Merge staging-next into staging

lib/trivial.nix

@@ -307,14 +307,14 @@ rec {
 
   /* Reads a JSON file.
 
-     Type :: path -> any
+     Type: importJSON :: path -> any
   */
   importJSON = path:
     builtins.fromJSON (builtins.readFile path);
 
   /* Reads a TOML file.
 
-     Type :: path -> any
+     Type: importTOML :: path -> any
   */
   importTOML = path:
     builtins.fromTOML (builtins.readFile path);

nixos/modules/image/repart.nix

@@ -88,6 +88,13 @@ in
       '';
     };
 
+    package = lib.mkPackageOption pkgs "systemd-repart" {
+      default = "systemd";
+      example = lib.literalExpression ''
+        pkgs.systemdMinimal.override { withCryptsetup = true; }
+      '';
+    };
+
     partitions = lib.mkOption {
       type = with lib.types; attrsOf (submodule partitionOptions);
       default = { };
@@ -178,9 +185,9 @@ in
       in
       pkgs.runCommand cfg.name
         {
-          nativeBuildInputs = with pkgs; [
-            fakeroot
-            systemd
+          nativeBuildInputs = [
+            cfg.package
+            pkgs.fakeroot
           ] ++ fileSystemTools;
         } ''
         amendedRepartDefinitions=$(${amendRepartDefinitions} ${partitions} ${definitionsDirectory})

nixos/modules/security/wrappers/wrapper.c

@@ -1,3 +1,4 @@
+#define _GNU_SOURCE
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
@@ -16,7 +17,10 @@
 #include <syscall.h>
 #include <byteswap.h>
 
+// aborts when false, printing the failed expression
 #define ASSERT(expr) ((expr) ? (void) 0 : assert_failure(#expr))
+// aborts when returns non-zero, printing the failed expression and errno
+#define MUSTSUCCEED(expr) ((expr) ? print_errno_and_die(#expr) : (void) 0)
 
 extern char **environ;
 
@@ -41,6 +45,12 @@ static noreturn void assert_failure(const char *assertion) {
     abort();
 }
 
+static noreturn void print_errno_and_die(const char *assertion) {
+    fprintf(stderr, "Call `%s` in NixOS's wrapper.c failed: %s\n", assertion, strerror(errno));
+    fflush(stderr);
+    abort();
+}
+
 int get_last_cap(unsigned *last_cap) {
     FILE* file = fopen("/proc/sys/kernel/cap_last_cap", "r");
     if (file == NULL) {
@@ -177,6 +187,17 @@ int main(int argc, char **argv) {
         fprintf(stderr, "cannot readlink /proc/self/exe: %s", strerror(-self_path_size));
     }
 
+    unsigned int ruid, euid, suid, rgid, egid, sgid;
+    MUSTSUCCEED(getresuid(&ruid, &euid, &suid));
+    MUSTSUCCEED(getresgid(&rgid, &egid, &sgid));
+
+    // If true, then we did not benefit from setuid privilege escalation,
+    // where the original uid is still in ruid and different from euid == suid.
+    int didnt_suid = (ruid == euid) && (euid == suid);
+    // If true, then we did not benefit from setgid privilege escalation
+    int didnt_sgid = (rgid == egid) && (egid == sgid);
+
+
     // Make sure that we are being executed from the right location,
     // i.e., `safe_wrapper_dir'.  This is to prevent someone from creating
     // hard link `X' from some other location, along with a false
@@ -189,15 +210,22 @@ int main(int argc, char **argv) {
     ASSERT('/' == wrapper_dir[0]);
     ASSERT('/' == self_path[len]);
 
-    // Make *really* *really* sure that we were executed as
-    // `self_path', and not, say, as some other setuid program. That
-    // is, our effective uid/gid should match the uid/gid of
-    // `self_path'.
+    // If we got privileges with the fs set[ug]id bit, check that the privilege we
+    // got matches the one one we expected, ie that our effective uid/gid
+    // matches the uid/gid of `self_path`. This ensures that we were executed as
+    // `self_path', and not, say, as some other setuid program.
+    // We don't check that if we did not benefit from the set[ug]id bit, as
+    // can be the case in nosuid mounts or user namespaces.
     struct stat st;
     ASSERT(lstat(self_path, &st) != -1);
 
-    ASSERT(!(st.st_mode & S_ISUID) || (st.st_uid == geteuid()));
-    ASSERT(!(st.st_mode & S_ISGID) || (st.st_gid == getegid()));
+    // if the wrapper gained privilege with suid, check that we got the uid of the file owner
+    ASSERT(!((st.st_mode & S_ISUID) && !didnt_suid) || (st.st_uid == euid));
+    // if the wrapper gained privilege with sgid, check that we got the gid of the file group
+    ASSERT(!((st.st_mode & S_ISGID) && !didnt_sgid) || (st.st_gid == egid));
+    // same, but with suid instead of euid
+    ASSERT(!((st.st_mode & S_ISUID) && !didnt_suid) || (st.st_uid == suid));
+    ASSERT(!((st.st_mode & S_ISGID) && !didnt_sgid) || (st.st_gid == sgid));
 
     // And, of course, we shouldn't be writable.
     ASSERT(!(st.st_mode & (S_IWGRP | S_IWOTH)));

nixos/modules/services/matrix/synapse.md

@@ -27,7 +27,8 @@ please refer to the
 { pkgs, lib, config, ... }:
 let
   fqdn = "${config.networking.hostName}.${config.networking.domain}";
-  clientConfig."m.homeserver".base_url = "https://${fqdn}";
+  baseUrl = "https://${fqdn}";
+  clientConfig."m.homeserver".base_url = baseUrl;
   serverConfig."m.server" = "${fqdn}:443";
   mkWellKnown = data: ''
     add_header Content-Type application/json;
@@ -97,6 +98,11 @@ in {
   services.matrix-synapse = {
     enable = true;
     settings.server_name = config.networking.domain;
+    # The public base URL value must match the `base_url` value set in `clientConfig` above.
+    # The default value here is based on `server_name`, so if your `server_name` is different
+    # from the value of `fqdn` above, you will likely run into some mismatched domain names
+    # in client applications.
+    settings.public_baseurl = baseUrl;
     settings.listeners = [
       { port = 8008;
         bind_addresses = [ "::1" ];

nixos/tests/wrappers.nix

@@ -55,6 +55,10 @@ in
         out = machine.succeed(cmd_as_regular(cmd)).strip()
         assert out == expected, "Expected {0} to output {1}, but got {2}".format(cmd, expected, out)
 
+      def test_as_regular_in_userns_mapped_as_root(cmd, expected):
+        out = machine.succeed(f"su -l regular -c '${pkgs.util-linux}/bin/unshare -rm {cmd}'").strip()
+        assert out == expected, "Expected {0} to output {1}, but got {2}".format(cmd, expected, out)
+
       test_as_regular('${busybox pkgs}/bin/busybox id -u', '${toString userUid}')
       test_as_regular('${busybox pkgs}/bin/busybox id -ru', '${toString userUid}')
       test_as_regular('${busybox pkgs}/bin/busybox id -g', '${toString usersGid}')
@@ -70,10 +74,27 @@ in
       test_as_regular('/run/wrappers/bin/sgid_root_busybox id -g', '0')
       test_as_regular('/run/wrappers/bin/sgid_root_busybox id -rg', '${toString usersGid}')
 
+      test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/suid_root_busybox id -u', '0')
+      test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/suid_root_busybox id -ru', '0')
+      test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/suid_root_busybox id -g', '0')
+      test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/suid_root_busybox id -rg', '0')
+
+      test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/sgid_root_busybox id -u', '0')
+      test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/sgid_root_busybox id -ru', '0')
+      test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/sgid_root_busybox id -g', '0')
+      test_as_regular_in_userns_mapped_as_root('/run/wrappers/bin/sgid_root_busybox id -rg', '0')
+
       # We are only testing the permitted set, because it's easiest to look at with capsh.
       machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_CHOWN'))
       machine.fail(cmd_as_regular('${pkgs.libcap}/bin/capsh --has-p=CAP_SYS_ADMIN'))
       machine.succeed(cmd_as_regular('/run/wrappers/bin/capsh_with_chown --has-p=CAP_CHOWN'))
       machine.fail(cmd_as_regular('/run/wrappers/bin/capsh_with_chown --has-p=CAP_SYS_ADMIN'))
+
+      # test a few "attacks" against which the wrapper protects itself
+      machine.succeed("cp /run/wrappers/bin/suid_root_busybox{,.real} /tmp/")
+      machine.fail(cmd_as_regular("/tmp/suid_root_busybox id -u"))
+
+      machine.succeed("chmod u+s,a+w /run/wrappers/bin/suid_root_busybox")
+      machine.fail(cmd_as_regular("/run/wrappers/bin/suid_root_busybox id -u"))
     '';
 })

pkgs/applications/networking/cluster/k3sup/default.nix

@@ -9,18 +9,18 @@
 
 buildGoModule rec {
   pname = "k3sup";
-  version = "0.12.13";
+  version = "0.12.14";
 
   src = fetchFromGitHub {
     owner = "alexellis";
     repo = "k3sup";
     rev = version;
-    sha256 = "sha256-lnr2zMp6gpOM1DtUFIniDd38zR1qnXCmcftlt7dL6P4=";
+    sha256 = "sha256-8zXcW1jVNVpFWpVYONjc0cwRQr8YTVbLYIH1IYCe9Nw=";
   };
 
   nativeBuildInputs = [ makeWrapper installShellFiles ];
 
-  vendorHash = "sha256-97m8xz46lvTtZoxO2+pjWmZyZnB2atPuVzYgS9DV+gI=";
+  vendorHash = "sha256-cCodzX7/JBEEFAwlspaITju4Ev1Gno+DsrEkUpAFwxM=";
 
   postConfigure = ''
     substituteInPlace vendor/github.com/alexellis/go-execute/pkg/v1/exec.go \
@@ -49,6 +49,6 @@ buildGoModule rec {
     homepage = "https://github.com/alexellis/k3sup";
     description = "Bootstrap Kubernetes with k3s over SSH";
     license = licenses.mit;
-    maintainers = with maintainers; [ welteki ];
+    maintainers = with maintainers; [ welteki qjoly ];
   };
 }

pkgs/applications/networking/cluster/kaniko/default.nix

@@ -9,13 +9,13 @@
 
 buildGoModule rec {
   pname = "kaniko";
-  version = "1.12.1";
+  version = "1.13.0";
 
   src = fetchFromGitHub {
     owner = "GoogleContainerTools";
     repo = "kaniko";
     rev = "v${version}";
-    hash = "sha256-RMkIqz0k/5XWa/QjmjBCst4od4mzR9KTCLZrI/HYtMk=";
+    hash = "sha256-bzMhK60BwJ7A1sGV0rutLOfgvbH/deDQNFZ8BB1hREc=";
   };
 
   vendorHash = null;

pkgs/applications/networking/cluster/waypoint/default.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "waypoint";
-  version = "0.11.2";
+  version = "0.11.4";
 
   src = fetchFromGitHub {
     owner = "hashicorp";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-mYds46+35sdo9aF5XETwZuvYKW5vExEgm/hAwv2g3do=";
+    sha256 = "sha256-Zn11mVQV8lN62BVYfhXauKets7/mIqA0r+mG2TkRyPk=";
   };
 
   vendorHash = "sha256-z0qe8zSQ9PopGeyvMDhRpU+3jUgHoh+8jTsYGLPk3i4=";

pkgs/applications/networking/compactor/default.nix

@@ -6,14 +6,14 @@
 
 stdenv.mkDerivation rec {
   pname = "compactor";
-  version = "1.2.2";
+  version = "1.2.3";
 
   src = fetchFromGitHub {
     owner = "dns-stats";
     repo = pname;
     rev = version;
     fetchSubmodules = true;
-    hash = "sha256-SgmtlbYOrSMzVfzsrbg4qs+yGkXQialiJTI99EBsUjQ=";
+    hash = "sha256-5Z14suhO5ghhmZsSj4DsSoKm+ct2gQFO6qxhjmx4Xm4=";
   };
 
   nativeBuildInputs = [

pkgs/applications/networking/deck/default.nix

@@ -3,13 +3,13 @@ let
   short_hash = "86497a5";
 in buildGoModule rec {
   pname = "deck";
-  version = "1.25.0";
+  version = "1.26.0";
 
   src = fetchFromGitHub {
     owner = "Kong";
     repo = "deck";
     rev = "v${version}";
-    hash = "sha256-dmzxCgZ0HLT9he8jS7lMtSFg5vbEbs8q368vE3lafhQ=";
+    hash = "sha256-DxmIHJfvRZKsMyFllbfpriT4Ts9f7ha4aZcfVr/b9eA=";
   };
 
   nativeBuildInputs = [ installShellFiles ];
@@ -21,7 +21,7 @@ in buildGoModule rec {
     "-X github.com/kong/deck/cmd.COMMIT=${short_hash}"
   ];
 
-  vendorHash = "sha256-ucwJQSZSBvSJzNQYLeNyCnZETmrNgVPFLjjkr1zP6b4=";
+  vendorHash = "sha256-jhLZvusYpX5fW1NCmJtwE/p9/wTwzA2hbwt657VsZts=";
 
   postInstall = ''
     installShellCompletion --cmd deck \

pkgs/applications/networking/instant-messengers/chatty/default.nix

@@ -29,7 +29,7 @@
 
 stdenv.mkDerivation rec {
   pname = "chatty";
-  version = "0.7.2";
+  version = "0.7.3";
 
   src = fetchFromGitLab {
     domain = "source.puri.sm";
@@ -37,7 +37,7 @@ stdenv.mkDerivation rec {
     repo = "chatty";
     rev = "v${version}";
     fetchSubmodules = true;
-    hash = "sha256-H9cW19Eoz8cSv26Cyw5BIZSEWsWJktsEw92CHeecFsM=";
+    hash = "sha256-zsZDpncnoj+0klJ2/220gY93c7mD0wIvQaP3QF8F3zQ=";
   };
 
   postPatch = ''

pkgs/applications/version-management/git-town/default.nix

@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "git-town";
-  version = "9.0.0";
+  version = "9.0.1";
 
   src = fetchFromGitHub {
     owner = "git-town";
     repo = "git-town";
     rev = "v${version}";
-    hash = "sha256-huo0PRqc2iBBYXGBVdgtPJhbPoIqqjN2loXQ3CqVaOA=";
+    hash = "sha256-JvN7te59uRMC0TOWsBUYNEPLIn4nLlIvXI5gOQfQaCU=";
   };
 
   vendorHash = null;

pkgs/desktops/plasma-5/plasma-workspace/default.nix

@@ -65,6 +65,7 @@
 , polkit-qt
 , pipewire
 , libdrm
+, fetchpatch
 }:
 
 let inherit (lib) getBin getLib; in
@@ -147,6 +148,13 @@ mkDerivation {
   patches = [
     ./0001-startkde.patch
     ./0002-absolute-wallpaper-install-dir.patch
+
+    # backport patch fixing a Wayland crash
+    # FIXME: remove in next release
+    (fetchpatch {
+      url = "https://invent.kde.org/plasma/plasma-workspace/-/commit/fc01a7f837d06ee9e92d02f13acb79c2b06e9e3c.diff";
+      hash = "sha256-cHupiD6fKZ7ICFb4AcuUErrA4646sNGxeGiACPs8IHQ=";
+    })
   ];
 
   # QT_INSTALL_BINS refers to qtbase, and qdbus is in qttools

pkgs/development/compilers/zig/0.10.nix

@@ -19,7 +19,7 @@ import ./generic.nix args {
   patches = [
     # Backport alignment related panics from zig-master to 0.10.
     # Upstream issue: https://github.com/ziglang/zig/issues/14559
-    ./zig_14559.patch
+    ./002-0.10-macho-fixes.patch
   ];
 
   cmakeFlags = [

pkgs/development/compilers/zig/0.9.nix

@@ -16,12 +16,11 @@ import ./generic.nix args {
 
   patches = [
     # Fix index out of bounds reading RPATH (cherry-picked from 0.10-dev)
-    ./rpath.patch
+    ./000-0.9-read-dynstr-at-rpath-offset.patch
     # Fix build on macOS 13 (cherry-picked from 0.10-dev)
-    ./ventura.patch
+    ./001-0.9-bump-macos-supported-version.patch
   ];
 
-  # TODO: remove on next upgrade
   prePatch =
     let
       zig_0_10_0 = fetchFromGitHub {

pkgs/development/libraries/hunspell/dictionaries-chromium.nix

@@ -0,0 +1,70 @@
+{ lib, stdenv, fetchgit }:
+
+let
+  mkDictFromChromium = { shortName, dictFileName, shortDescription }:
+    stdenv.mkDerivation {
+      pname = "hunspell-dict-${shortName}-chromium";
+      version = "115.0.5790.170";
+
+      src = fetchgit {
+        url = "https://chromium.googlesource.com/chromium/deps/hunspell_dictionaries";
+        rev = "41cdffd71c9948f63c7ad36e1fb0ff519aa7a37e";
+        hash = "sha256-67mvpJRFFa9eMfyqFMURlbxOaTJBICnk+gl0b0mEHl8=";
+      };
+
+      dontBuild = true;
+
+      installPhase = ''
+        cp ${dictFileName} $out
+      '';
+
+      passthru = {
+        # As chromium needs the exact filename in ~/.config/chromium/Dictionaries,
+        # this value needs to be known to tools using the package if they want to
+        # link the file correctly.
+        inherit dictFileName;
+
+        updateScript = ./update-chromium-dictionaries.py;
+      };
+
+      meta = {
+        homepage = "https://chromium.googlesource.com/chromium/deps/hunspell_dictionaries/";
+        description = "Chromium compatible hunspell dictionary for ${shortDescription}";
+        longDescription = ''
+          Humspell directories in Chromium's custom bdic format
+
+          See https://www.chromium.org/developers/how-tos/editing-the-spell-checking-dictionaries/
+        '';
+        license = with lib.licenses; [ gpl2 lgpl21 mpl11 lgpl3 ];
+        maintainers = with lib.maintainers; [ networkexception ];
+        platforms = lib.platforms.all;
+      };
+    };
+in
+rec {
+
+  /* ENGLISH */
+
+  en_US = en-us;
+  en-us = mkDictFromChromium {
+    shortName = "en-us";
+    dictFileName = "en-US-10-1.bdic";
+    shortDescription = "English (United States)";
+  };
+
+  en_GB = en-us;
+  en-gb = mkDictFromChromium {
+    shortName = "en-gb";
+    dictFileName = "en-GB-10-1.bdic";
+    shortDescription = "English (United Kingdom)";
+  };
+
+  /* GERMAN */
+
+  de_DE = de-de;
+  de-de = mkDictFromChromium {
+    shortName = "de-de";
+    dictFileName = "de-DE-3-0.bdic";
+    shortDescription = "German (Germany)";
+  };
+}

pkgs/development/libraries/hunspell/update-chromium-dictionaries.py

@@ -0,0 +1,77 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i python3 -p python3 nix nix-prefetch-git
+
+import base64
+import fileinput
+import json
+import os
+import re
+import subprocess
+import sys
+
+from urllib.request import urlopen, Request
+
+
+DICTIONARIES_CHROMIUM_NIX = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'dictionaries-chromium.nix')
+
+
+def get_latest_chromium_stable_release():
+    RELEASES_URL = 'https://versionhistory.googleapis.com/v1/chrome/platforms/linux/channels/stable/versions/all/releases'
+    print(f'GET {RELEASES_URL}')
+    with urlopen(RELEASES_URL) as resp:
+        return json.load(resp)['releases'][0]
+
+
+def get_file_revision(revision, file_path):
+    """Fetches the requested Git revision of the given Chromium file."""
+    url = f'https://chromium.googlesource.com/chromium/src/+/refs/tags/{revision}/{file_path}?format=TEXT'
+    with urlopen(url) as http_response:
+        resp = http_response.read()
+        return base64.b64decode(resp)
+
+
+def nix_prefetch_git(url, rev):
+    """Prefetches the requested Git revision of the given repository URL."""
+    print(f'nix-prefetch-git {url} {rev}')
+    out = subprocess.check_output(['nix-prefetch-git', '--quiet', '--url', url, '--rev', rev])
+    return json.loads(out)
+
+
+def get_current_revision():
+    with open(DICTIONARIES_CHROMIUM_NIX) as f:
+        for line in f:
+            rev = re.search(r'^        rev = "(.*)";', line)
+            if rev:
+                return rev.group(1)
+    sys.exit(1)
+
+
+print('Getting latest chromium version...')
+chromium_release = get_latest_chromium_stable_release()
+chromium_version = chromium_release['version']
+print(f'chromium version: {chromium_version}')
+
+print('Getting corresponding hunspell_dictionaries commit...')
+deps = get_file_revision(chromium_version, 'DEPS')
+hunspell_dictionaries_pattern = r"^\s*Var\('chromium_git'\)\s*\+\s*'\/chromium\/deps\/hunspell_dictionaries\.git'\s*\+\s*'@'\s*\+\s*'(\w*)',$"
+hunspell_dictionaries_commit = re.search(hunspell_dictionaries_pattern, deps.decode(), re.MULTILINE).group(1)
+print(f'hunspell_dictionaries commit: {hunspell_dictionaries_commit}')
+
+current_commit = get_current_revision()
+if current_commit == hunspell_dictionaries_commit:
+    print('Commit is already packaged, no update needed.')
+    sys.exit(0)
+
+print('Commit has changed compared to the current package, updating...')
+
+print('Getting hash of hunspell_dictionaries revision...')
+hunspell_dictionaries_git = nix_prefetch_git("https://chromium.googlesource.com/chromium/deps/hunspell_dictionaries", hunspell_dictionaries_commit)
+hunspell_dictionaries_hash = hunspell_dictionaries_git['hash']
+print(f'hunspell_dictionaries commit hash: {hunspell_dictionaries_hash}')
+
+with fileinput.FileInput(DICTIONARIES_CHROMIUM_NIX, inplace=True) as file:
+    for line in file:
+        result = re.sub(r'^      version = ".+";', f'      version = "{chromium_version}";', line)
+        result = re.sub(r'^        rev = ".*";', f'        rev = "{hunspell_dictionaries_commit}";', result)
+        result = re.sub(r'^        hash = ".+";', f'        hash = "{hunspell_dictionaries_hash}";', result)
+        print(result, end='')

pkgs/development/php-packages/php-cs-fixer/default.nix

@@ -2,14 +2,14 @@
 
 let
   pname = "php-cs-fixer";
-  version = "3.21.1";
+  version = "3.22.0";
 in
 mkDerivation {
   inherit pname version;
 
   src = fetchurl {
     url = "https://github.com/FriendsOfPHP/PHP-CS-Fixer/releases/download/v${version}/php-cs-fixer.phar";
-    sha256 = "sha256-f/hD2it/l2hWGVoIXQBJYDC7s7JPSE+7RzbpdeNNRvg=";
+    sha256 = "sha256-iP5dmJkYZ/E1TAm4oLOCCQ5DCc4+I3CcEr8tOezzCt4=";
   };
 
   dontUnpack = true;

pkgs/development/php-packages/phpstan/default.nix

@@ -2,14 +2,14 @@
 
 let
   pname = "phpstan";
-  version = "1.10.26";
+  version = "1.10.28";
 in
 mkDerivation {
   inherit pname version;
 
   src = fetchurl {
     url = "https://github.com/phpstan/phpstan/releases/download/${version}/phpstan.phar";
-    sha256 = "sha256-YDRUVctcUs9wUyL/rCUT9W9at+0118VpbV371+amyvg=";
+    sha256 = "sha256-Jbsamdtxui2esC9WyxLakWLxWg33mhKJKi/iaEV9nbA=";
   };
 
   dontUnpack = true;

pkgs/development/python-modules/coinmetrics-api-client/default.nix

@@ -17,7 +17,7 @@
 
 buildPythonPackage rec {
   pname = "coinmetrics-api-client";
-  version = "2023.7.11.17";
+  version = "2023.8.2.13";
   format = "pyproject";
 
   disabled = pythonOlder "3.9";
@@ -27,7 +27,7 @@ buildPythonPackage rec {
   src = fetchPypi {
     inherit version;
     pname = "coinmetrics_api_client";
-    hash = "sha256-s5hg9qaa5j/l/qy5DS6f1w5LH2URVyG1Uf02BSIplbc=";
+    hash = "sha256-R7EbzH8ftHqoCbe8plXPOmTL01mow7t+zgVfL4+bZXQ=";
   };
 
   pythonRelaxDeps = [

pkgs/development/python-modules/google-cloud-datacatalog/default.nix

@@ -14,14 +14,14 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-datacatalog";
-  version = "3.14.0";
+  version = "3.15.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-4+zlMv5GJCKuXTck2QmaEctu6mkZKXeiY4SgM+7RYSk=";
+    hash = "sha256-TY/HrTDlo6cq50bSaRVuZyt1rThB9BPiQW0RS98gIo8=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/oci/default.nix

@@ -13,7 +13,7 @@
 
 buildPythonPackage rec {
   pname = "oci";
-  version = "2.109.0";
+  version = "2.110.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
@@ -22,7 +22,7 @@ buildPythonPackage rec {
     owner = "oracle";
     repo = "oci-python-sdk";
     rev = "refs/tags/v${version}";
-    hash = "sha256-vG3ICLvLGu6Lu3Sxd7zmzSy2IhPTu9S0GnR5NxlAklQ=";
+    hash = "sha256-aZo/Xv5+AzAEgEGN1GNtqEtUtuhDnOYneG/0f+hByc0=";
   };
 
   pythonRelaxDeps = [

pkgs/development/python-modules/setuptools-git-versioning/default.nix

@@ -0,0 +1,73 @@
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, build
+, coverage
+, git
+, packaging
+, pytestCheckHook
+, pytest-rerunfailures
+, pythonOlder
+, setuptools
+, toml
+, wheel
+}:
+
+buildPythonPackage rec {
+  pname = "setuptools-git-versioning";
+  version = "1.13.5";
+  format = "pyproject";
+
+  src = fetchFromGitHub {
+    owner = "dolfinus";
+    repo = "setuptools-git-versioning";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-MAHB6hMAcMo1+HCc6g7xQUD2sG+TLjM/6Oa/BKuXpRc=";
+  };
+
+  nativeBuildInputs = [
+    setuptools
+    wheel
+  ];
+
+  propagatedBuildInputs = [
+    packaging
+    setuptools
+  ] ++ lib.optionals (pythonOlder "3.11") [
+    toml
+  ];
+
+  pythonImportsCheck = [
+    "setuptools_git_versioning"
+  ];
+
+  nativeCheckInputs = [
+    build
+    coverage
+    git
+    pytestCheckHook
+    pytest-rerunfailures
+    toml
+  ];
+
+  preCheck = ''
+    # so that its built binary is accessible by tests
+    export PATH="$out/bin:$PATH"
+  '';
+
+  # limit tests because the full suite takes several minutes to run
+  pytestFlagsArray = [ "-m" "important" ];
+
+  disabledTests = [
+    # runs an isolated build that uses internet to download dependencies
+    "test_config_not_used"
+  ];
+
+  meta = with lib; {
+    description = "Use git repo data (latest tag, current commit hash, etc) for building a version number according PEP-440";
+    homepage = "https://github.com/dolfinus/setuptools-git-versioning";
+    changelog = "https://github.com/dolfinus/setuptools-git-versioning/blob/${src.rev}/CHANGELOG.rst";
+    license = licenses.mit;
+    maintainers = with maintainers; [ tjni ];
+  };
+}

pkgs/development/python-modules/tplink-omada-client/default.nix

@@ -10,7 +10,7 @@
 
 buildPythonPackage rec {
   pname = "tplink-omada-client";
-  version = "1.3.0";
+  version = "1.3.2";
   format = "pyproject";
 
   disabled = pythonOlder "3.9";
@@ -18,7 +18,7 @@ buildPythonPackage rec {
   src = fetchPypi {
     pname = "tplink_omada_client";
     inherit version;
-    hash = "sha256-+6HEJBMYaw/8VTdl3YK5uaAYTiyhqe1Zvuxsk2ltci8=";
+    hash = "sha256-AR0jCoYePll6pZA1Nw/lrH4AhFL6WmGQjzLlYJl7IsQ=";
   };
 
   nativeBuildInputs = [

pkgs/development/python-modules/tubeup/default.nix

@@ -11,14 +11,14 @@
 
 buildPythonPackage rec {
   pname = "tubeup";
-  version = "2023.7.23";
+  version = "2023.8.9";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-lI+Ws1uVC8cnRERmfY7j5vPjQGEAH6zef7nBnd/hC+I=";
+    sha256 = "sha256-v2fDB76OM/cpi/lJRKH/JnVXl9r/W9jCzlTAJ31N7VU=";
   };
 
   nativeBuildInputs = [

pkgs/development/python-modules/unstructured/default.nix

@@ -56,7 +56,7 @@
 , grpcio
 }:
 let
-  version = "0.8.1";
+  version = "0.9.1";
   optional-dependencies = {
     huggingflace = [
       langdetect
@@ -89,8 +89,8 @@ buildPythonPackage {
   src = fetchFromGitHub {
     owner = "Unstructured-IO";
     repo = "unstructured";
-    rev = version;
-    hash = "sha256-I9pRycg3uGn7Xfd4YGxic16SXi8+gslsIVarzDT8X2w=";
+    rev = "refs/tags/${version}";
+    hash = "sha256-9O/rZ07vZC0XN5XgevFvWuG8gwyTM+gfn+OqgaIHld8=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/yamlloader/default.nix

@@ -9,14 +9,14 @@
 
 buildPythonPackage rec {
   pname = "yamlloader";
-  version = "1.2.2";
+  version = "1.3.2";
   format = "setuptools";
 
-  disabled = pythonOlder "3.6";
+  disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-NWaf17n4xrONuGGlFwFULEJnK0boq2MlNIaoy4N3toc=";
+    hash = "sha256-fb2YQh2AkMUhZV8bBsoDAGfynfUlOoh4EmvOOpD1aBc=";
   };
 
   propagatedBuildInputs = [
@@ -36,6 +36,7 @@ buildPythonPackage rec {
   meta = with lib; {
     description = "A case-insensitive list for Python";
     homepage = "https://github.com/Phynix/yamlloader";
+    changelog = "https://github.com/Phynix/yamlloader/releases/tag/${version}";
     license = licenses.mit;
     maintainers = with maintainers; [ freezeboy ];
   };

pkgs/games/anki/bin.nix

@@ -58,7 +58,7 @@ let
     targetPkgs = pkgs: (with pkgs; [ xorg.libxkbfile xcb-util-cursor-HEAD krb5 ]);
 
     runScript = writeShellScript "anki-wrapper.sh" ''
-      exec ${unpacked}/bin/anki ${ lib.strings.escapeShellArgs commandLineArgs }
+      exec ${unpacked}/bin/anki ${ lib.strings.escapeShellArgs commandLineArgs } "$@"
     '';
 
     extraInstallCommands = ''

pkgs/misc/screensavers/betterlockscreen/default.nix

@@ -51,6 +51,7 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "Fast and sweet looking lockscreen for linux systems with effects!";
     homepage = "https://github.com/pavanjadhaw/betterlockscreen";
+    mainProgram = "betterlockscreen";
     license = licenses.mit;
     platforms = platforms.linux;
     maintainers = with maintainers; [ eyjhb sebtm ];

pkgs/servers/domoticz/default.nix

@@ -19,13 +19,13 @@
 
 stdenv.mkDerivation rec {
   pname = "domoticz";
-  version = "2023.1";
+  version = "2023.2";
 
   src = fetchFromGitHub {
     owner = "domoticz";
     repo = pname;
     rev = version;
-    sha256 = "sha256-fXNS7EVMqGM4tYppgG+l/adBt9eyW8RBK3Cs/pb2kg4=";
+    sha256 = "sha256-DxY9rBeRc20wmt4pDdBS16vyoOjCzczuxhOdUX/Lxao=";
     fetchSubmodules = true;
   };
 

pkgs/servers/mail/rspamd/default.nix

@@ -11,13 +11,13 @@ assert withHyperscan -> stdenv.isx86_64;
 
 stdenv.mkDerivation rec {
   pname = "rspamd";
-  version = "3.5";
+  version = "3.6";
 
   src = fetchFromGitHub {
     owner = "rspamd";
     repo = "rspamd";
     rev = version;
-    hash = "sha256-3+ve5cPt4As6Hfvxw77waJgl2Imi9LpredFkYzTchbQ=";
+    hash = "sha256-GuWuJK73RE+cS8451m+bcmpZNQEzmZtexm19xgdDQeU=";
   };
 
   hardeningEnable = [ "pie" ];

pkgs/servers/mail/stalwart/default.nix

@@ -13,7 +13,7 @@
 }:
 
 let
-  version = "0.3.2";
+  version = "0.3.4";
 in
 rustPlatform.buildRustPackage {
   pname = "stalwart-mail";
@@ -23,7 +23,7 @@ rustPlatform.buildRustPackage {
     owner = "stalwartlabs";
     repo = "mail-server";
     rev = "v${version}";
-    hash = "sha256-5+r1xWpxIwyvRUPw2X4vIvbvqUe6lBcYurbxwNySXAY=";
+    hash = "sha256-SFHlcoc/8wCWPFGHOvU3SIVztBtW4nxU5/pvZzbjzsg=";
     fetchSubmodules = true;
   };
 
@@ -33,7 +33,7 @@ rustPlatform.buildRustPackage {
       "hyper-util-0.0.0" = "sha256-wGtB6hUjIOKR7UZJrX9ve4x4/7TDQuSPG0Sq9VyW7iI=";
       "jmap-client-0.3.0" = "sha256-GNqSPygiVq5Z9y8Kfhzacq3lTIEg2o4UxzOMDbBO7xY=";
       "mail-auth-0.3.2" = "sha256-CTafQCXPo91ZUlfS9JUqU+RfUf4+6EbdG97+nIqQtNw=";
-      "mail-builder-0.3.0" = "sha256-0o/fV7ZKiRKeitBBt8yOM/2nXIEgOGSMEMaBj+3i7Kw=";
+      "mail-builder-0.3.1" = "sha256-r32iiHtQp0C94Qqc4Vspc08QaXZ+e1u7e39fNYoQGsY=";
       "mail-parser-0.8.2" = "sha256-XvKEgzQ+HDoLI16CmqE/RRgApg0q9Au9sqOOEpZz6W0=";
       "mail-send-0.4.0" = "sha256-bMPI871hBj/RvrW4kESGS9XzfnkSo8r2/9uUwgE12EU=";
       "sieve-rs-0.3.1" = "sha256-FJBQorFRXQYhiCzprAqiv69Qae9YI5OAipjayooFDAw=";

pkgs/shells/zsh/zsh-defer/default.nix

@@ -0,0 +1,29 @@
+{ lib, stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  pname = "zsh-defer";
+  version = "unstable-2022-06-13";
+
+  src = fetchFromGitHub {
+    owner = "romkatv";
+    repo = pname;
+    rev = "57a6650ff262f577278275ddf11139673e01e471";
+    sha256 = "sha256-/rcIS2AbTyGw2HjsLPkHtt50c2CrtAFDnLuV5wsHcLc=";
+  };
+
+  strictDeps = true;
+  dontConfigure = true;
+  dontBuild = true;
+  installPhase = ''
+    mkdir -p $out/share/zsh-defer
+    cp zsh-defer* $out/share/zsh-defer
+  '';
+
+  meta = with lib; {
+    description = "Deferred execution of zsh commands";
+    homepage = "https://github.com/romkatv/zsh-defer";
+    license = licenses.gpl3Only;
+    platforms = platforms.unix;
+    maintainers = [ maintainers.vinnymeller ];
+  };
+}

pkgs/tools/graphics/dpic/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "dpic";
-  version = "2023.02.01";
+  version = "2023.06.01";
 
   src = fetchurl {
     url = "https://ece.uwaterloo.ca/~aplevich/dpic/${pname}-${version}.tar.gz";
-    sha256 = "sha256-0Fn/KMBFUgZsFk+xRv7o4BAblT5G51kZs9z6qZsDGuY=";
+    sha256 = "sha256-7sIGSHMsxEsO9b7nutY6cBxS59mrT3bepNNDQi2L+X4=";
   };
 
   # The prefix passed to configure is not used.

pkgs/tools/graphics/scrot/default.nix

@@ -43,6 +43,7 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     homepage = "https://github.com/resurrecting-open-source-projects/scrot";
     description = "A command-line screen capture utility";
+    mainProgram = "scrot";
     platforms = platforms.linux;
     maintainers = with maintainers; [ globin ];
     license = licenses.mitAdvertising;

pkgs/tools/misc/flameshot/default.nix

@@ -39,6 +39,7 @@ mkDerivation rec {
   meta = with lib; {
     description = "Powerful yet simple to use screenshot software";
     homepage = "https://github.com/flameshot-org/flameshot";
+    mainProgram = "flameshot";
     maintainers = with maintainers; [ scode oxalica ];
     license = licenses.gpl3Plus;
     platforms = platforms.linux ++ platforms.darwin;

pkgs/tools/misc/zsh-history-to-fish/default.nix

@@ -0,0 +1,33 @@
+{ lib
+, fetchPypi
+, python3
+}:
+
+python3.pkgs.buildPythonApplication rec {
+  pname = "zsh-history-to-fish";
+  version = "0.3.0";
+  format = "setuptools";
+
+  src = fetchPypi {
+    inherit pname version;
+    hash = "sha256-expPuffZttyXNRreplPC5Ee/jfWAyOnmjTIMXONtrnw=";
+  };
+
+  propagatedBuildInputs = with python3.pkgs; [
+    click
+  ];
+
+  # upstream has no tests
+  doCheck = false;
+
+  pythonImportsCheck = [
+    "zsh_history_to_fish"
+  ];
+
+  meta = with lib; {
+    description = "Bring your ZSH history to Fish shell";
+    homepage = "https://github.com/rsalmei/zsh-history-to-fish";
+    license = licenses.mit;
+    maintainers = with maintainers; [ alanpearce ];
+  };
+}

pkgs/tools/security/scorecard/default.nix

@@ -8,13 +8,13 @@
 
 buildGoModule rec {
   pname = "scorecard";
-  version = "4.10.5";
+  version = "4.12.0";
 
   src = fetchFromGitHub {
     owner = "ossf";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-ysdgdU/Et87NxpdSTZuTtLJOv5uaYGVHDGyCj6kKuUQ=";
+    sha256 = "sha256-Ys7uO+xMSlcD8OGw7fV+aR0+Q1UXrxPKVLQbphV4rKk=";
     # populate values otherwise taken care of by goreleaser,
     # unfortunately these require us to use git. By doing
     # this in postFetch we can delete .git afterwards and
@@ -28,7 +28,7 @@ buildGoModule rec {
       find "$out" -name .git -print0 | xargs -0 rm -rf
     '';
   };
-  vendorHash = "sha256-6wIzg9gbH+nAE4sZg+C3NZZbVzbEcovhGwajBZ7ZjdY=";
+  vendorHash = "sha256-L6HFZryniy3Gp8NKdjM4SK82ZG5eQPM7blkSE3YFhOw=";
 
   nativeBuildInputs = [ installShellFiles ];
 

pkgs/top-level/all-packages.nix

@@ -2018,6 +2018,8 @@ with pkgs;
 
   yarn-lock-converter = callPackage ../tools/package-management/yarn-lock-converter { };
 
+  zsh-history-to-fish = callPackage ../tools/misc/zsh-history-to-fish { };
+
   archi = callPackage ../tools/misc/archi { };
 
   breitbandmessung = callPackage ../applications/networking/breitbandmessung { };
@@ -14994,6 +14996,8 @@ with pkgs;
 
   zsh-clipboard = callPackage ../shells/zsh/zsh-clipboard { };
 
+  zsh-defer = callPackage ../shells/zsh/zsh-defer { };
+
   zsh-edit = callPackage ../shells/zsh/zsh-edit { };
 
   zsh-git-prompt = callPackage ../shells/zsh/zsh-git-prompt { };
@@ -21859,6 +21863,8 @@ with pkgs;
 
   hunspellDicts = recurseIntoAttrs (callPackages ../development/libraries/hunspell/dictionaries.nix {});
 
+  hunspellDictsChromium = recurseIntoAttrs (callPackages ../development/libraries/hunspell/dictionaries-chromium.nix {});
+
   hunspellWithDicts = dicts: callPackage ../development/libraries/hunspell/wrapper.nix { inherit dicts; };
 
   hwloc = callPackage ../development/libraries/hwloc { };
@@ -25533,7 +25539,7 @@ with pkgs;
   libzra = callPackage ../development/libraries/libzra { };
 
   # requires a newer Apple SDK
-  zig_0_9 = darwin.apple_sdk_11_0.callPackage ../development/compilers/zig/0.9.1.nix {
+  zig_0_9 = darwin.apple_sdk_11_0.callPackage ../development/compilers/zig/0.9.nix {
     llvmPackages = llvmPackages_13;
   };
   # requires a newer Apple SDK

pkgs/top-level/python-packages.nix

@@ -11523,6 +11523,8 @@ self: super: with self; {
 
   setuptools-git = callPackage ../development/python-modules/setuptools-git { };
 
+  setuptools-git-versioning = callPackage ../development/python-modules/setuptools-git-versioning { };
+
   setuptools-lint = callPackage ../development/python-modules/setuptools-lint { };
 
   setuptools-rust = callPackage ../development/python-modules/setuptools-rust { };