Merge staging-next into staging

nixos/doc/manual/from_md/release-notes/rl-2205.section.xml

@@ -167,6 +167,16 @@
           using this default will print a warning when rebuilt.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          The option
+          <link linkend="opt-services.ssh.enableAskPassword">services.ssh.enableAskPassword</link>
+          was added, decoupling the setting of
+          <literal>SSH_ASKPASS</literal> from
+          <literal>services.xserver.enable</literal>. This allows easy
+          usage in non-X11 environments, e.g. Wayland.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
 </section>

nixos/doc/manual/release-notes/rl-2205.section.md

@@ -68,3 +68,9 @@ In addition to numerous new and upgraded packages, this release has the followin
 
 - The `services.unifi.openPorts` option default value of `true` is now deprecated and will be changed to `false` in 22.11.
   Configurations using this default will print a warning when rebuilt.
+
+- The option
+  [services.ssh.enableAskPassword](#opt-services.ssh.enableAskPassword) was
+  added, decoupling the setting of `SSH_ASKPASS` from
+  `services.xserver.enable`. This allows easy usage in non-X11 environments,
+  e.g. Wayland.

nixos/modules/programs/ssh.nix

@@ -33,6 +33,13 @@ in
 
     programs.ssh = {
 
+      enableAskPassword = mkOption {
+        type = types.bool;
+        default = config.services.xserver.enable;
+        defaultText = literalExpression "config.services.xserver.enable";
+        description = "Whether to configure SSH_ASKPASS in the environment.";
+      };
+
       askPassword = mkOption {
         type = types.str;
         default = "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass";
@@ -287,7 +294,7 @@ in
         # Allow ssh-agent to ask for confirmation. This requires the
         # unit to know about the user's $DISPLAY (via ‘systemctl
         # import-environment’).
-        environment.SSH_ASKPASS = optionalString config.services.xserver.enable askPasswordWrapper;
+        environment.SSH_ASKPASS = optionalString cfg.enableAskPassword askPasswordWrapper;
         environment.DISPLAY = "fake"; # required to make ssh-agent start $SSH_ASKPASS
       };
 
@@ -298,7 +305,7 @@ in
         fi
       '';
 
-    environment.variables.SSH_ASKPASS = optionalString config.services.xserver.enable askPassword;
+    environment.variables.SSH_ASKPASS = optionalString cfg.enableAskPassword askPassword;
 
   };
 }

pkgs/applications/networking/instant-messengers/psi-plus/default.nix

@@ -4,6 +4,7 @@
 , cmake
 , qtbase
 , qtmultimedia
+, qtimageformats
 , qtx11extras
 , qttools
 , libidn
@@ -67,6 +68,7 @@ mkDerivation rec {
   buildInputs = [
     qtbase
     qtmultimedia
+    qtimageformats
     qtx11extras
     libidn
     qca-qt5

pkgs/data/icons/luna-icons/default.nix

@@ -9,13 +9,13 @@
 
 stdenv.mkDerivation rec {
   pname = "luna-icons";
-  version = "1.7";
+  version = "1.8";
 
   src = fetchFromGitHub {
     owner = "darkomarko42";
     repo = pname;
     rev = version;
-    sha256 = "sha256-L8bkO2zGEXfwqoWZRDCm/PdBxwedkx57kduwlMoyAME=";
+    sha256 = "1c317ac43ff70sxn1syx20qhs4nkccv6hbf69fmi3acswqsll1z4";
   };
 
   nativeBuildInputs = [

pkgs/development/libraries/amdvlk/default.nix

@@ -1,6 +1,7 @@
 { stdenv
 , lib
 , fetchRepoProject
+, writeScript
 , cmake
 , ninja
 , patchelf
@@ -21,17 +22,18 @@ let
 
 in stdenv.mkDerivation rec {
   pname = "amdvlk";
-  version = "2021.Q4.1";
+  version = "2021.Q4.2";
 
   src = fetchRepoProject {
     name = "${pname}-src";
     manifest = "https://github.com/GPUOpen-Drivers/AMDVLK.git";
     rev = "refs/tags/v-${version}";
-    sha256 = "sha256-yvpHLreBNhiSxnZis5+XcTOSZPRLq5K8YNJsjpYqD6s=";
+    sha256 = "DpylZjIqWmCnUI0lEvd/HQcY+lr8asMurt1K9MI3qQw=";
   };
 
   buildInputs = [
     expat
+    libdrm
     ncurses
     openssl
     wayland
@@ -66,16 +68,36 @@ in stdenv.mkDerivation rec {
   cmakeDir = "../drivers/xgl";
 
   installPhase = ''
+    runHook preInstall
+
     install -Dm755 -t $out/lib icd/amdvlk${suffix}.so
     install -Dm644 -t $out/share/vulkan/icd.d icd/amd_icd${suffix}.json
     install -Dm644 -t $out/share/vulkan/implicit_layer.d icd/amd_icd${suffix}.json
 
     patchelf --set-rpath "$rpath" $out/lib/amdvlk${suffix}.so
+
+    runHook postInstall
   '';
 
   # Keep the rpath, otherwise vulkaninfo and vkcube segfault
   dontPatchELF = true;
 
+  passthru.updateScript = writeScript "update.sh" ''
+    #!/usr/bin/env nix-shell
+    #!nix-shell -i bash -p coreutils curl gnused jq common-updater-scripts
+
+    function setHash() {
+      sed -i "pkgs/development/libraries/amdvlk/default.nix" -e 's,sha256 = "[^.'"'"']*",sha256 = "'"$1"'",'
+    }
+
+    version="$(curl -sL "https://api.github.com/repos/GPUOpen-Drivers/AMDVLK/releases?per_page=1" | jq '.[0].tag_name | split("-") | .[1]' --raw-output)"
+    sed -i "pkgs/development/libraries/amdvlk/default.nix" -e 's/version = "[^.'"'"']*"/version = "'"$version"'"/'
+
+    setHash "$(nix-instantiate --eval -A lib.fakeSha256 | xargs echo)"
+    hash="$(nix to-base64 $(nix-build -A amdvlk 2>&1 | tail -n3 | grep 'got:' | cut -d: -f2- | xargs echo || true))"
+    setHash "$hash"
+  '';
+
   meta = with lib; {
     description = "AMD Open Source Driver For Vulkan";
     homepage = "https://github.com/GPUOpen-Drivers/AMDVLK";

pkgs/development/libraries/gtk/2.x.nix

@@ -4,7 +4,7 @@
 , cupsSupport ? config.gtk2.cups or stdenv.isLinux, cups
 , gdktarget ? if stdenv.isDarwin then "quartz" else "x11"
 , AppKit, Cocoa
-, fetchpatch
+, fetchpatch, buildPackages
 }:
 
 with lib;
@@ -38,6 +38,7 @@ stdenv.mkDerivation rec {
     gtkCleanImmodulesCache
   ];
 
+
   nativeBuildInputs = setupHooks ++ [ perl pkg-config gettext gobject-introspection ];
 
   patches = [
@@ -72,6 +73,9 @@ stdenv.mkDerivation rec {
     "--disable-glibtest"
     "--disable-introspection"
     "--disable-visibility"
+  ] ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
+    "ac_cv_path_GTK_UPDATE_ICON_CACHE=${buildPackages.gtk2}/bin/gtk-update-icon-cache"
+    "ac_cv_path_GDK_PIXBUF_CSOURCE=${buildPackages.gdk-pixbuf.dev}/bin/gdk-pixbuf-csource"
   ];
 
   doCheck = false; # needs X11

pkgs/development/python-modules/pywizlight/default.nix

@@ -10,7 +10,7 @@
 
 buildPythonPackage rec {
   pname = "pywizlight";
-  version = "0.4.15";
+  version = "0.4.16";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
@@ -19,7 +19,7 @@ buildPythonPackage rec {
     owner = "sbidy";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-Ud6/aLvAWqTcvCJTiprkj9yG6DXdDOPzFEr+T0/qnBw=";
+    sha256 = "sha256-Da5hkmzGJtfqiDPV9X02opv54Ry6sGiSbDnej9a2QDA=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/tensorflow/default.nix

@@ -6,13 +6,13 @@
 , numpy, tensorflow-tensorboard, absl-py
 , setuptools, wheel, keras, keras-preprocessing, google-pasta
 , opt-einsum, astunparse, h5py
-, termcolor, grpcio, six, wrapt, protobuf, tensorflow-estimator
+, termcolor, grpcio, six, wrapt, protobuf-python, tensorflow-estimator
 , dill, flatbuffers-python, tblib, typing-extensions
 # Common deps
 , git, pybind11, which, binutils, glibcLocales, cython, perl
 # Common libraries
 , jemalloc, mpi, gast, grpc, sqlite, boringssl, jsoncpp
-, curl, snappy, flatbuffers-core, lmdb-core, icu, double-conversion, libpng, libjpeg_turbo, giflib
+, curl, snappy, flatbuffers-core, lmdb-core, icu, double-conversion, libpng, libjpeg_turbo, giflib, protobuf-core
 # Upsteam by default includes cuda support since tensorflow 1.15. We could do
 # that in nix as well. It would make some things easier and less confusing, but
 # it would also make the default tensorflow package unfree. See
@@ -90,7 +90,7 @@ let
       keras-preprocessing
       numpy
       opt-einsum
-      protobuf
+      protobuf-python
       setuptools
       six
       tblib
@@ -188,11 +188,16 @@ let
       sha256 = "sha256-n7jRDPeXsyq4pEWSWmOCas4c8VsArIKlCuwvSU/Ro/c=";
     };
 
+    patches = [
+      # Patch the sources to compile with protobuf >= 3.16.
+      ./system-protobuf.patch
+    ];
+
     # On update, it can be useful to steal the changes from gentoo
     # https://gitweb.gentoo.org/repo/gentoo.git/tree/sci-libs/tensorflow
 
     nativeBuildInputs = [
-      which pythonEnv cython perl
+      which pythonEnv cython perl protobuf-core
     ] ++ lib.optional cudaSupport addOpenGLRunpath;
 
     buildInputs = [
@@ -241,12 +246,7 @@ let
       # "com_github_googleapis_googleapis"
       # "com_github_googlecloudplatform_google_cloud_cpp"
       "com_github_grpc_grpc"
-      # Multiple issues with custom protobuf.
+      "com_google_protobuf"
-      # First `com_github_googleapis` fails to configure. Can be worked around by disabling `com_github_googleapis`
-      # and related functionality, but then the next error is about "dangling symbolic link", and in general
-      # looks like that's only the beginning: see
-      # https://stackoverflow.com/questions/55578884/how-to-build-tensorflow-1-13-1-with-custom-protobuf
-      # "com_google_protobuf"
       # Fails with the error: external/org_tensorflow/tensorflow/core/profiler/utils/tf_op_utils.cc:46:49: error: no matching function for call to 're2::RE2::FullMatch(absl::lts_2020_02_25::string_view&, re2::RE2&)'
       # "com_googlesource_code_re2"
       "curl"
@@ -281,6 +281,11 @@ let
 
     INCLUDEDIR = "${includes_joined}/include";
 
+    # This is needed for the Nix-provided protobuf dependency to work,
+    # as otherwise the rule `link_proto_files` tries to create the links
+    # to `/usr/include/...` which results in build failures.
+    PROTOBUF_INCLUDE_PATH = "${protobuf-core}/include";
+
     PYTHON_BIN_PATH = pythonEnv.interpreter;
 
     TF_NEED_GCP = true;
@@ -356,12 +361,12 @@ let
     fetchAttrs = {
       # cudaSupport causes fetch of ncclArchive, resulting in different hashes
       sha256 = if cudaSupport then
-        "sha256-GIBs1BAUuefwlavu7dr9rFb4n1A3uwnvvCAvsBnSSqQ="
+        "sha256-+szc2mRoImwijzbj3nw6HmZp3DeRjjPRU5yC+5AEbkg="
       else
         if stdenv.isDarwin then
-          "sha256-156eOnnjk+wzIiGLd6k/+SAgm4AyImsV/qBsHFlxe+k="
+          "sha256-+bwIzp6t7gRJPcI8B5oyuf9z0AjCAyggUR7x+vv5kFs="
         else
-          "sha256-Fj/wWapsre55VctJ1k1kcYKAn3uDCMPN5rVX8y76ypM=";
+          "sha256-5yOYmeGpJq4Chi55H7iblxyRXVktgnePtpYTPvBs538=";
     };
 
     buildAttrs = {
@@ -454,7 +459,7 @@ in buildPythonPackage {
     keras-preprocessing
     numpy
     opt-einsum
-    protobuf
+    protobuf-python
     six
     tblib
     tensorflow-estimator

pkgs/development/python-modules/tensorflow/system-protobuf.patch

@@ -0,0 +1,13 @@
+diff --git a/tensorflow/core/kernels/example_parsing_ops.cc b/tensorflow/core/kernels/example_parsing_ops.cc
+index a1265cfb5c6..ada919bbd7b 100644
+--- a/tensorflow/core/kernels/example_parsing_ops.cc
++++ b/tensorflow/core/kernels/example_parsing_ops.cc
+@@ -1218,7 +1218,7 @@ class DecodeJSONExampleOp : public OpKernel {
+           resolver_.get(), "type.googleapis.com/tensorflow.Example", &in, &out);
+       OP_REQUIRES(ctx, status.ok(),
+                   errors::InvalidArgument("Error while parsing JSON: ",
+-                                          string(status.error_message())));
++                                          string(status.message())));
+     }
+   }
+ 

pkgs/development/tools/analysis/checkov/default.nix

@@ -46,13 +46,13 @@ with py.pkgs;
 
 buildPythonApplication rec {
   pname = "checkov";
-  version = "2.0.668";
+  version = "2.0.672";
 
   src = fetchFromGitHub {
     owner = "bridgecrewio";
     repo = pname;
     rev = version;
-    sha256 = "sha256-kCqhNxqI+9F9nQvZDOYjC2Bb5a1x4a9b9aqvDe/siP0=";
+    sha256 = "sha256-bxJQYCAQnSOaXXczvLxdpMzlBAehgctwMNvItR6FsgM=";
   };
 
   nativeBuildInputs = with py.pkgs; [

pkgs/development/tools/gosec/default.nix

@@ -5,16 +5,16 @@
 
 buildGoModule rec {
   pname = "gosec";
-  version = "2.9.3";
+  version = "2.9.5";
 
   src = fetchFromGitHub {
     owner = "securego";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-WjHNiFfa0YXuRq/FfWcamBwAVqRqLv9Qf+vy74rsCS4=";
+    sha256 = "sha256-YXAUDICQhZFeafP/wezd+dLpXpd7waz3wUCVCwVb12I=";
   };
 
-  vendorSha256 = "sha256-X2qxoq6bCQJH0B/jq670WWuTkDEurFI+Zx/5bcvXtVY=";
+  vendorSha256 = "sha256-Mob8XxTALtuG9q7gMWKvp1k2cUDKI0QHAeXfQK47NDo=";
 
   subPackages = [
     "cmd/gosec"

pkgs/tools/security/grype/default.nix

@@ -6,16 +6,16 @@
 
 buildGoModule rec {
   pname = "grype";
-  version = "0.26.1";
+  version = "0.27.3";
 
   src = fetchFromGitHub {
     owner = "anchore";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-B+b+Fb5nUBLSGeZ+ZUpvcZ+jOIotskXEPFoaQ48ob34=";
+    sha256 = "sha256-W1HP+bzsLY8SaZQK+H33mibM7lfxoGnKnOvsStwzv4E=";
   };
 
-  vendorSha256 = "sha256-w4mN9O5FKZNCksS8OwF3Ty9c1V552MAbMhqisQDK9GY=";
+  vendorSha256 = "sha256-IwEQkdspSjdlm4siwhaBZsIaRz8oKKG6d6PAK1MvHlw=";
 
   propagatedBuildInputs = [ docker ];
 

pkgs/tools/security/log4j-sniffer/default.nix

@@ -0,0 +1,36 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+, git
+}:
+
+buildGoModule rec {
+  pname = "log4j-sniffer";
+  version = "0.7.0";
+
+  src = fetchFromGitHub {
+    owner = "palantir";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-5KoZ0QiHqyy0Zn1K0kLCYAaszD6hkng260WYSeZN0Ac=";
+  };
+
+  vendorSha256 = null;
+
+  checkInputs = [
+    git
+  ];
+
+  preCheck = ''
+    export HOME=$(mktemp -d);
+    cd $HOME
+    git init
+  '';
+
+  meta = with lib; {
+    description = "Tool that scans archives to check for vulnerable log4j versions";
+    homepage = "https://github.com/palantir/log4j-sniffer";
+    license = with licenses; [ asl20 ];
+    maintainers = with maintainers; [ fab ];
+  };
+}

pkgs/tools/system/stress-ng/default.nix

@@ -1,14 +1,16 @@
-{ lib, stdenv, fetchurl
+{ lib, stdenv, fetchFromGitHub
 , attr, judy, keyutils, libaio, libapparmor, libbsd, libcap, libgcrypt, lksctp-tools, zlib
 }:
 
 stdenv.mkDerivation rec {
   pname = "stress-ng";
-  version = "0.13.03";
+  version = "0.13.08";
 
-  src = fetchurl {
+  src = fetchFromGitHub {
-    url = "https://kernel.ubuntu.com/~cking/tarballs/${pname}/${pname}-${version}.tar.xz";
+    owner = "ColinIanKing";
-    sha256 = "sha256-PmDWBeN42GqFkaMNblV77XCdgqWxlhY3gALNj/ADeos=";
+    repo = pname;
+    rev = "V${version}";
+    sha256 = "sha256-LHGtx7H8Cv9ZM5hRNrC1mjsl1k9lNx/5k7V8lqvJ7yw=";
   };
 
   postPatch = ''
@@ -62,9 +64,9 @@ stdenv.mkDerivation rec {
       hardware. However, it has never been intended to be used as a precise benchmark
       test suite, so do NOT use it in this manner.
     '';
-    homepage = "https://kernel.ubuntu.com/~cking/stress-ng/";
+    homepage = "https://github.com/ColinIanKing/stress-ng";
-    downloadPage = "https://kernel.ubuntu.com/~cking/tarballs/stress-ng/";
+    downloadPage = "https://github.com/ColinIanKing/stress-ng/tags";
-    changelog = "https://kernel.ubuntu.com/git/cking/stress-ng.git/plain/debian/changelog?h=V${version}";
+    changelog = "https://github.com/ColinIanKing/stress-ng/raw/V${version}/debian/changelog";
     license = licenses.gpl2Plus;
     maintainers = with maintainers; [ c0bw3b ];
     platforms = platforms.unix;

pkgs/top-level/all-packages.nix

@@ -7490,6 +7490,8 @@ with pkgs;
 
   log4j-scan = callPackage ../tools/security/log4j-scan { };
 
+  log4j-sniffer = callPackage ../tools/security/log4j-sniffer { };
+
   log4j-vuln-scanner = callPackage ../tools/security/log4j-vuln-scanner { };
 
   log4jcheck = callPackage ../tools/security/log4jcheck { };

pkgs/top-level/python-packages.nix

@@ -9407,6 +9407,8 @@ in {
     inherit (pkgs.darwin.apple_sdk.frameworks) Foundation Security;
     flatbuffers-core = pkgs.flatbuffers;
     flatbuffers-python = self.flatbuffers;
+    protobuf-core = pkgs.protobuf;
+    protobuf-python = self.protobuf;
     lmdb-core = pkgs.lmdb;
   };