Merge staging-next-24.05 into staging-24.05

NixOS · Oct 30, 2024 · fc65363 · fc65363
2 parents 1d59bbc + cb0a2ce
commit fc65363
Show file tree

Hide file tree

Showing 10 changed files with 2,863 additions and 78 deletions.
diff --git a/pkgs/by-name/en/envision-unwrapped/Cargo.lock b/pkgs/by-name/en/envision-unwrapped/Cargo.lock
diff --git a/pkgs/by-name/en/envision-unwrapped/package.nix b/pkgs/by-name/en/envision-unwrapped/package.nix
@@ -0,0 +1,100 @@
+{
+  lib,
+  stdenv,
+  fetchFromGitLab,
+  writeScript,
+  appstream-glib,
+  cargo,
+  meson,
+  ninja,
+  pkg-config,
+  rustPlatform,
+  rustc,
+  wrapGAppsHook4,
+  cairo,
+  desktop-file-utils,
+  gdb,
+  gdk-pixbuf,
+  glib,
+  gtk4,
+  gtksourceview5,
+  libadwaita,
+  libgit2,
+  libusb1,
+  openssl,
+  pango,
+  vte-gtk4,
+  zlib,
+  unstableGitUpdater,
+}:
+
+stdenv.mkDerivation (finalAttrs: {
+  pname = "envision-unwrapped";
+  version = "0-unstable-2024-06-25";
+
+  src = fetchFromGitLab {
+    owner = "gabmus";
+    repo = "envision";
+    rev = "b594f75778961c281daca398011914e9ac14b753";
+    hash = "sha256-felt9KdgVrXSgoufw/+gDlluqdv8vySDqwskQ0t2JOM=";
+  };
+
+  strictDeps = true;
+
+  cargoDeps = rustPlatform.importCargoLock {
+    lockFile = ./Cargo.lock;
+    outputHashes = {
+      "libmonado-rs-0.1.0" = "sha256-PsNgfpgso3HhIMXKky/u6Xw8phk1isRpNXKLhvN1wIE=";
+    };
+  };
+
+  nativeBuildInputs = [
+    appstream-glib
+    desktop-file-utils
+    cargo
+    meson
+    ninja
+    pkg-config
+    rustPlatform.cargoSetupHook
+    rustc
+    wrapGAppsHook4
+  ];
+
+  buildInputs = [
+    cairo
+    gdk-pixbuf
+    glib
+    gtk4
+    gtksourceview5
+    libadwaita
+    libgit2
+    libusb1
+    openssl
+    pango
+    vte-gtk4
+    zlib
+  ];
+
+  postInstall = ''
+    wrapProgram $out/bin/envision \
+      --prefix PATH : "${lib.makeBinPath [ gdb ]}"
+  '';
+
+  passthru.updateScript = writeScript "envision-update" ''
+    source ${builtins.head (unstableGitUpdater { })}
+
+    cp $tmpdir/Cargo.lock ./pkgs/by-name/en/envision-unwrapped/Cargo.lock
+  '';
+
+  meta = {
+    description = "UI for building, configuring and running Monado, the open source OpenXR runtime";
+    homepage = "https://gitlab.com/gabmus/envision";
+    license = lib.licenses.agpl3Only;
+    mainProgram = "envision";
+    maintainers = with lib.maintainers; [
+      pandapip1
+      Scrumplex
+    ];
+    platforms = lib.platforms.linux;
+  };
+})
diff --git a/pkgs/by-name/en/envision/package.nix b/pkgs/by-name/en/envision/package.nix
@@ -0,0 +1,93 @@
+{ buildFHSEnv, envision-unwrapped }:
+
+buildFHSEnv {
+  name = "envision";
+
+  extraOutputsToInstall = [ "dev" ];
+
+  strictDeps = true;
+
+  targetPkgs =
+    pkgs:
+    [ pkgs.envision-unwrapped ]
+    ++ (with pkgs; [
+      glibc
+      gcc
+    ])
+    ++ (
+      # OpenHMD dependencies
+      pkgs.openhmd.buildInputs ++ pkgs.openhmd.nativeBuildInputs
+    )
+    ++ (
+      # OpenComposite dependencies
+      pkgs.opencomposite.buildInputs ++ pkgs.opencomposite.nativeBuildInputs ++ [ pkgs.boost ]
+    )
+    ++ (
+      # Monado dependencies
+      (
+        pkgs.monado.buildInputs
+        ++ pkgs.monado.nativeBuildInputs
+        ++ (with pkgs; [
+          # Additional dependencies required by Monado when built using Envision
+          mesa
+          shaderc
+          xorg.libX11
+          xorg.libxcb
+          xorg.libXrandr
+          xorg.libXrender
+          xorg.xorgproto
+        ])
+      )
+    )
+    ++ (
+      # SteamVR driver dependencies
+      [ pkgs.zlib ])
+    ++ (
+      # WiVRn dependencies
+      # TODO: Replace with https://github.com/NixOS/nixpkgs/pull/316975 once merged
+      (with pkgs; [
+        avahi
+        cmake
+        cli11
+        ffmpeg
+        git
+        gst_all_1.gstreamer
+        gst_all_1.gst-plugins-base
+        libmd
+        libdrm
+        libpulseaudio
+        libva
+        ninja
+        nlohmann_json
+        openxr-loader
+        pipewire
+        systemdLibs # udev
+        vulkan-loader
+        vulkan-headers
+        x264
+      ])
+      ++ (with pkgs; [
+        android-tools # For adb installing WiVRn APKs
+      ])
+    );
+
+  profile = ''
+    export CMAKE_LIBRARY_PATH=/usr/lib
+    export CMAKE_INCLUDE_PATH=/usr/include
+    export PKG_CONFIG_PATH=/usr/lib/pkgconfig:/usr/share/pkgconfig
+  '';
+
+  extraInstallCommands = ''
+    mkdir -p $out/share/applications $out/share/metainfo
+    ln -s ${envision-unwrapped}/share/envision $out/share
+    ln -s ${envision-unwrapped}/share/icons $out/share
+    ln -s ${envision-unwrapped}/share/applications/org.gabmus.envision.desktop $out/share/applications
+    ln -s ${envision-unwrapped}/share/metainfo/org.gabmus.envision.appdata.xml $out/share/metainfo
+  '';
+
+  runScript = "envision";
+
+  meta = envision-unwrapped.meta // {
+    description = "${envision-unwrapped.meta.description} (with build environment)";
+  };
+}
diff --git a/pkgs/by-name/fo/forgejo/package.nix b/pkgs/by-name/fo/forgejo/package.nix
@@ -25,7 +25,7 @@ let
     pname = "forgejo-frontend";
     inherit (forgejo) src version;
 
-    npmDepsHash = "sha256-9U2I+JzDGQlfjyvZRbfPbDMmoHxIJ/SOBhMdn1la0EI=";
+    npmDepsHash = "sha256-RR1FVbyXgeXAWkNYjgleAE7hPqVur00bO1jF3WhGYKA=";
 
     patches = [
       ./package-json-npm-build-frontend.patch
@@ -40,14 +40,14 @@ let
 in
 buildGoModule rec {
   pname = "forgejo";
-  version = "7.0.9";
+  version = "7.0.10";
 
   src = fetchFromGitea {
     domain = "codeberg.org";
     owner = "forgejo";
     repo = "forgejo";
     rev = "v${version}";
-    hash = "sha256-JoHF49n2HWMHl/LMWxQlj7utkmzyZ5pHEfeSU8gjyfU=";
+    hash = "sha256-shPrbWuNmoSYXcL0QcgNjapdoWnO3/2h6eUFdMnteR4=";
   };
 
   vendorHash = "sha256-hfbNyCQMQzDzJxFc2MPAR4+v/qNcnORiQNbwbbIA4Nw=";

diff --git a/pkgs/by-name/gu/guix/guix-build-user-takeover-fix.patch b/pkgs/by-name/gu/guix/guix-build-user-takeover-fix.patch
@@ -0,0 +1,42 @@
+diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
+index c5383bc..50d1abc 100644
+--- a/nix/libstore/build.cc
++++ b/nix/libstore/build.cc
+@@ -2312,15 +2312,6 @@ void DerivationGoal::registerOutputs()
+         Path actualPath = path;
+         if (useChroot) {
+             actualPath = chrootRootDir + path;
+-            if (pathExists(actualPath)) {
+-                /* Move output paths from the chroot to the store. */
+-                if (buildMode == bmRepair)
+-                    replaceValidPath(path, actualPath);
+-                else
+-                    if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
+-                        throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
+-            }
+-            if (buildMode != bmCheck) actualPath = path;
+         } else {
+             Path redirected = redirectedOutputs[path];
+             if (buildMode == bmRepair
+@@ -2360,6 +2351,21 @@ void DerivationGoal::registerOutputs()
+                something like that. */
+             canonicalisePathMetaData(actualPath, buildUser.enabled() ? buildUser.getUID() : -1, inodesSeen);
+
++            if (useChroot) {
++                if (pathExists(actualPath)) {
++                    /* Now that output paths have been canonicalized (in particular
++                    there are no setuid files left), move them outside of the
++                    chroot and to the store. */
++                    if (buildMode == bmRepair)
++                        replaceValidPath(path, actualPath);
++                    else
++                        if (buildMode != bmCheck && rename(actualPath.c_str(), path.c_str()) == -1)
++                            throw SysError(format("moving build output `%1%' from the chroot to the store") % path);
++                }
++                if (buildMode != bmCheck) actualPath = path;
++            }
++
++
+             /* FIXME: this is in-memory. */
+             StringSink sink;
+             dumpPath(actualPath, sink);
diff --git a/pkgs/by-name/gu/guix/package.nix b/pkgs/by-name/gu/guix/package.nix
@@ -1,38 +1,39 @@
-{ lib
-, stdenv
-, fetchurl
-, fetchpatch
-, autoreconfHook
-, disarchive
-, git
-, glibcLocales
-, guile
-, guile-avahi
-, guile-gcrypt
-, guile-git
-, guile-gnutls
-, guile-json
-, guile-lib
-, guile-lzlib
-, guile-lzma
-, guile-semver
-, guile-ssh
-, guile-sqlite3
-, guile-zlib
-, guile-zstd
-, help2man
-, makeWrapper
-, pkg-config
-, po4a
-, scheme-bytestructures
-, texinfo
-, bzip2
-, libgcrypt
-, sqlite
+{
+  lib,
+  stdenv,
+  fetchurl,
+  fetchpatch,
+  autoreconfHook,
+  disarchive,
+  git,
+  glibcLocales,
+  guile,
+  guile-avahi,
+  guile-gcrypt,
+  guile-git,
+  guile-gnutls,
+  guile-json,
+  guile-lib,
+  guile-lzlib,
+  guile-lzma,
+  guile-semver,
+  guile-ssh,
+  guile-sqlite3,
+  guile-zlib,
+  guile-zstd,
+  help2man,
+  makeWrapper,
+  pkg-config,
+  po4a,
+  scheme-bytestructures,
+  texinfo,
+  bzip2,
+  libgcrypt,
+  sqlite,
 
-, stateDir ? "/var"
-, storeDir ? "/gnu/store"
-, confDir ? "/etc"
+  stateDir ? "/var",
+  storeDir ? "/gnu/store",
+  confDir ? "/etc",
 }:
 
 stdenv.mkDerivation rec {
@@ -55,6 +56,9 @@ stdenv.mkDerivation rec {
       url = "https://git.savannah.gnu.org/cgit/guix.git/patch/?id=ff1251de0bc327ec478fc66a562430fbf35aef42";
       hash = "sha256-f4KWDVrvO/oI+4SCUHU5GandkGtHrlaM1BWygM/Qlao=";
     })
+    # manual port of build user takeover remediation commit
+    # see https://guix.gnu.org/en/blog/2024/build-user-takeover-vulnerability
+    ./guix-build-user-takeover-fix.patch
   ];
 
   postPatch = ''
@@ -151,7 +155,10 @@ stdenv.mkDerivation rec {
     homepage = "http://www.gnu.org/software/guix";
     license = licenses.gpl3Plus;
     mainProgram = "guix";
-    maintainers = with maintainers; [ cafkafk foo-dogsquared ];
+    maintainers = with maintainers; [
+      cafkafk
+      foo-dogsquared
+    ];
     platforms = platforms.linux;
   };
 }