Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/akonadi-paths.patch53
-rw-r--r--gnu/packages/patches/bluez-CVE-2020-0556.patch180
-rw-r--r--gnu/packages/patches/calibre-msgpack-compat.patch18
-rw-r--r--gnu/packages/patches/calibre-remove-test-bs4.patch34
-rw-r--r--gnu/packages/patches/kdepim-runtime-Fix-missing-link-libraries.patch42
-rw-r--r--gnu/packages/patches/kinit-kdeinit-extra_libs.patch10
-rw-r--r--gnu/packages/patches/libdrm-realpath-virtio.patch42
-rw-r--r--gnu/packages/patches/libdrm-symbol-check.patch215
-rw-r--r--gnu/packages/patches/nss-CVE-2020-12399.patch138
-rw-r--r--gnu/packages/patches/pyqt-unbundled-qt.patch19
-rw-r--r--gnu/packages/patches/qtbase-QTBUG-81715.patch40
-rw-r--r--gnu/packages/patches/qtbase-use-TZDIR.patch4
12 files changed, 75 insertions, 720 deletions
diff --git a/gnu/packages/patches/akonadi-paths.patch b/gnu/packages/patches/akonadi-paths.patch
index da250ee9e8..ac08ec5448 100644
--- a/gnu/packages/patches/akonadi-paths.patch
+++ b/gnu/packages/patches/akonadi-paths.patch
@@ -1,31 +1,31 @@
 This is based on the respectve patch from NixPkgs, but with the parts pinning
 mysql and postgresql executables removed. The our package definition on why.
 
-
-Index: akonadi-19.08.0/src/akonadicontrol/agentmanager.cpp
-===================================================================
---- akonadi-19.08.0.orig/src/akonadicontrol/agentmanager.cpp
-+++ akonadi-19.08.0/src/akonadicontrol/agentmanager.cpp
-@@ -78,12 +78,12 @@ AgentManager::AgentManager(bool verbose,
-     mStorageController = new Akonadi::ProcessControl;
-     mStorageController->setShutdownTimeout(15 * 1000);   // the server needs more time for shutdown if we are using an internal mysqld
-     connect(mStorageController, &Akonadi::ProcessControl::unableToStart, this, &AgentManager::serverFailure);
--    mStorageController->start(QStringLiteral("akonadiserver"), serviceArgs, Akonadi::ProcessControl::RestartOnCrash);
-+    mStorageController->start(QLatin1String(NIX_OUT "/bin/akonadiserver"), serviceArgs, Akonadi::ProcessControl::RestartOnCrash);
+diff --git a/src/akonadicontrol/agentmanager.cpp b/src/akonadicontrol/agentmanager.cpp
+--- a/src/akonadicontrol/agentmanager.cpp
++++ b/src/akonadicontrol/agentmanager.cpp
+@@ -61,7 +61,7 @@ public:
+                 []() {
+                     QCoreApplication::instance()->exit(255);
+                 });
+-        start(QStringLiteral("akonadiserver"), args, RestartOnCrash);
++        start(QLatin1String(NIX_OUT "/bin/akonadiserver"), args, RestartOnCrash);
+     }
  
-     if (mAgentServerEnabled) {
-         mAgentServer = new Akonadi::ProcessControl;
-         connect(mAgentServer, &Akonadi::ProcessControl::unableToStart, this, &AgentManager::agentServerFailure);
--        mAgentServer->start(QStringLiteral("akonadi_agent_server"), serviceArgs, Akonadi::ProcessControl::RestartOnCrash);
-+        mAgentServer->start(QLatin1String(NIX_OUT "/bin/akonadi_agent_server"), serviceArgs, Akonadi::ProcessControl::RestartOnCrash);
+     ~StorageProcessControl() override
+@@ -84,7 +84,7 @@ public:
+                 []() {
+                     qCCritical(AKONADICONTROL_LOG) << "Failed to start AgentServer!";
+                 });
+-        start(QStringLiteral("akonadi_agent_server"), args, RestartOnCrash);
++        start(QLatin1String(NIX_OUT "/bin/akonadi_agent_server"), args, RestartOnCrash);
      }
- }
  
-Index: akonadi-19.08.0/src/akonadicontrol/agentprocessinstance.cpp
-===================================================================
---- akonadi-19.08.0.orig/src/akonadicontrol/agentprocessinstance.cpp
-+++ akonadi-19.08.0/src/akonadicontrol/agentprocessinstance.cpp
-@@ -62,7 +62,7 @@ bool AgentProcessInstance::start(const A
+     ~AgentServerProcessControl() override
+diff --git a/src/akonadicontrol/agentprocessinstance.cpp b/src/akonadicontrol/agentprocessinstance.cpp
+--- a/src/akonadicontrol/agentprocessinstance.cpp
++++ b/src/akonadicontrol/agentprocessinstance.cpp
+@@ -62,7 +62,7 @@ bool AgentProcessInstance::start(const AgentType &agentInfo)
      } else {
          Q_ASSERT(agentInfo.launchMethod == AgentType::Launcher);
          const QStringList arguments = QStringList() << executable << identifier();
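Review bot: The refreshed patch header still carries two wording slips in its unchanged first lines: "respectve" and the sentence "The our package definition on why", which presumably meant "See our package definition on why." Since the header is the only documentation this patch has, it would also help to state its purpose in one line, for example `Start akonadiserver and akonadi_agent_server by absolute path under NIX_OUT instead of by bare program name.` That is what the two rewritten `start(...)` calls in this hunk do. The point of the change is that the helpers are not resolved through the search path at run time. Where NIX_OUT is defined is not visible in this hunk.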
@@ -34,11 +34,10 @@ Index: akonadi-19.08.0/src/akonadicontrol/agentprocessinstance.cpp
          mController->start(agentLauncherExec, arguments);
      }
      return true;
-Index: akonadi-19.08.0/src/server/storage/dbconfigmysql.cpp
-===================================================================
---- akonadi-19.08.0.orig/src/server/storage/dbconfigmysql.cpp
-+++ akonadi-19.08.0/src/server/storage/dbconfigmysql.cpp
-@@ -209,7 +193,7 @@ bool DbConfigMysql::startInternalServer(
+diff --git a/src/server/storage/dbconfigmysql.cpp b/src/server/storage/dbconfigmysql.cpp
+--- a/src/server/storage/dbconfigmysql.cpp
++++ b/src/server/storage/dbconfigmysql.cpp
+@@ -209,7 +209,7 @@ bool DbConfigMysql::startInternalServer()
  #endif
  
      // generate config file
diff --git a/gnu/packages/patches/bluez-CVE-2020-0556.patch b/gnu/packages/patches/bluez-CVE-2020-0556.patch
deleted file mode 100644
index 7c34459a3a..0000000000
--- a/gnu/packages/patches/bluez-CVE-2020-0556.patch
+++ /dev/null
@@ -1,180 +0,0 @@
-Fix CVE-2020-0556:
-
-https://lore.kernel.org/linux-bluetooth/20200310023516.209146-1-alainm@chromium.org/
-https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0556
-
-Patches copied from upstream source repository:
-
-https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=3cccdbab2324086588df4ccf5f892fb3ce1f1787
-https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=8cdbd3b09f29da29374e2f83369df24228da0ad1
-
-From 3cccdbab2324086588df4ccf5f892fb3ce1f1787 Mon Sep 17 00:00:00 2001
-From: Alain Michaud <alainm@chromium.org>
-Date: Tue, 10 Mar 2020 02:35:18 +0000
-Subject: [PATCH] HID accepts bonded device connections only.
-
-This change adds a configuration for platforms to choose a more secure
-posture for the HID profile.  While some older mice are known to not
-support pairing or encryption, some platform may choose a more secure
-posture by requiring the device to be bonded  and require the
-connection to be encrypted when bonding is required.
-
-Reference:
-https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.html
----
- profiles/input/device.c   | 23 ++++++++++++++++++++++-
- profiles/input/device.h   |  1 +
- profiles/input/input.conf |  8 ++++++++
- profiles/input/manager.c  | 13 ++++++++++++-
- 4 files changed, 43 insertions(+), 2 deletions(-)
-
-diff --git a/profiles/input/device.c b/profiles/input/device.c
-index 2cb3811c8..d89da2d7c 100644
---- a/profiles/input/device.c
-+++ b/profiles/input/device.c
-@@ -92,6 +92,7 @@ struct input_device {
- 
- static int idle_timeout = 0;
- static bool uhid_enabled = false;
-+static bool classic_bonded_only = false;
- 
- void input_set_idle_timeout(int timeout)
- {
-@@ -103,6 +104,11 @@ void input_enable_userspace_hid(bool state)
- 	uhid_enabled = state;
- }
- 
-+void input_set_classic_bonded_only(bool state)
-+{
-+	classic_bonded_only = state;
-+}
-+
- static void input_device_enter_reconnect_mode(struct input_device *idev);
- static int connection_disconnect(struct input_device *idev, uint32_t flags);
- 
-@@ -970,8 +976,18 @@ static int hidp_add_connection(struct input_device *idev)
- 	if (device_name_known(idev->device))
- 		device_get_name(idev->device, req->name, sizeof(req->name));
- 
-+	/* Make sure the device is bonded if required */
-+	if (classic_bonded_only && !device_is_bonded(idev->device,
-+				btd_device_get_bdaddr_type(idev->device))) {
-+		error("Rejected connection from !bonded device %s", dst_addr);
-+		goto cleanup;
-+	}
-+
- 	/* Encryption is mandatory for keyboards */
--	if (req->subclass & 0x40) {
-+	/* Some platforms may choose to require encryption for all devices */
-+	/* Note that this only matters for pre 2.1 devices as otherwise the */
-+	/* device is encrypted by default by the lower layers */
-+	if (classic_bonded_only || req->subclass & 0x40) {
- 		if (!bt_io_set(idev->intr_io, &gerr,
- 					BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
- 					BT_IO_OPT_INVALID)) {
-@@ -1203,6 +1219,11 @@ static void input_device_enter_reconnect_mode(struct input_device *idev)
- 	DBG("path=%s reconnect_mode=%s", idev->path,
- 				reconnect_mode_to_string(idev->reconnect_mode));
- 
-+	/* Make sure the device is bonded if required */
-+	if (classic_bonded_only && !device_is_bonded(idev->device,
-+				btd_device_get_bdaddr_type(idev->device)))
-+		return;
-+
- 	/* Only attempt an auto-reconnect when the device is required to
- 	 * accept reconnections from the host.
- 	 */
-diff --git a/profiles/input/device.h b/profiles/input/device.h
-index 51a9aee18..3044db673 100644
---- a/profiles/input/device.h
-+++ b/profiles/input/device.h
-@@ -29,6 +29,7 @@ struct input_conn;
- 
- void input_set_idle_timeout(int timeout);
- void input_enable_userspace_hid(bool state);
-+void input_set_classic_bonded_only(bool state);
- 
- int input_device_register(struct btd_service *service);
- void input_device_unregister(struct btd_service *service);
-diff --git a/profiles/input/input.conf b/profiles/input/input.conf
-index 3e1d65aae..166aff4a4 100644
---- a/profiles/input/input.conf
-+++ b/profiles/input/input.conf
-@@ -11,3 +11,11 @@
- # Enable HID protocol handling in userspace input profile
- # Defaults to false (HIDP handled in HIDP kernel module)
- #UserspaceHID=true
-+
-+# Limit HID connections to bonded devices
-+# The HID Profile does not specify that devices must be bonded, however some
-+# platforms may want to make sure that input connections only come from bonded
-+# device connections. Several older mice have been known for not supporting
-+# pairing/encryption.
-+# Defaults to false to maximize device compatibility.
-+#ClassicBondedOnly=true
-diff --git a/profiles/input/manager.c b/profiles/input/manager.c
-index 1d31b0652..5cd27b839 100644
---- a/profiles/input/manager.c
-+++ b/profiles/input/manager.c
-@@ -96,7 +96,7 @@ static int input_init(void)
- 	config = load_config_file(CONFIGDIR "/input.conf");
- 	if (config) {
- 		int idle_timeout;
--		gboolean uhid_enabled;
-+		gboolean uhid_enabled, classic_bonded_only;
- 
- 		idle_timeout = g_key_file_get_integer(config, "General",
- 							"IdleTimeout", &err);
-@@ -114,6 +114,17 @@ static int input_init(void)
- 			input_enable_userspace_hid(uhid_enabled);
- 		} else
- 			g_clear_error(&err);
-+
-+		classic_bonded_only = g_key_file_get_boolean(config, "General",
-+						"ClassicBondedOnly", &err);
-+
-+		if (!err) {
-+			DBG("input.conf: ClassicBondedOnly=%s",
-+					classic_bonded_only ? "true" : "false");
-+			input_set_classic_bonded_only(classic_bonded_only);
-+		} else
-+			g_clear_error(&err);
-+
- 	}
- 
- 	btd_profile_register(&input_profile);
--- 
-2.25.1
-
-From 8cdbd3b09f29da29374e2f83369df24228da0ad1 Mon Sep 17 00:00:00 2001
-From: Alain Michaud <alainm@chromium.org>
-Date: Tue, 10 Mar 2020 02:35:16 +0000
-Subject: [PATCH] HOGP must only accept data from bonded devices.
-
-HOGP 1.0 Section 6.1 establishes that the HOGP must require bonding.
-
-Reference:
-https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00352.htm
----
- profiles/input/hog.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/profiles/input/hog.c b/profiles/input/hog.c
-index 83c017dcb..dfac68921 100644
---- a/profiles/input/hog.c
-+++ b/profiles/input/hog.c
-@@ -186,6 +186,10 @@ static int hog_accept(struct btd_service *service)
- 			return -EINVAL;
- 	}
- 
-+	/* HOGP 1.0 Section 6.1 requires bonding */
-+	if (!device_is_bonded(device, btd_device_get_bdaddr_type(device)))
-+		return -ECONNREFUSED;
-+
- 	/* TODO: Replace GAttrib with bt_gatt_client */
- 	bt_hog_attach(dev->hog, attrib);
- 
--- 
-2.25.1
-
diff --git a/gnu/packages/patches/calibre-msgpack-compat.patch b/gnu/packages/patches/calibre-msgpack-compat.patch
deleted file mode 100644
index 9920103bea..0000000000
--- a/gnu/packages/patches/calibre-msgpack-compat.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Fix deserialization with msgpack 1.0.
-
-Patch copied from upstream source repository:
-https://github.com/kovidgoyal/calibre/commit/0ff41ac64994ec11b7859fc004c94d08769e3af3
-
-diff --git a/src/calibre/utils/serialize.py b/src/calibre/utils/serialize.py
-index f5d560c468..c35ae53849 100644
---- a/src/calibre/utils/serialize.py
-+++ b/src/calibre/utils/serialize.py
-@@ -110,7 +110,7 @@ def msgpack_decoder(code, data):
- def msgpack_loads(dump, use_list=True):
-     # use_list controls whether msgpack arrays are unpacked as lists or tuples
-     import msgpack
--    return msgpack.unpackb(dump, ext_hook=msgpack_decoder, raw=False, use_list=use_list)
-+    return msgpack.unpackb(dump, ext_hook=msgpack_decoder, raw=False, use_list=use_list, strict_map_key=False)
- 
- 
- def json_loads(data):
diff --git a/gnu/packages/patches/calibre-remove-test-bs4.patch b/gnu/packages/patches/calibre-remove-test-bs4.patch
deleted file mode 100644
index 77dd45d329..0000000000
--- a/gnu/packages/patches/calibre-remove-test-bs4.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-In my efforts to fix all Calibre tests, this test would always complain about
-backports.functools_lru_cache not existing even after I packaged and added
-python2-soupsieve as an input and confirmed it was in the
-PYTHONPATH. Currently Calibre does not actually use it for anything other than
-testing it's there, so I assume they will start using it in future Calibre
-versions.
-
-From 2738dd42caebe55326c76922a12ba8740bdb22e7 Mon Sep 17 00:00:00 2001
-From: Brendan Tildesley <mail@brendan.scot>
-Date: Sat, 27 Apr 2019 00:42:39 +1000
-Subject: [PATCH] Remove test_bs4
-
----
- src/calibre/test_build.py | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/src/calibre/test_build.py b/src/calibre/test_build.py
-index 73f1172e8c..07bdffd3e5 100644
---- a/src/calibre/test_build.py
-+++ b/src/calibre/test_build.py
-@@ -73,10 +73,6 @@ class BuildTest(unittest.TestCase):
-         from html5_parser import parse
-         parse('<p>xxx')
- 
--    def test_bs4(self):
--        import soupsieve, bs4
--        del soupsieve, bs4
--
-     def test_zeroconf(self):
-         if ispy3:
-             import zeroconf as z, ifaddr
--- 
-2.21.0
-
diff --git a/gnu/packages/patches/kdepim-runtime-Fix-missing-link-libraries.patch b/gnu/packages/patches/kdepim-runtime-Fix-missing-link-libraries.patch
deleted file mode 100644
index 13345c0038..0000000000
--- a/gnu/packages/patches/kdepim-runtime-Fix-missing-link-libraries.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From b84c4ba97cecf7304e99cafdd8a9c5866ce27050 Mon Sep 17 00:00:00 2001
-From: Hartmut Goebel <h.goebel@crazy-compilers.com>
-Date: Tue, 21 Jan 2020 23:33:50 +0100
-Subject: [PATCH] Fix missing link libraries.
-
-See <https://phabricator.kde.org/D26819>
-
-These are only actually missing if the libraries reside in different
-prefixes, as it is the case in Guix or Nix.
----
- resources/ews/test/CMakeLists.txt | 1 +
- resources/facebook/CMakeLists.txt | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/resources/ews/test/CMakeLists.txt b/resources/ews/test/CMakeLists.txt
-index b20eddcb8..6355eb994 100644
---- a/resources/ews/test/CMakeLists.txt
-+++ b/resources/ews/test/CMakeLists.txt
-@@ -35,6 +35,7 @@ qt5_add_resources(isolatestestcommon_RSRCS isolatedtestcommon.qrc)
- add_library(isolatedtestcommon STATIC ${isolatestestcommon_SRCS})
- target_link_libraries(isolatedtestcommon
-   KF5::AkonadiCore
-+  KF5::AkonadiMime
-   Qt5::Core
-   Qt5::Network
-   Qt5::Test
-diff --git a/resources/facebook/CMakeLists.txt b/resources/facebook/CMakeLists.txt
-index bdd5eeaa7..27a9c83c1 100644
---- a/resources/facebook/CMakeLists.txt
-+++ b/resources/facebook/CMakeLists.txt
-@@ -21,7 +21,8 @@ add_library(facebookresourcelib STATIC ${fbresource_SRCS})
- 
- target_link_libraries(facebookresourcelib
-     KF5::KIOWidgets
-+    KF5::AkonadiCore
-     KF5::IconThemes
-     KF5::I18n
-     KF5::ConfigGui
-     KF5::CalendarCore
--- 
-2.21.1
-
diff --git a/gnu/packages/patches/kinit-kdeinit-extra_libs.patch b/gnu/packages/patches/kinit-kdeinit-extra_libs.patch
index c3c4ce1161..1271f3df7d 100644
--- a/gnu/packages/patches/kinit-kdeinit-extra_libs.patch
+++ b/gnu/packages/patches/kinit-kdeinit-extra_libs.patch
@@ -42,12 +42,12 @@ pkgs/development/libraries/kde-frameworks/kinit/kdeinit-extra_libs.patch
  extern "C" {
  
      static void secondary_child_handler(int)
-@@ -1689,7 +1693,7 @@
+@@ -1673,7 +1673,7 @@
+ #if defined(Q_OS_UNIX) && !defined(Q_OS_OSX)
      if (!d.suicide && qEnvironmentVariableIsEmpty("KDE_IS_PRELINKED")) {
-         const int extrasCount = sizeof(extra_libs) / sizeof(extra_libs[0]);
-         for (int i = 0; i < extrasCount; i++) {
--            const QString extra = findSharedLib(QString::fromLatin1(extra_libs[i]));
-+            const QString extra = QString::fromLatin1(extra_libs[i]);
+         for (const char *extra_lib : extra_libs) {
+-            const QString extra = findSharedLib(QString::fromLatin1(extra_lib));
++            const QString extra = QString::fromLatin1(extra_lib);
              if (!extra.isEmpty()) {
                  QLibrary l(extra);
                  l.setLoadHints(QLibrary::ExportExternalSymbolsHint);
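Review bot: With `findSharedLib()` dropped from the loop, the only guard left before `QLibrary l(extra)` is `!extra.isEmpty()`, so an `extra_libs` entry that is not an absolute path would be resolved through the loader's normal search order instead of a fixed location. The `extra_libs` array is defined outside this hunk, so it cannot be confirmed from here that every entry is an absolute store path. A one-line comment above the loop would record the requirement for the next refresh, e.g. `// extra_libs must hold absolute paths: they are loaded as-is, with no lookup`. The enclosing function starts and ends outside the hunk.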
diff --git a/gnu/packages/patches/libdrm-realpath-virtio.patch b/gnu/packages/patches/libdrm-realpath-virtio.patch
new file mode 100644
index 0000000000..b7d85160b4
--- /dev/null
+++ b/gnu/packages/patches/libdrm-realpath-virtio.patch
@@ -0,0 +1,42 @@
+Only check for for relative path on virtio devices.  Otherwise it could
+break driver loading in some circumstances, notably the IceCat sandbox.
+
+https://gitlab.freedesktop.org/mesa/drm/-/issues/39
+
+Taken from upstream:
+https://gitlab.freedesktop.org/mesa/drm/-/commit/57df07572ce45a1b60bae6fb89770388d3abd6dd
+
+diff --git a/xf86drm.c b/xf86drm.c
+--- a/xf86drm.c
++++ b/xf86drm.c
+@@ -3103,15 +3103,18 @@ static int drmParseSubsystemType(int maj, int min)
+     int subsystem_type;
+ 
+     snprintf(path, sizeof(path), "/sys/dev/char/%d:%d/device", maj, min);
+-    if (!realpath(path, real_path))
+-        return -errno;
+-    snprintf(path, sizeof(path), "%s", real_path);
+ 
+     subsystem_type = get_subsystem_type(path);
++    /* Try to get the parent (underlying) device type */
+     if (subsystem_type == DRM_BUS_VIRTIO) {
++        /* Assume virtio-pci on error */
++        if (!realpath(path, real_path))
++            return DRM_BUS_VIRTIO;
+         strncat(path, "/..", PATH_MAX);
+         subsystem_type = get_subsystem_type(path);
+-    }
++        if (subsystem_type < 0)
++            return DRM_BUS_VIRTIO;
++     }
+     return subsystem_type;
+ #elif defined(__OpenBSD__) || defined(__DragonFly__) || defined(__FreeBSD__)
+     return DRM_BUS_PCI;
+@@ -3920,6 +3923,7 @@ process_device(drmDevicePtr *device, const char *d_name,
+ 
+     switch (subsystem_type) {
+     case DRM_BUS_PCI:
++    case DRM_BUS_VIRTIO:
+         return drmProcessPciDevice(device, node, node_type, maj, min,
+                                    fetch_deviceinfo, flags);
+     case DRM_BUS_USB:
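Review bot: `strncat(path, "/..", PATH_MAX)` in drmParseSubsystemType passes a buffer-sized bound, but strncat's third argument limits the bytes appended, not the total length, so it does not protect `path`. The string written by the preceding `snprintf` is short, so this looks safe in practice, and the line is unchanged upstream context. The bound that says what is meant is `strncat(path, "/..", sizeof(path) - strlen(path) - 1);`, which is probably better reported upstream than changed in this copy. Separately, the patch header reads "Only check for for relative path", where the doubled word should be dropped. The declarations of `path` and `real_path` are outside the hunk, so their sizes are assumed from the `sizeof(path)` use.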
diff --git a/gnu/packages/patches/libdrm-symbol-check.patch b/gnu/packages/patches/libdrm-symbol-check.patch
deleted file mode 100644
index 0a77763a4f..0000000000
--- a/gnu/packages/patches/libdrm-symbol-check.patch
+++ /dev/null
@@ -1,215 +0,0 @@
-Augment the list of expected symbols to fix the symbol-check tests on
-mips64el-linux, armhf-linux and aarch64-linux.
-
---- libdrm-2.4.65/freedreno/freedreno-symbol-check.orig	2015-09-04 11:07:40.000000000 -0400
-+++ libdrm-2.4.65/freedreno/freedreno-symbol-check	2015-10-18 23:57:15.288416229 -0400
-@@ -1,6 +1,6 @@
- #!/bin/bash
- 
--# The following symbols (past the first five) are taken from the public headers.
-+# The following symbols (past the first 12) are taken from the public headers.
- # A list of the latter should be available Makefile.sources/LIBDRM_FREEDRENO_H_FILES
- 
- FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_freedreno.so} | awk '{print $3}'| while read func; do
-@@ -10,6 +10,13 @@
- _end
- _fini
- _init
-+_fbss
-+_fdata
-+_ftext
-+__bss_start__
-+__bss_end__
-+_bss_end__
-+__end__
- fd_bo_cpu_fini
- fd_bo_cpu_prep
- fd_bo_del
---- libdrm-2.4.65/nouveau/nouveau-symbol-check.orig	2015-05-04 11:47:43.000000000 -0400
-+++ libdrm-2.4.65/nouveau/nouveau-symbol-check	2015-10-18 23:55:26.078327118 -0400
-@@ -1,6 +1,6 @@
- #!/bin/bash
- 
--# The following symbols (past the first five) are taken from the public headers.
-+# The following symbols (past the first 12) are taken from the public headers.
- # A list of the latter should be available Makefile.sources/LIBDRM_NOUVEAU_H_FILES
- 
- FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_nouveau.so} | awk '{print $3}'| while read func; do
-@@ -10,6 +10,13 @@
- _end
- _fini
- _init
-+_fbss
-+_fdata
-+_ftext
-+__bss_start__
-+__bss_end__
-+_bss_end__
-+__end__
- nouveau_bo_map
- nouveau_bo_name_get
- nouveau_bo_name_ref
---- libdrm-2.4.65/libkms/kms-symbol-check.orig	2015-05-04 11:47:43.000000000 -0400
-+++ libdrm-2.4.65/libkms/kms-symbol-check	2015-10-18 23:46:10.683869471 -0400
-@@ -1,6 +1,6 @@
- #!/bin/bash
- 
--# The following symbols (past the first five) are taken from the public headers.
-+# The following symbols (past the first 12) are taken from the public headers.
- # A list of the latter should be available Makefile.sources/LIBKMS_H_FILES
- 
- FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libkms.so} | awk '{print $3}'| while read func; do
-@@ -10,6 +10,13 @@
- _end
- _fini
- _init
-+_fbss
-+_fdata
-+_ftext
-+__bss_start__
-+__bss_end__
-+_bss_end__
-+__end__
- kms_bo_create
- kms_bo_destroy
- kms_bo_get_prop
---- libdrm-2.4.65/intel/intel-symbol-check.orig	2015-05-04 11:47:43.000000000 -0400
-+++ libdrm-2.4.65/intel/intel-symbol-check	2015-10-18 23:55:53.309558508 -0400
-@@ -1,6 +1,6 @@
- #!/bin/bash
- 
--# The following symbols (past the first five) are taken from the public headers.
-+# The following symbols (past the first 12) are taken from the public headers.
- # A list of the latter should be available Makefile.sources/LIBDRM_INTEL_H_FILES
- 
- FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_intel.so} | awk '{print $3}' | while read func; do
-@@ -10,6 +10,13 @@
- _end
- _fini
- _init
-+_fbss
-+_fdata
-+_ftext
-+__bss_start__
-+__bss_end__
-+_bss_end__
-+__end__
- drm_intel_bo_alloc
- drm_intel_bo_alloc_for_render
- drm_intel_bo_alloc_tiled
---- libdrm-2.4.65/amdgpu/amdgpu-symbol-check.orig	2015-08-17 10:08:11.000000000 -0400
-+++ libdrm-2.4.65/amdgpu/amdgpu-symbol-check	2015-10-18 23:56:10.606917723 -0400
-@@ -1,6 +1,6 @@
- #!/bin/bash
- 
--# The following symbols (past the first five) are taken from the public headers.
-+# The following symbols (past the first 12) are taken from the public headers.
- # A list of the latter should be available Makefile.am/libdrm_amdgpuinclude_HEADERS
- 
- FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_amdgpu.so} | awk '{print $3}' | while read func; do
-@@ -10,6 +10,13 @@
- _end
- _fini
- _init
-+_fbss
-+_fdata
-+_ftext
-+__bss_start__
-+__bss_end__
-+_bss_end__
-+__end__
- amdgpu_bo_alloc
- amdgpu_bo_cpu_map
- amdgpu_bo_cpu_unmap
---- libdrm-2.4.65/exynos/exynos-symbol-check.orig	2015-05-04 11:47:43.000000000 -0400
-+++ libdrm-2.4.65/exynos/exynos-symbol-check	2015-10-18 23:56:32.025486153 -0400
-@@ -1,6 +1,6 @@
- #!/bin/bash
- 
--# The following symbols (past the first five) are taken from the public headers.
-+# The following symbols (past the first 12) are taken from the public headers.
- # A list of the latter should be available Makefile.am/libdrm_exynos*_HEADERS
- 
- FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_exynos.so} | awk '{print $3}'| while read func; do
-@@ -10,6 +10,13 @@
- _end
- _fini
- _init
-+_fbss
-+_fdata
-+_ftext
-+__bss_start__
-+__bss_end__
-+_bss_end__
-+__end__
- exynos_bo_create
- exynos_bo_destroy
- exynos_bo_from_name
---- libdrm-2.4.65/omap/omap-symbol-check.orig	2015-05-04 11:47:43.000000000 -0400
-+++ libdrm-2.4.65/omap/omap-symbol-check	2015-10-18 23:56:44.834438626 -0400
-@@ -1,6 +1,6 @@
- #!/bin/bash
- 
--# The following symbols (past the first five) are taken from the public headers.
-+# The following symbols (past the first 12) are taken from the public headers.
- # A list of the latter should be available Makefile.am/libdrm_omap*HEADERS
- 
- FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_omap.so} | awk '{print $3}'| while read func; do
-@@ -10,6 +10,13 @@
- _end
- _fini
- _init
-+_fbss
-+_fdata
-+_ftext
-+__bss_start__
-+__bss_end__
-+_bss_end__
-+__end__
- omap_bo_cpu_fini
- omap_bo_cpu_prep
- omap_bo_del
---- libdrm-2.4.65/tegra/tegra-symbol-check.orig	2015-05-04 11:47:43.000000000 -0400
-+++ libdrm-2.4.65/tegra/tegra-symbol-check	2015-10-18 23:57:00.756759698 -0400
-@@ -1,6 +1,6 @@
- #!/bin/bash
- 
--# The following symbols (past the first nine) are taken from tegra.h.
-+# The following symbols (past the first 12) are taken from tegra.h.
- 
- FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_tegra.so} | awk '{print $3}'| while read func; do
- ( grep -q "^$func$" || echo $func )  <<EOF
-@@ -9,6 +9,9 @@
- __bss_start
- __end__
- _bss_end__
-+_fbss
-+_fdata
-+_ftext
- _edata
- _end
- _fini
---- libdrm-2.4.65/radeon/radeon-symbol-check.orig	2015-05-04 11:47:43.000000000 -0400
-+++ libdrm-2.4.65/radeon/radeon-symbol-check	2015-10-18 23:57:00.756759698 -0400
-@@ -1,6 +1,6 @@
- #!/bin/bash
- 
--# The following symbols (past the first five) are taken from the public headers.
-+# The following symbols (past the first 12) are taken from the public headers.
- # A list of the latter should be available Makefile.sources/LIBDRM_RADEON_H_FILES
- 
- FUNCS=$(nm -D --format=bsd --defined-only ${1-.libs/libdrm_tegra.so} | awk '{print $3}'| while read func; do
-@@ -10,6 +10,13 @@
- _end
- _fini
- _init
-+_fbss
-+_fdata
-+_ftext
-+__bss_start__
-+__bss_end__
-+_bss_end__
-+__end__
- radeon_bo_debug
- radeon_bo_get_handle
- radeon_bo_get_src_domain
diff --git a/gnu/packages/patches/nss-CVE-2020-12399.patch b/gnu/packages/patches/nss-CVE-2020-12399.patch
deleted file mode 100644
index 0d91b655e2..0000000000
--- a/gnu/packages/patches/nss-CVE-2020-12399.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-Fix CVE-2020-12399 (Timing attack on DSA signature generation: NSS has
-shown timing differences when performing DSA signatures, which was
-exploitable and could eventually leak private keys.)
-
-Copied from upstream:
-<https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e>
-but with "nss/" inserted into the file name to patch.
-
-# HG changeset patch
-# User Robert Relyea <rrelyea@redhat.com>
-# Date 1589907685 0
-# Node ID daa823a4a29bcef0fec33a379ec83857429aea2e
-# Parent  d2cfb4ccdf167e5ea06d2bb5bc39c50f789929c8
-Bug 1631576 - Force a fixed length for DSA exponentiation r=pereida,bbrumley
-
-Differential Revision: https://phabricator.services.mozilla.com/D72011
-
-diff --git a/nss/lib/freebl/dsa.c b/nss/lib/freebl/dsa.c
---- a/nss/lib/freebl/dsa.c
-+++ b/nss/lib/freebl/dsa.c
-@@ -308,23 +308,24 @@ DSA_NewKeyFromSeed(const PQGParams *para
-     SECItem seedItem;
-     seedItem.data = (unsigned char *)seed;
-     seedItem.len = PQG_GetLength(&params->subPrime);
-     return dsa_NewKeyExtended(params, &seedItem, privKey);
- }
- 
- static SECStatus
- dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest,
--               const unsigned char *kb)
-+               const unsigned char *kbytes)
- {
-     mp_int p, q, g; /* PQG parameters */
-     mp_int x, k;    /* private key & pseudo-random integer */
-     mp_int r, s;    /* tuple (r, s) is signature) */
-     mp_int t;       /* holding tmp values */
-     mp_int ar;      /* holding blinding values */
-+    mp_digit fuzz;  /* blinding multiplier for q */
-     mp_err err = MP_OKAY;
-     SECStatus rv = SECSuccess;
-     unsigned int dsa_subprime_len, dsa_signature_len, offset;
-     SECItem localDigest;
-     unsigned char localDigestData[DSA_MAX_SUBPRIME_LEN];
-     SECItem t2 = { siBuffer, NULL, 0 };
- 
-     /* FIPS-compliance dictates that digest is a SHA hash. */
-@@ -368,31 +369,46 @@ dsa_SignDigest(DSAPrivateKey *key, SECIt
-     CHECK_MPI_OK(mp_init(&q));
-     CHECK_MPI_OK(mp_init(&g));
-     CHECK_MPI_OK(mp_init(&x));
-     CHECK_MPI_OK(mp_init(&k));
-     CHECK_MPI_OK(mp_init(&r));
-     CHECK_MPI_OK(mp_init(&s));
-     CHECK_MPI_OK(mp_init(&t));
-     CHECK_MPI_OK(mp_init(&ar));
-+
-     /*
-     ** Convert stored PQG and private key into MPI integers.
-     */
-     SECITEM_TO_MPINT(key->params.prime, &p);
-     SECITEM_TO_MPINT(key->params.subPrime, &q);
-     SECITEM_TO_MPINT(key->params.base, &g);
-     SECITEM_TO_MPINT(key->privateValue, &x);
--    OCTETS_TO_MPINT(kb, &k, dsa_subprime_len);
-+    OCTETS_TO_MPINT(kbytes, &k, dsa_subprime_len);
-+
-+    /* k blinding  create a single value that has the high bit set in
-+     * the mp_digit*/
-+    if (RNG_GenerateGlobalRandomBytes(&fuzz, sizeof(mp_digit)) != SECSuccess) {
-+        PORT_SetError(SEC_ERROR_NEED_RANDOM);
-+        rv = SECFailure;
-+        goto cleanup;
-+    }
-+    fuzz |= 1ULL << ((sizeof(mp_digit) * PR_BITS_PER_BYTE - 1));
-     /*
-     ** FIPS 186-1, Section 5, Step 1
-     **
-     ** r = (g**k mod p) mod q
-     */
--    CHECK_MPI_OK(mp_exptmod(&g, &k, &p, &r)); /* r = g**k mod p */
--    CHECK_MPI_OK(mp_mod(&r, &q, &r));         /* r = r mod q    */
-+    CHECK_MPI_OK(mp_mul_d(&q, fuzz, &t)); /* t = q*fuzz */
-+    CHECK_MPI_OK(mp_add(&k, &t, &t));     /* t = k+q*fuzz */
-+    /* length of t is now fixed, bits in k have been blinded */
-+    CHECK_MPI_OK(mp_exptmod(&g, &t, &p, &r)); /* r = g**t mod p */
-+    /* r is now g**(k+q*fuzz) == g**k mod p */
-+    CHECK_MPI_OK(mp_mod(&r, &q, &r)); /* r = r mod q    */
-+
-     /*
-     ** FIPS 186-1, Section 5, Step 2
-     **
-     ** s = (k**-1 * (HASH(M) + x*r)) mod q
-     */
-     if (DSA_NewRandom(NULL, &key->params.subPrime, &t2) != SECSuccess) {
-         PORT_SetError(SEC_ERROR_NEED_RANDOM);
-         rv = SECFailure;
-@@ -406,25 +422,34 @@ dsa_SignDigest(DSAPrivateKey *key, SECIt
-         goto cleanup;
-     }
-     SECITEM_TO_MPINT(t2, &ar); /* ar <-$ Zq */
-     SECITEM_FreeItem(&t2, PR_FALSE);
- 
-     /* Using mp_invmod on k directly would leak bits from k. */
-     CHECK_MPI_OK(mp_mul(&k, &ar, &k));       /* k = k * ar */
-     CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */
--    CHECK_MPI_OK(mp_invmod(&k, &q, &k));     /* k = k**-1 mod q */
-+    /* k is now k*t*ar */
-+    CHECK_MPI_OK(mp_invmod(&k, &q, &k)); /* k = k**-1 mod q */
-+    /* k is now (k*t*ar)**-1 */
-     CHECK_MPI_OK(mp_mulmod(&k, &t, &q, &k)); /* k = k * t mod q */
--    SECITEM_TO_MPINT(localDigest, &s);       /* s = HASH(M)     */
-+    /* k is now (k*ar)**-1 */
-+    SECITEM_TO_MPINT(localDigest, &s); /* s = HASH(M)     */
-     /* To avoid leaking secret bits here the addition is blinded. */
--    CHECK_MPI_OK(mp_mul(&x, &ar, &x));        /* x = x * ar */
--    CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x));  /* x = x * r mod q */
-+    CHECK_MPI_OK(mp_mul(&x, &ar, &x)); /* x = x * ar */
-+    /* x is now x*ar */
-+    CHECK_MPI_OK(mp_mulmod(&x, &r, &q, &x)); /* x = x * r mod q */
-+    /* x is now x*r*ar */
-     CHECK_MPI_OK(mp_mulmod(&s, &ar, &q, &t)); /* t = s * ar mod q */
--    CHECK_MPI_OK(mp_add(&t, &x, &s));         /* s = t + x */
--    CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s));  /* s = s * k mod q */
-+    /* t is now hash(M)*ar */
-+    CHECK_MPI_OK(mp_add(&t, &x, &s)); /* s = t + x */
-+    /* s is now (HASH(M)+x*r)*ar */
-+    CHECK_MPI_OK(mp_mulmod(&s, &k, &q, &s)); /* s = s * k mod q */
-+    /* s is now (HASH(M)+x*r)*ar*(k*ar)**-1 = (k**-1)*(HASH(M)+x*r) */
-+
-     /*
-     ** verify r != 0 and s != 0
-     ** mentioned as optional in FIPS 186-1.
-     */
-     if (mp_cmp_z(&r) == 0 || mp_cmp_z(&s) == 0) {
-         PORT_SetError(SEC_ERROR_NEED_RANDOM);
-         rv = SECFailure;
-         goto cleanup;
-
diff --git a/gnu/packages/patches/pyqt-unbundled-qt.patch b/gnu/packages/patches/pyqt-unbundled-qt.patch
deleted file mode 100644
index 5c91ed031c..0000000000
--- a/gnu/packages/patches/pyqt-unbundled-qt.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Remove test for bundled Qt which breaks dependent applications.  This has
-been fixed in 5.13.
-
-Taken from Arch Linux:
-https://git.archlinux.org/svntogit/packages.git/tree/trunk/python2-pyqt5-crash-fix.patch?h=packages/pyqt5&id=3e56e11d1fd7b1eac8242ce64c58db2bd9acba20
-
-diff -ur PyQt5_gpl-5.12.3/qpy/QtCore/qpycore_post_init.cpp.in PyQt5_gpl-5.12.3b/qpy/QtCore/qpycore_post_init.cpp.in
---- PyQt5_gpl-5.12.3/qpy/QtCore/qpycore_post_init.cpp.in        2019-06-25 14:41:02.000000000 +0200
-+++ PyQt5_gpl-5.12.3b/qpy/QtCore/qpycore_post_init.cpp.in       2019-07-01 17:06:34.882644535 +0200
-@@ -151,8 +151,4 @@
-     // initialised first (at least for Windows) and this is the only way to
-     // guarantee things are done in the right order.
-     PyQtSlotProxy::mutex = new QMutex(QMutex::Recursive);
--
--    // Load the embedded qt.conf file if there is a bundled copy of Qt.
--    if (!qpycore_qt_conf())
--        Py_FatalError("PyQt5.QtCore: Unable to embed qt.conf");
- }
-
diff --git a/gnu/packages/patches/qtbase-QTBUG-81715.patch b/gnu/packages/patches/qtbase-QTBUG-81715.patch
deleted file mode 100644
index 70b83b97d2..0000000000
--- a/gnu/packages/patches/qtbase-QTBUG-81715.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 8a3fde00bf53d99e9e4853e8ab97b0e1bcf74915 Mon Sep 17 00:00:00 2001
-From: Joerg Bornemann <joerg.bornemann@qt.io>
-Date: Wed, 29 Jan 2020 11:06:35 +0100
-Subject: [PATCH] Fix qt5_make_output_file macro for paths containing dots
-
-Commit 89bd5a7e broke CMake projects that use dots in their build
-paths, because the used regular expression matches the directory part
-of the path as well.
-
-The regex wants to achieve the same as get_filename_component(...
-NAME_WLE) which is available since CMake 3.14. Re-implement the
-NAME_WLE functionality for older CMake versions by using multiple
-get_filename_component calls.
-
-Fixes: QTBUG-81715
-Task-number: QTBUG-80295
-Change-Id: I2ef053300948f6e1b2c0c5eafac35105f193d4e6
-Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
----
-
-diff --git a/src/corelib/Qt5CoreMacros.cmake b/src/corelib/Qt5CoreMacros.cmake
-index 7735e51..b3da640 100644
---- a/src/corelib/Qt5CoreMacros.cmake
-+++ b/src/corelib/Qt5CoreMacros.cmake
-@@ -59,7 +59,14 @@
-     set(_outfile "${CMAKE_CURRENT_BINARY_DIR}/${rel}")
-     string(REPLACE ".." "__" _outfile ${_outfile})
-     get_filename_component(outpath ${_outfile} PATH)
--    string(REGEX REPLACE "\\.[^.]*$" "" _outfile ${_outfile})
-+    if(CMAKE_VERSION VERSION_LESS "3.14")
-+        get_filename_component(_outfile_ext ${_outfile} EXT)
-+        get_filename_component(_outfile_ext ${_outfile_ext} NAME_WE)
-+        get_filename_component(_outfile ${_outfile} NAME_WE)
-+        string(APPEND _outfile ${_outfile_ext})
-+    else()
-+        get_filename_component(_outfile ${_outfile} NAME_WLE)
-+    endif()
-     file(MAKE_DIRECTORY ${outpath})
-     set(${outfile} ${outpath}/${prefix}${_outfile}.${ext})
- endmacro()
diff --git a/gnu/packages/patches/qtbase-use-TZDIR.patch b/gnu/packages/patches/qtbase-use-TZDIR.patch
index 11c737d844..b6c377b133 100644
--- a/gnu/packages/patches/qtbase-use-TZDIR.patch
+++ b/gnu/packages/patches/qtbase-use-TZDIR.patch
@@ -4,8 +4,8 @@ important to be able to update it fast.
 
 Based on a patch fron NixOS.
 ===================================================================
---- qtbase-opensource-src-5.9.4.orig/src/corelib/tools/qtimezoneprivate_tz.cpp
-+++ qtbase-opensource-src-5.9.4/src/corelib/tools/qtimezoneprivate_tz.cpp
+--- qtbase-opensource-src-5.14.2.orig/src/corelib/time/qtimezoneprivate_tz.cpp
++++ qtbase-opensource-src-5.15.2/src/corelib/time/qtimezoneprivate_tz.cpp
 @@ -70,7 +70,11 @@
  // Parse zone.tab table, assume lists all installed zones, if not will need to read directories
  static QTzTimeZoneHash loadTzTimeZones()
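Review bot: The two header lines added to the embedded patch name different source trees: `qtbase-opensource-src-5.14.2.orig` on the `---` line and `qtbase-opensource-src-5.15.2` on the `+++` line. If the patch is applied with the leading path component stripped this is probably harmless, but it leaves a reader unsure which qtbase release the patch was refreshed against. I would make the two agree, for example `--- qtbase-opensource-src-5.15.2.orig/src/corelib/time/qtimezoneprivate_tz.cpp` if 5.15.2 is the version being packaged, which cannot be confirmed from this hunk.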