staging-next-24.05 iteration 6 - 2024-11-01

nixos/modules/system/boot/stage-1.nix

@@ -410,7 +410,7 @@ let
         ${lib.optionalString (config.boot.initrd.secrets == {})
             "exit 0"}
 
-        export PATH=${pkgs.coreutils}/bin:${pkgs.libarchive}/bin:${pkgs.gzip}/bin:${pkgs.findutils}/bin
+        export PATH=${pkgs.coreutils}/bin:${pkgs.cpio}/bin:${pkgs.gzip}/bin:${pkgs.findutils}/bin
 
         function cleanup {
           if [ -n "$tmp" -a -d "$tmp" ]; then
@@ -431,7 +431,7 @@ let
          }
 
         # mindepth 1 so that we don't change the mode of /
-        (cd "$tmp" && find . -mindepth 1 | xargs touch -amt 197001010000 && find . -mindepth 1 -print0 | sort -z | bsdtar --uid 0 --gid 0 -cnf - -T - | bsdtar --null -cf - --format=newc @-) | \
+        (cd "$tmp" && find . -mindepth 1 | xargs touch -amt 197001010000 && find . -mindepth 1 -print0 | sort -z | cpio --quiet -o -H newc -R +0:+0 --reproducible --null) | \
           ${compressorExe} ${lib.escapeShellArgs initialRamdisk.compressorArgs} >> "$1"
       '';
 

pkgs/applications/audio/mpg123/default.nix

@@ -22,11 +22,11 @@ assert withConplay -> !libOnly;
 
 stdenv.mkDerivation rec {
   pname = "${lib.optionalString libOnly "lib"}mpg123";
-  version = "1.32.6";
+  version = "1.32.8";
 
   src = fetchurl {
     url = "mirror://sourceforge/mpg123/mpg123-${version}.tar.bz2";
-    hash = "sha256-zN0dCrwx1z2LQ1/GWMeQSdCpBbMGabakKgOtFp3GCeY=";
+    hash = "sha256-/u4TdMeVQODkBd8LxF/eIK1nARQlw2GidZ4hRolKJ6c=";
   };
 
   outputs = [ "out" "dev" "man" ] ++ lib.optional withConplay "conplay";

pkgs/applications/editors/vim/common.nix

@@ -1,14 +1,14 @@
 { lib, fetchFromGitHub }:
 rec {
-  version = "9.1.0707";
+  version = "9.1.0765";
 
   outputs = [ "out" "xxd" ];
 
   src = fetchFromGitHub {
     owner = "vim";
     repo = "vim";
     rev = "v${version}";
-    hash = "sha256-iHOLABPk5B7Sh7EBYnM7wdxnK2Wv7q4WS3FEp780SV4=";
+    hash = "sha256-LtEEMpdWXA6qyjAIjgsZoc4hNXXG2ZXxCsbWKC5aEPI=";
   };
 
   enableParallelBuilding = true;

pkgs/applications/networking/sync/rsync/configure.ac-fix-failing-IPv6-check.patch

@@ -0,0 +1,12 @@
+diff -rup rsync-3.2.7/configure.sh rsync-3.2.7-fixed/configure.sh
+--- rsync-3.2.7/configure.sh	2022-10-20 17:57:22
++++ rsync-3.2.7-fixed/configure.sh	2024-01-01 19:51:58
+@@ -7706,7 +7706,7 @@ else $as_nop
+ #include <stdlib.h>
+ #include <sys/types.h>
+ #include <sys/socket.h>
+-main()
++int main()
+ {
+    if (socket(AF_INET6, SOCK_STREAM, 0) < 0)
+      exit(1);

pkgs/applications/networking/sync/rsync/default.nix

@@ -30,6 +30,11 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ perl ];
 
+  patches = [
+    # https://github.com/WayneD/rsync/pull/558
+    ./configure.ac-fix-failing-IPv6-check.patch
+  ];
+
   buildInputs = [ libiconv zlib popt ]
     ++ lib.optional enableACLs acl
     ++ lib.optional enableZstd zstd

pkgs/applications/version-management/git/default.nix

@@ -29,7 +29,7 @@ assert sendEmailSupport -> perlSupport;
 assert svnSupport -> perlSupport;
 
 let
-  version = "2.44.1";
+  version = "2.44.2";
   svn = subversionClient.override { perlBindings = perlSupport; };
   gitwebPerlLibs = with perlPackages; [ CGI HTMLParser CGIFast FCGI FCGIProcManager HTMLTagCloud ];
 in
@@ -42,7 +42,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   src = fetchurl {
     url = "https://www.kernel.org/pub/software/scm/git/git-${version}.tar.xz";
-    hash = "sha256-e2CmJMD3AJoWuFYlBiGq/c3YXrjUS7AgYXtlJbhyYeQ=";
+    hash = "sha256-dlTJSO4LTXGx502MK0tHwvgeA6JqA6tjd8WdYZzGccU=";
   };
 
   outputs = [ "out" ] ++ lib.optional withManual "doc";

pkgs/build-support/kernel/make-initrd-ng.nix

@@ -8,7 +8,7 @@ let
   # compression type and filename extension.
   compressorName = fullCommand: builtins.elemAt (builtins.match "([^ ]*/)?([^ ]+).*" fullCommand) 1;
 in
-{ stdenvNoCC, libarchive, ubootTools, lib, pkgsBuildHost, makeInitrdNGTool, binutils, runCommand
+{ stdenvNoCC, cpio, ubootTools, lib, pkgsBuildHost, makeInitrdNGTool, binutils, runCommand
 # Name of the derivation (not of the resulting file!)
 , name ? "initrd"
 
@@ -74,7 +74,7 @@ in
   passAsFile = ["contents"];
   contents = lib.concatMapStringsSep "\n" ({ object, symlink, ... }: "${object}\n${lib.optionalString (symlink != null) symlink}") contents + "\n";
 
-  nativeBuildInputs = [makeInitrdNGTool libarchive] ++ lib.optional makeUInitrd ubootTools ++ lib.optional strip binutils;
+  nativeBuildInputs = [makeInitrdNGTool cpio] ++ lib.optional makeUInitrd ubootTools ++ lib.optional strip binutils;
 
   STRIP = if strip then "${pkgsBuildHost.binutils.targetPrefix}strip" else null;
 }) ''
@@ -85,7 +85,7 @@ in
   for PREP in $prepend; do
     cat $PREP >> $out/initrd
   done
-  (cd root && find . -print0 | sort -z | bsdtar --uid 0 --gid 0 -cnf - -T - | bsdtar --null -cf - --format=newc @- | eval -- $compress >> "$out/initrd")
+  (cd root && find . -print0 | sort -z | cpio --quiet -o -H newc -R +0:+0 --reproducible --null | eval -- $compress >> "$out/initrd")
 
   if [ -n "$makeUInitrd" ]; then
       mkimage -A "$uInitrdArch" -O linux -T ramdisk -C "$uInitrdCompression" -d "$out/initrd" $out/initrd.img

pkgs/build-support/kernel/make-initrd.nix

@@ -18,7 +18,7 @@ let
   # compression type and filename extension.
   compressorName = fullCommand: builtins.elemAt (builtins.match "([^ ]*/)?([^ ]+).*" fullCommand) 1;
 in
-{ stdenvNoCC, perl, libarchive, ubootTools, lib, pkgsBuildHost
+{ stdenvNoCC, perl, cpio, ubootTools, lib, pkgsBuildHost
 # Name of the derivation (not of the resulting file!)
 , name ? "initrd"
 
@@ -82,7 +82,7 @@ in stdenvNoCC.mkDerivation rec {
 
   builder = ./make-initrd.sh;
 
-  nativeBuildInputs = [ perl libarchive ]
+  nativeBuildInputs = [ perl cpio ]
     ++ lib.optional makeUInitrd ubootTools;
 
   compress = "${_compressorExecutable} ${lib.escapeShellArgs _compressorArgsReal}";

pkgs/build-support/kernel/make-initrd.sh

@@ -40,7 +40,7 @@ for PREP in $prepend; do
   cat $PREP >> $out/initrd
 done
 (cd root && find * .[^.*] -exec touch -h -d '@1' '{}' +)
-(cd root && find * .[^.*] -print0 | sort -z | bsdtar --uid 0 --gid 0 -cnf - -T - | bsdtar --null -cf - --format=newc @- | eval -- $compress >> "$out/initrd")
+(cd root && find * .[^.*] -print0 | sort -z | cpio --quiet -o -H newc -R +0:+0 --reproducible --null | eval -- $compress >> "$out/initrd")
 
 if [ -n "$makeUInitrd" ]; then
     mkimage -A "$uInitrdArch" -O linux -T ramdisk -C "$uInitrdCompression" -d "$out/initrd" $out/initrd.img

pkgs/by-name/un/unbound/package.nix

@@ -1,6 +1,7 @@
 { stdenv
 , lib
 , fetchurl
+, fetchpatch
 , openssl
 , nettle
 , expat
@@ -57,6 +58,14 @@ stdenv.mkDerivation (finalAttrs: {
     hash = "sha256-VrTO7TNjlSIAD9lndVdt34eCuzYXYQcV1/Hnd8XsHb8=";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2024-8508.patch";
+      url = "https://nlnetlabs.nl/downloads/unbound/patch_CVE-2024-8508.diff";
+      hash = "sha256-u9een9NSm0WgDYhCIQjLDT743Smm0df7xBXnpPBvhJs=";
+    })
+  ];
+
   outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB
 
   nativeBuildInputs =

pkgs/data/misc/tzdata/default.nix

@@ -2,16 +2,16 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "tzdata";
-  version = "2024a";
+  version = "2024b";
 
   srcs = [
     (fetchurl {
       url = "https://data.iana.org/time-zones/releases/tzdata${finalAttrs.version}.tar.gz";
-      hash = "sha256-DQQ0RZrL0gWaeo2h8zBKhKhlkfbtacYkj/+lArbt/+M=";
+      hash = "sha256-cOdU2xJqjQ2z0W1rTLX37B4E1fJhJV5FWKZ/6S055VA=";
     })
     (fetchurl {
       url = "https://data.iana.org/time-zones/releases/tzcode${finalAttrs.version}.tar.gz";
-      hash = "sha256-gAcolK3/WkWPHRQ+FuTKHYsqEiycU5naSCy2jLpqH/g=";
+      hash = "sha256-XkOPxEliSQavFqGP9Fc3OfDNqYYuXsKNO8sZy67Q9nI=";
     })
   ];
 
@@ -34,6 +34,7 @@ stdenv.mkDerivation (finalAttrs: {
     "LIBDIR=${placeholder "dev"}/lib"
     "MANDIR=${placeholder "man"}/share/man"
     "AWK=awk"
+    "CURL=:" # disable network access
     "CFLAGS=-DHAVE_LINK=0"
     "CFLAGS+=-DZIC_BLOAT_DEFAULT=\\\"fat\\\""
     "cc=${stdenv.cc.targetPrefix}cc"
@@ -45,11 +46,10 @@ stdenv.mkDerivation (finalAttrs: {
     "CFLAGS+=-DRESERVE_STD_EXT_IDS"
   ];
 
+  enableParallelBuilding = true;
+
   doCheck = true;
-  # everything except for:
-  # - check_web, because that needs curl and wants to talk to https://validator.w3.org
-  # - check_now, because that depends on the current time
-  checkTarget = "check_back check_character_set check_white_space check_links check_name_lengths check_slashed_abbrs check_sorted check_tables check_ziguard check_zishrink check_tzs";
+  checkTarget = "check";
 
   installFlags = lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
     "zic=${buildPackages.tzdata.bin}/bin/zic"

pkgs/development/compilers/go/1.22.nix

@@ -47,11 +47,11 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "go";
-  version = "1.22.6";
+  version = "1.22.8";
 
   src = fetchurl {
     url = "https://go.dev/dl/go${finalAttrs.version}.src.tar.gz";
-    hash = "sha256-nkjZnVGYgleZF9gYnBfpjDc84lq667mHcuKScIiZKlE=";
+    hash = "sha256-3xLCPr8Z3qD0v0aiLL7aSj7Kb0dPMYOQzndJdCeEQLg=";
   };
 
   strictDeps = true;

pkgs/development/interpreters/python/default.nix

@@ -20,10 +20,10 @@
       sourceVersion = {
         major = "3";
         minor = "11";
-        patch = "9";
+        patch = "10";
         suffix = "";
       };
-      hash = "sha256-mx6JZSP8UQaREmyGRAbZNgo9Hphqy9pZzaV7Wr2kW4c=";
+      hash = "sha256-B6Q1bpEpAOYaFcsJSaBsSgUBLiE+zWtOhND2equ+43I=";
     };
   };
 
@@ -79,10 +79,10 @@ in {
     sourceVersion = {
       major = "3";
       minor = "12";
-      patch = "5";
+      patch = "6";
       suffix = "";
     };
-    hash = "sha256-+oouEsXmILCfU+ZbzYdVDS5aHi4Ev4upkdzFUROHY5c=";
+    hash = "sha256-GZllgpjPL7g33/7Y/zwDPvDJjvIM9zxdX2a+1auJaXw=";
     inherit (darwin) configd;
     inherit passthruFun;
   };

pkgs/development/libraries/libarchive/default.nix

@@ -28,13 +28,13 @@
 assert xarSupport -> libxml2 != null;
 stdenv.mkDerivation (finalAttrs: {
   pname = "libarchive";
-  version = "3.7.4";
+  version = "3.7.7";
 
   src = fetchFromGitHub {
     owner = "libarchive";
     repo = "libarchive";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-czNKXHoEn1x4deNErnqp/NZfCglF1CxNoLtZ8tcl394=";
+    hash = "sha256-maV2+Whi4aDG1VLAYpOTxluO9I0zNiZ8fA3w7epGlDg=";
   };
 
   outputs = [ "out" "lib" "dev" ];

pkgs/development/libraries/libpcap/default.nix

@@ -23,11 +23,11 @@
 
 stdenv.mkDerivation rec {
   pname = "libpcap";
-  version = "1.10.4";
+  version = "1.10.5";
 
   src = fetchurl {
     url = "https://www.tcpdump.org/release/${pname}-${version}.tar.gz";
-    hash = "sha256-7RmgOD+tcuOtQ1/SOdfNgNZJFrhyaVUBWdIORxYOvl8=";
+    hash = "sha256-N87ZChmjAqfzLkWCJKAMNlwReQXCzTWsVEtogKgUiPA=";
   };
 
   buildInputs = lib.optionals stdenv.isLinux [ libnl ]

pkgs/development/libraries/libtiff/default.nix

@@ -1,6 +1,7 @@
 { lib
 , stdenv
 , fetchFromGitLab
+, fetchpatch
 , nix-update-script
 
 , autoreconfHook
@@ -41,6 +42,18 @@ stdenv.mkDerivation (finalAttrs: {
     # libc++abi 11 has an `#include <version>`, this picks up files name
     # `version` in the project's include paths
     ./rename-version.patch
+    # https://gitlab.com/libtiff/libtiff/-/issues/622
+    (fetchpatch {
+      name = "CVE-2023-52356.patch";
+      url = "https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a.patch";
+      hash = "sha256-A1G23MEUS1AvoREcKFqoqV2sYtCqIMfzPaIIFpZNBWE=";
+    })
+    # https://gitlab.com/libtiff/libtiff/-/issues/624
+    (fetchpatch {
+      name = "CVE-2024-7006.patch";
+      url = "https://gitlab.com/libtiff/libtiff/-/commit/818fb8ce881cf839fbc710f6690aadb992aa0f9e.patch";
+      hash = "sha256-XbRQtNxbNMofKTbeTsbHBKv96KTKSGngCepWPIVWLH4=";
+    })
   ];
 
   postPatch = ''

pkgs/development/libraries/nspr/default.nix

@@ -8,11 +8,11 @@
 
 stdenv.mkDerivation rec {
   pname = "nspr";
-  version = "4.35";
+  version = "4.36";
 
   src = fetchurl {
     url = "mirror://mozilla/nspr/releases/v${version}/src/nspr-${version}.tar.gz";
-    hash = "sha256-fqMpfqWWm10lpd2NR/JEPNqI6e50YwH24eFCb4pqvI8=";
+    hash = "sha256-Vd7DF/FAHNLl26hE00C5MKt1R/gYF5pAArzmLm8caJU=";
   };
 
   patches = [

pkgs/development/libraries/pipewire/default.nix

@@ -75,7 +75,7 @@ assert ldacbtSupport -> bluezSupport;
 
 stdenv.mkDerivation(finalAttrs: {
   pname = "pipewire";
-  version = "1.0.7";
+  version = "1.0.9";
 
   outputs = [
     "out"
@@ -91,7 +91,7 @@ stdenv.mkDerivation(finalAttrs: {
     owner = "pipewire";
     repo = "pipewire";
     rev = finalAttrs.version;
-    sha256 = "sha256-YzI+hkX1ZdeTfxuKaw5P9OYPtkWtUg9cNo32wLCgjNU=";
+    sha256 = "sha256-8CwT6wF0BETp2dLqF9kVUeB3q36if/ILDv9kO1FYvH8=";
   };
 
   patches = [

pkgs/development/python-modules/executing/default.nix

@@ -19,7 +19,7 @@
 
 buildPythonPackage rec {
   pname = "executing";
-  version = "2.0.1";
+  version = "2.1.0";
   format = "pyproject";
 
   disabled = pythonOlder "3.7";
@@ -28,13 +28,14 @@ buildPythonPackage rec {
     owner = "alexmojaki";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-PBvfkv9GQ5Vj5I5SygtmHXtqqHMJ4XgNV1/I+lSU0/U=";
+    hash = "sha256-epgKMPOvPdkpRp0n5A22gZ5DeXLyI60bqzLTx5JFlLk=";
   };
 
-  patches = lib.optionals (pythonAtLeast "3.12") [
-    (fetchpatch { # https://github.com/alexmojaki/executing/pull/83
-      url = "https://github.com/alexmojaki/executing/commit/230ef110f004a8cecf03e983561f26a5fecede8f.diff";
-      hash = "sha256-McMUIbOWozoDDQSfrJqcxBjuAZ/rrHePfqp5+AVUKI4=";
+  patches = [
+    (fetchpatch {
+      name = "python-3.12.6.patch";
+      url = "https://github.com/alexmojaki/executing/commit/3f11fdcd7a017fbdca8a3a9de23dab18d3ba2100.patch";
+      hash = "sha256-ZnTO9lT+bj4nekPx4D0DxjhJOCkZn6lDm5xdLrziB+4=";
     })
   ];
 

pkgs/development/python-modules/furl/default.nix

@@ -36,7 +36,7 @@ buildPythonPackage rec {
     pytestCheckHook
   ];
 
-  disabledTests = lib.optionals (pythonAtLeast "3.12") [
+  disabledTests = [
     # AssertionError: assert '//////path' == '////path'
     "test_odd_urls"
   ];