From 338121d8754466a9c69a878b9d07e77edc9eab2a Mon Sep 17 00:00:00 2001
From: Philip Taron <philip.taron@gmail.com>
Date: Tue, 15 Jul 2025 10:49:02 -0700
Subject: [PATCH 1/2] tor: sandbox is no longer broken on aarch64-linux

This was fixed in https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/574 by @delroth.
---
 pkgs/by-name/to/tor/package.nix | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/pkgs/by-name/to/tor/package.nix b/pkgs/by-name/to/tor/package.nix
index 006c0f204029..c4df65ea12d6 100644
--- a/pkgs/by-name/to/tor/package.nix
+++ b/pkgs/by-name/to/tor/package.nix
@@ -90,13 +90,8 @@ stdenv.mkDerivation (finalAttrs: {
     # https://gitlab.torproject.org/tpo/onion-services/onion-support/-/wikis/Documentation/PoW-FAQ#compiling-c-tor-with-the-pow-defense
     [ "--enable-gpl" ]
     ++
-      # cross compiles correctly but needs the following
-      lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ "--disable-tool-name-check" ]
-    ++
-      # sandbox is broken on aarch64-linux https://gitlab.torproject.org/tpo/core/tor/-/issues/40599
-      lib.optionals (stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isAarch64) [
-        "--disable-seccomp"
-      ];
+    # cross compiles correctly but needs the following
+    lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [ "--disable-tool-name-check" ];
 
   NIX_CFLAGS_LINK = lib.optionalString stdenv.cc.isGNU "-lgcc_s";
 

From 3cf7dc230744f7667d2ec1a2c951d8e610172ba9 Mon Sep 17 00:00:00 2001
From: Philip Taron <philip.taron@gmail.com>
Date: Tue, 15 Jul 2025 11:24:15 -0700
Subject: [PATCH 2/2] tor.updateScript: use callPackage

---
 pkgs/by-name/to/tor/package.nix | 29 ++++-------------------------
 1 file changed, 4 insertions(+), 25 deletions(-)

diff --git a/pkgs/by-name/to/tor/package.nix b/pkgs/by-name/to/tor/package.nix
index c4df65ea12d6..7c78a5bee9fd 100644
--- a/pkgs/by-name/to/tor/package.nix
+++ b/pkgs/by-name/to/tor/package.nix
@@ -1,5 +1,8 @@
 {
   lib,
+  callPackage,
+  coreutils,
+  gnugrep,
   stdenv,
   fetchurl,
   pkg-config,
@@ -16,17 +19,6 @@
   nixosTests,
   writeShellScript,
   versionCheckHook,
-
-  # for update.nix
-  writeScript,
-  common-updater-scripts,
-  bash,
-  coreutils,
-  curl,
-  gnugrep,
-  gnupg,
-  gnused,
-  nix,
 }:
 
 let
@@ -121,20 +113,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   passthru = {
     tests.tor = nixosTests.tor;
-    updateScript = import ./update.nix {
-      inherit lib;
-      inherit
-        writeScript
-        common-updater-scripts
-        bash
-        coreutils
-        curl
-        gnupg
-        gnugrep
-        gnused
-        nix
-        ;
-    };
+    updateScript = callPackage ./update.nix { };
   };
 
   meta = {