From 88eb4509f919f1af77fa5ad0a681cb19ba10b784 Mon Sep 17 00:00:00 2001 From: sternenseemann Date: Sun, 16 Nov 2025 11:20:19 +0100 Subject: [PATCH 01/54] lowdown: unset doInstallCheck instead of emptying installCheckPhase (cherry picked from commit 3bb7b6d06e1d0350b2681252ec9e5b32cdd9af04) --- pkgs/by-name/lo/lowdown/package.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/lo/lowdown/package.nix b/pkgs/by-name/lo/lowdown/package.nix index 0ed05f5969824..d9ba6692ae525 100644 --- a/pkgs/by-name/lo/lowdown/package.nix +++ b/pkgs/by-name/lo/lowdown/package.nix @@ -97,9 +97,8 @@ stdenv.mkDerivation rec { rm "$lib/lib/liblowdown.so" ''; - doInstallCheck = true; - - installCheckPhase = lib.optionalString (!stdenv.hostPlatform.isDarwin || !enableDarwinSandbox) '' + doInstallCheck = !stdenv.hostPlatform.isDarwin || !enableDarwinSandbox; + installCheckPhase = '' runHook preInstallCheck echo '# TEST' > test.md From 972dc0985b0192e31887a211a41ef148e26f637c Mon Sep 17 00:00:00 2001 From: sternenseemann Date: Sun, 16 Nov 2025 11:23:19 +0100 Subject: [PATCH 02/54] lowdown: add unsandboxed variant to passthru.tests (cherry picked from commit 4a9fbcf73f675e8fa902e16adf804406d40f6bc9) --- pkgs/by-name/lo/lowdown/package.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/lo/lowdown/package.nix b/pkgs/by-name/lo/lowdown/package.nix index d9ba6692ae525..527512bfb9632 100644 --- a/pkgs/by-name/lo/lowdown/package.nix +++ b/pkgs/by-name/lo/lowdown/package.nix @@ -11,6 +11,7 @@ enableDarwinSandbox ? true, # for passthru.tests nix, + lowdown-unsandboxed, }: stdenv.mkDerivation rec { @@ -111,8 +112,8 @@ stdenv.mkDerivation rec { checkTarget = "regress"; passthru.tests = { - # most important consumer in nixpkgs - inherit nix; + # most important consumers in nixpkgs + inherit nix lowdown-unsandboxed; }; meta = with lib; { From 83146924c71471d327d88615ef73711467123943 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Sun, 16 Nov 2025 10:55:14 +0000 Subject: [PATCH 03/54] lowdown: 2.0.2 -> 2.0.3 Changes: https://github.com/kristapsdz/lowdown/releases/tag/VERSION_2_0_3 - 2.0.3 notably adds support for building a proper Darwin dylib, but messes up the naming scheme of versioned dylibs, so we still have to rename them in postInstall. See https://github.com/kristapsdz/lowdown/issues/168. - make regress no longer ignores failures (?!), so we can no longer run the test suite on darwin if sandboxing is enabled. See https://github.com/kristapsdz/lowdown/commit/4bfd934330ffdb92126. Co-authored-by: sternenseemann (cherry picked from commit 44da5f3b3519c0c95c4da042d7b3dae4e627b9c5) --- pkgs/by-name/lo/lowdown/package.nix | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/pkgs/by-name/lo/lowdown/package.nix b/pkgs/by-name/lo/lowdown/package.nix index 527512bfb9632..22e9d43474330 100644 --- a/pkgs/by-name/lo/lowdown/package.nix +++ b/pkgs/by-name/lo/lowdown/package.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { pname = "lowdown${ lib.optionalString (stdenv.hostPlatform.isDarwin && !enableDarwinSandbox) "-unsandboxed" }"; - version = "2.0.2"; + version = "2.0.3"; outputs = [ "out" @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "https://kristaps.bsd.lv/lowdown/snapshots/lowdown-${version}.tar.gz"; - hash = "sha512-cfzhuF4EnGmLJf5EGSIbWqJItY3npbRSALm+GarZ7SMU7Hr1xw0gtBFMpOdi5PBar4TgtvbnG4oRPh+COINGlA=="; + hash = "sha512-QJ+SOuL0BgvhUBscCuoAPeVcfUBGBmSZoSK5imQftwg8z8fQa7y4fjiq3FERx4dXVocchR8F4a43lL51KPWj/g=="; }; nativeBuildInputs = [ @@ -39,6 +39,12 @@ stdenv.mkDerivation rec { ] ++ lib.optionals stdenv.hostPlatform.isDarwin [ fixDarwinDylibNames ]; + postPatch = '' + # fails test, some column width mismatch + rm regress/table-footnotes.md + rm regress/table-styles.md + ''; + # The Darwin sandbox calls fail inside Nix builds, presumably due to # being nested inside another sandbox. preConfigure = lib.optionalString (stdenv.hostPlatform.isDarwin && !enableDarwinSandbox) '' @@ -85,17 +91,16 @@ stdenv.mkDerivation rec { test -f $lib/lib/liblowdown.so.${soVersion} || \ die "postInstall: expected $lib/lib/liblowdown.so.${soVersion} is missing" '' - # Fix lib extension so that fixDarwinDylibNames detects it, see - # . + # Versioned lib doesn't end in .dylib which is required by fixDarwinDylibNames + # . + lib.optionalString (enableShared && stdenv.hostPlatform.isDarwin) '' darwinDylib="$lib/lib/liblowdown.${soVersion}.dylib" - mv "$lib/lib/liblowdown.so.${soVersion}" "$darwinDylib" + mv "$lib/lib/liblowdown.dylib.${soVersion}" "$darwinDylib" # Make sure we are re-creating a symbolic link here - test -L "$lib/lib/liblowdown.so" || \ - die "postInstall: expected $lib/lib/liblowdown.so to be a symlink" - ln -s "$darwinDylib" "$lib/lib/liblowdown.dylib" - rm "$lib/lib/liblowdown.so" + test -L "$lib/lib/liblowdown.dylib" || \ + die "postInstall: expected $lib/lib/liblowdown.dylib to be a symlink" + ln -sf "$darwinDylib" "$lib/lib/liblowdown.dylib" ''; doInstallCheck = !stdenv.hostPlatform.isDarwin || !enableDarwinSandbox; @@ -108,7 +113,7 @@ stdenv.mkDerivation rec { runHook postInstallCheck ''; - doCheck = true; + doCheck = !stdenv.hostPlatform.isDarwin || !enableDarwinSandbox; checkTarget = "regress"; passthru.tests = { From 2dd9fa9c642aa47297b4f8c71014b9bc8ebdd50c Mon Sep 17 00:00:00 2001 From: sternenseemann Date: Fri, 21 Nov 2025 15:27:30 +0100 Subject: [PATCH 04/54] lowdown: 2.0.3 -> 2.0.4 This version finally installs correctly named .dylibs on darwin! (cherry picked from commit 5d1fa9f208adc656e05e03b1b72e3aaa84d3cefa) --- pkgs/by-name/lo/lowdown/package.nix | 26 ++------------------------ 1 file changed, 2 insertions(+), 24 deletions(-) diff --git a/pkgs/by-name/lo/lowdown/package.nix b/pkgs/by-name/lo/lowdown/package.nix index 22e9d43474330..7ea55e19f137e 100644 --- a/pkgs/by-name/lo/lowdown/package.nix +++ b/pkgs/by-name/lo/lowdown/package.nix @@ -18,7 +18,7 @@ stdenv.mkDerivation rec { pname = "lowdown${ lib.optionalString (stdenv.hostPlatform.isDarwin && !enableDarwinSandbox) "-unsandboxed" }"; - version = "2.0.3"; + version = "2.0.4"; outputs = [ "out" @@ -29,7 +29,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "https://kristaps.bsd.lv/lowdown/snapshots/lowdown-${version}.tar.gz"; - hash = "sha512-QJ+SOuL0BgvhUBscCuoAPeVcfUBGBmSZoSK5imQftwg8z8fQa7y4fjiq3FERx4dXVocchR8F4a43lL51KPWj/g=="; + sha512 = "649a508b7727df6e7e1203abb3853e05f167b64832fd5e1271f142ccf782e600b1de73c72dc02673d7b175effdc54f2c0f60318208a968af9f9763d09cf4f9ef"; }; nativeBuildInputs = [ @@ -81,28 +81,6 @@ stdenv.mkDerivation rec { "install_static" ]; - postInstall = - let - soVersion = "2"; - in - - # Check that soVersion is up to date even if we are not on darwin - lib.optionalString (enableShared && !stdenv.hostPlatform.isDarwin) '' - test -f $lib/lib/liblowdown.so.${soVersion} || \ - die "postInstall: expected $lib/lib/liblowdown.so.${soVersion} is missing" - '' - # Versioned lib doesn't end in .dylib which is required by fixDarwinDylibNames - # . - + lib.optionalString (enableShared && stdenv.hostPlatform.isDarwin) '' - darwinDylib="$lib/lib/liblowdown.${soVersion}.dylib" - mv "$lib/lib/liblowdown.dylib.${soVersion}" "$darwinDylib" - - # Make sure we are re-creating a symbolic link here - test -L "$lib/lib/liblowdown.dylib" || \ - die "postInstall: expected $lib/lib/liblowdown.dylib to be a symlink" - ln -sf "$darwinDylib" "$lib/lib/liblowdown.dylib" - ''; - doInstallCheck = !stdenv.hostPlatform.isDarwin || !enableDarwinSandbox; installCheckPhase = '' runHook preInstallCheck From 6d27dfd022a202408c996a79646477a41b81efb9 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Sun, 25 Jan 2026 20:39:31 +0000 Subject: [PATCH 05/54] publicsuffix-list: 0-unstable-2025-12-28 -> 0-unstable-2026-01-25 (cherry picked from commit 363e4c1c1367469b7ab3e48955dfcc0db24b730b) --- pkgs/by-name/pu/publicsuffix-list/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/pu/publicsuffix-list/package.nix b/pkgs/by-name/pu/publicsuffix-list/package.nix index 4d53a001b9972..bdfb3b97e38e2 100644 --- a/pkgs/by-name/pu/publicsuffix-list/package.nix +++ b/pkgs/by-name/pu/publicsuffix-list/package.nix @@ -7,13 +7,13 @@ stdenvNoCC.mkDerivation { pname = "publicsuffix-list"; - version = "0-unstable-2025-12-28"; + version = "0-unstable-2026-01-25"; src = fetchFromGitHub { owner = "publicsuffix"; repo = "list"; - rev = "1ef6d3bc102c85d12e92be54ec0dad8ee990dd5f"; - hash = "sha256-rQdum6XLgfXwzpKTneakFmC80tOmlPFrZ8C7dfEnlSo="; + rev = "6c40921fc61160568b101aff506d548ba3300ba6"; + hash = "sha256-BOSau54FwCHNLordlN0+I708acXSogjnfKINpfMeYcc="; }; dontBuild = true; From 401d2a89b57ddcbcdcb8a93adb1009ca986f2d72 Mon Sep 17 00:00:00 2001 From: Stig Palmquist Date: Mon, 29 Dec 2025 16:00:02 +0100 Subject: [PATCH 06/54] gnupg: 2.4.8 -> 2.4.9 - Updates gnupg 2.4.8 to 2.4.9 - Update freepg patches to source-2.4.9-freepg - Use `substituteInPlace` with `--replace-fail` to make keyserver change more robust. - Update `static.patch` to generated `configure` (Thanks alyssais) (cherry picked from commit 88088f7841b1b6796b24eca3362e7213836f1923) --- pkgs/tools/security/gnupg/24.nix | 14 ++-- pkgs/tools/security/gnupg/static.patch | 95 ++++++++++++++------------ 2 files changed, 59 insertions(+), 50 deletions(-) diff --git a/pkgs/tools/security/gnupg/24.nix b/pkgs/tools/security/gnupg/24.nix index ddca7735483a7..46774bfdbfdd8 100644 --- a/pkgs/tools/security/gnupg/24.nix +++ b/pkgs/tools/security/gnupg/24.nix @@ -36,11 +36,11 @@ assert guiSupport -> !enableMinimal; stdenv.mkDerivation rec { pname = "gnupg"; - version = "2.4.8"; + version = "2.4.9"; src = fetchurl { url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2"; - hash = "sha256-tYyA15sE0yQ/9JwcP8a1+DE46zeEaJVjvN0GBZUxhhY="; + hash = "sha256-3RerLpoE/XnTnYU/WZy8hSBi3bmrUqTd60F2/YswKWQ="; }; depsBuildBuild = [ buildPackages.stdenv.cc ]; @@ -87,8 +87,8 @@ stdenv.mkDerivation rec { domain = "gitlab.com"; owner = "freepg"; repo = "gnupg"; - rev = "361c223eb00ca372fbf9506f5150ddbec193936f"; - hash = "sha256-hRuwrB6G2vjp7Md6m+cwoi7g4GtW0sazAEN5RC+AKdg="; + tag = "source-2.4.9-freepg"; + hash = "sha256-wF+iR0OgnU8VI90NlFOXtN5aCRC0YY/X7sPiDXjJm5M="; }; patches = [ @@ -128,6 +128,7 @@ stdenv.mkDerivation rec { "0029-Add-keyboxd-systemd-support.patch" "0033-Support-large-RSA-keygen-in-non-batch-mode.patch" "0034-gpg-Verify-Text-mode-Signatures-over-binary-Literal-.patch" + "0039-gpg-Do-not-use-a-default-when-asking-for-another-out.patch" ]; postPatch = @@ -139,7 +140,10 @@ stdenv.mkDerivation rec { # A significant difference between the two seems to be that keys.openpgp.org is verifying keys, while keyserver.ubuntu.com isn't: https://unix.stackexchange.com/a/694528 # The keys.openpgp.org also has a great FAQ: https://keys.openpgp.org/about/faq '' - sed -i 's,\(hkps\|https\)://keyserver.ubuntu.com,hkps://keys.openpgp.org,g' configure configure.ac doc/dirmngr.texi doc/gnupg.info-1 + substituteInPlace configure configure.ac \ + --replace-fail "hkps://keyserver.ubuntu.com" "hkps://keys.openpgp.org" + substituteInPlace doc/gnupg.info-1 doc/dirmngr.texi \ + --replace-fail "https://keyserver.ubuntu.com" "https://keys.openpgp.org" '' + lib.optionalString (stdenv.hostPlatform.isLinux && withPcsc) '' sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c diff --git a/pkgs/tools/security/gnupg/static.patch b/pkgs/tools/security/gnupg/static.patch index ce1b75aaf210f..cfa7b7ea41d5f 100644 --- a/pkgs/tools/security/gnupg/static.patch +++ b/pkgs/tools/security/gnupg/static.patch @@ -1,4 +1,4 @@ -From 6a426b8093cf6633425d08a2d33ed24d200473a0 Mon Sep 17 00:00:00 2001 +From 5eec11089067947bd850e069651cfa9bf4c48d07 Mon Sep 17 00:00:00 2001 From: Alyssa Ross Date: Sun, 9 Feb 2025 08:51:32 +0100 Subject: [PATCH] build: use pkg-config to find tss2-esys @@ -8,15 +8,15 @@ won't be linked when tss2-esys is a static library. --- Link: https://dev.gnupg.org/D606 - configure | 131 +++++++++++++++++++++++++++++---------------------- + configure | 132 ++++++++++++++++++++++++++++----------------------- configure.ac | 5 +- - 2 files changed, 76 insertions(+), 60 deletions(-) + 2 files changed, 75 insertions(+), 62 deletions(-) diff --git a/configure b/configure -index 59f027d..f53c99d 100755 +index f5d8bef90..e7f4fb175 100755 --- a/configure +++ b/configure -@@ -669,12 +669,12 @@ TEST_LIBTSS_FALSE +@@ -696,12 +696,12 @@ TEST_LIBTSS_FALSE TEST_LIBTSS_TRUE HAVE_LIBTSS_FALSE HAVE_LIBTSS_TRUE @@ -31,7 +31,7 @@ index 59f027d..f53c99d 100755 W32SOCKLIBS NETLIBS CROSS_COMPILING_FALSE -@@ -1005,7 +1005,9 @@ PKG_CONFIG_LIBDIR +@@ -1030,7 +1030,9 @@ PKG_CONFIG_LIBDIR SQLITE3_CFLAGS SQLITE3_LIBS LIBGNUTLS_CFLAGS @@ -42,7 +42,7 @@ index 59f027d..f53c99d 100755 # Initialize some variables set by options. -@@ -1771,6 +1773,9 @@ Some influential environment variables: +@@ -1805,6 +1807,9 @@ Some influential environment variables: C compiler flags for LIBGNUTLS, overriding pkg-config LIBGNUTLS_LIBS linker flags for LIBGNUTLS, overriding pkg-config @@ -52,15 +52,16 @@ index 59f027d..f53c99d 100755 Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. -@@ -15465,64 +15470,77 @@ else +@@ -16616,67 +16621,77 @@ else $as_nop fi elif test "$with_tss" = intel; then -- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing Esys_Initialize" >&5 --$as_echo_n "checking for library containing Esys_Initialize... " >&6; } --if ${ac_cv_search_Esys_Initialize+:} false; then : -- $as_echo_n "(cached) " >&6 --else +- { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for library containing Esys_Initialize" >&5 +-printf %s "checking for library containing Esys_Initialize... " >&6; } +-if test ${ac_cv_search_Esys_Initialize+y} +-then : +- printf %s "(cached) " >&6 +-else $as_nop - ac_func_search_save_LIBS=$LIBS -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ @@ -68,52 +69,54 @@ index 59f027d..f53c99d 100755 -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ --#ifdef __cplusplus --extern "C" --#endif -char Esys_Initialize (); -int --main () +-main (void) -{ -return Esys_Initialize (); - ; - return 0; -} -_ACEOF --for ac_lib in '' tss2-esys; do +-for ac_lib in '' tss2-esys +-do - if test -z "$ac_lib"; then - ac_res="none required" - else - ac_res=-l$ac_lib - LIBS="-l$ac_lib $ac_func_search_save_LIBS" - fi -- if ac_fn_c_try_link "$LINENO"; then : +- if ac_fn_c_try_link "$LINENO" +-then : - ac_cv_search_Esys_Initialize=$ac_res -fi --rm -f core conftest.err conftest.$ac_objext \ +-rm -f core conftest.err conftest.$ac_objext conftest.beam \ - conftest$ac_exeext -- if ${ac_cv_search_Esys_Initialize+:} false; then : +- if test ${ac_cv_search_Esys_Initialize+y} +-then : - break -fi -done --if ${ac_cv_search_Esys_Initialize+:} false; then : +-if test ${ac_cv_search_Esys_Initialize+y} +-then : +pkg_failed=no -+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LIBTSS" >&5 -+$as_echo_n "checking for LIBTSS... " >&6; } ++{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for LIBTSS" >&5 ++printf %s "checking for LIBTSS... " >&6; } +-else $as_nop +- ac_cv_search_Esys_Initialize=no +if test -n "$LIBTSS_CFLAGS"; then + pkg_cv_LIBTSS_CFLAGS="$LIBTSS_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"tss2-esys tss2-mu tss2-rc tss2-tctildr\""; } >&5 ++ { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"tss2-esys tss2-mu tss2-rc tss2-tctildr\""; } >&5 + ($PKG_CONFIG --exists --print-errors "tss2-esys tss2-mu tss2-rc tss2-tctildr") 2>&5 + ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++ printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBTSS_CFLAGS=`$PKG_CONFIG --cflags "tss2-esys tss2-mu tss2-rc tss2-tctildr" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes - else -- ac_cv_search_Esys_Initialize=no ++else + pkg_failed=yes fi -rm conftest.$ac_ext @@ -121,25 +124,27 @@ index 59f027d..f53c99d 100755 + else + pkg_failed=untried fi --{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_Esys_Initialize" >&5 --$as_echo "$ac_cv_search_Esys_Initialize" >&6; } +-{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_Esys_Initialize" >&5 +-printf "%s\n" "$ac_cv_search_Esys_Initialize" >&6; } -ac_res=$ac_cv_search_Esys_Initialize --if test "$ac_res" != no; then : +-if test "$ac_res" != no +-then : - test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" - have_libtss=Intel +-else $as_nop +- as_fn_error $? "Intel TPM Software Stack requested but not found" "$LINENO" 5 +if test -n "$LIBTSS_LIBS"; then + pkg_cv_LIBTSS_LIBS="$LIBTSS_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ -+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"tss2-esys tss2-mu tss2-rc tss2-tctildr\""; } >&5 ++ { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"tss2-esys tss2-mu tss2-rc tss2-tctildr\""; } >&5 + ($PKG_CONFIG --exists --print-errors "tss2-esys tss2-mu tss2-rc tss2-tctildr") 2>&5 + ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++ printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBTSS_LIBS=`$PKG_CONFIG --libs "tss2-esys tss2-mu tss2-rc tss2-tctildr" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes - else -- as_fn_error $? "Intel TPM Software Stack requested but not found" "$LINENO" 5 ++else + pkg_failed=yes +fi + else @@ -149,8 +154,8 @@ index 59f027d..f53c99d 100755 + + +if test $pkg_failed = yes; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } ++ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++printf "%s\n" "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes @@ -167,29 +172,29 @@ index 59f027d..f53c99d 100755 + + as_fn_error $? "Intel TPM Software Stack requested but not found" "$LINENO" 5 +elif test $pkg_failed = untried; then -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -+$as_echo "no" >&6; } ++ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++printf "%s\n" "no" >&6; } + as_fn_error $? "Intel TPM Software Stack requested but not found" "$LINENO" 5 +else + LIBTSS_CFLAGS=$pkg_cv_LIBTSS_CFLAGS + LIBTSS_LIBS=$pkg_cv_LIBTSS_LIBS -+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -+$as_echo "yes" >&6; } ++ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++printf "%s\n" "yes" >&6; } + have_libtss=Intel +fi else as_fn_error $? "Invalid TPM Software Stack requested: $with_tss" "$LINENO" 5 fi -@@ -15616,7 +15634,6 @@ $as_echo "$as_me: WARNING: Need Esys_TR_GetTpmHandle API (usually requires Intel +@@ -16768,7 +16783,6 @@ printf "%s\n" "$as_me: WARNING: Need Esys_TR_GetTpmHandle API (usually requires fi - LIBTSS_LIBS="$LIBS -ltss2-mu -ltss2-rc -ltss2-tctildr" - $as_echo "#define HAVE_INTEL_TSS 1" >>confdefs.h + printf "%s\n" "#define HAVE_INTEL_TSS 1" >>confdefs.h diff --git a/configure.ac b/configure.ac -index dc44465..92880e6 100644 +index 94bc80583..e88d0f650 100644 --- a/configure.ac +++ b/configure.ac @@ -1574,8 +1574,8 @@ if test "$build_tpm2d" = "yes"; then @@ -212,5 +217,5 @@ index dc44465..92880e6 100644 fi LIBS="$_save_libs" -- -2.47.2 +2.51.0 From fabf792f20f9bc1b3034a782e034b4d9509dbed5 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Wed, 28 Jan 2026 00:56:36 +0000 Subject: [PATCH 07/54] cryptsetup: 2.8.3 -> 2.8.4 (cherry picked from commit 9d0740c9a6d23b3aa6e15d56fa63db3c46a16758) --- pkgs/by-name/cr/cryptsetup/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/cr/cryptsetup/package.nix b/pkgs/by-name/cr/cryptsetup/package.nix index d310ed986ca9b..79a0af738ce08 100644 --- a/pkgs/by-name/cr/cryptsetup/package.nix +++ b/pkgs/by-name/cr/cryptsetup/package.nix @@ -25,7 +25,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "cryptsetup"; - version = "2.8.3"; + version = "2.8.4"; outputs = [ "bin" @@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: { url = "mirror://kernel/linux/utils/cryptsetup/v${lib.versions.majorMinor finalAttrs.version}/" + "cryptsetup-${finalAttrs.version}.tar.xz"; - hash = "sha256-SoojuLnRoyUEUuQKzq1EIaA+RaOJVK0FlWNPQmaqgA8="; + hash = "sha256-RD5G+JZMmsx4D0Va+7jiOqDo7X7FBM/FngT0BvoeioM="; }; patches = [ From 1fac75104084bffc673eb14ab38dde2cd0256278 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sat, 31 Jan 2026 15:08:07 +0100 Subject: [PATCH 08/54] expat: 2.7.3 -> 2.7.4 https://github.com/libexpat/libexpat/blob/R_2_7_4/expat/Changes Fixes: CVE-2026-24515, CVE-2026-25210 (cherry picked from commit 11d0d9bfab1bebe84efc7ad6f73909055935fd36) --- pkgs/by-name/ex/expat/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/ex/expat/package.nix b/pkgs/by-name/ex/expat/package.nix index 39dca62d6c1e0..80f5f017a36a5 100644 --- a/pkgs/by-name/ex/expat/package.nix +++ b/pkgs/by-name/ex/expat/package.nix @@ -18,7 +18,7 @@ # files. let - version = "2.7.3"; + version = "2.7.4"; tag = "R_${lib.replaceStrings [ "." ] [ "_" ] version}"; in stdenv.mkDerivation (finalAttrs: { @@ -29,7 +29,7 @@ stdenv.mkDerivation (finalAttrs: { url = with finalAttrs; "https://github.com/libexpat/libexpat/releases/download/${tag}/${pname}-${version}.tar.xz"; - hash = "sha256-cd+PQHBqe7CoClNnB56nXZHaT4xlxY7Fm837997Nq58="; + hash = "sha256-npyrtFfB4J3pHbJwbYNlZFeSY46zvh+U27IUkwEIasA="; }; strictDeps = true; From fbbd5ee387c963e87157f0a89395a708a4d5f8c6 Mon Sep 17 00:00:00 2001 From: Alex Epelde Date: Fri, 23 Jan 2026 10:35:50 -0500 Subject: [PATCH 09/54] libsoup_3: soup-init: Use libdl instead of gmodule in soup2_is_loaded Upstream MR: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/475. This patch made it onto Debian's libsoup-3.6.5-3. More context: https://bugs.debian.org/1109685. (cherry picked from commit f8dcea1c811458703954317042d856cd04bb536b) --- pkgs/development/libraries/libsoup/3.x.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkgs/development/libraries/libsoup/3.x.nix b/pkgs/development/libraries/libsoup/3.x.nix index 0611a148e7065..bc1c1c5489293 100644 --- a/pkgs/development/libraries/libsoup/3.x.nix +++ b/pkgs/development/libraries/libsoup/3.x.nix @@ -2,6 +2,7 @@ stdenv, lib, fetchurl, + fetchpatch, glib, meson, ninja, @@ -37,6 +38,14 @@ stdenv.mkDerivation rec { hash = "sha256-aJF2Wqw+lJAXlFw+rr2MyCFt93JFbcn0YJdvvbetojQ="; }; + patches = [ + (fetchpatch { + name = "soup-init-use-libdl-instead-of-gmodule-in-soup2_is_loaded.patch"; + url = "https://gitlab.gnome.org/GNOME/libsoup/-/commit/2316e56a5502ac4c41ef4ff56a3266e680aca129.patch"; + hash = "sha256-6TOM6sygVPpBWjTNgFG37JFbJDl0t2f9Iwidvh/isa4="; + }) + ]; + depsBuildBuild = [ pkg-config ]; From 5b1b7b30e9512127d0407909f87f508069bac128 Mon Sep 17 00:00:00 2001 From: Alyssa Ross Date: Wed, 21 Jan 2026 16:09:30 +0100 Subject: [PATCH 10/54] linux/common-config: remove obsolete hack Tested that 6.18 and 6.19 now build without this. (cherry picked from commit 5d4365c7a52756cb4776bc894f7c195818bd89a8) --- pkgs/os-specific/linux/kernel/common-config.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index 68255aed8a628..3ca1302a5ad87 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -563,10 +563,6 @@ let # Enable CEC over DisplayPort DRM_DP_CEC = whenOlder "6.10" yes; DRM_DISPLAY_DP_AUX_CEC = whenAtLeast "6.10" yes; - - # Required for Nova - # FIXME: remove after https://gitlab.freedesktop.org/drm/rust/kernel/-/commit/3d3352e73a55a4ccf110f8b3419bbe2fbfd8a030 lands - RUST_FW_LOADER_ABSTRACTIONS = lib.mkIf withRust (whenAtLeast "6.12" yes); } // lib.optionalAttrs From 4ec7bd6831cd54afb601ab6281954e4d2566baf8 Mon Sep 17 00:00:00 2001 From: Gary Guo Date: Tue, 3 Feb 2026 01:09:45 +0000 Subject: [PATCH 11/54] linux/common-config: disable nova_core and drm_nova (cherry picked from commit 4469240b411d16aaf23c4c21f02870a81c84fdeb) --- pkgs/os-specific/linux/kernel/common-config.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index 3ca1302a5ad87..571b92b5242c7 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -563,6 +563,10 @@ let # Enable CEC over DisplayPort DRM_DP_CEC = whenOlder "6.10" yes; DRM_DISPLAY_DP_AUX_CEC = whenAtLeast "6.10" yes; + + # Do not enable Nova drivers, which are still WIP. This is the Kconfig default. + NOVA_CORE = whenAtLeast "6.15" no; + DRM_NOVA = whenAtLeast "6.16" no; } // lib.optionalAttrs From d7b09311a9f1a5e92b17421091457bfabc7c9a26 Mon Sep 17 00:00:00 2001 From: Leon Klingele Date: Wed, 4 Feb 2026 17:29:17 +0100 Subject: [PATCH 12/54] go_1_25: 1.25.6 -> 1.25.7 (cherry picked from commit 466bc97ad91ffa340bfd137eff2e56452119b42d) --- pkgs/development/compilers/go/1.25.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/compilers/go/1.25.nix b/pkgs/development/compilers/go/1.25.nix index 7e76017801425..15924f0934bd5 100644 --- a/pkgs/development/compilers/go/1.25.nix +++ b/pkgs/development/compilers/go/1.25.nix @@ -25,11 +25,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "go"; - version = "1.25.6"; + version = "1.25.7"; src = fetchurl { url = "https://go.dev/dl/go${finalAttrs.version}.src.tar.gz"; - hash = "sha256-WMv3ceRNdt5vVtGeM7d9dFoeSJNAkih15GWFuXXCsFk="; + hash = "sha256-F48oMoICdLQ+F30y8Go+uwEp5CfdIKXkyI3ywXY88Qo="; }; strictDeps = true; From 58208015467bc23585698b9e127cf7630748222a Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 4 Feb 2026 03:38:12 +0100 Subject: [PATCH 13/54] python314: 3.14.2 -> 3.14.3 https://docs.python.org/release/3.14.3/whatsnew/changelog.html Fixes: CVE-2026-1299, CVE-2025-11468, CVE-2025-15282, CVE-2026-0672, CVE-2026-0865 (cherry picked from commit 08371b96c322c2760287412612b7169dea4532d8) --- pkgs/development/interpreters/python/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/interpreters/python/default.nix b/pkgs/development/interpreters/python/default.nix index 4a927d2597ff1..46124f4e933f3 100644 --- a/pkgs/development/interpreters/python/default.nix +++ b/pkgs/development/interpreters/python/default.nix @@ -91,10 +91,10 @@ sourceVersion = { major = "3"; minor = "14"; - patch = "2"; + patch = "3"; suffix = ""; }; - hash = "sha256-zlQ6uFS8JWthtx6bJ/gx/9G/1gpHnWOfi+f5dXz1c+k="; + hash = "sha256-qX1VSemtgf4XFZ7QLGh3StXSZscvjZoLWpw3H+hdkCs="; inherit passthruFun; }; From 2f37758ae23bcd5725c9e5abe9fb3753a85927b4 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 4 Feb 2026 03:44:12 +0100 Subject: [PATCH 14/54] python313: 3.13.11 -> 3.13.12 https://docs.python.org/release/3.13.12/whatsnew/changelog.html Fixes: CVE-2026-1299, CVE-2025-11468, CVE-2025-15282, CVE-2026-0672, CVE-2026-0865 (cherry picked from commit b428db0f48114136aafab971f9295226a23a167c) --- pkgs/development/interpreters/python/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/interpreters/python/default.nix b/pkgs/development/interpreters/python/default.nix index 46124f4e933f3..0a7a500dd2440 100644 --- a/pkgs/development/interpreters/python/default.nix +++ b/pkgs/development/interpreters/python/default.nix @@ -20,10 +20,10 @@ sourceVersion = { major = "3"; minor = "13"; - patch = "11"; + patch = "12"; suffix = ""; }; - hash = "sha256-Fu3nu3zb+oldEbBkL6DlI/KR5khxlNU89tOzOMOhfqI="; + hash = "sha256-KoTNMd2Njqiq/3XeZvwbSwEn3VeZqlCmSumjE4hbRZM="; }; }; From 1688efe84ad6d725b1620403a4ac069155c4a73f Mon Sep 17 00:00:00 2001 From: Ben Pye Date: Fri, 6 Feb 2026 21:02:29 -0800 Subject: [PATCH 15/54] linux/common-config: enable DSI output for RK3588 SoCs (cherry picked from commit 68f6eca98b645f4285e6ad6f8fee586a0aef2192) --- pkgs/os-specific/linux/kernel/common-config.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix index 571b92b5242c7..038e4fe2d4bd8 100644 --- a/pkgs/os-specific/linux/kernel/common-config.nix +++ b/pkgs/os-specific/linux/kernel/common-config.nix @@ -589,6 +589,8 @@ let DRM_VC4_HDMI_CEC = yes; # Enable HDMI out on platforms using the RK3588 lineup of SoCs. ROCKCHIP_DW_HDMI_QP = whenAtLeast "6.13" yes; + # Enable DSI out on platforms using the RK3588 lineup of SoCs. + ROCKCHIP_DW_MIPI_DSI2 = whenAtLeast "6.16" yes; }; # Enable Rust and features that depend on it From fd1b3906df9419fd651c68482f11c4a4f88d3eb5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Tue, 10 Feb 2026 06:30:16 +0100 Subject: [PATCH 16/54] libpng: 1.6.54 -> 1.6.55 on non-darwin The trouble is that it would be a stdenv rebuild on darwin, so for now let's update on non-darwin only. https://seclists.org/oss-sec/2026/q1/156 https://github.com/pnggroup/libpng/blob/v1.6.55/ANNOUNCE (cherry picked from commit 66c5b8edc0d76f28b620f6d2e31a12afad530b68) --- pkgs/development/libraries/libpng/default.nix | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/libpng/default.nix b/pkgs/development/libraries/libpng/default.nix index e548f82bdbb8f..62092f3185860 100644 --- a/pkgs/development/libraries/libpng/default.nix +++ b/pkgs/development/libraries/libpng/default.nix @@ -20,11 +20,15 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "libpng" + whenPatched "-apng"; - version = "1.6.54"; + version = if !stdenv.isDarwin then "1.6.55" else "1.6.54"; # FIXME: darwin lags temporarily src = fetchurl { url = "mirror://sourceforge/libpng/libpng-${finalAttrs.version}.tar.xz"; - hash = "sha256-AcnYowPJQewsURwUMSo7HTbO20Hi9RaMzaqF1TuIeAU="; + hash = + if !stdenv.isDarwin then + "sha256-2SVyKGSDetWuKoIHDUsuBgPccq9EvUV8OWIpgli46C0=" + else + "sha256-AcnYowPJQewsURwUMSo7HTbO20Hi9RaMzaqF1TuIeAU="; }; postPatch = whenPatched "gunzip < ${patch_src} | patch -Np1" From 12a9f5b9509f99ab6ca4b4603b52defc7a3000f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Tue, 10 Feb 2026 06:43:43 +0100 Subject: [PATCH 17/54] libpng: 1.6.54 -> 1.6.55 on darwin This finishes 66c5b8edc0d76f28b620f6d2e31a12afad530b68, as on nixpkgs staging we don't care about causing stdenv rebuilds. (cherry picked from commit 7a82aba9bc1cbe2910241634044c0249f7614a66) --- pkgs/development/libraries/libpng/default.nix | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/pkgs/development/libraries/libpng/default.nix b/pkgs/development/libraries/libpng/default.nix index 62092f3185860..074a520d8acb0 100644 --- a/pkgs/development/libraries/libpng/default.nix +++ b/pkgs/development/libraries/libpng/default.nix @@ -20,15 +20,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "libpng" + whenPatched "-apng"; - version = if !stdenv.isDarwin then "1.6.55" else "1.6.54"; # FIXME: darwin lags temporarily + version = "1.6.55"; src = fetchurl { url = "mirror://sourceforge/libpng/libpng-${finalAttrs.version}.tar.xz"; - hash = - if !stdenv.isDarwin then - "sha256-2SVyKGSDetWuKoIHDUsuBgPccq9EvUV8OWIpgli46C0=" - else - "sha256-AcnYowPJQewsURwUMSo7HTbO20Hi9RaMzaqF1TuIeAU="; + hash = "sha256-2SVyKGSDetWuKoIHDUsuBgPccq9EvUV8OWIpgli46C0="; }; postPatch = whenPatched "gunzip < ${patch_src} | patch -Np1" From 11ac5a7a7760a3bcb6e27f9b2e205a3cc08099b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Tue, 10 Feb 2026 06:35:28 +0100 Subject: [PATCH 18/54] gnutls: 3.8.11 -> 3.8.12 Fixes: CVE-2026-1584 CVE-2025-14831 https://lists.gnutls.org/pipermail/gnutls-help/2026-February/004914.html (cherry picked from commit c38793f70403f335423e097ba140afefc2395946) --- pkgs/development/libraries/gnutls/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/gnutls/default.nix b/pkgs/development/libraries/gnutls/default.nix index 2cce91e8115dd..2f3a53bd1327c 100644 --- a/pkgs/development/libraries/gnutls/default.nix +++ b/pkgs/development/libraries/gnutls/default.nix @@ -59,11 +59,11 @@ in stdenv.mkDerivation rec { pname = "gnutls"; - version = "3.8.11"; + version = "3.8.12"; src = fetchurl { url = "mirror://gnupg/gnutls/v${lib.versions.majorMinor version}/gnutls-${version}.tar.xz"; - hash = "sha256-kb0jxKhuvGFS6BMD0gz2zq65e8j4QmbQ+uxuKfF7qiA="; + hash = "sha256-p7NBQhv9RZrPejdMpK87ngZgjc1715Kyv0cL6gErjlE="; }; outputs = [ From 8096ec799765c482a899ebfe951d1606a620cf27 Mon Sep 17 00:00:00 2001 From: Jonas Heinrich Date: Sat, 27 Dec 2025 16:52:01 +0100 Subject: [PATCH 19/54] phpPackages.imagick: fix cross compilation (cherry picked from commit 7a2727154913a70f3c7102e608a608a3e7c70672) --- pkgs/development/php-packages/imagick/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/development/php-packages/imagick/default.nix b/pkgs/development/php-packages/imagick/default.nix index f3ed1d1d8e730..0d009970abf43 100644 --- a/pkgs/development/php-packages/imagick/default.nix +++ b/pkgs/development/php-packages/imagick/default.nix @@ -1,11 +1,9 @@ { buildPecl, - fetchpatch, lib, imagemagick, pkg-config, pcre2, - php, }: buildPecl { @@ -15,7 +13,11 @@ buildPecl { sha256 = "sha256-vaZ0YchU8g1hBXgrdpxST8NziLddRIHZUWRNIWf/7sY="; configureFlags = [ "--with-imagick=${imagemagick.dev}" ]; + + depsBuildBuild = [ pkg-config ]; + nativeBuildInputs = [ pkg-config ]; + buildInputs = [ pcre2 ]; meta = { From a2d2740a4302a2c0de13761a0146942ff3c18677 Mon Sep 17 00:00:00 2001 From: Jonas Heinrich Date: Sat, 27 Dec 2025 20:06:15 +0100 Subject: [PATCH 20/54] imagemagick: fix cross compile (cherry picked from commit e7a4c6ced979298c8c97d84a8596736e5e9752a3) --- pkgs/applications/graphics/ImageMagick/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/applications/graphics/ImageMagick/default.nix b/pkgs/applications/graphics/ImageMagick/default.nix index 33dd080943a1a..f55bffa67262f 100644 --- a/pkgs/applications/graphics/ImageMagick/default.nix +++ b/pkgs/applications/graphics/ImageMagick/default.nix @@ -173,7 +173,7 @@ stdenv.mkDerivation (finalAttrs: { configDestination=($out/share/ImageMagick-*) grep -v '/nix/store' $dev/lib/ImageMagick-*/config-Q16HDRI/configure.xml > $configDestination/configure.xml for file in "$dev"/bin/*-config; do - substituteInPlace "$file" --replace pkg-config \ + substituteInPlace "$file" --replace-fail "$PKG_CONFIG" \ "PKG_CONFIG_PATH='$dev/lib/pkgconfig' '$(command -v $PKG_CONFIG)'" done '' From 127574d8aead795b547c6ecdab3abb4b32ac878d Mon Sep 17 00:00:00 2001 From: Jonas Heinrich Date: Thu, 29 Jan 2026 12:56:29 +0100 Subject: [PATCH 21/54] phpPackages.imagick: cleanup (cherry picked from commit 624d04074e6ebcfa7889c33b1552a7f8d20ead7f) --- pkgs/development/php-packages/imagick/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/php-packages/imagick/default.nix b/pkgs/development/php-packages/imagick/default.nix index 0d009970abf43..da43667899093 100644 --- a/pkgs/development/php-packages/imagick/default.nix +++ b/pkgs/development/php-packages/imagick/default.nix @@ -10,7 +10,7 @@ buildPecl { pname = "imagick"; version = "3.8.0"; - sha256 = "sha256-vaZ0YchU8g1hBXgrdpxST8NziLddRIHZUWRNIWf/7sY="; + hash = "sha256-vaZ0YchU8g1hBXgrdpxST8NziLddRIHZUWRNIWf/7sY="; configureFlags = [ "--with-imagick=${imagemagick.dev}" ]; From 308ba5020bc7303e058aaa382228a0d62b14cf57 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 12 Nov 2025 23:28:40 +0100 Subject: [PATCH 22/54] python3Packages.cryptography: 46.0.2 -> 46.0.3 https://cryptography.io/en/latest/changelog/#v46-0-3 (cherry picked from commit ccf3c1ae95a2738f317ffaeb5088b0f7ab106a73) --- pkgs/development/python-modules/cryptography/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/development/python-modules/cryptography/default.nix b/pkgs/development/python-modules/cryptography/default.nix index d9b3a68715ae1..15016552b3d41 100644 --- a/pkgs/development/python-modules/cryptography/default.nix +++ b/pkgs/development/python-modules/cryptography/default.nix @@ -22,7 +22,7 @@ buildPythonPackage rec { pname = "cryptography"; - version = "46.0.2"; + version = "46.0.3"; pyproject = true; disabled = pythonOlder "3.7"; @@ -31,12 +31,12 @@ buildPythonPackage rec { owner = "pyca"; repo = "cryptography"; tag = version; - hash = "sha256-gsEHKEYiMw2eliEpxwzFGDetOp77PivlMoBD3HBbbFA="; + hash = "sha256-6t7f/BaMkA24MY05B7aYa0myxnCjrCsh1qk6RgAjeQc="; }; cargoDeps = rustPlatform.fetchCargoVendor { inherit pname version src; - hash = "sha256-aCQzY2gBjVVwiqlqAxkH4y6yf4lqdQuSEnQSIjLPRJg="; + hash = "sha256-5ElDEl7MdcQfu/hy+POSBcvkNCFAMo6La5s6uRhZ/fM="; }; postPatch = '' From eb03b7e39bcb6c4a083325eb11fd9a2c93607845 Mon Sep 17 00:00:00 2001 From: Michael Daniels Date: Sat, 7 Feb 2026 14:40:31 -0500 Subject: [PATCH 23/54] python3Packages.cryptography: 46.0.3 -> 46.0.4 Changelog: https://cryptography.io/en/latest/changelog/#v46-0-4 (cherry picked from commit 15a77549d27acf6ce7b86d3b4463094574e3100c) --- pkgs/development/python-modules/cryptography/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/cryptography/default.nix b/pkgs/development/python-modules/cryptography/default.nix index 15016552b3d41..d36b12525c8e5 100644 --- a/pkgs/development/python-modules/cryptography/default.nix +++ b/pkgs/development/python-modules/cryptography/default.nix @@ -22,7 +22,7 @@ buildPythonPackage rec { pname = "cryptography"; - version = "46.0.3"; + version = "46.0.4"; pyproject = true; disabled = pythonOlder "3.7"; @@ -31,7 +31,7 @@ buildPythonPackage rec { owner = "pyca"; repo = "cryptography"; tag = version; - hash = "sha256-6t7f/BaMkA24MY05B7aYa0myxnCjrCsh1qk6RgAjeQc="; + hash = "sha256-vT99F/wmd/ipgASmIcQITXNgng69Nn7cN66W2cXOzZY="; }; cargoDeps = rustPlatform.fetchCargoVendor { From c6a7862853cc5e7b17435599fe6086effe16e7d3 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 11 Feb 2026 00:25:51 +0100 Subject: [PATCH 24/54] python3Packages.cryptography: 46.0.4 -> 46.0.5 https://cryptography.io/en/latest/changelog/#v46-0-5 Fixes: CVE-2026-26007 (cherry picked from commit 2402ab652b76f442f30d2ed1eee24991b0600b73) --- pkgs/development/python-modules/cryptography/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/cryptography/default.nix b/pkgs/development/python-modules/cryptography/default.nix index d36b12525c8e5..eef08b32b5461 100644 --- a/pkgs/development/python-modules/cryptography/default.nix +++ b/pkgs/development/python-modules/cryptography/default.nix @@ -22,7 +22,7 @@ buildPythonPackage rec { pname = "cryptography"; - version = "46.0.4"; + version = "46.0.5"; pyproject = true; disabled = pythonOlder "3.7"; @@ -31,7 +31,7 @@ buildPythonPackage rec { owner = "pyca"; repo = "cryptography"; tag = version; - hash = "sha256-vT99F/wmd/ipgASmIcQITXNgng69Nn7cN66W2cXOzZY="; + hash = "sha256-jzdkAVMnKr0z1MBUgs6xjLnTZrqNOBwq3w56JDwgFgk="; }; cargoDeps = rustPlatform.fetchCargoVendor { From 749fb38d44dfbb9133a7d9720d3b6533ca89d845 Mon Sep 17 00:00:00 2001 From: Brian May Date: Sun, 14 Dec 2025 09:02:50 +1100 Subject: [PATCH 25/54] modemmanager: 1.24.0 -> 1.24.2 (cherry picked from commit fb1b67d26d3ea1e4bd2e5d293672550bb71b6b84) --- pkgs/by-name/mo/modemmanager/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/mo/modemmanager/package.nix b/pkgs/by-name/mo/modemmanager/package.nix index d2f43bb425722..a7a73ee2c50fc 100644 --- a/pkgs/by-name/mo/modemmanager/package.nix +++ b/pkgs/by-name/mo/modemmanager/package.nix @@ -32,14 +32,14 @@ stdenv.mkDerivation rec { pname = "modemmanager"; - version = "1.24.0"; + version = "1.24.2"; src = fetchFromGitLab { domain = "gitlab.freedesktop.org"; owner = "mobile-broadband"; repo = "ModemManager"; rev = version; - hash = "sha256-3jI75aR2esmv5dkE4TrdCHIcCvtdOBKnBC5XLEKoVFs="; + hash = "sha256-rBLOqpx7Y2BB6/xvhIw+rDEXsLtePhHLBvfpSuJzQik="; }; patches = [ From 48b03458adf722e7ad1003c5296e90aa6747d977 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 11 Feb 2026 10:38:06 +0100 Subject: [PATCH 26/54] python3Packages.pillow: 12.1.0 -> 12.1.1 https://pillow.readthedocs.io/en/stable/releasenotes/12.1.1.html (cherry picked from commit 0d08329ea869994518e76731736cc038dd29c97b) --- pkgs/development/python-modules/pillow/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/pillow/default.nix b/pkgs/development/python-modules/pillow/default.nix index 3b301afdc59b0..bc4007bd63c9b 100644 --- a/pkgs/development/python-modules/pillow/default.nix +++ b/pkgs/development/python-modules/pillow/default.nix @@ -44,14 +44,14 @@ buildPythonPackage rec { pname = "pillow"; - version = "12.1.0"; + version = "12.1.1"; pyproject = true; src = fetchFromGitHub { owner = "python-pillow"; repo = "pillow"; tag = version; - hash = "sha256-QGtuxKpkx2FScQHj9lH4mhEAo6jE+NAR2sR5/zvHUuA="; + hash = "sha256-NlmNabyoHiakwvomjivTA7N304ovNCMDSaBLSmcmZ7w="; }; build-system = [ From e401c4e928dbac6ae64f4f70b72af253dcfcbec9 Mon Sep 17 00:00:00 2001 From: Jason Odoom Date: Wed, 11 Feb 2026 23:57:19 -0500 Subject: [PATCH 27/54] libsoup_3: add patch for CVE-2025-11021 Upstream patch: https://gitlab.gnome.org/GNOME/libsoup/-/commit/9e1a427d2f047439d0320defe1593e6352595788 Fixes: CVE-2025-11021 (cherry picked from commit 5618939936e7ae9d0939df1412520cc0f501687f) --- pkgs/development/libraries/libsoup/3.x.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/development/libraries/libsoup/3.x.nix b/pkgs/development/libraries/libsoup/3.x.nix index bc1c1c5489293..9e8d8fb5653ad 100644 --- a/pkgs/development/libraries/libsoup/3.x.nix +++ b/pkgs/development/libraries/libsoup/3.x.nix @@ -44,6 +44,11 @@ stdenv.mkDerivation rec { url = "https://gitlab.gnome.org/GNOME/libsoup/-/commit/2316e56a5502ac4c41ef4ff56a3266e680aca129.patch"; hash = "sha256-6TOM6sygVPpBWjTNgFG37JFbJDl0t2f9Iwidvh/isa4="; }) + (fetchpatch { + name = "CVE-2025-11021.patch"; + url = "https://gitlab.gnome.org/GNOME/libsoup/-/commit/9e1a427d2f047439d0320defe1593e6352595788.patch"; + hash = "sha256-08WiDnqg4//y8uPhIcV6svWdpRo27FmW+6DHy4OEZk8="; + }) ]; depsBuildBuild = [ From 6366e2d521820333a4b6c28e8e2886c29732f516 Mon Sep 17 00:00:00 2001 From: Wolfgang Walther Date: Tue, 10 Feb 2026 10:49:02 +0100 Subject: [PATCH 28/54] libpq: 18.1 -> 18.2 Release Notes: https://github.com/postgres/postgres/blob/REL_18_STABLE/doc/src/sgml/release-18.sgml (cherry picked from commit c9967163b89c10f8b4891a19f7d4003f013a1502) --- pkgs/servers/sql/postgresql/libpq.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/servers/sql/postgresql/libpq.nix b/pkgs/servers/sql/postgresql/libpq.nix index 0faf9f4f6ed52..393341f0c919d 100644 --- a/pkgs/servers/sql/postgresql/libpq.nix +++ b/pkgs/servers/sql/postgresql/libpq.nix @@ -40,14 +40,14 @@ stdenv.mkDerivation (finalAttrs: { pname = "libpq"; - version = "18.1"; + version = "18.2"; src = fetchFromGitHub { owner = "postgres"; repo = "postgres"; # rev, not tag, on purpose: see generic.nix. - rev = "refs/tags/REL_18_1"; - hash = "sha256-cZA2hWtr5RwsUrRWkvl/yvUzFPSfdtpyAKGXfrVUr0g="; + rev = "refs/tags/REL_18_2"; + hash = "sha256-cvBXxA7/kEwDGxFv/YoZCIh17jzUujrCtfKAmtSxKTw="; }; __structuredAttrs = true; From 2734a39cd5e4c003374ce5ac7093449485323735 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Mon, 5 Jan 2026 09:34:37 +0000 Subject: [PATCH 29/54] mimir: 3.0.1 -> 3.0.2 (cherry picked from commit 378d0f3313be5fb5f9183087ace34885d28f1e60) --- pkgs/by-name/mi/mimir/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/mi/mimir/package.nix b/pkgs/by-name/mi/mimir/package.nix index ebc6e2bfead33..c2e42872e1aae 100644 --- a/pkgs/by-name/mi/mimir/package.nix +++ b/pkgs/by-name/mi/mimir/package.nix @@ -7,13 +7,13 @@ }: buildGoModule (finalAttrs: { pname = "mimir"; - version = "3.0.1"; + version = "3.0.2"; src = fetchFromGitHub { rev = "mimir-${finalAttrs.version}"; owner = "grafana"; repo = "mimir"; - hash = "sha256-tYGzU/sn6KLLetDmAyph5u8bCocmfF4ZysTkOCSVf+U="; + hash = "sha256-8dym3E6VinpExE4A+ekbhiQ+Zhwvue6/s1mAhBkwPMU="; }; vendorHash = null; From 0316de609448576ffb5db5480cee1f77ce104be2 Mon Sep 17 00:00:00 2001 From: "Adam C. Stephens" Date: Wed, 11 Feb 2026 22:57:11 -0500 Subject: [PATCH 30/54] mimir: 3.0.2 -> 3.0.3 Changelog: https://github.com/grafana/mimir/releases/tag/mimir-3.0.3 (cherry picked from commit b85d69c79c07d711660ea558c61168e4979fb1de) --- pkgs/by-name/mi/mimir/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/mi/mimir/package.nix b/pkgs/by-name/mi/mimir/package.nix index c2e42872e1aae..739d2c1a9a6a0 100644 --- a/pkgs/by-name/mi/mimir/package.nix +++ b/pkgs/by-name/mi/mimir/package.nix @@ -7,13 +7,13 @@ }: buildGoModule (finalAttrs: { pname = "mimir"; - version = "3.0.2"; + version = "3.0.3"; src = fetchFromGitHub { rev = "mimir-${finalAttrs.version}"; owner = "grafana"; repo = "mimir"; - hash = "sha256-8dym3E6VinpExE4A+ekbhiQ+Zhwvue6/s1mAhBkwPMU="; + hash = "sha256-OUFmtHGGDU1+7EwfGVzrjPS2hqba0FfIuQl0V7up9Yk="; }; vendorHash = null; From d251f26173fc8a4deda62dd364c9b49621967c26 Mon Sep 17 00:00:00 2001 From: Dmitry Kalinkin Date: Fri, 13 Feb 2026 16:22:43 -0500 Subject: [PATCH 31/54] unzip: vendor CVE-2021-2417.patch Patch was obtained from the official Hyra binary cache nix-store -r /nix/store/f3pxcmnazzmxsmc5b6rbbnkh8nzlx3bl-CVE-2021-4217.patch (cherry picked from commit 1220da2c65a420982e638739cd133a697b334c7b) --- pkgs/by-name/un/unzip/CVE-2021-4217.patch | 47 +++++++++++++++++++++++ pkgs/by-name/un/unzip/package.nix | 6 +-- 2 files changed, 48 insertions(+), 5 deletions(-) create mode 100644 pkgs/by-name/un/unzip/CVE-2021-4217.patch diff --git a/pkgs/by-name/un/unzip/CVE-2021-4217.patch b/pkgs/by-name/un/unzip/CVE-2021-4217.patch new file mode 100644 index 0000000000000..9344d1d0cf8dc --- /dev/null +++ b/pkgs/by-name/un/unzip/CVE-2021-4217.patch @@ -0,0 +1,47 @@ +From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001 +From: Nils Bars +Date: Mon, 17 Jan 2022 16:53:16 +0000 +Subject: [PATCH] Fix null pointer dereference and use of uninitialized data + +This fixes a bug that causes use of uninitialized heap data if `readbuf` fails +to read as many bytes as indicated by the extra field length attribute. +Furthermore, this fixes a null pointer dereference if an archive contains an +`EF_UNIPATH` extra field but does not have a filename set. +--- + fileio.c | 5 ++++- + process.c | 6 +++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/fileio.c ++++ b/fileio.c +@@ -2310,8 +2310,11 @@ int do_string(__G__ length, option) /* + seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes + + (G.inptr-G.inbuf) + length); + } else { +- if (readbuf(__G__ (char *)G.extra_field, length) == 0) ++ unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length); ++ if (bytes_read == 0) + return PK_EOF; ++ if (bytes_read != length) ++ return PK_ERR; + /* Looks like here is where extra fields are read */ + if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) + { +--- a/process.c ++++ b/process.c +@@ -2067,10 +2067,14 @@ int getUnicodeData(__G__ ef_buf, ef_len) + G.unipath_checksum = makelong(offset + ef_buf); + offset += 4; + ++ if (!G.filename_full) { ++ /* Check if we have a unicode extra section but no filename set */ ++ return PK_ERR; ++ } ++ + /* + * Compute 32-bit crc + */ +- + chksum = crc32(chksum, (uch *)(G.filename_full), + strlen(G.filename_full)); + diff --git a/pkgs/by-name/un/unzip/package.nix b/pkgs/by-name/un/unzip/package.nix index 1b35d4f52f936..37f9b313a1d0d 100644 --- a/pkgs/by-name/un/unzip/package.nix +++ b/pkgs/by-name/un/unzip/package.nix @@ -73,11 +73,7 @@ stdenv.mkDerivation rec { # Clang 16 makes implicit declarations an error by default for C99 and newer, causing the # configure script to fail to detect errno and the directory libraries on Darwin. ./implicit-declarations-fix.patch - (fetchurl { - name = "CVE-2021-4217.patch"; - url = "https://git.launchpad.net/ubuntu/+source/unzip/plain/debian/patches/CVE-2021-4217.patch?id=94a790fcbb5d6c53cdf5d786bcaa0b8dc10309b6"; - hash = "sha256-YKE4jVNSlrHLbszXNYYRtAQs0ly4AsodEz6tadMIVqE="; - }) + ./CVE-2021-4217.patch ] ++ lib.optional enableNLS (fetchurl { url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/app-arch/unzip/files/unzip-6.0-natspec.patch?id=56bd759df1d0c750a065b8c845e93d5dfa6b549d"; From 529cd1c52d0c6e206681a8b98aa50a00b9439fe1 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Tue, 10 Feb 2026 00:28:43 +0000 Subject: [PATCH 32/54] capstone: 5.0.6 -> 5.0.7 (cherry picked from commit c12ba2de5b7ee4212cc0826c4d8ad4ae20afea29) --- pkgs/development/libraries/capstone/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/capstone/default.nix b/pkgs/development/libraries/capstone/default.nix index 5fd139afecce9..5689bb07ff4ec 100644 --- a/pkgs/development/libraries/capstone/default.nix +++ b/pkgs/development/libraries/capstone/default.nix @@ -8,13 +8,13 @@ stdenv.mkDerivation rec { pname = "capstone"; - version = "5.0.6"; + version = "5.0.7"; src = fetchFromGitHub { owner = "capstone-engine"; repo = "capstone"; rev = version; - hash = "sha256-ovIvsxVq+/q5UUMzP4WpxzaE0898uayNc1g2Coignnc="; + hash = "sha256-+6QReHZK+iIXspizy6Kvk7cj016HOKgiaKSaP4h7mao="; }; cmakeFlags = [ From d8c60a87c9fe39363c96c7c1ff3d1d02a14ee439 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Thu, 29 Jan 2026 13:08:18 +0000 Subject: [PATCH 33/54] libvpx: 1.15.2 -> 1.16.0 https://github.com/webmproject/libvpx/raw/v1.16.0/CHANGELOG (cherry picked from commit 9674df814d36ece48b7ce5031475fefcebf3ae44) --- pkgs/by-name/li/libvpx/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libvpx/package.nix b/pkgs/by-name/li/libvpx/package.nix index 3887adeddd399..c25668287dd34 100644 --- a/pkgs/by-name/li/libvpx/package.nix +++ b/pkgs/by-name/li/libvpx/package.nix @@ -131,13 +131,13 @@ assert isCygwin -> unitTestsSupport && webmIOSupport && libyuvSupport; stdenv.mkDerivation rec { pname = "libvpx"; - version = "1.15.2"; + version = "1.16.0"; src = fetchFromGitHub { owner = "webmproject"; repo = "libvpx"; rev = "v${version}"; - hash = "sha256-1F5Zlue2DY1yJXwfDfGeh3KcFTQVo9voHcGkgItKgh0="; + hash = "sha256-z1Ov3BHnAGuayeY4D86oTRiDfuZ2Wpc4ZD7pXGaakVI="; }; postPatch = '' From 23869dd3f201686728e1a46e598d31c38c150e34 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 17 Feb 2026 19:37:42 +0100 Subject: [PATCH 34/54] zlib: 1.3.1 -> 1.3.2 https://github.com/madler/zlib/releases/tag/v1.3.2 https://github.com/madler/zlib/compare/v1.3.1...v1.3.2 https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf (cherry picked from commit 0f8161a0ef3d8494d8edfd3c8c12a3ae67331faf) --- pkgs/development/libraries/zlib/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/zlib/default.nix b/pkgs/development/libraries/zlib/default.nix index cf8664c78e4fb..6808a2ca0ae53 100644 --- a/pkgs/development/libraries/zlib/default.nix +++ b/pkgs/development/libraries/zlib/default.nix @@ -27,7 +27,7 @@ assert splitStaticOutput -> static; stdenv.mkDerivation (finalAttrs: { pname = "zlib"; - version = "1.3.1"; + version = "1.3.2"; src = let @@ -40,7 +40,7 @@ stdenv.mkDerivation (finalAttrs: { # Stable archive path, but captcha can be encountered, causing hash mismatch. "https://www.zlib.net/fossils/zlib-${version}.tar.gz" ]; - hash = "sha256-mpOyt9/ax3zrpaVYpYDnRmfdb+3kWFuR7vtg8Dty3yM="; + hash = "sha256-uzKaCizQJ00FUZ1hxmfAYuBpkNcuEl7i36jeZPARnRY="; }; postPatch = lib.optionalString stdenv.hostPlatform.isDarwin '' From 903014c709a70b837a1cbac4f55af59f085b9396 Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Tue, 17 Feb 2026 22:19:41 +0100 Subject: [PATCH 35/54] perlPackages.CryptURandom: 0.54 -> 0.55 Fixes CVE-2026-2474 Fixes #491497 https://metacpan.org/release/DDICK/Crypt-URandom-0.55/source/Changes (cherry picked from commit affe1930a70a1a5a8655ebe722c1c6d0a3b75705) --- pkgs/top-level/perl-packages.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix index 736680205bab5..4e7a38b4e1389 100644 --- a/pkgs/top-level/perl-packages.nix +++ b/pkgs/top-level/perl-packages.nix @@ -7453,10 +7453,10 @@ with self; CryptURandom = buildPerlPackage { pname = "Crypt-URandom"; - version = "0.54"; + version = "0.55"; src = fetchurl { - url = "mirror://cpan/authors/id/D/DD/DDICK/Crypt-URandom-0.54.tar.gz"; - hash = "sha256-SnPNOUkzMo2khKrrhkXXNbNUZd9gEJ5VngoosGYFOlc="; + url = "mirror://cpan/authors/id/D/DD/DDICK/Crypt-URandom-0.55.tar.gz"; + hash = "sha256-759EFBBzwTVz6FsUj/mpCJxFglt9ZgjYMuQmOJnTotQ="; }; meta = { description = "Provide non blocking randomness"; From 5dc0d4be008662d705f355998d22f4e9d9510868 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Wed, 18 Feb 2026 20:45:57 +0000 Subject: [PATCH 36/54] nss: 3.112.2 -> 3.112.3 (cherry picked from commit 7274737f3aab719ab2d9c3862643927fee9adec4) --- pkgs/development/libraries/nss/esr.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/nss/esr.nix b/pkgs/development/libraries/nss/esr.nix index c7e53ae11ab65..6e835d0dc71fb 100644 --- a/pkgs/development/libraries/nss/esr.nix +++ b/pkgs/development/libraries/nss/esr.nix @@ -1,6 +1,6 @@ import ./generic.nix { - version = "3.112.2"; - hash = "sha256-hK0TovR0LrVkB96BwCnhwaljDSElR85fnobzCa9+uKo="; + version = "3.112.3"; + hash = "sha256-1gOfP3HM1irGuJ+ln6n1toJC46+K5Z7pGm26vSryU7M="; filename = "esr.nix"; versionRegex = "NSS_(3)_(112)(?:_(\\d+))?_RTM"; } From 49c0ad08b5b3bf10d434ceb68fc6766d68c11e50 Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Thu, 19 Feb 2026 13:17:45 +0100 Subject: [PATCH 37/54] alsa-lib: apply patch for CVE-2026-25068 Fixes #488125 (cherry picked from commit 4ba4d670a6e8847392fd905908d7f73b0498e559) --- pkgs/by-name/al/alsa-lib/package.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkgs/by-name/al/alsa-lib/package.nix b/pkgs/by-name/al/alsa-lib/package.nix index d0768cf443e31..b2c7252329e81 100644 --- a/pkgs/by-name/al/alsa-lib/package.nix +++ b/pkgs/by-name/al/alsa-lib/package.nix @@ -2,6 +2,7 @@ lib, stdenv, fetchurl, + fetchpatch, alsa-topology-conf, alsa-ucm-conf, testers, @@ -23,6 +24,11 @@ stdenv.mkDerivation (finalAttrs: { # "libs" field to declare locations for both native and 32bit plugins, in # order to support apps with 32bit sound running on x86_64 architecture. ./alsa-plugin-conf-multilib.patch + (fetchpatch { + name = "CVE-2026-25068.patch"; + url = "https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40.patch"; + hash = "sha256-4memtcg+FDOctX6wgiCdmnlG+IUS+5rL1f3LcsWS5lw="; + }) ]; enableParallelBuilding = true; From e6ca949881bf621b8e9874a88b1f8e6dab63cb1d Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Sat, 3 Jan 2026 16:42:41 +0000 Subject: [PATCH 38/54] cacert: 3.117 -> 3.119.1 (cherry picked from commit 30ddbcaf2f4f51d4676e5cd644a3e088e5f6a57e) --- pkgs/by-name/ca/cacert/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/ca/cacert/package.nix b/pkgs/by-name/ca/cacert/package.nix index e92080542defb..ccfb2b777d96d 100644 --- a/pkgs/by-name/ca/cacert/package.nix +++ b/pkgs/by-name/ca/cacert/package.nix @@ -23,7 +23,7 @@ let lib.concatStringsSep "\n\n" extraCertificateStrings ); - srcVersion = "3.117"; + srcVersion = "3.119.1"; version = if nssOverride != null then nssOverride.version else srcVersion; meta = { homepage = "https://curl.haxx.se/docs/caextract.html"; @@ -47,7 +47,7 @@ let owner = "nss-dev"; repo = "nss"; rev = "NSS_${lib.replaceStrings [ "." ] [ "_" ] version}_RTM"; - hash = "sha256-sAs0TiV3TK/WtgHvEjl2KFAgebyWZYmcRcmxjpn2AME="; + hash = "sha256-GxLTqHcVWGiFezcwdctXJ8k9wqizVJPHyLBPZzphLro="; }; dontBuild = true; From 0c70e4580b16c06f0db02186db1d58c0cce8ac8f Mon Sep 17 00:00:00 2001 From: Silvan Mosberger Date: Thu, 20 Nov 2025 00:04:02 +0100 Subject: [PATCH 39/54] cacert: Improve sourcing Switch to fetching only certdata.txt directly from the upstream repository (and a mirror), because: - While it's possible to deduct that github/nss-dev is an NSS-project-owned mirror repository, it's not trivial: - Go to the homepage: https://firefox-source-docs.mozilla.org/security/nss/index.html - Navigate to the source, e.g. https://phabricator.services.mozilla.com/source/nss/ - Check the readme.md, which mentions github.com/nss-dev/nss - GitHub is a mirror of the Mercurial repository, and while I was able to confirm that the latest version does match, it leaves more room for a malicious actor: - It's unknown who owns the nss-dev GitHub organisation, there's no public members and no contact information - The mirroring automation from Mercurial to GitHub is not documented - Git hashes by necessity don't match Mercurial hashes, so it's not easy to verify that they match - Previously the build and update script were more complicated and slow by depending on the entire source, when we really only need a single file. Furthermore, update the meta.homepage to point to the actual page that mentions the root certificates, because the old one pointed to a curl page which we don't even use anymore (if we ever even did, Git history is inconclusive) The cacert build was verified to be unchanged (cherry picked from commit 0e7826fd7ab978c1d214f4068692ecf89422f65a) --- pkgs/by-name/ca/cacert/package.nix | 59 ++++++++++++------------------ pkgs/by-name/ca/cacert/update.sh | 4 +- 2 files changed, 25 insertions(+), 38 deletions(-) diff --git a/pkgs/by-name/ca/cacert/package.nix b/pkgs/by-name/ca/cacert/package.nix index ccfb2b777d96d..5d41238dcaebe 100644 --- a/pkgs/by-name/ca/cacert/package.nix +++ b/pkgs/by-name/ca/cacert/package.nix @@ -2,15 +2,12 @@ lib, stdenv, writeText, - fetchFromGitHub, + fetchurl, buildcatrust, blacklist ? [ ], extraCertificateFiles ? [ ], extraCertificateStrings ? [ ], - # Used by update.sh - nssOverride ? null, - # Used for tests only runCommand, cacert, @@ -23,10 +20,9 @@ let lib.concatStringsSep "\n\n" extraCertificateStrings ); - srcVersion = "3.119.1"; - version = if nssOverride != null then nssOverride.version else srcVersion; + version = "3.119.1"; meta = { - homepage = "https://curl.haxx.se/docs/caextract.html"; + homepage = "https://firefox-source-docs.mozilla.org/security/nss/runbooks/rootstore.html#root-store-consumers"; description = "Bundle of X.509 certificates of public Certificate Authorities (CA)"; platforms = lib.platforms.all; maintainers = with lib.maintainers; [ @@ -35,40 +31,31 @@ let ]; license = lib.licenses.mpl20; }; - certdata = stdenv.mkDerivation { - pname = "nss-cacert-certdata"; - inherit version; - - src = - if nssOverride != null then - nssOverride.src - else - fetchFromGitHub { - owner = "nss-dev"; - repo = "nss"; - rev = "NSS_${lib.replaceStrings [ "." ] [ "_" ] version}_RTM"; - hash = "sha256-GxLTqHcVWGiFezcwdctXJ8k9wqizVJPHyLBPZzphLro="; - }; - - dontBuild = true; - - installPhase = '' - runHook preInstall - - mkdir $out - cp lib/ckfw/builtins/certdata.txt $out - - runHook postInstall - ''; - - inherit meta; - }; in stdenv.mkDerivation { pname = "nss-cacert"; inherit version; - src = certdata; + src = fetchurl { + urls = + let + # This file is effectively a public interface, see the homepage link + file = "lib/ckfw/builtins/certdata.txt"; + tag = "NSS_${lib.replaceStrings [ "." ] [ "_" ] version}_RTM"; + in + [ + # Prefer mercurial as the canonical source, while github is just a mirror + "https://hg-edge.mozilla.org/projects/nss/raw-file/${tag}/${file}" + "https://raw.githubusercontent.com/nss-dev/nss/refs/tags/${tag}/${file}" + ]; + hash = "sha256-qQOzzQUjHjkzJRXvfr435pcmLzlRWlIBXCPGKAW3PNA="; + }; + + unpackPhase = '' + runHook preUnpack + cp "$src" "$(stripHash "$src")" + runHook postUnpack + ''; outputs = [ "out" diff --git a/pkgs/by-name/ca/cacert/update.sh b/pkgs/by-name/ca/cacert/update.sh index d578102ad56bd..ca7c2969bda70 100755 --- a/pkgs/by-name/ca/cacert/update.sh +++ b/pkgs/by-name/ca/cacert/update.sh @@ -25,7 +25,7 @@ BASEDIR="$(dirname "$0")/../../../.." CURRENT_PATH=$(nix-build --no-out-link -A cacert.out) -PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.override { nssOverride = nss_latest; }).out") +PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.overrideAttrs { src = nss_latest.src + \"/lib/ckfw/builtins/certdata.txt\"; }).out") # Check the hash of the etc subfolder # We can't check the entire output as that contains the nix-support folder @@ -35,5 +35,5 @@ PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc") if [[ "$CURRENT_HASH" != "$PATCHED_HASH" ]]; then NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss_latest.version" | jq -r .) - update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION" + update-source-version cacert "$NSS_VERSION" fi From a21ff0cf03bb57c7b67ba64ab70e6b4019e865a5 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Fri, 20 Feb 2026 11:20:35 +0100 Subject: [PATCH 40/54] cacert: 3.119.1 -> 3.121 https://github.com/nss-dev/nss/blob/master/doc/rst/releases/nss_3_121.rst (cherry picked from commit b972c9e279446bfb4efa7326ef8a2096f856498e) --- pkgs/by-name/ca/cacert/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/ca/cacert/package.nix b/pkgs/by-name/ca/cacert/package.nix index 5d41238dcaebe..61c9fcded8c6b 100644 --- a/pkgs/by-name/ca/cacert/package.nix +++ b/pkgs/by-name/ca/cacert/package.nix @@ -20,7 +20,7 @@ let lib.concatStringsSep "\n\n" extraCertificateStrings ); - version = "3.119.1"; + version = "3.121"; meta = { homepage = "https://firefox-source-docs.mozilla.org/security/nss/runbooks/rootstore.html#root-store-consumers"; description = "Bundle of X.509 certificates of public Certificate Authorities (CA)"; @@ -48,7 +48,7 @@ stdenv.mkDerivation { "https://hg-edge.mozilla.org/projects/nss/raw-file/${tag}/${file}" "https://raw.githubusercontent.com/nss-dev/nss/refs/tags/${tag}/${file}" ]; - hash = "sha256-qQOzzQUjHjkzJRXvfr435pcmLzlRWlIBXCPGKAW3PNA="; + hash = "sha256-O5jU4/9XoybZWHwzYzA5yMOpzwtV98pYHXWY/zKesfM="; }; unpackPhase = '' From 023f1d080f98f75ae2c3ef2c470f2ee88dd966bd Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Thu, 19 Feb 2026 10:22:17 +0000 Subject: [PATCH 41/54] libsoup_3: 3.6.5 -> 3.6.6 (cherry picked from commit 28ab6fa50e136e95cb0c3590fcfd01edfc7b866a) --- pkgs/development/libraries/libsoup/3.x.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/libsoup/3.x.nix b/pkgs/development/libraries/libsoup/3.x.nix index 9e8d8fb5653ad..dd544a843201e 100644 --- a/pkgs/development/libraries/libsoup/3.x.nix +++ b/pkgs/development/libraries/libsoup/3.x.nix @@ -25,7 +25,7 @@ stdenv.mkDerivation rec { pname = "libsoup"; - version = "3.6.5"; + version = "3.6.6"; outputs = [ "out" @@ -35,7 +35,7 @@ stdenv.mkDerivation rec { src = fetchurl { url = "mirror://gnome/sources/${pname}/${lib.versions.majorMinor version}/${pname}-${version}.tar.xz"; - hash = "sha256-aJF2Wqw+lJAXlFw+rr2MyCFt93JFbcn0YJdvvbetojQ="; + hash = "sha256-Ue0K4G+dWkD0Af9Fni5fZS+aUQt3MOE1nuZtFNSHJ0A="; }; patches = [ From b19e8c0a82fb87e23c3634c2fb33194d151258ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Tue, 24 Feb 2026 07:43:33 +0100 Subject: [PATCH 42/54] libsoup_3: add .meta.changelog In particular, this will simplify reviewing automatic update PRs. (cherry picked from commit 53d5b5cbcde5aa30ab05c651b9c9bbe6007c8b23) --- pkgs/development/libraries/libsoup/3.x.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/development/libraries/libsoup/3.x.nix b/pkgs/development/libraries/libsoup/3.x.nix index dd544a843201e..82bff765c6495 100644 --- a/pkgs/development/libraries/libsoup/3.x.nix +++ b/pkgs/development/libraries/libsoup/3.x.nix @@ -126,6 +126,7 @@ stdenv.mkDerivation rec { description = "HTTP client/server library for GNOME"; homepage = "https://gitlab.gnome.org/GNOME/libsoup"; license = lib.licenses.lgpl2Plus; + changelog = "https://gitlab.gnome.org/GNOME/libsoup/-/blob/${version}/NEWS"; inherit (glib.meta) maintainers platforms teams; }; } From 84d06fdea37e8ae03859b9d6efd65c0e2aa86c8a Mon Sep 17 00:00:00 2001 From: Tom Hunze Date: Sat, 7 Feb 2026 11:53:40 +0100 Subject: [PATCH 43/54] python3Packages.exceptiongroup: fix build after cpython repr changes CPython fixed https://github.com/python/cpython/issues/141732 in https://github.com/python/cpython/pull/141736, but exceptiongroup 1.3.1, including its test suite, still matches the old repr behavior. The CPython fix has only been backported to 3.13 so far, where it was first included in version 3.13.12, so we only need to patch for 3.13 and 3.15+. Upstream issue: https://github.com/agronholm/exceptiongroup/issues/154 (cherry picked from commit 294b175b8b1507d80efd7dd2407eb45770e695d2) --- .../python-modules/exceptiongroup/default.nix | 10 ++++ .../exceptiongroup/match-repr-fix.patch | 48 +++++++++++++++++++ 2 files changed, 58 insertions(+) create mode 100644 pkgs/development/python-modules/exceptiongroup/match-repr-fix.patch diff --git a/pkgs/development/python-modules/exceptiongroup/default.nix b/pkgs/development/python-modules/exceptiongroup/default.nix index 2e8cdbff1c702..af18b36dc295c 100644 --- a/pkgs/development/python-modules/exceptiongroup/default.nix +++ b/pkgs/development/python-modules/exceptiongroup/default.nix @@ -6,6 +6,7 @@ pytestCheckHook, pythonAtLeast, pythonOlder, + isPy313, typing-extensions, }: @@ -23,6 +24,15 @@ buildPythonPackage rec { hash = "sha256-b3Z1NsYKp0CecUq8kaC/j3xR/ZZHDIw4MhUeadizz88="; }; + # CPython fixed https://github.com/python/cpython/issues/141732 in + # https://github.com/python/cpython/pull/141736, but exceptiongroup 1.3.1, + # including its test suite, still matches the old repr behavior. + # The CPython fix has only been backported to 3.13 so far, where it was + # first included in version 3.13.12, so we only need to patch for 3.13 + # and 3.15+. + # Upstream issue: https://github.com/agronholm/exceptiongroup/issues/154 + patches = lib.optional (isPy313 || pythonAtLeast "3.15") ./match-repr-fix.patch; + build-system = [ flit-scm ]; dependencies = lib.optionals (pythonOlder "3.13") [ typing-extensions ]; diff --git a/pkgs/development/python-modules/exceptiongroup/match-repr-fix.patch b/pkgs/development/python-modules/exceptiongroup/match-repr-fix.patch new file mode 100644 index 0000000000000..ed09c9f39600c --- /dev/null +++ b/pkgs/development/python-modules/exceptiongroup/match-repr-fix.patch @@ -0,0 +1,48 @@ +From 9be2b65dbd8366da27cd79c09195493217dbf539 Mon Sep 17 00:00:00 2001 +From: Tom Hunze +Date: Sat, 7 Feb 2026 11:37:49 +0100 +Subject: [PATCH] Fix `ExceptionGroup` repr changing when original exception + sequence is mutated + +https://github.com/python/cpython/pull/141736 +--- + src/exceptiongroup/_exceptions.py | 3 ++- + tests/test_exceptions.py | 3 +-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/exceptiongroup/_exceptions.py b/src/exceptiongroup/_exceptions.py +index f42c1ad..996d8e1 100644 +--- a/src/exceptiongroup/_exceptions.py ++++ b/src/exceptiongroup/_exceptions.py +@@ -101,6 +101,7 @@ class BaseExceptionGroup(BaseException, Generic[_BaseExceptionT_co]): + ) + + instance = super().__new__(cls, __message, __exceptions) ++ instance._exceptions_str = repr(__exceptions) + instance._exceptions = tuple(__exceptions) + return instance + +@@ -275,7 +276,7 @@ class BaseExceptionGroup(BaseException, Generic[_BaseExceptionT_co]): + return f"{self.message} ({len(self._exceptions)} sub-exception{suffix})" + + def __repr__(self) -> str: +- return f"{self.__class__.__name__}({self.args[0]!r}, {self.args[1]!r})" ++ return f"{self.__class__.__name__}({self.args[0]!r}, {self._exceptions_str})" + + + class ExceptionGroup(BaseExceptionGroup[_ExceptionT_co], Exception): +diff --git a/tests/test_exceptions.py b/tests/test_exceptions.py +index e2bc81a..a253236 100644 +--- a/tests/test_exceptions.py ++++ b/tests/test_exceptions.py +@@ -883,6 +883,5 @@ def test_exceptions_mutate_original_sequence(): + exceptions.append(KeyError("bar")) + assert excgrp.exceptions is exc_tuple + assert repr(excgrp) == ( +- "BaseExceptionGroup('foo', [ValueError(1), KeyboardInterrupt(), " +- "KeyError('bar')])" ++ "BaseExceptionGroup('foo', [ValueError(1), KeyboardInterrupt()])" + ) +-- +2.51.2 + From 8248847075845eed2a85ca883d52078b3be3cc1f Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 5 Nov 2025 01:57:08 +0100 Subject: [PATCH 44/54] python314Packages.exceptiongroup: disable failing tests (cherry picked from commit 2cfaed45cfcc8c5c9fc243a2308c060e6efdfb0c) --- pkgs/development/python-modules/exceptiongroup/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkgs/development/python-modules/exceptiongroup/default.nix b/pkgs/development/python-modules/exceptiongroup/default.nix index af18b36dc295c..2aea62325c6bf 100644 --- a/pkgs/development/python-modules/exceptiongroup/default.nix +++ b/pkgs/development/python-modules/exceptiongroup/default.nix @@ -41,6 +41,12 @@ buildPythonPackage rec { doCheck = pythonAtLeast "3.11"; # infinite recursion with pytest + disabledTests = lib.optionals (pythonAtLeast "3.14") [ + # RecursionError not raised + "test_deep_split" + "test_deep_subgroup" + ]; + pythonImportsCheck = [ "exceptiongroup" ]; meta = { From 7b1d3304d9da5a658f5df7dc27d41aa2cca49379 Mon Sep 17 00:00:00 2001 From: whispers Date: Tue, 24 Feb 2026 21:05:58 -0500 Subject: [PATCH 45/54] alsa-lib: fix patch for CVE-2026-25068 for v1.2.14 #492079 introduced a patch for CVE-2026-25068, which was backported to staging-25.11 in #492453. However, the patch fails to compile when ported directly to 25.11 since the way of doing error handling changed from an `SNDERR` macro to an `snd_error` function between v1.2.14 (which is on 25.11) and on v1.2.15. In order to fix this, we vendor the patch and change the offending line like so: ```diff - + snd_error(TOPOLOGY, "mixer: unexpected channel count %d", map->num_channels); + + SNDERR("mixer: unexpected channel count %d", map->num_channels); ``` Not-cherry-picked-because: fix that does not apply to unstable since it is on a later version of package --- pkgs/by-name/al/alsa-lib/CVE-2026-25068.patch | 31 +++++++++++++++++++ pkgs/by-name/al/alsa-lib/package.nix | 16 ++++++---- 2 files changed, 41 insertions(+), 6 deletions(-) create mode 100644 pkgs/by-name/al/alsa-lib/CVE-2026-25068.patch diff --git a/pkgs/by-name/al/alsa-lib/CVE-2026-25068.patch b/pkgs/by-name/al/alsa-lib/CVE-2026-25068.patch new file mode 100644 index 0000000000000..7aa23ea7c1981 --- /dev/null +++ b/pkgs/by-name/al/alsa-lib/CVE-2026-25068.patch @@ -0,0 +1,31 @@ +From 5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40 Mon Sep 17 00:00:00 2001 +From: Jaroslav Kysela +Date: Thu, 29 Jan 2026 16:51:09 +0100 +Subject: [PATCH] topology: decoder - add boundary check for channel mixer + count + +Malicious binary topology file may cause heap corruption. + +CVE: CVE-2026-25068 + +Signed-off-by: Jaroslav Kysela +--- + src/topology/ctl.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/topology/ctl.c b/src/topology/ctl.c +index a0c24518..322c461c 100644 +--- a/src/topology/ctl.c ++++ b/src/topology/ctl.c +@@ -1250,6 +1250,11 @@ int tplg_decode_control_mixer1(snd_tplg_t *tplg, + if (mc->num_channels > 0) { + map = tplg_calloc(heap, sizeof(*map)); + map->num_channels = mc->num_channels; ++ if (map->num_channels > SND_TPLG_MAX_CHAN || ++ map->num_channels > SND_SOC_TPLG_MAX_CHAN) { ++ SNDERR("mixer: unexpected channel count %d", map->num_channels); ++ return -EINVAL; ++ } + for (i = 0; i < map->num_channels; i++) { + map->channel[i].reg = mc->channel[i].reg; + map->channel[i].shift = mc->channel[i].shift; diff --git a/pkgs/by-name/al/alsa-lib/package.nix b/pkgs/by-name/al/alsa-lib/package.nix index b2c7252329e81..1ced2ec453612 100644 --- a/pkgs/by-name/al/alsa-lib/package.nix +++ b/pkgs/by-name/al/alsa-lib/package.nix @@ -2,7 +2,6 @@ lib, stdenv, fetchurl, - fetchpatch, alsa-topology-conf, alsa-ucm-conf, testers, @@ -24,11 +23,16 @@ stdenv.mkDerivation (finalAttrs: { # "libs" field to declare locations for both native and 32bit plugins, in # order to support apps with 32bit sound running on x86_64 architecture. ./alsa-plugin-conf-multilib.patch - (fetchpatch { - name = "CVE-2026-25068.patch"; - url = "https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40.patch"; - hash = "sha256-4memtcg+FDOctX6wgiCdmnlG+IUS+5rL1f3LcsWS5lw="; - }) + + # Patch for CVE-2026-25058. Relies on a function `snd_error` which does not + # exist in alsa-lib 1.2.14, so we vendor the change to use the old `SNDERR` + # macro instead. + # + # Upstream fix: + # https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40 + # Introduction of `snd_error`: + # https://github.com/alsa-project/alsa-lib/commit/62c8e635dcce3d750985505ad20f8711d6dabf0d + ./CVE-2026-25068.patch ]; enableParallelBuilding = true; From df7d074b98131dd39eb37a95adfe06cb60874909 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sat, 7 Feb 2026 14:53:20 +0100 Subject: [PATCH 46/54] python3Packages.tkinter: work around wantobjects resource This is only supported when running with `python -m test` through libregrtest. (cherry picked from commit ed442821a11a46fe75494d17a787b1b3e832c3eb) https://hydra.nixos.org/build/322755322/nixlog/3/tail --- pkgs/development/python-modules/tkinter/default.nix | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/pkgs/development/python-modules/tkinter/default.nix b/pkgs/development/python-modules/tkinter/default.nix index 233b2b2b0e4a9..4b7a0477c15fa 100644 --- a/pkgs/development/python-modules/tkinter/default.nix +++ b/pkgs/development/python-modules/tkinter/default.nix @@ -5,6 +5,7 @@ replaceVars, setuptools, python, + pythonAtLeast, pythonOlder, tcl, tclPackages, @@ -74,6 +75,18 @@ buildPythonPackage { preCheck = '' cd $NIX_BUILD_TOP/Python-*/Lib export HOME=$TMPDIR + '' + + lib.optionalString (pythonAtLeast "3.13" && pythonOlder "3.15") '' + # https://github.com/python/cpython/pull/143570 + # wantobject resources are only supported via libregrtest + substituteInPlace \ + test/test_tcl.py \ + test/test_ttk/__init__.py \ + test/test_tkinter/__init__.py \ + test/test_tkinter/support.py \ + --replace-fail \ + "support.get_resource_value('wantobjects')" \ + "0" ''; checkPhase = From 9812196e6b66490c1ba73710f899f7c912f21d03 Mon Sep 17 00:00:00 2001 From: whispers Date: Wed, 25 Feb 2026 00:11:00 -0500 Subject: [PATCH 47/54] libsoup_3: drop patches incorporated in 3.6.6 This package currently fails to build during the patch application step as it includes patches that were incorporated into libsoup 3.6.6. These patches were introduced in #468891 and #489681. Since they are now part of a regular release, we thus drop these patches. The List of commits where these changes are present can be seen at https://gitlab.gnome.org/GNOME/libsoup/-/compare/3.6.5...3.6.6. (cherry picked from commit fa666582c559f2ba5c7dcd3b10c15e2ec69d6c10) https://hydra.nixos.org/build/322622408/nixlog/1/tail --- pkgs/development/libraries/libsoup/3.x.nix | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/pkgs/development/libraries/libsoup/3.x.nix b/pkgs/development/libraries/libsoup/3.x.nix index 82bff765c6495..3b82e60baaa66 100644 --- a/pkgs/development/libraries/libsoup/3.x.nix +++ b/pkgs/development/libraries/libsoup/3.x.nix @@ -2,7 +2,6 @@ stdenv, lib, fetchurl, - fetchpatch, glib, meson, ninja, @@ -38,19 +37,6 @@ stdenv.mkDerivation rec { hash = "sha256-Ue0K4G+dWkD0Af9Fni5fZS+aUQt3MOE1nuZtFNSHJ0A="; }; - patches = [ - (fetchpatch { - name = "soup-init-use-libdl-instead-of-gmodule-in-soup2_is_loaded.patch"; - url = "https://gitlab.gnome.org/GNOME/libsoup/-/commit/2316e56a5502ac4c41ef4ff56a3266e680aca129.patch"; - hash = "sha256-6TOM6sygVPpBWjTNgFG37JFbJDl0t2f9Iwidvh/isa4="; - }) - (fetchpatch { - name = "CVE-2025-11021.patch"; - url = "https://gitlab.gnome.org/GNOME/libsoup/-/commit/9e1a427d2f047439d0320defe1593e6352595788.patch"; - hash = "sha256-08WiDnqg4//y8uPhIcV6svWdpRo27FmW+6DHy4OEZk8="; - }) - ]; - depsBuildBuild = [ pkg-config ]; From 0eb9bf4ff43b928476f5eaa0d8fdd938386f3eaf Mon Sep 17 00:00:00 2001 From: Doron Behar Date: Mon, 16 Feb 2026 13:52:09 +0200 Subject: [PATCH 48/54] python314Packages.msrest: disable failing tests (cherry picked from commit f3e179d71020a7386d77464ed0fd212c5173a310) --- pkgs/development/python-modules/msrest/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/pkgs/development/python-modules/msrest/default.nix b/pkgs/development/python-modules/msrest/default.nix index 0e3062e4de945..435b5811657ec 100644 --- a/pkgs/development/python-modules/msrest/default.nix +++ b/pkgs/development/python-modules/msrest/default.nix @@ -70,6 +70,13 @@ buildPythonPackage { "test_eventgrid_domain_auth" ]; + disabledTestPaths = [ + # 2 AssertionErrors... See: + # https://github.com/Azure/msrest-for-python/issues/267 + "tests/asynctests/test_async_client.py::TestServiceClient::test_client_send" + "tests/test_client.py::TestServiceClient::test_client_send" + ]; + pythonImportsCheck = [ "msrest" ]; meta = { From 2e8ac25bb23119e0be3ffef9de97ccc65f19da90 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Sun, 22 Feb 2026 06:42:39 +0000 Subject: [PATCH 49/54] minizip: install missing `ints.h` header Without the change the `gtwebengine` fails to buil as: /nix/store/...-minizip-1.3.2/include/minizip/ioapi.h:74:10: fatal error: ints.h: No such file or directory 74 | #include "ints.h" | ^~~~~~~~ (cherry picked from commit 373ddfd70dcd2933ba3385c3a173f228381ee5f5) We're affected also here: https://hydra.nixos.org/build/322951570/nixlog/1 --- pkgs/by-name/mi/minizip/package.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/pkgs/by-name/mi/minizip/package.nix b/pkgs/by-name/mi/minizip/package.nix index 3a09845916197..e2e1757f03d47 100644 --- a/pkgs/by-name/mi/minizip/package.nix +++ b/pkgs/by-name/mi/minizip/package.nix @@ -3,12 +3,23 @@ stdenv, zlib, autoreconfHook, + fetchpatch, }: stdenv.mkDerivation { pname = "minizip"; inherit (zlib) src version; + patches = [ + # install missing header for qtwebengine: + # https://github.com/madler/zlib/pull/1178 + (fetchpatch { + name = "add-int.h.patch"; + url = "https://github.com/madler/zlib/commit/cb14dc9ade3759352417a300e6c2ed73268f1d97.patch"; + hash = "sha256-eX06nYLRPqpkbBAOso1ynGDYs9dcRAI14cG89qXuUzo="; + }) + ]; + patchFlags = [ "-p3" ]; nativeBuildInputs = [ autoreconfHook ]; From 174ec16960de4ba5635a586b9b3323533d2395ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Mon, 23 Feb 2026 08:54:24 +0100 Subject: [PATCH 50/54] certbot: pull an upstream patch to fix test This was caused by a python's patch-level bump. It broke the build (cherry picked from commit add68064f0a461ac065a8d4b31219f79b3c3b7e3) https://hydra.nixos.org/build/322840575/nixlog/1/tail --- pkgs/development/python-modules/certbot/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkgs/development/python-modules/certbot/default.nix b/pkgs/development/python-modules/certbot/default.nix index 662b4ca4c8a5e..08091a2328283 100644 --- a/pkgs/development/python-modules/certbot/default.nix +++ b/pkgs/development/python-modules/certbot/default.nix @@ -5,6 +5,7 @@ python, runCommand, fetchFromGitHub, + fetchpatch, configargparse, acme, configobj, @@ -34,6 +35,14 @@ buildPythonPackage rec { hash = "sha256-jKhdclLBeWv6IxIZQtD8VWbSQ3SDZePA/kTxjiBXJ4o="; }; + patches = [ + (fetchpatch { + name = "fix-test_rollback_too_many.patch"; + url = "https://github.com/certbot/certbot/commit/4c61a450d4a843c66baab6d5d9a42ce0554e99d7.patch"; + hash = "sha256-PSh2JXoEWNUrqxNh8X5QchyIP8KRHT60T/cLax6VRWo="; + }) + ]; + postPatch = "cd certbot"; # using sourceRoot would interfere with patches build-system = [ setuptools ]; From 2324c4b3e28a1b179e80c3afa8d1b7a97388dccb Mon Sep 17 00:00:00 2001 From: Gaetan Lepage Date: Tue, 20 Jan 2026 23:26:41 +0000 Subject: [PATCH 51/54] python3Packages.wandb: 0.21.4 -> 0.24.0 Diff: https://github.com/wandb/wandb/compare/v0.21.4...v0.24.0 Changelog: https://github.com/wandb/wandb/raw/v0.24.0/CHANGELOG.md (cherry picked from commit 4db10e8223ee3e26e1336c3029f33e9ef92c6a15) But we can't use finalAttrs, as buildPythonPackage apparently doesn't support it on 25.11 yet. We need to update to 0.25.0 to fix failing tests: https://hydra.nixos.org/build/323071433/nixlog/5/tail --- .../python-modules/wandb/default.nix | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/pkgs/development/python-modules/wandb/default.nix b/pkgs/development/python-modules/wandb/default.nix index 9e81d3601b941..03aacdde6cf9b 100644 --- a/pkgs/development/python-modules/wandb/default.nix +++ b/pkgs/development/python-modules/wandb/default.nix @@ -2,10 +2,12 @@ lib, stdenv, fetchFromGitHub, + pythonAtLeast, ## wandb-core - buildGo125Module, + buildGoModule, gitMinimal, + writableTmpDirAsHomeHook, versionCheckHook, ## gpu-stats @@ -20,11 +22,9 @@ # dependencies click, - docker-pycreds, gitpython, platformdirs, protobuf, - psutil, pydantic, pyyaml, requests, @@ -73,16 +73,15 @@ torch, torchvision, tqdm, - writableTmpDirAsHomeHook, }: let - version = "0.21.4"; + version = "0.24.0"; src = fetchFromGitHub { owner = "wandb"; repo = "wandb"; tag = "v${version}"; - hash = "sha256-1l68nU/rmYg/Npg1EVraGr2tu/lkNAo9M7Q0IyckEoc="; + hash = "sha256-dICa/sIFEHI59gJxrvWyI9Uc3rbwXi+Xh60O/hElZh0="; }; gpu-stats = rustPlatform.buildRustPackage { @@ -110,7 +109,7 @@ let }; }; - wandb-core = buildGo125Module rec { + wandb-core = buildGoModule rec { pname = "wandb-core"; inherit src version; @@ -128,6 +127,7 @@ let nativeBuildInputs = [ gitMinimal + writableTmpDirAsHomeHook ]; nativeInstallCheckInputs = [ @@ -196,11 +196,9 @@ buildPythonPackage rec { dependencies = [ click - docker-pycreds gitpython platformdirs protobuf - psutil pydantic pyyaml requests @@ -388,14 +386,17 @@ buildPythonPackage rec { # Breaks in sandbox: "Timed out waiting for wandb service to start" "test_setup_offline" + ] + ++ lib.optionals (pythonAtLeast "3.14") [ + # AttributeError: '...' object has no attribute '__annotations__' + "test_watch_graph_torch_jit" + "test_watch_parameters_torch_jit" ]; - pythonImportsCheck = [ "wandb" ]; - meta = { description = "CLI and library for interacting with the Weights and Biases API"; homepage = "https://github.com/wandb/wandb"; - changelog = "https://github.com/wandb/wandb/raw/v${version}/CHANGELOG.md"; + changelog = "https://github.com/wandb/wandb/raw/${version}/CHANGELOG.md"; license = lib.licenses.mit; maintainers = with lib.maintainers; [ samuela ]; broken = gpu-stats.meta.broken || wandb-core.meta.broken; From 0a4700725905f7c6a30b9e3a66da5e31d452da2f Mon Sep 17 00:00:00 2001 From: Gaetan Lepage Date: Thu, 26 Feb 2026 08:32:10 +0000 Subject: [PATCH 52/54] python3Packages.wandb: 0.24.0 -> 0.25.0 Diff: https://github.com/wandb/wandb/compare/v0.24.0...v0.25.0 Changelog: https://github.com/wandb/wandb/raw/0.25.0/CHANGELOG.md (cherry picked from commit f3db9f33f2e3d8252bd5d5c56e2b6f2a13537a53) --- pkgs/development/python-modules/wandb/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/development/python-modules/wandb/default.nix b/pkgs/development/python-modules/wandb/default.nix index 03aacdde6cf9b..85a52efa39eca 100644 --- a/pkgs/development/python-modules/wandb/default.nix +++ b/pkgs/development/python-modules/wandb/default.nix @@ -76,12 +76,12 @@ }: let - version = "0.24.0"; + version = "0.25.0"; src = fetchFromGitHub { owner = "wandb"; repo = "wandb"; tag = "v${version}"; - hash = "sha256-dICa/sIFEHI59gJxrvWyI9Uc3rbwXi+Xh60O/hElZh0="; + hash = "sha256-ouJHMPcWiHn2p0mFatmC28xUmjzxsoDW9WBX6FzjyDc="; }; gpu-stats = rustPlatform.buildRustPackage { @@ -91,7 +91,7 @@ let sourceRoot = "${src.name}/gpu_stats"; - cargoHash = "sha256-iZinowkbBc3nuE0uRS2zLN2y97eCMD1mp/MKVKdnXaE="; + cargoHash = "sha256-yzvXJYkQTNOScOI3yfVBH6IGZzcFduuXqW3pI5hEZGw="; checkFlags = [ # fails in sandbox From 56aea18098efa993e15edd2059ad9df7ec22ecb0 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sat, 21 Feb 2026 14:55:55 +0100 Subject: [PATCH 53/54] python3Packages.posthog: disable failing test (cherry picked from commit 8ad1a1b72ab6f2da3cd9a498bf497d25852820e0) https://hydra.nixos.org/build/322941365/nixlog/3/tail --- pkgs/development/python-modules/posthog/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/python-modules/posthog/default.nix b/pkgs/development/python-modules/posthog/default.nix index f2411acfa8455..5f8fa34e1c015 100644 --- a/pkgs/development/python-modules/posthog/default.nix +++ b/pkgs/development/python-modules/posthog/default.nix @@ -62,6 +62,8 @@ buildPythonPackage rec { "test_upload" # AssertionError: 2 != 3 "test_flush_interval" + # len(client.distinct_ids_feature_flags_reported) = 101 != i % 100 + 1 + "test_capture_multiple_users_doesnt_out_of_memory" ]; disabledTestPaths = [ From a40edd078f3615e218202ff3475e4857d738b513 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Fri, 20 Feb 2026 02:42:28 +0100 Subject: [PATCH 54/54] home-assistant: fix build It's a partial cherry-pick from commit 13aff78e56d0b2472d1d140d5a22a165f58094f8 https://hydra.nixos.org/build/322879205/nixlog/3/tail --- pkgs/servers/home-assistant/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/servers/home-assistant/default.nix b/pkgs/servers/home-assistant/default.nix index 5ef698f83c68c..eb0fd582d4baf 100644 --- a/pkgs/servers/home-assistant/default.nix +++ b/pkgs/servers/home-assistant/default.nix @@ -498,6 +498,10 @@ python.pkgs.buildPythonApplication rec { "tests/test_test_fixtures.py::test_evict_faked_translations" "tests/helpers/test_backup.py::test_async_get_manager" "tests/helpers/test_trigger.py::test_platform_multiple_triggers[sync_action]" + # various failing after python-updates + "tests/helpers/test_entity_platform.py::test_platform_warn_slow_setup" # ValueError: not enough values to unpack (expected 2, got 0) + "tests/helpers/test_entity_component.py::test_set_scan_interval_via_config" # assert 10 == 30.0 + "tests/helpers/test_entity_component.py::test_set_entity_namespace_via_config" # AssertionError: assert [] == ['test_domain...named_device'] ]; preCheck = ''