commit 4d8b4225b562d20d57474a30b03c1604aa9c10fc · pyrox.dev/nixpkgs

+7

.github/labeler-no-sync.yml

··· 22 - doc/**/* 23 - nixos/doc/**/* 24 25 "backport release-25.05": 26 - any: 27 - changed-files:

··· 22 - doc/**/* 23 - nixos/doc/**/* 24 25 + "backport release-24.11": 26 + - any: 27 + - changed-files: 28 + - any-glob-to-any-file: 29 + - .github/workflows/* 30 + - ci/**/*.* 31 + 32 "backport release-25.05": 33 - any: 34 - changed-files:

-30

.github/workflows/dismissed-review.yml

··· 1 - name: Dismissed Review 2 - 3 - on: 4 - pull_request_review: 5 - types: [dismissed] 6 - 7 - permissions: 8 - pull-requests: write 9 - 10 - jobs: 11 - # The check-cherry-picks workflow creates review comments, 12 - # that should sometimes be manually dismissed. 13 - # When a CI-generated review is dismissed, this job automatically 14 - # minimizes it, to prevent it from cluttering the PR. 15 - minimize: 16 - name: Minimize as resolved 17 - if: github.event.review.user.login == 'github-actions[bot]' 18 - runs-on: ubuntu-24.04-arm 19 - steps: 20 - - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 21 - with: 22 - script: | 23 - await github.graphql(`mutation($node_id:ID!) { 24 - minimizeComment(input: { 25 - classifier: RESOLVED, 26 - subjectId: $node_id 27 - }) 28 - { clientMutationId } 29 - }`, { node_id: context.payload.review.node_id }) 30 -

···

+1

ci/OWNERS

··· 227 /nixos/tests/snapcast.nix @mweinelt 228 229 # Browsers 230 /pkgs/applications/networking/browsers/firefox @mweinelt 231 /pkgs/applications/networking/browsers/chromium @emilylange @networkException 232 /nixos/tests/chromium.nix @emilylange @networkException

··· 227 /nixos/tests/snapcast.nix @mweinelt 228 229 # Browsers 230 + /pkgs/applications/networking/browsers/librewolf @squalus @DominicWrege @fpletz @LordGrimmauld 231 /pkgs/applications/networking/browsers/firefox @mweinelt 232 /pkgs/applications/networking/browsers/chromium @emilylange @networkException 233 /nixos/tests/chromium.nix @emilylange @networkException

+2 -22

ci/README.md

··· 7 8 CI may need certain packages from Nixpkgs. 9 In order to ensure that the needed packages are generally available without building, 10 - [`pinned-nixpkgs.json`](./pinned-nixpkgs.json) contains a pinned Nixpkgs version tested by Hydra. 11 12 - Run [`update-pinned-nixpkgs.sh`](./update-pinned-nixpkgs.sh) to update it. 13 14 ## `ci/nixpkgs-vet.sh BASE_BRANCH [REPOSITORY]` 15 ··· 20 21 - `BASE_BRANCH`: The base branch to use, e.g. master or release-24.05 22 - `REPOSITORY`: The repository from which to fetch the base branch. Defaults to <https://github.com/NixOS/nixpkgs.git>. 23 - 24 - ## `ci/nixpkgs-vet` 25 - 26 - This directory contains scripts and files used and related to [`nixpkgs-vet`](https://github.com/NixOS/nixpkgs-vet/), which the CI uses to implement `pkgs/by-name` checks, along with many other Nixpkgs architecture rules. 27 - See also the [CI GitHub Action](../.github/workflows/nixpkgs-vet.yml). 28 - 29 - ## `ci/nixpkgs-vet/update-pinned-tool.sh` 30 - 31 - Updates the pinned [`nixpkgs-vet` tool](https://github.com/NixOS/nixpkgs-vet) in [`ci/nixpkgs-vet/pinned-version.txt`](./nixpkgs-vet/pinned-version.txt) to the latest [release](https://github.com/NixOS/nixpkgs-vet/releases). 32 - 33 - Each release contains a pre-built `x86_64-linux` version of the tool which is used by CI. 34 - 35 - This script currently needs to be called manually when the CI tooling needs to be updated. 36 - 37 - Why not just build the tooling right from the PRs Nixpkgs version? 38 - 39 - - Because it allows CI to check all PRs, even if they would break the CI tooling. 40 - - Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds. 41 - - Because it improves security, since we don't have to build potentially untrusted code from PRs. 42 - The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).

··· 7 8 CI may need certain packages from Nixpkgs. 9 In order to ensure that the needed packages are generally available without building, 10 + [`pinned.json`](./pinned.json) contains a pinned Nixpkgs version tested by Hydra. 11 12 + Run [`update-pinned.sh`](./update-pinned.sh) to update it. 13 14 ## `ci/nixpkgs-vet.sh BASE_BRANCH [REPOSITORY]` 15 ··· 20 21 - `BASE_BRANCH`: The base branch to use, e.g. master or release-24.05 22 - `REPOSITORY`: The repository from which to fetch the base branch. Defaults to <https://github.com/NixOS/nixpkgs.git>.

+1 -1

ci/codeowners-validator/default.nix

··· 20 }) 21 # Undoes part of the above PR: We don't want to require write access 22 # to the repository, that's only needed for GitHub's native CODEOWNERS. 23 - # Furthermore, it removes an unneccessary check from the code 24 # that breaks tokens generated for GitHub Apps. 25 ./permissions.patch 26 # Allows setting a custom CODEOWNERS path using the OWNERS_FILE env var

··· 20 }) 21 # Undoes part of the above PR: We don't want to require write access 22 # to the repository, that's only needed for GitHub's native CODEOWNERS. 23 + # Furthermore, it removes an unnecessary check from the code 24 # that breaks tokens generated for GitHub Apps. 25 ./permissions.patch 26 # Allows setting a custom CODEOWNERS path using the OWNERS_FILE env var

+5 -6

ci/default.nix

··· 1 let 2 - pinnedNixpkgs = builtins.fromJSON (builtins.readFile ./pinned-nixpkgs.json); 3 in 4 { 5 system ? builtins.currentSystem, ··· 10 nixpkgs' = 11 if nixpkgs == null then 12 fetchTarball { 13 - url = "https://github.com/NixOS/nixpkgs/archive/${pinnedNixpkgs.rev}.tar.gz"; 14 - sha256 = pinnedNixpkgs.sha256; 15 } 16 else 17 nixpkgs; ··· 25 fmt = 26 let 27 treefmtNixSrc = fetchTarball { 28 - # Master at 2025-02-12 29 - url = "https://github.com/numtide/treefmt-nix/archive/4f09b473c936d41582dd744e19f34ec27592c5fd.tar.gz"; 30 - sha256 = "051vh6raskrxw5k6jncm8zbk9fhbzgm1gxpq9gm5xw1b6wgbgcna"; 31 }; 32 treefmtEval = (import treefmtNixSrc).evalModule pkgs { 33 # Important: The auto-rebase script uses `git filter-branch --tree-filter`,

··· 1 let 2 + pinned = (builtins.fromJSON (builtins.readFile ./pinned.json)).pins; 3 in 4 { 5 system ? builtins.currentSystem, ··· 10 nixpkgs' = 11 if nixpkgs == null then 12 fetchTarball { 13 + inherit (pinned.nixpkgs) url; 14 + sha256 = pinned.nixpkgs.hash; 15 } 16 else 17 nixpkgs; ··· 25 fmt = 26 let 27 treefmtNixSrc = fetchTarball { 28 + inherit (pinned.treefmt-nix) url; 29 + sha256 = pinned.treefmt-nix.hash; 30 }; 31 treefmtEval = (import treefmtNixSrc).evalModule pkgs { 32 # Important: The auto-rebase script uses `git filter-branch --tree-filter`,

-3

ci/nixpkgs-vet.sh

··· 61 trace -n "Merging base branch into the HEAD commit in $tmp/merged.. " 62 git -C "$tmp/merged" merge -q --no-edit "$baseSha" 63 trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m" 64 - trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. " 65 - toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt") 66 - trace -e "\e[34m$toolVersion\e[0m" 67 68 trace "Running nixpkgs-vet.." 69 nix-build ci -A nixpkgs-vet --argstr base "$tmp/base" --argstr head "$tmp/merged"

··· 61 trace -n "Merging base branch into the HEAD commit in $tmp/merged.. " 62 git -C "$tmp/merged" merge -q --no-edit "$baseSha" 63 trace -e "\e[34m$(git -C "$tmp/merged" rev-parse HEAD)\e[0m" 64 65 trace "Running nixpkgs-vet.." 66 nix-build ci -A nixpkgs-vet --argstr base "$tmp/base" --argstr head "$tmp/merged"

-1

ci/nixpkgs-vet/pinned-version.txt

··· 1 - 0.1.4

···

-22

ci/nixpkgs-vet/update-pinned-tool.sh

··· 1 - #!/usr/bin/env nix-shell 2 - #!nix-shell -i bash -p jq curl 3 - 4 - set -o pipefail -o errexit -o nounset 5 - 6 - trace() { echo >&2 "$@"; } 7 - 8 - SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) 9 - 10 - repository=NixOS/nixpkgs-vet 11 - pin_file=$SCRIPT_DIR/pinned-version.txt 12 - 13 - trace -n "Fetching latest release of $repository.. " 14 - latestRelease=$(curl -sSfL \ 15 - -H "Accept: application/vnd.github+json" \ 16 - -H "X-GitHub-Api-Version: 2022-11-28" \ 17 - https://api.github.com/repos/"$repository"/releases/latest) 18 - latestVersion=$(jq .tag_name -r <<< "$latestRelease") 19 - trace "$latestVersion" 20 - 21 - trace "Updating $pin_file" 22 - echo "$latestVersion" > "$pin_file"

···

-4

ci/pinned-nixpkgs.json

··· 1 - { 2 - "rev": "3d1f29646e4b57ed468d60f9d286cde23a8d1707", 3 - "sha256": "1wzvc9h9a6l9wyhzh892xb5x88kxmbzxb1k8s7fizyyw2q4nqw07" 4 - }

···

+31

ci/pinned.json

···

··· 1 + { 2 + "pins": { 3 + "nixpkgs": { 4 + "type": "Git", 5 + "repository": { 6 + "type": "GitHub", 7 + "owner": "NixOS", 8 + "repo": "nixpkgs" 9 + }, 10 + "branch": "nixpkgs-unstable", 11 + "submodules": false, 12 + "revision": "8ca7ec685bbee55d6dcb326abe23945c0806c39e", 13 + "url": "https://github.com/NixOS/nixpkgs/archive/8ca7ec685bbee55d6dcb326abe23945c0806c39e.tar.gz", 14 + "hash": "1hkxm871m66mjsc4acdki32qqnpgk3n6vi3zrzns2bwlwp6ivcjx" 15 + }, 16 + "treefmt-nix": { 17 + "type": "Git", 18 + "repository": { 19 + "type": "GitHub", 20 + "owner": "numtide", 21 + "repo": "treefmt-nix" 22 + }, 23 + "branch": "main", 24 + "submodules": false, 25 + "revision": "1f3f7b784643d488ba4bf315638b2b0a4c5fb007", 26 + "url": "https://github.com/numtide/treefmt-nix/archive/1f3f7b784643d488ba4bf315638b2b0a4c5fb007.tar.gz", 27 + "hash": "13qisjalw9qvd6lkd9g8225r46j5wdjrp3zw6jrs81q2vxwdz37m" 28 + } 29 + }, 30 + "version": 5 31 + }

-17

ci/update-pinned-nixpkgs.sh

··· 1 - #!/usr/bin/env nix-shell 2 - #!nix-shell -i bash -p jq 3 - 4 - set -euo pipefail 5 - 6 - # https://stackoverflow.com/a/246128 7 - SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) 8 - 9 - repo=https://github.com/nixos/nixpkgs 10 - branch=nixpkgs-unstable 11 - file=$SCRIPT_DIR/pinned-nixpkgs.json 12 - 13 - defaultRev=$(git ls-remote "$repo" refs/heads/"$branch" | cut -f1) 14 - rev=${1:-$defaultRev} 15 - sha256=$(nix-prefetch-url --unpack "$repo/archive/$rev.tar.gz" --name source) 16 - 17 - jq -n --arg rev "$rev" --arg sha256 "$sha256" '$ARGS.named' | tee /dev/stderr > $file

···

+8

ci/update-pinned.sh

···

··· 1 + #!/usr/bin/env nix-shell 2 + #!nix-shell -i bash -p npins 3 + 4 + set -euo pipefail 5 + 6 + cd "$(dirname "${BASH_SOURCE[0]}")" 7 + 8 + npins --lock-file pinned.json update

+15

doc/languages-frameworks/go.section.md

··· 195 Defaults to `null` 196 197 198 ## Overriding `goModules` {#buildGoModule-goModules-override} 199 200 Overriding `<pkg>.goModules` by calling `goModules.overrideAttrs` is unsupported. Still, it is possible to override the `vendorHash` (`goModules`'s `outputHash`) and the `pre`/`post` hooks for both the build and patch phases of the primary and `goModules` derivation.

··· 195 Defaults to `null` 196 197 198 + ## Versioned toolchains and builders {#ssec-go-toolchain-versions} 199 + 200 + Beside `buildGoModule`, there are also versioned builders available that pin a specific Go version, like `buildGo124Module` for Go 1.24. 201 + Similar, versioned toolchains are available, like `go_1_24` for Go 1.24. 202 + Both builder and toolchain of a certain version will be removed as soon as the Go version reaches end of life. 203 + 204 + As toolchain updates in nixpkgs cause mass rebuilds and must go through the staging cycle, it can take a while until a new Go minor version is available to consumers of nixpkgs. 205 + If you want quicker access to the latest minor, use `go_latest` toolchain and `buildGoLatestModule` builder. 206 + To learn more about the Go maintenance and upgrade procedure in nixpkgs, check out the [Go toolchain/builder upgrade policy](https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/go/README.md#go-toolchainbuilder-upgrade-policy). 207 + 208 + ::: {.warning} 209 + The use of `go_latest` and `buildGoLatestModule` is restricted within nixpkgs. 210 + The [Go toolchain/builder upgrade policy](https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/go/README.md#go-toolchainbuilder-upgrade-policy) must be followed. 211 + ::: 212 + 213 ## Overriding `goModules` {#buildGoModule-goModules-override} 214 215 Overriding `<pkg>.goModules` by calling `goModules.overrideAttrs` is unsupported. Still, it is possible to override the `vendorHash` (`goModules`'s `outputHash`) and the `pre`/`post` hooks for both the build and patch phases of the primary and `goModules` derivation.

+3

doc/redirects.json

··· 3012 "ex-buildGoModule": [ 3013 "index.html#ex-buildGoModule" 3014 ], 3015 "buildGoModule-goModules-override": [ 3016 "index.html#buildGoModule-goModules-override" 3017 ],

··· 3012 "ex-buildGoModule": [ 3013 "index.html#ex-buildGoModule" 3014 ], 3015 + "ssec-go-toolchain-versions" : [ 3016 + "index.html#ssec-go-toolchain-versions" 3017 + ], 3018 "buildGoModule-goModules-override": [ 3019 "index.html#buildGoModule-goModules-override" 3020 ],

+5

doc/release-notes/rl-2505.section.md

··· 230 231 - `buildGoModule` now supports a `goSum` attribute (`null` by default) to optionally provide a path to `go.sum` and correctly enabling rebuilds when the file changes. 232 233 - top-level `playwright` now refers to the github Microsoft/playwright package 234 instead of the python tester launcher. You can still refer to the python 235 launcher via `python3Packages.toPythonApplication python3Packages.playwright`

··· 230 231 - `buildGoModule` now supports a `goSum` attribute (`null` by default) to optionally provide a path to `go.sum` and correctly enabling rebuilds when the file changes. 232 233 + - The newly added aliases `go_latest` and `buildGoLatestModule` are now available and can be use to prevent packages like `gopls` from breaking whenever the default toolchain minor version is lagging behind. 234 + It can also be used _outside of nixpkgs_ to get fast access to new Go minor versions without having to wait for a staging cycle that will update the default builder/toolchain. 235 + 236 + - A [policy documenting the details of Go toolchain and builder upgrades](https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/go/README.md#go-toolchainbuilder-upgrade-policy) in nixpkgs, as well as rules related to using non-default builders like `buildGo1xxModule` and `buildGoLatestModule` has been added in-tree. 237 + 238 - top-level `playwright` now refers to the github Microsoft/playwright package 239 instead of the python tester launcher. You can still refer to the python 240 launcher via `python3Packages.toPythonApplication python3Packages.playwright`

+1 -1

lib/attrsets.nix

··· 1747 1748 /** 1749 Get the first of the `outputs` provided by the package, or the default. 1750 - This function is alligned with `_overrideFirst()` from the `multiple-outputs.sh` setup hook. 1751 Like `getOutput`, the function is idempotent. 1752 1753 # Inputs

··· 1747 1748 /** 1749 Get the first of the `outputs` provided by the package, or the default. 1750 + This function is aligned with `_overrideFirst()` from the `multiple-outputs.sh` setup hook. 1751 Like `getOutput`, the function is idempotent. 1752 1753 # Inputs

+1 -1

lib/fixed-points.nix

··· 389 390 extensions = composeManyExtensions [ overlayA overlayB ]; 391 392 - # Caluculate the fixed point of all composed overlays. 393 fixedpoint = lib.fix (lib.extends extensions original ); 394 395 in fixedpoint

··· 389 390 extensions = composeManyExtensions [ overlayA overlayB ]; 391 392 + # Calculate the fixed point of all composed overlays. 393 fixedpoint = lib.fix (lib.extends extensions original ); 394 395 in fixedpoint

+2 -2

lib/options.nix

··· 404 ```nix 405 myType = mkOptionType { 406 name = "myType"; 407 - merge = mergeDefaultOption; # <- This line is redundant. It is the default aready. 408 }; 409 ``` 410 ··· 470 args@{ 471 message, 472 # WARNING: the default merge function assumes that the definition is a valid (option) value. You MUST pass a merge function if the return value needs to be 473 - # - type checked beyond what .check does (which should be very litte; only on the value head; not attribute values, etc) 474 # - if you want attribute values to be checked, or list items 475 # - if you want coercedTo-like behavior to work 476 merge ? loc: defs: (head defs).value,

··· 404 ```nix 405 myType = mkOptionType { 406 name = "myType"; 407 + merge = mergeDefaultOption; # <- This line is redundant. It is the default already. 408 }; 409 ``` 410 ··· 470 args@{ 471 message, 472 # WARNING: the default merge function assumes that the definition is a valid (option) value. You MUST pass a merge function if the return value needs to be 473 + # - type checked beyond what .check does (which should be very little; only on the value head; not attribute values, etc) 474 # - if you want attribute values to be checked, or list items 475 # - if you want coercedTo-like behavior to work 476 merge ? loc: defs: (head defs).value,

+8 -2

lib/types.nix

··· 75 if pos == null then "" else " at ${pos.file}:${toString pos.line}:${toString pos.column}"; 76 77 # Internal functor to help for migrating functor.wrapped to functor.payload.elemType 78 - # Note that individual attributes can be overriden if needed. 79 elemTypeFunctor = 80 name: 81 { elemType, ... }@payload: ··· 1455 nestedTypes.coercedType = coercedType; 1456 nestedTypes.finalType = finalType; 1457 }; 1458 1459 - # Augment the given type with an additional type check function. 1460 addCheck = elemType: check: elemType // { check = x: elemType.check x && check x; }; 1461 1462 };

··· 75 if pos == null then "" else " at ${pos.file}:${toString pos.line}:${toString pos.column}"; 76 77 # Internal functor to help for migrating functor.wrapped to functor.payload.elemType 78 + # Note that individual attributes can be overridden if needed. 79 elemTypeFunctor = 80 name: 81 { elemType, ... }@payload: ··· 1455 nestedTypes.coercedType = coercedType; 1456 nestedTypes.finalType = finalType; 1457 }; 1458 + /** 1459 + Augment the given type with an additional type check function. 1460 1461 + :::{.warning} 1462 + This function has some broken behavior see: [#396021](https://github.com/NixOS/nixpkgs/issues/396021) 1463 + Fixing is not trivial, we appreciate any help! 1464 + ::: 1465 + */ 1466 addCheck = elemType: check: elemType // { check = x: elemType.check x && check x; }; 1467 1468 };

+2 -2

nixos/lib/make-options-doc/default.nix

··· 45 46 Documentation rendered as AsciiDoc. This is useful for e.g. man pages. 47 48 - > Note: NixOS itself uses this ouput to to build the configuration.nix man page" 49 50 ## optionsNix 51 ··· 59 let 60 # Evaluate a NixOS configuration 61 eval = import (pkgs.path + "/nixos/lib/eval-config.nix") { 62 - # Overriden explicitly here, this would include all modules from NixOS otherwise. 63 # See: docs of eval-config.nix for more details 64 baseModules = []; 65 modules = [

··· 45 46 Documentation rendered as AsciiDoc. This is useful for e.g. man pages. 47 48 + > Note: NixOS itself uses this output to to build the configuration.nix man page" 49 50 ## optionsNix 51 ··· 59 let 60 # Evaluate a NixOS configuration 61 eval = import (pkgs.path + "/nixos/lib/eval-config.nix") { 62 + # Overridden explicitly here, this would include all modules from NixOS otherwise. 63 # See: docs of eval-config.nix for more details 64 baseModules = []; 65 modules = [

+3 -7

nixos/lib/systemd-unit-options.nix

··· 15 inherit (lib) 16 any 17 concatMap 18 - filterOverrides 19 isList 20 literalExpression 21 mergeEqualOption ··· 56 name = "systemd option"; 57 merge = 58 loc: defs: 59 - let 60 - defs' = filterOverrides defs; 61 - in 62 - if any (def: isList def.value) defs' then 63 - concatMap (def: toList def.value) defs' 64 else 65 - mergeEqualOption loc defs'; 66 }; 67 68 sharedOptions = {

··· 15 inherit (lib) 16 any 17 concatMap 18 isList 19 literalExpression 20 mergeEqualOption ··· 55 name = "systemd option"; 56 merge = 57 loc: defs: 58 + if any (def: isList def.value) defs then 59 + concatMap (def: toList def.value) defs 60 else 61 + mergeEqualOption loc defs; 62 }; 63 64 sharedOptions = {

+1 -1

nixos/lib/testing/network.nix

··· 130 virtualisation.test.nodeName = mkOption { 131 internal = true; 132 default = name; 133 - # We need to force this in specilisations, otherwise it'd be 134 # readOnly = true; 135 description = '' 136 The `name` in `nodes.<name>`; stable across `specialisations`.

··· 130 virtualisation.test.nodeName = mkOption { 131 internal = true; 132 default = name; 133 + # We need to force this in specialisations, otherwise it'd be 134 # readOnly = true; 135 description = '' 136 The `name` in `nodes.<name>`; stable across `specialisations`.

+1 -1

nixos/maintainers/option-usages.nix

··· 60 inherit (eval) pkgs; 61 62 excludedTestOptions = [ 63 - # We cannot evluate _module.args, as it is used during the computation 64 # of the modules list. 65 "_module.args" 66

··· 60 inherit (eval) pkgs; 61 62 excludedTestOptions = [ 63 + # We cannot evaluate _module.args, as it is used during the computation 64 # of the modules list. 65 "_module.args" 66

+2 -4

nixos/modules/config/sysctl.nix

··· 9 checkType = x: lib.isBool x || lib.isString x || lib.isInt x || x == null; 10 in 11 checkType val || (val._type or "" == "override" && checkType val.content); 12 - merge = loc: defs: lib.mergeOneOption loc (lib.filterOverrides defs); 13 }; 14 15 in ··· 22 type = 23 let 24 highestValueType = lib.types.ints.unsigned // { 25 - merge = 26 - loc: defs: 27 - lib.foldl (a: b: if b.value == null then null else lib.max a b.value) 0 (lib.filterOverrides defs); 28 }; 29 in 30 lib.types.submodule {

··· 9 checkType = x: lib.isBool x || lib.isString x || lib.isInt x || x == null; 10 in 11 checkType val || (val._type or "" == "override" && checkType val.content); 12 + merge = loc: defs: lib.mergeOneOption loc defs; 13 }; 14 15 in ··· 22 type = 23 let 24 highestValueType = lib.types.ints.unsigned // { 25 + merge = loc: defs: lib.foldl (a: b: if b.value == null then null else lib.max a b.value) 0 defs; 26 }; 27 in 28 lib.types.submodule {

+3 -3

nixos/modules/misc/ids.nix

··· 273 caddy = 239; 274 taskd = 240; 275 # factorio = 241; # DynamicUser = true 276 - # emby = 242; # unusued, removed 2019-05-01 277 #graylog = 243;# dynamically allocated as of 2021-09-03 278 sniproxy = 244; 279 nzbget = 245; ··· 371 # system user or group of the same id in someone else's NixOS. 372 # This could break their system and make that person upset for a whole day. 373 # 374 - # Sidenote: the default is defined in `shadow` module[2], and the relavent change 375 # was made way back in 2014[3]. 376 # 377 # [1]: https://man7.org/linux/man-pages/man5/login.defs.5.html#:~:text=SYS_UID_MAX%20(number)%2C%20SYS_UID_MIN%20(number) ··· 700 # system user or group of the same id in someone else's NixOS. 701 # This could break their system and make that person upset for a whole day. 702 # 703 - # Sidenote: the default is defined in `shadow` module[2], and the relavent change 704 # was made way back in 2014[3]. 705 # 706 # [1]: https://man7.org/linux/man-pages/man5/login.defs.5.html#:~:text=SYS_UID_MAX%20(number)%2C%20SYS_UID_MIN%20(number)

··· 273 caddy = 239; 274 taskd = 240; 275 # factorio = 241; # DynamicUser = true 276 + # emby = 242; # unused, removed 2019-05-01 277 #graylog = 243;# dynamically allocated as of 2021-09-03 278 sniproxy = 244; 279 nzbget = 245; ··· 371 # system user or group of the same id in someone else's NixOS. 372 # This could break their system and make that person upset for a whole day. 373 # 374 + # Sidenote: the default is defined in `shadow` module[2], and the relevant change 375 # was made way back in 2014[3]. 376 # 377 # [1]: https://man7.org/linux/man-pages/man5/login.defs.5.html#:~:text=SYS_UID_MAX%20(number)%2C%20SYS_UID_MIN%20(number) ··· 700 # system user or group of the same id in someone else's NixOS. 701 # This could break their system and make that person upset for a whole day. 702 # 703 + # Sidenote: the default is defined in `shadow` module[2], and the relevant change 704 # was made way back in 2014[3]. 705 # 706 # [1]: https://man7.org/linux/man-pages/man5/login.defs.5.html#:~:text=SYS_UID_MAX%20(number)%2C%20SYS_UID_MIN%20(number)

+1 -1

nixos/modules/profiles/image-based-appliance.nix

··· 1 - # This profile sets up a sytem for image based appliance usage. An appliance is 2 # installed as an image, cannot be re-built, has no Nix available, and is 3 # generally not meant for interactive use. Updates to such an appliance are 4 # handled by updating whole partition images via a tool like systemd-sysupdate.

··· 1 + # This profile sets up a system for image based appliance usage. An appliance is 2 # installed as an image, cannot be re-built, has no Nix available, and is 3 # generally not meant for interactive use. Updates to such an appliance are 4 # handled by updating whole partition images via a tool like systemd-sysupdate.

+1 -1

nixos/modules/programs/turbovnc.nix

··· 45 # software rendering to implement GLX (OpenGL on Xorg). 46 # However, just building TurboVNC with support for that is not enough 47 # (it only takes care of the X server side part of OpenGL); 48 - # the indiviudual applications (e.g. `glxgears`) also need to directly load 49 # the OpenGL libs. 50 # Thus, this creates `/run/opengl-driver` populated by Mesa so that the applications 51 # can find the llvmpipe `swrast.so` software rendering DRI lib via `libglvnd`.

··· 45 # software rendering to implement GLX (OpenGL on Xorg). 46 # However, just building TurboVNC with support for that is not enough 47 # (it only takes care of the X server side part of OpenGL); 48 + # the individual applications (e.g. `glxgears`) also need to directly load 49 # the OpenGL libs. 50 # Thus, this creates `/run/opengl-driver` populated by Mesa so that the applications 51 # can find the llvmpipe `swrast.so` software rendering DRI lib via `libglvnd`.

+1 -1

nixos/modules/services/cluster/k3s/default.nix

··· 139 [ 140 (yamlFormat.generate "helm-chart-manifest-${name}.yaml" (mkHelmChartCR name value)) 141 ] 142 - # alternate the YAML doc seperator (---) and extraDeploy manifests to create 143 # multi document YAMLs 144 ++ (lib.concatMap (x: [ 145 yamlDocSeparator

··· 139 [ 140 (yamlFormat.generate "helm-chart-manifest-${name}.yaml" (mkHelmChartCR name value)) 141 ] 142 + # alternate the YAML doc separator (---) and extraDeploy manifests to create 143 # multi document YAMLs 144 ++ (lib.concatMap (x: [ 145 yamlDocSeparator

+1 -1

nixos/modules/services/desktops/bonsaid.nix

··· 143 lib.mkDefault (json.generate "bonsai_tree.json" (filterNulls cfg.settings)); 144 145 # bonsaid is controlled by bonsaictl, so place the latter in the environment by default. 146 - # bonsaictl is typically invoked by scripts or a DE so this isn't strictly necesssary, 147 # but it's helpful while administering the service generally. 148 environment.systemPackages = [ cfg.package ]; 149

··· 143 lib.mkDefault (json.generate "bonsai_tree.json" (filterNulls cfg.settings)); 144 145 # bonsaid is controlled by bonsaictl, so place the latter in the environment by default. 146 + # bonsaictl is typically invoked by scripts or a DE so this isn't strictly necessary, 147 # but it's helpful while administering the service generally. 148 environment.systemPackages = [ cfg.package ]; 149

+1 -1

nixos/modules/services/games/crossfire-server.nix

··· 176 # need to be writeable, so we can't just point at the ones in the nix 177 # store. Instead we take the approach of copying them out of the store 178 # on first run. If `bookarch` already exists, we assume the rest of the 179 - # files do as well, and copy nothing -- otherwise we risk ovewriting 180 # server state information every time the server is upgraded. 181 preStart = '' 182 if [ ! -e "${cfg.stateDir}"/bookarch ]; then

··· 176 # need to be writeable, so we can't just point at the ones in the nix 177 # store. Instead we take the approach of copying them out of the store 178 # on first run. If `bookarch` already exists, we assume the rest of the 179 + # files do as well, and copy nothing -- otherwise we risk overwriting 180 # server state information every time the server is upgraded. 181 preStart = '' 182 if [ ! -e "${cfg.stateDir}"/bookarch ]; then

+1 -1

nixos/modules/services/hardware/kmonad.nix

··· 201 # the old service and then starts the new service after config updates. 202 # Since we use path-based activation[1] here, the service unit will 203 # immediately[2] be started by the path unit. Probably that start is 204 - # before config updates, whcih causes the service unit to use the old 205 # config after nixos-rebuild switch. Setting stopIfChanged to false works 206 # around this issue by restarting the service after config updates. 207 # [0]: https://nixos.org/manual/nixos/unstable/#sec-switching-systems

··· 201 # the old service and then starts the new service after config updates. 202 # Since we use path-based activation[1] here, the service unit will 203 # immediately[2] be started by the path unit. Probably that start is 204 + # before config updates, which causes the service unit to use the old 205 # config after nixos-rebuild switch. Setting stopIfChanged to false works 206 # around this issue by restarting the service after config updates. 207 # [0]: https://nixos.org/manual/nixos/unstable/#sec-switching-systems

+1 -1

nixos/modules/services/misc/ntfy-sh.nix

··· 107 RestrictNamespaces = true; 108 RestrictRealtime = true; 109 MemoryDenyWriteExecute = true; 110 - # Upstream Recommandation 111 LimitNOFILE = 20500; 112 }; 113 };

··· 107 RestrictNamespaces = true; 108 RestrictRealtime = true; 109 MemoryDenyWriteExecute = true; 110 + # Upstream Recommendation 111 LimitNOFILE = 20500; 112 }; 113 };

+1 -1

nixos/modules/services/monitoring/below.nix

··· 91 92 config = lib.mkIf cfg.enable { 93 environment.systemPackages = [ pkgs.below ]; 94 - # /etc/below.conf is also refered to by the `below` CLI tool, 95 # so this can't be a store-only file whose path is passed to the service 96 environment.etc."below/below.conf".text = cfgContents; 97

··· 91 92 config = lib.mkIf cfg.enable { 93 environment.systemPackages = [ pkgs.below ]; 94 + # /etc/below.conf is also referred to by the `below` CLI tool, 95 # so this can't be a store-only file whose path is passed to the service 96 environment.etc."below/below.conf".text = cfgContents; 97

+1 -1

nixos/modules/services/networking/cato-client.nix

··· 55 wantedBy = [ "multi-user.target" ]; 56 }; 57 58 - # set up Security wrapper Same as inteded in deb post install 59 security.wrappers.cato-clientd = { 60 source = "${cfg.package}/bin/cato-clientd"; 61 owner = "root";

··· 55 wantedBy = [ "multi-user.target" ]; 56 }; 57 58 + # set up Security wrapper Same as intended in deb post install 59 security.wrappers.cato-clientd = { 60 source = "${cfg.package}/bin/cato-clientd"; 61 owner = "root";

+1 -1

nixos/modules/services/networking/fedimintd.nix

··· 289 290 { 291 # Note: we want by default to enable OpenSSL, but it seems anything 100 and above is 292 - # overriden by default value from vhost-options.nix 293 enableACME = mkOverride 99 true; 294 forceSSL = mkOverride 99 true; 295 locations.${cfg.nginx.path} = {

··· 289 290 { 291 # Note: we want by default to enable OpenSSL, but it seems anything 100 and above is 292 + # overridden by default value from vhost-options.nix 293 enableACME = mkOverride 99 true; 294 forceSSL = mkOverride 99 true; 295 locations.${cfg.nginx.path} = {

+1 -1

nixos/modules/services/networking/netbird.nix

··· 550 User = client.user.name; 551 Group = client.user.group; 552 553 - # settings implied by DynamicUser=true, without actully using it, 554 # see https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#DynamicUser= 555 RemoveIPC = true; 556 PrivateTmp = true;

··· 550 User = client.user.name; 551 Group = client.user.group; 552 553 + # settings implied by DynamicUser=true, without actually using it, 554 # see https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#DynamicUser= 555 RemoveIPC = true; 556 PrivateTmp = true;

+1 -1

nixos/modules/services/networking/netbird/dashboard.nix

··· 102 # special options as its public anyway 103 # As far as I know leaking this secret is just 104 # an information leak as one can fetch some basic app 105 - # informations from the IDP 106 # To actually do something one still needs to have login 107 # data and this secret so this being public will not 108 # suffice for anything just decreasing security

··· 102 # special options as its public anyway 103 # As far as I know leaking this secret is just 104 # an information leak as one can fetch some basic app 105 + # information from the IDP 106 # To actually do something one still needs to have login 107 # data and this secret so this being public will not 108 # suffice for anything just decreasing security

+1 -1

nixos/modules/services/networking/ssh/sshd.nix

··· 42 # values must be separated by whitespace or even commas. 43 # Consult either sshd_config(5) or, as last resort, the OpehSSH source for parsing 44 # the options at servconf.c:process_server_config_line_depth() to determine the right "mode" 45 - # for each. But fortunaly this fact is documented for most of them in the manpage. 46 commaSeparated = [ 47 "Ciphers" 48 "KexAlgorithms"

··· 42 # values must be separated by whitespace or even commas. 43 # Consult either sshd_config(5) or, as last resort, the OpehSSH source for parsing 44 # the options at servconf.c:process_server_config_line_depth() to determine the right "mode" 45 + # for each. But fortunately this fact is documented for most of them in the manpage. 46 commaSeparated = [ 47 "Ciphers" 48 "KexAlgorithms"

+1 -1

nixos/modules/services/networking/yggdrasil-jumper.nix

··· 133 134 services.yggdrasil.settings.Listen = 135 let 136 - # By default linux dynamically alocates ports in range 32768..60999 137 # `sysctl net.ipv4.ip_local_port_range` 138 # See: https://xkcd.com/221/ 139 prot_port = {

··· 133 134 services.yggdrasil.settings.Listen = 135 let 136 + # By default linux dynamically allocates ports in range 32768..60999 137 # `sysctl net.ipv4.ip_local_port_range` 138 # See: https://xkcd.com/221/ 139 prot_port = {

+1 -1

nixos/modules/services/security/tor.nix

··· 295 ( 296 lib.mapAttrs ( 297 k: v: 298 - # Not necesssary, but prettier rendering 299 if 300 lib.elem k [ 301 "AutomapHostsSuffixes"

··· 295 ( 296 lib.mapAttrs ( 297 k: v: 298 + # Not necessary, but prettier rendering 299 if 300 lib.elem k [ 301 "AutomapHostsSuffixes"

+1 -1

nixos/modules/services/web-apps/davis.nix

··· 348 else if 349 pgsqlLocal 350 # note: davis expects a non-standard postgres uri (due to the underlying doctrine library) 351 - # specifically the dummy hostname which is overriden by the host query parameter 352 then 353 "postgres://${user}@localhost/${db.name}?host=/run/postgresql" 354 else if mysqlLocal then

··· 348 else if 349 pgsqlLocal 350 # note: davis expects a non-standard postgres uri (due to the underlying doctrine library) 351 + # specifically the dummy hostname which is overridden by the host query parameter 352 then 353 "postgres://${user}@localhost/${db.name}?host=/run/postgresql" 354 else if mysqlLocal then

+1 -1

nixos/modules/services/web-apps/plausible.nix

··· 224 # Thus, disable distribution for improved simplicity and security: 225 # 226 # When distribution is enabled, 227 - # Elixir spwans the Erlang VM, which will listen by default on all 228 # interfaces for messages between Erlang nodes (capable of 229 # remote code execution); it can be protected by a cookie; see 230 # https://erlang.org/doc/reference_manual/distributed.html#security).

··· 224 # Thus, disable distribution for improved simplicity and security: 225 # 226 # When distribution is enabled, 227 + # Elixir spawns the Erlang VM, which will listen by default on all 228 # interfaces for messages between Erlang nodes (capable of 229 # remote code execution); it can be protected by a cookie; see 230 # https://erlang.org/doc/reference_manual/distributed.html#security).

+1 -1

nixos/modules/services/web-apps/windmill.nix

··· 132 { 133 134 # coming from https://github.com/windmill-labs/windmill/blob/main/init-db-as-superuser.sql 135 - # modified to not grant priviledges on all tables 136 # create role windmill_user and windmill_admin only if they don't exist 137 postgresql.postStart = lib.mkIf cfg.database.createLocally ( 138 lib.mkAfter ''

··· 132 { 133 134 # coming from https://github.com/windmill-labs/windmill/blob/main/init-db-as-superuser.sql 135 + # modified to not grant privileges on all tables 136 # create role windmill_user and windmill_admin only if they don't exist 137 postgresql.postStart = lib.mkIf cfg.database.createLocally ( 138 lib.mkAfter ''

+1 -1

nixos/modules/virtualisation/azure-common.nix

··· 26 27 # Enable cloud-init by default for waagent. 28 # Otherwise waagent would try manage networking using ifupdown, 29 - # which is currently not availeble in nixpkgs. 30 services.cloud-init.enable = true; 31 services.cloud-init.network.enable = true; 32 systemd.services.cloud-config.serviceConfig.Restart = "on-failure";

··· 26 27 # Enable cloud-init by default for waagent. 28 # Otherwise waagent would try manage networking using ifupdown, 29 + # which is currently not available in nixpkgs. 30 services.cloud-init.enable = true; 31 services.cloud-init.network.enable = true; 32 systemd.services.cloud-config.serviceConfig.Restart = "on-failure";

+1 -1

nixos/modules/virtualisation/azure-image.nix

··· 105 splashImage = null; 106 # For Gen 1 VM, configurate grub output to serial_com0. 107 # Not needed for Gen 2 VM wbere serial_com0 does not exist, 108 - # and outputing to console is enough to make Azure Serial Console working 109 extraConfig = lib.mkIf (!efiSupport) '' 110 serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1 111 terminal_input --append serial

··· 105 splashImage = null; 106 # For Gen 1 VM, configurate grub output to serial_com0. 107 # Not needed for Gen 2 VM wbere serial_com0 does not exist, 108 + # and outputting to console is enough to make Azure Serial Console working 109 extraConfig = lib.mkIf (!efiSupport) '' 110 serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1 111 terminal_input --append serial

+1 -1

nixos/modules/virtualisation/waagent.nix

··· 67 convert = 68 attrs: 69 pipe (recurse [ ] attrs) [ 70 - # Filter out null values and emoty lists 71 (filter (kv: kv.value != null && kv.value != [ ])) 72 # Transform to Key=Value form, then concatenate 73 (map (kv: "${kv.name}=${transform kv.value}"))

··· 67 convert = 68 attrs: 69 pipe (recurse [ ] attrs) [ 70 + # Filter out null values and empty lists 71 (filter (kv: kv.value != null && kv.value != [ ])) 72 # Transform to Key=Value form, then concatenate 73 (map (kv: "${kv.name}=${transform kv.value}"))

+2 -2

nixos/tests/appliance-repart-image.nix

··· 65 repartConfig = { 66 Type = "esp"; 67 Format = "vfat"; 68 - # Minimize = "guess" seems to not work very vell for vfat 69 - # partitons. It's better to set a sensible default instead. The 70 # aarch64 kernel seems to generally be a little bigger than the 71 # x86_64 kernel. To stay on the safe side, leave some more slack 72 # for every platform other than x86_64.

··· 65 repartConfig = { 66 Type = "esp"; 67 Format = "vfat"; 68 + # Minimize = "guess" seems to not work very well for vfat 69 + # partitions. It's better to set a sensible default instead. The 70 # aarch64 kernel seems to generally be a little bigger than the 71 # x86_64 kernel. To stay on the safe side, leave some more slack 72 # for every platform other than x86_64.

+1 -1

nixos/tests/common/acme/server/default.nix

··· 94 ) cfg.configuration.security.acme.certs 95 ) 96 # A specialisation's config is nested under its configuration attribute. 97 - # For ease of use, nest the root node's configuration simiarly. 98 ([ { configuration = node; } ] ++ (builtins.attrValues node.specialisation)) 99 ) 100 );

··· 94 ) cfg.configuration.security.acme.certs 95 ) 96 # A specialisation's config is nested under its configuration attribute. 97 + # For ease of use, nest the root node's configuration similarly. 98 ([ { configuration = node; } ] ++ (builtins.attrValues node.specialisation)) 99 ) 100 );

+1 -1

nixos/tests/ntfy-sh-migration.nix

··· 4 # this test works doing a migration and asserting ntfy-sh runs properly. first, 5 # ntfy-sh is configured to use a static user and group. then ntfy-sh is 6 # started and tested. after that, ntfy-sh is shut down and a systemd drop 7 - # in configuration file is used to upate the service configuration to use 8 # DynamicUser=true. then the ntfy-sh is started again and tested. 9 10 import ./make-test-python.nix {

··· 4 # this test works doing a migration and asserting ntfy-sh runs properly. first, 5 # ntfy-sh is configured to use a static user and group. then ntfy-sh is 6 # started and tested. after that, ntfy-sh is shut down and a systemd drop 7 + # in configuration file is used to update the service configuration to use 8 # DynamicUser=true. then the ntfy-sh is started again and tested. 9 10 import ./make-test-python.nix {

+2 -2

nixos/tests/sftpgo.nix

··· 6 # - downloading the file over sftp 7 # - assert that the ACLs are respected 8 # - share a file between alice and bob (using sftp) 9 - # - assert that eve cannot acceess the shared folder between alice and bob. 10 # 11 # Additional test coverage for the remaining protocols (i.e. ftp, http and webdav) 12 # would be a nice to have for the future. ··· 333 testScript = 334 { nodes, ... }: 335 let 336 - # A function to generate test cases for wheter 337 # a specified username is expected to access the shared folder. 338 accessSharedFoldersSubtest = 339 {

··· 6 # - downloading the file over sftp 7 # - assert that the ACLs are respected 8 # - share a file between alice and bob (using sftp) 9 + # - assert that eve cannot access the shared folder between alice and bob. 10 # 11 # Additional test coverage for the remaining protocols (i.e. ftp, http and webdav) 12 # would be a nice to have for the future. ··· 333 testScript = 334 { nodes, ... }: 335 let 336 + # A function to generate test cases for whether 337 # a specified username is expected to access the shared folder. 338 accessSharedFoldersSubtest = 339 {

+1 -1

nixos/tests/systemd-sysupdate.nix

··· 1 - # Tests downloading a signed update aritfact from a server to a target machine. 2 # This test does not rely on the `systemd.timer` units provided by the 3 # `systemd-sysupdate` module but triggers the `systemd-sysupdate` service 4 # manually to make the test more robust.

··· 1 + # Tests downloading a signed update artifact from a server to a target machine. 2 # This test does not rely on the `systemd.timer` units provided by the 3 # `systemd-sysupdate` module but triggers the `systemd-sysupdate` service 4 # manually to make the test more robust.

+1 -1

nixos/tests/systemd-timesyncd-nscd-dnssec.nix

··· 4 # correct time, we need to connect to an NTP server, which usually requires resolving its hostname. 5 # 6 # This test does the following: 7 - # - Sets up a DNS server (tinydns) listening on the eth1 ip addess, serving .ntp and fake.ntp records. 8 # - Configures that DNS server as a resolver and enables DNSSEC in systemd-resolved settings. 9 # - Configures systemd-timesyncd to use fake.ntp hostname as an NTP server. 10 # - Performs a regular DNS lookup, to ensure it fails due to broken DNSSEC.

··· 4 # correct time, we need to connect to an NTP server, which usually requires resolving its hostname. 5 # 6 # This test does the following: 7 + # - Sets up a DNS server (tinydns) listening on the eth1 ip address, serving .ntp and fake.ntp records. 8 # - Configures that DNS server as a resolver and enables DNSSEC in systemd-resolved settings. 9 # - Configures systemd-timesyncd to use fake.ntp hostname as an NTP server. 10 # - Performs a regular DNS lookup, to ensure it fails due to broken DNSSEC.

+4 -4

pkgs/applications/editors/emacs/elisp-packages/melpa-packages.nix

··· 17 ./update-from-overlay 18 19 It will update both melpa and elpa packages using 20 - https://github.com/nix-community/emacs-overlay. It's almost instantenous and 21 formats commits for you. 22 */ 23 ··· 1355 hyperbole = ignoreCompilationError (addPackageRequires (mkHome super.hyperbole) [ self.el-mock ]); # elisp error 1356 1357 # needs non-existent "browser database directory" during compilation 1358 - # TODO report to upsteam about missing dependency websocket 1359 ibrowse = ignoreCompilationError (addPackageRequires super.ibrowse [ self.websocket ]); 1360 1361 # elisp error and missing optional dependencies ··· 1368 1369 indium = mkHome super.indium; 1370 1371 - # TODO report to upsteam 1372 inlineR = addPackageRequires super.inlineR [ self.ess ]; 1373 1374 # https://github.com/duelinmarkers/insfactor.el/issues/7 ··· 1547 1548 org-gtd = ignoreCompilationError super.org-gtd; # elisp error 1549 1550 - # needs newer org than the Eamcs 29.4 builtin one 1551 org-link-beautify = addPackageRequires super.org-link-beautify [ 1552 self.org 1553 self.qrencode

··· 17 ./update-from-overlay 18 19 It will update both melpa and elpa packages using 20 + https://github.com/nix-community/emacs-overlay. It's almost instantaneous and 21 formats commits for you. 22 */ 23 ··· 1355 hyperbole = ignoreCompilationError (addPackageRequires (mkHome super.hyperbole) [ self.el-mock ]); # elisp error 1356 1357 # needs non-existent "browser database directory" during compilation 1358 + # TODO report to upstream about missing dependency websocket 1359 ibrowse = ignoreCompilationError (addPackageRequires super.ibrowse [ self.websocket ]); 1360 1361 # elisp error and missing optional dependencies ··· 1368 1369 indium = mkHome super.indium; 1370 1371 + # TODO report to upstream 1372 inlineR = addPackageRequires super.inlineR [ self.ess ]; 1373 1374 # https://github.com/duelinmarkers/insfactor.el/issues/7 ··· 1547 1548 org-gtd = ignoreCompilationError super.org-gtd; # elisp error 1549 1550 + # needs newer org than the Emacs 29.4 builtin one 1551 org-link-beautify = addPackageRequires super.org-link-beautify [ 1552 self.org 1553 self.qrencode

+5 -5

pkgs/applications/editors/vscode/extensions/default.nix

··· 1240 mktplcRef = { 1241 name = "dart-code"; 1242 publisher = "dart-code"; 1243 - version = "3.110.0"; 1244 - hash = "sha256-YLdhL5xNj8sidZUzMVZgOK6zTXgQnWdKWRrDg0on90s="; 1245 }; 1246 1247 meta.license = lib.licenses.mit; ··· 1251 mktplcRef = { 1252 name = "flutter"; 1253 publisher = "dart-code"; 1254 - version = "3.110.0"; 1255 - hash = "sha256-Zi+q56XcHZGUKgF3TNpaYSwwdqLT8Q1fxf8dFVAEuQY="; 1256 }; 1257 1258 meta.license = lib.licenses.mit; ··· 5709 }; 5710 5711 # TODO: add overrides overlay, so that we can have a generated.nix 5712 - # then apply extension specific modifcations to packages. 5713 5714 # overlays will be applied left to right, overrides should come after aliases. 5715 overlays = lib.optionals config.allowAliases [

··· 1240 mktplcRef = { 1241 name = "dart-code"; 1242 publisher = "dart-code"; 1243 + version = "3.112.0"; 1244 + hash = "sha256-nnEEKijl5ZdsHyBAWCL+MucjNGIuup75xSJaVzNawrs="; 1245 }; 1246 1247 meta.license = lib.licenses.mit; ··· 1251 mktplcRef = { 1252 name = "flutter"; 1253 publisher = "dart-code"; 1254 + version = "3.112.0"; 1255 + hash = "sha256-S+srv0zUCobM3IPXOME5oT0xdXdPmMHSs7rwNTBcnhk="; 1256 }; 1257 1258 meta.license = lib.licenses.mit; ··· 5709 }; 5710 5711 # TODO: add overrides overlay, so that we can have a generated.nix 5712 + # then apply extension specific modifications to packages. 5713 5714 # overlays will be applied left to right, overrides should come after aliases. 5715 overlays = lib.optionals config.allowAliases [

+1 -1

pkgs/applications/editors/vscode/extensions/ms-vscode.cpptools/default.nix

··· 33 34 <https://github.com/Microsoft/vscode-cpptools/issues/35> 35 36 - Once the symbolic link temporary solution taken, everything shoud run smootly. 37 */ 38 39 let

··· 33 34 <https://github.com/Microsoft/vscode-cpptools/issues/35> 35 36 + Once the symbolic link temporary solution taken, everything should run smootly. 37 */ 38 39 let

+1 -1

pkgs/applications/graphics/yacreader/default.nix

··· 49 libsForQt5.qtmacextras # can be removed when using qt6 50 ]; 51 52 - # custom Darwin install instructions taken from the upsteam compileOSX.sh script 53 installPhase = lib.optionalString stdenv.hostPlatform.isDarwin '' 54 runHook preInstall 55

··· 49 libsForQt5.qtmacextras # can be removed when using qt6 50 ]; 51 52 + # custom Darwin install instructions taken from the upstream compileOSX.sh script 53 installPhase = lib.optionalString stdenv.hostPlatform.isDarwin '' 54 runHook preInstall 55

+1

pkgs/applications/networking/browsers/librewolf/default.nix

··· 29 description = "Fork of Firefox, focused on privacy, security and freedom"; 30 homepage = "https://librewolf.net/"; 31 maintainers = with lib.maintainers; [ 32 squalus 33 dwrege 34 fpletz

··· 29 description = "Fork of Firefox, focused on privacy, security and freedom"; 30 homepage = "https://librewolf.net/"; 31 maintainers = with lib.maintainers; [ 32 + # Also update ci/OWNERS entry when changing maintainers 33 squalus 34 dwrege 35 fpletz

+3 -3

pkgs/applications/networking/ktailctl/default.nix

··· 26 }: 27 28 let 29 - version = "0.20.1"; 30 31 src = fetchFromGitHub { 32 owner = "f-koehler"; 33 repo = "KTailctl"; 34 rev = "v${version}"; 35 - hash = "sha256-8vtNAqCDXbzEuGXqUZL26EMmVLJqSFu+E/zhK8VafLE="; 36 }; 37 38 goDeps = ··· 40 pname = "ktailctl-go-wrapper"; 41 inherit src version; 42 modRoot = "src/wrapper"; 43 - vendorHash = "sha256-F0fY9ZqibZNIUQSIlLRO3rX4gYAFHWMdFtwRNigpGZE="; 44 }).goModules; 45 in 46 stdenv.mkDerivation {

··· 26 }: 27 28 let 29 + version = "0.20.2"; 30 31 src = fetchFromGitHub { 32 owner = "f-koehler"; 33 repo = "KTailctl"; 34 rev = "v${version}"; 35 + hash = "sha256-yMP+oAc1ZHr402j3NQOFLGFT/AK/PQ+figoVyOMEaus="; 36 }; 37 38 goDeps = ··· 40 pname = "ktailctl-go-wrapper"; 41 inherit src version; 42 modRoot = "src/wrapper"; 43 + vendorHash = "sha256-kX2L/ET6saxn73T4414ShRSeOIpX8i1HHjKkPbdjse0="; 44 }).goModules; 45 in 46 stdenv.mkDerivation {

+2 -2

pkgs/applications/virtualization/OVMF/default.nix

··· 96 "debian/python" 97 "debian/PkKek-1-*.pem" 98 ]; 99 - rev = "refs/tags/debian/2024.05-1"; 100 - hash = "sha256-uAjXJaHOVh944ZxcA2IgCsrsncxuhc0JKlsXs0E03s0="; 101 }; 102 103 buildPrefix = "Build/*/*";

··· 96 "debian/python" 97 "debian/PkKek-1-*.pem" 98 ]; 99 + rev = "refs/tags/debian/2025.02-8"; 100 + hash = "sha256-kAwfS8TBdN1PTm5kxTvqFuA9edBfBuMt6XmRWnFnolQ="; 101 }; 102 103 buildPrefix = "Build/*/*";

+7 -6

pkgs/build-support/go/README.md

··· 3 Go promises that "programs written to the Go 1 specification will continue to compile and run correctly, unchanged, over the lifetime of that specification" [1]. 4 Newer toolchain versions should build projects developed against older toolchains without problems. 5 6 There are however Go packages depending on internal APIs of the toolchain/runtime/stdlib that are not covered by the Go compatibility promise. 7 - These packages may break on toolchain updates. 8 - We name packages that (often) break on toolchain updates `toolchain-breaking`. 9 10 - There is another set of packages that depends on the toolchain, but in another way: 11 - Packages providing development support for the Go language (like `gopls`, `golangci-lint`,...) must be compiled with the version they should be used for. 12 If `gopls` is compiled for Go 1.23, it won't work for projects that require Go 1.24. 13 - We name packages that must be built with the latest toolchain to work as expected `toolchain-latest`. 14 15 Go only ever has two supported toolchains. With a new minor release, the second last Go toolchain is automatically end of life, meaning it won't receive security updates anymore. 16 ··· 26 A comment MUST be added explaining why this is the case for a certain package. 27 It is important to keep the number of packages using this builder within nixpkgs low, so the bump won't cause a mass rebuild. 28 29 - Consumer outside of nixpkgs on the other hand MAY rely on this toolchain/builder if they prefer being upgraded earlier to the newest toolchain. 30 31 3. Packages in `toolchain-breaking` SHOULD pin a toolchain version by using a builder with a fixed Go version (`buildGo1xxModule`). 32 The use of `buildGo1xxModule` MUST be accompanied with a comment explaining why this has a dependency on a specific Go version.

··· 3 Go promises that "programs written to the Go 1 specification will continue to compile and run correctly, unchanged, over the lifetime of that specification" [1]. 4 Newer toolchain versions should build projects developed against older toolchains without problems. 5 6 + **Definition(a "toolchain-breaking" package):** 7 There are however Go packages depending on internal APIs of the toolchain/runtime/stdlib that are not covered by the Go compatibility promise. 8 + These packages may break on toolchain minor version upgrades. 9 10 + **Definition(a "toolchain-latest" package):** 11 + Packages providing development support for the Go language (like `gopls`, `golangci-lint`,...) depend on the toolchain in another way: they must be compiled at least with the version they should be used for. 12 If `gopls` is compiled for Go 1.23, it won't work for projects that require Go 1.24. 13 14 Go only ever has two supported toolchains. With a new minor release, the second last Go toolchain is automatically end of life, meaning it won't receive security updates anymore. 15 ··· 25 A comment MUST be added explaining why this is the case for a certain package. 26 It is important to keep the number of packages using this builder within nixpkgs low, so the bump won't cause a mass rebuild. 27 28 + `go_latest` MUST not point to release candidates of Go. 29 + 30 + Consumer outside of nixpkgs on the other hand MAY rely on this toolchain/builder if they prefer being upgraded earlier to the newest toolchain minor version. 31 32 3. Packages in `toolchain-breaking` SHOULD pin a toolchain version by using a builder with a fixed Go version (`buildGo1xxModule`). 33 The use of `buildGo1xxModule` MUST be accompanied with a comment explaining why this has a dependency on a specific Go version.

+1 -1

pkgs/build-support/rust/build-rust-crate/default.nix

··· 15 jq, 16 libiconv, 17 # Controls codegen parallelization for all crates. 18 - # May be overriden on a per-crate level. 19 # See <https://doc.rust-lang.org/rustc/codegen-options/index.html#codegen-units> 20 defaultCodegenUnits ? 1, 21 }:

··· 15 jq, 16 libiconv, 17 # Controls codegen parallelization for all crates. 18 + # May be overridden on a per-crate level. 19 # See <https://doc.rust-lang.org/rustc/codegen-options/index.html#codegen-units> 20 defaultCodegenUnits ? 1, 21 }:

+3 -3

pkgs/build-support/rust/build-rust-crate/test/rcgen-crates.nix

··· 20 defaultCrateOverrides ? pkgs.defaultCrateOverrides, 21 # The features to enable for the root_crate or the workspace_members. 22 rootFeatures ? [ "default" ], 23 - # If true, throw errors instead of issueing deprecation warnings. 24 strictDeprecation ? false, 25 # Used for conditional compilation based on CPU feature detection. 26 targetFeatures ? [ ], ··· 4485 runTests ? false, 4486 testCrateFlags ? [ ], 4487 testInputs ? [ ], 4488 - # Any command to run immediatelly before a test is executed. 4489 testPreRun ? "", 4490 - # Any command run immediatelly after a test is executed. 4491 testPostRun ? "", 4492 }: 4493 lib.makeOverridable

··· 20 defaultCrateOverrides ? pkgs.defaultCrateOverrides, 21 # The features to enable for the root_crate or the workspace_members. 22 rootFeatures ? [ "default" ], 23 + # If true, throw errors instead of issuing deprecation warnings. 24 strictDeprecation ? false, 25 # Used for conditional compilation based on CPU feature detection. 26 targetFeatures ? [ ], ··· 4485 runTests ? false, 4486 testCrateFlags ? [ ], 4487 testInputs ? [ ], 4488 + # Any command to run immediately before a test is executed. 4489 testPreRun ? "", 4490 + # Any command run immediately after a test is executed. 4491 testPostRun ? "", 4492 }: 4493 lib.makeOverridable

+1 -1

pkgs/by-name/ad/adios2/package.nix

··· 85 yaml-cpp 86 nlohmann_json 87 88 - # Todo: add these optional dependcies in nixpkgs. 89 # sz 90 # mgard 91 # catalyst

··· 85 yaml-cpp 86 nlohmann_json 87 88 + # Todo: add these optional dependencies in nixpkgs. 89 # sz 90 # mgard 91 # catalyst

+4 -4

pkgs/by-name/am/amp-cli/package-lock.json

··· 5 "packages": { 6 "": { 7 "dependencies": { 8 - "@sourcegraph/amp": "^0.0.1748404992-ga3f78f" 9 } 10 }, 11 "node_modules/@colors/colors": { ··· 29 } 30 }, 31 "node_modules/@sourcegraph/amp": { 32 - "version": "0.0.1748404992-ga3f78f", 33 - "resolved": "https://registry.npmjs.org/@sourcegraph/amp/-/amp-0.0.1748404992-ga3f78f.tgz", 34 - "integrity": "sha512-+BvCW8zrbO7ENRzMg0LdAeKigjzL+ASIDBjJ/m2uL2CVT8WPk1h34FTNCbvnO6kssimEtdP8FcxR/2O4AHwUbA==", 35 "dependencies": { 36 "@types/runes": "^0.4.3", 37 "@vscode/ripgrep": "1.15.11",

··· 5 "packages": { 6 "": { 7 "dependencies": { 8 + "@sourcegraph/amp": "^0.0.1748865683-g71e54e" 9 } 10 }, 11 "node_modules/@colors/colors": { ··· 29 } 30 }, 31 "node_modules/@sourcegraph/amp": { 32 + "version": "0.0.1748865683-g71e54e", 33 + "resolved": "https://registry.npmjs.org/@sourcegraph/amp/-/amp-0.0.1748865683-g71e54e.tgz", 34 + "integrity": "sha512-ZiNbIbgCb/l7Q7wRT0sva6Ju7VDtq7+lijMWK8jotPorTq1DYUy3h7XJIOjyJEdvqlQkEfwrnbOfREmsnwlPyg==", 35 "dependencies": { 36 "@types/runes": "^0.4.3", 37 "@vscode/ripgrep": "1.15.11",

+12 -7

pkgs/by-name/am/amp-cli/package.nix

··· 4 fetchzip, 5 ripgrep, 6 makeWrapper, 7 }: 8 9 - buildNpmPackage rec { 10 pname = "amp-cli"; 11 - version = "0.0.1748404992-ga3f78f"; 12 13 src = fetchzip { 14 - url = "https://registry.npmjs.org/@sourcegraph/amp/-/amp-${version}.tgz"; 15 - hash = "sha256-axd5VP7afa4ptAl/y8CEVguqoRKVRhWfRDSI0sgyXqA="; 16 }; 17 18 postPatch = '' ··· 25 "version": "0.0.0", 26 "license": "UNLICENSED", 27 "dependencies": { 28 - "@sourcegraph/amp": "${version}" 29 }, 30 "bin": { 31 "amp": "./bin/amp-wrapper.js" ··· 44 chmod +x bin/amp-wrapper.js 45 ''; 46 47 - npmDepsHash = "sha256-05+hBr+eX3I92U9TsqPQrYcJCmKXTvz3n6ZTxR1XvC8="; 48 49 propagatedBuildInputs = [ 50 ripgrep ··· 69 ''; 70 71 passthru.updateScript = ./update.sh; 72 73 meta = { 74 description = "CLI for Amp, an agentic coding agent in research preview from Sourcegraph"; ··· 81 ]; 82 mainProgram = "amp"; 83 }; 84 - }

··· 4 fetchzip, 5 ripgrep, 6 makeWrapper, 7 + testers, 8 }: 9 10 + buildNpmPackage (finalAttrs: { 11 pname = "amp-cli"; 12 + version = "0.0.1748865683-g71e54e"; 13 14 src = fetchzip { 15 + url = "https://registry.npmjs.org/@sourcegraph/amp/-/amp-${finalAttrs.version}.tgz"; 16 + hash = "sha256-kkQKjw1SzDjV8/206i+NUyxeDhZ/35My9gyXRe/U7I8="; 17 }; 18 19 postPatch = '' ··· 26 "version": "0.0.0", 27 "license": "UNLICENSED", 28 "dependencies": { 29 + "@sourcegraph/amp": "${finalAttrs.version}" 30 }, 31 "bin": { 32 "amp": "./bin/amp-wrapper.js" ··· 45 chmod +x bin/amp-wrapper.js 46 ''; 47 48 + npmDepsHash = "sha256-yeZ5UCVUCbVjpYTYYN5mI6eCkShtnCKxumjpb5GRCws="; 49 50 propagatedBuildInputs = [ 51 ripgrep ··· 70 ''; 71 72 passthru.updateScript = ./update.sh; 73 + passthru.tests.version = testers.testVersion { 74 + package = finalAttrs.finalPackage; 75 + command = "HOME=$(mktemp -d) amp --version"; 76 + }; 77 78 meta = { 79 description = "CLI for Amp, an agentic coding agent in research preview from Sourcegraph"; ··· 86 ]; 87 mainProgram = "amp"; 88 }; 89 + })

+10 -10

pkgs/by-name/co/containerlab/package.nix

··· 6 versionCheckHook, 7 }: 8 9 - buildGoModule rec { 10 pname = "containerlab"; 11 version = "0.68.0"; 12 13 src = fetchFromGitHub { 14 owner = "srl-labs"; 15 repo = "containerlab"; 16 - rev = "v${version}"; 17 hash = "sha256-x6QDwduAMCD+Trj0awQXW0Tdleb2U6YBi/7mdMB6V/8="; 18 }; 19 20 vendorHash = "sha256-XRgKfRw6VGg+lkbtPWUVNfAk5a7ZdFwVmhjtM7uSwHs="; 21 22 - nativeBuildInputs = [ installShellFiles ]; 23 24 ldflags = [ 25 "-s" 26 "-w" 27 - "-X github.com/srl-labs/containerlab/cmd/version.Version=${version}" 28 - "-X github.com/srl-labs/containerlab/cmd/version.commit=${src.rev}" 29 "-X github.com/srl-labs/containerlab/cmd/version.date=1970-01-01T00:00:00Z" 30 ]; 31 ··· 42 --zsh <($out/bin/containerlab completion zsh) 43 ''; 44 45 - nativeInstallCheckInputs = [ 46 - versionCheckHook 47 - ]; 48 doInstallCheck = true; 49 versionCheckProgramArg = "version"; 50 51 meta = { 52 description = "Container-based networking lab"; 53 homepage = "https://containerlab.dev/"; 54 - changelog = "https://github.com/srl-labs/containerlab/releases/tag/${src.rev}"; 55 license = lib.licenses.bsd3; 56 platforms = lib.platforms.linux; 57 maintainers = with lib.maintainers; [ aaronjheng ]; 58 mainProgram = "containerlab"; 59 }; 60 - }

··· 6 versionCheckHook, 7 }: 8 9 + buildGoModule (finalAttrs: { 10 pname = "containerlab"; 11 version = "0.68.0"; 12 13 src = fetchFromGitHub { 14 owner = "srl-labs"; 15 repo = "containerlab"; 16 + tag = "v${finalAttrs.version}"; 17 hash = "sha256-x6QDwduAMCD+Trj0awQXW0Tdleb2U6YBi/7mdMB6V/8="; 18 }; 19 20 vendorHash = "sha256-XRgKfRw6VGg+lkbtPWUVNfAk5a7ZdFwVmhjtM7uSwHs="; 21 22 + nativeBuildInputs = [ 23 + installShellFiles 24 + versionCheckHook 25 + ]; 26 27 ldflags = [ 28 "-s" 29 "-w" 30 + "-X github.com/srl-labs/containerlab/cmd/version.Version=${finalAttrs.version}" 31 + "-X github.com/srl-labs/containerlab/cmd/version.commit=${finalAttrs.src.rev}" 32 "-X github.com/srl-labs/containerlab/cmd/version.date=1970-01-01T00:00:00Z" 33 ]; 34 ··· 45 --zsh <($out/bin/containerlab completion zsh) 46 ''; 47 48 doInstallCheck = true; 49 versionCheckProgramArg = "version"; 50 51 meta = { 52 description = "Container-based networking lab"; 53 homepage = "https://containerlab.dev/"; 54 + changelog = "https://github.com/srl-labs/containerlab/releases/tag/v${finalAttrs.version}"; 55 license = lib.licenses.bsd3; 56 platforms = lib.platforms.linux; 57 maintainers = with lib.maintainers; [ aaronjheng ]; 58 mainProgram = "containerlab"; 59 }; 60 + })

+2 -2

pkgs/by-name/du/duplicity/package.nix

··· 22 let 23 self = python3.pkgs.buildPythonApplication rec { 24 pname = "duplicity"; 25 - version = "3.0.4"; 26 27 src = fetchFromGitLab { 28 owner = "duplicity"; 29 repo = "duplicity"; 30 rev = "rel.${version}"; 31 - hash = "sha256-FoaKuB0mo2RFksMHnIUx984+h/U0tdvk+bvsuYt3r5g="; 32 }; 33 34 patches = [

··· 22 let 23 self = python3.pkgs.buildPythonApplication rec { 24 pname = "duplicity"; 25 + version = "3.0.4.1"; 26 27 src = fetchFromGitLab { 28 owner = "duplicity"; 29 repo = "duplicity"; 30 rev = "rel.${version}"; 31 + hash = "sha256-cVzGdn3a9/Kvu/QYWaTXJ1llkPRvj0g8qb7TUjennws="; 32 }; 33 34 patches = [

+2 -2

pkgs/by-name/fl/fly/package.nix

··· 8 9 buildGoModule rec { 10 pname = "fly"; 11 - version = "7.13.0"; 12 13 src = fetchFromGitHub { 14 owner = "concourse"; 15 repo = "concourse"; 16 rev = "v${version}"; 17 - hash = "sha256-myvYACdTqnEb8aBpBeCA1qvcnF0lwYbSo6kMgSz7iiA="; 18 }; 19 20 vendorHash = "sha256-WC4uzTgvW15IumwmsWXXeiF5qagbeb5XWRaSjd1XLvA=";

··· 8 9 buildGoModule rec { 10 pname = "fly"; 11 + version = "7.13.2"; 12 13 src = fetchFromGitHub { 14 owner = "concourse"; 15 repo = "concourse"; 16 rev = "v${version}"; 17 + hash = "sha256-onowKvN8YLDWRRn3rGEMoMxc6XaAcBKJcFOHSVh9Yy8="; 18 }; 19 20 vendorHash = "sha256-WC4uzTgvW15IumwmsWXXeiF5qagbeb5XWRaSjd1XLvA=";

+1 -1

pkgs/by-name/hy/hyperhdr/package.nix

··· 45 ]; 46 47 patches = [ 48 - # Allow completly unvendoring hyperhdr 49 # This can be removed on the next hyperhdr release 50 ./unvendor.patch 51 ];

··· 45 ]; 46 47 patches = [ 48 + # Allow completely unvendoring hyperhdr 49 # This can be removed on the next hyperhdr release 50 ./unvendor.patch 51 ];

+1 -1

pkgs/by-name/il/ilmbase/package.nix

··· 3 lib, 4 buildPackages, 5 cmake, 6 - # explicitely depending on openexr_2 because ilmbase doesn't exist for v3 7 openexr_2, 8 }: 9

··· 3 lib, 4 buildPackages, 5 cmake, 6 + # explicitly depending on openexr_2 because ilmbase doesn't exist for v3 7 openexr_2, 8 }: 9

+1 -1

pkgs/by-name/im/imlib2/package.nix

··· 75 enableParallelBuilding = true; 76 77 # Do not build amd64 assembly code on Darwin, because it fails to compile 78 - # with unknow directive errors 79 configureFlags = 80 optional stdenv.hostPlatform.isDarwin "--enable-amd64=no" 81 ++ optional (!svgSupport) "--without-svg"

··· 75 enableParallelBuilding = true; 76 77 # Do not build amd64 assembly code on Darwin, because it fails to compile 78 + # with unknown directive errors 79 configureFlags = 80 optional stdenv.hostPlatform.isDarwin "--enable-amd64=no" 81 ++ optional (!svgSupport) "--without-svg"

+1 -1

pkgs/by-name/ki/kissfft/package.nix

··· 57 (lib.cmakeFeature "KISSFFT_DATATYPE" datatype) 58 (lib.cmakeBool "KISSFFT_STATIC" enableStatic) 59 # `test/testkiss.py` expects this… 60 - (lib.cmakeFeature "KISSFFT_OPENMP" (if enableOpenmp then "ON" else "OFF")) 61 ]; 62 63 # Required for `test/testcpp.c`.

··· 57 (lib.cmakeFeature "KISSFFT_DATATYPE" datatype) 58 (lib.cmakeBool "KISSFFT_STATIC" enableStatic) 59 # `test/testkiss.py` expects this… 60 + (lib.cmakeBool "KISSFFT_OPENMP" enableOpenmp) 61 ]; 62 63 # Required for `test/testcpp.c`.

+1 -1

pkgs/by-name/li/libcredis/package.nix

··· 13 sha256 = "1l3hlw9rrc11qggbg9a2303p3bhxxx2vqkmlk8avsrbqw15r1ayr"; 14 }; 15 16 - # credis build system has no install actions, provide our own. 17 installPhase = '' 18 mkdir -p "$out/bin" 19 mkdir -p "$out/lib"

··· 13 sha256 = "1l3hlw9rrc11qggbg9a2303p3bhxxx2vqkmlk8avsrbqw15r1ayr"; 14 }; 15 16 + # credits build system has no install actions, provide our own. 17 installPhase = '' 18 mkdir -p "$out/bin" 19 mkdir -p "$out/lib"

+1 -1

pkgs/by-name/mi/miktex/package.nix

··· 106 patches = [ 107 ./startup-config-support-nix-store.patch 108 # Miktex will search exectables in "GetMyPrefix(true)/bin". 109 - # The path evalutate to "/usr/bin" in FHS style linux distrubution, 110 # compared to "/nix/store/.../bin" in NixOS. 111 # As a result, miktex will fail to find e.g. 'pkexec','ksudo','gksu' 112 # under /run/wrappers/bin in NixOS.

··· 106 patches = [ 107 ./startup-config-support-nix-store.patch 108 # Miktex will search exectables in "GetMyPrefix(true)/bin". 109 + # The path evaluate to "/usr/bin" in FHS style linux distribution, 110 # compared to "/nix/store/.../bin" in NixOS. 111 # As a result, miktex will fail to find e.g. 'pkexec','ksudo','gksu' 112 # under /run/wrappers/bin in NixOS.

+1 -1

pkgs/by-name/mx/mxnet/package.nix

··· 14 perl, 15 # mxnet cuda support is turned off, but dependencies like opencv can still be built with cudaSupport 16 # and fail to compile without the cudatoolkit 17 - # mxnet cuda support will not be availaible, as mxnet requires version <=11 18 cudaSupport ? config.cudaSupport, 19 cudaPackages ? { }, 20 }:

··· 14 perl, 15 # mxnet cuda support is turned off, but dependencies like opencv can still be built with cudaSupport 16 # and fail to compile without the cudatoolkit 17 + # mxnet cuda support will not be available, as mxnet requires version <=11 18 cudaSupport ? config.cudaSupport, 19 cudaPackages ? { }, 20 }:

+3 -3

pkgs/by-name/na/namespace-cli/package.nix

··· 6 7 buildGoModule rec { 8 pname = "namespace-cli"; 9 - version = "0.0.415"; 10 11 src = fetchFromGitHub { 12 owner = "namespacelabs"; 13 repo = "foundation"; 14 rev = "v${version}"; 15 - hash = "sha256-mWiY2HbOE7R9ltunpSLiM84iscTuSJTQtWCbk2O/HIQ="; 16 }; 17 18 - vendorHash = "sha256-waO9D0wSluzLl0pULeWMCYKh5IUqcS+VIvwDVwedx64="; 19 20 subPackages = [ 21 "cmd/nsc"

··· 6 7 buildGoModule rec { 8 pname = "namespace-cli"; 9 + version = "0.0.416"; 10 11 src = fetchFromGitHub { 12 owner = "namespacelabs"; 13 repo = "foundation"; 14 rev = "v${version}"; 15 + hash = "sha256-Te2BFbzrGU7iw+CqDafOiIByUfHEb8QGBAci+6imIm4="; 16 }; 17 18 + vendorHash = "sha256-hPZmNH4bhIds+Ps0pQCjYPfvVBaX8e3Bq/onq91Fzq8="; 19 20 subPackages = [ 21 "cmd/nsc"

+3 -3

pkgs/by-name/ne/neothesia/package.nix

··· 12 xorg, 13 }: 14 let 15 - version = "0.3.0"; 16 17 src = fetchFromGitHub { 18 owner = "PolyMeilex"; 19 repo = "Neothesia"; 20 rev = "v${version}"; 21 - hash = "sha256-JD1jQ/a6GHtB/d/fRMCiE4ZOO676BIiZ980VIYUloU0="; 22 }; 23 in 24 rustPlatform.buildRustPackage { ··· 38 ]; 39 40 useFetchCargoVendor = true; 41 - cargoHash = "sha256-OYdKuYOL3X6eqVYANvmfTRA8TGd4+QLg0zodDH0jxXk="; 42 43 cargoBuildFlags = [ 44 "-p neothesia -p neothesia-cli"

··· 12 xorg, 13 }: 14 let 15 + version = "0.3.1"; 16 17 src = fetchFromGitHub { 18 owner = "PolyMeilex"; 19 repo = "Neothesia"; 20 rev = "v${version}"; 21 + hash = "sha256-qYwBSye6RYClSlWmHwuy/rxq9w5932tR33Z+o2S1l8k="; 22 }; 23 in 24 rustPlatform.buildRustPackage { ··· 38 ]; 39 40 useFetchCargoVendor = true; 41 + cargoHash = "sha256-mXeNAVYqPsBWiUZFV/atx/xjLgFNarm2HwI7k/NaAbc="; 42 43 cargoBuildFlags = [ 44 "-p neothesia -p neothesia-cli"

+2 -2

pkgs/by-name/oc/ocenaudio/package.nix

··· 14 15 stdenv.mkDerivation (finalAttrs: { 16 pname = "ocenaudio"; 17 - version = "3.14.11"; 18 19 src = fetchurl { 20 name = "ocenaudio.deb"; 21 url = "https://www.ocenaudio.com/downloads/index.php/ocenaudio_debian12.deb?version=v${finalAttrs.version}"; 22 - hash = "sha256-+UQ4veSoqwNC6ENQVWmOFebiI6RQlV7rBL7n238xxyc="; 23 }; 24 25 nativeBuildInputs = [

··· 14 15 stdenv.mkDerivation (finalAttrs: { 16 pname = "ocenaudio"; 17 + version = "3.15"; 18 19 src = fetchurl { 20 name = "ocenaudio.deb"; 21 url = "https://www.ocenaudio.com/downloads/index.php/ocenaudio_debian12.deb?version=v${finalAttrs.version}"; 22 + hash = "sha256-MZjgdCBE+3dG6Ov+wwDKa/0Y8XIihwM50Gc/cgEf2FQ="; 23 }; 24 25 nativeBuildInputs = [

+3 -3

pkgs/by-name/pd/pdfarranger/package.nix

··· 12 13 python3Packages.buildPythonApplication rec { 14 pname = "pdfarranger"; 15 - version = "1.11.1"; 16 pyproject = true; 17 18 src = fetchFromGitHub { 19 owner = "pdfarranger"; 20 repo = "pdfarranger"; 21 tag = version; 22 - hash = "sha256-94qziqJaKW8/L/6+U1yojxdG8BmeAStn+qbfGemTrVA="; 23 }; 24 25 nativeBuildInputs = [ wrapGAppsHook3 ] ++ lib.optionals stdenv.hostPlatform.isDarwin [ gettext ]; ··· 64 endle 65 ]; 66 license = lib.licenses.gpl3Plus; 67 - changelog = "https://github.com/pdfarranger/pdfarranger/releases/tag/${version}"; 68 }; 69 }

··· 12 13 python3Packages.buildPythonApplication rec { 14 pname = "pdfarranger"; 15 + version = "1.12.0"; 16 pyproject = true; 17 18 src = fetchFromGitHub { 19 owner = "pdfarranger"; 20 repo = "pdfarranger"; 21 tag = version; 22 + hash = "sha256-//JjIPDeyI+JZoFT2GU+wCP+tkKCchgS9ftMT5rUEOM="; 23 }; 24 25 nativeBuildInputs = [ wrapGAppsHook3 ] ++ lib.optionals stdenv.hostPlatform.isDarwin [ gettext ]; ··· 64 endle 65 ]; 66 license = lib.licenses.gpl3Plus; 67 + changelog = "https://github.com/pdfarranger/pdfarranger/releases/tag/${src.tag}"; 68 }; 69 }

+3 -3

pkgs/by-name/ph/phel/package.nix

··· 7 8 php.buildComposerProject2 (finalAttrs: { 9 pname = "phel"; 10 - version = "0.16.1"; 11 12 src = fetchFromGitHub { 13 owner = "phel-lang"; 14 repo = "phel-lang"; 15 tag = "v${finalAttrs.version}"; 16 - hash = "sha256-irN1Dnov6vDiU4xGsf2nxz7/kz1YOMq0yOLYt4HY1EM="; 17 }; 18 19 - vendorHash = "sha256-SDLpl2gBvtVjREfcy1WDFqsGRK1fKr2wKPuBkPhApNI="; 20 21 doInstallCheck = true; 22 nativeInstallCheckInputs = [ versionCheckHook ];

··· 7 8 php.buildComposerProject2 (finalAttrs: { 9 pname = "phel"; 10 + version = "0.17.0"; 11 12 src = fetchFromGitHub { 13 owner = "phel-lang"; 14 repo = "phel-lang"; 15 tag = "v${finalAttrs.version}"; 16 + hash = "sha256-iS887QNUphe+czx1IEz+uESBqee73/mHzmg2Fvi26do="; 17 }; 18 19 + vendorHash = "sha256-lhxgL41gyHVOv1MqjwwnWQTQZz4WU2kWGCSV2EZoJrg="; 20 21 doInstallCheck = true; 22 nativeInstallCheckInputs = [ versionCheckHook ];

+2 -2

pkgs/by-name/sc/scalafmt/package.nix

··· 9 10 let 11 baseName = "scalafmt"; 12 - version = "3.9.6"; 13 deps = stdenv.mkDerivation { 14 name = "${baseName}-deps-${version}"; 15 buildCommand = '' ··· 19 cp $(< deps) $out/share/java/ 20 ''; 21 outputHashMode = "recursive"; 22 - outputHash = "sha256-qn3by++aYx/azaoDJFQfo8PHyjd3w4qI7g6NMIzLiPE="; 23 }; 24 in 25 stdenv.mkDerivation {

··· 9 10 let 11 baseName = "scalafmt"; 12 + version = "3.9.7"; 13 deps = stdenv.mkDerivation { 14 name = "${baseName}-deps-${version}"; 15 buildCommand = '' ··· 19 cp $(< deps) $out/share/java/ 20 ''; 21 outputHashMode = "recursive"; 22 + outputHash = "sha256-x1hEJtzZ0DmFDc7X5Tua3F0BcWz/Atm2zmMr7GgfkUM="; 23 }; 24 in 25 stdenv.mkDerivation {

+13 -7

pkgs/by-name/sd/sdl2-compat/package.nix

··· 2 cmake, 3 lib, 4 fetchFromGitHub, 5 - monado, 6 ninja, 7 nix-update-script, 8 SDL2_ttf, 9 SDL2_net, 10 SDL2_gfx, 11 SDL2_sound, 12 SDL2_mixer, 13 SDL2_image, 14 - sdl3, 15 - stdenv, 16 - testers, 17 - libX11, 18 - libGL, 19 }: 20 21 stdenv.mkDerivation (finalAttrs: { ··· 76 pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage; 77 78 inherit 79 SDL2_ttf 80 SDL2_net 81 SDL2_gfx 82 SDL2_sound 83 SDL2_mixer 84 SDL2_image 85 ; 86 } 87 // lib.optionalAttrs stdenv.hostPlatform.isLinux { 88 - inherit monado; 89 }; 90 91 updateScript = nix-update-script {

··· 2 cmake, 3 lib, 4 fetchFromGitHub, 5 ninja, 6 + sdl3, 7 + stdenv, 8 + testers, 9 + libX11, 10 + libGL, 11 nix-update-script, 12 + 13 + # passthru tests 14 SDL2_ttf, 15 SDL2_net, 16 SDL2_gfx, 17 SDL2_sound, 18 SDL2_mixer, 19 SDL2_image, 20 + SDL_compat, 21 + ffmpeg, 22 + qemu, 23 }: 24 25 stdenv.mkDerivation (finalAttrs: { ··· 80 pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage; 81 82 inherit 83 + SDL_compat 84 SDL2_ttf 85 SDL2_net 86 SDL2_gfx 87 SDL2_sound 88 SDL2_mixer 89 SDL2_image 90 + ffmpeg 91 ; 92 } 93 // lib.optionalAttrs stdenv.hostPlatform.isLinux { 94 + inherit qemu; 95 }; 96 97 updateScript = nix-update-script {

+14

pkgs/by-name/si/signal-desktop/dont-strip-absolute-paths.patch

···

··· 1 + diff --git a/node/build_node_bridge.py b/node/build_node_bridge.py 2 + index c983fc3..2ab06dc 100755 3 + --- a/node/build_node_bridge.py 4 + +++ b/node/build_node_bridge.py 5 + @@ -138,9 +138,6 @@ def main(args: Optional[List[str]] = None) -> int: 6 + cargo_env['CARGO_PROFILE_RELEASE_LTO'] = 'thin' 7 + # Enable ARMv8 cryptography acceleration when available 8 + cargo_env['RUSTFLAGS'] += ' --cfg aes_armv8' 9 + - # Strip absolute paths 10 + - for path in build_helpers.rust_paths_to_remap(): 11 + - cargo_env['RUSTFLAGS'] += f' --remap-path-prefix {path}=' 12 + 13 + # If set (below), will post-process the build library using this instead of just `cp`-ing it. 14 + objcopy = None

+10 -9

pkgs/by-name/si/signal-desktop/libsignal-node.nix

··· 24 in 25 rustPlatform.buildRustPackage (finalAttrs: { 26 pname = "libsignal-node"; 27 - version = "0.70.0"; 28 29 src = fetchFromGitHub { 30 owner = "signalapp"; 31 repo = "libsignal"; 32 tag = "v${finalAttrs.version}"; 33 - hash = "sha256-6CBhLvD0UflLzJHAMB21wSH8MWTUNx0uPdqOUo/Eq44="; 34 }; 35 useFetchCargoVendor = true; 36 - cargoHash = "sha256-4bSPPf16nUQTl6INa3mLhPIe8iiFfpPw1E5fpNvnKqs="; 37 38 npmRoot = "node"; 39 npmDeps = fetchNpmDeps { 40 name = "${finalAttrs.pname}-npm-deps"; 41 inherit (finalAttrs) version src; 42 sourceRoot = "${finalAttrs.src.name}/${finalAttrs.npmRoot}"; 43 - hash = "sha256-djk+YGZ/eUq6MXjUEE47bgKnQlUSuaoUPx8hUMtjvyQ="; 44 }; 45 46 nativeBuildInputs = [ ··· 56 env.BORING_BSSL_PATH = "${boringssl-wrapper}"; 57 env.NIX_LDFLAGS = if stdenv.hostPlatform.isDarwin then "-lc++" else "-lstdc++"; 58 59 - patchPhase = '' 60 - runHook prePatch 61 - 62 substituteInPlace node/binding.gyp \ 63 --replace-fail "'--out-dir', '<(PRODUCT_DIR)/'," \ 64 "'--out-dir', '$out/lib/<(NODE_OS_NAME)-<(target_arch)/'," \ ··· 68 substituteInPlace node/build_node_bridge.py \ 69 --replace-fail "dst_base = 'libsignal_client_%s_%s' % (node_os_name, node_arch)" \ 70 "dst_base = '@signalapp+libsignal-client'" 71 - 72 - runHook postPatch 73 ''; 74 75 buildPhase = ''

··· 24 in 25 rustPlatform.buildRustPackage (finalAttrs: { 26 pname = "libsignal-node"; 27 + version = "0.72.1"; 28 29 src = fetchFromGitHub { 30 owner = "signalapp"; 31 repo = "libsignal"; 32 tag = "v${finalAttrs.version}"; 33 + hash = "sha256-A8EAHHcBFSD4ZlvFig64g4+eoZQCuqE/qv509hA3I4s="; 34 }; 35 useFetchCargoVendor = true; 36 + cargoHash = "sha256-+vJrywIi/RcGGGns42XlN6S63RBil3fB4XByTLsaFVc="; 37 38 npmRoot = "node"; 39 npmDeps = fetchNpmDeps { 40 name = "${finalAttrs.pname}-npm-deps"; 41 inherit (finalAttrs) version src; 42 sourceRoot = "${finalAttrs.src.name}/${finalAttrs.npmRoot}"; 43 + hash = "sha256-ZD0ZN2b7KReGbnvarqvGpOlQ5TsJfnaHmmOWQ42Y48E="; 44 }; 45 46 nativeBuildInputs = [ ··· 56 env.BORING_BSSL_PATH = "${boringssl-wrapper}"; 57 env.NIX_LDFLAGS = if stdenv.hostPlatform.isDarwin then "-lc++" else "-lstdc++"; 58 59 + patches = [ 60 + # This is used to strip absolute paths of dependencies to avoid leaking info about build machine. Nix builders 61 + # already solve this problem by chrooting os this is not needed. 62 + ./dont-strip-absolute-paths.patch 63 + ]; 64 + postPatch = '' 65 substituteInPlace node/binding.gyp \ 66 --replace-fail "'--out-dir', '<(PRODUCT_DIR)/'," \ 67 "'--out-dir', '$out/lib/<(NODE_OS_NAME)-<(target_arch)/'," \ ··· 71 substituteInPlace node/build_node_bridge.py \ 72 --replace-fail "dst_base = 'libsignal_client_%s_%s' % (node_os_name, node_arch)" \ 73 "dst_base = '@signalapp+libsignal-client'" 74 ''; 75 76 buildPhase = ''

+8 -8

pkgs/by-name/si/signal-desktop/package.nix

··· 3 lib, 4 nodejs_22, 5 pnpm_10, 6 - electron_35, 7 python3, 8 makeWrapper, 9 callPackage, ··· 19 let 20 nodejs = nodejs_22; 21 pnpm = pnpm_10.override { inherit nodejs; }; 22 - electron = electron_35; 23 24 libsignal-node = callPackage ./libsignal-node.nix { inherit nodejs; }; 25 signal-sqlcipher = callPackage ./signal-sqlcipher.nix { inherit pnpm nodejs; }; ··· 48 ''; 49 }); 50 51 - version = "7.54.0"; 52 53 src = fetchFromGitHub { 54 owner = "signalapp"; 55 repo = "Signal-Desktop"; 56 tag = "v${version}"; 57 - hash = "sha256-dv1Yi7gSd7kY3MSrsPjcaf2hAEq6Y+XoWtlBfvd86ac="; 58 }; 59 60 sticker-creator = stdenv.mkDerivation (finalAttrs: { ··· 64 65 pnpmDeps = pnpm.fetchDeps { 66 inherit (finalAttrs) pname src version; 67 - hash = "sha256-TuPyRVNFIlR0A4YHMpQsQ6m+lm2fsp79FzQ1P5qqjIc="; 68 }; 69 70 strictDeps = true; ··· 116 ; 117 hash = 118 if withAppleEmojis then 119 - "sha256-Kdg0+kLEDFobWEEhJgKuaou/pYwn1dTugye7OcMYfEQ=" 120 else 121 - "sha256-cit/Hn7L6qmfIJCDF2wlx/4aKygRYy+zvBQGX6Mg+og="; 122 }; 123 124 env = { 125 ELECTRON_SKIP_BINARY_DOWNLOAD = "1"; 126 SIGNAL_ENV = "production"; 127 - SOURCE_DATE_EPOCH = 1747170390; 128 }; 129 130 preBuild = ''

··· 3 lib, 4 nodejs_22, 5 pnpm_10, 6 + electron_36, 7 python3, 8 makeWrapper, 9 callPackage, ··· 19 let 20 nodejs = nodejs_22; 21 pnpm = pnpm_10.override { inherit nodejs; }; 22 + electron = electron_36; 23 24 libsignal-node = callPackage ./libsignal-node.nix { inherit nodejs; }; 25 signal-sqlcipher = callPackage ./signal-sqlcipher.nix { inherit pnpm nodejs; }; ··· 48 ''; 49 }); 50 51 + version = "7.56.0"; 52 53 src = fetchFromGitHub { 54 owner = "signalapp"; 55 repo = "Signal-Desktop"; 56 tag = "v${version}"; 57 + hash = "sha256-BrgBlDEgb08oX7Mh/P4nuoM+dkSDpB45zOtDNMYeZr0="; 58 }; 59 60 sticker-creator = stdenv.mkDerivation (finalAttrs: { ··· 64 65 pnpmDeps = pnpm.fetchDeps { 66 inherit (finalAttrs) pname src version; 67 + hash = "sha256-cT7Ixl/V/mesPHvJUsG63Y/wXwKjbjkjdjP3S7uEOa0="; 68 }; 69 70 strictDeps = true; ··· 116 ; 117 hash = 118 if withAppleEmojis then 119 + "sha256-RP3d1t4bbvehdCDSL3bHrlJEnn65TDViI5jVjSiuJw8=" 120 else 121 + "sha256-KJvc+kVcwRKsUVW3lK7fPXUSqDQlJFPbYAzQjhFtfoU="; 122 }; 123 124 env = { 125 ELECTRON_SKIP_BINARY_DOWNLOAD = "1"; 126 SIGNAL_ENV = "production"; 127 + SOURCE_DATE_EPOCH = 1748456277; 128 }; 129 130 preBuild = ''

+3 -3

pkgs/by-name/si/signal-desktop/ringrtc.nix

··· 19 in 20 rustPlatform.buildRustPackage (finalAttrs: { 21 pname = "ringrtc"; 22 - version = "2.51.0"; 23 24 src = fetchFromGitHub { 25 owner = "signalapp"; 26 repo = "ringrtc"; 27 tag = "v${finalAttrs.version}"; 28 - hash = "sha256-PLrGLW6pDoCNpbWASxAqockAJRoeBrkBdxNOHYrQu4s="; 29 }; 30 useFetchCargoVendor = true; 31 - cargoHash = "sha256-u38VOV2xdNG1WFox+SWT9ejJD1TjK0yAI6lCB9r75iY="; 32 33 cargoBuildFlags = [ 34 "-p"

··· 19 in 20 rustPlatform.buildRustPackage (finalAttrs: { 21 pname = "ringrtc"; 22 + version = "2.52.0"; 23 24 src = fetchFromGitHub { 25 owner = "signalapp"; 26 repo = "ringrtc"; 27 tag = "v${finalAttrs.version}"; 28 + hash = "sha256-Ao1mFJYPnV3lfg4SERwq4dGnBhOVI9pwsqPAsUtV/iY="; 29 }; 30 useFetchCargoVendor = true; 31 + cargoHash = "sha256-mO9t4ZDDM5Y9cMkmdrYrdGYukN1xfGogPSNq+S1t4Us="; 32 33 cargoBuildFlags = [ 34 "-p"

+2 -2

pkgs/by-name/si/signal-desktop/signal-sqlcipher.nix

··· 11 }: 12 stdenv.mkDerivation (finalAttrs: { 13 pname = "node-sqlcipher"; 14 - version = "2.0.1"; 15 16 src = fetchFromGitHub { 17 owner = "signalapp"; 18 repo = "node-sqlcipher"; 19 tag = "v${finalAttrs.version}"; 20 - hash = "sha256-15t2HuEYdCxShK703/z3bb1VCgSNpziaK5+wM3TqSHg="; 21 }; 22 23 pnpmDeps = pnpm.fetchDeps {

··· 11 }: 12 stdenv.mkDerivation (finalAttrs: { 13 pname = "node-sqlcipher"; 14 + version = "2.0.3"; 15 16 src = fetchFromGitHub { 17 owner = "signalapp"; 18 repo = "node-sqlcipher"; 19 tag = "v${finalAttrs.version}"; 20 + hash = "sha256-H5/+XcXnINRL5BWItWx6YaPP46+k1xTbyfDqHPCRDXk="; 21 }; 22 23 pnpmDeps = pnpm.fetchDeps {

+2 -2

pkgs/by-name/si/signal-desktop/webrtc-sources.json

··· 1 { 2 "src": { 3 "args": { 4 - "hash": "sha256-yomovlwRmrzsN+dvmUgOM6pzBTH41QuHQXnEJBhQglY=", 5 "owner": "signalapp", 6 "repo": "webrtc", 7 - "tag": "6998b" 8 }, 9 "fetcher": "fetchFromGitHub" 10 },

··· 1 { 2 "src": { 3 "args": { 4 + "hash": "sha256-AFMJmIo7O4fYrVWABciQphTxHQSj4CdfhluIIPpPWAw=", 5 "owner": "signalapp", 6 "repo": "webrtc", 7 + "tag": "6998c" 8 }, 9 "fetcher": "fetchFromGitHub" 10 },

+1 -1

pkgs/by-name/ty/typical/package.nix

··· 30 31 patches = [ 32 # Related to https://github.com/stepchowfun/typical/pull/501 33 - # Commiting a slightly different patch because the upstream one doesn't apply cleanly 34 ./lifetime.patch 35 ]; 36

··· 30 31 patches = [ 32 # Related to https://github.com/stepchowfun/typical/pull/501 33 + # Committing a slightly different patch because the upstream one doesn't apply cleanly 34 ./lifetime.patch 35 ]; 36

+1 -1

pkgs/by-name/us/usb-reset/package.nix

··· 8 stdenv.mkDerivation { 9 pname = "usb-reset"; 10 # not tagged, but changelog has this with the date of the e9a9d6c commit 11 - # and no significant change occured between bumping the version in the Makefile and that 12 # and the changes since then (up to ff822d8) seem snap related 13 version = "0.3"; 14

··· 8 stdenv.mkDerivation { 9 pname = "usb-reset"; 10 # not tagged, but changelog has this with the date of the e9a9d6c commit 11 + # and no significant change occurred between bumping the version in the Makefile and that 12 # and the changes since then (up to ff822d8) seem snap related 13 version = "0.3"; 14

+4 -4

pkgs/by-name/va/vanillatd/package.nix

··· 66 ]; 67 68 cmakeFlags = [ 69 - (lib.cmakeFeature "BUILD_VANILLATD" (if appName == "vanillatd" then "ON" else "OFF")) 70 - (lib.cmakeFeature "BUILD_VANILLARA" (if appName == "vanillara" then "ON" else "OFF")) 71 - (lib.cmakeFeature "BUILD_REMASTERTD" (if appName == "remastertd" then "ON" else "OFF")) 72 - (lib.cmakeFeature "BUILD_REMASTERRA" (if appName == "remasterra" then "ON" else "OFF")) 73 (lib.cmakeFeature "CMAKE_BUILD_TYPE" CMAKE_BUILD_TYPE) 74 ]; 75

··· 66 ]; 67 68 cmakeFlags = [ 69 + (lib.cmakeBool "BUILD_VANILLATD" (appName == "vanillatd")) 70 + (lib.cmakeBool "BUILD_VANILLARA" (appName == "vanillara")) 71 + (lib.cmakeBool "BUILD_REMASTERTD" (appName == "remastertd")) 72 + (lib.cmakeBool "BUILD_REMASTERRA" (appName == "remasterra")) 73 (lib.cmakeFeature "CMAKE_BUILD_TYPE" CMAKE_BUILD_TYPE) 74 ]; 75

+2 -2

pkgs/by-name/ve/vectorcode/package.nix

··· 10 11 python3Packages.buildPythonApplication rec { 12 pname = "vectorcode"; 13 - version = "0.6.9"; 14 pyproject = true; 15 16 src = fetchFromGitHub { 17 owner = "Davidyz"; 18 repo = "VectorCode"; 19 tag = version; 20 - hash = "sha256-qXrXNt5uI/gePFyJ79y+zksSekq7BzsbL+1tvMQ/zKM="; 21 }; 22 23 build-system = with python3Packages; [

··· 10 11 python3Packages.buildPythonApplication rec { 12 pname = "vectorcode"; 13 + version = "0.6.10"; 14 pyproject = true; 15 16 src = fetchFromGitHub { 17 owner = "Davidyz"; 18 repo = "VectorCode"; 19 tag = version; 20 + hash = "sha256-k9YpsVFV1HkIIIFPB7Iz7Jar+lY5vK6gpzNIlX55ZDY="; 21 }; 22 23 build-system = with python3Packages; [

+19 -10

pkgs/by-name/wa/watchexec/package.nix

··· 4 rustPlatform, 5 fetchFromGitHub, 6 installShellFiles, 7 }: 8 9 - rustPlatform.buildRustPackage rec { 10 pname = "watchexec"; 11 - version = "2.3.1"; 12 13 src = fetchFromGitHub { 14 owner = "watchexec"; 15 repo = "watchexec"; 16 - rev = "v${version}"; 17 - hash = "sha256-ldxB1/WgOe1uGfKXkMEtGHIlWiKJgnZz6j/7eCOGD8s="; 18 }; 19 20 useFetchCargoVendor = true; 21 - cargoHash = "sha256-LdjJlf4HPN+kZOQKPNSdbYApGBD4Z6tKV9Y0FFKpAf0="; 22 23 nativeBuildInputs = [ installShellFiles ]; 24 ··· 35 36 postInstall = '' 37 installManPage doc/watchexec.1 38 - installShellCompletion --zsh --name _watchexec completions/zsh 39 ''; 40 41 - meta = with lib; { 42 description = "Executes commands in response to file modifications"; 43 homepage = "https://watchexec.github.io/"; 44 - license = with licenses; [ asl20 ]; 45 - maintainers = [ maintainers.michalrus ]; 46 mainProgram = "watchexec"; 47 }; 48 - }

··· 4 rustPlatform, 5 fetchFromGitHub, 6 installShellFiles, 7 + nix-update-script, 8 }: 9 10 + rustPlatform.buildRustPackage (finalAttrs: { 11 pname = "watchexec"; 12 + version = "2.3.2"; 13 14 src = fetchFromGitHub { 15 owner = "watchexec"; 16 repo = "watchexec"; 17 + tag = "v${finalAttrs.version}"; 18 + hash = "sha256-BJRvz3rFLaOCNhOsEo0rSOgB9BCJ2LMB9XEw8RBWXXs="; 19 }; 20 21 useFetchCargoVendor = true; 22 + cargoHash = "sha256-VtSRC4lyjMo2O9dNbVllcDEx08zQWJMQmQ/2bNMup6U="; 23 24 nativeBuildInputs = [ installShellFiles ]; 25 ··· 36 37 postInstall = '' 38 installManPage doc/watchexec.1 39 + installShellCompletion --cmd watchexec \ 40 + --bash completions/bash \ 41 + --fish completions/fish \ 42 + --zsh completions/zsh 43 ''; 44 45 + passthru.updateScript = nix-update-script { }; 46 + 47 + meta = { 48 description = "Executes commands in response to file modifications"; 49 homepage = "https://watchexec.github.io/"; 50 + license = with lib.licenses; [ asl20 ]; 51 + maintainers = with lib.maintainers; [ 52 + michalrus 53 + prince213 54 + ]; 55 mainProgram = "watchexec"; 56 }; 57 + })

+2 -2

pkgs/by-name/wh/whisper-ctranslate2/package.nix

··· 7 }: 8 let 9 pname = "whisper-ctranslate2"; 10 - version = "0.5.2"; 11 in 12 python3Packages.buildPythonApplication { 13 inherit pname version; ··· 17 owner = "Softcatala"; 18 repo = "whisper-ctranslate2"; 19 tag = version; 20 - hash = "sha256-53sKuaZJcH/i2C4oeKcvxRs3OmkvR3USw6nnPh+i+Eo="; 21 }; 22 23 build-system = [ python3Packages.setuptools ];

··· 7 }: 8 let 9 pname = "whisper-ctranslate2"; 10 + version = "0.5.3"; 11 in 12 python3Packages.buildPythonApplication { 13 inherit pname version; ··· 17 owner = "Softcatala"; 18 repo = "whisper-ctranslate2"; 19 tag = version; 20 + hash = "sha256-rRxadVYv69Jgzai+ANS6oKHOArTI9vPDPeTybtOySww="; 21 }; 22 23 build-system = [ python3Packages.setuptools ];

+1 -1

pkgs/by-name/yt/ytmdesktop/package.nix

··· 38 }; 39 40 patches = [ 41 - # instead of runnning git during the build process 42 # use the .COMMIT file generated in the fetcher FOD 43 ./git-rev-parse.patch 44 ];

··· 38 }; 39 40 patches = [ 41 + # instead of running git during the build process 42 # use the .COMMIT file generated in the fetcher FOD 43 ./git-rev-parse.patch 44 ];

+2 -2

pkgs/by-name/za/zashboard/package.nix

··· 9 10 stdenv.mkDerivation (finalAttrs: { 11 pname = "zashboard"; 12 - version = "1.90.0"; 13 14 src = fetchFromGitHub { 15 owner = "Zephyruso"; 16 repo = "zashboard"; 17 tag = "v${finalAttrs.version}"; 18 - hash = "sha256-LxA0X2E9Xue79xLAYuCz0ZA0v8hYVxkb+1h6qB4MiDI="; 19 }; 20 21 nativeBuildInputs = [

··· 9 10 stdenv.mkDerivation (finalAttrs: { 11 pname = "zashboard"; 12 + version = "1.93.0"; 13 14 src = fetchFromGitHub { 15 owner = "Zephyruso"; 16 repo = "zashboard"; 17 tag = "v${finalAttrs.version}"; 18 + hash = "sha256-0YlFDmn5XAQiGxGpFJtVgtFdPbxApVlsqRLwIun0YtI="; 19 }; 20 21 nativeBuildInputs = [

+1 -1

pkgs/by-name/ze/zepp-simulator/package.nix

··· 6 copyDesktopItems, 7 autoPatchelfHook, 8 9 - # Upstream is officialy built with Electron 18 10 # (but it works with latest Electron with minor changes, see HACK below) 11 electron, 12 asar,

··· 6 copyDesktopItems, 7 autoPatchelfHook, 8 9 + # Upstream is officially built with Electron 18 10 # (but it works with latest Electron with minor changes, see HACK below) 11 electron, 12 asar,

+1 -1

pkgs/development/compilers/gcc/common/configure-flags.nix

··· 38 39 # Note [Windows Exception Handling] 40 # sjlj (short jump long jump) exception handling makes no sense on x86_64, 41 - # it's forcably slowing programs down as it produces a constant overhead. 42 # On x86_64 we have SEH (Structured Exception Handling) and we should use 43 # that. On i686, we do not have SEH, and have to use sjlj with dwarf2. 44 # Hence it's now conditional on x86_32 (i686 is 32bit).

··· 38 39 # Note [Windows Exception Handling] 40 # sjlj (short jump long jump) exception handling makes no sense on x86_64, 41 + # it's forcibly slowing programs down as it produces a constant overhead. 42 # On x86_64 we have SEH (Structured Exception Handling) and we should use 43 # that. On i686, we do not have SEH, and have to use sjlj with dwarf2. 44 # Hence it's now conditional on x86_32 (i686 is 32bit).

+4 -4

pkgs/development/haskell-modules/configuration-common.nix

··· 21 # To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. 22 self: super: 23 { 24 - # Hackage's accelerate is from 2020 and incomptible with our GHC. 25 # The existing derivation also has missing dependencies 26 # compared to the source from github. 27 # https://github.com/AccelerateHS/accelerate/issues/553 ··· 820 katt = dontCheck super.katt; 821 language-slice = dontCheck super.language-slice; 822 823 - # Bogus lower bound on data-default-class added via Hackage revison 824 # https://github.com/mrkkrp/req/pull/180#issuecomment-2628201485 825 req = overrideCabal { 826 revision = null; ··· 1979 license = lib.licenses.bsd3; 1980 # ghc-bignum is not buildable if none of the three backends 1981 # is explicitly enabled. We enable Native for now as it doesn't 1982 - # depend on anything else as oppossed to GMP and FFI. 1983 # Apply patch which fixes a compilation failure we encountered. 1984 # Will need to be kept until we can drop ghc-bignum entirely, 1985 # i. e. if GHC 8.10.* and 8.8.* have been removed. ··· 2542 # Missing test files https://github.com/kephas/xdg-basedir-compliant/issues/1 2543 xdg-basedir-compliant = dontCheck super.xdg-basedir-compliant; 2544 2545 - # Test failure after libxcrypt migration, reported upstrem at 2546 # https://github.com/phadej/crypt-sha512/issues/13 2547 crypt-sha512 = dontCheck super.crypt-sha512; 2548

··· 21 # To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. 22 self: super: 23 { 24 + # Hackage's accelerate is from 2020 and incompatible with our GHC. 25 # The existing derivation also has missing dependencies 26 # compared to the source from github. 27 # https://github.com/AccelerateHS/accelerate/issues/553 ··· 820 katt = dontCheck super.katt; 821 language-slice = dontCheck super.language-slice; 822 823 + # Bogus lower bound on data-default-class added via Hackage revision 824 # https://github.com/mrkkrp/req/pull/180#issuecomment-2628201485 825 req = overrideCabal { 826 revision = null; ··· 1979 license = lib.licenses.bsd3; 1980 # ghc-bignum is not buildable if none of the three backends 1981 # is explicitly enabled. We enable Native for now as it doesn't 1982 + # depend on anything else as opposed to GMP and FFI. 1983 # Apply patch which fixes a compilation failure we encountered. 1984 # Will need to be kept until we can drop ghc-bignum entirely, 1985 # i. e. if GHC 8.10.* and 8.8.* have been removed. ··· 2542 # Missing test files https://github.com/kephas/xdg-basedir-compliant/issues/1 2543 xdg-basedir-compliant = dontCheck super.xdg-basedir-compliant; 2544 2545 + # Test failure after libxcrypt migration, reported upstream at 2546 # https://github.com/phadej/crypt-sha512/issues/13 2547 crypt-sha512 = dontCheck super.crypt-sha512; 2548

+1 -1

pkgs/development/interpreters/ruby/default.nix

··· 207 # When using a baseruby, ruby always sets "libdir" to the build 208 # directory, which nix rejects due to a reference in to /build/ in 209 # the final product. Removing this reference doesn't seem to break 210 - # anything and fixes cross compliation. 211 ./dont-refer-to-build-dir.patch 212 ]; 213

··· 207 # When using a baseruby, ruby always sets "libdir" to the build 208 # directory, which nix rejects due to a reference in to /build/ in 209 # the final product. Removing this reference doesn't seem to break 210 + # anything and fixes cross compilation. 211 ./dont-refer-to-build-dir.patch 212 ]; 213

+1 -1

pkgs/development/libraries/ffmpeg/generic.nix

··· 34 # all dependants in Nixpkgs 35 withSmallDeps ? ffmpegVariant == "small" || withFullDeps, 36 37 - # Everything enabled; only guarded behind platform exclusivity or brokeness. 38 # If you need to depend on ffmpeg-full because ffmpeg is missing some feature 39 # your package needs, you should enable that feature in regular ffmpeg 40 # instead.

··· 34 # all dependants in Nixpkgs 35 withSmallDeps ? ffmpegVariant == "small" || withFullDeps, 36 37 + # Everything enabled; only guarded behind platform exclusivity or brokenness. 38 # If you need to depend on ffmpeg-full because ffmpeg is missing some feature 39 # your package needs, you should enable that feature in regular ffmpeg 40 # instead.

+1 -1

pkgs/development/libraries/openssl/default.nix

··· 225 # This avoids conflicts between man pages of openssl subcommands (for 226 # example 'ts' and 'err') man pages and their equivalent top-level 227 # command in other packages (respectively man-pages and moreutils). 228 - # This is done in ubuntu and archlinux, and possiibly many other distros. 229 "MANSUFFIX=ssl" 230 ]; 231

··· 225 # This avoids conflicts between man pages of openssl subcommands (for 226 # example 'ts' and 'err') man pages and their equivalent top-level 227 # command in other packages (respectively man-pages and moreutils). 228 + # This is done in ubuntu and archlinux, and possibly many other distros. 229 "MANSUFFIX=ssl" 230 ]; 231

+1 -1

pkgs/development/libraries/vigra/default.nix

··· 29 }; 30 31 patches = [ 32 - # Pathes to fix compiling on LLVM 19 from https://github.com/ukoethe/vigra/pull/592 33 ./fix-llvm-19-1.patch 34 ./fix-llvm-19-2.patch 35 ];

··· 29 }; 30 31 patches = [ 32 + # Patches to fix compiling on LLVM 19 from https://github.com/ukoethe/vigra/pull/592 33 ./fix-llvm-19-1.patch 34 ./fix-llvm-19-2.patch 35 ];

+2 -2

pkgs/development/python-modules/aiokem/default.nix

··· 14 15 buildPythonPackage rec { 16 pname = "aiokem"; 17 - version = "0.5.11"; 18 pyproject = true; 19 20 disabled = pythonOlder "3.12"; ··· 23 owner = "kohlerlibs"; 24 repo = "aiokem"; 25 tag = "v${version}"; 26 - hash = "sha256-1fBGmsp6DoDP1EUjp2tfWT3nTux0/2iiC6x/LxrCrd8="; 27 }; 28 29 build-system = [ setuptools ];

··· 14 15 buildPythonPackage rec { 16 pname = "aiokem"; 17 + version = "0.5.12"; 18 pyproject = true; 19 20 disabled = pythonOlder "3.12"; ··· 23 owner = "kohlerlibs"; 24 repo = "aiokem"; 25 tag = "v${version}"; 26 + hash = "sha256-/NbPKN47aSfM7SllP04fHXV2fr+QQRr1x6NfbpeTfzc="; 27 }; 28 29 build-system = [ setuptools ];

+1 -1

pkgs/development/python-modules/brotlicffi/default.nix

··· 4 buildPythonPackage, 5 pythonOlder, 6 cffi, 7 - # overriden as pkgs.brotli 8 brotli, 9 setuptools, 10 pytestCheckHook,

··· 4 buildPythonPackage, 5 pythonOlder, 6 cffi, 7 + # overridden as pkgs.brotli 8 brotli, 9 setuptools, 10 pytestCheckHook,

+1 -1

pkgs/development/python-modules/datadog/default.nix

··· 60 # https://github.com/DataDog/datadogpy/issues/746 61 "TestDogshell" 62 63 - # Flaky: test execution time aganst magic values 64 "test_distributed" 65 "test_timed" 66 "test_timed_in_ms"

··· 60 # https://github.com/DataDog/datadogpy/issues/746 61 "TestDogshell" 62 63 + # Flaky: test execution time against magic values 64 "test_distributed" 65 "test_timed" 66 "test_timed_in_ms"

+1 -1

pkgs/development/python-modules/dm-haiku/default.nix

··· 60 61 # AttributeError: jax.core.Var was removed in JAX v0.6.0. Use jax.extend.core.Var instead, and 62 # see https://docs.jax.dev/en/latest/jax.extend.html for details. 63 - # Alrady on master: https://github.com/google-deepmind/dm-haiku/commit/cfe8480d253a93100bf5e2d24c40435a95399c96 64 # TODO: remove at the next release 65 postPatch = '' 66 substituteInPlace haiku/_src/jaxpr_info.py \

··· 60 61 # AttributeError: jax.core.Var was removed in JAX v0.6.0. Use jax.extend.core.Var instead, and 62 # see https://docs.jax.dev/en/latest/jax.extend.html for details. 63 + # Already on master: https://github.com/google-deepmind/dm-haiku/commit/cfe8480d253a93100bf5e2d24c40435a95399c96 64 # TODO: remove at the next release 65 postPatch = '' 66 substituteInPlace haiku/_src/jaxpr_info.py \

+1 -1

pkgs/development/python-modules/flashinfer/default.nix

··· 3 # requires the CUDA toolkit (via nvcc) to be available. 4 # 5 # This means that if you plan to use flashinfer, you will need to set the 6 - # environment varaible `CUDA_HOME` to `cudatoolkit`. 7 { 8 lib, 9 config,

··· 3 # requires the CUDA toolkit (via nvcc) to be available. 4 # 5 # This means that if you plan to use flashinfer, you will need to set the 6 + # environment variable `CUDA_HOME` to `cudatoolkit`. 7 { 8 lib, 9 config,

+1 -1

pkgs/development/python-modules/fmpy/default.nix

··· 178 }; 179 180 # FMPy searches for sundials without the "lib"-prefix; strip it 181 - # and symlink the so-files into existance. 182 postFixup = '' 183 pushd $out/lib 184 for so in *.so; do

··· 178 }; 179 180 # FMPy searches for sundials without the "lib"-prefix; strip it 181 + # and symlink the so-files into existence. 182 postFixup = '' 183 pushd $out/lib 184 for so in *.so; do

+2 -2

pkgs/development/python-modules/imeon-inverter-api/default.nix

··· 9 10 buildPythonPackage rec { 11 pname = "imeon-inverter-api"; 12 - version = "0.3.13"; 13 pyproject = true; 14 15 src = fetchFromGitHub { 16 owner = "Imeon-Inverters-for-Home-Assistant"; 17 repo = "inverter-api"; 18 tag = version; 19 - hash = "sha256-1ovmIG20AcUzyesXT5HC6oPEKofpH2B+AEfmKQnNQ8c="; 20 }; 21 22 build-system = [ pdm-pep517 ];

··· 9 10 buildPythonPackage rec { 11 pname = "imeon-inverter-api"; 12 + version = "0.3.14"; 13 pyproject = true; 14 15 src = fetchFromGitHub { 16 owner = "Imeon-Inverters-for-Home-Assistant"; 17 repo = "inverter-api"; 18 tag = version; 19 + hash = "sha256-zjG9rcKdV+o5M3yIRaxz93sP3u4Vfs8JhSSYzKdQi2I="; 20 }; 21 22 build-system = [ pdm-pep517 ];

+1 -1

pkgs/development/python-modules/itables/default.nix

··· 27 # itables has 4 different node packages, each with their own 28 # package-lock.json, and partially depending on each other. 29 # Our fetchNpmDeps tooling in nixpkgs doesn't support this yet, so we fetch 30 - # the source tarball from pypi, wich includes the javascript bundle already. 31 src = fetchPypi { 32 inherit pname version; 33 hash = "sha256-S5HASUVfqTny+Vu15MYSSrEffCaJuL7UhDOc3eudVWI=";

··· 27 # itables has 4 different node packages, each with their own 28 # package-lock.json, and partially depending on each other. 29 # Our fetchNpmDeps tooling in nixpkgs doesn't support this yet, so we fetch 30 + # the source tarball from pypi, which includes the javascript bundle already. 31 src = fetchPypi { 32 inherit pname version; 33 hash = "sha256-S5HASUVfqTny+Vu15MYSSrEffCaJuL7UhDOc3eudVWI=";

+1 -1

pkgs/development/python-modules/langchain-aws/default.nix

··· 54 # Boto @ 1.35 has outstripped the version requirement 55 "boto3" 56 # Each component release requests the exact latest core. 57 - # That prevents us from updating individul components. 58 "langchain-core" 59 ]; 60

··· 54 # Boto @ 1.35 has outstripped the version requirement 55 "boto3" 56 # Each component release requests the exact latest core. 57 + # That prevents us from updating individual components. 58 "langchain-core" 59 ]; 60

+1 -1

pkgs/development/python-modules/langchain-azure-dynamic-sessions/default.nix

··· 44 45 pythonRelaxDeps = [ 46 # Each component release requests the exact latest core. 47 - # That prevents us from updating individul components. 48 "langchain-core" 49 ]; 50

··· 44 45 pythonRelaxDeps = [ 46 # Each component release requests the exact latest core. 47 + # That prevents us from updating individual components. 48 "langchain-core" 49 ]; 50

+1 -1

pkgs/development/python-modules/langchain-chroma/default.nix

··· 32 33 pythonRelaxDeps = [ 34 # Each component release requests the exact latest core. 35 - # That prevents us from updating individul components. 36 "langchain-core" 37 "numpy" 38 ];

··· 32 33 pythonRelaxDeps = [ 34 # Each component release requests the exact latest core. 35 + # That prevents us from updating individual components. 36 "langchain-core" 37 "numpy" 38 ];

+1 -1

pkgs/development/python-modules/langchain-community/default.nix

··· 56 57 pythonRelaxDeps = [ 58 # Each component release requests the exact latest langchain and -core. 59 - # That prevents us from updating individul components. 60 "langchain" 61 "langchain-core" 62 "numpy"

··· 56 57 pythonRelaxDeps = [ 58 # Each component release requests the exact latest langchain and -core. 59 + # That prevents us from updating individual components. 60 "langchain" 61 "langchain-core" 62 "numpy"

+1 -1

pkgs/development/python-modules/langchain-groq/default.nix

··· 34 35 pythonRelaxDeps = [ 36 # Each component release requests the exact latest core. 37 - # That prevents us from updating individul components. 38 "langchain-core" 39 ]; 40

··· 34 35 pythonRelaxDeps = [ 36 # Each component release requests the exact latest core. 37 + # That prevents us from updating individual components. 38 "langchain-core" 39 ]; 40

+1 -1

pkgs/development/python-modules/langchain-huggingface/default.nix

··· 49 50 pythonRelaxDeps = [ 51 # Each component release requests the exact latest core. 52 - # That prevents us from updating individul components. 53 "langchain-core" 54 ]; 55

··· 49 50 pythonRelaxDeps = [ 51 # Each component release requests the exact latest core. 52 + # That prevents us from updating individual components. 53 "langchain-core" 54 ]; 55

+1 -1

pkgs/development/python-modules/langchain-mongodb/default.nix

··· 39 40 pythonRelaxDeps = [ 41 # Each component release requests the exact latest core. 42 - # That prevents us from updating individul components. 43 "langchain-core" 44 "numpy" 45 ];

··· 39 40 pythonRelaxDeps = [ 41 # Each component release requests the exact latest core. 42 + # That prevents us from updating individual components. 43 "langchain-core" 44 "numpy" 45 ];

+1 -1

pkgs/development/python-modules/langchain-ollama/default.nix

··· 40 41 pythonRelaxDeps = [ 42 # Each component release requests the exact latest core. 43 - # That prevents us from updating individul components. 44 "langchain-core" 45 ]; 46

··· 40 41 pythonRelaxDeps = [ 42 # Each component release requests the exact latest core. 43 + # That prevents us from updating individual components. 44 "langchain-core" 45 ]; 46

+1 -1

pkgs/development/python-modules/langchain-openai/default.nix

··· 52 53 pythonRelaxDeps = [ 54 # Each component release requests the exact latest core. 55 - # That prevents us from updating individul components. 56 "langchain-core" 57 ]; 58

··· 52 53 pythonRelaxDeps = [ 54 # Each component release requests the exact latest core. 55 + # That prevents us from updating individual components. 56 "langchain-core" 57 ]; 58

+1 -1

pkgs/development/python-modules/langchain-tests/default.nix

··· 42 43 pythonRelaxDeps = [ 44 # Each component release requests the exact latest core. 45 - # That prevents us from updating individul components. 46 "langchain-core" 47 "numpy" 48 ];

··· 42 43 pythonRelaxDeps = [ 44 # Each component release requests the exact latest core. 45 + # That prevents us from updating individual components. 46 "langchain-core" 47 "numpy" 48 ];

+1 -1

pkgs/development/python-modules/langchain-text-splitters/default.nix

··· 34 35 pythonRelaxDeps = [ 36 # Each component release requests the exact latest core. 37 - # That prevents us from updating individul components. 38 "langchain-core" 39 ]; 40

··· 34 35 pythonRelaxDeps = [ 36 # Each component release requests the exact latest core. 37 + # That prevents us from updating individual components. 38 "langchain-core" 39 ]; 40

+1 -1

pkgs/development/python-modules/langchain/default.nix

··· 60 61 pythonRelaxDeps = [ 62 # Each component release requests the exact latest core. 63 - # That prevents us from updating individul components. 64 "langchain-core" 65 "numpy" 66 "tenacity"

··· 60 61 pythonRelaxDeps = [ 62 # Each component release requests the exact latest core. 63 + # That prevents us from updating individual components. 64 "langchain-core" 65 "numpy" 66 "tenacity"

+3 -4

pkgs/development/python-modules/mitmproxy/default.nix

··· 15 hypothesis, 16 kaitaistruct, 17 ldap3, 18 - mitmproxy-linux, 19 mitmproxy-rs, 20 msgpack, 21 passlib, ··· 31 ruamel-yaml, 32 setuptools, 33 sortedcontainers, 34 - stdenv, 35 tornado, 36 urwid, 37 wsproto, ··· 40 41 buildPythonPackage rec { 42 pname = "mitmproxy"; 43 - version = "12.0.1"; 44 pyproject = true; 45 46 src = fetchFromGitHub { 47 owner = "mitmproxy"; 48 repo = "mitmproxy"; 49 tag = "v${version}"; 50 - hash = "sha256-BKT/qBWlfShAveL1KY5XXgQjhxR3Vr4zoJwiRxtBJkE="; 51 }; 52 53 pythonRelaxDeps = [ ··· 55 "h2" 56 "passlib" 57 "typing-extensions" # https://github.com/NixOS/nixpkgs/pull/397082 58 ]; 59 60 build-system = [ setuptools ];

··· 15 hypothesis, 16 kaitaistruct, 17 ldap3, 18 mitmproxy-rs, 19 msgpack, 20 passlib, ··· 30 ruamel-yaml, 31 setuptools, 32 sortedcontainers, 33 tornado, 34 urwid, 35 wsproto, ··· 38 39 buildPythonPackage rec { 40 pname = "mitmproxy"; 41 + version = "12.1.1"; 42 pyproject = true; 43 44 src = fetchFromGitHub { 45 owner = "mitmproxy"; 46 repo = "mitmproxy"; 47 tag = "v${version}"; 48 + hash = "sha256-RTHL5+lbR+AbkiE4+z4ZbxZSV2E4NGTmShbMIMRKJPA="; 49 }; 50 51 pythonRelaxDeps = [ ··· 53 "h2" 54 "passlib" 55 "typing-extensions" # https://github.com/NixOS/nixpkgs/pull/397082 56 + "tornado" 57 ]; 58 59 build-system = [ setuptools ];

+2 -2

pkgs/development/python-modules/mkdocs-rss-plugin/default.nix

··· 16 17 buildPythonPackage rec { 18 pname = "mkdocs-rss-plugin"; 19 - version = "1.17.1"; 20 pyproject = true; 21 22 disabled = pythonOlder "3.9"; ··· 25 owner = "Guts"; 26 repo = "mkdocs-rss-plugin"; 27 tag = version; 28 - hash = "sha256-Qa8EgjucJaxvKivE45kXSUgTx5RnLEpYCNZJRTO2E1Q="; 29 }; 30 31 build-system = [ setuptools ];

··· 16 17 buildPythonPackage rec { 18 pname = "mkdocs-rss-plugin"; 19 + version = "1.17.3"; 20 pyproject = true; 21 22 disabled = pythonOlder "3.9"; ··· 25 owner = "Guts"; 26 repo = "mkdocs-rss-plugin"; 27 tag = version; 28 + hash = "sha256-wgR0uwme7fXNZHx7xdm0HNfXG6qT4qpTJgR2SaXDel4="; 29 }; 30 31 build-system = [ setuptools ];

+1 -1

pkgs/development/python-modules/mpi-pytest/default.nix

··· 21 hash = "sha256-r9UB5H+qAJc6k2SVAiOCI2yRDLNv2zKRmfrAan+cX9I="; 22 }; 23 24 - # A temporary fixup to support fork mode with openmpi implemention 25 # See https://github.com/firedrakeproject/mpi-pytest/pull/17 26 postPatch = lib.optionalString (mpi4py.mpi.pname == "openmpi") '' 27 substituteInPlace pytest_mpi/plugin.py \

··· 21 hash = "sha256-r9UB5H+qAJc6k2SVAiOCI2yRDLNv2zKRmfrAan+cX9I="; 22 }; 23 24 + # A temporary fixup to support fork mode with openmpi implementation 25 # See https://github.com/firedrakeproject/mpi-pytest/pull/17 26 postPatch = lib.optionalString (mpi4py.mpi.pname == "openmpi") '' 27 substituteInPlace pytest_mpi/plugin.py \

+1 -1

pkgs/development/python-modules/piano-transcription-inference/default.nix

··· 68 # Project has no tests. 69 # In order to make pythonImportsCheck work, NUMBA_CACHE_DIR env var need to 70 # be set to a writable dir (https://github.com/numba/numba/issues/4032#issuecomment-488102702). 71 - # pythonImportsCheck has no pre* hook, use checkPhase to wordaround that. 72 checkPhase = '' 73 export NUMBA_CACHE_DIR="$(mktemp -d)" 74 '';

··· 68 # Project has no tests. 69 # In order to make pythonImportsCheck work, NUMBA_CACHE_DIR env var need to 70 # be set to a writable dir (https://github.com/numba/numba/issues/4032#issuecomment-488102702). 71 + # pythonImportsCheck has no pre* hook, use checkPhase to workaround that. 72 checkPhase = '' 73 export NUMBA_CACHE_DIR="$(mktemp -d)" 74 '';

+1 -1

pkgs/development/python-modules/pip/default.nix

··· 24 tomli-w, 25 werkzeug, 26 27 - # coupled downsteam dependencies 28 pip-tools, 29 }: 30

··· 24 tomli-w, 25 werkzeug, 26 27 + # coupled downstream dependencies 28 pip-tools, 29 }: 30

+3 -2

pkgs/development/python-modules/tesla-fleet-api/default.nix

··· 15 16 buildPythonPackage rec { 17 pname = "tesla-fleet-api"; 18 - version = "1.0.17"; 19 pyproject = true; 20 21 disabled = pythonOlder "3.10"; ··· 24 owner = "Teslemetry"; 25 repo = "python-tesla-fleet-api"; 26 tag = "v${version}"; 27 - hash = "sha256-3JLC+GXFNBy7xEPuk/ajVROp6IzZ7Jul+1VyOMB7t58="; 28 }; 29 30 build-system = [ setuptools ]; ··· 47 meta = with lib; { 48 description = "Python library for Tesla Fleet API and Teslemetry"; 49 homepage = "https://github.com/Teslemetry/python-tesla-fleet-api"; 50 license = licenses.asl20; 51 maintainers = with maintainers; [ fab ]; 52 };

··· 15 16 buildPythonPackage rec { 17 pname = "tesla-fleet-api"; 18 + version = "1.1.1"; 19 pyproject = true; 20 21 disabled = pythonOlder "3.10"; ··· 24 owner = "Teslemetry"; 25 repo = "python-tesla-fleet-api"; 26 tag = "v${version}"; 27 + hash = "sha256-ykVes0LXvkwdZRX9g1N9WqzDgKzR5u/YLKkdMC9lR64="; 28 }; 29 30 build-system = [ setuptools ]; ··· 47 meta = with lib; { 48 description = "Python library for Tesla Fleet API and Teslemetry"; 49 homepage = "https://github.com/Teslemetry/python-tesla-fleet-api"; 50 + changelog = "https://github.com/Teslemetry/python-tesla-fleet-api/releases/tag/${src.tag}"; 51 license = licenses.asl20; 52 maintainers = with maintainers; [ fab ]; 53 };

+1 -1

pkgs/development/python-modules/twisted/default.nix

··· 110 "MulticastTests.test_multiListen" 111 ]; 112 "src/twisted/trial/test/test_script.py" = [ 113 - # Fails in LXC containers with less than all cores availaible (limits.cpu) 114 "AutoJobsTests.test_cpuCount" 115 ]; 116 "src/twisted/internet/test/test_unix.py" = [

··· 110 "MulticastTests.test_multiListen" 111 ]; 112 "src/twisted/trial/test/test_script.py" = [ 113 + # Fails in LXC containers with less than all cores available (limits.cpu) 114 "AutoJobsTests.test_cpuCount" 115 ]; 116 "src/twisted/internet/test/test_unix.py" = [

+2 -2

pkgs/development/python-modules/types-s3transfer/default.nix

··· 8 9 buildPythonPackage rec { 10 pname = "types-s3transfer"; 11 - version = "0.12.0"; 12 pyproject = true; 13 14 disabled = pythonOlder "3.8"; ··· 16 src = fetchPypi { 17 pname = "types_s3transfer"; 18 inherit version; 19 - hash = "sha256-+PWSAUgekENihzvwvjJn8lnWCtlG69/LhH0JKh+ib5g="; 20 }; 21 22 build-system = [ setuptools ];

··· 8 9 buildPythonPackage rec { 10 pname = "types-s3transfer"; 11 + version = "0.13.0"; 12 pyproject = true; 13 14 disabled = pythonOlder "3.8"; ··· 16 src = fetchPypi { 17 pname = "types_s3transfer"; 18 inherit version; 19 + hash = "sha256-ID2ty5hlwvaPtEvARA4dwFt5GXukpkHAl2wmya9171I="; 20 }; 21 22 build-system = [ setuptools ];

+1 -1

pkgs/development/python-modules/yamllint/default.nix

··· 37 [ 38 # test failure reported upstream: https://github.com/adrienverge/yamllint/issues/373 39 "test_find_files_recursively" 40 - # Issue wih fixture 41 "test_codec_built_in_equivalent" 42 ] 43 ++ lib.optionals stdenv.hostPlatform.isDarwin [

··· 37 [ 38 # test failure reported upstream: https://github.com/adrienverge/yamllint/issues/373 39 "test_find_files_recursively" 40 + # Issue with fixture 41 "test_codec_built_in_equivalent" 42 ] 43 ++ lib.optionals stdenv.hostPlatform.isDarwin [

+1 -1

pkgs/development/tools/build-managers/bazel/bazel_6/default.nix

··· 241 # guarantee that it will always run in any nix context. 242 # 243 # See also ./bazel_darwin_sandbox.patch in bazel_5. That patch uses 244 - # NIX_BUILD_TOP env var to conditionnally disable sleep features inside the 245 # sandbox. 246 # 247 # If you want to investigate the sandbox profile path,

··· 241 # guarantee that it will always run in any nix context. 242 # 243 # See also ./bazel_darwin_sandbox.patch in bazel_5. That patch uses 244 + # NIX_BUILD_TOP env var to conditionally disable sleep features inside the 245 # sandbox. 246 # 247 # If you want to investigate the sandbox profile path,

+3 -3

pkgs/development/tools/build-managers/bazel/bazel_7/default.nix

··· 323 # --{,tool_}java_runtime_version=local_jdk and rely on the fact no java 324 # toolchain registered by default uses the local_jdk, making the selection 325 # unambiguous. 326 - # This toolchain has the advantage that it can use any ambiant java jdk, 327 # not only a given, fixed version. It allows bazel to work correctly in any 328 # environment where JAVA_HOME is set to the right java version, like inside 329 # nix derivations. 330 - # However, this patch breaks bazel hermeticity, by picking the ambiant java 331 # version instead of the more hermetic remote_jdk prebuilt binaries that 332 # rules_java provide by default. It also requires the user to have a 333 # JAVA_HOME set to the exact version required by the project. ··· 347 # guarantee that it will always run in any nix context. 348 # 349 # See also ./bazel_darwin_sandbox.patch in bazel_5. That patch uses 350 - # NIX_BUILD_TOP env var to conditionnally disable sleep features inside the 351 # sandbox. 352 # 353 # If you want to investigate the sandbox profile path,

··· 323 # --{,tool_}java_runtime_version=local_jdk and rely on the fact no java 324 # toolchain registered by default uses the local_jdk, making the selection 325 # unambiguous. 326 + # This toolchain has the advantage that it can use any ambient java jdk, 327 # not only a given, fixed version. It allows bazel to work correctly in any 328 # environment where JAVA_HOME is set to the right java version, like inside 329 # nix derivations. 330 + # However, this patch breaks bazel hermeticity, by picking the ambient java 331 # version instead of the more hermetic remote_jdk prebuilt binaries that 332 # rules_java provide by default. It also requires the user to have a 333 # JAVA_HOME set to the exact version required by the project. ··· 347 # guarantee that it will always run in any nix context. 348 # 349 # See also ./bazel_darwin_sandbox.patch in bazel_5. That patch uses 350 + # NIX_BUILD_TOP env var to conditionally disable sleep features inside the 351 # sandbox. 352 # 353 # If you want to investigate the sandbox profile path,

+5 -2

pkgs/development/tools/build-managers/rebar3/default.nix

··· 12 git, 13 gnused, 14 nix, 15 rebar3-nix, 16 }: 17 18 let 19 - version = "3.24.0"; 20 owner = "erlang"; 21 deps = import ./rebar-deps.nix { inherit fetchFromGitHub fetchgit fetchHex; }; 22 rebar3 = stdenv.mkDerivation rec { ··· 29 inherit owner; 30 repo = pname; 31 rev = version; 32 - sha256 = "OhzgDipFhscHtRGlfc33ZewBgHgQLa9Zhjby/r1m49A="; 33 }; 34 35 buildInputs = [ erlang ]; ··· 94 git 95 gnused 96 nix 97 (rebar3WithPlugins { globalPlugins = [ rebar3-nix ]; }) 98 ] 99 } ··· 105 tmpdir=$(mktemp -d) 106 cp -R $(nix-build $nixpkgs --no-out-link -A rebar3.src)/* "$tmpdir" 107 (cd "$tmpdir" && rebar3 as test nix lock -o "$nix_path/rebar-deps.nix") 108 else 109 echo "rebar3 is already up-to-date" 110 fi

··· 12 git, 13 gnused, 14 nix, 15 + nixfmt-rfc-style, 16 rebar3-nix, 17 }: 18 19 let 20 + version = "3.25.0"; 21 owner = "erlang"; 22 deps = import ./rebar-deps.nix { inherit fetchFromGitHub fetchgit fetchHex; }; 23 rebar3 = stdenv.mkDerivation rec { ··· 30 inherit owner; 31 repo = pname; 32 rev = version; 33 + sha256 = "uiKgB+YuqKnfs9TZbnudp6TZd6ZGXfpF9c8jJffCs/U="; 34 }; 35 36 buildInputs = [ erlang ]; ··· 95 git 96 gnused 97 nix 98 + nixfmt-rfc-style 99 (rebar3WithPlugins { globalPlugins = [ rebar3-nix ]; }) 100 ] 101 } ··· 107 tmpdir=$(mktemp -d) 108 cp -R $(nix-build $nixpkgs --no-out-link -A rebar3.src)/* "$tmpdir" 109 (cd "$tmpdir" && rebar3 as test nix lock -o "$nix_path/rebar-deps.nix") 110 + nixfmt "$nix_path/rebar-deps.nix" 111 else 112 echo "rebar3 is already up-to-date" 113 fi

+2 -2

pkgs/servers/home-assistant/default.nix

··· 151 ]; 152 }); 153 154 - # Pinned due to home-assistant still needing 1.10.0 verison 155 - # Remove this when home-assistant upates the jellyfin-apiclient-python version 156 jellyfin-apiclient-python = super.jellyfin-apiclient-python.overridePythonAttrs (oldAttrs: rec { 157 version = "1.10.0"; 158 src = fetchFromGitHub {

··· 151 ]; 152 }); 153 154 + # Pinned due to home-assistant still needing 1.10.0 version 155 + # Remove this when home-assistant updates the jellyfin-apiclient-python version 156 jellyfin-apiclient-python = super.jellyfin-apiclient-python.overridePythonAttrs (oldAttrs: rec { 157 version = "1.10.0"; 158 src = fetchFromGitHub {

+1 -1

pkgs/servers/samba/4.x.nix

··· 167 libbsd 168 ] 169 ++ optionals stdenv.hostPlatform.isLinux [ 170 - liburing 171 systemd 172 ] 173 ++ optionals stdenv.hostPlatform.isDarwin [ libiconv ]

··· 167 libbsd 168 ] 169 ++ optionals stdenv.hostPlatform.isLinux [ 170 + #liburing # FIXME: better solution 171 systemd 172 ] 173 ++ optionals stdenv.hostPlatform.isDarwin [ libiconv ]

+1 -1

pkgs/stdenv/generic/check-meta.nix

··· 120 121 isMarkedInsecure = attrs: (attrs.meta.knownVulnerabilities or [ ]) != [ ]; 122 123 - # Alow granular checks to allow only some unfree packages 124 # Example: 125 # {pkgs, ...}: 126 # {

··· 120 121 isMarkedInsecure = attrs: (attrs.meta.knownVulnerabilities or [ ]) != [ ]; 122 123 + # Allow granular checks to allow only some unfree packages 124 # Example: 125 # {pkgs, ...}: 126 # {

+1 -1

pkgs/test/texlive/default.nix

··· 625 "outocp" 626 "pmxab" 627 628 - # GUI scripts that accept no argument or crash without a graphics server; please test manualy 629 "epspdftk" 630 "texdoctk" 631 "tlshell"

··· 625 "outocp" 626 "pmxab" 627 628 + # GUI scripts that accept no argument or crash without a graphics server; please test manually 629 "epspdftk" 630 "texdoctk" 631 "tlshell"

+6 -6

pkgs/top-level/all-packages.nix

··· 3660 3661 libhandy = callPackage ../development/libraries/libhandy { }; 3662 3663 - # Needed for apps that still depend on the unstable verison of the library (not libhandy-1) 3664 libhandy_0 = callPackage ../development/libraries/libhandy/0.x.nix { }; 3665 3666 libint = callPackage ../development/libraries/libint { }; ··· 4855 4856 zbar = libsForQt5.callPackage ../tools/graphics/zbar { }; 4857 4858 - # Nvidia support does not require any propietary libraries, so CI can build it. 4859 # Note that when enabling this unconditionally, non-nvidia users will always have an empty "GPU" section. 4860 zenith-nvidia = zenith.override { 4861 nvidiaSupport = true; ··· 7059 # host platform. 7060 # 7061 # Because this is the *next* stages choice, it's a bit non-modular to put 7062 - # here. In theory, bootstraping is supposed to not be a chain but at tree, 7063 # where each stage supports many "successor" stages, like multiple possible 7064 # futures. We don't have a better alternative, but with this downside in 7065 # mind, please be judicious when using this attribute. E.g. for building ··· 8209 stdenv = stdenvNoLibc; 8210 }; 8211 8212 - # These are used when buiding compiler-rt / libgcc, prior to building libc. 8213 preLibcCrossHeaders = 8214 let 8215 inherit (stdenv.targetPlatform) libc; ··· 10572 10573 nginxModules = recurseIntoAttrs (callPackage ../servers/http/nginx/modules.nix { }); 10574 10575 - # We should move to dynmaic modules and create a nginxFull package with all modules 10576 nginxShibboleth = nginxStable.override { 10577 modules = [ 10578 nginxModules.rtmp ··· 13700 jdk = jdk17; 13701 }; 13702 13703 - # perhaps there are better apps for this task? It's how I had configured my preivous system. 13704 # And I don't want to rewrite all rules 13705 profanity = callPackage ../applications/networking/instant-messengers/profanity ( 13706 {

··· 3660 3661 libhandy = callPackage ../development/libraries/libhandy { }; 3662 3663 + # Needed for apps that still depend on the unstable version of the library (not libhandy-1) 3664 libhandy_0 = callPackage ../development/libraries/libhandy/0.x.nix { }; 3665 3666 libint = callPackage ../development/libraries/libint { }; ··· 4855 4856 zbar = libsForQt5.callPackage ../tools/graphics/zbar { }; 4857 4858 + # Nvidia support does not require any proprietary libraries, so CI can build it. 4859 # Note that when enabling this unconditionally, non-nvidia users will always have an empty "GPU" section. 4860 zenith-nvidia = zenith.override { 4861 nvidiaSupport = true; ··· 7059 # host platform. 7060 # 7061 # Because this is the *next* stages choice, it's a bit non-modular to put 7062 + # here. In theory, bootstrapping is supposed to not be a chain but at tree, 7063 # where each stage supports many "successor" stages, like multiple possible 7064 # futures. We don't have a better alternative, but with this downside in 7065 # mind, please be judicious when using this attribute. E.g. for building ··· 8209 stdenv = stdenvNoLibc; 8210 }; 8211 8212 + # These are used when building compiler-rt / libgcc, prior to building libc. 8213 preLibcCrossHeaders = 8214 let 8215 inherit (stdenv.targetPlatform) libc; ··· 10572 10573 nginxModules = recurseIntoAttrs (callPackage ../servers/http/nginx/modules.nix { }); 10574 10575 + # We should move to dynamic modules and create a nginxFull package with all modules 10576 nginxShibboleth = nginxStable.override { 10577 modules = [ 10578 nginxModules.rtmp ··· 13700 jdk = jdk17; 13701 }; 13702 13703 + # perhaps there are better apps for this task? It's how I had configured my previous system. 13704 # And I don't want to rewrite all rules 13705 profanity = callPackage ../applications/networking/instant-messengers/profanity ( 13706 {

+1 -1

pkgs/top-level/stage.nix

··· 328 329 # The complete chain of package set builders, applied from top to bottom. 330 # stdenvOverlays must be last as it brings package forward from the 331 - # previous bootstrapping phases which have already been overlayed. 332 toFix = lib.foldl' (lib.flip lib.extends) (self: { }) ( 333 [ 334 stdenvBootstappingAndPlatforms

··· 328 329 # The complete chain of package set builders, applied from top to bottom. 330 # stdenvOverlays must be last as it brings package forward from the 331 + # previous bootstrapping phases which have already been overlaid. 332 toFix = lib.foldl' (lib.flip lib.extends) (self: { }) ( 333 [ 334 stdenvBootstappingAndPlatforms