Merge staging-next into staging

authored by

github-actions[bot] and committed by
GitHub
ebeb6fb7 98df8ad1

+279 -85
+22 -1
nixos/modules/security/wrappers/default.nix
··· 5 5 6 6 parentWrapperDir = dirOf wrapperDir; 7 7 8 - securityWrapper = sourceProg : pkgs.callPackage ./wrapper.nix { 8 + # This is security-sensitive code, and glibc vulns happen from time to time. 9 + # musl is security-focused and generally more minimal, so it's a better choice here. 10 + # The dynamic linker is still a fairly complex piece of code, and the wrappers are 11 + # quite small, so linking it statically is more appropriate. 12 + securityWrapper = sourceProg : pkgs.pkgsStatic.callPackage ./wrapper.nix { 9 13 inherit sourceProg; 14 + 15 + # glibc definitions of insecure environment variables 16 + # 17 + # We extract the single header file we need into its own derivation, 18 + # so that we don't have to pull full glibc sources to build wrappers. 19 + # 20 + # They're taken from pkgs.glibc so that we don't have to keep as close 21 + # an eye on glibc changes. Not every relevant variable is in this header, 22 + # so we maintain a slightly stricter list in wrapper.c itself as well. 23 + unsecvars = lib.overrideDerivation (pkgs.srcOnly pkgs.glibc) 24 + ({ name, ... }: { 25 + name = "${name}-unsecvars"; 26 + installPhase = '' 27 + mkdir $out 28 + cp sysdeps/generic/unsecvars.h $out 29 + ''; 30 + }); 10 31 }; 11 32 12 33 fileModeType =
+49
nixos/modules/security/wrappers/wrapper.c
··· 17 17 #include <syscall.h> 18 18 #include <byteswap.h> 19 19 20 + // imported from glibc 21 + #include "unsecvars.h" 22 + 20 23 #ifndef SOURCE_PROG 21 24 #error SOURCE_PROG should be defined via preprocessor commandline 22 25 #endif ··· 151 154 return 0; 152 155 } 153 156 157 + // These are environment variable aliases for glibc tunables. 158 + // This list shouldn't grow further, since this is a legacy mechanism. 159 + // Any future tunables are expected to only be accessible through GLIBC_TUNABLES. 160 + // 161 + // They are not included in the glibc-provided UNSECURE_ENVVARS list, 162 + // since any SUID executable ignores them. This wrapper also serves 163 + // executables that are merely granted ambient capabilities, rather than 164 + // being SUID, and hence don't run in secure mode. We'd like them to 165 + // defend those in depth as well, so we clear these explicitly. 166 + // 167 + // Except for MALLOC_CHECK_ (which is marked SXID_ERASE), these are all 168 + // marked SXID_IGNORE (ignored in secure mode), so even the glibc version 169 + // of this wrapper would leave them intact. 170 + #define UNSECURE_ENVVARS_TUNABLES \ 171 + "MALLOC_CHECK_\0" \ 172 + "MALLOC_TOP_PAD_\0" \ 173 + "MALLOC_PERTURB_\0" \ 174 + "MALLOC_MMAP_THRESHOLD_\0" \ 175 + "MALLOC_TRIM_THRESHOLD_\0" \ 176 + "MALLOC_MMAP_MAX_\0" \ 177 + "MALLOC_ARENA_MAX\0" \ 178 + "MALLOC_ARENA_TEST\0" 179 + 154 180 int main(int argc, char **argv) { 155 181 ASSERT(argc >= 1); 182 + 183 + int debug = getenv(wrapper_debug) != NULL; 184 + 185 + // Drop insecure environment variables explicitly 186 + // 187 + // glibc does this automatically in SUID binaries, but we'd like to cover this: 188 + // 189 + // a) before it gets to glibc 190 + // b) in binaries that are only granted ambient capabilities by the wrapper, 191 + // but don't run with an altered effective UID/GID, nor directly gain 192 + // capabilities themselves, and thus don't run in secure mode. 193 + // 194 + // We're using musl, which doesn't drop environment variables in secure mode, 195 + // and we'd also like glibc-specific variables to be covered. 196 + // 197 + // If we don't explicitly unset them, it's quite easy to just set LD_PRELOAD, 198 + // have it passed through to the wrapped program, and gain privileges. 199 + for (char *unsec = UNSECURE_ENVVARS_TUNABLES UNSECURE_ENVVARS; *unsec; unsec = strchr(unsec, 0) + 1) { 200 + if (debug) { 201 + fprintf(stderr, "unsetting %s\n", unsec); 202 + } 203 + unsetenv(unsec); 204 + } 156 205 157 206 // Read the capabilities set on the wrapper and raise them in to 158 207 // the ambient set so the program we're wrapping receives the
+2 -2
nixos/modules/security/wrappers/wrapper.nix
··· 1 - { stdenv, linuxHeaders, sourceProg, debug ? false }: 1 + { stdenv, unsecvars, linuxHeaders, sourceProg, debug ? false }: 2 2 # For testing: 3 3 # $ nix-build -E 'with import <nixpkgs> {}; pkgs.callPackage ./wrapper.nix { parentWrapperDir = "/run/wrappers"; debug = true; }' 4 4 stdenv.mkDerivation { ··· 16 16 dontStrip = debug; 17 17 installPhase = '' 18 18 mkdir -p $out/bin 19 - $CC $CFLAGS ${./wrapper.c} -o $out/bin/security-wrapper 19 + $CC $CFLAGS ${./wrapper.c} -I${unsecvars} -o $out/bin/security-wrapper 20 20 ''; 21 21 }
+3 -1
nixos/modules/services/web-apps/grocy.nix
··· 8 8 options.services.grocy = { 9 9 enable = mkEnableOption (lib.mdDoc "grocy"); 10 10 11 + package = mkPackageOptionMD pkgs "grocy" { }; 12 + 11 13 hostName = mkOption { 12 14 type = types.str; 13 15 description = lib.mdDoc '' ··· 143 145 services.nginx = { 144 146 enable = true; 145 147 virtualHosts."${cfg.hostName}" = mkMerge [ 146 - { root = "${pkgs.grocy}/public"; 148 + { root = "${cfg.package}/public"; 147 149 locations."/".extraConfig = '' 148 150 rewrite ^ /index.php; 149 151 '';
+3 -4
nixos/modules/services/x11/desktop-managers/gnome.nix
··· 307 307 gnome-flashback 308 308 ] ++ map gnome-flashback.mkSystemdTargetForWm flashbackWms; 309 309 310 - # gnome-panel needs these for menu applet 311 - environment.sessionVariables.XDG_DATA_DIRS = [ "${pkgs.gnome.gnome-flashback}/share" ]; 312 - # TODO: switch to sessionVariables (resolve conflict) 313 - environment.variables.XDG_CONFIG_DIRS = [ "${pkgs.gnome.gnome-flashback}/etc/xdg" ]; 310 + environment.systemPackages = with pkgs.gnome; [ 311 + gnome-flashback 312 + ]; 314 313 }) 315 314 316 315 (mkIf serviceCfg.core-os-services.enable {
+1 -1
nixos/tests/all-tests.nix
··· 714 714 service-runner = handleTest ./service-runner.nix {}; 715 715 sftpgo = runTest ./sftpgo.nix; 716 716 sfxr-qt = handleTest ./sfxr-qt.nix {}; 717 - sgtpuzzles = handleTest ./sgtpuzzles.nix {}; 717 + sgt-puzzles = handleTest ./sgt-puzzles.nix {}; 718 718 shadow = handleTest ./shadow.nix {}; 719 719 shadowsocks = handleTest ./shadowsocks {}; 720 720 shattered-pixel-dungeon = handleTest ./shattered-pixel-dungeon.nix {};
+4 -3
nixos/tests/gnome-flashback.nix
··· 49 49 assert "alice" in machine.succeed("getfacl -p /dev/snd/timer") 50 50 51 51 with subtest("Wait for Metacity"): 52 - machine.wait_until_succeeds( 53 - "pgrep metacity" 54 - ) 52 + machine.wait_until_succeeds("pgrep metacity") 53 + 54 + with subtest("Regression test for #233920"): 55 + machine.wait_until_succeeds("pgrep -fa gnome-flashback-media-keys") 55 56 machine.sleep(20) 56 57 machine.screenshot("screen") 57 58 '';
+2 -2
nixos/tests/sgtpuzzles.nix nixos/tests/sgt-puzzles.nix
··· 1 1 import ./make-test-python.nix ({ pkgs, ...} : 2 2 { 3 - name = "sgtpuzzles"; 3 + name = "sgt-puzzles"; 4 4 meta = with pkgs.lib.maintainers; { 5 5 maintainers = [ tomfitzhenry ]; 6 6 }; ··· 14 14 15 15 services.xserver.enable = true; 16 16 environment.systemPackages = with pkgs; [ 17 - sgtpuzzles 17 + sgt-puzzles 18 18 ]; 19 19 }; 20 20
+4 -4
pkgs/applications/networking/cluster/terraform/default.nix
··· 53 53 "Tool for building, changing, and versioning infrastructure"; 54 54 homepage = "https://www.terraform.io/"; 55 55 changelog = "https://github.com/hashicorp/terraform/blob/v${version}/CHANGELOG.md"; 56 - license = licenses.mpl20; 56 + license = licenses.bsl11; 57 57 maintainers = with maintainers; [ 58 58 Chili-Man 59 59 babariviere ··· 167 167 mkTerraform = attrs: pluggable (generic attrs); 168 168 169 169 terraform_1 = mkTerraform { 170 - version = "1.5.7"; 171 - hash = "sha256-pIhwJfa71/gW7lw/KRFBO4Q5Z5YMcTt3r9kD25k8cqM="; 172 - vendorHash = "sha256-lQgWNMBf+ioNxzAV7tnTQSIS840XdI9fg9duuwoK+U4="; 170 + version = "1.6.0"; 171 + hash = "sha256-R1phgtGn9hyNqa0wR1zY9uThTJSIj7TuK5ekXx48QP0="; 172 + vendorHash = "sha256-V7S+IzHfBhIHo0xCvHJ75gOmvVbJd2k8XBdvLG1dcsc="; 173 173 patches = [ ./provider-path-0_15.patch ]; 174 174 passthru = { 175 175 inherit plugins;
+3 -3
pkgs/applications/terminal-emulators/kitty/default.nix
··· 29 29 with python3Packages; 30 30 buildPythonApplication rec { 31 31 pname = "kitty"; 32 - version = "0.30.0"; 32 + version = "0.30.1"; 33 33 format = "other"; 34 34 35 35 src = fetchFromGitHub { 36 36 owner = "kovidgoyal"; 37 37 repo = "kitty"; 38 38 rev = "refs/tags/v${version}"; 39 - hash = "sha256-M6qFkeUp2rBudO2PiLN2VSrmut68c9mjjUr07WEX9VY="; 39 + hash = "sha256-zjXwiRo6Jw3K0iDf05f04MCtg1qKABah7x07CwvW0/0="; 40 40 }; 41 41 42 42 goModules = (buildGoModule { 43 43 pname = "kitty-go-modules"; 44 44 inherit src version; 45 - vendorHash = "sha256-53Y2S/P2fWT9STZFTdlkESxHNpoAggifZJ0+WXCzbkU="; 45 + vendorHash = "sha256-KDqzcJbI2f91wlrjVWgUmut4nhXA/rO9q5q3FaDWnfc="; 46 46 }).goModules; 47 47 48 48 buildInputs = [
+3 -3
pkgs/applications/version-management/gitoxide/default.nix
··· 13 13 14 14 rustPlatform.buildRustPackage rec { 15 15 pname = "gitoxide"; 16 - version = "0.29.0"; 16 + version = "0.30.0"; 17 17 18 18 src = fetchFromGitHub { 19 19 owner = "Byron"; 20 20 repo = "gitoxide"; 21 21 rev = "v${version}"; 22 - hash = "sha256-Ry5QvOoj4iSQZr1O+Y6qSHzhmm77nbkLjCcdPOhxR18="; 22 + hash = "sha256-VJZwNLFePUNIRHEyiEr1tiLaB2tuL6Ah81LNuM/1H14="; 23 23 }; 24 24 25 - cargoHash = "sha256-WZctsAxGojrGufF8CwUiw1xWzn9qVZUphDE3KmGTGy4="; 25 + cargoHash = "sha256-vEp0wLxmmmv33oRO7eOxOoOsV87/7DQ8db5RUfqUb88="; 26 26 27 27 nativeBuildInputs = [ cmake pkg-config ]; 28 28
+2 -2
pkgs/development/embedded/wch-isp/default.nix
··· 2 2 3 3 stdenv.mkDerivation rec { 4 4 pname = "wch-isp"; 5 - version = "0.2.5"; 5 + version = "0.3.0"; 6 6 7 7 src = fetchFromGitHub { 8 8 owner = "jmaselbas"; 9 9 repo = pname; 10 10 rev = "v${version}"; 11 - hash = "sha256-JF1g2Qb1gG93lSaDQvltT6jCYk/dKntsIJPkQXYUvX4="; 11 + hash = "sha256-cbQJgHZAdSfzRsf/srMlRd+QgGUPpP5r3kBTNCgINDw="; 12 12 }; 13 13 14 14 nativeBuildInputs = [ pkg-config ];
+2
pkgs/development/libraries/libsmi/default.nix
··· 9 9 sha256 = "1lslaxr2qcj6hf4naq5n5mparfhmswsgq4wa7zm2icqvvgdcq6pj"; 10 10 }; 11 11 12 + env.NIX_CFLAGS_COMPILE = "-std=gnu90"; 13 + 12 14 meta = with lib; { 13 15 description = "A Library to Access SMI MIB Information"; 14 16 homepage = "https://www.ibr.cs.tu-bs.de/projects/libsmi/index.html";
+4 -4
pkgs/development/python-modules/alexapy/default.nix
··· 19 19 20 20 buildPythonPackage rec { 21 21 pname = "alexapy"; 22 - version = "1.27.1"; 23 - format = "pyproject"; 22 + version = "1.27.4"; 23 + pyproject = true; 24 24 25 25 disabled = pythonOlder "3.10"; 26 26 ··· 28 28 owner = "keatontaylor"; 29 29 repo = "alexapy"; 30 30 rev = "refs/tags/v${version}"; 31 - hash = "sha256-pMTVZ2iE/a1yNsWhmxkIQFkl18x06ZLjslj8hjKVBEA="; 31 + hash = "sha256-Z7h6VX4cwcepo0Kxq9GdHv+XFNg/0s/OhJ/iHubhovs="; 32 32 }; 33 33 34 34 pythonRelaxDeps = [ ··· 64 64 meta = with lib; { 65 65 description = "Python Package for controlling Alexa devices (echo dot, etc) programmatically"; 66 66 homepage = "https://gitlab.com/keatontaylor/alexapy"; 67 - changelog = "https://gitlab.com/keatontaylor/alexapy/-/blob/${src.rev}/CHANGELOG.md"; 67 + changelog = "https://gitlab.com/keatontaylor/alexapy/-/blob/v${version}/CHANGELOG.md"; 68 68 license = licenses.asl20; 69 69 maintainers = with maintainers; [ fab ]; 70 70 };
+7 -12
pkgs/development/python-modules/astropy/default.nix
··· 26 26 27 27 buildPythonPackage rec { 28 28 pname = "astropy"; 29 - version = "5.3.3"; 29 + version = "5.3.4"; 30 30 format = "pyproject"; 31 31 32 32 disabled = pythonOlder "3.8"; # according to setup.cfg 33 33 34 34 src = fetchPypi { 35 35 inherit pname version; 36 - hash = "sha256-AzDfn116IlQ2fpuM9EJVuhBwsGEjGIxqcu3BgEk/k7s="; 36 + hash = "sha256-1JD34vqsLMwBySRCAtYpFUJZr4qXkQTO2J3ErOTm8dg="; 37 37 }; 38 - patches = [ 39 - # Fixes running tests in parallel issue 40 - # https://github.com/astropy/astropy/issues/15316. Fix from 41 - # https://github.com/astropy/astropy/pull/15327 42 - (fetchpatch { 43 - url = "https://github.com/astropy/astropy/commit/1042c0fb06a992f683bdc1eea2beda0b846ed356.patch"; 44 - hash = "sha256-bApAcGBRrJ94thhByoYvdqw2e6v77+FmTfgmGcE6MMk="; 45 - }) 46 - ]; 47 - 48 38 # Relax cython dependency to allow this to build, upstream only doesn't 49 39 # support cython 3 as of writing. See: 50 40 # https://github.com/astropy/astropy/issues/15315 ··· 84 74 ''; 85 75 pythonImportsCheck = [ 86 76 "astropy" 77 + ]; 78 + disabledTests = [ 79 + # May fail due to parallelism, see: 80 + # https://github.com/astropy/astropy/issues/15441 81 + "TestUnifiedOutputRegistry" 87 82 ]; 88 83 89 84 meta = {
+2 -2
pkgs/development/python-modules/camel-converter/default.nix
··· 9 9 10 10 buildPythonPackage rec { 11 11 pname = "camel-converter"; 12 - version = "3.0.2"; 12 + version = "3.0.3"; 13 13 format = "pyproject"; 14 14 15 15 disabled = pythonOlder "3.8"; ··· 18 18 owner = "sanders41"; 19 19 repo = pname; 20 20 rev = "refs/tags/v${version}"; 21 - hash = "sha256-XKtWR9dmSMfqkJYUHDQtWBLG3CHrbrI5lNtPUTShmBE="; 21 + hash = "sha256-0sNb1zg8cnDjQQnStfe1k8uB1GpmNtd/VwqSqTcLmj0="; 22 22 }; 23 23 24 24 postPatch = ''
+3 -2
pkgs/development/python-modules/django-reversion/default.nix
··· 7 7 8 8 buildPythonPackage rec { 9 9 pname = "django-reversion"; 10 - version = "5.0.5"; 10 + version = "5.0.6"; 11 11 format = "setuptools"; 12 12 13 13 disabled = pythonOlder "3.7"; 14 14 15 15 src = fetchPypi { 16 16 inherit pname version; 17 - hash = "sha256-JTxpGwpOC+He7Atiw4yfu3W25aj9gdO1iib0YTWXAQY="; 17 + hash = "sha256-buJalwcN2hTz4IK4uZm/vstKnwgv8fhR40TQVqGMk0w="; 18 18 }; 19 19 20 20 propagatedBuildInputs = [ ··· 31 31 meta = with lib; { 32 32 description = "An extension to the Django web framework that provides comprehensive version control facilities"; 33 33 homepage = "https://github.com/etianen/django-reversion"; 34 + changelog = "https://github.com/etianen/django-reversion/blob/v${version}/CHANGELOG.rst"; 34 35 license = licenses.bsd3; 35 36 maintainers = with maintainers; [ ]; 36 37 };
+60
pkgs/development/python-modules/esig/default.nix
··· 1 + { lib 2 + , buildPythonPackage 3 + , fetchPypi 4 + , cmake 5 + , ninja 6 + , oldest-supported-numpy 7 + , scikit-build 8 + , setuptools 9 + , numpy 10 + , iisignature 11 + , boost 12 + }: 13 + 14 + buildPythonPackage rec { 15 + pname = "esig"; 16 + version = "0.9.8.3"; 17 + pyproject = true; 18 + 19 + src = fetchPypi { 20 + inherit pname version; 21 + hash = "sha256-BGZaJSrpNSwZMHBYFDmDVPZOtgam/EVyh5Y5FAB8e1o="; 22 + }; 23 + 24 + buildInputs = [ 25 + boost 26 + ]; 27 + 28 + dontUseCmakeConfigure = true; 29 + 30 + nativeBuildInputs = [ 31 + cmake 32 + ninja 33 + oldest-supported-numpy 34 + scikit-build 35 + setuptools 36 + ]; 37 + 38 + propagatedBuildInputs = [ 39 + numpy 40 + ]; 41 + 42 + passthru.optional-dependencies = { 43 + iisignature = [ 44 + iisignature 45 + ]; 46 + }; 47 + 48 + # PyPI tarball has no tests 49 + doCheck = false; 50 + 51 + pythonImportsCheck = [ "esig" ]; 52 + 53 + meta = with lib; { 54 + description = "This package provides \"rough path\" tools for analysing vector time series"; 55 + homepage = "https://github.com/datasig-ac-uk/esig"; 56 + changelog = "https://github.com/datasig-ac-uk/esig/blob/release/CHANGELOG"; 57 + license = licenses.gpl3Only; 58 + maintainers = with maintainers; [ mbalatsko ]; 59 + }; 60 + }
+2 -2
pkgs/development/python-modules/garth/default.nix
··· 12 12 13 13 buildPythonPackage rec { 14 14 pname = "garth"; 15 - version = "0.4.37"; 15 + version = "0.4.38"; 16 16 format = "pyproject"; 17 17 18 18 disabled = pythonOlder "3.9"; 19 19 20 20 src = fetchPypi { 21 21 inherit pname version; 22 - hash = "sha256-7mq661cW67EvvJ1s2W5Ybw+oiDz9vdmmt/ljt/llIoo="; 22 + hash = "sha256-c+wSXADcgl7DpJJxGUus3oA4v+DmjGwjKfp0tJbcxb8="; 23 23 }; 24 24 25 25 nativeBuildInputs = [
+2 -2
pkgs/development/python-modules/google-cloud-container/default.nix
··· 13 13 14 14 buildPythonPackage rec { 15 15 pname = "google-cloud-container"; 16 - version = "2.31.0"; 16 + version = "2.32.0"; 17 17 format = "setuptools"; 18 18 19 19 disabled = pythonOlder "3.7"; 20 20 21 21 src = fetchPypi { 22 22 inherit pname version; 23 - hash = "sha256-PGrG29a5tq41hn8zzJWdAy4Dju1O5ZPYhZ+CcsBraAY="; 23 + hash = "sha256-aU+42neWNlPhxw+mCSi0oR+vjh8VgKOQJQU6PhvM5t4="; 24 24 }; 25 25 26 26 propagatedBuildInputs = [
+39
pkgs/development/python-modules/iisignature/default.nix
··· 1 + { lib 2 + , buildPythonPackage 3 + , fetchPypi 4 + , setuptools 5 + , wheel 6 + , numpy 7 + }: 8 + 9 + buildPythonPackage rec { 10 + pname = "iisignature"; 11 + version = "0.24"; 12 + pyproject = true; 13 + 14 + src = fetchPypi { 15 + inherit pname version; 16 + hash = "sha256-C5MUxui4BIf68yMZH7NZhq1CJuhrDGfPCjspObaVucY="; 17 + }; 18 + 19 + nativeBuildInputs = [ 20 + setuptools 21 + wheel 22 + ]; 23 + 24 + propagatedBuildInputs = [ 25 + numpy 26 + ]; 27 + 28 + # PyPI tarball has no tests 29 + doCheck = false; 30 + 31 + pythonImportsCheck = [ "iisignature" ]; 32 + 33 + meta = with lib; { 34 + description = "Iterated integral signature calculations"; 35 + homepage = "https://pypi.org/project/iisignature"; 36 + license = licenses.mit; 37 + maintainers = with maintainers; [ mbalatsko ]; 38 + }; 39 + }
+2 -2
pkgs/development/python-modules/junos-eznc/default.nix
··· 22 22 23 23 buildPythonPackage rec { 24 24 pname = "junos-eznc"; 25 - version = "2.6.7"; 25 + version = "2.6.8"; 26 26 format = "setuptools"; 27 27 28 28 disabled = pythonOlder "3.7"; ··· 31 31 owner = "Juniper"; 32 32 repo = "py-junos-eznc"; 33 33 rev = "refs/tags/${version}"; 34 - hash = "sha256-+hGybznip5RpJm89MLg9JO4B/y50OIdgtmV2FIpZShU="; 34 + hash = "sha256-5xZjuU2U3BodAMQiWZIJ27AZiAwoMm4yJ4qr3DjMd9o="; 35 35 }; 36 36 37 37 postPatch = ''
+2 -2
pkgs/development/python-modules/magic-filter/default.nix
··· 8 8 9 9 buildPythonPackage rec { 10 10 pname = "magic-filter"; 11 - version = "1.0.11"; 11 + version = "1.0.12"; 12 12 format = "pyproject"; 13 13 14 14 disabled = pythonOlder "3.7"; ··· 17 17 owner = "aiogram"; 18 18 repo = "magic-filter"; 19 19 rev = "refs/tags/v${version}"; 20 - hash = "sha256-mfSq47UWOLyEDkAsdHsJuVl/rJ4KgiGPpDL7qSKEfws="; 20 + hash = "sha256-MSYIZ/bzngRu6mG3EGblUotSCA+6bi+l3EymFA8NRZA="; 21 21 }; 22 22 23 23 nativeBuildInputs = [
+11 -4
pkgs/development/python-modules/numpyro/default.nix
··· 9 9 , tqdm 10 10 , funsor 11 11 , pytestCheckHook 12 - , tensorflow-probability 12 + # TODO: uncomment when tensorflow-probability gets fixed. 13 + # , tensorflow-probability 13 14 }: 14 15 15 16 buildPythonPackage rec { 16 17 pname = "numpyro"; 17 - version = "0.13.0"; 18 + version = "0.13.2"; 18 19 format = "setuptools"; 19 20 20 21 disabled = pythonOlder "3.9"; 21 22 22 23 src = fetchPypi { 23 24 inherit version pname; 24 - hash = "sha256-n+5K6fZlatKkXGVxzKcVhmP5XNuJeeM+GcCJ1Kh/WMk="; 25 + hash = "sha256-Um8LFVGAlMeOaN9uMwycHJzqEnTaxp8FYXIk+m2VTug="; 25 26 }; 26 27 27 28 propagatedBuildInputs = [ ··· 35 36 nativeCheckInputs = [ 36 37 funsor 37 38 pytestCheckHook 38 - tensorflow-probability 39 + # TODO: uncomment when tensorflow-probability gets fixed. 40 + # tensorflow-probability 39 41 ]; 40 42 41 43 pythonImportsCheck = [ ··· 60 62 "test_zero_inflated_logits_probs_agree" 61 63 # NameError: unbound axis name: _provenance 62 64 "test_model_transformation" 65 + ]; 66 + 67 + # TODO: remove when tensorflow-probability gets fixed. 68 + disabledTestPaths = [ 69 + "test/test_distributions.py" 63 70 ]; 64 71 65 72 meta = with lib; {
+2 -2
pkgs/development/python-modules/parver/default.nix
··· 13 13 14 14 buildPythonPackage rec { 15 15 pname = "parver"; 16 - version = "0.4"; 16 + version = "0.5"; 17 17 format = "pyproject"; 18 18 19 19 src = fetchPypi { 20 20 inherit pname version; 21 - hash = "sha256-1KPbuTxTNz7poLoFXkhYxEFpsgS5EuSdAD6tlduam8o="; 21 + hash = "sha256-uf3h5ruc6fB+COnEvqjYglxeeOGKAFLQLgK/lRfrR3c="; 22 22 }; 23 23 24 24 nativeBuildInputs = [
+2 -2
pkgs/development/python-modules/pyfibaro/default.nix
··· 11 11 12 12 buildPythonPackage rec { 13 13 pname = "pyfibaro"; 14 - version = "0.7.4"; 14 + version = "0.7.5"; 15 15 format = "pyproject"; 16 16 17 17 disabled = pythonOlder "3.9"; ··· 20 20 owner = "rappenze"; 21 21 repo = pname; 22 22 rev = "refs/tags/${version}"; 23 - hash = "sha256-Z+JWwu40ober/9RNG9DLqlOlQyPwlAO3LhLnpr+4dL8="; 23 + hash = "sha256-hllYxPPbLu3dpjHwXfIvTMW0LWtcglTVfN7youZaXTw="; 24 24 }; 25 25 26 26 nativeBuildInputs = [
+2 -1
pkgs/development/python-modules/qcelemental/default.nix
··· 14 14 buildPythonPackage rec { 15 15 pname = "qcelemental"; 16 16 version = "0.26.0"; 17 - format = "pyproject"; 17 + 18 + pyproject = true; 18 19 19 20 disabled = pythonOlder "3.7"; 20 21
+14 -4
pkgs/development/python-modules/textdistance/default.nix
··· 1 - { lib, buildPythonPackage, fetchPypi }: 1 + { lib 2 + , buildPythonPackage 3 + , fetchPypi 4 + , pythonOlder 5 + }: 2 6 3 7 buildPythonPackage rec { 4 8 pname = "textdistance"; 5 - version = "4.5.0"; 9 + version = "4.6.0"; 10 + format = "setuptools"; 11 + 12 + disabled = pythonOlder "3.7"; 6 13 7 14 src = fetchPypi { 8 15 inherit pname version; 9 - hash = "sha256-Nk1D9PZjV0JmLj5s9TcqhoWUFshKPJsu+dZtRPWkOFw="; 16 + hash = "sha256-cyxQMVzU7pRjg4ZDzxnWkiEwLDYDHqpgcMMMwKpdqMo="; 10 17 }; 11 18 12 19 # There aren't tests 13 20 doCheck = false; 14 21 15 - pythonImportsCheck = [ "textdistance" ]; 22 + pythonImportsCheck = [ 23 + "textdistance" 24 + ]; 16 25 17 26 meta = with lib; { 18 27 description = "Python library for comparing distance between two or more sequences"; 19 28 homepage = "https://github.com/life4/textdistance"; 29 + changelog = "https://github.com/life4/textdistance/releases/tag/${version}"; 20 30 license = licenses.mit; 21 31 maintainers = with maintainers; [ ]; 22 32 };
+2 -2
pkgs/development/python-modules/whodap/default.nix
··· 9 9 10 10 buildPythonPackage rec { 11 11 pname = "whodap"; 12 - version = "0.1.9"; 12 + version = "0.1.10"; 13 13 format = "setuptools"; 14 14 15 15 disabled = pythonOlder "3.8"; ··· 18 18 owner = "pogzyb"; 19 19 repo = pname; 20 20 rev = "refs/tags/v${version}"; 21 - hash = "sha256-0Wxx33AO9g4ACAUwkFkLo2AemK7PxXvZXWgHpu+E96c="; 21 + hash = "sha256-5XDTl8NPrYWs7gPTJRDVCiZN3cWQ53/ojhJivBPHUL0="; 22 22 }; 23 23 24 24 propagatedBuildInputs = [
+2 -2
pkgs/development/tools/analysis/checkov/default.nix
··· 22 22 23 23 buildPythonApplication rec { 24 24 pname = "checkov"; 25 - version = "2.5.4"; 25 + version = "2.5.6"; 26 26 format = "setuptools"; 27 27 28 28 src = fetchFromGitHub { 29 29 owner = "bridgecrewio"; 30 30 repo = pname; 31 31 rev = "refs/tags/${version}"; 32 - hash = "sha256-Rp1Q486vbgZmWcxQNy1esRYl0HRWQonicNP0bYdqPtc="; 32 + hash = "sha256-X+JEhoFKT+nxgxABojC8jZiGp8bubJWi0qWNfU9kwDc="; 33 33 }; 34 34 35 35 patches = [
+3 -3
pkgs/development/tools/memray/default.nix
··· 8 8 9 9 python3.pkgs.buildPythonApplication rec { 10 10 pname = "memray"; 11 - version = "1.9.1"; 11 + version = "1.10.0"; 12 12 format = "setuptools"; 13 13 14 14 src = fetchFromGitHub { 15 15 owner = "bloomberg"; 16 16 repo = pname; 17 - rev = "refs/tags/v${version}"; 17 + rev = "refs/tags/${version}"; 18 18 hash = "sha256-DaJ1Hhg7q4ckA5feUx0twOsmy28v5aBBCTUAkn43xAo="; 19 19 }; 20 20 ··· 66 66 license = licenses.asl20; 67 67 maintainers = with maintainers; [ fab ]; 68 68 platforms = platforms.linux; 69 - changelog = "https://github.com/bloomberg/memray/releases/tag/v${version}"; 69 + changelog = "https://github.com/bloomberg/memray/releases/tag/${version}"; 70 70 }; 71 71 }
+3 -3
pkgs/games/sgt-puzzles/default.nix
··· 60 60 ''; 61 61 62 62 passthru = { 63 - tests.sgtpuzzles = nixosTests.sgtpuzzles; 64 - updateScript = writeScript "update-sgtpuzzles" '' 63 + tests.sgt-puzzles = nixosTests.sgt-puzzles; 64 + updateScript = writeScript "update-sgt-puzzles" '' 65 65 #!/usr/bin/env nix-shell 66 66 #!nix-shell -i bash -p curl pcre common-updater-scripts 67 67 68 68 set -eu -o pipefail 69 69 70 70 version="$(curl -sI 'https://www.chiark.greenend.org.uk/~sgtatham/puzzles/puzzles.tar.gz' | grep -Fi Location: | pcregrep -o1 'puzzles-([0-9a-f.]*).tar.gz')" 71 - update-source-version sgtpuzzles "$version" 71 + update-source-version sgt-puzzles "$version" 72 72 ''; 73 73 }; 74 74
+1 -1
pkgs/os-specific/linux/dpdk/default.nix
··· 68 68 ] 69 69 # kni kernel driver is currently not compatble with 5.11 70 70 ++ lib.optional (mod && kernel.kernelOlder "5.11") "-Ddisable_drivers=kni" 71 - ++ lib.optional (!shared) "-Ddefault_library=static" 71 + ++ [(if shared then "-Ddefault_library=shared" else "-Ddefault_library=static")] 72 72 ++ lib.optional (machine != null) "-Dmachine=${machine}" 73 73 ++ lib.optional mod "-Dkernel_dir=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" 74 74 ++ lib.optional (withExamples != []) "-Dexamples=${builtins.concatStringsSep "," withExamples}";
+2 -2
pkgs/os-specific/linux/libpsm2/default.nix
··· 2 2 3 3 stdenv.mkDerivation rec { 4 4 pname = "libpsm2"; 5 - version = "11.2.230"; 5 + version = "12.0.1"; 6 6 7 7 preConfigure= '' 8 8 export UDEVDIR=$out/etc/udev ··· 30 30 owner = "intel"; 31 31 repo = "opa-psm2"; 32 32 rev = "PSM2_${version}"; 33 - sha256 = "sha256-dMfGq067TqstGAWNSZZaZCwvChTyPUsvaPVjFGGzp64="; 33 + sha256 = "sha256-MzocxY+X2a5rJvTo+gFU0U10YzzazR1IxzgEporJyhI="; 34 34 }; 35 35 36 36 postInstall = ''
+2 -2
pkgs/servers/http/nginx/modules.nix
··· 508 508 name = "njs"; 509 509 src = fetchhg { 510 510 url = "https://hg.nginx.org/njs"; 511 - rev = "0.7.10"; 512 - sha256 = "sha256-/yKzY+BUFxLk8bWo+mqKfRVRsC2moe+WvhaRYIGdr6Y="; 511 + rev = "0.8.1"; 512 + sha256 = "sha256-bFHrcA1ROMwYf+s0EWOXzkru6wvfRLvjvN8BV/r2tMc="; 513 513 name = "nginx-njs"; 514 514 }; 515 515
+6 -3
pkgs/top-level/all-packages.nix
··· 38478 38478 38479 38479 sfrotz = callPackage ../games/sfrotz { }; 38480 38480 38481 - sgtpuzzles = callPackage ../games/sgt-puzzles { }; 38481 + sgt-puzzles = callPackage ../games/sgt-puzzles { }; 38482 38482 38483 - sgtpuzzles-mobile = callPackage ../games/sgt-puzzles { 38483 + sgt-puzzles-mobile = callPackage ../games/sgt-puzzles { 38484 38484 isMobile = true; 38485 38485 }; 38486 + 38487 + sgtpuzzles = throw "sgtpuzzles has been renamed to sgt-puzzles."; # 2023-10-06 38488 + sgtpuzzles-mobile = throw "sgtpuzzles-mobile has been renamed to sgt-puzzles-mobile."; # 2023-10-06 38486 38489 38487 38490 shattered-pixel-dungeon = callPackage ../games/shattered-pixel-dungeon { }; 38488 38491 ··· 41330 41333 41331 41334 termpdfpy = python3Packages.callPackage ../applications/misc/termpdf.py { }; 41332 41335 41333 - inherit (callPackage ../applications/networking/cluster/terraform { }) 41336 + inherit (callPackage ../applications/networking/cluster/terraform { buildGoModule = buildGo121Module; }) 41334 41337 mkTerraform 41335 41338 terraform_1 41336 41339 terraform_plugins_test
+4
pkgs/top-level/python-packages.nix
··· 3555 3555 3556 3556 es-client = callPackage ../development/python-modules/es-client { }; 3557 3557 3558 + esig = callPackage ../development/python-modules/esig { }; 3559 + 3558 3560 espeak-phonemizer = callPackage ../development/python-modules/espeak-phonemizer { }; 3559 3561 3560 3562 esphome-dashboard-api = callPackage ../development/python-modules/esphome-dashboard-api { }; ··· 5209 5211 igraph = callPackage ../development/python-modules/igraph { 5210 5212 inherit (pkgs) igraph; 5211 5213 }; 5214 + 5215 + iisignature = callPackage ../development/python-modules/iisignature { }; 5212 5216 5213 5217 ijson = callPackage ../development/python-modules/ijson { }; 5214 5218