Merge master into staging-next

.github/CODEOWNERS

@@ -310,3 +310,8 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/build-support/node/build-npm-package      @winterqt
 /pkgs/build-support/node/fetch-npm-deps         @winterqt
 /doc/languages-frameworks/javascript.section.md @winterqt
+
+# OCaml
+/pkgs/build-support/ocaml           @romildo @superherointj @ulrikstrid
+/pkgs/development/compilers/ocaml   @romildo @superherointj @ulrikstrid
+/pkgs/development/ocaml-modules     @romildo @superherointj @ulrikstrid

pkgs/applications/graphics/jpegoptim/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, libjpeg }:
+{ lib, stdenv, fetchFromGitHub, fetchpatch, libjpeg }:
 
 stdenv.mkDerivation rec {
   version = "1.5.2";
@@ -11,6 +11,14 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-PROQvOqsis8we58OOZ/kuY+L/CoV7XfnY9wvrpsTJu8=";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2023-27781.patch";
+      url = "https://github.com/tjko/jpegoptim/commit/29a073ad297a0954f5e865264e24755d0ffe53ed.patch";
+      hash = "sha256-YUjVg0cvElhzMG3b4t5bqcqnHAuzDoNvSqe0yvlgX4E=";
+    })
+  ];
+
   # There are no checks, it seems.
   doCheck = false;
 

pkgs/applications/networking/cluster/nomad/default.nix

@@ -62,9 +62,9 @@ rec {
 
   nomad_1_4 = generic {
     buildGoModule = buildGo120Module;
-    version = "1.4.4";
-    sha256 = "sha256-mAimuWolTJ3lMY/ArnLZFu+GZv9ADdGsriXsTcEgdYc=";
-    vendorSha256 = "sha256-QtP7pzsIBd2S79AUcbOeVG71Mb5qK706rq5DkT41VqM=";
+    version = "1.4.6";
+    sha256 = "sha256-l4GvQIS5JSSgjBjPivAKAb7gKlVLw4WoZpPR8LxnLNc=";
+    vendorSha256 = "sha256-05BhKF6kx0wbu74cidpTFhUN668R/AxV6qWmchCm/WE=";
     passthru.tests.nomad = nixosTests.nomad;
   };
 }

pkgs/applications/networking/instant-messengers/slack/default.nix

@@ -172,8 +172,7 @@ let
       makeWrapper $out/lib/slack/slack $out/bin/slack \
         --prefix XDG_DATA_DIRS : $GSETTINGS_SCHEMAS_PATH \
         --suffix PATH : ${lib.makeBinPath [xdg-utils]} \
-        --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" \
-        --add-flags "\''${WAYLAND_DISPLAY:+--enable-features=WebRTCPipeWireCapturer}"
+        --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations,WebRTCPipeWireCapturer}}"
 
       # Fix the desktop link
       substituteInPlace $out/share/applications/slack.desktop \

pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix

@@ -26,7 +26,7 @@ let
     "unshareUser" "unshareCgroup" "unshareUts" "unshareNet" "unsharePid" "unshareIpc"
   ]);
 
-  etcBindFlags = let
+  etcBindEntries = let
     files = [
       # NixOS Compatibility
       "static"
@@ -69,8 +69,7 @@ let
       "ca-certificates"
       "pki"
     ];
-  in concatStringsSep "\n  "
-  (map (file: "--ro-bind-try $(${coreutils}/bin/readlink -m /etc/${file}) /etc/${file}") files);
+  in map (path: "/etc/${path}") files;
 
   # Create this on the fly instead of linking from /nix
   # The container might have to modify it and re-run ldconfig if there are
@@ -99,19 +98,20 @@ let
   '';
 
   bwrapCmd = { initArgs ? "" }: ''
-    blacklist=(/nix /dev /proc /etc)
+    ignored=(/nix /dev /proc /etc)
     ro_mounts=()
     symlinks=()
+    etc_ignored=()
     for i in ${env}/*; do
       path="/''${i##*/}"
       if [[ $path == '/etc' ]]; then
         :
       elif [[ -L $i ]]; then
         symlinks+=(--symlink "$(${coreutils}/bin/readlink "$i")" "$path")
-        blacklist+=("$path")
+        ignored+=("$path")
       else
         ro_mounts+=(--ro-bind "$i" "$path")
-        blacklist+=("$path")
+        ignored+=("$path")
       fi
     done
 
@@ -124,14 +124,26 @@ let
           continue
         fi
         ro_mounts+=(--ro-bind "$i" "/etc$path")
+        etc_ignored+=("/etc$path")
       done
     fi
 
+    for i in ${lib.escapeShellArgs etcBindEntries}; do
+      if [[ "''${etc_ignored[@]}" =~ "$i" ]]; then
+        continue
+      fi
+      if [[ -L $i ]]; then
+        symlinks+=(--symlink "$(${coreutils}/bin/readlink "$i")" "$i")
+      else
+        ro_mounts+=(--ro-bind-try "$i" "$i")
+      fi
+    done
+
     declare -a auto_mounts
     # loop through all directories in the root
     for dir in /*; do
-      # if it is a directory and it is not in the blacklist
-      if [[ -d "$dir" ]] && [[ ! "''${blacklist[@]}" =~ "$dir" ]]; then
+      # if it is a directory and it is not ignored
+      if [[ -d "$dir" ]] && [[ ! "''${ignored[@]}" =~ "$dir" ]]; then
         # add it to the mount list
         auto_mounts+=(--bind "$dir" "$dir")
       fi
@@ -179,7 +191,6 @@ let
       --symlink /etc/ld.so.cache ${pkgsi686Linux.glibc}/etc/ld.so.cache \
       --ro-bind ${pkgsi686Linux.glibc}/etc/rpc ${pkgsi686Linux.glibc}/etc/rpc \
       --remount-ro ${pkgsi686Linux.glibc}/etc \
-      ${etcBindFlags}
       "''${ro_mounts[@]}"
       "''${symlinks[@]}"
       "''${auto_mounts[@]}"

pkgs/development/python-modules/lightning-utilities/default.nix

@@ -16,14 +16,14 @@
 
 buildPythonPackage rec {
   pname = "lightning-utilities";
-  version = "0.7.1";
+  version = "0.8.0";
   format = "pyproject";
 
   src = fetchFromGitHub {
     owner = "Lightning-AI";
     repo = "utilities";
     rev = "refs/tags/v${version}";
-    hash = "sha256-xjE5FsU1d/YcVHlfjtZE0T2LjGvsIOzbGJFU7PMDqdc=";
+    hash = "sha256-uwmX+/SK2zBkZQbN/t/DZ3i+XbdAJ/RM+Q649QwMUz0=";
   };
 
   nativeBuildInputs = [
@@ -57,7 +57,13 @@ buildPythonPackage rec {
 
   disabledTestPaths = [
     "docs"
+    # doctests that expect docs.txt in the wrong location
+    "src/lightning_utilities/install/requirements.py"
+  ];
 
+  pytestFlagsArray = [
+    # warns about distutils removal in python 3.12
+    "-W" "ignore::DeprecationWarning"
   ];
 
   meta = with lib; {

pkgs/development/python-modules/pdm-backend/default.nix

@@ -15,14 +15,14 @@
 
 buildPythonPackage rec {
   pname = "pdm-backend";
-  version = "2.0.2";
+  version = "2.0.5";
   format = "pyproject";
 
   src = fetchFromGitHub {
     owner = "pdm-project";
     repo = "pdm-backend";
     rev = "refs/tags/${version}";
-    hash = "sha256-3Wgc4kKQcE2FzfcqTs9jtfJ1Oj+qtHiDM4q8KuMNAak=";
+    hash = "sha256-d5kr5pr9tBc6So0wTy3/ASgk8KTOf2AV8Vfsmml5Qh0=";
   };
 
   propagatedBuildInputs = lib.optionals (pythonOlder "3.10") [

pkgs/development/python-modules/pypdf/default.nix

@@ -24,7 +24,7 @@
 
 buildPythonPackage rec {
   pname = "pypdf";
-  version = "3.5.1";
+  version = "3.5.2";
   format = "pyproject";
 
   src = fetchFromGitHub {
@@ -33,7 +33,7 @@ buildPythonPackage rec {
     rev = "refs/tags/${version}";
     # fetch sample files used in tests
     fetchSubmodules = true;
-    hash = "sha256-2Ewa6mTLSNiUFIplfmZDRXmoiX1IQMwg4wq5dAU0O+4=";
+    hash = "sha256-f+M4sfUzDy8hxHUiWG9hyu0EYvnjNA46OtHzBSJdID0=";
   };
 
   outputs = [

pkgs/os-specific/linux/usbguard-notifier/default.nix

@@ -0,0 +1,44 @@
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+  autoreconfHook,
+  pkg-config,
+  libqb,
+  usbguard,
+  librsvg,
+  libnotify,
+  catch2,
+  asciidoc,
+}:
+
+stdenv.mkDerivation rec {
+  pname = "usbguard-notifier";
+  version = "0.1.0";
+
+  src = fetchFromGitHub {
+    owner = "Cropi";
+    repo = pname;
+    rev = "${pname}-${version}";
+    hash = "sha256-gWvCGSbOuey2ELAPD2WCG4q77IClL0S7rE2RaUJDc1I=";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkg-config asciidoc ];
+  buildInputs = [ libqb usbguard librsvg libnotify ];
+
+  configureFlags = [ "CPPFLAGS=-I${catch2}/include/catch2" ];
+
+  prePatch = ''
+    substituteInPlace configure.ac \
+      --replace 'AC_MSG_FAILURE([Cannot detect the systemd system unit dir])' \
+        'systemd_unit_dir="$out/lib/systemd/user"'
+  '';
+
+  meta = {
+    description = "Notifications for detecting usbguard policy and device presence changes";
+    homepage = "https://github.com/Cropi/usbguard-notifier";
+    maintainers = with lib.maintainers; [ fpletz ];
+    platforms = lib.platforms.linux;
+    license = lib.licenses.gpl2Plus;
+  };
+}

pkgs/servers/x11/xorg/default.nix

@@ -178,11 +178,11 @@ self: with self; {
   # THIS IS A GENERATED FILE.  DO NOT EDIT!
   fontalias = callPackage ({ stdenv, pkg-config, fetchurl }: stdenv.mkDerivation {
     pname = "font-alias";
-    version = "1.0.4";
+    version = "1.0.5";
     builder = ./builder.sh;
     src = fetchurl {
-      url = "mirror://xorg/individual/font/font-alias-1.0.4.tar.bz2";
-      sha256 = "0xjjjindczv3g7m1597l0x19zz75xy70wh5garghz61fpzl1l4gk";
+      url = "mirror://xorg/individual/font/font-alias-1.0.5.tar.xz";
+      sha256 = "0vkb5mybc0fjfq29lgf5w1b536bwifzkyj8ad9iy7q3kpcby52cz";
     };
     hardeningDisable = [ "bindnow" "relro" ];
     strictDeps = true;

pkgs/servers/x11/xorg/tarballs.list

@@ -135,7 +135,7 @@ mirror://xorg/individual/font/font-adobe-75dpi-1.0.3.tar.bz2
 mirror://xorg/individual/font/font-adobe-utopia-100dpi-1.0.4.tar.bz2
 mirror://xorg/individual/font/font-adobe-utopia-75dpi-1.0.4.tar.bz2
 mirror://xorg/individual/font/font-adobe-utopia-type1-1.0.4.tar.bz2
-mirror://xorg/individual/font/font-alias-1.0.4.tar.bz2
+mirror://xorg/individual/font/font-alias-1.0.5.tar.xz
 mirror://xorg/individual/font/font-arabic-misc-1.0.3.tar.bz2
 mirror://xorg/individual/font/font-bh-100dpi-1.0.3.tar.bz2
 mirror://xorg/individual/font/font-bh-75dpi-1.0.3.tar.bz2

pkgs/tools/admin/aws-vault/default.nix

@@ -7,16 +7,16 @@
 }:
 buildGoModule rec {
   pname = "aws-vault";
-  version = "7.0.2";
+  version = "7.1.1";
 
   src = fetchFromGitHub {
     owner = "99designs";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-uNe2dltwLoUBUH/p4CN6HCOvBsq2yASxxwkSEtkJRbQ=";
+    sha256 = "sha256-ydg//2t+B02eXwnwsmECx+I8oluPf6dKntz7L6gWV88=";
   };
 
-  vendorHash = "sha256-CPn4JLIZz23ZNcl3LPJumx20WOXTI13s69MVo/Pof+s=";
+  vendorHash = "sha256-4bJKDEZlO0DzEzTQ7m+SQuzhe+wKmL6wLueqgSz/46s=";
 
   nativeBuildInputs = [ installShellFiles makeWrapper ];
 

pkgs/tools/admin/balena-cli/default.nix

@@ -0,0 +1,61 @@
+{ lib
+, stdenv
+, fetchzip
+}:
+
+let
+  inherit (stdenv.hostPlatform) system;
+  throwSystem = throw "Unsupported system: ${system}";
+
+  plat = {
+    x86_64-linux = "linux-x64";
+    x86_64-darwin = "macOS-x64";
+    # Balena only packages for x86 so we rely on Rosetta for Apple Silicon
+    aarch64-darwin = "macOS-x64";
+    x86_64-windows = "windows-x64";
+  }.${system} or throwSystem;
+
+  sha256 = {
+    x86_64-linux = "0gxki6w8p7ihv0zy02978hg8i242algiw0wpcajrvbx1ncbcb7yn";
+    x86_64-darwin = "1ihxyf35px3s6q2yk4p3dy03rcj93hy96bj3pxqlv0rp05gnsf02";
+    aarch64-darwin = "1ihxyf35px3s6q2yk4p3dy03rcj93hy96bj3pxqlv0rp05gnsf02";
+    x86_64-windows = "104hc3qvs04l2hmjmp0bcjr5g5scp4frhprk1fpszziqhdmhwa40";
+  }.${system} or throwSystem;
+in
+stdenv.mkDerivation rec {
+  pname = "balena-cli";
+  version = "15.1.1";
+
+  src = fetchzip {
+    url = "https://github.com/balena-io/balena-cli/releases/download/v${version}/balena-cli-v${version}-${plat}-standalone.zip";
+    inherit sha256;
+  };
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/bin
+    cp -r ./* $out/
+
+    ln -s $out/balena $out/bin/balena
+
+    runHook postInstall
+  '';
+
+  meta = with lib; {
+    description = "A command line interface for balenaCloud or openBalena";
+    longDescription = ''
+      The balena CLI is a Command Line Interface for balenaCloud or openBalena. It is a software
+      tool available for Windows, macOS and Linux, used through a command prompt / terminal window.
+      It can be used interactively or invoked in scripts. The balena CLI builds on the balena API
+      and the balena SDK, and can also be directly imported in Node.js applications.
+    '';
+    homepage = "https://github.com/balena-io/balena-cli";
+    changelog = "https://github.com/balena-io/balena-cli/blob/v${version}/CHANGELOG.md";
+    license = licenses.asl20;
+    maintainers = [ maintainers.kalebpace ];
+    platforms = platforms.linux ++ platforms.darwin ++ platforms.cygwin ++ platforms.windows;
+    sourceProvenance = [ sourceTypes.binaryNativeCode ];
+    mainProgram = "balena";
+  };
+}

pkgs/tools/misc/tbls/default.nix

@@ -7,13 +7,13 @@
 
 buildGoModule rec {
   pname = "tbls";
-  version = "1.62.1";
+  version = "1.63.0";
 
   src = fetchFromGitHub {
     owner = "k1LoW";
     repo = "tbls";
     rev = "v${version}";
-    hash = "sha256-x3Bh/xB/x71xNjVL5zqp1ag8TPQoxOpuOyDE1f54sGQ=";
+    hash = "sha256-r0jCuSTNx5BVkJshPSAO5Wwz1C2Lw2AYXYA46cMB+qY=";
   };
 
   vendorHash = "sha256-YrDQSySBplYgakgvb6BwK1AK6h0Usy8MvCndHSSYrlQ=";

pkgs/tools/security/vault/vault-bin.nix

@@ -2,7 +2,7 @@
 
 stdenv.mkDerivation rec {
   pname = "vault-bin";
-  version = "1.12.2";
+  version = "1.13.0";
 
   src =
     let
@@ -16,11 +16,11 @@ stdenv.mkDerivation rec {
         aarch64-darwin = "darwin_arm64";
       };
       sha256 = selectSystem {
-        x86_64-linux = "sha256-viBGcd6MmevCOKBmizzTKzcAQ93kcvg4dZE70dhy4O4=";
-        aarch64-linux = "sha256-2Zy96bTP3N6CFCOJgPI0DTnsAvraBlFax3TeB+j/7Yw=";
-        i686-linux = "sha256-PZLDSeg9d01iL6e+EoRjpXwnoA8DUwTFcKL7X3S26mw=";
-        x86_64-darwin = "sha256-xV6bZVpTtEIZMeMVff+hmDKK7qVkItQ0ZRC0yycxad0=";
-        aarch64-darwin = "sha256-K0b8O04ZSrKbuM8tu3nt2tI7FktOpqwHEpoNTWYJpm4=";
+        x86_64-linux = "sha256-UIgFgfpqsWsjmyuU3Z/dA282S8gZ2RR2vUuvZngvQQk=";
+        aarch64-linux = "sha256-IEuFgfWmRl5ewrA0GX0Rv/88EbWnuWLag2InZ1oHaiU=";
+        i686-linux = "sha256-hm9SAZOanMckINTVUBQs+bn3X8p3m7gtw9F0gdMKJXA=";
+        x86_64-darwin = "sha256-/tjJFCBgsBvGa6icNIXz8DCmiKjjcoIC9/3dcSK4400=";
+        aarch64-darwin = "sha256-xdwSjDZdrUunhyBqZJMjuaFBI961JgU5mWw6UQr3oj0=";
       };
     in
     fetchzip {

pkgs/top-level/all-packages.nix

@@ -1429,6 +1429,8 @@ with pkgs;
 
   asleap = callPackage ../tools/networking/asleap { };
 
+  balena-cli = callPackage ../tools/admin/balena-cli { };
+
   butler = callPackage ../games/itch/butler.nix {
     inherit (darwin.apple_sdk.frameworks) Cocoa;
   };
@@ -27184,6 +27186,8 @@ with pkgs;
 
   usbguard = callPackage ../os-specific/linux/usbguard { };
 
+  usbguard-notifier = callPackage ../os-specific/linux/usbguard-notifier { };
+
   usbrelay = callPackage ../os-specific/linux/usbrelay { };
   usbrelayd = callPackage ../os-specific/linux/usbrelay/daemon.nix { };