This should solve CVE-2016-5131 and some other bugs, but not what Suse
calls CVE-2016-9597: https://bugzilla.suse.com/show_bug.cgi?id=1017497
The bugzilla discussion seems to indicate that the CVE is referenced
incorrectly and only shows reproducing when using command-line flags
that are considered "unsafe".
CVE-2016-9318 also remains unfixed, as I consider their reasoning OK:
https://lwn.net/Alerts/714411/
/cc #22826.
Using the upstream patch directly. It's copied in nixpkgs, because:
- fetchpatch isn't usable at this point in bootstrapping,
- the upstream patch creates collisions in NEWS.
This reverts commit 1daf2e26d2, reversing
changes made to c0c50dfcb7.
It seems this is what has been causing all the reliability problems
on Hydra. I'm currently unable to find why it happens, so I'm forced
to revert the update for now. Discussion: #22874.
Scrapy is usually installed via pip where copying all permissions
makes sense. In Nix the files copied are owned by root and
readonly. As a consequence scrapy can't edit the project templates so
scrapy startproject
fails.
The initialization code is now a systemd service that explicitly
waits for network-online, so the occasional failure I was seeing
because the `nixos-rebuild` couldn't get anything from the binary
cache should stop. I hope!
- Append emacs to the oz wrapper's command search path rather than the
rpath. Previously, emacs would end up in the closure but the oz
shell script would not be helped by it. Now a user without emacs in
their PATH can still get the complete Oz experience (which depends
crucially on emacs). To build a variant without emacs, do
mozart.override { emacs = null; }
- Patch full path to oz executable into the oz desktop item to make the
output less reliant on the runtime PATH
- Compress .elc files to save a little bit of space
- Make it easier to extend platform support
- Inline builder.sh
- Be more specific about patching. oz and ozc are capable of inferring
OZHOME themselves; thus we generate wrappers only for the binary
executable components.
Note that gmp and boost would be removed by patchelf --shrink-path; I've
no idea whether they are used somehow, so we leave them in and forego
rpath shrinking for now.