diff options
| author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2024-06-13 00:14:32 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-06-13 00:14:32 +0000 |
| commit | f8c6f371f72f29fa673c643e756a8e4597c240ec (patch) | |
| tree | bc5492bdbd2e237854893983056910e9dab065b3 | |
| parent | 2d66614b2d8558b142739d5cceab6d58c903641c (diff) | |
| parent | 5c2ec3a5c2ee9909904f860dadc19bc12cd9cc44 (diff) | |
Merge release-23.11 into staging-next-23.11
18 files changed, 334 insertions, 70 deletions
diff --git a/nixos/tests/kernel-generic.nix b/nixos/tests/kernel-generic.nix index 72d31246b75d3..f851f638bc8a4 100644 --- a/nixos/tests/kernel-generic.nix +++ b/nixos/tests/kernel-generic.nix @@ -32,6 +32,8 @@ let linux_6_1_hardened linux_6_5_hardened linux_6_6_hardened + linux_6_8_hardened + linux_6_9_hardened linux_rt_5_4 linux_rt_5_10 linux_rt_5_15 diff --git a/pkgs/applications/editors/vim/plugins/overrides.nix b/pkgs/applications/editors/vim/plugins/overrides.nix index a27f8650f425e..7f055dd1827c0 100644 --- a/pkgs/applications/editors/vim/plugins/overrides.nix +++ b/pkgs/applications/editors/vim/plugins/overrides.nix @@ -371,6 +371,8 @@ self: super: { --replace " let node = get(g:, 'copilot_node_command', ''\'''\')" \ " let node = get(g:, 'copilot_node_command', '${nodejs}/bin/node')" ''; + + meta.license = lib.licenses.unfree; }; coq_nvim = super.coq_nvim.overrideAttrs { diff --git a/pkgs/development/compilers/go/1.22.nix b/pkgs/development/compilers/go/1.22.nix new file mode 100644 index 0000000000000..81a918b21199b --- /dev/null +++ b/pkgs/development/compilers/go/1.22.nix @@ -0,0 +1,189 @@ +{ lib +, stdenv +, fetchurl +, tzdata +, substituteAll +, iana-etc +, Security +, Foundation +, xcbuild +, mailcap +, buildPackages +, pkgsBuildTarget +, threadsCross +, testers +, skopeo +, buildGo122Module +}: + +let + useGccGoBootstrap = stdenv.buildPlatform.isMusl; + goBootstrap = if useGccGoBootstrap then buildPackages.gccgo12 else buildPackages.callPackage ./bootstrap121.nix { }; + + skopeoTest = skopeo.override { buildGoModule = buildGo122Module; }; + + goarch = platform: { + "aarch64" = "arm64"; + "arm" = "arm"; + "armv5tel" = "arm"; + "armv6l" = "arm"; + "armv7l" = "arm"; + "i686" = "386"; + "mips" = "mips"; + "mips64el" = "mips64le"; + "mipsel" = "mipsle"; + "powerpc64le" = "ppc64le"; + "riscv64" = "riscv64"; + "s390x" = "s390x"; + "x86_64" = "amd64"; + }.${platform.parsed.cpu.name} or (throw "Unsupported system: ${platform.parsed.cpu.name}"); + + # We need a target compiler which is still runnable at build time, + # to handle the cross-building case where build != host == target + targetCC = pkgsBuildTarget.targetPackages.stdenv.cc; + + isCross = stdenv.buildPlatform != stdenv.targetPlatform; +in +stdenv.mkDerivation (finalAttrs: { + pname = "go"; + version = "1.22.3"; + + src = fetchurl { + url = "https://go.dev/dl/go${finalAttrs.version}.src.tar.gz"; + hash = "sha256-gGSO80+QMZPXKlnA3/AZ9fmK4MmqE63gsOy/+ZGnb2g="; + }; + + strictDeps = true; + buildInputs = [ ] + ++ lib.optionals stdenv.isLinux [ stdenv.cc.libc.out ] + ++ lib.optionals (stdenv.hostPlatform.libc == "glibc") [ stdenv.cc.libc.static ]; + + depsTargetTargetPropagated = lib.optionals stdenv.targetPlatform.isDarwin [ Foundation Security xcbuild ]; + + depsBuildTarget = lib.optional isCross targetCC; + + depsTargetTarget = lib.optional stdenv.targetPlatform.isWindows threadsCross.package; + + postPatch = '' + patchShebangs . + ''; + + patches = [ + (substituteAll { + src = ./iana-etc-1.17.patch; + iana = iana-etc; + }) + # Patch the mimetype database location which is missing on NixOS. + # but also allow static binaries built with NixOS to run outside nix + (substituteAll { + src = ./mailcap-1.17.patch; + inherit mailcap; + }) + # prepend the nix path to the zoneinfo files but also leave the original value for static binaries + # that run outside a nix server + (substituteAll { + src = ./tzdata-1.19.patch; + inherit tzdata; + }) + ./remove-tools-1.11.patch + ./go_no_vendor_checks-1.22.patch + ]; + + GOOS = stdenv.targetPlatform.parsed.kernel.name; + GOARCH = goarch stdenv.targetPlatform; + # GOHOSTOS/GOHOSTARCH must match the building system, not the host system. + # Go will nevertheless build a for host system that we will copy over in + # the install phase. + GOHOSTOS = stdenv.buildPlatform.parsed.kernel.name; + GOHOSTARCH = goarch stdenv.buildPlatform; + + # {CC,CXX}_FOR_TARGET must be only set for cross compilation case as go expect those + # to be different from CC/CXX + CC_FOR_TARGET = + if isCross then + "${targetCC}/bin/${targetCC.targetPrefix}cc" + else + null; + CXX_FOR_TARGET = + if isCross then + "${targetCC}/bin/${targetCC.targetPrefix}c++" + else + null; + + GOARM = toString (lib.intersectLists [ (stdenv.hostPlatform.parsed.cpu.version or "") ] [ "5" "6" "7" ]); + GO386 = "softfloat"; # from Arch: don't assume sse2 on i686 + CGO_ENABLED = 1; + + GOROOT_BOOTSTRAP = if useGccGoBootstrap then goBootstrap else "${goBootstrap}/share/go"; + + buildPhase = '' + runHook preBuild + export GOCACHE=$TMPDIR/go-cache + # this is compiled into the binary + export GOROOT_FINAL=$out/share/go + + export PATH=$(pwd)/bin:$PATH + + ${lib.optionalString isCross '' + # Independent from host/target, CC should produce code for the building system. + # We only set it when cross-compiling. + export CC=${buildPackages.stdenv.cc}/bin/cc + ''} + ulimit -a + + pushd src + ./make.bash + popd + runHook postBuild + ''; + + preInstall = '' + # Contains the wrong perl shebang when cross compiling, + # since it is not used for anything we can deleted as well. + rm src/regexp/syntax/make_perl_groups.pl + '' + (if (stdenv.buildPlatform.system != stdenv.hostPlatform.system) then '' + mv bin/*_*/* bin + rmdir bin/*_* + ${lib.optionalString (!(finalAttrs.GOHOSTARCH == finalAttrs.GOARCH && finalAttrs.GOOS == finalAttrs.GOHOSTOS)) '' + rm -rf pkg/${finalAttrs.GOHOSTOS}_${finalAttrs.GOHOSTARCH} pkg/tool/${finalAttrs.GOHOSTOS}_${finalAttrs.GOHOSTARCH} + ''} + '' else lib.optionalString (stdenv.hostPlatform.system != stdenv.targetPlatform.system) '' + rm -rf bin/*_* + ${lib.optionalString (!(finalAttrs.GOHOSTARCH == finalAttrs.GOARCH && finalAttrs.GOOS == finalAttrs.GOHOSTOS)) '' + rm -rf pkg/${finalAttrs.GOOS}_${finalAttrs.GOARCH} pkg/tool/${finalAttrs.GOOS}_${finalAttrs.GOARCH} + ''} + ''); + + installPhase = '' + runHook preInstall + mkdir -p $GOROOT_FINAL + cp -a bin pkg src lib misc api doc go.env $GOROOT_FINAL + mkdir -p $out/bin + ln -s $GOROOT_FINAL/bin/* $out/bin + runHook postInstall + ''; + + disallowedReferences = [ goBootstrap ]; + + passthru = { + inherit goBootstrap skopeoTest; + tests = { + skopeo = testers.testVersion { package = skopeoTest; }; + version = testers.testVersion { + package = finalAttrs.finalPackage; + command = "go version"; + version = "go${finalAttrs.version}"; + }; + }; + }; + + meta = with lib; { + changelog = "https://go.dev/doc/devel/release#go${lib.versions.majorMinor finalAttrs.version}"; + description = "The Go Programming language"; + homepage = "https://go.dev/"; + license = licenses.bsd3; + maintainers = teams.golang.members; + platforms = platforms.darwin ++ platforms.linux; + mainProgram = "go"; + }; +}) diff --git a/pkgs/development/compilers/go/go_no_vendor_checks-1.22.patch b/pkgs/development/compilers/go/go_no_vendor_checks-1.22.patch new file mode 100644 index 0000000000000..bd545d50948f0 --- /dev/null +++ b/pkgs/development/compilers/go/go_no_vendor_checks-1.22.patch @@ -0,0 +1,23 @@ +Starting from go1.14, go verifes that vendor/modules.txt matches the requirements +and replacements listed in the main module go.mod file, and it is a hard failure if +vendor/modules.txt is missing. + +Relax module consistency checks and switch back to pre go1.14 behaviour if +vendor/modules.txt is missing regardless of go version requirement in go.mod. + +This has been ported from FreeBSD: https://reviews.freebsd.org/D24122 +See https://github.com/golang/go/issues/37948 for discussion. + +diff --git a/src/cmd/go/internal/modload/vendor.go b/src/cmd/go/internal/modload/vendor.go +index b2cb44100e..05bf3829d5 100644 +--- a/src/cmd/go/internal/modload/vendor.go ++++ b/src/cmd/go/internal/modload/vendor.go +@@ -159,7 +159,7 @@ func checkVendorConsistency(indexes []*modFileIndex, modFiles []*modfile.File, m + panic(fmt.Errorf("not in workspace mode but number of indexes is %v, not 1", len(indexes))) + } + index := indexes[0] +- if gover.Compare(index.goVersion, "1.14") < 0 { ++ if gover.Compare(index.goVersion, "1.14") < 0 || (os.Getenv("GO_NO_VENDOR_CHECKS") == "1" && len(vendorMeta) == 0) { + // Go versions before 1.14 did not include enough information in + // vendor/modules.txt to check for consistency. + // If we know that we're on an earlier version, relax the consistency check. diff --git a/pkgs/development/python-modules/pyinfra/default.nix b/pkgs/development/python-modules/pyinfra/default.nix index d21fcddc42ee8..d1d8ae4e8d56b 100644 --- a/pkgs/development/python-modules/pyinfra/default.nix +++ b/pkgs/development/python-modules/pyinfra/default.nix @@ -19,7 +19,7 @@ buildPythonPackage rec { pname = "pyinfra"; - version = "2.8"; + version = "2.9.2"; format = "setuptools"; disabled = pythonOlder "3.7"; @@ -28,18 +28,9 @@ buildPythonPackage rec { owner = "Fizzadar"; repo = pname; rev = "refs/tags/v${version}"; - hash = "sha256-BYd2UYQJD/HsmpnlQjZvjfg17ShPuA3j4rtv6fTQK/A="; + hash = "sha256-lzbFwAg1aLCfBnSnqq4oVteArpkRBa7hU8V3vB5ODa8="; }; - patches = [ - # https://github.com/Fizzadar/pyinfra/pull/1018 - (fetchpatch { - name = "bump-paramiko-major-version.patch"; - url = "https://github.com/Fizzadar/pyinfra/commit/62a8f081279779c4f1eed246139f615cf5fed642.patch"; - hash = "sha256-aT9SeSqXOD76LFzf6R/MWTtavcW6fZT7chkVg9aXiBg="; - }) - ]; - propagatedBuildInputs = [ click colorama diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index a27feea36efb8..4d76cb1f99742 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -352,7 +352,8 @@ let # (stable) amdgpu support for bonaire and newer chipsets DRM_AMDGPU_CIK = yes; # Allow device firmware updates - DRM_DP_AUX_CHARDEV = yes; + DRM_DP_AUX_CHARDEV = whenOlder "6.10" yes; + DRM_DISPLAY_DP_AUX_CHARDEV = whenAtLeast "6.10" yes; # amdgpu display core (DC) support DRM_AMD_DC_DCN1_0 = whenOlder "5.6" yes; DRM_AMD_DC_DCN2_0 = whenBetween "5.3" "5.6" yes; @@ -769,8 +770,10 @@ let # i686 issues: https://github.com/NixOS/nixpkgs/pull/117961#issuecomment-812106375 useZstd = stdenv.buildPlatform.is64bit && versionAtLeast version "5.9"; in { - KERNEL_XZ = mkIf (!useZstd) yes; - KERNEL_ZSTD = mkIf useZstd yes; + # stdenv.hostPlatform.linux-kernel.target assumes uncompressed on RISC-V. + KERNEL_UNCOMPRESSED = mkIf stdenv.hostPlatform.isRiscV yes; + KERNEL_XZ = mkIf (!stdenv.hostPlatform.isRiscV && !useZstd) yes; + KERNEL_ZSTD = mkIf (!stdenv.hostPlatform.isRiscV && useZstd) yes; HID_BATTERY_STRENGTH = yes; # enabled by default in x86_64 but not arm64, so we do that here diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix index 7aa9c51173526..1e1289f82e814 100644 --- a/pkgs/os-specific/linux/kernel/hardened/config.nix +++ b/pkgs/os-specific/linux/kernel/hardened/config.nix @@ -70,12 +70,22 @@ assert (versionAtLeast version "4.9"); GCC_PLUGIN_RANDSTRUCT = whenOlder "5.19" yes; # A port of the PaX randstruct plugin GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenOlder "5.19" yes; + # Runtime undefined behaviour checks + # https://www.kernel.org/doc/html/latest/dev-tools/ubsan.html + # https://developers.redhat.com/blog/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan + UBSAN = yes; + UBSAN_TRAP = whenAtLeast "5.7" yes; + UBSAN_BOUNDS = whenAtLeast "5.7" yes; + UBSAN_SANITIZE_ALL = whenOlder "6.9" yes; + UBSAN_LOCAL_BOUNDS = option yes; # clang only + CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1 + # Same as GCC_PLUGIN_RANDSTRUCT*, but has been renamed to `RANDSTRUCT*` in 5.19. RANDSTRUCT = whenAtLeast "5.19" yes; RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes; # Disable various dangerous settings - ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory + ACPI_CUSTOM_METHOD = whenOlder "6.9" no; # Allows writing directly to physical memory PROC_KCORE = no; # Exposes kernel text image layout INET_DIAG = no; # Has been used for heap based attacks in the past diff --git a/pkgs/os-specific/linux/kernel/hardened/patches.json b/pkgs/os-specific/linux/kernel/hardened/patches.json index 21772b2e03eb0..3a424b3b39635 100644 --- a/pkgs/os-specific/linux/kernel/hardened/patches.json +++ b/pkgs/os-specific/linux/kernel/hardened/patches.json @@ -2,52 +2,52 @@ "4.19": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-4.19.309-hardened1.patch", - "sha256": "1hww72w5anmfr9czqbl31glzl70s34492k9qz9zax141zg1sf6sp", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.309-hardened1/linux-hardened-4.19.309-hardened1.patch" + "name": "linux-hardened-4.19.315-hardened1.patch", + "sha256": "1w17mwsv618pw5bkahmz6in0i5zjjxd3d14gggafqdd3dgfr1h8q", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.315-hardened1/linux-hardened-4.19.315-hardened1.patch" }, - "sha256": "1yc45kfiwdqsqa11sxafs82b0day6qvgjcll8rx9vipidsmagbcm", - "version": "4.19.309" + "sha256": "1j1j8awy0237jp2r211qpa305c10y7rlcbkxkzdvzbgyhwy4spkc", + "version": "4.19.315" }, "5.10": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-5.10.212-hardened1.patch", - "sha256": "0h04i94vshhcli5m4qpnqg4vsi5v1ifvdhhklk7c0bvkfk35cbml", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.212-hardened1/linux-hardened-5.10.212-hardened1.patch" + "name": "linux-hardened-5.10.218-hardened1.patch", + "sha256": "1ah4pznha17ngg3w7l0j74h4910gjv8qj503adrap7plvapf82m4", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.10.218-hardened1/linux-hardened-5.10.218-hardened1.patch" }, - "sha256": "14vll2bghd52wngjxy78hgglydcxka59yziji0w56dcdpmky9wqc", - "version": "5.10.212" + "sha256": "1mmj5hwm5i16gc1y4nzr1cs882vi6vrihrincdcivv63x11v4dlw", + "version": "5.10.218" }, "5.15": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-5.15.151-hardened1.patch", - "sha256": "040jc5n9qsdz2wv5ksfvc28vd72nmya2i2f0ps0jiras6l2wlhjz", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.151-hardened1/linux-hardened-5.15.151-hardened1.patch" + "name": "linux-hardened-5.15.160-hardened1.patch", + "sha256": "1r10ylx886rslsmrixlijjm4crhwzkl3wj6kpyn2344qik1gxpqr", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.15.160-hardened1/linux-hardened-5.15.160-hardened1.patch" }, - "sha256": "0jby224ncdardjwmf8c59s5j71inpvdlzah984ilf2b6y85pc7la", - "version": "5.15.151" + "sha256": "018v19a7rhzc4szybzzn86jlnk42x7jm6xkadfd2d3xq6f7727pl", + "version": "5.15.160" }, "5.4": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-5.4.271-hardened1.patch", - "sha256": "0rw5il7885d0d3k2hmh46541svib6rp32g00fcl5bw37ydmq3z8b", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.271-hardened1/linux-hardened-5.4.271-hardened1.patch" + "name": "linux-hardened-5.4.277-hardened1.patch", + "sha256": "1zjw5wl8lj69j402qm8dg3m4dxgq3ppx2jyz8jks976vyhh8fsg4", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.277-hardened1/linux-hardened-5.4.277-hardened1.patch" }, - "sha256": "0l2qv4xlhnry9crs90rkihsxyny6jz8kxw08bfad7nys9hrn3g6d", - "version": "5.4.271" + "sha256": "0l8zq3k07hdprfpvw69ykkf2pdg8wiv28xz733yxsjcfb0l5n7vy", + "version": "5.4.277" }, "6.1": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-6.1.81-hardened1.patch", - "sha256": "0af9dxdsa858zyqc0vsrzg098afhg5vpb2wpr6gj2ykwc13iaf07", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.1.81-hardened1/linux-hardened-6.1.81-hardened1.patch" + "name": "linux-hardened-6.1.92-hardened1.patch", + "sha256": "0cw87ygmisi823y3f7xrck12b6zh3mq1qmb7lcmr3hg6w3xskmn3", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.1.92-hardened1/linux-hardened-6.1.92-hardened1.patch" }, - "sha256": "0arl96yrqplbmp2gjyqcfma1lgc30kbn95m0sflv0yyldwf8dg8f", - "version": "6.1.81" + "sha256": "1j9n8gk76nn4gw42iba5zgghr360gb9n1mslr5dyv76wpwkz86ch", + "version": "6.1.92" }, "6.5": { "patch": { @@ -62,12 +62,12 @@ "6.6": { "patch": { "extra": "-hardened1", - "name": "linux-hardened-6.6.21-hardened1.patch", - "sha256": "0k35s5pj92lvfp6kw3isg78zc3gijsg0xbzcyvxdkmhzaq8j6i1i", - "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.6.21-hardened1/linux-hardened-6.6.21-hardened1.patch" + "name": "linux-hardened-6.6.32-hardened1.patch", + "sha256": "19362a6lxs3cnaw19jvda7n791y95lfgn9ki4wmaxnw2qbpi0bgg", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.6.32-hardened1/linux-hardened-6.6.32-hardened1.patch" }, - "sha256": "0mz420w99agr7jv1jgqfr4fjhzbv005xif086sqx556s900l62zf", - "version": "6.6.21" + "sha256": "1qbc8dqmk2xs1cz968rysw5xvhq3lj8g0pxp48fr2qbzy3m29a5a", + "version": "6.6.32" }, "6.7": { "patch": { @@ -78,5 +78,25 @@ }, "sha256": "1lrp7pwnxnqyy8c2l4n4nz997039gbnssrfm8ss8kl3h2c7fr2g4", "version": "6.7.6" + }, + "6.8": { + "patch": { + "extra": "-hardened1", + "name": "linux-hardened-6.8.11-hardened1.patch", + "sha256": "08i03dmri9h6jxcjd9g6s7pv0spqi3f4fgch1ars68cgngikvbpq", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.8.11-hardened1/linux-hardened-6.8.11-hardened1.patch" + }, + "sha256": "1di8kr596sf68sm61kp5rz6bn3sb0q5ag1qc5hm8f9dpyq4wv3dp", + "version": "6.8.11" + }, + "6.9": { + "patch": { + "extra": "-hardened1", + "name": "linux-hardened-6.9.2-hardened1.patch", + "sha256": "0ph1m0pnlqrhvddz2mjgcwvs0ddcpzigz8kgi9zi063qinlfbm3q", + "url": "https://github.com/anthraxx/linux-hardened/releases/download/6.9.2-hardened1/linux-hardened-6.9.2-hardened1.patch" + }, + "sha256": "1yg5j284y1gz7zwxjz2abvlnas259m1y1vzd9lmcqqar5kgmnv6l", + "version": "6.9.2" } } diff --git a/pkgs/os-specific/linux/kernel/kernels-org.json b/pkgs/os-specific/linux/kernel/kernels-org.json index 90cb44b7c312b..4336e3fa0c139 100644 --- a/pkgs/os-specific/linux/kernel/kernels-org.json +++ b/pkgs/os-specific/linux/kernel/kernels-org.json @@ -1,15 +1,15 @@ { "testing": { - "version": "6.9-rc6", - "hash": "sha256:075l5vhk8zmwln4jks7gr5n5k67s65qvs07l2rpbc7a75fdp6c14" + "version": "6.10-rc1", + "hash": "sha256:006frl76cwi9a4mw7x6vsyazgrjfiz1gn4q4hvpykqql5mar3a05" }, "6.5": { "version": "6.5.13", "hash": "sha256:1dfbbydmayfj9npx3z0g38p574pmcx3qgs49dv0npigl48wd9yvq" }, "6.1": { - "version": "6.1.92", - "hash": "sha256:1j9n8gk76nn4gw42iba5zgghr360gb9n1mslr5dyv76wpwkz86ch" + "version": "6.1.93", + "hash": "sha256:1kqbfbw7ivhl6aqb8pl92fll4bhgyn8xkgv8vpx62gcjylpaycfz" }, "5.15": { "version": "5.15.160", @@ -28,15 +28,15 @@ "hash": "sha256:1j1j8awy0237jp2r211qpa305c10y7rlcbkxkzdvzbgyhwy4spkc" }, "6.6": { - "version": "6.6.32", - "hash": "sha256:1qbc8dqmk2xs1cz968rysw5xvhq3lj8g0pxp48fr2qbzy3m29a5a" + "version": "6.6.33", + "hash": "sha256:15yy80dwis74gmmamnnn8kayak3am15gg6llk4k74x9avhhbqgm1" }, "6.8": { "version": "6.8.12", "hash": "sha256:0fb0m0fv4521g63gq04d7lm6hy8169s1rykiav5bkd99s9b1kcqr" }, "6.9": { - "version": "6.9.3", - "hash": "sha256:1bnzxparybwh320019pr2msaapas41dhjmvg4gy791rn05jc88f3" + "version": "6.9.4", + "hash": "sha256:1hpcc1bkan1y03bigi8mxd86z0c0bjpklnp9piw1ml57s7h00a17" } } diff --git a/pkgs/os-specific/linux/kernel/linux-libre.nix b/pkgs/os-specific/linux/kernel/linux-libre.nix index 3ee93bb04e067..4bb2ebda3d028 100644 --- a/pkgs/os-specific/linux/kernel/linux-libre.nix +++ b/pkgs/os-specific/linux/kernel/linux-libre.nix @@ -1,8 +1,8 @@ { stdenv, lib, fetchsvn, linux , scripts ? fetchsvn { url = "https://www.fsfla.org/svn/fsfla/software/linux-libre/releases/branches/"; - rev = "19569"; - sha256 = "0nm3vzzfwx3g8scgwyszjbf7sa08kwd1xyq4v1m5py63pma7p80r"; + rev = "19575"; + sha256 = "1f826x8a6nmqcjcplg5x4rcqkr3p886abxhyqir8a102ymnh7wkw"; } , ... }: diff --git a/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix b/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix index e19b0699a33fe..2bb90b38bbec0 100644 --- a/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix +++ b/pkgs/os-specific/linux/kernel/linux-rt-5.10.nix @@ -6,7 +6,7 @@ , ... } @ args: let - version = "5.10.216-rt108"; # updated by ./update-rt.sh + version = "5.10.218-rt110"; # updated by ./update-rt.sh branch = lib.versions.majorMinor version; kversion = builtins.elemAt (lib.splitString "-" version) 0; in buildLinux (args // { @@ -17,14 +17,14 @@ in buildLinux (args // { src = fetchurl { url = "mirror://kernel/linux/kernel/v5.x/linux-${kversion}.tar.xz"; - sha256 = "0lg1zfb9y4ps86q85mlnyalb3s90zix003z62jb9bw139f65h473"; + sha256 = "1mmj5hwm5i16gc1y4nzr1cs882vi6vrihrincdcivv63x11v4dlw"; }; kernelPatches = let rt-patch = { name = "rt"; patch = fetchurl { url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz"; - sha256 = "0p0qmyz3g7fqlz4f638dlcp37az8lpq5yqw2fy5zqqs3qagy018j"; + sha256 = "0zam7hlcrphxv53jcza7sw0lv8a9mz15cl35adwb2rd2y1x9nhad"; }; }; in [ rt-patch ] ++ kernelPatches; diff --git a/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix b/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix index 5c185e9a2d72c..f7f21a71263bd 100644 --- a/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix +++ b/pkgs/os-specific/linux/kernel/linux-rt-6.1.nix @@ -6,7 +6,7 @@ , ... } @ args: let - version = "6.1.91-rt31"; # updated by ./update-rt.sh + version = "6.1.92-rt32"; # updated by ./update-rt.sh branch = lib.versions.majorMinor version; kversion = builtins.elemAt (lib.splitString "-" version) 0; in buildLinux (args // { @@ -18,14 +18,14 @@ in buildLinux (args // { src = fetchurl { url = "mirror://kernel/linux/kernel/v6.x/linux-${kversion}.tar.xz"; - sha256 = "1v2d5syxwwqlhvjzxk003qz9sr18r0n8dgg976vbi492r9iww2l8"; + sha256 = "1j9n8gk76nn4gw42iba5zgghr360gb9n1mslr5dyv76wpwkz86ch"; }; kernelPatches = let rt-patch = { name = "rt"; patch = fetchurl { url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz"; - sha256 = "1p8i0rv4vzm1h50g08mm7a5zbxyaibqs2894nwvalhb4dfj1vas7"; + sha256 = "00qa6l4jvkdny276jnwnra5dkagnp3qr43amf2mpqx3kdfw28g1q"; }; }; in [ rt-patch ] ++ kernelPatches; diff --git a/pkgs/os-specific/linux/kernel/linux-rt-6.6.nix b/pkgs/os-specific/linux/kernel/linux-rt-6.6.nix index fa3fe59c134be..2f035b259b602 100644 --- a/pkgs/os-specific/linux/kernel/linux-rt-6.6.nix +++ b/pkgs/os-specific/linux/kernel/linux-rt-6.6.nix @@ -6,7 +6,7 @@ , ... } @ args: let - version = "6.6.31-rt31"; # updated by ./update-rt.sh + version = "6.6.32-rt32"; # updated by ./update-rt.sh branch = lib.versions.majorMinor version; kversion = builtins.elemAt (lib.splitString "-" version) 0; in buildLinux (args // { @@ -18,14 +18,14 @@ in buildLinux (args // { src = fetchurl { url = "mirror://kernel/linux/kernel/v6.x/linux-${kversion}.tar.xz"; - sha256 = "080wwrc231fbf43hvvygddmdxdspyw23jc5vnd6fr5ccdybgzv6n"; + sha256 = "1qbc8dqmk2xs1cz968rysw5xvhq3lj8g0pxp48fr2qbzy3m29a5a"; }; kernelPatches = let rt-patch = { name = "rt"; patch = fetchurl { url = "mirror://kernel/linux/kernel/projects/rt/${branch}/older/patch-${version}.patch.xz"; - sha256 = "0pj4j420ac9khw7wk6k3bcgdvcmi7p3lwycaa896q2fscz47zf01"; + sha256 = "0hv2z6d2gw7hqfzw6dgrzxlirk4yifcxbmx71hxlvd9l2vgp72q5"; }; }; in [ rt-patch ] ++ kernelPatches; diff --git a/pkgs/servers/dns/knot-resolver/default.nix b/pkgs/servers/dns/knot-resolver/default.nix index 5097f28f0c241..27fc66d278822 100644 --- a/pkgs/servers/dns/knot-resolver/default.nix +++ b/pkgs/servers/dns/knot-resolver/default.nix @@ -17,11 +17,11 @@ lua = luajitPackages; unwrapped = stdenv.mkDerivation rec { pname = "knot-resolver"; - version = "5.7.2"; + version = "5.7.3"; src = fetchurl { url = "https://secure.nic.cz/files/knot-resolver/${pname}-${version}.tar.xz"; - sha256 = "sha256-X2oic5D81MLQqAKKZStVqdhj7HvgEpj+A43x0nP7mg8="; + hash = "sha256-78bkX/xe/ZiSHqXNP+zhZqGlzp6qEtQbRiaJZDU9vts="; }; outputs = [ "out" "dev" ]; diff --git a/pkgs/servers/matrix-conduit/default.nix b/pkgs/servers/matrix-conduit/default.nix index cc162e6373d67..1523962a94495 100644 --- a/pkgs/servers/matrix-conduit/default.nix +++ b/pkgs/servers/matrix-conduit/default.nix @@ -68,5 +68,8 @@ rustPlatform.buildRustPackage rec { license = licenses.asl20; maintainers = with maintainers; [ pstn piegames pimeys ]; mainProgram = "conduit"; + knownVulnerabilities = [ + "Severe security issue fixed in conduit 0.8.0, check https://conduit.rs/changelog/ for further information" + ]; }; } diff --git a/pkgs/servers/tailscale/default.nix b/pkgs/servers/tailscale/default.nix index 2f36358e912c0..6ae04e12a7988 100644 --- a/pkgs/servers/tailscale/default.nix +++ b/pkgs/servers/tailscale/default.nix @@ -12,7 +12,7 @@ }: let - version = "1.58.2"; + version = "1.66.4"; in buildGoModule { pname = "tailscale"; @@ -22,9 +22,9 @@ buildGoModule { owner = "tailscale"; repo = "tailscale"; rev = "v${version}"; - hash = "sha256-FiFFfUtse0CKR4XJ82HEjpZNxCaa4FnwSJfEzJ5kZgk="; + hash = "sha256-ETBca3qKO2iS30teIF5sr/oyJdRSKFqLFVO3+mmm7bo="; }; - vendorHash = "sha256-BK1zugKGtx2RpWHDvFZaFqz/YdoewsG8SscGt25uwtQ="; + vendorHash = "sha256-Hd77xy8stw0Y6sfk3/ItqRIbM/349M/4uf0iNy1xJGw="; nativeBuildInputs = lib.optionals stdenv.isLinux [ makeWrapper ]; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 60680549b54fa..656a17f6459ee 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -26034,6 +26034,17 @@ with pkgs; go = buildPackages.go_1_21; }; + # requires a newer Apple SDK + go_1_22 = darwin.apple_sdk_11_0.callPackage ../development/compilers/go/1.22.nix { + inherit (darwin.apple_sdk_11_0.frameworks) Foundation Security; + }; + buildGo122Module = darwin.apple_sdk_11_0.callPackage ../build-support/go/module.nix { + go = buildPackages.go_1_22; + }; + buildGo122Package = darwin.apple_sdk_11_0.callPackage ../build-support/go/package.nix { + go = buildPackages.go_1_22; + }; + go2nix = callPackage ../development/tools/go2nix { }; leaps = callPackage ../development/tools/leaps { }; @@ -27499,7 +27510,9 @@ with pkgs; systemd-journal2gelf = callPackage ../tools/system/systemd-journal2gelf { }; - tailscale = callPackage ../servers/tailscale { }; + tailscale = callPackage ../servers/tailscale { + buildGoModule = buildGo122Module; + }; tailscale-systray = callPackage ../applications/misc/tailscale-systray { }; @@ -28261,6 +28274,10 @@ with pkgs; linux_6_5_hardened = linuxKernel.kernels.linux_6_5_hardened; linuxPackages_6_6_hardened = linuxKernel.packages.linux_6_6_hardened; linux_6_6_hardened = linuxKernel.kernels.linux_6_6_hardened; + linuxPackages_6_8_hardened = linuxKernel.packages.linux_6_8_hardened; + linux_6_8_hardened = linuxKernel.kernels.linux_6_8_hardened; + linuxPackages_6_9_hardened = linuxKernel.packages.linux_6_9_hardened; + linux_6_9_hardened = linuxKernel.kernels.linux_6_9_hardened; # GNU Linux-libre kernels linuxPackages-libre = linuxKernel.packages.linux_libre; diff --git a/pkgs/top-level/linux-kernels.nix b/pkgs/top-level/linux-kernels.nix index d0ee11f851315..b83c8d4bbf436 100644 --- a/pkgs/top-level/linux-kernels.nix +++ b/pkgs/top-level/linux-kernels.nix @@ -280,6 +280,8 @@ in { linux_6_1_hardened = hardenedKernelFor kernels.linux_6_1 { }; linux_6_5_hardened = hardenedKernelFor kernels.linux_6_5 { }; linux_6_6_hardened = hardenedKernelFor kernels.linux_6_6 { }; + linux_6_8_hardened = hardenedKernelFor kernels.linux_6_8 { }; + linux_6_9_hardened = hardenedKernelFor kernels.linux_6_9 { }; } // lib.optionalAttrs config.allowAliases { linux_4_9 = throw "linux 4.9 was removed because it will reach its end of life within 22.11"; @@ -662,6 +664,8 @@ in { linux_6_1_hardened = recurseIntoAttrs (packagesFor kernels.linux_6_1_hardened); linux_6_5_hardened = recurseIntoAttrs (packagesFor kernels.linux_6_5_hardened); linux_6_6_hardened = recurseIntoAttrs (packagesFor kernels.linux_6_6_hardened); + linux_6_8_hardened = recurseIntoAttrs (packagesFor kernels.linux_6_8_hardened); + linux_6_9_hardened = recurseIntoAttrs (packagesFor kernels.linux_6_9_hardened); linux_zen = recurseIntoAttrs (packagesFor kernels.linux_zen); linux_lqx = recurseIntoAttrs (packagesFor kernels.linux_lqx); |