Skip to content

Make staging-next from cherry-picked last staging-next-26.05#534248

Merged
vcunat merged 86 commits into
NixOS:staging-nextfrom
vcunat:p/staging-next
Jun 23, 2026
Merged

Make staging-next from cherry-picked last staging-next-26.05#534248
vcunat merged 86 commits into
NixOS:staging-nextfrom
vcunat:p/staging-next

Conversation

@vcunat

@vcunat vcunat commented Jun 22, 2026

Copy link
Copy Markdown
Member

Why? We can get those security fixes pretty fast, as the whole estimated rebuild work seems to be only a fraction of the usual staging-next iteration thanks to 26.05 not diverging from master too much yet.

How? Basically cherry-picked all non-merge commits introduced during the last staging-next-26.05, with minor manual adjustments. (some were already applied, some didn't make sense to pick; basically all were cherry-picked from staging not long ago, so it wasn't lot of work)

Details:

  • rough upper bound for rebuilds was estimated by diff against current release-26.05 saying

    linux 19640, darwin 12070

  • the usual rebuild amount (taken from the last staging-next):

    linux 80727, darwin 65513

whispersofthedawn and others added 30 commits June 22, 2026 07:59
This reverts commit 37a9427.

(cherry picked from commit b2e8b0c)
(cherry picked from commit e682a0e)
Upstream diff: linux-audit/audit-userspace@cb13fe7...v4.1.4

Adds support for io_uring and syscalls of Linux 7.0 kernels.

(cherry picked from commit 2b8ed1f)
(cherry picked from commit 5aece02)
I also added expiration date comments on all of them, because I always
spend some time chasing what the support dates are, and it would save
maintainer time to be able to see what to do with these branches.

(cherry picked from commit feb7c9f)
(cherry picked from commit c6eddcf)
LibreSSL branches are supported for one year after the OpenBSD release
in which they are included. LibreSSL 4.1 was part of OpenBSD 7.7, which
was released on April 28, 2025, so it's end of life now.

(cherry picked from commit 0bfe3de)
(cherry picked from commit 8953025)
I've been keeping this package up to date over the past few years, since
I run a webserver that depends on it. I'd be happy to be co-maintainer
for it, and hopefully reduce the load on others.

(cherry picked from commit 1665623)
(cherry picked from commit 6fd22cc)
(cherry picked from commit c74cade)
(cherry picked from commit 6fbc1e2)
And also add an additional check to preCheck that will enable us to
catch executable stack issues earlier next time.

(cherry picked from commit 5198c49)
(cherry picked from commit 4248c5f)
(cherry picked from commit 52afc5f)
(cherry picked from commit 0b9b29e)
(cherry picked from commit 63147b1)
(cherry picked from commit ab31c6a)
(cherry picked from commit e9b7cf2)
(cherry picked from commit 2522258)
Signed-off-by: Sefa Eyeoglu <contact@scrumplex.net>
(cherry picked from commit 0c98395)
(cherry picked from commit 7195978)
(cherry picked from commit 1355d22)
(cherry picked from commit b928e51)
Datasette depends on asgi-csrf which was broken by updating
python-multipart past version 0.0.26.

(cherry picked from commit ba2df56)
(cherry picked from commit 4316ed9)
The condition was just to avoid rebuilds at that moment.

(cherry picked from commit ace8498)
(cherry picked from commit 2549800)
(cherry picked from commit 66adfb9)
(cherry picked from commit 7a4e664)
(cherry picked from commit 1b3320b)
(cherry picked from commit abe60ca)
(cherry picked from commit 4a8e839)
(cherry picked from commit e0c4423)
(cherry picked from commit 9088b3d)
(cherry picked from commit f5ae9c3)
invoke is not a required dependency of duplicity.
It does not appear in upstream's requirements.txt nor pyproject.toml:
- https://gitlab.com/duplicity/duplicity/-/blob/dev/requirements.txt
- https://gitlab.com/duplicity/duplicity/-/blob/dev/pyproject.toml

(cherry picked from commit b6254c4)
(cherry picked from commit 747ba2d)
This is already in stdenv.

(cherry picked from commit f6172a1)
(cherry picked from commit dd411ee)
leona-ya and others added 5 commits June 22, 2026 08:21
Not-cherry-picked-because: Guarded to darwin, will remove guard on staging/staging-26.05
(cherry picked from commit c10ba49)
https://hydra.nixos.org/build/331199232
(cherry picked from commit 3b6967c)
(cherry picked from commit ffc75d7)
(cherry picked from commit 28e20e7)
(cherry picked from commit 653b43f)
Bisected to 2522258.

(cherry picked from commit eb643cb)
.starlette upgrade in 83ece5c broke compatibility:
https://hydra.nixos.org/build/331250021/nixlog/6/tail

Upstream fixes that v0.13.0 and updating past 0.13.3 would need resolving
 - fastcore>=1.12.41 not satisfied by version 1.12.39
(which isn't great approach for stable 26.05 which motivates this commit)
https://github.com/AnswerDotAI/fasthtml/releases

(cherry picked from commit 6a56b38)
(from PR NixOS#533848 )
(cherry picked from commit 18a1ef9)
@nixpkgs-ci nixpkgs-ci Bot added 8.has: package (new) This PR adds a new package 8.has: package (update) This PR updates a package to a newer version 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-linux-stdenv This PR causes stdenv to rebuild on Linux and must target a staging branch. 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 9.needs: reviewer This PR currently has no reviewers requested and needs attention. 10.rebuild-nixos-tests This PR causes rebuilds for all NixOS tests and should normally target the staging branches. 6.topic: python Python is a high-level, general-purpose programming language. 6.topic: qt/kde Object-oriented framework for GUI creation 6.topic: rust General-purpose programming language emphasizing performance, type safety, and concurrency. 6.topic: golang Go is a high-level general purpose programming language that is statically typed and compiled. 6.topic: nodejs Node.js is a free, open-source, cross-platform JavaScript runtime environment 6.topic: systemd Software suite that provides an array of system components for Linux operating systems. labels Jun 22, 2026
@vcunat vcunat added this pull request to the merge queue Jun 23, 2026
Merged via the queue into NixOS:staging-next with commit ad1fe3e Jun 23, 2026
42 checks passed
@vcunat vcunat deleted the p/staging-next branch June 23, 2026 12:20
@marcin-serwin

Copy link
Copy Markdown
Contributor

Was including dcc6f5d (from #525241) here intentional?

This means that icu is pinned for nodejs on master, cc @aduh95.

@vcunat

vcunat commented Jun 26, 2026

Copy link
Copy Markdown
Member Author
  • It was useful to reduce the amount of rebuilds.
  • All this gets undone in the following staging-next iteration, i.e. staging state was unchanged by this.
  • I guess it would be best to finish PR icu: advance the default to icu78 #520553 soon, so that the icu in nodejs doesn't flap back and forth. (and having it newer on stable than on unstable over longer term would weird in itself)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

6.topic: golang Go is a high-level general purpose programming language that is statically typed and compiled. 6.topic: nodejs Node.js is a free, open-source, cross-platform JavaScript runtime environment 6.topic: python Python is a high-level, general-purpose programming language. 6.topic: qt/kde Object-oriented framework for GUI creation 6.topic: rust General-purpose programming language emphasizing performance, type safety, and concurrency. 6.topic: systemd Software suite that provides an array of system components for Linux operating systems. 8.has: package (new) This PR adds a new package 8.has: package (update) This PR updates a package to a newer version 9.needs: reviewer This PR currently has no reviewers requested and needs attention. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 5001+ This PR causes many rebuilds on Darwin and must target the staging branches. 10.rebuild-darwin-stdenv This PR causes stdenv to rebuild on Darwin and must target a staging branch. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 10.rebuild-linux-stdenv This PR causes stdenv to rebuild on Linux and must target a staging branch. 10.rebuild-nixos-tests This PR causes rebuilds for all NixOS tests and should normally target the staging branches.

Projects

None yet

Development

Successfully merging this pull request may close these issues.