staging-next-23.11 iteration 7 - 2024-04-04 #301438
This is a small simplification of the control flow surrounding these cases. It should make it more obvious when each case happens, and also explicitly defines the current behaviour of --replace.
[Backport release-23.11] stdenv: substituteStream: deprecate --replace in favor of --replace-{fail,warn,quiet}
Changes:
- https://github.com/uclouvain/openjpeg/blob/v2.5.1/NEWS.md
- https://github.com/uclouvain/openjpeg/blob/v2.5.2/NEWS.md

(cherry picked from commit e29b451)
magit requires[1] seq 2.24. seq from GNU Elpa satisfies that. However, it is shadowed by the Emacs builtin one to work around an old bug[2] and the version of the builtin seq in Emacs 28 is only 2.23. So magit is broken for Emacs 28 which is the default one in NixOS 23.11 and available in the unstable branch.

This patch fixes magit by stopping shadowing seq from GNU Elpa since that old bug[2] is not relevant now.

Fixes #272019.

[1]: https://github.com/magit/magit/blob/f4ff817cb2a48f0f7887050c3be469c03a059567/lisp/magit.el#L27
[2]: #74936

(cherry picked from commit 7374ffe)
(cherry picked from commit a9cfbfd)
[Backport staging-23.11] emacs.pkgs.seq: stop shadowing it
[Backport staging-23.11] openjpeg: 2.5.0 -> 2.5.2
...into staging-23.11
Changes: https://lib.openmpt.org/libopenmpt/2024/03/03/releases-0.7.4-0.6.13-0.5.27-0.4.39/ (cherry picked from commit 3b6cf1e)
Fixes CVE-2023-48161, CVE-2023-39742 and CVE-2021-40633. Changes: https://sourceforge.net/p/giflib/code/ci/5.2.2/tree/NEWS (cherry picked from commit ce852b4)
(cherry picked from commit fac842b)
let aaru = "aa-remove-unknown"; in

aaru tests whether /sys/kernel/security/apparmor/profiles can be opened. Even though the file's permissions usually are 0444, open() still might return `EPERM`, as this is a virtual filesystem. Thus, using `test -r` doesn't suffice for this check.

What aaru does to solve this is (approximately)

    if ! read … < /sys/kernel/security/apparmor/profiles; then echo "Meh"; fi

In principle this works just fine. When looking closer, it doesn't (which is the root cause of #273164).

Careful readers will notice that the actual access check (for `open()`) isn't actually related to the `read` invocation, but the shell's input redirection, which works totally fine: If the file can't be opened, the shell will return an error and the test fails. `read` won't even be invoked.

The culprit is, the `read` shell builtin might potentially jeopardize the *successful* test result (`open()` succeeding): When no profiles are loaded, the file will be empty and `read` will return 1 for `EOF`.

As the `if`'s command is only invoked after the actual test succeeded, `true` is the command of choice here.

I would prefer fixing this upstream, but I refuse to register an account there because GitLab.com wants me to validate an email address (sure), a phone number (why?) and a valid payment method ([redacted]).

This fixes #273164 (»Apparmor service fails to start after nixos-rebuild switch«).

(cherry picked from commit b69ffeb)
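The EOF pitfall described in the commit message above, shown as an added example that is not part of the commit or of aa-remove-unknown. The function names, the temporary files and the sample profile line are constructed, and a nonexistent path stands in for an `open()` failure such as `EPERM` on the real securityfs file.

```shell
# Constructed demo: compare a `read`-based open check with a `true`-based one.

# Check in the style the commit message describes: the redirection performs
# open(), but `read` also returns 1 on EOF, so an empty file counts as failure.
check_with_read() {
    { read -r _line < "$1"; } 2>/dev/null
}

# Check the commit message recommends: only the redirection can fail,
# because `true` always returns 0 once the file has been opened.
check_with_true() {
    { true < "$1"; } 2>/dev/null
}

# Print the verdict of both checks for one path.
compare_checks() {
    r=fail; t=fail
    check_with_read "$1" && r=ok
    check_with_true "$1" && t=ok
    printf 'read=%s true=%s\n' "$r" "$t"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

: > "$demo_dir/empty"                                # openable, no profiles loaded
printf 'profile_a (enforce)\n' > "$demo_dir/loaded"  # constructed sample content
# "$demo_dir/missing" is never created, so the redirection itself fails.

compare_checks "$demo_dir/empty"
compare_checks "$demo_dir/loaded"
compare_checks "$demo_dir/missing"
```

The two checks disagree only on the empty file, which is the state the commit message identifies as the cause of the failed service start.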
Changes: https://www.nlnetlabs.nl/news/2024/Mar/07/unbound-1.19.2-released/ (cherry picked from commit 40365d0)
Hydra is not loading the logs for me currently but I blindly guess we need 9db042b

The eventlet update was part of python-updates run. I don't know if it would cause many breakages in other libraries but because it is python, it is likely to happen and I don't have the capacity to deal with the outfall in stable, especially if 24.05 is right around the corner.
...into staging-next-23.11 (cherry picked from commit e7a0bc3)
Ah, thanks, indeed. I picked that patch, so it builds at least. You (anyone) could consider whether the security fixes need addressing, but that's mostly an independent thing.
(cherry picked from commit 57a7279) .4 fixes expired cert in tests: https://hydra.nixos.org/build/255392216/nixlog/3/tail
(cherry picked from commit 2b0673c)
I don't think there's anything worth blocking on, really.
https://hydra.nixos.org/jobset/nixpkgs/staging-next-23.11
https://hydra.nixos.org/jobset/nixos/staging-next-23.11-small
Significant breakages
(will be edited based on progress)