Merge staging-next into staging

nixos/doc/manual/from_md/installation/installing-kexec.section.xml

@@ -0,0 +1,94 @@
+<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-booting-via-kexec">
+  <title><quote>Booting</quote> into NixOS via kexec</title>
+  <para>
+    In some cases, your system might already be booted into/preinstalled
+    with another Linux distribution, and booting NixOS by attaching an
+    installation image is quite a manual process.
+  </para>
+  <para>
+    This is particularly useful for (cloud) providers where you can’t
+    boot a custom image, but get some Debian or Ubuntu installation.
+  </para>
+  <para>
+    In these cases, it might be easier to use <literal>kexec</literal>
+    to <quote>jump into NixOS</quote> from the running system, which
+    only assumes <literal>bash</literal> and <literal>kexec</literal> to
+    be installed on the machine.
+  </para>
+  <para>
+    Note that kexec may not work correctly on some hardware, as devices
+    are not fully re-initialized in the process. In practice, this
+    however is rarely the case.
+  </para>
+  <para>
+    To build the necessary files from your current version of nixpkgs,
+    you can run:
+  </para>
+  <programlisting>
+nix-build -A kexec.x86_64-linux '&lt;nixpkgs/nixos/release.nix&gt;'
+</programlisting>
+  <para>
+    This will create a <literal>result</literal> directory containing
+    the following:
+  </para>
+  <itemizedlist spacing="compact">
+    <listitem>
+      <para>
+        <literal>bzImage</literal> (the Linux kernel)
+      </para>
+    </listitem>
+    <listitem>
+      <para>
+        <literal>initrd</literal> (the initrd file)
+      </para>
+    </listitem>
+    <listitem>
+      <para>
+        <literal>kexec-boot</literal> (a shellscript invoking
+        <literal>kexec</literal>)
+      </para>
+    </listitem>
+  </itemizedlist>
+  <para>
+    These three files are meant to be copied over to the other already
+    running Linux Distribution.
+  </para>
+  <para>
+    Note it’s symlinks pointing elsewhere, so <literal>cd</literal> in,
+    and use <literal>scp * root@$destination</literal> to copy it over,
+    rather than rsync.
+  </para>
+  <para>
+    Once you finished copying, execute <literal>kexec-boot</literal>
+    <emphasis>on the destination</emphasis>, and after some seconds, the
+    machine should be booting into an (ephemeral) NixOS installation
+    medium.
+  </para>
+  <para>
+    In case you want to describe your own system closure to kexec into,
+    instead of the default installer image, you can build your own
+    <literal>configuration.nix</literal>:
+  </para>
+  <programlisting language="bash">
+{ modulesPath, ... }: {
+  imports = [
+    (modulesPath + &quot;/installer/netboot/netboot-minimal.nix&quot;)
+  ];
+
+  services.openssh.enable = true;
+  users.users.root.openssh.authorizedKeys.keys = [
+    &quot;my-ssh-pubkey&quot;
+  ];
+}
+</programlisting>
+  <programlisting>
+nix-build '&lt;nixpkgs/nixos&gt;' \
+  --arg configuration ./configuration.nix
+  --attr config.system.build.kexecTree
+</programlisting>
+  <para>
+    Make sure your <literal>configuration.nix</literal> does still
+    import <literal>netboot-minimal.nix</literal> (or
+    <literal>netboot-base.nix</literal>).
+  </para>
+</section>

nixos/doc/manual/from_md/installation/installing.chapter.xml

@@ -638,6 +638,7 @@ $ passwd eelco
     <title>Additional installation notes</title>
     <xi:include href="installing-usb.section.xml" />
     <xi:include href="installing-pxe.section.xml" />
+    <xi:include href="installing-kexec.section.xml" />
     <xi:include href="installing-virtualbox-guest.section.xml" />
     <xi:include href="installing-from-other-distro.section.xml" />
     <xi:include href="installing-behind-a-proxy.section.xml" />

nixos/doc/manual/installation/installing-kexec.section.md

@@ -0,0 +1,64 @@
+# "Booting" into NixOS via kexec {#sec-booting-via-kexec}
+
+In some cases, your system might already be booted into/preinstalled with
+another Linux distribution, and booting NixOS by attaching an installation
+image is quite a manual process.
+
+This is particularly useful for (cloud) providers where you can't boot a custom
+image, but get some Debian or Ubuntu installation.
+
+In these cases, it might be easier to use `kexec` to "jump into NixOS" from the
+running system, which only assumes `bash` and `kexec` to be installed on the
+machine.
+
+Note that kexec may not work correctly on some hardware, as devices are not
+fully re-initialized in the process. In practice, this however is rarely the
+case.
+
+To build the necessary files from your current version of nixpkgs,
+you can run:
+
+```ShellSession
+nix-build -A kexec.x86_64-linux '<nixpkgs/nixos/release.nix>'
+```
+
+This will create a `result` directory containing the following:
+ - `bzImage` (the Linux kernel)
+ - `initrd` (the initrd file)
+ - `kexec-boot` (a shellscript invoking `kexec`)
+
+These three files are meant to be copied over to the other already running
+Linux Distribution.
+
+Note it's symlinks pointing elsewhere, so `cd` in, and use
+`scp * root@$destination` to copy it over, rather than rsync.
+
+Once you finished copying, execute `kexec-boot` *on the destination*, and after
+some seconds, the machine should be booting into an (ephemeral) NixOS
+installation medium.
+
+In case you want to describe your own system closure to kexec into, instead of
+the default installer image, you can build your own `configuration.nix`:
+
+```nix
+{ modulesPath, ... }: {
+  imports = [
+    (modulesPath + "/installer/netboot/netboot-minimal.nix")
+  ];
+
+  services.openssh.enable = true;
+  users.users.root.openssh.authorizedKeys.keys = [
+    "my-ssh-pubkey"
+  ];
+}
+```
+
+
+```ShellSession
+nix-build '<nixpkgs/nixos>' \
+  --arg configuration ./configuration.nix
+  --attr config.system.build.kexecTree
+```
+
+Make sure your `configuration.nix` does still import `netboot-minimal.nix` (or
+`netboot-base.nix`).

nixos/doc/manual/installation/installing.chapter.md

@@ -476,6 +476,7 @@ With a partitioned disk.
 ```{=docbook}
 <xi:include href="installing-usb.section.xml" />
 <xi:include href="installing-pxe.section.xml" />
+<xi:include href="installing-kexec.section.xml" />
 <xi:include href="installing-virtualbox-guest.section.xml" />
 <xi:include href="installing-from-other-distro.section.xml" />
 <xi:include href="installing-behind-a-proxy.section.xml" />

nixos/modules/installer/kexec/kexec-boot.nix

@@ -1,51 +0,0 @@
-# This module exposes a config.system.build.kexecBoot attribute,
-# which returns a directory with kernel, initrd and a shell script
-# running the necessary kexec commands.
-
-# It's meant to be scp'ed to a machine with working ssh and kexec binary
-# installed.
-
-# This is useful for (cloud) providers where you can't boot a custom image, but
-# get some Debian or Ubuntu installation.
-
-{ pkgs
-, modulesPath
-, config
-, ...
-}:
-{
-  imports = [
-    (modulesPath + "/installer/netboot/netboot-minimal.nix")
-  ];
-
-  config = {
-    system.build.kexecBoot =
-      let
-        kexecScript = pkgs.writeScript "kexec-boot" ''
-          #!/usr/bin/env bash
-          if ! kexec -v >/dev/null 2>&1; then
-            echo "kexec not found: please install kexec-tools" 2>&1
-            exit 1
-          fi
-          SCRIPT_DIR=$( cd -- "$( dirname -- "''${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
-          kexec --load ''${SCRIPT_DIR}/bzImage \
-            --initrd=''${SCRIPT_DIR}/initrd.gz \
-            --command-line "init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
-          kexec -e
-        ''; in
-      pkgs.linkFarm "kexec-tree" [
-        {
-          name = "initrd.gz";
-          path = "${config.system.build.netbootRamdisk}/initrd";
-        }
-        {
-          name = "bzImage";
-          path = "${config.system.build.kernel}/${config.system.boot.loader.kernelFile}";
-        }
-        {
-          name = "kexec-boot";
-          path = kexecScript;
-        }
-      ];
-  };
-}

nixos/modules/installer/netboot/netboot.nix

@@ -101,6 +101,37 @@ with lib;
       boot
     '';
 
+    # A script invoking kexec on ./bzImage and ./initrd.gz.
+    # Usually used through system.build.kexecTree, but exposed here for composability.
+    system.build.kexecScript = pkgs.writeScript "kexec-boot" ''
+      #!/usr/bin/env bash
+      if ! kexec -v >/dev/null 2>&1; then
+        echo "kexec not found: please install kexec-tools" 2>&1
+        exit 1
+      fi
+      SCRIPT_DIR=$( cd -- "$( dirname -- "''${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+      kexec --load ''${SCRIPT_DIR}/bzImage \
+        --initrd=''${SCRIPT_DIR}/initrd.gz \
+        --command-line "init=${config.system.build.toplevel}/init ${toString config.boot.kernelParams}"
+      kexec -e
+    '';
+
+    # A tree containing initrd.gz, bzImage and a kexec-boot script.
+    system.build.kexecTree = pkgs.linkFarm "kexec-tree" [
+      {
+        name = "initrd.gz";
+        path = "${config.system.build.netbootRamdisk}/initrd";
+      }
+      {
+        name = "bzImage";
+        path = "${config.system.build.kernel}/${config.system.boot.loader.kernelFile}";
+      }
+      {
+        name = "kexec-boot";
+        path = config.system.build.kexecScript;
+      }
+    ];
+
     boot.loader.timeout = 10;
 
     boot.postBootCommands =

nixos/modules/system/boot/systemd.nix

@@ -8,8 +8,6 @@ let
 
   cfg = config.systemd;
 
-  systemd = cfg.package;
-
   inherit (systemdUtils.lib)
     generateUnits
     targetToUnit
@@ -439,7 +437,7 @@ in
 
     system.build.units = cfg.units;
 
-    system.nssModules = [ systemd.out ];
+    system.nssModules = [ cfg.package.out ];
     system.nssDatabases = {
       hosts = (mkMerge [
         (mkOrder 400 ["mymachines"]) # 400 to ensure it comes before resolve (which is mkBefore'd)
@@ -453,7 +451,7 @@ in
       ]);
     };
 
-    environment.systemPackages = [ systemd ];
+    environment.systemPackages = [ cfg.package ];
 
     environment.etc = let
       # generate contents for /etc/systemd/system-${type} from attrset of links and packages

nixos/release.nix

@@ -151,6 +151,13 @@ in rec {
   # Build the initial ramdisk so Hydra can keep track of its size over time.
   initialRamdisk = buildFromConfig ({ ... }: { }) (config: config.system.build.initialRamdisk);
 
+  kexec = forMatchingSystems supportedSystems (system: (import lib/eval-config.nix {
+    inherit system;
+    modules = [
+      ./modules/installer/netboot/netboot-minimal.nix
+    ];
+  }).config.system.build.kexecTree);
+
   netboot = forMatchingSystems supportedSystems (system: makeNetboot {
     module = ./modules/installer/netboot/netboot-minimal.nix;
     inherit system;

nixos/tests/kexec.nix

@@ -18,8 +18,7 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
       virtualisation.vlans = [ ];
       environment.systemPackages = [ pkgs.hello ];
       imports = [
-        "${modulesPath}/installer/kexec/kexec-boot.nix"
-        "${modulesPath}/profiles/minimal.nix"
+        "${modulesPath}/installer/netboot/netboot-minimal.nix"
       ];
     };
   };
@@ -33,14 +32,14 @@ import ./make-test-python.nix ({ pkgs, lib, ... }: {
     node1.connect()
     node1.wait_for_unit("multi-user.target")
 
-    # Check if the machine with kexec-boot.nix profile boots up
+    # Check if the machine with netboot-minimal.nix profile boots up
     node2.wait_for_unit("multi-user.target")
     node2.shutdown()
 
     # Kexec node1 to the toplevel of node2 via the kexec-boot script
     node1.succeed('touch /run/foo')
     node1.fail('hello')
-    node1.execute('${nodes.node2.config.system.build.kexecBoot}/kexec-boot', check_return=False)
+    node1.execute('${nodes.node2.config.system.build.kexecTree}/kexec-boot', check_return=False)
     node1.succeed('! test -e /run/foo')
     node1.succeed('hello')
     node1.succeed('[ "$(hostname)" = "node2" ]')

pkgs/applications/networking/browsers/chromium/upstream-info.json

@@ -45,9 +45,9 @@
     }
   },
   "ungoogled-chromium": {
-    "version": "102.0.5005.61",
-    "sha256": "07vbi3gn9g4n04b2qi2hm34r122snrqaifa46yk3pyh1d79rfdqs",
-    "sha256bin64": "100n8k3d9k5bq58irc36ig6m5m0lxggffyk4crqqqcib2anqd0zv",
+    "version": "102.0.5005.115",
+    "sha256": "1rj7vy824vn513hiivc90lnxvxyi2s0qkdmfqsdssv9v6zjl079h",
+    "sha256bin64": "0b32sscbjnvr98lk962i9k2srckv2s7fp9pifmsv5jlwndjhzm7y",
     "deps": {
       "gn": {
         "version": "2022-04-14",
@@ -56,8 +56,8 @@
         "sha256": "0b5xs0chcv3hfhy71rycsmgxnqbm375a333hwav8929k9cbi5p9h"
       },
       "ungoogled-patches": {
-        "rev": "102.0.5005.61-1",
-        "sha256": "1hlyi6k894blkkqmqsizx72bag2vj6wlpza0fvi8db5wp6i5b58g"
+        "rev": "102.0.5005.115-1",
+        "sha256": "1z2xkxxviggyyksga74cqa4v73gynlgzi22ckg8yv84qxrklik6p"
       }
     }
   }

pkgs/applications/office/gtg/default.nix

@@ -7,33 +7,27 @@
 , gtk3
 , wrapGAppsHook
 , glib
+, gtksourceview4
 , itstool
 , gettext
 , pango
 , gdk-pixbuf
+, libsecret
 , gobject-introspection
 , xvfb-run
 }:
 
 python3Packages.buildPythonApplication rec {
   pname = "gtg";
-  version = "0.5";
+  version = "0.6";
 
   src = fetchFromGitHub {
     owner = "getting-things-gnome";
     repo = "gtg";
     rev = "v${version}";
-    sha256 = "0b2slm7kjq6q8c7v4m7aqc8m1ynjxn3bl7445srpv1xc0dilq403";
+    sha256 = "sha256-O8qBD92P2g8QrBdMXa6j0Ozk+W80Ny5yk0KNTy7ekfE=";
   };
 
-  patches = [
-    # fix build with meson 0.60 (https://github.com/getting-things-gnome/gtg/pull/729)
-    (fetchpatch {
-      url = "https://github.com/getting-things-gnome/gtg/commit/1809d10663ae3d8f69c04138b66f9b4e66ee14f6.patch";
-      sha256 = "sha256-bYr5PAsuvcSqTf0vaJj2APtuBrwHdhXJxtXoAb7CfGk=";
-    })
-  ];
-
   nativeBuildInputs = [
     meson
     ninja
@@ -46,8 +40,10 @@ python3Packages.buildPythonApplication rec {
   buildInputs = [
     glib
     gtk3
+    gtksourceview4
     pango
     gdk-pixbuf
+    libsecret
   ];
 
   propagatedBuildInputs = with python3Packages; [
@@ -56,12 +52,14 @@ python3Packages.buildPythonApplication rec {
     lxml
     gst-python
     liblarch
+    caldav
   ];
 
   checkInputs = with python3Packages; [
     nose
     mock
     xvfb-run
+    pytest
   ];
 
   preBuild = ''
@@ -71,7 +69,7 @@ python3Packages.buildPythonApplication rec {
   format = "other";
   strictDeps = false; # gobject-introspection does not run with strictDeps (https://github.com/NixOS/nixpkgs/issues/56943)
 
-  checkPhase = "xvfb-run python3 ../run-tests";
+  checkPhase = "xvfb-run pytest ../tests/";
 
   meta = with lib; {
     description = " A personal tasks and TODO-list items organizer";

pkgs/applications/version-management/git-and-tools/lefthook/default.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "lefthook";
-  version = "0.7.7";
+  version = "0.8.0";
 
   src = fetchFromGitHub {
     rev = "v${version}";
     owner = "evilmartians";
     repo = "lefthook";
-    sha256 = "sha256-XyuXegCTJSW4uO6fEaRKq/jZnE+JbrxZw0kcDvhpsVo=";
+    sha256 = "sha256-ahkTxuBjMbvBzPuLtW7AhM2OUtL9Rw+ZqgnGGTkeCQQ=";
   };
 
   vendorSha256 = "sha256-Rp67FnFU27u85t02MIs7wZQoOa8oGsHVVPQ9OdIyTJg=";

pkgs/development/interpreters/clojure/default.nix

@@ -2,12 +2,12 @@
 
 stdenv.mkDerivation rec {
   pname = "clojure";
-  version = "1.11.1.1119";
+  version = "1.11.1.1124";
 
   src = fetchurl {
     # https://clojure.org/releases/tools
     url = "https://download.clojure.org/install/clojure-tools-${version}.tar.gz";
-    sha256 = "sha256-DPFLExCMWheI5IIa8aNz/ZggftJpxgOUIOYZZKBdvIc=";
+    sha256 = "sha256-QucUcLCzLPe/OpVyI8++Z+RFukNNRQ39imBaxZuH324=";
   };
 
   nativeBuildInputs = [

pkgs/development/libraries/libdigidocpp/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, fetchpatch, cmake, makeWrapper, minizip, pcsclite, opensc, openssl
+{ lib, stdenv, fetchurl, fetchpatch, cmake, minizip, pcsclite, opensc, openssl
 , xercesc, xml-security-c, pkg-config, xsd, zlib, xalanc, xxd }:
 
 stdenv.mkDerivation rec {
@@ -22,7 +22,7 @@ stdenv.mkDerivation rec {
     })
   ];
 
-  nativeBuildInputs = [ cmake makeWrapper pkg-config xxd ];
+  nativeBuildInputs = [ cmake pkg-config xxd ];
 
   buildInputs = [
     minizip pcsclite opensc openssl xercesc
@@ -31,11 +31,11 @@ stdenv.mkDerivation rec {
 
   outputs = [ "out" "lib" "dev" "bin" ];
 
-  # replace this hack with a proper cmake variable or environment variable
-  # once https://github.com/open-eid/cmake/pull/34 (or #35) gets merged.
-  postInstall = ''
-    wrapProgram $bin/bin/digidoc-tool \
-      --prefix LD_LIBRARY_PATH : ${opensc}/lib/pkcs11/
+  # libdigidocpp.so's `PKCS11Signer::PKCS11Signer()` dlopen()s "opensc-pkcs11.so"
+  # itself, so add OpenSC to its DT_RUNPATH after the fixupPhase shrinked it.
+  # https://github.com/open-eid/cmake/pull/35 might be an alternative.
+  postFixup = ''
+    patchelf --add-rpath ${opensc}/lib/pkcs11 $lib/lib/libdigidocpp.so
   '';
 
   meta = with lib; {

pkgs/development/python-modules/aioskybell/default.nix

@@ -11,7 +11,7 @@
 
 buildPythonPackage rec {
   pname = "aioskybell";
-  version = "22.6.0";
+  version = "22.6.1";
   format = "setuptools";
 
   disabled = pythonOlder "3.9";
@@ -19,8 +19,8 @@ buildPythonPackage rec {
   src = fetchFromGitHub {
     owner = "tkdrob";
     repo = pname;
-    rev = version;
-    hash = "sha256-2AsEVGZ4cA1GeoxtGFuvjZ05W4FjQ5GFSM8euu9iY4s==";
+    rev = "refs/tags/${version}";
+    hash = "sha256-VaG8r4ULbjI7LkIPCit3bILZgOi9k7ddRQXwVzplaCM=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/cyclonedx-python-lib/default.nix

@@ -9,6 +9,7 @@
 , python
 , pythonOlder
 , requirements-parser
+, sortedcontainers
 , setuptools
 , toml
 , types-setuptools
@@ -18,7 +19,7 @@
 
 buildPythonPackage rec {
   pname = "cyclonedx-python-lib";
-  version = "2.4.0";
+  version = "2.5.1";
   format = "pyproject";
 
   disabled = pythonOlder "3.9";
@@ -27,7 +28,7 @@ buildPythonPackage rec {
     owner = "CycloneDX";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-IrMXHWeksEmON3LxJvQ3WSKwQTY0aRZ8XItWMr3p4gw=";
+    hash = "sha256-w/av9U42fC4g7NUw7PSW+K822klH4e1xYFPh7I4jrRA=";
   };
 
   nativeBuildInputs = [
@@ -39,6 +40,7 @@ buildPythonPackage rec {
     packageurl-python
     requirements-parser
     setuptools
+    sortedcontainers
     toml
     types-setuptools
     types-toml

pkgs/development/python-modules/dogpile-cache/default.nix

@@ -11,13 +11,13 @@
 
 buildPythonPackage rec {
   pname = "dogpile-cache";
-  version = "1.1.5";
+  version = "1.1.6";
   disabled = pythonOlder "3.6";
 
   src = fetchPypi {
     pname = "dogpile.cache";
     inherit version;
-    sha256 = "0f01bdc329329a8289af9705ff40fadb1f82a28c336f3174e12142b70d31c756";
+    sha256 = "sha256-7tweMn5myT8MFah0BWmrdO89iSkELxCPmP3tnjX6/1U=";
   };
 
   preCheck = ''

pkgs/development/python-modules/mkdocs-material/default.nix

@@ -13,7 +13,7 @@
 
 buildPythonApplication rec {
   pname = "mkdocs-material";
-  version = "8.3.3";
+  version = "8.3.4";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
@@ -22,7 +22,7 @@ buildPythonApplication rec {
     owner = "squidfunk";
     repo = pname;
     rev = "refs/tags/${version}";
-    hash = "sha256-4rJ1fKYIQli4j6x1/xipQeCXMfbILyroxrwbpcPGYiU=";
+    hash = "sha256-UQGszU1ICundexXSHMdDm15FjlnzK1ifuRn2M5fp1sA=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/peaqevcore/default.nix

@@ -6,14 +6,14 @@
 
 buildPythonPackage rec {
   pname = "peaqevcore";
-  version = "0.4.2";
+  version = "0.4.7";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-s7vJ4rAOQPZBhCA8Q+ZJl6RBTBmP90XA9c6B/xwoHU0=";
+    hash = "sha256-DEK8vOWHv+O6zpzluUkhozsihhM9Ad2lOCEf4YnT+Yk=";
   };
 
   postPatch = ''

pkgs/development/python-modules/pulumi-aws/default.nix

@@ -12,7 +12,7 @@
 buildPythonPackage rec {
   pname = "pulumi-aws";
   # Version is independant of pulumi's.
-  version = "5.7.2";
+  version = "5.8.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
@@ -21,7 +21,7 @@ buildPythonPackage rec {
     owner = "pulumi";
     repo = "pulumi-aws";
     rev = "refs/tags/v${version}";
-    hash = "sha256-oy2TBxE9zDbRc6cSml4nwibAAEq3anWngoxj6h4sYbU=";
+    hash = "sha256-exMPHz5sq6AW3hyv+pl66RmHR4nEBIeDu7NPPyH1mig=";
   };
 
   sourceRoot = "${src.name}/sdk/python";

pkgs/development/python-modules/py-sneakers/default.nix

@@ -0,0 +1,32 @@
+{ lib
+, buildPythonPackage
+, fetchPypi
+, pythonOlder
+}:
+
+buildPythonPackage rec {
+  pname = "py-sneakers";
+  version = "1.0.1";
+  format = "setuptools";
+
+  disabled = pythonOlder "3.7";
+
+  src = fetchPypi {
+    inherit pname version;
+    hash = "sha256-bIhkYTzRe4uM0kbNhbDTr6TiaOEBSiCSkPJKKCivDZY=";
+  };
+
+  # Module has no tests
+  doCheck = false;
+
+  pythonImportsCheck = [
+    "py_sneakers"
+  ];
+
+  meta = with lib; {
+    description = "Library to emulate the Sneakers movie effect";
+    homepage = "https://github.com/aenima-x/py-sneakers";
+    license = licenses.mit;
+    maintainers = with maintainers; [ fab ];
+  };
+}

pkgs/development/python-modules/pydal/default.nix

@@ -6,12 +6,12 @@
 
 buildPythonPackage rec {
   pname = "pydal";
-  version = "20220213.2";
+  version = "20220609.1";
   format = "setuptools";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-7DBLcHSEkoT8wV6824TGWRLi9vK2t+r1RwwWmRBYD9I=";
+    sha256 = "sha256-c9cWdQ+V1Phw1cfe5MUif2edXIrFQaDZC9qGBDevedI=";
   };
 
   postPatch = ''

pkgs/development/python-modules/transformers/default.nix

@@ -24,7 +24,7 @@
 
 buildPythonPackage rec {
   pname = "transformers";
-  version = "4.19.3";
+  version = "4.19.4";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
@@ -33,7 +33,7 @@ buildPythonPackage rec {
     owner = "huggingface";
     repo = pname;
     rev = "refs/tags/v${version}";
-    hash = "sha256-kXgxIjU5L4YYCqHGvhqjX4YZ3VKNLYIxIKqT1Nmv/GU=";
+    hash = "sha256-MxP87tmRsjAOkTkJ7VmlUjG4RE3mh/wF76TZQE/UOoQ=";
   };
 
   propagatedBuildInputs = [

pkgs/os-specific/linux/firejail/default.nix

@@ -11,13 +11,13 @@
 
 stdenv.mkDerivation rec {
   pname = "firejail";
-  version = "0.9.68";
+  version = "0.9.70";
 
   src = fetchFromGitHub {
     owner = "netblue30";
     repo = "firejail";
     rev = version;
-    sha256 = "18yy1mykx7h78yj7sz729i3dlsrgi25m17m5x9gbrvsx7f87rw7j";
+    sha256 = "sha256-x1txt0uER66bZN6BD6c/31Zu6fPPwC9kl/3bxEE6Ce8=";
   };
 
   nativeBuildInputs = [
@@ -41,41 +41,6 @@ stdenv.mkDerivation rec {
     # By default fbuilder hardcodes the firejail binary to the install path.
     # On NixOS the firejail binary is a setuid wrapper available in $PATH.
     ./fbuilder-call-firejail-on-path.patch
-
-    # NixOS specific whitelist to resolve binary paths in user environment
-    # Fixes https://github.com/NixOS/nixpkgs/issues/170784
-    # Upstream fix https://github.com/netblue30/firejail/pull/5131
-    # Upstream hopefully fixed in later versions > 0.9.68
-   ./whitelist-nix-profile.patch
-
-    # Fix OpenGL support for various applications including Firefox
-    # Issue: https://github.com/NixOS/nixpkgs/issues/55191
-    # Upstream fix: https://github.com/netblue30/firejail/pull/5132
-    # Hopefully fixed upstream in version > 0.9.68
-    ./fix-opengl-support.patch
-
-    # Fix CVE-2022-31214 by patching in 4 commits from upstream
-    # https://seclists.org/oss-sec/2022/q2/188
-    (fetchpatch {
-      name = "CVE-2022-31214-patch1"; # "fixing CVE-2022-31214"
-      url  = "https://github.com/netblue30/firejail/commit/27cde3d7d1e4e16d4190932347c7151dc2a84c50.patch";
-      sha256 = "sha256-XXmnYCn4TPUvU43HifZDk4tEZQvOho9/7ehU6889nN4=";
-    })
-    (fetchpatch {
-      name = "CVE-2022-31214-patch2"; # "shutdown testing"
-      url  = "https://github.com/netblue30/firejail/commit/04ff0edf74395ddcbbcec955279c74ed9a6c0f86.patch";
-      sha256 = "sha256-PV73hRlvYEQihuljSCQMNO34KJ0hDVFexhirpHcTK1I=";
-    })
-    (fetchpatch {
-      name = "CVE-2022-31214-patch3"; # "CVE-2022-31214: fixing the fix"
-      url  = "https://github.com/netblue30/firejail/commit/dab835e7a0eb287822016f5ae4e87f46e1d363e7.patch";
-      sha256 = "sha256-6plBIliW/nLKR7TdGeB88eQ65JHEasnaRsP3HPXAFyA=";
-    })
-    (fetchpatch {
-      name = "CVE-2022-31214-patch4"; # "CVE-2022-31214: fixing the fix, one more time "
-      url  = "https://github.com/netblue30/firejail/commit/1884ea22a90d225950d81c804f1771b42ae55f54.patch";
-      sha256 = "sha256-inkpcdC5rl5w+CTAwwQVBOELlHTXb8UGlpU+8kMY95s=";
-    })
   ];
 
   prePatch = ''

pkgs/tools/admin/pebble/default.nix

@@ -1,15 +1,13 @@
-{ buildGoPackage
+{ lib
+, buildGoModule
 , fetchFromGitHub
-, lib
 , nixosTests
 }:
 
-buildGoPackage rec {
+buildGoModule rec {
   pname = "pebble";
   version = "2.3.1";
 
-  goPackagePath = "github.com/letsencrypt/${pname}";
-
   src = fetchFromGitHub {
     owner = "letsencrypt";
     repo = pname;
@@ -17,6 +15,8 @@ buildGoPackage rec {
     sha256 = "sha256-S9+iRaTSRt4F6yMKK0OJO6Zto9p0dZ3q/mULaipudVo=";
   };
 
+  vendorSha256 = null;
+
   passthru.tests = {
     smoke-test = nixosTests.acme;
   };

pkgs/tools/misc/lsd/default.nix

@@ -9,16 +9,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "lsd";
-  version = "0.21.0";
+  version = "0.22.0";
 
   src = fetchFromGitHub {
     owner = "Peltoche";
     repo = pname;
     rev = version;
-    sha256 = "sha256-4pa8yJjUTO5MUDuljfU9Vo2ZjbsIwWJsJj6VVNfN25A=";
+    sha256 = "sha256-YeSEaamtIjip2nLBw/1/RSkr6ZL0p1GG2pHU14Ry6XU=";
   };
 
-  cargoSha256 = "sha256-P0HJVp2ReJuLSZrArw/EAfLFDOZqswI0nD1SCHwegoE=";
+  cargoSha256 = "sha256-JsPGw5hjNy+yTZiSBeF05o9Zl6pYXxEI4kIDLY6Q54Q=";
 
   nativeBuildInputs = [ installShellFiles pandoc ];
   postInstall = ''

pkgs/tools/package-management/nix/default.nix

@@ -93,15 +93,5 @@ in lib.makeExtensible (self: {
 
   stable = self.nix_2_9;
 
-  # remember to backport updates to the stable branch!
-  unstable = lib.lowPrio (common rec {
-    version = "2.9";
-    suffix = "pre20220610_${lib.substring 0 7 src.rev}";
-    src = fetchFromGitHub {
-      owner = "NixOS";
-      repo = "nix";
-      rev = "45ebaab66594692035f028796200a6db2b1fedaf";
-      sha256 = "sha256-82M5jKdGUxQBfYj+8nK2SvfVv4Uo0YrPxiuWV/fnvtI=";
-    };
-  });
+  unstable = self.stable;
 })

pkgs/tools/security/faraday-cli/default.nix

@@ -5,13 +5,14 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "faraday-cli";
-  version = "2.0.2";
+  version = "2.1.5";
+  format = "setuptools";
 
   src = fetchFromGitHub {
     owner = "infobyte";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-J3YlFsX/maOqWo4ILEMXzIJeQ8vr47ApGGiaBWrUCMs=";
+    hash = "sha256-kl5yOJTMobccZoaIoWwQubCrswPa69I5Kmuox7JqAXs=";
   };
 
   propagatedBuildInputs = with python3.pkgs; [
@@ -22,8 +23,10 @@ python3.pkgs.buildPythonApplication rec {
     faraday-plugins
     jsonschema
     log-symbols
+    luddite
     packaging
     pyyaml
+    py-sneakers
     simple-rest-client
     spinners
     tabulate

pkgs/tools/security/qdigidoc/default.nix

@@ -35,10 +35,14 @@ mkDerivation rec {
     qttranslations
   ];
 
-  # replace this hack with a proper cmake variable or environment variable
-  # once https://github.com/open-eid/cmake/pull/34 (or #35) gets merged.
+  # qdigidoc4's `QPKCS11::reload()` dlopen()s "opensc-pkcs11.so" in QLibrary,
+  # i.e. OpenSC's module is searched for in libQt5Core's DT_RUNPATH and fixing
+  # qdigidoc4's DT_RUNPATH has no effect on Linux (at least OpenBSD's ld.so(1)
+  # searches the program's runtime path as well).
+  # LD_LIBRARY_PATH takes precedence for all calling objects, see dlopen(3).
+  # https://github.com/open-eid/cmake/pull/35 might be an alternative.
   qtWrapperArgs = [
-      "--prefix LD_LIBRARY_PATH : ${opensc}/lib/pkcs11/"
+    "--prefix LD_LIBRARY_PATH : ${opensc}/lib/pkcs11/"
   ];
 
   meta = with lib; {

pkgs/top-level/metrics.nix

@@ -4,8 +4,7 @@ with pkgs;
 
 runCommand "nixpkgs-metrics"
   { nativeBuildInputs = with pkgs.lib; map getBin [ nix time jq ];
-    # see https://github.com/NixOS/nixpkgs/issues/52436
-    #requiredSystemFeatures = [ "benchmark" ]; # dedicated `t2a` machine, by @vcunat
+    requiredSystemFeatures = [ "benchmark" ]; # dedicated `t2a` machine, by @vcunat
   }
   ''
     export NIX_STORE_DIR=$TMPDIR/store

pkgs/top-level/python-packages.nix

@@ -6980,6 +6980,8 @@ in {
 
   py-synologydsm-api = callPackage ../development/python-modules/py-synologydsm-api { };
 
+  py-sneakers = callPackage ../development/python-modules/py-sneakers { };
+
   py-tes = callPackage ../development/python-modules/py-tes { };
 
   py-ubjson = callPackage ../development/python-modules/py-ubjson { };