Skip to content

staging-next-25.11 iteration 6 - 2026-04-24#513189

Merged
vcunat merged 215 commits into
release-25.11from
staging-next-25.11
May 5, 2026
Merged

staging-next-25.11 iteration 6 - 2026-04-24#513189
vcunat merged 215 commits into
release-25.11from
staging-next-25.11

Conversation

LordGrimmauld and others added 30 commits March 24, 2026 08:59
(cherry picked from commit 5fafdd0)
Trigger re-installation of grub files when the store path of the grub
package changes.
This is consistent with how side-effects are executed in other parts of
NixOS, e.g. systemd service management, and ensures that the actually
running grub stays in sync with the grub package in the Nix store that
is part of the system closure.
In particular, this causes security patches or dependency changes to be
taken into effect without the need to bump the package version.

Impact:
This change causes a re-installation of grub for all systems,
due to the lack of a persisted grub store path in existing state files.

Background:
So far we only re-installed grub outside of the store when its its
version, the package name, or some flags changed.
This leads to the various security patches only fixing new installations
of grub and not existing ones. This has been like this for over a decade,
but it remains unclear why the implementation decision had been to
be overly cautious with modifying boot loader side effects.

Fixes #486315

PL-135147

(cherry picked from commit 41997d4)
This fixes a test failure that shows up for us with musl on x86_64,
but it's doing the wrong thing on all architectures and upstream
doesn't seem in a hurry to fix the test[1].  It's also not clear to me
that they have a robust way to even identify these widespread issues
to apply the workarounds, so let's err on the safe side and make the
compiler work in the way the codebase has been written to
expect.  (Upstream does not set this flag because they don't want to
rely on non-standard compiler options[2].)

Link: Mbed-TLS/TF-PSA-Crypto#585 [1]
Link: Mbed-TLS/mbedtls#9885 (comment) [2]
(cherry picked from commit c46c3a5)
@vcunat

vcunat commented May 2, 2026

Copy link
Copy Markdown
Member Author

@doronbehar

Copy link
Copy Markdown
Contributor

Would it be OK to version bump it to 7.2.0? As on master...

@vcunat

vcunat commented May 3, 2026

Copy link
Copy Markdown
Member Author

I had tried to pick this nix expression from nixpkgs master but it was still failing.

@doronbehar

Copy link
Copy Markdown
Contributor

Pushed a fix directly to staging-next-25.11 with 5 commits cherry picked as are from master. Tested the change on aarch64-{darwin,linux} and x86_64-linux.

vcunat and others added 10 commits May 4, 2026 15:15
They are annoying and racy with pproxy. We're running over 5k tests, this
is fine.

(cherry picked from commit b9c75a3)
I just hope that it will solve the aarch64-linux issues:
https://hydra.nixos.org/build/327737600#tabs-buildsteps
DynamoDB tests fail with aiobotocore 3.x due to HTTP header issue with
moto: 'Duplicate Server header found'. This is the same issue that
causes aiobotocore itself to disable its DynamoDB tests.

Fixes 7 test failures:
- test_dynamo_resource_query
- test_dynamo_resource_put
- test_dynamo_resource_batch_write_flush_on_exit_context
- test_dynamo_resource_batch_write_flush_amount
- test_flush_doesnt_reset_item_buffer
- test_dynamo_resource_property
- test_dynamo_resource_waiter

(cherry picked from commit bba77e6)
https://hydra.nixos.org/build/327728584/nixlog/2/tail
@vcunat vcunat merged commit 0c88e1f into release-25.11 May 5, 2026
24 of 26 checks passed
@vcunat

vcunat commented May 5, 2026

Copy link
Copy Markdown
Member Author

I think it's good enough now 🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one 4.workflow: staging A staging-next or staging-next-XX.YY branch 8.has: package (update) This PR updates a package to a newer version 9.needs: reviewer This PR currently has no reviewers requested and needs attention. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 10.rebuild-linux-stdenv This PR causes stdenv to rebuild on Linux and must target a staging branch. 10.rebuild-nixos-tests This PR causes rebuilds for all NixOS tests and should normally target the staging branches.

Projects

None yet

Development

Successfully merging this pull request may close these issues.