Merge #275620: staging-next 2023-12-20

maintainers/scripts/luarocks-packages.csv

@@ -7,7 +7,7 @@ binaryheap,,,,,,vcunat
 busted,,,,,,
 cassowary,,,,,,marsam alerque
 cldr,,,,,,alerque
-compat53,,,,0.7-1,,vcunat
+compat53,,,,,,vcunat
 cosmo,,,,,,marsam
 coxpcall,,,,1.17.0-1,,
 cqueues,,,,,,vcunat
@@ -15,6 +15,7 @@ cyan,,,,,,
 digestif,https://github.com/astoff/digestif.git,,,,5.3,
 dkjson,,,,,,
 fennel,,,,,,misterio77
+fidget.nvim,,,,,,mrcjkb
 fifo,,,,,,
 fluent,,,,,,alerque
 fzy,,,,,,mrcjkb
@@ -55,7 +56,7 @@ lua-subprocess,https://github.com/0x0ade/lua-subprocess,,,,5.1,scoder12
 lua-term,,,,,,
 lua-toml,,,,,,
 lua-zlib,,,,,,koral
-lua_cliargs,https://github.com/amireh/lua_cliargs.git,,,,,
+lua_cliargs,,,,,,
 luabitop,https://github.com/teto/luabitop.git,,,,,
 luacheck,,,,,,
 luacov,,,,,,
@@ -86,7 +87,7 @@ luautf8,,,,,,pstn
 luazip,,,,,,
 lua-yajl,,,,,,pstn
 lua-iconv,,,,7.0.0,,
-luuid,,,,,,
+luuid,,,,20120509-2,,
 luv,,,,1.44.2-1,,
 lush.nvim,https://github.com/rktjmp/lush.nvim,,,,,teto
 lyaml,,,,,,lblasc

nixos/doc/manual/release-notes/rl-2405.section.md

@@ -26,6 +26,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - [maubot](https://github.com/maubot/maubot), a plugin-based Matrix bot framework. Available as [services.maubot](#opt-services.maubot.enable).
 
+- systemd's gateway, upload, and remote services, which provides ways of sending journals across the network. Enable using [services.journald.gateway](#opt-services.journald.gateway.enable), [services.journald.upload](#opt-services.journald.upload.enable), and [services.journald.remote](#opt-services.journald.remote.enable).
+
 - [GNS3](https://www.gns3.com/), a network software emulator. Available as [services.gns3-server](#opt-services.gns3-server.enable).
 
 - [rspamd-trainer](https://gitlab.com/onlime/rspamd-trainer), script triggered by a helper which reads mails from a specific mail inbox and feeds them into rspamd for spam/ham training.

nixos/lib/make-options-doc/default.nix

@@ -120,7 +120,7 @@ in rec {
     { meta.description = "List of NixOS options in JSON format";
       nativeBuildInputs = [
         pkgs.brotli
-        pkgs.python3Minimal
+        pkgs.python3
       ];
       options = builtins.toFile "options.json"
         (builtins.unsafeDiscardStringContext (builtins.toJSON optionsNix));

nixos/lib/test-driver/default.nix

@@ -18,7 +18,7 @@ python3Packages.buildPythonApplication {
   pname = "nixos-test-driver";
   version = "1.1";
   src = ./.;
-  format = "pyproject";
+  pyproject = true;
 
   propagatedBuildInputs = [
     coreutils
@@ -32,6 +32,10 @@ python3Packages.buildPythonApplication {
     ++ (lib.optionals enableOCR [ imagemagick_light tesseract4 ])
     ++ extraPythonPackages python3Packages;
 
+  nativeBuildInputs = [
+    python3Packages.setuptools
+  ];
+
   passthru.tests = {
     inherit (nixosTests.nixos-test-driver) driver-timeout;
   };

nixos/modules/hardware/video/webcam/ipu6.nix

@@ -13,11 +13,12 @@ in
     enable = mkEnableOption (lib.mdDoc "support for Intel IPU6/MIPI cameras");
 
     platform = mkOption {
-      type = types.enum [ "ipu6" "ipu6ep" ];
+      type = types.enum [ "ipu6" "ipu6ep" "ipu6epmtl" ];
       description = lib.mdDoc ''
         Choose the version for your hardware platform.
 
-        Use `ipu6` for Tiger Lake and `ipu6ep` for Alder Lake respectively.
+        Use `ipu6` for Tiger Lake, `ipu6ep` for Alder Lake or Raptor Lake,
+        and `ipu6epmtl` for Meteor Lake.
       '';
     };
 
@@ -29,9 +30,7 @@ in
       ipu6-drivers
     ];
 
-    hardware.firmware = with pkgs; [ ]
+    hardware.firmware = [ pkgs.ipu6-camera-bins ];
-      ++ optional (cfg.platform == "ipu6") ipu6-camera-bin
-      ++ optional (cfg.platform == "ipu6ep") ipu6ep-camera-bin;
 
     services.udev.extraRules = ''
       SUBSYSTEM=="intel-ipu6-psys", MODE="0660", GROUP="video"
@@ -44,14 +43,13 @@ in
 
       extraPackages = with pkgs.gst_all_1; [ ]
         ++ optional (cfg.platform == "ipu6") icamerasrc-ipu6
-        ++ optional (cfg.platform == "ipu6ep") icamerasrc-ipu6ep;
+        ++ optional (cfg.platform == "ipu6ep") icamerasrc-ipu6ep
+        ++ optional (cfg.platform == "ipu6epmtl") icamerasrc-ipu6epmtl;
 
       input = {
         pipeline = "icamerasrc";
-        format = mkIf (cfg.platform == "ipu6ep") (mkDefault "NV12");
+        format = mkIf (cfg.platform != "ipu6") (mkDefault "NV12");
       };
     };
-
   };
-
 }

nixos/modules/module-list.nix

@@ -1476,6 +1476,9 @@
   ./system/boot/systemd/initrd-secrets.nix
   ./system/boot/systemd/initrd.nix
   ./system/boot/systemd/journald.nix
+  ./system/boot/systemd/journald-gateway.nix
+  ./system/boot/systemd/journald-remote.nix
+  ./system/boot/systemd/journald-upload.nix
   ./system/boot/systemd/logind.nix
   ./system/boot/systemd/nspawn.nix
   ./system/boot/systemd/oomd.nix

nixos/modules/system/boot/systemd/journald-gateway.nix

@@ -0,0 +1,135 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.journald.gateway;
+
+  cliArgs = lib.cli.toGNUCommandLineShell { } {
+    # If either of these are null / false, they are not passed in the command-line
+    inherit (cfg) cert key trust system user merge;
+  };
+in
+{
+  meta.maintainers = [ lib.maintainers.raitobezarius ];
+  options.services.journald.gateway = {
+    enable = lib.mkEnableOption "the HTTP gateway to the journal";
+
+    port = lib.mkOption {
+      default = 19531;
+      type = lib.types.port;
+      description = ''
+        The port to listen to.
+      '';
+    };
+
+    cert = lib.mkOption {
+      default = null;
+      type = with lib.types; nullOr str;
+      description = lib.mdDoc ''
+        The path to a file or `AF_UNIX` stream socket to read the server
+        certificate from.
+
+        The certificate must be in PEM format. This option switches
+        `systemd-journal-gatewayd` into HTTPS mode and must be used together
+        with {option}`services.journald.gateway.key`.
+      '';
+    };
+
+    key = lib.mkOption {
+      default = null;
+      type = with lib.types; nullOr str;
+      description = lib.mdDoc ''
+        Specify the path to a file or `AF_UNIX` stream socket to read the
+        secret server key corresponding to the certificate specified with
+        {option}`services.journald.gateway.cert` from.
+
+        The key must be in PEM format.
+
+        This key should not be world-readable, and must be readably by the
+        `systemd-journal-gateway` user.
+      '';
+    };
+
+    trust = lib.mkOption {
+      default = null;
+      type = with lib.types; nullOr str;
+      description = lib.mdDoc ''
+        Specify the path to a file or `AF_UNIX` stream socket to read a CA
+        certificate from.
+
+        The certificate must be in PEM format.
+
+        Setting this option enforces client certificate checking.
+      '';
+    };
+
+    system = lib.mkOption {
+      default = true;
+      type = lib.types.bool;
+      description = lib.mdDoc ''
+        Serve entries from system services and the kernel.
+
+        This has the same meaning as `--system` for {manpage}`journalctl(1)`.
+      '';
+    };
+
+    user = lib.mkOption {
+      default = true;
+      type = lib.types.bool;
+      description = lib.mdDoc ''
+        Serve entries from services for the current user.
+
+        This has the same meaning as `--user` for {manpage}`journalctl(1)`.
+      '';
+    };
+
+    merge = lib.mkOption {
+      default = false;
+      type = lib.types.bool;
+      description = lib.mdDoc ''
+        Serve entries interleaved from all available journals, including other
+        machines.
+
+        This has the same meaning as `--merge` option for
+        {manpage}`journalctl(1)`.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        # This prevents the weird case were disabling "system" and "user"
+        # actually enables both because the cli flags are not present.
+        assertion = cfg.system || cfg.user;
+        message = ''
+          systemd-journal-gatewayd cannot serve neither "system" nor "user"
+          journals.
+        '';
+      }
+    ];
+
+    systemd.additionalUpstreamSystemUnits = [
+      "systemd-journal-gatewayd.socket"
+      "systemd-journal-gatewayd.service"
+    ];
+
+    users.users.systemd-journal-gateway.uid = config.ids.uids.systemd-journal-gateway;
+    users.users.systemd-journal-gateway.group = "systemd-journal-gateway";
+    users.groups.systemd-journal-gateway.gid = config.ids.gids.systemd-journal-gateway;
+
+    systemd.services.systemd-journal-gatewayd.serviceConfig.ExecStart = [
+        # Clear the default command line
+        ""
+        "${pkgs.systemd}/lib/systemd/systemd-journal-gatewayd ${cliArgs}"
+    ];
+
+    systemd.sockets.systemd-journal-gatewayd = {
+      wantedBy = [ "sockets.target" ];
+      listenStreams = [
+        # Clear the default port
+        ""
+        (toString cfg.port)
+      ];
+    };
+  };
+}

nixos/modules/system/boot/systemd/journald-remote.nix

@@ -0,0 +1,163 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.journald.remote;
+  format = pkgs.formats.systemd;
+
+  cliArgs = lib.cli.toGNUCommandLineShell { } {
+    inherit (cfg) output;
+    # "-3" specifies the file descriptor from the .socket unit.
+    "listen-${cfg.listen}" = "-3";
+  };
+in
+{
+  meta.maintainers = [ lib.maintainers.raitobezarius ];
+  options.services.journald.remote = {
+    enable = lib.mkEnableOption "receiving systemd journals from the network";
+
+    listen = lib.mkOption {
+      default = "https";
+      type = lib.types.enum [ "https" "http" ];
+      description = lib.mdDoc ''
+        Which protocol to listen to.
+      '';
+    };
+
+    output = lib.mkOption {
+      default = "/var/log/journal/remote/";
+      type = lib.types.str;
+      description = lib.mdDoc ''
+        The location of the output journal.
+
+        In case the output file is not specified, journal files will be created
+        underneath the selected directory. Files will be called
+        {file}`remote-hostname.journal`, where the `hostname` part is the
+        escaped hostname of the source endpoint of the connection, or the
+        numerical address if the hostname cannot be determined.
+      '';
+    };
+
+    port = lib.mkOption {
+      default = 19532;
+      type = lib.types.port;
+      description = ''
+        The port to listen to.
+
+        Note that this option is used only if
+        {option}`services.journald.upload.listen` is configured to be either
+        "https" or "http".
+      '';
+    };
+
+    settings = lib.mkOption {
+      default = { };
+
+      description = lib.mdDoc ''
+        Configuration in the journal-remote configuration file. See
+        {manpage}`journal-remote.conf(5)` for available options.
+      '';
+
+      type = lib.types.submodule {
+        freeformType = format.type;
+
+        options.Remote = {
+          Seal = lib.mkOption {
+            default = false;
+            example = true;
+            type = lib.types.bool;
+            description = ''
+              Periodically sign the data in the journal using Forward Secure
+              Sealing.
+            '';
+          };
+
+          SplitMode = lib.mkOption {
+            default = "host";
+            example = "none";
+            type = lib.types.enum [ "host" "none" ];
+            description = lib.mdDoc ''
+              With "host", a separate output file is used, based on the
+              hostname of the other endpoint of a connection. With "none", only
+              one output journal file is used.
+            '';
+          };
+
+          ServerKeyFile = lib.mkOption {
+            default = "/etc/ssl/private/journal-remote.pem";
+            type = lib.types.str;
+            description = lib.mdDoc ''
+              A path to a SSL secret key file in PEM format.
+
+              Note that due to security reasons, `systemd-journal-remote` will
+              refuse files from the world-readable `/nix/store`. This file
+              should be readable by the "" user.
+
+              This option can be used with `listen = "https"`. If the path
+              refers to an `AF_UNIX` stream socket in the file system a
+              connection is made to it and the key read from it.
+            '';
+          };
+
+          ServerCertificateFile = lib.mkOption {
+            default = "/etc/ssl/certs/journal-remote.pem";
+            type = lib.types.str;
+            description = lib.mdDoc ''
+              A path to a SSL certificate file in PEM format.
+
+              This option can be used with `listen = "https"`. If the path
+              refers to an `AF_UNIX` stream socket in the file system a
+              connection is made to it and the certificate read from it.
+            '';
+          };
+
+          TrustedCertificateFile = lib.mkOption {
+            default = "/etc/ssl/ca/trusted.pem";
+            type = lib.types.str;
+            description = lib.mdDoc ''
+              A path to a SSL CA certificate file in PEM format, or `all`.
+
+              If `all` is set, then client certificate checking will be
+              disabled.
+
+              This option can be used with `listen = "https"`. If the path
+              refers to an `AF_UNIX` stream socket in the file system a
+              connection is made to it and the certificate read from it.
+            '';
+          };
+        };
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.additionalUpstreamSystemUnits = [
+      "systemd-journal-remote.service"
+      "systemd-journal-remote.socket"
+    ];
+
+    systemd.services.systemd-journal-remote.serviceConfig.ExecStart = [
+      # Clear the default command line
+      ""
+      "${pkgs.systemd}/lib/systemd/systemd-journal-remote ${cliArgs}"
+    ];
+
+    systemd.sockets.systemd-journal-remote = {
+      wantedBy = [ "sockets.target" ];
+      listenStreams = [
+        # Clear the default port
+        ""
+        (toString cfg.port)
+      ];
+    };
+
+    # User and group used by systemd-journal-remote.service
+    users.groups.systemd-journal-remote = { };
+    users.users.systemd-journal-remote = {
+      isSystemUser = true;
+      group = "systemd-journal-remote";
+    };
+
+    environment.etc."systemd/journal-remote.conf".source =
+      format.generate "journal-remote.conf" cfg.settings;
+  };
+}

nixos/modules/system/boot/systemd/journald-upload.nix

@@ -0,0 +1,111 @@
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.services.journald.upload;
+  format = pkgs.formats.systemd;
+in
+{
+  meta.maintainers = [ lib.maintainers.raitobezarius ];
+  options.services.journald.upload = {
+    enable = lib.mkEnableOption "uploading the systemd journal to a remote server";
+
+    settings = lib.mkOption {
+      default = { };
+
+      description = lib.mdDoc ''
+        Configuration for journal-upload. See {manpage}`journal-upload.conf(5)`
+        for available options.
+      '';
+
+      type = lib.types.submodule {
+        freeformType = format.type;
+
+        options.Upload = {
+          URL = lib.mkOption {
+            type = lib.types.str;
+            example = "https://192.168.1.1";
+            description = ''
+              The URL to upload the journal entries to.
+
+              See the description of `--url=` option in
+              {manpage}`systemd-journal-upload(8)` for the description of
+              possible values.
+            '';
+          };
+
+          ServerKeyFile = lib.mkOption {
+            type = with lib.types; nullOr str;
+            example = lib.literalExpression "./server-key.pem";
+            # Since systemd-journal-upload uses a DynamicUser, permissions must
+            # be done using groups
+            description = ''
+              SSL key in PEM format.
+
+              In contrary to what the name suggests, this option configures the
+              client private key sent to the remote journal server.
+
+              This key should not be world-readable, and must be readably by
+              the `systemd-journal` group.
+            '';
+            default = null;
+          };
+
+          ServerCertificateFile = lib.mkOption {
+            type = with lib.types; nullOr str;
+            example = lib.literalExpression "./server-ca.pem";
+            description = ''
+              SSL CA certificate in PEM format.
+
+              In contrary to what the name suggests, this option configures the
+              client certificate sent to the remote journal server.
+            '';
+            default = null;
+          };
+
+          TrustedCertificateFile = lib.mkOption {
+            type = with lib.types; nullOr str;
+            example = lib.literalExpression "./ca";
+            description = ''
+              SSL CA certificate.
+
+              This certificate will be used to check the remote journal HTTPS
+              server certificate.
+            '';
+            default = null;
+          };
+
+          NetworkTimeoutSec = lib.mkOption {
+            type = with lib.types; nullOr str;
+            example = "1s";
+            description = ''
+              When network connectivity to the server is lost, this option
+              configures the time to wait for the connectivity to get restored.
+
+              If the server is not reachable over the network for the
+              configured time, `systemd-journal-upload` exits. Takes a value in
+              seconds (or in other time units if suffixed with "ms", "min",
+              "h", etc). For details, see {manpage}`systemd.time(5)`.
+            '';
+            default = null;
+          };
+        };
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.additionalUpstreamSystemUnits = [ "systemd-journal-upload.service" ];
+
+    systemd.services."systemd-journal-upload" = {
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Restart = "always";
+        # To prevent flooding the server in case the server is struggling
+        RestartSec = "3sec";
+      };
+    };
+
+    environment.etc."systemd/journal-upload.conf".source =
+      format.generate "journal-upload.conf" cfg.settings;
+  };
+}

nixos/modules/system/boot/systemd/journald.nix

@@ -5,6 +5,10 @@ with lib;
 let
   cfg = config.services.journald;
 in {
+  imports = [
+    (mkRenamedOptionModule [ "services" "journald" "enableHttpGateway" ] [ "services" "journald" "gateway" "enable" ])
+  ];
+
   options = {
     services.journald.console = mkOption {
       default = "";
@@ -71,14 +75,6 @@ in {
       '';
     };
 
-    services.journald.enableHttpGateway = mkOption {
-      default = false;
-      type = types.bool;
-      description = lib.mdDoc ''
-        Whether to enable the HTTP gateway to the journal.
-      '';
-    };
-
     services.journald.forwardToSyslog = mkOption {
       default = config.services.rsyslogd.enable || config.services.syslog-ng.enable;
       defaultText = literalExpression "services.rsyslogd.enable || services.syslog-ng.enable";
@@ -101,9 +97,6 @@ in {
       ] ++ (optional (!config.boot.isContainer) "systemd-journald-audit.socket") ++ [
       "systemd-journald-dev-log.socket"
       "syslog.socket"
-      ] ++ optionals cfg.enableHttpGateway [
-      "systemd-journal-gatewayd.socket"
-      "systemd-journal-gatewayd.service"
       ];
 
     environment.etc = {
@@ -124,12 +117,6 @@ in {
     };
 
     users.groups.systemd-journal.gid = config.ids.gids.systemd-journal;
-    users.users.systemd-journal-gateway.uid = config.ids.uids.systemd-journal-gateway;
-    users.users.systemd-journal-gateway.group = "systemd-journal-gateway";
-    users.groups.systemd-journal-gateway.gid = config.ids.gids.systemd-journal-gateway;
-
-    systemd.sockets.systemd-journal-gatewayd.wantedBy =
-      optional cfg.enableHttpGateway "sockets.target";
 
     systemd.services.systemd-journal-flush.restartIfChanged = false;
     systemd.services.systemd-journald.restartTriggers = [ config.environment.etc."systemd/journald.conf".source ];

nixos/modules/system/boot/timesyncd.nix

@@ -46,6 +46,13 @@ with lib;
       wantedBy = [ "sysinit.target" ];
       aliases = [ "dbus-org.freedesktop.timesync1.service" ];
       restartTriggers = [ config.environment.etc."systemd/timesyncd.conf".source ];
+      # systemd-timesyncd disables DNSSEC validation in the nss-resolve module by setting SYSTEMD_NSS_RESOLVE_VALIDATE to 0 in the unit file.
+      # This is required in order to solve the chicken-and-egg problem when DNSSEC validation needs the correct time to work, but to set the
+      # correct time, we need to connect to an NTP server, which usually requires resolving its hostname.
+      # In order for nss-resolve to be able to read this environment variable we patch systemd-timesyncd to disable NSCD and use NSS modules directly.
+      # This means that systemd-timesyncd needs to have NSS modules path in LD_LIBRARY_PATH. When systemd-resolved is disabled we still need to set
+      # NSS module path so that systemd-timesyncd keeps using other NSS modules that are configured in the system.
+      environment.LD_LIBRARY_PATH = config.system.nssModules.path;
 
       preStart = (
         # Ensure that we have some stored time to prevent

nixos/tests/all-tests.nix

@@ -843,6 +843,8 @@ in {
   systemd-initrd-networkd-openvpn = handleTestOn [ "x86_64-linux" "i686-linux" ] ./initrd-network-openvpn { systemdStage1 = true; };
   systemd-initrd-vlan = handleTest ./systemd-initrd-vlan.nix {};
   systemd-journal = handleTest ./systemd-journal.nix {};
+  systemd-journal-gateway = handleTest ./systemd-journal-gateway.nix {};
+  systemd-journal-upload = handleTest ./systemd-journal-upload.nix {};
   systemd-machinectl = handleTest ./systemd-machinectl.nix {};
   systemd-networkd = handleTest ./systemd-networkd.nix {};
   systemd-networkd-dhcpserver = handleTest ./systemd-networkd-dhcpserver.nix {};
@@ -858,6 +860,7 @@ in {
   systemd-shutdown = handleTest ./systemd-shutdown.nix {};
   systemd-sysupdate = runTest ./systemd-sysupdate.nix;
   systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};
+  systemd-timesyncd-nscd-dnssec = handleTest ./systemd-timesyncd-nscd-dnssec.nix {};
   systemd-user-tmpfiles-rules = handleTest ./systemd-user-tmpfiles-rules.nix {};
   systemd-misc = handleTest ./systemd-misc.nix {};
   systemd-userdbd = handleTest ./systemd-userdbd.nix {};

nixos/tests/installer.nix

@@ -510,14 +510,8 @@ let
             ntp
             perlPackages.ListCompare
             perlPackages.XMLLibXML
-            python3Minimal
             # make-options-doc/default.nix
-            (let
+            python3.withPackages (p: [ p.mistune ])
-                self = (pkgs.python3Minimal.override {
-                  inherit self;
-                  includeSiteCustomize = true;
-                });
-              in self.withPackages (p: [ p.mistune ]))
             shared-mime-info
             sudo
             texinfo

nixos/tests/os-prober.nix

@@ -95,7 +95,7 @@ in {
           ntp
           perlPackages.ListCompare
           perlPackages.XMLLibXML
-          python3Minimal
+          python3
           shared-mime-info
           stdenv
           sudo

nixos/tests/systemd-journal-gateway.nix

@@ -0,0 +1,90 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }:
+{
+  name = "systemd-journal-gateway";
+  meta = with pkgs.lib.maintainers; {
+    maintainers = [ minijackson raitobezarius ];
+  };
+
+  # Named client for coherence with the systemd-journal-upload test, and for
+  # certificate validation
+  nodes.client = {
+    services.journald.gateway = {
+      enable = true;
+      cert = "/run/secrets/client/cert.pem";
+      key = "/run/secrets/client/key.pem";
+      trust = "/run/secrets/ca.cert.pem";
+    };
+  };
+
+  testScript = ''
+    import json
+    import subprocess
+    import tempfile
+
+    tmpdir_o = tempfile.TemporaryDirectory()
+    tmpdir = tmpdir_o.name
+
+    def generate_pems(domain: str):
+      subprocess.run(
+        [
+          "${pkgs.minica}/bin/minica",
+          "--ca-key=ca.key.pem",
+          "--ca-cert=ca.cert.pem",
+          f"--domains={domain}",
+        ],
+        cwd=str(tmpdir),
+      )
+
+    with subtest("Creating keys and certificates"):
+      generate_pems("server")
+      generate_pems("client")
+
+    client.wait_for_unit("multi-user.target")
+
+    def copy_pem(file: str):
+      machine.copy_from_host(source=f"{tmpdir}/{file}", target=f"/run/secrets/{file}")
+      machine.succeed(f"chmod 644 /run/secrets/{file}")
+
+    with subtest("Copying keys and certificates"):
+      machine.succeed("mkdir -p /run/secrets/{client,server}")
+      copy_pem("server/cert.pem")
+      copy_pem("server/key.pem")
+      copy_pem("client/cert.pem")
+      copy_pem("client/key.pem")
+      copy_pem("ca.cert.pem")
+
+    client.wait_for_unit("multi-user.target")
+
+    curl = '${pkgs.curl}/bin/curl'
+    accept_json = '--header "Accept: application/json"'
+    cacert = '--cacert /run/secrets/ca.cert.pem'
+    cert = '--cert /run/secrets/server/cert.pem'
+    key = '--key /run/secrets/server/key.pem'
+    base_url = 'https://client:19531'
+
+    curl_cli = f"{curl} {accept_json} {cacert} {cert} {key} --fail"
+
+    machine_info = client.succeed(f"{curl_cli} {base_url}/machine")
+    assert json.loads(machine_info)["hostname"] == "client", "wrong machine name"
+
+    # The HTTP request should have started the gateway service, triggered by
+    # the .socket unit
+    client.wait_for_unit("systemd-journal-gatewayd.service")
+
+    identifier = "nixos-test"
+    message = "Hello from NixOS test infrastructure"
+
+    client.succeed(f"systemd-cat --identifier={identifier} <<< '{message}'")
+
+    # max-time is a workaround against a bug in systemd-journal-gatewayd where
+    # if TLS is enabled, the connection is never closed. Since it will timeout,
+    # we ignore the return code.
+    entries = client.succeed(
+        f"{curl_cli} --max-time 5 {base_url}/entries?SYSLOG_IDENTIFIER={identifier} || true"
+    )
+
+    # Number of entries should be only 1
+    added_entry = json.loads(entries)
+    assert added_entry["SYSLOG_IDENTIFIER"] == identifier and added_entry["MESSAGE"] == message, "journal entry does not correspond"
+  '';
+})

nixos/tests/systemd-journal-upload.nix

@@ -0,0 +1,101 @@
+import ./make-test-python.nix ({ pkgs, ... }:
+{
+  name = "systemd-journal-upload";
+  meta = with pkgs.lib.maintainers; {
+    maintainers = [ minijackson raitobezarius ];
+  };
+
+  nodes.server = { nodes, ... }: {
+    services.journald.remote = {
+      enable = true;
+      listen = "http";
+      settings.Remote = {
+        ServerCertificateFile = "/run/secrets/sever.cert.pem";
+        ServerKeyFile = "/run/secrets/sever.key.pem";
+        TrustedCertificateFile = "/run/secrets/ca.cert.pem";
+        Seal = true;
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = [ nodes.server.services.journald.remote.port ];
+  };
+
+  nodes.client = { lib, nodes, ... }: {
+    services.journald.upload = {
+      enable = true;
+      settings.Upload = {
+        URL = "http://server:${toString nodes.server.services.journald.remote.port}";
+        ServerCertificateFile = "/run/secrets/client.cert.pem";
+        ServerKeyFile = "/run/secrets/client.key.pem";
+        TrustedCertificateFile = "/run/secrets/ca.cert.pem";
+      };
+    };
+
+    # Wait for the PEMs to arrive
+    systemd.services.systemd-journal-upload.wantedBy = lib.mkForce [];
+    systemd.paths.systemd-journal-upload = {
+      wantedBy = [ "default.target" ];
+      # This file must be copied last
+      pathConfig.PathExists = [ "/run/secrets/ca.cert.pem" ];
+    };
+  };
+
+  testScript = ''
+    import subprocess
+    import tempfile
+
+    tmpdir_o = tempfile.TemporaryDirectory()
+    tmpdir = tmpdir_o.name
+
+    def generate_pems(domain: str):
+      subprocess.run(
+        [
+          "${pkgs.minica}/bin/minica",
+          "--ca-key=ca.key.pem",
+          "--ca-cert=ca.cert.pem",
+          f"--domains={domain}",
+        ],
+        cwd=str(tmpdir),
+      )
+
+    with subtest("Creating keys and certificates"):
+      generate_pems("server")
+      generate_pems("client")
+
+    server.wait_for_unit("multi-user.target")
+    client.wait_for_unit("multi-user.target")
+
+    def copy_pems(machine: Machine, domain: str):
+      machine.succeed("mkdir /run/secrets")
+      machine.copy_from_host(
+        source=f"{tmpdir}/{domain}/cert.pem",
+        target=f"/run/secrets/{domain}.cert.pem",
+      )
+      machine.copy_from_host(
+        source=f"{tmpdir}/{domain}/key.pem",
+        target=f"/run/secrets/{domain}.key.pem",
+      )
+      # Should be last
+      machine.copy_from_host(
+        source=f"{tmpdir}/ca.cert.pem",
+        target="/run/secrets/ca.cert.pem",
+      )
+
+    with subtest("Copying keys and certificates"):
+      copy_pems(server, "server")
+      copy_pems(client, "client")
+
+    client.wait_for_unit("systemd-journal-upload.service")
+    # The journal upload should have started the remote service, triggered by
+    # the .socket unit
+    server.wait_for_unit("systemd-journal-remote.service")
+
+    identifier = "nixos-test"
+    message = "Hello from NixOS test infrastructure"
+
+    client.succeed(f"systemd-cat --identifier={identifier} <<< '{message}'")
+    server.wait_until_succeeds(
+      f"journalctl --file /var/log/journal/remote/remote-*.journal --identifier={identifier} | grep -F '{message}'"
+    )
+  '';
+})

nixos/tests/systemd-journal.nix

@@ -6,17 +6,11 @@ import ./make-test-python.nix ({ pkgs, ... }:
     maintainers = [ lewo ];
   };
 
-  nodes.machine = { pkgs, lib, ... }: {
+  nodes.machine = { };
-    services.journald.enableHttpGateway = true;
-  };
 
   testScript = ''
     machine.wait_for_unit("multi-user.target")
 
     machine.succeed("journalctl --grep=systemd")
-
-    machine.succeed(
-        "${pkgs.curl}/bin/curl -s localhost:19531/machine | ${pkgs.jq}/bin/jq -e '.hostname == \"machine\"'"
-    )
   '';
 })

nixos/tests/systemd-timesyncd-nscd-dnssec.nix

@@ -0,0 +1,61 @@
+# This test verifies that systemd-timesyncd can resolve the NTP server hostname when DNSSEC validation
+# fails even though it is enforced in the systemd-resolved settings. It is required in order to solve
+# the chicken-and-egg problem when DNSSEC validation needs the correct time to work, but to set the
+# correct time, we need to connect to an NTP server, which usually requires resolving its hostname.
+#
+# This test does the following:
+# - Sets up a DNS server (tinydns) listening on the eth1 ip addess, serving .ntp and fake.ntp records.
+# - Configures that DNS server as a resolver and enables DNSSEC in systemd-resolved settings.
+# - Configures systemd-timesyncd to use fake.ntp hostname as an NTP server.
+# - Performs a regular DNS lookup, to ensure it fails due to broken DNSSEC.
+# - Waits until systemd-timesyncd resolves fake.ntp by checking its debug output.
+#   Here, we don't expect systemd-timesyncd to connect and synchronize time because there is no NTP
+#   server running. For this test to succeed, we only need to ensure that systemd-timesyncd
+#   resolves the IP address of the fake.ntp host.
+
+import ./make-test-python.nix ({ pkgs, ... }:
+
+let
+  ntpHostname = "fake.ntp";
+  ntpIP = "192.0.2.1";
+in
+{
+  name = "systemd-timesyncd";
+  nodes.machine = { pkgs, lib, config, ... }:
+    let
+      eth1IP = (lib.head config.networking.interfaces.eth1.ipv4.addresses).address;
+    in
+    {
+      # Setup a local DNS server for the NTP domain on the eth1 IP address
+      services.tinydns = {
+        enable = true;
+        ip = eth1IP;
+        data = ''
+          .ntp:${eth1IP}
+          +.${ntpHostname}:${ntpIP}
+        '';
+      };
+
+      # Enable systemd-resolved with DNSSEC and use the local DNS as a name server
+      services.resolved.enable = true;
+      services.resolved.dnssec = "true";
+      networking.nameservers = [ eth1IP ];
+
+      # Configure systemd-timesyncd to use our NTP hostname
+      services.timesyncd.enable = lib.mkForce true;
+      services.timesyncd.servers = [ ntpHostname ];
+      services.timesyncd.extraConfig = ''
+        FallbackNTP=${ntpHostname}
+      '';
+
+      # The debug output is necessary to determine whether systemd-timesyncd successfully resolves our NTP hostname or not
+      systemd.services.systemd-timesyncd.environment.SYSTEMD_LOG_LEVEL = "debug";
+    };
+
+  testScript = ''
+    machine.wait_for_unit("tinydns.service")
+    machine.wait_for_unit("systemd-timesyncd.service")
+    machine.fail("resolvectl query ${ntpHostname}")
+    machine.wait_until_succeeds("journalctl -u systemd-timesyncd.service --grep='Resolved address ${ntpIP}:123 for ${ntpHostname}'")
+  '';
+})

pkgs/applications/audio/ardour/7.nix

@@ -2,6 +2,7 @@
 , stdenv
 , fetchgit
 , fetchzip
+, fetchpatch
 , alsa-lib
 , aubio
 , boost
@@ -79,6 +80,12 @@ stdenv.mkDerivation rec {
     # AS=as in the environment causes build failure https://tracker.ardour.org/view.php?id=8096
     ./as-flags.patch
     ./default-plugin-search-paths.patch
+
+    # Fix build with libxml2 2.12.
+    (fetchpatch {
+      url = "https://github.com/Ardour/ardour/commit/e995daa37529715214c6c4a2587e4134aaaba02f.patch";
+      hash = "sha256-EpXOIIObOwwcNgNma0E3nvaBad3930sagDjBpa+78WI=";
+    })
   ];
 
   # Ardour's wscript requires git revision and date to be available.

pkgs/applications/audio/quodlibet/default.nix

@@ -66,6 +66,7 @@ python3.pkgs.buildPythonApplication rec {
   ] ++ (with python3.pkgs; [
     sphinx-rtd-theme
     sphinxHook
+    setuptools
   ]);
 
   buildInputs = [

pkgs/applications/audio/whipper/default.nix

@@ -64,10 +64,6 @@ in python3.pkgs.buildPythonApplication rec {
     "--prefix" "PATH" ":" (lib.makeBinPath bins)
   ];
 
-  preBuild = ''
-    export SETUPTOOLS_SCM_PRETEND_VERSION="${version}"
-  '';
-
   outputs = [ "out" "man" ];
   postBuild = ''
     make -C man

pkgs/applications/blockchains/polkadot/default.nix

@@ -4,7 +4,7 @@
 , rocksdb
 , rust-jemalloc-sys-unprefixed
 , rustPlatform
-, rustc-wasm32
+, rustc
 , stdenv
 , Security
 , SystemConfiguration
@@ -63,8 +63,8 @@ rustPlatform.buildRustPackage rec {
 
   nativeBuildInputs = [
     rustPlatform.bindgenHook
-    rustc-wasm32
+    rustc
-    rustc-wasm32.llvmPackages.lld
+    rustc.llvmPackages.lld
   ];
 
   # NOTE: jemalloc is used by default on Linux with unprefixed enabled

pkgs/applications/editors/scite/default.nix

@@ -13,6 +13,12 @@ stdenv.mkDerivation {
   buildInputs = [ gtk2 ];
   sourceRoot = "scintilla/gtk";
 
+  CXXFLAGS = [
+    # GCC 13: error: 'intptr_t' does not name a type
+    "-include cstdint"
+    "-include system_error"
+  ];
+
   buildPhase = ''
     make
     cd ../../lexilla/src

pkgs/applications/graphics/hdrmerge/default.nix

@@ -37,6 +37,11 @@ mkDerivation rec {
     "-DALGLIB_DIR:PATH=${alglib}"
   ];
 
+  CXXFLAGS = [
+    # GCC 13: error: 'uint32_t' does not name a type
+    "-include cstdint"
+  ];
+
   patches = [
     # https://github.com/jcelaya/hdrmerge/pull/222
     (fetchpatch {

pkgs/applications/graphics/inkscape/default.nix

@@ -6,6 +6,7 @@
 , cmake
 , desktopToDarwinBundle
 , fetchurl
+, fetchpatch
 , gettext
 , ghostscript
 , glib
@@ -92,6 +93,13 @@ stdenv.mkDerivation rec {
       src = ./fix-ps2pdf-path.patch;
       inherit ghostscript;
     })
+
+    # Fix build with libxml2 2.12
+    # https://gitlab.com/inkscape/inkscape/-/merge_requests/6089
+    (fetchpatch {
+      url = "https://gitlab.com/inkscape/inkscape/-/commit/694d8ae43d06efff21adebf377ce614d660b24cd.patch";
+      hash = "sha256-9IXJzpZbNU5fnt7XKgqCzUDrwr08qxGwo8TqnL+xc6E=";
+    })
   ];
 
   postPatch = ''

pkgs/applications/graphics/krita/generic.nix

@@ -21,6 +21,15 @@ mkDerivation rec {
     inherit hash;
   };
 
+  patches = [
+    # Fixes build with SIP 6.8
+    (fetchpatch {
+      name = "bump-SIP-ABI-version-to-12.8.patch";
+      url = "https://invent.kde.org/graphics/krita/-/commit/2d71c47661d43a4e3c1ab0c27803de980bdf2bb2.diff";
+      hash = "sha256-U3E44nj4vra++PJV20h4YHjES78kgrJtr4ktNeQfOdA=";
+    })
+  ];
+
   nativeBuildInputs = [ cmake extra-cmake-modules pkg-config python3Packages.sip makeWrapper ];
 
   buildInputs = [

pkgs/applications/graphics/meshlab/default.nix

@@ -75,6 +75,11 @@ mkDerivation rec {
     "-DALLOW_BUNDLED_LEVMAR=ON"
   ];
 
+  CXXFLAGS = [
+    # GCC 13: error: 'int16_t' has not been declared in 'std'
+    "-include cstdint"
+  ];
+
   postFixup = ''
     patchelf --add-needed $out/lib/meshlab/libmeshlab-common.so $out/bin/.meshlab-wrapped
   '';

pkgs/applications/graphics/tesseract/tesseract4.nix

@@ -16,6 +16,14 @@ stdenv.mkDerivation rec {
   # great, but tesseract4's days are numbered anyway
   postPatch = ''
     sed -i '/allheaders.h/a#include "pix_internal.h"' src/textord/devanagari_processing.cpp
+
+    # gcc-13 compat fix, simulate this upstream patch:
+    #   https://github.com/tesseract-ocr/tesseract/commit/17e795aaae7d40dbcb7d3365835c2f55ecc6355d.patch
+    #   https://github.com/tesseract-ocr/tesseract/commit/c0db7b7e930322826e09981360e39fdbd16cc9b0.patch
+
+    sed -i src/ccutil/helpers.h -e '1i #include <climits>'
+    sed -i src/ccutil/helpers.h -e '1i #include <cstdint>'
+    sed -i src/dict/matchdefs.h -e '1i #include <cstdint>'
   '';
 
   enableParallelBuilding = true;

pkgs/applications/misc/ablog/default.nix

@@ -34,6 +34,7 @@ python3.pkgs.buildPythonApplication rec {
   ];
 
   pytestFlagsArray = [
+    "-W" "ignore::sphinx.deprecation.RemovedInSphinx90Warning"
     "--rootdir" "src/ablog"
   ];
 

pkgs/applications/misc/acpic/default.nix

@@ -6,15 +6,21 @@
 python3Packages.buildPythonApplication rec {
   pname = "acpic";
   version = "1.0.0";
-  format = "setuptools";
+  pyproject = true;
 
   src = fetchPypi {
     inherit version pname;
     hash = "sha256-vQ9VxCNbOmqHIY3e1wq1wNJl5ywfU2tm62gDg3vKvcg=";
   };
 
-  nativeBuildInputs = [
+  postPatch = ''
-    python3Packages.pbr
+    substituteInPlace setup.py \
+      --replace "pbr>=5.8.1,<6" "pbr"
+  '';
+
+  nativeBuildInputs = with python3Packages; [
+    pbr
+    setuptools
   ];
 
   # no tests

pkgs/applications/misc/audio/sox/default.nix

@@ -79,6 +79,8 @@ stdenv.mkDerivation rec {
     ++ lib.optional enableLibpulseaudio libpulseaudio
     ++ lib.optional stdenv.isDarwin CoreAudio;
 
+  enableParallelBuilding = true;
+
   meta = with lib; {
     description = "Sample Rate Converter for audio";
     homepage = "https://sox.sourceforge.net/";

pkgs/applications/misc/barrier/default.nix

@@ -26,6 +26,11 @@ mkDerivation rec {
     })
   ];
 
+  CXXFLAGS = [
+    # error: 'uint8_t' is not a member of 'std'; did you mean 'wint_t'?
+    "-include cstdint"
+  ];
+
   buildInputs = [ curl xorg.libX11 xorg.libXext xorg.libXtst avahiWithLibdnssdCompat qtbase ];
   nativeBuildInputs = [ cmake wrapGAppsHook ];
 

pkgs/applications/misc/buku/default.nix

@@ -19,6 +19,7 @@ in
 with python3.pkgs; buildPythonApplication rec {
   version = "4.8";
   pname = "buku";
+  pyproject = true;
 
   src = fetchFromGitHub {
     owner = "jarun";
@@ -27,6 +28,10 @@ with python3.pkgs; buildPythonApplication rec {
     sha256 = "sha256-kPVlfTYUusf5CZnKB53WZcCHo3MEnA2bLUHTRPGPn+8=";
   };
 
+  nativeBuildInputs = [
+    setuptools
+  ];
+
   nativeCheckInputs = [
     hypothesis
     pytest

pkgs/applications/misc/keepmenu/default.nix

@@ -17,8 +17,6 @@ python3Packages.buildPythonApplication rec {
     hatch-vcs
   ];
 
-  env.SETUPTOOLS_SCM_PRETEND_VERSION = version;
-
   propagatedBuildInputs = with python3Packages; [
     pykeepass
     pynput

pkgs/applications/misc/khal/default.nix

@@ -17,8 +17,6 @@ python3.pkgs.buildPythonApplication rec {
     hash = "sha256-yI33pB/t+UISvSbLUzmsZqBxLF6r8R3j9iPNeosKcYw=";
   };
 
-  SETUPTOOLS_SCM_PRETEND_VERSION = version;
-
   nativeBuildInputs = [
     glibcLocales
     installShellFiles

pkgs/applications/misc/khard/default.nix

@@ -9,7 +9,6 @@ python3.pkgs.buildPythonApplication rec {
     sha256 = "sha256-WfMKDaPD2j6wT02+GO5HY5E7aF2Z7IQY/VdKiMSRxJA=";
   };
 
-  SETUPTOOLS_SCM_PRETEND_VERSION = version;
   nativeBuildInputs = with python3.pkgs; [
     setuptools-scm
     sphinxHook

pkgs/applications/misc/mozphab/default.nix

@@ -30,8 +30,6 @@ python3.pkgs.buildPythonApplication rec {
     setuptools-scm
   ];
 
-  env.SETUPTOOLS_SCM_PRETEND_VERSION = version;
-
   propagatedBuildInputs = with python3.pkgs; [
     colorama
     distro

pkgs/applications/misc/mupdf/default.nix

@@ -165,10 +165,14 @@ stdenv.mkDerivation rec {
     EOF
 
     moveToOutput "bin" "$bin"
-  '' + lib.optionalString (enableX11 || enableGL) ''
+  '' + (lib.optionalString (stdenv.isDarwin) ''
+    for exe in $bin/bin/*; do
+      install_name_tool -change build/shared-release/libmupdf.dylib $out/lib/libmupdf.dylib "$exe"
+    done
+  '') + (lib.optionalString (enableX11 || enableGL) ''
     mkdir -p $bin/share/icons/hicolor/48x48/apps
     cp docs/logo/mupdf.png $bin/share/icons/hicolor/48x48/apps
-  '' + (if enableGL then ''
+  '') + (if enableGL then ''
     ln -s "$bin/bin/mupdf-gl" "$bin/bin/mupdf"
   '' else lib.optionalString (enableX11) ''
     ln -s "$bin/bin/mupdf-x11" "$bin/bin/mupdf"

pkgs/applications/misc/octoprint/default.nix

@@ -163,7 +163,7 @@ let
                 zeroconf
                 zipstream-ng
                 class-doc
-                pydantic
+                pydantic_1
               ] ++ lib.optionals stdenv.isDarwin [
                 py.pkgs.appdirs
               ] ++ lib.optionals (!stdenv.isDarwin) [

pkgs/applications/misc/pagefind/default.nix

@@ -7,7 +7,7 @@
 , binaryen
 , gzip
 , nodejs
-, rustc-wasm32
+, rustc
 , wasm-bindgen-cli
 , wasm-pack
 }:
@@ -66,8 +66,8 @@ rustPlatform.buildRustPackage rec {
     binaryen
     gzip
     nodejs
-    rustc-wasm32
+    rustc
-    rustc-wasm32.llvmPackages.lld
+    rustc.llvmPackages.lld
     wasm-bindgen-84
     wasm-pack
   ];

pkgs/applications/misc/pysentation/default.nix

@@ -15,9 +15,14 @@ python3.pkgs.buildPythonApplication rec {
     hash = "sha256-TwHDXWgGWuQVgatBDc1iympnb6dy4xYThLR5MouEZHA=";
   };
 
-  nativeBuildInputs = [
+  nativeBuildInputs = with python3.pkgs; [
-    python3.pkgs.setuptools
+    setuptools
-    python3.pkgs.wheel
+    pythonRelaxDepsHook
+  ];
+
+  pythonRelaxDeps = [
+    "click"
+    "rich"
   ];
 
   propagatedBuildInputs = with python3.pkgs; [

pkgs/applications/misc/urlscan/default.nix

@@ -15,8 +15,6 @@ python3.pkgs.buildPythonApplication rec {
     hash = "sha256-OzcoOIgEiadWrsUPIxBJTuZQYjScJBYKyqCu1or6fz8=";
   };
 
-  SETUPTOOLS_SCM_PRETEND_VERSION = version;
-
   nativeBuildInputs = with python3.pkgs; [
     hatchling
     hatch-vcs

pkgs/applications/misc/yambar/default.nix

@@ -82,6 +82,7 @@ stdenv.mkDerivation (finalAttrs: {
   mesonBuildType = "release";
 
   mesonFlags = [
+    (lib.mesonBool "werror" false)
     (lib.mesonEnable "backend-x11" x11Support)
     (lib.mesonEnable "backend-wayland" waylandSupport)
   ];

pkgs/applications/networking/cloudflare-dyndns/default.nix

@@ -24,7 +24,7 @@ python3.pkgs.buildPythonApplication rec {
     attrs
     click
     cloudflare
-    pydantic
+    pydantic_1
     requests
   ];
 

pkgs/applications/networking/instant-messengers/deltachat-cursed/default.nix

@@ -23,8 +23,6 @@ python3.pkgs.buildPythonApplication rec {
     setuptools-scm
   ];
 
-  SETUPTOOLS_SCM_PRETEND_VERSION = version;
-
   propagatedBuildInputs = with python3.pkgs; [
     appdirs
     deltachat

pkgs/applications/networking/mailreaders/notmuch/default.nix

@@ -85,19 +85,26 @@ stdenv.mkDerivation rec {
     patchShebangs notmuch-git
   '';
 
-  preCheck = let
+  preCheck =
-    test-database = fetchurl {
+    let
-      url = "https://notmuchmail.org/releases/test-databases/database-v1.tar.xz";
+      test-database = fetchurl {
-      sha256 = "1lk91s00y4qy4pjh8638b5lfkgwyl282g1m27srsf7qfn58y16a2";
+        url = "https://notmuchmail.org/releases/test-databases/database-v1.tar.xz";
-    };
+        sha256 = "1lk91s00y4qy4pjh8638b5lfkgwyl282g1m27srsf7qfn58y16a2";
-  in ''
+      };
-    mkdir -p test/test-databases
+    in
-    ln -s ${test-database} test/test-databases/database-v1.tar.xz
+    ''
-  ''
+      mkdir -p test/test-databases
-  # Issues since gnupg: 2.4.0 -> 2.4.1
+      ln -s ${test-database} test/test-databases/database-v1.tar.xz
-  + ''
+    ''
-    rm test/{T350-crypto,T357-index-decryption}.sh
+    + ''
-  '';
+      # Issues since gnupg: 2.4.0 -> 2.4.1
+      rm test/{T350-crypto,T357-index-decryption}.sh
+      # Issues since pbr 6.0.0 bump (ModuleNotFoundError: No module named 'notmuch2')
+      rm test/T055-path-config.sh
+      # Flaky, seems to get its paths wrong sometimes (?)
+      # *ERROR*: Opening output file: Permission denied, /nix/store/bzy21v2cd5sq1djzwa9b19q08wpp9mm0-emacs-29.1/bin/OUTPUT
+      rm test/T460-emacs-tree.sh
+    '';
 
   doCheck = !stdenv.hostPlatform.isDarwin && (lib.versionAtLeast gmime3.version "3.0.3");
   checkTarget = "test";

pkgs/applications/networking/newsreaders/liferea/default.nix

@@ -1,5 +1,6 @@
 { lib, stdenv
 , fetchurl
+, fetchpatch
 , pkg-config
 , intltool
 , python3Packages
@@ -31,6 +32,16 @@ stdenv.mkDerivation rec {
     hash = "sha256-7lanrs63N6ZnqxvjcW/+cUZVDqUbML2gftQUc/sLr3Q=";
   };
 
+  patches = [
+    # Pull upstream fix for libxml2-2.12 compatibility:
+    #   https://github.com/lwindolf/liferea/pull/1329
+    (fetchpatch {
+      name = "libxml2-2.12.patch";
+      url = "https://github.com/lwindolf/liferea/commit/be8ef494586d9ef73c04ec4ca058a9a158ae3562.patch";
+      hash = "sha256-K1R7dJMm7ui6QKQqAHCo/ZrLCW3PhPU1EKRPEICtCsQ=";
+    })
+  ];
+
   nativeBuildInputs = [
     wrapGAppsHook
     python3Packages.wrapPython

pkgs/applications/office/abiword/default.nix

@@ -1,6 +1,7 @@
 { lib
 , stdenv
 , fetchurl
+, fetchpatch
 , pkg-config
 , gtk3
 , fribidi
@@ -28,6 +29,14 @@ stdenv.mkDerivation rec {
     hash = "sha256-ElckfplwUI1tFFbT4zDNGQnEtCsl4PChvDJSbW86IbQ=";
   };
 
+  patches = [
+    # Fix build with libxml2 2.12
+    (fetchpatch {
+      url = "https://gitlab.gnome.org/World/AbiWord/-/commit/2a06be6a10a0718f8a3d8e00c317f5042c99a467.patch";
+      hash = "sha256-vfh81tGXe9dgnjcAtoWHOK8CtW7MZ75FFjnfKTkiKkk=";
+    })
+  ];
+
   nativeBuildInputs = [
     pkg-config
     wrapGAppsHook

pkgs/applications/office/libreoffice/default.nix

@@ -13,6 +13,7 @@
 , IOCompress
 , zlib
 , libjpeg
+, liblangtag
 , expat
 , freetype
 , libwpd
@@ -225,6 +226,17 @@ in stdenv.mkDerivation (finalAttrs: {
       url = "https://cgit.freedesktop.org/libreoffice/core/patch/?id=ececb678b8362e3be8e02768ddd5e4197d87dc2a";
       hash = "sha256-TUfKlwNxUTOJ95VLqwVD+ez1xhu7bW6xZlgIaCyIiNg=";
     })
+
+    # Backport libxml 2.12 build fixes
+    # FIXME: remove in next release
+    (fetchpatch {
+      url = "https://cgit.freedesktop.org/libreoffice/core/patch/?id=c8f7408db73d2f2ccacb25a2b4fef8dfebdfc6cb";
+      hash = "sha256-uEgRx1eyS3Wx2ZDWEsUmpIbuKezVrIbO++qSL2QI8Lk=";
+    })
+    (fetchpatch {
+      url = "https://cgit.freedesktop.org/libreoffice/core/patch/?id=cbb17a548b5cc6a99b6ed7735479bb4f2bc40f26";
+      hash = "sha256-ofhif37uvQI+gidaUpyr6XlyBc3gTJUDBRb3ootrzz0=";
+    })
   ];
 
   # libreoffice tries to reference the BUILDCONFIG (e.g. PKG_CONFIG_PATH)
@@ -436,6 +448,7 @@ in stdenv.mkDerivation (finalAttrs: {
     "--with-system-headers"
     "--with-system-openssl"
     "--with-system-libabw"
+    "--with-system-liblangtag"
     "--without-system-libcmis"
     "--with-system-libwps"
     "--with-system-openldap"
@@ -466,7 +479,6 @@ in stdenv.mkDerivation (finalAttrs: {
     "--without-system-lpsolve"
     "--without-system-libetonyek"
     "--without-system-libfreehand"
-    "--without-system-liblangtag"
     "--without-system-libmspub"
     "--without-system-libnumbertext"
     "--without-system-libpagemaker"
@@ -566,6 +578,7 @@ in stdenv.mkDerivation (finalAttrs: {
     libepoxy
     libexttextcat
     libjpeg
+    liblangtag
     libmspack
     libmwaw
     libmysqlclient

pkgs/applications/office/paperwork/openpaperwork-core.nix

@@ -29,8 +29,6 @@ buildPythonPackage rec {
     patchShebangs ../tools
   '';
 
-  env.SETUPTOOLS_SCM_PRETEND_VERSION = version;
-
   propagatedBuildInputs = [
     distro
     setuptools

pkgs/applications/office/paperwork/openpaperwork-gtk.nix

@@ -29,8 +29,6 @@ buildPythonPackage rec {
     patchShebangs ../tools
   '';
 
-  env.SETUPTOOLS_SCM_PRETEND_VERSION = version;
-
   nativeBuildInputs = [
     pkgs.gettext
     pkgs.which

pkgs/applications/office/paperwork/paperwork-backend.nix

@@ -44,8 +44,6 @@ buildPythonPackage rec {
     patchShebangs ../tools
   '';
 
-  env.SETUPTOOLS_SCM_PRETEND_VERSION = version;
-
   propagatedBuildInputs = [
     distro
     gtk3

pkgs/applications/office/paperwork/paperwork-gtk.nix

@@ -42,8 +42,6 @@ python3Packages.buildPythonApplication rec {
 
   sourceRoot = "${src.name}/paperwork-gtk";
 
-  env.SETUPTOOLS_SCM_PRETEND_VERSION = version;
-
   postPatch = ''
     chmod a+w -R ..
     patchShebangs ../tools

pkgs/applications/office/paperwork/paperwork-shell.nix

@@ -32,8 +32,6 @@ buildPythonPackage rec {
     chmod a+w -R ..
     patchShebangs ../tools
   '';
-  env.SETUPTOOLS_SCM_PRETEND_VERSION = version;
-
   propagatedBuildInputs = [
     openpaperwork-core
     paperwork-backend

pkgs/applications/office/todoman/default.nix

@@ -19,8 +19,6 @@ python3.pkgs.buildPythonApplication rec {
     hash = "sha256-5tQaNT6QVN9mxa9t6OvMux4ZGy4flUqszTAwet2QL0w=";
   };
 
-  SETUPTOOLS_SCM_PRETEND_VERSION = version;
-
   nativeBuildInputs = [
     installShellFiles
   ] ++ (with python3.pkgs; [

pkgs/applications/science/electronics/nanovna-saver/default.nix

@@ -31,8 +31,6 @@ python3.pkgs.buildPythonApplication rec {
     setuptools-scm
   ];
 
-  SETUPTOOLS_SCM_PRETEND_VERSION = version;
-
   doCheck = false;
 
   dontWrapGApps = true;

pkgs/applications/science/machine-learning/fasttext/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "fasttext";
-  version = "0.9.2";
+  version = "0.9.2-unstable-2023-11-28";
 
   src = fetchFromGitHub {
     owner = "facebookresearch";
     repo = "fastText";
-    rev = "v${version}";
+    rev = "6c2204ba66776b700095ff73e3e599a908ffd9c3";
-    sha256 = "07cz2ghfq6amcljaxpdr5chbd64ph513y8zqmibfx2xwfp74xkhn";
+    hash = "sha256-lSIah4T+QqZwCRpeI3mxJ7PZT6pSHBO26rcEFfK8DSk=";
   };
 
   nativeBuildInputs = [ cmake ];

pkgs/applications/science/math/gmsh/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, cmake, blas, lapack, gfortran, gmm, fltk, libjpeg
+{ lib, stdenv, fetchurl, fetchpatch, cmake, blas, lapack, gfortran, gmm, fltk, libjpeg
 , zlib, libGL, libGLU, xorg, opencascade-occt
 , python ? null, enablePython ? false }:
 
@@ -24,7 +24,22 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  patches = [ ./fix-python.patch ];
+  patches = [
+    ./fix-python.patch
+
+    # Pull upstream fix git gcc-13:
+    #   https://gitlab.onelab.info/gmsh/gmsh/-/issues/2416
+    (fetchpatch {
+      name = "gcc-13-p1.patch";
+      url = "https://gitlab.onelab.info/gmsh/gmsh/-/commit/fb81a9c9026700e078de947b4522cb39e543a86b.patch";
+      hash = "sha256-1GInFqQZvOgflC3eQTjmZ9uBGFASRNCpCwDACN3yTQ4=";
+    })
+    (fetchpatch {
+      name = "gcc-13-p2.patch";
+      url = "https://gitlab.onelab.info/gmsh/gmsh/-/commit/aceb09c807b78ea26555f99fcb16c4f87c31fb5a.patch";
+      hash = "sha256-6FI0hIvj8hglCvxoKV0GzT2/F/Wz+ddkxV/TLzzJBLU=";
+    })
+  ];
 
   postPatch = ''
     substituteInPlace api/gmsh.py --subst-var-by LIBPATH ${placeholder "out"}/lib/libgmsh.so

pkgs/applications/search/recoll/default.nix

@@ -97,7 +97,10 @@ mkDerivation rec {
     (lib.withFeature stdenv.isLinux "inotify")
   ];
 
-  env.NIX_CFLAGS_COMPILE = toString [ "-DNIXPKGS" ];
+  env.NIX_CFLAGS_COMPILE = toString [
+    "-DNIXPKGS"
+    "-fpermissive" # libxml2-2.12 changed const qualifiers
+  ];
 
   patches = [
     # fix "No/bad main configuration file" error

pkgs/applications/terminal-emulators/guake/default.nix

@@ -52,8 +52,6 @@ python3.pkgs.buildPythonApplication rec {
     pyyaml
   ];
 
-  SETUPTOOLS_SCM_PRETEND_VERSION = version;
-
   makeFlags = [
     "PREFIX=${placeholder "out"}"
   ];

pkgs/applications/version-management/git-cola/default.nix

@@ -11,8 +11,6 @@ python3Packages.buildPythonApplication rec {
     hash = "sha256-PtV2mzxOfZ88THiFD4K+qtOi41GeLF1GcdiFFhUR8Ak=";
   };
 
-  env.SETUPTOOLS_SCM_PRETEND_VERSION = version;
-
   buildInputs = lib.optionals stdenv.isLinux [ qt5.qtwayland ];
   propagatedBuildInputs = with python3Packages; [ git pyqt5 qtpy send2trash ];
   nativeBuildInputs = with python3Packages; [ setuptools-scm gettext qt5.wrapQtAppsHook ];

pkgs/applications/version-management/git/default.nix

@@ -29,7 +29,7 @@ assert sendEmailSupport -> perlSupport;
 assert svnSupport -> perlSupport;
 
 let
-  version = "2.42.0";
+  version = "2.43.0";
   svn = subversionClient.override { perlBindings = perlSupport; };
   gitwebPerlLibs = with perlPackages; [ CGI HTMLParser CGIFast FCGI FCGIProcManager HTMLTagCloud ];
 in
@@ -42,7 +42,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   src = fetchurl {
     url = "https://www.kernel.org/pub/software/scm/git/git-${version}.tar.xz";
-    hash = "sha256-MnghDp/SmUuEhN1+Pd2eqLlA71IXDNtgbaqU2IfJOw0=";
+    hash = "sha256-VEZgPnPZEXgdJZ5WV1Dc0nekKDbI45LKyRzxN6qbduw=";
   };
 
   outputs = [ "out" ] ++ lib.optional withManual "doc";

pkgs/applications/version-management/gitlint/default.nix

@@ -17,8 +17,6 @@ python3.pkgs.buildPythonApplication rec {
     hash = "sha256-4SGkkC4LjZXTDXwK6jMOIKXR1qX76CasOwSqv8XUrjs=";
   };
 
-  SETUPTOOLS_SCM_PRETEND_VERSION = version;
-
   # Upstream splitted the project into gitlint and gitlint-core to
   # simplify the dependency handling
   sourceRoot = "${src.name}/gitlint-core";

pkgs/applications/version-management/mercurial/default.nix

@@ -1,6 +1,8 @@
 { lib, stdenv, fetchurl, fetchpatch, python3Packages, makeWrapper, gettext, installShellFiles
 , re2Support ? true
-, rustSupport ? stdenv.hostPlatform.isLinux, cargo, rustPlatform, rustc
+# depends on rust-cpython which won't support python312
+# https://github.com/dgrunwald/rust-cpython/commit/e815555629e557be084813045ca1ddebc2f76ef9
+, rustSupport ? (stdenv.hostPlatform.isLinux && python3Packages.pythonOlder "3.12"), cargo, rustPlatform, rustc
 , fullBuild ? false
 , gitSupport ? fullBuild
 , guiSupport ? fullBuild, tk
@@ -21,11 +23,11 @@ let
 
   self = python3Packages.buildPythonApplication rec {
     pname = "mercurial${lib.optionalString fullBuild "-full"}";
-    version = "6.5.3";
+    version = "6.6.1";
 
     src = fetchurl {
       url = "https://mercurial-scm.org/release/mercurial-${version}.tar.gz";
-      sha256 = "sha256-LNyB+t4SnPVrEoQXUn8ZC6cv13ZWc5TOVO7XZOZn59U=";
+      sha256 = "sha256-opRlo/5Ao+jUm6g0MTSsKrooa2g//rg42gz25FIflpU=";
     };
 
     format = "other";
@@ -35,7 +37,7 @@ let
     cargoDeps = if rustSupport then rustPlatform.fetchCargoTarball {
       inherit src;
       name = "mercurial-${version}";
-      sha256 = "sha256-ob81zMUY4AVNIbkFKyImnj7QhHTh7LVOCcGeZDtTAXc=";
+      sha256 = "sha256-wLV0qdCfMgGpZRxnZik/lRwZHm/66p0sJn/mYVRvRkQ=";
       sourceRoot = "mercurial-${version}/rust";
     } else null;
     cargoRoot = if rustSupport then "rust" else null;
@@ -43,7 +45,7 @@ let
     propagatedBuildInputs = lib.optional re2Support fb-re2
       ++ lib.optional gitSupport pygit2
       ++ lib.optional highlightSupport pygments;
-    nativeBuildInputs = [ makeWrapper gettext installShellFiles ]
+    nativeBuildInputs = [ makeWrapper gettext installShellFiles python3Packages.setuptools ]
       ++ lib.optionals rustSupport [
            rustPlatform.cargoSetupHook
            cargo

pkgs/applications/video/deface/default.nix

@@ -42,9 +42,6 @@ python3.pkgs.buildPythonApplication rec {
     substituteInPlace pyproject.toml requirements.txt --replace "opencv-python" "opencv"
   '';
 
-  # Let setuptools know deface version
-  SETUPTOOLS_SCM_PRETEND_VERSION = "v${version}";
-
   pythonImportsCheck = [ "deface" "onnx" "onnxruntime" ];
 
   meta = with lib; {

pkgs/applications/video/frigate/default.nix

@@ -25,6 +25,12 @@ let
 
   python = python3.override {
     packageOverrides = self: super: {
+      pydantic = super.pydantic_1;
+
+      versioningit = super.versioningit.overridePythonAttrs {
+        # checkPhase requires pydantic>=2
+        doCheck = false;
+      };
     };
   };
 

pkgs/applications/video/handbrake/default.nix

@@ -10,6 +10,7 @@
 { stdenv
 , lib
 , fetchFromGitHub
+, fetchpatch
   # For tests
 , testers
 , runCommand
@@ -135,6 +136,11 @@ let
       "${src}/contrib/ffmpeg/A28-avcodec-amfenc-HDR-metadata.patch"
       # This patch is not applying since ffmpeg 5.1.1, probably it was backported by upstream
       # "${src}/contrib/ffmpeg/A30-svt-av1-backports.patch"
+      (fetchpatch {
+        name = "vulkan-remove-extensions.patch";
+        url = "https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff_plain/eb0455d64690";
+        hash = "sha256-qvLrb7b+9/bel8A2lZuSmBiJtHXsABw0Lvgn1ggnmCU=";
+      })
     ];
   });
 

pkgs/applications/video/obs-studio/default.nix

@@ -2,10 +2,11 @@
 , lib
 , stdenv
 , fetchFromGitHub
+, fetchpatch
 , addOpenGLRunpath
 , cmake
 , fdk_aac
-, ffmpeg_4
+, ffmpeg
 , jansson
 , libjack2
 , libxkbcommon
@@ -74,6 +75,25 @@ stdenv.mkDerivation (finalAttrs: {
     # Lets obs-browser build against CEF 90.1.0+
     ./Enable-file-access-and-universal-access-for-file-URL.patch
     ./fix-nix-plugin-path.patch
+
+    # Backport ffmpeg 6.1 / GCC 13 build fixes
+    # FIXME: remove in next release
+    (fetchpatch {
+      url = "https://github.com/obsproject/obs-studio/commit/cd784644f5e82b9988043f229c19603289c6d32c.patch";
+      hash = "sha256-S4JE5kgr4x3uMHY2GRh0GBJpb7o/wYZb/v0CDITFNnQ=";
+    })
+    (fetchpatch {
+      url = "https://github.com/obsproject/obs-studio/commit/758b47d4ed9a25b8d64ad481d8d039990b9e57c9.patch";
+      hash = "sha256-jYpjwhx6e+dhN3kzbd6FcdjQ+WhIX0/BOu9PSkt+2yI=";
+    })
+    (fetchpatch {
+      url = "https://github.com/obsproject/obs-studio/commit/4b5be75c7e4b8cee908ed4a02fe0078285b4e8c9.patch";
+      hash = "sha256-tuOevhyxchwG42ilrplbiWoiDAKaY4HgzShlvp4VSQI=";
+    })
+    (fetchpatch {
+      url = "https://github.com/obsproject/obs-studio/commit/6e080a68067b27fe5463f0f4eee7df690451f3d7.patch";
+      hash = "sha256-nbn/q3uszoHaDvaW8Et1MS1sgQzMsJRmjGSMHzUxV70=";
+    })
   ];
 
   nativeBuildInputs = [
@@ -87,7 +107,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   buildInputs = [
     curl
-    ffmpeg_4
+    ffmpeg
     jansson
     libcef
     libjack2

pkgs/applications/virtualization/kvmtool/default.nix

@@ -1,13 +1,12 @@
-{ stdenv, fetchgit, lib, dtc }:
+{ stdenv, fetchzip, lib, dtc }:
 
 stdenv.mkDerivation {
   pname = "kvmtool";
   version = "unstable-2023-07-12";
 
-  src = fetchgit {
+  src = fetchzip {
-    url = "https://git.kernel.org/pub/scm/linux/kernel/git/will/kvmtool.git";
+    url = "https://git.kernel.org/pub/scm/linux/kernel/git/will/kvmtool.git/snapshot/kvmtool-106e2ea7756d980454d68631b87d5e25ba4e4881.tar.gz";
-    rev = "106e2ea7756d980454d68631b87d5e25ba4e4881";
+    hash = "sha256-wpc5DfHnui0lBVH4uOq6a7pXVUZStjNLRvauu6QpRvE=";
-    sha256 = "sha256-wpc5DfHnui0lBVH4uOq6a7pXVUZStjNLRvauu6QpRvE=";
   };
 
   patches = [ ./strlcpy-glibc-2.38-fix.patch ];

pkgs/applications/virtualization/rust-hypervisor-firmware/default.nix

@@ -1,8 +1,6 @@
 { lib
 , fetchFromGitHub
 , hostPlatform
-, cargo
-, rustc
 , lld
 }:
 
@@ -24,12 +22,7 @@ let
     };
   };
 
-  # inherit (cross) rustPlatform;
+  inherit (cross) rustPlatform;
-  # ^ breaks because we are doing a no_std embedded build with a custom sysroot,
-  # but the fast_cross rustc wrapper already passes a sysroot argument
-  rustPlatform = cross.makeRustPlatform {
-    inherit rustc cargo;
-  };
 
 in
 

pkgs/build-support/bintools-wrapper/default.nix

@@ -33,6 +33,28 @@
 , useMacosReexportHack ? false
 , wrapGas ? false
 
+# Note: the hardening flags are part of the bintools-wrapper, rather than
+# the cc-wrapper, because a few of them are handled by the linker.
+, defaultHardeningFlags ? with stdenvNoCC; [
+    "bindnow"
+    "format"
+    "fortify"
+    "fortify3"
+    "pic"
+    "relro"
+    "stackprotector"
+    "strictoverflow"
+  ] ++ lib.optional (
+    # Musl-based platforms will keep "pie", other platforms will not.
+    # If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}`
+    # in the nixpkgs manual to inform users about the defaults.
+    targetPlatform.libc == "musl"
+    # Except when:
+    #    - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
+    #    - static armv7l, where compilation fails.
+    && !(targetPlatform.isAarch && targetPlatform.isStatic)
+  ) "pie"
+
 # Darwin code signing support utilities
 , postLinkSignHook ? null, signingUtils ? null
 }:
@@ -124,6 +146,8 @@ stdenv.mkDerivation {
             (setenv "NIX_LDFLAGS_${suffixSalt}" (concat (getenv "NIX_LDFLAGS_${suffixSalt}") " -L" arg "/lib64"))))
         '(${concatStringsSep " " (map (pkg: "\"${pkg}\"") pkgs)}))
     '';
+
+    inherit defaultHardeningFlags;
   };
 
   dontBuild = true;
@@ -380,6 +404,7 @@ stdenv.mkDerivation {
     wrapperName = "BINTOOLS_WRAPPER";
     inherit dynamicLinker targetPrefix suffixSalt coreutils_bin;
     inherit bintools_bin libc_bin libc_dev libc_lib;
+    default_hardening_flags_str = builtins.toString defaultHardeningFlags;
   };
 
   meta =

pkgs/build-support/bintools-wrapper/setup-hook.sh

@@ -65,7 +65,7 @@ do
 done
 
 # If unset, assume the default hardening flags.
-: ${NIX_HARDENING_ENABLE="fortify stackprotector pic strictoverflow format relro bindnow"}
+: ${NIX_HARDENING_ENABLE="@default_hardening_flags_str@"}
 export NIX_HARDENING_ENABLE
 
 # No local scope in sourced file

pkgs/build-support/cc-wrapper/add-hardening.sh

@@ -32,7 +32,7 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
 fi
 
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
-  declare -a allHardeningFlags=(fortify stackprotector pie pic strictoverflow format)
+  declare -a allHardeningFlags=(fortify fortify3 stackprotector pie pic strictoverflow format)
   declare -A hardeningDisableMap=()
 
   # Determine which flags were effectively disabled so we can report below.

pkgs/build-support/cc-wrapper/default.nix

@@ -218,6 +218,8 @@ let
        then guess
        else null;
 
+  defaultHardeningFlags = bintools.defaultHardeningFlags or [];
+
   darwinPlatformForCC = optionalString stdenv.targetPlatform.isDarwin (
     if (targetPlatform.darwinPlatform == "macos" && isGNU) then "macosx"
     else targetPlatform.darwinPlatform
@@ -271,6 +273,8 @@ stdenv.mkDerivation {
     inherit expand-response-params;
 
     inherit nixSupport;
+
+    inherit defaultHardeningFlags;
   };
 
   dontBuild = true;
@@ -706,6 +710,7 @@ stdenv.mkDerivation {
     inherit suffixSalt coreutils_bin bintools;
     inherit libc_bin libc_dev libc_lib;
     inherit darwinPlatformForCC darwinMinVersion darwinMinVersionVariable;
+    default_hardening_flags_str = builtins.toString defaultHardeningFlags;
   };
 
   meta =

pkgs/build-support/cc-wrapper/fortran-hook.sh

@@ -4,8 +4,7 @@ getTargetRoleWrapper
 export FC${role_post}=@named_fc@
 
 # If unset, assume the default hardening flags.
-# These are different for fortran.
+: ${NIX_HARDENING_ENABLE="@default_hardening_flags_str@"}
-: ${NIX_HARDENING_ENABLE="stackprotector pic strictoverflow relro bindnow"}
 export NIX_HARDENING_ENABLE
 
 unset -v role_post

pkgs/build-support/cc-wrapper/setup-hook.sh

@@ -111,7 +111,7 @@ export CC${role_post}=@named_cc@
 export CXX${role_post}=@named_cxx@
 
 # If unset, assume the default hardening flags.
-: ${NIX_HARDENING_ENABLE="fortify fortify3 stackprotector pic strictoverflow format relro bindnow"}
+: ${NIX_HARDENING_ENABLE="@default_hardening_flags_str@"}
 export NIX_HARDENING_ENABLE
 
 # No local scope in sourced file

pkgs/build-support/emacs/melpa.nix

@@ -11,8 +11,8 @@ let
     src = fetchFromGitHub {
       owner = "melpa";
       repo = "package-build";
-      rev = "c3c535e93d9dc92acd21ebc4b15016b5c3b90e7d";
+      rev = "c48aa078c01b4f07b804270c4583a0a58ffea1c0";
-      sha256 = "17z0wbqdd6fspbj43yq8biff6wfggk74xgnaf1xx6ynsp1i74is5";
+      sha256 = "sha256-MzPj375upIiYXdQR+wWXv3A1zMqbSrZlH0taLuxx/1M=";
     };
 
     patches = [ ./package-build-dont-use-mtime.patch ];

pkgs/build-support/emacs/melpa2nix.el

@@ -11,22 +11,22 @@
 ;; Allow installing package tarfiles larger than 10MB
 (setq large-file-warning-threshold nil)
 
-(defun melpa2nix-build-package-1 (rcp version commit)
+(defun melpa2nix-build-package-1 (rcp)
-  (let ((source-dir (package-recipe--working-tree rcp)))
+  (let* ((default-directory (package-recipe--working-tree rcp)))
     (unwind-protect
         (let ((files (package-build-expand-files-spec rcp t)))
-          (cond
+          (unless files
-           ((= (length files) 1)
+            (error "Unable to find files matching recipe patterns"))
-            (package-build--build-single-file-package
+          (if (> (length files) 1)
-             rcp version commit files source-dir))
+              (package-build--build-multi-file-package rcp files)
-           ((> (length files) 1)
+            (package-build--build-single-file-package rcp files))))))
-            (package-build--build-multi-file-package
-             rcp version commit files source-dir))
-           (t (error "Unable to find files matching recipe patterns")))))))
 
 (defun melpa2nix-build-package ()
-  (if (not noninteractive)
+  (unless noninteractive
-      (error "`melpa2nix-build-package' is to be used only with -batch"))
+    (error "`melpa2nix-build-package' is to be used only with -batch"))
   (pcase command-line-args-left
     (`(,package ,version ,commit)
-     (melpa2nix-build-package-1 (package-recipe-lookup package) version commit))))
+     (let ((recipe (package-recipe-lookup package)))
+       (setf (oref recipe commit) commit)
+       (setf (oref recipe version) version)
+       (melpa2nix-build-package-1 recipe)))))

pkgs/build-support/emacs/package-build-dont-use-mtime.patch

@@ -1,40 +1,21 @@
 diff --git a/package-build.el b/package-build.el
-index e572045..9eb0f82 100644
+index 29cdb61..c19be1b 100644
 --- a/package-build.el
 +++ b/package-build.el
-@@ -415,7 +415,7 @@ (defun package-build--write-pkg-file (desc dir)
+@@ -923,7 +923,6 @@ DIRECTORY is a temporary directory that contains the directory
-       (princ ";; Local Variables:\n;; no-byte-compile: t\n;; End:\n"
+ that is put in the tarball."
-              (current-buffer)))))
+   (let* ((name (oref rcp name))
- 
+          (version (oref rcp version))
--(defun package-build--create-tar (name version directory mtime)
+-         (time (oref rcp time))
-+(defun package-build--create-tar (name version directory)
+          (tar (expand-file-name (concat name "-" version ".tar")
-   "Create a tar file containing the contents of VERSION of package NAME.
+                                 package-build-archive-dir))
- DIRECTORY is a temporary directory that contains the directory
+          (dir (concat name "-" version)))
- that is put in the tarball.  MTIME is used as the modification
+@@ -939,7 +938,7 @@ that is put in the tarball."
-@@ -434,7 +434,7 @@ (defun package-build--create-tar (name version directory mtime)
+        ;; prevent a reproducible tarball as described at
-        ;; prevent a reproducable tarball as described at
         ;; https://reproducible-builds.org/docs/archives.
         "--sort=name"
--       (format "--mtime=@%d" mtime)
+-       (format "--mtime=@%d" time)
 +       "--mtime=@0"
         "--owner=0" "--group=0" "--numeric-owner"
         "--pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime"))
      (when (and package-build-verbose noninteractive)
-@@ -848,12 +848,11 @@ (defun package-build--build-multi-file-package (rcp version commit files source-
-                            (package-build--desc-from-library
-                             name version commit files 'tar)
-                            (error "%s[-pkg].el matching package name is missing"
--                                  name))))
--               (mtime (package-build--get-commit-time rcp commit)))
-+                                  name)))))
-           (package-build--copy-package-files files source-dir target)
-           (package-build--write-pkg-file desc target)
-           (package-build--generate-info-files files source-dir target)
--          (package-build--create-tar name version tmp-dir mtime)
-+          (package-build--create-tar name version tmp-dir)
-           (package-build--write-pkg-readme name files source-dir)
-           (package-build--write-archive-entry desc))
-       (delete-directory tmp-dir t nil))))
--- 
-2.37.2
-

pkgs/build-support/fetchurl/mirrors.nix

@@ -125,6 +125,7 @@
 
   # Mirrors from https://download.kde.org/ls-lR.mirrorlist
   kde = [
+    "https://cdn.download.kde.org/"
     "https://download.kde.org/download.php?url="
     "https://ftp.gwdg.de/pub/linux/kde/"
     "https://mirrors.ocf.berkeley.edu/kde/"

pkgs/build-support/rust/hooks/maturin-build-hook.sh

@@ -25,7 +25,7 @@ maturinBuildHook() {
 
     # Move the wheel to dist/ so that regular Python tooling can find it.
     mkdir -p dist
-    mv target/wheels/*.whl dist/
+    mv ${cargoRoot:+$cargoRoot/}target/wheels/*.whl dist/
 
     # These are python build hooks and may depend on ./dist
     runHook postBuild

pkgs/build-support/rust/rustc-wrapper/rustc-wrapper.sh

@@ -1,6 +1,19 @@
 #!@shell@
 
-extraBefore=(@sysroot@)
+defaultSysroot=(@sysroot@)
+
+for arg; do
+    case "$arg" in
+        --sysroot)
+            defaultSysroot=()
+            ;;
+        --)
+            break
+            ;;
+    esac
+done
+
+extraBefore=("${defaultSysroot[@]}")
 extraAfter=($NIX_RUSTFLAGS)
 
 # Optionally print debug info.

pkgs/build-support/setup-hooks/auto-patchelf.sh

@@ -53,17 +53,30 @@ autoPatchelf() {
         esac
     done
 
-    readarray -td' ' ignoreMissingDepsArray < <(echo -n "$autoPatchelfIgnoreMissingDeps")
+    if [ -n "$__structuredAttrs" ]; then
-    if [ "$autoPatchelfIgnoreMissingDeps" == "1" ]; then
+        local ignoreMissingDepsArray=( "${autoPatchelfIgnoreMissingDeps[@]}" )
-        echo "autoPatchelf: WARNING: setting 'autoPatchelfIgnoreMissingDeps" \
+        local appendRunpathsArray=( "${appendRunpaths[@]}" )
-             "= true;' is deprecated and will be removed in a future release." \
+        local runtimeDependenciesArray=( "${runtimeDependencies[@]}" )
-             "Use 'autoPatchelfIgnoreMissingDeps = [ \"*\" ];' instead." >&2
+        local patchelfFlagsArray=( "${patchelfFlags[@]}" )
-        ignoreMissingDepsArray=( "*" )
+    else
+        readarray -td' ' ignoreMissingDepsArray < <(echo -n "$autoPatchelfIgnoreMissingDeps")
+        local appendRunpathsArray=($appendRunpaths)
+        local runtimeDependenciesArray=($runtimeDependencies)
+        local patchelfFlagsArray=($patchelfFlags)
     fi
 
-    local appendRunpathsArray=($appendRunpaths)
+    # Check if ignoreMissingDepsArray contains "1" and if so, replace it with
-    local runtimeDependenciesArray=($runtimeDependencies)
+    # "*", printing a deprecation warning.
-    local patchelfFlagsArray=($patchelfFlags)
+    for dep in "${ignoreMissingDepsArray[@]}"; do
+        if [ "$dep" == "1" ]; then
+            echo "autoPatchelf: WARNING: setting 'autoPatchelfIgnoreMissingDeps" \
+                 "= true;' is deprecated and will be removed in a future release." \
+                 "Use 'autoPatchelfIgnoreMissingDeps = [ \"*\" ];' instead." >&2
+            ignoreMissingDepsArray=( "*" )
+            break
+        fi
+    done
+
     @pythonInterpreter@ @autoPatchelfScript@                            \
         ${norecurse:+--no-recurse}                                      \
         --ignore-missing "${ignoreMissingDepsArray[@]}"                 \

pkgs/by-name/ai/airlift/package.nix

@@ -1,7 +1,6 @@
 { lib
 , python3
 , fetchPypi
-, argparse
 , kubernetes-helm
 , kind
 , docker
@@ -17,16 +16,22 @@ python3.pkgs.buildPythonApplication rec {
     inherit pname version;
     hash = "sha256-1LE3fpfX4NExJdUdSjt4BXvxQTLJ8zrRkGHkxo/6Pb8=";
   };
+
+  postPatch = ''
+    sed -i '/argparse/d' pyproject.toml
+  '';
+
+   nativeBuildInputs = [
+    python3.pkgs.poetry-core
+  ];
+
   buildInputs = [
     kubernetes-helm
     kind
     docker
   ];
-  nativeBuildInputs = [
+
-    python3.pkgs.poetry-core
-  ];
   propagatedBuildInputs = with python3.pkgs; [
-    argparse
     halo
     pyyaml
     hiyapyco

pkgs/by-name/bi/bitbake-language-server/package.nix

@@ -26,8 +26,6 @@ python3.pkgs.buildPythonApplication rec {
     pygls
   ];
 
-  SETUPTOOLS_SCM_PRETEND_VERSION = version;
-
   passthru.updateScript = nix-update-script { };
 
   meta = with lib; {

pkgs/by-name/cm/cmake/package.nix

@@ -138,8 +138,6 @@ stdenv.mkDerivation (finalAttrs: {
     "CFLAGS=-D_FILE_OFFSET_BITS=64"
     "CXXFLAGS=-D_FILE_OFFSET_BITS=64"
   ]
-  # Workaround missing atomic ops with gcc <13
-  ++ lib.optional stdenv.hostPlatform.isRiscV "LDFLAGS=-latomic"
   ++ [
     "--"
     # We should set the proper `CMAKE_SYSTEM_NAME`.

pkgs/by-name/ho/homeassistant-satellite/package.nix

@@ -16,8 +16,12 @@ python3.pkgs.buildPythonApplication rec {
   };
 
   nativeBuildInputs = with python3.pkgs; [
+    pythonRelaxDepsHook
     setuptools
-    wheel
+  ];
+
+  pythonRelaxDeps = [
+    "aiohttp"
   ];
 
   propagatedBuildInputs = with python3.pkgs; [

pkgs/by-name/me/meson/007-darwin-case-sensitivity.patch

@@ -0,0 +1,27 @@
+From a908a574daf8bac10bb2a0ee3771052d2167a85f Mon Sep 17 00:00:00 2001
+From: Randy Eckenrode <randy@largeandhighquality.com>
+Date: Sun, 3 Dec 2023 15:41:20 -0500
+Subject: [PATCH] Fix test failure on Darwin on a case-sensitive fs
+
+This was encountered while looking into an issue with
+https://github.com/NixOS/nixpkgs/pull/268583.
+
+I run my Nix store on case-sensitive APFS, so the test fails due to
+trying to link `-framework ldap` instead of `-framework LDAP`.
+---
+ test cases/osx/5 extra frameworks/meson.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test cases/osx/5 extra frameworks/meson.build b/test cases/osx/5 extra frameworks/meson.build
+index f6c01e63a1bd..96532846c632 100644
+--- a/test cases/osx/5 extra frameworks/meson.build	
++++ b/test cases/osx/5 extra frameworks/meson.build	
+@@ -7,7 +7,7 @@ dep_main = dependency('Foundation')
+ assert(dep_main.type_name() == 'extraframeworks', 'type_name is ' + dep_main.type_name())
+ 
+ # https://github.com/mesonbuild/meson/issues/10002
+-ldap_dep = dependency('ldap', method : 'extraframework')
++ldap_dep = dependency('LDAP', method : 'extraframework')
+ assert(ldap_dep.type_name() == 'extraframeworks', 'type_name is ' + ldap_dep.type_name())
+ 
+ stlib = static_library('stat', 'stat.c', install : true, dependencies: [opengl_dep, ldap_dep])

pkgs/by-name/me/meson/package.nix

@@ -1,11 +1,11 @@
 { lib
 , stdenv
 , fetchFromGitHub
-, fetchpatch
 , installShellFiles
 , coreutils
 , darwin
 , libxcrypt
+, openldap
 , ninja
 , pkg-config
 , python3
@@ -14,17 +14,17 @@
 }:
 
 let
-  inherit (darwin.apple_sdk.frameworks) AppKit Cocoa Foundation OpenGL;
+  inherit (darwin.apple_sdk.frameworks) AppKit Cocoa Foundation LDAP OpenGL;
 in
 python3.pkgs.buildPythonApplication rec {
   pname = "meson";
-  version = "1.2.3";
+  version = "1.3.0";
 
   src = fetchFromGitHub {
     owner = "mesonbuild";
     repo = "meson";
     rev = "refs/tags/${version}";
-    hash = "sha256-dgYYz3tQDG6Z4eE77WO2dXdardxVzzGaFLQ5znPcTlw=";
+    hash = "sha256-Jt3PWnbv/8P6Rvf3E/Yli2vdtfgx3CmsW+jlc9CK5KA=";
   };
 
   patches = [
@@ -66,15 +66,8 @@ python3.pkgs.buildPythonApplication rec {
     # Nixpkgs cctools does not have bitcode support.
     ./006-disable-bitcode.patch
 
-    # Fix passing multiple --define-variable arguments to pkg-config.
+    # https://github.com/mesonbuild/meson/pull/12587
-    # https://github.com/mesonbuild/meson/pull/10670
+    ./007-darwin-case-sensitivity.patch
-    (fetchpatch {
-      url = "https://github.com/mesonbuild/meson/commit/d5252c5d4cf1c1931fef0c1c98dd66c000891d21.patch";
-      hash = "sha256-GiUNVul1N5Fl8mfqM7vA/r1FdKqImiDYLXMVDt77gvw=";
-      excludes = [
-        "docs/yaml/objects/dep.yaml"
-      ];
-    })
   ];
 
   buildInputs = lib.optionals (python3.pythonOlder "3.9") [
@@ -95,7 +88,9 @@ python3.pkgs.buildPythonApplication rec {
     AppKit
     Cocoa
     Foundation
+    LDAP
     OpenGL
+    openldap
   ];
 
   checkPhase = lib.concatStringsSep "\n" ([

pkgs/by-name/si/sirius/package.nix

@@ -85,6 +85,11 @@ stdenv.mkDerivation rec {
 
   propagatedBuildInputs = [ mpi ];
 
+  CXXFLAGS = [
+    # GCC 13: error: 'uintptr_t' in namespace 'std' does not name a type
+    "-include cstdint"
+  ];
+
   cmakeFlags = [
     "-DUSE_SCALAPACK=ON"
     "-DBUILD_TESTING=ON"

pkgs/by-name/uc/ucode/package.nix

@@ -0,0 +1,36 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, cmake
+, pkg-config
+, json_c
+}:
+
+stdenv.mkDerivation rec {
+  pname = "ucode";
+  version = "0.0.20231102";
+
+  src = fetchFromGitHub {
+    owner = "jow-";
+    repo = "ucode";
+    rev = "v${version}";
+    hash = "sha256-dJjlwuQLS73D6W/bmhWLPPaT7himQyO1RvD+MXVxBMw=";
+  };
+
+  buildInputs = [
+    json_c
+  ];
+
+  nativeBuildInputs = [
+    cmake
+    pkg-config
+  ];
+
+  meta = with lib; {
+    description = "JavaScript-like language with optional templating";
+    homepage = "https://github.com/jow-/ucode";
+    license = licenses.isc;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ mkg20001 ];
+  };
+}

pkgs/by-name/ud/udebug/package.nix

@@ -0,0 +1,41 @@
+{ lib
+, stdenv
+, cmake
+, fetchgit
+, pkg-config
+, ubus
+, libubox
+, ucode
+, json_c
+}:
+
+stdenv.mkDerivation {
+  pname = "udebug";
+  version = "unstable-2023-11-28";
+
+  src = fetchgit {
+    url = "https://git.openwrt.org/project/udebug.git";
+    rev = "d49aadabb7a147b99a3e6299a77d7fda4e266091";
+    hash = "sha256-5I50q+oUQ5f82ngKl7bX50J+3pBviNk3iVEChNjt5wY=";
+  };
+
+  buildInputs = [
+    ubus
+    libubox
+    ucode
+    json_c
+  ];
+
+  nativeBuildInputs = [
+    cmake
+    pkg-config
+  ];
+
+  meta = with lib; {
+    description = "OpenWrt debugging helper library/service";
+    homepage = "https://git.openwrt.org/?p=project/udebug.git;a=summary";
+    license = licenses.free;
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ mkg20001 ];
+  };
+}

pkgs/by-name/we/websecprobe/package.nix

@@ -5,18 +5,17 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "websecprobe";
-  version = "0.0.10";
+  version = "0.0.11";
   pyproject = true;
 
   src = fetchPypi {
     pname = "WebSecProbe";
     inherit version;
-    hash = "sha256-QvXOyQUptMyim/bgvhihjgGs7vX0qX8MqK2ol8q9ePc=";
+    hash = "sha256-OKbKz3HSTtwyx/JNUtLJBTaHQcxkUWroMg9/msVWgk4=";
   };
 
   nativeBuildInputs = with python3.pkgs; [
     setuptools
-    wheel
   ];
 
   propagatedBuildInputs = with python3.pkgs; [

pkgs/data/misc/tzdata/default.nix

@@ -2,16 +2,16 @@
 
 stdenv.mkDerivation rec {
   pname = "tzdata";
-  version = "2023c";
+  version = "2023d";
 
   srcs = [
     (fetchurl {
       url = "https://data.iana.org/time-zones/releases/tzdata${version}.tar.gz";
-      hash = "sha256-P1ELXRtK6bs45IWqMCp3azF/s2N722QExK33tsrdllw=";
+      hash = "sha256-28ohlwsKi4wM7O7B17kfqQO+D27KWucytTKWciMqCPM=";
     })
     (fetchurl {
       url = "https://data.iana.org/time-zones/releases/tzcode${version}.tar.gz";
-      hash = "sha256-RtF/K7Ga1zKQ8DogMAYVLg+g17EeW3FGfEqCOBGyFOc=";
+      hash = "sha256-6aX54RiIbS3pK2K7BVEKKMxsBY15HJO9a4TTKSw8Fh4=";
     })
   ];
 

pkgs/desktops/gnome/apps/gnome-clocks/default.nix

@@ -9,7 +9,6 @@
 , itstool
 , desktop-file-utils
 , vala
-, gobject-introspection
 , libxml2
 , gtk4
 , glib
@@ -43,7 +42,6 @@ stdenv.mkDerivation rec {
     wrapGAppsHook4
     desktop-file-utils
     libxml2
-    gobject-introspection # for finding vapi files
   ];
 
   buildInputs = [

pkgs/desktops/gnome/apps/seahorse/default.nix

@@ -57,10 +57,6 @@ stdenv.mkDerivation rec {
     gnupg
     desktop-file-utils
     gcr
-    # error: Package `...' not found in specified Vala API directories or GObject-Introspection GIR directories
-    # TODO: the vala setuphook should look for vala filess in targetOffset instead of hostOffset
-    libhandy
-    libsecret
   ];
 
   buildInputs = [

pkgs/desktops/gnome/core/baobab/default.nix

@@ -36,10 +36,6 @@ stdenv.mkDerivation rec {
     pkg-config
     vala
     wrapGAppsHook4
-    # Prevents “error: Package `libadwaita-1' not found in specified Vala API
-    # directories or GObject-Introspection GIR directories” with strictDeps,
-    # even though it should only be a runtime dependency.
-    libadwaita
   ];
 
   buildInputs = [

pkgs/desktops/gnome/core/gnome-calculator/default.nix

@@ -12,7 +12,6 @@
 , glib
 , gtksourceview5
 , wrapGAppsHook4
-, gobject-introspection
 , gnome
 , mpfr
 , gmp
@@ -40,7 +39,6 @@ stdenv.mkDerivation rec {
     gettext
     itstool
     wrapGAppsHook4
-    gobject-introspection # for finding vapi files
   ];
 
   buildInputs = [

pkgs/desktops/gnome/games/gnome-mines/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, meson, ninja, vala, gobject-introspection, pkg-config, gnome, gtk3, wrapGAppsHook
+{ lib, stdenv, fetchurl, meson, ninja, vala, pkg-config, gnome, gtk3, wrapGAppsHook
 , librsvg, gettext, itstool, python3, libxml2, libgnome-games-support, libgee, desktop-file-utils }:
 
 stdenv.mkDerivation rec {
@@ -10,9 +10,8 @@ stdenv.mkDerivation rec {
     sha256 = "NQLps/ccs7LnEcDmAZGH/rzCvKh349RW3KtwD3vjEnI=";
   };
 
-  # gobject-introspection for finding vapi files
   nativeBuildInputs = [
-    meson ninja vala gobject-introspection pkg-config gettext itstool python3
+    meson ninja vala pkg-config gettext itstool python3
     libxml2 wrapGAppsHook desktop-file-utils
   ];
   buildInputs = [ gtk3 librsvg gnome.adwaita-icon-theme libgnome-games-support libgee ];

pkgs/development/compilers/binaryen/default.nix

@@ -13,13 +13,20 @@ stdenv.mkDerivation rec {
     hash = "sha256-gMwbWiP+YDCVafQMBWhTuJGWmkYtnhEdn/oofKaUT08=";
   };
 
-  # Fix build with Node 20
   # FIXME: remove for next release
   patches = [
     (fetchpatch {
+      name = "nodejs-20.patch";
       url = "https://github.com/WebAssembly/binaryen/commit/889422e0c92552ff484659f9b41e777ba7ab35c1.patch";
       hash = "sha256-acM8mytL9nhm4np9tpUbd1X0wJ7y308HV2fvgcAW1lY=";
     })
+
+    # Fix fmin tests on gcc-13: https://github.com/WebAssembly/binaryen/pull/5994
+    (fetchpatch {
+      name = "gcc-13.patch";
+      url = "https://github.com/WebAssembly/binaryen/commit/1e17dfb695a19d5d41f1f88411fbcbc5f2408c8f.patch";
+      hash = "sha256-5JZh15CXkg5XdTG8eRJXPwO+zmymYeFjKbHutRPTmlU=";
+    })
   ];
 
   nativeBuildInputs = [ cmake python3 ];