WIP: make-sandboxed: handle /opt-style packaging, with toplevels linked into /bin, a bit better

hosts/common/programs/calls.nix

@@ -8,6 +8,10 @@
 # - the bot will reply with auto-generated username/password plus a SIP server endpoint.
 #   just copy those into gnome-calls' GUI configurator
 # - now gnome-calls can do outbound calls. inbound calls can be routed by messaging the bot: "configure calls"
+#
+# user guide:
+# - "Use for Calls" means, "when i click a tel: URI, use this account": <https://gitlab.gnome.org/GNOME/calls/-/issues/513>
+# - `calls -vvv` for verbosity
 { config, lib, pkgs, ... }:
 let
   cfg = config.sane.programs.calls;
@@ -79,6 +83,10 @@ in
       "gnome-keyring"  # to remember the password
     ];
 
+    mime.associations."x-scheme-handler/tel" = "org.gnome.Calls.desktop";
+    mime.associations."x-scheme-handler/sip" = "org.gnome.Calls.desktop";
+    mime.associations."x-scheme-handler/sips" = "org.gnome.Calls.desktop";
+
     services.gnome-calls = {
       description = "gnome-calls daemon to monitor incoming SIP calls";
       partOf = lib.mkIf cfg.config.autostart [ "graphical-session" ];

hosts/common/programs/sway/default.nix

@@ -62,21 +62,6 @@ let
       substituteInPlace types/wlr_xdg_activation_v1.c \
         --replace-fail 'if (token->seat != NULL)' 'if (false && token->seat != NULL)'
     '';
-    patches = (upstream.patches or []) ++ [
-      (pkgs.fetchpatch {
-        # XXX(2024-08-12): drmSyncobj causes sway to fail to create any output at launch:
-        # sway: 00:00:09.955 [ERROR] [wlr] [render/drm_syncobj.c:24] drmSyncobjCreate failed: Operation not supported
-        # sway: 00:00:09.955 [ERROR] [sway/desktop/output.c:545] Failed to create a scene output
-        # this is fixable in wlroots -- not via sway.
-        # - sway patch (reverting it does *not* fix): <https://github.com/swaywm/sway/pull/8156>
-        # - wlroot patch which introduced the bug: <https://gitlab.freedesktop.org/wlroots/wlroots/-/merge_requests/4715>
-        # see (tracking): <https://gitlab.freedesktop.org/wlroots/wlroots/-/merge_requests/4715#note_2523517>
-        # - <https://gitlab.freedesktop.org/wlroots/wlroots/-/merge_requests/4781>
-        name = "render-gles2-check-for-DRM_CAP_SYNCOBJ_TIMELINE";
-        url = "https://gitlab.freedesktop.org/wlroots/wlroots/-/merge_requests/4781.patch";
-        hash = "sha256-Z6m49DZutyTB54z4AGmjTUoE0EbF4tJ1GyOXC+gqQgU=";
-      })
-    ];
   });
   swayPackage = wrapSway (
     (pkgs.nixpkgs-wayland.sway-unwrapped.override {

modules/programs/make-sandboxed.nix

@@ -4,6 +4,7 @@
   buildPackages,
   file,
   gnugrep,
+  gnused,
   makeBinaryWrapper,
   runCommandLocal,
   runtimeShell,
@@ -11,6 +12,7 @@
   symlinkJoin,
   writeShellScriptBin,
   writeTextFile,
+  xorg,
 }:
 let
   fakeSaneSandboxed = writeShellScriptBin "sanebox" ''
@@ -60,6 +62,7 @@ let
       # the ordering here is specific: inject our deps BEFORE the unwrapped program's
       # so that the unwrapped's take precendence and we limit interference (e.g. makeWrapper impl)
       fakeSaneSandboxed
+      gnugrep
       makeBinaryWrapper
     ] ++ (unwrapped.nativeBuildInputs or []);
     disallowedReferences = (unwrapped.disallowedReferences or []) ++ [
@@ -70,8 +73,7 @@ let
 
     postFixup = (unwrapped.postFixup or "") + ''
       assertExecutable() {
-        # my programs refer to sanebox by name, not path, which triggers an over-eager assertion in nixpkgs (so, mask that)
-        :
+        :  # my programs refer to sanebox by name, not path, which triggers an over-eager assertion in nixpkgs (so, mask that)
       }
       makeDocumentedCWrapper() {
         # this is identical to nixpkgs' implementation, only replace execv with execvp, the latter which looks for the executable on PATH.
@@ -93,26 +95,68 @@ let
         # if desired, makeWrapper-style naming could be achieved by leveraging `exec -a <original_name>`
         # or `make-wrapper --inherit-argv0`
         mkdir -p "$_dir/.sandboxed"
-        if [[ "$(readlink $_dir/$_name)" =~ ^\.\./ ]]; then
-          # relative links which ascend a directory (into a non-bin/ directory)
-          # won't point to the right place if we naively move them
-          ln -s "../$(readlink $_dir/$_name)" "$_dir/.sandboxed/$_name"
-          rm "$_dir/$_name"
-        else
-          mv "$_dir/$_name" "$_dir/.sandboxed/"
-        fi
+        mv "$_dir/$_name" "$_dir/.sandboxed/"
         makeBinaryWrapper ${sanebox'} "$_dir/$_name" --suffix PATH : /run/current-system/sw/libexec/sanebox ${lib.escapeShellArgs (lib.flatten (builtins.map (f: [ "--add-flags" f ]) extraSandboxArgs))} --add-flags "$_dir/.sandboxed/$_name"
       }
 
-      crawlAndWrap() {
-        local _dir="$1"
-        for _p in $(ls "$_dir/"); do
-          if [ -x "$_dir/$_p" ] && ! [ -d "$_dir/$_p" ]; then
-            sandboxWrap "$_dir" "$_p"
-          elif [ -d "$_dir/$_p" ]; then
-            crawlAndWrap "$_dir/$_p"
+      derefWhileInSameOutput() {
+        local output="$1"
+        local item="$2"
+        if [ -L "$item" ]; then
+          local target=$(readlink "$item")
+          if [[ "$target" =~ ^"$output"/ ]]; then
+            # absolute link back into the same package
+            item=$(derefWhileInSameOutput "$output" "$target")
+          elif [[ "$target" =~ ^/nix/store/ ]]; then
+            : # absolute link to another package: we're done
+          else
+            # relative link
+            local parent=$(dirname "$item")
+            target="$parent/$target"
+            item=$(derefWhileInSameOutput "$output" "$target")
+          fi
+        fi
+        echo "$item"
+      }
+      findUnwrapped() {
+        if [ -L "$1" ]; then
+          echo "$1"
+        else
+          local dir_=$(dirname "$1")
+          local file_=$(basename "$1")
+          local sandboxed="$dir_/.sandboxed/$file_"
+          local unwrapped="$dir_/.''${file_}-unwrapped"
+          if grep -q "$sandboxed" "$1"; then
+            echo "/dev/null"  #< already sandboxed
+          elif grep -q "$unwrapped" "$1"; then
+            echo $(findUnwrapped "$unwrapped")
+          else
+            echo "$1"
+          fi
+        fi
+      }
+
+      crawlAndWrap() {
+        local output="$1"
+        local _dir="$2"
+        local item
+        for item in $(ls -a "$_dir/"); do
+          if [ "$item" != . ] && [ "$item" != .. ]; then
+            local target="$_dir/$item"
+            if [ -x "$target" ] && ! [ -d "$target" ]; then
+              # in the case of symlinks, deref until we find the real file, or the symlink points outside the package
+              target=$(derefWhileInSameOutput "$output" "$target")
+              target=$(findUnwrapped "$target")
+              if [ "$target" != /dev/null ]; then
+                local parent=$(dirname "$target")
+                local bin=$(basename "$target")
+                sandboxWrap "$parent" "$bin"
+              fi
+            elif [ -d "$_dir/$item" ]; then
+              crawlAndWrap "$_dir/$item"
+            fi
+            # ignore all non-binaries
           fi
-          # ignore all non-binaries
         done
       }
 
@@ -120,10 +164,10 @@ let
         local outdir=''${!output}
         echo "scanning output '$output' at $outdir for binaries to sandbox"
         if [ -e "$outdir/bin" ]; then
-          crawlAndWrap "$outdir/bin"
+          crawlAndWrap "$outdir" "$outdir/bin"
         fi
         if [ -e "$outdir/libexec" ]; then
-          crawlAndWrap "$outdir/libexec"
+          crawlAndWrap "$outdir" "$outdir/libexec"
         fi
       done
     '';
@@ -139,20 +183,57 @@ let
   ;
 
   # helper used for `wrapperType == "wrappedDerivation"` which simply symlinks all a package's binaries into a new derivation
-  symlinkBinaries = pkgName: package: (runCommandLocal "${pkgName}-bin-only" {} ''
+  symlinkBinaries = pkgName: package: (runCommandLocal "${pkgName}-bin-only" {
+    nativeBuildInputs = [ gnused ];
+  } ''
     set -e
-    if [ -e "${package}/bin" ]; then
-      mkdir -p "$out/bin"
-      ${buildPackages.xorg.lndir}/bin/lndir "${package}/bin" "$out/bin"
-    fi
-    if [ "$(readlink ${package}/sbin)" == "bin" ]; then
-      # weird packages like wpa_supplicant depend on a sbin/ -> bin symlink in their service files
-      ln -s bin "$out/sbin"
-    fi
-    if [ -e "${package}/libexec" ]; then
-      mkdir -p "$out/libexec"
-      ${buildPackages.xorg.lndir}/bin/lndir "${package}/libexec" "$out/libexec"
-    fi
+    symlinkPath() {
+      if [ -e "$out/$1" ]; then
+        :  # already linked. may happen when e.g. the package has bin/foo, and sbin -> bin.
+      elif ! [ -x "${package}/$1" ]; then
+        :  # not a binary, nor a directory (-x) which could contain binaries
+      elif [ -L "${package}/$1" ]; then
+        local target=$(readlink "${package}/$1")
+        if [[ "$target" =~ ^${package}/ ]]; then
+          # absolute link back into the same package
+          echo "handling $1: descending into absolute symlink to same package: $target"
+          target=$(echo "$target" | sed 's:${package}/::')
+          ln -s "$out/$target" "$out/$1"
+          # create/link the backing path
+          # N.B.: if some leading component of the backing path is also a symlink... this might not work as expected.
+          local parent=$(dirname "$out/$target")
+          mkdir -p "$parent"
+          symlinkPath "$target"
+        elif [[ "$target" =~ ^/nix/store/ ]]; then
+          # absolute link to another package
+          echo "handling $1: symlinking absolute store path: $target"
+          ln -s "$target" "$out/$1"
+        else
+          # relative link
+          echo "handling $1: descending into relative symlink: $target"
+          ln -s "$target" "$out/$1"
+          local parent=$(dirname "$1")
+          local derefParent=$(dirname "$out/$parent/$target")
+          $(set -x && mkdir -p "$derefParent")
+          symlinkPath "$parent/$target"
+        fi
+      elif [ -d "${package}/$1" ]; then
+        echo "handling $1: descending into directory"
+        mkdir -p "$out/$1"
+        items=($(ls -a "${package}/$1"))
+        for item in "''${items[@]}"; do
+          if [ "$item" != . ] && [ "$item" != .. ]; then
+            symlinkPath "$1/$item"
+          fi
+        done
+      elif [ -e "${package}/$1" ]; then
+        echo "handling $1: symlinking ordinary file"
+        ln -s "${package}/$1" "$out/$1"
+      fi
+    }
+    symlinkPath bin
+    symlinkPath sbin
+    symlinkPath libexec
     # allow downstream wrapping to hook this (and thereby actually wrap the binaries)
     runHook postFixup
   '').overrideAttrs (_: {
@@ -185,6 +266,28 @@ let
           mv ./substituteResult "$_outPath"
         fi
       }
+
+      # remove any files which exist in sandoxedBin (makes it possible to sandbox /opt-style packages)
+      # also remove any files which would be "hidden". mostly useful for /opt-style packages which contain nix-wrapped binaries.
+      removeUnwanted() {
+        local file_=$(basename "$1")
+        if [[ "$file_" == .* ]]; then
+          rm -r "$out/$1"
+        elif [ -f "$out/$1" ] || [ -L "$out/$1" ]; then
+          if [ -e "${sandboxedBin}/$1" ]; then
+            rm "$out/$1"
+          fi
+        elif [ -d "$out/$1" ]; then
+          local files=($(ls -a "$out/$1"))
+          for item in "''${files[@]}"; do
+            if [ "$item" != . ] && [ "$item" != .. ]; then
+              removeUnwanted "$1/$item"
+            fi
+          done
+        fi
+      }
+      removeUnwanted ""
+
       # fixup a few files i understand well enough
       for d in \
         $out/etc/xdg/autostart/*.desktop \
@@ -207,13 +310,15 @@ let
       # further, since the sandboxed binaries intentionally reference the unsandboxed binaries,
       # we have to patch those out as a way to whitelist them.
       checkSandboxed = let
-        sandboxedNonBin = fixHardcodedRefs unsandboxed "/dev/null" unsandboxedNonBin;
+        sandboxedNonBin = fixHardcodedRefs unsandboxed sandboxedBin unsandboxedNonBin;
       in runCommandLocal "${sandboxedNonBin.name}-check-sandboxed"
         { disallowedReferences = [ unsandboxed ]; }
+        # dereference every symlink, ensuring that whatever data is behind it does not reference non-sandboxed binaries.
+        # the dereference *can* fail, in case it's a relative symlink that refers to a part of the non-binaries we don't patch.
+        # in such case, this could lead to weird brokenness (e.g. no icons/images), so failing is reasonable.
+        # N.B.: this `checkSandboxed` protects against accidentally referencing unsandboxed binaries from data files (.deskop, .service, etc).
+        # there's an *additional* `checkSandboxed` further below which invokes every executable in the final package to make sure the binaries are truly sandboxed.
         ''
-          # dereference every symlink, ensuring that whatever data is behind it does not reference non-sandboxed binaries.
-          # the dereference *can* fail, in case it's a relative symlink that refers to a part of the non-binaries we don't patch.
-          # in such case, this could lead to weird brokenness (e.g. no icons/images), so failing is reasonable.
           cp -R --dereference "${sandboxedNonBin}" "$out"  # IF YOUR BUILD FAILS HERE, TRY SANDBOXING WITH "inplace"
         ''
       ;
@@ -224,7 +329,9 @@ let
   # patch them to use the sandboxed binaries,
   # and add some passthru metadata to enforce no lingering references to the unsandboxed binaries.
   sandboxNonBinaries = pkgName: unsandboxed: sandboxedBin: let
-    sandboxedWithoutFixedRefs = (runCommandLocal "${pkgName}-sandboxed-non-binary" {} ''
+    sandboxedWithoutFixedRefs = (runCommandLocal "${pkgName}-sandboxed-non-binary" {
+      nativeBuildInputs = [ xorg.lndir ];
+    } ''
       set -e
       mkdir "$out"
       # link in a limited subset of the directories.
@@ -233,7 +340,7 @@ let
       for dir in etc share; do
         if [ -e "${unsandboxed}/$dir" ]; then
           mkdir "$out/$dir"
-          ${buildPackages.xorg.lndir}/bin/lndir "${unsandboxed}/$dir" "$out/$dir"
+          lndir "${unsandboxed}/$dir" "$out/$dir"
         fi
       done
       runHook postInstall
@@ -243,7 +350,7 @@ let
     });
   in fixHardcodedRefs unsandboxed sandboxedBin sandboxedWithoutFixedRefs;
 
-  # take the nearly-final sandboxed package, with binaries and and else, and
+  # take the nearly-final sandboxed package, with binaries and all else, and
   # populate passthru attributes the caller expects, like `checkSandboxed`.
   fixupMetaAndPassthru = pkgName: pkg: extraPassthru: pkg.overrideAttrs (finalAttrs: prevAttrs: let
     nonBin = (prevAttrs.passthru or {}).sandboxedNonBin or {};

overlays/cross.nix

@@ -339,29 +339,29 @@ in with final; {
     '';
   });
 
-  # 2024/08/12: upstreaming is unblocked
-  flatpak = prev.flatpak.overrideAttrs (upstream: {
-    # fixes "No package 'libxml-2.0' found"
-    buildInputs = upstream.buildInputs ++ [ libxml2 ];
-    configureFlags = upstream.configureFlags ++ [
-      "--enable-selinux-module=no"  # fixes "checking for /usr/share/selinux/devel/Makefile... configure: error: cannot check for file existence when cross compiling"
-      "--disable-gtk-doc"  # fixes "You must have gtk-doc >= 1.20 installed to build documentation for Flatpak"
-    ];
+  # 2024/08/12: upstreaming is unblocked, implemented on `pr-flatpak-cross`, out for PR: <https://github.com/NixOS/nixpkgs/pull/334324>
+  # flatpak = prev.flatpak.overrideAttrs (upstream: {
+  #   # fixes "No package 'libxml-2.0' found"
+  #   buildInputs = upstream.buildInputs ++ [ libxml2 ];
+  #   configureFlags = upstream.configureFlags ++ [
+  #     "--enable-selinux-module=no"  # fixes "checking for /usr/share/selinux/devel/Makefile... configure: error: cannot check for file existence when cross compiling"
+  #     "--disable-gtk-doc"  # fixes "You must have gtk-doc >= 1.20 installed to build documentation for Flatpak"
+  #   ];
 
-    postPatch = let
-      # copied from nixpkgs flatpak and modified to use buildPackages python
-      vsc-py = buildPackages.python3.withPackages (pp: [
-        pp.pyparsing
-      ]);
-    in ''
-      patchShebangs buildutil
-      patchShebangs tests
-      PATH=${lib.makeBinPath [vsc-py]}:$PATH patchShebangs --build subprojects/variant-schema-compiler/variant-schema-compiler
-    '' + ''
-      sed -i s:'\$BWRAP --version:${stdenv.hostPlatform.emulator buildPackages} \$BWRAP --version:' configure.ac
-      sed -i s:'\$DBUS_PROXY --version:${stdenv.hostPlatform.emulator buildPackages} \$DBUS_PROXY --version:' configure.ac
-    '';
-  });
+  #   postPatch = let
+  #     # copied from nixpkgs flatpak and modified to use buildPackages python
+  #     vsc-py = buildPackages.python3.withPackages (pp: [
+  #       pp.pyparsing
+  #     ]);
+  #   in ''
+  #     patchShebangs buildutil
+  #     patchShebangs tests
+  #     PATH=${lib.makeBinPath [vsc-py]}:$PATH patchShebangs --build subprojects/variant-schema-compiler/variant-schema-compiler
+  #   '' + ''
+  #     sed -i s:'\$BWRAP --version:${stdenv.hostPlatform.emulator buildPackages} \$BWRAP --version:' configure.ac
+  #     sed -i s:'\$DBUS_PROXY --version:${stdenv.hostPlatform.emulator buildPackages} \$DBUS_PROXY --version:' configure.ac
+  #   '';
+  # });
 
   # 2024/08/12: upstreaming is blocked by xdg-desktop-portal
   fractal = prev.fractal.overrideAttrs (upstream: {

pkgs/additional/nixpkgs-wayland/default.nix

@@ -7,8 +7,8 @@ let
   src = fetchFromGitHub {
     owner = "nix-community";
     repo = "nixpkgs-wayland";
-    rev = "6d1c004b346b6a80d851cc2a66ef4f4c22be0f19";
-    hash = "sha256-p/Kgq0hyHemFTZMdd6ehO6aEhu/eN0XrICc4Qwbjc6A=";
+    rev = "21a4a9425b00f476c6ba656bae3da54eeb05c10a";
+    hash = "sha256-Th5U0PbID2ifs6GFn29QoIJmWMfZCIqYB/Ice1pe7pc=";
   };
   flake = import "${src}/flake.nix";
   evaluated = flake.outputs {
@@ -25,7 +25,7 @@ let
 in src.overrideAttrs (base: {
   # attributes required by update scripts
   pname = "nixpkgs-wayland";
-  version = "0-unstable-2024-08-12";
+  version = "0-unstable-2024-08-13";
   src = src;
 
   # passthru only nixpkgs-wayland's own packages -- not the whole nixpkgs-with-nixpkgs-wayland-as-overlay:

pkgs/additional/nixpkgs/default.nix

@@ -27,12 +27,12 @@
 }:
 let
   lock = {
-    master.rev = "c67d90d51787d796c0a50fcfdab41956fa89ba3d";
-    master.sha256 = "sha256-FLb7zQJoc6d6xir++q1NARVJXsk0jBM7bZfrJndpDiU=";
-    staging.rev = "c67d90d51787d796c0a50fcfdab41956fa89ba3d";
-    staging.sha256 = "sha256-FLb7zQJoc6d6xir++q1NARVJXsk0jBM7bZfrJndpDiU=";
-    staging-next.rev = "c67d90d51787d796c0a50fcfdab41956fa89ba3d";
-    staging-next.sha256 = "sha256-FLb7zQJoc6d6xir++q1NARVJXsk0jBM7bZfrJndpDiU=";
+    master.rev = "02a8f81ccbc8fee8f0be9daf1b1e56830e78382c";
+    master.sha256 = "sha256:0mcjiyp818vldkdg223bln7mwzsgdffnpgl6sg3cf5mfvh8hk0v3";
+    staging.rev = "558b07002999a26ed9bc67f372dd19f6a37b892e";
+    staging.sha256 = "sha256-xP/h4X4ms/gxugNFRxl4q0D1+RwrZA4RsI7okgVVS7E=";
+    staging-next.rev = "d353e29271bcbaab945b7c1c13208950590da9d3";
+    staging-next.sha256 = "sha256-0DdUd/mIqEe5JSWhLYQ1PHMvvrdmnYuVe7l4hWbGTm8=";
   };
   lock' = lock."${variant}";
   unpatchedSrc = fetchzip {
@@ -81,7 +81,7 @@ in
     src.overrideAttrs (base: {
       # attributes needed for update scripts
       pname = "nixpkgs";
-      version = "0-unstable-2024-08-12";
+      version = "0-unstable-2024-08-13";
       passthru = (base.passthru or {}) // nixpkgs // {
         src = unpatchedSrc // {
           inherit (lock') rev;

pkgs/additional/nixpkgs/list.nix

@@ -39,6 +39,16 @@ in
     hash = "sha256-9UrJB/ijXL07H/SESquCCqI1boVoYpDcYqxD+Mx2Mwc=";
   })
 
+  (fetchpatch' {
+    # branch: pr-flatpak-cross
+    title = "flatpak: support cross compilation";
+    prUrl = "https://github.com/NixOS/nixpkgs/pull/334324";
+    saneCommit = "0656837e8bb3aae72245145ea8b2250eadad653d";
+    hash = "sha256-etogClsQ8USoBzfx8eYXUYp+C5VQ0wJs/1LumjtE+9E=";
+    # hash = "sha256-Jo37TmzEbqZQVlFtLQ/hI1AAPXS0dnkXh58eHpuwT5M=";
+    # hash = "sha256-/N3FQ0CZ8IOxEYci2UKOG0POYuTyCTH/ZWTRyjIOlEc=";
+  })
+
   (fetchpatch' {
     title = "syshud: 0-unstable-2024-07-29 -> 0-unstable-2024-08-10";
     prUrl = "https://github.com/NixOS/nixpkgs/pull/333975";

pkgs/additional/sops-nix/default.nix

@@ -6,8 +6,8 @@ let
   src = fetchFromGitHub {
     owner = "Mic92";
     repo = "sops-nix";
-    rev = "8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9";
-    hash = "sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb+N4Ap4=";
+    rev = "be0eec2d27563590194a9206f551a6f73d52fa34";
+    hash = "sha256-N9IcHgj/p1+2Pvk8P4Zc1bfrMwld5PcosVA0nL6IGdE=";
   };
   flake = import "${src}/flake.nix";
   evaluated = flake.outputs {
@@ -21,7 +21,7 @@ in src.overrideAttrs (base: {
   # attributes required by update scripts
   pname = "sops-nix";
   # nix-update-script insists on this weird `assets-` version format
-  version = "assets-unstable-2024-08-05";
+  version = "assets-unstable-2024-08-12";
   src = src;
 
   passthru = base.passthru

pkgs/additional/syshud/default.nix

@@ -9,13 +9,13 @@
 }:
 stdenv.mkDerivation (finalAttrs: {
   pname = "syshud";
-  version = "0-unstable-2024-08-03";
+  version = "0-unstable-2024-08-10";
 
   src = fetchFromGitHub {
     owner = "System64fumo";
     repo = "syshud";
-    rev = "ea0b6a52e110d18783a418013c1be82ff32709a7";
-    hash = "sha256-MLVjdPcnSHCxQ9KbmM1V/jnmh7NrzZZAg13D3a240Q0=";
+    rev = "c7165dc7e28752b49be4ca81ab5db35019d6fcd0";
+    hash = "sha256-P8NgWooRMFl1iuFKQlWDJwMlZ/CIwvf2ctkqvRXt6SA=";
   };
   postPatch = ''
     substituteInPlace Makefile \

pkgs/additional/uassets/default.nix

@@ -5,12 +5,12 @@
 }:
 stdenv.mkDerivation {
   pname = "uassets";
-  version = "0-unstable-2024-08-09";
+  version = "0-unstable-2024-08-13";
   src = fetchFromGitHub {
     owner = "uBlockOrigin";
     repo = "uAssets";
-    rev = "bc41ce0623aedbdbbca0197efbc1b89ee4c7c546";
-    hash = "sha256-wF99LsD0KHO6TXTN2SrW3RsagWoP9vAuYN291CNjGqQ=";
+    rev = "dbd7c4dd0cd3840cc1705f6707d05d6ce10a1870";
+    hash = "sha256-XMXorzdbHv504I+u+2QWXk2YyykdlDGx8GK3meIkI0s=";
   };
 
   dontBuild = true;