From b6c8359810152534c8e6bda471e17847d279ef7e Mon Sep 17 00:00:00 2001 From: Aliaksandr Date: Thu, 12 Feb 2026 02:14:41 +0200 Subject: [PATCH 001/133] bind: add json_c for JSON statistics channel support bind_exporter 0.8.0 defaults to the JSON statistics channel instead of XML. This requires BIND to be compiled with json-c support. Without this, BIND returns 404 for /json/v1/server requests, causing the prometheus-bind-exporter to fail to retrieve metrics. --- pkgs/by-name/bi/bind/package.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/by-name/bi/bind/package.nix b/pkgs/by-name/bi/bind/package.nix index aa435fcb2feb0..43a6c1ce1dcb1 100644 --- a/pkgs/by-name/bi/bind/package.nix +++ b/pkgs/by-name/bi/bind/package.nix @@ -9,6 +9,7 @@ libidn2, libtool, libxml2, + json_c, openssl, liburcu, libuv, @@ -59,6 +60,7 @@ stdenv.mkDerivation (finalAttrs: { libidn2 libtool libxml2 + json_c openssl liburcu libuv From 95d571d0f5e203e6b7238c4251f2364a29c97765 Mon Sep 17 00:00:00 2001 From: Aliaksandr Date: Thu, 12 Feb 2026 02:14:47 +0200 Subject: [PATCH 002/133] prometheus-bind-exporter: 0.7.0 -> 0.8.0 https://github.com/prometheus-community/bind_exporter/releases/tag/v0.8.0 Changelog: - [CHANGE] Drop XML statistics v2 support - [CHANGE] Deprecate collection of task stats by default - [CHANGE] Update logging library - [ENHANCEMENT] Add metric rpz_rewrites - [BUGFIX] Make log level configurable via command-line flag The exporter now defaults to JSON statistics channel instead of XML. --- pkgs/by-name/pr/prometheus-bind-exporter/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/pr/prometheus-bind-exporter/package.nix b/pkgs/by-name/pr/prometheus-bind-exporter/package.nix index 1749028329e98..b135449f097b9 100644 --- a/pkgs/by-name/pr/prometheus-bind-exporter/package.nix +++ b/pkgs/by-name/pr/prometheus-bind-exporter/package.nix @@ -7,16 +7,16 @@ buildGoModule rec { pname = "bind_exporter"; - version = "0.7.0"; + version = "0.8.0"; src = fetchFromGitHub { rev = "v${version}"; owner = "prometheus-community"; repo = "bind_exporter"; - sha256 = "sha256-x/XGatlXCKo9cI92JzFItApsjuZAfZX+8IZRpy7PVUo="; + sha256 = "sha256-r1P+zy3iMgPmfvIBgycW8KS0gfNOxCT9YMmHdeY4uXA="; }; - vendorHash = "sha256-f0ei/zotOj5ebURAOWUox/7J3jS2abQ5UgjninI9nRk="; + vendorHash = "sha256-/fPj5LOe3QdnVPdtYdaqtnGMJ7/SZ458mpvjwO8TxEI="; passthru.tests = { inherit (nixosTests.prometheus-exporters) bind; }; From d9a2e3b3c0ba8d4edf67475e1c64b00202cc58c6 Mon Sep 17 00:00:00 2001 From: Aliaksandr Date: Thu, 12 Feb 2026 02:14:53 +0200 Subject: [PATCH 003/133] nixos/prometheus-exporters/bind: update for bind_exporter 0.8.0 - Change default bindVersion from 'auto' to 'json' (new upstream default) - Add 'json' and 'xml' to bindVersion enum options - Remove deprecated 'xml.v2' option (dropped in 0.8.0) --- .../services/monitoring/prometheus/exporters/bind.nix | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/nixos/modules/services/monitoring/prometheus/exporters/bind.nix b/nixos/modules/services/monitoring/prometheus/exporters/bind.nix index 3390374172c4a..935ebff7e5bdf 100644 --- a/nixos/modules/services/monitoring/prometheus/exporters/bind.nix +++ b/nixos/modules/services/monitoring/prometheus/exporters/bind.nix @@ -17,7 +17,7 @@ in type = types.str; default = "http://localhost:8053/"; description = '' - HTTP XML API address of an Bind server. + HTTP API address of a BIND server. ''; }; bindTimeout = mkOption { @@ -29,13 +29,14 @@ in }; bindVersion = mkOption { type = types.enum [ - "xml.v2" + "json" + "xml" "xml.v3" "auto" ]; - default = "auto"; + default = "json"; description = '' - BIND statistics version. Can be detected automatically. + BIND statistics version. Defaults to JSON. ''; }; bindGroups = mkOption { From f9e4559b773822abfa1c3a8decc9377144aa3bb2 Mon Sep 17 00:00:00 2001 From: Aliaksandr Date: Thu, 12 Feb 2026 02:14:58 +0200 Subject: [PATCH 004/133] nixosTests.prometheus-exporters.bind: check bind_up metric Check for 'bind_up 1' instead of 'bind_query_recursions_total 0'. The bind_query_recursions_total metric is only emitted when there have been recursive queries. In a fresh BIND instance with no traffic, this counter doesn't exist. The bind_up metric reliably indicates that the exporter successfully connected to BIND's statistics channel. --- nixos/tests/prometheus-exporters.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/tests/prometheus-exporters.nix b/nixos/tests/prometheus-exporters.nix index 6383f1b54cfd7..3f8d5fa611104 100644 --- a/nixos/tests/prometheus-exporters.nix +++ b/nixos/tests/prometheus-exporters.nix @@ -108,7 +108,7 @@ let wait_for_unit("prometheus-bind-exporter.service") wait_for_open_port(9119) succeed( - "curl -sSf http://localhost:9119/metrics | grep 'bind_query_recursions_total 0'" + "curl -sSf http://localhost:9119/metrics | grep 'bind_up 1'" ) ''; }; From bff3d1a971098e1a7e2ae1c7a1de31f7e04a1d66 Mon Sep 17 00:00:00 2001 From: Tom Herbers Date: Mon, 15 Jun 2026 21:38:42 +0200 Subject: [PATCH 005/133] libgit2: add withExperimentalSha256 argument --- pkgs/by-name/li/libgit2/package.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkgs/by-name/li/libgit2/package.nix b/pkgs/by-name/li/libgit2/package.nix index 568fa09201aa4..c17240378a92d 100644 --- a/pkgs/by-name/li/libgit2/package.nix +++ b/pkgs/by-name/li/libgit2/package.nix @@ -17,6 +17,7 @@ gitstatus, llhttp, withGssapi ? false, + withExperimentalSha256 ? false, krb5, }: @@ -43,6 +44,7 @@ stdenv.mkDerivation (finalAttrs: { "-DUSE_HTTP_PARSER=llhttp" "-DUSE_SSH=ON" (lib.cmakeBool "USE_GSSAPI" withGssapi) + (lib.cmakeBool "EXPERIMENTAL_SHA256" withExperimentalSha256) "-DBUILD_SHARED_LIBS=${if staticBuild then "OFF" else "ON"}" ] ++ lib.optionals stdenv.hostPlatform.isWindows [ @@ -89,6 +91,13 @@ stdenv.mkDerivation (finalAttrs: { ) ''; + postInstall = lib.optionalString withExperimentalSha256 '' + # Downstream Rust bindings (git2-rs / git2-sys) expect experimental headers + # to be located at 'git2/experimental.h', but upstream libgit2 installs them + # into 'git2-experimental/' when EXPERIMENTAL_SHA256 is enabled. + ln -s git2-experimental $dev/include/git2 + ''; + passthru.tests = lib.mapAttrs (_: v: v.override { libgit2 = finalAttrs.finalPackage; }) { inherit libgit2-glib; inherit (python3Packages) pygit2; From 78067eb5942286a9ade63cdfc6c107c9710b563f Mon Sep 17 00:00:00 2001 From: Tom Herbers Date: Sun, 14 Jun 2026 12:18:42 +0200 Subject: [PATCH 006/133] gram: 2.1.2 -> 2.2.0 Changelog: https://codeberg.org/GramEditor/gram/releases/tag/2.2.0 --- pkgs/by-name/gr/gram/package.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/by-name/gr/gram/package.nix b/pkgs/by-name/gr/gram/package.nix index 6d6f84306f331..48a4664be6fd1 100644 --- a/pkgs/by-name/gr/gram/package.nix +++ b/pkgs/by-name/gr/gram/package.nix @@ -31,7 +31,7 @@ rustPlatform.buildRustPackage (finalAttrs: { pname = "gram"; - version = "2.1.2"; + version = "2.2.0"; outputs = [ "out" @@ -44,7 +44,7 @@ rustPlatform.buildRustPackage (finalAttrs: { owner = "GramEditor"; repo = "gram"; tag = finalAttrs.version; - hash = "sha256-7FzAvC/JMMIFcuTGkL2Ju644UAIsneOMhiDUFnQske4="; + hash = "sha256-w0uZ2qAc3Tt6QVRAX97LWW9aOs02fG1SEYCDhpUhinE="; }; postPatch = '' @@ -54,7 +54,7 @@ rustPlatform.buildRustPackage (finalAttrs: { --replace-fail '$CARGO_ABOUT_VERSION' '${cargo-about.version}' ''; - cargoHash = "sha256-feESY8ALSG3xa906HBc4pOKGerQ1jF7VUxzvUcsZbrY="; + cargoHash = "sha256-+lmDbawAIRllC7LzGJ9qPMtHXPd5aMoul47YOA7nfXA="; __structuredAttrs = true; @@ -71,7 +71,7 @@ rustPlatform.buildRustPackage (finalAttrs: { dontUseCmakeConfigure = true; buildInputs = [ - libgit2 + (libgit2.override { withExperimentalSha256 = true; }) openssl sqlite zlib From 2e23af70a8e4528205b3f45472bdb5007e4ab0bc Mon Sep 17 00:00:00 2001 From: Oskar Philipsson Date: Mon, 17 Nov 2025 08:51:40 +0100 Subject: [PATCH 007/133] nixos/systemd-initrd: add systemd.*.services.path to initrd store --- nixos/modules/system/boot/systemd/initrd.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix index f242cb8c6a5bd..6a52b920c2e25 100644 --- a/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixos/modules/system/boot/systemd/initrd.nix @@ -124,6 +124,16 @@ let jobScripts = concatLists ( mapAttrsToList (_: unit: unit.jobScripts or [ ]) (filterAttrs (_: v: v.enable) cfg.services) ); + unitEnv = pkgs.buildEnv { + name = "initrd-unit-env"; + paths = concatLists ( + mapAttrsToList (_: unit: unit.path or [ ]) (filterAttrs (_: v: v.enable) cfg.services) + ); + pathsToLink = [ + "/bin" + "/sbin" + ]; + }; stage1Units = generateUnits { type = "initrd"; @@ -636,6 +646,7 @@ in "${pkgs.bashNonInteractive}/bin" ] ++ jobScripts + ++ [ unitEnv ] ++ map (c: removeAttrs c [ "text" ]) (builtins.attrValues cfg.contents) ++ lib.optional (pkgs.stdenv.hostPlatform.libc == "glibc") "${pkgs.glibc}/lib/libnss_files.so.2"; From 494b92013764b1e576cdcc4231c31140c949adc6 Mon Sep 17 00:00:00 2001 From: Jost Alemann Date: Thu, 18 Jun 2026 21:17:37 +0200 Subject: [PATCH 008/133] ruff: 0.15.17 -> 0.15.18 Changelog: https://github.com/astral-sh/ruff/releases/tag/0.15.18 Diff: https://github.com/astral-sh/ruff/compare/0.15.17...0.15.18 --- pkgs/by-name/ru/ruff/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/ru/ruff/package.nix b/pkgs/by-name/ru/ruff/package.nix index 8aa8f51b82736..ca5d024755088 100644 --- a/pkgs/by-name/ru/ruff/package.nix +++ b/pkgs/by-name/ru/ruff/package.nix @@ -16,7 +16,7 @@ rustPlatform.buildRustPackage (finalAttrs: { pname = "ruff"; - version = "0.15.17"; + version = "0.15.18"; __structuredAttrs = true; @@ -24,12 +24,12 @@ rustPlatform.buildRustPackage (finalAttrs: { owner = "astral-sh"; repo = "ruff"; tag = finalAttrs.version; - hash = "sha256-+UsKRBe+lp/LdsmK/W11wCt2RypEryA5eBPb01OKCJw="; + hash = "sha256-DH00tENXdCdNcGPXPGzZsU3RVYQ0VBe1QLvbgEg/G6k="; }; cargoBuildFlags = [ "--package=ruff" ]; - cargoHash = "sha256-y1sKf+KXya/K+WUiIE357U6DXh/d+AQgj0SQIi1gpUw="; + cargoHash = "sha256-RmK14NMPbhoRVLwIF5GXdGQg2AnMH20JGx7XF4HO+wY="; nativeBuildInputs = [ installShellFiles ]; From bc7d3e5dda98e8bb1a813b817f327372cb26f5a1 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Thu, 18 Jun 2026 22:23:52 +0100 Subject: [PATCH 009/133] bind: 9.20.23 -> 9.20.24 Changes: https://bind9.readthedocs.io/en/bind-9.20/notes.html#notes-for-bind-9-20-24 --- pkgs/by-name/bi/bind/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/bi/bind/package.nix b/pkgs/by-name/bi/bind/package.nix index 2f12ebf30ea04..c47a0cb1433eb 100644 --- a/pkgs/by-name/bi/bind/package.nix +++ b/pkgs/by-name/bi/bind/package.nix @@ -29,11 +29,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "bind"; - version = "9.20.23"; + version = "9.20.24"; src = fetchurl { url = "https://downloads.isc.org/isc/bind9/${finalAttrs.version}/bind-${finalAttrs.version}.tar.xz"; - hash = "sha256-XUR1rtP55QDvVUsrFNlyvbg9M94hSps76SkY6kaQg3E="; + hash = "sha256-mJ/vH8iOpZ0EzYb4VNylpGFqIKmWi83ePBo2aKs2vgg="; }; outputs = [ From f35704a496985c19a04ca51e5963d354a78182b3 Mon Sep 17 00:00:00 2001 From: Jost Alemann Date: Thu, 18 Jun 2026 18:44:16 +0200 Subject: [PATCH 010/133] ty: 0.0.49 -> 0.0.51 Changelog: https://github.com/astral-sh/ty/releases/tag/0.0.51 Diff: https://github.com/astral-sh/ty/compare/0.0.49...0.0.51 --- pkgs/by-name/ty/ty/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/ty/ty/package.nix b/pkgs/by-name/ty/ty/package.nix index 41db756b44922..8a3b04bc7a094 100644 --- a/pkgs/by-name/ty/ty/package.nix +++ b/pkgs/by-name/ty/ty/package.nix @@ -17,7 +17,7 @@ rustPlatform.buildRustPackage (finalAttrs: { pname = "ty"; - version = "0.0.49"; + version = "0.0.51"; __structuredAttrs = true; src = fetchFromGitHub { @@ -25,7 +25,7 @@ rustPlatform.buildRustPackage (finalAttrs: { repo = "ty"; tag = finalAttrs.version; fetchSubmodules = true; - hash = "sha256-IKeoskueujGYFjhUd3V7iwKwZjFZqG3OYfe36S6J2aw="; + hash = "sha256-99CucCCZ8oOQV1PaPLZXq++8S7d6QJSAaQq/WXP87n4="; }; # For Darwin platforms, remove the integration test for file notifications, @@ -39,7 +39,7 @@ rustPlatform.buildRustPackage (finalAttrs: { cargoBuildFlags = [ "--package=ty" ]; - cargoHash = "sha256-y1sKf+KXya/K+WUiIE357U6DXh/d+AQgj0SQIi1gpUw="; + cargoHash = "sha256-N76A6howQn/ZbDJ7PWrThDYKhH+vc7tnZPShR7T31Ug="; nativeBuildInputs = [ installShellFiles ]; buildInputs = [ rust-jemalloc-sys ]; From d8b16de49ddea3c9fea3d9fe3c447cf0effd35fc Mon Sep 17 00:00:00 2001 From: Yureka Date: Fri, 19 Jun 2026 12:04:18 +0200 Subject: [PATCH 011/133] nixos: fix message on failure to determine mmap ASLR entropy Previously the script would stop early without any explanation. Now it continues to the point where the proper error message is printed, and then exits with an error exit status. --- nixos/modules/config/sysctl.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix index df4165fbbec53..05f99aff70f41 100644 --- a/nixos/modules/config/sysctl.nix +++ b/nixos/modules/config/sysctl.nix @@ -74,7 +74,9 @@ in } ( '' + set +e mmap_rnd_bits_max=$(grep "^CONFIG_ARCH_MMAP_RND_BITS_MAX=" $configfile | grep --only-matching "[0-9]*$") + set -e if [[ -z "$mmap_rnd_bits_max" ]]; then echo "Unable to determine mmap_rnd_bits_max. Check your kernel configfile is valid." exit 1 @@ -83,7 +85,9 @@ in '' # HAVE_ARCH_MMAP_RND_COMPAT_BITS is not defined on 32-bit architectures or LoongArch64 + lib.optionalString (with pkgs.stdenv.hostPlatform; (!is32bit && !isLoongArch64)) '' + set +e mmap_rnd_compat_bits_max=$(grep "^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=" $configfile | grep --only-matching "[0-9]*$") + set -e if [[ -z "$mmap_rnd_compat_bits_max" ]]; then echo "Unable to determine mmap_rnd_compat_bits_max. Check your kernel configfile is valid." exit 1 From ad3e95b0931c8c618dc3fd017174fd97302c5538 Mon Sep 17 00:00:00 2001 From: Ilan Joselevich Date: Fri, 19 Jun 2026 12:36:40 +0300 Subject: [PATCH 012/133] switch-to-configuration-ng: handle socket-activated Accept=yes services A per-connection instance spawned by an Accept=yes socket (e.g. foo@1234.service) has an implicit socket of foo.socket, but the implicit name was derived from the template base name including the trailing "@", yielding foo@.socket. That never matches an active unit, so such running instances were treated as non-socket-activated and the activation script tried to start them directly on a configuration switch. That fails because there is no connection socket to pass, sending the instance into a restart loop. Strip the trailing "@" so the implicit socket resolves correctly; the running instances are then stopped and their socket restarted, leaving systemd to spawn fresh instances for new connections. Resolves: https://github.com/NixOS/nixpkgs/issues/533205 Assisted-by: Claude:claude-opus-4-8 --- nixos/tests/switch-test.nix | 64 +++++++++++++++++++ .../sw/switch-to-configuration-ng/src/main.rs | 6 +- 2 files changed, 69 insertions(+), 1 deletion(-) diff --git a/nixos/tests/switch-test.nix b/nixos/tests/switch-test.nix index 2dbc9386f8aea..63dc78e2e6dcf 100644 --- a/nixos/tests/switch-test.nix +++ b/nixos/tests/switch-test.nix @@ -43,6 +43,19 @@ let server.serve_forever() ''; + # Per-connection (Accept=yes) socket-activated service that requires the + # connection socket to be passed via socket activation and fails when started + # without one. It greets the client and stays alive for as long as the + # connection is held open. + acceptSocketTest = pkgs.writeShellScript "accept-socket-test.sh" '' + if [ "''${LISTEN_FDS:-0}" -lt 1 ]; then + echo "Expected exactly one socket, got 0" >&2 + exit 4 + fi + printf hello >&3 + exec ${lib.getExe' pkgs.coreutils "cat"} <&3 >/dev/null + ''; + in { name = "switch-test"; @@ -508,6 +521,26 @@ in }; }; + accept-socket.configuration = { + systemd.sockets.accept-socket = { + wantedBy = [ "sockets.target" ]; + listenStreams = [ "/run/accept-test.sock" ]; + socketConfig = { + Accept = "yes"; + SocketMode = "0777"; + }; + }; + systemd.services."accept-socket@" = { + description = "A per-connection socket-activated service"; + serviceConfig.ExecStart = acceptSocketTest; + }; + }; + + accept-socket-service-modified.configuration = { + imports = [ accept-socket.configuration ]; + systemd.services."accept-socket@".serviceConfig.X-Test = "test"; + }; + mount.configuration = { systemd.mounts = [ { @@ -1587,6 +1620,37 @@ in if machine.succeed("socat - UNIX-CONNECT:/run/test.sock") != "hello": raise Exception("Socket was not properly activated after the service was restarted") + with subtest("socket-activated services with Accept=yes"): + # Socket-activated services don't get started, just the socket + machine.fail("[ -S /run/accept-test.sock ]") + out = switch_to_specialisation("${machine}", "accept-socket") + assert_contains(out, "the following new units were started: accept-socket.socket\n") + machine.succeed("[ -S /run/accept-test.sock ]") + + # Hold a connection open so a per-connection instance keeps running + machine.succeed("socat EXEC:'sleep infinity' UNIX-CONNECT:/run/accept-test.sock >&2 &") + instance = machine.wait_until_succeeds( + "systemctl list-units --no-legend --state=running 'accept-socket@*.service' " + + "| grep -m1 -o 'accept-socket@[^ ]*\\.service'" + ).strip() + + # Changing the templated service must stop the running instance and + # restart the socket instead of (re)starting the per-connection + # instance, which cannot be started without a connection socket + out = switch_to_specialisation("${machine}", "accept-socket-service-modified") + assert_contains(out, "stopping the following units:") + assert_contains(out, instance) + assert_contains(out, "accept-socket.socket") + assert_contains(out, "\nstarting the following units: accept-socket.socket\n") + assert_lacks(out, "NOT restarting the following changed units:") + assert_lacks(out, "\nrestarting the following units:") + # The per-connection instance must not be (re)started + starting = out[out.index("\nstarting the following units:") :] + assert instance not in starting, f"instance {instance} should not be (re)started" + # Socket-activation of the unit still works + if machine.succeed("socat - UNIX-CONNECT:/run/accept-test.sock Date: Fri, 19 Jun 2026 12:54:08 -0700 Subject: [PATCH 013/133] mdadm: 4.4 -> 4.6 Changelog: https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/tree/CHANGELOG.md?h=mdadm-4.6 --- .../md/mdadm4/no-self-references.patch | 124 ------------------ pkgs/by-name/md/mdadm4/package.nix | 16 +-- 2 files changed, 3 insertions(+), 137 deletions(-) delete mode 100644 pkgs/by-name/md/mdadm4/no-self-references.patch diff --git a/pkgs/by-name/md/mdadm4/no-self-references.patch b/pkgs/by-name/md/mdadm4/no-self-references.patch deleted file mode 100644 index 3b3dc4d846095..0000000000000 --- a/pkgs/by-name/md/mdadm4/no-self-references.patch +++ /dev/null @@ -1,124 +0,0 @@ -diff --git a/Makefile b/Makefile -index 2a51d813..a31ac48a 100644 ---- a/Makefile -+++ b/Makefile -@@ -63,6 +63,9 @@ endif - ifdef DEBIAN - CPPFLAGS += -DDEBIAN - endif -+ifdef NIXOS -+CPPFLAGS += -DNIXOS -+endif - ifdef DEFAULT_OLD_METADATA - CPPFLAGS += -DDEFAULT_OLD_METADATA - DEFAULT_METADATA=0.90 -@@ -129,6 +132,7 @@ endif - INSTALL = /usr/bin/install - DESTDIR = - BINDIR = /sbin -+INSTALL_BINDIR = ${BINDIR} - MANDIR = /usr/share/man - MAN4DIR = $(MANDIR)/man4 - MAN5DIR = $(MANDIR)/man5 -@@ -253,16 +257,16 @@ sha1.o : sha1.c sha1.h md5.h - install : install-bin install-man install-udev - - install-static : mdadm.static install-man -- $(INSTALL) -D $(STRIP) -m 755 mdadm.static $(DESTDIR)$(BINDIR)/mdadm -+ $(INSTALL) -D $(STRIP) -m 755 mdadm.static $(DESTDIR)$(INSTALL_BINDIR)/mdadm - - install-tcc : mdadm.tcc install-man -- $(INSTALL) -D $(STRIP) -m 755 mdadm.tcc $(DESTDIR)$(BINDIR)/mdadm -+ $(INSTALL) -D $(STRIP) -m 755 mdadm.tcc $(DESTDIR)$(INSTALL_BINDIR)/mdadm - - install-uclibc : mdadm.uclibc install-man -- $(INSTALL) -D $(STRIP) -m 755 mdadm.uclibc $(DESTDIR)$(BINDIR)/mdadm -+ $(INSTALL) -D $(STRIP) -m 755 mdadm.uclibc $(DESTDIR)$(INSTALL_BINDIR)/mdadm - - install-klibc : mdadm.klibc install-man -- $(INSTALL) -D $(STRIP) -m 755 mdadm.klibc $(DESTDIR)$(BINDIR)/mdadm -+ $(INSTALL) -D $(STRIP) -m 755 mdadm.klibc $(DESTDIR)$(INSTALL_BINDIR)/mdadm - - install-man: mdadm.8 md.4 mdadm.conf.5 mdmon.8 - $(INSTALL) -D -m 644 mdadm.8 $(DESTDIR)$(MAN8DIR)/mdadm.8 -@@ -305,7 +309,7 @@ install-bin: mdadm mdmon - $(INSTALL) -D $(STRIP) -m 755 mdmon $(DESTDIR)$(BINDIR)/mdmon - - uninstall: -- rm -f $(DESTDIR)$(MAN8DIR)/mdadm.8 $(DESTDIR)$(MAN8DIR)/mdmon.8 $(DESTDIR)$(MAN4DIR)/md.4 $(DESTDIR)$(MAN5DIR)/mdadm.conf.5 $(DESTDIR)$(BINDIR)/mdadm -+ rm -f $(DESTDIR)$(MAN8DIR)/mdadm.8 $(DESTDIR)$(MAN8DIR)/mdmon.8 $(DESTDIR)$(MAN4DIR)/md.4 $(DESTDIR)$(MAN5DIR)/mdadm.conf.5 $(DESTDIR)$(INSTALL_BINDIR)/mdadm - - test: mdadm mdmon test_stripe swap_super raid6check - @echo "Please run './test' as root" -diff --git a/policy.c b/policy.c -index eee9ef63..9f916e9d 100644 ---- a/policy.c -+++ b/policy.c -@@ -817,12 +817,39 @@ char *find_rule(struct rule *rule, char *rule_type) - #define UDEV_RULE_FORMAT \ - "ACTION==\"add\", SUBSYSTEM==\"block\", " \ - "ENV{DEVTYPE}==\"%s\", ENV{ID_PATH}==\"%s\", " \ --"RUN+=\"" BINDIR "/mdadm --incremental $env{DEVNAME}\"\n" -+"RUN+=\"%s/mdadm --incremental $env{DEVNAME}\"\n" - - #define UDEV_RULE_FORMAT_NOTYPE \ - "ACTION==\"add\", SUBSYSTEM==\"block\", " \ - "ENV{ID_PATH}==\"%s\", " \ --"RUN+=\"" BINDIR "/mdadm --incremental $env{DEVNAME}\"\n" -+"RUN+=\"%s/mdadm --incremental $env{DEVNAME}\"\n" -+ -+#ifdef NIXOS -+const char *get_mdadm_bindir(void) -+{ -+ static char *bindir = NULL; -+ if (bindir != NULL) { -+ return bindir; -+ } else { -+ int len; -+ bindir = xmalloc(1025); -+ len = readlink("/proc/self/exe", bindir, 1024); -+ if (len > 0) { -+ char *basename; -+ if ((basename = strrchr(bindir, '/')) != NULL) -+ *basename = '\0'; -+ else -+ *(bindir + len) = '\0'; -+ } else { -+ *bindir = '\0'; -+ } -+ return bindir; -+ } -+} -+#define SELF get_mdadm_bindir() -+#else -+#define SELF BINDIR -+#endif - - /* Write rule in the rule file. Use format from UDEV_RULE_FORMAT */ - int write_rule(struct rule *rule, int fd, int force_part) -@@ -836,9 +863,9 @@ int write_rule(struct rule *rule, int fd, int force_part) - if (force_part) - typ = type_part; - if (typ) -- snprintf(line, sizeof(line) - 1, UDEV_RULE_FORMAT, typ, pth); -+ snprintf(line, sizeof(line) - 1, UDEV_RULE_FORMAT, typ, pth, SELF); - else -- snprintf(line, sizeof(line) - 1, UDEV_RULE_FORMAT_NOTYPE, pth); -+ snprintf(line, sizeof(line) - 1, UDEV_RULE_FORMAT_NOTYPE, pth, SELF); - return write(fd, line, strlen(line)) == (int)strlen(line); - } - -diff --git a/util.c b/util.c -index 3d05d074..e004a798 100644 ---- a/util.c -+++ b/util.c -@@ -1913,7 +1913,9 @@ int start_mdmon(char *devnm) - char pathbuf[1024]; - char *paths[4] = { - pathbuf, -+#ifndef NIXOS - BINDIR "/mdmon", -+#endif - "./mdmon", - NULL - }; diff --git a/pkgs/by-name/md/mdadm4/package.nix b/pkgs/by-name/md/mdadm4/package.nix index 2143acc494e55..a35b504f6234e 100644 --- a/pkgs/by-name/md/mdadm4/package.nix +++ b/pkgs/by-name/md/mdadm4/package.nix @@ -15,27 +15,16 @@ stdenv.mkDerivation (finalAttrs: { pname = "mdadm"; - version = "4.4"; + version = "4.6"; src = fetchgit { url = "https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git"; tag = "mdadm-${finalAttrs.version}"; - hash = "sha256-jGmc8fkJM0V9J7V7tQPXSF/WD0kzyEAloBAwaAFenS0="; + hash = "sha256-jFsVPJC4lcShkSwQCGjVdVkvk4q4weM7i5DzrLgpuSM="; }; patches = [ - ./no-self-references.patch ./fix-hardcoded-mapdir.patch - # Fixes build on musl - (fetchurl { - url = "https://raw.githubusercontent.com/void-linux/void-packages/e58d2b17d3c40faffc0d426aab00184f28d9dafa/srcpkgs/mdadm/patches/musl.patch"; - hash = "sha256-TIcQs+8RM5Q6Z8MHkI50kaJd7f9WdS/EVI16F7b2+SA="; - }) - # Fixes build on musl 1.2.5+ - (fetchurl { - url = "https://lore.kernel.org/linux-raid/20240220165158.3521874-1-raj.khem@gmail.com/raw"; - hash = "sha256-JOZ8n7zi+nq236NPpB4e2gUy8I3l3DbcoLhpeL73f98="; - }) ]; makeFlags = [ @@ -97,6 +86,7 @@ stdenv.mkDerivation (finalAttrs: { }; meta = { + changelog = "https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/tree/CHANGELOG.md?h=${finalAttrs.src.tag}"; description = "Programs for managing RAID arrays under Linux"; homepage = "https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git"; license = lib.licenses.gpl2Plus; From ef352e5401b276b155a93cba39e6a02ac2d7ebfc Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Mon, 1 Jun 2026 19:54:38 +0200 Subject: [PATCH 014/133] nixos/fuse: disable by default This change disables the fuse module by default and shifts the obligation to enable it to consumers. --- nixos/doc/manual/release-notes/rl-2611.section.md | 2 ++ nixos/modules/profiles/bashless.nix | 2 -- nixos/modules/programs/fuse.nix | 4 +--- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-2611.section.md b/nixos/doc/manual/release-notes/rl-2611.section.md index 0252bcb370eae..2a79a0500d3ab 100644 --- a/nixos/doc/manual/release-notes/rl-2611.section.md +++ b/nixos/doc/manual/release-notes/rl-2611.section.md @@ -58,4 +58,6 @@ - `security.polkit.settings` added for RFC42 style configuration of the polkitd daemon. +- The `programs.fuse` module, which provides the `fusermount3` executable and the `/etc/fuse.conf` config file, is now opt-in. The obligation to enable it has been shifted to its various consumers (e.g. gvfs, flatpak, appimage, sshfs). This can break fuse consumers at runtime, that don't explicitly declare that dependency with a module, e.g the mounting functionality in various backup tools (borg, restic, rclone, ...). + - The `newuidmap` and `newgidmap` security wrappers are now installed with `cap_setuid`/`cap_setgid` file capabilities instead of the setuid-root bit, matching shadow's `--with-fcaps` install mode and other major distributions. Rootless containers (podman, docker-rootless, unprivileged user namespaces) are unaffected. The only behavioural change is that mapping host uid 0 via `/etc/subuid` (which NixOS never configures by default) additionally requires `cap_setfcap`; users who explicitly grant uid 0 in a subuid range can restore the previous behaviour with `security.wrappers.newuidmap.capabilities = lib.mkForce "cap_setuid,cap_setfcap+ep";`. diff --git a/nixos/modules/profiles/bashless.nix b/nixos/modules/profiles/bashless.nix index 501563b97b3d2..20f2f7256f073 100644 --- a/nixos/modules/profiles/bashless.nix +++ b/nixos/modules/profiles/bashless.nix @@ -15,8 +15,6 @@ environment.corePackages = lib.mkForce [ ]; # Contains bash completions nix.enable = lib.mkDefault false; - # The fuse{,3} package contains a runtime dependency on bash. - programs.fuse.enable = lib.mkDefault false; documentation.man.man-db.enable = lib.mkDefault false; # autovt depends on bash console.enable = lib.mkDefault false; diff --git a/nixos/modules/programs/fuse.nix b/nixos/modules/programs/fuse.nix index e7e317d7ef9b4..07026cbd33dbe 100644 --- a/nixos/modules/programs/fuse.nix +++ b/nixos/modules/programs/fuse.nix @@ -12,9 +12,7 @@ in meta.maintainers = [ ]; options.programs.fuse = { - enable = lib.mkEnableOption "fuse" // { - default = true; - }; + enable = lib.mkEnableOption "fuse"; mountMax = lib.mkOption { # In the C code it's an "int" (i.e. signed and at least 16 bit), but From 5a7a109c5ac4e41c5d508ddfd45129cd9d1f1319 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Mon, 1 Jun 2026 19:56:50 +0200 Subject: [PATCH 015/133] nixos/gvfs: enable fuse --- nixos/modules/services/desktops/gvfs.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/modules/services/desktops/gvfs.nix b/nixos/modules/services/desktops/gvfs.nix index 0048103277989..cebfb08202295 100644 --- a/nixos/modules/services/desktops/gvfs.nix +++ b/nixos/modules/services/desktops/gvfs.nix @@ -40,6 +40,8 @@ in environment.systemPackages = [ cfg.package ]; + programs.fuse.enable = true; + services.dbus.packages = [ cfg.package ]; systemd.packages = [ cfg.package ]; From bd44b6318872853768665494351ad5fe75e83f0d Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 2 Jun 2026 01:43:26 +0200 Subject: [PATCH 016/133] nixos/kubo: enable programs.fuse --- nixos/modules/services/network-filesystems/kubo.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/nixos/modules/services/network-filesystems/kubo.nix b/nixos/modules/services/network-filesystems/kubo.nix index 3c75423f3ffa2..4e676b80a1aa5 100644 --- a/nixos/modules/services/network-filesystems/kubo.nix +++ b/nixos/modules/services/network-filesystems/kubo.nix @@ -332,8 +332,9 @@ in boot.kernel.sysctl."net.core.rmem_max" = lib.mkDefault 7500000; boot.kernel.sysctl."net.core.wmem_max" = lib.mkDefault 7500000; - programs.fuse = lib.mkIf (cfg.autoMount && cfg.settings.Mounts.FuseAllowOther) { - userAllowOther = true; + programs.fuse = { + enable = lib.mkIf cfg.autoMount true; + userAllowOther = lib.mkIf cfg.settings.Mounts.fuseAllowOther true; }; users.users = lib.mkIf (cfg.user == "ipfs") { From 69a96a84d616f8075fb03c4c233d11ee994cc2d8 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 2 Jun 2026 02:05:22 +0200 Subject: [PATCH 017/133] nixos/flatpak: enable fuse --- nixos/modules/services/desktops/flatpak.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/modules/services/desktops/flatpak.nix b/nixos/modules/services/desktops/flatpak.nix index 5756738c9fdad..e874cbac7a4f9 100644 --- a/nixos/modules/services/desktops/flatpak.nix +++ b/nixos/modules/services/desktops/flatpak.nix @@ -40,6 +40,8 @@ in pkgs.fuse3 ]; + programs.fuse.enable = true; + security.polkit.enable = true; fonts.fontDir.enable = true; From 28c15019478ea63cb4484f6e819993d9a43f6fb4 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 2 Jun 2026 02:06:30 +0200 Subject: [PATCH 018/133] nixos/appimage: enable fuse --- nixos/modules/programs/appimage.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/modules/programs/appimage.nix b/nixos/modules/programs/appimage.nix index c0379557c97ab..4662a6c3d8cc7 100644 --- a/nixos/modules/programs/appimage.nix +++ b/nixos/modules/programs/appimage.nix @@ -43,6 +43,8 @@ in } ); environment.systemPackages = [ cfg.package ]; + + programs.fuse.enable = true; }; meta.maintainers = with lib.maintainers; [ From ab51f0dbef1ff1b7ba0fc1b59b3a366117eaefd2 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 2 Jun 2026 02:43:40 +0200 Subject: [PATCH 019/133] nixos/sshfs: enable fuse --- nixos/modules/tasks/filesystems/sshfs.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/modules/tasks/filesystems/sshfs.nix b/nixos/modules/tasks/filesystems/sshfs.nix index f070779ecc54c..917ceea7b691a 100644 --- a/nixos/modules/tasks/filesystems/sshfs.nix +++ b/nixos/modules/tasks/filesystems/sshfs.nix @@ -10,6 +10,8 @@ lib.mkIf (config.boot.supportedFilesystems.sshfs or config.boot.supportedFilesystems."fuse.sshfs" or false) { + programs.fuse.enable = true; + system.fsPackages = [ pkgs.sshfs ]; }; } From 99ed707074f5a579998e1072a3b83fd9f9d16e97 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Fri, 5 Jun 2026 13:56:54 +0200 Subject: [PATCH 020/133] nixos/test/gocryptfs: enable fuse --- nixos/tests/gocryptfs.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/tests/gocryptfs.nix b/nixos/tests/gocryptfs.nix index d0e5df5e40b5e..763e1c1407fa5 100644 --- a/nixos/tests/gocryptfs.nix +++ b/nixos/tests/gocryptfs.nix @@ -13,6 +13,8 @@ pkgs.openssl ]; + programs.fuse.enable = true; + specialisation.fstab-test.configuration = { # This can't be fileSytems, as the qemu machinery doesn't honor it. virtualisation.fileSystems."/plain" = { From a92efa870c547481956055a2011475aee39b1ae1 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Mon, 15 Jun 2026 17:51:15 +0200 Subject: [PATCH 021/133] nixos/plasma6: opt into fuse Used by the kio-* stack. --- nixos/modules/services/desktop-managers/plasma6.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/modules/services/desktop-managers/plasma6.nix b/nixos/modules/services/desktop-managers/plasma6.nix index 0813b1b6b84c7..f6106d3e83fe5 100644 --- a/nixos/modules/services/desktop-managers/plasma6.nix +++ b/nixos/modules/services/desktop-managers/plasma6.nix @@ -274,6 +274,7 @@ in services.power-profiles-daemon.enable = mkDefault true; services.system-config-printer.enable = mkIf config.services.printing.enable (mkDefault true); + programs.fuse.enable = true; services.udisks2.enable = true; services.upower.enable = config.powerManagement.enable; services.libinput.enable = mkDefault true; From 944a258aebf337420c2aaf0332228682b2dad956 Mon Sep 17 00:00:00 2001 From: Ilan Joselevich Date: Fri, 19 Jun 2026 15:14:40 +0300 Subject: [PATCH 022/133] switch-to-configuration-ng: handle transition to socket activation When a service gains a `.socket` unit, the socket is not yet active, so the `active_cur.contains_key(socket)` check is false and the service is queued in `units_to_start`. That races with the socket unit being started by `sockets.target`, producing "Socket service already active, refusing" or "no socket activation file descriptors found" errors. Treat the service as socket-activated whenever the socket is absent now but present in the new configuration, leaving it to be activated on demand by the newly started socket rather than started directly. Fixes: https://github.com/NixOS/nixpkgs/pull/510391#issuecomment-4273511176 Assisted-by: Claude:claude-opus-4-8 --- nixos/tests/switch-test.nix | 18 +++++++++++++++++ .../sw/switch-to-configuration-ng/src/main.rs | 20 +++++++++++++------ 2 files changed, 32 insertions(+), 6 deletions(-) diff --git a/nixos/tests/switch-test.nix b/nixos/tests/switch-test.nix index 63dc78e2e6dcf..b81d84086f2e2 100644 --- a/nixos/tests/switch-test.nix +++ b/nixos/tests/switch-test.nix @@ -541,6 +541,12 @@ in systemd.services."accept-socket@".serviceConfig.X-Test = "test"; }; + socket-activated-without-socket.configuration = { + imports = [ simple-socket.configuration ]; + systemd.sockets.socket-activated.enable = false; + systemd.services.socket-activated.wantedBy = [ "multi-user.target" ]; + }; + mount.configuration = { systemd.mounts = [ { @@ -1620,6 +1626,18 @@ in if machine.succeed("socat - UNIX-CONNECT:/run/test.sock") != "hello": raise Exception("Socket was not properly activated after the service was restarted") + # A service transitioning to socket activation is not started directly, + # it's left for the newly started socket to activate on demand + switch_to_specialisation("${machine}", "socket-activated-without-socket") + machine.succeed("systemctl is-active socket-activated.service") + out = switch_to_specialisation("${machine}", "simple-socket-stop-if-changed") + assert_contains(out, "stopping the following units: socket-activated.service\n") + assert_lacks(out, "\nstarting the following units:") + assert_contains(out, "the following new units were started: socket-activated.socket\n") + machine.succeed("[ -S /run/test.sock ]") + if machine.succeed("socat - UNIX-CONNECT:/run/test.sock") != "hello": + raise Exception("Socket was not properly activated after the transition") + with subtest("socket-activated services with Accept=yes"): # Socket-activated services don't get started, just the socket machine.fail("[ -S /run/accept-test.sock ]") diff --git a/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs b/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs index ec6bf1ad253f3..b5d307d7bdb11 100644 --- a/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs +++ b/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs @@ -777,6 +777,9 @@ fn handle_modified_unit( } for socket in &sockets { + let socket_in_new_config = + toplevel.join(scope.etc_dir()).join(socket).exists(); + if active_cur.contains_key(socket) { // We can now be sure this is a socket-activated unit @@ -787,7 +790,7 @@ fn handle_modified_unit( } // Only restart sockets that actually exist in new configuration: - if toplevel.join(scope.etc_dir()).join(socket).exists() { + if socket_in_new_config { if use_restart_as_stop_and_start { units_to_restart.insert(socket.to_string(), ()); record_unit(&restart_list, socket); @@ -798,12 +801,17 @@ fn handle_modified_unit( socket_activated = true; } + } else if socket_in_new_config { + // Transitioning to socket activation; let the socket start it. + socket_activated = true; + } else { + continue; + } - // Remove from units to reload so we don't restart and reload - if units_to_reload.contains_key(unit) { - units_to_reload.remove(unit); - unrecord_unit(&reload_list, unit); - } + // Remove from units to reload so we don't restart and reload + if units_to_reload.contains_key(unit) { + units_to_reload.remove(unit); + unrecord_unit(&reload_list, unit); } } } From be9a0ac9924a5c4f116f7f4bc18be335664272e9 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sat, 20 Jun 2026 20:18:30 +0200 Subject: [PATCH 023/133] nixos/test-driver: properly tokenize udev rule When running a container test the udev linter complains, that tokens should be separate by a comma followed by a space. --- nixos/lib/testing/network.nix | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/nixos/lib/testing/network.nix b/nixos/lib/testing/network.nix index 570b854d8e28a..86d65faf21ad7 100644 --- a/nixos/lib/testing/network.nix +++ b/nixos/lib/testing/network.nix @@ -135,8 +135,13 @@ let ); udevRules = map ( interface: - # MAC Addresses for QEMU network devices are lowercase, and udev string comparison is case-sensitive. - ''SUBSYSTEM=="net",ACTION=="add",ATTR{address}=="${toLower (qemu-common.qemuNicMac interface.vlan config.virtualisation.test.nodeNumber)}",NAME="${interface.name}"'' + lib.concatStringsSep ", " [ + ''SUBSYSTEM=="net"'' + ''ACTION=="add"'' + # MAC Addresses for QEMU network devices are lowercase, and udev string comparison is case-sensitive. + ''ATTR{address}=="${toLower (qemu-common.qemuNicMac interface.vlan config.virtualisation.test.nodeNumber)}"'' + ''NAME="${interface.name}"'' + ] ) interfaces; in { From 2498d84c02e6daaee998a9ee77a2b932ba3743e5 Mon Sep 17 00:00:00 2001 From: Malo Bourgon Date: Wed, 10 Jun 2026 15:34:30 -0700 Subject: [PATCH 024/133] pdftitle: use python3Packages.openai The openai function argument shadowed the `with python3Packages` scope, so withOpenai injected the top-level CLI application into the Python dependencies instead of the library. Also unblocks dropping the top-level openai attribute, whose CLI was removed upstream in v2.35.0. --- pkgs/by-name/pd/pdftitle/package.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/pkgs/by-name/pd/pdftitle/package.nix b/pkgs/by-name/pd/pdftitle/package.nix index d28ca7f8e2813..2e402c91cb3f2 100644 --- a/pkgs/by-name/pd/pdftitle/package.nix +++ b/pkgs/by-name/pd/pdftitle/package.nix @@ -2,7 +2,6 @@ lib, fetchFromGitHub, python3Packages, - openai, pdfminer, withOpenai ? false, From 041650c87f71339cf684fcb88ed5b37faac90f14 Mon Sep 17 00:00:00 2001 From: Malo Bourgon Date: Wed, 10 Jun 2026 15:28:12 -0700 Subject: [PATCH 025/133] python3Packages.openai: 2.33.0 -> 2.41.1, openai: drop Upstream removed the legacy CLI in v2.35.0, so the top-level package built with toPythonApplication no longer provides any binaries. Changelog: https://github.com/openai/openai-python/blob/v2.41.1/CHANGELOG.md Diff: https://github.com/openai/openai-python/compare/v2.33.0...v2.41.1 --- pkgs/development/python-modules/openai/default.nix | 5 ++--- pkgs/top-level/aliases.nix | 1 + pkgs/top-level/all-packages.nix | 2 -- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/pkgs/development/python-modules/openai/default.nix b/pkgs/development/python-modules/openai/default.nix index ddfa0f3b8548d..41871cd05921b 100644 --- a/pkgs/development/python-modules/openai/default.nix +++ b/pkgs/development/python-modules/openai/default.nix @@ -51,14 +51,14 @@ buildPythonPackage rec { pname = "openai"; - version = "2.33.0"; + version = "2.41.1"; pyproject = true; src = fetchFromGitHub { owner = "openai"; repo = "openai-python"; tag = "v${version}"; - hash = "sha256-w2ejAJ+V7e4wYSQ/9+WdhO+XaYeSq8U/V5YXHSpn+rI="; + hash = "sha256-jSkBxZY5POlrznhBwFMR2NcL92uGRSYI6BDDC3C7RfU="; }; postPatch = ''substituteInPlace pyproject.toml --replace-fail "hatchling==1.26.3" "hatchling"''; @@ -129,6 +129,5 @@ buildPythonPackage rec { changelog = "https://github.com/openai/openai-python/blob/${src.tag}/CHANGELOG.md"; license = lib.licenses.asl20; maintainers = [ lib.maintainers.malo ]; - mainProgram = "openai"; }; } diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index 8017987d67c30..86c474e649bb2 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix @@ -1640,6 +1640,7 @@ mapAliases { open-stage-control = throw "'open-stage-control' has been removed due to being broken for more than a year; see RFC 180"; # Added 2026-05-04 open-timeline-io = warnAlias "'open-timeline-io' has been renamed to 'opentimelineio'" opentimelineio; # Added 2025-08-10 openafs_1_8 = throw "'openafs_1_8' has been renamed to/replaced by 'openafs'"; # Converted to throw 2025-10-27 + openai = throw "'openai' has been removed, since upstream removed the legacy CLI in v2.35.0; use 'python3Packages.openai' instead"; # Added 2026-06-10 openai-triton-llvm = throw "'openai-triton-llvm' has been renamed to/replaced by 'triton-llvm'"; # Converted to throw 2025-10-27 openai-whisper-cpp = throw "'openai-whisper-cpp' has been renamed to/replaced by 'whisper-cpp'"; # Converted to throw 2025-10-27 openalSoft = warnAlias "'openalSoft' has been renamed to 'openal-soft'" openal-soft; # Added 2026-02-09 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index fe2fd4a521fc7..4d9cde7b04fe6 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -5506,8 +5506,6 @@ with pkgs; sdk = true; }; - openai = with python3Packages; toPythonApplication openai; - openai-whisper = with python3.pkgs; toPythonApplication openai-whisper; openocd-rp2040 = openocd.overrideAttrs (old: { From 9f4df694e5b05a13059e1db13ae98d297ac05b5c Mon Sep 17 00:00:00 2001 From: Jonathan Davies Date: Mon, 15 Jun 2026 22:46:56 +0100 Subject: [PATCH 026/133] =?UTF-8?q?python3Packages.openai-agents:=200.6.9?= =?UTF-8?q?=20=E2=86=92=200.17.6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- pkgs/development/python-modules/openai-agents/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/development/python-modules/openai-agents/default.nix b/pkgs/development/python-modules/openai-agents/default.nix index c09e4bb7db4f0..c6dc0ed6fd752 100644 --- a/pkgs/development/python-modules/openai-agents/default.nix +++ b/pkgs/development/python-modules/openai-agents/default.nix @@ -3,7 +3,7 @@ buildPythonPackage, fetchPypi, hatchling, - griffe, + griffelib, mcp, openai, pydantic, @@ -14,13 +14,13 @@ buildPythonPackage rec { pname = "openai-agents"; - version = "0.6.9"; + version = "0.17.6"; pyproject = true; src = fetchPypi { inherit version; pname = "openai_agents"; - hash = "sha256-5VYjgntKGxHWbsAIS9K56ixtYPIz4EVHgDr0M5Z+L9s="; + hash = "sha256-/tlPjPDrTFfGOomtSxB5MtdfKgttnolciPo8IX5jyCI="; }; build-system = [ @@ -28,7 +28,7 @@ buildPythonPackage rec { ]; dependencies = [ - griffe + griffelib mcp openai pydantic From c9cf60793e491f11ab78f5507cfd01d5dde2f3b7 Mon Sep 17 00:00:00 2001 From: Jonathan Davies Date: Sun, 21 Jun 2026 10:39:38 +0100 Subject: [PATCH 027/133] python3Packages.openai-agents: Migrate to finalAttrs --- pkgs/development/python-modules/openai-agents/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/development/python-modules/openai-agents/default.nix b/pkgs/development/python-modules/openai-agents/default.nix index c6dc0ed6fd752..a35a81bdad58b 100644 --- a/pkgs/development/python-modules/openai-agents/default.nix +++ b/pkgs/development/python-modules/openai-agents/default.nix @@ -12,13 +12,13 @@ typing-extensions, }: -buildPythonPackage rec { +buildPythonPackage (finalAttrs: { pname = "openai-agents"; version = "0.17.6"; pyproject = true; src = fetchPypi { - inherit version; + inherit (finalAttrs) version; pname = "openai_agents"; hash = "sha256-/tlPjPDrTFfGOomtSxB5MtdfKgttnolciPo8IX5jyCI="; }; @@ -42,10 +42,10 @@ buildPythonPackage rec { ]; meta = { - changelog = "https://github.com/openai/openai-agents-python/releases/tag/${version}"; + changelog = "https://github.com/openai/openai-agents-python/releases/tag/v${finalAttrs.version}"; homepage = "https://github.com/openai/openai-agents-python"; description = "Lightweight, powerful framework for multi-agent workflows"; license = lib.licenses.mit; maintainers = [ lib.maintainers.bryanhonof ]; }; -} +}) From e866333c7bce3204862ca7432833a0f89b0d9792 Mon Sep 17 00:00:00 2001 From: whispers Date: Mon, 11 May 2026 17:42:53 -0400 Subject: [PATCH 028/133] expat: 2.8.0 -> 2.8.1 Changelog: https://github.com/libexpat/libexpat/blob/R_2_8_1/expat/Changes Diff: https://github.com/libexpat/libexpat/compare/R_2_8_0...R_2_8_1 Fixes: CVE-2026-45186 (cherry picked from commit fe1ca2c575fa37169ccb114ffc9a5581aa44860d) (cherry picked from commit d7c0b19df27ef7951010f5d16df235638e98af83) --- pkgs/by-name/ex/expat/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/ex/expat/package.nix b/pkgs/by-name/ex/expat/package.nix index cf55e71a2037d..78ff9e9253b06 100644 --- a/pkgs/by-name/ex/expat/package.nix +++ b/pkgs/by-name/ex/expat/package.nix @@ -18,7 +18,7 @@ # files. let - version = "2.8.0"; + version = "2.8.1"; tag = "R_${lib.replaceStrings [ "." ] [ "_" ] version}"; in stdenv.mkDerivation (finalAttrs: { @@ -29,7 +29,7 @@ stdenv.mkDerivation (finalAttrs: { url = with finalAttrs; "https://github.com/libexpat/libexpat/releases/download/${tag}/${pname}-${version}.tar.xz"; - hash = "sha256-o3v64KqXdb2FIevYXcRW1Ibw/zETj2yR/ZAupzJiRUI="; + hash = "sha256-ELGV7ngWCpCDiBgKj+NgPU6aEvR1X79fOBayOp11DaA="; }; strictDeps = true; From 412b051db6b2f5f49b1a0ddbc414bde79a9f0619 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Tue, 12 May 2026 18:27:09 +0200 Subject: [PATCH 029/133] Revert "groff: only apply the latest patch on linux for now" This reverts commit 37a9427fd325fd4f815f4717a6280a7b076a173f. (cherry picked from commit b2e8b0c6028f84faa0cf2b959732f30591c7f18f) (cherry picked from commit e682a0e50ac6a972e00b2347abfdc0d907e5e433) --- pkgs/by-name/gr/groff/package.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pkgs/by-name/gr/groff/package.nix b/pkgs/by-name/gr/groff/package.nix index a824d9a82f023..083b1493dcf6b 100644 --- a/pkgs/by-name/gr/groff/package.nix +++ b/pkgs/by-name/gr/groff/package.nix @@ -48,8 +48,7 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-dOKBl5W2r/QxrqyYPWOpyJaO6roqLrp9+LpMe0Hnz9g="; }; - patches = lib.optionals stdenv.isLinux [ - # TODO: apply everywhere on rebuild + patches = [ # This revert a upstream refactor in continuous rendering mode, but this # causes a big performance regression for big manpages like # `man 5 configuration.nix`. From 2102ac377de6caaba3a6e86a23577fbaebcaa32f Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Tue, 12 May 2026 22:44:31 +0200 Subject: [PATCH 030/133] audit: 4.1.2-unstable-2025-09-06 -> 4.1.4 Upstream diff: https://github.com/linux-audit/audit-userspace/compare/cb13fe75ee2c36d5c525ed9de22aae10dbc8caf4...v4.1.4 Adds support for io_uring and syscalls of Linux 7.0 kernels. (cherry picked from commit 2b8ed1fe219eb6783afc4081e3ab62e8ee99ee39) (cherry picked from commit 5aece021f4b248331fa6813c13255bab33dfa220) --- pkgs/by-name/au/audit/package.nix | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/pkgs/by-name/au/audit/package.nix b/pkgs/by-name/au/audit/package.nix index 197df3501597b..3b2389e7843c6 100644 --- a/pkgs/by-name/au/audit/package.nix +++ b/pkgs/by-name/au/audit/package.nix @@ -30,13 +30,13 @@ }: stdenv.mkDerivation (finalAttrs: { pname = "audit"; - version = "4.1.2-unstable-2025-09-06"; # fixes to non-static builds right after 4.1.2 release + version = "4.1.4"; src = fetchFromGitHub { owner = "linux-audit"; repo = "audit-userspace"; - rev = "cb13fe75ee2c36d5c525ed9de22aae10dbc8caf4"; - hash = "sha256-NX0TWA+LtcZgbM9aQfokWv2rGNAAb3ksGqAH8URAkYM="; + tag = "v${finalAttrs.version}"; + hash = "sha256-GdJ9nzlDAdOazOHH/YWuEoELrJh+G5ZJUKwIqAKAzpo="; }; postPatch = '' @@ -132,10 +132,6 @@ stdenv.mkDerivation (finalAttrs: { # Instead, we load audit rules in a dedicated module. postFixup = '' moveToOutput bin/augenrules $scripts - substituteInPlace $scripts/bin/augenrules \ - --replace-fail "/sbin/auditctl -R" "$bin/bin/auditctl -R" \ - --replace-fail "auditctl -s" "$bin/bin/auditctl -s" \ - --replace-fail "/bin/ls" "ls" wrapProgram $scripts/bin/augenrules \ --prefix PATH : ${ lib.makeBinPath [ From 85e30362ddcd34addeaeb91164f88d3516cf6e23 Mon Sep 17 00:00:00 2001 From: Ruud van Asseldonk Date: Fri, 1 May 2026 21:53:30 +0200 Subject: [PATCH 031/133] libressl_4_3: init at 4.3.1 I also added expiration date comments on all of them, because I always spend some time chasing what the support dates are, and it would save maintainer time to be able to see what to do with these branches. (cherry picked from commit feb7c9ff7812521077ce8ac75c0cdc8f5de31152) (cherry picked from commit c6eddcf80ad012ce92537c3191f65ccf52b66495) --- pkgs/by-name/li/libressl/default.nix | 13 +++++++++++++ pkgs/top-level/all-packages.nix | 1 + 2 files changed, 14 insertions(+) diff --git a/pkgs/by-name/li/libressl/default.nix b/pkgs/by-name/li/libressl/default.nix index 7a266936f6c41..7a74082434336 100644 --- a/pkgs/by-name/li/libressl/default.nix +++ b/pkgs/by-name/li/libressl/default.nix @@ -111,13 +111,17 @@ let identifiers.cpeParts = lib.meta.cpeFullVersionWithVendor "openbsd" version; }; }; + # https://github.com/libressl/portable/pull/1206 + # This got merged in February 2026 and is included as of LibreSSL 4.3.0. common-cmake-install-full-dirs-patch = fetchpatch { url = "https://github.com/libressl/portable/commit/a15ea0710398eaeed3be53cf643e80a1e80c981d.patch"; hash = "sha256-Mlf4SrGCCqALQicbGtmVGdkdfcE8DEGYkOuVyG2CozM="; }; in { + # 4.1 was released April 2025 and became unsupported on April 28, 2026, + # one year after the release of OpenBSD 7.7. libressl_4_1 = generic { version = "4.1.2"; hash = "sha256-+6Ti+ip/UjBt96OJlwoQ6YuX6w7bKZqf252/SZmcYeE="; @@ -137,6 +141,8 @@ in ]; }; + # 4.2 was released October 2025 and will become unsupported on October 22, + # 2026, one year after the release of OpenBSD 7.8. libressl_4_2 = generic { version = "4.2.1"; hash = "sha256-bVwvWFg1iOp5H0yGRQBAcdAN+lVKW/eIoAbKHrWr1ws="; @@ -144,4 +150,11 @@ in common-cmake-install-full-dirs-patch ]; }; + + # 4.3 was released April 2026 and will become unsupported one year after the + # release of OpenBSD 7.9. + libressl_4_3 = generic { + version = "4.3.1"; + hash = "sha256-wttCrOFOfVQZgm+rNadC7G5NEnJaBRpR0M6jwQug+lA="; + }; } diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index e1f46c269394a..f49a37287af7d 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -6529,6 +6529,7 @@ with pkgs; inherit (callPackages ../by-name/li/libressl { }) libressl_4_1 libressl_4_2 + libressl_4_3 ; openssl = openssl_3_6; From fdf4fbeb3d959d58c76a2f22096ad0f7d86827b6 Mon Sep 17 00:00:00 2001 From: Ruud van Asseldonk Date: Fri, 1 May 2026 22:07:13 +0200 Subject: [PATCH 032/133] libressl_4_1: delete unsupported package LibreSSL branches are supported for one year after the OpenBSD release in which they are included. LibreSSL 4.1 was part of OpenBSD 7.7, which was released on April 28, 2025, so it's end of life now. (cherry picked from commit 0bfe3de9edd95a12bd7049dcd03055d796124a31) (cherry picked from commit 8953025b909e821bfa97037abac04271b8554f9b) --- pkgs/by-name/li/libressl/default.nix | 21 --------------------- pkgs/top-level/all-packages.nix | 1 - 2 files changed, 22 deletions(-) diff --git a/pkgs/by-name/li/libressl/default.nix b/pkgs/by-name/li/libressl/default.nix index 7a74082434336..8d6f40f61c01f 100644 --- a/pkgs/by-name/li/libressl/default.nix +++ b/pkgs/by-name/li/libressl/default.nix @@ -120,27 +120,6 @@ let }; in { - # 4.1 was released April 2025 and became unsupported on April 28, 2026, - # one year after the release of OpenBSD 7.7. - libressl_4_1 = generic { - version = "4.1.2"; - hash = "sha256-+6Ti+ip/UjBt96OJlwoQ6YuX6w7bKZqf252/SZmcYeE="; - # Fixes build on loongarch64 - # https://github.com/libressl/portable/pull/1184 - postPatch = '' - mkdir -p include/arch/loongarch64 - cp ${ - fetchurl { - url = "https://github.com/libressl/portable/raw/refs/tags/v4.1.0/include/arch/loongarch64/opensslconf.h"; - hash = "sha256-68dw5syUy1z6GadCMR4TR9+0UQX6Lw/CbPWvjHGAhgo="; - } - } include/arch/loongarch64/opensslconf.h - ''; - patches = [ - common-cmake-install-full-dirs-patch - ]; - }; - # 4.2 was released October 2025 and will become unsupported on October 22, # 2026, one year after the release of OpenBSD 7.8. libressl_4_2 = generic { diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index f49a37287af7d..7056a9abe702a 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -6527,7 +6527,6 @@ with pkgs; zunclient = with python313Packages; toPythonApplication python-zunclient; inherit (callPackages ../by-name/li/libressl { }) - libressl_4_1 libressl_4_2 libressl_4_3 ; From d5937f2bc8f9cacecd1670ec373699d00746368c Mon Sep 17 00:00:00 2001 From: Ruud van Asseldonk Date: Fri, 1 May 2026 22:08:40 +0200 Subject: [PATCH 033/133] libressl: add ruuda as maintainer I've been keeping this package up to date over the past few years, since I run a webserver that depends on it. I'd be happy to be co-maintainer for it, and hopefully reduce the load on others. (cherry picked from commit 16656233905ab0ff2fa329c86593cb925094b1e7) (cherry picked from commit 6fd22ccf4c3bea1f931d26a48425eb01e0c07414) --- pkgs/by-name/li/libressl/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/by-name/li/libressl/default.nix b/pkgs/by-name/li/libressl/default.nix index 8d6f40f61c01f..fba1c17d51802 100644 --- a/pkgs/by-name/li/libressl/default.nix +++ b/pkgs/by-name/li/libressl/default.nix @@ -96,6 +96,7 @@ let maintainers = with lib.maintainers; [ thoughtpolice fpletz + ruuda ]; inherit knownVulnerabilities; From 7c6518130da971e6a0823a899f6f08ed30eaf4c4 Mon Sep 17 00:00:00 2001 From: Ruud van Asseldonk Date: Fri, 1 May 2026 22:51:35 +0200 Subject: [PATCH 034/133] libressl: enable strictDeps and __structuredAttrs (cherry picked from commit c74cade494dc95a74dd75099bf700e9bab5deb35) (cherry picked from commit 6fbc1e2a1d6115826542176da8629c43638c4ae4) --- pkgs/by-name/li/libressl/default.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/by-name/li/libressl/default.nix b/pkgs/by-name/li/libressl/default.nix index fba1c17d51802..a4ac4000d4520 100644 --- a/pkgs/by-name/li/libressl/default.nix +++ b/pkgs/by-name/li/libressl/default.nix @@ -23,6 +23,9 @@ let pname = "libressl"; inherit version; + strictDeps = true; + __structuredAttrs = true; + src = fetchurl { url = "mirror://openbsd/LibreSSL/libressl-${version}.tar.gz"; inherit hash; From c0a53e695020cfcd935eabf446d2918187aa751b Mon Sep 17 00:00:00 2001 From: Ruud van Asseldonk Date: Tue, 12 May 2026 19:03:20 +0200 Subject: [PATCH 035/133] libressl_4_3: backport executable stack fix And also add an additional check to preCheck that will enable us to catch executable stack issues earlier next time. (cherry picked from commit 5198c49a5a58932c1a782aee9ad2fd6509f935e1) (cherry picked from commit 4248c5fd7a9c28e2fd27a865686fe864fcded34d) --- pkgs/by-name/li/libressl/default.nix | 29 ++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/pkgs/by-name/li/libressl/default.nix b/pkgs/by-name/li/libressl/default.nix index a4ac4000d4520..4ccc79407ba7e 100644 --- a/pkgs/by-name/li/libressl/default.nix +++ b/pkgs/by-name/li/libressl/default.nix @@ -61,6 +61,22 @@ let doCheck = !(stdenv.hostPlatform.isPower64 || stdenv.hostPlatform.isRiscV); preCheck = '' + # Bail if any shared object has executable stack enabled. This can + # happen when an object produced from an assmbly file in libcrypto is + # missing a .note.GNU-stack section. An executable stack is dangerous + # and unintentional, but without this check the derivation will build + # and even run if W^X is not enforced; it would fail dangerously. + objdump -p **/*.so | awk ' + BEGIN { res = 0 } + /file format/ { file = $1 } + /STACK/ { stack = 1; next } + stack { + if ($0 ~ /flags.*x/) { print file " has executable stack"; res = 1 } + stack = 0 + } + END { exit res } + ' + export PREVIOUS_${ldLibPathEnvName}=$${ldLibPathEnvName} export ${ldLibPathEnvName}="$${ldLibPathEnvName}:$(realpath tls/):$(realpath ssl/):$(realpath crypto/)" ''; @@ -139,5 +155,18 @@ in libressl_4_3 = generic { version = "4.3.1"; hash = "sha256-wttCrOFOfVQZgm+rNadC7G5NEnJaBRpR0M6jwQug+lA="; + patches = [ + # Fix for https://github.com/libressl/portable/issues/1278, where LibreSSL + # 4.3 started requiring executable stack because some objects were missing + # a .note.GNU-stack section; will probably be included in the next release. + (fetchpatch { + url = "https://raw.githubusercontent.com/libressl/portable/4dae91d056c6c75ba5cf2bc5e6148b8e02239119/patches/gnu-stack.patch"; + hash = "sha256-Q1oWL4N8w5Zmjfq5QkTJR53NgZ4GqChSDaBicli5G2I="; + # This patch is written to be applied with -p0, with no leading path + # component, but Nix applies with -p1 by default, so we add it to not + # break compatibility with how other patches must be applied. + decode = "sed 's|^--- |--- a/|; s|^+++ |+++ b/|'"; + }) + ]; }; } From f479a5dca236793c02d0c3b6a4d3ecb365d2ac49 Mon Sep 17 00:00:00 2001 From: Hythera <87016780+Hythera@users.noreply.github.com> Date: Sun, 10 May 2026 15:19:19 +0200 Subject: [PATCH 036/133] openexr: 3.4.10 -> 3.4.11 changelog: https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.11 diff: https://github.com/AcademySoftwareFoundation/openexr/compare/v3.4.10...v3.4.11 (cherry picked from commit 32f67f000b22d422e36befbbabd36279e2a660a2) (cherry picked from commit 34b3da5050e8e4c26efe67418533e587063230fd) --- pkgs/development/libraries/openexr/3.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/openexr/3.nix b/pkgs/development/libraries/openexr/3.nix index efecd33bef353..a989e883a2b34 100644 --- a/pkgs/development/libraries/openexr/3.nix +++ b/pkgs/development/libraries/openexr/3.nix @@ -13,13 +13,13 @@ stdenv.mkDerivation rec { pname = "openexr"; - version = "3.4.10"; + version = "3.4.11"; src = fetchFromGitHub { owner = "AcademySoftwareFoundation"; repo = "openexr"; rev = "v${version}"; - hash = "sha256-jXio+PvagKTR8NjcYIQ/j8LOMNc/0sQBuaixKk/0V3k="; + hash = "sha256-5dx2tag6XyuJfNfJgc68X+VWKXaHOL3M7ZJEQbQwFDA="; }; outputs = [ From ab6adf5c8246eff91b48479823125cb44a5da12f Mon Sep 17 00:00:00 2001 From: Hythera <87016780+Hythera@users.noreply.github.com> Date: Tue, 28 Apr 2026 21:53:45 +0200 Subject: [PATCH 037/133] openapv: 0.2.1.2 -> 0.2.1.3 changelog: https://github.com/AcademySoftwareFoundation/openapv/releases/tag/v0.2.1.3-fix diff: https://github.com/AcademySoftwareFoundation/openapv/compare/v0.2.1.2...v0.2.1.3-fix (cherry picked from commit 02d2fdd686118eed0091ea82b41310dc74e571fd) (cherry picked from commit ce58349f07ce81aa3d1562ace68ad03a6d841438) --- pkgs/by-name/op/openapv/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/op/openapv/package.nix b/pkgs/by-name/op/openapv/package.nix index b153552d6f172..27d31127a0041 100644 --- a/pkgs/by-name/op/openapv/package.nix +++ b/pkgs/by-name/op/openapv/package.nix @@ -12,13 +12,13 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "openapv"; - version = "0.2.1.2"; + version = "0.2.1.3"; src = fetchFromGitHub { owner = "AcademySoftwareFoundation"; repo = "openapv"; - tag = "v${finalAttrs.version}"; - hash = "sha256-wxncN7j5p0GXpWhOx4Ix0oTgGK2sIrfJgQ45fFwmQBI="; + tag = "v${finalAttrs.version}-fix"; # Remove the `-fix` suffix after the next version + hash = "sha256-lc/x2dWh6T8c63siHB32ka+SPVYTTyaO4YrQ12EbGqw="; }; postPatch = '' From 49d2ce082a0796988ecd7d1bbe9ec013c0f0ef6c Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 19 May 2026 16:13:05 +0200 Subject: [PATCH 038/133] python3Packages.aiodns: 4.0.0 -> 4.0.3 https://github.com/saghul/aiodns/releases/tag/v4.0.1 https://github.com/saghul/aiodns/releases/tag/v4.0.2 https://github.com/saghul/aiodns/releases/tag/v4.0.3 (cherry picked from commit 78f51bc5bcc5037966c06d952debc2e3c05f65ba) (cherry picked from commit aea1edbd625ce6297297b665a8d3a645dbceeb26) --- pkgs/development/python-modules/aiodns/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/aiodns/default.nix b/pkgs/development/python-modules/aiodns/default.nix index 54b67a88be19a..1a147d54fa042 100644 --- a/pkgs/development/python-modules/aiodns/default.nix +++ b/pkgs/development/python-modules/aiodns/default.nix @@ -8,14 +8,14 @@ buildPythonPackage (finalAttrs: { pname = "aiodns"; - version = "4.0.0"; + version = "4.0.3"; pyproject = true; src = fetchFromGitHub { owner = "saghul"; repo = "aiodns"; tag = "v${finalAttrs.version}"; - hash = "sha256-/iYkhzN01+NaUfMXaM39IvlEKfoKc29+f0S4y0y3GG8="; + hash = "sha256-a26n8n/nxq/LxgPCQJNFjU4yVSCL7YK1lBkiDdVDo2w="; }; build-system = [ setuptools ]; From ebd0392d1b23dc81258339cc78f6ba27713b3069 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 19 May 2026 16:13:19 +0200 Subject: [PATCH 039/133] python3Packages.xmltodict: 1.0.2 -> 1.0.4 https://github.com/martinblech/xmltodict/blob/v1.0.4/CHANGELOG.md (cherry picked from commit 70d339f357ec9f39f6afb6cdeab341b48f21aac7) (cherry picked from commit 3a7535469af279b4c0b5a0a2b0268c120d0fe510) --- pkgs/development/python-modules/xmltodict/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/xmltodict/default.nix b/pkgs/development/python-modules/xmltodict/default.nix index 9d1c01842a420..bd22bc108bbe4 100644 --- a/pkgs/development/python-modules/xmltodict/default.nix +++ b/pkgs/development/python-modules/xmltodict/default.nix @@ -8,14 +8,14 @@ buildPythonPackage rec { pname = "xmltodict"; - version = "1.0.2"; + version = "1.0.4"; pyproject = true; src = fetchFromGitHub { owner = "martinblech"; repo = "xmltodict"; tag = "v${version}"; - hash = "sha256-gnTNkh0GLfRmjMsLhfvpNrewfinNOhem0i3wzIZvKpA="; + hash = "sha256-G7hVtS6toUJC0YY1AXBOJSc3wnAZyWilLnT/5vvFRRw="; }; build-system = [ setuptools ]; From 344a6379c3246ac76e5519b96e9f61b70a89320a Mon Sep 17 00:00:00 2001 From: K900 Date: Thu, 21 May 2026 11:38:44 +0300 Subject: [PATCH 040/133] qt5: 5.15.18 -> 5.15.19 (cherry picked from commit 52afc5fa587029d9eb09757b68199aea80226062) (cherry picked from commit 0b9b29e4218a3fa46d0fe9c9866b6fba675f4828) --- .../libraries/qt-5/5.15/srcs-generated.json | 160 +++++++++--------- pkgs/development/libraries/qt-5/5.15/srcs.nix | 2 +- 2 files changed, 81 insertions(+), 81 deletions(-) diff --git a/pkgs/development/libraries/qt-5/5.15/srcs-generated.json b/pkgs/development/libraries/qt-5/5.15/srcs-generated.json index fd5fcefbff345..57473c4f5a293 100644 --- a/pkgs/development/libraries/qt-5/5.15/srcs-generated.json +++ b/pkgs/development/libraries/qt-5/5.15/srcs-generated.json @@ -1,202 +1,202 @@ { "qt3d": { "url": "https://invent.kde.org/qt/qt/qt3d.git", - "rev": "208f5835e6c2415c9dc5cbe92bba83aa28bab7ea", - "sha256": "0zqvdq5y25b1w7agx5wlr16p1wrx54086r0xcdfg9wx8dayhh1md" + "rev": "c3892c3ee3c0a2b8a050d0a1532f34806636eade", + "sha256": "0y3f4pr0vr7cpwmjxqspv79p7rljgc913fl8nqpv8y2aw8i5r4ly" }, "qtactiveqt": { "url": "https://invent.kde.org/qt/qt/qtactiveqt.git", - "rev": "e4c93bc7cac45bac6bccda3310947e8fe026a9ed", - "sha256": "1qq6jvqkl4ff7sw20pi1mawh5pypv7vxmj56d38z6p06r1azkvls" + "rev": "e85773764374878adc197b6a45ae8ec3ff44dafa", + "sha256": "1sbayayxgjj8jfi3apxw6m8qsmkba0gph2rm1wsnzjsa80zr17ia" }, "qtandroidextras": { "url": "https://invent.kde.org/qt/qt/qtandroidextras.git", - "rev": "4928bd58dbc1cdcf44a7e454e3d4654c3c2016f1", - "sha256": "02rsh60lyl6bn2jhx0ajn43safbi904nhwvdpikanrmdbg0z6dpp" + "rev": "14a14b137f0d794278947e980d99c47e6929e5e2", + "sha256": "0nvyxjm5qfq7sk22rp9hxrf8gvs6jq4i3kww1s0i8lsr69fl9biz" }, "qtbase": { "url": "https://invent.kde.org/qt/qt/qtbase.git", - "rev": "bebdfd54917e25d1c100e6bd9f5dd53c2e645fd8", - "sha256": "0bg36lxngkq2k11bhqdyfvbc1qyqaghwsi446zfn67vxvyxya3hx" + "rev": "fbed962c3195ab3952fa54d40e012ad1a4fdc42b", + "sha256": "1gnbgs7kh0vxjh3spv5g5zaaj1z1b0h8752pqi4lqg6jd1js2bpl" }, "qtcharts": { "url": "https://invent.kde.org/qt/qt/qtcharts.git", - "rev": "1093fb53ced126100d14af30a8adffd29b7ef855", - "sha256": "0cnlg59l743milkki8mjbrfd4cx5ycbqw73apcrnrsag9dqdbw41" + "rev": "16e9aff210cd4de7192adfc6cd91cdd44ba45a3d", + "sha256": "02virkb7h8hhkdsqpv2qg3lly4msf648f7421z10acxhin6ypw5i" }, "qtconnectivity": { "url": "https://invent.kde.org/qt/qt/qtconnectivity.git", - "rev": "f1be05c8efeb65b77a8bfd21763ab55bb5c04906", - "sha256": "1vl7wfw9sd8qfl8ixzl5wz4v5km5zdf9bii53q3pw4f2lplsralq" + "rev": "7e29434e06372efbb2127d0ef41538ff9aec1597", + "sha256": "1wv9bh13rq6mnnzsh6g88a2kj2j4nfv83vqpbdxmyavdf349pwdj" }, "qtdatavis3d": { "url": "https://invent.kde.org/qt/qt/qtdatavis3d.git", - "rev": "d9b988d3c5f9f34b97f3a9ac1347bfb55464cd60", - "sha256": "09jk32kw7wgcrd117a9lsm5w7jszsdhdslk10qn631wz203zbs4i" + "rev": "b52063032fda9af894ca0e582774364ce8caf0f8", + "sha256": "1zbfx7hqh1ydi2vx8pj6dxlrrc7wf8sqcwxzx8acphdyj66zcmch" }, "qtdeclarative": { "url": "https://invent.kde.org/qt/qt/qtdeclarative.git", - "rev": "1189557a50f11e7bc5716467a149cd09987a9f88", - "sha256": "0cd89d8i8chy1j1yanp1cq5s7467qr24b9c7cx9qw0nb0rf6f8qr" + "rev": "5bc1ac07b2d2c7839368084a4bb97e4c67eb8294", + "sha256": "0xpq0xjiscx72dcyg0lpr90ag5q7gypzcqnwbsnh401jrxn2pll1" }, "qtdoc": { "url": "https://invent.kde.org/qt/qt/qtdoc.git", - "rev": "ddb2afda6f713259fc8d95fb22a1c96bb448c36a", - "sha256": "0nk2vwl0ppix794xzj8nqrhsc333v8v4vr1rmwddymwlrdqlqd5d" + "rev": "385efd460ec13a465765fc30dd11217ae46d1846", + "sha256": "0djflkibfgjp8gr16hiv6nipj4q4xyclgv84f3d951dj2q7779v6" }, "qtgamepad": { "url": "https://invent.kde.org/qt/qt/qtgamepad.git", - "rev": "269fc0731f6838a1c02877a83c0ada23659c69fc", - "sha256": "06jhby671yzbj753yb0lnk4bv2r0nxxibq7fq1yljxdms0rc72iz" + "rev": "9b69ae558f0f9feffe30b0aa8993e270dfcc81ff", + "sha256": "056b39r4jsag5d7f5m04vmpydvnwpfs5mcynsdx717qdginlmiam" }, "qtgraphicaleffects": { "url": "https://invent.kde.org/qt/qt/qtgraphicaleffects.git", - "rev": "dfb2e7b2c98a9b7185c300d0b92b4048f5d89ba5", - "sha256": "1sn46lmq0y56mw0q11sgaijr2vg1wpp6lj237finp6vr3bji2816" + "rev": "551732fb1d963e53af437e3982a010f69eb76253", + "sha256": "1pyjb66nhlhin6ysm4005ng4m2ak857ai761rqx8l2h4fscgwvhf" }, "qtimageformats": { "url": "https://invent.kde.org/qt/qt/qtimageformats.git", - "rev": "c91e4c63c1eaf1e23806d9df10e3d5a9ae353c1d", - "sha256": "0q0vcymiqfyz8sfs9wdkhhwff55acj2rsmrb8w6yikmwcmcxp2a3" + "rev": "4076e38d68f05f5e1bcdedb79442d9008f18702c", + "sha256": "1kgvs3jgs2qysrx2kr4vn68h9gjv6ir1nd4hg0m2fbsjk644aa8w" }, "qtlocation": { "url": "https://invent.kde.org/qt/qt/qtlocation.git", - "rev": "ba48a8b5cedd157d972c08d371ac2581db166bf7", - "sha256": "00kwv405qq9q8fcwar33s2wvs1dm10fb8plxbz1q0jqcjs2ips6x" + "rev": "81f560be2274958011c255efa1d2d573874bed11", + "sha256": "1lpxngppxkhych9pkkcvw7ypw02cd324pw0z9hd9kqcd803p2017" }, "qtlottie": { "url": "https://invent.kde.org/qt/qt/qtlottie.git", - "rev": "27ed5a3c95a0810a96fac2a8661ea94d8ea3c44e", - "sha256": "04ivyxnn8d3pkjsbx0gwyj3f5if4m4cih6wyavm8bd2m2kkszx35" + "rev": "5f1be885cf4ee0f1eb5400bf0c5d138818fc01d0", + "sha256": "01880y8r2acnzfg09qm031kx99vp3zjv3zi38sh17shgcipx1fxp" }, "qtmacextras": { "url": "https://invent.kde.org/qt/qt/qtmacextras.git", - "rev": "fc7e9f41d9cec2df05c1d38d6e55d3a0d501dd25", - "sha256": "07q1arvdjwmbrayp2b213b8gqm4psczhx9z1m83invwmbs8iqj07" + "rev": "722060e4edff268feb2dda1298a7837c90f6262f", + "sha256": "1fqw1p6vx3gqw1sf1yk4cz1cb3d1xrbjq0p22gi0pspll314c8x0" }, "qtmultimedia": { "url": "https://invent.kde.org/qt/qt/qtmultimedia.git", - "rev": "ff83d119c75cd8406f73ccc08958fe36747e7390", - "sha256": "09jadnvphilcxxy85dlsr8a6x5w32r1c2hrbh93qbvvf9zlg60ld" + "rev": "8ddc44103baf166525d6650c842d7f08f651e7bb", + "sha256": "0akj2d8b6kdy125ggs9cd7pra3vm47frqpn6p756jafsxylkqwbh" }, "qtnetworkauth": { "url": "https://invent.kde.org/qt/qt/qtnetworkauth.git", - "rev": "510687fa4fdee84dd3d6d166e8f080c484016199", - "sha256": "0a8abmql94wxpfvdj5a1rnh3xsd49c5z8x93hm311sgjkd0aajx7" + "rev": "d1ce24a72122c315e3d190c9ebc26ed603b90057", + "sha256": "1wcw26x38k619xavrwav21w0vrzb24bn6ncxllcwd9bdn7vvn1wr" }, "qtpurchasing": { "url": "https://invent.kde.org/qt/qt/qtpurchasing.git", - "rev": "8e9a5ec9f68639162c85c198b28e072e7150883c", - "sha256": "04pmwqnw907dg0hpas0pdrh2fxcqn2mvqz82b1vkviksg8ny3saw" + "rev": "b471c6ca3edfa5ba459b8694622825b9e776bed6", + "sha256": "1plwpxasiw2sx76a294i4i92vk5g5gaigjfy284jpmaargxsyd7k" }, "qtquick3d": { "url": "https://invent.kde.org/qt/qt/qtquick3d.git", - "rev": "47a325358078b72016081a86be628411df2728a9", - "sha256": "18h309g6ni6y4bcss930g04z8ymhl2nfm3sv5s4h2fz3dl0xsqwr" + "rev": "4e85bd063c726f015dc8afb05834de7a71bf6a1b", + "sha256": "0k6wjkr2jyc1v6xrm34dnlbbdnippiph5jxzjxawlxijzzvmgcp5" }, "qtquickcontrols": { "url": "https://invent.kde.org/qt/qt/qtquickcontrols.git", - "rev": "0c3c18bf8bdac1ef1afdb8aade903edb5c2bc041", - "sha256": "0h8bhrbgfcf7nbfppah8lxnhvygc09983qrvp935r5sw7251km4d" + "rev": "af7fc486c8910b51733e1c7e758d50ca1a158b36", + "sha256": "1nbgpnz2qi8g24cmli25a9319vgqmk9vgngb12q2j8c8k3nlhhfs" }, "qtquickcontrols2": { "url": "https://invent.kde.org/qt/qt/qtquickcontrols2.git", - "rev": "e464888c53a641ee44a34ff2350cfb156c8ed59f", - "sha256": "08lnqz6v48j1hi6dpll7a052p6r5qfb32md16fppqzn6g5jg9ir2" + "rev": "5b808e0995d018c6de9f075d4a61f58d3641c11b", + "sha256": "1a65j06nzlxl1hmdh5li1gglcrqms0g560c2cj9vqzqm551krdj8" }, "qtquicktimeline": { "url": "https://invent.kde.org/qt/qt/qtquicktimeline.git", - "rev": "43130f2681b76a8d743a04704465b716b6b2faee", - "sha256": "1z1avxxq9d9nzqyxy5pq5maj73cf6dvsn5k83p3sf5kq3x0y75cj" + "rev": "ea9d6c4d5a0a172b4778e8f37d694d02aab83f37", + "sha256": "0170n0mcrf8phh3nsg2f904p8vxwmw8lks48zkpnbvyrj4gzqcr2" }, "qtremoteobjects": { "url": "https://invent.kde.org/qt/qt/qtremoteobjects.git", - "rev": "b2740a7c7f5b6ac810240404a947ca5cff9de5f7", - "sha256": "1jxlwc2y165fxdalcr4iqq55gsg5x4nxqd8wdq3dc1824yfnzm6i" + "rev": "48d10f341279e08c1bc4abb764c2d3ab9a259a51", + "sha256": "0523n172f96w474y804sanppfx2zkgsm342vwa6ailrcfkjw8v58" }, "qtscxml": { "url": "https://invent.kde.org/qt/qt/qtscxml.git", - "rev": "57491f554bc53bd020978b5744437b7ac7e56a27", - "sha256": "00mvwgb3xr116nl7649zq7ai2074clzw760c140sy91zqgqkjsx4" + "rev": "edc6f0dd5e806cced1937b2b853717f588e14fd2", + "sha256": "1072slgrvy910mxxqsvf7fgi237mjnbd2b8amw1srqzqj2bmnsj3" }, "qtsensors": { "url": "https://invent.kde.org/qt/qt/qtsensors.git", - "rev": "50a61b360877e7c1300df76b5aabf8d75554a398", - "sha256": "0giqwn4grg9999y31avh7ajsv9gkcfzf0xndx8bvv79si0wp59g6" + "rev": "8c6d11df60d4d783869c2d81568e3178f5ae75ce", + "sha256": "18jc5nncmpmbf758mcj9wj6dfn87hl51zp0ihqcvk6k6a8ra6l7p" }, "qtserialbus": { "url": "https://invent.kde.org/qt/qt/qtserialbus.git", - "rev": "c23069351ec31563c9ea9fcdce42ccdba95ea518", - "sha256": "1qgxlgnl53gabrfqihxwygdbdiqjvn2hfajmwb3h44srpq0srk33" + "rev": "6734222bccc5541f9527281c810c6b5f8fdd092f", + "sha256": "0ragq01wdwqwqp9720i3xan3a4xnkkvgc8gjy1wgwmdrs0mlb49z" }, "qtserialport": { "url": "https://invent.kde.org/qt/qt/qtserialport.git", - "rev": "b64a7eeda9b6a65b5ed01b1b40b07177f0aa4c0f", - "sha256": "134mn0njfvmzgrf325bikazkiq4xdn5wjhj56kxh1hhaz3q25hyp" + "rev": "ca1f2486527e7acf87d466062c035845f9774573", + "sha256": "0xdywglxh9sxs2s60shwf6c4m5w20h77l9d58rganqwpbrh49vkj" }, "qtspeech": { "url": "https://invent.kde.org/qt/qt/qtspeech.git", - "rev": "aa2376f9b1302222edcd16b4641bbd7004318c00", - "sha256": "0vcxgkymzhaw01f26zlny4bka9k829rwzkwk95rr3dfq7wlyxshz" + "rev": "a384f0d4fb8a2d0743d5dfdf12e40f6d76f8714c", + "sha256": "0imn7jskjvz30xnbg1z8wxkcw82hb6v92xls327385wxxj0a5i6r" }, "qtsvg": { "url": "https://invent.kde.org/qt/qt/qtsvg.git", - "rev": "b74f7291f343dcbcb487b020868f042d8fe83098", - "sha256": "1n0sjn8h5k2sh8p2a85cxdpqbnd63gz4rf9wwbshhd13w623f9s8" + "rev": "d2abfb9cb1f036446e5913fadb0f065dab9f0159", + "sha256": "048lbk25rbfbd2c8pbsifdxjcxb2003hi04lfsmgh7xr27x55gch" }, "qttools": { "url": "https://invent.kde.org/qt/qt/qttools.git", - "rev": "fa40a2d3373b89be0cd0a43fe0c1d047e3d34058", - "sha256": "06kr88gmwc7xh1whdbcg84y1naak5rv99jkscjbhzyz3z91xy7hl" + "rev": "3e3ab58b40734a1b9bbb7e72b2969d1f752351b1", + "sha256": "18dmmw1r13in7h90y3637jw3sc2pvv33bfr1bs11dyp951spw8d3" }, "qttranslations": { "url": "https://invent.kde.org/qt/qt/qttranslations.git", - "rev": "3cbcceb8e3e2e63a4022f1be946c7118c527a83e", - "sha256": "15lw5snqfkwwcsazh02lhiia39gy08nfijdpkzvll2qvg4b58zkn" + "rev": "388e4f32ed4b28d92bd61b917ba0e6b910e2784d", + "sha256": "1k76zl5c1x9q8kid3sjv4d66wy9ryl24fyiabrg32c7nbn53pbd4" }, "qtvirtualkeyboard": { "url": "https://invent.kde.org/qt/qt/qtvirtualkeyboard.git", - "rev": "859d2a6ee329cc08414410b2ef8c0af77a6853d3", - "sha256": "06sdpcanzp1a71d99rjivrbjp780mvwssc4w1sap2gskcmmgkwbs" + "rev": "4fc9919ee3fad1d520d0921ba3069dca3c34ff78", + "sha256": "12kn69l34s1r6s9w7cw9l5524kwrx8xrxwbx4hw059jns1pqac0d" }, "qtwayland": { "url": "https://invent.kde.org/qt/qt/qtwayland.git", - "rev": "df49b9f3badce793a0a9ea850cf1a02cc5bafef6", - "sha256": "01xm2r1pv7kxb4aj72ldfzmax6d799h6bj4h2xhpcii812wf5lda" + "rev": "605b8bc942ab263b9d1892af33a81b408f522ccc", + "sha256": "09vrd62ikxzjpv6awi7n34pswg4w5yvmac5ckc6ma6rqvps7mbip" }, "qtwebchannel": { "url": "https://invent.kde.org/qt/qt/qtwebchannel.git", - "rev": "2a157921861e651f43456cb7941b250c89feb736", - "sha256": "1w58b602f20mppd0zfr9yvfdn1xwfkfclnjs0p5mgymq6d946dyk" + "rev": "6a20afaeba182ce6e3faee592e1e85a0d3ec0fc6", + "sha256": "18jfxpasn47qd4glkgvps7nzm07dag6w9jbkq9l7fzbkpcbnqykb" }, "qtwebglplugin": { "url": "https://invent.kde.org/qt/qt/qtwebglplugin.git", - "rev": "b9aaac72d0853ba48f6bfd710a43df94d83d4701", - "sha256": "07zx55f52jgk31bm6c68iydknrih245ndnvz714l6kxw66fv4rjq" + "rev": "2a8ce0a61b4b9e892d948948182d935fa6792a1b", + "sha256": "10n50frndssj3vmmhghlw48dn0c9b26zgkgjvkza8x234j9dijv2" }, "qtwebsockets": { "url": "https://invent.kde.org/qt/qt/qtwebsockets.git", - "rev": "0f910acb737cefc889ce1088fc60d15bc18efe9c", - "sha256": "1ba9ll28hznd6qpjjiqvc2z6gaz2qgq7105dd0w810xpbaiixy0a" + "rev": "10eb706b24aa05f4ee69c2f2fec99b21994dfe2b", + "sha256": "1k01s4qkpzsjy7lygb0nhniym6g7yinih3sc16l3kljkabw44rx0" }, "qtwebview": { "url": "https://invent.kde.org/qt/qt/qtwebview.git", - "rev": "34342073a59f3a27ef3de02f6b21337c4f8db6cf", - "sha256": "1h6n7dkd6mjclxllyw2brz8wv4d68dx2ykckbwb3bkxyd6rmg1f6" + "rev": "043cb7c0eaf8d1bcee56a62d6a102f727a22fcbc", + "sha256": "0ha0ksbxm21hj37z7yk3f09ncgchw78cpcrxv56a205i2f04370d" }, "qtwinextras": { "url": "https://invent.kde.org/qt/qt/qtwinextras.git", - "rev": "5e5ae2b77078dbe51fb798743de606e6f9a5e19d", - "sha256": "04x8ax197z0dr01nxrb6bh4q8c077ny5n812fx5mq56l54v2m1ks" + "rev": "0704d01ff1218c2f32a194e38005e625c579222c", + "sha256": "0fsfrs770cia9i9ijvx1jyh0mjiza1cn1l7fm1a877h2qbd20l9f" }, "qtx11extras": { "url": "https://invent.kde.org/qt/qt/qtx11extras.git", - "rev": "c44c4fa86fa0794c25baef4ee1f6272aca8c511a", - "sha256": "0287cvs9wqlzz6gnj81gi8rp50s2rdnigcmld3fgddsg8f3v7hdj" + "rev": "6695a3df4460577b3fcb5546b45a0c5cb3addac4", + "sha256": "1xjdicq8kf6816hgnz4hc7ykcfngispm8xzv3bxacf98zicmy9rm" }, "qtxmlpatterns": { "url": "https://invent.kde.org/qt/qt/qtxmlpatterns.git", - "rev": "0b644263abca66503db1ce8a4e126cf358a34685", - "sha256": "1b1zzglvcdp7wvlpgk1gj8gmyy2r21yi6p8xiyvbccq5bbjpn0hw" + "rev": "ed3b333aa56ac193e969725e3c34be9070441271", + "sha256": "0s0z9dbivrq5pva6psfcfclw4816zb1rlr9ns03lf286iy196368" } } diff --git a/pkgs/development/libraries/qt-5/5.15/srcs.nix b/pkgs/development/libraries/qt-5/5.15/srcs.nix index 87a7bb97707df..ec5fdc9d5646e 100644 --- a/pkgs/development/libraries/qt-5/5.15/srcs.nix +++ b/pkgs/development/libraries/qt-5/5.15/srcs.nix @@ -5,7 +5,7 @@ }: let - version = "5.15.18"; + version = "5.15.19"; mk = name: args: { inherit version; From e717fb6c8feb631205a8b94c41276138664f52cd Mon Sep 17 00:00:00 2001 From: ElXreno Date: Sat, 25 Apr 2026 16:00:45 +0300 Subject: [PATCH 041/133] openldap: skip flaky syncreplication tests (cherry picked from commit 63147b12a5831e23ce5e88f5f9a35fe8997e9978) (cherry picked from commit ab31c6a2289e966d48b61035e6fb03e683244bcd) --- pkgs/by-name/op/openldap/package.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/by-name/op/openldap/package.nix b/pkgs/by-name/op/openldap/package.nix index c87e6c2e75a5f..7499f3a6fd163 100644 --- a/pkgs/by-name/op/openldap/package.nix +++ b/pkgs/by-name/op/openldap/package.nix @@ -122,6 +122,8 @@ stdenv.mkDerivation (finalAttrs: { # https://bugs.openldap.org/show_bug.cgi?id=8623 rm -f tests/scripts/test022-ppolicy + rm -f tests/scripts/test*-sync* + rm -f tests/scripts/test063-delta-multiprovider # https://bugs.openldap.org/show_bug.cgi?id=10009 From 988d5e4c9f5ad27c981d131081bb752d496bb586 Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Thu, 21 May 2026 15:20:19 +0200 Subject: [PATCH 042/133] nodejs_24: 24.15.0 -> 24.16.0 (cherry picked from commit e9b7cf21331391509ae684ab5530fd43373dbd0c) (cherry picked from commit 252225814ab5f11143a02e8aad9459c2d9f498cd) --- pkgs/development/web/nodejs/v24.nix | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/pkgs/development/web/nodejs/v24.nix b/pkgs/development/web/nodejs/v24.nix index 69004825bea27..914ab1479370a 100644 --- a/pkgs/development/web/nodejs/v24.nix +++ b/pkgs/development/web/nodejs/v24.nix @@ -23,8 +23,8 @@ let [ ]; in buildNodejs { - version = "24.15.0"; - sha256 = "a4f653d79ed140aaad921e8c22a3b585ca85cfdab80d4030f6309e4663a8a1c8"; + version = "24.16.0"; + sha256 = "2ff84a6de70b6165290111b0fc656ded1ad207a799816fe720cc7c31232df30f"; patches = ( if (stdenv.hostPlatform.emulatorAvailable buildPackages) then @@ -56,13 +56,6 @@ buildNodejs { ./use-correct-env-in-tests.patch ./bin-sh-node-run-v22.patch ./use-nix-codesign.patch - # https://github.com/NixOS/nixpkgs/pull/507974#issuecomment-4249433124 - # OpenSSL reports different errors - # https://github.com/nodejs/node/pull/62629 - (fetchpatch2 { - url = "https://github.com/nodejs/node/commit/dd25d8f29d3ddadcf5a5ebfdf98ece55f9df96c6.patch?full_index=1"; - hash = "sha256-6cxRN7TyWmJgUZt3jp2YXbVIjrDb2BNep5LxBOtT3Q0="; - }) # Patch for nghttp2 1.69 support (fetchpatch2 { From 8861a6b466194c3b4604d1ccb01398ac2fad8f66 Mon Sep 17 00:00:00 2001 From: Sefa Eyeoglu Date: Thu, 21 May 2026 09:28:33 +0200 Subject: [PATCH 043/133] unbound: 1.25.0 -> 1.25.1 Signed-off-by: Sefa Eyeoglu (cherry picked from commit 0c98395be2ba98874b055e6ed709c385446bfe06) (cherry picked from commit 71959781635822ba5e52066008b014781350fb5a) --- pkgs/by-name/un/unbound/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/un/unbound/package.nix b/pkgs/by-name/un/unbound/package.nix index 45cdc57ff0a87..9358185211031 100644 --- a/pkgs/by-name/un/unbound/package.nix +++ b/pkgs/by-name/un/unbound/package.nix @@ -57,13 +57,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "unbound"; - version = "1.25.0"; + version = "1.25.1"; src = fetchFromGitHub { owner = "NLnetLabs"; repo = "unbound"; tag = "release-${finalAttrs.version}"; - hash = "sha256-BAqGNi5lfYYTQd7CPH0lssLc5/AkeuKSVEFcrF/cNyc="; + hash = "sha256-1PXnxCPxoB5IrVBQIsrxiWAq+IoH7Ma9T1TTJsoTJc4="; }; outputs = [ From dcbc584e5525348077f7c8b31d12efa6596e4769 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Tue, 19 May 2026 20:09:22 -0700 Subject: [PATCH 044/133] python3Packages.python-multipart: 0.0.22 -> 0.0.29 Diff: https://github.com/Kludex/python-multipart/compare/0.0.22...0.0.29 Changelog: https://github.com/Kludex/python-multipart/blob/0.0.29/CHANGELOG.md (cherry picked from commit 83594b903142a5f02015987a98b706416e4161ec) (cherry picked from commit 5010b8e892a3e3d0a514051904f89e330c7252f9) --- .../python-modules/python-multipart/default.nix | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/pkgs/development/python-modules/python-multipart/default.nix b/pkgs/development/python-modules/python-multipart/default.nix index 4781d391f0a21..ed476d568dd85 100644 --- a/pkgs/development/python-modules/python-multipart/default.nix +++ b/pkgs/development/python-modules/python-multipart/default.nix @@ -2,10 +2,8 @@ lib, buildPythonPackage, fetchFromGitHub, - fetchpatch, hatchling, pytestCheckHook, - mock, pyyaml, # for passthru.tests @@ -18,32 +16,22 @@ buildPythonPackage (finalAttrs: { pname = "python-multipart"; - version = "0.0.22"; + version = "0.0.29"; pyproject = true; src = fetchFromGitHub { owner = "Kludex"; repo = "python-multipart"; tag = finalAttrs.version; - hash = "sha256-UegnwGxiXQalbp18t1dl2JOQH6BY975cpBa9uo3SOuk="; + hash = "sha256-1aV7gWLuulINesm3L8Wm3+prmeD9+OY/ihm36rtQPRs="; }; - patches = [ - (fetchpatch { - name = "CVE-2026-40347-part-1.patch"; - url = "https://github.com/Kludex/python-multipart/commit/6a7b76dd2653d99d8e5981d7ff09a4a047750b37.patch"; - hash = "sha256-W1nyYMMoaf+lsNze3ppPeAXN+swG1dScDibazePSt+k="; - }) - ./CVE-2026-40347-part-2.patch - ]; - build-system = [ hatchling ]; pythonImportsCheck = [ "python_multipart" ]; nativeCheckInputs = [ pytestCheckHook - mock pyyaml ]; From 44573c77ca46c5cbacba382c0fb023e9f286923d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Tue, 19 May 2026 20:11:39 -0700 Subject: [PATCH 045/133] python3Packages.asgi-csrf: mark broken (cherry picked from commit 1355d225b662faa1bb9bdbbfce935c416e2a17a0) (cherry picked from commit b928e51eac5a88edf9dca5f35e4dfeb341a21ecf) --- pkgs/development/python-modules/asgi-csrf/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/python-modules/asgi-csrf/default.nix b/pkgs/development/python-modules/asgi-csrf/default.nix index f3ec2670d6f81..9c36730fd74c4 100644 --- a/pkgs/development/python-modules/asgi-csrf/default.nix +++ b/pkgs/development/python-modules/asgi-csrf/default.nix @@ -49,6 +49,8 @@ buildPythonPackage rec { pythonImportsCheck = [ "asgi_csrf" ]; meta = { + # https://github.com/simonw/asgi-csrf/issues/38 + broken = lib.versionAtLeast python-multipart.version "0.0.26"; description = "ASGI middleware for protecting against CSRF attacks"; license = lib.licenses.asl20; homepage = "https://github.com/simonw/asgi-csrf"; From 5c3ae22a1b76f4e2ebea41459060a1c6233ac261 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Wed, 20 May 2026 09:17:04 -0700 Subject: [PATCH 046/133] python3Packages.frictionless: exclude datasette from nativeCheckInputs Datasette depends on asgi-csrf which was broken by updating python-multipart past version 0.0.26. (cherry picked from commit ba2df560b675f7f17843675cfce3422fb758745f) (cherry picked from commit 4316ed9b28fad64bd73607646972215dc975c7c7) --- pkgs/development/python-modules/frictionless/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/development/python-modules/frictionless/default.nix b/pkgs/development/python-modules/frictionless/default.nix index 80013e731fd4e..68edce923de38 100644 --- a/pkgs/development/python-modules/frictionless/default.nix +++ b/pkgs/development/python-modules/frictionless/default.nix @@ -195,7 +195,8 @@ buildPythonPackage rec { openpyxl xlrd ] - ++ lib.concatAttrValues optional-dependencies; + # datasette is transitively broken by asgi-csrf + ++ lib.concatAttrValues (lib.removeAttrs optional-dependencies [ "datasette" ]); disabledTestPaths = [ # Requires optional dependencies that have not been packaged (commented out above) From 8accd65376f0e99cd0d64778f180e039a30345b7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Fri, 22 May 2026 08:00:28 +0200 Subject: [PATCH 047/133] gtk4: make patch unconditional The condition was just to avoid rebuilds at that moment. (cherry picked from commit ace84983c415e2f4c20bcb3e561f1bde840ae5e6) (cherry picked from commit 25498003f382192bd8446d9029918dc794be9875) --- pkgs/by-name/gt/gtk4/package.nix | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/pkgs/by-name/gt/gtk4/package.nix b/pkgs/by-name/gt/gtk4/package.nix index 28fd6efc8850d..9b7807508a353 100644 --- a/pkgs/by-name/gt/gtk4/package.nix +++ b/pkgs/by-name/gt/gtk4/package.nix @@ -95,11 +95,13 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-Ub2fYMfSOmZaVWxzZMIfsuTiglZrPn4JJFXo+RAzCJM="; }; - patches = lib.optional stdenv.hostPlatform.is32bit (fetchpatch { - name = "fix-32bit-VkImage-null.patch"; - url = "https://gitlab.gnome.org/GNOME/gtk/-/commit/10d43de8f4f942cb591ada3103474bd7213425f1.patch"; - hash = "sha256-DJIL6M3XcsjBoMO77OxNi84d1DxAphAfot3N7Nq1QqQ="; - }); + patches = [ + (fetchpatch { + name = "fix-32bit-VkImage-null.patch"; + url = "https://gitlab.gnome.org/GNOME/gtk/-/commit/10d43de8f4f942cb591ada3103474bd7213425f1.patch"; + hash = "sha256-DJIL6M3XcsjBoMO77OxNi84d1DxAphAfot3N7Nq1QqQ="; + }) + ]; depsBuildBuild = [ pkg-config From 8e3eb65c3ca2bc14678edf33a304378a119a6e28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Fri, 22 May 2026 11:05:40 -0700 Subject: [PATCH 048/133] python3Packages.aiodns: 4.0.3 -> 4.0.4 Diff: https://github.com/saghul/aiodns/compare/v4.0.3...v4.0.4 Changelog: https://github.com/saghul/aiodns/releases/tag/v4.0.4 (cherry picked from commit a53c6a389758b5517c67c2481d49656191a20880) (cherry picked from commit 10cf133bbf1f994932c9544c80c0efd62be8203e) --- pkgs/development/python-modules/aiodns/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/aiodns/default.nix b/pkgs/development/python-modules/aiodns/default.nix index 1a147d54fa042..21251500362e9 100644 --- a/pkgs/development/python-modules/aiodns/default.nix +++ b/pkgs/development/python-modules/aiodns/default.nix @@ -8,14 +8,14 @@ buildPythonPackage (finalAttrs: { pname = "aiodns"; - version = "4.0.3"; + version = "4.0.4"; pyproject = true; src = fetchFromGitHub { owner = "saghul"; repo = "aiodns"; tag = "v${finalAttrs.version}"; - hash = "sha256-a26n8n/nxq/LxgPCQJNFjU4yVSCL7YK1lBkiDdVDo2w="; + hash = "sha256-TLiiSRhZaEbHeyrQPk8uvj10VEttRanYEgkBy7DxH4Y="; }; build-system = [ setuptools ]; From c5cd03ad0d9e333731b36d2c627661614ad35214 Mon Sep 17 00:00:00 2001 From: K900 Date: Sat, 23 May 2026 14:53:37 +0300 Subject: [PATCH 049/133] kdePackages.plasma-workspace: backport patch for Qt 6.11.1 regression (cherry picked from commit 66adfb9dab823f579f9d45ee241731a10fb4e7eb) (cherry picked from commit 7a4e6649b6583df4d70a99c27c50e06ae5a12f6f) --- pkgs/kde/plasma/plasma-workspace/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/pkgs/kde/plasma/plasma-workspace/default.nix b/pkgs/kde/plasma/plasma-workspace/default.nix index d7a60c7853185..26211754685f2 100644 --- a/pkgs/kde/plasma/plasma-workspace/default.nix +++ b/pkgs/kde/plasma/plasma-workspace/default.nix @@ -25,6 +25,7 @@ libqalculate, pipewire, gpsd, + fetchpatch, }: mkKdeDerivation { pname = "plasma-workspace"; @@ -42,6 +43,12 @@ mkKdeDerivation { # stop accidentally duplicating fontconfig configs ./fontconfig.patch + + # backport qt 6.11.1 regression workaround + (fetchpatch { + url = "https://invent.kde.org/plasma/plasma-workspace/-/commit/31a64dfa1a71ab1b6a495f2f44132c86858acb8f.diff"; + hash = "sha256-j+AEdDlutDuXmYdK8BJH8bgDF9gieCkbFJK8di+9nxk="; + }) ]; outputs = [ From 6e26421199965863c60fb52e362b47ae0f166c51 Mon Sep 17 00:00:00 2001 From: K900 Date: Sat, 23 May 2026 14:53:51 +0300 Subject: [PATCH 050/133] qt6: 6.11.0 -> 6.11.1 (cherry picked from commit 1b3320b2d9c665aa4689ea2661221a7753afb974) (cherry picked from commit abe60ca22f7620d763522c84b796e98d1ba5a9e0) --- pkgs/development/libraries/qt-6/fetch.sh | 2 +- .../libraries/qt-6/modules/qtbase/default.nix | 5 - .../qt-6/modules/qtdeclarative/default.nix | 6 + .../libraries/qt-6/modules/qtmqtt.nix | 4 +- pkgs/development/libraries/qt-6/srcs.nix | 336 +++++++++--------- 5 files changed, 177 insertions(+), 176 deletions(-) diff --git a/pkgs/development/libraries/qt-6/fetch.sh b/pkgs/development/libraries/qt-6/fetch.sh index 73d170689480a..bd94b3ae2c487 100644 --- a/pkgs/development/libraries/qt-6/fetch.sh +++ b/pkgs/development/libraries/qt-6/fetch.sh @@ -1 +1 @@ -WGET_ARGS=( https://download.qt.io/official_releases/qt/6.11/6.11.0/submodules/ -A '*.tar.xz' ) +WGET_ARGS=( https://download.qt.io/official_releases/qt/6.11/6.11.1/submodules/ -A '*.tar.xz' ) diff --git a/pkgs/development/libraries/qt-6/modules/qtbase/default.nix b/pkgs/development/libraries/qt-6/modules/qtbase/default.nix index fa3ae210d2811..df428b92f64ee 100644 --- a/pkgs/development/libraries/qt-6/modules/qtbase/default.nix +++ b/pkgs/development/libraries/qt-6/modules/qtbase/default.nix @@ -246,11 +246,6 @@ stdenv.mkDerivation { # don't pass qtbase's QML directory to qmlimportscanner if it's empty ./skip-missing-qml-directory.patch - # backport crash fix - (fetchpatch { - url = "https://github.com/qt/qtbase/commit/1466f88633b2c29a6159a0c2eacd0c0d6601aa5e.diff"; - hash = "sha256-ubDAXF47SYagRAJ5SYyBxXl2PiHjAZo3xlYPDz1jRYM="; - }) # another crash fix (fetchpatch { url = "https://github.com/qt/qtbase/commit/515cbbacfba9f4259c9c3b0714a31222c2b4c879.diff"; diff --git a/pkgs/development/libraries/qt-6/modules/qtdeclarative/default.nix b/pkgs/development/libraries/qt-6/modules/qtdeclarative/default.nix index 786229c5651b3..2f19e06a67fa2 100644 --- a/pkgs/development/libraries/qt-6/modules/qtdeclarative/default.nix +++ b/pkgs/development/libraries/qt-6/modules/qtdeclarative/default.nix @@ -43,6 +43,12 @@ qtModule { hash = "sha256-ESy35OlmsvI4yFQ/rFT8oelOUBCwCmlcbQJvwcTrCig="; revert = true; }) + + # backport fix recommended by KDE + (fetchpatch { + url = "https://github.com/qt/qtdeclarative/commit/8a2c82be6ad90e3f2a0760d8bab1e3a8cdb2473a.diff"; + hash = "sha256-3KbyoQPAiRyCwGnwwYV3y0yz2i6UAJcX70EPsXV0ZZM="; + }) ]; cmakeFlags = [ diff --git a/pkgs/development/libraries/qt-6/modules/qtmqtt.nix b/pkgs/development/libraries/qt-6/modules/qtmqtt.nix index effea1d03ab42..c70d2cbd1f881 100644 --- a/pkgs/development/libraries/qt-6/modules/qtmqtt.nix +++ b/pkgs/development/libraries/qt-6/modules/qtmqtt.nix @@ -6,13 +6,13 @@ qtModule rec { pname = "qtmqtt"; - version = "6.11.0"; + version = "6.11.1"; src = fetchFromGitHub { owner = "qt"; repo = "qtmqtt"; tag = "v${version}"; - hash = "sha256-7X+HWAftWHn40RPFQD3/f+bp00LQk8Vsb871WfxdZSE="; + hash = "sha256-GWaF4iCPtATL1mJkPHVY0rom8R2FMNWGahE3KWBlfV8="; }; propagatedBuildInputs = [ qtbase ]; diff --git a/pkgs/development/libraries/qt-6/srcs.nix b/pkgs/development/libraries/qt-6/srcs.nix index 73067dc5fd5c4..93c206858d18d 100644 --- a/pkgs/development/libraries/qt-6/srcs.nix +++ b/pkgs/development/libraries/qt-6/srcs.nix @@ -4,339 +4,339 @@ { qt3d = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qt3d-everywhere-src-6.11.0.tar.xz"; - sha256 = "086xpissihbil51ryl83dlcpkpv3pp3ryj0712x9k9z6756j7ks0"; - name = "qt3d-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qt3d-everywhere-src-6.11.1.tar.xz"; + sha256 = "01q11bs7vjz1s5wdrdjq904dgl2m6l7r8d3vd2kyf7lx0j78qvd6"; + name = "qt3d-everywhere-src-6.11.1.tar.xz"; }; }; qt5compat = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qt5compat-everywhere-src-6.11.0.tar.xz"; - sha256 = "0gn6sj136y8yl1c00nbm81rmhws0mgx35ny7llx74j97ddj58ag6"; - name = "qt5compat-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qt5compat-everywhere-src-6.11.1.tar.xz"; + sha256 = "06qndy534rzabxk9yq07dsl8fj1vd72lmck11r5xbajil3d9zjyg"; + name = "qt5compat-everywhere-src-6.11.1.tar.xz"; }; }; qtactiveqt = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtactiveqt-everywhere-src-6.11.0.tar.xz"; - sha256 = "1kbqa0gx41s097281g4zym9jmjs2ffc75p3rgkbs6bvnlrvl0h89"; - name = "qtactiveqt-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtactiveqt-everywhere-src-6.11.1.tar.xz"; + sha256 = "05hcnhxkajry4ha7ykmqr83p16qjipspwxid8l2rxgz80wy6aadv"; + name = "qtactiveqt-everywhere-src-6.11.1.tar.xz"; }; }; qtbase = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtbase-everywhere-src-6.11.0.tar.xz"; - sha256 = "0pkmrd8ypw1v21cx0890gc6z4v0xr5qip2jnr56r2kc6g5cxh6i3"; - name = "qtbase-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtbase-everywhere-src-6.11.1.tar.xz"; + sha256 = "1b616gr7k8byfr2ns4vczs4kj3sznhlrlw9inpb3m8la48qllnfr"; + name = "qtbase-everywhere-src-6.11.1.tar.xz"; }; }; qtcanvaspainter = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtcanvaspainter-everywhere-src-6.11.0.tar.xz"; - sha256 = "1gmgzmh81wrnj81xsmilqwhc1wv7j2avg91mww8jlrv5rplzynjl"; - name = "qtcanvaspainter-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtcanvaspainter-everywhere-src-6.11.1.tar.xz"; + sha256 = "1l08zp68q3wcr9v5hh82kw6jqvc1wmnrjn7h9959psx520dwcdly"; + name = "qtcanvaspainter-everywhere-src-6.11.1.tar.xz"; }; }; qtcharts = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtcharts-everywhere-src-6.11.0.tar.xz"; - sha256 = "1dcldlw24qd9swynxcdsxnk8haiv442wx323j7qgfwjp13a9nh5c"; - name = "qtcharts-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtcharts-everywhere-src-6.11.1.tar.xz"; + sha256 = "0p2icmrwb6am7x2kgk9pnpa8ypi7jiscyaawgi0x31iaihqyvqrz"; + name = "qtcharts-everywhere-src-6.11.1.tar.xz"; }; }; qtconnectivity = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtconnectivity-everywhere-src-6.11.0.tar.xz"; - sha256 = "0fhrqqz58h3smkksfgnax73bmsiz7q9a1w9vhwd83vs9r0jc3w60"; - name = "qtconnectivity-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtconnectivity-everywhere-src-6.11.1.tar.xz"; + sha256 = "14g5h0wixqy981cnn5f8gkjbji804f18gfjkzbanxd0lljg2h191"; + name = "qtconnectivity-everywhere-src-6.11.1.tar.xz"; }; }; qtdatavis3d = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtdatavis3d-everywhere-src-6.11.0.tar.xz"; - sha256 = "1jr3bkvp4wj1jdafc64ziq4raxbya6jk6s0d4mq0w2kr7zpqrggf"; - name = "qtdatavis3d-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtdatavis3d-everywhere-src-6.11.1.tar.xz"; + sha256 = "1b4kcqfq5q79lm70f08qiksxl36laa9dgx9ladjk2xwl1af7n6hy"; + name = "qtdatavis3d-everywhere-src-6.11.1.tar.xz"; }; }; qtdeclarative = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtdeclarative-everywhere-src-6.11.0.tar.xz"; - sha256 = "1sgxxmg49flana7mylyz4c5mf5hr00kzl8nkwwj87pqx8dlybv2f"; - name = "qtdeclarative-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtdeclarative-everywhere-src-6.11.1.tar.xz"; + sha256 = "193ar0fcfzjjr7mi8i2622vip95qrr3qry949d9lyc5hf3v71rjj"; + name = "qtdeclarative-everywhere-src-6.11.1.tar.xz"; }; }; qtdoc = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtdoc-everywhere-src-6.11.0.tar.xz"; - sha256 = "1wwl2vr1qs2lqmz45iqpkzkxqp97g0yzfmz0kb5wpi8sys7c07bx"; - name = "qtdoc-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtdoc-everywhere-src-6.11.1.tar.xz"; + sha256 = "1hd5z6prx2sbr3wxzkynrn2iyjllvkids505l2xg3p272j4b5306"; + name = "qtdoc-everywhere-src-6.11.1.tar.xz"; }; }; qtgraphs = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtgraphs-everywhere-src-6.11.0.tar.xz"; - sha256 = "0nxifvs5042pzyd5syhgpmxzsq07fhpbbm57ckwzsn55q14cnvyz"; - name = "qtgraphs-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtgraphs-everywhere-src-6.11.1.tar.xz"; + sha256 = "0qh43qxqg4biyrrsd78nmi4dm3dnbswa95cq8db2k3lans517cc4"; + name = "qtgraphs-everywhere-src-6.11.1.tar.xz"; }; }; qtgrpc = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtgrpc-everywhere-src-6.11.0.tar.xz"; - sha256 = "0yd8jjxigaynv386f3cs1i743nm7yngciw346xqfil3chd8wpvcx"; - name = "qtgrpc-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtgrpc-everywhere-src-6.11.1.tar.xz"; + sha256 = "0l52w91hd2crq6zyh5a8arv07yixnwcr2pya74bxpk2hqpq08ys3"; + name = "qtgrpc-everywhere-src-6.11.1.tar.xz"; }; }; qthttpserver = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qthttpserver-everywhere-src-6.11.0.tar.xz"; - sha256 = "16wqglm8ws63qs7i769xy94bygwbhkz7hjfw27hnps7d4yirb41b"; - name = "qthttpserver-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qthttpserver-everywhere-src-6.11.1.tar.xz"; + sha256 = "01p7li9fvwnz2shx3d9wj9nnnnipya2q0whchyvgjqb8yzy71gq4"; + name = "qthttpserver-everywhere-src-6.11.1.tar.xz"; }; }; qtimageformats = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtimageformats-everywhere-src-6.11.0.tar.xz"; - sha256 = "1j0cjj7gxjbprszw349janl3zk38rkby1bmxil329zp2qlmb1bfk"; - name = "qtimageformats-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtimageformats-everywhere-src-6.11.1.tar.xz"; + sha256 = "04y4pa5krrpyiqn039d6m8bzcxj6pa1m850rz3bmw5xc8ml6rgxj"; + name = "qtimageformats-everywhere-src-6.11.1.tar.xz"; }; }; qtlanguageserver = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtlanguageserver-everywhere-src-6.11.0.tar.xz"; - sha256 = "1gq5yjvk6iyg606pgpxkb136qlz9hpb7ngll81nhiyb1ym1y9j0v"; - name = "qtlanguageserver-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtlanguageserver-everywhere-src-6.11.1.tar.xz"; + sha256 = "1vwavpi8swgs88pfjfddnb9cmsb4k1sjcgywp2rsnm6ay8vqa02h"; + name = "qtlanguageserver-everywhere-src-6.11.1.tar.xz"; }; }; qtlocation = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtlocation-everywhere-src-6.11.0.tar.xz"; - sha256 = "1vxb6n8xf98zcg2bw29gsaqa74sg6jn9ilzs8c5b9q79i9m3if49"; - name = "qtlocation-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtlocation-everywhere-src-6.11.1.tar.xz"; + sha256 = "06z4hbiqki5chhmph131s71czyrjpnjvy3rxb4560vwy55vwx49p"; + name = "qtlocation-everywhere-src-6.11.1.tar.xz"; }; }; qtlottie = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtlottie-everywhere-src-6.11.0.tar.xz"; - sha256 = "02ndplkk4bq01b0fh9l2ykw09v0k5nbsayrs9wcjwrdwg5law8rg"; - name = "qtlottie-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtlottie-everywhere-src-6.11.1.tar.xz"; + sha256 = "0y969gp64imwh49d5zbnw0wi2yva9fsp6qn58617rs9kvkdzml70"; + name = "qtlottie-everywhere-src-6.11.1.tar.xz"; }; }; qtmultimedia = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtmultimedia-everywhere-src-6.11.0.tar.xz"; - sha256 = "0h30l8zflkla7rcshgs0jfjbjwvq9rqx0wq83f6vd0x9lz0cmi4h"; - name = "qtmultimedia-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtmultimedia-everywhere-src-6.11.1.tar.xz"; + sha256 = "02lvq1jk6m67m6z0w7vdzxhzmi441j8avvp79mfclfpfvm98w3rr"; + name = "qtmultimedia-everywhere-src-6.11.1.tar.xz"; }; }; qtnetworkauth = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtnetworkauth-everywhere-src-6.11.0.tar.xz"; - sha256 = "1mqly8had79f54dlygh42jr0c0jfiv4j4w2rbr0s7qx9nk9ig342"; - name = "qtnetworkauth-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtnetworkauth-everywhere-src-6.11.1.tar.xz"; + sha256 = "0gan2qjv97d1387jqaiis2gigm6lz5jbk1k10x13w0yc5kr5n7cz"; + name = "qtnetworkauth-everywhere-src-6.11.1.tar.xz"; }; }; qtopenapi = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtopenapi-everywhere-src-6.11.0.tar.xz"; - sha256 = "1h2pcq6i72yic0r7ns36vj678d1xqy291jamqd6b6jkjddmj1hlg"; - name = "qtopenapi-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtopenapi-everywhere-src-6.11.1.tar.xz"; + sha256 = "0nzl95w5pbfd6mfb6rzv6arz09pcm6siz1n07pgm9rrdr6z083a4"; + name = "qtopenapi-everywhere-src-6.11.1.tar.xz"; }; }; qtpositioning = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtpositioning-everywhere-src-6.11.0.tar.xz"; - sha256 = "1scnnz65qyfg0nl9vjkqcss8xsw3yf91w71d9p1kwlfybscd07yn"; - name = "qtpositioning-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtpositioning-everywhere-src-6.11.1.tar.xz"; + sha256 = "1xbq1xjjbhb41lfp9mli8a5rgqf5pniswv0161v6wa5f04cbkrnm"; + name = "qtpositioning-everywhere-src-6.11.1.tar.xz"; }; }; qtquick3d = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquick3d-everywhere-src-6.11.0.tar.xz"; - sha256 = "1549gdb3yxj1bpl54kgnkkhzjx0zxqi71ssp4rj6qnz56fxh085l"; - name = "qtquick3d-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquick3d-everywhere-src-6.11.1.tar.xz"; + sha256 = "0vs5bcz62r32gin0g4lb6wdmqrv0ypzar1s9wsza98la7zg8asy7"; + name = "qtquick3d-everywhere-src-6.11.1.tar.xz"; }; }; qtquick3dphysics = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquick3dphysics-everywhere-src-6.11.0.tar.xz"; - sha256 = "0dcx9913xss435cijx5bzckvsn66qfi6c39rx0gyv9iiys76qym5"; - name = "qtquick3dphysics-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquick3dphysics-everywhere-src-6.11.1.tar.xz"; + sha256 = "1bvrmjb6m0ynq00ybdghvkbmwm237vff23ng8n4njysf05pns26i"; + name = "qtquick3dphysics-everywhere-src-6.11.1.tar.xz"; }; }; qtquickeffectmaker = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquickeffectmaker-everywhere-src-6.11.0.tar.xz"; - sha256 = "05fpv497rmx2lw7gx05sxyxjwx8gq8fbbnkzhnw73pk2xqzq20mc"; - name = "qtquickeffectmaker-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquickeffectmaker-everywhere-src-6.11.1.tar.xz"; + sha256 = "0sqk8hkkdibv0ayxrvpcbgj3dcwfngpd6qjp2xm15pcbx1q3xrng"; + name = "qtquickeffectmaker-everywhere-src-6.11.1.tar.xz"; }; }; qtquicktimeline = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtquicktimeline-everywhere-src-6.11.0.tar.xz"; - sha256 = "1micycw7m25gw0bgbfq7bnr7cg7qrjj2r69320rglc8lak6f3nq6"; - name = "qtquicktimeline-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtquicktimeline-everywhere-src-6.11.1.tar.xz"; + sha256 = "09wcx83yxif8r4v81h2jfj3wlj60wnc9k4dsp7hlah4yzm1zclxg"; + name = "qtquicktimeline-everywhere-src-6.11.1.tar.xz"; }; }; qtremoteobjects = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtremoteobjects-everywhere-src-6.11.0.tar.xz"; - sha256 = "15yykbaxqc6v2flgjvn92w7gwfvi820dg4cxkjxcfhpix2m21571"; - name = "qtremoteobjects-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtremoteobjects-everywhere-src-6.11.1.tar.xz"; + sha256 = "06hiiyjpcgn8dp9jmgxj30nlrw73rqb869f0m63scccmqsarhqj0"; + name = "qtremoteobjects-everywhere-src-6.11.1.tar.xz"; }; }; qtscxml = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtscxml-everywhere-src-6.11.0.tar.xz"; - sha256 = "1rylchpvzldy7hhr3icr85w8m4hf7wch17yqh368yrn3q19klf3c"; - name = "qtscxml-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtscxml-everywhere-src-6.11.1.tar.xz"; + sha256 = "0gr0j09isxgii3aivfvr35x40d9n0kj0g2icc7g7bzniwm2m4jcf"; + name = "qtscxml-everywhere-src-6.11.1.tar.xz"; }; }; qtsensors = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtsensors-everywhere-src-6.11.0.tar.xz"; - sha256 = "1iy33w7gjp06xi4342si979q9w84cvbbk90kxmk2gx69icjjja21"; - name = "qtsensors-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtsensors-everywhere-src-6.11.1.tar.xz"; + sha256 = "13ygry3lybkgci6gkrd7k081l01icavzkiyy4g82drbvv9i70q93"; + name = "qtsensors-everywhere-src-6.11.1.tar.xz"; }; }; qtserialbus = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtserialbus-everywhere-src-6.11.0.tar.xz"; - sha256 = "1qfs9zqvz3hf16w8gg6nlwxcv6sz72546pds02dabhkcw47nqvmh"; - name = "qtserialbus-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtserialbus-everywhere-src-6.11.1.tar.xz"; + sha256 = "02pj4jnxc4afl5ymv7w8asggpg0hdj3dbnwwcqd305b8il69qv64"; + name = "qtserialbus-everywhere-src-6.11.1.tar.xz"; }; }; qtserialport = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtserialport-everywhere-src-6.11.0.tar.xz"; - sha256 = "111pmva70mcffhq09q2h1gcr03fivs9j2ywx4ib00pbyxfvr4ii6"; - name = "qtserialport-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtserialport-everywhere-src-6.11.1.tar.xz"; + sha256 = "0x1r5l3kx7riprf0b2api0bcg0z755fq9vbgmx7px6pxiy4imwws"; + name = "qtserialport-everywhere-src-6.11.1.tar.xz"; }; }; qtshadertools = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtshadertools-everywhere-src-6.11.0.tar.xz"; - sha256 = "0jp1sb9pl7y821awln7rpk0hz7d5ipwnkqhy51caich9i2pb2g74"; - name = "qtshadertools-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtshadertools-everywhere-src-6.11.1.tar.xz"; + sha256 = "1z42r414jid12jmhm1yf5kw44j886w01igav0kggkg13kcphax90"; + name = "qtshadertools-everywhere-src-6.11.1.tar.xz"; }; }; qtspeech = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtspeech-everywhere-src-6.11.0.tar.xz"; - sha256 = "08fv8v6rvcv0pa6r52kr2na2rcpjr3yk556ksinnh6aslv8qbid9"; - name = "qtspeech-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtspeech-everywhere-src-6.11.1.tar.xz"; + sha256 = "051z4yf22hkqhy3pkgxq8s77x06k4cd70i9jcmd8f99004cc6df0"; + name = "qtspeech-everywhere-src-6.11.1.tar.xz"; }; }; qtsvg = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtsvg-everywhere-src-6.11.0.tar.xz"; - sha256 = "1rih59jsn0wq12gq5gbs1cz9by27x2x4wjpd0ya7s207pr9xda6z"; - name = "qtsvg-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtsvg-everywhere-src-6.11.1.tar.xz"; + sha256 = "154adaicyy5wyz6yc95g3lm4iw9v2zdsd7l5qp107gr490pz0g3z"; + name = "qtsvg-everywhere-src-6.11.1.tar.xz"; }; }; qttasktree = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qttasktree-everywhere-src-6.11.0.tar.xz"; - sha256 = "0kxkm3qvzw5i5x2ads6skpz8z6shbn2msznmr614yvsdgiga4yjr"; - name = "qttasktree-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qttasktree-everywhere-src-6.11.1.tar.xz"; + sha256 = "1mjdwy3i24ggn2g82z5pg3grzhnaxmq7nmvdc7ba8dsdixzvjam2"; + name = "qttasktree-everywhere-src-6.11.1.tar.xz"; }; }; qttools = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qttools-everywhere-src-6.11.0.tar.xz"; - sha256 = "0xpwv483zrw3jkajhv9sbr7bm95qahxg770vn1jqk10hg8yrkcfg"; - name = "qttools-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qttools-everywhere-src-6.11.1.tar.xz"; + sha256 = "03gmr9zpf0raqcvqk2cpw9lblw907hsl5cb5c2fgm4wwcxd86qcf"; + name = "qttools-everywhere-src-6.11.1.tar.xz"; }; }; qttranslations = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qttranslations-everywhere-src-6.11.0.tar.xz"; - sha256 = "0mpy3y76n1jw2prhad9rqyn48miqlmqg3581jgzr4s1iwhpqpx2l"; - name = "qttranslations-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qttranslations-everywhere-src-6.11.1.tar.xz"; + sha256 = "0xsnxhiqc3ybwvyn1jbhdf1sjmcf7v4mma6w9sxwg535420jrh1p"; + name = "qttranslations-everywhere-src-6.11.1.tar.xz"; }; }; qtvirtualkeyboard = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtvirtualkeyboard-everywhere-src-6.11.0.tar.xz"; - sha256 = "11p6m1s7r7q2y6a2ak5lyzfd2907s2skfa630snf64x32cblp2nq"; - name = "qtvirtualkeyboard-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtvirtualkeyboard-everywhere-src-6.11.1.tar.xz"; + sha256 = "073y02qmpwxxdqc4pkm6k9frghsjg1zppg2hip5b4hv269xrdim1"; + name = "qtvirtualkeyboard-everywhere-src-6.11.1.tar.xz"; }; }; qtwayland = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwayland-everywhere-src-6.11.0.tar.xz"; - sha256 = "0dsdv1d4p1wf0sqd26cmj486bvwlprmqzmjddsw24agrc3kyc477"; - name = "qtwayland-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwayland-everywhere-src-6.11.1.tar.xz"; + sha256 = "1cyr5frhglp2krxvpnqk9q426rgp6nr34ngnxpa42m7p0ajqly4m"; + name = "qtwayland-everywhere-src-6.11.1.tar.xz"; }; }; qtwebchannel = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebchannel-everywhere-src-6.11.0.tar.xz"; - sha256 = "097vm6pxh18bil9ld9cxg50v861nyhaha4f6bjfjqph1icx18ip9"; - name = "qtwebchannel-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebchannel-everywhere-src-6.11.1.tar.xz"; + sha256 = "10ld2nh6gd1v2ssbgqlf6w0lsjlqkjdfwqv85mn5krnnf45vbyv9"; + name = "qtwebchannel-everywhere-src-6.11.1.tar.xz"; }; }; qtwebengine = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebengine-everywhere-src-6.11.0.tar.xz"; - sha256 = "0dk72k92zp19jkph1vl88l2dyrh105v6cycsxln1anfxnb423fb3"; - name = "qtwebengine-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebengine-everywhere-src-6.11.1.tar.xz"; + sha256 = "10vhcvw8j60n0mf38bi3fjcx5v1i0cbfyn4wbqhzqn61qv66d737"; + name = "qtwebengine-everywhere-src-6.11.1.tar.xz"; }; }; qtwebsockets = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebsockets-everywhere-src-6.11.0.tar.xz"; - sha256 = "0cnh67ncfh0gvpqfiqhr0cpmswq9zysza130axlmh69mzg8i17sn"; - name = "qtwebsockets-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebsockets-everywhere-src-6.11.1.tar.xz"; + sha256 = "1gvgci383dfm4sljqlapdiva7jhks1i2z2ayck0wbj1436hklgi4"; + name = "qtwebsockets-everywhere-src-6.11.1.tar.xz"; }; }; qtwebview = { - version = "6.11.0"; + version = "6.11.1"; src = fetchurl { - url = "${mirror}/official_releases/qt/6.11/6.11.0/submodules/qtwebview-everywhere-src-6.11.0.tar.xz"; - sha256 = "1cy4x331h0f4d5l8c18xrvdq6hwz7r16qd1xhr8gdm8j9bcsw3nb"; - name = "qtwebview-everywhere-src-6.11.0.tar.xz"; + url = "${mirror}/official_releases/qt/6.11/6.11.1/submodules/qtwebview-everywhere-src-6.11.1.tar.xz"; + sha256 = "0g8k4xs7b0s474x00ds4i8q9b164icdgrdg8ngln10nmf3pwhqld"; + name = "qtwebview-everywhere-src-6.11.1.tar.xz"; }; }; } From bbacb13154653be5e334c81f7764b71c8dba88ee Mon Sep 17 00:00:00 2001 From: zowoq <59103226+zowoq@users.noreply.github.com> Date: Sat, 9 May 2026 12:06:55 +1000 Subject: [PATCH 051/133] glibc: 2.42-61 -> 2.42-67 (cherry picked from commit 4a8e8392a42c9668f1ba0af081b4f6195f2341cb) (cherry picked from commit e0c442323becde6dc2d34c92f932bb1dd0470856) --- .../libraries/glibc/2.42-master.patch | 759 ++++++++++++++++++ pkgs/development/libraries/glibc/common.nix | 6 +- 2 files changed, 762 insertions(+), 3 deletions(-) diff --git a/pkgs/development/libraries/glibc/2.42-master.patch b/pkgs/development/libraries/glibc/2.42-master.patch index 47ed7dd1183bb..a7bdf93961db0 100644 --- a/pkgs/development/libraries/glibc/2.42-master.patch +++ b/pkgs/development/libraries/glibc/2.42-master.patch @@ -7154,3 +7154,762 @@ index 00181cfefb..e83ea2b939 100644 TEST_VERIFY (ret != 0); TEST_COMPARE (errno, EBUSY); } + +commit f13c1bb0f97fbc12a6ba1ab5669ce561ea32b80a +Author: Florian Weimer +Date: Thu Apr 16 19:13:43 2026 +0200 + + Use pending character state in IBM1390, IBM1399 character sets (CVE-2026-4046) + + Follow the example in iso-2022-jp-3.c and use the __count state + variable to store the pending character. This avoids restarting + the conversion if the output buffer ends between two 4-byte UCS-4 + code points, so that the assert reported in the bug can no longer + happen. + + Even though the fix is applied to ibm1364.c, the change is only + effective for the two HAS_COMBINED codecs for IBM1390, IBM1399. + + The test case was mostly auto-generated using + claude-4.6-opus-high-thinking, and composer-2-fast shows up in the + log as well. During review, gpt-5.4-xhigh flagged that the original + version of the test case was not exercising the new character + flush logic. + + This fixes bug 33980. + + Assisted-by: LLM + Reviewed-by: Carlos O'Donell + (cherry picked from commit d6f08d1cf027f4eb2ba289a6cc66853722d4badc) + +diff --git a/iconvdata/Makefile b/iconvdata/Makefile +index 5a2abeea24..cc689f63e9 100644 +--- a/iconvdata/Makefile ++++ b/iconvdata/Makefile +@@ -76,7 +76,7 @@ tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \ + tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \ + bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \ + bug-iconv13 bug-iconv14 bug-iconv15 \ +- tst-iconv-iso-2022-cn-ext ++ tst-iconv-iso-2022-cn-ext tst-bug33980 + ifeq ($(have-thread-library),yes) + tests += bug-iconv3 + endif +@@ -333,6 +333,8 @@ $(objpfx)bug-iconv15.out: $(addprefix $(objpfx), $(gconv-modules)) \ + $(addprefix $(objpfx),$(modules.so)) + $(objpfx)tst-iconv-iso-2022-cn-ext.out: $(addprefix $(objpfx), $(gconv-modules)) \ + $(addprefix $(objpfx),$(modules.so)) ++$(objpfx)tst-bug33980.out: $(addprefix $(objpfx), $(gconv-modules)) \ ++ $(addprefix $(objpfx),$(modules.so)) + + $(objpfx)iconv-test.out: run-iconv-test.sh \ + $(addprefix $(objpfx), $(gconv-modules)) \ +diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c +index 45c62acee5..244c61ad7a 100644 +--- a/iconvdata/ibm1364.c ++++ b/iconvdata/ibm1364.c +@@ -67,12 +67,29 @@ + + /* Since this is a stateful encoding we have to provide code which resets + the output state to the initial state. This has to be done during the +- flushing. */ ++ flushing. For the to-internal direction (FROM_DIRECTION is true), ++ there may be a pending character that needs flushing. */ + #define EMIT_SHIFT_TO_INIT \ + if ((data->__statep->__count & ~7) != sb) \ + { \ + if (FROM_DIRECTION) \ +- data->__statep->__count &= 7; \ ++ { \ ++ uint32_t ch = data->__statep->__count >> 7; \ ++ if (__glibc_unlikely (ch != 0)) \ ++ { \ ++ if (__glibc_unlikely (outend - outbuf < 4)) \ ++ status = __GCONV_FULL_OUTPUT; \ ++ else \ ++ { \ ++ put32 (outbuf, ch); \ ++ outbuf += 4; \ ++ /* Clear character and db bit. */ \ ++ data->__statep->__count &= 7; \ ++ } \ ++ } \ ++ else \ ++ data->__statep->__count &= 7; \ ++ } \ + else \ + { \ + /* We are not in the initial state. To switch back we have \ +@@ -99,11 +116,13 @@ + *curcsp = save_curcs + + +-/* Current codeset type. */ ++/* Current codeset type. The bit is stored in the __count variable of ++ the conversion state. If the db bit is set, bit 7 and above store ++ a pending UCS-4 code point if non-zero. */ + enum + { +- sb = 0, +- db = 64 ++ sb = 0, /* Single byte mode. */ ++ db = 64 /* Double byte mode. */ + }; + + +@@ -119,21 +138,29 @@ enum + } \ + else \ + { \ +- /* This is a combined character. Make sure we have room. */ \ +- if (__glibc_unlikely (outptr + 8 > outend)) \ +- { \ +- result = __GCONV_FULL_OUTPUT; \ +- break; \ +- } \ +- \ + const struct divide *cmbp \ + = &DB_TO_UCS4_COMB[ch - __TO_UCS4_COMBINED_MIN]; \ + assert (cmbp->res1 != 0 && cmbp->res2 != 0); \ + \ + put32 (outptr, cmbp->res1); \ + outptr += 4; \ +- put32 (outptr, cmbp->res2); \ +- outptr += 4; \ ++ \ ++ /* See whether we have room for the second character. */ \ ++ if (outend - outptr >= 4) \ ++ { \ ++ put32 (outptr, cmbp->res2); \ ++ outptr += 4; \ ++ } \ ++ else \ ++ { \ ++ /* Otherwise store only the first character now, and \ ++ put the second one into the queue. */ \ ++ curcs |= cmbp->res2 << 7; \ ++ inptr += 2; \ ++ /* Tell the caller why we terminate the loop. */ \ ++ result = __GCONV_FULL_OUTPUT; \ ++ break; \ ++ } \ + } \ + } + #else +@@ -153,7 +180,20 @@ enum + #define LOOPFCT FROM_LOOP + #define BODY \ + { \ +- uint32_t ch = *inptr; \ ++ uint32_t ch; \ ++ \ ++ ch = curcs >> 7; \ ++ if (__glibc_unlikely (ch != 0)) \ ++ { \ ++ put32 (outptr, ch); \ ++ outptr += 4; \ ++ /* Remove the pending character, but preserve state bits. */ \ ++ curcs &= (1 << 7) - 1; \ ++ continue; \ ++ } \ ++ \ ++ /* Otherwise read the next input byte. */ \ ++ ch = *inptr; \ + \ + if (__builtin_expect (ch, 0) == SO) \ + { \ +diff --git a/iconvdata/tst-bug33980.c b/iconvdata/tst-bug33980.c +new file mode 100644 +index 0000000000..c9693e0efe +--- /dev/null ++++ b/iconvdata/tst-bug33980.c +@@ -0,0 +1,153 @@ ++/* Test for bug 33980: combining characters in IBM1390/IBM1399. ++ Copyright (C) 2026 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++/* Run iconv in a loop with a small output buffer of OUTBUFSIZE bytes ++ starting at OUTBUF. OUTBUF should be right before an unmapped page ++ so that writing past the end will fault. Skip SHIFT bytes at the ++ start of the input and output, to exercise different buffer ++ alignment. TRUNCATE indicates skipped bytes at the end of ++ input (0 and 1 a valid). */ ++static void ++test_one (const char *encoding, unsigned int shift, unsigned int truncate, ++ char *outbuf, size_t outbufsize) ++{ ++ /* In IBM1390 and IBM1399, the DBCS code 0xECB5 expands to two ++ Unicode code points when translated. */ ++ static char input[] = ++ { ++ /* 8 letters X. */ ++ 0xe7, 0xe7, 0xe7, 0xe7, 0xe7, 0xe7, 0xe7, 0xe7, ++ /* SO, 0xECB5, SI: shift to DBCS, special character, shift back. */ ++ 0x0e, 0xec, 0xb5, 0x0f ++ }; ++ ++ /* Expected output after UTF-8 conversion. */ ++ static char expected[] = ++ { ++ 'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X', ++ /* U+304B (HIRAGANA LETTER KA). */ ++ 0xe3, 0x81, 0x8b, ++ /* U+309A (COMBINING KATAKANA-HIRAGANA SEMI-VOICED SOUND MARK). */ ++ 0xe3, 0x82, 0x9a ++ }; ++ ++ iconv_t cd = iconv_open ("UTF-8", encoding); ++ TEST_VERIFY_EXIT (cd != (iconv_t) -1); ++ ++ char result_storage[64]; ++ struct alloc_buffer result_buf ++ = alloc_buffer_create (result_storage, sizeof (result_storage)); ++ ++ char *inptr = &input[shift]; ++ size_t inleft = sizeof (input) - shift - truncate; ++ ++ while (inleft > 0) ++ { ++ char *outptr = outbuf; ++ size_t outleft = outbufsize; ++ size_t inleft_before = inleft; ++ ++ size_t ret = iconv (cd, &inptr, &inleft, &outptr, &outleft); ++ size_t produced = outptr - outbuf; ++ alloc_buffer_copy_bytes (&result_buf, outbuf, produced); ++ ++ if (ret == (size_t) -1 && errno == E2BIG) ++ { ++ if (produced == 0 && inleft == inleft_before) ++ { ++ /* Output buffer too small to make progress. This is ++ expected for very small output buffer sizes. */ ++ TEST_VERIFY_EXIT (outbufsize < 3); ++ break; ++ } ++ continue; ++ } ++ if (ret == (size_t) -1) ++ FAIL_EXIT1 ("%s (outbufsize %zu): iconv: %m", encoding, outbufsize); ++ break; ++ } ++ ++ /* Flush any pending state (e.g. a buffered combined character). ++ With outbufsize < 3, we could not store the first character, so ++ the second character did not become pending, and there is nothing ++ to flush. */ ++ { ++ char *outptr = outbuf; ++ size_t outleft = outbufsize; ++ ++ size_t ret = iconv (cd, NULL, NULL, &outptr, &outleft); ++ TEST_VERIFY_EXIT (ret == 0); ++ size_t produced = outptr - outbuf; ++ alloc_buffer_copy_bytes (&result_buf, outbuf, produced); ++ ++ /* Second flush does not provide more data. */ ++ outptr = outbuf; ++ outleft = outbufsize; ++ ret = iconv (cd, NULL, NULL, &outptr, &outleft); ++ TEST_VERIFY_EXIT (ret == 0); ++ TEST_VERIFY (outptr == outbuf); ++ } ++ ++ TEST_VERIFY_EXIT (!alloc_buffer_has_failed (&result_buf)); ++ size_t result_used ++ = sizeof (result_storage) - alloc_buffer_size (&result_buf); ++ ++ if (outbufsize >= 3) ++ { ++ TEST_COMPARE (inleft, 0); ++ TEST_COMPARE (result_used, sizeof (expected) - shift); ++ TEST_COMPARE_BLOB (result_storage, result_used, ++ &expected[shift], sizeof (expected) - shift); ++ } ++ else ++ /* If the buffer is too small, only the leading X could be converted. */ ++ TEST_COMPARE (result_used, 8 - shift); ++ ++ TEST_VERIFY_EXIT (iconv_close (cd) == 0); ++} ++ ++static int ++do_test (void) ++{ ++ struct support_next_to_fault ntf ++ = support_next_to_fault_allocate (8); ++ ++ for (int shift = 0; shift <= 8; ++shift) ++ for (int truncate = 0; truncate < 2; ++truncate) ++ for (size_t outbufsize = 1; outbufsize <= 8; outbufsize++) ++ { ++ char *outbuf = ntf.buffer + ntf.length - outbufsize; ++ test_one ("IBM1390", shift, truncate, outbuf, outbufsize); ++ test_one ("IBM1399", shift, truncate, outbuf, outbufsize); ++ } ++ ++ support_next_to_fault_free (&ntf); ++ return 0; ++} ++ ++#include + +commit 12feedaf67e11c4618dc50c6aab4dbfd1e6d9531 +Author: DJ Delorie +Date: Mon Jan 26 22:24:42 2026 -0500 + + include: isolate __O_CLOEXEC flag for sys/mount.h and fcntl.h + + Including sys/mount.h should not implicitly include fcntl.h + as that causes namespace pollution and conflicts with kernel + headers. It only needs O_CLOEXEC for OPEN_TREE_CLOEXEC + (although it shouldn't need that, but it's defined that way) + so we provide that define (via a private version) separately. + + Reviewed-by: Adhemerval Zanella + Tested-by: Florian Weimer + (cherry picked from commit 419245719ccbc7dad6a97f24465e7f09c090327a) + +diff --git a/io/fcntl.c b/io/fcntl.c +index e88e28664c..b7dab1bb39 100644 +--- a/io/fcntl.c ++++ b/io/fcntl.c +@@ -18,6 +18,10 @@ + #include + #include + ++#ifndef __O_CLOEXEC ++# error __O_CLOEXEC not defined by fcntl.h/cloexec.h ++#endif ++ + /* Perform file control operations on FD. */ + int + __fcntl (int fd, int cmd, ...) +diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile +index c47cbdf428..053041f256 100644 +--- a/sysdeps/unix/sysv/linux/Makefile ++++ b/sysdeps/unix/sysv/linux/Makefile +@@ -129,6 +129,7 @@ CFLAGS-test-errno-linux.c += $(no-fortify-source) + + sysdep_headers += \ + bits/a.out.h \ ++ bits/cloexec.h \ + bits/epoll.h \ + bits/eventfd.h \ + bits/inotify.h \ +diff --git a/sysdeps/unix/sysv/linux/alpha/bits/cloexec.h b/sysdeps/unix/sysv/linux/alpha/bits/cloexec.h +new file mode 100644 +index 0000000000..f381f28a53 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/alpha/bits/cloexec.h +@@ -0,0 +1 @@ ++#define __O_CLOEXEC 010000000 +diff --git a/sysdeps/unix/sysv/linux/bits/cloexec.h b/sysdeps/unix/sysv/linux/bits/cloexec.h +new file mode 100644 +index 0000000000..3059fb6473 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/bits/cloexec.h +@@ -0,0 +1 @@ ++#define __O_CLOEXEC 02000000 +diff --git a/sysdeps/unix/sysv/linux/bits/fcntl-linux.h b/sysdeps/unix/sysv/linux/bits/fcntl-linux.h +index f425a4bf22..98954feaca 100644 +--- a/sysdeps/unix/sysv/linux/bits/fcntl-linux.h ++++ b/sysdeps/unix/sysv/linux/bits/fcntl-linux.h +@@ -81,9 +81,7 @@ + #ifndef __O_NOFOLLOW + # define __O_NOFOLLOW 0400000 + #endif +-#ifndef __O_CLOEXEC +-# define __O_CLOEXEC 02000000 +-#endif ++#include + #ifndef __O_DIRECT + # define __O_DIRECT 040000 + #endif +diff --git a/sysdeps/unix/sysv/linux/hppa/bits/cloexec.h b/sysdeps/unix/sysv/linux/hppa/bits/cloexec.h +new file mode 100644 +index 0000000000..f381f28a53 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/hppa/bits/cloexec.h +@@ -0,0 +1 @@ ++#define __O_CLOEXEC 010000000 +diff --git a/sysdeps/unix/sysv/linux/sparc/bits/cloexec.h b/sysdeps/unix/sysv/linux/sparc/bits/cloexec.h +new file mode 100644 +index 0000000000..6706eaa7d5 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/sparc/bits/cloexec.h +@@ -0,0 +1 @@ ++#define __O_CLOEXEC 0x400000 +diff --git a/sysdeps/unix/sysv/linux/sys/mount.h b/sysdeps/unix/sysv/linux/sys/mount.h +index b549e75148..365da1c296 100644 +--- a/sysdeps/unix/sysv/linux/sys/mount.h ++++ b/sysdeps/unix/sysv/linux/sys/mount.h +@@ -21,7 +21,6 @@ + #ifndef _SYS_MOUNT_H + #define _SYS_MOUNT_H 1 + +-#include + #include + #include + #include +@@ -266,6 +265,11 @@ enum fsconfig_command + + /* open_tree flags. */ + #define OPEN_TREE_CLONE 1 /* Clone the target tree and attach the clone */ ++#ifndef O_CLOEXEC ++# include ++# define O_CLOEXEC __O_CLOEXEC ++#endif ++#undef OPEN_TREE_CLOEXEC + #define OPEN_TREE_CLOEXEC O_CLOEXEC /* Close the file on execve() */ + + +diff --git a/sysdeps/unix/sysv/linux/tst-mount.c b/sysdeps/unix/sysv/linux/tst-mount.c +index 40913c7082..78a2772b2f 100644 +--- a/sysdeps/unix/sysv/linux/tst-mount.c ++++ b/sysdeps/unix/sysv/linux/tst-mount.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include /* For AT_ constants. */ + #include + + _Static_assert (sizeof (struct mount_attr) == MOUNT_ATTR_SIZE_VER0, + +commit 3ecfa68561d723564a1fb565366182eb4acb3e8f +Author: Florian Weimer +Date: Wed Mar 4 18:32:36 2026 +0100 + + Linux: Only define OPEN_TREE_* macros in if undefined (bug 33921) + + There is a conditional inclusion of earlier in the file. + If that defines the macros, do not redefine them. This addresses build + problems as the token sequence used by the UAPI macro definitions + changes between Linux versions. + + Reviewed-by: Adhemerval Zanella + (cherry picked from commit d12b017cddfeb9fe9920ba054ae3dfcb8e9238b8) + +diff --git a/sysdeps/unix/sysv/linux/sys/mount.h b/sysdeps/unix/sysv/linux/sys/mount.h +index 365da1c296..30ba56c1e8 100644 +--- a/sysdeps/unix/sysv/linux/sys/mount.h ++++ b/sysdeps/unix/sysv/linux/sys/mount.h +@@ -264,14 +264,16 @@ enum fsconfig_command + #define FSOPEN_CLOEXEC 0x00000001 + + /* open_tree flags. */ +-#define OPEN_TREE_CLONE 1 /* Clone the target tree and attach the clone */ ++#ifndef OPEN_TREE_CLONE ++# define OPEN_TREE_CLONE 1 /* Clone the target tree and attach the clone */ ++#endif + #ifndef O_CLOEXEC + # include + # define O_CLOEXEC __O_CLOEXEC + #endif +-#undef OPEN_TREE_CLOEXEC +-#define OPEN_TREE_CLOEXEC O_CLOEXEC /* Close the file on execve() */ +- ++#ifndef OPEN_TREE_CLOEXEC ++# define OPEN_TREE_CLOEXEC O_CLOEXEC /* Close the file on execve() */ ++#endif + + __BEGIN_DECLS + + +commit 3e87cf9be93acf19d685e8003fc649cdb052a891 +Author: H.J. Lu +Date: Mon Apr 13 10:46:42 2026 +0800 + + abilist.awk: Handle weak unversioned defined symbols + + After + + commit f685e3953f9a38a41bbd0a597f9882870cee13d5 + Author: H.J. Lu + Date: Wed Oct 29 09:49:57 2025 +0800 + + elf: Don't set its DT_VERSYM entry for unversioned symbol + + ld no longer assigns version index 1 to unversioned defined symbol. + For libmachuser.so, "objdump --dynamic-syms" reports: + + 0000dd30 w DF .text 000000f8 processor_start + + instead of + + 0000dd30 w DF .text 000000f8 (Base) processor_start + + Also allow NF == 6 for weak unversioned dynamic symbols. This fixes BZ + 33650. + + Signed-off-by: H.J. Lu + Reviewed-by: Sam James + (cherry picked from commit ee5d1db2a81468413fbf7c82779ffa782f429d1a) + +diff --git a/scripts/abilist.awk b/scripts/abilist.awk +index 6cc7af6ac8..7ea1edf8c0 100644 +--- a/scripts/abilist.awk ++++ b/scripts/abilist.awk +@@ -38,7 +38,7 @@ $4 == "*UND*" { next } + $2 == "l" { next } + + # If the target uses ST_OTHER, it will be output before the symbol name. +-$2 == "g" || $2 == "w" && (NF == 7 || NF == 8) { ++$2 == "g" || $2 == "w" && (NF == 6 || NF == 7 || NF == 8) { + type = $3; + size = $5; + sub(/^0*/, "", size); + +commit b4bca35ab9e76890504c4dbdd5eaf15a93514580 +Author: Rocket Ma +Date: Fri May 1 20:39:07 2026 -0700 + + libio: Fix ungetwc operating on byte stream [BZ #33998] + + * libio/wgenops.c: When _IO_wdefault_pbackfail attempts to push back one + character, it accidently compare the wchar to push back with the last + char from byte stream, instead of wide stream. Under specific coding, + attacker may exploit this to leak information. This commit fix bug + 33998, or CVE-2026-5928. + + Signed-off-by: Rocket Ma + Reviewed-by: Carlos O'Donell + (cherry picked from commit ef3bfb5f910011f3780cb06aa47e730035f53285) + +diff --git a/libio/Makefile b/libio/Makefile +index f020f8ec4d..fa2b8ae791 100644 +--- a/libio/Makefile ++++ b/libio/Makefile +@@ -83,6 +83,7 @@ tests = \ + bug-ungetwc1 \ + bug-ungetwc2 \ + bug-wfflush \ ++ bug-wgenops-bz33998 \ + bug-wmemstream1 \ + bug-wsetpos \ + test-fmemopen \ +diff --git a/libio/bug-wgenops-bz33998.c b/libio/bug-wgenops-bz33998.c +new file mode 100644 +index 0000000000..cc4067da99 +--- /dev/null ++++ b/libio/bug-wgenops-bz33998.c +@@ -0,0 +1,54 @@ ++/* Regression test for ungetwc operating on byte stream (BZ #33998) ++ Copyright (C) 2026 The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include "support/temp_file.h" ++#include "support/xstdio.h" ++#include "support/xunistd.h" ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static int ++do_test (void) ++{ ++ char *filename; ++ int fd = create_temp_file ("tst-bz33998-", &filename); ++ TEST_VERIFY (fd != -1); ++ xwrite (fd, "A", sizeof ("A")); // write "A\0" by design ++ xclose (fd); ++ ++ FILE *fp = xfopen (filename, "r+"); ++ TEST_COMPARE (getwc (fp), L'A'); ++ /* If the bug is fixed, then ungetwc should not touch byte stream. ++ If the bug is not fixed, ungetwc firstly match last read char, L'A', ++ failed, then the pbackfail branch, matching last read char in byte ++ stream, that is, '\0' (initialized when setup wide stream). */ ++ char *old_read_ptr = fp->_IO_read_ptr; ++ TEST_COMPARE (ungetwc (L'\0', fp), L'\0'); ++ TEST_VERIFY (fp->_IO_read_ptr == old_read_ptr); ++ ++ xfclose (fp); ++ free (filename); ++ ++ return 0; ++} ++ ++#include +diff --git a/libio/wgenops.c b/libio/wgenops.c +index 0a11d1b1de..9e0b2c00ea 100644 +--- a/libio/wgenops.c ++++ b/libio/wgenops.c +@@ -108,8 +108,8 @@ _IO_wdefault_pbackfail (FILE *fp, wint_t c) + { + if (fp->_wide_data->_IO_read_ptr > fp->_wide_data->_IO_read_base + && !_IO_in_backup (fp) +- && (wint_t) fp->_IO_read_ptr[-1] == c) +- --fp->_IO_read_ptr; ++ && (wint_t) fp->_wide_data->_IO_read_ptr[-1] == c) ++ --fp->_wide_data->_IO_read_ptr; + else + { + /* Need to handle a filebuf in write mode (switch to read mode). FIXME!*/ + +commit 4ebd33dd77eabe8d4c45232bed4b42a31d2f9edc +Author: Rocket Ma +Date: Fri Apr 17 23:48:41 2026 -0700 + + stdio-common: Fix buffer overflow in scanf %mc [BZ #34008] + + * stdio-common/vfscanf-internal.c: When enlarging allocated buffer with + format %mc or %mC, glibc allocates one byte less, leading to + user-controlled one byte overflow. This commit fixes BZ #34008, or + CVE-2026-5450. + + Reviewed-by: Carlos O'Donell + Signed-off-by: Rocket Ma + Reviewed-by: H.J. Lu + (cherry picked from commit 839898777226a3ed88c0859f25ffe712519b4ead) + +diff --git a/stdio-common/Makefile b/stdio-common/Makefile +index 64b3575acb..e52c333808 100644 +--- a/stdio-common/Makefile ++++ b/stdio-common/Makefile +@@ -347,6 +347,7 @@ tests := \ + tst-vfprintf-user-type \ + tst-vfprintf-width-i18n \ + tst-vfprintf-width-prec-alloc \ ++ tst-vfscanf-bz34008 \ + tst-wc-printf \ + tstdiomisc \ + tstgetln \ +@@ -562,6 +563,9 @@ tst-printf-bz18872-ENV = MALLOC_TRACE=$(objpfx)tst-printf-bz18872.mtrace \ + tst-vfprintf-width-prec-ENV = \ + MALLOC_TRACE=$(objpfx)tst-vfprintf-width-prec.mtrace \ + LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so ++tst-vfscanf-bz34008-ENV = \ ++ MALLOC_CHECK_=3 \ ++ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so + tst-printf-bz25691-ENV = \ + MALLOC_TRACE=$(objpfx)tst-printf-bz25691.mtrace \ + LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so +diff --git a/stdio-common/tst-vfscanf-bz34008.c b/stdio-common/tst-vfscanf-bz34008.c +new file mode 100644 +index 0000000000..48371c8a3d +--- /dev/null ++++ b/stdio-common/tst-vfscanf-bz34008.c +@@ -0,0 +1,48 @@ ++/* Regression test for vfscanf %Nmc out-of-bound write (BZ #34008) ++ Copyright (C) 2026 The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include "malloc/mcheck.h" ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#define WIDTH 0x410 ++#define SCANFSTR "%1040mc" ++static int ++do_test (void) ++{ ++ mcheck_pedantic (NULL); ++ char *input = malloc (WIDTH + 1); ++ TEST_VERIFY (input != NULL); ++ memset (input, 'A', WIDTH); ++ input[WIDTH] = '\0'; ++ ++ char *buf = NULL; ++ TEST_VERIFY (sscanf (input, SCANFSTR, &buf) != -1); ++ TEST_VERIFY (buf != NULL); ++ ++ free (buf); ++ free (input); ++ return 0; ++} ++ ++#include +diff --git a/stdio-common/vfscanf-internal.c b/stdio-common/vfscanf-internal.c +index 86ae5019a6..17b5565d0f 100644 +--- a/stdio-common/vfscanf-internal.c ++++ b/stdio-common/vfscanf-internal.c +@@ -853,8 +853,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr, + { + /* Enlarge the buffer. */ + size_t newsize +- = strsize +- + (strsize >= width ? width - 1 : strsize); ++ = strsize + (strsize >= width ? width : strsize); + + str = (char *) realloc (*strptr, newsize); + if (str == NULL) +@@ -925,7 +924,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr, + && wstr == (wchar_t *) *strptr + strsize) + { + size_t newsize +- = strsize + (strsize > width ? width - 1 : strsize); ++ = strsize + (strsize >= width ? width : strsize); + /* Enlarge the buffer. */ + wstr = (wchar_t *) realloc (*strptr, + newsize * sizeof (wchar_t)); +@@ -980,7 +979,7 @@ __vfscanf_internal (FILE *s, const char *format, va_list argptr, + && wstr == (wchar_t *) *strptr + strsize) + { + size_t newsize +- = strsize + (strsize > width ? width - 1 : strsize); ++ = strsize + (strsize >= width ? width : strsize); + /* Enlarge the buffer. */ + wstr = (wchar_t *) realloc (*strptr, + newsize * sizeof (wchar_t)); diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index a013a2db2f0cd..b6c6a6c864453 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -51,7 +51,7 @@ let version = "2.42"; - patchSuffix = "-61"; + patchSuffix = "-67"; sha256 = "sha256-0XdeMuRijmTvkw9DW2e7Y691may2viszW58Z8WUJ8X8="; in @@ -68,8 +68,8 @@ stdenv.mkDerivation ( patches = [ /* No tarballs for stable upstream branch, only https://sourceware.org/git/glibc.git and using git would complicate bootstrapping. - $ git fetch --all -p && git checkout origin/release/2.40/master && git describe - glibc-2.42-61-ga56a2943d2 + $ git fetch --all -p && git checkout origin/release/2.42/master && git describe + glibc-2.42-67-g4ebd33dd77 $ git show --minimal --reverse glibc-2.42.. ':!ADVISORIES' > 2.42-master.patch To compare the archive contents zdiff can be used. From 790c6832f29815016405921bcc43e5b12e3ebd2d Mon Sep 17 00:00:00 2001 From: Guilhem Saurel Date: Wed, 29 Apr 2026 14:51:08 +0200 Subject: [PATCH 052/133] doctest: 2.5.0 -> 2.5.2 Diff: https://github.com/doctest/doctest/compare/v2.5.0...v2.5.2 Changelog: https://github.com/doctest/doctest/releases/tag/v2.5.2 (cherry picked from commit 7bd3d8daf2081be2a6a0aa44b54f0df58f95c7d4) (cherry picked from commit be6ec59922761c1318c13a9721e1dcd8ef9655ec) --- pkgs/by-name/do/doctest/package.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/do/doctest/package.nix b/pkgs/by-name/do/doctest/package.nix index f6ffd1b9e5590..cbea1dcba7494 100644 --- a/pkgs/by-name/do/doctest/package.nix +++ b/pkgs/by-name/do/doctest/package.nix @@ -7,13 +7,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "doctest"; - version = "2.5.0"; + version = "2.5.2"; src = fetchFromGitHub { owner = "doctest"; repo = "doctest"; tag = "v${finalAttrs.version}"; - hash = "sha256-7t/eknv7VtHoBgcuJmI07x//HIyqzE9HUuH5u2y7X8A="; + hash = "sha256-4jW6xPFCFxk1l47EkSUVojhycrtluPhOc5Adf/25R7M="; }; nativeBuildInputs = [ cmake ]; @@ -27,6 +27,7 @@ stdenv.mkDerivation (finalAttrs: { doCheck = true; meta = { + changelog = "https://github.com/doctest/doctest/releases/tag/${finalAttrs.src.tag}"; homepage = "https://github.com/doctest/doctest"; description = "Fastest feature-rich C++11/14/17/20 single-header testing framework"; platforms = lib.platforms.all; From 8806b112de554ae6b991712b53f08396010c78a8 Mon Sep 17 00:00:00 2001 From: znaniye Date: Thu, 16 Oct 2025 14:28:11 -0300 Subject: [PATCH 053/133] python3Packages.paramiko: invoke is a required dependency (cherry picked from commit 9088b3d1674994911e0d24c851fb46cca48871a0) (cherry picked from commit f5ae9c36bfc691af8af70232640a43b0a703e067) --- pkgs/development/python-modules/paramiko/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/development/python-modules/paramiko/default.nix b/pkgs/development/python-modules/paramiko/default.nix index 156fae9d96d04..6350ba2e5a8a5 100644 --- a/pkgs/development/python-modules/paramiko/default.nix +++ b/pkgs/development/python-modules/paramiko/default.nix @@ -30,6 +30,7 @@ buildPythonPackage rec { dependencies = [ bcrypt cryptography + invoke pynacl ]; @@ -39,7 +40,6 @@ buildPythonPackage rec { gssapi ]; ed25519 = [ ]; - invoke = [ invoke ]; }; nativeCheckInputs = [ From 5eaef1532890d5a1ba2f4707c15fbc95ce6c3964 Mon Sep 17 00:00:00 2001 From: znaniye Date: Thu, 16 Oct 2025 15:43:36 -0300 Subject: [PATCH 054/133] duplicity: remove invoke from dependencies invoke is not a required dependency of duplicity. It does not appear in upstream's requirements.txt nor pyproject.toml: - https://gitlab.com/duplicity/duplicity/-/blob/dev/requirements.txt - https://gitlab.com/duplicity/duplicity/-/blob/dev/pyproject.toml (cherry picked from commit b6254c48df9b757515242f80d7f78a598333b941) (cherry picked from commit 747ba2d3768790a11db05c5fd33706e238f6f4e1) --- pkgs/by-name/du/duplicity/package.nix | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/pkgs/by-name/du/duplicity/package.nix b/pkgs/by-name/du/duplicity/package.nix index 7cdb8eff47f21..8e7b8698a1a4c 100644 --- a/pkgs/by-name/du/duplicity/package.nix +++ b/pkgs/by-name/du/duplicity/package.nix @@ -75,20 +75,17 @@ let glib ]; - pythonPath = - with python3.pkgs; - [ - b2sdk - boto3 - idna - pygobject3 - fasteners - paramiko - pexpect - # Currently marked as broken. - # pydrive2 - ] - ++ paramiko.optional-dependencies.invoke; + pythonPath = with python3.pkgs; [ + b2sdk + boto3 + idna + pygobject3 + fasteners + paramiko + pexpect + # Currently marked as broken. + # pydrive2 + ]; nativeCheckInputs = [ gnupg # Add 'gpg' to PATH. From ba90fa78f87b021f29e9625497230f019b9cbf83 Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Sat, 11 Apr 2026 21:47:48 +0100 Subject: [PATCH 055/133] simdjson: 4.6.0 -> 4.6.4 Changes: - https://github.com/simdjson/simdjson/releases/tag/v4.6.1 - https://github.com/simdjson/simdjson/releases/tag/v4.6.2 - https://github.com/simdjson/simdjson/releases/tag/v4.6.3 - https://github.com/simdjson/simdjson/releases/tag/v4.6.4 (cherry picked from commit 3803be5263c98b9e52d0e6f791272137f5e1e193) (cherry picked from commit c0e4b6b891525ce5bb2ace1fb2f277277e8edaba) --- pkgs/by-name/si/simdjson/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/si/simdjson/package.nix b/pkgs/by-name/si/simdjson/package.nix index 575f604ca34c4..3cb507297c472 100644 --- a/pkgs/by-name/si/simdjson/package.nix +++ b/pkgs/by-name/si/simdjson/package.nix @@ -7,13 +7,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "simdjson"; - version = "4.6.0"; + version = "4.6.4"; src = fetchFromGitHub { owner = "simdjson"; repo = "simdjson"; tag = "v${finalAttrs.version}"; - hash = "sha256-VGErBWAHk63XMv8yC+Na+gXHByhYhtIEMSBySwIDlXk="; + hash = "sha256-8oQzsR7DSaNTN9su1uI9tRQ9HvOwXShPwSrnQj8+lGM="; }; nativeBuildInputs = [ cmake ]; From 8b34d586be2b1dc985cd7c62b9b0b870280479bd Mon Sep 17 00:00:00 2001 From: Eman Resu <78693624+quatquatt@users.noreply.github.com> Date: Sun, 17 May 2026 21:16:45 -0400 Subject: [PATCH 056/133] libass: remove libiconv dependency on darwin This is already in stdenv. (cherry picked from commit f6172a101fe458c28e6d70de9e530b2699693d0d) (cherry picked from commit dd411ee50591dd1784732c29082a384bac99a166) --- pkgs/by-name/li/libass/package.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pkgs/by-name/li/libass/package.nix b/pkgs/by-name/li/libass/package.nix index 61b8611327f0d..045b0d926bdb8 100644 --- a/pkgs/by-name/li/libass/package.nix +++ b/pkgs/by-name/li/libass/package.nix @@ -44,9 +44,7 @@ stdenv.mkDerivation (finalAttrs: { fribidi harfbuzz ] - ++ lib.optional fontconfigSupport fontconfig - # TODO: remove dep after branchoff (in darwin stdenv) - ++ lib.optional stdenv.hostPlatform.isDarwin libiconv.out; + ++ lib.optional fontconfigSupport fontconfig; meta = { description = "Portable ASS/SSA subtitle renderer"; From 9756eaf1f856e108847e8cf0b1f484635dbc5b07 Mon Sep 17 00:00:00 2001 From: Hythera <87016780+Hythera@users.noreply.github.com> Date: Fri, 1 May 2026 13:58:01 +0200 Subject: [PATCH 057/133] assimp: 6.0.4 -> 6.0.5 changelog: https://github.com/assimp/assimp/blob/master/CHANGES.md diff: https://github.com/assimp/assimp/compare/v6.0.4...v6.0.5 (cherry picked from commit b0af552236ff2e10d2fd7c3de4819079062c8055) (cherry picked from commit cfdafe68e00b10563e924aaf36d03363cb7ff6e3) --- pkgs/by-name/as/assimp/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/as/assimp/package.nix b/pkgs/by-name/as/assimp/package.nix index 717fd1a0746f7..24769c4a231cd 100644 --- a/pkgs/by-name/as/assimp/package.nix +++ b/pkgs/by-name/as/assimp/package.nix @@ -9,7 +9,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "assimp"; - version = "6.0.4"; + version = "6.0.5"; outputs = [ "out" "lib" @@ -20,7 +20,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "assimp"; repo = "assimp"; tag = "v${finalAttrs.version}"; - hash = "sha256-ryTgsN0z9BZBz7i9aUMKuneN5oqfxpduwJlb+Q0q3Mk="; + hash = "sha256-QWBi1pl5C76UtPhB6SmFipm9oEdnfhELMT3MqfV6oxg="; }; postPatch = '' From bd2d251cdce34631a6ffeafd4d439a0ac8e84cfe Mon Sep 17 00:00:00 2001 From: Thomas Gerbet Date: Tue, 12 May 2026 13:58:14 +0200 Subject: [PATCH 058/133] libcaca: apply patch for CVE-2026-42046 Fixes https://github.com/NixOS/nixpkgs/issues/519387 (cherry picked from commit 00cd8e646c7da669125ae26acf4b47079826e1f0) (cherry picked from commit 8513d19d4f92c99ec7403755360bbb225d681aa7) --- pkgs/by-name/li/libcaca/package.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkgs/by-name/li/libcaca/package.nix b/pkgs/by-name/li/libcaca/package.nix index 689257d7ff8ed..d233cdabfe871 100644 --- a/pkgs/by-name/li/libcaca/package.nix +++ b/pkgs/by-name/li/libcaca/package.nix @@ -2,6 +2,7 @@ lib, stdenv, fetchFromGitHub, + fetchpatch, autoreconfHook, imlib2, libxext, @@ -23,6 +24,14 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-N0Lfi0d4kjxirEbIjdeearYWvStkKMyV6lgeyNKXcVw="; }; + patches = [ + (fetchpatch { + name = "CVE-2026-42046.patch"; + url = "https://github.com/cacalabs/libcaca/commit/fb77acff9ba6bb01d53940da34fb10f20b156a23.patch"; + hash = "sha256-AdpiE5Gw/CVET//7TTYZCb0glW5HY+T8xZkYs1XCBvY="; + }) + ]; + nativeBuildInputs = [ autoreconfHook pkg-config From 179557247bbc7f426f56a16c65eb4ce8f510e359 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Sun, 3 May 2026 06:56:18 +0000 Subject: [PATCH 059/133] freetype: 2.14.2 -> 2.14.3 (cherry picked from commit 21622bac70c240e85777be65c5b65bac6c3f3553) (cherry picked from commit 3a60965e1736cb336b6e1b9d0405b13409153fd0) --- pkgs/by-name/fr/freetype/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/fr/freetype/package.nix b/pkgs/by-name/fr/freetype/package.nix index 76ffe6324cf26..1eb213ab71f17 100644 --- a/pkgs/by-name/fr/freetype/package.nix +++ b/pkgs/by-name/fr/freetype/package.nix @@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "freetype"; - version = "2.14.2"; + version = "2.14.3"; src = let @@ -47,7 +47,7 @@ stdenv.mkDerivation (finalAttrs: { in fetchurl { url = "mirror://savannah/freetype/freetype-${version}.tar.xz"; - sha256 = "sha256-S2Lcq0ySChqGA2mTMiGBQ2LmmeJvVXklFtZx5v9VteE="; + sha256 = "sha256-NrxPHMQTM1No7mVsQq/KZcWjmH6HaMwozxG6d154Wl8="; }; propagatedBuildInputs = [ From 752123aaa9a161eba848be49162de3deb6e1e4c8 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Wed, 20 May 2026 02:10:28 +0000 Subject: [PATCH 060/133] libde265: 1.0.18 -> 1.0.19 (cherry picked from commit 8aa7c75b47254ac38ee2470c3ad42a7d6af5bb99) (cherry picked from commit a14161da713e1511cdffa409d62ee71adc34c509) --- pkgs/by-name/li/libde265/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libde265/package.nix b/pkgs/by-name/li/libde265/package.nix index 51e24c6ed5ac2..65121864428c7 100644 --- a/pkgs/by-name/li/libde265/package.nix +++ b/pkgs/by-name/li/libde265/package.nix @@ -15,14 +15,14 @@ }: stdenv.mkDerivation (finalAttrs: { - version = "1.0.18"; + version = "1.0.19"; pname = "libde265"; src = fetchFromGitHub { owner = "strukturag"; repo = "libde265"; tag = "v${finalAttrs.version}"; - hash = "sha256-N6K82ElrzrMSNKfPTDsc5onrxucIJ8niwFgbaEPPd2I="; + hash = "sha256-77OIclR2TwOigo/k5ps9S0TrDNvEjf290PqZyqBcydo="; }; nativeBuildInputs = [ From 96f63700bc8536004e18405ee9326a3e2e46a8cf Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 26 May 2026 13:01:50 +0200 Subject: [PATCH 061/133] python3Packages.starlette: 0.52.1 -> 1.1.0 https://www.starlette.io/release-notes/#110 https://github.com/Kludex/starlette/security/advisories/GHSA-86qp-5c8j-p5mr Fixes: CVE-2026-48710 (cherry picked from commit 83ece5c3a1e6340a1d9b9b40db3d5c50e9e05672) (cherry picked from commit a416d0dc4ff922c0ba1f72c0d5ed53bef01f4ed7) --- pkgs/development/python-modules/starlette/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/starlette/default.nix b/pkgs/development/python-modules/starlette/default.nix index 219ce1e8b7a79..e66a5cf7a80d8 100644 --- a/pkgs/development/python-modules/starlette/default.nix +++ b/pkgs/development/python-modules/starlette/default.nix @@ -27,14 +27,14 @@ buildPythonPackage rec { pname = "starlette"; - version = "0.52.1"; + version = "1.1.0"; pyproject = true; src = fetchFromGitHub { owner = "encode"; repo = "starlette"; tag = version; - hash = "sha256-XPAeRnh9a0A1/5VGZzzGQBhlBsih1VR8QmFdkxG5cQE="; + hash = "sha256-9iQXlpA1VDGw1c7X1zJPmJ3Dub46PwqrVIX1+fWOZ7M="; }; build-system = [ hatchling ]; From f8562c72832be386cec783ba2ab5959668d3af82 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 26 May 2026 13:06:41 +0200 Subject: [PATCH 062/133] python3Packages.fastapi: 0.135.3 -> 0.136.3 https://github.com/fastapi/fastapi/releases/tag/0.136.0 https://github.com/fastapi/fastapi/releases/tag/0.136.1 https://github.com/fastapi/fastapi/releases/tag/0.136.2 https://github.com/fastapi/fastapi/releases/tag/0.136.3 (cherry picked from commit b481729faf5004e2da0fa3b932a6f2696b4cc98c) (cherry picked from commit bab01dc06d12e17407068fc3ebba0ac81947592b) --- pkgs/development/python-modules/fastapi/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/fastapi/default.nix b/pkgs/development/python-modules/fastapi/default.nix index 9d5aea8559e58..3e29f81a9da26 100644 --- a/pkgs/development/python-modules/fastapi/default.nix +++ b/pkgs/development/python-modules/fastapi/default.nix @@ -45,14 +45,14 @@ buildPythonPackage rec { pname = "fastapi"; - version = "0.135.3"; + version = "0.136.3"; pyproject = true; src = fetchFromGitHub { owner = "tiangolo"; repo = "fastapi"; tag = version; - hash = "sha256-sE5d+MgmP9L+MUosRBsR+KSJkcC9i2EOOtKHq0sXjRM="; + hash = "sha256-lfmk8ZveKPukEEfwWq2mKtWmOHAtVzGuE5BsOskDzh0="; }; build-system = [ pdm-backend ]; From a7d2d596aff1c30c3a752c678f1be62f30a59dfa Mon Sep 17 00:00:00 2001 From: Paul Grandperrin Date: Tue, 26 May 2026 21:21:06 +0200 Subject: [PATCH 063/133] systemd: fix tmpfiles errors when mount is noatime fixes #520485 (cherry picked from commit d28f57cdff13598302f9cbebf024a02530893d03) (cherry picked from commit 6c3ff740324716f92fba901032bd2511dd9af7f5) --- pkgs/os-specific/linux/systemd/default.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index f0fb666cd8de3..1ca295d5b1380 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -5,6 +5,7 @@ pkgsCross, testers, fetchFromGitHub, + fetchpatch, buildPackages, makeBinaryWrapper, ninja, @@ -237,6 +238,13 @@ stdenv.mkDerivation (finalAttrs: { ./0003-add-rootprefix-to-lookup-dir-paths.patch ./0004-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch ./0005-core-don-t-taint-on-unmerged-usr.patch + + # TODO: remove the following patch when systemd v261 is released. + # see upstream PR: https://github.com/systemd/systemd/pull/41232 + (fetchpatch { + url = "https://github.com/systemd/systemd/commit/df45055942330fcd2b77389e449905e7f6ca34ec.patch"; + hash = "sha256-PDh4mP9rYGCglp25346nExU2v6P0WYPfLZgu+YwzZ9c="; + }) ] ++ lib.optionals (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isGnu) [ ./0006-timesyncd-disable-NSCD-when-DNSSEC-validation-is-dis.patch From d0551bc010492e023fbe37f2ef6f052f57677153 Mon Sep 17 00:00:00 2001 From: Liam Murphy Date: Sun, 26 Apr 2026 12:09:41 +1000 Subject: [PATCH 064/133] openblas: 0.3.32 -> 0.3.33 This release fixes build failures for linbox on aarch64 (https://hydra.nixos.org/build/327030681, https://hydra.nixos.org/build/327030680); see https://github.com/OpenMathLib/OpenBLAS/issues/5763. (cherry picked from commit 2ba029a78e1fc8804152a62e4202215264554b6c) (cherry picked from commit af26b2500da6c199b3eaebfbafe25d7227b430d8) --- .../libraries/science/math/openblas/default.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/pkgs/development/libraries/science/math/openblas/default.nix b/pkgs/development/libraries/science/math/openblas/default.nix index 9d5d2b4449fdd..4acddd306b5f8 100644 --- a/pkgs/development/libraries/science/math/openblas/default.nix +++ b/pkgs/development/libraries/science/math/openblas/default.nix @@ -170,7 +170,7 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "openblas"; - version = "0.3.32"; + version = "0.3.33"; outputs = [ "out" @@ -181,7 +181,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "OpenMathLib"; repo = "OpenBLAS"; rev = "v${finalAttrs.version}"; - hash = "sha256-D0Wu5Ew72aTqSjj970yOfAwPg1T4Qm6zmpaGlQ/5Q1k="; + hash = "sha256-EArf0K2Gs+w8IRD5wkMOQv79e8yMoTgQfa9kzjXKn3Y="; }; patches = [ @@ -190,13 +190,13 @@ stdenv.mkDerivation (finalAttrs: { # INCLUDEDIR already fixed in upstream HEAD & significant refactor # to config gen so not PRing changes ./cmake-include-fixes.patch - # Fix build on LoongArch (error: '_Float16' is not supported on this target) + # This was an attempted fix for the below commit but still leaves some scipy tests failing. (fetchpatch { - url = "https://github.com/OpenMathLib/OpenBLAS/commit/7086a1b075ca317e12cfe79d40a32ad342a30496.patch"; - hash = "sha256-pA3HK2f2MJr/+h/uale7edIYk/KH194EscYFcsujPXY="; + url = "https://github.com/OpenMathLib/OpenBLAS/commit/e3ce4623c299068bbd47c35ee87aab334bac73b1.patch"; + revert = true; + hash = "sha256-WrP3RCDk/EbpqVOw9XGLnFI+6/bBGJTIrt2TRYGLVQ4="; }) # This commit led to miscompilation of certain ASIMD extensions code paths. - # There was an attempted fix in upstream but this still leaves some scipy tests failing. (fetchpatch { url = "https://github.com/OpenMathLib/OpenBLAS/commit/3f6e928d34aca977bd5d4191e6d2c2338a342.patch"; revert = true; From a7e09a45bbee1dde3f2604abaab38001edc1bb0b Mon Sep 17 00:00:00 2001 From: whispers Date: Tue, 26 May 2026 19:54:52 -0400 Subject: [PATCH 065/133] cargo: add patches for CVE-2026-5222 and CVE-2026-5223 Upstream pull request: https://github.com/rust-lang/cargo/pull/17031 Fixes: CVE-2026-5222, https://blog.rust-lang.org/2026/05/25/cve-2026-5222/ Fixes: CVE-2026-5223, https://blog.rust-lang.org/2026/05/25/cve-2026-5223/ Not-cherry-picked-because: master will get these fixes via the rust 1.96 upgrade on 2026-05-28 (cherry picked from commit 5f1133b2f1e36b654119f042b8eaf9f16aff706c) --- pkgs/development/compilers/rust/cargo.nix | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/pkgs/development/compilers/rust/cargo.nix b/pkgs/development/compilers/rust/cargo.nix index a86e4a3d186d7..7c3d4eb2a5e0a 100644 --- a/pkgs/development/compilers/rust/cargo.nix +++ b/pkgs/development/compilers/rust/cargo.nix @@ -3,6 +3,7 @@ stdenv, pkgsHostHost, pkgsBuildBuild, + fetchpatch, file, curl, pkg-config, @@ -26,6 +27,23 @@ rustPlatform.buildRustPackage.override pname = "cargo"; inherit (rustc.unwrapped) version src; + patches = [ + (fetchpatch { + name = "CVE-2026-5222.patch"; + url = "https://github.com/rust-lang/cargo/commit/c4d63a44234de22dc745231c416b80ed848d997f.patch"; + stripLen = 1; + extraPrefix = "src/tools/cargo/"; + hash = "sha256-YG7xtC308z+o1xVzrV81qqWov1121GVouyAXKflyBF8="; + }) + (fetchpatch { + name = "CVE-2026-5223.patch"; + url = "https://github.com/rust-lang/cargo/commit/285cebf58911eca5b7f177f5d0b1c53e1f646577.patch"; + stripLen = 1; + extraPrefix = "src/tools/cargo/"; + hash = "sha256-DbmPQ31N4AIYZEBiwwGAn59hgPsFEVTzA6PrI071LXE="; + }) + ]; + # the rust source tarball already has all the dependencies vendored, no need to fetch them again cargoVendorDir = "vendor"; buildAndTestSubdir = "src/tools/cargo"; From 8b70ffa9d004dc1bfc8fda5719a380fc7d21243d Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Fri, 22 May 2026 01:30:05 +0000 Subject: [PATCH 066/133] libaec: 1.1.6 -> 1.1.7 (cherry picked from commit 6a792a71bfd22611ad167767298bee9244d5c339) (cherry picked from commit 8d7f1c326fedc792e8e3cb12345f1cba1625537f) --- pkgs/by-name/li/libaec/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libaec/package.nix b/pkgs/by-name/li/libaec/package.nix index c9824823b6691..3b7b1768c93bf 100644 --- a/pkgs/by-name/li/libaec/package.nix +++ b/pkgs/by-name/li/libaec/package.nix @@ -7,13 +7,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "libaec"; - version = "1.1.6"; + version = "1.1.7"; src = fetchFromGitHub { owner = "Deutsches-Klimarechenzentrum"; repo = "libaec"; tag = "v${finalAttrs.version}"; - hash = "sha256-cxDP+JNwokxgzH9hO2zw+rIcz8XG7E8ujbAbWpgUEW8="; + hash = "sha256-aBm+CXCq7sdJb6Qq9sNuTzNj0nRwTJI20HsqUg1Qi/8="; }; nativeBuildInputs = [ From f4dff6b5f92f72ed287a272ddbd3b10a81c0ca6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Mon, 25 May 2026 15:59:29 -0700 Subject: [PATCH 067/133] e2fsprogs: 1.47.3 -> 1.47.4 Changelog: https://e2fsprogs.sourceforge.net/e2fsprogs-release.html#1.47.4 (cherry picked from commit ec681ffc8f0d1277b5f5a19ad844c5a7d3fda2b1) (cherry picked from commit 4940e8201b0b1a632f629256a28637d89764f39f) --- pkgs/by-name/e2/e2fsprogs/package.nix | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/pkgs/by-name/e2/e2fsprogs/package.nix b/pkgs/by-name/e2/e2fsprogs/package.nix index ceb394b1c433e..970ea64682c51 100644 --- a/pkgs/by-name/e2/e2fsprogs/package.nix +++ b/pkgs/by-name/e2/e2fsprogs/package.nix @@ -3,7 +3,6 @@ stdenv, buildPackages, fetchurl, - fetchpatch, pkg-config, libuuid, gettext, @@ -20,25 +19,15 @@ stdenv.mkDerivation rec { pname = "e2fsprogs"; - version = "1.47.3"; + version = "1.47.4"; __structuredAttrs = true; src = fetchurl { url = "mirror://kernel/linux/kernel/people/tytso/e2fsprogs/v${version}/e2fsprogs-${version}.tar.xz"; - hash = "sha256-hX5u+AD+qiu0V4+8gQIUvl08iLBy6lPFOEczqWVzcyk="; + hash = "sha256-/VvziMvb4Aaj07MY2YOylIOCRArMhah/Hn0QhlPo2ws="; }; - patches = [ - # Upstream patch that fixes musl build (and probably others). - # Should be included in next release after 1.47.3. - (fetchpatch { - name = "stdio-portability.patch"; - url = "https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/patch/?id=f79abd8554e600eacc2a7c864a8332b670c9e262"; - hash = "sha256-zZ7zmSMTwGyS3X3b/D/mVG0bV2ul5xtY5DJx9YUvQO8="; - }) - ]; - # fuse2fs adds 14mb of dependencies outputs = [ "bin" From 880289462edf18d93c7b52d97ed9eac2708c7fb5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Sun, 24 May 2026 19:24:27 -0700 Subject: [PATCH 068/133] libadwaita: 1.9.0 -> 1.9.1 Diff: https://gitlab.gnome.org/GNOME/libadwaita/-/compare/1.9.0...1.9.1 Changelog: https://gitlab.gnome.org/GNOME/libadwaita/-/blob/1.9.1/NEWS (cherry picked from commit d2a5f7f0cafe93df429883d62a6365ec7f4db78c) (cherry picked from commit 27504c8f0df600820cc88797834ab8c8a1011309) --- pkgs/by-name/li/libadwaita/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libadwaita/package.nix b/pkgs/by-name/li/libadwaita/package.nix index 0d1ed0da7e85e..8f289c6e4977e 100644 --- a/pkgs/by-name/li/libadwaita/package.nix +++ b/pkgs/by-name/li/libadwaita/package.nix @@ -23,7 +23,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "libadwaita"; - version = "1.9.0"; + version = "1.9.1"; outputs = [ "out" @@ -37,7 +37,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "GNOME"; repo = "libadwaita"; tag = finalAttrs.version; - hash = "sha256-JAKP8CjLCKGZvHoB26ih/J3xAru4wiVf/ObG0L8r4pY="; + hash = "sha256-Oy3WcsymNbbmAacm5hEOrorI1wKXjSp063mh4jCJRAE="; }; depsBuildBuild = [ From 664ed12255eb5f8bca3f5b01e6fc4abf105b00ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Tue, 26 May 2026 09:46:24 -0700 Subject: [PATCH 069/133] imagemagick: 7.1.2-23 -> 7.1.2-24 Diff: https://github.com/ImageMagick/ImageMagick/compare/7.1.2-23...7.1.2-24 Changelog: https://github.com/ImageMagick/Website/blob/main/ChangeLog.md (cherry picked from commit 4a101f0ce85487c821f8cd07e0a9715e4a1389d6) (cherry picked from commit 99cd697f9ff2c21f137236bf26955f510bd93b10) --- pkgs/by-name/im/imagemagick/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/im/imagemagick/package.nix b/pkgs/by-name/im/imagemagick/package.nix index 40d518373564b..ffce265c53e04 100644 --- a/pkgs/by-name/im/imagemagick/package.nix +++ b/pkgs/by-name/im/imagemagick/package.nix @@ -89,13 +89,13 @@ in stdenv.mkDerivation (finalAttrs: { pname = "imagemagick"; - version = "7.1.2-23"; + version = "7.1.2-24"; src = fetchFromGitHub { owner = "ImageMagick"; repo = "ImageMagick"; tag = finalAttrs.version; - hash = "sha256-zYk75q+EyWq5g/AHFU6v8a7gye0aDAEe/ZZvjqR9ZTc="; + hash = "sha256-oSH0dsQ3cuFNYJIIr6LHbv82FbFxxcmkjQ5csTNsYCA="; }; outputs = [ From fbaac14681bf6af3fc619693fbddd485be293295 Mon Sep 17 00:00:00 2001 From: Doron Behar Date: Tue, 26 May 2026 20:58:30 +0300 Subject: [PATCH 070/133] curl: set structuredAttrs (cherry picked from commit 160ca6558e44577004c7660a41e6cf50557d7661) (cherry picked from commit 9ea380a822df127898e92ebe6c5af1b8c8cff4e0) --- pkgs/by-name/cu/curlMinimal/package.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/by-name/cu/curlMinimal/package.nix b/pkgs/by-name/cu/curlMinimal/package.nix index 28220181cba0b..6edda92e86094 100644 --- a/pkgs/by-name/cu/curlMinimal/package.nix +++ b/pkgs/by-name/cu/curlMinimal/package.nix @@ -115,6 +115,7 @@ stdenv.mkDerivation (finalAttrs: { enableParallelBuilding = true; strictDeps = true; + __structuredAttrs = true; env = { CXX = "${stdenv.cc.targetPrefix}c++"; From eac01b30609bc7ee045ee13c1ddaf9b860f80523 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Tue, 26 May 2026 14:10:04 -0700 Subject: [PATCH 071/133] fftw: 3.3.10 -> 3.3.11 Changelog: https://github.com/FFTW/fftw3/blob/fftw-3.3.11/NEWS (cherry picked from commit 07e44fb25f474a24adf65c976ff72677ad637a4a) (cherry picked from commit 546ea47450680b3f5aa4947632d7937d6997d873) --- pkgs/by-name/ff/fftw/package.nix | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/pkgs/by-name/ff/fftw/package.nix b/pkgs/by-name/ff/fftw/package.nix index 0d9736335f682..a706799bf693e 100644 --- a/pkgs/by-name/ff/fftw/package.nix +++ b/pkgs/by-name/ff/fftw/package.nix @@ -1,6 +1,5 @@ { fetchurl, - fetchpatch, stdenv, lib, gfortran, @@ -22,24 +21,16 @@ assert lib.elem precision [ stdenv.mkDerivation (finalAttrs: { pname = "fftw-${precision}"; - version = "3.3.10"; + version = "3.3.11"; src = fetchurl { urls = [ "https://fftw.org/fftw-${finalAttrs.version}.tar.gz" "ftp://ftp.fftw.org/pub/fftw/fftw-${finalAttrs.version}.tar.gz" ]; - hash = "sha256-VskyVJhSzdz6/as4ILAgDHdCZ1vpIXnlnmIVs0DiZGc="; + hash = "sha256-VjDCTN6zOxMWEvfrSxqZNCNHVPnziP+GF0WNC+byOaE="; }; - patches = [ - (fetchpatch { - name = "remove_missing_FFTW3LibraryDepends.patch"; - url = "https://github.com/FFTW/fftw3/pull/338/commits/f69fef7aa546d4477a2a3fd7f13fa8b2f6c54af7.patch"; - hash = "sha256-lzX9kAHDMY4A3Td8necXwYLcN6j8Wcegi3A7OIECKeU="; - }) - ]; - outputs = [ "out" "dev" @@ -107,6 +98,7 @@ stdenv.mkDerivation (finalAttrs: { __structuredAttrs = true; meta = { + changelog = "https://github.com/FFTW/fftw3/blob/fftw-${finalAttrs.version}/NEWS"; description = "Fastest Fourier Transform in the West library"; homepage = "https://www.fftw.org/"; license = lib.licenses.gpl2Plus; From 46b00f0ee0ef0d8373f2b29655dd5724628991b7 Mon Sep 17 00:00:00 2001 From: Lisanna Dettwyler Date: Fri, 6 Mar 2026 11:06:41 -0500 Subject: [PATCH 072/133] rsync: skip chgrp test This test fails when built in a chroot store. Signed-off-by: Lisanna Dettwyler (cherry picked from commit 9d229c780ed441cda7dcf943718cc8aa3aa53492) (cherry picked from commit 87aae16c78154ea23b8021d3c38538b8288de95b) --- pkgs/by-name/rs/rsync/package.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pkgs/by-name/rs/rsync/package.nix b/pkgs/by-name/rs/rsync/package.nix index 90380b4869166..ce2e35c176841 100644 --- a/pkgs/by-name/rs/rsync/package.nix +++ b/pkgs/by-name/rs/rsync/package.nix @@ -86,6 +86,11 @@ stdenv.mkDerivation (finalAttrs: { passthru.tests = { inherit (nixosTests) rsyncd; }; + # Test fails when built in a chroot store + preCheck = '' + rm testsuite/chgrp.test + ''; + doCheck = true; __darwinAllowLocalNetworking = true; From 88fbe351f206444955adad33486d7e453223f516 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Sun, 3 May 2026 11:17:29 -0700 Subject: [PATCH 073/133] python3Packages.mistune: 3.2.0 -> 3.2.1 Diff: https://github.com/lepture/mistune/compare/v3.2.0...v3.2.1 Changelog: https://github.com/lepture/mistune/blob/v3.2.1/docs/changes.rst (cherry picked from commit efdf5458bd1bbff0bb38dba4b05ac1766ecd9590) (cherry picked from commit 70c873b54906f9d82f329a6f6e5679ca180e0933) --- pkgs/development/python-modules/mistune/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/mistune/default.nix b/pkgs/development/python-modules/mistune/default.nix index a130857e1a71e..8cdfa4023ded4 100644 --- a/pkgs/development/python-modules/mistune/default.nix +++ b/pkgs/development/python-modules/mistune/default.nix @@ -8,14 +8,14 @@ buildPythonPackage rec { pname = "mistune"; - version = "3.2.0"; + version = "3.2.1"; pyproject = true; src = fetchFromGitHub { owner = "lepture"; repo = "mistune"; tag = "v${version}"; - hash = "sha256-rUEZNVuMT5+GsMakrkK6rshKSKtTTN72kK92AmQ8bl8="; + hash = "sha256-8AEEh/SWAk/Esq0jAoZGLw1FIQUw6C5Xq8CgnI2fjv0="; }; build-system = [ setuptools ]; From 1ed273b4fe75c4bbc50228fee8132abfa607d128 Mon Sep 17 00:00:00 2001 From: dish Date: Wed, 20 May 2026 09:46:01 -0400 Subject: [PATCH 074/133] rsync: 3.4.1 -> 3.4.3 https://download.samba.org/pub/rsync/NEWS.html#3.4.2 https://download.samba.org/pub/rsync/NEWS.html#3.4.3 (cherry picked from commit 6f04e4e7027cb6ecb7d696cacc31ef785a142021) (cherry picked from commit b63badda2293d801ec9e59867c4db91458b90a61) --- .../rsync/fix-tests-in-darwin-sandbox.patch | 56 ------------------- pkgs/by-name/rs/rsync/package.nix | 23 ++++---- 2 files changed, 10 insertions(+), 69 deletions(-) delete mode 100644 pkgs/by-name/rs/rsync/fix-tests-in-darwin-sandbox.patch diff --git a/pkgs/by-name/rs/rsync/fix-tests-in-darwin-sandbox.patch b/pkgs/by-name/rs/rsync/fix-tests-in-darwin-sandbox.patch deleted file mode 100644 index d9209a97c1ed3..0000000000000 --- a/pkgs/by-name/rs/rsync/fix-tests-in-darwin-sandbox.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 9b104ed9859f17b6ed4c4ad01806c75a0c197dd7 Mon Sep 17 00:00:00 2001 -From: Emily -Date: Tue, 5 Aug 2025 15:55:24 +0100 -Subject: [PATCH] Allow `ls(1)` to fail in test setup - -This can happen when the tests are unable to `stat(2)` some files in -`/etc`, `/bin`, or `/`, due to Unix permissions or other sandboxing. We -still guard against serious errors, which use exit code 2. ---- - testsuite/longdir.test | 4 ++-- - testsuite/rsync.fns | 8 ++++---- - 2 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/testsuite/longdir.test b/testsuite/longdir.test -index 8d66bb5f..26747292 100644 ---- a/testsuite/longdir.test -+++ b/testsuite/longdir.test -@@ -16,9 +16,9 @@ makepath "$longdir" || test_skipped "unable to create long directory" - touch "$longdir/1" || test_skipped "unable to create files in long directory" - date > "$longdir/1" - if [ -r /etc ]; then -- ls -la /etc >"$longdir/2" -+ ls -la /etc >"$longdir/2" || [ $? -eq 1 ] - else -- ls -la / >"$longdir/2" -+ ls -la / >"$longdir/2" || [ $? -eq 1 ] - fi - checkit "$RSYNC --delete -avH '$fromdir/' '$todir'" "$fromdir/" "$todir" - -diff --git a/testsuite/rsync.fns b/testsuite/rsync.fns -index 2ab97b69..f7da363f 100644 ---- a/testsuite/rsync.fns -+++ b/testsuite/rsync.fns -@@ -195,15 +195,15 @@ hands_setup() { - echo some data > "$fromdir/dir/subdir/foobar.baz" - mkdir "$fromdir/dir/subdir/subsubdir" - if [ -r /etc ]; then -- ls -ltr /etc > "$fromdir/dir/subdir/subsubdir/etc-ltr-list" -+ ls -ltr /etc > "$fromdir/dir/subdir/subsubdir/etc-ltr-list" || [ $? -eq 1 ] - else -- ls -ltr / > "$fromdir/dir/subdir/subsubdir/etc-ltr-list" -+ ls -ltr / > "$fromdir/dir/subdir/subsubdir/etc-ltr-list" || [ $? -eq 1 ] - fi - mkdir "$fromdir/dir/subdir/subsubdir2" - if [ -r /bin ]; then -- ls -lt /bin > "$fromdir/dir/subdir/subsubdir2/bin-lt-list" -+ ls -lt /bin > "$fromdir/dir/subdir/subsubdir2/bin-lt-list" || [ $? -eq 1 ] - else -- ls -lt / > "$fromdir/dir/subdir/subsubdir2/bin-lt-list" -+ ls -lt / > "$fromdir/dir/subdir/subsubdir2/bin-lt-list" || [ $? -eq 1 ] - fi - - # echo testing head: --- -2.50.1 - diff --git a/pkgs/by-name/rs/rsync/package.nix b/pkgs/by-name/rs/rsync/package.nix index ce2e35c176841..c8137c8cf3c3f 100644 --- a/pkgs/by-name/rs/rsync/package.nix +++ b/pkgs/by-name/rs/rsync/package.nix @@ -1,12 +1,11 @@ { lib, stdenv, - fetchpatch, fetchurl, updateAutotoolsGnuConfigScriptsHook, perl, - + python3, libiconv, zlib, popt, @@ -29,23 +28,17 @@ stdenv.mkDerivation (finalAttrs: { pname = "rsync"; - version = "3.4.1"; + version = "3.4.3"; src = fetchurl { # signed with key 9FEF 112D CE19 A0DC 7E88 2CB8 1BB2 4997 A853 5F6F url = "mirror://samba/rsync/src/rsync-${finalAttrs.version}.tar.gz"; - hash = "sha256-KSS8s6Hti1UfwQH3QLnw/gogKxFQJ2R89phQ1l/YjFI="; + hash = "sha256-xy5jyjAhy8gLqG7DAQJ3P0xWMfvEkrUudzs5WPgqU9M="; }; - patches = [ - # See: - ./fix-tests-in-darwin-sandbox.patch - # fix compilation with gcc15 - (fetchpatch { - url = "https://github.com/RsyncProject/rsync/commit/a4b926dcdce96b0f2cc0dc7744e95747b233500a.patch"; - hash = "sha256-UiEQJ+p2gtIDYNJqnxx4qKgItKIZzCpkHnvsgoxBmSE="; - }) - ]; + preBuild = '' + patchShebangs ./runtests.py + ''; nativeBuildInputs = [ updateAutotoolsGnuConfigScriptsHook @@ -86,6 +79,10 @@ stdenv.mkDerivation (finalAttrs: { passthru.tests = { inherit (nixosTests) rsyncd; }; + nativeCheckInputs = [ + python3 + ]; + # Test fails when built in a chroot store preCheck = '' rm testsuite/chgrp.test From 671e8aefd911c8f67dde43263502817dbec494bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Sun, 24 May 2026 21:34:13 -0700 Subject: [PATCH 075/133] at-spi2-core: 2.60.1 -> 2.60.4 (cherry picked from commit eb99a699438577d486d66e3d860c3ba67facbb1b) (cherry picked from commit 97dc0a920b756d88ce0d3d37ed8376eb8bdd2e25) --- pkgs/by-name/at/at-spi2-core/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/at/at-spi2-core/package.nix b/pkgs/by-name/at/at-spi2-core/package.nix index dd5e8f9e4ce13..c204431843746 100644 --- a/pkgs/by-name/at/at-spi2-core/package.nix +++ b/pkgs/by-name/at/at-spi2-core/package.nix @@ -29,7 +29,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "at-spi2-core"; - version = "2.60.1"; + version = "2.60.4"; outputs = [ "out" @@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: { src = fetchurl { url = "mirror://gnome/sources/at-spi2-core/${lib.versions.majorMinor finalAttrs.version}/at-spi2-core-${finalAttrs.version}.tar.xz"; - hash = "sha256-+ZuH48FnT1+8QXzJwdniYcDymqsFUK1jaYBQMdEvaFI="; + hash = "sha256-Gh9bqYBZF/QfxqpoI9z4h6KR1gekJ+LVr7a136ZQcMc="; }; nativeBuildInputs = [ From 9ad85fe44d8ad4c07040feb066e4147ba433f943 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Tue, 26 May 2026 13:41:00 -0700 Subject: [PATCH 076/133] ffmpeg_8: 8.1 -> 8.1.1 Changelog: https://github.com/FFmpeg/FFmpeg/blob/n8.1.1/Changelog (cherry picked from commit 91518f18f5de0f58d3cd532a8eeb227d78b5159f) (cherry picked from commit e5b3e52db386c03161a45b145328eb84dc5eb2bf) --- pkgs/development/libraries/ffmpeg/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/ffmpeg/default.nix b/pkgs/development/libraries/ffmpeg/default.nix index a155b694f6c33..acfedac85f4da 100644 --- a/pkgs/development/libraries/ffmpeg/default.nix +++ b/pkgs/development/libraries/ffmpeg/default.nix @@ -30,8 +30,8 @@ let hash = "sha256-GDN0+tJY8Nap9UkNUfzqT9cGV1IVCuy5Du/64G+8QdE="; }; v8 = { - version = "8.1"; - hash = "sha256-FdKhhCveEo5UodEoyUh3aBHABv3OT2VXmwBXE1ce3p0="; + version = "8.1.1"; + hash = "sha256-WPGfjTZjsgpR5QiANRWF4g6LF2ejGzFQUrLjhzw9cfQ="; }; in From dcc6f5d9625e96e38e578f2daca963cf1c92886d Mon Sep 17 00:00:00 2001 From: Marcin Serwin Date: Thu, 28 May 2026 17:22:46 +0200 Subject: [PATCH 077/133] nodejs: pin icu to newer version Not-cherry-picked-because: icu will be advanced globally on the unstable branch by https://github.com/NixOS/nixpkgs/pull/520553 Signed-off-by: Marcin Serwin (cherry picked from commit 4b965d7e22e3f82c9e9c77dd51bdd70679f0a904) --- pkgs/development/web/nodejs/nodejs.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/web/nodejs/nodejs.nix b/pkgs/development/web/nodejs/nodejs.nix index 343be8e147919..5fd5eeac69191 100644 --- a/pkgs/development/web/nodejs/nodejs.nix +++ b/pkgs/development/web/nodejs/nodejs.nix @@ -47,7 +47,7 @@ uvwasi, zlib, zstd, - icu, + icu78, bash, ninja, pkgconf, @@ -274,7 +274,7 @@ let # that use bash wrappers, e.g. polaris-web. buildInputs = [ bash - icu + icu78 ] ++ builtins.attrValues sharedLibDeps; From 29e701ec567f38e3318ecd1344b56a9552c676f1 Mon Sep 17 00:00:00 2001 From: Hythera <87016780+Hythera@users.noreply.github.com> Date: Mon, 25 May 2026 16:48:01 +0200 Subject: [PATCH 078/133] valkey: 9.0.4 -> 9.1.0 changelog: https://github.com/valkey-io/valkey/releases/tag/9.1.0 diff: https://github.com/valkey-io/valkey/compare/9.0.4...9.1.0 (cherry picked from commit 51f6d0a44cbf2051f267b101abd331b4fd372915) (cherry picked from commit 09c98d00a43ad8ed5420af2885ecc846fe71c9b1) --- pkgs/by-name/va/valkey/package.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/by-name/va/valkey/package.nix b/pkgs/by-name/va/valkey/package.nix index 81a40f68bf214..82e625efe9330 100644 --- a/pkgs/by-name/va/valkey/package.nix +++ b/pkgs/by-name/va/valkey/package.nix @@ -2,7 +2,6 @@ lib, stdenv, fetchFromGitHub, - fetchpatch, lua, jemalloc, pkg-config, @@ -25,13 +24,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "valkey"; - version = "9.0.4"; + version = "9.1.0"; src = fetchFromGitHub { owner = "valkey-io"; repo = "valkey"; rev = finalAttrs.version; - hash = "sha256-FDm6i6G6h9WapMTj7ke4YtOjZ4rwIJZGONunQi0v7CE="; + hash = "sha256-RMZz83fycpOTPWB1dIXU0/hdh4ZGC+6JhCws8htAQ5E="; }; patches = lib.optional useSystemJemalloc ./use_system_jemalloc.patch; @@ -94,13 +93,14 @@ stdenv.mkDerivation (finalAttrs: { fi # Skip some more flaky tests. - # Skip test requiring custom jemalloc (unit/memefficiency). + # Skip test requiring custom jemalloc (unit/memefficiency, unit/type/string). ./runtest \ --no-latency \ --timeout 2000 \ --clients "$CLIENTS" \ --tags -leaks \ --skipunit unit/memefficiency \ + --skipunit unit/type/string \ --skipunit integration/failover \ --skipunit integration/aof-multi-part From b7a103e1c957affe138090e1c0a8bbbbc9a31f04 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 28 May 2026 21:59:59 +0200 Subject: [PATCH 079/133] rust-cbindgen: 0.29.2 -> 0.29.3 https://github.com/mozilla/cbindgen/blob/v0.29.3/CHANGES (cherry picked from commit a2e41bb76c7f3b1fca68f135e4029254225c5aa9) (cherry picked from commit b8a547de99897e9ca171f207cfe9da97dadd5f87) --- pkgs/by-name/ru/rust-cbindgen/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/ru/rust-cbindgen/package.nix b/pkgs/by-name/ru/rust-cbindgen/package.nix index 14374532ff525..88bb855e800b0 100644 --- a/pkgs/by-name/ru/rust-cbindgen/package.nix +++ b/pkgs/by-name/ru/rust-cbindgen/package.nix @@ -14,16 +14,16 @@ rustPlatform.buildRustPackage (finalAttrs: { pname = "rust-cbindgen"; - version = "0.29.2"; + version = "0.29.3"; src = fetchFromGitHub { owner = "mozilla"; repo = "cbindgen"; rev = "v${finalAttrs.version}"; - hash = "sha256-P2A+XSLrcuYsI48gnZSNNs5qX+EatiuEJSEJbMvMSxg="; + hash = "sha256-d0rY7Sk37s8HEZlQq9Sbjj1P+DgygD0Yjx8cXlFKEIA="; }; - cargoHash = "sha256-DbmlpjiOraLWPh5RgJqCIGIYzE1h82MH2S6gpLH+CIQ="; + cargoHash = "sha256-UeierkQpfCiB5ES9ZW9hO+0AcI9Ip8qSJ/Nd+I1xrmQ="; nativeCheckInputs = [ cmake From 1526af39b965a485e88ff6ad5a4d3ead9a792c55 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Mon, 18 May 2026 09:19:18 +0000 Subject: [PATCH 080/133] publicsuffix-list: 0-unstable-2026-03-26 -> 0-unstable-2026-05-13 (cherry picked from commit 963f597bc3ffcf2c03004e6df66537a0741b5036) (cherry picked from commit 379e54dd196bfd9aa89c5566cbc0878aa6e9cdca) --- pkgs/by-name/pu/publicsuffix-list/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/pu/publicsuffix-list/package.nix b/pkgs/by-name/pu/publicsuffix-list/package.nix index 72c500777df23..ea3f3d9fa1e47 100644 --- a/pkgs/by-name/pu/publicsuffix-list/package.nix +++ b/pkgs/by-name/pu/publicsuffix-list/package.nix @@ -7,13 +7,13 @@ stdenvNoCC.mkDerivation { pname = "publicsuffix-list"; - version = "0-unstable-2026-03-26"; + version = "0-unstable-2026-05-13"; src = fetchFromGitHub { owner = "publicsuffix"; repo = "list"; - rev = "d333b72b39575da1ce6932b01d7c421a4107c620"; - hash = "sha256-LWnvQrIyj+iq96T1u9WEq+HGOZ5sJYN5nCintEr6sBk="; + rev = "e452c7058d6946bd76952b128c12f5ce87a5acb8"; + hash = "sha256-5D4RZAyJOL4hMU32Rmp3SYmjgqEtF36mZJr4YBG0k7E="; }; dontBuild = true; From dc108799c2593f6847ae4ea10b79afff0e3cd6d7 Mon Sep 17 00:00:00 2001 From: kuflierl <41301536+kuflierl@users.noreply.github.com> Date: Fri, 22 May 2026 01:28:43 +0200 Subject: [PATCH 081/133] libheif: 1.21.2 -> 1.22.2 (cherry picked from commit fd4f3737156ff8f2aa524f07771581c3b29ca103) (cherry picked from commit bd4354a482ba98e5912e25686242d4c99736bcc3) --- pkgs/by-name/li/libheif/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libheif/package.nix b/pkgs/by-name/li/libheif/package.nix index 7d4912e775986..a24d7986b8846 100644 --- a/pkgs/by-name/li/libheif/package.nix +++ b/pkgs/by-name/li/libheif/package.nix @@ -24,7 +24,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "libheif"; - version = "1.21.2"; + version = "1.22.2"; outputs = [ "bin" @@ -38,7 +38,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "strukturag"; repo = "libheif"; rev = "v${finalAttrs.version}"; - hash = "sha256-odkJ0wZSGoZ7mX9fkaNREDpMvQuQA9HKaf3so1dYrbc="; + hash = "sha256-z5vTfZATfwDn8Zwqt3piS7PaOQQ3UG+u20sR6j+dsUg="; }; nativeBuildInputs = [ From 96a47e2cd89ca225a4434fbcb6d9cc605b061cd1 Mon Sep 17 00:00:00 2001 From: kuflierl <41301536+kuflierl@users.noreply.github.com> Date: Thu, 28 May 2026 10:48:35 +0200 Subject: [PATCH 082/133] python3Packages.pillow-heif: disable tests that abuse spec and break in libheif 1.22.0, disable version check for libheif (cherry picked from commit 37ff020c2fefcccc4a354c0f8a193da9b700aea0) (cherry picked from commit 37bd922bf9ef88c748c37e1080bf458d861d110c) --- .../python-modules/pillow-heif/default.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/pkgs/development/python-modules/pillow-heif/default.nix b/pkgs/development/python-modules/pillow-heif/default.nix index eea442596817a..cc00832bb662c 100644 --- a/pkgs/development/python-modules/pillow-heif/default.nix +++ b/pkgs/development/python-modules/pillow-heif/default.nix @@ -77,6 +77,17 @@ buildPythonPackage rec { disabledTests = [ # Time sensitive speed test, not reproducible "test_decode_threads" + # Tests failing with libheif 1.22.0. To be removed in the next release + # https://github.com/bigcat88/pillow_heif/issues/424 + # these check what happens when the ispe is not valid + "test_numpy_array_invalid_ispe" + "test_allow_incorrect_headers" + "test_invalid_ispe_ok" + "test_invalid_ispe_allow" + "test_invalid_ispe_stride" + "test_invalid_ispe_stride_pillow" + # disable version check for libheif + "test_libheif_info" ] ++ lib.optionals stdenv.hostPlatform.isDarwin [ # https://github.com/bigcat88/pillow_heif/issues/89 From 3fcd08afd1ebdad5669e49cae1d23a7891976d92 Mon Sep 17 00:00:00 2001 From: Sefa Eyeoglu Date: Thu, 21 May 2026 10:42:50 +0200 Subject: [PATCH 083/133] curl: backport performance patch https://github.com/curl/curl/commit/2a2104f3cff44bb28bb570a093be52bbeeed8f23 See https://curl.se/mail/distros-2026-05/0000.html Signed-off-by: Sefa Eyeoglu (cherry picked from commit 06028a8aa5018ac8e70ae8edaff5c7397143e08c) (cherry picked from commit 99edca13d244d3020cf906c5bf0a1cf5ff7e53a6) --- .../curlMinimal/fix-wakeup-consumption.patch | 32 +++++++++++++++++++ pkgs/by-name/cu/curlMinimal/package.nix | 7 ++++ 2 files changed, 39 insertions(+) create mode 100644 pkgs/by-name/cu/curlMinimal/fix-wakeup-consumption.patch diff --git a/pkgs/by-name/cu/curlMinimal/fix-wakeup-consumption.patch b/pkgs/by-name/cu/curlMinimal/fix-wakeup-consumption.patch new file mode 100644 index 0000000000000..0bc04b60bb87a --- /dev/null +++ b/pkgs/by-name/cu/curlMinimal/fix-wakeup-consumption.patch @@ -0,0 +1,32 @@ +From 2a2104f3cff44bb28bb570a093be52bbeeed8f23 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Mon, 11 May 2026 14:56:04 +0200 +Subject: [PATCH] event: fix wakeup consumption + +The events on a multi wakeup socketpair were only consumed via +curl_multi_poll()/curl_multi_wait() but not in event based processing on +a curl_multi_socket() call. That led to busy loops as reported in + +Fixes #21547 +Reported-by: Earnestly on github +Closes #21549 +--- + lib/multi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/multi.c b/lib/multi.c +index be32740a7097..5e84133f13fd 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -2703,6 +2703,11 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + Curl_uint32_bset_remove(&multi->dirty, data->mid); + + if(data == multi->admin) { ++#ifdef ENABLE_WAKEUP ++ /* Consume any pending wakeup signals before processing. ++ * This is necessary for event based processing. See #21547 */ ++ (void)Curl_wakeup_consume(multi->wakeup_pair, TRUE); ++#endif + #ifdef USE_RESOLV_THREADED + Curl_async_thrdd_multi_process(multi); + #endif diff --git a/pkgs/by-name/cu/curlMinimal/package.nix b/pkgs/by-name/cu/curlMinimal/package.nix index 6edda92e86094..a25ea809c62b0 100644 --- a/pkgs/by-name/cu/curlMinimal/package.nix +++ b/pkgs/by-name/cu/curlMinimal/package.nix @@ -96,6 +96,13 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-Y/4twUi6DOromSLvg49+XJRicsLni3xZ+rS3nTziuJY="; }; + patches = [ + # https://github.com/curl/curl/commit/2a2104f3cff44bb28bb570a093be52bbeeed8f23 + # According to , this fixes + # a performance regression, causing high CPU usage + ./fix-wakeup-consumption.patch + ]; + # this could be accomplished by updateAutotoolsGnuConfigScriptsHook, but that causes infinite recursion # necessary for FreeBSD code path in configure postPatch = '' From 83c65a6c3494a62090d714e4ed112eefcb20dfba Mon Sep 17 00:00:00 2001 From: Michael Daniels Date: Fri, 29 May 2026 21:35:29 -0400 Subject: [PATCH 084/133] gnupatch: disable flaky test Fixes #525260 (cherry picked from commit 64ae7d0e374a774bb78520e6b0f320e804317d70) (cherry picked from commit cebcbaab7a6e5fc72132855f96f3f81ebd567df5) --- pkgs/tools/text/gnupatch/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/text/gnupatch/default.nix b/pkgs/tools/text/gnupatch/default.nix index 99a801c4cc8ef..188ac323543f3 100644 --- a/pkgs/tools/text/gnupatch/default.nix +++ b/pkgs/tools/text/gnupatch/default.nix @@ -15,8 +15,10 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-+Hzuae7CtPy/YKOWsDCtaqNBXxkqpffuhMrV4R9/WuM="; }; - # This test is filesystem-dependent - observed failing on ZFS - postPatch = lib.optionalString stdenv.hostPlatform.isFreeBSD '' + # This test is filesystem-dependent - observed failing on ZFS. + # It is also just plain flaky: it has been observed failing about 10% + # of the time on btrfs and ext4 too. + postPatch = '' sed -E -i -e '/bad-filenames/d' tests/Makefile.am ''; From f75e2f0964134dd4929264e7881e155d30e21c7d Mon Sep 17 00:00:00 2001 From: Marcus Ramberg Date: Sat, 30 May 2026 17:00:51 +0200 Subject: [PATCH 085/133] perlPackages.HTTPDaemon: 6.16 -> 6.17 (cherry picked from commit 6faf86656418e44e9936417490163cb95b3c45e5) (cherry picked from commit dd4bec621ddd03146588e9c9f10af9da36486ad9) --- pkgs/top-level/perl-packages.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix index 5b7a40a4a6dc8..33583a11471c5 100644 --- a/pkgs/top-level/perl-packages.nix +++ b/pkgs/top-level/perl-packages.nix @@ -16662,12 +16662,12 @@ with self; }; }; - HTTPDaemon = buildPerlPackage { + HTTPDaemon = buildPerlModule { pname = "HTTP-Daemon"; - version = "6.16"; + version = "6.17"; src = fetchurl { - url = "mirror://cpan/authors/id/O/OA/OALDERS/HTTP-Daemon-6.16.tar.gz"; - hash = "sha256-s40JJyXm+k4MTcKkfhVwcEkbr6Db4Wx4o1joBqp+Fz0="; + url = "mirror://cpan/authors/id/O/OA/OALDERS/HTTP-Daemon-6.17.tar.gz"; + hash = "sha256-FigVgMQOIxCNAoQ0aYtdfVNje/kEyd+CJIHiU8vskgw="; }; buildInputs = [ ModuleBuildTiny From 1b76c2916059ed3a104de5e99871b779f601854c Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich Date: Sun, 31 May 2026 21:03:00 +0100 Subject: [PATCH 086/133] sdl3: 3.4.8 -> 3.4.10 Changes: https://github.com/libsdl-org/SDL/releases/tag/release-3.4.10 (cherry picked from commit 29533d61c20a8014b1a24f002441ade41cad28b8) (cherry picked from commit 6910e98a97602753d814b6a3f0877baa9bd7561c) --- pkgs/by-name/sd/sdl3/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/sd/sdl3/package.nix b/pkgs/by-name/sd/sdl3/package.nix index 19ee7429320d4..c874d844d6a8f 100644 --- a/pkgs/by-name/sd/sdl3/package.nix +++ b/pkgs/by-name/sd/sdl3/package.nix @@ -70,7 +70,7 @@ assert lib.assertMsg (ibusSupport -> dbusSupport) "SDL3 requires dbus support to stdenv.mkDerivation (finalAttrs: { pname = "sdl3"; - version = "3.4.8"; + version = "3.4.10"; outputs = [ "lib" @@ -83,7 +83,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "libsdl-org"; repo = "SDL"; tag = "release-${finalAttrs.version}"; - hash = "sha256-uBGyGxrUVx642Ku8qhR2sTy2JagcSioIhh/5RsXVAIM="; + hash = "sha256-6Dph2eLiJUmpQzPWe8EuY5LrWhrFwde2f2dwfgCcWNw="; }; postPatch = From 68be3d0bebd4fc1a6e5041450f9f5a24762faf4e Mon Sep 17 00:00:00 2001 From: winston Date: Mon, 1 Jun 2026 02:49:17 +0200 Subject: [PATCH 087/133] sdl3: increase test timeout for testrwlock (cherry picked from commit 07bc3407475405b03836980665277d31bfcb4b75) (cherry picked from commit 5787be340983685f7490e1b46bdca5896ae1746d) --- pkgs/by-name/sd/sdl3/package.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/pkgs/by-name/sd/sdl3/package.nix b/pkgs/by-name/sd/sdl3/package.nix index c874d844d6a8f..f5814d3f91b8e 100644 --- a/pkgs/by-name/sd/sdl3/package.nix +++ b/pkgs/by-name/sd/sdl3/package.nix @@ -87,10 +87,17 @@ stdenv.mkDerivation (finalAttrs: { }; postPatch = - # Tests timeout on Darwin lib.optionalString (finalAttrs.finalPackage.doCheck) '' + # Tests timeout on Darwin substituteInPlace test/CMakeLists.txt \ --replace-fail 'set(noninteractive_timeout 10)' 'set(noninteractive_timeout 30)' + + # intermittent test failure + # https://github.com/libsdl-org/SDL/issues/15346 + substituteInPlace test/CMakeLists.txt \ + --replace-fail \ + 'add_sdl_test_executable(testrwlock SOURCES testrwlock.c NONINTERACTIVE NONINTERACTIVE_TIMEOUT 20)' \ + 'add_sdl_test_executable(testrwlock SOURCES testrwlock.c NONINTERACTIVE NONINTERACTIVE_TIMEOUT 300)' '' + lib.optionalString waylandSupport '' substituteInPlace src/dialog/unix/SDL_zenitymessagebox.c \ From 2a0e0baec1c99cdc087c14f83ac6c31c929d14eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Silva?= Date: Fri, 29 May 2026 10:01:50 +0100 Subject: [PATCH 088/133] rustPlatform.fetchCargoVendor: remove duplicate fetcher (cherry picked from commit ddda3ed831d0d9f26f2fb446f8986b2c2fae4bc2) (cherry picked from commit 570daf3d1c3b06ee4b9d96afc01536596b78d34a) --- .../rust/fetch-cargo-vendor-util-v2.py | 416 ------------------ .../rust/fetch-cargo-vendor-util.py | 5 +- .../build-support/rust/fetch-cargo-vendor.nix | 39 +- 3 files changed, 18 insertions(+), 442 deletions(-) delete mode 100644 pkgs/build-support/rust/fetch-cargo-vendor-util-v2.py diff --git a/pkgs/build-support/rust/fetch-cargo-vendor-util-v2.py b/pkgs/build-support/rust/fetch-cargo-vendor-util-v2.py deleted file mode 100644 index 5dc789c93ad95..0000000000000 --- a/pkgs/build-support/rust/fetch-cargo-vendor-util-v2.py +++ /dev/null @@ -1,416 +0,0 @@ -import functools -import hashlib -import json -import multiprocessing as mp -import re -import shutil -import subprocess -import sys -import tomllib -from os.path import islink, realpath -from pathlib import Path -from typing import Any, TypedDict, cast -from urllib.parse import unquote - -import requests -import tomli_w -from requests.adapters import HTTPAdapter, Retry - -eprint = functools.partial(print, file=sys.stderr) - - -def load_toml(path: Path) -> dict[str, Any]: - with open(path, "rb") as f: - return tomllib.load(f) - - -def get_lockfile_version(cargo_lock_toml: dict[str, Any]) -> int: - # lockfile v1 and v2 don't have the `version` key, so assume v2 - version = cargo_lock_toml.get("version", 2) - - # TODO: add logic for differentiating between v1 and v2 - - return version - - -def create_http_session() -> requests.Session: - retries = Retry( - total=5, - backoff_factor=0.5, - status_forcelist=[500, 502, 503, 504] - ) - session = requests.Session() - session.headers["User-Agent"] = "nixpkgs-fetchCargoVendor/2 (https://github.com/NixOS/nixpkgs)" - session.mount('http://', HTTPAdapter(max_retries=retries)) - session.mount('https://', HTTPAdapter(max_retries=retries)) - return session - - -def download_file_with_checksum(session: requests.Session, url: str, destination_path: Path) -> str: - sha256_hash = hashlib.sha256() - with session.get(url, stream=True) as response: - if not response.ok: - raise Exception(f"Failed to fetch file from {url}. Status code: {response.status_code}") - with open(destination_path, "wb") as file: - for chunk in response.iter_content(1024): # Download in chunks - if chunk: # Filter out keep-alive chunks - file.write(chunk) - sha256_hash.update(chunk) - - # Compute the final checksum - checksum = sha256_hash.hexdigest() - return checksum - - -def get_download_url_for_tarball(pkg: dict[str, Any]) -> str: - # TODO: support other registries - # maybe fetch config.json from the registry root and get the dl key - # See: https://doc.rust-lang.org/cargo/reference/registry-index.html#index-configuration - if pkg["source"] != "registry+https://github.com/rust-lang/crates.io-index": - raise Exception("Only the default crates.io registry is supported.") - - # Use static.crates.io (CDN) instead of crates.io/api to avoid the 1 req/sec - # rate limit on the API servers. - return f"https://static.crates.io/crates/{pkg["name"]}/{pkg["version"]}/download" - - -def download_tarball(session: requests.Session, pkg: dict[str, Any], out_dir: Path) -> None: - - url = get_download_url_for_tarball(pkg) - filename = f"{pkg["name"]}-{pkg["version"]}.tar.gz" - - # TODO: allow legacy checksum specification, see importCargoLock for example - # also, don't forget about the other usage of the checksum - expected_checksum = pkg["checksum"] - - tarball_out_dir = out_dir / "tarballs" / filename - eprint(f"Fetching {url} -> tarballs/{filename}") - - calculated_checksum = download_file_with_checksum(session, url, tarball_out_dir) - - if calculated_checksum != expected_checksum: - raise Exception(f"Hash mismatch! File fetched from {url} had checksum {calculated_checksum}, expected {expected_checksum}.") - - -def download_git_tree(url: str, git_sha_rev: str, out_dir: Path) -> None: - - tree_out_dir = out_dir / "git" / git_sha_rev - eprint(f"Fetching {url}#{git_sha_rev} -> git/{git_sha_rev}") - - cmd = ["nix-prefetch-git", "--builder", "--quiet", "--fetch-submodules", "--url", url, "--rev", git_sha_rev, "--out", str(tree_out_dir)] - subprocess.check_output(cmd) - - -GIT_SOURCE_REGEX = re.compile("git\\+(?P[^?]+)(\\?(?Prev|tag|branch)=(?P.*))?#(?P.*)") - - -class GitSourceInfo(TypedDict): - url: str - type: str | None - value: str | None - git_sha_rev: str - - -def parse_git_source(source: str, lockfile_version: int) -> GitSourceInfo: - match = GIT_SOURCE_REGEX.match(source) - if match is None: - raise Exception(f"Unable to process git source: {source}.") - - source_info = cast(GitSourceInfo, match.groupdict(default=None)) - - # the source URL is URL-encoded in lockfile_version >=4 - # since we just used regex to parse it we have to manually decode the escaped branch/tag name - if lockfile_version >= 4 and source_info["value"] is not None: - source_info["value"] = unquote(source_info["value"]) - - return source_info - - -def create_vendor_staging(lockfile_path: Path, out_dir: Path) -> None: - cargo_lock_toml = load_toml(lockfile_path) - lockfile_version = get_lockfile_version(cargo_lock_toml) - - git_packages: list[dict[str, Any]] = [] - registry_packages: list[dict[str, Any]] = [] - - for pkg in cargo_lock_toml["package"]: - # ignore local dependenices - if "source" not in pkg.keys(): - eprint(f"Skipping local dependency: {pkg["name"]}") - continue - source = pkg["source"] - - if source.startswith("git+"): - git_packages.append(pkg) - elif source.startswith("registry+"): - registry_packages.append(pkg) - else: - raise Exception(f"Can't process source: {source}.") - - git_sha_rev_to_url: dict[str, str] = {} - for pkg in git_packages: - source_info = parse_git_source(pkg["source"], lockfile_version) - git_sha_rev_to_url[source_info["git_sha_rev"]] = source_info["url"] - - out_dir.mkdir(exist_ok=True) - shutil.copy(lockfile_path, out_dir / "Cargo.lock") - - # fetch git trees sequentially, since fetching concurrently leads to flaky behaviour - if len(git_packages) != 0: - (out_dir / "git").mkdir() - for git_sha_rev, url in git_sha_rev_to_url.items(): - download_git_tree(url, git_sha_rev, out_dir) - - # run tarball download jobs in parallel, with at most 5 concurrent download jobs - with mp.Pool(min(5, mp.cpu_count())) as pool: - if len(registry_packages) != 0: - (out_dir / "tarballs").mkdir() - session = create_http_session() - tarball_args_gen = ((session, pkg, out_dir) for pkg in registry_packages) - pool.starmap(download_tarball, tarball_args_gen) - - -def get_manifest_metadata(manifest_path: Path) -> dict[str, Any]: - cmd = ["cargo", "metadata", "--format-version", "1", "--no-deps", "--manifest-path", str(manifest_path)] - output = subprocess.check_output(cmd) - return json.loads(output) - - -def try_get_crate_manifest_path_from_manifest_path(manifest_path: Path, crate_name: str) -> Path | None: - try: - metadata = get_manifest_metadata(manifest_path) - except subprocess.CalledProcessError: - eprint(f"Warning: cargo metadata failed for {manifest_path}, skipping") - return None - - for pkg in metadata["packages"]: - if pkg["name"] == crate_name: - return Path(pkg["manifest_path"]) - - return None - - -def find_crate_manifest_in_tree(tree: Path, crate_name: str) -> Path: - # Scan all Cargo.toml files; sort by depth/path to make ordering deterministic - # and prefer less-nested manifests first. - manifest_paths = sorted( - tree.glob("**/Cargo.toml"), - key=lambda path: (len(path.parts), str(path)), - ) - - for manifest_path in manifest_paths: - res = try_get_crate_manifest_path_from_manifest_path(manifest_path, crate_name) - if res is not None: - return res - - raise Exception(f"Couldn't find manifest for crate {crate_name} inside {tree}.") - - -def copy_and_patch_git_crate_subtree(git_tree: Path, crate_name: str, crate_out_dir: Path) -> None: - - # This function will get called by copytree to decide which entries of a directory should be copied - # We'll copy everything except symlinks that are invalid - def ignore_func(dir_str: str, path_strs: list[str]) -> list[str]: - ignorelist: list[str] = [] - - dir = Path(realpath(dir_str, strict=True)) - - for path_str in path_strs: - path = dir / path_str - if not islink(path): - continue - - # Filter out cyclic symlinks and symlinks pointing at nonexistant files - try: - target_path = Path(realpath(path, strict=True)) - except OSError: - ignorelist.append(path_str) - eprint(f"Failed to resolve symlink, ignoring: {path}") - continue - - # Filter out symlinks that point outside of the current crate's base git tree - # This can be useful if the nix build sandbox is turned off and there is a symlink to a common absolute path - if not target_path.is_relative_to(git_tree): - ignorelist.append(path_str) - eprint(f"Symlink points outside of the crate's base git tree, ignoring: {path} -> {target_path}") - continue - - return ignorelist - - crate_manifest_path = find_crate_manifest_in_tree(git_tree, crate_name) - crate_tree = crate_manifest_path.parent - - eprint(f"Copying to {crate_out_dir}") - shutil.copytree(crate_tree, crate_out_dir, ignore=ignore_func) - crate_out_dir.chmod(0o755) - - with open(crate_manifest_path, "r") as f: - manifest_data = f.read() - - if "workspace" in manifest_data: - crate_manifest_metadata = get_manifest_metadata(crate_manifest_path) - workspace_root = Path(crate_manifest_metadata["workspace_root"]) - - root_manifest_path = workspace_root / "Cargo.toml" - manifest_path = crate_out_dir / "Cargo.toml" - - manifest_path.chmod(0o644) - eprint(f"Patching {manifest_path}") - - cmd = ["replace-workspace-values", str(manifest_path), str(root_manifest_path)] - subprocess.check_output(cmd) - - -def extract_crate_tarball_contents(tarball_path: Path, crate_out_dir: Path) -> None: - eprint(f"Unpacking to {crate_out_dir}") - crate_out_dir.mkdir() - cmd = ["tar", "xf", str(tarball_path), "-C", str(crate_out_dir), "--strip-components=1"] - subprocess.check_output(cmd) - - -def make_git_source_selector(source_info: GitSourceInfo) -> dict[str, str]: - selector = {} - selector["git"] = source_info["url"] - if source_info["type"] is not None: - selector[source_info["type"]] = source_info["value"] - return selector - - -def make_registry_source_selector(source: str) -> dict[str, str]: - registry = source[9:] if source.startswith("registry+") else source - selector = {} - selector["registry"] = registry - return selector - - -def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None: - lockfile_path = vendor_staging_dir / "Cargo.lock" - out_dir.mkdir(exist_ok=True) - shutil.copy(lockfile_path, out_dir / "Cargo.lock") - - cargo_lock_toml = load_toml(lockfile_path) - lockfile_version = get_lockfile_version(cargo_lock_toml) - - source_to_ind: dict[str, str] = {} - source_config = {} - next_registry_ind = 0 - next_git_ind = 0 - - def add_source_replacement( - orig_key: str, - orig_selector: dict[str, str], - vendored_key: str, - vendored_dir: str - ) -> None: - source_config[vendored_key] = {} - source_config[vendored_key]["directory"] = vendored_dir - source_config[orig_key] = orig_selector - source_config[orig_key]["replace-with"] = vendored_key - - # we reserve registry index 0 for crates-io - source_to_ind["registry+https://github.com/rust-lang/crates.io-index"] = "registry-0" - source_to_ind["sparse+https://index.crates.io/"] = "registry-0" - add_source_replacement( - orig_key="crates-io", - orig_selector={}, # there is an internal selector defined for the `crates-io` source - vendored_key="vendored-source-registry-0", - vendored_dir="@vendor@/source-registry-0" - ) - next_registry_ind += 1 - - for pkg in cargo_lock_toml["package"]: - # ignore local dependencies - if "source" not in pkg.keys(): - continue - source: str = pkg["source"] - if source in source_to_ind: - continue - - if source.startswith("git+"): - ind = f"git-{next_git_ind}" - next_git_ind += 1 - source_info = parse_git_source(source, lockfile_version) - selector = make_git_source_selector(source_info) - elif source.startswith("registry+") or source.startswith("sparse+"): - ind = f"registry-{next_registry_ind}" - next_registry_ind += 1 - selector = make_registry_source_selector(source) - else: - raise Exception(f"Can't process source: {source}.") - - source_to_ind[source] = ind - add_source_replacement( - orig_key=f"original-source-{ind}", - orig_selector=selector, - vendored_key=f"vendored-source-{ind}", - vendored_dir=f"@vendor@/source-{ind}" - ) - - config_path = out_dir / ".cargo" / "config.toml" - config_path.parent.mkdir() - - with open(config_path, "wb") as config_file: - tomli_w.dump({"source": source_config}, config_file) - - for pkg in cargo_lock_toml["package"]: - - # ignore local dependenices - if "source" not in pkg.keys(): - continue - - source: str = pkg["source"] - source_ind = source_to_ind[source] - crate_dir_name = f"{pkg["name"]}-{pkg["version"]}" - source_dir_name = f"source-{source_ind}" - crate_out_dir = out_dir / source_dir_name / crate_dir_name - crate_out_dir.parent.mkdir(exist_ok=True) - - if source.startswith("git+"): - - source_info = parse_git_source(source, lockfile_version) - - git_sha_rev = source_info["git_sha_rev"] - git_tree = vendor_staging_dir / "git" / git_sha_rev - - copy_and_patch_git_crate_subtree(git_tree, pkg["name"], crate_out_dir) - - # git based crates allow having no checksum information - with open(crate_out_dir / ".cargo-checksum.json", "w") as f: - json.dump({"files": {}}, f) - - elif source.startswith("registry+") or source.startswith("sparse+"): - filename = f"{pkg["name"]}-{pkg["version"]}.tar.gz" - - # TODO: change this when non-crates-io registries are supported - dir_name = "tarballs" - - tarball_path = vendor_staging_dir / dir_name / filename - - extract_crate_tarball_contents(tarball_path, crate_out_dir) - - # non-git based crates need the package checksum at minimum - with open(crate_out_dir / ".cargo-checksum.json", "w") as f: - json.dump({"files": {}, "package": pkg["checksum"]}, f) - - else: - raise Exception(f"Can't process source: {source}.") - - -def main() -> None: - subcommand = sys.argv[1] - - subcommand_func_dict = { - "create-vendor-staging": lambda: create_vendor_staging(lockfile_path=Path(sys.argv[2]), out_dir=Path(sys.argv[3])), - "create-vendor": lambda: create_vendor(vendor_staging_dir=Path(sys.argv[2]), out_dir=Path(sys.argv[3])) - } - - subcommand_func = subcommand_func_dict.get(subcommand) - - if subcommand_func is None: - raise Exception(f"Unknown subcommand: '{subcommand}'. Must be one of {list(subcommand_func_dict.keys())}") - - subcommand_func() - - -if __name__ == "__main__": - main() diff --git a/pkgs/build-support/rust/fetch-cargo-vendor-util.py b/pkgs/build-support/rust/fetch-cargo-vendor-util.py index 3bee7e150c8e8..5dc789c93ad95 100644 --- a/pkgs/build-support/rust/fetch-cargo-vendor-util.py +++ b/pkgs/build-support/rust/fetch-cargo-vendor-util.py @@ -40,6 +40,7 @@ def create_http_session() -> requests.Session: status_forcelist=[500, 502, 503, 504] ) session = requests.Session() + session.headers["User-Agent"] = "nixpkgs-fetchCargoVendor/2 (https://github.com/NixOS/nixpkgs)" session.mount('http://', HTTPAdapter(max_retries=retries)) session.mount('https://', HTTPAdapter(max_retries=retries)) return session @@ -68,7 +69,9 @@ def get_download_url_for_tarball(pkg: dict[str, Any]) -> str: if pkg["source"] != "registry+https://github.com/rust-lang/crates.io-index": raise Exception("Only the default crates.io registry is supported.") - return f"https://crates.io/api/v1/crates/{pkg["name"]}/{pkg["version"]}/download" + # Use static.crates.io (CDN) instead of crates.io/api to avoid the 1 req/sec + # rate limit on the API servers. + return f"https://static.crates.io/crates/{pkg["name"]}/{pkg["version"]}/download" def download_tarball(session: requests.Session, pkg: dict[str, Any], out_dir: Path) -> None: diff --git a/pkgs/build-support/rust/fetch-cargo-vendor.nix b/pkgs/build-support/rust/fetch-cargo-vendor.nix index 2802bf9e73f11..8d554a8dc3e22 100644 --- a/pkgs/build-support/rust/fetch-cargo-vendor.nix +++ b/pkgs/build-support/rust/fetch-cargo-vendor.nix @@ -37,29 +37,18 @@ let "hash" ]; - mkFetchCargoVendorUtil = - name: src: - writers.writePython3Bin name { - libraries = - with python3Packages; - [ - requests - tomli-w - ] - ++ requests.optional-dependencies.socks; # to support socks proxy envs like ALL_PROXY in requests - flakeIgnore = [ - "E501" - ]; - } (builtins.readFile src); - - # Separate util used only by the FOD `vendorStaging` stage below. Kept - # distinct from fetchCargoVendorUtil so that changes to the network-facing - # bits (User-Agent, download URL) don't invalidate the input-addressed - # `-vendor` stage and force a mass rebuild of every Rust package in nixpkgs. - # vendorStaging is an FOD, so swapping its util is free for consumers. - # TODO: unify with fetchCargoVendorUtil on the next `staging` cycle. - fetchCargoVendorUtilV2 = mkFetchCargoVendorUtil "fetch-cargo-vendor-util-v2" ./fetch-cargo-vendor-util-v2.py; - fetchCargoVendorUtil = mkFetchCargoVendorUtil "fetch-cargo-vendor-util" ./fetch-cargo-vendor-util.py; + fetchCargoVendorUtil = writers.writePython3Bin "fetch-cargo-vendor-util" { + libraries = + with python3Packages; + [ + requests + tomli-w + ] + ++ requests.optional-dependencies.socks; # to support socks proxy envs like ALL_PROXY in requests + flakeIgnore = [ + "E501" + ]; + } (builtins.readFile ./fetch-cargo-vendor-util.py); in { @@ -79,7 +68,7 @@ let impureEnvVars = lib.fetchers.proxyImpureEnvVars; nativeBuildInputs = [ - fetchCargoVendorUtilV2 + fetchCargoVendorUtil cacert nix-prefetch-git' ] @@ -92,7 +81,7 @@ let cd "$cargoRoot" fi - fetch-cargo-vendor-util-v2 create-vendor-staging ./Cargo.lock "$out" + fetch-cargo-vendor-util create-vendor-staging ./Cargo.lock "$out" runHook postBuild ''; From b3bdc19f55fe967c0c24e2728d543a9c462f4927 Mon Sep 17 00:00:00 2001 From: kuflierl <41301536+kuflierl@users.noreply.github.com> Date: Tue, 2 Jun 2026 15:07:04 +0200 Subject: [PATCH 089/133] libheif: 1.22.2 -> 1.23.0 changelog: https://github.com/strukturag/libheif/releases/tag/v1.23.0 (cherry picked from commit 536f85e8fc0b8bcf2a341b973d2c1eb4c20077cd) (cherry picked from commit 96b8fd4e618c2249400bea96e8b9ebdbb8b2d7b4) --- pkgs/by-name/li/libheif/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libheif/package.nix b/pkgs/by-name/li/libheif/package.nix index a24d7986b8846..42171d469f5a9 100644 --- a/pkgs/by-name/li/libheif/package.nix +++ b/pkgs/by-name/li/libheif/package.nix @@ -24,7 +24,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "libheif"; - version = "1.22.2"; + version = "1.23.0"; outputs = [ "bin" @@ -38,7 +38,7 @@ stdenv.mkDerivation (finalAttrs: { owner = "strukturag"; repo = "libheif"; rev = "v${finalAttrs.version}"; - hash = "sha256-z5vTfZATfwDn8Zwqt3piS7PaOQQ3UG+u20sR6j+dsUg="; + hash = "sha256-+LbYwDSxixy4TaraUCN2LiCnn32dkMppCA8EOFXbvtg="; }; nativeBuildInputs = [ From e40d42cbb7d42823e752693d1e951da7f234fe26 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Sun, 31 May 2026 15:34:33 -0700 Subject: [PATCH 090/133] bzip2: patch CVE-2026-42250 (cherry picked from commit a7b6fa34c1c4955920c50349475f41c2581981b8) (cherry picked from commit 2f092df439722bc95d790d0a2c734e637ff08006) --- pkgs/tools/compression/bzip2/default.nix | 3 ++ .../bzip2/patches/CVE-2026-42250.patch | 34 +++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 pkgs/tools/compression/bzip2/patches/CVE-2026-42250.patch diff --git a/pkgs/tools/compression/bzip2/default.nix b/pkgs/tools/compression/bzip2/default.nix index de15b36aef1ce..11d964fd2f067 100644 --- a/pkgs/tools/compression/bzip2/default.nix +++ b/pkgs/tools/compression/bzip2/default.nix @@ -30,6 +30,9 @@ stdenv.mkDerivation ( patchFlags = [ "-p0" ]; patches = [ + # https://sourceware.org/cgit/bzip2/patch/?id=35d122a3df8b0cc4082a4d89fdc6ee99f375fe67 + ./patches/CVE-2026-42250.patch + ./patches/bzip2-1.0.6.2-autoconfiscated.patch ]; # Fix up hardcoded version from the above patch, e.g. seen in bzip2.pc or libbz2.so.1.0.N diff --git a/pkgs/tools/compression/bzip2/patches/CVE-2026-42250.patch b/pkgs/tools/compression/bzip2/patches/CVE-2026-42250.patch new file mode 100644 index 0000000000000..db16326cdeb70 --- /dev/null +++ b/pkgs/tools/compression/bzip2/patches/CVE-2026-42250.patch @@ -0,0 +1,34 @@ +From 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67 Mon Sep 17 00:00:00 2001 +From: Mark Wielaard +Date: Thu, 28 May 2026 16:15:45 +0200 +Subject: bzip2recover: Make sure to not process more than + BZ_MAX_HANDLED_BLOCKS + +There is an off-by-one in the check before calling tooManyBlocks. This +causes the scanning loop to run one more time and cause a possible +read or write one past the global bStart, bEnd, rbStart and rbEnd +buffers. There are no known exploits of this issue and you will need +to compile with something like gcc -fsanitize=address (ASAN +AddressSanitizer) to observe the faulty read/write. + +This has been assigned CVE-2026-42250. +--- + bzip2recover.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git bzip2recover.c bzip2recover.c +index a8131e0..4b1c219 100644 +--- bzip2recover.c ++++ bzip2recover.c +@@ -402,7 +402,7 @@ Int32 main ( Int32 argc, Char** argv ) + rbEnd[rbCtr] = bEnd[currBlock]; + rbCtr++; + } +- if (currBlock >= BZ_MAX_HANDLED_BLOCKS) ++ if (currBlock >= BZ_MAX_HANDLED_BLOCKS - 1) + tooManyBlocks(BZ_MAX_HANDLED_BLOCKS); + currBlock++; + +-- +cgit + From 15c74e4f1eccd9cd6fcfc6d58ae83aca761557c4 Mon Sep 17 00:00:00 2001 From: whispers Date: Fri, 22 May 2026 21:28:20 -0400 Subject: [PATCH 091/133] libgcrypt: 1.11.2 -> 1.12.2 1.12.0: https://dev.gnupg.org/T7643, https://lists.gnupg.org/pipermail/gnupg-announce/2026q1/000502.html 1.12.1: https://dev.gnupg.org/T8067 1.12.2: https://dev.gnupg.org/T8114, https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000503.html (cherry picked from commit 5131deab4ec023f576cd4e6b0519c282dab8206d) (cherry picked from commit 3cfb42b48e77a9ae29b846f9146402dc47692ced) --- pkgs/by-name/li/libgcrypt/package.nix | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/pkgs/by-name/li/libgcrypt/package.nix b/pkgs/by-name/li/libgcrypt/package.nix index 9317da7494fda..08fa5886de73f 100644 --- a/pkgs/by-name/li/libgcrypt/package.nix +++ b/pkgs/by-name/li/libgcrypt/package.nix @@ -17,11 +17,11 @@ assert enableCapabilities -> stdenv.hostPlatform.isLinux; stdenv.mkDerivation rec { pname = "libgcrypt"; - version = "1.11.2"; + version = "1.12.2"; src = fetchurl { url = "mirror://gnupg/libgcrypt/${pname}-${version}.tar.bz2"; - hash = "sha256-a6Wd0ZInDowdIt20GgfZXc28Hw+wLQPEtUsjWBQzCqw="; + hash = "sha256-fOM8JJIiGgQ2+WqFACFenz49y1/SanV81BXnqEO6vV4="; }; outputs = [ @@ -73,17 +73,6 @@ stdenv.mkDerivation rec { postConfigure = '' sed -i configure \ -e 's/NOEXECSTACK_FLAGS=$/NOEXECSTACK_FLAGS="-Wa,--noexecstack"/' - '' - # The cipher/simd-common-riscv.h wasn't added to the release tarball, please remove this hack on next version update - # https://dev.gnupg.org/T7647 - + lib.optionalString stdenv.hostPlatform.isRiscV '' - cp ${ - fetchurl { - url = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob_plain;f=cipher/simd-common-riscv.h;h=8381000f9ac148c60a6963a1d9ec14a3fee1c576;hb=81ce5321b1b79bde6dfdc3c164efb40c13cf656b"; - hash = "sha256-Toe15YLAOYULnLc2fGMMv/xzs/q1t3LsyiqtL7imc+8="; - name = "simd-common-riscv.h"; - } - } cipher/simd-common-riscv.h ''; enableParallelBuilding = true; From 9b9b7a4d93c6a21aaa03d11cef8024c222cb991c Mon Sep 17 00:00:00 2001 From: Leon Klingele Date: Tue, 2 Jun 2026 22:41:39 +0200 Subject: [PATCH 092/133] go_1_26: 1.26.3 -> 1.26.4 (cherry picked from commit b359a44a033e0c805540f60c26d9834357ba341c) (cherry picked from commit f16209a21ec4da1743f1137e02a62b93c4fe10cd) --- pkgs/development/compilers/go/1.26.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/compilers/go/1.26.nix b/pkgs/development/compilers/go/1.26.nix index 01704593ad777..242fa4c91de87 100644 --- a/pkgs/development/compilers/go/1.26.nix +++ b/pkgs/development/compilers/go/1.26.nix @@ -25,11 +25,11 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "go"; - version = "1.26.3"; + version = "1.26.4"; src = fetchurl { url = "https://go.dev/dl/go${finalAttrs.version}.src.tar.gz"; - hash = "sha256-HGRoddCqh5kTMYTtV895/yS97+jIggRwYCqdPW2Rkrg="; + hash = "sha256-T2aKMvv8ETLmqIH7lowvHa2mMUkqM5IRc1+7JVpCYC0="; }; strictDeps = true; From 608382cc0c18f8773d5b7f6e3901e5a02885d626 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Sun, 31 May 2026 15:01:48 -0700 Subject: [PATCH 093/133] python3Packages.pyjwt: 2.12.1 -> 2.13.0 Diff: https://github.com/jpadilla/pyjwt/compare/2.12.1...2.13.0 Changelog: https://github.com/jpadilla/pyjwt/blob/2.13.0/CHANGELOG.rst (cherry picked from commit 3b6cda4e40f81fada80e9cc10e040d59a2826a20) (cherry picked from commit 35e7bdb1f4f22d136664d22e742b10994635443d) --- pkgs/development/python-modules/pyjwt/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/pyjwt/default.nix b/pkgs/development/python-modules/pyjwt/default.nix index 1d18045a863c9..74754630a145f 100644 --- a/pkgs/development/python-modules/pyjwt/default.nix +++ b/pkgs/development/python-modules/pyjwt/default.nix @@ -13,14 +13,14 @@ buildPythonPackage rec { pname = "pyjwt"; - version = "2.12.1"; + version = "2.13.0"; pyproject = true; src = fetchFromGitHub { owner = "jpadilla"; repo = "pyjwt"; tag = version; - hash = "sha256-wgOa5JhQT82ppoad6s8gPH7tGRNbbVWmJaaDF84d+r0="; + hash = "sha256-q4ynXCJVDsyZh70439dloyWgRTLVm+elDOahUVOT5vA="; }; outputs = [ From 360c80e28179890828262156e12ab51ac816f79e Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 4 Jun 2026 01:51:51 +0200 Subject: [PATCH 094/133] python3Packages.django_5: 5.2.14 -> 5.2.15 https://docs.djangoproject.com/en/5.2/releases/5.2.15/ https://www.djangoproject.com/weblog/2026/jun/03/security-releases/ Fixes: CVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193, CVE-2026-48587 (cherry picked from commit 3b5d44bff532312e311282d9768c5204fc8d601a) (cherry picked from commit 32ff989879ca372003d44ee8421d81f3353c8ac0) --- pkgs/development/python-modules/django/5.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/django/5.nix b/pkgs/development/python-modules/django/5.nix index 3a7274793a2bd..273b61da19c95 100644 --- a/pkgs/development/python-modules/django/5.nix +++ b/pkgs/development/python-modules/django/5.nix @@ -41,14 +41,14 @@ buildPythonPackage rec { pname = "django"; - version = "5.2.14"; + version = "5.2.15"; pyproject = true; src = fetchFromGitHub { owner = "django"; repo = "django"; tag = version; - hash = "sha256-gb/4WL2VLoqRucpXuKyPsMSwKZ6gaxy5JA7QTeeazjk="; + hash = "sha256-K9yFHr3IkVNMqoeumESszVlju2fW2r8hS8z6M2OdVpE="; }; patches = [ From 1cf8084a61a0a5033b77feb7293dce3ff8941255 Mon Sep 17 00:00:00 2001 From: whispers Date: Tue, 2 Jun 2026 11:02:48 -0400 Subject: [PATCH 095/133] xvfb: 21.1.22 -> 21.1.23, drop rebuild avoidance xorg announcement: https://lists.x.org/archives/xorg-announce/2026-June/003703.html xorg advisory: https://lists.x.org/archives/xorg-announce/2026-June/003702.html (cherry picked from commit 8310c133b7c8dfd173a135bdb9ac0b7a7fc6b5e6) (cherry picked from commit 128add25cfb35e89a5e101480ce15aaef73a6f43) --- pkgs/by-name/xv/xvfb/package.nix | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/pkgs/by-name/xv/xvfb/package.nix b/pkgs/by-name/xv/xvfb/package.nix index d14e353387763..934fade5a7958 100644 --- a/pkgs/by-name/xv/xvfb/package.nix +++ b/pkgs/by-name/xv/xvfb/package.nix @@ -38,13 +38,7 @@ stdenv.mkDerivation (finalAttrs: { pname = "xvfb"; - # TODO: rebuild avoidance. revert on staging. - # inherit (xorg-server) src version; - version = "21.1.22"; - src = fetchurl { - url = "mirror://xorg/individual/xserver/xorg-server-${finalAttrs.version}.tar.xz"; - hash = "sha256-GiQsiRfEm6KczB9gIWE9iiuYBd0NJxpmrp0J9LC7BrM="; - }; + inherit (xorg-server) src version; strictDeps = true; From e4f8aa8b230b279b57f1025b88a1fe206fb3507a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Sun, 31 May 2026 12:59:26 -0700 Subject: [PATCH 096/133] ghostscript: 10.07.0 -> 10.07.1 Changelog: https://ghostscript.readthedocs.io/en/gs10.07.1/News.html (cherry picked from commit 6f5cb5357ce5f049e4571c5fe16afbdb3644e971) (cherry picked from commit cab7cf2acdb2294def13bbce083d9807dd95530b) --- pkgs/by-name/gh/ghostscript/package.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/gh/ghostscript/package.nix b/pkgs/by-name/gh/ghostscript/package.nix index 36b9ced6f56b7..6cd7c4b18ed1a 100644 --- a/pkgs/by-name/gh/ghostscript/package.nix +++ b/pkgs/by-name/gh/ghostscript/package.nix @@ -67,13 +67,13 @@ let in stdenv.mkDerivation (finalAttrs: { pname = "ghostscript${lib.optionalString x11Support "-with-X"}"; - version = "10.07.0"; + version = "10.07.1"; src = fetchurl { url = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${ lib.replaceStrings [ "." ] [ "" ] finalAttrs.version }/ghostscript-${finalAttrs.version}.tar.xz"; - hash = "sha256-3azk4XIflnpVA5uv9WSEAiXguqHU9UMiR8oczRRzt8E="; + hash = "sha256-HNt2bejbjx5YnIF/CcWFXqX2XfyFQORlpprBTBhBYCU="; }; patches = [ @@ -233,6 +233,7 @@ stdenv.mkDerivation (finalAttrs: { meta = { homepage = "https://www.ghostscript.com/"; + changelog = "https://ghostscript.readthedocs.io/en/gs${finalAttrs.version}/News.html"; description = "PostScript interpreter (mainline version)"; longDescription = '' Ghostscript is the name of a set of tools that provides (i) an From 8336ce23196cf992a685559f6083b542aee8a3f7 Mon Sep 17 00:00:00 2001 From: "R. Ryantm" Date: Wed, 27 May 2026 10:06:49 +0000 Subject: [PATCH 097/133] systemd: 260.1 -> 260.2 (cherry picked from commit d08a97a02625f300a3c12da8fc5e5f7579cf38d8) (cherry picked from commit 8981bd36a7893b59577d0a4ae1de03f7a81e3609) --- pkgs/os-specific/linux/systemd/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index 1ca295d5b1380..a7806fc7d4735 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -202,13 +202,13 @@ let in stdenv.mkDerivation (finalAttrs: { inherit pname; - version = "260.1"; + version = "260.2"; src = fetchFromGitHub { owner = "systemd"; repo = "systemd"; rev = "v${finalAttrs.version}"; - hash = "sha256-FUKj3lvjz8TIsyu8NyJYtiNele+1BhdJPdw7r7nW6as="; + hash = "sha256-NXmmSV7/9WIW6C8wjdOwaerCy4v7Zcrd8+XDzcS8rEk="; }; # PATCH POLICY From 2b7fc293239017429fad1046292f250d671e4259 Mon Sep 17 00:00:00 2001 From: r-vdp Date: Sun, 31 May 2026 11:43:03 +0300 Subject: [PATCH 098/133] systemd: drop upstreamed tmpfiles noatime patch (cherry picked from commit 3dbcb86c1f33d575b16b78d576a16d4d3a2f0608) (cherry picked from commit 9bcbc7814a0b2a5515fdf6449c12a055712328d8) --- pkgs/os-specific/linux/systemd/default.nix | 8 -------- 1 file changed, 8 deletions(-) diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index a7806fc7d4735..4d91ed2e72a54 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -5,7 +5,6 @@ pkgsCross, testers, fetchFromGitHub, - fetchpatch, buildPackages, makeBinaryWrapper, ninja, @@ -238,13 +237,6 @@ stdenv.mkDerivation (finalAttrs: { ./0003-add-rootprefix-to-lookup-dir-paths.patch ./0004-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch ./0005-core-don-t-taint-on-unmerged-usr.patch - - # TODO: remove the following patch when systemd v261 is released. - # see upstream PR: https://github.com/systemd/systemd/pull/41232 - (fetchpatch { - url = "https://github.com/systemd/systemd/commit/df45055942330fcd2b77389e449905e7f6ca34ec.patch"; - hash = "sha256-PDh4mP9rYGCglp25346nExU2v6P0WYPfLZgu+YwzZ9c="; - }) ] ++ lib.optionals (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isGnu) [ ./0006-timesyncd-disable-NSCD-when-DNSSEC-validation-is-dis.patch From 11899547f29a22b9e8adef50930ced66ac57c4d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Mon, 1 Jun 2026 22:25:35 -0700 Subject: [PATCH 099/133] libde265: 1.0.19 -> 1.1.0 Diff: https://github.com/strukturag/libde265/compare/v1.0.19...v1.1.0 Changelog: https://github.com/strukturag/libde265/releases/tag/v1.1.0 (cherry picked from commit eb64ffdbce253915ec1e43f6f055cfbbab87d586) (cherry picked from commit ca8d5775de348f1505ae1f84c3c08c5ca01dbf98) --- pkgs/by-name/li/libde265/package.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libde265/package.nix b/pkgs/by-name/li/libde265/package.nix index 65121864428c7..80293886a1e1d 100644 --- a/pkgs/by-name/li/libde265/package.nix +++ b/pkgs/by-name/li/libde265/package.nix @@ -15,14 +15,14 @@ }: stdenv.mkDerivation (finalAttrs: { - version = "1.0.19"; + version = "1.1.0"; pname = "libde265"; src = fetchFromGitHub { owner = "strukturag"; repo = "libde265"; tag = "v${finalAttrs.version}"; - hash = "sha256-77OIclR2TwOigo/k5ps9S0TrDNvEjf290PqZyqBcydo="; + hash = "sha256-QhBi23HttVdIJCueSeKj3ZKwqX1iFcuAX7GmnMRCyN8="; }; nativeBuildInputs = [ @@ -43,6 +43,7 @@ stdenv.mkDerivation (finalAttrs: { meta = { homepage = "https://github.com/strukturag/libde265"; + changelog = "https://github.com/strukturag/libde265/releases/tag/${finalAttrs.src.tag}"; description = "Open h.265 video codec implementation"; mainProgram = "dec265"; license = lib.licenses.lgpl3; From 213f8e5f584907ba1b6f1419d044af7e7e5c69f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Mon, 1 Jun 2026 11:38:44 -0700 Subject: [PATCH 100/133] krb5: 1.22.1 -> 1.22.2 Changelog: https://web.mit.edu/Kerberos/krb5-1.22/ (cherry picked from commit 5a913250424c829e00c300968eefb71f5865d852) (cherry picked from commit b3a92ec281d998f0b947846c19956752ad275bfc) --- pkgs/by-name/kr/krb5/package.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/kr/krb5/package.nix b/pkgs/by-name/kr/krb5/package.nix index 0b504c6dc8a66..3c402ff11721b 100644 --- a/pkgs/by-name/kr/krb5/package.nix +++ b/pkgs/by-name/kr/krb5/package.nix @@ -34,13 +34,13 @@ stdenv.mkDerivation (finalAttrs: { pname = "krb5"; - version = "1.22.1"; + version = "1.22.2"; __structuredAttrs = true; src = fetchurl { url = "https://kerberos.org/dist/krb5/${lib.versions.majorMinor finalAttrs.version}/krb5-${finalAttrs.version}.tar.gz"; - hash = "sha256-GogyuMrZI+u/E5T2fi789B46SfRgKFpm41reyPoAU68="; + hash = "sha256-MkP/vI6k1Kwi3cfdKh3FTFeHTEBki2D/lwCXY1VOrxM="; }; patches = lib.optionals stdenv.hostPlatform.isFreeBSD [ @@ -170,6 +170,7 @@ stdenv.mkDerivation (finalAttrs: { ]; meta = { + changelog = "https://web.mit.edu/Kerberos/krb5-${lib.versions.majorMinor finalAttrs.version}/"; description = "MIT Kerberos 5"; homepage = "http://web.mit.edu/kerberos/"; license = lib.licenses.mit; From 7b5710119386670cb12c68b20fc473cb0ab0c64c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Thu, 4 Jun 2026 09:47:51 -0700 Subject: [PATCH 101/133] krb5: patch CVE-2026-40355 and CVE-2026-40356 (cherry picked from commit a42608a7a8c0d84c9ef80ab8acb05507052e6bbb) (cherry picked from commit 3cff9ef0a777a198dcd45125284696f528522ab0) --- .../CVE-2026-40355-and-CVE-2026-40356.patch | 61 +++++++++++++++++++ pkgs/by-name/kr/krb5/package.nix | 6 +- 2 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 pkgs/by-name/kr/krb5/CVE-2026-40355-and-CVE-2026-40356.patch diff --git a/pkgs/by-name/kr/krb5/CVE-2026-40355-and-CVE-2026-40356.patch b/pkgs/by-name/kr/krb5/CVE-2026-40355-and-CVE-2026-40356.patch new file mode 100644 index 0000000000000..fe37f894fdc47 --- /dev/null +++ b/pkgs/by-name/kr/krb5/CVE-2026-40355-and-CVE-2026-40356.patch @@ -0,0 +1,61 @@ +From acea6182e46fff3d1d64a3172cdff307b07ca441 Mon Sep 17 00:00:00 2001 +From: Greg Hudson +Date: Wed, 8 Apr 2026 17:57:59 -0400 +Subject: [PATCH] Fix two NegoEx parsing vulnerabilities + +In parse_nego_message(), check the result of the second call to +vector_base() before dereferencing it. In parse_message(), check for +a short header_len to prevent an integer underflow when calculating +the remaining message length. + +Reported by Cem Onat Karagun. + +CVE-2026-40355: + +In MIT krb5 release 1.18 and later, if an application calls +gss_accept_sec_context() on a system with a NegoEx mechanism +registered in /etc/gss/mech, an unauthenticated remote attacker can +trigger a null pointer dereference, causing the process to terminate. + +CVE-2026-40356: + +In MIT krb5 release 1.18 and later, if an application calls +gss_accept_sec_context() on a system with a NegoEx mechanism +registered in /etc/gss/mech, an unauthenticated remote attacker can +trigger a read overrun of up to 52 bytes, possibly causing the process +to terminate. Exfiltration of the bytes read does not appear +possible. + +(cherry picked from commit 2e75f0d9362fb979f5fc92829431a590a130929f) + +ticket: 9205 +version_fixed: 1.22.3 +--- + lib/gssapi/spnego/negoex_util.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/lib/gssapi/spnego/negoex_util.c b/src/lib/gssapi/spnego/negoex_util.c +index edc5462e844..a65238e5730 100644 +--- a/lib/gssapi/spnego/negoex_util.c ++++ b/lib/gssapi/spnego/negoex_util.c +@@ -253,6 +253,10 @@ parse_nego_message(OM_uint32 *minor, struct k5input *in, + offset = k5_input_get_uint32_le(in); + count = k5_input_get_uint16_le(in); + p = vector_base(offset, count, EXTENSION_LENGTH, msg_base, msg_len); ++ if (p == NULL) { ++ *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE; ++ return GSS_S_DEFECTIVE_TOKEN; ++ } + for (i = 0; i < count; i++) { + extension_type = load_32_le(p + i * EXTENSION_LENGTH); + if (extension_type & EXTENSION_FLAG_CRITICAL) { +@@ -391,7 +395,8 @@ parse_message(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, struct k5input *in, + msg_len = k5_input_get_uint32_le(in); + conv_id = k5_input_get_bytes(in, GUID_LENGTH); + +- if (in->status || msg_len > token_remaining || header_len > msg_len) { ++ if (in->status || msg_len > token_remaining || ++ header_len < (size_t)(in->ptr - msg_base) || header_len > msg_len) { + *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE; + return GSS_S_DEFECTIVE_TOKEN; + } diff --git a/pkgs/by-name/kr/krb5/package.nix b/pkgs/by-name/kr/krb5/package.nix index 3c402ff11721b..c4e35061d41af 100644 --- a/pkgs/by-name/kr/krb5/package.nix +++ b/pkgs/by-name/kr/krb5/package.nix @@ -43,7 +43,11 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-MkP/vI6k1Kwi3cfdKh3FTFeHTEBki2D/lwCXY1VOrxM="; }; - patches = lib.optionals stdenv.hostPlatform.isFreeBSD [ + patches = [ + # https://github.com/krb5/krb5/pull/1506 + ./CVE-2026-40355-and-CVE-2026-40356.patch + ] + ++ lib.optionals stdenv.hostPlatform.isFreeBSD [ (fetchpatch { name = "fix-missing-ENODATA.patch"; url = "https://cgit.freebsd.org/ports/plain/security/krb5-122/files/patch-lib_krad_packet.c?id=0501f716c4aff7880fde56e42d641ef504593b7d"; From 4907a037124adc94b805de978557c06fa8f55213 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Wed, 3 Jun 2026 13:36:13 +0200 Subject: [PATCH 102/133] libxml2: 2.15.2 -> 2.15.3 Changelog: https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.15.3/NEWS Fixes CVE-2026-6732 Other security issues fixed here seem to not have CVEs assigned (yet) (cherry picked from commit efef7d2661da0fe1a31640df138cedeeb746b165) (cherry picked from commit 2c2c8a3587fd408f44570b009d5b25e2abb14a68) --- pkgs/development/libraries/libxml2/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/libraries/libxml2/default.nix b/pkgs/development/libraries/libxml2/default.nix index 52a3ab58ad612..015688e4474b4 100644 --- a/pkgs/development/libraries/libxml2/default.nix +++ b/pkgs/development/libraries/libxml2/default.nix @@ -46,13 +46,13 @@ let }; }; libxml2 = callPackage ./common.nix { - version = "2.15.2"; + version = "2.15.3"; src = fetchFromGitLab { domain = "gitlab.gnome.org"; owner = "GNOME"; repo = "libxml2"; tag = "v${packages.libxml2.version}"; - hash = "sha256-k5dZ75D/BOouYAjrof9Jm2lY29XZhOqS1kudDGmGY9Q="; + hash = "sha256-fDntZDyITs223by8n7ueOXiO7yyzshtANoWbY0+yeqo="; }; extraMeta = { maintainers = with lib.maintainers; [ From c6a6976a2a2ee65a76071f57de1c44227c2a5717 Mon Sep 17 00:00:00 2001 From: Stig Palmquist Date: Thu, 4 Jun 2026 17:38:16 +0200 Subject: [PATCH 103/133] perl: backport security fixes Perl ships with some CPAN modules vendored as "dual-life", this commit inject updated versions certain modules directly from CPAN rather than applying patches from upstream, as they can be tricky to maintain. It also includes a patch for CVE-2026-8376 which affects 32-bit platforms. - perl: CVE-2026-8376 https://github.com/Perl/perl5/commit/5e7f119eb2bb1181be908701f22bf7068e722f1c - HTTP-Tiny 0.094: CVE-2026-7010 https://metacpan.org/release/HAARG/HTTP-Tiny-0.094/changes - Compress-Raw-Zlib 2.222: CVE-2026-3381, CVE-2026-4176 https://metacpan.org/release/PMQS/Compress-Raw-Zlib-2.222/changes - Compress-Raw-Bzip2 2.218 https://metacpan.org/release/PMQS/Compress-Raw-Bzip2-2.218/changes - IO-Compress 2.220: CVE-2026-48959, CVE-2026-48961, CVE-2026-48962 https://metacpan.org/release/PMQS/IO-Compress-2.220/changes - Archive-Tar 3.12: CVE-2026-42496, CVE-2026-42497, CVE-2026-9538 https://metacpan.org/release/BINGOS/Archive-Tar-3.12/changes Assisted-by: Codex (OpenAI) Signed-off-by: Stig Palmquist (cherry picked from commit d59aeb80e50481c69e9535b6421c84a4a398531f) (cherry picked from commit 5613fd0d417095f6e8bf247b23ec19b0ee210a92) --- .../interpreters/perl/CVE-2026-8376.patch | 20 ++++++ .../interpreters/perl/interpreter.nix | 65 +++++++++++++++++-- 2 files changed, 81 insertions(+), 4 deletions(-) create mode 100644 pkgs/development/interpreters/perl/CVE-2026-8376.patch diff --git a/pkgs/development/interpreters/perl/CVE-2026-8376.patch b/pkgs/development/interpreters/perl/CVE-2026-8376.patch new file mode 100644 index 0000000000000..c8ad722981788 --- /dev/null +++ b/pkgs/development/interpreters/perl/CVE-2026-8376.patch @@ -0,0 +1,20 @@ +Targeted patch for CVE-2026-8376, based on 5e7f119eb2bb1181be908701f22bf7068e722f1c but avoids changes to t/re/pat_psycho.t as they do not apply cleanly. + +diff --git a/regcomp_study.c b/regcomp_study.c +index b513454a4258..1602663f4b26 100644 +--- a/regcomp_study.c ++++ b/regcomp_study.c +@@ -2784,6 +2784,13 @@ Perl_study_chunk(pTHX_ + (U8 *) SvEND(data->last_found)) + - (U8*)s; + l -= old; ++ ++ if (l > 0 && ++ (mincount >= SSize_t_MAX / (SSize_t)l ++ || old > SSize_t_MAX - mincount * (SSize_t)l)) { ++ FAIL("Regexp out of space"); ++ } ++ + /* Get the added string: */ + last_str = newSVpvn_utf8(s + old, l, UTF); + last_chrs = UTF ? utf8_length((U8*)(s + old), diff --git a/pkgs/development/interpreters/perl/interpreter.nix b/pkgs/development/interpreters/perl/interpreter.nix index fce8e1c9e0f04..cdb03912b5177 100644 --- a/pkgs/development/interpreters/perl/interpreter.nix +++ b/pkgs/development/interpreters/perl/interpreter.nix @@ -36,6 +36,8 @@ let commonPatches = [ # Do not look in /usr etc. for dependencies. ./no-sys-dirs.patch + + ./CVE-2026-8376.patch ] # Fix build on Solaris on x86_64 @@ -79,6 +81,61 @@ let # Some more details: https://arsv.github.io/perl-cross/modules.html ++ lib.optional crossCompiling ./cross.patch; + # Inject fixed CPAN releases for bundled dual-life distributions until the + # next perl maintenance release includes them. + vendoredPerlDistributions = [ + { + # CVE-2026-7010 + path = "cpan/HTTP-Tiny"; + src = fetchurl { + url = "mirror://cpan/authors/id/H/HA/HAARG/HTTP-Tiny-0.094.tar.gz"; + hash = "sha256-poQemfwbVdFd6VlHzL17dnvsxRxxAhl/qPBE333cB0M="; + }; + } + { + # CVE-2026-3381, CVE-2026-4176 + path = "cpan/Compress-Raw-Zlib"; + src = fetchurl { + url = "mirror://cpan/authors/id/P/PM/PMQS/Compress-Raw-Zlib-2.222.tar.gz"; + hash = "sha256-Hf19URplVifIGBXTDTurwo+luIRV/wP4sECZ3LUShrg="; + }; + } + { + # Runtime dependency of IO-Compress 2.220. + path = "cpan/Compress-Raw-Bzip2"; + src = fetchurl { + url = "mirror://cpan/authors/id/P/PM/PMQS/Compress-Raw-Bzip2-2.218.tar.gz"; + hash = "sha256-iRU+ai69pSNJSTsHT6S3VJ/x+QU952E8GKXgXFtBX6g="; + }; + } + { + # CVE-2026-48962, CVE-2026-48961, CVE-2026-48959 + path = "cpan/IO-Compress"; + src = fetchurl { + url = "mirror://cpan/authors/id/P/PM/PMQS/IO-Compress-2.220.tar.gz"; + hash = "sha256-nZbqKR8sVO82fHOWuFfZO6GsHEsvG84T7Yo+Xz7rtic="; + }; + } + { + # CVE-2026-42496, CVE-2026-42497, CVE-2026-9538 + path = "cpan/Archive-Tar"; + src = fetchurl { + url = "mirror://cpan/authors/id/B/BI/BINGOS/Archive-Tar-3.12.tar.gz"; + hash = "sha256-ARTvObZfSfiWgoOrR3Gdfoj5jXNg/jZJvjMcf1PVgyw="; + }; + } + ]; + + replaceVendoredPerlDistributions = lib.concatMapStringsSep "\n" (d: '' + rm -rf ${d.path} + mkdir -p ${d.path} + + tar --strip-components=1 -C ${d.path} -xf ${d.src} + + # Remove executable bits to make t/porting/exec-bit.t happy. + find ${d.path} -type f -exec chmod a-x {} + + '') vendoredPerlDistributions; + libc = if stdenv.cc.libc or null != null then stdenv.cc.libc else "/usr"; libcInc = lib.getDev libc; libcLib = lib.getLib libc; @@ -136,10 +193,10 @@ stdenv.mkDerivation ( --replace "/bin/pwd" "$(type -P pwd)" '' ) - + - # Perl's build system uses the src variable, and its value may end up in - # the output in some cases (when cross-compiling) - '' + + replaceVendoredPerlDistributions + + '' + # Perl's build system uses the src variable, and its value may end up in + # the output in some cases (when cross-compiling). unset src ''; From 8abfd69d34c6658e7eed4cd71b7ab4fae7982e83 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Fri, 5 Jun 2026 12:52:54 +0200 Subject: [PATCH 104/133] libpng: 1.6.56 -> 1.6.58 Fixes: CVE-2026-34757 and CVE-2026-40930 (#528286) (cherry picked from commit 316db7c96c1096ae2bf0a40bdec1fc630e1498a2) (cherry picked from commit 2d355d1abaa61f5d60dc524c3645c4d6cbb980be) --- pkgs/by-name/li/libpng/package.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/by-name/li/libpng/package.nix b/pkgs/by-name/li/libpng/package.nix index d533f3ed56bbd..7d52bcffb378e 100644 --- a/pkgs/by-name/li/libpng/package.nix +++ b/pkgs/by-name/li/libpng/package.nix @@ -11,10 +11,10 @@ assert zlib != null; let - patchVersion = "1.6.56"; + patchVersion = "1.6.58"; patch_src = fetchurl { url = "mirror://sourceforge/libpng-apng/libpng-${patchVersion}-apng.patch.gz"; - hash = "sha256-nOMtSidjoqxfJYcmui9J6QETJ8HujDCGKjLQ8wiJ++g="; + hash = "sha256-7ufeoi7VAoaAF5cchsY8TtHmCF3guuv9zD0zIvAPPrA="; }; whenPatched = lib.optionalString apngSupport; @@ -24,11 +24,11 @@ let in stdenv'.mkDerivation (finalAttrs: { pname = "libpng" + whenPatched "-apng"; - version = "1.6.56"; + version = "1.6.58"; src = fetchurl { url = "mirror://sourceforge/libpng/libpng-${finalAttrs.version}.tar.xz"; - hash = "sha256-99i/FgG3gE9YOiVKs0OmVJymzyfSVcMCxHry2dNqbxg="; + hash = "sha256-KOtAP1Hw90BSSRMs7P6C6lwO+X8bMsWmWCiBSuDTR3U="; }; postPatch = whenPatched "gunzip < ${patch_src} | patch -Np1" From 7b8f0d2c39d3ebe39e044576e6cf80e392648a3f Mon Sep 17 00:00:00 2001 From: Cathal Mullan Date: Sat, 21 Mar 2026 16:08:18 +0000 Subject: [PATCH 105/133] rustPlatform.fetchCargoVendor: de-duplicate git sources by selector (cherry picked from commit 100e23324c871a3b9210bd50c59d4f22e6cc452c) (cherry picked from commit 28fe7e5b4d263e339b52c304e1aa34a3e06b1cef) --- .../rust/fetch-cargo-vendor-util.py | 28 +++++++++++++------ 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/pkgs/build-support/rust/fetch-cargo-vendor-util.py b/pkgs/build-support/rust/fetch-cargo-vendor-util.py index 5dc789c93ad95..825f07b175ee9 100644 --- a/pkgs/build-support/rust/fetch-cargo-vendor-util.py +++ b/pkgs/build-support/rust/fetch-cargo-vendor-util.py @@ -292,6 +292,7 @@ def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None: lockfile_version = get_lockfile_version(cargo_lock_toml) source_to_ind: dict[str, str] = {} + selector_to_ind: dict[tuple, str] = {} source_config = {} next_registry_ind = 0 next_git_ind = 0 @@ -327,24 +328,35 @@ def add_source_replacement( continue if source.startswith("git+"): - ind = f"git-{next_git_ind}" - next_git_ind += 1 source_info = parse_git_source(source, lockfile_version) selector = make_git_source_selector(source_info) + selector_key = (source_info["url"], source_info["type"], source_info["value"]) + if selector_key in selector_to_ind: + ind = selector_to_ind[selector_key] + else: + ind = f"git-{next_git_ind}" + next_git_ind += 1 + selector_to_ind[selector_key] = ind + add_source_replacement( + orig_key=f"original-source-{ind}", + orig_selector=selector, + vendored_key=f"vendored-source-{ind}", + vendored_dir=f"@vendor@/source-{ind}" + ) elif source.startswith("registry+") or source.startswith("sparse+"): ind = f"registry-{next_registry_ind}" next_registry_ind += 1 selector = make_registry_source_selector(source) + add_source_replacement( + orig_key=f"original-source-{ind}", + orig_selector=selector, + vendored_key=f"vendored-source-{ind}", + vendored_dir=f"@vendor@/source-{ind}" + ) else: raise Exception(f"Can't process source: {source}.") source_to_ind[source] = ind - add_source_replacement( - orig_key=f"original-source-{ind}", - orig_selector=selector, - vendored_key=f"vendored-source-{ind}", - vendored_dir=f"@vendor@/source-{ind}" - ) config_path = out_dir / ".cargo" / "config.toml" config_path.parent.mkdir() From cd50997cecd9082dc6ba715231b9e6cc68df1139 Mon Sep 17 00:00:00 2001 From: whispers Date: Fri, 5 Jun 2026 22:16:08 -0400 Subject: [PATCH 106/133] freetype: add patches for four vulnerabilities from project zero - https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1419 / https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1420 - https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1421 - https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1423 - https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1425 (cherry picked from commit a06fb593b6facc51ec4348cfb4f105536e319739) (cherry picked from commit ff252bdb2913aa7a371e51f665cded93345ecb7c) --- pkgs/by-name/fr/freetype/package.nix | 48 ++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/pkgs/by-name/fr/freetype/package.nix b/pkgs/by-name/fr/freetype/package.nix index 1eb213ab71f17..2f5f6ccef0a84 100644 --- a/pkgs/by-name/fr/freetype/package.nix +++ b/pkgs/by-name/fr/freetype/package.nix @@ -2,6 +2,7 @@ lib, stdenv, fetchurl, + fetchpatch, buildPackages, pkgsHostHost, pkg-config, @@ -69,6 +70,53 @@ stdenv.mkDerivation (finalAttrs: { patches = [ ./enable-table-validation.patch + + # https://project-zero.issues.chromium.org/issues/505355061 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1419 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1420 + (fetchpatch { + name = "truetype-shz-limit-heap-buffer-overflow-part1.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/1803559c4ee407d0bcbf2a67dbe96690cee869d2.patch"; + hash = "sha256-zxtJ2pJz8pNofgYrJ6c8/eZqRvxTotanF2IdU9ckpM4="; + }) + (fetchpatch { + name = "truetype-shz-limit-heap-buffer-overflow-part2.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/7d600a022e1d813e85a8c94ffd395f6135872267.patch"; + hash = "sha256-aHE11C9Cr23D2lqNmTVUDA5E07xxUm+AcYdWJG9zLFs="; + }) + + # https://project-zero.issues.chromium.org/issues/505357209 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1421 + (fetchpatch { + name = "truetype-iup-integer-overflow.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/7974be74d8b5a2fbf99aa88f0461d1f80af51cee.patch"; + hash = "sha256-b5Px0ALsnC5K1+601YioAjCLkLVXNnvTIZ1aQtCeNoQ="; + }) + + # https://project-zero.issues.chromium.org/issues/506902245 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1423 + # https://gitlab.freedesktop.org/freetype/freetype/-/merge_requests/428 + (fetchpatch { + name = "truetype-variation-handling-signednes-mismatch.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/0d45c7f1911bc6db0bf072eea0c8cdccd77bc6b3.patch"; + hash = "sha256-bw/9O86sZQa+vwdgx2MTqxWi6vjMcRTyC42ba9CaZ3I="; + }) + + # prerequisite for the below to apply, since this changes formatting of + # affected code. + (fetchpatch { + name = "ftobjs-formatting.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/590b77014bd920d0bdf64c039fddbce89a288b83.patch"; + hash = "sha256-govOzLBzQMAjSKABVFryDnSn2by2f/W9BgGG3o+qSuE="; + }) + + # https://project-zero.issues.chromium.org/issues/507321912 + # https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1425 + (fetchpatch { + name = "sub-byte-bitmaps-heap-buffer-over-read.patch"; + url = "https://gitlab.freedesktop.org/freetype/freetype/-/commit/cbe12767ea73d1006edc75fcd61c0b0d2a88f34e.patch"; + hash = "sha256-jMeqY9uX7Ryfdd8icGDT4kEKl6aGRWafSN8GzOhGW7g="; + }) ] ++ lib.optional useEncumberedCode ./enable-subpixel-rendering.patch; From b036a47ec700ef1494de4e38c5737196e778ee08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= Date: Sun, 7 Jun 2026 09:25:39 -0700 Subject: [PATCH 107/133] libde265: 1.1.0 -> 1.1.1 Diff: https://github.com/strukturag/libde265/compare/v1.1.0...v1.1.1 Changelog: https://github.com/strukturag/libde265/releases/tag/v1.1.1 (cherry picked from commit 80edf6a63022180fcf57ad25c4255dfefda2f65c) (cherry picked from commit 1706cb9fb147f760580d6cb50bd77da6e5abef63) --- pkgs/by-name/li/libde265/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/li/libde265/package.nix b/pkgs/by-name/li/libde265/package.nix index 80293886a1e1d..771b9e3366340 100644 --- a/pkgs/by-name/li/libde265/package.nix +++ b/pkgs/by-name/li/libde265/package.nix @@ -15,14 +15,14 @@ }: stdenv.mkDerivation (finalAttrs: { - version = "1.1.0"; + version = "1.1.1"; pname = "libde265"; src = fetchFromGitHub { owner = "strukturag"; repo = "libde265"; tag = "v${finalAttrs.version}"; - hash = "sha256-QhBi23HttVdIJCueSeKj3ZKwqX1iFcuAX7GmnMRCyN8="; + hash = "sha256-ZHfPC86oylqt2bwWMJRWVjdMEEmX6UOKR7XkR0HPyok="; }; nativeBuildInputs = [ From ba1d85c8a9a45b3cd2013bbcdbd9ba573711270e Mon Sep 17 00:00:00 2001 From: Leona Maroni Date: Mon, 8 Jun 2026 16:42:44 +0200 Subject: [PATCH 108/133] rsync: 3.4.3 -> 3.4.4 https://github.com/RsyncProject/rsync/releases/tag/v3.4.4 (cherry picked from commit ff0334da83c1a0e1ecb3864fcb84dd24dbcaecc5) (cherry picked from commit a97ae27e15acefdb3a2374b27a16db0e9d46545a) --- pkgs/by-name/rs/rsync/package.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/by-name/rs/rsync/package.nix b/pkgs/by-name/rs/rsync/package.nix index c8137c8cf3c3f..a6d869ad44da5 100644 --- a/pkgs/by-name/rs/rsync/package.nix +++ b/pkgs/by-name/rs/rsync/package.nix @@ -28,12 +28,12 @@ stdenv.mkDerivation (finalAttrs: { pname = "rsync"; - version = "3.4.3"; + version = "3.4.4"; src = fetchurl { # signed with key 9FEF 112D CE19 A0DC 7E88 2CB8 1BB2 4997 A853 5F6F url = "mirror://samba/rsync/src/rsync-${finalAttrs.version}.tar.gz"; - hash = "sha256-xy5jyjAhy8gLqG7DAQJ3P0xWMfvEkrUudzs5WPgqU9M="; + hash = "sha256-vYjPgvplPaMjFPsikTZAfFyQ+A0XWNj0sJF2eHfY+pY="; }; preBuild = '' From 98d05b721ff8c8d2ab03099bb7c8702629235298 Mon Sep 17 00:00:00 2001 From: Leona Maroni Date: Wed, 10 Jun 2026 09:21:32 +0200 Subject: [PATCH 109/133] rsync: fix test failure on darwin Not-cherry-picked-because: Guarded to darwin, will remove guard on staging/staging-26.05 (cherry picked from commit c10ba493e0f242454a78fdde32fce0956065222c) --- pkgs/by-name/rs/rsync/package.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/pkgs/by-name/rs/rsync/package.nix b/pkgs/by-name/rs/rsync/package.nix index a6d869ad44da5..a102ff36cc15f 100644 --- a/pkgs/by-name/rs/rsync/package.nix +++ b/pkgs/by-name/rs/rsync/package.nix @@ -2,6 +2,7 @@ lib, stdenv, fetchurl, + fetchpatch, updateAutotoolsGnuConfigScriptsHook, perl, @@ -36,6 +37,17 @@ stdenv.mkDerivation (finalAttrs: { hash = "sha256-vYjPgvplPaMjFPsikTZAfFyQ+A0XWNj0sJF2eHfY+pY="; }; + patches = lib.optionals (stdenv.hostPlatform.isDarwin) [ + # Fixes test failure on darwin + (fetchpatch { + url = "https://github.com/RsyncProject/rsync/commit/e1c5f0e93a75dd45f32f3b92ba221ef158ac2e5f.patch"; + hash = "sha256-pg65K9BCTq/WvS5icK6KT28ARccFKedp2445wLYdRsE="; + excludes = [ + ".github/workflows/cygwin-build.yml" + ]; + }) + ]; + preBuild = '' patchShebangs ./runtests.py ''; From df10d00b617c6428938d3a1b14205ae72c679718 Mon Sep 17 00:00:00 2001 From: Michael Daniels Date: Sun, 7 Jun 2026 20:34:11 -0400 Subject: [PATCH 110/133] libressl: fix Darwin build https://hydra.nixos.org/build/331199232 (cherry picked from commit 3b6967c20926a7c6423ebd9875a6cd18a7f254d5) (cherry picked from commit ffc75d7b6e066c3d06fc8e07c4ef19cbb6faba9b) --- pkgs/by-name/li/libressl/default.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/li/libressl/default.nix b/pkgs/by-name/li/libressl/default.nix index 4ccc79407ba7e..4bf139efc381d 100644 --- a/pkgs/by-name/li/libressl/default.nix +++ b/pkgs/by-name/li/libressl/default.nix @@ -61,6 +61,10 @@ let doCheck = !(stdenv.hostPlatform.isPower64 || stdenv.hostPlatform.isRiscV); preCheck = '' + export PREVIOUS_${ldLibPathEnvName}=$${ldLibPathEnvName} + export ${ldLibPathEnvName}="$${ldLibPathEnvName}:$(realpath tls/):$(realpath ssl/):$(realpath crypto/)" + '' + + lib.optionalString stdenv.hostPlatform.isElf '' # Bail if any shared object has executable stack enabled. This can # happen when an object produced from an assmbly file in libcrypto is # missing a .note.GNU-stack section. An executable stack is dangerous @@ -76,9 +80,6 @@ let } END { exit res } ' - - export PREVIOUS_${ldLibPathEnvName}=$${ldLibPathEnvName} - export ${ldLibPathEnvName}="$${ldLibPathEnvName}:$(realpath tls/):$(realpath ssl/):$(realpath crypto/)" ''; postCheck = '' export ${ldLibPathEnvName}=$PREVIOUS_${ldLibPathEnvName} From 07f0989d40f587fe482cb766318804457a2cbd5d Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Mon, 15 Jun 2026 15:24:45 +0200 Subject: [PATCH 111/133] python3Packages.valkey: fix valkey 9.1 compat (cherry picked from commit 28e20e77fc5109649ddd16d7ad5aa459dba93186) (cherry picked from commit 653b43f22f8c9c1bc452eedaa19c234313f00212) --- pkgs/development/python-modules/valkey/default.nix | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/pkgs/development/python-modules/valkey/default.nix b/pkgs/development/python-modules/valkey/default.nix index 5674542e90165..dcccacb7d569c 100644 --- a/pkgs/development/python-modules/valkey/default.nix +++ b/pkgs/development/python-modules/valkey/default.nix @@ -40,11 +40,20 @@ buildPythonPackage rec { }; patches = [ + # valkey 9.0 compat (fetchpatch { - # valkey 9.0 compat url = "https://github.com/valkey-io/valkey-py/commit/c01505e547f614f278b882a016557b6ed652bb9f.patch"; hash = "sha256-rvA65inIioqdc+QV4KaaUv1I/TMZUq0TWaFJcJiy8NU="; }) + # valkey 9.1 compat + (fetchpatch { + url = "https://github.com/valkey-io/valkey-py/commit/df5c44903dc8e2dda733e5576324ba0ff8c4c6a0.patch"; + hash = "sha256-0wsWuaOYWBgf6BjlJuciZYRbugYfchTU2khQX7rtRJg="; + }) + (fetchpatch { + url = "https://github.com/valkey-io/valkey-py/commit/046c7fb9e8260c2d69d05141b1519903c4e40efe.patch"; + hash = "sha256-/yN1y0hbmBR6o6ab4h0qkn/qhU6jASOIeqWhxUi5w/I="; + }) ]; build-system = [ setuptools ]; From 4e59517c0fa5c2d8835a4d75637daf8b1fd622fc Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Fri, 19 Jun 2026 03:24:57 +0200 Subject: [PATCH 112/133] python3Packages.cnf-lint: disable failing tests Bisected to 252225814ab5f11143a02e8aad9459c2d9f498cd. (cherry picked from commit eb643cb18ca43227504637f5c5d6e93234510abb) --- pkgs/development/python-modules/cfn-lint/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/pkgs/development/python-modules/cfn-lint/default.nix b/pkgs/development/python-modules/cfn-lint/default.nix index db06eac381553..70a2968acfe8e 100644 --- a/pkgs/development/python-modules/cfn-lint/default.nix +++ b/pkgs/development/python-modules/cfn-lint/default.nix @@ -69,6 +69,13 @@ buildPythonPackage rec { "test_update_docs" ]; + disabledTestPaths = [ + # unexpected exit code afer nodejs_24 24.16.0 update + "test/integration/test_quickstart_templates.py::TestQuickStartTemplates::test_templates" + "test/integration/test_quickstart_templates_non_strict.py::TestQuickStartTemplates::test_module_integration" + "test/integration/test_quickstart_templates_non_strict.py::TestQuickStartTemplates::test_templates" + ]; + pythonImportsCheck = [ "cfnlint" ]; meta = { From 5ea9077ca0bfbcf1d4787741fe7f460aee4ce2d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Sun, 21 Jun 2026 09:48:15 +0200 Subject: [PATCH 113/133] python3Packages.fasthtml: 0.12.48 -> 0.13.3 .starlette upgrade in 83ece5c3a1e broke compatibility: https://hydra.nixos.org/build/331250021/nixlog/6/tail Upstream fixes that v0.13.0 and updating past 0.13.3 would need resolving - fastcore>=1.12.41 not satisfied by version 1.12.39 (which isn't great approach for stable 26.05 which motivates this commit) https://github.com/AnswerDotAI/fasthtml/releases (cherry picked from commit 6a56b38c1324b2a4cb755210ea9caa77fca88035) (from PR https://github.com/NixOS/nixpkgs/pull/533848 ) (cherry picked from commit 18a1ef95cd42d379ffc937dc9a68c7a12f59d16d) --- pkgs/development/python-modules/fasthtml/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/development/python-modules/fasthtml/default.nix b/pkgs/development/python-modules/fasthtml/default.nix index 3f47dd2ce5a75..12b9b77c04355 100644 --- a/pkgs/development/python-modules/fasthtml/default.nix +++ b/pkgs/development/python-modules/fasthtml/default.nix @@ -31,14 +31,14 @@ buildPythonPackage (finalAttrs: { pname = "fasthtml"; - version = "0.12.48"; + version = "0.13.3"; pyproject = true; src = fetchFromGitHub { owner = "AnswerDotAI"; repo = "fasthtml"; tag = finalAttrs.version; - hash = "sha256-lMAuIw4sMkS3XSG/0Bs0iQPSjMusbmjUKv0w4cINwas="; + hash = "sha256-PS5HGegC6pG/bJAGrKDsRYguBnNS9EDrZIjWvjErO4M="; }; build-system = [ From 7106a694391b7839c3d9c0a3c4eb0eb5e731338a Mon Sep 17 00:00:00 2001 From: Jost Alemann Date: Tue, 23 Jun 2026 04:21:47 +0200 Subject: [PATCH 114/133] ty: 0.0.51 -> 0.0.52 Changelog: https://github.com/astral-sh/ty/releases/tag/0.0.52 Diff: https://github.com/astral-sh/ty/compare/0.0.51...0.0.52 --- pkgs/by-name/ty/ty/package.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkgs/by-name/ty/ty/package.nix b/pkgs/by-name/ty/ty/package.nix index 8a3b04bc7a094..48a4dbae05f2a 100644 --- a/pkgs/by-name/ty/ty/package.nix +++ b/pkgs/by-name/ty/ty/package.nix @@ -17,7 +17,7 @@ rustPlatform.buildRustPackage (finalAttrs: { pname = "ty"; - version = "0.0.51"; + version = "0.0.52"; __structuredAttrs = true; src = fetchFromGitHub { @@ -25,7 +25,7 @@ rustPlatform.buildRustPackage (finalAttrs: { repo = "ty"; tag = finalAttrs.version; fetchSubmodules = true; - hash = "sha256-99CucCCZ8oOQV1PaPLZXq++8S7d6QJSAaQq/WXP87n4="; + hash = "sha256-p9fTzQ4DYvnwrtLdpSTekBV4ZbR1KETR8dfsbp8CDpo="; }; # For Darwin platforms, remove the integration test for file notifications, @@ -39,7 +39,7 @@ rustPlatform.buildRustPackage (finalAttrs: { cargoBuildFlags = [ "--package=ty" ]; - cargoHash = "sha256-N76A6howQn/ZbDJ7PWrThDYKhH+vc7tnZPShR7T31Ug="; + cargoHash = "sha256-NUIdYOeyRsR/ZQueEXshYdWTnSeQiRjZRRi2ag8Dm48="; nativeBuildInputs = [ installShellFiles ]; buildInputs = [ rust-jemalloc-sys ]; From cac02061f84ad05a4d8db7c6f245fbe21b70f4c2 Mon Sep 17 00:00:00 2001 From: r-vdp Date: Tue, 23 Jun 2026 14:21:17 +0200 Subject: [PATCH 115/133] switch-to-configuration-ng: pull common code out of the different conditional branches All branches here are restarting instead of reloading, so it makes sense to remove the unit from units_to_reload in all cases. --- .../sw/switch-to-configuration-ng/src/main.rs | 23 ++++--------------- 1 file changed, 5 insertions(+), 18 deletions(-) diff --git a/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs b/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs index b5d307d7bdb11..55d1d93bde346 100644 --- a/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs +++ b/pkgs/by-name/sw/switch-to-configuration-ng/src/main.rs @@ -743,11 +743,6 @@ fn handle_modified_unit( // This unit should be restarted instead of stopped and started. units_to_restart.insert(unit.to_string(), ()); record_unit(&restart_list, unit); - // Remove from units to reload so we don't restart and reload - if units_to_reload.contains_key(unit) { - units_to_reload.remove(unit); - unrecord_unit(&reload_list, unit); - } } else { // If this unit is socket-activated, then stop the socket unit(s) as well, and // restart the socket(s) instead of the service. @@ -804,14 +799,6 @@ fn handle_modified_unit( } else if socket_in_new_config { // Transitioning to socket activation; let the socket start it. socket_activated = true; - } else { - continue; - } - - // Remove from units to reload so we don't restart and reload - if units_to_reload.contains_key(unit) { - units_to_reload.remove(unit); - unrecord_unit(&reload_list, unit); } } } @@ -840,11 +827,11 @@ fn handle_modified_unit( } else { units_to_stop.insert(unit.to_string(), ()); } - // Remove from units to reload so we don't restart and reload - if units_to_reload.contains_key(unit) { - units_to_reload.remove(unit); - unrecord_unit(&reload_list, unit); - } + } + + // Remove from units to reload so we don't restart and reload + if units_to_reload.remove(unit).is_some() { + unrecord_unit(&reload_list, unit); } } } From 7601f8a10854992b594fc85ecb4685a1a0ec3346 Mon Sep 17 00:00:00 2001 From: Yuriy Taraday Date: Tue, 23 Jun 2026 15:42:14 +0200 Subject: [PATCH 116/133] pkgs-lib/formats: Add tests for serializing null values In the effort to pass values directly as structured values, we ran into issue with serializing null's. This adds tests for null for all formats that support it and negative tests for some others. See https://github.com/NixOS/nixpkgs/pull/524404#issuecomment-4665694636 --- pkgs/pkgs-lib/formats.nix | 8 +++- pkgs/pkgs-lib/tests/formats.nix | 83 +++++++++++++++++++++++++++++++++ 2 files changed, 90 insertions(+), 1 deletion(-) diff --git a/pkgs/pkgs-lib/formats.nix b/pkgs/pkgs-lib/formats.nix index ef7d104f20e4c..a184b0cbce535 100644 --- a/pkgs/pkgs-lib/formats.nix +++ b/pkgs/pkgs-lib/formats.nix @@ -1017,7 +1017,13 @@ optionalAttrs allowAliases aliases }: if format == "badgerfish" then { - type = serializableValueWith { typeName = "XML"; }; + type = + attrsOf (serializableValueWith { + typeName = "XML"; + }) + // { + description = "XML value"; + }; generate = name: value: diff --git a/pkgs/pkgs-lib/tests/formats.nix b/pkgs/pkgs-lib/tests/formats.nix index ee6d817287c26..242fd64bc70a3 100644 --- a/pkgs/pkgs-lib/tests/formats.nix +++ b/pkgs/pkgs-lib/tests/formats.nix @@ -142,6 +142,14 @@ runBuildTests { ''; }; + jsonNull = shouldPass { + format = formats.json { }; + input = null; + expected = '' + null + ''; + }; + yaml_1_1Atoms = shouldPass { format = formats.yaml_1_1 { }; input = { @@ -176,6 +184,15 @@ runBuildTests { ''; }; + yaml_1_1Null = shouldPass { + format = formats.yaml_1_1 { }; + input = null; + expected = '' + null + ... + ''; + }; + yaml_1_2Atoms = shouldPass { format = formats.yaml_1_2 { }; input = { @@ -210,6 +227,16 @@ runBuildTests { ''; }; + yaml_1_2Null = shouldPass { + format = formats.yaml_1_2 { }; + input = null; + # nixfmt insists on removing indentation, so force it with ${" "} + expected = '' + + ${" "}null + ''; + }; + iniAtoms = shouldPass { format = formats.ini { }; input = { @@ -879,6 +906,14 @@ runBuildTests { ''; }; + cdnNull = shouldPass { + format = formats.cdn { }; + input = null; + expected = '' + null: null + ''; + }; + # This test is responsible for # 1. testing type coercions # 2. providing a more readable example test @@ -989,6 +1024,14 @@ runBuildTests { ''; }; + luaNull = shouldPass { + format = formats.lua { }; + input = null; + expected = '' + return nil + ''; + }; + nixConfAtoms = shouldPass { format = formats.nixConf { package = pkgs.nix; @@ -1014,6 +1057,15 @@ runBuildTests { ''; }; + nixConfNull = shouldFail { + format = formats.nixConf { + package = pkgs.nix; + version = pkgs.nix.version; + extraOptions = "ignore-try = false"; + }; + input = null; + }; + phpAtoms = shouldPass rec { format = formats.php { finalVariable = "config"; }; input = { @@ -1043,6 +1095,16 @@ runBuildTests { ''; }; + phpNull = shouldPass { + format = formats.php { finalVariable = "config"; }; + input = null; + expected = '' + ''; }; + PlistNull = shouldPass { + format = formats.plist { }; + input = null; + expected = '' + + + + + ''; + }; + hcl1Atoms = shouldPass { format = formats.hcl1 { }; input = { From 3aebc40624d576bd95cc17da7db374e2582d6df0 Mon Sep 17 00:00:00 2001 From: K900 Date: Tue, 23 Jun 2026 20:59:38 +0300 Subject: [PATCH 117/133] nixos/test-driver: abort if we didn't connect to the backdoor in 5 minutes This is a lot of minutes, but less than the 1 hour it would normally take to time out the entire build. --- nixos/lib/test-driver/src/test_driver/machine/__init__.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/nixos/lib/test-driver/src/test_driver/machine/__init__.py b/nixos/lib/test-driver/src/test_driver/machine/__init__.py index db96445af912b..a202956abff43 100644 --- a/nixos/lib/test-driver/src/test_driver/machine/__init__.py +++ b/nixos/lib/test-driver/src/test_driver/machine/__init__.py @@ -1044,12 +1044,16 @@ def shell_ready(timeout_secs: int) -> bool: assert self.shell tic = time.time() - # TODO: do we want to bail after a set number of attempts? - while not shell_ready(timeout_secs=30): + + for _ in range(10): + if shell_ready(timeout_secs=30): + break self.log("Guest root shell did not produce any data yet...") self.log( " To debug, enter the VM and run 'systemctl status backdoor.service'." ) + else: + raise RuntimeError("Shell did not start in time") while True: chunk = self.shell.recv(1024) From efdeeebcb9127136cdb83f2212d785f0d33b1407 Mon Sep 17 00:00:00 2001 From: Yuriy Taraday Date: Tue, 23 Jun 2026 14:40:23 +0200 Subject: [PATCH 118/133] Reapply "pkgs-lib/formats: Use .attrs.json where possible" This expands on https://github.com/NixOS/nixpkgs/pull/498928 that introduced __structuredAttrs here by actually using data in `.attrs.json` when it makes sense, instead of relying on environment variables. This reverts commit bf6ada5d786e8aa4faff128e7e73a4792c2e99fe. This reapplies commit 691dc02df0111c320cd6697aacd4b113ba632e40. --- pkgs/pkgs-lib/formats.nix | 60 ++++++++++----------- pkgs/pkgs-lib/formats/configobj/default.nix | 8 +-- pkgs/pkgs-lib/formats/configobj/generate.py | 5 +- 3 files changed, 36 insertions(+), 37 deletions(-) diff --git a/pkgs/pkgs-lib/formats.nix b/pkgs/pkgs-lib/formats.nix index a184b0cbce535..f23f740ab7a92 100644 --- a/pkgs/pkgs-lib/formats.nix +++ b/pkgs/pkgs-lib/formats.nix @@ -146,14 +146,14 @@ optionalAttrs allowAliases aliases runCommand name { nativeBuildInputs = [ jq ]; - value = toJSON value; + inherit value; preferLocalBuild = true; __structuredAttrs = true; } + # NIX_ATTRS_JSON_FILE won't have `value` if it's null, but jq returns null for missing properties anyway + # jsonNull test keeps this in check '' - valuePath="$TMPDIR/value" - printf "%s" "$value" > "$valuePath" - jq . "$valuePath" > $out + jq .value "$NIX_ATTRS_JSON_FILE" > $out '' ) { }; @@ -171,14 +171,16 @@ optionalAttrs allowAliases aliases runCommand name { nativeBuildInputs = [ remarshal_0_17 ]; - value = toJSON value; + inherit value; preferLocalBuild = true; __structuredAttrs = true; } '' - valuePath="$TMPDIR/value" - printf "%s" "$value" > "$valuePath" - json2yaml "$valuePath" "$out" + json2yaml ${ + # attributes with null values are omitted from the JSON with structured attrs + # yaml_1_1Null test keeps this in check + if value == null then ''<(echo "null")'' else ''--unwrap value "$NIX_ATTRS_JSON_FILE"'' + } "$out" '' ) { }; @@ -196,14 +198,16 @@ optionalAttrs allowAliases aliases runCommand name { nativeBuildInputs = [ remarshal ]; - value = toJSON value; + inherit value; preferLocalBuild = true; __structuredAttrs = true; } '' - valuePath="$TMPDIR/value" - printf "%s" "$value" > "$valuePath" - json2yaml "$valuePath" "$out" + json2yaml ${ + # attributes with null values are omitted from the JSON with structured attrs + # yaml_1_2Null test keeps this in check + if value == null then ''<(echo "null")'' else ''--unwrap value "$NIX_ATTRS_JSON_FILE"'' + } "$out" '' ) { }; @@ -960,8 +964,10 @@ optionalAttrs allowAliases aliases python3 black ]; - imports = toJSON (value._imports or [ ]); - value = toJSON (removeAttrs value [ "_imports" ]); + imports = value._imports or [ ]; + # value must be an attrset, type would verify that, + # otherwise removeAttrs will fail. + value = removeAttrs value [ "_imports" ]; pythonGen = pkgs.writeText "pythonGen" '' import json import os @@ -984,26 +990,20 @@ optionalAttrs allowAliases aliases else: return repr(value) - with open(os.environ["importsPath"], "r") as f: - imports = json.load(f) - if imports is not None: - for i in imports: + with open(os.environ["NIX_ATTRS_JSON_FILE"], "r") as f: + attrs = json.load(f) + if attrs["imports"] is not None: + for i in attrs["imports"]: print(f"import {i}") print() - with open(os.environ["valuePath"], "r") as f: - for key, value in json.load(f).items(): + for key, value in attrs["value"].items(): print(f"{key} = {recursive_repr(value)}") ''; preferLocalBuild = true; __structuredAttrs = true; } '' - export importsPath="$TMPDIR/imports" - printf "%s" "$imports" > "$importsPath" - export valuePath="$TMPDIR/value" - printf "%s" "$value" > "$valuePath" - cat "$valuePath" python3 "$pythonGen" > $out black $out '' @@ -1039,14 +1039,16 @@ optionalAttrs allowAliases aliases python3Packages.xmltodict libxml2Python ]; - value = toJSON value; + inherit value; pythonGen = pkgs.writeText "pythonGen" '' import json import os import xmltodict - with open(os.environ["valuePath"], "r") as f: - print(xmltodict.unparse(json.load(f), full_document=${ + with open(os.environ["NIX_ATTRS_JSON_FILE"], "r") as f: + value = json.load(f).get("value") + assert type(value) is dict, "value must be an attrset" + print(xmltodict.unparse(value, full_document=${ if withHeader then "True" else "False" }, pretty=True, indent=" " * 2)) ''; @@ -1054,8 +1056,6 @@ optionalAttrs allowAliases aliases __structuredAttrs = true; } '' - export valuePath="$TMPDIR/value" - printf "%s" "$value" > "$valuePath" python3 "$pythonGen" > $out xmllint $out > /dev/null '' diff --git a/pkgs/pkgs-lib/formats/configobj/default.nix b/pkgs/pkgs-lib/formats/configobj/default.nix index 8179c4412e5fc..227d8e7aa9903 100644 --- a/pkgs/pkgs-lib/formats/configobj/default.nix +++ b/pkgs/pkgs-lib/formats/configobj/default.nix @@ -3,10 +3,6 @@ pkgs, }: let - inherit (lib) - toJSON - ; - inherit (lib.types) serializableValueWith ; @@ -25,12 +21,12 @@ in (pkgs.python3.withPackages (ps: [ ps.configobj ])) ]; - valuesJSON = toJSON value; + inherit value; __structuredAttrs = true; strictDeps = true; } '' - printf "%s" "$valuesJSON" | python3 ${./generate.py} > "$out" + python3 ${./generate.py} > "$out" ''; }; } diff --git a/pkgs/pkgs-lib/formats/configobj/generate.py b/pkgs/pkgs-lib/formats/configobj/generate.py index 5863396c120dd..e531e68a4fbb7 100644 --- a/pkgs/pkgs-lib/formats/configobj/generate.py +++ b/pkgs/pkgs-lib/formats/configobj/generate.py @@ -1,7 +1,10 @@ import json +import os import sys from configobj import ConfigObj config = ConfigObj(interpolation=False, encoding="UTF8") -config.update(json.load(sys.stdin)) +with open(os.environ["NIX_ATTRS_JSON_FILE"]) as f: + value = json.load(f).get("value") +config.update(value) config.write(sys.stdout.buffer) From 3f596088797d2e3a62e20cae2d2936e8548a690e Mon Sep 17 00:00:00 2001 From: Atemu Date: Wed, 24 Jun 2026 00:34:06 +0200 Subject: [PATCH 119/133] lix: remove broken perf patch from curl Fixes https://github.com/NixOS/nixpkgs/issues/534713 --- .../tools/package-management/lix/common-lix.nix | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/pkgs/tools/package-management/lix/common-lix.nix b/pkgs/tools/package-management/lix/common-lix.nix index 9e400afd6b066..d5277055efd26 100644 --- a/pkgs/tools/package-management/lix/common-lix.nix +++ b/pkgs/tools/package-management/lix/common-lix.nix @@ -126,6 +126,19 @@ let '' substitute $inputPath $out --replace-fail @deps@ "$(cat ${deps})" ''; + + # https://github.com/NixOS/nixpkgs/pull/525953 backported a performance patch + # that /somehow/ breaks Lix unit tests. + # FIXME revert when the patch is gone in curl drv + curl-fixed = curl.overrideAttrs ( + { + patches ? [ ], + ... + }: + { + patches = lib.filter (patch: !lib.strings.hasSuffix "fix-wakeup-consumption.patch" patch) patches; + } + ); in # gcc miscompiles coroutines at least until 13.2, possibly longer # do not remove this check unless you are sure you (or your users) will not report bugs to Lix upstream about GCC miscompilations. @@ -243,14 +256,14 @@ stdenv.mkDerivation (finalAttrs: { ++ lib.optionals stdenv.hostPlatform.isLinux [ util-linuxMinimal ] ++ lib.optionals (lib.versionAtLeast version "2.94") [ zstd ] ++ lib.optionals (withPlugins && finalAttrs.doInstallCheck) [ - curl + curl-fixed ]; buildInputs = [ boost brotli bzip2 - curl + curl-fixed capnproto editline openssl From b12656477c958885ea7469f18efe45967fee22c1 Mon Sep 17 00:00:00 2001 From: Atemu Date: Wed, 24 Jun 2026 00:43:16 +0200 Subject: [PATCH 120/133] Revert "nixos/system-path: don't link `/etc/xdg/` uncoditionally" This created more breakage than expected. Revert until the critical modules are patched. This reverts commit 603fc91c3326715ceb023220b193ff46046e7f08. --- doc/release-notes/rl-2611.section.md | 2 +- nixos/modules/config/system-path.nix | 1 + nixos/modules/config/xdg/autostart.nix | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/doc/release-notes/rl-2611.section.md b/doc/release-notes/rl-2611.section.md index d9e27a469008f..c3d9415e5459c 100644 --- a/doc/release-notes/rl-2611.section.md +++ b/doc/release-notes/rl-2611.section.md @@ -10,7 +10,6 @@ -- Paths under `/etc/xdg/` from packages in `environment.systemPackages` are no longer linked into the global `/etc/` by default. Modules depending on such directories must declare them explicitly using `environment.pathsToLink`. - `databricks-cli` has been updated from `0.290.2` to `1.x.x`, the first major release. OAuth tokens for interactive logins (`auth_type = databricks-cli`) are now stored in the OS-native secure store by default (Secret Service on Linux) instead of `~/.databricks/token-cache.json`; cached tokens from older versions are not migrated, so run `databricks auth login` once per profile after upgrading. To keep the previous file-backed storage, set `DATABRICKS_AUTH_STORAGE=plaintext` or add `auth_storage = plaintext` under `[__settings__]` in `~/.databrickscfg`. Additionally, the `vector_search_endpoints` DABs resource renamed `min_qps` to `target_qps` (and the `vector-search-endpoints` command renamed `--min-qps` to `--target-qps`). See the [upstream changelog](https://github.com/databricks/cli/blob/main/CHANGELOG.md) for details. - `hurl` has been updated to `8.x.x` which has some breaking changes. See [upstream changelog](https://github.com/Orange-OpenSource/hurl/releases/tag/8.0.0) for details. @@ -94,3 +93,4 @@ ### Additions and Improvements {#sec-nixpkgs-release-26.11-lib-additions-improvements} - Create the first release note entry in this section! + diff --git a/nixos/modules/config/system-path.nix b/nixos/modules/config/system-path.nix index 5776c8ede4137..c014f00da6059 100644 --- a/nixos/modules/config/system-path.nix +++ b/nixos/modules/config/system-path.nix @@ -187,6 +187,7 @@ in environment.pathsToLink = [ "/bin" + "/etc/xdg" "/etc/gtk-2.0" "/etc/gtk-3.0" "/lib" # FIXME: remove and update debug-info.nix diff --git a/nixos/modules/config/xdg/autostart.nix b/nixos/modules/config/xdg/autostart.nix index a266b046de1a6..46c90ae1793a9 100644 --- a/nixos/modules/config/xdg/autostart.nix +++ b/nixos/modules/config/xdg/autostart.nix @@ -22,6 +22,8 @@ }; config = { + # FIXME this does not actually work because "/etc/xdg" is linked + # unconditionally in `nixos/modules/config/system-path.nix` environment.pathsToLink = lib.mkIf config.xdg.autostart.install [ "/etc/xdg/autostart" ]; From 0dc4ca4c71e3264818087b678c050fdbb3e3f87b Mon Sep 17 00:00:00 2001 From: Nina Fromm Date: Mon, 22 Jun 2026 17:35:25 +0200 Subject: [PATCH 121/133] nixos/tests: Load root profile in nspawn tests This is currently a hacky workarround, but bettern than nothing until we come up with a better solution. --- .../test-driver/src/test_driver/machine/__init__.py | 2 +- nixos/tests/simple-container.nix | 11 ++++++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/nixos/lib/test-driver/src/test_driver/machine/__init__.py b/nixos/lib/test-driver/src/test_driver/machine/__init__.py index db96445af912b..83e39c0be49b3 100644 --- a/nixos/lib/test-driver/src/test_driver/machine/__init__.py +++ b/nixos/lib/test-driver/src/test_driver/machine/__init__.py @@ -1587,7 +1587,7 @@ def _execute( # NOTE If the test calls switch-to-configuration (with a differently configured specialization) # this will use the /etc/profile of the new specialisation while `QemuMachine` nodes # will continue to use the original /etc/profile. - command = f"set -eo pipefail; source /etc/profile; set -u; {command}" + command = f"set -eo pipefail; USER=root HOME=/root source /etc/profile; set -u; {command}" cp = subprocess.run( [ diff --git a/nixos/tests/simple-container.nix b/nixos/tests/simple-container.nix index 2698534236518..5cd3478f3d406 100644 --- a/nixos/tests/simple-container.nix +++ b/nixos/tests/simple-container.nix @@ -1,11 +1,16 @@ { name = "simple-container"; - containers.machine = { }; + containers = { + machine = { pkgs, ... }: { + users.users.root.packages = [ pkgs.hello ]; + }; + noprofile = { }; + }; testScript = '' start_all() - machine.wait_for_unit("multi-user.target") - machine.shutdown() + machine.succeed("hello") + noprofile.fail("hello") ''; } From 105327541bf13621cf79d3674543c17e2e5861a0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Wed, 24 Jun 2026 12:17:06 +0200 Subject: [PATCH 122/133] Reapply "staging-nixos merge for 2026-06-19" (#534864) This reverts commit 532f984da08d27af048ed8664238f97f38ede850, reversing changes made to 421ceaeef8fa1bb8b0729aec488d42b3af69a3fa. --- doc/release-notes/rl-2611.section.md | 1 + nixos/modules/config/system-path.nix | 1 - nixos/modules/config/xdg/autostart.nix | 2 - nixos/modules/system/boot/systemd/initrd.nix | 9 +++ nixos/modules/system/etc/etc-activation.nix | 8 +++ nixos/tests/all-tests.nix | 1 + nixos/tests/systemd-initrd-non-nixos.nix | 68 +++++++++++++++++++ pkgs/by-name/ni/nixos-init/src/find_etc.rs | 17 ++++- pkgs/by-name/ni/nixos-init/src/lib.rs | 51 ++++++++------ pkgs/by-name/st/strace/package.nix | 4 +- .../os-specific/linux/kernel/kernels-org.json | 4 +- 11 files changed, 135 insertions(+), 31 deletions(-) create mode 100644 nixos/tests/systemd-initrd-non-nixos.nix diff --git a/doc/release-notes/rl-2611.section.md b/doc/release-notes/rl-2611.section.md index 27bff446bb6e4..d9e27a469008f 100644 --- a/doc/release-notes/rl-2611.section.md +++ b/doc/release-notes/rl-2611.section.md @@ -10,6 +10,7 @@ +- Paths under `/etc/xdg/` from packages in `environment.systemPackages` are no longer linked into the global `/etc/` by default. Modules depending on such directories must declare them explicitly using `environment.pathsToLink`. - `databricks-cli` has been updated from `0.290.2` to `1.x.x`, the first major release. OAuth tokens for interactive logins (`auth_type = databricks-cli`) are now stored in the OS-native secure store by default (Secret Service on Linux) instead of `~/.databricks/token-cache.json`; cached tokens from older versions are not migrated, so run `databricks auth login` once per profile after upgrading. To keep the previous file-backed storage, set `DATABRICKS_AUTH_STORAGE=plaintext` or add `auth_storage = plaintext` under `[__settings__]` in `~/.databrickscfg`. Additionally, the `vector_search_endpoints` DABs resource renamed `min_qps` to `target_qps` (and the `vector-search-endpoints` command renamed `--min-qps` to `--target-qps`). See the [upstream changelog](https://github.com/databricks/cli/blob/main/CHANGELOG.md) for details. - `hurl` has been updated to `8.x.x` which has some breaking changes. See [upstream changelog](https://github.com/Orange-OpenSource/hurl/releases/tag/8.0.0) for details. diff --git a/nixos/modules/config/system-path.nix b/nixos/modules/config/system-path.nix index c014f00da6059..5776c8ede4137 100644 --- a/nixos/modules/config/system-path.nix +++ b/nixos/modules/config/system-path.nix @@ -187,7 +187,6 @@ in environment.pathsToLink = [ "/bin" - "/etc/xdg" "/etc/gtk-2.0" "/etc/gtk-3.0" "/lib" # FIXME: remove and update debug-info.nix diff --git a/nixos/modules/config/xdg/autostart.nix b/nixos/modules/config/xdg/autostart.nix index 46c90ae1793a9..a266b046de1a6 100644 --- a/nixos/modules/config/xdg/autostart.nix +++ b/nixos/modules/config/xdg/autostart.nix @@ -22,8 +22,6 @@ }; config = { - # FIXME this does not actually work because "/etc/xdg" is linked - # unconditionally in `nixos/modules/config/system-path.nix` environment.pathsToLink = lib.mkIf config.xdg.autostart.install [ "/etc/xdg/autostart" ]; diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix index 6a52b920c2e25..311bf9cc9aa1e 100644 --- a/nixos/modules/system/boot/systemd/initrd.nix +++ b/nixos/modules/system/boot/systemd/initrd.nix @@ -774,6 +774,7 @@ in ]; }; serviceConfig.Type = "oneshot"; + serviceConfig.EnvironmentFile = "-/etc/switch-root.conf"; description = "NixOS Activation"; script = # bash @@ -781,6 +782,14 @@ in set -uo pipefail export PATH="/bin:${cfg.package.util-linux}/bin" + # A non-NixOS closure (e.g. init=/bin/sh) has no prepare-root; + # initrd-find-nixos-closure records this as a non-empty NEW_INIT. + # Skip activation and let initrd-switch-root hand over to it directly. + if [ -n "''${NEW_INIT:-}" ]; then + echo "$NEW_INIT is not a NixOS system - not activating" + exit 0 + fi + closure="$(realpath /nixos-closure)" # Initialize the system diff --git a/nixos/modules/system/etc/etc-activation.nix b/nixos/modules/system/etc/etc-activation.nix index b00c25e378024..31842fc9c0c62 100644 --- a/nixos/modules/system/etc/etc-activation.nix +++ b/nixos/modules/system/etc/etc-activation.nix @@ -71,6 +71,10 @@ RequiresMountsFor = [ "/sysroot/nix/store" ]; + # find-etc only creates this symlink for a NixOS init. For a + # non-NixOS init= (e.g. init=/bin/sh) it is absent, so skip the + # mount instead of failing the whole initrd. + ConditionPathExists = "/etc-metadata-image"; }; requires = [ config.boot.initrd.systemd.services.initrd-find-etc.name @@ -123,6 +127,8 @@ "/run/nixos-etc-metadata" ]; DefaultDependencies = false; + # Skip for a non-NixOS init=, see the metadata mount above. + ConditionPathExists = "/etc-basedir"; }; } ]; @@ -140,6 +146,8 @@ # before the overlay is mounted. "/run/nixos-etc-metadata" ]; + # Skip for a non-NixOS init=, see the metadata mount above. + ConditionPathExists = "/etc-metadata-image"; }; serviceConfig = { Type = "oneshot"; diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 1c760d0648f0e..d8971bd745e32 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -1645,6 +1645,7 @@ in "i686-linux" ] ./initrd-network-openvpn { systemdStage1 = true; }; systemd-initrd-networkd-ssh = runTest ./systemd-initrd-networkd-ssh.nix; + systemd-initrd-non-nixos = runTest ./systemd-initrd-non-nixos.nix; systemd-initrd-shutdown = runTest { imports = [ ./systemd-shutdown.nix ]; _module.args.systemdStage1 = true; diff --git a/nixos/tests/systemd-initrd-non-nixos.nix b/nixos/tests/systemd-initrd-non-nixos.nix new file mode 100644 index 0000000000000..0f564af6504aa --- /dev/null +++ b/nixos/tests/systemd-initrd-non-nixos.nix @@ -0,0 +1,68 @@ +{ lib, pkgs, ... }: +let + marker = "REACHED NON-NIXOS INIT AS PID 1"; + + # A non-NixOS init (no prepare-root). We use a store path, not literal + # /bin/sh: a fresh disk has no /bin/sh yet (it is created by the activation a + # non-NixOS init skips), while the store is always mounted; init=/bin/sh works + # the same on a real system. Writes a marker, then stays alive so PID 1 lives. + nonNixosInit = pkgs.writeShellScriptBin "non-nixos" '' + echo "${marker}" > /dev/console + exec ${pkgs.coreutils}/bin/sleep infinity + ''; + + common = { + boot.initrd.systemd.enable = true; + + virtualisation = { + # tmpfs root, like real non-NixOS closure init= microvm consumers. + diskImage = null; + + graphics = false; + }; + + # Speed up wait_for_console. + boot.consoleLogLevel = lib.mkForce 3; + boot.initrd.systemd.managerEnvironment.SYSTEMD_LOG_LEVEL = "warning"; + + # switch-root needs an os-release on the target root. A real system has one + # on disk; our fresh tmpfs does not, so create it. + boot.initrd.systemd.tmpfiles.settings."10-os-release"."/sysroot/etc/os-release".f = { + mode = "0644"; + argument = "ID=test-non-nixos"; + }; + }; +in +{ + name = "systemd-initrd-non-nixos"; + + nodes = { + bashActivation = common; + + nixosInit = { + imports = [ common ]; + system.nixos-init.enable = true; + system.etc.overlay.enable = true; + services.userborn.enable = true; + }; + }; + + testScript = '' + import os + + # The last init= on the cmdline wins; QEMU_KERNEL_PARAMS is appended after + # the default one, so this boots our non-NixOS init. + os.environ["QEMU_KERNEL_PARAMS"] = "init=${lib.getExe nonNixosInit}" + + start_all() + + # If a code path does not skip the non-NixOS init, switch-root is blocked and + # the machine drops to emergency mode: the marker never appears and the wait + # times out. + with subtest("bash initrd-nixos-activation skips a non-NixOS init"): + bashActivation.wait_for_console_text("${marker}", timeout=300) + + with subtest("nixos-init switches to a non-NixOS init directly"): + nixosInit.wait_for_console_text("${marker}", timeout=300) + ''; +} diff --git a/pkgs/by-name/ni/nixos-init/src/find_etc.rs b/pkgs/by-name/ni/nixos-init/src/find_etc.rs index 8b994e1d75343..d06f7bbb0114e 100644 --- a/pkgs/by-name/ni/nixos-init/src/find_etc.rs +++ b/pkgs/by-name/ni/nixos-init/src/find_etc.rs @@ -3,7 +3,7 @@ use std::{os::unix, path::Path}; use anyhow::{Context, Result}; use crate::config::Config; -use crate::{SYSROOT_PATH, find_toplevel_in_prefix, resolve_in_prefix}; +use crate::{SYSROOT_PATH, find_init_in_prefix, resolve_in_prefix, verify_init_is_nixos}; /// Entrypoint for the `find-etc` binary. /// @@ -12,7 +12,20 @@ use crate::{SYSROOT_PATH, find_toplevel_in_prefix, resolve_in_prefix}; /// This avoids needing a reference to the toplevel embedded in the initrd and thus reduces the /// need to re-build it. pub fn find_etc() -> Result<()> { - let toplevel = find_toplevel_in_prefix(SYSROOT_PATH)?; + let init_in_sysroot = + find_init_in_prefix(SYSROOT_PATH).context("Failed to find init in sysroot")?; + + // A non-NixOS init= (e.g. init=/bin/sh) has no etc metadata image. Skip + // without creating the symlinks: the etc-overlay mounts are gated on them + // and so skip too, and initrd-init switches root to the init directly. + let Ok(toplevel) = verify_init_is_nixos(SYSROOT_PATH, &init_in_sysroot) else { + log::info!( + "{} is not a NixOS system - not setting up the etc overlay.", + init_in_sysroot.display() + ); + return Ok(()); + }; + let config = Config::from_toplevel(&toplevel, SYSROOT_PATH)?; let basedir = config diff --git a/pkgs/by-name/ni/nixos-init/src/lib.rs b/pkgs/by-name/ni/nixos-init/src/lib.rs index c781757c9b820..bbb4abdb829b5 100644 --- a/pkgs/by-name/ni/nixos-init/src/lib.rs +++ b/pkgs/by-name/ni/nixos-init/src/lib.rs @@ -27,16 +27,6 @@ pub use crate::{ pub const SYSROOT_PATH: &str = "/sysroot"; -/// Find the path to the toplevel closure of the system in a prefix. -/// -/// Uses the `init=` parameter on the kernel command-line. -/// -/// Returns the relative path of the init to the prefix, e.g. without the `/sysroot` prefix. -pub fn find_toplevel_in_prefix(prefix: &str) -> Result { - let init_in_sysroot = find_init_in_prefix(prefix)?; - verify_init_is_nixos(prefix, init_in_sysroot) -} - /// Verify that an init path is inside a `NixOS` toplevel directory. /// /// If the path is verified, returns the path to the toplevel. @@ -87,20 +77,16 @@ pub fn find_init_in_prefix(prefix: &str) -> Result { } /// Extract the value of the `init` parameter from the given kernel `cmdline`. +/// +/// If `init=` appears multiple times the last one wins, matching the kernel. +/// This is what makes appending `init=/bin/sh` at the boot prompt work even +/// though the boot entry already has an `init=`. fn extract_init(cmdline: &str) -> Result { - let init_params: Vec<&str> = cmdline + let init = cmdline .split_ascii_whitespace() - .filter(|p| p.starts_with("init=")) - .collect(); - - if init_params.len() != 1 { - bail!("Expected exactly one init param on kernel cmdline: {cmdline}") - } - - let init = init_params - .first() - .and_then(|s| s.split('=').next_back()) - .context("Failed to extract init path from kernel cmdline: {cmdline}")?; + .filter_map(|p| p.strip_prefix("init=")) + .next_back() + .with_context(|| format!("No init= parameter on kernel cmdline: {cmdline}"))?; Ok(PathBuf::from(init)) } @@ -129,4 +115,25 @@ mod tests { Ok(()) } + + #[test] + fn test_extract_init_single() { + assert_eq!( + extract_init("root=fstab init=/nix/store/xxx-nixos/init quiet").unwrap(), + PathBuf::from("/nix/store/xxx-nixos/init") + ); + } + + #[test] + fn test_extract_init_last_wins() { + assert_eq!( + extract_init("init=/nix/store/xxx-nixos/init init=/bin/sh").unwrap(), + PathBuf::from("/bin/sh") + ); + } + + #[test] + fn test_extract_init_missing() { + assert!(extract_init("root=fstab quiet").is_err()); + } } diff --git a/pkgs/by-name/st/strace/package.nix b/pkgs/by-name/st/strace/package.nix index 86f8b0fa4c42a..77345bd6a3ae7 100644 --- a/pkgs/by-name/st/strace/package.nix +++ b/pkgs/by-name/st/strace/package.nix @@ -11,11 +11,11 @@ stdenv.mkDerivation (finalAttrs: { pname = "strace"; - version = "7.0"; + version = "7.1"; src = fetchurl { url = "https://strace.io/files/${finalAttrs.version}/strace-${finalAttrs.version}.tar.xz"; - hash = "sha256-bJJBm+Py7FYLMXKKRlIhfFmGTIZCunsbN3GxsBOtB0s="; + hash = "sha256-gXQ+zypbRBhrL1A4r9yL7aflxwrtFbT7+8xuns4kSQ8="; }; separateDebugInfo = true; diff --git a/pkgs/os-specific/linux/kernel/kernels-org.json b/pkgs/os-specific/linux/kernel/kernels-org.json index d3dd8012c5089..54ff5434cfe31 100644 --- a/pkgs/os-specific/linux/kernel/kernels-org.json +++ b/pkgs/os-specific/linux/kernel/kernels-org.json @@ -30,8 +30,8 @@ "lts": true }, "6.18": { - "version": "6.18.35", - "hash": "sha256:0dpjprjzc4w44kw49jcgx1ffrm6gxn2gsnsz3hhmw4hr4a9h51pp", + "version": "6.18.36", + "hash": "sha256:0kn4r43lnd5nb5c298b30030qyaxv05s7k40n9si1j3iyk4qdazv", "lts": true }, "7.0": { From fef886e90e8cd5a722669efc571d7083650809e5 Mon Sep 17 00:00:00 2001 From: Atemu Date: Wed, 24 Jun 2026 01:19:04 +0200 Subject: [PATCH 123/133] openblas: disable checks on i686-linux (cherry picked from commit 89e0f58061bbae3fb73505d8fd7366bdeca08f28) --- pkgs/development/libraries/science/math/openblas/default.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/development/libraries/science/math/openblas/default.nix b/pkgs/development/libraries/science/math/openblas/default.nix index 4acddd306b5f8..97b7596b937c5 100644 --- a/pkgs/development/libraries/science/math/openblas/default.nix +++ b/pkgs/development/libraries/science/math/openblas/default.nix @@ -271,7 +271,9 @@ stdenv.mkDerivation (finalAttrs: { (lib.cmakeBool "USE_OPENMP" false) # openblas will refuse building with both USE_OPENMP=ON and USE_THREAD=OFF ]; - doCheck = true; + # FIXME: this broke some time between a0374025a863d007d98e3297f6aa46cc3141c2f0 and 34268251cf5547d39063f2c5ea9a196246f7f3a6 + # This just serves to unbreak stable + doCheck = stdenv.hostPlatform.system != "i686-linux"; postInstall = '' # Provide headers in /include directly for compat with some consumers like flint From 1d5fe677aaf34eee3e2d310416ac0b2826d80c30 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 24 Jun 2026 16:06:45 +0200 Subject: [PATCH 124/133] python3Packages.scikit-bio: reduce openmp threads during tests The tests finish quickly enough with just a single OpenMP thread and this prevents it from becoming a scheduling nightmare on hydra. --- pkgs/development/python-modules/scikit-bio/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/development/python-modules/scikit-bio/default.nix b/pkgs/development/python-modules/scikit-bio/default.nix index 1190d875005a6..c909d8d66d08a 100644 --- a/pkgs/development/python-modules/scikit-bio/default.nix +++ b/pkgs/development/python-modules/scikit-bio/default.nix @@ -62,6 +62,10 @@ buildPythonPackage (finalAttrs: { pytestCheckHook ]; + preCheck = '' + export OMP_NUM_THREADS=1 + ''; + # only the $out dir contains the built cython extensions, so we run the tests inside there enabledTestPaths = [ "${placeholder "out"}/${python.sitePackages}/skbio" ]; From d7ab41af3fe3af22b78b7d842964abed1b3e3abf Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 24 Jun 2026 16:38:22 +0200 Subject: [PATCH 125/133] python3Packages.captum: reduce openmp threads during tests --- pkgs/development/python-modules/captum/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkgs/development/python-modules/captum/default.nix b/pkgs/development/python-modules/captum/default.nix index 32889473641c0..455eac5c5fc15 100644 --- a/pkgs/development/python-modules/captum/default.nix +++ b/pkgs/development/python-modules/captum/default.nix @@ -2,7 +2,6 @@ lib, stdenv, fetchFromGitHub, - fetchpatch, buildPythonPackage, pytestCheckHook, setuptools, @@ -53,6 +52,10 @@ buildPythonPackage rec { scikit-learn ]; + preCheck = '' + export OMP_NUM_THREADS=1 + ''; + disabledTestPaths = lib.optionals stdenv.hostPlatform.isDarwin [ # These tests may fail if multiple builds run them at the same time due From dbb77388c90ee297214b3de8167781f931df2507 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 24 Jun 2026 17:00:27 +0200 Subject: [PATCH 126/133] python3Packages.mace-torch: reduce openmp threads during tests --- pkgs/development/python-modules/mace-torch/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/development/python-modules/mace-torch/default.nix b/pkgs/development/python-modules/mace-torch/default.nix index 3c8b486f643bc..4ed39d4797827 100644 --- a/pkgs/development/python-modules/mace-torch/default.nix +++ b/pkgs/development/python-modules/mace-torch/default.nix @@ -82,6 +82,10 @@ buildPythonPackage (finalAttrs: { writableTmpDirAsHomeHook ]; + preCheck = '' + export OMP_NUM_THREADS=1 + ''; + disabledTests = [ # _pickle.PickleError: ScriptFunction cannot be pickled "test_run_eval_fail_with_wrong_model" From adc70fc450ba544a10c35389f5071d5861feab6d Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 24 Jun 2026 18:14:24 +0200 Subject: [PATCH 127/133] home-assistant: backport pyjwt 2.13.0 support --- pkgs/servers/home-assistant/default.nix | 3 ++ .../patches/pyjwt-2.13-compat.patch | 48 +++++++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 pkgs/servers/home-assistant/patches/pyjwt-2.13-compat.patch diff --git a/pkgs/servers/home-assistant/default.nix b/pkgs/servers/home-assistant/default.nix index 5ca1e26dfea4c..8de81bf72298e 100644 --- a/pkgs/servers/home-assistant/default.nix +++ b/pkgs/servers/home-assistant/default.nix @@ -324,6 +324,9 @@ python3Packages.buildPythonApplication rec { (replaceVars ./patches/ffmpeg-path.patch { ffmpeg = "${lib.getExe ffmpeg-headless}"; }) + + # https://github.com/home-assistant/core/pull/172893 + ./patches/pyjwt-2.13-compat.patch ]; postPatch = '' diff --git a/pkgs/servers/home-assistant/patches/pyjwt-2.13-compat.patch b/pkgs/servers/home-assistant/patches/pyjwt-2.13-compat.patch new file mode 100644 index 0000000000000..4f72df241c555 --- /dev/null +++ b/pkgs/servers/home-assistant/patches/pyjwt-2.13-compat.patch @@ -0,0 +1,48 @@ +diff --git a/homeassistant/auth/__init__.py b/homeassistant/auth/__init__.py +index d4b86febd1d..0edd0edd69b 100644 +--- a/homeassistant/auth/__init__.py ++++ b/homeassistant/auth/__init__.py +@@ -656,6 +656,8 @@ class AuthManager: + try: + unverif_claims = jwt_wrapper.unverified_hs256_token_decode(token) + except jwt.InvalidTokenError: ++ # PyJWT 2.13 raises InvalidKeyError (not an InvalidTokenError) when ++ # the refresh token's key has been removed and is therefore empty. + return None + + refresh_token = self.async_get_refresh_token( +@@ -673,7 +675,7 @@ class AuthManager: + jwt_wrapper.verify_and_decode( + token, jwt_key, leeway=10, issuer=issuer, algorithms=["HS256"] + ) +- except jwt.InvalidTokenError: ++ except jwt.InvalidTokenError, jwt.InvalidKeyError: + return None + + if refresh_token is None or not refresh_token.user.is_active: +diff --git a/homeassistant/components/html5/notify.py b/homeassistant/components/html5/notify.py +index 24b395748d8..3424749e86d 100644 +--- a/homeassistant/components/html5/notify.py ++++ b/homeassistant/components/html5/notify.py +@@ -327,7 +327,7 @@ class HTML5PushCallbackView(HomeAssistantView): + if target_check.get(ATTR_TARGET) in self.registrations: + possible_target = self.registrations[target_check[ATTR_TARGET]] + key = possible_target["subscription"]["keys"]["auth"] +- with suppress(jwt.exceptions.DecodeError), warnings.catch_warnings(): ++ with suppress(jwt.exceptions.DecodeError, jwt.exceptions.InvalidKeyError), warnings.catch_warnings(): + warnings.simplefilter("ignore", InsecureKeyLengthWarning) + return jwt.decode(token, key, algorithms=["ES256", "HS256"]) + +diff --git a/tests/components/elmax/conftest.py b/tests/components/elmax/conftest.py +index 02f01036996..c9c3f13e9e3 100644 +--- a/tests/components/elmax/conftest.py ++++ b/tests/components/elmax/conftest.py +@@ -82,7 +82,7 @@ def httpx_mock_direct_fixture(base_uri: str) -> Generator[respx.MockRouter]: + expiration = datetime.now() + timedelta(hours=1) + decoded_jwt["payload"]["exp"] = int(expiration.timestamp()) + jws_string = jwt.encode( +- payload=decoded_jwt["payload"], algorithm="HS256", key="" ++ payload=decoded_jwt["payload"], algorithm="HS256", key="test" + ) + login_json["token"] = f"JWT {jws_string}" + login_route.return_value = Response(200, json=login_json) From b153953686370a8dc14231db115b058b137644de Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 25 Jun 2026 00:30:22 +0200 Subject: [PATCH 128/133] python3Packages.torch-geometric: reduce openmp threads during tests --- pkgs/development/python-modules/torch-geometric/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/development/python-modules/torch-geometric/default.nix b/pkgs/development/python-modules/torch-geometric/default.nix index 06863712e7c5b..839f5c8e02e5b 100644 --- a/pkgs/development/python-modules/torch-geometric/default.nix +++ b/pkgs/development/python-modules/torch-geometric/default.nix @@ -185,6 +185,10 @@ buildPythonPackage (finalAttrs: { writableTmpDirAsHomeHook ]; + preCheck = '' + export OMP_NUM_THREADS=1 + ''; + pytestFlags = [ # DeprecationWarning: Failing to pass a value to the 'type_params' parameter of # 'typing._eval_type' is deprecated, as it leads to incorrect behaviour when calling From b6e39b216d88ce807410f1e05908d9cdbb4afb39 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 25 Jun 2026 00:44:12 +0200 Subject: [PATCH 129/133] python3Packages.x-transformers: limit openmp threads during tests --- pkgs/development/python-modules/x-transformers/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/development/python-modules/x-transformers/default.nix b/pkgs/development/python-modules/x-transformers/default.nix index 16d3dff4fd61b..1496775f5eec8 100644 --- a/pkgs/development/python-modules/x-transformers/default.nix +++ b/pkgs/development/python-modules/x-transformers/default.nix @@ -42,6 +42,10 @@ buildPythonPackage (finalAttrs: { nativeCheckInputs = [ pytestCheckHook ]; + preCheck = '' + export OMP_NUM_THREADS=1 + ''; + # RuntimeError: torch.compile is not supported on Python 3.14+ disabledTests = lib.optionals (pythonAtLeast "3.14") [ "test_up" ]; From 0eaf2dd6bd7827463977f16a06aca7a017bd9d4c Mon Sep 17 00:00:00 2001 From: Ryan Omasta Date: Wed, 24 Jun 2026 23:24:13 -0600 Subject: [PATCH 130/133] perl5Packages.ModuleCPANTSAnalyse: skip failing test --- pkgs/top-level/perl-packages.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix index 33583a11471c5..3cf8a274f5832 100644 --- a/pkgs/top-level/perl-packages.nix +++ b/pkgs/top-level/perl-packages.nix @@ -22106,6 +22106,12 @@ with self; url = "mirror://cpan/authors/id/I/IS/ISHIGAKI/Module-CPANTS-Analyse-1.02.tar.gz"; hash = "sha256-nhFzm5zQi6LXWllzfx+yl/RYA/KJBjxcdZv8eP1Rbns="; }; + + # Fails with 'symlinks not listed in MANIFEST is not ignored for a non-local distribution' + postPatch = '' + rm -f t/analyse/manifest.t + ''; + propagatedBuildInputs = [ ArchiveAnyLite ArrayDiff From d1be3d60e2488f9b73a7171da9cb259e775e46ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Thu, 25 Jun 2026 08:08:22 +0200 Subject: [PATCH 131/133] Revert "kdePackages.plasma-workspace: backport patch for Qt 6.11.1 regression" This reverts commit c5cd03ad0d9e333731b36d2c627661614ad35214. The patch is already included in the current source. https://hydra.nixos.org/build/332720971/nixlog/2/tail --- pkgs/kde/plasma/plasma-workspace/default.nix | 7 ------- 1 file changed, 7 deletions(-) diff --git a/pkgs/kde/plasma/plasma-workspace/default.nix b/pkgs/kde/plasma/plasma-workspace/default.nix index 26211754685f2..d7a60c7853185 100644 --- a/pkgs/kde/plasma/plasma-workspace/default.nix +++ b/pkgs/kde/plasma/plasma-workspace/default.nix @@ -25,7 +25,6 @@ libqalculate, pipewire, gpsd, - fetchpatch, }: mkKdeDerivation { pname = "plasma-workspace"; @@ -43,12 +42,6 @@ mkKdeDerivation { # stop accidentally duplicating fontconfig configs ./fontconfig.patch - - # backport qt 6.11.1 regression workaround - (fetchpatch { - url = "https://invent.kde.org/plasma/plasma-workspace/-/commit/31a64dfa1a71ab1b6a495f2f44132c86858acb8f.diff"; - hash = "sha256-j+AEdDlutDuXmYdK8BJH8bgDF9gieCkbFJK8di+9nxk="; - }) ]; outputs = [ From 56913ae775f990b0bc49730e5fad21c64942c917 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 25 Jun 2026 10:38:05 +0200 Subject: [PATCH 132/133] python3Packages.rq: disable racy test It reaps a worker and checks if it has been removed right after, but this is apparently racy. --- pkgs/development/python-modules/rq/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pkgs/development/python-modules/rq/default.nix b/pkgs/development/python-modules/rq/default.nix index a53e08d86223c..0efb763e3694d 100644 --- a/pkgs/development/python-modules/rq/default.nix +++ b/pkgs/development/python-modules/rq/default.nix @@ -76,6 +76,10 @@ buildPythonPackage (finalAttrs: { # PermissionError: [Errno 13] Permission denied: '/tmp/rq-tests.txt' "test_deleted_jobs_arent_executed" "test_suspend_worker_execution" + ] + ++ lib.optionals stdenv.hostPlatform.isLinux [ + # no delay between reaping worker and checking; racy + "test_reap_workers" ]; pythonImportsCheck = [ "rq" ]; From bc00d2562d0095193d1707c9a4a382fa059458f6 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Thu, 25 Jun 2026 11:15:07 +0200 Subject: [PATCH 133/133] python3Packages.linearomdels: reduce openmp threads during tests --- pkgs/development/python-modules/linearmodels/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkgs/development/python-modules/linearmodels/default.nix b/pkgs/development/python-modules/linearmodels/default.nix index 9a5ae03ffe5f0..d67690e48774c 100644 --- a/pkgs/development/python-modules/linearmodels/default.nix +++ b/pkgs/development/python-modules/linearmodels/default.nix @@ -67,6 +67,8 @@ buildPythonPackage (finalAttrs: { preCheck = '' rm linearmodels/__init__.py + + export OMP_NUM_THREADS=1 ''; disabledTestPaths = [