Merge release-25.11 into staging-next-25.11

maintainers/maintainer-list.nix

@@ -25085,6 +25085,13 @@
     github = "StayBlue";
     githubId = 23127866;
   };
+  stealthybox = {
+    email = "leigh@null.net";
+    github = "stealthybox";
+    githubId = 2754700;
+    name = "Leigh Capili";
+    keys = [ { fingerprint = "05E7 89C9 142C DD05 8261 4EF8 5943 2144 444F B382"; } ];
+  };
   steamwalker = {
     email = "steamwalker@xs4all.nl";
     github = "steamwalker";
@@ -25374,6 +25381,13 @@
     githubId = 36031171;
     name = "Supa";
   };
+  superherointj = {
+    email = "sergiomarcelo@yandex.com";
+    github = "superherointj";
+    githubId = 5861043;
+    matrix = "@superherointj:matrix.org";
+    name = "Sérgio Marcelo";
+  };
   SuperSandro2000 = {
     email = "sandro.jaeckel@gmail.com";
     matrix = "@sandro:supersandro.de";

pkgs/by-name/bi/bind/package.nix

@@ -29,11 +29,11 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "bind";
-  version = "9.20.21";
+  version = "9.20.23";
 
   src = fetchurl {
     url = "https://downloads.isc.org/isc/bind9/${finalAttrs.version}/bind-${finalAttrs.version}.tar.xz";
-    hash = "sha256-FeG1oifSiQ98ToI6bqAY3nDuLzoOhZy/89gqrYWQ3gM=";
+    hash = "sha256-XUR1rtP55QDvVUsrFNlyvbg9M94hSps76SkY6kaQg3E=";
   };
 
   outputs = [

pkgs/by-name/bo/boringssl/package.nix

@@ -11,12 +11,12 @@
 # reference: https://boringssl.googlesource.com/boringssl/+/refs/tags/0.20250818.0/BUILDING.md
 stdenv.mkDerivation (finalAttrs: {
   pname = "boringssl";
-  version = "0.20260413.0";
+  version = "0.20260508.0";
 
   src = fetchgit {
     url = "https://boringssl.googlesource.com/boringssl";
     tag = finalAttrs.version;
-    hash = "sha256-JFKQleui4nNmEsx4k5L7xhvEFh3Ne3MEPnHDSRqEwPc=";
+    hash = "sha256-7fW0OmOj+Hduq5YCc5xpcfICpC8qAc/05/UMgZ70jhM=";
   };
 
   patches = [

pkgs/by-name/ev/evince/package.nix

@@ -42,7 +42,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "evince";
-  version = "48.1";
+  version = "48.4";
 
   outputs = [
     "out"
@@ -52,7 +52,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   src = fetchurl {
     url = "mirror://gnome/sources/evince/${lib.versions.major finalAttrs.version}/evince-${finalAttrs.version}.tar.xz";
-    hash = "sha256-fYuab6OgXT9bkEiFkCdojHOniP9ukjvDlFEmiElD+hA=";
+    hash = "sha256-8pbFxmKIZjXUzVl+isCvzeeYK+RIZTPCt/CVsmi+hmg=";
   };
 
   depsBuildBuild = [

pkgs/by-name/fl/fluxcd-operator-mcp/package.nix

@@ -62,6 +62,7 @@ buildGoModule (finalAttrs: {
     license = lib.licenses.agpl3Only;
     maintainers = with lib.maintainers; [
       mattfield
+      stealthybox
     ];
     mainProgram = "flux-operator-mcp";
   };

pkgs/by-name/fl/fluxcd/package.nix

@@ -1,17 +1,18 @@
 {
-  buildGoModule,
+  buildGo126Module,
   fetchFromGitHub,
   fetchzip,
   installShellFiles,
   lib,
   stdenv,
+  writableTmpDirAsHomeHook,
 }:
 
 let
-  version = "2.7.5";
-  srcHash = "sha256-vTb1YE73xxCC4GlR6UW5Ibu+ck+N+KKYUg50csb7eUA=";
-  vendorHash = "sha256-AgWDvlXVZXXprWCeoNeAMDb6LeYfa9yG5afc7TNISQs=";
-  manifestsHash = "sha256-CmYuHhEiKxkSRtN+fri2/4ILxpwRy2xGwGqCqcfsQwU=";
+  version = "2.8.6";
+  srcHash = "sha256-pKP4g2pTMYtx/B/Y3ow7tvDdhCSuwbszzeLVXB0W7Bo=";
+  vendorHash = "sha256-VBafft9/AuXaHWvZymy7P9gaSuO8D6IZHfK68Ixp3mI=";
+  manifestsHash = "sha256-h/HR/rJwPWXiuoj9T+LajdsdT4Jo8/EuN+O1I7e9sjI=";
 
   manifests = fetchzip {
     url = "https://github.com/fluxcd/flux2/releases/download/v${version}/manifests.tar.gz";
@@ -20,7 +21,7 @@ let
   };
 in
 
-buildGoModule rec {
+buildGo126Module rec {
   pname = "fluxcd";
   inherit vendorHash version;
 
@@ -38,6 +39,8 @@ buildGoModule rec {
     rm source/cmd/flux/create_secret_git_test.go
   '';
 
+  env.CGO_ENABLED = 0;
+
   ldflags = [
     "-s"
     "-w"
@@ -46,11 +49,11 @@ buildGoModule rec {
 
   subPackages = [ "cmd/flux" ];
 
+  nativeBuildInputs = [ installShellFiles ];
+
   # Required to workaround test error:
   #   panic: mkdir /homeless-shelter: permission denied
-  HOME = "$TMPDIR";
-
-  nativeBuildInputs = [ installShellFiles ];
+  nativeCheckInputs = [ writableTmpDirAsHomeHook ];
 
   doInstallCheck = true;
   installCheckPhase = ''
@@ -78,9 +81,11 @@ buildGoModule rec {
     homepage = "https://fluxcd.io";
     license = lib.licenses.asl20;
     maintainers = with lib.maintainers; [
-      bryanasdev000
       jlesquembre
       ryan4yin
+      SchahinRohani
+      stealthybox
+      superherointj
     ];
     mainProgram = "flux";
   };

pkgs/by-name/fl/fluxcd/update.sh

@@ -1,50 +1,21 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p curl gnugrep gnused jq
+#!nix-shell -i bash -p gnused nix-update
 
-set -x -eu -o pipefail
+set -eu -o pipefail
+set -x
 
-NIXPKGS_PATH="$(git rev-parse --show-toplevel)"
-FLUXCD_PATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
+# Compute the relative dir of the update script
+SCRIPT_DIR="$(cd -- "$(dirname "$0")" >/dev/null 2>&1; pwd -P)"
 
-OLD_VERSION="$(nix-instantiate --eval -E "with import $NIXPKGS_PATH {}; fluxcd.version or (builtins.parseDrvName fluxcd.name).version" | tr -d '"')"
-LATEST_TAG=$(curl ${GITHUB_TOKEN:+" -u \":$GITHUB_TOKEN\""} --silent https://api.github.com/repos/fluxcd/flux2/releases/latest | jq -r '.tag_name')
-LATEST_VERSION=$(echo "${LATEST_TAG}" | sed 's/^v//')
+# Update version, src hash, and vendor hash
+nix-update fluxcd
 
-if [ ! "$OLD_VERSION" = "$LATEST_VERSION" ]; then
-    SRC_SHA256=$(nix-prefetch-url --quiet --unpack "https://github.com/fluxcd/flux2/archive/refs/tags/${LATEST_TAG}.tar.gz")
-    SRC_HASH=$(nix --extra-experimental-features nix-command hash convert --hash-algo sha256 --to sri "$SRC_SHA256")
-    MANIFESTS_SHA256=$(nix-prefetch-url --quiet --unpack "https://github.com/fluxcd/flux2/releases/download/${LATEST_TAG}/manifests.tar.gz")
-    MANIFESTS_HASH=$(nix --extra-experimental-features nix-command hash convert --hash-algo sha256 --to sri "$MANIFESTS_SHA256")
+# Read the potentially updated version from `nix-update fluxcd` using SCRIPT_DIR
+VERSION=$(sed -n 's/.*version = "\(.*\)".*/\1/p' "${SCRIPT_DIR}/package.nix" | head -1)
 
-    setKV () {
-        sed -i "s|$1 = \".*\"|$1 = \"${2:-}\"|" "${FLUXCD_PATH}/package.nix"
-    }
-
-    setKV version "${LATEST_VERSION}"
-    setKV srcHash "${SRC_HASH}"
-    setKV manifestsHash "${MANIFESTS_HASH}"
-    setKV vendorHash "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" # The same as lib.fakeHash
-
-    set +e
-    VENDOR_SHA256=$(nix-build --no-out-link -A fluxcd "$NIXPKGS_PATH" 2>&1 >/dev/null | grep "got:" | cut -d':' -f2 | sed 's| ||g')
-    VENDOR_HASH=$(nix --extra-experimental-features nix-command hash convert --hash-algo sha256 --to sri "$VENDOR_SHA256")
-    set -e
-
-    if [ -n "${VENDOR_HASH:-}" ]; then
-        setKV vendorHash "${VENDOR_HASH}"
-    else
-        echo "Update failed. VENDOR_HASH is empty."
-        exit 1
-    fi
-
-    # `git` flag here is to be used by local maintainers to speed up the bump process
-    if [ $# -eq 1 ] && [ "$1" = "git" ]; then
-        git switch -c "package-fluxcd-${LATEST_VERSION}"
-        git add "$FLUXCD_PATH"/package.nix
-        git commit -m "fluxcd: ${OLD_VERSION} -> ${LATEST_VERSION}
-
-Release: https://github.com/fluxcd/flux2/releases/tag/v${LATEST_VERSION}"
-    fi
-else
-    echo "fluxcd is already up-to-date at $OLD_VERSION"
-fi
+# Update the additional fluxcd manifests hash
+# This is idempotent and will run regardless of whether nix-update changes the package.nix version
+# note: tag format is assumed to be v${VERSION} which matches the fetchZip in package.nix
+MANIFESTS_SHA256=$(nix-prefetch-url --quiet --unpack "https://github.com/fluxcd/flux2/releases/download/v${VERSION}/manifests.tar.gz")
+MANIFESTS_HASH=$(nix --extra-experimental-features nix-command hash convert --hash-algo sha256 --to sri "$MANIFESTS_SHA256")
+sed -i "s|manifestsHash = \".*\"|manifestsHash = \"${MANIFESTS_HASH}\"|" "${SCRIPT_DIR}/package.nix"

pkgs/by-name/gn/gnome-desktop/package.nix

@@ -110,6 +110,7 @@ stdenv.mkDerivation (finalAttrs: {
       lgpl2Plus
     ];
     platforms = lib.platforms.unix;
+    badPlatforms = lib.platforms.darwin;
     teams = [ lib.teams.gnome ];
   };
 })

pkgs/by-name/ne/netron/package.nix

@@ -2,30 +2,30 @@
   lib,
   stdenv,
   buildNpmPackage,
-  electron_39,
+  electron_42,
   fetchFromGitHub,
   jq,
   makeDesktopItem,
 }:
 
 let
-  electron = electron_39;
+  electron = electron_42;
   description = "Visualizer for neural network, deep learning and machine learning models";
   icon = "netron";
 
 in
 buildNpmPackage (finalAttrs: {
   pname = "netron";
-  version = "8.8.2";
+  version = "9.0.8";
 
   src = fetchFromGitHub {
     owner = "lutzroeder";
     repo = "netron";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-DeI82vixVJwAfYYUOTTZCeRTYvmkAutuQQm1fCdj8fs=";
+    hash = "sha256-vWzifB8A0VzzSkPVrcFtrR/tLBeFh1n+xwefhNo4PDQ=";
   };
 
-  npmDepsHash = "sha256-HyqfrkO9Cbo6KVY1QuA4i6od6M7ZQaIfkUWA2P/bvfI=";
+  npmDepsHash = "sha256-3Vaoym7o3sTmEHTNTG90i/NgdJ2x+skJ1slpp0dmv64=";
 
   nativeBuildInputs = [ jq ];
 

pkgs/by-name/po/pocket-id/CVE-2026-43983.patch

@@ -0,0 +1,57 @@
+diff --git a/backend/internal/service/oidc_service.go b/backend/internal/service/oidc_service.go
+index ef765b277..6c09cb8c5 100644
+--- a/backend/internal/service/oidc_service.go
++++ b/backend/internal/service/oidc_service.go
+@@ -534,6 +534,36 @@ func (s *OidcService) createTokenFromRefreshToken(ctx context.Context, input dto
+ 		return CreatedTokens{}, &common.OidcInvalidRefreshTokenError{}
+ 	}
+ 
++	if storedRefreshToken.User.Disabled {
++		return CreatedTokens{}, &common.OidcInvalidRefreshTokenError{}
++	}
++
++	var authorizedClient model.UserAuthorizedOidcClient
++	err = tx.
++		WithContext(ctx).
++		Where("user_id = ? AND client_id = ?", storedRefreshToken.UserID, input.ClientID).
++		First(&authorizedClient).
++		Error
++	if errors.Is(err, gorm.ErrRecordNotFound) {
++		err = tx.WithContext(ctx).Delete(&storedRefreshToken).Error
++		if err != nil {
++			return CreatedTokens{}, err
++		}
++
++		err = tx.Commit().Error
++		if err != nil {
++			return CreatedTokens{}, err
++		}
++
++		return CreatedTokens{}, &common.OidcInvalidRefreshTokenError{}
++	} else if err != nil {
++		return CreatedTokens{}, err
++	}
++
++	if !s.IsUserGroupAllowedToAuthorize(storedRefreshToken.User, *client) {
++		return CreatedTokens{}, &common.OidcAccessDeniedError{}
++	}
++
+ 	// Generate a new access token
+ 	authenticationMethods := storedRefreshToken.AuthenticationMethod
+ 	accessToken, err := s.jwtService.GenerateOAuthAccessToken(storedRefreshToken.User, input.ClientID, authenticationMethods)
+@@ -1500,6 +1537,15 @@ func (s *OidcService) RevokeAuthorizedClient(ctx context.Context, userID string,
+ 		return err
+ 	}
+ 
++	err = tx.
++		WithContext(ctx).
++		Where("user_id = ? AND client_id = ?", userID, clientID).
++		Delete(&model.OidcRefreshToken{}).
++		Error
++	if err != nil {
++		return err
++	}
++
+ 	err = tx.Commit().Error
+ 	if err != nil {
+ 		return err

pkgs/by-name/po/pocket-id/package.nix

@@ -13,13 +13,13 @@
 }:
 buildGo125Module (finalAttrs: {
   pname = "pocket-id";
-  version = "1.15.0";
+  version = "1.16.0";
 
   src = fetchFromGitHub {
     owner = "pocket-id";
     repo = "pocket-id";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-mnmBwQ79sScTPM4Gh9g0x/QTmqm1TgxaOkww+bvs1b4=";
+    hash = "sha256-2tGd/gl0Pm5b5GfkTsChvZoWov4dwljwqDcitX5NKCY=";
   };
 
   patches = [
@@ -28,13 +28,18 @@ buildGo125Module (finalAttrs: {
       url = "https://github.com/pocket-id/pocket-id/commit/34890235ba8c2d856e3a121fdf59fe9d627e8596.patch?full_index=1";
       hash = "sha256-Th1/J9M7kxcXyuNa0CZIIX1CuIS31Dx12+O4bzSxS0E=";
     })
+    # based on https://github.com/pocket-id/pocket-id/commit/978ac87deffec58beaccd15aead975e91b94c8a5.patch, modifications:
+    # - remove added tests due to merge conflicts
+    # - remove group restriction check as it's a v2 feature: https://github.com/pocket-id/pocket-id/pull/1164
+    # - adapt to IsUserGroupAllowedToAuthorize function signature changes
+    ./CVE-2026-43983.patch
   ];
 
   patchFlags = [ "-p2" ];
 
   sourceRoot = "${finalAttrs.src.name}/backend";
 
-  vendorHash = "sha256-CmhPURPNwcpmD9shLrQPVKFGBirEMjq0Z4lmgMCpxS8=";
+  vendorHash = "sha256-ttbiuYRWbn8KRZtg499R4NF/E9+B+fOylxZcMwNg69M=";
 
   env.CGO_ENABLED = 0;
   ldflags = [
@@ -50,6 +55,13 @@ buildGo125Module (finalAttrs: {
     mv $out/bin/cmd $out/bin/pocket-id
   '';
 
+  checkFlags = [
+    # requires networking
+    "-skip=TestOidcService_downloadAndSaveLogoFromURL"
+  ];
+
+  doCheck = !stdenvNoCC.hostPlatform.isDarwin;
+
   frontend = stdenvNoCC.mkDerivation {
     pname = "pocket-id-frontend";
     inherit (finalAttrs) version src;
@@ -62,8 +74,8 @@ buildGo125Module (finalAttrs: {
     pnpmDeps = fetchPnpmDeps {
       inherit (finalAttrs) pname version src;
       pnpm = pnpm_10;
-      fetcherVersion = 1;
-      hash = "sha256-/e1zBHdy3exqbMvlv0Jth7vpJd7DDnWXGfMV+Cdr56I=";
+      fetcherVersion = 3;
+      hash = "sha256-Ybief+B7M1ATqHf9GlBlPFjII+ybCN4ATU94p0GKtI4=";
     };
 
     env.BUILD_OUTPUT_PATH = "dist";

pkgs/by-name/sh/sharkey/package.nix

@@ -23,14 +23,14 @@
 }:
 stdenv.mkDerivation (finalAttrs: {
   pname = "sharkey";
-  version = "2025.4.6";
+  version = "2025.4.7";
 
   src = fetchFromGitLab {
     domain = "activitypub.software";
     owner = "TransFem-org";
     repo = "Sharkey";
     tag = finalAttrs.version;
-    hash = "sha256-TtwlveTIjzDYpFR+F5c0If6E1D2E5MI9I2IoDIV0u7E=";
+    hash = "sha256-Gfn/oB9cc7LCeQxrfxuCmF7Z9A3VUGZwnhBip07c0kY=";
     fetchSubmodules = true;
   };
 

pkgs/by-name/vr/vrcx/deps.json

@@ -91,8 +91,8 @@
   },
   {
     "pname": "NLog",
-    "version": "6.0.7",
-    "hash": "sha256-Le6ocjCN29rtgRiAroVfjUbMXCrjk0pSv2GEtZZy0qU="
+    "version": "6.1.2",
+    "hash": "sha256-rcBEHtjkg3ZaG3zVoy5aPLTPxbuV2gMdEU3vPpneKfI="
   },
   {
     "pname": "runtime.native.System.Data.SqlClient.sni",
@@ -146,8 +146,8 @@
   },
   {
     "pname": "System.CodeDom",
-    "version": "10.0.2",
-    "hash": "sha256-MAKLNGx7mczcSE6n7b3HvQOLPC8Afk5Mv6PUV2hlHC0="
+    "version": "10.0.7",
+    "hash": "sha256-6ZKsH6PnSzrPrvAuLZppePupB2RaQ+lddqpsY8kth54="
   },
   {
     "pname": "System.CodeDom",
@@ -201,8 +201,8 @@
   },
   {
     "pname": "System.Management",
-    "version": "10.0.2",
-    "hash": "sha256-u0Dn4zJUvSpftmtvR24enqKPDxxAMXJpav2/sfiwYiE="
+    "version": "10.0.7",
+    "hash": "sha256-qIFAiT52Fkg2yMziif3O6E1ApvlUllqeMT1Iq48gsKg="
   },
   {
     "pname": "System.Memory",

pkgs/by-name/vr/vrcx/package.nix

@@ -1,8 +1,8 @@
 {
   lib,
   stdenv,
-  nodejs_22,
-  electron_39,
+  nodejs_24,
+  electron_40,
   makeWrapper,
   fetchFromGitHub,
   buildNpmPackage,
@@ -12,34 +12,34 @@
   dotnetCorePackages,
 }:
 let
-  node = nodejs_22;
-  electron = electron_39;
+  node = nodejs_24;
+  electron = electron_40;
   dotnet = dotnetCorePackages.dotnet_9;
 in
 buildNpmPackage (finalAttrs: {
   pname = "vrcx";
-  version = "2026.02.11";
+  version = "2026.05.03";
 
   src = fetchFromGitHub {
     repo = "VRCX";
     owner = "vrcx-team";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-/CMxFjIcLqk2oTnXUV519NkrImsnq3/kUGiew5E3Zyw=";
+    hash = "sha256-TIRX1DllUaq73Aue5/2mg98luBnDoptiiMDQcZ9aBTM=";
   };
 
   nodejs = node;
   makeCacheWritable = true;
   npmFlags = [ "--ignore-scripts" ];
-  npmDepsHash = "sha256-bli8TKzxcASuCegEGwiHM5siMXGK4WuzhweNr5HaCvg=";
+  npmDepsHash = "sha256-hOfbDvBJgoPQ6QxnZ77kpeSHDXH9dSnidmrx9Mp9q08=";
 
   nativeBuildInputs = [
     makeWrapper
     copyDesktopItems
   ];
 
-  preBuild = ''
-    # Build fails at executing dart from sass-embedded
-    rm -r node_modules/sass-embedded*
+  postPatch = ''
+    # V2026.05.03 seems to have an out of date lockfile
+    cp ${./package-lock.json} package-lock.json
   '';
 
   buildPhase = ''

pkgs/os-specific/linux/kernel/kernels-org.json

@@ -20,23 +20,23 @@
         "lts": true
     },
     "6.6": {
-        "version": "6.6.140",
-        "hash": "sha256:1nxpckv5kq4i0vhg0nszzkq1sf9lsjjkaf8q8wvpyc6ll9s9cz6n",
+        "version": "6.6.141",
+        "hash": "sha256:1qbzxgqs7q9gyqfrf0j7p0pgjxnjj5mibamhm280mf9anqp6bhiv",
         "lts": true
     },
     "6.12": {
-        "version": "6.12.90",
-        "hash": "sha256:1a521y1gins69ir1dskhavmrn9bq28c1vknkhii8m2s6azq1y6hz",
+        "version": "6.12.91",
+        "hash": "sha256:0sbrb612b653w64g5jkpbf68y0fka2sgnwblam41k7wz2sgapwhg",
         "lts": true
     },
     "6.18": {
-        "version": "6.18.32",
-        "hash": "sha256:195xsf4d2rpzkkjdp570sgz4128djzvi5wsqc7m890jp8paasz86",
+        "version": "6.18.33",
+        "hash": "sha256:10mp1ypsdz42jr26g1xxbw806mvpy0n35418fhsgxxlr4lqgy5kg",
         "lts": true
     },
     "7.0": {
-        "version": "7.0.9",
-        "hash": "sha256:1i7ihfnidi3q91g24swa7i9rk9m1f016g8l7a7622ingfvgsq1xc",
+        "version": "7.0.10",
+        "hash": "sha256:1p1j9s0b4qv9m0pm6vj477rqgyd1b0lsk0gy74cks3n2cbmpfj89",
         "lts": false
     }
 }

pkgs/os-specific/linux/kernel/xanmod-kernels.nix

@@ -15,14 +15,14 @@ let
   variants = {
     # ./update-xanmod.sh lts
     lts = {
-      version = "6.18.32";
-      hash = "sha256-XgqytdTnL3Jjcs9riMRGgRVfyy76jxdBcC0hSt4rc58=";
+      version = "6.18.33";
+      hash = "sha256-J/dbwzxkNE7bnhFygInJ3Ve67yrMQ34z10nMb/vtoWY=";
       isLTS = true;
     };
     # ./update-xanmod.sh main
     main = {
-      version = "7.0.9";
-      hash = "sha256-QlCbzTqHtVROdIEoqwrAf8mylLh2WHSqFY/eQ3jvrW8=";
+      version = "7.0.10";
+      hash = "sha256-6sanwas9XXjeGVHe7WvLOVnbHJ6g0RXek9sfOCE8080=";
     };
   };
 

pkgs/servers/kanidm/1_10.nix

@@ -1,5 +1,5 @@
 import ./generic.nix {
-  version = "1.10.2";
-  hash = "sha256-VkFsJPP3oGy307d7E0h9wanZC2EsXziy5XC10/6aoTI=";
-  cargoHash = "sha256-ureHJ5I8emHsltpe8PuzWUSQjokbXZQ7Kh0e2eTz0LE=";
+  version = "1.10.3";
+  hash = "sha256-xf8/fHMkGGApPpKoOgpUJtttorOjf51E/S5KKguwiTM=";
+  cargoHash = "sha256-zu2uKtJnMi8En5btKQWgACs3mLkHnbrxA5XUkwLP+yc=";
 }

pkgs/tools/networking/openssh/default.nix

@@ -39,33 +39,44 @@ in
 
   openssh_hpn = common rec {
     pname = "openssh-with-hpn";
-    version = "10.2p1";
+    version = "10.3p1";
     extraDesc = " with high performance networking patches";
 
     src = fetchurl {
       url = urlFor version;
-      hash = "sha256-zMQsBBmTeVkmP6Hb0W2vwYxWuYTANWLSk3zlamD3mLI=";
+      hash = "sha256-VmgqNruS3PS08Bb9jsjnQFm3mo3iXBXWcNcx59GORfQ=";
     };
 
     extraPatches =
       let
-        url = "https://raw.githubusercontent.com/freebsd/freebsd-ports/7d4f03d56d19a19a15399a03b3ceca8a0f5924b4/security/openssh-portable/files/extra-patch-hpn";
+        urlBase = "https://raw.githubusercontent.com/freebsd/freebsd-ports/294be7ad9ef5106b696d830e06b9f322bd79d6f5/security/openssh-portable/files";
+        noBlocklistdHpnGluePatch = "${urlBase}/extra-patch-no-blocklistd-hpn-glue";
+        hpnPatch = "${urlBase}/extra-patch-hpn";
       in
       [
         ./ssh-keysign-8.5.patch
 
+        # the blocklistd patch from FreeBSD ports is now required for HPN,
+        # unless we apply this HPN glue patch
+        (fetchpatch {
+          name = "ssh-no-blocklistd-hpn-glue.patch";
+          url = noBlocklistdHpnGluePatch;
+          extraPrefix = "";
+          hash = "sha256-+AeJ9fLmmT/P07JZvGaXpNft+2F9PoFsbzr+s9wfdro=";
+        })
+
         # HPN Patch from FreeBSD ports
         (fetchpatch {
           name = "ssh-hpn-wo-channels.patch";
-          inherit url;
+          url = hpnPatch;
           stripLen = 1;
           excludes = [ "channels.c" ];
-          hash = "sha256-BGR0Jn1JoD/0q9/TKjygg9C3UWeVf0R2DrH0esMzmpY=";
+          hash = "sha256-dEYCSBcUXbSBzoMV/6QwLl5tj0c0/DPTtArchfRRQvM=";
         })
 
         (fetchpatch {
           name = "ssh-hpn-channels.patch";
-          inherit url;
+          url = hpnPatch;
           extraPrefix = "";
           includes = [ "channels.c" ];
           hash = "sha256-pDLUbjv5XIyByEbiRAXC3WMUPKmn15af1stVmcvr7fE=";