beta release

.git-blame-ignore-revs

@@ -266,6 +266,3 @@ a034fb50f79816c6738fb48b48503b09ea3b0132
 
 # treewide: switch instances of lib.teams.*.members to the new meta.teams attribute
 05580f4b4433fda48fff30f60dfd303d6ee05d21
-
-# nixos/redmine: Get rid of global lib expansions
-d7f1102f04c58b2edfc74c9a1d577e3aebfca775

.github/ISSUE_TEMPLATE/01_bug_report.yml

@@ -34,9 +34,9 @@ body:
         > If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
       options:
         - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
       default: 0
     validations:
       required: true

.github/ISSUE_TEMPLATE/02_bug_report_darwin.yml

@@ -34,9 +34,9 @@ body:
         > If you are using an older version, please update to the latest stable version and check if the issue persists before continuing this bug report.
       options:
         - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
       default: 0
     validations:
       required: true

.github/ISSUE_TEMPLATE/03_bug_report_nixos.yml

@@ -34,9 +34,9 @@ body:
         > If you are using an older version, please [update to the latest stable version](https://nixos.org/download) and check if the issue persists before continuing this bug report.
       options:
         - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
       default: 0
     validations:
       required: true

.github/ISSUE_TEMPLATE/04_build_failure.yml

@@ -35,9 +35,9 @@ body:
         > If you are purposefully trying to build an ancient version of a package in an older Nixpkgs, please coordinate with the [NixOS Archivists](https://matrix.to/#/#archivists:nixos.org).
       options:
         - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
       default: 0
     validations:
       required: true

.github/ISSUE_TEMPLATE/05_update_request.yml

@@ -35,9 +35,9 @@ body:
         > If the package has been updated in unstable, but you believe the update should be backported to the stable release of Nixpkgs, please file the '**Request: backport to stable**' form instead.
       options:
         - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
       default: 0
     validations:
       required: true

.github/ISSUE_TEMPLATE/06_module_request.yml

@@ -34,9 +34,9 @@ body:
         > If you are using an older or stable version, please update to the latest **unstable** version and check if the module still does not exist before continuing this request.
       options:
         - "Please select a version."
-        - "- Unstable (25.11)"
-        - "- Stable (25.05)"
-        - "- Previous Stable (24.11)"
+        - "- Unstable (25.05)"
+        - "- Stable (24.11)"
+        - "- Previous Stable (24.05)"
       default: 0
     validations:
       required: true

.github/PULL_REQUEST_TEMPLATE.md

@@ -25,9 +25,8 @@ For new packages please briefly describe the package or provide a link to its ho
   - made sure NixOS tests are [linked](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#linking-nixos-module-tests-to-a-package) to the relevant packages
 - [ ] Tested compilation of all packages that depend on this change using `nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"`. Note: all changes have to be committed, also see [nixpkgs-review usage](https://github.com/Mic92/nixpkgs-review#usage)
 - [ ] Tested basic functionality of all binary files (usually in `./result/bin/`)
-- [Nixpkgs 25.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/doc/release-notes/rl-2511.section.md) (or backporting [24.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/release-notes/rl-2411.section.md) and [25.05](https://github.com/NixOS/nixpkgs/blob/master/doc/manual/release-notes/rl-2505.section.md) Nixpkgs Release notes)
+- [25.05 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) (or backporting [24.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) and [25.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) Release notes)
   - [ ] (Package updates) Added a release notes entry if the change is major or breaking
-- [NixOS 25.11 Release Notes](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2511.section.md) (or backporting [24.11](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2411.section.md) and [25.05](https://github.com/NixOS/nixpkgs/blob/master/nixos/doc/manual/release-notes/rl-2505.section.md) NixOS Release notes)
   - [ ] (Module updates) Added a release notes entry if the change is significant
   - [ ] (Module addition) Added a release notes entry if adding a new NixOS module
 - [ ] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/CONTRIBUTING.md).

.github/actions/get-merge-commit/action.yml

@@ -1,88 +0,0 @@
-name: Get merge commit
-
-description: 'Checks whether the Pull Request is mergeable and checks out the repo at up to two commits: The result of a temporary merge of the head branch into the target branch ("merged"), and the parent of that commit on the target branch ("target"). Handles push events and merge conflicts gracefully.'
-
-inputs:
-  merged-as-untrusted:
-    description: "Whether to checkout the merge commit in the ./untrusted folder."
-    type: boolean
-  target-as-trusted:
-    description: "Whether to checkout the target commit in the ./trusted folder."
-    type: boolean
-
-outputs:
-  mergedSha:
-    description: "The merge commit SHA"
-    value: ${{ steps.commits.outputs.mergedSha }}
-  targetSha:
-    description: "The target commit SHA"
-    value: ${{ steps.commits.outputs.targetSha }}
-
-runs:
-  using: composite
-  steps:
-    - id: commits
-      uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-      with:
-        script: |
-          if (context.eventName == 'push') return core.setOutput('mergedSha', context.sha)
-
-          for (const retryInterval of [5, 10, 20, 40, 80]) {
-            console.log("Checking whether the pull request can be merged...")
-            const prInfo = (await github.rest.pulls.get({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: context.payload.pull_request.number
-            })).data
-
-            if (prInfo.state != 'open') throw new Error ("PR is not open anymore.")
-
-            if (prInfo.mergeable == null) {
-              console.log(`GitHub is still computing whether this PR can be merged, waiting ${retryInterval} seconds before trying again...`)
-              await new Promise(resolve => setTimeout(resolve, retryInterval * 1000))
-              continue
-            }
-
-            let mergedSha, targetSha
-
-            if (prInfo.mergeable) {
-              console.log("The PR can be merged.")
-
-              mergedSha = prInfo.merge_commit_sha
-              targetSha = (await github.rest.repos.getCommit({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                ref: prInfo.merge_commit_sha
-              })).data.parents[0].sha
-            } else {
-              console.log("The PR has a merge conflict.")
-
-              mergedSha = prInfo.head.sha
-              targetSha = (await github.rest.repos.compareCommitsWithBasehead({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                basehead: `${prInfo.base.sha}...${prInfo.head.sha}`
-              })).data.merge_base_commit.sha
-            }
-
-            console.log(`Checking the commits:\nmerged:${mergedSha}\ntarget:${targetSha}`)
-            core.setOutput('mergedSha', mergedSha)
-            core.setOutput('targetSha', targetSha)
-            return
-          }
-          throw new Error("Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com.")
-
-      # Would be great to do the checkouts in git worktrees of the existing spare checkout instead,
-      # but Nix is broken with them:
-      # https://github.com/NixOS/nix/issues/6073
-    - if: inputs.merged-as-untrusted && steps.commits.outputs.mergedSha
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        ref: ${{ steps.commits.outputs.mergedSha }}
-        path: untrusted
-
-    - if: inputs.target-as-trusted && steps.commits.outputs.targetSha
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        ref: ${{ steps.commits.outputs.targetSha }}
-        path: trusted

.github/labeler-no-sync.yml

@@ -22,7 +22,7 @@
         - doc/**/*
         - nixos/doc/**/*
 
-"backport release-25.05":
+"backport release-24.11":
   - any:
     - changed-files:
       - any-glob-to-any-file:

.github/labeler.yml

@@ -162,7 +162,7 @@
       - any-glob-to-any-file:
         - doc/languages-frameworks/gnome.section.md
         - nixos/modules/services/desktops/gnome/**/*
-        - nixos/modules/services/desktop-managers/gnome.nix
+        - nixos/modules/services/x11/desktop-managers/gnome.nix
         - nixos/tests/gnome-xorg.nix
         - nixos/tests/gnome.nix
         - pkgs/desktops/gnome/**/*

.github/workflows/backport.yml

@@ -9,9 +9,7 @@ on:
   pull_request_target:
     types: [closed, labeled]
 
-permissions:
-  contents: read
-  pull-requests: write
+permissions: {}
 
 jobs:
   backport:
@@ -50,8 +48,7 @@ jobs:
       - name: "Add 'has: port to stable' label"
         if: steps.backport.outputs.created_pull_numbers != ''
         env:
-          # Not the app on purpose to avoid triggering another workflow run after adding this label
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
           REPOSITORY: ${{ github.repository }}
           NUMBER: ${{ github.event.number }}
         run: |

.github/workflows/check-cherry-picks.yml

@@ -20,12 +20,11 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-          filter: tree:0
-          path: trusted
+          filter: blob:none
 
       - name: Check cherry-picks
         env:
           BASE_SHA: ${{ github.event.pull_request.base.sha }}
           HEAD_SHA: ${{ github.event.pull_request.head.sha }}
         run: |
-          ./trusted/ci/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA"
+          ./maintainers/scripts/check-cherry-picks.sh "$BASE_SHA" "$HEAD_SHA"

.github/workflows/check-format.yml

@@ -5,21 +5,23 @@ on:
     paths:
       - .github/workflows/check-format.yml
   pull_request_target:
+    types: [opened, synchronize, reopened, edited]
 
 permissions: {}
 
 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
   nixos:
     name: fmt-check
     runs-on: ubuntu-24.04-arm
+    needs: get-merge-commit
+    if: needs.get-merge-commit.outputs.mergedSha
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
 
       - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
         with:
@@ -30,7 +32,7 @@ jobs:
           # Note that it's fine to run this on untrusted code because:
           # - There's no secrets accessible here
           # - The build is sandboxed
-          if ! nix-build untrusted/ci -A fmt.check; then
+          if ! nix-build ci -A fmt.check; then
             echo "Some files are not properly formatted"
             echo "Please format them by going to the Nixpkgs root directory and running one of:"
             echo "  nix-shell --run treefmt"

.github/workflows/check-shell.yml

@@ -32,13 +32,9 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
 
       - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
 
       - name: Build shell
-        run: nix-build untrusted/ci -A shell
+        run: nix-build ci -A shell

.github/workflows/codeowners-v2.yml

@@ -27,7 +27,7 @@ on:
     paths:
       - .github/workflows/codeowners-v2.yml
   pull_request_target:
-    types: [opened, ready_for_review, synchronize, reopened]
+    types: [opened, ready_for_review, synchronize, reopened, edited]
 
 permissions: {}
 
@@ -37,21 +37,17 @@ env:
   DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
 
 jobs:
+  get-merge-commit:
+    if: github.repository_owner == 'NixOS'
+    uses: ./.github/workflows/get-merge-commit.yml
+
   # Check that code owners is valid
   check:
     name: Check
     runs-on: ubuntu-24.04-arm
-    if: github.repository_owner == 'NixOS'
+    needs: get-merge-commit
+    if: github.repository_owner == 'NixOS' && needs.get-merge-commit.outputs.mergedSha
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge and target commits
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
-          target-as-trusted: true
-
       - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
 
       - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
@@ -60,8 +56,15 @@ jobs:
           name: nixpkgs-ci
           authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
 
+      # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself.
+      # We later build and run code from the base branch with access to secrets,
+      # so it's important this is not the PRs code.
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          path: base
+
       - name: Build codeowners validator
-        run: nix-build trusted/ci -A codeownersValidator
+        run: nix-build base/ci -A codeownersValidator
 
       - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
         if: vars.OWNER_RO_APP_ID
@@ -72,16 +75,21 @@ jobs:
           permission-administration: read
           permission-members: read
 
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          path: pr
+
       - name: Validate codeowners
         if: steps.app-token.outputs.token
+        run: result/bin/codeowners-validator
         env:
-          OWNERS_FILE: untrusted/${{ env.OWNERS_FILE }}
+          OWNERS_FILE: pr/${{ env.OWNERS_FILE }}
           GITHUB_ACCESS_TOKEN: ${{ steps.app-token.outputs.token }}
-          REPOSITORY_PATH: untrusted
+          REPOSITORY_PATH: pr
           OWNER_CHECKER_REPOSITORY: ${{ github.repository }}
           # Set this to "notowned,avoid-shadowing" to check that all files are owned by somebody
           EXPERIMENTAL_CHECKS: "avoid-shadowing"
-        run: result/bin/codeowners-validator
 
   # Request reviews from code owners
   request:
@@ -94,8 +102,6 @@ jobs:
       # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR head.
       # This is intentional, because we need to request the review of owners as declared in the base branch.
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          path: trusted
 
       - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
         if: vars.OWNER_APP_ID
@@ -108,10 +114,10 @@ jobs:
           permission-pull-requests: write
 
       - name: Build review request package
-        run: nix-build trusted/ci -A requestReviews
+        run: nix-build ci -A requestReviews
 
       - name: Request reviews
         if: steps.app-token.outputs.token
+        run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"
         env:
           GH_TOKEN: ${{ steps.app-token.outputs.token }}
-        run: result/bin/request-code-owner-reviews.sh ${{ github.repository }} ${{ github.event.number }} "$OWNERS_FILE"

.github/workflows/edited.yml

@@ -1,49 +0,0 @@
-# Some workflows depend on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.
-# Instead it causes an `edited` event.
-# Since `edited` is also triggered when PR title/body is changed, we use this wrapper workflow, to run the other workflows conditionally only.
-# There are already feature requests for adding a `base_changed` event:
-# - https://github.com/orgs/community/discussions/35058
-# - https://github.com/orgs/community/discussions/64119
-#
-# Instead of adding this to each workflow's pull_request_target event, we trigger this in a separate workflow.
-# This has the advantage, that we can actually skip running those jobs for simple edits like changing the title or description.
-# The actual trigger happens by closing and re-opening the pull request, which triggers the default pull_request_target events.
-# This is much simpler and reliable than other approaches.
-
-name: "Edited base branch"
-
-on:
-  pull_request_target:
-    types: [edited]
-
-permissions: {}
-
-jobs:
-  base:
-    name: Trigger jobs
-    runs-on: ubuntu-24.04
-    if: github.event.changes.base.ref.from && github.event.changes.base.ref.from != github.event.pull_request.base.ref
-    steps:
-      # Use a GitHub App to create the PR so that CI gets triggered
-      # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs
-      # We only need Pull Requests: write here, but the app is also used for backports.
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        id: app-token
-        with:
-          app-id: ${{ vars.NIXPKGS_CI_APP_ID }}
-          private-key: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}
-          permission-pull-requests: write
-
-      - env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-          REPOSITORY: ${{ github.repository }}
-          NUMBER: ${{ github.event.number }}
-        run: |
-          gh api \
-            --method PATCH \
-            /repos/"$REPOSITORY"/pulls/"$NUMBER" \
-            -f "state=closed"
-          gh api \
-            --method PATCH \
-            /repos/"$REPOSITORY"/pulls/"$NUMBER" \
-            -f "state=open"

.github/workflows/eval-aliases.yml

@@ -9,17 +9,19 @@ on:
 permissions: {}
 
 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
   eval-aliases:
     name: Eval nixpkgs with aliases enabled
     runs-on: ubuntu-24.04-arm
+    needs: [ get-merge-commit ]
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Check out the PR at the test merge commit
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          path: nixpkgs
 
       - name: Install Nix
         uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
@@ -27,8 +29,8 @@ jobs:
           extra_nix_config: sandbox = true
 
       - name: Ensure flake outputs on all systems still evaluate
-        run: nix flake check --all-systems --no-build ./untrusted
+        run: nix flake check --all-systems --no-build ./nixpkgs
 
       - name: Query nixpkgs with aliases enabled to check for basic syntax errors
         run: |
-          time nix-env -I ./untrusted -f ./untrusted -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null
+          time nix-env -I ./nixpkgs -f ./nixpkgs -qa '*' --option restrict-eval true --option allow-import-from-derivation false >/dev/null

.github/workflows/eval.yml

@@ -4,8 +4,8 @@ on:
   pull_request:
     paths:
       - .github/workflows/eval.yml
-      - .github/workflows/reviews.yml # needs eval results from the same event type
   pull_request_target:
+    types: [opened, ready_for_review, synchronize, reopened]
   push:
     # Keep this synced with ci/request-reviews/dev-branches.txt
     branches:
@@ -19,36 +19,17 @@ on:
 permissions: {}
 
 jobs:
-  prepare:
-    name: Prepare
-    runs-on: ubuntu-24.04-arm
-    outputs:
-      mergedSha: ${{ steps.get-merge-commit.outputs.mergedSha }}
-      targetSha: ${{ steps.get-merge-commit.outputs.targetSha }}
-      systems: ${{ steps.systems.outputs.systems }}
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          sparse-checkout: |
-            .github/actions
-            ci/supportedSystems.json
-      - name: Check if the PR can be merged and get the test merge commit
-        uses: ./.github/actions/get-merge-commit
-        id: get-merge-commit
-
-      - name: Load supported systems
-        id: systems
-        run: |
-          echo "systems=$(jq -c <ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
 
   outpaths:
     name: Outpaths
     runs-on: ubuntu-24.04-arm
-    needs: [ prepare ]
+    needs: [ get-merge-commit ]
     strategy:
       fail-fast: false
       matrix:
-        system: ${{ fromJSON(needs.prepare.outputs.systems) }}
+        system: ${{ fromJSON(needs.get-merge-commit.outputs.systems) }}
     steps:
       - name: Enable swap
         run: |
@@ -60,8 +41,8 @@ jobs:
       - name: Check out the PR at the test merge commit
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: ${{ needs.prepare.outputs.mergedSha }}
-          path: untrusted
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          path: nixpkgs
 
       - name: Install Nix
         uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
@@ -72,26 +53,57 @@ jobs:
         env:
           MATRIX_SYSTEM: ${{ matrix.system }}
         run: |
-          nix-build untrusted/ci -A eval.singleSystem \
+          nix-build nixpkgs/ci -A eval.singleSystem \
             --argstr evalSystem "$MATRIX_SYSTEM" \
-            --arg chunkSize 10000 \
-            --out-link merged
+            --arg chunkSize 10000
           # If it uses too much memory, slightly decrease chunkSize
 
       - name: Upload the output paths and eval stats
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          name: merged-${{ matrix.system }}
-          path: merged/*
+          name: intermediate-${{ matrix.system }}
+          path: result/*
+
+  process:
+    name: Process
+    runs-on: ubuntu-24.04-arm
+    needs: [ outpaths, get-merge-commit ]
+    outputs:
+      targetRunId: ${{ steps.targetRunId.outputs.targetRunId }}
+    steps:
+      - name: Download output paths and eval stats for all systems
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          pattern: intermediate-*
+          path: intermediate
+
+      - name: Check out the PR at the test merge commit
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          fetch-depth: 2
+          path: nixpkgs
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+        with:
+          extra_nix_config: sandbox = true
+
+      - name: Combine all output paths and eval stats
+        run: |
+          nix-build nixpkgs/ci -A eval.combine \
+            --arg resultsDir ./intermediate \
+            -o prResult
+
+      - name: Upload the combined results
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: result
+          path: prResult/*
 
       - name: Get target run id
-        if: needs.prepare.outputs.targetSha
+        if: needs.get-merge-commit.outputs.targetSha
         id: targetRunId
-        env:
-          GH_TOKEN: ${{ github.token }}
-          MATRIX_SYSTEM: ${{ matrix.system }}
-          REPOSITORY: ${{ github.repository }}
-          TARGET_SHA: ${{ needs.prepare.outputs.targetSha }}
         run: |
           # Get the latest eval.yml workflow run for the PR's target commit
           if ! run=$(gh api --method GET /repos/"$REPOSITORY"/actions/workflows/eval.yml/runs \
@@ -103,124 +115,106 @@ jobs:
           fi
           echo "Comparing against $(jq .html_url <<< "$run")"
           runId=$(jq .id <<< "$run")
-
-          if ! job=$(gh api --method GET /repos/"$REPOSITORY"/actions/runs/"$runId"/jobs \
-            --jq ".jobs[] | select (.name == \"Outpaths ($MATRIX_SYSTEM)\")") \
-            || [[ -z "$job" ]]; then
-            echo "Could not find the Outpaths ($MATRIX_SYSTEM) job for workflow run $runId, cannot make comparison"
-            exit 1
-          fi
-          jobId=$(jq .id <<< "$job")
-          conclusion=$(jq -r .conclusion <<< "$job")
+          conclusion=$(jq -r .conclusion <<< "$run")
 
           while [[ "$conclusion" == null || "$conclusion" == "" ]]; do
-            echo "Job not done, waiting 10 seconds before checking again"
+            echo "Workflow not done, waiting 10 seconds before checking again"
             sleep 10
-            conclusion=$(gh api /repos/"$REPOSITORY"/actions/jobs/"$jobId" --jq '.conclusion')
+            conclusion=$(gh api /repos/"$REPOSITORY"/actions/runs/"$runId" --jq '.conclusion')
           done
 
           if [[ "$conclusion" != "success" ]]; then
-            echo "Job was not successful (conclusion: $conclusion), cannot make comparison"
+            echo "Workflow was not successful (conclusion: $conclusion), cannot make comparison"
             exit 1
           fi
 
           echo "targetRunId=$runId" >> "$GITHUB_OUTPUT"
+        env:
+          REPOSITORY: ${{ github.repository }}
+          TARGET_SHA: ${{ needs.get-merge-commit.outputs.targetSha }}
+          GH_TOKEN: ${{ github.token }}
 
       - uses: actions/download-artifact@v4
         if: steps.targetRunId.outputs.targetRunId
         with:
-          run-id: ${{ steps.targetRunId.outputs.targetRunId }}
-          name: merged-${{ matrix.system }}
-          path: target
+          name: result
+          path: targetResult
           github-token: ${{ github.token }}
-          merge-multiple: true
-
-      - name: Compare outpaths against the target branch
-        if: steps.targetRunId.outputs.targetRunId
-        env:
-          MATRIX_SYSTEM: ${{ matrix.system }}
-        run: |
-          nix-build untrusted/ci -A eval.diff \
-            --arg beforeDir ./target \
-            --arg afterDir "$(readlink ./merged)" \
-            --argstr evalSystem "$MATRIX_SYSTEM" \
-            --out-link diff
-
-      - name: Upload outpaths diff and stats
-        if: steps.targetRunId.outputs.targetRunId
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: diff-${{ matrix.system }}
-          path: diff/*
-
-  compare:
-    name: Comparison
-    runs-on: ubuntu-24.04-arm
-    needs: [ prepare, outpaths ]
-    if: needs.prepare.outputs.targetSha
-    permissions:
-      issues: write # needed to create *new* labels
-      pull-requests: write
-      statuses: write
-    steps:
-      - name: Download output paths and eval stats for all systems
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          pattern: diff-*
-          path: diff
-          merge-multiple: true
-
-      - name: Check out the PR at the target commit
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ needs.prepare.outputs.targetSha }}
-          path: trusted
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - name: Combine all output paths and eval stats
-        run: |
-          nix-build trusted/ci -A eval.combine \
-            --arg diffDir ./diff \
-            --out-link combined
+          run-id: ${{ steps.targetRunId.outputs.targetRunId }}
 
       - name: Compare against the target branch
-        env:
-          AUTHOR_ID: ${{ github.event.pull_request.user.id }}
+        if: steps.targetRunId.outputs.targetRunId
         run: |
-          git -C trusted fetch --depth 1 origin ${{ needs.prepare.outputs.mergedSha }}
-          git -C trusted diff --name-only ${{ needs.prepare.outputs.mergedSha }} \
+          git -C nixpkgs worktree add ../target ${{ needs.get-merge-commit.outputs.targetSha }}
+          git -C nixpkgs diff --name-only ${{ needs.get-merge-commit.outputs.targetSha }} \
             | jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json
 
           # Use the target branch to get accurate maintainer info
-          nix-build trusted/ci -A eval.compare \
-            --arg combinedDir "$(realpath ./combined)" \
+          nix-build target/ci -A eval.compare \
+            --arg beforeResultDir ./targetResult \
+            --arg afterResultDir "$(realpath prResult)" \
             --arg touchedFilesJson ./touched-files.json \
-            --argstr githubAuthorId "$AUTHOR_ID" \
-            --out-link comparison
+            -o comparison
 
           cat comparison/step-summary.md >> "$GITHUB_STEP_SUMMARY"
 
-      - name: Upload the comparison results
+      - name: Upload the combined results
+        if: steps.targetRunId.outputs.targetRunId
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: comparison
           path: comparison/*
 
+  # Separate job to have a very tightly scoped PR write token
+  tag:
+    name: Tag
+    runs-on: ubuntu-24.04-arm
+    needs: [ get-merge-commit, process ]
+    if: needs.process.outputs.targetRunId
+    permissions:
+      pull-requests: write
+      statuses: write
+    steps:
+      # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
+      # Can't use the token received from permissions above, because it can't get enough permissions
+      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
+        if: vars.OWNER_APP_ID
+        id: app-token
+        with:
+          app-id: ${{ vars.OWNER_APP_ID }}
+          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
+          permission-administration: read
+          permission-members: read
+          permission-pull-requests: write
+
+      - name: Download process result
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: comparison
+          path: comparison
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
+
+      # Important: This workflow job runs with extra permissions,
+      # so we need to make sure to not run untrusted code from PRs
+      - name: Check out Nixpkgs at the base commit
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.targetSha }}
+          path: base
+          sparse-checkout: ci
+
+      - name: Build the requestReviews derivation
+        run: nix-build base/ci -A requestReviews
+
       - name: Labelling pull request
-        if: ${{ github.event_name == 'pull_request_target' }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          REPOSITORY: ${{ github.repository }}
-          NUMBER: ${{ github.event.number }}
+        if: ${{ github.event_name == 'pull_request_target' && github.repository_owner == 'NixOS' }}
         run: |
-          # Get all currently set labels that we manage
+          # Get all currently set rebuild labels
           gh api \
             /repos/"$REPOSITORY"/issues/"$NUMBER"/labels \
-            --jq '.[].name | select(startswith("10.rebuild") or . == "11.by: package-maintainer")' \
+            --jq '.[].name | select(startswith("10.rebuild"))' \
             | sort > before
 
           # And the labels that should be there
@@ -244,12 +238,13 @@ jobs:
               -f "labels[]=$toAdd"
           done < <(comm -13 before after)
 
-      - name: Add eval summary to commit statuses
-        if: ${{ github.event_name == 'pull_request_target' }}
         env:
           GH_TOKEN: ${{ github.token }}
-          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          REPOSITORY: ${{ github.repository }}
           NUMBER: ${{ github.event.number }}
+
+      - name: Add eval summary to commit statuses
+        if: ${{ github.event_name == 'pull_request_target' && github.repository_owner == 'NixOS' }}
         run: |
           description=$(jq -r '
           "Package: added " + (.attrdiff.added | length | tostring) +
@@ -263,13 +258,24 @@ jobs:
             -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \
             "/repos/$GITHUB_REPOSITORY/statuses/$PR_HEAD_SHA" \
             -f "context=Eval / Summary" -f "state=success" -f "description=$description" -f "target_url=$target_url"
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          NUMBER: ${{ github.event.number }}
 
-  reviewers:
-    name: Reviewers
-    # No dependency on "compare", so that it can start at the same time.
-    # We only wait for the "comparison" artifact to be available, which makes the start-to-finish time
-    # for the eval workflow considerably faster.
-    needs: [ prepare, outpaths ]
-    if: needs.prepare.outputs.targetSha
-    uses: ./.github/workflows/reviewers.yml
-    secrets: inherit
+      - name: Requesting maintainer reviews
+        if: ${{ steps.app-token.outputs.token && github.repository_owner == 'NixOS' }}
+        run: |
+          # maintainers.json contains GitHub IDs. Look up handles to request reviews from.
+          # There appears to be no API to request reviews based on GitHub IDs
+          jq -r 'keys[]' comparison/maintainers.json \
+            | while read -r id; do gh api /user/"$id" --jq .login; done \
+            | GH_TOKEN=${{ steps.app-token.outputs.token }} result/bin/request-reviewers.sh "$REPOSITORY" "$NUMBER" "$AUTHOR"
+
+        env:
+          GH_TOKEN: ${{ github.token }}
+          REPOSITORY: ${{ github.repository }}
+          NUMBER: ${{ github.event.number }}
+          AUTHOR: ${{ github.event.pull_request.user.login }}
+          # Don't request reviewers on draft PRs
+          DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}

.github/workflows/get-merge-commit.yml

@@ -0,0 +1,58 @@
+name: Get merge commit
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/get-merge-commit.yml
+  workflow_call:
+    outputs:
+      mergedSha:
+        description: "The merge commit SHA"
+        value: ${{ jobs.resolve-merge-commit.outputs.mergedSha }}
+      targetSha:
+        description: "The target commit SHA"
+        value: ${{ jobs.resolve-merge-commit.outputs.targetSha }}
+      systems:
+        description: "The supported systems"
+        value: ${{ jobs.resolve-merge-commit.outputs.systems }}
+
+permissions: {}
+
+jobs:
+  resolve-merge-commit:
+    runs-on: ubuntu-24.04-arm
+    outputs:
+      mergedSha: ${{ steps.merged.outputs.mergedSha }}
+      targetSha: ${{ steps.merged.outputs.targetSha }}
+      systems: ${{ steps.systems.outputs.systems }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          path: base
+          sparse-checkout: ci
+
+      - name: Check if the PR can be merged and get the test merge commit
+        id: merged
+        env:
+          GH_TOKEN: ${{ github.token }}
+          GH_EVENT: ${{ github.event_name }}
+        run: |
+          case "$GH_EVENT" in
+            push)
+              echo "mergedSha=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+              ;;
+            pull_request*)
+              if commits=$(base/ci/get-merge-commit.sh ${{ github.repository }} ${{ github.event.number }}); then
+                echo -e "Checking the commits:\n$commits"
+                echo "$commits" >> "$GITHUB_OUTPUT"
+              else
+                # Skipping so that no notifications are sent
+                echo "Skipping the rest..."
+              fi
+              ;;
+          esac
+
+      - name: Load supported systems
+        id: systems
+        run: |
+          echo "systems=$(jq -c <base/ci/supportedSystems.json)" >> "$GITHUB_OUTPUT"

.github/workflows/labels.yml

@@ -7,17 +7,17 @@ name: "Label PR"
 
 on:
   pull_request_target:
+    types: [edited, opened, synchronize, reopened]
 
 permissions:
   contents: read
-  issues: write # needed to create *new* labels
   pull-requests: write
 
 jobs:
   labels:
     name: label-pr
     runs-on: ubuntu-24.04-arm
-    if: "!contains(github.event.pull_request.title, '[skip treewide]')"
+    if: "github.repository_owner == 'NixOS' && !contains(github.event.pull_request.title, '[skip treewide]')"
     steps:
       - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         if: |

.github/workflows/lib-tests.yml

@@ -12,17 +12,18 @@ on:
 permissions: {}
 
 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
   nixpkgs-lib-tests:
     name: nixpkgs-lib-tests
     runs-on: ubuntu-24.04
+    needs: get-merge-commit
+    if: needs.get-merge-commit.outputs.mergedSha
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
 
       - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
         with:
@@ -30,4 +31,4 @@ jobs:
 
       - name: Building Nixpkgs lib-tests
         run: |
-          nix-build untrusted/ci -A lib-tests
+          nix-build ci -A lib-tests

.github/workflows/manual-nixos-v2.yml

@@ -34,11 +34,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
 
       - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
         with:
@@ -52,7 +48,7 @@ jobs:
 
       - name: Build NixOS manual
         id: build-manual
-        run: NIX_PATH=nixpkgs=$(pwd)/untrusted nix-build --option restrict-eval true untrusted/ci -A manual-nixos --argstr system ${{ matrix.system }}
+        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true ci -A manual-nixos --argstr system ${{ matrix.system }}
 
       - name: Upload NixOS manual
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

.github/workflows/manual-nixpkgs-v2.yml

@@ -5,6 +5,8 @@ on:
     paths:
       - .github/workflows/manual-nixpkgs-v2.yml
   pull_request_target:
+    branches:
+      - master
     paths:
       - 'doc/**'
       - 'lib/**'
@@ -19,11 +21,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
 
       - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
         with:
@@ -36,4 +34,4 @@ jobs:
           authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
 
       - name: Building Nixpkgs manual
-        run: nix-build untrusted/ci -A manual-nixpkgs -A manual-nixpkgs-tests
+        run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true ci -A manual-nixpkgs -A manual-nixpkgs-tests

.github/workflows/nix-parse-v2.yml

@@ -9,18 +9,18 @@ on:
 permissions: {}
 
 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
   tests:
     name: nix-files-parseable-check
     runs-on: ubuntu-24.04-arm
-    if: "!contains(github.event.pull_request.title, '[skip treewide]')"
+    needs: get-merge-commit
+    if: "needs.get-merge-commit.outputs.mergedSha && !contains(github.event.pull_request.title, '[skip treewide]')"
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout the merge commit
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
 
       - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
         with:
@@ -30,4 +30,4 @@ jobs:
       - name: Parse all nix files
         run: |
           # Tests multiple versions at once, let's make sure all of them run, so keep-going.
-          nix-build untrusted/ci -A parse --keep-going
+          nix-build ci -A parse --keep-going

.github/workflows/nixpkgs-vet.yml

@@ -10,6 +10,11 @@ on:
     paths:
       - .github/workflows/nixpkgs-vet.yml
   pull_request_target:
+    # This workflow depends on the base branch of the PR, but changing the base branch is not included in the default trigger events, which would be `opened`, `synchronize` or `reopened`.
+    # Instead it causes an `edited` event, so we need to add it explicitly here.
+    # While `edited` is also triggered when the PR title/body is changed, this PR action is fairly quick, and PRs don't get edited **that** often, so it shouldn't be a problem.
+    # There is a feature request for adding a `base_changed` event: https://github.com/orgs/community/discussions/35058
+    types: [opened, synchronize, reopened, edited]
 
 permissions: {}
 
@@ -17,29 +22,51 @@ permissions: {}
 # There is a feature request for suppressing notifications on concurrency-canceled runs: https://github.com/orgs/community/discussions/13015
 
 jobs:
+  get-merge-commit:
+    uses: ./.github/workflows/get-merge-commit.yml
+
   check:
     name: nixpkgs-vet
-    runs-on: ubuntu-24.04-arm
+    # This needs to be x86_64-linux, because we depend on the tooling being pre-built in the GitHub releases.
+    runs-on: ubuntu-24.04
     # This should take 1 minute at most, but let's be generous. The default of 6 hours is definitely too long.
     timeout-minutes: 10
+    needs: get-merge-commit
+    if: needs.get-merge-commit.outputs.mergedSha
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          sparse-checkout: .github/actions
-      - name: Check if the PR can be merged and checkout merged and target commits
-        uses: ./.github/actions/get-merge-commit
-        with:
-          merged-as-untrusted: true
-          target-as-trusted: true
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+          # Fetches the merge commit and its parents
+          fetch-depth: 2
+
+      - name: Checking out target branch
+        run: |
+          target=$(mktemp -d)
+          git worktree add "$target" "$(git rev-parse HEAD^1)"
+          echo "target=$target" >> "$GITHUB_ENV"
 
       - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
 
+      - name: Fetching the pinned tool
+        # Update the pinned version using ci/nixpkgs-vet/update-pinned-tool.sh
+        run: |
+          # The pinned version of the tooling to use.
+          toolVersion=$(<ci/nixpkgs-vet/pinned-version.txt)
+
+          # Fetch the x86_64-linux-specific release artifact containing the gzipped NAR of the pre-built tool.
+          toolPath=$(curl -sSfL https://github.com/NixOS/nixpkgs-vet/releases/download/"$toolVersion"/x86_64-linux.nar.gz \
+            | gzip -cd | nix-store --import | tail -1)
+
+          # Adds a result symlink as a GC root.
+          nix-store --realise "$toolPath" --add-root result
+
       - name: Running nixpkgs-vet
         env:
           # Force terminal colors to be enabled. The library that `nixpkgs-vet` uses respects https://bixense.com/clicolors/
           CLICOLOR_FORCE: 1
         run: |
-          if nix-build untrusted/ci -A nixpkgs-vet --arg base "./trusted" --arg head "./untrusted"; then
+          if result/bin/nixpkgs-vet --base "$target" .; then
             exit 0
           else
             exitCode=$?

.github/workflows/no-channel.yml

@@ -5,6 +5,8 @@ on:
     paths:
       - .github/workflows/no-channel.yml
   pull_request_target:
+    # Re-run should be triggered when the base branch is updated, instead of silently failing
+    types: [opened, synchronize, reopened, edited]
 
 permissions: {}
 

.github/workflows/periodic-merge-24h.yml

@@ -31,16 +31,14 @@ jobs:
             into: staging-next-24.11
           - from: staging-next-24.11
             into: staging-24.11
-          - from: release-25.05
+          - from: master
             into: staging-next-25.05
           - from: staging-next-25.05
             into: staging-25.05
-          - name: merge-base(master,staging) → haskell-updates
-            from: master staging
+          - from: master staging
             into: haskell-updates
     uses: ./.github/workflows/periodic-merge.yml
     with:
       from: ${{ matrix.pairs.from }}
       into: ${{ matrix.pairs.into }}
-    name: ${{ matrix.pairs.name || format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
     secrets: inherit

.github/workflows/periodic-merge-6h.yml

@@ -35,5 +35,4 @@ jobs:
     with:
       from: ${{ matrix.pairs.from }}
       into: ${{ matrix.pairs.into }}
-    name: ${{ format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
     secrets: inherit

.github/workflows/periodic-merge.yml

@@ -15,6 +15,7 @@ on:
 jobs:
   merge:
     runs-on: ubuntu-24.04-arm
+    name: ${{ inputs.from }} → ${{ inputs.into }}
     steps:
       # Use a GitHub App to create the PR so that CI gets triggered
       # The App is scoped to Repository > Contents and Pull Requests: write for Nixpkgs

.github/workflows/reviewers.yml

@@ -1,98 +0,0 @@
-# This workflow will request reviews from the maintainers of each package
-# listed in the PR's most recent eval comparison artifact.
-
-name: Reviewers
-
-on:
-  pull_request:
-    paths:
-      - .github/workflows/reviewers.yml
-  pull_request_target:
-    types: [ready_for_review]
-  workflow_call:
-
-permissions: {}
-
-jobs:
-  request:
-    name: Request
-    runs-on: ubuntu-24.04-arm
-    steps:
-      - name: Check out the PR at the base commit
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          path: trusted
-          sparse-checkout: ci
-
-      - name: Install Nix
-        uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
-        with:
-          extra_nix_config: sandbox = true
-
-      - name: Build the requestReviews derivation
-        run: nix-build trusted/ci -A requestReviews
-
-      # See ./codeowners-v2.yml, reuse the same App because we need the same permissions
-      # Can't use the token received from permissions above, because it can't get enough permissions
-      - uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
-        if: vars.OWNER_APP_ID
-        id: app-token
-        with:
-          app-id: ${{ vars.OWNER_APP_ID }}
-          private-key: ${{ secrets.OWNER_APP_PRIVATE_KEY }}
-          permission-administration: read
-          permission-members: read
-          permission-pull-requests: write
-
-
-      # In the regular case, this workflow is called via workflow_call from the eval workflow directly.
-      # In the more special case, when a PR is undrafted an eval run will have started already.
-      - name: Wait for comparison to be done
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
-        with:
-          script: |
-            const run_id = (await github.rest.actions.listWorkflowRuns({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              workflow_id: 'eval.yml',
-              event: context.eventName,
-              head_sha: context.payload.pull_request.head.sha
-            })).data.workflow_runs[0].id
-
-            // Waiting 120 * 5 sec = 10 min. max.
-            // The extreme case is an Eval run that just started when the PR is undrafted.
-            // Eval takes max 5-6 minutes, normally.
-            for (let i = 0; i < 120; i++) {
-              const result = await github.rest.actions.listWorkflowRunArtifacts({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                run_id,
-                name: 'comparison'
-              })
-              if (result.data.total_count > 0) return
-              await new Promise(resolve => setTimeout(resolve, 5000))
-            }
-            throw new Error("No comparison artifact found.")
-
-      - name: Download the comparison results
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          pattern: comparison
-          path: comparison
-          merge-multiple: true
-
-      - name: Requesting maintainer reviews
-        if: ${{ steps.app-token.outputs.token }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          REPOSITORY: ${{ github.repository }}
-          NUMBER: ${{ github.event.number }}
-          AUTHOR: ${{ github.event.pull_request.user.login }}
-          # Don't request reviewers on draft PRs
-          DRY_MODE: ${{ github.event.pull_request.draft && '1' || '' }}
-        run: |
-          # maintainers.json contains GitHub IDs. Look up handles to request reviews from.
-          # There appears to be no API to request reviews based on GitHub IDs
-          jq -r 'keys[]' comparison/maintainers.json \
-            | while read -r id; do gh api /user/"$id" --jq .login; done \
-            | GH_TOKEN=${{ steps.app-token.outputs.token }} result/bin/request-reviewers.sh "$REPOSITORY" "$NUMBER" "$AUTHOR"

CONTRIBUTING.md

@@ -345,7 +345,7 @@ See [Nix Channel Status](https://status.nixos.org/) for the current channels and
 Here's a brief overview of the main Git branches and what channels they're used for:
 
 - `master`: The main branch, used for the unstable channels such as `nixpkgs-unstable`, `nixos-unstable` and `nixos-unstable-small`.
-- `release-YY.MM` (e.g. `release-25.11`): The NixOS release branches, used for the stable channels such as `nixos-25.11`, `nixos-25.11-small` and `nixpkgs-25.11-darwin`.
+- `release-YY.MM` (e.g. `release-25.05`): The NixOS release branches, used for the stable channels such as `nixos-25.05`, `nixos-25.05-small` and `nixpkgs-25.05-darwin`.
 
 When a channel is updated, a corresponding Git branch is also updated to point to the corresponding commit.
 So e.g. the [`nixpkgs-unstable` branch](https://github.com/nixos/nixpkgs/tree/nixpkgs-unstable) corresponds to the Git commit from the [`nixpkgs-unstable` channel](https://channels.nixos.org/nixpkgs-unstable).
@@ -533,7 +533,7 @@ Names of files and directories should be in lowercase, with dashes between words
 
 ### Formatting
 
-CI [enforces](./.github/workflows/check-format.yml) all Nix files to be
+CI [enforces](./.github/workflows/check-nix-format.yml) all Nix files to be
 formatted using the [official Nix formatter](https://github.com/NixOS/nixfmt).
 
 You can ensure this locally using either of these commands:

README.md

@@ -1,9 +1,9 @@
 <p align="center">
   <a href="https://nixos.org">
     <picture>
-      <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos.svg">
+      <source media="(prefers-color-scheme: light)" srcset="https://nixos.org/logo/nixos-hires.png">
       <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos-white.png">
-      <img src="https://raw.githubusercontent.com/NixOS/nixos-artwork/master/logo/nixos.svg" width="500px" alt="NixOS logo">
+      <img src="https://nixos.org/logo/nixos-hires.png" width="500px" alt="NixOS logo">
     </picture>
   </a>
 </p>

ci/OWNERS

@@ -15,7 +15,6 @@
 
 # CI
 /.github/*_TEMPLATE*                    @SigmaSquadron
-/.github/actions                        @NixOS/Security @Mic92 @zowoq @infinisil @azuwis @wolfgangwalther
 /.github/workflows                      @NixOS/Security @Mic92 @zowoq @infinisil @azuwis @wolfgangwalther
 /.github/workflows/check-format.yml     @infinisil @wolfgangwalther
 /.github/workflows/codeowners-v2.yml    @infinisil @wolfgangwalther
@@ -131,8 +130,7 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /nixos/modules/system/boot/loader/systemd-boot      @JulienMalka
 
 # Limine
-/nixos/modules/system/boot/loader/limine        @lzcunt @phip1611 @programmerlexi @johnrtitor
-/nixos/tests/limine                             @johnrtitor
+/nixos/modules/system/boot/loader/limine        @lzcunt @phip1611 @programmerlexi
 
 # Images and installer media
 /nixos/modules/profiles/installation-device.nix @ElvishJerricco
@@ -165,13 +163,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 ## common-updater-scripts
 /pkgs/common-updater/scripts/update-source-version    @jtojnar
 
-# Android tools, libraries, and environments
-/pkgs/development/android*                    @NixOS/android
-/pkgs/development/mobile/android*             @NixOS/android
-/pkgs/applications/editors/android-studio*    @NixOS/android
-/doc/languages-frameworks/android*            @NixOS/android
-/pkgs/by-name/an/android*                     @NixOS/android
-
 # Python-related code and docs
 /doc/languages-frameworks/python.section.md   @mweinelt @natsukium
 /maintainers/scripts/update-python-libraries  @mweinelt @natsukium
@@ -220,7 +211,6 @@ nixos/modules/installer/tools/nix-fallback-paths.nix  @NixOS/nix-team @raitobeza
 /pkgs/development/compilers/gcc
 /pkgs/development/compilers/llvm @alyssais @RossComputerGuy @NixOS/llvm
 /pkgs/development/compilers/emscripten @raitobezarius
-/doc/toolchains/llvm.chapter.md @alyssais @RossComputerGuy @NixOS/llvm
 /doc/languages-frameworks/emscripten.section.md @raitobezarius
 
 # Audio
@@ -250,7 +240,7 @@ pkgs/development/python-modules/buildcatrust/ @ajs124 @lukegb @mweinelt
 /pkgs/applications/editors/jetbrains @edwtjo @leona-ya @theCapypara
 
 # Licenses
-/lib/licenses.nix @alyssais @emilazy
+/lib/licenses.nix @alyssais
 
 # Qt
 /pkgs/development/libraries/qt-5 @K900 @NickCao @SuperSandro2000 @ttuegel
@@ -477,14 +467,11 @@ pkgs/development/interpreters/erlang/   @NixOS/beam
 pkgs/development/interpreters/elixir/   @NixOS/beam
 pkgs/development/interpreters/lfe/      @NixOS/beam
 
-# Authelia
-pkgs/servers/authelia/ @06kellyjac @dit7ya @nicomem
-
 # OctoDNS
 pkgs/by-name/oc/octodns/ @anthonyroussel
 
 # Teleport
-pkgs/by-name/te/teleport*   @arianvp @justinas @sigma @tomberek @freezeboy @techknowlogick @JuliusFreudenberger
+pkgs/servers/teleport   @arianvp @justinas @sigma @tomberek @freezeboy @techknowlogick @JuliusFreudenberger
 
 # Warp-terminal
 pkgs/by-name/wa/warp-terminal/  @emilytrau @imadnyc @donteatoreo @johnrtitor

ci/README.md

@@ -40,3 +40,46 @@ Why not just build the tooling right from the PRs Nixpkgs version?
 - Because it makes the CI check very fast, since no Nix builds need to be done, even for mass rebuilds.
 - Because it improves security, since we don't have to build potentially untrusted code from PRs.
   The tool only needs a very minimal Nix evaluation at runtime, which can work with [readonly-mode](https://nixos.org/manual/nix/stable/command-ref/opt-common.html#opt-readonly-mode) and [restrict-eval](https://nixos.org/manual/nix/stable/command-ref/conf-file.html#conf-restrict-eval).
+
+## `get-merge-commit.sh GITHUB_REPO PR_NUMBER`
+
+Check whether a PR is mergeable and return the test merge commit as
+[computed by GitHub](https://docs.github.com/en/rest/guides/using-the-rest-api-to-interact-with-your-git-database?apiVersion=2022-11-28#checking-mergeability-of-pull-requests) and its parent.
+
+Arguments:
+- `GITHUB_REPO`: The repository of the PR, e.g. `NixOS/nixpkgs`
+- `PR_NUMBER`: The PR number, e.g. `1234`
+
+Exit codes:
+- 0: The PR can be merged, the hashes of the test merge commit and the target commit are returned on stdout
+- 1: The PR cannot be merged because it's not open anymore
+- 2: The PR cannot be merged because it has a merge conflict
+- 3: The merge commit isn't being computed, GitHub is likely having internal issues, unknown if the PR is mergeable
+
+### Usage
+
+This script is implemented as a reusable GitHub Actions workflow, and can be used as follows:
+
+```yaml
+on: pull_request_target
+
+# We need a token to query the API, but it doesn't need any special permissions
+permissions: {}
+
+jobs:
+  get-merge-commit:
+    # use the relative path of the get-merge-commit workflow yaml here
+    uses: ./.github/workflows/get-merge-commit.yml
+
+  build:
+    name: Build
+    runs-on: ubuntu-24.04
+    needs: get-merge-commit
+    steps:
+      - uses: actions/checkout@<VERSION>
+        # Add this to _all_ subsequent steps to skip them
+        if: needs.get-merge-commit.outputs.mergedSha
+        with:
+          ref: ${{ needs.get-merge-commit.outputs.mergedSha }}
+      - ...
+```

ci/default.nix

@@ -82,9 +82,8 @@ in
   # CI jobs
   lib-tests = import ../lib/tests/release.nix { inherit pkgs; };
   manual-nixos = (import ../nixos/release.nix { }).manual.${system} or null;
-  manual-nixpkgs = (import ../doc { });
-  manual-nixpkgs-tests = (import ../doc { }).tests;
-  nixpkgs-vet = pkgs.callPackage ./nixpkgs-vet.nix { };
+  manual-nixpkgs = (import ../pkgs/top-level/release.nix { }).manual;
+  manual-nixpkgs-tests = (import ../pkgs/top-level/release.nix { }).manual.tests;
   parse = pkgs.lib.recurseIntoAttrs {
     latest = pkgs.callPackage ./parse.nix { nix = pkgs.nixVersions.latest; };
     lix = pkgs.callPackage ./parse.nix { nix = pkgs.lix; };

ci/eval/compare/default.nix

@@ -1,15 +1,15 @@
 {
-  callPackage,
   lib,
   jq,
   runCommand,
   writeText,
   python3,
+  ...
 }:
 {
-  combinedDir,
+  beforeResultDir,
+  afterResultDir,
   touchedFilesJson,
-  githubAuthorId,
   byName ? false,
 }:
 let
@@ -19,7 +19,7 @@ let
 
     ---
     Inputs:
-    - beforeDir, afterDir: The evaluation result from before and after the change.
+    - beforeResultDir, afterResultDir: The evaluation result from before and after the change.
       They can be obtained by running `nix-build -A ci.eval.full` on both revisions.
 
     ---
@@ -65,6 +65,7 @@ let
       Example: { name = "python312Packages.numpy"; platform = "x86_64-linux"; }
   */
   inherit (import ./utils.nix { inherit lib; })
+    diff
     groupByKernel
     convertToPackagePlatformAttrs
     groupByPlatform
@@ -72,10 +73,22 @@ let
     getLabels
     ;
 
+  getAttrs =
+    dir:
+    let
+      raw = builtins.readFile "${dir}/outpaths.json";
+      # The file contains Nix paths; we need to ignore them for evaluation purposes,
+      # else there will be a "is not allowed to refer to a store path" error.
+      data = builtins.unsafeDiscardStringContext raw;
+    in
+    builtins.fromJSON data;
+  beforeAttrs = getAttrs beforeResultDir;
+  afterAttrs = getAttrs afterResultDir;
+
   # Attrs
   # - keys: "added", "changed" and "removed"
   # - values: lists of `packagePlatformPath`s
-  diffAttrs = builtins.fromJSON (builtins.readFile "${combinedDir}/combined-diff.json");
+  diffAttrs = diff beforeAttrs afterAttrs;
 
   rebuilds = diffAttrs.added ++ diffAttrs.changed;
   rebuildsPackagePlatformAttrs = convertToPackagePlatformAttrs rebuilds;
@@ -101,19 +114,11 @@ let
           # Adds "10.rebuild-*-stdenv" label if the "stdenv" attribute was changed
           ++ lib.mapAttrsToList (kernel: _: "10.rebuild-${kernel}-stdenv") (
             lib.filterAttrs (_: kernelRebuilds: kernelRebuilds ? "stdenv") rebuildsByKernel
-          )
-          # Adds the "11.by: package-maintainer" label if all of the packages directly
-          # changed are maintained by the PR's author. (https://github.com/NixOS/ofborg/blob/df400f44502d4a4a80fa283d33f2e55a4e43ee90/ofborg/src/tagger.rs#L83-L88)
-          ++ lib.optional (
-            maintainers ? ${githubAuthorId}
-            && lib.all (lib.flip lib.elem maintainers.${githubAuthorId}) (
-              lib.flatten (lib.attrValues maintainers)
-            )
-          ) "11.by: package-maintainer";
+          );
       }
     );
 
-  maintainers = callPackage ./maintainers.nix { } {
+  maintainers = import ./maintainers.nix {
     changedattrs = lib.attrNames (lib.groupBy (a: a.name) rebuildsPackagePlatformAttrs);
     changedpathsjson = touchedFilesJson;
     inherit byName;
@@ -135,8 +140,8 @@ runCommand "compare"
     maintainers = builtins.toJSON maintainers;
     passAsFile = [ "maintainers" ];
     env = {
-      BEFORE_DIR = "${combinedDir}/before";
-      AFTER_DIR = "${combinedDir}/after";
+      BEFORE_DIR = "${beforeResultDir}";
+      AFTER_DIR = "${afterResultDir}";
     };
   }
   ''

ci/eval/compare/maintainers.nix

@@ -1,6 +1,3 @@
-{
-  lib,
-}:
 # Almost directly vendored from https://github.com/NixOS/ofborg/blob/5a4e743f192fb151915fcbe8789922fa401ecf48/ofborg/src/maintainers.nix
 {
   changedattrs,
@@ -13,6 +10,7 @@ let
     config = { };
     overlays = [ ];
   };
+  inherit (pkgs) lib;
 
   changedpaths = builtins.fromJSON (builtins.readFile changedpathsjson);
 

ci/eval/compare/utils.nix

@@ -93,6 +93,32 @@ rec {
     in
     uniqueStrings (builtins.map (p: p.name) packagePlatformAttrs);
 
+  /*
+    Computes the key difference between two attrs
+
+    {
+      added: [ <keys only in the second object> ],
+      removed: [ <keys only in the first object> ],
+      changed: [ <keys with different values between the two objects> ],
+    }
+  */
+  diff =
+    let
+      filterKeys = cond: attrs: lib.attrNames (lib.filterAttrs cond attrs);
+    in
+    old: new: {
+      added = filterKeys (n: _: !(old ? ${n})) new;
+      removed = filterKeys (n: _: !(new ? ${n})) old;
+      changed = filterKeys (
+        n: v:
+        # Filter out attributes that don't exist anymore
+        (new ? ${n})
+
+        # Filter out attributes that are the same as the new value
+        && (v != (new.${n}))
+      ) old;
+    };
+
   /*
     Group a list of `packagePlatformAttr`s by platforms
 

ci/eval/default.nix

@@ -1,14 +1,14 @@
 {
-  callPackage,
   lib,
   runCommand,
   writeShellScript,
   writeText,
-  symlinkJoin,
+  linkFarm,
   time,
   procps,
   nixVersions,
   jq,
+  sta,
   python3,
 }:
 
@@ -31,14 +31,11 @@ let
       );
     };
 
-  nix = nixVersions.latest;
+  nix = nixVersions.nix_2_24;
 
   supportedSystems = builtins.fromJSON (builtins.readFile ../supportedSystems.json);
 
   attrpathsSuperset =
-    {
-      evalSystem,
-    }:
     runCommand "attrpaths-superset.json"
       {
         src = nixpkgs;
@@ -58,7 +55,6 @@ let
             -I "$src" \
             --option restrict-eval true \
             --option allow-import-from-derivation false \
-            --option eval-system "${evalSystem}" \
             --arg enableWarnings false > $out/paths.json
       '';
 
@@ -69,13 +65,11 @@ let
       # because `--argstr system` would only be passed to the ci/default.nix file!
       evalSystem,
       # The path to the `paths.json` file from `attrpathsSuperset`
-      attrpathFile ? "${attrpathsSuperset { inherit evalSystem; }}/paths.json",
+      attrpathFile ? "${attrpathsSuperset}/paths.json",
       # The number of attributes per chunk, see ./README.md for more info.
       chunkSize,
       checkMeta ? true,
-
-      # Don't try to eval packages marked as broken.
-      includeBroken ? false,
+      includeBroken ? true,
       # Whether to just evaluate a single chunk for quick testing
       quickTest ? false,
     }:
@@ -98,7 +92,7 @@ let
           --option restrict-eval true \
           --option allow-import-from-derivation false \
           --query --available \
-          --out-path --json \
+          --no-name --attr-path --out-path \
           --show-trace \
           --arg chunkSize "$chunkSize" \
           --arg myChunk "$myChunk" \
@@ -150,7 +144,7 @@ let
         chunkCount=$(( (attrCount - 1) / chunkSize + 1 ))
         echo "Chunk count: $chunkCount"
 
-        mkdir -p $out/${evalSystem}
+        mkdir $out
 
         # Record and print stats on free memory and swap in the background
         (
@@ -159,11 +153,11 @@ let
             freeSwap=$(free -b | grep Swap | awk '{print $4}')
             echo "Available memory: $(( availMemory / 1024 / 1024 )) MiB, free swap: $(( freeSwap / 1024 / 1024 )) MiB"
 
-            if [[ ! -f "$out/${evalSystem}/min-avail-memory" ]] || (( availMemory < $(<$out/${evalSystem}/min-avail-memory) )); then
-              echo "$availMemory" > $out/${evalSystem}/min-avail-memory
+            if [[ ! -f "$out/min-avail-memory" ]] || (( availMemory < $(<$out/min-avail-memory) )); then
+              echo "$availMemory" > $out/min-avail-memory
             fi
-            if [[ ! -f $out/${evalSystem}/min-free-swap ]] || (( availMemory < $(<$out/${evalSystem}/min-free-swap) )); then
-              echo "$freeSwap" > $out/${evalSystem}/min-free-swap
+            if [[ ! -f $out/min-free-swap ]] || (( availMemory < $(<$out/min-free-swap) )); then
+              echo "$freeSwap" > $out/min-free-swap
             fi
             sleep 4
           done
@@ -179,56 +173,104 @@ let
         mkdir "$chunkOutputDir"/{result,stats,timestats,stderr}
 
         seq -w 0 "$seq_end" |
-          command time -f "%e" -o "$out/${evalSystem}/total-time" \
+          command time -f "%e" -o "$out/total-time" \
           xargs -I{} -P"$cores" \
           ${singleChunk} "$chunkSize" {} "$evalSystem" "$chunkOutputDir"
 
-        cp -r "$chunkOutputDir"/stats $out/${evalSystem}/stats-by-chunk
+        cp -r "$chunkOutputDir"/stats $out/stats-by-chunk
 
         if (( chunkSize * chunkCount != attrCount )); then
           # A final incomplete chunk would mess up the stats, don't include it
           rm "$chunkOutputDir"/stats/"$seq_end"
         fi
 
-        cat "$chunkOutputDir"/result/* | jq -s 'add | map_values(.outputs)' > $out/${evalSystem}/paths.json
+        # Make sure the glob doesn't break when there's no files
+        shopt -s nullglob
+        cat "$chunkOutputDir"/result/* > $out/paths
+        cat "$chunkOutputDir"/stats/* > $out/stats.jsonstream
       '';
 
-  diff = callPackage ./diff.nix { };
-
   combine =
     {
-      diffDir,
+      resultsDir,
     }:
-    runCommand "combined-eval"
+    runCommand "combined-result"
       {
         nativeBuildInputs = [
           jq
+          sta
         ];
       }
       ''
         mkdir -p $out
 
-        # Combine output paths from all systems
-        cat ${diffDir}/*/diff.json | jq -s '
-          reduce .[] as $item ({}; {
-            added: (.added + $item.added),
-            changed: (.changed + $item.changed),
-            removed: (.removed + $item.removed)
-          })
-        ' > $out/combined-diff.json
+        # Transform output paths to JSON
+        cat ${resultsDir}/*/paths |
+          jq --sort-keys --raw-input --slurp '
+            split("\n") |
+            map(select(. != "") | split(" ") | map(select(. != ""))) |
+            map(
+              {
+                key: .[0],
+                value: .[1] | split(";") | map(split("=") |
+                  if length == 1 then
+                    { key: "out", value: .[0] }
+                  else
+                    { key: .[0], value: .[1] }
+                  end) | from_entries}
+            ) | from_entries
+          ' > $out/outpaths.json
 
-        mkdir -p $out/before/stats
-        for d in ${diffDir}/before/*; do
-          cp -r "$d"/stats-by-chunk $out/before/stats/$(basename "$d")
-        done
+        # Computes min, mean, error, etc. for a list of values and outputs a JSON from that
+        statistics() {
+          local stat=$1
+          sta --transpose |
+            jq --raw-input --argjson stat "$stat" -n '
+              [
+                inputs |
+                  split("\t") |
+                  { key: .[0], value: (.[1] | fromjson) }
+              ] |
+                from_entries |
+                {
+                  key: ($stat | join(".")),
+                  value: .
+                }'
+        }
 
-        mkdir -p $out/after/stats
-        for d in ${diffDir}/after/*; do
-          cp -r "$d"/stats-by-chunk $out/after/stats/$(basename "$d")
+        # Gets all available number stats (without .sizes because those are constant and not interesting)
+        readarray -t stats < <(jq -cs '.[0] | del(.sizes) | paths(type == "number")' ${resultsDir}/*/stats.jsonstream)
+
+        # Combines the statistics from all evaluations
+        {
+          echo "{ \"key\": \"minAvailMemory\", \"value\": $(cat ${resultsDir}/*/min-avail-memory | sta --brief --min) }"
+          echo "{ \"key\": \"minFreeSwap\", \"value\": $(cat ${resultsDir}/*/min-free-swap | sta --brief --min) }"
+          cat ${resultsDir}/*/total-time | statistics '["totalTime"]'
+          for stat in "''${stats[@]}"; do
+            cat ${resultsDir}/*/stats.jsonstream |
+              jq --argjson stat "$stat" 'getpath($stat)' |
+              statistics "$stat"
+          done
+        } |
+          jq -s from_entries > $out/stats.json
+
+        mkdir -p $out/stats
+
+        for d in ${resultsDir}/*; do
+          cp -r "$d"/stats-by-chunk $out/stats/$(basename "$d")
         done
       '';
 
-  compare = callPackage ./compare { };
+  compare = import ./compare {
+    inherit
+      lib
+      jq
+      runCommand
+      writeText
+      supportedSystems
+      python3
+      ;
+  };
 
   full =
     {
@@ -239,26 +281,17 @@ let
       quickTest ? false,
     }:
     let
-      diffs = symlinkJoin {
-        name = "diffs";
-        paths = map (
-          evalSystem:
-          let
-            eval = singleSystem {
-              inherit quickTest evalSystem chunkSize;
-            };
-          in
-          diff {
-            inherit evalSystem;
-            # Local "full" evaluation doesn't do a real diff.
-            beforeDir = eval;
-            afterDir = eval;
-          }
-        ) evalSystems;
-      };
+      results = linkFarm "results" (
+        map (evalSystem: {
+          name = evalSystem;
+          path = singleSystem {
+            inherit quickTest evalSystem chunkSize;
+          };
+        }) evalSystems
+      );
     in
     combine {
-      diffDir = diffs;
+      resultsDir = results;
     };
 
 in
@@ -266,7 +299,6 @@ in
   inherit
     attrpathsSuperset
     singleSystem
-    diff
     combine
     compare
     # The above three are used by separate VMs in a GitHub workflow,

ci/eval/diff.nix

@@ -1,61 +0,0 @@
-{
-  lib,
-  runCommand,
-  writeText,
-}:
-
-{
-  beforeDir,
-  afterDir,
-  evalSystem,
-}:
-
-let
-  /*
-    Computes the key difference between two attrs
-
-    {
-      added: [ <keys only in the second object> ],
-      removed: [ <keys only in the first object> ],
-      changed: [ <keys with different values between the two objects> ],
-    }
-  */
-  diff =
-    let
-      filterKeys = cond: attrs: lib.attrNames (lib.filterAttrs cond attrs);
-    in
-    old: new: {
-      added = filterKeys (n: _: !(old ? ${n})) new;
-      removed = filterKeys (n: _: !(new ? ${n})) old;
-      changed = filterKeys (
-        n: v:
-        # Filter out attributes that don't exist anymore
-        (new ? ${n})
-
-        # Filter out attributes that are the same as the new value
-        && (v != (new.${n}))
-      ) old;
-    };
-
-  getAttrs =
-    dir:
-    let
-      raw = builtins.readFile "${dir}/${evalSystem}/paths.json";
-      # The file contains Nix paths; we need to ignore them for evaluation purposes,
-      # else there will be a "is not allowed to refer to a store path" error.
-      data = builtins.unsafeDiscardStringContext raw;
-    in
-    builtins.fromJSON data;
-
-  beforeAttrs = getAttrs beforeDir;
-  afterAttrs = getAttrs afterDir;
-  diffAttrs = diff beforeAttrs afterAttrs;
-  diffJson = writeText "diff.json" (builtins.toJSON diffAttrs);
-in
-runCommand "diff" { } ''
-  mkdir -p $out/${evalSystem}
-
-  cp -r ${beforeDir} $out/before
-  cp -r ${afterDir} $out/after
-  cp ${diffJson} $out/${evalSystem}/diff.json
-''

ci/get-merge-commit.sh

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+# See ./README.md for docs
+
+set -euo pipefail
+
+log() {
+    echo "$@" >&2
+}
+
+if (( $# < 2 )); then
+    log "Usage: $0 GITHUB_REPO PR_NUMBER"
+    exit 99
+fi
+repo=$1
+prNumber=$2
+
+# Retry the API query this many times
+retryCount=5
+# Start with 5 seconds, but double every retry
+retryInterval=5
+
+while true; do
+    log "Checking whether the pull request can be merged"
+    prInfo=$(gh api \
+        -H "Accept: application/vnd.github+json" \
+        -H "X-GitHub-Api-Version: 2022-11-28" \
+        "/repos/$repo/pulls/$prNumber")
+
+    # Non-open PRs won't have their mergeability computed no matter what
+    state=$(jq -r .state <<< "$prInfo")
+    if [[ "$state" != open ]]; then
+        log "PR is not open anymore"
+        exit 1
+    fi
+
+    mergeable=$(jq -r .mergeable <<< "$prInfo")
+    if [[ "$mergeable" == "null" ]]; then
+        if (( retryCount == 0 )); then
+            log "Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com/"
+            exit 3
+        else
+            (( retryCount -= 1 )) || true
+
+            # null indicates that GitHub is still computing whether it's mergeable
+            # Wait a couple seconds before trying again
+            log "GitHub is still computing whether this PR can be merged, waiting $retryInterval seconds before trying again ($retryCount retries left)"
+            sleep "$retryInterval"
+
+            (( retryInterval *= 2 )) || true
+        fi
+    else
+        break
+    fi
+done
+
+if [[ "$mergeable" == "true" ]]; then
+    log "The PR can be merged"
+    mergedSha="$(jq -r .merge_commit_sha <<< "$prInfo")"
+    echo "mergedSha=$mergedSha"
+    targetSha="$(gh api "/repos/$repo/commits/$mergedSha" --jq '.parents[0].sha')"
+    echo "targetSha=$targetSha"
+else
+    log "The PR has a merge conflict"
+    exit 2
+fi

ci/nixpkgs-vet.nix

@@ -1,31 +0,0 @@
-{
-  lib,
-  nix,
-  nixpkgs-vet,
-  runCommand,
-}:
-{
-  base ? ../.,
-  head ? ../.,
-}:
-let
-  filtered =
-    with lib.fileset;
-    path:
-    toSource {
-      fileset = (gitTracked path);
-      root = path;
-    };
-in
-runCommand "nixpkgs-vet"
-  {
-    nativeBuildInputs = [
-      nixpkgs-vet
-    ];
-    env.NIXPKGS_VET_NIX_PACKAGE = nix;
-  }
-  ''
-    nixpkgs-vet --base ${filtered base} ${filtered head}
-
-    touch $out
-  ''

ci/nixpkgs-vet.sh

@@ -65,5 +65,7 @@ trace -n "Reading pinned nixpkgs-vet version from pinned-version.txt.. "
 toolVersion=$(<"$tmp/merged/ci/nixpkgs-vet/pinned-version.txt")
 trace -e "\e[34m$toolVersion\e[0m"
 
+trace -n "Building tool.. "
+nix-build https://github.com/NixOS/nixpkgs-vet/tarball/"$toolVersion" -o "$tmp/tool" -A build
 trace "Running nixpkgs-vet.."
-nix-build ci -A nixpkgs-vet --argstr base "$tmp/base" --argstr head "$tmp/merged"
+"$tmp/tool/bin/nixpkgs-vet" --base "$tmp/base" "$tmp/merged"

ci/pinned-nixpkgs.json

@@ -1,4 +1,4 @@
 {
-  "rev": "3d1f29646e4b57ed468d60f9d286cde23a8d1707",
-  "sha256": "1wzvc9h9a6l9wyhzh892xb5x88kxmbzxb1k8s7fizyyw2q4nqw07"
+  "rev": "eaeed9530c76ce5f1d2d8232e08bec5e26f18ec1",
+  "sha256": "132nimgi1g88fbhddk4b8b1qk68jly494x2mnphyk3xa1d2wy9q7"
 }

doc/README.md

@@ -34,27 +34,7 @@ $ nix-build doc
 
 If the build succeeds, the manual will be in `./result/share/doc/nixpkgs/manual.html`.
 
-### Development environment
-
-In order to reduce repetition, consider using tools from the provided development environment:
-
-Load it from the Nixpkgs documentation directory with
-
-```ShellSession
-$ cd /path/to/nixpkgs/doc
-$ nix-shell
-```
-
-To load the development utilities automatically when entering that directory, [set up `nix-direnv`](https://nix.dev/guides/recipes/direnv).
-
-Make sure that your local files aren't added to Git history by adding the following lines to `.git/info/exclude` at the root of the Nixpkgs repository:
-
-```
-/**/.envrc
-/**/.direnv
-```
-
-#### `devmode`
+### devmode
 
 The shell in the manual source directory makes available a command, `devmode`.
 It is a daemon, that:

doc/build-helpers/fetchers.chapter.md

@@ -795,10 +795,6 @@ Additionally, the following optional arguments can be given:
 : Clone the entire repository as opposing to just creating a shallow clone.
   This implies `leaveDotGit`.
 
-*`fetchTags`* (Boolean)
-
-: Whether to fetch all tags from the remote repository. This is useful when the build process needs to run `git describe` or other commands that require tag information to be available. This parameter implies `leaveDotGit`, as tags are stored in the `.git` directory.
-
 *`sparseCheckout`* (List of String)
 
 : Prevent git from fetching unnecessary blobs from server.

doc/build-helpers/special/checkpoint-build.section.md

@@ -37,7 +37,7 @@ let
   helloCheckpoint = prepareCheckpointBuild pkgs.hello;
   changedHello = pkgs.hello.overrideAttrs (_: {
     doCheck = false;
-    postPatch = ''
+    patchPhase = ''
       sed -i 's/Hello, world!/Hello, Nix!/g' src/hello.c
     '';
   });

doc/default.nix

@@ -1,6 +1,6 @@
 {
-  pkgs ? (import ../ci { }).pkgs,
+  pkgs ? (import ./.. { }),
   nixpkgs ? { },
 }:
 
-pkgs.callPackage ./doc-support/package.nix { inherit nixpkgs; }
+pkgs.nixpkgs-manual.override { inherit nixpkgs; }

doc/doc-support/lib-function-docs.nix

@@ -102,8 +102,6 @@ stdenvNoCC.mkDerivation {
   ];
 
   installPhase = ''
-    runHook preInstall
-
     cd ..
 
     export NIX_STATE_DIR=$(mktemp -d)
@@ -145,7 +143,5 @@ stdenvNoCC.mkDerivation {
     ) libsets}
 
     echo '```' >> "$out/index.md"
-
-    runHook postInstall
   '';
 }

doc/doc-support/package.nix

@@ -14,8 +14,8 @@
   nixpkgs ? { },
   markdown-code-runner,
   roboto,
-  treefmt,
 }:
+
 stdenvNoCC.mkDerivation (
   finalAttrs:
   let
@@ -47,8 +47,6 @@ stdenvNoCC.mkDerivation (
 
     postPatch = ''
       ln -s ${optionsJSON}/share/doc/nixos/options.json ./config-options.json
-      ln -s ${treefmt.functionsDoc.markdown} ./packages/treefmt-functions.section.md
-      ln -s ${treefmt.optionsDoc.optionsJSON}/share/doc/nixos/options.json ./treefmt-options.json
     '';
 
     buildPhase = ''
@@ -99,14 +97,14 @@ stdenvNoCC.mkDerivation (
       dest="$out/share/doc/nixpkgs"
       mkdir -p "$(dirname "$dest")"
       mv out "$dest"
-      cp "$dest/index.html" "$dest/manual.html"
+      mv "$dest/index.html" "$dest/manual.html"
 
       cp ${roboto.src}/web/Roboto\[ital\,wdth\,wght\].ttf "$dest/Roboto.ttf"
 
       cp ${epub} "$dest/nixpkgs-manual.epub"
 
       mkdir -p $out/nix-support/
-      echo "doc manual $dest index.html" >> $out/nix-support/hydra-build-products
+      echo "doc manual $dest manual.html" >> $out/nix-support/hydra-build-products
       echo "doc manual $dest nixpkgs-manual.epub" >> $out/nix-support/hydra-build-products
 
       runHook postInstall
@@ -125,7 +123,7 @@ stdenvNoCC.mkDerivation (
         let
           devmode' = devmode.override {
             buildArgs = toString ../.;
-            open = "/share/doc/nixpkgs/index.html";
+            open = "/share/doc/nixpkgs/manual.html";
           };
           nixos-render-docs-redirects' = writeShellScriptBin "redirects" "${lib.getExe nixos-render-docs-redirects} --file ${toString ../redirects.json} $@";
         in

doc/hooks/tauri.section.md

@@ -30,8 +30,8 @@ rustPlatform.buildRustPackage (finalAttrs: {
 
   # Assuming our app's frontend uses `npm` as a package manager
   npmDeps = fetchNpmDeps {
-    name = "${finalAttrs.pname}-${finalAttrs.version}-npm-deps";
-    inherit (finalAttrs) src;
+    name = "${finalAttrs.pname}-npm-deps-${finalAttrs.version}";
+    inherit src;
     hash = "...";
   };
 
@@ -51,16 +51,17 @@ rustPlatform.buildRustPackage (finalAttrs: {
       wrapGAppsHook4
     ];
 
-  buildInputs = lib.optionals stdenv.hostPlatform.isLinux [
-    glib-networking # Most Tauri apps need networking
-    openssl
-    webkitgtk_4_1
-  ];
+  buildInputs =
+    [ openssl ]
+    ++ lib.optionals stdenv.hostPlatform.isLinux [
+      glib-networking # Most Tauri apps need networking
+      webkitgtk_4_1
+    ];
 
   # Set our Tauri source directory
   cargoRoot = "src-tauri";
   # And make sure we build there too
-  buildAndTestSubdir = finalAttrs.cargoRoot;
+  buildAndTestSubdir = cargoRoot;
 
   # ...
 })

doc/languages-frameworks/agda.section.md

@@ -121,8 +121,6 @@ agda.withPackages {
 }
 ```
 
-To install Agda without GHC, use `ghc = null;`.
-
 ## Writing Agda packages {#writing-agda-packages}
 
 To write a nix derivation for an Agda library, first check that the library has a `*.agda-lib` file.

doc/languages-frameworks/bower.section.md

@@ -118,13 +118,7 @@ pkgs.stdenv.mkDerivation {
     runHook postBuild
   '';
 
-  installPhase = ''
-    runHook preInstall
-
-    mv gulpdist $out
-
-    runHook postInstall
-  '';
+  installPhase = "mv gulpdist $out";
 }
 ```
 

doc/languages-frameworks/cuda.section.md

@@ -115,8 +115,8 @@ All new projects should use the CUDA redistributables available in [`cudaPackage
 
 ### Updating supported compilers and GPUs {#updating-supported-compilers-and-gpus}
 
-1. Update `nvccCompatibilities` in `pkgs/development/cuda-modules/_cuda/data/nvcc.nix` to include the newest release of NVCC, as well as any newly supported host compilers.
-2. Update `cudaCapabilityToInfo` in `pkgs/development/cuda-modules/_cuda/data/cuda.nix` to include any new GPUs supported by the new release of CUDA.
+1. Update `nvcc-compatibilities.nix` in `pkgs/development/cuda-modules/` to include the newest release of NVCC, as well as any newly supported host compilers.
+2. Update `gpus.nix` in `pkgs/development/cuda-modules/` to include any new GPUs supported by the new release of CUDA.
 
 ### Updating the CUDA Toolkit runfile installer {#updating-the-cuda-toolkit}
 

doc/languages-frameworks/emscripten.section.md

@@ -192,7 +192,6 @@ pkgs.buildEmscriptenPackage {
     cp *.json $out/share
     cp *.rng $out/share
     cp README.md $doc/share/${name}
-
     runHook postInstall
   '';
 

doc/languages-frameworks/java.section.md

@@ -69,13 +69,9 @@ script to run it using a JRE. You can use `makeWrapper` for this:
   nativeBuildInputs = [ makeWrapper ];
 
   installPhase = ''
-    runHook preInstall
-
     mkdir -p $out/bin
     makeWrapper ${jre}/bin/java $out/bin/foo \
       --add-flags "-cp $out/share/java/foo.jar org.foo.Main"
-
-    runHook postInstall
   '';
 }
 ```

doc/languages-frameworks/javascript.section.md

@@ -690,11 +690,7 @@ The configure phase can sometimes fail because it makes many assumptions which m
 ```nix
 {
   configurePhase = ''
-    runHook preConfigure
-
     ln -s $node_modules node_modules
-
-    runHook postConfigure
   '';
 }
 ```
@@ -704,12 +700,8 @@ or if you need a writeable node_modules directory:
 ```nix
 {
   configurePhase = ''
-    runHook preConfigure
-
     cp -r $node_modules node_modules
     chmod +w node_modules
-
-    runHook postConfigure
   '';
 }
 ```

doc/languages-frameworks/lisp.section.md

@@ -59,11 +59,7 @@ Such a Lisp can be now used e.g. to compile your sources:
 ```nix
 {
   buildPhase = ''
-    runHook preBuild
-
     ${sbcl'}/bin/sbcl --load my-build-file.lisp
-
-    runHook postBuild
   '';
 }
 ```

doc/languages-frameworks/neovim.section.md

@@ -59,7 +59,7 @@ For instance, `sqlite-lua` needs `g:sqlite_clib_path` to be set to work. Nixpkgs
 - `neovimRcContent`: Extra vimL code sourced by the generated `init.lua`.
 - `wrapperArgs`: Extra arguments forwarded to the `makeWrapper` call.
 - `wrapRc`: Nix, not being able to write in your `$HOME`, loads the
-  generated Neovim configuration via the `$VIMINIT` environment variable, i.e. : `export VIMINIT='lua dofile("/nix/store/…-init.lua")'`. This has side effects like preventing Neovim from sourcing your `init.lua` in `$XDG_CONFIG_HOME/nvim` (see bullet 7 of [`:help startup`](https://neovim.io/doc/user/starting.html#startup) in Neovim). Disable it if you want to generate your own wrapper. You can still reuse the generated vimscript init code via `neovim.passthru.initRc`.
+  generated Neovim configuration via its  `-u` argument, i.e. : `-u /nix/store/...generatedInit.lua`. This has side effects like preventing Neovim from reading your config in `$XDG_CONFIG_HOME` (see bullet 7 of [`:help startup`](https://neovim.io/doc/user/starting.html#_initialization) in Neovim). Disable it if you want to generate your own wrapper. You can still reuse while reusing the logic of the nixpkgs wrapper and access the generated config via `neovim.passthru.initRc`.
 - `plugins`: A list of plugins to add to the wrapper.
 
 ```

doc/languages-frameworks/swift.section.md

@@ -103,13 +103,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   # The helper provides a configure snippet that will prepare all dependencies
   # in the correct place, where SwiftPM expects them.
-  configurePhase = ''
-    runHook preConfigure
-
-    ${generated.configure}
-
-    runHook postConfigure
-  '';
+  configurePhase = generated.configure;
 
   installPhase = ''
     runHook preInstall
@@ -174,17 +168,11 @@ with a writable copy:
 
 ```nix
 {
-  configurePhase = ''
-    runHook preConfigure
-
-    ${generated.configure}
-
+  configurePhase = generated.configure ++ ''
     # Replace the dependency symlink with a writable copy.
     swiftpmMakeMutable swift-crypto
     # Now apply a patch.
     patch -p1 -d .build/checkouts/swift-crypto -i ${./some-fix.patch}
-
-    runHook postConfigure
   '';
 }
 ```

doc/languages-frameworks/vim.section.md

@@ -177,7 +177,7 @@ Finally, there are some plugins that are also packaged in nodePackages because t
 Run the update script with a GitHub API token that has at least `public_repo` access. Running the script without the token is likely to result in rate-limiting (429 errors). For steps on creating an API token, please refer to [GitHub's token documentation](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token).
 
 ```sh
-nix-shell -p vimPluginsUpdater --run 'vim-plugins-updater --github-token=mytoken' # or set GITHUB_TOKEN environment variable
+nix-shell -p vimPluginsUpdater --run 'vim-plugins-updater --github-token=mytoken' # or set GITHUB_API_TOKEN environment variable
 ```
 
 Alternatively, set the number of processes to a lower count to avoid rate-limiting.

doc/manual.md.in

@@ -9,7 +9,6 @@ preface.chapter.md
 using-nixpkgs.md
 lib.md
 stdenv.md
-toolchains.md
 build-helpers.md
 development.md
 contributing.md

doc/packages/index.md

@@ -25,7 +25,6 @@ nginx.section.md
 opengl.section.md
 shell-helpers.section.md
 python-tree-sitter.section.md
-treefmt.section.md
 steam.section.md
 cataclysm-dda.section.md
 urxvt.section.md

doc/packages/treefmt.section.md

@@ -1,23 +0,0 @@
-# treefmt {#treefmt}
-
-[treefmt](https://github.com/numtide/treefmt) streamlines the process of applying formatters to your project, making it a breeze with just one command line.
-
-The [`treefmt` package](https://search.nixos.org/packages?channel=unstable&show=treefmt)
-provides functions for configuring treefmt using the module system, which are [documented below](#sec-functions-library-treefmt), along with [their options](#sec-treefmt-options-reference).
-
-Alternatively, treefmt can be configured using [treefmt-nix](https://github.com/numtide/treefmt-nix).
-
-```{=include=} sections auto-id-prefix=auto-generated-treefmt-functions
-treefmt-functions.section.md
-```
-
-## Options Reference {#sec-treefmt-options-reference}
-
-The following attributes can be passed to [`withConfig`](#pkgs.treefmt.withConfig) or [`evalConfig`](#pkgs.treefmt.evalConfig):
-
-```{=include=} options
-id-prefix: opt-treefmt-
-list-id: configuration-variable-list
-source: ../treefmt-options.json
-```
-

doc/packages/weechat.section.md

@@ -113,13 +113,9 @@ stdenv.mkDerivation {
     "bar.lua"
   ];
   installPhase = ''
-    runHook preInstall
-
     mkdir $out/share
     cp foo.py $out/share
     cp bar.lua $out/share
-
-    runHook postInstall
   '';
 }
 ```

doc/redirects.json

@@ -5,9 +5,6 @@
   "chap-release-notes": [
     "release-notes.html#chap-release-notes"
   ],
-  "chap-toolchains": [
-    "index.html#chap-toolchains"
-  ],
   "cmake-ctest": [
     "index.html#cmake-ctest"
   ],
@@ -69,18 +66,6 @@
   "pkgs-replacevarswith": [
     "index.html#pkgs-replacevarswith"
   ],
-  "part-toolchains": [
-    "index.html#part-toolchains"
-  ],
-  "pkgs.treefmt.buildConfig": [
-    "index.html#pkgs.treefmt.buildConfig"
-  ],
-  "pkgs.treefmt.evalConfig": [
-    "index.html#pkgs.treefmt.evalConfig"
-  ],
-  "pkgs.treefmt.withConfig": [
-    "index.html#pkgs.treefmt.withConfig"
-  ],
   "preface": [
     "index.html#preface"
   ],
@@ -114,15 +99,6 @@
   "sec-build-helper-extendMkDerivation": [
     "index.html#sec-build-helper-extendMkDerivation"
   ],
-  "sec-building-packages-with-llvm": [
-    "index.html#sec-building-packages-with-llvm"
-  ],
-  "sec-building-packages-with-llvm-using-clang-stdenv": [
-    "index.html#sec-building-packages-with-llvm-using-clang-stdenv"
-  ],
-  "sec-functions-library-treefmt": [
-    "index.html#sec-functions-library-treefmt"
-  ],
   "sec-inkscape": [
     "index.html#sec-inkscape"
   ],
@@ -150,30 +126,6 @@
   "chap-overlays": [
     "index.html#chap-overlays"
   ],
-  "sec-nixpkgs-release-25.11": [
-    "release-notes.html#sec-nixpkgs-release-25.11"
-  ],
-  "sec-nixpkgs-release-25.11-highlights": [
-    "release-notes.html#sec-nixpkgs-release-25.11-highlights"
-  ],
-  "sec-nixpkgs-release-25.11-incompatibilities": [
-    "release-notes.html#sec-nixpkgs-release-25.11-incompatibilities"
-  ],
-  "sec-nixpkgs-release-25.11-lib": [
-    "release-notes.html#sec-nixpkgs-release-25.11-lib"
-  ],
-  "sec-nixpkgs-release-25.11-lib-breaking": [
-    "release-notes.html#sec-nixpkgs-release-25.11-lib-breaking"
-  ],
-  "sec-nixpkgs-release-25.11-lib-deprecations": [
-    "release-notes.html#sec-nixpkgs-release-25.11-lib-deprecations"
-  ],
-  "sec-nixpkgs-release-25.11-lib-additions-improvements": [
-    "release-notes.html#sec-nixpkgs-release-25.11-lib-additions-improvements"
-  ],
-  "sec-nixpkgs-release-25.11-notable-changes": [
-    "release-notes.html#sec-nixpkgs-release-25.11-notable-changes"
-  ],
   "sec-nixpkgs-release-25.05": [
     "release-notes.html#sec-nixpkgs-release-25.05"
   ],
@@ -181,8 +133,7 @@
     "release-notes.html#sec-nixpkgs-release-25.05-highlights"
   ],
   "sec-nixpkgs-release-25.05-incompatibilities": [
-    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities",
-    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities-nexusmods-app-upgraded"
+    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities"
   ],
   "sec-nixpkgs-release-25.05-incompatibilities-titanium-removed": [
     "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities-titanium-removed",
@@ -190,6 +141,9 @@
     "index.html#building-a-titanium-app",
     "index.html#emulating-or-simulating-the-app"
   ],
+  "sec-nixpkgs-release-25.05-incompatibilities-nexusmods-app-upgraded": [
+    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities-nexusmods-app-upgraded"
+  ],
   "sec-nixpkgs-release-25.05-lib": [
     "release-notes.html#sec-nixpkgs-release-25.05-lib"
   ],
@@ -406,9 +360,6 @@
   "chap-stdenv": [
     "index.html#chap-stdenv"
   ],
-  "sec-using-llvm": [
-    "index.html#sec-using-llvm"
-  ],
   "sec-using-stdenv": [
     "index.html#sec-using-stdenv"
   ],
@@ -418,9 +369,6 @@
   "sec-tools-of-stdenv": [
     "index.html#sec-tools-of-stdenv"
   ],
-  "sec-treefmt-options-reference": [
-    "index.html#sec-treefmt-options-reference"
-  ],
   "ssec-cosmic-common-issues": [
     "index.html#ssec-cosmic-common-issues"
   ],
@@ -496,9 +444,6 @@
   "tester-testEqualArrayOrMap-return": [
     "index.html#tester-testEqualArrayOrMap-return"
   ],
-  "treefmt": [
-    "index.html#treefmt"
-  ],
   "typst": [
     "index.html#typst",
     "doc/languages-frameworks/typst.section.md#typst"

doc/release-notes/release-notes.md

@@ -3,6 +3,5 @@
 This section lists the release notes for each stable version of Nixpkgs and current unstable revision.
 
 ```{=include=} sections
-rl-2511.section.md
 rl-2505.section.md
 ```

doc/release-notes/rl-2505.section.md

@@ -1,4 +1,4 @@
-# Nixpkgs 25.05 (2025.05/23) {#sec-nixpkgs-release-25.05}
+# Nixpkgs 25.05 (2025.05/??) {#sec-nixpkgs-release-25.05}
 
 ## Highlights {#sec-nixpkgs-release-25.05-highlights}
 
@@ -17,26 +17,17 @@
 
 - The default GHC version has been updated from 9.6 to 9.8.
   `haskellPackages` also uses Stackage LTS 23 (instead of LTS 22) as a baseline.
-  We aim to remove the old GHC versions 8.10, 9.0 and 9.2 in the next release in accordance with [the new GHC deprecation policy](https://discourse.nixos.org/t/nixpkgs-ghc-deprecation-policy-user-feedback-necessary/64153).
 
 - LLVM has been updated from LLVM 16 (on Darwin) and LLVM 18 (on other platforms) to LLVM 19.
   This introduces some backwards‐incompatible changes; see the [upstream release notes](https://releases.llvm.org/) for details.
 
 - The Factor programming language packages were reworked. `factor-lang-scope` is now named `factorPackages` and provides a `buildFactorApplication` function to deploy Factor programs as binaries. It has also received proper documentation in the Nixpkgs manual.
 
-- The packaging of Mesa graphics drivers has been significantly reworked, in particular:
-  - Applications linked against different Mesa versions than installed on the system should now work correctly going forward (however, applications against older Mesa, e.g. from Nixpkgs releases before 25.05, remain broken)
-  - Packages that used to depend on Mesa for libgbm or libdri should use `libgbm` or `dri-pkgconfig-stub` as inputs, respectively
-
-- OpenSSH has been updated from 9.9p2 to 10.0p2, dropping support for DSA keys and adding a new `ssh-auth` binary to handle user authentication in a different address space from unauthenticated sessions. See the [full changelog](https://www.openwall.com/lists/oss-security/2025/04/09/1) for more details.
-
 - Emacs has been updated to 30.1.
   This introduces some backwards‐incompatible changes; see the NEWS for details.
   NEWS can been viewed from Emacs by typing `C-h n`, or by clicking `Help->Emacs News` from the menu bar.
   It can also be browsed [online](https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30).
 
-- The `intel` video driver for X.org (from the xf86-video-intel package, which was previously removed because it was non-functional) has been fixed and the driver has been re-introduced.
-
 - The default openexr version has been updated to 3.2.4.
 
 - The default PHP version has been updated to 8.4.
@@ -45,6 +36,8 @@
 
 - The default Elixir version has been updated to 1.18.
 
+- `buildPythonPackage`, `buildPythonApplication` and the Python building setup hooks now support both `__structuredAttrs = true` and `__structuredAttrs = false`.
+
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 ## Backward Incompatibilities {#sec-nixpkgs-release-25.05-incompatibilities}
@@ -64,8 +57,6 @@
   The hook can be disabled by providing `dontCheckForBrokenSymlinks = true;` as an argument to `mkDerivation`.
   For more information, [check the docs](https://nixos.org/manual/nixpkgs/unstable/#no-broken-symlinks.sh) or [see this PR](https://github.com/NixOS/nixpkgs/pull/370750).
 
-- `gkraken` has been removed. The recommended alternative is `coolercontrol`.
-
 - `opensmtpd-extras` has been deprecated by upstream and is not compatible with
   OpenSMTPD 7.6.0 or later. The package has been removed in favor of a set of new
   `opensmtpd-table-*` packages.
@@ -74,42 +65,20 @@
   configuration settings. Notably, it now defaults to listening on a socket
   rather than a port. See [Migrating from version 1.x](https://github.com/roehling/postsrsd/blob/2.0.10/README.rst#migrating-from-version-1x) and [Postfix Setup](https://github.com/roehling/postsrsd?tab=readme-ov-file#postfix-setup) for details.
 
-- `renovate` was updated to v39. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/39.0.0) for breaking changes.
-  Like upstream's docker images, renovate now runs on NodeJS 22.
-
 - The hand written `perlPackages.SearchXapian` bindings have been dropped in favor of the (mostly compatible)
   `perlPackages.Xapian`.
 
-- `varnish` was updated from 7.5.0 to 7.7.0, see [Varnish 7.6.0 upgrade guide](https://varnish-cache.org/docs/7.6/whats-new/upgrading-7.6.html) and
-[Varnish 7.7.0 upgrade guide](https://varnish-cache.org/docs/7.7/whats-new/upgrading-7.7.html#whatsnew-upgrading-7-7).
-
 - The `config` triple for `aarch64-darwin` has been changed from `aarch64-apple-darwin` to `arm64-apple-darwin` to match the Apple toolchain and LLVM’s expectations.
 
 - The `electron` packages will now provide their headers (available via `electron.headers`) in extracted form instead of in a tarball.
 
-- The udev rules of the `libjaylink` package require users to be in the `jlink` instead of `plugdev` group now, since the `plugdev` group is very uncommon for NixOS. Alternatively, access is granted to seat sessions.
-
 - The `ephemeral` package was removed due to upstream archival in early 2022.
 
-- The `gotenberg` package has been updated to 8.16.0, which brings breaking changes to the configuration from version 8.13.0. See the [upstream release notes](https://github.com/gotenberg/gotenberg/releases/tag/v8.13.0) for that release to get all the details.
-
-- `zammad` has had its support for MySQL removed, since it was never working correctly and is now deprecated upstream. Check the [migration guide](https://docs.zammad.org/en/latest/appendix/migrate-to-postgresql.html) for how to convert your database to PostgreSQL.
-
 - The `vocal` package was removed due to upstream archival. The upstream developer suggests using `gnome-podcasts` or `kasts` instead.
 
-- `timescaledb` requires manual upgrade steps.
-    After you run ALTER EXTENSION, you must run [this SQL script](https://github.com/timescale/timescaledb-extras/blob/master/utils/2.15.X-fix_hypertable_foreign_keys.sql). For more details, see the following pull requests [#6797](https://github.com/timescale/timescaledb/pull/6797).
-    PostgreSQL 13 is no longer supported in TimescaleDB v2.16.
-
-- `paperless-ngx` has been updated to minor version 2.15 which switched the web server from Gunicorn to Granian. If you set Gunicorn specific envs (usually contain GUNICORN) they must be updated.
-
 - [testers.shellcheck](https://nixos.org/manual/nixpkgs/unstable/#tester-shellcheck) now warns when `name` is not provided.
   The `name` argument will become mandatory in a future release.
 
-- `tauon` 7.9.0+ when launched for the first time, migrates its database to a new schema that is not backwards compatible. Older versions will refuse to start at all with that database afterwards. If you need to still use older tauon versions, make sure to back up `~/.local/share/TauonMusicBox`.
-
-- `aws-workspaces` has dropped support for PCoiP networking.
-
 - [GIMP 3.0](https://www.gimp.org/news/2025/03/16/gimp-3-0-released/) available as `gimp3`.
 
 - `grafana-agent` and `services.grafana-agent` have been removed in favor of
@@ -118,35 +87,10 @@
   Grafana recommends migrating to `grafana-alloy` (`services.alloy`).
   See https://grafana.com/docs/alloy/latest/set-up/migrate/ for details.
 
-- `slskd` has been updated to v0.22.3, which includes breaking changes to `script` integrations. Please review the [changelog](https://github.com/slskd/slskd/releases/tag/0.22.3)
-  and the accompanying [pull request](https://github.com/slskd/slskd/pull/1292).
-
-- `forgejo` and `forgejo-lts` have been updated to v11.
-  See upstreams [release blog post](https://forgejo.org/2025-04-release-v11-0/) for more information.
-
-- `unifi` has been updated to v9.1.
-  This version should be backward compatible with v8.x, however as a result, `unifi8` package has been removed.
-
 - `xdragon` package has been renamed to `dragon-drop`.
   `xdragon` is an alias to `dragon-drop` and the package still provides `bin/xdragon`.
   `bin/dragon` is no longer supplied.
 
-- `python3Packages.bpycv` has been removed due to being incompatible with Blender 4 and unmaintained.
-
-- `python3Packages.jaeger-client` was removed because it was deprecated upstream. [OpenTelemetry](https://opentelemetry.io) is the recommended replacement.
-
-- `rocmPackages_6` has been updated to ROCm 6.3.
-
-- `rocmPackages_5` has been removed.
-
-- `rocmPackages.rocm-thunk` has been removed and its functionality has been integrated with the ROCm CLR. Use `rocmPackages.clr` instead.
-
-- `rocmPackages.clang-ocl` has been removed. [It was deprecated by AMD in 2023.](https://github.com/ROCm/clang-ocl)
-
-- `nodePackages.meshcommander` has been removed, as the package was deprecated by Intel.
-
-- The default version of `z3` has been updated from 4.8 to 4.13. There are still a few packages that need specific older versions; those will continue to be maintained as long as other packages depend on them but may be removed in the future.
-
 - The `nixLog*` family of functions made available through the standard environment have been rewritten to prefix messages with both the debug level and the function name of the caller.
   The `nixLog` function, which logs unconditionally, was also re-introduced and modified to prefix messages with the function name of the caller.
   For more information, [see this PR](https://github.com/NixOS/nixpkgs/pull/370742).
@@ -169,10 +113,6 @@
   and the [4.2 release](https://github.com/netbox-community/netbox/releases/tag/v4.2.0),
   make the required changes to your database, if needed, then upgrade by setting `services.netbox.package = pkgs.netbox_4_2;` in your configuration.
 
-- `nodePackages.expo-cli` has been removed, as it was deprecated by upstream. The suggested replacement is the `npx expo` command.
-
-- The `conduwuit` matrix server implementation has officially been discontinued by upstream and the package has thus been marked as vulnerable, as it is a security-sensitive package that has reached EOL.
-
 - NetBox version 4.0.X available as `netbox_4_0` was removed. Please upgrade to `4.2`.
 
 - `golangci-lint` has reached `v2`. Please read the changes and view the migration guide [here](https://golangci-lint.run/product/changelog/#200).
@@ -187,8 +127,6 @@
 
 - Default ICU version updated from 74 to 76
 
-- The packages `signald`, `signaldctl` and `purple-signald` have been dropped as they are unmaintained upstream and have been incompatible with the official Signal servers for a long while.
-
 - Apache Kafka was updated to `>= 4.0.0`. Please note that this is the first release which operates
   entirely without Apache ZooKeeper support, and all clusters need to be migrated to KRaft mode. See
   the [release announcement](https://kafka.apache.org/blog#apache_kafka_400_release_announcement)
@@ -247,10 +185,6 @@
 - `strawberry` has been updated to 1.2, which drops support for the VLC backend and Qt 5. The `strawberry-qt5` package
   and `withGstreamer`/`withVlc` override options have been removed due to this.
 
-- `nexusmods-app` has been upgraded from version 0.6.3. If you were running a version older than 0.7.0, then before upgrading, you **must reset all app state** (mods, games, settings, etc). Otherwise, NexusMods.App will crash due to app state files incompatibility.
-  - Typically, you can can reset to a clean state by running `NexusMods.App uninstall-app`. See Nexus Mod's [how to uninstall the app](https://nexus-mods.github.io/NexusMods.App/users/Uninstall) documentation for more detail and alternative methods.
-  - This should not be necessary going forward, because loading app state from 0.7.0 or newer is now supported. This is documented in the [0.7.1 changelog](https://github.com/Nexus-Mods/NexusMods.App/releases/tag/v0.7.1).
-
 - `nezha` and its agent `nezha-agent` have been updated to v1, which contains breaking changes. See the [official wiki](https://nezha.wiki/en_US/) for more details.
 
 - `ps3-disc-dumper` was updated to 4.2.5, which removed the CLI project and now exclusively offers the GUI
@@ -298,8 +232,6 @@
 
 - `dwarf-fortress-packages` now only contains one minor version for each major version since version 0.44. Saves should still be compatible, but you may have to change which minor version you were using if it was one other than the newest.
 
-- `tpm2-pkcs11` now is compiled without abrmd (Access Broker and Resource Manager Daemon) support by default, preferring the kernel resource manager. Use `tpm2-pkcs11.abrmd` if you would like a version with abrmd support. Note that the NixOS module picks the correct one automatically based on `security.tpm2.abrmd`.
-
 - `zig_0_9` and `zig_0_10` have been removed, you should upgrade to `zig_0_13` (also available as just `zig`), `zig_0_12` or `zig_0_11` instead.
 
 - `webpack-cli` was updated to major version 6, which has breaking changes from the previous version 5.1.4. See the [upstream release notes](https://github.com/webpack/webpack-cli/releases/tag/webpack-cli%406.0.0) for details on these changes.
@@ -327,6 +259,9 @@
 
 - `tldr` now uses [`tldr-python-client`](https://github.com/tldr-pages/tldr-python-client) instead of [`tldr-c-client`](https://github.com/tldr-pages/tldr-c-client) which is unmaintained.
 
+- `renovate` was updated to v39. See the [upstream release notes](https://docs.renovatebot.com/release-notes-for-major-versions/#version-39) for breaking changes.
+  Like upstream's docker images, renovate now runs on NodeJS 22.
+
 - The behavior of the `networking.nat.externalIP` and `networking.nat.externalIPv6` options has been changed. `networking.nat.forwardPorts` now only forwards packets destined for the specified IP addresses.
 
 - `python3Packages.bpycv` has been removed due to being incompatible with Blender 4 and unmaintained.
@@ -335,7 +270,7 @@
 
 - `nodePackages.meshcommander` has been removed, as the package was deprecated by Intel.
 
-- The default version of `z3` has been updated from 4.8 to 4.15, and all old versions have been dropped. Note that `fstar` still depends on specific versions, and maintains them as overrides.
+- The default version of `z3` has been updated from 4.8 to 4.14, and all old versions have been dropped. Note that `fstar` still depends on specific versions, and maintains them as overrides.
 
 - `prometheus` has been updated from 2.55.0 to 3.1.0.
   Read the [release blog post](https://prometheus.io/blog/2024/11/14/prometheus-3-0/) and
@@ -393,22 +328,12 @@
 - `docker_24` has been removed, as it was EOL with vulnerabilities since June 08, 2024.
 
 - Emacs 28 and 29 have been removed.
-
 - Emacs 28 Macport has been removed, while CVEs of Emacs 29 Macport are patched.
 
 - `containerd` has been updated to v2, which contains breaking changes. See the [containerd
   2.0](https://github.com/containerd/containerd/blob/main/docs/containerd-2.0.md) documentation for more
   details.
 
-- The `tinycc` package now has the `dev`, `doc` and `lib` outputs, thus,
-`tinycc.out` may now only provide the tcc and cross compilers binaries.
-
-- The `testTarget` argument of `haskellPackages.mkDerivation` has been deprecated in favour of `testTargets`.
-  `testTarget` took a space separated string of targets, whereas the new `testTargets` argument takes a list of targets.
-  For instance, `testTarget = "foo bar baz"` should become `testTargets = [ "foo" "bar" "baz" ]`.
-
-- `rustPlatform.buildRustPackage` stops handling the deprecated argument `cargoSha256`. Out-of-tree packages that haven't migrated from `cargoSha256` to `cargoHash` now receive errors.
-
 - `nodePackages.stackdriver-statsd-backend` has been removed, as the StackDriver service has been discontinued by Google, and therefore the package no longer works.
 
 - `python3Packages.opentracing` has been removed due to being unmaintained upstream. [OpenTelemetry](https://opentelemetry.io/) is the recommended replacement.
@@ -441,10 +366,6 @@
   There is also a breaking change in the handling of CUDA. Instead of using a CUDA compatible jaxlib
   as before, you can use plugins like `python3Packages.jax-cuda12-plugin`.
 
-- Added `allowVariants` to gate availability of package sets like `pkgsLLVM`, `pkgsMusl`, `pkgsZig`, etc. This was done in an effort to
-  decrease evaluation times by limiting the number of instances of nixpkgs to evaluate. The option will be removed in the future as a
-  new mechanism is in the works for handling cross compilation.
-
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
 ## Other Notable Changes {#sec-nixpkgs-release-25.05-notable-changes}
@@ -453,16 +374,9 @@
   - `i18n.extraLocales` should now be the preferred way to install additional locales.
   - `i18n.supportedLocales` is now considered an implementation detail and will be hidden from the documentation. But the option will still continue to work.
   - `i18n.supportedLocales` will now trigger a warning when it omits any locale set in `i18n.defaultLocale`, `i18n.extraLocales` or `i18n.extraLocaleSettings`.
-  - The options `i18n.defaultCharset` & `i18n.localeCharsets` were added, and they complement `i18n.defaultLocale` & `i18n.extraLocaleSettings` respectively - allowing to control the character set used per locale setting.
-
-- Plasma 5 and Qt 5 based versions of associated software are deprecated in NixOS 25.05, and will be removed in NixOS 25.11. Users are encouraged to upgrade to Plasma 6.
 
 - `titaniumenv`, `titanium`, and `titanium-alloy` have been removed due to lack of maintenance in Nixpkgs []{#sec-nixpkgs-release-25.05-incompatibilities-titanium-removed}.
 
-- [Cursor](https://cursor.com/) — a vscode-based editor that uses AI to help you write code faster — has been packaged as `cursor`.
-
-- `octave` (and `octaveFull`) was updated to version `10.x`. The update broke a few `octavePackages`, and `librsb`. See [the PR's commits](https://github.com/NixOS/nixpkgs/pull/394495/commits) for more details.
-
 - androidenv has been improved:
   - All versions specified in composeAndroidPackages now track the latest. Android packages are automatically updated on unstable, and run the androidenv test suite on every update.
   - Many androidenv packages are now searchable on [search.nixos.org](https://search.nixos.org).
@@ -472,76 +386,28 @@
 
 - `gerbera` now has wavpack support.
 
-- `buildPythonPackage`, `buildPythonApplication` and the Python building setup hooks now support both `__structuredAttrs = true` and `__structuredAttrs = false`.
-
-- `buildGoModule` now supports a self-referencing `finalAttrs:` parameter
-  containing the final arguments including overrides.
-  This allows packaging configuration to be overridden in a consistent manner by
-  providing an alternative to `rec {}` syntax.
-
-- Caddy can now be built with plugins by using `caddy.withPlugins`, a `passthru` function that accepts an attribute set as a parameter. The `plugins` argument represents a list of Caddy plugins, with each Caddy plugin being a versioned module. The `hash` argument represents the `vendorHash` of the resulting Caddy source code with the plugins added.
-
-  Example:
-  ```nix
-  let
-    pkgs = import <nixpkgs> { };
-  in
-
-  pkgs.caddy.withPlugins {
-    plugins = [
-      # tagged upstream
-      "github.com/caddy-dns/powerdns@v1.0.1"
-      # pseudo-version number generated by Go
-      "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e"
-      "github.com/mholt/caddy-webdav@v0.0.0-20241008162340-42168ba04c9d"
-    ];
-    hash = "sha256-wqXSd1Ep9TVpQi570TTb96LwzNYvWL5EBJXMJfYWCAk=";
-  }
-  ```
-
-  To get the necessary hash of the vendored dependencies, omit `hash`. The build will fail and tell you the correct value.
-
-  Note that all provided plugins must have versions/tags (string after `@`), even if upstream repo does not tag each release. For untagged plugins, you can either create an empty Go project and run `go get <plugin>` and see changes in `go.mod` to get the pseudo-version number, or provide a commit hash in place of version/tag for the first run, and update the plugin string based on the error output.
-
-- The `godot-export-templates` package now has its content at `share/godot/export_templates/$version` instead of the output root. This makes it more convenient for for symlinking into `~/.local`, but scripts expecting the old layout will need to be changed.
-
 - GOverlay has been updated to 1.2, please check the [upstream changelog](https://github.com/benjamimgois/goverlay/releases) for more details.
 
 - `tpm2-pkcs11` now has the variant `tpm2-pkcs11-fapi`, which has been patched to default to the Feature API backend. It has also been split into `tpm2-pkcs11-esapi`, which _only_ supports the older Enhanced System API backend. Note the [differences](https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.1/docs/FAPI.md), and that `tpm2-pkcs11` itself still needs `TPM2_PKCS11_BACKEND=fapi` exported in order to use the Feature API, whereas `tpm2-pkcs11-fapi` does not, and `tpm2-pkcs11-esapi` just does not support fapi entirely.
 
 - For matrix homeserver Synapse we are now following the upstream recommendation to enable jemalloc as the memory allocator by default.
 
-- Mattermost, a self-hosted chat collaboration platform supporting calls, playbooks, and boards, has been updated. It now has multiple versions, disabled telemetry, and a native frontend build in nixpkgs, removing all upstream prebuilt blobs.
-  - A new `pkgs.mattermost.buildPlugin` function has been added, which allows plugins to be built from source, including webapp frontends with a supported package-lock.json. See the Mattermost NixOS test and [manual](https://nixos.org/manual/nixos/unstable#sec-mattermost-plugins-build) for an example.
-  - The Mattermost frontend is now built from source and can be overridden. Note that the Mattermost derivation containing both the webapp and server is now wrapped to allow them to be built independently, so overrides to both webapp and server look like `mattermost.overrideAttrs (prev: { webapp = prev.webapp.override { ... }; server = prev.server.override { ... }; })` now.
-  - `pkgs.mattermost` has been updated from 9.11 to 10.5 to track the latest extended support release, since 9.11 will become end-of-life during the lifetime of NixOS 25.05.
-  - `pkgs.mattermostLatest` is now an option to track the latest (non-prerelease) Mattermost release. We test upgrade migrations from ESR releases (`pkgs.mattermost`) to `pkgs.mattermostLatest`.
-
-- A new hardening flag, `nostrictaliasing` was made available, corresponding to the gcc/clang option `-fno-strict-aliasing`.
-
-- The `stackclashprotection` hardening flag has been enabled by default on compilers that support it.
-
 - In `dovecot` package removed hard coding path to module directory.
 
-- `authelia` version 4.39.0 has made some changes which deprecate older configurations.
-  They are still expected to be working until future version 5.0.0, but will generate warnings in logs.
-  Read the [release notes](https://www.authelia.com/blog/4.39-release-notes/) for human readable summaries of the changes.
-
-- `hddfancontrol` has been updated to major release 2. See the [migration guide](https://github.com/desbma/hddfancontrol/tree/master?tab=readme-ov-file#migrating-from-v1x), as there are breaking changes.
-
-- `nextcloud-news-updater` is unmaintained and was removed from nixpkgs.
-
-- KDE Partition Manager `partitionmanager`'s support for ReiserFS is removed.
-  ReiserFS has not been actively maintained for many years. It has been marked as obsolete since Linux 6.6, and
-  [is removed](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c01f664e4ca210823b7594b50669bbd9b0a3c3b0)
-  in Linux 6.13.
-
-- `gerbera` now has wavpack support.
-
 - `signal-desktop` has been migrated to a from source build. No state migration is necessary. In case there's no working source build available (like on Darwin), the the binary build is still available at `signal-desktop-bin`.
 
 - `ddclient` was updated from 3.11.2 to 4.0.0 [Release notes](https://github.com/ddclient/ddclient/releases/tag/v4.0.0)
 
+### NexusMods.App upgraded {#sec-nixpkgs-release-25.05-incompatibilities-nexusmods-app-upgraded}
+
+- `nexusmods-app` has been upgraded from version 0.6.3 to 0.10.2.
+
+  - Before upgrading, you **must reset all app state** (mods, games, settings, etc). NexusMods.App will crash if any state from a version older than 0.7.0 is still present.
+
+  - Typically, you can can reset to a clean state by running `NexusMods.App uninstall-app`. See Nexus Mod's [how to uninstall the app](https://nexus-mods.github.io/NexusMods.App/users/Uninstall) documentation for more detail and alternative methods.
+
+  - This should not be necessary going forward, because loading app state from 0.7.0 or newer is now supported. This is documented in the [0.7.1 changelog](https://github.com/Nexus-Mods/NexusMods.App/releases/tag/v0.7.1).
+
 ## Nixpkgs Library {#sec-nixpkgs-release-25.05-lib}
 
 ### Breaking changes {#sec-nixpkgs-release-25.05-lib-breaking}
@@ -550,7 +416,15 @@
   - [`lib.types.enum`](https://nixos.org/manual/nixos/unstable/#sec-option-types-basic): Previously the `functor.payload` was the list of enum values directly. Now it is an attribute set containing the values in the `values` attribute.
   - [`lib.types.separatedString`](https://nixos.org/manual/nixos/unstable/#sec-option-types-string): Previously the `functor.payload` was the separator directly. Now it is an attribute set containing the separator in the `sep` attribute.
 
-- [`lib.packagesFromDirectoryRecursive`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.filesystem.packagesFromDirectoryRecursive) now rejects unknown arguments.
+- The `tinycc` package now has the `dev`, `doc` and `lib` outputs, thus,
+`tinycc.out` may now only provide the tcc and cross compilers binaries.
+
+- The `virtualisation.hypervGuest.videoMode` option has been removed. Standard tooling can now be used to configure display modes for Hyper-V VMs.
+
+- [`lib.packagesFromDirectoryRecursive`] now rejects unknown arguments.
+  [`lib.packagesFromDirectoryRecursive`]: https://nixos.org/manual/nixpkgs/stable/#function-library-lib.filesystem.packagesFromDirectoryRecursive
+
+- The `godot-export-templates` package now has its content at `share/godot/export_templates/$version` instead of the output root. This makes it more convenient for for symlinking into `~/.local`, but scripts expecting the old layout will need to be changed.
 
 ### Deprecations {#sec-nixpkgs-release-25.05-lib-deprecations}
 
@@ -564,6 +438,14 @@
     - `lib.types.coercedTo`
     - `lib.types.either`
 
+- The `testTarget` argument of `haskellPackages.mkDerivation` has been deprecated in favour of `testTargets`.
+  `testTarget` took a space separated string of targets, whereas the new `testTargets` argument takes a list of targets.
+  For instance, `testTarget = "foo bar baz"` should become `testTargets = [ "foo" "bar" "baz" ]`.
+
+- Plasma 5 and Qt 5 based versions of associated software are deprecated in NixOS 25.05, and will be removed in NixOS 25.11. Users are encouraged to upgrade to Plasma 6.
+
+- `rustPlatform.buildRustPackage` stops handling the deprecated argument `cargoSha256`. Out-of-tree packages that haven't migrated from `cargoSha256` to `cargoHash` now receive errors.
+
 ### Additions and Improvements {#sec-nixpkgs-release-25.05-lib-additions-improvements}
 
-- [`lib.packagesFromDirectoryRecursive`](https://nixos.org/manual/nixpkgs/unstable/#function-library-lib.filesystem.packagesFromDirectoryRecursive) can now construct nested scopes matching the directory tree passed as input.
+- [`lib.packagesFromDirectoryRecursive`] can now construct nested scopes matching the directory tree passed as input.

doc/release-notes/rl-2511.section.md

@@ -1,13 +1,9 @@
-# Nixpkgs 25.11 ("Xantusia", 2025.11/??) {#sec-nixpkgs-release-25.11}
+# Nixpkgs 25.11 (2025.11/??) {#sec-nixpkgs-release-25.11}
 
 ## Highlights {#sec-nixpkgs-release-25.11-highlights}
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-- The initial work to support native compilation on LoongArch64 has completed, with further changes currently
-  in preparation. In accordance with the [Software Development and Build Convention for LoongArch Architectures](https://github.com/loongson/la-softdev-convention),
-  this release sets the default march level to `la64v1.0`, covering the desktop and server processors of 3X5000
-  and newer series. However, embedded chips without LSX (Loongson SIMD eXtension), such as 2K0300 SoC, are not
-  supported. `pkgsCross.loongarch64-linux-embedded` can be used to build software and systems for these platforms.
+- Create the first release note entry in this section!
 
 ## Backward Incompatibilities {#sec-nixpkgs-release-25.11-incompatibilities}
 
@@ -37,6 +33,5 @@
 
 ### Additions and Improvements {#sec-nixpkgs-release-25.11-lib-additions-improvements}
 
-- `neovim`: Added support for the `vim.o.exrc` option, the `VIMINIT` environment variable, and sourcing of `sysinit.vim`.
+- Create the first release note entry in this section!
 
-  See the neovim help page [`:help startup`](https://neovim.io/doc/user/starting.html#startup) for more information, as well as [the nixpkgs neovim wrapper documentation](#neovim-custom-configuration).

doc/shell.nix

@@ -1 +1,7 @@
-(import ./default.nix { }).shell
+let
+  pkgs = import ../. {
+    config = { };
+    overlays = [ ];
+  };
+in
+pkgs.nixpkgs-manual.shell

doc/stdenv/stdenv.chapter.md

@@ -261,7 +261,7 @@ stdenv.mkDerivation (finalAttrs: {
     util-linux
     qemu
   ];
-  # `checkPhase` elided
+  checkPhase = ''[elided]'';
 })
 ```
 

doc/toolchains.md

@@ -1,5 +0,0 @@
-# Toolchains {#part-toolchains}
-
-```{=include=} chapters
-toolchains/llvm.chapter.md
-```

doc/toolchains/llvm.chapter.md

@@ -1,35 +0,0 @@
-# The LLVM Toolchain {#chap-toolchains}
-
-LLVM is a target-independent optimizer and code generator and serves as the basis for many compilers such as Haskell's GHC, rustc, Zig, and many others. It forms the base tools for Apple's Darwin platform.
-
-## Using LLVM {#sec-using-llvm}
-
-LLVM has two ways of being used. One is by using it across all of Nixpkgs and the other is to compile and build individual packages.
-
-### Building packages with LLVM {#sec-building-packages-with-llvm}
-
-Nixpkgs supports two methods of compiling the world with LLVM. One is via setting `useLLVM` in `crossSystem` while importing. This is the recommended way when cross compiling as it is more expressive. An example of doing `aarch64-linux` cross compilation from `x86_64-linux` with LLVM on the target is the following:
-
-```nix
-import <nixpkgs> {
-  localSystem = {
-    system = "x86_64-linux";
-  };
-  crossSystem = {
-    useLLVM = true;
-    linker = "lld";
-  };
-}
-```
-
-Note that we set `linker` to `lld`. This is because LLVM has its own linker called "lld". By setting it, we utilize Clang and lld within this new instance of Nixpkgs. There is a shorthand method for building everything with LLVM: `pkgsLLVM`. This is easier to use with `nix-build` (or `nix build`):
-
-```bash
-nix-build -A pkgsLLVM.hello
-```
-
-This will compile the GNU hello package with LLVM and the lld linker like previously mentioned.
-
-#### Using `clangStdenv` {#sec-building-packages-with-llvm-using-clang-stdenv}
-
-Another simple way is to override the stdenv with `clangStdenv`. This causes a single package to be built with Clang. However, this `stdenv` does not override platform defaults to use compiler-rt, libc++, and libunwind. This is the preferred way to make a single package in Nixpkgs build with Clang. There are cases where just Clang isn't enough. For these situations, there is `libcxxStdenv`, which uses Clang with libc++ and compiler-rt.

flake.nix

@@ -20,24 +20,6 @@
       );
     in
     {
-      /**
-        The Nixpkgs repository/flake houses multiple components that provide functions.
-
-        These include the Nixpkgs `lib` library, with a larger number of functions for various purposes, as well as the `nixpkgs` (TBD) and `nixos` libraries whose main purpose is to provide configurability for those respective components.
-       */
-      # This attribute set is intentionally not extensible. Its purpose is not dependency injection.
-      libs = {
-        /**
-          [The Nixpkgs library](https://nixos.org/manual/nixpkgs/unstable/#id-1.4)
-         */
-        lib = import ./lib;
-
-        /**
-          Entrypoints into [NixOS](https://nixos.org/manual/nixos/unstable/), including [`runTest`](https://nixos.org/manual/nixos/unstable/#sec-call-nixos-test-outside-nixos).
-        */
-        nixos = import ./nixos/lib { };
-      };
-
       /**
         `nixpkgs.lib` is a combination of the [Nixpkgs library](https://nixos.org/manual/nixpkgs/unstable/#id-1.4), and other attributes
         that are _not_ part of the Nixpkgs library, but part of the Nixpkgs flake:

lib/.version

@@ -1 +1 @@
-25.11
+25.05

lib/default.nix

@@ -309,7 +309,6 @@ let
         stringLength
         substring
         isString
-        replaceString
         replaceStrings
         intersperse
         concatStringsSep
@@ -346,7 +345,6 @@ let
         upperChars
         toLower
         toUpper
-        toCamelCase
         toSentenceCase
         addContextFrom
         splitString

lib/fileset/default.nix

@@ -703,7 +703,7 @@ in
     # Type
 
     ```
-    difference :: FileSet -> FileSet -> FileSet
+    union :: FileSet -> FileSet -> FileSet
     ```
 
     # Examples

lib/gvariant.nix

@@ -18,7 +18,7 @@ let
     concatStrings
     escape
     head
-    replaceString
+    replaceStrings
     ;
 
   mkPrimitive = t: v: {
@@ -451,7 +451,7 @@ rec {
   mkString =
     v:
     let
-      sanitize = s: replaceString "\n" "\\n" (escape [ "'" "\\" ] s);
+      sanitize = s: replaceStrings [ "\n" ] [ "\\n" ] (escape [ "'" "\\" ] s);
     in
     mkPrimitive type.string v
     // {

lib/meta.nix

@@ -289,7 +289,8 @@ rec {
   */
   availableOn =
     platform: pkg:
-    ((!pkg ? meta.platforms) || any (platformMatch platform) pkg.meta.platforms)
+    pkg != null
+    && ((!pkg ? meta.platforms) || any (platformMatch platform) pkg.meta.platforms)
     && all (elem: !platformMatch platform elem) (pkg.meta.badPlatforms or [ ]);
 
   /**

lib/strings.nix

@@ -332,41 +332,6 @@ rec {
   */
   concatLines = concatMapStrings (s: s + "\n");
 
-  /**
-    Given string `s`, replace every occurrence of the string `from` with the string `to`.
-
-    # Inputs
-
-    `from`
-    : The string to be replaced
-
-    `to`
-    : The string to replace with
-
-    `s`
-    : The original string where replacements will be made
-
-    # Type
-
-    ```
-    replaceString :: string -> string -> string -> string
-    ```
-
-    # Examples
-    :::{.example}
-    ## `lib.strings.replaceString` usage example
-
-    ```nix
-    replaceString "world" "Nix" "Hello, world!"
-    => "Hello, Nix!"
-    replaceString "." "_" "v1.2.3"
-    => "v1_2_3"
-    ```
-
-    :::
-  */
-  replaceString = from: to: replaceStrings [ from ] [ to ];
-
   /**
     Repeat a string `n` times,
     and concatenate the parts into a new string.
@@ -1173,7 +1138,7 @@ rec {
       string = toString arg;
     in
     if match "[[:alnum:],._+:@%/-]+" string == null then
-      "'${replaceString "'" "'\\''" string}'"
+      "'${replaceStrings [ "'" ] [ "'\\''" ] string}'"
     else
       string;
 
@@ -1535,63 +1500,6 @@ rec {
         addContextFrom str (toUpper firstChar + toLower rest)
       );
 
-  /**
-    Converts a string to camelCase. Handles snake_case, PascalCase,
-    kebab-case strings as well as strings delimited by spaces.
-
-    # Inputs
-
-    `string`
-    : The string to convert to camelCase
-
-    # Type
-
-    ```
-    toCamelCase :: string -> string
-    ```
-
-    # Examples
-    :::{.example}
-    ## `lib.strings.toCamelCase` usage example
-
-    ```nix
-    toCamelCase "hello-world"
-    => "helloWorld"
-    toCamelCase "hello_world"
-    => "helloWorld"
-    toCamelCase "hello world"
-    => "helloWorld"
-    toCamelCase "HelloWorld"
-    => "helloWorld"
-    ```
-
-    :::
-  */
-  toCamelCase =
-    str:
-    lib.throwIfNot (isString str) "toCamelCase does only accepts string values, but got ${typeOf str}" (
-      let
-        separators = splitStringBy (
-          prev: curr:
-          elem curr [
-            "-"
-            "_"
-            " "
-          ]
-        ) false str;
-
-        parts = lib.flatten (
-          map (splitStringBy (
-            prev: curr: match "[a-z]" prev != null && match "[A-Z]" curr != null
-          ) true) separators
-        );
-
-        first = if length parts > 0 then toLower (head parts) else "";
-        rest = if length parts > 1 then map toSentenceCase (tail parts) else [ ];
-      in
-      concatStrings (map (addContextFrom str) ([ first ] ++ rest))
-    );
-
   /**
     Appends string context from string like object `src` to `target`.
 

lib/systems/architectures.nix

@@ -329,39 +329,6 @@ rec {
       "avx512"
       "fma"
     ];
-    # LoongArch64
-    # https://github.com/loongson/la-toolchain-conventions
-    loongarch64 = [
-      "fpu64"
-    ];
-    la464 = [
-      "fpu64"
-      "lsx"
-      "lasx"
-    ];
-    la664 = [
-      "fpu64"
-      "lsx"
-      "lasx"
-      "div32"
-      "frecipe"
-      "lam-bh"
-      "lamcas"
-      "ld-seq-sa"
-    ];
-    "la64v1.0" = [
-      "fpu64"
-      "lsx"
-    ];
-    "la64v1.1" = [
-      "fpu64"
-      "lsx"
-      "div32"
-      "frecipe"
-      "lam-bh"
-      "lamcas"
-      "ld-seq-sa"
-    ];
     # other
     armv5te = [ ];
     armv6 = [ ];
@@ -519,16 +486,6 @@ rec {
       ampere1a = [ "ampere1" ] ++ inferiors.ampere1;
       ampere1b = [ "ampere1a" ] ++ inferiors.ampere1a;
 
-      # LoongArch64
-      loongarch64 = [ ];
-      "la64v1.0" = [ "loongarch64" ];
-      la464 = [ "la64v1.0" ] ++ inferiors."la64v1.0";
-      "la64v1.1" = [ "la64v1.0" ] ++ inferiors."la64v1.0";
-      la664 = withInferiors [
-        "la464"
-        "la64v1.1"
-      ];
-
       # other
       armv5te = [ ];
       armv6 = [ ];
@@ -537,70 +494,6 @@ rec {
       loongson2f = [ ];
     };
 
-  /**
-    Check whether one GCC architecture has the the other inferior architecture.
-
-    # Inputs
-
-    `arch1`
-    : GCC architecture in string
-
-    `arch2`
-    : GCC architecture in string
-
-    # Type
-
-    ```
-    hasInferior :: string -> string -> bool
-    ```
-
-    # Examples
-    ::: {.example}
-    ## `lib.systems.architectures.hasInferior` usage example
-
-    ```nix
-    hasInferior "x86-64-v3" "x86-64"
-    => true
-    hasInferior "x86-64" "x86-64-v3"
-    => false
-    hasInferior "x86-64" "x86-64"
-    => false
-    ```
-  */
-  hasInferior = arch1: arch2: inferiors ? ${arch1} && lib.elem arch2 inferiors.${arch1};
-
-  /**
-    Check whether one GCC architecture can execute the other.
-
-    # Inputs
-
-    `arch1`
-    : GCC architecture in string
-
-    `arch2`
-    : GCC architecture in string
-
-    # Type
-
-    ```
-    canExecute :: string -> string -> bool
-    ```
-
-    # Examples
-    ::: {.example}
-    ## `lib.systems.architectures.canExecute` usage example
-
-    ```nix
-    canExecute "x86-64" "x86-64-v3"
-    => false
-    canExecute "x86-64-v3" "x86-64"
-    => true
-    canExecute "x86-64" "x86-64"
-    => true
-    ```
-  */
-  canExecute = arch1: arch2: arch1 == arch2 || hasInferior arch1 arch2;
-
   predicates =
     let
       featureSupport = feature: x: builtins.elem feature features.${x} or [ ];
@@ -617,7 +510,5 @@ rec {
       aesSupport = featureSupport "aes";
       fmaSupport = featureSupport "fma";
       fma4Support = featureSupport "fma4";
-      lsxSupport = featureSupport "lsx";
-      lasxSupport = featureSupport "lasx";
     };
 }

lib/systems/default.nix

@@ -14,7 +14,7 @@ let
     optionalAttrs
     optionalString
     removeSuffix
-    replaceString
+    replaceStrings
     toUpper
     ;
 
@@ -97,21 +97,7 @@ let
             platform:
             final.isAndroid == platform.isAndroid
             && parse.isCompatible final.parsed.cpu platform.parsed.cpu
-            && final.parsed.kernel == platform.parsed.kernel
-            && (
-              # Only perform this check when cpus have the same type;
-              # assume compatible cpu have all the instructions included
-              final.parsed.cpu == platform.parsed.cpu
-              ->
-                # if both have gcc.arch defined, check whether final can execute the given platform
-                (
-                  (final ? gcc.arch && platform ? gcc.arch)
-                  -> architectures.canExecute final.gcc.arch platform.gcc.arch
-                )
-                # if platform has gcc.arch defined but final doesn't, don't assume it can be executed
-                || (platform ? gcc.arch -> !(final ? gcc.arch))
-            );
-
+            && final.parsed.kernel == platform.parsed.kernel;
           isCompatible =
             _:
             throw "2022-05-23: isCompatible has been removed in favor of canExecute, refer to the 22.11 changelog for details";
@@ -522,7 +508,7 @@ let
             #
             # https://github.com/rust-lang/cargo/pull/9169
             # https://github.com/rust-lang/cargo/issues/8285#issuecomment-634202431
-            cargoEnvVarTarget = replaceString "-" "_" (toUpper final.rust.cargoShortTarget);
+            cargoEnvVarTarget = replaceStrings [ "-" ] [ "_" ] (toUpper final.rust.cargoShortTarget);
 
             # True if the target is no_std
             # https://github.com/rust-lang/rust/blob/2e44c17c12cec45b6a682b1e53a04ac5b5fcc9d2/src/bootstrap/config.rs#L415-L421
@@ -556,7 +542,7 @@ let
                 "x86_64" = "amd64";
                 "wasm32" = "wasm";
               }
-              .${final.parsed.cpu.name} or null;
+              .${final.parsed.cpu.name} or (throw "Unknown CPU variant ${final.parsed.cpu.name} by Go");
             GOOS = if final.isWasi then "wasip1" else final.parsed.kernel.name;
 
             # See https://go.dev/wiki/GoArm

lib/systems/examples.nix

@@ -170,17 +170,9 @@ rec {
     libc = "newlib";
   };
 
-  # https://github.com/loongson/la-softdev-convention/blob/master/la-softdev-convention.adoc#10-operating-system-package-build-requirements
-  loongarch64-linux = lib.recursiveUpdate platforms.loongarch64-multiplatform {
+  loongarch64-linux = {
     config = "loongarch64-unknown-linux-gnu";
   };
-  loongarch64-linux-embedded = lib.recursiveUpdate platforms.loongarch64-multiplatform {
-    config = "loongarch64-unknown-linux-gnu";
-    gcc = {
-      arch = "loongarch64";
-      strict-align = true;
-    };
-  };
 
   mmix = {
     config = "mmix-unknown-mmixware";

lib/systems/platforms.nix

@@ -572,27 +572,6 @@ rec {
     };
   };
 
-  loongarch64-multiplatform = {
-    gcc = {
-      # https://github.com/loongson/la-softdev-convention/blob/master/la-softdev-convention.adoc#10-operating-system-package-build-requirements
-      arch = "la64v1.0";
-      strict-align = false;
-      # Avoid text sections of large apps exceeding default code model
-      # Will be default behavior in LLVM 21 and hopefully GCC16
-      # https://github.com/loongson-community/discussions/issues/43
-      # https://github.com/llvm/llvm-project/pull/132173
-      cmodel = "medium";
-    };
-    linux-kernel = {
-      name = "loongarch-multiplatform";
-      target = "vmlinuz.efi";
-      autoModules = true;
-      preferBuiltin = true;
-      baseConfig = "defconfig";
-      DTB = true;
-    };
-  };
-
   # This function takes a minimally-valid "platform" and returns an
   # attrset containing zero or more additional attrs which should be
   # included in the platform in order to further elaborate it.
@@ -619,9 +598,6 @@ rec {
     else if platform.isAarch64 then
       if platform.isDarwin then apple-m1 else aarch64-multiplatform
 
-    else if platform.isLoongArch64 then
-      loongarch64-multiplatform
-
     else if platform.isRiscV then
       riscv-multiplatform
 
@@ -631,8 +607,6 @@ rec {
     else if platform.parsed.cpu == lib.systems.parse.cpuTypes.powerpc64le then
       powernv
 
-    else if platform.isLoongArch64 then
-      loongarch64-multiplatform
     else
       { };
 }

lib/tests/maintainers.nix

@@ -1,6 +1,6 @@
 # to run these tests (and the others)
 # nix-build nixpkgs/lib/tests/release.nix
-# These tests should stay in sync with the comment in maintainers/maintainer-list.nix
+# These tests should stay in sync with the comment in maintainers/maintainers-list.nix
 {
   # The pkgs used for dependencies for the testing itself
   pkgs ? import ../.. { },

lib/tests/misc.nix

@@ -91,7 +91,6 @@ let
     range
     recursiveUpdateUntil
     removePrefix
-    replaceString
     replicate
     runTests
     setFunctionArgs
@@ -498,11 +497,6 @@ runTests {
     expected = "/usr/include:/usr/local/include";
   };
 
-  testReplaceStringString = {
-    expr = strings.replaceString "." "_" "v1.2.3";
-    expected = "v1_2_3";
-  };
-
   testReplicateString = {
     expr = strings.replicate 5 "hello";
     expected = "hellohellohellohellohello";
@@ -975,28 +969,6 @@ runTests {
 
   testToSentenceCasePath = testingThrow (strings.toSentenceCase ./.);
 
-  testToCamelCase = {
-    expr = strings.toCamelCase "hello world";
-    expected = "helloWorld";
-  };
-
-  testToCamelCaseFromKebab = {
-    expr = strings.toCamelCase "hello-world";
-    expected = "helloWorld";
-  };
-
-  testToCamelCaseFromSnake = {
-    expr = strings.toCamelCase "hello_world";
-    expected = "helloWorld";
-  };
-
-  testToCamelCaseFromPascal = {
-    expr = strings.toCamelCase "HelloWorld";
-    expected = "helloWorld";
-  };
-
-  testToCamelCasePath = testingThrow (strings.toCamelCase ./.);
-
   testToInt = testAllTrue [
     # Naive
     (123 == toInt "123")
@@ -1734,11 +1706,6 @@ runTests {
     ];
   };
 
-  testReplaceString = {
-    expr = replaceString "world" "Nix" "Hello, world!";
-    expected = "Hello, Nix!";
-  };
-
   testReplicate = {
     expr = replicate 3 "a";
     expected = [

lib/trivial.nix

@@ -439,7 +439,7 @@ in
     On each release the first letter is bumped and a new animal is chosen
     starting with that new letter.
   */
-  codeName = "Xantusia";
+  codeName = "Warbler";
 
   /**
     Returns the current nixpkgs version suffix as string.

maintainers/README.md

@@ -40,10 +40,6 @@ In order to do so, add yourself to the
 [`maintainer-list.nix`](./maintainer-list.nix), and then to the desired
 package's `meta.maintainers` list, and send a PR with the changes.
 
-If you're adding yourself as a maintainer as part of another PR (in which
-you become a maintainer of a package, for example), make your change to
-`maintainer-list.nix` in a separate commit.
-
 ### How to lose maintainer status
 
 Maintainers who have become inactive on a given package can be removed. This

maintainers/maintainer-list.nix

@@ -2135,11 +2135,6 @@
     githubId = 56650223;
     name = "Artturi N";
   };
-  artur-sannikov = {
-    name = "Artur Sannikov";
-    github = "artur-sannikov";
-    githubId = 40318410;
-  };
   arturcygan = {
     email = "arczicygan@gmail.com";
     github = "arcz";
@@ -2343,10 +2338,11 @@
     githubId = 11548989;
   };
   atalii = {
-    email = "me@tali.network";
+    email = "taliauster@gmail.com";
     github = "atalii";
     githubId = 120901234;
-    name = "Tali Auster";
+    name = "tali auster";
+    matrix = "@atalii:matrix.org";
   };
   atar13 = {
     name = "Anthony Tarbinian";
@@ -3059,12 +3055,6 @@
     github = "benhiemer";
     githubId = 16649926;
   };
-  benjajaja = {
-    name = "Benjamin Große";
-    email = "ste3ls@gmail.com";
-    github = "benjajaja";
-    githubId = 310215;
-  };
   benjaminedwardwebb = {
     name = "Ben Webb";
     email = "benjaminedwardwebb@gmail.com";
@@ -3486,11 +3476,6 @@
     githubId = 50839;
     name = "Brian Jones";
   };
-  bokicoder = {
-    github = "bokicoder";
-    githubId = 193465580;
-    name = "bokicoder";
-  };
   boldikoller = {
     email = "boldi.koller@wtss.eu";
     github = "boldikoller";
@@ -4011,18 +3996,6 @@
     githubId = 141733;
     name = "Andrew Bruce";
   };
-  Cameo007 = {
-    name = "Pascal Dietrich";
-    email = "pascal.1.dietrich@hotmail.com";
-    matrix = "@cameo007:mintux.de";
-    github = "Cameo007";
-    githubId = 80521473;
-    keys = [
-      {
-        fingerprint = "2D62 24B9 1250 86AF E318 12A0 F1D1 5228 0511 FB91";
-      }
-    ];
-  };
   camerondugan = {
     email = "cameron.dugan@protonmail.com";
     github = "camerondugan";
@@ -4438,13 +4411,6 @@
     githubId = 631802;
     keys = [ { fingerprint = "099E 3F97 FA08 3D47 8C75  EBEC E0EB AD78 F019 0BD9"; } ];
   };
-  chillcicada = {
-    email = "2210227279@qq.com";
-    name = "chillcicada";
-    github = "chillcicada";
-    githubId = 116548943;
-    keys = [ { fingerprint = "734C 20B3 33C4 FAB3 0BD0  743A 34C2 1231 0A99 754B"; } ];
-  };
   chiroptical = {
     email = "chiroptical@gmail.com";
     github = "chiroptical";
@@ -5674,12 +5640,6 @@
     githubId = 4971975;
     name = "Janne Heß";
   };
-  dashietm = {
-    email = "fabio.lenherr@gmail.com";
-    github = "DashieTM";
-    githubId = 72016555;
-    name = "Fabio Lenherr";
-  };
   dasisdormax = {
     email = "dasisdormax@mailbox.org";
     github = "dasisdormax";
@@ -6519,12 +6479,6 @@
     githubId = 131907205;
     name = "David Thievon";
   };
-  dolphindalt = {
-    email = "dolphindalt@gmail.com";
-    github = "dolphindalt";
-    githubId = 13937320;
-    name = "Dalton Caron";
-  };
   domenkozar = {
     email = "domen@dev.si";
     github = "domenkozar";
@@ -6554,7 +6508,7 @@
     name = "DontEatOreo";
     github = "DontEatOreo";
     githubId = 57304299;
-    matrix = "@donteatoreo:matrix.org";
+    keys = [ { fingerprint = "33CD 5C0A 673C C54D 661E  5E4C 0DB5 361B EEE5 30AB"; } ];
   };
   dopplerian = {
     name = "Dopplerian";
@@ -6606,12 +6560,6 @@
     github = "dottybot";
     githubId = 12519979;
   };
-  douzebis = {
-    email = "fred@atlant.is";
-    github = "douzebis";
-    githubId = 61088438;
-    name = "Frédéric Ruget";
-  };
   dpaetzel = {
     email = "david.paetzel@posteo.de";
     github = "dpaetzel";
@@ -7247,6 +7195,7 @@
     email = "fedi.jamoussi@protonmail.ch";
     github = "eljamm";
     githubId = 83901271;
+    keys = [ { fingerprint = "FF59 E027 4EE2 E792 512B  BDC8 7630 FDF7 C8FB 1F3F"; } ];
   };
   elkowar = {
     email = "thereal.elkowar@gmail.com";
@@ -7474,11 +7423,6 @@
     githubId = 5085029;
     name = "Emanuele Peruffo";
   };
-  epireyn = {
-    github = "epireyn";
-    githubId = 48213068;
-    name = "Edgar Pireyn";
-  };
   equirosa = {
     email = "eduardo@eduardoquiros.com";
     github = "equirosa";
@@ -7881,12 +7825,6 @@
     github = "hatch01";
     githubId = 42416805;
   };
-  ezrizhu = {
-    name = "Ezri Zhu";
-    email = "me@ezrizhu.com";
-    github = "ezrizhu";
-    githubId = 44515009;
-  };
   f--t = {
     email = "git@f-t.me";
     github = "f--t";
@@ -8156,12 +8094,6 @@
     githubId = 8182846;
     name = "Francesco Gazzetta";
   };
-  fgrcl = {
-    email = "fgrclaberge@gmail.com";
-    github = "FGRCL";
-    githubId = 35940434;
-    name = "Francois LaBerge";
-  };
   fidgetingbits = {
     name = "fidgetingbits";
     email = "nixpkgs.xe7au@passmail.net";
@@ -10130,12 +10062,6 @@
     githubId = 130903;
     name = "Ana Hobden";
   };
-  hpfr = {
-    email = "liam@hpfr.net";
-    github = "hpfr";
-    githubId = 44043764;
-    name = "Liam Hupfer";
-  };
   hqurve = {
     email = "hqurve@outlook.com";
     github = "hqurve";
@@ -11200,7 +11126,6 @@
     name = "Jappie Klooster";
   };
   jappie3 = {
-    email = "jappie3+git@jappie.dev";
     name = "Jappie3";
     matrix = "@jappie:jappie.dev";
     github = "Jappie3";
@@ -11531,12 +11456,6 @@
     githubId = 30251156;
     name = "Jesse Moore";
   };
-  jethair = {
-    email = "jethair@duck.com";
-    github = "JetHair";
-    githubId = 106916147;
-    name = "JetHair";
-  };
   jethro = {
     email = "jethrokuan95@gmail.com";
     github = "jethrokuan";
@@ -13037,6 +12956,12 @@
     githubId = 843652;
     name = "Kim Burgess";
   };
+  kindrowboat = {
+    email = "hello@kindrobot.ca";
+    github = "kindrowboat";
+    githubId = 777773;
+    name = "Stef Dunlap";
+  };
   kini = {
     email = "keshav.kini@gmail.com";
     github = "kini";
@@ -13643,12 +13568,6 @@
     github = "L0L1P0P1";
     githubId = 73695812;
   };
-  l0r3v = {
-    email = "l0r3v@pasqui.casa";
-    github = "l0r3v";
-    githubId = 27364685;
-    name = "Lorenzo Pasqui";
-  };
   l1npengtul = {
     email = "l1npengtul@l1npengtul.lol";
     github = "l1npengtul";
@@ -14028,12 +13947,6 @@
     github = "LogicalOverflow";
     githubId = 5919957;
   };
-  lheintzmann1 = {
-    email = "lheintzmann1@disroot.org";
-    github = "lheintzmann1";
-    githubId = 141759313;
-    name = "Lucas Heintzmann";
-  };
   lhvwb = {
     email = "nathaniel.baxter@gmail.com";
     github = "nathanielbaxter";
@@ -15720,16 +15633,6 @@
     name = "John McParland";
     keys = [ { fingerprint = "39D2 171D D733 C718 DD21  285E B326 E14B 05D8 7A4E"; } ];
   };
-  MCSeekeri = {
-    email = "mcseekeri@outlook.com";
-    github = "mcseekeri";
-    githubId = 20928094;
-    name = "MCSeekeri";
-    keys = [
-      { fingerprint = "5922 79AB D9D6 85EB 9D16  754C ECDC AD89 5A38 4A12"; }
-      { fingerprint = "0762 A387 F160 76F1 116C  BF13 3276 6666 6666 6666"; }
-    ];
-  };
   McSinyx = {
     email = "cnx@loang.net";
     github = "McSinyx";
@@ -16174,12 +16077,6 @@
     githubId = 978196;
     name = "Michaël Faille";
   };
-  mikehorn = {
-    email = "mikehornproton@proton.me";
-    github = "MikeHorn-git";
-    githubId = 123373126;
-    name = "Mike Horn";
-  };
   mikesperber = {
     email = "sperber@deinprogramm.de";
     github = "mikesperber";
@@ -16608,10 +16505,8 @@
   moraxyc = {
     name = "Moraxyc Xu";
     email = "i@qaq.li";
-    matrix = "@moraxyc:qaq.li";
     github = "Moraxyc";
     githubId = 69713071;
-    keys = [ { fingerprint = "7DD1 A4DF 7DD6 AEEB F07B  1108 8296 4F3A B1D9 DE79"; } ];
   };
   moredread = {
     email = "code@apb.name";
@@ -16836,12 +16731,6 @@
     githubId = 7026881;
     name = "Jarosław Jedynak";
   };
-  msoos = {
-    email = "soos.mate@gmail.com";
-    github = "msoos";
-    githubId = 1334841;
-    name = "Mate Soos";
-  };
   mstarzyk = {
     email = "mstarzyk@gmail.com";
     github = "mstarzyk";
@@ -16891,6 +16780,12 @@
     githubId = 72663763;
     keys = [ { fingerprint = "DB3E A12D B291 594A 79C5 F6B3 10AB 6868 37F6 FA3F"; } ];
   };
+  mtreca = {
+    email = "maxime.treca@gmail.com";
+    github = "mtreca";
+    githubId = 16440823;
+    name = "Maxime Tréca";
+  };
   mtreskin = {
     email = "zerthurd@gmail.com";
     github = "Zert";
@@ -17615,7 +17510,7 @@
   };
   nicoo = {
     email = "nicoo@debian.org";
-    github = "nicoonoclaste";
+    github = "nbraud";
     githubId = 1155801;
     name = "nicoo";
     keys = [ { fingerprint = "E44E 9EA5 4B8E 256A FB73 49D3 EC9D 3708 72BC 7A8C"; } ];
@@ -18323,11 +18218,10 @@
     name = "Dakota";
   };
   ohheyrj = {
-    email = "richard@ohheyrj.co.uk";
+    email = "richard+nix@ohheyrj.co.uk";
     github = "ohheyrj";
     name = "ohheyrj";
     githubId = 5339261;
-    keys = [ { fingerprint = "4258 3FE7 12E9 6071 E84D  53C7 6E1D A270 0B72 746D"; } ];
   };
   oida = {
     email = "oida@posteo.de";
@@ -18746,12 +18640,6 @@
     name = "Philipp Rintz";
     matrix = "@philipp:srv.icu";
   };
-  p0lyw0lf = {
-    email = "p0lyw0lf@protonmail.com";
-    name = "PolyWolf";
-    github = "p0lyw0lf";
-    githubId = 31190026;
-  };
   p3psi = {
     name = "Elliot Boo";
     email = "p3psi.boo@gmail.com";
@@ -20881,12 +20769,6 @@
     githubId = 3302;
     name = "Renzo Carbonara";
   };
-  repparw = {
-    email = "ubritos@gmail.com";
-    github = "repparw";
-    githubId = 45952970;
-    name = "repparw";
-  };
   reputable2772 = {
     name = "Reputable2772";
     github = "Reputable2772";
@@ -21085,12 +20967,6 @@
     githubId = 807447;
     name = "Robert Scott";
   };
-  Rishabh5321 = {
-    name = "Rishabh Singh";
-    email = "rishabh98818@gmail.com";
-    github = "Rishabh5321";
-    githubId = 40533251;
-  };
   Rishik-Y = {
     name = "Rishik Yalamanchili";
     email = "202301258@daiict.ac.in";
@@ -21778,12 +21654,6 @@
     githubId = 7309170;
     name = "Ryota Kameoka";
   };
-  ryota2357 = {
-    email = "contact@ryota2357.com";
-    github = "ryota2357";
-    githubId = 61523777;
-    name = "Ryota Otsuki";
-  };
   rypervenche = {
     email = "git@ryper.org";
     github = "rypervenche";
@@ -22936,11 +22806,6 @@
     matrix = "@c3n21:matrix.org";
     githubId = 37077738;
   };
-  sinjin2300 = {
-    name = "Sinjin";
-    github = "Sinjin2300";
-    githubId = 35543336;
-  };
   sioodmy = {
     name = "Antoni Sokołowski";
     github = "sioodmy";
@@ -23454,13 +23319,6 @@
     githubId = 16364318;
     name = "Jeffrey Harmon";
   };
-  squat = {
-    matrix = "@squat:beeper.com";
-    name = "squat";
-    github = "squat";
-    githubId = 20484159;
-    keys = [ { fingerprint = "F246 425A 7650 6F37 0552  BA8D DEA9 C405 09D9 65F5"; } ];
-  };
   srghma = {
     email = "srghma@gmail.com";
     github = "srghma";
@@ -24083,12 +23941,6 @@
     githubId = 40228615;
     name = "Taha Yassine";
   };
-  tahlonbrahic = {
-    email = "tahlonbrahic@proton.me";
-    github = "tahlonbrahic";
-    githubId = 104690672;
-    name = "Tahlon Brahic";
-  };
   taikx4 = {
     email = "taikx4@taikx4szlaj2rsdupcwabg35inbny4jk322ngeb7qwbbhd5i55nf5yyd.onion";
     github = "taikx4";
@@ -24717,32 +24569,12 @@
     githubId = 6579555;
     name = "Jeroen Jetten";
   };
-  thetaoofsu = {
-    email = "TheTaoOfSu@protonmail.com";
-    github = "TheTaoOfSu";
-    githubId = 45526311;
-    name = "TheTaoOfSu";
-  };
   theuni = {
     email = "ct@flyingcircus.io";
     github = "ctheune";
     githubId = 1220572;
     name = "Christian Theune";
   };
-  thevar1able = {
-    email = "var1able+nixpkgs@var1able.network";
-    github = "thevar1able";
-    githubId = 875885;
-    name = "Konstantin Bogdanov";
-    keys = [
-      { fingerprint = "3221 7A73 EB95 0E9E E550  36A3 DB39 9448 D9FE 52F1"; }
-    ];
-  };
-  theverygaming = {
-    name = "theverygaming";
-    github = "theverygaming";
-    githubId = 18639279;
-  };
   thiagokokada = {
     email = "thiagokokada@gmail.com";
     github = "thiagokokada";
@@ -25252,12 +25084,6 @@
     github = "totoroot";
     githubId = 39650930;
   };
-  tournev = {
-    name = "Vincent Tourneur";
-    email = "vincent@pimoid.fr";
-    github = "vtourneur";
-    githubId = 48284424;
-  };
   ToxicFrog = {
     email = "toxicfrog@ancilla.ca";
     github = "ToxicFrog";
@@ -25802,11 +25628,6 @@
     github = "deviant";
     githubId = 68829907;
   };
-  vaavaav = {
-    name = "Pedro Peixoto";
-    github = "vaavaav";
-    githubId = 56087034;
-  };
   vaci = {
     email = "vaci@vaci.org";
     github = "vaci";
@@ -26396,12 +26217,6 @@
     github = "waynr";
     githubId = 1441126;
   };
-  wcarlsen = {
-    name = "Willi Carlsen";
-    email = "carlsenwilli@gmail.com";
-    github = "wcarlsen";
-    githubId = 17003032;
-  };
   wchresta = {
     email = "wchresta.nix@chrummibei.ch";
     github = "wchresta";
@@ -26741,12 +26556,6 @@
     githubId = 9132420;
     keys = [ { fingerprint = "F943 A0BC 720C 5BEF 73CD E02D B398 93FA 5F65 CAE1"; } ];
   };
-  womeier = {
-    name = "Wolfgang Meier";
-    email = "womeier@posteo.de";
-    github = "womeier";
-    githubId = 55190123;
-  };
   womfoo = {
     email = "kranium@gikos.net";
     github = "womfoo";

maintainers/scripts/README.md

@@ -16,7 +16,7 @@ a given nixpkgs maintainer, equivalent to `lib.maintainers.${x} // { handle = x;
 
 This allows looking up a maintainer's attrset (including GitHub and Matrix
 handles, email address etc.) based on any of their handles, more correctly and
-robustly than text search through `maintainer-list.nix`.
+robustly than text search through `maintainers-list.nix`.
 
 ```
 ❯ ./get-maintainer.sh nicoo

maintainers/scripts/check-cherry-picks.sh

@@ -1,25 +1,17 @@
 #!/usr/bin/env bash
 # Find alleged cherry-picks
 
-set -eo pipefail
+set -e
 
 if [ $# != "2" ] ; then
   echo "usage: check-cherry-picks.sh base_rev head_rev"
   exit 2
 fi
 
-# Make sure we are inside the nixpkgs repo, even when called from outside
-cd "$(dirname "${BASH_SOURCE[0]}")"
-
-PICKABLE_BRANCHES="master staging release-??.?? staging-??.?? haskell-updates python-updates staging-next staging-next-??.??"
+PICKABLE_BRANCHES=${PICKABLE_BRANCHES:-master staging release-??.?? staging-??.??}
 problem=0
 
-# Not everyone calls their remote "origin"
-remote="$(git remote -v | grep -i 'NixOS/nixpkgs' | head -n1 | cut -f1 || true)"
-
-commits="$(git rev-list --reverse "$1..$2")"
-
-while read -r new_commit_sha ; do
+while read new_commit_sha ; do
   if [ -z "$new_commit_sha" ] ; then
     continue  # skip empty lines
   fi
@@ -34,47 +26,30 @@ while read -r new_commit_sha ; do
   original_commit_sha=$(
     git rev-list --max-count=1 --format=format:%B "$new_commit_sha" \
     | grep -Ei -m1 "cherry.*[0-9a-f]{40}" \
-    | grep -Eoi -m1 '[0-9a-f]{40}' || true
+    | grep -Eoi -m1 '[0-9a-f]{40}'
   )
-  if [ -z "$original_commit_sha" ] ; then
-    if [ "$GITHUB_ACTIONS" = 'true' ] ; then
-      echo ::endgroup::
-      echo -n "::error ::"
-    else
-      echo -n "  ✘ "
-    fi
-    echo "Couldn't locate original commit hash in message"
-    echo "Note this should not necessarily be treated as a hard fail, but a reviewer's attention should" \
-      "be drawn to it and github actions have no way of doing that but to raise a 'failure'"
-    problem=1
+  if [ "$?" != "0" ] ; then
+    echo "  ? Couldn't locate original commit hash in message"
+    [ "$GITHUB_ACTIONS" = 'true' ] && echo ::endgroup::
     continue
   fi
 
   set -f # prevent pathname expansion of patterns
-  for pattern in $PICKABLE_BRANCHES ; do
+  for branch_pattern in $PICKABLE_BRANCHES ; do
     set +f # re-enable pathname expansion
 
-    # Reverse sorting by refname and taking one match only means we can only backport
-    # from unstable and the latest stable. That makes sense, because even right after
-    # branch-off, when we have two supported stable branches, we only ever want to cherry-pick
-    # **to** the older one, but never **from** it.
-    # This makes the job significantly faster in the case when commits can't be found,
-    # because it doesn't need to iterate through 20+ branches, which all need to be fetched.
-    branches="$(git for-each-ref --sort=-refname --format="%(refname)" \
-      "refs/remotes/${remote:-origin}/$pattern" | head -n1)"
-
     while read -r picked_branch ; do
       if git merge-base --is-ancestor "$original_commit_sha" "$picked_branch" ; then
         echo "  ✔ $original_commit_sha present in branch $picked_branch"
 
-        range_diff_common='git --no-pager range-diff
+        range_diff_common='git range-diff
           --no-notes
           --creation-factor=100
           '"$original_commit_sha~..$original_commit_sha"'
           '"$new_commit_sha~..$new_commit_sha"'
         '
 
-        if $range_diff_common --no-color 2> /dev/null | grep -E '^ {4}[+-]{2}' > /dev/null ; then
+        if $range_diff_common --no-color | grep -E '^ {4}[+-]{2}' > /dev/null ; then
           if [ "$GITHUB_ACTIONS" = 'true' ] ; then
             echo ::endgroup::
             echo -n "::warning ::"
@@ -97,7 +72,11 @@ while read -r new_commit_sha ; do
         # move on to next commit
         continue 3
       fi
-    done <<< "$branches"
+    done <<< "$(
+      git for-each-ref \
+      --format="%(refname)" \
+      "refs/remotes/origin/$branch_pattern"
+    )"
   done
 
   if [ "$GITHUB_ACTIONS" = 'true' ] ; then
@@ -109,6 +88,10 @@ while read -r new_commit_sha ; do
   echo "$original_commit_sha not found in any pickable branch"
 
   problem=1
-done <<< "$commits"
+done <<< "$(
+  git rev-list \
+    -E -i --grep="cherry.*[0-9a-f]{40}" --reverse \
+    "$1..$2"
+)"
 
 exit $problem

maintainers/scripts/pluginupdate-py/pluginupdate.py

@@ -558,16 +558,7 @@ class Editor:
         }
 
         for plugin_desc, plugin, redirect in fetched:
-            # Check if plugin is a Plugin object and has normalized_name attribute
-            if isinstance(plugin, Plugin) and hasattr(plugin, 'normalized_name'):
-                result[plugin.normalized_name] = (plugin_desc, plugin, redirect)
-            elif isinstance(plugin, Exception):
-                # For exceptions, we can't determine the normalized_name
-                # Just log the error and continue
-                log.error(f"Error fetching plugin {plugin_desc.name}: {plugin!r}")
-            else:
-                # For unexpected types, log the issue
-                log.error(f"Unexpected plugin type for {plugin_desc.name}: {type(plugin)}")
+            result[plugin.normalized_name] = (plugin_desc, plugin, redirect)
 
         return list(result.values())
 
@@ -624,9 +615,9 @@ class Editor:
             "--github-token",
             "-t",
             type=str,
-            default=os.getenv("GITHUB_TOKEN"),
+            default=os.getenv("GITHUB_API_TOKEN"),
             help="""Allows to set --proc to higher values.
-            Uses GITHUB_TOKEN environment variables as the default value.""",
+            Uses GITHUB_API_TOKEN environment variables as the default value.""",
         )
         common.add_argument(
             "--no-commit",

maintainers/team-list.nix

@@ -63,6 +63,7 @@ with lib.maintainers;
     shortName = "apm employees";
     # Edits to this list should only be done by an already existing member.
     members = [
+      wolfgangwalther
       DutchGerman
     ];
   };
@@ -1191,12 +1192,7 @@ with lib.maintainers;
   };
 
   systemd = {
-    members = [
-      flokli
-      arianvp
-      elvishjerricco
-      aanderse
-    ];
+    members = [ ];
     githubTeams = [ "systemd" ];
     scope = "Maintain systemd for NixOS.";
     shortName = "systemd";

nixos/doc/manual/configuration/x-windows.chapter.md

@@ -29,7 +29,7 @@ Thus you should pick one or more of the following lines:
 {
   services.xserver.desktopManager.plasma5.enable = true;
   services.xserver.desktopManager.xfce.enable = true;
-  services.desktopManager.gnome.enable = true;
+  services.xserver.desktopManager.gnome.enable = true;
   services.xserver.desktopManager.mate.enable = true;
   services.xserver.windowManager.xmonad.enable = true;
   services.xserver.windowManager.twm.enable = true;
@@ -46,7 +46,7 @@ alternative one by picking one of the following lines:
 ```nix
 {
   services.displayManager.sddm.enable = true;
-  services.displayManager.gdm.enable = true;
+  services.xserver.displayManager.gdm.enable = true;
 }
 ```
 

nixos/doc/manual/contributing-to-this-manual.chapter.md

@@ -17,28 +17,6 @@ There's also [a convenient development daemon](https://nixos.org/manual/nixpkgs/
 
 The above instructions don't deal with the appendix of available `configuration.nix` options, and the manual pages related to NixOS. These are built, and written in a different location and in a different format, as explained in the next sections.
 
-## Development environment {#sec-contributing-development-env}
-
-In order to reduce repetition, consider using tools from the provided development environment:
-
-Load it from the NixOS documentation directory with
-
-```ShellSession
-$ cd /path/to/nixpkgs/nixos/doc/manual
-$ nix-shell
-```
-
-To load the development utilities automatically when entering that directory, [set up `nix-direnv`](https://nix.dev/guides/recipes/direnv).
-
-Make sure that your local files aren't added to Git history by adding the following lines to `.git/info/exclude` at the root of the Nixpkgs repository:
-
-```
-/**/.envrc
-/**/.direnv
-```
-
-You might want to also use [`devmode`](https://github.com/NixOS/nixpkgs/blob/master/doc/README.md#devmode) while editing the manual.
-
 ## Testing redirects {#sec-contributing-redirects}
 
 Once you have a successful build, you can open the relevant HTML (path mentioned above) in a browser along with the anchor, and observe the redirection.

nixos/doc/manual/installation/upgrading.chapter.md

@@ -4,11 +4,9 @@ The best way to keep your NixOS installation up to date is to use one of
 the NixOS *channels*. A channel is a Nix mechanism for distributing Nix
 expressions and associated binaries. The NixOS channels are updated
 automatically from NixOS's Git repository after certain tests have
-passed and a selection of packages has been built successfully
-(see `nixos/release-combined.nix` and `nixos/release-small.nix`).
-These channels are:
+passed and all packages have been built. These channels are:
 
--   *Stable channels*, such as [`nixos-25.05`](https://channels.nixos.org/nixos-25.05).
+-   *Stable channels*, such as [`nixos-24.11`](https://channels.nixos.org/nixos-24.11).
     These only get conservative bug fixes and package upgrades. For
     instance, a channel update may cause the Linux kernel on your system
     to be upgraded from 4.19.34 to 4.19.38 (a minor bug fix), but not
@@ -21,7 +19,7 @@ These channels are:
     radical changes between channel updates. It's not recommended for
     production systems.
 
--   *Small channels*, such as [`nixos-25.05-small`](https://channels.nixos.org/nixos-25.05-small)
+-   *Small channels*, such as [`nixos-24.11-small`](https://channels.nixos.org/nixos-24.11-small)
     or [`nixos-unstable-small`](https://channels.nixos.org/nixos-unstable-small).
     These are identical to the stable and unstable channels described above,
     except that they contain fewer binary packages. This means they get updated
@@ -40,8 +38,8 @@ supported stable release.
 
 When you first install NixOS, you're automatically subscribed to the
 NixOS channel that corresponds to your installation source. For
-instance, if you installed from a 25.05 ISO, you will be subscribed to
-the `nixos-25.05` channel. To see which NixOS channel you're subscribed
+instance, if you installed from a 24.11 ISO, you will be subscribed to
+the `nixos-24.11` channel. To see which NixOS channel you're subscribed
 to, run the following as root:
 
 ```ShellSession
@@ -56,16 +54,16 @@ To switch to a different NixOS channel, do
 ```
 
 (Be sure to include the `nixos` parameter at the end.) For instance, to
-use the NixOS 25.05 stable channel:
+use the NixOS 24.11 stable channel:
 
 ```ShellSession
-# nix-channel --add https://channels.nixos.org/nixos-25.05 nixos
+# nix-channel --add https://channels.nixos.org/nixos-24.11 nixos
 ```
 
 If you have a server, you may want to use the "small" channel instead:
 
 ```ShellSession
-# nix-channel --add https://channels.nixos.org/nixos-25.05-small nixos
+# nix-channel --add https://channels.nixos.org/nixos-24.11-small nixos
 ```
 
 And if you want to live on the bleeding edge:
@@ -119,6 +117,6 @@ modules. You can also specify a channel explicitly, e.g.
 
 ```nix
 {
-  system.autoUpgrade.channel = "https://channels.nixos.org/nixos-25.05";
+  system.autoUpgrade.channel = "https://channels.nixos.org/nixos-24.11";
 }
 ```

nixos/doc/manual/redirects.json

@@ -50,12 +50,6 @@
   "module-services-crab-hole-upstream-options": [
     "index.html#module-services-crab-hole-upstream-options"
   ],
-  "module-services-opencloud": [
-    "index.html#module-services-opencloud"
-  ],
-  "module-services-opencloud-basic-usage": [
-    "index.html#module-services-opencloud-basic-usage"
-  ],
   "module-services-strfry": [
     "index.html#module-services-strfry"
   ],
@@ -77,9 +71,6 @@
   "ch-installation": [
     "index.html#ch-installation"
   ],
-  "sec-contributing-development-env": [
-    "index.html#sec-contributing-development-env"
-  ],
   "sec-mattermost": [
     "index.html#sec-mattermost"
   ],
@@ -1988,21 +1979,6 @@
   "ch-release-notes": [
     "release-notes.html#ch-release-notes"
   ],
-  "sec-release-25.11": [
-    "release-notes.html#sec-release-25.11"
-  ],
-  "sec-release-25.11-highlights": [
-    "release-notes.html#sec-release-25.11-highlights"
-  ],
-  "sec-release-25.11-new-modules": [
-    "release-notes.html#sec-release-25.11-new-modules"
-  ],
-  "sec-release-25.11-incompatibilities": [
-    "release-notes.html#sec-release-25.11-incompatibilities"
-  ],
-  "sec-release-25.11-notable-changes": [
-    "release-notes.html#sec-release-25.11-notable-changes"
-  ],
   "sec-release-25.05": [
     "release-notes.html#sec-release-25.05"
   ],
@@ -2025,8 +2001,7 @@
     "release-notes.html#sec-nixpkgs-release-25.05"
   ],
   "sec-nixpkgs-release-25.05-incompatibilities": [
-    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities",
-    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities-nexusmods-app-upgraded"
+    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities"
   ],
   "sec-nixpkgs-release-25.05-incompatibilities-titanium-removed": [
     "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities-titanium-removed",
@@ -2034,6 +2009,9 @@
     "index.html#building-a-titanium-app",
     "index.html#emulating-or-simulating-the-app"
   ],
+  "sec-nixpkgs-release-25.05-incompatibilities-nexusmods-app-upgraded": [
+    "release-notes.html#sec-nixpkgs-release-25.05-incompatibilities-nexusmods-app-upgraded"
+  ],
   "sec-nixpkgs-release-25.05-lib": [
     "release-notes.html#sec-nixpkgs-release-25.05-lib"
   ],

nixos/doc/manual/release-notes/release-notes.md

@@ -3,7 +3,6 @@
 This section lists the release notes for each stable version of NixOS and current unstable revision.
 
 ```{=include=} sections
-rl-2511.section.md
 rl-2505.section.md
 rl-2411.section.md
 rl-2405.section.md

nixos/doc/manual/release-notes/rl-2505.section.md

@@ -1,36 +1,38 @@
-# Release 25.05 (“Warbler”, 2025.05/23) {#sec-release-25.05}
+# Nixos 25.05 (“Warbler”, 2025.05/??) {#sec-release-25.05}
 
 ## Highlights {#sec-release-25.05-highlights}
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
-Alongside many enhancements to NixOS modules and general system improvements, this release features the following highlights:
-
 - NixOS now has initial support for the [**COSMIC DE**](https://system76.com/cosmic) which is currently at **Alpha 7**. COSMIC is a Rust-based Desktop Environment by System76, makers of Pop!_OS. You can use COSMIC by enabling the greeter (login manager) with [](#opt-services.displayManager.cosmic-greeter.enable), and the DE itself by enabling [](#opt-services.desktopManager.cosmic.enable). The support in NixOS/Nixpkgs is stable but still considered experimental because of the recent the addition. The COSMIC maintainers will be waiting for one more release of NixOS to determine if the experimental tag should be removed or not. Until then, please report any issues to the [COSMIC DE tracker in Nixpkgs](https://github.com/NixOS/nixpkgs/issues/259641) instead of upstream.
 
 - `nixos-rebuild-ng`, a full rewrite of `nixos-rebuild` in Python, is available for testing. You can enable it by setting [](#opt-system.rebuild.enableNg) in your configuration (this will replace the old `nixos-rebuild`), or by adding `nixos-rebuild-ng` to your `environment.systemPackages` (in this case, it will live side-by-side with `nixos-rebuild` as `nixos-rebuild-ng`). It is expected that the next major version of NixOS (25.11) will enable `system.rebuild.enableNg` by default.
 
+- The `nixos-generate-config` command now supports a optional `--flake` option, which will generate a flake.nix file alongside the `configuration.nix` and `hardware-configuration.nix`, providing an easy introduction into flake-based system configurations.
+
 - A `nixos-rebuild build-image` sub-command has been added.
   It allows users to build platform-specific (disk) images from their NixOS configurations. `nixos-rebuild build-image` works similar to the popular [nix-community/nixos-generators](https://github.com/nix-community/nixos-generators) project. See new [section on image building in the NixOS manual](#sec-image-nixos-rebuild-build-image). It is also available for `nixos-rebuild-ng`.
 
 - `nixos-option` has been rewritten to a Nix expression called by a simple bash script. This lowers our maintenance threshold, makes eval errors less verbose, adds support for flake-based configurations, descending into `attrsOf` and `listOf` submodule options, and `--show-trace`.
 
-- The global Mesa version can now be managed without a mass rebuild by setting [](#opt-hardware.graphics.package).
+- The packaging of Mesa graphics drivers has been significantly reworked, in particular:
+  - Applications linked against different Mesa versions than installed on the system should now work correctly going forward (however, applications against older Mesa, e.g. from Nixpkgs releases before 25.05, remain broken)
+  - The global Mesa version can now be managed without a mass rebuild by setting [](#opt-hardware.graphics.package)
+  - Packages that used to depend on Mesa for libgbm or libdri should use `libgbm` or `dri-pkgconfig-stub` as inputs, respectively
+
+- OpenSSH has been updated from 9.9p2 to 10.0p2, dropping support for DSA keys and adding a new `ssh-auth` binary to handle user authentication in a different address space from unauthenticated sessions. Additionally, we now enable a configure option by default that attempts to lock sshd into RAM to prevent it from being swapped out, which may improve performance if the system is under memory pressure. See the [full changelog](https://www.openwall.com/lists/oss-security/2025/04/09/1) for more details.
 
 - GNOME has been updated to version 48.
 
   - `decibels` music player is now installed by default. You can disable it using [](#opt-environment.gnome.excludePackages).
-  - `gnome-shell-extensions` extension collection (which included GNOME Classic extensions, Apps Menu, and User Themes, among others) are no longer installed by default. You can install them again with {option}`services.xserver.desktopManager.gnome.sessionPath`.
+  - `gnome-shell-extensions` extension collection (which included GNOME Classic extensions, Apps Menu, and User Themes, among others) are no longer installed by default. You can install them again with [](#opt-services.xserver.desktopManager.gnome.sessionPath).
   - Option [](#opt-services.gnome.core-developer-tools.enable) now also installs `sysprof` and `d-spy`.
   - Option `services.gnome.core-utilities.enable` has been renamed to [](#opt-services.gnome.core-apps.enable).
   - `cantarell-fonts`, `source-code-pro` and `source-sans` fonts are no longer installed by default. They have been replaced by `adwaita-fonts`.
 
   Refer to the [GNOME release notes](https://release.gnome.org/48/) for more details.
 
-- [channels.nixos.org](https://channels.nixos.org) now supports the Lockable HTTP Tarball Protocol. This allows using the channel `nixexprs.tar` as Nix Flake input, e.g.:
-  ```
-  inputs.nixpkgs.url = "https://channels.nixos.org/nixos-25.05/nixexprs.tar.xz";
-  ```
+- The `intel` video driver for X.org (from the xf86-video-intel package, which was previously removed because it was non-functional) has been fixed and the driver has been re-introduced.
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
@@ -42,49 +44,48 @@ Alongside many enhancements to NixOS modules and general system improvements, th
   - [programs.amnezia-vpn](#opt-programs.amnezia-vpn.enable): a GUI client which can also deploy a VPN endpoint to a remote server
   - {option}`networking.wireguard` adds support for the [AmneziaWG](https://docs.amnezia.org/documentation/amnezia-wg/) variant of the protocol, featuring better masking against Deep Packet Inspection. The variant to be used is set per interface as `networking.wireguard.interfaces.<name>.type`, defaulting to wireguard.
 
-- [Bazecor](https://github.com/Dygmalab/Bazecor), the graphical configurator for Dygma Products. Available as [programs.bazecor](#opt-programs.bazecor.enable).
+
+- [Bazecor](https://github.com/Dygmalab/Bazecor), the graphical configurator for Dygma Products.
 
 - [Bonsai](https://git.sr.ht/~stacyharper/bonsai), a general-purpose event mapper/state machine primarily used to create complex key shortcuts, and as part of the [SXMO](https://sxmo.org/) desktop environment. Available as [services.bonsaid](#opt-services.bonsaid.enable).
 
 - [scanservjs](https://github.com/sbs20/scanservjs/), a web UI for SANE scanners. Available at [services.scanservjs](#opt-services.scanservjs.enable).
 
-- [Kimai](https://www.kimai.org/), a web-based multi-user time-tracking application. Available as [services.kimai](#opt-services.kimai.sites).
+- [Kimai](https://www.kimai.org/), a web-based multi-user time-tracking application. Available as [services.kimai](options.html#opt-services.kimai).
 
-- [Kismet](https://www.kismetwireless.net/), a Wi-Fi, Bluetooth, and RF monitoring application supporting a wide range of hardware. Available as [services.kismet](#opt-services.kismet.enable).
+- [Kismet](https://www.kismetwireless.net/), a Wi-Fi, Bluetooth, and RF monitoring application supporting a wide range of hardware. Available as {option}`services.kismet`.
 
-- [vwifi](https://github.com/Raizo62/vwifi), a Wi-Fi simulator daemon leveraging the `mac80211_hwsim` and `vhost_vsock` kernel modules for efficient simulation of multi-node Wi-Fi networks. Available as [services.vwifi](#opt-services.vwifi.client.enable).
+- [vwifi](https://github.com/Raizo62/vwifi), a Wi-Fi simulator daemon leveraging the `mac80211_hwsim` and `vhost_vsock` kernel modules for efficient simulation of multi-node Wi-Fi networks. Available as {option}`services.vwifi`.
 
-- [Oncall](https://oncall.tools), a web-based calendar tool designed for scheduling and managing on-call shifts. Available as [services.oncall](#opt-services.oncall.enable).
+- [Oncall](https://oncall.tools), a web-based calendar tool designed for scheduling and managing on-call shifts. Available as [services.oncall](options.html#opt-services.oncall).
 
-- [Homer](https://homer-demo.netlify.app/), a very simple static homepage for your server. Available as [services.homer](#opt-services.homer.enable).
+- [Homer](https://homer-demo.netlify.app/), a very simple static homepage for your server. Available as [services.homer](options.html#opt-services.homer).
 
-- [Ghidra](https://ghidra-sre.org/), a software reverse engineering (SRE) suite of tools. Available as [programs.ghidra](#opt-programs.ghidra.enable).
+- [Ghidra](https://ghidra-sre.org/), a software reverse engineering (SRE) suite of tools. Available as [programs.ghidra](options.html#opt-programs.ghidra).
 
-- [Omnom](https://github.com/asciimoo/omnom), a webpage bookmarking and snapshotting service. Available as [services.omnom](#opt-services.omnom.enable).
+- [Omnom](https://github.com/asciimoo/omnom), a webpage bookmarking and snapshotting service. Available as [services.omnom](options.html#opt-services.omnom.enable).
 
-- [Yggdrasil-Jumper](https://github.com/one-d-wide/yggdrasil-jumper), an independent project that aims to transparently reduce latency of a connection over Yggdrasil network, utilizing NAT traversal to automatically bypass intermediary nodes. Available as [services.yggdrasil-jumper](#opt-services.yggdrasil-jumper.enable).
+- [Yggdrasil-Jumper](https://github.com/one-d-wide/yggdrasil-jumper) is an independent project that aims to transparently reduce latency of a connection over Yggdrasil network, utilizing NAT traversal to automatically bypass intermediary nodes.
 
-- [xpad-noone](https://github.com/medusalix/xpad-noone) is the original upstream xpad driver from the Linux kernel with support for Xbox One controllers removed — especially useful for people who want to use an XBox One controller under the `xone` driver and an Xbox 360 controller under the `xpad` driver at the same time. Available as [hardware.xpad-noone](#opt-hardware.xpad-noone.enable).
+- [xpad-noone](https://github.com/medusalix/xpad-noone) is the original upstream xpad driver from the Linux kernel with support for Xbox One controllers removed， especially useful for people who want to use an XBox One controller under the xone driver and an Xbox 360 controller under the xpad driver at the same time. Available as [hardware.xpad-noone](options.html#hardware.xpad-noone).
 
-- [uMurmur](https://umurmur.net), minimalistic Mumble server primarily targeted to run on embedded computers. Available as [services.umurmur](#opt-services.umurmur.enable).
+- [uMurmur](https://umurmur.net), minimalistic Mumble server primarily targeted to run on embedded computers. Available as [services.umurmur](options.html#opt-services.umurmur).
 
-- [Zenoh](https://zenoh.io/), a pub/sub/query protocol with low overhead. The Zenoh router daemon is available as [services.zenohd](#opt-services.zenohd.enable).
+- [Zenoh](https://zenoh.io/), a pub/sub/query protocol with low overhead. The Zenoh router daemon is available as [services.zenohd](options.html#opt-services.zenohd.enable)
 
-- [ytdl-sub](https://github.com/jmbannon/ytdl-sub), a tool that downloads media via yt-dlp and prepares it for your favorite media player, including Kodi, Jellyfin, Plex, Emby, and modern music players. Available as [services.ytdl-sub](#opt-services.ytdl-sub.instances).
+- [ytdl-sub](https://github.com/jmbannon/ytdl-sub), a tool that downloads media via yt-dlp and prepares it for your favorite media player, including Kodi, Jellyfin, Plex, Emby, and modern music players. Available as [services.ytdl-sub](options.html#opt-services.ytdl-sub.instances).
 
-- [MaryTTS](https://github.com/marytts/marytts), an open-source, multilingual text-to-speech synthesis system written in pure Java. Available as [services.marytts](#opt-services.marytts.enable).
+- [MaryTTS](https://github.com/marytts/marytts), an open-source, multilingual text-to-speech synthesis system written in pure Java. Available as [services.marytts](options.html#opt-services.marytts).
 
-- [Continuwuity](https://continuwuity.org/), a federated chat server implementing the Matrix protocol, forked from Conduwuit. Available as [services.matrix-continuwuity](#opt-services.matrix-continuwuity.enable).
+- [Reposilite](https://reposilite.com), a lightweight and easy-to-use repository manager for Maven-based artifacts in the JVM ecosystem. Available as [services.reposilite](options.html#opt-services.reposilite).
 
-- [Reposilite](https://reposilite.com), a lightweight and easy-to-use repository manager for Maven-based artifacts in the JVM ecosystem. Available as [services.reposilite](#opt-services.reposilite.enable).
+- [networking.modemmanager](options.html#opt-networking.modemmanager) has been split out of [networking.networkmanager](options.html#opt-networking.networkmanager). NetworkManager still enables ModemManager by default, but options exist now to run NetworkManager without ModemManager.
 
-- [networking.modemmanager](#opt-networking.modemmanager.enable) has been split out of [networking.networkmanager](#opt-networking.networkmanager.enable). NetworkManager still enables ModemManager by default, but options exist now to run NetworkManager without ModemManager.
+- [Routinator 3000](https://nlnetlabs.nl/projects/routing/routinator/), a full-featured RPKI Relying Party software package that runs as a service which periodically downloads and verifies RPKI data.
 
-- [Routinator 3000](https://nlnetlabs.nl/projects/routing/routinator/), a full-featured RPKI Relying Party software package that runs as a service which periodically downloads and verifies RPKI data. Available as [services.routinator](#opt-services.routinator.enable).
+- [doh-server](https://github.com/m13253/dns-over-https), a high performance DNS over HTTPS server. Available as [services.doh-server](options.html#opt-services.doh-server.enable).
 
-- [doh-server](https://github.com/m13253/dns-over-https), a high performance DNS over HTTPS server. Available as [services.doh-server](#opt-services.doh-server.enable).
-
-- [ncps](https://github.com/kalbasit/ncps), a Nix binary cache proxy service implemented in Go using [go-nix](https://github.com/nix-community/go-nix). Available as [services.ncps](#opt-services.ncps.enable).
+- [ncps](https://github.com/kalbasit/ncps), a Nix binary cache proxy service implemented in Go using [go-nix](https://github.com/nix-community/go-nix). Available as [services.ncps](options.html#opt-services.ncps.enable).
 
 - [Readeck](https://readeck.org/), a read-it later web-application. Available as [services.readeck](#opt-services.readeck.enable).
 
@@ -96,27 +97,25 @@ Alongside many enhancements to NixOS modules and general system improvements, th
 
 - [crab-hole](https://github.com/LuckyTurtleDev/crab-hole), a cross platform Pi-hole clone written in Rust using hickory-dns/trust-dns. Available as [services.crab-hole](#opt-services.crab-hole.enable).
 
-- [agnos](https://github.com/krtab/agnos), a program that obtains TLS certificates from an ACME provider via the DNS-01 challenge without using third-party DNS provider APIs. Available as [security.agnos](#opt-security.agnos.enable).
-
 - [zwave-js-ui](https://zwave-js.github.io/zwave-js-ui/), a full featured Z-Wave Control Panel and MQTT Gateway. Available as [services.zwave-js-ui](#opt-services.zwave-js-ui.enable).
 
 - [Pinchflat](https://github.com/kieraneglin/pinchflat), a selfhosted YouTube media manager used to track channels and download videos on release. Available as [services.pinchflat](#opt-services.pinchflat.enable).
 
-- [Amazon CloudWatch Agent](https://github.com/aws/amazon-cloudwatch-agent), the official telemetry collector for AWS CloudWatch and AWS X-Ray. Available as [services.amazon-cloudwatch-agent](#opt-services.amazon-cloudwatch-agent.enable).
+- [Amazon CloudWatch Agent](https://github.com/aws/amazon-cloudwatch-agent), the official telemetry collector for AWS CloudWatch and AWS X-Ray. Available as [services.amazon-cloudwatch-agent](options.html#opt-services.amazon-cloudwatch-agent.enable).
 
 - [Fluent Bit](https://github.com/fluent/fluent-bit), a fast Log, Metrics and Traces Processor and Forwarder. Available as [services.fluent-bit](#opt-services.fluent-bit.enable).
 
-- [Bat](https://github.com/sharkdp/bat), a {manpage}`cat(1)` clone with wings. Available as [programs.bat](#opt-programs.bat.enable).
+- [Bat](https://github.com/sharkdp/bat), a {manpage}`cat(1)` clone with wings. Available as [programs.bat](options.html#opt-programs.bat).
 
-- [Autotier](https://github.com/45Drives/autotier), a passthrough FUSE filesystem. Available as [services.autotierfs](#opt-services.autotierfs.enable).
+- [Autotier](https://github.com/45Drives/autotier), a passthrough FUSE filesystem. Available as [services.autotierfs](options.html#opt-services.autotierfs.enable).
 
-- [PostgREST](https://postgrest.org), a standalone web server that turns your PostgreSQL database directly into a RESTful API. Available as [services.postgrest](#opt-services.postgrest.enable).
+- [PostgREST](https://postgrest.org), a standalone web server that turns your PostgreSQL database directly into a RESTful API. Available as [services.postgrest](options.html#opt-services.postgrest.enable).
 
-- [postgres-websockets](https://github.com/diogob/postgres-websockets), a middleware that adds websockets capabilities on top of PostgreSQL's asynchronous notifications using LISTEN and NOTIFY commands. Available as [services.postgres-websockets](#opt-services.postgres-websockets.enable).
+- [postgres-websockets](https://github.com/diogob/postgres-websockets), a middleware that adds websockets capabilities on top of PostgreSQL's asynchronous notifications using LISTEN and NOTIFY commands. Available as [services.postgres-websockets](options.html#opt-services.postgres-websockets.enable).
 
-- [µStreamer](https://github.com/pikvm/ustreamer), a lightweight MJPEG-HTTP streamer. Available as [services.ustreamer](#opt-services.ustreamer.enable).
+- [µStreamer](https://github.com/pikvm/ustreamer), a lightweight MJPEG-HTTP streamer. Available as [services.ustreamer](options.html#opt-services.ustreamer).
 
-- [Whoogle Search](https://github.com/benbusby/whoogle-search), a self-hosted, ad-free, privacy-respecting metasearch engine. Available as [services.whoogle-search](#opt-services.whoogle-search.enable).
+- [Whoogle Search](https://github.com/benbusby/whoogle-search), a self-hosted, ad-free, privacy-respecting metasearch engine. Available as [services.whoogle-search](options.html#opt-services.whoogle-search.enable).
 
 - [autobrr](https://autobrr.com), a modern download automation tool for torrents and usenets. Available as [services.autobrr](#opt-services.autobrr.enable).
 
@@ -124,33 +123,33 @@ Alongside many enhancements to NixOS modules and general system improvements, th
 
 - [Froide-Govplan](https://github.com/okfde/froide-govplan), a web application government planer. Available as [services.froide-govplan](#opt-services.froide-govplan.enable).
 
-- [agorakit](https://github.com/agorakit/agorakit), an organization tool for citizens' collectives. Available with [services.agorakit](#opt-services.agorakit.enable).
+- [agorakit](https://github.com/agorakit/agorakit), an organization tool for citizens' collectives. Available with [services.agorakit](options.html#opt-services.agorakit.enable).
 
-- [vivid](https://github.com/sharkdp/vivid), a generator for `LS_COLOR`. Available as [programs.vivid](#opt-programs.vivid.enable).
+- [vivid](https://github.com/sharkdp/vivid), a generator for LS_COLOR. Available as [programs.vivid](#opt-programs.vivid.enable).
 
-- [matrix-alertmanager](https://github.com/jaywink/matrix-alertmanager), a bot to receive Alertmanager webhook events and forward them to chosen Matrix rooms. Available as [services.matrix-alertmanager](#opt-services.matrix-alertmanager.enable).
+- [matrix-alertmanager](https://github.com/jaywink/matrix-alertmanager), a bot to receive Alertmanager webhook events and forward them to chosen Matrix rooms. Available as [services.matrix-alertmanager](options.html#opt-services.matrix-alertmanager.enable).
 
-- [waagent](https://github.com/Azure/WALinuxAgent), the Microsoft Azure Linux Agent (waagent) manages Linux provisioning and VM interaction with the Azure Fabric Controller. Available with [services.waagent](#opt-services.waagent.enable).
+- [waagent](https://github.com/Azure/WALinuxAgent), the Microsoft Azure Linux Agent (waagent) manages Linux provisioning and VM interaction with the Azure Fabric Controller. Available with [services.waagent](options.html#opt-services.waagent.enable).
 
 - [nfc-nci](https://github.com/StarGate01/ifdnfc-nci), an alternative NFC stack and PC/SC driver for the NXP PN54x chipset, commonly found in Lenovo systems as NXP1001 (NPC300). Available as [hardware.nfc-nci](#opt-hardware.nfc-nci.enable).
 
-- [grav](https://getgrav.org/), a modern flat-file CMS. Available with [services.grav](#opt-services.grav.enable).
+- [grav](https://getgrav.org/), a modern flat-file CMS. Available with [services.grav](options.html#opt-services.grav.enable).
 
-- [duckdns](https://www.duckdns.org), free dynamic DNS. Available with [services.duckdns](#opt-services.duckdns.enable).
+- [duckdns](https://www.duckdns.org), free dynamic DNS. Available with [services.duckdns](options.html#opt-services.duckdns.enable)
 
-- [Zoxide](https://github.com/ajeetdsouza/zoxide), a smarter cd command, inspired by z and autojump. Available as [programs.zoxide](#opt-programs.zoxide.enable).
+- [Zoxide](https://github.com/ajeetdsouza/zoxide), a smarter cd command, inspired by z and autojump. Available as [programs.zoxide](options.html#opt-programs.zoxide.enable)
 
-- [victorialogs](https://docs.victoriametrics.com/victorialogs/), log database from VictoriaMetrics. Available as [services.victorialogs](#opt-services.victorialogs.enable).
+- [victorialogs](https://docs.victoriametrics.com/victorialogs/), log database from VictoriaMetrics. Available as [services.victorialogs](#opt-services.victorialogs.enable)
 
-- [gokapi](https://github.com/Forceu/Gokapi), Lightweight selfhosted Firefox Send alternative without public upload. AWS S3 supported. Available with [services.gokapi](#opt-services.gokapi.enable).
+- [gokapi](https://github.com/Forceu/Gokapi), Lightweight selfhosted Firefox Send alternative without public upload. AWS S3 supported. Available with [services.gokapi](options.html#opt-services.gokapi.enable)
 
-- [nostr-rs-relay](https://git.sr.ht/~gheartsfield/nostr-rs-relay/), This is a nostr relay, written in Rust. Available as [services.nostr-rs-relay](#opt-services.nostr-rs-relay.enable).
+- [nostr-rs-relay](https://git.sr.ht/~gheartsfield/nostr-rs-relay/), This is a nostr relay, written in Rust. Available as [services.nostr-rs-relay](options.html#opt-services.nostr-rs-relay.enable).
 
-- [haven](https://github.com/bitvora/haven), is a high availability vault for events on nostr. Available as [services.haven](#opt-services.haven.enable).
+- [haven](https://github.com/bitvora/haven), is a high availability vault for events on nostr. Available as [services.haven](options.html#opt-services.haven.enable).
 
-- [strfry](https://github.com/hoytech/strfry), a relay for the nostr protocol. Available as [services.strfry](#opt-services.strfry.enable).
+- [strfry](https://github.com/hoytech/strfry), a relay for the nostr protocol. Available as [services.strfry](options.html#opt-services.strfry.enable).
 
-- [Prometheus Node Cert Exporter](https://github.com/amimof/node-cert-exporter), a prometheus exporter to check for SSL cert expiry. Available as [services.prometheus.exporters.node-cert](#opt-services.prometheus.exporters.node-cert.enable).
+- [Prometheus Node Cert Exporter](https://github.com/amimof/node-cert-exporter), a prometheus exporter to check for SSL cert expiry. Available under [services.prometheus.exporters.node-cert](#opt-services.prometheus.exporters.node-cert.enable).
 
 - [Actual Budget](https://actualbudget.org/), a local-first personal finance app. Available as [services.actual](#opt-services.actual.enable).
 
@@ -166,15 +165,15 @@ Alongside many enhancements to NixOS modules and general system improvements, th
 
 - [alertmanager-ntfy](https://github.com/alexbakker/alertmanager-ntfy), forwards Prometheus Alertmanager notifications to ntfy.sh. Available as [services.prometheus.alertmanager-ntfy](#opt-services.prometheus.alertmanager-ntfy.enable).
 
-- [Stash](https://github.com/stashapp/stash), an organizer for your adult videos/images, written in Go. Available as [services.stash](#opt-services.stash.enable).
+- [Stash](https://github.com/stashapp/stash), An organizer for your adult videos/images, written in Go. Available as [services.stash](#opt-services.stash.enable).
 
 - [vsmartcard-vpcd](https://frankmorgner.github.io/vsmartcard/virtualsmartcard/README.html), a virtual smart card driver. Available as [services.vsmartcard-vpcd](#opt-services.vsmartcard-vpcd.enable).
 
 - [Fider](https://fider.io/), an open platform to collect and prioritize feedback. Available as [services.fider](#opt-services.fider.enable).
 
-- [PDS](https://github.com/bluesky-social/pds), Personal Data Server for [bsky](https://bsky.social/). Available as [services.pds](#opt-services.pds.enable).
+- [PDS](https://github.com/bluesky-social/pds), Personal Data Server for [bsky](https://bsky.social/). Available as [services.pds](option.html#opt-services.pds).
 
-- [Anubis](https://github.com/TecharoHQ/anubis), a scraper defense software. Available as [services.anubis](#opt-services.anubis.defaultOptions).
+- [Anubis](https://github.com/TecharoHQ/anubis), a scraper defense software. Available as [services.anubis](options.html#opt-services.anubis).
 
 - [synapse-auto-compressor](https://github.com/matrix-org/rust-synapse-compress-state?tab=readme-ov-file#automated-tool-synapse_auto_compressor), a rust-based matrix-synapse state compressor for postgresql. Available as [services.synapse-auto-compressor](#opt-services.synapse-auto-compressor.enable).
 
@@ -196,45 +195,45 @@ Alongside many enhancements to NixOS modules and general system improvements, th
 
 - [`g3proxy`](https://github.com/bytedance/g3), an open source enterprise forward proxy from ByteDance, similar to Squid or tinyproxy. Available as [services.g3proxy](#opt-services.g3proxy.enable).
 
-- [OpenCloud](https://opencloud.eu/), an open-source, modern file-sync and sharing platform. It is a fork of oCIS, a ground-up rewrite of the well-known PHP-based NextCloud server. Available as [services.opencloud](#opt-services.opencloud.enable).
-
 - [echoip](https://github.com/mpolden/echoip), a simple service for looking up your IP address. Available as [services.echoip](#opt-services.echoip.enable).
 
 - [whoami](https://github.com/traefik/whoami), a tiny Go server that prints OS information and HTTP request to output. Available as [services.whoami](#opt-services.whoami.enable).
 
 - [LiteLLM](https://github.com/BerriAI/litellm), a LLM Gateway to provide model access, fallbacks and spend tracking across 100+ LLMs. All in the OpenAI format. Available as [services.litellm](#opt-services.litellm.enable).
 
-- [Buffyboard](https://gitlab.postmarketos.org/postmarketOS/buffybox/-/tree/master/buffyboard), a framebuffer on-screen keyboard. Available as [services.buffyboard](#opt-services.buffyboard.enable).
+- [Buffyboard](https://gitlab.postmarketos.org/postmarketOS/buffybox/-/tree/master/buffyboard), a framebuffer on-screen keyboard. Available as [services.buffyboard](option.html#opt-services.buffyboard).
 
 - [KanBoard](https://github.com/kanboard/kanboard), a project management tool that focuses on the Kanban methodology. Available as [services.kanboard](#opt-services.kanboard.enable).
 
-- [git-worktree-switcher](https://github.com/mateusauler/git-worktree-switcher), switch between git worktrees with speed. Available as [programs.git-worktree-switcher](#opt-programs.git-worktree-switcher.enable).
+- [git-worktree-switcher](https://github.com/mateusauler/git-worktree-switcher), switch between git worktrees with speed. Available as [programs.git-worktree-switcher](#opt-programs.git-worktree-switcher.enable)
 
-- [GLPI-Agent](https://github.com/glpi-project/glpi-agent), GLPI Agent. Available as [services.glpiAgent](#opt-services.glpiAgent.enable).
+- [GLPI-Agent](https://github.com/glpi-project/glpi-agent), GLPI Agent. Available as [services.glpiAgent](options.html#opt-services.glpiAgent.enable).
 
-- [pgBackRest](https://pgbackrest.org), a reliable backup and restore solution for PostgreSQL. Available as [services.pgbackrest](#opt-services.pgbackrest.enable).
+- [pgBackRest](https://pgbackrest.org), a reliable backup and restore solution for PostgreSQL. Available as [services.pgbackrest](options.html#opt-services.pgbackrest.enable).
 
 - [Recyclarr](https://github.com/recyclarr/recyclarr) a TRaSH Guides synchronizer for Sonarr and Radarr. Available as [services.recyclarr](#opt-services.recyclarr.enable).
 
 - [Rebuilderd](https://github.com/kpcyrd/rebuilderd) an independent verification of binary packages - Reproducible Builds. Available as [services.rebuilderd](#opt-services.rebuilderd.enable).
 
-- [Limine](https://github.com/limine-bootloader/limine) a modern, advanced, portable, multiprotocol bootloader and boot manager. Available as [boot.loader.limine](#opt-boot.loader.limine.enable).
+- [Limine](https://github.com/limine-bootloader/limine) a modern, advanced, portable, multiprotocol bootloader and boot manager. Available as [boot.loader.limine](#opt-boot.loader.limine.enable)
 
 - [Orthanc](https://orthanc.uclouvain.be/) a lightweight, RESTful DICOM server for healthcare and medical research. Available as [services.orthanc](#opt-services.orthanc.enable).
 
 - [Docling Serve](https://github.com/docling-project/docling-serve) running [Docling](https://github.com/docling-project/docling) as an API service. Available as [services.docling-serve](#opt-services.docling-serve.enable).
 
-- [Pareto Security](https://paretosecurity.com/) is an alternative to corporate compliance solutions for companies that care about security but know it doesn't have to be invasive. Available as [services.paretosecurity](#opt-services.paretosecurity.enable).
+- [Pareto Security](https://paretosecurity.com/) is an alternative to corporate compliance solutions for companies that care about security but know it doesn't have to be invasive. Available as [services.paretosecurity](#opt-services.paretosecurity.enable)
+
+- [Cursor](https://cursor.com/) is a vscode-based editor that uses AI to help you write code faster.
 
 - [GNU Rush](https://gnu.org/software/rush/) is a Restricted User Shell, designed for systems providing limited remote access to their resources. Available as [programs.rush](#opt-programs.rush.enable).
 
-- [ipfs-cluster](https://ipfscluster.io/), Pinset orchestration for IPFS. Available as [services.ipfs-cluster](#opt-services.ipfs-cluster.enable).
+- [ipfs-cluster](https://ipfscluster.io/), Pinset orchestration for IPFS. Available as [services.ipfs-cluster](#opt-services.ipfs-cluster.enable)
 
 - [bitbox-bridge](https://github.com/BitBoxSwiss/bitbox-bridge), a bridge software that connects BitBox hardware wallets to computers & web wallets like [Rabby](https://rabby.io/). Allows one to interact & transact with smart contracts, Web3 websites & financial services without storing private keys anywhere other than the hardware wallet. Available as [services.bitbox-bridge](#opt-services.bitbox-bridge.enable).
 
-- [GoDNS](https://github.com/TimothyYe/godns), a dynamic DNS client written in Go, which supports multiple DNS providers. Available as [services.godns](#opt-services.godns.enable).
+- [GoDNS](https://github.com/TimothyYe/godns), a dynamic DNS client written in Go, which supports multiple DNS providers. Available as [services.godns](option.html#opt-services.godns.enable).
 
-- [CookCLI](https://cooklang.org/cli/) Server, a web UI for cooklang recipes. Available as [services.cook-cli](#opt-services.cook-cli.enable).
+- [CookCLI](https://cooklang.org/cli/) Server, a web UI for cooklang recipes.
 
 - [Prometheus eBPF Exporter](https://github.com/cloudflare/ebpf_exporter),
   Prometheus exporter for custom eBPF metrics. Available as
@@ -254,11 +253,13 @@ Alongside many enhancements to NixOS modules and general system improvements, th
   and error starting 25.05 with instructions the following instructions:
   The canonical source for NixOS AMIs is the AWS API. Please see https://nixos.org/download/#nixos-amazon or  https://nixos.github.io/amis/ for instructions.
 
+- The udev rules of the libjaylink package require users to be in the `jlink` instead of `plugdev` group now, since the `plugdev` group is very uncommon for NixOS. Alternatively, access is granted to seat sessions.
+
 - The latest available version of Nextcloud is v31 (available as `pkgs.nextcloud31`). The installation logic is as follows:
   - If [`services.nextcloud.package`](#opt-services.nextcloud.package) is specified explicitly, this package will be installed (**recommended**)
   - If [`system.stateVersion`](#opt-system.stateVersion) is >=24.11, `pkgs.nextcloud30` will be installed by default.
   - If [`system.stateVersion`](#opt-system.stateVersion) is >=24.05, `pkgs.nextcloud31` will be installed by default.
-  - Please note that an upgrade from v29 (or older) to v31 directly is not possible. Please upgrade to `nextcloud30` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud30;`](#opt-services.nextcloud.package).
+  - Please note that an upgrade from v29 (or older) to v31 directly is not possible. Please upgrade to `nextcloud30` (or earlier) first. Nextcloud prohibits skipping major versions while upgrading. You can upgrade by declaring [`services.nextcloud.package = pkgs.nextcloud30;`](options.html#opt-services.nextcloud.package).
 
 - `services.cloudflare-dyndns.apiTokenFile` now must be just your Cloudflare api token. Previously it was supposed to be a file of the form `CLOUDFLARE_API_TOKEN=...`.
 
@@ -267,20 +268,11 @@ Alongside many enhancements to NixOS modules and general system improvements, th
   [not recommended by upstream](https://docs.nextcloud.com/server/30/admin_manual/installation/system_requirements.html)
   and thus doesn't qualify as default.
 
-- PowerDNS Recursor has been updated to version 5.1.2, which comes with a new YAML configuration format (`recursor.yml`)
-  and deprecates the previous format (`recursor.conf`). Accordingly, the NixOS option `services.pdns-recursor.settings`
-  has been renamed to [old-settings](#opt-services.pdns-recursor.old-settings) and will be provided for backward compatibility
-  until the next NixOS release. Users are asked to migrate their settings to the new [yaml-settings](#opt-services.pdns-recursor.old-settings)
-  option following this [guide](https://doc.powerdns.com/recursor/appendices/yamlconversion.html).
-  Note that options other than `services.pdns-recursor.settings` are unaffacted by this change.
-
-- The `virtualisation.hypervGuest.videoMode` option has been removed. Standard tooling can now be used to configure display modes for Hyper-V VMs.
-
 - Nextcloud's default FPM pool settings have been increased according to upstream recommentations. It's advised
   to review the new defaults and description of
   [](#opt-services.nextcloud.poolSettings).
 
-- In `users.users` subuid allocation on systems with multiple users it could happen that some users' allocated subuid ranges collided with others. Now these users get new subuid ranges assigned. When this happens, a warning is issued on the first activation. If the subuids were used (e.g. with rootless container managers like podman), please change the ownership of affected files accordingly.
+- In `users.users` allocation on systems with multiple users it could happen that collided with others. Now these users get new subuid ranges assigned. When this happens, a warning is issued on the first activation. If the subuids were used (e.g. with rootless container managers like podman), please change the ownership of affected files accordingly.
 
 - The `services.locate` module does no longer support findutil's `locate` due to its inferior performance compared to `mlocate` and `plocate`. The new default is `plocate`.
   As the `service.locate.localuser` option only applied when using findutil's `locate`, it has also been removed.
@@ -288,6 +280,12 @@ Alongside many enhancements to NixOS modules and general system improvements, th
 - `services.paperless` now installs `paperless-manage` as a normal system package instead of creating a symlink in `/var/lib/paperless`.
   `paperless-manage` now also changes to the appropriate user when being executed.
 
+- The `gotenberg` package has been updated to 8.16.0, which brings breaking changes to the configuration from version 8.13.0. See the [upstream release notes](https://github.com/gotenberg/gotenberg/releases/tag/v8.13.0)
+  for that release to get all the details. The `services.gotenberg` module has been updated appropriately to ensure your configuration is valid with this new release.
+
+- `varnish` was updated from 7.5.0 to 7.7.0, see [Varnish 7.6.0 upgrade guide](https://varnish-cache.org/docs/7.6/whats-new/upgrading-7.6.html) and
+[Varnish 7.7.0 upgrade guide](https://varnish-cache.org/docs/7.7/whats-new/upgrading-7.7.html#whatsnew-upgrading-7-7).
+
 - `asusd` has been upgraded to version 6 which supports multiple aura devices. To account for this, the single `auraConfig` configuration option has been replaced with `auraConfigs` which is an attribute set of config options per each device. The config files may also be now specified as either source files or text strings; to account for this you will need to specify that `text` is used for your existing configs, e.g.:
   ```diff
   -services.asusd.asusdConfig = '''file contents'''
@@ -296,13 +294,21 @@ Alongside many enhancements to NixOS modules and general system improvements, th
 
 - `linuxPackages.nvidiaPackages.stable` now defaults to the `production` variant instead of `latest`.
 
-- `services.paperless.address` no longer accepts a domain name or Unix domain socket.
+- `paperless-ngx` has been updated to minor version 2.15 which switched the web server from Gunicorn to Granian. If you set Gunicorn specific envs (usually contain GUNICORN) they must be updated. Also `services.paperless.address` no longer accepts a domain name and Granian also does not support listening on unix domain sockets.
+
+- `timescaledb` requires manual upgrade steps.
+    After you run ALTER EXTENSION, you must run [this SQL script](https://github.com/timescale/timescaledb-extras/blob/master/utils/2.15.X-fix_hypertable_foreign_keys.sql). For more details, see the following pull requests [#6797](https://github.com/timescale/timescaledb/pull/6797).
+    PostgreSQL 13 is no longer supported in TimescaleDB v2.16.
 
 - `networking.wireguard.enable = true` does not always add `wireguard-tools` to system packages anymore. Only when wireguard interfaces are configured, the backing implementation packages are added to system PATH.
 
 - `virtualisation/azure-common.nix`'s filesystem and grub configurations have been moved to `virtualisation/azure-image.nix`. This makes `azure-common.nix` more generic so it could be used for users who generate Azure image using other methods (e.g. nixos-generators and disko). For existing users depending on these configurations, please also import `azure-image.nix`.
 
-- `services.signald` has been removed as `signald` is unmaintained upstream and has been incompatible to official Signal servers for a long while.
+- `zammad` has had its support for MySQL removed, since it was never working correctly and is now deprecated upstream. Check the [migration guide](https://docs.zammad.org/en/latest/appendix/migrate-to-postgresql.html) for how to convert your database to PostgreSQL.
+
+- `tauon` 7.9.0+ when launched for the first time, migrates its database to a new schema that is not backwards compatible. Older versions will refuse to start at all with that database afterwards. If you need to still use older tauon versions, make sure to back up `~/.local/share/TauonMusicBox`.
+
+- `aws-workspaces` has dropped support for PCoiP networking.
 
 - The `earlyoom` service is now using upstream systemd service, which enables
   hardening and filesystem isolation by default. If you need filesystem write
@@ -323,18 +329,58 @@ Alongside many enhancements to NixOS modules and general system improvements, th
 
 - `services.bird2` has been renamed to `services.bird` and the default bird package has been switched to `bird3`. `bird2` can still be chosen via the `services.bird.package` option.
 
+- `renovate` was updated to v39. See the [upstream release notes](https://docs.renovatebot.com/release-notes-for-major-versions/#version-39) for breaking changes.
+  Like upstream's docker images, renovate now runs on NodeJS 22.
+
 - The behavior of the `networking.nat.externalIP` and `networking.nat.externalIPv6` options has been changed. `networking.nat.forwardPorts` now only forwards packets destined for the specified IP addresses.
 
-- `gitlab` has been updated from 17.x to 18.x and requires `postgresql` >= 16, as stated in the [documentation](https://docs.gitlab.com/18.0/install/requirements/#postgresql). Check the [upgrade guide](#module-services-postgres-upgrading) in the NixOS manual on how to upgrade your PostgreSQL installation.
-
 - `services.gitlab` now requires the setting of `activeRecordPrimaryKeyFile`, `activeRecordDeterministicKeyFile`, `activeRecordSaltFile` as GitLab introduced Rails ActiveRecord encryption.
 
+- `python3Packages.bpycv` has been removed due to being incompatible with Blender 4 and unmaintained.
+
+- `python3Packages.jaeger-client` was removed because it was deprecated upstream. [OpenTelemetry](https://opentelemetry.io) is the recommended replacement.
+
+- `rocmPackages_6` has been updated to ROCm 6.3.
+
+- `rocmPackages_5` has been removed.
+
+- `rocmPackages.rocm-thunk` has been removed and its functionality has been integrated with the ROCm CLR. Use `rocmPackages.clr` instead.
+
+- `rocmPackages.clang-ocl` has been removed. [It was deprecated by AMD in 2023.](https://github.com/ROCm/clang-ocl)
+
+- `nodePackages.meshcommander` has been removed, as the package was deprecated by Intel.
+
+- The default version of `z3` has been updated from 4.8 to 4.13. There are still a few packages that need specific older versions; those will continue to be maintained as long as other packages depend on them but may be removed in the future.
+
+- `prometheus` has been updated from 2.55.0 to 3.1.0.
+  Read the [release blog post](https://prometheus.io/blog/2024/11/14/prometheus-3-0/) and
+  [migration guide](https://prometheus.io/docs/prometheus/3.1/migration/).
+
 - The Mattermost module ([`services.mattermost`](#opt-services.mattermost.enable)) and packages (`mattermost` and `mmctl`) have been substantially updated:
   - `services.mattermost.listenAddress` has been split into [](#opt-services.mattermost.host) and [](#opt-services.mattermost.port). If your `listenAddress` contained a port, you will need to edit your configuration. This will be the only truly breaking change in this release for most configurations.
   - [](#opt-services.mattermost.preferNixConfig) now defaults to true if you advance [](#opt-system.stateVersion) to 25.05. This means that if you have [](#opt-services.mattermost.mutableConfig) set, NixOS will override settings set in the Admin Console to those that you define in the module configuration. It is recommended to leave this at the default, even if you used a fully mutable configuration before, because it will ensure that your Mattermost data directories are correct. If you moved your data directories, you may want to review the module changes before upgrading.
   - Mattermost now supports peer authentication on both MySQL and Postgres database backends. Updating [](#opt-system.stateVersion) to 25.05 or later will result in peer authentication being used by default if the Mattermost server would otherwise be connecting to localhost. This is the recommended configuration.
   - Note that the Mattermost module will create an account _without_ a well-known UID if the username differs from the default (`mattermost`). If you used Mattermost with a nonstandard username, you may want to review the module changes before upgrading.
 
+- `kanata` was updated to v1.8.0, which introduces several breaking changes.
+  See the release notes of
+  [v1.7.0](https://github.com/jtroo/kanata/releases/tag/v1.7.0) and
+  [v1.8.0](https://github.com/jtroo/kanata/releases/tag/v1.8.0)
+  for more information.
+
+- `authelia` version 4.39.0 has made changes on the default claims for ID Tokens, to mirror the standard claims from the specification.
+  This change may affect some clients in unexpected ways, so manual intervention may be required.
+  Read the [release notes](https://www.authelia.com/blog/4.39-release-notes/), along with [the guide](https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter) to work around issues that may be encountered.
+
+- `ags` was updated to v2, which is just a CLI for Astal now. Components are available as a different package set `astal.*`.
+  If you want to use v1, it is available as `ags_1` package.
+
+  See the release notes of
+  [v2.0.0](https://github.com/Aylur/ags/releases/tag/v2.0.0)
+  for more information.
+
+- `nodePackages.expo-cli` has been removed, as it was deprecated by upstream. The suggested replacement is the `npx expo` command.
+
 - DokuWiki with the Caddy webserver (`services.dokuwiki.webserver = "caddy"`) now sets up sites with Caddy's automatic HTTPS instead of HTTP-only.
   To keep the old behavior for a site `example.com`, set `services.caddy.virtualHosts."example.com".hostName = "http://example.com"`.
   If you set custom Caddy options for a DokuWiki site, migrate these options by removing `http://` from `services.caddy.virtualHosts."http://example.com"`.
@@ -343,10 +389,21 @@ Alongside many enhancements to NixOS modules and general system improvements, th
   Given a site example.com, http://example.com now 301 redirects to https://example.com.
   To keep the old behavior for a site `example.com`, set `services.caddy.virtualHosts."example.com".hostName = "http://example.com"`.
 
+- `slskd` has been updated to v0.22.3, which includes breaking changes to `script` integrations. Please review the [changelog](https://github.com/slskd/slskd/releases/tag/0.22.3)
+  and the accompanying [pull request](https://github.com/slskd/slskd/pull/1292).
+
+- `forgejo` and `forgejo-lts` have been updated to v11.
+  See upstreams [release blog post](https://forgejo.org/2025-04-release-v11-0/) for more information.
+
+- `unifi` has been updated to v9.1.
+  This version should be backward compatible with v8.x, however as a result, `unifi8` package has been removed.
+
 - The behavior of `services.hostapd.radios.<name>.networks.<name>.authentication.enableRecommendedPairwiseCiphers` was changed to not include `CCMP-256` anymore.
   Since all configured pairwise ciphers have to be supported by the radio, this caused startup failures on many devices which is hard to debug in hostapd.
 
-- The `hardware.gkraken` module has been removed. The recommended alternative is [`programs.coolercontrol`](#opt-programs.coolercontrol.enable).
+- The `conduwuit` matrix server implementation has officially been discontinued by upstream and the package has thus been marked as vulnerable, as it is a security-sensitive package that has reached EOL.
+
+- `gkraken` software and `hardware.gkraken.enable` option have been removed, use `coolercontrol` via `programs.coolercontrol.enable` option instead.
 
 - To avoid delaying user logins unnecessarily the `multi-user.target` is no longer ordered after `network-online.target`.
   System services requiring a connection to start correctly must explicitly state so, i.e.
@@ -377,7 +434,7 @@ Alongside many enhancements to NixOS modules and general system improvements, th
   Names are now known at evaluation time and customizable via the new options `image.baseName`, `image.extension`, `image.fileName` and `image.filePath` with the latter returning a path relative to the derivations out path (e.g. `iso/${image.fileName` for iso images).
 
   | `system.build` Option    | Old Filename                                               | New Filename                                                    |
-  | ------------------------ | ---------------------------------------------------------- | ----------------------------------------------------------------|
+  |--------------------------+------------------------------------------------------------+-----------------------------------------------------------------|
   | amazonImage              | nixos-amazon-image-25.05pre-git-x86_64-linux.vhd           | nixos-image-amazon-25.05pre-git-x86_64-linux.vhd                |
   | azureImage               | disk.vhd                                                   | nixos-image-azure-25.05pre-git-x86_64-linux.vhd                 |
   | digitalOceanImage        | nixos.qcow2.gz                                             | nixos-image-digital-ocean-25.05pre-git-x86_64-linux.qcow2.gz    |
@@ -400,10 +457,10 @@ Alongside many enhancements to NixOS modules and general system improvements, th
 
 - `security.apparmor.policies.<name>.enforce` and `security.apparmor.policies.<name>.enable` were removed.
   Configuring the state of apparmor policies must now be done using `security.apparmor.policies.<name>.state` tristate option.
-
 - `services.graylog.package` now defaults to `graylog-6_0` as previous default `graylog-5_1` is EOL and therefore removed.
   Check the migration guides on [5.1→5.2](https://go2docs.graylog.org/5-2/upgrading_graylog/upgrading_to_graylog_5.2.x.htm) and [5.2→6.0](https://go2docs.graylog.org/6-0/upgrading_graylog/upgrading_to_graylog_6.0.x.html) for breaking changes.
 
+
 - `programs.clash-verge.tunMode` was deprecated and removed because now service mode is necessary to start program. Without `programs.clash-verge.enable`, clash-verge-rev will refuse to start.
 - `services.discourse` now requires PostgreSQL 15 per default. Please update before upgrading.
 
@@ -442,11 +499,9 @@ Alongside many enhancements to NixOS modules and general system improvements, th
 
 - PAM services for `i3lock`/`i3lock-color`, `vlock`, `xlock`, and `xscreensaver` now default to disabled unless other corresponding NixOS options are set (`programs.i3lock.enable`, `console.enable`, `services.xserver.enable`, and `services.xscreensaver.enable`, respectively). If for some reason you want one of them back without setting the corresponding option, set, e.g., `security.pam.services.xlock.enable = true`.
 
-- The `nixos-generate-config` command now supports a optional `--flake` option, which will generate a flake.nix file alongside the `configuration.nix` and `hardware-configuration.nix`, providing an easy introduction into flake-based system configurations.
-
 - [`system.stateVersion`](#opt-system.stateVersion) is now validated and must be in the `"YY.MM"` format, ideally corresponding to a prior NixOS release.
 
-- [`hardware.xone`](#opt-hardware.xone.enable) will also enable [`hardware.xpad-noone`](#opt-hardware.xpad-noone.enable) to provide Xbox 360 driver by default.
+- [`hardware.xone`](options.html#opt-hardware.xone.enable) will also enable [`hardware.xpad-noone`](options.html#opt-hardware.xpad-noone.enable) to provide Xbox 360 driver by default.
 
 - `services.mysql` now supports easy cluster setup via [`services.mysql.galeraCluster`](#opt-services.mysql.galeraCluster.enable) option.
 
@@ -487,15 +542,21 @@ Alongside many enhancements to NixOS modules and general system improvements, th
 
 - `networking.wireguard` now has an optional networkd backend. It is enabled by default when `networking.useNetworkd` is enabled, and it can be enabled alongside scripted networking with `networking.wireguard.useNetworkd`. Some `networking.wireguard` options have slightly different behavior with the networkd and script-based backends, documented in each option.
 
+- The `stackclashprotection` hardening flag has been enabled by default on compilers that support it.
+
 - `services.rss-bridge` now has a `package` option as well as support for `caddy` as reverse proxy.
 
 - `services.avahi.ipv6` now defaults to true.
 
+- A new hardening flag, `nostrictaliasing` was made available, corresponding to the gcc/clang option `-fno-strict-aliasing`.
+
 - In the `services.xserver.displayManager.startx` module, two new options [generateScript](#opt-services.xserver.displayManager.startx.generateScript) and [extraCommands](#opt-services.xserver.displayManager.startx.extraCommands) have been added to to declaratively configure the .xinitrc script.
 
 - All services that require a root certificate bundle now use the value of a new read-only option, `security.pki.caBundle`.
 
-- [`services.hddfancontrol`](#opt-services.hddfancontrol.enable) has been modified to use an attribute set for settings, enabling configurations with multiple instances of the daemon running at once (e.g., for two separate drive bays).
+- hddfancontrol has been updated to major release 2. See the [migration guide](https://github.com/desbma/hddfancontrol/tree/master?tab=readme-ov-file#migrating-from-v1x), as there are breaking changes. The settings options have been modified to use an attrset, enabling configurations with multiple instances of the daemon running at once, eg, for two separate drive bays.
+
+- `nextcloud-news-updater` is unmaintained and was removed from nixpkgs.
 
 - `services.cloudflared` now uses a dynamic user, and its `user` and `group` options have been removed. If the user or group is still necessary, they can be created manually.
 
@@ -515,38 +576,73 @@ Alongside many enhancements to NixOS modules and general system improvements, th
 
 - `bind.cacheNetworks` now only controls access for recursive queries, where it previously controlled access for all queries.
 
-- The [Starship](https://starship.rs) module now automatically loads the starship prompt when using [`xonsh`](https://xon.sh).
-
 - [`services.mongodb.enableAuth`](#opt-services.mongodb.enableAuth) now uses the newer [mongosh](https://github.com/mongodb-js/mongosh) shell instead of the legacy shell to configure the initial superuser. You can configure the mongosh package to use through the [`services.mongodb.mongoshPackage`](#opt-services.mongodb.mongoshPackage) option.
 
 - There is a new set of NixOS test tools for testing virtual Wi-Fi networks in many different topologies. See the {option}`services.vwifi` module, {option}`services.kismet` NixOS test, and [manual](https://nixos.org/manual/nixpkgs/unstable/#sec-nixos-test-wifi) for documentation and examples.
 
-- The paperless module now has an option for regular automatic export of documents data using the integrated document exporter.
+- The paperless module now has an option for regular automatic export of
+  documents data using the integrated document exporter.
 
-- Exposed the `paperless-manage` script package via the `services.paperless.manage` read-only option.
-
-- New options for the declarative configuration of the user space part of ALSA have been introduced under [hardware.alsa](#opt-hardware.alsa.enable), including setting the default capture and playback device, defining sound card aliases and volume controls.
+- New options for the declarative configuration of the user space part of ALSA have been introduced under [hardware.alsa](options.html#opt-hardware.alsa.enable), including setting the default capture and playback device, defining sound card aliases and volume controls.
   Note: these are intended for users not running a sound server like PulseAudio or PipeWire, but having ALSA as their only sound system.
 
 - `services.k3s` now provides the `autoDeployCharts` option that allows to automatically deploy Helm charts via the k3s Helm controller.
 
+- Caddy can now be built with plugins by using `caddy.withPlugins`, a `passthru` function that accepts an attribute set as a parameter. The `plugins` argument represents a list of Caddy plugins, with each Caddy plugin being a versioned module. The `hash` argument represents the `vendorHash` of the resulting Caddy source code with the plugins added.
+
+  Example:
+  ```nix
+  services.caddy = {
+    enable = true;
+    package = pkgs.caddy.withPlugins {
+      plugins = [
+        # tagged upstream
+        "github.com/caddy-dns/powerdns@v1.0.1"
+        # pseudo-version number generated by Go
+        "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e"
+        "github.com/mholt/caddy-webdav@v0.0.0-20241008162340-42168ba04c9d"
+      ];
+      hash = "sha256-wqXSd1Ep9TVpQi570TTb96LwzNYvWL5EBJXMJfYWCAk=";
+    };
+  };
+  ```
+
+  To get the necessary hash of the vendored dependencies, omit `hash`. The build will fail and tell you the correct value.
+
+  Note that all provided plugins must have versions/tags (string after `@`), even if upstream repo does not tag each release. For untagged plugins, you can either create an empty Go project and run `go get <plugin>` and see changes in `go.mod` to get the pseudo-version number, or provide a commit hash in place of version/tag for the first run, and update the plugin string based on the error output.
+
+- `buildGoModule` now supports a self-referencing `finalAttrs:` parameter
+  containing the final arguments including overrides.
+  This allows packaging configuration to be overridden in a consistent manner by
+  providing an alternative to `rec {}` syntax.
+
 - [Mattermost](#opt-services.mattermost.enable), a self-hosted chat collaboration platform supporting calls, playbooks, and boards, has been updated. It now has multiple versions, disabled telemetry, and a native frontend build in nixpkgs, removing all upstream prebuilt blobs.
+  - A new `pkgs.mattermost.buildPlugin` function has been added, which allows plugins to be built from source, including webapp frontends with a supported package-lock.json. See the Mattermost NixOS test and [manual](https://nixos.org/manual/nixpkgs/unstable/#sec-mattermost-plugins-build) for an example.
   - Mattermost telemetry reporting is now disabled by default, though security update notifications are enabled. Look at [`services.mattermost.telemetry`](#opt-services.mattermost.telemetry.enableDiagnostics) for options to control this behavior.
+  - The Mattermost frontend is now built from source and can be overridden. Note that the Mattermost derivation containing both the webapp and server is now wrapped to allow them to be built independently, so overrides to both webapp and server look like `mattermost.overrideAttrs (prev: { webapp = prev.webapp.override { ... }; server = prev.server.override { ... }; })` now.
+  - `pkgs.mattermost` has been updated from 9.11 to 10.5 to track the latest extended support release, since 9.11 will become end-of-life during the lifetime of NixOS 25.05.
+  - `pkgs.mattermostLatest` is now an option to track the latest (non-prerelease) Mattermost release. We test upgrade migrations from ESR releases (`pkgs.mattermost`) to `pkgs.mattermostLatest`.
   - The Mattermost module will produce eval warnings if a database password would end up in the Nix store, and recommend alternatives such as peer authentication or using the environment file.
   - We now support `mmctl` for Mattermost administration if both [](#opt-services.mattermost.socket.enable) and [](#opt-services.mattermost.socket.export) are set, which export the Mattermost control socket path into the system environment.
 
+- KDE Partition Manager `partitionmanager`'s support for ReiserFS is removed.
+  ReiserFS has not been actively maintained for many years. It has been marked as obsolete since Linux 6.6, and
+  [is removed](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c01f664e4ca210823b7594b50669bbd9b0a3c3b0)
+  in Linux 6.13.
+
 - `services.geoclue2` now uses [beaconDB](https://beacondb.net/) as a default geolocation service, replacing Mozilla Location Services which was [retired in June 2024](https://github.com/mozilla/ichnaea/issues/2065).
 
-- `security.acme` now supports renewal using CSRs (Certificate Signing Request) through the options `security.acme.*.csr` and `security.acme.*.csrKey`.
+- `authelia` version 4.39.0 has made some changes which deprecate older configurations.
+  They are still expected to be working until future version 5.0.0, but will generate warnings in logs.
+  Read the [release notes](https://www.authelia.com/blog/4.39-release-notes/) for human readable summaries of the changes.
 
 - `programs.fzf.keybindings` now supports the fish shell.
 
-- A toggle has been added under `users.users.<name>.enable` to allow toggling individual users conditionally. If set to false, the user account will not be created.
+- `gerbera` now has wavpack support.
 
-- New hooks were added:
-  - `writableTmpDirAsHomeHook`: This setup hook ensures that the directory specified by the `HOME` environment variable is writable.
-  - `addBinToPathHook`: This setup hook checks if the `bin/` directory exists in the `$out` output path and, if so, adds it to the `PATH` environment variable.
-  - `gitSetupHook`: This setup hook sets up a valid Git configuration, including the `user.name` and `user.email` fields.
+- `octave` (and `octaveFull`) was updated to version `10.x`. The update broke a few `octavePackages`, and `librsb`. See [the PR's commits](https://github.com/NixOS/nixpkgs/pull/394495/commits) for more details.
+
+- A toggle has been added under `users.users.<name>.enable` to allow toggling individual users conditionally. If set to false, the user account will not be created.
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->