| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Many packages have some kind of flag indicating whether or not to build with
systemd support. Most of these default to `stdenv.isLinux`, but systemd does
not build on (and is marked `broken` for) `isStatic`. Only a few packages have
the needed `&& !isStatic` in the default value for their parameter.
This commit moves the logic for the default value of these flags into
`systemd.meta.{platforms,badPlatforms}` and evaluates those conditions using
`lib.meta.availableOn`.
This provides three benefits:
1. The default values are set correctly (i.e. including `&& isStatic`)
2. The default values are set consistently
3. The way is paved for any future non-Linux systemd platforms (FreeBSD is
reported to have experimental systemd support)
|
|
|
|
https://webkitgtk.org/2022/12/22/webkitgtk2.38.3-released.html
https://webkitgtk.org/security/WSA-2022-0011.html
Fixes: CVE-2022-42852, CVE-2022-42856, CVE-2022-42867, CVE-2022-46692,
CVE-2022-46698, CVE-2022-46699, CVE-2022-46700
|
|
Since https://github.com/WebKit/WebKit/commit/31ac354cbeecf866f9a38f7b2f8f59f7975d3f6a,
bubblewrap gets called the following way on NixOS system,
when it has `share/fonts` in `environment.pathsToLink`:
$ bwrap --ro-bind /nix/store /nix/store --ro-bind /run/current-system /run/current-system --ro-bind-try /run/current-system/sw/share/fonts /run/current-system/sw/share/fonts -- $(realpath $(which true))
bwrap: Can't mkdir parents for /run/current-system/sw/share/fonts: No such file or directory
It fails because `/run/current-system/sw` is a symlink
so bubblewrap is not be able to add another mountpoint inside.
Ideally, we would remove the `/run/current-system/sw` bind mount
and mount only specific subdirectories we need, like the fonts.
Unfortunately, it is not clear what else is needed. For example,
in the past, Pipewire’s Jack module was loaded from `/run/current-system/sw/lib`
https://github.com/NixOS/nixpkgs/commit/756e60344fd83427148d8acf416c63573404a2e9
So, for now, let’s keep the and mount and move the binding of NixOS directories
to the end. Adding bindings starting at leaves and moving to root should be fine.
While at it, let’s also make the binding of `/run/current-system` conditional
since it will not be available outside of NixOS.
Fixes: https://github.com/NixOS/nixpkgs/issues/197085
|
|
|
|
https://webkitgtk.org/2022/11/04/webkitgtk2.38.2-released.html
https://webkitgtk.org/security/WSA-2022-0010.html
Fixes: CVE-2022-32888, CVE-2022-32923, CVE-2022-42799, CVE-2022-42823
CVE-2022-42824
|
|
https://webkitgtk.org/2022/10/20/webkitgtk2.38.1-released.html
https://github.com/WebKit/WebKit/compare/webkitgtk-2.38.0...webkitgtk-2.38.1
Changelog-Reviewed-By: Jan Tojnar <jtojnar@gmail.com>
|
|
USE_SYSTEMD was replaced by ENABLE_JOURNALD_LOG:
https://github.com/WebKit/WebKit/commit/f1ff3cc0f546a69f2869447bb583f2a5e1d0b755
-- Could NOT find Journald (missing: Journald_LIBRARY Journald_INCLUDE_DIR)
CMake Error at Source/cmake/OptionsGTK.cmake:486 (message):
libsystemd or libelogind are needed for ENABLE_JOURNALD_LOG
Call Stack (most recent call first):
Source/cmake/WebKitCommon.cmake:220 (include)
CMakeLists.txt:20 (include)
-- Configuring incomplete, errors occurred!
See also "/build/webkitgtk-2.36.0/build/CMakeFiles/CMakeOutput.log".
See also "/build/webkitgtk-2.36.0/build/CMakeFiles/CMakeError.log".
|
|
https://webkitgtk.org/2022/09/16/webkitgtk2.38.0-released.html
https://github.com/WebKit/WebKit/compare/webkitgtk-2.37.90...webkitgtk-2.38.0
https://webkitgtk.org/security/WSA-2022-0009.html
Fixes:
CVE-2022-32886
CVE-2022-32891
CVE-2022-32912
Changelog-Reviewed-By: Jan Tojnar <jtojnar@gmail.com>
|
|
To make it easier to distinguish which versions are in the closure.
|
|
https://webkitgtk.org/2022/08/19/webkitgtk2.37.90-released.html
https://github.com/WebKit/WebKit/compare/webkitgtk-2.37.1...webkitgtk-2.37.90
Changelog-Reviewed-By: Jan Tojnar <jtojnar@gmail.com>
|
|
https://webkitgtk.org/2022/07/12/webkitgtk2.37.1-released.html
Changelog-Reviewed-By: Jan Tojnar <jtojnar@gmail.com>
|
|
|
|
https://webkitgtk.org/2022/08/24/webkitgtk2.36.7-released.html
https://webkitgtk.org/security/WSA-2022-0008.html
Fixes: CVE-2022-32893
|
|
Fixes #185219.
|
|
https://webkitgtk.org/2022/07/28/webkitgtk2.36.5-released.html
https://webkitgtk.org/security/WSA-2022-0007.html
|
|
https://webkitgtk.org/2022/07/05/webkitgtk2.36.4-released.html
https://webkitgtk.org/security/WSA-2022-0006.html
|
|
https://webkitgtk.org/2022/05/28/webkitgtk2.36.3-released.html
https://webkitgtk.org/security/WSA-2022-0005.html
Fixes: CVE-2022-26700, CVE-2022-26709, CVE-2022-26717, CVE-2022-26716,
CVE-2022-26719, CVE-2022-30293, CVE-2022-30294
|
|
Build with WPE renderer is no longer tested upstream
https://bugs.webkit.org/show_bug.cgi?id=238513#c10
and that configuration is extremely buggy since 2.36.0:
https://github.com/NixOS/nixpkgs/issues/169201
Previously it was disabled in c0d053ea0ee2a1ff35f3251376fbca44e33a37c3.
|
|
https://webkitgtk.org/2022/05/18/webkitgtk2.36.2-released.html
|
|
https://webkitgtk.org/2022/04/21/webkitgtk2.36.1-released.html
|
|
https://webkitgtk.org/2022/03/21/webkitgtk2.36.0-released.html
|
|
This commit exposes support for compilation without systemd,
controlled by the global systemdSupport argument. This argument is
understood by many other nixpkgs expressions and can be set globally
in ~/.config/nixpkgs/config.nix.
|
|
enableGeoLocation option
The problem with enableGeoLocation was that it didn't compose well with
.overrideAttrs and setting geoclue2=null at the overlay level
because of the assert statement.
Thus, when combined with disabling libsecret, the resulting override code was:
avahi = null;
geoclue2 = { outPath = throw "geoclue is disabled"; };
webkitgtk = prev.lib.pipe prev.webkitgtk [
(x: x.override { enableGeoLocation = false; geoclue2 = prev.geoclue2; })
(x: x.overrideAttrs (old: { cmakeFlags = old.cmakeFlags ++ [ "-DUSE_LIBSECRET=OFF" ]; }))
(x: x.override { enableGeoLocation = false; geoclue2 = null; libsecret = null; })
];
It works, but is unnecessarily complex.
: detailed motviation
libsecret and geoclue2 are actually completely independent,
the real conflict is between assert and override/overrideAttrs which
don't work as expected; e.g. you can pass an updated parameter, but the
original parameter at callPackage "calltime" after recusion through overlays
gets used, so when globally setting "geoclue2=null;" in an overlay,
the assert is always hit without any way to work around that
|
|
https://webkitgtk.org/security/WSA-2022-0003.html
Fixes: CVE-2022-22620
|
|
https://webkitgtk.org/2022/02/09/webkitgtk2.34.5-released.html
https://webkitgtk.org/security/WSA-2022-0002.html
Fixes: CVE-2022-22589, CVE-2022-22590, CVE-2022-22592
|
|
https://webkitgtk.org/security/WSA-2022-0001.html
|
|
|
|
|
|
https://github.com/NixOS/nixpkgs/issues/145040
|
|
|
|
https://webkitgtk.org/2021/10/21/webkitgtk2.34.1-released.html
|
|
Changes:
- https://webkitgtk.org/2021/05/14/webkitgtk2.33.1-released.html
- https://webkitgtk.org/2021/06/08/webkitgtk2.33.2-released.html
- https://webkitgtk.org/2021/08/16/webkitgtk2.33.3-released.html
- https://webkitgtk.org/2021/09/02/webkitgtk2.33.90-released.html
- https://webkitgtk.org/2021/09/17/webkitgtk2.33.91-released.html
- https://webkitgtk.org/2021/09/22/webkitgtk2.34.0-released.html
Notably, libsoup3 is used by default. We revert that to reduce breakage
so programs using libsoup 3.x will need to override the argument.
|
|
https://webkitgtk.org/security/WSA-2021-0005.html
|
|
This has been synonymous for ~5y.
|
|
|
|
|
|
Relevant security advisory:
https://webkitgtk.org/security/WSA-2021-0004.html
CVEs:
CVE-2021-1817, CVE-2021-1820, CVE-2021-1825, CVE-2021-1826,
CVE-2021-21775, CVE-2021-21779, CVE-2021-21806, CVE-2021-30661,
CVE-2021-30663, CVE-2021-30665, CVE-2021-30666, CVE-2021-30682,
CVE-2021-30689, CVE-2021-30720, CVE-2021-30734, CVE-2021-30744,
CVE-2021-30749, CVE-2021-30758, CVE-2021-30761, CVE-2021-30762,
CVE-2021-30795, CVE-2021-30797, CVE-2021-30799
|
|
|
|
|
|
https://webkitgtk.org/2021/05/10/webkitgtk2.32.1-released.html
In particular, we now needed to fix the build with icu-69.
|
|
If `/run/opengl-driver/lib` is in `LD_LIBRARY_PATH`, bwrap will try to
mount it into the already bind mounted `/run/opengl-driver`. To
prevent this, we instead specify the subpaths of `/run/opengl-driver`
we're interested in.
Also, use the correct path for i686 builds.
|
|
- Libmanette and systemd features need to be disabled since they depend on systemd.
- FastMalloc for some reason does not include <malloc/malloc.h> so we added that.
- <CommonCrypto/CommonRandom.h> depends on a type from <CommonCrypto/CommonCryptor.h> but does not include it for some reason, resulting in the following error:
In file included from ../Source/WTF/wtf/RandomDevice.cpp:44:
/nix/store/wd30p2pq4lci8fk9fqldkgk1hgmwpapj-Libsystem-1238.60.2/include/CommonCrypto/CommonRandom.h:35:9: error: unknown type name 'CCCryptorStatus'
typedef CCCryptorStatus CCRNGStatus;
- The GL-related flags were renamed and removed (in previous releases as well) so we switched to the new ones so that GL is still disabled.
- Unrelatedly, `with` statement at the top of the expression is abomination so we narrowed its scope to just meta.
|
|
I hope this will improve the situation on aarch64-linux.
I don't think it could make anything worse.
Recent staging-next timeouts:
https://hydra.nixos.org/build/141551270
https://hydra.nixos.org/build/141547098
For now let's not touch meta.timeout, as there's less consensus and the
setting seems less reliable in practice, too.
|
|
|
|
https://webkitgtk.org/security/WSA-2021-0003.html
https://webkitgtk.org/2021/03/26/webkitgtk2.32.0-released.html
Fixes: CVE-2021-1788, CVE-2021-1844, CVE-2021-1871
|
|
https://webkitgtk.org/security/WSA-2021-0002.html
|
|
This reverts commit d2aeeb0d20054a1ba2b9924b11471604488655f7.
|
|
|
|
The package could not compile because it did not know the meaning of
TRUE and FALSE [1]. So we have to make sure our build environment
provides reasonable, sensible definitions to make the build succeed.
[1] https://hydra.nixos.org/build/137292531
|
