From 179b8146e668636fe59ef7663a6c8cd15d00db7e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Sat, 3 Nov 2018 15:47:44 +0100 Subject: [PATCH] systemd: apply patches from Debian There are some security fixes among those. --- pkgs/os-specific/linux/systemd/default.nix | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index db64b8e6f6de..1d45109ac852 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -1,4 +1,4 @@ -{ stdenv, lib, fetchFromGitHub, fetchpatch, pkgconfig, intltool, gperf, libcap, kmod +{ stdenv, lib, fetchFromGitHub, fetchpatch, fetchurl, pkgconfig, intltool, gperf, libcap, kmod , xz, pam, acl, libuuid, m4, utillinux, libffi , glib, kbd, libxslt, coreutils, libgcrypt, libgpgerror, libidn2, libapparmor , audit, lz4, bzip2, libmicrohttpd, pcre2 @@ -30,6 +30,22 @@ in stdenv.mkDerivation rec { sha256 = "1xci0491j95vdjgs397n618zii3sgwnvanirkblqqw6bcvcjvir1"; }; + prePatch = let + # Upstream's maintenance branches are still too intrusive: + # https://github.com/systemd/systemd-stable/tree/v239-stable + patches-deb = fetchurl { + # When the URL disappears, it typically means that Debian has new patches + # (probably security) and updating to new tarball will apply them as well. + name = "systemd-debian-patches.tar.xz"; + url = mirror://debian/pool/main/s/systemd/systemd_239-11~bpo9+1.debian.tar.xz; + sha256 = "136f6p4jbi4z94mf4g099dfcacwka8jwhza0wxxw2q5l5q3xiysh"; + }; + # Note that we skip debian-specific patches, i.e. ./debian/patches/debian/* + in '' + tar xf ${patches-deb} + patches="$patches $(cat debian/patches/series | grep -v '^debian/' | sed 's|^|debian/patches/|')" + ''; + outputs = [ "out" "lib" "man" "dev" ]; nativeBuildInputs =