uboot: (firmwareOdroidC2/C4) don't invoke patch tool, use patches = [] instead

https://github.com/NixOS/nixpkgs/blob/master/pkgs/stdenv/generic/setup.sh#L948 this can do it nicely. Signed-off-by: Anton Arapov <anton@deadbeef.mx>
2021-04-03 12:58:10 +02:00 · 2021-04-03 12:58:10 +02:00 · 56de2bcd43
commit 56de2bcd43
30691 changed files with 3076956 additions and 0 deletions
--- a/pkgs/tools/security/tor/default.nix
+++ b/pkgs/tools/security/tor/default.nix
@ -0,0 +1,122 @@
+{ lib, stdenv, fetchurl, pkg-config, libevent, openssl, zlib, torsocks
+, libseccomp, systemd, libcap, xz, zstd, scrypt, nixosTests
+, writeShellScript
+
+# for update.nix
+, writeScript
+, common-updater-scripts
+, bash
+, coreutils
+, curl
+, gnugrep
+, gnupg
+, gnused
+, nix
+}:
+let
+  tor-client-auth-gen = writeShellScript "tor-client-auth-gen" ''
+    PATH="${lib.makeBinPath [coreutils gnugrep openssl]}"
+    pem="$(openssl genpkey -algorithm x25519)"
+
+    printf private_key=descriptor:x25519:
+    echo "$pem" | grep -v " PRIVATE KEY" |
+    base64 -d | tail --bytes=32 | base32 | tr -d =
+
+    printf public_key=descriptor:x25519:
+    echo "$pem" | openssl pkey -in /dev/stdin -pubout |
+    grep -v " PUBLIC KEY" |
+    base64 -d | tail --bytes=32 | base32 | tr -d =
+  '';
+in
+stdenv.mkDerivation rec {
+  pname = "tor";
+  version = "0.4.7.7";
+
+  src = fetchurl {
+    url = "https://dist.torproject.org/${pname}-${version}.tar.gz";
+    sha256 = "sha256-PhMRWLUrlDXX5D0cR+8oi5bQBTQsxEuMlQu0A4UaW0Q=";
+  };
+
+  outputs = [ "out" "geoip" ];
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [ libevent openssl zlib xz zstd scrypt ] ++
+    lib.optionals stdenv.isLinux [ libseccomp systemd libcap ];
+
+  patches = [ ./disable-monotonic-timer-tests.patch ];
+
+  configureFlags =
+    # cross compiles correctly but needs the following
+    lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ "--disable-tool-name-check" ]
+    ++
+    # sandbox is broken on aarch64-linux https://gitlab.torproject.org/tpo/core/tor/-/issues/40599
+    lib.optionals (stdenv.isLinux && stdenv.isAarch64) [ "--disable-seccomp" ]
+  ;
+
+  NIX_CFLAGS_LINK = lib.optionalString stdenv.cc.isGNU "-lgcc_s";
+
+  postPatch = ''
+    substituteInPlace contrib/client-tools/torify \
+      --replace 'pathfind torsocks' true          \
+      --replace 'exec torsocks' 'exec ${torsocks}/bin/torsocks'
+
+    patchShebangs ./scripts/maint/checkShellScripts.sh
+  '';
+
+  enableParallelBuilding = true;
+
+  # disable tests on aarch64-darwin, the following tests fail there:
+  # oom/circbuf: [forking]
+  #   FAIL src/test/test_oom.c:187: assert(c1->marked_for_close)
+  #   [circbuf FAILED]
+  # oom/streambuf: [forking]
+  #   FAIL src/test/test_oom.c:287: assert(x_ OP_GE 500 - 5): 0 vs 495
+  #   [streambuf FAILED]
+  doCheck = !(stdenv.isDarwin && stdenv.isAarch64);
+
+  postInstall = ''
+    mkdir -p $geoip/share/tor
+    mv $out/share/tor/geoip{,6} $geoip/share/tor
+    rm -rf $out/share/tor
+    ln -s ${tor-client-auth-gen} $out/bin/tor-client-auth-gen
+  '';
+
+  passthru = {
+    tests.tor = nixosTests.tor;
+    updateScript = import ./update.nix {
+      inherit lib;
+      inherit
+        writeScript
+        common-updater-scripts
+        bash
+        coreutils
+        curl
+        gnupg
+        gnugrep
+        gnused
+        nix
+      ;
+    };
+  };
+
+  meta = with lib; {
+    homepage = "https://www.torproject.org/";
+    description = "Anonymizing overlay network";
+
+    longDescription = ''
+      Tor helps improve your privacy by bouncing your communications around a
+      network of relays run by volunteers all around the world: it makes it
+      harder for somebody watching your Internet connection to learn what sites
+      you visit, and makes it harder for the sites you visit to track you. Tor
+      works with many of your existing applications, including web browsers,
+      instant messaging clients, remote login, and other applications based on
+      the TCP protocol.
+    '';
+
+    license = licenses.bsd3;
+
+    maintainers = with maintainers;
+      [ thoughtpolice joachifm prusnak ];
+    platforms = platforms.unix;
+  };
+}
--- a/pkgs/tools/security/tor/disable-monotonic-timer-tests.patch
+++ b/pkgs/tools/security/tor/disable-monotonic-timer-tests.patch
@ -0,0 +1,48 @@
+diff --git a/src/test/test_util.c b/src/test/test_util.c
+index 0d86a5ab5..e93c6ba89 100644
+--- a/src/test/test_util.c
+++ b/src/test/test_util.c
+@@ -6490,13 +6490,9 @@ test_util_monotonic_time(void *arg)
+   /* We need to be a little careful here since we don't know the system load.
+    */
+   tt_i64_op(monotime_diff_msec(&mt1, &mt2), OP_GE, 175);
+-  tt_i64_op(monotime_diff_msec(&mt1, &mt2), OP_LT, 1000);
+   tt_i64_op(monotime_coarse_diff_msec(&mtc1, &mtc2), OP_GE, 125);
+-  tt_i64_op(monotime_coarse_diff_msec(&mtc1, &mtc2), OP_LT, 1000);
+   tt_u64_op(nsec2-nsec1, OP_GE, 175000000);
+-  tt_u64_op(nsec2-nsec1, OP_LT, 1000000000);
+   tt_u64_op(nsecc2-nsecc1, OP_GE, 125000000);
+-  tt_u64_op(nsecc2-nsecc1, OP_LT, 1000000000);
+ 
+   tt_u64_op(msec1, OP_GE, nsec1 / 1000000);
+   tt_u64_op(usec1, OP_GE, nsec1 / 1000);
+@@ -6509,8 +6509,6 @@ test_util_monotonic_time(void *arg)
+ 
+   uint64_t coarse_stamp_diff =
+     monotime_coarse_stamp_units_to_approx_msec(stamp2-stamp1);
+-  tt_u64_op(coarse_stamp_diff, OP_GE, 120);
+-  tt_u64_op(coarse_stamp_diff, OP_LE, 1200);
+ 
+   {
+     uint64_t units = monotime_msec_to_approx_coarse_stamp_units(5000);
+@@ -6515,8 +6515,8 @@ test_util_monotonic_time(void *arg)
+   {
+     uint64_t units = monotime_msec_to_approx_coarse_stamp_units(5000);
+     uint64_t ms = monotime_coarse_stamp_units_to_approx_msec(units);
+-    tt_u64_op(ms, OP_GE, 4950);
+-    tt_u64_op(ms, OP_LT, 5050);
+    tt_u64_op(ms, OP_GE, 4000);
+    tt_u64_op(ms, OP_LT, 6000);
+   }
+ 
+  done:
+@@ -6640,9 +6640,6 @@ test_util_monotonic_time_add_msec(void *arg)
+   monotime_coarse_add_msec(&ct2, &ct1, 1337);
+   tt_i64_op(monotime_diff_msec(&t1, &t2), OP_EQ, 1337);
+   tt_i64_op(monotime_coarse_diff_msec(&ct1, &ct2), OP_EQ, 1337);
+-  // The 32-bit variant must be within 1% of the regular one.
+-  tt_int_op(monotime_coarse_diff_msec32_(&ct1, &ct2), OP_GT, 1323);
+-  tt_int_op(monotime_coarse_diff_msec32_(&ct1, &ct2), OP_LT, 1350);
+ 
+   /* Add 1337 msec twice more; make sure that any second rollover issues
+    * worked. */
--- a/pkgs/tools/security/tor/torsocks.nix
+++ b/pkgs/tools/security/tor/torsocks.nix
@ -0,0 +1,42 @@
+{ lib, stdenv, fetchgit, fetchurl, autoreconfHook, libcap }:
+
+stdenv.mkDerivation rec {
+  pname = "torsocks";
+  version = "2.3.0";
+
+  src = fetchgit {
+    url    = "https://git.torproject.org/torsocks.git";
+    rev    = "refs/tags/v${version}";
+    sha256 = "0x0wpcigf22sjxg7bm0xzqihmsrz51hl4v8xf91qi4qnmr4ny1hb";
+  };
+
+  nativeBuildInputs = [ autoreconfHook ];
+
+  patches = lib.optional stdenv.isDarwin
+    (fetchurl {
+       url = "https://trac.torproject.org/projects/tor/raw-attachment/ticket/28538/0001-Fix-macros-for-accept4-2.patch";
+       sha256 = "97881f0b59b3512acc4acb58a0d6dfc840d7633ead2f400fad70dda9b2ba30b0";
+     });
+
+  postPatch = ''
+    # Patch torify_app()
+    sed -i \
+      -e 's,\(local app_path\)=`which $1`,\1=`type -P $1`,' \
+      src/bin/torsocks.in
+  '' + lib.optionalString stdenv.isLinux ''
+    sed -i \
+      -e 's,\(local getcap\)=.*,\1=${libcap}/bin/getcap,' \
+      src/bin/torsocks.in
+  '';
+
+  doInstallCheck = true;
+  installCheckTarget = "check-recursive";
+
+  meta = {
+    description      = "Wrapper to safely torify applications";
+    homepage         = "https://github.com/dgoulet/torsocks";
+    license          = lib.licenses.gpl2;
+    platforms        = lib.platforms.unix;
+    maintainers      = with lib.maintainers; [ thoughtpolice ];
+  };
+}
--- a/pkgs/tools/security/tor/update.nix
+++ b/pkgs/tools/security/tor/update.nix
@ -0,0 +1,72 @@
+{ lib
+, writeScript
+, common-updater-scripts
+, bash
+, coreutils
+, curl
+, gnugrep
+, gnupg
+, gnused
+, nix
+}:
+
+with lib;
+
+let
+  downloadPageUrl = "https://dist.torproject.org";
+
+  # See https://support.torproject.org/little-t-tor/#fetching-the-tor-developers-key
+  signingKeys = [
+    "514102454D0A87DB0767A1EBBE6A0531C18A9179" # Alexander Færøy
+    "B74417EDDF22AC9F9E90F49142E86A2A11F48D36" # David Goulet
+    "2133BC600AB133E1D826D173FE43009C4607B1FB" # Nick Mathewson
+  ];
+in
+
+writeScript "update-tor" ''
+#! ${bash}/bin/bash
+
+set -eu -o pipefail
+
+export PATH=${makeBinPath [
+  common-updater-scripts
+  coreutils
+  curl
+  gnugrep
+  gnupg
+  gnused
+  nix
+]}
+
+srcBase=$(curl -L --list-only -- "${downloadPageUrl}" \
+  | grep -Eo 'tor-([[:digit:]]+\.?)+\.tar\.gz' \
+  | sort -Vu \
+  | tail -n1)
+srcFile=$srcBase
+srcUrl=${downloadPageUrl}/$srcBase
+
+srcName=''${srcBase/.tar.gz/}
+srcVers=(''${srcName//-/ })
+version=''${srcVers[1]}
+
+checksumUrl=$srcUrl.sha256sum
+checksumFile=''${checksumUrl##*/}
+
+sigUrl=$checksumUrl.asc
+sigFile=''${sigUrl##*/}
+
+# upstream does not support byte ranges ...
+[[ -e "$srcFile" ]] || curl -L -o "$srcFile" -- "$srcUrl"
+[[ -e "$checksumFile" ]] || curl -L -o "$checksumFile" -- "$checksumUrl"
+[[ -e "$sigFile" ]] || curl -L -o "$sigFile" -- "$sigUrl"
+
+export GNUPGHOME=$PWD/gnupg
+mkdir -m 700 -p "$GNUPGHOME"
+
+gpg --batch --recv-keys ${concatStringsSep " " (map (x: "'${x}'") signingKeys)}
+gpg --batch --verify "$sigFile" "$checksumFile"
+
+sha256sum -c "$checksumFile"
+
+update-source-version tor "$version" "$(cut -d ' ' "$checksumFile")"
+''