diff --git a/nixos/doc/manual/release-notes/rl-2105.xml b/nixos/doc/manual/release-notes/rl-2105.xml
index d85b18ecb3e..7cfeeb6f1a6 100644
--- a/nixos/doc/manual/release-notes/rl-2105.xml
+++ b/nixos/doc/manual/release-notes/rl-2105.xml
@@ -330,7 +330,7 @@
- vim switched to Python 3, dropping all Python 2 support.
+ vim and neovim switched to Python 3, dropping all Python 2 support.
diff --git a/nixos/modules/services/misc/home-assistant.nix b/nixos/modules/services/misc/home-assistant.nix
index 0590f54ae60..1985f130881 100644
--- a/nixos/modules/services/misc/home-assistant.nix
+++ b/nixos/modules/services/misc/home-assistant.nix
@@ -245,22 +245,85 @@ in {
rm -f "${cfg.configDir}/ui-lovelace.yaml"
ln -s ${lovelaceConfigFile} "${cfg.configDir}/ui-lovelace.yaml"
'');
- serviceConfig = {
- ExecStart = "${package}/bin/hass --config '${cfg.configDir}'";
+ serviceConfig = let
+ # List of capabilities to equip home-assistant with, depending on configured components
+ capabilities = [
+ # Empty string first, so we will never accidentally have an empty capability bounding set
+ # https://github.com/NixOS/nixpkgs/issues/120617#issuecomment-830685115
+ ""
+ ] ++ (unique (optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [
+ # Required for interaction with hci devices and bluetooth sockets
+ # https://www.home-assistant.io/integrations/bluetooth_le_tracker/#rootless-setup-on-core-installs
+ "CAP_NET_ADMIN"
+ "CAP_NET_RAW"
+ ] ++ lib.optionals (useComponent "emulated_hue") [
+ # Alexa looks for the service on port 80
+ # https://www.home-assistant.io/integrations/emulated_hue
+ "CAP_NET_BIND_SERVICE"
+ ] ++ lib.optionals (useComponent "nmap_tracker") [
+ # https://www.home-assistant.io/integrations/nmap_tracker#linux-capabilities
+ "CAP_NET_ADMIN"
+ "CAP_NET_BIND_SERVICE"
+ "CAP_NET_RAW"
+ ]));
+ in {
+ ExecStart = "${package}/bin/hass --runner --config '${cfg.configDir}'";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
User = "hass";
Group = "hass";
Restart = "on-failure";
+ RestartForceExitStatus = "100";
+ SuccessExitStatus = "100";
+ KillSignal = "SIGINT";
+
+ # Hardening
+ AmbientCapabilities = capabilities;
+ CapabilityBoundingSet = capabilities;
+ DeviceAllow = [
+ "char-ttyACM rw"
+ "char-ttyAMA rw"
+ "char-ttyUSB rw"
+ ];
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
+ PrivateTmp = true;
+ PrivateUsers = false; # prevents gaining capabilities in the host namespace
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
ProtectSystem = "strict";
+ RemoveIPC = true;
ReadWritePaths = let
+ # Allow rw access to explicitly configured paths
cfgPath = [ "config" "homeassistant" "allowlist_external_dirs" ];
value = attrByPath cfgPath [] cfg;
allowPaths = if isList value then value else singleton value;
in [ "${cfg.configDir}" ] ++ allowPaths;
- KillSignal = "SIGINT";
- PrivateTmp = true;
- RemoveIPC = true;
- AmbientCapabilities = "cap_net_raw,cap_net_admin+eip";
+ RestrictAddressFamilies = [
+ "AF_UNIX"
+ "AF_INET"
+ "AF_INET6"
+ ] ++ optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [
+ "AF_BLUETOOTH"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SupplementaryGroups = [ "dialout" ];
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ ];
+ UMask = "0077";
};
path = [
"/run/wrappers" # needed for ping
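Review bot: The `RestrictAddressFamilies` list never admits `AF_PACKET`, yet the `nmap_tracker` branch grants `CAP_NET_RAW` precisely so nmap can do raw-socket scans; nmap's ARP/ethernet-level host discovery on a local subnet goes through libpcap, which opens `AF_PACKET` sockets, so that integration may still fail inside the sandbox despite the capability. Consider adding `++ optionals (useComponent "nmap_tracker") [ "AF_PACKET" ]` next to the bluetooth case and covering nmap_tracker in the VM test the way emulated_hue now is. `MemoryDenyWriteExecute = true` is also a known source of breakage for Python services whose native extensions rely on ctypes/cffi trampolines, so a comment naming it as the first knob to suspect when a component crashes would help future debugging. The `PrivateUsers = false` comment reads as if `false` were the protective value; suggest `# PrivateUsers = true would run in a user namespace where the ambient capabilities above do not apply to host resources`. The enclosing `systemd.services.home-assistant` definition begins before this hunk.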
@@ -278,7 +341,6 @@ in {
home = cfg.configDir;
createHome = true;
group = "hass";
- extraGroups = [ "dialout" ];
uid = config.ids.uids.hass;
};
diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix
index 10b49d9b220..8e814ffd0b9 100644
--- a/nixos/modules/services/networking/mosquitto.nix
+++ b/nixos/modules/services/networking/mosquitto.nix
@@ -20,8 +20,7 @@ let
acl_file ${aclFile}
persistence true
allow_anonymous ${boolToString cfg.allowAnonymous}
- bind_address ${cfg.host}
- port ${toString cfg.port}
+ listener ${toString cfg.port} ${cfg.host}
${passwordConf}
${listenerConf}
${cfg.extraConf}
@@ -233,15 +232,50 @@ in
ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
- ProtectSystem = "strict";
- ProtectHome = true;
+ # Hardening
+ CapabilityBoundingSet = "";
+ DevicePolicy = "closed";
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
- ReadWritePaths = "${cfg.dataDir}";
+ PrivateUsers = true;
+ ProtectClock = true;
ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
- NoNewPrivileges = true;
+ ProtectProc = "invisible";
+ ProcSubset = "pid";
+ ProtectSystem = "strict";
+ ReadWritePaths = [
+ cfg.dataDir
+ "/tmp" # mosquitto_passwd creates files in /tmp before moving them
+ ];
+ ReadOnlyPaths = with cfg.ssl; lib.optionals (enable) [
+ certfile
+ keyfile
+ cafile
+ ];
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_UNIX" # for sd_notify() call
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [
+ "@system-service"
+ "~@privileged"
+ "~@resources"
+ ];
+ UMask = "0077";
};
preStart = ''
rm -f ${cfg.dataDir}/passwd
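Review bot: With `CapabilityBoundingSet = ""` and `PrivateUsers = true` mosquitto can no longer bind a port below 1024, so a configuration with `cfg.port` or an SSL/extra listener on a privileged port will now fail at startup with nothing pointing at the hardening; either add an assertion such as `{ assertion = cfg.port >= 1024; message = "services.mosquitto.port must be >= 1024 (service runs without CAP_NET_BIND_SERVICE)"; }` or document the restriction on the `port` option. `ReadOnlyPaths` splices `certfile`, `keyfile` and `cafile` unconditionally when `ssl.enable` is set; if any of those options is nullable (a CA file is commonly optional) a `null` element breaks evaluation, so `filter (p: p != null)` would be safer — the option declarations are not visible from this hunk. The `/tmp` entry in `ReadWritePaths` only matters when `PrivateTmp` is overridden to false, as the accompanying test does; a comment stating that would stop a later reader from removing one of the two. The enclosing `serviceConfig` attribute set starts before this hunk.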
diff --git a/nixos/tests/home-assistant.nix b/nixos/tests/home-assistant.nix
index 3b7295324a1..c75dd248ecb 100644
--- a/nixos/tests/home-assistant.nix
+++ b/nixos/tests/home-assistant.nix
@@ -1,4 +1,4 @@
-import ./make-test-python.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, lib, ... }:
let
configDir = "/var/lib/foobar";
@@ -6,9 +6,7 @@ let
mqttPassword = "secret";
in {
name = "home-assistant";
- meta = with pkgs.lib; {
- maintainers = with maintainers; [ dotlambda ];
- };
+ meta.maintainers = lib.teams.home-assistant.members;
nodes.hass = { pkgs, ... }: {
environment.systemPackages = with pkgs; [ mosquitto ];
@@ -47,6 +45,10 @@ in {
payload_on = "let_there_be_light";
payload_off = "off";
}];
+ emulated_hue = {
+ host_ip = "127.0.0.1";
+ listen_port = 80;
+ };
logger = {
default = "info";
logs."homeassistant.components.mqtt" = "debug";
@@ -82,6 +84,9 @@ in {
hass.succeed(
"mosquitto_pub -V mqttv5 -t home-assistant/test -u ${mqttUsername} -P '${mqttPassword}' -m let_there_be_light"
)
+ with subtest("Check that capabilities are passed for emulated_hue to bind to port 80"):
+ hass.wait_for_open_port(80)
+ hass.succeed("curl --fail http://localhost:80/description.xml")
with subtest("Print log to ease debugging"):
output_log = hass.succeed("cat ${configDir}/home-assistant.log")
print("\n### home-assistant.log ###\n")
@@ -93,5 +98,8 @@ in {
# example line: 2020-06-20 10:01:32 DEBUG (MainThread) [homeassistant.components.mqtt] Received message on home-assistant/test: b'let_there_be_light'
with subtest("Check we received the mosquitto message"):
assert "let_there_be_light" in output_log
+
+ with subtest("Check systemd unit hardening"):
+ hass.log(hass.succeed("systemd-analyze security home-assistant.service"))
'';
})
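Review bot: The new `Check systemd unit hardening` subtest only logs the `systemd-analyze security` output, so a later change that loosens the sandbox cannot make the test fail. If the systemd in this release supports it, `hass.succeed("systemd-analyze security --threshold=5 home-assistant.service")` turns it into a real gate; otherwise capture the output and assert on the exposure-level line, e.g. `assert "UNSAFE" not in report`, so the score is pinned rather than merely printed. Either way a short comment explaining the intent of logging the report would help.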
diff --git a/nixos/tests/mosquitto.nix b/nixos/tests/mosquitto.nix
index 308c1396013..e29bd559ed9 100644
--- a/nixos/tests/mosquitto.nix
+++ b/nixos/tests/mosquitto.nix
@@ -1,4 +1,4 @@
-import ./make-test-python.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, lib, ... }:
let
port = 1888;
@@ -30,6 +30,9 @@ in {
];
};
};
+
+ # disable private /tmp for this test
+ systemd.services.mosquitto.serviceConfig.PrivateTmp = lib.mkForce false;
};
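Review bot: Overriding `PrivateTmp` to false means the VM test no longer exercises the service sandbox exactly as users get it, and the comment does not say why the override is needed. Presumably the test exchanges files through the host's `/tmp` with the service, which the private tmp would hide; state that explicitly, e.g. `# the test shares files with the broker via /tmp; a private /tmp would hide them (production keeps PrivateTmp on)`, so the override is not mistaken for a production requirement.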
client1 = client;
diff --git a/pkgs/applications/editors/neovim/default.nix b/pkgs/applications/editors/neovim/default.nix
index 3e5de3d5fc1..1b4835064f9 100644
--- a/pkgs/applications/editors/neovim/default.nix
+++ b/pkgs/applications/editors/neovim/default.nix
@@ -6,7 +6,7 @@
# now defaults to false because some tests can be flaky (clipboard etc)
, doCheck ? false
-, nodejs ? null, fish ? null, python ? null
+, nodejs ? null, fish ? null, python3 ? null
}:
with lib;
@@ -19,7 +19,7 @@ let
]
));
- pyEnv = python.withPackages(ps: [ ps.pynvim ps.msgpack ]);
+ pyEnv = python3.withPackages(ps: with ps; [ pynvim msgpack ]);
# FIXME: this is verry messy and strange.
# see https://github.com/NixOS/nixpkgs/pull/80528
diff --git a/pkgs/applications/editors/neovim/neovim-qt.nix b/pkgs/applications/editors/neovim/neovim-qt.nix
index d925ddd2a52..0a4d17d997b 100644
--- a/pkgs/applications/editors/neovim/neovim-qt.nix
+++ b/pkgs/applications/editors/neovim/neovim-qt.nix
@@ -1,5 +1,5 @@
{ lib, mkDerivation, fetchFromGitHub, cmake, doxygen, makeWrapper
-, msgpack, neovim, pythonPackages, qtbase }:
+, msgpack, neovim, python3Packages, qtbase }:
mkDerivation rec {
pname = "neovim-qt-unwrapped";
@@ -20,7 +20,7 @@ mkDerivation rec {
buildInputs = [
neovim.unwrapped # only used to generate help tags at build time
qtbase
- ] ++ (with pythonPackages; [
+ ] ++ (with python3Packages; [
jinja2 python msgpack
]);
diff --git a/pkgs/applications/editors/neovim/neovim-remote.nix b/pkgs/applications/editors/neovim/neovim-remote.nix
index 867e2275128..2b1281ae21b 100644
--- a/pkgs/applications/editors/neovim/neovim-remote.nix
+++ b/pkgs/applications/editors/neovim/neovim-remote.nix
@@ -1,11 +1,14 @@
-{ lib, fetchFromGitHub, pythonPackages }:
+{ lib
+, fetchFromGitHub
+, python3
+, neovim
+}:
with lib;
-pythonPackages.buildPythonApplication rec {
+with python3.pkgs; buildPythonApplication rec {
pname = "neovim-remote";
version = "2.4.0";
- disabled = !pythonPackages.isPy3k;
src = fetchFromGitHub {
owner = "mhinz";
@@ -14,12 +17,24 @@ pythonPackages.buildPythonApplication rec {
sha256 = "0jlw0qksak4bdzddpsj74pm2f2bgpj3cwrlspdjjy0j9qzg0mpl9";
};
- propagatedBuildInputs = with pythonPackages; [
+ propagatedBuildInputs = [
pynvim
psutil
setuptools
];
+ checkInputs = [
+ neovim
+ pytestCheckHook
+ ];
+
+ disabledTests = [
+ # these tests get stuck and never return
+ "test_escape_filenames_properly"
+ "test_escape_single_quotes_in_filenames"
+ "test_escape_double_quotes_in_filenames"
+ ];
+
meta = {
description = "A tool that helps controlling nvim processes from a terminal";
homepage = "https://github.com/mhinz/neovim-remote/";
diff --git a/pkgs/applications/editors/neovim/qt.nix b/pkgs/applications/editors/neovim/qt.nix
index 5210b6b67c8..1da7e7e966e 100644
--- a/pkgs/applications/editors/neovim/qt.nix
+++ b/pkgs/applications/editors/neovim/qt.nix
@@ -1,5 +1,4 @@
-{ lib, stdenv, mkDerivation, fetchFromGitHub, cmake, doxygen, makeWrapper
-, msgpack, neovim, pythonPackages, qtbase, neovim-qt-unwrapped }:
+{ stdenv, makeWrapper, neovim, neovim-qt-unwrapped }:
let
unwrapped = neovim-qt-unwrapped;
diff --git a/pkgs/applications/editors/neovim/utils.nix b/pkgs/applications/editors/neovim/utils.nix
index d992ccd3f6a..6d04fa6851a 100644
--- a/pkgs/applications/editors/neovim/utils.nix
+++ b/pkgs/applications/editors/neovim/utils.nix
@@ -4,7 +4,6 @@
, neovim-unwrapped
, bundlerEnv
, ruby
-, pythonPackages
, python3Packages
, writeText
, wrapNeovimUnstable
@@ -48,12 +47,6 @@ let
requiredPlugins = vimUtils.requiredPlugins configure;
getDeps = attrname: map (plugin: plugin.${attrname} or (_: [ ]));
- pluginPython2Packages = getDeps "pythonDependencies" requiredPlugins;
- python2Env = pythonPackages.python.withPackages (ps:
- [ ps.pynvim ]
- ++ (extraPython2Packages ps)
- ++ (lib.concatMap (f: f ps) pluginPython2Packages));
-
pluginPython3Packages = getDeps "python3Dependencies" requiredPlugins;
python3Env = python3Packages.python.withPackages (ps:
[ ps.pynvim ]
@@ -69,7 +62,6 @@ let
# While the latter tells nvim that this provider is not available
hostprog_check_table = {
node = withNodeJs;
- python = withPython2;
python3 = withPython3;
ruby = withRuby;
};
@@ -99,11 +91,12 @@ let
manifestRc = vimUtils.vimrcContent (configure // { customRC = ""; });
neovimRcContent = vimUtils.vimrcContent configure;
in
+ assert withPython2 -> throw "Python2 support has been removed from neovim, please remove withPython2 and extraPython2Packages.";
+
args // {
wrapperArgs = makeWrapperArgs;
inherit neovimRcContent;
inherit manifestRc;
- inherit python2Env;
inherit python3Env;
inherit withNodeJs;
} // lib.optionalAttrs withRuby {
@@ -120,7 +113,7 @@ let
# to keep backwards compatibility
legacyWrapper = neovim: {
extraMakeWrapperArgs ? ""
- , withPython ? true
+ , withPython ? false
/* the function you would have passed to python.withPackages */
, extraPythonPackages ? (_: [])
/* the function you would have passed to python.withPackages */
@@ -138,14 +131,14 @@ let
else funOrList);
res = makeNeovimConfig {
- withPython2 = withPython;
- extraPythonPackages = compatFun extraPythonPackages;
inherit withPython3;
extraPython3Packages = compatFun extraPython3Packages;
inherit withNodeJs withRuby viAlias vimAlias;
inherit configure;
};
in
+ assert withPython -> throw "Python2 support has been removed from neovim, please remove withPython and extraPythonPackages.";
+
wrapNeovimUnstable neovim (res // {
wrapperArgs = lib.escapeShellArgs (
res.wrapperArgs ++ lib.optionals (configure != {}) [
diff --git a/pkgs/applications/editors/neovim/wrapper.nix b/pkgs/applications/editors/neovim/wrapper.nix
index 66127980bf6..db30832d239 100644
--- a/pkgs/applications/editors/neovim/wrapper.nix
+++ b/pkgs/applications/editors/neovim/wrapper.nix
@@ -3,7 +3,6 @@
, bundlerEnv, ruby
, nodejs
, nodePackages
-, pythonPackages
, python3Packages
}:
with lib;
@@ -15,7 +14,7 @@ let
# should contain all args but the binary
wrapperArgs ? ""
, manifestRc ? null
- , withPython2 ? true, python2Env ? null
+ , withPython2 ? false
, withPython3 ? true, python3Env ? null
, withNodeJs ? false
, rubyEnv ? null
@@ -35,6 +34,8 @@ let
[ "${neovim}/bin/nvim" "${placeholder "out"}/bin/nvim" ] ++
[ "--set" "NVIM_SYSTEM_RPLUGIN_MANIFEST" "${placeholder "out"}/rplugin.vim" ];
in
+ assert withPython2 -> throw "Python2 support has been removed from the neovim wrapper, please remove withPython2 and python2Env.";
+
symlinkJoin {
name = "neovim-${lib.getVersion neovim}";
# Remove the symlinks created by symlinkJoin which we need to perform
@@ -44,9 +45,6 @@ let
substitute ${neovim}/share/applications/nvim.desktop $out/share/applications/nvim.desktop \
--replace 'Name=Neovim' 'Name=WrappedNeovim'
''
- + optionalString withPython2 ''
- makeWrapper ${python2Env}/bin/python $out/bin/nvim-python --unset PYTHONPATH
- ''
+ optionalString withPython3 ''
makeWrapper ${python3Env}/bin/python3 $out/bin/nvim-python3 --unset PYTHONPATH
''
diff --git a/pkgs/applications/editors/vscode/generic.nix b/pkgs/applications/editors/vscode/generic.nix
index 060078cd57b..2d8f639a0c6 100644
--- a/pkgs/applications/editors/vscode/generic.nix
+++ b/pkgs/applications/editors/vscode/generic.nix
@@ -1,7 +1,8 @@
{ stdenv, lib, makeDesktopItem
, unzip, libsecret, libXScrnSaver, libxshmfence, wrapGAppsHook
, gtk2, atomEnv, at-spi2-atk, autoPatchelfHook
-, systemd, fontconfig, libdbusmenu
+, systemd, fontconfig, libdbusmenu, buildFHSUserEnvBubblewrap
+, writeShellScriptBin
# Populate passthru.tests
, tests
@@ -13,13 +14,14 @@
let
inherit (stdenv.hostPlatform) system;
-in
- stdenv.mkDerivation {
+ unwrapped = stdenv.mkDerivation {
inherit pname version src sourceRoot;
passthru = {
inherit executableName tests;
+ fhs = fhs {};
+ fhsWithPackages = f: fhs { additionalPkgs = f; };
};
desktopItem = makeDesktopItem {
@@ -97,4 +99,64 @@ in
'';
inherit meta;
- }
+ };
+
+ # Vscode and variants allow for users to download and use extensions
+ # which often include the usage of pre-built binaries.
+ # This has been an on-going painpoint for many users, as
+ # a full extension update cycle has to be done through nixpkgs
+ # in order to create or update extensions.
+ # See: #83288 #91179 #73810 #41189
+ #
+ # buildFHSUserEnv allows for users to use the existing vscode
+ # extension tooling without significant pain.
+ fhs = { additionalPkgs ? pkgs: [] }: buildFHSUserEnvBubblewrap {
+ # also determines the name of the wrapped command
+ name = executableName;
+
+ # additional libraries which are commonly needed for extensions
+ targetPkgs = pkgs: (with pkgs; [
+ # ld-linux-x86-64-linux.so.2 and others
+ glibc
+
+ # dotnet
+ curl
+ icu
+ libunwind
+ libuuid
+ openssl
+ zlib
+
+ # mono
+ krb5
+ ]) ++ additionalPkgs pkgs;
+
+ # restore desktop item icons
+ extraInstallCommands = ''
+ mkdir -p $out/share/applications
+ for item in ${unwrapped}/share/applications/*.desktop; do
+ ln -s $item $out/share/applications/
+ done
+ '';
+
+ runScript = "${unwrapped}/bin/${executableName}";
+
+ # vscode likes to kill the parent so that the
+ # gui application isn't attached to the terminal session
+ dieWithParent = false;
+
+ passthru = {
+ inherit executableName;
+ inherit (unwrapped) pname version; # for home-manager module
+ };
+
+ meta = meta // {
+ description = ''
+ Wrapped variant of ${pname} which launches in a FHS compatible envrionment.
+ Should allow for easy usage of extensions without nix-specific modifications.
+ '';
+ };
+ };
+in
+ unwrapped
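Review bot: The `fhs` wrapper should say that it is a compatibility shim rather than a security boundary: this diff leaves the bubblewrap env's namespace defaults in place (the helper's `unshareNet` defaults to false), so extension binaries fetched by VS Code run with the user's full network and file access; suggest `# NOTE: bubblewrap here only provides the FHS layout; extensions still run with full user privileges` above `fhs = `. `meta.description` is a multi-line `''` string and contains the typo `envrionment`; nixpkgs convention is a single-line `description` with `longDescription` for the rest, e.g. `description = "Wrapped variant of ${pname} which launches in a FHS compatible environment";`. `dieWithParent = false` is justified by its comment, but it also means sandboxed children outlive the launching terminal, which is worth mentioning there.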
+
diff --git a/pkgs/applications/networking/cluster/kubelogin-oidc/default.nix b/pkgs/applications/networking/cluster/kubelogin-oidc/default.nix
index 7cbe5558533..a51230d5ff4 100644
--- a/pkgs/applications/networking/cluster/kubelogin-oidc/default.nix
+++ b/pkgs/applications/networking/cluster/kubelogin-oidc/default.nix
@@ -2,18 +2,18 @@
buildGoModule rec {
pname = "kubelogin";
- version = "1.23.0";
+ version = "1.23.1";
src = fetchFromGitHub {
owner = "int128";
repo = pname;
rev = "v${version}";
- sha256 = "0n94nx17c6ln2nd6d9yr93vc251y1xphq1wj2vzs4j2l8dqfyjpn";
+ sha256 = "sha256-YK/QGx6QzSeyeZ61KgdYO3POJQFK1F6yJayd2gcRWS4=";
};
subPackages = ["."];
- vendorSha256 = "1dvrk6z6k66wawgb50n8hbgdd8fly399mlbgnvxi671vfi7lkz09";
+ vendorSha256 = "sha256-tnjgs8Ziqdo1ciVOWtL0D8puv2SZGqSHgo2SV7N8F0M=";
# Rename the binary instead of symlinking to avoid conflict with the
# Azure version of kubelogin
diff --git a/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix b/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix
index 1911d08d2a1..868686bd5c0 100644
--- a/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix
+++ b/pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix
@@ -14,6 +14,7 @@ args @ {
, unshareNet ? false
, unshareUts ? true
, unshareCgroup ? true
+, dieWithParent ? true
, ...
}:
@@ -22,7 +23,7 @@ let
buildFHSEnv = callPackage ./env.nix { };
env = buildFHSEnv (removeAttrs args [
- "runScript" "extraInstallCommands" "meta" "passthru"
+ "runScript" "extraInstallCommands" "meta" "passthru" "dieWithParent"
"unshareUser" "unshareCgroup" "unshareUts" "unshareNet" "unsharePid" "unshareIpc"
]);
@@ -30,6 +31,13 @@ let
files = [
# NixOS Compatibility
"static"
+ "nix" # mainly for nixUnstable users, but also for access to nix/netrc
+ # Shells
+ "bashrc"
+ "zshenv"
+ "zshrc"
+ "zinputrc"
+ "zprofile"
# Users, Groups, NSS
"passwd"
"group"
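Review bot: Binding `/etc/nix` into every FHS environment exposes `/etc/nix/netrc` (and any access tokens in `nix.conf`) to whatever runs inside the sandbox, and with this commit that includes VS Code extensions that download and run prebuilt binaries; the comment mentions netrc as a feature but not the trade-off. Suggest spelling it out: `# "nix" — exposes nix.conf and, if present, netrc with binary-cache credentials to the sandboxed program`. If the list accepts sub-paths, binding `nix/nix.conf` alone and leaving netrc to be opted in would limit the exposure; I cannot tell from this hunk how `files` is consumed.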
@@ -136,7 +144,7 @@ let
${lib.optionalString unshareNet "--unshare-net"}
${lib.optionalString unshareUts "--unshare-uts"}
${lib.optionalString unshareCgroup "--unshare-cgroup"}
- --die-with-parent
+ ${lib.optionalString dieWithParent "--die-with-parent"}
--ro-bind /nix /nix
# Our glibc will look for the cache in its own path in `/nix/store`.
# As such, we need a cache to exist there, because pressure-vessel
diff --git a/pkgs/data/icons/tela-icon-theme/default.nix b/pkgs/data/icons/tela-icon-theme/default.nix
index 23e56e6107c..aaf32fdf16d 100644
--- a/pkgs/data/icons/tela-icon-theme/default.nix
+++ b/pkgs/data/icons/tela-icon-theme/default.nix
@@ -1,6 +1,6 @@
-{ fetchFromGitHub, gtk3, hicolor-icon-theme, jdupes, lib, stdenv }:
+{ fetchFromGitHub, gtk3, hicolor-icon-theme, jdupes, lib, stdenvNoCC }:
-stdenv.mkDerivation rec {
+stdenvNoCC.mkDerivation rec {
pname = "tela-icon-theme";
version = "2021-01-21";
@@ -17,6 +17,10 @@ stdenv.mkDerivation rec {
dontDropIconThemeCache = true;
+ # These fixup steps are slow and unnecessary.
+ dontPatchELF = true;
+ dontRewriteSymlinks = true;
+
installPhase = ''
runHook preInstall
@@ -31,7 +35,7 @@ stdenv.mkDerivation rec {
meta = with lib; {
description = "A flat colorful Design icon theme";
homepage = "https://github.com/vinceliuice/tela-icon-theme";
- license = licenses.gpl3Plus;
+ license = licenses.gpl3Only;
platforms = platforms.unix;
maintainers = with maintainers; [ figsoda ];
};
diff --git a/pkgs/development/libraries/py3c/default.nix b/pkgs/development/libraries/py3c/default.nix
index 2a89161ef38..eec051f0cc1 100644
--- a/pkgs/development/libraries/py3c/default.nix
+++ b/pkgs/development/libraries/py3c/default.nix
@@ -11,6 +11,11 @@ stdenv.mkDerivation rec {
sha256 = "04i2z7hrig78clc59q3i1z2hh24g7z1bfvxznlzxv00d4s57nhpi";
};
+ postPatch = lib.optionalString stdenv.cc.isClang ''
+ substituteInPlace test/setup.py \
+ --replace "'-Werror', " ""
+ '';
+
makeFlags = [
"prefix=${placeholder "out"}"
];
@@ -26,6 +31,6 @@ stdenv.mkDerivation rec {
homepage = "https://github.com/encukou/py3c";
description = "Python 2/3 compatibility layer for C extensions";
license = licenses.mit;
- maintainers = with maintainers; [ ajs124 ];
+ maintainers = with maintainers; [ ajs124 dotlambda ];
};
}
diff --git a/pkgs/development/python-modules/csvw/default.nix b/pkgs/development/python-modules/csvw/default.nix
index e4bd7ab2b62..cf388409c57 100644
--- a/pkgs/development/python-modules/csvw/default.nix
+++ b/pkgs/development/python-modules/csvw/default.nix
@@ -14,14 +14,14 @@
buildPythonPackage rec {
pname = "csvw";
- version = "1.10.1";
+ version = "1.10.2";
disabled = isPy27;
src = fetchFromGitHub {
owner = "cldf";
repo = "csvw";
rev = "v${version}";
- sha256 = "1764nfa4frjdd7v6wj35y7prnciaqz57wwygy5zfavl4laxn4nxd";
+ sha256 = "0z0qxlsfxwz1qapxb4d0mz3wkj99d7zi9yrg1cbd2xp7giagb6d4";
};
patchPhase = ''
diff --git a/pkgs/tools/graphics/pngquant/default.nix b/pkgs/tools/graphics/pngquant/default.nix
index b3b1773faf1..7463e2a45e0 100644
--- a/pkgs/tools/graphics/pngquant/default.nix
+++ b/pkgs/tools/graphics/pngquant/default.nix
@@ -2,13 +2,13 @@
stdenv.mkDerivation rec {
pname = "pngquant";
- version = "2.12.5";
+ version = "2.14.1";
src = fetchFromGitHub {
- owner = "pornel";
+ owner = "kornelski";
repo = "pngquant";
rev = version;
- sha256 = "0sq398iv5cacblz6pb4j2hn16cnszsbkahikdpfq84rb9bj0ya40";
+ sha256 = "054hi33qp3jc7hv0141wi8drwdg24v5zfp8znwjmz4mcdls8vxbb";
fetchSubmodules = true;
};
@@ -17,11 +17,14 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ pkg-config ];
buildInputs = [ libpng zlib lcms2 ];
+ doCheck = true;
+
meta = with lib; {
homepage = "https://pngquant.org/";
description = "A tool to convert 24/32-bit RGBA PNGs to 8-bit palette with alpha channel preserved";
+ changelog = "https://github.com/kornelski/pngquant/raw/${version}/CHANGELOG";
platforms = platforms.unix;
- license = licenses.gpl3;
+ license = with licenses; [ gpl3Plus hpnd bsd2 ];
maintainers = [ maintainers.volth ];
};
}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index f0be0d9632d..47811b42036 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -26636,7 +26636,7 @@ in
gnvim = callPackage ../applications/editors/neovim/gnvim/wrapper.nix { };
- neovim-remote = callPackage ../applications/editors/neovim/neovim-remote.nix { pythonPackages = python3Packages; };
+ neovim-remote = callPackage ../applications/editors/neovim/neovim-remote.nix { };
vis = callPackage ../applications/editors/vis {
inherit (lua52Packages) lpeg;
@@ -26754,6 +26754,8 @@ in
};
vscode = callPackage ../applications/editors/vscode/vscode.nix { };
+ vscode-fhs = vscode.fhs;
+ vscode-fhsWithPackages = vscode.fhsWithPackages;
vscode-with-extensions = callPackage ../applications/editors/vscode/with-extensions.nix {};
@@ -26762,6 +26764,8 @@ in
vscode-extensions = recurseIntoAttrs (callPackage ../misc/vscode-extensions {});
vscodium = callPackage ../applications/editors/vscode/vscodium.nix { };
+ vscodium-fhs = vscodium.fhs;
+ vscodium-fhsWithPackages = vscodium.fhsWithPackages;
code-server = callPackage ../servers/code-server {
inherit (darwin.apple_sdk.frameworks) AppKit Cocoa Security;