3.4 branch detects support for getrandom() call during configure-time,
which gets picked up since glibc-2.25, and consequently it will fail
with older kernels during runtime.
This should solve CVE-2016-5131 and some other bugs, but not what Suse
calls CVE-2016-9597: https://bugzilla.suse.com/show_bug.cgi?id=1017497
The bugzilla discussion seems to indicate that the CVE is referenced
incorrectly and only shows reproducing when using command-line flags
that are considered "unsafe".
CVE-2016-9318 also remains unfixed, as I consider their reasoning OK:
https://lwn.net/Alerts/714411/
/cc #22826.
Using the upstream patch directly. It's copied in nixpkgs, because:
- fetchpatch isn't usable at this point in bootstrapping,
- the upstream patch creates collisions in NEWS.
This reverts commit 1daf2e26d221712dfbe72f9f6d2f73ef230cc43c, reversing
changes made to c0c50dfcb70d48e5b79c4ae9f1aa9d339af860b4.
It seems this is what has been causing all the reliability problems
on Hydra. I'm currently unable to find why it happens, so I'm forced
to revert the update for now. Discussion: #22874.
Scrapy is usually installed via pip where copying all permissions
makes sense. In Nix the files copied are owned by root and
readonly. As a consequence scrapy can't edit the project templates so
`scrapy startproject` fails.
- Append emacs to the oz wrapper's command search path rather than the
rpath. Previously, emacs would end up in the closure but the oz
shell script would not be helped by it. Now a user without emacs in
their PATH can still get the complete Oz experience (which depends
crucially on emacs). To build a variant without emacs, do
mozart.override { emacs = null; }
- Patch full path to oz executable into the oz desktop item to make the
output less reliant on the runtime PATH
- Compress .elc files to save a little bit of space
- Make it easier to extend platform support
- Inline builder.sh
- Be more specific about patching. oz and ozc are capable of inferring
OZHOME themselves; thus we generate wrappers only for the binary
executable components.
Note that gmp and boost would be removed by patchelf --shrink-path; I've
no idea whether they are used somehow, so we leave them in and forgo
rpath shrinking for now.
This script is not needed anymore since "nix-prefetch-url --unpack
<url>" and "nix-prefetch-url -A foo.src" (where "foo.src" is a
fetchzip / fetchFromGitHub call) work fine.
Per #22590, `haskellPackages.servant` and by extension any package which transitively depends on `pythonX.Y-future` will fail to build on darwin even though there's apparently no reason why it can't be built there.