Merge staging-next into staging

This commit is contained in:
nixpkgs-ci[bot] 2025-06-25 00:19:11 +00:00 committed by GitHub
commit f851e952fb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
100 changed files with 940 additions and 4074 deletions


@ -72,12 +72,21 @@ in
restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ];
};
# Hide kernel pointers (e.g. in /proc/modules) for unprivileged
# users as these make it easier to exploit kernel vulnerabilities.
boot.kernel.sysctl."kernel.kptr_restrict" = lib.mkDefault 1;
# NixOS wide defaults
boot.kernel.sysctl = {
# Hide kernel pointers (e.g. in /proc/modules) for unprivileged
# users as these make it easier to exploit kernel vulnerabilities.
"kernel.kptr_restrict" = lib.mkDefault 1;
# Improve compatibility with applications that allocate
# a lot of memory, like modern games
boot.kernel.sysctl."vm.max_map_count" = lib.mkDefault 1048576;
# Improve compatibility with applications that allocate
# a lot of memory, like modern games
"vm.max_map_count" = lib.mkDefault 1048576;
# The default max inotify watches is 8192.
# Nowadays most apps require a good number of inotify watches,
# the value below is used by default on several other distros.
"fs.inotify.max_user_instances" = lib.mkDefault 524288;
"fs.inotify.max_user_watches" = lib.mkDefault 524288;
};
};
}
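Review bot: The comment above the new `fs.inotify.max_user_instances`/`fs.inotify.max_user_watches` defaults only explains application compatibility, yet the values now apply to every NixOS system, headless servers included (the same block is deleted from what looks like the X server module later in this commit, next to the `00-keyboard.conf` setting), and each inotify instance an unprivileged user creates holds kernel memory. Suggest extending the comment, e.g. `# Applies system-wide, not only to desktops; a higher instance limit lets unprivileged users hold more kernel memory, so tune down on memory-constrained servers.`. `kernel.kptr_restrict` keeps its earlier `lib.mkDefault 1`, so the consolidation does not change how it can be overridden. The enclosing module body starts before the hunk.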


@ -1,8 +1,8 @@
{
x86_64-linux = "/nix/store/pfh6bq2wxbpp3xz5sinymmp44n505zh8-nix-2.28.3";
i686-linux = "/nix/store/nfxdfb9zcrm9sqkw8xhdqs7vcvrwp1k2-nix-2.28.3";
aarch64-linux = "/nix/store/7w6fj8s7h4pcmx38m1f51xd93ywizm4i-nix-2.28.3";
riscv64-linux = "/nix/store/nnynd5vfd6pf9jkp13bmj44rlrd61l3h-nix-riscv64-unknown-linux-gnu-2.28.3";
x86_64-darwin = "/nix/store/rdxbh5m09c9i2s7zkh7b8g6mnrpmaa19-nix-2.28.3";
aarch64-darwin = "/nix/store/wjrdsqbaial7pl9vfhqc7cpzd9lqcr6a-nix-2.28.3";
x86_64-linux = "/nix/store/gy397nw6h414f4l4vxny1wg8cn4i955d-nix-2.28.4";
i686-linux = "/nix/store/k192aqw8zh71zrli5abqd5wg01bqwmh9-nix-2.28.4";
aarch64-linux = "/nix/store/cp0bzvj8vf5y2z0nimq57crcq6h419fj-nix-2.28.4";
riscv64-linux = "/nix/store/zav2zzhxld8fqvj7hb5z83ggd3ij6888-nix-riscv64-unknown-linux-gnu-2.28.4";
x86_64-darwin = "/nix/store/gj4y690ligr5gawmpnkiw2qs087m068w-nix-2.28.4";
aarch64-darwin = "/nix/store/nb6nkjac7nj242j3m56pkdkbikfjw343-nix-2.28.4";
}


@ -21,14 +21,6 @@ in
};
config = lib.mkIf cfg.enable {
# The default max inotify watches is 8192.
# Nowadays most apps require a good number of inotify watches,
# the value below is used by default on several other distros.
boot.kernel.sysctl = {
"fs.inotify.max_user_instances" = lib.mkDefault 524288;
"fs.inotify.max_user_watches" = lib.mkDefault 524288;
};
environment = {
# localectl looks into 00-keyboard.conf
etc."X11/xorg.conf.d/00-keyboard.conf".text = ''


@ -128,23 +128,13 @@ in
};
config = mkIf cfg.enable {
assertions = [
{
assertion = cfg.insecure || (cfg.certFile != null && cfg.keyFile != null);
message = ''
Galene needs both certFile and keyFile defined for encryption, or
the insecure flag.
'';
}
];
systemd.services.galene = {
description = "galene";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
preStart = ''
${optionalString (cfg.insecure != true) ''
${optionalString (cfg.insecure != true && cfg.certFile != null && cfg.keyFile != null) ''
install -m 700 -o '${cfg.user}' -g '${cfg.group}' ${cfg.certFile} ${cfg.dataDir}/cert.pem
install -m 700 -o '${cfg.user}' -g '${cfg.group}' ${cfg.keyFile} ${cfg.dataDir}/key.pem
''}
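Review bot: Dropping the assertion while the new `preStart` condition requires both `certFile` and `keyFile` means a configuration that sets only one of them is now silently ignored instead of rejected, and Galene starts without the operator's certificate (presumably falling back to whatever it does without a provisioned pair — confirm against upstream behaviour). Keep a narrower assertion that only rejects the half-configured case: `{ assertion = cfg.insecure || ((cfg.certFile == null) == (cfg.keyFile == null)); message = "Galene needs certFile and keyFile to be set together, or both left unset."; }`. The `preStart` script and the enclosing `config = mkIf cfg.enable` block continue past the end of the hunk.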


@ -68,7 +68,7 @@ in
ManagedOOMMemoryPressure = "kill";
ManagedOOMMemoryPressureLimit = lib.mkDefault "80%";
};
systemd.slices."user-".sliceConfig = lib.mkIf cfg.enableUserSlices {
systemd.slices."user".sliceConfig = lib.mkIf cfg.enableUserSlices {
ManagedOOMMemoryPressure = "kill";
ManagedOOMMemoryPressureLimit = lib.mkDefault "80%";
};


@ -16,8 +16,8 @@ let
inherit tiling_wm;
};
stableVersion = {
version = "2024.3.2.15"; # "Android Studio Meerkat Feature Drop | 2024.3.2 Patch 1"
sha256Hash = "sha256-L8s8l1/Q4AJEGvdzTLLu9sRZlkNyRDMQvK8moZXOeIE=";
version = "2025.1.1.13"; # "Android Studio Narwhal | 2025.1.1"
sha256Hash = "sha256-MEUqYZd/Ny2spzFqbZ40j2H4Tg6pHQGWqkpRrVtbwO8=";
};
betaVersion = {
version = "2025.1.1.11"; # "Android Studio Narwhal | 2025.1.1 RC 1"


@ -2502,8 +2502,8 @@ let
mktplcRef = {
name = "ionic";
publisher = "ionic";
version = "1.104.0";
hash = "sha256-E3Hfs7YgZ4+eF0Pg7CI7fPFt6DEtFw0DdLq4BSY7vBQ=";
version = "1.105.0";
hash = "sha256-wUYX7TmCyzKGPnl7LycfxN5axCGzq/T2/+XnSdPJJEI=";
};
meta = {
description = "Official VSCode extension for Ionic and Capacitor development";


@ -7,8 +7,8 @@ vscode-utils.buildVscodeMarketplaceExtension {
mktplcRef = {
publisher = "github";
name = "copilot-chat";
version = "0.28.0";
hash = "sha256-Pc04vtCSPlXALPnFtgQcEVa+exzfkYqFh/b8K3bUBJg=";
version = "0.28.2";
hash = "sha256-o6h9AOeBMRqVkhSgHUE2/vmsmJCXciY21mIQD7SUHOU=";
};
meta = {


@ -7,8 +7,8 @@ vscode-utils.buildVscodeMarketplaceExtension {
mktplcRef = {
publisher = "github";
name = "copilot";
version = "1.335.0";
hash = "sha256-GqUegNF1XIpEaQy+0v+TTyIR+EPaeXKVpH4QnvxXt9c=";
version = "1.336.0";
hash = "sha256-7IiYfOX3Xl3cW5FcG+7FjGAmkw7Wa9802eguRmaFE5Y=";
};
meta = {


@ -15,8 +15,8 @@ vscode-utils.buildVscodeMarketplaceExtension rec {
mktplcRef = {
name = "python";
publisher = "ms-python";
version = "2025.6.1";
hash = "sha256-aCutbmWI68IRqAwztQ9USo996zWL29UO2eAC75b3/IY=";
version = "2025.8.0";
hash = "sha256-v+MjJmiFMStbVRmh1I7hJp1Fq262QwRyRt9m2f3yF0o=";
};
buildInputs = [ icu ];


@ -8,8 +8,8 @@ vscode-utils.buildVscodeMarketplaceExtension {
mktplcRef = {
publisher = "RooVeterinaryInc";
name = "roo-cline";
version = "3.20.3";
hash = "sha256-YCO8TjUZ2IpjTkDYf/4wQgsqGEvn2bt4+yVwWlb2eUQ=";
version = "3.21.5";
hash = "sha256-g5CBUTjpgypibDBbH9kD9SQ6OGDemtch6fX9sWvxEno=";
};
passthru.updateScript = vscode-extension-update-script { };


@ -9,13 +9,13 @@
}:
mkLibretroCore {
core = "citra";
version = "0-unstable-2025-05-17";
version = "0-unstable-2025-06-22";
src = fetchFromGitHub {
owner = "libretro";
repo = "citra";
rev = "8e634afee9e870620b40efedaef77478cd1f3c99";
hash = "sha256-pf0fgamSg2OHxvft36+Y4wPF9hjyZOQXEtMWs0dkNRM=";
rev = "176214934cd46d6e072adcbda5f676bc4ca3162e";
hash = "sha256-cdBR64OBOGMy0ROR89mbKXC0xk+QkBHUKEkIn2czGiQ=";
fetchSubmodules = true;
};


@ -9,7 +9,7 @@
(
(buildMozillaMach rec {
pname = "floorp";
packageVersion = "11.27.0";
packageVersion = "11.28.0";
applicationName = "Floorp";
binaryName = "floorp";
branding = "browser/branding/official";
@ -24,7 +24,7 @@
repo = "Floorp";
fetchSubmodules = true;
rev = "v${packageVersion}";
hash = "sha256-lQ84NNWlu4hVKK/CDIDS5JKGdD4i7TTjv4x/dQhDJwo=";
hash = "sha256-2BSl7RHhqFAYSpshBYxuVWwLlVXdOT3xgH4tva5ShY4=";
};
extraConfigureFlags = [


@ -1138,13 +1138,13 @@
"vendorHash": null
},
"sakuracloud": {
"hash": "sha256-HGG6Tf1MR7V+AAo1ic9H1xWChSFiiEKfUN0D4QFUNfU=",
"hash": "sha256-vIP7hlPvx7o8/uXpg6TOEeoDL9FGaTBdXzziOyLrdGY=",
"homepage": "https://registry.terraform.io/providers/sacloud/sakuracloud",
"owner": "sacloud",
"repo": "terraform-provider-sakuracloud",
"rev": "v2.27.0",
"rev": "v2.28.0",
"spdx": "Apache-2.0",
"vendorHash": "sha256-dW3qlNRcmsuWidBYPmFpjBi2u+oT67UPJELAeALq1FY="
"vendorHash": "sha256-hJmMNxlhyzcnguLFJih/K1CSZHIOspTgCJ8nyVjT7mg="
},
"scaleway": {
"hash": "sha256-rAbCLMA4u+bOXbmGDdM5wHIzPytwuX8HTOUgYQwLAdg=",


@ -55,6 +55,7 @@
libsecret,
libcanberra-gtk3,
sane-backends,
fetchurl,
homepage,
version,
@ -87,6 +88,14 @@ let
'';
};
libxml2' = libxml2.overrideAttrs rec {
version = "2.13.8";
src = fetchurl {
url = "mirror://gnome/sources/libxml2/${lib.versions.majorMinor version}/libxml2-${version}.tar.xz";
hash = "sha256-J3KUyzMRmrcbK8gfL0Rem8lDW4k60VuyzSsOhZoO6Eo=";
};
};
in
stdenv.mkDerivation rec {
@ -157,7 +166,7 @@ stdenv.mkDerivation rec {
libsecret
libsoup_2_4
libvorbis
libxml2
libxml2'
llvmPackages.libunwind
libgbm
nspr
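Review bot: The `libxml2'` override in the second hunk pins this package to libxml2 2.13.8 without a comment saying why, so the pin detaches the package from the nixpkgs-wide libxml2 (and any security fixes that land there) and nothing signals when it can be dropped. Add a comment above the override naming the reason and the exit condition, e.g. `# Pinned to the 2.13 series: <reason — TODO confirm, presumably prebuilt-binary compatibility>; drop once the default libxml2 works, and track 2.13.x security releases while the pin stays.`. `overrideAttrs` also keeps the base derivation's `patches` (if any), which may not apply to 2.13.8 — worth confirming with a build. The `let` block containing the override starts before the hunk.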


@ -28,16 +28,6 @@ let
# The latest versions can be found at https://www.citrix.com/downloads/workspace-app/linux/
# x86 is unsupported past 23.11, see https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/deprecation
supportedVersions = lib.mapAttrs mkVersionInfo {
"23.09.0" = {
major = "23";
minor = "9";
patch = "0";
x64hash = "7b06339654aa27258d6dfa922828b43256e780b282d07109f452246c7aa27514";
x86hash = "95436fb289602cf31c65b7df89da145fc170233cb2e758a2f11116f15b57d382";
x64suffix = "24";
x86suffix = "24";
homepage = "https://www.citrix.com/downloads/workspace-app/legacy-workspace-app-for-linux/workspace-app-for-linux-latest9.html";
};
"23.11.0" = {
major = "23";
@ -69,7 +59,7 @@ let
x86hash = "";
x64suffix = "76";
x86suffix = "";
homepage = "https://www.citrix.com/downloads/workspace-app/linux/workspace-app-for-linux-latest.html";
homepage = "https://www.citrix.com/downloads/workspace-app/legacy-workspace-app-for-linux/workspace-app-for-linux-latest1.html";
};
"24.08.0" = {
@ -80,7 +70,7 @@ let
x86hash = "";
x64suffix = "98";
x86suffix = "";
homepage = "https://www.citrix.com/downloads/workspace-app/linux/workspace-app-for-linux-latest.html";
homepage = "https://www.citrix.com/downloads/workspace-app/legacy-workspace-app-for-linux/workspace-app-for-linux-latest-2408.html";
};
"24.11.0" = {
@ -91,8 +81,9 @@ let
x86hash = "";
x64suffix = "85";
x86suffix = "";
homepage = "https://www.citrix.com/downloads/workspace-app/linux/workspace-app-for-linux-latest.html";
homepage = "https://www.citrix.com/downloads/workspace-app/legacy-workspace-app-for-linux/workspace-app-for-linux-latest13.html";
};
"25.03.0" = {
major = "25";
minor = "03";
@ -101,9 +92,19 @@ let
x86hash = "";
x64suffix = "66";
x86suffix = "";
homepage = "https://www.citrix.com/downloads/workspace-app/linux/workspace-app-for-linux-latest.html";
homepage = "https://www.citrix.com/downloads/workspace-app/legacy-workspace-app-for-linux/workspace-app-for-linux-latest-2503.html";
};
"25.05.0" = {
major = "25";
minor = "05";
patch = "0";
x64hash = "0fwqsxggswms40b5k8saxpm1ghkxppl27x19w8jcslq1f0i1fwqx";
x86hash = "";
x64suffix = "44";
x86suffix = "";
homepage = "https://www.citrix.com/downloads/workspace-app/linux/workspace-app-for-linux-latest.html";
};
};
# Retain attribute-names for abandoned versions of Citrix workspace to
@ -114,6 +115,7 @@ let
unsupportedVersions = [
"23.02.0"
"23.07.0"
"23.09.0"
];
in
{
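Review bot: The new `25.05.0` entry gives `x64hash` as a bare base32 digest (`0fwqsxgg…`), while every other entry in `supportedVersions` uses a 64-character hex sha256; `mkVersionInfo` is outside the hunk, so whether it normalizes the encoding cannot be confirmed here, although `fetchurl`'s `sha256` attribute accepts both forms. For consistency and to keep later diffs easy to compare, convert the value to the same hex form as its neighbours (or, if the helper can take SRI, migrate all entries together in a separate change). Removing `23.09.0` and adding it to `unsupportedVersions` in the last hunk are consistent with each other.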


@ -31,7 +31,7 @@ let
};
in
stdenv.mkDerivation rec {
version = "16.3.25";
version = "16.3.27";
pname = "jmol";
src =
@ -40,7 +40,7 @@ stdenv.mkDerivation rec {
in
fetchurl {
url = "mirror://sourceforge/jmol/Jmol/Version%20${baseVersion}/Jmol%20${version}/Jmol-${version}-binary.tar.gz";
hash = "sha256-y6IM2xRsueEZCuUtgZg9UnB7Ux4rd+63XJ9kOpMDjRE=";
hash = "sha256-VRyMMkSwdXX80DudS+4uCZBnxypgmR/75PyK/vEJyrs=";
};
patchPhase = ''


@ -1194,7 +1194,12 @@ rec {
// {
interpreter =
if pythonPackages != pkgs.pypy2Packages || pythonPackages != pkgs.pypy3Packages then
if libraries == [ ] then python.interpreter else (python.withPackages (ps: libraries)).interpreter
if libraries == [ ] then
python.interpreter
else if (lib.isFunction libraries) then
(python.withPackages libraries).interpreter
else
(python.withPackages (ps: libraries)).interpreter
else
python.interpreter;
check = optionalString (python.isPy3k && doCheck) (
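Review bot: `libraries` may now be a function, but the hunk only changes the `interpreter` expression; the writer's documentation for the `libraries` argument (outside this hunk) should state that `ps: [ ... ]` is accepted alongside a plain list, otherwise the new form is undiscoverable. Reading-order nit: testing `lib.isFunction libraries` before `libraries == [ ]` makes the intent clearer, since the equality test on a function only happens to evaluate to false; `if lib.isFunction libraries then (python.withPackages libraries).interpreter else if libraries == [ ] then python.interpreter else (python.withPackages (ps: libraries)).interpreter`. The enclosing `rec { ... }` attribute set starts and ends outside the hunk.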


@ -8,11 +8,11 @@
stdenv.mkDerivation (finalAttrs: {
pname = "allure";
version = "2.34.0";
version = "2.34.1";
src = fetchurl {
url = "https://github.com/allure-framework/allure2/releases/download/${finalAttrs.version}/allure-${finalAttrs.version}.tgz";
hash = "sha256-1R4x8LjUv4ZQXfFeJ1HkHml3sRLhb1tRV3UqApVEo7U=";
hash = "sha256-3xPFiDQp7dUEGiTW0HKolE5lJ00ddqRB/UXSWFURNJo=";
};
dontConfigure = true;


@ -9,15 +9,15 @@
rustPlatform.buildRustPackage rec {
pname = "cargo-public-api";
version = "0.47.1";
version = "0.48.0";
src = fetchCrate {
inherit pname version;
hash = "sha256-xDMOrL9yyaEEwPhcrkPugVMTyKW4T6X1yE4tN9dmPas=";
hash = "sha256-QNv1aVdGZUSgiq4nJ5epuioZOJCKsss7GKYlsf98CJc=";
};
useFetchCargoVendor = true;
cargoHash = "sha256-HhYGc0S/i6KWZsv4E1NTkZb+jdUkcKDP/c0hdVTHJXE=";
cargoHash = "sha256-XzMNQbDP1dCs1vCEGgOBLR0xw8RSXupMdX5V0SPtvy4=";
nativeBuildInputs = [ pkg-config ];


@ -6,17 +6,17 @@
rustPlatform.buildRustPackage rec {
pname = "cargo-xwin";
version = "0.18.6";
version = "0.19.0";
src = fetchFromGitHub {
owner = "rust-cross";
repo = "cargo-xwin";
rev = "v${version}";
hash = "sha256-srPXWJAMc5IOLucGg0QNG23aqMABftQTM3PjcbZc8+A=";
hash = "sha256-uu3fKq6ZebDbTBpp5UaAOCWnaeJ0xRgVO+GNDHheKGA=";
};
useFetchCargoVendor = true;
cargoHash = "sha256-1JJSK7Ss4o/Vk1mxQtNfTLOuA5fwfKpcv5MrsJEuXYU=";
cargoHash = "sha256-/u1qBe+eOAXqjgly62eFIglO3XuZd/f2w7DcHsqvZGA=";
meta = with lib; {
description = "Cross compile Cargo project to Windows MSVC target with ease";


@ -6,13 +6,13 @@
"packages": {
"": {
"dependencies": {
"@anthropic-ai/claude-code": "^1.0.30"
"@anthropic-ai/claude-code": "^1.0.33"
}
},
"node_modules/@anthropic-ai/claude-code": {
"version": "1.0.30",
"resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-1.0.30.tgz",
"integrity": "sha512-qIs92Cq3hFwn9/lZBta+wWJfGoQsrbFuiVm0bkurwGKxaJV69Ibr6hYfSU/lIKLcbvSygkZ/tWRxFQt44gnFhQ==",
"version": "1.0.33",
"resolved": "https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-1.0.33.tgz",
"integrity": "sha512-rKQ1C0+iSV/bS4LVfyCt2FIkIc8MnFi5EbmRAXEunNkXLCQLHfXjsqx7cLOy7c11vZwGkyf/wEp5LwaDQHdjCQ==",
"hasInstallScript": true,
"license": "SEE LICENSE IN README.md",
"bin": {


@ -7,16 +7,16 @@
buildNpmPackage rec {
pname = "claude-code";
version = "1.0.30";
version = "1.0.33";
nodejs = nodejs_20; # required for sandboxed Nix builds on Darwin
src = fetchzip {
url = "https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-${version}.tgz";
hash = "sha256-DwzSXpDrNV8FhfqrRQ3OK/LjmiXd+VHEW91jnyds2P4=";
hash = "sha256-AH/ZokL0Ktsx18DrpUKgYrZKdBnKo29jntwXUWspH8w=";
};
npmDepsHash = "sha256-M6H6A4i4JBqcFTG/ZkmxpINa4lw8sO5+iu2YcBqmvi4=";
npmDepsHash = "sha256-oHSePK/QiAHP+2Fn+yUf66TcRGCoZg3mrI4x7S/nbCc=";
postPatch = ''
cp ${./package-lock.json} package-lock.json


@ -6,23 +6,26 @@
rustPlatform.buildRustPackage {
pname = "deploy-rs";
version = "0-unstable-2024-06-12";
version = "0-unstable-2025-06-05";
src = fetchFromGitHub {
owner = "serokell";
repo = "deploy-rs";
rev = "3867348fa92bc892eba5d9ddb2d7a97b9e127a8a";
hash = "sha256-FaGrf7qwZ99ehPJCAwgvNY5sLCqQ3GDiE/6uLhxxwSY=";
rev = "6bc76b872374845ba9d645a2f012b764fecd765f";
hash = "sha256-hXh76y/wDl15almBcqvjryB50B0BaiXJKk20f314RoE=";
};
useFetchCargoVendor = true;
cargoHash = "sha256-e+Exc0lEamAieZ7QHJBYvmnmM/9YHdLRD3La4U5FRMo=";
cargoHash = "sha256-9O93YTEz+e2oxenE0gwxsbz55clbKo9+37yVOqz7ErE=";
meta = {
description = "Multi-profile Nix-flake deploy tool";
homepage = "https://github.com/serokell/deploy-rs";
license = lib.licenses.mpl20;
maintainers = with lib.maintainers; [ teutat3s ];
maintainers = with lib.maintainers; [
teutat3s
jk
];
teams = [ lib.teams.serokell ];
mainProgram = "deploy";
};
}


@ -6,13 +6,13 @@
buildGoModule rec {
pname = "dms";
version = "1.7.1";
version = "1.7.2";
src = fetchFromGitHub {
owner = "anacrolix";
repo = "dms";
tag = "v${version}";
hash = "sha256-dObY2MNrrQqn5i/y2LDlKvd9S04EArmsalIsfXsrth0=";
hash = "sha256-C1XcaPQp+T0scrCBsvqjJrmUR0N7mJOQC9Z2TxvtYc8=";
};
vendorHash = "sha256-f6Jl78ZPLD7Oq4Bq8MBQpHEKnBvpyTWZ9qHa1fGOlgA=";


@ -0,0 +1,119 @@
{
lib,
stdenv,
fetchFromGitHub,
python3Packages,
qt5,
secp256k1,
}:
python3Packages.buildPythonApplication rec {
pname = "electron-cash";
version = "4.4.2";
pyproject = true;
src = fetchFromGitHub {
owner = "Electron-Cash";
repo = "Electron-Cash";
tag = version;
sha256 = "sha256-hqaPxetS6JONvlRMjNonXUGFpdmnuadD00gcPzY07x0=";
};
build-system = with python3Packages; [
cython
setuptools
];
dependencies = with python3Packages; [
# requirements
pyaes
ecdsa
requests
qrcode
protobuf
jsonrpclib-pelix
pysocks
qdarkstyle
python-dateutil
stem
certifi
pathvalidate
dnspython
bitcoinrpc
# requirements-binaries
pyqt5
psutil
pycryptodomex
cryptography
zxing-cpp
# requirements-hw
trezor
keepkey
btchip-python
hidapi
pyopenssl
pyscard
pysatochip
];
nativeBuildInputs = [ qt5.wrapQtAppsHook ];
buildInputs = [ ] ++ lib.optional stdenv.hostPlatform.isLinux qt5.qtwayland;
# 1. If secp256k1 wasn't added to the library path, the following warning is given:
#
# Electron Cash was unable to find the secp256k1 library on this system.
# Elliptic curve cryptography operations will be performed in slow
# Python-only mode.
#
# Upstream hardcoded `libsecp256k1.so.0` where we provides
# `libsecp256k1.so.5`. The only breaking change is the removal of two
# functions which seem not used by electron-cash.
# See: <https://github.com/Electron-Cash/Electron-Cash/issues/3009>
#
# 2. The code should be compatible with python-dateutil 2.10 which is the
# version we have in nixpkgs. Changelog:
# <https://dateutil.readthedocs.io/en/latest/changelog.html#version-2-9-0-post0-2024-03-01>
postPatch = ''
substituteInPlace setup.py \
--replace-fail "(share_dir" '("share"'
substituteInPlace electroncash/secp256k1.py \
--replace-fail "libsecp256k1.so.0" "${secp256k1}/lib/libsecp256k1.so.5"
substituteInPlace contrib/requirements/requirements.txt \
--replace-fail "python-dateutil<2.9" "python-dateutil<2.10"
'';
preFixup = ''
makeWrapperArgs+=("''${qtWrapperArgs[@]}")
'';
doInstallCheck = true;
installCheckPhase = ''
output="$($out/bin/electron-cash help 2>&1)"
if [[ "$output" == *"failed to load"* ]]; then
echo "$output"
echo "Forbidden text detected: failed to load"
exit 1
fi
'';
meta = {
description = "Bitcoin Cash SPV Wallet";
mainProgram = "electron-cash";
longDescription = ''
An easy-to-use Bitcoin Cash client featuring wallets generated from
mnemonic seeds (in addition to other, more advanced, wallet options)
and the ability to perform transactions without downloading a copy
of the blockchain.
'';
homepage = "https://www.electroncash.org/";
platforms = lib.platforms.unix;
maintainers = with lib.maintainers; [
nyanloutre
oxalica
];
license = lib.licenses.mit;
};
}
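Review bot: The new `electron-cash` expression writes the source hash as `sha256 = "sha256-…"` while the rest of this commit uses `hash =` for SRI values; change the line to `hash = "sha256-hqaPxetS6JONvlRMjNonXUGFpdmnuadD00gcPzY07x0=";`. `buildInputs = [ ] ++ lib.optional …` carries a redundant empty-list prefix; `buildInputs = lib.optional stdenv.hostPlatform.isLinux qt5.qtwayland;` is equivalent. The soname rewrite in `postPatch` is well explained by the comment above it; since this is a wallet, a `meta.changelog` pointing at upstream releases would help reviewers of later bumps.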


@ -17,13 +17,13 @@
}:
let
version = "0.204.3";
version = "0.204.5";
src = fetchFromGitHub {
owner = "evcc-io";
repo = "evcc";
tag = version;
hash = "sha256-Z8Fac1vIBUJ34hXgOOAo8z91lBCKw+IP1Ff6r+jBtj0=";
hash = "sha256-kGn7O2OCvStez2eaT+h7EDBi96Q7dshK8X7DUD2SBOo=";
};
vendorHash = "sha256-n67OSKpMhvgqftoVAqtABfcNgdRSbWjmJv7HSmv3Ev8=";
@ -52,7 +52,7 @@ buildGo124Module rec {
npmDeps = fetchNpmDeps {
inherit src;
hash = "sha256-6oFvrLY5OM+5YgWRlx28+z2yB+Vo/SkV6ZsD3r3Ckis=";
hash = "sha256-HDokBgvRxmKkuQyGIqkX0Hy4Up+K25yYSRYAstE8mBY=";
};
nativeBuildInputs = [


@ -10,17 +10,17 @@
rustPlatform.buildRustPackage (finalAttrs: {
pname = "ferron";
version = "1.3.1";
version = "1.3.3";
src = fetchFromGitHub {
owner = "ferronweb";
repo = "ferron";
tag = finalAttrs.version;
hash = "sha256-DD9mv2tMGLtnBU1YAb/CDTt+OcDVRzEfW3kUmePT+y4=";
hash = "sha256-pJ3UGiQUIon1RTZqw0Y4b/FC+0aAxHSwmXRApWsNhP4=";
};
useFetchCargoVendor = true;
cargoHash = "sha256-ezH8Oraog7XmD4zcrT5eiqS4zQ54m0SXNWlBRx0mJgo=";
cargoHash = "sha256-9ZJYf7tcsdBhE82MSmLi2deSM+l1mjfwSIHLTDan5Hg=";
nativeBuildInputs = [
pkg-config


@ -7,14 +7,14 @@
python3Packages.buildPythonApplication rec {
pname = "flexget";
version = "3.16.5";
version = "3.16.9";
pyproject = true;
src = fetchFromGitHub {
owner = "Flexget";
repo = "Flexget";
tag = "v${version}";
hash = "sha256-tmxVk74eqN4qIe7cJF5IIWe7aXIH3Q2vi1galTF+FbI=";
hash = "sha256-LXlv/nZhZtkyUYg7UknXIyYsjqtYEeHVSzfwgNnwgwY=";
};
pythonRelaxDeps = true;


@ -6,16 +6,16 @@
buildGoModule rec {
pname = "go-exploitdb";
version = "0.5.0";
version = "0.6.0";
src = fetchFromGitHub {
owner = "vulsio";
repo = "go-exploitdb";
tag = "v${version}";
hash = "sha256-7S6DuPCsT3mP4/W5Lsyg4RS7Km8dmYkrUhvSjlRhahc=";
hash = "sha256-Mihy8qk9lQKXFn6Hx1QaHfrhuxq3WOCC3XdtIx3K8Ds=";
};
vendorHash = "sha256-uqXNRfWWNvpDC3q+eDX3NOQIHz0di4/Vjh7r8OMsTr4=";
vendorHash = "sha256-Ya8l7BNRwsN1N9CpeiKGzJXHIvqrqcQphtvi+7DqwME=";
ldflags = [
"-s"


@ -8,10 +8,10 @@
}:
stdenv.mkDerivation rec {
pname = "halo";
version = "2.21.0";
version = "2.21.1";
src = fetchurl {
url = "https://github.com/halo-dev/halo/releases/download/v${version}/halo-${version}.jar";
hash = "sha256-taEaHhPy/jR2ThY9Qk+cded3+LyZSNnrytWh8G5zqVE=";
hash = "sha256-1R4xeXANk2LUbIcHEEwNOnBhKsIBkf+naB9b9VSOg9w=";
};
nativeBuildInputs = [


@ -42,11 +42,11 @@ let
in
stdenv.mkDerivation (finalAttrs: {
pname = "haproxy";
version = "3.2.0";
version = "3.2.1";
src = fetchurl {
url = "https://www.haproxy.org/download/${lib.versions.majorMinor finalAttrs.version}/src/haproxy-${finalAttrs.version}.tar.gz";
hash = "sha256-92KuMbyhtR/rieQ5Xjbhf4Z8JTcqEIU8cNKSw90Xt7A=";
hash = "sha256-uz+Wenl8iFHQhoPsQ9+v5K179a2G+msHIcrQM+qeWuU=";
};
buildInputs =


@ -15,13 +15,13 @@
stdenvNoCC.mkDerivation rec {
pname = "hdrop";
version = "0.7.7";
version = "0.7.8";
src = fetchFromGitHub {
owner = "Schweber";
repo = "hdrop";
rev = "v${version}";
hash = "sha256-T+hyC3YfTMn5txFlFbm/+wKWj21vuwIN5lfe+iiAm8c=";
hash = "sha256-JlfSGJBN3aJnZcN8aY464mmADP5boenGQzOxv2sswGc=";
};
nativeBuildInputs = [


@ -11,16 +11,16 @@
buildGoModule (finalAttrs: {
pname = "hugo";
version = "0.147.8";
version = "0.147.9";
src = fetchFromGitHub {
owner = "gohugoio";
repo = "hugo";
tag = "v${finalAttrs.version}";
hash = "sha256-h8fgV6fWhYrqbG/FPGCPYDnQshz1L8ulxPon+Xnw4lY=";
hash = "sha256-rTEtllENG33jAAgROjQrOjd4FKpe8uYAi3VLMII71SM=";
};
vendorHash = "sha256-VHql1iznNp2qL+qA+M1tSKCf823qozWW8PSyHihFU8A=";
vendorHash = "sha256-lSTSzQFR1JpGb8iYWyL/UM0W/AmFvFAcvi3+pJAJOws=";
checkFlags =
let


@ -6,17 +6,17 @@
rustPlatform.buildRustPackage rec {
pname = "jql";
version = "8.0.6";
version = "8.0.7";
src = fetchFromGitHub {
owner = "yamafaktory";
repo = "jql";
rev = "jql-v${version}";
hash = "sha256-bb3QoODsVZaTw5mcagvcGLn8uwG48nmHPgtlIC2ZdVE=";
hash = "sha256-OBv7uScgFnLhkeQ2dKey+QYUvX4y/iLFjfCUJeqhXBs=";
};
useFetchCargoVendor = true;
cargoHash = "sha256-7+qlQf44DgjijKlM+HRjyubH3W/PJbortri3ur0ASnk=";
cargoHash = "sha256-AAdYjlPpyhxKQ8mXdLBdivMp8G91Ho5ntS73HC8wMfQ=";
meta = with lib; {
description = "JSON Query Language CLI tool built with Rust";


@ -12,17 +12,17 @@
}:
rustPlatform.buildRustPackage rec {
pname = "kanata";
version = "1.8.1";
version = "1.9.0";
src = fetchFromGitHub {
owner = "jtroo";
repo = "kanata";
rev = "v${version}";
sha256 = "sha256-w/PeSqj51gJOWmAV5UPMprntdzinX/IL49D2ZUMfeSM=";
sha256 = "sha256-xxAIwiwCQugDXpWga9bQ9ZGfem46rwDlmf64dX/tw7g=";
};
useFetchCargoVendor = true;
cargoHash = "sha256-T9fZxv3aujYparzVphfYBJ+5ti/T1VkeCeCqWPyllY8=";
cargoHash = "sha256-LfjuQHR3vVUr2e0efVymnfCnyYkFRx7ZiNdSIjBZc5s=";
buildInputs = lib.optionals stdenv.hostPlatform.isDarwin [
apple-sdk_13


@ -8,16 +8,16 @@
buildNpmPackage rec {
pname = "lint-staged";
version = "16.1.1";
version = "16.1.2";
src = fetchFromGitHub {
owner = "okonet";
repo = "lint-staged";
rev = "v${version}";
hash = "sha256-DBLS0hMu2mG4+sGhhGjIlfj2y2A33RccEP3plweaKio=";
hash = "sha256-fpUZ4OAkbitsR/eCUVRFuJ+FWtIwZVgDz4dG/RGojP4=";
};
npmDepsHash = "sha256-LJipxwO5B01KlfjOVhlhw5veH2+wpzWm0EwcRdVFleQ=";
npmDepsHash = "sha256-2TXGwQRy+IMksICDy5drCqxP+ng644fQlhG+lvJrCUA=";
dontNpmBuild = true;


@ -6,17 +6,17 @@
rustPlatform.buildRustPackage rec {
pname = "lurk";
version = "0.3.9";
version = "0.3.10";
src = fetchFromGitHub {
owner = "jakwai01";
repo = "lurk";
tag = "v${version}";
hash = "sha256-KiM5w0YPxEpJ4cR/8YfhWlTrffqf5Ak1eu0yxgOmqUs=";
hash = "sha256-5riwosaT7QjRFnIFRAcyLul7i1g8OpHyUuuJNOROTF0=";
};
useFetchCargoVendor = true;
cargoHash = "sha256-N8jAmD9IpR+HALWpqp7y/wp75JVb4zgzoLT5oJ06njY=";
cargoHash = "sha256-CDrqcKNhQYbtDaasyCQ6VPGdIrW34VBKPDpbFeommAc=";
postPatch = ''
substituteInPlace src/lib.rs \


@ -7,23 +7,24 @@
python3Packages.buildPythonApplication {
pname = "memtree";
version = "0-unstable-2025-06-06";
version = "0-unstable-2025-06-10";
pyproject = true;
src = fetchFromGitHub {
owner = "nbraud";
owner = "nicoonoclaste";
repo = "memtree";
rev = "279f1fa0a811de86c278ce74830bd8aa1b00db58";
hash = "sha256-gUULox3QSx68x8lb1ytanY36cw/I9L4HdpR8OPOsxuc=";
rev = "ad1a7d1e4fa5f195c2aa1012101d01ab580a05e8";
hash = "sha256-stIRBXhaLqYsN2WMQnu46z39ssantzM8M6T3kCOoZKc=";
# Remove irrelevant content, avoid src hash change on flake.lock updates etc.
postFetch = "rm -r $out/.* $out/flake.* $out/bors.toml";
};
pythonRelaxDeps = [ "rich" ];
nativeBuildInputs = with python3Packages; [
build-system = with python3Packages; [
poetry-core
];
propagatedBuildInputs = with python3Packages; [
dependencies = with python3Packages; [
rich
];
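Review bot: The `owner` of the `fetchFromGitHub` source changes from `nbraud` to `nicoonoclaste` together with a new `rev`, which is a change of source identity rather than a plain bump; the fixed-output hash pins the content, but a reader of the file cannot tell whether this is an upstream account rename or a different fork, so add a comment such as `# upstream account renamed from nbraud — TODO confirm`. The `build-system`/`dependencies` migration replaces the older attribute names and looks straightforward.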


@ -6,13 +6,13 @@
buildGoModule rec {
pname = "meteor-git";
version = "0.27.0";
version = "0.28.1";
src = fetchFromGitHub {
owner = "stefanlogue";
repo = "meteor";
rev = "v${version}";
hash = "sha256-OH4WQNSbTMaysaHoKcy3S9V7BWu93Djr8toWtQ7Xj/w=";
hash = "sha256-2BosD88B3ZnLniNhKn4VJjHM5tCfbiTBjLqpU8RHMBI=";
};
vendorHash = "sha256-jKd/eJwp5SZvTrP3RN7xT7ibAB0PQondGR3RT+HQXIo=";


@ -97,7 +97,7 @@ let
++ lib.optionals mediaSupport [ ffmpeg ]
);
version = "14.5.3";
version = "14.5.4";
sources = {
x86_64-linux = fetchurl {
@ -109,7 +109,7 @@ let
"https://tor.eff.org/dist/mullvadbrowser/${version}/mullvad-browser-linux-x86_64-${version}.tar.xz"
"https://tor.calyxinstitute.org/dist/mullvadbrowser/${version}/mullvad-browser-linux-x86_64-${version}.tar.xz"
];
hash = "sha256-W005Lkgw96sYseB8LBE76b7+RxMC5vNb1+3KrDp8IE0=";
hash = "sha256-DJEc+2GJHxG49euVpwH8h/yLoR6DVn0a0ZUFS429XaA=";
};
};


@ -16,16 +16,16 @@ let
in
buildNpmPackage (finalAttrs: {
pname = "netron";
version = "8.3.8";
version = "8.3.9";
src = fetchFromGitHub {
owner = "lutzroeder";
repo = "netron";
tag = "v${finalAttrs.version}";
hash = "sha256-BHV51d5X8uXnqjCkpVnZX40dAuF2HCNk/6A5cKr9nZE=";
hash = "sha256-4AnbhdZVkPhpzNxmjhRNcUTiWrxXNWqVrUxR8pO+ULo=";
};
npmDepsHash = "sha256-E4jqaDJqgvOvV+67jtMzt/4YkhQ4GmKati0wuVMC8yI=";
npmDepsHash = "sha256-71O2cMr44tLv4m/iM/pOE126k1Z2DTRDKI7o7aWUePg=";
nativeBuildInputs = [ jq ];


@ -15,6 +15,13 @@
# Very long tmp dirs lead to "too long for Unix domain socket"
# SSH ControlPath errors. Especially macOS sets long TMPDIR paths.
withTmpdir ? if stdenv.hostPlatform.isDarwin then "/tmp" else null,
# This version is kind of arbitrary, we use some features that were
# implemented in newer versions of Nix, but not necessary 2.18.
# However, Lix is a fork of Nix 2.18, so this looks like a good version
# to cut specific functionality.
# ATTN: This currently doesn't disambiguate between Nix and Lix, so using this
# in a conditional needs careful checking against both Nix implementations.
withNix218 ? lib.versionAtLeast nix.version "2.18",
# passthru.tests
nixosTests,
nixVersions,
@ -23,13 +30,6 @@
}:
let
executable = if withNgSuffix then "nixos-rebuild-ng" else "nixos-rebuild";
# This version is kind of arbitrary, we use some features that were
# implemented in newer versions of Nix, but not necessary 2.18.
# However, Lix is a fork of Nix 2.18, so this looks like a good version
# to cut specific functionality.
# ATTN: This currently doesn't disambiguate between Nix and Lix, so using this
# in a conditional needs careful checking against both Nix implementations.
withNix218 = lib.versionAtLeast nix.version "2.18";
in
python3Packages.buildPythonApplication rec {
pname = "nixos-rebuild-ng";


@ -210,6 +210,7 @@ def copy_closure(
run_wrapper(
[
"nix",
*FLAKE_FLAGS,
"copy",
*dict_to_flags(copy_flags),
"--from",


@ -688,6 +688,8 @@ def test_execute_nix_switch_build_target_host(
call(
[
"nix",
"--extra-experimental-features",
"nix-command flakes",
"copy",
"--from",
"ssh://user@build-host",


@ -263,6 +263,8 @@ def test_copy_closure(monkeypatch: MonkeyPatch) -> None:
mock_run.assert_called_with(
[
"nix",
"--extra-experimental-features",
"nix-command flakes",
"copy",
"--copy-flag",
"--from",


@ -11,17 +11,17 @@
rustPlatform.buildRustPackage rec {
pname = "novops";
version = "0.20.0";
version = "0.20.1";
src = fetchFromGitHub {
owner = "PierreBeucher";
repo = "novops";
rev = "v${version}";
hash = "sha256-TvlbA9RXuAPm1rN3VaIrVKMfyePT9oLSh87Bqclwcj8=";
hash = "sha256-F3MtDTaeLoI54/xbbIU61hb+qLDn2u4lRv+3kU5c/D0=";
};
useFetchCargoVendor = true;
cargoHash = "sha256-oXOK8LQZ2+u566HIi0DYuocEsZMfj1ogkHciH8hFVR8=";
cargoHash = "sha256-F+JIAHk28qpJy97aQQup1Ss5G1p4LQzkj1ptjBhp1CY=";
buildInputs =
[


@ -10,16 +10,16 @@
rustPlatform.buildRustPackage (finalAttrs: {
pname = "oci2git";
version = "0.1.4";
version = "0.1.5";
src = fetchFromGitHub {
owner = "Virviil";
repo = "oci2git";
tag = "v${finalAttrs.version}";
hash = "sha256-vz4OqRg7CYliAswQWtzEWUb7Z10fwxDhYrvQ3q4ZtPA=";
hash = "sha256-axUNZWV9hKdnHfPqgIx1O2onHvBb4n5Wdv2laNV83Ik=";
};
cargoHash = "sha256-Aj93f+L4h1FxHpWehD11sTPXTFsg2B9rJ96mSJ/VVQ4=";
cargoHash = "sha256-1U/kvuXAPYFU1YekY6xKeEsTJ03ol1uN2DDp7j/Sync=";
nativeBuildInputs = [
pkg-config


@ -19,14 +19,14 @@
}:
stdenv.mkDerivation rec {
version = "2025-06-10";
version = "2025-06-19";
pname = "oh-my-zsh";
src = fetchFromGitHub {
owner = "ohmyzsh";
repo = "ohmyzsh";
rev = "042605ee6b2afeb21e380d05b22d5072f0eeff44";
sha256 = "sha256-qAD9lSjHDtZoWznbBAnUUI+bMa3DpXaaxNoY5fEN4lY=";
rev = "f8022980a3423f25e3d5e1b6a60d2372a2ba006b";
sha256 = "sha256-o7UCVCSDh/GpzvAPWpD72MQlHIC06nQVhIBj7n/OxXo=";
};
strictDeps = true;


@ -117,17 +117,17 @@ in
goBuild (finalAttrs: {
pname = "ollama";
# don't forget to invalidate all hashes each update
version = "0.9.1";
version = "0.9.2";
src = fetchFromGitHub {
owner = "ollama";
repo = "ollama";
tag = "v${finalAttrs.version}";
hash = "sha256-6ha8aGRljb/uN+CtPpZDpcAVmpZccCq/1TSCQ5FVL8E=";
hash = "sha256-2mvaIEfto/w2yjaJxopn5L2rn8pCTHfQvo8mmzTO4i0=";
fetchSubmodules = true;
};
vendorHash = "sha256-svJt7Cuy+auVd8II3+JaAefiZcG88QyDgjWPnpoxfts=";
vendorHash = "sha256-t7+GLNC6mRcXq9ErxN6gGki5WWWoEcMfzRVjta4fddA=";
env =
lib.optionalAttrs enableRocm {


@ -15,16 +15,16 @@
let
package = buildGoModule rec {
pname = "opentofu";
version = "1.9.1";
version = "1.10.0";
src = fetchFromGitHub {
owner = "opentofu";
repo = "opentofu";
tag = "v${version}";
hash = "sha256-YZMv17fnvzgzm35MXFkvMc5JAuPnyapa41H8Ob4t88c=";
hash = "sha256-4/Z09iJK37ofWKLQ9+uUitkcGfMBTYzunOOeDZjrDOM=";
};
vendorHash = "sha256-avfyMwYv8nKLCUHSExsPvYQrt9sMKZNPHFB/YFGQs2s=";
vendorHash = "sha256-npMGiUIDhp4n7nKMWeyq+TDggU1xm5RzQrGOxvzWcnI=";
ldflags = [
"-s"
"-w"


@ -74,13 +74,13 @@ let
in
buildGoModule rec {
pname = "podman";
version = "5.5.1";
version = "5.5.2";
src = fetchFromGitHub {
owner = "containers";
repo = "podman";
rev = "v${version}";
hash = "sha256-/dGFDwjAAc1D88VslVDolf2YVPZ9cHUCQjdaEreQSE0=";
hash = "sha256-iLpJQC1v+jPeQNCjgtx3pPKsa6wLcrqtQkeG7qF3rWo=";
};
patches = [


@ -3,6 +3,7 @@
lib,
fetchFromGitHub,
fetchurl,
fetchpatch,
autoPatchelfHook,
makeWrapper,
nix-update-script,
@ -37,6 +38,14 @@ let
rev = "v6.1";
hash = "sha256-l1VupBKi52UWqJMisT2CVnXph3fGxB63mBVvYdM1NWE=";
};
patches = (oldAttrs.patches or [ ]) ++ [
(fetchpatch {
# utest: Improve filtering of output sugar for Python 3.13+
name = "python3.13-support.patch";
url = "https://github.com/robotframework/robotframework/commit/921e352556dc8538b72de1e693e2a244d420a26d.patch";
hash = "sha256-aSaror26x4kVkLVetPEbrJG4H1zstHsNWqmwqOys3zo=";
})
];
}))
];
in


@ -9,17 +9,17 @@
rustPlatform.buildRustPackage rec {
pname = "rmpc";
version = "0.8.0";
version = "0.9.0";
src = fetchFromGitHub {
owner = "mierak";
repo = "rmpc";
rev = "v${version}";
hash = "sha256-RfYaWoVGdeE5y/hkRH+gZgnc0Hrp9V+Pttvjcu3Q14g=";
hash = "sha256-6hs0neoQf1h5IORJZp8R3ELLvYBXMr1iqc7ErSsGnUQ=";
};
useFetchCargoVendor = true;
cargoHash = "sha256-m25lo7mufGS7m1QSnhYdXMaXfjdqtJ8hVLdbuRsxbKY=";
cargoHash = "sha256-xXH/MRQgT/Je/aOCZ26vdC3PtlosXLIrjbOHtnvf9os=";
checkFlags = [
# Test currently broken, needs to be removed. See https://github.com/mierak/rmpc/issues/254


@ -8,14 +8,14 @@
buildGoModule rec {
pname = "runitor";
version = "1.4.0";
version = "1.4.1";
vendorHash = "sha256-SYYAAtuWt/mTmZPBilYxf2uZ6OcgeTnobYiye47i8mI=";
src = fetchFromGitHub {
owner = "bdd";
repo = "runitor";
rev = "v${version}";
sha256 = "sha256-eD8bJ34ZfTPToQrZ8kZGcSBdMmmCwRtuXgwZmz15O3s=";
sha256 = "sha256-y4wIfal8aiVD5ZoRF6GnYUGRssBLMOPSWa40+3OU4y0=";
};
ldflags = [


@ -11,13 +11,13 @@
}:
stdenv.mkDerivation rec {
pname = "sql-formatter";
version = "15.6.4";
version = "15.6.5";
src = fetchFromGitHub {
owner = "sql-formatter-org";
repo = "sql-formatter";
rev = "v${version}";
hash = "sha256-nrdr6h+q8jVXKM6xPXeQkGN3zqdUCPs/FVnPMfMPG3E=";
hash = "sha256-oNUQvNsdlLJn2JQdCV0Kp3oaXuLJuPGH+Pfe+gRog2E=";
};
yarnOfflineCache = fetchYarnDeps {


@ -6,17 +6,17 @@
}:
rustPlatform.buildRustPackage rec {
pname = "srgn";
version = "0.13.7";
version = "0.14.0";
src = fetchFromGitHub {
owner = "alexpovel";
repo = "srgn";
rev = "srgn-v${version}";
hash = "sha256-JHO++d25UmYgTuSOvkZaF0rkab8B6XetHcoEchpLimk=";
hash = "sha256-ZWjpkClhac4VD4b/Veffb5FHGvh+oeTu3ukaOux6MG0=";
};
useFetchCargoVendor = true;
cargoHash = "sha256-H0LBH8nd/uyFufrUWVyNZjn9AKJcAlsv3UVuXoM7ZGM=";
cargoHash = "sha256-d/wFD0kxWNOsYaY4G5P9iM85dSo0UZGSte5AqOosM2g=";
nativeBuildInputs = [ installShellFiles ];


@ -8,16 +8,16 @@
buildGoModule rec {
pname = "talosctl";
version = "1.10.3";
version = "1.10.4";
src = fetchFromGitHub {
owner = "siderolabs";
repo = "talos";
tag = "v${version}";
hash = "sha256-smqQBFm33uTgK4RGtiu9wlgbHkt8jw7zeiVGWsHG/8s=";
hash = "sha256-TWaORaR+3PTc+KqWuZiR5HpsuY7ox5BjQ72F8uYRzWQ=";
};
vendorHash = "sha256-fDKCozvQ1dPM0DFS7DysZ1DHryj3se1bmaLb+3B0kxo=";
vendorHash = "sha256-SDSWWhj3MTuNASZOujKz2M3glO1dhg0cS2pdfeZXyPk=";
ldflags = [
"-s"


@ -111,7 +111,7 @@ lib.warnIf (useHardenedMalloc != null)
++ lib.optionals mediaSupport [ ffmpeg ]
);
version = "14.5.3";
version = "14.5.4";
sources = {
x86_64-linux = fetchurl {
@ -121,7 +121,7 @@ lib.warnIf (useHardenedMalloc != null)
"https://tor.eff.org/dist/torbrowser/${version}/tor-browser-linux-x86_64-${version}.tar.xz"
"https://tor.calyxinstitute.org/dist/torbrowser/${version}/tor-browser-linux-x86_64-${version}.tar.xz"
];
hash = "sha256-1MgXLdoRrmwFAG2JtkCUa2NQ/H3Xxd9+2jbV+fRRVXA=";
hash = "sha256-27Wq9VwFB85swQZIRQMKZgeUeb/SgQ04aaWmZtlpY9s=";
};
i686-linux = fetchurl {
@ -131,7 +131,7 @@ lib.warnIf (useHardenedMalloc != null)
"https://tor.eff.org/dist/torbrowser/${version}/tor-browser-linux-i686-${version}.tar.xz"
"https://tor.calyxinstitute.org/dist/torbrowser/${version}/tor-browser-linux-i686-${version}.tar.xz"
];
hash = "sha256-T6BdLhEXYzo3zIJZ2aREjAWmIRDV/xtVhVvkDUozoo4=";
hash = "sha256-OgexrnQWGYSf9g3Le/LyBcpGo3xFqpCMq1NUHF5fi9M=";
};
};


@ -45,7 +45,47 @@ let
dependencies = old.dependencies ++ [
self.chroma-hnswlib
];
doCheck = false;
# The base package disables additional tests, so explicitly override
disabledTests = [
# Tests are flaky / timing sensitive
"test_fastapi_server_token_authn_allows_when_it_should_allow"
"test_fastapi_server_token_authn_rejects_when_it_should_reject"
# Issue with event loop
"test_http_client_bw_compatibility"
# httpx ReadError
"test_not_existing_collection_delete"
];
disabledTestPaths = [
# Tests require network access
"chromadb/test/auth/test_simple_rbac_authz.py"
"chromadb/test/db/test_system.py"
"chromadb/test/ef/test_default_ef.py"
"chromadb/test/property/"
"chromadb/test/property/test_cross_version_persist.py"
"chromadb/test/stress/"
"chromadb/test/test_api.py"
# httpx failures
"chromadb/test/api/test_delete_database.py"
# Cannot be loaded by pytest without path hacks (fixed in 1.0.0)
"chromadb/test/test_logservice.py"
"chromadb/test/proto/test_utils.py"
"chromadb/test/segment/distributed/test_protobuf_translation.py"
# Hypothesis FailedHealthCheck due to nested @given tests
"chromadb/test/cache/test_cache.py"
# Tests fail when running in parallel.
# E.g. when building the building python 3.12 and 3.13 versions simultaneously.
# ValueError: An instance of Chroma already exists for ephemeral with different settings
"chromadb/test/test_chroma.py"
"chromadb/test/test_client.py"
];
});
};
};
@ -107,6 +147,10 @@ python.pkgs.buildPythonApplication rec {
];
};
nativeBuildInputs = [
installShellFiles
];
postInstall = ''
$out/bin/vectorcode --print-completion=bash >vectorcode.bash
$out/bin/vectorcode --print-completion=zsh >vectorcode.zsh
@ -123,11 +167,16 @@ python.pkgs.buildPythonApplication rec {
};
'';
# Test collection breaks on aarch64-linux, because the transitive onnxruntime
# tries to read /sys/devices/system/cpu, which does not exist in the sandbox.
#
# We inherit the issue from chromadb, so inherit its `doCheck` attribute.
inherit (python.pkgs.chromadb) doCheck;
pythonImportsCheck = [ "vectorcode" ];
nativeCheckInputs =
[
installShellFiles
versionCheckHook
]
++ (with python.pkgs; [
@ -145,6 +194,12 @@ python.pkgs.buildPythonApplication rec {
"test_supported_rerankers_initialization"
];
passthru = {
# Expose these overridden inputs for debugging
inherit python;
inherit (python.pkgs) chromadb;
};
meta = {
description = "Code repository indexing tool to supercharge your LLM experience";
homepage = "https://github.com/Davidyz/VectorCode";
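Review bot: In the first hunk's new `disabledTestPaths` list, `"chromadb/test/property/test_cross_version_persist.py"` is already covered by the `"chromadb/test/property/"` entry two lines above it, so the explicit file entry is redundant and can be dropped. The comment above `test_chroma.py` also has a duplicated word; it should read `# E.g. when building the python 3.12 and 3.13 versions simultaneously.`. The `inherit (python.pkgs.chromadb) doCheck;` in the third hunk makes this package's test gating depend on whatever `doCheck` expression chromadb ends up with, which is fine as long as the comment above it keeps naming the reason (the onnxruntime sandbox failure) rather than just the inheritance. The overridden chromadb lives in a `let` whose start is outside the hunk.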


@ -6,16 +6,16 @@
buildGoModule rec {
pname = "wishlist";
version = "0.15.1";
version = "0.15.2";
src = fetchFromGitHub {
owner = "charmbracelet";
repo = "wishlist";
rev = "v${version}";
sha256 = "sha256-53fojA+gdvpSVNjx6QncH16F8/x+lpY5SkNs7obW2XQ=";
sha256 = "sha256-RulCoXPqfsZrxlDMTbyFNxqf/tdi26Ikq6wNUXCp86I=";
};
vendorHash = "sha256-VB515IK9ZJYC08EmShOPbLKU0fHZ16Dw+c5hiZ7mW8Q=";
vendorHash = "sha256-RPIxE1/ICchtCsIhShcJeUFfCWwzlCUfrY8yWfBeuHU=";
doCheck = false;


@ -1,17 +1,23 @@
{
stdenv,
lib,
fetchFromGitHub,
pkg-config,
autoconf,
automake,
boost,
icu,
qt5,
buildNpmPackage,
closurecompiler,
fetchFromGitHub,
glibc,
harfbuzz,
icu,
jdk,
lib,
nodejs,
nodePackages,
# needs to be static and built with MD2 support!
openssl,
pkg-config,
qt5,
runCommand,
nodejs,
onlyoffice-documentserver,
stdenv,
writeScript,
x2t,
}:
@ -104,6 +110,96 @@ let
rev = core-rev;
hash = "sha256-EXeqG8MJWS1asjFihnuMnDSHeKt2x+Ui+8MYK50AnSY=";
};
web-apps = buildNpmPackage (finalAttrs: {
name = "onlyoffice-core-webapps";
#src = /home/aengelen/d/onlyoffice/documentserver/web-apps;
#sourceRoot = "/build/web-apps/build";
src = fetchFromGitHub {
owner = "ONLYOFFICE";
repo = "web-apps";
# rev that the 'web-apps' submodule in documentserver points at
rev = "5255c27b1af64f6edf08d1aba20a23b8149e338c";
hash = "sha256-49v2h+ILQ0X/gNHny6LQcj94A6h7nS99liUAnLRNxzw=";
};
sourceRoot = "${finalAttrs.src.name}/build";
patches = [
./web-apps-avoid-phantomjs.patch
];
npmDepsHash = "sha256-Uen7gl6w/0A4MDk+7j+exkdwfCYqMSPJidad8AM60eQ=";
nativeBuildInputs = [
autoconf
automake
nodePackages.grunt-cli
];
dontNpmBuild = true;
postBuild = ''
chmod u+w ..
mkdir ../deploy
chmod u+w -R ../apps
grunt --force
'';
installPhase = ''
runHook preInstall
cp -r ../deploy/web-apps $out
runHook postInstall
'';
});
sdkjs = buildNpmPackage (finalAttrs: {
name = "onlyoffice-core-sdkjs";
src = fetchFromGitHub {
owner = "ONLYOFFICE";
repo = "sdkjs";
# rev that the 'sdkjs' submodule in documentserver points at
rev = "0e50652cb08c7753a9ab72d0558560ada5d43046";
hash = "sha256-fApr34aT0X8ffPwbsUEWnA3SK8pT5RKNan3YxzhvtAU=";
};
sourceRoot = "${finalAttrs.src.name}/build";
postPatch = ''
cp npm-shrinkwrap.json package-lock.json
'';
npmDepsHash = "sha256-Hpf+z3RGqZ1LTdow6xP00hNmWf4xs+KnVBj4NbPW4uM=";
dontNpmBuild = true;
nativeBuildInputs = [
nodePackages.grunt-cli
jdk
];
postBuild = ''
chmod u+w ..
# the one from node_modules seems a weird hybrid between dynamic and static linking
cp ${closurecompiler}/bin/closure-compiler node_modules/google-closure-compiler-linux/compiler
grunt
'';
installPhase = ''
runHook preInstall
cp -r ../deploy/sdkjs $out
runHook postInstall
'';
});
dictionaries = fetchFromGitHub {
owner = "ONLYOFFICE";
repo = "dictionaries";
tag = "v8.2.0.103";
hash = "sha256-3BwWAvnw0RCD6fxTCRstJSrF5QgfVNVBe8rN1hHhCoU=";
};
buildCoreComponent =
rootdir: attrs:
stdenv.mkDerivation (
@ -630,12 +726,12 @@ buildCoreComponent "X2tConverter/build/Qt" {
mkdir -p $out/etc
cat >$out/etc/DoctRenderer.config <<EOF
<Settings>
<file>${onlyoffice-documentserver}/var/www/onlyoffice/documentserver/sdkjs/common/Native/native.js</file>
<file>${onlyoffice-documentserver}/var/www/onlyoffice/documentserver/sdkjs/common/Native/jquery_native.js</file>
<file>${sdkjs}/common/Native/native.js</file>
<file>${sdkjs}//common/Native/jquery_native.js</file>
<allfonts>${allfonts}/converter/AllFonts.js</allfonts>
<file>${onlyoffice-documentserver}/var/www/onlyoffice/documentserver/web-apps/vendor/xregexp/xregexp-all-min.js</file>
<sdkjs>${onlyoffice-documentserver}/var/www/onlyoffice/documentserver/sdkjs</sdkjs>
<dictionaries>${onlyoffice-documentserver}/var/www/onlyoffice/documentserver/dictionaries</dictionaries>
<file>${web-apps}/vendor/xregexp/xregexp-all-min.js</file>
<sdkjs>${sdkjs}</sdkjs>
<dictionaries>${dictionaries}</dictionaries>
</Settings>
EOF
@ -669,6 +765,9 @@ buildCoreComponent "X2tConverter/build/Qt" {
epubfile
fb2file
iworkfile
web-apps
sdkjs
dictionaries
;
};
meta = {
@ -676,6 +775,6 @@ buildCoreComponent "X2tConverter/build/Qt" {
homepage = "https://github.com/ONLYOFFICE/core/tree/master/X2tConverter";
license = lib.licenses.agpl3Only;
maintainers = with lib.maintainers; [ raboof ];
platforms = lib.platforms.all;
platforms = lib.platforms.linux;
};
}
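Review bot: In the `DoctRenderer.config` hunk the new line `<file>${sdkjs}//common/Native/jquery_native.js</file>` has a doubled slash that its sibling `<file>${sdkjs}/common/Native/native.js</file>` does not; it should read `<file>${sdkjs}/common/Native/jquery_native.js</file>`. In the first hunk the `web-apps` derivation still carries commented-out developer-local paths (`#src = /home/aengelen/d/onlyoffice/documentserver/web-apps;` and `#sourceRoot = "/build/web-apps/build";`) that should be removed before merge. The `# rev that the 'web-apps' submodule in documentserver points at` comment (and its `sdkjs` twin) would be more useful if it named the documentserver version the rev was taken from, so the next updater knows what to re-check against. Replacing the npm-shipped `google-closure-compiler-linux/compiler` with the nixpkgs `closurecompiler` binary is a good supply-chain choice and deserves a slightly more explicit comment than "seems a weird hybrid". The enclosing `let` continues outside the hunk.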


@ -0,0 +1,12 @@
diff --git a/build/package.json b/build/package.json
index 96b35b328a..f8ec8397b4 100644
--- a/package.json
+++ b/package.json
@@ -45,7 +45,6 @@
},
"devDependencies": {
"chai": "^5.1.0",
- "grunt-mocha": "^1.2.0",
"mocha": "^10.2.0"
}
}
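Review bot: The new patch has no description above its `diff --git` line explaining why `grunt-mocha` is removed (the filename suggests it is to avoid pulling phantomjs into the npm dependency set), and the `diff --git a/build/package.json b/build/package.json` header disagrees with the `--- a/package.json` / `+++ b/package.json` lines that `patch -p1` actually uses; it works because the consuming derivation sets `sourceRoot` to the `build` directory, but the mismatch is confusing to read. A one-line header such as `Drop grunt-mocha so npm does not try to fetch phantomjs; mocha tests are not run in the Nix build.` (if that is indeed the reason) and consistent paths would make the patch self-explaining.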


@ -7,14 +7,14 @@
python3Packages.buildPythonApplication rec {
pname = "zapzap";
version = "6.0.1.8";
version = "6.1";
format = "setuptools";
src = fetchFromGitHub {
owner = "rafatosta";
repo = "zapzap";
tag = version;
hash = "sha256-JsBKss/E3YQ85YqDdw4slN7uMssZ4l5HgbXSZW1AIZM=";
hash = "sha256-g3J9oVIRiar0QoksRjJZsbvSKiFBILaUdSUscNs1VXE=";
};
nativeBuildInputs = with python3Packages; [


@ -7,13 +7,13 @@
stdenvNoCC.mkDerivation rec {
pname = "wd";
version = "0.10.0";
version = "0.10.1";
src = fetchFromGitHub {
owner = "mfaerevaag";
repo = "wd";
rev = "v${version}";
hash = "sha256-/xOe7XFzQt+qVGf6kfsOPPM8szWYhnmx5Mq/QIw0y1c=";
hash = "sha256-dlpkSKdWilNnz3dpRfN+EPx/vjIZpmZ/DMzeO9sh4z0=";
};
nativeBuildInputs = [ installShellFiles ];


@ -41,9 +41,13 @@ stdenv.mkDerivation (finalAttrs: {
};
cargoDeps = rustPlatform.fetchCargoVendor {
inherit (finalAttrs) src cargoRoot;
inherit (finalAttrs)
src
patches
cargoRoot
;
name = "gst-devtools-${finalAttrs.version}";
hash = "sha256-p26jeKRDSPTgQzf4ckhLPSFa8RKsgkjUEXJG8IlPPZo=";
hash = "sha256-GLxevEwoTgS7kmDlul0AA2wIFRY7js8Ij4UIu1ZQf8I=";
};
patches = [
@ -54,6 +58,13 @@ stdenv.mkDerivation (finalAttrs: {
stripLen = 2;
hash = "sha256-CpBFTmdn+VO6ZeNe6NZR6ELvakZqQdaF3o3G5TSDuUU=";
})
# dots-viewer: sort static files
# https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/9208
(fetchpatch {
url = "https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/b3099f78775eab1ac19a9e163c0386e01e74b768.patch";
stripLen = 2;
hash = "sha256-QRHqbZ6slYcwGl+o9Oi4jV+ANMorCED4cQV5qDS74eg=";
})
];
depsBuildBuild = [


@ -0,0 +1,38 @@
{
lib,
buildPythonPackage,
fetchPypi,
# build-system
pdm-backend,
}:
buildPythonPackage rec {
pname = "asyncstdlib-fw";
version = "3.13.2";
pyproject = true;
# Not available from any repo
src = fetchPypi {
pname = "asyncstdlib_fw";
inherit version;
hash = "sha256-Ua0JTCBMWTbDBA84wy/W1UmzkcmA8h8foJW2X7aAah8=";
};
build-system = [
pdm-backend
];
doCheck = false; # no tests supplied
pythonImportsCheck = [
"asyncstdlib"
];
meta = {
description = "Fork of asyncstdlib that work with fireworks-ai";
homepage = "https://pypi.org/project/asyncstdlib-fw/";
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ sarahec ];
};
}
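Review bot: The comment `# Not available from any repo` above `src` is ambiguous (no public source repository at all, or just not on GitHub?), and the sibling new file `betterproto-fw` says `# Not available on Github` for the same situation; pick one wording, e.g. `# Upstream publishes only an sdist on PyPI; no public source repository is known`, and use it in both. Since that sdist is the only artifact, the same comment is the place to note that `hash` is the sole pin for what gets built. The removed in-tree definition of this package in the `fireworks-ai` hunk appears to have listed `black` and `mypy` as dependencies; if they were dropped deliberately here, a short note would stop a future updater from adding them back.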


@ -11,7 +11,7 @@
buildPythonPackage rec {
pname = "awsiotsdk";
version = "1.22.2";
version = "1.23.0";
pyproject = true;
disabled = pythonOlder "3.7";
@ -20,7 +20,7 @@ buildPythonPackage rec {
owner = "aws";
repo = "aws-iot-device-sdk-python-v2";
tag = "v${version}";
hash = "sha256-vqx/OgQ/hgH6ULBI1I9+fD4CswQZDzfdNlhImbnQiKg=";
hash = "sha256-3WrmR6YV4j+itxj/NHFnGw4qoa12aKhqeekMALZ5kUo=";
};
postPatch = ''
@ -49,7 +49,7 @@ buildPythonPackage rec {
meta = {
description = "Next generation AWS IoT Client SDK for Python using the AWS Common Runtime";
homepage = "https://github.com/aws/aws-iot-device-sdk-python-v2";
changelog = "https://github.com/aws/aws-iot-device-sdk-python-v2/releases/tag/v${version}";
changelog = "https://github.com/aws/aws-iot-device-sdk-python-v2/releases/tag/${src.tag}";
license = lib.licenses.asl20;
maintainers = with lib.maintainers; [ fab ];
};


@ -0,0 +1,64 @@
{
lib,
buildPythonPackage,
fetchPypi,
# build-system
pdm-backend,
# dependencies
grpclib,
python-dateutil,
typing-extensions,
# optional dependencies
jinja2,
ruff,
betterproto-rust-codec,
}:
buildPythonPackage rec {
pname = "betterproto-fw";
version = "2.0.3";
pyproject = true;
# Not available on Github
src = fetchPypi {
pname = "betterproto_fw";
inherit version;
hash = "sha256-ut5GchUiTygHhC2hj+gSWKCoVnZrrV8KIKFHTFzba5M=";
};
build-system = [
pdm-backend
];
dependencies = [
grpclib
python-dateutil
typing-extensions
];
optional-dependencies = {
compiler = [
jinja2
ruff
];
rust-codec = [
betterproto-rust-codec
];
};
doCheck = false; # no tests supplied
pythonImportsCheck = [
"betterproto"
];
meta = {
description = "Fork of betterproto used in fireworks-ai";
homepage = "https://pypi.org/project/betterproto-fw/";
license = lib.licenses.mit;
maintainers = [ lib.maintainers.sarahec ];
};
}


@ -0,0 +1,49 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
# build
cargo,
rustc,
rustPlatform,
}:
buildPythonPackage rec {
pname = "betterproto-rust-codec";
version = "0.1.1";
pyproject = true;
src = fetchFromGitHub {
owner = "124C41p";
repo = "betterproto-rust-codec";
tag = "v${version}";
hash = "sha256-Q8oCk/VVe4Dcw6Z5PBFJBKRlsHgi6Jn+FWDqLH8BgYc=";
};
cargoDeps = rustPlatform.fetchCargoVendor {
inherit pname version src;
hash = "sha256-zYXE55o1/Tt6XJahV6WcGANPM/9xk6uYwQLazkIJj7A=";
};
build-system = [
rustPlatform.maturinBuildHook
];
nativeBuildInputs = [
cargo
rustPlatform.cargoSetupHook
rustc
];
pythonImportsCheck = [
"betterproto_rust_codec"
];
meta = {
description = "Converter between betterproto messages and the Protobuf wire format";
homepage = "https://github.com/124C41p/betterproto-rust-codec/releases/tag/${src.tag}";
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ sarahec ];
};
}
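Review bot: `homepage` in `meta` points at a release-tag page, `https://github.com/124C41p/betterproto-rust-codec/releases/tag/${src.tag}`; that is the `changelog` URL by nixpkgs convention, and `homepage` should be the repository itself. Suggested: `homepage = "https://github.com/124C41p/betterproto-rust-codec";` and `changelog = "https://github.com/124C41p/betterproto-rust-codec/releases/tag/${src.tag}";`. The `# build` section header in the argument list is also less specific than the `# build-system` / `# dependencies` labels the sibling new files use.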


@ -171,10 +171,10 @@ buildPythonPackage rec {
# Disable on aarch64-linux due to broken onnxruntime
# https://github.com/microsoft/onnxruntime/issues/10038
pythonImportsCheck = lib.optionals (stdenv.hostPlatform.system != "aarch64-linux") [ "chromadb" ];
pythonImportsCheck = lib.optionals doCheck [ "chromadb" ];
# Test collection breaks on aarch64-linux
doCheck = stdenv.hostPlatform.system != "aarch64-linux";
doCheck = with stdenv.buildPlatform; !(isAarch && isLinux);
env = {
ZSTD_SYS_USE_PKG_CONFIG = true;
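Review bot: The new `doCheck = with stdenv.buildPlatform; !(isAarch && isLinux);` is broader than the aarch64-only condition it replaces: in nixpkgs `isAarch` matches the whole ARM family, so 32-bit ARM Linux builds now skip tests too, although the `# Test collection breaks on aarch64-linux` comment and the onnxruntime issue above only name aarch64-linux. If only 64-bit ARM is meant, `doCheck = with stdenv.buildPlatform; !(isAarch64 && isLinux);` keeps the original scope; if armv7l is intentionally included, the comment should say so. Tying `pythonImportsCheck = lib.optionals doCheck [ "chromadb" ];` to `doCheck` also means anyone overriding `doCheck = false` to skip the slow suite silently loses the import check as well, so evaluating the platform condition once in a `let` and using it for both would be safer. The switch from `hostPlatform` to `buildPlatform` is presumably intentional because the failure happens in the build sandbox, but that reasoning belongs in the comment.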


@ -19,7 +19,7 @@
buildPythonPackage rec {
pname = "dbt-semantic-interfaces";
version = "0.8.1";
version = "0.8.4";
pyproject = true;
disabled = pythonOlder "3.8";
@ -28,7 +28,7 @@ buildPythonPackage rec {
owner = "dbt-labs";
repo = "dbt-semantic-interfaces";
tag = "v${version}";
hash = "sha256-gY2CJqN/ohYs4Qej451PexWcsM7N9GuHt79qC+NC7T4=";
hash = "sha256-H9PGU6pG/NhA7NyKaaw6B2RNlJLzKT7ilDHFTL7KGUY=";
};
pythonRelaxDeps = [ "importlib-metadata" ];
@ -59,7 +59,7 @@ buildPythonPackage rec {
meta = with lib; {
description = "Shared interfaces used by dbt-core and MetricFlow projects";
homepage = "https://github.com/dbt-labs/dbt-semantic-interfaces";
changelog = "https://github.com/dbt-labs/dbt-semantic-interfaces/releases/tag/v${version}";
changelog = "https://github.com/dbt-labs/dbt-semantic-interfaces/releases/tag/${src.tag}";
license = licenses.asl20;
maintainers = with maintainers; [ pbsds ];
};


@ -4,15 +4,26 @@
fetchPypi,
# build-system
setuptools,
versioneer,
pdm-backend,
# local dependencies
black,
mypy,
# dependencies
httpx,
httpx-ws,
grpcio,
grpclib,
httpx-sse,
pydantic,
httpx-ws,
httpx,
mmh3,
openai,
pillow,
protobuf,
pydantic,
python-dateutil,
rich,
typing-extensions,
# optional dependencies
fastapi,
@ -25,29 +36,98 @@
tqdm,
}:
let
asyncstdlib-fw = buildPythonPackage rec {
pname = "asyncstdlib_fw";
version = "3.13.2";
pyproject = true;
src = fetchPypi {
inherit pname version;
hash = "sha256-Ua0JTCBMWTbDBA84wy/W1UmzkcmA8h8foJW2X7aAah8=";
};
build-system = [
pdm-backend
];
dependencies = [
black
mypy
];
pythonImportsCheck = [
"asyncstdlib"
];
};
betterproto-fw = buildPythonPackage rec {
pname = "betterproto_fw";
version = "2.0.3";
pyproject = true;
src = fetchPypi {
inherit version pname;
hash = "sha256-ut5GchUiTygHhC2hj+gSWKCoVnZrrV8KIKFHTFzba5M=";
};
build-system = [
pdm-backend
];
dependencies = [
grpclib
python-dateutil
typing-extensions
];
pythonImportsCheck = [
"betterproto"
];
};
in
buildPythonPackage rec {
pname = "fireworks-ai";
version = "0.15.13";
version = "0.17.16";
pyproject = true;
# no source available
src = fetchPypi {
pname = "fireworks_ai";
inherit version;
hash = "sha256-ZZSF4R1HOYpNmKnL2OPWoUwdSJJ2j2e3+hzW0QH55io=";
hash = "sha256-WblcAaYjnzwPS4n5rixNHbHLNGTE3bTPXvQ9lYZ1f9A=";
};
build-system = [
setuptools
versioneer
pdm-backend
];
pythonRelaxDeps = [
"protobuf"
];
dependencies = [
asyncstdlib-fw
betterproto-fw
grpcio
grpclib
httpx
httpx
httpx-ws
httpx-sse
pydantic
httpx-sse
httpx-ws
httpx-ws
mmh3
openai
pillow
pillow
protobuf
pydantic
pydantic
python-dateutil
rich
typing-extensions
];
optional-dependencies = {
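Review bot: In the second hunk's new `dependencies` list the rendered diff shows `pillow` twice and `httpx-ws` and `pydantic` three times each; moved entries appear once per side, but `pillow` has no old-side counterpart, so at least one duplicate is most likely on the new side and the list should be deduplicated and kept sorted. The `let` block that defined `asyncstdlib-fw` and `betterproto-fw` locally is removed while both names are still used in `dependencies`, and I do not see them added in the visible argument hunk; confirm they now come from the function arguments (the lines before `fetchPypi,` are outside the hunk). The `# no source available` comment above `src` should also use the same wording chosen for the identical situation in the new `asyncstdlib-fw` and `betterproto-fw` files.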


@ -17,14 +17,14 @@
buildPythonPackage rec {
pname = "llama-cloud-services";
version = "0.6.32";
version = "0.6.36";
pyproject = true;
src = fetchFromGitHub {
owner = "run-llama";
repo = "llama_cloud_services";
tag = "v${version}";
hash = "sha256-18Rt+MCI5vNJGsao/NPgzXuT4+fYsqaQN2KfjAQtxTM=";
hash = "sha256-m3XC4CiDUJemy7enWMG5iYGX6s7LGSfc16vGmDWhAic=";
};
pythonRelaxDeps = [ "llama-cloud" ];


@ -48,10 +48,17 @@ buildPythonPackage rec {
hash = "sha256-NNF9sLJWV1q6uBE73LUW4UWwYm4TBMTBJjJkFArBmsc=";
};
postPatch = ''
substituteInPlace setup.py \
--replace-fail "cpu_use = 4" "cpu_use = $NIX_BUILD_CORES"
'';
postPatch =
# Fails in python >= 3.13
# exec(compile(f.read(), version_file, "exec")) does not populate the locals() namesp
# In python 3.13, the locals() dictionary in a function does not automatically update with
# changes made by exec().
# https://peps.python.org/pep-0558/
''
substituteInPlace setup.py \
--replace-fail "cpu_use = 4" "cpu_use = $NIX_BUILD_CORES" \
--replace-fail "return locals()['__version__']" "return '${version}'"
'';
nativeBuildInputs = [
ninja
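Review bot: The new comment above `postPatch` is cut off mid-word: `# exec(compile(f.read(), version_file, "exec")) does not populate the locals() namesp` should end in `namespace`, and the same truncated block is pasted verbatim into the next file section (the one whose `postPatch` also edits `tests/test_config/test_lazy.py`). Since the two comments are identical, a shorter form such as `# Python 3.13: exec() no longer updates a function's locals(), so setup.py's version lookup fails; return the version directly.` would read better in both places. The behaviour change is the one specified by PEP 667 (PEP 558, which the comment links, was withdrawn in its favour), so the URL is worth double-checking.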


@ -52,6 +52,23 @@ buildPythonPackage rec {
})
];
postPatch =
# Fails in python >= 3.13
# exec(compile(f.read(), version_file, "exec")) does not populate the locals() namesp
# In python 3.13, the locals() dictionary in a function does not automatically update with
# changes made by exec().
# https://peps.python.org/pep-0558/
''
substituteInPlace setup.py \
--replace-fail \
"return locals()['__version__']" \
"return '${version}'"
''
+ ''
substituteInPlace tests/test_config/test_lazy.py \
--replace-fail "import numpy.compat" ""
'';
build-system = [ setuptools ];
dependencies = [


@ -72,6 +72,12 @@ buildPythonPackage rec {
url = "https://github.com/PixarAnimationStudios/OpenUSD/commit/9ea3bc1ab550ec46c426dab04292d9667ccd2518.patch?full_index=1";
hash = "sha256-QjA3kjUDsSleUr+S/bQLb+QK723SNFvnmRPT+ojjgq8=";
})
(fetchpatch {
# https://github.com/PixarAnimationStudios/OpenUSD/pull/3648
name = "propagate-dependencies-opengl.patch";
url = "https://gitlab.archlinux.org/archlinux/packaging/packages/usd/-/raw/41469f20113d3550c5b42e67d1139dedc1062b8c/usd-find-dependency-OpenGL.patch?full_index=1";
hash = "sha256-aUWGKn365qov0ttGOq5GgNxYGIGZ4DfmeMJfakbOugQ=";
})
];
env.OSL_LOCATION = "${osl}";
@ -125,7 +131,6 @@ buildPythonPackage rec {
tbb
]
++ lib.optionals stdenv.hostPlatform.isLinux [
libGL
libX11
libXt
]
@ -142,6 +147,9 @@ buildPythonPackage rec {
pyopengl
distutils
]
++ lib.optionals stdenv.hostPlatform.isLinux [
libGL
]
++ lib.optionals (withTools || withUsdView) [
pyside-tools-uic
pyside6
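Review bot: The new `propagate-dependencies-opengl.patch` is fetched from an Arch Linux packaging mirror even though the comment directly above it cites the upstream PR `https://github.com/PixarAnimationStudios/OpenUSD/pull/3648`; fetching the PR or its commit from upstream, as the preceding patch does, keeps provenance reviewable without a second hop, and the `?full_index=1` suffix is a GitHub patch-URL parameter that has no effect on a GitLab raw-file URL. If the Arch copy differs from the PR (for example rebased onto this release), the comment should say so, since that is the only reason to prefer it. The `hash` pins the content either way, so this is about traceability rather than integrity.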


@ -10,7 +10,7 @@
buildPythonPackage rec {
pname = "pyexploitdb";
version = "0.2.85";
version = "0.2.86";
pyproject = true;
disabled = pythonOlder "3.7";
@ -18,7 +18,7 @@ buildPythonPackage rec {
src = fetchPypi {
pname = "pyExploitDb";
inherit version;
hash = "sha256-QVtF8r7AA/HYYA0Ex+YnUGskqjWNUzLxKJp9uZKKGng=";
hash = "sha256-4vnokNCHiPquSpXjLSFTTm4F1i7xyA4LQY7MY8Ip7G8=";
};
build-system = [ setuptools ];


@ -33,7 +33,7 @@
buildPythonPackage rec {
pname = "pytensor";
version = "2.31.3";
version = "2.31.4";
pyproject = true;
src = fetchFromGitHub {
@ -43,7 +43,7 @@ buildPythonPackage rec {
postFetch = ''
sed -i 's/git_refnames = "[^"]*"/git_refnames = " (tag: ${src.tag})"/' $out/pytensor/_version.py
'';
hash = "sha256-tvK8UzJZvX9X2NKgqkyhi0ZzAb38Lu0ULze4L1Z3YfU=";
hash = "sha256-wHkEZqgnau8DaoOaSFg0Ma6EtjGLmc+y4fskNEyk7yg=";
};
build-system = [
@ -82,81 +82,72 @@ buildPythonPackage rec {
rm -rf pytensor
'';
disabledTests =
[
# ValueError: dtype attribute is not a valid dtype instance
"test_AddDS"
"test_AddSD"
"test_add_sd"
"test_grad"
"test_rop"
]
++ lib.optionals stdenv.hostPlatform.isDarwin [
# pytensor.link.c.exceptions.CompileError: Compilation failed (return status=1)
"OpFromGraph"
"add"
"cls_ofg1"
"direct"
"multiply"
"test_AddDS"
"test_AddSD"
"test_AddSS"
"test_MulDS"
"test_MulSD"
"test_MulSS"
"test_NoOutputFromInplace"
"test_OpFromGraph"
"test_adv_sub1_sparse_grad"
"test_alloc"
"test_binary"
"test_borrow_input"
"test_borrow_output"
"test_cache_race_condition"
"test_check_for_aliased_inputs"
"test_clinker_literal_cache"
"test_csm_grad"
"test_csm_unsorted"
"test_csr_dense_grad"
"test_debugprint"
"test_ellipsis_einsum"
"test_empty_elemwise"
"test_flatten"
"test_fprop"
"test_get_item_list_grad"
"test_grad"
"test_infer_shape"
"test_jax_pad"
"test_kron"
"test_masked_input"
"test_max"
"test_modes"
"test_mul_s_v_grad"
"test_multiple_outputs"
"test_not_inplace"
"test_numba_Cholesky_grad"
"test_numba_pad"
"test_optimizations_preserved"
"test_overided_function"
"test_potential_output_aliasing_induced_by_updates"
"test_profiling"
"test_rebuild_strict"
"test_runtime_broadcast_c"
"test_scan_err1"
"test_scan_err2"
"test_shared"
"test_size_implied_by_broadcasted_parameters"
"test_solve_triangular_grad"
"test_structured_add_s_v_grad"
"test_structureddot_csc_grad"
"test_structureddot_csr_grad"
"test_sum"
"test_swap_SharedVariable_with_given"
"test_test_value_op"
"test_unary"
"test_unbroadcast"
"test_update_equiv"
"test_update_same"
];
disabledTests = lib.optionals stdenv.hostPlatform.isDarwin [
# pytensor.link.c.exceptions.CompileError: Compilation failed (return status=1)
"OpFromGraph"
"add"
"cls_ofg1"
"direct"
"multiply"
"test_AddDS"
"test_AddSD"
"test_AddSS"
"test_MulDS"
"test_MulSD"
"test_MulSS"
"test_NoOutputFromInplace"
"test_OpFromGraph"
"test_adv_sub1_sparse_grad"
"test_alloc"
"test_binary"
"test_borrow_input"
"test_borrow_output"
"test_cache_race_condition"
"test_check_for_aliased_inputs"
"test_clinker_literal_cache"
"test_csm_grad"
"test_csm_unsorted"
"test_csr_dense_grad"
"test_debugprint"
"test_ellipsis_einsum"
"test_empty_elemwise"
"test_flatten"
"test_fprop"
"test_get_item_list_grad"
"test_grad"
"test_infer_shape"
"test_jax_pad"
"test_kron"
"test_masked_input"
"test_max"
"test_modes"
"test_mul_s_v_grad"
"test_multiple_outputs"
"test_not_inplace"
"test_numba_Cholesky_grad"
"test_numba_pad"
"test_optimizations_preserved"
"test_overided_function"
"test_potential_output_aliasing_induced_by_updates"
"test_profiling"
"test_rebuild_strict"
"test_runtime_broadcast_c"
"test_scan_err1"
"test_scan_err2"
"test_shared"
"test_size_implied_by_broadcasted_parameters"
"test_solve_triangular_grad"
"test_structured_add_s_v_grad"
"test_structureddot_csc_grad"
"test_structureddot_csr_grad"
"test_sum"
"test_swap_SharedVariable_with_given"
"test_test_value_op"
"test_unary"
"test_unbroadcast"
"test_update_equiv"
"test_update_same"
];
disabledTestPaths = [
# Don't run the most compute-intense tests


@ -9,7 +9,7 @@
buildPythonPackage rec {
pname = "switchbot-api";
version = "2.5.0";
version = "2.6.0";
pyproject = true;
disabled = pythonOlder "3.10";
@ -18,7 +18,7 @@ buildPythonPackage rec {
owner = "SeraphicCorp";
repo = "py-switchbot-api";
tag = "v${version}";
hash = "sha256-Eesdd9tNXJQ0kilfuUxpAcUO+5Rf2HRyD0N71tKT/pw=";
hash = "sha256-vRV8n5hyx3t67W8MC8QW+3RrRqroAEpw2diMwmyQayI=";
};
build-system = [ poetry-core ];


@ -10,7 +10,7 @@
buildPythonPackage rec {
pname = "tencentcloud-sdk-python";
version = "3.0.1406";
version = "3.0.1407";
pyproject = true;
disabled = pythonOlder "3.9";
@ -19,7 +19,7 @@ buildPythonPackage rec {
owner = "TencentCloud";
repo = "tencentcloud-sdk-python";
tag = version;
hash = "sha256-trRgXXaXeGUcFA/ZRuMz9+EnTx/JUSa5+e5YX2yn8xY=";
hash = "sha256-3F/37g6caCBotlhAe1xmFSyiTT5O1RJyQHEMjYTtoEw=";
};
build-system = [ setuptools ];


@ -14,14 +14,14 @@
buildPythonPackage rec {
pname = "tensorflow-metadata";
version = "1.17.1";
version = "1.17.2";
pyproject = true;
src = fetchFromGitHub {
owner = "tensorflow";
repo = "metadata";
tag = "v${version}";
hash = "sha256-/jVAGt3nKPwVk+poXzQ9tVCi9HEZENrbjeN4dcOfWeo=";
hash = "sha256-YqFQOm8K4WFUlpWqkZm8pZpfupf7ZtJTODJodjLnzK4=";
};
patches = [ ./build.patch ];
@ -36,10 +36,6 @@ buildPythonPackage rec {
build-system = [ setuptools ];
pythonRelaxDeps = [
"protobuf"
];
dependencies = [
absl-py
googleapis-common-protos


@ -10,14 +10,14 @@
buildPythonPackage rec {
pname = "test2ref";
version = "1.1.0";
version = "1.1.1";
pyproject = true;
src = fetchFromGitHub {
owner = "nbiotcloud";
repo = "test2ref";
tag = "v${version}";
hash = "sha256-m95undMr1W2GRcSELv7s9kpuXyu+HnGo+huc0Uh9rQI=";
hash = "sha256-Lo0rXKpiXGZle6X2f2Zofc/ihzAqruDyKNP4wp2jqv4=";
};
build-system = [


@ -14,6 +14,7 @@
pytestCheckHook,
pytest-asyncio,
tree-sitter-python,
tree-sitter-sql,
}:
buildPythonPackage rec {
@ -48,19 +49,12 @@ buildPythonPackage rec {
pytestCheckHook
pytest-asyncio
tree-sitter-python
tree-sitter-sql
];
pythonImportsCheck = [ "textual_textarea" ];
pytestFlagsArray = [
# "--deselect=tests/functional_tests/test_comments.py::test_comments[sql--- ]"
];
disabledTests = [
# Requires unpackaged tree-sitter-sql
# textual.widgets._text_area.LanguageDoesNotExist
"test_comments"
# AssertionError: assert Selection(sta...), end=(0, 6)) == Selection(sta...), end=(1, 0))
# https://github.com/tconbeer/textual-textarea/issues/296
"test_keys"


@ -97,7 +97,12 @@ let
# Some of the libmathdx routines were written by or derived
# from code written by Meta Platforms, Inc. and affiliates and
# are subject to the BSD License.
bsd
bsd3
# Some of the libmathdx routines were written by or derived from
# code written by Victor Zverovich and are subject to the following
# license:
mit
];
platforms = with lib.platforms; linux ++ [ "x86_64-windows" ];
maintainers = with lib.maintainers; [ yzx9 ];


@ -9,12 +9,12 @@
buildPythonPackage rec {
pname = "wcmatch";
version = "10.0";
version = "10.1";
format = "pyproject";
src = fetchPypi {
inherit pname version;
hash = "sha256-5y8N4Ju6agTg3nCTewzwblXzbzez3rQi36+FS4Z7hAo=";
hash = "sha256-8R+UIIyMhIShb09IY4qF13HZUT9Ks/N1lZeIAcuUZa8=";
};
nativeBuildInputs = [ hatchling ];


@ -9,13 +9,13 @@
stdenv.mkDerivation {
pname = "nct6687d";
version = "0-unstable-2025-05-17";
version = "0-unstable-2025-06-19";
src = fetchFromGitHub {
owner = "Fred78290";
repo = "nct6687d";
rev = "e2730ffad9449b81ced099bc2827efd2a8c25ddd";
hash = "sha256-rqCeKGcke66gDvNSlLlPEqyVKbQrFnonrIT9/GicA7k=";
rev = "cd6a28196ceb98531a045eb279eb6179176cdc82";
hash = "sha256-brJigUwQwzLsMIvJdY1CehOdYub+dsh3u3ALIn496VU=";
};
setSourceRoot = ''


@ -2,7 +2,7 @@
# Do not edit!
{
version = "2025.6.2";
version = "2025.6.3";
components = {
"3_day_blinds" =
ps: with ps; [


@ -386,7 +386,7 @@ let
extraBuildInputs = extraPackages python.pkgs;
# Don't forget to run update-component-packages.py after updating
hassVersion = "2025.6.2";
hassVersion = "2025.6.3";
in
python.pkgs.buildPythonApplication rec {
@ -407,13 +407,13 @@ python.pkgs.buildPythonApplication rec {
owner = "home-assistant";
repo = "core";
tag = version;
hash = "sha256-5+L687sUD+e8F9UYnFURSUMG2/USuOpNu5a9By0yZ/g=";
hash = "sha256-3fv0WjZ3guiHCoMFEwjPEVHdswRqCweghKxd9ZBf86w=";
};
# Secondary source is pypi sdist for translations
sdist = fetchPypi {
inherit pname version;
hash = "sha256-DLqP9/b68ikGuxrvFiJCqguE2WgnKP0HtiU2X7tUbkE=";
hash = "sha256-ybPpuWrNFhpnwuLsFcJQJd7PBiOWl24yHLODzCgVcps=";
};
build-system = with python.pkgs; [


@ -8,7 +8,7 @@ buildPythonPackage rec {
# the frontend version corresponding to a specific home-assistant version can be found here
# https://github.com/home-assistant/home-assistant/blob/master/homeassistant/components/frontend/manifest.json
pname = "home-assistant-frontend";
version = "20250531.3";
version = "20250531.4";
format = "wheel";
src = fetchPypi {
@ -16,7 +16,7 @@ buildPythonPackage rec {
pname = "home_assistant_frontend";
dist = "py3";
python = "py3";
hash = "sha256-FmG7Ym85KwE76s+srHzcGM2p5hh56X7cZOBZu4Gr4mM=";
hash = "sha256-bNUEWJSLMmwVnfeM445Qp817/lXpiRwKncFImWd+8Dc=";
};
# there is nothing to strip in this package


@ -87,6 +87,8 @@ assert lib.assertMsg (
# RISC-V support in progress https://github.com/seccomp/libseccomp/pull/50
withLibseccomp ? lib.meta.availableOn stdenv.hostPlatform libseccomp,
libseccomp,
pastaFod ? lib.meta.availableOn stdenv.hostPlatform passt,
passt,
confDir,
stateDir,
@ -172,6 +174,7 @@ stdenv.mkDerivation (finalAttrs: {
doxygen
]
++ lib.optionals (hasDtraceSupport && withDtrace) [ systemtap-sdt ]
++ lib.optionals pastaFod [ passt ]
++ lib.optionals parseToYAML [ yq ]
++ lib.optionals stdenv.hostPlatform.isLinux [ util-linuxMinimal ];
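Review bot: The new option `pastaFod ? lib.meta.availableOn stdenv.hostPlatform passt,` breaks the `with<Feature>` naming used by the neighbouring `withLibseccomp` and `withDtrace`, and the name gives no hint what it toggles; `withPasst ? lib.meta.availableOn stdenv.hostPlatform passt,` with a one-line comment saying what the flag enables would match the file. It is also added to the build-tool list alongside `doxygen` and `yq`; if that is because the build only records the `passt` program path at configure time, the comment should say so, otherwise a runtime-visible input would be expected. The enclosing argument list and `mkDerivation` body both start outside the hunk.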


@ -238,14 +238,14 @@ lib.makeExtensible (self: {
attrName = "git";
lix-args = rec {
version = "2.94.0-pre-20250621_${builtins.substring 0 12 src.rev}";
version = "2.94.0-pre-20250624_${builtins.substring 0 12 src.rev}";
src = fetchFromGitea {
domain = "git.lix.systems";
owner = "lix-project";
repo = "lix";
rev = "242a228124f77b57c2e3b3aedb259ffb7913cd3c";
hash = "sha256-hCbhc9P+UmIlYv81+vs6v3bDqviCUhwPH3XqClZdfSk=";
rev = "42e2bd045c9e51a59fdab038dc4e6f9e86c4922c";
hash = "sha256-BsY8kpwQML9/036g9C+No7lhzqmn4ZTlIsuo92SVSJk=";
};
cargoDeps = rustPlatform.fetchCargoVendor {
@ -253,10 +253,6 @@ lib.makeExtensible (self: {
inherit src;
hash = "sha256-YMyNOXdlx0I30SkcmdW/6DU0BYc3ZOa2FMJSKMkr7I8=";
};
patches = [
./patches/LIX_HEAD_CVE-2025-46415_46416.patch
];
};
};
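Review bot: The git-head entry drops `./patches/LIX_HEAD_CVE-2025-46415_46416.patch` at the same time as `rev` moves to `42e2bd045c9e51a59fdab038dc4e6f9e86c4922c`, but nothing on the page records that the new rev carries the upstream fix; a comment next to `rev` such as `# includes the upstream fix for CVE-2025-46415 / CVE-2025-46416, previously carried as a local patch` would let a reviewer confirm the patch removal is not a regression. The same pattern — version bump plus removal of `./patches/ghsa-g948-229j-48j3-2.24.patch`, `-2.28.patch` and `-2.29.patch` — appears in the next file section for `nix_2_24`, `nix_2_28` and `nixComponents_2_29` and deserves the same one-line note per entry. `cargoDeps` keeps its previous `hash` while `src` changed, which is only correct if `Cargo.lock` is identical between the two revs; the build would catch a mismatch, but it is worth stating.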


@ -169,9 +169,8 @@ lib.makeExtensible (
};
nix_2_24 = commonAutoconf {
version = "2.24.14";
version = "2.24.15";
hash = "sha256-SthMCsj6POjawLnJq9+lj/UzObX9skaeN1UGmMZiwTY=";
patches = [ ./patches/ghsa-g948-229j-48j3-2.24.patch ];
self_attribute_name = "nix_2_24";
};
@ -183,27 +182,22 @@ lib.makeExtensible (
};
nix_2_28 = commonMeson {
version = "2.28.3";
hash = "sha256-TjZp5ITSUvNRAzNznmkZRQxNRzMLiSAplz4bV2T8cbs=";
patches = [ ./patches/ghsa-g948-229j-48j3-2.28.patch ];
version = "2.28.4";
hash = "sha256-V1tPrBkPteqF8VWUgpotNFYJ2Xm6WmB3aMPexuEHl9I=";
self_attribute_name = "nix_2_28";
};
nixComponents_2_29 =
(nixDependencies.callPackage ./modular/packages.nix rec {
version = "2.29.0";
inherit (self.nix_2_24.meta) maintainers teams;
otherSplices = generateSplicesForNixComponents "nixComponents_2_29";
src = fetchFromGitHub {
# FIXME: back to NixOS org once they fix it
owner = "vcunat";
repo = "nix";
rev = "p/jq-1.8.0"; # just a tiny test-only patch atop 2.29.0
# see https://github.com/NixOS/nix/pull/13371
hash = "sha256-F2ZODsET4cBsgsyOi8Sg/quESU0DnrYri0hYniqu37k=";
};
}).appendPatches
[ ./patches/ghsa-g948-229j-48j3-2.29.patch ];
nixComponents_2_29 = nixDependencies.callPackage ./modular/packages.nix {
version = "2.29.1";
inherit (self.nix_2_24.meta) maintainers teams;
otherSplices = generateSplicesForNixComponents "nixComponents_2_29";
src = fetchFromGitHub {
owner = "NixOS";
repo = "nix";
rev = "2.29.1";
hash = "sha256-rCL3l4t20jtMeNjCq6fMaTzWvBKgj+qw1zglLrniRfY=";
};
};
nix_2_29 = addTests "nix_2_29" self.nixComponents_2_29.nix-everything;
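Review bot: The `./patches/ghsa-g948-229j-48j3-2.24.patch`, `-2.28.patch` and `-2.29.patch` lines are removed from `nix_2_24`, `nix_2_28` and `nixComponents_2_29` in the same step as the bumps to 2.24.15, 2.28.4 and 2.29.1, but nothing in the expression records that these upstream releases contain the GHSA-g948-229j-48j3 fixes; a one-line comment on each version line, e.g. `version = "2.28.4"; # includes upstream fix for GHSA-g948-229j-48j3, local patch dropped`, would make that dependency explicit. Only one `hash` line is visible for `nix_2_24` after its version change; if the fixed-output hash was genuinely left unchanged, Nix would serve the previously cached 2.24.14 source rather than fail, so the rendered view is worth double-checking against the raw diff. The switch of `nixComponents_2_29` back to `owner = "NixOS"` with a tagged `rev = "2.29.1"` also removes the interim `vcunat` fork reference, which is the right direction for provenance. The `lib.makeExtensible` body continues outside the hunks.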


@ -1,436 +0,0 @@
From b0fab9f90b397a2b02f41df5f467ae3cf8b91c3c Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Thu, 19 Jun 2025 16:20:34 +0200
Subject: [PATCH] Fixes for GHSA-g948-229j-48j3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Squashed commit of the following:
commit 04fff3a637d455cbb1d75937a235950e43008db9
Author: Eelco Dolstra <edolstra@gmail.com>
Date: Thu Jun 12 12:30:32 2025 +0200
Chown structured attr files safely
commit 5417ad445e414c649d0cfc71a05661c7bf8f3ef5
Author: Eelco Dolstra <edolstra@gmail.com>
Date: Thu Jun 12 12:14:04 2025 +0200
Replace 'bool sync' with an enum for clarity
And drop writeFileAndSync().
commit 7ae0141f328d8e8e1094be24665789c05f974ba6
Author: Eelco Dolstra <edolstra@gmail.com>
Date: Thu Jun 12 11:35:28 2025 +0200
Drop guessOrInventPathFromFD()
No need to do hacky stuff like that when we already know the original path.
commit 45b05098bd019da7c57cd4227a89bfd0fa65bb08
Author: Eelco Dolstra <edolstra@gmail.com>
Date: Thu Jun 12 11:15:58 2025 +0200
Tweak comment
commit 0af15b31209d1b7ec8addfae9a1a6b60d8f35848
Author: Raito Bezarius <raito@lix.systems>
Date: Thu Mar 27 12:22:26 2025 +0100
libstore: ensure that temporary directory is always 0o000 before deletion
In the case the deletion fails, we should ensure that the temporary
directory cannot be used for nefarious purposes.
Change-Id: I498a2dd0999a74195d13642f44a5de1e69d46120
Signed-off-by: Raito Bezarius <raito@lix.systems>
commit 2c20fa37b15cfa03ac6a1a6a47cdb2ed66c0827e
Author: Raito Bezarius <raito@lix.systems>
Date: Wed Mar 26 12:42:55 2025 +0100
libutil: ensure that `_deletePath` does NOT use absolute paths with dirfds
When calling `_deletePath` with a parent file descriptor, `openat` is
made effective by using relative paths to the directory file descriptor.
To avoid the problem, the signature is changed to resist misuse with an
assert in the prologue of the function.
Change-Id: I6b3fc766bad2afe54dc27d47d1df3873e188de96
Signed-off-by: Raito Bezarius <raito@lix.systems>
commit d3c370bbcae48bb825ce19fd0f73bb4eefd2c9ea
Author: Raito Bezarius <raito@lix.systems>
Date: Wed Mar 26 01:07:47 2025 +0100
libstore: ensure that `passAsFile` is created in the original temp dir
This ensures that `passAsFile` data is created inside the expected
temporary build directory by `openat()` from the parent directory file
descriptor.
This avoids a TOCTOU which is part of the attack chain of CVE-????.
Change-Id: Ie5273446c4a19403088d0389ae8e3f473af8879a
Signed-off-by: Raito Bezarius <raito@lix.systems>
commit 45d3598724f932d024ef6bc2ffb00c1bb90e6018
Author: Raito Bezarius <raito@lix.systems>
Date: Wed Mar 26 01:06:03 2025 +0100
libutil: writeFile variant for file descriptors
`writeFile` lose its `sync` boolean flag to make things simpler.
A new `writeFileAndSync` function is created and all call sites are
converted to it.
Change-Id: Ib871a5283a9c047db1e4fe48a241506e4aab9192
Signed-off-by: Raito Bezarius <raito@lix.systems>
commit 732bd9b98cabf4aaf95a01fd318923de303f9996
Author: Raito Bezarius <raito@lix.systems>
Date: Wed Mar 26 01:05:34 2025 +0100
libstore: chown to builder variant for file descriptors
We use it immediately for the build temporary directory.
Change-Id: I180193c63a2b98721f5fb8e542c4e39c099bb947
Signed-off-by: Raito Bezarius <raito@lix.systems>
commit 962c65f8dcd5570dd92c72370a862c7b38942e0d
Author: Raito Bezarius <raito@lix.systems>
Date: Wed Mar 26 01:04:59 2025 +0100
libstore: open build directory as a dirfd as well
We now keep around a proper AutoCloseFD around the temporary directory
which we plan to use for openat operations and avoiding the build
directory being swapped out while we are doing something else.
Change-Id: I18d387b0f123ebf2d20c6405cd47ebadc5505f2a
Signed-off-by: Raito Bezarius <raito@lix.systems>
commit c9b42462b75b5a37ee6564c2b53cff186c8323da
Author: Raito Bezarius <raito@lix.systems>
Date: Wed Mar 26 01:04:12 2025 +0100
libutil: guess or invent a path from file descriptors
This is useful for certain error recovery paths (no pun intended) that
does not thread through the original path name.
Change-Id: I2d800740cb4f9912e64c923120d3f977c58ccb7e
Signed-off-by: Raito Bezarius <raito@lix.systems>
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/local-store.cc | 6 +--
.../unix/build/local-derivation-goal.cc | 46 ++++++++++++++----
.../unix/build/local-derivation-goal.hh | 20 ++++++++
src/libutil/file-system.cc | 47 +++++++++++--------
src/libutil/file-system.hh | 8 +++-
5 files changed, 94 insertions(+), 33 deletions(-)
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
index c6e3af456..c5489444e 100644
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@@ -187,7 +187,7 @@ void migrateCASchema(SQLite& db, Path schemaPath, AutoCloseFD& lockFd)
txn.commit();
}
- writeFile(schemaPath, fmt("%d", nixCASchemaVersion), 0666, true);
+ writeFile(schemaPath, fmt("%d", nixCASchemaVersion), 0666, FsSync::Yes);
lockFile(lockFd.get(), ltRead, true);
}
}
@@ -345,7 +345,7 @@ LocalStore::LocalStore(
else if (curSchema == 0) { /* new store */
curSchema = nixSchemaVersion;
openDB(*state, true);
- writeFile(schemaPath, fmt("%1%", curSchema), 0666, true);
+ writeFile(schemaPath, fmt("%1%", curSchema), 0666, FsSync::Yes);
}
else if (curSchema < nixSchemaVersion) {
@@ -394,7 +394,7 @@ LocalStore::LocalStore(
txn.commit();
}
- writeFile(schemaPath, fmt("%1%", nixSchemaVersion), 0666, true);
+ writeFile(schemaPath, fmt("%1%", nixSchemaVersion), 0666, FsSync::Yes);
lockFile(globalLock.get(), ltRead, true);
}
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index f8824e9ce..82c79f361 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -526,7 +526,14 @@ void LocalDerivationGoal::startBuilder()
} else {
tmpDir = topTmpDir;
}
- chownToBuilder(tmpDir);
+
+ /* The TOCTOU between the previous mkdir call and this open call is unavoidable due to
+ POSIX semantics.*/
+ tmpDirFd = AutoCloseFD{open(tmpDir.c_str(), O_RDONLY | O_NOFOLLOW | O_DIRECTORY)};
+ if (!tmpDirFd)
+ throw SysError("failed to open the build temporary directory descriptor '%1%'", tmpDir);
+
+ chownToBuilder(tmpDirFd.get(), tmpDir);
for (auto & [outputName, status] : initialOutputs) {
/* Set scratch path we'll actually use during the build.
@@ -1110,9 +1117,7 @@ void LocalDerivationGoal::initTmpDir() {
} else {
auto hash = hashString(HashAlgorithm::SHA256, i.first);
std::string fn = ".attr-" + hash.to_string(HashFormat::Nix32, false);
- Path p = tmpDir + "/" + fn;
- writeFile(p, rewriteStrings(i.second, inputRewrites));
- chownToBuilder(p);
+ writeBuilderFile(fn, rewriteStrings(i.second, inputRewrites));
env[i.first + "Path"] = tmpDirInSandbox + "/" + fn;
}
}
@@ -1217,11 +1222,9 @@ void LocalDerivationGoal::writeStructuredAttrs()
auto jsonSh = writeStructuredAttrsShell(json);
- writeFile(tmpDir + "/.attrs.sh", rewriteStrings(jsonSh, inputRewrites));
- chownToBuilder(tmpDir + "/.attrs.sh");
+ writeBuilderFile(".attrs.sh", rewriteStrings(jsonSh, inputRewrites));
env["NIX_ATTRS_SH_FILE"] = tmpDirInSandbox + "/.attrs.sh";
- writeFile(tmpDir + "/.attrs.json", rewriteStrings(json.dump(), inputRewrites));
- chownToBuilder(tmpDir + "/.attrs.json");
+ writeBuilderFile(".attrs.json", rewriteStrings(json.dump(), inputRewrites));
env["NIX_ATTRS_JSON_FILE"] = tmpDirInSandbox + "/.attrs.json";
}
}
@@ -1730,6 +1733,24 @@ void setupSeccomp()
#endif
}
+void LocalDerivationGoal::chownToBuilder(int fd, const Path & path)
+{
+ if (!buildUser) return;
+ if (fchown(fd, buildUser->getUID(), buildUser->getGID()) == -1)
+ throw SysError("cannot change ownership of file '%1%'", path);
+}
+
+void LocalDerivationGoal::writeBuilderFile(
+ const std::string & name,
+ std::string_view contents)
+{
+ auto path = std::filesystem::path(tmpDir) / name;
+ AutoCloseFD fd{openat(tmpDirFd.get(), name.c_str(), O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC | O_EXCL | O_NOFOLLOW, 0666)};
+ if (!fd)
+ throw SysError("creating file %s", path);
+ writeFile(fd, path, contents);
+ chownToBuilder(fd.get(), path);
+}
void LocalDerivationGoal::runChild()
{
@@ -3006,6 +3027,15 @@ void LocalDerivationGoal::checkOutputs(const std::map<std::string, ValidPathInfo
void LocalDerivationGoal::deleteTmpDir(bool force)
{
if (topTmpDir != "") {
+ /* As an extra precaution, even in the event of `deletePath` failing to
+ * clean up, the `tmpDir` will be chowned as if we were to move
+ * it inside the Nix store.
+ *
+ * This hardens against an attack which smuggles a file descriptor
+ * to make use of the temporary directory.
+ */
+ chmod(topTmpDir.c_str(), 0000);
+
/* Don't keep temporary directories for builtins because they
might have privileged stuff (like a copy of netrc). */
if (settings.keepFailed && !force && !drv->isBuiltin()) {
diff --git a/src/libstore/unix/build/local-derivation-goal.hh b/src/libstore/unix/build/local-derivation-goal.hh
index bf25cf2a6..69c517c4a 100644
--- a/src/libstore/unix/build/local-derivation-goal.hh
+++ b/src/libstore/unix/build/local-derivation-goal.hh
@@ -37,6 +37,11 @@ struct LocalDerivationGoal : public DerivationGoal
*/
Path topTmpDir;
+ /**
+ * The file descriptor of the temporary directory.
+ */
+ AutoCloseFD tmpDirFd;
+
/**
* The path of the temporary directory in the sandbox.
*/
@@ -232,9 +237,24 @@ struct LocalDerivationGoal : public DerivationGoal
/**
* Make a file owned by the builder.
+ *
+ * SAFETY: this function is prone to TOCTOU as it receives a path and not a descriptor.
+ * It's only safe to call in a child of a directory only visible to the owner.
*/
void chownToBuilder(const Path & path);
+ /**
+ * Make a file owned by the builder addressed by its file descriptor.
+ */
+ void chownToBuilder(int fd, const Path & path);
+
+ /**
+ * Create a file in `tmpDir` owned by the builder.
+ */
+ void writeBuilderFile(
+ const std::string & name,
+ std::string_view contents);
+
int getChildStatus() override;
/**
diff --git a/src/libutil/file-system.cc b/src/libutil/file-system.cc
index 8ec38e73b..554214d66 100644
--- a/src/libutil/file-system.cc
+++ b/src/libutil/file-system.cc
@@ -247,7 +247,7 @@ void readFile(const Path & path, Sink & sink)
}
-void writeFile(const Path & path, std::string_view s, mode_t mode, bool sync)
+void writeFile(const Path & path, std::string_view s, mode_t mode, FsSync sync)
{
AutoCloseFD fd = toDescriptor(open(path.c_str(), O_WRONLY | O_TRUNC | O_CREAT
// TODO
@@ -257,22 +257,29 @@ void writeFile(const Path & path, std::string_view s, mode_t mode, bool sync)
, mode));
if (!fd)
throw SysError("opening file '%1%'", path);
+
+ writeFile(fd, path, s, mode, sync);
+
+ /* Close explicitly to propagate the exceptions. */
+ fd.close();
+}
+
+void writeFile(AutoCloseFD & fd, const Path & origPath, std::string_view s, mode_t mode, FsSync sync)
+{
+ assert(fd);
try {
writeFull(fd.get(), s);
+
+ if (sync == FsSync::Yes)
+ fd.fsync();
+
} catch (Error & e) {
- e.addTrace({}, "writing file '%1%'", path);
+ e.addTrace({}, "writing file '%1%'", origPath);
throw;
}
- if (sync)
- fd.fsync();
- // Explicitly close to make sure exceptions are propagated.
- fd.close();
- if (sync)
- syncParent(path);
}
-
-void writeFile(const Path & path, Source & source, mode_t mode, bool sync)
+void writeFile(const Path & path, Source & source, mode_t mode, FsSync sync)
{
AutoCloseFD fd = toDescriptor(open(path.c_str(), O_WRONLY | O_TRUNC | O_CREAT
// TODO
@@ -296,11 +303,11 @@ void writeFile(const Path & path, Source & source, mode_t mode, bool sync)
e.addTrace({}, "writing file '%1%'", path);
throw;
}
- if (sync)
+ if (sync == FsSync::Yes)
fd.fsync();
// Explicitly close to make sure exceptions are propagated.
fd.close();
- if (sync)
+ if (sync == FsSync::Yes)
syncParent(path);
}
@@ -318,7 +325,8 @@ static void _deletePath(Descriptor parentfd, const fs::path & path, uint64_t & b
#ifndef _WIN32
checkInterrupt();
- std::string name(baseNameOf(path.native()));
+ std::string name(path.filename());
+ assert(name != "." && name != ".." && !name.empty());
struct stat st;
if (fstatat(parentfd, name.c_str(), &st,
@@ -359,7 +367,7 @@ static void _deletePath(Descriptor parentfd, const fs::path & path, uint64_t & b
throw SysError("chmod '%1%'", path);
}
- int fd = openat(parentfd, path.c_str(), O_RDONLY);
+ int fd = openat(parentfd, name.c_str(), O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
if (fd == -1)
throw SysError("opening directory '%1%'", path);
AutoCloseDir dir(fdopendir(fd));
@@ -371,7 +379,7 @@ static void _deletePath(Descriptor parentfd, const fs::path & path, uint64_t & b
checkInterrupt();
std::string childName = dirent->d_name;
if (childName == "." || childName == "..") continue;
- _deletePath(dirfd(dir.get()), path + "/" + childName, bytesFreed);
+ _deletePath(dirfd(dir.get()), path / childName, bytesFreed);
}
if (errno) throw SysError("reading directory '%1%'", path);
}
@@ -389,14 +397,13 @@ static void _deletePath(Descriptor parentfd, const fs::path & path, uint64_t & b
static void _deletePath(const fs::path & path, uint64_t & bytesFreed)
{
- Path dir = dirOf(path.string());
- if (dir == "")
- dir = "/";
+ assert(path.is_absolute());
+ assert(path.parent_path() != path);
- AutoCloseFD dirfd = toDescriptor(open(dir.c_str(), O_RDONLY));
+ AutoCloseFD dirfd = toDescriptor(open(path.parent_path().string().c_str(), O_RDONLY));
if (!dirfd) {
if (errno == ENOENT) return;
- throw SysError("opening directory '%1%'", path);
+ throw SysError("opening directory %s", path.parent_path());
}
_deletePath(dirfd.get(), path, bytesFreed);
diff --git a/src/libutil/file-system.hh b/src/libutil/file-system.hh
index ed1112c7e..32b84456d 100644
--- a/src/libutil/file-system.hh
+++ b/src/libutil/file-system.hh
@@ -148,12 +148,16 @@ Descriptor openDirectory(const std::filesystem::path & path);
std::string readFile(const Path & path);
void readFile(const Path & path, Sink & sink);
+enum struct FsSync { Yes, No };
+
/**
* Write a string to a file.
*/
-void writeFile(const Path & path, std::string_view s, mode_t mode = 0666, bool sync = false);
+void writeFile(const Path & path, std::string_view s, mode_t mode = 0666, FsSync sync = FsSync::No);
+
+void writeFile(const Path & path, Source & source, mode_t mode = 0666, FsSync sync = FsSync::No);
-void writeFile(const Path & path, Source & source, mode_t mode = 0666, bool sync = false);
+void writeFile(AutoCloseFD & fd, const Path & origPath, std::string_view s, mode_t mode = 0666, FsSync sync = FsSync::No);
/**
* Flush a file's parent directory to disk
--
2.44.1


@ -1,454 +0,0 @@
From 24c1aa735a40d3bf5361755fa10ac0e577a55eed Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Thu, 19 Jun 2025 16:20:34 +0200
Subject: [PATCH] Fixes for GHSA-g948-229j-48j3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Squashed commit of the following:
commit 04fff3a637d455cbb1d75937a235950e43008db9
Author: Eelco Dolstra <edolstra@gmail.com>
Date: Thu Jun 12 12:30:32 2025 +0200
Chown structured attr files safely
commit 5417ad445e414c649d0cfc71a05661c7bf8f3ef5
Author: Eelco Dolstra <edolstra@gmail.com>
Date: Thu Jun 12 12:14:04 2025 +0200
Replace 'bool sync' with an enum for clarity
And drop writeFileAndSync().
commit 7ae0141f328d8e8e1094be24665789c05f974ba6
Author: Eelco Dolstra <edolstra@gmail.com>
Date: Thu Jun 12 11:35:28 2025 +0200
Drop guessOrInventPathFromFD()
No need to do hacky stuff like that when we already know the original path.
commit 45b05098bd019da7c57cd4227a89bfd0fa65bb08
Author: Eelco Dolstra <edolstra@gmail.com>
Date: Thu Jun 12 11:15:58 2025 +0200
Tweak comment
commit 0af15b31209d1b7ec8addfae9a1a6b60d8f35848
Author: Raito Bezarius <raito@lix.systems>
Date: Thu Mar 27 12:22:26 2025 +0100
libstore: ensure that temporary directory is always 0o000 before deletion
In the case the deletion fails, we should ensure that the temporary
directory cannot be used for nefarious purposes.
Change-Id: I498a2dd0999a74195d13642f44a5de1e69d46120
Signed-off-by: Raito Bezarius <raito@lix.systems>
commit 2c20fa37b15cfa03ac6a1a6a47cdb2ed66c0827e
Author: Raito Bezarius <raito@lix.systems>
Date: Wed Mar 26 12:42:55 2025 +0100
libutil: ensure that `_deletePath` does NOT use absolute paths with dirfds
When calling `_deletePath` with a parent file descriptor, `openat` is
made effective by using relative paths to the directory file descriptor.
To avoid the problem, the signature is changed to resist misuse with an
assert in the prologue of the function.
Change-Id: I6b3fc766bad2afe54dc27d47d1df3873e188de96
Signed-off-by: Raito Bezarius <raito@lix.systems>
commit d3c370bbcae48bb825ce19fd0f73bb4eefd2c9ea
Author: Raito Bezarius <raito@lix.systems>
Date: Wed Mar 26 01:07:47 2025 +0100
libstore: ensure that `passAsFile` is created in the original temp dir
This ensures that `passAsFile` data is created inside the expected
temporary build directory by `openat()` from the parent directory file
descriptor.
This avoids a TOCTOU which is part of the attack chain of CVE-????.
Change-Id: Ie5273446c4a19403088d0389ae8e3f473af8879a
Signed-off-by: Raito Bezarius <raito@lix.systems>
commit 45d3598724f932d024ef6bc2ffb00c1bb90e6018
Author: Raito Bezarius <raito@lix.systems>
Date: Wed Mar 26 01:06:03 2025 +0100
libutil: writeFile variant for file descriptors
`writeFile` lose its `sync` boolean flag to make things simpler.
A new `writeFileAndSync` function is created and all call sites are
converted to it.
Change-Id: Ib871a5283a9c047db1e4fe48a241506e4aab9192
Signed-off-by: Raito Bezarius <raito@lix.systems>
commit 732bd9b98cabf4aaf95a01fd318923de303f9996
Author: Raito Bezarius <raito@lix.systems>
Date: Wed Mar 26 01:05:34 2025 +0100
libstore: chown to builder variant for file descriptors
We use it immediately for the build temporary directory.
Change-Id: I180193c63a2b98721f5fb8e542c4e39c099bb947
Signed-off-by: Raito Bezarius <raito@lix.systems>
commit 962c65f8dcd5570dd92c72370a862c7b38942e0d
Author: Raito Bezarius <raito@lix.systems>
Date: Wed Mar 26 01:04:59 2025 +0100
libstore: open build directory as a dirfd as well
We now keep around a proper AutoCloseFD around the temporary directory
which we plan to use for openat operations and avoiding the build
directory being swapped out while we are doing something else.
Change-Id: I18d387b0f123ebf2d20c6405cd47ebadc5505f2a
Signed-off-by: Raito Bezarius <raito@lix.systems>
commit c9b42462b75b5a37ee6564c2b53cff186c8323da
Author: Raito Bezarius <raito@lix.systems>
Date: Wed Mar 26 01:04:12 2025 +0100
libutil: guess or invent a path from file descriptors
This is useful for certain error recovery paths (no pun intended) that
does not thread through the original path name.
Change-Id: I2d800740cb4f9912e64c923120d3f977c58ccb7e
Signed-off-by: Raito Bezarius <raito@lix.systems>
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/local-store.cc | 4 +-
.../unix/build/local-derivation-goal.cc | 46 ++++++++++++++----
.../nix/store/build/local-derivation-goal.hh | 20 ++++++++
src/libutil/file-content-address.cc | 2 +-
src/libutil/file-system.cc | 47 +++++++++++--------
src/libutil/include/nix/util/file-system.hh | 14 ++++--
6 files changed, 98 insertions(+), 35 deletions(-)
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
index f3bee6953..eddc87ef9 100644
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@@ -249,7 +249,7 @@ LocalStore::LocalStore(
else if (curSchema == 0) { /* new store */
curSchema = nixSchemaVersion;
openDB(*state, true);
- writeFile(schemaPath, fmt("%1%", curSchema), 0666, true);
+ writeFile(schemaPath, fmt("%1%", curSchema), 0666, FsSync::Yes);
}
else if (curSchema < nixSchemaVersion) {
@@ -300,7 +300,7 @@ LocalStore::LocalStore(
txn.commit();
}
- writeFile(schemaPath, fmt("%1%", nixSchemaVersion), 0666, true);
+ writeFile(schemaPath, fmt("%1%", nixSchemaVersion), 0666, FsSync::Yes);
lockFile(globalLock.get(), ltRead, true);
}
diff --git a/src/libstore/unix/build/local-derivation-goal.cc b/src/libstore/unix/build/local-derivation-goal.cc
index 9edb6fb0f..a0442d0b8 100644
--- a/src/libstore/unix/build/local-derivation-goal.cc
+++ b/src/libstore/unix/build/local-derivation-goal.cc
@@ -567,7 +567,14 @@ void LocalDerivationGoal::startBuilder()
} else {
tmpDir = topTmpDir;
}
- chownToBuilder(tmpDir);
+
+ /* The TOCTOU between the previous mkdir call and this open call is unavoidable due to
+ POSIX semantics.*/
+ tmpDirFd = AutoCloseFD{open(tmpDir.c_str(), O_RDONLY | O_NOFOLLOW | O_DIRECTORY)};
+ if (!tmpDirFd)
+ throw SysError("failed to open the build temporary directory descriptor '%1%'", tmpDir);
+
+ chownToBuilder(tmpDirFd.get(), tmpDir);
for (auto & [outputName, status] : initialOutputs) {
/* Set scratch path we'll actually use during the build.
@@ -1159,9 +1166,7 @@ void LocalDerivationGoal::initTmpDir()
} else {
auto hash = hashString(HashAlgorithm::SHA256, i.first);
std::string fn = ".attr-" + hash.to_string(HashFormat::Nix32, false);
- Path p = tmpDir + "/" + fn;
- writeFile(p, rewriteStrings(i.second, inputRewrites));
- chownToBuilder(p);
+ writeBuilderFile(fn, rewriteStrings(i.second, inputRewrites));
env[i.first + "Path"] = tmpDirInSandbox + "/" + fn;
}
}
@@ -1266,11 +1271,9 @@ void LocalDerivationGoal::writeStructuredAttrs()
auto jsonSh = writeStructuredAttrsShell(json);
- writeFile(tmpDir + "/.attrs.sh", rewriteStrings(jsonSh, inputRewrites));
- chownToBuilder(tmpDir + "/.attrs.sh");
+ writeBuilderFile(".attrs.sh", rewriteStrings(jsonSh, inputRewrites));
env["NIX_ATTRS_SH_FILE"] = tmpDirInSandbox + "/.attrs.sh";
- writeFile(tmpDir + "/.attrs.json", rewriteStrings(json.dump(), inputRewrites));
- chownToBuilder(tmpDir + "/.attrs.json");
+ writeBuilderFile(".attrs.json", rewriteStrings(json.dump(), inputRewrites));
env["NIX_ATTRS_JSON_FILE"] = tmpDirInSandbox + "/.attrs.json";
}
}
@@ -1781,6 +1784,24 @@ void setupSeccomp()
#endif
}
+void LocalDerivationGoal::chownToBuilder(int fd, const Path & path)
+{
+ if (!buildUser) return;
+ if (fchown(fd, buildUser->getUID(), buildUser->getGID()) == -1)
+ throw SysError("cannot change ownership of file '%1%'", path);
+}
+
+void LocalDerivationGoal::writeBuilderFile(
+ const std::string & name,
+ std::string_view contents)
+{
+ auto path = std::filesystem::path(tmpDir) / name;
+ AutoCloseFD fd{openat(tmpDirFd.get(), name.c_str(), O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC | O_EXCL | O_NOFOLLOW, 0666)};
+ if (!fd)
+ throw SysError("creating file %s", path);
+ writeFile(fd, path, contents);
+ chownToBuilder(fd.get(), path);
+}
void LocalDerivationGoal::runChild()
{
@@ -3000,6 +3021,15 @@ void LocalDerivationGoal::checkOutputs(const std::map<std::string, ValidPathInfo
void LocalDerivationGoal::deleteTmpDir(bool force)
{
if (topTmpDir != "") {
+ /* As an extra precaution, even in the event of `deletePath` failing to
+ * clean up, the `tmpDir` will be chowned as if we were to move
+ * it inside the Nix store.
+ *
+ * This hardens against an attack which smuggles a file descriptor
+ * to make use of the temporary directory.
+ */
+ chmod(topTmpDir.c_str(), 0000);
+
/* Don't keep temporary directories for builtins because they
might have privileged stuff (like a copy of netrc). */
if (settings.keepFailed && !force && !drv->isBuiltin()) {
diff --git a/src/libstore/unix/include/nix/store/build/local-derivation-goal.hh b/src/libstore/unix/include/nix/store/build/local-derivation-goal.hh
index 795286a01..fb62e3ca4 100644
--- a/src/libstore/unix/include/nix/store/build/local-derivation-goal.hh
+++ b/src/libstore/unix/include/nix/store/build/local-derivation-goal.hh
@@ -37,6 +37,11 @@ struct LocalDerivationGoal : public DerivationGoal
*/
Path topTmpDir;
+ /**
+ * The file descriptor of the temporary directory.
+ */
+ AutoCloseFD tmpDirFd;
+
/**
* The path of the temporary directory in the sandbox.
*/
@@ -239,9 +244,24 @@ struct LocalDerivationGoal : public DerivationGoal
/**
* Make a file owned by the builder.
+ *
+ * SAFETY: this function is prone to TOCTOU as it receives a path and not a descriptor.
+ * It's only safe to call in a child of a directory only visible to the owner.
*/
void chownToBuilder(const Path & path);
+ /**
+ * Make a file owned by the builder addressed by its file descriptor.
+ */
+ void chownToBuilder(int fd, const Path & path);
+
+ /**
+ * Create a file in `tmpDir` owned by the builder.
+ */
+ void writeBuilderFile(
+ const std::string & name,
+ std::string_view contents);
+
int getChildStatus() override;
/**
diff --git a/src/libutil/file-content-address.cc b/src/libutil/file-content-address.cc
index 142bc70d5..d95781691 100644
--- a/src/libutil/file-content-address.cc
+++ b/src/libutil/file-content-address.cc
@@ -93,7 +93,7 @@ void restorePath(
{
switch (method) {
case FileSerialisationMethod::Flat:
- writeFile(path, source, 0666, startFsync);
+ writeFile(path, source, 0666, startFsync ? FsSync::Yes : FsSync::No);
break;
case FileSerialisationMethod::NixArchive:
restorePath(path, source, startFsync);
diff --git a/src/libutil/file-system.cc b/src/libutil/file-system.cc
index 9ce3682f1..204a63c4e 100644
--- a/src/libutil/file-system.cc
+++ b/src/libutil/file-system.cc
@@ -298,7 +298,7 @@ void readFile(const Path & path, Sink & sink)
}
-void writeFile(const Path & path, std::string_view s, mode_t mode, bool sync)
+void writeFile(const Path & path, std::string_view s, mode_t mode, FsSync sync)
{
AutoCloseFD fd = toDescriptor(open(path.c_str(), O_WRONLY | O_TRUNC | O_CREAT
// TODO
@@ -308,22 +308,29 @@ void writeFile(const Path & path, std::string_view s, mode_t mode, bool sync)
, mode));
if (!fd)
throw SysError("opening file '%1%'", path);
+
+ writeFile(fd, path, s, mode, sync);
+
+ /* Close explicitly to propagate the exceptions. */
+ fd.close();
+}
+
+void writeFile(AutoCloseFD & fd, const Path & origPath, std::string_view s, mode_t mode, FsSync sync)
+{
+ assert(fd);
try {
writeFull(fd.get(), s);
+
+ if (sync == FsSync::Yes)
+ fd.fsync();
+
} catch (Error & e) {
- e.addTrace({}, "writing file '%1%'", path);
+ e.addTrace({}, "writing file '%1%'", origPath);
throw;
}
- if (sync)
- fd.fsync();
- // Explicitly close to make sure exceptions are propagated.
- fd.close();
- if (sync)
- syncParent(path);
}
-
-void writeFile(const Path & path, Source & source, mode_t mode, bool sync)
+void writeFile(const Path & path, Source & source, mode_t mode, FsSync sync)
{
AutoCloseFD fd = toDescriptor(open(path.c_str(), O_WRONLY | O_TRUNC | O_CREAT
// TODO
@@ -347,11 +354,11 @@ void writeFile(const Path & path, Source & source, mode_t mode, bool sync)
e.addTrace({}, "writing file '%1%'", path);
throw;
}
- if (sync)
+ if (sync == FsSync::Yes)
fd.fsync();
// Explicitly close to make sure exceptions are propagated.
fd.close();
- if (sync)
+ if (sync == FsSync::Yes)
syncParent(path);
}
@@ -414,7 +421,8 @@ static void _deletePath(Descriptor parentfd, const fs::path & path, uint64_t & b
#ifndef _WIN32
checkInterrupt();
- std::string name(baseNameOf(path.native()));
+ std::string name(path.filename());
+ assert(name != "." && name != ".." && !name.empty());
struct stat st;
if (fstatat(parentfd, name.c_str(), &st,
@@ -455,7 +463,7 @@ static void _deletePath(Descriptor parentfd, const fs::path & path, uint64_t & b
throw SysError("chmod %1%", path);
}
- int fd = openat(parentfd, path.c_str(), O_RDONLY);
+ int fd = openat(parentfd, name.c_str(), O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
if (fd == -1)
throw SysError("opening directory %1%", path);
AutoCloseDir dir(fdopendir(fd));
@@ -467,7 +475,7 @@ static void _deletePath(Descriptor parentfd, const fs::path & path, uint64_t & b
checkInterrupt();
std::string childName = dirent->d_name;
if (childName == "." || childName == "..") continue;
- _deletePath(dirfd(dir.get()), path + "/" + childName, bytesFreed);
+ _deletePath(dirfd(dir.get()), path / childName, bytesFreed);
}
if (errno) throw SysError("reading directory %1%", path);
}
@@ -485,14 +493,13 @@ static void _deletePath(Descriptor parentfd, const fs::path & path, uint64_t & b
static void _deletePath(const fs::path & path, uint64_t & bytesFreed)
{
- Path dir = dirOf(path.string());
- if (dir == "")
- dir = "/";
+ assert(path.is_absolute());
+ assert(path.parent_path() != path);
- AutoCloseFD dirfd = toDescriptor(open(dir.c_str(), O_RDONLY));
+ AutoCloseFD dirfd = toDescriptor(open(path.parent_path().string().c_str(), O_RDONLY));
if (!dirfd) {
if (errno == ENOENT) return;
- throw SysError("opening directory '%1%'", path);
+ throw SysError("opening directory %s", path.parent_path());
}
_deletePath(dirfd.get(), path, bytesFreed);
diff --git a/src/libutil/include/nix/util/file-system.hh b/src/libutil/include/nix/util/file-system.hh
index e6b1cfef3..9a0057bbe 100644
--- a/src/libutil/include/nix/util/file-system.hh
+++ b/src/libutil/include/nix/util/file-system.hh
@@ -193,21 +193,27 @@ std::string readFile(const Path & path);
std::string readFile(const std::filesystem::path & path);
void readFile(const Path & path, Sink & sink);
+enum struct FsSync { Yes, No };
+
/**
* Write a string to a file.
*/
-void writeFile(const Path & path, std::string_view s, mode_t mode = 0666, bool sync = false);
-static inline void writeFile(const std::filesystem::path & path, std::string_view s, mode_t mode = 0666, bool sync = false)
+void writeFile(const Path & path, std::string_view s, mode_t mode = 0666, FsSync sync = FsSync::No);
+
+static inline void writeFile(const std::filesystem::path & path, std::string_view s, mode_t mode = 0666, FsSync sync = FsSync::No)
{
return writeFile(path.string(), s, mode, sync);
}
-void writeFile(const Path & path, Source & source, mode_t mode = 0666, bool sync = false);
-static inline void writeFile(const std::filesystem::path & path, Source & source, mode_t mode = 0666, bool sync = false)
+void writeFile(const Path & path, Source & source, mode_t mode = 0666, FsSync sync = FsSync::No);
+
+static inline void writeFile(const std::filesystem::path & path, Source & source, mode_t mode = 0666, FsSync sync = FsSync::No)
{
return writeFile(path.string(), source, mode, sync);
}
+void writeFile(AutoCloseFD & fd, const Path & origPath, std::string_view s, mode_t mode = 0666, FsSync sync = FsSync::No);
+
/**
* Flush a path's parent directory to disk.
*/
--
2.44.1


@ -1,449 +0,0 @@
From 01619fbe2dc06b79609b95b6f95ddbf4e871e762 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <edolstra@gmail.com>
Date: Thu, 19 Jun 2025 16:20:34 +0200
Subject: [PATCH] Fixes for GHSA-g948-229j-48j3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Squashed commit of the following:
commit 04fff3a637d455cbb1d75937a235950e43008db9
Author: Eelco Dolstra <edolstra@gmail.com>
Date: Thu Jun 12 12:30:32 2025 +0200
Chown structured attr files safely
commit 5417ad445e414c649d0cfc71a05661c7bf8f3ef5
Author: Eelco Dolstra <edolstra@gmail.com>
Date: Thu Jun 12 12:14:04 2025 +0200
Replace 'bool sync' with an enum for clarity
And drop writeFileAndSync().
commit 7ae0141f328d8e8e1094be24665789c05f974ba6
Author: Eelco Dolstra <edolstra@gmail.com>
Date: Thu Jun 12 11:35:28 2025 +0200
Drop guessOrInventPathFromFD()
No need to do hacky stuff like that when we already know the original path.
commit 45b05098bd019da7c57cd4227a89bfd0fa65bb08
Author: Eelco Dolstra <edolstra@gmail.com>
Date: Thu Jun 12 11:15:58 2025 +0200
Tweak comment
commit 0af15b31209d1b7ec8addfae9a1a6b60d8f35848
Author: Raito Bezarius <raito@lix.systems>
Date: Thu Mar 27 12:22:26 2025 +0100
libstore: ensure that temporary directory is always 0o000 before deletion
In the case the deletion fails, we should ensure that the temporary
directory cannot be used for nefarious purposes.
Change-Id: I498a2dd0999a74195d13642f44a5de1e69d46120
Signed-off-by: Raito Bezarius <raito@lix.systems>
commit 2c20fa37b15cfa03ac6a1a6a47cdb2ed66c0827e
Author: Raito Bezarius <raito@lix.systems>
Date: Wed Mar 26 12:42:55 2025 +0100
libutil: ensure that `_deletePath` does NOT use absolute paths with dirfds
When calling `_deletePath` with a parent file descriptor, `openat` is
made effective by using relative paths to the directory file descriptor.
To avoid the problem, the signature is changed to resist misuse with an
assert in the prologue of the function.
Change-Id: I6b3fc766bad2afe54dc27d47d1df3873e188de96
Signed-off-by: Raito Bezarius <raito@lix.systems>
commit d3c370bbcae48bb825ce19fd0f73bb4eefd2c9ea
Author: Raito Bezarius <raito@lix.systems>
Date: Wed Mar 26 01:07:47 2025 +0100
libstore: ensure that `passAsFile` is created in the original temp dir
This ensures that `passAsFile` data is created inside the expected
temporary build directory by `openat()` from the parent directory file
descriptor.
This avoids a TOCTOU which is part of the attack chain of CVE-????.
Change-Id: Ie5273446c4a19403088d0389ae8e3f473af8879a
Signed-off-by: Raito Bezarius <raito@lix.systems>
commit 45d3598724f932d024ef6bc2ffb00c1bb90e6018
Author: Raito Bezarius <raito@lix.systems>
Date: Wed Mar 26 01:06:03 2025 +0100
libutil: writeFile variant for file descriptors
`writeFile` lose its `sync` boolean flag to make things simpler.
A new `writeFileAndSync` function is created and all call sites are
converted to it.
Change-Id: Ib871a5283a9c047db1e4fe48a241506e4aab9192
Signed-off-by: Raito Bezarius <raito@lix.systems>
commit 732bd9b98cabf4aaf95a01fd318923de303f9996
Author: Raito Bezarius <raito@lix.systems>
Date: Wed Mar 26 01:05:34 2025 +0100
libstore: chown to builder variant for file descriptors
We use it immediately for the build temporary directory.
Change-Id: I180193c63a2b98721f5fb8e542c4e39c099bb947
Signed-off-by: Raito Bezarius <raito@lix.systems>
commit 962c65f8dcd5570dd92c72370a862c7b38942e0d
Author: Raito Bezarius <raito@lix.systems>
Date: Wed Mar 26 01:04:59 2025 +0100
libstore: open build directory as a dirfd as well
We now keep around a proper AutoCloseFD around the temporary directory
which we plan to use for openat operations and avoiding the build
directory being swapped out while we are doing something else.
Change-Id: I18d387b0f123ebf2d20c6405cd47ebadc5505f2a
Signed-off-by: Raito Bezarius <raito@lix.systems>
commit c9b42462b75b5a37ee6564c2b53cff186c8323da
Author: Raito Bezarius <raito@lix.systems>
Date: Wed Mar 26 01:04:12 2025 +0100
libutil: guess or invent a path from file descriptors
This is useful for certain error recovery paths (no pun intended) that
does not thread through the original path name.
Change-Id: I2d800740cb4f9912e64c923120d3f977c58ccb7e
Signed-off-by: Raito Bezarius <raito@lix.systems>
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
src/libstore/local-store.cc | 4 +-
src/libstore/unix/build/derivation-builder.cc | 66 ++++++++++++++++---
src/libutil/file-content-address.cc | 2 +-
src/libutil/file-system.cc | 47 +++++++------
src/libutil/include/nix/util/file-system.hh | 14 ++--
5 files changed, 98 insertions(+), 35 deletions(-)
diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc
index 76fadba86..1ab3ed13a 100644
--- a/src/libstore/local-store.cc
+++ b/src/libstore/local-store.cc
@@ -247,7 +247,7 @@ LocalStore::LocalStore(ref<const Config> config)
else if (curSchema == 0) { /* new store */
curSchema = nixSchemaVersion;
openDB(*state, true);
- writeFile(schemaPath, fmt("%1%", curSchema), 0666, true);
+ writeFile(schemaPath, fmt("%1%", curSchema), 0666, FsSync::Yes);
}
else if (curSchema < nixSchemaVersion) {
@@ -298,7 +298,7 @@ LocalStore::LocalStore(ref<const Config> config)
txn.commit();
}
- writeFile(schemaPath, fmt("%1%", nixSchemaVersion), 0666, true);
+ writeFile(schemaPath, fmt("%1%", nixSchemaVersion), 0666, FsSync::Yes);
lockFile(globalLock.get(), ltRead, true);
}
diff --git a/src/libstore/unix/build/derivation-builder.cc b/src/libstore/unix/build/derivation-builder.cc
index 58e8d8ba6..856bc81c3 100644
--- a/src/libstore/unix/build/derivation-builder.cc
+++ b/src/libstore/unix/build/derivation-builder.cc
@@ -129,6 +129,11 @@ private:
*/
Path topTmpDir;
+ /**
+ * The file descriptor of the temporary directory.
+ */
+ AutoCloseFD tmpDirFd;
+
/**
* The path of the temporary directory in the sandbox.
*/
@@ -325,9 +330,24 @@ private:
/**
* Make a file owned by the builder.
+ *
+ * SAFETY: this function is prone to TOCTOU as it receives a path and not a descriptor.
+ * It's only safe to call in a child of a directory only visible to the owner.
*/
void chownToBuilder(const Path & path);
+ /**
+ * Make a file owned by the builder addressed by its file descriptor.
+ */
+ void chownToBuilder(int fd, const Path & path);
+
+ /**
+ * Create a file in `tmpDir` owned by the builder.
+ */
+ void writeBuilderFile(
+ const std::string & name,
+ std::string_view contents);
+
/**
* Run the builder's process.
*/
@@ -895,7 +915,14 @@ void DerivationBuilderImpl::startBuilder()
} else {
tmpDir = topTmpDir;
}
- chownToBuilder(tmpDir);
+
+ /* The TOCTOU between the previous mkdir call and this open call is unavoidable due to
+ POSIX semantics.*/
+ tmpDirFd = AutoCloseFD{open(tmpDir.c_str(), O_RDONLY | O_NOFOLLOW | O_DIRECTORY)};
+ if (!tmpDirFd)
+ throw SysError("failed to open the build temporary directory descriptor '%1%'", tmpDir);
+
+ chownToBuilder(tmpDirFd.get(), tmpDir);
for (auto & [outputName, status] : initialOutputs) {
/* Set scratch path we'll actually use during the build.
@@ -1469,9 +1496,7 @@ void DerivationBuilderImpl::initTmpDir()
} else {
auto hash = hashString(HashAlgorithm::SHA256, i.first);
std::string fn = ".attr-" + hash.to_string(HashFormat::Nix32, false);
- Path p = tmpDir + "/" + fn;
- writeFile(p, rewriteStrings(i.second, inputRewrites));
- chownToBuilder(p);
+ writeBuilderFile(fn, rewriteStrings(i.second, inputRewrites));
env[i.first + "Path"] = tmpDirInSandbox + "/" + fn;
}
}
@@ -1580,11 +1605,9 @@ void DerivationBuilderImpl::writeStructuredAttrs()
auto jsonSh = StructuredAttrs::writeShell(json);
- writeFile(tmpDir + "/.attrs.sh", rewriteStrings(jsonSh, inputRewrites));
- chownToBuilder(tmpDir + "/.attrs.sh");
+ writeBuilderFile(".attrs.sh", rewriteStrings(jsonSh, inputRewrites));
env["NIX_ATTRS_SH_FILE"] = tmpDirInSandbox + "/.attrs.sh";
- writeFile(tmpDir + "/.attrs.json", rewriteStrings(json.dump(), inputRewrites));
- chownToBuilder(tmpDir + "/.attrs.json");
+ writeBuilderFile(".attrs.json", rewriteStrings(json.dump(), inputRewrites));
env["NIX_ATTRS_JSON_FILE"] = tmpDirInSandbox + "/.attrs.json";
}
}
@@ -1838,6 +1861,24 @@ void setupSeccomp()
#endif
}
+void DerivationBuilderImpl::chownToBuilder(int fd, const Path & path)
+{
+ if (!buildUser) return;
+ if (fchown(fd, buildUser->getUID(), buildUser->getGID()) == -1)
+ throw SysError("cannot change ownership of file '%1%'", path);
+}
+
+void DerivationBuilderImpl::writeBuilderFile(
+ const std::string & name,
+ std::string_view contents)
+{
+ auto path = std::filesystem::path(tmpDir) / name;
+ AutoCloseFD fd{openat(tmpDirFd.get(), name.c_str(), O_WRONLY | O_TRUNC | O_CREAT | O_CLOEXEC | O_EXCL | O_NOFOLLOW, 0666)};
+ if (!fd)
+ throw SysError("creating file %s", path);
+ writeFile(fd, path, contents);
+ chownToBuilder(fd.get(), path);
+}
void DerivationBuilderImpl::runChild()
{
@@ -3043,6 +3084,15 @@ void DerivationBuilderImpl::checkOutputs(const std::map<std::string, ValidPathIn
void DerivationBuilderImpl::deleteTmpDir(bool force)
{
if (topTmpDir != "") {
+ /* As an extra precaution, even in the event of `deletePath` failing to
+ * clean up, the `tmpDir` will be chowned as if we were to move
+ * it inside the Nix store.
+ *
+ * This hardens against an attack which smuggles a file descriptor
+ * to make use of the temporary directory.
+ */
+ chmod(topTmpDir.c_str(), 0000);
+
/* Don't keep temporary directories for builtins because they
might have privileged stuff (like a copy of netrc). */
if (settings.keepFailed && !force && !drv.isBuiltin()) {
diff --git a/src/libutil/file-content-address.cc b/src/libutil/file-content-address.cc
index 142bc70d5..d95781691 100644
--- a/src/libutil/file-content-address.cc
+++ b/src/libutil/file-content-address.cc
@@ -93,7 +93,7 @@ void restorePath(
{
switch (method) {
case FileSerialisationMethod::Flat:
- writeFile(path, source, 0666, startFsync);
+ writeFile(path, source, 0666, startFsync ? FsSync::Yes : FsSync::No);
break;
case FileSerialisationMethod::NixArchive:
restorePath(path, source, startFsync);
diff --git a/src/libutil/file-system.cc b/src/libutil/file-system.cc
index 90ec5eda5..aeee49e9b 100644
--- a/src/libutil/file-system.cc
+++ b/src/libutil/file-system.cc
@@ -303,7 +303,7 @@ void readFile(const Path & path, Sink & sink, bool memory_map)
}
-void writeFile(const Path & path, std::string_view s, mode_t mode, bool sync)
+void writeFile(const Path & path, std::string_view s, mode_t mode, FsSync sync)
{
AutoCloseFD fd = toDescriptor(open(path.c_str(), O_WRONLY | O_TRUNC | O_CREAT
// TODO
@@ -313,22 +313,29 @@ void writeFile(const Path & path, std::string_view s, mode_t mode, bool sync)
, mode));
if (!fd)
throw SysError("opening file '%1%'", path);
+
+ writeFile(fd, path, s, mode, sync);
+
+ /* Close explicitly to propagate the exceptions. */
+ fd.close();
+}
+
+void writeFile(AutoCloseFD & fd, const Path & origPath, std::string_view s, mode_t mode, FsSync sync)
+{
+ assert(fd);
try {
writeFull(fd.get(), s);
+
+ if (sync == FsSync::Yes)
+ fd.fsync();
+
} catch (Error & e) {
- e.addTrace({}, "writing file '%1%'", path);
+ e.addTrace({}, "writing file '%1%'", origPath);
throw;
}
- if (sync)
- fd.fsync();
- // Explicitly close to make sure exceptions are propagated.
- fd.close();
- if (sync)
- syncParent(path);
}
-
-void writeFile(const Path & path, Source & source, mode_t mode, bool sync)
+void writeFile(const Path & path, Source & source, mode_t mode, FsSync sync)
{
AutoCloseFD fd = toDescriptor(open(path.c_str(), O_WRONLY | O_TRUNC | O_CREAT
// TODO
@@ -352,11 +359,11 @@ void writeFile(const Path & path, Source & source, mode_t mode, bool sync)
e.addTrace({}, "writing file '%1%'", path);
throw;
}
- if (sync)
+ if (sync == FsSync::Yes)
fd.fsync();
// Explicitly close to make sure exceptions are propagated.
fd.close();
- if (sync)
+ if (sync == FsSync::Yes)
syncParent(path);
}
@@ -419,7 +426,8 @@ static void _deletePath(Descriptor parentfd, const std::filesystem::path & path,
#ifndef _WIN32
checkInterrupt();
- std::string name(baseNameOf(path.native()));
+ std::string name(path.filename());
+ assert(name != "." && name != ".." && !name.empty());
struct stat st;
if (fstatat(parentfd, name.c_str(), &st,
@@ -460,7 +468,7 @@ static void _deletePath(Descriptor parentfd, const std::filesystem::path & path,
throw SysError("chmod %1%", path);
}
- int fd = openat(parentfd, path.c_str(), O_RDONLY);
+ int fd = openat(parentfd, name.c_str(), O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
if (fd == -1)
throw SysError("opening directory %1%", path);
AutoCloseDir dir(fdopendir(fd));
@@ -472,7 +480,7 @@ static void _deletePath(Descriptor parentfd, const std::filesystem::path & path,
checkInterrupt();
std::string childName = dirent->d_name;
if (childName == "." || childName == "..") continue;
- _deletePath(dirfd(dir.get()), path + "/" + childName, bytesFreed);
+ _deletePath(dirfd(dir.get()), path / childName, bytesFreed);
}
if (errno) throw SysError("reading directory %1%", path);
}
@@ -490,14 +498,13 @@ static void _deletePath(Descriptor parentfd, const std::filesystem::path & path,
static void _deletePath(const std::filesystem::path & path, uint64_t & bytesFreed)
{
- Path dir = dirOf(path.string());
- if (dir == "")
- dir = "/";
+ assert(path.is_absolute());
+ assert(path.parent_path() != path);
- AutoCloseFD dirfd = toDescriptor(open(dir.c_str(), O_RDONLY));
+ AutoCloseFD dirfd = toDescriptor(open(path.parent_path().string().c_str(), O_RDONLY));
if (!dirfd) {
if (errno == ENOENT) return;
- throw SysError("opening directory '%1%'", path);
+ throw SysError("opening directory %s", path.parent_path());
}
_deletePath(dirfd.get(), path, bytesFreed);
diff --git a/src/libutil/include/nix/util/file-system.hh b/src/libutil/include/nix/util/file-system.hh
index b8fa4cfa0..a9a6e43bf 100644
--- a/src/libutil/include/nix/util/file-system.hh
+++ b/src/libutil/include/nix/util/file-system.hh
@@ -175,21 +175,27 @@ std::string readFile(const Path & path);
std::string readFile(const std::filesystem::path & path);
void readFile(const Path & path, Sink & sink, bool memory_map = true);
+enum struct FsSync { Yes, No };
+
/**
* Write a string to a file.
*/
-void writeFile(const Path & path, std::string_view s, mode_t mode = 0666, bool sync = false);
-static inline void writeFile(const std::filesystem::path & path, std::string_view s, mode_t mode = 0666, bool sync = false)
+void writeFile(const Path & path, std::string_view s, mode_t mode = 0666, FsSync sync = FsSync::No);
+
+static inline void writeFile(const std::filesystem::path & path, std::string_view s, mode_t mode = 0666, FsSync sync = FsSync::No)
{
return writeFile(path.string(), s, mode, sync);
}
-void writeFile(const Path & path, Source & source, mode_t mode = 0666, bool sync = false);
-static inline void writeFile(const std::filesystem::path & path, Source & source, mode_t mode = 0666, bool sync = false)
+void writeFile(const Path & path, Source & source, mode_t mode = 0666, FsSync sync = FsSync::No);
+
+static inline void writeFile(const std::filesystem::path & path, Source & source, mode_t mode = 0666, FsSync sync = FsSync::No)
{
return writeFile(path.string(), source, mode, sync);
}
+void writeFile(AutoCloseFD & fd, const Path & origPath, std::string_view s, mode_t mode = 0666, FsSync sync = FsSync::No);
+
/**
* Flush a path's parent directory to disk.
*/
--
2.44.1


@ -596,7 +596,6 @@ mapAliases {
eidolon = throw "eidolon was removed as it is unmaintained upstream."; # Added 2025-05-28
eintopf = lauti; # Project was renamed, added 2025-05-01
elasticsearch7Plugins = elasticsearchPlugins;
electron-cash = throw "'electron-cash' has been removed due to lack of maintenance."; # Added 2025-06-17
electronplayer = throw "'electronplayer' has been removed as it had been discontinued upstream since October 2024"; # Added 2024-12-17
element-desktop-wayland = throw "element-desktop-wayland has been removed. Consider setting NIXOS_OZONE_WL=1 via 'environment.sessionVariables' instead"; # Added 2024-12-17


@ -2548,15 +2548,15 @@ with pkgs;
circus = with python310Packages; toPythonApplication circus;
inherit (callPackage ../applications/networking/remote/citrix-workspace { })
citrix_workspace_23_09_0
citrix_workspace_23_11_0
citrix_workspace_24_02_0
citrix_workspace_24_05_0
citrix_workspace_24_08_0
citrix_workspace_24_11_0
citrix_workspace_25_03_0
citrix_workspace_25_05_0
;
citrix_workspace = citrix_workspace_25_03_0;
citrix_workspace = citrix_workspace_25_05_0;
cmst = libsForQt5.callPackage ../tools/networking/cmst { };


@ -1045,6 +1045,8 @@ self: super: with self; {
asyncstdlib = callPackage ../development/python-modules/asyncstdlib { };
asyncstdlib-fw = callPackage ../development/python-modules/asyncstdlib-fw { };
asynctest = callPackage ../development/python-modules/asynctest { };
asyncua = callPackage ../development/python-modules/asyncua { };
@ -1803,6 +1805,10 @@ self: super: with self; {
betterproto = callPackage ../development/python-modules/betterproto { };
betterproto-fw = callPackage ../development/python-modules/betterproto-fw { };
betterproto-rust-codec = callPackage ../development/python-modules/betterproto-rust-codec { };
bezier = callPackage ../development/python-modules/bezier { };
beziers = callPackage ../development/python-modules/beziers { };