authorobadz <obadz-git@obadz.com>2016-08-22 01:19:35 +0100
committerobadz <obadz-git@obadz.com>2016-08-22 01:19:35 +0100
commit24a9183f907cec515724484d84b0cf236de2e8d0 (patch)
tree67ab37c4de5d8e8f17b78cc8c6680f25edf7d930 /pkgs
parentba50fd71700bf796ea2339115733ca5a850015ea (diff)
parentb092538811a2bd4454ed9b056952c0a10f091076 (diff)
Merge branch 'hardened-stdenv' into staging
Closes #12895

Amazing work by @globin & @fpletz getting hardened compiler flags
enabled by default on the whole package set
Diffstat (limited to 'pkgs')
-rw-r--r--pkgs/applications/audio/aacgain/default.nix5
-rw-r--r--pkgs/applications/audio/cdparanoia/default.nix2
-rw-r--r--pkgs/applications/audio/csound/default.nix2
-rw-r--r--pkgs/applications/audio/freewheeling/default.nix2
-rw-r--r--pkgs/applications/audio/gjay/default.nix2
-rw-r--r--pkgs/applications/audio/jack-capture/default.nix4
-rw-r--r--pkgs/applications/audio/lingot/default.nix2
-rw-r--r--pkgs/applications/audio/mi2ly/default.nix2
-rw-r--r--pkgs/applications/audio/mp3info/default.nix2
-rw-r--r--pkgs/applications/audio/mp3val/default.nix2
-rw-r--r--pkgs/applications/audio/mpg321/default.nix2
-rw-r--r--pkgs/applications/audio/musescore/default.nix2
-rw-r--r--pkgs/applications/audio/pd-plugins/cyclone/default.nix2
-rw-r--r--pkgs/applications/audio/pd-plugins/maxlib/default.nix2
-rw-r--r--pkgs/applications/audio/pd-plugins/mrpeach/default.nix4
-rw-r--r--pkgs/applications/audio/qmidinet/default.nix2
-rw-r--r--pkgs/applications/audio/rakarrack/default.nix2
-rw-r--r--pkgs/applications/audio/x42-plugins/default.nix4
-rw-r--r--pkgs/applications/audio/zynaddsubfx/default.nix2
-rw-r--r--pkgs/applications/editors/bviplus/default.nix8
-rw-r--r--pkgs/applications/editors/emacs-25/default.nix2
-rw-r--r--pkgs/applications/editors/ht/default.nix5
-rw-r--r--pkgs/applications/editors/leafpad/default.nix2
-rw-r--r--pkgs/applications/editors/nedit/default.nix2
-rw-r--r--pkgs/applications/editors/neovim/default.nix3
-rw-r--r--pkgs/applications/editors/vim/configurable.nix2
-rw-r--r--pkgs/applications/editors/vim/default.nix2
-rw-r--r--pkgs/applications/graphics/cinepaint/default.nix4
-rw-r--r--pkgs/applications/graphics/fontmatrix/default.nix2
-rw-r--r--pkgs/applications/graphics/giv/default.nix3
-rw-r--r--pkgs/applications/graphics/gqview/default.nix2
-rw-r--r--pkgs/applications/graphics/kipi-plugins/default.nix4
-rw-r--r--pkgs/applications/graphics/meshlab/default.nix2
-rw-r--r--pkgs/applications/graphics/qtpfsgui/default.nix2
-rw-r--r--pkgs/applications/graphics/tesseract/default.nix2
-rw-r--r--pkgs/applications/graphics/xfig/default.nix2
-rw-r--r--pkgs/applications/graphics/zgv/default.nix2
-rw-r--r--pkgs/applications/inferno/default.nix2
-rw-r--r--pkgs/applications/misc/epdfview/default.nix9
-rw-r--r--pkgs/applications/misc/gkrellm/default.nix2
-rw-r--r--pkgs/applications/misc/grip/default.nix2
-rw-r--r--pkgs/applications/misc/k2pdfopt/default.nix4
-rw-r--r--pkgs/applications/misc/milu/default.nix2
-rw-r--r--pkgs/applications/misc/navit/default.nix2
-rw-r--r--pkgs/applications/misc/posterazor/default.nix2
-rw-r--r--pkgs/applications/misc/sdcv/default.nix2
-rw-r--r--pkgs/applications/misc/tasknc/default.nix2
-rw-r--r--pkgs/applications/misc/vym/default.nix4
-rw-r--r--pkgs/applications/misc/wordnet/default.nix2
-rw-r--r--pkgs/applications/misc/xpdf/default.nix2
-rw-r--r--pkgs/applications/networking/browsers/vimprobable2/default.nix8
-rw-r--r--pkgs/applications/networking/browsers/w3m/default.nix2
-rw-r--r--pkgs/applications/networking/instant-messengers/silc-client/default.nix2
-rw-r--r--pkgs/applications/networking/instant-messengers/vacuum/default.nix2
-rw-r--r--pkgs/applications/networking/iptraf-ng/default.nix2
-rw-r--r--pkgs/applications/networking/iptraf/default.nix6
-rw-r--r--pkgs/applications/networking/irc/bip/default.nix5
-rw-r--r--pkgs/applications/networking/mailreaders/alpine/default.nix31
-rw-r--r--pkgs/applications/networking/mailreaders/realpine/default.nix31
-rw-r--r--pkgs/applications/networking/remote/ssvnc/default.nix2
-rw-r--r--pkgs/applications/science/electronics/caneda/default.nix2
-rw-r--r--pkgs/applications/science/geometry/drgeo/default.nix2
-rw-r--r--pkgs/applications/science/logic/ltl2ba/default.nix2
-rw-r--r--pkgs/applications/science/logic/otter/default.nix5
-rw-r--r--pkgs/applications/science/logic/prover9/default.nix4
-rw-r--r--pkgs/applications/science/math/cbc/default.nix2
-rw-r--r--pkgs/applications/science/math/perseus/default.nix4
-rw-r--r--pkgs/applications/science/math/qalculate-gtk/default.nix3
-rw-r--r--pkgs/applications/science/math/singular/default.nix2
-rw-r--r--pkgs/applications/science/math/yacas/default.nix4
-rw-r--r--pkgs/applications/version-management/bitkeeper/default.nix2
-rw-r--r--pkgs/applications/version-management/cvs/default.nix2
-rw-r--r--pkgs/applications/version-management/git-and-tools/git/default.nix2
-rw-r--r--pkgs/applications/version-management/git-and-tools/qgit/default.nix20
-rw-r--r--pkgs/applications/version-management/redmine/default.nix3
-rw-r--r--pkgs/applications/video/aegisub/default.nix2
-rw-r--r--pkgs/applications/video/kino/default.nix10
-rw-r--r--pkgs/applications/video/subtitleeditor/default.nix2
-rw-r--r--pkgs/applications/virtualization/OVMF/default.nix2
-rw-r--r--pkgs/applications/virtualization/bochs/default.nix4
-rw-r--r--pkgs/applications/virtualization/cbfstool/default.nix2
-rw-r--r--pkgs/applications/virtualization/qboot/default.nix4
-rw-r--r--pkgs/applications/virtualization/seabios/default.nix6
-rw-r--r--pkgs/applications/virtualization/virtualbox/default.nix2
-rw-r--r--pkgs/applications/virtualization/virtualbox/guest-additions/default.nix2
-rw-r--r--pkgs/applications/virtualization/xen/generic.nix2
-rw-r--r--pkgs/applications/window-managers/stalonetray/default.nix4
-rw-r--r--pkgs/applications/window-managers/yabar/default.nix2
-rw-r--r--pkgs/build-support/cc-wrapper/add-hardening61
-rw-r--r--pkgs/build-support/cc-wrapper/cc-wrapper.sh9
-rw-r--r--pkgs/build-support/cc-wrapper/default.nix1
-rw-r--r--pkgs/build-support/cc-wrapper/ld-wrapper.sh6
-rw-r--r--pkgs/desktops/gnome-2/platform/libgnomecups/default.nix2
-rw-r--r--pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix6
-rw-r--r--pkgs/desktops/gnome-3/3.20/core/nautilus/default.nix2
-rw-r--r--pkgs/desktops/gnome-3/3.20/misc/libgda/default.nix2
-rw-r--r--pkgs/desktops/kde-4.14/kdebindings/qtruby.nix8
-rw-r--r--pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix2
-rw-r--r--pkgs/development/compilers/ccl/default.nix2
-rw-r--r--pkgs/development/compilers/clean/default.nix2
-rw-r--r--pkgs/development/compilers/dev86/default.nix2
-rw-r--r--pkgs/development/compilers/ecl/default.nix6
-rw-r--r--pkgs/development/compilers/edk2/default.nix8
-rw-r--r--pkgs/development/compilers/gcc/4.5/default.nix4
-rw-r--r--pkgs/development/compilers/gcc/4.6/default.nix2
-rw-r--r--pkgs/development/compilers/gcc/4.8/default.nix2
-rw-r--r--pkgs/development/compilers/gcc/4.9/default.nix2
-rw-r--r--pkgs/development/compilers/gcc/5/default.nix3
-rw-r--r--pkgs/development/compilers/gcc/6/default.nix2
-rw-r--r--pkgs/development/compilers/gcc/gfortran-darwin.nix14
-rw-r--r--pkgs/development/compilers/gcl/default.nix21
-rw-r--r--pkgs/development/compilers/ghc/6.10.4.nix2
-rw-r--r--pkgs/development/compilers/go/1.4.nix2
-rw-r--r--pkgs/development/compilers/go/1.5.nix2
-rw-r--r--pkgs/development/compilers/go/1.6.nix2
-rw-r--r--pkgs/development/compilers/gprolog/default.nix2
-rw-r--r--pkgs/development/compilers/mkcl/default.nix2
-rw-r--r--pkgs/development/compilers/picat/default.nix2
-rw-r--r--pkgs/development/compilers/qcmm/builder.sh29
-rw-r--r--pkgs/development/compilers/qcmm/default.nix12
-rw-r--r--pkgs/development/compilers/qcmm/qcmm.patch121
-rw-r--r--pkgs/development/compilers/squeak/default.nix2
-rw-r--r--pkgs/development/compilers/strategoxt/0.16.nix47
-rw-r--r--pkgs/development/compilers/strategoxt/0.17.nix112
-rw-r--r--pkgs/development/compilers/strategoxt/0.18.nix124
-rw-r--r--pkgs/development/compilers/swi-prolog/default.nix2
-rw-r--r--pkgs/development/compilers/teyjus/default.nix2
-rw-r--r--pkgs/development/compilers/tinycc/default.nix2
-rw-r--r--pkgs/development/compilers/webdsl/default.nix24
-rw-r--r--pkgs/development/compilers/wla-dx/default.nix5
-rw-r--r--pkgs/development/haskell-modules/configuration-common.nix37
-rw-r--r--pkgs/development/interpreters/clisp/2.44.1.nix10
-rw-r--r--pkgs/development/interpreters/erlang/R14.nix65
-rw-r--r--pkgs/development/interpreters/lua-4/default.nix2
-rw-r--r--pkgs/development/interpreters/lua-5/sec.nix2
-rw-r--r--pkgs/development/interpreters/lush/default.nix31
-rw-r--r--pkgs/development/interpreters/maude/default.nix2
-rw-r--r--pkgs/development/interpreters/perl/default.nix3
-rw-r--r--pkgs/development/interpreters/php/default.nix2
-rw-r--r--pkgs/development/interpreters/ruby/default.nix3
-rw-r--r--pkgs/development/interpreters/ruby/patchsets.nix4
-rw-r--r--pkgs/development/interpreters/ruby/rand-egd.patch42
-rw-r--r--pkgs/development/interpreters/ruby/ruby22-rand-egd.patch42
-rw-r--r--pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix4
-rw-r--r--pkgs/development/interpreters/spidermonkey/default.nix3
-rw-r--r--pkgs/development/interpreters/supercollider/default.nix4
-rw-r--r--pkgs/development/interpreters/unicon-lang/default.nix2
-rw-r--r--pkgs/development/interpreters/wasm/default.nix3
-rw-r--r--pkgs/development/libraries/CoinMP/default.nix2
-rw-r--r--pkgs/development/libraries/a52dec/default.nix2
-rw-r--r--pkgs/development/libraries/accelio/default.nix2
-rw-r--r--pkgs/development/libraries/allegro/default.nix2
-rw-r--r--pkgs/development/libraries/aterm/2.5.nix34
-rw-r--r--pkgs/development/libraries/aterm/max-long.patch77
-rw-r--r--pkgs/development/libraries/aterm/sizeof.patch56
-rw-r--r--pkgs/development/libraries/audio/libbs2b/default.nix2
-rw-r--r--pkgs/development/libraries/cgui/default.nix3
-rw-r--r--pkgs/development/libraries/cloog/0.18.0.nix3
-rw-r--r--pkgs/development/libraries/ctpp2/default.nix4
-rw-r--r--pkgs/development/libraries/cwiid/default.nix52
-rw-r--r--pkgs/development/libraries/db/db-4.4.nix1
-rw-r--r--pkgs/development/libraries/db/db-4.5.nix1
-rw-r--r--pkgs/development/libraries/db/db-4.7.nix1
-rw-r--r--pkgs/development/libraries/db/db-4.8.nix1
-rw-r--r--pkgs/development/libraries/db/generic.nix5
-rw-r--r--pkgs/development/libraries/faac/default.nix2
-rw-r--r--pkgs/development/libraries/fox/default.nix2
-rw-r--r--pkgs/development/libraries/fox/fox-1.6.nix2
-rw-r--r--pkgs/development/libraries/freetds/default.nix2
-rw-r--r--pkgs/development/libraries/fribidi/default.nix4
-rw-r--r--pkgs/development/libraries/gd/default.nix3
-rw-r--r--pkgs/development/libraries/gdal/default.nix2
-rw-r--r--pkgs/development/libraries/gdal/gdal-1_11.nix2
-rw-r--r--pkgs/development/libraries/gdome2/default.nix2
-rw-r--r--pkgs/development/libraries/gegl/3.0.nix14
-rw-r--r--pkgs/development/libraries/geoclue/default.nix2
-rw-r--r--pkgs/development/libraries/gettext/default.nix3
-rw-r--r--pkgs/development/libraries/giflib/4.1.nix4
-rw-r--r--pkgs/development/libraries/giflib/libungif.nix2
-rw-r--r--pkgs/development/libraries/glibc/default.nix2
-rw-r--r--pkgs/development/libraries/gmp/5.1.x.nix3
-rw-r--r--pkgs/development/libraries/gnu-efi/default.nix2
-rw-r--r--pkgs/development/libraries/gsm/default.nix2
-rw-r--r--pkgs/development/libraries/gstreamer/legacy/gst-python/default.nix2
-rw-r--r--pkgs/development/libraries/hspell/default.nix2
-rw-r--r--pkgs/development/libraries/hunspell/default.nix2
-rw-r--r--pkgs/development/libraries/isl/0.14.1.nix3
-rw-r--r--pkgs/development/libraries/itk/default.nix1
-rw-r--r--pkgs/development/libraries/java/swt/default.nix2
-rw-r--r--pkgs/development/libraries/libdnet/default.nix2
-rw-r--r--pkgs/development/libraries/libdwg/default.nix2
-rw-r--r--pkgs/development/libraries/libelf/default.nix3
-rw-r--r--pkgs/development/libraries/libf2c/default.nix4
-rw-r--r--pkgs/development/libraries/libgeotiff/default.nix2
-rw-r--r--pkgs/development/libraries/libgksu/default.nix2
-rw-r--r--pkgs/development/libraries/libgphoto2/default.nix2
-rw-r--r--pkgs/development/libraries/libidn/default.nix2
-rw-r--r--pkgs/development/libraries/libjson-rpc-cpp/default.nix2
-rw-r--r--pkgs/development/libraries/libmpc/default.nix3
-rw-r--r--pkgs/development/libraries/librsync/0.9.nix6
-rw-r--r--pkgs/development/libraries/libunwind/default.nix1
-rw-r--r--pkgs/development/libraries/libvisual/default.nix2
-rw-r--r--pkgs/development/libraries/libyaml-cpp/default.nix4
-rw-r--r--pkgs/development/libraries/motif/default.nix2
-rw-r--r--pkgs/development/libraries/mp4v2/default.nix2
-rw-r--r--pkgs/development/libraries/mpfr/default.nix3
-rw-r--r--pkgs/development/libraries/nvidia-texture-tools/default.nix2
-rw-r--r--pkgs/development/libraries/opencascade/6.5.nix2
-rw-r--r--pkgs/development/libraries/opencascade/default.nix2
-rw-r--r--pkgs/development/libraries/opencv/3.x.nix2
-rw-r--r--pkgs/development/libraries/opencv/default.nix2
-rw-r--r--pkgs/development/libraries/pdf2xml/default.nix10
-rw-r--r--pkgs/development/libraries/plib/default.nix5
-rw-r--r--pkgs/development/libraries/portmidi/default.nix2
-rw-r--r--pkgs/development/libraries/pupnp/default.nix2
-rw-r--r--pkgs/development/libraries/qhull/default.nix2
-rw-r--r--pkgs/development/libraries/qt-3/default.nix2
-rw-r--r--pkgs/development/libraries/qtscriptgenerator/default.nix10
-rw-r--r--pkgs/development/libraries/science/math/atlas/default.nix7
-rw-r--r--pkgs/development/libraries/science/math/suitesparse/default.nix2
-rw-r--r--pkgs/development/libraries/smpeg/default.nix2
-rw-r--r--pkgs/development/libraries/speechd/default.nix2
-rw-r--r--pkgs/development/libraries/tidyp/default.nix2
-rw-r--r--pkgs/development/libraries/vxl/default.nix14
-rw-r--r--pkgs/development/libraries/vxl/gcc5.patch15
-rw-r--r--pkgs/development/libraries/xmlrpc-c/default.nix2
-rw-r--r--pkgs/development/libraries/zlib/default.nix6
-rw-r--r--pkgs/development/misc/avr-gcc-with-avr-libc/default.nix2
-rw-r--r--pkgs/development/pharo/vm/build-vm.nix2
-rw-r--r--pkgs/development/python-modules/wxPython/3.0.nix2
-rw-r--r--pkgs/development/tools/analysis/cccc/default.nix4
-rw-r--r--pkgs/development/tools/analysis/flow/default.nix1
-rw-r--r--pkgs/development/tools/analysis/garcosim/tracefilesim/default.nix2
-rw-r--r--pkgs/development/tools/analysis/radare/default.nix5
-rw-r--r--pkgs/development/tools/analysis/rr/default.nix5
-rw-r--r--pkgs/development/tools/analysis/valgrind/default.nix2
-rw-r--r--pkgs/development/tools/boost-build/default.nix2
-rw-r--r--pkgs/development/tools/build-managers/gnumake/3.80/default.nix4
-rw-r--r--pkgs/development/tools/misc/binutils/default.nix3
-rw-r--r--pkgs/development/tools/misc/elfutils/default.nix2
-rw-r--r--pkgs/development/tools/misc/gnum4/default.nix3
-rw-r--r--pkgs/development/tools/misc/kconfig-frontends/default.nix2
-rw-r--r--pkgs/development/tools/misc/patchelf/default.nix3
-rw-r--r--pkgs/development/tools/misc/rman/default.nix7
-rw-r--r--pkgs/development/tools/misc/texinfo/6.1.nix3
-rw-r--r--pkgs/development/tools/omniorb/default.nix2
-rw-r--r--pkgs/development/tools/parsing/bison/3.x.nix3
-rw-r--r--pkgs/development/tools/toluapp/default.nix2
-rw-r--r--pkgs/development/web/wml/default.nix6
-rw-r--r--pkgs/games/asc/default.nix1
-rw-r--r--pkgs/games/bsdgames/default.nix2
-rw-r--r--pkgs/games/crack-attack/default.nix2
-rw-r--r--pkgs/games/eboard/default.nix2
-rw-r--r--pkgs/games/gnugo/default.nix17
-rw-r--r--pkgs/games/lincity/ng.nix4
-rw-r--r--pkgs/games/liquidwar/default.nix2
-rw-r--r--pkgs/games/pioneers/default.nix2
-rw-r--r--pkgs/games/scummvm/default.nix6
-rw-r--r--pkgs/games/stardust/default.nix2
-rw-r--r--pkgs/games/torcs/default.nix2
-rw-r--r--pkgs/games/trackballs/default.nix2
-rw-r--r--pkgs/games/xconq/default.nix6
-rw-r--r--pkgs/games/xpilot/bloodspilot-server.nix34
-rw-r--r--pkgs/games/xpilot/server-gcc5.patch65
-rw-r--r--pkgs/games/zandronum/default.nix2
-rw-r--r--pkgs/misc/emulators/dlx/default.nix2
-rw-r--r--pkgs/misc/emulators/dosbox/default.nix8
-rw-r--r--pkgs/misc/emulators/fakenes/default.nix2
-rw-r--r--pkgs/misc/emulators/mupen64plus/default.nix10
-rw-r--r--pkgs/misc/emulators/nestopia/default.nix2
-rw-r--r--pkgs/misc/emulators/uae/default.nix7
-rw-r--r--pkgs/misc/mxt-app/default.nix2
-rw-r--r--pkgs/misc/talkfilters/default.nix14
-rw-r--r--pkgs/os-specific/linux/acpi-call/default.nix4
-rw-r--r--pkgs/os-specific/linux/ati-drivers/default.nix2
-rw-r--r--pkgs/os-specific/linux/batman-adv/default.nix2
-rw-r--r--pkgs/os-specific/linux/bbswitch/default.nix2
-rw-r--r--pkgs/os-specific/linux/blcr/default.nix4
-rw-r--r--pkgs/os-specific/linux/broadcom-sta/default.nix2
-rw-r--r--pkgs/os-specific/linux/busybox/default.nix2
-rw-r--r--pkgs/os-specific/linux/checksec/default.nix9
-rw-r--r--pkgs/os-specific/linux/criu/default.nix6
-rw-r--r--pkgs/os-specific/linux/cryptodev/default.nix19
-rw-r--r--pkgs/os-specific/linux/disk-indicator/default.nix2
-rw-r--r--pkgs/os-specific/linux/dmraid/default.nix2
-rw-r--r--pkgs/os-specific/linux/dmraid/hardening-format.patch18
-rw-r--r--pkgs/os-specific/linux/dpdk/default.nix2
-rw-r--r--pkgs/os-specific/linux/e1000e/default.nix2
-rw-r--r--pkgs/os-specific/linux/ena/default.nix3
-rw-r--r--pkgs/os-specific/linux/facetimehd/default.nix4
-rw-r--r--pkgs/os-specific/linux/frandom/default.nix2
-rw-r--r--pkgs/os-specific/linux/fusionio/vsl.nix2
-rw-r--r--pkgs/os-specific/linux/gogoclient/default.nix2
-rw-r--r--pkgs/os-specific/linux/ifenslave/default.nix2
-rw-r--r--pkgs/os-specific/linux/ixgbevf/default.nix2
-rw-r--r--pkgs/os-specific/linux/jool/default.nix2
-rw-r--r--pkgs/os-specific/linux/kernel-headers/3.18.nix3
-rw-r--r--pkgs/os-specific/linux/kernel/manual-config.nix2
-rw-r--r--pkgs/os-specific/linux/kexectools/default.nix2
-rw-r--r--pkgs/os-specific/linux/klibc/default.nix2
-rw-r--r--pkgs/os-specific/linux/ldm/default.nix2
-rw-r--r--pkgs/os-specific/linux/libaio/default.nix2
-rw-r--r--pkgs/os-specific/linux/lttng-modules/default.nix4
-rw-r--r--pkgs/os-specific/linux/mba6x_bl/default.nix2
-rw-r--r--pkgs/os-specific/linux/multipath-tools/default.nix2
-rw-r--r--pkgs/os-specific/linux/mxu11x0/default.nix2
-rw-r--r--pkgs/os-specific/linux/ndiswrapper/default.nix2
-rw-r--r--pkgs/os-specific/linux/netatop/default.nix2
-rw-r--r--pkgs/os-specific/linux/numad/default.nix2
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/beta.nix2
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/default.nix2
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/legacy173.nix2
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/legacy304.nix2
-rw-r--r--pkgs/os-specific/linux/nvidia-x11/legacy340.nix2
-rw-r--r--pkgs/os-specific/linux/nvidiabl/default.nix2
-rw-r--r--pkgs/os-specific/linux/paxctl/default.nix3
-rw-r--r--pkgs/os-specific/linux/phc-intel/default.nix2
-rw-r--r--pkgs/os-specific/linux/prl-tools/default.nix2
-rw-r--r--pkgs/os-specific/linux/psmouse-alps/default.nix40
-rw-r--r--pkgs/os-specific/linux/rtl8723bs/default.nix2
-rw-r--r--pkgs/os-specific/linux/rtl8812au/default.nix12
-rw-r--r--pkgs/os-specific/linux/setools/default.nix2
-rw-r--r--pkgs/os-specific/linux/spl/default.nix2
-rw-r--r--pkgs/os-specific/linux/sysdig/default.nix37
-rw-r--r--pkgs/os-specific/linux/syslinux/default.nix1
-rw-r--r--pkgs/os-specific/linux/systemd/default.nix2
-rw-r--r--pkgs/os-specific/linux/tp_smapi/default.nix2
-rw-r--r--pkgs/os-specific/linux/uclibc/default.nix2
-rw-r--r--pkgs/os-specific/linux/v4l2loopback/default.nix6
-rw-r--r--pkgs/os-specific/linux/v86d/default.nix2
-rw-r--r--pkgs/os-specific/linux/wireguard/default.nix2
-rw-r--r--pkgs/os-specific/linux/xf86-video-nested/default.nix5
-rw-r--r--pkgs/os-specific/linux/zfs/default.nix2
-rw-r--r--pkgs/servers/beanstalkd/default.nix2
-rw-r--r--pkgs/servers/firebird/default.nix4
-rw-r--r--pkgs/servers/gpm/default.nix2
-rw-r--r--pkgs/servers/http/nginx/generic.nix11
-rw-r--r--pkgs/servers/icecast/default.nix2
-rw-r--r--pkgs/servers/irc/charybdis/default.nix2
-rw-r--r--pkgs/servers/mail/postfix/default.nix6
-rw-r--r--pkgs/servers/mail/postfix/pfixtools.nix2
-rw-r--r--pkgs/servers/memcached/default.nix2
-rw-r--r--pkgs/servers/nosql/mongodb/default.nix3
-rw-r--r--pkgs/servers/nosql/riak/2.1.1.nix2
-rw-r--r--pkgs/servers/openafs-client/default.nix2
-rw-r--r--pkgs/servers/sip/freeswitch/default.nix12
-rw-r--r--pkgs/servers/sql/virtuoso/7.x.nix2
-rw-r--r--pkgs/servers/x11/xorg/builder.sh1
-rw-r--r--pkgs/servers/x11/xorg/default.nix4
-rw-r--r--pkgs/servers/x11/xorg/overrides.nix4
-rw-r--r--pkgs/shells/bash/default.nix2
-rw-r--r--pkgs/shells/dash/default.nix2
-rw-r--r--pkgs/shells/mksh/default.nix2
-rw-r--r--pkgs/tools/X11/x2vnc/default.nix2
-rw-r--r--pkgs/tools/X11/x2x/default.nix2
-rw-r--r--pkgs/tools/X11/xbindkeys-config/default.nix2
-rw-r--r--pkgs/tools/admin/tightvnc/default.nix2
-rw-r--r--pkgs/tools/archivers/cromfs/default.nix11
-rw-r--r--pkgs/tools/archivers/dar/default.nix2
-rw-r--r--pkgs/tools/archivers/sharutils/default.nix2
-rw-r--r--pkgs/tools/archivers/unzip/default.nix2
-rw-r--r--pkgs/tools/archivers/xarchive/default.nix2
-rw-r--r--pkgs/tools/archivers/zip/default.nix2
-rw-r--r--pkgs/tools/bootloaders/refind/default.nix2
-rw-r--r--pkgs/tools/cd-dvd/cdrdao/default.nix2
-rw-r--r--pkgs/tools/cd-dvd/cdrkit/default.nix2
-rw-r--r--pkgs/tools/compression/xz/default.nix3
-rw-r--r--pkgs/tools/filesystems/fusesmb/default.nix2
-rw-r--r--pkgs/tools/filesystems/jfsutils/default.nix2
-rw-r--r--pkgs/tools/filesystems/jfsutils/hardening-format.patch37
-rw-r--r--pkgs/tools/filesystems/reiser4progs/default.nix2
-rw-r--r--pkgs/tools/filesystems/udftools/default.nix2
-rw-r--r--pkgs/tools/graphics/barcode/default.nix3
-rw-r--r--pkgs/tools/graphics/editres/default.nix4
-rw-r--r--pkgs/tools/graphics/ggobi/default.nix2
-rw-r--r--pkgs/tools/graphics/graphviz/2.0.nix9
-rw-r--r--pkgs/tools/graphics/graphviz/2.32.nix2
-rw-r--r--pkgs/tools/graphics/graphviz/default.nix4
-rw-r--r--pkgs/tools/graphics/jbig2enc/default.nix4
-rw-r--r--pkgs/tools/graphics/lprof/default.nix2
-rw-r--r--pkgs/tools/graphics/netpbm/default.nix6
-rw-r--r--pkgs/tools/graphics/nifskope/default.nix2
-rw-r--r--pkgs/tools/graphics/ploticus/default.nix2
-rw-r--r--pkgs/tools/graphics/plotutils/default.nix2
-rw-r--r--pkgs/tools/graphics/pngcheck/default.nix4
-rw-r--r--pkgs/tools/graphics/qrcode/default.nix7
-rw-r--r--pkgs/tools/graphics/transfig/default.nix2
-rw-r--r--pkgs/tools/graphics/zbar/default.nix2
-rw-r--r--pkgs/tools/misc/calamares/default.nix17
-rw-r--r--pkgs/tools/misc/coreutils/default.nix5
-rw-r--r--pkgs/tools/misc/ddccontrol/default.nix4
-rw-r--r--pkgs/tools/misc/detox/default.nix2
-rw-r--r--pkgs/tools/misc/expect/default.nix2
-rw-r--r--pkgs/tools/misc/fondu/default.nix4
-rw-r--r--pkgs/tools/misc/gbdfed/default.nix2
-rw-r--r--pkgs/tools/misc/grub/2.0x.nix2
-rw-r--r--pkgs/tools/misc/grub/default.nix2
-rw-r--r--pkgs/tools/misc/grub/trusted.nix2
-rw-r--r--pkgs/tools/misc/grub4dos/default.nix2
-rw-r--r--pkgs/tools/misc/ipxe/default.nix3
-rw-r--r--pkgs/tools/misc/lrzsz/default.nix2
-rw-r--r--pkgs/tools/misc/memtest86+/default.nix2
-rw-r--r--pkgs/tools/misc/mmv/default.nix2
-rw-r--r--pkgs/tools/misc/pal/default.nix6
-rw-r--r--pkgs/tools/misc/recutils/default.nix2
-rw-r--r--pkgs/tools/misc/sutils/default.nix2
-rw-r--r--pkgs/tools/misc/uucp/default.nix2
-rw-r--r--pkgs/tools/misc/vorbisgain/default.nix5
-rw-r--r--pkgs/tools/misc/wv/default.nix2
-rw-r--r--pkgs/tools/misc/xfstests/default.nix2
-rw-r--r--pkgs/tools/networking/chrony/default.nix2
-rw-r--r--pkgs/tools/networking/dhcpdump/default.nix2
-rw-r--r--pkgs/tools/networking/dnsmasq/default.nix2
-rw-r--r--pkgs/tools/networking/eggdrop/default.nix17
-rw-r--r--pkgs/tools/networking/iperf/2.nix2
-rw-r--r--pkgs/tools/networking/lsh/default.nix51
-rw-r--r--pkgs/tools/networking/lsh/lshd-no-root-login.patch16
-rw-r--r--pkgs/tools/networking/lsh/pam-service-name.patch14
-rw-r--r--pkgs/tools/networking/mailutils/default.nix2
-rw-r--r--pkgs/tools/networking/netboot/default.nix4
-rw-r--r--pkgs/tools/networking/ntp/default.nix2
-rw-r--r--pkgs/tools/networking/openfortivpn/default.nix10
-rw-r--r--pkgs/tools/networking/openssh/default.nix2
-rw-r--r--pkgs/tools/networking/quicktun/default.nix2
-rw-r--r--pkgs/tools/networking/radvd/default.nix2
-rw-r--r--pkgs/tools/networking/socat/default.nix2
-rw-r--r--pkgs/tools/networking/stunnel/default.nix4
-rw-r--r--pkgs/tools/networking/telnet/default.nix2
-rw-r--r--pkgs/tools/networking/trickle/default.nix4
-rw-r--r--pkgs/tools/networking/uwimap/default.nix2
-rw-r--r--pkgs/tools/networking/vde2/default.nix2
-rw-r--r--pkgs/tools/networking/vlan/default.nix6
-rw-r--r--pkgs/tools/package-management/checkinstall/default.nix2
-rw-r--r--pkgs/tools/package-management/clib/default.nix2
-rw-r--r--pkgs/tools/security/ccrypt/default.nix2
-rw-r--r--pkgs/tools/security/fprint_demo/default.nix2
-rw-r--r--pkgs/tools/security/john/default.nix2
-rw-r--r--pkgs/tools/security/john/gcc5.patch14
-rw-r--r--pkgs/tools/security/tboot/default.nix3
-rw-r--r--pkgs/tools/system/cron/default.nix2
-rw-r--r--pkgs/tools/system/facter/default.nix4
-rw-r--r--pkgs/tools/system/foremost/default.nix2
-rw-r--r--pkgs/tools/system/gdmap/default.nix4
-rw-r--r--pkgs/tools/system/rowhammer-test/default.nix2
-rw-r--r--pkgs/tools/system/rsyslog/default.nix2
-rw-r--r--pkgs/tools/system/which/default.nix5
-rw-r--r--pkgs/tools/text/a2ps/default.nix2
-rw-r--r--pkgs/tools/text/convertlit/default.nix16
-rw-r--r--pkgs/tools/text/patchutils/default.nix2
-rw-r--r--pkgs/tools/text/untex/default.nix2
-rw-r--r--pkgs/tools/typesetting/bibtex-tools/default.nix17
-rw-r--r--pkgs/tools/typesetting/tex/tetex/default.nix4
-rw-r--r--pkgs/tools/typesetting/tex/tex4ht/default.nix2
-rw-r--r--pkgs/tools/typesetting/tex/texlive-new/bin.nix4
-rw-r--r--pkgs/tools/typesetting/xmlroff/default.nix2
-rw-r--r--pkgs/tools/video/mjpegtools/default.nix2
-rw-r--r--pkgs/tools/video/vncrec/default.nix2
-rw-r--r--pkgs/top-level/all-packages.nix51
-rw-r--r--pkgs/top-level/guile-2-test.nix1
-rw-r--r--pkgs/top-level/release-small.nix1
-rw-r--r--pkgs/top-level/release.nix8
461 files changed, 1570 insertions, 1267 deletions
diff --git a/pkgs/applications/audio/aacgain/default.nix b/pkgs/applications/audio/aacgain/default.nix
index 69cc798ec0f96..a22866dc031ab 100644
--- a/pkgs/applications/audio/aacgain/default.nix
+++ b/pkgs/applications/audio/aacgain/default.nix
@@ -2,6 +2,7 @@
 
 stdenv.mkDerivation {
   name = "aacgain-1.9.0";
+
   src = fetchFromGitHub {
     owner = "mulx";
     repo = "aacgain";
@@ -9,6 +10,8 @@ stdenv.mkDerivation {
     sha256 = "07hl432vsscqg01b6wr99qmsj4gbx0i02x4k565432y6zpfmaxm0";
   };
 
+  hardeningDisable = [ "format" ];
+
   configurePhase = ''
     cd mp4v2
     ./configure
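Review bot: The added `hardeningDisable = [ "format" ];` switches off the format-string hardening for the whole aacgain build without recording why, and the same uncommented line is added in the cdparanoia, csound, freewheeling, gjay, jack-capture, lingot, mi2ly, mp3info, mpg321, cyclone, maxlib and mrpeach hunks. In nixpkgs this flag is what adds `-Wformat -Wformat-security -Werror=format-security`, so presumably each of these packages passes a non-literal format string somewhere and fails the build; which call sites are involved matters, because some may format data that comes from input files. I would put a comment above each line, for example `# FIXME: fails with -Werror=format-security; patch the printf call sites and drop this`, so the exceptions can be found and removed later. Where the fix is small, carrying a patch is preferable to the opt-out, as this merge already does for dmraid and jfsutils (`hardening-format.patch` in the diffstat).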
@@ -28,7 +31,7 @@ stdenv.mkDerivation {
     make LDFLAGS=-static
 
     cd ..
-    make   
+    make
   '';
 
   installPhase = ''
diff --git a/pkgs/applications/audio/cdparanoia/default.nix b/pkgs/applications/audio/cdparanoia/default.nix
index 8d5ff663a540f..28183a2c66919 100644
--- a/pkgs/applications/audio/cdparanoia/default.nix
+++ b/pkgs/applications/audio/cdparanoia/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "1pv4zrajm46za0f6lv162iqffih57a8ly4pc69f7y0gfyigb8p80";
   };
 
+  hardeningDisable = [ "format" ];
+
   preConfigure = "unset CC";
 
   patches = stdenv.lib.optionals stdenv.isDarwin [
diff --git a/pkgs/applications/audio/csound/default.nix b/pkgs/applications/audio/csound/default.nix
index 664d80490f2ad..166ed592ad842 100644
--- a/pkgs/applications/audio/csound/default.nix
+++ b/pkgs/applications/audio/csound/default.nix
@@ -16,6 +16,8 @@ stdenv.mkDerivation {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "format" ];
+
   src = fetchurl {
     url = mirror://sourceforge/csound/Csound6.04.tar.gz;
     sha256 = "1030w38lxdwjz1irr32m9cl0paqmgr02lab2m7f7j1yihwxj1w0g";
diff --git a/pkgs/applications/audio/freewheeling/default.nix b/pkgs/applications/audio/freewheeling/default.nix
index f7330ee12f919..1611975182bcf 100644
--- a/pkgs/applications/audio/freewheeling/default.nix
+++ b/pkgs/applications/audio/freewheeling/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation {
 
   patches = [ ./am_path_sdl.patch ./xml.patch ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "A live looping instrument with JACK and MIDI support";
     longDescription = ''
diff --git a/pkgs/applications/audio/gjay/default.nix b/pkgs/applications/audio/gjay/default.nix
index 93b23b2f763f8..7486ec3e081fa 100644
--- a/pkgs/applications/audio/gjay/default.nix
+++ b/pkgs/applications/audio/gjay/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ mpd_clientlib dbus_glib audacious gtk gsl libaudclient ];
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "Generates playlists such that each song sounds good following the previous song";
     homepage = http://gjay.sourceforge.net/;
diff --git a/pkgs/applications/audio/jack-capture/default.nix b/pkgs/applications/audio/jack-capture/default.nix
index ef6d13e56966b..ec7f7a5c32dbc 100644
--- a/pkgs/applications/audio/jack-capture/default.nix
+++ b/pkgs/applications/audio/jack-capture/default.nix
@@ -18,7 +18,9 @@ stdenv.mkDerivation rec {
     cp jack_capture $out/bin/
   '';
 
-  meta = with stdenv.lib; { 
+  hardeningDisable = [ "format" ];
+
+  meta = with stdenv.lib; {
     description = "A program for recording soundfiles with jack";
     homepage = http://archive.notam02.no/arkiv/src;
     license = licenses.gpl2;
diff --git a/pkgs/applications/audio/lingot/default.nix b/pkgs/applications/audio/lingot/default.nix
index 4b07c84b0be8c..22ab37dc98af2 100644
--- a/pkgs/applications/audio/lingot/default.nix
+++ b/pkgs/applications/audio/lingot/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation {
     sha256 = "0ygras6ndw2fylwxx86ac11pcr2y2bcfvvgiwrh92z6zncx254gc";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ pkgconfig intltool gtk alsaLib libglade ];
 
   configureFlags = "--disable-jack";
diff --git a/pkgs/applications/audio/mi2ly/default.nix b/pkgs/applications/audio/mi2ly/default.nix
index 1d736b06938a9..fa4ea6343e915 100644
--- a/pkgs/applications/audio/mi2ly/default.nix
+++ b/pkgs/applications/audio/mi2ly/default.nix
@@ -21,6 +21,8 @@ stdenv.mkDerivation {
 
   sourceRoot=".";
 
+  hardeningDisable = [ "format" ];
+
   buildPhase = "./cc";
   installPhase = ''
     mkdir -p "$out"/{bin,share/doc/mi2ly}
diff --git a/pkgs/applications/audio/mp3info/default.nix b/pkgs/applications/audio/mp3info/default.nix
index e4c45c613ee8c..d28cd7c9e06d1 100644
--- a/pkgs/applications/audio/mp3info/default.nix
+++ b/pkgs/applications/audio/mp3info/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ ncurses pkgconfig gtk ];
 
+  hardeningDisable = [ "format" ];
+
   configurePhase =
     '' sed -i Makefile \
            -e "s|^prefix=.*$|prefix=$out|g ;
diff --git a/pkgs/applications/audio/mp3val/default.nix b/pkgs/applications/audio/mp3val/default.nix
index 0957420b65856..7477bea7602c4 100644
--- a/pkgs/applications/audio/mp3val/default.nix
+++ b/pkgs/applications/audio/mp3val/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
     install -Dv mp3val "$out/bin/mp3val"
   '';
 
+  hardeningDisable = [ "fortify" ];
+
   meta = {
     description = "A tool for validating and repairing MPEG audio streams";
     longDescription = ''
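Review bot: `hardeningDisable = [ "fortify" ];` removes a runtime mitigation rather than a build-time warning, and it does so for a tool that its own description says validates and repairs MPEG audio streams, i.e. one that reads possibly malformed input; the hunk gives no reason. If fortify was turned off because the build or a run tripped a fortified libc check (not visible here), that points at a real out-of-bounds access in mp3val that should be patched or reported upstream rather than masked. At minimum add a comment such as `# FIXME: fortify disabled because <reason>; re-enable once fixed upstream` so the exception is revisited.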
diff --git a/pkgs/applications/audio/mpg321/default.nix b/pkgs/applications/audio/mpg321/default.nix
index 489831dc46411..b68c44278ee1e 100644
--- a/pkgs/applications/audio/mpg321/default.nix
+++ b/pkgs/applications/audio/mpg321/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "0ki8mh76bbmdh77qsiw682dvi8y468yhbdabqwg05igmwc1wqvq5";
   };
 
+  hardeningDisable = [ "format" ];
+
   configureFlags = [
     ("--enable-alsa=" + (if stdenv.isLinux then "yes" else "no"))
   ];
diff --git a/pkgs/applications/audio/musescore/default.nix b/pkgs/applications/audio/musescore/default.nix
index 99fe26b5927a2..c719080c7427c 100644
--- a/pkgs/applications/audio/musescore/default.nix
+++ b/pkgs/applications/audio/musescore/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
     sha256 = "067f4li48qfhz2barj70zpf2d2mlii12npx07jx9xjkkgz84z4c9";
   };
 
+  hardeningDisable = [ "relro" "bindnow" ];
+
   makeFlags = [
     "PREFIX=$(out)"
   ];
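Review bot: `relro` and `bindnow` are both switched off for musescore with no stated reason, which leaves the GOT writable for the life of the process. These are link-time flags (`-z relro`, `-z now`), so the cause is more likely a link or plugin-loading failure than a source problem, though the hunk does not show it. If only one of the two breaks the build, keep the other, and record the failure in a comment like `# -z now: <unresolved symbol or loader error>`.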
diff --git a/pkgs/applications/audio/pd-plugins/cyclone/default.nix b/pkgs/applications/audio/pd-plugins/cyclone/default.nix
index 2331944db0174..e4ec281cacb85 100644
--- a/pkgs/applications/audio/pd-plugins/cyclone/default.nix
+++ b/pkgs/applications/audio/pd-plugins/cyclone/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ puredata ];
 
+  hardeningDisable = [ "format" ];
+
   patchPhase = ''
     for file in `grep -r -l g_canvas.h`
       do
diff --git a/pkgs/applications/audio/pd-plugins/maxlib/default.nix b/pkgs/applications/audio/pd-plugins/maxlib/default.nix
index c5732387b503b..3b836d9eb3304 100644
--- a/pkgs/applications/audio/pd-plugins/maxlib/default.nix
+++ b/pkgs/applications/audio/pd-plugins/maxlib/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ puredata ];
 
+  hardeningDisable = [ "format" ];
+
   patchPhase = ''
     for i in ${puredata}/include/pd/*; do
       ln -s $i .
diff --git a/pkgs/applications/audio/pd-plugins/mrpeach/default.nix b/pkgs/applications/audio/pd-plugins/mrpeach/default.nix
index 5f76b208e143d..972a162b73f44 100644
--- a/pkgs/applications/audio/pd-plugins/mrpeach/default.nix
+++ b/pkgs/applications/audio/pd-plugins/mrpeach/default.nix
@@ -14,7 +14,9 @@ stdenv.mkDerivation rec {
     sha256 = "12jqba3jsdrk20ib9wc2wiivki88ypcd4mkzgsri9siywbbz9w8x";
   };
 
-  buildInputs = [puredata ];
+  buildInputs = [ puredata ];
+
+  hardeningDisable = [ "format" ];
 
   patchPhase = ''
     for D in net osc
diff --git a/pkgs/applications/audio/qmidinet/default.nix b/pkgs/applications/audio/qmidinet/default.nix
index d8d8945db9287..42c98cbb11015 100644
--- a/pkgs/applications/audio/qmidinet/default.nix
+++ b/pkgs/applications/audio/qmidinet/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "1a1pj4w74wj1gcfv4a0vzcglmr5sw0xp0y56w8rk3ig4k11xi8sa";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ qt4 alsaLib libjack2 ];
 
   meta = with stdenv.lib; {
diff --git a/pkgs/applications/audio/rakarrack/default.nix b/pkgs/applications/audio/rakarrack/default.nix
index 37815412fc350..ec71cfb427c6a 100644
--- a/pkgs/applications/audio/rakarrack/default.nix
+++ b/pkgs/applications/audio/rakarrack/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation  rec {
     sha256 = "1rpf63pdn54c4yg13k7cb1w1c7zsvl97c4qxcpz41c8l91xd55kn";
   };
 
+  hardeningDisable = [ "format" ];
+
   patches = [ ./fltk-path.patch ];
 
   buildInputs = [ alsaLib alsaUtils fltk libjack2 libXft libXpm libjpeg
diff --git a/pkgs/applications/audio/x42-plugins/default.nix b/pkgs/applications/audio/x42-plugins/default.nix
index f3a7205081038..9ca78ee1a3f4a 100644
--- a/pkgs/applications/audio/x42-plugins/default.nix
+++ b/pkgs/applications/audio/x42-plugins/default.nix
@@ -1,5 +1,5 @@
 { stdenv, fetchurl, fetchgit, ftgl, freefont_ttf, libjack2, mesa_glu, pkgconfig
-, libltc, libsndfile, libsamplerate
+, libltc, libsndfile, libsamplerate, xz
 , lv2, mesa, gtk2, cairo, pango, fftwFloat, zita-convolver }:
 
 stdenv.mkDerivation rec {
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
     sha256 = "1ald0c5xbfkdq6g5xwyy8wmbi636m3k3gqrq16kbh46g0kld1as9";
   };
 
-  buildInputs = [ mesa_glu ftgl freefont_ttf libjack2 libltc libsndfile libsamplerate lv2 mesa gtk2 cairo pango fftwFloat pkgconfig  zita-convolver];
+  buildInputs = [ xz mesa_glu ftgl freefont_ttf libjack2 libltc libsndfile libsamplerate lv2 mesa gtk2 cairo pango fftwFloat pkgconfig  zita-convolver];
 
   makeFlags = [ "PREFIX=$(out)" "FONTFILE=${freefont_ttf}/share/fonts/truetype/FreeSansBold.ttf" "LIBZITACONVOLVER=${zita-convolver}/include/zita-convolver.h" ];
 
diff --git a/pkgs/applications/audio/zynaddsubfx/default.nix b/pkgs/applications/audio/zynaddsubfx/default.nix
index 0fccf66ddbc73..ec803f2a9c520 100644
--- a/pkgs/applications/audio/zynaddsubfx/default.nix
+++ b/pkgs/applications/audio/zynaddsubfx/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation  rec {
   buildInputs = [ alsaLib libjack2 fftw fltk13 libjpeg minixml zlib liblo ];
   nativeBuildInputs = [ cmake pkgconfig ];
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "High quality software synthesizer";
     homepage = http://zynaddsubfx.sourceforge.net;
diff --git a/pkgs/applications/editors/bviplus/default.nix b/pkgs/applications/editors/bviplus/default.nix
index 18a9cc5f02ac4..d08e006ec5b31 100644
--- a/pkgs/applications/editors/bviplus/default.nix
+++ b/pkgs/applications/editors/bviplus/default.nix
@@ -1,19 +1,23 @@
-{ stdenv, lib, fetchurl, ncurses }:
+{ stdenv, fetchurl, ncurses }:
 
 stdenv.mkDerivation rec {
   name = "bviplus-${version}";
   version = "0.9.4";
+
   src = fetchurl {
     url = "mirror://sourceforge/project/bviplus/bviplus/${version}/bviplus-${version}.tgz";
     sha256 = "10x6fbn8v6i0y0m40ja30pwpyqksnn8k2vqd290vxxlvlhzah4zb";
   };
+
   buildInputs = [
     ncurses
   ];
+
   makeFlags = "PREFIX=$(out)";
+
   buildFlags = [ "CFLAGS=-fgnu89-inline" ];
 
-  meta = with lib; {
+  meta = with stdenv.lib; {
     description = "Ncurses based hex editor with a vim-like interface";
     homepage = http://bviplus.sourceforge.net;
     license = licenses.gpl3;
diff --git a/pkgs/applications/editors/emacs-25/default.nix b/pkgs/applications/editors/emacs-25/default.nix
index dcd8a2ab6960f..56100ae6e63eb 100644
--- a/pkgs/applications/editors/emacs-25/default.nix
+++ b/pkgs/applications/editors/emacs-25/default.nix
@@ -56,6 +56,8 @@ stdenv.mkDerivation rec {
 
   propagatedBuildInputs = stdenv.lib.optionals stdenv.isDarwin [ AppKit GSS ImageIO ];
 
+  hardeningDisable = [ "format" ];
+
   configureFlags =
     (if stdenv.isDarwin
       then [ "--with-ns" "--disable-ns-self-contained" ]
diff --git a/pkgs/applications/editors/ht/default.nix b/pkgs/applications/editors/ht/default.nix
index 0ca4f19b4afe7..4455c70d71a80 100644
--- a/pkgs/applications/editors/ht/default.nix
+++ b/pkgs/applications/editors/ht/default.nix
@@ -3,13 +3,18 @@
 stdenv.mkDerivation rec {
   name = "ht-${version}";
   version = "2.1.0";
+
   src = fetchurl {
     url = "mirror://sourceforge/project/hte/ht-source/ht-${version}.tar.bz2";
     sha256 = "0w2xnw3z9ws9qrdpb80q55h6ynhh3aziixcfn45x91bzrbifix9i";
   };
+
   buildInputs = [
     ncurses
   ];
+
+  hardeningDisable = [ "format" ];
+
   meta = with lib; {
     description = "File editor/viewer/analyzer for executables";
     homepage = "http://hte.sourceforge.net";
diff --git a/pkgs/applications/editors/leafpad/default.nix b/pkgs/applications/editors/leafpad/default.nix
index fc35a993badfd..a5b0f2e400a42 100644
--- a/pkgs/applications/editors/leafpad/default.nix
+++ b/pkgs/applications/editors/leafpad/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ intltool pkgconfig gtk ];
 
+  hardeningDisable = [ "format" ];
+
   configureFlags = [
     "--enable-chooser"
   ];
diff --git a/pkgs/applications/editors/nedit/default.nix b/pkgs/applications/editors/nedit/default.nix
index 8a478b2759335..d933a207cd4a0 100644
--- a/pkgs/applications/editors/nedit/default.nix
+++ b/pkgs/applications/editors/nedit/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "1v8y8vwj3kn91crsddqkz843y6csgw7wkjnd3zdcb4bcrf1pjrsk";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ xlibsWrapper motif libXpm ];
 
   buildFlags = if stdenv.isLinux then "linux" else
diff --git a/pkgs/applications/editors/neovim/default.nix b/pkgs/applications/editors/neovim/default.nix
index a01dd7a8d8462..c13ad738ffee2 100644
--- a/pkgs/applications/editors/neovim/default.nix
+++ b/pkgs/applications/editors/neovim/default.nix
@@ -99,6 +99,9 @@ let
       "-DLUA_PRG=${luaPackages.lua}/bin/lua"
     ];
 
+    # triggers on buffer overflow bug while running tests
+    hardeningDisable = [ "fortify" ];
+
     preConfigure = ''
       substituteInPlace runtime/autoload/man.vim \
         --replace /usr/bin/man ${man}/bin/man
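Review bot: The comment on the added `hardeningDisable = [ "fortify" ];` says fortify catches a buffer overflow during the tests, and the change removes the check from the installed binary as well as from the test run. If the overflow is in neovim itself rather than in test code (the hunk does not show which), users get the bug without the abort that would have contained it. I would reword the comment to record the follow-up, e.g. `# fortify aborts on a buffer overflow hit by the test suite; re-enable once fixed upstream (<upstream issue>)`. The enclosing `let` binding starts and ends outside the hunk.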
diff --git a/pkgs/applications/editors/vim/configurable.nix b/pkgs/applications/editors/vim/configurable.nix
index b46ac7d40d5e3..f0d76eae3b4f2 100644
--- a/pkgs/applications/editors/vim/configurable.nix
+++ b/pkgs/applications/editors/vim/configurable.nix
@@ -192,6 +192,8 @@ composableDerivation {
 
   dontStrip = 1;
 
+  hardeningDisable = [ "fortify" ];
+
   meta = with stdenv.lib; {
     description = "The most popular clone of the VI editor";
     homepage    = http://www.vim.org;
diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix
index 97a40e5c7e5a4..1c81cda7ce979 100644
--- a/pkgs/applications/editors/vim/default.nix
+++ b/pkgs/applications/editors/vim/default.nix
@@ -30,6 +30,8 @@ stdenv.mkDerivation rec {
     "--enable-nls"
   ];
 
+  hardeningDisable = [ "fortify" ];
+
   postInstall = ''
     ln -s $out/bin/vim $out/bin/vi
     mkdir -p $out/share/vim
diff --git a/pkgs/applications/graphics/cinepaint/default.nix b/pkgs/applications/graphics/cinepaint/default.nix
index f1ca27eed8034..4866ba92addd4 100644
--- a/pkgs/applications/graphics/cinepaint/default.nix
+++ b/pkgs/applications/graphics/cinepaint/default.nix
@@ -18,14 +18,14 @@ stdenv.mkDerivation rec {
     libXext libXpm libXau libXxf86vm pixman libpthreadstubs fltk
   ];
 
+  hardeningDisable = [ "format" ];
+
   patches = [ ./install.patch ];
 
   nativeBuildInputs = [ cmake pkgconfig ];
 
   NIX_LDFLAGS = "-llcms -ljpeg -lX11";
 
-  # NIX_CFLAGS_COMPILE = "-I.";
-
   meta = {
     homepage = http://www.cinepaint.org/;
     license = stdenv.lib.licenses.free;
diff --git a/pkgs/applications/graphics/fontmatrix/default.nix b/pkgs/applications/graphics/fontmatrix/default.nix
index 14ab9c26d7de0..fc30a35591058 100644
--- a/pkgs/applications/graphics/fontmatrix/default.nix
+++ b/pkgs/applications/graphics/fontmatrix/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ cmake ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "Fontmatrix is a free/libre font explorer for Linux, Windows and Mac";
     homepage = http://fontmatrix.be/;
diff --git a/pkgs/applications/graphics/giv/default.nix b/pkgs/applications/graphics/giv/default.nix
index 1b5ee01d4c069..1587ceb4037ef 100644
--- a/pkgs/applications/graphics/giv/default.nix
+++ b/pkgs/applications/graphics/giv/default.nix
@@ -11,8 +11,7 @@ stdenv.mkDerivation rec {
     sha256 = "1sz2n7jbmg3g97bs613xxjpzqbsl5rvpg6v7g3x3ycyd35r8vsfp";
   };
 
-  # It built code to be put in a shared object without -fPIC
-  NIX_CFLAGS_COMPILE = "-fPIC";
+  hardeningDisable = [ "format" ];
 
   prePatch = ''
     sed -i s,/usr/bin/perl,${perl}/bin/perl, doc/eperl
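Review bot: Dropping `NIX_CFLAGS_COMPILE = "-fPIC";` together with its comment presumably makes this build depend on the stdenv's `pic` hardening flag to supply `-fPIC`, and nothing in the file says so any more. If someone later adds `"pic"` to `hardeningDisable`, the shared-object link would fail again with no explanation nearby. Keep the old reasoning next to the new line, e.g. `# relies on the "pic" hardening flag: upstream builds shared-object code without -fPIC`. The prePatch body continues outside the hunk.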
diff --git a/pkgs/applications/graphics/gqview/default.nix b/pkgs/applications/graphics/gqview/default.nix
index 58bae84cd500c..d2a819c1a3c20 100644
--- a/pkgs/applications/graphics/gqview/default.nix
+++ b/pkgs/applications/graphics/gqview/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation {
 
   buildInputs = [pkgconfig gtk libpng];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "A fast image viewer";
     homepage = http://gqview.sourceforge.net;
diff --git a/pkgs/applications/graphics/kipi-plugins/default.nix b/pkgs/applications/graphics/kipi-plugins/default.nix
index 6a38698370d88..b69105fba7c87 100644
--- a/pkgs/applications/graphics/kipi-plugins/default.nix
+++ b/pkgs/applications/graphics/kipi-plugins/default.nix
@@ -7,7 +7,7 @@
 stdenv.mkDerivation rec {
   name = "kipi-plugins-1.9.0";
 
-  src = fetchurl { 
+  src = fetchurl {
     url = "mirror://sourceforge/kipi/${name}.tar.bz2";
     sha256 = "0k4k9v1rj7129n0s0i5pvv4rabx0prxqs6sca642fj95cxc6c96m";
   };
@@ -25,6 +25,6 @@ stdenv.mkDerivation rec {
     homepage = http://www.kipi-plugins.org;
     inherit (kdelibs.meta) platforms;
     maintainers = with stdenv.lib.maintainers; [ viric urkud ];
-    broken = true; # it should be build from digikam sources, perhaps together
+    broken = true; # it should be built from digikam sources, perhaps together
   };
 }
diff --git a/pkgs/applications/graphics/meshlab/default.nix b/pkgs/applications/graphics/meshlab/default.nix
index d8434de5a77e4..07789fce3a92b 100644
--- a/pkgs/applications/graphics/meshlab/default.nix
+++ b/pkgs/applications/graphics/meshlab/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
 
   patches = [ ./include-unistd.diff ];
 
+  hardeningDisable = [ "format" ];
+
   buildPhase = ''
     mkdir -p "$out/include"
     export NIX_LDFLAGS="-rpath $out/opt/meshlab $NIX_LDFLAGS"
diff --git a/pkgs/applications/graphics/qtpfsgui/default.nix b/pkgs/applications/graphics/qtpfsgui/default.nix
index befdf1b4e7c11..7e5701395fe9d 100644
--- a/pkgs/applications/graphics/qtpfsgui/default.nix
+++ b/pkgs/applications/graphics/qtpfsgui/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ qt4 exiv2 openexr fftwSinglePrec libtiff ];
   nativeBuildInputs = [ qmake4Hook ];
 
+  hardeningDisable = [ "format" ];
+
   preConfigure = ''
     export CPATH="${ilmbase}/include/OpenEXR:$CPATH"
   '';
diff --git a/pkgs/applications/graphics/tesseract/default.nix b/pkgs/applications/graphics/tesseract/default.nix
index b531c41e2d8a3..375b09995488f 100644
--- a/pkgs/applications/graphics/tesseract/default.nix
+++ b/pkgs/applications/graphics/tesseract/default.nix
@@ -38,6 +38,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ autoconf automake libtool leptonica libpng libtiff ];
 
+  hardeningDisable = [ "format" ];
+
   preConfigure = ''
       ./autogen.sh
       substituteInPlace "configure" \
diff --git a/pkgs/applications/graphics/xfig/default.nix b/pkgs/applications/graphics/xfig/default.nix
index ca1d5345fb6ac..c70b1029b7910 100644
--- a/pkgs/applications/graphics/xfig/default.nix
+++ b/pkgs/applications/graphics/xfig/default.nix
@@ -16,6 +16,8 @@ stdenv.mkDerivation {
 
   nativeBuildInputs = [ imake makeWrapper ];
 
+  hardeningDisable = [ "format" ];
+
   NIX_CFLAGS_COMPILE = "-I${libXpm.dev}/include/X11";
 
   patches =
diff --git a/pkgs/applications/graphics/zgv/default.nix b/pkgs/applications/graphics/zgv/default.nix
index 46d3e117d0e76..e06b76e35b123 100644
--- a/pkgs/applications/graphics/zgv/default.nix
+++ b/pkgs/applications/graphics/zgv/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ SDL SDL_image pkgconfig libjpeg libpng libtiff ];
 
+  hardeningDisable = [ "format" ];
+
   makeFlags = [
     "BACKEND=SDL"
   ];
diff --git a/pkgs/applications/inferno/default.nix b/pkgs/applications/inferno/default.nix
index 1a720f0030049..b1574ea6963b2 100644
--- a/pkgs/applications/inferno/default.nix
+++ b/pkgs/applications/inferno/default.nix
@@ -46,6 +46,8 @@ stdenv.mkDerivation rec {
       --set INFERNO_ROOT "$out/share/inferno"
   '';
 
+  hardeningDisable = [ "fortify" ];
+
   meta = {
     description = "A compact distributed operating system for building cross-platform distributed systems";
     homepage = "http://inferno-os.org/";
diff --git a/pkgs/applications/misc/epdfview/default.nix b/pkgs/applications/misc/epdfview/default.nix
index da198e6d88b0c..782ef4ae36609 100644
--- a/pkgs/applications/misc/epdfview/default.nix
+++ b/pkgs/applications/misc/epdfview/default.nix
@@ -1,11 +1,17 @@
 { stdenv, fetchurl, fetchpatch, pkgconfig, gtk, poppler }:
+
 stdenv.mkDerivation rec {
   name = "epdfview-0.1.8";
+
   src = fetchurl {
     url = "http://trac.emma-soft.com/epdfview/chrome/site/releases/${name}.tar.bz2";
     sha256 = "1w7qybh8ssl4dffi5qfajq8mndw7ipsd92vkim03nywxgjp4i1ll";
   };
+
   buildInputs = [ pkgconfig gtk poppler ];
+
+  hardeningDisable = [ "format" ];
+
   patches = [ (fetchpatch {
                 name = "epdfview-0.1.8-glib2-headers.patch";
                 url = "https://projects.archlinux.org/svntogit/community.git/plain/trunk/epdfview-0.1.8-glib2-headers.patch?h=packages/epdfview&id=40ba115c860bdec31d03a30fa594a7ec2864d634";
@@ -17,13 +23,14 @@ stdenv.mkDerivation rec {
                 sha256 = "07yvgvai2bvbr5fa1mv6lg7nqr0qyryjn1xyjlh8nidg9k9vv001";
               })
             ];
+
   meta = {
     homepage = http://trac.emma-soft.com/epdfview/;
     description = "A lightweight PDF document viewer using Poppler and GTK+";
     longDescription = ''
         ePDFView is a free lightweight PDF document viewer using Poppler and
         GTK+ libraries. The aim of ePDFView is to make a simple PDF document
-        viewer, in the lines of Evince but without using the Gnome libraries. 
+        viewer, in the lines of Evince but without using the Gnome libraries.
     '';
     license = stdenv.lib.licenses.gpl2;
     maintainers = with stdenv.lib.maintainers; [ astsmtl ];
diff --git a/pkgs/applications/misc/gkrellm/default.nix b/pkgs/applications/misc/gkrellm/default.nix
index ac8f876ad3fcd..91ba685246224 100644
--- a/pkgs/applications/misc/gkrellm/default.nix
+++ b/pkgs/applications/misc/gkrellm/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [gettext pkgconfig glib gtk libX11 libSM libICE];
 
+  hardeningDisable = [ "format" ];
+
   # Makefiles are patched to fix references to `/usr/X11R6' and to add
   # `-lX11' to make sure libX11's store path is in the RPATH.
   patchPhase = ''
diff --git a/pkgs/applications/misc/grip/default.nix b/pkgs/applications/misc/grip/default.nix
index dc180adde65a0..07cecc2d84e2e 100644
--- a/pkgs/applications/misc/grip/default.nix
+++ b/pkgs/applications/misc/grip/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ gtk glib pkgconfig libgnome libgnomeui vte curl cdparanoia
     libid3tag ncurses libtool ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "GTK+-based audio CD player/ripper";
     homepage = "http://nostatic.org/grip";
diff --git a/pkgs/applications/misc/k2pdfopt/default.nix b/pkgs/applications/misc/k2pdfopt/default.nix
index ce57db371dde5..7c0d615f36633 100644
--- a/pkgs/applications/misc/k2pdfopt/default.nix
+++ b/pkgs/applications/misc/k2pdfopt/default.nix
@@ -31,6 +31,8 @@ in stdenv.mkDerivation rec {
                     openjpeg freetype jbig2dec djvulibre openssl ];
   NIX_LDFLAGS = "-lX11 -lXext";
 
+  hardeningDisable = [ "format" ];
+
   k2_pa = ./k2pdfopt.patch;
   tess_pa = ./tesseract.patch;
 
@@ -96,7 +98,7 @@ in stdenv.mkDerivation rec {
             -ljbig2dec -ljpeg -lopenjp2 -lpng -lfreetype -lpthread -lmujs \
             -lPgm2asc -llept -ltesseract -lcrypto
 
-    mkdir -p $out/bin 
+    mkdir -p $out/bin
     cp k2pdfopt $out/bin
   '';
 
diff --git a/pkgs/applications/misc/milu/default.nix b/pkgs/applications/misc/milu/default.nix
index 8b7fb6787d76b..b8ccbe77cf5bf 100644
--- a/pkgs/applications/misc/milu/default.nix
+++ b/pkgs/applications/misc/milu/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
     owner = "yuejia";
   };
 
+  hardeningDisable = [ "format" ];
+
   preConfigure = ''
     sed -i 's#/usr/bin/##g' Makefile
     sed -i "s#-lclang#-L$(clang --print-search-dirs |
diff --git a/pkgs/applications/misc/navit/default.nix b/pkgs/applications/misc/navit/default.nix
index 1be39c6664217..5f70d4b5c4491 100644
--- a/pkgs/applications/misc/navit/default.nix
+++ b/pkgs/applications/misc/navit/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "1xx62l5srfhh9cfi7n3pxj8hpcgr1rpa0hzfmbrqadzv09z36723";
   };
 
+  hardeningDisable = [ "format" ];
+
   # 'cvs' is only for the autogen
   buildInputs = [ pkgconfig gtk SDL fontconfig freetype imlib2 SDL_image mesa
     libXmu freeglut python gettext quesoglc gd postgresql cmake qt4 SDL_ttf fribidi ];
diff --git a/pkgs/applications/misc/posterazor/default.nix b/pkgs/applications/misc/posterazor/default.nix
index f55af543f18dd..b6d46cf9ed13f 100644
--- a/pkgs/applications/misc/posterazor/default.nix
+++ b/pkgs/applications/misc/posterazor/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "1dqpdk8zl0smdg4fganp3hxb943q40619qmxjlga9jhjc01s7fq5";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ cmake unzip pkgconfig libXpm fltk13 freeimage ];
 
   unpackPhase = ''
diff --git a/pkgs/applications/misc/sdcv/default.nix b/pkgs/applications/misc/sdcv/default.nix
index 3859d2c82abd7..8e781cd1c0265 100644
--- a/pkgs/applications/misc/sdcv/default.nix
+++ b/pkgs/applications/misc/sdcv/default.nix
@@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
     sha256 = "1cnyv7gd1qvz8ma8545d3aq726wxrx4km7ykl97831irx5wz0r51";
   };
 
+  hardeningDisable = [ "format" ];
+
   patches = ( if stdenv.isDarwin
               then [ ./sdcv.cpp.patch-darwin ./utils.hpp.patch ]
               else [ ./sdcv.cpp.patch ] );
diff --git a/pkgs/applications/misc/tasknc/default.nix b/pkgs/applications/misc/tasknc/default.nix
index 85e6c07d670ad..ae0b46d056fe0 100644
--- a/pkgs/applications/misc/tasknc/default.nix
+++ b/pkgs/applications/misc/tasknc/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "0max5schga9hmf3vfqk2ic91dr6raxglyyjcqchzla280kxn5c28";
   };
 
+  hardeningDisable = [ "format" ];
+
   #
   # I know this is ugly, but the Makefile does strange things in this package,
   # so we have to:
diff --git a/pkgs/applications/misc/vym/default.nix b/pkgs/applications/misc/vym/default.nix
index 97fa47399f502..8e1514583a253 100644
--- a/pkgs/applications/misc/vym/default.nix
+++ b/pkgs/applications/misc/vym/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "1x4qp6wpszscbbs4czkfvskm7qjglvxm813nqv281bpy4y1hhvgs";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ pkgconfig qt4 qmake4Hook ];
 
   meta = with stdenv.lib; {
@@ -18,7 +20,7 @@ stdenv.mkDerivation rec {
       Such maps can help you to improve your creativity and effectivity. You can use them
       for time management, to organize tasks, to get an overview over complex contexts,
       to sort your ideas etc.
-      
+
       Maps can be drawn by hand on paper or a flip chart and help to structure your thoughs.
       While a tree like structure like shown on this page can be drawn by hand or any drawing software
       vym offers much more features to work with such maps.
diff --git a/pkgs/applications/misc/wordnet/default.nix b/pkgs/applications/misc/wordnet/default.nix
index b244e9c1bfce9..2f98bc66e9b34 100644
--- a/pkgs/applications/misc/wordnet/default.nix
+++ b/pkgs/applications/misc/wordnet/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 
   buildInputs = [tcl tk xlibsWrapper makeWrapper];
 
+  hardeningDisable = [ "format" ];
+
   patchPhase = ''
     sed "13i#define USE_INTERP_RESULT 1" -i src/stubs.c
   '';
diff --git a/pkgs/applications/misc/xpdf/default.nix b/pkgs/applications/misc/xpdf/default.nix
index a7d288162e391..739f1f0a97549 100644
--- a/pkgs/applications/misc/xpdf/default.nix
+++ b/pkgs/applications/misc/xpdf/default.nix
@@ -25,6 +25,8 @@ stdenv.mkDerivation {
   # Debian uses '-fpermissive' to bypass some errors on char* constantness.
   CXXFLAGS = "-O2 -fpermissive";
 
+  hardeningDisable = [ "format" ];
+
   configureFlags = "--enable-a4-paper";
 
   postInstall = stdenv.lib.optionalString (base14Fonts != null) ''
diff --git a/pkgs/applications/networking/browsers/vimprobable2/default.nix b/pkgs/applications/networking/browsers/vimprobable2/default.nix
index 45aa2a9c2d124..e2d5061b92e42 100644
--- a/pkgs/applications/networking/browsers/vimprobable2/default.nix
+++ b/pkgs/applications/networking/browsers/vimprobable2/default.nix
@@ -11,9 +11,9 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ];
 
-  installPhase = ''
-    make PREFIX=/ DESTDIR=$out install
-  '';
+  hardeningDisable = [ "format" ];
+
+  installFlags = "PREFIX=/ DESTDIR=$(out)";
 
   preFixup = ''
     wrapProgram "$out/bin/vimprobable2" \
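Review bot: From this hunk on, `format` is disabled for programs that process data received from the network (vimprobable2, w3m, silc-client, vacuum, iptraf, iptraf-ng, realpine, ssvnc), where a non-literal format string is most likely to see input controlled by a remote party. For these I would rather carry a small patch turning the offending `printf(msg)` style calls into `printf("%s", msg)` than exempt the whole package; the hunks do not show which calls fail, so that needs a build log. Failing that, a `# TODO: patch format strings and drop this` comment would mark them for follow-up. The preFixup body continues outside the hunk.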
@@ -32,7 +32,7 @@ stdenv.mkDerivation rec {
       GTK bindings). The goal of Vimprobable is to build a completely
       keyboard-driven, efficient and pleasurable browsing-experience. Its
       featureset might be considered "minimalistic", but not as minimalistic as
-      being completely featureless. 
+      being completely featureless.
     '';
     homepage = "http://sourceforge.net/apps/trac/vimprobable";
     license = stdenv.lib.licenses.mit;
diff --git a/pkgs/applications/networking/browsers/w3m/default.nix b/pkgs/applications/networking/browsers/w3m/default.nix
index d3b7843f291d4..e4486943e628c 100644
--- a/pkgs/applications/networking/browsers/w3m/default.nix
+++ b/pkgs/applications/networking/browsers/w3m/default.nix
@@ -50,6 +50,8 @@ stdenv.mkDerivation rec {
     ln -s $out/libexec/w3m/w3mimgdisplay $out/bin
   '';
 
+  hardeningDisable = [ "format" ];
+
   configureFlags = "--with-ssl=${openssl.dev} --with-gc=${boehmgc.dev}"
     + optionalString graphicsSupport " --enable-image=${optionalString x11Support "x11,"}fb";
 
diff --git a/pkgs/applications/networking/instant-messengers/silc-client/default.nix b/pkgs/applications/networking/instant-messengers/silc-client/default.nix
index 1454760f541b5..df85c55dbee0a 100644
--- a/pkgs/applications/networking/instant-messengers/silc-client/default.nix
+++ b/pkgs/applications/networking/instant-messengers/silc-client/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation {
 
   dontDisableStatic = true;
 
+  hardeningDisable = [ "format" ];
+
   configureFlags = "--with-ncurses=${ncurses.dev}";
 
   preConfigure = stdenv.lib.optionalString enablePlugin ''
diff --git a/pkgs/applications/networking/instant-messengers/vacuum/default.nix b/pkgs/applications/networking/instant-messengers/vacuum/default.nix
index 0572e3f9e2e90..e8c1f50164dff 100644
--- a/pkgs/applications/networking/instant-messengers/vacuum/default.nix
+++ b/pkgs/applications/networking/instant-messengers/vacuum/default.nix
@@ -27,6 +27,8 @@ stdenv.mkDerivation rec {
     qmakeFlags="$qmakeFlags INSTALL_PREFIX=$out"
   '';
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "An XMPP client fully composed of plugins";
     maintainers = [ maintainers.raskin ];
diff --git a/pkgs/applications/networking/iptraf-ng/default.nix b/pkgs/applications/networking/iptraf-ng/default.nix
index 368d78a36f902..746d79805f5c6 100644
--- a/pkgs/applications/networking/iptraf-ng/default.nix
+++ b/pkgs/applications/networking/iptraf-ng/default.nix
@@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
                 --localstatedir=$out/var --sbindir=$out/bin
   '';
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "A console-based network monitoring utility (fork of iptraf)";
     longDescription = ''
diff --git a/pkgs/applications/networking/iptraf/default.nix b/pkgs/applications/networking/iptraf/default.nix
index 1d67fa3dcf57d..d1a0b2d4b0292 100644
--- a/pkgs/applications/networking/iptraf/default.nix
+++ b/pkgs/applications/networking/iptraf/default.nix
@@ -2,12 +2,14 @@
 
 stdenv.mkDerivation rec {
   name = "iptraf-3.0.1";
-  
+
   src = fetchurl {
     url = ftp://iptraf.seul.org/pub/iptraf/iptraf-3.0.1.tar.gz;
     sha256 = "12n059j9iihhpf6spmlaspqzxz3wqan6kkpnhmlj08jdijpnk84m";
   };
 
+  hardeningDisable = [ "format" ];
+
   patchPhase = ''
     sed -i -e 's,#include <linux/if_tr.h>,#include <netinet/if_tr.h>,' src/*
   '';
@@ -18,7 +20,7 @@ stdenv.mkDerivation rec {
     mkdir -p $out/bin
     cp iptraf $out/bin
   '';
-  
+
   buildInputs = [ncurses];
 
   meta = {
diff --git a/pkgs/applications/networking/irc/bip/default.nix b/pkgs/applications/networking/irc/bip/default.nix
index ee9a6392e07e7..e391f0074c5a2 100644
--- a/pkgs/applications/networking/irc/bip/default.nix
+++ b/pkgs/applications/networking/irc/bip/default.nix
@@ -30,10 +30,7 @@ in stdenv.mkDerivation {
     }
   ];
 
-  postPatch = ''
-  '';
-
-  configureFlags = [ "--disable-pie" ];
+  NIX_CFLAGS_COMPILE = "-Wno-error=unused-result";
 
   buildInputs = [ bison flex autoconf automake openssl ];
 
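Review bot: `NIX_CFLAGS_COMPILE = "-Wno-error=unused-result";` replaces `--disable-pie` without a comment, so it is not clear which ignored return values the hardened build now reports. Presumably fortify marks libc calls such as `write` or `read` as `warn_unused_result` and upstream builds with `-Werror`; in an IRC proxy an unchecked short write or failed read deserves a look rather than a blanket downgrade. Suggest `# fortify adds warn_unused_result on libc I/O calls; upstream ignores some results (<call sites>)`.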
diff --git a/pkgs/applications/networking/mailreaders/alpine/default.nix b/pkgs/applications/networking/mailreaders/alpine/default.nix
index f2769946f7081..424619010e3b8 100644
--- a/pkgs/applications/networking/mailreaders/alpine/default.nix
+++ b/pkgs/applications/networking/mailreaders/alpine/default.nix
@@ -1,36 +1,37 @@
 {stdenv, fetchurl, ncurses, tcl, openssl, pam, pkgconfig, gettext, kerberos
 , openldap
 }:
+
 let
-  s = 
-  rec {
-    version = "2.00";
+  version = "2.00";
+  baseName = "alpine";
+in
+stdenv.mkDerivation {
+  name = "${baseName}-${version}";
+
+  src = fetchurl {
     url = "ftp://ftp.cac.washington.edu/alpine/alpine-${version}.tar.bz2";
     sha256 = "19m2w21dqn55rhxbh5lr9qarc2fqa9wmpj204jx7a0zrb90bhpf8";
-    baseName = "alpine";
-    name = "${baseName}-${version}";
   };
+
   buildInputs = [
     ncurses tcl openssl pam kerberos openldap
   ];
-in
-stdenv.mkDerivation {
-  inherit (s) name version;
-  inherit buildInputs;
-  src = fetchurl {
-    inherit (s) url sha256;
-  };
+
+  hardeningDisable = [ "format" "fortify" ];
+
   configureFlags = [
     "--with-ssl-include-dir=${openssl.dev}/include/openssl"
     "--with-tcl-lib=${tcl.libPrefix}"
     "--with-passfile=.pine-passfile"
-    ];
+  ];
+
   preConfigure = ''
     export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
   '';
+
   meta = {
-    inherit (s) version;
-    description = ''Console mail reader'';
+    description = "Console mail reader";
     license = stdenv.lib.licenses.asl20;
     maintainers = [stdenv.lib.maintainers.raskin];
     platforms = stdenv.lib.platforms.linux;
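Review bot: alpine disables `format` and `fortify` together with no reason given for either, and it is a mail reader that parses messages from arbitrary senders. Record what fails for each flag, e.g. `# format: <call site>; fortify: <build error or runtime abort>`, and keep `fortify` if the failure turns out to be compile-time noise that a small patch can fix. Separately, the refactor drops the `version` attribute that the old `inherit (s) name version;` passed to mkDerivation, while the realpine hunk keeps `inherit version;`; adding the same line here keeps the two files consistent. The meta block continues outside the hunk.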
diff --git a/pkgs/applications/networking/mailreaders/realpine/default.nix b/pkgs/applications/networking/mailreaders/realpine/default.nix
index 2247398ef7822..7ba582cdb5d05 100644
--- a/pkgs/applications/networking/mailreaders/realpine/default.nix
+++ b/pkgs/applications/networking/mailreaders/realpine/default.nix
@@ -2,34 +2,35 @@
 , openldap
 }:
 let
-  s = 
-  rec {
-    version = "2.03";
+  baseName = "re-alpine";
+  version = "2.03";
+in
+stdenv.mkDerivation {
+  name = "${baseName}-${version}";
+  inherit version;
+
+  src = fetchurl {
     url = "mirror://sourceforge/re-alpine/re-alpine-${version}.tar.bz2";
     sha256 = "11xspzbk9cwmklmcw6rxsan7j71ysd4m9c7qldlc59ck595k5nbh";
-    baseName = "re-alpine";
-    name = "${baseName}-${version}";
   };
+
   buildInputs = [
     ncurses tcl openssl pam kerberos openldap
   ];
-in
-stdenv.mkDerivation {
-  inherit (s) name version;
-  inherit buildInputs;
-  src = fetchurl {
-    inherit (s) url sha256;
-  };
+
+  hardeningDisable = [ "format" ];
+
   configureFlags = [
     "--with-ssl-include-dir=${openssl.dev}/include/openssl"
     "--with-tcl-lib=${tcl.libPrefix}"
-    ];
+  ];
+
   preConfigure = ''
     export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
   '';
+
   meta = {
-    inherit (s) version;
-    description = ''Console mail reader'';
+    description = "Console mail reader";
     license = stdenv.lib.licenses.asl20;
     maintainers = [stdenv.lib.maintainers.raskin];
     platforms = stdenv.lib.platforms.linux;
diff --git a/pkgs/applications/networking/remote/ssvnc/default.nix b/pkgs/applications/networking/remote/ssvnc/default.nix
index 956391b71f864..ed64629fe244d 100644
--- a/pkgs/applications/networking/remote/ssvnc/default.nix
+++ b/pkgs/applications/networking/remote/ssvnc/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
 
   configurePhase = "makeFlags=PREFIX=$out";
 
+  hardeningDisable = [ "format" ];
+
   postInstall = ''
     sed -i -e 's|exec wish|exec ${tk}/bin/wish|' $out/lib/ssvnc/util/ssvnc.tcl
     sed -i -e 's|/usr/bin/perl|${perl}/bin/perl|' $out/lib/ssvnc/util/ss_vncviewer
diff --git a/pkgs/applications/science/electronics/caneda/default.nix b/pkgs/applications/science/electronics/caneda/default.nix
index 404ffc5010b4e..dc00cef889824 100644
--- a/pkgs/applications/science/electronics/caneda/default.nix
+++ b/pkgs/applications/science/electronics/caneda/default.nix
@@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
     sha256 = "dfbcac97f5a1b41ad9a63392394f37fb294cbf78c576673c9bc4a5370957b2c8";
   };
 
-  cmakeFlags = [ "-DCMAKE_BUILD_TYPE=Release" ];
+  hardeningDisable = [ "format" ];
 
   buildInputs = [ cmake qt4 libxml2 libxslt ];
 
diff --git a/pkgs/applications/science/geometry/drgeo/default.nix b/pkgs/applications/science/geometry/drgeo/default.nix
index 048f34d7abfaf..3e5408ac7f5d3 100644
--- a/pkgs/applications/science/geometry/drgeo/default.nix
+++ b/pkgs/applications/science/geometry/drgeo/default.nix
@@ -5,6 +5,8 @@ stdenv.mkDerivation rec {
   name = "drgeo-${version}";
   version = "1.1.0";
 
+  hardeningDisable = [ "format" ];
+
   src = fetchurl {
     url = "mirror://sourceforge/ofset/${name}.tar.gz";
     sha256 = "05i2czgzhpzi80xxghinvkyqx4ym0gm9f38fz53idjhigiivp4wc";
diff --git a/pkgs/applications/science/logic/ltl2ba/default.nix b/pkgs/applications/science/logic/ltl2ba/default.nix
index 59c6461f5b6c5..f0947fa0ed6e2 100644
--- a/pkgs/applications/science/logic/ltl2ba/default.nix
+++ b/pkgs/applications/science/logic/ltl2ba/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "16z0gc7a9dkarwn0l6rvg5jdhw1q4qyn4501zlchy0zxqddz0sx6";
   };
 
+  hardeningDisable = [ "format" ];
+
   preConfigure = ''
     substituteInPlace Makefile \
     --replace "CC=gcc" ""
diff --git a/pkgs/applications/science/logic/otter/default.nix b/pkgs/applications/science/logic/otter/default.nix
index 08d19c143eed7..b19650eb86303 100644
--- a/pkgs/applications/science/logic/otter/default.nix
+++ b/pkgs/applications/science/logic/otter/default.nix
@@ -17,6 +17,9 @@ stdenv.mkDerivation {
   src = fetchurl {
     inherit (s) url sha256;
   };
+
+  hardeningDisable = [ "format" ];
+
   buildPhase = ''
     find . -name Makefile | xargs sed -i -e "s@/bin/rm@$(type -P rm)@g"
     find . -name Makefile | xargs sed -i -e "s@/bin/mv@$(type -P mv)@g"
@@ -32,11 +35,13 @@ stdenv.mkDerivation {
     make -C source/formed realclean
     make -C source/formed formed
   '';
+
   installPhase = ''
     mkdir -p "$out"/{bin,share/otter}
     cp bin/* source/formed/formed "$out/bin/"
     cp -r examples examples-mace2 documents README* Legal Changelog Contents index.html "$out/share/otter/"
   '';
+
   meta = {
     inherit (s) version;
     description = "A reliable first-order theorem prover";
diff --git a/pkgs/applications/science/logic/prover9/default.nix b/pkgs/applications/science/logic/prover9/default.nix
index d92c7887210ef..9c09ea3db980b 100644
--- a/pkgs/applications/science/logic/prover9/default.nix
+++ b/pkgs/applications/science/logic/prover9/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation {
     sha256 = "1l2i3d3h5z7nnbzilb6z92r0rbx0kh6yaxn2c5qhn3000xcfsay3";
   };
 
-  phases = "unpackPhase patchPhase buildPhase installPhase";
+  hardeningDisable = [ "format" ];
 
   patchPhase = ''
     RM=$(type -tp rm)
@@ -23,6 +23,8 @@ stdenv.mkDerivation {
 
   buildFlags = "all";
 
+  checkPhase = "make test1";
+
   installPhase = ''
     mkdir -p $out/bin
     cp bin/* $out/bin
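Review bot: The added `checkPhase = "make test1";` probably never runs, because neither hunk sets `doCheck`, and the generic builder presumably skips the check phase without it. If the tests are meant to run, add `doCheck = true;` next to it. The previous hunk also removes the explicit `phases = "unpackPhase patchPhase buildPhase installPhase";` on the same line where `hardeningDisable` is added, which changes which phases run and is unrelated to hardening. caneda likewise loses `-DCMAKE_BUILD_TYPE=Release` in the same way. These would be easier to review as separate changes, or at least called out in the commit message.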
diff --git a/pkgs/applications/science/math/cbc/default.nix b/pkgs/applications/science/math/cbc/default.nix
index 0d1ef26092e2e..7643c912db4b9 100644
--- a/pkgs/applications/science/math/cbc/default.nix
+++ b/pkgs/applications/science/math/cbc/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ zlib bzip2 ];
 
   # FIXME: move share/coin/Data to a separate output?
diff --git a/pkgs/applications/science/math/perseus/default.nix b/pkgs/applications/science/math/perseus/default.nix
index 94029a043492e..ae63716f106d7 100644
--- a/pkgs/applications/science/math/perseus/default.nix
+++ b/pkgs/applications/science/math/perseus/default.nix
@@ -5,6 +5,8 @@ stdenv.mkDerivation {
   version = "4-beta";
   buildInputs = [unzip gcc48];
 
+  hardeningDisable = [ "stackprotector" ];
+
   src = fetchurl {
     url = "http://www.sas.upenn.edu/~vnanda/source/perseus_4_beta.zip";
     sha256 = "09brijnqabhgfjlj5wny0bqm5dwqcfkp1x5wif6yzdmqh080jybj";
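Review bot: `hardeningDisable = [ "stackprotector" ];` carries no comment, although the reason looks derivable from this commit. `buildInputs` pulls in `gcc48`, and add-hardening passes `-fstack-protector-strong`, which GCC accepts only from 4.9 onwards; the gcc/5 hunk has a FIXME to the same effect. I would record that as `# gcc48 does not understand -fstack-protector-strong`, so the exemption can be dropped when the package moves to a newer compiler. The derivation continues outside the hunk.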
@@ -30,7 +32,7 @@ stdenv.mkDerivation {
       around datasets arising from point samples, images, distance
       matrices and so forth.
     '';
-    homepage = "www.sas.upenn.edu/~vnanda/perseus/index.html";
+    homepage = "http://www.sas.upenn.edu/~vnanda/perseus/index.html";
     license = stdenv.lib.licenses.gpl3;
     maintainers = with stdenv.lib.maintainers; [erikryb];
     platforms = stdenv.lib.platforms.linux;
diff --git a/pkgs/applications/science/math/qalculate-gtk/default.nix b/pkgs/applications/science/math/qalculate-gtk/default.nix
index fe13a9aebbcd4..d58eea6f9b947 100644
--- a/pkgs/applications/science/math/qalculate-gtk/default.nix
+++ b/pkgs/applications/science/math/qalculate-gtk/default.nix
@@ -1,4 +1,5 @@
 { stdenv, fetchurl, intltool, autoreconfHook, pkgconfig, libqalculate, gtk3, wrapGAppsHook }:
+
 stdenv.mkDerivation rec {
   name = "qalculate-gtk-${version}";
   version = "0.9.8";
@@ -8,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "15ci0p7jlikk2rira6ykgrmcdvgpxzprpqmkdxx6hsg4pvzrj54s";
   };
 
+  hardeningDisable = [ "format" ];
+
   nativeBuildInputs = [ intltool pkgconfig autoreconfHook wrapGAppsHook ];
   buildInputs = [ libqalculate gtk3 ];
 
diff --git a/pkgs/applications/science/math/singular/default.nix b/pkgs/applications/science/math/singular/default.nix
index 8bae1d6206d09..a0fdf7c823957 100644
--- a/pkgs/applications/science/math/singular/default.nix
+++ b/pkgs/applications/science/math/singular/default.nix
@@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
     find . -exec sed -e 's@/bin/uname@${coreutils}&@g' -i '{}' ';'
   '';
 
+  hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector";
+
   postInstall = ''
     rm -rf "$out/LIB"
     cp -r Singular/LIB "$out"
diff --git a/pkgs/applications/science/math/yacas/default.nix b/pkgs/applications/science/math/yacas/default.nix
index 2c9d63be1b4d4..adf87c4ee5ba2 100644
--- a/pkgs/applications/science/math/yacas/default.nix
+++ b/pkgs/applications/science/math/yacas/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "1dmafm3w0lm5w211nwkfzaid1rvvmgskz7k4500pjhgdczi5sd78";
   };
 
+  hardeningDisable = [ "format" ];
+
   # Perl is only for the documentation
   nativeBuildInputs = [ perl ];
 
@@ -32,7 +34,7 @@ stdenv.mkDerivation rec {
     '';
   };
 
-  meta = { 
+  meta = {
       description = "Easy to use, general purpose Computer Algebra System";
       homepage = http://yacas.sourceforge.net/;
       license = stdenv.lib.licenses.gpl2Plus;
diff --git a/pkgs/applications/version-management/bitkeeper/default.nix b/pkgs/applications/version-management/bitkeeper/default.nix
index 7608329248222..e5937977994e0 100644
--- a/pkgs/applications/version-management/bitkeeper/default.nix
+++ b/pkgs/applications/version-management/bitkeeper/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
     sha256 = "0lk4vydpq5bi52m81h327gvzdzybf8kkak7yjwmpj6kg1jn9blaz";
   };
 
+  hardeningDisable = [ "fortify" ];
+
   enableParallelBuilding = true;
 
   buildInputs = [
diff --git a/pkgs/applications/version-management/cvs/default.nix b/pkgs/applications/version-management/cvs/default.nix
index b0e0f334e4d0e..3aace6b7e0219 100644
--- a/pkgs/applications/version-management/cvs/default.nix
+++ b/pkgs/applications/version-management/cvs/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 
   patches = [ ./getcwd-chroot.patch ];
 
+  hardeningDisable = [ "format" ];
+
   preConfigure = ''
     # Apply the Debian patches.
     for p in "debian/patches/"*; do
diff --git a/pkgs/applications/version-management/git-and-tools/git/default.nix b/pkgs/applications/version-management/git-and-tools/git/default.nix
index 8443745735b02..4eea75ad4ef82 100644
--- a/pkgs/applications/version-management/git-and-tools/git/default.nix
+++ b/pkgs/applications/version-management/git-and-tools/git/default.nix
@@ -22,6 +22,8 @@ stdenv.mkDerivation {
     sha256 = "0qzs681a64k3shh5p0rg41l1z16fbk5sj0xga45k34hp1hsp654z";
   };
 
+  hardeningDisable = [ "format" ];
+
   patches = [
     ./docbook2texi.patch
     ./symlinks-in-bin.patch
diff --git a/pkgs/applications/version-management/git-and-tools/qgit/default.nix b/pkgs/applications/version-management/git-and-tools/qgit/default.nix
index 3f5f9a2dbe1be..b8d001ee97c82 100644
--- a/pkgs/applications/version-management/git-and-tools/qgit/default.nix
+++ b/pkgs/applications/version-management/git-and-tools/qgit/default.nix
@@ -3,20 +3,13 @@
 stdenv.mkDerivation rec {
   name = "qgit-2.5";
 
-  meta =
-  {
-    license = stdenv.lib.licenses.gpl2;
-    homepage = "http://libre.tibirna.org/projects/qgit/wiki/QGit";
-    description = "Graphical front-end to Git";
-    inherit (qt4.meta) platforms;
-  };
-
-  src = fetchurl
-  {
+  src = fetchurl {
     url = "http://libre.tibirna.org/attachments/download/9/${name}.tar.gz";
     sha256 = "25f1ca2860d840d87b9919d34fc3a1b05d4163671ed87d29c3e4a8a09e0b2499";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ qt4 libXext libX11 ];
 
   nativeBuildInputs = [ qmake4Hook ];
@@ -24,4 +17,11 @@ stdenv.mkDerivation rec {
   installPhase = ''
     install -s -D -m 755 bin/qgit "$out/bin/qgit"
   '';
+
+  meta = {
+    license = stdenv.lib.licenses.gpl2;
+    homepage = "http://libre.tibirna.org/projects/qgit/wiki/QGit";
+    description = "Graphical front-end to Git";
+    inherit (qt4.meta) platforms;
+  };
 }
diff --git a/pkgs/applications/version-management/redmine/default.nix b/pkgs/applications/version-management/redmine/default.nix
index 7590ae743a377..b81808edc224a 100644
--- a/pkgs/applications/version-management/redmine/default.nix
+++ b/pkgs/applications/version-management/redmine/default.nix
@@ -11,6 +11,8 @@ in stdenv.mkDerivation rec {
     sha256 = "0x0zwxyj4dwbk7l64s3lgny10mjf0ba8jwrbafsm4d72sncmacv0";
   };
 
+  hardeningDisable = [ "format" ];
+
   # taken from redmine (2.5.1-2~bpo70+3) in debian wheezy-backports
   # needed to separate run-time and build-time directories
   patches = [
@@ -18,6 +20,7 @@ in stdenv.mkDerivation rec {
     ./2004_FHS_plugins_assets.patch
     ./2003_externalize_session_config.patch
   ];
+
   postPatch = ''
     substituteInPlace lib/redmine/plugin.rb --replace "File.join(Rails.root, 'plugins')" "ENV['RAILS_PLUGINS']"
     substituteInPlace lib/redmine/plugin.rb --replace "File.join(Rails.root, 'plugins', id.to_s, 'db', 'migrate')" "File.join(ENV['RAILS_PLUGINS'], id.to_s, 'db', 'migrate')"
diff --git a/pkgs/applications/video/aegisub/default.nix b/pkgs/applications/video/aegisub/default.nix
index 92a2f4fb63433..39a85a03199d2 100644
--- a/pkgs/applications/video/aegisub/default.nix
+++ b/pkgs/applications/video/aegisub/default.nix
@@ -43,6 +43,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "bindnow" "relro" ];
+
   postInstall = "ln -s $out/bin/aegisub-* $out/bin/aegisub";
 
   meta = {
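Review bot: `hardeningDisable = [ "bindnow" "relro" ];` turns off both link-time protections (`-z now` and `-z relro` in add-hardening) with no note on what breaks. The program opens media and subtitle files from arbitrary sources, so a writable GOT is a real loss here. If only immediate binding is the problem (for instance a plugin or a lazily resolved symbol, which I cannot confirm from the hunk), `[ "bindnow" ]` alone would keep `relro`. Either way a comment naming the failure, e.g. `# <symptom> with -z now`, should sit above the line.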
diff --git a/pkgs/applications/video/kino/default.nix b/pkgs/applications/video/kino/default.nix
index 2503d78183f33..ea5158270876e 100644
--- a/pkgs/applications/video/kino/default.nix
+++ b/pkgs/applications/video/kino/default.nix
@@ -67,13 +67,10 @@ stdenv.mkDerivation {
       pkgconfig perl perlXMLParser libavc1394 libiec61883 intltool libXv gettext libX11 glib cairo ffmpeg libv4l ]; # TODOoptional packages 
 
   configureFlags = "--enable-local-ffmpeg=no";
-  #preConfigure = "
-  #  grep 11 env-vars
-  #  ex
-  #";
 
-  patches = [ ./kino-1.3.4-v4l1.patch ./kino-1.3.4-libav-0.7.patch ./kino-1.3.4-libav-0.8.patch ]; #./kino-1.3.4-libavcodec-pkg-config.patch ];
+  hardeningDisable = [ "format" ];
 
+  patches = [ ./kino-1.3.4-v4l1.patch ./kino-1.3.4-libav-0.7.patch ./kino-1.3.4-libav-0.8.patch ]; #./kino-1.3.4-libavcodec-pkg-config.patch ];
 
   postInstall = "
     rpath=`patchelf --print-rpath \$out/bin/kino`;
@@ -86,8 +83,7 @@ stdenv.mkDerivation {
     done
   ";
 
-
-  meta = { 
+  meta = {
       description = "Non-linear DV editor for GNU/Linux";
       homepage = http://www.kinodv.org/;
       license = stdenv.lib.licenses.gpl2;
diff --git a/pkgs/applications/video/subtitleeditor/default.nix b/pkgs/applications/video/subtitleeditor/default.nix
index c9655e2a4f27d..e3cd242bd73ce 100644
--- a/pkgs/applications/video/subtitleeditor/default.nix
+++ b/pkgs/applications/video/subtitleeditor/default.nix
@@ -41,6 +41,8 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
 
+  hardeningDisable = [ "format" ];
+
   patches = [ ./subtitleeditor-0.52.1-build-fix.patch ];
 
   preConfigure = ''
diff --git a/pkgs/applications/virtualization/OVMF/default.nix b/pkgs/applications/virtualization/OVMF/default.nix
index 479d625c7de70..fc3c679d414d5 100644
--- a/pkgs/applications/virtualization/OVMF/default.nix
+++ b/pkgs/applications/virtualization/OVMF/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation (edk2.setup "OvmfPkg/OvmfPkg${targetArch}.dsc" {
   # TODO: properly include openssl for secureBoot
   buildInputs = [nasm iasl] ++ stdenv.lib.optionals (secureBoot == true) [ openssl ];
 
+  hardeningDisable = [ "stackprotector" "pic" "fortify" ];
+
   unpackPhase = ''
     for file in \
       "${edk2.src}"/{UefiCpuPkg,MdeModulePkg,IntelFrameworkModulePkg,PcAtChipsetPkg,FatBinPkg,EdkShellBinPkg,MdePkg,ShellPkg,OptionRomPkg,IntelFrameworkPkg};
diff --git a/pkgs/applications/virtualization/bochs/default.nix b/pkgs/applications/virtualization/bochs/default.nix
index 2cf57d78ba0cc..8c420b11f55c6 100644
--- a/pkgs/applications/virtualization/bochs/default.nix
+++ b/pkgs/applications/virtualization/bochs/default.nix
@@ -145,7 +145,9 @@ stdenv.mkDerivation rec {
 
   NIX_CFLAGS_COMPILE="-I${gtk.dev}/include/gtk-2.0/ -I${libtool}/include/";
   NIX_LDFLAGS="-L${libtool.lib}/lib";
-	
+
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "An open-source IA-32 (x86) PC emulator";
     longDescription = ''
diff --git a/pkgs/applications/virtualization/cbfstool/default.nix b/pkgs/applications/virtualization/cbfstool/default.nix
index 97ca3003fdd0e..1a45dc3c44d9e 100644
--- a/pkgs/applications/virtualization/cbfstool/default.nix
+++ b/pkgs/applications/virtualization/cbfstool/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ iasl flex bison ];
 
+  hardeningDisable = [ "fortify" ];
+
   buildPhase = ''
     export LEX=${flex}/bin/flex
     make -C util/cbfstool
diff --git a/pkgs/applications/virtualization/qboot/default.nix b/pkgs/applications/virtualization/qboot/default.nix
index e4439ec124f44..0c6e3991b1c02 100644
--- a/pkgs/applications/virtualization/qboot/default.nix
+++ b/pkgs/applications/virtualization/qboot/default.nix
@@ -12,7 +12,9 @@ stdenv.mkDerivation {
   installPhase = ''
     mkdir -p $out
     cp bios.bin* $out/.
-    '';
+  '';
+
+  hardeningDisable = [ "stackprotector" "pic" ];
 
   meta = {
     description = "A simple x86 firmware for booting Linux";
diff --git a/pkgs/applications/virtualization/seabios/default.nix b/pkgs/applications/virtualization/seabios/default.nix
index cf17c08554a7c..ba5fe4dcc1da1 100644
--- a/pkgs/applications/virtualization/seabios/default.nix
+++ b/pkgs/applications/virtualization/seabios/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ iasl python ];
 
+  hardeningDisable = [ "pic" "stackprotector" "fortify" ];
+
   configurePhase = ''
     # build SeaBIOS for CSM
     cat > .config << EOF
@@ -21,12 +23,12 @@ stdenv.mkDerivation rec {
     EOF
 
     make olddefconfig
-    '';
+  '';
 
   installPhase = ''
     mkdir $out
     cp out/Csm16.bin $out/Csm16.bin
-    '';
+  '';
 
   meta = with stdenv.lib; {
     description = "Open source implementation of a 16bit X86 BIOS";
diff --git a/pkgs/applications/virtualization/virtualbox/default.nix b/pkgs/applications/virtualization/virtualbox/default.nix
index ebdac411b113b..ada571586c625 100644
--- a/pkgs/applications/virtualization/virtualbox/default.nix
+++ b/pkgs/applications/virtualization/virtualbox/default.nix
@@ -74,6 +74,8 @@ in stdenv.mkDerivation {
     ++ optional pythonBindings python
     ++ optional pulseSupport libpulseaudio;
 
+  hardeningDisable = [ "fortify" "pic" "stackprotector" ];
+
   prePatch = ''
     set -x
     MODULES_BUILD_DIR=`echo ${kernel.dev}/lib/modules/*/build`
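Review bot: `hardeningDisable = [ "fortify" "pic" "stackprotector" ];` applies to every binary this derivation produces, not only to the component that cannot take the flags. The hunk shows the build compiles against `${kernel.dev}/lib/modules/*/build`, so presumably the kernel modules need the exemption, but the userspace executables lose stack protection and `_FORTIFY_SOURCE` along with them. xen/generic.nix disables the same three flags derivation-wide. A comment such as `# kernel modules do not build with these flags; TODO: limit to the module build` would record the intent until the exemption can be scoped.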
diff --git a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix
index 1a1134e84a413..1d37e45b23dc4 100644
--- a/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix
+++ b/pkgs/applications/virtualization/virtualbox/guest-additions/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation {
 
   KERN_DIR = "${kernel.dev}/lib/modules/*/build";
 
+  hardeningDisable = [ "pic" ];
+
   buildInputs = [ patchelf cdrkit makeWrapper dbus ];
 
   installPhase = ''
diff --git a/pkgs/applications/virtualization/xen/generic.nix b/pkgs/applications/virtualization/xen/generic.nix
index c830fccb12015..a62a1a2009239 100644
--- a/pkgs/applications/virtualization/xen/generic.nix
+++ b/pkgs/applications/virtualization/xen/generic.nix
@@ -48,6 +48,8 @@ stdenv.mkDerivation {
 
   pythonPath = [ pythonPackages.curses ];
 
+  hardeningDisable = [ "stackprotector" "fortify" "pic" ];
+
   patches = stdenv.lib.optionals ((xenserverPatched == false) && (builtins.hasAttr "xenPatches" xenConfig)) xenConfig.xenPatches;
 
   postPatch = ''
diff --git a/pkgs/applications/window-managers/stalonetray/default.nix b/pkgs/applications/window-managers/stalonetray/default.nix
index 5ef5ba769c421..3b5af42a8be26 100644
--- a/pkgs/applications/window-managers/stalonetray/default.nix
+++ b/pkgs/applications/window-managers/stalonetray/default.nix
@@ -3,12 +3,16 @@
 stdenv.mkDerivation rec {
   name = "stalonetray-${version}";
   version = "0.8.1";
+
   src = fetchurl {
     url = "mirror://sourceforge/stalonetray/${name}.tar.bz2";
     sha256 = "1wp8pnlv34w7xizj1vivnc3fkwqq4qgb9dbrsg15598iw85gi8ll";
   };
+
   buildInputs = [ libX11 xproto ];
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "Stand alone tray";
     maintainers = with maintainers; [ raskin ];
diff --git a/pkgs/applications/window-managers/yabar/default.nix b/pkgs/applications/window-managers/yabar/default.nix
index 2f4a7f0e06c5d..c199cf6c01b0e 100644
--- a/pkgs/applications/window-managers/yabar/default.nix
+++ b/pkgs/applications/window-managers/yabar/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ cairo gdk_pixbuf libconfig pango pkgconfig xcbutilwm ];
 
+  hardeningDisable = [ "format" ];
+
   postPatch = ''
     substituteInPlace ./Makefile --replace "\$(shell git describe)" "${version}"
   '';
diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening
new file mode 100644
index 0000000000000..d5966136b9d55
--- /dev/null
+++ b/pkgs/build-support/cc-wrapper/add-hardening
@@ -0,0 +1,61 @@
+hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow)
+hardeningFlags+=("${hardeningEnable[@]}")
+hardeningCFlags=()
+hardeningLDFlags=()
+hardeningDisable=${hardeningDisable:-""}
+
+if [[ "$($LD -z 2>&1)" =~ "unknown option" ]]; then
+  hardeningDisable+=" bindnow relro"
+fi
+
+if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: Value of '$hardeningDisable': $hardeningDisable >&2; fi
+
+if [[ ! $hardeningDisable == "all" ]]; then
+  if [[ -n "$NIX_DEBUG" ]]; then echo 'HARDENING: Is active (not completely disabled with "all" flag)' >&2; fi
+  for flag in "${hardeningFlags[@]}"
+  do
+    if [[ ! "${hardeningDisable}" =~ "$flag" ]]; then
+      case $flag in
+        fortify)
+          if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling fortify >&2; fi
+          hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
+          ;;
+        stackprotector)
+          if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling stackprotector >&2; fi
+          hardeningCFlags+=('-fstack-protector-strong' '--param ssp-buffer-size=4')
+          ;;
+        pie)
+          if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling CFlags -fPIE >&2; fi
+          hardeningCFlags+=('-fPIE')
+          if [[ ! ("$*" =~ " -shared " || "$*" =~ " -static ") ]]; then
+            if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling LDFlags -pie >&2; fi
+            hardeningLDFlags+=('-pie')
+          fi
+          ;;
+        pic)
+          if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling pic >&2; fi
+          hardeningCFlags+=('-fPIC')
+          ;;
+        strictoverflow)
+          if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling strictoverflow >&2; fi
+          hardeningCFlags+=('-fno-strict-overflow')
+          ;;
+        format)
+          if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling format >&2; fi
+          hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
+          ;;
+        relro)
+          if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling relro >&2; fi
+          hardeningLDFlags+=('-z relro')
+          ;;
+        bindnow)
+          if [[ -n "$NIX_DEBUG" ]]; then echo HARDENING: enabling bindnow >&2; fi
+          hardeningLDFlags+=('-z now')
+          ;;
+        *)
+          echo "Hardening flag unknown: $flag" >&2
+          ;;
+      esac
+    fi
+  done
+fi
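Review bot: The `all` switch only works when it is the whole value, because `[[ ! $hardeningDisable == "all" ]]` compares the entire string. The linker probe above appends `" bindnow relro"`, turning `all` into `all bindnow relro`, and gcc/4.5 in this commit passes `[ "format" ] ++ optional (name != "gnat") "all"`, which presumably arrives as `format all`. In both cases hardening stays active although the package asked for none. Matching `all` as a word fixes this: `if [[ ! " $hardeningDisable " =~ " all " ]]; then`. The per-flag test `=~ "$flag"` is likewise a substring match, so a future flag whose name contains another flag's name would be disabled by accident; that deserves a comment or a word-wise comparison.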
diff --git a/pkgs/build-support/cc-wrapper/cc-wrapper.sh b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
index 024a1866daca7..03f068d8298eb 100644
--- a/pkgs/build-support/cc-wrapper/cc-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/cc-wrapper.sh
@@ -70,7 +70,6 @@ if [ "$nonFlagArgs" = 0 ]; then
     dontLink=1
 fi
 
-
 # Optionally filter out paths not refering to the store.
 if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" ]; then
     rest=()
@@ -117,16 +116,18 @@ if [[ "$isCpp" = 1 ]]; then
     NIX_CFLAGS_LINK="$NIX_CFLAGS_LINK $NIX_CXXSTDLIB_LINK"
 fi
 
+LD=@ldPath@/ld
+source @out@/nix-support/add-hardening.sh
+
 # Add the flags for the C compiler proper.
-extraAfter=($NIX_CFLAGS_COMPILE)
+extraAfter=($NIX_CFLAGS_COMPILE ${hardeningCFlags[@]})
 extraBefore=()
 
-
 if [ "$dontLink" != 1 ]; then
 
     # Add the flags that should only be passed to the compiler when
     # linking.
-    extraAfter+=($NIX_CFLAGS_LINK)
+    extraAfter+=($NIX_CFLAGS_LINK ${hardeningLDFlags[@]})
 
     # Add the flags that should be passed to the linker (and prevent
     # `ld-wrapper' from adding NIX_LDFLAGS again).
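Review bot: `${hardeningCFlags[@]}` and `${hardeningLDFlags[@]}` are expanded unquoted, and the build depends on that. add-hardening stores `'--param ssp-buffer-size=4'`, `'-z relro'` and `'-z now'` as single array elements, which only become separate arguments through word splitting here. Anyone who later quotes these expansions would pass `-z relro` as one argument and break linking. I would add `# expanded unquoted on purpose: add-hardening stores multi-word options as one element` above `extraAfter=`, or store each word as its own element in add-hardening. The flags also land after `$NIX_CFLAGS_COMPILE`, so fortify's `-O2` presumably overrides an optimisation level a package set there.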
diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix
index a37c806905fd9..14ece26f6af02 100644
--- a/pkgs/build-support/cc-wrapper/default.nix
+++ b/pkgs/build-support/cc-wrapper/default.nix
@@ -238,6 +238,7 @@ stdenv.mkDerivation {
       rm $out/nix-support/setup-hook.tmp
 
       substituteAll ${./add-flags} $out/nix-support/add-flags.sh
+      cp -p ${./add-hardening} $out/nix-support/add-hardening.sh
       cp -p ${./utils.sh} $out/nix-support/utils.sh
     ''
     + extraBuildCommands;
diff --git a/pkgs/build-support/cc-wrapper/ld-wrapper.sh b/pkgs/build-support/cc-wrapper/ld-wrapper.sh
index 28d73f046e68f..44d9a047936a5 100644
--- a/pkgs/build-support/cc-wrapper/ld-wrapper.sh
+++ b/pkgs/build-support/cc-wrapper/ld-wrapper.sh
@@ -47,8 +47,10 @@ if [ "$NIX_ENFORCE_PURITY" = 1 -a -n "$NIX_STORE" \
     params=("${rest[@]}")
 fi
 
+LD=@prog@
+source @out@/nix-support/add-hardening.sh
 
-extra=()
+extra=(${hardeningLDFlags[@]})
 extraBefore=()
 
 if [ -z "$NIX_LDFLAGS_SET" ]; then
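Review bot: `extra=(${hardeningLDFlags[@]})` adds the hardening linker flags unconditionally, while cc-wrapper.sh in this commit already appends the same array to `extraAfter` when linking. A link driven through the compiler wrapper therefore presumably receives `-z relro -z now` twice. The `NIX_LDFLAGS_SET` guard right below exists to avoid that kind of double insertion for `NIX_LDFLAGS`. Repeated `-z` keywords are probably harmless, but the duplication should be deliberate and stated, e.g. `# also added by cc-wrapper when linking; repeating -z options is harmless`. The script continues outside the hunk.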
@@ -56,7 +58,7 @@ if [ -z "$NIX_LDFLAGS_SET" ]; then
     extraBefore+=($NIX_LDFLAGS_BEFORE)
 fi
 
-extra+=($NIX_LDFLAGS_AFTER)
+extra+=($NIX_LDFLAGS_AFTER $NIX_LDFLAGS_HARDEN)
 
 
 # Add all used dynamic libraries to the rpath.
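Review bot: `$NIX_LDFLAGS_HARDEN` is not set anywhere in the visible part of this commit. add-hardening fills `hardeningLDFlags`, and the previous hunk already puts that array into `extra`. The variable therefore looks like a leftover from an earlier iteration; if so the line should stay `extra+=($NIX_LDFLAGS_AFTER)`. If it is meant as a user-facing hook, it needs a comment saying so, because an environment variable that injects linker flags into every link should be documented.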
diff --git a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
index 2aa47d799c9a4..7eef5af0adcb9 100644
--- a/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgnomecups/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "0a8xdaxzz2wc0n1fjcav65093gixzyac3948l8cxx1mk884yhc71";
   };
 
+  hardeningDisable = [ "format" ];
+
   patches = [ ./glib.patch ./cups_1.6.patch ];
 
   buildInputs = [ pkgconfig gtk gettext intltool libart_lgpl ];
diff --git a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
index 6aab400c60ae6..be288b809d43a 100644
--- a/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
+++ b/pkgs/desktops/gnome-2/platform/libgtkhtml/default.nix
@@ -2,12 +2,14 @@
 
 stdenv.mkDerivation {
   name = "libgtkhtml-2.11.1";
-  
+
   src = fetchurl {
     url = mirror://gnome/sources/libgtkhtml/2.11/libgtkhtml-2.11.1.tar.bz2;
     sha256 = "0msajafd42545dxzyr5zqka990cjrxw2yz09ajv4zs8m1w6pm9rw";
   };
-  
+
   buildInputs = [ pkgconfig gtk gettext ];
   propagatedBuildInputs = [ libxml2 ];
+
+  hardeningDisable = [ "format" ];
 }
diff --git a/pkgs/desktops/gnome-3/3.20/core/nautilus/default.nix b/pkgs/desktops/gnome-3/3.20/core/nautilus/default.nix
index 67229487085e2..4cb0b7fb35ca9 100644
--- a/pkgs/desktops/gnome-3/3.20/core/nautilus/default.nix
+++ b/pkgs/desktops/gnome-3/3.20/core/nautilus/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
                   gnome3.gnome_desktop gnome3.adwaita-icon-theme
                   gnome3.gsettings_desktop_schemas gnome3.dconf libnotify tracker libselinux ];
 
+  hardeningDisable = [ "format" ];
+
   patches = [ ./extension_dir.patch ];
 
   meta = with stdenv.lib; {
diff --git a/pkgs/desktops/gnome-3/3.20/misc/libgda/default.nix b/pkgs/desktops/gnome-3/3.20/misc/libgda/default.nix
index 75c45634636c2..2e5b0a4af8403 100644
--- a/pkgs/desktops/gnome-3/3.20/misc/libgda/default.nix
+++ b/pkgs/desktops/gnome-3/3.20/misc/libgda/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ pkgconfig intltool itstool libxml2 gtk3 openssl ];
 
   meta = with stdenv.lib; {
diff --git a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix
index 03e9dc9a007fa..ed83dd03eca1c 100644
--- a/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix
+++ b/pkgs/desktops/kde-4.14/kdebindings/qtruby.nix
@@ -1,18 +1,20 @@
-{ kde, cmake, smokeqt, ruby }:
+{ kde, cmake, smokeqt, ruby_2_2 }:
 
 kde {
 
  # TODO: scintilla2, qwt5
 
-  buildInputs = [ smokeqt ruby ];
+  buildInputs = [ smokeqt ruby_2_2 ];
 
   nativeBuildInputs = [ cmake ];
 
+  hardeningDisable = [ "all" ];
+
   # The patch is not ready for upstream submmission.
   # I should add an option() instead.
   patches = [ ./qtruby-install-prefix.patch ];
 
-  cmakeFlags="-DRUBY_ROOT_DIR=${ruby}";
+  cmakeFlags="-DRUBY_ROOT_DIR=${ruby_2_2}";
 
   meta = {
     description = "Ruby bindings for Qt library";
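Review bot: `hardeningDisable = [ "all" ];` switches off every hardening flag for this package without naming which one actually breaks the build. The same hunk also moves the dependency from `ruby` to `ruby_2_2`, which is unrelated to hardening and is not explained either. I would narrow the list to the failing flag(s), or at least add `# FIXME: narrow "all" to the flags that break the build` so the blanket exemption is revisited. The pin to `ruby_2_2` deserves its own one-line comment.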
diff --git a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix
index 603a68cc5f67b..4426907060949 100644
--- a/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix
+++ b/pkgs/desktops/xfce/panel-plugins/xfce4-verve-plugin.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig intltool glib exo pcre libxfce4util libxfce4ui xfce4panel xfconf gtk ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     homepage = "http://goodies.xfce.org/projects/panel-plugins/${p_name}";
     description = "A command-line plugin";
diff --git a/pkgs/development/compilers/ccl/default.nix b/pkgs/development/compilers/ccl/default.nix
index e5e07705a18b0..ee0153c13b0f8 100644
--- a/pkgs/development/compilers/ccl/default.nix
+++ b/pkgs/development/compilers/ccl/default.nix
@@ -5,7 +5,7 @@ let
     /* TODO: there are also MacOS, FreeBSD and Windows versions */
     x86_64-linux = {
       arch = "linuxx86";
-      sha256 = "0d2vhp5n74yhwixnvlsnp7dzaf9aj6zd2894hr2728djyd8x9fx6";
+      sha256 = "07cny2qkzc624bzpdsy4iakcln0p7v5rhf8bv0vnh6rhpvnahrnq";
       runtime = "lx86cl64";
       kernel = "linuxx8664";
     };
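Review bot: The x86_64-linux `sha256` changes while nothing else in the hunk does, in a commit whose stated purpose is compiler hardening flags. A new hash for an unchanged source means the fetched artifact differs from what was pinned before, which is exactly what the pin is meant to surface. The commit message should say why it changed (upstream re-rolled the tarball, or the old hash was wrong) and how the new content was checked. The URL and version are outside the hunk, so the explanation may be there.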
diff --git a/pkgs/development/compilers/clean/default.nix b/pkgs/development/compilers/clean/default.nix
index 7f3e679e84763..3fed2289f9549 100644
--- a/pkgs/development/compilers/clean/default.nix
+++ b/pkgs/development/compilers/clean/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
     })
     else throw "Architecture not supported";
 
+  hardeningDisable = [ "format" "pic" ];
+
   # clm uses timestamps of dcl, icl, abc and o files to decide what must be rebuild
   # and for chroot builds all of the library files will have equal timestamps.  This
   # makes clm try to rebuild the library modules (and fail due to absence of write permission
diff --git a/pkgs/development/compilers/dev86/default.nix b/pkgs/development/compilers/dev86/default.nix
index d17a5775db250..514075651e156 100644
--- a/pkgs/development/compilers/dev86/default.nix
+++ b/pkgs/development/compilers/dev86/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "154dyr2ph4n0kwi8yx0n78j128kw29rk9r9f7s2gddzrdl712jr3";
   };
 
+  hardeningDisable = [ "format" ];
+
   makeFlags = "PREFIX=$(out)";
 
   meta = {
diff --git a/pkgs/development/compilers/ecl/default.nix b/pkgs/development/compilers/ecl/default.nix
index 76ee5219a9004..61737004e6fbe 100644
--- a/pkgs/development/compilers/ecl/default.nix
+++ b/pkgs/development/compilers/ecl/default.nix
@@ -23,9 +23,11 @@ in
 stdenv.mkDerivation {
   inherit (s) name version;
   inherit buildInputs propagatedBuildInputs;
+
   src = fetchurl {
     inherit (s) url sha256;
   };
+
   configureFlags = [
     "--enable-threads"
     "--with-gmp-prefix=${gmp.dev}"
@@ -35,12 +37,16 @@ stdenv.mkDerivation {
     (stdenv.lib.optional (! noUnicode)
       "--enable-unicode")
     ;
+
+  hardeningDisable = [ "format" ];
+
   postInstall = ''
     sed -e 's/@[-a-zA-Z_]*@//g' -i $out/bin/ecl-config
     wrapProgram "$out/bin/ecl" \
       --prefix NIX_LDFLAGS ' ' "-L${gmp.lib or gmp.out or gmp}/lib" \
       --prefix NIX_LDFLAGS ' ' "-L${libffi.lib or libffi.out or libffi}/lib"
   '';
+
   meta = {
     inherit (s) version;
     description = "Lisp implementation aiming to be small, fast and easy to embed";
diff --git a/pkgs/development/compilers/edk2/default.nix b/pkgs/development/compilers/edk2/default.nix
index 99b652e0a5f32..4ddf580fae5d6 100644
--- a/pkgs/development/compilers/edk2/default.nix
+++ b/pkgs/development/compilers/edk2/default.nix
@@ -11,7 +11,7 @@ else
 
 edk2 = stdenv.mkDerivation {
   name = "edk2-2014-12-10";
-  
+
   src = fetchgit {
     url = git://github.com/tianocore/edk2;
     rev = "684a565a04";
@@ -20,9 +20,9 @@ edk2 = stdenv.mkDerivation {
 
   buildInputs = [ libuuid pythonFull ];
 
-  buildPhase = ''
-    make -C BaseTools
-  '';
+  makeFlags = "-C BaseTools";
+
+  hardeningDisable = [ "format" "fortify" ];
 
   installPhase = ''
     mkdir -vp $out
diff --git a/pkgs/development/compilers/gcc/4.5/default.nix b/pkgs/development/compilers/gcc/4.5/default.nix
index 69ff590a63147..7a97b6897145e 100644
--- a/pkgs/development/compilers/gcc/4.5/default.nix
+++ b/pkgs/development/compilers/gcc/4.5/default.nix
@@ -134,6 +134,8 @@ stdenv.mkDerivation ({
     inherit langC langCC langFortran langJava langAda;
   };
 
+  hardeningDisable = [ "format" ] ++ optional (name != "gnat") "all";
+
   patches =
     [ ]
     ++ optional (cross != null) ../libstdc++-target.patch
@@ -207,7 +209,7 @@ stdenv.mkDerivation ({
 
   nativeBuildInputs = [ texinfo which gettext ]
     ++ optional (perl != null) perl;
-    
+
   buildInputs = [ gmp mpfr libmpc libelf ]
     ++ (optional (ppl != null) ppl)
     ++ (optional (cloogppl != null) cloogppl)
diff --git a/pkgs/development/compilers/gcc/4.6/default.nix b/pkgs/development/compilers/gcc/4.6/default.nix
index fad198b1f5c84..f98fde69fc4ba 100644
--- a/pkgs/development/compilers/gcc/4.6/default.nix
+++ b/pkgs/development/compilers/gcc/4.6/default.nix
@@ -193,6 +193,8 @@ stdenv.mkDerivation ({
 
   inherit patches enableMultilib;
 
+  hardeningDisable = [ "format" ];
+
   libc_dev = stdenv.cc.libc_dev;
 
   postPatch =
diff --git a/pkgs/development/compilers/gcc/4.8/default.nix b/pkgs/development/compilers/gcc/4.8/default.nix
index 42fd4bec2ebcc..d15a9a90b7946 100644
--- a/pkgs/development/compilers/gcc/4.8/default.nix
+++ b/pkgs/development/compilers/gcc/4.8/default.nix
@@ -217,6 +217,8 @@ stdenv.mkDerivation ({
 
   inherit patches;
 
+  hardeningDisable = [ "format" ];
+
   outputs = [ "out" "lib" "doc" ];
   setOutputFlags = false;
   NIX_NO_SELF_RPATH = true;
diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix
index a8aa550c93c4d..7bf3e3bb60562 100644
--- a/pkgs/development/compilers/gcc/4.9/default.nix
+++ b/pkgs/development/compilers/gcc/4.9/default.nix
@@ -221,6 +221,8 @@ stdenv.mkDerivation ({
 
   inherit patches;
 
+  hardeningDisable = [ "format" ];
+
   outputs = if langJava || langGo then ["out" "man" "info"]
     else [ "out" "lib" "man" "info" ];
   setOutputFlags = false;
diff --git a/pkgs/development/compilers/gcc/5/default.nix b/pkgs/development/compilers/gcc/5/default.nix
index 2ac4f553f850c..74f7f37e7f30c 100644
--- a/pkgs/development/compilers/gcc/5/default.nix
+++ b/pkgs/development/compilers/gcc/5/default.nix
@@ -219,6 +219,9 @@ stdenv.mkDerivation ({
     inherit sha256;
   };
 
+  # FIXME stackprotector needs gcc 4.9 in bootstrap tools
+  hardeningDisable = [ "stackprotector" "format" ];
+
   inherit patches;
 
   outputs = [ "out" "lib" "man" "info" ];
diff --git a/pkgs/development/compilers/gcc/6/default.nix b/pkgs/development/compilers/gcc/6/default.nix
index ec6f0ca8d14c4..844530ae639b5 100644
--- a/pkgs/development/compilers/gcc/6/default.nix
+++ b/pkgs/development/compilers/gcc/6/default.nix
@@ -226,6 +226,8 @@ stdenv.mkDerivation ({
 
   libc_dev = stdenv.cc.libc_dev;
 
+  hardeningDisable = [ "format" ];
+
   postPatch =
     if (stdenv.isGNU
         || (libcCross != null                  # e.g., building `gcc.crossDrv'
diff --git a/pkgs/development/compilers/gcc/gfortran-darwin.nix b/pkgs/development/compilers/gcc/gfortran-darwin.nix
index 7fa58a053b440..48caeea5f1ff0 100644
--- a/pkgs/development/compilers/gcc/gfortran-darwin.nix
+++ b/pkgs/development/compilers/gcc/gfortran-darwin.nix
@@ -7,12 +7,18 @@
 stdenv.mkDerivation rec {
   name = "gfortran-${version}";
   version = "5.1.0";
-  buildInputs = [gmp mpfr libmpc isl_0_14 cloog zlib];
+
+  buildInputs = [ gmp mpfr libmpc isl_0_14 cloog zlib ];
+
   src = fetchurl {
     url = "mirror://gnu/gcc/gcc-${version}/gcc-${version}.tar.bz2";
     sha256 = "1bd5vj4px3s8nlakbgrh38ynxq4s654m6nxz7lrj03mvkkwgvnmp";
   };
+
   patches = ./gfortran-darwin.patch;
+
+  hardeningDisable = [ "format" ];
+
   configureFlags = ''
     --disable-bootstrap
     --disable-cloog-version-check
@@ -28,11 +34,15 @@ stdenv.mkDerivation rec {
     --with-native-system-header-dir=${Libsystem}/include
     --with-system-zlib
   '';
+
   postConfigure = ''
     export DYLD_LIBRARY_PATH=`pwd`/`uname -m`-apple-darwin`uname -r`/libgcc
   '';
-  makeFlags = ["CC=clang"];
+
+  makeFlags = [ "CC=clang" ];
+
   passthru.cc = stdenv.cc.cc;
+
   meta = with stdenv.lib; {
     description = "GNU Fortran compiler, part of the GNU Compiler Collection";
     homepage    = "https://gcc.gnu.org/fortran/";
diff --git a/pkgs/development/compilers/gcl/default.nix b/pkgs/development/compilers/gcl/default.nix
index cf5b862646e48..0e4d5bed0514c 100644
--- a/pkgs/development/compilers/gcl/default.nix
+++ b/pkgs/development/compilers/gcl/default.nix
@@ -32,24 +32,9 @@ stdenv.mkDerivation rec {
     "--enable-ansi"
   ];
 
-  # Upstream bug submitted - http://savannah.gnu.org/bugs/index.php?30371
-  # $TMPDIR must have no extension
-  # setVars = a.noDepEntry ''
-  #   export TMPDIR="''${TMPDIR:-''${TMP:-''${TEMP}}}/tmp-for-gcl"
-  #   mkdir -p "$TMPDIR"
-  # '';
-
-  preBuild = ''
-    # sed -re "s@/bin/cat@$(which cat)@g" -i configure */configure
-    # sed -re "s@if test -d /proc/self @if false @" -i configure
-    # sed -re 's^([ \t])cpp ^\1cpp -I${stdenv.cc.cc}/include -I${stdenv.cc.libc}/include ^g' -i makefile
-
-    export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -fgnu89-inline"
-  '';
-
-  /* doConfigure should be removed if not needed */
-  # phaseNames = ["setVars" "doUnpack" "preBuild"
-  #   "doConfigure" "doMakeInstall"];
+  hardeningDisable = [ "pic" "bindnow" ];
+
+  NIX_CFLAGS_COMPILE = "-fgnu89-inline";
 
   meta = {
     description = "GNU Common Lisp compiler working via GCC";
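Review bot: `hardeningDisable = [ "pic" "bindnow" ];` is unexplained although both flags weaken the built binary. It leaves relro enabled but removes immediate binding, which as far as I know yields only partial RELRO (the GOT entries for lazily bound symbols stay writable), and dropping pic gives up position-independent code. A comment above the line should record the failure, for example `# gcl's image dumping breaks with -fPIC and -z now (confirm the failing step)`. Separately, `NIX_CFLAGS_COMPILE = "-fgnu89-inline";` replaces an append in preBuild with a plain attribute; that looks equivalent here, but check that no flag the old append preserved is lost.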
diff --git a/pkgs/development/compilers/ghc/6.10.4.nix b/pkgs/development/compilers/ghc/6.10.4.nix
index d8d25ef8082c4..9a816797291bb 100644
--- a/pkgs/development/compilers/ghc/6.10.4.nix
+++ b/pkgs/development/compilers/ghc/6.10.4.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ghc libedit perl gmp];
 
+  hardeningDisable = [ "format" ];
+
   configureFlags = [
     "--with-gmp-libraries=${gmp.out}/lib"
     "--with-gmp-includes=${gmp.dev}/include"
diff --git a/pkgs/development/compilers/go/1.4.nix b/pkgs/development/compilers/go/1.4.nix
index 17c3cc0521778..5b6af31d684f1 100644
--- a/pkgs/development/compilers/go/1.4.nix
+++ b/pkgs/development/compilers/go/1.4.nix
@@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ pcre ];
   propagatedBuildInputs = lib.optional stdenv.isDarwin Security;
 
+  hardeningDisable = [ "all" ];
+
   # I'm not sure what go wants from its 'src', but the go installation manual
   # describes an installation keeping the src.
   preUnpack = ''
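Review bot: `hardeningDisable = [ "all" ];` switches off every hardening flag for the Go toolchain without saying which flag actually breaks the build, and the go/1.5.nix and go/1.6.nix hunks repeat it. A blanket "all" also hides any flag that would have worked, so later additions to the default set are silently skipped for these packages. Either narrow the list to the flags that fail, or record the reason and the intent to narrow it, e.g. `# the Go build rejects the wrapper's hardening flags (confirm which); TODO narrow from "all"`. The derivation body continues outside the hunk.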
diff --git a/pkgs/development/compilers/go/1.5.nix b/pkgs/development/compilers/go/1.5.nix
index b2eb4b1f246fc..e6060f3ecec6e 100644
--- a/pkgs/development/compilers/go/1.5.nix
+++ b/pkgs/development/compilers/go/1.5.nix
@@ -31,6 +31,8 @@ stdenv.mkDerivation rec {
     Security Foundation
   ];
 
+  hardeningDisable = [ "all" ];
+
   # I'm not sure what go wants from its 'src', but the go installation manual
   # describes an installation keeping the src.
   preUnpack = ''
diff --git a/pkgs/development/compilers/go/1.6.nix b/pkgs/development/compilers/go/1.6.nix
index fa2b3d31d75b2..bbf2a946ece67 100644
--- a/pkgs/development/compilers/go/1.6.nix
+++ b/pkgs/development/compilers/go/1.6.nix
@@ -29,6 +29,8 @@ stdenv.mkDerivation rec {
     Security Foundation
   ];
 
+  hardeningDisable = [ "all" ];
+
   # I'm not sure what go wants from its 'src', but the go installation manual
   # describes an installation keeping the src.
   preUnpack = ''
diff --git a/pkgs/development/compilers/gprolog/default.nix b/pkgs/development/compilers/gprolog/default.nix
index 283bfedcf54e4..1465206484d4c 100644
--- a/pkgs/development/compilers/gprolog/default.nix
+++ b/pkgs/development/compilers/gprolog/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
     sha256 = "13miyas47bmijmadm68cbvb21n4s156gjafz7kfx9brk9djfkh0q";
   };
 
+  hardeningDisable = stdenv.lib.optional stdenv.isi686 "pic";
+
   patchPhase = ''
     sed -i -e "s|/tmp/make.log|$TMPDIR/make.log|g" src/Pl2Wam/check_boot
   '';
diff --git a/pkgs/development/compilers/mkcl/default.nix b/pkgs/development/compilers/mkcl/default.nix
index 4d53ba20d0810..daebf3b284ee2 100644
--- a/pkgs/development/compilers/mkcl/default.nix
+++ b/pkgs/development/compilers/mkcl/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ makeWrapper ];
   propagatedBuildInputs = [ gmp ];
 
+  hardeningDisable = [ "format" ];
+
   configureFlags = [
     "GMP_CFLAGS=-I${gmp.dev}/include"
     "GMP_LDFLAGS=-L${gmp.out}/lib"
diff --git a/pkgs/development/compilers/picat/default.nix b/pkgs/development/compilers/picat/default.nix
index 7f2f6158dd89f..e86f3869e49ae 100644
--- a/pkgs/development/compilers/picat/default.nix
+++ b/pkgs/development/compilers/picat/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation {
          else if stdenv.system == "x86_64-linux" then "linux64"
          else throw "Unsupported system";
 
+  hardeningDisable = [ "format" ];
+
   buildPhase = ''
     cd emu
     make -f Makefile.picat.$ARCH
diff --git a/pkgs/development/compilers/qcmm/builder.sh b/pkgs/development/compilers/qcmm/builder.sh
deleted file mode 100644
index acdfbaa08dce0..0000000000000
--- a/pkgs/development/compilers/qcmm/builder.sh
+++ /dev/null
@@ -1,29 +0,0 @@
-source $stdenv/setup
-
-configureFlags="--with-lua=$lua"
-
-MKFLAGS="-w$lua/include/lauxlib.h,$lua/include/luadebug.h,$lua/include/lua.h,$lua/include/lualib.h"
-
-buildPhase() {
-  mk timestamps
-  mk $MKFLAGS all.opt
-}
-
-installPhase() {
-  mk $MKFLAGS install.opt
-
-  for file in $out/bin/*.opt; do
-    mv $file ${file%.opt}
-  done
-
-  find $out/man -type f -exec gzip -9n {} \;
-
-  find $out -name \*.a -exec echo stripping {} \; \
-            -exec strip -S {} \;
-
-  patchELF $out
-}
-
-checkPhase="mk $MKFLAGS test.opt"
-
-genericBuild
diff --git a/pkgs/development/compilers/qcmm/default.nix b/pkgs/development/compilers/qcmm/default.nix
deleted file mode 100644
index a221ae29f04d5..0000000000000
--- a/pkgs/development/compilers/qcmm/default.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{stdenv, fetchurl, mk, ocaml, noweb, lua, groff }: 
-stdenv.mkDerivation {
-  name = "qcmm-2006-01-31";
-  src = fetchurl {
-    url = http://tarballs.nixos.org/qc--20060131.tar.gz;
-    md5 = "9097830775bcf22c9bad54f389f5db23";
-  };
-  buildInputs = [ mk ocaml noweb groff ];
-  patches = [ ./qcmm.patch ];
-  builder = ./builder.sh;
-  inherit lua;
-}
diff --git a/pkgs/development/compilers/qcmm/qcmm.patch b/pkgs/development/compilers/qcmm/qcmm.patch
deleted file mode 100644
index 414f18a9f73ac..0000000000000
--- a/pkgs/development/compilers/qcmm/qcmm.patch
+++ /dev/null
@@ -1,121 +0,0 @@
-diff -ur qc--20060131.orig/configure qc--20060131/configure
---- qc--20060131.orig/configure	2005-11-05 22:15:24.000000000 +0100
-+++ qc--20060131/configure	2006-02-02 14:29:07.000000000 +0100
-@@ -93,7 +93,22 @@
- # for file in dirs and return, full path, if found, and "" otherwise.
- #
- 
--sub search { search_with( sub($) { return (-f shift) }, @_) }
-+sub combine {
-+    my $base = shift;
-+    my $file = shift;
-+    return ("$base/$file")
-+};
-+
-+sub search { search_with( sub($) { return (-f shift) }, \&combine, @_) }
-+
-+sub search_suffix {
-+    my $f = sub($) {
-+        my $suffix = shift;
-+        my $base   = shift;
-+        return ($base . $suffix);
-+    };
-+    search_with(sub($) { return (-f shift) }, $f, @_)
-+}
- 
- sub searchx {
-     my $f = sub($) {
-@@ -105,16 +120,17 @@
-         }
-         return (1==2); # how do you write false in perl?
-     };
--    search_with($f, @_)
-+    search_with($f, \&combine, @_)
- }
- 
- sub search_with {
-     my $p    = shift;
-+    my $com  = shift;
-     my $file = shift;
-    
--    printf(LOG "searching for %-20s", $file); 
-+    printf(LOG "searching for %-20s ", $file); 
-     while ($f = shift (@_)) {
--        my $x = "$f/$file";
-+        my $x = &$com($f, $file);
-         if (&$p($x)) { 
-             print LOG "found $x\n"; 
-             return $x 
-@@ -124,6 +140,20 @@
-     return "";
- }
- 
-+#configure lua based on some known installation prefix
-+sub config_lua {
-+  my $base = shift;
-+  @libsuffix    = ( ".so", "40.so", ".a", "40.a" );
-+
-+  $x{lua_h}       = "$base/include/lua.h";
-+  $x{lualib_h}    = "$base/include/lualib.h";
-+  $x{liblua}      = search_suffix("$base/lib/liblua", @libsuffix);
-+  $x{liblualib}   = search_suffix("$base/lib/liblualib", @libsuffix);
-+  $x{lua_inc}     = "-I$base/include";
-+  $x{lua_lib}     = "-L$base/lib/";
-+  $x{lua_libs}    = "-llua -llualib";
-+}
-+
- 
- #
- # compile and run a small C program to find out about architecture
-@@ -183,6 +213,8 @@
-     
-     ./configure [options]
- 
-+    --with-lua=/lua/path    lua is installed in /lua/path the default
-+                            is to search for standard locations
-     --prefix=/usr/local     install into the /usr/local hierarchy which
-                             is also the default
-     -h, --help              this summary
-@@ -224,15 +256,15 @@
- # We start from here with reading the command line
- # ------------------------------------------------------------------ 
- 
-+open (LOG, ">$configure_log") || die "cannot write configure.log: $!";
-+
- foreach (@ARGV) {
-     if       (/^--?prefix=(.*)$/)             { $x{prefix}=$1     }
-     elsif    (/^--?h(elp?)$/)                 { usage(); exit 0   }  
-+    elsif    (/^--?with-lua=(.*)$/)           { config_lua($1)    }
-     else     { usage(); exit 1 }
- }
- 
--
--open (LOG, ">$configure_log") || die "cannot write configure.log: $!";
--
- # check for various executables and versions. Only update variable if
- # it is not already set.
- #
-diff -ur qc--20060131.orig/doc/mkfile qc--20060131/doc/mkfile
---- qc--20060131.orig/doc/mkfile	2005-11-07 01:41:21.000000000 +0100
-+++ qc--20060131/doc/mkfile	2006-02-02 00:38:00.000000000 +0100
-@@ -92,7 +92,7 @@
- # and accessible from Lua as This.manual.
- 
- qc--.man:D:     qc--.1
--	GROFF_NO_SGR=1 nroff -man -Tascii qc--.1 | ul -t dump > $target                
-+	GROFF_NO_SGR=1 nroff -man -Tascii qc--.1 > $target                
- 
- release.tex:D: release.nw
- 	noweave -delay $prereq > $target
-diff -ur qc--20060131.orig/mkfile qc--20060131/mkfile
---- qc--20060131.orig/mkfile	2005-07-01 22:29:52.000000000 +0200
-+++ qc--20060131/mkfile	2006-02-02 19:15:53.000000000 +0100
-@@ -97,7 +97,7 @@
- 	cd test2 && NPROC=1 mk $MKFLAGS all
- 
- test.opt:V:         all.opt
--	cd test2 && NPROC=1 mk QC=../bin/qc--.opt $MKFLAGS all
-+	cd test2 && NPROC=1 mk $MKFLAGS QC=../bin/qc--.opt all
- 
- coverage: test2/ocamlprof.dump	
- 	rm -f $target
diff --git a/pkgs/development/compilers/squeak/default.nix b/pkgs/development/compilers/squeak/default.nix
index 8aa980b72e601..69529ab762b0a 100644
--- a/pkgs/development/compilers/squeak/default.nix
+++ b/pkgs/development/compilers/squeak/default.nix
@@ -27,6 +27,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "Smalltalk programming language and environment";
     longDescription = ''
diff --git a/pkgs/development/compilers/strategoxt/0.16.nix b/pkgs/development/compilers/strategoxt/0.16.nix
deleted file mode 100644
index 4cfa2c7989202..0000000000000
--- a/pkgs/development/compilers/strategoxt/0.16.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{stdenv, fetchurl, aterm, pkgconfig, getopt}:
-
-rec {
-
-  inherit aterm;
-  
-
-  sdf = stdenv.mkDerivation rec {
-    name = "sdf2-bundle-2.3.3";
-
-    src = fetchurl {
-      url = ftp://ftp.stratego-language.org/pub/stratego/sdf2/sdf2-bundle-2.3.3/sdf2-bundle-2.3.3.tar.gz;
-      md5 = "62ecabe5fbb8bbe043ee18470107ef88";
-    };
-
-    buildInputs = [pkgconfig aterm getopt];
-
-    preConfigure = ''
-      substituteInPlace pgen/src/sdf2table.src \
-        --replace getopt ${getopt}/bin/getopt
-    '';
-
-    meta = {
-      homepage = http://www.program-transformation.org/Sdf/SdfBundle;
-      meta = "Tools for the SDF2 Syntax Definition Formalism, including the `pgen' parser generator and `sglr' parser";
-    };
-  };
-
-  
-  strategoxt = stdenv.mkDerivation {
-    name = "strategoxt-0.16";
-
-    src = fetchurl {
-      url = ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.16/strategoxt-0.16.tar.gz;
-      md5 = "8b8eabbd785faa84ec20134b63d4829e";
-    };
-
-    buildInputs = [pkgconfig aterm sdf getopt];
-
-    meta = {
-      homepage = http://strategoxt.org/;
-      meta = "A language and toolset for program transformation";
-    };
-  };
-  
-    
-}
diff --git a/pkgs/development/compilers/strategoxt/0.17.nix b/pkgs/development/compilers/strategoxt/0.17.nix
deleted file mode 100644
index d621cbf5f0c25..0000000000000
--- a/pkgs/development/compilers/strategoxt/0.17.nix
+++ /dev/null
@@ -1,112 +0,0 @@
-{stdenv, fetchurl, aterm, pkgconfig, getopt, jdk, readline, ncurses}:
-
-rec {
-
-  inherit aterm;
-
-  
-  sdf = stdenv.mkDerivation ( rec {
-    name = "sdf2-bundle-2.4";
-
-    src = fetchurl {
-      url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/sdf2-bundle-2.4.tar.gz";
-      sha256 = "2ec83151173378f48a3326e905d11049d094bf9f0c7cff781bc2fce0f3afbc11";
-    };
-
-    buildInputs = [pkgconfig aterm];
-
-    preConfigure = ''
-      substituteInPlace pgen/src/sdf2table.src \
-        --replace getopt ${getopt}/bin/getopt
-    '';
-
-    meta = {
-      homepage = http://www.program-transformation.org/Sdf/SdfBundle;
-      meta = "Tools for the SDF2 Syntax Definition Formalism, including the `pgen' parser generator and `sglr' parser";
-    };
-  } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2 -Wl,--stack=0x2300000"; } else {} ) ) ;
-
-  
-  strategoxt = stdenv.mkDerivation rec {
-    name = "strategoxt-0.17";
-
-    src = fetchurl {
-      url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/strategoxt-0.17.tar.gz";
-      sha256 = "70355576c3ce3c5a8a26435705a49cf7d13e91eada974a654534d63e0d34acdb";
-    };
-
-    buildInputs = [pkgconfig aterm sdf getopt];
-
-    meta = {
-      homepage = http://strategoxt.org/;
-      meta = "A language and toolset for program transformation";
-    };
-  };
-
-  strategoShell = stdenv.mkDerivation rec {
-    name = "stratego-shell-0.7";
-
-    src = fetchurl {
-      url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/stratego-shell-0.7.tar.gz";
-      sha256 = "0q21vks9gaw9v4rxz90wb0pxzb19l7gwi4nbjvk4zb1imdk7znck";
-    };
-
-    buildInputs = [pkgconfig aterm sdf strategoxt getopt readline ncurses];
-
-    meta = {
-      homepage = http://strategoxt.org/;
-      meta = "A language and toolset for program transformation";
-    };
-  };
-
-
-  javafront = stdenv.mkDerivation (rec {
-    name = "java-front-0.9";
-
-    src = fetchurl {
-      url = "ftp://ftp.strategoxt.org/pub/stratego/java-front/java-front-0.9/java-front-0.9.tar.gz";
-      sha256 = "96f40bf31486d3ced3ecebdcc0067e83ce6acbdbe57e3c847136ac3d7b62cc3c";
-    };
-
-    buildInputs = [pkgconfig aterm sdf strategoxt];
-
-    # !!! The explicit `--with-strategoxt' is necessary; otherwise we
-    # get an XTC registration that refers to "/share/strategoxt/XTC".
-    configureFlags = "--enable-xtc --with-strategoxt=${strategoxt}";
-
-    meta = {
-      homepage = http://strategoxt.org/Stratego/JavaFront;
-      meta = "Tools for generating or transforming Java code";
-    };
-  } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2"; } else {} ) ) ;
-
-
-  dryad = stdenv.mkDerivation rec {
-    name = "dryad-0.2pre18355";
-
-    src = fetchurl {
-      url = "http://releases.strategoxt.org/dryad/${name}-zbqfh1rm/dryad-0.2pre18355.tar.gz";
-      sha256 = "2c27b7f82f87ffc27b75969acc365560651275d348b3b5cbb530276d20ae83ab";
-    };
-
-    buildInputs = [jdk pkgconfig aterm sdf strategoxt javafront];
-
-    meta = {
-      homepage = http://strategoxt.org/Stratego/TheDryad;
-      meta = "A collection of tools for developing transformation systems for Java source and bytecode";
-    };
-  };
-
-
-  /*
-  libraries = ... {
-    configureFlags =
-      if stdenv ? isMinGW && stdenv.isMinGW then "--with-std=C99" else "";
-
-    # avoids loads of warnings about too big description fields because of a broken debug format
-    CFLAGS =
-      if stdenv ? isMinGW && stdenv.isMinGW then "-O2" else null;
-  };
-  */
-  
-}
diff --git a/pkgs/development/compilers/strategoxt/0.18.nix b/pkgs/development/compilers/strategoxt/0.18.nix
deleted file mode 100644
index 611586c5d9328..0000000000000
--- a/pkgs/development/compilers/strategoxt/0.18.nix
+++ /dev/null
@@ -1,124 +0,0 @@
-{stdenv, fetchurl, aterm, pkgconfig, getopt, jdk, makeStaticBinaries, readline, ncurses}:
-
-rec {
-
-  inherit aterm;
-
-  sdf = stdenv.mkDerivation ( rec {
-    name = "sdf2-bundle-2.4";
-
-    src = fetchurl {
-      url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/sdf2-bundle-2.4.tar.gz";
-      sha256 = "2ec83151173378f48a3326e905d11049d094bf9f0c7cff781bc2fce0f3afbc11";
-    };
-
-    buildInputs = [pkgconfig aterm];
-
-    preConfigure = ''
-      substituteInPlace pgen/src/sdf2table.src \
-        --replace getopt ${getopt}/bin/getopt
-    '';
-
-    meta = {
-      homepage = http://www.program-transformation.org/Sdf/SdfBundle;
-      meta = "Tools for the SDF2 Syntax Definition Formalism, including the `pgen' parser generator and `sglr' parser";
-    };
-  } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2 -Wl,--stack=0x2300000"; } else {} ) ) ;
-
-  
-  strategoxt = stdenv.mkDerivation rec {
-    name = "strategoxt-1.8pre24429";
-
-    src = fetchurl {
-      url = http://hydra.nixos.org/build/2175544/download/1/strategoxt-1.8pre24429.tar.gz;
-      sha256 = "124f1d61a440b94c38b731c2e7015340dbbc1deb6d442b31dbecb46b0a00fa83";
-    };
-
-    buildInputs = [pkgconfig aterm sdf getopt];
-
-    meta = {
-      homepage = http://strategoxt.org/;
-      meta = "A language and toolset for program transformation";
-    };
-  };
-
-  strategoShell = stdenv.mkDerivation rec {
-    name = "stratego-shell-0.7";
-
-    src = fetchurl {
-      url = "ftp://ftp.strategoxt.org/pub/stratego/StrategoXT/strategoxt-0.17/stratego-shell-0.7.tar.gz";
-      sha256 = "0q21vks9gaw9v4rxz90wb0pxzb19l7gwi4nbjvk4zb1imdk7znck";
-    };
-
-    buildInputs = [pkgconfig aterm sdf strategoxt getopt readline ncurses];
-
-    meta = {
-      homepage = http://strategoxt.org/;
-      meta = "A language and toolset for program transformation";
-      broken = true;
-    };
-  };
-
-  javafront = stdenv.mkDerivation (rec {
-    name = "java-front-0.9.1pre20122";
-
-    src = fetchurl {
-      url = "http://hydra.nixos.org/build/766286/download/1/java-front-0.9.1pre20122.tar.gz";
-      sha256 = "ef85d3af962fcd54e028ea501e64220b86af335a49143f2819bd3f4789bef7e6";
-    };
-
-    buildInputs = [pkgconfig aterm sdf strategoxt];
-
-    # !!! The explicit `--with-strategoxt' is necessary; otherwise we
-    # get an XTC registration that refers to "/share/strategoxt/XTC".
-    configureFlags = "--enable-xtc --with-strategoxt=${strategoxt}";
-
-    meta = {
-      homepage = http://strategoxt.org/Stratego/JavaFront;
-      meta = "Tools for generating or transforming Java code";
-    };
-  } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2"; } else {} ) ) ;
-
-
-  aspectjfront = stdenv.mkDerivation (rec {
-    name = "aspectj-front-0.2pre20035";
-
-    src = fetchurl {
-      url = "http://hydra.nixos.org/build/175690/download/1/aspectj-front-0.2pre20035.tar.gz";
-      sha256 = "48f6cda6f9f19436e9553e8d27e6bb42500d08370332e3ad214affb49851e58e";
-    };
-
-    buildInputs = [pkgconfig aterm sdf strategoxt javafront];
-
-  } // ( if stdenv.system == "i686-cygwin" then { CFLAGS = "-O2"; } else {} ) ) ;
-
-  dryad = stdenv.mkDerivation rec {
-    name = "dryad-0.2pre18355";
-
-    src = fetchurl {
-      url = "http://releases.strategoxt.org/dryad/${name}-zbqfh1rm/dryad-0.2pre18355.tar.gz";
-      sha256 = "2c27b7f82f87ffc27b75969acc365560651275d348b3b5cbb530276d20ae83ab";
-    };
-
-    buildInputs = [jdk pkgconfig aterm sdf strategoxt javafront];
-
-    meta = {
-      homepage = http://strategoxt.org/Stratego/TheDryad;
-      meta = "A collection of tools for developing transformation systems for Java source and bytecode";
-      broken = true;
-    };
-  };
-
-
-  /*
-  libraries = ... {
-    configureFlags =
-      if stdenv ? isMinGW && stdenv.isMinGW then "--with-std=C99" else "";
-
-    # avoids loads of warnings about too big description fields because of a broken debug format
-    CFLAGS =
-      if stdenv ? isMinGW && stdenv.isMinGW then "-O2" else null;
-  };
-  */
-  
-}
diff --git a/pkgs/development/compilers/swi-prolog/default.nix b/pkgs/development/compilers/swi-prolog/default.nix
index ae3e162910c91..c3e77152b3e08 100644
--- a/pkgs/development/compilers/swi-prolog/default.nix
+++ b/pkgs/development/compilers/swi-prolog/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation {
   buildInputs = [ gmp readline openssl libjpeg unixODBC libXinerama
     libXft libXpm libSM libXt zlib freetype pkgconfig fontconfig ];
 
+  hardeningDisable = [ "format" ];
+
   configureFlags = "--with-world --enable-gmp --enable-shared";
 
   buildFlags = "world";
diff --git a/pkgs/development/compilers/teyjus/default.nix b/pkgs/development/compilers/teyjus/default.nix
index b16b32a6a0620..301915b7a26b7 100644
--- a/pkgs/development/compilers/teyjus/default.nix
+++ b/pkgs/development/compilers/teyjus/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ omake ocaml flex bison ];
 
+  hardeningDisable = [ "format" ];
+
   buildPhase = "omake all";
 
   checkPhase = "omake check";
diff --git a/pkgs/development/compilers/tinycc/default.nix b/pkgs/development/compilers/tinycc/default.nix
index de8044386e700..87e09e3231f29 100644
--- a/pkgs/development/compilers/tinycc/default.nix
+++ b/pkgs/development/compilers/tinycc/default.nix
@@ -24,6 +24,8 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ perl texinfo ];
 
+  hardeningDisable = [ "fortify" ];
+
   postPatch = ''
     substituteInPlace "texi2pod.pl" \
       --replace "/usr/bin/perl" "${perl}/bin/perl"
diff --git a/pkgs/development/compilers/webdsl/default.nix b/pkgs/development/compilers/webdsl/default.nix
deleted file mode 100644
index a0122319aed74..0000000000000
--- a/pkgs/development/compilers/webdsl/default.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ stdenv, fetchurl, pkgconfig, strategoPackages }:
-
-stdenv.mkDerivation rec {
-  name = "webdsl-9.7pre4168";
-
-  src = fetchurl {
-    url = "http://hydra.nixos.org/build/654196/download/1/${name}.tar.gz";
-    sha256 = "08bec3ba02254ec7474ce70206b7be4390fe07456cfc57d927d96a21dd6dcb33";
-  };
-
-  buildInputs =
-    [ pkgconfig strategoPackages.aterm strategoPackages.sdf
-      strategoPackages.strategoxt strategoPackages.javafront
-    ];
-
-  # This corrected a failing build on at least one 64 bit Linux system.
-  # See the comment about this here: http://webdsl.org/selectpage/Download/WebDSLOnLinux
-  preBuild = (if stdenv.system == "x86_64-linux" then "ulimit -s unlimited" else "");
-
-  meta = {
-    homepage = http://webdsl.org/;
-    description = "A domain-specific language for developing dynamic web applications with a rich data model";
-  };
-}
diff --git a/pkgs/development/compilers/wla-dx/default.nix b/pkgs/development/compilers/wla-dx/default.nix
index f01d93cafd6cf..13a48aaaa30c7 100644
--- a/pkgs/development/compilers/wla-dx/default.nix
+++ b/pkgs/development/compilers/wla-dx/default.nix
@@ -2,16 +2,21 @@
 
 stdenv.mkDerivation rec {
   name = "wla-dx-git-2016-02-27";
+
   src = fetchFromGitHub {
     owner = "vhelin";
     repo = "wla-dx";
     rev = "8189fe8d5620584ea16563875ff3c5430527c86a";
     sha256 = "02zgkcyfx7y8j6jvyi12lm29fydnd7m3rxv6g2psv23fyzmpkkir";
   };
+
+  hardeningDisable = [ "format" ];
+
   installPhase = ''
     mkdir -p $out/bin
     install binaries/* $out/bin
   '';
+
   nativeBuildInputs = [ cmake ];
 
   meta = with stdenv.lib; {
diff --git a/pkgs/development/haskell-modules/configuration-common.nix b/pkgs/development/haskell-modules/configuration-common.nix
index 7cba0d1599fdb..6af3d16c35ae4 100644
--- a/pkgs/development/haskell-modules/configuration-common.nix
+++ b/pkgs/development/haskell-modules/configuration-common.nix
@@ -23,7 +23,12 @@ self: super: {
   nanospec = dontCheck super.nanospec;
   options = dontCheck super.options;
   statistics = dontCheck super.statistics;
-  c2hs = if pkgs.stdenv.isDarwin then dontCheck super.c2hs else super.c2hs;
+  c2hs = dontCheck super.c2hs;
+
+  # fix errors caused by hardening flags
+  epanet-haskell = super.epanet-haskell.overrideDerivation (drv: {
+    hardeningDisable = [ "format" ];
+  });
 
   # This test keeps being aborted because it runs too quietly for too long
   Lazy-Pbkdf2 = if pkgs.stdenv.isi686 then dontCheck super.Lazy-Pbkdf2 else super.Lazy-Pbkdf2;
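Review bot: `c2hs = dontCheck super.c2hs;` now skips the c2hs test suite on every platform instead of only on Darwin, and the `# fix errors caused by hardening flags` comment that follows belongs to epanet-haskell, not to this line. If the tests fail under the hardened flags, say so on the line, e.g. `c2hs = dontCheck super.c2hs; # tests fail with hardening enabled (confirm)`; otherwise keep the Darwin condition. As a style point, this hunk calls `super.epanet-haskell.overrideDerivation` while the later hunks in the same file use `pkgs.lib.overrideDerivation`; one form throughout would be easier to read.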
@@ -203,10 +208,24 @@ self: super: {
   jwt = dontCheck super.jwt;
 
   # https://github.com/NixOS/cabal2nix/issues/136 and https://github.com/NixOS/cabal2nix/issues/216
-  gio = addPkgconfigDepend (addBuildTool super.gio self.gtk2hs-buildtools) pkgs.glib;
-  glib = addPkgconfigDepend (addBuildTool super.glib self.gtk2hs-buildtools) pkgs.glib;
-  gtk3 = super.gtk3.override { inherit (pkgs) gtk3; };
-  gtk = addPkgconfigDepend (addBuildTool super.gtk self.gtk2hs-buildtools) pkgs.gtk;
+  gio = pkgs.lib.overrideDerivation (addPkgconfigDepend (
+    addBuildTool super.gio self.gtk2hs-buildtools
+  ) pkgs.glib) (drv: {
+    hardeningDisable = [ "fortify" ];
+  });
+  glib = pkgs.lib.overrideDerivation (addPkgconfigDepend (
+    addBuildTool super.glib self.gtk2hs-buildtools
+  ) pkgs.glib) (drv: {
+    hardeningDisable = [ "fortify" ];
+  });
+  gtk3 = pkgs.lib.overrideDerivation (super.gtk3.override { inherit (pkgs) gtk3; }) (drv: {
+    hardeningDisable = [ "fortify" ];
+  });
+  gtk = pkgs.lib.overrideDerivation (addPkgconfigDepend (
+    addBuildTool super.gtk self.gtk2hs-buildtools
+  ) pkgs.gtk) (drv: {
+    hardeningDisable = [ "fortify" ];
+  });
   gtksourceview2 = (addPkgconfigDepend super.gtksourceview2 pkgs.gtk2).override { inherit (pkgs.gnome2) gtksourceview; };
   gtksourceview3 = super.gtksourceview3.override { inherit (pkgs.gnome3) gtksourceview; };
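Review bot: The same `overrideDerivation … hardeningDisable = [ "fortify" ]` wrapper is pasted onto gio, glib, gtk3 and gtk here, and again onto pango in the last hunk of this file, so re-enabling fortify later means editing five places. A small helper would reduce that to one and give a single home for the missing explanation of why these bindings cannot build with fortify; the cabal2nix issue links above gio concern something else. The helper below is assumed to sit with the file's other helpers, which are outside this hunk.

```nix
# alongside the file's other helpers (outside this hunk):
# fortify is disabled for the gtk2hs bindings; reason to be confirmed and recorded here
disableFortify = drv: pkgs.lib.overrideDerivation drv (_: {
  hardeningDisable = [ "fortify" ];
});

# in the package set:
gio = disableFortify (addPkgconfigDepend (addBuildTool super.gio self.gtk2hs-buildtools) pkgs.glib);
glib = disableFortify (addPkgconfigDepend (addBuildTool super.glib self.gtk2hs-buildtools) pkgs.glib);
gtk3 = disableFortify (super.gtk3.override { inherit (pkgs) gtk3; });
gtk = disableFortify (addPkgconfigDepend (addBuildTool super.gtk self.gtk2hs-buildtools) pkgs.gtk);
# … unchanged: gtksourceview2, gtksourceview3 …
```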
 
@@ -385,7 +404,9 @@ self: super: {
   lensref = dontCheck super.lensref;
   liquidhaskell = dontCheck super.liquidhaskell;
   lucid = dontCheck super.lucid; #https://github.com/chrisdone/lucid/issues/25
-  lvmrun = dontCheck super.lvmrun;
+  lvmrun = pkgs.lib.overrideDerivation (dontCheck super.lvmrun) (drv: {
+    hardeningDisable = [ "format" ];
+  });
   memcache = dontCheck super.memcache;
   milena = dontCheck super.milena;
   nats-queue = dontCheck super.nats-queue;
@@ -933,7 +954,9 @@ self: super: {
 
   # Tools that use gtk2hs-buildtools now depend on them in a custom-setup stanza
   cairo = addBuildTool super.cairo self.gtk2hs-buildtools;
-  pango = addBuildTool super.pango self.gtk2hs-buildtools;
+  pango = (addBuildTool super.pango self.gtk2hs-buildtools).overrideDerivation (drv: {
+    hardeningDisable = [ "fortify" ];
+  });
 
   # Fix tests which would otherwise fail with "Couldn't launch intero process."
   intero = overrideCabal super.intero (drv: {
diff --git a/pkgs/development/interpreters/clisp/2.44.1.nix b/pkgs/development/interpreters/clisp/2.44.1.nix
index 682978a5ac8d5..b7b329ea9560b 100644
--- a/pkgs/development/interpreters/clisp/2.44.1.nix
+++ b/pkgs/development/interpreters/clisp/2.44.1.nix
@@ -1,11 +1,11 @@
 { stdenv, fetchurl, libsigsegv, gettext, ncurses, readline, libX11
 , libXau, libXt, pcre, zlib, libXpm, xproto, libXext, xextproto
 , libffi, libffcall, coreutils }:
-        
+
 stdenv.mkDerivation rec {
   v = "2.44.1";
   name = "clisp-${v}";
-  
+
   src = fetchurl {
     url = "mirror://gnu/clisp/release/${v}/${name}.tar.gz";
     sha256 = "0rkp6j6rih4s5d9acifh7pi4b9xfgcspif512l269dqy9qgyy4j1";
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
       zlib libXpm xproto libXext xextproto libffi libffcall ];
 
   patches = [ ./bits_ipctypes_to_sys_ipc.patch ]; # from Gentoo
-      
+
   # First, replace port 9090 (rather low, can be used)
   # with 64237 (much higher, IANA private area, not
   # anything rememberable).
@@ -29,7 +29,7 @@ stdenv.mkDerivation rec {
 
     substituteInPlace modules/bindings/glibc/linux.lisp --replace "(def-c-type __swblk_t)" ""
   '';
-  
+
   configureFlags =
     ''
       --with-readline builddir --with-dynamic-ffi
@@ -45,6 +45,8 @@ stdenv.mkDerivation rec {
 
   NIX_CFLAGS_COMPILE = "-O0 ${stdenv.lib.optionalString (!stdenv.is64bit) "-falign-functions=4"}";
 
+  hardeningDisable = [ "format" ];
+
   # TODO : make mod-check fails
   doCheck = false;
 
diff --git a/pkgs/development/interpreters/erlang/R14.nix b/pkgs/development/interpreters/erlang/R14.nix
new file mode 100644
index 0000000000000..cf4355a38e16f
--- /dev/null
+++ b/pkgs/development/interpreters/erlang/R14.nix
@@ -0,0 +1,65 @@
+{ stdenv, fetchurl, perl, gnum4, ncurses, openssl
+, makeWrapper, gnused, gawk }:
+
+let version = "14B04"; in
+
+stdenv.mkDerivation {
+  name = "erlang-" + version;
+
+  src = fetchurl {
+    url = "http://www.erlang.org/download/otp_src_R${version}.tar.gz";
+    sha256 = "0vlvjlg8vzcy6inb4vj00bnj0aarvpchzxwhmi492nv31s8kb6q9";
+  };
+
+  buildInputs = [ perl gnum4 ncurses openssl makeWrapper ];
+
+  patchPhase = '' sed -i "s@/bin/rm@rm@" lib/odbc/configure erts/configure '';
+
+  preConfigure = ''
+    export HOME=$PWD/../
+    sed -e s@/bin/pwd@pwd@g -i otp_build
+  '';
+
+  configureFlags = "--with-ssl=${openssl}";
+
+  hardeningDisable = [ "format" ];
+
+  postInstall = let
+    manpages = fetchurl {
+      url = "http://www.erlang.org/download/otp_doc_man_R${version}.tar.gz";
+      sha256 = "1nh7l7wilyyaxvlwkjxgm3cq7wpd90sk6vxhgpvg7hwai8g52545";
+    };
+  in ''
+    tar xf "${manpages}" -C "$out/lib/erlang"
+    for i in "$out"/lib/erlang/man/man[0-9]/*.[0-9]; do
+      prefix="''${i%/*}"
+      ensureDir "$out/share/man/''${prefix##*/}"
+      ln -s "$i" "$out/share/man/''${prefix##*/}/''${i##*/}erl"
+    done
+  '';
+
+  # Some erlang bin/ scripts run sed and awk
+  postFixup = ''
+    wrapProgram $out/lib/erlang/bin/erl --prefix PATH ":" "${gnused}/bin/"
+    wrapProgram $out/lib/erlang/bin/start_erl --prefix PATH ":" "${gnused}/bin/:${gawk}/bin"
+  '';
+
+  setupHook = ./setup-hook.sh;
+
+  meta = {
+    homepage = "http://www.erlang.org/";
+    description = "Programming language used for massively scalable soft real-time systems";
+
+    longDescription = ''
+      Erlang is a programming language used to build massively scalable
+      soft real-time systems with requirements on high availability.
+      Some of its uses are in telecoms, banking, e-commerce, computer
+      telephony and instant messaging. Erlang's runtime system has
+      built-in support for concurrency, distribution and fault
+      tolerance.
+    '';
+
+    platforms = stdenv.lib.platforms.linux;
+    maintainers = [ stdenv.lib.maintainers.simons ];
+  };
+}
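Review bot: `hardeningDisable = [ "format" ];` is added with no comment saying which part of the build fails, so nobody can tell later when the entry can be dropped. As far as I know the `format` flag only adds `-Wformat -Werror=format-security`, so turning it off does not change the produced binary, but it does let non-literal format strings in the sources compile unnoticed. I would add a line above it such as `# sources pass non-literal format strings; build fails with -Werror=format-security` (wording to be confirmed against the real build error), in the style of the `# FIXME needs gcc 4.9 in bootstrap tools` comments in the perl and cloog hunks. The same uncommented `format` entry appears in the clisp, spidermonkey, wasm, CoinMP, accelio, allegro, libbs2b, cgui, cwiid, db-4.x, faac, fox, freetds, fribidi, gd, gdal and gdome2 hunks.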
diff --git a/pkgs/development/interpreters/lua-4/default.nix b/pkgs/development/interpreters/lua-4/default.nix
index 2d216389bd7c9..d6f385f5b503f 100644
--- a/pkgs/development/interpreters/lua-4/default.nix
+++ b/pkgs/development/interpreters/lua-4/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation {
   buildFlags = "all so sobin";
   installFlags = "INSTALL_ROOT=$$out";
 
+  hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector";
+
   meta = {
     homepage = "http://www.lua.org";
     description = "Powerful, fast, lightweight, embeddable scripting language";
diff --git a/pkgs/development/interpreters/lua-5/sec.nix b/pkgs/development/interpreters/lua-5/sec.nix
index a4d14f7e9d70b..478f65fd82849 100644
--- a/pkgs/development/interpreters/lua-5/sec.nix
+++ b/pkgs/development/interpreters/lua-5/sec.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ lua5 openssl ];
 
+  hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector";
+
   preBuild = ''
     makeFlagsArray=(
       linux
diff --git a/pkgs/development/interpreters/lush/default.nix b/pkgs/development/interpreters/lush/default.nix
index 63cf85bc506be..dcfdc11c7a9e8 100644
--- a/pkgs/development/interpreters/lush/default.nix
+++ b/pkgs/development/interpreters/lush/default.nix
@@ -1,32 +1,29 @@
 {stdenv, fetchurl, libX11, xproto, indent, readline, gsl, freeglut, mesa, SDL
 , blas, binutils, intltool, gettext, zlib}:
-let
-  s = # Generated upstream information
-  rec {
-    baseName="lush";
-    version="2.0.1";
-    name="${baseName}-${version}";
-    hash="02pkfn3nqdkm9fm44911dbcz0v3r0l53vygj8xigl6id5g3iwi4k";
+
+stdenv.mkDerivation rec {
+  baseName = "lush";
+  version = "2.0.1";
+  name = "${baseName}-${version}";
+
+  src = fetchurl {
     url="mirror://sourceforge/project/lush/lush2/lush-2.0.1.tar.gz";
     sha256="02pkfn3nqdkm9fm44911dbcz0v3r0l53vygj8xigl6id5g3iwi4k";
   };
+
   buildInputs = [
     libX11 xproto indent readline gsl freeglut mesa SDL blas binutils
     intltool gettext zlib
   ];
-in
-stdenv.mkDerivation {
-  inherit (s) name version;
-  inherit buildInputs;
-  src = fetchurl {
-    inherit (s) url sha256;
-  };
+
+  hardeningDisable = [ "pic" ];
+
   NIX_LDFLAGS=" -lz ";
+
   meta = {
-    inherit (s) version;
-    description = ''Lisp Universal SHell'';
+    description = "Lisp Universal SHell";
     license = stdenv.lib.licenses.gpl2Plus ;
-    maintainers = [stdenv.lib.maintainers.raskin];
+    maintainers = [ stdenv.lib.maintainers.raskin ];
     platforms = stdenv.lib.platforms.linux;
   };
 }
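Review bot: `src.url` still hard-codes `lush-2.0.1.tar.gz` although the rewrite now defines `version` and `name` in the same `rec` set, so a later bump of `version` alone would keep fetching the 2.0.1 tarball under a new package name. With `rec` in place the URL can follow the attributes: `url = "mirror://sourceforge/project/lush/lush2/${name}.tar.gz";`. Note also that `baseName` is now a derivation attribute rather than a `let` binding, so it is passed to the builder environment; if that is not intended, inline it into `name`.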
diff --git a/pkgs/development/interpreters/maude/default.nix b/pkgs/development/interpreters/maude/default.nix
index 737ded6e1bbcb..4493b2c7b8521 100644
--- a/pkgs/development/interpreters/maude/default.nix
+++ b/pkgs/development/interpreters/maude/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [flex bison ncurses buddy tecla gmpxx libsigsegv makeWrapper];
 
+  hardeningDisable = [ "stackprotector" ];
+
   preConfigure = ''
     configureFlagsArray=(
       --datadir=$out/share/maude
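Review bot: `hardeningDisable = [ "stackprotector" ];` switches off a runtime mitigation on every platform and records no reason. Unlike `format`, this changes the shipped binary, so the exemption should be as narrow as the failure; if the build only breaks on 32-bit x86, use the form the lua hunks use, `hardeningDisable = stdenv.lib.optional stdenv.isi686 "stackprotector";` (I cannot tell from the hunk which case applies). Either way, add a one-line comment naming the failing symptom so the entry can be revisited. The supercollider hunk has the same unconditional entry, and the `pic` (lush, accelio), `fortify` (unicon-lang) and `bindnow` (php) entries are likewise uncommented. The derivation continues outside the hunk.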
diff --git a/pkgs/development/interpreters/perl/default.nix b/pkgs/development/interpreters/perl/default.nix
index 99860c3046859..04d6c706b46ce 100644
--- a/pkgs/development/interpreters/perl/default.nix
+++ b/pkgs/development/interpreters/perl/default.nix
@@ -68,6 +68,9 @@ let
 
     enableParallelBuilding = true;
 
+    # FIXME needs gcc 4.9 in bootstrap tools
+    hardeningDisable = [ "stackprotector" ];
+
     preConfigure =
       ''
         configureFlags="$configureFlags -Dprefix=$out -Dman1dir=$out/share/man/man1 -Dman3dir=$out/share/man/man3"
diff --git a/pkgs/development/interpreters/php/default.nix b/pkgs/development/interpreters/php/default.nix
index 3188d94244163..2841a70ddcf1c 100644
--- a/pkgs/development/interpreters/php/default.nix
+++ b/pkgs/development/interpreters/php/default.nix
@@ -257,6 +257,8 @@ let
         calendarSupport = config.php.calendar or true;
       };
 
+      hardeningDisable = [ "bindnow" ];
+
       configurePhase = ''
         # Don't record the configure flags since this causes unnecessary
         # runtime dependencies.
diff --git a/pkgs/development/interpreters/ruby/default.nix b/pkgs/development/interpreters/ruby/default.nix
index 8db9dd4eaf9ab..446013faafdc3 100644
--- a/pkgs/development/interpreters/ruby/default.nix
+++ b/pkgs/development/interpreters/ruby/default.nix
@@ -22,6 +22,7 @@ let
       then version
       else versionNoPatch;
     tag = "v" + stdenv.lib.replaceChars ["." "p" "-"] ["_" "_" ""] fullVersionName;
+    isRuby20 = majorVersion == "2" && minorVersion == "0";
     isRuby21 = majorVersion == "2" && minorVersion == "1";
     baseruby = self.override { useRailsExpress = false; };
     self = lib.makeOverridable (
@@ -81,6 +82,8 @@ let
 
         enableParallelBuilding = true;
 
+        hardeningDisable = lib.optional isRuby20 [ "format" ];
+
         patches =
           [ ./gem_hook.patch ] ++
           (import ./patchsets.nix {
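Review bot: `lib.optional isRuby20 [ "format" ]` wraps its second argument in a list, so for Ruby 2.0 the value becomes `[ [ "format" ] ]` rather than `[ "format" ]`. It may still reach the builder as the right string through list coercion, but any Nix-side code that inspects the list elements would see a list instead of a flag name. Write it as `hardeningDisable = lib.optional isRuby20 "format";` (or `lib.optionals isRuby20 [ "format" ]`), matching the `stdenv.lib.optional stdenv.isi686 "stackprotector"` form used in the lua hunks. The enclosing `let` block starts and ends outside the hunk.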
diff --git a/pkgs/development/interpreters/ruby/patchsets.nix b/pkgs/development/interpreters/ruby/patchsets.nix
index 0e81db4e047f7..bf848aba58258 100644
--- a/pkgs/development/interpreters/ruby/patchsets.nix
+++ b/pkgs/development/interpreters/ruby/patchsets.nix
@@ -3,6 +3,7 @@
 rec {
   "1.9.3" = [
     ./ssl_v3.patch
+    ./rand-egd.patch
     ./ruby19-parallel-install.patch
     ./bitperfect-rdoc.patch
   ] ++ ops useRailsExpress [
@@ -28,6 +29,7 @@ rec {
   ];
   "2.0.0" = [
     ./ssl_v3.patch
+    ./rand-egd.patch
   ] ++ ops useRailsExpress [
     "${patchSet}/patches/ruby/2.0.0/p${patchLevel}/railsexpress/01-zero-broken-tests.patch"
     "${patchSet}/patches/ruby/2.0.0/p${patchLevel}/railsexpress/02-railsexpress-gc.patch"
@@ -36,6 +38,7 @@ rec {
   ];
   "2.1.7" = [
     ./ssl_v3.patch
+    ./rand-egd.patch
   ] ++ ops useRailsExpress [
     "${patchSet}/patches/ruby/2.1.7/railsexpress/01-zero-broken-tests.patch"
     "${patchSet}/patches/ruby/2.1.7/railsexpress/02-improve-gc-stats.patch"
@@ -49,6 +52,7 @@ rec {
   ];
   "2.2.3" = [
     ./ssl_v3.patch
+    ./ruby22-rand-egd.patch
   ] ++ ops useRailsExpress [
     "${patchSet}/patches/ruby/2.2.3/railsexpress/01-zero-broken-tests.patch"
     "${patchSet}/patches/ruby/2.2.3/railsexpress/02-improve-gc-stats.patch"
diff --git a/pkgs/development/interpreters/ruby/rand-egd.patch b/pkgs/development/interpreters/ruby/rand-egd.patch
new file mode 100644
index 0000000000000..e4f6452000c22
--- /dev/null
+++ b/pkgs/development/interpreters/ruby/rand-egd.patch
@@ -0,0 +1,42 @@
+diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
+index e272cba..3a1fa71 100644
+--- a/ext/openssl/extconf.rb
++++ b/ext/openssl/extconf.rb
+@@ -87,6 +87,7 @@
+ have_func("PEM_def_callback")
+ have_func("PKCS5_PBKDF2_HMAC")
+ have_func("PKCS5_PBKDF2_HMAC_SHA1")
++have_func("RAND_egd")
+ have_func("X509V3_set_nconf")
+ have_func("X509V3_EXT_nconf_nid")
+ have_func("X509_CRL_add0_revoked")
+diff --git a/ext/openssl/ossl_rand.c b/ext/openssl/ossl_rand.c
+index 29cbf8c..27466fe 100644
+--- a/ext/openssl/ossl_rand.c
++++ b/ext/openssl/ossl_rand.c
+@@ -148,6 +148,7 @@ ossl_rand_pseudo_bytes(VALUE self, VALUE len)
+     return str;
+ }
+ 
++#ifdef HAVE_RAND_EGD
+ /*
+  *  call-seq:
+  *     egd(filename) -> true
+@@ -186,6 +187,7 @@ ossl_rand_egd_bytes(VALUE self, VALUE filename, VALUE len)
+     }
+     return Qtrue;
+ }
++#endif /* HAVE_RAND_EGD */
+ 
+ /*
+  *  call-seq:
+@@ -219,7 +221,9 @@ Init_ossl_rand(void)
+     DEFMETH(mRandom, "write_random_file", ossl_rand_write_file, 1);
+     DEFMETH(mRandom, "random_bytes", ossl_rand_bytes, 1);
+     DEFMETH(mRandom, "pseudo_bytes", ossl_rand_pseudo_bytes, 1);
++#ifdef HAVE_RAND_EGD
+     DEFMETH(mRandom, "egd", ossl_rand_egd, 1);
+     DEFMETH(mRandom, "egd_bytes", ossl_rand_egd_bytes, 2);
++#endif /* HAVE_RAND_EGD */
+     DEFMETH(mRandom, "status?", ossl_rand_status, 0)
+ }
diff --git a/pkgs/development/interpreters/ruby/ruby22-rand-egd.patch b/pkgs/development/interpreters/ruby/ruby22-rand-egd.patch
new file mode 100644
index 0000000000000..ebf2bf56fcfa3
--- /dev/null
+++ b/pkgs/development/interpreters/ruby/ruby22-rand-egd.patch
@@ -0,0 +1,42 @@
+diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
+index e272cba..3a1fa71 100644
+--- a/ext/openssl/extconf.rb
++++ b/ext/openssl/extconf.rb
+@@ -87,6 +87,7 @@
+ have_func("PEM_def_callback")
+ have_func("PKCS5_PBKDF2_HMAC")
+ have_func("PKCS5_PBKDF2_HMAC_SHA1")
++have_func("RAND_egd")
+ have_func("X509V3_set_nconf")
+ have_func("X509V3_EXT_nconf_nid")
+ have_func("X509_CRL_add0_revoked")
+diff --git a/ext/openssl/ossl_rand.c b/ext/openssl/ossl_rand.c
+index 29cbf8c..27466fe 100644
+--- a/ext/openssl/ossl_rand.c
++++ b/ext/openssl/ossl_rand.c
+@@ -148,6 +148,7 @@ ossl_rand_pseudo_bytes(VALUE self, VALUE len)
+     return str;
+ }
+ 
++#ifdef HAVE_RAND_EGD
+ /*
+  *  call-seq:
+  *     egd(filename) -> true
+@@ -186,6 +187,7 @@ ossl_rand_egd_bytes(VALUE self, VALUE filename, VALUE len)
+     }
+     return Qtrue;
+ }
++#endif /* HAVE_RAND_EGD */
+ 
+ /*
+  *  call-seq:
+@@ -219,8 +221,10 @@ Init_ossl_rand(void)
+     rb_define_module_function(mRandom, "write_random_file", ossl_rand_write_file, 1);
+     rb_define_module_function(mRandom, "random_bytes", ossl_rand_bytes, 1);
+     rb_define_module_function(mRandom, "pseudo_bytes", ossl_rand_pseudo_bytes, 1);
++#ifdef HAVE_RAND_EGD
+     rb_define_module_function(mRandom, "egd", ossl_rand_egd, 1);
+     rb_define_module_function(mRandom, "egd_bytes", ossl_rand_egd_bytes, 2);
++#endif /* HAVE_RAND_EGD */
+     rb_define_module_function(mRandom, "status?", ossl_rand_status, 0);
+ }
diff --git a/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix b/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix
index 46dedb36de967..41d37d3e39a00 100644
--- a/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix
+++ b/pkgs/development/interpreters/spidermonkey/1.8.0-rc1.nix
@@ -13,9 +13,11 @@ stdenv.mkDerivation rec {
 
   postUnpack = "sourceRoot=\${sourceRoot}/src";
 
+  hardeningDisable = [ "format" ];
+
   makefileExtra = ./Makefile.extra;
   makefile = "Makefile.ref";
-  
+
   patchPhase =
     ''
       cat ${makefileExtra} >> ${makefile}
diff --git a/pkgs/development/interpreters/spidermonkey/default.nix b/pkgs/development/interpreters/spidermonkey/default.nix
index 21ba0b8cba484..1fe4b90b2b80b 100644
--- a/pkgs/development/interpreters/spidermonkey/default.nix
+++ b/pkgs/development/interpreters/spidermonkey/default.nix
@@ -8,6 +8,9 @@ stdenv.mkDerivation rec {
     sha256 = "12v6v2ccw1y6ng3kny3xw0lfs58d1klylqq707k0x04m707kydj4";
   };
 
+  hardeningDisable = [ "format" ]
+    ++ stdenv.lib.optional stdenv.isi686 "stackprotector";
+
   buildInputs = [ readline ];
 
   postUnpack = "sourceRoot=\${sourceRoot}/src";
diff --git a/pkgs/development/interpreters/supercollider/default.nix b/pkgs/development/interpreters/supercollider/default.nix
index 20690cbd4772d..dcb1f8e7062e7 100644
--- a/pkgs/development/interpreters/supercollider/default.nix
+++ b/pkgs/development/interpreters/supercollider/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation rec {
     sha256 = "1mybxcnl7flliz74kdfnvh18v5dwd9zbdsw2kc7wpl4idcly1n0s";
   };
 
+  hardeningDisable = [ "stackprotector" ];
+
   cmakeFlags = ''
     -DSC_WII=OFF
     -DSC_EL=${if useSCEL then "ON" else "OFF"}
@@ -26,7 +28,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [
     gcc libjack2 libsndfile fftw curl libXt qt55.qtwebkit qt55.qttools readline ]
-    ++ optional useSCEL emacs;
+      ++ optional useSCEL emacs;
 
   meta = {
     description = "Programming language for real time audio synthesis";
diff --git a/pkgs/development/interpreters/unicon-lang/default.nix b/pkgs/development/interpreters/unicon-lang/default.nix
index 7487aa6331314..a6dfec49b2a25 100644
--- a/pkgs/development/interpreters/unicon-lang/default.nix
+++ b/pkgs/development/interpreters/unicon-lang/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
   };
   buildInputs = [ libX11 libXt unzip ];
 
+  hardeningDisable = [ "fortify" ];
+
   sourceRoot = ".";
 
   configurePhase = ''
diff --git a/pkgs/development/interpreters/wasm/default.nix b/pkgs/development/interpreters/wasm/default.nix
index 56eebbf89a2e9..9a30ae7d8a85d 100644
--- a/pkgs/development/interpreters/wasm/default.nix
+++ b/pkgs/development/interpreters/wasm/default.nix
@@ -17,6 +17,9 @@ let
     buildInputs = [ cmake clang python ];
 
     buildPhase = "make clang-debug-no-tests";
+
+    hardeningDisable = [ "format" ];
+
     installPhase = ''
       mkdir -p $out/bin
       cp out/clang/Debug/no-tests/sexpr-wasm $out/bin
diff --git a/pkgs/development/libraries/CoinMP/default.nix b/pkgs/development/libraries/CoinMP/default.nix
index e819078f78685..079c0a5cf6f7c 100644
--- a/pkgs/development/libraries/CoinMP/default.nix
+++ b/pkgs/development/libraries/CoinMP/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "0gqi2vqkg35gazzzv8asnhihchnbjcd6bzjfzqhmj7wy1dw9iiw6";
   };
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     homepage = https://projects.coin-or.org/CoinMP/;
     description = "COIN-OR lightweight API for COIN-OR libraries CLP, CBC, and CGL";
diff --git a/pkgs/development/libraries/a52dec/default.nix b/pkgs/development/libraries/a52dec/default.nix
index 5c7cd9fddc627..d8a56a3d28ed4 100644
--- a/pkgs/development/libraries/a52dec/default.nix
+++ b/pkgs/development/libraries/a52dec/default.nix
@@ -8,8 +8,6 @@ stdenv.mkDerivation rec {
     sha256 = "0czccp4fcpf2ykp16xcrzdfmnircz1ynhls334q374xknd5747d2";
   };
 
-  NIX_CFLAGS_COMPILE = "-fpic";
-
   # From Handbrake
   patches = [
     ./A00-a52-state-t-public.patch
diff --git a/pkgs/development/libraries/accelio/default.nix b/pkgs/development/libraries/accelio/default.nix
index 76c5cf32bbdbb..002b26078f539 100644
--- a/pkgs/development/libraries/accelio/default.nix
+++ b/pkgs/development/libraries/accelio/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
     sha256 = "172frqk2n43g0arhazgcwfvj0syf861vdzdpxl7idr142bb0ykf7";
   };
 
+  hardeningDisable = [ "format" "pic" ];
+
   patches = [ ./fix-printfs.patch ];
 
   postPatch = ''
diff --git a/pkgs/development/libraries/allegro/default.nix b/pkgs/development/libraries/allegro/default.nix
index deb3a6877e895..997a8d223054e 100644
--- a/pkgs/development/libraries/allegro/default.nix
+++ b/pkgs/development/libraries/allegro/default.nix
@@ -18,6 +18,8 @@ stdenv.mkDerivation rec {
     xf86dgaproto xf86miscproto xf86vidmodeproto libXxf86vm openal mesa
   ];
 
+  hardeningDisable = [ "format" ];
+
   cmakeFlags = [ "-DCMAKE_SKIP_RPATH=ON" ];
 
   meta = with stdenv.lib; {
diff --git a/pkgs/development/libraries/aterm/2.5.nix b/pkgs/development/libraries/aterm/2.5.nix
deleted file mode 100644
index c1bbbb0ae5a92..0000000000000
--- a/pkgs/development/libraries/aterm/2.5.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{stdenv, fetchurl}:
-
-stdenv.mkDerivation {
-  name = "aterm-2.5-r21238";
-
-  src = fetchurl {
-    url = http://buildfarm.st.ewi.tudelft.nl/releases/meta-environment/aterm-2.5pre21238-l2q7rg38/aterm-2.5.tar.gz;
-    md5 = "33ddcb1a229baf406ad1f603eb1d5995";
-  };
-
-  patches = [
-    # Fix for http://bugzilla.sen.cwi.nl:8080/show_bug.cgi?id=841
-    ./max-long.patch
-
-    # Patch the ATerm header files so that they don't rely on
-    # SIZEOF_LONG, SIZEOF_INT and SIZEOF_VOID_P being set.
-    ./sizeof.patch
-  ];
-
-  doCheck = true;
-
-  dontDisableStatic = true;
-
-  NIX_CFLAGS_COMPILE = "-D__USE_BSD";
-
-  meta = {
-    homepage = http://www.cwi.nl/htbin/sen1/twiki/bin/view/SEN1/ATerm;
-    license = "LGPL";
-    description = "Library for manipulation of term data structures in C";
-    platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin;
-    maintainers = [ stdenv.lib.maintainers.eelco ];
-    broken = true;
-  };
-}
diff --git a/pkgs/development/libraries/aterm/max-long.patch b/pkgs/development/libraries/aterm/max-long.patch
deleted file mode 100644
index a2f260b970b3d..0000000000000
--- a/pkgs/development/libraries/aterm/max-long.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-diff -rc aterm-2.8-orig/aterm/hash.c aterm-2.8/aterm/hash.c
-*** aterm-2.8-orig/aterm/hash.c	2008-11-10 13:54:22.000000000 +0100
---- aterm-2.8/aterm/hash.c	2009-01-27 18:14:14.000000000 +0100
-***************
-*** 93,146 ****
-  }
-  
-  /*}}}  */
-- /*{{{  static long calc_long_max() */
-- static long calc_long_max()
-- {
--   long try_long_max;
--   long long_max;
--   long delta;
-- 
--   try_long_max = 1;
--   do {
--     long_max = try_long_max;
--     try_long_max = long_max * 2;
--   } while (try_long_max > 0);
-- 
--   delta = long_max;
--   while (delta > 1) {
--     while (long_max + delta < 0) {
--       delta /= 2;
--     }
--     long_max += delta;
--   }
-- 
--   return long_max;
-- 
-- }
-- /*}}}  */
-  /*{{{  static long calculateNewSize(sizeMinus1, nrdel, nrentries) */
-  
-  static long calculateNewSize
-  (long sizeMinus1, long nr_deletions, long nr_entries)
-  { 
-- 
--   /* Hack: LONG_MAX (limits.h) is often unreliable, we need to find
--    * out the maximum possible value of a signed long dynamically.
--    */
--   static long st_long_max = 0;
-- 
--   /* the resulting length has the form 2^k-1 */
-- 
-    if (nr_deletions >= nr_entries/2) { 
-      return sizeMinus1;
-    }
-  
-!   if (st_long_max == 0) {
-!     st_long_max = calc_long_max();
-!   }
-! 
-!   if (sizeMinus1 > st_long_max / 2) {
-!     return st_long_max-1;
-    }
-  
-    return (2*sizeMinus1)+1;
---- 93,109 ----
-  }
-  
-  /*}}}  */
-  /*{{{  static long calculateNewSize(sizeMinus1, nrdel, nrentries) */
-  
-  static long calculateNewSize
-  (long sizeMinus1, long nr_deletions, long nr_entries)
-  { 
-    if (nr_deletions >= nr_entries/2) { 
-      return sizeMinus1;
-    }
-  
-!   if (sizeMinus1 > LONG_MAX / 2) {
-!     return LONG_MAX-1;
-    }
-  
-    return (2*sizeMinus1)+1;
diff --git a/pkgs/development/libraries/aterm/sizeof.patch b/pkgs/development/libraries/aterm/sizeof.patch
deleted file mode 100644
index 2649cc564913a..0000000000000
--- a/pkgs/development/libraries/aterm/sizeof.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-diff -rc -x '*~' aterm-2.5-orig/aterm/aterm.c aterm-2.5/aterm/aterm.c
-*** aterm-2.5-orig/aterm/aterm.c	2007-02-27 23:41:31.000000000 +0100
---- aterm-2.5/aterm/aterm.c	2010-02-23 15:10:38.000000000 +0100
-***************
-*** 150,155 ****
---- 150,157 ----
-    if (initialized)
-      return;
-  
-+   assert(sizeof(long) == sizeof(void *));
-+ 
-    /*{{{  Handle arguments */
-  
-    for (lcv=1; lcv < argc; lcv++) {
-diff -rc -x '*~' aterm-2.5-orig/aterm/encoding.h aterm-2.5/aterm/encoding.h
-*** aterm-2.5-orig/aterm/encoding.h	2007-02-27 23:41:31.000000000 +0100
---- aterm-2.5/aterm/encoding.h	2010-02-23 15:36:05.000000000 +0100
-***************
-*** 10,24 ****
-  {
-  #endif/* __cplusplus */
-  
-! #if SIZEOF_LONG > 4
-! #define AT_64BIT
-  #endif
-  
-! #if SIZEOF_LONG != SIZEOF_VOID_P
-! #error Size of long is not the same as the size of a pointer
-  #endif
-  
-! #if SIZEOF_INT > 4
-  #error Size of int is not 32 bits
-  #endif
-  
---- 10,30 ----
-  {
-  #endif/* __cplusplus */
-  
-! #include <limits.h>
-! 
-! #ifndef SIZEOF_LONG
-! #if ULONG_MAX > 4294967295
-! #define SIZEOF_LONG 8
-! #else
-! #define SIZEOF_LONG 4
-! #endif
-  #endif
-  
-! #if SIZEOF_LONG > 4
-! #define AT_64BIT
-  #endif
-  
-! #if UINT_MAX > 4294967295
-  #error Size of int is not 32 bits
-  #endif
-  
diff --git a/pkgs/development/libraries/audio/libbs2b/default.nix b/pkgs/development/libraries/audio/libbs2b/default.nix
index d81bceffffbc9..b625bb18b88fe 100644
--- a/pkgs/development/libraries/audio/libbs2b/default.nix
+++ b/pkgs/development/libraries/audio/libbs2b/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig libsndfile ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     homepage = "http://bs2b.sourceforge.net/";
     description = "Bauer stereophonic-to-binaural DSP library";
diff --git a/pkgs/development/libraries/cgui/default.nix b/pkgs/development/libraries/cgui/default.nix
index 0f11786223602..da9d1122cc54a 100644
--- a/pkgs/development/libraries/cgui/default.nix
+++ b/pkgs/development/libraries/cgui/default.nix
@@ -12,10 +12,11 @@ stdenv.mkDerivation rec {
   buildInputs = [ texinfo allegro perl ];
 
   configurePhase = ''
-    export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -fPIC"
     sh fix.sh unix
   '';
 
+  hardeningDisable = [ "format" ];
+
   makeFlags = [ "SYSTEM_DIR=$(out)" ];
 
   meta = with stdenv.lib; {
diff --git a/pkgs/development/libraries/cloog/0.18.0.nix b/pkgs/development/libraries/cloog/0.18.0.nix
index ccd938283199d..359bde2e0582a 100644
--- a/pkgs/development/libraries/cloog/0.18.0.nix
+++ b/pkgs/development/libraries/cloog/0.18.0.nix
@@ -18,6 +18,9 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardeningDisable = [ "stackprotector" ];
+
   meta = {
     description = "Library that generates loops for scanning polyhedra";
 
diff --git a/pkgs/development/libraries/ctpp2/default.nix b/pkgs/development/libraries/ctpp2/default.nix
index 00b5f7a8f13cf..905121286c810 100644
--- a/pkgs/development/libraries/ctpp2/default.nix
+++ b/pkgs/development/libraries/ctpp2/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, cmake, gcc48 }:
+{ stdenv, fetchurl, cmake }:
 
 stdenv.mkDerivation rec {
   name = "ctpp2";
@@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
     sha256 = "1z22zfw9lb86z4hcan9hlvji49c9b7vznh7gjm95gnvsh43zsgx8";
   };
 
-  buildInputs = [ cmake gcc48 ];
+  buildInputs = [ cmake ];
 
   patchPhase = ''
     # include <unistd.h> to fix undefined getcwd
diff --git a/pkgs/development/libraries/cwiid/default.nix b/pkgs/development/libraries/cwiid/default.nix
index 41d6320adc6c8..980155c007a9f 100644
--- a/pkgs/development/libraries/cwiid/default.nix
+++ b/pkgs/development/libraries/cwiid/default.nix
@@ -1,26 +1,34 @@
 { stdenv, autoreconfHook, fetchgit, bison, flex, bluez, pkgconfig, gtk }:
 
 stdenv.mkDerivation rec {
-    name = "cwiid-2010-02-21-git";
-    src = fetchgit {
-        url = https://github.com/abstrakraft/cwiid;
-        sha256 = "0qdb0x757k76nfj32xc2nrrdqd9jlwgg63vfn02l2iznnzahxp0h";
-        rev = "fadf11e89b579bcc0336a0692ac15c93785f3f82";
-    };
-    configureFlags = "--without-python";
-    prePatch = ''
-        sed -i -e '/$(LDCONFIG)/d' common/include/lib.mak.in
-    '';
-    buildInputs = [ autoreconfHook bison flex bluez pkgconfig gtk ];
-    postInstall = ''
-        # Some programs (for example, cabal-install) have problems with the double 0
-        sed -i -e "s/0.6.00/0.6.0/" $out/lib/pkgconfig/cwiid.pc
-    '';
-    meta = {
-        description = "Linux Nintendo Wiimote interface";
-        homepage = http://cwiid.org;
-        license = stdenv.lib.licenses.gpl2Plus;
-        maintainers = [ stdenv.lib.maintainers.bennofs ];
-        platforms = stdenv.lib.platforms.linux; 
-    };   
+  name = "cwiid-2010-02-21-git";
+
+  src = fetchgit {
+      url = https://github.com/abstrakraft/cwiid;
+      sha256 = "0qdb0x757k76nfj32xc2nrrdqd9jlwgg63vfn02l2iznnzahxp0h";
+      rev = "fadf11e89b579bcc0336a0692ac15c93785f3f82";
+  };
+
+  hardeningDisable = [ "format" ];
+
+  configureFlags = "--without-python";
+
+  prePatch = ''
+    sed -i -e '/$(LDCONFIG)/d' common/include/lib.mak.in
+  '';
+
+  buildInputs = [ autoreconfHook bison flex bluez pkgconfig gtk ];
+
+  postInstall = ''
+    # Some programs (for example, cabal-install) have problems with the double 0
+    sed -i -e "s/0.6.00/0.6.0/" $out/lib/pkgconfig/cwiid.pc
+  '';
+
+  meta = {
+    description = "Linux Nintendo Wiimote interface";
+    homepage = http://cwiid.org;
+    license = stdenv.lib.licenses.gpl2Plus;
+    maintainers = [ stdenv.lib.maintainers.bennofs ];
+    platforms = stdenv.lib.platforms.linux;
+  };
 }
diff --git a/pkgs/development/libraries/db/db-4.4.nix b/pkgs/development/libraries/db/db-4.4.nix
index 757b1f71405b6..00875d73f4189 100644
--- a/pkgs/development/libraries/db/db-4.4.nix
+++ b/pkgs/development/libraries/db/db-4.4.nix
@@ -5,4 +5,5 @@ import ./generic.nix (args // rec {
   extraPatches = [ ./cygwin-4.4.patch ];
   sha256 = "0y9vsq8dkarx1mhhip1vaciz6imbbyv37c1dm8b20l7p064bg2i9";
   branch = "4.4";
+  drvArgs = { hardeningDisable = [ "format" ]; };
 })
diff --git a/pkgs/development/libraries/db/db-4.5.nix b/pkgs/development/libraries/db/db-4.5.nix
index b1e4b2c47085e..84b5ea67420ad 100644
--- a/pkgs/development/libraries/db/db-4.5.nix
+++ b/pkgs/development/libraries/db/db-4.5.nix
@@ -5,4 +5,5 @@ import ./generic.nix (args // rec {
   extraPatches = [ ./cygwin-4.5.patch ./register-race-fix.patch ];
   sha256 = "0bd81k0qv5i8w5gbddrvld45xi9k1gvmcrfm0393v0lrm37dab7m";
   branch = "4.5";
+  drvArgs = { hardeningDisable = [ "format" ]; };
 })
diff --git a/pkgs/development/libraries/db/db-4.7.nix b/pkgs/development/libraries/db/db-4.7.nix
index 9a7d586cd0428..6016d112d5171 100644
--- a/pkgs/development/libraries/db/db-4.7.nix
+++ b/pkgs/development/libraries/db/db-4.7.nix
@@ -4,4 +4,5 @@ import ./generic.nix (args // rec {
   version = "4.7.25";
   sha256 = "0gi667v9cw22c03hddd6xd6374l0pczsd56b7pba25c9sdnxjkzi";
   branch = "4.7";
+  drvArgs = { hardeningDisable = [ "format" ]; };
 })
diff --git a/pkgs/development/libraries/db/db-4.8.nix b/pkgs/development/libraries/db/db-4.8.nix
index 6a161b0b72d8d..40869a865ae5f 100644
--- a/pkgs/development/libraries/db/db-4.8.nix
+++ b/pkgs/development/libraries/db/db-4.8.nix
@@ -5,4 +5,5 @@ import ./generic.nix (args // rec {
   extraPatches = [ ./clang-4.8.patch ];
   sha256 = "0ampbl2f0hb1nix195kz1syrqqxpmvnvnfvphambj7xjrl3iljg0";
   branch = "4.8";
+  drvArgs = { hardeningDisable = [ "format" ]; };
 })
diff --git a/pkgs/development/libraries/db/generic.nix b/pkgs/development/libraries/db/generic.nix
index f5ee4e440ff00..fdc828effdfbe 100644
--- a/pkgs/development/libraries/db/generic.nix
+++ b/pkgs/development/libraries/db/generic.nix
@@ -7,9 +7,10 @@
 , extraPatches ? [ ]
 , license ? stdenv.lib.licenses.sleepycat
 , branch ? null
+, drvArgs ? {}
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (rec {
   name = "db-${version}";
 
   src = fetchurl {
@@ -42,4 +43,4 @@ stdenv.mkDerivation rec {
     platforms = platforms.unix;
     branch = branch;
   };
-}
+} // drvArgs)
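Review bot: `} // drvArgs` is a shallow, right-biased merge, so any key in `drvArgs` replaces the attribute of the same name from the `rec` block wholesale instead of extending it. The db-4.x callers in this commit only pass `hardeningDisable`, so a narrow parameter would say what is meant and could not override anything else: `, hardeningDisable ? []` in the argument list and `inherit hardeningDisable;` in the derivation, alongside the existing `extraPatches`. If the open-ended hook is wanted, add a comment at the parameter such as `# extra mkDerivation attributes; overrides attributes defined below`. The body of the derivation lies between the two hunks and is not visible here.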
diff --git a/pkgs/development/libraries/faac/default.nix b/pkgs/development/libraries/faac/default.nix
index 802aafc444c3f..1ab01033f4df0 100644
--- a/pkgs/development/libraries/faac/default.nix
+++ b/pkgs/development/libraries/faac/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation rec {
     ++ optional mp4v2Support "--with-mp4v2"
     ++ optional drmSupport "--enable-drm";
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ ]
     ++ optional mp4v2Support mp4v2;
 
diff --git a/pkgs/development/libraries/fox/default.nix b/pkgs/development/libraries/fox/default.nix
index 2d44444ab40de..d47a028cbf865 100644
--- a/pkgs/development/libraries/fox/default.nix
+++ b/pkgs/development/libraries/fox/default.nix
@@ -18,6 +18,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "C++ based class library for building Graphical User Interfaces";
     longDescription = ''
diff --git a/pkgs/development/libraries/fox/fox-1.6.nix b/pkgs/development/libraries/fox/fox-1.6.nix
index 3c823adf91b6d..ce778e4a3473f 100644
--- a/pkgs/development/libraries/fox/fox-1.6.nix
+++ b/pkgs/development/libraries/fox/fox-1.6.nix
@@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     branch = "1.6";
     description = "A C++ based class library for building Graphical User Interfaces";
diff --git a/pkgs/development/libraries/freetds/default.nix b/pkgs/development/libraries/freetds/default.nix
index 695abcfbba2ba..3ed308a349208 100644
--- a/pkgs/development/libraries/freetds/default.nix
+++ b/pkgs/development/libraries/freetds/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
     sha256 = "0r946axzxs0czsmr7283w7vmk5jx3jnxxc32d2ncxsrsh2yli0ba";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = stdenv.lib.optional odbcSupport [ unixODBC ];
 
   configureFlags = stdenv.lib.optionalString odbcSupport "--with-odbc=${unixODBC}";
diff --git a/pkgs/development/libraries/fribidi/default.nix b/pkgs/development/libraries/fribidi/default.nix
index 669d023dde8ba..35d67b6330977 100644
--- a/pkgs/development/libraries/fribidi/default.nix
+++ b/pkgs/development/libraries/fribidi/default.nix
@@ -3,12 +3,14 @@
 stdenv.mkDerivation rec {
   name = "fribidi-${version}";
   version = "0.19.6";
-  
+
   src = fetchurl {
     url = "http://fribidi.org/download/${name}.tar.bz2";
     sha256 = "0zg1hpaml34ny74fif97j7ngrshlkl3wk3nja3gmlzl17i1bga6b";
   };
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     homepage = http://fribidi.org/;
     description = "GNU implementation of the Unicode Bidirectional Algorithm (bidi)";
diff --git a/pkgs/development/libraries/gd/default.nix b/pkgs/development/libraries/gd/default.nix
index dfeec5d8890b3..06da5d4264ded 100644
--- a/pkgs/development/libraries/gd/default.nix
+++ b/pkgs/development/libraries/gd/default.nix
@@ -19,10 +19,13 @@ stdenv.mkDerivation rec {
     sha256 = "0g3xz8jpz1pl2zzmssglrpa9nxiaa7rmcmvgpbrjz8k9cyynqsvl";
   };
 
+  hardeningDisable = [ "format" ];
+
   # -pthread gets passed to clang, causing warnings
   configureFlags = stdenv.lib.optional stdenv.isDarwin "--enable-werror=no";
 
   nativeBuildInputs = [ pkgconfig ];
+
   buildInputs = [ zlib fontconfig freetype ];
   propagatedBuildInputs = [ libpng libjpeg libwebp libtiff libXpm ];
 
diff --git a/pkgs/development/libraries/gdal/default.nix b/pkgs/development/libraries/gdal/default.nix
index f19f760c7487e..90341898a8a89 100644
--- a/pkgs/development/libraries/gdal/default.nix
+++ b/pkgs/development/libraries/gdal/default.nix
@@ -18,6 +18,8 @@ composableDerivation.composableDerivation {} (fixed: rec {
   ++ (with pythonPackages; [ python numpy wrapPython ])
   ++ (stdenv.lib.optionals netcdfSupport [ netcdf hdf5 curl ]);
 
+  hardeningDisable = [ "format" ];
+
   # Don't use optimization for gcc >= 4.3. That's said to be causing segfaults.
   # Unset CC and CXX as they confuse libtool.
   preConfigure = "export CFLAGS=-O0 CXXFLAGS=-O0; unset CC CXX";
diff --git a/pkgs/development/libraries/gdal/gdal-1_11.nix b/pkgs/development/libraries/gdal/gdal-1_11.nix
index 06f8afba33411..b62f87c2a21e5 100644
--- a/pkgs/development/libraries/gdal/gdal-1_11.nix
+++ b/pkgs/development/libraries/gdal/gdal-1_11.nix
@@ -19,6 +19,8 @@ composableDerivation.composableDerivation {} (fixed: rec {
     ./python.patch
   ];
 
+  hardeningDisable = [ "format" ];
+
   # Don't use optimization for gcc >= 4.3. That's said to be causing segfaults.
   # Unset CC and CXX as they confuse libtool.
   preConfigure = "export CFLAGS=-O0 CXXFLAGS=-O0; unset CC CXX";
diff --git a/pkgs/development/libraries/gdome2/default.nix b/pkgs/development/libraries/gdome2/default.nix
index cc8f76949eeac..e9643da221ef4 100644
--- a/pkgs/development/libraries/gdome2/default.nix
+++ b/pkgs/development/libraries/gdome2/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation {
     sha256 = "0hyms5s3hziajp3qbwdwqjc2xcyhb783damqg8wxjpwfxyi81fzl";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [pkgconfig glib libxml2 gtkdoc];
   propagatedBuildInputs = [glib libxml2];
   patches = [ ./xml-document.patch ];
diff --git a/pkgs/development/libraries/gegl/3.0.nix b/pkgs/development/libraries/gegl/3.0.nix
index 2a201ed55236a..df68eecd137be 100644
--- a/pkgs/development/libraries/gegl/3.0.nix
+++ b/pkgs/development/libraries/gegl/3.0.nix
@@ -1,5 +1,5 @@
 { stdenv, fetchurl, pkgconfig, glib, babl, libpng, cairo, libjpeg, which
-, librsvg, pango, gtk, bzip2, intltool, libtool, automake, autoconf, json_glib , libraw }:
+, librsvg, pango, gtk, bzip2, json_glib, intltool, autoreconfHook, libraw }:
 
 stdenv.mkDerivation rec {
   name = "gegl-0.3.6";
@@ -9,17 +9,19 @@ stdenv.mkDerivation rec {
     sha256 = "08m7dlf2kwmp7jw3qskwxas192swhn1g4jcd8aldg9drfjygprvh";
   };
 
-  configureScript = "./autogen.sh";
+  hardeningDisable = [ "format" ];
 
   # needs fonts otherwise  don't know how to pass them
   configureFlags = "--disable-docs";
 
-  buildInputs = [ babl libpng cairo libjpeg librsvg pango gtk bzip2 intltool
-                  autoconf automake libtool which json_glib libraw ];
+  buildInputs = [
+    babl libpng cairo libjpeg librsvg pango gtk bzip2 which json_glib intltool
+    libraw
+  ];
 
-  nativeBuildInputs = [ pkgconfig ];
+  nativeBuildInputs = [ pkgconfig autoreconfHook ];
 
-  meta = { 
+  meta = {
     description = "Graph-based image processing framework";
     homepage = http://www.gegl.org;
     license = stdenv.lib.licenses.gpl3;
diff --git a/pkgs/development/libraries/geoclue/default.nix b/pkgs/development/libraries/geoclue/default.nix
index 1b703e2fdba8d..754c85ecf030a 100644
--- a/pkgs/development/libraries/geoclue/default.nix
+++ b/pkgs/development/libraries/geoclue/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 
   propagatedBuildInputs = [dbus glib dbus_glib];
 
+  hardeningDisable = [ "format" ];
+
   preConfigure = ''
     sed -e '/-Werror/d' -i configure
   '';
diff --git a/pkgs/development/libraries/gettext/default.nix b/pkgs/development/libraries/gettext/default.nix
index bf65e69475327..7d555ba4d062b 100644
--- a/pkgs/development/libraries/gettext/default.nix
+++ b/pkgs/development/libraries/gettext/default.nix
@@ -12,6 +12,9 @@ stdenv.mkDerivation rec {
 
   outputs = [ "out" "doc" ];
 
+  # FIXME stackprotector needs gcc 4.9 in bootstrap tools
+  hardeningDisable = [ "format" "stackprotector" ];
+
   LDFLAGS = if stdenv.isSunOS then "-lm -lmd -lmp -luutil -lnvpair -lnsl -lidmap -lavl -lsec" else "";
 
   configureFlags = [ "--disable-csharp" "--with-xz" ]
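Review bot: The FIXME comment above `hardeningDisable` explains only the `stackprotector` entry, while the list also disables `format` with no stated reason; gmp/5.1.x.nix has the same pair under a comment that likewise mentions only gcc 4.9 in the bootstrap tools. Once the bootstrap compiler is updated, whoever removes the FIXME cannot tell whether `format` has to stay. I would give each entry its own reason, e.g. `# FIXME stackprotector needs gcc 4.9 in bootstrap tools; format disabled because <reason>`, or drop `format` if the build passes without it.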
diff --git a/pkgs/development/libraries/giflib/4.1.nix b/pkgs/development/libraries/giflib/4.1.nix
index 2f9d54c0b4ee7..c70bda034871c 100644
--- a/pkgs/development/libraries/giflib/4.1.nix
+++ b/pkgs/development/libraries/giflib/4.1.nix
@@ -2,10 +2,14 @@
 
 stdenv.mkDerivation {
   name = "giflib-4.1.6";
+
   src = fetchurl {
     url = mirror://sourceforge/giflib/giflib-4.1.6.tar.bz2;
     sha256 = "1v9b7ywz7qg8hli0s9vv1b8q9xxb2xvqq2mg1zpr73xwqpcwxhg1";
   };
+
+  hardeningDisable = [ "format" ];
+
   meta = {
     branch = "4.1";
     platforms = stdenv.lib.platforms.unix;
diff --git a/pkgs/development/libraries/giflib/libungif.nix b/pkgs/development/libraries/giflib/libungif.nix
index 4abd96fa3cec4..357ca751ccf11 100644
--- a/pkgs/development/libraries/giflib/libungif.nix
+++ b/pkgs/development/libraries/giflib/libungif.nix
@@ -7,6 +7,8 @@ stdenv.mkDerivation {
     sha256 = "5e65e1e5deacd0cde489900dbf54c6c2ee2ebc818199e720dbad685d87abda3d";
   };
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     platforms = stdenv.lib.platforms.unix;
   };
diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix
index 4d377bb93cbef..1c116c8d98702 100644
--- a/pkgs/development/libraries/glibc/default.nix
+++ b/pkgs/development/libraries/glibc/default.nix
@@ -33,6 +33,8 @@ in
       makeFlagsArray+=("bindir=$bin/bin" "sbindir=$bin/sbin" "rootsbindir=$bin/sbin")
     '';
 
+    hardeningDisable = [ "stackprotector" "fortify" ];
+
     # When building glibc from bootstrap-tools, we need libgcc_s at RPATH for
     # any program we run, because the gcc will have been placed at a new
     # store path than that determined when built (as a source for the
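Review bot: `hardeningDisable = [ "stackprotector" "fortify" ];` switches off two runtime mitigations for the C library with no comment, unlike the bootstrap-related hunks in this diff that carry a FIXME; gnu-efi further down disables `stackprotector` equally silently. Presumably glibc cannot be compiled with these flags injected by the compiler wrapper because it implements the fortify and stack-protector runtime support itself, but that is an inference and should be written down. A comment such as `# glibc provides the fortify/ssp runtime itself; wrapper-injected flags break its build (TODO confirm)` would let a later reader distinguish this deliberate exemption from the temporary ones.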
diff --git a/pkgs/development/libraries/gmp/5.1.x.nix b/pkgs/development/libraries/gmp/5.1.x.nix
index 1e9142444d11e..c6cbfdd89b418 100644
--- a/pkgs/development/libraries/gmp/5.1.x.nix
+++ b/pkgs/development/libraries/gmp/5.1.x.nix
@@ -14,6 +14,9 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ m4 ];
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardeningDisable = [ "format" "stackprotector" ];
+
   patches = if stdenv.isDarwin then [ ./need-size-t.patch ] else null;
 
   configureFlags =
diff --git a/pkgs/development/libraries/gnu-efi/default.nix b/pkgs/development/libraries/gnu-efi/default.nix
index 336785e1abdd2..d679d88e91d19 100644
--- a/pkgs/development/libraries/gnu-efi/default.nix
+++ b/pkgs/development/libraries/gnu-efi/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pciutils ];
 
+  hardeningDisable = [ "stackprotector" ];
+
   makeFlags = [
     "PREFIX=\${out}"
     "CC=gcc"
diff --git a/pkgs/development/libraries/gsm/default.nix b/pkgs/development/libraries/gsm/default.nix
index fb9ff8eb0fbcc..42d36b8406e21 100644
--- a/pkgs/development/libraries/gsm/default.nix
+++ b/pkgs/development/libraries/gsm/default.nix
@@ -41,8 +41,6 @@ stdenv.mkDerivation rec {
 
   preInstall = "mkdir -p $out/{bin,lib,man/man1,man/man3,include/gsm}";
 
-  NIX_CFLAGS_COMPILE = optional (!staticSupport) "-fPIC";
-
   parallelBuild = false;
 
   meta = with stdenv.lib; {
diff --git a/pkgs/development/libraries/gstreamer/legacy/gst-python/default.nix b/pkgs/development/libraries/gstreamer/legacy/gst-python/default.nix
index b0ac9e799e9a7..249eb9a30da72 100644
--- a/pkgs/development/libraries/gstreamer/legacy/gst-python/default.nix
+++ b/pkgs/development/libraries/gstreamer/legacy/gst-python/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
     sha256 = "0y1i4n5m1diljqr9dsq12anwazrhbs70jziich47gkdwllcza9lg";
   };
 
+  hardeningDisable = [ "bindnow" ];
+
   # Need to disable the testFake test case due to bug in pygobject.
   # See https://bugzilla.gnome.org/show_bug.cgi?id=692479
   patches = [ ./disable-testFake.patch ];
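Review bot: `hardeningDisable = [ "bindnow" ];` is added without saying what fails under immediate binding. Python extension modules often rely on lazily resolved symbols, which is presumably the cause here, but the reason should be recorded next to the flag, e.g. `# bindnow: module fails to load with unresolved symbols at import (TODO confirm)`. Keeping `relro` while dropping `bindnow` leaves only partial RELRO, so the PLT part of the GOT stays writable; that trade-off is worth stating in the same comment.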
diff --git a/pkgs/development/libraries/hspell/default.nix b/pkgs/development/libraries/hspell/default.nix
index 9b44d12c29347..eebd105a00db0 100644
--- a/pkgs/development/libraries/hspell/default.nix
+++ b/pkgs/development/libraries/hspell/default.nix
@@ -16,8 +16,6 @@ stdenv.mkDerivation rec {
   patchPhase = ''patchShebangs .'';
   buildInputs = [ perl zlib ];
 
-  makeFlags = "CFLAGS=-fPIC";
-
   meta = {
     description = "Hebrew spell checker";
     homepage = http://hspell.ivrix.org.il/;
diff --git a/pkgs/development/libraries/hunspell/default.nix b/pkgs/development/libraries/hunspell/default.nix
index 0d0ff38fb47f3..d48c598dd92d7 100644
--- a/pkgs/development/libraries/hunspell/default.nix
+++ b/pkgs/development/libraries/hunspell/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ ncurses readline ];
   configureFlags = [ "--with-ui" "--with-readline" ];
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     homepage = http://hunspell.sourceforge.net;
     description = "Spell checker";
diff --git a/pkgs/development/libraries/isl/0.14.1.nix b/pkgs/development/libraries/isl/0.14.1.nix
index 8196dec283ac4..77ba20cbb2003 100644
--- a/pkgs/development/libraries/isl/0.14.1.nix
+++ b/pkgs/development/libraries/isl/0.14.1.nix
@@ -12,6 +12,9 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardeningDisable = [ "stackprotector" ];
+
   meta = {
     homepage = http://www.kotnet.org/~skimo/isl/;
     license = stdenv.lib.licenses.lgpl21;
diff --git a/pkgs/development/libraries/itk/default.nix b/pkgs/development/libraries/itk/default.nix
index 7b4e3834af768..eda9434ab6572 100644
--- a/pkgs/development/libraries/itk/default.nix
+++ b/pkgs/development/libraries/itk/default.nix
@@ -12,7 +12,6 @@ stdenv.mkDerivation rec {
     "-DBUILD_TESTING=OFF"
     "-DBUILD_EXAMPLES=OFF"
     "-DBUILD_SHARED_LIBS=ON"
-    "-DCMAKE_CXX_FLAGS=-fPIC"
   ];
 
   enableParallelBuilding = true;
diff --git a/pkgs/development/libraries/java/swt/default.nix b/pkgs/development/libraries/java/swt/default.nix
index 37b8b502c3b7f..5ea6fa644cdeb 100644
--- a/pkgs/development/libraries/java/swt/default.nix
+++ b/pkgs/development/libraries/java/swt/default.nix
@@ -23,6 +23,8 @@ in stdenv.mkDerivation rec {
   fullVersion = "${version}-201202080800";
   name = "swt-${version}";
 
+  hardeningDisable = [ "format" ];
+
   # Alas, the Eclipse Project apparently doesn't produce source-only
   # releases of SWT.  So we just grab a binary release and extract
   # "src.zip" from that.
diff --git a/pkgs/development/libraries/libdnet/default.nix b/pkgs/development/libraries/libdnet/default.nix
index 8911539d7b021..dbda4107c485c 100644
--- a/pkgs/development/libraries/libdnet/default.nix
+++ b/pkgs/development/libraries/libdnet/default.nix
@@ -12,8 +12,6 @@ stdenv.mkDerivation {
 
   buildInputs = [ automake autoconf libtool ];
 
-  CFLAGS="-fPIC";
-
   # .so endings are missing (quick and dirty fix)
   postInstall = ''
     for i in $out/lib/*; do
diff --git a/pkgs/development/libraries/libdwg/default.nix b/pkgs/development/libraries/libdwg/default.nix
index f44d228f65018..2a2dfbb0be53a 100644
--- a/pkgs/development/libraries/libdwg/default.nix
+++ b/pkgs/development/libraries/libdwg/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 
   nativeBuildInputs = [ indent ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "Library reading dwg files";
     homepage = http://libdwg.sourceforge.net/en/;
diff --git a/pkgs/development/libraries/libelf/default.nix b/pkgs/development/libraries/libelf/default.nix
index 12588617d4a1f..5027afa397ac7 100644
--- a/pkgs/development/libraries/libelf/default.nix
+++ b/pkgs/development/libraries/libelf/default.nix
@@ -10,6 +10,9 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardeningDisable = [ "stackprotector" ];
+
   # For cross-compiling, native glibc is needed for the "gencat" program.
   crossAttrs = {
     nativeBuildInputs = [ gettext glibc ];
diff --git a/pkgs/development/libraries/libf2c/default.nix b/pkgs/development/libraries/libf2c/default.nix
index 97168c3ae6c4d..78901e2f013ec 100644
--- a/pkgs/development/libraries/libf2c/default.nix
+++ b/pkgs/development/libraries/libf2c/default.nix
@@ -2,7 +2,7 @@
 
 stdenv.mkDerivation rec {
   name = "libf2c-20100903";
-  
+
   src = fetchurl {
     url = http://www.netlib.org/f2c/libf2c.zip;
     sha256 = "1mcp1lh7gay7hm186dr0wvwd2bc05xydhnc1qy3dqs4n3r102g7i";
@@ -24,6 +24,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ unzip ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "F2c converts Fortran 77 source code to C";
     homepage = http://www.netlib.org/f2c/;
diff --git a/pkgs/development/libraries/libgeotiff/default.nix b/pkgs/development/libraries/libgeotiff/default.nix
index d07aae3ab8074..d30ea6e5324b3 100644
--- a/pkgs/development/libraries/libgeotiff/default.nix
+++ b/pkgs/development/libraries/libgeotiff/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ libtiff ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "Library implementing attempt to create a tiff based interchange format for georeferenced raster imagery";
     homepage = http://www.remotesensing.org/geotiff/geotiff.html;
diff --git a/pkgs/development/libraries/libgksu/default.nix b/pkgs/development/libraries/libgksu/default.nix
index 90d1b21cd3f0b..b86eba685bbb4 100644
--- a/pkgs/development/libraries/libgksu/default.nix
+++ b/pkgs/development/libraries/libgksu/default.nix
@@ -24,6 +24,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "format" ];
+
   patches = [
         # Patches from the gentoo ebuild
 
diff --git a/pkgs/development/libraries/libgphoto2/default.nix b/pkgs/development/libraries/libgphoto2/default.nix
index af8c1a8f1a21d..a6c739017ee9d 100644
--- a/pkgs/development/libraries/libgphoto2/default.nix
+++ b/pkgs/development/libraries/libgphoto2/default.nix
@@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
   # These are mentioned in the Requires line of libgphoto's pkg-config file.
   propagatedBuildInputs = [ libexif ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     homepage = http://www.gphoto.org/proj/libgphoto2/;
     description = "A library for accessing digital cameras";
diff --git a/pkgs/development/libraries/libidn/default.nix b/pkgs/development/libraries/libidn/default.nix
index d1abf155ae3a9..52b74c54d99fb 100644
--- a/pkgs/development/libraries/libidn/default.nix
+++ b/pkgs/development/libraries/libidn/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   doCheck = ! stdenv.isDarwin;
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = stdenv.lib.optional stdenv.isDarwin libiconv;
 
   meta = {
diff --git a/pkgs/development/libraries/libjson-rpc-cpp/default.nix b/pkgs/development/libraries/libjson-rpc-cpp/default.nix
index 2cfede1eb6e36..ca60f1570bc40 100644
--- a/pkgs/development/libraries/libjson-rpc-cpp/default.nix
+++ b/pkgs/development/libraries/libjson-rpc-cpp/default.nix
@@ -18,6 +18,8 @@ stdenv.mkDerivation rec {
     rev = "c6e3d7195060774bf95afc6df9c9588922076d3e";
   };
 
+  hardeningDisable = [ "format" ];
+
   patchPhase = ''
     for f in cmake/FindArgtable.cmake \
              src/stubgenerator/stubgenerator.cpp \
diff --git a/pkgs/development/libraries/libmpc/default.nix b/pkgs/development/libraries/libmpc/default.nix
index 2a4600f52045c..0d3c9c0997c13 100644
--- a/pkgs/development/libraries/libmpc/default.nix
+++ b/pkgs/development/libraries/libmpc/default.nix
@@ -16,6 +16,9 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardeningDisable = [ "stackprotector" ];
+
   meta = {
     description = "Library for multiprecision complex arithmetic with exact rounding";
 
diff --git a/pkgs/development/libraries/librsync/0.9.nix b/pkgs/development/libraries/librsync/0.9.nix
index 9738794b6b17f..0954694cf290f 100644
--- a/pkgs/development/libraries/librsync/0.9.nix
+++ b/pkgs/development/libraries/librsync/0.9.nix
@@ -1,13 +1,15 @@
-{stdenv, fetchurl}:
+{ stdenv, fetchurl }:
 
 stdenv.mkDerivation {
   name = "librsync-0.9.7";
-  
+
   src = fetchurl {
     url = mirror://sourceforge/librsync/librsync-0.9.7.tar.gz;
     sha256 = "1mj1pj99mgf1a59q9f2mxjli2fzxpnf55233pc1klxk2arhf8cv6";
   };
 
+  hardeningDisable = [ "format" ];
+
   configureFlags = if stdenv.isCygwin then "--enable-static" else "--enable-shared";
 
   crossAttrs = {
diff --git a/pkgs/development/libraries/libunwind/default.nix b/pkgs/development/libraries/libunwind/default.nix
index da09e2fcbe25d..7eea905f64af4 100644
--- a/pkgs/development/libraries/libunwind/default.nix
+++ b/pkgs/development/libraries/libunwind/default.nix
@@ -24,7 +24,6 @@ stdenv.mkDerivation rec {
 
   propagatedBuildInputs = [ xz ];
 
-  NIX_CFLAGS_COMPILE = if stdenv.system == "x86_64-linux" then "-fPIC" else "";
   preInstall = ''
     mkdir -p "$out/lib"
     touch "$out/lib/libunwind-generic.so"
diff --git a/pkgs/development/libraries/libvisual/default.nix b/pkgs/development/libraries/libvisual/default.nix
index dc2f0338b483c..50a1f5ac33776 100644
--- a/pkgs/development/libraries/libvisual/default.nix
+++ b/pkgs/development/libraries/libvisual/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig glib ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "An abstraction library for audio visualisations";
     homepage = "http://sourceforge.net/projects/libvisual/";
diff --git a/pkgs/development/libraries/libyaml-cpp/default.nix b/pkgs/development/libraries/libyaml-cpp/default.nix
index ef806bce1232a..21442cd162428 100644
--- a/pkgs/development/libraries/libyaml-cpp/default.nix
+++ b/pkgs/development/libraries/libyaml-cpp/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, cmake, boost, makePIC ? false }:
+{ stdenv, fetchFromGitHub, cmake, boost }:
 
 stdenv.mkDerivation rec {
   name = "libyaml-cpp-${version}";
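Review bot: Dropping the `makePIC ? false` argument from the function header is an interface change: any remaining caller that passes `makePIC` (through `callPackage` arguments or `.override`) will fail at evaluation with an unexpected-argument error, and plib's removal of `enablePIC` has the same effect. No callers are visible in this hunk, so please confirm they were updated in the same merge. Position-independent code for this library now depends on the default `pic` hardening flag staying enabled, which could be recorded with a comment such as `# PIC is provided by the default "pic" hardening flag`.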
@@ -13,8 +13,6 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ cmake boost ];
 
-  cmakeFlags = stdenv.lib.optionals makePIC [ "-DCMAKE_C_FLAGS=-fPIC" "-DCMAKE_CXX_FLAGS=-fPIC" ];
-
   meta = with stdenv.lib; {
     inherit (src.meta) homepage;
     description = "A YAML parser and emitter for C++";
diff --git a/pkgs/development/libraries/motif/default.nix b/pkgs/development/libraries/motif/default.nix
index 08b59deff59d2..1f86af0a2e86d 100644
--- a/pkgs/development/libraries/motif/default.nix
+++ b/pkgs/development/libraries/motif/default.nix
@@ -26,6 +26,8 @@ stdenv.mkDerivation rec {
 
   propagatedBuildInputs = [ libXp libXau ];
 
+  hardeningDisable = [ "format" ];
+
   makeFlags = [ "CFLAGS=-fno-strict-aliasing" ];
 
   prePatch = ''rm lib/Xm/Xm.h'';
diff --git a/pkgs/development/libraries/mp4v2/default.nix b/pkgs/development/libraries/mp4v2/default.nix
index 06e8c8e5ac35c..ab3c3ed8c5a7b 100644
--- a/pkgs/development/libraries/mp4v2/default.nix
+++ b/pkgs/development/libraries/mp4v2/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation rec {
   # `faac' expects `mp4.h'.
   postInstall = "ln -s mp4v2/mp4v2.h $out/include/mp4.h";
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     homepage = http://code.google.com/p/mp4v2;
     maintainers = [ stdenv.lib.maintainers.urkud ];
diff --git a/pkgs/development/libraries/mpfr/default.nix b/pkgs/development/libraries/mpfr/default.nix
index 8a964af01c80a..882e0ec4faaf7 100644
--- a/pkgs/development/libraries/mpfr/default.nix
+++ b/pkgs/development/libraries/mpfr/default.nix
@@ -15,6 +15,9 @@ stdenv.mkDerivation rec {
   # mpfr.h requires gmp.h
   propagatedBuildInputs = [ gmp ];
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardeningDisable = [ "stackprotector" ];
+
   configureFlags =
     stdenv.lib.optional stdenv.isSunOS "--disable-thread-safe" ++
     stdenv.lib.optional stdenv.is64bit "--with-pic";
diff --git a/pkgs/development/libraries/nvidia-texture-tools/default.nix b/pkgs/development/libraries/nvidia-texture-tools/default.nix
index 754ab4233e586..f35d363e57557 100644
--- a/pkgs/development/libraries/nvidia-texture-tools/default.nix
+++ b/pkgs/development/libraries/nvidia-texture-tools/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ cmake libpng ilmbase libtiff zlib libjpeg mesa libX11 ];
 
+  hardeningDisable = [ "format" ];
+
   patchPhase = ''
     # Fix build due to missing dependnecies.
     echo 'target_link_libraries(bc7 nvmath)' >> src/nvtt/bc7/CMakeLists.txt
diff --git a/pkgs/development/libraries/opencascade/6.5.nix b/pkgs/development/libraries/opencascade/6.5.nix
index 904137c4d8ccd..252a6bb0ad16f 100644
--- a/pkgs/development/libraries/opencascade/6.5.nix
+++ b/pkgs/development/libraries/opencascade/6.5.nix
@@ -26,6 +26,8 @@ stdenv.mkDerivation rec {
   # https://bugs.freedesktop.org/show_bug.cgi?id=83631
     + " -DGLX_GLXEXT_LEGACY";
 
+  hardeningDisable = [ "format" ];
+
   configureFlags = [ "--with-tcl=${tcl}/lib" "--with-tk=${tk}/lib" "--with-qt=${qt4}" "--with-ftgl=${ftgl}" "--with-freetype=${freetype.dev}" ];
 
   postInstall = ''
diff --git a/pkgs/development/libraries/opencascade/default.nix b/pkgs/development/libraries/opencascade/default.nix
index 536281d537252..8a7f9970e657a 100644
--- a/pkgs/development/libraries/opencascade/default.nix
+++ b/pkgs/development/libraries/opencascade/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation rec {
   # https://bugs.freedesktop.org/show_bug.cgi?id=83631
   NIX_CFLAGS_COMPILE = "-DGLX_GLXEXT_LEGACY";
 
+  hardeningDisable = [ "format" ];
+
   postInstall = ''
     mv $out/inc $out/include
     mkdir -p $out/share/doc/${name}
diff --git a/pkgs/development/libraries/opencv/3.x.nix b/pkgs/development/libraries/opencv/3.x.nix
index 187b6df39b2cb..9ca59c9c73af1 100644
--- a/pkgs/development/libraries/opencv/3.x.nix
+++ b/pkgs/development/libraries/opencv/3.x.nix
@@ -94,6 +94,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "bindnow" "relro" ];
+
   passthru = lib.optionalAttrs enablePython { pythonPath = []; };
 
   meta = {
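Review bot: `hardeningDisable = [ "bindnow" "relro" ];` drops `relro` as well as `bindnow`, and nothing in the hunk says why both are needed; opencv/default.nix gets the identical line. If the failure comes from eager symbol resolution, disabling `bindnow` alone should be enough and `relro` could stay enabled, as gst-python does in this same diff. I would either reduce the list to `[ "bindnow" ]` after testing, or add a comment naming the failure that requires `relro` to be off.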
diff --git a/pkgs/development/libraries/opencv/default.nix b/pkgs/development/libraries/opencv/default.nix
index 70ea306ae808d..f792e17890cb7 100644
--- a/pkgs/development/libraries/opencv/default.nix
+++ b/pkgs/development/libraries/opencv/default.nix
@@ -58,6 +58,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "bindnow" "relro" ];
+
   passthru = lib.optionalAttrs enablePython { pythonPath = []; };
 
   meta = {
diff --git a/pkgs/development/libraries/pdf2xml/default.nix b/pkgs/development/libraries/pdf2xml/default.nix
index 52c785becc528..c4cb57f3fa229 100644
--- a/pkgs/development/libraries/pdf2xml/default.nix
+++ b/pkgs/development/libraries/pdf2xml/default.nix
@@ -2,20 +2,22 @@
 
 stdenv.mkDerivation {
   name = "pdf2xml";
-  
+
   src = fetchurl {
       url = http://tarballs.nixos.org/pdf2xml.tar.gz;
       sha256 = "04rl7ppxqgnvxvvws669cxp478lnrdmiqj0g3m4p69bawfjc4z3w";
   };
   sourceRoot = "pdf2xml/pdf2xml";
-  
+
   buildInputs = [libxml2 libxpdf];
 
   patches = [./pdf2xml.patch];
 
+  hardeningDisable = [ "format" ];
+
   preBuild = ''
     cp Makefile.linux Makefile
-  
+
     sed -i 's|/usr/include/libxml2|${libxml2.dev}/include/libxml2|' Makefile
     sed -i 's|-lxml2|-lxml2 -L${libxml2.out}/lib|' Makefile
     sed -i 's|XPDF = xpdf_3.01|XPDF = ${libxpdf}/lib|' Makefile
@@ -24,7 +26,7 @@ stdenv.mkDerivation {
 
     buildFlags+=" CXX=$CXX"
   '';
-  
+
   installPhase = ''
     mkdir -p $out/bin
     cp exe/* $out/bin
diff --git a/pkgs/development/libraries/plib/default.nix b/pkgs/development/libraries/plib/default.nix
index 51e59fda5ac1b..4030be2996cc1 100644
--- a/pkgs/development/libraries/plib/default.nix
+++ b/pkgs/development/libraries/plib/default.nix
@@ -1,6 +1,5 @@
 { fetchurl, fetchpatch, stdenv, mesa, freeglut, SDL
-, libXi, libSM, libXmu, libXext, libX11,
-enablePIC ? false }:
+, libXi, libSM, libXmu, libXext, libX11 }:
 
 stdenv.mkDerivation rec {
   name = "plib-1.8.5";
@@ -22,8 +21,6 @@ stdenv.mkDerivation rec {
     })
   ];
 
-  NIX_CFLAGS_COMPILE = if enablePIC then "-fPIC" else "";
-
   propagatedBuildInputs = [
     mesa freeglut SDL
 
diff --git a/pkgs/development/libraries/portmidi/default.nix b/pkgs/development/libraries/portmidi/default.nix
index 6ca35ab3c570a..5318df4451707 100644
--- a/pkgs/development/libraries/portmidi/default.nix
+++ b/pkgs/development/libraries/portmidi/default.nix
@@ -46,6 +46,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ unzip cmake /*jdk*/ alsaLib ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     homepage = "http://portmedia.sourceforge.net/portmidi/";
     description = "Platform independent library for MIDI I/O";
diff --git a/pkgs/development/libraries/pupnp/default.nix b/pkgs/development/libraries/pupnp/default.nix
index 9d47b55755156..2138e1689b398 100644
--- a/pkgs/development/libraries/pupnp/default.nix
+++ b/pkgs/development/libraries/pupnp/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "0amjv4lypvclmi4vim2qdyw5xa6v4x50zjgf682vahqjc0wjn55k";
   };
 
+  hardeningDisable = [ "fortify" ];
+
   meta = {
     description = "libupnp, an open source UPnP development kit for Linux";
 
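Review bot: `hardeningDisable = [ "fortify" ];` removes the checked libc string and memory functions from a UPnP library, that is, from code that parses data received from the network, and gives no reason. A fortify failure usually means either a build problem (for example a clash with the package's own flags or optimisation level) or a real overflow that the check caught at run time; which of the two applies here is not visible in the hunk. I would add a comment naming the failure, e.g. `# fortify: <build error or abort seen>, see <upstream report>`, and prefer patching the cause over a permanent opt-out.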
diff --git a/pkgs/development/libraries/qhull/default.nix b/pkgs/development/libraries/qhull/default.nix
index 58d11c04fccaa..829765d85499f 100644
--- a/pkgs/development/libraries/qhull/default.nix
+++ b/pkgs/development/libraries/qhull/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   cmakeFlags = "-DMAN_INSTALL_DIR=share/man/man1 -DDOC_INSTALL_DIR=share/doc/qhull";
 
+  hardeningDisable = [ "format" ];
+
   patchPhase = stdenv.lib.optionalString stdenv.isDarwin ''
     sed -i 's/namespace std { struct bidirectional_iterator_tag; struct random_access_iterator_tag; }/#include <iterator>/' ./src/libqhullcpp/QhullIterator.h
     sed -i 's/namespace std { struct bidirectional_iterator_tag; struct random_access_iterator_tag; }/#include <iterator>/' ./src/libqhullcpp/QhullLinkedList.h
diff --git a/pkgs/development/libraries/qt-3/default.nix b/pkgs/development/libraries/qt-3/default.nix
index 949f3f5b77863..6d92de001cb7d 100644
--- a/pkgs/development/libraries/qt-3/default.nix
+++ b/pkgs/development/libraries/qt-3/default.nix
@@ -32,6 +32,8 @@ stdenv.mkDerivation {
   nativeBuildInputs = [ which ];
   propagatedBuildInputs = [libpng xlibsWrapper libXft libXrender zlib libjpeg];
 
+  hardeningDisable = [ "format" ];
+
   configureFlags = "
     -v
     -system-zlib -system-libpng -system-libjpeg
diff --git a/pkgs/development/libraries/qtscriptgenerator/default.nix b/pkgs/development/libraries/qtscriptgenerator/default.nix
index 5b93fbfaade99..3221fec4b4bc6 100644
--- a/pkgs/development/libraries/qtscriptgenerator/default.nix
+++ b/pkgs/development/libraries/qtscriptgenerator/default.nix
@@ -9,13 +9,13 @@ stdenv.mkDerivation {
   buildInputs = [ qt4 ];
 
   patches = [ ./qtscriptgenerator.gcc-4.4.patch ./qt-4.8.patch ];
-  
+
   # Why isn't the author providing proper Makefile or a CMakeLists.txt ?
   buildPhase = ''
     # remove phonon stuff which causes errors (thanks to Gentoo bug reports)
     sed -i "/typesystem_phonon.xml/d" generator/generator.qrc
-    sed -i "/qtscript_phonon/d" qtbindings/qtbindings.pro	    
-  
+    sed -i "/qtscript_phonon/d" qtbindings/qtbindings.pro
+
     cd generator
     qmake
     make
@@ -25,13 +25,15 @@ stdenv.mkDerivation {
     qmake
     make
   '';
-  
+
   installPhase = ''
     cd ..
     mkdir -p $out/lib/qt4/plugins/script
     cp -av plugins/script/* $out/lib/qt4/plugins/script
   '';
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "QtScript bindings generator";
     homepage = http://code.google.com/p/qtscriptgenerator/;
diff --git a/pkgs/development/libraries/science/math/atlas/default.nix b/pkgs/development/libraries/science/math/atlas/default.nix
index 23f12e7cf7628..6ff7e387ec1f0 100644
--- a/pkgs/development/libraries/science/math/atlas/default.nix
+++ b/pkgs/development/libraries/science/math/atlas/default.nix
@@ -66,6 +66,8 @@ stdenv.mkDerivation {
   patches = optional tolerateCpuTimingInaccuracy ./disable-timing-accuracy-check.patch
     ++ optional stdenv.isDarwin ./tmpdir.patch;
 
+  hardeningDisable = [ "format" ];
+
   # Configure outside of the source directory.
   preConfigure = ''
     mkdir build
@@ -73,14 +75,9 @@ stdenv.mkDerivation {
     configureScript=../configure
   '';
 
-  # * -fPIC is passed even in non-shared builds so that the ATLAS code can be
-  #   used to inside of shared libraries, like Octave does.
-  #
   # * -t 0 disables use of multi-threading. It's not quite clear what the
   #   consequences of that setting are and whether it's necessary or not.
   configureFlags = [
-    "-Fa alg"
-    "-fPIC"
     "-t ${threads}"
     cpuConfig
   ] ++ optional shared "--shared"
diff --git a/pkgs/development/libraries/science/math/suitesparse/default.nix b/pkgs/development/libraries/science/math/suitesparse/default.nix
index f81df2a6c0222..99f54cebddd17 100644
--- a/pkgs/development/libraries/science/math/suitesparse/default.nix
+++ b/pkgs/development/libraries/science/math/suitesparse/default.nix
@@ -38,7 +38,7 @@ stdenv.mkDerivation {
     "LAPACK="
   ];
 
-  NIX_CFLAGS = "-fPIC" + stdenv.lib.optionalString stdenv.isDarwin " -DNTIMER";
+  NIX_CFLAGS = stdenv.lib.optionalString stdenv.isDarwin " -DNTIMER";
 
   postInstall = ''
     # Build and install shared library
diff --git a/pkgs/development/libraries/smpeg/default.nix b/pkgs/development/libraries/smpeg/default.nix
index 388b34d31e19d..77a74c4e84464 100644
--- a/pkgs/development/libraries/smpeg/default.nix
+++ b/pkgs/development/libraries/smpeg/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ SDL gtk mesa ];
 
   nativeBuildInputs = [ autoconf automake libtool m4 pkgconfig makeWrapper ];
diff --git a/pkgs/development/libraries/speechd/default.nix b/pkgs/development/libraries/speechd/default.nix
index 613fee3c6d638..1a943be0fc208 100644
--- a/pkgs/development/libraries/speechd/default.nix
+++ b/pkgs/development/libraries/speechd/default.nix
@@ -18,6 +18,8 @@ stdenv.mkDerivation rec {
              ++ lib.optional withPico svox;
   nativeBuildInputs = [ pkgconfig python3Packages.wrapPython ];
 
+  hardeningDisable = [ "format" ];
+
   pythonPath = with python3Packages; [ pyxdg ];
 
   postPatch = lib.optionalString withPico ''
diff --git a/pkgs/development/libraries/tidyp/default.nix b/pkgs/development/libraries/tidyp/default.nix
index fee74f3d6f9e4..ba95da77b72ce 100644
--- a/pkgs/development/libraries/tidyp/default.nix
+++ b/pkgs/development/libraries/tidyp/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "0f5ky0ih4vap9c6j312jn73vn8m2bj69pl2yd3a5nmv35k9zmc10";
   };
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "A program that can validate your HTML, as well as modify it to be more clean and standard";
     homepage = http://tidyp.com/;
diff --git a/pkgs/development/libraries/vxl/default.nix b/pkgs/development/libraries/vxl/default.nix
index 725a0bdfceaff..b9f3c0e64d6ca 100644
--- a/pkgs/development/libraries/vxl/default.nix
+++ b/pkgs/development/libraries/vxl/default.nix
@@ -1,10 +1,12 @@
-{ stdenv, fetchurl, unzip, cmake, libtiff, expat, zlib, libpng, libjpeg }:
+{ stdenv, fetchFromGitHub, unzip, cmake, libtiff, expat, zlib, libpng, libjpeg }:
 stdenv.mkDerivation {
-  name = "vxl-1.17.0";
+  name = "vxl-1.17.0-nix1";
 
-  src = fetchurl {
-    url = mirror://sourceforge/vxl/vxl-1.17.0.zip;
-    sha256 = "1qg7i8h201pa8jljg7vph4rlxk6n5cj9f9gd1hkkmbw6fh44lsxh";
+  src = fetchFromGitHub {
+    owner = "vxl";
+    repo = "vxl";
+    rev = "777c0beb7c8b30117400f6fc9a6d63bf8cb7c67a";
+    sha256 = "0xpkwwb93ka6c3da8zjhfg9jk5ssmh9ifdh1by54sz6c7mbp55m8";
   };
 
   buildInputs = [ cmake unzip libtiff expat zlib libpng libjpeg ];
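Review bot: The source changes from the 1.17.0 release archive to a GitHub commit, but the name `vxl-1.17.0-nix1` does not say which upstream state `rev` corresponds to, and no comment explains why a snapshot is needed (presumably it contains the GCC 5 support that the deleted gcc5.patch supplied). A short comment such as `# post-1.17.0 snapshot; includes upstream GCC 5 support, replaces ./gcc5.patch` would make the pin reviewable. `unzip` is still listed in the arguments and in `buildInputs` although the source is no longer a zip file, so it is probably unused now.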
@@ -20,8 +22,6 @@ stdenv.mkDerivation {
 
   enableParallelBuilding = true;
 
-  patches = [ ./gcc5.patch ];
-
   meta = {
     description = "C++ Libraries for Computer Vision Research and Implementation";
     homepage = http://vxl.sourceforge.net/;
diff --git a/pkgs/development/libraries/vxl/gcc5.patch b/pkgs/development/libraries/vxl/gcc5.patch
deleted file mode 100644
index 4660f9e8f4834..0000000000000
--- a/pkgs/development/libraries/vxl/gcc5.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-https://lists.fedoraproject.org/pipermail/scm-commits/Week-of-Mon-20150216/1511118.html
-
---- vxl-git4e07960/vcl/vcl_compiler.h~	2012-11-02 12:08:21.000000000 +0100
-+++ vxl-git4e07960/vcl/vcl_compiler.h	2015-02-15 13:50:46.376329878 +0100
-@@ -119,6 +119,10 @@
- #  else

- #   define VCL_GCC_40

- #  endif

-+# elif (__GNUC__== 5)

-+// pretend GCC 5 to be GCC 4

-+#  define VCL_GCC_4

-+#  define VCL_GCC_41

- # else

- #  error "Dunno about this gcc"

- # endif

diff --git a/pkgs/development/libraries/xmlrpc-c/default.nix b/pkgs/development/libraries/xmlrpc-c/default.nix
index 56bcba8297de0..0b5f08bdf9b34 100644
--- a/pkgs/development/libraries/xmlrpc-c/default.nix
+++ b/pkgs/development/libraries/xmlrpc-c/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation rec {
     (cd tools/xmlrpc && make && make install)
   '';
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "A lightweight RPC library based on XML and HTTP";
     homepage = http://xmlrpc-c.sourceforge.net/;
diff --git a/pkgs/development/libraries/zlib/default.nix b/pkgs/development/libraries/zlib/default.nix
index 2176fa6f31ced..77f576239a976 100644
--- a/pkgs/development/libraries/zlib/default.nix
+++ b/pkgs/development/libraries/zlib/default.nix
@@ -31,6 +31,9 @@ stdenv.mkDerivation rec {
     fi
   '';
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardeningDisable = [ "stackprotector" ];
+
   configureFlags = stdenv.lib.optional (!static) "--shared";
 
   postInstall = ''
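Review bot: This drops the stack protector from every build of zlib, a library that decompresses untrusted data for a large part of the package set, and the FIXME does not say what has to happen before the line can go. If the limitation is only that the bootstrap-tools compiler predates `-fstack-protector-strong`, I would spell that out and point at a tracking issue, e.g. `# FIXME: bootstrap-tools gcc lacks -fstack-protector-strong (needs >= 4.9); re-enable once bootstrap tools are rebuilt (issue #<tracking issue>)`. The same FIXME is repeated for binutils, gnum4, patchelf, texinfo 6.1 and bison 3.x below, so one shared reference would cover them all. Whether a later stdenv stage rebuilds zlib with a newer compiler is not visible here; if it does, the opt-out could be limited to the bootstrap stage.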
@@ -47,8 +50,7 @@ stdenv.mkDerivation rec {
 
   # As zlib takes part in the stdenv building, we don't want references
   # to the bootstrap-tools libgcc (as uses to happen on arm/mips)
-  NIX_CFLAGS_COMPILE = stdenv.lib.optionalString (!stdenv.isDarwin) "-static-libgcc "
-                     + stdenv.lib.optionalString (stdenv.isFreeBSD) "-fPIC";
+  NIX_CFLAGS_COMPILE = stdenv.lib.optionalString (!stdenv.isDarwin) "-static-libgcc";
 
   crossAttrs = {
     dontStrip = static;
diff --git a/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix b/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix
index 87a0d0dda9b7b..237c4e4027f19 100644
--- a/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix
+++ b/pkgs/development/misc/avr-gcc-with-avr-libc/default.nix
@@ -26,6 +26,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ gmp mpfr libmpc zlib ];
 
+  hardeningDisable = [ "format" ];
+
   # Make sure we don't strip the libraries in lib/gcc/avr.
   stripDebugList= [ "bin" "avr/bin" "libexec" ];
 
diff --git a/pkgs/development/pharo/vm/build-vm.nix b/pkgs/development/pharo/vm/build-vm.nix
index 3dfe913145cec..8265e1dc776ff 100644
--- a/pkgs/development/pharo/vm/build-vm.nix
+++ b/pkgs/development/pharo/vm/build-vm.nix
@@ -21,6 +21,8 @@ stdenv.mkDerivation rec {
     mimeType = "application/x-pharo-image";
   };
 
+  hardeningDisable = [ "format" ];
+
   # Building
   preConfigure = ''
     cd build/
diff --git a/pkgs/development/python-modules/wxPython/3.0.nix b/pkgs/development/python-modules/wxPython/3.0.nix
index 7c225a95f2a6a..5f224428fce42 100644
--- a/pkgs/development/python-modules/wxPython/3.0.nix
+++ b/pkgs/development/python-modules/wxPython/3.0.nix
@@ -23,6 +23,8 @@ buildPythonPackage rec {
     sha256 = "0qfzx3sqx4mwxv99sfybhsij4b5pc03ricl73h4vhkzazgjjjhfm";
   };
 
+  hardeningDisable = [ "format" ];
+
   propagatedBuildInputs = [ pkgconfig wxGTK (wxGTK.gtk) libX11 ]  ++ lib.optional openglSupport pyopengl;
   preConfigure = "cd wxPython";
 
diff --git a/pkgs/development/tools/analysis/cccc/default.nix b/pkgs/development/tools/analysis/cccc/default.nix
index c672c7964e75d..b63bc66fabd25 100644
--- a/pkgs/development/tools/analysis/cccc/default.nix
+++ b/pkgs/development/tools/analysis/cccc/default.nix
@@ -11,7 +11,11 @@ stdenv.mkDerivation {
     url = "mirror://sourceforge/${name}/${version}/${name}-${version}.tar.gz";
     sha256 = "1gsdzzisrk95kajs3gfxks3bjvfd9g680fin6a9pjrism2lyrcr7";
   };
+
+  hardeningDisable = [ "format" ];
+
   patches = [ ./cccc.patch ];
+
   preConfigure = ''
     substituteInPlace install/install.mak --replace /usr/local/bin $out/bin
     substituteInPlace install/install.mak --replace MKDIR=mkdir "MKDIR=mkdir -p"
diff --git a/pkgs/development/tools/analysis/flow/default.nix b/pkgs/development/tools/analysis/flow/default.nix
index f9aae3760d6c4..618d87f8b0a27 100644
--- a/pkgs/development/tools/analysis/flow/default.nix
+++ b/pkgs/development/tools/analysis/flow/default.nix
@@ -5,6 +5,7 @@ with lib;
 stdenv.mkDerivation rec {
   version = "0.30.0";
   name = "flow-${version}";
+
   src = fetchFromGitHub {
     owner = "facebook";
     repo = "flow";
diff --git a/pkgs/development/tools/analysis/garcosim/tracefilesim/default.nix b/pkgs/development/tools/analysis/garcosim/tracefilesim/default.nix
index 740d51cc13484..7a6f3481d53fd 100644
--- a/pkgs/development/tools/analysis/garcosim/tracefilesim/default.nix
+++ b/pkgs/development/tools/analysis/garcosim/tracefilesim/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
     sha256 = "156m92k38ap4bzidbr8dzl065rni8lrib71ih88myk9z5y1x5nxm";
   };
 
+  hardeningDisable = [ "fortify" ];
+
   installPhase = ''
     mkdir --parents "$out/bin"
     cp ./traceFileSim "$out/bin"
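Review bot: `hardeningDisable = [ "fortify" ];` has no comment explaining what breaks under `_FORTIFY_SOURCE`, and a fortify failure can point at a real out-of-bounds copy rather than a build quirk. The same uncommented opt-out is added for rr and mxt-app in this diff. I would record the failure mode next to the flag, e.g. `# FIXME: <what fails and where> when built with _FORTIFY_SOURCE`, so it can be revisited once upstream is fixed.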
diff --git a/pkgs/development/tools/analysis/radare/default.nix b/pkgs/development/tools/analysis/radare/default.nix
index 3c83f0e9d4951..d42227198ce3d 100644
--- a/pkgs/development/tools/analysis/radare/default.nix
+++ b/pkgs/development/tools/analysis/radare/default.nix
@@ -8,8 +8,8 @@ assert useX11 -> (gtk != null && vte != null && gtkdialog != null);
 assert rubyBindings -> ruby != null;
 assert pythonBindings -> python != null;
 
-let 
-  optional = stdenv.lib.optional;
+let
+  inherit (stdenv.lib) optional;
 in
 stdenv.mkDerivation rec {
   name = "radare-1.5.2";
@@ -19,6 +19,7 @@ stdenv.mkDerivation rec {
     sha256 = "1qdrmcnzfvfvqb27c7pknwm8jl2hqa6c4l66wzyddwlb8yjm46hd";
   };
 
+  hardeningDisable = [ "format" ];
 
   buildInputs = [pkgconfig readline libusb perl]
     ++ optional useX11 [gtkdialog vte gtk]
diff --git a/pkgs/development/tools/analysis/rr/default.nix b/pkgs/development/tools/analysis/rr/default.nix
index c1184445e28e4..8cd38a152ecf2 100644
--- a/pkgs/development/tools/analysis/rr/default.nix
+++ b/pkgs/development/tools/analysis/rr/default.nix
@@ -24,6 +24,11 @@ stdenv.mkDerivation rec {
     "-Ddisable32bit=ON"
   ];
 
+  # we turn on additional warnings due to hardening
+  NIX_CFLAGS_COMPILE = "-Wno-error";
+
+  hardeningDisable = [ "fortify" ];
+
   enableParallelBuilding = true;
 
   # FIXME
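Review bot: `NIX_CFLAGS_COMPILE = "-Wno-error";` turns off warnings-as-errors for the whole build, which is wider than the comment's "additional warnings due to hardening" requires. If a single diagnostic is responsible, `-Wno-error=<warning-name>` would keep the rest of upstream's error checking in force. The comment would also read more clearly as `# hardening flags enable extra warnings that the upstream -Werror build turns into errors`, assuming rr builds with `-Werror`, which this hunk does not show.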
diff --git a/pkgs/development/tools/analysis/valgrind/default.nix b/pkgs/development/tools/analysis/valgrind/default.nix
index b4b56be9c6d98..0e0e44183f6bd 100644
--- a/pkgs/development/tools/analysis/valgrind/default.nix
+++ b/pkgs/development/tools/analysis/valgrind/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation rec {
 
   outputs = [ "out" "doc" ];
 
+  hardeningDisable = [ "stackprotector" ];
+
   # Perl is needed for `cg_annotate'.
   # GDB is needed to provide a sane default for `--db-command'.
   nativeBuildInputs = [ perl ];
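Review bot: The stack protector is disabled here without any comment, and unlike the bootstrap packages in this diff there is no FIXME pointing at a cause. If the reason is that valgrind's tool code is built without libc and cannot link the `__stack_chk_fail` support (my inference, not something the hunk shows), a line such as `# valgrind's freestanding code cannot link against the stack-protector runtime` above the flag would keep someone from removing it blindly, or from assuming it is temporary.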
diff --git a/pkgs/development/tools/boost-build/default.nix b/pkgs/development/tools/boost-build/default.nix
index 723219336bb90..240d24961e001 100644
--- a/pkgs/development/tools/boost-build/default.nix
+++ b/pkgs/development/tools/boost-build/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "10sbbkx2752r4i1yshyp47nw29lyi1p34sy6hj7ivvnddiliayca";
   };
 
+  hardeningDisable = [ "format" ];
+
   patchPhase = ''
     grep -r '/usr/share/boost-build' \
       | awk '{split($0,a,":"); print a[1];}' \
diff --git a/pkgs/development/tools/build-managers/gnumake/3.80/default.nix b/pkgs/development/tools/build-managers/gnumake/3.80/default.nix
index 9422a74aedda8..08dd0acb42bea 100644
--- a/pkgs/development/tools/build-managers/gnumake/3.80/default.nix
+++ b/pkgs/development/tools/build-managers/gnumake/3.80/default.nix
@@ -2,12 +2,16 @@
 
 stdenv.mkDerivation {
   name = "gnumake-3.80";
+
   src = fetchurl {
     url = http://tarballs.nixos.org/make-3.80.tar.bz2;
     md5 = "0bbd1df101bc0294d440471e50feca71";
   };
+
   patches = [./log.patch];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     platforms = stdenv.lib.platforms.unix;
   };
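Review bot: While this file is being touched, the `fetchurl` in this hunk still pins the tarball with `md5`, which is too weak to serve as the integrity check for a source fetched over plain `http://`. Switching to `sha256 = "<sha256 of make-3.80.tar.bz2>";` would bring it in line with the other packages in this diff. The `md5` line is unchanged context, not something this commit introduced. The new `hardeningDisable = [ "format" ];` would also benefit from a one-line reason.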
diff --git a/pkgs/development/tools/misc/binutils/default.nix b/pkgs/development/tools/misc/binutils/default.nix
index bbdb01bdc65fc..93b0b35c81514 100644
--- a/pkgs/development/tools/misc/binutils/default.nix
+++ b/pkgs/development/tools/misc/binutils/default.nix
@@ -41,6 +41,9 @@ stdenv.mkDerivation rec {
 
   inherit noSysDirs;
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardeningDisable = [ "stackprotector" ];
+
   preConfigure = ''
     # Clear the default library search path.
     if test "$noSysDirs" = "1"; then
diff --git a/pkgs/development/tools/misc/elfutils/default.nix b/pkgs/development/tools/misc/elfutils/default.nix
index 0a62859d20755..d4a2f80599f78 100644
--- a/pkgs/development/tools/misc/elfutils/default.nix
+++ b/pkgs/development/tools/misc/elfutils/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   patches = [ ./glibc-2.21.patch ];
 
+  hardeningDisable = [ "format" ];
+
   # We need bzip2 in NativeInputs because otherwise we can't unpack the src,
   # as the host-bzip2 will be in the path.
   nativeBuildInputs = [ m4 bison flex gettext bzip2 ];
diff --git a/pkgs/development/tools/misc/gnum4/default.nix b/pkgs/development/tools/misc/gnum4/default.nix
index 0670428005e4b..0696dc9064493 100644
--- a/pkgs/development/tools/misc/gnum4/default.nix
+++ b/pkgs/development/tools/misc/gnum4/default.nix
@@ -15,6 +15,9 @@ stdenv.mkDerivation rec {
   # Upstream is aware of it; it may be in the next release.
   patches = [ ./s_isdir.patch ];
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardeningDisable = [ "stackprotector" ];
+
   meta = {
     homepage = http://www.gnu.org/software/m4/;
     description = "GNU M4, a macro processor";
diff --git a/pkgs/development/tools/misc/kconfig-frontends/default.nix b/pkgs/development/tools/misc/kconfig-frontends/default.nix
index 13e02fb9272bd..8449cf9b6f385 100644
--- a/pkgs/development/tools/misc/kconfig-frontends/default.nix
+++ b/pkgs/development/tools/misc/kconfig-frontends/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ bison flex gperf ncurses pkgconfig ];
 
+  hardeningDisable = [ "format" ];
+
   configureFlags = [
     "--enable-frontends=conf,mconf,nconf"
   ];
diff --git a/pkgs/development/tools/misc/patchelf/default.nix b/pkgs/development/tools/misc/patchelf/default.nix
index 77a1f26616822..807b2a9a49dbd 100644
--- a/pkgs/development/tools/misc/patchelf/default.nix
+++ b/pkgs/development/tools/misc/patchelf/default.nix
@@ -10,6 +10,9 @@ stdenv.mkDerivation rec {
 
   setupHook = [ ./setup-hook.sh ];
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardeningDisable = [ "stackprotector" ];
+
   #doCheck = true; # problems when loading libc.so.6
 
   meta = {
diff --git a/pkgs/development/tools/misc/rman/default.nix b/pkgs/development/tools/misc/rman/default.nix
index 01e4b22e5f141..702dabcf39550 100644
--- a/pkgs/development/tools/misc/rman/default.nix
+++ b/pkgs/development/tools/misc/rman/default.nix
@@ -2,16 +2,21 @@
 
 stdenv.mkDerivation {
   name = "rman-3.2";
+
   src = fetchurl {
     url = mirror://sourceforge/polyglotman/3.2/rman-3.2.tar.gz;
     sha256 = "0prdld6nbkdlkcgc2r1zp13h2fh8r0mlwxx423dnc695ddlk18b8";
   };
+
   makeFlags = "BINDIR=$(out)/bin MANDIR=$(out)/share/man";
+
   preInstall = ''
     mkdir -p $out/bin
     mkdir -p $out/share/man
   '';
-  
+
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "Parse formatted man pages and man page source from most flavors of UNIX and converts them to HTML, ASCII, TkMan, DocBook, and other formats";
     license = "artistic";
diff --git a/pkgs/development/tools/misc/texinfo/6.1.nix b/pkgs/development/tools/misc/texinfo/6.1.nix
index f19ccb35508fd..e3001ffba7bd9 100644
--- a/pkgs/development/tools/misc/texinfo/6.1.nix
+++ b/pkgs/development/tools/misc/texinfo/6.1.nix
@@ -17,6 +17,9 @@ stdenv.mkDerivation rec {
 
   configureFlags = stdenv.lib.optional stdenv.isSunOS "AWK=${gawk}/bin/awk";
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardeningDisable = [ "stackprotector" ];
+
   preInstall = ''
     installFlags="TEXMF=$out/texmf-dist";
     installTargets="install install-tex";
diff --git a/pkgs/development/tools/omniorb/default.nix b/pkgs/development/tools/omniorb/default.nix
index 09955ca5d70d6..8488d47dea5f4 100644
--- a/pkgs/development/tools/omniorb/default.nix
+++ b/pkgs/development/tools/omniorb/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ python ];
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "omniORB is a robust high performance CORBA ORB for C++ and Python. It is freely available under the terms of the GNU Lesser General Public License (for the libraries), and GNU General Public License (for the tools). omniORB is largely CORBA 2.6 compliant";
     homepage    = "http://omniorb.sourceforge.net/";
diff --git a/pkgs/development/tools/parsing/bison/3.x.nix b/pkgs/development/tools/parsing/bison/3.x.nix
index 6aa717c53cdef..ebbee4e693dc9 100644
--- a/pkgs/development/tools/parsing/bison/3.x.nix
+++ b/pkgs/development/tools/parsing/bison/3.x.nix
@@ -11,6 +11,9 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ m4 perl ] ++ stdenv.lib.optional stdenv.isSunOS help2man;
   propagatedBuildInputs = [ m4 ];
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardeningDisable = [ "stackprotector" ];
+
   meta = {
     homepage = "http://www.gnu.org/software/bison/";
     description = "Yacc-compatible parser generator";
diff --git a/pkgs/development/tools/toluapp/default.nix b/pkgs/development/tools/toluapp/default.nix
index c11e1b34f1ade..64a2f4346c794 100644
--- a/pkgs/development/tools/toluapp/default.nix
+++ b/pkgs/development/tools/toluapp/default.nix
@@ -20,8 +20,6 @@ stdenv.mkDerivation rec {
       --replace /usr/local $out
   '';
 
-  NIX_CFLAGS_COMPILE = "-fPIC";
-
   buildPhase = ''scons'';
 
   installPhase = ''scons install'';
diff --git a/pkgs/development/web/wml/default.nix b/pkgs/development/web/wml/default.nix
index 3d47d32f1c836..58336c80e04f9 100644
--- a/pkgs/development/web/wml/default.nix
+++ b/pkgs/development/web/wml/default.nix
@@ -21,12 +21,14 @@ perlPackages.buildPerlPackage rec {
     sed -i 's/ doc / /g' wml_backend/p2_mp4h/Makefile.in
     sed -i '/p2_mp4h\/doc/d' Makefile.in
   '';
-  
+
   buildInputs = with perlPackages; 
     [ perl TermReadKey GD BitVector ncurses lynx makeWrapper ImageSize ];
 
   patches = [ ./redhat-with-thr.patch ./dynaloader.patch ./no_bitvector.patch ];
-  
+
+  hardeningDisable = [ "format" ];
+
   postPatch = ''
     substituteInPlace wml_frontend/wml.src \
       --replace "File::PathConvert::realpath" "Cwd::realpath" \
diff --git a/pkgs/games/asc/default.nix b/pkgs/games/asc/default.nix
index b2f251bfecb87..e67b92afa768c 100644
--- a/pkgs/games/asc/default.nix
+++ b/pkgs/games/asc/default.nix
@@ -13,6 +13,7 @@ stdenv.mkDerivation rec {
   configureFlags = [ "--disable-paragui" "--disable-paraguitest" ];
 
   NIX_CFLAGS_COMPILE = "-fpermissive"; # I'm too lazy to catch all gcc47-related problems
+  hardeningDisable = [ "format" ];
 
   buildInputs = [
     SDL SDL_image SDL_mixer SDL_sound libsigcxx physfs boost expat
diff --git a/pkgs/games/bsdgames/default.nix b/pkgs/games/bsdgames/default.nix
index 0709692552c2f..599588e6f0ee8 100644
--- a/pkgs/games/bsdgames/default.nix
+++ b/pkgs/games/bsdgames/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation {
     })
   ];
 
+  hardeningDisable = [ "format" ];
+
   preConfigure = ''
     cat > config.params << EOF
     bsd_games_cfg_man6dir=$out/share/man/man6
diff --git a/pkgs/games/crack-attack/default.nix b/pkgs/games/crack-attack/default.nix
index 538efebf8334b..eb20c0b329e80 100644
--- a/pkgs/games/crack-attack/default.nix
+++ b/pkgs/games/crack-attack/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ pkgconfig gtk freeglut SDL mesa libXi libXmu ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "A fast-paced puzzle game inspired by the classic Super NES title Tetris Attack!";
     homepage = http://www.nongnu.org/crack-attack/;
diff --git a/pkgs/games/eboard/default.nix b/pkgs/games/eboard/default.nix
index 1a99fcd9c24e8..7915822589c3b 100644
--- a/pkgs/games/eboard/default.nix
+++ b/pkgs/games/eboard/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation {
   buildInputs = [ gtk ];
   nativeBuildInputs = [ perl pkgconfig ];
 
+  hardeningDisable = [ "format" ];
+
   preConfigure = ''
     patchShebangs ./configure
   '';
diff --git a/pkgs/games/gnugo/default.nix b/pkgs/games/gnugo/default.nix
index 4e6163d716385..827388691af0d 100644
--- a/pkgs/games/gnugo/default.nix
+++ b/pkgs/games/gnugo/default.nix
@@ -1,25 +1,20 @@
 { stdenv, fetchurl }:
 
-let
-
-    versionNumber = "3.8";
-
-in
-
-stdenv.mkDerivation {
-
-  name = "gnugo-${versionNumber}";
+stdenv.mkDerivation rec {
+  name = "gnugo-${version}";
+  version = "3.8";
 
   src = fetchurl {
-    url = "mirror://gnu/gnugo/gnugo-${versionNumber}.tar.gz";
+    url = "mirror://gnu/gnugo/gnugo-${version}.tar.gz";
     sha256 = "0wkahvqpzq6lzl5r49a4sd4p52frdmphnqsfdv7gdp24bykdfs6s";
   };
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "GNU Go - A computer go player";
     homepage = "http://http://www.gnu.org/software/gnugo/";
     license = stdenv.lib.licenses.gpl3;
     platforms = stdenv.lib.platforms.unix;
   };
-
 }
diff --git a/pkgs/games/lincity/ng.nix b/pkgs/games/lincity/ng.nix
index 8807831ef0149..b6574eaf39e33 100644
--- a/pkgs/games/lincity/ng.nix
+++ b/pkgs/games/lincity/ng.nix
@@ -15,13 +15,15 @@ let s = # Generated upstream information
   };
   buildInputs = [zlib jam pkgconfig gettext libxml2 libxslt xproto libX11 mesa 
     SDL SDL_mixer SDL_image SDL_ttf SDL_gfx physfs];
-in 
+in
 stdenv.mkDerivation rec {
   inherit (s) name version;
   src = fetchurl {
     inherit (s) url sha256;
   };
 
+  hardeningDisable = [ "format" ];
+
   inherit buildInputs;
 
   buildPhase = "jam";
diff --git a/pkgs/games/liquidwar/default.nix b/pkgs/games/liquidwar/default.nix
index f97c0ec412fc4..ccab07308fd9c 100644
--- a/pkgs/games/liquidwar/default.nix
+++ b/pkgs/games/liquidwar/default.nix
@@ -24,6 +24,8 @@ stdenv.mkDerivation rec {
     libXrender libcaca cunit
   ];
 
+  hardeningDisable = [ "format" ];
+
   # To avoid problems finding SDL_types.h.
   configureFlags = [ "CFLAGS=-I${SDL.dev}/include/SDL" ];
 
diff --git a/pkgs/games/pioneers/default.nix b/pkgs/games/pioneers/default.nix
index af9900cede536..3f1735c31aa16 100644
--- a/pkgs/games/pioneers/default.nix
+++ b/pkgs/games/pioneers/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ gtk pkgconfig intltool ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     homepage = http://pio.sourceforge.net/;
     license = stdenv.lib.licenses.gpl2Plus;
diff --git a/pkgs/games/scummvm/default.nix b/pkgs/games/scummvm/default.nix
index a51b51395dbbf..91c3114694b7f 100644
--- a/pkgs/games/scummvm/default.nix
+++ b/pkgs/games/scummvm/default.nix
@@ -2,14 +2,16 @@
 
 stdenv.mkDerivation rec {
   name = "scummvm-1.8.0";
-  
+
   src = fetchurl {
     url = "mirror://sourceforge/scummvm/${name}.tar.bz2";
     sha256 = "0f3zgvz886lk9ps0v333aq74vx6grlx68hg14gfaxcvj55g73v01";
   };
-  
+
   buildInputs = [ SDL zlib libmpeg2 libmad libogg libvorbis flac alsaLib ];
 
+  hardeningDisable = [ "format" ];
+
   crossAttrs = {
     preConfigure = ''
       # Remove the --build flag set by the gcc cross wrapper setup
diff --git a/pkgs/games/stardust/default.nix b/pkgs/games/stardust/default.nix
index aa68da6b73d0a..74d9bdcb35dca 100644
--- a/pkgs/games/stardust/default.nix
+++ b/pkgs/games/stardust/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation rec {
 
   installFlags = [ "bindir=\${out}/bin" ];
 
+  hardeningDisable = [ "format" ];
+
   postConfigure = ''
     substituteInPlace config.h \
       --replace '#define PACKAGE ""' '#define PACKAGE "stardust"'
diff --git a/pkgs/games/torcs/default.nix b/pkgs/games/torcs/default.nix
index e6370d6e7c61a..1b1e877d274d9 100644
--- a/pkgs/games/torcs/default.nix
+++ b/pkgs/games/torcs/default.nix
@@ -21,6 +21,8 @@ stdenv.mkDerivation rec {
 
   installTargets = "install datainstall";
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "Car racing game";
     homepage = http://torcs.sourceforge.net/;
diff --git a/pkgs/games/trackballs/default.nix b/pkgs/games/trackballs/default.nix
index 65e8f82178eb6..5606be6a5943c 100644
--- a/pkgs/games/trackballs/default.nix
+++ b/pkgs/games/trackballs/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ zlib mesa SDL SDL_ttf SDL_mixer SDL_image guile gettext ];
 
+  hardeningDisable = [ "format" ];
+
   CFLAGS = optionalString debug "-g -O0";
   CXXFLAGS = CFLAGS;
   dontStrip = debug;
diff --git a/pkgs/games/xconq/default.nix b/pkgs/games/xconq/default.nix
index 53c3ec7dec855..e6e237529531d 100644
--- a/pkgs/games/xconq/default.nix
+++ b/pkgs/games/xconq/default.nix
@@ -3,9 +3,9 @@
 
 stdenv.mkDerivation rec {
   name = "${baseName}-${version}";
-  baseName="xconq";
+  baseName = "xconq";
   version = "7.5.0-0pre.0.20050612";
-  
+
   src = fetchurl {
     url = "mirror://sourceforge/project/${baseName}/${baseName}/${name}/${name}.tar.gz";
     sha256 = "1za78yx57mgwcmmi33wx3533yz1x093dnqis8q2qmqivxav51lca";
@@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
     "--with-tkconfig=${tk}/lib"
   ];
 
+  hardeningDisable = [ "format" ];
+
   patchPhase = ''
     # Fix Makefiles
     find . -name 'Makefile.in' -exec sed -re 's@^        ( *)(cd|[&][&])@	\1\2@' -i '{}' ';'
diff --git a/pkgs/games/xpilot/bloodspilot-server.nix b/pkgs/games/xpilot/bloodspilot-server.nix
index 3c811f1ba2eff..42bcb32631698 100644
--- a/pkgs/games/xpilot/bloodspilot-server.nix
+++ b/pkgs/games/xpilot/bloodspilot-server.nix
@@ -1,23 +1,27 @@
-{stdenv, fetchurl, expat}:
-let
-  buildInputs = [
-    expat
-  ];
-in
+{ stdenv, fetchurl, expat }:
+
 stdenv.mkDerivation rec {
-  version = "1.4.6";
   name = "bloodspilot-xpilot-fxi-server-${version}";
-  inherit buildInputs;
+  version = "1.4.6";
+
   src = fetchurl {
     url = "mirror://sourceforge/project/bloodspilot/server/server%20v${version}/xpilot-${version}fxi.tar.gz";
     sha256 = "0d7hnpshifq6gy9a0g6il6h1hgqqjyys36n8w84hr8d4nhg4d1ji";
   };
-  meta = {
-    inherit version;
-    description = ''A multiplayer X11 space combat game (server part)'';
-    homepage = "http://bloodspilot.sf.net/";
-    license = stdenv.lib.licenses.gpl2Plus ;
-    maintainers = [stdenv.lib.maintainers.raskin];
-    platforms = stdenv.lib.platforms.linux;
+
+  buildInputs = [
+    expat
+  ];
+
+  patches = [
+    ./server-gcc5.patch
+  ];
+
+  meta = with stdenv.lib; {
+    description = "A multiplayer X11 space combat game (server part)";
+    homepage = http://bloodspilot.sf.net/;
+    license = licenses.gpl2Plus ;
+    maintainers = [ maintainers.raskin ];
+    platforms = platforms.linux;
   };
 }
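Review bot: `patches = [ ./server-gcc5.patch ];` is added without a comment, and the patch file itself carries no description or origin. From its content it turns several `inline` definitions into `extern` ones, presumably because gcc 5 defaults to C99 inline semantics and the old definitions no longer produce linkable symbols. I would say so above the list, e.g. `# gcc 5: plain 'inline' definitions are no longer emitted as external symbols`, and add a line at the top of the patch stating where it came from.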
diff --git a/pkgs/games/xpilot/server-gcc5.patch b/pkgs/games/xpilot/server-gcc5.patch
new file mode 100644
index 0000000000000..5618399bfecda
--- /dev/null
+++ b/pkgs/games/xpilot/server-gcc5.patch
@@ -0,0 +1,65 @@
+--- xpilot-1.4.6fxi/src/common/net.c	2016-02-09 00:20:43.531714342 +0000
++++ xpilot-1.4.6fxi/src/common/net.c	2016-02-09 00:21:15.301331053 +0000
+@@ -608,9 +608,9 @@
+ }
+ 
+ #if STDVA
+-inline int32_t Packet_scanf(sockbuf_t *sbuf, const char *fmt, ...)
++extern int32_t Packet_scanf(sockbuf_t *sbuf, const char *fmt, ...)
+ #else
+-inline int32_t Packet_scanf(va_alist)
++extern int32_t Packet_scanf(va_alist)
+ va_dcl
+ #endif
+ {
+--- xpilot-1.4.6fxi/src/server/collision.c	2016-02-09 00:22:29.581784405 +0000
++++ xpilot-1.4.6fxi/src/server/collision.c	2016-02-09 00:22:38.152952500 +0000
+@@ -71,7 +71,7 @@
+  * p: first object, q: second object
+  */
+ 
+-inline int32_t Collision_occured(int32_t p1x, int32_t p1y, int32_t p2x, int32_t p2y,
++extern int32_t Collision_occured(int32_t p1x, int32_t p1y, int32_t p2x, int32_t p2y,
+ 		int32_t q1x, int32_t q1y, int32_t q2x, int32_t q2y, int32_t r)
+ {
+ 	int32_t fac1, fac2;	/* contraction between the distance between the x and y coordinates of objects */
+--- xpilot-1.4.6fxi/src/server/player.c	2016-02-09 00:25:29.546313808 +0000
++++ xpilot-1.4.6fxi/src/server/player.c	2016-02-09 00:25:40.464527932 +0000
+@@ -1411,12 +1411,12 @@
+ 	return NULL;
+ }
+ 
+-inline bool Player_idle_timed_out(player_t *pl)
++extern bool Player_idle_timed_out(player_t *pl)
+ {
+ 	return (frame_loops - pl->frame_last_busy > MAX_PLAYER_IDLE_TICKS && (NumPlayers > 1)) ? true : false;
+ }
+ 
+-inline bool Player_is_recovered(player_t *pl)
++extern bool Player_is_recovered(player_t *pl)
+ {
+ 	return (pl->recovery_count <= 0.0) ? true : false;
+ }
+--- xpilot-1.4.6fxi/src/server/score.c	2016-02-09 00:21:45.659923025 +0000
++++ xpilot-1.4.6fxi/src/server/score.c	2016-02-09 00:22:07.224345939 +0000
+@@ -24,17 +24,17 @@
+ char msg[MSG_LEN];
+ 
+ 
+-inline double Get_Score(player_t *pl)
++extern double Get_Score(player_t *pl)
+ {
+     return pl->score;
+ }
+ 
+-inline void Score_set(player_t * pl, double score)
++extern void Score_set(player_t * pl, double score)
+ {
+     pl->score = score;
+ }
+ 
+-inline void Score_add(player_t * pl, double score)
++extern void Score_add(player_t * pl, double score)
+ {
+     pl->score += score;
+ }
diff --git a/pkgs/games/zandronum/default.nix b/pkgs/games/zandronum/default.nix
index 4e1dcd4432372..39c1ea6b74692 100644
--- a/pkgs/games/zandronum/default.nix
+++ b/pkgs/games/zandronum/default.nix
@@ -35,6 +35,8 @@ in stdenv.mkDerivation {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "format" ];
+
   installPhase = ''
     mkdir -p $out/bin
     mkdir -p $out/share/zandronum
diff --git a/pkgs/misc/emulators/dlx/default.nix b/pkgs/misc/emulators/dlx/default.nix
index 01c5f866e1b00..feb474a13765c 100644
--- a/pkgs/misc/emulators/dlx/default.nix
+++ b/pkgs/misc/emulators/dlx/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation {
 
   makeFlags = "LINK=gcc CFLAGS=-O2";
 
+  hardeningDisable = [ "format" ];
+
   installPhase = ''
     mkdir -p $out/include/dlx $out/share/dlx/{examples,doc} $out/bin
     mv -v masm mon dasm $out/bin/
diff --git a/pkgs/misc/emulators/dosbox/default.nix b/pkgs/misc/emulators/dosbox/default.nix
index ebbb1fe7c316f..f7400e4b76151 100644
--- a/pkgs/misc/emulators/dosbox/default.nix
+++ b/pkgs/misc/emulators/dosbox/default.nix
@@ -2,7 +2,7 @@
 
 stdenv.mkDerivation rec { 
   name = "dosbox-0.74";
-  
+
   src = fetchurl {
     url = "mirror://sourceforge/dosbox/${name}.tar.gz";
     sha256 = "01cfjc5bs08m4w79nbxyv7rnvzq2yckmgrbq36njn06lw8b4kxqk";
@@ -17,9 +17,11 @@ stdenv.mkDerivation rec {
     ];
 
   patchFlags = "-p0";
-  
+
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ SDL mesa ];
-    
+
   desktopItem = makeDesktopItem {
     name = "dosbox";
     exec = "dosbox";
diff --git a/pkgs/misc/emulators/fakenes/default.nix b/pkgs/misc/emulators/fakenes/default.nix
index 1f986430b81df..6e9253b299e49 100644
--- a/pkgs/misc/emulators/fakenes/default.nix
+++ b/pkgs/misc/emulators/fakenes/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation {
   buildInputs = [ allegro openal mesa zlib hawknl freeglut libX11
     libXxf86vm libXcursor libXpm ];
 
+  hardeningDisable = [ "format" ];
+
   installPhase = ''
     mkdir -p $out/bin
     cp fakenes $out/bin
diff --git a/pkgs/misc/emulators/mupen64plus/default.nix b/pkgs/misc/emulators/mupen64plus/default.nix
index a51d97773e4ba..07174d76e4e8e 100644
--- a/pkgs/misc/emulators/mupen64plus/default.nix
+++ b/pkgs/misc/emulators/mupen64plus/default.nix
@@ -6,9 +6,11 @@ stdenv.mkDerivation {
     url = http://mupen64plus.googlecode.com/files/Mupen64Plus-1-5-src.tar.gz;
     sha256 = "0gygfgyr2sg4yx77ijk133d1ra0v1yxi4xjxrg6kp3zdjmhdmcjq";
   };
-  
+
   buildInputs = [ which pkgconfig SDL gtk mesa SDL_ttf ];
-  
+
+  hardeningDisable = [ "format" ];
+
   preConfigure = ''
     # Some C++ incompatibility fixes
     sed -i -e 's|char \* extstr = strstr|const char * extstr = strstr|' glide64/Main.cpp
@@ -20,10 +22,10 @@ stdenv.mkDerivation {
     # Remove PATH environment variable from install script
     sed -i -e "s|export PATH=|#export PATH=|" ./install.sh
   '';
-  
+
   buildPhase = "make all";
   installPhase = "PREFIX=$out make install";
-  
+
   meta = {
     description = "A Nintendo 64 Emulator";
     license = stdenv.lib.licenses.gpl2Plus;
diff --git a/pkgs/misc/emulators/nestopia/default.nix b/pkgs/misc/emulators/nestopia/default.nix
index fc64caf1053dd..6620018c33767 100644
--- a/pkgs/misc/emulators/nestopia/default.nix
+++ b/pkgs/misc/emulators/nestopia/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
   # nondeterministic failures when creating directories
   enableParallelBuilding = false;
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ pkgconfig SDL2 alsaLib gtk3 mesa_glu mesa makeWrapper
                   libarchive libao unzip xdg_utils gsettings_desktop_schemas ];
 
diff --git a/pkgs/misc/emulators/uae/default.nix b/pkgs/misc/emulators/uae/default.nix
index b57a2143cc226..ceafc714381c3 100644
--- a/pkgs/misc/emulators/uae/default.nix
+++ b/pkgs/misc/emulators/uae/default.nix
@@ -2,13 +2,18 @@
 
 stdenv.mkDerivation rec {
   name = "uae-0.8.29";
+
   src = fetchurl {
     url = "http://web.archive.org/web/20130905032631/http://www.amigaemulator.org/files/sources/develop/${name}.tar.bz2";
     sha256 = "05s3cd1rd5a970s938qf4c2xm3l7f54g5iaqw56v8smk355m4qr4";
   };
+
   configureFlags = [ "--with-sdl" "--with-sdl-sound" "--with-sdl-gfx" "--with-alsa" ];
+
   buildInputs = [ pkgconfig gtk alsaLib SDL ];
-  
+
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "Ultimate/Unix/Unusable Amiga Emulator";
     license = stdenv.lib.licenses.gpl2Plus;
diff --git a/pkgs/misc/mxt-app/default.nix b/pkgs/misc/mxt-app/default.nix
index cfcba8a3a8bab..2873225b26f13 100644
--- a/pkgs/misc/mxt-app/default.nix
+++ b/pkgs/misc/mxt-app/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation rec{
   buildInputs = [ autoconf automake libtool ];
   preConfigure = "./autogen.sh";
 
+  hardeningDisable = [ "fortify" ];
+
   meta = with stdenv.lib; {
     description = "Command line utility for Atmel maXTouch devices";
     homepage = http://github.com/atmel-maxtouch/mxt-app;
diff --git a/pkgs/misc/talkfilters/default.nix b/pkgs/misc/talkfilters/default.nix
index 7447620e71b6c..4b3158b7a3d5a 100644
--- a/pkgs/misc/talkfilters/default.nix
+++ b/pkgs/misc/talkfilters/default.nix
@@ -1,21 +1,23 @@
 { stdenv, fetchurl }:
 
-let 
-  name = "talkfilters";
+let
+  pname = "talkfilters";
   version = "2.3.8";
 in
 
 stdenv.mkDerivation {
-  name = "${name}";
+  name = "${pname}-${version}";
 
   src = fetchurl {
-    url = "http://www.hyperrealm.com/${name}/${name}-${version}.tar.gz";
+    url = "http://www.hyperrealm.com/${pname}/${pname}-${version}.tar.gz";
     sha256 = "19nc5vq4bnkjvhk8srqddzhcs93jyvpm9r6lzjzwc1mgf08yg0a6";
   };
 
-  meta = { 
+  hardeningDisable = [ "format" ];
+
+  meta = {
     description = "Converts English text into text that mimics a stereotyped or humorous dialect";
-    homepage = "http://http://www.hyperrealm.com/${name}";
+    homepage = "http://http://www.hyperrealm.com/${pname}";
     license = stdenv.lib.licenses.gpl2;
     maintainers = with stdenv.lib.maintainers; [ ikervagyok ];
     platforms = with stdenv.lib.platforms; unix;
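Review bot: The rewritten `homepage` line keeps the doubled scheme, `"http://http://www.hyperrealm.com/${pname}"`, so the link is still malformed after the rename to `pname`. It should read `homepage = "http://www.hyperrealm.com/${pname}";`. The gnugo hunk in this diff has the same `http://http://` in an unchanged context line. The new `hardeningDisable = [ "format" ];` has no stated reason either.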
diff --git a/pkgs/os-specific/linux/acpi-call/default.nix b/pkgs/os-specific/linux/acpi-call/default.nix
index 289b54f1b54cc..65223a32bad67 100644
--- a/pkgs/os-specific/linux/acpi-call/default.nix
+++ b/pkgs/os-specific/linux/acpi-call/default.nix
@@ -8,7 +8,9 @@ stdenv.mkDerivation {
     rev = "ac67445bc75ec4fcf46ceb195fb84d74ad350d51";
     sha256 = "0jl19irz9x9pxab2qp4z8c3jijv2m30zhmnzi6ygbrisqqlg4c75";
   };
-  
+
+  hardeningDisable = [ "pic" ];
+
   preBuild = ''
     sed -e 's/break/true/' -i examples/turn_off_gpu.sh
     sed -e 's@/bin/bash@.bin/sh@' -i examples/turn_off_gpu.sh
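Review bot: `hardeningDisable = [ "pic" ]` gets no explanatory comment here or in the other kernel-module derivations in this diff (batman-adv, bbswitch, broadcom-sta, e1000e, frandom, ixgbevf, jool, tp_smapi and the rest under pkgs/os-specific/linux). For a pure out-of-tree module the reason is presumably that kernel code does not build with `-fPIC`, and a comment such as `# kernel modules do not build with -fPIC` would record that. The attribute is derivation-wide, though, so in the hunks for packages that also appear to ship userspace programs or libraries (blcr, dpdk, netatop, nvidia-x11, prl-tools, spl, sysdig) it applies to those as well; it is worth checking there whether the opt-out can be limited to the module build. The derivation body continues outside the hunk.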
diff --git a/pkgs/os-specific/linux/ati-drivers/default.nix b/pkgs/os-specific/linux/ati-drivers/default.nix
index e5eb9b8c6c3ce..902f0e37e35fd 100644
--- a/pkgs/os-specific/linux/ati-drivers/default.nix
+++ b/pkgs/os-specific/linux/ati-drivers/default.nix
@@ -65,6 +65,8 @@ stdenv.mkDerivation rec {
     curlOpts = "--referer http://support.amd.com/en-us/download/desktop?os=Linux+x86_64";
   };
 
+  hardeningDisable = [ "pic" "format" ];
+
   patchPhaseSamples = "patch -p2 < ${./patches/patch-samples.patch}";
   patches = [
     ./patches/15.12-xstate-fp.patch
diff --git a/pkgs/os-specific/linux/batman-adv/default.nix b/pkgs/os-specific/linux/batman-adv/default.nix
index 0b8a70cb97623..627cb8794af58 100644
--- a/pkgs/os-specific/linux/batman-adv/default.nix
+++ b/pkgs/os-specific/linux/batman-adv/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
     sha256 = "0pj6jans75pxw9arp1747kmmk72zbc2vgkf2a0w565pj98x1nlk1";
   };
 
+  hardeningDisable = [ "pic" ];
+
   preBuild = ''
     makeFlags="KERNELPATH=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
     sed -i -e "s,INSTALL_MOD_DIR=,INSTALL_MOD_PATH=$out INSTALL_MOD_DIR=," \
diff --git a/pkgs/os-specific/linux/bbswitch/default.nix b/pkgs/os-specific/linux/bbswitch/default.nix
index ec1e5f2e20bc1..67b843fac4dcb 100644
--- a/pkgs/os-specific/linux/bbswitch/default.nix
+++ b/pkgs/os-specific/linux/bbswitch/default.nix
@@ -20,6 +20,8 @@ stdenv.mkDerivation {
     sha256 = "1lbr6pyyby4k9rn2ry5qc38kc738d0442jhhq57vmdjb6hxjya7m";
   }) ];
 
+  hardeningDisable = [ "pic" ];
+
   preBuild = ''
     substituteInPlace Makefile \
       --replace "\$(shell uname -r)" "${kernel.modDirVersion}" \
diff --git a/pkgs/os-specific/linux/blcr/default.nix b/pkgs/os-specific/linux/blcr/default.nix
index bc7523858fe19..c2e3fa4b9e1f5 100644
--- a/pkgs/os-specific/linux/blcr/default.nix
+++ b/pkgs/os-specific/linux/blcr/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ perl makeWrapper ];
 
+  hardeningDisable = [ "pic" ];
+
   preConfigure = ''
     configureFlagsArray=(
       --with-linux=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build
@@ -33,7 +35,7 @@ stdenv.mkDerivation {
       wrapProgram "$prog" --prefix LD_LIBRARY_PATH ":" "$out/lib"
     done
   '';
-      
+
   meta = {
     description = "Berkeley Lab Checkpoint/Restart for Linux (BLCR)";
     homepage = https://ftg.lbl.gov/projects/CheckpointRestart/;
diff --git a/pkgs/os-specific/linux/broadcom-sta/default.nix b/pkgs/os-specific/linux/broadcom-sta/default.nix
index 28b23a61ff066..e36512e00767f 100644
--- a/pkgs/os-specific/linux/broadcom-sta/default.nix
+++ b/pkgs/os-specific/linux/broadcom-sta/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation {
     sha256 = hashes.${stdenv.system};
   };
 
+  hardeningDisable = [ "pic" ];
+
   patches = [
     ./i686-build-failure.patch
     ./license.patch
diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix
index 296b19bc5b6c1..eaf45745f024b 100644
--- a/pkgs/os-specific/linux/busybox/default.nix
+++ b/pkgs/os-specific/linux/busybox/default.nix
@@ -33,6 +33,8 @@ stdenv.mkDerivation rec {
     sha256 = "16ii9sqracvh2r1gfzhmlypl269nnbkpvrwa7270k35d3bigk9h5";
   };
 
+  hardeningDisable = [ "format" ];
+
   patches = [ ./busybox-in-store.patch ];
 
   configurePhase = ''
diff --git a/pkgs/os-specific/linux/checksec/default.nix b/pkgs/os-specific/linux/checksec/default.nix
index e698c11ad0fba..1a879ba33304d 100644
--- a/pkgs/os-specific/linux/checksec/default.nix
+++ b/pkgs/os-specific/linux/checksec/default.nix
@@ -3,6 +3,7 @@
 stdenv.mkDerivation rec {
   name = "checksec-${version}";
   version = "1.5";
+
   src = fetchurl {
     url    = "http://www.trapkit.de/tools/checksec.sh";
     sha256 = "0iq9v568mk7g7ksa1939g5f5sx7ffq8s8n2ncvphvlckjgysgf3p";
@@ -11,9 +12,9 @@ stdenv.mkDerivation rec {
   patches = [ ./0001-attempt-to-modprobe-config-before-checking-kernel.patch ];
 
   unpackPhase = ''
-    mkdir ${name}-${version}
-    cp $src ${name}-${version}/checksec.sh
-    cd ${name}-${version}
+    mkdir ${name}
+    cp $src ${name}/checksec.sh
+    cd ${name}
   '';
 
   installPhase = ''
@@ -32,8 +33,6 @@ stdenv.mkDerivation rec {
     substituteInPlace $out/bin/checksec --replace "/usr/bin/id -" "${coreutils}/bin/id -"
   '';
 
-  phases = "unpackPhase patchPhase installPhase";
-
   meta = {
     description = "A tool for checking security bits on executables";
     homepage    = "http://www.trapkit.de/tools/checksec.html";
diff --git a/pkgs/os-specific/linux/criu/default.nix b/pkgs/os-specific/linux/criu/default.nix
index 630c498532580..efca4c7bbb5b6 100644
--- a/pkgs/os-specific/linux/criu/default.nix
+++ b/pkgs/os-specific/linux/criu/default.nix
@@ -24,7 +24,11 @@ stdenv.mkDerivation rec {
     ln -sf ${protobuf}/include/google/protobuf/descriptor.proto ./images/google/protobuf/descriptor.proto
   '';
 
-  buildPhase     = "make PREFIX=$out";
+  buildPhase = "make PREFIX=$out";
+
+  makeFlags = "PREFIX=$(out)";
+
+  hardeningDisable = [ "stackprotector" ];
 
   installPhase = ''
     mkdir -p $out/etc/logrotate.d
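Review bot: `hardeningDisable = [ "stackprotector" ]` turns the stack canary off for the whole criu build without saying why. If only part of the build cannot link against the canary support (the code criu injects into other processes would be the likely candidate, to be confirmed), a comment above the line should say so, so that the scope can be narrowed later. The added `makeFlags = "PREFIX=$(out)";` also looks unused as long as `buildPhase` stays an explicit `make PREFIX=$out` string and `installPhase` is overridden too; its body is outside the hunk, so this needs checking there. I would keep either the explicit `buildPhase` or the new `makeFlags`, not both.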
diff --git a/pkgs/os-specific/linux/cryptodev/default.nix b/pkgs/os-specific/linux/cryptodev/default.nix
index 4ea9295ef4f99..f3c262231223c 100644
--- a/pkgs/os-specific/linux/cryptodev/default.nix
+++ b/pkgs/os-specific/linux/cryptodev/default.nix
@@ -1,26 +1,19 @@
 { fetchurl, stdenv, kernel, onlyHeaders ? false }:
 
 stdenv.mkDerivation rec {
-  pname = "cryptodev-linux-1.6";
+  pname = "cryptodev-linux-1.8";
   name = "${pname}-${kernel.version}";
 
   src = fetchurl {
     url = "http://download.gna.org/cryptodev-linux/${pname}.tar.gz";
-    sha256 = "0bryzdb4xz3fp2q00a0mlqkj629md825lnlh4gjwmy51irf45wbm";
+    sha256 = "0xhkhcdlds9aiz0hams93dv0zkgcn2abaiagdjlqdck7zglvvyk7";
   };
 
-  buildPhase = if !onlyHeaders then ''
-    make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \
-      SUBDIRS=`pwd` INSTALL_PATH=$out
-  '' else ":";
+  hardeningDisable = [ "pic" ];
 
-  installPhase = stdenv.lib.optionalString (!onlyHeaders) ''
-    make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \
-      INSTALL_MOD_PATH=$out SUBDIRS=`pwd` modules_install
-  '' + ''
-    mkdir -p $out/include/crypto
-    cp crypto/cryptodev.h $out/include/crypto
-  '';
+  KERNEL_DIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
+  INSTALL_MOD_PATH = "\${out}";
+  PREFIX = "\${out}";
 
   meta = {
     description = "Device that allows access to Linux kernel cryptographic drivers";
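Review bot: The `onlyHeaders ? false` argument is still accepted on the first line, but nothing on the new side of this hunk reads it now that the conditional `buildPhase` and `installPhase` are removed. As far as the hunk shows, a caller passing `onlyHeaders = true` would get a full kernel-module build instead of a headers-only output. Either drop the argument together with its callers or keep a headers-only path. The new `INSTALL_MOD_PATH = "\${out}";` and `PREFIX = "\${out}";` lines rely on the escaped `${out}` being expanded later by make rather than by Nix, which deserves a short comment such as `# literal ${out}, expanded by make from the environment`. The meta block continues outside the hunk.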
diff --git a/pkgs/os-specific/linux/disk-indicator/default.nix b/pkgs/os-specific/linux/disk-indicator/default.nix
index d0d0371ec2d7e..46ebc923e3b27 100644
--- a/pkgs/os-specific/linux/disk-indicator/default.nix
+++ b/pkgs/os-specific/linux/disk-indicator/default.nix
@@ -20,6 +20,8 @@ stdenv.mkDerivation {
 
   NIX_CFLAGS_COMPILE = "-Wno-error=cpp";
 
+  hardeningDisable = [ "fortify" ];
+
   installPhase = ''
     mkdir -p "$out/bin"
     cp ./disk_indicator "$out/bin/"
diff --git a/pkgs/os-specific/linux/dmraid/default.nix b/pkgs/os-specific/linux/dmraid/default.nix
index fcbc8cb512532..d39cadf41993d 100644
--- a/pkgs/os-specific/linux/dmraid/default.nix
+++ b/pkgs/os-specific/linux/dmraid/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "0m92971gyqp61darxbiri6a48jz3wq3gkp8r2k39320z0i6w8jgq";
   };
 
+  patches = [ ./hardening-format.patch ];
+
   postPatch = ''
     sed -i 's/\[\[[^]]*\]\]/[ "''$''${n##*.}" = "so" ]/' */lib/Makefile.in
   '';
diff --git a/pkgs/os-specific/linux/dmraid/hardening-format.patch b/pkgs/os-specific/linux/dmraid/hardening-format.patch
new file mode 100644
index 0000000000000..f91a7fb18aa0e
--- /dev/null
+++ b/pkgs/os-specific/linux/dmraid/hardening-format.patch
@@ -0,0 +1,18 @@
+--- a/1.0.0.rc16/lib/events/libdmraid-events-isw.c	2016-01-29 05:16:57.455425454 +0000
++++ b/1.0.0.rc16/lib/events/libdmraid-events-isw.c	2016-01-29 05:17:55.520564013 +0000
+@@ -838,13 +838,13 @@
+ 
+ 	sz = _log_all_devs(log_type, rs, NULL, 0);
+ 	if (!sz) {
+-		syslog(LOG_ERR, msg[0]);
++		syslog(LOG_ERR, "%s", msg[0]);
+ 		return;
+ 	}
+ 
+ 	str = dm_malloc(++sz);
+ 	if (!str) {
+-		syslog(LOG_ERR, msg[1]);
++		syslog(LOG_ERR, "%s", msg[1]);
+ 		return;
+ 	}
+ 
diff --git a/pkgs/os-specific/linux/dpdk/default.nix b/pkgs/os-specific/linux/dpdk/default.nix
index 9d1d3d666ace3..e0c164e6232ee 100644
--- a/pkgs/os-specific/linux/dpdk/default.nix
+++ b/pkgs/os-specific/linux/dpdk/default.nix
@@ -22,6 +22,8 @@ stdenv.mkDerivation rec {
   enableParallelBuilding = true;
   outputs = [ "out" "kmod" "examples" ];
 
+  hardeningDisable = [ "pic" ];
+
   configurePhase = ''
     make T=x86_64-native-linuxapp-gcc config
   '';
diff --git a/pkgs/os-specific/linux/e1000e/default.nix b/pkgs/os-specific/linux/e1000e/default.nix
index 0b67a5382f751..5406c37522ead 100644
--- a/pkgs/os-specific/linux/e1000e/default.nix
+++ b/pkgs/os-specific/linux/e1000e/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation {
     sha256 = "07hg6xxqgqshnys1qs9wbl9qr7d4ixdkd1y1fj27cg6bn8s2n797";
   };
 
+  hardeningDisable = [ "pic" ];
+
   configurePhase = ''
     cd src
     kernel_version=${kernel.modDirVersion}
diff --git a/pkgs/os-specific/linux/ena/default.nix b/pkgs/os-specific/linux/ena/default.nix
index 7a047e9f2338a..051725d32d987 100644
--- a/pkgs/os-specific/linux/ena/default.nix
+++ b/pkgs/os-specific/linux/ena/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
     sha256 = "03w6xgv3lfn28n38mj9cdi3px5zjyrbxnflpd3ggivkv6grf9fp7";
   };
 
+  hardeningDisable = [ "pic" ];
+
   configurePhase =
     ''
       cd kernel/linux/ena
@@ -30,5 +32,6 @@ stdenv.mkDerivation rec {
     homepage = https://github.com/amzn/amzn-drivers;
     license = lib.licenses.gpl2;
     maintainers = [ lib.maintainers.eelco ];
+    platforms = lib.platforms.linux;
   };
 }
diff --git a/pkgs/os-specific/linux/facetimehd/default.nix b/pkgs/os-specific/linux/facetimehd/default.nix
index cbacb6ae074d9..de726d5b42c99 100644
--- a/pkgs/os-specific/linux/facetimehd/default.nix
+++ b/pkgs/os-specific/linux/facetimehd/default.nix
@@ -4,7 +4,6 @@
 assert stdenv.lib.versionAtLeast kernel.version "3.19";
 
 stdenv.mkDerivation rec {
-
   name = "facetimehd-${version}-${kernel.version}";
   version = "git-20160503";
 
@@ -29,6 +28,8 @@ stdenv.mkDerivation rec {
     export INSTALL_MOD_PATH="$out"
   '';
 
+  hardeningDisable = [ "pic" ];
+
   makeFlags = [
     "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
   ];
@@ -40,5 +41,4 @@ stdenv.mkDerivation rec {
     maintainers = with maintainers; [ womfoo grahamc ];
     platforms = platforms.linux;
   };
-
 }
diff --git a/pkgs/os-specific/linux/frandom/default.nix b/pkgs/os-specific/linux/frandom/default.nix
index 80ad483b36765..dfdc79c2005f5 100644
--- a/pkgs/os-specific/linux/frandom/default.nix
+++ b/pkgs/os-specific/linux/frandom/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
     sha256 = "15rgyk4hfawqg7z1spk2xlk1nn6rcdls8gdhc70f91shrc9pvlls";
   };
 
+  hardeningDisable = [ "pic" ];
+
   preBuild = ''
     kernelVersion=${kernel.modDirVersion}
     substituteInPlace Makefile \
diff --git a/pkgs/os-specific/linux/fusionio/vsl.nix b/pkgs/os-specific/linux/fusionio/vsl.nix
index 8e24b5061cd34..665c4b4d08134 100644
--- a/pkgs/os-specific/linux/fusionio/vsl.nix
+++ b/pkgs/os-specific/linux/fusionio/vsl.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
 
   src = srcs.vsl;
 
+  hardeningDisable = [ "pic" ];
+
   prePatch = ''
     cd root/usr/src/iomemory-vsl-*
   '';
diff --git a/pkgs/os-specific/linux/gogoclient/default.nix b/pkgs/os-specific/linux/gogoclient/default.nix
index c33d9cfae9ede..7383db95c3753 100644
--- a/pkgs/os-specific/linux/gogoclient/default.nix
+++ b/pkgs/os-specific/linux/gogoclient/default.nix
@@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
   makeFlags = ["target=linux"];
   installFlags = ["installdir=$(out)"];
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [openssl];
 
   preFixup = ''
diff --git a/pkgs/os-specific/linux/ifenslave/default.nix b/pkgs/os-specific/linux/ifenslave/default.nix
index d8985003b41a9..b9390d1d58934 100644
--- a/pkgs/os-specific/linux/ifenslave/default.nix
+++ b/pkgs/os-specific/linux/ifenslave/default.nix
@@ -18,6 +18,8 @@ stdenv.mkDerivation rec {
     cp -a ifenslave $out/bin
   '';
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "Utility for enslaving networking interfaces under a bond";
     license = stdenv.lib.licenses.gpl2;
diff --git a/pkgs/os-specific/linux/ixgbevf/default.nix b/pkgs/os-specific/linux/ixgbevf/default.nix
index eb90c9fb1eb74..1f8ced6c2d2a6 100644
--- a/pkgs/os-specific/linux/ixgbevf/default.nix
+++ b/pkgs/os-specific/linux/ixgbevf/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "1i6ry3vd77190sxb47xhbz3v30gighwax6prav4ggs3q80a389c8";
   };
 
+  hardeningDisable = [ "pic" ];
+
   configurePhase = ''
     cd src
     makeFlagsArray+=(KSRC=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build INSTALL_MOD_PATH=$out MANDIR=/share/man)
diff --git a/pkgs/os-specific/linux/jool/default.nix b/pkgs/os-specific/linux/jool/default.nix
index 389dcc220536b..274d0cc41394a 100644
--- a/pkgs/os-specific/linux/jool/default.nix
+++ b/pkgs/os-specific/linux/jool/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation {
 
   src = sourceAttrs.src;
 
+  hardeningDisable = [ "pic" ];
+
   prePatch = ''
     sed -e 's@/lib/modules/\$(.*)@${kernel.dev}/lib/modules/${kernel.modDirVersion}@' -i mod/*/Makefile
   '';
diff --git a/pkgs/os-specific/linux/kernel-headers/3.18.nix b/pkgs/os-specific/linux/kernel-headers/3.18.nix
index 0cc38a0548ca0..22650747ba210 100644
--- a/pkgs/os-specific/linux/kernel-headers/3.18.nix
+++ b/pkgs/os-specific/linux/kernel-headers/3.18.nix
@@ -34,6 +34,9 @@ stdenv.mkDerivation {
 
   buildInputs = [perl];
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardeningDisable = [ "stackprotector" ];
+
   extraIncludeDirs =
     if cross != null then
         (if cross.arch == "powerpc" then ["ppc"] else [])
diff --git a/pkgs/os-specific/linux/kernel/manual-config.nix b/pkgs/os-specific/linux/kernel/manual-config.nix
index c5a4ba2b18ad5..f4693417e205b 100644
--- a/pkgs/os-specific/linux/kernel/manual-config.nix
+++ b/pkgs/os-specific/linux/kernel/manual-config.nix
@@ -222,6 +222,8 @@ stdenv.mkDerivation ((drvAttrs config stdenv.platform (kernelPatches ++ nativeKe
   nativeBuildInputs = [ perl bc nettools openssl ] ++ optional (stdenv.platform.uboot != null)
     (ubootChooser stdenv.platform.uboot);
 
+  hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" ];
+
   makeFlags = commonMakeFlags ++ [
     "ARCH=${stdenv.platform.kernelArch}"
   ];
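Review bot: `hardeningDisable = [ "bindnow" "format" "fortify" "stackprotector" "pic" ]` switches off five hardening flags for the kernel build and carries no comment. That is probably right, since the kernel selects its own stack-protector and related options through its configuration, but without a note the line reads as if the kernel were built unhardened. I would add a comment above it, e.g. `# the kernel sets its own hardening via its config; the compiler-wrapper flags do not apply to it`, and confirm that the kernel configs in use still enable the stack protector. The derivation continues outside the hunk.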
diff --git a/pkgs/os-specific/linux/kexectools/default.nix b/pkgs/os-specific/linux/kexectools/default.nix
index d7d79b0257d75..cb30de44a81a7 100644
--- a/pkgs/os-specific/linux/kexectools/default.nix
+++ b/pkgs/os-specific/linux/kexectools/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
     sha256 = "03cj7w2l5fqn72xfhl4q6z0zbziwkp9bfn0gs7gaf9i44jv6gkhl";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ zlib ];
 
   meta = with stdenv.lib; {
diff --git a/pkgs/os-specific/linux/klibc/default.nix b/pkgs/os-specific/linux/klibc/default.nix
index 02ec36d64ba7c..84b66ac0d9c76 100644
--- a/pkgs/os-specific/linux/klibc/default.nix
+++ b/pkgs/os-specific/linux/klibc/default.nix
@@ -20,6 +20,8 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ perl ];
 
+  hardeningDisable = [ "format" "stackprotector" ];
+
   makeFlags = commonMakeFlags ++ [
     "KLIBCARCH=${stdenv.platform.kernelArch}"
     "KLIBCKERNELSRC=${linuxHeaders}"
diff --git a/pkgs/os-specific/linux/ldm/default.nix b/pkgs/os-specific/linux/ldm/default.nix
index 9a9fca2431af4..0c333feab1c14 100644
--- a/pkgs/os-specific/linux/ldm/default.nix
+++ b/pkgs/os-specific/linux/ldm/default.nix
@@ -25,7 +25,7 @@ stdenv.mkDerivation rec {
     sed '16i#include <sys/stat.h>' -i ldm.c
   '';
 
-  buildPhase = "make ldm";
+  buildFlags = "ldm";
 
   installPhase = ''
     mkdir -p $out/bin
diff --git a/pkgs/os-specific/linux/libaio/default.nix b/pkgs/os-specific/linux/libaio/default.nix
index b3df129912e47..1e85182d6c35f 100644
--- a/pkgs/os-specific/linux/libaio/default.nix
+++ b/pkgs/os-specific/linux/libaio/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 
   makeFlags = "prefix=$(out)";
 
+  hardeningDisable = stdenv.lib.optional (stdenv.isi686) "stackprotector";
+
   meta = {
     description = "Library for asynchronous I/O in Linux";
     homepage = http://lse.sourceforge.net/io/aio.html;
diff --git a/pkgs/os-specific/linux/lttng-modules/default.nix b/pkgs/os-specific/linux/lttng-modules/default.nix
index f029c6b82bec5..eeef64c708331 100644
--- a/pkgs/os-specific/linux/lttng-modules/default.nix
+++ b/pkgs/os-specific/linux/lttng-modules/default.nix
@@ -10,6 +10,10 @@ stdenv.mkDerivation rec {
     sha256 = "0sk7cyjf5ylmxqrrrz5zmmw4c0dmxh1f98aj870gmcnxfa76y4mx";
   };
 
+  hardeningDisable = [ "pic" ];
+
+  NIX_CFLAGS_COMPILE = "-Wno-error=implicit-function-declaration";
+
   preConfigure = ''
     export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
     export INSTALL_MOD_PATH="$out"
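Review bot: `NIX_CFLAGS_COMPILE = "-Wno-error=implicit-function-declaration";` downgrades an error that, in kernel-module code, usually means the module calls a function the targeted kernel headers do not declare. An implicitly declared function is assumed to return `int`, which can truncate pointers on 64-bit builds and hides an API mismatch between this lttng-modules version and the kernel. I would rather update or patch the module, or at least add a comment naming the function and the kernel it fails on, e.g. `# FIXME: <function> undeclared with kernel <version>`. The derivation continues outside the hunk.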
diff --git a/pkgs/os-specific/linux/mba6x_bl/default.nix b/pkgs/os-specific/linux/mba6x_bl/default.nix
index 010bda4bb1542..2a0e53b392575 100644
--- a/pkgs/os-specific/linux/mba6x_bl/default.nix
+++ b/pkgs/os-specific/linux/mba6x_bl/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "pic" ];
+
   makeFlags = [
     "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
     "INSTALL_MOD_PATH=$(out)"
diff --git a/pkgs/os-specific/linux/multipath-tools/default.nix b/pkgs/os-specific/linux/multipath-tools/default.nix
index ba69b421c3d33..409eb31e14f70 100644
--- a/pkgs/os-specific/linux/multipath-tools/default.nix
+++ b/pkgs/os-specific/linux/multipath-tools/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "1yd6l1l1c62xjr1xnij2x49kr416anbgfs4y06r86kp9hkmz2g7i";
   };
 
+  hardeningDisable = [ "format" ];
+
   postPatch = ''
     sed -i -re '
       s,^( *#define +DEFAULT_MULTIPATHDIR\>).*,\1 "'"$out/lib/multipath"'",
diff --git a/pkgs/os-specific/linux/mxu11x0/default.nix b/pkgs/os-specific/linux/mxu11x0/default.nix
index 4af4043240394..ed88fc643fd0c 100644
--- a/pkgs/os-specific/linux/mxu11x0/default.nix
+++ b/pkgs/os-specific/linux/mxu11x0/default.nix
@@ -28,6 +28,8 @@ stdenv.mkDerivation {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "pic" ];
+
   meta = with stdenv.lib; {
     description = "MOXA UPort 11x0 USB to Serial Hub driver";
     homepage = "https://github.com/ellysh/mxu11x0";
diff --git a/pkgs/os-specific/linux/ndiswrapper/default.nix b/pkgs/os-specific/linux/ndiswrapper/default.nix
index f95de43356486..eabc2840881ed 100644
--- a/pkgs/os-specific/linux/ndiswrapper/default.nix
+++ b/pkgs/os-specific/linux/ndiswrapper/default.nix
@@ -3,6 +3,8 @@
 stdenv.mkDerivation {
   name = "ndiswrapper-1.59-${kernel.version}";
 
+  hardeningDisable = [ "pic" ];
+
   patches = [ ./no-sbin.patch ];
 
   # need at least .config and include 
diff --git a/pkgs/os-specific/linux/netatop/default.nix b/pkgs/os-specific/linux/netatop/default.nix
index 5d54d0a21ff3a..5177ea45e7ab9 100644
--- a/pkgs/os-specific/linux/netatop/default.nix
+++ b/pkgs/os-specific/linux/netatop/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ zlib ];
 
+  hardeningDisable = [ "pic" ];
+
   preConfigure = ''
     patchShebangs mkversion
     sed -i -e 's,^KERNDIR.*,KERNDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build,' \
diff --git a/pkgs/os-specific/linux/numad/default.nix b/pkgs/os-specific/linux/numad/default.nix
index 55edff5771209..ed84c41001b6a 100644
--- a/pkgs/os-specific/linux/numad/default.nix
+++ b/pkgs/os-specific/linux/numad/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "08zd1yc3w00yv4mvvz5sq1gf91f6p2s9ljcd72m33xgnkglj60v4";
   };
 
+  hardeningDisable = [ "format" ];
+
   patches = [
     ./numad-linker-flags.patch
   ];
diff --git a/pkgs/os-specific/linux/nvidia-x11/beta.nix b/pkgs/os-specific/linux/nvidia-x11/beta.nix
index d3111a4f75a1c..6fd5fb6c0b637 100644
--- a/pkgs/os-specific/linux/nvidia-x11/beta.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/beta.nix
@@ -41,6 +41,8 @@ stdenv.mkDerivation {
 
   kernel = if libsOnly then null else kernel.dev;
 
+  hardeningDisable = [ "pic" "format" ];
+
   dontStrip = true;
 
   glPath      = makeLibraryPath [xorg.libXext xorg.libX11 xorg.libXrandr];
diff --git a/pkgs/os-specific/linux/nvidia-x11/default.nix b/pkgs/os-specific/linux/nvidia-x11/default.nix
index cbd4e466b7021..f561c0addc875 100644
--- a/pkgs/os-specific/linux/nvidia-x11/default.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/default.nix
@@ -42,6 +42,8 @@ stdenv.mkDerivation {
 
   kernel = if libsOnly then null else kernel.dev;
 
+  hardeningDisable = [ "pic" "format" ];
+
   dontStrip = true;
 
   glPath      = makeLibraryPath [xorg.libXext xorg.libX11 xorg.libXrandr];
diff --git a/pkgs/os-specific/linux/nvidia-x11/legacy173.nix b/pkgs/os-specific/linux/nvidia-x11/legacy173.nix
index 91813d67e1c1e..27c963f4bd9cc 100644
--- a/pkgs/os-specific/linux/nvidia-x11/legacy173.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/legacy173.nix
@@ -26,6 +26,8 @@ stdenv.mkDerivation {
 
   kernel = kernel.dev;
 
+  hardeningDisable = [ "pic" "format" ];
+
   inherit versionNumber;
 
   dontStrip = true;
diff --git a/pkgs/os-specific/linux/nvidia-x11/legacy304.nix b/pkgs/os-specific/linux/nvidia-x11/legacy304.nix
index 5cf3583e873cf..65cf42333e057 100644
--- a/pkgs/os-specific/linux/nvidia-x11/legacy304.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/legacy304.nix
@@ -32,6 +32,8 @@ stdenv.mkDerivation {
 
   kernel = if libsOnly then null else kernel.dev;
 
+  hardeningDisable = [ "pic" "format" ];
+
   dontStrip = true;
 
   glPath = stdenv.lib.makeLibraryPath [xorg.libXext xorg.libX11 xorg.libXrandr];
diff --git a/pkgs/os-specific/linux/nvidia-x11/legacy340.nix b/pkgs/os-specific/linux/nvidia-x11/legacy340.nix
index fa9d6442e4243..0682954d558f4 100644
--- a/pkgs/os-specific/linux/nvidia-x11/legacy340.nix
+++ b/pkgs/os-specific/linux/nvidia-x11/legacy340.nix
@@ -42,6 +42,8 @@ stdenv.mkDerivation {
 
   kernel = if libsOnly then null else kernel.dev;
 
+  hardeningDisable = [ "pic" "format" ];
+
   dontStrip = true;
 
   glPath      = makeLibraryPath [xorg.libXext xorg.libX11 xorg.libXrandr];
diff --git a/pkgs/os-specific/linux/nvidiabl/default.nix b/pkgs/os-specific/linux/nvidiabl/default.nix
index a6797608664f6..881c29c1ce0f6 100644
--- a/pkgs/os-specific/linux/nvidiabl/default.nix
+++ b/pkgs/os-specific/linux/nvidiabl/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation {
     sha256 = "1c7ar39wc8jpqh67sw03lwnyp0m9l6dad469ybqrgcywdiwxspwj";
   };
 
+  hardeningDisable = [ "pic" ];
+
   patches = [ ./linux4compat.patch ];
 
   preConfigure = ''
diff --git a/pkgs/os-specific/linux/paxctl/default.nix b/pkgs/os-specific/linux/paxctl/default.nix
index afb342768c337..7ef98eb235368 100644
--- a/pkgs/os-specific/linux/paxctl/default.nix
+++ b/pkgs/os-specific/linux/paxctl/default.nix
@@ -18,6 +18,9 @@ stdenv.mkDerivation rec {
     "MANDIR=share/man/man1"
   ];
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardeningDisable = [ "stackprotector" ];
+
   setupHook = ./setup-hook.sh;
 
   meta = with stdenv.lib; {
diff --git a/pkgs/os-specific/linux/phc-intel/default.nix b/pkgs/os-specific/linux/phc-intel/default.nix
index 2b86238b2df5b..56c12e9a4f0a2 100644
--- a/pkgs/os-specific/linux/phc-intel/default.nix
+++ b/pkgs/os-specific/linux/phc-intel/default.nix
@@ -21,6 +21,8 @@ in stdenv.mkDerivation rec {
 
   buildInputs = [ which ];
 
+  hardeningDisable = [ "pic" ];
+
   makeFlags = with kernel; [
     "DESTDIR=$(out)"
     "KERNELSRC=${dev}/lib/modules/${modDirVersion}/build"
diff --git a/pkgs/os-specific/linux/prl-tools/default.nix b/pkgs/os-specific/linux/prl-tools/default.nix
index da5d7d5f60706..9ca48ccaf057f 100644
--- a/pkgs/os-specific/linux/prl-tools/default.nix
+++ b/pkgs/os-specific/linux/prl-tools/default.nix
@@ -47,6 +47,8 @@ stdenv.mkDerivation rec {
     '';
   };
 
+  hardeningDisable = [ "pic" ];
+
   # also maybe python2 to generate xorg.conf
   nativeBuildInputs = [ p7zip ] ++ lib.optionals (!libsOnly) [ makeWrapper ];
 
diff --git a/pkgs/os-specific/linux/psmouse-alps/default.nix b/pkgs/os-specific/linux/psmouse-alps/default.nix
deleted file mode 100644
index 9dd78f5885ada..0000000000000
--- a/pkgs/os-specific/linux/psmouse-alps/default.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ stdenv, fetchurl, kernel, zlib }:
-
-/* Only useful for kernels 3.2 to 3.5.
-   Fails to build in 3.8.
-   3.9 upstream already includes a proper alps driver for this */
-
-assert builtins.compareVersions "3.8" kernel.version == 1;
-
-let
-  ver = "1.3";
-  bname = "psmouse-alps-${ver}";
-in
-stdenv.mkDerivation {
-  name = "psmouse-alps-${kernel.version}-${ver}";
-
-  src = fetchurl {
-    url = http://www.dahetral.com/public-download/alps-psmouse-dlkm-for-3-2-and-3-5/at_download/file;
-    name = "${bname}-alt.tar.bz2";
-    sha256 = "1ghr8xcyidz31isxbwrbcr9rvxi4ad2idwmb3byar9n2ig116cxp";
-  };
-
-  buildPhase = ''
-    cd src/${bname}/src
-    make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \
-      SUBDIRS=`pwd` INSTALL_PATH=$out
-  '';
-
-  installPhase = ''
-    make -C ${kernel.dev}/lib/modules/${kernel.modDirVersion}/build \
-      INSTALL_MOD_PATH=$out SUBDIRS=`pwd` modules_install
-  '';
-      
-  meta = {
-    description = "ALPS dlkm driver with all known touchpads";
-    homepage = http://www.dahetral.com/public-download/alps-psmouse-dlkm-for-3-2-and-3-5/view;
-    license = stdenv.lib.licenses.gpl2;
-    platforms = stdenv.lib.platforms.linux;
-    maintainers = with stdenv.lib.maintainers; [viric];
-  };
-}
diff --git a/pkgs/os-specific/linux/rtl8723bs/default.nix b/pkgs/os-specific/linux/rtl8723bs/default.nix
index 0464453459033..39f6a3826c27d 100644
--- a/pkgs/os-specific/linux/rtl8723bs/default.nix
+++ b/pkgs/os-specific/linux/rtl8723bs/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
     sha256 = "07srd457wnz29nvvq02wz66s387bhjbydnmbs3qr7ljprabhsgmi";
   };
 
+  hardeningDisable = [ "pic" ];
+
   buildInputs = [ nukeReferences ];
 
   makeFlags = concatStringsSep " " [
diff --git a/pkgs/os-specific/linux/rtl8812au/default.nix b/pkgs/os-specific/linux/rtl8812au/default.nix
index bc6a97029c7ed..c38fa8843f424 100644
--- a/pkgs/os-specific/linux/rtl8812au/default.nix
+++ b/pkgs/os-specific/linux/rtl8812au/default.nix
@@ -3,25 +3,29 @@
 stdenv.mkDerivation rec {
   name = "rtl8812au-${kernel.version}-${version}";
   version = "4.2.2-1";
-  
+
   src = fetchFromGitHub {
     owner = "csssuf";
     repo = "rtl8812au";
     rev = "874906aec694c800bfc29b146737b88dae767832";
     sha256 = "14ifhplawipfd6971mxw76dv3ygwc0n8sbz2l3f0vvkin6x88bsj";
   };
-  
+
+  hardeningDisable = [ "pic" ];
+
+  NIX_CFLAGS_COMPILE="-Wno-error=incompatible-pointer-types";
+
   patchPhase = ''
     substituteInPlace ./Makefile --replace /lib/modules/ "${kernel.dev}/lib/modules/"
     substituteInPlace ./Makefile --replace '$(shell uname -r)' "${kernel.modDirVersion}"
     substituteInPlace ./Makefile --replace /sbin/depmod #
     substituteInPlace ./Makefile --replace '$(MODDESTDIR)' "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
   '';
-  
+
   preInstall = ''
     mkdir -p "$out/lib/modules/${kernel.modDirVersion}/kernel/net/wireless/"
   '';
-   
+
   meta = {
     description = "Driver for Realtek 802.11ac, rtl8812au, provides the 8812au mod";
     homepage = "https://github.com/csssuf/rtl8812au";
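Review bot: `NIX_CFLAGS_COMPILE="-Wno-error=incompatible-pointer-types";` silences a type mismatch in a wireless kernel driver rather than fixing it, and no comment says which call needs it. Mismatched pointer types in a driver often mean it was written against a different kernel API, which is better handled by a patch or a kernel-version assertion than by a blanket flag. If the flag has to stay, I would write it with the file's spacing and a reason: `NIX_CFLAGS_COMPILE = "-Wno-error=incompatible-pointer-types"; # FIXME: <mismatched call>`. The meta block continues outside the hunk.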
diff --git a/pkgs/os-specific/linux/setools/default.nix b/pkgs/os-specific/linux/setools/default.nix
index bb17683800f17..5f539b9a97e54 100644
--- a/pkgs/os-specific/linux/setools/default.nix
+++ b/pkgs/os-specific/linux/setools/default.nix
@@ -18,6 +18,8 @@ stdenv.mkDerivation rec {
     "--with-tcl=${tcl}/lib"
   ];
 
+  hardeningDisable = [ "format" ];
+
   NIX_CFLAGS_COMPILE = "-fstack-protector-all";
   NIX_LDFLAGS = "-L${libsepol}/lib -L${libselinux}/lib";
 
diff --git a/pkgs/os-specific/linux/spl/default.nix b/pkgs/os-specific/linux/spl/default.nix
index 45926228b6c8e..d5a235084d4d9 100644
--- a/pkgs/os-specific/linux/spl/default.nix
+++ b/pkgs/os-specific/linux/spl/default.nix
@@ -30,6 +30,8 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ autoreconfHook ];
 
+  hardeningDisable = [ "pic" ];
+
   preConfigure = ''
     substituteInPlace ./module/spl/spl-generic.c --replace /usr/bin/hostid hostid
     substituteInPlace ./module/spl/spl-generic.c --replace "PATH=/sbin:/usr/sbin:/bin:/usr/bin" "PATH=${coreutils}:${gawk}:/bin"
diff --git a/pkgs/os-specific/linux/sysdig/default.nix b/pkgs/os-specific/linux/sysdig/default.nix
index cda63ea70af28..76858ab5e48ef 100644
--- a/pkgs/os-specific/linux/sysdig/default.nix
+++ b/pkgs/os-specific/linux/sysdig/default.nix
@@ -1,17 +1,8 @@
 {stdenv, fetchurl, fetchFromGitHub, cmake, luajit, kernel, zlib, ncurses, perl, jsoncpp, libb64, openssl, curl}:
 let
   inherit (stdenv.lib) optional optionalString;
-  s = rec {
-    name = "sysdig-${version}";
-    version = "0.11.0";
-    owner = "draios";
-    repo = "sysdig";
-    rev = version;
-    sha256 = "131bafa7jy16r2jwph50j0bxwqdvr319fsfhqkavx6xy18i31q3v";
-  };
-  buildInputs = [
-    cmake zlib luajit ncurses perl jsoncpp libb64 openssl curl
-  ];
+  baseName = "sysdig";
+  version = "0.10.0";
   # sysdig-0.11.0 depends on some headers from jq which are not
   # installed by default.
   # Relevant sysdig issue: https://github.com/draios/sysdig/issues/626
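Review bot: `version = "0.10.0";` replaces the removed `version = "0.11.0";`, so this merge moves sysdig backwards by a release, while the comment kept right below still talks about sysdig-0.11.0 and its jq headers. This looks like a merge-resolution slip rather than an intended downgrade; if so, the line should be `version = "0.11.0";` with the `sha256` in the next hunk recomputed for that archive. The next hunk also switches `src` to `fetchurl`, which leaves `fetchFromGitHub` in the argument list unused. The `let` block continues outside the hunk.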
@@ -21,11 +12,19 @@ let
   };
 in
 stdenv.mkDerivation {
-  inherit (s) name version;
-  inherit buildInputs;
-  src = fetchFromGitHub {
-    inherit (s) owner repo rev sha256;
+  name = "${baseName}-${version}";
+
+  src = fetchurl {
+    url = "https://github.com/draios/sysdig/archive/${version}.tar.gz";
+    sha256 = "0hs0r9z9j7padqdcj69bwx52iw6gvdl0w322qwivpv12j3prcpsj";
   };
+
+  buildInputs = [
+    cmake zlib luajit ncurses perl jsoncpp libb64 openssl curl
+  ];
+
+  hardeningDisable = [ "pic" ];
+
   postPatch = ''
     sed '1i#include <cmath>' -i userspace/libsinsp/{cursesspectro,filterchecks}.cpp
   '';
@@ -33,17 +32,20 @@ stdenv.mkDerivation {
   cmakeFlags = [
     "-DUSE_BUNDLED_DEPS=OFF"
     "-DUSE_BUNDLED_JQ=ON"
-    "-DSYSDIG_VERSION=${s.version}"
+    "-DSYSDIG_VERSION=${version}"
   ] ++ optional (kernel == null) "-DBUILD_DRIVER=OFF";
+
   preConfigure = ''
     export INSTALL_MOD_PATH="$out"
   '' + optionalString (kernel != null) ''
     export KERNELDIR="${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
   '';
+
   preBuild = ''
     mkdir -p jq-prefix/src
     cp ${jq-prefix} jq-prefix/src/jq-1.5.tar.gz
   '';
+
   postInstall = optionalString (kernel != null) ''
     make install_driver
     kernel_dev=${kernel.dev}
@@ -59,8 +61,7 @@ stdenv.mkDerivation {
   '';
 
   meta = with stdenv.lib; {
-    inherit (s) version;
-    description = ''A tracepoint-based system tracing tool for Linux (with clients for other OSes)'';
+    description = "A tracepoint-based system tracing tool for Linux (with clients for other OSes)";
     license = licenses.gpl2;
     maintainers = [maintainers.raskin];
     platforms = platforms.linux ++ platforms.darwin;
diff --git a/pkgs/os-specific/linux/syslinux/default.nix b/pkgs/os-specific/linux/syslinux/default.nix
index c051aac431265..f4ad94b5085ce 100644
--- a/pkgs/os-specific/linux/syslinux/default.nix
+++ b/pkgs/os-specific/linux/syslinux/default.nix
@@ -16,6 +16,7 @@ stdenv.mkDerivation rec {
   buildInputs = [ libuuid makeWrapper ];
 
   enableParallelBuilding = false; # Fails very rarely with 'No rule to make target: ...'
+  hardeningDisable = [ "pic" "stackprotector" "fortify" ];
 
   preBuild = ''
     substituteInPlace Makefile --replace /bin/pwd $(type -P pwd)
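Review bot: The added line turns off two runtime mitigations (`stackprotector`, `fortify`) plus `pic` without giving a reason, while the `enableParallelBuilding` line directly above explains itself. Add a trailing comment naming the constraint, for example `# boot code is built freestanding; TODO confirm which flag each target needs`, so a later maintainer can tell when the exception can be dropped. The same undocumented disabling of `stackprotector` or `fortify` appears in the systemd, uclibc, v86d, refind, beanstalkd, udftools and graphviz hunks; the xz hunk shows the preferred form with its `# FIXME needs gcc 4.9 in bootstrap tools` comment. If this derivation also installs host-side utilities, they lose the mitigations as well, which is worth confirming.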
diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index baf303f6f3325..eff515c3dad14 100644
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -80,6 +80,8 @@ stdenv.mkDerivation rec {
       "--with-rc-local-script-path-stop=/etc/halt.local"
     ] ++ (if enableKDbus then [ "--enable-kdbus" ] else [ "--disable-kdbus" ]);
 
+  hardeningDisable = [ "stackprotector" ];
+
   preConfigure =
     ''
       ./autogen.sh
diff --git a/pkgs/os-specific/linux/tp_smapi/default.nix b/pkgs/os-specific/linux/tp_smapi/default.nix
index 38f2c8545db83..f0f25f14e4961 100644
--- a/pkgs/os-specific/linux/tp_smapi/default.nix
+++ b/pkgs/os-specific/linux/tp_smapi/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "09rdg7fm423x6sbbw3lvnvmk4nyc33az8ar93xgq0n9qii49z3bv";
   };
 
+  hardeningDisable = [ "pic" ];
+
   makeFlags = [
     "KBASE=${kernel.dev}/lib/modules/${kernel.modDirVersion}"
     "SHELL=/bin/sh"
diff --git a/pkgs/os-specific/linux/uclibc/default.nix b/pkgs/os-specific/linux/uclibc/default.nix
index 448c9f3f4ee48..81c8b7b4df7ac 100644
--- a/pkgs/os-specific/linux/uclibc/default.nix
+++ b/pkgs/os-specific/linux/uclibc/default.nix
@@ -79,6 +79,8 @@ stdenv.mkDerivation {
     make oldconfig
   '';
 
+  hardeningDisable = [ "stackprotector" ];
+
   # Cross stripping hurts.
   dontStrip = cross != null;
 
diff --git a/pkgs/os-specific/linux/v4l2loopback/default.nix b/pkgs/os-specific/linux/v4l2loopback/default.nix
index 5fa81a0d3a73a..57f4b9ab6747f 100644
--- a/pkgs/os-specific/linux/v4l2loopback/default.nix
+++ b/pkgs/os-specific/linux/v4l2loopback/default.nix
@@ -8,7 +8,9 @@ stdenv.mkDerivation rec {
     url = "https://github.com/umlaeute/v4l2loopback/archive/v${version}.tar.gz";
     sha256 = "1crkhxlnskqrfj3f7jmiiyi5m75zmj7n0s26xz07wcwdzdf2p568";
   };
-  
+
+  hardeningDisable = [ "format" "pic" ];
+
   preBuild = ''
     substituteInPlace Makefile --replace "modules_install" "INSTALL_MOD_PATH=$out modules_install"
     sed -i '/depmod/d' Makefile
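Review bot: `"format"` in `hardeningDisable` removes the compile-time format-string check for the whole package instead of fixing the call sites that trip it, and no comment records which call fails. The jfsutils change in this same commit takes the better route: it keeps the check and carries `hardening-format.patch`, which rewrites `printf(msg_string)` as `printf("%s", msg_string)`. The same bare `hardeningDisable = [ "format" ];` is added in many later hunks, including firebird, gpm, charybdis, postfix, bash, dash, mksh, unzip and zip, several of which process untrusted input; each would benefit from at least a comment such as `# fails -Werror=format-security in <file>; patch upstream`, and ideally a small patch instead.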
@@ -16,7 +18,7 @@ stdenv.mkDerivation rec {
   '';
 
   buildInputs = [ kmod ];
-  
+
   makeFlags = [
     "KERNELRELEASE=${kernel.modDirVersion}"
     "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
diff --git a/pkgs/os-specific/linux/v86d/default.nix b/pkgs/os-specific/linux/v86d/default.nix
index 0ef992a4b44c9..073a6ded998b3 100644
--- a/pkgs/os-specific/linux/v86d/default.nix
+++ b/pkgs/os-specific/linux/v86d/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation rec {
 
   configureFlags = [ "--with-klibc" "--with-x86emu" ];
 
+  hardeningDisable = [ "stackprotector" ];
+
   makeFlags = [
     "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/source"
     "DESTDIR=$(out)"
diff --git a/pkgs/os-specific/linux/wireguard/default.nix b/pkgs/os-specific/linux/wireguard/default.nix
index 84f67bfd8cf9d..3264194f1256f 100644
--- a/pkgs/os-specific/linux/wireguard/default.nix
+++ b/pkgs/os-specific/linux/wireguard/default.nix
@@ -30,6 +30,8 @@ let
       sed -i '/depmod/,+1d' Makefile
     '';
 
+    hardeningDisable = [ "pic" ];
+
     KERNELDIR = "${kernel.dev}/lib/modules/${kernel.modDirVersion}/build";
     INSTALL_MOD_PATH = "\${out}";
 
diff --git a/pkgs/os-specific/linux/xf86-video-nested/default.nix b/pkgs/os-specific/linux/xf86-video-nested/default.nix
index 247ec6e152a7c..8d3e490db87cf 100644
--- a/pkgs/os-specific/linux/xf86-video-nested/default.nix
+++ b/pkgs/os-specific/linux/xf86-video-nested/default.nix
@@ -16,10 +16,9 @@ stdenv.mkDerivation {
       pkgconfig renderproto utilmacros xorgserver
     ];
 
+  hardeningDisable = [ "fortify" ];
 
-  configurePhase = ''
-    ./configure --prefix=$out CFLAGS="-I${pixman}/include/pixman-1"
-  '';
+  CFLAGS = "-I${pixman}/include/pixman-1";
 
   meta = {
     homepage = http://cgit.freedesktop.org/xorg/driver/xf86-video-nested;
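Review bot: Setting `CFLAGS` in the environment replaces configure's default compiler flags, so the build presumably runs without optimisation, and `_FORTIFY_SOURCE` has no effect (and warns) without `-O`; that may be the only reason `fortify` has to be disabled here. Passing the include path as `NIX_CFLAGS_COMPILE = "-I${pixman}/include/pixman-1";`, as the nginx derivation in this commit does for libxml2, would leave the optimisation level alone and might allow `hardeningDisable = [ "fortify" ];` to be dropped. This is inferred from the hunk and needs a test build to confirm.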
diff --git a/pkgs/os-specific/linux/zfs/default.nix b/pkgs/os-specific/linux/zfs/default.nix
index 3ae41bc00b8e5..4b5d7e35daebf 100644
--- a/pkgs/os-specific/linux/zfs/default.nix
+++ b/pkgs/os-specific/linux/zfs/default.nix
@@ -38,6 +38,8 @@ stdenv.mkDerivation rec {
   # for zdb to get the rpath to libgcc_s, needed for pthread_cancel to work
   NIX_CFLAGS_LINK = "-lgcc_s";
 
+  hardeningDisable = [ "pic" ];
+
   preConfigure = ''
     substituteInPlace ./module/zfs/zfs_ctldir.c   --replace "umount -t zfs"           "${utillinux}/bin/umount -t zfs"
     substituteInPlace ./module/zfs/zfs_ctldir.c   --replace "mount -t zfs"            "${utillinux}/bin/mount -t zfs"
diff --git a/pkgs/servers/beanstalkd/default.nix b/pkgs/servers/beanstalkd/default.nix
index cea7ca0b337fc..ef4621fb9a654 100644
--- a/pkgs/servers/beanstalkd/default.nix
+++ b/pkgs/servers/beanstalkd/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
     sha256 = "0n9dlmiddcfl7i0f1lwfhqiwyvf26493fxfcmn8jm30nbqciwfwj";
   };
 
+  hardeningDisable = [ "fortify" ];
+
   meta = with stdenv.lib; {
     homepage = http://kr.github.io/beanstalkd/;
     description = "A simple, fast work queue";
diff --git a/pkgs/servers/firebird/default.nix b/pkgs/servers/firebird/default.nix
index 3e778317169c4..3e258ee6d3f16 100644
--- a/pkgs/servers/firebird/default.nix
+++ b/pkgs/servers/firebird/default.nix
@@ -11,7 +11,7 @@
   # icu version missmatch may cause such error when selecting from a table:
   # "Collation unicode for character set utf8 is not installed"
 
-  # icu 3.0 can still be build easily by nix (by dropping the #elif case and
+  # icu 3.0 can still be built easily by nix (by dropping the #elif case and
   # make | make)
   icu ? null
 
@@ -65,6 +65,8 @@ stdenv.mkDerivation rec {
     sha256 = "0887a813wffp44hnc2gmwbc4ylpqw3fh3hz3bf6q3648344a9fdv";
   };
 
+  hardeningDisable = [ "format" ];
+
   # configurePhase = ''
   #   sed -i 's@cp /usr/share/automake-.*@@' autogen.sh
   #   sh autogen.sh $configureFlags --prefix=$out
diff --git a/pkgs/servers/gpm/default.nix b/pkgs/servers/gpm/default.nix
index a9fac485f9050..ac5e0b7c1b1ce 100644
--- a/pkgs/servers/gpm/default.nix
+++ b/pkgs/servers/gpm/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ automake autoconf libtool flex bison texinfo ];
   buildInputs = [ ncurses ];
 
+  hardeningDisable = [ "format" ];
+
   preConfigure = ''
     ./autogen.sh
   '';
diff --git a/pkgs/servers/http/nginx/generic.nix b/pkgs/servers/http/nginx/generic.nix
index 6817f18bd1db5..b1d70907e28c2 100644
--- a/pkgs/servers/http/nginx/generic.nix
+++ b/pkgs/servers/http/nginx/generic.nix
@@ -49,14 +49,9 @@ stdenv.mkDerivation {
 
   NIX_CFLAGS_COMPILE = [ "-I${libxml2.dev}/include/libxml2" ] ++ optional stdenv.isDarwin "-Wno-error=deprecated-declarations";
 
-  preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules)
-    + optionalString (hardening && (stdenv.cc.cc.isGNU or false)) ''
-      configureFlagsArray=(
-        --with-cc-opt="-fPIE -fstack-protector-all --param ssp-buffer-size=4 -O2 -D_FORTIFY_SOURCE=2"
-        --with-ld-opt="-pie -Wl,-z,relro,-z,now"
-      )
-    ''
-    ;
+  preConfigure = (concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules);
+
+  hardeningEnable = [ "pie" ];
 
   postInstall = ''
     mv $out/sbin $out/bin
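Review bot: The `hardening` argument that the removed `preConfigure` tested is no longer referenced in this hunk, so callers that pass it get no effect; if it is still in the function header (outside this hunk) it should be removed or wired to `hardeningDisable`. The removed flags also asked for `-fstack-protector-all`, and whether the stdenv default is equally strict is not visible here, so it is worth checking the built binary for PIE, full RELRO and stack canaries before relying on `hardeningEnable = [ "pie" ];` alone. The postfix hunk below drops the same hand-written flags and deserves the same check.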
diff --git a/pkgs/servers/icecast/default.nix b/pkgs/servers/icecast/default.nix
index 9beb961de207d..d241b59c3febf 100644
--- a/pkgs/servers/icecast/default.nix
+++ b/pkgs/servers/icecast/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ libxml2 libxslt curl libvorbis libtheora speex libkate libopus ];
 
+  hardeningEnable = [ "pie" ];
+
   meta = {
     description = "Server software for streaming multimedia";
 
diff --git a/pkgs/servers/irc/charybdis/default.nix b/pkgs/servers/irc/charybdis/default.nix
index df4250c81fa73..89eeeaecb34ab 100644
--- a/pkgs/servers/irc/charybdis/default.nix
+++ b/pkgs/servers/irc/charybdis/default.nix
@@ -21,6 +21,8 @@ stdenv.mkDerivation rec {
     "--with-program-prefix=charybdis-"
   ];
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ bison flex openssl ];
 
   meta = with stdenv.lib; {
diff --git a/pkgs/servers/mail/postfix/default.nix b/pkgs/servers/mail/postfix/default.nix
index 99371f41b0f1f..43cdffd660cd0 100644
--- a/pkgs/servers/mail/postfix/default.nix
+++ b/pkgs/servers/mail/postfix/default.nix
@@ -9,12 +9,11 @@ let
   ccargs = lib.concatStringsSep " " ([
     "-DUSE_TLS" "-DUSE_SASL_AUTH" "-DUSE_CYRUS_SASL" "-I${cyrus_sasl.dev}/include/sasl"
     "-DHAS_DB_BYPASS_MAKEDEFS_CHECK"
-    "-fPIE" "-fstack-protector-all" "--param" "ssp-buffer-size=4" "-O2" "-D_FORTIFY_SOURCE=2"
    ] ++ lib.optional withPgSQL "-DHAS_PGSQL"
      ++ lib.optionals withMySQL [ "-DHAS_MYSQL" "-I${lib.getDev libmysql}/include/mysql" ]
      ++ lib.optional withSQLite "-DHAS_SQLITE");
    auxlibs = lib.concatStringsSep " " ([
-     "-ldb" "-lnsl" "-lresolv" "-lsasl2" "-lcrypto" "-lssl" "-pie" "-Wl,-z,relro,-z,now"
+     "-ldb" "-lnsl" "-lresolv" "-lsasl2" "-lcrypto" "-lssl"
    ] ++ lib.optional withPgSQL "-lpq"
      ++ lib.optional withMySQL "-lmysqlclient"
      ++ lib.optional withSQLite "-lsqlite3");
@@ -35,6 +34,9 @@ in stdenv.mkDerivation rec {
                 ++ lib.optional withMySQL libmysql
                 ++ lib.optional withSQLite sqlite;
 
+  hardeningDisable = [ "format" ];
+  hardeningEnable = [ "pie" ];
+
   patches = [
     ./postfix-script-shell.patch
     ./postfix-3.0-no-warnings.patch
diff --git a/pkgs/servers/mail/postfix/pfixtools.nix b/pkgs/servers/mail/postfix/pfixtools.nix
index 3e7ef9f23db5a..b17beeb095f22 100644
--- a/pkgs/servers/mail/postfix/pfixtools.nix
+++ b/pkgs/servers/mail/postfix/pfixtools.nix
@@ -38,6 +38,8 @@ stdenv.mkDerivation {
                       --replace /bin/bash ${bash}/bin/bash;
   '';
 
+  NIX_CFLAGS_COMPILE = "-Wno-error=unused-result";
+
   makeFlags = "DESTDIR=$(out) prefix=";
 
   meta = {
diff --git a/pkgs/servers/memcached/default.nix b/pkgs/servers/memcached/default.nix
index 9d110d9c14612..5e4edd0b03227 100644
--- a/pkgs/servers/memcached/default.nix
+++ b/pkgs/servers/memcached/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [cyrus_sasl libevent];
 
+  hardeningEnable = [ "pie" ];
+
   meta = with stdenv.lib; {
     description = "A distributed memory object caching system";
     repositories.git = https://github.com/memcached/memcached.git;
diff --git a/pkgs/servers/nosql/mongodb/default.nix b/pkgs/servers/nosql/mongodb/default.nix
index 127d807133e0d..d18de78bdde30 100644
--- a/pkgs/servers/nosql/mongodb/default.nix
+++ b/pkgs/servers/nosql/mongodb/default.nix
@@ -19,6 +19,7 @@ let version = "3.2.1";
       #"stemmer"  -- not nice to package yet (no versioning, no makefile, no shared libs).
       "yaml"
     ] ++ optionals stdenv.isLinux [ "tcmalloc" ];
+
     buildInputs = [
       sasl boost gperftools pcre-cpp snappy
       zlib libyamlcpp sasl openssl libpcap
@@ -92,6 +93,8 @@ in stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardeningEnable = [ "pie" ];
+
   meta = {
     description = "A scalable, high-performance, open source NoSQL database";
     homepage = http://www.mongodb.org;
diff --git a/pkgs/servers/nosql/riak/2.1.1.nix b/pkgs/servers/nosql/riak/2.1.1.nix
index c62cea180be77..b66e99f0afbe9 100644
--- a/pkgs/servers/nosql/riak/2.1.1.nix
+++ b/pkgs/servers/nosql/riak/2.1.1.nix
@@ -34,6 +34,8 @@ stdenv.mkDerivation rec {
 
   src = srcs.riak;
 
+  hardeningDisable = [ "format" ];
+
   postPatch = ''
     sed -i deps/node_package/priv/base/env.sh \
       -e 's@{{platform_data_dir}}@''${RIAK_DATA_DIR:-/var/db/riak}@' \
diff --git a/pkgs/servers/openafs-client/default.nix b/pkgs/servers/openafs-client/default.nix
index 40d3edcf21a4c..52a7941d0932f 100644
--- a/pkgs/servers/openafs-client/default.nix
+++ b/pkgs/servers/openafs-client/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ ncurses ];
 
+  hardeningDisable = [ "pic" ];
+
   preConfigure = ''
     ln -s "${kernel.dev}/lib/modules/"*/build $TMP/linux
 
diff --git a/pkgs/servers/sip/freeswitch/default.nix b/pkgs/servers/sip/freeswitch/default.nix
index efa70875549f3..1cce4c518ea97 100644
--- a/pkgs/servers/sip/freeswitch/default.nix
+++ b/pkgs/servers/sip/freeswitch/default.nix
@@ -1,18 +1,20 @@
 { fetchurl, stdenv, ncurses, curl, pkgconfig, gnutls, readline, openssl, perl, libjpeg
-, libzrtpcpp, gcc48 }:
+, libzrtpcpp }:
 
 stdenv.mkDerivation rec {
-  name = "freeswitch-1.2.3";
+  name = "freeswitch-1.6.6";
 
   src = fetchurl {
-    url = http://files.freeswitch.org/freeswitch-1.2.3.tar.bz2;
+    url = "http://files.freeswitch.org/releases/freeswitch/${name}.tar.bz2";
     sha256 = "0kfvn5f75c6r6yp18almjz9p6llvpm66gpbxcjswrg3ddgbkzg0k";
   };
 
   buildInputs = [ ncurses curl pkgconfig gnutls readline openssl perl libjpeg
-    libzrtpcpp gcc48 ];
+    libzrtpcpp ];
 
-  NIX_CFLAGS_COMPILE = "-Wno-error=cpp";
+  NIX_CFLAGS_COMPILE = "-Wno-error";
+
+  hardeningDisable = [ "format" ];
 
   meta = {
     description = "Cross-Platform Scalable FREE Multi-Protocol Soft Switch";
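Review bot: `name` moves from 1.2.3 to 1.6.6 and the URL changes, but the `sha256` line is unchanged context, so as shown the hash still describes the 1.2.3 tarball and the fetch of the 1.6.6 archive would be expected to fail verification. The hash needs to be regenerated for the new archive, which matters all the more because the URL is plain `http://` and the hash is the only integrity check on the download. Separately, widening `-Wno-error=cpp` to a blanket `-Wno-error` alongside `hardeningDisable = [ "format" ]` silences every warning class; listing the specific `-Wno-error=<warning>` entries would keep the rest enforced.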
diff --git a/pkgs/servers/sql/virtuoso/7.x.nix b/pkgs/servers/sql/virtuoso/7.x.nix
index 192bdc9dcb1e6..7a8db3f2962cc 100644
--- a/pkgs/servers/sql/virtuoso/7.x.nix
+++ b/pkgs/servers/sql/virtuoso/7.x.nix
@@ -29,7 +29,7 @@ stdenv.mkDerivation rec {
   meta = with stdenv.lib; {
     description = "SQL/RDF database used by, e.g., KDE-nepomuk";
     homepage = http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/;
-    #configure: The current version [...] can only be build on 64bit platforms
+    #configure: The current version [...] can only be built on 64bit platforms
     platforms = [ "x86_64-linux" "x86_64-darwin" ];
     maintainers = [ maintainers.urkud ];
   };
diff --git a/pkgs/servers/x11/xorg/builder.sh b/pkgs/servers/x11/xorg/builder.sh
index c9e53f3800d3d..055886374df40 100644
--- a/pkgs/servers/x11/xorg/builder.sh
+++ b/pkgs/servers/x11/xorg/builder.sh
@@ -46,5 +46,4 @@ fi
 
 enableParallelBuilding=1
 
-
 genericBuild
diff --git a/pkgs/servers/x11/xorg/default.nix b/pkgs/servers/x11/xorg/default.nix
index da74fcb4ca6d4..6d09116a867a0 100644
--- a/pkgs/servers/x11/xorg/default.nix
+++ b/pkgs/servers/x11/xorg/default.nix
@@ -9,7 +9,9 @@ let
   mkDerivation = name: attrs:
     let newAttrs = (overrides."${name}" or (x: x)) attrs;
         stdenv = newAttrs.stdenv or args.stdenv;
-    in stdenv.mkDerivation (removeAttrs newAttrs [ "stdenv" ]);
+      in stdenv.mkDerivation ((removeAttrs newAttrs [ "stdenv" ]) // {
+        hardeningDisable = [ "bindnow" "relro" ];
+      });
 
   overrides = import ./overrides.nix {inherit args xorg;};
 
diff --git a/pkgs/servers/x11/xorg/overrides.nix b/pkgs/servers/x11/xorg/overrides.nix
index ebd09e3096eed..10b0b3ce2ad6e 100644
--- a/pkgs/servers/x11/xorg/overrides.nix
+++ b/pkgs/servers/x11/xorg/overrides.nix
@@ -561,4 +561,8 @@ in
     configureFlags = "--with-cpp=${args.mcpp}/bin/mcpp";
   };
 
+  sessreg = attrs: attrs // {
+    preBuild = "sed -i 's|gcc -E|gcc -E -P|' man/Makefile";
+  };
+
 }
diff --git a/pkgs/shells/bash/default.nix b/pkgs/shells/bash/default.nix
index 0e3fc1d806900..c6868eedba6cc 100644
--- a/pkgs/shells/bash/default.nix
+++ b/pkgs/shells/bash/default.nix
@@ -21,6 +21,8 @@ stdenv.mkDerivation rec {
     inherit sha256;
   };
 
+  hardeningDisable = [ "format" ];
+
   outputs = [ "out" "doc" "info" ];
 
   # the man pages are small and useful enough
diff --git a/pkgs/shells/dash/default.nix b/pkgs/shells/dash/default.nix
index b950d48f04c63..eaccb9a68dadc 100644
--- a/pkgs/shells/dash/default.nix
+++ b/pkgs/shells/dash/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "03y6z8akj72swa6f42h2dhq3p09xasbi6xia70h2vc27fwikmny6";
   };
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     homepage = http://gondor.apana.org.au/~herbert/dash/;
     description = "A POSIX-compliant implementation of /bin/sh that aims to be as small as possible";
diff --git a/pkgs/shells/mksh/default.nix b/pkgs/shells/mksh/default.nix
index dde890a022db6..edb44e09b1fab 100644
--- a/pkgs/shells/mksh/default.nix
+++ b/pkgs/shells/mksh/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ groff ];
 
+  hardeningDisable = [ "format" ];
+
   buildPhase = ''
     mkdir build-dir/
     cp mksh.1 dot.mkshrc build-dir/
diff --git a/pkgs/tools/X11/x2vnc/default.nix b/pkgs/tools/X11/x2vnc/default.nix
index a0d1013b8726a..31ad524cf8f3a 100644
--- a/pkgs/tools/X11/x2vnc/default.nix
+++ b/pkgs/tools/X11/x2vnc/default.nix
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
       xorg.libXrandr xorg.randrproto
     ];
 
-  preInstall = "mkdir -p $out";
+  hardeningDisable = [ "format" ];
 
   meta = {
     homepage = http://fredrik.hubbe.net/x2vnc.html;
diff --git a/pkgs/tools/X11/x2x/default.nix b/pkgs/tools/X11/x2x/default.nix
index 06d08195688ad..dd529011557a6 100644
--- a/pkgs/tools/X11/x2x/default.nix
+++ b/pkgs/tools/X11/x2x/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ imake libX11 libXtst libXext ];
 
+  hardeningDisable = [ "format" ];
+
   configurePhase = ''
     xmkmf
     makeFlags="BINDIR=$out/bin x2x"
diff --git a/pkgs/tools/X11/xbindkeys-config/default.nix b/pkgs/tools/X11/xbindkeys-config/default.nix
index 57d8d82759ce2..cef071bb3b61b 100644
--- a/pkgs/tools/X11/xbindkeys-config/default.nix
+++ b/pkgs/tools/X11/xbindkeys-config/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
     sha256 = "1rs3li2hyig6cdzvgqlbz0vw6x7rmgr59qd6m0cvrai8xhqqykda";
   };
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     homepage = https://packages.debian.org/source/xbindkeys-config;
     description = "Graphical interface for configuring xbindkeys";
diff --git a/pkgs/tools/admin/tightvnc/default.nix b/pkgs/tools/admin/tightvnc/default.nix
index 22b8a607fd347..e7164bf07b6c3 100644
--- a/pkgs/tools/admin/tightvnc/default.nix
+++ b/pkgs/tools/admin/tightvnc/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation {
   inherit xauth fontDirectories perl;
   gcc = stdenv.cc.cc;
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ xlibsWrapper zlib libjpeg imake gccmakedep libXmu libXaw
                   libXpm libXp xauth openssh ];
 
diff --git a/pkgs/tools/archivers/cromfs/default.nix b/pkgs/tools/archivers/cromfs/default.nix
index cd151698f2506..042880b39c9b1 100644
--- a/pkgs/tools/archivers/cromfs/default.nix
+++ b/pkgs/tools/archivers/cromfs/default.nix
@@ -1,18 +1,15 @@
-{ stdenv, fetchurl, pkgconfig, fuse, perl, gcc48 }:
+{ stdenv, fetchurl, pkgconfig, fuse, perl }:
 
 stdenv.mkDerivation rec {
   name = "cromfs-1.5.10.2";
-  
+
   src = fetchurl {
     url = "http://bisqwit.iki.fi/src/arch/${name}.tar.bz2";
     sha256 = "0xy2x1ws1qqfp7hfj6yzm80zhrxzmhn0w2yns77im1lmd2h18817";
   };
 
-  patchPhase = ''sed -i 's@/bin/bash@/bin/sh@g' configure'';
+  postPatch = "patchShebangs configure";
 
-  # Removing the static linking, as it doesn't compile in x86_64.
-  makeFlags = "cromfs-driver util/mkcromfs util/unmkcromfs util/cvcromfs";
-  
   installPhase = ''
     install -d $out/bin
     install cromfs-driver $out/bin
@@ -21,7 +18,7 @@ stdenv.mkDerivation rec {
     install util/unmkcromfs $out/bin
   '';
 
-  buildInputs = [ pkgconfig fuse perl gcc48 ];
+  buildInputs = [ pkgconfig fuse perl ];
 
   meta = {
     description = "FUSE Compressed ROM filesystem with lzma";
diff --git a/pkgs/tools/archivers/dar/default.nix b/pkgs/tools/archivers/dar/default.nix
index 92a81f9e5d670..b64b6e4ca0a2d 100644
--- a/pkgs/tools/archivers/dar/default.nix
+++ b/pkgs/tools/archivers/dar/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     homepage = http://dar.linux.free.fr/;
     description = "Disk ARchiver, allows backing up files into indexed archives";
diff --git a/pkgs/tools/archivers/sharutils/default.nix b/pkgs/tools/archivers/sharutils/default.nix
index e806a962eabbd..41043cda5b65a 100644
--- a/pkgs/tools/archivers/sharutils/default.nix
+++ b/pkgs/tools/archivers/sharutils/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "1mallg1gprimlggdisfzdmh1xi676jsfdlfyvanlcw72ny8fsj3g";
   };
 
+  hardeningDisable = [ "format" ];
+
   preConfigure = ''
      # Fix for building on Glibc 2.16.  Won't be needed once the
      # gnulib in sharutils is updated.
diff --git a/pkgs/tools/archivers/unzip/default.nix b/pkgs/tools/archivers/unzip/default.nix
index b5d03bc18b271..da0983fc09709 100644
--- a/pkgs/tools/archivers/unzip/default.nix
+++ b/pkgs/tools/archivers/unzip/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation {
     sha256 = "0dxx11knh3nk95p2gg2ak777dd11pr7jx5das2g49l262scrcv83";
   };
 
+  hardeningDisable = [ "format" ];
+
   patches = [
     ./CVE-2014-8139.diff
     ./CVE-2014-8140.diff
diff --git a/pkgs/tools/archivers/xarchive/default.nix b/pkgs/tools/archivers/xarchive/default.nix
index 5868dcf10a7fe..0cb4fbbf3f03a 100644
--- a/pkgs/tools/archivers/xarchive/default.nix
+++ b/pkgs/tools/archivers/xarchive/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ gtk2 pkgconfig ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "A GTK+ front-end for command line archiving tools";
     maintainers = [ stdenv.lib.maintainers.domenkozar ];
diff --git a/pkgs/tools/archivers/zip/default.nix b/pkgs/tools/archivers/zip/default.nix
index 431ed354d21c7..145b81c95bc80 100644
--- a/pkgs/tools/archivers/zip/default.nix
+++ b/pkgs/tools/archivers/zip/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation {
     sha256 = "0sb3h3067pzf3a7mlxn1hikpcjrsvycjcnj9hl9b1c3ykcgvps7h";
   };
 
+  hardeningDisable = [ "format" ];
+
   makefile = "unix/Makefile";
   buildFlags = if stdenv.isCygwin then "cygwin" else "generic";
   installFlags = "prefix=$(out) INSTALL=cp";
diff --git a/pkgs/tools/bootloaders/refind/default.nix b/pkgs/tools/bootloaders/refind/default.nix
index 110e00976e831..f38b24c0fc077 100644
--- a/pkgs/tools/bootloaders/refind/default.nix
+++ b/pkgs/tools/bootloaders/refind/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ unzip gnu-efi efibootmgr dosfstools imagemagick ];
 
+  hardeningDisable = [ "stackprotector" ];
+
   HOSTARCH =
     if stdenv.system == "x86_64-linux" then "x64"
     else if stdenv.system == "i686-linux" then "ia32"
diff --git a/pkgs/tools/cd-dvd/cdrdao/default.nix b/pkgs/tools/cd-dvd/cdrdao/default.nix
index 95d0f1051be91..caf37ccbe1d5d 100644
--- a/pkgs/tools/cd-dvd/cdrdao/default.nix
+++ b/pkgs/tools/cd-dvd/cdrdao/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ lame libvorbis libmad pkgconfig libao ];
 
+  hardeningDisable = [ "format" ];
+
   # Adjust some headers to match glibc 2.12 ... patch is a diff between
   # the cdrdao CVS head and the 1.2.3 release.
   patches = [ ./adjust-includes-for-glibc-212.patch ];
diff --git a/pkgs/tools/cd-dvd/cdrkit/default.nix b/pkgs/tools/cd-dvd/cdrkit/default.nix
index 5353a8d432f79..36382c9e8c9f8 100644
--- a/pkgs/tools/cd-dvd/cdrkit/default.nix
+++ b/pkgs/tools/cd-dvd/cdrkit/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [cmake libcap zlib bzip2];
 
+  hardeningDisable = [ "format" ];
+
   # efi-boot-patch extracted from http://arm.koji.fedoraproject.org/koji/rpminfo?rpmID=174244
   patches = [ ./include-path.patch ./cdrkit-1.1.9-efi-boot.patch ];
 
diff --git a/pkgs/tools/compression/xz/default.nix b/pkgs/tools/compression/xz/default.nix
index 5d6a8634b1baa..64571e24d9a30 100644
--- a/pkgs/tools/compression/xz/default.nix
+++ b/pkgs/tools/compression/xz/default.nix
@@ -17,6 +17,9 @@ stdenv.mkDerivation rec {
 
   postInstall = "rm -rf $out/share/doc";
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardeningDisable = [ "stackprotector" ];
+
   meta = with stdenv.lib; {
     homepage = http://tukaani.org/xz/;
     description = "XZ, general-purpose data compression software, successor of LZMA";
diff --git a/pkgs/tools/filesystems/fusesmb/default.nix b/pkgs/tools/filesystems/fusesmb/default.nix
index 4ddab385a4274..5a3451810a127 100644
--- a/pkgs/tools/filesystems/fusesmb/default.nix
+++ b/pkgs/tools/filesystems/fusesmb/default.nix
@@ -16,6 +16,8 @@ stdenv.mkDerivation rec {
       ln -fs ${samba}/lib/libsmbclient.so $out/lib/libsmbclient.so.0
     '';
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "Samba mounted via FUSE";
     homepage = http://www.ricardis.tudelft.nl/~vincent/fusesmb/;
diff --git a/pkgs/tools/filesystems/jfsutils/default.nix b/pkgs/tools/filesystems/jfsutils/default.nix
index 46ded088c6963..16d95bd19336b 100644
--- a/pkgs/tools/filesystems/jfsutils/default.nix
+++ b/pkgs/tools/filesystems/jfsutils/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha1 = "291e8bd9d615cf3d27e4000117c81a3602484a50";
   };
 
-  patches = [ ./types.patch ];
+  patches = [ ./types.patch ./hardening-format.patch ];
 
   buildInputs = [ libuuid ];
 
diff --git a/pkgs/tools/filesystems/jfsutils/hardening-format.patch b/pkgs/tools/filesystems/jfsutils/hardening-format.patch
new file mode 100644
index 0000000000000..dd2a93a81ec67
--- /dev/null
+++ b/pkgs/tools/filesystems/jfsutils/hardening-format.patch
@@ -0,0 +1,37 @@
+--- a/fscklog/fscklog.c	2016-01-29 04:59:54.102223291 +0000
++++ b/fscklog/fscklog.c	2016-01-29 05:00:10.707552565 +0000
+@@ -252,8 +252,8 @@
+ 
+ 	sprintf(debug_detail, " [%s:%d]\n", basename(file_name), line_number);
+ 
+-	printf(msg_string);
+-	printf(debug_detail);
++	printf("%s", msg_string);
++	printf("%s", debug_detail);
+ 
+ 	return 0;
+ }
+--- a/fscklog/display.c	2016-01-29 05:05:42.582133444 +0000
++++ b/fscklog/display.c	2016-01-29 05:05:47.541231780 +0000
+@@ -182,7 +182,7 @@
+ 				} else {
+ 					/* the record looks ok */
+ 					msg_txt = &log_entry[log_entry_pos];
+-					printf(msg_txt);
++					printf("%s", msg_txt);
+ 					/*
+ 					 * set up for the next record
+ 					 */
+--- a/logdump/helpers.c	2016-01-29 05:06:26.081996021 +0000
++++ b/logdump/helpers.c	2016-01-29 05:06:43.097333425 +0000
+@@ -95,8 +95,8 @@
+ 
+ 	sprintf(debug_detail, " [%s:%d]\n", file_name, line_number);
+ 
+-	printf(msg_string);
+-	printf(debug_detail);
++	printf("%s", msg_string);
++	printf("%s", debug_detail);
+ 
+ 	return 0;
+ }
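Review bot: The patch fixes the `printf` calls but leaves the `sprintf(debug_detail, " [%s:%d]\n", ...)` lines, visible as context in the fscklog.c and helpers.c hunks, writing a file name of unchecked length into `debug_detail`. The declaration and size of `debug_detail` are outside what the patch shows, so this is a hedge and not a confirmed overflow; if it is a fixed-size array, `snprintf(debug_detail, sizeof(debug_detail), " [%s:%d]\n", file_name, line_number);` would bound the write. Since the file is already carried as a local patch, that patch is the natural place for the change, and the fix is worth sending upstream.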
diff --git a/pkgs/tools/filesystems/reiser4progs/default.nix b/pkgs/tools/filesystems/reiser4progs/default.nix
index cd32025e5b66d..681fc1c80ef01 100644
--- a/pkgs/tools/filesystems/reiser4progs/default.nix
+++ b/pkgs/tools/filesystems/reiser4progs/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [libaal];
 
+  hardeningDisable = [ "format" ];
+
   preConfigure = ''
     substituteInPlace configure --replace " -static" ""
   '';
diff --git a/pkgs/tools/filesystems/udftools/default.nix b/pkgs/tools/filesystems/udftools/default.nix
index 7cb924c6cf13b..b912bab682606 100644
--- a/pkgs/tools/filesystems/udftools/default.nix
+++ b/pkgs/tools/filesystems/udftools/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ ncurses readline ];
 
+  hardeningDisable = [ "fortify" ];
+
   NIX_CFLAGS_COMPILE = "-std=gnu90";
 
   preConfigure = ''
diff --git a/pkgs/tools/graphics/barcode/default.nix b/pkgs/tools/graphics/barcode/default.nix
index b35b929da404a..d6a31bd5c7f7d 100644
--- a/pkgs/tools/graphics/barcode/default.nix
+++ b/pkgs/tools/graphics/barcode/default.nix
@@ -9,13 +9,14 @@ stdenv.mkDerivation rec {
     sha256 = "1indapql5fjz0bysyc88cmc54y8phqrbi7c76p71fgjp45jcyzp8";
   };
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "GNU barcode generator";
     maintainers = with maintainers; [ raskin ];
     platforms = with platforms; allBut darwin;
     downloadPage = "http://ftp.gnu.org/gnu/barcode/";
     updateWalker = true;
-    inherit version;
     homepage = http://ftp.gnu.org/gnu/barcode/;
   };
 }
diff --git a/pkgs/tools/graphics/editres/default.nix b/pkgs/tools/graphics/editres/default.nix
index 78a66721b0c96..a3d343cea5776 100644
--- a/pkgs/tools/graphics/editres/default.nix
+++ b/pkgs/tools/graphics/editres/default.nix
@@ -10,7 +10,9 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig libXt libXaw libXres utilmacros ];
 
-  preConfigure = "configureFlags=--with-appdefaultdir=$out/share/X11/app-defaults/editres";
+  configureFlags = "--with-appdefaultdir=$(out)/share/X11/app-defaults/editres";
+
+  hardeningDisable = [ "format" ];
 
   meta = {
     homepage = "http://cgit.freedesktop.org/xorg/app/editres/";
diff --git a/pkgs/tools/graphics/ggobi/default.nix b/pkgs/tools/graphics/ggobi/default.nix
index cf2c5598d2a9b..e7fb3e773c1df 100644
--- a/pkgs/tools/graphics/ggobi/default.nix
+++ b/pkgs/tools/graphics/ggobi/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
 
   configureFlags = "--with-all-plugins";
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "Visualization program for exploring high-dimensional data";
     homepage = http://www.ggobi.org/;
diff --git a/pkgs/tools/graphics/graphviz/2.0.nix b/pkgs/tools/graphics/graphviz/2.0.nix
index 5fa78a3e3b8cb..255ec2d536f6c 100644
--- a/pkgs/tools/graphics/graphviz/2.0.nix
+++ b/pkgs/tools/graphics/graphviz/2.0.nix
@@ -12,10 +12,13 @@ stdenv.mkDerivation rec {
     sha256 = "39b8e1f2ba4cc1f5bdc8e39c7be35e5f831253008e4ee2c176984f080416676c";
   };
 
-  buildInputs = [pkgconfig xlibsWrapper libpng libjpeg expat libXaw yacc
+  buildInputs = [
+    pkgconfig xlibsWrapper libpng libjpeg expat libXaw yacc
     libtool fontconfig pango gd libwebp
-    ];
-  
+  ];
+
+  hardeningDisable = [ "format" "fortify" ];
+
   configureFlags =
     [ "--with-pngincludedir=${libpng.dev}/include"
       "--with-pnglibdir=${libpng.out}/lib"
diff --git a/pkgs/tools/graphics/graphviz/2.32.nix b/pkgs/tools/graphics/graphviz/2.32.nix
index edbe9cd33747c..9c125433c3a6b 100644
--- a/pkgs/tools/graphics/graphviz/2.32.nix
+++ b/pkgs/tools/graphics/graphviz/2.32.nix
@@ -31,6 +31,8 @@ stdenv.mkDerivation rec {
     ]
     ++ stdenv.lib.optional (xorg == null) "--without-x";
 
+  hardeningDisable = [ "fortify" ];
+
   preBuild = ''
     sed -e 's@am__append_5 *=.*@am_append_5 =@' -i lib/gvc/Makefile
   '';
diff --git a/pkgs/tools/graphics/graphviz/default.nix b/pkgs/tools/graphics/graphviz/default.nix
index 975c5dc13e8ee..1162b338ed756 100644
--- a/pkgs/tools/graphics/graphviz/default.nix
+++ b/pkgs/tools/graphics/graphviz/default.nix
@@ -12,9 +12,11 @@ stdenv.mkDerivation rec {
     sha256 = "17l5czpvv5ilmg17frg0w4qwf89jzh2aglm9fgx0l0aakn6j7al1";
   };
 
+  hardeningDisable = [ "fortify" ];
+
   patches =
     [ ./0001-vimdot-lookup-vim-in-PATH.patch
-    
+
       # NOTE: Once this patch is removed, flex can probably be removed from
       # buildInputs.
       ./cve-2014-9157.patch
diff --git a/pkgs/tools/graphics/jbig2enc/default.nix b/pkgs/tools/graphics/jbig2enc/default.nix
index 8d0b7d2d9f49e..0bb0bb00efa5f 100644
--- a/pkgs/tools/graphics/jbig2enc/default.nix
+++ b/pkgs/tools/graphics/jbig2enc/default.nix
@@ -1,4 +1,6 @@
-{stdenv, fetchurl, leptonica, zlib, libwebp, giflib, libjpeg, libpng, libtiff }: stdenv.mkDerivation {
+{ stdenv, fetchurl, fetchpatch, leptonica, zlib, libwebp, giflib, libjpeg, libpng, libtiff }:
+
+stdenv.mkDerivation {
   name = "jbig2enc-0.28";
 
   src = fetchurl {
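Review bot: `fetchpatch` is added to the argument list but nothing in this hunk, and no other hunk for this file, uses it; the rest of the derivation is outside the hunk, so an existing use cannot be ruled out. If it is unused, drop it so the header reads `{ stdenv, fetchurl, leptonica, zlib, libwebp, giflib, libjpeg, libpng, libtiff }:`; if a patch was meant to be fetched here, it is missing from the change.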
diff --git a/pkgs/tools/graphics/lprof/default.nix b/pkgs/tools/graphics/lprof/default.nix
index 0aee233e79bb6..7f6a15da33d3d 100644
--- a/pkgs/tools/graphics/lprof/default.nix
+++ b/pkgs/tools/graphics/lprof/default.nix
@@ -7,6 +7,8 @@ stdenv.mkDerivation {
   name = "lprof-1.11.4.1";
   buildInputs = [ scons qt3 lcms1 libtiff vigra ];
 
+  hardeningDisable = [ "format" ];
+
   preConfigure = ''
     export QTDIR=${qt3}
     export qt_directory=${qt3}
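Review bot: `hardeningDisable = [ "format" ];` drops `-Werror=format-security` without recording which call sites trip it, so a non-literal format string is accepted silently from here on. A comment such as `# format: <file:function passing a non-literal format string>` would make the exemption reviewable, and where the fix is a one-line `printf("%s", s)` a patch is better than the opt-out. The same bare line recurs in every later `format` hunk in this part of the diff, from nifskope through fprint_demo. I would revisit first the packages that handle data from a peer or from untrusted files: eggdrop, mailutils, openfortivpn, telnet, uwimap, vde2, lrzsz, uucp, wv and ccrypt. The `preConfigure` string continues outside the hunk.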
diff --git a/pkgs/tools/graphics/netpbm/default.nix b/pkgs/tools/graphics/netpbm/default.nix
index bebf7680ded37..3c724ccc2b83a 100644
--- a/pkgs/tools/graphics/netpbm/default.nix
+++ b/pkgs/tools/graphics/netpbm/default.nix
@@ -3,11 +3,11 @@
 , enableX11 ? false, libX11 }:
 
 stdenv.mkDerivation rec {
-  name = "netpbm-10.66.00";
+  name = "netpbm-10.70.00";
 
   src = fetchurl {
     url = "mirror://gentoo/distfiles/${name}.tar.xz";
-    sha256 = "1z33pxdir92m7jlvp5c2q44gxwj7jyf8skiqkr71kgirw4w4zsbz";
+    sha256 = "14vxmzbwsy4rzrqjnzr4cvz1s0amacq69faps3v1j1kr05lcns0j";
   };
 
   postPatch = /* CVE-2005-2471, from Arch */ ''
@@ -15,8 +15,6 @@ stdenv.mkDerivation rec {
       --replace '"-DSAFER"' '"-DPARANOIDSAFER"'
   '';
 
-  NIX_CFLAGS_COMPILE = "-fPIC"; # Gentoo adds this on every platform
-
   buildInputs =
     [ pkgconfig flex zlib perl libpng libjpeg libxml2 makeWrapper libtiff ]
     ++ lib.optional enableX11 libX11;
diff --git a/pkgs/tools/graphics/nifskope/default.nix b/pkgs/tools/graphics/nifskope/default.nix
index decd6fb56fd34..f66d01ef7aa37 100644
--- a/pkgs/tools/graphics/nifskope/default.nix
+++ b/pkgs/tools/graphics/nifskope/default.nix
@@ -23,6 +23,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "format" ];
+
   # Inspired by linux-install/nifskope.spec.in.
   installPhase =
     ''
diff --git a/pkgs/tools/graphics/ploticus/default.nix b/pkgs/tools/graphics/ploticus/default.nix
index ff28959148fce..b855410f37f23 100644
--- a/pkgs/tools/graphics/ploticus/default.nix
+++ b/pkgs/tools/graphics/ploticus/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ zlib libX11 libpng ];
 
+  hardeningDisable = [ "format" ];
+
   patches = [ ./ploticus-install.patch ];
 
   meta = with stdenv.lib; {
diff --git a/pkgs/tools/graphics/plotutils/default.nix b/pkgs/tools/graphics/plotutils/default.nix
index 6a7a6745c87c8..abcbabea596ce 100644
--- a/pkgs/tools/graphics/plotutils/default.nix
+++ b/pkgs/tools/graphics/plotutils/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation rec {
 
   configureFlags = "--enable-libplotter"; # required for pstoedit
 
+  hardeningDisable = [ "format" ];
+
   doCheck = true;
 
   meta = {
diff --git a/pkgs/tools/graphics/pngcheck/default.nix b/pkgs/tools/graphics/pngcheck/default.nix
index 38efa0236b2e7..6814a06e3b952 100644
--- a/pkgs/tools/graphics/pngcheck/default.nix
+++ b/pkgs/tools/graphics/pngcheck/default.nix
@@ -8,9 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "0pzkj1bb4kdybk6vbfq9s0wzdm5szmrgixkas3xmbpv4mhws1w3p";
   };
 
-  # configurePhase = ''
-  #   sed -i s,/usr,$out, Makefile
-  # '';
+  hardeningDisable = [ "format" ];
 
   makefile = "Makefile.unx";
   makeFlags = "ZPATH=${zlib.static}/lib";
diff --git a/pkgs/tools/graphics/qrcode/default.nix b/pkgs/tools/graphics/qrcode/default.nix
index f0e86ddfb1de3..606e546af2931 100644
--- a/pkgs/tools/graphics/qrcode/default.nix
+++ b/pkgs/tools/graphics/qrcode/default.nix
@@ -1,4 +1,4 @@
-{stdenv, fetchgit}:
+{ stdenv, fetchgit }:
 let
   s =
   rec {
@@ -16,14 +16,19 @@ in
 stdenv.mkDerivation {
   inherit (s) name version;
   inherit buildInputs;
+
   src = fetchgit {
     inherit (s) rev url sha256;
   };
+
+  NIX_CFLAGS_COMPILE = "-Wno-error=unused-result";
+
   installPhase = ''
     mkdir -p "$out"/{bin,share/doc/qrcode}
     cp qrcode "$out/bin"
     cp DOCUMENTATION LICENCE "$out/share/doc/qrcode"
   '';
+
   meta = {
     inherit (s) version;
     description = ''A small QR-code tool'';
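Review bot: The new `NIX_CFLAGS_COMPILE = "-Wno-error=unused-result";` carries no comment saying why ignored return values became fatal for this package. Presumably upstream builds with `-Werror` and the fortified headers now mark some libc calls `warn_unused_result`. A line such as `# upstream uses -Werror; fortify flags ignored return values (TODO: check them upstream)` would record that. Scoping the relaxation to this one warning is the right shape; the underlying unchecked calls are still worth reporting upstream. The `meta` block continues outside the hunk.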
diff --git a/pkgs/tools/graphics/transfig/default.nix b/pkgs/tools/graphics/transfig/default.nix
index 3e8e824d1c656..948bba6d459f7 100644
--- a/pkgs/tools/graphics/transfig/default.nix
+++ b/pkgs/tools/graphics/transfig/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
   buildInputs = [zlib libjpeg libpng imake];
   inherit libpng;
 
+  hardeningDisable = [ "format" ];
+
   patches = [prefixPatch1 prefixPatch2 prefixPatch3 varargsPatch gensvgPatch];
 
   prefixPatch1 =
diff --git a/pkgs/tools/graphics/zbar/default.nix b/pkgs/tools/graphics/zbar/default.nix
index 2751da42a4c36..9a181e7d087d4 100644
--- a/pkgs/tools/graphics/zbar/default.nix
+++ b/pkgs/tools/graphics/zbar/default.nix
@@ -38,6 +38,8 @@ stdenv.mkDerivation rec {
     [ imagemagickBig pkgconfig python pygtk perl libX11
       libv4l qt4 lzma gtk2 autoreconfHook ];
 
+  hardeningDisable = [ "fortify" ];
+
   meta = with stdenv.lib; {
     description = "Bar code reader";
     longDescription = ''
diff --git a/pkgs/tools/misc/calamares/default.nix b/pkgs/tools/misc/calamares/default.nix
index 98fcf9182d4b9..7c7c0b0a5ec38 100644
--- a/pkgs/tools/misc/calamares/default.nix
+++ b/pkgs/tools/misc/calamares/default.nix
@@ -1,15 +1,16 @@
-{ stdenv, fetchgit, cmake, polkit-qt, libyamlcpp, python, boost, parted
+{ stdenv, fetchurl, cmake, polkit-qt, libyamlcpp, python, boost, parted
 , extra-cmake-modules, kconfig, ki18n, kcoreaddons, solid, utillinux, libatasmart
 , ckbcomp, glibc, tzdata, xkeyboard_config, qtbase, qtsvg, qttools }:
 
 stdenv.mkDerivation rec {
-  name = "calamares-${version}";
-  version = "1.0";
-
-  src = fetchgit {
-    url = "https://github.com/calamares/calamares.git";
-    rev = "dabfb68a68cb012a90cd7b94a22e1ea08f7dd8ad";
-    sha256 = "12n161fmzybi20pxcjikqnckhzh175ni5da122p74bx7fzv7q41p";
+  name = "${pname}-${version}";
+  pname = "calamares";
+  version = "1.1.4.2";
+
+  # release including submodule
+  src = fetchurl {
+    url = "https://github.com/${pname}/${pname}/releases/download/v${version}/${name}.tar.gz";
+    sha256 = "1mh0nmzc3i1aqcj79q2s3vpccn0mirlfbj26sfyb0v6gcrvf707d";
   };
 
   buildInputs = [
diff --git a/pkgs/tools/misc/coreutils/default.nix b/pkgs/tools/misc/coreutils/default.nix
index ea9ee271ebfd8..e1d9bb921fd97 100644
--- a/pkgs/tools/misc/coreutils/default.nix
+++ b/pkgs/tools/misc/coreutils/default.nix
@@ -20,12 +20,17 @@ let
       sha256 = "11yfrnb94xzmvi4lhclkcmkqsbhww64wf234ya1aacjvg82prrii";
     };
 
+    # FIXME needs gcc 4.9 in bootstrap tools
+    hardeningDisable = [ "stackprotector" ];
+
     patches = optional stdenv.isCygwin ./coreutils-8.23-4.cygwin.patch;
 
     # The test tends to fail on btrfs and maybe other unusual filesystems.
     postPatch = optionalString (!stdenv.isDarwin) ''
       sed '2i echo Skipping dd sparse test && exit 0' -i ./tests/dd/sparse.sh
       sed '2i echo Skipping cp sparse test && exit 0' -i ./tests/cp/sparse.sh
+      sed '2i echo Skipping rm deep-2 test && exit 0' -i ./tests/rm/deep-2.sh
+      sed '2i echo Skipping du long-from-unreadable test && exit 0' -i ./tests/du/long-from-unreadable.sh
     '';
 
     outputs = [ "out" "info" ];
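Review bot: The two added `sed` lines skip `tests/rm/deep-2.sh` and `tests/du/long-from-unreadable.sh`, but the comment above them only explains the sparse-file tests on btrfs. As written, nothing says whether the new skips are a sandbox artefact or a failure introduced by the hardened flags. I would add a separate comment such as `# deep-2 and long-from-unreadable fail because <reason>; re-enable once fixed`. The `# FIXME needs gcc 4.9 in bootstrap tools` on `stackprotector` would also benefit from a tracking reference (`<ISSUE_URL>`), because it leaves coreutils without stack protection until someone remembers it.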
diff --git a/pkgs/tools/misc/ddccontrol/default.nix b/pkgs/tools/misc/ddccontrol/default.nix
index 2d5d10054b5b9..132707106af0a 100644
--- a/pkgs/tools/misc/ddccontrol/default.nix
+++ b/pkgs/tools/misc/ddccontrol/default.nix
@@ -16,10 +16,12 @@
 let version = "0.4.2"; in
 stdenv.mkDerivation {
   name = "ddccontrol-${version}";
+
   src = fetchurl {
     url = "mirror://sourceforge/ddccontrol/ddccontrol-${version}.tar.bz2";
     sha1 = "fd5c53286315a61a18697a950e63ed0c8d5acff1";
   };
+
   buildInputs =
     [
       intltool
@@ -35,6 +37,8 @@ stdenv.mkDerivation {
       ddccontrol-db
     ];
 
+  hardeningDisable = [ "format" ];
+
   prePatch = ''
       newPath=$(echo "${ddccontrol-db}/share/ddccontrol-db" | sed "s/\\//\\\\\\//g")
       mv configure.ac configure.ac.old
diff --git a/pkgs/tools/misc/detox/default.nix b/pkgs/tools/misc/detox/default.nix
index bdc018aec34a5..7d17dee8b53c2 100644
--- a/pkgs/tools/misc/detox/default.nix
+++ b/pkgs/tools/misc/detox/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 
   buildInputs = [flex];
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     homepage = http://detox.sourceforge.net/;
     description = "Utility designed to clean up filenames";
diff --git a/pkgs/tools/misc/expect/default.nix b/pkgs/tools/misc/expect/default.nix
index a50717d539926..80fb3c6a694c2 100644
--- a/pkgs/tools/misc/expect/default.nix
+++ b/pkgs/tools/misc/expect/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ tcl ];
   nativeBuildInputs = [ makeWrapper ];
 
+  hardeningDisable = [ "format" ];
+
   patchPhase = ''
     sed -i "s,/bin/stty,$(type -p stty),g" configure
   '';
diff --git a/pkgs/tools/misc/fondu/default.nix b/pkgs/tools/misc/fondu/default.nix
index 516abfd2eb50e..7610bb88f3903 100644
--- a/pkgs/tools/misc/fondu/default.nix
+++ b/pkgs/tools/misc/fondu/default.nix
@@ -3,12 +3,16 @@
 stdenv.mkDerivation rec {
   version = "060102";
   name = "fondu-${version}";
+
   src = fetchurl {
     url = "http://fondu.sourceforge.net/fondu_src-${version}.tgz";
     sha256 = "152prqad9jszjmm4wwqrq83zk13ypsz09n02nrk1gg0fcxfm7fr2";
   };
+
   makeFlags = "DESTDIR=$(out)";
 
+  hardeningDisable = [ "fortify" ];
+
   meta = {
     platforms = stdenv.lib.platforms.unix;
   };
diff --git a/pkgs/tools/misc/gbdfed/default.nix b/pkgs/tools/misc/gbdfed/default.nix
index 104d3fad8d097..1ba4bceb7876c 100644
--- a/pkgs/tools/misc/gbdfed/default.nix
+++ b/pkgs/tools/misc/gbdfed/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
 
   patches = [ ./Makefile.patch ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "Bitmap Font Editor";
     longDescription = ''
diff --git a/pkgs/tools/misc/grub/2.0x.nix b/pkgs/tools/misc/grub/2.0x.nix
index ae1df626fe5da..15b1740638e2b 100644
--- a/pkgs/tools/misc/grub/2.0x.nix
+++ b/pkgs/tools/misc/grub/2.0x.nix
@@ -52,6 +52,8 @@ stdenv.mkDerivation rec {
     ++ optional doCheck qemu
     ++ optional zfsSupport zfs;
 
+  hardeningDisable = [ "all" ];
+
   preConfigure =
     '' for i in "tests/util/"*.in
        do
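Review bot: `hardeningDisable = [ "all" ];` is broader than the sibling bootloader hunks, which name only the flags that break freestanding code. grub/default.nix and grub4dos disable `stackprotector`, and grub/trusted.nix and memtest86+ disable `stackprotector` and `pic`. If this derivation also builds host-side utilities, "all" would take fortify, relro and bindnow away from them as well. I would either narrow the list to the flags that actually fail, or add a comment such as `# "all": <which flag breaks which target>; TODO narrow`. None of the four sibling hunks has a comment either; the ipxe hunk's `# not possible due to assembler code` is the model. The `preConfigure` string continues outside the hunk.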
diff --git a/pkgs/tools/misc/grub/default.nix b/pkgs/tools/misc/grub/default.nix
index d6534fc5ee615..a690ef2084b27 100644
--- a/pkgs/tools/misc/grub/default.nix
+++ b/pkgs/tools/misc/grub/default.nix
@@ -36,6 +36,8 @@ stdenv.mkDerivation {
   # autoreconfHook required for the splashimage patch.
   buildInputs = [ autoreconfHook texinfo ];
 
+  hardeningDisable = [ "stackprotector" ];
+
   prePatch = ''
     unpackFile $gentooPatches
     rm patch/400_all_grub-0.97-reiser4-20050808-gentoo.patch
diff --git a/pkgs/tools/misc/grub/trusted.nix b/pkgs/tools/misc/grub/trusted.nix
index 6ae672db7a556..377d6faefa015 100644
--- a/pkgs/tools/misc/grub/trusted.nix
+++ b/pkgs/tools/misc/grub/trusted.nix
@@ -47,6 +47,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ ncurses libusb freetype gettext devicemapper ]
     ++ optional doCheck qemu;
 
+  hardeningDisable = [ "stackprotector" "pic" ];
+
   preConfigure =
     '' for i in "tests/util/"*.in
        do
diff --git a/pkgs/tools/misc/grub4dos/default.nix b/pkgs/tools/misc/grub4dos/default.nix
index ec784d8e1a4ca..7e9b82a6a3f9c 100644
--- a/pkgs/tools/misc/grub4dos/default.nix
+++ b/pkgs/tools/misc/grub4dos/default.nix
@@ -17,6 +17,8 @@ in stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ nasm ];
 
+  hardeningDisable = [ "stackprotector" ];
+
   configureFlags = [ "--host=${arch}-pc-linux-gnu" ];
 
   postInstall = ''
diff --git a/pkgs/tools/misc/ipxe/default.nix b/pkgs/tools/misc/ipxe/default.nix
index a79b9018c5453..6ee14a0ce937d 100644
--- a/pkgs/tools/misc/ipxe/default.nix
+++ b/pkgs/tools/misc/ipxe/default.nix
@@ -18,6 +18,9 @@ stdenv.mkDerivation {
 
   preConfigure = "cd src";
 
+  # not possible due to assembler code
+  hardeningDisable = [ "pic" "stackprotector" ];
+
   NIX_CFLAGS_COMPILE = "-Wno-error";
 
   makeFlags =
diff --git a/pkgs/tools/misc/lrzsz/default.nix b/pkgs/tools/misc/lrzsz/default.nix
index 729faa7a95d9a..11351790becc4 100644
--- a/pkgs/tools/misc/lrzsz/default.nix
+++ b/pkgs/tools/misc/lrzsz/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "1wcgfa9fsigf1gri74gq0pa7pyajk12m4z69x7ci9c6x9fqkd2y2";
   };
 
+  hardeningDisable = [ "format" ];
+
   configureFlags = [ "--program-transform-name=s/^l//" ];
 
   meta = with stdenv.lib; {
diff --git a/pkgs/tools/misc/memtest86+/default.nix b/pkgs/tools/misc/memtest86+/default.nix
index f9c8ac4b8387e..77149a1799003 100644
--- a/pkgs/tools/misc/memtest86+/default.nix
+++ b/pkgs/tools/misc/memtest86+/default.nix
@@ -22,6 +22,8 @@ stdenv.mkDerivation rec {
 
   NIX_CFLAGS_COMPILE = "-I. -std=gnu90";
 
+  hardeningDisable = [ "stackprotector" "pic" ];
+
   buildFlags = "memtest.bin";
 
   installPhase = ''
diff --git a/pkgs/tools/misc/mmv/default.nix b/pkgs/tools/misc/mmv/default.nix
index ed2f54d693d02..417583ecc9ebb 100644
--- a/pkgs/tools/misc/mmv/default.nix
+++ b/pkgs/tools/misc/mmv/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "0399c027ea1e51fd607266c1e33573866d4db89f64a74be8b4a1d2d1ff1fdeef";
   };
 
+  hardeningDisable = [ "format" ];
+
   patches = [
     # Use Debian patched version, as upstream is no longer maintained and it
     # contains a _lot_ of fixes.
diff --git a/pkgs/tools/misc/pal/default.nix b/pkgs/tools/misc/pal/default.nix
index ff7279d0d57c9..f92069e7b9f50 100644
--- a/pkgs/tools/misc/pal/default.nix
+++ b/pkgs/tools/misc/pal/default.nix
@@ -12,12 +12,12 @@ stdenv.mkDerivation rec {
     sed -i -e 's,/etc/pal\.conf,'$out/etc/pal.conf, src/input.c
   '';
 
-  preBuild = ''
-    export makeFlags="prefix=$out"
-  '';
+  makeFlags = "prefix=$(out)";
 
   buildInputs = [ glib gettext readline pkgconfig ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     homepage = http://palcal.sourceforge.net/;
     description = "Command-line calendar program that can keep track of events";
diff --git a/pkgs/tools/misc/recutils/default.nix b/pkgs/tools/misc/recutils/default.nix
index 4d6829e99a4c1..6dd40e8476f3c 100644
--- a/pkgs/tools/misc/recutils/default.nix
+++ b/pkgs/tools/misc/recutils/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ curl emacs ] ++ (stdenv.lib.optionals doCheck [ check bc ]);
 
   meta = {
diff --git a/pkgs/tools/misc/sutils/default.nix b/pkgs/tools/misc/sutils/default.nix
index d0576cc069a7c..8d4f00ee84786 100644
--- a/pkgs/tools/misc/sutils/default.nix
+++ b/pkgs/tools/misc/sutils/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
      sha256 = "0xqk42vl82chy458d64fj68a4md4bxaip8n3xw9skxz0a1sgvks8";
    };
 
+   hardeningDisable = [ "format" ];
+
    prePatch = ''sed -i "s@/usr/local@$out@" Makefile'';
 
    meta = {
diff --git a/pkgs/tools/misc/uucp/default.nix b/pkgs/tools/misc/uucp/default.nix
index bf73dbcbf2fca..4ef050b409e59 100644
--- a/pkgs/tools/misc/uucp/default.nix
+++ b/pkgs/tools/misc/uucp/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "0b5nhl9vvif1w3wdipjsk8ckw49jj1w85xw1mmqi3zbcpazia306";
   };
 
-  doCheck = true;
+  hardeningDisable = [ "format" ];
 
   meta = {
     description = "Unix-unix cp over serial line, also includes cu program";
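Review bot: This hunk replaces `doCheck = true;` with the hardening opt-out, so the package loses its test run in the same change that relaxes a compiler check, with no reason given. If the tests still pass, keep both lines (`doCheck = true;` followed by `hardeningDisable = [ "format" ];`). If they fail under the new flags, say so in a comment, for example `# tests fail with hardened flags: <reason>`, so the regression is visible. The `meta` block continues outside the hunk.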
diff --git a/pkgs/tools/misc/vorbisgain/default.nix b/pkgs/tools/misc/vorbisgain/default.nix
index ea61e06332822..567783f631384 100644
--- a/pkgs/tools/misc/vorbisgain/default.nix
+++ b/pkgs/tools/misc/vorbisgain/default.nix
@@ -8,11 +8,14 @@ stdenv.mkDerivation rec {
     sha256 = "1v1h6mhnckmvvn7345hzi9abn5z282g4lyyl4nnbqwnrr98v0vfx";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ unzip libogg libvorbis ];
+
   patchPhase = ''
     chmod -v +x configure
     configureFlags="--mandir=$out/share/man"
-    '';
+  '';
 
   meta = with stdenv.lib; {
     homepage = http://sjeng.org/vorbisgain.html;
diff --git a/pkgs/tools/misc/wv/default.nix b/pkgs/tools/misc/wv/default.nix
index 411a549a68617..a18c03b126ac4 100644
--- a/pkgs/tools/misc/wv/default.nix
+++ b/pkgs/tools/misc/wv/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ zlib imagemagick libpng glib pkgconfig libgsf libxml2 bzip2 ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "Converter from Microsoft Word formats to human-editable ones";
     platforms = stdenv.lib.platforms.unix;
diff --git a/pkgs/tools/misc/xfstests/default.nix b/pkgs/tools/misc/xfstests/default.nix
index 80025164cb687..5574e3274cd6b 100644
--- a/pkgs/tools/misc/xfstests/default.nix
+++ b/pkgs/tools/misc/xfstests/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ acl autoreconfHook attr gawk libaio libuuid libxfs openssl perl ];
 
+  hardeningDisable = [ "format" ];
+
   patchPhase = ''
     # Patch the destination directory
     sed -i include/builddefs.in -e "s|^PKG_LIB_DIR\s*=.*|PKG_LIB_DIR=$out/lib/xfstests|"
diff --git a/pkgs/tools/networking/chrony/default.nix b/pkgs/tools/networking/chrony/default.nix
index 9d2afe752571b..f5b5893d5437d 100644
--- a/pkgs/tools/networking/chrony/default.nix
+++ b/pkgs/tools/networking/chrony/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ readline texinfo nss nspr ] ++ stdenv.lib.optional stdenv.isLinux libcap;
   nativeBuildInputs = [ pkgconfig ];
 
+  hardeningEnable = [ "pie" ];
+
   configureFlags = [
     "--chronyvardir=$(out)/var/lib/chrony"
   ];
diff --git a/pkgs/tools/networking/dhcpdump/default.nix b/pkgs/tools/networking/dhcpdump/default.nix
index 778cfc3b5ed69..91232b4ffa74c 100644
--- a/pkgs/tools/networking/dhcpdump/default.nix
+++ b/pkgs/tools/networking/dhcpdump/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [libpcap perl];
 
+  hardeningDisable = [ "fortify" ];
+
   installPhase = ''
     mkdir -pv $out/bin
     cp dhcpdump $out/bin
diff --git a/pkgs/tools/networking/dnsmasq/default.nix b/pkgs/tools/networking/dnsmasq/default.nix
index 6b47e0cae840a..14bde9a5fa5b0 100644
--- a/pkgs/tools/networking/dnsmasq/default.nix
+++ b/pkgs/tools/networking/dnsmasq/default.nix
@@ -29,6 +29,8 @@ stdenv.mkDerivation rec {
     "LOCALEDIR=$(out)/share/locale"
   ];
 
+  hardeningEnable = [ "pie" ];
+
   postBuild = optionalString stdenv.isLinux ''
     make -C contrib/lease-tools
   '';
diff --git a/pkgs/tools/networking/eggdrop/default.nix b/pkgs/tools/networking/eggdrop/default.nix
index 623b42d6fc1bb..a9f2419b1368e 100644
--- a/pkgs/tools/networking/eggdrop/default.nix
+++ b/pkgs/tools/networking/eggdrop/default.nix
@@ -1,20 +1,19 @@
-{ stdenv, fetchurl, tcl }:
+{ stdenv, fetchFromGitHub, tcl }:
 
 stdenv.mkDerivation rec {
   name = "eggdrop-${version}";
-  version = "1.6.21";
+  version = "1.6.21-nix1";
 
-  src = fetchurl {
-    url = "ftp://ftp.eggheads.org/pub/eggdrop/GNU/1.6/eggdrop${version}.tar.gz";
-    sha256 = "1galvbh9y4c3msrg1s9na0asm077mh1g2i2vsv1vczmfrbgq92vs";
+  src = fetchFromGitHub {
+    owner = "eggheads";
+    repo = "eggdrop";
+    rev = "9ec109a13c016c4cdc7d52b7e16e4b9b6fbb9331";
+    sha256 = "0mf1vcbmpnvmf5mxk7gi3z32fxpcbynsh9jni8z8frrscrdf5lp5";
   };
 
   buildInputs = [ tcl ];
 
-  patches = [
-    # https://github.com/eggheads/eggdrop/issues/123
-    ./b34a33255f56bbd2317c26da12d702796d67ed50.patch
-  ];
+  hardeningDisable = [ "format" ];
 
   preConfigure = ''
     prefix=$out/eggdrop
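Review bot: `version = "1.6.21-nix1"` now names a pinned git `rev` rather than an upstream release, and the comment linking the carried patch to its upstream issue is deleted along with the patch. If the pinned revision is what supersedes that patch, a comment on `rev` would keep the provenance: `# 1.6.21 plus the fix for https://github.com/eggheads/eggdrop/issues/123 (formerly carried as a patch)`. Without it a reader cannot tell whether the fix was dropped or absorbed. The `preConfigure` string continues outside the hunk.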
diff --git a/pkgs/tools/networking/iperf/2.nix b/pkgs/tools/networking/iperf/2.nix
index 33d8ee2fd636a..13f8cedc673d8 100644
--- a/pkgs/tools/networking/iperf/2.nix
+++ b/pkgs/tools/networking/iperf/2.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "0nr6c81x55ihs7ly2dwq19v9i1n6wiyad1gacw3aikii0kzlwsv3";
   };
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     homepage = "http://sourceforge.net/projects/iperf/"; 
     description = "Tool to measure IP bandwidth using UDP or TCP";
diff --git a/pkgs/tools/networking/lsh/default.nix b/pkgs/tools/networking/lsh/default.nix
deleted file mode 100644
index 5d788af1682e6..0000000000000
--- a/pkgs/tools/networking/lsh/default.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{ stdenv, fetchurl, gperf, guile, gmp, zlib, liboop, readline, gnum4, pam
-, nettools, lsof, procps }:
-
-stdenv.mkDerivation rec {
-  name = "lsh-2.0.4";
-  src = fetchurl {
-    url = "mirror://gnu/lsh/${name}.tar.gz";
-    sha256 = "614b9d63e13ad3e162c82b6405d1f67713fc622a8bc11337e72949d613713091";
-  };
-
-  patches = [ ./pam-service-name.patch ./lshd-no-root-login.patch ];
-
-  preConfigure = ''
-    # Patch `lsh-make-seed' so that it can gather enough entropy.
-    sed -i "src/lsh-make-seed.c" \
-        -e "s|/usr/sbin/arp|${nettools}/sbin/arp|g ;
-            s|/usr/bin/netstat|${nettools}/bin/netstat|g ;
-            s|/usr/local/bin/lsof|${lsof}/bin/lsof|g ;
-            s|/bin/vmstat|${procps}/bin/vmstat|g ;
-            s|/bin/ps|${procps}/bin/sp|g ;
-            s|/usr/bin/w|${procps}/bin/w|g ;
-            s|/usr/bin/df|$(type -P df)|g ;
-            s|/usr/bin/ipcs|$(type -P ipcs)|g ;
-            s|/usr/bin/uptime|$(type -P uptime)|g"
-
-    # Skip the `configure' script that checks whether /dev/ptmx & co. work as
-    # expected, because it relies on impurities (for instance, /dev/pts may
-    # be unavailable in chroots.)
-    export lsh_cv_sys_unix98_ptys=yes
-  '';
-
-  NIX_CFLAGS_COMPILE = "-std=gnu90";
-
-  buildInputs = [ gperf guile gmp zlib liboop readline gnum4 pam ];
-
-  meta = {
-    description = "GPL'd implementation of the SSH protocol";
-
-    longDescription = ''
-      lsh is a free implementation (in the GNU sense) of the ssh
-      version 2 protocol, currently being standardised by the IETF
-      SECSH working group.
-    '';
-
-    homepage = http://www.lysator.liu.se/~nisse/lsh/;
-    license = stdenv.lib.licenses.gpl2Plus;
-
-    maintainers = [ ];
-    platforms = [ "x86_64-linux" ];
-  };
-}
diff --git a/pkgs/tools/networking/lsh/lshd-no-root-login.patch b/pkgs/tools/networking/lsh/lshd-no-root-login.patch
deleted file mode 100644
index 9dd81de3fbc1d..0000000000000
--- a/pkgs/tools/networking/lsh/lshd-no-root-login.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Correctly handle the `--no-root-login' option.
-
---- lsh-2.0.4/src/lshd.c	2006-05-01 13:47:44.000000000 +0200
-+++ lsh-2.0.4/src/lshd.c	2009-09-08 12:20:36.000000000 +0200
-@@ -758,6 +758,10 @@ main_argp_parser(int key, char *arg, str
-       self->allow_root = 1;
-       break;
- 
-+    case OPT_NO_ROOT_LOGIN:
-+      self->allow_root = 0;
-+      break;
-+
-     case OPT_KERBEROS_PASSWD:
-       self->pw_helper = PATH_KERBEROS_HELPER;
-       break;
-
diff --git a/pkgs/tools/networking/lsh/pam-service-name.patch b/pkgs/tools/networking/lsh/pam-service-name.patch
deleted file mode 100644
index 6a6156855c513..0000000000000
--- a/pkgs/tools/networking/lsh/pam-service-name.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Tell `lsh-pam-checkpw', the PAM password helper program, to use a more
-descriptive service name.
-
---- lsh-2.0.4/src/lsh-pam-checkpw.c	2003-02-16 22:30:10.000000000 +0100
-+++ lsh-2.0.4/src/lsh-pam-checkpw.c	2008-11-28 16:16:58.000000000 +0100
-@@ -38,7 +38,7 @@
- #include <security/pam_appl.h>
- 
- #define PWD_MAXLEN 1024
--#define SERVICE_NAME "other"
-+#define SERVICE_NAME "lshd"
- #define TIMEOUT 600 
- 
- static int
diff --git a/pkgs/tools/networking/mailutils/default.nix b/pkgs/tools/networking/mailutils/default.nix
index 4b1633947b098..0ae993db332e5 100644
--- a/pkgs/tools/networking/mailutils/default.nix
+++ b/pkgs/tools/networking/mailutils/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
     sha256 = "0szbqa12zqzldqyw97lxqax3ja2adis83i7brdfsxmrfw68iaf65";
   };
 
+  hardeningDisable = [ "format" ];
+
   patches = [ ./path-to-cat.patch ./no-gets.patch ./scm_c_string.patch ];
 
   configureFlags = [
diff --git a/pkgs/tools/networking/netboot/default.nix b/pkgs/tools/networking/netboot/default.nix
index 0f75bd44d69b9..7a1eac59eeae4 100644
--- a/pkgs/tools/networking/netboot/default.nix
+++ b/pkgs/tools/networking/netboot/default.nix
@@ -9,10 +9,12 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ yacc lzo db4 ];
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "Mini PXE server";
     maintainers = [ maintainers.raskin ];
     platforms = ["x86_64-linux"];
     license = stdenv.lib.licenses.free;
   };
-}
\ No newline at end of file
+}
diff --git a/pkgs/tools/networking/ntp/default.nix b/pkgs/tools/networking/ntp/default.nix
index 433a3349702df..4c42771be170c 100644
--- a/pkgs/tools/networking/ntp/default.nix
+++ b/pkgs/tools/networking/ntp/default.nix
@@ -19,6 +19,8 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ autoreconfHook ];
   buildInputs = [ libcap openssl ];
 
+  hardeningEnable = [ "pie" ];
+
   postInstall = ''
     rm -rf $out/share/doc
   '';
diff --git a/pkgs/tools/networking/openfortivpn/default.nix b/pkgs/tools/networking/openfortivpn/default.nix
index d0e8ea4b1d9b9..e3e2053e2ce6e 100644
--- a/pkgs/tools/networking/openfortivpn/default.nix
+++ b/pkgs/tools/networking/openfortivpn/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, automake, autoconf, openssl, ppp }:
+{ stdenv, fetchFromGitHub, autoreconfHook, openssl, ppp }:
 
 with stdenv.lib;
 
@@ -15,13 +15,11 @@ in stdenv.mkDerivation {
     sha256 = "08ycz053wa29ckgr93132hr3vrd84r3bks9q807qanri0n35y256";
   };
 
-  buildInputs = [ openssl automake autoconf ppp ];
+  buildInputs = [ openssl ppp autoreconfHook ];
 
-  preConfigure = ''
-    aclocal
-    autoconf
-    automake --add-missing
+  hardeningDisable = [ "format" ];
 
+  preConfigure = ''
     substituteInPlace src/tunnel.c --replace "/usr/sbin/pppd" "${ppp}/bin/pppd"
   '';
 
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index dab638301820b..8f4c0aa54dfaf 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -71,6 +71,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardeningEnable = [ "pie" ];
+
   postInstall = ''
     # Install ssh-copy-id, it's very useful.
     cp contrib/ssh-copy-id $out/bin/
diff --git a/pkgs/tools/networking/quicktun/default.nix b/pkgs/tools/networking/quicktun/default.nix
index f07cfe4d07241..ed559f5d5c9f8 100644
--- a/pkgs/tools/networking/quicktun/default.nix
+++ b/pkgs/tools/networking/quicktun/default.nix
@@ -11,8 +11,6 @@ stdenv.mkDerivation rec {
     sha256 = "0m7gvlgs1mhyw3c8s2dg05j7r7hz8kjpb0sk245m61ir9dmwlf8i";
   };
 
-  CFLAGS = "-fPIE -fPIC -pie -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro,-z,now";
-
   buildInputs = [ libsodium ];
 
   phases = [ "unpackPhase" "buildPhase" "installPhase" ];
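Review bot: Removing the hand-written `CFLAGS` drops `-fPIE -pie`, and nothing in this hunk replaces it. The chrony, dnsmasq, ntp, openssh, radvd and socat hunks each add `hardeningEnable = [ "pie" ];`, which suggests PIE is opt-in in the new defaults. If so, this tunnel daemon would lose position-independent executables unless the same line is added here: `hardeningEnable = [ "pie" ];`. The old flags also used `-fstack-protector-all`, so confirm that the stdenv's stack-protector level is an acceptable replacement. The build phase is outside the hunk, so whether it passes the wrapper's flags through cannot be seen from here.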
diff --git a/pkgs/tools/networking/radvd/default.nix b/pkgs/tools/networking/radvd/default.nix
index 42d4a8177563d..1c8ef67a78306 100644
--- a/pkgs/tools/networking/radvd/default.nix
+++ b/pkgs/tools/networking/radvd/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig libdaemon bison flex check ];
 
+  hardeningEnable = [ "pie" ];
+
   meta = with stdenv.lib; {
     homepage = http://www.litech.org/radvd/;
     description = "IPv6 Router Advertisement Daemon";
diff --git a/pkgs/tools/networking/socat/default.nix b/pkgs/tools/networking/socat/default.nix
index f9eff5b12d55c..19cdb884bd1a7 100644
--- a/pkgs/tools/networking/socat/default.nix
+++ b/pkgs/tools/networking/socat/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   patches = [ ./enable-ecdhe.patch ./libressl-fixes.patch ];
 
+  hardeningEnable = [ "pie" ];
+
   meta = {
     description = "A utility for bidirectional data transfer between two independent data channels";
     homepage = http://www.dest-unreach.org/socat/;
diff --git a/pkgs/tools/networking/stunnel/default.nix b/pkgs/tools/networking/stunnel/default.nix
index 2f12aaa7ee236..114247682c7ae 100644
--- a/pkgs/tools/networking/stunnel/default.nix
+++ b/pkgs/tools/networking/stunnel/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   name    = "stunnel-${version}";
-  version = "5.29";
+  version = "5.31";
 
   src = fetchurl {
     url    = "http://www.stunnel.org/downloads/${name}.tar.gz";
-    sha256 = "0lgmdpsm36a6j5s0jabv3cfg3rzqz9c9sfdqgkx399iy80jrd423";
+    sha256 = "1dz0p85ha78vxc2hjhrkr4xf8w3q8r177bqdrgm26v6wncdbfim7";
   };
 
   buildInputs = [ openssl ];
diff --git a/pkgs/tools/networking/telnet/default.nix b/pkgs/tools/networking/telnet/default.nix
index 9827b62c6c4ad..3a5117653c836 100644
--- a/pkgs/tools/networking/telnet/default.nix
+++ b/pkgs/tools/networking/telnet/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation {
     sha256 = "0cs7ks22dhcn5qfjv2vl6ikhw93x68gg33zdn5f5cxgg81kx5afn";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ncurses];
 
   meta = {
diff --git a/pkgs/tools/networking/trickle/default.nix b/pkgs/tools/networking/trickle/default.nix
index d10e645dc8746..1c8829a07b273 100644
--- a/pkgs/tools/networking/trickle/default.nix
+++ b/pkgs/tools/networking/trickle/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "0s1qq3k5mpcs9i7ng0l9fvr1f75abpbzfi1jaf3zpzbs1dz50dlx";
   };
 
-  buildInputs = [libevent];
+  buildInputs = [ libevent ];
 
   preConfigure = ''
     sed -i 's|libevent.a|libevent.so|' configure
@@ -22,6 +22,8 @@ stdenv.mkDerivation rec {
 
   configureFlags = "--with-libevent";
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     description = "Lightweight userspace bandwidth shaper";
     license = stdenv.lib.licenses.bsd3;
diff --git a/pkgs/tools/networking/uwimap/default.nix b/pkgs/tools/networking/uwimap/default.nix
index 9d4ae5d671ac5..c2c707fbc77a2 100644
--- a/pkgs/tools/networking/uwimap/default.nix
+++ b/pkgs/tools/networking/uwimap/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation {
     # -fPIC is required to compile php with imap on x86_64 systems
     + stdenv.lib.optionalString stdenv.isx86_64 " EXTRACFLAGS=-fPIC";
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ openssl ]
     ++ stdenv.lib.optional (!stdenv.isDarwin) pam;
 
diff --git a/pkgs/tools/networking/vde2/default.nix b/pkgs/tools/networking/vde2/default.nix
index 88ee459f8168f..3a3709a9df001 100644
--- a/pkgs/tools/networking/vde2/default.nix
+++ b/pkgs/tools/networking/vde2/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ openssl libpcap python ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     homepage = http://vde.sourceforge.net/;
     description = "Virtual Distributed Ethernet, an Ethernet compliant virtual network";
diff --git a/pkgs/tools/networking/vlan/default.nix b/pkgs/tools/networking/vlan/default.nix
index 9c9376550dfb6..41ece0537ab48 100644
--- a/pkgs/tools/networking/vlan/default.nix
+++ b/pkgs/tools/networking/vlan/default.nix
@@ -8,6 +8,8 @@ stdenv.mkDerivation rec {
     sha256 = "1jjc5f26hj7bk8nkjxsa8znfxcf8pgry2ipnwmj2fr6ky0dhm3rv";
   };
 
+  hardeningDisable = [ "format" ];
+
   preBuild =
     ''
       # Ouch, the tarball contains pre-compiled binaries.
@@ -18,12 +20,12 @@ stdenv.mkDerivation rec {
     ''
       mkdir -p $out/sbin
       cp vconfig $out/sbin/
-      
+
       mkdir -p $out/share/man/man8
       cp vconfig.8 $out/share/man/man8/
     '';
 
-  meta = { 
+  meta = {
     description = "User mode programs to enable VLANs on Ethernet devices";
     platforms = stdenv.lib.platforms.linux;
   };
diff --git a/pkgs/tools/package-management/checkinstall/default.nix b/pkgs/tools/package-management/checkinstall/default.nix
index 8ab9001573a24..fea6ccedd34f3 100644
--- a/pkgs/tools/package-management/checkinstall/default.nix
+++ b/pkgs/tools/package-management/checkinstall/default.nix
@@ -44,6 +44,8 @@ stdenv.mkDerivation {
 
   buildInputs = [gettext];
 
+  hardeningDisable = [ "fortify" ];
+
   preBuild = ''
     makeFlagsArray=(PREFIX=$out)
 
diff --git a/pkgs/tools/package-management/clib/default.nix b/pkgs/tools/package-management/clib/default.nix
index c1f76bca14b1d..cd9499d9146dc 100644
--- a/pkgs/tools/package-management/clib/default.nix
+++ b/pkgs/tools/package-management/clib/default.nix
@@ -11,6 +11,8 @@ stdenv.mkDerivation rec {
     sha256 = "08n2i3dyh5vnrb74a6wlqqn67c9nwkq0v0v651zzha495mqbciq7";
   };
 
+  hardeningDisable = [ "fortify" ];
+
   makeFlags = "PREFIX=$(out)";
 
   buildInputs = [ curl ];
diff --git a/pkgs/tools/security/ccrypt/default.nix b/pkgs/tools/security/ccrypt/default.nix
index e6a63a2f28822..0afa91086890b 100644
--- a/pkgs/tools/security/ccrypt/default.nix
+++ b/pkgs/tools/security/ccrypt/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
 
   nativeBuildInputs = [ perl ];
 
+  hardeningDisable = [ "format" ];
+
   meta = {
     homepage = http://ccrypt.sourceforge.net/;
     description = "Utility for encrypting and decrypting files and streams with AES-256";
diff --git a/pkgs/tools/security/fprint_demo/default.nix b/pkgs/tools/security/fprint_demo/default.nix
index c2dbb31bec45f..26e0d0e45e138 100644
--- a/pkgs/tools/security/fprint_demo/default.nix
+++ b/pkgs/tools/security/fprint_demo/default.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
   buildInputs = [ libfprint gtk2 ];
   nativeBuildInputs = [ pkgconfig autoreconfHook ];
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     homepage = "http://www.freedesktop.org/wiki/Software/fprint/fprint_demo/";
     description = "A simple GTK+ application to demonstrate and test libfprint's capabilities";
diff --git a/pkgs/tools/security/john/default.nix b/pkgs/tools/security/john/default.nix
index d428d67fdc9fd..c44f144bea689 100644
--- a/pkgs/tools/security/john/default.nix
+++ b/pkgs/tools/security/john/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
     sha256 = "08q92sfdvkz47rx6qjn7qv57cmlpy7i7rgddapq5384mb413vjds";
   };
 
+  patches = [ ./gcc5.patch ];
+
   postPatch = ''
     sed -ri -e '
       s!^(#define\s+CFG_[A-Z]+_NAME\s+).*/!\1"'"$out"'/etc/john/!
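Review bot: `patches = [ ./gcc5.patch ];` brings in a local patch with no stated origin, and the patch file itself (next in the diff) has no header either. For a source patch to a password-auditing tool I would want the provenance recorded, e.g. `# from <upstream commit or distro patch URL>: GCC 5 inline semantics` above this line. The patch also switches `MAYBE_INLINE` from `always_inline` to `gnu_inline` for every compiler reporting `__GNUC__ >= 5`, which can include the `__INTEL_COMPILER` case the old branch handled, so it is worth checking against upstream's own fix.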
diff --git a/pkgs/tools/security/john/gcc5.patch b/pkgs/tools/security/john/gcc5.patch
new file mode 100644
index 0000000000000..73da83483f909
--- /dev/null
+++ b/pkgs/tools/security/john/gcc5.patch
@@ -0,0 +1,14 @@
+diff --git a/src/common.h b/src/common.h
+--- a/src/common.h
++++ b/src/common.h
+@@ -31,7 +31,9 @@ typedef unsigned long long ARCH_WORD_64;
+ #define is_aligned(PTR, CNT) ((((ARCH_WORD)(const void *)(PTR))&(CNT-1))==0)
+ 
+ #ifdef __GNUC__
+-#if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 7) || defined(__INTEL_COMPILER)
++#if __GNUC__ >= 5
++#define MAYBE_INLINE __attribute__((gnu_inline)) inline
++#elif __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 7) || defined(__INTEL_COMPILER)
+ #define MAYBE_INLINE __attribute__((always_inline)) inline
+ #elif __GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 1)
+ #define MAYBE_INLINE __attribute__((always_inline))
diff --git a/pkgs/tools/security/tboot/default.nix b/pkgs/tools/security/tboot/default.nix
index 854f67f2aeec2..506b1d398d54e 100644
--- a/pkgs/tools/security/tboot/default.nix
+++ b/pkgs/tools/security/tboot/default.nix
@@ -12,12 +12,15 @@ stdenv.mkDerivation rec {
 
   patches = [ ./tboot-add-well-known-secret-option-to-lcp_writepol.patch ];
 
+  hardeningDisable = [ "pic" "stackprotector" ];
+
   configurePhase = ''
     for a in lcptools utils tb_polgen; do
       substituteInPlace $a/Makefile --replace /usr/sbin /sbin
     done
     substituteInPlace docs/Makefile --replace /usr/share /share
   '';
+
   installFlags = "DESTDIR=$(out)";
 
   meta = with stdenv.lib; {
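Review bot: `hardeningDisable = [ "pic" "stackprotector" ];` applies to the whole derivation, but the `configurePhase` loop below shows it also builds userland tools (`lcptools`, `utils`, `tb_polgen`) that presumably do not need the exemption. If only the pre-kernel module cannot link against the stack-protector runtime, a comment should say so, e.g. `# tboot itself is freestanding: no __stack_chk_fail, no PIC`, and ideally the flags would be dropped only for that part of the build. As written, a measured-launch package ships its policy tools without stack canaries and nobody reading the file can tell whether that was intended. The derivation header is outside the hunk.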
diff --git a/pkgs/tools/system/cron/default.nix b/pkgs/tools/system/cron/default.nix
index 2ddea737c8bb0..3d03f19cb6f85 100644
--- a/pkgs/tools/system/cron/default.nix
+++ b/pkgs/tools/system/cron/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation {
 
   unpackCmd = "(mkdir cron && cd cron && sh $curSrc)";
 
+  hardeningEnable = [ "pie" ];
+
   preBuild = ''
     substituteInPlace Makefile --replace ' -o root' ' ' --replace 111 755
     makeFlags="DESTROOT=$out"
diff --git a/pkgs/tools/system/facter/default.nix b/pkgs/tools/system/facter/default.nix
index de9b79d79c35e..0ebfe36f59dcf 100644
--- a/pkgs/tools/system/facter/default.nix
+++ b/pkgs/tools/system/facter/default.nix
@@ -13,9 +13,7 @@ stdenv.mkDerivation rec {
   # since we cant expand $out in cmakeFlags
   preConfigure = "cmakeFlags+=\" -DRUBY_LIB_INSTALL=$out/lib/ruby\"";
 
-  libyamlcpp_ = libyamlcpp.override { makePIC = true; };
-
-  buildInputs = [ boost cmake curl leatherman libyamlcpp_ openssl ruby utillinux ];
+  buildInputs = [ boost cmake curl leatherman libyamlcpp openssl ruby utillinux ];
 
   meta = with stdenv.lib; {
     homepage = https://github.com/puppetlabs/facter;
diff --git a/pkgs/tools/system/foremost/default.nix b/pkgs/tools/system/foremost/default.nix
index cfac89237795a..0114c1d41ff67 100644
--- a/pkgs/tools/system/foremost/default.nix
+++ b/pkgs/tools/system/foremost/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
+  hardeningDisable = [ "format" ];
+
   preInstall = ''
     mkdir -p $out/{bin,share/man/man8}
   '';
diff --git a/pkgs/tools/system/gdmap/default.nix b/pkgs/tools/system/gdmap/default.nix
index 3d3809610e4d8..7800bfa08313a 100644
--- a/pkgs/tools/system/gdmap/default.nix
+++ b/pkgs/tools/system/gdmap/default.nix
@@ -2,7 +2,7 @@
 
 stdenv.mkDerivation rec {
   name = "gdmap-0.8.1";
-  
+
   src = fetchurl {
     url = "mirror://sourceforge/gdmap/${name}.tar.gz";
     sha256 = "0nr8l88cg19zj585hczj8v73yh21k7j13xivhlzl8jdk0j0cj052";
@@ -12,6 +12,8 @@ stdenv.mkDerivation rec {
 
   patches = [ ./get_sensitive.patch ./set_flags.patch ];
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     homepage = http://gdmap.sourceforge.net;
     description = "Recursive rectangle map of disk usage";
diff --git a/pkgs/tools/system/rowhammer-test/default.nix b/pkgs/tools/system/rowhammer-test/default.nix
index 728b15bb29880..226ec4351ea44 100644
--- a/pkgs/tools/system/rowhammer-test/default.nix
+++ b/pkgs/tools/system/rowhammer-test/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation {
     sha256 = "1fbfcnm5gjish47wdvikcsgzlb5vnlfqlzzm6mwiw2j5qkq0914i";
   };
 
+  NIX_CFLAGS_COMPILE = stdenv.lib.optional stdenv.isi686 "-Wno-error=format";
+
   buildPhase = "sh -e make.sh";
 
   installPhase = ''
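Review bot: This line sidesteps the failure with a raw `-Wno-error=format` on i686 only, where every other package in the commit uses `hardeningDisable`, and it gives no reason for the difference. I assume the upstream `make.sh` builds with `-Werror` and a format specifier mismatches on 32-bit, which would make this narrower than disabling the hardening flag, but the hunk does not show that. A comment such as `# make.sh uses -Werror; printf width mismatch on 32-bit` (adjusted to the real cause) would make it clear.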
diff --git a/pkgs/tools/system/rsyslog/default.nix b/pkgs/tools/system/rsyslog/default.nix
index 2f38c9b374afc..f3e6b15ed2c5e 100644
--- a/pkgs/tools/system/rsyslog/default.nix
+++ b/pkgs/tools/system/rsyslog/default.nix
@@ -28,6 +28,8 @@ stdenv.mkDerivation rec {
     rabbitmq-c hiredis
   ] ++ stdenv.lib.optional stdenv.isLinux systemd;
 
+  hardeningDisable = [ "format" ];
+
   configureFlags = [
     "--sysconfdir=/etc"
     "--localstatedir=/var"
diff --git a/pkgs/tools/system/which/default.nix b/pkgs/tools/system/which/default.nix
index e9199a8f06320..fc0889012c2e1 100644
--- a/pkgs/tools/system/which/default.nix
+++ b/pkgs/tools/system/which/default.nix
@@ -2,12 +2,15 @@
 
 stdenv.mkDerivation rec {
   name = "which-2.21";
-  
+
   src = fetchurl {
     url = "mirror://gnu/which/${name}.tar.gz";
     sha256 = "1bgafvy3ypbhhfznwjv1lxmd6mci3x1byilnnkc7gcr486wlb8pl";
   };
 
+  # FIXME needs gcc 4.9 in bootstrap tools
+  hardeningDisable = [ "stackprotector" ];
+
   meta = with stdenv.lib; {
     homepage = http://ftp.gnu.org/gnu/which/;
     platforms = platforms.all;
diff --git a/pkgs/tools/text/a2ps/default.nix b/pkgs/tools/text/a2ps/default.nix
index 7de6a8dd5745f..4a32e972a5b39 100644
--- a/pkgs/tools/text/a2ps/default.nix
+++ b/pkgs/tools/text/a2ps/default.nix
@@ -14,6 +14,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ libpaper gperf file ];
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "An Anyithing to PostScript converter and pretty-printer";
     longDescription = ''
diff --git a/pkgs/tools/text/convertlit/default.nix b/pkgs/tools/text/convertlit/default.nix
index 331fc3fea359d..ffc2dc1c4d5c3 100644
--- a/pkgs/tools/text/convertlit/default.nix
+++ b/pkgs/tools/text/convertlit/default.nix
@@ -1,22 +1,24 @@
-{stdenv, fetchurl, unzip, libtommath}:
+{stdenv, fetchzip, libtommath}:
 
 stdenv.mkDerivation {
   name = "convertlit-1.8";
-  
-  src = fetchurl {
+
+  src = fetchzip {
     url = http://www.convertlit.com/convertlit18src.zip;
-    sha256 = "1fjpwncyc2r3ipav7c9m7jxy6i7mphbyqj3gsm046425p7sqa2np";
+    sha256 = "182nsin7qscgbw2h92m0zadh3h8q410h5cza6v486yjfvla3dxjx";
+    stripRoot = false;
   };
 
-  buildInputs = [unzip libtommath];
+  buildInputs = [libtommath];
 
-  sourceRoot = ".";
+  hardeningDisable = [ "format" ];
 
   buildPhase = ''
     cd lib
     make
     cd ../clit18
-    substituteInPlace Makefile --replace ../libtommath-0.30/libtommath.a -ltommath
+    substituteInPlace Makefile \
+      --replace ../libtommath-0.30/libtommath.a -ltommath
     make
   '';
 
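Review bot: The `sha256` changes in the same hunk as the switch from `fetchurl` to `fetchzip`, so the new value cannot be compared with the old one: `fetchzip` hashes the unpacked tree, not the archive. Since the source comes over plain `http://`, that hash is the only integrity check on it. A short comment would help the next person who updates it, e.g. `# hash of the unpacked tree (fetchzip), not of convertlit18src.zip`.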
diff --git a/pkgs/tools/text/patchutils/default.nix b/pkgs/tools/text/patchutils/default.nix
index 4df52eef669eb..75922a6c830ca 100644
--- a/pkgs/tools/text/patchutils/default.nix
+++ b/pkgs/tools/text/patchutils/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   patches = [ ./drop-comments.patch ]; # we would get into a cycle when using fetchpatch on this one
 
+  hardeningDisable = [ "format" ];
+
   meta = with stdenv.lib; {
     description = "Tools to manipulate patch files";
     homepage = http://cyberelk.net/tim/software/patchutils;
diff --git a/pkgs/tools/text/untex/default.nix b/pkgs/tools/text/untex/default.nix
index e2f6142a2a0fe..ec99e8b4a27af 100644
--- a/pkgs/tools/text/untex/default.nix
+++ b/pkgs/tools/text/untex/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
     sha256 = "07p836jydd5yjy905m5ylnnac1h4cc4jsr41panqb808mlsiwmmy";
   };
 
+  hardeningDisable = [ "format" ];
+
   unpackPhase = "tar xf $src";
   installTargets = "install install.man";
   installFlags = "BINDIR=$(out)/bin MANDIR=$(out)/share/man/man1";
diff --git a/pkgs/tools/typesetting/bibtex-tools/default.nix b/pkgs/tools/typesetting/bibtex-tools/default.nix
deleted file mode 100644
index a822a181a653f..0000000000000
--- a/pkgs/tools/typesetting/bibtex-tools/default.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{stdenv, fetchurl, hevea, tetex, strategoxt, aterm, sdf}: 
-
-stdenv.mkDerivation {
-  name = "bibtex-tools-0.2pre13026";
-  src = fetchurl {
-    url = http://tarballs.nixos.org/bibtex-tools-0.2pre13026.tar.gz;
-    md5 = "2d8a5de7c53eb670307048eb3d14cdd6";
-  };
-  configureFlags = "
-    --with-aterm=${aterm}
-    --with-sdf=${sdf}
-    --with-strategoxt=${strategoxt}
-    --with-hevea=${hevea}
-    --with-latex=${tetex}";
-  buildInputs = [aterm sdf strategoxt hevea];
-  meta.broken = true;
-}
diff --git a/pkgs/tools/typesetting/tex/tetex/default.nix b/pkgs/tools/typesetting/tex/tetex/default.nix
index 8d6c88a0004e1..c3d226a2acb0e 100644
--- a/pkgs/tools/typesetting/tex/tetex/default.nix
+++ b/pkgs/tools/typesetting/tex/tetex/default.nix
@@ -2,7 +2,7 @@
 
 stdenv.mkDerivation {
   name = "tetex-3.0";
-  
+
   src = fetchurl {
     url = ftp://cam.ctan.org/tex-archive/systems/unix/teTeX/current/distrib/tetex-src-3.0.tar.gz;
     md5 = "944a4641e79e61043fdaf8f38ecbb4b3";
@@ -15,6 +15,8 @@ stdenv.mkDerivation {
 
   buildInputs = [ flex bison zlib libpng ncurses ed ];
 
+  hardeningDisable = [ "format" ];
+
   # fixes "error: conflicting types for 'calloc'", etc.
   preBuild = stdenv.lib.optionalString stdenv.isDarwin ''
     sed -i 57d texk/kpathsea/c-std.h
diff --git a/pkgs/tools/typesetting/tex/tex4ht/default.nix b/pkgs/tools/typesetting/tex/tex4ht/default.nix
index 8380abf2e9480..5aaae2c06b2ac 100644
--- a/pkgs/tools/typesetting/tex/tex4ht/default.nix
+++ b/pkgs/tools/typesetting/tex/tex4ht/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ tetex unzip ];
 
+  hardeningDisable = [ "format" ];
+
   buildPhase = ''
     cd src
     for f in tex4ht t4ht htcmd ; do
diff --git a/pkgs/tools/typesetting/tex/texlive-new/bin.nix b/pkgs/tools/typesetting/tex/texlive-new/bin.nix
index b98b9103ce74d..26aebd567724f 100644
--- a/pkgs/tools/typesetting/tex/texlive-new/bin.nix
+++ b/pkgs/tools/typesetting/tex/texlive-new/bin.nix
@@ -64,6 +64,8 @@ core = stdenv.mkDerivation rec {
     perl
   ];
 
+  hardeningDisable = [ "format" ];
+
   postPatch = ''
     for i in texk/kpathsea/mktex*; do
       sed -i '/^mydir=/d' "$i"
@@ -128,6 +130,8 @@ core-big = stdenv.mkDerivation {
 
   inherit (common) src;
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = core.buildInputs ++ [ core cairo harfbuzz icu graphite2 ];
 
   configureFlags = common.configureFlags
diff --git a/pkgs/tools/typesetting/xmlroff/default.nix b/pkgs/tools/typesetting/xmlroff/default.nix
index 7bd34f4025046..daa79d8e352c1 100644
--- a/pkgs/tools/typesetting/xmlroff/default.nix
+++ b/pkgs/tools/typesetting/xmlroff/default.nix
@@ -28,6 +28,8 @@ stdenv.mkDerivation rec {
 
   configureFlags = "--disable-pangoxsl --disable-gp";
 
+  hardeningDisable = [ "format" ];
+
   preBuild = ''
     substituteInPlace tools/insert-file-as-string.pl --replace "/usr/bin/perl" "${perl}/bin/perl"
     substituteInPlace Makefile --replace "docs" ""
diff --git a/pkgs/tools/video/mjpegtools/default.nix b/pkgs/tools/video/mjpegtools/default.nix
index 1b259b5b91b5b..489b67f483ba3 100644
--- a/pkgs/tools/video/mjpegtools/default.nix
+++ b/pkgs/tools/video/mjpegtools/default.nix
@@ -15,6 +15,8 @@ stdenv.mkDerivation rec {
     sha256 = "01y4xpfdvd4zgv6fmcjny9mr1gbfd4y2i4adp657ydw6fqyi8kw6";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [ libdv libjpeg libpng pkgconfig ]
               ++ lib.optional (!withMinimal) [ gtk libX11 SDL SDL_gfx ];
 
diff --git a/pkgs/tools/video/vncrec/default.nix b/pkgs/tools/video/vncrec/default.nix
index 7d395afebecb2..162a1b6d5a47a 100644
--- a/pkgs/tools/video/vncrec/default.nix
+++ b/pkgs/tools/video/vncrec/default.nix
@@ -10,6 +10,8 @@ stdenv.mkDerivation rec {
     sha256 = "1yp6r55fqpdhc8cgrgh9i0mzxmkls16pgf8vfcpng1axr7cigyhc";
   };
 
+  hardeningDisable = [ "format" ];
+
   buildInputs = [
     libX11 xproto imake gccmakedep libXt libXmu libXaw
     libXext xextproto libSM libICE libXpm libXp
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 83f168cc9617a..616dca8acd142 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -669,7 +669,7 @@ in
   calamares = qt5.callPackage ../tools/misc/calamares rec {
     python = python3;
     boost = pkgs.boost.override { python=python3; };
-    libyamlcpp = callPackage ../development/libraries/libyaml-cpp { makePIC=true; boost=boost; };
+    libyamlcpp = callPackage ../development/libraries/libyaml-cpp { boost=boost; };
   };
 
   capstone = callPackage ../development/libraries/capstone { };
@@ -945,10 +945,6 @@ in
       ClassAccessor TextRoman DataUniqid LinguaTranslit UnicodeNormalize;
   };
 
-  bibtextools = callPackage ../tools/typesetting/bibtex-tools {
-    inherit (strategoPackages016) strategoxt sdf;
-  };
-
   blueman = callPackage ../tools/bluetooth/blueman {
     inherit (gnome3) dconf gsettings_desktop_schemas;
     withPulseAudio = config.pulseaudio or true;
@@ -2460,10 +2456,6 @@ in
 
   lsb-release = callPackage ../os-specific/linux/lsb-release { };
 
-  # lsh installs `bin/nettle-lfib-stream' and so does Nettle.  Give the
-  # former a lower priority than Nettle.
-  lsh = lowPrio (callPackage ../tools/networking/lsh { });
-
   lshw = callPackage ../tools/system/lshw { };
 
   lxc = callPackage ../os-specific/linux/lxc { };
@@ -4348,10 +4340,7 @@ in
   clang_35 = wrapCC llvmPackages_35.clang;
   clang_34 = wrapCC llvmPackages_34.clang;
 
-  clang-analyzer = callPackage ../development/tools/analysis/clang-analyzer {
-    clang = clang_34;
-    llvmPackages = llvmPackages_34;
-  };
+  clang-analyzer = callPackage ../development/tools/analysis/clang-analyzer { };
 
   clangUnwrapped = llvm: pkg: callPackage pkg { inherit llvm; };
 
@@ -5475,11 +5464,6 @@ in
 
   ponyc = callPackage ../development/compilers/ponyc { };
 
-  qcmm = callPackage ../development/compilers/qcmm {
-    lua   = lua4;
-    ocaml = ocaml_3_08_0;
-  };
-
   rgbds = callPackage ../development/compilers/rgbds { };
 
   rtags = callPackage ../development/tools/rtags/default.nix {};
@@ -5547,20 +5531,6 @@ in
 
   stalin = callPackage ../development/compilers/stalin { };
 
-  strategoPackages = recurseIntoAttrs strategoPackages018;
-
-  strategoPackages016 = callPackage ../development/compilers/strategoxt/0.16.nix {
-    stdenv = overrideInStdenv stdenv [gnumake380];
-  };
-
-  strategoPackages017 = callPackage ../development/compilers/strategoxt/0.17.nix {
-    readline = readline5;
-  };
-
-  strategoPackages018 = callPackage ../development/compilers/strategoxt/0.18.nix {
-    readline = readline5;
-  };
-
   metaBuildEnv = callPackage ../development/compilers/meta-environment/meta-build-env { };
 
   swiProlog = callPackage ../development/compilers/swi-prolog { };
@@ -5602,8 +5572,6 @@ in
 
   vs90wrapper = callPackage ../development/compilers/vs90wrapper { };
 
-  webdsl = callPackage ../development/compilers/webdsl { };
-
   wla-dx = callPackage ../development/compilers/wla-dx { };
 
   wrapCCWith = ccWrapper: libc: extraBuildCommands: baseCC: ccWrapper {
@@ -6886,10 +6854,6 @@ in
 
   aspellDicts = recurseIntoAttrs (callPackages ../development/libraries/aspell/dictionaries.nix {});
 
-  aterm = self.aterm25;
-
-  aterm25 = callPackage ../development/libraries/aterm/2.5.nix { };
-
   attica = callPackage ../development/libraries/attica { };
 
   attr = callPackage ../development/libraries/attr { };
@@ -9617,8 +9581,6 @@ in
 
   v8_3_16_14 = callPackage ../development/libraries/v8/3.16.14.nix {
     inherit (pythonPackages) gyp;
-    # The build succeeds using gcc5 but it fails to build pkgs.consul-ui
-    stdenv = overrideCC stdenv gcc48;
   };
 
   v8_3_24_10 = callPackage ../development/libraries/v8/3.24.10.nix {
@@ -11287,8 +11249,6 @@ in
 
     prl-tools = callPackage ../os-specific/linux/prl-tools { };
 
-    psmouse_alps = callPackage ../os-specific/linux/psmouse-alps { };
-
     seturgent = callPackage ../os-specific/linux/seturgent { };
 
     spl = callPackage ../os-specific/linux/spl {
@@ -16015,15 +15975,10 @@ in
   speed_dreams = callPackage ../games/speed-dreams {
     # Torcs wants to make shared libraries linked with plib libraries (it provides static).
     # i686 is the only platform I know than can do that linking without plib built with -fPIC
-    plib = plib.override { enablePIC = !stdenv.isi686; };
     libpng = libpng12;
   };
 
-  torcs = callPackage ../games/torcs {
-    # Torcs wants to make shared libraries linked with plib libraries (it provides static).
-    # i686 is the only platform I know than can do that linking without plib built with -fPIC
-    plib = plib.override { enablePIC = !stdenv.isi686; };
-  };
+  torcs = callPackage ../games/torcs { };
 
   trigger = callPackage ../games/trigger { };
 
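Review bot: After the `plib` override is removed from `speed_dreams`, the two comment lines about Torcs linking static plib without `-fPIC` stay behind and now sit directly above `libpng = libpng12;`, which they do not describe. They should be deleted along with the override, leaving `speed_dreams = callPackage ../games/speed-dreams {` followed by `libpng = libpng12;`. The `torcs` entry in the same hunk already drops its copy of the comment.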
diff --git a/pkgs/top-level/guile-2-test.nix b/pkgs/top-level/guile-2-test.nix
index 9d2fbcbef5cce..70ec6c0dc0cea 100644
--- a/pkgs/top-level/guile-2-test.nix
+++ b/pkgs/top-level/guile-2-test.nix
@@ -56,7 +56,6 @@ in (mapTestOn {
   guile = linux;
 
   autogen = linux;
-  lsh = linux;
   mailutils = linux;
   mcron = linux;
   texmacs = linux;
diff --git a/pkgs/top-level/release-small.nix b/pkgs/top-level/release-small.nix
index 2774ff66f5768..77efcc2e0211d 100644
--- a/pkgs/top-level/release-small.nix
+++ b/pkgs/top-level/release-small.nix
@@ -88,7 +88,6 @@ with import ./release-lib.nix { inherit supportedSystems; };
   libxml2 = all;
   libxslt = all;
   lout = linux;
-  lsh = linux;
   lsof = linux;
   ltrace = linux;
   lvm2 = linux;
diff --git a/pkgs/top-level/release.nix b/pkgs/top-level/release.nix
index 4ae5951ceff54..ce093a1da22a7 100644
--- a/pkgs/top-level/release.nix
+++ b/pkgs/top-level/release.nix
@@ -255,14 +255,6 @@ let
 
       #rPackages = packagePlatforms pkgs.rPackages;
 
-      strategoPackages = {
-        sdf = linux;
-        strategoxt = linux;
-        javafront = linux;
-        strategoShell = linux ++ darwin;
-        dryad = linux;
-      };
-
       ocamlPackages = { };
 
       perlPackages = { };