Merge staging-next into staging

doc/builders/images.xml

@@ -11,4 +11,5 @@
  <xi:include href="images/snaptools.section.xml" />
  <xi:include href="images/portableservice.section.xml" />
  <xi:include href="images/makediskimage.section.xml" />
+ <xi:include href="images/binarycache.section.xml" />
 </chapter>

doc/builders/images/binarycache.section.md

@@ -0,0 +1,49 @@
+# pkgs.mkBinaryCache {#sec-pkgs-binary-cache}
+
+`pkgs.mkBinaryCache` is a function for creating Nix flat-file binary caches. Such a cache exists as a directory on disk, and can be used as a Nix substituter by passing `--substituter file:///path/to/cache` to Nix commands.
+
+Nix packages are most commonly shared between machines using [HTTP, SSH, or S3](https://nixos.org/manual/nix/stable/package-management/sharing-packages.html), but a flat-file binary cache can still be useful in some situations. For example, you can copy it directly to another machine, or make it available on a network file system. It can also be a convenient way to make some Nix packages available inside a container via bind-mounting.
+
+Note that this function is meant for advanced use-cases. The more idiomatic way to work with flat-file binary caches is via the [nix-copy-closure](https://nixos.org/manual/nix/stable/command-ref/nix-copy-closure.html) command. You may also want to consider [dockerTools](#sec-pkgs-dockerTools) for your containerization needs.
+
+## Example
+
+The following derivation will construct a flat-file binary cache containing the closure of `hello`.
+
+```nix
+mkBinaryCache {
+  rootPaths = [hello];
+}
+```
+
+- `rootPaths` specifies a list of root derivations. The transitive closure of these derivations' outputs will be copied into the cache.
+
+Here's an example of building and using the cache.
+
+Build the cache on one machine, `host1`:
+
+```shellSession
+nix-build -E 'with import <nixpkgs> {}; mkBinaryCache { rootPaths = [hello]; }'
+```
+
+```shellSession
+/nix/store/cc0562q828rnjqjyfj23d5q162gb424g-binary-cache
+```
+
+Copy the resulting directory to the other machine, `host2`:
+
+```shellSession
+scp result host2:/tmp/hello-cache
+```
+
+Substitute the derivation using the flat-file binary cache on the other machine, `host2`:
+```shellSession
+nix-build -A hello '<nixpkgs>' \
+  --option require-sigs false \
+  --option trusted-substituters file:///tmp/hello-cache \
+  --option substituters file:///tmp/hello-cache
+```
+
+```shellSession
+/nix/store/gl5a41azbpsadfkfmbilh9yk40dh5dl0-hello-2.12.1
+```

maintainers/maintainer-list.nix

@@ -16108,6 +16108,12 @@
     githubId = 2242427;
     name = "Yoann Ono";
   };
+  yajo = {
+    email = "yajo.sk8@gmail.com";
+    github = "yajo";
+    githubId = 973709;
+    name = "Jairo Llopis";
+  };
   yana = {
     email = "yana@riseup.net";
     github = "yanalunaterra";

nixos/tests/all-tests.nix

@@ -92,6 +92,7 @@ in {
   bcachefs = handleTestOn ["x86_64-linux" "aarch64-linux"] ./bcachefs.nix {};
   beanstalkd = handleTest ./beanstalkd.nix {};
   bees = handleTest ./bees.nix {};
+  binary-cache = handleTest ./binary-cache.nix {};
   bind = handleTest ./bind.nix {};
   bird = handleTest ./bird.nix {};
   bitcoind = handleTest ./bitcoind.nix {};

nixos/tests/binary-cache.nix

@@ -0,0 +1,62 @@
+import ./make-test-python.nix ({ lib, ... }:
+
+with lib;
+
+{
+  name = "binary-cache";
+  meta.maintainers = with maintainers; [ thomasjm ];
+
+  nodes.machine =
+    { pkgs, ... }: {
+      imports = [ ../modules/installer/cd-dvd/channel.nix ];
+      environment.systemPackages = with pkgs; [python3];
+      system.extraDependencies = with pkgs; [hello.inputDerivation];
+      nix.extraOptions = ''
+        experimental-features = nix-command
+      '';
+    };
+
+  testScript = ''
+    # Build the cache, then remove it from the store
+    cachePath = machine.succeed("nix-build --no-out-link -E 'with import <nixpkgs> {}; mkBinaryCache { rootPaths = [hello]; }'").strip()
+    machine.succeed("cp -r %s/. /tmp/cache" % cachePath)
+    machine.succeed("nix-store --delete " + cachePath)
+
+    # Sanity test of cache structure
+    status, stdout = machine.execute("ls /tmp/cache")
+    cache_files = stdout.split()
+    assert ("nix-cache-info" in cache_files)
+    assert ("nar" in cache_files)
+
+    # Nix store ping should work
+    machine.succeed("nix store ping --store file:///tmp/cache")
+
+    # Cache should contain a .narinfo referring to "hello"
+    grepLogs = machine.succeed("grep -l 'StorePath: /nix/store/[[:alnum:]]*-hello-.*' /tmp/cache/*.narinfo")
+
+    # Get the store path referenced by the .narinfo
+    narInfoFile = grepLogs.strip()
+    narInfoContents = machine.succeed("cat " + narInfoFile)
+    import re
+    match = re.match(r"^StorePath: (/nix/store/[a-z0-9]*-hello-.*)$", narInfoContents, re.MULTILINE)
+    if not match: raise Exception("Couldn't find hello store path in cache")
+    storePath = match[1]
+
+    # Delete the store path
+    machine.succeed("nix-store --delete " + storePath)
+    machine.succeed("[ ! -d %s ] || exit 1" % storePath)
+
+    # Should be able to build hello using the cache
+    logs = machine.succeed("nix-build -A hello '<nixpkgs>' --option require-sigs false --option trusted-substituters file:///tmp/cache --option substituters file:///tmp/cache 2>&1")
+    logLines = logs.split("\n")
+    if not "this path will be fetched" in logLines[0]: raise Exception("Unexpected first log line")
+    def shouldBe(got, desired):
+      if got != desired: raise Exception("Expected '%s' but got '%s'" % (desired, got))
+    shouldBe(logLines[1], "  " + storePath)
+    shouldBe(logLines[2], "copying path '%s' from 'file:///tmp/cache'..." % storePath)
+    shouldBe(logLines[3], storePath)
+
+    # Store path should exist in the store now
+    machine.succeed("[ -d %s ] || exit 1" % storePath)
+  '';
+})

pkgs/applications/audio/praat/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "praat";
-  version = "6.3.06";
+  version = "6.3.07";
 
   src = fetchFromGitHub {
     owner = "praat";
     repo = "praat";
     rev = "v${version}";
-    sha256 = "sha256-KwJ8ia1yQmmG+N44ipvGCbuoR2cL03STSTKzUwlDqms=";
+    sha256 = "sha256-hWR6mYD0vBJbX07D/HtFE9qwdbxMliHLCsNDXVYcm1Y=";
   };
 
   configurePhase = ''

pkgs/applications/audio/reaper/default.nix

@@ -23,13 +23,13 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "reaper";
-  version = "6.73";
+  version = "6.75";
 
   src = fetchurl {
     url = url_for_platform version stdenv.hostPlatform.qemuArch;
     hash = {
-      x86_64-linux = "sha256-omQ2XdL4C78BQRuYKy90QlMko2XYHoVhd4X0C+Zyp8E=";
-      aarch64-linux = "sha256-XHohznrfFMHHgif4iFrpXb0FNddYiBb0gB7ZznlU834=";
+      x86_64-linux = "sha256-wtXClHL+SeuLxMROaZKZOwYnLo6MXC7lAiwCj80X0Ck=";
+      aarch64-linux = "sha256-xCkAbKzXH7E1Ud6iGsnzgZT/2Sy6qpRItYUHFF6ggpQ=";
     }.${stdenv.hostPlatform.system};
   };
 

pkgs/applications/networking/browsers/ladybird/default.nix

@@ -10,28 +10,25 @@
 , nixosTests
 }:
 
-let serenity = fetchFromGitHub {
-  owner = "SerenityOS";
-  repo = "serenity";
-  rev = "a0f3e2c9a2b82117aa7c1a3444ad0d31baa070d5";
-  hash = "sha256-8Xde59ZfdkTD39mYSv0lfFjBHFDWTUwfozE+Q9Yq6C8=";
-};
-in
 stdenv.mkDerivation {
   pname = "ladybird";
-  version = "unstable-2022-09-29";
+  version = "unstable-2023-01-17";
 
-  # Remember to update `serenity` too!
   src = fetchFromGitHub {
     owner = "SerenityOS";
-    repo = "ladybird";
-    rev = "d69ad7332477de33bfd1963026e057d55c6f222d";
-    hash = "sha256-XQj2Bohk8F6dGCAManOmmDP5b/SqEeZXZbLDYPfvi2E=";
+    repo = "serenity";
+    rev = "45e85d20b64862df119f643f24e2d500c76c58f3";
+    hash = "sha256-n2mLg9wNfdMGsJuGj+ukjto9qYjGOIz4cZjgvMGQUrY=";
   };
 
+  sourceRoot = "source/Ladybird";
+
   postPatch = ''
     substituteInPlace CMakeLists.txt \
       --replace "MACOSX_BUNDLE TRUE" "MACOSX_BUNDLE FALSE"
+    # https://github.com/SerenityOS/serenity/issues/17062
+    substituteInPlace main.cpp \
+      --replace "./SQLServer/SQLServer" "$out/bin/SQLServer"
   '';
 
   nativeBuildInputs = [
@@ -47,17 +44,18 @@ stdenv.mkDerivation {
   ];
 
   cmakeFlags = [
-    "-DSERENITY_SOURCE_DIR=${serenity}"
     # Disable network operations
     "-DENABLE_TIME_ZONE_DATABASE_DOWNLOAD=false"
     "-DENABLE_UNICODE_DATABASE_DOWNLOAD=false"
   ];
 
-  # error: use of undeclared identifier 'aligned_alloc'
-  NIX_CFLAGS_COMPILE = toString (lib.optionals (stdenv.isDarwin && lib.versionOlder stdenv.targetPlatform.darwinSdkVersion "11.0") [
+  NIX_CFLAGS_COMPILE = [
+    "-Wno-error"
+  ] ++ lib.optionals (stdenv.isDarwin && lib.versionOlder stdenv.targetPlatform.darwinSdkVersion "11.0") [
+    # error: use of undeclared identifier 'aligned_alloc'
     "-include mm_malloc.h"
     "-Daligned_alloc=_mm_malloc"
-  ]);
+  ];
 
   # https://github.com/NixOS/nixpkgs/issues/201254
   NIX_LDFLAGS = lib.optionalString (stdenv.isLinux && stdenv.isAarch64 && stdenv.cc.isGNU) "-lgcc";

pkgs/applications/networking/cluster/glooctl/default.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "glooctl";
-  version = "1.13.5";
+  version = "1.13.6";
 
   src = fetchFromGitHub {
     owner = "solo-io";
     repo = "gloo";
     rev = "v${version}";
-    hash = "sha256-mBmjGP7O1uX+uVM4/us4RWeJcXB1lSEvZQWT/3Ygzik=";
+    hash = "sha256-CBWKKW5VIkRgl7wY63OCm/CowWHO389se3kEraqaDCI=";
   };
 
   subPackages = [ "projects/gloo/cli/cmd" ];

pkgs/applications/networking/cluster/k3s/1_23/0001-script-download-strip-downloading-just-package-CRD.patch

@@ -1,41 +0,0 @@
-From 6f53bd36a40da4c71486e3b79f6e32d53d6eea5d Mon Sep 17 00:00:00 2001
-From: Euan Kemp <euank@euank.com>
-Date: Thu, 3 Feb 2022 23:50:40 -0800
-Subject: [PATCH 2/2] scrips/download: strip downloading, just package CRD
-
-The CRD packaging is a complicated set of commands, so let's reuse it.
----
- scripts/download | 10 ++--------
- 1 file changed, 2 insertions(+), 8 deletions(-)
-
-diff --git a/scripts/download b/scripts/download
-index 5effc0562a..82361803ee 100755
---- a/scripts/download
-+++ b/scripts/download
-@@ -24,12 +24,6 @@ rm -rf ${CONTAINERD_DIR}
- mkdir -p ${CHARTS_DIR}
- mkdir -p ${DATA_DIR}
- 
--curl --compressed -sfL https://github.com/k3s-io/k3s-root/releases/download/${VERSION_ROOT}/k3s-root-${ARCH}.tar | tar xf - --exclude=bin/socat
--
--git clone --single-branch --branch=${VERSION_RUNC} --depth=1 https://github.com/opencontainers/runc ${RUNC_DIR}
--
--git clone --single-branch --branch=${VERSION_CONTAINERD} --depth=1 https://github.com/k3s-io/containerd ${CONTAINERD_DIR}
--
- setup_tmp() {
-     TMP_DIR=$(mktemp -d --tmpdir=${CHARTS_DIR})
-     cleanup() {
-@@ -44,8 +38,8 @@ setup_tmp() {
- 
- download_and_package_traefik () {
-   echo "Downloading Traefik Helm chart from ${TRAEFIK_URL}"
--  curl -sfL ${TRAEFIK_URL} -o ${TMP_DIR}/${TRAEFIK_FILE}
--  code=$?
-+  # nixpkgs: copy in our known traefik chart instead
-+  cp $TRAEFIK_CHART_FILE ${TMP_DIR}/${TRAEFIK_FILE}
- 
-   if [ $code -ne 0 ]; then
-     echo "Error: Failed to download Traefik Helm chart!"
--- 
-2.34.1
-

pkgs/applications/networking/cluster/k3s/1_23/chart-versions.nix

@@ -0,0 +1,10 @@
+{
+    traefik-crd  = {
+        url = "https://k3s.io/k3s-charts/assets/traefik-crd/traefik-crd-20.3.1+up20.3.0.tgz";
+        sha256 = "1775vjldvqvhzdbzanxhbaqbmkih09yb91im651q8bc7z5sb9ckn";
+    };
+    traefik = {
+        url = "https://k3s.io/k3s-charts/assets/traefik/traefik-20.3.1+up20.3.0.tgz";
+        sha256 = "1rj0f0n0vgjcbzfwzhqmsd501i2f6vw145w9plbp8gwdyzmg2nc6";
+    };
+}

pkgs/applications/networking/cluster/k3s/1_23/default.nix

@@ -48,30 +48,32 @@ with lib;
 # Those pieces of software we entirely ignore upstream's handling of, and just
 # make sure they're in the path if desired.
 let
-  k3sVersion = "1.23.6+k3s1";     # k3s git tag
-  k3sCommit = "418c3fa858b69b12b9cefbcff0526f666a6236b9"; # k3s git commit at the above version
-  k3sRepoSha256 = "0fmw491dn5mpi058mr7sij51i5m4qg2grx30cnl3h2v4s0sdkx2i";
-  k3sVendorSha256 = "sha256-iHg5ySMaiSWXs98YGmxPwdZr4zdBIFma12dNEuf30Hs=";
+  k3sVersion = "1.23.16+k3s1";     # k3s git tag
+  k3sCommit = "64b0feeb36c2a26976a364a110f23ebcf971f976"; # k3s git commit at the above version
+  k3sRepoSha256 = "sha256-H6aaYa5OYAaD5hjSi8+RNXiP1zhRZCgKXQA6eU7AWBk=";
+  k3sVendorSha256 = "sha256-+xygljXp27NahsHSgoigMANBQCRwGFYwGHQEwlI9YsQ=";
 
-  # taken from ./manifests/traefik.yaml, extracted from '.spec.chart' https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/download#L9
-  # The 'patch' and 'minor' versions are currently hardcoded as single digits only, so ignore the trailing two digits. Weird, I know.
-  traefikChartVersion = "10.19.3";
-  traefikChartSha256 = "04zg5li957svgscdmkzmzjkwljaljyav68rzxmhakkwgav6q9058";
+  # Based on the traefik charts here: https://github.com/k3s-io/k3s/blob/v1.23.16%2Bk3s1/scripts/download#L29-L32
+  # see also https://github.com/k3s-io/k3s/blob/v1.23.16%2Bk3s1/manifests/traefik.yaml#L8-L16
+  # At the time of writing, there are two traefik charts, and that's it
+  charts = import ./chart-versions.nix;
 
-  # taken from ./scripts/version.sh VERSION_ROOT https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/version.sh#L47
-  k3sRootVersion = "0.11.0";
-  k3sRootSha256 = "016n56vi09xkvjph7wgzb2m86mhd5x65fs4d11pmh20hl249r620";
+  # taken from ./scripts/version.sh VERSION_ROOT https://github.com/k3s-io/k3s/blob/v1.23.16%2Bk3s1/scripts/version.sh#L54
+  k3sRootVersion = "0.12.1";
+  k3sRootSha256 = "sha256-xCXbarWztnvW2xn3cGa84hie3OevVZeGEDWh+Uf3RBw=";
 
-  # taken from ./scripts/version.sh VERSION_CNIPLUGINS https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/version.sh#L45
-  k3sCNIVersion = "1.0.1-k3s1";
-  k3sCNISha256 = "11ihlzzdnqf9p21y0a4ckpbxac016nm7746dcykhj26ym9zxyv92";
+  # taken from ./scripts/version.sh VERSION_CNIPLUGINS https://github.com/k3s-io/k3s/blob/v1.23.16%2Bk3s1/scripts/version.sh#L47
+  k3sCNIVersion = "1.1.1-k3s1";
+  k3sCNISha256 = "sha256-1Br7s+iMtfiPjM0EcNPuFdSlp9dVPjSG1UGuiPUfq5I=";
 
   # taken from go.mod, the 'github.com/containerd/containerd' line
   # run `grep github.com/containerd/containerd go.mod | head -n1 | awk '{print $4}'`
-  containerdVersion = "1.5.11-k3s2";
-  containerdSha256 = "16132snvrg8r0vwm6c0lz0q6fx686s2ix53nm3aka9a83xs75vf2";
+  # https://github.com/k3s-io/k3s/blob/v1.23.16%2Bk3s1/go.mod#L9
+  containerdVersion = "1.5.16-k3s2-1-22";
+  containerdSha256 = "sha256-PRrp05Jgx368Ox4hTC66lbCInWuex0OtAuCY4l8geqA=";
 
   # run `grep github.com/kubernetes-sigs/cri-tools go.mod | head -n1 | awk '{print $4}'` in the k3s repo at the tag
+  # https://github.com/k3s-io/k3s/blob/v1.23.16%2Bk3s1/go.mod#L19
   criCtlVersion = "1.22.0-k3s1";
 
   baseMeta = k3s.meta;
@@ -94,10 +96,9 @@ let
   ];
 
   # bundled into the k3s binary
-  traefikChart = fetchurl {
-    url = "https://helm.traefik.io/traefik/traefik-${traefikChartVersion}.tgz";
-    sha256 = traefikChartSha256;
-  };
+  traefikChart = fetchurl charts.traefik;
+  traefik-crdChart = fetchurl charts.traefik-crd;
+
   # so, k3s is a complicated thing to package
   # This derivation attempts to avoid including any random binaries from the
   # internet. k3s-root is _mostly_ binaries built to be bundled in k3s (which
@@ -181,12 +182,13 @@ let
     postInstall = ''
       mv $out/bin/server $out/bin/k3s
       pushd $out
-      # taken verbatim from https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/build#L105-L113
+      # taken verbatim from https://github.com/k3s-io/k3s/blob/v1.23.16%2Bk3s1/scripts/build#L123-L131
       ln -s k3s ./bin/k3s-agent
       ln -s k3s ./bin/k3s-server
       ln -s k3s ./bin/k3s-etcd-snapshot
       ln -s k3s ./bin/k3s-secrets-encrypt
       ln -s k3s ./bin/k3s-certificate
+      ln -s k3s ./bin/k3s-completion
       ln -s k3s ./bin/kubectl
       ln -s k3s ./bin/crictl
       ln -s k3s ./bin/ctr
@@ -219,10 +221,6 @@ buildGoModule rec {
   src = k3sRepo;
   vendorSha256 = k3sVendorSha256;
 
-  patches = [
-    ./0001-script-download-strip-downloading-just-package-CRD.patch
-  ];
-
   postPatch = ''
     # Nix prefers dynamically linked binaries over static binary.
 
@@ -290,11 +288,9 @@ buildGoModule rec {
     ln -vsf ${k3sContainerd}/bin/* ./bin/
     rsync -a --no-perms --chmod u=rwX ${k3sRoot}/etc/ ./etc/
     mkdir -p ./build/static/charts
-    # Note, upstream's chart has a 00 suffix. This seems to not matter though, so we're ignoring that naming detail.
-    export TRAEFIK_CHART_FILE=${traefikChart}
-    # place the traefik chart using their code since it's complicated
-    # We trim the actual download, see patches
-    ./scripts/download
+
+    cp ${traefikChart} ./build/static/charts
+    cp ${traefik-crdChart} ./build/static/charts
 
     export ARCH=$GOARCH
     export DRONE_TAG="v${k3sVersion}"

pkgs/applications/networking/cluster/k3s/1_26/default.nix

@@ -75,7 +75,7 @@ let
     description = "A lightweight Kubernetes distribution";
     license = licenses.asl20;
     homepage = "https://k3s.io";
-    maintainers = with maintainers; [ euank mic92 superherointj ];
+    maintainers = with maintainers; [ euank mic92 superherointj yajo ];
     platforms = platforms.linux;
   };
 

pkgs/build-support/binary-cache/default.nix

@@ -0,0 +1,40 @@
+{ stdenv, buildPackages }:
+
+# This function is for creating a flat-file binary cache, i.e. the kind created by
+# nix copy --to file:///some/path and usable as a substituter (with the file:// prefix).
+
+# For example, in the Nixpkgs repo:
+# nix-build -E 'with import ./. {}; mkBinaryCache { rootPaths = [hello]; }'
+
+{ name ? "binary-cache"
+, rootPaths
+}:
+
+stdenv.mkDerivation {
+  inherit name;
+
+  __structuredAttrs = true;
+
+  exportReferencesGraph.closure = rootPaths;
+
+  preferLocalBuild = true;
+
+  PATH = "${buildPackages.coreutils}/bin:${buildPackages.jq}/bin:${buildPackages.python3}/bin:${buildPackages.nix}/bin:${buildPackages.xz}/bin";
+
+  builder = builtins.toFile "builder" ''
+    . .attrs.sh
+
+    export out=''${outputs[out]}
+
+    mkdir $out
+    mkdir $out/nar
+
+    python ${./make-binary-cache.py}
+
+    # These directories must exist, or Nix might try to create them in LocalBinaryCacheStore::init(),
+    # which fails if mounted read-only
+    mkdir $out/realisations
+    mkdir $out/debuginfo
+    mkdir $out/log
+  '';
+}

pkgs/build-support/binary-cache/make-binary-cache.py

@@ -0,0 +1,43 @@
+
+import json
+import os
+import subprocess
+
+with open(".attrs.json", "r") as f:
+  closures = json.load(f)["closure"]
+
+os.chdir(os.environ["out"])
+
+nixPrefix = os.environ["NIX_STORE"] # Usually /nix/store
+
+with open("nix-cache-info", "w") as f:
+  f.write("StoreDir: " + nixPrefix + "\n")
+
+def dropPrefix(path):
+  return path[len(nixPrefix + "/"):]
+
+for item in closures:
+  narInfoHash = dropPrefix(item["path"]).split("-")[0]
+
+  xzFile = "nar/" + narInfoHash + ".nar.xz"
+  with open(xzFile, "w") as f:
+    subprocess.run("nix-store --dump %s | xz -c" % item["path"], stdout=f, shell=True)
+
+  fileHash = subprocess.run(["nix-hash", "--base32", "--type", "sha256", item["path"]], capture_output=True).stdout.decode().strip()
+  fileSize = os.path.getsize(xzFile)
+
+  # Rename the .nar.xz file to its own hash to match "nix copy" behavior
+  finalXzFile = "nar/" + fileHash + ".nar.xz"
+  os.rename(xzFile, finalXzFile)
+
+  with open(narInfoHash + ".narinfo", "w") as f:
+    f.writelines((x + "\n" for x in [
+      "StorePath: " + item["path"],
+      "URL: " + finalXzFile,
+      "Compression: xz",
+      "FileHash: sha256:" + fileHash,
+      "FileSize: " + str(fileSize),
+      "NarHash: " + item["narHash"],
+      "NarSize: " + str(item["narSize"]),
+      "References: " + " ".join(dropPrefix(ref) for ref in item["references"]),
+    ]))

pkgs/development/interpreters/python/default.nix

@@ -196,9 +196,9 @@ in {
       major = "3";
       minor = "12";
       patch = "0";
-      suffix = "a3";
+      suffix = "a5";
     };
-    sha256 = "sha256-G2SzB14KkkGXTlgOCbCckRehxOK+aYA5IB7x2Kc0U9E=";
+    sha256 = "sha256-1m73o0L+OjVvnO47uXrcHl+0hA9rbP994P991JX4Mjs=";
     inherit (darwin) configd;
     inherit passthruFun;
   };

pkgs/development/libraries/ldb/default.nix

@@ -16,11 +16,11 @@
 
 stdenv.mkDerivation rec {
   pname = "ldb";
-  version = "2.3.0";
+  version = "2.6.1";
 
   src = fetchurl {
     url = "mirror://samba/ldb/${pname}-${version}.tar.gz";
-    sha256 = "0bcjj4gv48ddg44wyxpsvrs26xry6yy9x9k16qgz0bljs2rhilx4";
+    sha256 = "sha256-RnQD9334Z4LDlluxdUQLqi7XUan+uVYBlL2MBr8XNsk=";
   };
 
   outputs = [ "out" "dev" ];
@@ -44,6 +44,13 @@ stdenv.mkDerivation rec {
     cmocka
   ];
 
+  # otherwise the configure script fails with
+  # PYTHONHASHSEED=1 missing! Don't use waf directly, use ./configure and make!
+  preConfigure = ''
+    export PKGCONFIG="$PKG_CONFIG"
+    export PYTHONHASHSEED=1
+  '';
+
   wafPath = "buildtools/bin/waf";
 
   wafConfigureFlags = [

pkgs/development/libraries/talloc/default.nix

@@ -13,11 +13,11 @@
 
 stdenv.mkDerivation rec {
   pname = "talloc";
-  version = "2.3.3";
+  version = "2.3.4";
 
   src = fetchurl {
     url = "mirror://samba/talloc/${pname}-${version}.tar.gz";
-    sha256 = "sha256-a+lbI2i9CvHEzXqIFG62zuoY5Gw//JMwv2JitA0diqo=";
+    sha256 = "sha256-F5+eviZeZ+SrLCbK0rfeS2p3xsIS+WaQM4KGnwa+ZQU=";
   };
 
   nativeBuildInputs = [
@@ -37,6 +37,13 @@ stdenv.mkDerivation rec {
     libxcrypt
   ];
 
+  # otherwise the configure script fails with
+  # PYTHONHASHSEED=1 missing! Don't use waf directly, use ./configure and make!
+  preConfigure = ''
+    export PKGCONFIG="$PKG_CONFIG"
+    export PYTHONHASHSEED=1
+  '';
+
   wafPath = "buildtools/bin/waf";
 
   wafConfigureFlags = [

pkgs/development/libraries/tdb/default.nix

@@ -12,11 +12,11 @@
 
 stdenv.mkDerivation rec {
   pname = "tdb";
-  version = "1.4.6";
+  version = "1.4.7";
 
   src = fetchurl {
     url = "mirror://samba/tdb/${pname}-${version}.tar.gz";
-    sha256 = "sha256-1okr2L7+BKd2QqHdVuSoeTSb8c9bLAv1+4QQYZON7ws=";
+    sha256 = "sha256-pPsWje9TPzH/LAf32YRLsxMeZ5nwlOvnfQOArcmHwg4=";
   };
 
   nativeBuildInputs = [
@@ -34,6 +34,13 @@ stdenv.mkDerivation rec {
     libxcrypt
   ];
 
+  # otherwise the configure script fails with
+  # PYTHONHASHSEED=1 missing! Don't use waf directly, use ./configure and make!
+  preConfigure = ''
+    export PKGCONFIG="$PKG_CONFIG"
+    export PYTHONHASHSEED=1
+  '';
+
   wafPath = "buildtools/bin/waf";
 
   wafConfigureFlags = [

pkgs/development/libraries/tevent/default.nix

@@ -2,6 +2,7 @@
 , fetchurl
 , python3
 , pkg-config
+, cmocka
 , readline
 , talloc
 , libxslt
@@ -13,11 +14,11 @@
 
 stdenv.mkDerivation rec {
   pname = "tevent";
-  version = "0.10.2";
+  version = "0.13.0";
 
   src = fetchurl {
     url = "mirror://samba/tevent/${pname}-${version}.tar.gz";
-    sha256 = "15k6i8ad5lpxfjsjyq9h64zlyws8d3cm0vwdnaw8z1xjwli7hhpq";
+    sha256 = "sha256-uUN6kX+lU0Q2G+tk7J4AQumcroh5iCpi3Tj2q+I3HQw=";
   };
 
   nativeBuildInputs = [
@@ -32,10 +33,18 @@ stdenv.mkDerivation rec {
 
   buildInputs = [
     python3
+    cmocka
     readline # required to build python
     talloc
   ];
 
+  # otherwise the configure script fails with
+  # PYTHONHASHSEED=1 missing! Don't use waf directly, use ./configure and make!
+  preConfigure = ''
+    export PKGCONFIG="$PKG_CONFIG"
+    export PYTHONHASHSEED=1
+  '';
+
   wafPath = "buildtools/bin/waf";
 
   wafConfigureFlags = [

pkgs/development/mobile/androidenv/ndk-bundle/default.nix

@@ -49,7 +49,7 @@ deployAndroidPackage {
     done
 
     # Patch executables
-    if [ -d prebuild/linux-x86_64 ]; then
+    if [ -d prebuilt/linux-x86_64 ]; then
         autoPatchelf prebuilt/linux-x86_64
     fi
 

pkgs/development/python-modules/gbulb/default.nix

@@ -10,13 +10,13 @@
 
 buildPythonPackage rec {
   pname = "gbulb";
-  version = "0.6.3";
+  version = "0.6.4";
 
   src = fetchFromGitHub {
     owner = "beeware";
     repo = "gbulb";
-    rev = "v${version}";
-    sha256 = "sha256-QNpZf1zfe6r6MtmYMWSrXPsXm5iX36oMx4GnXiTYPaQ=";
+    rev = "refs/tags/v${version}";
+    sha256 = "sha256-AdZSvxix0cpoFQSrslGl+hB/s6Nh0EsWMQmXZAJVJOg=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/google-cloud-error-reporting/default.nix

@@ -14,14 +14,14 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-error-reporting";
-  version = "1.8.1";
+  version = "1.8.2";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-Xl+Jc05daQZPh4xggf/JYYlJ5Lx6LafqWhMcVdk/r6o=";
+    hash = "sha256-bwl1gWLux5LJMZIS/tJFMhHs1LcaDVCTgNrke6ASiBI=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/karton-asciimagic/default.nix

@@ -3,30 +3,39 @@
 , fetchFromGitHub
 , karton-core
 , unittestCheckHook
+, pythonOlder
 }:
 
 buildPythonPackage rec {
   pname = "karton-asciimagic";
   version = "1.2.0";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
 
   src = fetchFromGitHub {
     owner = "CERT-Polska";
     repo = pname;
-    rev = "v${version}";
-    sha256 = "sha256-sY5ik9efzLBa6Fbh17Vh4q7PlwOGYjuodU9yvp/8E3k=";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-sY5ik9efzLBa6Fbh17Vh4q7PlwOGYjuodU9yvp/8E3k=";
   };
 
   propagatedBuildInputs = [
     karton-core
   ];
 
-  nativeCheckInputs = [ unittestCheckHook ];
+  nativeCheckInputs = [
+    unittestCheckHook
+  ];
 
-  pythonImportsCheck = [ "karton.asciimagic" ];
+  pythonImportsCheck = [
+    "karton.asciimagic"
+  ];
 
   meta = with lib; {
     description = "Decoders for ascii-encoded executables for the Karton framework";
     homepage = "https://github.com/CERT-Polska/karton-asciimagic";
+    changelog = "https://github.com/CERT-Polska/karton-asciimagic/releases/tag/v${version}";
     license = with licenses; [ bsd3 ];
     maintainers = with maintainers; [ fab ];
   };

pkgs/development/python-modules/karton-autoit-ripper/default.nix

@@ -18,8 +18,8 @@ buildPythonPackage rec {
   src = fetchFromGitHub {
     owner = "CERT-Polska";
     repo = pname;
-    rev = "v${version}";
-    sha256 = "sha256-D+M3JsIN8LUWg8GVweEzySHI7KaBb6cNHHn4pXoq55M=";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-D+M3JsIN8LUWg8GVweEzySHI7KaBb6cNHHn4pXoq55M=";
   };
 
   propagatedBuildInputs = [
@@ -46,6 +46,7 @@ buildPythonPackage rec {
   meta = with lib; {
     description = "AutoIt script ripper for Karton framework";
     homepage = "https://github.com/CERT-Polska/karton-autoit-ripper";
+    changelog = "https://github.com/CERT-Polska/karton-autoit-ripper/releases/tag/v${version}";
     license = with licenses; [ bsd3 ];
     maintainers = with maintainers; [ fab ];
   };

pkgs/development/python-modules/karton-classifier/default.nix

@@ -18,7 +18,7 @@ buildPythonPackage rec {
   src = fetchFromGitHub {
     owner = "CERT-Polska";
     repo = pname;
-    rev = "v${version}";
+    rev = "refs/tags/v${version}";
     hash = "sha256-TRmAin0TAOIwR5EBMwTOJ9QaHO+mOx/eAjgqvyQZDj4=";
   };
 
@@ -51,6 +51,7 @@ buildPythonPackage rec {
   meta = with lib; {
     description = "File type classifier for the Karton framework";
     homepage = "https://github.com/CERT-Polska/karton-classifier";
+    changelog = "https://github.com/CERT-Polska/karton-classifier/releases/tag/v${version}";
     license = with licenses; [ bsd3 ];
     maintainers = with maintainers; [ fab ];
   };

pkgs/development/python-modules/karton-config-extractor/default.nix

@@ -16,8 +16,8 @@ buildPythonPackage rec {
   src = fetchFromGitHub {
     owner = "CERT-Polska";
     repo = pname;
-    rev = "v${version}";
-    sha256 = "sha256-ep69Rrm8Ek0lkgctz6vDAZ1MZ8kWKZSyIvMMAmzTngA=";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-ep69Rrm8Ek0lkgctz6vDAZ1MZ8kWKZSyIvMMAmzTngA=";
   };
 
   propagatedBuildInputs = [
@@ -40,6 +40,7 @@ buildPythonPackage rec {
   meta = with lib; {
     description = "Static configuration extractor for the Karton framework";
     homepage = "https://github.com/CERT-Polska/karton-config-extractor";
+    changelog = "https://github.com/CERT-Polska/karton-config-extractor/releases/tag/v${version}";
     license = with licenses; [ bsd3 ];
     maintainers = with maintainers; [ fab ];
   };

pkgs/development/python-modules/karton-core/default.nix

@@ -3,12 +3,16 @@
 , buildPythonPackage
 , fetchFromGitHub
 , unittestCheckHook
+, pythonOlder
 , redis
 }:
 
 buildPythonPackage rec {
   pname = "karton-core";
   version = "5.0.1";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
 
   src = fetchFromGitHub {
     owner = "CERT-Polska";
@@ -22,7 +26,9 @@ buildPythonPackage rec {
     redis
   ];
 
-  nativeCheckInputs = [ unittestCheckHook ];
+  nativeCheckInputs = [
+    unittestCheckHook
+  ];
 
   pythonImportsCheck = [
     "karton.core"
@@ -31,6 +37,7 @@ buildPythonPackage rec {
   meta = with lib; {
     description = "Distributed malware processing framework";
     homepage = "https://karton-core.readthedocs.io/";
+    changelog = "https://github.com/CERT-Polska/karton/releases/tag/v${version}";
     license = licenses.bsd3;
     maintainers = with maintainers; [ chivay fab ];
   };

pkgs/development/python-modules/karton-dashboard/default.nix

@@ -53,6 +53,7 @@ buildPythonPackage rec {
   meta = with lib; {
     description = "Web application that allows for Karton task and queue introspection";
     homepage = "https://github.com/CERT-Polska/karton-dashboard";
+    changelog = "https://github.com/CERT-Polska/karton-dashboard/releases/tag/v${version}";
     license = with licenses; [ bsd3 ];
     maintainers = with maintainers; [ fab ];
   };

pkgs/development/python-modules/karton-mwdb-reporter/default.nix

@@ -16,7 +16,7 @@ buildPythonPackage rec {
   src = fetchFromGitHub {
     owner = "CERT-Polska";
     repo = pname;
-    rev = "v${version}";
+    rev = "refs/tags/v${version}";
     hash = "sha256-QVxczXT74Xt0AtCSDm4nhIK4qtHQ6bqmVNb/CALZSE4=";
   };
 
@@ -35,6 +35,7 @@ buildPythonPackage rec {
   meta = with lib; {
     description = "Karton service that uploads analyzed artifacts and metadata to MWDB Core";
     homepage = "https://github.com/CERT-Polska/karton-mwdb-reporter";
+    changelog = "https://github.com/CERT-Polska/karton-mwdb-reporter/releases/tag/v${version}";
     license = with licenses; [ bsd3 ];
     maintainers = with maintainers; [ fab ];
   };

pkgs/development/python-modules/karton-yaramatcher/default.nix

@@ -3,18 +3,22 @@
 , fetchFromGitHub
 , karton-core
 , unittestCheckHook
+, pythonOlder
 , yara-python
 }:
 
 buildPythonPackage rec {
   pname = "karton-yaramatcher";
   version = "1.2.0";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
 
   src = fetchFromGitHub {
     owner = "CERT-Polska";
     repo = pname;
-    rev = "v${version}";
-    sha256 = "sha256-ulWwPXbjqQXwSRi8MFdcx7vC7P19yu66Ll8jkuTesao=";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-ulWwPXbjqQXwSRi8MFdcx7vC7P19yu66Ll8jkuTesao=";
   };
 
   propagatedBuildInputs = [
@@ -22,13 +26,18 @@ buildPythonPackage rec {
     yara-python
   ];
 
-  nativeCheckInputs = [ unittestCheckHook ];
+  nativeCheckInputs = [
+    unittestCheckHook
+  ];
 
-  pythonImportsCheck = [ "karton.yaramatcher" ];
+  pythonImportsCheck = [
+    "karton.yaramatcher"
+  ];
 
   meta = with lib; {
     description = "File and analysis artifacts yara matcher for the Karton framework";
     homepage = "https://github.com/CERT-Polska/karton-yaramatcher";
+    changelog = "https://github.com/CERT-Polska/karton-yaramatcher/releases/tag/v${version}";
     license = with licenses; [ bsd3 ];
     maintainers = with maintainers; [ fab ];
   };

pkgs/development/python-modules/nomadnet/default.nix

@@ -10,7 +10,7 @@
 
 buildPythonPackage rec {
   pname = "nomadnet";
-  version = "0.3.2";
+  version = "0.3.3";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
@@ -19,7 +19,7 @@ buildPythonPackage rec {
     owner = "markqvist";
     repo = "NomadNet";
     rev = "refs/tags/${version}";
-    hash = "sha256-QIme76Y7rhPCooazX+pr5ETbAmShVHZ9polJ964NLFg=";
+    hash = "sha256-7EiAvWYhYJ7S/quME6B4Iw5nw+xOnL7PMCWXLPx0O+4=";
   };
 
   propagatedBuildInputs = [

pkgs/development/tools/continuous-integration/dagger/default.nix

@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "dagger";
-  version = "0.3.10";
+  version = "0.3.12";
 
   src = fetchFromGitHub {
     owner = "dagger";
     repo = "dagger";
     rev = "v${version}";
-    hash = "sha256-/JbKnDjC3C0mF4WHOmmvblrr/e1MhOws3Q/oXZCgdEM=";
+    hash = "sha256-70qN5cZb0EjBPE5xpeKUv46JD+B8rYaDejAfaqC0Y4M=";
   };
 
-  vendorHash = "sha256-wufztmiOwgY0Q6x9oMrJo28JGx8iprC1gr9zZjSWwuw=";
+  vendorHash = "sha256-9a5W8+tQ5rhtq4uul84AtxcKOc25lfe7bMpgbhRT9/Y=";
   proxyVendor = true;
 
   subPackages = [

pkgs/development/tools/gosec/default.nix

@@ -5,16 +5,16 @@
 
 buildGoModule rec {
   pname = "gosec";
-  version = "2.14.0";
+  version = "2.15.0";
 
   src = fetchFromGitHub {
     owner = "securego";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-OPMXU24INpdeQrNlRIPJBag6TtHFFIdxlBTfMgRZc2U=";
+    sha256 = "sha256-GB+BAGIVPtyY2Bsm/yDTYjJixLGvGwsIoOLCyy/0AJk=";
   };
 
-  vendorSha256 = "sha256-F/wtDYPF4qUujU+fJx2v9uwlkxQ1LMPECKxHR4EB1zk=";
+  vendorHash = "sha256-5LIIXf+8ZN7WcFSPzsJ5Tt+d40AgF5YI3O1oXms1WgI=";
 
   subPackages = [
     "cmd/gosec"

pkgs/development/tools/micronaut/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "micronaut";
-  version = "3.8.3";
+  version = "3.8.4";
 
   src = fetchzip {
     url = "https://github.com/micronaut-projects/micronaut-starter/releases/download/v${version}/micronaut-cli-${version}.zip";
-    sha256 = "sha256-IrgypySq5RUi9X3pVC0t+Ezw7aNu8mIKZYY4CEaKhU4=";
+    sha256 = "sha256-PbTuhJ+l3s+vwo5Y93GpQIah71zah5aFgV/pBSyJDKY=";
   };
 
   nativeBuildInputs = [ makeWrapper installShellFiles ];

pkgs/development/web/grails/default.nix

@@ -11,11 +11,11 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "grails";
-  version = "5.2.5";
+  version = "5.3.0";
 
   src = fetchurl {
     url = "https://github.com/grails/grails-core/releases/download/v${version}/grails-${version}.zip";
-    sha256 = "sha256-RI1O10kObIaEjOuUFuAchjIgjrNDKmwRY0+Vep6UT54=";
+    sha256 = "sha256-0Ow3G0QbKXQSpjLf371CYNxC3XoO5sv1SQD4MlHeOQ4=";
   };
 
   nativeBuildInputs = [ unzip ];

pkgs/games/chessx/default.nix

@@ -12,11 +12,11 @@
 
 mkDerivation rec {
   pname = "chessx";
-  version = "1.5.7";
+  version = "1.5.8";
 
   src = fetchurl {
     url = "mirror://sourceforge/chessx/chessx-${version}.tgz";
-    sha256 = "sha256-wadIO3iNvj8LgIzExHTmeXxXnWOI+ViLrdhAlzZ79Jw=";
+    sha256 = "sha256-ev+tK1CHLFt/RvmzyPVZ2c0nxfRwwb9ke7uTmm7REaM=";
   };
 
   nativeBuildInputs = [

pkgs/os-specific/linux/nvidia-x11/default.nix

@@ -25,11 +25,11 @@ rec {
   stable = if stdenv.hostPlatform.system == "i686-linux" then legacy_390 else latest;
 
   production = generic {
-    version = "525.85.05";
-    sha256_64bit = "sha256-6mO0JTQDsiS7cxOol3qSDf6dID1mHdX2/CZYWnAXkUA=";
-    openSha256 = "sha256-iI41eex/pQhWdQwk9qc9AlnVYcO0HRA9ISoqNdVKN7g=";
-    settingsSha256 = "sha256-ck6ra8y8nn5kA3L9/VcRR2W2RaWvfVbgBiOh2dRJr/8=";
-    persistencedSha256 = "sha256-dt/Tqxp7ZfnbLel9BavjWDoEdLJvdJRwFjTFOBYYKLI=";
+    version = "525.89.02";
+    sha256_64bit = "sha256-DkEsiMW9mPhCqDmm9kYU8g5MCVDvfP+xKxWKcWM1k+k=";
+    openSha256 = "sha256-MP9ir0Fuodar239r3PbqVxIHd0vHvpDj8Rw55TeFtZM=";
+    settingsSha256 = "sha256-7rHaJWm0XHJXsKL8VnU9XT15t/DU8jdsCXQwQT+KaV0=";
+    persistencedSha256 = "sha256-4AmOL6b3GKCjGs6bRDpQAkEG4n41X395znyQF1x9VEs=";
   };
 
   latest = selectHighestVersion production (generic {

pkgs/servers/matrix-synapse/matrix-appservice-irc/default.nix

@@ -9,16 +9,16 @@
 
 buildNpmPackage rec {
   pname = "matrix-appservice-irc";
-  version = "0.36.0";
+  version = "0.37.0";
 
   src = fetchFromGitHub {
     owner = "matrix-org";
     repo = "matrix-appservice-irc";
     rev = "refs/tags/${version}";
-    hash = "sha256-8/jLONqf+0JRAK/SLj3qlG6Dm0VRl4h6YWeZnz4pVXc=";
+    hash = "sha256-krF/eUyGHB4M3sQVaBh7+OaHnM/g9XVaBa8gizPkLKE=";
   };
 
-  npmDepsHash = "sha256-fGft7au5js9DRoXYccBPdJyaZ3zfsuCwUwWPOxwAodo=";
+  npmDepsHash = "sha256-VkVpFt3cwnBkN0AGDaE5Bd6xINGL6XugZ4TBsDONWCg=";
 
   nativeBuildInputs = [
     python3

pkgs/servers/samba/4.x.nix

@@ -20,9 +20,12 @@
 , gnutls
 , systemd
 , samba
+, talloc
 , jansson
+, ldb
 , libtasn1
 , tdb
+, tevent
 , libxcrypt
 , cmocka
 , rpcsvc-proto
@@ -100,8 +103,11 @@ stdenv.mkDerivation rec {
     libarchive
     zlib
     gnutls
+    ldb
+    talloc
     libtasn1
     tdb
+    tevent
     libxcrypt
   ] ++ optionals stdenv.isLinux [ liburing systemd ]
     ++ optionals stdenv.isDarwin [ libiconv ]
@@ -143,6 +149,7 @@ stdenv.mkDerivation rec {
   ++ optionals (!enableLDAP) [
     "--without-ldap"
     "--without-ads"
+    "--bundled-libraries=!ldb,!pyldb-util!talloc,!pytalloc-util,!tevent,!tdb,!pytdb"
   ] ++ optional enableLibunwind "--with-libunwind"
     ++ optional enableProfiling "--with-profiling-data"
     ++ optional (!enableAcl) "--without-acl-support"

pkgs/tools/misc/broot/default.nix

@@ -15,16 +15,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "broot";
-  version = "1.20.0";
+  version = "1.20.1";
 
   src = fetchFromGitHub {
     owner = "Canop";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-+bOdUjBMxYT4qbZ8g5l0pDZJhXaeuYVygb13sx7mg28=";
+    hash = "sha256-W8B4e8x9IoINR4NSm8jVBqXZbe1T/4z3RVmNrLVzV1M=";
   };
 
-  cargoHash = "sha256-r/oj5ZgBjJXowFa95GKPACruH3bnPHjjyaSRewogXHQ=";
+  cargoHash = "sha256-XEvIqzSkusOv+boNZbTRxXVN566SduNDcZSkomJRMsk=";
 
   nativeBuildInputs = [
     installShellFiles

pkgs/tools/misc/nb/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "nb";
-  version = "7.3.0";
+  version = "7.4.1";
 
   src = fetchFromGitHub {
     owner = "xwmx";
     repo = "nb";
     rev = version;
-    sha256 = "sha256-R5B49648X9UP2al4VRRAl/T9clgvCztYxpbDHwQmDM8=";
+    sha256 = "sha256-5QuNv6sRr/pfw0Vk+jfSjpowWfsD4kh7c2YoEEuUeKE=";
   };
 
   nativeBuildInputs = [ installShellFiles ];

pkgs/tools/networking/drill/default.nix

@@ -9,16 +9,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "drill";
-  version = "0.8.1";
+  version = "0.8.2";
 
   src = fetchFromGitHub {
     owner = "fcsonline";
     repo = pname;
     rev = version;
-    sha256 = "sha256-J4zg5mAZ/xXKxBbEYYZRNjlbyUD/SDD/LSu43FrCbBE=";
+    sha256 = "sha256-x+ljh96RkmZQBPxUcXwcYQhRQAxMB8YOAsdg3aiht+U=";
   };
 
-  cargoSha256 = "sha256-N0Rj6n8mQHZR4/4m1FHcqCKDqG7GeVxUs2XN0oxQVqQ=";
+  cargoHash = "sha256-GPa3gfqY3fiBI75+hLlqnR1+vUUWCxkracOdR6SsJFk=";
 
   nativeBuildInputs = lib.optionals stdenv.isLinux [
     pkg-config

pkgs/tools/networking/tinyfecvpn/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "tinyfecvpn";
-  version = "20210116.0";
+  version = "20230206.0";
 
   src = fetchFromGitHub {
     owner = "wangyu-";
     repo = pname;
     rev = version;
-    sha256 = "sha256-Ng5AZJfrnNXSSbhJKBc+giNp2yOWta0EozWHB7lFUmw=";
+    sha256 = "sha256-g4dduREH64TDK3Y2PKc5RZiISW4h2ALRh8vQK7jvCZU=";
     fetchSubmodules = true;
   };
 

pkgs/tools/networking/xrootd/default.nix

@@ -24,14 +24,14 @@
 
 stdenv.mkDerivation rec {
   pname = "xrootd";
-  version = "5.5.1";
+  version = "5.5.2";
 
   src = fetchFromGitHub {
     owner = "xrootd";
     repo = "xrootd";
     rev = "v${version}";
     fetchSubmodules = true;
-    hash = "sha256-PaLT3+5FucPnWLStWxtBBqTKs8hvogKMrZteSNY+xXI=";
+    hash = "sha256-2zVCOcjL8TUbo38Dx7W8431ziouzuAdCfogsIMSOOmQ=";
   };
 
   outputs = [ "bin" "out" "dev" "man" ];

pkgs/tools/package-management/repro-get/default.nix

@@ -0,0 +1,73 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+, installShellFiles
+, testers
+, repro-get
+, cacert
+}:
+
+buildGoModule rec {
+  pname = "repro-get";
+  version = "0.2.1";
+
+  src = fetchFromGitHub {
+    owner = "reproducible-containers";
+    repo = "repro-get";
+    rev = "v${version}";
+    sha256 = "sha256-3cvKHwAyPYwR5VlhpPJH+3BK9Kw7dTGOPN1q2RnwsG0=";
+  };
+
+  vendorSha256 = "sha256-ebvtPc0QiP7fNiWYjd7iLG/4iH4DqWV/eaDHvmV/H3Y=";
+
+  nativeBuildInputs = [ installShellFiles ];
+
+  # The pkg/version test requires internet access, so disable it here and run it
+  # in passthru.pkg-version
+  preCheck = ''
+    rm -rf pkg/version
+  '';
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X github.com/reproducible-containers/${pname}/pkg/version.Version=v${version}"
+  ];
+
+  postInstall = ''
+    installShellCompletion --cmd repro-get \
+      --bash <($out/bin/repro-get completion bash) \
+      --fish <($out/bin/repro-get completion fish) \
+      --zsh <($out/bin/repro-get completion zsh)
+  '';
+
+  passthru.tests = {
+    "pkg-version" = repro-get.overrideAttrs (old: {
+      # see invalidateFetcherByDrvHash
+      name = "${repro-get.pname}-${builtins.unsafeDiscardStringContext (lib.substring 0 12 (baseNameOf repro-get.drvPath))}";
+      subPackages = [ "pkg/version" ];
+      installPhase = ''
+        rm -rf $out
+        touch $out
+      '';
+      preCheck = "";
+      outputHash = "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=";
+      outputHashAlgo = "sha256";
+      outputHashMode = "flat";
+      outputs = [ "out" ];
+      nativeBuildInputs = old.nativeBuildInputs ++ [ cacert ];
+    });
+    version = testers.testVersion {
+      package = repro-get;
+      command = "HOME=$(mktemp -d) repro-get -v";
+      inherit version;
+    };
+  };
+
+  meta = with lib; {
+    description = "Reproducible apt/dnf/apk/pacman, with content-addressing";
+    homepage = "https://github.com/reproducible-containers/repro-get";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ matthewcroughan ];
+  };
+}

pkgs/tools/package-management/reuse/default.nix

@@ -2,14 +2,14 @@
 
 python3Packages.buildPythonApplication rec {
   pname = "reuse";
-  version = "1.1.0";
+  version = "1.1.1";
   format = "pyproject";
 
   src = fetchFromGitHub {
     owner = "fsfe";
     repo = "reuse-tool";
-    rev = "v${version}";
-    hash = "sha256-bjUDImMFwMhRjCa7XzGlqR8h+KfTsyxonrQlRGgApwo=";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-4L5VQtjpJ1P95S3vkbgLYTO/lTFReGiSAVuWSwh14i4=";
   };
 
   nativeBuildInputs = with python3Packages; [

pkgs/tools/security/ffuf/default.nix

@@ -10,8 +10,8 @@ buildGoModule rec {
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
-    rev = "v${version}";
-    sha256 = "sha256-TfPglATKQ3RIGODcIpSRL6FjbLyCjDzbi70jTLKYlLk=";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-TfPglATKQ3RIGODcIpSRL6FjbLyCjDzbi70jTLKYlLk=";
   };
 
   vendorHash = "sha256-nqv45e1W7MA8ElsJ7b4XWs26OicJ7IXmh93+wkueZg4=";
@@ -24,6 +24,7 @@ buildGoModule rec {
       or web servers.
     '';
     homepage = "https://github.com/ffuf/ffuf";
+    changelog = "https://github.com/ffuf/ffuf/releases/tag/v${version}";
     license = licenses.mit;
     maintainers = with maintainers; [ fab ];
   };

pkgs/tools/system/htop/default.nix

@@ -11,13 +11,13 @@ assert systemdSupport -> stdenv.isLinux;
 
 stdenv.mkDerivation rec {
   pname = "htop";
-  version = "3.2.1";
+  version = "3.2.2";
 
   src = fetchFromGitHub {
     owner = "htop-dev";
     repo = pname;
     rev = version;
-    sha256 = "sha256-MwtsvdPHcUdegsYj9NGyded5XJQxXri1IM1j4gef1Xk=";
+    sha256 = "sha256-OrlNE1A71q4XAauYNfumV1Ev1wBpFIBxPiw7aF++yjM=";
   };
 
   nativeBuildInputs = [ autoreconfHook ]

pkgs/tools/text/mdbook-katex/default.nix

@@ -2,14 +2,14 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "mdbook-katex";
-  version = "0.3.4";
+  version = "0.3.7";
 
   src = fetchCrate {
     inherit pname version;
-    hash = "sha256-Bc9nUY2XyNlgOI436omg885Qm0BtqcrFsJz6qr2Zhys=";
+    hash = "sha256-DZ+5rYRHS5m4Alw6/Ak98UH2FD3EPBGDtB+vD0v8EMk=";
   };
 
-  cargoHash = "sha256-pH5ZN6bTjstrSTv0hdOoyWAdRLRjALarML3ZVoYvGRI=";
+  cargoHash = "sha256-i6u7kriLFgMSJDfA6JRjTLc3Oi8GfHjE7wEJbTLnMN8=";
 
   OPENSSL_DIR = "${lib.getDev openssl}";
   OPENSSL_LIB_DIR = "${lib.getLib openssl}/lib";

pkgs/top-level/all-packages.nix

@@ -1033,6 +1033,8 @@ with pkgs;
       inherit kernel firmware rootModules allowMissing;
     };
 
+  mkBinaryCache = callPackage ../build-support/binary-cache { };
+
   mkShell = callPackage ../build-support/mkshell { };
   mkShellNoCC = mkShell.override { stdenv = stdenvNoCC; };
 
@@ -25163,6 +25165,8 @@ with pkgs;
 
   reproxy = callPackage ../servers/reproxy { };
 
+  repro-get = callPackage ../tools/package-management/repro-get { };
+
   restic = callPackage ../tools/backup/restic { };
 
   restic-rest-server = callPackage ../tools/backup/restic/rest-server.nix { };