Merge staging into master

Brings in: - changed output order for multiple outputs: #14766 - audit disabled by default #17916 Conflicts: pkgs/development/libraries/openldap/default.nix
NixOS · Sep 1, 2016 · 8c4aeb1 · 8c4aeb1
2 parents 003ab1d + 838c753
commit 8c4aeb1
Show file tree

Hide file tree

Showing 270 changed files with 460 additions and 403 deletions.
diff --git a/doc/multiple-output.xml b/doc/multiple-output.xml
@@ -29,15 +29,15 @@
 
 <section><title>Using a split package</title>
   <para>In the Nix language the individual outputs can be reached explicitly as attributes, e.g. <varname>coreutils.info</varname>, but the typical case is just using packages as build inputs.</para>
-  <para>When a multiple-output derivation gets into a build input of another derivation, the first output is added (<varname>.dev</varname> by convention) and also <varname>propagatedBuildOutputs</varname> of that package which by default contain <varname>$outputBin</varname> and <varname>$outputLib</varname>. (See <xref linkend="multiple-output-file-type-groups" />.)</para>
+  <para>When a multiple-output derivation gets into a build input of another derivation, the <varname>dev</varname> output is added if it exists, otherwise the first output is added. In addition to that, <varname>propagatedBuildOutputs</varname> of that package which by default contain <varname>$outputBin</varname> and <varname>$outputLib</varname> are also added. (See <xref linkend="multiple-output-file-type-groups" />.)</para>
 </section>
 
 
 <section><title>Writing a split derivation</title>
   <para>Here you find how to write a derivation that produces multiple outputs.</para>
   <para>In nixpkgs there is a framework supporting multiple-output derivations. It tries to cover most cases by default behavior.  You can find the source separated in &lt;<filename>nixpkgs/pkgs/build-support/setup-hooks/multiple-outputs.sh</filename>&gt;; it's relatively well-readable.  The whole machinery is triggered by defining the <varname>outputs</varname> attribute to contain the list of desired output names (strings).</para>
-  <programlisting>outputs = [ "dev" "out" "bin" "doc" ];</programlisting>
-  <para>Often such a single line is enough.  For each output an equally named environment variable is passed to the builder and contains the path in nix store for that output.  By convention, the first output should usually be <varname>dev</varname>; typically you also want to have the main <varname>out</varname> output, as it catches any files that didn't get elsewhere.</para>
+  <programlisting>outputs = [ "bin" "dev" "out" "doc" ];</programlisting>
+  <para>Often such a single line is enough.  For each output an equally named environment variable is passed to the builder and contains the path in nix store for that output.  By convention, the first output should contain the executable programs provided by the package as that output is used by Nix in string conversions, allowing references to binaries like <literal>${pkgs.perl}/bin/perl</literal> to always work. Typically you also want to have the main <varname>out</varname> output, as it catches any files that didn't get elsewhere.</para>
 
   <note><para>There is a special handling of the <varname>debug</varname> output, described at <xref linkend="stdenv-separateDebugInfo" />.</para></note>
 

diff --git a/lib/attrsets.nix b/lib/attrsets.nix
@@ -454,6 +454,8 @@ rec {
   getLib = getOutput "lib";
   getDev = getOutput "dev";
 
+  /* Pick the outputs of packages to place in buildInputs */
+  chooseDevOutputs = drvs: builtins.map (drv: if drv.outputUnspecified or false then drv.dev or drv else drv) drvs;
 
   /*** deprecated stuff ***/
 

diff --git a/nixos/doc/manual/release-notes/rl-1609.xml b/nixos/doc/manual/release-notes/rl-1609.xml
@@ -34,6 +34,17 @@ following incompatible changes:</para>
 
 <itemizedlist>
 
+  <listitem>
+    <para>A large number of packages have been converted to use the multiple outputs feature
+      of Nix to greatly reduce the amount of required disk space. This may require changes
+      to any custom packages to make them build again; see the relevant chapter in the
+      Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions
+      related to multiple-output packages
+      <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were changed</link>
+      late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.)
+    </para>
+  </listitem>
+
   <listitem>
     <para>Shell aliases for systemd sub-commands
     <link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were dropped</link>:
@@ -66,6 +77,11 @@ following incompatible changes:</para>
     <literal>environment.variables</literal>.</para>
   </listitem>
 
+  <listitem>
+    <para>The <literal>audit</literal> service is no longer enabled by default.
+    Use <literal>security.audit.enable = true;</literal> to explicitly enable it.</para>
+  </listitem>
+
 </itemizedlist>
 
 

diff --git a/nixos/modules/config/fonts/fonts.nix b/nixos/modules/config/fonts/fonts.nix
@@ -22,7 +22,7 @@ with lib;
   config = {
 
     fonts.fonts =
-      [ pkgs.xorg.fontbhttf
+      [
         pkgs.xorg.fontbhlucidatypewriter100dpi
         pkgs.xorg.fontbhlucidatypewriter75dpi
         pkgs.dejavu_fonts

diff --git a/nixos/modules/security/audit.nix b/nixos/modules/security/audit.nix
@@ -4,13 +4,21 @@ with lib;
 
 let
   cfg = config.security.audit;
+  enabled = cfg.enable == "lock" || cfg.enable;
 
   failureModes = {
     silent = 0;
     printk = 1;
     panic  = 2;
   };
 
+  disableScript = pkgs.writeScript "audit-disable" ''
+    #!${pkgs.stdenv.shell} -eu
+    # Explicitly disable everything, as otherwise journald might start it.
+    auditctl -D
+    auditctl -e 0 -a task,never
+  '';
+
   # TODO: it seems like people like their rules to be somewhat secret, yet they will not be if
   # put in the store like this. At the same time, it doesn't feel like a huge deal and working
   # around that is a pain so I'm leaving it like this for now.
@@ -47,7 +55,7 @@ in {
     security.audit = {
       enable = mkOption {
         type        = types.enum [ false true "lock" ];
-        default     = true; # The kernel seems to enable it by default with no rules anyway
+        default     = false;
         description = ''
           Whether to enable the Linux audit system. The special `lock' value can be used to
           enable auditing and prevent disabling it until a restart. Be careful about locking
@@ -91,7 +99,7 @@ in {
     };
   };
 
-  config = mkIf (cfg.enable == "lock" || cfg.enable) {
+  config = {
     systemd.services.audit = {
       description = "Kernel Auditing";
       wantedBy = [ "basic.target" ];
@@ -103,8 +111,8 @@ in {
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = true;
-        ExecStart = "@${startScript} audit-start";
-        ExecStop  = "@${stopScript}  audit-stop";
+        ExecStart = "@${if enabled then startScript else disableScript} audit-start";
+        ExecStop  = "@${stopScript} audit-stop";
       };
     };
   };

diff --git a/pkgs/applications/audio/ardour/ardour3.nix b/pkgs/applications/audio/ardour/ardour3.nix
@@ -48,7 +48,7 @@ stdenv.mkDerivation rec {
 
   patchPhase = ''
     printf '#include "libs/ardour/ardour/revision.h"\nnamespace ARDOUR { const char* revision = \"${revision}\"; }\n' > libs/ardour/revision.cc
-    sed 's|/usr/include/libintl.h|${glibc}/include/libintl.h|' -i wscript
+    sed 's|/usr/include/libintl.h|${glibc.dev}/include/libintl.h|' -i wscript
     patchShebangs ./tools/
   '';
 

diff --git a/pkgs/applications/audio/flac/default.nix b/pkgs/applications/audio/flac/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
 
   #doCheck = true; # takes lots of time
 
-  outputs = [ "dev" "out" "bin" "doc" ];
+  outputs = [ "bin" "dev" "out" "doc" ];
 
   meta = with stdenv.lib; {
     homepage = http://xiph.org/flac/;

diff --git a/pkgs/applications/graphics/ImageMagick/default.nix b/pkgs/applications/graphics/ImageMagick/default.nix
@@ -43,7 +43,7 @@ stdenv.mkDerivation rec {
 
   patches = [ ./imagetragick.patch ] ++ cfg.patches;
 
-  outputs = [ "dev" "out" "doc" ]; # bin/ isn't really big
+  outputs = [ "out" "dev" "doc" ]; # bin/ isn't really big
   outputMan = "out"; # it's tiny
 
   enableParallelBuilding = true;

diff --git a/pkgs/applications/misc/djvulibre/default.nix b/pkgs/applications/misc/djvulibre/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "0psh3zl9dj4n4r3lx25390nx34xz0bg0ql48zdskhq354ljni5p6";
   };
 
-  outputs = [ "dev" "out" "bin" ];
+  outputs = [ "bin" "dev" "out" ];
 
   buildInputs = [ libjpeg libtiff librsvg ] ++ libintlOrEmpty;
 

diff --git a/pkgs/applications/misc/golden-cheetah/default.nix b/pkgs/applications/misc/golden-cheetah/default.nix
@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
   preConfigure = ''
     cp src/gcconfig.pri.in src/gcconfig.pri
     cp qwt/qwtconfig.pri.in qwt/qwtconfig.pri
-    echo 'QMAKE_LRELEASE = ${qttools}/bin/lrelease' >> src/gcconfig.pri
+    echo 'QMAKE_LRELEASE = ${qttools.dev}/bin/lrelease' >> src/gcconfig.pri
     sed -i -e '21,23d' qwt/qwtconfig.pri # Removed forced installation to /usr/local
   '';
   #postConfigure =

diff --git a/pkgs/applications/misc/mupdf/default.nix b/pkgs/applications/misc/mupdf/default.nix
@@ -30,7 +30,7 @@ stdenv.mkDerivation rec {
   makeFlags = [ "prefix=$(out)" ];
   nativeBuildInputs = [ pkgconfig ];
   buildInputs = [ zlib libX11 libXcursor libXext harfbuzz mesa libXrandr libXinerama freetype libjpeg jbig2dec openjpeg ];
-  outputs = [ "out" "bin" "doc" ];
+  outputs = [ "bin" "dev" "out" "doc" ];
 
   preConfigure = ''
     # Don't remove mujs because upstream version is incompatible
@@ -55,7 +55,7 @@ stdenv.mkDerivation rec {
     Description: Library for rendering PDF documents
     Version: ${version}
     Libs: -L$out/lib -lmupdf -lmupdfthird
-    Cflags: -I$out/include
+    Cflags: -I$dev/include
     EOF
 
     moveToOutput "bin" "$bin"

diff --git a/pkgs/applications/misc/pgadmin/default.nix b/pkgs/applications/misc/pgadmin/default.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
   '';
 
   configureFlags = [
-    "--with-libxml2=${libxml2}"
+    "--with-libxml2=${libxml2.dev}"
     "--with-libxslt=${libxslt.dev}"
   ];
 

diff --git a/pkgs/applications/misc/taskjuggler/default.nix b/pkgs/applications/misc/taskjuggler/default.nix
@@ -46,8 +46,8 @@ stdenv.mkDerivation rec {
 
   configureFlags = "
     --without-arts --disable-docs
-    --x-includes=${libX11}/include
-    --x-libraries=${libX11}/lib
+    --x-includes=${libX11.dev}/include
+    --x-libraries=${libX11.out}/lib
     --with-qt-dir=${qt3}
   ";
 

diff --git a/pkgs/applications/misc/xxkb/default.nix b/pkgs/applications/misc/xxkb/default.nix
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
   buildInputs = [
     imake
     libX11 libXt libXext libXpm
-  ] ++ stdenv.lib.optional svgSupport [ librsvg glib gdk_pixbuf pkgconfig ];
+  ] ++ stdenv.lib.optionals svgSupport [ librsvg glib gdk_pixbuf pkgconfig ];
 
   outputs = [ "out" "man" ];
 

diff --git a/pkgs/applications/science/electronics/tkgate/1.x.nix b/pkgs/applications/science/electronics/tkgate/1.x.nix
@@ -17,8 +17,8 @@ stdenv.mkDerivation rec {
   patchPhase = ''
     sed -i config.h \
       -e 's|.*#define.*TKGATE_TCLTK_VERSIONS.*|#define TKGATE_TCLTK_VERSIONS "${tcl.release}"|' \
-      -e 's|.*#define.*TKGATE_INCDIRS.*|#define TKGATE_INCDIRS "${tcl}/include ${tk}/include ${libiconvInc} ${libX11}/include"|' \
-      -e 's|.*#define.*TKGATE_LIBDIRS.*|#define TKGATE_LIBDIRS "${tcl}/lib ${tk}/lib ${libiconvLib} ${libX11}/lib"|' \
+      -e 's|.*#define.*TKGATE_INCDIRS.*|#define TKGATE_INCDIRS "${tcl}/include ${tk}/include ${libiconvInc} ${libX11.dev}/include"|' \
+      -e 's|.*#define.*TKGATE_LIBDIRS.*|#define TKGATE_LIBDIRS "${tcl}/lib ${tk}/lib ${libiconvLib} ${libX11.out}/lib"|' \
       \
       -e '20 i #define TCL_LIBRARY "${tcl}/lib"' \
       -e '20 i #define TK_LIBRARY "${tk}/lib/${tk.libPrefix}"' \

diff --git a/pkgs/applications/science/math/calc/default.nix b/pkgs/applications/science/math/calc/default.nix
@@ -3,7 +3,7 @@
 with stdenv.lib;
 let
   makeFlags = ''
-    INCDIR=${glibc}/include \
+    INCDIR=${glibc.dev}/include \
     BINDIR=$out/bin LIBDIR=$out/lib CALC_INCDIR=$out/include/calc CALC_SHAREDIR=$out/share/calc MANDIR=$out/share/man/man1 \
     USE_READLINE=-DUSE_READLINE READLINE_LIB=-lreadline READLINE_EXTRAS='-lhistory -lncurses' \
     TERMCONTROL=-DUSE_TERMIOS \

diff --git a/pkgs/applications/science/misc/root/default.nix b/pkgs/applications/science/misc/root/default.nix
@@ -28,7 +28,7 @@ stdenv.mkDerivation rec {
     "-DCMAKE_INSTALL_LIBDIR=lib"
     "-DCMAKE_INSTALL_INCLUDEDIR=include"
   ]
-  ++ stdenv.lib.optional (stdenv.cc.libc != null) "-DC_INCLUDE_DIRS=${stdenv.cc.libc}/include";
+  ++ stdenv.lib.optional (stdenv.cc.libc != null) "-DC_INCLUDE_DIRS=${stdenv.lib.getDev stdenv.cc.libc}/include";
 
   enableParallelBuilding = true;
 

diff --git a/pkgs/applications/version-management/redmine/default.nix b/pkgs/applications/version-management/redmine/default.nix
@@ -48,7 +48,7 @@ in stdenv.mkDerivation rec {
     mkdir -p vendor/cache
     ${stdenv.lib.concatStrings (map (gem: "ln -s ${gem} vendor/cache/${gem.name};") gemspec)}
 
-    bundle config build.nokogiri --use-system-libraries --with-iconv-dir="${libiconv}" --with-xslt-dir="${libxslt.dev}" --with-xml2-dir="${libxml2}"
+    bundle config build.nokogiri --use-system-libraries --with-iconv-dir="${libiconv}" --with-xslt-dir="${libxslt.dev}" --with-xml2-dir="${libxml2.dev}"
 
     bundle install --verbose --local --deployment
 

diff --git a/pkgs/applications/version-management/subversion/default.nix b/pkgs/applications/version-management/subversion/default.nix
@@ -27,7 +27,7 @@ let
     };
 
   # Can't do separate $lib and $bin, as libs reference bins
-  outputs = [ "dev" "out" "man" ];
+  outputs = [ "out" "dev" "man" ];
 
     buildInputs = [ zlib apr aprutil sqlite ]
       ++ stdenv.lib.optional httpSupport serf

diff --git a/pkgs/applications/virtualization/virtualbox/default.nix b/pkgs/applications/virtualization/virtualbox/default.nix
@@ -108,7 +108,7 @@ in stdenv.mkDerivation {
 
   # first line: ugly hack, and it isn't yet clear why it's a problem
   configurePhase = ''
-    NIX_CFLAGS_COMPILE=$(echo "$NIX_CFLAGS_COMPILE" | sed 's,\-isystem ${stdenv.cc.libc}/include,,g')
+    NIX_CFLAGS_COMPILE=$(echo "$NIX_CFLAGS_COMPILE" | sed 's,\-isystem ${lib.getDev stdenv.cc.libc}/include,,g')
 
     cat >> LocalConfig.kmk <<LOCAL_CONFIG
     VBOX_WITH_TESTCASES            :=

diff --git a/pkgs/build-support/grsecurity/default.nix b/pkgs/build-support/grsecurity/default.nix
@@ -1,4 +1,5 @@
 { stdenv
+, lib
 , overrideDerivation
 
 # required for gcc plugins
@@ -24,7 +25,7 @@ overrideDerivation (kernel.override {
   inherit extraConfig;
   ignoreConfigErrors = true;
 }) (attrs: {
-  nativeBuildInputs = [ gmp libmpc mpfr ] ++ (attrs.nativeBuildInputs or []);
+  nativeBuildInputs = (lib.chooseDevOutputs [ gmp libmpc mpfr ]) ++ (attrs.nativeBuildInputs or []);
   preConfigure = ''
     echo ${localver} >localversion-grsec
     ${attrs.preConfigure or ""}

diff --git a/pkgs/build-support/setup-hooks/multiple-outputs.sh b/pkgs/build-support/setup-hooks/multiple-outputs.sh
@@ -160,8 +160,7 @@ _multioutDevs() {
     done
 }
 
-# Make the first output (typically "dev") propagate other outputs needed for development.
-# Take the first, because that's what one gets when putting the package into buildInputs.
+# Make the "dev" propagate other outputs needed for development.
 # Note: with current cross-building setup, all packages are "native" if not cross-building;
 # however, if cross-building, the outputs are non-native. We have to choose the right file.
 _multioutPropagateDev() {
@@ -171,13 +170,17 @@ _multioutPropagateDev() {
     for outputFirst in $outputs; do
         break
     done
+    local propagaterOutput="$outputDev"
+    if [ -z "$propagaterOutput" ]; then
+        propagaterOutput="$outputFirst"
+    fi
 
     # Default value: propagate binaries, includes and libraries
     if [ -z "${propagatedBuildOutputs+1}" ]; then
         local po_dirty="$outputBin $outputInclude $outputLib"
         set +o pipefail
         propagatedBuildOutputs=`echo "$po_dirty" \
-            | tr -s ' ' '\n' | grep -v -F "$outputFirst" \
+            | tr -s ' ' '\n' | grep -v -F "$propagaterOutput" \
             | sort -u | tr '\n' ' ' `
         set -o pipefail
     fi
@@ -187,16 +190,16 @@ _multioutPropagateDev() {
         return
     fi
 
-    mkdir -p "${!outputFirst}"/nix-support
     local propagatedBuildInputsFile
     if [ -z "$crossConfig" ]; then
         propagatedBuildInputsFile=propagated-native-build-inputs
     else
         propagatedBuildInputsFile=propagated-build-inputs
     fi
 
+    mkdir -p "${!propagaterOutput}"/nix-support
     for output in $propagatedBuildOutputs; do
-        echo -n " ${!output}" >> "${!outputFirst}"/nix-support/$propagatedBuildInputsFile
+        echo -n " ${!output}" >> "${!propagaterOutput}"/nix-support/$propagatedBuildInputsFile
     done
 }
 
diff --git a/pkgs/data/fonts/dejavu-fonts/default.nix b/pkgs/data/fonts/dejavu-fonts/default.nix
@@ -13,6 +13,8 @@ stdenv.mkDerivation rec {
     sha256 = "1xknlg2h287dx34v2n5r33bpcl4biqf0cv7nak657rjki7s0k4bk";
   };
 
+  outputs = [ "out" "minimal" ];
+
   buildFlags = "full-ttf";
 
   preBuild = "patchShebangs scripts";
@@ -22,6 +24,10 @@ stdenv.mkDerivation rec {
     for i in $(find build -name '*.ttf'); do
         cp $i $out/share/fonts/truetype;
     done;
+  '' + ''
+    local fname=share/fonts/truetype/DejaVuSans.ttf
+    moveToOutput "$fname" "$minimal"
+    ln -s "$minimal/$fname" "$out/$fname"
   '';
 
   meta = {

diff --git a/pkgs/desktops/gnome-2/platform/GConf/default.nix b/pkgs/desktops/gnome-2/platform/GConf/default.nix
@@ -11,7 +11,7 @@ stdenv.mkDerivation {
     sha256 = "09ch709cb9fniwc4221xgkq0jf0x0lxs814sqig8p2dcll0llvzk";
   };
 
-  outputs = [ "dev" "out" "doc" ];
+  outputs = [ "out" "dev" "doc" ];
 
   buildInputs = [ ORBit2 dbus_libs dbus_glib libxml2 ]
     # polkit requires pam, which requires shadow.h, which is not available on

diff --git a/pkgs/desktops/gnome-2/platform/ORBit2/default.nix b/pkgs/desktops/gnome-2/platform/ORBit2/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ pkgconfig ];
   propagatedBuildInputs = [ glib libIDL ] ++ libintlOrEmpty;
 
-  outputs = [ "dev" "out" ];
+  outputs = [ "out" "dev" ];
 
   preBuild = ''
     sed 's/-DG_DISABLE_DEPRECATED//' -i linc2/src/Makefile

diff --git a/pkgs/desktops/gnome-2/platform/gnome-vfs/default.nix b/pkgs/desktops/gnome-2/platform/gnome-vfs/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
     sha256 = "1ajg8jb8k3snxc7rrgczlh8daxkjidmcv3zr9w809sq4p2sn9pk2";
   };
 
-  outputs = [ "dev" "out" ];
+  outputs = [ "out" "dev" ];
 
   buildInputs =
     [ pkgconfig libxml2 bzip2 openssl samba dbus_glib fam cdparanoia

diff --git a/pkgs/desktops/gnome-2/platform/libbonobo/default.nix b/pkgs/desktops/gnome-2/platform/libbonobo/default.nix
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
     sha256 = "0swp4kk6x7hy1rvd1f9jba31lvfc6qvafkvbpg9h0r34fzrd8q4i";
   };
 
-  outputs = [ "dev" "out" ];
+  outputs = [ "out" "dev" ];
 
   preConfigure = # still using stuff deprecated in new glib versions
     "sed 's/-DG_DISABLE_DEPRECATED//g' -i configure activation-server/Makefile.in";

diff --git a/pkgs/desktops/gnome-2/platform/libglade/default.nix b/pkgs/desktops/gnome-2/platform/libglade/default.nix
@@ -8,7 +8,7 @@ stdenv.mkDerivation {
     sha256 = "1v2x2s04jry4gpabws92i0wq2ghd47yr5n9nhgnkd7c38xv1wdk4";
   };
 
-  outputs = [ "dev" "out" ];
+  outputs = [ "out" "dev" ];
 
   buildInputs = [ pkgconfig gtk python gettext ];