Merge b99e1dabec into haskell-updates

too strict bounds on QuickCheck <2.16

maintainers/scripts/haskell/eval-pkg-sets.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash
+#!nix-shell -p jq git
+# shellcheck shell=bash
+#
+# Usage: eval-pkg-sets.sh [extra flags for nix-* commands ...]
+#
+# Must be executed in a git checkout of Nixpkgs.
+
+set -euo pipefail
+
+NIXPKGS="$(git rev-parse --show-toplevel)"
+PKGSETS="$(nix-env --readonly-mode --json --drv-path -f "$NIXPKGS" -qaP -A haskell.compiler "$@" \
+  | jq -r 'to_entries | unique_by(.value.drvPath) .[] .key | sub("^haskell.compiler";"haskell.packages")')"
+
+trap 'exit 1' SIGINT SIGTERM
+
+set +e
+
+badsets=""
+for set in $PKGSETS; do
+  # Confirm an equivalent package set to haskell.compiler.$entry exists and is usable
+  if ! nix-instantiate --readonly-mode -A "$set.ghc" "$@" > /dev/null 2>&1; then
+    echo "Skipping $set... ($set.ghc does not evaluate)"
+  else
+    echo "Evaluating $set..."
+
+    if ! nix-env --readonly-mode -f "$NIXPKGS" -qaP --drv-path -A "$set" "$@" > /dev/null; then
+      badsets+="$set "
+    fi
+  fi
+done
+
+if [ -n "$badsets" ]; then
+  echo "Found potential eval issues in the following sets:" >&2
+  # shellcheck disable=SC2086
+  printf '%s\n' $badsets
+  exit 1
+fi

maintainers/scripts/haskell/update-stackage.sh

@@ -33,7 +33,7 @@ fi
 
 # Stackage solver to use, LTS or Nightly
 # (should be capitalized like the display name)
-SOLVER=LTS
+SOLVER=Nightly
 # Stackage solver verson, if any. Use latest if empty
 VERSION=
 TMP_TEMPLATE=update-stackage.XXXXXXX
@@ -105,6 +105,7 @@ sed -r \
     -e '/ hledger-ui /d' \
     -e '/ hledger-web /d' \
     -e '/ spacecookie /d' \
+    -e '/ hnix-store-core /d' \
     < "${tmpfile_new}" >> $stackage_config
 # Explanations:
 # cabal2nix, distribution-nixpkgs, jailbreak-cabal, language-nix: These are our packages and we know what we are doing.

nixos/lib/systemd-lib.nix

@@ -78,13 +78,16 @@ rec {
         {
           preferLocalBuild = true;
           allowSubstitutes = false;
-          text = unit.text or "";
-          __structuredAttrs = true;
+          # unit.text can be null. But variables that are null listed in
+          # passAsFile are ignored by nix, resulting in no file being created,
+          # making the mv operation fail.
+          text = optionalString (unit.text != null) unit.text;
+          passAsFile = [ "text" ];
         }
         ''
           name=${shellEscape name}
           mkdir -p "$out/$(dirname -- "$name")"
-          printf "%s" "$text" > "$out/$name"
+          mv "$textPath" "$out/$name"
         ''
     else
       pkgs.runCommand "unit-${mkPathSafeName name}-disabled"

nixos/lib/test-driver/default.nix

@@ -11,7 +11,6 @@
   ptpython,
   pydantic,
   python,
-  ovmfvartool,
   remote-pdb,
   ruff,
   ty,
@@ -50,7 +49,6 @@ buildPythonApplication {
     junit-xml
     ptpython
     pydantic
-    ovmfvartool
     remote-pdb
   ]
   ++ extraPythonPackages python.pkgs;

nixos/lib/test-driver/src/test_driver/efi.py

@@ -1,233 +0,0 @@
-import binascii
-import io
-import os.path
-import uuid
-from collections.abc import Generator
-from contextlib import contextmanager
-from pathlib import Path
-from typing import IO, Any, TypeVar
-
-from ovmfvartool import (
-    AuthenticatedVariable,
-    FirmwareVolumeHeader,
-    UEFITime,
-    VariableStoreHeader,
-    resolveUUID,
-)
-
-import test_driver.machine
-from test_driver.errors import RequestedAssertionFailed
-
-EfiVariableT = TypeVar("EfiVariableT", bound="EfiVariable")
-
-# See edk2.git/OvmfPkg/Bhyve/VarStore.fdf.inc
-_NV_FTW_WORKING_OFFSET = 0x41000
-_NV_FTW_WORKING_VALUE = binascii.unhexlify(
-    b"2b29589e687c7d49a0ce6500fd9f1b952caf2c64feffffffe00f000000000000"
-)
-_NV_FTW_SIZE = 0x42000
-_NV_FTW_MAIN_PLUS_SPARE_SIZE = _NV_FTW_SIZE * 2
-
-
-class EfiVariable(AuthenticatedVariable):
-    class Flags:
-        NON_VOLATILE = 0x1
-        BOOTSERVICE_ACCESS = 0x2
-        RUNTIME_ACCESS = 0x4
-        TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
-
-    class State:
-        VAR_HEADER_VALID_ONLY = 0x7F
-        VAR_ADDED = 0x3F
-
-    volatile = False
-    boot_access = False
-    runtime_access = False
-    hardware_error_record = False
-    authenticated_write_access = False
-    time_based_authenticated_write_access = False
-    append_write = False
-
-    def __init__(
-        self,
-        vendor_uuid: uuid.UUID | None = None,
-        name: str | None = None,
-        data: bytes | None = None,
-        state: int | None = None,
-        flags: int | None = None,
-    ) -> None:
-        self.magic = 0x55AA
-        self.reserved1 = 0
-        self.monotonicCount = 0
-        self.timestamp = UEFITime()
-        self.pubKeyIdx = 0
-        self.state = 0
-        self.flags = 0
-
-        if vendor_uuid is not None:
-            self.vendorUUID = uuid.UUID(bytes=vendor_uuid.bytes_le)
-
-        if state is not None:
-            self.state = state ^ 0xFF
-        else:
-            self.state = (0x40 | 0x80) ^ 0xFF
-
-        if flags is not None:
-            self.flags = flags
-
-        if name is not None:
-            self.name = name
-            self.nameLen = len(name) * 2 + 2
-
-        if data is not None:
-            self.data = data
-            self.dataLen = len(data)
-
-    def _read_flags(self) -> None:
-        if not (self.flags & 0x1):
-            self.volatile = True
-        if self.flags & 0x2:
-            self.boot_access = True
-        if self.flags & 0x4:
-            self.runtime_access = True
-        if self.flags & 0x8:
-            self.hardware_error_record = True
-        if self.flags & 0x10:
-            self.authenticated_write_access = True
-        if self.flags & 0x20:
-            self.time_based_authenticated_write_access = True
-        if self.flags & 0x40:
-            self.append_write = True
-
-        self.flags &= ~(0x1 | 0x2 | 0x4 | 0x8 | 0x10 | 0x20 | 0x40)
-
-    @classmethod
-    def deserialize(cls: type[EfiVariableT], f: Any) -> EfiVariableT | None:
-        # pylint: disable=no-member
-        # false positive https://github.com/PyCQA/pylint/issues/981
-        ret = super().deserialize(f)
-        if ret:
-            ret._read_flags()
-        return ret
-
-    @classmethod
-    def deserializeFromDocument(  # noqa: N802
-        cls: type[EfiVariableT],
-        vendorID: str,  # noqa: N803
-        name: str,
-        doc: dict[str, Any],
-    ) -> EfiVariableT:
-        # pylint: disable=no-member
-        # false positive https://github.com/PyCQA/pylint/issues/981
-        ret = super(cls, cls).deserializeFromDocument(vendorID, name, doc)
-        if ret:
-            ret._read_flags()
-        return ret
-
-
-class EfiVars:
-    """A container around the ovmf variables"""
-
-    state_path: Path
-    machine: "test_driver.machine.QemuMachine"
-
-    def __init__(self, state_path: Path, machine: Any):
-        self.state_path = state_path
-        self.machine = machine
-
-    def _assert_stopped(self) -> None:
-        if self.machine.booted:
-            raise RequestedAssertionFailed(
-                "System is currently running and concurrent reads / writes to the OVMF variables is unsupported"
-            )
-
-    def read_content(self) -> dict[str, dict[str, EfiVariable]] | None:
-        self._assert_stopped()
-        try:
-            with open(self.state_path, "rb") as f:
-                fvh = FirmwareVolumeHeader.deserialize(f)
-                vsh = VariableStoreHeader.deserialize(f)
-                _ = fvh
-                _ = vsh
-                variables: dict[str, dict[str, EfiVariable]] = {}
-
-                while True:
-                    v = EfiVariable.deserialize(f)
-                    if not v:
-                        break
-                    if v.isDeleted:
-                        continue
-
-                    k = resolveUUID(v.vendorUUID)
-                    variables.setdefault(k, {})
-                    variables[k][v.name] = v
-
-                return variables
-
-        except FileNotFoundError:
-            return None
-
-    @contextmanager
-    def _write_store(self, *args, **kwargs) -> Generator[IO[bytes]]:
-        with open(self.state_path, "wb") as fo:
-            fm = io.BytesIO(b"\xff" * _NV_FTW_MAIN_PLUS_SPARE_SIZE)
-            fm.write(FirmwareVolumeHeader.create().serialize())
-            fm.write(VariableStoreHeader.create().serialize())
-
-            try:
-                yield fm
-            finally:
-                fm.seek(_NV_FTW_WORKING_OFFSET)
-                fm.write(_NV_FTW_WORKING_VALUE)
-                fm.seek(0)
-                fo.write(fm.read())
-
-    def create_empty(self) -> None:
-        self._assert_stopped()
-
-        if os.path.exists(self.state_path):
-            raise RequestedAssertionFailed("OVMF variables store exists")
-
-        with self._write_store():
-            pass
-
-    def write(self, add: list[EfiVariable]) -> None:
-        self._assert_stopped()
-
-        variables = self.read_content()
-        if not variables:
-            variables = {}
-
-        for var in add:
-            k = resolveUUID(var.vendorUUID)
-            variables.setdefault(k, {})
-            variables[k][var.name] = var
-
-        with self._write_store() as fm:
-            for _, vendor in variables.items():
-                for _, v in vendor.items():
-                    fm.write(v.serialize())
-                    if fm.tell() % 4:
-                        fm.write(b"\xff" * (4 - (fm.tell() % 4)))
-                    assert (fm.tell() % 4) == 0
-
-
-class EfiGuid:
-    from ovmfvartool import (
-        gEdkiiVarErrorFlagGuid,
-        gEfiAuthenticatedVariableGuid,
-        gEfiCertDbGuid,
-        gEfiCustomModeEnableGuid,
-        gEfiGlobalVariableGuid,
-        gEfiImageSecurityDatabaseGuid,
-        gEfiIp4Config2ProtocolGuid,
-        gEfiIScsiInitiatorNameProtocolGuid,
-        gEfiMemoryTypeInformationGuid,
-        gEfiSecureBootEnableDisableGuid,
-        gEfiSystemNvDataFvGuid,
-        gEfiVendorKeysNvGuid,
-        gIScsiConfigGuid,
-        gMicrosoftVendorGuid,
-        gMtcVendorGuid,
-        mBmHardDriveBootVariableGuid,
-    )

nixos/lib/test-driver/src/test_driver/machine/__init__.py

@@ -22,7 +22,6 @@ from pathlib import Path
 from queue import Queue
 from typing import Any
 
-from test_driver.efi import EfiVariable, EfiVars
 from test_driver.errors import MachineError, RequestedAssertionFailed
 from test_driver.logger import AbstractLogger
 from test_driver.machine.ocr import (
@@ -193,7 +192,6 @@ class QemuStartCommand:
     def build_environment(
         state_dir: Path,
         shared_dir: Path,
-        efi_vars_path: Path | None = None,
     ) -> dict:
         # We make a copy to not update the current environment
         env = dict(os.environ)
@@ -204,13 +202,6 @@ class QemuStartCommand:
                 "USE_TMPDIR": "1",
             }
         )
-        if efi_vars_path is not None:
-            env.update(
-                {
-                    "NIX_EFI_VARS": str(efi_vars_path),
-                }
-            )
-
         return env
 
     def run(
@@ -221,7 +212,6 @@ class QemuStartCommand:
         qmp_socket_path: Path,
         shell_socket_path: Path,
         allow_reboot: bool,
-        efi_vars_path: Path | None = None,
         vsock_guest: Path | None = None,
     ) -> subprocess.Popen:
         return subprocess.Popen(
@@ -237,9 +227,7 @@ class QemuStartCommand:
             stderr=subprocess.STDOUT,
             shell=True,
             cwd=state_dir,
-            env=self.build_environment(
-                state_dir, shared_dir, efi_vars_path=efi_vars_path
-            ),
+            env=self.build_environment(state_dir, shared_dir),
         )
 
 
@@ -762,9 +750,6 @@ class QemuMachine(BaseMachine):
     # Store all console output for full log retrieval
     full_console_log: list[str]
 
-    efi_vars_path: Path
-    efi_vars: EfiVars
-
     def __init__(
         self,
         out_dir: Path,
@@ -806,9 +791,6 @@ class QemuMachine(BaseMachine):
         self.booted = False
         self.connected = False
 
-        self.efi_vars_path = self.state_dir / f"{self.name}-efi-vars.fd"
-        self.efi_vars = EfiVars(self.efi_vars_path, self)
-
     def ssh_backdoor_command(self) -> str:
         assert self.vsock_host is not None
         return f"ssh -o User=root vsock-mux/{self.vsock_host}"
@@ -1182,25 +1164,24 @@ class QemuMachine(BaseMachine):
         # to match multiline regexes.
         console = io.StringIO()
 
-        def console_matches(_last_try: bool, block: bool = False) -> bool:
+        def console_matches(_last_try: bool) -> bool:
             nonlocal console
             try:
-                while True:
-                    # This will return as soon as possible and
-                    # sleep 1 second.
-                    console.write(self.last_lines.get(block=block))
-                    console.seek(0)
-                    matches = re.search(regex, console.read())
-                    if matches is not None:
-                        return True
+                # This will return as soon as possible and
+                # sleep 1 second.
+                console.write(self.last_lines.get(block=False))
             except queue.Empty:
-                return False
+                pass
+            console.seek(0)
+            matches = re.search(regex, console.read())
+            return matches is not None
 
         with self.nested(f"waiting for {regex} to appear on console"):
             if timeout is not None:
                 retry(console_matches, timeout)
             else:
-                console_matches(False, block=True)
+                while not console_matches(False):
+                    pass
 
     def get_console_log(self) -> str:
         """
@@ -1267,7 +1248,6 @@ class QemuMachine(BaseMachine):
             self.qmp_path,
             self.shell_path,
             allow_reboot,
-            self.efi_vars_path,
             self.vsock_guest,
         )
 
@@ -1452,28 +1432,6 @@ class QemuMachine(BaseMachine):
         self.connected = False
         self.connect()
 
-    def dump_efi_vars(self) -> None:
-        for var in self.read_efi_vars():
-            var.print()
-
-    def read_efi_vars(self) -> list[EfiVariable]:
-        config = self.efi_vars.read_content()
-        if not config:
-            return []
-
-        out = []
-        for vendor, variables in config.items():
-            for name, v in variables.items():
-                out.append(v)
-
-        return out
-
-    def create_efi_vars(self) -> None:
-        self.efi_vars.create_empty()
-
-    def write_efi_vars(self, add: list[EfiVariable]) -> None:
-        self.efi_vars.write(add)
-
 
 class NspawnMachine(BaseMachine):
     """

nixos/modules/installer/tools/nixos-generate-config.pl

@@ -505,7 +505,7 @@ EOF
     # This should work for single and multi-device systems.
     # still needs subvolume support
     if ($fsType eq "bcachefs") {
-        my ($status, @info) = runCommand("@bcachefs@ fs usage $rootDir$mountPoint");
+        my ($status, @info) = runCommand("bcachefs fs usage $rootDir$mountPoint");
         my $UUID = $info[0];
 
         if ($status == 0 && $UUID =~ /^Filesystem:[ \t\n]*([0-9a-z-]+)/) {

nixos/modules/installer/tools/tools.nix

@@ -30,20 +30,15 @@ let
     name = "nixos-generate-config";
     src = ./nixos-generate-config.pl;
     replacements = {
-      perl = lib.getExe (
+      perl = "${
         pkgs.perl.withPackages (p: [
           p.FileSlurp
           p.ConfigIniFiles
         ])
-      );
+      }/bin/perl";
       hostPlatformSystem = pkgs.stdenv.hostPlatform.system;
-      detectvirt = lib.getExe' config.systemd.package "systemd-detect-virt";
-      bcachefs =
-        if pkgs.bcachefs-tools.meta.broken then
-          lib.getExe' pkgs.coreutils "false"
-        else
-          lib.getExe pkgs.bcachefs-tools;
-      btrfs = lib.getExe pkgs.btrfs-progs;
+      detectvirt = "${config.systemd.package}/bin/systemd-detect-virt";
+      btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
       inherit (config.system.nixos-generate-config) configuration desktopConfiguration flake;
       xserverEnabled = config.services.xserver.enable;
     };

nixos/tests/all-tests.nix

@@ -153,7 +153,6 @@ in
     console-log = runTest ./nixos-test-driver/console-log.nix;
     containers = runTest ./nixos-test-driver/containers.nix;
     skip-typecheck = runTest ./nixos-test-driver/skip-typecheck.nix;
-    console-timeout = runTest ./nixos-test-driver/console-timeout.nix;
     options-doc-regression = import ./nixos-test-driver/options-doc-regression.nix { inherit pkgs; };
     driver-timeout =
       pkgs.runCommand "ensure-timeout-induced-failure"
@@ -168,7 +167,6 @@ in
           [[ 143 = $(cat $failed/testBuildFailure.exit) ]]
           touch $out
         '';
-    efivars = runTestOn [ "x86_64-linux" ] ./nixos-test-driver/efivars.nix;
   };
 
   # NixOS vm tests and non-vm unit tests

nixos/tests/nixos-test-driver/console-timeout.nix

@@ -1,26 +0,0 @@
-{ pkgs, lib, ... }:
-{
-  name = "console-timeout";
-
-  nodes.machine = {
-    systemd.services.generate-output.script = ''
-      echo "match that"
-      sleep 1
-
-      for i in $(seq 15); do
-        echo "line $i"
-      done
-
-      echo "match this"
-    '';
-  };
-
-  testScript = ''
-    machine.start()
-    machine.wait_for_unit("multi-user.target")
-
-    machine.systemctl("start generate-output")
-    machine.wait_for_console_text("match that")
-    machine.wait_for_console_text("match this", timeout=10)
-  '';
-}

nixos/tests/nixos-test-driver/efivars.nix

@@ -1,110 +0,0 @@
-{ pkgs, lib, ... }:
-let
-  vendorUuid = "a19f72f8-b554-4bd7-a0c2-2762bd854691";
-  varName = "Demo";
-  readWriteVar = pkgs.writers.writePython3 "read-increment-efi-var" { } ''
-    import os
-    import sys
-    import fcntl
-    import array
-
-    if len(sys.argv) != 3:
-        print(f"Usage: {sys.argv[0]} NAME UUID", file=sys.stderr)
-        sys.exit(1)
-
-    name = sys.argv[1]
-    uuid = sys.argv[2]
-    path = f"/sys/firmware/efi/efivars/{name}-{uuid}"
-
-    FS_IMMUTABLE_FL = 0x00000010
-    FS_IOC_GETFLAGS = 0x80086601
-    FS_IOC_SETFLAGS = 0x40086602
-
-    if not os.path.exists(path):
-        print(f"{path}: does not exist", file=sys.stderr)
-        sys.exit(1)
-
-    with open(path, "rb") as f:
-        data = f.read()
-
-    # The first 4 bytes are attributes, the rest is the data
-    if data[4:] != b"\x2a":
-        print(f"0x2a value expected, got {data[4:]!r}", file=sys.stderr)
-        sys.exit(1)
-
-    fd = os.open(path, os.O_RDONLY)
-    arg = array.array("L", [0])
-    fcntl.ioctl(fd, FS_IOC_GETFLAGS, arg)
-    if arg[0] & FS_IMMUTABLE_FL:
-        arg[0] &= ~FS_IMMUTABLE_FL
-        fcntl.ioctl(fd, FS_IOC_SETFLAGS, arg)
-    os.close(fd)
-
-    with open(path, "wb") as f:
-        # Write 0x2b
-        data = bytes(list(data[:4]) + [0x2b])
-        f.write(data)
-  '';
-in
-{
-  name = "efivars";
-
-  nodes.machine = {
-    boot.loader.efi.canTouchEfiVariables = true;
-    virtualisation.useEFIBoot = true;
-  };
-
-  testScript = ''
-    import uuid
-    import unittest
-
-    from test_driver.efi import EfiVariable
-    from test_driver.errors import RequestedAssertionFailed
-
-
-    class TestConcurrentRead(unittest.TestCase):
-        def __init__(self, machine):
-            super().__init__()
-            self.machine = machine
-
-        def test_concurrent_read(self):
-            with self.assertRaises(RequestedAssertionFailed):
-                self.machine.read_efi_vars()
-
-
-    vendor_uuid = uuid.UUID('${vendorUuid}')
-    machine.create_efi_vars()
-    machine.write_efi_vars([
-        EfiVariable(
-            vendor_uuid=vendor_uuid,
-            name="${varName}",
-            data=bytes([0x2a]),
-            flags=EfiVariable.Flags.NON_VOLATILE | EfiVariable.Flags.BOOTSERVICE_ACCESS | EfiVariable.Flags.RUNTIME_ACCESS,
-        )
-    ])
-
-    machine.start()
-    machine.wait_for_unit("multi-user.target")
-
-    print(machine.succeed('${readWriteVar} "${varName}" "${vendorUuid}"'))
-
-    TestConcurrentRead(machine).test_concurrent_read()
-    machine.crash()
-
-    machine.dump_efi_vars()
-    vars = machine.read_efi_vars()
-
-    guid = uuid.UUID(bytes=vendor_uuid.bytes_le)
-    predicate = lambda v: v.name == "${varName}" and v.vendorUUID == guid
-    var = next((v for v in vars if predicate(v)), None)
-
-    if var:
-        var.print()
-        if var.data == bytes([0x2b]):
-            print("Congrats!")
-        else:
-            raise ValueError("Value 0x2b expected")
-    else:
-        raise ValueError("Could not find ${varName} variable")
-  '';
-}

pkgs/applications/audio/mpg123/default.nix

@@ -21,11 +21,11 @@ assert withConplay -> !libOnly;
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "${lib.optionalString libOnly "lib"}mpg123";
-  version = "1.33.5";
+  version = "1.33.4";
 
   src = fetchurl {
     url = "mirror://sourceforge/mpg123/mpg123-${finalAttrs.version}.tar.bz2";
-    hash = "sha256-DX68jaCv88o4PIxrWmrb5ALuW7JWaFuMVJnzpzn51t0=";
+    hash = "sha256-OujJ/4Cpe/wOIuifvNdGh+yk/B2zFbEmB/J/ActaR9k=";
   };
 
   outputs = [

pkgs/applications/editors/vim/common.nix

@@ -4,7 +4,7 @@
   stdenv,
 }:
 rec {
-  version = "9.2.0541";
+  version = "9.2.0389";
 
   outputs = [
     "out"
@@ -15,7 +15,7 @@ rec {
     owner = "vim";
     repo = "vim";
     rev = "v${version}";
-    hash = "sha256-M2vdIAM3P2MZdcMvFX/3/fixliTosR06nvPIX7NXFNo=";
+    hash = "sha256-shhdJn1bPJ/68a54UZMn1fla7P4tjVUN4DGLbx3ohOg=";
   };
 
   enableParallelBuilding = true;

pkgs/build-support/bintools-wrapper/setup-hook.sh

@@ -60,8 +60,7 @@ do
     if
         PATH=$_PATH type -p "@targetPrefix@${cmd}" > /dev/null
     then
-        upper_case="$(echo "$cmd" | tr "a-z" "A-Z")"
-        export "${upper_case}${role_post}=@targetPrefix@${cmd}";
+        export "${cmd^^}${role_post}=@targetPrefix@${cmd}";
     fi
 done
 

pkgs/build-support/build-mozilla-mach/default.nix

@@ -58,7 +58,6 @@ in
   pkg-config,
   pkgsCross, # wasm32 rlbox
   python3,
-  python313,
   runCommand,
   rustc,
   rust-cbindgen,
@@ -365,7 +364,7 @@ buildStdenv.mkDerivation {
     makeBinaryWrapper
     nodejs
     perl
-    (if lib.versionAtLeast version "143.0" then python3 else python313)
+    python3
     rust-cbindgen
     rustPlatform.bindgenHook
     rustc

pkgs/build-support/cc-wrapper/add-clang-cc-cflags-before.sh

@@ -36,6 +36,6 @@ elif [[ $0 != *cpp ]]; then
     fi
 fi
 
-if [[ "@darwinMinVersion@" ]] && [ "@isFlang@" != 1 ]; then
+if [[ "@darwinMinVersion@" ]]; then
     extraBefore+=(-Werror=unguarded-availability)
 fi

pkgs/build-support/cc-wrapper/add-flags.sh

@@ -11,8 +11,6 @@ var_templates_list=(
     NIX_CXXSTDLIB_COMPILE
     NIX_CXXSTDLIB_LINK
     NIX_GNATFLAGS_COMPILE
-    NIX_FFLAGS_COMPILE
-    NIX_FFLAGS_COMPILE_BEFORE
 )
 var_templates_bool=(
     NIX_ENFORCE_NO_NATIVE

pkgs/build-support/cc-wrapper/cc-wrapper.sh

@@ -44,7 +44,7 @@ while (( "$n" < "$nParams" )); do
 
     case "$p" in
         -[cSEM] | -MM) dontLink=1 ;;
-        -cc1 | -fc1 ) cc1=1 ;;
+        -cc1) cc1=1 ;;
         -nostdinc) cInclude=0 cxxInclude=0 ;;
         -nostdinc++) cxxInclude=0 ;;
         -nostdlib) cxxLibrary=0 ;;
@@ -185,19 +185,9 @@ fi
 
 source @out@/nix-support/add-hardening.sh
 
-# Add the flags for the compiler proper. Flang reads its user-supplied
-# flags from the Fortran-specific NIX_FFLAGS_COMPILE channel so that
-# C-only flags injected by setup hooks (e.g. -frandom-seed= from
-# reproducible-builds.sh, which Flang does not accept) never reach the
-# Fortran driver. This mirrors the NIX_GNATFLAGS_COMPILE channel that
-# the Ada/GNAT wrapper uses for the same reason.
-if [ "@isFlang@" = 1 ]; then
-    extraAfter=(${hardeningCFlagsAfter[@]+"${hardeningCFlagsAfter[@]}"} $NIX_FFLAGS_COMPILE_@suffixSalt@)
-    extraBefore=(${hardeningCFlagsBefore[@]+"${hardeningCFlagsBefore[@]}"} $NIX_FFLAGS_COMPILE_BEFORE_@suffixSalt@)
-else
-    extraAfter=(${hardeningCFlagsAfter[@]+"${hardeningCFlagsAfter[@]}"} $NIX_CFLAGS_COMPILE_@suffixSalt@)
-    extraBefore=(${hardeningCFlagsBefore[@]+"${hardeningCFlagsBefore[@]}"} $NIX_CFLAGS_COMPILE_BEFORE_@suffixSalt@)
-fi
+# Add the flags for the C compiler proper.
+extraAfter=(${hardeningCFlagsAfter[@]+"${hardeningCFlagsAfter[@]}"} $NIX_CFLAGS_COMPILE_@suffixSalt@)
+extraBefore=(${hardeningCFlagsBefore[@]+"${hardeningCFlagsBefore[@]}"} $NIX_CFLAGS_COMPILE_BEFORE_@suffixSalt@)
 
 if [ "$dontLink" != 1 ]; then
     linkType=$(checkLinkType $NIX_LDFLAGS_BEFORE_@suffixSalt@ "${params[@]}" ${NIX_CFLAGS_LINK_@suffixSalt@:-} $NIX_LDFLAGS_@suffixSalt@)

pkgs/build-support/cc-wrapper/default.nix

@@ -26,8 +26,6 @@
   nixSupport ? { },
   isGNU ? false,
   isClang ? cc.isClang or false,
-  isFlang ? cc.isFlang or false,
-  isAlireGNAT ? false,
   isZig ? cc.isZig or false,
   isArocc ? cc.isArocc or false,
   isCcache ? cc.isCcache or false,
@@ -389,9 +387,7 @@ let
   #
   # TODO: Drop `mangle-NIX_STORE-in-__FILE__.patch` from GCC and make
   # this unconditional once the upstream bug is fixed.
-  useMacroPrefixMap = !isGNU && !isFlang;
-  systemIncludeFlag = if isFlang || isArocc then "-I" else "-idirafter";
-  fortifyIncludeFlag = if isFlang then "-I" else "-isystem";
+  useMacroPrefixMap = !isGNU;
 in
 
 assert includeFortifyHeaders' -> fortify-headers != null;
@@ -578,18 +574,10 @@ stdenvNoCC.mkDerivation {
   ''
 
   + optionalString cc.langFortran or false ''
-    if [ -e $ccPath/${targetPrefix}gfortran ]; then
-      wrap ${targetPrefix}gfortran $wrapper $ccPath/${targetPrefix}gfortran
-      ln -sv ${targetPrefix}gfortran $out/bin/${targetPrefix}g77
-      ln -sv ${targetPrefix}gfortran $out/bin/${targetPrefix}f77
-      export named_fc=${targetPrefix}gfortran
-    elif [ -e $ccPath/${targetPrefix}flang ]; then
-      wrap ${targetPrefix}flang $wrapper $ccPath/${targetPrefix}flang
-      export named_fc=${targetPrefix}flang
-    elif [ -e $ccPath/flang ]; then
-      wrap ${targetPrefix}flang $wrapper $ccPath/flang
-      export named_fc=${targetPrefix}flang
-    fi
+    wrap ${targetPrefix}gfortran $wrapper $ccPath/${targetPrefix}gfortran
+    ln -sv ${targetPrefix}gfortran $out/bin/${targetPrefix}g77
+    ln -sv ${targetPrefix}gfortran $out/bin/${targetPrefix}f77
+    export named_fc=${targetPrefix}gfortran
   ''
 
   + optionalString cc.langGo or false ''
@@ -721,11 +709,13 @@ stdenvNoCC.mkDerivation {
         touch "$out/nix-support/libc-cflags"
         touch "$out/nix-support/libc-ldflags"
       ''
-      + optionalString (!isArocc && !(isAlireGNAT && targetPlatform.isDarwin)) ''
+      + optionalString (!isArocc) ''
         echo "-B${libc_lib}${libc.libdir or "/lib/"}" >> $out/nix-support/libc-crt1-cflags
       ''
       + ''
-        include "${systemIncludeFlag}" "${libc_dev}${libc.incdir or "/include"}" >> $out/nix-support/libc-cflags
+        include "-${
+          if isArocc then "I" else "idirafter"
+        }" "${libc_dev}${libc.incdir or "/include"}" >> $out/nix-support/libc-cflags
       ''
       + optionalString isGNU ''
         for dir in "${cc}"/lib/gcc/*/*/include-fixed; do
@@ -733,9 +723,9 @@ stdenvNoCC.mkDerivation {
         done
       ''
       + optionalString (libc.w32api or null != null) ''
-        include "${systemIncludeFlag}" "${lib.getDev libc.w32api}${
+        echo '-idirafter ${lib.getDev libc.w32api}${
           libc.incdir or "/include/w32api"
-        }" >> $out/nix-support/libc-cflags
+        }' >> $out/nix-support/libc-cflags
       ''
       + ''
 
@@ -750,7 +740,7 @@ stdenvNoCC.mkDerivation {
       # like option that forces the libc headers before all -idirafter,
       # hence -isystem here.
       + optionalString includeFortifyHeaders' ''
-        include "${fortifyIncludeFlag}" "${fortify-headers}/include" >> $out/nix-support/libc-cflags
+        include -isystem "${fortify-headers}/include" >> $out/nix-support/libc-cflags
       ''
     )
 
@@ -771,7 +761,7 @@ stdenvNoCC.mkDerivation {
     # already knows how to find its own libstdc++, and adding
     # additional -isystem flags will confuse gfortran (see
     # https://github.com/NixOS/nixpkgs/pull/209870#issuecomment-1500550903)
-    + optionalString (libcxx == null && isClang && useGccForLibs && (cc.langCC or false)) ''
+    + optionalString (libcxx == null && isClang && (useGccForLibs && gccForLibs.langCC or false)) ''
       for dir in ${gccForLibs}/include/c++/*; do
         include -cxx-isystem "$dir" >> $out/nix-support/libcxx-cxxflags
       done
@@ -796,9 +786,7 @@ stdenvNoCC.mkDerivation {
     # ${cc_solib}/lib64 (even though it does actually search there...)..
     # This confuses libtool.  So add it to the compiler tool search
     # path explicitly.
-    # Injecting CFlags and LDFlags causes duplicate rpath at linking
-    # stage for Alire GNAT. Skip adding flags here.
-    + optionalString (!nativeTools && !isArocc && !isAlireGNAT) ''
+    + optionalString (!nativeTools && !isArocc) ''
       ccLDFlags=()
       ccCFlags=()
       if [ -e "${cc_solib}/lib64" -a ! -L "${cc_solib}/lib64" ]; then
@@ -813,6 +801,7 @@ stdenvNoCC.mkDerivation {
       touch "$out/nix-support/gnat-cflags"
       touch "$out/nix-support/gnat-ldflags"
       basePath=$(echo $cc/lib/*/*/*)
+      ccCFlags+=("-B$basePath" "-I$basePath/adainclude")
       gnatCFlags="-I$basePath/adainclude -I$basePath/adalib"
 
       echo "$gnatCFlags" >> $out/nix-support/gnat-cflags
@@ -839,7 +828,6 @@ stdenvNoCC.mkDerivation {
       optionalString
         (
           (cc.isClang or false)
-          && !isFlang
           && !(cc.isROCm or false)
           && !targetPlatform.isDarwin
           && !targetPlatform.isAndroid
@@ -874,8 +862,7 @@ stdenvNoCC.mkDerivation {
       let
         enable_fp = !targetPlatform.isx86_32 && !targetPlatform.isS390;
         enable_leaf_fp =
-          !isFlang
-          && enable_fp
+          enable_fp
           && (
             targetPlatform.isx86_64
             || targetPlatform.isAarch64
@@ -941,7 +928,7 @@ stdenvNoCC.mkDerivation {
     # well with multi line flags, so make the flags single line again
     + ''
       for flags in "$out/nix-support"/*flags*; do
-        substituteInPlace "$flags" --replace-quiet $'\n' ' '
+        substituteInPlace "$flags" --replace $'\n' ' '
       done
 
       substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh
@@ -987,7 +974,6 @@ stdenvNoCC.mkDerivation {
 
   env = {
     inherit isClang;
-    inherit isFlang;
 
     # for substitution in utils.bash
     # TODO(@sternenseemann): invent something cleaner than passing in "" in case of absence

pkgs/build-support/rust/fetch-cargo-vendor-util-v2.py

@@ -0,0 +1,416 @@
+import functools
+import hashlib
+import json
+import multiprocessing as mp
+import re
+import shutil
+import subprocess
+import sys
+import tomllib
+from os.path import islink, realpath
+from pathlib import Path
+from typing import Any, TypedDict, cast
+from urllib.parse import unquote
+
+import requests
+import tomli_w
+from requests.adapters import HTTPAdapter, Retry
+
+eprint = functools.partial(print, file=sys.stderr)
+
+
+def load_toml(path: Path) -> dict[str, Any]:
+    with open(path, "rb") as f:
+        return tomllib.load(f)
+
+
+def get_lockfile_version(cargo_lock_toml: dict[str, Any]) -> int:
+    # lockfile v1 and v2 don't have the `version` key, so assume v2
+    version = cargo_lock_toml.get("version", 2)
+
+    # TODO: add logic for differentiating between v1 and v2
+
+    return version
+
+
+def create_http_session() -> requests.Session:
+    retries = Retry(
+        total=5,
+        backoff_factor=0.5,
+        status_forcelist=[500, 502, 503, 504]
+    )
+    session = requests.Session()
+    session.headers["User-Agent"] = "nixpkgs-fetchCargoVendor/2 (https://github.com/NixOS/nixpkgs)"
+    session.mount('http://', HTTPAdapter(max_retries=retries))
+    session.mount('https://', HTTPAdapter(max_retries=retries))
+    return session
+
+
+def download_file_with_checksum(session: requests.Session, url: str, destination_path: Path) -> str:
+    sha256_hash = hashlib.sha256()
+    with session.get(url, stream=True) as response:
+        if not response.ok:
+            raise Exception(f"Failed to fetch file from {url}. Status code: {response.status_code}")
+        with open(destination_path, "wb") as file:
+            for chunk in response.iter_content(1024):  # Download in chunks
+                if chunk:  # Filter out keep-alive chunks
+                    file.write(chunk)
+                    sha256_hash.update(chunk)
+
+    # Compute the final checksum
+    checksum = sha256_hash.hexdigest()
+    return checksum
+
+
+def get_download_url_for_tarball(pkg: dict[str, Any]) -> str:
+    # TODO: support other registries
+    #       maybe fetch config.json from the registry root and get the dl key
+    #       See: https://doc.rust-lang.org/cargo/reference/registry-index.html#index-configuration
+    if pkg["source"] != "registry+https://github.com/rust-lang/crates.io-index":
+        raise Exception("Only the default crates.io registry is supported.")
+
+    # Use static.crates.io (CDN) instead of crates.io/api to avoid the 1 req/sec
+    # rate limit on the API servers.
+    return f"https://static.crates.io/crates/{pkg["name"]}/{pkg["version"]}/download"
+
+
+def download_tarball(session: requests.Session, pkg: dict[str, Any], out_dir: Path) -> None:
+
+    url = get_download_url_for_tarball(pkg)
+    filename = f"{pkg["name"]}-{pkg["version"]}.tar.gz"
+
+    # TODO: allow legacy checksum specification, see importCargoLock for example
+    #       also, don't forget about the other usage of the checksum
+    expected_checksum = pkg["checksum"]
+
+    tarball_out_dir = out_dir / "tarballs" / filename
+    eprint(f"Fetching {url} -> tarballs/{filename}")
+
+    calculated_checksum = download_file_with_checksum(session, url, tarball_out_dir)
+
+    if calculated_checksum != expected_checksum:
+        raise Exception(f"Hash mismatch! File fetched from {url} had checksum {calculated_checksum}, expected {expected_checksum}.")
+
+
+def download_git_tree(url: str, git_sha_rev: str, out_dir: Path) -> None:
+
+    tree_out_dir = out_dir / "git" / git_sha_rev
+    eprint(f"Fetching {url}#{git_sha_rev} -> git/{git_sha_rev}")
+
+    cmd = ["nix-prefetch-git", "--builder", "--quiet", "--fetch-submodules", "--url", url, "--rev", git_sha_rev, "--out", str(tree_out_dir)]
+    subprocess.check_output(cmd)
+
+
+GIT_SOURCE_REGEX = re.compile("git\\+(?P<url>[^?]+)(\\?(?P<type>rev|tag|branch)=(?P<value>.*))?#(?P<git_sha_rev>.*)")
+
+
+class GitSourceInfo(TypedDict):
+    url: str
+    type: str | None
+    value: str | None
+    git_sha_rev: str
+
+
+def parse_git_source(source: str, lockfile_version: int) -> GitSourceInfo:
+    match = GIT_SOURCE_REGEX.match(source)
+    if match is None:
+        raise Exception(f"Unable to process git source: {source}.")
+
+    source_info = cast(GitSourceInfo, match.groupdict(default=None))
+
+    # the source URL is URL-encoded in lockfile_version >=4
+    # since we just used regex to parse it we have to manually decode the escaped branch/tag name
+    if lockfile_version >= 4 and source_info["value"] is not None:
+        source_info["value"] = unquote(source_info["value"])
+
+    return source_info
+
+
+def create_vendor_staging(lockfile_path: Path, out_dir: Path) -> None:
+    cargo_lock_toml = load_toml(lockfile_path)
+    lockfile_version = get_lockfile_version(cargo_lock_toml)
+
+    git_packages: list[dict[str, Any]] = []
+    registry_packages: list[dict[str, Any]] = []
+
+    for pkg in cargo_lock_toml["package"]:
+        # ignore local dependenices
+        if "source" not in pkg.keys():
+            eprint(f"Skipping local dependency: {pkg["name"]}")
+            continue
+        source = pkg["source"]
+
+        if source.startswith("git+"):
+            git_packages.append(pkg)
+        elif source.startswith("registry+"):
+            registry_packages.append(pkg)
+        else:
+            raise Exception(f"Can't process source: {source}.")
+
+    git_sha_rev_to_url: dict[str, str] = {}
+    for pkg in git_packages:
+        source_info = parse_git_source(pkg["source"], lockfile_version)
+        git_sha_rev_to_url[source_info["git_sha_rev"]] = source_info["url"]
+
+    out_dir.mkdir(exist_ok=True)
+    shutil.copy(lockfile_path, out_dir / "Cargo.lock")
+
+    # fetch git trees sequentially, since fetching concurrently leads to flaky behaviour
+    if len(git_packages) != 0:
+        (out_dir / "git").mkdir()
+        for git_sha_rev, url in git_sha_rev_to_url.items():
+            download_git_tree(url, git_sha_rev, out_dir)
+
+    # run tarball download jobs in parallel, with at most 5 concurrent download jobs
+    with mp.Pool(min(5, mp.cpu_count())) as pool:
+        if len(registry_packages) != 0:
+            (out_dir / "tarballs").mkdir()
+            session = create_http_session()
+            tarball_args_gen = ((session, pkg, out_dir) for pkg in registry_packages)
+            pool.starmap(download_tarball, tarball_args_gen)
+
+
+def get_manifest_metadata(manifest_path: Path) -> dict[str, Any]:
+    cmd = ["cargo", "metadata", "--format-version", "1", "--no-deps", "--manifest-path", str(manifest_path)]
+    output = subprocess.check_output(cmd)
+    return json.loads(output)
+
+
+def try_get_crate_manifest_path_from_manifest_path(manifest_path: Path, crate_name: str) -> Path | None:
+    try:
+        metadata = get_manifest_metadata(manifest_path)
+    except subprocess.CalledProcessError:
+        eprint(f"Warning: cargo metadata failed for {manifest_path}, skipping")
+        return None
+
+    for pkg in metadata["packages"]:
+        if pkg["name"] == crate_name:
+            return Path(pkg["manifest_path"])
+
+    return None
+
+
+def find_crate_manifest_in_tree(tree: Path, crate_name: str) -> Path:
+    # Scan all Cargo.toml files; sort by depth/path to make ordering deterministic
+    # and prefer less-nested manifests first.
+    manifest_paths = sorted(
+        tree.glob("**/Cargo.toml"),
+        key=lambda path: (len(path.parts), str(path)),
+    )
+
+    for manifest_path in manifest_paths:
+        res = try_get_crate_manifest_path_from_manifest_path(manifest_path, crate_name)
+        if res is not None:
+            return res
+
+    raise Exception(f"Couldn't find manifest for crate {crate_name} inside {tree}.")
+
+
+def copy_and_patch_git_crate_subtree(git_tree: Path, crate_name: str, crate_out_dir: Path) -> None:
+
+    # This function will get called by copytree to decide which entries of a directory should be copied
+    # We'll copy everything except symlinks that are invalid
+    def ignore_func(dir_str: str, path_strs: list[str]) -> list[str]:
+        ignorelist: list[str] = []
+
+        dir = Path(realpath(dir_str, strict=True))
+
+        for path_str in path_strs:
+            path = dir / path_str
+            if not islink(path):
+                continue
+
+            # Filter out cyclic symlinks and symlinks pointing at nonexistant files
+            try:
+                target_path = Path(realpath(path, strict=True))
+            except OSError:
+                ignorelist.append(path_str)
+                eprint(f"Failed to resolve symlink, ignoring: {path}")
+                continue
+
+            # Filter out symlinks that point outside of the current crate's base git tree
+            # This can be useful if the nix build sandbox is turned off and there is a symlink to a common absolute path
+            if not target_path.is_relative_to(git_tree):
+                ignorelist.append(path_str)
+                eprint(f"Symlink points outside of the crate's base git tree, ignoring: {path} -> {target_path}")
+                continue
+
+        return ignorelist
+
+    crate_manifest_path = find_crate_manifest_in_tree(git_tree, crate_name)
+    crate_tree = crate_manifest_path.parent
+
+    eprint(f"Copying to {crate_out_dir}")
+    shutil.copytree(crate_tree, crate_out_dir, ignore=ignore_func)
+    crate_out_dir.chmod(0o755)
+
+    with open(crate_manifest_path, "r") as f:
+        manifest_data = f.read()
+
+    if "workspace" in manifest_data:
+        crate_manifest_metadata = get_manifest_metadata(crate_manifest_path)
+        workspace_root = Path(crate_manifest_metadata["workspace_root"])
+
+        root_manifest_path = workspace_root / "Cargo.toml"
+        manifest_path = crate_out_dir / "Cargo.toml"
+
+        manifest_path.chmod(0o644)
+        eprint(f"Patching {manifest_path}")
+
+        cmd = ["replace-workspace-values", str(manifest_path), str(root_manifest_path)]
+        subprocess.check_output(cmd)
+
+
+def extract_crate_tarball_contents(tarball_path: Path, crate_out_dir: Path) -> None:
+    eprint(f"Unpacking to {crate_out_dir}")
+    crate_out_dir.mkdir()
+    cmd = ["tar", "xf", str(tarball_path), "-C", str(crate_out_dir), "--strip-components=1"]
+    subprocess.check_output(cmd)
+
+
+def make_git_source_selector(source_info: GitSourceInfo) -> dict[str, str]:
+    selector = {}
+    selector["git"] = source_info["url"]
+    if source_info["type"] is not None:
+        selector[source_info["type"]] = source_info["value"]
+    return selector
+
+
+def make_registry_source_selector(source: str) -> dict[str, str]:
+    registry = source[9:] if source.startswith("registry+") else source
+    selector = {}
+    selector["registry"] = registry
+    return selector
+
+
+def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None:
+    lockfile_path = vendor_staging_dir / "Cargo.lock"
+    out_dir.mkdir(exist_ok=True)
+    shutil.copy(lockfile_path, out_dir / "Cargo.lock")
+
+    cargo_lock_toml = load_toml(lockfile_path)
+    lockfile_version = get_lockfile_version(cargo_lock_toml)
+
+    source_to_ind: dict[str, str] = {}
+    source_config = {}
+    next_registry_ind = 0
+    next_git_ind = 0
+
+    def add_source_replacement(
+        orig_key: str,
+        orig_selector: dict[str, str],
+        vendored_key: str,
+        vendored_dir: str
+    ) -> None:
+        source_config[vendored_key] = {}
+        source_config[vendored_key]["directory"] = vendored_dir
+        source_config[orig_key] = orig_selector
+        source_config[orig_key]["replace-with"] = vendored_key
+
+    # we reserve registry index 0 for crates-io
+    source_to_ind["registry+https://github.com/rust-lang/crates.io-index"] = "registry-0"
+    source_to_ind["sparse+https://index.crates.io/"] = "registry-0"
+    add_source_replacement(
+        orig_key="crates-io",
+        orig_selector={},  # there is an internal selector defined for the `crates-io` source
+        vendored_key="vendored-source-registry-0",
+        vendored_dir="@vendor@/source-registry-0"
+    )
+    next_registry_ind += 1
+
+    for pkg in cargo_lock_toml["package"]:
+        # ignore local dependencies
+        if "source" not in pkg.keys():
+            continue
+        source: str = pkg["source"]
+        if source in source_to_ind:
+            continue
+
+        if source.startswith("git+"):
+            ind = f"git-{next_git_ind}"
+            next_git_ind += 1
+            source_info = parse_git_source(source, lockfile_version)
+            selector = make_git_source_selector(source_info)
+        elif source.startswith("registry+") or source.startswith("sparse+"):
+            ind = f"registry-{next_registry_ind}"
+            next_registry_ind += 1
+            selector = make_registry_source_selector(source)
+        else:
+            raise Exception(f"Can't process source: {source}.")
+
+        source_to_ind[source] = ind
+        add_source_replacement(
+            orig_key=f"original-source-{ind}",
+            orig_selector=selector,
+            vendored_key=f"vendored-source-{ind}",
+            vendored_dir=f"@vendor@/source-{ind}"
+        )
+
+    config_path = out_dir / ".cargo" / "config.toml"
+    config_path.parent.mkdir()
+
+    with open(config_path, "wb") as config_file:
+        tomli_w.dump({"source": source_config}, config_file)
+
+    for pkg in cargo_lock_toml["package"]:
+
+        # ignore local dependenices
+        if "source" not in pkg.keys():
+            continue
+
+        source: str = pkg["source"]
+        source_ind = source_to_ind[source]
+        crate_dir_name = f"{pkg["name"]}-{pkg["version"]}"
+        source_dir_name = f"source-{source_ind}"
+        crate_out_dir = out_dir / source_dir_name / crate_dir_name
+        crate_out_dir.parent.mkdir(exist_ok=True)
+
+        if source.startswith("git+"):
+
+            source_info = parse_git_source(source, lockfile_version)
+
+            git_sha_rev = source_info["git_sha_rev"]
+            git_tree = vendor_staging_dir / "git" / git_sha_rev
+
+            copy_and_patch_git_crate_subtree(git_tree, pkg["name"], crate_out_dir)
+
+            # git based crates allow having no checksum information
+            with open(crate_out_dir / ".cargo-checksum.json", "w") as f:
+                json.dump({"files": {}}, f)
+
+        elif source.startswith("registry+") or source.startswith("sparse+"):
+            filename = f"{pkg["name"]}-{pkg["version"]}.tar.gz"
+
+            # TODO: change this when non-crates-io registries are supported
+            dir_name = "tarballs"
+
+            tarball_path = vendor_staging_dir / dir_name / filename
+
+            extract_crate_tarball_contents(tarball_path, crate_out_dir)
+
+            # non-git based crates need the package checksum at minimum
+            with open(crate_out_dir / ".cargo-checksum.json", "w") as f:
+                json.dump({"files": {}, "package": pkg["checksum"]}, f)
+
+        else:
+            raise Exception(f"Can't process source: {source}.")
+
+
+def main() -> None:
+    subcommand = sys.argv[1]
+
+    subcommand_func_dict = {
+        "create-vendor-staging": lambda: create_vendor_staging(lockfile_path=Path(sys.argv[2]), out_dir=Path(sys.argv[3])),
+        "create-vendor": lambda: create_vendor(vendor_staging_dir=Path(sys.argv[2]), out_dir=Path(sys.argv[3]))
+    }
+
+    subcommand_func = subcommand_func_dict.get(subcommand)
+
+    if subcommand_func is None:
+        raise Exception(f"Unknown subcommand: '{subcommand}'. Must be one of {list(subcommand_func_dict.keys())}")
+
+    subcommand_func()
+
+
+if __name__ == "__main__":
+    main()

pkgs/build-support/rust/fetch-cargo-vendor-util.py

@@ -40,7 +40,6 @@ def create_http_session() -> requests.Session:
         status_forcelist=[500, 502, 503, 504]
     )
     session = requests.Session()
-    session.headers["User-Agent"] = "nixpkgs-fetchCargoVendor/2 (https://github.com/NixOS/nixpkgs)"
     session.mount('http://', HTTPAdapter(max_retries=retries))
     session.mount('https://', HTTPAdapter(max_retries=retries))
     return session
@@ -69,9 +68,7 @@ def get_download_url_for_tarball(pkg: dict[str, Any]) -> str:
     if pkg["source"] != "registry+https://github.com/rust-lang/crates.io-index":
         raise Exception("Only the default crates.io registry is supported.")
 
-    # Use static.crates.io (CDN) instead of crates.io/api to avoid the 1 req/sec
-    # rate limit on the API servers.
-    return f"https://static.crates.io/crates/{pkg["name"]}/{pkg["version"]}/download"
+    return f"https://crates.io/api/v1/crates/{pkg["name"]}/{pkg["version"]}/download"
 
 
 def download_tarball(session: requests.Session, pkg: dict[str, Any], out_dir: Path) -> None:
@@ -292,7 +289,6 @@ def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None:
     lockfile_version = get_lockfile_version(cargo_lock_toml)
 
     source_to_ind: dict[str, str] = {}
-    selector_to_ind: dict[tuple, str] = {}
     source_config = {}
     next_registry_ind = 0
     next_git_ind = 0
@@ -328,35 +324,24 @@ def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None:
             continue
 
         if source.startswith("git+"):
+            ind = f"git-{next_git_ind}"
+            next_git_ind += 1
             source_info = parse_git_source(source, lockfile_version)
             selector = make_git_source_selector(source_info)
-            selector_key = (source_info["url"], source_info["type"], source_info["value"])
-            if selector_key in selector_to_ind:
-                ind = selector_to_ind[selector_key]
-            else:
-                ind = f"git-{next_git_ind}"
-                next_git_ind += 1
-                selector_to_ind[selector_key] = ind
-                add_source_replacement(
-                    orig_key=f"original-source-{ind}",
-                    orig_selector=selector,
-                    vendored_key=f"vendored-source-{ind}",
-                    vendored_dir=f"@vendor@/source-{ind}"
-                )
         elif source.startswith("registry+") or source.startswith("sparse+"):
             ind = f"registry-{next_registry_ind}"
             next_registry_ind += 1
             selector = make_registry_source_selector(source)
-            add_source_replacement(
-                orig_key=f"original-source-{ind}",
-                orig_selector=selector,
-                vendored_key=f"vendored-source-{ind}",
-                vendored_dir=f"@vendor@/source-{ind}"
-            )
         else:
             raise Exception(f"Can't process source: {source}.")
 
         source_to_ind[source] = ind
+        add_source_replacement(
+            orig_key=f"original-source-{ind}",
+            orig_selector=selector,
+            vendored_key=f"vendored-source-{ind}",
+            vendored_dir=f"@vendor@/source-{ind}"
+        )
 
     config_path = out_dir / ".cargo" / "config.toml"
     config_path.parent.mkdir()

pkgs/build-support/rust/fetch-cargo-vendor.nix

@@ -3,7 +3,7 @@
   stdenvNoCC,
   runCommand,
   writers,
-  python3,
+  python3Packages,
   cargo,
   gitMinimal,
   nix-prefetch-git,
@@ -11,16 +11,6 @@
 }:
 
 let
-  python = python3.override {
-    self = python;
-    packageOverrides = final: prev: {
-      # The ast-serialize package, a dependency for mypy, depends on
-      # fetchCargoVendor and is part of the bootstrap chain for requests.
-      charset-normalizer = prev.charset-normalizer.override { withMypyc = false; };
-    };
-  };
-  python3Packages = python.pkgs;
-
   replaceWorkspaceValues = writers.writePython3Bin "replace-workspace-values" {
     libraries = with python3Packages; [
       tomli
@@ -47,18 +37,29 @@ let
     "hash"
   ];
 
-  fetchCargoVendorUtil = writers.writePython3Bin "fetch-cargo-vendor-util" {
-    libraries =
-      with python3Packages;
-      [
-        requests
-        tomli-w
-      ]
-      ++ requests.optional-dependencies.socks; # to support socks proxy envs like ALL_PROXY in requests
-    flakeIgnore = [
-      "E501"
-    ];
-  } (builtins.readFile ./fetch-cargo-vendor-util.py);
+  mkFetchCargoVendorUtil =
+    name: src:
+    writers.writePython3Bin name {
+      libraries =
+        with python3Packages;
+        [
+          requests
+          tomli-w
+        ]
+        ++ requests.optional-dependencies.socks; # to support socks proxy envs like ALL_PROXY in requests
+      flakeIgnore = [
+        "E501"
+      ];
+    } (builtins.readFile src);
+
+  # Separate util used only by the FOD `vendorStaging` stage below. Kept
+  # distinct from fetchCargoVendorUtil so that changes to the network-facing
+  # bits (User-Agent, download URL) don't invalidate the input-addressed
+  # `-vendor` stage and force a mass rebuild of every Rust package in nixpkgs.
+  # vendorStaging is an FOD, so swapping its util is free for consumers.
+  # TODO: unify with fetchCargoVendorUtil on the next `staging` cycle.
+  fetchCargoVendorUtilV2 = mkFetchCargoVendorUtil "fetch-cargo-vendor-util-v2" ./fetch-cargo-vendor-util-v2.py;
+  fetchCargoVendorUtil = mkFetchCargoVendorUtil "fetch-cargo-vendor-util" ./fetch-cargo-vendor-util.py;
 in
 
 {
@@ -78,7 +79,7 @@ let
       impureEnvVars = lib.fetchers.proxyImpureEnvVars;
 
       nativeBuildInputs = [
-        fetchCargoVendorUtil
+        fetchCargoVendorUtilV2
         cacert
         nix-prefetch-git'
       ]
@@ -91,7 +92,7 @@ let
           cd "$cargoRoot"
         fi
 
-        fetch-cargo-vendor-util create-vendor-staging ./Cargo.lock "$out"
+        fetch-cargo-vendor-util-v2 create-vendor-staging ./Cargo.lock "$out"
 
         runHook postBuild
       '';

pkgs/build-support/setup-hooks/wrap-gapps-hook/wrap-gapps-hook.sh

@@ -42,13 +42,11 @@ wrapGApp() {
     wrapProgram "$program" "${gappsWrapperArgs[@]}" "$@"
 }
 
-declare -gA wrapGAppsHookHasRunForOutput
-
 # Note: $gappsWrapperArgs still gets defined even if ${dontWrapGApps-} is set.
 wrapGAppsHook() {
-    # guard against running multiple times for the same output (e.g. due to propagation)
-    [ "${wrapGAppsHookHasRunForOutput["$output"]:-}" = 1 ] && return 0
-    wrapGAppsHookHasRunForOutput["$output"]=1
+    # guard against running multiple times (e.g. due to propagation)
+    [ -z "$wrapGAppsHookHasRun" ] || return 0
+    wrapGAppsHookHasRun=1
 
     if [[ -z "${dontWrapGApps:-}" ]]; then
         targetDirsThatExist=()

pkgs/by-name/ab/abseil-cpp_202505/package.nix

@@ -6,8 +6,6 @@
   gtest,
   static ? stdenv.hostPlatform.isStatic,
   cxxStandard ? null,
-  testers,
-  validatePkgConfig,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
@@ -32,19 +30,10 @@ stdenv.mkDerivation (finalAttrs: {
 
   strictDeps = true;
 
-  nativeBuildInputs = [
-    cmake
-    validatePkgConfig
-  ];
+  nativeBuildInputs = [ cmake ];
 
   buildInputs = [ gtest ];
 
-  passthru.tests = {
-    pkg-config = testers.hasPkgConfigModules {
-      package = finalAttrs.finalPackage;
-    };
-  };
-
   meta = {
     description = "Open-source collection of C++ code designed to augment the C++ standard library";
     homepage = "https://abseil.io/";
@@ -52,208 +41,5 @@ stdenv.mkDerivation (finalAttrs: {
     license = lib.licenses.asl20;
     platforms = lib.platforms.all;
     maintainers = [ lib.maintainers.GaetanLepage ];
-    pkgConfigModules = [
-      "absl_log_internal_check_op"
-      "absl_absl_check"
-      "absl_strerror"
-      "absl_common_policy_traits"
-      "absl_graphcycles_internal"
-      "absl_raw_hash_set"
-      "absl_random_internal_entropy_pool"
-      "absl_time_zone"
-      "absl_prefetch"
-      "absl_compressed_tuple"
-      "absl_nullability"
-      "absl_vlog_is_on"
-      "absl_utf8_for_code_point"
-      "absl_base_internal"
-      "absl_bad_variant_access"
-      "absl_flags_parse"
-      "absl_exponential_biased"
-      "absl_log_internal_nullstream"
-      "absl_log_internal_structured_proto"
-      "absl_log_internal_check_impl"
-      "absl_tracing_internal"
-      "absl_random_bit_gen_ref"
-      "absl_meta"
-      "absl_random_distributions"
-      "absl_numeric"
-      "absl_flat_hash_set"
-      "absl_random_internal_randen_hwaes_impl"
-      "absl_malloc_internal"
-      "absl_layout"
-      "absl_type_traits"
-      "absl_random_internal_mock_helpers"
-      "absl_log_streamer"
-      "absl_function_ref"
-      "absl_log"
-      "absl_dynamic_annotations"
-      "absl_non_temporal_memcpy"
-      "absl_random_internal_randen"
-      "absl_stacktrace"
-      "absl_log_internal_globals"
-      "absl_log_internal_strip"
-      "absl_atomic_hook"
-      "absl_flags_usage_internal"
-      "absl_log_internal_voidify"
-      "absl_synchronization"
-      "absl_debugging_internal"
-      "absl_bind_front"
-      "absl_crc_internal"
-      "absl_random_internal_platform"
-      "absl_flags_path_util"
-      "absl_hash_testing"
-      "absl_flags_commandlineflag_internal"
-      "absl_hashtable_debug"
-      "absl_hashtablez_sampler"
-      "absl_random_internal_randen_engine"
-      "absl_log_globals"
-      "absl_optional"
-      "absl_crc_cpu_detect"
-      "absl_demangle_internal"
-      "absl_node_hash_map"
-      "absl_core_headers"
-      "absl_statusor"
-      "absl_str_format_internal"
-      "absl_crc32c"
-      "absl_cordz_update_scope"
-      "absl_cordz_handle"
-      "absl_log_internal_nullguard"
-      "absl_numeric_representation"
-      "absl_log_internal_log_impl"
-      "absl_raw_hash_set_resize_impl"
-      "absl_random_internal_distribution_test_util"
-      "absl_kernel_timeout_internal"
-      "absl_random_internal_uniform_helper"
-      "absl_random_seed_sequences"
-      "absl_cordz_info"
-      "absl_spy_hash_state"
-      "absl_vlog_config_internal"
-      "absl_flags_program_name"
-      "absl_hashtable_debug_hooks"
-      "absl_crc_cord_state"
-      "absl_decode_rust_punycode"
-      "absl_debugging"
-      "absl_overload"
-      "absl_config"
-      "absl_random_internal_fast_uniform_bits"
-      "absl_raw_hash_map"
-      "absl_random_internal_randen_hwaes"
-      "absl_bad_any_cast"
-      "absl_variant"
-      "absl_has_ostream_operator"
-      "absl_span"
-      "absl_btree"
-      "absl_random_internal_distribution_caller"
-      "absl_failure_signal_handler"
-      "absl_any"
-      "absl_poison"
-      "absl_str_format"
-      "absl_cord"
-      "absl_random_internal_wide_multiply"
-      "absl_random_internal_pcg_engine"
-      "absl_flags_internal"
-      "absl_check"
-      "absl_random_internal_seed_material"
-      "absl_log_flags"
-      "absl_no_destructor"
-      "absl_low_level_hash"
-      "absl_hashtable_control_bytes"
-      "absl_periodic_sampler"
-      "absl_log_internal_format"
-      "absl_log_initialize"
-      "absl_random_internal_generate_real"
-      "absl_raw_logging_internal"
-      "absl_inlined_vector"
-      "absl_log_internal_log_sink_set"
-      "absl_log_internal_flags"
-      "absl_flat_hash_map"
-      "absl_scoped_mock_log"
-      "absl_cordz_functions"
-      "absl_random_mocking_bit_gen"
-      "absl_fast_type_id"
-      "absl_sample_recorder"
-      "absl_log_internal_message"
-      "absl_bits"
-      "absl_random_seed_gen_exception"
-      "absl_log_sink_registry"
-      "absl_flags_marshalling"
-      "absl_leak_check"
-      "absl_examine_stack"
-      "absl_status_matchers"
-      "absl_flags_commandlineflag"
-      "absl_absl_vlog_is_on"
-      "absl_any_invocable"
-      "absl_cleanup_internal"
-      "absl_log_severity"
-      "absl_random_internal_salted_seed_seq"
-      "absl_flags_config"
-      "absl_log_structured"
-      "absl_die_if_null"
-      "absl_fixed_array"
-      "absl_cord_internal"
-      "absl_endian"
-      "absl_strings_internal"
-      "absl_symbolize"
-      "absl_log_internal_config"
-      "absl_absl_log"
-      "absl_memory"
-      "absl_container_common"
-      "absl_compare"
-      "absl_civil_time"
-      "absl_int128"
-      "absl_log_internal_append_truncated"
-      "absl_cordz_statistics"
-      "absl_log_internal_fnmatch"
-      "absl_flags"
-      "absl_non_temporal_arm_intrinsics"
-      "absl_random_internal_traits"
-      "absl_base"
-      "absl_algorithm_container"
-      "absl_hash"
-      "absl_log_internal_conditions"
-      "absl_time"
-      "absl_node_slot_policy"
-      "absl_errno_saver"
-      "absl_random_internal_randen_slow"
-      "absl_charset"
-      "absl_bounded_utf8_length_sequence"
-      "absl_city"
-      "absl_bad_optional_access"
-      "absl_random_internal_nonsecure_base"
-      "absl_flags_usage"
-      "absl_utility"
-      "absl_iterator_traits_internal"
-      "absl_spinlock_wait"
-      "absl_pretty_function"
-      "absl_algorithm"
-      "absl_log_sink"
-      "absl_status"
-      "absl_demangle_rust"
-      "absl_node_hash_set"
-      "absl_hash_policy_traits"
-      "absl_flags_private_handle_accessor"
-      "absl_cord_test_helpers"
-      "absl_strings"
-      "absl_log_internal_proto"
-      "absl_inlined_vector_internal"
-      "absl_iterator_traits_test_helper_internal"
-      "absl_random_random"
-      "absl_flags_reflection"
-      "absl_scoped_set_env"
-      "absl_throw_delegate"
-      "absl_hash_function_defaults"
-      "absl_weakly_mixed_integer"
-      "absl_cleanup"
-      "absl_random_internal_iostream_state_saver"
-      "absl_cordz_sample_token"
-      "absl_cordz_update_tracker"
-      "absl_string_view"
-      "absl_hash_container_defaults"
-      "absl_random_internal_fastmath"
-      "absl_log_internal_structured"
-      "absl_container_memory"
-      "absl_log_entry"
-    ];
   };
 })

pkgs/by-name/ab/abseil-cpp_202508/package.nix

@@ -6,8 +6,6 @@
   gtest,
   static ? stdenv.hostPlatform.isStatic,
   cxxStandard ? null,
-  testers,
-  validatePkgConfig,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
@@ -37,19 +35,10 @@ stdenv.mkDerivation (finalAttrs: {
 
   strictDeps = true;
 
-  nativeBuildInputs = [
-    cmake
-    validatePkgConfig
-  ];
+  nativeBuildInputs = [ cmake ];
 
   buildInputs = [ gtest ];
 
-  passthru.tests = {
-    pkg-config = testers.hasPkgConfigModules {
-      package = finalAttrs.finalPackage.dev;
-    };
-  };
-
   meta = {
     description = "Open-source collection of C++ code designed to augment the C++ standard library";
     homepage = "https://abseil.io/";
@@ -57,99 +46,5 @@ stdenv.mkDerivation (finalAttrs: {
     license = lib.licenses.asl20;
     platforms = lib.platforms.all;
     maintainers = [ lib.maintainers.GaetanLepage ];
-    pkgConfigModules = [
-      "absl_base"
-      "absl_city"
-      "absl_civil_time"
-      "absl_cord_internal"
-      "absl_cord"
-      "absl_cordz_functions"
-      "absl_cordz_handle"
-      "absl_cordz_info"
-      "absl_cordz_sample_token"
-      "absl_crc_cord_state"
-      "absl_crc_cpu_detect"
-      "absl_crc_internal"
-      "absl_crc32c"
-      "absl_debugging_internal"
-      "absl_decode_rust_punycode"
-      "absl_demangle_internal"
-      "absl_demangle_rust"
-      "absl_die_if_null"
-      "absl_examine_stack"
-      "absl_exponential_biased"
-      "absl_failure_signal_handler"
-      "absl_flags_commandlineflag_internal"
-      "absl_flags_commandlineflag"
-      "absl_flags_config"
-      "absl_flags_internal"
-      "absl_flags_marshalling"
-      "absl_flags_parse"
-      "absl_flags_private_handle_accessor"
-      "absl_flags_program_name"
-      "absl_flags_reflection"
-      "absl_flags_usage_internal"
-      "absl_flags_usage"
-      "absl_graphcycles_internal"
-      "absl_hash"
-      "absl_hashtable_profiler"
-      "absl_hashtablez_sampler"
-      "absl_int128"
-      "absl_kernel_timeout_internal"
-      "absl_leak_check"
-      "absl_log_entry"
-      "absl_log_flags"
-      "absl_log_globals"
-      "absl_log_initialize"
-      "absl_log_internal_check_op"
-      "absl_log_internal_conditions"
-      "absl_log_internal_fnmatch"
-      "absl_log_internal_format"
-      "absl_log_internal_globals"
-      "absl_log_internal_log_sink_set"
-      "absl_log_internal_message"
-      "absl_log_internal_nullguard"
-      "absl_log_internal_proto"
-      "absl_log_internal_structured_proto"
-      "absl_log_severity"
-      "absl_log_sink"
-      "absl_malloc_internal"
-      "absl_periodic_sampler"
-      "absl_poison"
-      "absl_profile_builder"
-      "absl_random_distributions"
-      "absl_random_internal_distribution_test_util"
-      "absl_random_internal_entropy_pool"
-      "absl_random_internal_platform"
-      "absl_random_internal_randen_hwaes_impl"
-      "absl_random_internal_randen_hwaes"
-      "absl_random_internal_randen_slow"
-      "absl_random_internal_randen"
-      "absl_random_internal_seed_material"
-      "absl_random_seed_gen_exception"
-      "absl_random_seed_sequences"
-      "absl_raw_hash_set"
-      "absl_raw_logging_internal"
-      "absl_scoped_mock_log"
-      "absl_scoped_set_env"
-      "absl_spinlock_wait"
-      "absl_stacktrace"
-      "absl_status_matchers"
-      "absl_status"
-      "absl_statusor"
-      "absl_str_format_internal"
-      "absl_strerror"
-      "absl_string_view"
-      "absl_strings_internal"
-      "absl_strings"
-      "absl_symbolize"
-      "absl_synchronization"
-      "absl_throw_delegate"
-      "absl_time_zone"
-      "absl_time"
-      "absl_tracing_internal"
-      "absl_utf8_for_code_point"
-      "absl_vlog_config_internal"
-    ];
   };
 })

pkgs/by-name/af/afew/package.nix

@@ -19,7 +19,7 @@ python3Packages.buildPythonApplication (finalAttrs: {
 
   nativeBuildInputs = with python3Packages; [
     sphinxHook
-    setuptools_80
+    setuptools
     setuptools-scm
   ];
 

pkgs/by-name/al/alerta-server/package.nix

@@ -7,16 +7,14 @@
 python3.pkgs.buildPythonApplication (finalAttrs: {
   pname = "alerta-server";
   version = "9.0.1";
-  pyproject = true;
+  format = "setuptools";
 
   src = fetchPypi {
     inherit (finalAttrs) pname version;
     hash = "sha256-v4+0l5Sx9RTxmNFnKCoKrWFl1xu1JIRZ/kiI6zi/y0I=";
   };
 
-  build-system = [ python3.pkgs.setuptools_80 ];
-
-  dependencies = with python3.pkgs; [
+  propagatedBuildInputs = with python3.pkgs; [
     bcrypt
     blinker
     cryptography

pkgs/by-name/am/amf-headers/package.nix

@@ -6,13 +6,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "amf-headers";
-  version = "1.5.2";
+  version = "1.5.0";
 
   src = fetchFromGitHub {
     owner = "GPUOpen-LibrariesAndSDKs";
     repo = "AMF";
     tag = "v${finalAttrs.version}";
-    sha256 = "sha256-+jVYm/Zmt+1bzKnKTiClgoMRsyhqpuKZj79DvGHpPTM=";
+    sha256 = "sha256-ZVC1e4S5CNpfl3ewHR9aVfYwxDBE7/BJ6OyH2kF00fQ=";
   };
 
   installPhase = ''

pkgs/by-name/ap/apparmor-parser/package.nix

@@ -6,8 +6,6 @@
   bison,
   linuxHeaders ? stdenv.cc.libc.linuxHeaders,
   buildPackages,
-  zstd,
-  fetchpatch,
 
   # apparmor deps
   libapparmor,
@@ -25,27 +23,17 @@ stdenv.mkDerivation (finalAttrs: {
 
   postPatch = ''
     patchShebangs .
-
-    substituteInPlace init/rc.apparmor.functions \
-      --replace-fail "/sbin/apparmor_parser" "$out/bin/apparmor_parser" \
-      --replace-fail "/usr/sbin/aa-status" "${lib.getExe' apparmor-bin-utils "aa-status"}"
-    sed -i init/rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}'
-
     cd parser
 
     substituteInPlace Makefile \
       --replace-fail "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h"
+    substituteInPlace rc.apparmor.functions \
+      --replace-fail "/sbin/apparmor_parser" "$out/bin/apparmor_parser" # FIXME
+    substituteInPlace rc.apparmor.functions \
+      --replace-fail "/usr/sbin/aa-status" "${lib.getExe' apparmor-bin-utils "aa-status"}"
+    sed -i rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}'
   '';
 
-  patches = [
-    (fetchpatch {
-      # https://gitlab.com/apparmor/apparmor/-/merge_requests/2133
-      # Patches generated yacc parser code to compile with format-security
-      url = "https://gitlab.com/apparmor/apparmor/-/commit/6bdec74d5e74660b97e00b4b8fafc014b05907b7.diff";
-      hash = "sha256-7c5EFByrGIDj2lc31bRttyeybwndDm4iS4qdPMVaG/I=";
-    })
-  ];
-
   nativeBuildInputs = [
     bison
     flex
@@ -54,7 +42,6 @@ stdenv.mkDerivation (finalAttrs: {
 
   buildInputs = [
     libapparmor
-    zstd
     runtimeShellPackage
   ];
 

pkgs/by-name/ap/apparmor-profiles/package.nix

@@ -1,9 +1,7 @@
 {
-  lib,
   stdenv,
   which,
   callPackage,
-  python3,
 
   # apparmor deps
   libapparmor,
@@ -30,16 +28,9 @@ stdenv.mkDerivation {
     apparmor-utils
   ];
 
-  checkInputs = [
-    python3
-  ];
-
   preCheck = ''
     export USE_SYSTEM=1
     export LOGPROF="aa-logprof --configdir ${callPackage ./test_config.nix { }} --no-check-mountpoint"
-    patchShebangs ../parser/tst
-    substituteInPlace ../parser/tst/test_profile.py \
-      --replace-fail '../parser/apparmor_parser' '${lib.getExe apparmor-parser}'
   '';
 
   doCheck = true;

pkgs/by-name/ap/apple-sdk/metadata/versions.json

@@ -17,10 +17,10 @@
   },
   "26": {
     "urls": [
-      "https://swcdn.apple.com/content/downloads/09/08/047-91568-A_Y1CFZWQCD4/4xekpyz43i26dbp4enxfro8eb1q7wiujh5/CLTools_macOSNMOS_SDK.pkg",
-      "https://web.archive.org/web/20260512015547/https://swcdn.apple.com/content/downloads/09/08/047-91568-A_Y1CFZWQCD4/4xekpyz43i26dbp4enxfro8eb1q7wiujh5/CLTools_macOSNMOS_SDK.pkg"
+      "https://swcdn.apple.com/content/downloads/32/53/047-96692-A_OAHIHT53YB/ybtshxmrcju8m2qvw3w5elr4rajtg1x3y3/CLTools_macOSNMOS_SDK.pkg",
+      "https://web.archive.org/web/20260406133131/https://swcdn.apple.com/content/downloads/32/53/047-96692-A_OAHIHT53YB/ybtshxmrcju8m2qvw3w5elr4rajtg1x3y3/CLTools_macOSNMOS_SDK.pkg"
     ],
-    "version": "26.5",
-    "hash": "sha256-IkDNtiO7PP4GI6OszCNWE1Xb4iepCUKwQHYUyc9NgNA="
+    "version": "26.4",
+    "hash": "sha256-7nrbCv1pNlpzEqwZWVfUPCvDfXEJJNOl7ApkeFpIOC0="
   }
 }

pkgs/by-name/as/assimp/package.nix

@@ -9,7 +9,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "assimp";
-  version = "6.0.5";
+  version = "6.0.4";
   outputs = [
     "out"
     "lib"
@@ -20,7 +20,7 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "assimp";
     repo = "assimp";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-QWBi1pl5C76UtPhB6SmFipm9oEdnfhELMT3MqfV6oxg=";
+    hash = "sha256-ryTgsN0z9BZBz7i9aUMKuneN5oqfxpduwJlb+Q0q3Mk=";
   };
 
   postPatch = ''

pkgs/by-name/at/at-spi2-core/package.nix

@@ -29,7 +29,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "at-spi2-core";
-  version = "2.60.4";
+  version = "2.60.1";
 
   outputs = [
     "out"
@@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   src = fetchurl {
     url = "mirror://gnome/sources/at-spi2-core/${lib.versions.majorMinor finalAttrs.version}/at-spi2-core-${finalAttrs.version}.tar.xz";
-    hash = "sha256-Gh9bqYBZF/QfxqpoI9z4h6KR1gekJ+LVr7a136ZQcMc=";
+    hash = "sha256-+ZuH48FnT1+8QXzJwdniYcDymqsFUK1jaYBQMdEvaFI=";
   };
 
   nativeBuildInputs = [

pkgs/by-name/au/audit/package.nix

@@ -30,13 +30,13 @@
 }:
 stdenv.mkDerivation (finalAttrs: {
   pname = "audit";
-  version = "4.1.4";
+  version = "4.1.2-unstable-2025-09-06"; # fixes to non-static builds right after 4.1.2 release
 
   src = fetchFromGitHub {
     owner = "linux-audit";
     repo = "audit-userspace";
-    tag = "v${finalAttrs.version}";
-    hash = "sha256-GdJ9nzlDAdOazOHH/YWuEoELrJh+G5ZJUKwIqAKAzpo=";
+    rev = "cb13fe75ee2c36d5c525ed9de22aae10dbc8caf4";
+    hash = "sha256-NX0TWA+LtcZgbM9aQfokWv2rGNAAb3ksGqAH8URAkYM=";
   };
 
   postPatch = ''
@@ -132,6 +132,10 @@ stdenv.mkDerivation (finalAttrs: {
   # Instead, we load audit rules in a dedicated module.
   postFixup = ''
     moveToOutput bin/augenrules $scripts
+    substituteInPlace $scripts/bin/augenrules \
+      --replace-fail "/sbin/auditctl -R" "$bin/bin/auditctl -R" \
+      --replace-fail "auditctl -s" "$bin/bin/auditctl -s" \
+      --replace-fail "/bin/ls" "ls"
     wrapProgram $scripts/bin/augenrules \
       --prefix PATH : ${
         lib.makeBinPath [

pkgs/by-name/av/avahi/package.nix

@@ -11,7 +11,6 @@
   expat,
   gettext,
   glib,
-  autoconf-archive,
   autoreconfHook,
   libiconv,
   libevent,
@@ -181,12 +180,6 @@ stdenv.mkDerivation rec {
 
   ];
 
-  postPatch = ''
-    # Remove the vendored ACX_PTHREAD macro in favor of the more up-to-date
-    # implementation from autoconf-archive, especially to support static builds.
-    rm common/acx_pthread.m4
-  '';
-
   depsBuildBuild = [
     pkg-config
   ];
@@ -195,7 +188,6 @@ stdenv.mkDerivation rec {
     pkg-config
     gettext
     glib
-    autoconf-archive
     autoreconfHook
   ];
 

pkgs/by-name/bm/bmake/package.nix

@@ -67,8 +67,6 @@ stdenv.mkDerivation (finalAttrs: {
     ) "export"
   );
 
-  __structuredAttrs = true;
-
   strictDeps = true;
 
   doCheck = true;
@@ -95,11 +93,7 @@ stdenv.mkDerivation (finalAttrs: {
   installPhase = ''
     runHook preInstall
 
-    # `boot-strap op=install` runs the built bmake, which breaks cross builds.
-    install -Dm755 bmake $out/bin/bmake
-    install -Dm644 bmake.1 $man/share/man/man1/bmake.1
-    install -Dm755 -d $out/share/mk
-    sh mk/install-mk -v -m 444 $out/share/mk
+    ./boot-strap --prefix=$out -o . op=install
 
     runHook postInstall
   '';

pkgs/by-name/bo/boost-build/package.nix

@@ -35,9 +35,7 @@ stdenv.mkDerivation {
   patches =
     useBoost.boostBuildPatches or [ ]
     ++ lib.optional (
-      useBoost ? version
-      && lib.versionAtLeast useBoost.version "1.81"
-      && lib.versionOlder useBoost.version "1.88"
+      useBoost ? version && lib.versionAtLeast useBoost.version "1.81"
     ) ./fix-clang-target.patch;
 
   postPatch =

pkgs/by-name/by/byacc/package.nix

@@ -6,14 +6,14 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "byacc";
-  version = "20260126";
+  version = "20241231";
 
   src = fetchurl {
     urls = [
       "https://invisible-mirror.net/archives/byacc/byacc-${finalAttrs.version}.tgz"
       "https://invisible-island.net/archives/byacc/byacc-${finalAttrs.version}.tgz"
     ];
-    hash = "sha256-thjF+0TC9fBIhD25D30bJPePR7B5E8jHuoyULT6ySwA=";
+    hash = "sha256-GSwvrgSNTn9RS6RRYn+cTmEnZQmfgZwZGR+f3j5glnM=";
   };
 
   configureFlags = [

pkgs/by-name/ca/cargo-c/package.nix

@@ -12,19 +12,19 @@
 
 let
   # this version may need to be updated along with package version
-  cargoVersion = "0.96.0";
+  cargoVersion = "0.93.0";
 in
 rustPlatform.buildRustPackage (finalAttrs: {
   pname = "cargo-c";
-  version = "0.10.22";
+  version = "0.10.19";
 
   src = fetchCrate {
     inherit (finalAttrs) pname;
     version = "${finalAttrs.version}+cargo-${cargoVersion}";
-    hash = "sha256-yqSrpBZUa0NmsPawYKKgywmbbG4zgguwfDF667s7zdo=";
+    hash = "sha256-PrBmB+0tmU2MAUnRr+wx4g9hu0Y9i6WfR8U89bwiLVY=";
   };
 
-  cargoHash = "sha256-yeJWZtkgCRB0ipyTslsGcJi9Fi/XoWziuv74exRhAIk=";
+  cargoHash = "sha256-EM/vAfW/ucOfK/XmAQn9Zk75eFb7pp8uZoByKbALCyo=";
 
   nativeBuildInputs = [
     pkg-config

pkgs/by-name/ca/catch2_3/package.nix

@@ -9,13 +9,13 @@
 
 stdenv.mkDerivation rec {
   pname = "catch2";
-  version = "3.15.0";
+  version = "3.14.0";
 
   src = fetchFromGitHub {
     owner = "catchorg";
     repo = "Catch2";
     tag = "v${version}";
-    hash = "sha256-1GBzS8jgJXb82BMMRuHWqszB1Xwg6wohmCuINWE7QoU=";
+    hash = "sha256-tegAa+cNF7pJcW33B+VZ86ZlDG7dwS3o6QnN/XvTI2A=";
   };
 
   patches = lib.optionals stdenv.cc.isClang [

pkgs/by-name/cm/cmocka/package.nix

@@ -7,11 +7,11 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "cmocka";
-  version = "2.0.2";
+  version = "2.0.1";
 
   src = fetchurl {
     url = "https://cmocka.org/files/${lib.versions.majorMinor finalAttrs.version}/cmocka-${finalAttrs.version}.tar.xz";
-    hash = "sha256-OfkvNmvfPxoCr02nW0pcUt9sn35zbH1l3hMoP58O9BY=";
+    hash = "sha256-PzUzOCuimrOr9cT0snt50WXw31HqWH3nSbEbaLQBkYA=";
   };
 
   patches = [

pkgs/by-name/cu/curlMinimal/fix-wakeup-consumption.patch

@@ -1,32 +0,0 @@
-From 2a2104f3cff44bb28bb570a093be52bbeeed8f23 Mon Sep 17 00:00:00 2001
-From: Stefan Eissing <stefan@eissing.org>
-Date: Mon, 11 May 2026 14:56:04 +0200
-Subject: [PATCH] event: fix wakeup consumption
-
-The events on a multi wakeup socketpair were only consumed via
-curl_multi_poll()/curl_multi_wait() but not in event based processing on
-a curl_multi_socket() call. That led to busy loops as reported in
-
-Fixes #21547
-Reported-by: Earnestly on github
-Closes #21549
----
- lib/multi.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/lib/multi.c b/lib/multi.c
-index be32740a7097..5e84133f13fd 100644
---- a/lib/multi.c
-+++ b/lib/multi.c
-@@ -2703,6 +2703,11 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
-   Curl_uint32_bset_remove(&multi->dirty, data->mid);
- 
-   if(data == multi->admin) {
-+#ifdef ENABLE_WAKEUP
-+    /* Consume any pending wakeup signals before processing.
-+     * This is necessary for event based processing. See #21547 */
-+    (void)Curl_wakeup_consume(multi->wakeup_pair, TRUE);
-+#endif
- #ifdef USE_RESOLV_THREADED
-     Curl_async_thrdd_multi_process(multi);
- #endif

pkgs/by-name/cu/curlMinimal/package.nix

@@ -96,13 +96,6 @@ stdenv.mkDerivation (finalAttrs: {
     hash = "sha256-Y/4twUi6DOromSLvg49+XJRicsLni3xZ+rS3nTziuJY=";
   };
 
-  patches = [
-    # https://github.com/curl/curl/commit/2a2104f3cff44bb28bb570a093be52bbeeed8f23
-    # According to <https://curl.se/mail/distros-2026-05/0000.html>, this fixes
-    # a performance regression, causing high CPU usage
-    ./fix-wakeup-consumption.patch
-  ];
-
   # this could be accomplished by updateAutotoolsGnuConfigScriptsHook, but that causes infinite recursion
   # necessary for FreeBSD code path in configure
   postPatch = ''
@@ -122,7 +115,6 @@ stdenv.mkDerivation (finalAttrs: {
   enableParallelBuilding = true;
 
   strictDeps = true;
-  __structuredAttrs = true;
 
   env = {
     CXX = "${stdenv.cc.targetPrefix}c++";

pkgs/by-name/da/dash/package.nix

@@ -15,11 +15,11 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "dash";
-  version = "0.5.13.4";
+  version = "0.5.13.3";
 
   src = fetchurl {
     url = "http://gondor.apana.org.au/~herbert/dash/files/dash-${finalAttrs.version}.tar.gz";
-    hash = "sha256-0Q39Qc2lkWVWDbOcqRXCxKdjb/8EKB2NLfd62Sx1Pis=";
+    hash = "sha256-qDcnwSmaxMPZ1Dl5OTs6TrACddVjauAlJueXnVHW+9E=";
   };
 
   strictDeps = true;

pkgs/by-name/db/dbus/package.nix

@@ -129,9 +129,6 @@ stdenv.mkDerivation (finalAttrs: {
     "-Dselinux=disabled"
   ]
   ++ lib.optionals stdenv.hostPlatform.isDarwin [
-    # D-Bus defaults to launchd-activation on Darwin, but that requires the launch agent be installed. It also breaks
-    # anything that uses `dbus-run-session` in tests. Changing the default aligns Darwin with other UNIX platforms.
-    "-Ddbus_session_bus_listen_address=unix:tmpdir=/tmp"
     # `launchctl` is only needed at runtime. Lie to `find_program` because it will always be present on a Darwin host.
     "--cross-file=${writeText "darwin.ini" ''
       [binaries]
@@ -159,14 +156,6 @@ stdenv.mkDerivation (finalAttrs: {
       --replace-fail 'DBUS_DAEMONDIR"/dbus-daemon"' '"/run/current-system/sw/bin/dbus-daemon"'
   '';
 
-  postInstall = lib.optionalString stdenv.hostPlatform.isDarwin ''
-    # For some reason, only these binaries reference the dylib by rpath instead of by an absolute install name.
-    for exe in bin/dbus-daemon bin/dbus-run-session libexec/dbus-daemon-launch-helper; do
-      install_name_tool "$out/$exe" \
-        -change "@rpath/libdbus-1.3.dylib" "$lib/lib/libdbus-1.3.dylib"
-    done
-  '';
-
   postFixup = ''
     # It's executed from $lib by absolute path
     moveToOutput bin/dbus-launch "$lib"

pkgs/by-name/dj/djvulibre/package.nix

@@ -11,11 +11,11 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "djvulibre";
-  version = "3.5.30";
+  version = "3.5.29";
 
   src = fetchurl {
     url = "mirror://sourceforge/djvu/djvulibre-${finalAttrs.version}.tar.gz";
-    hash = "sha256-7l5FfUz+vlZvlLmeXj08x/XHndt0HCrCui5FbwAylkQ=";
+    hash = "sha256-07SwOuK9yoUWo2726ye3d/BSjJ7aJnRdmWKCSj/f7M8=";
   };
 
   outputs = [

pkgs/by-name/do/doctest/package.nix

@@ -7,13 +7,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "doctest";
-  version = "2.5.2";
+  version = "2.5.0";
 
   src = fetchFromGitHub {
     owner = "doctest";
     repo = "doctest";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-4jW6xPFCFxk1l47EkSUVojhycrtluPhOc5Adf/25R7M=";
+    hash = "sha256-7t/eknv7VtHoBgcuJmI07x//HIyqzE9HUuH5u2y7X8A=";
   };
 
   nativeBuildInputs = [ cmake ];
@@ -27,7 +27,6 @@ stdenv.mkDerivation (finalAttrs: {
   doCheck = true;
 
   meta = {
-    changelog = "https://github.com/doctest/doctest/releases/tag/${finalAttrs.src.tag}";
     homepage = "https://github.com/doctest/doctest";
     description = "Fastest feature-rich C++11/14/17/20 single-header testing framework";
     platforms = lib.platforms.all;

pkgs/by-name/do/double-conversion/package.nix

@@ -2,6 +2,7 @@
   stdenv,
   lib,
   fetchFromGitHub,
+  fetchpatch,
   cmake,
   ninja,
   ctestCheckHook,
@@ -10,15 +11,34 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "double-conversion";
-  version = "3.4.0";
+  version = "3.3.1";
 
   src = fetchFromGitHub {
     owner = "google";
     repo = "double-conversion";
-    tag = "v${finalAttrs.version}";
-    hash = "sha256-gxaPqQ51RyXZaTHkvh4RBpedPopcRiuWDoT+PPbI1uw=";
+    rev = "v${finalAttrs.version}";
+    sha256 = "sha256-M80H+azCzQYa4/gBLWv5GNNhEuHsH7LbJ/ajwmACnrM=";
   };
 
+  patches = [
+    # Fix the build with CMake 4.
+    (fetchpatch {
+      name = "double-conversion-fix-cmake-4-1.patch";
+      url = "https://github.com/google/double-conversion/commit/101e1ba89dc41ceb75090831da97c43a76cd2906.patch";
+      hash = "sha256-VRmuNXdzt/I+gWbz5mwWkx5IGn8Vsl9WkdwRsuwZdkU=";
+    })
+    (fetchpatch {
+      name = "double-conversion-fix-cmake-4-2.patch";
+      url = "https://github.com/google/double-conversion/commit/0604b4c18815aadcf7f4b78dfa6bfcb91a634ed7.patch";
+      hash = "sha256-cJBp1ou1O/bMQ/7kvcX52dWbUdhmPfQ9aWmEhQdyhis=";
+    })
+    (fetchpatch {
+      name = "double-conversion-add-pkg-config.patch";
+      url = "https://github.com/google/double-conversion/commit/ddfd18c58ecc32fc74afc1083bb8774240b54efb.patch";
+      hash = "sha256-/pKCL19vS8fNwCm27yTNP+32ApHTH5dEGpnsMI11Lf4=";
+    })
+  ];
+
   outputs = [
     "out"
     "dev"
@@ -48,7 +68,6 @@ stdenv.mkDerivation (finalAttrs: {
 
   meta = {
     pkgConfigModules = [ "double-conversion" ];
-    changelog = "https://github.com/google/double-conversion/blob/${finalAttrs.src.tag}/Changelog";
     description = "Binary-decimal and decimal-binary routines for IEEE doubles";
     homepage = "https://github.com/google/double-conversion";
     license = lib.licenses.bsd3;

pkgs/by-name/do/doxygen/package.nix

@@ -16,13 +16,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "doxygen";
-  version = "1.17.0";
+  version = "1.16.1";
 
   src = fetchFromGitHub {
     owner = "doxygen";
     repo = "doxygen";
     tag = "Release_${lib.replaceStrings [ "." ] [ "_" ] finalAttrs.version}";
-    hash = "sha256-SSq/sFB9y2CFMeL58vgcHa2ulo+tPPUGT347ABoHoD4=";
+    hash = "sha256-MszJpYdXaC8BYK1lSV1LpJncKN1LrFoyJXZajpz0HIA=";
   };
 
   # https://github.com/doxygen/doxygen/issues/10928#issuecomment-2179320509

pkgs/by-name/du/duplicity/package.nix

@@ -75,17 +75,20 @@ let
       glib
     ];
 
-    pythonPath = with python3.pkgs; [
-      b2sdk
-      boto3
-      idna
-      pygobject3
-      fasteners
-      paramiko
-      pexpect
-      # Currently marked as broken.
-      # pydrive2
-    ];
+    pythonPath =
+      with python3.pkgs;
+      [
+        b2sdk
+        boto3
+        idna
+        pygobject3
+        fasteners
+        paramiko
+        pexpect
+        # Currently marked as broken.
+        # pydrive2
+      ]
+      ++ paramiko.optional-dependencies.invoke;
 
     nativeCheckInputs = [
       gnupg # Add 'gpg' to PATH.

pkgs/by-name/e2/e2fsprogs/package.nix

@@ -3,6 +3,7 @@
   stdenv,
   buildPackages,
   fetchurl,
+  fetchpatch,
   pkg-config,
   libuuid,
   gettext,
@@ -19,15 +20,25 @@
 
 stdenv.mkDerivation rec {
   pname = "e2fsprogs";
-  version = "1.47.4";
+  version = "1.47.3";
 
   __structuredAttrs = true;
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/people/tytso/e2fsprogs/v${version}/e2fsprogs-${version}.tar.xz";
-    hash = "sha256-/VvziMvb4Aaj07MY2YOylIOCRArMhah/Hn0QhlPo2ws=";
+    hash = "sha256-hX5u+AD+qiu0V4+8gQIUvl08iLBy6lPFOEczqWVzcyk=";
   };
 
+  patches = [
+    # Upstream patch that fixes musl build (and probably others).
+    # Should be included in next release after 1.47.3.
+    (fetchpatch {
+      name = "stdio-portability.patch";
+      url = "https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/patch/?id=f79abd8554e600eacc2a7c864a8332b670c9e262";
+      hash = "sha256-zZ7zmSMTwGyS3X3b/D/mVG0bV2ul5xtY5DJx9YUvQO8=";
+    })
+  ];
+
   # fuse2fs adds 14mb of dependencies
   outputs = [
     "bin"

pkgs/by-name/el/elfutils/package.nix

@@ -28,11 +28,11 @@
 # TODO: Look at the hardcoded paths to kernel, modules etc.
 stdenv.mkDerivation (finalAttrs: {
   pname = "elfutils";
-  version = "0.195";
+  version = "0.194";
 
   src = fetchurl {
     url = "https://sourceware.org/elfutils/ftp/${finalAttrs.version}/elfutils-${finalAttrs.version}.tar.bz2";
-    hash = "sha256-N2Kf338fPcKBjhOPyiuAlBd9bC0PcB07tlClYSGNwCY=";
+    hash = "sha256-CeL/Az05uqiziKLX+8U5C/3pmuO3xnx9qvdDP7zw8B4=";
   };
 
   patches = [
@@ -57,6 +57,13 @@ stdenv.mkDerivation (finalAttrs: {
       url = "https://git.alpinelinux.org/aports/plain/main/elfutils/musl-strndupa.patch?id=2e3d4976eeffb4704cf83e2cc3306293b7c7b2e9";
       sha256 = "sha256-7daehJj1t0wPtQzTv+/Rpuqqs5Ng/EYnZzrcf2o/Lb0=";
     })
+    (fetchpatch {
+      name = "fix-aarch64_attributes.patch";
+      url = "https://sourceware.org/git/?p=elfutils.git;a=patch;h=b27adc5262e807f341ca0a4910ce04294144f79a";
+      hash = "sha256-hksO5HXL9Jv5E4o2rI4NAgQp+4z+Lg7Wn/AdW7fpr0c=";
+    })
+    # https://patchwork.sourceware.org/project/elfutils/patch/20251205145241.1165646-1-arnout@bzzt.net/
+    ./test-run-sysroot-reliability.patch
   ]
   ++ lib.optionals stdenv.hostPlatform.isMusl [ ./musl-error_h.patch ];
 

pkgs/by-name/el/elfutils/test-run-sysroot-reliability.patch

@@ -0,0 +1,44 @@
+commit 898804bed022d1ef26e5c0b12550f87fc86f29ed
+Author: Arnout Engelen <arnout@bzzt.net>
+Date:   Thu Dec 4 21:42:40 2025 +0100
+
+    tests: improve reliability of run-sysroot.sh
+    
+    Previously, the 'second' test would test the `RESOLVE_IN_ROOT` feature
+    when the current libc supports it, even when the currently running
+    kernel did not yet support it.
+    
+    Signed-off-by: Arnout Engelen <arnout@bzzt.net>
+
+diff --git a/tests/run-sysroot.sh b/tests/run-sysroot.sh
+index fe302446..d2041e8a 100755
+--- a/tests/run-sysroot.sh
++++ b/tests/run-sysroot.sh
+@@ -46,10 +46,14 @@ TID 431185:
+ #8  0x0000aaaae56127f0 _start
+ EOF
+ 
+-HAVE_OPENAT2=$(grep '^#define HAVE_OPENAT2_RESOLVE_IN_ROOT' \
+-                    ${abs_builddir}/../config.h | awk '{print $3}')
++libc_has_openat2_resolve_in_root() {
++  grep '^#define HAVE_OPENAT2_RESOLVE_IN_ROOT' ${abs_builddir}/../config.h | awk '{print $3}'
++}
++kernel_has_openat2_resolve_in_root() {
++  printf "%s\n%s" "5.6.0" "$(uname -r)" | sort -V -C
++}
+ 
+-if [[ "$HAVE_OPENAT2" = 1 ]]; then
++if libc_has_openat2_resolve_in_root && kernel_has_openat2_resolve_in_root; then
+     # Change the layout of files in sysroot to test symlink escape scenario
+     rm -f "${tmpdir}/sysroot/bin"
+     mkdir "${tmpdir}/sysroot/bin"
+@@ -57,7 +61,8 @@ if [[ "$HAVE_OPENAT2" = 1 ]]; then
+     ln -s /bin/bash "${tmpdir}/sysroot/usr/bin/bash"
+ 
+     # Check that stack with --sysroot generates correct backtrace even if target
+-    # binary is actually absolute symlink pointing outside of sysroot directory
++    # binary is actually absolute symlink to be interpreted relative to the sysroot
++    # directory
+     testrun "${abs_top_builddir}"/src/stack --core "${tmpdir}/core.bash" \
+ 	    --sysroot "${tmpdir}/sysroot" >"${tmpdir}/stack.out"
+ 

pkgs/by-name/ex/expat/package.nix

@@ -18,7 +18,7 @@
 # files.
 
 let
-  version = "2.8.1";
+  version = "2.8.0";
   tag = "R_${lib.replaceStrings [ "." ] [ "_" ] version}";
 in
 stdenv.mkDerivation (finalAttrs: {
@@ -29,7 +29,7 @@ stdenv.mkDerivation (finalAttrs: {
     url =
       with finalAttrs;
       "https://github.com/libexpat/libexpat/releases/download/${tag}/${pname}-${version}.tar.xz";
-    hash = "sha256-ELGV7ngWCpCDiBgKj+NgPU6aEvR1X79fOBayOp11DaA=";
+    hash = "sha256-o3v64KqXdb2FIevYXcRW1Ibw/zETj2yR/ZAupzJiRUI=";
   };
 
   strictDeps = true;

pkgs/by-name/ff/fftw/package.nix

@@ -1,5 +1,6 @@
 {
   fetchurl,
+  fetchpatch,
   stdenv,
   lib,
   gfortran,
@@ -21,16 +22,24 @@ assert lib.elem precision [
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "fftw-${precision}";
-  version = "3.3.11";
+  version = "3.3.10";
 
   src = fetchurl {
     urls = [
       "https://fftw.org/fftw-${finalAttrs.version}.tar.gz"
       "ftp://ftp.fftw.org/pub/fftw/fftw-${finalAttrs.version}.tar.gz"
     ];
-    hash = "sha256-VjDCTN6zOxMWEvfrSxqZNCNHVPnziP+GF0WNC+byOaE=";
+    hash = "sha256-VskyVJhSzdz6/as4ILAgDHdCZ1vpIXnlnmIVs0DiZGc=";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "remove_missing_FFTW3LibraryDepends.patch";
+      url = "https://github.com/FFTW/fftw3/pull/338/commits/f69fef7aa546d4477a2a3fd7f13fa8b2f6c54af7.patch";
+      hash = "sha256-lzX9kAHDMY4A3Td8necXwYLcN6j8Wcegi3A7OIECKeU=";
+    })
+  ];
+
   outputs = [
     "out"
     "dev"
@@ -98,7 +107,6 @@ stdenv.mkDerivation (finalAttrs: {
   __structuredAttrs = true;
 
   meta = {
-    changelog = "https://github.com/FFTW/fftw3/blob/fftw-${finalAttrs.version}/NEWS";
     description = "Fastest Fourier Transform in the West library";
     homepage = "https://www.fftw.org/";
     license = lib.licenses.gpl2Plus;

pkgs/by-name/fl/fluidsynth/package.nix

@@ -13,13 +13,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "fluidsynth";
-  version = "2.5.4";
+  version = "2.5.3";
 
   src = fetchFromGitHub {
     owner = "FluidSynth";
     repo = "fluidsynth";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-uL9K2Bc5PA6qm/QVFvEUDyGBst9L/sNP0+HculCWCZk=";
+    hash = "sha256-k8IHS6Mh1b1iMSuBg3svlf7A2dsg6VHEKqlDhvyJnbo=";
     fetchSubmodules = true;
   };
 

pkgs/by-name/fr/freetype/package.nix

@@ -39,7 +39,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "freetype";
-  version = "2.14.3";
+  version = "2.14.2";
 
   src =
     let
@@ -47,7 +47,7 @@ stdenv.mkDerivation (finalAttrs: {
     in
     fetchurl {
       url = "mirror://savannah/freetype/freetype-${version}.tar.xz";
-      sha256 = "sha256-NrxPHMQTM1No7mVsQq/KZcWjmH6HaMwozxG6d154Wl8=";
+      sha256 = "sha256-S2Lcq0ySChqGA2mTMiGBQ2LmmeJvVXklFtZx5v9VteE=";
     };
 
   propagatedBuildInputs = [

pkgs/by-name/ga/game-music-emu/package.nix

@@ -8,14 +8,14 @@
 }:
 
 stdenv.mkDerivation (finalAttrs: {
-  version = "0.6.5";
+  version = "0.6.4";
   pname = "game-music-emu";
 
   src = fetchFromGitHub {
     owner = "libgme";
     repo = "game-music-emu";
     tag = finalAttrs.version;
-    hash = "sha256-zn1t0oDj8hz/sfbG7lrstkv2Kf6cL7zAEMpIu9X4dyQ=";
+    hash = "sha256-qGNWFFUUjv2R5e/nQrriAyDJCARISqNB8e5/1zEJ3fk=";
   };
   nativeBuildInputs = [
     cmake

pkgs/by-name/gb/gbenchmark/package.nix

@@ -5,19 +5,18 @@
   cmake,
   ninja,
   gtest,
-  glibcLocales,
   prometheus-cpp,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "gbenchmark";
-  version = "1.9.5";
+  version = "1.9.4";
 
   src = fetchFromGitHub {
     owner = "google";
     repo = "benchmark";
-    tag = "v${finalAttrs.version}";
-    hash = "sha256-Mm4pG7zMB00iof32CxreoNBFnduPZTMp3reHMCIAFPQ=";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-P7wJcKkIBoWtN9FCRticpBzYbEZPq71a0iW/2oDTZRU=";
   };
 
   nativeBuildInputs = [
@@ -27,30 +26,20 @@ stdenv.mkDerivation (finalAttrs: {
 
   buildInputs = [ gtest ];
 
-  nativeCheckInputs = lib.optionals stdenv.hostPlatform.isLinux [ glibcLocales ];
-
   cmakeFlags = [
     (lib.cmakeBool "BENCHMARK_USE_BUNDLED_GTEST" false)
     (lib.cmakeBool "BENCHMARK_ENABLE_WERROR" false)
   ];
 
-  env = {
-    # We ran into issues with gtest 1.8.5 conditioning on
-    # `#if __has_cpp_attribute(maybe_unused)`, which was, for some
-    # reason, going through even when C++14 was being used and
-    # breaking the build on Darwin by triggering errors about using
-    # C++17 features.
-    #
-    # This might be a problem with our Clang, as it does not reproduce
-    # with Xcode, but we just work around it by silencing the warning.
-    NIX_CFLAGS_COMPILE = lib.optionalString stdenv.cc.isClang "-Wno-c++17-attribute-extensions";
-  }
-  // lib.optionalAttrs stdenv.hostPlatform.isLinux {
-    # For test:locale_impermeability_test
-    LANG = "en_US.UTF-8";
-    LC_ALL = "en_US.UTF-8";
-    LOCALE_ARCHIVE = "${glibcLocales}/lib/locale/locale-archive";
-  };
+  # We ran into issues with gtest 1.8.5 conditioning on
+  # `#if __has_cpp_attribute(maybe_unused)`, which was, for some
+  # reason, going through even when C++14 was being used and
+  # breaking the build on Darwin by triggering errors about using
+  # C++17 features.
+  #
+  # This might be a problem with our Clang, as it does not reproduce
+  # with Xcode, but we just work around it by silencing the warning.
+  env.NIX_CFLAGS_COMPILE = lib.optionalString stdenv.cc.isClang "-Wno-c++17-attribute-extensions";
 
   # Tests fail on 32-bit due to not enough precision
   doCheck = stdenv.hostPlatform.is64bit;
@@ -64,6 +53,6 @@ stdenv.mkDerivation (finalAttrs: {
     homepage = "https://github.com/google/benchmark";
     license = lib.licenses.asl20;
     platforms = lib.platforms.linux ++ lib.platforms.darwin ++ lib.platforms.freebsd;
-    maintainers = with lib.maintainers; [ miniharinn ];
+    maintainers = [ ];
   };
 })

pkgs/by-name/gd/gdb/package.nix

@@ -5,6 +5,7 @@
 
   # Build time
   fetchurl,
+  fetchpatch,
   pkg-config,
   perl,
   texinfo,
@@ -67,11 +68,11 @@ in
 
 stdenv.mkDerivation (finalAttrs: {
   inherit pname;
-  version = "17.2";
+  version = "17.1";
 
   src = fetchurl {
     url = "mirror://gnu/gdb/gdb-${finalAttrs.version}.tar.xz";
-    hash = "sha256-HANsDXLks9H7XJTIhjKt1vnXb018TS6nk8EqnxmjIow=";
+    hash = "sha256-FJlvX3TJ9o9aVD/cRbyngAIH+R+SrupsLnkYIsfG2HY=";
   };
 
   postPatch =
@@ -89,6 +90,17 @@ stdenv.mkDerivation (finalAttrs: {
 
   patches = [
     ./debug-info-from-env.patch
+
+    (fetchurl {
+      name = "musl.patch";
+      url = "https://inbox.sourceware.org/gdb-patches/20260324164527.1446549-2-sunilkumar.dora@windriver.com/raw";
+      hash = "sha256-FC4DDVS4wtE/HXtbUqvkxu9+e7nE3DYi1zIuQP9yQO8=";
+    })
+    (fetchpatch {
+      name = "musl-aarch64.patch";
+      url = "https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=1ccc3f6a2e28fa1f3357826374cba165b3ba3ff7";
+      hash = "sha256-Q2oTo2b+9yNN3PSsxqgxV4/9/05uFE/JMLe1CPs9Y7I=";
+    })
   ]
   ++ optionals stdenv.hostPlatform.isDarwin [
     ./darwin-target-match.patch

pkgs/by-name/gf/gflags/package.nix

@@ -2,21 +2,31 @@
   lib,
   stdenv,
   fetchFromGitHub,
+  fetchpatch,
   cmake,
   enableShared ? !stdenv.hostPlatform.isStatic,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "gflags";
-  version = "2.3.0";
+  version = "2.2.2";
 
   src = fetchFromGitHub {
     owner = "gflags";
     repo = "gflags";
-    tag = "v${finalAttrs.version}";
-    hash = "sha256-sud3c6XH24YA6vzGQ7LhSoiKycan5JYehC5l2gH6DEo=";
+    rev = "v${finalAttrs.version}";
+    sha256 = "147i3md3nxkjlrccqg4mq1kyzc7yrhvqv5902iibc7znkvzdvlp0";
   };
 
+  patches = [
+    # Fix the build with CMake 4.
+    (fetchpatch {
+      name = "gflags-fix-cmake-4.patch";
+      url = "https://github.com/gflags/gflags/commit/70c01a642f08734b7bddc9687884844ca117e080.patch";
+      hash = "sha256-TYdroBbF27Wvvm/rOahBEvhezuKCcxbtgh/ZhpA5ESo=";
+    })
+  ];
+
   nativeBuildInputs = [ cmake ];
 
   # This isn't used by the build and breaks the CMake build on case-insensitive filesystems (e.g., on Darwin)
@@ -38,7 +48,6 @@ stdenv.mkDerivation (finalAttrs: {
       It was owned by Google. google-gflags project has been renamed to gflags and maintained by new community.
     '';
     homepage = "https://gflags.github.io/gflags/";
-    changelog = "https://github.com/gflags/gflags/blob/${finalAttrs.src.tag}/ChangeLog.txt";
     license = lib.licenses.bsd3;
     maintainers = [ ];
     platforms = lib.platforms.all;

pkgs/by-name/gh/ghostscript/package.nix

@@ -67,13 +67,13 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "ghostscript${lib.optionalString x11Support "-with-X"}";
-  version = "10.07.1";
+  version = "10.07.0";
 
   src = fetchurl {
     url = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${
       lib.replaceStrings [ "." ] [ "" ] finalAttrs.version
     }/ghostscript-${finalAttrs.version}.tar.xz";
-    hash = "sha256-HNt2bejbjx5YnIF/CcWFXqX2XfyFQORlpprBTBhBYCU=";
+    hash = "sha256-3azk4XIflnpVA5uv9WSEAiXguqHU9UMiR8oczRRzt8E=";
   };
 
   patches = [
@@ -233,7 +233,6 @@ stdenv.mkDerivation (finalAttrs: {
 
   meta = {
     homepage = "https://www.ghostscript.com/";
-    changelog = "https://ghostscript.readthedocs.io/en/gs${finalAttrs.version}/News.html";
     description = "PostScript interpreter (mainline version)";
     longDescription = ''
       Ghostscript is the name of a set of tools that provides (i) an

pkgs/by-name/gi/giflib/CVE-2021-40633.patch

@@ -0,0 +1,26 @@
+From ccbc956432650734c91acb3fc88837f7b81267ff Mon Sep 17 00:00:00 2001
+From: "Eric S. Raymond" <esr@thyrsus.com>
+Date: Wed, 21 Feb 2024 18:55:00 -0500
+Subject: [PATCH] Clean up memory better at end of run (CVE-2021-40633)
+
+---
+ gif2rgb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index d51226d..fc2e683 100644
+--- a/gif2rgb.c
++++ b/gif2rgb.c
+@@ -517,6 +517,9 @@ static void GIF2RGB(int NumFiles, char *FileName, bool OneFileFlag,
+ 	DumpScreen2RGB(OutFileName, OneFileFlag, ColorMap, ScreenBuffer,
+ 	               GifFile->SWidth, GifFile->SHeight);
+ 
++	for (i = 0; i < GifFile->SHeight; i++) {
++        	(void)free(ScreenBuffer[i]);
++	}
+ 	(void)free(ScreenBuffer);
+ 
+ 	{
+-- 
+2.44.0
+

pkgs/by-name/gi/giflib/CVE-2025-31344.patch

@@ -0,0 +1,15 @@
+diff -up giflib-5.2.2/gif2rgb.c.omv~ giflib-5.2.2/gif2rgb.c
+--- giflib-5.2.2/gif2rgb.c.omv~	2025-04-07 21:44:54.956355983 +0200
++++ giflib-5.2.2/gif2rgb.c	2025-04-07 21:45:29.630769589 +0200
+@@ -329,6 +329,11 @@ static void DumpScreen2RGB(char *FileNam
+ 			GifRow = ScreenBuffer[i];
+ 			GifQprintf("\b\b\b\b%-4d", ScreenHeight - i);
+ 			for (j = 0; j < ScreenWidth; j++) {
++				/* Check if color is within color palete */
++				if (GifRow[j] >= ColorMap->ColorCount) {
++					GIF_EXIT(GifErrorString(
++					    D_GIF_ERR_IMAGE_DEFECT));
++				}
+ 				ColorMapEntry = &ColorMap->Colors[GifRow[j]];
+ 				Buffers[0][j] = ColorMapEntry->Red;
+ 				Buffers[1][j] = ColorMapEntry->Green;

pkgs/by-name/gi/giflib/package.nix

@@ -3,30 +3,21 @@
   lib,
   fetchurl,
   fixDarwinDylibNames,
-
-  # for passthru.tests
-  SDL2_image,
-  SDL_image,
-  gdal,
-  imlib2,
-  leptonica,
-  libjxl,
-  libwebp,
-  openimageio,
-  openjdk,
   pkgsStatic,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "giflib";
-  version = "6.1.3";
+  version = "5.2.2";
 
   src = fetchurl {
     url = "mirror://sourceforge/giflib/giflib-${finalAttrs.version}.tar.gz";
-    hash = "sha256-tltmuZ8EJLk1JfmHOG8i/F77naK/ySrUpTIkmq/7qw4=";
+    hash = "sha256-vn/70FfK3r4qoURUL9kMaDjGoIO16KkEi47jtmsp1fs=";
   };
 
   patches = [
+    ./CVE-2021-40633.patch
+    ./CVE-2025-31344.patch
   ]
   ++ lib.optionals stdenv.hostPlatform.isMinGW [
     # Build dll libraries.
@@ -63,16 +54,6 @@ stdenv.mkDerivation (finalAttrs: {
 
   passthru.tests = {
     static = pkgsStatic.giflib;
-    inherit
-      SDL2_image
-      SDL_image
-      gdal
-      imlib2
-      leptonica
-      libjxl
-      openimageio
-      openjdk
-      ;
   };
 
   meta = {

pkgs/by-name/gl/glslang/external-gtest.patch

@@ -0,0 +1,69 @@
+From ab20ba112e6fa5117bfeadde199fdc6c18cbdfb5 Mon Sep 17 00:00:00 2001
+From: OPNA2608 <opna2608@protonmail.com>
+Date: Mon, 12 Jan 2026 16:41:53 +0100
+Subject: [PATCH] Look for external gtest build, if not building in-tree
+
+---
+ CMakeLists.txt        | 12 ++++++++++++
+ gtests/CMakeLists.txt |  8 +++-----
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 1e7d3ec9..ecda9c53 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -321,6 +321,18 @@ if(ENABLE_GLSLANG_BINARIES)
+     add_subdirectory(StandAlone)
+ endif()
+ 
++option(ALLOW_EXTERNAL_GTEST "Allows to build against installed googletest. This is unsupported if the commit isn't the one in known_good.json")
++set(GMOCK_TARGET gmock)
++if(NOT TARGET ${GMOCK_TARGET})
++    if(ALLOW_EXTERNAL_GTEST)
++        message(STATUS "Trying to find local googletest")
++        find_package(GTest)
++        if(TARGET GTest::gmock)
++            set(GMOCK_TARGET GTest::gmock)
++        endif()
++    endif()
++endif()
++
+ if(GLSLANG_TESTS)
+     enable_testing()
+     add_subdirectory(gtests)
+diff --git a/gtests/CMakeLists.txt b/gtests/CMakeLists.txt
+index 27a5500c..21125775 100644
+--- a/gtests/CMakeLists.txt
++++ b/gtests/CMakeLists.txt
+@@ -32,7 +32,7 @@
+ # POSSIBILITY OF SUCH DAMAGE.
+ 
+ if(GLSLANG_TESTS)
+-    if(TARGET gmock)
++    if(TARGET ${GMOCK_TARGET})
+         message(STATUS "Google Mock found - building tests")
+ 
+         set(TEST_SOURCES
+@@ -76,9 +76,7 @@ if(GLSLANG_TESTS)
+                                    PRIVATE GLSLANG_TEST_BUILD=1)
+         target_include_directories(glslangtests PRIVATE
+                                    ${CMAKE_CURRENT_SOURCE_DIR}
+-                                   ${PROJECT_SOURCE_DIR}
+-                                   ${gmock_SOURCE_DIR}/include
+-                                   ${gtest_SOURCE_DIR}/include)
++                                   ${PROJECT_SOURCE_DIR})
+ 
+         if(ENABLE_OPT)
+             target_link_libraries(glslangtests
+@@ -90,7 +88,7 @@ if(GLSLANG_TESTS)
+             glslang glslang-default-resource-limits
+             $<$<AND:$<CXX_COMPILER_ID:GNU>,$<VERSION_LESS:$<CXX_COMPILER_VERSION>,9.0>>:stdc++fs>)
+ 
+-        target_link_libraries(glslangtests PRIVATE ${LIBRARIES} gmock)
++        target_link_libraries(glslangtests PRIVATE ${LIBRARIES} ${GMOCK_TARGET})
+ 
+         # The TARGET_RUNTIME_DLL_DIRS feature requires CMake 3.27 or greater.
+         if(WIN32 AND BUILD_SHARED_LIBS AND CMAKE_VERSION VERSION_LESS "3.27")
+-- 
+2.51.2
+

pkgs/by-name/gl/glslang/package.nix

@@ -12,15 +12,21 @@
 }:
 stdenv.mkDerivation (finalAttrs: {
   pname = "glslang";
-  version = "16.3.0";
+  version = "16.2.0";
 
   src = fetchFromGitHub {
     owner = "KhronosGroup";
     repo = "glslang";
     tag = finalAttrs.version;
-    hash = "sha256-wclcJ0NfqFXSUHGVsxjn2I8XxWbrkzOB4WXqsN1XtmE=";
+    hash = "sha256-2uWnZZNGdZorHaiLzMb/rpM6bL9oBClKqiFkUH3krJQ=";
   };
 
+  patches = [
+    # Allow building against our already-built gtest, without eating a rebuild
+    # https://github.com/KhronosGroup/glslang/pull/4140
+    ./external-gtest.patch
+  ];
+
   outputs = [
     "bin"
     "out"

pkgs/by-name/gn/gn/package.nix

@@ -11,11 +11,11 @@
   version ?
     # This is a workaround for update-source-version to be able to update this
     let
-      _version = "0-unstable-2026-04-01";
+      _version = "0-unstable-2026-03-05";
     in
     _version,
-  rev ? "6e8dcdebbadf4f8aa75e6a4b6e0bdf89dce1513a",
-  hash ? "sha256-BTPD8WM1pVAMkFDlHekMdWFGyf63KdhKkKwsqikqoBQ=",
+  rev ? "d8c2f07d653520568da7cace755a87dad241b72d",
+  hash ? "sha256-3AfExm7NL5GJXyC5JCPbGC70D59doRfIZIgpt6MLy9Y=",
 }:
 
 stdenv.mkDerivation {

pkgs/by-name/gn/gnutls/package.nix

@@ -1,6 +1,7 @@
 {
   lib,
   stdenv,
+  buildPackages,
   fetchurl,
   zlib,
   libtasn1,
@@ -8,6 +9,7 @@
   pkg-config,
   perl,
   gmp,
+  automake,
   libidn2,
   libiconv,
   texinfo,
@@ -165,6 +167,10 @@ stdenv.mkDerivation rec {
     pkg-config
     texinfo
   ]
+  ++ [
+    buildPackages.autoconf269
+    automake
+  ]
   ++ lib.optionals doCheck [
     which
     net-tools

pkgs/by-name/gp/gperftools/package.nix

@@ -9,13 +9,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "gperftools";
-  version = "2.18.1";
+  version = "2.17.2";
 
   src = fetchFromGitHub {
     owner = "gperftools";
     repo = "gperftools";
     tag = "gperftools-${finalAttrs.version}";
-    hash = "sha256-LvLsq0UuMu51vcgxDrBkdnoUJ3qFH+tbXbTjreBxBqs=";
+    hash = "sha256-WCEuiSjNIX/KhEBWndyVhrKlWs7H60mcHoPlWd7YWC4=";
   };
 
   patches = [

pkgs/by-name/gp/gpgme/package.nix

@@ -22,7 +22,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "gpgme";
-  version = "2.1.0";
+  version = "2.0.1";
 
   outputs = [
     "out"
@@ -34,7 +34,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   src = fetchurl {
     url = "mirror://gnupg/gpgme/gpgme-${finalAttrs.version}.tar.bz2";
-    hash = "sha256-hBxepT/CYln0+/DovemC3qG4ocoMt35oHIKwUFZr+Ss=";
+    hash = "sha256-ghqwaVyELqtRdSqBmAySsEEMfq3QQQP3kdXSpSZ4SWY=";
   };
 
   postPatch = ''
@@ -110,7 +110,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   meta = {
     homepage = "https://gnupg.org/software/gpgme/index.html";
-    changelog = "https://dev.gnupg.org/source/gpgme/browse/master/NEWS;gpgme-${finalAttrs.version}?as=remarkup";
+    changelog = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;f=NEWS;hb=gpgme-${finalAttrs.version}";
     description = "Library for making GnuPG easier to use";
     longDescription = ''
       GnuPG Made Easy (GPGME) is a library designed to make access to GnuPG

pkgs/by-name/gp/gpgmepp/package.nix

@@ -10,11 +10,11 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "gpgmepp";
-  version = "2.1.0";
+  version = "2.0.0";
 
   src = fetchurl {
     url = "mirror://gnupg/gpgmepp/gpgmepp-${finalAttrs.version}.tar.xz";
-    hash = "sha256-V/gERo8CBFBLFyxrE5ywUSS0JjvnrVFJMsfExQYqFuI=";
+    hash = "sha256-1HlgScBnCKJvMJb3SO8JU0fho8HlcFYXAf6VLD9WU4I=";
   };
 
   postPatch = ''

pkgs/by-name/gr/graphviz/package.nix

@@ -39,13 +39,13 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "graphviz";
-  version = "14.1.2";
+  version = "12.2.1";
 
   src = fetchFromGitLab {
     owner = "graphviz";
     repo = "graphviz";
-    tag = finalAttrs.version;
-    hash = "sha256-LkyiKl0ulS9ujEdVLfyeoc4CtjITd6CAc35IUtlHSfw=";
+    rev = finalAttrs.version;
+    hash = "sha256-Uxqg/7+LpSGX4lGH12uRBxukVw0IswFPfpb2EkLsaiI=";
   };
 
   nativeBuildInputs = [
@@ -136,7 +136,6 @@ stdenv.mkDerivation (finalAttrs: {
 
   meta = {
     homepage = "https://graphviz.org";
-    changelog = "https://gitlab.com/graphviz/graphviz/-/blob/${finalAttrs.src.tag}/CHANGELOG.md";
     description = "Graph visualization tools";
     license = lib.licenses.epl10;
     platforms = lib.platforms.unix;

pkgs/by-name/gr/groff/package.nix

@@ -48,7 +48,8 @@ stdenv.mkDerivation (finalAttrs: {
     hash = "sha256-dOKBl5W2r/QxrqyYPWOpyJaO6roqLrp9+LpMe0Hnz9g=";
   };
 
-  patches = [
+  patches = lib.optionals stdenv.isLinux [
+    # TODO: apply everywhere on rebuild
     # This revert a upstream refactor in continuous rendering mode, but this
     # causes a big performance regression for big manpages like
     # `man 5 configuration.nix`.

pkgs/by-name/gt/gtk-doc/package.nix

@@ -16,7 +16,7 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "gtk-doc";
-  version = "1.36.1";
+  version = "1.35.1";
 
   outputDevdoc = "out";
 
@@ -26,10 +26,14 @@ python3.pkgs.buildPythonApplication rec {
     domain = "gitlab.gnome.org";
     owner = "GNOME";
     repo = "gtk-doc";
-    tag = version;
-    hash = "sha256-8hB43BCAtT1B7/ak2i0FAlYD3Kb4rNCWfsJ+wqGu3FA=";
+    rev = version;
+    hash = "sha256-EqU7lnBnOn3gR3hT95yjdTUb3cqX2XJK5UAKsFw2Q10=";
   };
 
+  patches = [
+    passthru.respect_xml_catalog_files_var_patch
+  ];
+
   postPatch = ''
     substituteInPlace meson.build \
       --replace "pkg-config" "$PKG_CONFIG"
@@ -79,6 +83,8 @@ python3.pkgs.buildPythonApplication rec {
   '';
 
   passthru = {
+    # Consumers are expected to copy the m4 files to their source tree, let them reuse the patch
+    respect_xml_catalog_files_var_patch = ./respect-xml-catalog-files-var.patch;
     updateScript = gnome.updateScript {
       packageName = "gtk-doc";
       versionPolicy = "none";
@@ -86,7 +92,6 @@ python3.pkgs.buildPythonApplication rec {
   };
 
   meta = {
-    changelog = "https://gitlab.gnome.org/GNOME/gtk-doc/-/blob/${src.tag}/NEWS";
     description = "Tools to extract documentation embedded in GTK and GNOME source code";
     homepage = "https://gitlab.gnome.org/GNOME/gtk-doc";
     license = lib.licenses.gpl2Plus;

pkgs/by-name/gt/gtk-doc/respect-xml-catalog-files-var.patch

@@ -0,0 +1,13 @@
+--- a/m4/gtkdoc_jh_check_xml_catalog.m4
++++ b/m4/gtkdoc_jh_check_xml_catalog.m4
+@@ -5,8 +5,8 @@
+ [
+ 	AC_REQUIRE([JH_PATH_XML_CATALOG],[JH_PATH_XML_CATALOG(,[:])])dnl
+ 	AC_MSG_CHECKING([for ifelse([$2],,[$1],[$2]) in XML catalog])
+-	if $jh_found_xmlcatalog && \
+-		AC_RUN_LOG([$XMLCATALOG --noout "$XML_CATALOG_FILE" "$1" >&2]); then
++	# empty argument forces libxml to use XML_CATALOG_FILES variable
++	if AC_RUN_LOG([$XMLCATALOG --noout "" "$1" >&2]); then
+ 		AC_MSG_RESULT([found])
+ 		ifelse([$3],,,[$3])
+ 	else

pkgs/by-name/gt/gtk4/package.nix

@@ -95,13 +95,11 @@ stdenv.mkDerivation (finalAttrs: {
     hash = "sha256-Ub2fYMfSOmZaVWxzZMIfsuTiglZrPn4JJFXo+RAzCJM=";
   };
 
-  patches = [
-    (fetchpatch {
-      name = "fix-32bit-VkImage-null.patch";
-      url = "https://gitlab.gnome.org/GNOME/gtk/-/commit/10d43de8f4f942cb591ada3103474bd7213425f1.patch";
-      hash = "sha256-DJIL6M3XcsjBoMO77OxNi84d1DxAphAfot3N7Nq1QqQ=";
-    })
-  ];
+  patches = lib.optional stdenv.hostPlatform.is32bit (fetchpatch {
+    name = "fix-32bit-VkImage-null.patch";
+    url = "https://gitlab.gnome.org/GNOME/gtk/-/commit/10d43de8f4f942cb591ada3103474bd7213425f1.patch";
+    hash = "sha256-DJIL6M3XcsjBoMO77OxNi84d1DxAphAfot3N7Nq1QqQ=";
+  });
 
   depsBuildBuild = [
     pkg-config

pkgs/by-name/ha/handbrake/package.nix

@@ -10,10 +10,7 @@
 {
   stdenv,
   lib,
-  applyPatches,
   fetchFromGitHub,
-  fetchFromGitLab,
-  fetchpatch2,
   # For tests
   testers,
   runCommand,
@@ -29,7 +26,7 @@
   numactl,
   writeText,
   # Processing, video codecs, containers
-  ffmpeg_8-full,
+  ffmpeg_7-full,
   nv-codec-headers,
   libogg,
   x264,
@@ -88,35 +85,14 @@
 }:
 
 let
-  version = "1.11.1";
+  version = "1.10.2";
 
-  src = applyPatches {
-    src = fetchFromGitHub {
-      owner = "HandBrake";
-      repo = "HandBrake";
-      # uses version commit for logic in version.txt
-      rev = "4ce99a885cde39b3511016efdb5124726819defb";
-      hash = "sha256-oWXNiRK0wbmINnjM3GrOIawcSULTuy3yANfgW8li9F0=";
-    };
-
-    patches = [
-      # Only needed so the subsequent patch applies
-      (fetchpatch2 {
-        url = "https://github.com/HandBrake/HandBrake/commit/c8e16778a330881af36fa32004f887bd73874d15.patch";
-        hash = "sha256-i3/X9opDzsZIO7bjLHHZltuQH93uENRF0t7FP7DDdBM=";
-      })
-      # Update x265 submodule to v4.2, drop in next release
-      (fetchpatch2 {
-        url = "https://github.com/HandBrake/HandBrake/commit/432514bf839e7280511e4a7afc35fb4868ef4d0b.patch";
-        excludes = [
-          "contrib/x265/module.defs"
-          "contrib/x265_8bit/module.defs"
-          "contrib/x265_10bit/module.defs"
-          "contrib/x265_12bit/module.defs"
-        ];
-        hash = "sha256-xwIY1pO9mKbrQFjQCENuvntIoiZTHeUVg8axrl3zxxo=";
-      })
-    ];
+  src = fetchFromGitHub {
+    owner = "HandBrake";
+    repo = "HandBrake";
+    # uses version commit for logic in version.txt
+    rev = "dddf75f756e56d2b8dbb0609175bc12047a4841d";
+    hash = "sha256-CIMpJDJ0IIz95f3/zxeQqpCFpHWEmdgA+VaaUDY516A=";
   };
 
   # Handbrake maintains a set of ffmpeg patches. In particular, these
@@ -124,67 +100,70 @@ let
   # https://github.com/HandBrake/HandBrake/issues/4029
   # base ffmpeg version is specified in:
   # https://github.com/HandBrake/HandBrake/blob/master/contrib/ffmpeg/module.defs
-  ffmpeg-hb = ffmpeg_8-full.overrideAttrs (old: {
-    patches = (old.patches or [ ]) ++ [
-      "${src}/contrib/ffmpeg/A01-mov-read-name-track-tag-written-by-movenc.patch"
-      "${src}/contrib/ffmpeg/A02-movenc-write-3gpp-track-titl-tag.patch"
-      "${src}/contrib/ffmpeg/A03-mov-read-3gpp-udta-tags.patch"
-      "${src}/contrib/ffmpeg/A04-movenc-write-3gpp-track-names-tags-for-all-available.patch"
-      "${src}/contrib/ffmpeg/A05-avformat-mov-add-support-audio-fallback-track-ref.patch"
-      "${src}/contrib/ffmpeg/A06-avformat-mov-read-and-write-additional-iTunes-style-.patch"
-      "${src}/contrib/ffmpeg/A07-avformat-movenc-write-iTunEXTC-and-iTunMOVI-metadata.patch"
-      "${src}/contrib/ffmpeg/A08-dvdsubdec-fix-processing-of-partial-packets.patch"
-      "${src}/contrib/ffmpeg/A09-dvdsubdec-return-number-of-bytes-used.patch"
-      "${src}/contrib/ffmpeg/A10-dvdsubdec-use-pts-of-initial-packet.patch"
-      "${src}/contrib/ffmpeg/A11-dvdsubdec-add-an-option-to-output-subtitles-with-emp.patch"
-      "${src}/contrib/ffmpeg/A12-ccaption_dec-fix-pts-in-real_time-mode.patch"
-      "${src}/contrib/ffmpeg/A13-avformat-matroskaenc-return-error-if-aac-extradata-c.patch"
-      "${src}/contrib/ffmpeg/A14-Expose-the-unmodified-Dolby-Vision-RPU-T35-buffers.patch"
-      "${src}/contrib/ffmpeg/A15-lavc-pgssubdec-Add-graphic-plane-and-cropping.patch"
-      "${src}/contrib/ffmpeg/A16-libavcodec-qsvenc.c-update-has_b_frames-value-after-.patch"
-      "${src}/contrib/ffmpeg/A17-qsv-enable-av1-scc.patch"
-      "${src}/contrib/ffmpeg/A18-fixed-BT2020-BT709-conversion-via-VPP.patch"
-      "${src}/contrib/ffmpeg/A19-videotoolbox-disable-H.264-10-bit-on-Intel-macOS-it-.patch"
-      "${src}/contrib/ffmpeg/A20-videotoolbox-speedup-decoding.patch"
-      "${src}/contrib/ffmpeg/A21-Revert-avcodec-amfenc-GPU-driver-version-check.patch"
-      "${src}/contrib/ffmpeg/A22-fix-d3d11-static-pool-size-error.patch"
-      "${src}/contrib/ffmpeg/A23-movenc-set-the-chapters-track-language-to-the-same-a.patch"
-      "${src}/contrib/ffmpeg/A24-movenc-use-version-2-audio-descriptor-for-2-channels.patch"
-    ];
-  });
+  ffmpeg-version = "7.1.1";
+  ffmpeg-hb =
+    (ffmpeg_7-full.override {
+      version = ffmpeg-version;
+      hash = "sha256-GyS8imOqfOUPxXrzCiQtzCQIIH6bvWmQAB0fKUcRsW4=";
+    }).overrideAttrs
+      (old: {
+        patches = (old.patches or [ ]) ++ [
+          "${src}/contrib/ffmpeg/A01-mov-read-name-track-tag-written-by-movenc.patch"
+          "${src}/contrib/ffmpeg/A02-movenc-write-3gpp-track-titl-tag.patch"
+          "${src}/contrib/ffmpeg/A03-mov-read-3gpp-udta-tags.patch"
+          "${src}/contrib/ffmpeg/A04-movenc-write-3gpp-track-names-tags-for-all-available.patch"
+          "${src}/contrib/ffmpeg/A05-avformat-mov-add-support-audio-fallback-track-ref.patch"
+          "${src}/contrib/ffmpeg/A06-dvdsubdec-fix-processing-of-partial-packets.patch"
+          "${src}/contrib/ffmpeg/A07-dvdsubdec-return-number-of-bytes-used.patch"
+          "${src}/contrib/ffmpeg/A08-dvdsubdec-use-pts-of-initial-packet.patch"
+          "${src}/contrib/ffmpeg/A09-dvdsubdec-add-an-option-to-output-subtitles-with-emp.patch"
+          "${src}/contrib/ffmpeg/A10-ccaption_dec-fix-pts-in-real_time-mode.patch"
+          "${src}/contrib/ffmpeg/A11-avformat-matroskaenc-return-error-if-aac-extradata-c.patch"
+          "${src}/contrib/ffmpeg/A12-videotoolbox-disable-H.264-10-bit-on-Intel-macOS-it-.patch"
+
+          # patch to fix <https://github.com/HandBrake/HandBrake/issues/5011>
+          # commented out because it causes ffmpeg's filter-pixdesc-p010le test to fail.
+          # "${src}/contrib/ffmpeg/A13-libswscale-fix-yuv420p-to-p01xle-color-conversion-bu.patch"
+
+          "${src}/contrib/ffmpeg/A14-hevc_mp4toannexb.c-fix-qsv-decode-of-10bit-hdr.patch"
+          "${src}/contrib/ffmpeg/A15-Expose-the-unmodified-Dolby-Vision-RPU-T35-buffers.patch"
+          "${src}/contrib/ffmpeg/A16-avcodec-amfenc-Add-support-for-on-demand-key-frames.patch"
+          "${src}/contrib/ffmpeg/A17-avcodec-amfenc-properly-set-primaries-transfer-and-m.patch"
+          "${src}/contrib/ffmpeg/A18-libavcodec-qsvenc-update-has_b_frames-value.patch"
+          "${src}/contrib/ffmpeg/A19-libavcodec-qsv-enable-av1-scc.patch"
+          "${src}/contrib/ffmpeg/A20-Revert-avcodec-amfenc-GPU-driver-version-check.patch"
+          "${src}/contrib/ffmpeg/A21-lavc-pgssubdec-Add-graphic-plane-and-cropping.patch"
+          "${src}/contrib/ffmpeg/A22-avformat-mov-read-and-write-additional-iTunes-style-.patch"
+          "${src}/contrib/ffmpeg/A23-avformat-movenc-write-iTunEXTC-and-iTunMOVI-metadata.patch"
+          "${src}/contrib/ffmpeg/A24-AV1-videotoolbox.patch"
+          "${src}/contrib/ffmpeg/A25-videotoolbox-speedup-decoding.patch"
+          "${src}/contrib/ffmpeg/A28-enable-av1_mf-encoder.patch"
+          "${src}/contrib/ffmpeg/A30-qsv-fixed-BT2020-BT709-conversion.patch"
+          "${src}/contrib/ffmpeg/A31-Parse-EAC3-Atmos-ComplexityIndex-for-MP4-remuxing.patch"
+        ];
+      });
 
   x265-hb = x265.overrideAttrs (old: {
-    version = "4.2";
-    sourceRoot = "x265_4.2/source";
+    version = "4.1";
+    sourceRoot = "x265_4.1/source";
     src = fetchurl {
-      url = "https://bitbucket.org/multicoreware/x265_git/downloads/x265_4.2.tar.gz";
-      hash = "sha256-QLHqBFPgMJ8OupNODd9TP49ilZZmeeiJTo8cHI1eEhA=";
+      url = "https://bitbucket.org/multicoreware/x265_git/downloads/x265_4.1.tar.gz";
+      hash = "sha256-oxaZxqiYBrdLAVHl5qffZd5LSQUEgv5ev4pDedevjyk=";
     };
     # nixpkgs' x265 sourceRoot is x265-.../source whereas handbrake's x265 patches
     # are written with respect to the parent directory instead of that source directory.
     # patches which don't cleanly apply are commented out.
     postPatch = (old.postPatch or "") + ''
       pushd ..
-        for p in ${src}/contrib/x265/*.patch; do
-          patch -p1 < "$p"
-        done
-      popd
-    '';
-  });
-
-  svt-av1-hb = svt-av1.overrideAttrs (old: rec {
-    version = "4.0.1";
-    src = fetchFromGitLab {
-      owner = "AOMediaCodec";
-      repo = "SVT-AV1";
-      rev = "v${version}";
-      hash = "sha256-7krVkLZxgolqPTkuyKAx07BekAPacftcGZ44lQTQFZQ=";
-    };
-    postPatch = (old.postPatch or "") + ''
-      pushd ..
-        for p in ${src}/contrib/svt-av1/*.patch; do
-          patch -p1 < "$p"
-        done
+      patch -p1 < ${src}/contrib/x265/A01-Do-not-set-thread-priority-on-Windows.patch
+      patch -p1 < ${src}/contrib/x265/A02-Apple-Silicon-tuning.patch
+      patch -p1 < ${src}/contrib/x265/A03-Implement-ambient-viewing-environment-sei.patch
+      patch -p1 < ${src}/contrib/x265/A04-add-new-matrix-coefficients-from-H.273-v3.patch
+      patch -p1 < ${src}/contrib/x265/A05-Fix-Dolby-Vision-RPU-memory-management.patch
+      # patch -p1 < ${src}/contrib/x265/A06-Update-version-strings.patch
+      patch -p1 < ${src}/contrib/x265/A07-Fix-macOS-cross-compilation.patch
+      # patch -p1 < ${src}/contrib/x265/A08-Fix-inconsistent-bitrate-in-second-pass.patch
+      patch -p1 < ${src}/contrib/x265/A09-Ensuring-the-mvdLX-is-compliant.patch
       popd
     '';
   });
@@ -289,7 +268,7 @@ let
       libvpx
       libxml2
       speex
-      svt-av1-hb
+      svt-av1
       x264
       x265-hb
       xz

pkgs/by-name/ho/hotdoc/clang.patch

@@ -1,78 +0,0 @@
-diff --git a/hotdoc/extensions/c/c_extension.py b/hotdoc/extensions/c/c_extension.py
-index 1cfd5b3..1e1926f 100644
---- a/hotdoc/extensions/c/c_extension.py
-+++ b/hotdoc/extensions/c/c_extension.py
-@@ -44,14 +44,6 @@ from hotdoc.utils.loggable import (info as core_info, warn, Logger,
-                                    debug as core_debug)
- 
- 
--LLVM_CONFIG = os.environ.get("LLVM_CONFIG")
--if LLVM_CONFIG is None:
--    LLVM_CONFIG = shutil.which('llvm-config')
--
--if LLVM_CONFIG is None:
--    raise ImportError()
--
--
- def ast_node_is_function_pointer(ast_node):
-     if ast_node.kind == cindex.TypeKind.POINTER and \
-             ast_node.get_pointee().get_result().kind != \
-@@ -80,42 +72,26 @@ Logger.register_warning_code('clang-headers-not-found', HotdocException,
-                              'c-extension')
- 
- 
--CLANG_HEADERS_WARNING = (
--    'Did not find clang headers. Please report a bug with the output of the'
--    '\'llvm-config --version\' and \'llvm-config --prefix\' commands')
--
--
- def get_clang_headers():
-     try:
-         # Clang 5.0+ can tell us directly
-         resource_dir = subprocess.check_output(
--            ['clang', '--print-resource-dir']).strip().decode()
-+            ['@clang@', '--print-resource-dir']).strip().decode()
-         if len(resource_dir) > 0:
-             include_dir = os.path.join(resource_dir, 'include')
-             if os.path.exists(include_dir):
-                 return include_dir
-     except subprocess.CalledProcessError:
-         pass
--    version = subprocess.check_output(
--        [LLVM_CONFIG, '--version']).strip().decode()
--    prefix = subprocess.check_output(
--        [LLVM_CONFIG, '--prefix']).strip().decode()
--    versions = (version, version.split('.').pop(0))
--    for (ver, lib) in itertools.product(
--            versions,
--            ['lib', 'lib64']):
--        p = os.path.join(prefix, lib, 'clang', ver, 'include')
--        if os.path.exists(p):
--            return p
- 
--    warn('clang-headers-not-found', CLANG_HEADERS_WARNING)
-+    warn('clang-headers-not-found', 'Did not find clang headers. Make sure you\'re using Clang 5.0+')
- 
- 
- CLANG_HEADERS = get_clang_headers()
- 
- 
- def get_clang_libdir():
--    return subprocess.check_output([LLVM_CONFIG, '--libdir']).strip().decode()
-+    return '@libclang_lib_dir@'
- 
- 
- class ClangScanner(object):
-diff --git a/hotdoc/extensions/c/clang/cindex.py b/hotdoc/extensions/c/clang/cindex.py
-index fc93fda..0a16651 100644
---- a/hotdoc/extensions/c/clang/cindex.py
-+++ b/hotdoc/extensions/c/clang/cindex.py
-@@ -3949,6 +3949,8 @@ class Config:
- 
-         if Config.library_path:
-             file = Config.library_path + '/' + file
-+        else:
-+            file = "@libclang_lib_dir@" + '/' + file
- 
-         return file
- 

pkgs/by-name/hu/hunspell/package.nix

@@ -14,7 +14,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "hunspell";
-  version = "1.7.3";
+  version = "1.7.2";
 
   outputs = [
     "bin"
@@ -27,7 +27,7 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "hunspell";
     repo = "hunspell";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-NoLlH+4Hb6w+HYl2fSBzroav1Pb3GojFSTJGBxlteBM=";
+    sha256 = "sha256-x2FXxnVIqsf5/UEQcvchAndXBv/3mW8Z55djQAFgNA8=";
   };
 
   patches = [ ./0001-Make-hunspell-look-in-XDG_DATA_DIRS-for-dictionaries.patch ];

pkgs/by-name/hw/hwdata/package.nix

@@ -6,13 +6,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "hwdata";
-  version = "0.408";
+  version = "0.406";
 
   src = fetchFromGitHub {
     owner = "vcrhonek";
     repo = "hwdata";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-fgKOvVGAdB3uBFuKfGPFfF9wQEdLtnlMdQrLNIr3teo=";
+    hash = "sha256-6GXXkDzunbtea+MmmWV2gpHgCgdGi75U+TV9H/6Emtk=";
   };
 
   doCheck = false; # this does build machine-specific checks (e.g. enumerates PCI bus)

pkgs/by-name/im/imagemagick/package.nix

@@ -88,13 +88,13 @@ in
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "imagemagick";
-  version = "7.1.2-24";
+  version = "7.1.2-23";
 
   src = fetchFromGitHub {
     owner = "ImageMagick";
     repo = "ImageMagick";
     tag = finalAttrs.version;
-    hash = "sha256-oSH0dsQ3cuFNYJIIr6LHbv82FbFxxcmkjQ5csTNsYCA=";
+    hash = "sha256-zYk75q+EyWq5g/AHFU6v8a7gye0aDAEe/ZZvjqR9ZTc=";
   };
 
   outputs = [

pkgs/by-name/kr/krb5/CVE-2026-40355-and-CVE-2026-40356.patch

@@ -1,61 +0,0 @@
-From acea6182e46fff3d1d64a3172cdff307b07ca441 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Wed, 8 Apr 2026 17:57:59 -0400
-Subject: [PATCH] Fix two NegoEx parsing vulnerabilities
-
-In parse_nego_message(), check the result of the second call to
-vector_base() before dereferencing it.  In parse_message(), check for
-a short header_len to prevent an integer underflow when calculating
-the remaining message length.
-
-Reported by Cem Onat Karagun.
-
-CVE-2026-40355:
-
-In MIT krb5 release 1.18 and later, if an application calls
-gss_accept_sec_context() on a system with a NegoEx mechanism
-registered in /etc/gss/mech, an unauthenticated remote attacker can
-trigger a null pointer dereference, causing the process to terminate.
-
-CVE-2026-40356:
-
-In MIT krb5 release 1.18 and later, if an application calls
-gss_accept_sec_context() on a system with a NegoEx mechanism
-registered in /etc/gss/mech, an unauthenticated remote attacker can
-trigger a read overrun of up to 52 bytes, possibly causing the process
-to terminate.  Exfiltration of the bytes read does not appear
-possible.
-
-(cherry picked from commit 2e75f0d9362fb979f5fc92829431a590a130929f)
-
-ticket: 9205
-version_fixed: 1.22.3
----
- lib/gssapi/spnego/negoex_util.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/lib/gssapi/spnego/negoex_util.c b/src/lib/gssapi/spnego/negoex_util.c
-index edc5462e844..a65238e5730 100644
---- a/lib/gssapi/spnego/negoex_util.c
-+++ b/lib/gssapi/spnego/negoex_util.c
-@@ -253,6 +253,10 @@ parse_nego_message(OM_uint32 *minor, struct k5input *in,
-     offset = k5_input_get_uint32_le(in);
-     count = k5_input_get_uint16_le(in);
-     p = vector_base(offset, count, EXTENSION_LENGTH, msg_base, msg_len);
-+    if (p == NULL) {
-+        *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
-+        return GSS_S_DEFECTIVE_TOKEN;
-+    }
-     for (i = 0; i < count; i++) {
-         extension_type = load_32_le(p + i * EXTENSION_LENGTH);
-         if (extension_type & EXTENSION_FLAG_CRITICAL) {
-@@ -391,7 +395,8 @@ parse_message(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, struct k5input *in,
-     msg_len = k5_input_get_uint32_le(in);
-     conv_id = k5_input_get_bytes(in, GUID_LENGTH);
- 
--    if (in->status || msg_len > token_remaining || header_len > msg_len) {
-+    if (in->status || msg_len > token_remaining ||
-+        header_len < (size_t)(in->ptr - msg_base) || header_len > msg_len) {
-         *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
-         return GSS_S_DEFECTIVE_TOKEN;
-     }

pkgs/by-name/kr/krb5/package.nix

@@ -34,20 +34,16 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "krb5";
-  version = "1.22.2";
+  version = "1.22.1";
 
   __structuredAttrs = true;
 
   src = fetchurl {
     url = "https://kerberos.org/dist/krb5/${lib.versions.majorMinor finalAttrs.version}/krb5-${finalAttrs.version}.tar.gz";
-    hash = "sha256-MkP/vI6k1Kwi3cfdKh3FTFeHTEBki2D/lwCXY1VOrxM=";
+    hash = "sha256-GogyuMrZI+u/E5T2fi789B46SfRgKFpm41reyPoAU68=";
   };
 
-  patches = [
-    # https://github.com/krb5/krb5/pull/1506
-    ./CVE-2026-40355-and-CVE-2026-40356.patch
-  ]
-  ++ lib.optionals stdenv.hostPlatform.isFreeBSD [
+  patches = lib.optionals stdenv.hostPlatform.isFreeBSD [
     (fetchpatch {
       name = "fix-missing-ENODATA.patch";
       url = "https://cgit.freebsd.org/ports/plain/security/krb5-122/files/patch-lib_krad_packet.c?id=0501f716c4aff7880fde56e42d641ef504593b7d";
@@ -174,7 +170,6 @@ stdenv.mkDerivation (finalAttrs: {
   ];
 
   meta = {
-    changelog = "https://web.mit.edu/Kerberos/krb5-${lib.versions.majorMinor finalAttrs.version}/";
     description = "MIT Kerberos 5";
     homepage = "http://web.mit.edu/kerberos/";
     license = lib.licenses.mit;

pkgs/by-name/lc/lcms2/package.nix

@@ -9,11 +9,11 @@
 
 stdenv.mkDerivation rec {
   pname = "lcms2";
-  version = "2.19.1";
+  version = "2.18";
 
   src = fetchurl {
     url = "mirror://sourceforge/lcms/lcms2-${version}.tar.gz";
-    hash = "sha256-v8VPe6tZ+8khASAUqAMuTLpKvUbbR9RrdkFqjAsoFcg=";
+    hash = "sha256-7me+NWb0WTYsHuCU/eLBWdM/oDkKpO1fWvZ2+eUAQ0c=";
   };
 
   outputs = [

pkgs/by-name/ld/ld64/package.nix

@@ -47,7 +47,7 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "ld64";
-  version = "957.1";
+  version = "956.6";
 
   outputs = [
     "out"
@@ -59,7 +59,7 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "apple-oss-distributions";
     repo = "ld64";
     tag = "ld64-${finalAttrs.version}";
-    hash = "sha256-KUkEKz2jQq815ls25u0JMYmad4cN9PS/nC3E5eV19co=";
+    hash = "sha256-2VlBjlCZ+ZPKGZ0f5UuG3jJTLZIBXf8IZOiD6snheh4=";
   };
 
   patches = [

pkgs/by-name/ld/ldacbt/0001-abr-drop-support-for-dynamic-loading-libldac.patch

@@ -1,164 +0,0 @@
-From 040210591a5e90fc3e0ca0ec438426273e86c497 Mon Sep 17 00:00:00 2001
-From: "yshuiv7@gmail.com" <Yuxuan Shui>
-Date: Mon, 27 Apr 2026 15:30:10 +0100
-Subject: [PATCH] abr: drop support for dynamic loading libldac
-
----
- abr/inc/ldacBT_abr.h |  2 +-
- abr/src/ldacBT_abr.c | 76 +-------------------------------------------
- 2 files changed, 2 insertions(+), 76 deletions(-)
-
-diff --git a/abr/inc/ldacBT_abr.h b/abr/inc/ldacBT_abr.h
-index 294e230..735ea67 100644
---- a/abr/inc/ldacBT_abr.h
-+++ b/abr/inc/ldacBT_abr.h
-@@ -89,7 +89,7 @@ typedef struct _ldacbt_abr_param * HANDLE_LDAC_ABR;
-  *  Return value
-  *      HANDLE_LDAC_ABR for success, NULL for failure.
-  */
--LDAC_ABR_API HANDLE_LDAC_ABR ldac_ABR_get_handle(const char *libpath);
-+LDAC_ABR_API HANDLE_LDAC_ABR ldac_ABR_get_handle(void);
- 
- /* Release of LDAC ABR handle.
-  *  Format
-diff --git a/abr/src/ldacBT_abr.c b/abr/src/ldacBT_abr.c
-index 0af6278..fad2dd0 100644
---- a/abr/src/ldacBT_abr.c
-+++ b/abr/src/ldacBT_abr.c
-@@ -8,10 +8,6 @@
- 
- #include <stdlib.h>
- #include <string.h>
--#ifdef LDAC_ABR_DYNAMIC_LINK_LDAC_API
--#include <dlfcn.h>
--#include <errno.h>
--#endif
- 
- #define LDAC_ABR_OBSERVING_TIME_MS 500   /* [ms] the time length for storing Tx Queue Depth */
- #define LDAC_ABR_PENALTY_MAX 4
-@@ -56,18 +52,11 @@ typedef int (*tLDACBT_GET_ERR)(HANDLE_LDAC_BT hLdacBt);
- 
- typedef struct _ldacbt_api_param
- {
--#ifdef LDAC_ABR_DYNAMIC_LINK_LDAC_API
--    const char *lib_name;
--    void *lib_handle;
--#endif
-     tLDACBT_ALTER_EQMID_PRIORITY alter_eqmid_priority;
-     tLDACBT_GET_EQMID            get_eqmid;
-     tLDACBT_GET_ERR              get_error_code;
- } LDACBT_API_PARAMS, * HANDLE_LDACBT_API;
- 
--#ifdef LDAC_ABR_DYNAMIC_LINK_LDAC_API
--static int open_lib(HANDLE_LDACBT_API hLdacBtApi, const char *lib_name );
--#endif
- 
- static int load_ldacbt_api_functions(HANDLE_LDACBT_API hLdacBtApi);
- 
-@@ -122,7 +111,7 @@ static const int sizeOfEqmidToBitrateSortedIdTable = (int)(sizeof(aEqmidToAbrQua
-                                                      / sizeof(aEqmidToAbrQualityModeID[0]));
- 
- /* Get LDAC ABR handle */
--HANDLE_LDAC_ABR ldac_ABR_get_handle(const char *libpath)
-+HANDLE_LDAC_ABR ldac_ABR_get_handle(void)
- {
-     HANDLE_LDAC_ABR hLdacAbr;
-     ABRDBG( "" );
-@@ -131,15 +120,6 @@ HANDLE_LDAC_ABR ldac_ABR_get_handle(const char *libpath)
-         return NULL;
-     }
-     clear_data( hLdacAbr, sizeof(LDAC_ABR_PARAMS) );
--#ifdef LDAC_ABR_DYNAMIC_LINK_LDAC_API
--    if (libpath != NULL) {
--        if (open_lib( &hLdacAbr->ldacBtApi, libpath ) < 0) {
--            ABRDBG( "[ERR] Failed to open shared library \"%s\".", libpath );
--            ldac_ABR_free_handle(hLdacAbr);
--            return NULL;
--        }
--    }
--#endif
-     if( load_ldacbt_api_functions(&hLdacAbr->ldacBtApi) != 0 ){
-         ldac_ABR_free_handle(hLdacAbr);
-         return NULL;
-@@ -156,12 +136,6 @@ void ldac_ABR_free_handle(HANDLE_LDAC_ABR hLdacAbr)
-         if (hLdacAbr->TxQD_Info.pHist){
-             free(hLdacAbr->TxQD_Info.pHist);
-         }
--#ifdef LDAC_ABR_DYNAMIC_LINK_LDAC_API
--        if (hLdacAbr->ldacBtApi.lib_handle != NULL) {
--            dlclose(hLdacAbr->ldacBtApi.lib_handle);
--            hLdacAbr->ldacBtApi.lib_handle = NULL;
--        }
--#endif
-         free(hLdacAbr);
-     }
- }
-@@ -408,65 +382,17 @@ int ldac_ABR_Proc( HANDLE_LDAC_BT hLDAC, HANDLE_LDAC_ABR hLdacAbr,
- }
- 
- 
--#ifdef LDAC_ABR_DYNAMIC_LINK_LDAC_API
--static void *load_func(void *lib_handle, const char* func_name)
--{
--    void *func_ptr = dlsym(lib_handle, func_name);
--    if(func_ptr == NULL){
--        ABRDBG("[ERR] cannot find function '%s' in the library.\n", func_name);
--        return NULL;
--    }
--    return func_ptr;
--}
--
--static int open_lib(HANDLE_LDACBT_API hLdacBtApi, const char *lib_name )
--{
--    if( hLdacBtApi == NULL ){
--        ABRDBG("[ERR] handle is NULL");
--        return -1;
--    }
--    if( lib_name == NULL ){
--        ABRDBG("[ERR] lib_name is NULL");
--        return -1;
--    }
--    // open library
--    hLdacBtApi->lib_handle = dlopen(lib_name, RTLD_NOW);
--    if(hLdacBtApi->lib_handle == NULL){
--#ifdef LOCAL_DEBUG
--        char buffer_str[1024];
--        strerror_r(errno, buffer_str, sizeof(buffer_str));
--        ABRDBG("[ERR] cannot open library '%s': errno = %d (%s)\n",
--                lib_name, errno, buffer_str);
--#endif
--        return -1;
--    }
--    return 0;
--}
--#endif /* LDAC_ABR_DYNAMIC_LINK_LDAC_API */
--
- // Load functions
- static int load_ldacbt_api_functions(HANDLE_LDACBT_API hLdacBtApi)
- {
-     hLdacBtApi->alter_eqmid_priority =
--#ifdef LDAC_ABR_DYNAMIC_LINK_LDAC_API
--      load_func(hLdacBtApi->lib_handle, "ldacBT_alter_eqmid_priority");
--#else
-       ldacBT_alter_eqmid_priority;
--#endif
- 
-     hLdacBtApi->get_eqmid =
--#ifdef LDAC_ABR_DYNAMIC_LINK_LDAC_API
--      load_func(hLdacBtApi->lib_handle, "ldacBT_get_eqmid");
--#else
-       ldacBT_get_eqmid;
--#endif
- 
-     hLdacBtApi->get_error_code =
--#ifdef LDAC_ABR_DYNAMIC_LINK_LDAC_API
--      load_func(hLdacBtApi->lib_handle, "ldacBT_get_error_code");
--#else
-       ldacBT_get_error_code;
--#endif
- 
-     if( (hLdacBtApi->alter_eqmid_priority == NULL) ||
-         (hLdacBtApi->get_eqmid == NULL) ||
--- 
-2.53.0
-

pkgs/by-name/ld/ldacbt/package.nix

@@ -2,17 +2,19 @@
   lib,
   stdenv,
   fetchFromGitHub,
+  cmake,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "ldacBT";
-  version = "2.0.72";
+  version = "2.0.2.3";
 
   src = fetchFromGitHub {
-    owner = "open-vela";
-    repo = "external_libldac";
-    rev = "5b4bf66096ba0d69615efb2422ba3d023c34c2fd";
-    hash = "sha256-5jeqTyhSBtYky15Xw1lIbUxeGZMQQQdM/EQUFicyi3Y=";
+    repo = "ldacBT";
+    owner = "ehfive";
+    tag = "v${finalAttrs.version}";
+    sha256 = "09dalysx4fgrgpfdm9a51x6slnf4iik1sqba4xjgabpvq91bnb63";
+    fetchSubmodules = true;
   };
 
   outputs = [
@@ -20,99 +22,31 @@ stdenv.mkDerivation (finalAttrs: {
     "dev"
   ];
 
-  patches = [
-    ./0001-abr-drop-support-for-dynamic-loading-libldac.patch
+  nativeBuildInputs = [
+    cmake
   ];
 
-  env.NIX_CFLAGS_COMPILE = "-O2 -fPIC -fno-merge-constants -Wall -Iinc -Isrc -Iabr/inc";
+  cmakeFlags = [
+    # CMakeLists.txt by default points to $out
+    "-DINSTALL_INCLUDEDIR=${placeholder "dev"}/include"
+  ];
 
-  # Verify finalAttrs.version matches LDACBT_LIB_VER_* in upstream source.
-  # Guards against silent version drift when the pinned commit changes.
-  preBuild = ''
-    awk -v want=${finalAttrs.version} '
-      /^#define LDACBT_LIB_VER_/ { v = v sep ($3+0); sep = "." }
-      END {
-        if (v != want) { print "version mismatch: package says " want ", source reports " v > "/dev/stderr"; exit 1 }
-      }
-    ' src/ldacBT_api.c
-  '';
-
-  # Upstream ships AOSP build files and a gcc/ makefile that only knows
-  # about the in-tree layout. Compile and link directly; the entire
-  # library is two umbrella translation units.
-  buildPhase = ''
-    runHook preBuild
-
-    soname=libldacBT.so.${lib.versions.major finalAttrs.version}
-    sofile=libldacBT.so.${finalAttrs.version}
-
-    $CC -shared -Wl,-soname,$soname src/ldaclib.c src/ldacBT.c abr/src/ldacBT_abr.c -lm -o $sofile
-
-    runHook postBuild
-  '';
-
-  installPhase = ''
-    runHook preInstall
-
-    install -Dm644 -t $out/lib $sofile
-    ln -s $sofile $out/lib/$soname
-    ln -s $sofile $out/lib/libldacBT.so
-
-    install -Dm644 inc/ldacBT.h $dev/include/ldac/ldacBT.h
-    install -Dm644 abr/inc/ldacBT_abr.h $dev/include/ldac/ldacBT_abr.h
-
-    mkdir -p $dev/lib/pkgconfig
-    cat > $dev/lib/pkgconfig/ldacBT-dec.pc <<EOF
-    prefix=$out
-    exec_prefix=\''${prefix}
-    libdir=$out/lib
-    includedir=$dev/include/ldac
-
-    Name: ldacBT-dec
-    Description: LDAC Bluetooth decoder
-    Version: ${finalAttrs.version}
-    Libs: -L\''${libdir} -lldacBT
-    Libs.private: -lm
-    Cflags: -I\''${includedir}
-    EOF
-
-    cat > $dev/lib/pkgconfig/ldacBT-enc.pc <<EOF
-    prefix=$out
-    exec_prefix=\''${prefix}
-    libdir=$out/lib
-    includedir=$dev/include/ldac
-
-    Name: ldacBT-enc
-    Description: LDAC Bluetooth encoder
-    Version: ${finalAttrs.version}
-    Libs: -L\''${libdir} -lldacBT
-    Libs.private: -lm
-    Cflags: -I\''${includedir}
-    EOF
-
-    cat > $dev/lib/pkgconfig/ldacBT-abr.pc <<EOF
-    prefix=$out
-    exec_prefix=\''${prefix}
-    libdir=$out/lib
-    includedir=$dev/include/ldac
-
-    Name: ldacBT-abr
-    Description: LDAC Bluetooth ABR library
-    Version: ${finalAttrs.version}
-    Libs: -L\''${libdir} -lldacBT
-    Libs.private: -lm
-    Cflags: -I\''${includedir}
-    EOF
-
-    runHook postInstall
+  # Fix the build with CMake 4.
+  #
+  # See: <https://github.com/EHfive/ldacBT/pull/1>
+  postPatch = ''
+    substituteInPlace CMakeLists.txt \
+      --replace-fail \
+        'cmake_minimum_required(VERSION 3.0)' \
+        'cmake_minimum_required(VERSION 3.0...3.10)'
   '';
 
   meta = {
-    description = "Sony LDAC Bluetooth decoder library (from AOSP via open-vela)";
-    homepage = "https://github.com/open-vela/external_libldac";
+    description = "AOSP libldac dispatcher";
+    homepage = "https://github.com/EHfive/ldacBT";
     license = lib.licenses.asl20;
-    # LDAC bitstream format assumes LE; source has endian checks
+    # libldac code detects & #error's out on non-LE byte order
     platforms = lib.platforms.littleEndian;
-    maintainers = with lib.maintainers; [ qweered ];
+    maintainers = [ ];
   };
 })

pkgs/by-name/le/less/package.nix

@@ -11,7 +11,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "less";
-  version = "702";
+  version = "692";
 
   # `less` is provided by the following sources:
   # - meta.homepage
@@ -20,7 +20,7 @@ stdenv.mkDerivation (finalAttrs: {
   # homepage, and only those not marked as beta.
   src = fetchurl {
     url = "https://www.greenwoodsoftware.com/less/less-${finalAttrs.version}.tar.gz";
-    hash = "sha256-JCpkwA8C2W+O4gjPY4rhcotyfH9f34Kn1PTK4y+whOI=";
+    hash = "sha256-YTAPYDeY7PHXeGVweJ8P8/WhrPB1pvufdWg30WbjfRQ=";
   };
 
   buildInputs = [

pkgs/by-name/li/libadwaita/package.nix

@@ -23,7 +23,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "libadwaita";
-  version = "1.9.1";
+  version = "1.9.0";
 
   outputs = [
     "out"
@@ -37,7 +37,7 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "GNOME";
     repo = "libadwaita";
     tag = finalAttrs.version;
-    hash = "sha256-Oy3WcsymNbbmAacm5hEOrorI1wKXjSp063mh4jCJRAE=";
+    hash = "sha256-JAKP8CjLCKGZvHoB26ih/J3xAru4wiVf/ObG0L8r4pY=";
   };
 
   depsBuildBuild = [

pkgs/by-name/li/libaec/package.nix

@@ -7,13 +7,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "libaec";
-  version = "1.1.7";
+  version = "1.1.6";
 
   src = fetchFromGitHub {
     owner = "Deutsches-Klimarechenzentrum";
     repo = "libaec";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-aBm+CXCq7sdJb6Qq9sNuTzNj0nRwTJI20HsqUg1Qi/8=";
+    hash = "sha256-cxDP+JNwokxgzH9hO2zw+rIcz8XG7E8ujbAbWpgUEW8=";
   };
 
   nativeBuildInputs = [

pkgs/by-name/li/libapparmor/package.nix

@@ -32,13 +32,13 @@
 }:
 stdenv.mkDerivation (finalAttrs: {
   pname = "libapparmor";
-  version = "5.0.0";
+  version = "4.1.7";
 
   src = fetchFromGitLab {
     owner = "apparmor";
     repo = "apparmor";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-seEREIc83alEPyZGD/GY48hjpqiw3QENnqYsdjHOGgs=";
+    hash = "sha256-yjqdUwHkQ1uiPKPZQVf/o8tGixQeIKNMOIYo4aVK7N0=";
   };
   sourceRoot = "${finalAttrs.src.name}/libraries/libapparmor";
 

pkgs/by-name/li/libass/package.nix

@@ -44,7 +44,9 @@ stdenv.mkDerivation (finalAttrs: {
     fribidi
     harfbuzz
   ]
-  ++ lib.optional fontconfigSupport fontconfig;
+  ++ lib.optional fontconfigSupport fontconfig
+  # TODO: remove dep after branchoff (in darwin stdenv)
+  ++ lib.optional stdenv.hostPlatform.isDarwin libiconv.out;
 
   meta = {
     description = "Portable ASS/SSA subtitle renderer";

pkgs/by-name/li/libavif/package.nix

@@ -31,7 +31,7 @@ in
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "libavif";
-  version = "1.4.2";
+  version = "1.4.1";
 
   outputs = [
     "out"
@@ -42,7 +42,7 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "AOMediaCodec";
     repo = "libavif";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-AMQ1TRPGpuBBW7tJ8xuLEVTAeOsLWTHuE0dFJjI7+W4=";
+    hash = "sha256-035SoxHfN121mp3LGwGykReCi1WJbl2/nZH8c/VwABU=";
   };
 
   postPatch = ''

pkgs/by-name/li/libcaca/package.nix

@@ -2,7 +2,6 @@
   lib,
   stdenv,
   fetchFromGitHub,
-  fetchpatch,
   autoreconfHook,
   imlib2,
   libxext,
@@ -24,14 +23,6 @@ stdenv.mkDerivation (finalAttrs: {
     hash = "sha256-N0Lfi0d4kjxirEbIjdeearYWvStkKMyV6lgeyNKXcVw=";
   };
 
-  patches = [
-    (fetchpatch {
-      name = "CVE-2026-42046.patch";
-      url = "https://github.com/cacalabs/libcaca/commit/fb77acff9ba6bb01d53940da34fb10f20b156a23.patch";
-      hash = "sha256-AdpiE5Gw/CVET//7TTYZCb0glW5HY+T8xZkYs1XCBvY=";
-    })
-  ];
-
   nativeBuildInputs = [
     autoreconfHook
     pkg-config

pkgs/by-name/li/libcap/package.nix

@@ -3,6 +3,7 @@
   lib,
   buildPackages,
   fetchurl,
+  fetchpatch,
   runtimeShell,
   pkgsBuildHost,
   usePam ? !isStatic,
@@ -30,11 +31,11 @@ assert usePam -> pam != null;
 
 stdenv.mkDerivation rec {
   pname = "libcap";
-  version = "2.78";
+  version = "2.77";
 
   src = fetchurl {
     url = "mirror://kernel/linux/libs/security/linux-privs/libcap2/${pname}-${version}.tar.xz";
-    hash = "sha256-DWIeVi/ZMsz2e5Zg+wGORopoPXuCdUHfJ4EyKMmWuxE=";
+    hash = "sha256-iXvBi0Svwmxw54zq09uzHhVKzCS+4IWloJB5qI2/b1I=";
   };
 
   outputs = [
@@ -75,6 +76,13 @@ stdenv.mkDerivation rec {
     "LIBCSTATIC=yes"
   ];
 
+  patches = [
+    (fetchpatch {
+      url = "https://git.kernel.org/pub/scm/libs/libcap/libcap.git/patch/?id=d628b3bfe40338d4efff6b0ae50f250a0eb884c7";
+      hash = "sha256-Eiv/BOJZkduL+hOEJd8K1LQd9wvOeCKchE2GaLcerVc=";
+    })
+  ];
+
   postPatch = ''
     patchShebangs ./progs/mkcapshdoc.sh
 

pkgs/by-name/li/libcbor/package.nix

@@ -14,13 +14,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "libcbor";
-  version = "0.14.0";
+  version = "0.13.0";
 
   src = fetchFromGitHub {
     owner = "PJK";
     repo = "libcbor";
-    tag = "v${finalAttrs.version}";
-    hash = "sha256-zjajNtj4jKbt3pLjfLrgtYljyMDYJtnzAC5JPdt+Wys=";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-ePgVR7VHXWKqOShuAEQG3BJ08W2aZS/vfcPUCqTw7X4=";
   };
 
   outputs = [
@@ -61,7 +61,6 @@ stdenv.mkDerivation (finalAttrs: {
   };
 
   meta = {
-    changelog = "https://github.com/PJK/libcbor/blob/${finalAttrs.src.tag}/CHANGELOG.md";
     description = "CBOR protocol implementation for C and others";
     homepage = "https://github.com/PJK/libcbor";
     license = lib.licenses.mit;

pkgs/by-name/li/libde265/package.nix

@@ -15,14 +15,14 @@
 }:
 
 stdenv.mkDerivation (finalAttrs: {
-  version = "1.1.0";
+  version = "1.0.18";
   pname = "libde265";
 
   src = fetchFromGitHub {
     owner = "strukturag";
     repo = "libde265";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-QhBi23HttVdIJCueSeKj3ZKwqX1iFcuAX7GmnMRCyN8=";
+    hash = "sha256-N6K82ElrzrMSNKfPTDsc5onrxucIJ8niwFgbaEPPd2I=";
   };
 
   nativeBuildInputs = [
@@ -43,7 +43,6 @@ stdenv.mkDerivation (finalAttrs: {
 
   meta = {
     homepage = "https://github.com/strukturag/libde265";
-    changelog = "https://github.com/strukturag/libde265/releases/tag/${finalAttrs.src.tag}";
     description = "Open h.265 video codec implementation";
     mainProgram = "dec265";
     license = lib.licenses.lgpl3;

pkgs/by-name/li/libdrm/package.nix

@@ -16,11 +16,11 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "libdrm";
-  version = "2.4.134";
+  version = "2.4.133";
 
   src = fetchurl {
     url = "https://dri.freedesktop.org/libdrm/libdrm-${finalAttrs.version}.tar.xz";
-    hash = "sha256-rF500VeDDri+5Exqa/OtSXdO8N0qcr2tdKjyAwi1KpU=";
+    hash = "sha256-/Gj50LoupjyUMqKZ4U/qCfrXqKZugDn814AspZ93tPU=";
   };
 
   outputs = [

pkgs/by-name/li/libedit/package.nix

@@ -8,11 +8,11 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "libedit";
-  version = "20260508-3.1";
+  version = "20251016-3.1";
 
   src = fetchurl {
     url = "https://thrysoee.dk/editline/libedit-${finalAttrs.version}.tar.gz";
-    hash = "sha256-kfQtZXHdjZL67dE0ETTOWrygxdC0s1KBQYbTPysRJy4=";
+    hash = "sha256-ITYrAGU7v8HHH3GnV42ma1tSA1WdQxNNLddxnjE84EE=";
   };
 
   outputs = [