staging-next-23.11 iteration 7 - 2024-04-04 #301438
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is a small simplification of the control flow surrounding these cases. It should make it more obvious when each case happens, and also explicitly defines the current behaviour of --replace.
[Backport release-23.11] stdenv: substituteStream: deprecate --replace in favor of --replace-{fail,warn,quiet}
Changes: - https://github.com/uclouvain/openjpeg/blob/v2.5.1/NEWS.md - https://github.com/uclouvain/openjpeg/blob/v2.5.2/NEWS.md (cherry picked from commit e29b451)
magit requires[1] seq 2.24. seq from GNU Elpa satisfies that. However, it is shadowed by the Emacs builtin one to workaround an old bug[2] and the version of the builtin seq in Emacs 28 is only 2.23. So magit is broken for Emacs 28 which is the default one in NixOS 23.11 and available in the unstable branch. This patch fixes magit by stopping shadowing seq from GNU Elpa since that old bug[2] is not relevant now. Fixes #272019. [1]: https://github.com/magit/magit/blob/f4ff817cb2a48f0f7887050c3be469c03a059567/lisp/magit.el#L27 [2]: #74936 (cherry picked from commit 7374ffe)
(cherry picked from commit a9cfbfd)
[Backport staging-23.11] emacs.pkgs.seq: stop shadowing it
[Backport staging-23.11] openjpeg: 2.5.0 -> 2.5.2
...into staging-23.11
Changes: https://lib.openmpt.org/libopenmpt/2024/03/03/releases-0.7.4-0.6.13-0.5.27-0.4.39/ (cherry picked from commit 3b6cf1e)
Fixes CVE-2023-48161, CVE-2023-39742 and CVE-2021-40633. Changes: https://sourceforge.net/p/giflib/code/ci/5.2.2/tree/NEWS (cherry picked from commit ce852b4)
(cherry picked from commit fac842b)
let aaru = "aa-remove-unknown"; in
aaru tests whether /sys/kernel/security/apparmor/profiles can be opened.
Even though the file's permissions usually are 0444, open() still might
return `EPERM`, as this is a virtual filesystem. Thus, using `test -r`
doesn't suffice for this check.
What aaru does to solve this is (approximately)
if ! read … < /sys/kernel/security/apparmor/profiles; then
echo "Meh";
fi
In principal this works just fine. When looking closer, it doesn't
(which is the root cause of #273164). Careful readers will notice that
the actual access check (for `open()`) isn't actually related to the
`read` invocation, but the shell's input redirection, which works
totally fine:
If the file can't be opened, the shell will return an error and the test
fails. `read` won't even be invoked. The culprit is, the `read` shell
builtin might potentially jeopardize the *successful* test result
(`open()` succeeding): When no profiles are loaded, the file will be
empty and `read` will return 1 for `EOF`.
As the `if`'s command is only invoked after the actual test succeeded,
`true` is the command of choice here.
I would prefer fixing this upstream, but I refuse to register an account
there because GitLab.com wants me to validate an email address (sure), a
phone number (why?) and a valid payment method ([redacted]).
This fixes #273164 (»Apparmor service fails to start after nixos-rebuild
switch«).
(cherry picked from commit b69ffeb)
Changes: https://www.nlnetlabs.nl/news/2024/Mar/07/unbound-1.19.2-released/ (cherry picked from commit 40365d0)
github-actions
bot
added
8.has: documentation
6.topic: emacs
6.topic: rust
6.topic: golang
6.topic: stdenv
|
|
Hydra is not loading the logs for me currently but I blindly guess we need 9db042b The eventlet update was part of python-updates run. I don't know if it would cause many breakages in other libraries but because it is python, it is likely to happen and I don't have the capacity to deal with the outfall in stable, especially if 24.05 is right around the corner. |
This comment was marked as outdated.
This comment was marked as outdated.
...into staging-next-23.11 (cherry picked from commit e7a0bc3)
|
Ah, thanks, indeed. I picked that patch, so it builds at least. You (anyone) could consider whether the security fixes need addressing, but that's mostly an independent thing. |
(cherry picked from commit 57a7279) .4 fixes expired cert in tests: https://hydra.nixos.org/build/255392216/nixlog/3/tail
(cherry picked from commit 2b0673c)
|
|
I don't think there's anything worth blocking on, really. |
13 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
https://hydra.nixos.org/jobset/nixpkgs/staging-next-23.11
https://hydra.nixos.org/jobset/nixos/staging-next-23.11-small
Significant breakages
(will be edited based on progress)