diff --git a/doc/release-notes/rl-2611.section.md b/doc/release-notes/rl-2611.section.md index 35e3d09228f8e..6989db9f75e31 100644 --- a/doc/release-notes/rl-2611.section.md +++ b/doc/release-notes/rl-2611.section.md @@ -100,3 +100,4 @@ ### Additions and Improvements {#sec-nixpkgs-release-26.11-lib-additions-improvements} - Create the first release note entry in this section! + diff --git a/nixos/doc/manual/release-notes/rl-2611.section.md b/nixos/doc/manual/release-notes/rl-2611.section.md index 4f3ce80f917aa..9404ebbdf846a 100644 --- a/nixos/doc/manual/release-notes/rl-2611.section.md +++ b/nixos/doc/manual/release-notes/rl-2611.section.md @@ -68,6 +68,8 @@ - `security.polkit.settings` added for RFC42 style configuration of the polkitd daemon. +- The `programs.fuse` module, which provides the `fusermount3` executable and the `/etc/fuse.conf` config file, is now opt-in. The obligation to enable it has been shifted to its various consumers (e.g. gvfs, flatpak, appimage, sshfs). This can break fuse consumers at runtime, that don't explicitly declare that dependency with a module, e.g the mounting functionality in various backup tools (borg, restic, rclone, ...). + - `services.plausible` can now again seed an initial admin user declaratively via [`services.plausible.adminUser.email`](#opt-services.plausible.adminUser.email). This makes fully declarative deployments safer: Otherwise the user needed to either accept Plausible's unauthenticated "first launch" setup wizard, which lets anyone reaching the instance create the first admin account, or do more work (deploying with NixOS's default binding to `localhost` without exposing it publicly, going through the wizard, and then deploying Plausible exposed to the Internet). This option was previously removed with NixOS 25.05 due to an upstream Plausible change making declarative admin creation more difficult, but this change re-implements the admin creation directly. diff --git a/nixos/lib/test-driver/src/test_driver/machine/__init__.py b/nixos/lib/test-driver/src/test_driver/machine/__init__.py index db96445af912b..00876b0e7d1b2 100644 --- a/nixos/lib/test-driver/src/test_driver/machine/__init__.py +++ b/nixos/lib/test-driver/src/test_driver/machine/__init__.py @@ -1044,12 +1044,16 @@ def shell_ready(timeout_secs: int) -> bool: assert self.shell tic = time.time() - # TODO: do we want to bail after a set number of attempts? - while not shell_ready(timeout_secs=30): + + for _ in range(10): + if shell_ready(timeout_secs=30): + break self.log("Guest root shell did not produce any data yet...") self.log( " To debug, enter the VM and run 'systemctl status backdoor.service'." ) + else: + raise RuntimeError("Shell did not start in time") while True: chunk = self.shell.recv(1024) @@ -1587,7 +1591,7 @@ def _execute( # NOTE If the test calls switch-to-configuration (with a differently configured specialization) # this will use the /etc/profile of the new specialisation while `QemuMachine` nodes # will continue to use the original /etc/profile. - command = f"set -eo pipefail; source /etc/profile; set -u; {command}" + command = f"set -eo pipefail; USER=root HOME=/root source /etc/profile; set -u; {command}" cp = subprocess.run( [ diff --git a/nixos/lib/testing/network.nix b/nixos/lib/testing/network.nix index 570b854d8e28a..86d65faf21ad7 100644 --- a/nixos/lib/testing/network.nix +++ b/nixos/lib/testing/network.nix @@ -135,8 +135,13 @@ let ); udevRules = map ( interface: - # MAC Addresses for QEMU network devices are lowercase, and udev string comparison is case-sensitive. - ''SUBSYSTEM=="net",ACTION=="add",ATTR{address}=="${toLower (qemu-common.qemuNicMac interface.vlan config.virtualisation.test.nodeNumber)}",NAME="${interface.name}"'' + lib.concatStringsSep ", " [ + ''SUBSYSTEM=="net"'' + ''ACTION=="add"'' + # MAC Addresses for QEMU network devices are lowercase, and udev string comparison is case-sensitive. + ''ATTR{address}=="${toLower (qemu-common.qemuNicMac interface.vlan config.virtualisation.test.nodeNumber)}"'' + ''NAME="${interface.name}"'' + ] ) interfaces; in { diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix index df4165fbbec53..05f99aff70f41 100644 --- a/nixos/modules/config/sysctl.nix +++ b/nixos/modules/config/sysctl.nix @@ -74,7 +74,9 @@ in } ( '' + set +e mmap_rnd_bits_max=$(grep "^CONFIG_ARCH_MMAP_RND_BITS_MAX=" $configfile | grep --only-matching "[0-9]*$") + set -e if [[ -z "$mmap_rnd_bits_max" ]]; then echo "Unable to determine mmap_rnd_bits_max. Check your kernel configfile is valid." exit 1 @@ -83,7 +85,9 @@ in '' # HAVE_ARCH_MMAP_RND_COMPAT_BITS is not defined on 32-bit architectures or LoongArch64 + lib.optionalString (with pkgs.stdenv.hostPlatform; (!is32bit && !isLoongArch64)) '' + set +e mmap_rnd_compat_bits_max=$(grep "^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=" $configfile | grep --only-matching "[0-9]*$") + set -e if [[ -z "$mmap_rnd_compat_bits_max" ]]; then echo "Unable to determine mmap_rnd_compat_bits_max. Check your kernel configfile is valid." exit 1 diff --git a/nixos/modules/profiles/bashless.nix b/nixos/modules/profiles/bashless.nix index 501563b97b3d2..20f2f7256f073 100644 --- a/nixos/modules/profiles/bashless.nix +++ b/nixos/modules/profiles/bashless.nix @@ -15,8 +15,6 @@ environment.corePackages = lib.mkForce [ ]; # Contains bash completions nix.enable = lib.mkDefault false; - # The fuse{,3} package contains a runtime dependency on bash. - programs.fuse.enable = lib.mkDefault false; documentation.man.man-db.enable = lib.mkDefault false; # autovt depends on bash console.enable = lib.mkDefault false; diff --git a/nixos/modules/programs/appimage.nix b/nixos/modules/programs/appimage.nix index c0379557c97ab..4662a6c3d8cc7 100644 --- a/nixos/modules/programs/appimage.nix +++ b/nixos/modules/programs/appimage.nix @@ -43,6 +43,8 @@ in } ); environment.systemPackages = [ cfg.package ]; + + programs.fuse.enable = true; }; meta.maintainers = with lib.maintainers; [ diff --git a/nixos/modules/programs/fuse.nix b/nixos/modules/programs/fuse.nix index e7e317d7ef9b4..07026cbd33dbe 100644 --- a/nixos/modules/programs/fuse.nix +++ b/nixos/modules/programs/fuse.nix @@ -12,9 +12,7 @@ in meta.maintainers = [ ]; options.programs.fuse = { - enable = lib.mkEnableOption "fuse" // { - default = true; - }; + enable = lib.mkEnableOption "fuse"; mountMax = lib.mkOption { # In the C code it's an "int" (i.e. signed and at least 16 bit), but diff --git a/nixos/modules/services/desktop-managers/plasma6.nix b/nixos/modules/services/desktop-managers/plasma6.nix index 0813b1b6b84c7..f6106d3e83fe5 100644 --- a/nixos/modules/services/desktop-managers/plasma6.nix +++ b/nixos/modules/services/desktop-managers/plasma6.nix @@ -274,6 +274,7 @@ in services.power-profiles-daemon.enable = mkDefault true; services.system-config-printer.enable = mkIf config.services.printing.enable (mkDefault true); + programs.fuse.enable = true; services.udisks2.enable = true; services.upower.enable = config.powerManagement.enable; services.libinput.enable = mkDefault true; diff --git a/nixos/modules/services/desktops/flatpak.nix b/nixos/modules/services/desktops/flatpak.nix index 5756738c9fdad..e874cbac7a4f9 100644 --- a/nixos/modules/services/desktops/flatpak.nix +++ b/nixos/modules/services/desktops/flatpak.nix @@ -40,6 +40,8 @@ in pkgs.fuse3 ]; + programs.fuse.enable = true; + security.polkit.enable = true; fonts.fontDir.enable = true; diff --git a/nixos/modules/services/desktops/gvfs.nix b/nixos/modules/services/desktops/gvfs.nix index 0048103277989..cebfb08202295 100644 --- a/nixos/modules/services/desktops/gvfs.nix +++ b/nixos/modules/services/desktops/gvfs.nix @@ -40,6 +40,8 @@ in environment.systemPackages = [ cfg.package ]; + programs.fuse.enable = true; + services.dbus.packages = [ cfg.package ]; systemd.packages = [ cfg.package ]; diff --git a/nixos/modules/services/monitoring/prometheus/exporters/bind.nix b/nixos/modules/services/monitoring/prometheus/exporters/bind.nix index 3390374172c4a..935ebff7e5bdf 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/bind.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/bind.nix @@ -17,7 +17,7 @@ in type = types.str; default = "http://localhost:8053/"; description = '' - HTTP XML API address of an Bind server. + HTTP API address of a BIND server. ''; }; bindTimeout = mkOption { @@ -29,13 +29,14 @@ in }; bindVersion = mkOption { type = types.enum [ - "xml.v2" + "json" + "xml" "xml.v3" "auto" ]; - default = "auto"; + default = "json"; description = '' - BIND statistics version. Can be detected automatically. + BIND statistics version. Defaults to JSON. ''; }; bindGroups = mkOption { diff --git a/nixos/modules/services/network-filesystems/kubo.nix b/nixos/modules/services/network-filesystems/kubo.nix index 3c75423f3ffa2..4e676b80a1aa5 100644 --- a/nixos/modules/services/network-filesystems/kubo.nix +++ b/nixos/modules/services/network-filesystems/kubo.nix @@ -332,8 +332,9 @@ in boot.kernel.sysctl."net.core.rmem_max" = lib.mkDefault 7500000; boot.kernel.sysctl."net.core.wmem_max" = lib.mkDefault 7500000; - programs.fuse = lib.mkIf (cfg.autoMount && cfg.settings.Mounts.FuseAllowOther) { - userAllowOther = true; + programs.fuse = { + enable = lib.mkIf cfg.autoMount true; + userAllowOther = lib.mkIf cfg.settings.Mounts.fuseAllowOther true; }; users.users = lib.mkIf (cfg.user == "ipfs") { diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix index f242cb8c6a5bd..311bf9cc9aa1e 100644 --- a/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixos/modules/system/boot/systemd/initrd.nix @@ -124,6 +124,16 @@ let jobScripts = concatLists ( mapAttrsToList (_: unit: unit.jobScripts or [ ]) (filterAttrs (_: v: v.enable) cfg.services) ); + unitEnv = pkgs.buildEnv { + name = "initrd-unit-env"; + paths = concatLists ( + mapAttrsToList (_: unit: unit.path or [ ]) (filterAttrs (_: v: v.enable) cfg.services) + ); + pathsToLink = [ + "/bin" + "/sbin" + ]; + }; stage1Units = generateUnits { type = "initrd"; @@ -636,6 +646,7 @@ in "${pkgs.bashNonInteractive}/bin" ] ++ jobScripts + ++ [ unitEnv ] ++ map (c: removeAttrs c [ "text" ]) (builtins.attrValues cfg.contents) ++ lib.optional (pkgs.stdenv.hostPlatform.libc == "glibc") "${pkgs.glibc}/lib/libnss_files.so.2"; @@ -763,6 +774,7 @@ in ]; }; serviceConfig.Type = "oneshot"; + serviceConfig.EnvironmentFile = "-/etc/switch-root.conf"; description = "NixOS Activation"; script = # bash @@ -770,6 +782,14 @@ in set -uo pipefail export PATH="/bin:${cfg.package.util-linux}/bin" + # A non-NixOS closure (e.g. init=/bin/sh) has no prepare-root; + # initrd-find-nixos-closure records this as a non-empty NEW_INIT. + # Skip activation and let initrd-switch-root hand over to it directly. + if [ -n "''${NEW_INIT:-}" ]; then + echo "$NEW_INIT is not a NixOS system - not activating" + exit 0 + fi + closure="$(realpath /nixos-closure)" # Initialize the system diff --git a/nixos/modules/system/etc/etc-activation.nix b/nixos/modules/system/etc/etc-activation.nix index b00c25e378024..31842fc9c0c62 100644 --- a/nixos/modules/system/etc/etc-activation.nix +++ b/nixos/modules/system/etc/etc-activation.nix @@ -71,6 +71,10 @@ RequiresMountsFor = [ "/sysroot/nix/store" ]; + # find-etc only creates this symlink for a NixOS init. For a + # non-NixOS init= (e.g. init=/bin/sh) it is absent, so skip the + # mount instead of failing the whole initrd. + ConditionPathExists = "/etc-metadata-image"; }; requires = [ config.boot.initrd.systemd.services.initrd-find-etc.name @@ -123,6 +127,8 @@ "/run/nixos-etc-metadata" ]; DefaultDependencies = false; + # Skip for a non-NixOS init=, see the metadata mount above. + ConditionPathExists = "/etc-basedir"; }; } ]; @@ -140,6 +146,8 @@ # before the overlay is mounted. "/run/nixos-etc-metadata" ]; + # Skip for a non-NixOS init=, see the metadata mount above. + ConditionPathExists = "/etc-metadata-image"; }; serviceConfig = { Type = "oneshot"; diff --git a/nixos/modules/tasks/filesystems/sshfs.nix b/nixos/modules/tasks/filesystems/sshfs.nix index f070779ecc54c..917ceea7b691a 100644 --- a/nixos/modules/tasks/filesystems/sshfs.nix +++ b/nixos/modules/tasks/filesystems/sshfs.nix @@ -10,6 +10,8 @@ lib.mkIf (config.boot.supportedFilesystems.sshfs or config.boot.supportedFilesystems."fuse.sshfs" or false) { + programs.fuse.enable = true; + system.fsPackages = [ pkgs.sshfs ]; }; } diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 09b0a4632d28c..d6175df3d9209 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -1646,6 +1646,7 @@ in "i686-linux" ] ./initrd-network-openvpn { systemdStage1 = true; }; systemd-initrd-networkd-ssh = runTest ./systemd-initrd-networkd-ssh.nix; + systemd-initrd-non-nixos = runTest ./systemd-initrd-non-nixos.nix; systemd-initrd-shutdown = runTest { imports = [ ./systemd-shutdown.nix ]; _module.args.systemdStage1 = true; diff --git a/nixos/tests/gocryptfs.nix b/nixos/tests/gocryptfs.nix index d0e5df5e40b5e..763e1c1407fa5 100644 --- a/nixos/tests/gocryptfs.nix +++ b/nixos/tests/gocryptfs.nix @@ -13,6 +13,8 @@ pkgs.openssl ]; + programs.fuse.enable = true; + specialisation.fstab-test.configuration = { # This can't be fileSytems, as the qemu machinery doesn't honor it. virtualisation.fileSystems."/plain" = { diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index b1033987565a5..990dc02a5ab8e 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix @@ -111,7 +111,7 @@ let wait_for_unit("prometheus-bind-exporter.service") wait_for_open_port(9119) succeed( - "curl -sSf http://localhost:9119/metrics | grep 'bind_query_recursions_total 0'" + "curl -sSf http://localhost:9119/metrics | grep 'bind_up 1'" ) ''; }; diff --git a/nixos/tests/simple-container.nix b/nixos/tests/simple-container.nix index 2698534236518..5cd3478f3d406 100644 --- a/nixos/tests/simple-container.nix +++ b/nixos/tests/simple-container.nix @@ -1,11 +1,16 @@ { name = "simple-container"; - containers.machine = { }; + containers = { + machine = { pkgs, ... }: { + users.users.root.packages = [ pkgs.hello ]; + }; + noprofile = { }; + }; testScript = '' start_all() - machine.wait_for_unit("multi-user.target") - machine.shutdown() + machine.succeed("hello") + noprofile.fail("hello") ''; } diff --git a/nixos/tests/switch-test.nix b/nixos/tests/switch-test.nix index 2dbc9386f8aea..b81d84086f2e2 100644 --- a/nixos/tests/switch-test.nix +++ b/nixos/tests/switch-test.nix @@ -43,6 +43,19 @@ let server.serve_forever() ''; + # Per-connection (Accept=yes) socket-activated service that requires the + # connection socket to be passed via socket activation and fails when started + # without one. It greets the client and stays alive for as long as the + # connection is held open. + acceptSocketTest = pkgs.writeShellScript "accept-socket-test.sh" '' + if [ "''${LISTEN_FDS:-0}" -lt 1 ]; then + echo "Expected exactly one socket, got 0" >&2 + exit 4 + fi + printf hello >&3 + exec ${lib.getExe' pkgs.coreutils "cat"} <&3 >/dev/null + ''; + in { name = "switch-test"; @@ -508,6 +521,32 @@ in }; }; + accept-socket.configuration = { + systemd.sockets.accept-socket = { + wantedBy = [ "sockets.target" ]; + listenStreams = [ "/run/accept-test.sock" ]; + socketConfig = { + Accept = "yes"; + SocketMode = "0777"; + }; + }; + systemd.services."accept-socket@" = { + description = "A per-connection socket-activated service"; + serviceConfig.ExecStart = acceptSocketTest; + }; + }; + + accept-socket-service-modified.configuration = { + imports = [ accept-socket.configuration ]; + systemd.services."accept-socket@".serviceConfig.X-Test = "test"; + }; + + socket-activated-without-socket.configuration = { + imports = [ simple-socket.configuration ]; + systemd.sockets.socket-activated.enable = false; + systemd.services.socket-activated.wantedBy = [ "multi-user.target" ]; + }; + mount.configuration = { systemd.mounts = [ { @@ -1587,6 +1626,49 @@ in if machine.succeed("socat - UNIX-CONNECT:/run/test.sock") != "hello": raise Exception("Socket was not properly activated after the service was restarted") + # A service transitioning to socket activation is not started directly, + # it's left for the newly started socket to activate on demand + switch_to_specialisation("${machine}", "socket-activated-without-socket") + machine.succeed("systemctl is-active socket-activated.service") + out = switch_to_specialisation("${machine}", "simple-socket-stop-if-changed") + assert_contains(out, "stopping the following units: socket-activated.service\n") + assert_lacks(out, "\nstarting the following units:") + assert_contains(out, "the following new units were started: socket-activated.socket\n") + machine.succeed("[ -S /run/test.sock ]") + if machine.succeed("socat - UNIX-CONNECT:/run/test.sock") != "hello": + raise Exception("Socket was not properly activated after the transition") + + with subtest("socket-activated services with Accept=yes"): + # Socket-activated services don't get started, just the socket + machine.fail("[ -S /run/accept-test.sock ]") + out = switch_to_specialisation("${machine}", "accept-socket") + assert_contains(out, "the following new units were started: accept-socket.socket\n") + machine.succeed("[ -S /run/accept-test.sock ]") + + # Hold a connection open so a per-connection instance keeps running + machine.succeed("socat EXEC:'sleep infinity' UNIX-CONNECT:/run/accept-test.sock >&2 &") + instance = machine.wait_until_succeeds( + "systemctl list-units --no-legend --state=running 'accept-socket@*.service' " + + "| grep -m1 -o 'accept-socket@[^ ]*\\.service'" + ).strip() + + # Changing the templated service must stop the running instance and + # restart the socket instead of (re)starting the per-connection + # instance, which cannot be started without a connection socket + out = switch_to_specialisation("${machine}", "accept-socket-service-modified") + assert_contains(out, "stopping the following units:") + assert_contains(out, instance) + assert_contains(out, "accept-socket.socket") + assert_contains(out, "\nstarting the following units: accept-socket.socket\n") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "\nrestarting the following units:") + # The per-connection instance must not be (re)started + starting = out[out.index("\nstarting the following units:") :] + assert instance not in starting, f"instance {instance} should not be (re)started" + # Socket-activation of the unit still works + if machine.succeed("socat - UNIX-CONNECT:/run/accept-test.sock /dev/console + exec ${pkgs.coreutils}/bin/sleep infinity + ''; + + common = { + boot.initrd.systemd.enable = true; + + virtualisation = { + # tmpfs root, like real non-NixOS closure init= microvm consumers. + diskImage = null; + + graphics = false; + }; + + # Speed up wait_for_console. + boot.consoleLogLevel = lib.mkForce 3; + boot.initrd.systemd.managerEnvironment.SYSTEMD_LOG_LEVEL = "warning"; + + # switch-root needs an os-release on the target root. A real system has one + # on disk; our fresh tmpfs does not, so create it. + boot.initrd.systemd.tmpfiles.settings."10-os-release"."/sysroot/etc/os-release".f = { + mode = "0644"; + argument = "ID=test-non-nixos"; + }; + }; +in +{ + name = "systemd-initrd-non-nixos"; + + nodes = { + bashActivation = common; + + nixosInit = { + imports = [ common ]; + system.nixos-init.enable = true; + system.etc.overlay.enable = true; + services.userborn.enable = true; + }; + }; + + testScript = '' + import os + + # The last init= on the cmdline wins; QEMU_KERNEL_PARAMS is appended after + # the default one, so this boots our non-NixOS init. + os.environ["QEMU_KERNEL_PARAMS"] = "init=${lib.getExe nonNixosInit}" + + start_all() + + # If a code path does not skip the non-NixOS init, switch-root is blocked and + # the machine drops to emergency mode: the marker never appears and the wait + # times out. + with subtest("bash initrd-nixos-activation skips a non-NixOS init"): + bashActivation.wait_for_console_text("${marker}", timeout=300) + + with subtest("nixos-init switches to a non-NixOS init directly"): + nixosInit.wait_for_console_text("${marker}", timeout=300) + ''; +} diff --git a/pkgs/build-support/rust/fetch-cargo-vendor-util-v2.py b/pkgs/build-support/rust/fetch-cargo-vendor-util-v2.py deleted file mode 100644 index 5dc789c93ad95..0000000000000 --- a/pkgs/build-support/rust/fetch-cargo-vendor-util-v2.py +++ /dev/null @@ -1,416 +0,0 @@ -import functools -import hashlib -import json -import multiprocessing as mp -import re -import shutil -import subprocess -import sys -import tomllib -from os.path import islink, realpath -from pathlib import Path -from typing import Any, TypedDict, cast -from urllib.parse import unquote - -import requests -import tomli_w -from requests.adapters import HTTPAdapter, Retry - -eprint = functools.partial(print, file=sys.stderr) - - -def load_toml(path: Path) -> dict[str, Any]: - with open(path, "rb") as f: - return tomllib.load(f) - - -def get_lockfile_version(cargo_lock_toml: dict[str, Any]) -> int: - # lockfile v1 and v2 don't have the `version` key, so assume v2 - version = cargo_lock_toml.get("version", 2) - - # TODO: add logic for differentiating between v1 and v2 - - return version - - -def create_http_session() -> requests.Session: - retries = Retry( - total=5, - backoff_factor=0.5, - status_forcelist=[500, 502, 503, 504] - ) - session = requests.Session() - session.headers["User-Agent"] = "nixpkgs-fetchCargoVendor/2 (https://github.com/NixOS/nixpkgs)" - session.mount('http://', HTTPAdapter(max_retries=retries)) - session.mount('https://', HTTPAdapter(max_retries=retries)) - return session - - -def download_file_with_checksum(session: requests.Session, url: str, destination_path: Path) -> str: - sha256_hash = hashlib.sha256() - with session.get(url, stream=True) as response: - if not response.ok: - raise Exception(f"Failed to fetch file from {url}. Status code: {response.status_code}") - with open(destination_path, "wb") as file: - for chunk in response.iter_content(1024): # Download in chunks - if chunk: # Filter out keep-alive chunks - file.write(chunk) - sha256_hash.update(chunk) - - # Compute the final checksum - checksum = sha256_hash.hexdigest() - return checksum - - -def get_download_url_for_tarball(pkg: dict[str, Any]) -> str: - # TODO: support other registries - # maybe fetch config.json from the registry root and get the dl key - # See: https://doc.rust-lang.org/cargo/reference/registry-index.html#index-configuration - if pkg["source"] != "registry+https://github.com/rust-lang/crates.io-index": - raise Exception("Only the default crates.io registry is supported.") - - # Use static.crates.io (CDN) instead of crates.io/api to avoid the 1 req/sec - # rate limit on the API servers. - return f"https://static.crates.io/crates/{pkg["name"]}/{pkg["version"]}/download" - - -def download_tarball(session: requests.Session, pkg: dict[str, Any], out_dir: Path) -> None: - - url = get_download_url_for_tarball(pkg) - filename = f"{pkg["name"]}-{pkg["version"]}.tar.gz" - - # TODO: allow legacy checksum specification, see importCargoLock for example - # also, don't forget about the other usage of the checksum - expected_checksum = pkg["checksum"] - - tarball_out_dir = out_dir / "tarballs" / filename - eprint(f"Fetching {url} -> tarballs/{filename}") - - calculated_checksum = download_file_with_checksum(session, url, tarball_out_dir) - - if calculated_checksum != expected_checksum: - raise Exception(f"Hash mismatch! File fetched from {url} had checksum {calculated_checksum}, expected {expected_checksum}.") - - -def download_git_tree(url: str, git_sha_rev: str, out_dir: Path) -> None: - - tree_out_dir = out_dir / "git" / git_sha_rev - eprint(f"Fetching {url}#{git_sha_rev} -> git/{git_sha_rev}") - - cmd = ["nix-prefetch-git", "--builder", "--quiet", "--fetch-submodules", "--url", url, "--rev", git_sha_rev, "--out", str(tree_out_dir)] - subprocess.check_output(cmd) - - -GIT_SOURCE_REGEX = re.compile("git\\+(?P[^?]+)(\\?(?Prev|tag|branch)=(?P.*))?#(?P.*)") - - -class GitSourceInfo(TypedDict): - url: str - type: str | None - value: str | None - git_sha_rev: str - - -def parse_git_source(source: str, lockfile_version: int) -> GitSourceInfo: - match = GIT_SOURCE_REGEX.match(source) - if match is None: - raise Exception(f"Unable to process git source: {source}.") - - source_info = cast(GitSourceInfo, match.groupdict(default=None)) - - # the source URL is URL-encoded in lockfile_version >=4 - # since we just used regex to parse it we have to manually decode the escaped branch/tag name - if lockfile_version >= 4 and source_info["value"] is not None: - source_info["value"] = unquote(source_info["value"]) - - return source_info - - -def create_vendor_staging(lockfile_path: Path, out_dir: Path) -> None: - cargo_lock_toml = load_toml(lockfile_path) - lockfile_version = get_lockfile_version(cargo_lock_toml) - - git_packages: list[dict[str, Any]] = [] - registry_packages: list[dict[str, Any]] = [] - - for pkg in cargo_lock_toml["package"]: - # ignore local dependenices - if "source" not in pkg.keys(): - eprint(f"Skipping local dependency: {pkg["name"]}") - continue - source = pkg["source"] - - if source.startswith("git+"): - git_packages.append(pkg) - elif source.startswith("registry+"): - registry_packages.append(pkg) - else: - raise Exception(f"Can't process source: {source}.") - - git_sha_rev_to_url: dict[str, str] = {} - for pkg in git_packages: - source_info = parse_git_source(pkg["source"], lockfile_version) - git_sha_rev_to_url[source_info["git_sha_rev"]] = source_info["url"] - - out_dir.mkdir(exist_ok=True) - shutil.copy(lockfile_path, out_dir / "Cargo.lock") - - # fetch git trees sequentially, since fetching concurrently leads to flaky behaviour - if len(git_packages) != 0: - (out_dir / "git").mkdir() - for git_sha_rev, url in git_sha_rev_to_url.items(): - download_git_tree(url, git_sha_rev, out_dir) - - # run tarball download jobs in parallel, with at most 5 concurrent download jobs - with mp.Pool(min(5, mp.cpu_count())) as pool: - if len(registry_packages) != 0: - (out_dir / "tarballs").mkdir() - session = create_http_session() - tarball_args_gen = ((session, pkg, out_dir) for pkg in registry_packages) - pool.starmap(download_tarball, tarball_args_gen) - - -def get_manifest_metadata(manifest_path: Path) -> dict[str, Any]: - cmd = ["cargo", "metadata", "--format-version", "1", "--no-deps", "--manifest-path", str(manifest_path)] - output = subprocess.check_output(cmd) - return json.loads(output) - - -def try_get_crate_manifest_path_from_manifest_path(manifest_path: Path, crate_name: str) -> Path | None: - try: - metadata = get_manifest_metadata(manifest_path) - except subprocess.CalledProcessError: - eprint(f"Warning: cargo metadata failed for {manifest_path}, skipping") - return None - - for pkg in metadata["packages"]: - if pkg["name"] == crate_name: - return Path(pkg["manifest_path"]) - - return None - - -def find_crate_manifest_in_tree(tree: Path, crate_name: str) -> Path: - # Scan all Cargo.toml files; sort by depth/path to make ordering deterministic - # and prefer less-nested manifests first. - manifest_paths = sorted( - tree.glob("**/Cargo.toml"), - key=lambda path: (len(path.parts), str(path)), - ) - - for manifest_path in manifest_paths: - res = try_get_crate_manifest_path_from_manifest_path(manifest_path, crate_name) - if res is not None: - return res - - raise Exception(f"Couldn't find manifest for crate {crate_name} inside {tree}.") - - -def copy_and_patch_git_crate_subtree(git_tree: Path, crate_name: str, crate_out_dir: Path) -> None: - - # This function will get called by copytree to decide which entries of a directory should be copied - # We'll copy everything except symlinks that are invalid - def ignore_func(dir_str: str, path_strs: list[str]) -> list[str]: - ignorelist: list[str] = [] - - dir = Path(realpath(dir_str, strict=True)) - - for path_str in path_strs: - path = dir / path_str - if not islink(path): - continue - - # Filter out cyclic symlinks and symlinks pointing at nonexistant files - try: - target_path = Path(realpath(path, strict=True)) - except OSError: - ignorelist.append(path_str) - eprint(f"Failed to resolve symlink, ignoring: {path}") - continue - - # Filter out symlinks that point outside of the current crate's base git tree - # This can be useful if the nix build sandbox is turned off and there is a symlink to a common absolute path - if not target_path.is_relative_to(git_tree): - ignorelist.append(path_str) - eprint(f"Symlink points outside of the crate's base git tree, ignoring: {path} -> {target_path}") - continue - - return ignorelist - - crate_manifest_path = find_crate_manifest_in_tree(git_tree, crate_name) - crate_tree = crate_manifest_path.parent - - eprint(f"Copying to {crate_out_dir}") - shutil.copytree(crate_tree, crate_out_dir, ignore=ignore_func) - crate_out_dir.chmod(0o755) - - with open(crate_manifest_path, "r") as f: - manifest_data = f.read() - - if "workspace" in manifest_data: - crate_manifest_metadata = get_manifest_metadata(crate_manifest_path) - workspace_root = Path(crate_manifest_metadata["workspace_root"]) - - root_manifest_path = workspace_root / "Cargo.toml" - manifest_path = crate_out_dir / "Cargo.toml" - - manifest_path.chmod(0o644) - eprint(f"Patching {manifest_path}") - - cmd = ["replace-workspace-values", str(manifest_path), str(root_manifest_path)] - subprocess.check_output(cmd) - - -def extract_crate_tarball_contents(tarball_path: Path, crate_out_dir: Path) -> None: - eprint(f"Unpacking to {crate_out_dir}") - crate_out_dir.mkdir() - cmd = ["tar", "xf", str(tarball_path), "-C", str(crate_out_dir), "--strip-components=1"] - subprocess.check_output(cmd) - - -def make_git_source_selector(source_info: GitSourceInfo) -> dict[str, str]: - selector = {} - selector["git"] = source_info["url"] - if source_info["type"] is not None: - selector[source_info["type"]] = source_info["value"] - return selector - - -def make_registry_source_selector(source: str) -> dict[str, str]: - registry = source[9:] if source.startswith("registry+") else source - selector = {} - selector["registry"] = registry - return selector - - -def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None: - lockfile_path = vendor_staging_dir / "Cargo.lock" - out_dir.mkdir(exist_ok=True) - shutil.copy(lockfile_path, out_dir / "Cargo.lock") - - cargo_lock_toml = load_toml(lockfile_path) - lockfile_version = get_lockfile_version(cargo_lock_toml) - - source_to_ind: dict[str, str] = {} - source_config = {} - next_registry_ind = 0 - next_git_ind = 0 - - def add_source_replacement( - orig_key: str, - orig_selector: dict[str, str], - vendored_key: str, - vendored_dir: str - ) -> None: - source_config[vendored_key] = {} - source_config[vendored_key]["directory"] = vendored_dir - source_config[orig_key] = orig_selector - source_config[orig_key]["replace-with"] = vendored_key - - # we reserve registry index 0 for crates-io - source_to_ind["registry+https://github.com/rust-lang/crates.io-index"] = "registry-0" - source_to_ind["sparse+https://index.crates.io/"] = "registry-0" - add_source_replacement( - orig_key="crates-io", - orig_selector={}, # there is an internal selector defined for the `crates-io` source - vendored_key="vendored-source-registry-0", - vendored_dir="@vendor@/source-registry-0" - ) - next_registry_ind += 1 - - for pkg in cargo_lock_toml["package"]: - # ignore local dependencies - if "source" not in pkg.keys(): - continue - source: str = pkg["source"] - if source in source_to_ind: - continue - - if source.startswith("git+"): - ind = f"git-{next_git_ind}" - next_git_ind += 1 - source_info = parse_git_source(source, lockfile_version) - selector = make_git_source_selector(source_info) - elif source.startswith("registry+") or source.startswith("sparse+"): - ind = f"registry-{next_registry_ind}" - next_registry_ind += 1 - selector = make_registry_source_selector(source) - else: - raise Exception(f"Can't process source: {source}.") - - source_to_ind[source] = ind - add_source_replacement( - orig_key=f"original-source-{ind}", - orig_selector=selector, - vendored_key=f"vendored-source-{ind}", - vendored_dir=f"@vendor@/source-{ind}" - ) - - config_path = out_dir / ".cargo" / "config.toml" - config_path.parent.mkdir() - - with open(config_path, "wb") as config_file: - tomli_w.dump({"source": source_config}, config_file) - - for pkg in cargo_lock_toml["package"]: - - # ignore local dependenices - if "source" not in pkg.keys(): - continue - - source: str = pkg["source"] - source_ind = source_to_ind[source] - crate_dir_name = f"{pkg["name"]}-{pkg["version"]}" - source_dir_name = f"source-{source_ind}" - crate_out_dir = out_dir / source_dir_name / crate_dir_name - crate_out_dir.parent.mkdir(exist_ok=True) - - if source.startswith("git+"): - - source_info = parse_git_source(source, lockfile_version) - - git_sha_rev = source_info["git_sha_rev"] - git_tree = vendor_staging_dir / "git" / git_sha_rev - - copy_and_patch_git_crate_subtree(git_tree, pkg["name"], crate_out_dir) - - # git based crates allow having no checksum information - with open(crate_out_dir / ".cargo-checksum.json", "w") as f: - json.dump({"files": {}}, f) - - elif source.startswith("registry+") or source.startswith("sparse+"): - filename = f"{pkg["name"]}-{pkg["version"]}.tar.gz" - - # TODO: change this when non-crates-io registries are supported - dir_name = "tarballs" - - tarball_path = vendor_staging_dir / dir_name / filename - - extract_crate_tarball_contents(tarball_path, crate_out_dir) - - # non-git based crates need the package checksum at minimum - with open(crate_out_dir / ".cargo-checksum.json", "w") as f: - json.dump({"files": {}, "package": pkg["checksum"]}, f) - - else: - raise Exception(f"Can't process source: {source}.") - - -def main() -> None: - subcommand = sys.argv[1] - - subcommand_func_dict = { - "create-vendor-staging": lambda: create_vendor_staging(lockfile_path=Path(sys.argv[2]), out_dir=Path(sys.argv[3])), - "create-vendor": lambda: create_vendor(vendor_staging_dir=Path(sys.argv[2]), out_dir=Path(sys.argv[3])) - } - - subcommand_func = subcommand_func_dict.get(subcommand) - - if subcommand_func is None: - raise Exception(f"Unknown subcommand: '{subcommand}'. Must be one of {list(subcommand_func_dict.keys())}") - - subcommand_func() - - -if __name__ == "__main__": - main() diff --git a/pkgs/build-support/rust/fetch-cargo-vendor-util.py b/pkgs/build-support/rust/fetch-cargo-vendor-util.py index 3bee7e150c8e8..825f07b175ee9 100644 --- a/pkgs/build-support/rust/fetch-cargo-vendor-util.py +++ b/pkgs/build-support/rust/fetch-cargo-vendor-util.py @@ -40,6 +40,7 @@ def create_http_session() -> requests.Session: status_forcelist=[500, 502, 503, 504] ) session = requests.Session() + session.headers["User-Agent"] = "nixpkgs-fetchCargoVendor/2 (https://github.com/NixOS/nixpkgs)" session.mount('http://', HTTPAdapter(max_retries=retries)) session.mount('https://', HTTPAdapter(max_retries=retries)) return session @@ -68,7 +69,9 @@ def get_download_url_for_tarball(pkg: dict[str, Any]) -> str: if pkg["source"] != "registry+https://github.com/rust-lang/crates.io-index": raise Exception("Only the default crates.io registry is supported.") - return f"https://crates.io/api/v1/crates/{pkg["name"]}/{pkg["version"]}/download" + # Use static.crates.io (CDN) instead of crates.io/api to avoid the 1 req/sec + # rate limit on the API servers. + return f"https://static.crates.io/crates/{pkg["name"]}/{pkg["version"]}/download" def download_tarball(session: requests.Session, pkg: dict[str, Any], out_dir: Path) -> None: @@ -289,6 +292,7 @@ def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None: lockfile_version = get_lockfile_version(cargo_lock_toml) source_to_ind: dict[str, str] = {} + selector_to_ind: dict[tuple, str] = {} source_config = {} next_registry_ind = 0 next_git_ind = 0 @@ -324,24 +328,35 @@ def add_source_replacement( continue if source.startswith("git+"): - ind = f"git-{next_git_ind}" - next_git_ind += 1 source_info = parse_git_source(source, lockfile_version) selector = make_git_source_selector(source_info) + selector_key = (source_info["url"], source_info["type"], source_info["value"]) + if selector_key in selector_to_ind: + ind = selector_to_ind[selector_key] + else: + ind = f"git-{next_git_ind}" + next_git_ind += 1 + selector_to_ind[selector_key] = ind + add_source_replacement( + orig_key=f"original-source-{ind}", + orig_selector=selector, + vendored_key=f"vendored-source-{ind}", + vendored_dir=f"@vendor@/source-{ind}" + ) elif source.startswith("registry+") or source.startswith("sparse+"): ind = f"registry-{next_registry_ind}" next_registry_ind += 1 selector = make_registry_source_selector(source) + add_source_replacement( + orig_key=f"original-source-{ind}", + orig_selector=selector, + vendored_key=f"vendored-source-{ind}", + vendored_dir=f"@vendor@/source-{ind}" + ) else: raise Exception(f"Can't process source: {source}.") source_to_ind[source] = ind - add_source_replacement( - orig_key=f"original-source-{ind}", - orig_selector=selector, - vendored_key=f"vendored-source-{ind}", - vendored_dir=f"@vendor@/source-{ind}" - ) config_path = out_dir / ".cargo" / "config.toml" config_path.parent.mkdir() diff --git a/pkgs/build-support/rust/fetch-cargo-vendor.nix b/pkgs/build-support/rust/fetch-cargo-vendor.nix index 2802bf9e73f11..8d554a8dc3e22 100644 --- a/pkgs/build-support/rust/fetch-cargo-vendor.nix +++ b/pkgs/build-support/rust/fetch-cargo-vendor.nix @@ -37,29 +37,18 @@ let "hash" ]; - mkFetchCargoVendorUtil = - name: src: - writers.writePython3Bin name { - libraries = - with python3Packages; - [ - requests - tomli-w - ] - ++ requests.optional-dependencies.socks; # to support socks proxy envs like ALL_PROXY in requests - flakeIgnore = [ - "E501" - ]; - } (builtins.readFile src); - - # Separate util used only by the FOD `vendorStaging` stage below. Kept - # distinct from fetchCargoVendorUtil so that changes to the network-facing - # bits (User-Agent, download URL) don't invalidate the input-addressed - # `-vendor` stage and force a mass rebuild of every Rust package in nixpkgs. - # vendorStaging is an FOD, so swapping its util is free for consumers. - # TODO: unify with fetchCargoVendorUtil on the next `staging` cycle. - fetchCargoVendorUtilV2 = mkFetchCargoVendorUtil "fetch-cargo-vendor-util-v2" ./fetch-cargo-vendor-util-v2.py; - fetchCargoVendorUtil = mkFetchCargoVendorUtil "fetch-cargo-vendor-util" ./fetch-cargo-vendor-util.py; + fetchCargoVendorUtil = writers.writePython3Bin "fetch-cargo-vendor-util" { + libraries = + with python3Packages; + [ + requests + tomli-w + ] + ++ requests.optional-dependencies.socks; # to support socks proxy envs like ALL_PROXY in requests + flakeIgnore = [ + "E501" + ]; + } (builtins.readFile ./fetch-cargo-vendor-util.py); in { @@ -79,7 +68,7 @@ let impureEnvVars = lib.fetchers.proxyImpureEnvVars; nativeBuildInputs = [ - fetchCargoVendorUtilV2 + fetchCargoVendorUtil cacert nix-prefetch-git' ] @@ -92,7 +81,7 @@ let cd "$cargoRoot" fi - fetch-cargo-vendor-util-v2 create-vendor-staging ./Cargo.lock "$out" + fetch-cargo-vendor-util create-vendor-staging ./Cargo.lock "$out" runHook postBuild ''; diff --git a/pkgs/by-name/as/assimp/package.nix b/pkgs/by-name/as/assimp/package.nix index 717fd1a0746f7..24769c4a231cd 100644 --- a/pkgs/by-name/as/assimp/package.nix +++ b/pkgs/by-name/as/assimp/package.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "assimp"; - version = "6.0.4"; + version = "6.0.5"; outputs = [ "out" "lib" @@ -20,7 +20,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "assimp"; repo = "assimp"; tag = "v${finalAttrs.version}"; - hash = "sha256-ryTgsN0z9BZBz7i9aUMKuneN5oqfxpduwJlb+Q0q3Mk="; + hash = "sha256-QWBi1pl5C76UtPhB6SmFipm9oEdnfhELMT3MqfV6oxg="; }; postPatch = '' diff --git a/pkgs/by-name/at/at-spi2-core/package.nix b/pkgs/by-name/at/at-spi2-core/package.nix index dd5e8f9e4ce13..c204431843746 100644 --- a/pkgs/by-name/at/at-spi2-core/package.nix +++ b/pkgs/by-name/at/at-spi2-core/package.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "at-spi2-core"; - version = "2.60.1"; + version = "2.60.4"; outputs = [ "out" @@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = "mirror://gnome/sources/at-spi2-core/${lib.versions.majorMinor finalAttrs.version}/at-spi2-core-${finalAttrs.version}.tar.xz"; - hash = "sha256-+ZuH48FnT1+8QXzJwdniYcDymqsFUK1jaYBQMdEvaFI="; + hash = "sha256-Gh9bqYBZF/QfxqpoI9z4h6KR1gekJ+LVr7a136ZQcMc="; }; nativeBuildInputs = [ diff --git a/pkgs/by-name/au/audit/package.nix b/pkgs/by-name/au/audit/package.nix index 197df3501597b..3b2389e7843c6 100644 --- a/pkgs/by-name/au/audit/package.nix +++ b/pkgs/by-name/au/audit/package.nix @@ -30,13 +30,13 @@ }: stdenv.mkDerivation (finalAttrs: { pname = "audit"; - version = "4.1.2-unstable-2025-09-06"; # fixes to non-static builds right after 4.1.2 release + version = "4.1.4"; src = fetchFromGitHub { owner = "linux-audit"; repo = "audit-userspace"; - rev = "cb13fe75ee2c36d5c525ed9de22aae10dbc8caf4"; - hash = "sha256-NX0TWA+LtcZgbM9aQfokWv2rGNAAb3ksGqAH8URAkYM="; + tag = "v${finalAttrs.version}"; + hash = "sha256-GdJ9nzlDAdOazOHH/YWuEoELrJh+G5ZJUKwIqAKAzpo="; }; postPatch = '' @@ -132,10 +132,6 @@ stdenv.mkDerivation (finalAttrs: { # Instead, we load audit rules in a dedicated module. postFixup = '' moveToOutput bin/augenrules $scripts - substituteInPlace $scripts/bin/augenrules \ - --replace-fail "/sbin/auditctl -R" "$bin/bin/auditctl -R" \ - --replace-fail "auditctl -s" "$bin/bin/auditctl -s" \ - --replace-fail "/bin/ls" "ls" wrapProgram $scripts/bin/augenrules \ --prefix PATH : ${ lib.makeBinPath [ diff --git a/pkgs/by-name/bi/bind/package.nix b/pkgs/by-name/bi/bind/package.nix index 2f12ebf30ea04..1da6cba114798 100644 --- a/pkgs/by-name/bi/bind/package.nix +++ b/pkgs/by-name/bi/bind/package.nix @@ -9,6 +9,7 @@ libidn2, libtool, libxml2, + json_c, openssl, liburcu, libuv, @@ -29,11 +30,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "bind"; - version = "9.20.23"; + version = "9.20.24"; src = fetchurl { url = "https://downloads.isc.org/isc/bind9/${finalAttrs.version}/bind-${finalAttrs.version}.tar.xz"; - hash = "sha256-XUR1rtP55QDvVUsrFNlyvbg9M94hSps76SkY6kaQg3E="; + hash = "sha256-mJ/vH8iOpZ0EzYb4VNylpGFqIKmWi83ePBo2aKs2vgg="; }; outputs = [ @@ -59,6 +60,7 @@ stdenv.mkDerivation (finalAttrs: { libidn2 libtool libxml2 + json_c openssl liburcu libuv diff --git a/pkgs/by-name/cu/curlMinimal/fix-wakeup-consumption.patch b/pkgs/by-name/cu/curlMinimal/fix-wakeup-consumption.patch new file mode 100644 index 0000000000000..0bc04b60bb87a --- /dev/null +++ b/pkgs/by-name/cu/curlMinimal/fix-wakeup-consumption.patch @@ -0,0 +1,32 @@ +From 2a2104f3cff44bb28bb570a093be52bbeeed8f23 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Mon, 11 May 2026 14:56:04 +0200 +Subject: [PATCH] event: fix wakeup consumption + +The events on a multi wakeup socketpair were only consumed via +curl_multi_poll()/curl_multi_wait() but not in event based processing on +a curl_multi_socket() call. That led to busy loops as reported in + +Fixes #21547 +Reported-by: Earnestly on github +Closes #21549 +--- + lib/multi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/multi.c b/lib/multi.c +index be32740a7097..5e84133f13fd 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -2703,6 +2703,11 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + Curl_uint32_bset_remove(&multi->dirty, data->mid); + + if(data == multi->admin) { ++#ifdef ENABLE_WAKEUP ++ /* Consume any pending wakeup signals before processing. ++ * This is necessary for event based processing. See #21547 */ ++ (void)Curl_wakeup_consume(multi->wakeup_pair, TRUE); ++#endif + #ifdef USE_RESOLV_THREADED + Curl_async_thrdd_multi_process(multi); + #endif diff --git a/pkgs/by-name/cu/curlMinimal/package.nix b/pkgs/by-name/cu/curlMinimal/package.nix index 28220181cba0b..a25ea809c62b0 100644 --- a/pkgs/by-name/cu/curlMinimal/package.nix +++ b/pkgs/by-name/cu/curlMinimal/package.nix @@ -96,6 +96,13 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-Y/4twUi6DOromSLvg49+XJRicsLni3xZ+rS3nTziuJY="; }; + patches = [ + # https://github.com/curl/curl/commit/2a2104f3cff44bb28bb570a093be52bbeeed8f23 + # According to , this fixes + # a performance regression, causing high CPU usage + ./fix-wakeup-consumption.patch + ]; + # this could be accomplished by updateAutotoolsGnuConfigScriptsHook, but that causes infinite recursion # necessary for FreeBSD code path in configure postPatch = '' @@ -115,6 +122,7 @@ stdenv.mkDerivation (finalAttrs: { enableParallelBuilding = true; strictDeps = true; + __structuredAttrs = true; env = { CXX = "${stdenv.cc.targetPrefix}c++"; diff --git a/pkgs/by-name/do/doctest/package.nix b/pkgs/by-name/do/doctest/package.nix index f6ffd1b9e5590..cbea1dcba7494 100644 --- a/pkgs/by-name/do/doctest/package.nix +++ b/pkgs/by-name/do/doctest/package.nix @@ -7,13 +7,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "doctest"; - version = "2.5.0"; + version = "2.5.2"; src = fetchFromGitHub { owner = "doctest"; repo = "doctest"; tag = "v${finalAttrs.version}"; - hash = "sha256-7t/eknv7VtHoBgcuJmI07x//HIyqzE9HUuH5u2y7X8A="; + hash = "sha256-4jW6xPFCFxk1l47EkSUVojhycrtluPhOc5Adf/25R7M="; }; nativeBuildInputs = [ cmake ]; @@ -27,6 +27,7 @@ stdenv.mkDerivation (finalAttrs: { doCheck = true; meta = { + changelog = "https://github.com/doctest/doctest/releases/tag/${finalAttrs.src.tag}"; homepage = "https://github.com/doctest/doctest"; description = "Fastest feature-rich C++11/14/17/20 single-header testing framework"; platforms = lib.platforms.all; diff --git a/pkgs/by-name/du/duplicity/package.nix b/pkgs/by-name/du/duplicity/package.nix index 7cdb8eff47f21..8e7b8698a1a4c 100644 --- a/pkgs/by-name/du/duplicity/package.nix +++ b/pkgs/by-name/du/duplicity/package.nix @@ -75,20 +75,17 @@ let glib ]; - pythonPath = - with python3.pkgs; - [ - b2sdk - boto3 - idna - pygobject3 - fasteners - paramiko - pexpect - # Currently marked as broken. - # pydrive2 - ] - ++ paramiko.optional-dependencies.invoke; + pythonPath = with python3.pkgs; [ + b2sdk + boto3 + idna + pygobject3 + fasteners + paramiko + pexpect + # Currently marked as broken. + # pydrive2 + ]; nativeCheckInputs = [ gnupg # Add 'gpg' to PATH. diff --git a/pkgs/by-name/e2/e2fsprogs/package.nix b/pkgs/by-name/e2/e2fsprogs/package.nix index ceb394b1c433e..970ea64682c51 100644 --- a/pkgs/by-name/e2/e2fsprogs/package.nix +++ b/pkgs/by-name/e2/e2fsprogs/package.nix @@ -3,7 +3,6 @@ stdenv, buildPackages, fetchurl, - fetchpatch, pkg-config, libuuid, gettext, @@ -20,25 +19,15 @@ stdenv.mkDerivation rec { pname = "e2fsprogs"; - version = "1.47.3"; + version = "1.47.4"; __structuredAttrs = true; src = fetchurl { url = "mirror://kernel/linux/kernel/people/tytso/e2fsprogs/v${version}/e2fsprogs-${version}.tar.xz"; - hash = "sha256-hX5u+AD+qiu0V4+8gQIUvl08iLBy6lPFOEczqWVzcyk="; + hash = "sha256-/VvziMvb4Aaj07MY2YOylIOCRArMhah/Hn0QhlPo2ws="; }; - patches = [ - # Upstream patch that fixes musl build (and probably others). - # Should be included in next release after 1.47.3. - (fetchpatch { - name = "stdio-portability.patch"; - url = "https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/patch/?id=f79abd8554e600eacc2a7c864a8332b670c9e262"; - hash = "sha256-zZ7zmSMTwGyS3X3b/D/mVG0bV2ul5xtY5DJx9YUvQO8="; - }) - ]; - # fuse2fs adds 14mb of dependencies outputs = [ "bin" diff --git a/pkgs/by-name/ex/expat/package.nix b/pkgs/by-name/ex/expat/package.nix index cf55e71a2037d..78ff9e9253b06 100644 --- a/pkgs/by-name/ex/expat/package.nix +++ b/pkgs/by-name/ex/expat/package.nix @@ -18,7 +18,7 @@ # files. let - version = "2.8.0"; + version = "2.8.1"; tag = "R_${lib.replaceStrings [ "." ] [ "_" ] version}"; in stdenv.mkDerivation (finalAttrs: { @@ -29,7 +29,7 @@ stdenv.mkDerivation (finalAttrs: { url = with finalAttrs; "https://github.com/libexpat/libexpat/releases/download/${tag}/${pname}-${version}.tar.xz"; - hash = "sha256-o3v64KqXdb2FIevYXcRW1Ibw/zETj2yR/ZAupzJiRUI="; + hash = "sha256-ELGV7ngWCpCDiBgKj+NgPU6aEvR1X79fOBayOp11DaA="; }; strictDeps = true; diff --git a/pkgs/by-name/ff/fftw/package.nix b/pkgs/by-name/ff/fftw/package.nix index 0d9736335f682..a706799bf693e 100644 --- a/pkgs/by-name/ff/fftw/package.nix +++ b/pkgs/by-name/ff/fftw/package.nix @@ -1,6 +1,5 @@ { fetchurl, - fetchpatch, stdenv, lib, gfortran, @@ -22,24 +21,16 @@ assert lib.elem precision [ stdenv.mkDerivation (finalAttrs: { pname = "fftw-${precision}"; - version = "3.3.10"; + version = "3.3.11"; src = fetchurl { urls = [ "https://fftw.org/fftw-${finalAttrs.version}.tar.gz" "ftp://ftp.fftw.org/pub/fftw/fftw-${finalAttrs.version}.tar.gz" ]; - hash = "sha256-VskyVJhSzdz6/as4ILAgDHdCZ1vpIXnlnmIVs0DiZGc="; + hash = "sha256-VjDCTN6zOxMWEvfrSxqZNCNHVPnziP+GF0WNC+byOaE="; }; - patches = [ - (fetchpatch { - name = "remove_missing_FFTW3LibraryDepends.patch"; - url = "https://github.com/FFTW/fftw3/pull/338/commits/f69fef7aa546d4477a2a3fd7f13fa8b2f6c54af7.patch"; - hash = "sha256-lzX9kAHDMY4A3Td8necXwYLcN6j8Wcegi3A7OIECKeU="; - }) - ]; - outputs = [ "out" "dev" @@ -107,6 +98,7 @@ stdenv.mkDerivation (finalAttrs: { __structuredAttrs = true; meta = { + changelog = "https://github.com/FFTW/fftw3/blob/fftw-${finalAttrs.version}/NEWS"; description = "Fastest Fourier Transform in the West library"; homepage = "https://www.fftw.org/"; license = lib.licenses.gpl2Plus; diff --git a/pkgs/by-name/fr/freetype/package.nix b/pkgs/by-name/fr/freetype/package.nix index 76ffe6324cf26..2f5f6ccef0a84 100644 --- a/pkgs/by-name/fr/freetype/package.nix +++ b/pkgs/by-name/fr/freetype/package.nix @@ -2,6 +2,7 @@ lib, stdenv, fetchurl, + fetchpatch, buildPackages, pkgsHostHost, pkg-config, @@ -39,7 +40,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "freetype"; - version = "2.14.2"; + version = "2.14.3"; src = let @@ -47,7 +48,7 @@ stdenv.mkDerivation (finalAttrs: { in fetchurl { url = "mirror://savannah/freetype/freetype-${version}.tar.xz"; - sha256 = "sha256-S2Lcq0ySChqGA2mTMiGBQ2LmmeJvVXklFtZx5v9VteE="; + sha256 = "sha256-NrxPHMQTM1No7mVsQq/KZcWjmH6HaMwozxG6d154Wl8="; }; propagatedBuildInputs = [ @@ -69,6 +70,53 @@ stdenv.mkDerivation (finalAttrs: { patches = [ ./enable-table-validation.patch + + # https://project-zero.issues.chromium.org/issues/505355061 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1419 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1420 + (fetchpatch { + name = "truetype-shz-limit-heap-buffer-overflow-part1.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/1803559c4ee407d0bcbf2a67dbe96690cee869d2.patch"; + hash = "sha256-zxtJ2pJz8pNofgYrJ6c8/eZqRvxTotanF2IdU9ckpM4="; + }) + (fetchpatch { + name = "truetype-shz-limit-heap-buffer-overflow-part2.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/7d600a022e1d813e85a8c94ffd395f6135872267.patch"; + hash = "sha256-aHE11C9Cr23D2lqNmTVUDA5E07xxUm+AcYdWJG9zLFs="; + }) + + # https://project-zero.issues.chromium.org/issues/505357209 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1421 + (fetchpatch { + name = "truetype-iup-integer-overflow.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/7974be74d8b5a2fbf99aa88f0461d1f80af51cee.patch"; + hash = "sha256-b5Px0ALsnC5K1+601YioAjCLkLVXNnvTIZ1aQtCeNoQ="; + }) + + # https://project-zero.issues.chromium.org/issues/506902245 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1423 + # https://gitlab.freedesktop.org/freetype/freetype/-/merge_requests/428 + (fetchpatch { + name = "truetype-variation-handling-signednes-mismatch.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/0d45c7f1911bc6db0bf072eea0c8cdccd77bc6b3.patch"; + hash = "sha256-bw/9O86sZQa+vwdgx2MTqxWi6vjMcRTyC42ba9CaZ3I="; + }) + + # prerequisite for the below to apply, since this changes formatting of + # affected code. + (fetchpatch { + name = "ftobjs-formatting.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/590b77014bd920d0bdf64c039fddbce89a288b83.patch"; + hash = "sha256-govOzLBzQMAjSKABVFryDnSn2by2f/W9BgGG3o+qSuE="; + }) + + # https://project-zero.issues.chromium.org/issues/507321912 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1425 + (fetchpatch { + name = "sub-byte-bitmaps-heap-buffer-over-read.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/cbe12767ea73d1006edc75fcd61c0b0d2a88f34e.patch"; + hash = "sha256-jMeqY9uX7Ryfdd8icGDT4kEKl6aGRWafSN8GzOhGW7g="; + }) ] ++ lib.optional useEncumberedCode ./enable-subpixel-rendering.patch; diff --git a/pkgs/by-name/gh/ghostscript/package.nix b/pkgs/by-name/gh/ghostscript/package.nix index 36b9ced6f56b7..6cd7c4b18ed1a 100644 --- a/pkgs/by-name/gh/ghostscript/package.nix +++ b/pkgs/by-name/gh/ghostscript/package.nix @@ -67,13 +67,13 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "ghostscript${lib.optionalString x11Support "-with-X"}"; - version = "10.07.0"; + version = "10.07.1"; src = fetchurl { url = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${ lib.replaceStrings [ "." ] [ "" ] finalAttrs.version }/ghostscript-${finalAttrs.version}.tar.xz"; - hash = "sha256-3azk4XIflnpVA5uv9WSEAiXguqHU9UMiR8oczRRzt8E="; + hash = "sha256-HNt2bejbjx5YnIF/CcWFXqX2XfyFQORlpprBTBhBYCU="; }; patches = [ @@ -233,6 +233,7 @@ stdenv.mkDerivation (finalAttrs: { meta = { homepage = "https://www.ghostscript.com/"; + changelog = "https://ghostscript.readthedocs.io/en/gs${finalAttrs.version}/News.html"; description = "PostScript interpreter (mainline version)"; longDescription = '' Ghostscript is the name of a set of tools that provides (i) an diff --git a/pkgs/by-name/gr/gram/package.nix b/pkgs/by-name/gr/gram/package.nix index 6d6f84306f331..48a4664be6fd1 100644 --- a/pkgs/by-name/gr/gram/package.nix +++ b/pkgs/by-name/gr/gram/package.nix @@ -31,7 +31,7 @@ rustPlatform.buildRustPackage (finalAttrs: { pname = "gram"; - version = "2.1.2"; + version = "2.2.0"; outputs = [ "out" @@ -44,7 +44,7 @@ rustPlatform.buildRustPackage (finalAttrs: { owner = "GramEditor"; repo = "gram"; tag = finalAttrs.version; - hash = "sha256-7FzAvC/JMMIFcuTGkL2Ju644UAIsneOMhiDUFnQske4="; + hash = "sha256-w0uZ2qAc3Tt6QVRAX97LWW9aOs02fG1SEYCDhpUhinE="; }; postPatch = '' @@ -54,7 +54,7 @@ rustPlatform.buildRustPackage (finalAttrs: { --replace-fail '$CARGO_ABOUT_VERSION' '${cargo-about.version}' ''; - cargoHash = "sha256-feESY8ALSG3xa906HBc4pOKGerQ1jF7VUxzvUcsZbrY="; + cargoHash = "sha256-+lmDbawAIRllC7LzGJ9qPMtHXPd5aMoul47YOA7nfXA="; __structuredAttrs = true; @@ -71,7 +71,7 @@ rustPlatform.buildRustPackage (finalAttrs: { dontUseCmakeConfigure = true; buildInputs = [ - libgit2 + (libgit2.override { withExperimentalSha256 = true; }) openssl sqlite zlib diff --git a/pkgs/by-name/gr/groff/package.nix b/pkgs/by-name/gr/groff/package.nix index a824d9a82f023..083b1493dcf6b 100644 --- a/pkgs/by-name/gr/groff/package.nix +++ b/pkgs/by-name/gr/groff/package.nix @@ -48,8 +48,7 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-dOKBl5W2r/QxrqyYPWOpyJaO6roqLrp9+LpMe0Hnz9g="; }; - patches = lib.optionals stdenv.isLinux [ - # TODO: apply everywhere on rebuild + patches = [ # This revert a upstream refactor in continuous rendering mode, but this # causes a big performance regression for big manpages like # `man 5 configuration.nix`. diff --git a/pkgs/by-name/gt/gtk4/package.nix b/pkgs/by-name/gt/gtk4/package.nix index 28fd6efc8850d..9b7807508a353 100644 --- a/pkgs/by-name/gt/gtk4/package.nix +++ b/pkgs/by-name/gt/gtk4/package.nix @@ -95,11 +95,13 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-Ub2fYMfSOmZaVWxzZMIfsuTiglZrPn4JJFXo+RAzCJM="; }; - patches = lib.optional stdenv.hostPlatform.is32bit (fetchpatch { - name = "fix-32bit-VkImage-null.patch"; - url = "https://gitlab.gnome.org/GNOME/gtk/-/commit/10d43de8f4f942cb591ada3103474bd7213425f1.patch"; - hash = "sha256-DJIL6M3XcsjBoMO77OxNi84d1DxAphAfot3N7Nq1QqQ="; - }); + patches = [ + (fetchpatch { + name = "fix-32bit-VkImage-null.patch"; + url = "https://gitlab.gnome.org/GNOME/gtk/-/commit/10d43de8f4f942cb591ada3103474bd7213425f1.patch"; + hash = "sha256-DJIL6M3XcsjBoMO77OxNi84d1DxAphAfot3N7Nq1QqQ="; + }) + ]; depsBuildBuild = [ pkg-config diff --git a/pkgs/by-name/im/imagemagick/package.nix b/pkgs/by-name/im/imagemagick/package.nix index 40d518373564b..ffce265c53e04 100644 --- a/pkgs/by-name/im/imagemagick/package.nix +++ b/pkgs/by-name/im/imagemagick/package.nix @@ -89,13 +89,13 @@ in stdenv.mkDerivation (finalAttrs: { pname = "imagemagick"; - version = "7.1.2-23"; + version = "7.1.2-24"; src = fetchFromGitHub { owner = "ImageMagick"; repo = "ImageMagick"; tag = finalAttrs.version; - hash = "sha256-zYk75q+EyWq5g/AHFU6v8a7gye0aDAEe/ZZvjqR9ZTc="; + hash = "sha256-oSH0dsQ3cuFNYJIIr6LHbv82FbFxxcmkjQ5csTNsYCA="; }; outputs = [ diff --git a/pkgs/by-name/kr/krb5/CVE-2026-40355-and-CVE-2026-40356.patch b/pkgs/by-name/kr/krb5/CVE-2026-40355-and-CVE-2026-40356.patch new file mode 100644 index 0000000000000..fe37f894fdc47 --- /dev/null +++ b/pkgs/by-name/kr/krb5/CVE-2026-40355-and-CVE-2026-40356.patch @@ -0,0 +1,61 @@ +From acea6182e46fff3d1d64a3172cdff307b07ca441 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Wed, 8 Apr 2026 17:57:59 -0400 +Subject: [PATCH] Fix two NegoEx parsing vulnerabilities + +In parse_nego_message(), check the result of the second call to +vector_base() before dereferencing it. In parse_message(), check for +a short header_len to prevent an integer underflow when calculating +the remaining message length. + +Reported by Cem Onat Karagun. + +CVE-2026-40355: + +In MIT krb5 release 1.18 and later, if an application calls +gss_accept_sec_context() on a system with a NegoEx mechanism +registered in /etc/gss/mech, an unauthenticated remote attacker can +trigger a null pointer dereference, causing the process to terminate. + +CVE-2026-40356: + +In MIT krb5 release 1.18 and later, if an application calls +gss_accept_sec_context() on a system with a NegoEx mechanism +registered in /etc/gss/mech, an unauthenticated remote attacker can +trigger a read overrun of up to 52 bytes, possibly causing the process +to terminate. Exfiltration of the bytes read does not appear +possible. + +(cherry picked from commit 2e75f0d9362fb979f5fc92829431a590a130929f) + +ticket: 9205 +version_fixed: 1.22.3 +--- + lib/gssapi/spnego/negoex_util.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/gssapi/spnego/negoex_util.c b/src/lib/gssapi/spnego/negoex_util.c +index edc5462e844..a65238e5730 100644 +--- a/lib/gssapi/spnego/negoex_util.c ++++ b/lib/gssapi/spnego/negoex_util.c +@@ -253,6 +253,10 @@ parse_nego_message(OM_uint32 *minor, struct k5input *in, + offset = k5_input_get_uint32_le(in); + count = k5_input_get_uint16_le(in); + p = vector_base(offset, count, EXTENSION_LENGTH, msg_base, msg_len); ++ if (p == NULL) { ++ *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE; ++ return GSS_S_DEFECTIVE_TOKEN; ++ } + for (i = 0; i < count; i++) { + extension_type = load_32_le(p + i * EXTENSION_LENGTH); + if (extension_type & EXTENSION_FLAG_CRITICAL) { +@@ -391,7 +395,8 @@ parse_message(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, struct k5input *in, + msg_len = k5_input_get_uint32_le(in); + conv_id = k5_input_get_bytes(in, GUID_LENGTH); + +- if (in->status || msg_len > token_remaining || header_len > msg_len) { ++ if (in->status || msg_len > token_remaining || ++ header_len < (size_t)(in->ptr - msg_base) || header_len > msg_len) { + *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE; + return GSS_S_DEFECTIVE_TOKEN; + } diff --git a/pkgs/by-name/kr/krb5/package.nix b/pkgs/by-name/kr/krb5/package.nix index 0b504c6dc8a66..c4e35061d41af 100644 --- a/pkgs/by-name/kr/krb5/package.nix +++ b/pkgs/by-name/kr/krb5/package.nix @@ -34,16 +34,20 @@ stdenv.mkDerivation (finalAttrs: { pname = "krb5"; - version = "1.22.1"; + version = "1.22.2"; __structuredAttrs = true; src = fetchurl { url = "https://kerberos.org/dist/krb5/${lib.versions.majorMinor finalAttrs.version}/krb5-${finalAttrs.version}.tar.gz"; - hash = "sha256-GogyuMrZI+u/E5T2fi789B46SfRgKFpm41reyPoAU68="; + hash = "sha256-MkP/vI6k1Kwi3cfdKh3FTFeHTEBki2D/lwCXY1VOrxM="; }; - patches = lib.optionals stdenv.hostPlatform.isFreeBSD [ + patches = [ + # https://github.com/krb5/krb5/pull/1506 + ./CVE-2026-40355-and-CVE-2026-40356.patch + ] + ++ lib.optionals stdenv.hostPlatform.isFreeBSD [ (fetchpatch { name = "fix-missing-ENODATA.patch"; url = "https://cgit.freebsd.org/ports/plain/security/krb5-122/files/patch-lib_krad_packet.c?id=0501f716c4aff7880fde56e42d641ef504593b7d"; @@ -170,6 +174,7 @@ stdenv.mkDerivation (finalAttrs: { ]; meta = { + changelog = "https://web.mit.edu/Kerberos/krb5-${lib.versions.majorMinor finalAttrs.version}/"; description = "MIT Kerberos 5"; homepage = "http://web.mit.edu/kerberos/"; license = lib.licenses.mit; diff --git a/pkgs/by-name/li/libadwaita/package.nix b/pkgs/by-name/li/libadwaita/package.nix index 0d1ed0da7e85e..8f289c6e4977e 100644 --- a/pkgs/by-name/li/libadwaita/package.nix +++ b/pkgs/by-name/li/libadwaita/package.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "libadwaita"; - version = "1.9.0"; + version = "1.9.1"; outputs = [ "out" @@ -37,7 +37,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "GNOME"; repo = "libadwaita"; tag = finalAttrs.version; - hash = "sha256-JAKP8CjLCKGZvHoB26ih/J3xAru4wiVf/ObG0L8r4pY="; + hash = "sha256-Oy3WcsymNbbmAacm5hEOrorI1wKXjSp063mh4jCJRAE="; }; depsBuildBuild = [ diff --git a/pkgs/by-name/li/libaec/package.nix b/pkgs/by-name/li/libaec/package.nix index c9824823b6691..3b7b1768c93bf 100644 --- a/pkgs/by-name/li/libaec/package.nix +++ b/pkgs/by-name/li/libaec/package.nix @@ -7,13 +7,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "libaec"; - version = "1.1.6"; + version = "1.1.7"; src = fetchFromGitHub { owner = "Deutsches-Klimarechenzentrum"; repo = "libaec"; tag = "v${finalAttrs.version}"; - hash = "sha256-cxDP+JNwokxgzH9hO2zw+rIcz8XG7E8ujbAbWpgUEW8="; + hash = "sha256-aBm+CXCq7sdJb6Qq9sNuTzNj0nRwTJI20HsqUg1Qi/8="; }; nativeBuildInputs = [ diff --git a/pkgs/by-name/li/libass/package.nix b/pkgs/by-name/li/libass/package.nix index 61b8611327f0d..045b0d926bdb8 100644 --- a/pkgs/by-name/li/libass/package.nix +++ b/pkgs/by-name/li/libass/package.nix @@ -44,9 +44,7 @@ stdenv.mkDerivation (finalAttrs: { fribidi harfbuzz ] - ++ lib.optional fontconfigSupport fontconfig - # TODO: remove dep after branchoff (in darwin stdenv) - ++ lib.optional stdenv.hostPlatform.isDarwin libiconv.out; + ++ lib.optional fontconfigSupport fontconfig; meta = { description = "Portable ASS/SSA subtitle renderer"; diff --git a/pkgs/by-name/li/libcaca/package.nix b/pkgs/by-name/li/libcaca/package.nix index 689257d7ff8ed..d233cdabfe871 100644 --- a/pkgs/by-name/li/libcaca/package.nix +++ b/pkgs/by-name/li/libcaca/package.nix @@ -2,6 +2,7 @@ lib, stdenv, fetchFromGitHub, + fetchpatch, autoreconfHook, imlib2, libxext, @@ -23,6 +24,14 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-N0Lfi0d4kjxirEbIjdeearYWvStkKMyV6lgeyNKXcVw="; }; + patches = [ + (fetchpatch { + name = "CVE-2026-42046.patch"; + url = "https://github.com/cacalabs/libcaca/commit/fb77acff9ba6bb01d53940da34fb10f20b156a23.patch"; + hash = "sha256-AdpiE5Gw/CVET//7TTYZCb0glW5HY+T8xZkYs1XCBvY="; + }) + ]; + nativeBuildInputs = [ autoreconfHook pkg-config diff --git a/pkgs/by-name/li/libde265/package.nix b/pkgs/by-name/li/libde265/package.nix index 51e24c6ed5ac2..771b9e3366340 100644 --- a/pkgs/by-name/li/libde265/package.nix +++ b/pkgs/by-name/li/libde265/package.nix @@ -15,14 +15,14 @@ }: stdenv.mkDerivation (finalAttrs: { - version = "1.0.18"; + version = "1.1.1"; pname = "libde265"; src = fetchFromGitHub { owner = "strukturag"; repo = "libde265"; tag = "v${finalAttrs.version}"; - hash = "sha256-N6K82ElrzrMSNKfPTDsc5onrxucIJ8niwFgbaEPPd2I="; + hash = "sha256-ZHfPC86oylqt2bwWMJRWVjdMEEmX6UOKR7XkR0HPyok="; }; nativeBuildInputs = [ @@ -43,6 +43,7 @@ stdenv.mkDerivation (finalAttrs: { meta = { homepage = "https://github.com/strukturag/libde265"; + changelog = "https://github.com/strukturag/libde265/releases/tag/${finalAttrs.src.tag}"; description = "Open h.265 video codec implementation"; mainProgram = "dec265"; license = lib.licenses.lgpl3; diff --git a/pkgs/by-name/li/libgcrypt/package.nix b/pkgs/by-name/li/libgcrypt/package.nix index 9317da7494fda..08fa5886de73f 100644 --- a/pkgs/by-name/li/libgcrypt/package.nix +++ b/pkgs/by-name/li/libgcrypt/package.nix @@ -17,11 +17,11 @@ assert enableCapabilities -> stdenv.hostPlatform.isLinux; stdenv.mkDerivation rec { pname = "libgcrypt"; - version = "1.11.2"; + version = "1.12.2"; src = fetchurl { url = "mirror://gnupg/libgcrypt/${pname}-${version}.tar.bz2"; - hash = "sha256-a6Wd0ZInDowdIt20GgfZXc28Hw+wLQPEtUsjWBQzCqw="; + hash = "sha256-fOM8JJIiGgQ2+WqFACFenz49y1/SanV81BXnqEO6vV4="; }; outputs = [ @@ -73,17 +73,6 @@ stdenv.mkDerivation rec { postConfigure = '' sed -i configure \ -e 's/NOEXECSTACK_FLAGS=$/NOEXECSTACK_FLAGS="-Wa,--noexecstack"/' - '' - # The cipher/simd-common-riscv.h wasn't added to the release tarball, please remove this hack on next version update - # https://dev.gnupg.org/T7647 - + lib.optionalString stdenv.hostPlatform.isRiscV '' - cp ${ - fetchurl { - url = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob_plain;f=cipher/simd-common-riscv.h;h=8381000f9ac148c60a6963a1d9ec14a3fee1c576;hb=81ce5321b1b79bde6dfdc3c164efb40c13cf656b"; - hash = "sha256-Toe15YLAOYULnLc2fGMMv/xzs/q1t3LsyiqtL7imc+8="; - name = "simd-common-riscv.h"; - } - } cipher/simd-common-riscv.h ''; enableParallelBuilding = true; diff --git a/pkgs/by-name/li/libgit2/package.nix b/pkgs/by-name/li/libgit2/package.nix index 568fa09201aa4..c17240378a92d 100644 --- a/pkgs/by-name/li/libgit2/package.nix +++ b/pkgs/by-name/li/libgit2/package.nix @@ -17,6 +17,7 @@ gitstatus, llhttp, withGssapi ? false, + withExperimentalSha256 ? false, krb5, }: @@ -43,6 +44,7 @@ stdenv.mkDerivation (finalAttrs: { "-DUSE_HTTP_PARSER=llhttp" "-DUSE_SSH=ON" (lib.cmakeBool "USE_GSSAPI" withGssapi) + (lib.cmakeBool "EXPERIMENTAL_SHA256" withExperimentalSha256) "-DBUILD_SHARED_LIBS=${if staticBuild then "OFF" else "ON"}" ] ++ lib.optionals stdenv.hostPlatform.isWindows [ @@ -89,6 +91,13 @@ stdenv.mkDerivation (finalAttrs: { ) ''; + postInstall = lib.optionalString withExperimentalSha256 '' + # Downstream Rust bindings (git2-rs / git2-sys) expect experimental headers + # to be located at 'git2/experimental.h', but upstream libgit2 installs them + # into 'git2-experimental/' when EXPERIMENTAL_SHA256 is enabled. + ln -s git2-experimental $dev/include/git2 + ''; + passthru.tests = lib.mapAttrs (_: v: v.override { libgit2 = finalAttrs.finalPackage; }) { inherit libgit2-glib; inherit (python3Packages) pygit2; diff --git a/pkgs/by-name/li/libheif/package.nix b/pkgs/by-name/li/libheif/package.nix index 7d4912e775986..42171d469f5a9 100644 --- a/pkgs/by-name/li/libheif/package.nix +++ b/pkgs/by-name/li/libheif/package.nix @@ -24,7 +24,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "libheif"; - version = "1.21.2"; + version = "1.23.0"; outputs = [ "bin" @@ -38,7 +38,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "strukturag"; repo = "libheif"; rev = "v${finalAttrs.version}"; - hash = "sha256-odkJ0wZSGoZ7mX9fkaNREDpMvQuQA9HKaf3so1dYrbc="; + hash = "sha256-+LbYwDSxixy4TaraUCN2LiCnn32dkMppCA8EOFXbvtg="; }; nativeBuildInputs = [ diff --git a/pkgs/by-name/li/libpng/package.nix b/pkgs/by-name/li/libpng/package.nix index d533f3ed56bbd..7d52bcffb378e 100644 --- a/pkgs/by-name/li/libpng/package.nix +++ b/pkgs/by-name/li/libpng/package.nix @@ -11,10 +11,10 @@ assert zlib != null; let - patchVersion = "1.6.56"; + patchVersion = "1.6.58"; patch_src = fetchurl { url = "mirror://sourceforge/libpng-apng/libpng-${patchVersion}-apng.patch.gz"; - hash = "sha256-nOMtSidjoqxfJYcmui9J6QETJ8HujDCGKjLQ8wiJ++g="; + hash = "sha256-7ufeoi7VAoaAF5cchsY8TtHmCF3guuv9zD0zIvAPPrA="; }; whenPatched = lib.optionalString apngSupport; @@ -24,11 +24,11 @@ let in stdenv'.mkDerivation (finalAttrs: { pname = "libpng" + whenPatched "-apng"; - version = "1.6.56"; + version = "1.6.58"; src = fetchurl { url = "mirror://sourceforge/libpng/libpng-${finalAttrs.version}.tar.xz"; - hash = "sha256-99i/FgG3gE9YOiVKs0OmVJymzyfSVcMCxHry2dNqbxg="; + hash = "sha256-KOtAP1Hw90BSSRMs7P6C6lwO+X8bMsWmWCiBSuDTR3U="; }; postPatch = whenPatched "gunzip < ${patch_src} | patch -Np1" diff --git a/pkgs/by-name/li/libressl/default.nix b/pkgs/by-name/li/libressl/default.nix index 7a266936f6c41..4bf139efc381d 100644 --- a/pkgs/by-name/li/libressl/default.nix +++ b/pkgs/by-name/li/libressl/default.nix @@ -23,6 +23,9 @@ let pname = "libressl"; inherit version; + strictDeps = true; + __structuredAttrs = true; + src = fetchurl { url = "mirror://openbsd/LibreSSL/libressl-${version}.tar.gz"; inherit hash; @@ -60,6 +63,23 @@ let preCheck = '' export PREVIOUS_${ldLibPathEnvName}=$${ldLibPathEnvName} export ${ldLibPathEnvName}="$${ldLibPathEnvName}:$(realpath tls/):$(realpath ssl/):$(realpath crypto/)" + '' + + lib.optionalString stdenv.hostPlatform.isElf '' + # Bail if any shared object has executable stack enabled. This can + # happen when an object produced from an assmbly file in libcrypto is + # missing a .note.GNU-stack section. An executable stack is dangerous + # and unintentional, but without this check the derivation will build + # and even run if W^X is not enforced; it would fail dangerously. + objdump -p **/*.so | awk ' + BEGIN { res = 0 } + /file format/ { file = $1 } + /STACK/ { stack = 1; next } + stack { + if ($0 ~ /flags.*x/) { print file " has executable stack"; res = 1 } + stack = 0 + } + END { exit res } + ' ''; postCheck = '' export ${ldLibPathEnvName}=$PREVIOUS_${ldLibPathEnvName} @@ -96,6 +116,7 @@ let maintainers = with lib.maintainers; [ thoughtpolice fpletz + ruuda ]; inherit knownVulnerabilities; @@ -111,37 +132,42 @@ let identifiers.cpeParts = lib.meta.cpeFullVersionWithVendor "openbsd" version; }; }; + # https://github.com/libressl/portable/pull/1206 + # This got merged in February 2026 and is included as of LibreSSL 4.3.0. common-cmake-install-full-dirs-patch = fetchpatch { url = "https://github.com/libressl/portable/commit/a15ea0710398eaeed3be53cf643e80a1e80c981d.patch"; hash = "sha256-Mlf4SrGCCqALQicbGtmVGdkdfcE8DEGYkOuVyG2CozM="; }; in { - libressl_4_1 = generic { - version = "4.1.2"; - hash = "sha256-+6Ti+ip/UjBt96OJlwoQ6YuX6w7bKZqf252/SZmcYeE="; - # Fixes build on loongarch64 - # https://github.com/libressl/portable/pull/1184 - postPatch = '' - mkdir -p include/arch/loongarch64 - cp ${ - fetchurl { - url = "https://github.com/libressl/portable/raw/refs/tags/v4.1.0/include/arch/loongarch64/opensslconf.h"; - hash = "sha256-68dw5syUy1z6GadCMR4TR9+0UQX6Lw/CbPWvjHGAhgo="; - } - } include/arch/loongarch64/opensslconf.h - ''; + # 4.2 was released October 2025 and will become unsupported on October 22, + # 2026, one year after the release of OpenBSD 7.8. + libressl_4_2 = generic { + version = "4.2.1"; + hash = "sha256-bVwvWFg1iOp5H0yGRQBAcdAN+lVKW/eIoAbKHrWr1ws="; patches = [ common-cmake-install-full-dirs-patch ]; }; - libressl_4_2 = generic { - version = "4.2.1"; - hash = "sha256-bVwvWFg1iOp5H0yGRQBAcdAN+lVKW/eIoAbKHrWr1ws="; + # 4.3 was released April 2026 and will become unsupported one year after the + # release of OpenBSD 7.9. + libressl_4_3 = generic { + version = "4.3.1"; + hash = "sha256-wttCrOFOfVQZgm+rNadC7G5NEnJaBRpR0M6jwQug+lA="; patches = [ - common-cmake-install-full-dirs-patch + # Fix for https://github.com/libressl/portable/issues/1278, where LibreSSL + # 4.3 started requiring executable stack because some objects were missing + # a .note.GNU-stack section; will probably be included in the next release. + (fetchpatch { + url = "https://raw.githubusercontent.com/libressl/portable/4dae91d056c6c75ba5cf2bc5e6148b8e02239119/patches/gnu-stack.patch"; + hash = "sha256-Q1oWL4N8w5Zmjfq5QkTJR53NgZ4GqChSDaBicli5G2I="; + # This patch is written to be applied with -p0, with no leading path + # component, but Nix applies with -p1 by default, so we add it to not + # break compatibility with how other patches must be applied. + decode = "sed 's|^--- |--- a/|; s|^+++ |+++ b/|'"; + }) ]; }; } diff --git a/pkgs/by-name/md/mdadm4/no-self-references.patch b/pkgs/by-name/md/mdadm4/no-self-references.patch deleted file mode 100644 index 3b3dc4d846095..0000000000000 --- a/pkgs/by-name/md/mdadm4/no-self-references.patch +++ /dev/null @@ -1,124 +0,0 @@ -diff --git a/Makefile b/Makefile -index 2a51d813..a31ac48a 100644 ---- a/Makefile -+++ b/Makefile -@@ -63,6 +63,9 @@ endif - ifdef DEBIAN - CPPFLAGS += -DDEBIAN - endif -+ifdef NIXOS -+CPPFLAGS += -DNIXOS -+endif - ifdef DEFAULT_OLD_METADATA - CPPFLAGS += -DDEFAULT_OLD_METADATA - DEFAULT_METADATA=0.90 -@@ -129,6 +132,7 @@ endif - INSTALL = /usr/bin/install - DESTDIR = - BINDIR = /sbin -+INSTALL_BINDIR = ${BINDIR} - MANDIR = /usr/share/man - MAN4DIR = $(MANDIR)/man4 - MAN5DIR = $(MANDIR)/man5 -@@ -253,16 +257,16 @@ sha1.o : sha1.c sha1.h md5.h - install : install-bin install-man install-udev - - install-static : mdadm.static install-man -- $(INSTALL) -D $(STRIP) -m 755 mdadm.static $(DESTDIR)$(BINDIR)/mdadm -+ $(INSTALL) -D $(STRIP) -m 755 mdadm.static $(DESTDIR)$(INSTALL_BINDIR)/mdadm - - install-tcc : mdadm.tcc install-man -- $(INSTALL) -D $(STRIP) -m 755 mdadm.tcc $(DESTDIR)$(BINDIR)/mdadm -+ $(INSTALL) -D $(STRIP) -m 755 mdadm.tcc $(DESTDIR)$(INSTALL_BINDIR)/mdadm - - install-uclibc : mdadm.uclibc install-man -- $(INSTALL) -D $(STRIP) -m 755 mdadm.uclibc $(DESTDIR)$(BINDIR)/mdadm -+ $(INSTALL) -D $(STRIP) -m 755 mdadm.uclibc $(DESTDIR)$(INSTALL_BINDIR)/mdadm - - install-klibc : mdadm.klibc install-man -- $(INSTALL) -D $(STRIP) -m 755 mdadm.klibc $(DESTDIR)$(BINDIR)/mdadm -+ $(INSTALL) -D $(STRIP) -m 755 mdadm.klibc $(DESTDIR)$(INSTALL_BINDIR)/mdadm - - install-man: mdadm.8 md.4 mdadm.conf.5 mdmon.8 - $(INSTALL) -D -m 644 mdadm.8 $(DESTDIR)$(MAN8DIR)/mdadm.8 -@@ -305,7 +309,7 @@ install-bin: mdadm mdmon - $(INSTALL) -D $(STRIP) -m 755 mdmon $(DESTDIR)$(BINDIR)/mdmon - - uninstall: -- rm -f $(DESTDIR)$(MAN8DIR)/mdadm.8 $(DESTDIR)$(MAN8DIR)/mdmon.8 $(DESTDIR)$(MAN4DIR)/md.4 $(DESTDIR)$(MAN5DIR)/mdadm.conf.5 $(DESTDIR)$(BINDIR)/mdadm -+ rm -f $(DESTDIR)$(MAN8DIR)/mdadm.8 $(DESTDIR)$(MAN8DIR)/mdmon.8 $(DESTDIR)$(MAN4DIR)/md.4 $(DESTDIR)$(MAN5DIR)/mdadm.conf.5 $(DESTDIR)$(INSTALL_BINDIR)/mdadm - - test: mdadm mdmon test_stripe swap_super raid6check - @echo "Please run './test' as root" -diff --git a/policy.c b/policy.c -index eee9ef63..9f916e9d 100644 ---- a/policy.c -+++ b/policy.c -@@ -817,12 +817,39 @@ char *find_rule(struct rule *rule, char *rule_type) - #define UDEV_RULE_FORMAT \ - "ACTION==\"add\", SUBSYSTEM==\"block\", " \ - "ENV{DEVTYPE}==\"%s\", ENV{ID_PATH}==\"%s\", " \ --"RUN+=\"" BINDIR "/mdadm --incremental $env{DEVNAME}\"\n" -+"RUN+=\"%s/mdadm --incremental $env{DEVNAME}\"\n" - - #define UDEV_RULE_FORMAT_NOTYPE \ - "ACTION==\"add\", SUBSYSTEM==\"block\", " \ - "ENV{ID_PATH}==\"%s\", " \ --"RUN+=\"" BINDIR "/mdadm --incremental $env{DEVNAME}\"\n" -+"RUN+=\"%s/mdadm --incremental $env{DEVNAME}\"\n" -+ -+#ifdef NIXOS -+const char *get_mdadm_bindir(void) -+{ -+ static char *bindir = NULL; -+ if (bindir != NULL) { -+ return bindir; -+ } else { -+ int len; -+ bindir = xmalloc(1025); -+ len = readlink("/proc/self/exe", bindir, 1024); -+ if (len > 0) { -+ char *basename; -+ if ((basename = strrchr(bindir, '/')) != NULL) -+ *basename = '\0'; -+ else -+ *(bindir + len) = '\0'; -+ } else { -+ *bindir = '\0'; -+ } -+ return bindir; -+ } -+} -+#define SELF get_mdadm_bindir() -+#else -+#define SELF BINDIR -+#endif - - /* Write rule in the rule file. Use format from UDEV_RULE_FORMAT */ - int write_rule(struct rule *rule, int fd, int force_part) -@@ -836,9 +863,9 @@ int write_rule(struct rule *rule, int fd, int force_part) - if (force_part) - typ = type_part; - if (typ) -- snprintf(line, sizeof(line) - 1, UDEV_RULE_FORMAT, typ, pth); -+ snprintf(line, sizeof(line) - 1, UDEV_RULE_FORMAT, typ, pth, SELF); - else -- snprintf(line, sizeof(line) - 1, UDEV_RULE_FORMAT_NOTYPE, pth); -+ snprintf(line, sizeof(line) - 1, UDEV_RULE_FORMAT_NOTYPE, pth, SELF); - return write(fd, line, strlen(line)) == (int)strlen(line); - } - -diff --git a/util.c b/util.c -index 3d05d074..e004a798 100644 ---- a/util.c -+++ b/util.c -@@ -1913,7 +1913,9 @@ int start_mdmon(char *devnm) - char pathbuf[1024]; - char *paths[4] = { - pathbuf, -+#ifndef NIXOS - BINDIR "/mdmon", -+#endif - "./mdmon", - NULL - }; diff --git a/pkgs/by-name/md/mdadm4/package.nix b/pkgs/by-name/md/mdadm4/package.nix index 2143acc494e55..a35b504f6234e 100644 --- a/pkgs/by-name/md/mdadm4/package.nix +++ b/pkgs/by-name/md/mdadm4/package.nix @@ -15,27 +15,16 @@ stdenv.mkDerivation (finalAttrs: { pname = "mdadm"; - version = "4.4"; + version = "4.6"; src = fetchgit { url = "https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git"; tag = "mdadm-${finalAttrs.version}"; - hash = "sha256-jGmc8fkJM0V9J7V7tQPXSF/WD0kzyEAloBAwaAFenS0="; + hash = "sha256-jFsVPJC4lcShkSwQCGjVdVkvk4q4weM7i5DzrLgpuSM="; }; patches = [ - ./no-self-references.patch ./fix-hardcoded-mapdir.patch - # Fixes build on musl - (fetchurl { - url = "https://raw.githubusercontent.com/void-linux/void-packages/e58d2b17d3c40faffc0d426aab00184f28d9dafa/srcpkgs/mdadm/patches/musl.patch"; - hash = "sha256-TIcQs+8RM5Q6Z8MHkI50kaJd7f9WdS/EVI16F7b2+SA="; - }) - # Fixes build on musl 1.2.5+ - (fetchurl { - url = "https://lore.kernel.org/linux-raid/20240220165158.3521874-1-raj.khem@gmail.com/raw"; - hash = "sha256-JOZ8n7zi+nq236NPpB4e2gUy8I3l3DbcoLhpeL73f98="; - }) ]; makeFlags = [ @@ -97,6 +86,7 @@ stdenv.mkDerivation (finalAttrs: { }; meta = { + changelog = "https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/tree/CHANGELOG.md?h=${finalAttrs.src.tag}"; description = "Programs for managing RAID arrays under Linux"; homepage = "https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git"; license = lib.licenses.gpl2Plus; diff --git a/pkgs/by-name/ni/nixos-init/src/find_etc.rs b/pkgs/by-name/ni/nixos-init/src/find_etc.rs index 8b994e1d75343..d06f7bbb0114e 100644 --- a/pkgs/by-name/ni/nixos-init/src/find_etc.rs +++ b/pkgs/by-name/ni/nixos-init/src/find_etc.rs @@ -3,7 +3,7 @@ use std::{os::unix, path::Path}; use anyhow::{Context, Result}; use crate::config::Config; -use crate::{SYSROOT_PATH, find_toplevel_in_prefix, resolve_in_prefix}; +use crate::{SYSROOT_PATH, find_init_in_prefix, resolve_in_prefix, verify_init_is_nixos}; /// Entrypoint for the `find-etc` binary. /// @@ -12,7 +12,20 @@ use crate::{SYSROOT_PATH, find_toplevel_in_prefix, resolve_in_prefix}; /// This avoids needing a reference to the toplevel embedded in the initrd and thus reduces the /// need to re-build it. pub fn find_etc() -> Result<()> { - let toplevel = find_toplevel_in_prefix(SYSROOT_PATH)?; + let init_in_sysroot = + find_init_in_prefix(SYSROOT_PATH).context("Failed to find init in sysroot")?; + + // A non-NixOS init= (e.g. init=/bin/sh) has no etc metadata image. Skip + // without creating the symlinks: the etc-overlay mounts are gated on them + // and so skip too, and initrd-init switches root to the init directly. + let Ok(toplevel) = verify_init_is_nixos(SYSROOT_PATH, &init_in_sysroot) else { + log::info!( + "{} is not a NixOS system - not setting up the etc overlay.", + init_in_sysroot.display() + ); + return Ok(()); + }; + let config = Config::from_toplevel(&toplevel, SYSROOT_PATH)?; let basedir = config diff --git a/pkgs/by-name/ni/nixos-init/src/lib.rs b/pkgs/by-name/ni/nixos-init/src/lib.rs index c781757c9b820..bbb4abdb829b5 100644 --- a/pkgs/by-name/ni/nixos-init/src/lib.rs +++ b/pkgs/by-name/ni/nixos-init/src/lib.rs @@ -27,16 +27,6 @@ pub use crate::{ pub const SYSROOT_PATH: &str = "/sysroot"; -/// Find the path to the toplevel closure of the system in a prefix. -/// -/// Uses the `init=` parameter on the kernel command-line. -/// -/// Returns the relative path of the init to the prefix, e.g. without the `/sysroot` prefix. -pub fn find_toplevel_in_prefix(prefix: &str) -> Result { - let init_in_sysroot = find_init_in_prefix(prefix)?; - verify_init_is_nixos(prefix, init_in_sysroot) -} - /// Verify that an init path is inside a `NixOS` toplevel directory. /// /// If the path is verified, returns the path to the toplevel. @@ -87,20 +77,16 @@ pub fn find_init_in_prefix(prefix: &str) -> Result { } /// Extract the value of the `init` parameter from the given kernel `cmdline`. +/// +/// If `init=` appears multiple times the last one wins, matching the kernel. +/// This is what makes appending `init=/bin/sh` at the boot prompt work even +/// though the boot entry already has an `init=`. fn extract_init(cmdline: &str) -> Result { - let init_params: Vec<&str> = cmdline + let init = cmdline .split_ascii_whitespace() - .filter(|p| p.starts_with("init=")) - .collect(); - - if init_params.len() != 1 { - bail!("Expected exactly one init param on kernel cmdline: {cmdline}") - } - - let init = init_params - .first() - .and_then(|s| s.split('=').next_back()) - .context("Failed to extract init path from kernel cmdline: {cmdline}")?; + .filter_map(|p| p.strip_prefix("init=")) + .next_back() + .with_context(|| format!("No init= parameter on kernel cmdline: {cmdline}"))?; Ok(PathBuf::from(init)) } @@ -129,4 +115,25 @@ mod tests { Ok(()) } + + #[test] + fn test_extract_init_single() { + assert_eq!( + extract_init("root=fstab init=/nix/store/xxx-nixos/init quiet").unwrap(), + PathBuf::from("/nix/store/xxx-nixos/init") + ); + } + + #[test] + fn test_extract_init_last_wins() { + assert_eq!( + extract_init("init=/nix/store/xxx-nixos/init init=/bin/sh").unwrap(), + PathBuf::from("/bin/sh") + ); + } + + #[test] + fn test_extract_init_missing() { + assert!(extract_init("root=fstab quiet").is_err()); + } } diff --git a/pkgs/by-name/op/openapv/package.nix b/pkgs/by-name/op/openapv/package.nix index b153552d6f172..27d31127a0041 100644 --- a/pkgs/by-name/op/openapv/package.nix +++ b/pkgs/by-name/op/openapv/package.nix @@ -12,13 +12,13 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "openapv"; - version = "0.2.1.2"; + version = "0.2.1.3"; src = fetchFromGitHub { owner = "AcademySoftwareFoundation"; repo = "openapv"; - tag = "v${finalAttrs.version}"; - hash = "sha256-wxncN7j5p0GXpWhOx4Ix0oTgGK2sIrfJgQ45fFwmQBI="; + tag = "v${finalAttrs.version}-fix"; # Remove the `-fix` suffix after the next version + hash = "sha256-lc/x2dWh6T8c63siHB32ka+SPVYTTyaO4YrQ12EbGqw="; }; postPatch = '' diff --git a/pkgs/by-name/op/openldap/package.nix b/pkgs/by-name/op/openldap/package.nix index c87e6c2e75a5f..7499f3a6fd163 100644 --- a/pkgs/by-name/op/openldap/package.nix +++ b/pkgs/by-name/op/openldap/package.nix @@ -122,6 +122,8 @@ stdenv.mkDerivation (finalAttrs: { # https://bugs.openldap.org/show_bug.cgi?id=8623 rm -f tests/scripts/test022-ppolicy + rm -f tests/scripts/test*-sync* + rm -f tests/scripts/test063-delta-multiprovider # https://bugs.openldap.org/show_bug.cgi?id=10009 diff --git a/pkgs/by-name/pd/pdftitle/package.nix b/pkgs/by-name/pd/pdftitle/package.nix index d28ca7f8e2813..2e402c91cb3f2 100644 --- a/pkgs/by-name/pd/pdftitle/package.nix +++ b/pkgs/by-name/pd/pdftitle/package.nix @@ -2,7 +2,6 @@ lib, fetchFromGitHub, python3Packages, - openai, pdfminer, withOpenai ? false, diff --git a/pkgs/by-name/pr/prometheus-bind-exporter/package.nix b/pkgs/by-name/pr/prometheus-bind-exporter/package.nix index 1749028329e98..b135449f097b9 100644 --- a/pkgs/by-name/pr/prometheus-bind-exporter/package.nix +++ b/pkgs/by-name/pr/prometheus-bind-exporter/package.nix @@ -7,16 +7,16 @@ buildGoModule rec { pname = "bind_exporter"; - version = "0.7.0"; + version = "0.8.0"; src = fetchFromGitHub { rev = "v${version}"; owner = "prometheus-community"; repo = "bind_exporter"; - sha256 = "sha256-x/XGatlXCKo9cI92JzFItApsjuZAfZX+8IZRpy7PVUo="; + sha256 = "sha256-r1P+zy3iMgPmfvIBgycW8KS0gfNOxCT9YMmHdeY4uXA="; }; - vendorHash = "sha256-f0ei/zotOj5ebURAOWUox/7J3jS2abQ5UgjninI9nRk="; + vendorHash = "sha256-/fPj5LOe3QdnVPdtYdaqtnGMJ7/SZ458mpvjwO8TxEI="; passthru.tests = { inherit (nixosTests.prometheus-exporters) bind; }; diff --git a/pkgs/by-name/pu/publicsuffix-list/package.nix b/pkgs/by-name/pu/publicsuffix-list/package.nix index 72c500777df23..ea3f3d9fa1e47 100644 --- a/pkgs/by-name/pu/publicsuffix-list/package.nix +++ b/pkgs/by-name/pu/publicsuffix-list/package.nix @@ -7,13 +7,13 @@ stdenvNoCC.mkDerivation { pname = "publicsuffix-list"; - version = "0-unstable-2026-03-26"; + version = "0-unstable-2026-05-13"; src = fetchFromGitHub { owner = "publicsuffix"; repo = "list"; - rev = "d333b72b39575da1ce6932b01d7c421a4107c620"; - hash = "sha256-LWnvQrIyj+iq96T1u9WEq+HGOZ5sJYN5nCintEr6sBk="; + rev = "e452c7058d6946bd76952b128c12f5ce87a5acb8"; + hash = "sha256-5D4RZAyJOL4hMU32Rmp3SYmjgqEtF36mZJr4YBG0k7E="; }; dontBuild = true; diff --git a/pkgs/by-name/rs/rsync/fix-tests-in-darwin-sandbox.patch b/pkgs/by-name/rs/rsync/fix-tests-in-darwin-sandbox.patch deleted file mode 100644 index d9209a97c1ed3..0000000000000 --- a/pkgs/by-name/rs/rsync/fix-tests-in-darwin-sandbox.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 9b104ed9859f17b6ed4c4ad01806c75a0c197dd7 Mon Sep 17 00:00:00 2001 -From: Emily -Date: Tue, 5 Aug 2025 15:55:24 +0100 -Subject: [PATCH] Allow `ls(1)` to fail in test setup - -This can happen when the tests are unable to `stat(2)` some files in -`/etc`, `/bin`, or `/`, due to Unix permissions or other sandboxing. We -still guard against serious errors, which use exit code 2. ---- - testsuite/longdir.test | 4 ++-- - testsuite/rsync.fns | 8 ++++---- - 2 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/testsuite/longdir.test b/testsuite/longdir.test -index 8d66bb5f..26747292 100644 ---- a/testsuite/longdir.test -+++ b/testsuite/longdir.test -@@ -16,9 +16,9 @@ makepath "$longdir" || test_skipped "unable to create long directory" - touch "$longdir/1" || test_skipped "unable to create files in long directory" - date > "$longdir/1" - if [ -r /etc ]; then -- ls -la /etc >"$longdir/2" -+ ls -la /etc >"$longdir/2" || [ $? -eq 1 ] - else -- ls -la / >"$longdir/2" -+ ls -la / >"$longdir/2" || [ $? -eq 1 ] - fi - checkit "$RSYNC --delete -avH '$fromdir/' '$todir'" "$fromdir/" "$todir" - -diff --git a/testsuite/rsync.fns b/testsuite/rsync.fns -index 2ab97b69..f7da363f 100644 ---- a/testsuite/rsync.fns -+++ b/testsuite/rsync.fns -@@ -195,15 +195,15 @@ hands_setup() { - echo some data > "$fromdir/dir/subdir/foobar.baz" - mkdir "$fromdir/dir/subdir/subsubdir" - if [ -r /etc ]; then -- ls -ltr /etc > "$fromdir/dir/subdir/subsubdir/etc-ltr-list" -+ ls -ltr /etc > "$fromdir/dir/subdir/subsubdir/etc-ltr-list" || [ $? -eq 1 ] - else -- ls -ltr / > "$fromdir/dir/subdir/subsubdir/etc-ltr-list" -+ ls -ltr / > "$fromdir/dir/subdir/subsubdir/etc-ltr-list" || [ $? -eq 1 ] - fi - mkdir "$fromdir/dir/subdir/subsubdir2" - if [ -r /bin ]; then -- ls -lt /bin > "$fromdir/dir/subdir/subsubdir2/bin-lt-list" -+ ls -lt /bin > "$fromdir/dir/subdir/subsubdir2/bin-lt-list" || [ $? -eq 1 ] - else -- ls -lt / > "$fromdir/dir/subdir/subsubdir2/bin-lt-list" -+ ls -lt / > "$fromdir/dir/subdir/subsubdir2/bin-lt-list" || [ $? -eq 1 ] - fi - - # echo testing head: --- -2.50.1 - diff --git a/pkgs/by-name/rs/rsync/package.nix b/pkgs/by-name/rs/rsync/package.nix index 90380b4869166..a102ff36cc15f 100644 --- a/pkgs/by-name/rs/rsync/package.nix +++ b/pkgs/by-name/rs/rsync/package.nix @@ -1,12 +1,12 @@ { lib, stdenv, - fetchpatch, fetchurl, + fetchpatch, updateAutotoolsGnuConfigScriptsHook, perl, - + python3, libiconv, zlib, popt, @@ -29,24 +29,29 @@ stdenv.mkDerivation (finalAttrs: { pname = "rsync"; - version = "3.4.1"; + version = "3.4.4"; src = fetchurl { # signed with key 9FEF 112D CE19 A0DC 7E88 2CB8 1BB2 4997 A853 5F6F url = "mirror://samba/rsync/src/rsync-${finalAttrs.version}.tar.gz"; - hash = "sha256-KSS8s6Hti1UfwQH3QLnw/gogKxFQJ2R89phQ1l/YjFI="; + hash = "sha256-vYjPgvplPaMjFPsikTZAfFyQ+A0XWNj0sJF2eHfY+pY="; }; - patches = [ - # See: - ./fix-tests-in-darwin-sandbox.patch - # fix compilation with gcc15 + patches = lib.optionals (stdenv.hostPlatform.isDarwin) [ + # Fixes test failure on darwin (fetchpatch { - url = "https://github.com/RsyncProject/rsync/commit/a4b926dcdce96b0f2cc0dc7744e95747b233500a.patch"; - hash = "sha256-UiEQJ+p2gtIDYNJqnxx4qKgItKIZzCpkHnvsgoxBmSE="; + url = "https://github.com/RsyncProject/rsync/commit/e1c5f0e93a75dd45f32f3b92ba221ef158ac2e5f.patch"; + hash = "sha256-pg65K9BCTq/WvS5icK6KT28ARccFKedp2445wLYdRsE="; + excludes = [ + ".github/workflows/cygwin-build.yml" + ]; }) ]; + preBuild = '' + patchShebangs ./runtests.py + ''; + nativeBuildInputs = [ updateAutotoolsGnuConfigScriptsHook perl @@ -86,6 +91,15 @@ stdenv.mkDerivation (finalAttrs: { passthru.tests = { inherit (nixosTests) rsyncd; }; + nativeCheckInputs = [ + python3 + ]; + + # Test fails when built in a chroot store + preCheck = '' + rm testsuite/chgrp.test + ''; + doCheck = true; __darwinAllowLocalNetworking = true; diff --git a/pkgs/by-name/ru/ruff/package.nix b/pkgs/by-name/ru/ruff/package.nix index 8aa8f51b82736..ca5d024755088 100644 --- a/pkgs/by-name/ru/ruff/package.nix +++ b/pkgs/by-name/ru/ruff/package.nix @@ -16,7 +16,7 @@ rustPlatform.buildRustPackage (finalAttrs: { pname = "ruff"; - version = "0.15.17"; + version = "0.15.18"; __structuredAttrs = true; @@ -24,12 +24,12 @@ rustPlatform.buildRustPackage (finalAttrs: { owner = "astral-sh"; repo = "ruff"; tag = finalAttrs.version; - hash = "sha256-+UsKRBe+lp/LdsmK/W11wCt2RypEryA5eBPb01OKCJw="; + hash = "sha256-DH00tENXdCdNcGPXPGzZsU3RVYQ0VBe1QLvbgEg/G6k="; }; cargoBuildFlags = [ "--package=ruff" ]; - cargoHash = "sha256-y1sKf+KXya/K+WUiIE357U6DXh/d+AQgj0SQIi1gpUw="; + cargoHash = "sha256-RmK14NMPbhoRVLwIF5GXdGQg2AnMH20JGx7XF4HO+wY="; nativeBuildInputs = [ installShellFiles ]; diff --git a/pkgs/by-name/ru/rust-cbindgen/package.nix b/pkgs/by-name/ru/rust-cbindgen/package.nix index 14374532ff525..88bb855e800b0 100644 --- a/pkgs/by-name/ru/rust-cbindgen/package.nix +++ b/pkgs/by-name/ru/rust-cbindgen/package.nix @@ -14,16 +14,16 @@ rustPlatform.buildRustPackage (finalAttrs: { pname = "rust-cbindgen"; - version = "0.29.2"; + version = "0.29.3"; src = fetchFromGitHub { owner = "mozilla"; repo = "cbindgen"; rev = "v${finalAttrs.version}"; - hash = "sha256-P2A+XSLrcuYsI48gnZSNNs5qX+EatiuEJSEJbMvMSxg="; + hash = "sha256-d0rY7Sk37s8HEZlQq9Sbjj1P+DgygD0Yjx8cXlFKEIA="; }; - cargoHash = "sha256-DbmlpjiOraLWPh5RgJqCIGIYzE1h82MH2S6gpLH+CIQ="; + cargoHash = "sha256-UeierkQpfCiB5ES9ZW9hO+0AcI9Ip8qSJ/Nd+I1xrmQ="; nativeCheckInputs = [ cmake diff --git a/pkgs/by-name/sd/sdl3/package.nix b/pkgs/by-name/sd/sdl3/package.nix index 19ee7429320d4..f5814d3f91b8e 100644 --- a/pkgs/by-name/sd/sdl3/package.nix +++ b/pkgs/by-name/sd/sdl3/package.nix @@ -70,7 +70,7 @@ assert lib.assertMsg (ibusSupport -> dbusSupport) "SDL3 requires dbus support to stdenv.mkDerivation (finalAttrs: { pname = "sdl3"; - version = "3.4.8"; + version = "3.4.10"; outputs = [ "lib" @@ -83,14 +83,21 @@ stdenv.mkDerivation (finalAttrs: { owner = "libsdl-org"; repo = "SDL"; tag = "release-${finalAttrs.version}"; - hash = "sha256-uBGyGxrUVx642Ku8qhR2sTy2JagcSioIhh/5RsXVAIM="; + hash = "sha256-6Dph2eLiJUmpQzPWe8EuY5LrWhrFwde2f2dwfgCcWNw="; }; postPatch = - # Tests timeout on Darwin lib.optionalString (finalAttrs.finalPackage.doCheck) '' + # Tests timeout on Darwin substituteInPlace test/CMakeLists.txt \ --replace-fail 'set(noninteractive_timeout 10)' 'set(noninteractive_timeout 30)' + + # intermittent test failure + # https://github.com/libsdl-org/SDL/issues/15346 + substituteInPlace test/CMakeLists.txt \ + --replace-fail \ + 'add_sdl_test_executable(testrwlock SOURCES testrwlock.c NONINTERACTIVE NONINTERACTIVE_TIMEOUT 20)' \ + 'add_sdl_test_executable(testrwlock SOURCES testrwlock.c NONINTERACTIVE NONINTERACTIVE_TIMEOUT 300)' '' + lib.optionalString waylandSupport '' substituteInPlace src/dialog/unix/SDL_zenitymessagebox.c \ diff --git a/pkgs/by-name/si/simdjson/package.nix b/pkgs/by-name/si/simdjson/package.nix index 575f604ca34c4..3cb507297c472 100644 --- a/pkgs/by-name/si/simdjson/package.nix +++ b/pkgs/by-name/si/simdjson/package.nix @@ -7,13 +7,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "simdjson"; - version = "4.6.0"; + version = "4.6.4"; src = fetchFromGitHub { owner = "simdjson"; repo = "simdjson"; tag = "v${finalAttrs.version}"; - hash = "sha256-VGErBWAHk63XMv8yC+Na+gXHByhYhtIEMSBySwIDlXk="; + hash = "sha256-8oQzsR7DSaNTN9su1uI9tRQ9HvOwXShPwSrnQj8+lGM="; }; nativeBuildInputs = [ cmake ]; diff --git a/pkgs/by-name/st/strace/package.nix b/pkgs/by-name/st/strace/package.nix index 86f8b0fa4c42a..77345bd6a3ae7 100644 --- a/pkgs/by-name/st/strace/package.nix +++ b/pkgs/by-name/st/strace/package.nix @@ -11,11 +11,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "strace"; - version = "7.0"; + version = "7.1"; src = fetchurl { url = "https://strace.io/files/${finalAttrs.version}/strace-${finalAttrs.version}.tar.xz"; - hash = "sha256-bJJBm+Py7FYLMXKKRlIhfFmGTIZCunsbN3GxsBOtB0s="; + hash = "sha256-gXQ+zypbRBhrL1A4r9yL7aflxwrtFbT7+8xuns4kSQ8="; }; separateDebugInfo = true; diff --git a/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs b/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs index 1bc5810d3fd37..db6009945e9cc 100644 --- a/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs +++ b/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs @@ -743,11 +743,6 @@ fn handle_modified_unit( // This unit should be restarted instead of stopped and started. units_to_restart.insert(unit.to_string(), ()); record_unit(&restart_list, unit); - // Remove from units to reload so we don't restart and reload - if units_to_reload.contains_key(unit) { - units_to_reload.remove(unit); - unrecord_unit(&reload_list, unit); - } } else { // If this unit is socket-activated, then stop the socket unit(s) as well, and // restart the socket(s) instead of the service. @@ -769,10 +764,17 @@ fn handle_modified_unit( }; if sockets.is_empty() { - sockets.push(format!("{base_name}.socket")); + // For a templated instance (`foo@bar.service`), `base_name` + // includes the trailing `@`; the implicitly-associated socket + // is `foo.socket`, so strip it. + let socket_base = base_name.strip_suffix('@').unwrap_or(base_name); + sockets.push(format!("{socket_base}.socket")); } for socket in &sockets { + let socket_in_new_config = + toplevel.join(scope.etc_dir()).join(socket).exists(); + if active_cur.contains_key(socket) { // We can now be sure this is a socket-activated unit @@ -783,7 +785,7 @@ fn handle_modified_unit( } // Only restart sockets that actually exist in new configuration: - if toplevel.join(scope.etc_dir()).join(socket).exists() { + if socket_in_new_config { if use_restart_as_stop_and_start { units_to_restart.insert(socket.to_string(), ()); record_unit(&restart_list, socket); @@ -794,12 +796,9 @@ fn handle_modified_unit( socket_activated = true; } - - // Remove from units to reload so we don't restart and reload - if units_to_reload.contains_key(unit) { - units_to_reload.remove(unit); - unrecord_unit(&reload_list, unit); - } + } else if socket_in_new_config { + // Transitioning to socket activation; let the socket start it. + socket_activated = true; } } } @@ -828,11 +827,11 @@ fn handle_modified_unit( } else { units_to_stop.insert(unit.to_string(), ()); } - // Remove from units to reload so we don't restart and reload - if units_to_reload.contains_key(unit) { - units_to_reload.remove(unit); - unrecord_unit(&reload_list, unit); - } + } + + // Remove from units to reload so we don't restart and reload + if units_to_reload.remove(unit).is_some() { + unrecord_unit(&reload_list, unit); } } } diff --git a/pkgs/by-name/ty/ty/package.nix b/pkgs/by-name/ty/ty/package.nix index 41db756b44922..48a4dbae05f2a 100644 --- a/pkgs/by-name/ty/ty/package.nix +++ b/pkgs/by-name/ty/ty/package.nix @@ -17,7 +17,7 @@ rustPlatform.buildRustPackage (finalAttrs: { pname = "ty"; - version = "0.0.49"; + version = "0.0.52"; __structuredAttrs = true; src = fetchFromGitHub { @@ -25,7 +25,7 @@ rustPlatform.buildRustPackage (finalAttrs: { repo = "ty"; tag = finalAttrs.version; fetchSubmodules = true; - hash = "sha256-IKeoskueujGYFjhUd3V7iwKwZjFZqG3OYfe36S6J2aw="; + hash = "sha256-p9fTzQ4DYvnwrtLdpSTekBV4ZbR1KETR8dfsbp8CDpo="; }; # For Darwin platforms, remove the integration test for file notifications, @@ -39,7 +39,7 @@ rustPlatform.buildRustPackage (finalAttrs: { cargoBuildFlags = [ "--package=ty" ]; - cargoHash = "sha256-y1sKf+KXya/K+WUiIE357U6DXh/d+AQgj0SQIi1gpUw="; + cargoHash = "sha256-NUIdYOeyRsR/ZQueEXshYdWTnSeQiRjZRRi2ag8Dm48="; nativeBuildInputs = [ installShellFiles ]; buildInputs = [ rust-jemalloc-sys ]; diff --git a/pkgs/by-name/un/unbound/package.nix b/pkgs/by-name/un/unbound/package.nix index 45cdc57ff0a87..9358185211031 100644 --- a/pkgs/by-name/un/unbound/package.nix +++ b/pkgs/by-name/un/unbound/package.nix @@ -57,13 +57,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "unbound"; - version = "1.25.0"; + version = "1.25.1"; src = fetchFromGitHub { owner = "NLnetLabs"; repo = "unbound"; tag = "release-${finalAttrs.version}"; - hash = "sha256-BAqGNi5lfYYTQd7CPH0lssLc5/AkeuKSVEFcrF/cNyc="; + hash = "sha256-1PXnxCPxoB5IrVBQIsrxiWAq+IoH7Ma9T1TTJsoTJc4="; }; outputs = [ diff --git a/pkgs/by-name/va/valkey/package.nix b/pkgs/by-name/va/valkey/package.nix index 81a40f68bf214..82e625efe9330 100644 --- a/pkgs/by-name/va/valkey/package.nix +++ b/pkgs/by-name/va/valkey/package.nix @@ -2,7 +2,6 @@ lib, stdenv, fetchFromGitHub, - fetchpatch, lua, jemalloc, pkg-config, @@ -25,13 +24,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "valkey"; - version = "9.0.4"; + version = "9.1.0"; src = fetchFromGitHub { owner = "valkey-io"; repo = "valkey"; rev = finalAttrs.version; - hash = "sha256-FDm6i6G6h9WapMTj7ke4YtOjZ4rwIJZGONunQi0v7CE="; + hash = "sha256-RMZz83fycpOTPWB1dIXU0/hdh4ZGC+6JhCws8htAQ5E="; }; patches = lib.optional useSystemJemalloc ./use_system_jemalloc.patch; @@ -94,13 +93,14 @@ stdenv.mkDerivation (finalAttrs: { fi # Skip some more flaky tests. - # Skip test requiring custom jemalloc (unit/memefficiency). + # Skip test requiring custom jemalloc (unit/memefficiency, unit/type/string). ./runtest \ --no-latency \ --timeout 2000 \ --clients "$CLIENTS" \ --tags -leaks \ --skipunit unit/memefficiency \ + --skipunit unit/type/string \ --skipunit integration/failover \ --skipunit integration/aof-multi-part diff --git a/pkgs/by-name/xv/xvfb/package.nix b/pkgs/by-name/xv/xvfb/package.nix index d14e353387763..934fade5a7958 100644 --- a/pkgs/by-name/xv/xvfb/package.nix +++ b/pkgs/by-name/xv/xvfb/package.nix @@ -38,13 +38,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "xvfb"; - # TODO: rebuild avoidance. revert on staging. - # inherit (xorg-server) src version; - version = "21.1.22"; - src = fetchurl { - url = "mirror://xorg/individual/xserver/xorg-server-${finalAttrs.version}.tar.xz"; - hash = "sha256-GiQsiRfEm6KczB9gIWE9iiuYBd0NJxpmrp0J9LC7BrM="; - }; + inherit (xorg-server) src version; strictDeps = true; diff --git a/pkgs/development/compilers/go/1.26.nix b/pkgs/development/compilers/go/1.26.nix index 01704593ad777..242fa4c91de87 100644 --- a/pkgs/development/compilers/go/1.26.nix +++ b/pkgs/development/compilers/go/1.26.nix @@ -25,11 +25,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "go"; - version = "1.26.3"; + version = "1.26.4"; src = fetchurl { url = "https://go.dev/dl/go${finalAttrs.version}.src.tar.gz"; - hash = "sha256-HGRoddCqh5kTMYTtV895/yS97+jIggRwYCqdPW2Rkrg="; + hash = "sha256-T2aKMvv8ETLmqIH7lowvHa2mMUkqM5IRc1+7JVpCYC0="; }; strictDeps = true; diff --git a/pkgs/development/compilers/rust/cargo.nix b/pkgs/development/compilers/rust/cargo.nix index a86e4a3d186d7..7c3d4eb2a5e0a 100644 --- a/pkgs/development/compilers/rust/cargo.nix +++ b/pkgs/development/compilers/rust/cargo.nix @@ -3,6 +3,7 @@ stdenv, pkgsHostHost, pkgsBuildBuild, + fetchpatch, file, curl, pkg-config, @@ -26,6 +27,23 @@ rustPlatform.buildRustPackage.override pname = "cargo"; inherit (rustc.unwrapped) version src; + patches = [ + (fetchpatch { + name = "CVE-2026-5222.patch"; + url = "https://github.com/rust-lang/cargo/commit/c4d63a44234de22dc745231c416b80ed848d997f.patch"; + stripLen = 1; + extraPrefix = "src/tools/cargo/"; + hash = "sha256-YG7xtC308z+o1xVzrV81qqWov1121GVouyAXKflyBF8="; + }) + (fetchpatch { + name = "CVE-2026-5223.patch"; + url = "https://github.com/rust-lang/cargo/commit/285cebf58911eca5b7f177f5d0b1c53e1f646577.patch"; + stripLen = 1; + extraPrefix = "src/tools/cargo/"; + hash = "sha256-DbmPQ31N4AIYZEBiwwGAn59hgPsFEVTzA6PrI071LXE="; + }) + ]; + # the rust source tarball already has all the dependencies vendored, no need to fetch them again cargoVendorDir = "vendor"; buildAndTestSubdir = "src/tools/cargo"; diff --git a/pkgs/development/interpreters/perl/CVE-2026-8376.patch b/pkgs/development/interpreters/perl/CVE-2026-8376.patch new file mode 100644 index 0000000000000..c8ad722981788 --- /dev/null +++ b/pkgs/development/interpreters/perl/CVE-2026-8376.patch @@ -0,0 +1,20 @@ +Targeted patch for CVE-2026-8376, based on 5e7f119eb2bb1181be908701f22bf7068e722f1c but avoids changes to t/re/pat_psycho.t as they do not apply cleanly. + +diff --git a/regcomp_study.c b/regcomp_study.c +index b513454a4258..1602663f4b26 100644 +--- a/regcomp_study.c ++++ b/regcomp_study.c +@@ -2784,6 +2784,13 @@ Perl_study_chunk(pTHX_ + (U8 *) SvEND(data->last_found)) + - (U8*)s; + l -= old; ++ ++ if (l > 0 && ++ (mincount >= SSize_t_MAX / (SSize_t)l ++ || old > SSize_t_MAX - mincount * (SSize_t)l)) { ++ FAIL("Regexp out of space"); ++ } ++ + /* Get the added string: */ + last_str = newSVpvn_utf8(s + old, l, UTF); + last_chrs = UTF ? utf8_length((U8*)(s + old), diff --git a/pkgs/development/interpreters/perl/interpreter.nix b/pkgs/development/interpreters/perl/interpreter.nix index fce8e1c9e0f04..cdb03912b5177 100644 --- a/pkgs/development/interpreters/perl/interpreter.nix +++ b/pkgs/development/interpreters/perl/interpreter.nix @@ -36,6 +36,8 @@ let commonPatches = [ # Do not look in /usr etc. for dependencies. ./no-sys-dirs.patch + + ./CVE-2026-8376.patch ] # Fix build on Solaris on x86_64 @@ -79,6 +81,61 @@ let # Some more details: https://arsv.github.io/perl-cross/modules.html ++ lib.optional crossCompiling ./cross.patch; + # Inject fixed CPAN releases for bundled dual-life distributions until the + # next perl maintenance release includes them. + vendoredPerlDistributions = [ + { + # CVE-2026-7010 + path = "cpan/HTTP-Tiny"; + src = fetchurl { + url = "mirror://cpan/authors/id/H/HA/HAARG/HTTP-Tiny-0.094.tar.gz"; + hash = "sha256-poQemfwbVdFd6VlHzL17dnvsxRxxAhl/qPBE333cB0M="; + }; + } + { + # CVE-2026-3381, CVE-2026-4176 + path = "cpan/Compress-Raw-Zlib"; + src = fetchurl { + url = "mirror://cpan/authors/id/P/PM/PMQS/Compress-Raw-Zlib-2.222.tar.gz"; + hash = "sha256-Hf19URplVifIGBXTDTurwo+luIRV/wP4sECZ3LUShrg="; + }; + } + { + # Runtime dependency of IO-Compress 2.220. + path = "cpan/Compress-Raw-Bzip2"; + src = fetchurl { + url = "mirror://cpan/authors/id/P/PM/PMQS/Compress-Raw-Bzip2-2.218.tar.gz"; + hash = "sha256-iRU+ai69pSNJSTsHT6S3VJ/x+QU952E8GKXgXFtBX6g="; + }; + } + { + # CVE-2026-48962, CVE-2026-48961, CVE-2026-48959 + path = "cpan/IO-Compress"; + src = fetchurl { + url = "mirror://cpan/authors/id/P/PM/PMQS/IO-Compress-2.220.tar.gz"; + hash = "sha256-nZbqKR8sVO82fHOWuFfZO6GsHEsvG84T7Yo+Xz7rtic="; + }; + } + { + # CVE-2026-42496, CVE-2026-42497, CVE-2026-9538 + path = "cpan/Archive-Tar"; + src = fetchurl { + url = "mirror://cpan/authors/id/B/BI/BINGOS/Archive-Tar-3.12.tar.gz"; + hash = "sha256-ARTvObZfSfiWgoOrR3Gdfoj5jXNg/jZJvjMcf1PVgyw="; + }; + } + ]; + + replaceVendoredPerlDistributions = lib.concatMapStringsSep "\n" (d: '' + rm -rf ${d.path} + mkdir -p ${d.path} + + tar --strip-components=1 -C ${d.path} -xf ${d.src} + + # Remove executable bits to make t/porting/exec-bit.t happy. + find ${d.path} -type f -exec chmod a-x {} + + '') vendoredPerlDistributions; + libc = if stdenv.cc.libc or null != null then stdenv.cc.libc else "/usr"; libcInc = lib.getDev libc; libcLib = lib.getLib libc; @@ -136,10 +193,10 @@ stdenv.mkDerivation ( --replace "/bin/pwd" "$(type -P pwd)" '' ) - + - # Perl's build system uses the src variable, and its value may end up in - # the output in some cases (when cross-compiling) - '' + + replaceVendoredPerlDistributions + + '' + # Perl's build system uses the src variable, and its value may end up in + # the output in some cases (when cross-compiling). unset src ''; diff --git a/pkgs/development/libraries/ffmpeg/default.nix b/pkgs/development/libraries/ffmpeg/default.nix index 4735d184c0305..5baddb0c34e2c 100644 --- a/pkgs/development/libraries/ffmpeg/default.nix +++ b/pkgs/development/libraries/ffmpeg/default.nix @@ -30,8 +30,8 @@ let hash = "sha256-DjmW5LeI9OJmPeIh61znAns4+kolxwKguEvKawgxy8I="; }; v8 = { - version = "8.1"; - hash = "sha256-FdKhhCveEo5UodEoyUh3aBHABv3OT2VXmwBXE1ce3p0="; + version = "8.1.1"; + hash = "sha256-WPGfjTZjsgpR5QiANRWF4g6LF2ejGzFQUrLjhzw9cfQ="; }; in diff --git a/pkgs/development/libraries/glibc/2.42-master.patch b/pkgs/development/libraries/glibc/2.42-master.patch index 47ed7dd1183bb..a7bdf93961db0 100644 --- a/pkgs/development/libraries/glibc/2.42-master.patch +++ b/pkgs/development/libraries/glibc/2.42-master.patch @@ -7154,3 +7154,762 @@ index 00181cfefb..e83ea2b939 100644 TEST_VERIFY (ret != 0); TEST_COMPARE (errno, EBUSY); } + +commit f13c1bb0f97fbc12a6ba1ab5669ce561ea32b80a +Author: Florian Weimer +Date: Thu Apr 16 19:13:43 2026 +0200 + + Use pending character state in IBM1390, IBM1399 character sets (CVE-2026-4046) + + Follow the example in iso-2022-jp-3.c and use the __count state + variable to store the pending character. This avoids restarting + the conversion if the output buffer ends between two 4-byte UCS-4 + code points, so that the assert reported in the bug can no longer + happen. + + Even though the fix is applied to ibm1364.c, the change is only + effective for the two HAS_COMBINED codecs for IBM1390, IBM1399. + + The test case was mostly auto-generated using + claude-4.6-opus-high-thinking, and composer-2-fast shows up in the + log as well. During review, gpt-5.4-xhigh flagged that the original + version of the test case was not exercising the new character + flush logic. + + This fixes bug 33980. + + Assisted-by: LLM + Reviewed-by: Carlos O'Donell + (cherry picked from commit d6f08d1cf027f4eb2ba289a6cc66853722d4badc) + +diff --git a/iconvdata/Makefile b/iconvdata/Makefile +index 5a2abeea24..cc689f63e9 100644 +--- a/iconvdata/Makefile ++++ b/iconvdata/Makefile +@@ -76,7 +76,7 @@ tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \ + tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \ + bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \ + bug-iconv13 bug-iconv14 bug-iconv15 \ +- tst-iconv-iso-2022-cn-ext ++ tst-iconv-iso-2022-cn-ext tst-bug33980 + ifeq ($(have-thread-library),yes) + tests += bug-iconv3 + endif +@@ -333,6 +333,8 @@ $(objpfx)bug-iconv15.out: $(addprefix $(objpfx), $(gconv-modules)) \ + $(addprefix $(objpfx),$(modules.so)) + $(objpfx)tst-iconv-iso-2022-cn-ext.out: $(addprefix $(objpfx), $(gconv-modules)) \ + $(addprefix $(objpfx),$(modules.so)) ++$(objpfx)tst-bug33980.out: $(addprefix $(objpfx), $(gconv-modules)) \ ++ $(addprefix $(objpfx),$(modules.so)) + + $(objpfx)iconv-test.out: run-iconv-test.sh \ + $(addprefix $(objpfx), $(gconv-modules)) \ +diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c +index 45c62acee5..244c61ad7a 100644 +--- a/iconvdata/ibm1364.c ++++ b/iconvdata/ibm1364.c +@@ -67,12 +67,29 @@ + + /* Since this is a stateful encoding we have to provide code which resets + the output state to the initial state. This has to be done during the +- flushing. */ ++ flushing. For the to-internal direction (FROM_DIRECTION is true), ++ there may be a pending character that needs flushing. */ + #define EMIT_SHIFT_TO_INIT \ + if ((data->__statep->__count & ~7) != sb) \ + { \ + if (FROM_DIRECTION) \ +- data->__statep->__count &= 7; \ ++ { \ ++ uint32_t ch = data->__statep->__count >> 7; \ ++ if (__glibc_unlikely (ch != 0)) \ ++ { \ ++ if (__glibc_unlikely (outend - outbuf < 4)) \ ++ status = __GCONV_FULL_OUTPUT; \ ++ else \ ++ { \ ++ put32 (outbuf, ch); \ ++ outbuf += 4; \ ++ /* Clear character and db bit. */ \ ++ data->__statep->__count &= 7; \ ++ } \ ++ } \ ++ else \ ++ data->__statep->__count &= 7; \ ++ } \ + else \ + { \ + /* We are not in the initial state. To switch back we have \ +@@ -99,11 +116,13 @@ + *curcsp = save_curcs + + +-/* Current codeset type. */ ++/* Current codeset type. The bit is stored in the __count variable of ++ the conversion state. If the db bit is set, bit 7 and above store ++ a pending UCS-4 code point if non-zero. */ + enum + { +- sb = 0, +- db = 64 ++ sb = 0, /* Single byte mode. */ ++ db = 64 /* Double byte mode. */ + }; + + +@@ -119,21 +138,29 @@ enum + } \ + else \ + { \ +- /* This is a combined character. Make sure we have room. */ \ +- if (__glibc_unlikely (outptr + 8 > outend)) \ +- { \ +- result = __GCONV_FULL_OUTPUT; \ +- break; \ +- } \ +- \ + const struct divide *cmbp \ + = &DB_TO_UCS4_COMB[ch - __TO_UCS4_COMBINED_MIN]; \ + assert (cmbp->res1 != 0 && cmbp->res2 != 0); \ + \ + put32 (outptr, cmbp->res1); \ + outptr += 4; \ +- put32 (outptr, cmbp->res2); \ +- outptr += 4; \ ++ \ ++ /* See whether we have room for the second character. */ \ ++ if (outend - outptr >= 4) \ ++ { \ ++ put32 (outptr, cmbp->res2); \ ++ outptr += 4; \ ++ } \ ++ else \ ++ { \ ++ /* Otherwise store only the first character now, and \ ++ put the second one into the queue. */ \ ++ curcs |= cmbp->res2 << 7; \ ++ inptr += 2; \ ++ /* Tell the caller why we terminate the loop. */ \ ++ result = __GCONV_FULL_OUTPUT; \ ++ break; \ ++ } \ + } \ + } + #else +@@ -153,7 +180,20 @@ enum + #define LOOPFCT FROM_LOOP + #define BODY \ + { \ +- uint32_t ch = *inptr; \ ++ uint32_t ch; \ ++ \ ++ ch = curcs >> 7; \ ++ if (__glibc_unlikely (ch != 0)) \ ++ { \ ++ put32 (outptr, ch); \ ++ outptr += 4; \ ++ /* Remove the pending character, but preserve state bits. */ \ ++ curcs &= (1 << 7) - 1; \ ++ continue; \ ++ } \ ++ \ ++ /* Otherwise read the next input byte. */ \ ++ ch = *inptr; \ + \ + if (__builtin_expect (ch, 0) == SO) \ + { \ +diff --git a/iconvdata/tst-bug33980.c b/iconvdata/tst-bug33980.c +new file mode 100644 +index 0000000000..c9693e0efe +--- /dev/null ++++ b/iconvdata/tst-bug33980.c +@@ -0,0 +1,153 @@ ++/* Test for bug 33980: combining characters in IBM1390/IBM1399. ++ Copyright (C) 2026 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++/* Run iconv in a loop with a small output buffer of OUTBUFSIZE bytes ++ starting at OUTBUF. OUTBUF should be right before an unmapped page ++ so that writing past the end will fault. Skip SHIFT bytes at the ++ start of the input and output, to exercise different buffer ++ alignment. TRUNCATE indicates skipped bytes at the end of ++ input (0 and 1 a valid). */ ++static void ++test_one (const char *encoding, unsigned int shift, unsigned int truncate, ++ char *outbuf, size_t outbufsize) ++{ ++ /* In IBM1390 and IBM1399, the DBCS code 0xECB5 expands to two ++ Unicode code points when translated. */ ++ static char input[] = ++ { ++ /* 8 letters X. */ ++ 0xe7, 0xe7, 0xe7, 0xe7, 0xe7, 0xe7, 0xe7, 0xe7, ++ /* SO, 0xECB5, SI: shift to DBCS, special character, shift back. */ ++ 0x0e, 0xec, 0xb5, 0x0f ++ }; ++ ++ /* Expected output after UTF-8 conversion. */ ++ static char expected[] = ++ { ++ 'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X', ++ /* U+304B (HIRAGANA LETTER KA). */ ++ 0xe3, 0x81, 0x8b, ++ /* U+309A (COMBINING KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK). */ ++ 0xe3, 0x82, 0x9a ++ }; ++ ++ iconv_t cd = iconv_open ("UTF-8", encoding); ++ TEST_VERIFY_EXIT (cd != (iconv_t) -1); ++ ++ char result_storage[64]; ++ struct alloc_buffer result_buf ++ = alloc_buffer_create (result_storage, sizeof (result_storage)); ++ ++ char *inptr = &input[shift]; ++ size_t inleft = sizeof (input) - shift - truncate; ++ ++ while (inleft > 0) ++ { ++ char *outptr = outbuf; ++ size_t outleft = outbufsize; ++ size_t inleft_before = inleft; ++ ++ size_t ret = iconv (cd, &inptr, &inleft, &outptr, &outleft); ++ size_t produced = outptr - outbuf; ++ alloc_buffer_copy_bytes (&result_buf, outbuf, produced); ++ ++ if (ret == (size_t) -1 && errno == E2BIG) ++ { ++ if (produced == 0 && inleft == inleft_before) ++ { ++ /* Output buffer too small to make progress. This is ++ expected for very small output buffer sizes. */ ++ TEST_VERIFY_EXIT (outbufsize < 3); ++ break; ++ } ++ continue; ++ } ++ if (ret == (size_t) -1) ++ FAIL_EXIT1 ("%s (outbufsize %zu): iconv: %m", encoding, outbufsize); ++ break; ++ } ++ ++ /* Flush any pending state (e.g. a buffered combined character). ++ With outbufsize < 3, we could not store the first character, so ++ the second character did not become pending, and there is nothing ++ to flush. */ ++ { ++ char *outptr = outbuf; ++ size_t outleft = outbufsize; ++ ++ size_t ret = iconv (cd, NULL, NULL, &outptr, &outleft); ++ TEST_VERIFY_EXIT (ret == 0); ++ size_t produced = outptr - outbuf; ++ alloc_buffer_copy_bytes (&result_buf, outbuf, produced); ++ ++ /* Second flush does not provide more data. */ ++ outptr = outbuf; ++ outleft = outbufsize; ++ ret = iconv (cd, NULL, NULL, &outptr, &outleft); ++ TEST_VERIFY_EXIT (ret == 0); ++ TEST_VERIFY (outptr == outbuf); ++ } ++ ++ TEST_VERIFY_EXIT (!alloc_buffer_has_failed (&result_buf)); ++ size_t result_used ++ = sizeof (result_storage) - alloc_buffer_size (&result_buf); ++ ++ if (outbufsize >= 3) ++ { ++ TEST_COMPARE (inleft, 0); ++ TEST_COMPARE (result_used, sizeof (expected) - shift); ++ TEST_COMPARE_BLOB (result_storage, result_used, ++ &expected[shift], sizeof (expected) - shift); ++ } ++ else ++ /* If the buffer is too small, only the leading X could be converted. */ ++ TEST_COMPARE (result_used, 8 - shift); ++ ++ TEST_VERIFY_EXIT (iconv_close (cd) == 0); ++} ++ ++static int ++do_test (void) ++{ ++ struct support_next_to_fault ntf ++ = support_next_to_fault_allocate (8); ++ ++ for (int shift = 0; shift <= 8; ++shift) ++ for (int truncate = 0; truncate < 2; ++truncate) ++ for (size_t outbufsize = 1; outbufsize <= 8; outbufsize++) ++ { ++ char *outbuf = ntf.buffer + ntf.length - outbufsize; ++ test_one ("IBM1390", shift, truncate, outbuf, outbufsize); ++ test_one ("IBM1399", shift, truncate, outbuf, outbufsize); ++ } ++ ++ support_next_to_fault_free (&ntf); ++ return 0; ++} ++ ++#include + +commit 12feedaf67e11c4618dc50c6aab4dbfd1e6d9531 +Author: DJ Delorie +Date: Mon Jan 26 22:24:42 2026 -0500 + + include: isolate __O_CLOEXEC flag for sys/mount.h and fcntl.h + + Including sys/mount.h should not implicitly include fcntl.h + as that causes namespace pollution and conflicts with kernel + headers. It only needs O_CLOEXEC for OPEN_TREE_CLOEXEC + (although it shouldn't need that, but it's defined that way) + so we provide that define (via a private version) separately. + + Reviewed-by: Adhemerval Zanella + Tested-by: Florian Weimer + (cherry picked from commit 419245719ccbc7dad6a97f24465e7f09c090327a) + +diff --git a/io/fcntl.c b/io/fcntl.c +index e88e28664c..b7dab1bb39 100644 +--- a/io/fcntl.c ++++ b/io/fcntl.c +@@ -18,6 +18,10 @@ + #include + #include + ++#ifndef __O_CLOEXEC ++# error __O_CLOEXEC not defined by fcntl.h/cloexec.h ++#endif ++ + /* Perform file control operations on FD. */ + int + __fcntl (int fd, int cmd, ...) +diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile +index c47cbdf428..053041f256 100644 +--- a/sysdeps/unix/sysv/linux/Makefile ++++ b/sysdeps/unix/sysv/linux/Makefile +@@ -129,6 +129,7 @@ CFLAGS-test-errno-linux.c += $(no-fortify-source) + + sysdep_headers += \ + bits/a.out.h \ ++ bits/cloexec.h \ + bits/epoll.h \ + bits/eventfd.h \ + bits/inotify.h \ +diff --git a/sysdeps/unix/sysv/linux/alpha/bits/cloexec.h b/sysdeps/unix/sysv/linux/alpha/bits/cloexec.h +new file mode 100644 +index 0000000000..f381f28a53 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/alpha/bits/cloexec.h +@@ -0,0 +1 @@ ++#define __O_CLOEXEC 010000000 +diff --git a/sysdeps/unix/sysv/linux/bits/cloexec.h b/sysdeps/unix/sysv/linux/bits/cloexec.h +new file mode 100644 +index 0000000000..3059fb6473 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/bits/cloexec.h +@@ -0,0 +1 @@ ++#define __O_CLOEXEC 02000000 +diff --git a/sysdeps/unix/sysv/linux/bits/fcntl-linux.h b/sysdeps/unix/sysv/linux/bits/fcntl-linux.h +index f425a4bf22..98954feaca 100644 +--- a/sysdeps/unix/sysv/linux/bits/fcntl-linux.h ++++ b/sysdeps/unix/sysv/linux/bits/fcntl-linux.h +@@ -81,9 +81,7 @@ + #ifndef __O_NOFOLLOW + # define __O_NOFOLLOW 0400000 + #endif +-#ifndef __O_CLOEXEC +-# define __O_CLOEXEC 02000000 +-#endif ++#include + #ifndef __O_DIRECT + # define __O_DIRECT 040000 + #endif +diff --git a/sysdeps/unix/sysv/linux/hppa/bits/cloexec.h b/sysdeps/unix/sysv/linux/hppa/bits/cloexec.h +new file mode 100644 +index 0000000000..f381f28a53 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/hppa/bits/cloexec.h +@@ -0,0 +1 @@ ++#define __O_CLOEXEC 010000000 +diff --git a/sysdeps/unix/sysv/linux/sparc/bits/cloexec.h b/sysdeps/unix/sysv/linux/sparc/bits/cloexec.h +new file mode 100644 +index 0000000000..6706eaa7d5 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/sparc/bits/cloexec.h +@@ -0,0 +1 @@ ++#define __O_CLOEXEC 0x400000 +diff --git a/sysdeps/unix/sysv/linux/sys/mount.h b/sysdeps/unix/sysv/linux/sys/mount.h +index b549e75148..365da1c296 100644 +--- a/sysdeps/unix/sysv/linux/sys/mount.h ++++ b/sysdeps/unix/sysv/linux/sys/mount.h +@@ -21,7 +21,6 @@ + #ifndef _SYS_MOUNT_H + #define _SYS_MOUNT_H 1 + +-#include + #include + #include + #include +@@ -266,6 +265,11 @@ enum fsconfig_command + + /* open_tree flags. */ + #define OPEN_TREE_CLONE 1 /* Clone the target tree and attach the clone */ ++#ifndef O_CLOEXEC ++# include ++# define O_CLOEXEC __O_CLOEXEC ++#endif ++#undef OPEN_TREE_CLOEXEC + #define OPEN_TREE_CLOEXEC O_CLOEXEC /* Close the file on execve() */ + + +diff --git a/sysdeps/unix/sysv/linux/tst-mount.c b/sysdeps/unix/sysv/linux/tst-mount.c +index 40913c7082..78a2772b2f 100644 +--- a/sysdeps/unix/sysv/linux/tst-mount.c ++++ b/sysdeps/unix/sysv/linux/tst-mount.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include /* For AT_ constants. */ + #include + + _Static_assert (sizeof (struct mount_attr) == MOUNT_ATTR_SIZE_VER0, + +commit 3ecfa68561d723564a1fb565366182eb4acb3e8f +Author: Florian Weimer +Date: Wed Mar 4 18:32:36 2026 +0100 + + Linux: Only define OPEN_TREE_* macros in if undefined (bug 33921) + + There is a conditional inclusion of earlier in the file. + If that defines the macros, do not redefine them. This addresses build + problems as the token sequence used by the UAPI macro definitions + changes between Linux versions. + + Reviewed-by: Adhemerval Zanella + (cherry picked from commit d12b017cddfeb9fe9920ba054ae3dfcb8e9238b8) + +diff --git a/sysdeps/unix/sysv/linux/sys/mount.h b/sysdeps/unix/sysv/linux/sys/mount.h +index 365da1c296..30ba56c1e8 100644 +--- a/sysdeps/unix/sysv/linux/sys/mount.h ++++ b/sysdeps/unix/sysv/linux/sys/mount.h +@@ -264,14 +264,16 @@ enum fsconfig_command + #define FSOPEN_CLOEXEC 0x00000001 + + /* open_tree flags. */ +-#define OPEN_TREE_CLONE 1 /* Clone the target tree and attach the clone */ ++#ifndef OPEN_TREE_CLONE ++# define OPEN_TREE_CLONE 1 /* Clone the target tree and attach the clone */ ++#endif + #ifndef O_CLOEXEC + # include + # define O_CLOEXEC __O_CLOEXEC + #endif +-#undef OPEN_TREE_CLOEXEC +-#define OPEN_TREE_CLOEXEC O_CLOEXEC /* Close the file on execve() */ +- ++#ifndef OPEN_TREE_CLOEXEC ++# define OPEN_TREE_CLOEXEC O_CLOEXEC /* Close the file on execve() */ ++#endif + + __BEGIN_DECLS + + +commit 3e87cf9be93acf19d685e8003fc649cdb052a891 +Author: H.J. Lu +Date: Mon Apr 13 10:46:42 2026 +0800 + + abilist.awk: Handle weak unversioned defined symbols + + After + + commit f685e3953f9a38a41bbd0a597f9882870cee13d5 + Author: H.J. Lu + Date: Wed Oct 29 09:49:57 2025 +0800 + + elf: Don't set its DT_VERSYM entry for unversioned symbol + + ld no longer assigns version index 1 to unversioned defined symbol. + For libmachuser.so, "objdump --dynamic-syms" reports: + + 0000dd30 w DF .text 000000f8 processor_start + + instead of + + 0000dd30 w DF .text 000000f8 (Base) processor_start + + Also allow NF == 6 for weak unversioned dynamic symbols. This fixes BZ + 33650. + + Signed-off-by: H.J. Lu + Reviewed-by: Sam James + (cherry picked from commit ee5d1db2a81468413fbf7c82779ffa782f429d1a) + +diff --git a/scripts/abilist.awk b/scripts/abilist.awk +index 6cc7af6ac8..7ea1edf8c0 100644 +--- a/scripts/abilist.awk ++++ b/scripts/abilist.awk +@@ -38,7 +38,7 @@ $4 == "*UND*" { next } + $2 == "l" { next } + + # If the target uses ST_OTHER, it will be output before the symbol name. +-$2 == "g" || $2 == "w" && (NF == 7 || NF == 8) { ++$2 == "g" || $2 == "w" && (NF == 6 || NF == 7 || NF == 8) { + type = $3; + size = $5; + sub(/^0*/, "", size); + +commit b4bca35ab9e76890504c4dbdd5eaf15a93514580 +Author: Rocket Ma +Date: Fri May 1 20:39:07 2026 -0700 + + libio: Fix ungetwc operating on byte stream [BZ #33998] + + * libio/wgenops.c: When _IO_wdefault_pbackfail attempts to push back one + character, it accidently compare the wchar to push back with the last + char from byte stream, instead of wide stream. Under specific coding, + attacker may exploit this to leak information. This commit fix bug + 33998, or CVE-2026-5928. + + Signed-off-by: Rocket Ma + Reviewed-by: Carlos O'Donell + (cherry picked from commit ef3bfb5f910011f3780cb06aa47e730035f53285) + +diff --git a/libio/Makefile b/libio/Makefile +index f020f8ec4d..fa2b8ae791 100644 +--- a/libio/Makefile ++++ b/libio/Makefile +@@ -83,6 +83,7 @@ tests = \ + bug-ungetwc1 \ + bug-ungetwc2 \ + bug-wfflush \ ++ bug-wgenops-bz33998 \ + bug-wmemstream1 \ + bug-wsetpos \ + test-fmemopen \ +diff --git a/libio/bug-wgenops-bz33998.c b/libio/bug-wgenops-bz33998.c +new file mode 100644 +index 0000000000..cc4067da99 +--- /dev/null ++++ b/libio/bug-wgenops-bz33998.c +@@ -0,0 +1,54 @@ ++/* Regression test for ungetwc operating on byte stream (BZ #33998) ++ Copyright (C) 2026 The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include "support/temp_file.h" ++#include "support/xstdio.h" ++#include "support/xunistd.h" ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static int ++do_test (void) ++{ ++ char *filename; ++ int fd = create_temp_file ("tst-bz33998-", &filename); ++ TEST_VERIFY (fd != -1); ++ xwrite (fd, "A", sizeof ("A")); // write "A\0" by design ++ xclose (fd); ++ ++ FILE *fp = xfopen (filename, "r+"); ++ TEST_COMPARE (getwc (fp), L'A'); ++ /* If the bug is fixed, then ungetwc should not touch byte stream. ++ If the bug is not fixed, ungetwc firstly match last read char, L'A', ++ failed, then the pbackfail branch, matching last read char in byte ++ stream, that is, '\0' (initialized when setup wide stream). */ ++ char *old_read_ptr = fp->_IO_read_ptr; ++ TEST_COMPARE (ungetwc (L'\0', fp), L'\0'); ++ TEST_VERIFY (fp->_IO_read_ptr == old_read_ptr); ++ ++ xfclose (fp); ++ free (filename); ++ ++ return 0; ++} ++ ++#include +diff --git a/libio/wgenops.c b/libio/wgenops.c +index 0a11d1b1de..9e0b2c00ea 100644 +--- a/libio/wgenops.c ++++ b/libio/wgenops.c +@@ -108,8 +108,8 @@ _IO_wdefault_pbackfail (FILE *fp, wint_t c) + { + if (fp->_wide_data->_IO_read_ptr > fp->_wide_data->_IO_read_base + && !_IO_in_backup (fp) +- && (wint_t) fp->_IO_read_ptr[-1] == c) +- --fp->_IO_read_ptr; ++ && (wint_t) fp->_wide_data->_IO_read_ptr[-1] == c) ++ --fp->_wide_data->_IO_read_ptr; + else + { + /* Need to handle a filebuf in write mode (switch to read mode). FIXME!*/ + +commit 4ebd33dd77eabe8d4c45232bed4b42a31d2f9edc +Author: Rocket Ma +Date: Fri Apr 17 23:48:41 2026 -0700 + + stdio-common: Fix buffer overflow in scanf %mc [BZ #34008] + + * stdio-common/vfscanf-internal.c: When enlarging allocated buffer with + format %mc or %mC, glibc allocates one byte less, leading to + user-controlled one byte overflow. This commit fixes BZ #34008, or + CVE-2026-5450. + + Reviewed-by: Carlos O'Donell + Signed-off-by: Rocket Ma + Reviewed-by: H.J. Lu + (cherry picked from commit 839898777226a3ed88c0859f25ffe712519b4ead) + +diff --git a/stdio-common/Makefile b/stdio-common/Makefile +index 64b3575acb..e52c333808 100644 +--- a/stdio-common/Makefile ++++ b/stdio-common/Makefile +@@ -347,6 +347,7 @@ tests := \ + tst-vfprintf-user-type \ + tst-vfprintf-width-i18n \ + tst-vfprintf-width-prec-alloc \ ++ tst-vfscanf-bz34008 \ + tst-wc-printf \ + tstdiomisc \ + tstgetln \ +@@ -562,6 +563,9 @@ tst-printf-bz18872-ENV = MALLOC_TRACE=$(objpfx)tst-printf-bz18872.mtrace \ + tst-vfprintf-width-prec-ENV = \ + MALLOC_TRACE=$(objpfx)tst-vfprintf-width-prec.mtrace \ + LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so ++tst-vfscanf-bz34008-ENV = \ ++ MALLOC_CHECK_=3 \ ++ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so + tst-printf-bz25691-ENV = \ + MALLOC_TRACE=$(objpfx)tst-printf-bz25691.mtrace \ + LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so +diff --git a/stdio-common/tst-vfscanf-bz34008.c b/stdio-common/tst-vfscanf-bz34008.c +new file mode 100644 +index 0000000000..48371c8a3d +--- /dev/null ++++ b/stdio-common/tst-vfscanf-bz34008.c +@@ -0,0 +1,48 @@ ++/* Regression test for vfscanf %Nmc out-of-bound write (BZ #34008) ++ Copyright (C) 2026 The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include "malloc/mcheck.h" ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#define WIDTH 0x410 ++#define SCANFSTR "%1040mc" ++static int ++do_test (void) ++{ ++ mcheck_pedantic (NULL); ++ char *input = malloc (WIDTH + 1); ++ TEST_VERIFY (input != NULL); ++ memset (input, 'A', WIDTH); ++ input[WIDTH] = '\0'; ++ ++ char *buf = NULL; ++ TEST_VERIFY (sscanf (input, SCANFSTR, &buf) != -1); ++ TEST_VERIFY (buf != NULL); ++ ++ free (buf); ++ free (input); ++ return 0; ++} ++ ++#include +diff --git a/stdio-common/vfscanf-internal.c b/stdio-common/vfscanf-internal.c +index 86ae5019a6..17b5565d0f 100644 +--- a/stdio-common/vfscanf-internal.c ++++ b/stdio-common/vfscanf-internal.c +@@ -853,8 +853,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr, + { + /* Enlarge the buffer. */ + size_t newsize +- = strsize +- + (strsize >= width ? width - 1 : strsize); ++ = strsize + (strsize >= width ? width : strsize); + + str = (char *) realloc (*strptr, newsize); + if (str == NULL) +@@ -925,7 +924,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr, + && wstr == (wchar_t *) *strptr + strsize) + { + size_t newsize +- = strsize + (strsize > width ? width - 1 : strsize); ++ = strsize + (strsize >= width ? width : strsize); + /* Enlarge the buffer. */ + wstr = (wchar_t *) realloc (*strptr, + newsize * sizeof (wchar_t)); +@@ -980,7 +979,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr, + && wstr == (wchar_t *) *strptr + strsize) + { + size_t newsize +- = strsize + (strsize > width ? width - 1 : strsize); ++ = strsize + (strsize >= width ? width : strsize); + /* Enlarge the buffer. */ + wstr = (wchar_t *) realloc (*strptr, + newsize * sizeof (wchar_t)); diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index a013a2db2f0cd..b6c6a6c864453 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -51,7 +51,7 @@ let version = "2.42"; - patchSuffix = "-61"; + patchSuffix = "-67"; sha256 = "sha256-0XdeMuRijmTvkw9DW2e7Y691may2viszW58Z8WUJ8X8="; in @@ -68,8 +68,8 @@ stdenv.mkDerivation ( patches = [ /* No tarballs for stable upstream branch, only https://sourceware.org/git/glibc.git and using git would complicate bootstrapping. - $ git fetch --all -p && git checkout origin/release/2.40/master && git describe - glibc-2.42-61-ga56a2943d2 + $ git fetch --all -p && git checkout origin/release/2.42/master && git describe + glibc-2.42-67-g4ebd33dd77 $ git show --minimal --reverse glibc-2.42.. ':!ADVISORIES' > 2.42-master.patch To compare the archive contents zdiff can be used. diff --git a/pkgs/development/libraries/libxml2/default.nix b/pkgs/development/libraries/libxml2/default.nix index 52a3ab58ad612..015688e4474b4 100644 --- a/pkgs/development/libraries/libxml2/default.nix +++ b/pkgs/development/libraries/libxml2/default.nix @@ -46,13 +46,13 @@ let }; }; libxml2 = callPackage ./common.nix { - version = "2.15.2"; + version = "2.15.3"; src = fetchFromGitLab { domain = "gitlab.gnome.org"; owner = "GNOME"; repo = "libxml2"; tag = "v${packages.libxml2.version}"; - hash = "sha256-k5dZ75D/BOouYAjrof9Jm2lY29XZhOqS1kudDGmGY9Q="; + hash = "sha256-fDntZDyITs223by8n7ueOXiO7yyzshtANoWbY0+yeqo="; }; extraMeta = { maintainers = with lib.maintainers; [ diff --git a/pkgs/development/libraries/openexr/3.nix b/pkgs/development/libraries/openexr/3.nix index efecd33bef353..a989e883a2b34 100644 --- a/pkgs/development/libraries/openexr/3.nix +++ b/pkgs/development/libraries/openexr/3.nix @@ -13,13 +13,13 @@ stdenv.mkDerivation rec { pname = "openexr"; - version = "3.4.10"; + version = "3.4.11"; src = fetchFromGitHub { owner = "AcademySoftwareFoundation"; repo = "openexr"; rev = "v${version}"; - hash = "sha256-jXio+PvagKTR8NjcYIQ/j8LOMNc/0sQBuaixKk/0V3k="; + hash = "sha256-5dx2tag6XyuJfNfJgc68X+VWKXaHOL3M7ZJEQbQwFDA="; }; outputs = [ diff --git a/pkgs/development/libraries/qt-5/5.15/srcs-generated.json b/pkgs/development/libraries/qt-5/5.15/srcs-generated.json index fd5fcefbff345..57473c4f5a293 100644 --- a/pkgs/development/libraries/qt-5/5.15/srcs-generated.json +++ b/pkgs/development/libraries/qt-5/5.15/srcs-generated.json @@ -1,202 +1,202 @@ { "qt3d": { "url": "https://invent.kde.org/qt/qt/qt3d.git", - "rev": "208f5835e6c2415c9dc5cbe92bba83aa28bab7ea", - "sha256": "0zqvdq5y25b1w7agx5wlr16p1wrx54086r0xcdfg9wx8dayhh1md" + "rev": "c3892c3ee3c0a2b8a050d0a1532f34806636eade", + "sha256": "0y3f4pr0vr7cpwmjxqspv79p7rljgc913fl8nqpv8y2aw8i5r4ly" }, "qtactiveqt": { "url": "https://invent.kde.org/qt/qt/qtactiveqt.git", - "rev": "e4c93bc7cac45bac6bccda3310947e8fe026a9ed", - "sha256": "1qq6jvqkl4ff7sw20pi1mawh5pypv7vxmj56d38z6p06r1azkvls" + "rev": "e85773764374878adc197b6a45ae8ec3ff44dafa", + "sha256": "1sbayayxgjj8jfi3apxw6m8qsmkba0gph2rm1wsnzjsa80zr17ia" }, "qtandroidextras": { "url": "https://invent.kde.org/qt/qt/qtandroidextras.git", - "rev": "4928bd58dbc1cdcf44a7e454e3d4654c3c2016f1", - "sha256": "02rsh60lyl6bn2jhx0ajn43safbi904nhwvdpikanrmdbg0z6dpp" + "rev": "14a14b137f0d794278947e980d99c47e6929e5e2", + "sha256": "0nvyxjm5qfq7sk22rp9hxrf8gvs6jq4i3kww1s0i8lsr69fl9biz" }, "qtbase": { "url": "https://invent.kde.org/qt/qt/qtbase.git", - "rev": "bebdfd54917e25d1c100e6bd9f5dd53c2e645fd8", - "sha256": "0bg36lxngkq2k11bhqdyfvbc1qyqaghwsi446zfn67vxvyxya3hx" + "rev": "fbed962c3195ab3952fa54d40e012ad1a4fdc42b", + "sha256": "1gnbgs7kh0vxjh3spv5g5zaaj1z1b0h8752pqi4lqg6jd1js2bpl" }, "qtcharts": { "url": "https://invent.kde.org/qt/qt/qtcharts.git", - "rev": "1093fb53ced126100d14af30a8adffd29b7ef855", - "sha256": "0cnlg59l743milkki8mjbrfd4cx5ycbqw73apcrnrsag9dqdbw41" + "rev": "16e9aff210cd4de7192adfc6cd91cdd44ba45a3d", + "sha256": "02virkb7h8hhkdsqpv2qg3lly4msf648f7421z10acxhin6ypw5i" }, "qtconnectivity": { "url": "https://invent.kde.org/qt/qt/qtconnectivity.git", - "rev": "f1be05c8efeb65b77a8bfd21763ab55bb5c04906", - "sha256": "1vl7wfw9sd8qfl8ixzl5wz4v5km5zdf9bii53q3pw4f2lplsralq" + "rev": "7e29434e06372efbb2127d0ef41538ff9aec1597", + "sha256": "1wv9bh13rq6mnnzsh6g88a2kj2j4nfv83vqpbdxmyavdf349pwdj" }, "qtdatavis3d": { "url": "https://invent.kde.org/qt/qt/qtdatavis3d.git", - "rev": "d9b988d3c5f9f34b97f3a9ac1347bfb55464cd60", - "sha256": "09jk32kw7wgcrd117a9lsm5w7jszsdhdslk10qn631wz203zbs4i" + "rev": "b52063032fda9af894ca0e582774364ce8caf0f8", + "sha256": "1zbfx7hqh1ydi2vx8pj6dxlrrc7wf8sqcwxzx8acphdyj66zcmch" }, "qtdeclarative": { "url": "https://invent.kde.org/qt/qt/qtdeclarative.git", - "rev": "1189557a50f11e7bc5716467a149cd09987a9f88", - "sha256": "0cd89d8i8chy1j1yanp1cq5s7467qr24b9c7cx9qw0nb0rf6f8qr" + "rev": "5bc1ac07b2d2c7839368084a4bb97e4c67eb8294", + "sha256": "0xpq0xjiscx72dcyg0lpr90ag5q7gypzcqnwbsnh401jrxn2pll1" }, "qtdoc": { "url": "https://invent.kde.org/qt/qt/qtdoc.git", - "rev": "ddb2afda6f713259fc8d95fb22a1c96bb448c36a", - "sha256": "0nk2vwl0ppix794xzj8nqrhsc333v8v4vr1rmwddymwlrdqlqd5d" + "rev": "385efd460ec13a465765fc30dd11217ae46d1846", + "sha256": "0djflkibfgjp8gr16hiv6nipj4q4xyclgv84f3d951dj2q7779v6" }, "qtgamepad": { "url": "https://invent.kde.org/qt/qt/qtgamepad.git", - "rev": "269fc0731f6838a1c02877a83c0ada23659c69fc", - "sha256": "06jhby671yzbj753yb0lnk4bv2r0nxxibq7fq1yljxdms0rc72iz" + "rev": "9b69ae558f0f9feffe30b0aa8993e270dfcc81ff", + "sha256": "056b39r4jsag5d7f5m04vmpydvnwpfs5mcynsdx717qdginlmiam" }, "qtgraphicaleffects": { "url": "https://invent.kde.org/qt/qt/qtgraphicaleffects.git", - "rev": "dfb2e7b2c98a9b7185c300d0b92b4048f5d89ba5", - "sha256": "1sn46lmq0y56mw0q11sgaijr2vg1wpp6lj237finp6vr3bji2816" + "rev": "551732fb1d963e53af437e3982a010f69eb76253", + "sha256": "1pyjb66nhlhin6ysm4005ng4m2ak857ai761rqx8l2h4fscgwvhf" }, "qtimageformats": { "url": "https://invent.kde.org/qt/qt/qtimageformats.git", - "rev": "c91e4c63c1eaf1e23806d9df10e3d5a9ae353c1d", - "sha256": "0q0vcymiqfyz8sfs9wdkhhwff55acj2rsmrb8w6yikmwcmcxp2a3" + "rev": "4076e38d68f05f5e1bcdedb79442d9008f18702c", + "sha256": "1kgvs3jgs2qysrx2kr4vn68h9gjv6ir1nd4hg0m2fbsjk644aa8w" }, "qtlocation": { "url": "https://invent.kde.org/qt/qt/qtlocation.git", - "rev": "ba48a8b5cedd157d972c08d371ac2581db166bf7", - "sha256": "00kwv405qq9q8fcwar33s2wvs1dm10fb8plxbz1q0jqcjs2ips6x" + "rev": "81f560be2274958011c255efa1d2d573874bed11", + "sha256": "1lpxngppxkhych9pkkcvw7ypw02cd324pw0z9hd9kqcd803p2017" }, "qtlottie": { "url": "https://invent.kde.org/qt/qt/qtlottie.git", - "rev": "27ed5a3c95a0810a96fac2a8661ea94d8ea3c44e", - "sha256": "04ivyxnn8d3pkjsbx0gwyj3f5if4m4cih6wyavm8bd2m2kkszx35" + "rev": "5f1be885cf4ee0f1eb5400bf0c5d138818fc01d0", + "sha256": "01880y8r2acnzfg09qm031kx99vp3zjv3zi38sh17shgcipx1fxp" }, "qtmacextras": { "url": "https://invent.kde.org/qt/qt/qtmacextras.git", - "rev": "fc7e9f41d9cec2df05c1d38d6e55d3a0d501dd25", - "sha256": "07q1arvdjwmbrayp2b213b8gqm4psczhx9z1m83invwmbs8iqj07" + "rev": "722060e4edff268feb2dda1298a7837c90f6262f", + "sha256": "1fqw1p6vx3gqw1sf1yk4cz1cb3d1xrbjq0p22gi0pspll314c8x0" }, "qtmultimedia": { "url": "https://invent.kde.org/qt/qt/qtmultimedia.git", - "rev": "ff83d119c75cd8406f73ccc08958fe36747e7390", - "sha256": "09jadnvphilcxxy85dlsr8a6x5w32r1c2hrbh93qbvvf9zlg60ld" + "rev": "8ddc44103baf166525d6650c842d7f08f651e7bb", + "sha256": "0akj2d8b6kdy125ggs9cd7pra3vm47frqpn6p756jafsxylkqwbh" }, "qtnetworkauth": { "url": "https://invent.kde.org/qt/qt/qtnetworkauth.git", - "rev": "510687fa4fdee84dd3d6d166e8f080c484016199", - "sha256": "0a8abmql94wxpfvdj5a1rnh3xsd49c5z8x93hm311sgjkd0aajx7" + "rev": "d1ce24a72122c315e3d190c9ebc26ed603b90057", + "sha256": "1wcw26x38k619xavrwav21w0vrzb24bn6ncxllcwd9bdn7vvn1wr" }, "qtpurchasing": { "url": "https://invent.kde.org/qt/qt/qtpurchasing.git", - "rev": "8e9a5ec9f68639162c85c198b28e072e7150883c", - "sha256": "04pmwqnw907dg0hpas0pdrh2fxcqn2mvqz82b1vkviksg8ny3saw" + "rev": "b471c6ca3edfa5ba459b8694622825b9e776bed6", + "sha256": "1plwpxasiw2sx76a294i4i92vk5g5gaigjfy284jpmaargxsyd7k" }, "qtquick3d": { "url": "https://invent.kde.org/qt/qt/qtquick3d.git", - "rev": "47a325358078b72016081a86be628411df2728a9", - "sha256": "18h309g6ni6y4bcss930g04z8ymhl2nfm3sv5s4h2fz3dl0xsqwr" + "rev": "4e85bd063c726f015dc8afb05834de7a71bf6a1b", + "sha256": "0k6wjkr2jyc1v6xrm34dnlbbdnippiph5jxzjxawlxijzzvmgcp5" }, "qtquickcontrols": { "url": "https://invent.kde.org/qt/qt/qtquickcontrols.git", - "rev": "0c3c18bf8bdac1ef1afdb8aade903edb5c2bc041", - "sha256": "0h8bhrbgfcf7nbfppah8lxnhvygc09983qrvp935r5sw7251km4d" + "rev": "af7fc486c8910b51733e1c7e758d50ca1a158b36", + "sha256": "1nbgpnz2qi8g24cmli25a9319vgqmk9vgngb12q2j8c8k3nlhhfs" }, "qtquickcontrols2": { "url": "https://invent.kde.org/qt/qt/qtquickcontrols2.git", - "rev": "e464888c53a641ee44a34ff2350cfb156c8ed59f", - "sha256": "08lnqz6v48j1hi6dpll7a052p6r5qfb32md16fppqzn6g5jg9ir2" + "rev": "5b808e0995d018c6de9f075d4a61f58d3641c11b", + "sha256": "1a65j06nzlxl1hmdh5li1gglcrqms0g560c2cj9vqzqm551krdj8" }, "qtquicktimeline": { "url": "https://invent.kde.org/qt/qt/qtquicktimeline.git", - "rev": "43130f2681b76a8d743a04704465b716b6b2faee", - "sha256": "1z1avxxq9d9nzqyxy5pq5maj73cf6dvsn5k83p3sf5kq3x0y75cj" + "rev": "ea9d6c4d5a0a172b4778e8f37d694d02aab83f37", + "sha256": "0170n0mcrf8phh3nsg2f904p8vxwmw8lks48zkpnbvyrj4gzqcr2" }, "qtremoteobjects": { "url": "https://invent.kde.org/qt/qt/qtremoteobjects.git", - "rev": "b2740a7c7f5b6ac810240404a947ca5cff9de5f7", - "sha256": "1jxlwc2y165fxdalcr4iqq55gsg5x4nxqd8wdq3dc1824yfnzm6i" + "rev": "48d10f341279e08c1bc4abb764c2d3ab9a259a51", + "sha256": "0523n172f96w474y804sanppfx2zkgsm342vwa6ailrcfkjw8v58" }, "qtscxml": { "url": "https://invent.kde.org/qt/qt/qtscxml.git", - "rev": "57491f554bc53bd020978b5744437b7ac7e56a27", - "sha256": "00mvwgb3xr116nl7649zq7ai2074clzw760c140sy91zqgqkjsx4" + "rev": "edc6f0dd5e806cced1937b2b853717f588e14fd2", + "sha256": "1072slgrvy910mxxqsvf7fgi237mjnbd2b8amw1srqzqj2bmnsj3" }, "qtsensors": { "url": "https://invent.kde.org/qt/qt/qtsensors.git", - "rev": "50a61b360877e7c1300df76b5aabf8d75554a398", - "sha256": "0giqwn4grg9999y31avh7ajsv9gkcfzf0xndx8bvv79si0wp59g6" + "rev": "8c6d11df60d4d783869c2d81568e3178f5ae75ce", + "sha256": "18jc5nncmpmbf758mcj9wj6dfn87hl51zp0ihqcvk6k6a8ra6l7p" }, "qtserialbus": { "url": "https://invent.kde.org/qt/qt/qtserialbus.git", - "rev": "c23069351ec31563c9ea9fcdce42ccdba95ea518", - "sha256": "1qgxlgnl53gabrfqihxwygdbdiqjvn2hfajmwb3h44srpq0srk33" + "rev": "6734222bccc5541f9527281c810c6b5f8fdd092f", + "sha256": "0ragq01wdwqwqp9720i3xan3a4xnkkvgc8gjy1wgwmdrs0mlb49z" }, "qtserialport": { "url": "https://invent.kde.org/qt/qt/qtserialport.git", - "rev": "b64a7eeda9b6a65b5ed01b1b40b07177f0aa4c0f", - "sha256": "134mn0njfvmzgrf325bikazkiq4xdn5wjhj56kxh1hhaz3q25hyp" + "rev": "ca1f2486527e7acf87d466062c035845f9774573", + "sha256": "0xdywglxh9sxs2s60shwf6c4m5w20h77l9d58rganqwpbrh49vkj" }, "qtspeech": { "url": "https://invent.kde.org/qt/qt/qtspeech.git", - "rev": "aa2376f9b1302222edcd16b4641bbd7004318c00", - "sha256": "0vcxgkymzhaw01f26zlny4bka9k829rwzkwk95rr3dfq7wlyxshz" + "rev": "a384f0d4fb8a2d0743d5dfdf12e40f6d76f8714c", + "sha256": "0imn7jskjvz30xnbg1z8wxkcw82hb6v92xls327385wxxj0a5i6r" }, "qtsvg": { "url": "https://invent.kde.org/qt/qt/qtsvg.git", - "rev": "b74f7291f343dcbcb487b020868f042d8fe83098", - "sha256": "1n0sjn8h5k2sh8p2a85cxdpqbnd63gz4rf9wwbshhd13w623f9s8" + "rev": "d2abfb9cb1f036446e5913fadb0f065dab9f0159", + "sha256": "048lbk25rbfbd2c8pbsifdxjcxb2003hi04lfsmgh7xr27x55gch" }, "qttools": { "url": "https://invent.kde.org/qt/qt/qttools.git", - "rev": "fa40a2d3373b89be0cd0a43fe0c1d047e3d34058", - "sha256": "06kr88gmwc7xh1whdbcg84y1naak5rv99jkscjbhzyz3z91xy7hl" + "rev": "3e3ab58b40734a1b9bbb7e72b2969d1f752351b1", + "sha256": "18dmmw1r13in7h90y3637jw3sc2pvv33bfr1bs11dyp951spw8d3" }, "qttranslations": { "url": "https://invent.kde.org/qt/qt/qttranslations.git", - "rev": "3cbcceb8e3e2e63a4022f1be946c7118c527a83e", - "sha256": "15lw5snqfkwwcsazh02lhiia39gy08nfijdpkzvll2qvg4b58zkn" + "rev": "388e4f32ed4b28d92bd61b917ba0e6b910e2784d", + "sha256": "1k76zl5c1x9q8kid3sjv4d66wy9ryl24fyiabrg32c7nbn53pbd4" }, "qtvirtualkeyboard": { "url": "https://invent.kde.org/qt/qt/qtvirtualkeyboard.git", - "rev": "859d2a6ee329cc08414410b2ef8c0af77a6853d3", - "sha256": "06sdpcanzp1a71d99rjivrbjp780mvwssc4w1sap2gskcmmgkwbs" + "rev": "4fc9919ee3fad1d520d0921ba3069dca3c34ff78", + "sha256": "12kn69l34s1r6s9w7cw9l5524kwrx8xrxwbx4hw059jns1pqac0d" }, "qtwayland": { "url": "https://invent.kde.org/qt/qt/qtwayland.git", - "rev": "df49b9f3badce793a0a9ea850cf1a02cc5bafef6", - "sha256": "01xm2r1pv7kxb4aj72ldfzmax6d799h6bj4h2xhpcii812wf5lda" + "rev": "605b8bc942ab263b9d1892af33a81b408f522ccc", + "sha256": "09vrd62ikxzjpv6awi7n34pswg4w5yvmac5ckc6ma6rqvps7mbip" }, "qtwebchannel": { "url": "https://invent.kde.org/qt/qt/qtwebchannel.git", - "rev": "2a157921861e651f43456cb7941b250c89feb736", - "sha256": "1w58b602f20mppd0zfr9yvfdn1xwfkfclnjs0p5mgymq6d946dyk" + "rev": "6a20afaeba182ce6e3faee592e1e85a0d3ec0fc6", + "sha256": "18jfxpasn47qd4glkgvps7nzm07dag6w9jbkq9l7fzbkpcbnqykb" }, "qtwebglplugin": { "url": "https://invent.kde.org/qt/qt/qtwebglplugin.git", - "rev": "b9aaac72d0853ba48f6bfd710a43df94d83d4701", - "sha256": "07zx55f52jgk31bm6c68iydknrih245ndnvz714l6kxw66fv4rjq" + "rev": "2a8ce0a61b4b9e892d948948182d935fa6792a1b", + "sha256": "10n50frndssj3vmmhghlw48dn0c9b26zgkgjvkza8x234j9dijv2" }, "qtwebsockets": { "url": "https://invent.kde.org/qt/qt/qtwebsockets.git", - "rev": "0f910acb737cefc889ce1088fc60d15bc18efe9c", - "sha256": "1ba9ll28hznd6qpjjiqvc2z6gaz2qgq7105dd0w810xpbaiixy0a" + "rev": "10eb706b24aa05f4ee69c2f2fec99b21994dfe2b", + "sha256": "1k01s4qkpzsjy7lygb0nhniym6g7yinih3sc16l3kljkabw44rx0" }, "qtwebview": { "url": "https://invent.kde.org/qt/qt/qtwebview.git", - "rev": "34342073a59f3a27ef3de02f6b21337c4f8db6cf", - "sha256": "1h6n7dkd6mjclxllyw2brz8wv4d68dx2ykckbwb3bkxyd6rmg1f6" + "rev": "043cb7c0eaf8d1bcee56a62d6a102f727a22fcbc", + "sha256": "0ha0ksbxm21hj37z7yk3f09ncgchw78cpcrxv56a205i2f04370d" }, "qtwinextras": { "url": "https://invent.kde.org/qt/qt/qtwinextras.git", - "rev": "5e5ae2b77078dbe51fb798743de606e6f9a5e19d", - "sha256": "04x8ax197z0dr01nxrb6bh4q8c077ny5n812fx5mq56l54v2m1ks" + "rev": "0704d01ff1218c2f32a194e38005e625c579222c", + "sha256": "0fsfrs770cia9i9ijvx1jyh0mjiza1cn1l7fm1a877h2qbd20l9f" }, "qtx11extras": { "url": "https://invent.kde.org/qt/qt/qtx11extras.git", - "rev": "c44c4fa86fa0794c25baef4ee1f6272aca8c511a", - "sha256": "0287cvs9wqlzz6gnj81gi8rp50s2rdnigcmld3fgddsg8f3v7hdj" + "rev": "6695a3df4460577b3fcb5546b45a0c5cb3addac4", + "sha256": "1xjdicq8kf6816hgnz4hc7ykcfngispm8xzv3bxacf98zicmy9rm" }, "qtxmlpatterns": { "url": "https://invent.kde.org/qt/qt/qtxmlpatterns.git", - "rev": "0b644263abca66503db1ce8a4e126cf358a34685", - "sha256": "1b1zzglvcdp7wvlpgk1gj8gmyy2r21yi6p8xiyvbccq5bbjpn0hw" + "rev": "ed3b333aa56ac193e969725e3c34be9070441271", + "sha256": "0s0z9dbivrq5pva6psfcfclw4816zb1rlr9ns03lf286iy196368" } } diff --git a/pkgs/development/libraries/qt-5/5.15/srcs.nix b/pkgs/development/libraries/qt-5/5.15/srcs.nix index 87a7bb97707df..ec5fdc9d5646e 100644 --- a/pkgs/development/libraries/qt-5/5.15/srcs.nix +++ b/pkgs/development/libraries/qt-5/5.15/srcs.nix @@ -5,7 +5,7 @@ }: let - version = "5.15.18"; + version = "5.15.19"; mk = name: args: { inherit version; diff --git a/pkgs/development/libraries/qt-6/fetch.sh b/pkgs/development/libraries/qt-6/fetch.sh index 73d170689480a..bd94b3ae2c487 100644 --- a/pkgs/development/libraries/qt-6/fetch.sh +++ b/pkgs/development/libraries/qt-6/fetch.sh @@ -1 +1 @@ -WGET_ARGS=( https://download.qt.io/official_releases/qt/6.11/6.11.0/submodules/ -A '*.tar.xz' ) +WGET_ARGS=( https://download.qt.io/official_releases/qt/6.11/6.11.1/submodules/ -A '*.tar.xz' ) diff --git a/pkgs/development/libraries/qt-6/modules/qtbase/default.nix b/pkgs/development/libraries/qt-6/modules/qtbase/default.nix index fa3ae210d2811..df428b92f64ee 100644 --- a/pkgs/development/libraries/qt-6/modules/qtbase/default.nix +++ b/pkgs/development/libraries/qt-6/modules/qtbase/default.nix @@ -246,11 +246,6 @@ stdenv.mkDerivation { # don't pass qtbase's QML directory to qmlimportscanner if it's empty ./skip-missing-qml-directory.patch - # backport crash fix - (fetchpatch { - url = "https://github.com/qt/qtbase/commit/1466f88633b2c29a6159a0c2eacd0c0d6601aa5e.diff"; - hash = "sha256-ubDAXF47SYagRAJ5SYyBxXl2PiHjAZo3xlYPDz1jRYM="; - }) # another crash fix (fetchpatch { url = "https://github.com/qt/qtbase/commit/515cbbacfba9f4259c9c3b0714a31222c2b4c879.diff"; diff --git a/pkgs/development/libraries/qt-6/modules/qtdeclarative/default.nix b/pkgs/development/libraries/qt-6/modules/qtdeclarative/default.nix index 786229c5651b3..2f19e06a67fa2 100644 --- a/pkgs/development/libraries/qt-6/modules/qtdeclarative/default.nix +++ b/pkgs/development/libraries/qt-6/modules/qtdeclarative/default.nix @@ -43,6 +43,12 @@ qtModule { hash = "sha256-ESy35OlmsvI4yFQ/rFT8oelOUBCwCmlcbQJvwcTrCig="; revert = true; }) + + # backport fix recommended by KDE + (fetchpatch { + url = "https://github.com/qt/qtdeclarative/commit/8a2c82be6ad90e3f2a0760d8bab1e3a8cdb2473a.diff"; + hash = "sha256-3KbyoQPAiRyCwGnwwYV3y0yz2i6UAJcX70EPsXV0ZZM="; + }) ]; cmakeFlags = [ diff --git a/pkgs/development/libraries/qt-6/modules/qtmqtt.nix b/pkgs/development/libraries/qt-6/modules/qtmqtt.nix index effea1d03ab42..c70d2cbd1f881 100644 --- a/pkgs/development/libraries/qt-6/modules/qtmqtt.nix +++ b/pkgs/development/libraries/qt-6/modules/qtmqtt.nix @@ -6,13 +6,13 @@ qtModule rec { pname = "qtmqtt"; - version = "6.11.0"; + version = "6.11.1"; src = fetchFromGitHub { owner = "qt"; repo = "qtmqtt"; tag = "v${version}"; - hash = "sha256-7X+HWAftWHn40RPFQD3/f+bp00LQk8Vsb871WfxdZSE="; + hash = "sha256-GWaF4iCPtATL1mJkPHVY0rom8R2FMNWGahE3KWBlfV8="; }; propagatedBuildInputs = [ qtbase ]; diff --git a/pkgs/development/libraries/qt-6/srcs.nix b/pkgs/development/libraries/qt-6/srcs.nix index 73067dc5fd5c4..93c206858d18d 100644 --- a/pkgs/development/libraries/qt-6/srcs.nix +++ b/pkgs/development/libraries/qt-6/srcs.nix @@ -4,339 +4,339 @@ { qt3d = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qt3d-everywhere-src-6.11.0.tar.xz"; - sha256 = "086xpissihbil51ryl83dlcpkpv3pp3ryj0712x9k9z6756j7ks0"; - name = "qt3d-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qt3d-everywhere-src-6.11.1.tar.xz"; + sha256 = "01q11bs7vjz1s5wdrdjq904dgl2m6l7r8d3vd2kyf7lx0j78qvd6"; + name = "qt3d-everywhere-src-6.11.1.tar.xz"; }; }; qt5compat = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qt5compat-everywhere-src-6.11.0.tar.xz"; - sha256 = "0gn6sj136y8yl1c00nbm81rmhws0mgx35ny7llx74j97ddj58ag6"; - name = "qt5compat-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qt5compat-everywhere-src-6.11.1.tar.xz"; + sha256 = "06qndy534rzabxk9yq07dsl8fj1vd72lmck11r5xbajil3d9zjyg"; + name = "qt5compat-everywhere-src-6.11.1.tar.xz"; }; }; qtactiveqt = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtactiveqt-everywhere-src-6.11.0.tar.xz"; - sha256 = "1kbqa0gx41s097281g4zym9jmjs2ffc75p3rgkbs6bvnlrvl0h89"; - name = "qtactiveqt-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtactiveqt-everywhere-src-6.11.1.tar.xz"; + sha256 = "05hcnhxkajry4ha7ykmqr83p16qjipspwxid8l2rxgz80wy6aadv"; + name = "qtactiveqt-everywhere-src-6.11.1.tar.xz"; }; }; qtbase = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtbase-everywhere-src-6.11.0.tar.xz"; - sha256 = "0pkmrd8ypw1v21cx0890gc6z4v0xr5qip2jnr56r2kc6g5cxh6i3"; - name = "qtbase-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtbase-everywhere-src-6.11.1.tar.xz"; + sha256 = "1b616gr7k8byfr2ns4vczs4kj3sznhlrlw9inpb3m8la48qllnfr"; + name = "qtbase-everywhere-src-6.11.1.tar.xz"; }; }; qtcanvaspainter = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtcanvaspainter-everywhere-src-6.11.0.tar.xz"; - sha256 = "1gmgzmh81wrnj81xsmilqwhc1wv7j2avg91mww8jlrv5rplzynjl"; - name = "qtcanvaspainter-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtcanvaspainter-everywhere-src-6.11.1.tar.xz"; + sha256 = "1l08zp68q3wcr9v5hh82kw6jqvc1wmnrjn7h9959psx520dwcdly"; + name = "qtcanvaspainter-everywhere-src-6.11.1.tar.xz"; }; }; qtcharts = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtcharts-everywhere-src-6.11.0.tar.xz"; - sha256 = "1dcldlw24qd9swynxcdsxnk8haiv442wx323j7qgfwjp13a9nh5c"; - name = "qtcharts-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtcharts-everywhere-src-6.11.1.tar.xz"; + sha256 = "0p2icmrwb6am7x2kgk9pnpa8ypi7jiscyaawgi0x31iaihqyvqrz"; + name = "qtcharts-everywhere-src-6.11.1.tar.xz"; }; }; qtconnectivity = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtconnectivity-everywhere-src-6.11.0.tar.xz"; - sha256 = "0fhrqqz58h3smkksfgnax73bmsiz7q9a1w9vhwd83vs9r0jc3w60"; - name = "qtconnectivity-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtconnectivity-everywhere-src-6.11.1.tar.xz"; + sha256 = "14g5h0wixqy981cnn5f8gkjbji804f18gfjkzbanxd0lljg2h191"; + name = "qtconnectivity-everywhere-src-6.11.1.tar.xz"; }; }; qtdatavis3d = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtdatavis3d-everywhere-src-6.11.0.tar.xz"; - sha256 = "1jr3bkvp4wj1jdafc64ziq4raxbya6jk6s0d4mq0w2kr7zpqrggf"; - name = "qtdatavis3d-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtdatavis3d-everywhere-src-6.11.1.tar.xz"; + sha256 = "1b4kcqfq5q79lm70f08qiksxl36laa9dgx9ladjk2xwl1af7n6hy"; + name = "qtdatavis3d-everywhere-src-6.11.1.tar.xz"; }; }; qtdeclarative = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtdeclarative-everywhere-src-6.11.0.tar.xz"; - sha256 = "1sgxxmg49flana7mylyz4c5mf5hr00kzl8nkwwj87pqx8dlybv2f"; - name = "qtdeclarative-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtdeclarative-everywhere-src-6.11.1.tar.xz"; + sha256 = "193ar0fcfzjjr7mi8i2622vip95qrr3qry949d9lyc5hf3v71rjj"; + name = "qtdeclarative-everywhere-src-6.11.1.tar.xz"; }; }; qtdoc = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtdoc-everywhere-src-6.11.0.tar.xz"; - sha256 = "1wwl2vr1qs2lqmz45iqpkzkxqp97g0yzfmz0kb5wpi8sys7c07bx"; - name = "qtdoc-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtdoc-everywhere-src-6.11.1.tar.xz"; + sha256 = "1hd5z6prx2sbr3wxzkynrn2iyjllvkids505l2xg3p272j4b5306"; + name = "qtdoc-everywhere-src-6.11.1.tar.xz"; }; }; qtgraphs = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtgraphs-everywhere-src-6.11.0.tar.xz"; - sha256 = "0nxifvs5042pzyd5syhgpmxzsq07fhpbbm57ckwzsn55q14cnvyz"; - name = "qtgraphs-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtgraphs-everywhere-src-6.11.1.tar.xz"; + sha256 = "0qh43qxqg4biyrrsd78nmi4dm3dnbswa95cq8db2k3lans517cc4"; + name = "qtgraphs-everywhere-src-6.11.1.tar.xz"; }; }; qtgrpc = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtgrpc-everywhere-src-6.11.0.tar.xz"; - sha256 = "0yd8jjxigaynv386f3cs1i743nm7yngciw346xqfil3chd8wpvcx"; - name = "qtgrpc-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtgrpc-everywhere-src-6.11.1.tar.xz"; + sha256 = "0l52w91hd2crq6zyh5a8arv07yixnwcr2pya74bxpk2hqpq08ys3"; + name = "qtgrpc-everywhere-src-6.11.1.tar.xz"; }; }; qthttpserver = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qthttpserver-everywhere-src-6.11.0.tar.xz"; - sha256 = "16wqglm8ws63qs7i769xy94bygwbhkz7hjfw27hnps7d4yirb41b"; - name = "qthttpserver-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qthttpserver-everywhere-src-6.11.1.tar.xz"; + sha256 = "01p7li9fvwnz2shx3d9wj9nnnnipya2q0whchyvgjqb8yzy71gq4"; + name = "qthttpserver-everywhere-src-6.11.1.tar.xz"; }; }; qtimageformats = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtimageformats-everywhere-src-6.11.0.tar.xz"; - sha256 = "1j0cjj7gxjbprszw349janl3zk38rkby1bmxil329zp2qlmb1bfk"; - name = "qtimageformats-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtimageformats-everywhere-src-6.11.1.tar.xz"; + sha256 = "04y4pa5krrpyiqn039d6m8bzcxj6pa1m850rz3bmw5xc8ml6rgxj"; + name = "qtimageformats-everywhere-src-6.11.1.tar.xz"; }; }; qtlanguageserver = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtlanguageserver-everywhere-src-6.11.0.tar.xz"; - sha256 = "1gq5yjvk6iyg606pgpxkb136qlz9hpb7ngll81nhiyb1ym1y9j0v"; - name = "qtlanguageserver-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtlanguageserver-everywhere-src-6.11.1.tar.xz"; + sha256 = "1vwavpi8swgs88pfjfddnb9cmsb4k1sjcgywp2rsnm6ay8vqa02h"; + name = "qtlanguageserver-everywhere-src-6.11.1.tar.xz"; }; }; qtlocation = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtlocation-everywhere-src-6.11.0.tar.xz"; - sha256 = "1vxb6n8xf98zcg2bw29gsaqa74sg6jn9ilzs8c5b9q79i9m3if49"; - name = "qtlocation-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtlocation-everywhere-src-6.11.1.tar.xz"; + sha256 = "06z4hbiqki5chhmph131s71czyrjpnjvy3rxb4560vwy55vwx49p"; + name = "qtlocation-everywhere-src-6.11.1.tar.xz"; }; }; qtlottie = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtlottie-everywhere-src-6.11.0.tar.xz"; - sha256 = "02ndplkk4bq01b0fh9l2ykw09v0k5nbsayrs9wcjwrdwg5law8rg"; - name = "qtlottie-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtlottie-everywhere-src-6.11.1.tar.xz"; + sha256 = "0y969gp64imwh49d5zbnw0wi2yva9fsp6qn58617rs9kvkdzml70"; + name = "qtlottie-everywhere-src-6.11.1.tar.xz"; }; }; qtmultimedia = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtmultimedia-everywhere-src-6.11.0.tar.xz"; - sha256 = "0h30l8zflkla7rcshgs0jfjbjwvq9rqx0wq83f6vd0x9lz0cmi4h"; - name = "qtmultimedia-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtmultimedia-everywhere-src-6.11.1.tar.xz"; + sha256 = "02lvq1jk6m67m6z0w7vdzxhzmi441j8avvp79mfclfpfvm98w3rr"; + name = "qtmultimedia-everywhere-src-6.11.1.tar.xz"; }; }; qtnetworkauth = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtnetworkauth-everywhere-src-6.11.0.tar.xz"; - sha256 = "1mqly8had79f54dlygh42jr0c0jfiv4j4w2rbr0s7qx9nk9ig342"; - name = "qtnetworkauth-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtnetworkauth-everywhere-src-6.11.1.tar.xz"; + sha256 = "0gan2qjv97d1387jqaiis2gigm6lz5jbk1k10x13w0yc5kr5n7cz"; + name = "qtnetworkauth-everywhere-src-6.11.1.tar.xz"; }; }; qtopenapi = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtopenapi-everywhere-src-6.11.0.tar.xz"; - sha256 = "1h2pcq6i72yic0r7ns36vj678d1xqy291jamqd6b6jkjddmj1hlg"; - name = "qtopenapi-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtopenapi-everywhere-src-6.11.1.tar.xz"; + sha256 = "0nzl95w5pbfd6mfb6rzv6arz09pcm6siz1n07pgm9rrdr6z083a4"; + name = "qtopenapi-everywhere-src-6.11.1.tar.xz"; }; }; qtpositioning = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtpositioning-everywhere-src-6.11.0.tar.xz"; - sha256 = "1scnnz65qyfg0nl9vjkqcss8xsw3yf91w71d9p1kwlfybscd07yn"; - name = "qtpositioning-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtpositioning-everywhere-src-6.11.1.tar.xz"; + sha256 = "1xbq1xjjbhb41lfp9mli8a5rgqf5pniswv0161v6wa5f04cbkrnm"; + name = "qtpositioning-everywhere-src-6.11.1.tar.xz"; }; }; qtquick3d = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquick3d-everywhere-src-6.11.0.tar.xz"; - sha256 = "1549gdb3yxj1bpl54kgnkkhzjx0zxqi71ssp4rj6qnz56fxh085l"; - name = "qtquick3d-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquick3d-everywhere-src-6.11.1.tar.xz"; + sha256 = "0vs5bcz62r32gin0g4lb6wdmqrv0ypzar1s9wsza98la7zg8asy7"; + name = "qtquick3d-everywhere-src-6.11.1.tar.xz"; }; }; qtquick3dphysics = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquick3dphysics-everywhere-src-6.11.0.tar.xz"; - sha256 = "0dcx9913xss435cijx5bzckvsn66qfi6c39rx0gyv9iiys76qym5"; - name = "qtquick3dphysics-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquick3dphysics-everywhere-src-6.11.1.tar.xz"; + sha256 = "1bvrmjb6m0ynq00ybdghvkbmwm237vff23ng8n4njysf05pns26i"; + name = "qtquick3dphysics-everywhere-src-6.11.1.tar.xz"; }; }; qtquickeffectmaker = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquickeffectmaker-everywhere-src-6.11.0.tar.xz"; - sha256 = "05fpv497rmx2lw7gx05sxyxjwx8gq8fbbnkzhnw73pk2xqzq20mc"; - name = "qtquickeffectmaker-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquickeffectmaker-everywhere-src-6.11.1.tar.xz"; + sha256 = "0sqk8hkkdibv0ayxrvpcbgj3dcwfngpd6qjp2xm15pcbx1q3xrng"; + name = "qtquickeffectmaker-everywhere-src-6.11.1.tar.xz"; }; }; qtquicktimeline = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquicktimeline-everywhere-src-6.11.0.tar.xz"; - sha256 = "1micycw7m25gw0bgbfq7bnr7cg7qrjj2r69320rglc8lak6f3nq6"; - name = "qtquicktimeline-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquicktimeline-everywhere-src-6.11.1.tar.xz"; + sha256 = "09wcx83yxif8r4v81h2jfj3wlj60wnc9k4dsp7hlah4yzm1zclxg"; + name = "qtquicktimeline-everywhere-src-6.11.1.tar.xz"; }; }; qtremoteobjects = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtremoteobjects-everywhere-src-6.11.0.tar.xz"; - sha256 = "15yykbaxqc6v2flgjvn92w7gwfvi820dg4cxkjxcfhpix2m21571"; - name = "qtremoteobjects-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtremoteobjects-everywhere-src-6.11.1.tar.xz"; + sha256 = "06hiiyjpcgn8dp9jmgxj30nlrw73rqb869f0m63scccmqsarhqj0"; + name = "qtremoteobjects-everywhere-src-6.11.1.tar.xz"; }; }; qtscxml = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtscxml-everywhere-src-6.11.0.tar.xz"; - sha256 = "1rylchpvzldy7hhr3icr85w8m4hf7wch17yqh368yrn3q19klf3c"; - name = "qtscxml-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtscxml-everywhere-src-6.11.1.tar.xz"; + sha256 = "0gr0j09isxgii3aivfvr35x40d9n0kj0g2icc7g7bzniwm2m4jcf"; + name = "qtscxml-everywhere-src-6.11.1.tar.xz"; }; }; qtsensors = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtsensors-everywhere-src-6.11.0.tar.xz"; - sha256 = "1iy33w7gjp06xi4342si979q9w84cvbbk90kxmk2gx69icjjja21"; - name = "qtsensors-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtsensors-everywhere-src-6.11.1.tar.xz"; + sha256 = "13ygry3lybkgci6gkrd7k081l01icavzkiyy4g82drbvv9i70q93"; + name = "qtsensors-everywhere-src-6.11.1.tar.xz"; }; }; qtserialbus = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtserialbus-everywhere-src-6.11.0.tar.xz"; - sha256 = "1qfs9zqvz3hf16w8gg6nlwxcv6sz72546pds02dabhkcw47nqvmh"; - name = "qtserialbus-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtserialbus-everywhere-src-6.11.1.tar.xz"; + sha256 = "02pj4jnxc4afl5ymv7w8asggpg0hdj3dbnwwcqd305b8il69qv64"; + name = "qtserialbus-everywhere-src-6.11.1.tar.xz"; }; }; qtserialport = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtserialport-everywhere-src-6.11.0.tar.xz"; - sha256 = "111pmva70mcffhq09q2h1gcr03fivs9j2ywx4ib00pbyxfvr4ii6"; - name = "qtserialport-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtserialport-everywhere-src-6.11.1.tar.xz"; + sha256 = "0x1r5l3kx7riprf0b2api0bcg0z755fq9vbgmx7px6pxiy4imwws"; + name = "qtserialport-everywhere-src-6.11.1.tar.xz"; }; }; qtshadertools = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtshadertools-everywhere-src-6.11.0.tar.xz"; - sha256 = "0jp1sb9pl7y821awln7rpk0hz7d5ipwnkqhy51caich9i2pb2g74"; - name = "qtshadertools-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtshadertools-everywhere-src-6.11.1.tar.xz"; + sha256 = "1z42r414jid12jmhm1yf5kw44j886w01igav0kggkg13kcphax90"; + name = "qtshadertools-everywhere-src-6.11.1.tar.xz"; }; }; qtspeech = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtspeech-everywhere-src-6.11.0.tar.xz"; - sha256 = "08fv8v6rvcv0pa6r52kr2na2rcpjr3yk556ksinnh6aslv8qbid9"; - name = "qtspeech-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtspeech-everywhere-src-6.11.1.tar.xz"; + sha256 = "051z4yf22hkqhy3pkgxq8s77x06k4cd70i9jcmd8f99004cc6df0"; + name = "qtspeech-everywhere-src-6.11.1.tar.xz"; }; }; qtsvg = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtsvg-everywhere-src-6.11.0.tar.xz"; - sha256 = "1rih59jsn0wq12gq5gbs1cz9by27x2x4wjpd0ya7s207pr9xda6z"; - name = "qtsvg-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtsvg-everywhere-src-6.11.1.tar.xz"; + sha256 = "154adaicyy5wyz6yc95g3lm4iw9v2zdsd7l5qp107gr490pz0g3z"; + name = "qtsvg-everywhere-src-6.11.1.tar.xz"; }; }; qttasktree = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qttasktree-everywhere-src-6.11.0.tar.xz"; - sha256 = "0kxkm3qvzw5i5x2ads6skpz8z6shbn2msznmr614yvsdgiga4yjr"; - name = "qttasktree-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qttasktree-everywhere-src-6.11.1.tar.xz"; + sha256 = "1mjdwy3i24ggn2g82z5pg3grzhnaxmq7nmvdc7ba8dsdixzvjam2"; + name = "qttasktree-everywhere-src-6.11.1.tar.xz"; }; }; qttools = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qttools-everywhere-src-6.11.0.tar.xz"; - sha256 = "0xpwv483zrw3jkajhv9sbr7bm95qahxg770vn1jqk10hg8yrkcfg"; - name = "qttools-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qttools-everywhere-src-6.11.1.tar.xz"; + sha256 = "03gmr9zpf0raqcvqk2cpw9lblw907hsl5cb5c2fgm4wwcxd86qcf"; + name = "qttools-everywhere-src-6.11.1.tar.xz"; }; }; qttranslations = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qttranslations-everywhere-src-6.11.0.tar.xz"; - sha256 = "0mpy3y76n1jw2prhad9rqyn48miqlmqg3581jgzr4s1iwhpqpx2l"; - name = "qttranslations-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qttranslations-everywhere-src-6.11.1.tar.xz"; + sha256 = "0xsnxhiqc3ybwvyn1jbhdf1sjmcf7v4mma6w9sxwg535420jrh1p"; + name = "qttranslations-everywhere-src-6.11.1.tar.xz"; }; }; qtvirtualkeyboard = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtvirtualkeyboard-everywhere-src-6.11.0.tar.xz"; - sha256 = "11p6m1s7r7q2y6a2ak5lyzfd2907s2skfa630snf64x32cblp2nq"; - name = "qtvirtualkeyboard-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtvirtualkeyboard-everywhere-src-6.11.1.tar.xz"; + sha256 = "073y02qmpwxxdqc4pkm6k9frghsjg1zppg2hip5b4hv269xrdim1"; + name = "qtvirtualkeyboard-everywhere-src-6.11.1.tar.xz"; }; }; qtwayland = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwayland-everywhere-src-6.11.0.tar.xz"; - sha256 = "0dsdv1d4p1wf0sqd26cmj486bvwlprmqzmjddsw24agrc3kyc477"; - name = "qtwayland-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwayland-everywhere-src-6.11.1.tar.xz"; + sha256 = "1cyr5frhglp2krxvpnqk9q426rgp6nr34ngnxpa42m7p0ajqly4m"; + name = "qtwayland-everywhere-src-6.11.1.tar.xz"; }; }; qtwebchannel = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebchannel-everywhere-src-6.11.0.tar.xz"; - sha256 = "097vm6pxh18bil9ld9cxg50v861nyhaha4f6bjfjqph1icx18ip9"; - name = "qtwebchannel-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebchannel-everywhere-src-6.11.1.tar.xz"; + sha256 = "10ld2nh6gd1v2ssbgqlf6w0lsjlqkjdfwqv85mn5krnnf45vbyv9"; + name = "qtwebchannel-everywhere-src-6.11.1.tar.xz"; }; }; qtwebengine = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebengine-everywhere-src-6.11.0.tar.xz"; - sha256 = "0dk72k92zp19jkph1vl88l2dyrh105v6cycsxln1anfxnb423fb3"; - name = "qtwebengine-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebengine-everywhere-src-6.11.1.tar.xz"; + sha256 = "10vhcvw8j60n0mf38bi3fjcx5v1i0cbfyn4wbqhzqn61qv66d737"; + name = "qtwebengine-everywhere-src-6.11.1.tar.xz"; }; }; qtwebsockets = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebsockets-everywhere-src-6.11.0.tar.xz"; - sha256 = "0cnh67ncfh0gvpqfiqhr0cpmswq9zysza130axlmh69mzg8i17sn"; - name = "qtwebsockets-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebsockets-everywhere-src-6.11.1.tar.xz"; + sha256 = "1gvgci383dfm4sljqlapdiva7jhks1i2z2ayck0wbj1436hklgi4"; + name = "qtwebsockets-everywhere-src-6.11.1.tar.xz"; }; }; qtwebview = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebview-everywhere-src-6.11.0.tar.xz"; - sha256 = "1cy4x331h0f4d5l8c18xrvdq6hwz7r16qd1xhr8gdm8j9bcsw3nb"; - name = "qtwebview-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebview-everywhere-src-6.11.1.tar.xz"; + sha256 = "0g8k4xs7b0s474x00ds4i8q9b164icdgrdg8ngln10nmf3pwhqld"; + name = "qtwebview-everywhere-src-6.11.1.tar.xz"; }; }; } diff --git a/pkgs/development/libraries/science/math/openblas/default.nix b/pkgs/development/libraries/science/math/openblas/default.nix index 9d5d2b4449fdd..97b7596b937c5 100644 --- a/pkgs/development/libraries/science/math/openblas/default.nix +++ b/pkgs/development/libraries/science/math/openblas/default.nix @@ -170,7 +170,7 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "openblas"; - version = "0.3.32"; + version = "0.3.33"; outputs = [ "out" @@ -181,7 +181,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "OpenMathLib"; repo = "OpenBLAS"; rev = "v${finalAttrs.version}"; - hash = "sha256-D0Wu5Ew72aTqSjj970yOfAwPg1T4Qm6zmpaGlQ/5Q1k="; + hash = "sha256-EArf0K2Gs+w8IRD5wkMOQv79e8yMoTgQfa9kzjXKn3Y="; }; patches = [ @@ -190,13 +190,13 @@ stdenv.mkDerivation (finalAttrs: { # INCLUDEDIR already fixed in upstream HEAD & significant refactor # to config gen so not PRing changes ./cmake-include-fixes.patch - # Fix build on LoongArch (error: '_Float16' is not supported on this target) + # This was an attempted fix for the below commit but still leaves some scipy tests failing. (fetchpatch { - url = "https://github.com/OpenMathLib/OpenBLAS/commit/7086a1b075ca317e12cfe79d40a32ad342a30496.patch"; - hash = "sha256-pA3HK2f2MJr/+h/uale7edIYk/KH194EscYFcsujPXY="; + url = "https://github.com/OpenMathLib/OpenBLAS/commit/e3ce4623c299068bbd47c35ee87aab334bac73b1.patch"; + revert = true; + hash = "sha256-WrP3RCDk/EbpqVOw9XGLnFI+6/bBGJTIrt2TRYGLVQ4="; }) # This commit led to miscompilation of certain ASIMD extensions code paths. - # There was an attempted fix in upstream but this still leaves some scipy tests failing. (fetchpatch { url = "https://github.com/OpenMathLib/OpenBLAS/commit/3f6e928d34aca977bd5d4191e6d2c2338a342.patch"; revert = true; @@ -271,7 +271,9 @@ stdenv.mkDerivation (finalAttrs: { (lib.cmakeBool "USE_OPENMP" false) # openblas will refuse building with both USE_OPENMP=ON and USE_THREAD=OFF ]; - doCheck = true; + # FIXME: this broke some time between a0374025a863d007d98e3297f6aa46cc3141c2f0 and 34268251cf5547d39063f2c5ea9a196246f7f3a6 + # This just serves to unbreak stable + doCheck = stdenv.hostPlatform.system != "i686-linux"; postInstall = '' # Provide headers in /include directly for compat with some consumers like flint diff --git a/pkgs/development/python-modules/aiodns/default.nix b/pkgs/development/python-modules/aiodns/default.nix index 54b67a88be19a..21251500362e9 100644 --- a/pkgs/development/python-modules/aiodns/default.nix +++ b/pkgs/development/python-modules/aiodns/default.nix @@ -8,14 +8,14 @@ buildPythonPackage (finalAttrs: { pname = "aiodns"; - version = "4.0.0"; + version = "4.0.4"; pyproject = true; src = fetchFromGitHub { owner = "saghul"; repo = "aiodns"; tag = "v${finalAttrs.version}"; - hash = "sha256-/iYkhzN01+NaUfMXaM39IvlEKfoKc29+f0S4y0y3GG8="; + hash = "sha256-TLiiSRhZaEbHeyrQPk8uvj10VEttRanYEgkBy7DxH4Y="; }; build-system = [ setuptools ]; diff --git a/pkgs/development/python-modules/asgi-csrf/default.nix b/pkgs/development/python-modules/asgi-csrf/default.nix index f3ec2670d6f81..9c36730fd74c4 100644 --- a/pkgs/development/python-modules/asgi-csrf/default.nix +++ b/pkgs/development/python-modules/asgi-csrf/default.nix @@ -49,6 +49,8 @@ buildPythonPackage rec { pythonImportsCheck = [ "asgi_csrf" ]; meta = { + # https://github.com/simonw/asgi-csrf/issues/38 + broken = lib.versionAtLeast python-multipart.version "0.0.26"; description = "ASGI middleware for protecting against CSRF attacks"; license = lib.licenses.asl20; homepage = "https://github.com/simonw/asgi-csrf"; diff --git a/pkgs/development/python-modules/captum/default.nix b/pkgs/development/python-modules/captum/default.nix index 32889473641c0..455eac5c5fc15 100644 --- a/pkgs/development/python-modules/captum/default.nix +++ b/pkgs/development/python-modules/captum/default.nix @@ -2,7 +2,6 @@ lib, stdenv, fetchFromGitHub, - fetchpatch, buildPythonPackage, pytestCheckHook, setuptools, @@ -53,6 +52,10 @@ buildPythonPackage rec { scikit-learn ]; + preCheck = '' + export OMP_NUM_THREADS=1 + ''; + disabledTestPaths = lib.optionals stdenv.hostPlatform.isDarwin [ # These tests may fail if multiple builds run them at the same time due diff --git a/pkgs/development/python-modules/cfn-lint/default.nix b/pkgs/development/python-modules/cfn-lint/default.nix index db06eac381553..70a2968acfe8e 100644 --- a/pkgs/development/python-modules/cfn-lint/default.nix +++ b/pkgs/development/python-modules/cfn-lint/default.nix @@ -69,6 +69,13 @@ buildPythonPackage rec { "test_update_docs" ]; + disabledTestPaths = [ + # unexpected exit code afer nodejs_24 24.16.0 update + "test/integration/test_quickstart_templates.py::TestQuickStartTemplates::test_templates" + "test/integration/test_quickstart_templates_non_strict.py::TestQuickStartTemplates::test_module_integration" + "test/integration/test_quickstart_templates_non_strict.py::TestQuickStartTemplates::test_templates" + ]; + pythonImportsCheck = [ "cfnlint" ]; meta = { diff --git a/pkgs/development/python-modules/django/5.nix b/pkgs/development/python-modules/django/5.nix index 3a7274793a2bd..273b61da19c95 100644 --- a/pkgs/development/python-modules/django/5.nix +++ b/pkgs/development/python-modules/django/5.nix @@ -41,14 +41,14 @@ buildPythonPackage rec { pname = "django"; - version = "5.2.14"; + version = "5.2.15"; pyproject = true; src = fetchFromGitHub { owner = "django"; repo = "django"; tag = version; - hash = "sha256-gb/4WL2VLoqRucpXuKyPsMSwKZ6gaxy5JA7QTeeazjk="; + hash = "sha256-K9yFHr3IkVNMqoeumESszVlju2fW2r8hS8z6M2OdVpE="; }; patches = [ diff --git a/pkgs/development/python-modules/fastapi/default.nix b/pkgs/development/python-modules/fastapi/default.nix index 9d5aea8559e58..3e29f81a9da26 100644 --- a/pkgs/development/python-modules/fastapi/default.nix +++ b/pkgs/development/python-modules/fastapi/default.nix @@ -45,14 +45,14 @@ buildPythonPackage rec { pname = "fastapi"; - version = "0.135.3"; + version = "0.136.3"; pyproject = true; src = fetchFromGitHub { owner = "tiangolo"; repo = "fastapi"; tag = version; - hash = "sha256-sE5d+MgmP9L+MUosRBsR+KSJkcC9i2EOOtKHq0sXjRM="; + hash = "sha256-lfmk8ZveKPukEEfwWq2mKtWmOHAtVzGuE5BsOskDzh0="; }; build-system = [ pdm-backend ]; diff --git a/pkgs/development/python-modules/fasthtml/default.nix b/pkgs/development/python-modules/fasthtml/default.nix index 3f47dd2ce5a75..12b9b77c04355 100644 --- a/pkgs/development/python-modules/fasthtml/default.nix +++ b/pkgs/development/python-modules/fasthtml/default.nix @@ -31,14 +31,14 @@ buildPythonPackage (finalAttrs: { pname = "fasthtml"; - version = "0.12.48"; + version = "0.13.3"; pyproject = true; src = fetchFromGitHub { owner = "AnswerDotAI"; repo = "fasthtml"; tag = finalAttrs.version; - hash = "sha256-lMAuIw4sMkS3XSG/0Bs0iQPSjMusbmjUKv0w4cINwas="; + hash = "sha256-PS5HGegC6pG/bJAGrKDsRYguBnNS9EDrZIjWvjErO4M="; }; build-system = [ diff --git a/pkgs/development/python-modules/frictionless/default.nix b/pkgs/development/python-modules/frictionless/default.nix index 80013e731fd4e..68edce923de38 100644 --- a/pkgs/development/python-modules/frictionless/default.nix +++ b/pkgs/development/python-modules/frictionless/default.nix @@ -195,7 +195,8 @@ buildPythonPackage rec { openpyxl xlrd ] - ++ lib.concatAttrValues optional-dependencies; + # datasette is transitively broken by asgi-csrf + ++ lib.concatAttrValues (lib.removeAttrs optional-dependencies [ "datasette" ]); disabledTestPaths = [ # Requires optional dependencies that have not been packaged (commented out above) diff --git a/pkgs/development/python-modules/linearmodels/default.nix b/pkgs/development/python-modules/linearmodels/default.nix index 9a5ae03ffe5f0..d67690e48774c 100644 --- a/pkgs/development/python-modules/linearmodels/default.nix +++ b/pkgs/development/python-modules/linearmodels/default.nix @@ -67,6 +67,8 @@ buildPythonPackage (finalAttrs: { preCheck = '' rm linearmodels/__init__.py + + export OMP_NUM_THREADS=1 ''; disabledTestPaths = [ diff --git a/pkgs/development/python-modules/mace-torch/default.nix b/pkgs/development/python-modules/mace-torch/default.nix index 3c8b486f643bc..4ed39d4797827 100644 --- a/pkgs/development/python-modules/mace-torch/default.nix +++ b/pkgs/development/python-modules/mace-torch/default.nix @@ -82,6 +82,10 @@ buildPythonPackage (finalAttrs: { writableTmpDirAsHomeHook ]; + preCheck = '' + export OMP_NUM_THREADS=1 + ''; + disabledTests = [ # _pickle.PickleError: ScriptFunction cannot be pickled "test_run_eval_fail_with_wrong_model" diff --git a/pkgs/development/python-modules/mistune/default.nix b/pkgs/development/python-modules/mistune/default.nix index a130857e1a71e..8cdfa4023ded4 100644 --- a/pkgs/development/python-modules/mistune/default.nix +++ b/pkgs/development/python-modules/mistune/default.nix @@ -8,14 +8,14 @@ buildPythonPackage rec { pname = "mistune"; - version = "3.2.0"; + version = "3.2.1"; pyproject = true; src = fetchFromGitHub { owner = "lepture"; repo = "mistune"; tag = "v${version}"; - hash = "sha256-rUEZNVuMT5+GsMakrkK6rshKSKtTTN72kK92AmQ8bl8="; + hash = "sha256-8AEEh/SWAk/Esq0jAoZGLw1FIQUw6C5Xq8CgnI2fjv0="; }; build-system = [ setuptools ]; diff --git a/pkgs/development/python-modules/openai-agents/default.nix b/pkgs/development/python-modules/openai-agents/default.nix index c09e4bb7db4f0..a35a81bdad58b 100644 --- a/pkgs/development/python-modules/openai-agents/default.nix +++ b/pkgs/development/python-modules/openai-agents/default.nix @@ -3,7 +3,7 @@ buildPythonPackage, fetchPypi, hatchling, - griffe, + griffelib, mcp, openai, pydantic, @@ -12,15 +12,15 @@ typing-extensions, }: -buildPythonPackage rec { +buildPythonPackage (finalAttrs: { pname = "openai-agents"; - version = "0.6.9"; + version = "0.17.6"; pyproject = true; src = fetchPypi { - inherit version; + inherit (finalAttrs) version; pname = "openai_agents"; - hash = "sha256-5VYjgntKGxHWbsAIS9K56ixtYPIz4EVHgDr0M5Z+L9s="; + hash = "sha256-/tlPjPDrTFfGOomtSxB5MtdfKgttnolciPo8IX5jyCI="; }; build-system = [ @@ -28,7 +28,7 @@ buildPythonPackage rec { ]; dependencies = [ - griffe + griffelib mcp openai pydantic @@ -42,10 +42,10 @@ buildPythonPackage rec { ]; meta = { - changelog = "https://github.com/openai/openai-agents-python/releases/tag/${version}"; + changelog = "https://github.com/openai/openai-agents-python/releases/tag/v${finalAttrs.version}"; homepage = "https://github.com/openai/openai-agents-python"; description = "Lightweight, powerful framework for multi-agent workflows"; license = lib.licenses.mit; maintainers = [ lib.maintainers.bryanhonof ]; }; -} +}) diff --git a/pkgs/development/python-modules/openai/default.nix b/pkgs/development/python-modules/openai/default.nix index ddfa0f3b8548d..41871cd05921b 100644 --- a/pkgs/development/python-modules/openai/default.nix +++ b/pkgs/development/python-modules/openai/default.nix @@ -51,14 +51,14 @@ buildPythonPackage rec { pname = "openai"; - version = "2.33.0"; + version = "2.41.1"; pyproject = true; src = fetchFromGitHub { owner = "openai"; repo = "openai-python"; tag = "v${version}"; - hash = "sha256-w2ejAJ+V7e4wYSQ/9+WdhO+XaYeSq8U/V5YXHSpn+rI="; + hash = "sha256-jSkBxZY5POlrznhBwFMR2NcL92uGRSYI6BDDC3C7RfU="; }; postPatch = ''substituteInPlace pyproject.toml --replace-fail "hatchling==1.26.3" "hatchling"''; @@ -129,6 +129,5 @@ buildPythonPackage rec { changelog = "https://github.com/openai/openai-python/blob/${src.tag}/CHANGELOG.md"; license = lib.licenses.asl20; maintainers = [ lib.maintainers.malo ]; - mainProgram = "openai"; }; } diff --git a/pkgs/development/python-modules/paramiko/default.nix b/pkgs/development/python-modules/paramiko/default.nix index 156fae9d96d04..6350ba2e5a8a5 100644 --- a/pkgs/development/python-modules/paramiko/default.nix +++ b/pkgs/development/python-modules/paramiko/default.nix @@ -30,6 +30,7 @@ buildPythonPackage rec { dependencies = [ bcrypt cryptography + invoke pynacl ]; @@ -39,7 +40,6 @@ buildPythonPackage rec { gssapi ]; ed25519 = [ ]; - invoke = [ invoke ]; }; nativeCheckInputs = [ diff --git a/pkgs/development/python-modules/pillow-heif/default.nix b/pkgs/development/python-modules/pillow-heif/default.nix index eea442596817a..cc00832bb662c 100644 --- a/pkgs/development/python-modules/pillow-heif/default.nix +++ b/pkgs/development/python-modules/pillow-heif/default.nix @@ -77,6 +77,17 @@ buildPythonPackage rec { disabledTests = [ # Time sensitive speed test, not reproducible "test_decode_threads" + # Tests failing with libheif 1.22.0. To be removed in the next release + # https://github.com/bigcat88/pillow_heif/issues/424 + # these check what happens when the ispe is not valid + "test_numpy_array_invalid_ispe" + "test_allow_incorrect_headers" + "test_invalid_ispe_ok" + "test_invalid_ispe_allow" + "test_invalid_ispe_stride" + "test_invalid_ispe_stride_pillow" + # disable version check for libheif + "test_libheif_info" ] ++ lib.optionals stdenv.hostPlatform.isDarwin [ # https://github.com/bigcat88/pillow_heif/issues/89 diff --git a/pkgs/development/python-modules/pyjwt/default.nix b/pkgs/development/python-modules/pyjwt/default.nix index 1d18045a863c9..74754630a145f 100644 --- a/pkgs/development/python-modules/pyjwt/default.nix +++ b/pkgs/development/python-modules/pyjwt/default.nix @@ -13,14 +13,14 @@ buildPythonPackage rec { pname = "pyjwt"; - version = "2.12.1"; + version = "2.13.0"; pyproject = true; src = fetchFromGitHub { owner = "jpadilla"; repo = "pyjwt"; tag = version; - hash = "sha256-wgOa5JhQT82ppoad6s8gPH7tGRNbbVWmJaaDF84d+r0="; + hash = "sha256-q4ynXCJVDsyZh70439dloyWgRTLVm+elDOahUVOT5vA="; }; outputs = [ diff --git a/pkgs/development/python-modules/python-multipart/default.nix b/pkgs/development/python-modules/python-multipart/default.nix index 4781d391f0a21..ed476d568dd85 100644 --- a/pkgs/development/python-modules/python-multipart/default.nix +++ b/pkgs/development/python-modules/python-multipart/default.nix @@ -2,10 +2,8 @@ lib, buildPythonPackage, fetchFromGitHub, - fetchpatch, hatchling, pytestCheckHook, - mock, pyyaml, # for passthru.tests @@ -18,32 +16,22 @@ buildPythonPackage (finalAttrs: { pname = "python-multipart"; - version = "0.0.22"; + version = "0.0.29"; pyproject = true; src = fetchFromGitHub { owner = "Kludex"; repo = "python-multipart"; tag = finalAttrs.version; - hash = "sha256-UegnwGxiXQalbp18t1dl2JOQH6BY975cpBa9uo3SOuk="; + hash = "sha256-1aV7gWLuulINesm3L8Wm3+prmeD9+OY/ihm36rtQPRs="; }; - patches = [ - (fetchpatch { - name = "CVE-2026-40347-part-1.patch"; - url = "https://github.com/Kludex/python-multipart/commit/6a7b76dd2653d99d8e5981d7ff09a4a047750b37.patch"; - hash = "sha256-W1nyYMMoaf+lsNze3ppPeAXN+swG1dScDibazePSt+k="; - }) - ./CVE-2026-40347-part-2.patch - ]; - build-system = [ hatchling ]; pythonImportsCheck = [ "python_multipart" ]; nativeCheckInputs = [ pytestCheckHook - mock pyyaml ]; diff --git a/pkgs/development/python-modules/rq/default.nix b/pkgs/development/python-modules/rq/default.nix index a53e08d86223c..0efb763e3694d 100644 --- a/pkgs/development/python-modules/rq/default.nix +++ b/pkgs/development/python-modules/rq/default.nix @@ -76,6 +76,10 @@ buildPythonPackage (finalAttrs: { # PermissionError: [Errno 13] Permission denied: '/tmp/rq-tests.txt' "test_deleted_jobs_arent_executed" "test_suspend_worker_execution" + ] + ++ lib.optionals stdenv.hostPlatform.isLinux [ + # no delay between reaping worker and checking; racy + "test_reap_workers" ]; pythonImportsCheck = [ "rq" ]; diff --git a/pkgs/development/python-modules/scikit-bio/default.nix b/pkgs/development/python-modules/scikit-bio/default.nix index 1190d875005a6..c909d8d66d08a 100644 --- a/pkgs/development/python-modules/scikit-bio/default.nix +++ b/pkgs/development/python-modules/scikit-bio/default.nix @@ -62,6 +62,10 @@ buildPythonPackage (finalAttrs: { pytestCheckHook ]; + preCheck = '' + export OMP_NUM_THREADS=1 + ''; + # only the $out dir contains the built cython extensions, so we run the tests inside there enabledTestPaths = [ "${placeholder "out"}/${python.sitePackages}/skbio" ]; diff --git a/pkgs/development/python-modules/starlette/default.nix b/pkgs/development/python-modules/starlette/default.nix index 219ce1e8b7a79..e66a5cf7a80d8 100644 --- a/pkgs/development/python-modules/starlette/default.nix +++ b/pkgs/development/python-modules/starlette/default.nix @@ -27,14 +27,14 @@ buildPythonPackage rec { pname = "starlette"; - version = "0.52.1"; + version = "1.1.0"; pyproject = true; src = fetchFromGitHub { owner = "encode"; repo = "starlette"; tag = version; - hash = "sha256-XPAeRnh9a0A1/5VGZzzGQBhlBsih1VR8QmFdkxG5cQE="; + hash = "sha256-9iQXlpA1VDGw1c7X1zJPmJ3Dub46PwqrVIX1+fWOZ7M="; }; build-system = [ hatchling ]; diff --git a/pkgs/development/python-modules/torch-geometric/default.nix b/pkgs/development/python-modules/torch-geometric/default.nix index 06863712e7c5b..839f5c8e02e5b 100644 --- a/pkgs/development/python-modules/torch-geometric/default.nix +++ b/pkgs/development/python-modules/torch-geometric/default.nix @@ -185,6 +185,10 @@ buildPythonPackage (finalAttrs: { writableTmpDirAsHomeHook ]; + preCheck = '' + export OMP_NUM_THREADS=1 + ''; + pytestFlags = [ # DeprecationWarning: Failing to pass a value to the 'type_params' parameter of # 'typing._eval_type' is deprecated, as it leads to incorrect behaviour when calling diff --git a/pkgs/development/python-modules/valkey/default.nix b/pkgs/development/python-modules/valkey/default.nix index 5674542e90165..dcccacb7d569c 100644 --- a/pkgs/development/python-modules/valkey/default.nix +++ b/pkgs/development/python-modules/valkey/default.nix @@ -40,11 +40,20 @@ buildPythonPackage rec { }; patches = [ + # valkey 9.0 compat (fetchpatch { - # valkey 9.0 compat url = "https://github.com/valkey-io/valkey-py/commit/c01505e547f614f278b882a016557b6ed652bb9f.patch"; hash = "sha256-rvA65inIioqdc+QV4KaaUv1I/TMZUq0TWaFJcJiy8NU="; }) + # valkey 9.1 compat + (fetchpatch { + url = "https://github.com/valkey-io/valkey-py/commit/df5c44903dc8e2dda733e5576324ba0ff8c4c6a0.patch"; + hash = "sha256-0wsWuaOYWBgf6BjlJuciZYRbugYfchTU2khQX7rtRJg="; + }) + (fetchpatch { + url = "https://github.com/valkey-io/valkey-py/commit/046c7fb9e8260c2d69d05141b1519903c4e40efe.patch"; + hash = "sha256-/yN1y0hbmBR6o6ab4h0qkn/qhU6jASOIeqWhxUi5w/I="; + }) ]; build-system = [ setuptools ]; diff --git a/pkgs/development/python-modules/x-transformers/default.nix b/pkgs/development/python-modules/x-transformers/default.nix index 16d3dff4fd61b..1496775f5eec8 100644 --- a/pkgs/development/python-modules/x-transformers/default.nix +++ b/pkgs/development/python-modules/x-transformers/default.nix @@ -42,6 +42,10 @@ buildPythonPackage (finalAttrs: { nativeCheckInputs = [ pytestCheckHook ]; + preCheck = '' + export OMP_NUM_THREADS=1 + ''; + # RuntimeError: torch.compile is not supported on Python 3.14+ disabledTests = lib.optionals (pythonAtLeast "3.14") [ "test_up" ]; diff --git a/pkgs/development/python-modules/xmltodict/default.nix b/pkgs/development/python-modules/xmltodict/default.nix index 9d1c01842a420..bd22bc108bbe4 100644 --- a/pkgs/development/python-modules/xmltodict/default.nix +++ b/pkgs/development/python-modules/xmltodict/default.nix @@ -8,14 +8,14 @@ buildPythonPackage rec { pname = "xmltodict"; - version = "1.0.2"; + version = "1.0.4"; pyproject = true; src = fetchFromGitHub { owner = "martinblech"; repo = "xmltodict"; tag = "v${version}"; - hash = "sha256-gnTNkh0GLfRmjMsLhfvpNrewfinNOhem0i3wzIZvKpA="; + hash = "sha256-G7hVtS6toUJC0YY1AXBOJSc3wnAZyWilLnT/5vvFRRw="; }; build-system = [ setuptools ]; diff --git a/pkgs/development/web/nodejs/nodejs.nix b/pkgs/development/web/nodejs/nodejs.nix index 343be8e147919..5fd5eeac69191 100644 --- a/pkgs/development/web/nodejs/nodejs.nix +++ b/pkgs/development/web/nodejs/nodejs.nix @@ -47,7 +47,7 @@ uvwasi, zlib, zstd, - icu, + icu78, bash, ninja, pkgconf, @@ -274,7 +274,7 @@ let # that use bash wrappers, e.g. polaris-web. buildInputs = [ bash - icu + icu78 ] ++ builtins.attrValues sharedLibDeps; diff --git a/pkgs/development/web/nodejs/v24.nix b/pkgs/development/web/nodejs/v24.nix index 69004825bea27..914ab1479370a 100644 --- a/pkgs/development/web/nodejs/v24.nix +++ b/pkgs/development/web/nodejs/v24.nix @@ -23,8 +23,8 @@ let [ ]; in buildNodejs { - version = "24.15.0"; - sha256 = "a4f653d79ed140aaad921e8c22a3b585ca85cfdab80d4030f6309e4663a8a1c8"; + version = "24.16.0"; + sha256 = "2ff84a6de70b6165290111b0fc656ded1ad207a799816fe720cc7c31232df30f"; patches = ( if (stdenv.hostPlatform.emulatorAvailable buildPackages) then @@ -56,13 +56,6 @@ buildNodejs { ./use-correct-env-in-tests.patch ./bin-sh-node-run-v22.patch ./use-nix-codesign.patch - # https://github.com/NixOS/nixpkgs/pull/507974#issuecomment-4249433124 - # OpenSSL reports different errors - # https://github.com/nodejs/node/pull/62629 - (fetchpatch2 { - url = "https://github.com/nodejs/node/commit/dd25d8f29d3ddadcf5a5ebfdf98ece55f9df96c6.patch?full_index=1"; - hash = "sha256-6cxRN7TyWmJgUZt3jp2YXbVIjrDb2BNep5LxBOtT3Q0="; - }) # Patch for nghttp2 1.69 support (fetchpatch2 { diff --git a/pkgs/os-specific/linux/kernel/kernels-org.json b/pkgs/os-specific/linux/kernel/kernels-org.json index d3dd8012c5089..54ff5434cfe31 100644 --- a/pkgs/os-specific/linux/kernel/kernels-org.json +++ b/pkgs/os-specific/linux/kernel/kernels-org.json @@ -30,8 +30,8 @@ "lts": true }, "6.18": { - "version": "6.18.35", - "hash": "sha256:0dpjprjzc4w44kw49jcgx1ffrm6gxn2gsnsz3hhmw4hr4a9h51pp", + "version": "6.18.36", + "hash": "sha256:0kn4r43lnd5nb5c298b30030qyaxv05s7k40n9si1j3iyk4qdazv", "lts": true }, "7.0": { diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index f0fb666cd8de3..4d91ed2e72a54 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -201,13 +201,13 @@ let in stdenv.mkDerivation (finalAttrs: { inherit pname; - version = "260.1"; + version = "260.2"; src = fetchFromGitHub { owner = "systemd"; repo = "systemd"; rev = "v${finalAttrs.version}"; - hash = "sha256-FUKj3lvjz8TIsyu8NyJYtiNele+1BhdJPdw7r7nW6as="; + hash = "sha256-NXmmSV7/9WIW6C8wjdOwaerCy4v7Zcrd8+XDzcS8rEk="; }; # PATCH POLICY diff --git a/pkgs/pkgs-lib/formats.nix b/pkgs/pkgs-lib/formats.nix index 98750c6c2ad21..e5f941af37709 100644 --- a/pkgs/pkgs-lib/formats.nix +++ b/pkgs/pkgs-lib/formats.nix @@ -146,14 +146,14 @@ optionalAttrs allowAliases aliases runCommand name { nativeBuildInputs = [ jq ]; - value = toJSON value; + inherit value; preferLocalBuild = true; __structuredAttrs = true; } + # NIX_ATTRS_JSON_FILE won't have `value` if it's null, but jq returns null for missing properties anyway + # jsonNull test keeps this in check '' - valuePath="$TMPDIR/value" - printf "%s" "$value" > "$valuePath" - jq . "$valuePath" > $out + jq .value "$NIX_ATTRS_JSON_FILE" > $out '' ) { }; @@ -171,14 +171,16 @@ optionalAttrs allowAliases aliases runCommand name { nativeBuildInputs = [ remarshal_0_17 ]; - value = toJSON value; + inherit value; preferLocalBuild = true; __structuredAttrs = true; } '' - valuePath="$TMPDIR/value" - printf "%s" "$value" > "$valuePath" - json2yaml "$valuePath" "$out" + json2yaml ${ + # attributes with null values are omitted from the JSON with structured attrs + # yaml_1_1Null test keeps this in check + if value == null then ''<(echo "null")'' else ''--unwrap value "$NIX_ATTRS_JSON_FILE"'' + } "$out" '' ) { }; @@ -196,14 +198,16 @@ optionalAttrs allowAliases aliases runCommand name { nativeBuildInputs = [ remarshal ]; - value = toJSON value; + inherit value; preferLocalBuild = true; __structuredAttrs = true; } '' - valuePath="$TMPDIR/value" - printf "%s" "$value" > "$valuePath" - json2yaml "$valuePath" "$out" + json2yaml ${ + # attributes with null values are omitted from the JSON with structured attrs + # yaml_1_2Null test keeps this in check + if value == null then ''<(echo "null")'' else ''--unwrap value "$NIX_ATTRS_JSON_FILE"'' + } "$out" '' ) { }; @@ -958,8 +962,10 @@ optionalAttrs allowAliases aliases python3 black ]; - imports = toJSON (value._imports or [ ]); - value = toJSON (removeAttrs value [ "_imports" ]); + imports = value._imports or [ ]; + # value must be an attrset, type would verify that, + # otherwise removeAttrs will fail. + value = removeAttrs value [ "_imports" ]; pythonGen = pkgs.writeText "pythonGen" '' import json import os @@ -982,26 +988,20 @@ optionalAttrs allowAliases aliases else: return repr(value) - with open(os.environ["importsPath"], "r") as f: - imports = json.load(f) - if imports is not None: - for i in imports: + with open(os.environ["NIX_ATTRS_JSON_FILE"], "r") as f: + attrs = json.load(f) + if attrs["imports"] is not None: + for i in attrs["imports"]: print(f"import {i}") print() - with open(os.environ["valuePath"], "r") as f: - for key, value in json.load(f).items(): + for key, value in attrs["value"].items(): print(f"{key} = {recursive_repr(value)}") ''; preferLocalBuild = true; __structuredAttrs = true; } '' - export importsPath="$TMPDIR/imports" - printf "%s" "$imports" > "$importsPath" - export valuePath="$TMPDIR/value" - printf "%s" "$value" > "$valuePath" - cat "$valuePath" python3 "$pythonGen" > $out black $out '' @@ -1015,7 +1015,13 @@ optionalAttrs allowAliases aliases }: if format == "badgerfish" then { - type = serializableValueWith { typeName = "XML"; }; + type = + attrsOf (serializableValueWith { + typeName = "XML"; + }) + // { + description = "XML value"; + }; generate = name: value: @@ -1031,14 +1037,16 @@ optionalAttrs allowAliases aliases python3Packages.xmltodict libxml2Python ]; - value = toJSON value; + inherit value; pythonGen = pkgs.writeText "pythonGen" '' import json import os import xmltodict - with open(os.environ["valuePath"], "r") as f: - print(xmltodict.unparse(json.load(f), full_document=${ + with open(os.environ["NIX_ATTRS_JSON_FILE"], "r") as f: + value = json.load(f).get("value") + assert type(value) is dict, "value must be an attrset" + print(xmltodict.unparse(value, full_document=${ if withHeader then "True" else "False" }, pretty=True, indent=" " * 2)) ''; @@ -1046,8 +1054,6 @@ optionalAttrs allowAliases aliases __structuredAttrs = true; } '' - export valuePath="$TMPDIR/value" - printf "%s" "$value" > "$valuePath" python3 "$pythonGen" > $out xmllint $out > /dev/null '' diff --git a/pkgs/pkgs-lib/formats/configobj/default.nix b/pkgs/pkgs-lib/formats/configobj/default.nix index 8179c4412e5fc..227d8e7aa9903 100644 --- a/pkgs/pkgs-lib/formats/configobj/default.nix +++ b/pkgs/pkgs-lib/formats/configobj/default.nix @@ -3,10 +3,6 @@ pkgs, }: let - inherit (lib) - toJSON - ; - inherit (lib.types) serializableValueWith ; @@ -25,12 +21,12 @@ in (pkgs.python3.withPackages (ps: [ ps.configobj ])) ]; - valuesJSON = toJSON value; + inherit value; __structuredAttrs = true; strictDeps = true; } '' - printf "%s" "$valuesJSON" | python3 ${./generate.py} > "$out" + python3 ${./generate.py} > "$out" ''; }; } diff --git a/pkgs/pkgs-lib/formats/configobj/generate.py b/pkgs/pkgs-lib/formats/configobj/generate.py index 5863396c120dd..e531e68a4fbb7 100644 --- a/pkgs/pkgs-lib/formats/configobj/generate.py +++ b/pkgs/pkgs-lib/formats/configobj/generate.py @@ -1,7 +1,10 @@ import json +import os import sys from configobj import ConfigObj config = ConfigObj(interpolation=False, encoding="UTF8") -config.update(json.load(sys.stdin)) +with open(os.environ["NIX_ATTRS_JSON_FILE"]) as f: + value = json.load(f).get("value") +config.update(value) config.write(sys.stdout.buffer) diff --git a/pkgs/pkgs-lib/tests/formats.nix b/pkgs/pkgs-lib/tests/formats.nix index 1b10f13610389..b03b44c991505 100644 --- a/pkgs/pkgs-lib/tests/formats.nix +++ b/pkgs/pkgs-lib/tests/formats.nix @@ -142,6 +142,14 @@ runBuildTests { ''; }; + jsonNull = shouldPass { + format = formats.json { }; + input = null; + expected = '' + null + ''; + }; + yaml_1_1Atoms = shouldPass { format = formats.yaml_1_1 { }; input = { @@ -176,6 +184,15 @@ runBuildTests { ''; }; + yaml_1_1Null = shouldPass { + format = formats.yaml_1_1 { }; + input = null; + expected = '' + null + ... + ''; + }; + yaml_1_2Atoms = shouldPass { format = formats.yaml_1_2 { }; input = { @@ -210,6 +227,16 @@ runBuildTests { ''; }; + yaml_1_2Null = shouldPass { + format = formats.yaml_1_2 { }; + input = null; + # nixfmt insists on removing indentation, so force it with ${" "} + expected = '' + + ${" "}null + ''; + }; + iniAtoms = shouldPass { format = formats.ini { }; input = { @@ -884,6 +911,14 @@ runBuildTests { ''; }; + cdnNull = shouldPass { + format = formats.cdn { }; + input = null; + expected = '' + null: null + ''; + }; + # This test is responsible for # 1. testing type coercions # 2. providing a more readable example test @@ -994,6 +1029,14 @@ runBuildTests { ''; }; + luaNull = shouldPass { + format = formats.lua { }; + input = null; + expected = '' + return nil + ''; + }; + nixConfAtoms = shouldPass { format = formats.nixConf { package = pkgs.nix; @@ -1019,6 +1062,15 @@ runBuildTests { ''; }; + nixConfNull = shouldFail { + format = formats.nixConf { + package = pkgs.nix; + version = pkgs.nix.version; + extraOptions = "ignore-try = false"; + }; + input = null; + }; + phpAtoms = shouldPass rec { format = formats.php { finalVariable = "config"; }; input = { @@ -1048,6 +1100,16 @@ runBuildTests { ''; }; + phpNull = shouldPass { + format = formats.php { finalVariable = "config"; }; + input = null; + expected = '' + ''; }; + PlistNull = shouldPass { + format = formats.plist { }; + input = null; + expected = '' + + + + + ''; + }; + hcl1Atoms = shouldPass { format = formats.hcl1 { }; input = { diff --git a/pkgs/servers/home-assistant/default.nix b/pkgs/servers/home-assistant/default.nix index 5ca1e26dfea4c..8de81bf72298e 100644 --- a/pkgs/servers/home-assistant/default.nix +++ b/pkgs/servers/home-assistant/default.nix @@ -324,6 +324,9 @@ python3Packages.buildPythonApplication rec { (replaceVars ./patches/ffmpeg-path.patch { ffmpeg = "${lib.getExe ffmpeg-headless}"; }) + + # https://github.com/home-assistant/core/pull/172893 + ./patches/pyjwt-2.13-compat.patch ]; postPatch = '' diff --git a/pkgs/servers/home-assistant/patches/pyjwt-2.13-compat.patch b/pkgs/servers/home-assistant/patches/pyjwt-2.13-compat.patch new file mode 100644 index 0000000000000..4f72df241c555 --- /dev/null +++ b/pkgs/servers/home-assistant/patches/pyjwt-2.13-compat.patch @@ -0,0 +1,48 @@ +diff --git a/homeassistant/auth/__init__.py b/homeassistant/auth/__init__.py +index d4b86febd1d..0edd0edd69b 100644 +--- a/homeassistant/auth/__init__.py ++++ b/homeassistant/auth/__init__.py +@@ -656,6 +656,8 @@ class AuthManager: + try: + unverif_claims = jwt_wrapper.unverified_hs256_token_decode(token) + except jwt.InvalidTokenError: ++ # PyJWT 2.13 raises InvalidKeyError (not an InvalidTokenError) when ++ # the refresh token's key has been removed and is therefore empty. + return None + + refresh_token = self.async_get_refresh_token( +@@ -673,7 +675,7 @@ class AuthManager: + jwt_wrapper.verify_and_decode( + token, jwt_key, leeway=10, issuer=issuer, algorithms=["HS256"] + ) +- except jwt.InvalidTokenError: ++ except jwt.InvalidTokenError, jwt.InvalidKeyError: + return None + + if refresh_token is None or not refresh_token.user.is_active: +diff --git a/homeassistant/components/html5/notify.py b/homeassistant/components/html5/notify.py +index 24b395748d8..3424749e86d 100644 +--- a/homeassistant/components/html5/notify.py ++++ b/homeassistant/components/html5/notify.py +@@ -327,7 +327,7 @@ class HTML5PushCallbackView(HomeAssistantView): + if target_check.get(ATTR_TARGET) in self.registrations: + possible_target = self.registrations[target_check[ATTR_TARGET]] + key = possible_target["subscription"]["keys"]["auth"] +- with suppress(jwt.exceptions.DecodeError), warnings.catch_warnings(): ++ with suppress(jwt.exceptions.DecodeError, jwt.exceptions.InvalidKeyError), warnings.catch_warnings(): + warnings.simplefilter("ignore", InsecureKeyLengthWarning) + return jwt.decode(token, key, algorithms=["ES256", "HS256"]) + +diff --git a/tests/components/elmax/conftest.py b/tests/components/elmax/conftest.py +index 02f01036996..c9c3f13e9e3 100644 +--- a/tests/components/elmax/conftest.py ++++ b/tests/components/elmax/conftest.py +@@ -82,7 +82,7 @@ def httpx_mock_direct_fixture(base_uri: str) -> Generator[respx.MockRouter]: + expiration = datetime.now() + timedelta(hours=1) + decoded_jwt["payload"]["exp"] = int(expiration.timestamp()) + jws_string = jwt.encode( +- payload=decoded_jwt["payload"], algorithm="HS256", key="" ++ payload=decoded_jwt["payload"], algorithm="HS256", key="test" + ) + login_json["token"] = f"JWT {jws_string}" + login_route.return_value = Response(200, json=login_json) diff --git a/pkgs/tools/compression/bzip2/default.nix b/pkgs/tools/compression/bzip2/default.nix index de15b36aef1ce..11d964fd2f067 100644 --- a/pkgs/tools/compression/bzip2/default.nix +++ b/pkgs/tools/compression/bzip2/default.nix @@ -30,6 +30,9 @@ stdenv.mkDerivation ( patchFlags = [ "-p0" ]; patches = [ + # https://sourceware.org/cgit/bzip2/patch/?id=35d122a3df8b0cc4082a4d89fdc6ee99f375fe67 + ./patches/CVE-2026-42250.patch + ./patches/bzip2-1.0.6.2-autoconfiscated.patch ]; # Fix up hardcoded version from the above patch, e.g. seen in bzip2.pc or libbz2.so.1.0.N diff --git a/pkgs/tools/compression/bzip2/patches/CVE-2026-42250.patch b/pkgs/tools/compression/bzip2/patches/CVE-2026-42250.patch new file mode 100644 index 0000000000000..db16326cdeb70 --- /dev/null +++ b/pkgs/tools/compression/bzip2/patches/CVE-2026-42250.patch @@ -0,0 +1,34 @@ +From 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67 Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Thu, 28 May 2026 16:15:45 +0200 +Subject: bzip2recover: Make sure to not process more than + BZ_MAX_HANDLED_BLOCKS + +There is an off-by-one in the check before calling tooManyBlocks. This +causes the scanning loop to run one more time and cause a possible +read or write one past the global bStart, bEnd, rbStart and rbEnd +buffers. There are no known exploits of this issue and you will need +to compile with something like gcc -fsanitize=address (ASAN +AddressSanitizer) to observe the faulty read/write. + +This has been assigned CVE-2026-42250. +--- + bzip2recover.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git bzip2recover.c bzip2recover.c +index a8131e0..4b1c219 100644 +--- bzip2recover.c ++++ bzip2recover.c +@@ -402,7 +402,7 @@ Int32 main ( Int32 argc, Char** argv ) + rbEnd[rbCtr] = bEnd[currBlock]; + rbCtr++; + } +- if (currBlock >= BZ_MAX_HANDLED_BLOCKS) ++ if (currBlock >= BZ_MAX_HANDLED_BLOCKS - 1) + tooManyBlocks(BZ_MAX_HANDLED_BLOCKS); + currBlock++; + +-- +cgit + diff --git a/pkgs/tools/package-management/lix/common-lix.nix b/pkgs/tools/package-management/lix/common-lix.nix index 9e400afd6b066..d5277055efd26 100644 --- a/pkgs/tools/package-management/lix/common-lix.nix +++ b/pkgs/tools/package-management/lix/common-lix.nix @@ -126,6 +126,19 @@ let '' substitute $inputPath $out --replace-fail @deps@ "$(cat ${deps})" ''; + + # https://github.com/NixOS/nixpkgs/pull/525953 backported a performance patch + # that /somehow/ breaks Lix unit tests. + # FIXME revert when the patch is gone in curl drv + curl-fixed = curl.overrideAttrs ( + { + patches ? [ ], + ... + }: + { + patches = lib.filter (patch: !lib.strings.hasSuffix "fix-wakeup-consumption.patch" patch) patches; + } + ); in # gcc miscompiles coroutines at least until 13.2, possibly longer # do not remove this check unless you are sure you (or your users) will not report bugs to Lix upstream about GCC miscompilations. @@ -243,14 +256,14 @@ stdenv.mkDerivation (finalAttrs: { ++ lib.optionals stdenv.hostPlatform.isLinux [ util-linuxMinimal ] ++ lib.optionals (lib.versionAtLeast version "2.94") [ zstd ] ++ lib.optionals (withPlugins && finalAttrs.doInstallCheck) [ - curl + curl-fixed ]; buildInputs = [ boost brotli bzip2 - curl + curl-fixed capnproto editline openssl diff --git a/pkgs/tools/text/gnupatch/default.nix b/pkgs/tools/text/gnupatch/default.nix index 99a801c4cc8ef..188ac323543f3 100644 --- a/pkgs/tools/text/gnupatch/default.nix +++ b/pkgs/tools/text/gnupatch/default.nix @@ -15,8 +15,10 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-+Hzuae7CtPy/YKOWsDCtaqNBXxkqpffuhMrV4R9/WuM="; }; - # This test is filesystem-dependent - observed failing on ZFS - postPatch = lib.optionalString stdenv.hostPlatform.isFreeBSD '' + # This test is filesystem-dependent - observed failing on ZFS. + # It is also just plain flaky: it has been observed failing about 10% + # of the time on btrfs and ext4 too. + postPatch = '' sed -E -i -e '/bad-filenames/d' tests/Makefile.am ''; diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index f1f6a4e1db58a..69a3670c18e9c 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix @@ -1685,6 +1685,7 @@ mapAliases { open-stage-control = throw "'open-stage-control' has been removed due to being broken for more than a year; see RFC 180"; # Added 2026-05-04 open-timeline-io = warnAlias "'open-timeline-io' has been renamed to 'opentimelineio'" opentimelineio; # Added 2025-08-10 openafs_1_8 = throw "'openafs_1_8' has been renamed to/replaced by 'openafs'"; # Converted to throw 2025-10-27 + openai = throw "'openai' has been removed, since upstream removed the legacy CLI in v2.35.0; use 'python3Packages.openai' instead"; # Added 2026-06-10 openai-triton-llvm = throw "'openai-triton-llvm' has been renamed to/replaced by 'triton-llvm'"; # Converted to throw 2025-10-27 openai-whisper-cpp = throw "'openai-whisper-cpp' has been renamed to/replaced by 'whisper-cpp'"; # Converted to throw 2025-10-27 openalSoft = warnAlias "'openalSoft' has been renamed to 'openal-soft'" openal-soft; # Added 2026-02-09 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index faeef85638508..4bb26534613f3 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5306,8 +5306,6 @@ with pkgs; sdk = true; }; - openai = with python3Packages; toPythonApplication openai; - openai-whisper = with python3.pkgs; toPythonApplication openai-whisper; oprofile = callPackage ../development/tools/profiling/oprofile { @@ -6510,8 +6508,8 @@ with pkgs; zunclient = with python313Packages; toPythonApplication python-zunclient; inherit (callPackages ../by-name/li/libressl { }) - libressl_4_1 libressl_4_2 + libressl_4_3 ; openssl = openssl_3_6; diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix index 5b7a40a4a6dc8..3cf8a274f5832 100644 --- a/pkgs/top-level/perl-packages.nix +++ b/pkgs/top-level/perl-packages.nix @@ -16662,12 +16662,12 @@ with self; }; }; - HTTPDaemon = buildPerlPackage { + HTTPDaemon = buildPerlModule { pname = "HTTP-Daemon"; - version = "6.16"; + version = "6.17"; src = fetchurl { - url = "mirror://cpan/authors/id/O/OA/OALDERS/HTTP-Daemon-6.16.tar.gz"; - hash = "sha256-s40JJyXm+k4MTcKkfhVwcEkbr6Db4Wx4o1joBqp+Fz0="; + url = "mirror://cpan/authors/id/O/OA/OALDERS/HTTP-Daemon-6.17.tar.gz"; + hash = "sha256-FigVgMQOIxCNAoQ0aYtdfVNje/kEyd+CJIHiU8vskgw="; }; buildInputs = [ ModuleBuildTiny @@ -22106,6 +22106,12 @@ with self; url = "mirror://cpan/authors/id/I/IS/ISHIGAKI/Module-CPANTS-Analyse-1.02.tar.gz"; hash = "sha256-nhFzm5zQi6LXWllzfx+yl/RYA/KJBjxcdZv8eP1Rbns="; }; + + # Fails with 'symlinks not listed in MANIFEST is not ignored for a non-local distribution' + postPatch = '' + rm -f t/analyse/manifest.t + ''; + propagatedBuildInputs = [ ArchiveAnyLite ArrayDiff