From 121e2f7e1554794e7392427cf77e94ab9887871e Mon Sep 17 00:00:00 2001
From: wucke13 <wucke13@gmail.com>
Date: Sun, 19 Dec 2021 13:39:42 +0100
Subject: [PATCH 01/53] honor sdImage.compressImage in intermediate build steps

---
 nixos/lib/make-ext4-fs.nix                   |  9 +++++++++
 nixos/modules/installer/sd-card/sd-image.nix | 15 ++++++++++-----
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/nixos/lib/make-ext4-fs.nix b/nixos/lib/make-ext4-fs.nix
index 416beeb32f2f..b8e1b8d24c48 100644
--- a/nixos/lib/make-ext4-fs.nix
+++ b/nixos/lib/make-ext4-fs.nix
@@ -78,6 +78,15 @@ pkgs.stdenv.mkDerivation {
       # get rid of the unnecessary slack here--but see
       # https://github.com/NixOS/nixpkgs/issues/125121 for caveats.
 
+      # shrink to fit
+      resize2fs -M $img
+
+      # Add 16 MebiByte to the current_size
+      new_size=$(dumpe2fs -h $img | awk -F: \
+        '/Block count/{count=$2} /Block size/{size=$2} END{print (count*size+16*2**20)/size}')
+
+      resize2fs $img $new_size
+
       if [ ${builtins.toString compressImage} ]; then
         echo "Compressing image"
         zstd -v --no-progress ./$img -o $out
diff --git a/nixos/modules/installer/sd-card/sd-image.nix b/nixos/modules/installer/sd-card/sd-image.nix
index a964cf2d6f85..1fd2db39fc56 100644
--- a/nixos/modules/installer/sd-card/sd-image.nix
+++ b/nixos/modules/installer/sd-card/sd-image.nix
@@ -18,7 +18,7 @@ with lib;
 let
   rootfsImage = pkgs.callPackage ../../../lib/make-ext4-fs.nix ({
     inherit (config.sdImage) storePaths;
-    compressImage = true;
+    compressImage = config.sdImage.compressImage;
     populateImageCommands = config.sdImage.populateRootCommands;
     volumeLabel = "NIXOS_SD";
   } // optionalAttrs (config.sdImage.rootPartitionUUID != null) {
@@ -174,7 +174,8 @@ in
     mtools, libfaketime, util-linux, zstd }: stdenv.mkDerivation {
       name = config.sdImage.imageName;
 
-      nativeBuildInputs = [ dosfstools e2fsprogs mtools libfaketime util-linux zstd ];
+      nativeBuildInputs = [ dosfstools e2fsprogs libfaketime mtools util-linux ]
+      ++ lib.optional config.sdImage.compressImage zstd;
 
       inherit (config.sdImage) compressImage;
 
@@ -189,14 +190,18 @@ in
           echo "file sd-image $img" >> $out/nix-support/hydra-build-products
         fi
 
+        root_fs=${rootfsImage}
+        ${lib.optionalString config.sdImage.compressImage ''
+        root_fs=./root-fs.img
         echo "Decompressing rootfs image"
-        zstd -d --no-progress "${rootfsImage}" -o ./root-fs.img
+        zstd -d --no-progress "${rootfsImage}" -o $root_fs
+        ''}
 
         # Gap in front of the first partition, in MiB
         gap=${toString config.sdImage.firmwarePartitionOffset}
 
         # Create the image file sized to fit /boot/firmware and /, plus slack for the gap.
-        rootSizeBlocks=$(du -B 512 --apparent-size ./root-fs.img | awk '{ print $1 }')
+        rootSizeBlocks=$(du -B 512 --apparent-size $root_fs | awk '{ print $1 }')
         firmwareSizeBlocks=$((${toString config.sdImage.firmwareSize} * 1024 * 1024 / 512))
         imageSize=$((rootSizeBlocks * 512 + firmwareSizeBlocks * 512 + gap * 1024 * 1024))
         truncate -s $imageSize $img
@@ -214,7 +219,7 @@ in
 
         # Copy the rootfs into the SD image
         eval $(partx $img -o START,SECTORS --nr 2 --pairs)
-        dd conv=notrunc if=./root-fs.img of=$img seek=$START count=$SECTORS
+        dd conv=notrunc if=$root_fs of=$img seek=$START count=$SECTORS
 
         # Create a FAT32 /boot/firmware partition of suitable size into firmware_part.img
         eval $(partx $img -o START,SECTORS --nr 1 --pairs)

From 83602a5aba89105ba5b8d6cbf30c88e497d1e482 Mon Sep 17 00:00:00 2001
From: FliegendeWurst <2012gdwu+github@posteo.de>
Date: Sun, 22 May 2022 17:54:13 +0200
Subject: [PATCH 02/53] htmldoc: 1.9.15 -> 1.9.16

---
 pkgs/tools/typesetting/htmldoc/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/tools/typesetting/htmldoc/default.nix b/pkgs/tools/typesetting/htmldoc/default.nix
index 9ce2de02d302..06c660625ae5 100644
--- a/pkgs/tools/typesetting/htmldoc/default.nix
+++ b/pkgs/tools/typesetting/htmldoc/default.nix
@@ -2,12 +2,12 @@
 
 stdenv.mkDerivation rec {
   pname = "htmldoc";
-  version = "1.9.15";
+  version = "1.9.16";
   src = fetchFromGitHub {
     owner = "michaelrsweet";
     repo = "htmldoc";
     rev = "v${version}";
-    sha256 = "sha256-WNsYJacZBYoZ8Bxj+InQ9ePvelqhU5y9nY7aikUNxEk=";
+    sha256 = "117cj5sfzl18gan53ld8lxb0wycizcp9jcakcs3nsvnss99rw3a6";
   };
 
   nativeBuildInputs = [ pkg-config ];

From fa22eab4c1313eeb57a8c77b4bf6b01bd3f05e6e Mon Sep 17 00:00:00 2001
From: Thomas Gerbet <thomas@gerbet.me>
Date: Sun, 22 May 2022 18:20:49 +0200
Subject: [PATCH 03/53] metabase: 0.42.1 -> 0.43.1

Fixes CVE-2022-24853, CVE-2022-24854 and CVE-2022-24855

https://github.com/metabase/metabase/releases/tag/v0.43.1
https://github.com/metabase/metabase/releases/tag/v0.43.0
---
 pkgs/servers/metabase/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/servers/metabase/default.nix b/pkgs/servers/metabase/default.nix
index 814626fec125..f31b2547f52c 100644
--- a/pkgs/servers/metabase/default.nix
+++ b/pkgs/servers/metabase/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "metabase";
-  version = "0.42.1";
+  version = "0.43.1";
 
   src = fetchurl {
     url = "https://downloads.metabase.com/v${version}/metabase.jar";
-    hash = "sha256-PmcVVAS/5mDhmOSoFvkZeYkbvFD/KOcgVYuScwD4Olg=";
+    hash = "sha256-WGbIsmCWsSxgE7Ktr539qTt/o5cJrYi0yu3ZkfbxOV0=";
   };
 
   nativeBuildInputs = [ makeWrapper ];

From c3182eace3fe93b30e4e245254bd0503c6bd183f Mon Sep 17 00:00:00 2001
From: Thomas Gerbet <thomas@gerbet.me>
Date: Sun, 22 May 2022 18:45:16 +0200
Subject: [PATCH 04/53] panotools: 2.9.20 -> 2.9.21

Fixes CVE-2021-33293

https://sourceforge.net/projects/panotools/files/libpano13/libpano13-2.9.21/
---
 pkgs/applications/graphics/panotools/default.nix | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/pkgs/applications/graphics/panotools/default.nix b/pkgs/applications/graphics/panotools/default.nix
index 52351fab4ce5..dbc5b973fe9c 100644
--- a/pkgs/applications/graphics/panotools/default.nix
+++ b/pkgs/applications/graphics/panotools/default.nix
@@ -1,15 +1,16 @@
-{ fetchurl, lib, stdenv, libjpeg, libpng, libtiff, perl }:
+{ fetchurl, lib, stdenv, libjpeg, libpng, libtiff, perl, cmake }:
 
 stdenv.mkDerivation rec {
   pname = "libpano13";
-  version = "2.9.20";
+  version = "2.9.21";
 
   src = fetchurl {
     url = "mirror://sourceforge/panotools/${pname}-${version}.tar.gz";
-    sha256 = "12cv4886l1czfjwy7k6ipgf3zjksgwhdjzr2s9fdg33vqcv2hlrv";
+    sha256 = "sha256-eeWhRSGZMF4pYUYnIO9ZQRUnecEnxblvw0DSSS5jNZA=";
   };
 
   buildInputs = [ perl libjpeg libpng libtiff ];
+  nativeBuildInputs = [ cmake ];
 
   # one of the tests succeeds on my machine but fails on Hydra (no idea why)
   #doCheck = true;

From 116832edbf8da93dedaca69384083e57b7c9f9a0 Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Fri, 3 Dec 2021 12:23:23 +0000
Subject: [PATCH 05/53] dockerTools: Add example of using NixOS' etc

(cherry picked from commit 9b2af8673be82d48ce76c8c152de85ad921d26ba)
---
 nixos/tests/docker-tools.nix           |  5 ++++
 pkgs/build-support/docker/examples.nix | 41 ++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/nixos/tests/docker-tools.nix b/nixos/tests/docker-tools.nix
index 80859ac7a96e..99a968f17af2 100644
--- a/nixos/tests/docker-tools.nix
+++ b/nixos/tests/docker-tools.nix
@@ -419,5 +419,10 @@ import ./make-test-python.nix ({ pkgs, ... }: {
             "docker rmi layered-image-with-path",
         )
 
+    with subtest("etc"):
+        docker.succeed("${examples.etc} | docker load")
+        docker.succeed("docker run --rm etc | grep localhost")
+        docker.succeed("docker image rm etc:latest")
+
   '';
 })
diff --git a/pkgs/build-support/docker/examples.nix b/pkgs/build-support/docker/examples.nix
index 9b9a21a1469c..a1be3a111fb3 100644
--- a/pkgs/build-support/docker/examples.nix
+++ b/pkgs/build-support/docker/examples.nix
@@ -9,6 +9,16 @@
 
 { pkgs, buildImage, buildLayeredImage, fakeNss, pullImage, shadowSetup, buildImageWithNixDb, pkgsCross }:
 
+let
+  nixosLib = import ../../../nixos/lib {
+    # Experimental features need testing too, but there's no point in warning
+    # about it, so we enable the feature flag.
+    featureFlags.minimalModules = {};
+  };
+  evalMinimalConfig = module: nixosLib.evalModules { modules = [ module ]; };
+
+in
+
 rec {
   # 1. basic example
   bash = buildImage {
@@ -582,6 +592,37 @@ rec {
     includeStorePaths = false;
   };
 
+  etc =
+    let
+      inherit (pkgs) lib;
+      nixosCore = (evalMinimalConfig ({ config, ... }: {
+        imports = [
+          pkgs.pkgsModule
+          ../../../nixos/modules/system/etc/etc.nix
+        ];
+        environment.etc."hosts" = {
+          text = ''
+            127.0.0.1 localhost
+            ::1 localhost
+          '';
+          # For executables:
+          # mode = "0755";
+        };
+      }));
+    in pkgs.dockerTools.streamLayeredImage {
+      name = "etc";
+      tag = "latest";
+      enableFakechroot = true;
+      fakeRootCommands = ''
+        mkdir -p /etc
+        ${nixosCore.config.system.build.etcActivationCommands}
+      '';
+      config.Cmd = pkgs.writeScript "etc-cmd" ''
+        #!${pkgs.busybox}/bin/sh
+        ${pkgs.busybox}/bin/cat /etc/hosts
+      '';
+    };
+
   # Example export of the bash image
   exportBash = pkgs.dockerTools.exportImage { fromImage = bash; };
 

From 44522c1d5996ac1a16a2f7672b7306d557bd5a26 Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Mon, 30 May 2022 14:32:14 +0200
Subject: [PATCH 06/53] dockerTools.examples.etc: Make it a reliable test

/etc/hosts is generally also provided by the container runtime.
---
 pkgs/build-support/docker/examples.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/build-support/docker/examples.nix b/pkgs/build-support/docker/examples.nix
index a1be3a111fb3..f0535f59dfcc 100644
--- a/pkgs/build-support/docker/examples.nix
+++ b/pkgs/build-support/docker/examples.nix
@@ -600,7 +600,7 @@ rec {
           pkgs.pkgsModule
           ../../../nixos/modules/system/etc/etc.nix
         ];
-        environment.etc."hosts" = {
+        environment.etc."some-config-file" = {
           text = ''
             127.0.0.1 localhost
             ::1 localhost
@@ -619,7 +619,7 @@ rec {
       '';
       config.Cmd = pkgs.writeScript "etc-cmd" ''
         #!${pkgs.busybox}/bin/sh
-        ${pkgs.busybox}/bin/cat /etc/hosts
+        ${pkgs.busybox}/bin/cat /etc/some-config-file
       '';
     };
 

From 95052027078143e62c65869474d33bb2023ab184 Mon Sep 17 00:00:00 2001
From: Nikolay Korotkiy <sikmir@disroot.org>
Date: Tue, 7 Jun 2022 23:44:08 +0300
Subject: [PATCH 07/53] =?UTF-8?q?gpxsee:=2011.0=20=E2=86=92=2011.1?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 pkgs/applications/misc/gpxsee/default.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkgs/applications/misc/gpxsee/default.nix b/pkgs/applications/misc/gpxsee/default.nix
index fa85ad367ec2..7ce85dc6f767 100644
--- a/pkgs/applications/misc/gpxsee/default.nix
+++ b/pkgs/applications/misc/gpxsee/default.nix
@@ -1,14 +1,14 @@
-{ lib, stdenv, fetchFromGitHub, qmake, qttools, qttranslations, qtlocation, wrapQtAppsHook, substituteAll }:
+{ lib, stdenv, fetchFromGitHub, qmake, qttools, qttranslations, qtlocation, qtpbfimageplugin, wrapQtAppsHook, substituteAll }:
 
 stdenv.mkDerivation rec {
   pname = "gpxsee";
-  version = "11.0";
+  version = "11.1";
 
   src = fetchFromGitHub {
     owner = "tumic0";
     repo = "GPXSee";
     rev = version;
-    sha256 = "sha256-UT3Q7pirEXvwQmqHHiSivX/VNZPVLwRJ/aiP7wpkhqQ=";
+    sha256 = "sha256-0n1XPrJ+gssIP/7k9CI8AWXs9ddKOg3Lo3DfrXGUl84=";
   };
 
   patches = (substituteAll {
@@ -17,7 +17,7 @@ stdenv.mkDerivation rec {
     inherit qttranslations;
   });
 
-  buildInputs = [ qtlocation ];
+  buildInputs = [ qtlocation qtpbfimageplugin ];
 
   nativeBuildInputs = [ qmake qttools wrapQtAppsHook ];
 

From a12e52541099e5239d645018daf26a02cc60dd5d Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Thu, 9 Jun 2022 21:05:16 +0200
Subject: [PATCH 08/53] nixos/bitlbee: allow writing to configDir

---
 nixos/modules/services/networking/bitlbee.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nixos/modules/services/networking/bitlbee.nix b/nixos/modules/services/networking/bitlbee.nix
index 8bf04e3a1a23..f76cffc79bfa 100644
--- a/nixos/modules/services/networking/bitlbee.nix
+++ b/nixos/modules/services/networking/bitlbee.nix
@@ -174,6 +174,7 @@ in
         serviceConfig = {
           DynamicUser = true;
           StateDirectory = "bitlbee";
+          ReadWritePaths = [ cfg.configDir ];
           ExecStart = "${bitlbeePkg}/sbin/bitlbee -F -n -c ${bitlbeeConfig}";
         };
       };

From f6281356b46526e11c47ed3240ed733fdac81e59 Mon Sep 17 00:00:00 2001
From: Azat Bahawi <azat@bahawi.net>
Date: Sun, 12 Jun 2022 02:55:48 +0300
Subject: [PATCH 09/53] elfinfo: use buildGoModule

---
 pkgs/development/tools/misc/elfinfo/default.nix | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/pkgs/development/tools/misc/elfinfo/default.nix b/pkgs/development/tools/misc/elfinfo/default.nix
index e3ee51c58fdc..b9a6dc0c39b4 100644
--- a/pkgs/development/tools/misc/elfinfo/default.nix
+++ b/pkgs/development/tools/misc/elfinfo/default.nix
@@ -1,20 +1,25 @@
-{ lib, buildGoPackage, fetchFromGitHub }:
+{ lib
+, buildGoModule
+, fetchFromGitHub
+}:
 
-buildGoPackage rec {
+buildGoModule rec {
   pname = "elfinfo";
   version = "1.1.0";
 
-  goPackagePath = "github.com/xyproto/elfinfo";
   src = fetchFromGitHub {
-    rev = version;
     owner = "xyproto";
     repo = "elfinfo";
+    rev = version;
     sha256 = "1n8bg0rcq9fqa6rdnk6x9ngvm59hcayblkpjv9j5myn2vmm6fv8m";
   };
 
+  vendorSha256 = null;
+
   meta = with lib; {
     description = "Small utility for showing information about ELF files";
     homepage = "https://elfinfo.roboticoverlords.org/";
+    changelog = "https://github.com/xyproto/elfinfo/releases/tag/${version}";
     license = licenses.mit;
     maintainers = with maintainers; [ dtzWill ];
   };

From cee66a8cd5288493c001376e9bf22825777d5326 Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Wed, 25 May 2022 11:49:17 +0200
Subject: [PATCH 10/53] make-options-doc: Support Nix-provided declaration
 links

Previously, the location logic was hardcoded, supporting only
Nixpkgs and NixOps properly, leaving other uses of the module
system without good location support.
---
 .../lib/make-options-doc/options-to-docbook.xsl | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/nixos/lib/make-options-doc/options-to-docbook.xsl b/nixos/lib/make-options-doc/options-to-docbook.xsl
index 03e14365cda9..07d69649523f 100644
--- a/nixos/lib/make-options-doc/options-to-docbook.xsl
+++ b/nixos/lib/make-options-doc/options-to-docbook.xsl
@@ -213,6 +213,23 @@
 
   <xsl:template match="attr[@name = 'declarations' or @name = 'definitions']">
     <simplelist>
+      <!--
+        Example:
+          opt.declarations = [ { name = "foo/bar.nix"; url = "https://github.com/....."; } ];
+      -->
+      <xsl:for-each select="list/attrs[attr[@name = 'name']]">
+        <member><filename>
+          <xsl:if test="attr[@name = 'url']">
+            <xsl:attribute name="xlink:href"><xsl:value-of select="attr[@name = 'url']/string/@value"/></xsl:attribute>
+          </xsl:if>
+          <xsl:value-of select="attr[@name = 'name']/string/@value"/>
+        </filename></member>
+      </xsl:for-each>
+
+      <!--
+        When the declarations/definitions are raw strings,
+        fall back to hardcoded location logic, specific to Nixpkgs.
+      -->
       <xsl:for-each select="list/string">
         <member><filename>
           <!-- Hyperlink the filename either to the NixOS Subversion

From 11b33fcdccf8d40738ba28f9e9eb7133559d9aa8 Mon Sep 17 00:00:00 2001
From: Robert Hensing <robert@roberthensing.nl>
Date: Wed, 15 Jun 2022 00:44:09 +0200
Subject: [PATCH 11/53] doc: Fix config options reference file links

---
 doc/doc-support/default.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/doc/doc-support/default.nix b/doc/doc-support/default.nix
index 7c00195ab390..429c7a5fbe80 100644
--- a/doc/doc-support/default.nix
+++ b/doc/doc-support/default.nix
@@ -1,5 +1,8 @@
 { pkgs ? (import ../.. {}), nixpkgs ? { }}:
 let
+  inherit (pkgs) lib;
+  inherit (lib) hasPrefix removePrefix;
+
   locationsXml = import ./lib-function-locations.nix { inherit pkgs nixpkgs; };
   functionDocs = import ./lib-function-docs.nix { inherit locationsXml pkgs; };
   version = pkgs.lib.version;
@@ -29,6 +32,18 @@ let
   optionsDoc = pkgs.nixosOptionsDoc {
     inherit (pkgs.lib.evalModules { modules = [ ../../pkgs/top-level/config.nix ]; }) options;
     documentType = "none";
+    transformOptions = opt:
+      opt // {
+        declarations =
+          map
+            (decl:
+              if hasPrefix (toString ../..) (toString decl)
+              then
+                let subpath = removePrefix "/" (removePrefix (toString ../..) (toString decl));
+                in { url = "https://github.com/NixOS/nixpkgs/blob/master/${subpath}"; name = subpath; }
+              else decl)
+            opt.declarations;
+        };
   };
 
 in pkgs.runCommand "doc-support" {}

From f13c61a3b9c91c75e3dafaeb0c155f2b3da64c6d Mon Sep 17 00:00:00 2001
From: Sophie Taylor <sophie@spacekitteh.moe>
Date: Sun, 19 Jun 2022 11:40:41 +1000
Subject: [PATCH 12/53] xpra: Add the ability to perform a start-desktop

---
 nixos/modules/services/x11/display-managers/xpra.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/x11/display-managers/xpra.nix b/nixos/modules/services/x11/display-managers/xpra.nix
index c23e479140f0..f4ab2b4bd682 100644
--- a/nixos/modules/services/x11/display-managers/xpra.nix
+++ b/nixos/modules/services/x11/display-managers/xpra.nix
@@ -25,6 +25,13 @@ in
         type = types.nullOr types.str;
         description = "Bind xpra to TCP";
       };
+      
+      desktop = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        example = "gnome-shell";
+        description = "Start a desktop environment instead of seamless mode";
+      };
 
       auth = mkOption {
         type = types.str;
@@ -222,7 +229,7 @@ in
     services.xserver.displayManager.job.execCmd = ''
       ${optionalString (cfg.pulseaudio)
         "export PULSE_COOKIE=/run/pulse/.config/pulse/cookie"}
-      exec ${pkgs.xpra}/bin/xpra start \
+      exec ${pkgs.xpra}/bin/xpra ${if cfg.desktop == null then "start" else "start-desktop --start=${cfg.desktop}"} \
         --daemon=off \
         --log-dir=/var/log \
         --log-file=xpra.log \

From 62494281d81d2378a594dfa24d94379caf2940c7 Mon Sep 17 00:00:00 2001
From: Sophie Taylor <sophie@spacekitteh.moe>
Date: Sun, 19 Jun 2022 18:26:10 +1000
Subject: [PATCH 13/53] xpra: fix whitespace

---
 nixos/modules/services/x11/display-managers/xpra.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nixos/modules/services/x11/display-managers/xpra.nix b/nixos/modules/services/x11/display-managers/xpra.nix
index f4ab2b4bd682..1566e38da083 100644
--- a/nixos/modules/services/x11/display-managers/xpra.nix
+++ b/nixos/modules/services/x11/display-managers/xpra.nix
@@ -25,7 +25,7 @@ in
         type = types.nullOr types.str;
         description = "Bind xpra to TCP";
       };
-      
+
       desktop = mkOption {
         type = types.nullOr types.str;
         default = null;

From 7e68dc4d9b02c42da54083e9b9c869168644966f Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Mon, 20 Jun 2022 12:30:24 +0200
Subject: [PATCH 14/53] ergochat: 2.9.1 -> 2.10.0

---
 pkgs/servers/irc/ergochat/default.nix | 4 ++--
 pkgs/top-level/all-packages.nix       | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/pkgs/servers/irc/ergochat/default.nix b/pkgs/servers/irc/ergochat/default.nix
index 57f79ff916c3..cbcc0cfaad21 100644
--- a/pkgs/servers/irc/ergochat/default.nix
+++ b/pkgs/servers/irc/ergochat/default.nix
@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "ergo";
-  version = "2.9.1";
+  version = "2.10.0";
 
   src = fetchFromGitHub {
     owner = "ergochat";
     repo = "ergo";
     rev = "v${version}";
-    sha256 = "sha256-RxsmkTfHymferS/FRW0sLnstKfvGXkW6cEb/JbeS4lc=";
+    sha256 = "sha256-SydseZSEuFhbaU4OMnT8zFLbRfmeKwXsZZeDh8mbZco=";
   };
 
   vendorSha256 = null;
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 6bfcb1a151bb..62a1e2c1cd5f 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -21843,7 +21843,9 @@ with pkgs;
     gn = gn1924;
   };
 
-  ergochat = callPackage ../servers/irc/ergochat { };
+  ergochat = callPackage ../servers/irc/ergochat {
+    buildGoModule = buildGo118Module;
+  };
 
   etcd = etcd_3_3;
   etcd_3_3 = callPackage ../servers/etcd/3.3.nix { };

From 56f0c6eade0deaa1f7fba93ebc85ea11ee9e709b Mon Sep 17 00:00:00 2001
From: "M. A" <mak@nyantec.com>
Date: Mon, 20 Jun 2022 10:56:18 +0000
Subject: [PATCH 15/53] gitlab-runner: 15.0.0 -> 15.1.0

https://gitlab.com/gitlab-org/gitlab-runner/-/tags/v15.1.0
---
 .../tools/continuous-integration/gitlab-runner/default.nix  | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/development/tools/continuous-integration/gitlab-runner/default.nix b/pkgs/development/tools/continuous-integration/gitlab-runner/default.nix
index 039c54cf9df1..d5e4edb2abfe 100644
--- a/pkgs/development/tools/continuous-integration/gitlab-runner/default.nix
+++ b/pkgs/development/tools/continuous-integration/gitlab-runner/default.nix
@@ -1,7 +1,7 @@
 { lib, buildGoModule, fetchFromGitLab, fetchurl }:
 
 let
-  version = "15.0.0";
+  version = "15.1.0";
 in
 buildGoModule rec {
   inherit version;
@@ -14,13 +14,13 @@ buildGoModule rec {
     "-X ${commonPackagePath}.REVISION=v${version}"
   ];
 
-  vendorSha256 = "0ag3pmcrxksgikdcvl9rv2s3kn7l0dj41pf2m9dq0g2a1j45nydn";
+  vendorSha256 = "sha256-5MzhDBCsgcACzImnfvetr3Z6SO+fHozChIhvZG0JwBc=";
 
   src = fetchFromGitLab {
     owner = "gitlab-org";
     repo = "gitlab-runner";
     rev = "v${version}";
-    sha256 = "1s7jqhrwy5wl0db37d3pms499mmy7msx4ch46w5qa25nfbxcr07c";
+    sha256 = "sha256-G6V0l9kzbpl9XEYiiVBYjY7xOHemtOrb1xyB1HjhhTc=";
   };
 
   patches = [

From c777fbbf5d03a2395ad50f79c9907fc5835eba7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= <nix@dotlambda.de>
Date: Mon, 20 Jun 2022 19:11:57 +0000
Subject: [PATCH 16/53] prs: 0.3.2 -> 0.3.4

https://gitlab.com/timvisee/prs/-/blob/v0.3.4/CHANGELOG.md

fixes: CVE-2020-36205, CVE-2021-45707
---
 pkgs/tools/security/prs/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/tools/security/prs/default.nix b/pkgs/tools/security/prs/default.nix
index 5a020dde9cc4..2a901a599d49 100644
--- a/pkgs/tools/security/prs/default.nix
+++ b/pkgs/tools/security/prs/default.nix
@@ -14,16 +14,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "prs";
-  version = "0.3.2";
+  version = "0.3.4";
 
   src = fetchFromGitLab {
     owner = "timvisee";
     repo = "prs";
     rev = "v${version}";
-    sha256 = "sha256-90Ed/mafACSJvH+DjCbdXs3eeyT+pGflRzDD9l3b0/s=";
+    hash = "sha256-dfyTaWwV2hNZPZfvM+AqqR1zbChjT6Y/TEkQPEXRtGA=";
   };
 
-  cargoSha256 = "sha256-5teiF8s11Ml8UtbVn6fXur2OQzE52JZnsgyDihbEFTQ=";
+  cargoHash = "sha256-yf46le0jG4EXo60kGKc0GwSO5vl4Dw0gmYJ4yr+TFdE=";
 
   postPatch = ''
     # The GPGME backend is recommended

From 12fb03569f3ef59b627d9b03440809f0a97e759d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= <nix@dotlambda.de>
Date: Tue, 21 Jun 2022 00:12:24 +0000
Subject: [PATCH 17/53] python310Packages.beaker: mark insecure

---
 pkgs/development/python-modules/beaker/default.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkgs/development/python-modules/beaker/default.nix b/pkgs/development/python-modules/beaker/default.nix
index c455ee50284a..9b692ef92f2a 100644
--- a/pkgs/development/python-modules/beaker/default.nix
+++ b/pkgs/development/python-modules/beaker/default.nix
@@ -70,6 +70,11 @@ buildPythonPackage rec {
 
   meta = {
     description = "A Session and Caching library with WSGI Middleware";
+    homepage = "https://github.com/bbangert/beaker";
+    license = lib.licenses.bsd3;
     maintainers = with lib.maintainers; [ domenkozar ];
+    knownVulnerabilities = [
+      "CVE-2013-7489"
+    ];
   };
 }

From 5301f373925eafde470cb148fe3b3f5fa86ced84 Mon Sep 17 00:00:00 2001
From: Gary Wan <garywan666@gmail.com>
Date: Tue, 21 Jun 2022 12:23:01 +0800
Subject: [PATCH 18/53] rt: 5.0.1 -> 5.0.2

---
 pkgs/servers/rt/default.nix      | 5 +++--
 pkgs/top-level/perl-packages.nix | 6 +++---
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/pkgs/servers/rt/default.nix b/pkgs/servers/rt/default.nix
index 2b5188f743ad..a113c25f396c 100644
--- a/pkgs/servers/rt/default.nix
+++ b/pkgs/servers/rt/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "rt";
-  version = "5.0.1";
+  version = "5.0.2";
 
   src = fetchFromGitHub {
     repo = pname;
     rev = "${pname}-${version}";
     owner = "bestpractical";
-    sha256 = "1qqh6w094x7dljz001va802v4s6mixs9lkhs2cs47lf5ph3vwq2q";
+    sha256 = "1qdvbsmdynjw2v0clnmhdmrky7w4dsiysv92n7d7jdbawnicqahn";
   };
 
   patches = [
@@ -88,6 +88,7 @@ stdenv.mkDerivation rec {
         MozillaCA
         NetCIDR
         NetIP
+        ParallelForkManager
         PathDispatcher
         PerlIOeol
         Plack
diff --git a/pkgs/top-level/perl-packages.nix b/pkgs/top-level/perl-packages.nix
index 94347ea4e8c6..0e519f92498c 100644
--- a/pkgs/top-level/perl-packages.nix
+++ b/pkgs/top-level/perl-packages.nix
@@ -9536,10 +9536,10 @@ let
 
   GnuPGInterface = buildPerlPackage {
     pname = "GnuPG-Interface";
-    version = "1.00";
+    version = "1.02";
     src = fetchurl {
-      url = "mirror://cpan/authors/id/J/JE/JESSE/GnuPG-Interface-1.00.tar.gz";
-      sha256 = "97e9c809491a061b2e99fb4e50c7bf74eb42e1deb11c64b081b21b4dbe6aec2f";
+      url = "mirror://cpan/authors/id/B/BP/BPS/GnuPG-Interface-1.02.tar.gz";
+      sha256 = "c27a48c3d48e1a9205e362eeea66d46b032bd84637991fdf0b13828bcafdd3e6";
     };
     buildInputs = [ pkgs.which pkgs.gnupg1compat ];
     propagatedBuildInputs = [ MooXHandlesVia MooXlate ];

From 2303746e118a232922ac854283055b2c32fb2fc7 Mon Sep 17 00:00:00 2001
From: Alex James <alex@alextjam.es>
Date: Mon, 20 Jun 2022 23:19:25 -0500
Subject: [PATCH 19/53] nodePackages.sqlite3: fix sha256

Dependent packages (such as nodePackages.thelounge) started breaking
after 7245b3fb673e8c81596ee13b797d6538b6a91955:

error: hash mismatch in fixed-output derivation '/nix/store/llqji7lm9vrnrb6ha8zvqx0lqlz384hq-node-sqlite3-918052b.drv':
         specified: sha256-ec96SZpzXrYMPJVhlWmRAWIBjfhpj/XEOzc4ZjToB18=
            got:    sha256-aVBFmkxZsosRJtUuZ+cipdEVD7rP7tt6nfpGd4oWigQ=

This commit reverts the sha256 change.
---
 pkgs/development/node-packages/node-packages.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/development/node-packages/node-packages.nix b/pkgs/development/node-packages/node-packages.nix
index 9c6889ae8880..eed3c82c4a48 100644
--- a/pkgs/development/node-packages/node-packages.nix
+++ b/pkgs/development/node-packages/node-packages.nix
@@ -62291,7 +62291,7 @@ let
       src = fetchgit {
         url = "https://github.com/mapbox/node-sqlite3.git";
         rev = "918052b538b0effe6c4a44c74a16b2749c08a0d2";
-        sha256 = "79cf7a499a735eb60c3c95619569910162018df8698ff5c43b37386634e8075f";
+        sha256 = "6950459a4c59b28b1126d52e67e722a5d1150fbacfeedb7a9dfa46778a168a04";
       };
     };
     "sqlstring-2.3.1" = {

From 376dfe8766d20706eda0a97d8d6228d22ed61a95 Mon Sep 17 00:00:00 2001
From: Robbert Gurdeep Singh <git@beardhatcode.be>
Date: Tue, 21 Jun 2022 08:40:33 +0200
Subject: [PATCH 20/53] nextcloud: 23.0.5 -> 23.0.6, 24.0.1 -> 24.0.2

---
 pkgs/servers/nextcloud/default.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkgs/servers/nextcloud/default.nix b/pkgs/servers/nextcloud/default.nix
index 94d69ad81dc2..a666c3fee358 100644
--- a/pkgs/servers/nextcloud/default.nix
+++ b/pkgs/servers/nextcloud/default.nix
@@ -46,13 +46,13 @@ in {
   '';
 
   nextcloud23 = generic {
-    version = "23.0.5";
-    sha256 = "3cf51a795f8439e5d34f0a521d939cefafbae38450cce64c6673016984195f29";
+    version = "23.0.6";
+    sha256 = "34fbc3a6c16a623f57971b8c4df7c5e62b3650728edec7d05ec116b295040548";
   };
 
   nextcloud24 = generic {
-    version = "24.0.1";
-    sha256 = "d32a8f6c4722a45cb67de7018163cfafcfa22a871fbac0f623c3875fa4304e5a";
+    version = "24.0.2";
+    sha256 = "30d6cac1265dff221836bec46a937dcafd7e7d52ee59b939841750b514e5033d";
   };
 
   # tip: get she sha with:

From 78d4dc263993aa683d9b056f7785bfb3d5c1f7b0 Mon Sep 17 00:00:00 2001
From: Phillip Cloud <417981+cpcloud@users.noreply.github.com>
Date: Tue, 21 Jun 2022 09:10:52 -0500
Subject: [PATCH 21/53] duckdb: 0.3.4 -> 0.4.0

---
 pkgs/development/libraries/duckdb/default.nix | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/pkgs/development/libraries/duckdb/default.nix b/pkgs/development/libraries/duckdb/default.nix
index b128ed709452..cd70bd2bdeea 100644
--- a/pkgs/development/libraries/duckdb/default.nix
+++ b/pkgs/development/libraries/duckdb/default.nix
@@ -1,6 +1,7 @@
 { lib
 , stdenv
 , fetchFromGitHub
+, fetchpatch
 , cmake
 , ninja
 , openssl
@@ -16,16 +17,23 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "duckdb";
-  version = "0.3.4";
+  version = "0.4.0";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-2PBc5qe2md87u2nvMTx/XZVzLsr8QrvUkw46/6VTlGs=";
+    sha256 = "sha256-pQ/t26dv9ZWLl0MHcAn0sgxryW2T2hM8XyOkXyfC5CY=";
   };
 
-  patches = [ ./version.patch ];
+  patches = [
+    ./version.patch
+    (fetchpatch {
+      url = "https://patch-diff.githubusercontent.com/raw/duckdb/duckdb/pull/3927.patch";
+      sha256 = "sha256-m0Bs0DOJQtkadbKZKk88NHyBFJkjxXUsiWYciuRIJLU=";
+    })
+  ];
+
   postPatch = ''
     substituteInPlace CMakeLists.txt --subst-var-by DUCKDB_VERSION "v${version}"
   '';
@@ -62,6 +70,7 @@ stdenv.mkDerivation rec {
         "test/common/test_cast_hugeint.test"
         "test/sql/copy/csv/test_csv_remote.test"
         "test/sql/copy/parquet/test_parquet_remote.test"
+        "test/sql/copy/parquet/test_parquet_remote_foreign_files.test"
       ] ++ lib.optionals stdenv.isAarch64 [
         "test/sql/aggregate/aggregates/test_kurtosis.test"
         "test/sql/aggregate/aggregates/test_skewness.test"

From 16f1c3ea1ef5f757508bf333141bfa1ef0defdd3 Mon Sep 17 00:00:00 2001
From: Phillip Cloud <417981+cpcloud@users.noreply.github.com>
Date: Tue, 21 Jun 2022 10:14:55 -0500
Subject: [PATCH 22/53] python3Packages.duckdb: add checkInputs

---
 pkgs/development/python-modules/duckdb/default.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkgs/development/python-modules/duckdb/default.nix b/pkgs/development/python-modules/duckdb/default.nix
index 787a54f26769..dd7ad8737975 100644
--- a/pkgs/development/python-modules/duckdb/default.nix
+++ b/pkgs/development/python-modules/duckdb/default.nix
@@ -1,9 +1,11 @@
 { lib
 , buildPythonPackage
 , duckdb
+, google-cloud-storage
 , mypy
 , numpy
 , pandas
+, psutil
 , pybind11
 , setuptools-scm
 , pytestCheckHook
@@ -29,7 +31,9 @@ buildPythonPackage rec {
   ];
 
   checkInputs = [
+    google-cloud-storage
     mypy
+    psutil
     pytestCheckHook
   ];
 

From a0d48a151571165567a2d45df82e9791d7d239de Mon Sep 17 00:00:00 2001
From: Phillip Cloud <417981+cpcloud@users.noreply.github.com>
Date: Tue, 21 Jun 2022 12:14:47 -0500
Subject: [PATCH 23/53] duckdb: use upstream patch and name patch derivation

---
 pkgs/development/libraries/duckdb/default.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkgs/development/libraries/duckdb/default.nix b/pkgs/development/libraries/duckdb/default.nix
index cd70bd2bdeea..059c79bfcbb5 100644
--- a/pkgs/development/libraries/duckdb/default.nix
+++ b/pkgs/development/libraries/duckdb/default.nix
@@ -29,7 +29,8 @@ stdenv.mkDerivation rec {
   patches = [
     ./version.patch
     (fetchpatch {
-      url = "https://patch-diff.githubusercontent.com/raw/duckdb/duckdb/pull/3927.patch";
+      name = "fix-tpce-test.patch";
+      url = "https://github.com/duckdb/duckdb/commit/82e13a4bb9f0683af6c52468af2fb903cce4286d.patch";
       sha256 = "sha256-m0Bs0DOJQtkadbKZKk88NHyBFJkjxXUsiWYciuRIJLU=";
     })
   ];

From 68ead458d39660e346f05276c890184d4ec7ea68 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= <nix@dotlambda.de>
Date: Tue, 21 Jun 2022 00:22:37 +0000
Subject: [PATCH 24/53] python310Packages.cookiecutter: 1.7.3 -> 2.1.1

fixes CVE-2022-24065
---
 .../python-modules/cookiecutter/default.nix    | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/pkgs/development/python-modules/cookiecutter/default.nix b/pkgs/development/python-modules/cookiecutter/default.nix
index de42f7284112..fdad4febcdaf 100644
--- a/pkgs/development/python-modules/cookiecutter/default.nix
+++ b/pkgs/development/python-modules/cookiecutter/default.nix
@@ -1,23 +1,31 @@
 { lib, buildPythonPackage, fetchPypi, isPyPy
 , pytest, pytest-cov, pytest-mock, freezegun
-, jinja2, future, binaryornot, click, whichcraft, poyo, jinja2_time, requests
-, python-slugify }:
+, jinja2, future, binaryornot, click, jinja2_time, requests
+, python-slugify
+, pyyaml
+}:
 
 buildPythonPackage rec {
   pname = "cookiecutter";
-  version = "1.7.3";
+  version = "2.1.1";
 
   # not sure why this is broken
   disabled = isPyPy;
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-a5pNcoguJDvgd6c5fQ8fdv5mzz35HzEV27UzDiFPpFc=";
+    sha256 = "sha256-85gr6NnFPawSYYZAE/3sf4Ov0uQu3m9t0GnF4UnFQNU=";
   };
 
   checkInputs = [ pytest pytest-cov pytest-mock freezegun ];
   propagatedBuildInputs = [
-    jinja2 future binaryornot click whichcraft poyo jinja2_time requests python-slugify
+    binaryornot
+    jinja2
+    click
+    pyyaml
+    jinja2_time
+    python-slugify
+    requests
   ];
 
   # requires network access for cloning git repos

From be19a33c51f09b5bcad64554a64d51e3b5beea4b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= <nix@dotlambda.de>
Date: Tue, 21 Jun 2022 00:33:25 +0000
Subject: [PATCH 25/53] python310Packages.flask-caching: 1.10.1 -> 1.11.1

---
 .../python-modules/flask-caching/default.nix  | 28 +++++++++++++++----
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/pkgs/development/python-modules/flask-caching/default.nix b/pkgs/development/python-modules/flask-caching/default.nix
index 9fd80ac6d677..6e78841ab8c3 100644
--- a/pkgs/development/python-modules/flask-caching/default.nix
+++ b/pkgs/development/python-modules/flask-caching/default.nix
@@ -1,18 +1,34 @@
-{ lib, buildPythonPackage, fetchPypi, isPy27, flask, pytestCheckHook, pytest-cov, pytest-xprocess, pytestcache }:
+{ lib
+, buildPythonPackage
+, pythonOlder
+, fetchPypi
+, cachelib
+, flask
+, pytest-asyncio
+, pytest-xprocess
+, pytestCheckHook
+}:
 
 buildPythonPackage rec {
   pname = "Flask-Caching";
-  version = "1.10.1";
-  disabled = isPy27; # invalid python2 syntax
+  version = "1.11.1";
+  disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "cf19b722fcebc2ba03e4ae7c55b532ed53f0cbf683ce36fafe5e881789a01c00";
+    sha256 = "28af189e97defb9e39b43ebe197b54a58aaee81bdeb759f46d969c26d7aa7810";
   };
 
-  propagatedBuildInputs = [ flask ];
+  propagatedBuildInputs = [
+    cachelib
+    flask
+  ];
 
-  checkInputs = [ pytestCheckHook pytest-cov pytest-xprocess pytestcache ];
+  checkInputs = [
+    pytest-asyncio
+    pytest-xprocess
+    pytestCheckHook
+  ];
 
   disabledTests = [
     # backend_cache relies on pytest-cache, which is a stale package from 2013

From cb8ab777b86338badbb9b4ed9ffd0490a760cf9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= <nix@dotlambda.de>
Date: Tue, 21 Jun 2022 00:48:29 +0000
Subject: [PATCH 26/53] python310Packages.flower: mark insecure

---
 pkgs/development/python-modules/flower/default.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkgs/development/python-modules/flower/default.nix b/pkgs/development/python-modules/flower/default.nix
index c7a2ba59db3e..c8c9b7f4b19d 100644
--- a/pkgs/development/python-modules/flower/default.nix
+++ b/pkgs/development/python-modules/flower/default.nix
@@ -54,5 +54,8 @@ buildPythonPackage rec {
     homepage = "https://github.com/mher/flower";
     license = licenses.bsdOriginal;
     maintainers = with maintainers; [ arnoldfarkas ];
+    knownVulnerabilities = [
+      "CVE-2022-30034"
+    ];
   };
 }

From af1bf5dc715da311163012c33fd4d4ad79f0f0ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= <nix@dotlambda.de>
Date: Tue, 21 Jun 2022 00:52:07 +0000
Subject: [PATCH 27/53] python310Packages.jupyterhub: 1.3.0 -> 1.5.0

https://github.com/jupyterhub/jupyterhub/blob/1.5.0/docs/source/changelog.md

fixes CVE-2021-41247
---
 pkgs/development/python-modules/jupyterhub/default.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/python-modules/jupyterhub/default.nix b/pkgs/development/python-modules/jupyterhub/default.nix
index c2855d6c8773..04db4d4d0c22 100644
--- a/pkgs/development/python-modules/jupyterhub/default.nix
+++ b/pkgs/development/python-modules/jupyterhub/default.nix
@@ -61,12 +61,12 @@ in
 
 buildPythonPackage rec {
   pname = "jupyterhub";
-  version = "1.3.0";
+  version = "1.5.0";
   disabled = pythonOlder "3.6";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "13pf6qhimpaxj20871ff5rvwwan59320cdhhrn9cfh6314971zq5";
+    sha256 = "sha256-3GGPZXwjukYoDjYlflCTGAZnS6Dp5kmK+wke/GIm1p0=";
   };
 
   # Most of this only applies when building from source (e.g. js/css assets are
@@ -158,6 +158,7 @@ buildPythonPackage rec {
     broken = (stdenv.isLinux && stdenv.isAarch64) || stdenv.isDarwin;
     description = "Serves multiple Jupyter notebook instances";
     homepage = "https://jupyter.org/";
+    changelog = "https://github.com/jupyterhub/jupyterhub/blob/${version}/docs/source/changelog.md";
     license = licenses.bsd3;
     maintainers = with maintainers; [ ixxie cstrahan ];
   };

From b9f50b7803a0d85bea6ef51ab3a75ec43add7a57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= <nix@dotlambda.de>
Date: Tue, 21 Jun 2022 00:55:26 +0000
Subject: [PATCH 28/53] python310Packages.jupyter_server: 1.11.2 -> 1.17.1

https://github.com/jupyter-server/jupyter_server/blob/v1.17.1/CHANGELOG.md

fixes CVE-2022-24757 and CVE-2022-29241
---
 .../python-modules/jupyter_server/default.nix | 33 +++++++++----------
 1 file changed, 15 insertions(+), 18 deletions(-)

diff --git a/pkgs/development/python-modules/jupyter_server/default.nix b/pkgs/development/python-modules/jupyter_server/default.nix
index 0001dd5e9373..a140e2930b31 100644
--- a/pkgs/development/python-modules/jupyter_server/default.nix
+++ b/pkgs/development/python-modules/jupyter_server/default.nix
@@ -1,10 +1,12 @@
 { lib
 , stdenv
 , buildPythonPackage
-, fetchpatch
 , fetchPypi
 , pythonOlder
+, pandoc
 , pytestCheckHook
+, pytest-console-scripts
+, pytest-timeout
 , pytest-tornasync
 , argon2-cffi
 , jinja2
@@ -28,21 +30,14 @@
 
 buildPythonPackage rec {
   pname = "jupyter_server";
-  version = "1.11.2";
-  disabled = pythonOlder "3.6";
+  version = "1.17.1";
+  disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "c1f32e0c1807ab2de37bf70af97a36b4436db0bc8af3124632b1f4441038bf95";
+    sha256 = "a36781656645ae17b12819a49ace377c045bf633823b3e4cd4b0c88c01e7711b";
   };
 
-  patches = [ (fetchpatch
-    { name = "Normalize-file-name-and-path.patch";
-      url = "https://github.com/jupyter-server/jupyter_server/pull/608/commits/345e26cdfd78651954b68708fa44119c2ac0dbd5.patch";
-      sha256 = "1kqz3dyh2w0h1g1fbvqa13q17hb6y32694rlaasyg213mq6g4k32";
-    })
-  ];
-
   propagatedBuildInputs = [
     argon2-cffi
     jinja2
@@ -64,7 +59,10 @@ buildPythonPackage rec {
 
   checkInputs = [
     ipykernel
+    pandoc
     pytestCheckHook
+    pytest-console-scripts
+    pytest-timeout
     pytest-tornasync
     requests
   ];
@@ -74,19 +72,18 @@ buildPythonPackage rec {
     export PATH=$out/bin:$PATH
   '';
 
-  pytestFlagsArray = [ "jupyter_server" ];
-
-  # disabled failing tests
   disabledTests = [
-    "test_server_extension_list"
-    "test_list_formats"
-    "test_base_url"
-    "test_culling"
+    "test_cull_idle"
   ] ++ lib.optionals stdenv.isDarwin [
     # attempts to use trashcan, build env doesn't allow this
     "test_delete"
   ];
 
+  disabledTestPaths = [
+    "tests/services/kernels/test_api.py"
+    "tests/services/sessions/test_api.py"
+  ];
+
   __darwinAllowLocalNetworking = true;
 
   meta = with lib; {

From c8dbbe5c3236dbc5445b31c69e5bf8251f172c0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= <nix@dotlambda.de>
Date: Tue, 21 Jun 2022 01:16:39 +0000
Subject: [PATCH 29/53] python310Packages.kerberos: mark insecure

---
 pkgs/development/python-modules/kerberos/default.nix | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/python-modules/kerberos/default.nix b/pkgs/development/python-modules/kerberos/default.nix
index c4772d606518..a584e38810fc 100644
--- a/pkgs/development/python-modules/kerberos/default.nix
+++ b/pkgs/development/python-modules/kerberos/default.nix
@@ -20,8 +20,10 @@ buildPythonPackage rec {
 
   meta = with lib; {
     description = "Kerberos high-level interface";
-    homepage = "https://pypi.python.org/pypi/kerberos";
+    homepage = "https://pypi.org/project/kerberos/";
     license = licenses.asl20;
+    knownVulnerabilities = [
+      "CVE-2015-3206"
+    ];
   };
-
 }

From 7b3c3d6cedc5864f5fe20c03ff2ad27c06544d94 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= <nix@dotlambda.de>
Date: Tue, 21 Jun 2022 01:25:36 +0000
Subject: [PATCH 30/53] python310Packages.notebook: 6.4.10 -> 6.4.12

fixes CVE-2022-29238
---
 pkgs/development/python-modules/notebook/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/python-modules/notebook/default.nix b/pkgs/development/python-modules/notebook/default.nix
index d76909efdcfe..4efaaf3f9ec9 100644
--- a/pkgs/development/python-modules/notebook/default.nix
+++ b/pkgs/development/python-modules/notebook/default.nix
@@ -27,12 +27,12 @@
 
 buildPythonPackage rec {
   pname = "notebook";
-  version = "6.4.10";
+  version = "6.4.12";
   disabled = !isPy3k;
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-JAina8YokoOo7s/KZ+KY7IPGfbUaTC4bcT3RgLs56Q4=";
+    sha256 = "sha256-YmjJ7JBIz/ekVAXJkMKaycpAsLw+wpJj0hjF4B8rToY=";
   };
 
   LC_ALL = "en_US.utf8";

From a1b860e67a25f4609b2ab17dbb297cb74a323a73 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= <nix@dotlambda.de>
Date: Tue, 21 Jun 2022 01:31:30 +0000
Subject: [PATCH 31/53] python310Packages.pypdf2: 1.26.0 -> 1.28.4

https://github.com/py-pdf/PyPDF2/blob/1.28.4/CHANGELOG

fixes CVE-2022-24859
---
 pkgs/development/python-modules/pypdf2/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/python-modules/pypdf2/default.nix b/pkgs/development/python-modules/pypdf2/default.nix
index 26d27f4455af..d147de042c9f 100644
--- a/pkgs/development/python-modules/pypdf2/default.nix
+++ b/pkgs/development/python-modules/pypdf2/default.nix
@@ -8,11 +8,11 @@
 
 buildPythonPackage rec {
   pname = "PyPDF2";
-  version = "1.26.0";
+  version = "1.28.4";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "11a3aqljg4sawjijkvzhs3irpw0y67zivqpbjpm065ha5wpr13z2";
+    sha256 = "sha256-BM5CzQVweIH+28oxZHRFEYBf6MMGGK5M+yuUDjNo1a0=";
   };
 
   LC_ALL = "en_US.UTF-8";

From 2447fc09ec68ebfc6b1c1de9931ec8deffdabb68 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= <nix@dotlambda.de>
Date: Tue, 21 Jun 2022 01:40:34 +0000
Subject: [PATCH 32/53] python310Packages.rencode: 1.0.6 -> unstable-2021-08-10

fixes CVE-2021-40839
---
 .../python-modules/rencode/default.nix        | 24 ++++++++++++++-----
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/pkgs/development/python-modules/rencode/default.nix b/pkgs/development/python-modules/rencode/default.nix
index 464bbd78515c..86192cbc29ca 100644
--- a/pkgs/development/python-modules/rencode/default.nix
+++ b/pkgs/development/python-modules/rencode/default.nix
@@ -2,25 +2,37 @@
 , buildPythonPackage
 , fetchFromGitHub
 , cython
+, pytestCheckHook
 }:
 
 buildPythonPackage rec {
   pname = "rencode";
-  version = "1.0.6";
+  version = "unstable-2021-08-10";
+
+  format = "setuptools";
 
   src = fetchFromGitHub {
     owner = "aresch";
     repo = "rencode";
-    rev = "v${version}";
-    sha256 = "sha256-PGjjrZuoGYSPMNqXG1KXoZnOoWIe4g6s056jFhqrJ60=";
+    rev = "572ff74586d9b1daab904c6f7f7009ce0143bb75";
+    hash = "sha256-cL1hV3RMDuSdcjpPXXDYIEbzQrxiPeRs82PU8HTEQYk=";
   };
 
-  buildInputs = [ cython ];
+  nativeBuildInputs = [ cython ];
+
+  checkInputs = [
+    pytestCheckHook
+  ];
+
+  preCheck = ''
+    # import from $out
+    rm -r rencode
+  '';
 
   meta = with lib; {
     homepage = "https://github.com/aresch/rencode";
     description = "Fast (basic) object serialization similar to bencode";
-    license = licenses.gpl3;
+    license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ ];
   };
-
 }

From 701b918dc3ce1565cb440ed792b0b8813c3576ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= <nix@dotlambda.de>
Date: Tue, 21 Jun 2022 01:43:47 +0000
Subject: [PATCH 33/53] python310Packages.waitress: 2.1.1 -> 2.1.2

https://github.com/Pylons/waitress/blob/v2.1.2/HISTORY.txt

fixes CVE-2022-31015
---
 pkgs/development/python-modules/waitress/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/python-modules/waitress/default.nix b/pkgs/development/python-modules/waitress/default.nix
index e2cbe59ab286..898b1093159d 100644
--- a/pkgs/development/python-modules/waitress/default.nix
+++ b/pkgs/development/python-modules/waitress/default.nix
@@ -5,11 +5,11 @@
 
 buildPythonPackage rec {
   pname = "waitress";
-  version = "2.1.1";
+  version = "2.1.2";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-4uYFds8UoVOdp597fuHnmnHmTzZqC0fbVKFelx9XuxY=";
+    sha256 = "780a4082c5fbc0fde6a2fcfe5e26e6efc1e8f425730863c04085769781f51eba";
   };
 
   doCheck = false;

From 587c6869266d1e6b2471d50fa2cd7d2564a5835f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=BCtz?= <nix@dotlambda.de>
Date: Tue, 21 Jun 2022 01:49:17 +0000
Subject: [PATCH 34/53] python310Packages.vyper: mark insecure

---
 pkgs/development/compilers/vyper/default.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkgs/development/compilers/vyper/default.nix b/pkgs/development/compilers/vyper/default.nix
index ee24cc646e49..00d39d6f93e6 100644
--- a/pkgs/development/compilers/vyper/default.nix
+++ b/pkgs/development/compilers/vyper/default.nix
@@ -69,5 +69,8 @@ buildPythonPackage rec {
     homepage = "https://github.com/vyperlang/vyper";
     license = licenses.asl20;
     maintainers = with maintainers; [ siraben ];
+    knownVulnerabilities = [
+      "CVE-2022-29255"
+    ];
   };
 }

From a276ef6f1ba72e2dea60d7181c71ca7f18928f81 Mon Sep 17 00:00:00 2001
From: Ilan Joselevich <personal@ilanjoselevich.com>
Date: Wed, 22 Jun 2022 02:32:07 +0300
Subject: [PATCH 35/53] mpd-discord-rpc: 1.5.1 -> 1.5.2

---
 pkgs/tools/audio/mpd-discord-rpc/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/tools/audio/mpd-discord-rpc/default.nix b/pkgs/tools/audio/mpd-discord-rpc/default.nix
index 1565ac040c3b..cbaeb9e01145 100644
--- a/pkgs/tools/audio/mpd-discord-rpc/default.nix
+++ b/pkgs/tools/audio/mpd-discord-rpc/default.nix
@@ -8,16 +8,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "mpd-discord-rpc";
-  version = "1.5.1";
+  version = "1.5.2";
 
   src = fetchFromGitHub {
     owner = "JakeStanger";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-jwsfUepGJ7IB1H6Er1EszYkkYIOSyuFvTX7NF9UhhGo=";
+    sha256 = "sha256-/QWIoP6KcrI8cYTh3x2lQz7nPSvzb1zRWg8TFoYY9vE=";
   };
 
-  cargoSha256 = "sha256-4MUfjXWDZmfsUzvWo8I2fgzm4jOfX1ZgHYqUmxXJ/BU=";
+  cargoSha256 = "sha256-46PS1+ud7GYuMOJMp93Hf7+nlngvgL67zedaF44TcYY=";
 
   nativeBuildInputs = [ pkg-config ];
 

From cf78484db0f9be10aa0440a0d8d106f3f1d3f746 Mon Sep 17 00:00:00 2001
From: Luflosi <luflosi@luflosi.de>
Date: Thu, 16 Jun 2022 13:14:23 +0200
Subject: [PATCH 36/53] python3Packages.sphinx-basic-ng: init at 0.0.1.a11

---
 .../sphinx-basic-ng/default.nix               | 44 +++++++++++++++++++
 pkgs/top-level/python-packages.nix            |  2 +
 2 files changed, 46 insertions(+)
 create mode 100644 pkgs/development/python-modules/sphinx-basic-ng/default.nix

diff --git a/pkgs/development/python-modules/sphinx-basic-ng/default.nix b/pkgs/development/python-modules/sphinx-basic-ng/default.nix
new file mode 100644
index 000000000000..df55a1316fbb
--- /dev/null
+++ b/pkgs/development/python-modules/sphinx-basic-ng/default.nix
@@ -0,0 +1,44 @@
+{ lib
+, buildPythonPackage
+, pythonOlder
+, fetchFromGitHub
+, fetchpatch
+, sphinx
+}:
+
+buildPythonPackage rec {
+  pname = "sphinx-basic-ng";
+  version = "0.0.1.a11";
+  disable = pythonOlder "3.7";
+
+  src = fetchFromGitHub {
+    owner = "pradyunsg";
+    repo = "sphinx-basic-ng";
+    rev = version;
+    sha256 = "sha256-Eur3CadC2NTuBXosG4SN9t2L0qkqN+Q79bcvhvlG/f8=";
+  };
+
+  patches = [
+    (fetchpatch {
+      name = "fix-import-error.patch";
+      url = "https://github.com/pradyunsg/sphinx-basic-ng/pull/32/commits/323a0085721b908aa11bc3c36c51e16f517ee023.patch";
+      sha256 = "sha256-/G1wLG/08u2s3YENSKSYekLrV1fUkxDAlxc3crTQNHk=";
+    })
+  ];
+
+  propagatedBuildInputs = [
+    sphinx
+  ];
+
+  # no tests implemented
+  doCheck = false;
+
+  pythonImportsCheck = [ "sphinx_basic_ng" ];
+
+  meta = with lib; {
+    description = "A modernised skeleton for Sphinx themes";
+    homepage = "https://sphinx-basic-ng.readthedocs.io/en/latest/";
+    license = licenses.mit;
+    maintainers = with maintainers; [ Luflosi ];
+  };
+}
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index 9ffa21b26996..ab184d0d67e4 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -10014,6 +10014,8 @@ in {
 
   sphinx-autobuild = callPackage ../development/python-modules/sphinx-autobuild { };
 
+  sphinx-basic-ng = callPackage ../development/python-modules/sphinx-basic-ng { };
+
   sphinx-copybutton = callPackage ../development/python-modules/sphinx-copybutton { };
 
   sphinx-inline-tabs = callPackage ../development/python-modules/sphinx-inline-tabs { };

From 85ab2e42569b6ee0cf4dc934cd9576a26ec29e67 Mon Sep 17 00:00:00 2001
From: Luflosi <luflosi@luflosi.de>
Date: Thu, 16 Jun 2022 13:18:10 +0200
Subject: [PATCH 37/53] python3Packages.furo: 2022.4.7 -> 2022.6.21

https://github.com/pradyunsg/furo/releases/tag/2022.6.21
---
 pkgs/development/python-modules/furo/default.nix | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/python-modules/furo/default.nix b/pkgs/development/python-modules/furo/default.nix
index 60fbc917f7d9..cd97c2b5697c 100644
--- a/pkgs/development/python-modules/furo/default.nix
+++ b/pkgs/development/python-modules/furo/default.nix
@@ -4,11 +4,12 @@
 , fetchPypi
 , sphinx
 , beautifulsoup4
+, sphinx-basic-ng
 }:
 
 buildPythonPackage rec {
   pname = "furo";
-  version = "2022.4.7";
+  version = "2022.6.21";
   format = "wheel";
   disable = pythonOlder "3.6";
 
@@ -16,12 +17,13 @@ buildPythonPackage rec {
     inherit pname version format;
     dist = "py3";
     python = "py3";
-    sha256 = "sha256-fz49L7l3SDWQ+Oyyws1RG9gmYbecGO+yTelVi8nN8tc=";
+    sha256 = "sha256-Bhto4yM0Xif8ugJM8zoed/Pf2NmYdBC+gidJpwbirdY=";
   };
 
   propagatedBuildInputs = [
     sphinx
     beautifulsoup4
+    sphinx-basic-ng
   ];
 
   installCheckPhase = ''

From f18ee7aabd1b10bd6d4ef428b71bb609a9cad7a1 Mon Sep 17 00:00:00 2001
From: "R. Ryantm" <ryantm-bot@ryantm.com>
Date: Wed, 22 Jun 2022 11:17:29 +0000
Subject: [PATCH 38/53] python310Packages.casbin: 1.16.5 -> 1.16.6

---
 pkgs/development/python-modules/casbin/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/python-modules/casbin/default.nix b/pkgs/development/python-modules/casbin/default.nix
index 5df8ae38bebe..6350fda9650e 100644
--- a/pkgs/development/python-modules/casbin/default.nix
+++ b/pkgs/development/python-modules/casbin/default.nix
@@ -9,7 +9,7 @@
 
 buildPythonPackage rec {
   pname = "casbin";
-  version = "1.16.5";
+  version = "1.16.6";
   format = "setuptools";
 
   disabled = pythonOlder "3.6";
@@ -18,7 +18,7 @@ buildPythonPackage rec {
     owner = pname;
     repo = "pycasbin";
     rev = "refs/tags/v${version}";
-    sha256 = "sha256-27j1iuqf0af4Cm3r32FJnWnjvvUcacuv2+1OL6z/mwM=";
+    sha256 = "sha256-i7XwB1qV2WQD1dWxi4ncXsAwGUR5tWQhp+Z/jVvv1oo=";
   };
 
   propagatedBuildInputs = [

From c9b79ecf8807d3be209244bafbe208ff1d1fc21f Mon Sep 17 00:00:00 2001
From: Martin Weinelt <hexa@darmstadt.ccc.de>
Date: Wed, 22 Jun 2022 13:30:44 +0200
Subject: [PATCH 39/53] python3Packages.nexia: 1.0.1 -> 1.0.2

---
 pkgs/development/python-modules/nexia/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/python-modules/nexia/default.nix b/pkgs/development/python-modules/nexia/default.nix
index e96a2b260b90..184271a5fe67 100644
--- a/pkgs/development/python-modules/nexia/default.nix
+++ b/pkgs/development/python-modules/nexia/default.nix
@@ -10,7 +10,7 @@
 
 buildPythonPackage rec {
   pname = "nexia";
-  version = "1.0.1";
+  version = "1.0.2";
   format = "setuptools";
 
   disabled = pythonOlder "3.5";
@@ -19,7 +19,7 @@ buildPythonPackage rec {
     owner = "bdraco";
     repo = pname;
     rev = version;
-    sha256 = "sha256-f1IUyeOmRmnr7zWoMKF895FKsNgiiCbw7inmXDGZrVw=";
+    sha256 = "sha256-+3nWf9GjX7ovnumwSq3l1dcHrgWIPPzKsPmI8/tT7Lo=";
   };
 
   propagatedBuildInputs = [

From f3e7e834b3a7eeb550be9d401ad7b5a9c2c562c7 Mon Sep 17 00:00:00 2001
From: Martin Weinelt <hexa@darmstadt.ccc.de>
Date: Wed, 22 Jun 2022 13:41:54 +0200
Subject: [PATCH 40/53] home-assistant: 2022.6.6 -> 2022.6.7

https://github.com/home-assistant/core/releases/tag/2022.6.7
---
 pkgs/servers/home-assistant/component-packages.nix | 2 +-
 pkgs/servers/home-assistant/default.nix            | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/servers/home-assistant/component-packages.nix b/pkgs/servers/home-assistant/component-packages.nix
index 4acf3aa87ad7..467c628c5666 100644
--- a/pkgs/servers/home-assistant/component-packages.nix
+++ b/pkgs/servers/home-assistant/component-packages.nix
@@ -2,7 +2,7 @@
 # Do not edit!
 
 {
-  version = "2022.6.6";
+  version = "2022.6.7";
   components = {
     "abode" = ps: with ps; [
       abodepy
diff --git a/pkgs/servers/home-assistant/default.nix b/pkgs/servers/home-assistant/default.nix
index fbfa29ff4bf1..b1b731642b8c 100644
--- a/pkgs/servers/home-assistant/default.nix
+++ b/pkgs/servers/home-assistant/default.nix
@@ -176,7 +176,7 @@ let
   extraPackagesFile = writeText "home-assistant-packages" (lib.concatMapStringsSep "\n" (pkg: pkg.pname) extraBuildInputs);
 
   # Don't forget to run parse-requirements.py after updating
-  hassVersion = "2022.6.6";
+  hassVersion = "2022.6.7";
 
 in python.pkgs.buildPythonApplication rec {
   pname = "homeassistant";
@@ -194,7 +194,7 @@ in python.pkgs.buildPythonApplication rec {
     owner = "home-assistant";
     repo = "core";
     rev = version;
-    hash = "sha256-scwj3VrSoFk/pSVzfwvGFM5fRci3+7iqr7TAwLantFQ=";
+    hash = "sha256-RR0CsPOzOdWRPSgmKGl3egrPXS1CDI+ODWZeLkVCSGQ=";
   };
 
   # leave this in, so users don't have to constantly update their downstream patch handling

From c3ef5cdc082971bf3d54fa7affaa2eadfc1829c1 Mon Sep 17 00:00:00 2001
From: Philipp Arras <c@philipp-arras.de>
Date: Wed, 22 Jun 2022 14:18:46 +0200
Subject: [PATCH 41/53] python3Packages.ducc0: 0.23.0 -> 0.24.0

---
 pkgs/development/python-modules/ducc0/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/python-modules/ducc0/default.nix b/pkgs/development/python-modules/ducc0/default.nix
index ce2d0e4ef6e8..218af92608d4 100644
--- a/pkgs/development/python-modules/ducc0/default.nix
+++ b/pkgs/development/python-modules/ducc0/default.nix
@@ -2,7 +2,7 @@
 
 buildPythonPackage rec {
   pname = "ducc0";
-  version = "0.23.0";
+  version = "0.24.0";
 
   disabled = pythonOlder "3.7";
 
@@ -11,7 +11,7 @@ buildPythonPackage rec {
     owner = "mtr";
     repo = "ducc";
     rev = "ducc0_${lib.replaceStrings ["."] ["_"] version}";
-    sha256 = "dOc3TihtoRuLfniC9zQ1MEbnvGJHzFZfZ8+J8Dnw6Lk=";
+    sha256 = "sFgEO6f9D3AFV62yLEocgrPrj03H60e2NtdA/Ws6lQw=";
   };
 
   buildInputs = [ pybind11 ];

From 9191e226dba97ca2a32b7312fbdecb5fbf7b765a Mon Sep 17 00:00:00 2001
From: Martin Weinelt <hexa@darmstadt.ccc.de>
Date: Wed, 22 Jun 2022 14:21:24 +0200
Subject: [PATCH 42/53] python3Packages.aesara: 2.7.2 -> 2.7.3

Fixes a hash mismatch and adds additional libraries to the check phase
so that tests work again.

https://github.com/aesara-devs/aesara/releases/tag/rel-2.7.3
---
 pkgs/development/python-modules/aesara/default.nix | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/python-modules/aesara/default.nix b/pkgs/development/python-modules/aesara/default.nix
index 7f7007ff0e93..efa9715a0f00 100644
--- a/pkgs/development/python-modules/aesara/default.nix
+++ b/pkgs/development/python-modules/aesara/default.nix
@@ -6,6 +6,8 @@
 , etuples
 , fetchFromGitHub
 , filelock
+, jax
+, jaxlib
 , logical-unification
 , minikanren
 , numba
@@ -19,7 +21,7 @@
 
 buildPythonPackage rec {
   pname = "aesara";
-  version = "2.7.2";
+  version = "2.7.3";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
@@ -28,7 +30,7 @@ buildPythonPackage rec {
     owner = "aesara-devs";
     repo = "aesara";
     rev = "refs/tags/rel-${version}";
-    hash = "sha256-NJxklOpIbSbi/SB/rafBNllpnNb1yWLVpyB2f/U0i78=";
+    hash = "sha256-LeZEWKSfVmU7k7qMjniUjwoDJ5xJUHoYux7Qy5/w4Cg=";
   };
 
   nativeBuildInputs = [
@@ -47,6 +49,8 @@ buildPythonPackage rec {
   ];
 
   checkInputs = [
+    jax
+    jaxlib
     numba
     numba-scipy
     pytestCheckHook

From 6cfccb5648d9c94f4baaa68a3fa2a6d1f48d1a2d Mon Sep 17 00:00:00 2001
From: Martin Weinelt <hexa@darmstadt.ccc.de>
Date: Wed, 22 Jun 2022 14:39:04 +0200
Subject: [PATCH 43/53] etesync-dav: update dependencies

---
 pkgs/applications/misc/etesync-dav/default.nix | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pkgs/applications/misc/etesync-dav/default.nix b/pkgs/applications/misc/etesync-dav/default.nix
index 42d16c3eaf81..1c590451a9b8 100644
--- a/pkgs/applications/misc/etesync-dav/default.nix
+++ b/pkgs/applications/misc/etesync-dav/default.nix
@@ -46,12 +46,15 @@ in python.pkgs.buildPythonApplication rec {
   };
 
   propagatedBuildInputs = with python.pkgs; [
+    appdirs
     etebase
     etesync
     flask
     flask-wtf
+    msgpack
     (python.pkgs.toPythonModule (radicale3.override { python3 = python; }))
-  ];
+    requests
+  ] ++ requests.optional-dependencies.socks;
 
   doCheck = false;
 

From 6614cd8b2bacf4f808f8ccbd9a8febe347b2107f Mon Sep 17 00:00:00 2001
From: Martin Messer <martin.messer@cyberus-technology.de>
Date: Wed, 22 Jun 2022 10:00:26 +0200
Subject: [PATCH 44/53] linuxPackages.ax99100: init at 1.8.0

---
 pkgs/os-specific/linux/ax99100/default.nix | 29 ++++++++++++++++++++++
 pkgs/top-level/linux-kernels.nix           |  2 ++
 2 files changed, 31 insertions(+)
 create mode 100644 pkgs/os-specific/linux/ax99100/default.nix

diff --git a/pkgs/os-specific/linux/ax99100/default.nix b/pkgs/os-specific/linux/ax99100/default.nix
new file mode 100644
index 000000000000..9167b4e5f89d
--- /dev/null
+++ b/pkgs/os-specific/linux/ax99100/default.nix
@@ -0,0 +1,29 @@
+{ kernel, stdenv, kmod, lib, fetchzip }:
+stdenv.mkDerivation
+{
+  pname = "ax99100";
+  version = "1.8.0";
+  nativeBuildInputs = [ kmod ] ++ kernel.moduleBuildDependencies;
+  src = fetchzip {
+    url = "https://www.asix.com.tw/en/support/download/file/1229";
+    sha256 = "1rbp1m01qr6b3nbr72vpbw89pjh8mddc60im78z2yjd951xkbcjh";
+    extension = "tar.bz2";
+  };
+
+  makeFlags = [ "KDIR='${kernel.dev}/lib/modules/${kernel.modDirVersion}/build'" ];
+
+  installPhase = ''
+    mkdir -p $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/tty/serial
+    cp ax99100.ko $out/lib/modules/${kernel.modDirVersion}/kernel/drivers/tty/serial
+  '';
+
+  meta = {
+    description = "ASIX AX99100 Serial and Parralel Port driver";
+    homepage = "https://www.asix.com.tw/en/product/Interface/PCIe_Bridge/AX99100";
+    # According to the source code in the tarball, the license is gpl2.
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.linux;
+    # currently, the build fails with kernels newer than 5.17
+    broken = lib.versionAtLeast kernel.version "5.18.0";
+  };
+}
diff --git a/pkgs/top-level/linux-kernels.nix b/pkgs/top-level/linux-kernels.nix
index 6e9f5fd5fc09..fe8969b43add 100644
--- a/pkgs/top-level/linux-kernels.nix
+++ b/pkgs/top-level/linux-kernels.nix
@@ -282,6 +282,8 @@ in {
 
     apfs = callPackage ../os-specific/linux/apfs { };
 
+    ax99100 = callPackage ../os-specific/linux/ax99100 {};
+
     batman_adv = callPackage ../os-specific/linux/batman-adv {};
 
     bbswitch = callPackage ../os-specific/linux/bbswitch {};

From e53c4b9205b91525afd42507c39319342561c435 Mon Sep 17 00:00:00 2001
From: adisbladis <adisbladis@gmail.com>
Date: Tue, 21 Jun 2022 23:43:34 +0800
Subject: [PATCH 45/53] crun: Don't use hard-coded /usr/bin paths

The paths to newuidmap & newgidmap are currently hard-coded in the binary.
---
 pkgs/applications/virtualization/crun/default.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/pkgs/applications/virtualization/crun/default.nix b/pkgs/applications/virtualization/crun/default.nix
index 2d35b1c4a039..1a49d7688865 100644
--- a/pkgs/applications/virtualization/crun/default.nix
+++ b/pkgs/applications/virtualization/crun/default.nix
@@ -11,6 +11,7 @@
 , yajl
 , nixosTests
 , criu
+, fetchpatch
 }:
 
 let
@@ -48,6 +49,15 @@ stdenv.mkDerivation rec {
     fetchSubmodules = true;
   };
 
+  patches = [
+    # Should dropped in next release after 1.4.5
+    (fetchpatch {
+      name = "usrbin-paths.patch";
+      url = "https://github.com/containers/crun/commit/dd29f7f7f713c49784ac30f7cdca33b2ef94d5b8.patch";
+      sha256 = "sha256-kHHix8CUL+c8HbOe5qx4PeF1P19113U4bRZyleMUjqk=";
+    })
+  ];
+
   nativeBuildInputs = [ autoreconfHook go-md2man pkg-config python3 ];
 
   buildInputs = [ libcap libseccomp systemd yajl ]

From 56e02acbb221bf7de7fc955b26a88e28181e9c7f Mon Sep 17 00:00:00 2001
From: Florian Brandes <florian.brandes@posteo.de>
Date: Wed, 22 Jun 2022 15:22:35 +0200
Subject: [PATCH 46/53] python3Packages.python-jenkins: remove deprecated
 unittest2

Signed-off-by: Florian Brandes <florian.brandes@posteo.de>
---
 .../python-modules/python-jenkins/default.nix        | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/pkgs/development/python-modules/python-jenkins/default.nix b/pkgs/development/python-modules/python-jenkins/default.nix
index 7c1d64fc827d..dad933966aea 100644
--- a/pkgs/development/python-modules/python-jenkins/default.nix
+++ b/pkgs/development/python-modules/python-jenkins/default.nix
@@ -10,8 +10,8 @@
 , multi_key_dict
 , testscenarios
 , requests
-, unittest2
 , requests-mock
+, stestr
 }:
 
 buildPythonPackage rec {
@@ -33,16 +33,16 @@ buildPythonPackage rec {
   buildInputs = [ mock ];
   propagatedBuildInputs = [ pbr pyyaml setuptools six multi_key_dict requests ];
 
-  checkInputs = [ unittest2 testscenarios requests-mock ];
-  checkPhase = ''
-    unit2
-  '';
+   checkInputs = [ stestr testscenarios requests-mock ];
+   checkPhase = ''
+     stestr run
+   '';
 
   meta = with lib; {
     description = "Python bindings for the remote Jenkins API";
     homepage = "https://pypi.python.org/pypi/python-jenkins";
     license = licenses.bsd3;
-    maintainers = with maintainers; [ ];
+    maintainers = with maintainers; [ gador ];
   };
 
 }

From cfbcf381c27f0494f86f97056f43d1101ada715a Mon Sep 17 00:00:00 2001
From: Andreas Rammhold <andreas@rammhold.de>
Date: Sat, 18 Dec 2021 23:01:33 +0100
Subject: [PATCH 47/53] nixos/home-assistant: reload the daemon when
 configuration changed

Reload the service when configuration changes. This means that we don't
have a potentially slow startup for every small configuration change.
---
 .../home-automation/home-assistant.nix        | 19 +++++++++--
 nixos/tests/home-assistant.nix                | 32 ++++++++++++++++++-
 2 files changed, 48 insertions(+), 3 deletions(-)

diff --git a/nixos/modules/services/home-automation/home-assistant.nix b/nixos/modules/services/home-automation/home-assistant.nix
index e255e5d22188..2aacc5e55c6e 100644
--- a/nixos/modules/services/home-automation/home-assistant.nix
+++ b/nixos/modules/services/home-automation/home-assistant.nix
@@ -369,6 +369,17 @@ in {
 
     networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.config.http.server_port ];
 
+    # symlink the configuration to /etc/home-assistant
+    environment.etc = lib.mkMerge [
+      (lib.mkIf (cfg.config != null && !cfg.configWritable) {
+        "home-assistant/configuration.yaml".source = configFile;
+      })
+
+      (lib.mkIf (cfg.lovelaceConfig != null && !cfg.lovelaceConfigWritable) {
+        "home-assistant/ui-lovelace.yaml".source = lovelaceConfigFile;
+      })
+    ];
+
     systemd.services.home-assistant = {
       description = "Home Assistant";
       after = [
@@ -378,18 +389,22 @@ in {
         "mysql.service"
         "postgresql.service"
       ];
+      reloadTriggers = [
+        configFile
+        lovelaceConfigFile
+      ];
       preStart = let
         copyConfig = if cfg.configWritable then ''
           cp --no-preserve=mode ${configFile} "${cfg.configDir}/configuration.yaml"
         '' else ''
           rm -f "${cfg.configDir}/configuration.yaml"
-          ln -s ${configFile} "${cfg.configDir}/configuration.yaml"
+          ln -s /etc/home-assistant/configuration.yaml "${cfg.configDir}/configuration.yaml"
         '';
         copyLovelaceConfig = if cfg.lovelaceConfigWritable then ''
           cp --no-preserve=mode ${lovelaceConfigFile} "${cfg.configDir}/ui-lovelace.yaml"
         '' else ''
           rm -f "${cfg.configDir}/ui-lovelace.yaml"
-          ln -s ${lovelaceConfigFile} "${cfg.configDir}/ui-lovelace.yaml"
+          ln -s /etc/home-assistant/ui-lovelace.yaml "${cfg.configDir}/ui-lovelace.yaml"
         '';
       in
         (optionalString (cfg.config != null) copyConfig) +
diff --git a/nixos/tests/home-assistant.nix b/nixos/tests/home-assistant.nix
index f7b9d283e457..341374e636ae 100644
--- a/nixos/tests/home-assistant.nix
+++ b/nixos/tests/home-assistant.nix
@@ -98,9 +98,26 @@ in {
       };
       lovelaceConfigWritable = true;
     };
+
+    # Cause a configuration change inside `configuration.yml` and verify that the process is being reloaded.
+    specialisation.differentName = {
+      inheritParentConfig = true;
+      configuration.services.home-assistant.config.homeassistant.name = lib.mkForce "Test Home";
+    };
+
+    # Cause a configuration change that requires a service restart as we added a new runtime dependency
+    specialisation.newFeature = {
+      inheritParentConfig = true;
+      configuration.services.home-assistant.config.device_tracker = [
+        { platform = "bluetooth_tracker"; }
+      ];
+    };
   };
 
-  testScript = ''
+  testScript = { nodes, ... }: let
+    system = nodes.hass.config.system.build.toplevel;
+  in
+  ''
     import re
 
     start_all()
@@ -142,6 +159,19 @@ in {
     with subtest("Check extra components are considered in systemd unit hardening"):
         hass.succeed("systemctl show -p DeviceAllow home-assistant.service | grep -q char-ttyUSB")
 
+    with subtest("Check service reloads when configuration changes"):
+      # store the old pid of the process
+      pid = hass.succeed("systemctl show --property=MainPID home-assistant.service")
+      hass.succeed("${system}/specialisation/differentName/bin/switch-to-configuration test")
+      new_pid = hass.succeed("systemctl show --property=MainPID home-assistant.service")
+      assert pid == new_pid, "The PID of the process should not change between process reloads"
+
+    with subtest("check service restarts when package changes"):
+      pid = new_pid
+      hass.succeed("${system}/specialisation/newFeature/bin/switch-to-configuration test")
+      new_pid = hass.succeed("systemctl show --property=MainPID home-assistant.service")
+      assert pid != new_pid, "The PID of the process shoudl change when the HA binary changes"
+
     with subtest("Print log to ease debugging"):
         output_log = hass.succeed("cat ${configDir}/home-assistant.log")
         print("\n### home-assistant.log ###\n")

From d26a6e377dbac403f02bdb43400615906049acb2 Mon Sep 17 00:00:00 2001
From: Martin Weinelt <hexa@darmstadt.ccc.de>
Date: Wed, 22 Jun 2022 16:23:26 +0200
Subject: [PATCH 48/53] nixos/tests/home-assistant: stop printing log

With multiple specialization changes this isn't very helpful anymore,
but no biggie since we check the log for errors anyway and the log is
not too verbose anyway.
---
 nixos/tests/home-assistant.nix | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/nixos/tests/home-assistant.nix b/nixos/tests/home-assistant.nix
index 341374e636ae..59b82593abcd 100644
--- a/nixos/tests/home-assistant.nix
+++ b/nixos/tests/home-assistant.nix
@@ -172,12 +172,8 @@ in {
       new_pid = hass.succeed("systemctl show --property=MainPID home-assistant.service")
       assert pid != new_pid, "The PID of the process shoudl change when the HA binary changes"
 
-    with subtest("Print log to ease debugging"):
-        output_log = hass.succeed("cat ${configDir}/home-assistant.log")
-        print("\n### home-assistant.log ###\n")
-        print(output_log + "\n")
-
     with subtest("Check that no errors were logged"):
+        output_log = hass.succeed("cat ${configDir}/home-assistant.log")
         assert "ERROR" not in output_log
 
     with subtest("Check systemd unit hardening"):

From 6cbcd261f3a3797604fd9b14b781ac4e2667db72 Mon Sep 17 00:00:00 2001
From: "R. Ryantm" <ryantm-bot@ryantm.com>
Date: Wed, 22 Jun 2022 11:50:01 +0000
Subject: [PATCH 49/53] python310Packages.cloudflare: 2.9.10 -> 2.9.11

---
 pkgs/development/python-modules/cloudflare/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/python-modules/cloudflare/default.nix b/pkgs/development/python-modules/cloudflare/default.nix
index e6498216aa03..97c23c17dd35 100644
--- a/pkgs/development/python-modules/cloudflare/default.nix
+++ b/pkgs/development/python-modules/cloudflare/default.nix
@@ -12,14 +12,14 @@
 
 buildPythonPackage rec {
   pname = "cloudflare";
-  version = "2.9.10";
+  version = "2.9.11";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-LsUMB0zqlelHqWsgdmJ8v+Qn/reYuxCTKTODBT9K0bg=";
+    hash = "sha256-kvCSazLBU2sBzobdZrVXcdlEpMoAe5wb7rBWxzhDuus=";
   };
 
   propagatedBuildInputs = [

From 59bd6ce4c86db54f207f15684fe445848fcfa707 Mon Sep 17 00:00:00 2001
From: "R. Ryantm" <ryantm-bot@ryantm.com>
Date: Wed, 22 Jun 2022 09:58:03 +0000
Subject: [PATCH 50/53] python310Packages.azure-mgmt-eventhub: 10.0.0 -> 10.1.0

---
 .../python-modules/azure-mgmt-eventhub/default.nix            | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/python-modules/azure-mgmt-eventhub/default.nix b/pkgs/development/python-modules/azure-mgmt-eventhub/default.nix
index 70103df64cfc..05b231d4df2b 100644
--- a/pkgs/development/python-modules/azure-mgmt-eventhub/default.nix
+++ b/pkgs/development/python-modules/azure-mgmt-eventhub/default.nix
@@ -11,12 +11,12 @@
 
 buildPythonPackage rec {
   pname = "azure-mgmt-eventhub";
-  version = "10.0.0";
+  version = "10.1.0";
 
   src = fetchPypi {
     inherit pname version;
     extension = "zip";
-    sha256 = "0856574ef4b73bbbc62834051061e2081400aba7e3715e10ef5181d639e86a0b";
+    sha256 = "sha256-MZqhSBkwypvEefhoEWEPsBUFidWYD7qAX6edcBDDSSA=";
   };
 
   propagatedBuildInputs = [

From 05180cfb01ffae135499007a1f85f186a70dfe4c Mon Sep 17 00:00:00 2001
From: Fabian Affolter <mail@fabian-affolter.ch>
Date: Wed, 22 Jun 2022 14:12:57 +0200
Subject: [PATCH 51/53] python310Packages.azure-mgmt-eventhub: disable on older
 Python releases

---
 .../python-modules/azure-mgmt-eventhub/default.nix     | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/pkgs/development/python-modules/azure-mgmt-eventhub/default.nix b/pkgs/development/python-modules/azure-mgmt-eventhub/default.nix
index 05b231d4df2b..4955655607d2 100644
--- a/pkgs/development/python-modules/azure-mgmt-eventhub/default.nix
+++ b/pkgs/development/python-modules/azure-mgmt-eventhub/default.nix
@@ -5,18 +5,20 @@
 , msrestazure
 , azure-common
 , azure-mgmt-core
-, azure-mgmt-nspkg
-, isPy3k
+, pythonOlder
 }:
 
 buildPythonPackage rec {
   pname = "azure-mgmt-eventhub";
   version = "10.1.0";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.6";
 
   src = fetchPypi {
     inherit pname version;
     extension = "zip";
-    sha256 = "sha256-MZqhSBkwypvEefhoEWEPsBUFidWYD7qAX6edcBDDSSA=";
+    hash = "sha256-MZqhSBkwypvEefhoEWEPsBUFidWYD7qAX6edcBDDSSA=";
   };
 
   propagatedBuildInputs = [
@@ -24,8 +26,6 @@ buildPythonPackage rec {
     msrestazure
     azure-common
     azure-mgmt-core
-  ] ++ lib.optionals (!isPy3k) [
-    azure-mgmt-nspkg
   ];
 
   # has no tests

From 73258f3468039869c6a4fdeaf518a3ae937dc7ea Mon Sep 17 00:00:00 2001
From: "R. Ryantm" <ryantm-bot@ryantm.com>
Date: Wed, 22 Jun 2022 11:28:03 +0000
Subject: [PATCH 52/53] python310Packages.tensorflow-metadata: 1.8.0 -> 1.9.0

---
 .../python-modules/tensorflow-metadata/default.nix            | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/python-modules/tensorflow-metadata/default.nix b/pkgs/development/python-modules/tensorflow-metadata/default.nix
index bdf6cc08aa64..5204e2158dc7 100644
--- a/pkgs/development/python-modules/tensorflow-metadata/default.nix
+++ b/pkgs/development/python-modules/tensorflow-metadata/default.nix
@@ -8,13 +8,13 @@
 
 buildPythonPackage rec {
   pname = "tensorflow-metadata";
-  version = "1.8.0";
+  version = "1.9.0";
 
   src = fetchFromGitHub {
     owner = "tensorflow";
     repo = "metadata";
     rev = "refs/tags/v${version}";
-    sha256 = "sha256-IaLr6XYEy1EcyWi5GWzDFa7TeVZ59v8Wj5qkNdVbOqw=";
+    sha256 = "sha256-6BtKHyVrprtEb2Bi7g2YuctUykWSRXmKwADfHzGkYjc=";
   };
 
   patches = [

From 39e6ebdfe1552028cd33eec26678a54d2f848f52 Mon Sep 17 00:00:00 2001
From: Johannes Maier <kenranunderscore@users.noreply.github.com>
Date: Wed, 22 Jun 2022 18:06:54 +0200
Subject: [PATCH 53/53] buildDhallUrl: fix impure proxy variable passing
 (#178544)

PR #177891 tried fixing a problem with `buildDhallUrl` in environments
where proxy variables are necessary for internet access to work.  The
`impureEnvVars` should be set in `downloadEncodedFile` instead of the
final `runCommand`, as the former is an FOD, the latter isn't.
---
 pkgs/development/interpreters/dhall/build-dhall-url.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkgs/development/interpreters/dhall/build-dhall-url.nix b/pkgs/development/interpreters/dhall/build-dhall-url.nix
index 9dcd885d25c3..6d7103f78e6f 100644
--- a/pkgs/development/interpreters/dhall/build-dhall-url.nix
+++ b/pkgs/development/interpreters/dhall/build-dhall-url.nix
@@ -59,6 +59,7 @@ let
         outputHash = hash;
         name = baseNameOf url;
         nativeBuildInputs = [ cacert ];
+        impureEnvVars = lib.fetchers.proxyImpureEnvVars;
       }
       ''
         echo "${url} ${dhallHash}" > in-dhall-file
@@ -76,7 +77,7 @@ let
    sourceFile = "source.dhall";
 
 in
-  runCommand name { impureEnvVars = lib.fetchers.proxyImpureEnvVars; }
+  runCommand name { }
  (''
     set -eu