970b..00000000000 --- a/pkgs/development/libraries/aterm/max-long.patch +++ /dev/null @@ -1,77 +0,0 @@ -diff -rc aterm-2.8-orig/aterm/hash.c aterm-2.8/aterm/hash.c -*** aterm-2.8-orig/aterm/hash.c 2008-11-10 13:54:22.000000000 +0100 ---- aterm-2.8/aterm/hash.c 2009-01-27 18:14:14.000000000 +0100 -*************** -*** 93,146 **** - } - - /*}}} */ -- /*{{{ static long calc_long_max() */ -- static long calc_long_max() -- { -- long try_long_max; -- long long_max; -- long delta; -- -- try_long_max = 1; -- do { -- long_max = try_long_max; -- try_long_max = long_max * 2; -- } while (try_long_max > 0); -- -- delta = long_max; -- while (delta > 1) { -- while (long_max + delta < 0) { -- delta /= 2; -- } -- long_max += delta; -- } -- -- return long_max; -- -- } -- /*}}} */ - /*{{{ static long calculateNewSize(sizeMinus1, nrdel, nrentries) */ - - static long calculateNewSize - (long sizeMinus1, long nr_deletions, long nr_entries) - { -- -- /* Hack: LONG_MAX (limits.h) is often unreliable, we need to find -- * out the maximum possible value of a signed long dynamically. -- */ -- static long st_long_max = 0; -- -- /* the resulting length has the form 2^k-1 */ -- - if (nr_deletions >= nr_entries/2) { - return sizeMinus1; - } - -! if (st_long_max == 0) { -! st_long_max = calc_long_max(); -! } -! -! if (sizeMinus1 > st_long_max / 2) { -! return st_long_max-1; - } - - return (2*sizeMinus1)+1; ---- 93,109 ---- - } - - /*}}} */ - /*{{{ static long calculateNewSize(sizeMinus1, nrdel, nrentries) */ - - static long calculateNewSize - (long sizeMinus1, long nr_deletions, long nr_entries) - { - if (nr_deletions >= nr_entries/2) { - return sizeMinus1; - } - -! if (sizeMinus1 > LONG_MAX / 2) { -! return LONG_MAX-1; - } - - return (2*sizeMinus1)+1; diff --git a/pkgs/development/libraries/aterm/sizeof.patch b/pkgs/development/libraries/aterm/sizeof.patch deleted file mode 100644 index 2649cc56491..00000000000 --- a/pkgs/development/libraries/aterm/sizeof.patch +++ /dev/null @@ -1,56 +0,0 @@ -diff -rc -x '*~' aterm-2.5-orig/aterm/aterm.c aterm-2.5/aterm/aterm.c -*** aterm-2.5-orig/aterm/aterm.c 2007-02-27 23:41:31.000000000 +0100 ---- aterm-2.5/aterm/aterm.c 2010-02-23 15:10:38.000000000 +0100 -*************** -*** 150,155 **** ---- 150,157 ---- - if (initialized) - return; - -+ assert(sizeof(long) == sizeof(void *)); -+ - /*{{{ Handle arguments */ - - for (lcv=1; lcv < argc; lcv++) { -diff -rc -x '*~' aterm-2.5-orig/aterm/encoding.h aterm-2.5/aterm/encoding.h -*** aterm-2.5-orig/aterm/encoding.h 2007-02-27 23:41:31.000000000 +0100 ---- aterm-2.5/aterm/encoding.h 2010-02-23 15:36:05.000000000 +0100 -*************** -*** 10,24 **** - { - #endif/* __cplusplus */ - -! #if SIZEOF_LONG > 4 -! #define AT_64BIT - #endif - -! #if SIZEOF_LONG != SIZEOF_VOID_P -! #error Size of long is not the same as the size of a pointer - #endif - -! #if SIZEOF_INT > 4 - #error Size of int is not 32 bits - #endif - ---- 10,30 ---- - { - #endif/* __cplusplus */ - -! #include <limits.h> -! -! #ifndef SIZEOF_LONG -! #if ULONG_MAX > 4294967295 -! #define SIZEOF_LONG 8 -! #else -! #define SIZEOF_LONG 4 -! #endif - #endif - -! #if SIZEOF_LONG > 4 -! #define AT_64BIT - #endif - -! #if UINT_MAX > 4294967295 - #error Size of int is not 32 bits - #endif - diff --git a/pkgs/development/libraries/audio/libbs2b/default.nix b/pkgs/development/libraries/audio/libbs2b/default.nix index e43a5acb6bd..7195110b0bb 100644 --- a/pkgs/development/libraries/audio/libbs2b/default.nix +++ b/pkgs/development/libraries/audio/libbs2b/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libsndfile ]; + hardeningDisable = [ "format" ]; + meta = { homepage = "http://bs2b.sourceforge.net/"; description = "Bauer stereophonic-to-binaural DSP library"; diff --git a/pkgs/development/libraries/cgui/default.nix b/pkgs/development/libraries/cgui/default.nix index 0f117862236..da9d1122cc5 100644 --- a/pkgs/development/libraries/cgui/default.nix +++ b/pkgs/development/libraries/cgui/default.nix @@ -12,10 +12,11 @@ stdenv.mkDerivation rec { buildInputs = [ texinfo allegro perl ]; configurePhase = '' - export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -fPIC" sh fix.sh unix ''; + hardeningDisable = [ "format" ]; + makeFlags = [ "SYSTEM_DIR=$(out)" ]; meta = with stdenv.lib; { diff --git a/pkgs/development/libraries/cloog/0.18.0.nix b/pkgs/development/libraries/cloog/0.18.0.nix index ccd93828319..359bde2e058 100644 --- a/pkgs/development/libraries/cloog/0.18.0.nix +++ b/pkgs/development/libraries/cloog/0.18.0.nix @@ -18,6 +18,9 @@ stdenv.mkDerivation rec { doCheck = true; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + meta = { description = "Library that generates loops for scanning polyhedra"; diff --git a/pkgs/development/libraries/cwiid/default.nix b/pkgs/development/libraries/cwiid/default.nix index a86bdc8e035..5af34145197 100644 --- a/pkgs/development/libraries/cwiid/default.nix +++ b/pkgs/development/libraries/cwiid/default.nix @@ -1,26 +1,34 @@ { stdenv, autoreconfHook, fetchgit, bison, flex, bluez, pkgconfig, gtk }: stdenv.mkDerivation rec { - name = "cwiid-2010-02-21-git"; - src = fetchgit { - url = https://github.com/abstrakraft/cwiid; - sha256 = "6f5355d036dab017da713c49d3042011fa24fb732ed0d5ee338ab6f5ff400f06"; - rev = "fadf11e89b579bcc0336a0692ac15c93785f3f82"; - }; - configureFlags = "--without-python"; - prePatch = '' - sed -i -e '/$(LDCONFIG)/d' common/include/lib.mak.in - ''; - buildInputs = [ autoreconfHook bison flex bluez pkgconfig gtk ]; - postInstall = '' - # Some programs (for example, cabal-install) have problems with the double 0 - sed -i -e "s/0.6.00/0.6.0/" $out/lib/pkgconfig/cwiid.pc - ''; - meta = { - description = "Linux Nintendo Wiimote interface"; - homepage = http://cwiid.org; - license = stdenv.lib.licenses.gpl2Plus; - maintainers = [ stdenv.lib.maintainers.bennofs ]; - platforms = stdenv.lib.platforms.linux; - }; + name = "cwiid-2010-02-21-git"; + + src = fetchgit { + url = https://github.com/abstrakraft/cwiid; + sha256 = "6f5355d036dab017da713c49d3042011fa24fb732ed0d5ee338ab6f5ff400f06"; + rev = "fadf11e89b579bcc0336a0692ac15c93785f3f82"; + }; + + hardeningDisable = [ "format" ]; + + configureFlags = "--without-python"; + + prePatch = '' + sed -i -e '/$(LDCONFIG)/d' common/include/lib.mak.in + ''; + + buildInputs = [ autoreconfHook bison flex bluez pkgconfig gtk ]; + + postInstall = '' + # Some programs (for example, cabal-install) have problems with the double 0 + sed -i -e "s/0.6.00/0.6.0/" $out/lib/pkgconfig/cwiid.pc + ''; + + meta = { + description = "Linux Nintendo Wiimote interface"; + homepage = http://cwiid.org; + license = stdenv.lib.licenses.gpl2Plus; + maintainers = [ stdenv.lib.maintainers.bennofs ]; + platforms = stdenv.lib.platforms.linux; + }; } diff --git a/pkgs/development/libraries/db/db-4.4.nix b/pkgs/development/libraries/db/db-4.4.nix index 757b1f71405..00875d73f41 100644 --- a/pkgs/development/libraries/db/db-4.4.nix +++ b/pkgs/development/libraries/db/db-4.4.nix @@ -5,4 +5,5 @@ import ./generic.nix (args // rec { extraPatches = [ ./cygwin-4.4.patch ]; sha256 = "0y9vsq8dkarx1mhhip1vaciz6imbbyv37c1dm8b20l7p064bg2i9"; branch = "4.4"; + drvArgs = { hardeningDisable = [ "format" ]; }; }) diff --git a/pkgs/development/libraries/db/db-4.5.nix b/pkgs/development/libraries/db/db-4.5.nix index b1e4b2c4708..84b5ea67420 100644 --- a/pkgs/development/libraries/db/db-4.5.nix +++ b/pkgs/development/libraries/db/db-4.5.nix @@ -5,4 +5,5 @@ import ./generic.nix (args // rec { extraPatches = [ ./cygwin-4.5.patch ./register-race-fix.patch ]; sha256 = "0bd81k0qv5i8w5gbddrvld45xi9k1gvmcrfm0393v0lrm37dab7m"; branch = "4.5"; + drvArgs = { hardeningDisable = [ "format" ]; }; }) diff --git a/pkgs/development/libraries/db/db-4.7.nix b/pkgs/development/libraries/db/db-4.7.nix index 9a7d586cd04..6016d112d51 100644 --- a/pkgs/development/libraries/db/db-4.7.nix +++ b/pkgs/development/libraries/db/db-4.7.nix @@ -4,4 +4,5 @@ import ./generic.nix (args // rec { version = "4.7.25"; sha256 = "0gi667v9cw22c03hddd6xd6374l0pczsd56b7pba25c9sdnxjkzi"; branch = "4.7"; + drvArgs = { hardeningDisable = [ "format" ]; }; }) diff --git a/pkgs/development/libraries/db/db-4.8.nix b/pkgs/development/libraries/db/db-4.8.nix index 6a161b0b72d..40869a865ae 100644 --- a/pkgs/development/libraries/db/db-4.8.nix +++ b/pkgs/development/libraries/db/db-4.8.nix @@ -5,4 +5,5 @@ import ./generic.nix (args // rec { extraPatches = [ ./clang-4.8.patch ]; sha256 = "0ampbl2f0hb1nix195kz1syrqqxpmvnvnfvphambj7xjrl3iljg0"; branch = "4.8"; + drvArgs = { hardeningDisable = [ "format" ]; }; }) diff --git a/pkgs/development/libraries/db/generic.nix b/pkgs/development/libraries/db/generic.nix index f5ee4e440ff..fdc828effdf 100644 --- a/pkgs/development/libraries/db/generic.nix +++ b/pkgs/development/libraries/db/generic.nix @@ -7,9 +7,10 @@ , extraPatches ? [ ] , license ? stdenv.lib.licenses.sleepycat , branch ? null +, drvArgs ? {} }: -stdenv.mkDerivation rec { +stdenv.mkDerivation (rec { name = "db-${version}"; src = fetchurl { @@ -42,4 +43,4 @@ stdenv.mkDerivation rec { platforms = platforms.unix; branch = branch; }; -} +} // drvArgs) diff --git a/pkgs/development/libraries/faac/default.nix b/pkgs/development/libraries/faac/default.nix index 802aafc444c..1ab01033f4d 100644 --- a/pkgs/development/libraries/faac/default.nix +++ b/pkgs/development/libraries/faac/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { ++ optional mp4v2Support "--with-mp4v2" ++ optional drmSupport "--enable-drm"; + hardeningDisable = [ "format" ]; + buildInputs = [ ] ++ optional mp4v2Support mp4v2; diff --git a/pkgs/development/libraries/fox/default.nix b/pkgs/development/libraries/fox/default.nix index 2d44444ab40..d47a028cbf8 100644 --- a/pkgs/development/libraries/fox/default.nix +++ b/pkgs/development/libraries/fox/default.nix @@ -18,6 +18,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "format" ]; + meta = { description = "C++ based class library for building Graphical User Interfaces"; longDescription = '' diff --git a/pkgs/development/libraries/fox/fox-1.6.nix b/pkgs/development/libraries/fox/fox-1.6.nix index 3c823adf91b..ce778e4a347 100644 --- a/pkgs/development/libraries/fox/fox-1.6.nix +++ b/pkgs/development/libraries/fox/fox-1.6.nix @@ -20,6 +20,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "format" ]; + meta = { branch = "1.6"; description = "A C++ based class library for building Graphical User Interfaces"; diff --git a/pkgs/development/libraries/freetds/default.nix b/pkgs/development/libraries/freetds/default.nix index 695abcfbba2..3ed308a3492 100644 --- a/pkgs/development/libraries/freetds/default.nix +++ b/pkgs/development/libraries/freetds/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "0r946axzxs0czsmr7283w7vmk5jx3jnxxc32d2ncxsrsh2yli0ba"; }; + hardeningDisable = [ "format" ]; + buildInputs = stdenv.lib.optional odbcSupport [ unixODBC ]; configureFlags = stdenv.lib.optionalString odbcSupport "--with-odbc=${unixODBC}"; diff --git a/pkgs/development/libraries/fribidi/default.nix b/pkgs/development/libraries/fribidi/default.nix index 23795e9633e..d138015e6bb 100644 --- a/pkgs/development/libraries/fribidi/default.nix +++ b/pkgs/development/libraries/fribidi/default.nix @@ -3,12 +3,14 @@ stdenv.mkDerivation rec { name = "fribidi-${version}"; version = "0.19.6"; - + src = fetchurl { url = "http://fribidi.org/download/${name}.tar.bz2"; sha256 = "0zg1hpaml34ny74fif97j7ngrshlkl3wk3nja3gmlzl17i1bga6b"; }; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { homepage = http://fribidi.org/; description = "GNU implementation of the Unicode Bidirectional Algorithm (bidi)"; diff --git a/pkgs/development/libraries/gd/default.nix b/pkgs/development/libraries/gd/default.nix index 7c3c53626b5..b581bce24b1 100644 --- a/pkgs/development/libraries/gd/default.nix +++ b/pkgs/development/libraries/gd/default.nix @@ -2,16 +2,18 @@ stdenv.mkDerivation { name = "gd-2.0.35"; - + src = fetchurl { url = http://www.libgd.org/releases/gd-2.0.35.tar.bz2; sha256 = "1y80lcmb8qbzf0a28841zxhq9ndfapmh2fsrqfd9lalxfj8288mz"; }; - + buildInputs = [zlib libpng freetype]; propagatedBuildInputs = [libjpeg fontconfig]; # urgh + hardeningDisable = [ "format" ]; + configureFlags = "--without-x"; meta = { diff --git a/pkgs/development/libraries/gdal/default.nix b/pkgs/development/libraries/gdal/default.nix index 1607387160d..8f00bee8911 100644 --- a/pkgs/development/libraries/gdal/default.nix +++ b/pkgs/development/libraries/gdal/default.nix @@ -18,6 +18,8 @@ composableDerivation.composableDerivation {} (fixed: rec { ++ (with pythonPackages; [ python numpy wrapPython ]) ++ (stdenv.lib.optionals netcdfSupport [ netcdf hdf5 curl ]); + hardeningDisable = [ "format" ]; + patches = [ # This ensures that the python package is installed into gdal's prefix, # rather than trying to install into python's prefix. diff --git a/pkgs/development/libraries/gdal/gdal-1_11.nix b/pkgs/development/libraries/gdal/gdal-1_11.nix index 0e4b4d03541..2640159725a 100644 --- a/pkgs/development/libraries/gdal/gdal-1_11.nix +++ b/pkgs/development/libraries/gdal/gdal-1_11.nix @@ -19,6 +19,8 @@ composableDerivation.composableDerivation {} (fixed: rec { ./python.patch ]; + hardeningDisable = [ "format" ]; + # Don't use optimization for gcc >= 4.3. That's said to be causing segfaults. # Unset CC and CXX as they confuse libtool. preConfigure = "export CFLAGS=-O0 CXXFLAGS=-O0; unset CC CXX"; diff --git a/pkgs/development/libraries/gdome2/default.nix b/pkgs/development/libraries/gdome2/default.nix index cc8f76949ee..e9643da221e 100644 --- a/pkgs/development/libraries/gdome2/default.nix +++ b/pkgs/development/libraries/gdome2/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation { sha256 = "0hyms5s3hziajp3qbwdwqjc2xcyhb783damqg8wxjpwfxyi81fzl"; }; + hardeningDisable = [ "format" ]; + buildInputs = [pkgconfig glib libxml2 gtkdoc]; propagatedBuildInputs = [glib libxml2]; patches = [ ./xml-document.patch ]; diff --git a/pkgs/development/libraries/geoclue/default.nix b/pkgs/development/libraries/geoclue/default.nix index 1b703e2fdba..754c85ecf03 100644 --- a/pkgs/development/libraries/geoclue/default.nix +++ b/pkgs/development/libraries/geoclue/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [dbus glib dbus_glib]; + hardeningDisable = [ "format" ]; + preConfigure = '' sed -e '/-Werror/d' -i configure ''; diff --git a/pkgs/development/libraries/gettext/default.nix b/pkgs/development/libraries/gettext/default.nix index 940df56c03c..b75e85cbea5 100644 --- a/pkgs/development/libraries/gettext/default.nix +++ b/pkgs/development/libraries/gettext/default.nix @@ -12,6 +12,9 @@ stdenv.mkDerivation rec { outputs = [ "out" "doc" ]; + # FIXME stackprotector needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "format" "stackprotector" ]; + LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else ""; configureFlags = [ "--disable-csharp" "--with-xz" ] diff --git a/pkgs/development/libraries/giflib/4.1.nix b/pkgs/development/libraries/giflib/4.1.nix index 13cd1c79b6a..59204e7e7e5 100644 --- a/pkgs/development/libraries/giflib/4.1.nix +++ b/pkgs/development/libraries/giflib/4.1.nix @@ -2,10 +2,14 @@ stdenv.mkDerivation { name = "giflib-4.1.6"; + src = fetchurl { url = mirror://sourceforge/giflib/giflib-4.1.6.tar.bz2; sha256 = "1v9b7ywz7qg8hli0s9vv1b8q9xxb2xvqq2mg1zpr73xwqpcwxhg1"; }; + + hardeningDisable = [ "format" ]; + meta = { branch = "4.1"; }; diff --git a/pkgs/development/libraries/giflib/libungif.nix b/pkgs/development/libraries/giflib/libungif.nix index ca2d0945722..123cfca1b82 100644 --- a/pkgs/development/libraries/giflib/libungif.nix +++ b/pkgs/development/libraries/giflib/libungif.nix @@ -6,5 +6,7 @@ stdenv.mkDerivation { url = mirror://sourceforge/giflib/libungif-4.1.4.tar.gz; sha256 = "5e65e1e5deacd0cde489900dbf54c6c2ee2ebc818199e720dbad685d87abda3d"; }; + + hardeningDisable = [ "format" ]; } diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix index 80fc2ce1e93..a164c21890e 100644 --- a/pkgs/development/libraries/glibc/default.nix +++ b/pkgs/development/libraries/glibc/default.nix @@ -19,6 +19,8 @@ in builder = ./builder.sh; + hardeningDisable = [ "stackprotector" "fortify" ]; + # When building glibc from bootstrap-tools, we need libgcc_s at RPATH for # any program we run, because the gcc will have been placed at a new # store path than that determined when built (as a source for the diff --git a/pkgs/development/libraries/gmp/5.1.x.nix b/pkgs/development/libraries/gmp/5.1.x.nix index 0768df60a79..ad3f0da981f 100644 --- a/pkgs/development/libraries/gmp/5.1.x.nix +++ b/pkgs/development/libraries/gmp/5.1.x.nix @@ -14,6 +14,9 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ m4 ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "format" "stackprotector" ]; + patches = if stdenv.isDarwin then [ ./need-size-t.patch ] else null; configureFlags = diff --git a/pkgs/development/libraries/gnu-efi/default.nix b/pkgs/development/libraries/gnu-efi/default.nix index e674aae2b58..e2861a880c8 100644 --- a/pkgs/development/libraries/gnu-efi/default.nix +++ b/pkgs/development/libraries/gnu-efi/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ pciutils ]; + hardeningDisable = [ "stackprotector" ]; + makeFlags = [ "PREFIX=\${out}" "CC=gcc" diff --git a/pkgs/development/libraries/gsm/default.nix b/pkgs/development/libraries/gsm/default.nix index fb9ff8eb0fb..42d36b8406e 100644 --- a/pkgs/development/libraries/gsm/default.nix +++ b/pkgs/development/libraries/gsm/default.nix @@ -41,8 +41,6 @@ stdenv.mkDerivation rec { preInstall = "mkdir -p $out/{bin,lib,man/man1,man/man3,include/gsm}"; - NIX_CFLAGS_COMPILE = optional (!staticSupport) "-fPIC"; - parallelBuild = false; meta = with stdenv.lib; { diff --git a/pkgs/development/libraries/gstreamer/legacy/gst-python/default.nix b/pkgs/development/libraries/gstreamer/legacy/gst-python/default.nix index 889f55e5000..c8f928ec452 100644 --- a/pkgs/development/libraries/gstreamer/legacy/gst-python/default.nix +++ b/pkgs/development/libraries/gstreamer/legacy/gst-python/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { sha256 = "0y1i4n5m1diljqr9dsq12anwazrhbs70jziich47gkdwllcza9lg"; }; + hardeningDisable = [ "bindnow" ]; + # Need to disable the testFake test case due to bug in pygobject. # See https://bugzilla.gnome.org/show_bug.cgi?id=692479 patches = [ ./disable-testFake.patch ]; diff --git a/pkgs/development/libraries/hspell/default.nix b/pkgs/development/libraries/hspell/default.nix index 9b44d12c293..eebd105a00d 100644 --- a/pkgs/development/libraries/hspell/default.nix +++ b/pkgs/development/libraries/hspell/default.nix @@ -16,8 +16,6 @@ stdenv.mkDerivation rec { patchPhase = ''patchShebangs .''; buildInputs = [ perl zlib ]; - makeFlags = "CFLAGS=-fPIC"; - meta = { description = "Hebrew spell checker"; homepage = http://hspell.ivrix.org.il/; diff --git a/pkgs/development/libraries/hunspell/default.nix b/pkgs/development/libraries/hunspell/default.nix index 0d0ff38fb47..d48c598dd92 100644 --- a/pkgs/development/libraries/hunspell/default.nix +++ b/pkgs/development/libraries/hunspell/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses readline ]; configureFlags = [ "--with-ui" "--with-readline" ]; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { homepage = http://hunspell.sourceforge.net; description = "Spell checker"; diff --git a/pkgs/development/libraries/isl/0.14.1.nix b/pkgs/development/libraries/isl/0.14.1.nix index 8196dec283a..77ba20cbb20 100644 --- a/pkgs/development/libraries/isl/0.14.1.nix +++ b/pkgs/development/libraries/isl/0.14.1.nix @@ -12,6 +12,9 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + meta = { homepage = http://www.kotnet.org/~skimo/isl/; license = stdenv.lib.licenses.lgpl21; diff --git a/pkgs/development/libraries/itk/default.nix b/pkgs/development/libraries/itk/default.nix index 7b4e3834af7..eda9434ab65 100644 --- a/pkgs/development/libraries/itk/default.nix +++ b/pkgs/development/libraries/itk/default.nix @@ -12,7 +12,6 @@ stdenv.mkDerivation rec { "-DBUILD_TESTING=OFF" "-DBUILD_EXAMPLES=OFF" "-DBUILD_SHARED_LIBS=ON" - "-DCMAKE_CXX_FLAGS=-fPIC" ]; enableParallelBuilding = true; diff --git a/pkgs/development/libraries/java/swt/default.nix b/pkgs/development/libraries/java/swt/default.nix index e91c8bbca7b..e45121032d5 100644 --- a/pkgs/development/libraries/java/swt/default.nix +++ b/pkgs/development/libraries/java/swt/default.nix @@ -23,6 +23,8 @@ in stdenv.mkDerivation rec { fullVersion = "${version}-201202080800"; name = "swt-${version}"; + hardeningDisable = [ "format" ]; + # Alas, the Eclipse Project apparently doesn't produce source-only # releases of SWT. So we just grab a binary release and extract # "src.zip" from that. diff --git a/pkgs/development/libraries/libdnet/default.nix b/pkgs/development/libraries/libdnet/default.nix index 8911539d7b0..dbda4107c48 100644 --- a/pkgs/development/libraries/libdnet/default.nix +++ b/pkgs/development/libraries/libdnet/default.nix @@ -12,8 +12,6 @@ stdenv.mkDerivation { buildInputs = [ automake autoconf libtool ]; - CFLAGS="-fPIC"; - # .so endings are missing (quick and dirty fix) postInstall = '' for i in $out/lib/*; do diff --git a/pkgs/development/libraries/libelf/default.nix b/pkgs/development/libraries/libelf/default.nix index 623256bb6b7..515e0c32ee1 100644 --- a/pkgs/development/libraries/libelf/default.nix +++ b/pkgs/development/libraries/libelf/default.nix @@ -9,7 +9,10 @@ stdenv.mkDerivation rec { }; doCheck = true; - + + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + # For cross-compiling, native glibc is needed for the "gencat" program. crossAttrs = { nativeBuildInputs = [ glibc ]; diff --git a/pkgs/development/libraries/libf2c/default.nix b/pkgs/development/libraries/libf2c/default.nix index 3123bb33d45..0d9d89589ff 100644 --- a/pkgs/development/libraries/libf2c/default.nix +++ b/pkgs/development/libraries/libf2c/default.nix @@ -2,7 +2,7 @@ stdenv.mkDerivation rec { name = "libf2c-20100903"; - + src = fetchurl { url = http://www.netlib.org/f2c/libf2c.zip; sha256 = "1mcp1lh7gay7hm186dr0wvwd2bc05xydhnc1qy3dqs4n3r102g7i"; @@ -24,6 +24,8 @@ stdenv.mkDerivation rec { buildInputs = [ unzip ]; + hardeningDisable = [ "format" ]; + meta = { description = "F2c converts Fortran 77 source code to C"; homepage = http://www.netlib.org/f2c/; diff --git a/pkgs/development/libraries/libgeotiff/default.nix b/pkgs/development/libraries/libgeotiff/default.nix index d07aae3ab80..d30ea6e5324 100644 --- a/pkgs/development/libraries/libgeotiff/default.nix +++ b/pkgs/development/libraries/libgeotiff/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { buildInputs = [ libtiff ]; + hardeningDisable = [ "format" ]; + meta = { description = "Library implementing attempt to create a tiff based interchange format for georeferenced raster imagery"; homepage = http://www.remotesensing.org/geotiff/geotiff.html; diff --git a/pkgs/development/libraries/libgphoto2/default.nix b/pkgs/development/libraries/libgphoto2/default.nix index 55129a94476..6912c02260d 100644 --- a/pkgs/development/libraries/libgphoto2/default.nix +++ b/pkgs/development/libraries/libgphoto2/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { # These are mentioned in the Requires line of libgphoto's pkg-config file. propagatedBuildInputs = [ libexif ]; + hardeningDisable = [ "format" ]; + meta = { homepage = http://www.gphoto.org/proj/libgphoto2/; description = "A library for accessing digital cameras"; diff --git a/pkgs/development/libraries/libidn/default.nix b/pkgs/development/libraries/libidn/default.nix index b16dc835741..e49a85942d7 100644 --- a/pkgs/development/libraries/libidn/default.nix +++ b/pkgs/development/libraries/libidn/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { doCheck = ! stdenv.isDarwin; + hardeningDisable = [ "format" ]; + buildInputs = stdenv.lib.optional stdenv.isDarwin libiconv; meta = { diff --git a/pkgs/development/libraries/libmpc/default.nix b/pkgs/development/libraries/libmpc/default.nix index 2a4600f5204..0d3c9c0997c 100644 --- a/pkgs/development/libraries/libmpc/default.nix +++ b/pkgs/development/libraries/libmpc/default.nix @@ -16,6 +16,9 @@ stdenv.mkDerivation rec { doCheck = true; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + meta = { description = "Library for multiprecision complex arithmetic with exact rounding"; diff --git a/pkgs/development/libraries/librsync/0.9.nix b/pkgs/development/libraries/librsync/0.9.nix index 76daf7d748b..5f249582610 100644 --- a/pkgs/development/libraries/librsync/0.9.nix +++ b/pkgs/development/libraries/librsync/0.9.nix @@ -1,13 +1,15 @@ -{stdenv, fetchurl}: +{ stdenv, fetchurl }: stdenv.mkDerivation { name = "librsync-0.9.7"; - + src = fetchurl { url = mirror://sourceforge/librsync/librsync-0.9.7.tar.gz; sha256 = "1mj1pj99mgf1a59q9f2mxjli2fzxpnf55233pc1klxk2arhf8cv6"; }; + hardeningDisable = [ "format" ]; + configureFlags = if stdenv.isCygwin then "--enable-static" else "--enable-shared"; crossAttrs = { diff --git a/pkgs/development/libraries/libunwind/default.nix b/pkgs/development/libraries/libunwind/default.nix index da09e2fcbe2..7eea905f64a 100644 --- a/pkgs/development/libraries/libunwind/default.nix +++ b/pkgs/development/libraries/libunwind/default.nix @@ -24,7 +24,6 @@ stdenv.mkDerivation rec { propagatedBuildInputs = [ xz ]; - NIX_CFLAGS_COMPILE = if stdenv.system == "x86_64-linux" then "-fPIC" else ""; preInstall = '' mkdir -p "$out/lib" touch "$out/lib/libunwind-generic.so" diff --git a/pkgs/development/libraries/libvisual/default.nix b/pkgs/development/libraries/libvisual/default.nix index dc2f0338b48..50a1f5ac337 100644 --- a/pkgs/development/libraries/libvisual/default.nix +++ b/pkgs/development/libraries/libvisual/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig glib ]; + hardeningDisable = [ "format" ]; + meta = { description = "An abstraction library for audio visualisations"; homepage = "http://sourceforge.net/projects/libvisual/"; diff --git a/pkgs/development/libraries/libyaml-cpp/default.nix b/pkgs/development/libraries/libyaml-cpp/default.nix index f56bf77abfe..1ba31a7a6d5 100644 --- a/pkgs/development/libraries/libyaml-cpp/default.nix +++ b/pkgs/development/libraries/libyaml-cpp/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchurl, cmake, boost, makePIC ? false }: +{ stdenv, fetchurl, cmake, boost }: stdenv.mkDerivation { name = "libyaml-cpp-0.5.1"; @@ -10,8 +10,6 @@ stdenv.mkDerivation { buildInputs = [ cmake boost ]; - cmakeFlags = stdenv.lib.optionals makePIC [ "-DCMAKE_C_FLAGS=-fPIC" "-DCMAKE_CXX_FLAGS=-fPIC" ]; - meta = with stdenv.lib; { homepage = http://code.google.com/p/yaml-cpp/; description = "A YAML parser and emitter for C++"; diff --git a/pkgs/development/libraries/mailcore2/default.nix b/pkgs/development/libraries/mailcore2/default.nix index f535b19bd0e..4259e52510b 100644 --- a/pkgs/development/libraries/mailcore2/default.nix +++ b/pkgs/development/libraries/mailcore2/default.nix @@ -26,7 +26,6 @@ stdenv.mkDerivation rec { --replace "/usr/include/libxml2" "${libxml2.dev}/include/libxml2" substituteInPlace src/core/basetypes/MCHTMLCleaner.cpp \ --replace buffio.h tidybuffio.h ->>>>>>> master ''; cmakeFlags = [ diff --git a/pkgs/development/libraries/mp4v2/default.nix b/pkgs/development/libraries/mp4v2/default.nix index 06e8c8e5ac3..ab3c3ed8c5a 100644 --- a/pkgs/development/libraries/mp4v2/default.nix +++ b/pkgs/development/libraries/mp4v2/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation rec { # `faac' expects `mp4.h'. postInstall = "ln -s mp4v2/mp4v2.h $out/include/mp4.h"; + hardeningDisable = [ "format" ]; + meta = { homepage = http://code.google.com/p/mp4v2; maintainers = [ stdenv.lib.maintainers.urkud ]; diff --git a/pkgs/development/libraries/mpfr/default.nix b/pkgs/development/libraries/mpfr/default.nix index 8a964af01c8..882e0ec4faa 100644 --- a/pkgs/development/libraries/mpfr/default.nix +++ b/pkgs/development/libraries/mpfr/default.nix @@ -15,6 +15,9 @@ stdenv.mkDerivation rec { # mpfr.h requires gmp.h propagatedBuildInputs = [ gmp ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + configureFlags = stdenv.lib.optional stdenv.isSunOS "--disable-thread-safe" ++ stdenv.lib.optional stdenv.is64bit "--with-pic"; diff --git a/pkgs/development/libraries/nvidia-texture-tools/default.nix b/pkgs/development/libraries/nvidia-texture-tools/default.nix index 754ab4233e5..f35d363e575 100644 --- a/pkgs/development/libraries/nvidia-texture-tools/default.nix +++ b/pkgs/development/libraries/nvidia-texture-tools/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { buildInputs = [ cmake libpng ilmbase libtiff zlib libjpeg mesa libX11 ]; + hardeningDisable = [ "format" ]; + patchPhase = '' # Fix build due to missing dependnecies. echo 'target_link_libraries(bc7 nvmath)' >> src/nvtt/bc7/CMakeLists.txt diff --git a/pkgs/development/libraries/opencascade/6.5.nix b/pkgs/development/libraries/opencascade/6.5.nix index 4228c285dfd..86ab85cbb9a 100644 --- a/pkgs/development/libraries/opencascade/6.5.nix +++ b/pkgs/development/libraries/opencascade/6.5.nix @@ -26,6 +26,8 @@ stdenv.mkDerivation rec { # https://bugs.freedesktop.org/show_bug.cgi?id=83631 + " -DGLX_GLXEXT_LEGACY"; + hardeningDisable = [ "format" ]; + configureFlags = [ "--with-tcl=${tcl}/lib" "--with-tk=${tk}/lib" "--with-qt=${qt4}" "--with-ftgl=${ftgl}" "--with-freetype=${freetype}" ]; postInstall = '' diff --git a/pkgs/development/libraries/opencascade/default.nix b/pkgs/development/libraries/opencascade/default.nix index ec15d9d631e..79c24be7514 100644 --- a/pkgs/development/libraries/opencascade/default.nix +++ b/pkgs/development/libraries/opencascade/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation rec { # https://bugs.freedesktop.org/show_bug.cgi?id=83631 NIX_CFLAGS_COMPILE = "-DGLX_GLXEXT_LEGACY"; + hardeningDisable = [ "format" ]; + postInstall = '' mv $out/inc $out/include mkdir -p $out/share/doc/${name} diff --git a/pkgs/development/libraries/opencv/3.x.nix b/pkgs/development/libraries/opencv/3.x.nix index 4a58ae43bb7..4f0ed3cd0ea 100644 --- a/pkgs/development/libraries/opencv/3.x.nix +++ b/pkgs/development/libraries/opencv/3.x.nix @@ -49,6 +49,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "bindnow" "relro" ]; + meta = { description = "Open Computer Vision Library with more than 500 algorithms"; homepage = http://opencv.org/; diff --git a/pkgs/development/libraries/opencv/default.nix b/pkgs/development/libraries/opencv/default.nix index 4ce1787dbac..4259e9d4d69 100644 --- a/pkgs/development/libraries/opencv/default.nix +++ b/pkgs/development/libraries/opencv/default.nix @@ -20,6 +20,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "bindnow" "relro" ]; + meta = { description = "Open Computer Vision Library with more than 500 algorithms"; homepage = http://opencv.org/; diff --git a/pkgs/development/libraries/pdf2xml/default.nix b/pkgs/development/libraries/pdf2xml/default.nix index 4ebb0cbcc26..2431bfafa71 100644 --- a/pkgs/development/libraries/pdf2xml/default.nix +++ b/pkgs/development/libraries/pdf2xml/default.nix @@ -2,20 +2,22 @@ stdenv.mkDerivation { name = "pdf2xml"; - + src = fetchurl { url = http://tarballs.nixos.org/pdf2xml.tar.gz; sha256 = "04rl7ppxqgnvxvvws669cxp478lnrdmiqj0g3m4p69bawfjc4z3w"; }; sourceRoot = "pdf2xml/pdf2xml"; - + buildInputs = [libxml2 libxpdf]; patches = [./pdf2xml.patch]; + hardeningDisable = [ "format" ]; + preBuild = '' cp Makefile.linux Makefile - + sed -i 's|/usr/include/libxml2|${libxml2.dev}/include/libxml2|' Makefile sed -i 's|-lxml2|-lxml2 -L${libxml2.out}/lib|' Makefile sed -i 's|XPDF = xpdf_3.01|XPDF = ${libxpdf}/lib|' Makefile @@ -24,7 +26,7 @@ stdenv.mkDerivation { buildFlags+=" CXX=$CXX" ''; - + installPhase = '' mkdir -p $out/bin cp exe/* $out/bin diff --git a/pkgs/development/libraries/phonon/qt5/default.nix b/pkgs/development/libraries/phonon/qt5/default.nix index fc07344d2d1..c7baeb2e340 100644 --- a/pkgs/development/libraries/phonon/qt5/default.nix +++ b/pkgs/development/libraries/phonon/qt5/default.nix @@ -20,8 +20,6 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ cmake pkgconfig ]; - NIX_CFLAGS_COMPILE = "-fPIC"; - cmakeFlags = [ "-DCMAKE_BUILD_TYPE=${if debug then "Debug" else "Release"}" "-DPHONON_BUILD_PHONON4QT5=ON" diff --git a/pkgs/development/libraries/plib/default.nix b/pkgs/development/libraries/plib/default.nix index ff60e62cad3..dc75a407e92 100644 --- a/pkgs/development/libraries/plib/default.nix +++ b/pkgs/development/libraries/plib/default.nix @@ -1,6 +1,5 @@ { fetchurl, stdenv, mesa, freeglut, SDL -, libXi, libSM, libXmu, libXext, libX11, -enablePIC ? false }: +, libXi, libSM, libXmu, libXext, libX11 }: stdenv.mkDerivation rec { name = "plib-1.8.5"; @@ -13,8 +12,6 @@ stdenv.mkDerivation rec { patches = [ ./CVE-2012-4552.patch ]; - NIX_CFLAGS_COMPILE = if enablePIC then "-fPIC" else ""; - propagatedBuildInputs = [ mesa freeglut SDL diff --git a/pkgs/development/libraries/portmidi/default.nix b/pkgs/development/libraries/portmidi/default.nix index 518eeee9253..5c056762a39 100644 --- a/pkgs/development/libraries/portmidi/default.nix +++ b/pkgs/development/libraries/portmidi/default.nix @@ -46,6 +46,8 @@ stdenv.mkDerivation rec { buildInputs = [ unzip cmake /*jdk*/ alsaLib ]; + hardeningDisable = [ "format" ]; + meta = { homepage = "http://portmedia.sourceforge.net/portmidi/"; description = "Platform independent library for MIDI I/O"; diff --git a/pkgs/development/libraries/pupnp/default.nix b/pkgs/development/libraries/pupnp/default.nix index c5e26c1dfad..ad864410b16 100644 --- a/pkgs/development/libraries/pupnp/default.nix +++ b/pkgs/development/libraries/pupnp/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0amjv4lypvclmi4vim2qdyw5xa6v4x50zjgf682vahqjc0wjn55k"; }; + hardeningDisable = [ "fortify" ]; + meta = { description = "libupnp, an open source UPnP development kit for Linux"; diff --git a/pkgs/development/libraries/qhull/default.nix b/pkgs/development/libraries/qhull/default.nix index f98c7bdb97e..f2bac09f4bc 100644 --- a/pkgs/development/libraries/qhull/default.nix +++ b/pkgs/development/libraries/qhull/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { cmakeFlags = "-DMAN_INSTALL_DIR=share/man/man1 -DDOC_INSTALL_DIR=share/doc/qhull"; + hardeningDisable = [ "format" ]; + patchPhase = stdenv.lib.optionalString stdenv.isDarwin '' sed -i 's/namespace std { struct bidirectional_iterator_tag; struct random_access_iterator_tag; }/#include <iterator>/' ./src/libqhullcpp/QhullIterator.h sed -i 's/namespace std { struct bidirectional_iterator_tag; struct random_access_iterator_tag; }/#include <iterator>/' ./src/libqhullcpp/QhullLinkedList.h diff --git a/pkgs/development/libraries/qt-3/default.nix b/pkgs/development/libraries/qt-3/default.nix index 40fa63d75ca..28271a7a0a0 100644 --- a/pkgs/development/libraries/qt-3/default.nix +++ b/pkgs/development/libraries/qt-3/default.nix @@ -32,6 +32,8 @@ stdenv.mkDerivation { nativeBuildInputs = [ which ]; propagatedBuildInputs = [libpng xlibsWrapper libXft libXrender zlib libjpeg]; + hardeningDisable = [ "format" ]; + configureFlags = " -v -system-zlib -system-libpng -system-libjpeg diff --git a/pkgs/development/libraries/qtscriptgenerator/default.nix b/pkgs/development/libraries/qtscriptgenerator/default.nix index b8ed81de487..499c6f18453 100644 --- a/pkgs/development/libraries/qtscriptgenerator/default.nix +++ b/pkgs/development/libraries/qtscriptgenerator/default.nix @@ -9,13 +9,13 @@ stdenv.mkDerivation { buildInputs = [ qt4 ]; patches = [ ./qtscriptgenerator.gcc-4.4.patch ./qt-4.8.patch ]; - + # Why isn't the author providing proper Makefile or a CMakeLists.txt ? buildPhase = '' # remove phonon stuff which causes errors (thanks to Gentoo bug reports) sed -i "/typesystem_phonon.xml/d" generator/generator.qrc - sed -i "/qtscript_phonon/d" qtbindings/qtbindings.pro - + sed -i "/qtscript_phonon/d" qtbindings/qtbindings.pro + cd generator qmake make @@ -25,13 +25,15 @@ stdenv.mkDerivation { qmake make ''; - + installPhase = '' cd .. mkdir -p $out/lib/qt4/plugins/script cp -av plugins/script/* $out/lib/qt4/plugins/script ''; + hardeningDisable = [ "format" ]; + meta = { description = "QtScript bindings generator"; homepage = http://code.google.com/p/qtscriptgenerator/; diff --git a/pkgs/development/libraries/science/math/atlas/default.nix b/pkgs/development/libraries/science/math/atlas/default.nix index 1fa48ffea91..9779af6addc 100644 --- a/pkgs/development/libraries/science/math/atlas/default.nix +++ b/pkgs/development/libraries/science/math/atlas/default.nix @@ -73,14 +73,10 @@ stdenv.mkDerivation { configureScript=../configure ''; - # * -fPIC is passed even in non-shared builds so that the ATLAS code can be - # used to inside of shared libraries, like Octave does. - # # * -t 0 disables use of multi-threading. It's not quite clear what the # consequences of that setting are and whether it's necessary or not. configureFlags = [ "-Fa alg" - "-fPIC" "-t ${threads}" cpuConfig ] ++ optional shared "--shared" diff --git a/pkgs/development/libraries/science/math/suitesparse/default.nix b/pkgs/development/libraries/science/math/suitesparse/default.nix index 7dc6c32a8db..b1cf9c83c7b 100644 --- a/pkgs/development/libraries/science/math/suitesparse/default.nix +++ b/pkgs/development/libraries/science/math/suitesparse/default.nix @@ -38,7 +38,7 @@ stdenv.mkDerivation { "LAPACK=" ]; - NIX_CFLAGS = "-fPIC" + stdenv.lib.optionalString stdenv.isDarwin " -DNTIMER"; + NIX_CFLAGS = stdenv.lib.optionalString stdenv.isDarwin " -DNTIMER"; postInstall = '' # Build and install shared library diff --git a/pkgs/development/libraries/smpeg/default.nix b/pkgs/development/libraries/smpeg/default.nix index 2f300abebbf..76788aa791b 100644 --- a/pkgs/development/libraries/smpeg/default.nix +++ b/pkgs/development/libraries/smpeg/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "format" ]; + buildInputs = [ SDL gtk mesa ]; nativeBuildInputs = [ autoconf automake libtool m4 pkgconfig makeWrapper ]; diff --git a/pkgs/development/libraries/speechd/default.nix b/pkgs/development/libraries/speechd/default.nix index 5104532ea91..94489e992a6 100644 --- a/pkgs/development/libraries/speechd/default.nix +++ b/pkgs/development/libraries/speechd/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ dotconf glib pkgconfig ]; + hardeningDisable = [ "format" ]; + meta = { description = "Common interface to speech synthesis"; diff --git a/pkgs/development/libraries/tidyp/default.nix b/pkgs/development/libraries/tidyp/default.nix index fee74f3d6f9..ba95da77b72 100644 --- a/pkgs/development/libraries/tidyp/default.nix +++ b/pkgs/development/libraries/tidyp/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0f5ky0ih4vap9c6j312jn73vn8m2bj69pl2yd3a5nmv35k9zmc10"; }; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "A program that can validate your HTML, as well as modify it to be more clean and standard"; homepage = http://tidyp.com/; diff --git a/pkgs/development/libraries/vxl/default.nix b/pkgs/development/libraries/vxl/default.nix index 725a0bdfcea..faed2052fa5 100644 --- a/pkgs/development/libraries/vxl/default.nix +++ b/pkgs/development/libraries/vxl/default.nix @@ -1,10 +1,12 @@ -{ stdenv, fetchurl, unzip, cmake, libtiff, expat, zlib, libpng, libjpeg }: +{ stdenv, fetchFromGitHub, unzip, cmake, libtiff, expat, zlib, libpng, libjpeg }: stdenv.mkDerivation { - name = "vxl-1.17.0"; + name = "vxl-1.17.0-nix1"; - src = fetchurl { - url = mirror://sourceforge/vxl/vxl-1.17.0.zip; - sha256 = "1qg7i8h201pa8jljg7vph4rlxk6n5cj9f9gd1hkkmbw6fh44lsxh"; + src = fetchFromGitHub { + owner = "vxl"; + repo = "vxl"; + rev = "777c0beb7c8b30117400f6fc9a6d63bf8cb7c67a"; + sha256 = "0xpkwwb93ka6c3da8zjhfg9jk5ssmh9ifdh1by54sz6c7mbp55m8"; }; buildInputs = [ cmake unzip libtiff expat zlib libpng libjpeg ]; diff --git a/pkgs/development/libraries/wvstreams/default.nix b/pkgs/development/libraries/wvstreams/default.nix index b879cf37a31..ecfc9b88a0e 100644 --- a/pkgs/development/libraries/wvstreams/default.nix +++ b/pkgs/development/libraries/wvstreams/default.nix @@ -1,4 +1,4 @@ -{ stdenv, gcc46, fetchurl, qt4, dbus, zlib, openssl, readline, perl }: +{ stdenv, fetchurl, qt4, dbus, zlib, openssl, readline, perl }: stdenv.mkDerivation { name = "wvstreams-4.6.1"; @@ -16,7 +16,7 @@ stdenv.mkDerivation { sed -e '1i#include <unistd.h>' -i $(find . -name '*.c' -o -name '*.cc') ''; - buildInputs = [ gcc46 qt4 dbus zlib openssl readline perl ]; + buildInputs = [ qt4 dbus zlib openssl readline perl ]; meta = { description = "Network programming library in C++"; diff --git a/pkgs/development/libraries/xmlrpc-c/default.nix b/pkgs/development/libraries/xmlrpc-c/default.nix index 56bcba8297d..0b5f08bdf9b 100644 --- a/pkgs/development/libraries/xmlrpc-c/default.nix +++ b/pkgs/development/libraries/xmlrpc-c/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { (cd tools/xmlrpc && make && make install) ''; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "A lightweight RPC library based on XML and HTTP"; homepage = http://xmlrpc-c.sourceforge.net/; diff --git a/pkgs/development/libraries/zlib/default.nix b/pkgs/development/libraries/zlib/default.nix index 59713bb8d20..6d0f8185921 100644 --- a/pkgs/development/libraries/zlib/default.nix +++ b/pkgs/development/libraries/zlib/default.nix @@ -31,6 +31,9 @@ stdenv.mkDerivation rec { fi ''; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + configureFlags = stdenv.lib.optional (!static) "--shared"; postInstall = '' @@ -47,8 +50,7 @@ stdenv.mkDerivation rec { # As zlib takes part in the stdenv building, we don't want references # to the bootstrap-tools libgcc (as uses to happen on arm/mips) - NIX_CFLAGS_COMPILE = stdenv.lib.optionalString (!stdenv.isDarwin) "-static-libgcc " - + stdenv.lib.optionalString (stdenv.isFreeBSD) "-fPIC"; + NIX_CFLAGS_COMPILE = stdenv.lib.optionalString (!stdenv.isDarwin) "-static-libgcc"; crossAttrs = { dontStrip = static; diff --git a/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix b/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix index cbd38903aac..108f3616e64 100644 --- a/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix +++ b/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix @@ -19,20 +19,22 @@ stdenv.mkDerivation { sha256 = "0sd9qkvhmk9av4g1f8dsjwc309hf1g0731bhvicnjb3b3d42l1n3"; }) ]; - + sourceRoot = "."; nativeBuildInputs = [ texinfo ]; - + buildInputs = [ gmp mpfr libmpc zlib ]; - + + hardeningDisable = [ "format" ]; + # Make sure we don't strip the libraries in lib/gcc/avr. stripDebugList= [ "bin" "avr/bin" "libexec" ]; - + installPhase = '' # important, without this gcc won't find the binutils executables export PATH=$PATH:$out/bin - + # Binutils. pushd binutils-*/ mkdir obj-avr @@ -64,7 +66,7 @@ stdenv.mkDerivation { make install popd ''; - + meta = with stdenv.lib; { description = "AVR development environment including binutils, avr-gcc and avr-libc"; # I've tried compiling the packages separately.. too much hassle. This just works. Fine. diff --git a/pkgs/development/pharo/vm/build-vm.nix b/pkgs/development/pharo/vm/build-vm.nix index 3dfe913145c..8265e1dc776 100644 --- a/pkgs/development/pharo/vm/build-vm.nix +++ b/pkgs/development/pharo/vm/build-vm.nix @@ -21,6 +21,8 @@ stdenv.mkDerivation rec { mimeType = "application/x-pharo-image"; }; + hardeningDisable = [ "format" ]; + # Building preConfigure = '' cd build/ diff --git a/pkgs/development/python-modules/wxPython/generic.nix b/pkgs/development/python-modules/wxPython/generic.nix index 16c7c126318..a5e0552a8c1 100644 --- a/pkgs/development/python-modules/wxPython/generic.nix +++ b/pkgs/development/python-modules/wxPython/generic.nix @@ -11,6 +11,10 @@ stdenv.mkDerivation rec { disabled = isPy3k || isPyPy; doCheck = false; + sourceRoot = "wxPython-src-${version}/wxPython"; + + hardeningDisable = [ "format" ]; + src = fetchurl { url = "mirror://sourceforge/wxpython/wxPython-src-${version}.tar.bz2"; inherit sha256; @@ -18,7 +22,6 @@ stdenv.mkDerivation rec { pythonPath = [ python setuptools ]; buildInputs = [ python setuptools pkgconfig wxGTK (wxGTK.gtk) wrapPython libX11 ] ++ stdenv.lib.optional openglSupport pyopengl; - preConfigure = "cd wxPython"; NIX_LDFLAGS = "-lX11 -lgdk-x11-2.0"; diff --git a/pkgs/development/tools/analysis/cccc/default.nix b/pkgs/development/tools/analysis/cccc/default.nix index c672c7964e7..b63bc66fabd 100644 --- a/pkgs/development/tools/analysis/cccc/default.nix +++ b/pkgs/development/tools/analysis/cccc/default.nix @@ -11,7 +11,11 @@ stdenv.mkDerivation { url = "mirror://sourceforge/${name}/${version}/${name}-${version}.tar.gz"; sha256 = "1gsdzzisrk95kajs3gfxks3bjvfd9g680fin6a9pjrism2lyrcr7"; }; + + hardeningDisable = [ "format" ]; + patches = [ ./cccc.patch ]; + preConfigure = '' substituteInPlace install/install.mak --replace /usr/local/bin $out/bin substituteInPlace install/install.mak --replace MKDIR=mkdir "MKDIR=mkdir -p" diff --git a/pkgs/development/tools/analysis/flow/default.nix b/pkgs/development/tools/analysis/flow/default.nix index e0802f9850b..d08922458a5 100644 --- a/pkgs/development/tools/analysis/flow/default.nix +++ b/pkgs/development/tools/analysis/flow/default.nix @@ -3,13 +3,14 @@ with lib; stdenv.mkDerivation rec { - version = "0.22.1"; + version = "0.22.0"; name = "flow-${version}"; + src = fetchFromGitHub { owner = "facebook"; repo = "flow"; rev = "v${version}"; - sha256 = "11d04g8rvjv2q79pmrjjx8lmmm1ix8kih7wc0adln0ap5123ph46"; + sha256 = "1p8a5cf85ydz6g04zsvsa6sh2b4p94mj9cqj7k6llf0dsiihrv54"; }; installPhase = '' diff --git a/pkgs/development/tools/analysis/radare/default.nix b/pkgs/development/tools/analysis/radare/default.nix index 3c83f0e9d49..d42227198ce 100644 --- a/pkgs/development/tools/analysis/radare/default.nix +++ b/pkgs/development/tools/analysis/radare/default.nix @@ -8,8 +8,8 @@ assert useX11 -> (gtk != null && vte != null && gtkdialog != null); assert rubyBindings -> ruby != null; assert pythonBindings -> python != null; -let - optional = stdenv.lib.optional; +let + inherit (stdenv.lib) optional; in stdenv.mkDerivation rec { name = "radare-1.5.2"; @@ -19,6 +19,7 @@ stdenv.mkDerivation rec { sha256 = "1qdrmcnzfvfvqb27c7pknwm8jl2hqa6c4l66wzyddwlb8yjm46hd"; }; + hardeningDisable = [ "format" ]; buildInputs = [pkgconfig readline libusb perl] ++ optional useX11 [gtkdialog vte gtk] diff --git a/pkgs/development/tools/analysis/rr/default.nix b/pkgs/development/tools/analysis/rr/default.nix index ea733b5b461..b0950fb8cb2 100644 --- a/pkgs/development/tools/analysis/rr/default.nix +++ b/pkgs/development/tools/analysis/rr/default.nix @@ -19,6 +19,11 @@ stdenv.mkDerivation rec { buildInputs = [ cmake libpfm zlib python pkgconfig pythonPackages.pexpect which procps gdb ]; cmakeFlags = "-DCMAKE_C_FLAGS_RELEASE:STRING= -DCMAKE_CXX_FLAGS_RELEASE:STRING="; + # we turn on additional warnings due to hardening + NIX_CFLAGS_COMPILE = "-Wno-error"; + + hardeningDisable = [ "fortify" ]; + enableParallelBuilding = true; # FIXME diff --git a/pkgs/development/tools/analysis/valgrind/default.nix b/pkgs/development/tools/analysis/valgrind/default.nix index b4b56be9c6d..0e0e44183f6 100644 --- a/pkgs/development/tools/analysis/valgrind/default.nix +++ b/pkgs/development/tools/analysis/valgrind/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { outputs = [ "out" "doc" ]; + hardeningDisable = [ "stackprotector" ]; + # Perl is needed for `cg_annotate'. # GDB is needed to provide a sane default for `--db-command'. nativeBuildInputs = [ perl ]; diff --git a/pkgs/development/tools/boost-build/default.nix b/pkgs/development/tools/boost-build/default.nix index 723219336bb..240d24961e0 100644 --- a/pkgs/development/tools/boost-build/default.nix +++ b/pkgs/development/tools/boost-build/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "10sbbkx2752r4i1yshyp47nw29lyi1p34sy6hj7ivvnddiliayca"; }; + hardeningDisable = [ "format" ]; + patchPhase = '' grep -r '/usr/share/boost-build' \ | awk '{split($0,a,":"); print a[1];}' \ diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix index 80b5643aad1..0d13e7c978c 100644 --- a/pkgs/development/tools/misc/binutils/default.nix +++ b/pkgs/development/tools/misc/binutils/default.nix @@ -47,6 +47,9 @@ stdenv.mkDerivation rec { inherit noSysDirs; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + preConfigure = '' # Clear the default library search path. if test "$noSysDirs" = "1"; then diff --git a/pkgs/development/tools/misc/elfutils/default.nix b/pkgs/development/tools/misc/elfutils/default.nix index 0a62859d207..d4a2f80599f 100644 --- a/pkgs/development/tools/misc/elfutils/default.nix +++ b/pkgs/development/tools/misc/elfutils/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { patches = [ ./glibc-2.21.patch ]; + hardeningDisable = [ "format" ]; + # We need bzip2 in NativeInputs because otherwise we can't unpack the src, # as the host-bzip2 will be in the path. nativeBuildInputs = [ m4 bison flex gettext bzip2 ]; diff --git a/pkgs/development/tools/misc/gnum4/default.nix b/pkgs/development/tools/misc/gnum4/default.nix index 7216e1e169d..79f7445af47 100644 --- a/pkgs/development/tools/misc/gnum4/default.nix +++ b/pkgs/development/tools/misc/gnum4/default.nix @@ -18,6 +18,9 @@ stdenv.mkDerivation rec { # Upstream is aware of it; it may be in the next release. patches = [ ./s_isdir.patch ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + meta = { homepage = http://www.gnu.org/software/m4/; description = "GNU M4, a macro processor"; diff --git a/pkgs/development/tools/misc/patchelf/default.nix b/pkgs/development/tools/misc/patchelf/default.nix index 77a1f266168..807b2a9a49d 100644 --- a/pkgs/development/tools/misc/patchelf/default.nix +++ b/pkgs/development/tools/misc/patchelf/default.nix @@ -10,6 +10,9 @@ stdenv.mkDerivation rec { setupHook = [ ./setup-hook.sh ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + #doCheck = true; # problems when loading libc.so.6 meta = { diff --git a/pkgs/development/tools/misc/texinfo/6.0.nix b/pkgs/development/tools/misc/texinfo/6.0.nix index 507ca22cd1a..cf62d906f3c 100644 --- a/pkgs/development/tools/misc/texinfo/6.0.nix +++ b/pkgs/development/tools/misc/texinfo/6.0.nix @@ -17,6 +17,9 @@ stdenv.mkDerivation rec { configureFlags = stdenv.lib.optional stdenv.isSunOS "AWK=${gawk}/bin/awk"; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + preInstall = '' installFlags="TEXMF=$out/texmf-dist"; installTargets="install install-tex"; diff --git a/pkgs/development/tools/omniorb/default.nix b/pkgs/development/tools/omniorb/default.nix index 0fe4b191e50..da6760897ad 100644 --- a/pkgs/development/tools/omniorb/default.nix +++ b/pkgs/development/tools/omniorb/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ python ]; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "omniORB is a robust high performance CORBA ORB for C++ and Python. It is freely available under the terms of the GNU Lesser General Public License (for the libraries), and GNU General Public License (for the tools). omniORB is largely CORBA 2.6 compliant"; homepage = "http://omniorb.sourceforge.net/"; diff --git a/pkgs/development/tools/parsing/bison/3.x.nix b/pkgs/development/tools/parsing/bison/3.x.nix index ee007414017..97a66490bf9 100644 --- a/pkgs/development/tools/parsing/bison/3.x.nix +++ b/pkgs/development/tools/parsing/bison/3.x.nix @@ -11,6 +11,9 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ m4 perl ] ++ stdenv.lib.optional stdenv.isSunOS help2man; propagatedBuildInputs = [ m4 ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + meta = { homepage = "http://www.gnu.org/software/bison/"; description = "Yacc-compatible parser generator"; diff --git a/pkgs/development/tools/toluapp/default.nix b/pkgs/development/tools/toluapp/default.nix index 73a8b64ed22..69dfa0280e5 100644 --- a/pkgs/development/tools/toluapp/default.nix +++ b/pkgs/development/tools/toluapp/default.nix @@ -20,8 +20,6 @@ stdenv.mkDerivation rec { --replace /usr/local $out ''; - NIX_CFLAGS_COMPILE = "-fPIC"; - buildPhase = ''scons''; installPhase = ''scons install''; diff --git a/pkgs/development/web/wml/default.nix b/pkgs/development/web/wml/default.nix index 22cc5001c92..be53724636b 100644 --- a/pkgs/development/web/wml/default.nix +++ b/pkgs/development/web/wml/default.nix @@ -19,12 +19,14 @@ perlPackages.buildPerlPackage rec { sed -i 's/ doc / /g' wml_backend/p2_mp4h/Makefile.in sed -i '/p2_mp4h\/doc/d' Makefile.in ''; - + buildInputs = with perlPackages; [ perl TermReadKey GD BitVector ncurses lynx makeWrapper ImageSize ]; patches = [ ./redhat-with-thr.patch ./dynaloader.patch ./no_bitvector.patch ]; - + + hardeningDisable = [ "format" ]; + postPatch = '' substituteInPlace wml_frontend/wml.src \ --replace "File::PathConvert::realpath" "Cwd::realpath" \ diff --git a/pkgs/games/asc/default.nix b/pkgs/games/asc/default.nix index b2f251bfecb..e67b92afa76 100644 --- a/pkgs/games/asc/default.nix +++ b/pkgs/games/asc/default.nix @@ -13,6 +13,7 @@ stdenv.mkDerivation rec { configureFlags = [ "--disable-paragui" "--disable-paraguitest" ]; NIX_CFLAGS_COMPILE = "-fpermissive"; # I'm too lazy to catch all gcc47-related problems + hardeningDisable = [ "format" ]; buildInputs = [ SDL SDL_image SDL_mixer SDL_sound libsigcxx physfs boost expat diff --git a/pkgs/games/bsdgames/default.nix b/pkgs/games/bsdgames/default.nix index 0709692552c..599588e6f0e 100644 --- a/pkgs/games/bsdgames/default.nix +++ b/pkgs/games/bsdgames/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation { }) ]; + hardeningDisable = [ "format" ]; + preConfigure = '' cat > config.params << EOF bsd_games_cfg_man6dir=$out/share/man/man6 diff --git a/pkgs/games/crack-attack/default.nix b/pkgs/games/crack-attack/default.nix index 538efebf833..eb20c0b329e 100644 --- a/pkgs/games/crack-attack/default.nix +++ b/pkgs/games/crack-attack/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { buildInputs = [ pkgconfig gtk freeglut SDL mesa libXi libXmu ]; + hardeningDisable = [ "format" ]; + meta = { description = "A fast-paced puzzle game inspired by the classic Super NES title Tetris Attack!"; homepage = http://www.nongnu.org/crack-attack/; diff --git a/pkgs/games/lincity/ng.nix b/pkgs/games/lincity/ng.nix index 8807831ef01..b6574eaf39e 100644 --- a/pkgs/games/lincity/ng.nix +++ b/pkgs/games/lincity/ng.nix @@ -15,13 +15,15 @@ let s = # Generated upstream information }; buildInputs = [zlib jam pkgconfig gettext libxml2 libxslt xproto libX11 mesa SDL SDL_mixer SDL_image SDL_ttf SDL_gfx physfs]; -in +in stdenv.mkDerivation rec { inherit (s) name version; src = fetchurl { inherit (s) url sha256; }; + hardeningDisable = [ "format" ]; + inherit buildInputs; buildPhase = "jam"; diff --git a/pkgs/games/liquidwar/default.nix b/pkgs/games/liquidwar/default.nix index f97c0ec412f..ccab07308fd 100644 --- a/pkgs/games/liquidwar/default.nix +++ b/pkgs/games/liquidwar/default.nix @@ -24,6 +24,8 @@ stdenv.mkDerivation rec { libXrender libcaca cunit ]; + hardeningDisable = [ "format" ]; + # To avoid problems finding SDL_types.h. configureFlags = [ "CFLAGS=-I${SDL.dev}/include/SDL" ]; diff --git a/pkgs/games/pioneers/default.nix b/pkgs/games/pioneers/default.nix index af9900cede5..3f1735c31aa 100644 --- a/pkgs/games/pioneers/default.nix +++ b/pkgs/games/pioneers/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { buildInputs = [ gtk pkgconfig intltool ]; + hardeningDisable = [ "format" ]; + meta = { homepage = http://pio.sourceforge.net/; license = stdenv.lib.licenses.gpl2Plus; diff --git a/pkgs/games/stardust/default.nix b/pkgs/games/stardust/default.nix index aa68da6b73d..74d9bdcb35d 100644 --- a/pkgs/games/stardust/default.nix +++ b/pkgs/games/stardust/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation rec { installFlags = [ "bindir=\${out}/bin" ]; + hardeningDisable = [ "format" ]; + postConfigure = '' substituteInPlace config.h \ --replace '#define PACKAGE ""' '#define PACKAGE "stardust"' diff --git a/pkgs/games/torcs/default.nix b/pkgs/games/torcs/default.nix index e6370d6e7c6..1b1e877d274 100644 --- a/pkgs/games/torcs/default.nix +++ b/pkgs/games/torcs/default.nix @@ -21,6 +21,8 @@ stdenv.mkDerivation rec { installTargets = "install datainstall"; + hardeningDisable = [ "format" ]; + meta = { description = "Car racing game"; homepage = http://torcs.sourceforge.net/; diff --git a/pkgs/games/xconq/default.nix b/pkgs/games/xconq/default.nix index 53c3ec7dec8..e6e23752953 100644 --- a/pkgs/games/xconq/default.nix +++ b/pkgs/games/xconq/default.nix @@ -3,9 +3,9 @@ stdenv.mkDerivation rec { name = "${baseName}-${version}"; - baseName="xconq"; + baseName = "xconq"; version = "7.5.0-0pre.0.20050612"; - + src = fetchurl { url = "mirror://sourceforge/project/${baseName}/${baseName}/${name}/${name}.tar.gz"; sha256 = "1za78yx57mgwcmmi33wx3533yz1x093dnqis8q2qmqivxav51lca"; @@ -20,6 +20,8 @@ stdenv.mkDerivation rec { "--with-tkconfig=${tk}/lib" ]; + hardeningDisable = [ "format" ]; + patchPhase = '' # Fix Makefiles find . -name 'Makefile.in' -exec sed -re 's@^ ( *)(cd|[&][&])@ \1\2@' -i '{}' ';' diff --git a/pkgs/games/xpilot/bloodspilot-server.nix b/pkgs/games/xpilot/bloodspilot-server.nix index 3c811f1ba2e..42bcb326316 100644 --- a/pkgs/games/xpilot/bloodspilot-server.nix +++ b/pkgs/games/xpilot/bloodspilot-server.nix @@ -1,23 +1,27 @@ -{stdenv, fetchurl, expat}: -let - buildInputs = [ - expat - ]; -in +{ stdenv, fetchurl, expat }: + stdenv.mkDerivation rec { - version = "1.4.6"; name = "bloodspilot-xpilot-fxi-server-${version}"; - inherit buildInputs; + version = "1.4.6"; + src = fetchurl { url = "mirror://sourceforge/project/bloodspilot/server/server%20v${version}/xpilot-${version}fxi.tar.gz"; sha256 = "0d7hnpshifq6gy9a0g6il6h1hgqqjyys36n8w84hr8d4nhg4d1ji"; }; - meta = { - inherit version; - description = ''A multiplayer X11 space combat game (server part)''; - homepage = "http://bloodspilot.sf.net/"; - license = stdenv.lib.licenses.gpl2Plus ; - maintainers = [stdenv.lib.maintainers.raskin]; - platforms = stdenv.lib.platforms.linux; + + buildInputs = [ + expat + ]; + + patches = [ + ./server-gcc5.patch + ]; + + meta = with stdenv.lib; { + description = "A multiplayer X11 space combat game (server part)"; + homepage = http://bloodspilot.sf.net/; + license = licenses.gpl2Plus ; + maintainers = [ maintainers.raskin ]; + platforms = platforms.linux; }; } diff --git a/pkgs/games/xpilot/server-gcc5.patch b/pkgs/games/xpilot/server-gcc5.patch new file mode 100644 index 00000000000..5618399bfec --- /dev/null +++ b/pkgs/games/xpilot/server-gcc5.patch @@ -0,0 +1,65 @@ +--- xpilot-1.4.6fxi/src/common/net.c 2016-02-09 00:20:43.531714342 +0000 ++++ xpilot-1.4.6fxi/src/common/net.c 2016-02-09 00:21:15.301331053 +0000 +@@ -608,9 +608,9 @@ + } + + #if STDVA +-inline int32_t Packet_scanf(sockbuf_t *sbuf, const char *fmt, ...) ++extern int32_t Packet_scanf(sockbuf_t *sbuf, const char *fmt, ...) + #else +-inline int32_t Packet_scanf(va_alist) ++extern int32_t Packet_scanf(va_alist) + va_dcl + #endif + { +--- xpilot-1.4.6fxi/src/server/collision.c 2016-02-09 00:22:29.581784405 +0000 ++++ xpilot-1.4.6fxi/src/server/collision.c 2016-02-09 00:22:38.152952500 +0000 +@@ -71,7 +71,7 @@ + * p: first object, q: second object + */ + +-inline int32_t Collision_occured(int32_t p1x, int32_t p1y, int32_t p2x, int32_t p2y, ++extern int32_t Collision_occured(int32_t p1x, int32_t p1y, int32_t p2x, int32_t p2y, + int32_t q1x, int32_t q1y, int32_t q2x, int32_t q2y, int32_t r) + { + int32_t fac1, fac2; /* contraction between the distance between the x and y coordinates of objects */ +--- xpilot-1.4.6fxi/src/server/player.c 2016-02-09 00:25:29.546313808 +0000 ++++ xpilot-1.4.6fxi/src/server/player.c 2016-02-09 00:25:40.464527932 +0000 +@@ -1411,12 +1411,12 @@ + return NULL; + } + +-inline bool Player_idle_timed_out(player_t *pl) ++extern bool Player_idle_timed_out(player_t *pl) + { + return (frame_loops - pl->frame_last_busy > MAX_PLAYER_IDLE_TICKS && (NumPlayers > 1)) ? true : false; + } + +-inline bool Player_is_recovered(player_t *pl) ++extern bool Player_is_recovered(player_t *pl) + { + return (pl->recovery_count <= 0.0) ? true : false; + } +--- xpilot-1.4.6fxi/src/server/score.c 2016-02-09 00:21:45.659923025 +0000 ++++ xpilot-1.4.6fxi/src/server/score.c 2016-02-09 00:22:07.224345939 +0000 +@@ -24,17 +24,17 @@ + char msg[MSG_LEN]; + + +-inline double Get_Score(player_t *pl) ++extern double Get_Score(player_t *pl) + { + return pl->score; + } + +-inline void Score_set(player_t * pl, double score) ++extern void Score_set(player_t * pl, double score) + { + pl->score = score; + } + +-inline void Score_add(player_t * pl, double score) ++extern void Score_add(player_t * pl, double score) + { + pl->score += score; + } diff --git a/pkgs/games/zandronum/default.nix b/pkgs/games/zandronum/default.nix index 27ba69ad82b..18abf280a81 100644 --- a/pkgs/games/zandronum/default.nix +++ b/pkgs/games/zandronum/default.nix @@ -33,6 +33,8 @@ in stdenv.mkDerivation { enableParallelBuilding = true; + hardeningDisable = [ "format" ]; + installPhase = '' mkdir -p $out/bin mkdir -p $out/share/zandronum diff --git a/pkgs/misc/emulators/dosbox/default.nix b/pkgs/misc/emulators/dosbox/default.nix index 2525cafc28b..d57ef5ae16d 100644 --- a/pkgs/misc/emulators/dosbox/default.nix +++ b/pkgs/misc/emulators/dosbox/default.nix @@ -2,7 +2,7 @@ stdenv.mkDerivation rec { name = "dosbox-0.74"; - + src = fetchurl { url = "mirror://sourceforge/dosbox/${name}.tar.gz"; sha256 = "01cfjc5bs08m4w79nbxyv7rnvzq2yckmgrbq36njn06lw8b4kxqk"; @@ -17,9 +17,11 @@ stdenv.mkDerivation rec { ]; patchFlags = "-p0"; - + buildInputs = [ SDL ]; - + + hardeningDisable = [ "format" ]; + desktopItem = makeDesktopItem { name = "dosbox"; exec = "dosbox"; diff --git a/pkgs/misc/emulators/mupen64plus/default.nix b/pkgs/misc/emulators/mupen64plus/default.nix index 571e14347b4..1abf621fe7e 100644 --- a/pkgs/misc/emulators/mupen64plus/default.nix +++ b/pkgs/misc/emulators/mupen64plus/default.nix @@ -6,9 +6,11 @@ stdenv.mkDerivation { url = http://mupen64plus.googlecode.com/files/Mupen64Plus-1-5-src.tar.gz; sha256 = "0gygfgyr2sg4yx77ijk133d1ra0v1yxi4xjxrg6kp3zdjmhdmcjq"; }; - + buildInputs = [ which pkgconfig SDL gtk mesa SDL_ttf ]; - + + hardeningDisable = [ "format" ]; + preConfigure = '' # Some C++ incompatibility fixes sed -i -e 's|char \* extstr = strstr|const char * extstr = strstr|' glide64/Main.cpp @@ -20,10 +22,10 @@ stdenv.mkDerivation { # Remove PATH environment variable from install script sed -i -e "s|export PATH=|#export PATH=|" ./install.sh ''; - + buildPhase = "make all"; installPhase = "PREFIX=$out make install"; - + meta = { description = "A Nintendo 64 Emulator"; license = stdenv.lib.licenses.gpl2Plus; diff --git a/pkgs/misc/emulators/nestopia/default.nix b/pkgs/misc/emulators/nestopia/default.nix index fc64caf1053..6620018c337 100644 --- a/pkgs/misc/emulators/nestopia/default.nix +++ b/pkgs/misc/emulators/nestopia/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { # nondeterministic failures when creating directories enableParallelBuilding = false; + hardeningDisable = [ "format" ]; + buildInputs = [ pkgconfig SDL2 alsaLib gtk3 mesa_glu mesa makeWrapper libarchive libao unzip xdg_utils gsettings_desktop_schemas ]; diff --git a/pkgs/misc/emulators/uae/default.nix b/pkgs/misc/emulators/uae/default.nix index f877eff5c64..9e773b18f7d 100644 --- a/pkgs/misc/emulators/uae/default.nix +++ b/pkgs/misc/emulators/uae/default.nix @@ -2,13 +2,18 @@ stdenv.mkDerivation rec { name = "uae-0.8.29"; + src = fetchurl { url = "http://web.archive.org/web/20130905032631/http://www.amigaemulator.org/files/sources/develop/${name}.tar.bz2"; sha256 = "05s3cd1rd5a970s938qf4c2xm3l7f54g5iaqw56v8smk355m4qr4"; }; + configureFlags = [ "--with-sdl" "--with-sdl-sound" "--with-sdl-gfx" "--with-alsa" ]; + buildInputs = [ pkgconfig gtk alsaLib SDL ]; - + + hardeningDisable = [ "format" ]; + meta = { description = "Ultimate/Unix/Unusable Amiga Emulator"; license = stdenv.lib.licenses.gpl2Plus; diff --git a/pkgs/misc/mxt-app/default.nix b/pkgs/misc/mxt-app/default.nix index cfcba8a3a8b..2873225b26f 100644 --- a/pkgs/misc/mxt-app/default.nix +++ b/pkgs/misc/mxt-app/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec{ buildInputs = [ autoconf automake libtool ]; preConfigure = "./autogen.sh"; + hardeningDisable = [ "fortify" ]; + meta = with stdenv.lib; { description = "Command line utility for Atmel maXTouch devices"; homepage = http://github.com/atmel-maxtouch/mxt-app; diff --git a/pkgs/os-specific/linux/acpi-call/default.nix b/pkgs/os-specific/linux/acpi-call/default.nix index 289b54f1b54..65223a32bad 100644 --- a/pkgs/os-specific/linux/acpi-call/default.nix +++ b/pkgs/os-specific/linux/acpi-call/default.nix @@ -8,7 +8,9 @@ stdenv.mkDerivation { rev = "ac67445bc75ec4fcf46ceb195fb84d74ad350d51"; sha256 = "0jl19irz9x9pxab2qp4z8c3jijv2m30zhmnzi6ygbrisqqlg4c75"; }; - + + hardeningDisable = [ "pic" ]; + preBuild = '' sed -e 's/break/true/' -i examples/turn_off_gpu.sh sed -e 's@/bin/bash@.bin/sh@' -i examples/turn_off_gpu.sh diff --git a/pkgs/os-specific/linux/batman-adv/default.nix b/pkgs/os-specific/linux/batman-adv/default.nix index b8bef1b5a9a..aabd36f945f 100644 --- a/pkgs/os-specific/linux/batman-adv/default.nix +++ b/pkgs/os-specific/linux/batman-adv/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { sha256 = "0r5faf12ifpj8h1fklkzvy4ck359cadk8xh1l3n7vimh67hxbxbz"; }; + hardeningDisable = [ "pic" ]; + preBuild = '' makeFlags="KERNELPATH=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" sed -i -e "s,INSTALL_MOD_DIR=,INSTALL_MOD_PATH=$out INSTALL_MOD_DIR=," \ diff --git a/pkgs/os-specific/linux/bbswitch/default.nix b/pkgs/os-specific/linux/bbswitch/default.nix index ec1e5f2e20b..67b843fac4d 100644 --- a/pkgs/os-specific/linux/bbswitch/default.nix +++ b/pkgs/os-specific/linux/bbswitch/default.nix @@ -20,6 +20,8 @@ stdenv.mkDerivation { sha256 = "1lbr6pyyby4k9rn2ry5qc38kc738d0442jhhq57vmdjb6hxjya7m"; }) ]; + hardeningDisable = [ "pic" ]; + preBuild = '' substituteInPlace Makefile \ --replace "\$(shell uname -r)" "${kernel.modDirVersion}" \ diff --git a/pkgs/os-specific/linux/blcr/default.nix b/pkgs/os-specific/linux/blcr/default.nix index bc7523858fe..c2e3fa4b9e1 100644 --- a/pkgs/os-specific/linux/blcr/default.nix +++ b/pkgs/os-specific/linux/blcr/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation { buildInputs = [ perl makeWrapper ]; + hardeningDisable = [ "pic" ]; + preConfigure = '' configureFlagsArray=( --with-linux=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build @@ -33,7 +35,7 @@ stdenv.mkDerivation { wrapProgram "$prog" --prefix LD_LIBRARY_PATH ":" "$out/lib" done ''; - + meta = { description = "Berkeley Lab Checkpoint/Restart for Linux (BLCR)"; homepage = https://ftg.lbl.gov/projects/CheckpointRestart/; diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix index fa6591701a6..2785a57ac8a 100644 --- a/pkgs/os-specific/linux/busybox/default.nix +++ b/pkgs/os-specific/linux/busybox/default.nix @@ -33,6 +33,8 @@ stdenv.mkDerivation rec { sha256 = "16ii9sqracvh2r1gfzhmlypl269nnbkpvrwa7270k35d3bigk9h5"; }; + hardeningDisable = [ "format" ]; + patches = [ ./busybox-in-store.patch ]; configurePhase = '' diff --git a/pkgs/os-specific/linux/checksec/default.nix b/pkgs/os-specific/linux/checksec/default.nix index e698c11ad0f..1a879ba3330 100644 --- a/pkgs/os-specific/linux/checksec/default.nix +++ b/pkgs/os-specific/linux/checksec/default.nix @@ -3,6 +3,7 @@ stdenv.mkDerivation rec { name = "checksec-${version}"; version = "1.5"; + src = fetchurl { url = "http://www.trapkit.de/tools/checksec.sh"; sha256 = "0iq9v568mk7g7ksa1939g5f5sx7ffq8s8n2ncvphvlckjgysgf3p"; @@ -11,9 +12,9 @@ stdenv.mkDerivation rec { patches = [ ./0001-attempt-to-modprobe-config-before-checking-kernel.patch ]; unpackPhase = '' - mkdir ${name}-${version} - cp $src ${name}-${version}/checksec.sh - cd ${name}-${version} + mkdir ${name} + cp $src ${name}/checksec.sh + cd ${name} ''; installPhase = '' @@ -32,8 +33,6 @@ stdenv.mkDerivation rec { substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -" ''; - phases = "unpackPhase patchPhase installPhase"; - meta = { description = "A tool for checking security bits on executables"; homepage = "http://www.trapkit.de/tools/checksec.html"; diff --git a/pkgs/os-specific/linux/criu/default.nix b/pkgs/os-specific/linux/criu/default.nix index 0d06864df1e..16116019567 100644 --- a/pkgs/os-specific/linux/criu/default.nix +++ b/pkgs/os-specific/linux/criu/default.nix @@ -24,7 +24,11 @@ stdenv.mkDerivation rec { ln -sf ${protobuf}/include/google/protobuf/descriptor.proto ./images/google/protobuf/descriptor.proto ''; - buildPhase = "make PREFIX=$out"; + configurePhase = "make config PREFIX=$out"; + + makeFlags = "PREFIX=$(out)"; + + hardeningDisable = [ "stackprotector" ]; installPhase = '' mkdir -p $out/etc/logrotate.d diff --git a/pkgs/os-specific/linux/dietlibc/default.nix b/pkgs/os-specific/linux/dietlibc/default.nix index d98bfb96735..12ffbfbc5ce 100644 --- a/pkgs/os-specific/linux/dietlibc/default.nix +++ b/pkgs/os-specific/linux/dietlibc/default.nix @@ -9,10 +9,13 @@ stdenv.mkDerivation { md5 = "2465d652fff6f1fad3da3b98e60e83c9"; }; builder = ./builder.sh; - + inherit glibc; kernelHeaders = glibc.linuxHeaders; + hardeningDisable = [ "stackprotector" ] + ++ stdenv.lib.optional stdenv.isi686 "pic"; + patches = [ # dietlibc's sigcontext.h provides a macro called PC(), which is diff --git a/pkgs/os-specific/linux/disk-indicator/default.nix b/pkgs/os-specific/linux/disk-indicator/default.nix index 406492db236..4c2d0c88576 100644 --- a/pkgs/os-specific/linux/disk-indicator/default.nix +++ b/pkgs/os-specific/linux/disk-indicator/default.nix @@ -20,6 +20,8 @@ stdenv.mkDerivation { NIX_CFLAGS_COMPILE = "-Wno-error=cpp"; + hardeningDisable = [ "fortify" ]; + installPhase = '' mkdir -p "$out/bin" cp ./disk_indicator "$out/bin/" diff --git a/pkgs/os-specific/linux/dmraid/default.nix b/pkgs/os-specific/linux/dmraid/default.nix index 9e7e2a6bb8e..9412747d6bc 100644 --- a/pkgs/os-specific/linux/dmraid/default.nix +++ b/pkgs/os-specific/linux/dmraid/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0m92971gyqp61darxbiri6a48jz3wq3gkp8r2k39320z0i6w8jgq"; }; + patches = [ ./hardening-format.patch ]; + postPatch = '' sed -i 's/\[\[[^]]*\]\]/[ "''$''${n##*.}" = "so" ]/' */lib/Makefile.in ''; diff --git a/pkgs/os-specific/linux/dmraid/hardening-format.patch b/pkgs/os-specific/linux/dmraid/hardening-format.patch new file mode 100644 index 00000000000..f91a7fb18aa --- /dev/null +++ b/pkgs/os-specific/linux/dmraid/hardening-format.patch @@ -0,0 +1,18 @@ +--- a/1.0.0.rc16/lib/events/libdmraid-events-isw.c 2016-01-29 05:16:57.455425454 +0000 ++++ b/1.0.0.rc16/lib/events/libdmraid-events-isw.c 2016-01-29 05:17:55.520564013 +0000 +@@ -838,13 +838,13 @@ + + sz = _log_all_devs(log_type, rs, NULL, 0); + if (!sz) { +- syslog(LOG_ERR, msg[0]); ++ syslog(LOG_ERR, "%s", msg[0]); + return; + } + + str = dm_malloc(++sz); + if (!str) { +- syslog(LOG_ERR, msg[1]); ++ syslog(LOG_ERR, "%s", msg[1]); + return; + } + diff --git a/pkgs/os-specific/linux/facetimehd/default.nix b/pkgs/os-specific/linux/facetimehd/default.nix index 06e6abfe417..b25a65b2ab4 100644 --- a/pkgs/os-specific/linux/facetimehd/default.nix +++ b/pkgs/os-specific/linux/facetimehd/default.nix @@ -4,7 +4,6 @@ assert stdenv.lib.versionAtLeast kernel.version "3.19"; stdenv.mkDerivation rec { - name = "facetimehd-${version}-${kernel.version}"; version = "git-20160127"; @@ -19,6 +18,8 @@ stdenv.mkDerivation rec { export INSTALL_MOD_PATH="$out" ''; + hardeningDisable = [ "pic" ]; + makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ]; @@ -30,5 +31,4 @@ stdenv.mkDerivation rec { maintainers = [ maintainers.womfoo ]; platforms = platforms.linux; }; - } diff --git a/pkgs/os-specific/linux/gogoclient/default.nix b/pkgs/os-specific/linux/gogoclient/default.nix index a627a8cbcc9..e86c751331b 100644 --- a/pkgs/os-specific/linux/gogoclient/default.nix +++ b/pkgs/os-specific/linux/gogoclient/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation rec { makeFlags = ["target=linux"]; installFlags = ["installdir=$(out)"]; + hardeningDisable = [ "format" ]; + buildInputs = [openssl]; preFixup = '' diff --git a/pkgs/os-specific/linux/ifenslave/default.nix b/pkgs/os-specific/linux/ifenslave/default.nix index d8985003b41..b9390d1d589 100644 --- a/pkgs/os-specific/linux/ifenslave/default.nix +++ b/pkgs/os-specific/linux/ifenslave/default.nix @@ -18,6 +18,8 @@ stdenv.mkDerivation rec { cp -a ifenslave $out/bin ''; + hardeningDisable = [ "format" ]; + meta = { description = "Utility for enslaving networking interfaces under a bond"; license = stdenv.lib.licenses.gpl2; diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix index 389dcc22053..274d0cc4139 100644 --- a/pkgs/os-specific/linux/jool/default.nix +++ b/pkgs/os-specific/linux/jool/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation { src = sourceAttrs.src; + hardeningDisable = [ "pic" ]; + prePatch = '' sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i mod/*/Makefile ''; diff --git a/pkgs/os-specific/linux/kernel-headers/3.18.nix b/pkgs/os-specific/linux/kernel-headers/3.18.nix index 0cc38a0548c..22650747ba2 100644 --- a/pkgs/os-specific/linux/kernel-headers/3.18.nix +++ b/pkgs/os-specific/linux/kernel-headers/3.18.nix @@ -34,6 +34,9 @@ stdenv.mkDerivation { buildInputs = [perl]; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + extraIncludeDirs = if cross != null then (if cross.arch == "powerpc" then ["ppc"] else []) diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix index ffe09cc2fee..1fb702d5746 100644 --- a/pkgs/os-specific/linux/kernel/manual-config.nix +++ b/pkgs/os-specific/linux/kernel/manual-config.nix @@ -216,6 +216,9 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null) (ubootChooser stdenv.platform.uboot); + hardeningDisable = [ "format" "fortify" "stackprotector" "pic" ] + ++ stdenv.lib.optional stdenv.isi686 "bindnow"; + makeFlags = commonMakeFlags ++ [ "ARCH=${stdenv.platform.kernelArch}" ]; diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix index d7d79b0257d..cb30de44a81 100644 --- a/pkgs/os-specific/linux/kexectools/default.nix +++ b/pkgs/os-specific/linux/kexectools/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { sha256 = "03cj7w2l5fqn72xfhl4q6z0zbziwkp9bfn0gs7gaf9i44jv6gkhl"; }; + hardeningDisable = [ "format" ]; + buildInputs = [ zlib ]; meta = with stdenv.lib; { diff --git a/pkgs/os-specific/linux/klibc/default.nix b/pkgs/os-specific/linux/klibc/default.nix index b948dbff2c1..ffa381d0f29 100644 --- a/pkgs/os-specific/linux/klibc/default.nix +++ b/pkgs/os-specific/linux/klibc/default.nix @@ -21,6 +21,8 @@ stdenv.mkDerivation { nativeBuildInputs = [ perl ]; + hardeningDisable = [ "format" "stackprotector" ]; + makeFlags = commonMakeFlags ++ [ "KLIBCARCH=${stdenv.platform.kernelArch}" "KLIBCKERNELSRC=${kernelHeaders}" diff --git a/pkgs/os-specific/linux/ldm/default.nix b/pkgs/os-specific/linux/ldm/default.nix index a32d815ac2f..5e9b2c869ef 100644 --- a/pkgs/os-specific/linux/ldm/default.nix +++ b/pkgs/os-specific/linux/ldm/default.nix @@ -25,7 +25,7 @@ stdenv.mkDerivation rec { sed '16i#include <sys/stat.h>' -i ldm.c ''; - buildPhase = "make ldm"; + buildFlags = "ldm"; installPhase = '' mkdir -p $out/bin diff --git a/pkgs/os-specific/linux/libaio/default.nix b/pkgs/os-specific/linux/libaio/default.nix index b3df129912e..1e85182d6c3 100644 --- a/pkgs/os-specific/linux/libaio/default.nix +++ b/pkgs/os-specific/linux/libaio/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { makeFlags = "prefix=$(out)"; + hardeningDisable = stdenv.lib.optional (stdenv.isi686) "stackprotector"; + meta = { description = "Library for asynchronous I/O in Linux"; homepage = http://lse.sourceforge.net/io/aio.html; diff --git a/pkgs/os-specific/linux/lttng-modules/default.nix b/pkgs/os-specific/linux/lttng-modules/default.nix index f029c6b82be..b3a67e70a1d 100644 --- a/pkgs/os-specific/linux/lttng-modules/default.nix +++ b/pkgs/os-specific/linux/lttng-modules/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "0sk7cyjf5ylmxqrrrz5zmmw4c0dmxh1f98aj870gmcnxfa76y4mx"; }; + hardeningDisable = [ "pic" ]; + preConfigure = '' export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" export INSTALL_MOD_PATH="$out" diff --git a/pkgs/os-specific/linux/mba6x_bl/default.nix b/pkgs/os-specific/linux/mba6x_bl/default.nix index 010bda4bb15..2a0e53b3925 100644 --- a/pkgs/os-specific/linux/mba6x_bl/default.nix +++ b/pkgs/os-specific/linux/mba6x_bl/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "pic" ]; + makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" "INSTALL_MOD_PATH=$(out)" diff --git a/pkgs/os-specific/linux/multipath-tools/default.nix b/pkgs/os-specific/linux/multipath-tools/default.nix index ba69b421c3d..409eb31e14f 100644 --- a/pkgs/os-specific/linux/multipath-tools/default.nix +++ b/pkgs/os-specific/linux/multipath-tools/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1yd6l1l1c62xjr1xnij2x49kr416anbgfs4y06r86kp9hkmz2g7i"; }; + hardeningDisable = [ "format" ]; + postPatch = '' sed -i -re ' s,^( *#define +DEFAULT_MULTIPATHDIR\>).*,\1 "'"$out/lib/multipath"'", diff --git a/pkgs/os-specific/linux/mxu11x0/default.nix b/pkgs/os-specific/linux/mxu11x0/default.nix index 4af40432403..ed88fc643fd 100644 --- a/pkgs/os-specific/linux/mxu11x0/default.nix +++ b/pkgs/os-specific/linux/mxu11x0/default.nix @@ -28,6 +28,8 @@ stdenv.mkDerivation { enableParallelBuilding = true; + hardeningDisable = [ "pic" ]; + meta = with stdenv.lib; { description = "MOXA UPort 11x0 USB to Serial Hub driver"; homepage = "https://github.com/ellysh/mxu11x0"; diff --git a/pkgs/os-specific/linux/netatop/default.nix b/pkgs/os-specific/linux/netatop/default.nix index 1e74cd94c55..35781dc7f95 100644 --- a/pkgs/os-specific/linux/netatop/default.nix +++ b/pkgs/os-specific/linux/netatop/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation { buildInputs = [ zlib ]; + hardeningDisable = [ "pic" ]; + preConfigure = '' patchShebangs mkversion sed -i -e 's,^KERNDIR.*,KERNDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build,' \ diff --git a/pkgs/os-specific/linux/numad/default.nix b/pkgs/os-specific/linux/numad/default.nix index 2e88e2c794e..7310e7e36ad 100644 --- a/pkgs/os-specific/linux/numad/default.nix +++ b/pkgs/os-specific/linux/numad/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "08zd1yc3w00yv4mvvz5sq1gf91f6p2s9ljcd72m33xgnkglj60v4"; }; + hardeningDisable = [ "format" ]; + patches = [ ./numad-linker-flags.patch ]; diff --git a/pkgs/os-specific/linux/paxctl/default.nix b/pkgs/os-specific/linux/paxctl/default.nix index afb342768c3..7ef98eb2353 100644 --- a/pkgs/os-specific/linux/paxctl/default.nix +++ b/pkgs/os-specific/linux/paxctl/default.nix @@ -18,6 +18,9 @@ stdenv.mkDerivation rec { "MANDIR=share/man/man1" ]; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + setupHook = ./setup-hook.sh; meta = with stdenv.lib; { diff --git a/pkgs/os-specific/linux/phc-intel/default.nix b/pkgs/os-specific/linux/phc-intel/default.nix index 2b86238b2df..56c12e9a4f0 100644 --- a/pkgs/os-specific/linux/phc-intel/default.nix +++ b/pkgs/os-specific/linux/phc-intel/default.nix @@ -21,6 +21,8 @@ in stdenv.mkDerivation rec { buildInputs = [ which ]; + hardeningDisable = [ "pic" ]; + makeFlags = with kernel; [ "DESTDIR=$(out)" "KERNELSRC=${dev}/lib/modules/${modDirVersion}/build" diff --git a/pkgs/os-specific/linux/rtl8723bs/default.nix b/pkgs/os-specific/linux/rtl8723bs/default.nix index 6d55c5522f4..2adbb4b743c 100644 --- a/pkgs/os-specific/linux/rtl8723bs/default.nix +++ b/pkgs/os-specific/linux/rtl8723bs/default.nix @@ -5,14 +5,16 @@ let in stdenv.mkDerivation rec { name = "rtl8723bs-${kernel.version}-c517f2b"; - + src = fetchFromGitHub { owner = "hadess"; repo = "rtl8723bs"; rev = "c517f2bf8bcc3d57311252ea7cd49ae81466eead"; sha256 = "0phzrhq85g52pi2b74a9sr9l2x6dzlz714k3pix486w2x5axw4xb"; }; - + + hardeningDisable = [ "pic" ]; + patchPhase = '' substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/" substituteInPlace ./Makefile --replace '$(shell uname -r)' "${kernel.modDirVersion}" @@ -20,12 +22,12 @@ stdenv.mkDerivation rec { substituteInPlace ./Makefile --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/" substituteInPlace ./Makefile --replace '/lib/firmware' "$out/lib/firmware" ''; - + preInstall = '' mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/" mkdir -p "$out/lib/firmware/rtlwifi" ''; - + meta = { description = "Realtek SDIO Wi-Fi driver"; homepage = "https://github.com/hadess/rtl8723bs"; diff --git a/pkgs/os-specific/linux/rtl8812au/default.nix b/pkgs/os-specific/linux/rtl8812au/default.nix index bc6a97029c7..75c01cfe1f7 100644 --- a/pkgs/os-specific/linux/rtl8812au/default.nix +++ b/pkgs/os-specific/linux/rtl8812au/default.nix @@ -3,25 +3,27 @@ stdenv.mkDerivation rec { name = "rtl8812au-${kernel.version}-${version}"; version = "4.2.2-1"; - + src = fetchFromGitHub { owner = "csssuf"; repo = "rtl8812au"; rev = "874906aec694c800bfc29b146737b88dae767832"; sha256 = "14ifhplawipfd6971mxw76dv3ygwc0n8sbz2l3f0vvkin6x88bsj"; }; - + + hardeningDisable = [ "pic" ]; + patchPhase = '' substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/" substituteInPlace ./Makefile --replace '$(shell uname -r)' "${kernel.modDirVersion}" substituteInPlace ./Makefile --replace /sbin/depmod # substituteInPlace ./Makefile --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/" ''; - + preInstall = '' mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/" ''; - + meta = { description = "Driver for Realtek 802.11ac, rtl8812au, provides the 8812au mod"; homepage = "https://github.com/csssuf/rtl8812au"; diff --git a/pkgs/os-specific/linux/setools/default.nix b/pkgs/os-specific/linux/setools/default.nix index bb17683800f..5f539b9a97e 100644 --- a/pkgs/os-specific/linux/setools/default.nix +++ b/pkgs/os-specific/linux/setools/default.nix @@ -18,6 +18,8 @@ stdenv.mkDerivation rec { "--with-tcl=${tcl}/lib" ]; + hardeningDisable = [ "format" ]; + NIX_CFLAGS_COMPILE = "-fstack-protector-all"; NIX_LDFLAGS = "-L${libsepol}/lib -L${libselinux}/lib"; diff --git a/pkgs/os-specific/linux/spl/default.nix b/pkgs/os-specific/linux/spl/default.nix index 2db3a397aeb..de497eb4fd1 100644 --- a/pkgs/os-specific/linux/spl/default.nix +++ b/pkgs/os-specific/linux/spl/default.nix @@ -30,6 +30,8 @@ stdenv.mkDerivation rec { buildInputs = [ autoconf automake libtool ]; + hardeningDisable = [ "pic" ]; + preConfigure = '' ./autogen.sh diff --git a/pkgs/os-specific/linux/sysdig/default.nix b/pkgs/os-specific/linux/sysdig/default.nix index 8296ec62c5b..99b869abcb0 100644 --- a/pkgs/os-specific/linux/sysdig/default.nix +++ b/pkgs/os-specific/linux/sysdig/default.nix @@ -1,32 +1,33 @@ {stdenv, fetchurl, cmake, luajit, kernel, zlib, ncurses, perl, jsoncpp, libb64, openssl, curl}: let inherit (stdenv.lib) optional optionalString; - s = rec { - baseName="sysdig"; - version = "0.9.0"; - name="${baseName}-${version}"; - url="https://github.com/draios/sysdig/archive/${version}.tar.gz"; + baseName = "sysdig"; + version = "0.9.0"; +in +stdenv.mkDerivation { + name = "${baseName}-${version}"; + + src = fetchurl { + url = "https://github.com/draios/sysdig/archive/${version}.tar.gz"; sha256 = "198x1zmlydvi4i1sfvs8xjh9z5pb47l6xs4phrnkwwak46rhka3j"; }; + buildInputs = [ cmake zlib luajit ncurses perl jsoncpp libb64 openssl curl ]; -in -stdenv.mkDerivation { - inherit (s) name version; - inherit buildInputs; - src = fetchurl { - inherit (s) url sha256; - }; + + hardeningDisable = [ "pic" ]; cmakeFlags = [ "-DUSE_BUNDLED_DEPS=OFF" ] ++ optional (kernel == null) "-DBUILD_DRIVER=OFF"; + preConfigure = '' export INSTALL_MOD_PATH="$out" '' + optionalString (kernel != null) '' export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" ''; + postInstall = optionalString (kernel != null) '' make install_driver kernel_dev=${kernel.dev} @@ -42,8 +43,7 @@ stdenv.mkDerivation { ''; meta = with stdenv.lib; { - inherit (s) version; - description = ''A tracepoint-based system tracing tool for Linux (with clients for other OSes)''; + description = "A tracepoint-based system tracing tool for Linux (with clients for other OSes)"; license = licenses.gpl2; maintainers = [maintainers.raskin]; platforms = platforms.linux ++ platforms.darwin; diff --git a/pkgs/os-specific/linux/syslinux/default.nix b/pkgs/os-specific/linux/syslinux/default.nix index c051aac4312..f4ad94b5085 100644 --- a/pkgs/os-specific/linux/syslinux/default.nix +++ b/pkgs/os-specific/linux/syslinux/default.nix @@ -16,6 +16,7 @@ stdenv.mkDerivation rec { buildInputs = [ libuuid makeWrapper ]; enableParallelBuilding = false; # Fails very rarely with 'No rule to make target: ...' + hardeningDisable = [ "pic" "stackprotector" "fortify" ]; preBuild = '' substituteInPlace Makefile --replace /bin/pwd $(type -P pwd) diff --git a/pkgs/os-specific/linux/tp_smapi/default.nix b/pkgs/os-specific/linux/tp_smapi/default.nix index 40d9e7c1068..dceb777ad72 100644 --- a/pkgs/os-specific/linux/tp_smapi/default.nix +++ b/pkgs/os-specific/linux/tp_smapi/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation { sha256 = "6aef02b92d10360ac9be0db29ae390636be55017990063a092a285c70b54e666"; }; + hardeningDisable = [ "pic" ]; + makeFlags = [ "KBASE=${kernel.dev}/lib/modules/${kernel.modDirVersion}" "SHELL=/bin/sh" diff --git a/pkgs/os-specific/linux/v4l2loopback/default.nix b/pkgs/os-specific/linux/v4l2loopback/default.nix index 13617360d2d..376a407d993 100644 --- a/pkgs/os-specific/linux/v4l2loopback/default.nix +++ b/pkgs/os-specific/linux/v4l2loopback/default.nix @@ -8,7 +8,9 @@ stdenv.mkDerivation rec { url = "https://github.com/umlaeute/v4l2loopback/archive/v${version}.tar.gz"; sha256 = "1crkhxlnskqrfj3f7jmiiyi5m75zmj7n0s26xz07wcwdzdf2p568"; }; - + + hardeningDisable = [ "format" "pic" ]; + preBuild = '' substituteInPlace Makefile --replace "modules_install" "INSTALL_MOD_PATH=$out modules_install" sed -i '/depmod/d' Makefile @@ -16,7 +18,7 @@ stdenv.mkDerivation rec { ''; buildInputs = [ kmod ]; - + makeFlags = [ "KERNELRELEASE=${kernel.modDirVersion}" "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" diff --git a/pkgs/os-specific/linux/v86d/default.nix b/pkgs/os-specific/linux/v86d/default.nix index 0ef992a4b44..073a6ded998 100644 --- a/pkgs/os-specific/linux/v86d/default.nix +++ b/pkgs/os-specific/linux/v86d/default.nix @@ -17,6 +17,8 @@ stdenv.mkDerivation rec { configureFlags = [ "--with-klibc" "--with-x86emu" ]; + hardeningDisable = [ "stackprotector" ]; + makeFlags = [ "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source" "DESTDIR=$(out)" diff --git a/pkgs/os-specific/linux/xf86-video-nested/default.nix b/pkgs/os-specific/linux/xf86-video-nested/default.nix index 0f9e0591a06..8b712553be9 100644 --- a/pkgs/os-specific/linux/xf86-video-nested/default.nix +++ b/pkgs/os-specific/linux/xf86-video-nested/default.nix @@ -16,10 +16,9 @@ stdenv.mkDerivation { pkgconfig renderproto utilmacros xorgserver ]; + hardeningDisable = [ "fortify" ]; - configurePhase = '' - ./configure --prefix=$out CFLAGS="-I${pixman}/include/pixman-1" - ''; + CFLAGS = "-I${pixman}/include/pixman-1"; meta = { homepage = http://cgit.freedesktop.org/xorg/driver/xf86-video-nested; diff --git a/pkgs/os-specific/linux/zfs/default.nix b/pkgs/os-specific/linux/zfs/default.nix index 9fc28996a83..46d6fa49699 100644 --- a/pkgs/os-specific/linux/zfs/default.nix +++ b/pkgs/os-specific/linux/zfs/default.nix @@ -38,6 +38,8 @@ stdenv.mkDerivation rec { # for zdb to get the rpath to libgcc_s, needed for pthread_cancel to work NIX_CFLAGS_LINK = "-lgcc_s"; + hardeningDisable = [ "pic" ]; + preConfigure = '' substituteInPlace ./module/zfs/zfs_ctldir.c --replace "umount -t zfs" "${utillinux}/bin/umount -t zfs" substituteInPlace ./module/zfs/zfs_ctldir.c --replace "mount -t zfs" "${utillinux}/bin/mount -t zfs" diff --git a/pkgs/servers/beanstalkd/default.nix b/pkgs/servers/beanstalkd/default.nix index cea7ca0b337..ef4621fb9a6 100644 --- a/pkgs/servers/beanstalkd/default.nix +++ b/pkgs/servers/beanstalkd/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "0n9dlmiddcfl7i0f1lwfhqiwyvf26493fxfcmn8jm30nbqciwfwj"; }; + hardeningDisable = [ "fortify" ]; + meta = with stdenv.lib; { homepage = http://kr.github.io/beanstalkd/; description = "A simple, fast work queue"; diff --git a/pkgs/servers/certificate-transparency/default.nix b/pkgs/servers/certificate-transparency/default.nix index 292ca6bc0e3..a7c2be4e286 100644 --- a/pkgs/servers/certificate-transparency/default.nix +++ b/pkgs/servers/certificate-transparency/default.nix @@ -1,4 +1,7 @@ -{ stdenv, pkgs, ...}: +{ stdenv, fetchFromGitHub, autoreconfHook, clang, pkgconfig +, glog, gmock, gtest, google-gflags, gperftools, json_c, leveldb +, libevent, libevhtp, openssl, protobuf, sqlite +}: stdenv.mkDerivation rec { name = "certificate-transparency-${version}"; @@ -6,15 +9,7 @@ stdenv.mkDerivation rec { version = "2016-01-14"; rev = "250672b5aef3666edbdfc9a75b95a09e7a57ed08"; - meta = with stdenv.lib; { - homepage = https://www.certificate-transparency.org/; - description = "Auditing for TLS certificates"; - license = licenses.asl20; - platforms = platforms.unix; - maintainers = with maintainers; [ philandstuff ]; - }; - - src = pkgs.fetchFromGitHub { + src = fetchFromGitHub { owner = "google"; repo = "certificate-transparency"; rev = rev; @@ -22,13 +17,13 @@ stdenv.mkDerivation rec { }; # need to disable regex support in evhtp or building will fail - libevhtp_without_regex = stdenv.lib.overrideDerivation pkgs.libevhtp + libevhtp_without_regex = stdenv.lib.overrideDerivation libevhtp (oldAttrs: { - cmakeFlags="-DEVHTP_DISABLE_REGEX:STRING=ON -DCMAKE_C_FLAGS:STRING=-fPIC"; + cmakeFlags = "-DEVHTP_DISABLE_REGEX:STRING=ON"; }); - buildInputs = with pkgs; [ - autoconf automake clang_34 pkgconfig + buildInputs = [ + autoreconfHook clang pkgconfig glog gmock google-gflags gperftools gtest json_c leveldb libevent libevhtp_without_regex openssl protobuf sqlite ]; @@ -37,21 +32,24 @@ stdenv.mkDerivation rec { ./protobuf-include-from-env.patch ]; - doCheck = false; - - preConfigure = '' - ./autogen.sh - configureFlagsArray=( - CC=clang - CXX=clang++ - GMOCK_DIR=${pkgs.gmock} - GTEST_DIR=${pkgs.gtest} - ) - ''; + configureFlags = [ + "CC=clang" + "CXX=clang++" + "GMOCK_DIR=${gmock}" + "GTEST_DIR=${gtest}" + ]; # the default Makefile constructs BUILD_VERSION from `git describe` # which isn't available in the nix build environment makeFlags = "BUILD_VERSION=${version}-${rev}"; - protocFlags = "-I ${pkgs.protobuf}/include"; + protocFlags = "-I ${protobuf}/include"; + + meta = with stdenv.lib; { + homepage = https://www.certificate-transparency.org/; + description = "Auditing for TLS certificates."; + license = licenses.asl20; + platforms = platforms.unix; + maintainers = with maintainers; [ philandstuff ]; + }; } diff --git a/pkgs/servers/firebird/default.nix b/pkgs/servers/firebird/default.nix index 3e778317169..3e258ee6d3f 100644 --- a/pkgs/servers/firebird/default.nix +++ b/pkgs/servers/firebird/default.nix @@ -11,7 +11,7 @@ # icu version missmatch may cause such error when selecting from a table: # "Collation unicode for character set utf8 is not installed" - # icu 3.0 can still be build easily by nix (by dropping the #elif case and + # icu 3.0 can still be built easily by nix (by dropping the #elif case and # make | make) icu ? null @@ -65,6 +65,8 @@ stdenv.mkDerivation rec { sha256 = "0887a813wffp44hnc2gmwbc4ylpqw3fh3hz3bf6q3648344a9fdv"; }; + hardeningDisable = [ "format" ]; + # configurePhase = '' # sed -i 's@cp /usr/share/automake-.*@@' autogen.sh # sh autogen.sh $configureFlags --prefix=$out diff --git a/pkgs/servers/gpm/default.nix b/pkgs/servers/gpm/default.nix index a9fac485f90..ac5e0b7c1b1 100644 --- a/pkgs/servers/gpm/default.nix +++ b/pkgs/servers/gpm/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ automake autoconf libtool flex bison texinfo ]; buildInputs = [ ncurses ]; + hardeningDisable = [ "format" ]; + preConfigure = '' ./autogen.sh ''; diff --git a/pkgs/servers/http/nginx/default.nix b/pkgs/servers/http/nginx/default.nix index b3bc092dc40..ed13ae0bea7 100644 --- a/pkgs/servers/http/nginx/default.nix +++ b/pkgs/servers/http/nginx/default.nix @@ -54,14 +54,9 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = [ "-I${libxml2.dev}/include/libxml2" ] ++ optional stdenv.isDarwin "-Wno-error=deprecated-declarations -Wno-error=conditional-uninitialized"; - preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules) - + optionalString (hardening && (stdenv.cc.cc.isGNU or false)) '' - configureFlagsArray=( - --with-cc-opt="-fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2" - --with-ld-opt="-pie -Wl,-z,relro,-z,now" - ) - '' - ; + preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules); + + hardeningEnable = [ "pie" ]; meta = { description = "A reverse proxy and lightweight webserver"; diff --git a/pkgs/servers/http/nginx/unstable.nix b/pkgs/servers/http/nginx/unstable.nix index 5af882bac52..05cc58e4148 100644 --- a/pkgs/servers/http/nginx/unstable.nix +++ b/pkgs/servers/http/nginx/unstable.nix @@ -52,14 +52,9 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = [ "-I${libxml2.dev}/include/libxml2" ] ++ optional stdenv.isDarwin "-Wno-error=deprecated-declarations"; - preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules) - + optionalString (hardening && (stdenv.cc.cc.isGNU or false)) '' - configureFlagsArray=( - --with-cc-opt="-fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2" - --with-ld-opt="-pie -Wl,-z,relro,-z,now" - ) - '' - ; + preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules); + + hardeningEnable = [ "pie" ]; postInstall = '' mv $out/sbin $out/bin diff --git a/pkgs/servers/icecast/default.nix b/pkgs/servers/icecast/default.nix index 4a89c5ad83b..dc3fef6125c 100644 --- a/pkgs/servers/icecast/default.nix +++ b/pkgs/servers/icecast/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ libxml2 libxslt curl libvorbis libtheora speex libkate libopus ]; + hardeningEnable = [ "pie" ]; + meta = { description = "Server software for streaming multimedia"; diff --git a/pkgs/servers/irc/charybdis/default.nix b/pkgs/servers/irc/charybdis/default.nix index c8368fa9524..6ecad81973b 100644 --- a/pkgs/servers/irc/charybdis/default.nix +++ b/pkgs/servers/irc/charybdis/default.nix @@ -21,6 +21,8 @@ stdenv.mkDerivation rec { "--with-program-prefix=charybdis-" ]; + hardeningDisable = [ "format" ]; + buildInputs = [ bison flex openssl ]; meta = with stdenv.lib; { diff --git a/pkgs/servers/mail/postfix/default.nix b/pkgs/servers/mail/postfix/default.nix index 52327090e44..a92ffa4402f 100644 --- a/pkgs/servers/mail/postfix/default.nix +++ b/pkgs/servers/mail/postfix/default.nix @@ -9,12 +9,11 @@ let ccargs = lib.concatStringsSep " " ([ "-DUSE_TLS" "-DUSE_SASL_AUTH" "-DUSE_CYRUS_SASL" "-I${cyrus_sasl}/include/sasl" "-DHAS_DB_BYPASS_MAKEDEFS_CHECK" - "-fPIE" "-fstack-protector-all" "--param" "ssp-buffer-size=4" "-O2" "-D_FORTIFY_SOURCE=2" ] ++ lib.optional withPgSQL "-DHAS_PGSQL" ++ lib.optionals withMySQL [ "-DHAS_MYSQL" "-I${libmysql}/include/mysql" ] ++ lib.optional withSQLite "-DHAS_SQLITE"); auxlibs = lib.concatStringsSep " " ([ - "-ldb" "-lnsl" "-lresolv" "-lsasl2" "-lcrypto" "-lssl" "-pie" "-Wl,-z,relro,-z,now" + "-ldb" "-lnsl" "-lresolv" "-lsasl2" "-lcrypto" "-lssl" ] ++ lib.optional withPgSQL "-lpq" ++ lib.optional withMySQL "-lmysqlclient" ++ lib.optional withSQLite "-lsqlite3"); @@ -35,6 +34,9 @@ in stdenv.mkDerivation rec { ++ lib.optional withMySQL libmysql ++ lib.optional withSQLite sqlite; + hardeningDisable = [ "format" ]; + hardeningEnable = [ "pie" ]; + patches = [ ./postfix-script-shell.patch ./postfix-3.0-no-warnings.patch diff --git a/pkgs/servers/memcached/default.nix b/pkgs/servers/memcached/default.nix index 9d110d9c146..5e4edd0b032 100644 --- a/pkgs/servers/memcached/default.nix +++ b/pkgs/servers/memcached/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [cyrus_sasl libevent]; + hardeningEnable = [ "pie" ]; + meta = with stdenv.lib; { description = "A distributed memory object caching system"; repositories.git = https://github.com/memcached/memcached.git; diff --git a/pkgs/servers/nosql/mongodb/default.nix b/pkgs/servers/nosql/mongodb/default.nix index ca7e30e95e3..fd28776909c 100644 --- a/pkgs/servers/nosql/mongodb/default.nix +++ b/pkgs/servers/nosql/mongodb/default.nix @@ -19,6 +19,7 @@ let version = "3.2.1"; #"stemmer" -- not nice to package yet (no versioning, no makefile, no shared libs). "yaml" ] ++ optionals stdenv.isLinux [ "tcmalloc" ]; + buildInputs = [ sasl boost gperftools pcre-cpp snappy zlib libyamlcpp sasl openssl libpcap @@ -92,6 +93,8 @@ in stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningEnable = [ "pie" ]; + meta = { description = "a scalable, high-performance, open source NoSQL database"; homepage = http://www.mongodb.org; diff --git a/pkgs/servers/nosql/riak/2.1.1.nix b/pkgs/servers/nosql/riak/2.1.1.nix index c62cea180be..b66e99f0afb 100644 --- a/pkgs/servers/nosql/riak/2.1.1.nix +++ b/pkgs/servers/nosql/riak/2.1.1.nix @@ -34,6 +34,8 @@ stdenv.mkDerivation rec { src = srcs.riak; + hardeningDisable = [ "format" ]; + postPatch = '' sed -i deps/node_package/priv/base/env.sh \ -e 's@{{platform_data_dir}}@''${RIAK_DATA_DIR:-/var/db/riak}@' \ diff --git a/pkgs/servers/openafs-client/default.nix b/pkgs/servers/openafs-client/default.nix index 40d3edcf21a..52a7941d093 100644 --- a/pkgs/servers/openafs-client/default.nix +++ b/pkgs/servers/openafs-client/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses ]; + hardeningDisable = [ "pic" ]; + preConfigure = '' ln -s "${kernel.dev}/lib/modules/"*/build $TMP/linux diff --git a/pkgs/servers/sip/freeswitch/default.nix b/pkgs/servers/sip/freeswitch/default.nix index efa70875549..1cce4c518ea 100644 --- a/pkgs/servers/sip/freeswitch/default.nix +++ b/pkgs/servers/sip/freeswitch/default.nix @@ -1,18 +1,20 @@ { fetchurl, stdenv, ncurses, curl, pkgconfig, gnutls, readline, openssl, perl, libjpeg -, libzrtpcpp, gcc48 }: +, libzrtpcpp }: stdenv.mkDerivation rec { - name = "freeswitch-1.2.3"; + name = "freeswitch-1.6.6"; src = fetchurl { - url = http://files.freeswitch.org/freeswitch-1.2.3.tar.bz2; + url = "http://files.freeswitch.org/releases/freeswitch/${name}.tar.bz2"; sha256 = "0kfvn5f75c6r6yp18almjz9p6llvpm66gpbxcjswrg3ddgbkzg0k"; }; buildInputs = [ ncurses curl pkgconfig gnutls readline openssl perl libjpeg - libzrtpcpp gcc48 ]; + libzrtpcpp ]; - NIX_CFLAGS_COMPILE = "-Wno-error=cpp"; + NIX_CFLAGS_COMPILE = "-Wno-error"; + + hardeningDisable = [ "format" ]; meta = { description = "Cross-Platform Scalable FREE Multi-Protocol Soft Switch"; diff --git a/pkgs/servers/sql/virtuoso/7.x.nix b/pkgs/servers/sql/virtuoso/7.x.nix index de610f9a729..afb91602d76 100644 --- a/pkgs/servers/sql/virtuoso/7.x.nix +++ b/pkgs/servers/sql/virtuoso/7.x.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { meta = with stdenv.lib; { description = "SQL/RDF database used by, e.g., KDE-nepomuk"; homepage = http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/; - #configure: The current version [...] can only be build on 64bit platforms + #configure: The current version [...] can only be built on 64bit platforms platforms = [ "x86_64-linux" "x86_64-darwin" ]; maintainers = [ maintainers.urkud ]; }; diff --git a/pkgs/servers/x11/xorg/builder.sh b/pkgs/servers/x11/xorg/builder.sh index c9e53f3800d..15da0b51795 100644 --- a/pkgs/servers/x11/xorg/builder.sh +++ b/pkgs/servers/x11/xorg/builder.sh @@ -46,5 +46,7 @@ fi enableParallelBuilding=1 +# breaks module loading +hardeningDisable="bindnow" genericBuild diff --git a/pkgs/servers/x11/xorg/overrides.nix b/pkgs/servers/x11/xorg/overrides.nix index a0405ec077f..2743551474d 100644 --- a/pkgs/servers/x11/xorg/overrides.nix +++ b/pkgs/servers/x11/xorg/overrides.nix @@ -534,4 +534,8 @@ in configureFlags = "--with-cpp=${args.mcpp}/bin/mcpp"; }; + sessreg = attrs: attrs // { + preBuild = "sed -i 's|gcc -E|gcc -E -P|' man/Makefile"; + }; + } diff --git a/pkgs/shells/bash/default.nix b/pkgs/shells/bash/default.nix index 2fa229692eb..815b7bde73a 100644 --- a/pkgs/shells/bash/default.nix +++ b/pkgs/shells/bash/default.nix @@ -21,6 +21,8 @@ stdenv.mkDerivation rec { inherit sha256; }; + hardeningDisable = [ "format" ]; + outputs = if (!interactive) # conditional to avoid mass rebuild ATM then [ "out" "doc" ] else [ "out" "doc" "info" ]; diff --git a/pkgs/shells/dash/default.nix b/pkgs/shells/dash/default.nix index d3104439e57..0d685a3f4d3 100644 --- a/pkgs/shells/dash/default.nix +++ b/pkgs/shells/dash/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "03y6z8akj72swa6f42h2dhq3p09xasbi6xia70h2vc27fwikmny6"; }; + hardeningDisable = [ "format" ]; + meta = { homepage = http://gondor.apana.org.au/~herbert/dash/; description = "A POSIX-compliant implementation of /bin/sh that aims to be as small as possible"; diff --git a/pkgs/shells/mksh/default.nix b/pkgs/shells/mksh/default.nix index 696777c7f1f..3037552dab6 100644 --- a/pkgs/shells/mksh/default.nix +++ b/pkgs/shells/mksh/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { buildInputs = [ groff ]; + hardeningDisable = [ "format" ]; + buildPhase = '' mkdir build-dir/ cp mksh.1 dot.mkshrc build-dir/ diff --git a/pkgs/tools/X11/sct/default.nix b/pkgs/tools/X11/sct/default.nix index 4bf62e53f55..2eed4335af1 100644 --- a/pkgs/tools/X11/sct/default.nix +++ b/pkgs/tools/X11/sct/default.nix @@ -4,7 +4,7 @@ stdenv.mkDerivation rec { buildInputs = [libX11 libXrandr]; src = fetchurl { url = http://www.tedunangst.com/flak/files/sct.c; - sha256 = "1bivy0sl5v1jsq4jbq6p9hplz6cvw4nx9rc96p2kxsg506rqllc5"; + sha256 = "01f3ndx3s6d2qh2xmbpmhd4962dyh8yp95l87xwrs4plqdz6knhd"; }; phases = ["patchPhase" "buildPhase" "installPhase"]; patchPhase = '' diff --git a/pkgs/tools/X11/xbindkeys-config/default.nix b/pkgs/tools/X11/xbindkeys-config/default.nix index 57d8d82759c..cef071bb3b6 100644 --- a/pkgs/tools/X11/xbindkeys-config/default.nix +++ b/pkgs/tools/X11/xbindkeys-config/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "1rs3li2hyig6cdzvgqlbz0vw6x7rmgr59qd6m0cvrai8xhqqykda"; }; + hardeningDisable = [ "format" ]; + meta = { homepage = https://packages.debian.org/source/xbindkeys-config; description = "Graphical interface for configuring xbindkeys"; diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix index 22b8a607fd3..e7164bf07b6 100644 --- a/pkgs/tools/admin/tightvnc/default.nix +++ b/pkgs/tools/admin/tightvnc/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation { inherit xauth fontDirectories perl; gcc = stdenv.cc.cc; + hardeningDisable = [ "format" ]; + buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw libXpm libXp xauth openssh ]; diff --git a/pkgs/tools/archivers/cromfs/default.nix b/pkgs/tools/archivers/cromfs/default.nix index cd151698f25..042880b39c9 100644 --- a/pkgs/tools/archivers/cromfs/default.nix +++ b/pkgs/tools/archivers/cromfs/default.nix @@ -1,18 +1,15 @@ -{ stdenv, fetchurl, pkgconfig, fuse, perl, gcc48 }: +{ stdenv, fetchurl, pkgconfig, fuse, perl }: stdenv.mkDerivation rec { name = "cromfs-1.5.10.2"; - + src = fetchurl { url = "http://bisqwit.iki.fi/src/arch/${name}.tar.bz2"; sha256 = "0xy2x1ws1qqfp7hfj6yzm80zhrxzmhn0w2yns77im1lmd2h18817"; }; - patchPhase = ''sed -i 's@/bin/bash@/bin/sh@g' configure''; + postPatch = "patchShebangs configure"; - # Removing the static linking, as it doesn't compile in x86_64. - makeFlags = "cromfs-driver util/mkcromfs util/unmkcromfs util/cvcromfs"; - installPhase = '' install -d $out/bin install cromfs-driver $out/bin @@ -21,7 +18,7 @@ stdenv.mkDerivation rec { install util/unmkcromfs $out/bin ''; - buildInputs = [ pkgconfig fuse perl gcc48 ]; + buildInputs = [ pkgconfig fuse perl ]; meta = { description = "FUSE Compressed ROM filesystem with lzma"; diff --git a/pkgs/tools/archivers/sharutils/default.nix b/pkgs/tools/archivers/sharutils/default.nix index e806a962eab..41043cda5b6 100644 --- a/pkgs/tools/archivers/sharutils/default.nix +++ b/pkgs/tools/archivers/sharutils/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g"; }; + hardeningDisable = [ "format" ]; + preConfigure = '' # Fix for building on Glibc 2.16. Won't be needed once the # gnulib in sharutils is updated. diff --git a/pkgs/tools/archivers/unzip/default.nix b/pkgs/tools/archivers/unzip/default.nix index b5d03bc18b2..da0983fc097 100644 --- a/pkgs/tools/archivers/unzip/default.nix +++ b/pkgs/tools/archivers/unzip/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation { sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83"; }; + hardeningDisable = [ "format" ]; + patches = [ ./CVE-2014-8139.diff ./CVE-2014-8140.diff diff --git a/pkgs/tools/archivers/xarchive/default.nix b/pkgs/tools/archivers/xarchive/default.nix index ed60e3147a8..115fc8e3aff 100644 --- a/pkgs/tools/archivers/xarchive/default.nix +++ b/pkgs/tools/archivers/xarchive/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [ gtk2 pkgconfig ]; + hardeningDisable = [ "format" ]; + meta = { description = "A GTK+ front-end for command line archiving tools"; maintainers = [ stdenv.lib.maintainers.iElectric ]; diff --git a/pkgs/tools/archivers/zip/default.nix b/pkgs/tools/archivers/zip/default.nix index 431ed354d21..145b81c95bc 100644 --- a/pkgs/tools/archivers/zip/default.nix +++ b/pkgs/tools/archivers/zip/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation { sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h"; }; + hardeningDisable = [ "format" ]; + makefile = "unix/Makefile"; buildFlags = if stdenv.isCygwin then "cygwin" else "generic"; installFlags = "prefix=$(out) INSTALL=cp"; diff --git a/pkgs/tools/bootloaders/refind/default.nix b/pkgs/tools/bootloaders/refind/default.nix index 110e00976e8..f38b24c0fc0 100644 --- a/pkgs/tools/bootloaders/refind/default.nix +++ b/pkgs/tools/bootloaders/refind/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { buildInputs = [ unzip gnu-efi efibootmgr dosfstools imagemagick ]; + hardeningDisable = [ "stackprotector" ]; + HOSTARCH = if stdenv.system == "x86_64-linux" then "x64" else if stdenv.system == "i686-linux" then "ia32" diff --git a/pkgs/tools/cd-dvd/cdrdao/default.nix b/pkgs/tools/cd-dvd/cdrdao/default.nix index 375bbcda7e4..7e7558f69e6 100644 --- a/pkgs/tools/cd-dvd/cdrdao/default.nix +++ b/pkgs/tools/cd-dvd/cdrdao/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation { buildInputs = [ lame libvorbis libmad pkgconfig libao ]; + hardeningDisable = [ "format" ]; + # Adjust some headers to match glibc 2.12 ... patch is a diff between # the cdrdao CVS head and the 1.2.3 release. patches = [ ./adjust-includes-for-glibc-212.patch ]; diff --git a/pkgs/tools/cd-dvd/cdrkit/default.nix b/pkgs/tools/cd-dvd/cdrkit/default.nix index bcf9ec2c0cc..0b10f30497d 100644 --- a/pkgs/tools/cd-dvd/cdrkit/default.nix +++ b/pkgs/tools/cd-dvd/cdrkit/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [cmake libcap zlib bzip2]; + hardeningDisable = [ "format" ]; + # efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244 patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ]; diff --git a/pkgs/tools/cd-dvd/dvdisaster/default.nix b/pkgs/tools/cd-dvd/dvdisaster/default.nix index 08da13b569a..82a57c6684f 100644 --- a/pkgs/tools/cd-dvd/dvdisaster/default.nix +++ b/pkgs/tools/cd-dvd/dvdisaster/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { sha256 = "0f8gjnia2fxcbmhl8b3qkr5b7idl8m855dw7xw2fnmbqwvcm6k4w"; }; + hardeningDisable = [ "fortify" ]; + nativeBuildInputs = [ gettext pkgconfig which ]; buildInputs = [ glib gtk2 ]; diff --git a/pkgs/tools/compression/xz/default.nix b/pkgs/tools/compression/xz/default.nix index 5d6a8634b1b..64571e24d9a 100644 --- a/pkgs/tools/compression/xz/default.nix +++ b/pkgs/tools/compression/xz/default.nix @@ -17,6 +17,9 @@ stdenv.mkDerivation rec { postInstall = "rm -rf $out/share/doc"; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + meta = with stdenv.lib; { homepage = http://tukaani.org/xz/; description = "XZ, general-purpose data compression software, successor of LZMA"; diff --git a/pkgs/tools/filesystems/fusesmb/default.nix b/pkgs/tools/filesystems/fusesmb/default.nix index 4ddab385a42..5a3451810a1 100644 --- a/pkgs/tools/filesystems/fusesmb/default.nix +++ b/pkgs/tools/filesystems/fusesmb/default.nix @@ -16,6 +16,8 @@ stdenv.mkDerivation rec { ln -fs ${samba}/lib/libsmbclient.so $out/lib/libsmbclient.so.0 ''; + hardeningDisable = [ "format" ]; + meta = { description = "Samba mounted via FUSE"; homepage = http://www.ricardis.tudelft.nl/~vincent/fusesmb/; diff --git a/pkgs/tools/filesystems/jfsutils/default.nix b/pkgs/tools/filesystems/jfsutils/default.nix index 46ded088c69..16d95bd1933 100644 --- a/pkgs/tools/filesystems/jfsutils/default.nix +++ b/pkgs/tools/filesystems/jfsutils/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha1 = "291e8bd9d615cf3d27e4000117c81a3602484a50"; }; - patches = [ ./types.patch ]; + patches = [ ./types.patch ./hardening-format.patch ]; buildInputs = [ libuuid ]; diff --git a/pkgs/tools/filesystems/jfsutils/hardening-format.patch b/pkgs/tools/filesystems/jfsutils/hardening-format.patch new file mode 100644 index 00000000000..dd2a93a81ec --- /dev/null +++ b/pkgs/tools/filesystems/jfsutils/hardening-format.patch @@ -0,0 +1,37 @@ +--- a/fscklog/fscklog.c 2016-01-29 04:59:54.102223291 +0000 ++++ b/fscklog/fscklog.c 2016-01-29 05:00:10.707552565 +0000 +@@ -252,8 +252,8 @@ + + sprintf(debug_detail, " [%s:%d]\n", basename(file_name), line_number); + +- printf(msg_string); +- printf(debug_detail); ++ printf("%s", msg_string); ++ printf("%s", debug_detail); + + return 0; + } +--- a/fscklog/display.c 2016-01-29 05:05:42.582133444 +0000 ++++ b/fscklog/display.c 2016-01-29 05:05:47.541231780 +0000 +@@ -182,7 +182,7 @@ + } else { + /* the record looks ok */ + msg_txt = &log_entry[log_entry_pos]; +- printf(msg_txt); ++ printf("%s", msg_txt); + /* + * set up for the next record + */ +--- a/logdump/helpers.c 2016-01-29 05:06:26.081996021 +0000 ++++ b/logdump/helpers.c 2016-01-29 05:06:43.097333425 +0000 +@@ -95,8 +95,8 @@ + + sprintf(debug_detail, " [%s:%d]\n", file_name, line_number); + +- printf(msg_string); +- printf(debug_detail); ++ printf("%s", msg_string); ++ printf("%s", debug_detail); + + return 0; + } diff --git a/pkgs/tools/filesystems/udftools/default.nix b/pkgs/tools/filesystems/udftools/default.nix index 7cb924c6cf1..75e37f77949 100644 --- a/pkgs/tools/filesystems/udftools/default.nix +++ b/pkgs/tools/filesystems/udftools/default.nix @@ -10,6 +10,10 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses readline ]; + patches = [ ./gcc5.patch ]; + + hardeningDisable = [ "fortify" ]; + NIX_CFLAGS_COMPILE = "-std=gnu90"; preConfigure = '' diff --git a/pkgs/tools/filesystems/udftools/gcc5.patch b/pkgs/tools/filesystems/udftools/gcc5.patch new file mode 100644 index 00000000000..2c57ff20e13 --- /dev/null +++ b/pkgs/tools/filesystems/udftools/gcc5.patch @@ -0,0 +1,17 @@ +--- udftools-1.0.0b3/libudffs/desc.c 2016-02-07 23:21:38.595391610 +0000 ++++ udftools-1.0.0b3/libudffs/desc.c 2016-02-07 23:21:57.759756269 +0000 +@@ -34,12 +34,12 @@ + #include "libudffs.h" + #include "config.h" + +-inline struct impUseVolDescImpUse *query_iuvdiu(struct udf_disc *disc) ++extern struct impUseVolDescImpUse *query_iuvdiu(struct udf_disc *disc) + { + return (struct impUseVolDescImpUse *)disc->udf_iuvd[0]->impUse; + } + +-inline struct logicalVolIntegrityDescImpUse *query_lvidiu(struct udf_disc *disc) ++extern struct logicalVolIntegrityDescImpUse *query_lvidiu(struct udf_disc *disc) + { + return (struct logicalVolIntegrityDescImpUse *)&(disc->udf_lvid->impUse[le32_to_cpu(disc->udf_lvd[0]->numPartitionMaps) * 2 * sizeof(uint32_t)]); + } diff --git a/pkgs/tools/graphics/barcode/default.nix b/pkgs/tools/graphics/barcode/default.nix index b35b929da40..d6a31bd5c7f 100644 --- a/pkgs/tools/graphics/barcode/default.nix +++ b/pkgs/tools/graphics/barcode/default.nix @@ -9,13 +9,14 @@ stdenv.mkDerivation rec { sha256 = "1indapql5fjz0bysyc88cmc54y8phqrbi7c76p71fgjp45jcyzp8"; }; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "GNU barcode generator"; maintainers = with maintainers; [ raskin ]; platforms = with platforms; allBut darwin; downloadPage = "http://ftp.gnu.org/gnu/barcode/"; updateWalker = true; - inherit version; homepage = http://ftp.gnu.org/gnu/barcode/; }; } diff --git a/pkgs/tools/graphics/editres/default.nix b/pkgs/tools/graphics/editres/default.nix index 64222185044..cdf38d1218a 100644 --- a/pkgs/tools/graphics/editres/default.nix +++ b/pkgs/tools/graphics/editres/default.nix @@ -10,7 +10,9 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libXt libXaw libXres utilmacros ]; - preConfigure = "configureFlags=--with-appdefaultdir=$out/share/X11/app-defaults/editres"; + configureFlags = "--with-appdefaultdir=$(out)/share/X11/app-defaults/editres"; + + hardeningDisable = [ "format" ]; meta = { homepage = "http://cgit.freedesktop.org/xorg/app/editres/"; diff --git a/pkgs/tools/graphics/ggobi/default.nix b/pkgs/tools/graphics/ggobi/default.nix index cf2c5598d2a..e7fb3e773c1 100644 --- a/pkgs/tools/graphics/ggobi/default.nix +++ b/pkgs/tools/graphics/ggobi/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { configureFlags = "--with-all-plugins"; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "Visualization program for exploring high-dimensional data"; homepage = http://www.ggobi.org/; diff --git a/pkgs/tools/graphics/graphviz/2.0.nix b/pkgs/tools/graphics/graphviz/2.0.nix index 02b700111de..9e0eea516d3 100644 --- a/pkgs/tools/graphics/graphviz/2.0.nix +++ b/pkgs/tools/graphics/graphviz/2.0.nix @@ -13,7 +13,9 @@ stdenv.mkDerivation rec { }; buildInputs = [pkgconfig xlibsWrapper libpng libjpeg expat libXaw yacc libtool fontconfig pango gd]; - + + hardeningDisable = [ "format" "fortify" ]; + configureFlags = [ "--with-pngincludedir=${libpng}/include" "--with-pnglibdir=${libpng.out}/lib" diff --git a/pkgs/tools/graphics/graphviz/2.32.nix b/pkgs/tools/graphics/graphviz/2.32.nix index 8da3ea0a174..b40672754bc 100644 --- a/pkgs/tools/graphics/graphviz/2.32.nix +++ b/pkgs/tools/graphics/graphviz/2.32.nix @@ -31,6 +31,8 @@ stdenv.mkDerivation rec { ] ++ stdenv.lib.optional (xorg == null) "--without-x"; + hardeningDisable = [ "fortify" ]; + preBuild = '' sed -e 's@am__append_5 *=.*@am_append_5 =@' -i lib/gvc/Makefile ''; diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix index ce620cf3017..9b49cca8d7b 100644 --- a/pkgs/tools/graphics/graphviz/default.nix +++ b/pkgs/tools/graphics/graphviz/default.nix @@ -12,9 +12,11 @@ stdenv.mkDerivation rec { sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1"; }; + hardeningDisable = [ "fortify" ]; + patches = [ ./0001-vimdot-lookup-vim-in-PATH.patch - + # NOTE: Once this patch is removed, flex can probably be removed from # buildInputs. ./cve-2014-9157.patch diff --git a/pkgs/tools/graphics/jbig2enc/default.nix b/pkgs/tools/graphics/jbig2enc/default.nix index 8d0b7d2d9f4..0bb0bb00efa 100644 --- a/pkgs/tools/graphics/jbig2enc/default.nix +++ b/pkgs/tools/graphics/jbig2enc/default.nix @@ -1,4 +1,6 @@ -{stdenv, fetchurl, leptonica, zlib, libwebp, giflib, libjpeg, libpng, libtiff }: stdenv.mkDerivation { +{ stdenv, fetchurl, fetchpatch, leptonica, zlib, libwebp, giflib, libjpeg, libpng, libtiff }: + +stdenv.mkDerivation { name = "jbig2enc-0.28"; src = fetchurl { diff --git a/pkgs/tools/graphics/netpbm/default.nix b/pkgs/tools/graphics/netpbm/default.nix index 4a52434d379..a3a5e30d41b 100644 --- a/pkgs/tools/graphics/netpbm/default.nix +++ b/pkgs/tools/graphics/netpbm/default.nix @@ -3,11 +3,11 @@ , enableX11 ? false, libX11 }: stdenv.mkDerivation rec { - name = "netpbm-10.66.00"; + name = "netpbm-10.70.00"; src = fetchurl { url = "mirror://gentoo/distfiles/${name}.tar.xz"; - sha256 = "1z33pxdir92m7jlvp5c2q44gxwj7jyf8skiqkr71kgirw4w4zsbz"; + sha256 = "14vxmzbwsy4rzrqjnzr4cvz1s0amacq69faps3v1j1kr05lcns0j"; }; postPatch = /* CVE-2005-2471, from Arch */ '' @@ -15,8 +15,6 @@ stdenv.mkDerivation rec { --replace '"-DSAFER"' '"-DPARANOIDSAFER"' ''; - NIX_CFLAGS_COMPILE = "-fPIC"; # Gentoo adds this on every platform - buildInputs = [ pkgconfig flex zlib perl libpng libjpeg libxml2 makeWrapper libtiff ] ++ lib.optional enableX11 libX11; diff --git a/pkgs/tools/graphics/nifskope/default.nix b/pkgs/tools/graphics/nifskope/default.nix index 13dc27921a4..392527a2119 100644 --- a/pkgs/tools/graphics/nifskope/default.nix +++ b/pkgs/tools/graphics/nifskope/default.nix @@ -21,6 +21,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "format" ]; + # Inspired by linux-install/nifskope.spec.in. installPhase = '' diff --git a/pkgs/tools/graphics/plotutils/default.nix b/pkgs/tools/graphics/plotutils/default.nix index 6a7a6745c87..abcbabea596 100644 --- a/pkgs/tools/graphics/plotutils/default.nix +++ b/pkgs/tools/graphics/plotutils/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { configureFlags = "--enable-libplotter"; # required for pstoedit + hardeningDisable = [ "format" ]; + doCheck = true; meta = { diff --git a/pkgs/tools/graphics/pngcheck/default.nix b/pkgs/tools/graphics/pngcheck/default.nix index d288e7018e6..b8d020ca434 100644 --- a/pkgs/tools/graphics/pngcheck/default.nix +++ b/pkgs/tools/graphics/pngcheck/default.nix @@ -8,9 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0pzkj1bb4kdybk6vbfq9s0wzdm5szmrgixkas3xmbpv4mhws1w3p"; }; - # configurePhase = '' - # sed -i s,/usr,$out, Makefile - # ''; + hardeningDisable = [ "format" ]; makefile = "Makefile.unx"; makeFlags = "ZPATH=${zlib.out}/lib"; diff --git a/pkgs/tools/graphics/qrcode/default.nix b/pkgs/tools/graphics/qrcode/default.nix index e5bc5517b89..f2a85c73c2a 100644 --- a/pkgs/tools/graphics/qrcode/default.nix +++ b/pkgs/tools/graphics/qrcode/default.nix @@ -1,4 +1,4 @@ -{stdenv, fetchgit}: +{ stdenv, fetchgit }: let s = rec { @@ -16,14 +16,19 @@ in stdenv.mkDerivation { inherit (s) name version; inherit buildInputs; + src = fetchgit { inherit (s) rev url sha256; }; + + hardeningDisable = [ "fortify" ]; + installPhase = '' mkdir -p "$out"/{bin,share/doc/qrcode} cp qrcode "$out/bin" cp DOCUMENTATION LICENCE "$out/share/doc/qrcode" ''; + meta = { inherit (s) version; description = ''A small QR-code tool''; diff --git a/pkgs/tools/graphics/transfig/default.nix b/pkgs/tools/graphics/transfig/default.nix index f540029cbc7..898031cbaf3 100644 --- a/pkgs/tools/graphics/transfig/default.nix +++ b/pkgs/tools/graphics/transfig/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { buildInputs = [zlib libjpeg libpng imake]; inherit libpng; + hardeningDisable = [ "format" ]; + patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch]; prefixPatch1 = diff --git a/pkgs/tools/graphics/zbar/default.nix b/pkgs/tools/graphics/zbar/default.nix index 48e3316a4a2..b96c469e346 100644 --- a/pkgs/tools/graphics/zbar/default.nix +++ b/pkgs/tools/graphics/zbar/default.nix @@ -15,7 +15,9 @@ stdenv.mkDerivation rec { [ imagemagickBig pkgconfig python pygtk perl libX11 libv4l qt4 lzma gtk2 ]; - configureFlags = ["--disable-video"]; + configureFlags = [ "--disable-video" ]; + + hardeningDisable = [ "fortify" ]; meta = with stdenv.lib; { description = "Bar code reader"; diff --git a/pkgs/tools/misc/calamares/default.nix b/pkgs/tools/misc/calamares/default.nix index f9f9f06eb51..9346ce48127 100644 --- a/pkgs/tools/misc/calamares/default.nix +++ b/pkgs/tools/misc/calamares/default.nix @@ -1,15 +1,16 @@ -{ stdenv, fetchgit, cmake, polkit-qt, libyamlcpp, python, boost, parted +{ stdenv, fetchurl, cmake, polkit-qt, libyamlcpp, python, boost, parted , extra-cmake-modules, kconfig, ki18n, kcoreaddons, solid, utillinux, libatasmart , ckbcomp, glibc, tzdata, xkeyboard_config, qtbase, qtquick1, qtsvg, qttools }: stdenv.mkDerivation rec { - name = "calamares-${version}"; - version = "1.0"; - - src = fetchgit { - url = "https://github.com/calamares/calamares.git"; - rev = "dabfb68a68cb012a90cd7b94a22e1ea08f7dd8ad"; - sha256 = "2851ce487aaac61d2df342a47f91ec87fe52ff036227ef697caa7056fe5f188c"; + name = "${pname}-${version}"; + pname = "calamares"; + version = "1.1.4.2"; + + # release including submodule + src = fetchurl { + url = "https://github.com/${pname}/${pname}/releases/download/v${version}/${name}.tar.gz"; + sha256 = "1mh0nmzc3i1aqcj79q2s3vpccn0mirlfbj26sfyb0v6gcrvf707d"; }; buildInputs = [ diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix index 377e2d62eef..6836ee46ba1 100644 --- a/pkgs/tools/misc/coreutils/default.nix +++ b/pkgs/tools/misc/coreutils/default.nix @@ -19,12 +19,17 @@ let sha256 = "11yfrnb94xzmvi4lhclkcmkqsbhww64wf234ya1aacjvg82prrii"; }; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + patches = optional stdenv.isCygwin ./coreutils-8.23-4.cygwin.patch; # The test tends to fail on btrfs and maybe other unusual filesystems. postPatch = optionalString (!stdenv.isDarwin) '' sed '2i echo Skipping dd sparse test && exit 0' -i ./tests/dd/sparse.sh sed '2i echo Skipping cp sparse test && exit 0' -i ./tests/cp/sparse.sh + sed '2i echo Skipping rm deep-2 test && exit 0' -i ./tests/rm/deep-2.sh + sed '2i echo Skipping du long-from-unreadable test && exit 0' -i ./tests/du/long-from-unreadable.sh ''; outputs = [ "out" "info" ]; diff --git a/pkgs/tools/misc/ddccontrol/default.nix b/pkgs/tools/misc/ddccontrol/default.nix index 2d5d10054b5..132707106af 100644 --- a/pkgs/tools/misc/ddccontrol/default.nix +++ b/pkgs/tools/misc/ddccontrol/default.nix @@ -16,10 +16,12 @@ let version = "0.4.2"; in stdenv.mkDerivation { name = "ddccontrol-${version}"; + src = fetchurl { url = "mirror://sourceforge/ddccontrol/ddccontrol-${version}.tar.bz2"; sha1 = "fd5c53286315a61a18697a950e63ed0c8d5acff1"; }; + buildInputs = [ intltool @@ -35,6 +37,8 @@ stdenv.mkDerivation { ddccontrol-db ]; + hardeningDisable = [ "format" ]; + prePatch = '' newPath=$(echo "${ddccontrol-db}/share/ddccontrol-db" | sed "s/\\//\\\\\\//g") mv configure.ac configure.ac.old diff --git a/pkgs/tools/misc/detox/default.nix b/pkgs/tools/misc/detox/default.nix index bdc018aec34..7d17dee8b53 100644 --- a/pkgs/tools/misc/detox/default.nix +++ b/pkgs/tools/misc/detox/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { buildInputs = [flex]; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { homepage = http://detox.sourceforge.net/; description = "Utility designed to clean up filenames"; diff --git a/pkgs/tools/misc/expect/default.nix b/pkgs/tools/misc/expect/default.nix index a50717d5399..80fb3c6a694 100644 --- a/pkgs/tools/misc/expect/default.nix +++ b/pkgs/tools/misc/expect/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ tcl ]; nativeBuildInputs = [ makeWrapper ]; + hardeningDisable = [ "format" ]; + patchPhase = '' sed -i "s,/bin/stty,$(type -p stty),g" configure ''; diff --git a/pkgs/tools/misc/gbdfed/default.nix b/pkgs/tools/misc/gbdfed/default.nix index 104d3fad8d0..1ba4bceb787 100644 --- a/pkgs/tools/misc/gbdfed/default.nix +++ b/pkgs/tools/misc/gbdfed/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { patches = [ ./Makefile.patch ]; + hardeningDisable = [ "format" ]; + meta = { description = "Bitmap Font Editor"; longDescription = '' diff --git a/pkgs/tools/misc/grub/2.0x.nix b/pkgs/tools/misc/grub/2.0x.nix index ae1df626fe5..15b1740638e 100644 --- a/pkgs/tools/misc/grub/2.0x.nix +++ b/pkgs/tools/misc/grub/2.0x.nix @@ -52,6 +52,8 @@ stdenv.mkDerivation rec { ++ optional doCheck qemu ++ optional zfsSupport zfs; + hardeningDisable = [ "all" ]; + preConfigure = '' for i in "tests/util/"*.in do diff --git a/pkgs/tools/misc/grub/default.nix b/pkgs/tools/misc/grub/default.nix index d6534fc5ee6..a690ef2084b 100644 --- a/pkgs/tools/misc/grub/default.nix +++ b/pkgs/tools/misc/grub/default.nix @@ -36,6 +36,8 @@ stdenv.mkDerivation { # autoreconfHook required for the splashimage patch. buildInputs = [ autoreconfHook texinfo ]; + hardeningDisable = [ "stackprotector" ]; + prePatch = '' unpackFile $gentooPatches rm patch/400_all_grub-0.97-reiser4-20050808-gentoo.patch diff --git a/pkgs/tools/misc/grub/trusted.nix b/pkgs/tools/misc/grub/trusted.nix index 694f45599f3..fc8784decc5 100644 --- a/pkgs/tools/misc/grub/trusted.nix +++ b/pkgs/tools/misc/grub/trusted.nix @@ -47,6 +47,8 @@ stdenv.mkDerivation rec { buildInputs = [ ncurses libusb freetype gettext devicemapper ] ++ optional doCheck qemu; + hardeningDisable = [ "stackprotector" "pic" ]; + preConfigure = '' for i in "tests/util/"*.in do diff --git a/pkgs/tools/misc/grub4dos/default.nix b/pkgs/tools/misc/grub4dos/default.nix index c59869c0dc7..f0ac6b5f7c9 100644 --- a/pkgs/tools/misc/grub4dos/default.nix +++ b/pkgs/tools/misc/grub4dos/default.nix @@ -14,6 +14,8 @@ in stdenv.mkDerivation { nativeBuildInputs = [ unzip nasm ]; + hardeningDisable = [ "stackprotector" ]; + configureFlags = [ "--host=${arch}-pc-linux-gnu" ]; postInstall = '' diff --git a/pkgs/tools/misc/gummiboot/default.nix b/pkgs/tools/misc/gummiboot/default.nix index 9d9b7700c90..7946a3b062f 100644 --- a/pkgs/tools/misc/gummiboot/default.nix +++ b/pkgs/tools/misc/gummiboot/default.nix @@ -5,6 +5,8 @@ stdenv.mkDerivation rec { buildInputs = [ gnu-efi pkgconfig libxslt utillinux ]; + hardeningDisable = [ "stackprotector" ]; + # Sigh, gummiboot should be able to find this in buildInputs configureFlags = [ "--with-efi-includedir=${gnu-efi}/include" diff --git a/pkgs/tools/misc/ipxe/default.nix b/pkgs/tools/misc/ipxe/default.nix index 4346d25ca07..e96d38d8dfe 100644 --- a/pkgs/tools/misc/ipxe/default.nix +++ b/pkgs/tools/misc/ipxe/default.nix @@ -18,6 +18,9 @@ stdenv.mkDerivation { preConfigure = "cd src"; + # not possible due to assembler code + hardeningDisable = [ "pic" "stackprotector" ]; + NIX_CFLAGS_COMPILE = "-Wno-error"; makeFlags = diff --git a/pkgs/tools/misc/lrzsz/default.nix b/pkgs/tools/misc/lrzsz/default.nix index 729faa7a95d..11351790bec 100644 --- a/pkgs/tools/misc/lrzsz/default.nix +++ b/pkgs/tools/misc/lrzsz/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "1wcgfa9fsigf1gri74gq0pa7pyajk12m4z69x7ci9c6x9fqkd2y2"; }; + hardeningDisable = [ "format" ]; + configureFlags = [ "--program-transform-name=s/^l//" ]; meta = with stdenv.lib; { diff --git a/pkgs/tools/misc/memtest86+/default.nix b/pkgs/tools/misc/memtest86+/default.nix index 7e382426336..62d490ea4f9 100644 --- a/pkgs/tools/misc/memtest86+/default.nix +++ b/pkgs/tools/misc/memtest86+/default.nix @@ -22,6 +22,8 @@ stdenv.mkDerivation rec { NIX_CFLAGS_COMPILE = "-I. -std=gnu90"; + hardeningDisable = [ "stackprotector" "pic" ]; + buildFlags = "memtest.bin"; installPhase = '' diff --git a/pkgs/tools/misc/pal/default.nix b/pkgs/tools/misc/pal/default.nix index ff7279d0d57..f92069e7b9f 100644 --- a/pkgs/tools/misc/pal/default.nix +++ b/pkgs/tools/misc/pal/default.nix @@ -12,12 +12,12 @@ stdenv.mkDerivation rec { sed -i -e 's,/etc/pal\.conf,'$out/etc/pal.conf, src/input.c ''; - preBuild = '' - export makeFlags="prefix=$out" - ''; + makeFlags = "prefix=$(out)"; buildInputs = [ glib gettext readline pkgconfig ]; + hardeningDisable = [ "format" ]; + meta = { homepage = http://palcal.sourceforge.net/; description = "Command-line calendar program that can keep track of events"; diff --git a/pkgs/tools/misc/recutils/default.nix b/pkgs/tools/misc/recutils/default.nix index 4d6829e99a4..6dd40e8476f 100644 --- a/pkgs/tools/misc/recutils/default.nix +++ b/pkgs/tools/misc/recutils/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { doCheck = true; + hardeningDisable = [ "format" ]; + buildInputs = [ curl emacs ] ++ (stdenv.lib.optionals doCheck [ check bc ]); meta = { diff --git a/pkgs/tools/misc/sutils/default.nix b/pkgs/tools/misc/sutils/default.nix index d0576cc069a..8d4f00ee847 100644 --- a/pkgs/tools/misc/sutils/default.nix +++ b/pkgs/tools/misc/sutils/default.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0xqk42vl82chy458d64fj68a4md4bxaip8n3xw9skxz0a1sgvks8"; }; + hardeningDisable = [ "format" ]; + prePatch = ''sed -i "s@/usr/local@$out@" Makefile''; meta = { diff --git a/pkgs/tools/misc/uucp/default.nix b/pkgs/tools/misc/uucp/default.nix index bf73dbcbf2f..4ef050b409e 100644 --- a/pkgs/tools/misc/uucp/default.nix +++ b/pkgs/tools/misc/uucp/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0b5nhl9vvif1w3wdipjsk8ckw49jj1w85xw1mmqi3zbcpazia306"; }; - doCheck = true; + hardeningDisable = [ "format" ]; meta = { description = "Unix-unix cp over serial line, also includes cu program"; diff --git a/pkgs/tools/misc/vorbisgain/default.nix b/pkgs/tools/misc/vorbisgain/default.nix index ea61e063328..567783f6313 100644 --- a/pkgs/tools/misc/vorbisgain/default.nix +++ b/pkgs/tools/misc/vorbisgain/default.nix @@ -8,11 +8,14 @@ stdenv.mkDerivation rec { sha256 = "1v1h6mhnckmvvn7345hzi9abn5z282g4lyyl4nnbqwnrr98v0vfx"; }; + hardeningDisable = [ "format" ]; + buildInputs = [ unzip libogg libvorbis ]; + patchPhase = '' chmod -v +x configure configureFlags="--mandir=$out/share/man" - ''; + ''; meta = with stdenv.lib; { homepage = http://sjeng.org/vorbisgain.html; diff --git a/pkgs/tools/misc/wv/default.nix b/pkgs/tools/misc/wv/default.nix index b0943f469b3..ce5a00708f9 100644 --- a/pkgs/tools/misc/wv/default.nix +++ b/pkgs/tools/misc/wv/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { buildInputs = [ zlib imagemagick libpng glib pkgconfig libgsf libxml2 bzip2 ]; + hardeningDisable = [ "format" ]; + meta = { description = "Converter from Microsoft Word formats to human-editable ones"; }; diff --git a/pkgs/tools/misc/xfstests/default.nix b/pkgs/tools/misc/xfstests/default.nix index 957582a3687..abca512b1d0 100644 --- a/pkgs/tools/misc/xfstests/default.nix +++ b/pkgs/tools/misc/xfstests/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation { buildInputs = [ acl autoreconfHook attr gawk libaio libuuid libxfs openssl perl ]; + hardeningDisable = [ "format" ]; + patchPhase = '' # Patch the destination directory sed -i include/builddefs.in -e "s|^PKG_LIB_DIR\s*=.*|PKG_LIB_DIR=$out/lib/xfstests|" diff --git a/pkgs/tools/networking/chrony/default.nix b/pkgs/tools/networking/chrony/default.nix index 38839c4b6ac..d262f7fc9e0 100644 --- a/pkgs/tools/networking/chrony/default.nix +++ b/pkgs/tools/networking/chrony/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { buildInputs = [ readline texinfo nss nspr ] ++ stdenv.lib.optional stdenv.isLinux libcap; nativeBuildInputs = [ pkgconfig ]; + hardeningEnable = [ "pie" ]; + configureFlags = [ "--chronyvardir=$(out)/var/lib/chrony" ]; diff --git a/pkgs/tools/networking/dhcpdump/default.nix b/pkgs/tools/networking/dhcpdump/default.nix index 778cfc3b5ed..91232b4ffa7 100644 --- a/pkgs/tools/networking/dhcpdump/default.nix +++ b/pkgs/tools/networking/dhcpdump/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [libpcap perl]; + hardeningDisable = [ "fortify" ]; + installPhase = '' mkdir -pv $out/bin cp dhcpdump $out/bin diff --git a/pkgs/tools/networking/dnsmasq/default.nix b/pkgs/tools/networking/dnsmasq/default.nix index 63720faf707..b05f4e8e80e 100644 --- a/pkgs/tools/networking/dnsmasq/default.nix +++ b/pkgs/tools/networking/dnsmasq/default.nix @@ -29,6 +29,8 @@ stdenv.mkDerivation rec { "LOCALEDIR=$(out)/share/locale" ]; + hardeningEnable = [ "pie" ]; + postBuild = optionalString stdenv.isLinux '' make -C contrib/wrt ''; diff --git a/pkgs/tools/networking/eggdrop/default.nix b/pkgs/tools/networking/eggdrop/default.nix index 623b42d6fc1..a9f2419b136 100644 --- a/pkgs/tools/networking/eggdrop/default.nix +++ b/pkgs/tools/networking/eggdrop/default.nix @@ -1,20 +1,19 @@ -{ stdenv, fetchurl, tcl }: +{ stdenv, fetchFromGitHub, tcl }: stdenv.mkDerivation rec { name = "eggdrop-${version}"; - version = "1.6.21"; + version = "1.6.21-nix1"; - src = fetchurl { - url = "ftp://ftp.eggheads.org/pub/eggdrop/GNU/1.6/eggdrop${version}.tar.gz"; - sha256 = "1galvbh9y4c3msrg1s9na0asm077mh1g2i2vsv1vczmfrbgq92vs"; + src = fetchFromGitHub { + owner = "eggheads"; + repo = "eggdrop"; + rev = "9ec109a13c016c4cdc7d52b7e16e4b9b6fbb9331"; + sha256 = "0mf1vcbmpnvmf5mxk7gi3z32fxpcbynsh9jni8z8frrscrdf5lp5"; }; buildInputs = [ tcl ]; - patches = [ - # https://github.com/eggheads/eggdrop/issues/123 - ./b34a33255f56bbd2317c26da12d702796d67ed50.patch - ]; + hardeningDisable = [ "format" ]; preConfigure = '' prefix=$out/eggdrop diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix index 33d8ee2fd63..13f8cedc673 100644 --- a/pkgs/tools/networking/iperf/2.nix +++ b/pkgs/tools/networking/iperf/2.nix @@ -8,6 +8,8 @@ stdenv.mkDerivation rec { sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3"; }; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { homepage = "http://sourceforge.net/projects/iperf/"; description = "Tool to measure IP bandwidth using UDP or TCP"; diff --git a/pkgs/tools/networking/lsh/default.nix b/pkgs/tools/networking/lsh/default.nix deleted file mode 100644 index 5d788af1682..00000000000 --- a/pkgs/tools/networking/lsh/default.nix +++ /dev/null @@ -1,51 +0,0 @@ -{ stdenv, fetchurl, gperf, guile, gmp, zlib, liboop, readline, gnum4, pam -, nettools, lsof, procps }: - -stdenv.mkDerivation rec { - name = "lsh-2.0.4"; - src = fetchurl { - url = "mirror://gnu/lsh/${name}.tar.gz"; - sha256 = "614b9d63e13ad3e162c82b6405d1f67713fc622a8bc11337e72949d613713091"; - }; - - patches = [ ./pam-service-name.patch ./lshd-no-root-login.patch ]; - - preConfigure = '' - # Patch `lsh-make-seed' so that it can gather enough entropy. - sed -i "src/lsh-make-seed.c" \ - -e "s|/usr/sbin/arp|${nettools}/sbin/arp|g ; - s|/usr/bin/netstat|${nettools}/bin/netstat|g ; - s|/usr/local/bin/lsof|${lsof}/bin/lsof|g ; - s|/bin/vmstat|${procps}/bin/vmstat|g ; - s|/bin/ps|${procps}/bin/sp|g ; - s|/usr/bin/w|${procps}/bin/w|g ; - s|/usr/bin/df|$(type -P df)|g ; - s|/usr/bin/ipcs|$(type -P ipcs)|g ; - s|/usr/bin/uptime|$(type -P uptime)|g" - - # Skip the `configure' script that checks whether /dev/ptmx & co. work as - # expected, because it relies on impurities (for instance, /dev/pts may - # be unavailable in chroots.) - export lsh_cv_sys_unix98_ptys=yes - ''; - - NIX_CFLAGS_COMPILE = "-std=gnu90"; - - buildInputs = [ gperf guile gmp zlib liboop readline gnum4 pam ]; - - meta = { - description = "GPL'd implementation of the SSH protocol"; - - longDescription = '' - lsh is a free implementation (in the GNU sense) of the ssh - version 2 protocol, currently being standardised by the IETF - SECSH working group. - ''; - - homepage = http://www.lysator.liu.se/~nisse/lsh/; - license = stdenv.lib.licenses.gpl2Plus; - - maintainers = [ ]; - platforms = [ "x86_64-linux" ]; - }; -} diff --git a/pkgs/tools/networking/lsh/lshd-no-root-login.patch b/pkgs/tools/networking/lsh/lshd-no-root-login.patch deleted file mode 100644 index 9dd81de3fbc..00000000000 --- a/pkgs/tools/networking/lsh/lshd-no-root-login.patch +++ /dev/null @@ -1,16 +0,0 @@ -Correctly handle the `--no-root-login' option. - ---- lsh-2.0.4/src/lshd.c 2006-05-01 13:47:44.000000000 +0200 -+++ lsh-2.0.4/src/lshd.c 2009-09-08 12:20:36.000000000 +0200 -@@ -758,6 +758,10 @@ main_argp_parser(int key, char *arg, str - self->allow_root = 1; - break; - -+ case OPT_NO_ROOT_LOGIN: -+ self->allow_root = 0; -+ break; -+ - case OPT_KERBEROS_PASSWD: - self->pw_helper = PATH_KERBEROS_HELPER; - break; - diff --git a/pkgs/tools/networking/lsh/pam-service-name.patch b/pkgs/tools/networking/lsh/pam-service-name.patch deleted file mode 100644 index 6a6156855c5..00000000000 --- a/pkgs/tools/networking/lsh/pam-service-name.patch +++ /dev/null @@ -1,14 +0,0 @@ -Tell `lsh-pam-checkpw', the PAM password helper program, to use a more -descriptive service name. - ---- lsh-2.0.4/src/lsh-pam-checkpw.c 2003-02-16 22:30:10.000000000 +0100 -+++ lsh-2.0.4/src/lsh-pam-checkpw.c 2008-11-28 16:16:58.000000000 +0100 -@@ -38,7 +38,7 @@ - #include <security/pam_appl.h> - - #define PWD_MAXLEN 1024 --#define SERVICE_NAME "other" -+#define SERVICE_NAME "lshd" - #define TIMEOUT 600 - - static int diff --git a/pkgs/tools/networking/mailutils/default.nix b/pkgs/tools/networking/mailutils/default.nix index cbca408f084..140d58e3163 100644 --- a/pkgs/tools/networking/mailutils/default.nix +++ b/pkgs/tools/networking/mailutils/default.nix @@ -11,6 +11,8 @@ stdenv.mkDerivation rec { sha256 = "0szbqa12zqzldqyw97lxqax3ja2adis83i7brdfsxmrfw68iaf65"; }; + hardeningDisable = [ "format" ]; + patches = [ ./path-to-cat.patch ./no-gets.patch ]; configureFlags = "--with-path-sendmail=${sendmailPath}"; diff --git a/pkgs/tools/networking/netboot/default.nix b/pkgs/tools/networking/netboot/default.nix index 0f75bd44d69..7a1eac59eea 100644 --- a/pkgs/tools/networking/netboot/default.nix +++ b/pkgs/tools/networking/netboot/default.nix @@ -9,10 +9,12 @@ stdenv.mkDerivation rec { buildInputs = [ yacc lzo db4 ]; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "Mini PXE server"; maintainers = [ maintainers.raskin ]; platforms = ["x86_64-linux"]; license = stdenv.lib.licenses.free; }; -} \ No newline at end of file +} diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix index 0e7c23fd3a6..b2242fe5454 100644 --- a/pkgs/tools/networking/ntp/default.nix +++ b/pkgs/tools/networking/ntp/default.nix @@ -19,6 +19,8 @@ stdenv.mkDerivation rec { nativeBuildInputs = [ autoreconfHook ]; buildInputs = [ libcap openssl ]; + hardeningEnable = [ "pie" ]; + postInstall = '' rm -rf $out/share/doc ''; diff --git a/pkgs/tools/networking/openfortivpn/default.nix b/pkgs/tools/networking/openfortivpn/default.nix index 50fde6a7794..c1f78c911a1 100644 --- a/pkgs/tools/networking/openfortivpn/default.nix +++ b/pkgs/tools/networking/openfortivpn/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchFromGitHub, automake, autoconf, openssl, ppp }: +{ stdenv, fetchFromGitHub, autoreconfHook, openssl, ppp }: with stdenv.lib; @@ -15,13 +15,11 @@ in stdenv.mkDerivation { sha256 = "0kwl8hv3nydd34xp1489jpjdj4bmknfl9xrgynij0vf5qx29xv7m"; }; - buildInputs = [ openssl automake autoconf ppp ]; + buildInputs = [ openssl ppp autoreconfHook ]; - preConfigure = '' - aclocal - autoconf - automake --add-missing + hardeningDisable = [ "format" ]; + preConfigure = '' substituteInPlace src/tunnel.c --replace "/usr/sbin/pppd" "${ppp}/bin/pppd" ''; diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 64b9fe98278..064745f8855 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -73,6 +73,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningEnable = [ "pie" ]; + postInstall = '' # Install ssh-copy-id, it's very useful. cp contrib/ssh-copy-id $out/bin/ diff --git a/pkgs/tools/networking/quicktun/default.nix b/pkgs/tools/networking/quicktun/default.nix index f07cfe4d072..ed559f5d5c9 100644 --- a/pkgs/tools/networking/quicktun/default.nix +++ b/pkgs/tools/networking/quicktun/default.nix @@ -11,8 +11,6 @@ stdenv.mkDerivation rec { sha256 = "0m7gvlgs1mhyw3c8s2dg05j7r7hz8kjpb0sk245m61ir9dmwlf8i"; }; - CFLAGS = "-fPIE -fPIC -pie -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro,-z,now"; - buildInputs = [ libsodium ]; phases = [ "unpackPhase" "buildPhase" "installPhase" ]; diff --git a/pkgs/tools/networking/radvd/default.nix b/pkgs/tools/networking/radvd/default.nix index 84db01dc4ba..fc4ca793199 100644 --- a/pkgs/tools/networking/radvd/default.nix +++ b/pkgs/tools/networking/radvd/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ pkgconfig libdaemon bison flex check ]; + hardeningEnable = [ "pie" ]; + meta = with stdenv.lib; { homepage = http://www.litech.org/radvd/; description = "IPv6 Router Advertisement Daemon"; diff --git a/pkgs/tools/networking/socat/default.nix b/pkgs/tools/networking/socat/default.nix index f57af20739d..36c6a2deead 100644 --- a/pkgs/tools/networking/socat/default.nix +++ b/pkgs/tools/networking/socat/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { patches = [ ./enable-ecdhe.patch ./libressl-fixes.patch ]; + hardeningEnable = [ "pie" ]; + meta = { description = "A utility for bidirectional data transfer between two independent data channels"; homepage = http://www.dest-unreach.org/socat/; diff --git a/pkgs/tools/networking/stunnel/default.nix b/pkgs/tools/networking/stunnel/default.nix index e8b56ed7d96..48e3c562583 100644 --- a/pkgs/tools/networking/stunnel/default.nix +++ b/pkgs/tools/networking/stunnel/default.nix @@ -2,11 +2,11 @@ stdenv.mkDerivation rec { name = "stunnel-${version}"; - version = "5.29"; + version = "5.31"; src = fetchurl { url = "http://www.stunnel.org/downloads/${name}.tar.gz"; - sha256 = "0lgmdpsm36a6j5s0jabv3cfg3rzqz9c9sfdqgkx399iy80jrd423"; + sha256 = "1dz0p85ha78vxc2hjhrkr4xf8w3q8r177bqdrgm26v6wncdbfim7"; }; buildInputs = [ openssl ]; diff --git a/pkgs/tools/networking/telnet/default.nix b/pkgs/tools/networking/telnet/default.nix index 9827b62c6c4..3a5117653c8 100644 --- a/pkgs/tools/networking/telnet/default.nix +++ b/pkgs/tools/networking/telnet/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation { sha256 = "0cs7ks22dhcn5qfjv2vl6ikhw93x68gg33zdn5f5cxgg81kx5afn"; }; + hardeningDisable = [ "format" ]; + buildInputs = [ncurses]; meta = { diff --git a/pkgs/tools/networking/trickle/default.nix b/pkgs/tools/networking/trickle/default.nix index d10e645dc87..1c8829a07b2 100644 --- a/pkgs/tools/networking/trickle/default.nix +++ b/pkgs/tools/networking/trickle/default.nix @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0s1qq3k5mpcs9i7ng0l9fvr1f75abpbzfi1jaf3zpzbs1dz50dlx"; }; - buildInputs = [libevent]; + buildInputs = [ libevent ]; preConfigure = '' sed -i 's|libevent.a|libevent.so|' configure @@ -22,6 +22,8 @@ stdenv.mkDerivation rec { configureFlags = "--with-libevent"; + hardeningDisable = [ "format" ]; + meta = { description = "Lightweight userspace bandwidth shaper"; license = stdenv.lib.licenses.bsd3; diff --git a/pkgs/tools/networking/uwimap/default.nix b/pkgs/tools/networking/uwimap/default.nix index e2c83bcb975..69b3e633f37 100644 --- a/pkgs/tools/networking/uwimap/default.nix +++ b/pkgs/tools/networking/uwimap/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation { # -fPIC is required to compile php with imap on x86_64 systems + stdenv.lib.optionalString stdenv.isx86_64 " EXTRACFLAGS=-fPIC"; + hardeningDisable = [ "format" ]; + buildInputs = [ openssl ] ++ stdenv.lib.optional (!stdenv.isDarwin) pam; diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix index 72a31262e26..81d43fa501c 100644 --- a/pkgs/tools/networking/vde2/default.nix +++ b/pkgs/tools/networking/vde2/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { buildInputs = [ openssl libpcap python ]; + hardeningDisable = [ "format" ]; + meta = { homepage = http://vde.sourceforge.net/; description = "Virtual Distributed Ethernet, an Ethernet compliant virtual network"; diff --git a/pkgs/tools/package-management/checkinstall/default.nix b/pkgs/tools/package-management/checkinstall/default.nix index 8ab9001573a..fea6ccedd34 100644 --- a/pkgs/tools/package-management/checkinstall/default.nix +++ b/pkgs/tools/package-management/checkinstall/default.nix @@ -44,6 +44,8 @@ stdenv.mkDerivation { buildInputs = [gettext]; + hardeningDisable = [ "fortify" ]; + preBuild = '' makeFlagsArray=(PREFIX=$out) diff --git a/pkgs/tools/package-management/clib/default.nix b/pkgs/tools/package-management/clib/default.nix index ae1213aee7c..cb365b9b4f7 100644 --- a/pkgs/tools/package-management/clib/default.nix +++ b/pkgs/tools/package-management/clib/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "0hbi5hf4w0iim96h89j7krxv61x92ffxjbldxp3zk92m5sgpldnm"; }; + hardeningDisable = [ "fortify" ]; + makeFlags = "PREFIX=$(out)"; buildInputs = [ curl ]; diff --git a/pkgs/tools/security/ccrypt/default.nix b/pkgs/tools/security/ccrypt/default.nix index e6a63a2f288..0afa9108689 100644 --- a/pkgs/tools/security/ccrypt/default.nix +++ b/pkgs/tools/security/ccrypt/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation { nativeBuildInputs = [ perl ]; + hardeningDisable = [ "format" ]; + meta = { homepage = http://ccrypt.sourceforge.net/; description = "Utility for encrypting and decrypting files and streams with AES-256"; diff --git a/pkgs/tools/security/fprint_demo/default.nix b/pkgs/tools/security/fprint_demo/default.nix index 282c3541dde..8efd04690db 100644 --- a/pkgs/tools/security/fprint_demo/default.nix +++ b/pkgs/tools/security/fprint_demo/default.nix @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { buildInputs = [ libfprint gtk2 ]; nativeBuildInputs = [ pkgconfig autoreconfHook ]; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { homepage = "http://www.freedesktop.org/wiki/Software/fprint/fprint_demo/"; description = "A simple GTK+ application to demonstrate and test libfprint's capabilities"; diff --git a/pkgs/tools/security/john/default.nix b/pkgs/tools/security/john/default.nix index 2e99208fe11..dfaa56f0c77 100644 --- a/pkgs/tools/security/john/default.nix +++ b/pkgs/tools/security/john/default.nix @@ -13,6 +13,8 @@ stdenv.mkDerivation rec { sha256 = "08q92sfdvkz47rx6qjn7qv57cmlpy7i7rgddapq5384mb413vjds"; }; + patches = [ ./gcc5.patch ]; + postPatch = '' sed -ri -e ' s!^(#define\s+CFG_[A-Z]+_NAME\s+).*/!\1"'"$out"'/etc/john/! diff --git a/pkgs/tools/security/john/gcc5.patch b/pkgs/tools/security/john/gcc5.patch new file mode 100644 index 00000000000..73da83483f9 --- /dev/null +++ b/pkgs/tools/security/john/gcc5.patch @@ -0,0 +1,14 @@ +diff --git a/src/common.h b/src/common.h +--- a/src/common.h ++++ b/src/common.h +@@ -31,7 +31,9 @@ typedef unsigned long long ARCH_WORD_64; + #define is_aligned(PTR, CNT) ((((ARCH_WORD)(const void *)(PTR))&(CNT-1))==0) + + #ifdef __GNUC__ +-#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 7) || defined(__INTEL_COMPILER) ++#if __GNUC__ >= 5 ++#define MAYBE_INLINE __attribute__((gnu_inline)) inline ++#elif __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 7) || defined(__INTEL_COMPILER) + #define MAYBE_INLINE __attribute__((always_inline)) inline + #elif __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 1) + #define MAYBE_INLINE __attribute__((always_inline)) diff --git a/pkgs/tools/security/signing-party/default.nix b/pkgs/tools/security/signing-party/default.nix index dfd5cd6c7d7..e2e3955628d 100644 --- a/pkgs/tools/security/signing-party/default.nix +++ b/pkgs/tools/security/signing-party/default.nix @@ -1,12 +1,12 @@ {stdenv, fetchurl, gnupg, perl, automake111x, autoconf}: stdenv.mkDerivation rec { - version = "2.1"; + version = "2.2"; basename = "signing-party"; name = "${basename}-${version}"; src = fetchurl { url = "mirror://debian/pool/main/s/${basename}/${basename}_${version}.orig.tar.gz"; - sha256 = "0pcni3mf92503bqknwlsvv1f5gz23dmzwas2j8g2fk7afjd891ya"; + sha256 = "13qncdyadw1cnslc2xss9s2rpkalm7rz572b23p7mqcdqp30cpdd"; }; sourceRoot = "."; diff --git a/pkgs/tools/security/tboot/default.nix b/pkgs/tools/security/tboot/default.nix index 854f67f2aee..506b1d398d5 100644 --- a/pkgs/tools/security/tboot/default.nix +++ b/pkgs/tools/security/tboot/default.nix @@ -12,12 +12,15 @@ stdenv.mkDerivation rec { patches = [ ./tboot-add-well-known-secret-option-to-lcp_writepol.patch ]; + hardeningDisable = [ "pic" "stackprotector" ]; + configurePhase = '' for a in lcptools utils tb_polgen; do substituteInPlace $a/Makefile --replace /usr/sbin /sbin done substituteInPlace docs/Makefile --replace /usr/share /share ''; + installFlags = "DESTDIR=$(out)"; meta = with stdenv.lib; { diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix index 998be45d9c6..26f088fd54a 100644 --- a/pkgs/tools/system/cron/default.nix +++ b/pkgs/tools/system/cron/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation { unpackCmd = "(mkdir cron && cd cron && sh $curSrc)"; + hardeningEnable = [ "pie" ]; + preBuild = '' substituteInPlace Makefile --replace ' -o root' ' ' --replace 111 755 makeFlags="DESTROOT=$out" diff --git a/pkgs/tools/system/facter/default.nix b/pkgs/tools/system/facter/default.nix index a90000dde87..6d162188a53 100644 --- a/pkgs/tools/system/facter/default.nix +++ b/pkgs/tools/system/facter/default.nix @@ -8,9 +8,7 @@ stdenv.mkDerivation rec { sha256 = "0k2k92y42zb6vf542zwkhvg15kv32yb4zvw6nlcqlgmyg19c5qmv"; }; - libyamlcpp_ = libyamlcpp.override { makePIC = true; }; - - buildInputs = [ boost cmake curl leatherman libyamlcpp_ openssl utillinux ]; + buildInputs = [ boost cmake curl leatherman libyamlcpp openssl utillinux ]; meta = with stdenv.lib; { homepage = https://github.com/puppetlabs/facter; diff --git a/pkgs/tools/system/foremost/default.nix b/pkgs/tools/system/foremost/default.nix index cfac8923779..0114c1d41ff 100644 --- a/pkgs/tools/system/foremost/default.nix +++ b/pkgs/tools/system/foremost/default.nix @@ -15,6 +15,8 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + hardeningDisable = [ "format" ]; + preInstall = '' mkdir -p $out/{bin,share/man/man8} ''; diff --git a/pkgs/tools/system/gdmap/default.nix b/pkgs/tools/system/gdmap/default.nix index 3d3809610e4..7800bfa0831 100644 --- a/pkgs/tools/system/gdmap/default.nix +++ b/pkgs/tools/system/gdmap/default.nix @@ -2,7 +2,7 @@ stdenv.mkDerivation rec { name = "gdmap-0.8.1"; - + src = fetchurl { url = "mirror://sourceforge/gdmap/${name}.tar.gz"; sha256 = "0nr8l88cg19zj585hczj8v73yh21k7j13xivhlzl8jdk0j0cj052"; @@ -12,6 +12,8 @@ stdenv.mkDerivation rec { patches = [ ./get_sensitive.patch ./set_flags.patch ]; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { homepage = http://gdmap.sourceforge.net; description = "Recursive rectangle map of disk usage"; diff --git a/pkgs/tools/system/rsyslog/default.nix b/pkgs/tools/system/rsyslog/default.nix index 2f38c9b374a..f3e6b15ed2c 100644 --- a/pkgs/tools/system/rsyslog/default.nix +++ b/pkgs/tools/system/rsyslog/default.nix @@ -28,6 +28,8 @@ stdenv.mkDerivation rec { rabbitmq-c hiredis ] ++ stdenv.lib.optional stdenv.isLinux systemd; + hardeningDisable = [ "format" ]; + configureFlags = [ "--sysconfdir=/etc" "--localstatedir=/var" diff --git a/pkgs/tools/system/stress-ng/default.nix b/pkgs/tools/system/stress-ng/default.nix index a973d143fa9..692fd250f83 100644 --- a/pkgs/tools/system/stress-ng/default.nix +++ b/pkgs/tools/system/stress-ng/default.nix @@ -2,10 +2,10 @@ stdenv.mkDerivation rec { name = "stress-ng-${version}"; - version = "0.05.00"; + version = "0.05.18"; src = fetchurl { - sha256 = "0ppri86z6fj48nm5l0x1r8mh7mwaf7bvhmi10jz6a8w7apnc181w"; + sha256 = "13x0cc4gfakz7vikc6b2vjbk1gw5awyp9i6843di7lnkx1ba177r"; url = "http://kernel.ubuntu.com/~cking/tarballs/stress-ng/${name}.tar.gz"; }; diff --git a/pkgs/tools/system/which/default.nix b/pkgs/tools/system/which/default.nix index e9199a8f063..fc0889012c2 100644 --- a/pkgs/tools/system/which/default.nix +++ b/pkgs/tools/system/which/default.nix @@ -2,12 +2,15 @@ stdenv.mkDerivation rec { name = "which-2.21"; - + src = fetchurl { url = "mirror://gnu/which/${name}.tar.gz"; sha256 = "1bgafvy3ypbhhfznwjv1lxmd6mci3x1byilnnkc7gcr486wlb8pl"; }; + # FIXME needs gcc 4.9 in bootstrap tools + hardeningDisable = [ "stackprotector" ]; + meta = with stdenv.lib; { homepage = http://ftp.gnu.org/gnu/which/; platforms = platforms.all; diff --git a/pkgs/tools/text/a2ps/default.nix b/pkgs/tools/text/a2ps/default.nix index 7de6a8dd574..4a32e972a5b 100644 --- a/pkgs/tools/text/a2ps/default.nix +++ b/pkgs/tools/text/a2ps/default.nix @@ -14,6 +14,8 @@ stdenv.mkDerivation rec { buildInputs = [ libpaper gperf file ]; + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "An Anyithing to PostScript converter and pretty-printer"; longDescription = '' diff --git a/pkgs/tools/text/patchutils/default.nix b/pkgs/tools/text/patchutils/default.nix index 4df52eef669..75922a6c830 100644 --- a/pkgs/tools/text/patchutils/default.nix +++ b/pkgs/tools/text/patchutils/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { patches = [ ./drop-comments.patch ]; # we would get into a cycle when using fetchpatch on this one + hardeningDisable = [ "format" ]; + meta = with stdenv.lib; { description = "Tools to manipulate patch files"; homepage = http://cyberelk.net/tim/software/patchutils; diff --git a/pkgs/tools/text/untex/default.nix b/pkgs/tools/text/untex/default.nix index e2f6142a2a0..ec99e8b4a27 100644 --- a/pkgs/tools/text/untex/default.nix +++ b/pkgs/tools/text/untex/default.nix @@ -9,6 +9,8 @@ stdenv.mkDerivation rec { sha256 = "07p836jydd5yjy905m5ylnnac1h4cc4jsr41panqb808mlsiwmmy"; }; + hardeningDisable = [ "format" ]; + unpackPhase = "tar xf $src"; installTargets = "install install.man"; installFlags = "BINDIR=$(out)/bin MANDIR=$(out)/share/man/man1"; diff --git a/pkgs/tools/typesetting/bibtex-tools/default.nix b/pkgs/tools/typesetting/bibtex-tools/default.nix deleted file mode 100644 index a822a181a65..00000000000 --- a/pkgs/tools/typesetting/bibtex-tools/default.nix +++ /dev/null @@ -1,17 +0,0 @@ -{stdenv, fetchurl, hevea, tetex, strategoxt, aterm, sdf}: - -stdenv.mkDerivation { - name = "bibtex-tools-0.2pre13026"; - src = fetchurl { - url = http://tarballs.nixos.org/bibtex-tools-0.2pre13026.tar.gz; - md5 = "2d8a5de7c53eb670307048eb3d14cdd6"; - }; - configureFlags = " - --with-aterm=${aterm} - --with-sdf=${sdf} - --with-strategoxt=${strategoxt} - --with-hevea=${hevea} - --with-latex=${tetex}"; - buildInputs = [aterm sdf strategoxt hevea]; - meta.broken = true; -} diff --git a/pkgs/tools/typesetting/tex/tetex/default.nix b/pkgs/tools/typesetting/tex/tetex/default.nix index 8d6c88a0004..c3d226a2acb 100644 --- a/pkgs/tools/typesetting/tex/tetex/default.nix +++ b/pkgs/tools/typesetting/tex/tetex/default.nix @@ -2,7 +2,7 @@ stdenv.mkDerivation { name = "tetex-3.0"; - + src = fetchurl { url = ftp://cam.ctan.org/tex-archive/systems/unix/teTeX/current/distrib/tetex-src-3.0.tar.gz; md5 = "944a4641e79e61043fdaf8f38ecbb4b3"; @@ -15,6 +15,8 @@ stdenv.mkDerivation { buildInputs = [ flex bison zlib libpng ncurses ed ]; + hardeningDisable = [ "format" ]; + # fixes "error: conflicting types for 'calloc'", etc. preBuild = stdenv.lib.optionalString stdenv.isDarwin '' sed -i 57d texk/kpathsea/c-std.h diff --git a/pkgs/tools/typesetting/tex/texlive-new/bin.nix b/pkgs/tools/typesetting/tex/texlive-new/bin.nix index f833cc2f82b..83dcd4b72cd 100644 --- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix +++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix @@ -64,6 +64,8 @@ core = stdenv.mkDerivation rec { perl ]; + hardeningDisable = [ "format" ]; + preConfigure = '' rm -r libs/{cairo,freetype2,gd,gmp,graphite2,harfbuzz,icu,libpaper,libpng} \ libs/{mpfr,pixman,poppler,potrace,xpdf,zlib,zziplib} @@ -122,6 +124,8 @@ core-big = stdenv.mkDerivation { inherit (common) src; + hardeningDisable = [ "format" ]; + buildInputs = core.buildInputs ++ [ core cairo harfbuzz icu graphite2 ]; configureFlags = common.configureFlags diff --git a/pkgs/tools/video/mjpegtools/default.nix b/pkgs/tools/video/mjpegtools/default.nix index 33b497fa3eb..bfffbae65b5 100644 --- a/pkgs/tools/video/mjpegtools/default.nix +++ b/pkgs/tools/video/mjpegtools/default.nix @@ -7,9 +7,13 @@ stdenv.mkDerivation rec { name = "mjpegtools-2.1.0"; + src = fetchurl { url = "mirror://sourceforge/mjpeg/${name}.tar.gz"; sha256 = "01y4xpfdvd4zgv6fmcjny9mr1gbfd4y2i4adp657ydw6fqyi8kw6"; }; + buildInputs = [ gtk libdv libjpeg libpng libX11 pkgconfig SDL SDL_gfx ]; + + hardeningDisable = [ "format" ]; } diff --git a/pkgs/tools/video/vncrec/default.nix b/pkgs/tools/video/vncrec/default.nix index 4654d5902cb..81860f22e89 100644 --- a/pkgs/tools/video/vncrec/default.nix +++ b/pkgs/tools/video/vncrec/default.nix @@ -10,6 +10,8 @@ stdenv.mkDerivation rec { sha256 = "1yp6r55fqpdhc8cgrgh9i0mzxmkls16pgf8vfcpng1axr7cigyhc"; }; + hardeningDisable = [ "format" ]; + buildInputs = [ libX11 xproto imake gccmakedep libXt libXmu libXaw libXext xextproto libSM libICE libXpm libXp diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 57947babc1b..3e89547389f 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -892,10 +892,6 @@ in UnicodeCollate UnicodeLineBreak URI XMLLibXMLSimple XMLLibXSLT XMLWriter; }; - bibtextools = callPackage ../tools/typesetting/bibtex-tools { - inherit (strategoPackages016) strategoxt sdf; - }; - bittornado = callPackage ../tools/networking/p2p/bit-tornado { }; blueman = callPackage ../tools/bluetooth/blueman { @@ -2269,10 +2265,6 @@ in lrzip = callPackage ../tools/compression/lrzip { }; - # lsh installs `bin/nettle-lfib-stream' and so does Nettle. Give the - # former a lower priority than Nettle. - lsh = lowPrio (callPackage ../tools/networking/lsh { }); - lshw = callPackage ../tools/system/lshw { }; lxc = callPackage ../os-specific/linux/lxc { }; @@ -4000,10 +3992,7 @@ in clang_35 = wrapCC llvmPackages_35.clang; clang_34 = wrapCC llvmPackages_34.clang; - clang-analyzer = callPackage ../development/tools/analysis/clang-analyzer { - clang = clang_34; - llvmPackages = llvmPackages_34; - }; + clang-analyzer = callPackage ../development/tools/analysis/clang-analyzer { }; clangUnwrapped = llvm: pkg: callPackage pkg { inherit llvm; }; @@ -5073,11 +5062,6 @@ in llvm = llvm_36; }; - qcmm = callPackage ../development/compilers/qcmm { - lua = lua4; - ocaml = ocaml_3_08_0; - }; - rgbds = callPackage ../development/compilers/rgbds { }; rtags = callPackage ../development/tools/rtags/default.nix {}; @@ -5140,20 +5124,6 @@ in stalin = callPackage ../development/compilers/stalin { }; - strategoPackages = recurseIntoAttrs strategoPackages018; - - strategoPackages016 = callPackage ../development/compilers/strategoxt/0.16.nix { - stdenv = overrideInStdenv stdenv [gnumake380]; - }; - - strategoPackages017 = callPackage ../development/compilers/strategoxt/0.17.nix { - readline = readline5; - }; - - strategoPackages018 = callPackage ../development/compilers/strategoxt/0.18.nix { - readline = readline5; - }; - metaBuildEnv = callPackage ../development/compilers/meta-environment/meta-build-env { }; swiProlog = callPackage ../development/compilers/swi-prolog { }; @@ -5194,8 +5164,6 @@ in vs90wrapper = callPackage ../development/compilers/vs90wrapper { }; - webdsl = callPackage ../development/compilers/webdsl { }; - win32hello = callPackage ../development/compilers/visual-c++/test { }; wla-dx = callPackage ../development/compilers/wla-dx { }; @@ -6409,10 +6377,6 @@ in aspellDicts = recurseIntoAttrs (callPackages ../development/libraries/aspell/dictionaries.nix {}); - aterm = self.aterm25; - - aterm25 = callPackage ../development/libraries/aterm/2.5.nix { }; - attica = callPackage ../development/libraries/attica { }; attr = callPackage ../development/libraries/attr { }; @@ -8971,8 +8935,6 @@ in v8_3_16_14 = callPackage ../development/libraries/v8/3.16.14.nix { inherit (pythonPackages) gyp; - # The build succeeds using gcc5 but it fails to build pkgs.consul-ui - stdenv = overrideCC stdenv gcc48; }; v8_3_24_10 = callPackage ../development/libraries/v8/3.24.10.nix { @@ -15055,15 +15017,10 @@ in speed_dreams = callPackage ../games/speed-dreams { # Torcs wants to make shared libraries linked with plib libraries (it provides static). # i686 is the only platform I know than can do that linking without plib built with -fPIC - plib = plib.override { enablePIC = !stdenv.isi686; }; libpng = libpng12; }; - torcs = callPackage ../games/torcs { - # Torcs wants to make shared libraries linked with plib libraries (it provides static). - # i686 is the only platform I know than can do that linking without plib built with -fPIC - plib = plib.override { enablePIC = !stdenv.isi686; }; - }; + torcs = callPackage ../games/torcs { }; trigger = callPackage ../games/trigger { }; @@ -15442,8 +15399,8 @@ in calamares = callPackage ../tools/misc/calamares rec { python = python3; - boost = pkgs.boost.override { python=python3; }; - libyamlcpp = callPackage ../development/libraries/libyaml-cpp { makePIC=true; boost=boost; }; + boost = pkgs.boost.override { python = python3; }; + libyamlcpp = callPackage ../development/libraries/libyaml-cpp { boost = boost; }; }; colord-kde = callPackage ../tools/misc/colord-kde/0.5.nix {}; @@ -15452,14 +15409,13 @@ in fcitx-qt5 = callPackage ../tools/inputmethods/fcitx/fcitx-qt5.nix { }; - k9copy = callPackage ../applications/video/k9copy {}; + k9copy = callPackage ../applications/video/k9copy { }; kdeconnect = callPackage ../applications/misc/kdeconnect { }; kile = callPackage ../applications/editors/kile/frameworks.nix { }; - konversation = callPackage ../applications/networking/irc/konversation/1.6.nix { - }; + konversation = callPackage ../applications/networking/irc/konversation/1.6.nix { }; quassel = callPackage ../applications/networking/irc/quassel/qt-5.nix { monolithic = true; diff --git a/pkgs/top-level/guile-2-test.nix b/pkgs/top-level/guile-2-test.nix index 70f2de75ae9..56a0769da0b 100644 --- a/pkgs/top-level/guile-2-test.nix +++ b/pkgs/top-level/guile-2-test.nix @@ -56,7 +56,6 @@ in (mapTestOn { guile = linux; autogen = linux; - lsh = linux; mailutils = linux; mcron = linux; texmacs = linux; diff --git a/pkgs/top-level/release-cross.nix b/pkgs/top-level/release-cross.nix index ced90c0489c..fe7b88d813c 100644 --- a/pkgs/top-level/release-cross.nix +++ b/pkgs/top-level/release-cross.nix @@ -219,7 +219,6 @@ in { libffi.crossDrv = nativePlatforms; libtool.crossDrv = nativePlatforms; libunistring.crossDrv = nativePlatforms; - lsh.crossDrv = nativePlatforms; nixUnstable.crossDrv = nativePlatforms; openssl.crossDrv = nativePlatforms; # dependency of Nix patch.crossDrv = nativePlatforms; diff --git a/pkgs/top-level/release-small.nix b/pkgs/top-level/release-small.nix index bd2223b4b04..95df07ea709 100644 --- a/pkgs/top-level/release-small.nix +++ b/pkgs/top-level/release-small.nix @@ -88,7 +88,6 @@ with import ./release-lib.nix { inherit supportedSystems; }; libxml2 = all; libxslt = all; lout = linux; - lsh = linux; lsof = linux; ltrace = linux; lvm2 = linux; diff --git a/pkgs/top-level/release.nix b/pkgs/top-level/release.nix index 24ea9bdc470..5aa1fd87881 100644 --- a/pkgs/top-level/release.nix +++ b/pkgs/top-level/release.nix @@ -247,14 +247,6 @@ let #rPackages = packagePlatforms pkgs.rPackages; - strategoPackages = { - sdf = linux; - strategoxt = linux; - javafront = linux; - strategoShell = linux ++ darwin; - dryad = linux; - }; - ocamlPackages = { }; perlPackages = { }; |