Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Staging next with systemd privacy fix #107086

Merged
merged 194 commits into from
Dec 23, 2020
Merged

Staging next with systemd privacy fix #107086

merged 194 commits into from
Dec 23, 2020

Conversation

FRidh
Copy link
Member

@FRidh FRidh commented Dec 17, 2020
edited
Loading

Motivation for this change

Includes channel blocking fixes for systemd. Let's hope it won't break anything else.

https://hydra.nixos.org/job/nixpkgs/staging-next/unstable#tabs-constituents

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

KAction and others added 30 commits October 20, 2020 00:00
@KAction
keyutils: fix static build
89e9c49
@KAction
openssh: fix static build
4879ea9
@r-burns
boost: fix segfaults on ppc64
ca89e80 
Fixes NixOS/nix#2517

See also:
boostorg/context#72
boostorg/fiber#193

These issues have been resolved by:
boostorg/context#106
boostorg/context@d4608a4
which is merged into boost as of v1.71.0.

This feature was introduced (with the bug) in
boost v1.61 and was fixed in v1.71. So we apply
the patch to all versions in that range.
@Ericson2314
clang, cc-wrapper: Move --gcc-toolchain logic into CC wrapper
11302dc
@Mic92
systemd: fix pc files
74f96a5 
upstream decided to make this non-configurable... Lets' revert to the
version before.
@raboof @Mic92
rustc: generate deterministic manifest
b909a33 
The order of the entries in the manifest generated while installing
rustc depends on the (parallel) build, so let's sort it to make it
deterministic. Also remove install.log from the output.

Co-Authored-By: Jörg Thalheim <[email protected]>
@jtojnar
gdk-pixbuf: 2.42.0 → 2.42.2
3141ee4 
Fixes CVE-2020-29385

https://ftp.gnome.org/pub/GNOME/sources/gdk-pixbuf/2.42/gdk-pixbuf-2.42.2.news
@r-ryantm
openbazaar-client: 2.4.8 -> 2.4.9
2f0b8ff
@github-actions
Merge staging-next into staging
9adc06e
@r-ryantm
topgrade: 6.0.1 -> 6.0.2
7a5572b
@Mic92
Merge pull request #106284 from raboof/rustc-deterministic-manifest
650db4a
@github-actions
Merge staging-next into staging
c76c05e
@marsam
Merge pull request #106328 from r-ryantm/auto-update/topgrade
fc18dfd 
topgrade: 6.0.1 -> 6.0.2
@flokli
Merge pull request #106044 from Mic92/systemd
3b41567 
systemd: fix pc files
@mweinelt
openssl: 1.1.1h -> 1.1.1i
76e0197 
Fixes: CVE-2020-1971
Closes: #106218
@github-actions
Merge staging-next into staging
5ed8ad0
@nh2
Merge pull request #100906 from KAction/openssh
87413f3 
openssh: fix static build
@SuperSandro2000
Merge pull request #106310 from r-ryantm/auto-update/openbazaar-client
a258874 
openbazaar-client: 2.4.8 -> 2.4.9
@github-actions
Merge staging-next into staging
a2f873d
@github-actions
Merge staging-next into staging
3339899
@Ma27
Merge pull request #106362 from mweinelt/openssl
00a1069 
openssl: 1.1.1h -> 1.1.1i
@github-actions
Merge staging-next into staging
8feb00a
@r-ryantm @ehmry
alephone-infinity: 20190331 -> 20200904
ec4aef3
@mweinelt
curl: 7.73.0 -> 7.74.0
5ba7277 
https://curl.se/docs/CVE-2020-8284.html
https://curl.se/docs/CVE-2020-8285.html
https://curl.se/docs/CVE-2020-8286.html

Fixes: CVE-2020-8284, CVE-2020-8285, CVE-2020-8286
@github-actions
Merge staging-next into staging
4ce8ce1
@jtojnar
Merge branch 'staging-next' into staging
bf2f0ec
@jtojnar
Merge pull request #106302 from NixOS/gdk-pixbuf-2.42.2
0facf25 
gdk-pixbuf: 2.42.0 → 2.42.2
@github-actions
Merge staging-next into staging
d85d0c3
@github-actions
Merge staging-next into staging
4e33f29
@primeos
python3Packages.cryptography: 3.2.1 -> 3.3.1
44b7d77 
Backward incompatible changes:
- Support for Python 3.5 has been removed due to low usage and
  maintenance burden.
- The GCM and AESGCM now require 64-bit to 1024-bit (8 byte to 128 byte)
  initialization vectors. This change is to conform with an upcoming
  OpenSSL release that will no longer support sizes outside this window.
- When deserializing asymmetric keys we now raise ValueError rather than
  UnsupportedAlgorithm when an unsupported cipher is used. This change
  is to conform with an upcoming OpenSSL release that will no longer
  distinguish between error types.
- We no longer allow loading of finite field Diffie-Hellman parameters
  of less than 512 bits in length. This change is to conform with an
  upcoming OpenSSL release that no longer supports smaller sizes. These
  keys were already wildly insecure and should not have been used in any
  application outside of testing.
@FRidh
Copy link
Member Author

FRidh commented Dec 21, 2020

I think we should revert the cc wrapper and bintools changes instead. Everything else looked fine. Stdenv changes need to be tested better before being merged into staging.

@Emantor
Copy link
Member

Emantor commented Dec 21, 2020

I think we should revert the cc wrapper and bintools changes instead. Everything else looked fine. Stdenv changes need to be tested better before being merged into staging.

TBH, that would also be my preference, the fix for the dynamicLinker for darwin feels more like a hack to me.

@vcunat
Copy link
Member

vcunat commented Dec 21, 2020
edited
Loading

Depends if that's the only cause for a large rebuild (or for risk of regressions). IIRC systemd by itself doesn't cause such a huge rebuild (in comparison to stdenv stuff).

@vcunat
Copy link
Member

vcunat commented Dec 21, 2020

Stdenv changes need to be tested better before being merged into staging.

32-bit cases are easy to miss (and considered rather minor generally) and darwin is hard to test for most people 🤷🏽

@flokli
Copy link
Contributor

flokli commented Dec 21, 2020

I think we should revert the cc wrapper and bintools changes instead. Everything else looked fine. Stdenv changes need to be tested better before being merged into staging.

I agree with @FRidh here. Let's revert the cc wrapper and bintools changes, run another hydra evaluation, and get channels unblocked.

The other changes can be re-introduced in a followup PR, and be more thoroughly tested.

@vcunat
Revert "Merge #107253: bintools-wrapper: fix inverted link32 check"
bf44473 
This reverts commit 241c391, reversing
changes made to ab8c2b2.

These toolchain changes are too problematic, so reverting for now; see
#107086 (comment)
@vcunat
Revert "bintools-wrapper: skip dynamic linker for static binaries"
363175c 
This reverts commit ccfd26e.

These toolchain changes are too problematic, so reverting for now; see
#107086 (comment)
@vcunat
Revert "Merge #94582: clang, cc-wrapper: Move --gcc-toolchain logic…
ac03cfa 
…..."

This reverts commit 0f25eb3, reversing
changes made to df91ae1.

These toolchain changes are too problematic, so reverting for now; see
#107086 (comment)
@vcunat
Copy link
Member

vcunat commented Dec 21, 2020

Done.

$ ./maintainers/scripts/rebuild-amount.sh 583470209f9d5
  25938 x86_64-darwin
  30435 x86_64-linux

^^ this amount of darwin rebuilds will surely take several days, but perhaps we can afford to merge before that finishes.

@ofborg ofborg bot removed the 10.rebuild-linux-stdenv This PR causes stdenv to rebuild label Dec 22, 2020
@Atemu
Copy link
Member

Atemu commented Dec 22, 2020

I was going to ask why we'd need to wait for Darwin builds as the Darwin channel would just block for a few days until they're done which wouldn't be a huge issue but I just noticed that such channel does not exist.

Is there a specific reason why we don't have one for unstable? It'd sure be convenient for cases like these.

@vcunat
Copy link
Member

vcunat commented Dec 22, 2020

I'm not aware of any reason. I think I've already mentioned somewhere that it would be nice to remove this difference. There's nixpkgs-unstable channel.

@archseer
Copy link
Member

I think there should be a channel per architecture target, see #83049 for similar issues with aarch64

@FRidh
Copy link
Member Author

FRidh commented Dec 23, 2020

This is not the place to discuss what channels we should have.

@flokli
Copy link
Contributor

flokli commented Dec 23, 2020

@FRidh considering there's less than 500 queued jobs left for x86_64-linux, I assume this is good to merge (and we can trigger a NixOS eval afterwards?)

@flokli
Copy link
Contributor

flokli commented Dec 23, 2020
edited
Loading

Okay, there's no more builds left for x86_64-linux. Let's merge this :-)

@flokli flokli merged commit e7659b6 into master Dec 23, 2020
@petrosagg
Copy link
Member

petrosagg commented Dec 23, 2020
edited
Loading

Sorry if this is a basic question, I'm not fully familiar with the hydra pipeline. What's left for the nixos-unstable channel to get unblocked? Will it reuse the artifacts from this build run?

@flokli
Copy link
Contributor

flokli commented Dec 23, 2020

nixos-unstable runs builds from master - this was in staging-next.

I just triggered https://hydra.nixos.org/jobset/nixos/unstable-small and https://hydra.nixos.org/jobset/nixos/trunk-combined, which should update the corresponding channels (once succeeded).

@vcunat
Copy link
Member

vcunat commented Dec 23, 2020

All hydra jobsets populate cache.nixos.org, and same /nix/store hashes get reused.

@jonringer
Copy link
Contributor

unfortunately, nixos.tests.installer.simpleUefiSystemdBoot is failing https://hydra.nixos.org/build/133597924/nixlog/100.

I get the same failure locally.

@jakobrs
Copy link
Contributor

jakobrs commented Dec 23, 2020

#107275 is the PR that broke the test.

@Atemu
Copy link
Member

Atemu commented Dec 24, 2020
edited
Loading

Eval complete: https://hydra.nixos.org/eval/1637149?filter=tested&compare=1637089&full=#tabs-now-succeed

Channel updated too! Thank you to everyone!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ttuegel ttuegel ttuegel approved these changes

@Ericson2314 Ericson2314 Awaiting requested review from Ericson2314

@jonringer jonringer Awaiting requested review from jonringer

@LnL7 LnL7 Awaiting requested review from LnL7

@matthewbauer matthewbauer Awaiting requested review from matthewbauer

@Mic92 Mic92 Awaiting requested review from Mic92

@zowoq zowoq Awaiting requested review from zowoq

Assignees
No one assigned
Labels
1.severity: channel blocker Blocks a channel 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 6.topic: python 6.topic: qt/kde 6.topic: rust 8.has: clean-up 8.has: module (update) This PR changes an existing module in `nixos/` 8.has: package (new) This PR adds a new package 10.rebuild-darwin: 501+ 10.rebuild-darwin: 5001+ 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild 10.rebuild-linux: 501+ 10.rebuild-linux: 5001+
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.