| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
At some point, I'd like to make another attempt at
71f1f4884b5 ("openssl: stop static binaries referencing libs"), which
was reverted in 195c7da07df. One problem with my previous attempt is
that I moved OpenSSL's libraries to a lib output, but many dependent
packages were hardcoding the out output as the location of the
libraries. This patch fixes every such case I could find in the tree.
It won't have any effect immediately, but will mean these packages
will automatically use an OpenSSL lib output if it is reintroduced in
future.
This patch should cause very few rebuilds, because it shouldn't make
any change at all to most packages I'm touching. The few rebuilds
that are introduced come from when I've changed a package builder not
to use variable names like openssl.out in scripts / substitution
patterns, which would be confusing since they don't hardcode the
output any more.
I started by making the following global replacements:
${pkgs.openssl.out}/lib -> ${lib.getLib pkgs.openssl}/lib
${openssl.out}/lib -> ${lib.getLib openssl}/lib
Then I removed the ".out" suffix when part of the argument to
lib.makeLibraryPath, since that function uses lib.getLib internally.
Then I fixed up cases where openssl was part of the -L flag to the
compiler/linker, since that unambigously is referring to libraries.
Then I manually investigated and fixed the following packages:
- pycurl
- citrix-workspace
- ppp
- wraith
- unbound
- gambit
- acl2
I'm reasonably confindent in my fixes for all of them.
For acl2, since the openssl library paths are manually provided above
anyway, I don't think openssl is required separately as a build input
at all. Removing it doesn't make a difference to the output size, the
file list, or the closure.
I've tested evaluation with the OfBorg meta checks, to protect against
introducing evaluation failures.
|
|
Failing Hydra build: https://hydra.nixos.org/build/155170191
Patch derived from linuxfromscratch/openembedded.org[1][2].
[1] https://www.linuxfromscratch.org/blfs/view/svn/basicnet/ntp.html
[2] https://patchwork.openembedded.org/patch/180019/
|
|
it causes issues and most distros dont enable it
see https://github.com/NixOS/nixpkgs/issues/140996
|
|
|
|
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
|
|
|
|
Part of: https://github.com/NixOS/nixpkgs/issues/108938
meta = with stdenv.lib;
is a widely used pattern. We want to slowly remove
the `stdenv.lib` indirection and encourage people
to use `lib` directly. Thus let’s start with the meta
field.
This used a rewriting script to mostly automatically
replace all occurances of this pattern, and add the
`lib` argument to the package header if it doesn’t
exist yet.
The script in its current form is available at
https://cs.tvl.fyi/depot@2f807d7f141068d2d60676a89213eaa5353ca6e0/-/blob/users/Profpatsch/nixpkgs-rewriter/default.nix
|
|
|
|
|
|
|
|
Signed-off-by: Austin Seipp <aseipp@pobox.com>
|
|
From http://www.ntp.org/index.html:
> ntp-4.2.8p13 was released on 07 March 2019.
> It addresses 1 medium-severity security issue in ntpd, and provides 17
> other non-security fixes and 1 improvements over 4.2.8p12.
|
|
After a series of amendments the seccomp.patch made ntpd work properly
but only on 32-bit systems.
This commit replaces that patch with the one submitted upstream by
cleverca22 and that fixes the issue also on 64-bit systems.
Close #38627, #45885
|
|
|
|
Semi-automatic update generated by
https://github.com/ryantm/nixpkgs-update tools. This update was made
based on information from
https://repology.org/metapackage/ntp/versions.
|
|
|
|
|
|
* treewide: http -> https sources
This updates the source urls of all top-level packages from http to
https where possible.
* buildtorrent: fix url and tab -> spaces
|
|
ntpd uses openat to adjust the drift file, which it only does after a few hours of uptime
|
|
Semi-automatic update generated by https://github.com/ryantm/nixpkgs-update tools.
This update was made based on information from https://repology.org/metapackage/ntp/versions.
These checks were done:
- built on NixOS
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/calc_tickadj passed the binary check.
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntp-wait passed the binary check.
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntptrace passed the binary check.
- Warning: no invocation of /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/update-leap had a zero exit code or showed the expected version
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/sntp passed the binary check.
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntpd passed the binary check.
- Warning: no invocation of /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntpdate had a zero exit code or showed the expected version
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntpdc passed the binary check.
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntpq passed the binary check.
- /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntp-keygen passed the binary check.
- Warning: no invocation of /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/ntptime had a zero exit code or showed the expected version
- Warning: no invocation of /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11/bin/tickadj had a zero exit code or showed the expected version
- 8 of 12 passed binary check by having a zero exit code.
- 0 of 12 passed binary check by having the new version present in output.
- found 4.2.8p11 with grep in /nix/store/ib7i3wijfdx2h24aswazaqivr6hfrbip-ntp-4.2.8p11
- directory tree listing: https://gist.github.com/643849ae077bac0514537c8aa923dd6d
- du listing: https://gist.github.com/1b2abf7cee80b022945ff72be1eb7070
|
|
ntpd: Add patch to allow getpid syscall in seccomp filter.
|
|
http://nwtime.org/network-time-foundation-publishes-ntp-4-2-8-p10/
|
|
Fixes issue #21136.
The problem is that the seccomp system call filter configured by ntpd did not
include some system calls that were apparently needed. For example the
program hanged in getpid just after the filter was installed:
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0
seccomp(SECCOMP_SET_MODE_STRICT, 1, NULL) = -1 EINVAL (Invalid argument)
seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=41, filter=0x5620d7f0bd90}) = 0
getpid() = ?
I do not know exactly why this is a problem on NixOS only, perhaps we have getpid
caching disabled.
The fcntl and setsockopt system calls also had to be added.
|
|
It only has the allowed system call numbers defined for i386 and x86_64
so it fails to build otherwise.
|
|
|
|
|
|
Includes fixes for 10 CVEs and contains other fixes.
See http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se.
|
|
|
|
Fixes CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956.
|
|
The following parameters are now available:
* hardeningDisable
To disable specific hardening flags
* hardeningEnable
To enable specific hardening flags
Only the cc-wrapper supports this right now, but these may be reused by
other wrappers, builders or setup hooks.
cc-wrapper supports the following flags:
* fortify
* stackprotector
* pie (disabled by default)
* pic
* strictoverflow
* format
* relro
* bindnow
|
|
|
|
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
|
|
|
|
55 files changed, 6041 deletions. Tested with `nix-build -A tarball`.
|
|
|
|
|
|
|
|
|
|
|
|
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
The package would no longer build without libcrypto,
and it wouldn't find it without pkgconfig.
I checked that Debian and Arch do use openssl as a dependency,
so it's probably not so bad a thing to have.
CC maintainer @edolstra.
|
|
|
|
svn path=/nixpkgs/trunk/; revision=30290
|
|
svn path=/nixpkgs/trunk/; revision=24118
|
|
svn path=/nixpkgs/trunk/; revision=18916
|
|
svn path=/nixpkgs/trunk/; revision=15828
|
|
svn path=/nixpkgs/trunk/; revision=14798
|
|
svn path=/nixpkgs/trunk/; revision=12883
|
|
svn path=/nixpkgs/trunk/; revision=10217
|
|
svn path=/nixpkgs/trunk/; revision=9292
|
