Update nixpkgs (+ jupyterhub) #777

dpausp · 2023-09-04T15:51:33Z

Update nixpkgs

Pull upstream NixOS changes, security fixes and package updates:

element-web: 1.11.38 -> 1.11.40
grafana: 9.5.7 -> 9.5.8
haproxy: 2.7.8 -> 2.7.10 (CVE-2023-40225)
linux: 6.1.45 -> 6.1.51
matrix-synapse: 1.90.0 -> 1.91.0
postfix: 3.8.0 -> 3.8.2
qemu: 8.0.3 -> 8.0.4

PL-131738

This also adds a fix and update for jupyterhub:

jupyterhub: 1.5.0 -> 4.0.1

PL-131716

@flyingcircusio/release-managers

Release process

Impact:

[NixOS 23.05] Machines will reboot after the update to activate the changed kernel.

Changelog:

(include commit msg from above)

Security implications

Security requirements defined? (WHERE)
- pull in upstream security fixes regularly
Security requirements tested? (EVIDENCE)
- verified that the changed nixexprs packing code in the release job still produces the same archive content as before
- automated tests still run, works on various test VM, including a test mail server
- checked commit log for fixed CVEs and possible problems with updates, looked at synapse/upgrade.md, Postfix Announcements and Grafana changelog

Pull upstream NixOS changes, security fixes and package updates: - element-web: 1.11.38 -> 1.11.40 - grafana: 9.5.7 -> 9.5.8 - haproxy: 2.7.8 -> 2.7.10 (CVE-2023-40225) - linux: 6.1.45 -> 6.1.51 - matrix-synapse: 1.90.0 -> 1.91.0 - postfix: 3.8.0 -> 3.8.2 - qemu: 8.0.3 -> 8.0.4 PL-131738 This also adds a fix and update for jupyterhub: - jupyterhub: 1.5.0 -> 4.0.1 PL-131716

release/default.nix

upstream introduced a test which tests behaviour with broken symlinks, related to RFC 140. Our combined sources for the release tarball contain symlinks to the various inputs (nixpkgs, fc, nixos-mailserver) which have to be dereferenced by tar, thus using the -h option. This causes tar to fail on the test symlink which points to nothing. We use tar now without dereferencing which makes it a bit more complicated to get the desired archive structure. This change also modifies xz compression settings to reduce file size and decompression time. xz now uses the default of -6 with additional "extreme" tuning which reduces size even further without increasing decompression time. We now also use all available cores for compression.

dpausp force-pushed the PL-131738-update-nixpkgs branch 2 times, most recently from e01dbf5 to 0b6cce4 Compare September 6, 2023 14:53

dpausp mentioned this pull request Sep 6, 2023

Update nixpkgs + jupyterhub 4.0.1 #774

Closed

2 tasks

dpausp changed the title ~~Update nixpkgs~~ Update nixpkgs (+ jupyterhub) Sep 6, 2023

dpausp force-pushed the PL-131738-update-nixpkgs branch from 0b6cce4 to cda45e3 Compare September 6, 2023 23:15

dpausp force-pushed the PL-131738-update-nixpkgs branch from cda45e3 to 96e3872 Compare September 8, 2023 10:14

dpausp marked this pull request as ready for review September 8, 2023 11:35

dpausp requested a review from osnyx September 8, 2023 11:35

sysvinit reviewed Sep 11, 2023

View reviewed changes

release/default.nix Outdated Show resolved Hide resolved

dpausp force-pushed the PL-131738-update-nixpkgs branch from 96e3872 to 561db61 Compare September 13, 2023 09:02

ctheune merged commit 6068ed0 into fc-23.05-dev Sep 13, 2023
1 check passed

ctheune deleted the PL-131738-update-nixpkgs branch September 13, 2023 09:52

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update nixpkgs (+ jupyterhub) #777

Update nixpkgs (+ jupyterhub) #777

dpausp commented Sep 4, 2023 •

edited

Loading

Update nixpkgs (+ jupyterhub) #777

Update nixpkgs (+ jupyterhub) #777

Conversation

dpausp commented Sep 4, 2023 • edited Loading

Release process

Security implications

dpausp commented Sep 4, 2023 •

edited

Loading