Merge master into staging-next

2024-04-03 12:01:21 +00:00 · 2024-04-03 12:01:21 +00:00 · e74231f370
commit e74231f370
parent 273330912a 33fcd9cff8
116 changed files with 1335 additions and 581 deletions
--- a/doc/build-helpers/fetchers.chapter.md
+++ b/doc/build-helpers/fetchers.chapter.md
@ -1,66 +1,161 @@
 # Fetchers {#chap-pkgs-fetchers}
 Building software with Nix often requires downloading source code and other files from the internet.
-To this end, Nixpkgs provides *fetchers*: functions to obtain remote sources via various protocols and services.
+To this end, we use functions that we call _fetchers_, which obtain remote sources via various protocols and services.
 Nix provides built-in fetchers such as [`builtins.fetchTarball`](https://nixos.org/manual/nix/stable/language/builtins.html#builtins-fetchTarball).
 Nixpkgs provides its own fetchers, which work differently:
 Nixpkgs fetchers differ from built-in fetchers such as [`builtins.fetchTarball`](https://nixos.org/manual/nix/stable/language/builtins.html#builtins-fetchTarball):
 - A built-in fetcher will download and cache files at evaluation time and produce a [store path](https://nixos.org/manual/nix/stable/glossary#gloss-store-path).
-  A Nixpkgs fetcher will create a ([fixed-output](https://nixos.org/manual/nix/stable/glossary#gloss-fixed-output-derivation)) [derivation](https://nixos.org/manual/nix/stable/language/derivations), and files are downloaded at build time.
+  A Nixpkgs fetcher will create a ([fixed-output](https://nixos.org/manual/nix/stable/glossary#gloss-fixed-output-derivation)) [derivation](https://nixos.org/manual/nix/stable/glossary#gloss-derivation), and files are downloaded at build time.
 - Built-in fetchers will invalidate their cache after [`tarball-ttl`](https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-tarball-ttl) expires, and will require network activity to check if the cache entry is up to date.
-  Nixpkgs fetchers only re-download if the specified hash changes or the store object is not otherwise available.
+  Nixpkgs fetchers only re-download if the specified hash changes or the store object is not available.
 - Built-in fetchers do not use [substituters](https://nixos.org/manual/nix/stable/command-ref/conf-file#conf-substituters).
  Derivations produced by Nixpkgs fetchers will use any configured binary cache transparently.
-This significantly reduces the time needed to evaluate the entirety of Nixpkgs, and allows [Hydra](https://nixos.org/hydra) to retain and re-distribute sources used by Nixpkgs in the [public binary cache](https://cache.nixos.org).
+This significantly reduces the time needed to evaluate Nixpkgs, and allows [Hydra](https://nixos.org/hydra) to retain and re-distribute sources used by Nixpkgs in the [public binary cache](https://cache.nixos.org).
-For these reasons, built-in fetchers are not allowed in Nixpkgs source code.
+For these reasons, Nix's built-in fetchers are not allowed in Nixpkgs.
-The following table shows an overview of the differences:
+The following table summarises the differences:
 | Fetchers | Download | Output | Cache | Re-download when |
 |-|-|-|-|-|
 | `builtins.fetch*` | evaluation time | store path | `/nix/store`, `~/.cache/nix` | `tarball-ttl` expires, cache miss in `~/.cache/nix`, output store object not in local store |
 | `pkgs.fetch*` | build time | derivation | `/nix/store`, substituters | output store object not available |
 :::{.tip}
 `pkgs.fetchFrom*` helpers retrieve _snapshots_ of version-controlled sources, as opposed to the entire version history, which is more efficient.
 `pkgs.fetchgit` by default also has the same behaviour, but can be changed through specific attributes given to it.
 :::
 ## Caveats {#chap-pkgs-fetchers-caveats}
-The fact that the hash belongs to the Nix derivation output and not the file itself can lead to confusion.
+Because Nixpkgs fetchers are fixed-output derivations, an [output hash](https://nixos.org/manual/nix/stable/language/advanced-attributes#adv-attr-outputHash) has to be specified, usually indirectly through a `hash` attribute.
-For example, consider the following fetcher:
+This hash refers to the derivation output, which can be different from the remote source itself!
-```nix
+This has the following implications that you should be aware of:
 fetchurl {
  url = "http://www.example.org/hello-1.0.tar.gz";
  hash = "sha256-lTeyxzJNQeMdu1IVdovNMtgn77jRIhSybLdMbTkf2Ww=";
 }
 ```
-A common mistake is to update a fetcher’s URL, or a version parameter, without updating the hash.
+- Use Nix (or Nix-aware) tooling to produce the output hash.
-```nix
+- When changing any fetcher parameters, always update the output hash.
-fetchurl {
+  Use one of the methods from [](#sec-pkgs-fetchers-updating-source-hashes).
-  url = "http://www.example.org/hello-1.1.tar.gz";
+  Otherwise, existing store objects that match the output hash will be re-used rather than fetching new content.
  hash = "sha256-lTeyxzJNQeMdu1IVdovNMtgn77jRIhSybLdMbTkf2Ww=";
 }
 ```
-**This will reuse the old contents**.
+  :::{.note}
-Remember to invalidate the hash argument, in this case by setting the `hash` attribute to an empty string.
+  A similar problem arises while testing changes to a fetcher's implementation.
  If the output of the derivation already exists in the Nix store, test failures can go undetected.
  The [`invalidateFetcherByDrvHash`](#tester-invalidateFetcherByDrvHash) function helps prevent reusing cached derivations.
  :::
-```nix
+## Updating source hashes {#sec-pkgs-fetchers-updating-source-hashes}
 fetchurl {
  url = "http://www.example.org/hello-1.1.tar.gz";
  hash = "";
 }
 ```
-Use the resulting error message to determine the correct hash.
+There are several ways to obtain the hash corresponding to a remote source.
 Unless you understand how the fetcher you're using calculates the hash from the downloaded contents, you should use [the fake hash method](#sec-pkgs-fetchers-updating-source-hashes-fakehash-method).
-```
+1. []{#sec-pkgs-fetchers-updating-source-hashes-fakehash-method} The fake hash method: In your package recipe, set the hash to one of
 error: hash mismatch in fixed-output derivation '/path/to/my.drv':
         specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
            got:    sha256-lTeyxzJNQeMdu1IVdovNMtgn77jRIhSybLdMbTkf2Ww=
 ```
-A similar problem arises while testing changes to a fetcher's implementation. If the output of the derivation already exists in the Nix store, test failures can go undetected. The [`invalidateFetcherByDrvHash`](#tester-invalidateFetcherByDrvHash) function helps prevent reusing cached derivations.
+   - `""`
   - `lib.fakeHash`
   - `lib.fakeSha256`
   - `lib.fakeSha512`
   Attempt to build, extract the calculated hashes from error messages, and put them into the recipe.
   :::{.warning}
   You must use one of these four fake hashes and not some arbitrarily-chosen hash.
   See [](#sec-pkgs-fetchers-secure-hashes) for details.
   :::
   :::{.example #ex-fetchers-update-fod-hash}
   # Update source hash with the fake hash method
   Consider the following recipe that produces a plain file:
   ```nix
   { fetchurl }:
   fetchurl {
     url = "https://raw.githubusercontent.com/NixOS/nixpkgs/23.05/.version";
     hash = "sha256-ZHl1emidXVojm83LCVrwULpwIzKE/mYwfztVkvpruOM=";
   }
   ```
   A common mistake is to update a fetcher parameter, such as `url`, without updating the hash:
   ```nix
   { fetchurl }:
   fetchurl {
     url = "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/.version";
     hash = "sha256-ZHl1emidXVojm83LCVrwULpwIzKE/mYwfztVkvpruOM=";
   }
   ```
   **This will produce the same output as before!**
   Set the hash to an empty string:
   ```nix
   { fetchurl }:
   fetchurl {
     url = "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/.version";
     hash = "";
   }
   ```
   When building the package, use the error message to determine the correct hash:
   ```shell
   $ nix-build
   (some output removed for clarity)
   error: hash mismatch in fixed-output derivation '/nix/store/7yynn53jpc93l76z9zdjj4xdxgynawcw-version.drv':
           specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
               got:    sha256-BZqI7r0MNP29yGH5+yW2tjU9OOpOCEvwWKrWCv5CQ0I=
   error: build of '/nix/store/bqdjcw5ij5ymfbm41dq230chk9hdhqff-version.drv' failed
   ```
   :::
 2. Prefetch the source with [`nix-prefetch-<type> <URL>`](https://search.nixos.org/packages?buckets={%22package_attr_set%22%3A[%22No%20package%20set%22]%2C%22package_license_set%22%3A[]%2C%22package_maintainers_set%22%3A[]%2C%22package_platforms%22%3A[]}&query=nix-prefetch), where `<type>` is one of
   - `url`
   - `git`
   - `hg`
   - `cvs`
   - `bzr`
   - `svn`
   The hash is printed to stdout.
 3. Prefetch by package source (with `nix-prefetch-url '<nixpkgs>' -A <package>.src`, where `<package>` is package attribute name).
   The hash is printed to stdout.
   This works well when you've upgraded the existing package version and want to find out new hash, but is useless if the package can't be accessed by attribute or the package has multiple sources (`.srcs`, architecture-dependent sources, etc).
 4. Upstream hash: use it when upstream provides `sha256` or `sha512`.
   Don't use it when upstream provides `md5`, compute `sha256` instead.
   A little nuance is that `nix-prefetch-*` tools produce hashes with the `nix32` encoding (a Nix-specific base32 adaptation), but upstream usually provides hexadecimal (`base16`) encoding.
   Fetchers understand both formats.
   Nixpkgs does not standardise on any one format.
   You can convert between hash formats with [`nix-hash`](https://nixos.org/manual/nix/stable/command-ref/nix-hash).
 5. Extract the hash from a local source archive with `sha256sum`.
   Use `nix-prefetch-url file:///path/to/archive` if you want the custom Nix `base32` hash.
 ## Obtaining hashes securely {#sec-pkgs-fetchers-secure-hashes}
 It's always a good idea to avoid Man-in-the-Middle (MITM) attacks when downloading source contents.
 Otherwise, you could unknowingly download malware instead of the intended source, and instead of the actual source hash, you'll end up using the hash of malware.
 Here are security considerations for this scenario:
 - `http://` URLs are not secure to prefetch hashes.
 - Upstream hashes should be obtained via a secure protocol.
 - `https://` URLs give you more protections when using `nix-prefetch-*` or for upstream hashes.
 - `https://` URLs are secure when using the [fake hash method](#sec-pkgs-fetchers-updating-source-hashes-fakehash-method) *only if* you use one of the listed fake hashes.
  If you use any other hash, the download will be exposed to MITM attacks even if you use HTTPS URLs.
  In more concrete terms, if you use any other hash, the [`--insecure` flag](https://curl.se/docs/manpage.html#-k) will be passed to the underlying call to `curl` when downloading content.
 ## `fetchurl` and `fetchzip` {#fetchurl}
--- a/doc/manpage-urls.json
+++ b/doc/manpage-urls.json
@ -320,5 +320,7 @@
  "login.defs(5)": "https://man.archlinux.org/man/login.defs.5",
  "unshare(1)": "https://man.archlinux.org/man/unshare.1.en",
  "nix-shell(1)": "https://nixos.org/manual/nix/stable/command-ref/nix-shell.html",
-  "mksquashfs(1)": "https://man.archlinux.org/man/extra/squashfs-tools/mksquashfs.1.en"
+  "mksquashfs(1)": "https://man.archlinux.org/man/extra/squashfs-tools/mksquashfs.1.en",
  "curl(1)": "https://curl.se/docs/manpage.html",
  "netrc(5)": "https://man.cx/netrc"
 }
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@ -18594,6 +18594,12 @@
    githubId = 20756843;
    name = "Sofi";
  };
  soyouzpanda = {
    name = "soyouzpanda";
    email = "soyouzpanda@soyouzpanda.fr";
    github = "soyouzpanda";
    githubId = 23421201;
  };
  soywod = {
    name = "Clément DOUIN";
    email = "clement.douin@posteo.net";
--- a/nixos/modules/services/networking/nsd.nix
+++ b/nixos/modules/services/networking/nsd.nix
@ -81,7 +81,6 @@ let
      zonesdir: "${stateDir}"
      # the list of dynamically added zones.
      database:     "${stateDir}/var/nsd.db"
      pidfile:      "${pidFile}"
      xfrdfile:     "${stateDir}/var/xfrd.state"
      xfrdir:       "${stateDir}/tmp"
@ -112,6 +111,7 @@ let
      ${maybeString "version: " cfg.version}
      xfrd-reload-timeout: ${toString cfg.xfrdReloadTimeout}
      zonefiles-check:     ${yesOrNo  cfg.zonefilesCheck}
      zonefiles-write:     ${toString cfg.zonefilesWrite}
      ${maybeString "rrl-ipv4-prefix-length: " cfg.ratelimit.ipv4PrefixLength}
      ${maybeString "rrl-ipv6-prefix-length: " cfg.ratelimit.ipv6PrefixLength}
@ -173,6 +173,7 @@ let
      ${maybeToString "min-retry-time:   " zone.minRetrySecs}
      allow-axfr-fallback: ${yesOrNo       zone.allowAXFRFallback}
      multi-master-check: ${yesOrNo        zone.multiMasterCheck}
    ${forEach     "  allow-notify: "       zone.allowNotify}
    ${forEach     "  request-xfr: "        zone.requestXFR}
@ -201,7 +202,7 @@ let
      allowAXFRFallback = mkOption {
        type = types.bool;
        default = true;
-        description = lib.mdDoc ''
+        description = ''
          If NSD as secondary server should be allowed to AXFR if the primary
          server does not allow IXFR.
        '';
@ -213,7 +214,7 @@ let
        example = [ "192.0.2.0/24 NOKEY" "10.0.0.1-10.0.0.5 my_tsig_key_name"
                    "10.0.3.4&255.255.0.0 BLOCKED"
                  ];
-        description = lib.mdDoc ''
+        description = ''
          Listed primary servers are allowed to notify this secondary server.
          Format: `<ip> <key-name | NOKEY | BLOCKED>`
@ -243,7 +244,7 @@ let
        # to default values, breaking the parent inheriting function.
        type = types.attrsOf types.anything;
        default = {};
-        description = lib.mdDoc ''
+        description = ''
          Children zones inherit all options of their parents. Attributes
          defined in a child will overwrite the ones of its parent. Only
          leaf zones will be actually served. This way it's possible to
@ -256,29 +257,29 @@ let
      data = mkOption {
        type = types.lines;
        default = "";
-        description = lib.mdDoc ''
+        description = ''
          The actual zone data. This is the content of your zone file.
          Use imports or pkgs.lib.readFile if you don't want this data in your config file.
        '';
      };
-      dnssec = mkEnableOption (lib.mdDoc "DNSSEC");
+      dnssec = mkEnableOption "DNSSEC";
      dnssecPolicy = {
        algorithm = mkOption {
          type = types.str;
          default = "RSASHA256";
-          description = lib.mdDoc "Which algorithm to use for DNSSEC";
+          description = "Which algorithm to use for DNSSEC";
        };
        keyttl = mkOption {
          type = types.str;
          default = "1h";
-          description = lib.mdDoc "TTL for dnssec records";
+          description = "TTL for dnssec records";
        };
        coverage = mkOption {
          type = types.str;
          default = "1y";
-          description = lib.mdDoc ''
+          description = ''
            The length of time to ensure that keys will be correct; no action will be taken to create new keys to be activated after this time.
          '';
        };
@ -289,7 +290,7 @@ let
                      postPublish = "1w";
                      rollPeriod = "1mo";
                    };
-          description = lib.mdDoc "Key policy for zone signing keys";
+          description = "Key policy for zone signing keys";
        };
        ksk = mkOption {
          type = keyPolicy;
@ -298,14 +299,14 @@ let
                      postPublish = "1mo";
                      rollPeriod = "0";
                    };
-          description = lib.mdDoc "Key policy for key signing keys";
+          description = "Key policy for key signing keys";
        };
      };
      maxRefreshSecs = mkOption {
        type = types.nullOr types.int;
        default = null;
-        description = lib.mdDoc ''
+        description = ''
          Limit refresh time for secondary zones. This is the timer which
          checks to see if the zone has to be refetched when it expires.
          Normally the value from the SOA record is used, but this  option
@ -316,7 +317,7 @@ let
      minRefreshSecs = mkOption {
        type = types.nullOr types.int;
        default = null;
-        description = lib.mdDoc ''
+        description = ''
          Limit refresh time for secondary zones.
        '';
      };
@ -324,7 +325,7 @@ let
      maxRetrySecs = mkOption {
        type = types.nullOr types.int;
        default = null;
-        description = lib.mdDoc ''
+        description = ''
          Limit retry time for secondary zones. This is the timeout after
          a failed fetch attempt for the zone. Normally the value from
          the SOA record is used, but this option restricts that value.
@ -334,17 +335,26 @@ let
      minRetrySecs = mkOption {
        type = types.nullOr types.int;
        default = null;
-        description = lib.mdDoc ''
+        description = ''
          Limit retry time for secondary zones.
        '';
      };
      multiMasterCheck = mkOption {
        type = types.bool;
        default = false;
        description = ''
          If enabled, checks all masters for the last zone version.
          It uses the higher version from all configured masters.
          Useful if you have multiple masters that have different version numbers served.
        '';
      };
      notify = mkOption {
        type = types.listOf types.str;
        default = [];
        example = [ "10.0.0.1@3721 my_key" "::5 NOKEY" ];
-        description = lib.mdDoc ''
+        description = ''
          This primary server will notify all given secondary servers about
          zone changes.
@ -361,7 +371,7 @@ let
      notifyRetry = mkOption {
        type = types.int;
        default = 5;
-        description = lib.mdDoc ''
+        description = ''
          Specifies the number of retries for failed notifies. Set this along with notify.
        '';
      };
@ -370,7 +380,7 @@ let
        type = types.nullOr types.str;
        default = null;
        example = "2000::1@1234";
-        description = lib.mdDoc ''
+        description = ''
          This address will be used for zone-transfer requests if configured
          as a secondary server or notifications in case of a primary server.
          Supply either a plain IPv4 or IPv6 address with an optional port
@ -382,7 +392,7 @@ let
        type = types.listOf types.str;
        default = [];
        example = [ "192.0.2.0/24 NOKEY" "192.0.2.0/24 my_tsig_key_name" ];
-        description = lib.mdDoc ''
+        description = ''
          Allow these IPs and TSIG to transfer zones, addr TSIG|NOKEY|BLOCKED
          address range 192.0.2.0/24, 1.2.3.4&255.255.0.0, 3.0.2.20-3.0.2.40
        '';
@ -391,7 +401,7 @@ let
      requestXFR = mkOption {
        type = types.listOf types.str;
        default = [];
-        description = lib.mdDoc ''
+        description = ''
          Format: `[AXFR|UDP] <ip-address> <key-name | NOKEY>`
        '';
      };
@ -399,7 +409,7 @@ let
      rrlWhitelist = mkOption {
        type = with types; listOf (enum [ "nxdomain" "error" "referral" "any" "rrsig" "wildcard" "nodata" "dnskey" "positive" "all" ]);
        default = [];
-        description = lib.mdDoc ''
+        description = ''
          Whitelists the given rrl-types.
        '';
      };
@ -408,7 +418,7 @@ let
        type = types.nullOr types.str;
        default = null;
        example = "%s";
-        description = lib.mdDoc ''
+        description = ''
          When set to something distinct to null NSD is able to collect
          statistics per zone. All statistics of this zone(s) will be added
          to the group specified by this given name. Use "%s" to use the zones
@ -423,19 +433,19 @@ let
    options = {
      keySize = mkOption {
        type = types.int;
-        description = lib.mdDoc "Key size in bits";
+        description = "Key size in bits";
      };
      prePublish = mkOption {
        type = types.str;
-        description = lib.mdDoc "How long in advance to publish new keys";
+        description = "How long in advance to publish new keys";
      };
      postPublish = mkOption {
        type = types.str;
-        description = lib.mdDoc "How long after deactivation to keep a key in the zone";
+        description = "How long after deactivation to keep a key in the zone";
      };
      rollPeriod = mkOption {
        type = types.str;
-        description = lib.mdDoc "How frequently to change keys";
+        description = "How frequently to change keys";
      };
    };
  };
@ -478,14 +488,14 @@ in
  # options are ordered alphanumerically
  options.services.nsd = {
-    enable = mkEnableOption (lib.mdDoc "NSD authoritative DNS server");
+    enable = mkEnableOption "NSD authoritative DNS server";
-    bind8Stats = mkEnableOption (lib.mdDoc "BIND8 like statistics");
+    bind8Stats = mkEnableOption "BIND8 like statistics";
    dnssecInterval = mkOption {
      type = types.str;
      default = "1h";
-      description = lib.mdDoc ''
+      description = ''
        How often to check whether dnssec key rollover is required
      '';
    };
@ -493,7 +503,7 @@ in
    extraConfig = mkOption {
      type = types.lines;
      default = "";
-      description = lib.mdDoc ''
+      description = ''
        Extra nsd config.
      '';
    };
@ -501,7 +511,7 @@ in
    hideVersion = mkOption {
      type = types.bool;
      default = true;
-      description = lib.mdDoc ''
+      description = ''
        Whether NSD should answer VERSION.BIND and VERSION.SERVER CHAOS class queries.
      '';
    };
@ -509,7 +519,7 @@ in
    identity = mkOption {
      type = types.str;
      default = "unidentified server";
-      description = lib.mdDoc ''
+      description = ''
        Identify the server (CH TXT ID.SERVER entry).
      '';
    };
@ -517,7 +527,7 @@ in
    interfaces = mkOption {
      type = types.listOf types.str;
      default = [ "127.0.0.0" "::1" ];
-      description = lib.mdDoc ''
+      description = ''
        What addresses the server should listen to.
      '';
    };
@ -525,7 +535,7 @@ in
    ipFreebind = mkOption {
      type = types.bool;
      default = false;
-      description = lib.mdDoc ''
+      description = ''
        Whether to bind to nonlocal addresses and interfaces that are down.
        Similar to ip-transparent.
      '';
@ -534,7 +544,7 @@ in
    ipTransparent = mkOption {
      type = types.bool;
      default = false;
-      description = lib.mdDoc ''
+      description = ''
        Allow binding to non local addresses.
      '';
    };
@ -542,7 +552,7 @@ in
    ipv4 = mkOption {
      type = types.bool;
      default = true;
-      description = lib.mdDoc ''
+      description = ''
        Whether to listen on IPv4 connections.
      '';
    };
@ -550,7 +560,7 @@ in
    ipv4EDNSSize = mkOption {
      type = types.int;
      default = 4096;
-      description = lib.mdDoc ''
+      description = ''
        Preferred EDNS buffer size for IPv4.
      '';
    };
@ -558,7 +568,7 @@ in
    ipv6 = mkOption {
      type = types.bool;
      default = true;
-      description = lib.mdDoc ''
+      description = ''
        Whether to listen on IPv6 connections.
      '';
    };
@ -566,7 +576,7 @@ in
    ipv6EDNSSize = mkOption {
      type = types.int;
      default = 4096;
-      description = lib.mdDoc ''
+      description = ''
        Preferred EDNS buffer size for IPv6.
      '';
    };
@ -574,7 +584,7 @@ in
    logTimeAscii = mkOption {
      type = types.bool;
      default = true;
-      description = lib.mdDoc ''
+      description = ''
        Log time in ascii, if false then in unix epoch seconds.
      '';
    };
@ -582,7 +592,7 @@ in
    nsid = mkOption {
      type = types.nullOr types.str;
      default = null;
-      description = lib.mdDoc ''
+      description = ''
        NSID identity (hex string, or "ascii_somestring").
      '';
    };
@ -590,7 +600,7 @@ in
    port = mkOption {
      type = types.port;
      default = 53;
-      description = lib.mdDoc ''
+      description = ''
        Port the service should bind do.
      '';
    };
@ -599,7 +609,7 @@ in
      type = types.bool;
      default = pkgs.stdenv.isLinux;
      defaultText = literalExpression "pkgs.stdenv.isLinux";
-      description = lib.mdDoc ''
+      description = ''
        Whether to enable SO_REUSEPORT on all used sockets. This lets multiple
        processes bind to the same port. This speeds up operation especially
        if the server count is greater than one and makes fast restarts less
@ -610,18 +620,18 @@ in
    rootServer = mkOption {
      type = types.bool;
      default = false;
-      description = lib.mdDoc ''
+      description = ''
        Whether this server will be a root server (a DNS root server, you
        usually don't want that).
      '';
    };
-    roundRobin = mkEnableOption (lib.mdDoc "round robin rotation of records");
+    roundRobin = mkEnableOption "round robin rotation of records";
    serverCount = mkOption {
      type = types.int;
      default = 1;
-      description = lib.mdDoc ''
+      description = ''
        Number of NSD servers to fork. Put the number of CPUs to use here.
      '';
    };
@ -629,7 +639,7 @@ in
    statistics = mkOption {
      type = types.nullOr types.int;
      default = null;
-      description = lib.mdDoc ''
+      description = ''
        Statistics are produced every number of seconds. Prints to log.
        If null no statistics are logged.
      '';
@ -638,7 +648,7 @@ in
    tcpCount = mkOption {
      type = types.int;
      default = 100;
-      description = lib.mdDoc ''
+      description = ''
        Maximum number of concurrent TCP connections per server.
      '';
    };
@ -646,7 +656,7 @@ in
    tcpQueryCount = mkOption {
      type = types.int;
      default = 0;
-      description = lib.mdDoc ''
+      description = ''
        Maximum number of queries served on a single TCP connection.
        0 means no maximum.
      '';
@ -655,7 +665,7 @@ in
    tcpTimeout = mkOption {
      type = types.int;
      default = 120;
-      description = lib.mdDoc ''
+      description = ''
        TCP timeout in seconds.
      '';
    };
@ -663,7 +673,7 @@ in
    verbosity = mkOption {
      type = types.int;
      default = 0;
-      description = lib.mdDoc ''
+      description = ''
        Verbosity level.
      '';
    };
@ -671,7 +681,7 @@ in
    version = mkOption {
      type = types.nullOr types.str;
      default = null;
-      description = lib.mdDoc ''
+      description = ''
        The version string replied for CH TXT version.server and version.bind
        queries. Will use the compiled package version on null.
        See hideVersion for enabling/disabling this responses.
@ -681,7 +691,7 @@ in
    xfrdReloadTimeout = mkOption {
      type = types.int;
      default = 1;
-      description = lib.mdDoc ''
+      description = ''
        Number of seconds between reloads triggered by xfrd.
      '';
    };
@ -689,11 +699,22 @@ in
    zonefilesCheck = mkOption {
      type = types.bool;
      default = true;
-      description = lib.mdDoc ''
+      description = ''
        Whether to check mtime of all zone files on start and sighup.
      '';
    };
    zonefilesWrite = mkOption {
      type = types.int;
      default = 0;
      description = ''
        Write changed secondary zones to their zonefile every N seconds.
        If the zone (pattern) configuration has "" zonefile, it is not written.
        Zones that have received zone transfer updates are written to their zonefile.
        0 disables writing to zone files.
      '';
    };
    keys = mkOption {
      type = types.attrsOf (types.submodule {
@ -702,14 +723,14 @@ in
          algorithm = mkOption {
            type = types.str;
            default = "hmac-sha256";
-            description = lib.mdDoc ''
+            description = ''
              Authentication algorithm for this key.
            '';
          };
          keyFile = mkOption {
            type = types.path;
-            description = lib.mdDoc ''
+            description = ''
              Path to the file which contains the actual base64 encoded
              key. The key will be copied into "${stateDir}/private" before
              NSD starts. The copied file is only accessibly by the NSD
@ -727,7 +748,7 @@ in
          };
        }
      '';
-      description = lib.mdDoc ''
+      description = ''
        Define your TSIG keys here.
      '';
    };
@ -735,12 +756,12 @@ in
    ratelimit = {
-      enable = mkEnableOption (lib.mdDoc "ratelimit capabilities");
+      enable = mkEnableOption "ratelimit capabilities";
      ipv4PrefixLength = mkOption {
        type = types.nullOr types.int;
        default = null;
-        description = lib.mdDoc ''
+        description = ''
          IPv4 prefix length. Addresses are grouped by netblock.
        '';
      };
@ -748,7 +769,7 @@ in
      ipv6PrefixLength = mkOption {
        type = types.nullOr types.int;
        default = null;
-        description = lib.mdDoc ''
+        description = ''
          IPv6 prefix length. Addresses are grouped by netblock.
        '';
      };
@ -756,7 +777,7 @@ in
      ratelimit = mkOption {
        type = types.int;
        default = 200;
-        description = lib.mdDoc ''
+        description = ''
          Max qps allowed from any query source.
          0 means unlimited. With an verbosity of 2 blocked and
          unblocked subnets will be logged.
@ -766,7 +787,7 @@ in
      slip = mkOption {
        type = types.nullOr types.int;
        default = null;
-        description = lib.mdDoc ''
+        description = ''
          Number of packets that get discarded before replying a SLIP response.
          0 disables SLIP responses. 1 will make every response a SLIP response.
        '';
@ -775,7 +796,7 @@ in
      size = mkOption {
        type = types.int;
        default = 1000000;
-        description = lib.mdDoc ''
+        description = ''
          Size of the hashtable. More buckets use more memory but lower
          the chance of hash hash collisions.
        '';
@ -784,7 +805,7 @@ in
      whitelistRatelimit = mkOption {
        type = types.int;
        default = 2000;
-        description = lib.mdDoc ''
+        description = ''
          Max qps allowed from whitelisted sources.
          0 means unlimited. Set the rrl-whitelist option for specific
          queries to apply this limit instead of the default to them.
@ -796,12 +817,12 @@ in
    remoteControl = {
-      enable = mkEnableOption (lib.mdDoc "remote control via nsd-control");
+      enable = mkEnableOption "remote control via nsd-control";
      controlCertFile = mkOption {
        type = types.path;
        default = "/etc/nsd/nsd_control.pem";
-        description = lib.mdDoc ''
+        description = ''
          Path to the client certificate signed with the server certificate.
          This file is used by nsd-control and generated by nsd-control-setup.
        '';
@ -810,7 +831,7 @@ in
      controlKeyFile = mkOption {
        type = types.path;
        default = "/etc/nsd/nsd_control.key";
-        description = lib.mdDoc ''
+        description = ''
          Path to the client private key, which is used by nsd-control
          but not by the server. This file is generated by nsd-control-setup.
        '';
@ -819,7 +840,7 @@ in
      interfaces = mkOption {
        type = types.listOf types.str;
        default = [ "127.0.0.1" "::1" ];
-        description = lib.mdDoc ''
+        description = ''
          Which interfaces NSD should bind to for remote control.
        '';
      };
@ -827,7 +848,7 @@ in
      port = mkOption {
        type = types.port;
        default = 8952;
-        description = lib.mdDoc ''
+        description = ''
          Port number for remote control operations (uses TLS over TCP).
        '';
      };
@ -835,7 +856,7 @@ in
      serverCertFile = mkOption {
        type = types.path;
        default = "/etc/nsd/nsd_server.pem";
-        description = lib.mdDoc ''
+        description = ''
          Path to the server self signed certificate, which is used by the server
          but and by nsd-control. This file is generated by nsd-control-setup.
        '';
@ -844,7 +865,7 @@ in
      serverKeyFile = mkOption {
        type = types.path;
        default = "/etc/nsd/nsd_server.key";
-        description = lib.mdDoc ''
+        description = ''
          Path to the server private key, which is used by the server
          but not by nsd-control. This file is generated by nsd-control-setup.
        '';
@ -886,7 +907,7 @@ in
          };
        }
      '';
-      description = lib.mdDoc ''
+      description = ''
        Define your zones here. Zones can cascade other zones and therefore
        inherit settings from parent zones. Look at the definition of
        children to learn about inheritance and child zones.
--- a/pkgs/README.md
+++ b/pkgs/README.md
@ -94,11 +94,7 @@ Now that this is out of the way. To add a package to Nixpkgs:
   - All other [`meta`](https://nixos.org/manual/nixpkgs/stable/#chap-meta) attributes are optional, but it’s still a good idea to provide at least the `description`, `homepage` and [`license`](https://nixos.org/manual/nixpkgs/stable/#sec-meta-license).
-   - You can use `nix-prefetch-url url` to get the SHA-256 hash of source distributions. There are similar commands as `nix-prefetch-git` and `nix-prefetch-hg` available in `nix-prefetch-scripts` package.
+   - The exact syntax and semantics of the Nix expression language, including the built-in functions, are [Nix language reference](https://nixos.org/manual/nix/stable/language/).
   - A list of schemes for `mirror://` URLs can be found in [`pkgs/build-support/fetchurl/mirrors.nix`](build-support/fetchurl/mirrors.nix).
   The exact syntax and semantics of the Nix expression language, including the built-in function, are [described in the Nix manual](https://nixos.org/manual/nix/stable/language/).
 5. To test whether the package builds, run the following command from the root of the nixpkgs source tree:
@ -397,7 +393,7 @@ All versions of a package _must_ be included in `all-packages.nix` to make sure
 See the Nixpkgs manual for more details on [standard meta-attributes](https://nixos.org/nixpkgs/manual/#sec-standard-meta-attributes).
-### Import From Derivation
+## Import From Derivation
 [Import From Derivation](https://nixos.org/manual/nix/unstable/language/import-from-derivation) (IFD) is disallowed in Nixpkgs for performance reasons:
 [Hydra](https://github.com/NixOS/hydra) evaluates the entire package set, and sequential builds during evaluation would increase evaluation times to become impractical.
@ -406,13 +402,16 @@ Import From Derivation can be worked around in some cases by committing generate
 ## Sources
-### Fetching Sources
+Always fetch source files using [Nixpkgs fetchers](https://nixos.org/manual/nixpkgs/unstable/#chap-pkgs-fetchers).
 Use reproducible sources with a high degree of availability.
 Prefer protocols that support proxies.
-There are multiple ways to fetch a package source in nixpkgs. The general guideline is that you should package reproducible sources with a high degree of availability. Right now there is only one fetcher which has mirroring support and that is `fetchurl`. Note that you should also prefer protocols which have a corresponding proxy environment variable.
+A list of schemes for `mirror://` URLs can be found in [`pkgs/build-support/fetchurl/mirrors.nix`](build-support/fetchurl/mirrors.nix), and is supported by [`fetchurl`](https://nixos.org/manual/nixpkgs/unstable/#fetchurl).
 Other fetchers which end up relying on `fetchurl` may also support mirroring.
-You can find many source fetch helpers in `pkgs/build-support/fetch*`.
+The preferred source hash type is `sha256`.
-In the file `pkgs/top-level/all-packages.nix` you can find fetch helpers, these have names on the form `fetchFrom*`. The intention of these are to provide snapshot fetches but using the same api as some of the version controlled fetchers from `pkgs/build-support/`. As an example going from bad to good:
+Examples going from bad to best practices:
 - Bad: Uses `git://` which won't be proxied.
@ -438,7 +437,7 @@ In the file `pkgs/top-level/all-packages.nix` you can find fetch helpers, these
  }
  ```
- Best: Fetches a snapshot archive and you get the rev you want.
+- Best: Fetches a snapshot archive for the given revision.
  ```nix
  {
@ -451,63 +450,14 @@ In the file `pkgs/top-level/all-packages.nix` you can find fetch helpers, these
  }
  ```
-When fetching from GitHub, commits must always be referenced by their full commit hash. This is because GitHub shares commit hashes among all forks and returns `404 Not Found` when a short commit hash is ambiguous. It already happens for some short, 6-character commit hashes in `nixpkgs`.
+> [!Note]
-It is a practical vector for a denial-of-service attack by pushing large amounts of auto generated commits into forks and was already [demonstrated against GitHub Actions Beta](https://blog.teddykatz.com/2019/11/12/github-actions-dos.html).
+> When fetching from GitHub, always reference revisions by their full commit hash.
 > GitHub shares commit hashes among all forks and returns `404 Not Found` when a short commit hash is ambiguous.
 > It already happened in Nixpkgs for short, 6-character commit hashes.
 >
 > Pushing large amounts of auto generated commits into forks is a practical vector for a denial-of-service attack, and was already [demonstrated against GitHub Actions Beta](https://blog.teddykatz.com/2019/11/12/github-actions-dos.html).
-Find the value to put as `hash` by running `nix-shell -p nix-prefetch-github --run "nix-prefetch-github --rev 1f795f9f44607cc5bec70d1300150bfefcef2aae NixOS nix"`.
+## Patches
 #### Obtaining source hash
 Preferred source hash type is sha256. There are several ways to get it.
 1. Prefetch URL (with `nix-prefetch-XXX URL`, where `XXX` is one of `url`, `git`, `hg`, `cvs`, `bzr`, `svn`). Hash is printed to stdout.
 2. Prefetch by package source (with `nix-prefetch-url '<nixpkgs>' -A PACKAGE.src`, where `PACKAGE` is package attribute name). Hash is printed to stdout.
    This works well when you've upgraded existing package version and want to find out new hash, but is useless if package can't be accessed by attribute or package has multiple sources (`.srcs`, architecture-dependent sources, etc).
 3. Upstream provided hash: use it when upstream provides `sha256` or `sha512` (when upstream provides `md5`, don't use it, compute `sha256` instead).
    A little nuance is that `nix-prefetch-*` tools produce hash encoded with `base32`, but upstream usually provides hexadecimal (`base16`) encoding. Fetchers understand both formats. Nixpkgs does not standardize on any one format.
    You can convert between formats with nix-hash, for example:
    ```ShellSession
    $ nix-hash --type sha256 --to-base32 HASH
    ```
 4. Extracting hash from local source tarball can be done with `sha256sum`. Use `nix-prefetch-url file:///path/to/tarball` if you want base32 hash.
 5. Fake hash: set the hash to one of
   - `""`
   - `lib.fakeHash`
   - `lib.fakeSha256`
   - `lib.fakeSha512`
   in the package expression, attempt build and extract correct hash from error messages.
   > [!Warning]
   > You must use one of these four fake hashes and not some arbitrarily-chosen hash.
   > See [here][secure-hashes]
   This is last resort method when reconstructing source URL is non-trivial and `nix-prefetch-url -A` isn’t applicable (for example, [one of `kodi` dependencies](https://github.com/NixOS/nixpkgs/blob/d2ab091dd308b99e4912b805a5eb088dd536adb9/pkgs/applications/video/kodi/default.nix#L73)). The easiest way then would be replace hash with a fake one and rebuild. Nix build will fail and error message will contain desired hash.
 #### Obtaining hashes securely
 [secure-hashes]: #obtaining-hashes-securely
 Let's say Man-in-the-Middle (MITM) sits close to your network. Then instead of fetching source you can fetch malware, and instead of source hash you get hash of malware. Here are security considerations for this scenario:
 - `http://` URLs are not secure to prefetch hash from;
 - hashes from upstream (in method 3) should be obtained via secure protocol;
 - `https://` URLs are secure in methods 1, 2, 3;
 - `https://` URLs are secure in method 5 *only if* you use one of the listed fake hashes. If you use any other hash, `fetchurl` will pass `--insecure` to `curl` and may then degrade to HTTP in case of TLS certificate expiration.
 ### Patches
 Patches available online should be retrieved using `fetchpatch`.
--- a/pkgs/applications/emulators/ripes/default.nix
+++ b/pkgs/applications/emulators/ripes/default.nix
@ -14,14 +14,14 @@
 stdenv.mkDerivation rec {
  pname = "ripes";
  # Pulling unstable version as latest stable does not build against gcc-13.
-  version = "2.2.6-unstable-2024-03-03";
+  version = "2.2.6-unstable-2024-04-02";
  src = fetchFromGitHub {
    owner = "mortbopet";
    repo = "Ripes";
-    rev = "b71f0ddd5d2d346cb97b28fd3f70fef55bb9b6b7";
+    rev = "027e678a44b7b9f3e81e5b6863b0d68af05fd69c";
    fetchSubmodules = true;
-    hash = "sha256-zQrrWBHNIacRoAEIjR0dlgUTncBCiodcBeT/wbDClWg=";
+    hash = "sha256-u6JxXCX1BMdbHTF7EBGEnXOV+eF6rgoZZcHqB/1nVjE=";
  };
  nativeBuildInputs = [
--- a/pkgs/applications/misc/obsidian/default.nix
+++ b/pkgs/applications/misc/obsidian/default.nix
@ -12,7 +12,7 @@
 let
  inherit (stdenv.hostPlatform) system;
  pname = "obsidian";
-  version = "1.5.11";
+  version = "1.5.12";
  appname = "Obsidian";
  meta = with lib; {
    description = "A powerful knowledge base that works on top of a local folder of plain text Markdown files";
@ -25,7 +25,7 @@ let
  filename = if stdenv.isDarwin then "Obsidian-${version}-universal.dmg" else "obsidian-${version}.tar.gz";
  src = fetchurl {
    url = "https://github.com/obsidianmd/obsidian-releases/releases/download/v${version}/${filename}";
-    hash = if stdenv.isDarwin then "sha256-RtIEjVaqYygylhZwFB9ObZPPhSSzvJTJniGVFzAa/VY=" else "sha256-QDxMgisyYc2lJ0OKn2hR0VA8OeAwysCq6Z4Q59qRvtU=";
+    hash = if stdenv.isDarwin then "sha256-MSJmF5WddxbC/S7w2nWjlDxt5HPUDCoRFwJ2MZMH9Ks=" else "sha256-UQLljP7eZELTuHwX+OylXY+Wy2YK1ZEJX1IQfIvBLe8=";
  };
  icon = fetchurl {
--- a/pkgs/applications/misc/syncthingtray/default.nix
+++ b/pkgs/applications/misc/syncthingtray/default.nix
@ -34,14 +34,14 @@ https://github.com/NixOS/nixpkgs/issues/199596#issuecomment-1310136382 */
 }:
 stdenv.mkDerivation (finalAttrs: {
-  version = "1.5.0";
+  version = "1.5.1";
  pname = "syncthingtray";
  src = fetchFromGitHub {
    owner = "Martchus";
    repo = "syncthingtray";
    rev = "v${finalAttrs.version}";
-    hash = "sha256-O8FLjse2gY8KNWGXpUeZ83cNk0ZuRAZJJ3Am33/ABVw=";
+    hash = "sha256-6Q3nf6WjFgpBK7VR+ykmtIM68vwsmrYqmJPXsPpWjs4=";
  };
  buildInputs = [
--- a/pkgs/applications/networking/cluster/k3s/1_27/versions.nix
+++ b/pkgs/applications/networking/cluster/k3s/1_27/versions.nix
@ -1,8 +1,8 @@
 {
-  k3sVersion = "1.27.11+k3s1";
+  k3sVersion = "1.27.12+k3s1";
-  k3sCommit = "06d6bc80b469a61e5e90438b1f2639cd136a89e7";
+  k3sCommit = "78ad57567c9eb1fd1831986f5fd7b4024add1767";
-  k3sRepoSha256 = "0qkm8yqs9p34kb5k2q0j5wiykj78qc12n65n0clas5by23jrqcqa";
+  k3sRepoSha256 = "1j6xb3af4ypqq5m6a8x2yc2515zvlgqzfsfindjm9cbmq5iisphq";
-  k3sVendorHash = "sha256-+z8pr30+28puv7yjA7ZvW++I0ipNEmen2OhCxFMzYOY=";
+  k3sVendorHash = "sha256-65cmpRwD9C+fcbBSv1YpeukO7bfGngsLv/rk6sM59gU=";
  chartVersions = import ./chart-versions.nix;
  k3sRootVersion = "0.12.2";
  k3sRootSha256 = "1gjynvr350qni5mskgm7pcc7alss4gms4jmkiv453vs8mmma9c9k";
--- a/pkgs/applications/networking/cluster/kns/default.nix
+++ b/pkgs/applications/networking/cluster/kns/default.nix
@ -33,6 +33,6 @@ stdenvNoCC.mkDerivation {
    homepage = "https://github.com/blendle/kns";
    license = licenses.isc;
    maintainers = with maintainers; [ mmlb ];
-    platforms = platforms.linux;
+    platforms = platforms.unix;
  };
 }
--- a/pkgs/applications/networking/cluster/kubergrunt/default.nix
+++ b/pkgs/applications/networking/cluster/kubergrunt/default.nix
@ -2,16 +2,16 @@
 buildGoModule rec {
  pname = "kubergrunt";
-  version = "0.14.2";
+  version = "0.15.0";
  src = fetchFromGitHub {
    owner = "gruntwork-io";
    repo = "kubergrunt";
    rev = "v${version}";
-    sha256 = "sha256-r2lx+R/TQxD/miCJK3V//N3gKiCrg/mneT9BS+ZqRiU=";
+    sha256 = "sha256-yN5tpe3ayQPhTlBvxlt7CD6mSURCB4lxGatEK9OThzs=";
  };
-  vendorHash = "sha256-K24y41qpuyBHqljUAtNQu3H8BNqznxYOsvEVo+57OtY=";
+  vendorHash = "sha256-VJkqg2cnpYHuEYOv5+spoyRWFAdFWE7YIVYaN9OmIZM=";
  # Disable tests since it requires network access and relies on the
  # presence of certain AWS infrastructure
--- a/pkgs/applications/networking/cluster/kubevpn/default.nix
+++ b/pkgs/applications/networking/cluster/kubevpn/default.nix
@ -2,13 +2,13 @@
 buildGoModule rec {
  pname = "kubevpn";
-  version = "2.2.3";
+  version = "2.2.4";
  src = fetchFromGitHub {
    owner  = "KubeNetworks";
    repo   = "kubevpn";
    rev    = "v${version}";
-    hash = "sha256-C1Fw7E7lXy9BRj8bTVUMzPK6wBiL6A3VGDYUqdD2Rjs=";
+    hash = "sha256-taeCOmjZqULxQf4dgLzSYgN43fFYH04Ev4O/SHHG+xI=";
  };
  vendorHash = null;
--- a/pkgs/applications/networking/cluster/waagent/default.nix
+++ b/pkgs/applications/networking/cluster/waagent/default.nix
@ -14,12 +14,12 @@ let
 in
 python.pkgs.buildPythonApplication rec {
  pname = "waagent";
-  version = "2.9.1.1";
+  version = "2.10.0.8";
  src = fetchFromGitHub {
    owner = "Azure";
    repo = "WALinuxAgent";
    rev = "refs/tags/v${version}";
-    sha256 = "sha256-lnCDGUhAPNP8RNfDi+oUTEJ4x3ln6COqTrgk9rZWWEM=";
+    sha256 = "sha256-Ilm29z+BJToVxdJTUAZO3Lr2DyOIvK6GW79GxAmfeM4=";
  };
  patches = [
    # Suppress the following error when waagent tries to configure sshd:
--- a/pkgs/applications/networking/nextcloud-client/default.nix
+++ b/pkgs/applications/networking/nextcloud-client/default.nix
@ -26,7 +26,7 @@
 stdenv.mkDerivation rec {
  pname = "nextcloud-client";
-  version = "3.12.2";
+  version = "3.12.3";
  outputs = [ "out" "dev" ];
@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
    owner = "nextcloud";
    repo = "desktop";
    rev = "v${version}";
-    hash = "sha256-qVb0omSWzwkbqdtYXy8VWYyCM0CDCAW9L78pli9TbO4=";
+    hash = "sha256-ScWkEOx2tHoCQbFwBvJQgk2YoYOTPi3PrVsaDNJBEUI=";
  };
  patches = [
--- a/pkgs/applications/networking/xpipe/default.nix
+++ b/pkgs/applications/networking/xpipe/default.nix
@ -33,14 +33,14 @@ let
  }.${system} or throwSystem;
  hash = {
-    x86_64-linux = "sha256-GcFds6PCEuvZ7oIfWMEkRIWMWU/jmCsj4zCkMe3+QM0=";
+    x86_64-linux = "sha256-s/1XyEXOyvAQNf32ckKotQ4jYdlo/Y+O9PY3wIUs80A=";
  }.${system} or throwSystem;
  displayname = "XPipe";
 in stdenvNoCC.mkDerivation rec {
  pname = "xpipe";
-  version = "8.5";
+  version = "8.6";
  src = fetchzip {
    url = "https://github.com/xpipe-io/xpipe/releases/download/${version}/xpipe-portable-linux-${arch}.tar.gz";
--- a/pkgs/applications/office/qownnotes/default.nix
+++ b/pkgs/applications/office/qownnotes/default.nix
@ -19,14 +19,14 @@
 let
  pname = "qownnotes";
  appname = "QOwnNotes";
-  version = "24.3.5";
+  version = "24.4.0";
 in
 stdenv.mkDerivation {
  inherit pname version;
  src = fetchurl {
    url = "https://github.com/pbek/QOwnNotes/releases/download/v${version}/qownnotes-${version}.tar.xz";
-    hash = "sha256-s3OeTK6XodIMrNTuImdljbQYX1Abj7SFOZmPJgm2teo=";
+    hash = "sha256-SxoZD5DYuPAJZwBiw38jZYI+e9FExj+TiUlczvbXkWA=";
  };
  nativeBuildInputs = [
--- a/pkgs/applications/terminal-emulators/foot/default.nix
+++ b/pkgs/applications/terminal-emulators/foot/default.nix
@ -27,7 +27,7 @@
 }:
 let
-  version = "1.16.2";
+  version = "1.17.0";
  # build stimuli file for PGO build and the script to generate it
  # independently of the foot's build, so we can cache the result
@ -40,7 +40,7 @@ let
    src = fetchurl {
      url = "https://codeberg.org/dnkl/foot/raw/tag/${version}/scripts/generate-alt-random-writes.py";
-      hash = "sha256-NvkKJ75n/OzgEd2WHX1NQIXPn9R0Z+YI1rpFmNxaDhk=";
+      hash = "sha256-/KykHPqM0WQ1HO83bOrxJ88mvEAf0Ah3S8gSvKb3AJM=";
    };
    dontUnpack = true;
@ -99,7 +99,7 @@ stdenv.mkDerivation {
    owner = "dnkl";
    repo = "foot";
    rev = version;
-    hash = "sha256-hT+btlfqfwGBDWTssYl8KN6SbR9/Y2ors4ipECliigM=";
+    hash = "sha256-H4a9WQox7vD5HsY9PP0nrNDZtyaRFpsphsv8/qstNH8=";
  };
  separateDebugInfo = true;
--- a/pkgs/applications/terminal-emulators/st/default.nix
+++ b/pkgs/applications/terminal-emulators/st/default.nix
@ -66,7 +66,7 @@ stdenv.mkDerivation (finalAttrs: {
    homepage = "https://st.suckless.org/";
    description = "Simple Terminal for X from Suckless.org Community";
    license = licenses.mit;
-    maintainers = with maintainers; [ andsild qusic ];
+    maintainers = with maintainers; [ qusic ];
    platforms = platforms.unix;
    mainProgram = "st";
  };
--- a/pkgs/applications/video/qmplay2/default.nix
+++ b/pkgs/applications/video/qmplay2/default.nix
@ -26,14 +26,14 @@
 stdenv.mkDerivation (finalAttrs: {
  pname = "qmplay2";
-  version = "24.03.16";
+  version = "24.04.02";
  src = fetchFromGitHub {
    owner = "zaps166";
    repo = "QMPlay2";
    rev = finalAttrs.version;
    fetchSubmodules = true;
-    hash = "sha256-yIBQBRdmaY7qaBirANxMqfm5vn3T4usokJUxwSYUHjQ=";
+    hash = "sha256-eJWXTcJU24QzPChFTKbvNcuL9UpIQD8rFzd5h591tjg=";
  };
  nativeBuildInputs = [
--- a/pkgs/build-support/cc-wrapper/default.nix
+++ b/pkgs/build-support/cc-wrapper/default.nix
@ -53,10 +53,6 @@
 , gccForLibs ? if useCcForLibs then cc else null
 , fortify-headers ? null
 , includeFortifyHeaders ? null
 # https://github.com/NixOS/nixpkgs/issues/295322
 # should -march flag be used
 , disableMarch ? false
 }:
 assert nativeTools -> !propagateDoc && nativePrefix != "";
@ -633,7 +629,7 @@ stdenv.mkDerivation {
    # TODO: aarch64-darwin has mcpu incompatible with gcc
    + optionalString ((targetPlatform ? gcc.arch) && !isClang && !(stdenv.isDarwin && stdenv.isAarch64) &&
-                      isGccArchSupported targetPlatform.gcc.arch && !disableMarch) ''
+                      isGccArchSupported targetPlatform.gcc.arch) ''
      echo "-march=${targetPlatform.gcc.arch}" >> $out/nix-support/cc-cflags-before
    ''
@ -729,7 +725,7 @@ stdenv.mkDerivation {
    + optionalString isClang ''
      # Escape twice: once for this script, once for the one it gets substituted into.
      export march=${escapeShellArg
-        (optionalString (targetPlatform ? gcc.arch && !disableMarch)
+        (optionalString (targetPlatform ? gcc.arch)
          (escapeShellArg "-march=${targetPlatform.gcc.arch}"))}
      export defaultTarget=${targetPlatform.config}
      substituteAll ${./add-clang-cc-cflags-before.sh} $out/nix-support/add-local-cc-cflags-before.sh
--- a/pkgs/by-name/ep/epub-thumbnailer/package.nix
+++ b/pkgs/by-name/ep/epub-thumbnailer/package.nix
@ -6,14 +6,14 @@
 python3.pkgs.buildPythonApplication {
  pname = "epub-thumbnailer";
-  version = "0-unstable-2024-03-16";
+  version = "0-unstable-2024-03-26";
  pyproject = true;
  src = fetchFromGitHub {
    owner = "marianosimone";
    repo = "epub-thumbnailer";
-    rev = "035c31e9269bcb30dcc20fed31b6dc54e9bfed63";
+    rev = "de4b5bf0fcd1817d560f180231f7bd22d330f1be";
-    hash = "sha256-G/CeYmr+wgJidbavfvIuCbRLJGQzoxAnpo3t4YFJq0c=";
+    hash = "sha256-r0t2enybUEminXOHjx6uH6LvQtmzTRPZm/gY3Vi2c64=";
  };
  nativeBuildInputs = with python3.pkgs; [
--- a/pkgs/by-name/fl/flatito/Gemfile
+++ b/pkgs/by-name/fl/flatito/Gemfile
@ -0,0 +1,13 @@
 # frozen_string_literal: true
 source "https://rubygems.org"
 # Specify your gem's dependencies in flatito.gemspec
 gemspec
 gem "minitest", "~> 5.22"
 gem "rake", "~> 13.0"
 gem "rubocop", "~> 1.62"
 gem "rubocop-minitest", "~> 0.35"
 gem "rubocop-performance", "~> 1.11"
 gem "rubocop-rake", "~> 0.6"
--- a/pkgs/by-name/fl/flatito/Gemfile.lock
+++ b/pkgs/by-name/fl/flatito/Gemfile.lock
@ -0,0 +1,62 @@
 PATH
  remote: .
  specs:
    flatito (0.1.1)
      colorize
 GEM
  remote: https://rubygems.org/
  specs:
    ast (2.4.2)
    colorize (1.1.0)
    json (2.7.1)
    language_server-protocol (3.17.0.3)
    minitest (5.22.3)
    parallel (1.24.0)
    parser (3.3.0.5)
      ast (~> 2.4.1)
      racc
    racc (1.7.3)
    rainbow (3.1.1)
    rake (13.1.0)
    regexp_parser (2.9.0)
    rexml (3.2.6)
    rubocop (1.62.1)
      json (~> 2.3)
      language_server-protocol (>= 3.17.0)
      parallel (~> 1.10)
      parser (>= 3.3.0.2)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
      rubocop-ast (>= 1.31.1, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
    rubocop-ast (1.31.2)
      parser (>= 3.3.0.4)
    rubocop-minitest (0.35.0)
      rubocop (>= 1.61, < 2.0)
      rubocop-ast (>= 1.31.1, < 2.0)
    rubocop-performance (1.20.2)
      rubocop (>= 1.48.1, < 2.0)
      rubocop-ast (>= 1.30.0, < 2.0)
    rubocop-rake (0.6.0)
      rubocop (~> 1.0)
    ruby-progressbar (1.13.0)
    unicode-display_width (2.5.0)
 PLATFORMS
  arm64-darwin-22
  ruby
 DEPENDENCIES
  flatito!
  minitest (~> 5.22)
  rake (~> 13.0)
  rubocop (~> 1.62)
  rubocop-minitest (~> 0.35)
  rubocop-performance (~> 1.11)
  rubocop-rake (~> 0.6)
 BUNDLED WITH
   2.5.6
--- a/pkgs/by-name/fl/flatito/flatito.gemspec
+++ b/pkgs/by-name/fl/flatito/flatito.gemspec
@ -0,0 +1,40 @@
 # frozen_string_literal: true
 require_relative "lib/flatito/version"
 Gem::Specification.new do |spec|
  spec.name = "flatito"
  spec.version = Flatito::VERSION
  spec.authors = ["José Galisteo"]
  spec.email = ["ceritium@gmail.com"]
  spec.summary = "Grep for YAML and JSON files"
  spec.description = "A kind of grep for YAML and JSON files. It allows you to search for a key and get the value and the line number where it is located."
  spec.homepage = "https://github.com/ceritium/flatito"
  spec.license = "MIT"
  spec.required_ruby_version = ">= 3.0.0"
  spec.metadata["homepage_uri"] = spec.homepage
  spec.metadata["source_code_uri"] = spec.homepage
  # spec.metadata["changelog_uri"] = "TODO: Put your gem's CHANGELOG.md URL here."
  # Specify which files should be added to the gem when it is released.
  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
  spec.files = Dir.chdir(__dir__) do
    `git ls-files -z`.split("\x0").reject do |f|
      (File.expand_path(f) == __FILE__) ||
        f.start_with?(*%w[bin/ test/ spec/ features/ .git .github appveyor Gemfile])
    end
  end
  spec.bindir = "exe"
  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
  spec.require_paths = ["lib"]
  # Uncomment to register a new dependency of your gem
  spec.add_dependency "colorize"
  # For more information and examples about making a new gem, check out our
  # guide at: https://bundler.io/guides/creating_gem.html
  spec.metadata["rubygems_mfa_required"] = "true"
 end
--- a/pkgs/by-name/fl/flatito/gemset.nix
+++ b/pkgs/by-name/fl/flatito/gemset.nix
@ -0,0 +1,208 @@
 {
  ast = {
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
      sha256 = "04nc8x27hlzlrr5c2gn7mar4vdr0apw5xg22wp6m8dx3wqr04a0y";
      type = "gem";
    };
    version = "2.4.2";
  };
  colorize = {
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
      sha256 = "0dy8ryhcdzgmbvj7jpa1qq3bhhk1m7a2pz6ip0m6dxh30rzj7d9h";
      type = "gem";
    };
    version = "1.1.0";
  };
  flatito = {
    dependencies = [ "colorize" ];
    groups = [ "default" ];
    platforms = [ ];
    source = {
      path = ./.;
      type = "path";
    };
    version = "0.1.1";
  };
  json = {
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
      sha256 = "0r9jmjhg2ly3l736flk7r2al47b5c8cayh0gqkq0yhjqzc9a6zhq";
      type = "gem";
    };
    version = "2.7.1";
  };
  language_server-protocol = {
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
      sha256 = "0gvb1j8xsqxms9mww01rmdl78zkd72zgxaap56bhv8j45z05hp1x";
      type = "gem";
    };
    version = "3.17.0.3";
  };
  minitest = {
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
      sha256 = "07lq26b86giy3ha3fhrywk9r1ajhc2pm2mzj657jnpnbj1i6g17a";
      type = "gem";
    };
    version = "5.22.3";
  };
  parallel = {
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
      sha256 = "15wkxrg1sj3n1h2g8jcrn7gcapwcgxr659ypjf75z1ipkgxqxwsv";
      type = "gem";
    };
    version = "1.24.0";
  };
  parser = {
    dependencies = [ "ast" "racc" ];
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
      sha256 = "11r6kp8wam0nkfvnwyc1fmvky102r1vcfr84vi2p1a2wa0z32j3p";
      type = "gem";
    };
    version = "3.3.0.5";
  };
  racc = {
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
      sha256 = "01b9662zd2x9bp4rdjfid07h09zxj7kvn7f5fghbqhzc625ap1dp";
      type = "gem";
    };
    version = "1.7.3";
  };
  rainbow = {
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
      sha256 = "0smwg4mii0fm38pyb5fddbmrdpifwv22zv3d3px2xx497am93503";
      type = "gem";
    };
    version = "3.1.1";
  };
  rake = {
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
      sha256 = "1ilr853hawi09626axx0mps4rkkmxcs54mapz9jnqvpnlwd3wsmy";
      type = "gem";
    };
    version = "13.1.0";
  };
  regexp_parser = {
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
      sha256 = "1ndxm0xnv27p4gv6xynk6q41irckj76q1jsqpysd9h6f86hhp841";
      type = "gem";
    };
    version = "2.9.0";
  };
  rexml = {
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
      sha256 = "05i8518ay14kjbma550mv0jm8a6di8yp5phzrd8rj44z9qnrlrp0";
      type = "gem";
    };
    version = "3.2.6";
  };
  rubocop = {
    dependencies = [ "json" "language_server-protocol" "parallel" "parser" "rainbow" "regexp_parser" "rexml" "rubocop-ast" "ruby-progressbar" "unicode-display_width" ];
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
      sha256 = "0daamn13fbm77rdwwa4w6j6221iq6091asivgdhk6n7g398frcdf";
      type = "gem";
    };
    version = "1.62.1";
  };
  rubocop-ast = {
    dependencies = [ "parser" ];
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
      sha256 = "1v3q8n48w8h809rqbgzihkikr4g3xk72m1na7s97jdsmjjq6y83w";
      type = "gem";
    };
    version = "1.31.2";
  };
  rubocop-minitest = {
    dependencies = [ "rubocop" "rubocop-ast" ];
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
      sha256 = "001f4xcs3p0g04cyqfdkb2i1lld0yjmnx1s11y9z2id4b2lg64c4";
      type = "gem";
    };
    version = "0.35.0";
  };
  rubocop-performance = {
    dependencies = [ "rubocop" "rubocop-ast" ];
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
      sha256 = "0cf7fn4dwf45r3nhnda0dhnwn8qghswyqbfxr2ippb3z8a6gmc8v";
      type = "gem";
    };
    version = "1.20.2";
  };
  rubocop-rake = {
    dependencies = [ "rubocop" ];
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
      sha256 = "1nyq07sfb3vf3ykc6j2d5yq824lzq1asb474yka36jxgi4hz5djn";
      type = "gem";
    };
    version = "0.6.0";
  };
  ruby-progressbar = {
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
      sha256 = "0cwvyb7j47m7wihpfaq7rc47zwwx9k4v7iqd9s1xch5nm53rrz40";
      type = "gem";
    };
    version = "1.13.0";
  };
  unicode-display_width = {
    groups = [ "default" ];
    platforms = [ ];
    source = {
      remotes = [ "https://rubygems.org" ];
      sha256 = "1d0azx233nags5jx3fqyr23qa2rhgzbhv8pxp46dgbg1mpf82xky";
      type = "gem";
    };
    version = "2.5.0";
  };
 }
--- a/pkgs/by-name/fl/flatito/package.nix
+++ b/pkgs/by-name/fl/flatito/package.nix
@ -0,0 +1,36 @@
 { lib, fetchFromGitHub, ruby, buildRubyGem, bundlerEnv }:
 let
  deps = bundlerEnv rec {
    inherit ruby;
    name = "flatito-${version}";
    version = "0.1.1";
    gemdir = ./.;
    gemset = lib.recursiveUpdate (import ./gemset.nix) {
      flatito.source = {
        remotes = [ "https://rubygems.org" ];
        sha256 = "9f5a8f899a14c1a0fe74cb89288f24ddc47bd5d83ac88ac8023d19b056ecb50f";
        type = "gem";
      };
    };
  };
 in
 buildRubyGem rec {
  inherit ruby;
  gemName = "flatito";
  pname = gemName;
  version = "0.1.1";
  source.sha256 = "sha256-n1qPiZoUwaD+dMuJKI8k3cR71dg6yIrIAj0ZsFbstQ8=";
  propagatedBuildInputs = [ deps ];
  meta = with lib; {
    description = "It allows you to search for a key and get the value and the line number where it is located in YAML and JSON files.";
    homepage = "https://github.com/ceritium/flatito";
    license = licenses.mit;
    maintainers = with maintainers; [ rucadi ];
    platforms = platforms.unix;
    mainProgram = "flatito";
  };
 }
--- a/pkgs/by-name/id/ida-free/package.nix
+++ b/pkgs/by-name/id/ida-free/package.nix
@ -0,0 +1,133 @@
 { autoPatchelfHook
 , cairo
 , copyDesktopItems
 , dbus
 , fetchurl
 , fontconfig
 , freetype
 , glib
 , gtk3
 , lib
 , libdrm
 , libGL
 , libkrb5
 , libsecret
 , libsForQt5
 , libunwind
 , libxkbcommon
 , makeDesktopItem
 , makeWrapper
 , openssl
 , stdenv
 , xorg
 , zlib
 }:
 let
  srcs = builtins.fromJSON (builtins.readFile ./srcs.json);
 in
 stdenv.mkDerivation rec {
  pname = "ida-free";
  version = "8.4.240320";
  src = fetchurl {
    inherit (srcs.${stdenv.system} or (throw "Unsupported system: ${stdenv.hostPlatform.system}")) urls sha256;
  };
  icon = fetchurl {
    urls = [
      "https://www.hex-rays.com/products/ida/news/8_1/images/icon_free.png"
      "https://web.archive.org/web/20221105181231if_/https://hex-rays.com/products/ida/news/8_1/images/icon_free.png"
    ];
    sha256 = "sha256-widkv2VGh+eOauUK/6Sz/e2auCNFAsc8n9z0fdrSnW0=";
  };
  desktopItem = makeDesktopItem {
    name = "ida-free";
    exec = "ida64";
    icon = icon;
    comment = meta.description;
    desktopName = "IDA Free";
    genericName = "Interactive Disassembler";
    categories = [ "Development" ];
  };
  nativeBuildInputs = [ makeWrapper copyDesktopItems autoPatchelfHook libsForQt5.wrapQtAppsHook ];
  # We just get a runfile in $src, so no need to unpack it.
  dontUnpack = true;
  # Add everything to the RPATH, in case IDA decides to dlopen things.
  runtimeDependencies = [
    cairo
    dbus
    fontconfig
    freetype
    glib
    gtk3
    libdrm
    libGL
    libkrb5
    libsecret
    libsForQt5.qtbase
    libunwind
    libxkbcommon
    openssl
    stdenv.cc.cc
    xorg.libICE
    xorg.libSM
    xorg.libX11
    xorg.libXau
    xorg.libxcb
    xorg.libXext
    xorg.libXi
    xorg.libXrender
    xorg.xcbutilimage
    xorg.xcbutilkeysyms
    xorg.xcbutilrenderutil
    xorg.xcbutilwm
    zlib
  ];
  buildInputs = runtimeDependencies;
  dontWrapQtApps = true;
  installPhase = ''
    runHook preInstall
    mkdir -p $out/bin $out/lib $out/opt
    # IDA depends on quite some things extracted by the runfile, so first extract everything
    # into $out/opt, then remove the unnecessary files and directories.
    IDADIR=$out/opt
    # Invoke the installer with the dynamic loader directly, avoiding the need
    # to copy it to fix permissions and patch the executable.
    $(cat $NIX_CC/nix-support/dynamic-linker) $src \
      --mode unattended --prefix $IDADIR --installpassword ""
    # Copy the exported libraries to the output.
    cp $IDADIR/libida64.so $out/lib
    # Some libraries come with the installer.
    addAutoPatchelfSearchPath $IDADIR
    for bb in ida64 assistant; do
      wrapProgram $IDADIR/$bb \
        --prefix QT_PLUGIN_PATH : $IDADIR/plugins/platforms
      ln -s $IDADIR/$bb $out/bin/$bb
    done
    runHook postInstall
  '';
  meta = with lib; {
    description = "Freeware version of the world's smartest and most feature-full disassembler";
    homepage = "https://hex-rays.com/ida-free/";
    license = licenses.unfree;
    mainProgram = "ida64";
    maintainers = with maintainers; [ msanft ];
    platforms = [ "x86_64-linux" ]; # Right now, the installation script only supports Linux.
    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
  };
 }
--- a/pkgs/by-name/id/ida-free/srcs.json
+++ b/pkgs/by-name/id/ida-free/srcs.json
@ -0,0 +1,20 @@
 {
    "x86_64-linux": {
        "urls": [
            "https://web.archive.org/web/20240330140328/https://out7.hex-rays.com/files/idafree84_linux.run"
        ],
        "sha256": "1wg60afkhjj7my2la4x4qf6gdxzl2aqdbvd6zfnwf8n3bl7ckn2a"
    },
    "x86_64-darwin": {
        "urls": [
            "https://web.archive.org/web/20240330140623/https://out7.hex-rays.com/files/idafree84_mac.app.zip"
        ],
        "sha256": "0a97xb0ah6rcq69whs5xvkar43ci8r5nan9wa29ad19w8k25ryym"
    },
    "aarch64-darwin": {
        "urls": [
            "https://web.archive.org/web/20240330140634/https://out7.hex-rays.com/files/arm_idafree84_mac.app.zip"
        ],
        "sha256": "10wwq7ia1z1kxfigj4i7xr037bzv1cg3pyvrl27jdq9v7bghdf3m"
    }
 }
--- a/pkgs/by-name/mi/minijinja/package.nix
+++ b/pkgs/by-name/mi/minijinja/package.nix
@ -2,16 +2,16 @@
 rustPlatform.buildRustPackage rec {
  pname = "minijinja";
-  version = "1.0.15";
+  version = "1.0.16";
  src = fetchFromGitHub {
    owner = "mitsuhiko";
    repo = "minijinja";
    rev = version;
-    hash = "sha256-ync0MkLi+CV1g9eBDLcV1dnV101H5Gc6K0NrnVeh8Jw=";
+    hash = "sha256-/mWXtAu+4B0VTZsID7FOQkSnuTxOLUUrl+vubqPClCw=";
  };
-  cargoHash = "sha256-j8GLpMU7xwc3BWkjcFmGODiKieedNIB8VbHjJcrq8z4=";
+  cargoHash = "sha256-iMRcQL7/Q/9UmwPwaQslMruyUQ2QSU+5y7VNeAFMzk8=";
  # The tests relies on the presence of network connection
  doCheck = false;
--- a/pkgs/by-name/my/mystmd/package.nix
+++ b/pkgs/by-name/my/mystmd/package.nix
@ -2,16 +2,16 @@
 buildNpmPackage rec {
  pname = "mystmd";
-  version = "1.1.48";
+  version = "1.1.50";
  src = fetchFromGitHub {
    owner = "executablebooks";
    repo = "mystmd";
    rev = "mystmd@${version}";
-    hash = "sha256-Uw/00EzgnrQYunABx7O35V+YwFnDDW+EI5NqMEUV8zk=";
+    hash = "sha256-2KzvjKtI3TK0y1zNX33MAz/I7x+09XVcwKBWhBTD0+M=";
  };
-  npmDepsHash = "sha256-JSVdHhzOgzIwB61ST6vYVENtohjU6Q3lrp+hVPye02g=";
+  npmDepsHash = "sha256-mJXLmq6KZiKjctvGCf7YG6ivF1ut6qynzyM147pzGwM=";
  dontNpmInstall = true;
--- a/pkgs/by-name/ot/oterm/package.nix
+++ b/pkgs/by-name/ot/oterm/package.nix
@ -5,14 +5,14 @@
 python3Packages.buildPythonApplication rec {
  pname = "oterm";
-  version = "0.2.4";
+  version = "0.2.5";
  pyproject = true;
  src = fetchFromGitHub {
    owner = "ggozad";
    repo = "oterm";
    rev = "refs/tags/${version}";
-    hash = "sha256-p0ns+8qmcyX4gcg0CfYdDMn1Ie0atVBuQbVQoDRQ9+c=";
+    hash = "sha256-s+TqDrgy7sR0sli8BGKlF546TW1+vzF0k3IkAQV6TpM=";
  };
  pythonRelaxDeps = [
--- a/pkgs/by-name/pl/plasticity/package.nix
+++ b/pkgs/by-name/pl/plasticity/package.nix
@ -33,11 +33,11 @@
 }:
 stdenv.mkDerivation rec  {
  pname = "plasticity";
-  version = "1.4.18";
+  version = "1.4.19";
  src = fetchurl {
    url = "https://github.com/nkallen/plasticity/releases/download/v${version}/Plasticity-${version}-1.x86_64.rpm";
-    hash = "sha256-iSGYc8Ms6Kk4JhR2q/yUq26q1adbrZe4Gnpw5YAN1L4=";
+    hash = "sha256-pbq00eMabouGP33d4wbjVvw+AZ+aBWg0e3lc3ZcAwmQ=";
  };
  passthru.updateScript = ./update.sh;
--- a/pkgs/by-name/pv/pvsneslib/package.nix
+++ b/pkgs/by-name/pv/pvsneslib/package.nix
@ -0,0 +1,73 @@
 { lib
 , stdenv
 , fetchFromGitHub
 , cmake
 , gcc
 }:
 stdenv.mkDerivation rec {
  pname = "pvsneslib";
  version = "4.2.0";
  src = fetchFromGitHub {
    owner = "alekmaul";
    repo = "pvsneslib";
    rev = version;
    hash = "sha256-Cl4+WvjKbq5IPqf7ivVYwBYwDDWWHGNeq4nWXPxsUHw=";
    fetchSubmodules = true;
  };
  nativeBuildInputs = [ gcc cmake ];
  dontConfigure = true;
  postPatch = ''
    substituteInPlace tools/816-opt/Makefile \
      --replace-fail 'LDFLAGS := -lpthread' 'LDFLAGS :=' \
      --replace-fail 'LDFLAGS := -pthread' 'LDFLAGS += -pthread' \
      --replace-fail 'LDFLAGS += -lpthread -static' '# LDFLAGS += -lpthread -static'
    substituteInPlace tools/bin2txt/Makefile \
                                    tools/gfx2snes/Makefile \
                                    tools/gfx4snes/Makefile \
                                    tools/snestools/Makefile \
                                    tools/816-opt/Makefile \
                                    tools/tmx2snes/Makefile \
      --replace-fail '$(CFLAGS) $(OBJS)' '$(LDFLAGS) $(OBJS)'
    substituteInPlace tools/smconv/Makefile \
      --replace-fail '$(CFLAGS) $(LDFLAGS)' '$(LDFLAGS)'
    substituteInPlace tools/constify/Makefile \
      --replace-fail '$(CFLAGS) $(DEFINES) $(OBJS)' '$(LDFLAGS) $(DEFINES) $(OBJS)'
    substituteInPlace tools/snestools/Makefile \
      --replace-fail '-Wno-format' ' '
    substituteInPlace tools/snesbrr/brr/Makefile \
      --replace-fail 'LDFLAGS ' 'LDFLAGS :=
      LDFLAGS '
    substituteInPlace compiler/wla-dx/wlalink/write.c \
      --replace-fail 'sort_anonymous_labels()' 'sort_anonymous_labels(void)'
  '';
  preBuild = ''
    export PVSNESLIB_HOME=$(pwd)
  '';
  installPhase = ''
    runHook preInstall
    cp -r . $out
    runHook postInstall
  '';
  meta = {
    description = "Free and open source development kit for the Nintendo SNES";
    homepage = "https://github.com/alekmaul/pvsneslib";
    license = lib.licenses.mit;
    maintainers = with lib.maintainers; [ soyouzpanda ];
    mainProgram = "pvsneslib";
    platforms = lib.platforms.all;
  };
 }
--- a/pkgs/by-name/sh/shopware-cli/package.nix
+++ b/pkgs/by-name/sh/shopware-cli/package.nix
@ -9,12 +9,12 @@
 buildGoModule rec {
  pname = "shopware-cli";
-  version = "0.4.30";
+  version = "0.4.33";
  src = fetchFromGitHub {
    repo = "shopware-cli";
    owner = "FriendsOfShopware";
    rev = version;
-    hash = "sha256-QfeQ73nTvLavUIpHlTBTkY1GGqZCednlXRBigwPCt48=";
+    hash = "sha256-BwoCp92tE/fsYIgez/BcU4f23IU5lMQ6jQKOCZ/oTEk=";
  };
  nativeBuildInputs = [ installShellFiles makeWrapper ];
--- a/pkgs/by-name/ta/tabby/package.nix
+++ b/pkgs/by-name/ta/tabby/package.nix
@ -11,6 +11,7 @@
 , llama-cpp
 , autoAddDriverRunpath
 , cudaSupport ? config.cudaSupport
 , cudaPackages ? { }
@ -135,9 +136,7 @@ rustPlatform.buildRustPackage {
    protobuf
    git
  ] ++ optionals enableCuda [
-    # TODO: Replace with autoAddDriverRunpath
+    autoAddDriverRunpath
    # once https://github.com/NixOS/nixpkgs/pull/275241 has been merged
    cudaPackages.autoAddDriverRunpath
  ];
  buildInputs = [ openssl ]
--- a/pkgs/by-name/wi/wireguard-vanity-keygen/package.nix
+++ b/pkgs/by-name/wi/wireguard-vanity-keygen/package.nix
@ -5,16 +5,16 @@
 buildGoModule rec {
  pname = "wireguard-vanity-keygen";
-  version = "0.0.7";
+  version = "0.0.8";
  src = fetchFromGitHub {
    owner = "axllent";
    repo = "wireguard-vanity-keygen";
    rev = version;
-    hash = "sha256-+q6l2531APm67JqvFNQb4Zj5pyWnHgncwxcgWNiBCJw=";
+    hash = "sha256-qTVPPr7lmjMvUqetDupZCo8RdoBHr++0V9CB4b6Bp4Y=";
  };
-  vendorHash = "sha256-F3AoN8NgXjePy7MmI8jzLDxaIZBCfOPRbe0ZYmt6vm8=";
+  vendorHash = "sha256-9/waDAfHYgKh+FsGZEp7HbgI83urRDQPuvtuEKHOf58=";
  ldflags = [ "-s" "-w" "-X main.appVersion=${version}" ];
--- a/pkgs/development/compilers/aspectj/builder.sh
+++ b/pkgs/development/compilers/aspectj/builder.sh
@ -1,28 +0,0 @@
 if [ -e "$NIX_ATTRS_SH_FILE" ]; then . "$NIX_ATTRS_SH_FILE"; elif [ -f .attrs.sh ]; then . .attrs.sh; fi
 source $stdenv/setup
 export JAVA_HOME=$jre
 cat >> props <<EOF
 output.dir=$out
 context.javaPath=$jre
 EOF
 mkdir -p $out
 $jre/bin/java -jar $src -text props
 echo "Removing files at top level"
 for file in $out/*
 do
  if test -f $file ; then
    rm $file
  fi
 done
 cat >> $out/bin/aj-runtime-env <<EOF
 #! $SHELL
 export CLASSPATH=$CLASSPATH:.:$out/lib/aspectjrt.jar
 EOF
 chmod u+x $out/bin/aj-runtime-env
--- a/pkgs/development/compilers/aspectj/default.nix
+++ b/pkgs/development/compilers/aspectj/default.nix
@ -1,25 +1,56 @@
-{lib, stdenv, fetchurl, jre}:
+{
  lib,
  stdenvNoCC,
  fetchurl,
  jre,
 }:
-stdenv.mkDerivation rec {
+let
  pname = "aspectj";
  version = "1.9.21.2";
-  builder = ./builder.sh;
+  versionSnakeCase = builtins.replaceStrings [ "." ] [ "_" ] version;
 in
 stdenvNoCC.mkDerivation {
  pname = "aspectj";
  inherit version;
-  src = let
+  __structuredAttrs = true;
-    versionSnakeCase = builtins.replaceStrings ["."] ["_"] version;
+
-  in fetchurl {
+  src = fetchurl {
    url = "https://github.com/eclipse/org.aspectj/releases/download/V${versionSnakeCase}/aspectj-${version}.jar";
-    sha256 = "sha256-wqQtyopS03zX+GJme5YZwWiACqO4GAYFr3XAjzqSFnQ=";
+    hash = "sha256-wqQtyopS03zX+GJme5YZwWiACqO4GAYFr3XAjzqSFnQ=";
  };
-  inherit jre;
+  dontUnpack = true;
-  buildInputs = [jre];
+
  nativeBuildInputs = [ jre ];
  installPhase = ''
    runHook preInstall
    cat >> props <<EOF
    output.dir=$out
    context.javaPath=${jre}
    EOF
    mkdir -p $out
    java -jar $src -text props
    cat >> $out/bin/aj-runtime-env <<EOF
    #! ${stdenvNoCC.shell}
    export CLASSPATH=$CLASSPATH:.:$out/lib/aspectjrt.jar
    EOF
    chmod u+x $out/bin/aj-runtime-env
    runHook postInstall
  '';
  meta = {
    homepage = "https://www.eclipse.org/aspectj/";
    description = "A seamless aspect-oriented extension to the Java programming language";
    sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
    platforms = lib.platforms.unix;
    license = lib.licenses.epl10;
    platforms = lib.platforms.unix;
    sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
  };
 }
--- a/pkgs/development/compilers/circt/default.nix
+++ b/pkgs/development/compilers/circt/default.nix
@ -17,12 +17,12 @@ let
 in
 stdenv.mkDerivation rec {
  pname = "circt";
-  version = "1.70.0";
+  version = "1.71.0";
  src = fetchFromGitHub {
    owner = "llvm";
    repo = "circt";
    rev = "firtool-${version}";
-    hash = "sha256-OELkfyN0fxnQIGQxfwuRM/+DYdb+8m5wlT/H+eQNjq0=";
+    hash = "sha256-Y6SkMpF5Gpi1Jm3OrWaMkr3uP/vTzawJ9UsxsuOsvpo=";
    fetchSubmodules = true;
  };
--- a/pkgs/development/compilers/swift/default.nix
+++ b/pkgs/development/compilers/swift/default.nix
@ -25,13 +25,9 @@ let
    #
    # The following selects the correct Clang version, matching the version
    # used in Swift, and applies the same libc overrides as `apple_sdk.stdenv`.
-    clang = let
+    clang = if pkgs.stdenv.isDarwin
      # https://github.com/NixOS/nixpkgs/issues/295322
      clangNoMarch = swiftLlvmPackages.clang.override { disableMarch = true; };
    in
    if pkgs.stdenv.isDarwin
      then
-        clangNoMarch.override rec {
+        swiftLlvmPackages.clang.override rec {
          libc = apple_sdk.Libsystem;
          bintools = pkgs.bintools.override { inherit libc; };
          # Ensure that Swift’s internal clang uses the same libc++ and libc++abi as the
@ -41,7 +37,7 @@ let
          inherit (llvmPackages) libcxx;
        }
      else
-        clangNoMarch;
+        swiftLlvmPackages.clang;
    # Overrides that create a useful environment for swift packages, allowing
    # packaging with `swiftPackages.callPackage`. These are similar to
--- a/pkgs/development/compilers/swift/wrapper/wrapper.sh
+++ b/pkgs/development/compilers/swift/wrapper/wrapper.sh
@ -242,17 +242,26 @@ if [[ -e $cc_wrapper/nix-support/add-local-cc-cflags-before.sh ]]; then
    source $cc_wrapper/nix-support/add-local-cc-cflags-before.sh
 fi
-# May need to transform the triple injected by the above.
+for ((i=0; i < ${#extraBefore[@]}; i++));do
-for ((i = 1; i < ${#extraBefore[@]}; i++)); do
+    case "${extraBefore[i]}" in
-    if [[ "${extraBefore[i]}" = -target ]]; then
+    -target)
        i=$((i + 1))
        # On Darwin only, need to change 'aarch64' to 'arm64'.
        extraBefore[i]="${extraBefore[i]/aarch64-apple-/arm64-apple-}"
        # On Darwin, Swift requires the triple to be annotated with a version.
        # TODO: Assumes macOS.
        extraBefore[i]="${extraBefore[i]/-apple-darwin/-apple-macosx${MACOSX_DEPLOYMENT_TARGET:-11.0}}"
-        break
+        ;;
-    fi
+    -march=*)
        [[ i -gt 0 && ${extraBefore[i-1]} == -Xcc ]] && continue
        extraBefore=(
            "${extraBefore[@]:0:i}"
            -Xcc
            "${extraBefore[@]:i:${#extraBefore[@]}}"
        )
        i=$((i + 1))
        ;;
    esac
 done
 # As a very special hack, if the arguments are just `-v', then don't
--- a/pkgs/development/gnuradio-modules/osmosdr/default.nix
+++ b/pkgs/development/gnuradio-modules/osmosdr/default.nix
@ -29,8 +29,8 @@ let
  version = {
    "3.7" = "0.1.5";
    "3.8" = "0.2.3";
-    "3.9" = "0.2.4";
+    "3.9" = "0.2.5";
-    "3.10" = "0.2.4";
+    "3.10" = "0.2.5";
  }.${gnuradio.versionAttr.major};
  src = fetchgit {
    url = "https://gitea.osmocom.org/sdr/gr-osmosdr";
@ -38,8 +38,8 @@ let
    sha256 = {
      "3.7" = "0bf9bnc1c3c4yqqqgmg3nhygj6rcfmyk6pybi27f7461d2cw1drv";
      "3.8" = "sha256-ZfI8MshhZOdJ1U5FlnZKXsg2Rsvb6oKg943ZVYd/IWo=";
-      "3.9" = "sha256-d0hbiJ44lEu8V4XX7JpZVSTQwwykwKPUfiqetRBI6uI=";
+      "3.9" = "sha256-pYPDkSnBzccZ/Tbs5x3bwk34FQewkG42y/vlaVkr2YE=";
-      "3.10" = "sha256-d0hbiJ44lEu8V4XX7JpZVSTQwwykwKPUfiqetRBI6uI=";
+      "3.10" = "sha256-pYPDkSnBzccZ/Tbs5x3bwk34FQewkG42y/vlaVkr2YE=";
    }.${gnuradio.versionAttr.major};
  };
 in mkDerivation {
--- a/pkgs/development/interpreters/wasmtime/default.nix
+++ b/pkgs/development/interpreters/wasmtime/default.nix
@ -2,19 +2,19 @@
 rustPlatform.buildRustPackage rec {
  pname = "wasmtime";
-  version = "18.0.3";
+  version = "19.0.1";
  src = fetchFromGitHub {
    owner = "bytecodealliance";
    repo = pname;
    rev = "v${version}";
-    hash = "sha256-qG6WRac4n/hFa4aMSmHIMf1OXcsK9ZoNtm/dgN4NZ3M=";
+    hash = "sha256-MHoIVJ+x8GFzbO2YaknnzS/qSMyODvel88IHif9L97A=";
    fetchSubmodules = true;
  };
  # Disable cargo-auditable until https://github.com/rust-secure-code/cargo-auditable/issues/124 is solved.
  auditable = false;
-  cargoHash = "sha256-cf1oUylROlbgWcKTrCR12CfVVxNuQqaoo1dr5NfiDQQ=";
+  cargoHash = "sha256-r07neWK7d4407U941XtyUOlRcjQVNUsXJKavSNHvYZM=";
  cargoBuildFlags = [ "--package" "wasmtime-cli" "--package" "wasmtime-c-api" ];
  outputs = [ "out" "dev" ];
--- a/pkgs/development/libraries/fontconfig/make-fonts-conf.nix
+++ b/pkgs/development/libraries/fontconfig/make-fonts-conf.nix
@ -1,5 +1,11 @@
-{ runCommand, stdenv, lib, libxslt, fontconfig, dejavu_fonts, fontDirectories
+{ runCommand, stdenv, lib, libxslt, fontconfig, dejavu_fonts }:
-, impureFontDirectories ? [
+
 let fontconfig_ = fontconfig; in
 {
  fontconfig ? fontconfig_
  # an array of fonts, e.g. `[ pkgs.dejavu_fonts.minimal ]`
 ,  fontDirectories
  , impureFontDirectories ? [
    # nix user profile
    "~/.nix-profile/lib/X11/fonts" "~/.nix-profile/share/fonts"
  ]
@ -11,7 +17,8 @@
  # darwin paths
  ++ lib.optionals stdenv.isDarwin [ "/Library/Fonts" "/System/Library/Fonts" ]
  # nix default profile
-  ++ [ "/nix/var/nix/profiles/default/lib/X11/fonts" "/nix/var/nix/profiles/default/share/fonts" ] }:
+  ++ [ "/nix/var/nix/profiles/default/lib/X11/fonts" "/nix/var/nix/profiles/default/share/fonts" ]
 }:
 runCommand "fonts.conf"
  {
--- a/pkgs/development/libraries/libint/default.nix
+++ b/pkgs/development/libraries/libint/default.nix
@ -109,7 +109,7 @@ assert (builtins.elem shellSet [ "standard" "orca" ]);
 let
  pname = "libint";
-  version = "2.8.1";
+  version = "2.9.0";
  meta = with lib; {
    description = "Library for the evaluation of molecular integrals of many-body operators over Gaussian functions";
@ -126,7 +126,7 @@ let
      owner = "evaleev";
      repo = pname;
      rev = "v${version}";
-      hash = "sha256-0QWOJUjK7Jq4KCk77vNIrBNKOzPcc/1+Ji13IN5xUKM=";
+      hash = "sha256-y+Mo8J/UWDrkkNEDAoostb/k6jrhYYeU0u9Incrd2cE=";
    };
    # Replace hardcoded "/bin/rm" with normal "rm"
@ -139,7 +139,7 @@ let
        tests/eri/Makefile \
        tests/hartree-fock/Makefile \
        tests/unit/Makefile; do
-          substituteInPlace $f --replace "/bin/rm" "rm"
+          substituteInPlace $f --replace-warn "/bin/rm" "rm"
      done
    '';
@ -211,7 +211,7 @@ let
    buildInputs = [ boost eigen ];
    # Default is just "double", but SSE2 is available on all x86_64 CPUs.
-    # AVX support is advertised, but does not work in 2.6 (possibly in 2.7).
+    # AVX support is advertised, but does not work.
    # Fortran interface is incompatible with changing the LIBINT2_REALTYPE.
    cmakeFlags = [
      "-DLIBINT2_SHGAUSS_ORDERING=${shGaussOrd}"
--- a/pkgs/development/libraries/libvirt/default.nix
+++ b/pkgs/development/libraries/libvirt/default.nix
@ -271,7 +271,7 @@ stdenv.mkDerivation rec {
      "--sysconfdir=/var/lib"
      (cfg "install_prefix" (placeholder "out"))
      (cfg "localstatedir" "/var")
-      (cfg "runstatedir" "/run")
+      (cfg "runstatedir" (if isDarwin then "/var/run" else "/run"))
      (cfg "init_script" (if isDarwin then "none" else "systemd"))
      (cfg "qemu_datadir" (lib.optionalString isDarwin "${qemu}/share/qemu"))
--- a/pkgs/development/libraries/mongoc/default.nix
+++ b/pkgs/development/libraries/mongoc/default.nix
@ -14,13 +14,13 @@
 stdenv.mkDerivation rec {
  pname = "mongoc";
-  version = "1.26.1";
+  version = "1.26.2";
  src = fetchFromGitHub {
    owner = "mongodb";
    repo = "mongo-c-driver";
    rev = "refs/tags/${version}";
-    hash = "sha256-LUtKOAlQVpN5Y+mHsNTlgDSeCjodG4RDleO1eXzTdMg=";
+    hash = "sha256-4+PXvWYEy4Bi+qpyp7PvqtsOxJuYhjiHrmwmdn5RiX8=";
  };
  nativeBuildInputs = [
--- a/pkgs/development/libraries/qtutilities/default.nix
+++ b/pkgs/development/libraries/qtutilities/default.nix
@ -9,13 +9,13 @@
 stdenv.mkDerivation (finalAttrs: {
  pname = "qtutilities";
-  version = "6.13.5";
+  version = "6.14.0";
  src = fetchFromGitHub {
    owner = "Martchus";
    repo = "qtutilities";
    rev = "v${finalAttrs.version}";
-    hash = "sha256-ZPfyJAQHtE5ae/X9f8s/69UNiB4CnyACPLvYp8RgpKg=";
+    hash = "sha256-pg2SaFfFkP2v1qHo8CRCn7b9B4XKX+R4UqRNzNG4to4=";
  };
  nativeBuildInputs = [
--- a/pkgs/development/libraries/xgboost/default.nix
+++ b/pkgs/development/libraries/xgboost/default.nix
@ -5,6 +5,7 @@
 , cmake
 , gtest
 , doCheck ? true
 , autoAddDriverRunpath
 , cudaSupport ? config.cudaSupport
 , ncclSupport ? false
 , rLibrary ? false
@ -57,7 +58,7 @@ stdenv.mkDerivation rec {
  nativeBuildInputs = [ cmake ]
    ++ lib.optionals stdenv.isDarwin [ llvmPackages.openmp ]
-    ++ lib.optionals cudaSupport [ cudaPackages.autoAddDriverRunpath ]
+    ++ lib.optionals cudaSupport [ autoAddDriverRunpath ]
    ++ lib.optionals rLibrary [ R ];
  buildInputs = [ gtest ] ++ lib.optional cudaSupport cudaPackages.cudatoolkit
--- a/pkgs/development/lua-modules/aliases.nix
+++ b/pkgs/development/lua-modules/aliases.nix
@ -7,31 +7,31 @@ lib: self: super:
 ### Use `./remove-attr.py [attrname]` in this directory to remove your alias
 ### from the `luaPackages` set without regenerating the entire file.
 with self;
 let
  inherit (lib) dontDistribute hasAttr isDerivation mapAttrs;
  # Removing recurseForDerivation prevents derivations of aliased attribute
  # set to appear while listing all the packages available.
-  removeRecurseForDerivations = alias: with lib;
+  removeRecurseForDerivations = alias:
    if alias.recurseForDerivations or false
    then removeAttrs alias ["recurseForDerivations"]
    else alias;
  # Disabling distribution prevents top-level aliases for non-recursed package
  # sets from building on Hydra.
-  removeDistribute = alias: with lib;
+  removeDistribute = alias:
    if isDerivation alias then
      dontDistribute alias
    else alias;
  # Make sure that we are not shadowing something from node-packages.nix.
  checkInPkgs = n: alias:
-    if builtins.hasAttr n super
+    if hasAttr n super
    then throw "Alias ${n} is still in generated.nix"
    else alias;
  mapAliases = aliases:
-    lib.mapAttrs (n: alias:
+    mapAttrs (n: alias:
      removeDistribute
        (removeRecurseForDerivations
          (checkInPkgs n alias)))
--- a/pkgs/development/lua-modules/overrides.nix
+++ b/pkgs/development/lua-modules/overrides.nix
@ -56,7 +56,9 @@
 }:
 final: prev:
-with prev;
+let
  inherit (prev) luaOlder luaAtLeast lua isLuaJIT;
 in
 {
  argparse = prev.argparse.overrideAttrs(oa: {
@ -176,10 +178,12 @@ with prev;
  });
  ldbus = prev.ldbus.overrideAttrs (oa: {
-    luarocksConfig.variables = {
+    luarocksConfig = oa.luarocksConfig // {
-      DBUS_DIR = "${dbus.lib}";
+      variables = {
-      DBUS_ARCH_INCDIR = "${dbus.lib}/lib/dbus-1.0/include";
+        DBUS_DIR = "${dbus.lib}";
-      DBUS_INCDIR = "${dbus.dev}/include/dbus-1.0";
+        DBUS_ARCH_INCDIR = "${dbus.lib}/lib/dbus-1.0/include";
        DBUS_INCDIR = "${dbus.dev}/include/dbus-1.0";
      };
    };
    buildInputs = [
      dbus
@ -202,7 +206,7 @@ with prev;
    '';
    meta.broken = luaOlder "5.1" || luaAtLeast "5.3";
-    propagatedBuildInputs = with lib; oa.propagatedBuildInputs ++ optional (!isLuaJIT) luaffi;
+    propagatedBuildInputs = with lib; oa.propagatedBuildInputs ++ optional (!isLuaJIT) final.luaffi;
  });
  lgi = prev.lgi.overrideAttrs (oa: {
@ -349,7 +353,7 @@ with prev;
  luaevent = prev.luaevent.overrideAttrs (oa: {
    propagatedBuildInputs = oa.propagatedBuildInputs ++ [
-      luasocket
+      final.luasocket
    ];
    externalDeps = [
      { name = "EVENT"; dep = libevent; }
@ -535,8 +539,8 @@ with prev;
    buildInputs = [ libuv ];
    # Use system libuv instead of building local and statically linking
-    luarocksConfig.variables = {
+    luarocksConfig = lib.recursiveUpdate oa.luarocksConfig {
-      WITH_SHARED_LIBUV = "ON";
+      variables = { WITH_SHARED_LIBUV = "ON"; };
    };
    # we unset the LUA_PATH since the hook erases the interpreter defaults (To fix)
--- a/pkgs/development/octave-modules/instrument-control/default.nix
+++ b/pkgs/development/octave-modules/instrument-control/default.nix
@ -5,11 +5,11 @@
 buildOctavePackage rec {
  pname = "instrument-control";
-  version = "0.9.2";
+  version = "0.9.3";
  src = fetchurl {
    url = "mirror://sourceforge/octave/${pname}-${version}.tar.gz";
-    sha256 = "sha256-N7lSJBA+DRex2jHWhSG7nUpJaFoSz26HhTtoc5/rdA0=";
+    sha256 = "sha256-5ZufEs761qz0nKt0YYikJccqEtK+Qs9UcnJlRsW8VCM=";
  };
  meta = with lib; {
--- a/pkgs/development/python-modules/aiounifi/default.nix
+++ b/pkgs/development/python-modules/aiounifi/default.nix
@ -15,7 +15,7 @@
 buildPythonPackage rec {
  pname = "aiounifi";
-  version = "73";
+  version = "74";
  pyproject = true;
  disabled = pythonOlder "3.11";
@ -24,7 +24,7 @@ buildPythonPackage rec {
    owner = "Kane610";
    repo = "aiounifi";
    rev = "refs/tags/v${version}";
-    hash = "sha256-xs3+2f/CNabdXm8g2V+sEIR5kQguxi3nMeJLb8TVrck=";
+    hash = "sha256-5xxgpbnTqR8AWUvRQJiXGJECn0neV8QQyjYKw09sqZg=";
  };
  postPatch = ''
--- a/pkgs/development/python-modules/aws-secretsmanager-caching/default.nix
+++ b/pkgs/development/python-modules/aws-secretsmanager-caching/default.nix
@ -11,7 +11,7 @@
 buildPythonPackage rec {
  pname = "aws-secretsmanager-caching";
-  version = "1.1.1.5";
+  version = "1.1.2";
  pyprject = true;
  disabled = pythonOlder "3.7";
@ -19,7 +19,7 @@ buildPythonPackage rec {
  src = fetchPypi {
    pname = "aws_secretsmanager_caching";
    inherit version;
-    hash = "sha256-XO4nYruJty8+USP+7o5F++RP/hY7/KCLKPJ7Lit3cuE=";
+    hash = "sha256-hhdo+I1yA/pLA+YFDFi8Ekrv27xQLpxiqXh1+4XqteA=";
  };
  patches = [
@ -32,11 +32,11 @@ buildPythonPackage rec {
      --replace-fail "'pytest-runner'," ""
  '';
-  nativeBuildInputs = [
+  build-system = [
    setuptools-scm
  ];
-  propagatedBuildInputs = [
+  dependencies = [
    botocore
    setuptools  # Needs pkg_resources at runtime.
  ];
--- a/pkgs/development/python-modules/dploot/default.nix
+++ b/pkgs/development/python-modules/dploot/default.nix
@ -1,49 +1,61 @@
 { lib
 , buildPythonPackage
-, poetry-core
+, cryptography
 , pythonRelaxDepsHook
 , fetchPypi
 , impacket
 , cryptography
 , pyasn1
 , lxml
 , poetry-core
 , pyasn1
 , pythonOlder
 , pythonRelaxDepsHook
 }:
 buildPythonPackage rec {
  pname = "dploot";
-  version = "2.6.2";
+  version = "2.7.0";
  pyproject = true;
  disabled = pythonOlder "3.7";
  src = fetchPypi {
    inherit pname version;
-    hash = "sha256-Fko8zsIjVG1Cmeiect239HGCStJ8VccGTE102cTIr58=";
+    hash = "sha256-76+cTukQOXE8tjaBrWVJY56+zVO5yqB5BT9q7+TBpnA=";
  };
-  pythonRelaxDeps = true;
+  pythonRelaxDeps = [
    "cryptography"
    "lxml"
    "pyasn1"
  ];
  nativeBuildInputs = [
    poetry-core
    pythonRelaxDepsHook
  ];
-  propagatedBuildInputs = [
+  build-system = [
    poetry-core
  ];
  dependencies = [
    impacket
    cryptography
    pyasn1
    lxml
  ];
-  pythonImportsCheck = [ "dploot" ];
+  pythonImportsCheck = [
    "dploot"
  ];
  # No tests
  doCheck = false;
-  meta = {
+  meta = with lib; {
    homepage = "https://github.com/zblurx/dploot";
    description = "DPAPI looting remotely in Python";
-    mainProgram = "dploot";
+    homepage = "https://github.com/zblurx/dploot";
    changelog = "https://github.com/zblurx/dploot/releases/tag/${version}";
-    license = lib.licenses.mit;
+    license = licenses.mit;
-    maintainers = with lib.maintainers; [ vncsb ];
+    maintainers = with maintainers; [ vncsb ];
    mainProgram = "dploot";
  };
 }
--- a/pkgs/development/python-modules/edk2-pytool-library/default.nix
+++ b/pkgs/development/python-modules/edk2-pytool-library/default.nix
@ -16,7 +16,7 @@
 buildPythonPackage rec {
  pname = "edk2-pytool-library";
-  version = "0.21.4";
+  version = "0.21.5";
  pyproject = true;
  disabled = pythonOlder "3.10";
@ -25,15 +25,15 @@ buildPythonPackage rec {
    owner = "tianocore";
    repo = "edk2-pytool-library";
    rev = "refs/tags/v${version}";
-    hash = "sha256-LzIK4GGVWAp4JXlKE7Mo0cPIH2srnJIlu36bzovNkwE=";
+    hash = "sha256-4Sb8Lu/nYUXgGt9gVv+j32cwW7TjXfH8z+fwzKaOeM8=";
  };
-  nativeBuildInputs = [
+  build-system = [
    setuptools
    setuptools-scm
  ];
-  propagatedBuildInputs = [
+  dependencies = [
    pyasn1
    pyasn1-modules
    cryptography
@ -52,7 +52,9 @@ buildPythonPackage rec {
    "test_basic_parse"
  ];
-  pythonImportsCheck = [ "edk2toollib" ];
+  pythonImportsCheck = [
    "edk2toollib"
  ];
  meta = with lib; {
    description = "Python library package that supports UEFI development";
--- a/pkgs/development/python-modules/google-cloud-firestore/default.nix
+++ b/pkgs/development/python-modules/google-cloud-firestore/default.nix
@ -17,21 +17,21 @@
 buildPythonPackage rec {
  pname = "google-cloud-firestore";
-  version = "2.15.0";
+  version = "2.16.0";
  pyproject = true;
  disabled = pythonOlder "3.7";
  src = fetchPypi {
    inherit pname version;
-    hash = "sha256-WJzknGuNcxWiSDJ+ShJKRBQ/WlMU6naPfIUWYMIeYyE=";
+    hash = "sha256-5hrnAimm5TLkOcjRZEejICREfy7kojA/xNBUwljWh38=";
  };
-  nativeBuildInputs = [
+  build-system = [
    setuptools
  ];
-  propagatedBuildInputs = [
+  dependencies = [
    google-api-core
    google-cloud-core
    proto-plus
--- a/pkgs/development/python-modules/iceportal/default.nix
+++ b/pkgs/development/python-modules/iceportal/default.nix
@ -11,7 +11,7 @@
 buildPythonPackage rec {
  pname = "iceportal";
-  version = "1.1.2";
+  version = "1.2.0";
  pyproject = true;
  disabled = pythonOlder "3.9";
@ -20,14 +20,14 @@ buildPythonPackage rec {
    owner = "home-assistant-ecosystem";
    repo = "python-iceportal";
    rev = "refs/tags/${version}";
-    hash = "sha256-s+jEpxKsa3eIV4a/Ltso51jqZC4jzsvPLTjDFMV9FIA=";
+    hash = "sha256-kpAUgGi2fAHzQYuZAaQW9wdrYjwbduRsoTwSuzcjJa8=";
  };
-  nativeBuildInputs = [
+  build-system = [
    poetry-core
  ];
-  propagatedBuildInputs = [
+  dependencies = [
    httpx
  ];
--- a/pkgs/development/python-modules/ignite/default.nix
+++ b/pkgs/development/python-modules/ignite/default.nix
@ -15,14 +15,14 @@
 buildPythonPackage rec {
  pname = "ignite";
-  version = "0.4.13";
+  version = "0.5.0.post2";
  format = "setuptools";
  src = fetchFromGitHub {
    owner = "pytorch";
    repo = pname;
    rev = "refs/tags/v${version}";
-    hash = "sha256-+olp+zphcHMvcGKHt0JhxXza1wd7UiydwVFnSQ310Vg=";
+    hash = "sha256-Lg7ASODYwWWhC45X4+Bk50gSlSWwgn2tM4atLXWbQLI=";
  };
  nativeCheckInputs = [ pytestCheckHook matplotlib mock pytest-xdist torchvision ];
--- a/pkgs/development/python-modules/jaxlib/default.nix
+++ b/pkgs/development/python-modules/jaxlib/default.nix
@ -4,6 +4,7 @@
  # Build-time dependencies:
 , addOpenGLRunpath
 , autoAddDriverRunpath
 , bazel_6
 , binutils
 , buildBazelPackage
@ -51,7 +52,7 @@
 }@inputs:
 let
-  inherit (cudaPackagesGoogle) autoAddDriverRunpath cudaFlags cudaVersion cudnn nccl;
+  inherit (cudaPackagesGoogle) cudaFlags cudaVersion cudnn nccl;
  pname = "jaxlib";
  version = "0.4.24";
--- a/pkgs/development/python-modules/llama-index-core/default.nix
+++ b/pkgs/development/python-modules/llama-index-core/default.nix
@ -30,7 +30,7 @@
 buildPythonPackage rec {
  pname = "llama-index-core";
-  version = "0.10.25";
+  version = "0.10.26";
  pyproject = true;
  disabled = pythonOlder "3.8";
@ -39,7 +39,7 @@ buildPythonPackage rec {
    owner = "run-llama";
    repo = "llama_index";
    rev = "refs/tags/v${version}";
-    hash = "sha256-E06Fxj6dD0BVYpme107IdgGg0Y7vhNR9zFvyKL0Yqws=";
+    hash = "sha256-X/g+/+MxYCPJM2z0eUT/O6uziPUORX9yy2gLr8E3rCA=";
  };
  sourceRoot = "${src.name}/${pname}";
--- a/pkgs/development/python-modules/marimo/default.nix
+++ b/pkgs/development/python-modules/marimo/default.nix
@ -19,14 +19,14 @@
 buildPythonPackage rec {
  pname = "marimo";
-  version = "0.3.5";
+  version = "0.3.8";
  pyproject = true;
  disabled = pythonOlder "3.8";
  src = fetchPypi {
    inherit pname version;
-    hash = "sha256-XBOffkPJaGeyuK/mesN1nXXARRpoZpmiu5WVYS1tFvI=";
+    hash = "sha256-xl8hN1Bg3uGbAMaKNLPAgw06vkqZkJaNRe5lmOY8fPA=";
  };
  build-system = [
--- a/pkgs/development/python-modules/mkdocstrings/default.nix
+++ b/pkgs/development/python-modules/mkdocstrings/default.nix
@ -16,7 +16,7 @@
 buildPythonPackage rec {
  pname = "mkdocstrings";
-  version = "0.24.1";
+  version = "0.24.2";
  pyproject = true;
  disabled = pythonOlder "3.8";
@ -25,19 +25,19 @@ buildPythonPackage rec {
    owner = "mkdocstrings";
    repo = "mkdocstrings";
    rev = "refs/tags/${version}";
-    hash = "sha256-6Th/HckxcCIupQWQglK+4ReXB6sdIDE8/nWgP42iqIQ=";
+    hash = "sha256-RlEr9NA6GV/XXjGvX/Yipu6FQAi7HuE9SvIH/snQJRM=";
  };
  postPatch = ''
    substituteInPlace pyproject.toml \
-      --replace 'dynamic = ["version"]' 'version = "${version}"'
+      --replace-fail 'dynamic = ["version"]' 'version = "${version}"'
  '';
-  nativeBuildInputs = [
+  build-system = [
    pdm-backend
  ];
-  propagatedBuildInputs = [
+  dependencies = [
    jinja2
    markdown
    markupsafe
--- a/pkgs/development/python-modules/mypy-boto3/default.nix
+++ b/pkgs/development/python-modules/mypy-boto3/default.nix
@ -157,7 +157,7 @@ rec {
  mypy-boto3-cloudtrail-data = buildMypyBoto3Package "cloudtrail-data" "1.34.0" "sha256-ACiJrI+VTHr06i8PKgDY/K8houFUZQNS1lluouadCTQ=";
-  mypy-boto3-cloudwatch = buildMypyBoto3Package "cloudwatch" "1.34.40" "sha256-M/C3Rzie5dcv6TGVl7ilI5WiT1uYFrCGL+7Fga+xSLw=";
+  mypy-boto3-cloudwatch = buildMypyBoto3Package "cloudwatch" "1.34.75" "sha256-Q0Qz809o6FcN5OVotLLF3fgebt+2mbFnhfBCKTZO0aU=";
  mypy-boto3-codeartifact = buildMypyBoto3Package "codeartifact" "1.34.68" "sha256-Ey0cmx0OxN1/VXIyvn0EOBP9qYIuc/XyFVZniHLaNEY=";
@ -277,7 +277,7 @@ rec {
  mypy-boto3-elbv2 = buildMypyBoto3Package "elbv2" "1.34.63" "sha256-snXMLMHLEpJjfX1GJp6FfYgIjkS8vkbf/hESBdhxIfk=";
-  mypy-boto3-emr = buildMypyBoto3Package "emr" "1.34.44" "sha256-zM1VpAaBSxqdZiSrNiaAKfvliNRXMLEmvFvXcFmkZO0=";
+  mypy-boto3-emr = buildMypyBoto3Package "emr" "1.34.75" "sha256-Irxd4i5b1bbZuWBhXfLOuvoS1X5SoZH8GsgbQyy3UrY=";
  mypy-boto3-emr-containers = buildMypyBoto3Package "emr-containers" "1.34.70" "sha256-uZADsQWfrkoVrQZosfqogcKERWsykIqdk+tJpgmcai4=";
@ -435,7 +435,7 @@ rec {
  mypy-boto3-license-manager-user-subscriptions = buildMypyBoto3Package "license-manager-user-subscriptions" "1.34.0" "sha256-PR+u+i5zSHFTN6+GuOcWBcON1E2SNABbPavByXz3unE=";
-  mypy-boto3-lightsail = buildMypyBoto3Package "lightsail" "1.34.41" "sha256-Y7Zg/eorUegxh+Br+ULbedzGskkHKR2opnEEDpfBVk0=";
+  mypy-boto3-lightsail = buildMypyBoto3Package "lightsail" "1.34.75" "sha256-ICBUixptVS5sWBHgYms9GgrY2XQblTZkq3Qr614qZMc=";
  mypy-boto3-location = buildMypyBoto3Package "location" "1.34.18" "sha256-rsjIGenXgdEdgxvilA3IKJkYkpDDQNDfjDQRoj/mxSU=";
--- a/pkgs/development/python-modules/neo4j/default.nix
+++ b/pkgs/development/python-modules/neo4j/default.nix
@ -12,7 +12,7 @@
 buildPythonPackage rec {
  pname = "neo4j";
-  version = "5.18.0";
+  version = "5.19.0";
  pyproject = true;
  disabled = pythonOlder "3.7";
@ -21,22 +21,22 @@ buildPythonPackage rec {
    owner = "neo4j";
    repo = "neo4j-python-driver";
    rev = "refs/tags/${version}";
-    hash = "sha256-rp0N2k23WZ86hqqz4ByW5gdyU2eYLVppyEJEdY/Yk8w=";
+    hash = "sha256-bI6LIzh2+Kf6IIWEt1vT0E821lAPy/Nj2hkeAnRfV4M=";
  };
  postPatch = ''
    # The dynamic versioning adds a postfix (.dev0) to the version
    substituteInPlace pyproject.toml \
-      --replace '"tomlkit ~= 0.11.6"' '"tomlkit >= 0.11.6"' \
+      --replace-fail '"tomlkit ~= 0.11.6"' '"tomlkit >= 0.11.6"' \
-      --replace 'dynamic = ["version", "readme"]' 'dynamic = ["readme"]' \
+      --replace-fail 'dynamic = ["version", "readme"]' 'dynamic = ["readme"]' \
-      --replace '#readme = "README.rst"' 'version = "${version}"'
+      --replace-fail '#readme = "README.rst"' 'version = "${version}"'
  '';
-  nativeBuildInputs = [
+  build-system = [
    setuptools
  ];
-  propagatedBuildInputs = [
+  dependencies = [
    pytz
    tomlkit
  ];
--- a/pkgs/development/python-modules/netdata/default.nix
+++ b/pkgs/development/python-modules/netdata/default.nix
@ -12,7 +12,7 @@
 buildPythonPackage rec {
  pname = "netdata";
-  version = "1.1.0";
+  version = "1.2.0";
  format = "pyproject";
  disabled = pythonOlder "3.8";
@ -21,7 +21,7 @@ buildPythonPackage rec {
    owner = "home-assistant-ecosystem";
    repo = "python-netdata";
    rev = "refs/tags/${version}";
-    hash = "sha256-XWlUSKGgndHtJjzA0mYvhCkJsRJ1SUbl8DGdmyFUmoo=";
+    hash = "sha256-ViiGh5CsRpMJ6zvPmje+eB5LuO6t47bjObaYh5a2Kw8=";
  };
  nativeBuildInputs = [
--- a/pkgs/development/python-modules/nuitka/default.nix
+++ b/pkgs/development/python-modules/nuitka/default.nix
@ -7,27 +7,28 @@
 , python3
 , setuptools
 , zstandard
 , wheel
 }:
 buildPythonPackage rec {
  pname = "nuitka";
-  version = "1.8.4";
+  version = "2.1.4";
  pyproject = true;
  src = fetchFromGitHub {
    owner = "Nuitka";
    repo = "Nuitka";
    rev = version;
-    hash = "sha256-spa3V9KEjqmwnHSuxLLIu9hJk5PrRwNyOw72sfxBVKo=";
+    hash = "sha256-bV5zTYwhR/3dTM1Ij+aC6TbcPODZ5buwQi7xN8axZi0=";
  };
  # default lto off for darwin
  patches = [ ./darwin-lto.patch ];
-  nativeBuildInputs = [ setuptools ];
+  build-system = [ setuptools wheel ];
  nativeCheckInputs = [ ccache  ];
-  propagatedBuildInputs = [
+  dependencies = [
    ordered-set
    zstandard
  ];
--- a/pkgs/development/python-modules/orbax-checkpoint/default.nix
+++ b/pkgs/development/python-modules/orbax-checkpoint/default.nix
@ -22,7 +22,7 @@
 buildPythonPackage rec {
  pname = "orbax-checkpoint";
-  version = "0.5.5";
+  version = "0.5.7";
  pyproject = true;
  disabled = pythonOlder "3.9";
@ -30,7 +30,7 @@ buildPythonPackage rec {
  src = fetchPypi {
    pname = "orbax_checkpoint";
    inherit version;
-    hash = "sha256-zry5byLxFzah+e52x4yIi6roU3Jox/9mY62cujB2xlU=";
+    hash = "sha256-3hRUm4mSIKT0RUU5Z8GsLXFluBUlM0JYd0YAXwOpgTs=";
  };
  nativeBuildInputs = [
@ -60,6 +60,7 @@ buildPythonPackage rec {
  pythonImportsCheck = [
    "orbax"
    "orbax.checkpoint"
  ];
  disabledTestPaths = [
@ -73,6 +74,6 @@ buildPythonPackage rec {
    homepage = "https://github.com/google/orbax/tree/main/checkpoint";
    changelog = "https://github.com/google/orbax/blob/${version}/CHANGELOG.md";
    license = licenses.asl20;
-    maintainers = with maintainers; [fab ];
+    maintainers = with maintainers; [ fab ];
  };
 }
--- a/pkgs/development/python-modules/oslo-log/default.nix
+++ b/pkgs/development/python-modules/oslo-log/default.nix
@ -17,7 +17,7 @@
 buildPythonPackage rec {
  pname = "oslo-log";
-  version = "5.5.0";
+  version = "5.5.1";
  format = "setuptools";
  disabled = pythonOlder "3.8";
@ -25,7 +25,7 @@ buildPythonPackage rec {
  src = fetchPypi {
    pname = "oslo.log";
    inherit version;
-    hash = "sha256-TO3RZpx94o2OZrZ6X21sb+g5KFNfqHzWm/ZhG1n1Z+c=";
+    hash = "sha256-SEFIUSxdsqizXIPNmX6ZU3Vf2L+oqvbuDMjHrrdCkhA=";
  };
  propagatedBuildInputs = [
--- a/pkgs/development/python-modules/peaqevcore/default.nix
+++ b/pkgs/development/python-modules/peaqevcore/default.nix
@ -7,21 +7,21 @@
 buildPythonPackage rec {
  pname = "peaqevcore";
-  version = "19.7.7";
+  version = "19.7.12";
  pyproject = true;
  disabled = pythonOlder "3.7";
  src = fetchPypi {
    inherit pname version;
-    hash = "sha256-HJ+8EpxcMhUPJILapNk9esA0iUm8PiHPDm3MmBQDny4=";
+    hash = "sha256-/oo24hOH2aIXZH0CwmgTNIvA2MJWvOR084rZEOdldGM=";
  };
  postPatch = ''
    sed -i "/extras_require/d" setup.py
  '';
-  nativeBuildInputs = [
+  build-system = [
    setuptools
  ];
--- a/pkgs/development/python-modules/piccolo-theme/default.nix
+++ b/pkgs/development/python-modules/piccolo-theme/default.nix
@ -2,13 +2,13 @@
 buildPythonPackage rec {
  pname = "piccolo-theme";
-  version = "0.20.0";
+  version = "0.21.0";
  format = "setuptools";
  src = fetchPypi {
    pname = "piccolo_theme";
    inherit version;
-    hash = "sha256-/I6Q///oZ1OlSQEOwQ4KtUuj73ra6poyDhfhiF5nJrE=";
+    hash = "sha256-mQqZ6Rwx0VoDBVQ0zbvCOmAMKAMv67Xd1ksYW6w2QPM=";
  };
  propagatedBuildInputs = [
--- a/pkgs/development/python-modules/pipenv-poetry-migrate/default.nix
+++ b/pkgs/development/python-modules/pipenv-poetry-migrate/default.nix
@ -11,7 +11,7 @@
 buildPythonPackage rec {
  pname = "pipenv-poetry-migrate";
-  version = "0.5.4";
+  version = "0.5.5";
  format = "pyproject";
  disabled = pythonOlder "3.8";
@ -20,7 +20,7 @@ buildPythonPackage rec {
    owner = "yhino";
    repo = "pipenv-poetry-migrate";
    rev = "refs/tags/v${version}";
-    hash = "sha256-5qOOklwjTGrlvaPg7hVYLAAHvQ7633VAt3L2PHw2V9U=";
+    hash = "sha256-6K8rTfASpK7OvBwUy40X6xzgpfWL7lIJvpfRiGfBK6U=";
  };
  nativeBuildInputs = [
--- a/pkgs/development/python-modules/ring-doorbell/default.nix
+++ b/pkgs/development/python-modules/ring-doorbell/default.nix
@ -18,7 +18,7 @@
 buildPythonPackage rec {
  pname = "ring-doorbell";
-  version = "0.8.8";
+  version = "0.8.9";
  pyproject = true;
  disabled = pythonOlder "3.8";
@ -26,14 +26,14 @@ buildPythonPackage rec {
  src = fetchPypi {
    pname = "ring_doorbell";
    inherit version;
-    hash = "sha256-Rz12Qpawi4/u14ywJGt9Yw7IqjYP4bg6zNr9oN3iQxQ=";
+    hash = "sha256-FUPXia4lCDJDbzEzuewa5ShiIm0EvOrDE8GGZxYWvhk=";
  };
-  nativeBuildInputs = [
+  build-system = [
    poetry-core
  ];
-  propagatedBuildInputs = [
+  dependencies = [
    asyncclick
    oauthlib
    pytz
--- a/pkgs/development/python-modules/tencentcloud-sdk-python/default.nix
+++ b/pkgs/development/python-modules/tencentcloud-sdk-python/default.nix
@ -9,7 +9,7 @@
 buildPythonPackage rec {
  pname = "tencentcloud-sdk-python";
-  version = "3.0.1121";
+  version = "3.0.1122";
  pyproject = true;
  disabled = pythonOlder "3.9";
@ -18,7 +18,7 @@ buildPythonPackage rec {
    owner = "TencentCloud";
    repo = "tencentcloud-sdk-python";
    rev = "refs/tags/${version}";
-    hash = "sha256-McSF0s6ACEDSrfOBCBVT2yEoUmKKeYiPoQpLoc5hHDU=";
+    hash = "sha256-rJpgtyBVJn6jURSSEVlT4BadDTr9npeISgKtQdQdgnM=";
  };
  build-system = [
--- a/pkgs/development/python-modules/volkszaehler/default.nix
+++ b/pkgs/development/python-modules/volkszaehler/default.nix
@ -4,23 +4,28 @@
 , buildPythonPackage
 , fetchFromGitHub
 , pythonOlder
 , setuptools
 }:
 buildPythonPackage rec {
  pname = "volkszaehler";
-  version = "0.4.0";
+  version = "0.5.0";
-  format = "setuptools";
+  pyproject = true;
-  disabled = pythonOlder "3.9";
+  disabled = pythonOlder "3.10";
  src = fetchFromGitHub {
    owner = "home-assistant-ecosystem";
    repo = "python-volkszaehler";
    rev = "refs/tags/${version}";
-    hash = "sha256-jX0nwBsBYU383LG8f08FVI7Lo9gnyPSQ0fiEF8dQc/M=";
+    hash = "sha256-7SB0x0BO9SMeMG1M/hH4fX7oDbtwPgCzyRrrUq1/WPo=";
  };
-  propagatedBuildInputs = [
+  nativeBuildInputs = [
    setuptools
  ];
  dependencies = [
    aiohttp
    async-timeout
  ];
--- a/pkgs/development/python-modules/whenever/default.nix
+++ b/pkgs/development/python-modules/whenever/default.nix
@ -13,7 +13,7 @@
 buildPythonPackage rec {
  pname = "whenever";
-  version = "0.5.0";
+  version = "0.5.1";
  pyproject = true;
  disabled = pythonOlder "3.8";
@ -22,7 +22,7 @@ buildPythonPackage rec {
    owner = "ariebovenberg";
    repo = "whenever";
    rev = "refs/tags/${version}";
-    hash = "sha256-5Ik9+i5T5ztb+2zqFZ+SBmrZFLDxji66e3lK0z2w92c=";
+    hash = "sha256-RH2614M91zYULNTQsr6JoKfxlnGyAJsCkB7oeiz7urs=";
  };
  postPatch = ''
@ -31,18 +31,16 @@ buildPythonPackage rec {
      --replace-fail '--benchmark-disable' '#--benchmark-disable'
  '';
-  nativeBuildInputs = [
+  build-system = [
    poetry-core
  ];
-  propagatedBuildInputs = [
+  dependencies = [
    tzdata
  ] ++ lib.optionals (pythonOlder "3.9") [
    backports-zoneinfo
  ];
  pythonImportsCheck = [ "whenever" ];
  nativeCheckInputs = [
    pytestCheckHook
    pytest-mypy-plugins
@ -50,6 +48,10 @@ buildPythonPackage rec {
    freezegun
  ];
  pythonImportsCheck = [
    "whenever"
  ];
  # early TDD, many tests are failing
  # TODO: try enabling on bump
  doCheck = false;
--- a/pkgs/development/tools/algolia-cli/default.nix
+++ b/pkgs/development/tools/algolia-cli/default.nix
@ -2,13 +2,13 @@
 buildGoModule rec {
  pname = "algolia-cli";
-  version = "1.6.5";
+  version = "1.6.6";
  src = fetchFromGitHub {
    owner = "algolia";
    repo = "cli";
    rev = "v${version}";
-    hash = "sha256-bS/xSrb1vCeYuDZj8NwEyclbYMXlejAxIoItEX8YnOs=";
+    hash = "sha256-yLsyby3u1oz5fnQ/zQ0sjy2w+Pv0KHySojsDc4vnFF0=";
  };
  vendorHash = "sha256-cNuBTH7L2K4TgD0H9FZ9CjhE5AGXADaniGLD9Lhrtrk=";
--- a/pkgs/development/tools/analysis/checkov/default.nix
+++ b/pkgs/development/tools/analysis/checkov/default.nix
@ -5,14 +5,14 @@
 python3.pkgs.buildPythonApplication rec {
  pname = "checkov";
-  version = "3.2.50";
+  version = "3.2.51";
  pyproject = true;
  src = fetchFromGitHub {
    owner = "bridgecrewio";
    repo = "checkov";
    rev = "refs/tags/${version}";
-    hash = "sha256-XOH4RrkyjTZY1N5XSR71GEGofPgqI7XkE8c3/ojoHGI=";
+    hash = "sha256-aUu1sxP4YUuF2E4oPh8QJ/hpqLSvAz0aYei+QSj9qqQ=";
  };
  patches = [
--- a/pkgs/development/tools/build-managers/gradle/default.nix
+++ b/pkgs/development/tools/build-managers/gradle/default.nix
@ -160,9 +160,9 @@ rec {
  # https://docs.gradle.org/current/userguide/compatibility.html
  gradle_8 = gen {
-    version = "8.6";
+    version = "8.7";
    nativeVersion = "0.22-milestone-25";
-    hash = "sha256-ljHVPPPnS/pyaJOu4fiZT+5OBgxAEzWUbbohVvRA8kw=";
+    hash = "sha256-VEw11r2Emuil7QvOo5umd9xA9J330YNVYVgtogCblh0=";
    defaultJava = jdk21;
  };
--- a/pkgs/development/tools/build-managers/rake/Gemfile.lock
+++ b/pkgs/development/tools/build-managers/rake/Gemfile.lock
@ -1,7 +1,7 @@
 GEM
  remote: https://rubygems.org/
  specs:
-    rake (13.1.0)
+    rake (13.2.0)
 PLATFORMS
  ruby
@ -10,4 +10,4 @@ DEPENDENCIES
  rake
 BUNDLED WITH
-   2.5.3
+   2.5.6
--- a/pkgs/development/tools/build-managers/rake/default.nix
+++ b/pkgs/development/tools/build-managers/rake/default.nix
@ -13,5 +13,6 @@ bundlerApp {
    license  = with licenses; mit;
    maintainers = with maintainers; [ manveru nicknovitski ];
    platforms = platforms.unix;
    mainProgram = "rake";
  };
 }
--- a/pkgs/development/tools/build-managers/rake/gemset.nix
+++ b/pkgs/development/tools/build-managers/rake/gemset.nix
@ -4,9 +4,9 @@
    platforms = [];
    source = {
      remotes = ["https://rubygems.org"];
-      sha256 = "1ilr853hawi09626axx0mps4rkkmxcs54mapz9jnqvpnlwd3wsmy";
+      sha256 = "0lwv4rniry7k9dvz1n462d7j0dq9mrl6a95y6cvs6139h0ksxhgn";
      type = "gem";
    };
-    version = "13.1.0";
+    version = "13.2.0";
  };
 }
--- a/pkgs/development/tools/phpactor/default.nix
+++ b/pkgs/development/tools/phpactor/default.nix
@ -6,16 +6,16 @@
 php.buildComposerProject (finalAttrs: {
  pname = "phpactor";
-  version = "2023.12.03.0";
+  version = "2024.03.09.0";
  src = fetchFromGitHub {
    owner = "phpactor";
    repo = "phpactor";
    rev = finalAttrs.version;
-    hash = "sha256-zLSGzaUzroWkvFNCj3uA9KdZ3K/EIQOZ7HzV6Ms5/BE=";
+    hash = "sha256-1QPBq8S3mOkSackXyCuFdoxfAdUQaRuUfoOfKOGuiR0=";
  };
-  vendorHash = "sha256-0jvWbQubPXDhsXqEp8q5R0Y7rQX3UiccGDF3HDBeh7o=";
+  vendorHash = "sha256-9YN+fy+AvNnF0Astrirpewjmh/bSINAhW9fLvN5HGGI=";
  nativeBuildInputs = [ installShellFiles ];
--- a/pkgs/development/tools/pscale/default.nix
+++ b/pkgs/development/tools/pscale/default.nix
@ -8,16 +8,16 @@
 buildGoModule rec {
  pname = "pscale";
-  version = "0.186.0";
+  version = "0.191.0";
  src = fetchFromGitHub {
    owner = "planetscale";
    repo = "cli";
    rev = "v${version}";
-    sha256 = "sha256-LXUvVctOFreDlIozA17pfDblZ6QugVA/dJ+IKE3fBeY=";
+    sha256 = "sha256-+QGzLPJQbIql5Xomve/v3vGB5kdCDamxkRM6weIZMMw=";
  };
-  vendorHash = "sha256-ubMr2gm4t0731niC2Mx1Lcmdl48SUVjfoIWbtgt3X+I=";
+  vendorHash = "sha256-dcMKi12YFTpQShGRm97Zptiw9JK55CAXm0r8UG+c1Dg=";
  ldflags = [
    "-s" "-w"
--- a/pkgs/development/tools/quilt/default.nix
+++ b/pkgs/development/tools/quilt/default.nix
@ -18,11 +18,11 @@
 stdenv.mkDerivation rec {
  pname = "quilt";
-  version = "0.67";
+  version = "0.68";
  src = fetchurl {
    url = "mirror://savannah/${pname}/${pname}-${version}.tar.gz";
-    sha256 = "sha256-O+O+CYfnKmw2Rni7gn4+H8wQMitWvF8CtXZpj1UBPMI=";
+    sha256 = "sha256-/owJ3gPBBuhbNzfI8DreFHyVa3ntevSFocijhY2zhCY=";
  };
  nativeBuildInputs = [ makeWrapper ];
--- a/pkgs/development/tools/rain/default.nix
+++ b/pkgs/development/tools/rain/default.nix
@ -7,16 +7,16 @@
 buildGoModule rec {
  pname = "rain";
-  version = "1.8.2";
+  version = "1.8.3";
  src = fetchFromGitHub {
    owner = "aws-cloudformation";
    repo = pname;
    rev = "v${version}";
-    sha256 = "sha256-QJAcIk+XPQF5iLlcK62t2htOVjne3K/74Am0pvLS1r8=";
+    sha256 = "sha256-l5Exm31pQlmYh9VizdrARFgtIxb48ALR1IYaNFfCMWk=";
  };
-  vendorHash = "sha256-+UJyPwb4/KPeXyrsGQvX2SfYWfTeoR93WGyTTBf3Ya8=";
+  vendorHash = "sha256-PjdM52qCR7zVjQDRWwGXcJwqLYUt9LTi9SX85A4z2SA=";
  subPackages = [ "cmd/rain" ];
--- a/pkgs/development/tools/rust/cargo-public-api/default.nix
+++ b/pkgs/development/tools/rust/cargo-public-api/default.nix
@ -10,14 +10,14 @@
 rustPlatform.buildRustPackage rec {
  pname = "cargo-public-api";
-  version = "0.34.0";
+  version = "0.34.1";
  src = fetchCrate {
    inherit pname version;
-    hash = "sha256-xD+0eplrtrTlYYnfl1R6zIO259jP18OAp9p8eg1CqbI=";
+    hash = "sha256-fNQ4FfOaS38KGhI/hCRLdtYmb0FXkoXyJsbcT+1K6Ow=";
  };
-  cargoHash = "sha256-EjMzOilTnPSC7FYxrNBxX+sugYvPIxiCzlwQcl3VMog=";
+  cargoHash = "sha256-DwhaVn6nuy2KbXaRcIUQN6iS85ONwAbCWX+vxfa0F7U=";
  nativeBuildInputs = [ pkg-config ];
--- a/pkgs/development/tools/typos/default.nix
+++ b/pkgs/development/tools/typos/default.nix
@ -2,16 +2,16 @@
 rustPlatform.buildRustPackage rec {
  pname = "typos";
-  version = "1.20.1";
+  version = "1.20.3";
  src = fetchFromGitHub {
    owner = "crate-ci";
    repo = pname;
    rev = "v${version}";
-    hash = "sha256-X9m+2zJsHYbek/G9oyH3394/StolG3cDjVigTJZNzu0=";
+    hash = "sha256-0z00e8lRDA/KdAPGAwOGlRXgpXkag4htZ+ykXEAmtJE=";
  };
-  cargoHash = "sha256-eCcuDfolsjv6Xt+sqo8VxWZhy5DLoukuI9rQiNXrUVs=";
+  cargoHash = "sha256-8XWU7/z1LhfB5rp9LKqdaoaORF68ZI5Pl8zkrxKSQQE=";
  meta = with lib; {
    description = "Source code spell checker";
--- a/pkgs/misc/fastly/default.nix
+++ b/pkgs/misc/fastly/default.nix
@ -10,13 +10,13 @@
 buildGoModule rec {
  pname = "fastly";
-  version = "10.8.8";
+  version = "10.8.9";
  src = fetchFromGitHub {
    owner = "fastly";
    repo = "cli";
    rev = "refs/tags/v${version}";
-    hash = "sha256-GdreswHR+avk5AYJwcoxqF/MlrcHX9NLNpgST5+0kVc=";
+    hash = "sha256-s3tsLCON8F1N7pK7xp8Fwmo8KNctmUnA7I1MxhQeDtA=";
    # The git commit is part of the `fastly version` original output;
    # leave that output the same in nixpkgs. Use the `.git` directory
    # to retrieve the commit SHA, and remove the directory afterwards,
--- a/pkgs/os-specific/darwin/insert_dylib/default.nix
+++ b/pkgs/os-specific/darwin/insert_dylib/default.nix
@ -1,22 +1,43 @@
-{ lib, stdenv, fetchFromGitHub, xcbuildHook }:
+{
  lib,
  stdenv,
  fetchFromGitHub,
 }:
 stdenv.mkDerivation {
-  pname = "insert_dylib";
+  pname = "insert-dylib";
-  version = "unstable-2016-08-28";
+  version = "0-unstable-2016-08-28";
  src = fetchFromGitHub {
    owner = "Tyilo";
    repo = "insert_dylib";
    rev = "c8beef66a08688c2feeee2c9b6eaf1061c2e67a9";
-    sha256 = "0az38y06pvvy9jf2wnzdwp9mp98lj6nr0ldv0cs1df5p9x2qvbya";
+    hash = "sha256-yq+NRU+3uBY0A7tRkK2RFKVb0+XtWy6cTH7va4BH4ys=";
  };
-  nativeBuildInputs = [ xcbuildHook ];
+  buildPhase = ''
    runHook preBuild
-  installPhase = ''
+    mkdir -p Products/Release
-    mkdir -p $out/bin
+    $CC -o Products/Release/insert_dylib insert_dylib/main.c
-    install -m755 Products/Release/insert_dylib $out/bin
+
    runHook postBuild
  '';
-  meta.platforms = lib.platforms.darwin;
+  installPhase = ''
    runHook preInstall
    install -Dm755 Products/Release/insert_dylib -t $out/bin
    runHook postInstall
  '';
  meta = {
    description = "Command line utility for inserting a dylib load command into a Mach-O binary";
    homepage = "https://github.com/tyilo/insert_dylib";
    license = lib.licenses.unfree; # no license specified
    mainProgram = "insert_dylib";
    maintainers = with lib.maintainers; [ wegank ];
    platforms = lib.platforms.darwin;
  };
 }
--- a/pkgs/servers/http/unit/default.nix
+++ b/pkgs/servers/http/unit/default.nix
@ -28,14 +28,14 @@ let
  php82-unit = php82.override phpConfig;
 in stdenv.mkDerivation rec {
-  version = "1.32.0";
+  version = "1.32.1";
  pname = "unit";
  src = fetchFromGitHub {
    owner = "nginx";
    repo = pname;
    rev = version;
-    sha256 = "sha256-u693Q6Gp8lFm3DX1q5i6W021bxD962NGBGDRxUtvGrk=";
+    sha256 = "sha256-YqejETJTbnmXoPsYITJ6hSnd1fIWUc1p5FldYkw2HQI=";
  };
  nativeBuildInputs = [ which ];
--- a/pkgs/servers/search/opensearch/default.nix
+++ b/pkgs/servers/search/opensearch/default.nix
@ -11,11 +11,11 @@
 stdenvNoCC.mkDerivation (finalAttrs: {
  pname = "opensearch";
-  version = "2.12.0";
+  version = "2.13.0";
  src = fetchurl {
    url = "https://artifacts.opensearch.org/releases/bundle/opensearch/${finalAttrs.version}/opensearch-${finalAttrs.version}-linux-x64.tar.gz";
-    hash = "sha256-t9s633qDzxvG1x+VVATpczzvD+ojnfTiwB/EambMKtA=";
+    hash = "sha256-cF2JZX5psuh7h8acazK9tcjNu6wralJtliwqaBnd/V8=";
  };
  nativeBuildInputs = [
--- a/pkgs/servers/sql/postgresql/ext/pg_partman.nix
+++ b/pkgs/servers/sql/postgresql/ext/pg_partman.nix
@ -2,7 +2,7 @@
 stdenv.mkDerivation rec {
  pname = "pg_partman";
-  version = "5.0.1";
+  version = "5.1.0";
  buildInputs = [ postgresql ];
@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
    owner  = "pgpartman";
    repo   = pname;
    rev    = "refs/tags/v${version}";
-    sha256 = "sha256-sJODpyRgqpeg/Lb584wNgCCFRaH22ELcbof1bA612aw=";
+    sha256 = "sha256-GrVOJ5ywZMyqyDroYDLdKkXDdIJSDGhDfveO/ZvrmYs=";
  };
  installPhase = ''
--- a/pkgs/servers/ttyd/default.nix
+++ b/pkgs/servers/ttyd/default.nix
@ -8,12 +8,12 @@ with builtins;
 stdenv.mkDerivation rec {
  pname = "ttyd";
-  version = "1.7.4";
+  version = "1.7.5";
  src = fetchFromGitHub {
    owner = "tsl0922";
    repo = pname;
    rev = "refs/tags/${version}";
-    sha256 = "sha256-BNvJkDOSlcNXt5W9/3/4I+MhQYn0W37zrJRYpAoZWaA=";
+    sha256 = "sha256-ci6PLrFQa/aX48kjAqQfCtOOhS06ikfEtYoCgmGhGdU=";
  };
  nativeBuildInputs = [ pkg-config cmake xxd ];
--- a/pkgs/servers/web-apps/changedetection-io/default.nix
+++ b/pkgs/servers/web-apps/changedetection-io/default.nix
@ -5,19 +5,19 @@
 python3.pkgs.buildPythonApplication rec {
  pname = "changedetection-io";
-  version = "0.45.16";
+  version = "0.45.17";
  format = "setuptools";
  src = fetchFromGitHub {
    owner = "dgtlmoon";
    repo = "changedetection.io";
    rev = version;
-    hash = "sha256-ln522U3XqZfhvLvMEzrqXV3SjhpgnrRk2MxQQRBL5VU=";
+    hash = "sha256-3LaNZourDjFjdSh5+hwc2l2DRMEI/rbfyksFD9uUebg=";
  };
  postPatch = ''
    substituteInPlace requirements.txt \
-      --replace "apprise~=1.7.1" "apprise" \
+      --replace "apprise~=1.7.4" "apprise" \
      --replace "cryptography~=3.4" "cryptography" \
      --replace "dnspython~=2.4" "dnspython" \
      --replace "pytest ~=7.2" "" \
--- a/pkgs/servers/xandikos/default.nix
+++ b/pkgs/servers/xandikos/default.nix
@ -6,7 +6,7 @@
 python3Packages.buildPythonApplication rec {
  pname = "xandikos";
-  version = "0.2.10";
+  version = "0.2.11";
  format = "pyproject";
  disabled = python3Packages.pythonOlder "3.9";
@ -14,8 +14,8 @@ python3Packages.buildPythonApplication rec {
  src = fetchFromGitHub {
    owner = "jelmer";
    repo = "xandikos";
-    rev = "v${version}";
+    rev = "refs/tags/v${version}";
-    hash = "sha256-SqU/K3b8OML3PvFmP7L5R3Ub9vbW66xRpf79mgFZPfc=";
+    hash = "sha256-cBsceJ6tib8OYx5L2Hv2AqRS+ADRSLIuJGIULNpAmEI=";
  };
  nativeBuildInputs = with python3Packages; [
--- a/pkgs/tools/admin/trinsic-cli/default.nix
+++ b/pkgs/tools/admin/trinsic-cli/default.nix
@ -2,11 +2,11 @@
 rustPlatform.buildRustPackage rec {
  pname = "trinsic-cli";
-  version = "1.13.0";
+  version = "1.14.0";
  src = fetchurl {
    url = "https://github.com/trinsic-id/sdk/releases/download/v${version}/trinsic-cli-vendor-${version}.tar.gz";
-    sha256 = "sha256-uW4PNlDfyxzec9PzfXr25gPrFZQGr8qm0jLMOeIazoE=";
+    sha256 = "sha256-lPw55QcGMvY2YRYJGq4WC0fPbKiika4NF55tlb+i6So=";
  };
  cargoVendorDir = "vendor";
--- a/pkgs/tools/backup/zfs-replicate/default.nix
+++ b/pkgs/tools/backup/zfs-replicate/default.nix
@ -11,12 +11,12 @@
 buildPythonApplication rec {
  pname = "zfs_replicate";
-  version = "3.2.11";
+  version = "3.2.12";
  pyproject = true;
  src = fetchPypi {
    inherit pname version;
-    hash = "sha256-8u65Ht7s2RqBYetKf/3erb6B2+/iZgnqHBogYa4J/rs=";
+    hash = "sha256-Pyn/ehXVb5knHS1A/MFTYE0t+IVgtBe1dAnYdaHutyk=";
  };
  postPatch = ''
--- a/pkgs/tools/misc/ollama/cmake-include.patch
+++ b/pkgs/tools/misc/ollama/cmake-include.patch
@ -1,7 +0,0 @@
 --- a/llm/llama.cpp/examples/server/CMakeLists.txt
 +++ b/llm/llama.cpp/examples/server/CMakeLists.txt
@@ -11,3 +11,4 @@
     TARGET_LINK_LIBRARIES(${TARGET} PRIVATE ws2_32)
 endif()
 target_compile_features(${TARGET} PRIVATE cxx_std_11)
 +include (../../../ext_server/CMakeLists.txt) # ollama
--- a/pkgs/tools/misc/ollama/default.nix
+++ b/pkgs/tools/misc/ollama/default.nix
@ -28,14 +28,32 @@
 let
  pname = "ollama";
-  version = "0.1.29";
+  # don't forget to invalidate all hashes each update
  version = "0.1.30";
  src = fetchFromGitHub {
    owner = "jmorganca";
    repo = "ollama";
    rev = "v${version}";
-    hash = "sha256-M2G53DJF/22ZVCAb4jGjyErKO6q2argehHSV7AEef6w=";
+    hash = "sha256-+cdYT5NUf00Rx0fpCvWUNg4gi+PAOmZVDUdB3omibm0=";
    fetchSubmodules = true;
  };
  vendorHash = "sha256-Lj7CBvS51RqF63c01cOCgY7BCQeCKGu794qzb/S80C0=";
  # ollama's patches of llama.cpp's example server
  # `ollama/llm/generate/gen_common.sh` -> "apply temporary patches until fix is upstream"
  # each update, these patches should be synchronized with the contents of `ollama/llm/patches/`
  llamacppPatches = [
    (preparePatch "03-load_exception.diff" "sha256-1DfNahFYYxqlx4E4pwMKQpL+XR0bibYnDFGt6dCL4TM=")
    (preparePatch "04-locale.diff" "sha256-r5nHiP6yN/rQObRu2FZIPBKpKP9yByyZ6sSI2SKj6Do=")
  ];
  preparePatch = patch: hash: fetchpatch {
    url = "file://${src}/llm/patches/${patch}";
    inherit hash;
    stripLen = 1;
    extraPrefix = "llm/llama.cpp/";
  };
  validAccel = lib.assertOneOf "ollama.acceleration" acceleration [ null "rocm" "cuda" ];
@ -45,6 +63,7 @@ let
  enableRocm = validAccel && (acceleration == "rocm") && (warnIfNotLinux "rocm");
  enableCuda = validAccel && (acceleration == "cuda") && (warnIfNotLinux "cuda");
  rocmClang = linkFarm "rocm-clang" {
    llvm = rocmPackages.llvm.clang;
  };
@ -94,12 +113,6 @@ let
      buildGo122Module.override { stdenv = overrideCC stdenv gcc12; }
    else
      buildGo122Module;
  preparePatch = patch: hash: fetchpatch {
    url = "file://${src}/llm/patches/${patch}";
    inherit hash;
    stripLen = 1;
    extraPrefix = "llm/llama.cpp/";
  };
  inherit (lib) licenses platforms maintainers;
 in
 goBuild ((lib.optionalAttrs enableRocm {
@ -110,8 +123,7 @@ goBuild ((lib.optionalAttrs enableRocm {
  CUDACXX = "${cudaToolkit}/bin/nvcc";
  CUDAToolkit_ROOT = cudaToolkit;
 }) // {
-  inherit pname version src;
+  inherit pname version src vendorHash;
  vendorHash = "sha256-Lj7CBvS51RqF63c01cOCgY7BCQeCKGu794qzb/S80C0=";
  nativeBuildInputs = [
    cmake
@ -133,31 +145,20 @@ goBuild ((lib.optionalAttrs enableRocm {
    metalFrameworks;
  patches = [
-    # remove uses of `git` in the `go generate` script
+    # disable uses of `git` in the `go generate` script
-    # instead use `patch` where necessary
+    # ollama's build script assumes the source is a git repo, but nix removes the git directory
-    ./remove-git.patch
+    # this also disables necessary patches contained in `ollama/llm/patches/`
-    # replace a hardcoded use of `g++` with `$CXX`
+    # those patches are added to `llamacppPatches`, and reapplied here in the patch phase
-    ./replace-gcc.patch
+    ./disable-git.patch
-
+  ] ++ llamacppPatches;
    # ollama's patches of llama.cpp's example server
    # `ollama/llm/generate/gen_common.sh` -> "apply temporary patches until fix is upstream"
    (preparePatch "01-cache.diff" "sha256-VDwu/iK6taBCyscpndQiOJ3eGqonnLVwmS2rJNMBVGU=")
    (preparePatch "02-cudaleaks.diff" "sha256-nxsWgrePUMsZBWWQAjqVHWMJPzr1owH1zSJvUU7Q5pA=")
    (preparePatch "03-load_exception.diff" "sha256-1DfNahFYYxqlx4E4pwMKQpL+XR0bibYnDFGt6dCL4TM=")
    (preparePatch "04-locale.diff" "sha256-r5nHiP6yN/rQObRu2FZIPBKpKP9yByyZ6sSI2SKj6Do=")
    (preparePatch "05-fix-clip-free.diff" "sha256-EFZ+QTtZCvstVxYgVdFKHsQqdkL98T0eXOEBOqCrlL4=")
  ];
  postPatch = ''
-    # use a patch from the nix store in the `go generate` script
+    # replace a hardcoded use of `g++` with `$CXX` so clang can be used on darwin
-    substituteInPlace llm/generate/gen_common.sh \
+    substituteInPlace llm/generate/gen_common.sh --replace-fail 'g++' '$CXX'
      --subst-var-by cmakeIncludePatch '${./cmake-include.patch}'
    # `ollama/llm/generate/gen_common.sh` -> "avoid duplicate main symbols when we link into the cgo binary"
    substituteInPlace llm/llama.cpp/examples/server/server.cpp \
      --replace-fail 'int main(' 'int __main('
    # replace inaccurate version number with actual release version
    substituteInPlace version/version.go --replace-fail 0.0.0 '${version}'
  '';
  preBuild = ''
    # disable uses of `git`, since nix removes the git directory
    export OLLAMA_SKIP_PATCHING=true
    # build llama.cpp libraries for ollama
    go generate ./...
@ -168,9 +169,10 @@ goBuild ((lib.optionalAttrs enableRocm {
  '' + lib.optionalString (enableRocm || enableCuda) ''
    # expose runtime libraries necessary to use the gpu
    mv "$out/bin/ollama" "$out/bin/.ollama-unwrapped"
-    makeWrapper "$out/bin/.ollama-unwrapped" "$out/bin/ollama" \
+    makeWrapper "$out/bin/.ollama-unwrapped" "$out/bin/ollama" ${
-      --suffix LD_LIBRARY_PATH : '/run/opengl-driver/lib:${lib.makeLibraryPath runtimeLibs}' '' + lib.optionalString enableRocm ''\
+      lib.optionalString enableRocm
-      --set-default HIP_PATH ${rocmPath}
+        ''--set-default HIP_PATH '${rocmPath}' ''} \
      --suffix LD_LIBRARY_PATH : '/run/opengl-driver/lib:${lib.makeLibraryPath runtimeLibs}'
  '';
  ldflags = [
@ -191,9 +193,9 @@ goBuild ((lib.optionalAttrs enableRocm {
  };
  meta = {
    changelog = "https://github.com/ollama/ollama/releases/tag/v${version}";
    description = "Get up and running with large language models locally";
-    homepage = "https://github.com/jmorganca/ollama";
+    homepage = "https://github.com/ollama/ollama";
    changelog = "https://github.com/ollama/ollama/releases/tag/v${version}";
    license = licenses.mit;
    platforms = platforms.unix;
    mainProgram = "ollama";
--- a/Show More
+++ b/Show More