Merge staging-next into staging

doc/contributing/submitting-changes.chapter.md

@@ -96,7 +96,7 @@ We use jbidwatcher as an example for a discontinued project here.
 
 1. Have Nixpkgs checked out locally and up to date.
 1. Create a new branch for your change, e.g. `git checkout -b jbidwatcher`
-1. Remove the actual package including its directory, e.g. `rm -rf pkgs/applications/misc/jbidwatcher`
+1. Remove the actual package including its directory, e.g. `git rm -rf pkgs/applications/misc/jbidwatcher`
 1. Remove the package from the list of all packages (`pkgs/top-level/all-packages.nix`).
 1. Add an alias for the package name in `pkgs/top-level/aliases.nix` (There is also `pkgs/applications/editors/vim/plugins/aliases.nix`. Package sets typically do not have aliases, so we can't add them there.)
 

nixos/modules/hardware/all-firmware.nix

@@ -72,7 +72,7 @@ in {
     })
     (mkIf cfg.enableAllFirmware {
       assertions = [{
-        assertion = !cfg.enableAllFirmware || (config.nixpkgs.config.allowUnfree or false);
+        assertion = !cfg.enableAllFirmware || config.nixpkgs.config.allowUnfree;
         message = ''
           the list of hardware.enableAllFirmware contains non-redistributable licensed firmware files.
             This requires nixpkgs.config.allowUnfree to be true.

nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix

@@ -33,7 +33,7 @@ let
     netbootxyz = if cfg.netbootxyz.enable then pkgs.netbootxyz-efi else "";
 
     copyExtraFiles = pkgs.writeShellScript "copy-extra-files" ''
-      empty_file=$(mktemp)
+      empty_file=$(${pkgs.coreutils}/bin/mktemp)
 
       ${concatStrings (mapAttrsToList (n: v: ''
         ${pkgs.coreutils}/bin/install -Dp "${v}" "${efi.efiSysMountPoint}/"${escapeShellArg n}

nixos/modules/system/boot/stage-1-init.sh

@@ -318,11 +318,7 @@ checkFS() {
 
     echo "checking $device..."
 
-    fsckFlags=
-    if test "$fsType" != "btrfs"; then
-        fsckFlags="-V -a"
-    fi
-    fsck $fsckFlags "$device"
+    fsck -V -a "$device"
     fsckResult=$?
 
     if test $(($fsckResult | 2)) = $fsckResult; then

nixos/release-combined.nix

@@ -132,12 +132,14 @@ in rec {
         # fails with kernel >= 5.15 https://github.com/NixOS/nixpkgs/pull/152505#issuecomment-1005049314
         #(onFullSupported "nixos.tests.nfs3.simple")
         (onFullSupported "nixos.tests.nfs4.simple")
+        (onSystems ["x86_64-linux"] "nixos.tests.oci-containers.podman")
         (onFullSupported "nixos.tests.openssh")
         (onFullSupported "nixos.tests.pantheon")
         (onFullSupported "nixos.tests.php.fpm")
         (onFullSupported "nixos.tests.php.httpd")
         (onFullSupported "nixos.tests.php.pcre")
         (onFullSupported "nixos.tests.plasma5")
+        (onSystems ["x86_64-linux"] "nixos.tests.podman")
         (onFullSupported "nixos.tests.predictable-interface-names.predictableNetworkd")
         (onFullSupported "nixos.tests.predictable-interface-names.predictable")
         (onFullSupported "nixos.tests.predictable-interface-names.unpredictableNetworkd")

pkgs/applications/audio/plexamp/default.nix

@@ -2,12 +2,12 @@
 
 let
   pname = "plexamp";
-  version = "4.2.0";
+  version = "4.2.1";
 
   src = fetchurl {
     url = "https://plexamp.plex.tv/plexamp.plex.tv/desktop/Plexamp-${version}.AppImage";
     name="${pname}-${version}.AppImage";
-    sha512 = "yIdZoKTJJEpUzEqvixQ7JJBxzrtCRov31dGBDOjMiK/oA2q00Xo6XVDvAhYuIn6ocZqK+I5jHfmf4qYaRePDvg==";
+    sha512 = "S2/T+T24X6D0oTbGPMp2BVfWTvzsUCWS1xsigLT/vFr12PlZgPfOWgo987W3YE30WJJDdybLqnkTl+uhNndC+A==";
   };
 
   appimageContents = appimageTools.extractType2 {
@@ -33,7 +33,7 @@ in appimageTools.wrapType2 {
   meta = with lib; {
     description = "A beautiful Plex music player for audiophiles, curators, and hipsters";
     homepage = "https://plexamp.com/";
-    changelog = "https://forums.plex.tv/t/plexamp-release-notes/221280/43";
+    changelog = "https://forums.plex.tv/t/plexamp-release-notes/221280/44";
     license = licenses.unfree;
     maintainers = with maintainers; [ killercup synthetica ];
     platforms = [ "x86_64-linux" ];

pkgs/applications/gis/qgis/unwrapped-ltr.nix

@@ -69,14 +69,14 @@ let
     six
   ];
 in mkDerivation rec {
-  version = "3.22.5";
+  version = "3.22.6";
   pname = "qgis-ltr-unwrapped";
 
   src = fetchFromGitHub {
     owner = "qgis";
     repo = "QGIS";
     rev = "final-${lib.replaceStrings [ "." ] [ "_" ] version}";
-    sha256 = "sha256-G7ckAj0vb6030L2gL11+e5pp0OK1NxwECQ295B9sI4o=";
+    sha256 = "sha256-ACNEIU+kYmOa+/1nbFPTSDgyvviXqKP9kvL6aRykueY=";
   };
 
   passthru = {

pkgs/applications/gis/qgis/unwrapped.nix

@@ -69,14 +69,14 @@ let
     six
   ];
 in mkDerivation rec {
-  version = "3.24.1";
+  version = "3.24.2";
   pname = "qgis-unwrapped";
 
   src = fetchFromGitHub {
     owner = "qgis";
     repo = "QGIS";
     rev = "final-${lib.replaceStrings [ "." ] [ "_" ] version}";
-    sha256 = "sha256-3dAwFR7L6NNDkDqNg9MzOJOGh1CDEJfckwo72dQECDg=";
+    sha256 = "sha256-skoepsX9xREqN5SoA4eUN7LKa6KGvixPd5k0KKXzKJo=";
   };
 
   passthru = {

pkgs/applications/networking/browsers/firefox/common.nix

@@ -19,7 +19,6 @@
 
 { lib
 , stdenv
-, fetchpatch
 
 # build time
 , autoconf
@@ -178,14 +177,6 @@ buildStdenv.mkDerivation ({
   ];
 
   patches = [
-    (fetchpatch {
-      # RDD Sandbox paths for NixOS, remove with Firefox>=100
-      # https://hg.mozilla.org/integration/autoland/rev/5ac6a69a01f47ca050d90704a9791b8224d30f14
-      # https://bugzilla.mozilla.org/show_bug.cgi?id=1761692
-      name = "mozbz-1761692-rdd-sandbox-paths.patch";
-      url = "https://hg.mozilla.org/integration/autoland/raw-rev/5ac6a69a01f47ca050d90704a9791b8224d30f14";
-      hash = "sha256-+NGRUxXA7HGvPaAwvDveqRsdXof5nBIc+l4hdf7cC/Y=";
-    })
   ]
   ++ lib.optional (lib.versionAtLeast version "86") ./env_var_for_system_dir-ff86.patch
   ++ lib.optional (lib.versionAtLeast version "90" && lib.versionOlder version "95") ./no-buildconfig-ffx90.patch

pkgs/applications/networking/browsers/firefox/packages.nix

@@ -7,10 +7,10 @@ in
 rec {
   firefox = common rec {
     pname = "firefox";
-    version = "99.0.1";
+    version = "100.0";
     src = fetchurl {
       url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
-      sha512 = "0006b773ef1057a6e0b959d4f39849ad4a79272b38d565da98062b9aaf0effd2b729349c1f9fa10fccf7d2462d2c536b02c167ae6ad4556d6e519c6d22c25a7f";
+      sha512 = "29c56391c980209ff94c02a9aba18fe27bea188bdcbcf7fe0c0f27f61e823f4507a3ec343b27cb5285cf3901843e9cc4aca8e568beb623c4b69b7282e662b2aa";
     };
 
     meta = {
@@ -32,10 +32,10 @@ rec {
 
   firefox-esr-91 = common rec {
     pname = "firefox-esr";
-    version = "91.8.0esr";
+    version = "91.9.0esr";
     src = fetchurl {
       url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
-      sha512 = "edea2c7d4d3d0322091b20b623019ef041090d9f89f33c8e3140f66a54624261f278257393db70d2038154de8ee02da0bee6ecf85c281f3558338da71fc173c3";
+      sha512 = "fd69d489429052013d2c1b8b766a47920ecee62f0688505758f593b27ae66d6343b9107163749406251aedebdf836147e4d562415a811b04d7ab2ae31e32f133";
     };
 
     meta = {

pkgs/applications/networking/nextcloud-client/default.nix

@@ -26,7 +26,7 @@
 
 mkDerivation rec {
   pname = "nextcloud-client";
-  version = "3.4.4";
+  version = "3.5.0";
 
   outputs = [ "out" "dev" ];
 
@@ -34,7 +34,7 @@ mkDerivation rec {
     owner = "nextcloud";
     repo = "desktop";
     rev = "v${version}";
-    sha256 = "sha256-e4me4mpK0N3UyM5MuJP3jxwM5h1dGBd+JzAr5f3BOGQ=";
+    sha256 = "sha256-eFtBdnwHaLirzZaHDw6SRfmsqO3dmBB8Y9csJuiTf1A=";
   };
 
   patches = [

pkgs/applications/version-management/git-repo/default.nix

@@ -4,13 +4,13 @@
 
 stdenv.mkDerivation rec {
   pname = "git-repo";
-  version = "2.24.1";
+  version = "2.25";
 
   src = fetchFromGitHub {
     owner = "android";
     repo = "tools_repo";
     rev = "v${version}";
-    sha256 = "sha256-mYCKmvI15a0ohQwxPIG8IuzNt4QvEs6Q35oMO+e5hbg=";
+    sha256 = "sha256-3S4peybytlO432ui+bECVWQTbyNfs2kSMqcqQyVc1os=";
   };
 
   # Fix 'NameError: name 'ssl' is not defined'

pkgs/applications/version-management/gitlab/data.json

@@ -1,14 +1,14 @@
 {
-  "version": "14.10.0",
-  "repo_hash": "0j4dx32d4i8b44zfmqshkc19g3g9a2c2rg1r8mifjv67p7hvacnx",
+  "version": "14.10.1",
+  "repo_hash": "13868wb0zr862xaxapp8nxh16gjsawklw66rlxx95bhhm3r81nrp",
   "yarn_hash": "17wxqvig34namf8kvh8bwci3y0f3k2nl4zs99jcvskdad9p45rlc",
   "owner": "gitlab-org",
   "repo": "gitlab",
-  "rev": "v14.10.0-ee",
+  "rev": "v14.10.1-ee",
   "passthru": {
-    "GITALY_SERVER_VERSION": "14.10.0",
+    "GITALY_SERVER_VERSION": "14.10.1",
     "GITLAB_PAGES_VERSION": "1.56.1",
     "GITLAB_SHELL_VERSION": "13.25.1",
-    "GITLAB_WORKHORSE_VERSION": "14.10.0"
+    "GITLAB_WORKHORSE_VERSION": "14.10.1"
   }
 }

pkgs/applications/version-management/gitlab/gitaly/default.nix

@@ -11,7 +11,7 @@ let
     gemdir = ./.;
   };
 
-  version = "14.10.0";
+  version = "14.10.1";
   gitaly_package = "gitlab.com/gitlab-org/gitaly/v${lib.versions.major version}";
 in
 
@@ -23,7 +23,7 @@ buildGoModule {
     owner = "gitlab-org";
     repo = "gitaly";
     rev = "v${version}";
-    sha256 = "sha256-E0tIbcm/yI1oSn4CD8oZo8WfZVJNAZBUw2QRlhAujTI=";
+    sha256 = "sha256-4TbCfe41Nea1p0aDqGbF4SskUl5r9LRHKA16DH97jMI=";
   };
 
   vendorSha256 = "sha256-ZL61t+Ii2Ns3TmitiF93exinod54+RCqrbdpU67HeY0=";

pkgs/applications/version-management/gitlab/gitlab-workhorse/default.nix

@@ -5,7 +5,7 @@ in
 buildGoModule rec {
   pname = "gitlab-workhorse";
 
-  version = "14.10.0";
+  version = "14.10.1";
 
   src = fetchFromGitLab {
     owner = data.owner;

pkgs/applications/virtualization/podman/default.nix

@@ -88,6 +88,7 @@ buildGoModule rec {
       podman-tls-ghostunnel
       podman-dnsname
       ;
+    oci-containers-podman = nixosTests.oci-containers.podman;
   };
 
   meta = with lib; {

pkgs/data/fonts/uni-vga/default.nix

@@ -2,8 +2,6 @@
 , libfaketime, fonttosfnt, mkfontscale
 }:
 
-with lib;
-
 stdenv.mkDerivation {
   name = "uni-vga";
 
@@ -15,7 +13,7 @@ stdenv.mkDerivation {
   nativeBuildInputs =
     [ bdftopcf libfaketime
       fonttosfnt mkfontscale
-    ] ++ optionals stdenv.isLinux [ perl kbd ];
+    ] ++ lib.optionals stdenv.isLinux [ perl kbd ];
 
   postPatch = "patchShebangs .";
 
@@ -26,7 +24,7 @@ stdenv.mkDerivation {
     # convert bdf font to otb
     faketime -f "1970-01-01 00:00:01" \
     fonttosfnt -v -o u_vga16.otb u_vga16.bdf
-  '' + optionalString stdenv.isLinux ''
+  '' + lib.optionalString stdenv.isLinux ''
     # convert font to compressed psf
     ./bdf2psf.pl -s UniCyrX.sfm u_vga16.bdf \
       | psfaddtable - UniCyrX.sfm - \
@@ -42,14 +40,14 @@ stdenv.mkDerivation {
     install -m 644 -D *.bdf -t "$bdf/share/fonts"
     mkfontdir "$bdf/share/fonts"
 
-  '' + optionalString stdenv.isLinux ''
+  '' + lib.optionalString stdenv.isLinux ''
     # install psf (for linux virtual terminal)
     install -m 644 -D *.psf.gz -t "$out/share/consolefonts"
   '';
 
   outputs = [ "out" "bdf" ];
 
-  meta = {
+  meta = with lib; {
     description = "Unicode VGA font";
     maintainers = [ maintainers.ftrvxmtrx ];
     homepage = "http://www.inp.nsk.su/~bolkhov/files/fonts/univga/";

pkgs/development/libraries/inih/default.nix

@@ -2,12 +2,12 @@
 
 stdenv.mkDerivation rec {
   pname = "inih";
-  version = "r53";
+  version = "53";
 
   src = fetchFromGitHub {
     owner = "benhoyt";
     repo = pname;
-    rev = version;
+    rev = "r${version}";
     sha256 = "0dqf5j2sw4hq68rqvxbrsf44ygfzx9ypiyzipk4cvp9aimbvsbc6";
   };
 
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "Simple .INI file parser in C, good for embedded systems";
     homepage = "https://github.com/benhoyt/inih";
-    changelog = "https://github.com/benhoyt/inih/releases/tag/${version}";
+    changelog = "https://github.com/benhoyt/inih/releases/tag/r${version}";
     license = licenses.bsd3;
     maintainers = with maintainers; [ TredwellGit ];
     platforms = platforms.all;

pkgs/development/libraries/nss/85_security_load_3.77+.patch

@@ -0,0 +1,76 @@
+diff --git nss/cmd/shlibsign/shlibsign.c nss/cmd/shlibsign/shlibsign.c
+index ad8f3b84e..74676d039 100644
+--- nss/cmd/shlibsign/shlibsign.c
++++ nss/cmd/shlibsign/shlibsign.c
+@@ -875,6 +875,8 @@ main(int argc, char **argv)
+         goto cleanup;
+     }
+     lib = PR_LoadLibrary(libname);
++    if (!lib)
++        lib = PR_LoadLibrary(NIX_NSS_LIBDIR"libsoftokn3.so");
+     assert(lib != NULL);
+     if (!lib) {
+         PR_fprintf(PR_STDERR, "loading softokn3 failed");
+diff --git nss/lib/pk11wrap/pk11load.c nss/lib/pk11wrap/pk11load.c
+index 119c8c512..720d39ccc 100644
+--- nss/lib/pk11wrap/pk11load.c
++++ nss/lib/pk11wrap/pk11load.c
+@@ -486,6 +486,15 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule)
+ #else
+         library = PR_LoadLibrary(mod->dllName);
+ #endif // defined(_WIN32)
++#ifndef NSS_STATIC_SOFTOKEN
++        if ((library == NULL) &&
++            !rindex(mod->dllName, PR_GetDirectorySeparator())) {
++            library = PORT_LoadLibraryFromOrigin(my_shlib_name,
++                (PRFuncPtr) &softoken_LoadDSO,
++                mod->dllName);
++        }
++#endif
++
+         mod->library = (void *)library;
+ 
+         if (library == NULL) {
+diff --git nss/lib/util/secload.c nss/lib/util/secload.c
+index 12efd2f75..8b74478f6 100644
+--- nss/lib/util/secload.c
++++ nss/lib/util/secload.c
+@@ -70,9 +70,14 @@ loader_LoadLibInReferenceDir(const char* referencePath, const char* name)
+ 
+     /* Remove the trailing filename from referencePath and add the new one */
+     c = strrchr(referencePath, PR_GetDirectorySeparator());
++    if (!c) { /* referencePath doesn't contain a / means that dladdr gave us argv[0]
++               * and program was called from $PATH. Hack to get libs from NIX_NSS_LIBDIR */
++        referencePath = NIX_NSS_LIBDIR;
++        c = (char*) &referencePath[sizeof(NIX_NSS_LIBDIR) - 1]; /* last / */
++    }
+     if (c) {
+         size_t referencePathSize = 1 + c - referencePath;
+-        fullName = (char*)PORT_Alloc(strlen(name) + referencePathSize + 1);
++        fullName = (char*) PORT_Alloc(strlen(name) + referencePathSize + 5);
+         if (fullName) {
+             memcpy(fullName, referencePath, referencePathSize);
+             strcpy(fullName + referencePathSize, name);
+@@ -82,6 +87,11 @@ loader_LoadLibInReferenceDir(const char* referencePath, const char* name)
+ #endif
+             libSpec.type = PR_LibSpec_Pathname;
+             libSpec.value.pathname = fullName;
++            if ((referencePathSize >= 4) &&
++                (strncmp(fullName + referencePathSize - 4, "bin", 3) == 0)) {
++                memcpy(fullName + referencePathSize -4, "lib", 3);
++            }
++            strcpy(fullName + referencePathSize, name);
+             dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL
+ #ifdef PR_LD_ALT_SEARCH_PATH
+                                                        /* allow library's dependencies to be found in the same directory
+@@ -89,6 +99,10 @@ loader_LoadLibInReferenceDir(const char* referencePath, const char* name)
+                                                        | PR_LD_ALT_SEARCH_PATH
+ #endif
+                                           );
++            if (! dlh) {
++                strcpy(fullName + referencePathSize, name);
++                dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
++            }
+             PORT_Free(fullName);
+         }
+     }

pkgs/development/libraries/nss/generic.nix

@@ -62,7 +62,11 @@ stdenv.mkDerivation rec {
 
   patches = [
     # Based on http://patch-tracker.debian.org/patch/series/dl/nss/2:3.15.4-1/85_security_load.patch
-    ./85_security_load.patch
+    (if (lib.versionOlder version "3.77") then
+      ./85_security_load.patch
+    else
+      ./85_security_load_3.77+.patch
+    )
     ./ckpem.patch
     ./fix-cross-compilation.patch
   ];

pkgs/development/libraries/nss/latest.nix

@@ -5,6 +5,6 @@
 #       Example: nix-shell ./maintainers/scripts/update.nix --argstr package cacert
 
 import ./generic.nix {
-  version = "3.76.1";
-  sha256 = "0ai37ncg50n4s5243bfvsip8isqq1y6w2swg1n4xgqg2fk1h8cg1";
+  version = "3.78";
+  sha256 = "sha256-9FXzQeeHwRZzKOgKhPd7mlV9WVBm3aZIahh01y2miAA=";
 }

pkgs/development/python-modules/bpython/default.nix

@@ -3,10 +3,12 @@
 , fetchPypi
 , curtsies
 , cwcwidth
+, dataclasses
 , greenlet
 , jedi
 , pygments
 , pytestCheckHook
+, pythonOlder
 , pyperclip
 , pyxdg
 , requests
@@ -19,10 +21,13 @@
 buildPythonPackage rec {
   pname = "bpython";
   version = "0.22.1";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.6";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "1fb1e0a52332579fc4e3dcf75e21796af67aae2be460179ecfcce9530a49a200";
+    hash = "sha256-H7HgpSMyV5/E49z3XiF5avZ6rivkYBeez8zpUwpJogA=";
   };
 
   propagatedBuildInputs = [
@@ -37,6 +42,8 @@ buildPythonPackage rec {
     typing-extensions
     urwid
     watchdog
+  ] ++ lib.optionals (pythonOlder "3.7") [
+    dataclasses
   ];
 
   postInstall = ''
@@ -48,7 +55,14 @@ buildPythonPackage rec {
     pytestCheckHook
   ];
 
-  pythonImportsCheck = [ "bpython" ];
+  pythonImportsCheck = [
+    "bpython"
+  ];
+
+  disabledTests = [
+    # Check for syntax error ends with an AssertionError
+    "test_syntaxerror"
+  ];
 
   meta = with lib; {
     description = "A fancy curses interface to the Python interactive interpreter";

pkgs/development/python-modules/canonicaljson/default.nix

@@ -9,14 +9,14 @@
 
 buildPythonPackage rec {
   pname = "canonicaljson";
-  version = "1.6.0";
+  version = "1.6.1";
   format = "setuptools";
 
-  disabled = pythonOlder "3.6";
+  disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-hznV/ZGspygdQlZgrmWvdmOAjIF3d4ll9n6QsWorJCc=";
+    hash = "sha256-qTZk9phVbb1Lq5w/xPs1g0zyU12h6gC2t3WNj+K7uCQ=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/cert-chain-resolver/default.nix

@@ -1,35 +1,50 @@
 { lib
-, fetchFromGitHub
 , buildPythonPackage
+, cryptography
+, fetchFromGitHub
 , pytestCheckHook
 , pytest-mock
-, cryptography
+, pythonOlder
+, six
 }:
 
 buildPythonPackage rec {
   pname = "cert-chain-resolver";
   version = "1.0.1";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
 
   src = fetchFromGitHub {
     owner = "rkoopmans";
     repo = "python-certificate-chain-resolver";
     rev = version;
-    sha256 = "1kmig4ksbx1wvgcjn4r9jjg2pn1ag5rq871bjwxkp9kslb3x3d1l";
+    hash = "sha256-NLTRx6J6pjs7lyschHN5KtgrnpQpEyvZ2zz0pSd5sc4=";
   };
 
-  propagatedBuildInputs = [ cryptography ];
+  propagatedBuildInputs = [
+    cryptography
+  ];
 
-  checkInputs = [ pytestCheckHook pytest-mock ];
+  checkInputs = [
+    pytestCheckHook
+    pytest-mock
+    six
+  ];
 
-  # online tests
   disabledTests = [
+    # Tests require network access
     "test_cert_returns_completed_chain"
     "test_display_flag_is_properly_formatted"
   ];
 
+  pythonImportsCheck = [
+    "cert_chain_resolver"
+  ];
+
   meta = with lib; {
-    homepage = "https://github.com/rkoopmans/python-certificate-chain-resolver";
     description = "Resolve / obtain the certificate intermediates of a x509 certificate";
+    homepage = "https://github.com/rkoopmans/python-certificate-chain-resolver";
     license = licenses.mit;
     maintainers = with maintainers; [ veehaitch ];
   };

pkgs/development/python-modules/envs/default.nix

@@ -1,29 +1,29 @@
 { lib
 , buildPythonPackage
-, fetchPypi
-, fetchpatch
 , click
+, fetchPypi
 , jinja2
-, terminaltables
 , mock
 , nose
+, poetry-core
+, pythonOlder
+, terminaltables
 }:
 
 buildPythonPackage rec {
   pname = "envs";
-  version = "1.3";
+  version = "1.4";
+  format = "pyproject";
+
+  disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "ccf5cd85ddb8ed335e39ed8a22e0d23658f5a6d7da430f225e6f750c6f50ae42";
+    hash = "sha256-nYQ1xphdHN1oKZ4ExY4r24rmz2ayWWqAeeb5qT8qA5g=";
   };
 
-  patches = [
-    # https://github.com/capless/envs/pull/19
-    (fetchpatch {
-      url = "https://github.com/capless/envs/commit/6947043fa9120a7b17094fd43ee0e1edf808f42b.patch";
-      sha256 = "0zswg8kp2g922mkc7x34ps37qli1d1mjwna2jfrbnsq2fg4mk818";
-    })
+  nativeBuildInputs = [
+    poetry-core
   ];
 
   propagatedBuildInputs = [
@@ -45,6 +45,10 @@ buildPythonPackage rec {
     runHook postCheck
   '';
 
+  pythonImportsCheck = [
+    "envs"
+  ];
+
   meta = with lib; {
     description = "Easy access to environment variables from Python";
     homepage = "https://github.com/capless/envs";

pkgs/development/python-modules/glances-api/default.nix

@@ -11,7 +11,7 @@
 
 buildPythonPackage rec {
   pname = "glances-api";
-  version = "0.3.4";
+  version = "0.3.5";
   format = "pyproject";
 
   disabled = pythonOlder "3.8";
@@ -20,7 +20,7 @@ buildPythonPackage rec {
     owner = "home-assistant-ecosystem";
     repo = "python-glances-api";
     rev = version;
-    sha256 = "sha256-mV67mppzx3lka04bxQ5CdufknZTTqWqGJzqPaHb4C2o=";
+    sha256 = "sha256-8NWrsiiKevIMeD++C2weRdG0FPm5T4fHMUSJM4J+AOo=";
   };
 
   nativeBuildInputs = [

pkgs/development/python-modules/jug/default.nix

@@ -1,33 +1,46 @@
-{ lib, buildPythonPackage, fetchPypi, nose, numpy
-, bottle, pyyaml, redis, six
-, zlib
-, pytestCheckHook }:
+{ lib
+, bottle
+, buildPythonPackage
+, fetchPypi
+, numpy
+, pytestCheckHook
+, pythonOlder
+, pyyaml
+, redis
+}:
 
 buildPythonPackage rec {
-  pname = "Jug";
-  version = "2.1.1";
-  buildInputs = [ nose numpy ];
+  pname = "jug";
+  version = "2.2.0";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
+
+  src = fetchPypi {
+    pname = "Jug";
+    inherit version;
+    hash = "sha256-2Y9xRr5DyV9UqG6tiq9rYET2Z7LaPXfzwYKKGwR3OSs=";
+  };
+
   propagatedBuildInputs = [
     bottle
+  ];
+
+  checkInputs = [
+    numpy
+    pytestCheckHook
     pyyaml
     redis
-    six
-
-    zlib
   ];
 
-  src = fetchPypi {
-    inherit pname version;
-    sha256 = "8ae7bb45d4495cf3d0dc5dd9df104a35bba2ca83eb4576732cadf8469e7cf1a1";
-  };
-
-  checkInputs = [ pytestCheckHook ];
-  pythonImportsCheck = [ "jug" ];
+  pythonImportsCheck = [
+    "jug"
+  ];
 
   meta = with lib; {
     description = "A Task-Based Parallelization Framework";
-    license = licenses.mit;
     homepage = "https://jug.readthedocs.io/";
+    license = licenses.mit;
     maintainers = with maintainers; [ luispedro ];
   };
 }

pkgs/development/python-modules/namedlist/default.nix

@@ -1,33 +1,54 @@
 { lib
 , buildPythonPackage
 , fetchPypi
-, pytest
+, fetchpatch
+, pytestCheckHook
+, pythonOlder
 }:
 
 buildPythonPackage rec {
   pname = "namedlist";
   version = "1.8";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "34f89fc992592c80b39a709e136edcf41ea17f24ba31eaf84a314a02c8b9bcef";
+    hash = "sha256-NPifyZJZLICzmnCeE27c9B6hfyS6Mer4SjFKAsi5vO8=";
   };
 
+  checkInputs = [
+    pytestCheckHook
+  ];
+
+  patches = [
+    # Deprecation warning using collections.abc, https://gitlab.com/ericvsmith/namedlist/-/merge_requests/1
+    (fetchpatch {
+      url = "https://gitlab.com/ericvsmith/namedlist/-/commit/102d15b455e6f058b9c95fe135167be82b34c14a.patch";
+      sha256 = "sha256-IfDgiObFFSOUnAlXR/+ye8uutGaFJ/AyQvCb76iNaMM=";
+    })
+  ];
+
   # Test file has a `unittest.main()` at the bottom that fails the tests;
   # py.test can run the tests without it.
   postPatch = ''
     substituteInPlace test/test_namedlist.py --replace "unittest.main()" ""
   '';
 
-  checkInputs = [ pytest ];
-  checkPhase = ''
-    py.test
-  '';
+  pythonImportsCheck = [
+    "namedlist"
+  ];
+
+  disabledTests = [
+    # AttributeError: module 'collections' has no attribute 'Container'
+    "test_ABC"
+  ];
 
-  meta = {
+  meta = with lib; {
     description = "Similar to namedtuple, but instances are mutable";
     homepage = "https://gitlab.com/ericvsmith/namedlist";
-    license = lib.licenses.asl20;
-    maintainers = with lib.maintainers; [ ivan ];
+    license = licenses.asl20;
+    maintainers = with maintainers; [ ivan ];
   };
 }

pkgs/development/python-modules/pyomo/default.nix

@@ -1,48 +1,60 @@
 { lib
 , buildPythonPackage
 , fetchFromGitHub
-, isPy27
-, pyutilib
-, appdirs
+, parameterized
 , ply
-, six
-, nose
-, glpk
+, pytestCheckHook
+, pythonOlder
 }:
 
 buildPythonPackage rec {
   pname = "pyomo";
-  version = "6.3.0";
-  disabled = isPy27; # unable to import pyutilib.th
+  version = "6.4.0";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
 
   src = fetchFromGitHub {
     repo = "pyomo";
     owner = "pyomo";
     rev = version;
-    sha256 = "sha256-xyjiB5fDRf5y9Av5Cr+8wtU4pHzMHsM45mcmJEOaTWs=";
+    hash = "sha256-FdUhne5Dn5hTIXMce1G6Zu6nx+AuP/JdK0a5fCE3hg8=";
   };
 
-  checkInputs = [ nose glpk ];
   propagatedBuildInputs = [
-    pyutilib
-    appdirs
     ply
-    six
   ];
 
-  checkPhase = ''
-    rm pyomo/bilevel/tests/test_blp.py \
-       pyomo/version/tests/test_installer.py \
-       pyomo/common/tests/test_download.py \
-       pyomo/core/tests/examples/test_pyomo.py
-    export HOME=$TMPDIR
-    nosetests
+  checkInputs = [
+    parameterized
+    pytestCheckHook
+  ];
+
+  pythonImportsCheck = [
+    "pyomo"
+  ];
+
+  preCheck = ''
+    export HOME=$(mktemp -d);
   '';
 
+  disabledTestPaths = [
+    # Don't test the documentation and the examples
+    "doc/"
+    "examples/"
+    # Tests don't work properly in the sandbox
+    "pyomo/environ/tests/test_environ.py"
+  ];
+
+  disabledTests = [
+    # Test requires lsb_release
+    "test_get_os_version"
+  ];
+
   meta = with lib; {
-    description = "Pyomo: Python Optimization Modeling Objects";
+    description = "Python Optimization Modeling Objects";
     homepage = "http://pyomo.org";
     license = licenses.bsd3;
-    maintainers = [ maintainers.costrouc ];
+    maintainers = with maintainers; [ costrouc ];
   };
 }

pkgs/development/python-modules/types-paramiko/default.nix

@@ -6,11 +6,11 @@
 
 buildPythonPackage rec {
   pname = "types-paramiko";
-  version = "2.8.21";
+  version = "2.10.0";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-ZAyFCsqK3EGw1aIl7jaseBJonhpDcMMS+OS5Ks7I5AU=";
+    sha256 = "sha256-q2iT1fzl7QaWTWGTntanFoqxSVKUWpCZWmKKXoKl4WE=";
   };
 
   pythonImportsCheck = [

pkgs/development/tools/unityhub/default.nix

@@ -1,15 +1,14 @@
 { lib, fetchurl, appimageTools, gsettings-desktop-schemas, gtk3 }:
 
-let
+appimageTools.wrapType2 rec {
+  pname = "unityhub";
   version = "2.3.2";
+
   src = fetchurl {
     # mirror of https://public-cdn.cloud.unity3d.com/hub/prod/UnityHub.AppImage
     url = "https://archive.org/download/unity-hub-${version}/UnityHub.AppImage";
     sha256 = "07nfyfp9apshqarc6pgshsczila6x4943hiyyizc55kp85aw0imn";
   };
-  name = "unityhub";
-in appimageTools.wrapType2 rec {
-  inherit name src;
 
   extraPkgs = (pkgs: with pkgs; with xorg; [ gtk2 gdk-pixbuf glib libGL libGLU nss nspr
     alsa-lib cups libcap fontconfig freetype pango
@@ -23,11 +22,11 @@ in appimageTools.wrapType2 rec {
   ]);
 
   extraInstallCommands =
-    let appimageContents = appimageTools.extractType2 { inherit name src; }; in
+    let appimageContents = appimageTools.extractType2 { inherit pname version src; }; in
     ''
       install -Dm444 ${appimageContents}/unityhub.desktop -t $out/share/applications
       substituteInPlace $out/share/applications/unityhub.desktop \
-        --replace 'Exec=AppRun' 'Exec=${name}'
+        --replace 'Exec=AppRun' 'Exec=${pname}'
       install -m 444 -D ${appimageContents}/unityhub.png \
         $out/share/icons/hicolor/64x64/apps/unityhub.png
     '';

pkgs/development/tools/yarn2nix-moretea/yarn2nix/lib/generateNix.js

@@ -49,7 +49,8 @@ function fetchgit(fileName, url, rev, branch, builtinFetchGit) {
           url = "${url}";
           ref = "${branch}";
           rev = "${rev}";
-        } // (if builtins.substring 0 3 builtins.nixVersion == "2.4" then {
+        } // (if builtins.compareVersions "2.4pre" builtins.nixVersion < 0 then {
+          # workaround for https://github.com/NixOS/nix/issues/5128
           allRefs = true;
         } else {}));
       ` : `

pkgs/games/mindustry/default.nix

@@ -128,15 +128,6 @@ stdenv.mkDerivation rec {
     rm Arc/backends/backend-sdl/libs/linux64/libsdl-arc*.so
   '' + cleanupMindustrySrc;
 
-  # Propagate glew to prevent it from being cleaned up.
-  # Since a jar is a compressed archive, nix can't figure out that the dependency is actually in there,
-  # and will assume that it's not actually needed.
-  # This can cause issues.
-  # See https://github.com/NixOS/nixpkgs/issues/109798.
-  propagatedBuildInputs = lib.optionals enableClient [
-    glew.out
-  ];
-
   buildInputs = lib.optionals enableClient [
     SDL2
     glew
@@ -183,6 +174,17 @@ stdenv.mkDerivation rec {
     makeWrapper ${jdk}/bin/java $out/bin/mindustry \
       --add-flags "-jar $out/share/mindustry.jar" \
       --set ALSA_PLUGIN_DIR ${alsa-plugins}/lib/alsa-lib/
+
+    # Retain runtime depends to prevent them from being cleaned up.
+    # Since a jar is a compressed archive, nix can't figure out that the dependency is actually in there,
+    # and will assume that it's not actually needed.
+    # This can cause issues.
+    # See https://github.com/NixOS/nixpkgs/issues/109798.
+    echo "# Retained runtime dependencies: " >> $out/bin/mindustry
+    for dep in ${SDL2.out} ${alsa-lib.out} ${glew.out}; do
+      echo "# $dep" >> $out/bin/mindustry
+    done
+
     install -Dm644 core/assets/icons/icon_64.png $out/share/icons/hicolor/64x64/apps/mindustry.png
   '' + optionalString enableServer ''
     install -Dm644 server/build/libs/server-release.jar $out/share/mindustry-server.jar

pkgs/games/quake2/yquake2/default.nix

@@ -1,63 +1,55 @@
-{ stdenv, lib, fetchFromGitHub, buildEnv, cmake, makeWrapper
+{ stdenv, lib, fetchFromGitHub, buildEnv, makeWrapper
 , SDL2, libGL, curl
-, oggSupport ? true, libogg, libvorbis
 , openalSupport ? true, openal
-, zipSupport ? true, zlib
 , Cocoa, OpenAL
 }:
 
 let
-  mkFlag = b: if b then "ON" else "OFF";
+  mkFlag = b: if b then "yes" else "no";
 
-  games = import ./games.nix { inherit stdenv lib fetchFromGitHub cmake; };
+  games = import ./games.nix { inherit stdenv lib fetchFromGitHub; };
 
   wrapper = import ./wrapper.nix { inherit stdenv lib buildEnv makeWrapper yquake2; };
 
   yquake2 = stdenv.mkDerivation rec {
     pname = "yquake2";
-    version = "8.00";
+    version = "8.01";
 
     src = fetchFromGitHub {
       owner = "yquake2";
       repo = "yquake2";
       rev = "QUAKE2_${builtins.replaceStrings ["."] ["_"] version}";
-      sha256 = "0xnpmh0pl1095dykhc76rp242x587yh9zh6wayqzaam6cn3xlz3w";
+      sha256 = "1dll5lx4bnls5w5f2zwjhwpcpxa97rjn6ymb2v3vrjm19jbd16yd";
     };
 
     postPatch = ''
-      substituteInPlace src/common/filesystem.c \
-        --replace /usr/share/games/quake2 $out/share/games/quake2
+      substituteInPlace src/client/curl/qcurl.c \
+        --replace "\"libcurl.so.3\", \"libcurl.so.4\"" "\"${curl.out}/lib/libcurl.so\", \"libcurl.so.3\", \"libcurl.so.4\""
+    '' + lib.optionalString (openalSupport && !stdenv.isDarwin) ''
+      substituteInPlace Makefile \
+        --replace "\"libopenal.so.1\"" "\"${openal}/lib/libopenal.so.1\""
     '';
 
-    nativeBuildInputs = [ cmake ];
-
     buildInputs = [ SDL2 libGL curl ]
       ++ lib.optionals stdenv.isDarwin [ Cocoa OpenAL ]
-      ++ lib.optionals oggSupport [ libogg libvorbis ]
-      ++ lib.optional openalSupport openal
-      ++ lib.optional zipSupport zlib;
-
-    cmakeFlags = [
-      "-DCMAKE_BUILD_TYPE=Release"
-      "-DOGG_SUPPORT=${mkFlag oggSupport}"
-      "-DOPENAL_SUPPORT=${mkFlag openalSupport}"
-      "-DZIP_SUPPORT=${mkFlag zipSupport}"
-      "-DSYSTEMWIDE_SUPPORT=ON"
+      ++ lib.optional openalSupport openal;
+
+    makeFlags = [
+      "WITH_OPENAL=${mkFlag openalSupport}"
+      "WITH_SYSTEMWIDE=yes"
+      "WITH_SYSTEMDIR=$\{out}/share/games/quake2"
     ];
 
-    preConfigure = ''
-      # Since we can't expand $out in `cmakeFlags`
-      cmakeFlags="$cmakeFlags -DSYSTEMDIR=$out/share/games/quake2"
-    '';
+    enableParallelBuilding = true;
 
     installPhase = ''
       # Yamagi Quake II expects all binaries (executables and libs) to be in the
       # same directory.
-      mkdir -p $out/bin $out/lib/yquake2 $out/share/games/quake2
+      mkdir -p $out/bin $out/lib/yquake2 $out/share/games/quake2/baseq2
       cp -r release/* $out/lib/yquake2
       ln -s $out/lib/yquake2/quake2 $out/bin/yquake2
       ln -s $out/lib/yquake2/q2ded $out/bin/yq2ded
-      cp $src/stuff/yq2.cfg $out/share/games/quake2
+      cp $src/stuff/yq2.cfg $out/share/games/quake2/baseq2
     '';
 
     meta = with lib; {

pkgs/games/quake2/yquake2/games.nix

@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchFromGitHub, cmake }:
+{ stdenv, lib, fetchFromGitHub }:
 
 let
   games = {
@@ -37,11 +37,9 @@ let
       rev = "${lib.toUpper id}_${builtins.replaceStrings ["."] ["_"] version}";
     };
 
-    nativeBuildInputs = [ cmake ];
-
     installPhase = ''
       mkdir -p $out/lib/yquake2/${id}
-      cp Release/* $out/lib/yquake2/${id}
+      cp release/* $out/lib/yquake2/${id}
     '';
 
     meta = with lib; {

pkgs/stdenv/generic/check-meta.nix

@@ -13,7 +13,7 @@ let
   # for why this defaults to false, but I (@copumpkin) want to default it to true soon.
   shouldCheckMeta = config.checkMeta or false;
 
-  allowUnfree = config.allowUnfree or false
+  allowUnfree = config.allowUnfree
     || builtins.getEnv "NIXPKGS_ALLOW_UNFREE" == "1";
 
   allowlist = config.allowlistedLicenses or config.whitelistedLicenses or [];
@@ -34,10 +34,10 @@ let
   hasBlocklistedLicense = assert areLicenseListsValid; attrs:
     hasLicense attrs && lib.lists.any (l: builtins.elem l blocklist) (lib.lists.toList attrs.meta.license);
 
-  allowBroken = config.allowBroken or false
+  allowBroken = config.allowBroken
     || builtins.getEnv "NIXPKGS_ALLOW_BROKEN" == "1";
 
-  allowUnsupportedSystem = config.allowUnsupportedSystem or false
+  allowUnsupportedSystem = config.allowUnsupportedSystem
     || builtins.getEnv "NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM" == "1";
 
   isUnfree = licenses: lib.lists.any (l: !l.free or true) licenses;

pkgs/tools/security/john/default.nix

@@ -1,5 +1,5 @@
-{ lib, stdenv, fetchurl, openssl, nss, nspr, libkrb5, gmp, zlib, libpcap, re2
-, gcc, python3Packages, perl, perlPackages, makeWrapper
+{ lib, stdenv, fetchFromGitHub, openssl, nss, nspr, libkrb5, gmp, zlib, libpcap, re2
+, gcc, python3Packages, perl, perlPackages, makeWrapper, fetchpatch
 }:
 
 with lib;
@@ -8,11 +8,21 @@ stdenv.mkDerivation rec {
   pname = "john";
   version = "1.9.0-jumbo-1";
 
-  src = fetchurl {
-    url = "http://www.openwall.com/john/k/${pname}-${version}.tar.xz";
-    sha256 = "0fvz3v41hnaiv1ggpxanfykyfjq79cwp9qcqqn63vic357w27lgm";
+  src = fetchFromGitHub {
+    owner = "openwall";
+    repo = pname;
+    rev = "1.9.0-Jumbo-1";
+    sha256 = "sha256-O1iPh5QTMjZ78sKvGbvSpaHFbBuVc1z49UKTbMa24Rs=";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "fix-gcc-11-struct-allignment-incompatibility.patch";
+      url = "https://github.com/openwall/john/commit/154ee1156d62dd207aff0052b04c61796a1fde3b.patch";
+      sha256 = "sha256-3rfS2tu/TF+KW2MQiR+bh4w/FVECciTooDQNTHNw31A=";
+    })
+  ];
+
   postPatch = ''
     sed -ri -e '
       s!^(#define\s+CFG_[A-Z]+_NAME\s+).*/!\1"'"$out"'/etc/john/!
@@ -69,8 +79,8 @@ stdenv.mkDerivation rec {
 
   meta = {
     description = "John the Ripper password cracker";
-    license = licenses.gpl2;
-    homepage = "https://github.com/magnumripper/JohnTheRipper/";
+    license = licenses.gpl2Plus;
+    homepage = "https://github.com/openwall/john/";
     maintainers = with maintainers; [ offline matthewbauer ];
     platforms = platforms.unix;
   };

pkgs/top-level/config.nix

@@ -58,6 +58,42 @@ let
       '';
     };
 
+    allowUnfree = mkOption {
+      type = types.bool;
+      default = false;
+      # getEnv part is in check-meta.nix
+      defaultText = literalExpression ''false || builtins.getEnv "NIXPKGS_ALLOW_UNFREE" == "1"'';
+      description = ''
+        Whether to allow unfree packages.
+
+        See <link xlink:href="https://nixos.org/manual/nixpkgs/stable/#sec-allow-unfree">Installing unfree packages</link> in the NixOS manual.
+      '';
+    };
+
+    allowBroken = mkOption {
+      type = types.bool;
+      default = false;
+      # getEnv part is in check-meta.nix
+      defaultText = literalExpression ''false || builtins.getEnv "NIXPKGS_ALLOW_BROKEN" == "1"'';
+      description = ''
+        Whether to allow broken packages.
+
+        See <link xlink:href="https://nixos.org/manual/nixpkgs/stable/#sec-allow-broken">Installing broken packages</link> in the NixOS manual.
+      '';
+    };
+
+    allowUnsupportedSystem = mkOption {
+      type = types.bool;
+      default = false;
+      # getEnv part is in check-meta.nix
+      defaultText = literalExpression ''false || builtins.getEnv "NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM" == "1"'';
+      description = ''
+        Whether to allow unsupported packages.
+
+        See <link xlink:href="https://nixos.org/manual/nixpkgs/stable/#sec-allow-unsupported-system">Installing packages on unsupported systems</link> in the NixOS manual.
+      '';
+    };
+
   };
 
 in {