R updates (#523821)

After fixing the registration bug I determined that the module was way
too verbose and did not need to provide all of the options provided in
the application. I've stopped explicitly declaring all options that
aren't needed to make a basic version of the module function. The
assertions have also been updated to mirror this fact and will alert a
user when the specific required options are unset. A new documnetation
file was also added as this module, like other mautrix modules, is quite
complex and may need more explaining.

nixos/doc/manual/redirects.json

@@ -65,6 +65,42 @@
   "module-services-keycloak-unix-socket": [
     "index.html#module-services-keycloak-unix-socket"
   ],
+  "module-services-mautrix-discord": [
+    "index.html#module-services-mautrix-discord"
+  ],
+  "module-services-mautrix-discord-advanced": [
+    "index.html#module-services-mautrix-discord-advanced"
+  ],
+  "module-services-mautrix-discord-authentication": [
+    "index.html#module-services-mautrix-discord-authentication"
+  ],
+  "module-services-mautrix-discord-backfill": [
+    "index.html#module-services-mautrix-discord-backfill"
+  ],
+  "module-services-mautrix-discord-basic-example": [
+    "index.html#module-services-mautrix-discord-basic-example"
+  ],
+  "module-services-mautrix-discord-basic-usage": [
+    "index.html#module-services-mautrix-discord-basic-usage"
+  ],
+  "module-services-mautrix-discord-double-puppet": [
+    "index.html#module-services-mautrix-discord-double-puppet"
+  ],
+  "module-services-mautrix-discord-encryption": [
+    "index.html#module-services-mautrix-discord-encryption"
+  ],
+  "module-services-mautrix-discord-server-defaults": [
+    "index.html#module-services-mautrix-discord-server-defaults"
+  ],
+  "module-services-mautrix-discord-setup": [
+    "index.html#module-services-mautrix-discord-setup"
+  ],
+  "module-services-mautrix-discord-synapse": [
+    "index.html#module-services-mautrix-discord-synapse"
+  ],
+  "module-services-mautrix-discord-troubleshooting": [
+    "index.html#module-services-mautrix-discord-troubleshooting"
+  ],
   "module-services-tandoor-recipes-migrating-media-option-move": [
     "index.html#module-services-tandoor-recipes-migrating-media-option-move",
     "index.html#module-services-tandoor-recipes-migrating-media-option-1"

nixos/lib/systemd-lib.nix

@@ -78,13 +78,16 @@ rec {
         {
           preferLocalBuild = true;
           allowSubstitutes = false;
-          text = unit.text or "";
-          __structuredAttrs = true;
+          # unit.text can be null. But variables that are null listed in
+          # passAsFile are ignored by nix, resulting in no file being created,
+          # making the mv operation fail.
+          text = optionalString (unit.text != null) unit.text;
+          passAsFile = [ "text" ];
         }
         ''
           name=${shellEscape name}
           mkdir -p "$out/$(dirname -- "$name")"
-          printf "%s" "$text" > "$out/$name"
+          mv "$textPath" "$out/$name"
         ''
     else
       pkgs.runCommand "unit-${mkPathSafeName name}-disabled"

nixos/lib/test-driver/default.nix

@@ -11,7 +11,6 @@
   ptpython,
   pydantic,
   python,
-  ovmfvartool,
   remote-pdb,
   ruff,
   ty,
@@ -50,7 +49,6 @@ buildPythonApplication {
     junit-xml
     ptpython
     pydantic
-    ovmfvartool
     remote-pdb
   ]
   ++ extraPythonPackages python.pkgs;

nixos/lib/test-driver/src/test_driver/efi.py

@@ -1,233 +0,0 @@
-import binascii
-import io
-import os.path
-import uuid
-from collections.abc import Generator
-from contextlib import contextmanager
-from pathlib import Path
-from typing import IO, Any, TypeVar
-
-from ovmfvartool import (
-    AuthenticatedVariable,
-    FirmwareVolumeHeader,
-    UEFITime,
-    VariableStoreHeader,
-    resolveUUID,
-)
-
-import test_driver.machine
-from test_driver.errors import RequestedAssertionFailed
-
-EfiVariableT = TypeVar("EfiVariableT", bound="EfiVariable")
-
-# See edk2.git/OvmfPkg/Bhyve/VarStore.fdf.inc
-_NV_FTW_WORKING_OFFSET = 0x41000
-_NV_FTW_WORKING_VALUE = binascii.unhexlify(
-    b"2b29589e687c7d49a0ce6500fd9f1b952caf2c64feffffffe00f000000000000"
-)
-_NV_FTW_SIZE = 0x42000
-_NV_FTW_MAIN_PLUS_SPARE_SIZE = _NV_FTW_SIZE * 2
-
-
-class EfiVariable(AuthenticatedVariable):
-    class Flags:
-        NON_VOLATILE = 0x1
-        BOOTSERVICE_ACCESS = 0x2
-        RUNTIME_ACCESS = 0x4
-        TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20
-
-    class State:
-        VAR_HEADER_VALID_ONLY = 0x7F
-        VAR_ADDED = 0x3F
-
-    volatile = False
-    boot_access = False
-    runtime_access = False
-    hardware_error_record = False
-    authenticated_write_access = False
-    time_based_authenticated_write_access = False
-    append_write = False
-
-    def __init__(
-        self,
-        vendor_uuid: uuid.UUID | None = None,
-        name: str | None = None,
-        data: bytes | None = None,
-        state: int | None = None,
-        flags: int | None = None,
-    ) -> None:
-        self.magic = 0x55AA
-        self.reserved1 = 0
-        self.monotonicCount = 0
-        self.timestamp = UEFITime()
-        self.pubKeyIdx = 0
-        self.state = 0
-        self.flags = 0
-
-        if vendor_uuid is not None:
-            self.vendorUUID = uuid.UUID(bytes=vendor_uuid.bytes_le)
-
-        if state is not None:
-            self.state = state ^ 0xFF
-        else:
-            self.state = (0x40 | 0x80) ^ 0xFF
-
-        if flags is not None:
-            self.flags = flags
-
-        if name is not None:
-            self.name = name
-            self.nameLen = len(name) * 2 + 2
-
-        if data is not None:
-            self.data = data
-            self.dataLen = len(data)
-
-    def _read_flags(self) -> None:
-        if not (self.flags & 0x1):
-            self.volatile = True
-        if self.flags & 0x2:
-            self.boot_access = True
-        if self.flags & 0x4:
-            self.runtime_access = True
-        if self.flags & 0x8:
-            self.hardware_error_record = True
-        if self.flags & 0x10:
-            self.authenticated_write_access = True
-        if self.flags & 0x20:
-            self.time_based_authenticated_write_access = True
-        if self.flags & 0x40:
-            self.append_write = True
-
-        self.flags &= ~(0x1 | 0x2 | 0x4 | 0x8 | 0x10 | 0x20 | 0x40)
-
-    @classmethod
-    def deserialize(cls: type[EfiVariableT], f: Any) -> EfiVariableT | None:
-        # pylint: disable=no-member
-        # false positive https://github.com/PyCQA/pylint/issues/981
-        ret = super().deserialize(f)
-        if ret:
-            ret._read_flags()
-        return ret
-
-    @classmethod
-    def deserializeFromDocument(  # noqa: N802
-        cls: type[EfiVariableT],
-        vendorID: str,  # noqa: N803
-        name: str,
-        doc: dict[str, Any],
-    ) -> EfiVariableT:
-        # pylint: disable=no-member
-        # false positive https://github.com/PyCQA/pylint/issues/981
-        ret = super(cls, cls).deserializeFromDocument(vendorID, name, doc)
-        if ret:
-            ret._read_flags()
-        return ret
-
-
-class EfiVars:
-    """A container around the ovmf variables"""
-
-    state_path: Path
-    machine: "test_driver.machine.QemuMachine"
-
-    def __init__(self, state_path: Path, machine: Any):
-        self.state_path = state_path
-        self.machine = machine
-
-    def _assert_stopped(self) -> None:
-        if self.machine.booted:
-            raise RequestedAssertionFailed(
-                "System is currently running and concurrent reads / writes to the OVMF variables is unsupported"
-            )
-
-    def read_content(self) -> dict[str, dict[str, EfiVariable]] | None:
-        self._assert_stopped()
-        try:
-            with open(self.state_path, "rb") as f:
-                fvh = FirmwareVolumeHeader.deserialize(f)
-                vsh = VariableStoreHeader.deserialize(f)
-                _ = fvh
-                _ = vsh
-                variables: dict[str, dict[str, EfiVariable]] = {}
-
-                while True:
-                    v = EfiVariable.deserialize(f)
-                    if not v:
-                        break
-                    if v.isDeleted:
-                        continue
-
-                    k = resolveUUID(v.vendorUUID)
-                    variables.setdefault(k, {})
-                    variables[k][v.name] = v
-
-                return variables
-
-        except FileNotFoundError:
-            return None
-
-    @contextmanager
-    def _write_store(self, *args, **kwargs) -> Generator[IO[bytes]]:
-        with open(self.state_path, "wb") as fo:
-            fm = io.BytesIO(b"\xff" * _NV_FTW_MAIN_PLUS_SPARE_SIZE)
-            fm.write(FirmwareVolumeHeader.create().serialize())
-            fm.write(VariableStoreHeader.create().serialize())
-
-            try:
-                yield fm
-            finally:
-                fm.seek(_NV_FTW_WORKING_OFFSET)
-                fm.write(_NV_FTW_WORKING_VALUE)
-                fm.seek(0)
-                fo.write(fm.read())
-
-    def create_empty(self) -> None:
-        self._assert_stopped()
-
-        if os.path.exists(self.state_path):
-            raise RequestedAssertionFailed("OVMF variables store exists")
-
-        with self._write_store():
-            pass
-
-    def write(self, add: list[EfiVariable]) -> None:
-        self._assert_stopped()
-
-        variables = self.read_content()
-        if not variables:
-            variables = {}
-
-        for var in add:
-            k = resolveUUID(var.vendorUUID)
-            variables.setdefault(k, {})
-            variables[k][var.name] = var
-
-        with self._write_store() as fm:
-            for _, vendor in variables.items():
-                for _, v in vendor.items():
-                    fm.write(v.serialize())
-                    if fm.tell() % 4:
-                        fm.write(b"\xff" * (4 - (fm.tell() % 4)))
-                    assert (fm.tell() % 4) == 0
-
-
-class EfiGuid:
-    from ovmfvartool import (
-        gEdkiiVarErrorFlagGuid,
-        gEfiAuthenticatedVariableGuid,
-        gEfiCertDbGuid,
-        gEfiCustomModeEnableGuid,
-        gEfiGlobalVariableGuid,
-        gEfiImageSecurityDatabaseGuid,
-        gEfiIp4Config2ProtocolGuid,
-        gEfiIScsiInitiatorNameProtocolGuid,
-        gEfiMemoryTypeInformationGuid,
-        gEfiSecureBootEnableDisableGuid,
-        gEfiSystemNvDataFvGuid,
-        gEfiVendorKeysNvGuid,
-        gIScsiConfigGuid,
-        gMicrosoftVendorGuid,
-        gMtcVendorGuid,
-        mBmHardDriveBootVariableGuid,
-    )

nixos/lib/test-driver/src/test_driver/machine/__init__.py

@@ -22,7 +22,6 @@ from pathlib import Path
 from queue import Queue
 from typing import Any
 
-from test_driver.efi import EfiVariable, EfiVars
 from test_driver.errors import MachineError, RequestedAssertionFailed
 from test_driver.logger import AbstractLogger
 from test_driver.machine.ocr import (
@@ -193,7 +192,6 @@ class QemuStartCommand:
     def build_environment(
         state_dir: Path,
         shared_dir: Path,
-        efi_vars_path: Path | None = None,
     ) -> dict:
         # We make a copy to not update the current environment
         env = dict(os.environ)
@@ -204,13 +202,6 @@ class QemuStartCommand:
                 "USE_TMPDIR": "1",
             }
         )
-        if efi_vars_path is not None:
-            env.update(
-                {
-                    "NIX_EFI_VARS": str(efi_vars_path),
-                }
-            )
-
         return env
 
     def run(
@@ -221,7 +212,6 @@ class QemuStartCommand:
         qmp_socket_path: Path,
         shell_socket_path: Path,
         allow_reboot: bool,
-        efi_vars_path: Path | None = None,
         vsock_guest: Path | None = None,
     ) -> subprocess.Popen:
         return subprocess.Popen(
@@ -237,9 +227,7 @@ class QemuStartCommand:
             stderr=subprocess.STDOUT,
             shell=True,
             cwd=state_dir,
-            env=self.build_environment(
-                state_dir, shared_dir, efi_vars_path=efi_vars_path
-            ),
+            env=self.build_environment(state_dir, shared_dir),
         )
 
 
@@ -762,9 +750,6 @@ class QemuMachine(BaseMachine):
     # Store all console output for full log retrieval
     full_console_log: list[str]
 
-    efi_vars_path: Path
-    efi_vars: EfiVars
-
     def __init__(
         self,
         out_dir: Path,
@@ -806,9 +791,6 @@ class QemuMachine(BaseMachine):
         self.booted = False
         self.connected = False
 
-        self.efi_vars_path = self.state_dir / f"{self.name}-efi-vars.fd"
-        self.efi_vars = EfiVars(self.efi_vars_path, self)
-
     def ssh_backdoor_command(self) -> str:
         assert self.vsock_host is not None
         return f"ssh -o User=root vsock-mux/{self.vsock_host}"
@@ -1182,25 +1164,24 @@ class QemuMachine(BaseMachine):
         # to match multiline regexes.
         console = io.StringIO()
 
-        def console_matches(_last_try: bool, block: bool = False) -> bool:
+        def console_matches(_last_try: bool) -> bool:
             nonlocal console
             try:
-                while True:
-                    # This will return as soon as possible and
-                    # sleep 1 second.
-                    console.write(self.last_lines.get(block=block))
-                    console.seek(0)
-                    matches = re.search(regex, console.read())
-                    if matches is not None:
-                        return True
+                # This will return as soon as possible and
+                # sleep 1 second.
+                console.write(self.last_lines.get(block=False))
             except queue.Empty:
-                return False
+                pass
+            console.seek(0)
+            matches = re.search(regex, console.read())
+            return matches is not None
 
         with self.nested(f"waiting for {regex} to appear on console"):
             if timeout is not None:
                 retry(console_matches, timeout)
             else:
-                console_matches(False, block=True)
+                while not console_matches(False):
+                    pass
 
     def get_console_log(self) -> str:
         """
@@ -1267,7 +1248,6 @@ class QemuMachine(BaseMachine):
             self.qmp_path,
             self.shell_path,
             allow_reboot,
-            self.efi_vars_path,
             self.vsock_guest,
         )
 
@@ -1452,28 +1432,6 @@ class QemuMachine(BaseMachine):
         self.connected = False
         self.connect()
 
-    def dump_efi_vars(self) -> None:
-        for var in self.read_efi_vars():
-            var.print()
-
-    def read_efi_vars(self) -> list[EfiVariable]:
-        config = self.efi_vars.read_content()
-        if not config:
-            return []
-
-        out = []
-        for vendor, variables in config.items():
-            for name, v in variables.items():
-                out.append(v)
-
-        return out
-
-    def create_efi_vars(self) -> None:
-        self.efi_vars.create_empty()
-
-    def write_efi_vars(self, add: list[EfiVariable]) -> None:
-        self.efi_vars.write(add)
-
 
 class NspawnMachine(BaseMachine):
     """

nixos/modules/installer/tools/nixos-generate-config.pl

@@ -505,7 +505,7 @@ EOF
     # This should work for single and multi-device systems.
     # still needs subvolume support
     if ($fsType eq "bcachefs") {
-        my ($status, @info) = runCommand("@bcachefs@ fs usage $rootDir$mountPoint");
+        my ($status, @info) = runCommand("bcachefs fs usage $rootDir$mountPoint");
         my $UUID = $info[0];
 
         if ($status == 0 && $UUID =~ /^Filesystem:[ \t\n]*([0-9a-z-]+)/) {

nixos/modules/installer/tools/tools.nix

@@ -30,20 +30,15 @@ let
     name = "nixos-generate-config";
     src = ./nixos-generate-config.pl;
     replacements = {
-      perl = lib.getExe (
+      perl = "${
         pkgs.perl.withPackages (p: [
           p.FileSlurp
           p.ConfigIniFiles
         ])
-      );
+      }/bin/perl";
       hostPlatformSystem = pkgs.stdenv.hostPlatform.system;
-      detectvirt = lib.getExe' config.systemd.package "systemd-detect-virt";
-      bcachefs =
-        if pkgs.bcachefs-tools.meta.broken then
-          lib.getExe' pkgs.coreutils "false"
-        else
-          lib.getExe pkgs.bcachefs-tools;
-      btrfs = lib.getExe pkgs.btrfs-progs;
+      detectvirt = "${config.systemd.package}/bin/systemd-detect-virt";
+      btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
       inherit (config.system.nixos-generate-config) configuration desktopConfiguration flake;
       xserverEnabled = config.services.xserver.enable;
     };

nixos/modules/services/matrix/mautrix-discord.md

@@ -0,0 +1,156 @@
+# Mautrix-Discord {#module-services-mautrix-discord}
+
+*Source:* {file}`modules/services/matrix/mautrix-discord`
+
+*Upstream documentation:* <https://docs.mau.fi/bridges/go/discord/index.html>
+
+[Mautrix-Discord](https://github.com/mautrix/discord) is a Matrix-Discord bridge.
+
+## Basic Usage {#module-services-mautrix-discord-basic-usage}
+
+The common setup is to enable the bridge, point it at your homeserver, and set the permissions you want to allow:
+
+1. Set `services.mautrix-discord.enable` to `true`.
+2. Set `services.mautrix-discord.settings.homeserver.address` and `services.mautrix-discord.settings.homeserver.domain`.
+3. Override `services.mautrix-discord.settings.bridge.permissions` if the default relay permissions do not fit your deployment.
+
+The module provides sensible defaults for the appservice listener, registration tokens, and relay permissions.
+
+### Basic Example {#module-services-mautrix-discord-basic-example}
+
+```nix
+{
+  services.mautrix-discord = {
+    enable = true;
+    registerToSynapse = true;
+    settings = {
+      homeserver = {
+        address = "http://localhost:8008";
+        domain = "example.com";
+      };
+      bridge.permissions = {
+        "example.com" = "user";
+        "@admin:example.com" = "admin";
+      };
+    };
+  };
+}
+```
+
+### Server Defaults {#module-services-mautrix-discord-server-defaults}
+
+By default, the bridge listens on `http://localhost:29334` and generates its appservice tokens automatically.
+
+## Authentication {#module-services-mautrix-discord-authentication}
+
+If you want to store the bridge database outside the default SQLite file, set `settings.appservice.database` to use PostgreSQL instead of SQLite:
+
+```nix
+{
+  services.mautrix-discord.settings.appservice.database = {
+    type = "postgres";
+    uri = "postgresql:///mautrix-discord?host=/run/postgresql";
+  };
+}
+```
+
+If the connection needs a password, combine it with `services.mautrix-discord.environmentFile`:
+
+```nix
+{
+  services.mautrix-discord = {
+    environmentFile = "/run/secrets/mautrix-discord-env";
+    settings.appservice.database.uri = "postgresql://mautrix:$DB_PASSWORD@localhost/mautrix-discord";
+  };
+}
+```
+
+Use `services.mautrix-discord.environmentFile` for any secret you do not want in the Nix store.
+This includes database passwords, shared secrets, and similar values.
+
+Example:
+
+```nix
+{
+  services.mautrix-discord = {
+    environmentFile = "/run/secrets/mautrix-discord-env";
+    settings.bridge.login_shared_secret_map = {
+      "example.com" = "$SHARED_SECRET";
+    };
+  };
+}
+```
+
+## Bridge Setup {#module-services-mautrix-discord-setup}
+
+After the service starts, open a chat with `@discordbot:example.com`, send `login`, and follow the instructions to link your Discord account.
+
+For more detail, see the [Mautrix-Discord documentation](https://docs.mau.fi/bridges/go/discord/index.html).
+
+## Advanced Configuration {#module-services-mautrix-discord-advanced}
+
+The upstream default configuration is available at [example-config.yaml](https://github.com/mautrix/discord/blob/main/example-config.yaml). To print the generated default configuration from the package, run:
+
+```bash
+nix-shell -p mautrix-discord --run "mautrix-discord -e"
+```
+
+### Encryption {#module-services-mautrix-discord-encryption}
+
+```nix
+{
+  services.mautrix-discord.settings.bridge.encryption = {
+    allow = true;
+    default = true;
+    require = false;
+  };
+}
+```
+
+Encryption needs additional bridge-side setup. See the [bridge encryption documentation](https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html) for details.
+
+### Backfill {#module-services-mautrix-discord-backfill}
+
+```nix
+{
+  services.mautrix-discord.settings.bridge.backfill.forward_limits.initial = {
+    dm = 50;
+    channel = 50;
+    thread = 50;
+  };
+}
+```
+
+### Double Puppeting {#module-services-mautrix-discord-double-puppet}
+
+```nix
+{
+  services.mautrix-discord = {
+    environmentFile = "/run/secrets/mautrix-discord-env";
+    settings.bridge.login_shared_secret_map = {
+      "example.com" = "$SHARED_SECRET";
+    };
+  };
+}
+```
+where  `/run/secrets/mautrix-discord-env` contains
+```
+SHARED_SECRET=aProtectedSecret
+```
+
+## Synapse Integration {#module-services-mautrix-discord-synapse}
+
+When `services.mautrix-discord.registerToSynapse` is `true`, the bridge writes its registration file automatically and Synapse picks it up.
+
+If Synapse is enabled, this option defaults to `true`.
+
+## Troubleshooting {#module-services-mautrix-discord-troubleshooting}
+
+- View logs with `journalctl -u mautrix-discord.service -f`.
+- Check `systemctl status mautrix-discord` if the bridge does not start.
+- Verify the homeserver can reach the configured appservice address.
+- Ensure the registration file exists and Synapse can read it.
+
+For more help, see the
+[Mautrix-Discord documentation](https://docs.mau.fi/bridges/go/discord/index.html)
+or the support room at [#discord:maunium.net](https://matrix.to/#/#discord:maunium.net).

nixos/modules/services/matrix/mautrix-discord.nix

@@ -5,15 +5,59 @@
   ...
 }:
 let
+  defaultDataDir = "/var/lib/mautrix-discord";
   cfg = config.services.mautrix-discord;
   dataDir = cfg.dataDir;
   format = pkgs.formats.yaml { };
+  serviceDependencies = [
+    "mautrix-discord-registration.service"
+  ]
+  ++ (lib.lists.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit)
+  ++ (lib.lists.optional config.services.matrix-conduit.enable "matrix-conduit.service")
+  ++ (lib.lists.optional config.services.dendrite.enable "dendrite.service");
 
   registrationFile = "${dataDir}/discord-registration.yaml";
 
   settingsFile = "${dataDir}/config.yaml";
   settingsFileUnformatted = format.generate "discord-config-unsubstituted.yaml" cfg.settings;
   default_token = "This value is generated when generating the registration";
+  settingsDefault = {
+    homeserver = {
+      address = "";
+      domain = "";
+    };
+
+    appservice = {
+      address = "http://localhost:29334";
+      hostname = "0.0.0.0";
+      port = 29334;
+      database = {
+        type = "sqlite3";
+        uri = "file:${defaultDataDir}/mautrix-discord.db?_txlock=immediate";
+      };
+      id = "discord";
+      bot = {
+        username = "discordbot";
+        displayname = "Discord bridge bot";
+        avatar = "mxc://maunium.net/nIdEykemnwdisvHbpxflpDlC";
+      };
+      as_token = default_token;
+      hs_token = default_token;
+    };
+
+    bridge.permissions."*" = "relay";
+
+    logging = {
+      min_level = "info";
+      writers = [
+        {
+          type = "stdout";
+          format = "pretty-colored";
+          time_format = " ";
+        }
+      ];
+    };
+  };
 in
 {
   options = {
@@ -23,238 +67,14 @@ in
       package = lib.mkPackageOption pkgs "mautrix-discord" { };
 
       settings = lib.mkOption {
-        type = lib.types.submodule {
-          freeformType = format.type;
-
-          config = {
-            _module.args = { inherit cfg lib; };
-          };
-
-          options = {
-            homeserver = lib.mkOption {
-              type = lib.types.attrs;
-              default = {
-                software = "standard";
-                status_endpoint = null;
-                message_send_checkpoint_endpoint = null;
-                async_media = false;
-                websocket = false;
-                ping_interval_seconds = 0;
-              };
-              description = ''
-                fullDataDiration.
-                                See [example-config.yaml](https://github.com/mautrix/discord/blob/main/example-config.yaml)
-                                for more information.
-              '';
-            };
-
-            appservice = lib.mkOption {
-              type = lib.types.attrs;
-              default = {
-                address = "http://localhost:29334";
-                hostname = "0.0.0.0";
-                port = 29334;
-                database = {
-                  type = "sqlite3";
-                  uri = "file:/var/lib/mautrix-discord/mautrix-discord.db?_txlock=immediate";
-                  max_open_conns = 20;
-                  max_idle_conns = 2;
-                  max_conn_idle_time = null;
-                  max_conn_lifetime = null;
-                };
-                id = "discord";
-                bot = {
-                  username = "discordbot";
-                  displayname = "Discord bridge bot";
-                  avatar = "mxc://maunium.net/nIdEykemnwdisvHbpxflpDlC";
-                };
-                ephemeral_events = true;
-                async_transactions = false;
-                as_token = "This value is generated when generating the registration";
-                hs_token = "This value is generated when generating the registration";
-              };
-              defaultText = lib.literalExpression ''
-                {
-                  address = "http://localhost:29334";
-                  hostname = "0.0.0.0";
-                  port = 29334;
-                  database = {
-                    type = "sqlite3";
-                    uri = "file:''${config.services.mautrix-discord.dataDir}/mautrix-discord.db?_txlock=immediate";
-                    max_open_conns = 20;
-                    max_idle_conns = 2;
-                    max_conn_idle_time = null;
-                    max_conn_lifetime = null;
-                  };
-                  id = "discord";
-                  bot = {
-                    username = "discordbot";
-                    displayname = "Discord bridge bot";
-                    avatar = "mxc://maunium.net/nIdEykemnwdisvHbpxflpDlC";
-                  };
-                  ephemeral_events = true;
-                  async_transactions = false;
-                  as_token = "This value is generated when generating the registration";
-                  hs_token = "This value is generated when generating the registration";
-                }
-              '';
-              description = ''
-                Appservice configuration.
-                See [example-config.yaml](https://github.com/mautrix/discord/blob/main/example-config.yaml)
-                for more information.
-              '';
-            };
-
-            bridge = lib.mkOption {
-              type = lib.types.attrs;
-              default = {
-                username_template = "discord_{{.}}";
-                displayname_template = "{{if .Webhook}}Webhook{{else}}{{or .GlobalName .Username}}{{if .Bot}} (bot){{end}}{{end}}";
-                channel_name_template = "{{if or (eq .Type 3) (eq .Type 4)}}{{.Name}}{{else}}#{{.Name}}{{end}}";
-                guild_name_template = "{{.Name}}";
-                private_chat_portal_meta = "default";
-                public_address = null;
-                avatar_proxy_key = "generate";
-                portal_message_buffer = 128;
-                startup_private_channel_create_limit = 5;
-                delivery_receipts = false;
-                message_status_events = false;
-                message_error_notices = true;
-                restricted_rooms = true;
-                autojoin_thread_on_open = true;
-                embed_fields_as_tables = true;
-                mute_channels_on_create = false;
-                sync_direct_chat_list = false;
-                resend_bridge_info = false;
-                custom_emoji_reactions = true;
-                delete_portal_on_channel_delete = false;
-                delete_guild_on_leave = true;
-                federate_rooms = true;
-                prefix_webhook_messages = true;
-                enable_webhook_avatars = false;
-                use_discord_cdn_upload = true;
-                #proxy =
-                cache_media = "unencrypted";
-                direct_media = {
-                  enabled = false;
-                  #server_name = "discord-media.example.com";
-                  #well_known_response =
-                  allow_proxy = true;
-                  server_key = "generate";
-                };
-                animated_sticker = {
-                  target = "webp";
-                  args = {
-                    width = 320;
-                    height = 320;
-                    fps = 25;
-                  };
-                };
-                double_puppet_server_map = {
-                  #"example.com" = "https://example.com";
-                };
-                double_puppet_allow_discovery = false;
-                login_shared_secret_map = {
-                  #"example.com" = "foobar";
-                };
-                command_prefix = "!discord";
-                management_room_text = {
-                  welcome = "Hello, I'm a Discord bridge bot.";
-                  welcome_connected = "Use `help` for help.";
-                  welcome_unconnected = "Use `help` for help or `login` to log in.";
-                  additional_help = "";
-                };
-                backfill = {
-                  forward_limits = {
-                    initial = {
-                      dm = 0;
-                      channel = 0;
-                      thread = 0;
-                    };
-                    missed = {
-                      dm = 0;
-                      channel = 0;
-                      thread = 0;
-                    };
-                    max_guild_members = -1;
-                  };
-                };
-                encryption = {
-                  allow = false;
-                  default = false;
-                  appservice = false;
-                  msc4190 = false;
-                  require = false;
-                  allow_key_sharing = false;
-                  plaintext_mentions = false;
-                  delete_keys = {
-                    delete_outbound_on_ack = false;
-                    dont_store_outbound = false;
-                    ratchet_on_decrypt = false;
-                    delete_fully_used_on_decrypt = false;
-                    delete_prev_on_new_session = false;
-                    delete_on_device_delete = false;
-                    periodically_delete_expired = false;
-                    delete_outdated_inbound = false;
-                  };
-                  verification_levels = {
-                    receive = "unverified";
-                    send = "unverified";
-                    share = "cross-signed-tofu";
-                  };
-                  rotation = {
-                    enable_custom = false;
-                    milliseconds = 604800000;
-                    messages = 100;
-                    disable_device_change_key_rotation = false;
-                  };
-                };
-                provisioning = {
-                  prefix = "/_matrix/provision";
-                  shared_secret = "generate";
-                  debug_endpoints = false;
-                };
-                permissions = {
-                  "*" = "relay";
-                  #"example.com" = "user";
-                  #"@admin:example.com": "admin";
-                };
-              };
-              description = ''
-                Bridge configuration.
-                See [example-config.yaml](https://github.com/mautrix/discord/blob/main/example-config.yaml)
-                for more information.
-              '';
-            };
-            logging = lib.mkOption {
-              type = lib.types.attrs;
-              default = {
-                min_level = "info";
-                writers = lib.singleton {
-                  type = "stdout";
-                  format = "pretty-colored";
-                  time_format = " ";
-                };
-              };
-              description = ''
-                Logging configuration.
-                See [example-config.yaml](https://github.com/mautrix/discord/blob/main/example-config.yaml)
-                for more information.
-              '';
-            };
-          };
-        };
-        default = { };
+        apply = lib.recursiveUpdate settingsDefault;
+        type = format.type;
+        default = settingsDefault;
         example = lib.literalExpression ''
           {
             homeserver = {
               address = "http://localhost:8008";
-              domain = "public-domain.tld";
-            };
-
-            appservice.public = {
-              prefix = "/public";
-              external = "https://public-appservice-address/public";
+              domain = "example.com";
             };
 
             bridge.permissions = {
@@ -265,8 +85,12 @@ in
         '';
         description = ''
           {file}`config.yaml` configuration as a Nix attribute set.
+
           Configuration options should match those described in
           [example-config.yaml](https://github.com/mautrix/discord/blob/main/example-config.yaml).
+
+          Secret tokens should be specified using {option}`environmentFile`
+          instead of this world-readable attribute set.
         '';
       };
 
@@ -282,12 +106,9 @@ in
 
       dataDir = lib.mkOption {
         type = lib.types.path;
-        default = "/var/lib/mautrix-discord";
-        defaultText = "/var/lib/mautrix-discord";
-        description = ''
-          Directory to store the bridge's configuration and database files.
-          This directory will be created if it does not exist.
-        '';
+        default = defaultDataDir;
+        defaultText = defaultDataDir;
+        description = "Directory to store the bridge's data.";
       };
 
       # TODO: Get upstream to add an environment File option. Refer to https://github.com/NixOS/nixpkgs/pull/404871#issuecomment-2895663652 and https://github.com/mautrix/discord/issues/187
@@ -295,92 +116,31 @@ in
         type = lib.types.nullOr lib.types.path;
         default = null;
         description = ''
-          File containing environment variables to substitute when copying the configuration
-          out of Nix store to the `services.mautrix-discord.dataDir`.
-          Can be used for storing the secrets without making them available in the Nix store.
-          For example, you can set `services.mautrix-discord.settings.appservice.as_token = "$MAUTRIX_DISCORD_APPSERVICE_AS_TOKEN"`
-          and then specify `MAUTRIX_DISCORD_APPSERVICE_AS_TOKEN="{token}"` in the environment file.
-          This value will get substituted into the configuration file as a token.
+          File containing environment variables for secret substitution.
+          Variables in the config like `$VARIABLE` will be replaced.
         '';
       };
 
-      serviceUnit = lib.mkOption {
-        type = lib.types.str;
-        readOnly = true;
-        default = "mautrix-discord.service";
-        description = ''
-          The systemd unit (a service or a target) for other services to depend on if they
-          need to be started after matrix-synapse.
-          This option is useful as the actual parent unit for all matrix-synapse processes
-          changes when configuring workers.
-        '';
-      };
-
-      registrationServiceUnit = lib.mkOption {
-        type = lib.types.str;
-        readOnly = true;
-        default = "mautrix-discord-registration.service";
-        description = ''
-          The registration service that generates the registration file.
-          Systemd unit (a service or a target) for other services to depend on if they
-          need to be started after mautrix-discord registration service.
-          This option is useful as the actual parent unit for all matrix-synapse processes
-          changes when configuring workers.
-        '';
-      };
-
-      serviceDependencies = lib.mkOption {
-        type = lib.types.listOf lib.types.str;
-        default = [
-          cfg.registrationServiceUnit
-        ]
-        ++ (lib.lists.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit)
-        ++ (lib.lists.optional config.services.matrix-conduit.enable "matrix-conduit.service")
-        ++ (lib.lists.optional config.services.dendrite.enable "dendrite.service");
-
-        defaultText = ''
-          [ cfg.registrationServiceUnit ] ++
-          (lib.lists.optional config.services.matrix-synapse.enable config.services.matrix-synapse.serviceUnit) ++
-          (lib.lists.optional config.services.matrix-conduit.enable "matrix-conduit.service") ++
-          (lib.lists.optional config.services.dendrite.enable "dendrite.service");
-        '';
-        description = ''
-          List of Systemd services to require and wait for when starting the application service.
-        '';
-      };
     };
   };
   config = lib.mkIf cfg.enable {
+
     assertions = [
       {
         assertion =
-          cfg.settings.homeserver.domain or "" != "" && cfg.settings.homeserver.address or "" != "";
-        message = ''
-          The options with information about the homeserver:
-          `services.mautrix-discord.settings.homeserver.domain` and
-          `services.mautrix-discord.settings.homeserver.address` have to be set.
-        '';
-      }
-      {
-        assertion = cfg.settings.bridge.permissions or { } != { };
-        message = ''
-          The option `services.mautrix-discord.settings.bridge.permissions` has to be set.
-        '';
+          cfg.settings.homeserver.address or "" != "" && cfg.settings.homeserver.domain or "" != "";
+        message = "services.mautrix-discord.settings.homeserver.{address,domain} must be set.";
       }
     ];
 
     users.users.mautrix-discord = {
       isSystemUser = true;
       group = "mautrix-discord";
-      extraGroups = [ "mautrix-discord-registration" ];
       home = dataDir;
       description = "Mautrix-Discord bridge user";
     };
 
     users.groups.mautrix-discord = { };
-    users.groups.mautrix-discord-registration = {
-      members = lib.lists.optional config.services.matrix-synapse.enable "matrix-synapse";
-    };
 
     services.matrix-synapse = lib.mkIf cfg.registerToSynapse {
       settings.app_service_config_files = [ registrationFile ];
@@ -392,7 +152,9 @@ in
 
     systemd.services = {
       matrix-synapse = lib.mkIf cfg.registerToSynapse {
-        serviceConfig.SupplementaryGroups = [ "mautrix-discord-registration" ];
+        serviceConfig.SupplementaryGroups = [
+          "mautrix-discord"
+        ];
         # Make synapse depend on the registration service when auto-registering
         wants = [ "mautrix-discord-registration.service" ];
         after = [ "mautrix-discord-registration.service" ];
@@ -471,15 +233,18 @@ in
             '${settingsFile}' '${registrationFile}' > '${registrationFile}.tmp'
           mv '${registrationFile}.tmp' '${registrationFile}'
 
+          # Application services should not be rate limited by default.
+          yq -Y '.rate_limited = false' '${registrationFile}' > '${registrationFile}.tmp'
+          mv '${registrationFile}.tmp' '${registrationFile}'
+
           umask $old_umask
-          chown :mautrix-discord-registration '${registrationFile}'
           chmod 640 '${registrationFile}'
         '';
 
         serviceConfig = {
           Type = "oneshot";
           RemainAfterExit = true;
-          UMask = 27;
+          UMask = "027";
 
           User = "mautrix-discord";
           Group = "mautrix-discord";
@@ -501,8 +266,8 @@ in
         description = "Mautrix-Discord, a Matrix-Discord puppeting/relaybot bridge";
 
         wantedBy = [ "multi-user.target" ];
-        wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
-        after = [ "network-online.target" ] ++ cfg.serviceDependencies;
+        wants = [ "network-online.target" ] ++ serviceDependencies;
+        after = [ "network-online.target" ] ++ serviceDependencies;
         path = [
           pkgs.lottieconverter
           pkgs.ffmpeg-headless
@@ -536,6 +301,8 @@ in
           ProtectHostname = true;
           ProtectClock = true;
 
+          UMask = "027";
+
           SystemCallArchitectures = "native";
           SystemCallErrorNumber = "EPERM";
           SystemCallFilter = "@system-service";
@@ -546,10 +313,12 @@ in
       };
     };
 
-    meta = {
-      maintainers = with lib.maintainers; [
-        mistyttm
-      ];
-    };
+  };
+
+  meta = {
+    maintainers = with lib.maintainers; [
+      mistyttm
+    ];
+    doc = ./mautrix-discord.md;
   };
 }

nixos/tests/all-tests.nix

@@ -153,7 +153,6 @@ in
     console-log = runTest ./nixos-test-driver/console-log.nix;
     containers = runTest ./nixos-test-driver/containers.nix;
     skip-typecheck = runTest ./nixos-test-driver/skip-typecheck.nix;
-    console-timeout = runTest ./nixos-test-driver/console-timeout.nix;
     options-doc-regression = import ./nixos-test-driver/options-doc-regression.nix { inherit pkgs; };
     driver-timeout =
       pkgs.runCommand "ensure-timeout-induced-failure"
@@ -168,7 +167,6 @@ in
           [[ 143 = $(cat $failed/testBuildFailure.exit) ]]
           touch $out
         '';
-    efivars = runTestOn [ "x86_64-linux" ] ./nixos-test-driver/efivars.nix;
   };
 
   # NixOS vm tests and non-vm unit tests

nixos/tests/matrix/mautrix-discord.nix

@@ -1,4 +1,4 @@
-{ pkgs, lib, ... }:
+{ pkgs, ... }:
 let
   homeserverUrl = "http://homeserver:8008";
 in
@@ -53,6 +53,7 @@ in
 
             appservice = {
               address = "http://homeserver:8009";
+              hostname = "0.0.0.0";
               port = 8009;
               id = "discord";
               bot = {
@@ -60,8 +61,6 @@ in
                 displayname = "Discord bridge bot";
                 avatar = "mxc://maunium.net/nIdEykemnwdisvHbpxflpDlC";
               };
-              # Don't override as_token/hs_token - let them use the default placeholder
-              # which will trigger automatic generation
 
               database = {
                 type = "sqlite3";
@@ -75,6 +74,17 @@ in
                 "*" = "relay";
               };
             };
+
+            logging = {
+              min_level = "info";
+              writers = [
+                {
+                  type = "stdout";
+                  format = "pretty-colored";
+                  time_format = " ";
+                }
+              ];
+            };
           };
         };
 
@@ -157,6 +167,57 @@ in
     with subtest("verify registration file was created"):
         homeserver.wait_until_succeeds("test -f /var/lib/mautrix-discord/discord-registration.yaml")
 
+        # Verify the module wrote the expected bridge configuration.
+        config_homeserver_address = homeserver.succeed("yq -r '.homeserver.address' /var/lib/mautrix-discord/config.yaml").strip()
+        config_homeserver_domain = homeserver.succeed("yq -r '.homeserver.domain' /var/lib/mautrix-discord/config.yaml").strip()
+        config_appservice_address = homeserver.succeed("yq -r '.appservice.address' /var/lib/mautrix-discord/config.yaml").strip()
+        config_appservice_hostname = homeserver.succeed("yq -r '.appservice.hostname' /var/lib/mautrix-discord/config.yaml").strip()
+        config_appservice_port = homeserver.succeed("yq -r '.appservice.port' /var/lib/mautrix-discord/config.yaml").strip()
+        config_appservice_id = homeserver.succeed("yq -r '.appservice.id' /var/lib/mautrix-discord/config.yaml").strip()
+        config_bot_username = homeserver.succeed("yq -r '.appservice.bot.username' /var/lib/mautrix-discord/config.yaml").strip()
+        config_bot_displayname = homeserver.succeed("yq -r '.appservice.bot.displayname' /var/lib/mautrix-discord/config.yaml").strip()
+        config_bot_avatar = homeserver.succeed("yq -r '.appservice.bot.avatar' /var/lib/mautrix-discord/config.yaml").strip()
+        config_database_type = homeserver.succeed("yq -r '.appservice.database.type' /var/lib/mautrix-discord/config.yaml").strip()
+        config_database_uri = homeserver.succeed("yq -r '.appservice.database.uri' /var/lib/mautrix-discord/config.yaml").strip()
+        config_permission = homeserver.succeed("yq -r '.bridge.permissions[\"*\"]' /var/lib/mautrix-discord/config.yaml").strip()
+        config_logging_min_level = homeserver.succeed("yq -r '.logging.min_level' /var/lib/mautrix-discord/config.yaml").strip()
+        config_logging_writer_type = homeserver.succeed("yq -r '.logging.writers[0].type' /var/lib/mautrix-discord/config.yaml").strip()
+        config_logging_writer_format = homeserver.succeed("yq -r '.logging.writers[0].format' /var/lib/mautrix-discord/config.yaml").strip()
+        reg_rate_limited = homeserver.succeed("yq -r '.rate_limited' /var/lib/mautrix-discord/discord-registration.yaml").strip()
+
+        assert config_homeserver_address == "http://homeserver:8008", \
+          f"Unexpected homeserver address: {config_homeserver_address}"
+        assert config_homeserver_domain == "homeserver", \
+          f"Unexpected homeserver domain: {config_homeserver_domain}"
+        assert config_appservice_address == "http://homeserver:8009", \
+          f"Unexpected appservice address: {config_appservice_address}"
+        assert config_appservice_hostname == "0.0.0.0", \
+          f"Unexpected appservice hostname: {config_appservice_hostname}"
+        assert config_appservice_port == "8009", \
+          f"Unexpected appservice port: {config_appservice_port}"
+        assert config_appservice_id == "discord", \
+          f"Unexpected appservice id: {config_appservice_id}"
+        assert config_bot_username == "discordbot", \
+          f"Unexpected bot username: {config_bot_username}"
+        assert config_bot_displayname == "Discord bridge bot", \
+          f"Unexpected bot displayname: {config_bot_displayname}"
+        assert config_bot_avatar == "mxc://maunium.net/nIdEykemnwdisvHbpxflpDlC", \
+          f"Unexpected bot avatar: {config_bot_avatar}"
+        assert config_database_type == "sqlite3-fk-wal", \
+          f"Unexpected database type: {config_database_type}"
+        assert config_database_uri == "file:/var/lib/mautrix-discord/mautrix-discord.db?_txlock=immediate", \
+          f"Unexpected database uri: {config_database_uri}"
+        assert config_permission == "relay", \
+          f"Unexpected default permission mapping: {config_permission}"
+        assert config_logging_min_level == "info", \
+          f"Unexpected logging min_level: {config_logging_min_level}"
+        assert config_logging_writer_type == "stdout", \
+          f"Unexpected logging writer type: {config_logging_writer_type}"
+        assert config_logging_writer_format == "pretty-colored", \
+          f"Unexpected logging writer format: {config_logging_writer_format}"
+        assert reg_rate_limited == "false", \
+          f"Registration file should disable rate limiting by default, got: {reg_rate_limited}"
+
         # Verify tokens were generated and are not default values
         config_as_token = homeserver.succeed("yq -r '.appservice.as_token' /var/lib/mautrix-discord/config.yaml").strip()
         config_hs_token = homeserver.succeed("yq -r '.appservice.hs_token' /var/lib/mautrix-discord/config.yaml").strip()

nixos/tests/nixos-test-driver/console-timeout.nix

@@ -1,26 +0,0 @@
-{ pkgs, lib, ... }:
-{
-  name = "console-timeout";
-
-  nodes.machine = {
-    systemd.services.generate-output.script = ''
-      echo "match that"
-      sleep 1
-
-      for i in $(seq 15); do
-        echo "line $i"
-      done
-
-      echo "match this"
-    '';
-  };
-
-  testScript = ''
-    machine.start()
-    machine.wait_for_unit("multi-user.target")
-
-    machine.systemctl("start generate-output")
-    machine.wait_for_console_text("match that")
-    machine.wait_for_console_text("match this", timeout=10)
-  '';
-}

nixos/tests/nixos-test-driver/efivars.nix

@@ -1,110 +0,0 @@
-{ pkgs, lib, ... }:
-let
-  vendorUuid = "a19f72f8-b554-4bd7-a0c2-2762bd854691";
-  varName = "Demo";
-  readWriteVar = pkgs.writers.writePython3 "read-increment-efi-var" { } ''
-    import os
-    import sys
-    import fcntl
-    import array
-
-    if len(sys.argv) != 3:
-        print(f"Usage: {sys.argv[0]} NAME UUID", file=sys.stderr)
-        sys.exit(1)
-
-    name = sys.argv[1]
-    uuid = sys.argv[2]
-    path = f"/sys/firmware/efi/efivars/{name}-{uuid}"
-
-    FS_IMMUTABLE_FL = 0x00000010
-    FS_IOC_GETFLAGS = 0x80086601
-    FS_IOC_SETFLAGS = 0x40086602
-
-    if not os.path.exists(path):
-        print(f"{path}: does not exist", file=sys.stderr)
-        sys.exit(1)
-
-    with open(path, "rb") as f:
-        data = f.read()
-
-    # The first 4 bytes are attributes, the rest is the data
-    if data[4:] != b"\x2a":
-        print(f"0x2a value expected, got {data[4:]!r}", file=sys.stderr)
-        sys.exit(1)
-
-    fd = os.open(path, os.O_RDONLY)
-    arg = array.array("L", [0])
-    fcntl.ioctl(fd, FS_IOC_GETFLAGS, arg)
-    if arg[0] & FS_IMMUTABLE_FL:
-        arg[0] &= ~FS_IMMUTABLE_FL
-        fcntl.ioctl(fd, FS_IOC_SETFLAGS, arg)
-    os.close(fd)
-
-    with open(path, "wb") as f:
-        # Write 0x2b
-        data = bytes(list(data[:4]) + [0x2b])
-        f.write(data)
-  '';
-in
-{
-  name = "efivars";
-
-  nodes.machine = {
-    boot.loader.efi.canTouchEfiVariables = true;
-    virtualisation.useEFIBoot = true;
-  };
-
-  testScript = ''
-    import uuid
-    import unittest
-
-    from test_driver.efi import EfiVariable
-    from test_driver.errors import RequestedAssertionFailed
-
-
-    class TestConcurrentRead(unittest.TestCase):
-        def __init__(self, machine):
-            super().__init__()
-            self.machine = machine
-
-        def test_concurrent_read(self):
-            with self.assertRaises(RequestedAssertionFailed):
-                self.machine.read_efi_vars()
-
-
-    vendor_uuid = uuid.UUID('${vendorUuid}')
-    machine.create_efi_vars()
-    machine.write_efi_vars([
-        EfiVariable(
-            vendor_uuid=vendor_uuid,
-            name="${varName}",
-            data=bytes([0x2a]),
-            flags=EfiVariable.Flags.NON_VOLATILE | EfiVariable.Flags.BOOTSERVICE_ACCESS | EfiVariable.Flags.RUNTIME_ACCESS,
-        )
-    ])
-
-    machine.start()
-    machine.wait_for_unit("multi-user.target")
-
-    print(machine.succeed('${readWriteVar} "${varName}" "${vendorUuid}"'))
-
-    TestConcurrentRead(machine).test_concurrent_read()
-    machine.crash()
-
-    machine.dump_efi_vars()
-    vars = machine.read_efi_vars()
-
-    guid = uuid.UUID(bytes=vendor_uuid.bytes_le)
-    predicate = lambda v: v.name == "${varName}" and v.vendorUUID == guid
-    var = next((v for v in vars if predicate(v)), None)
-
-    if var:
-        var.print()
-        if var.data == bytes([0x2b]):
-            print("Congrats!")
-        else:
-            raise ValueError("Value 0x2b expected")
-    else:
-        raise ValueError("Could not find ${varName} variable")
-  '';
-}

pkgs/applications/audio/mpg123/default.nix

@@ -21,11 +21,11 @@ assert withConplay -> !libOnly;
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "${lib.optionalString libOnly "lib"}mpg123";
-  version = "1.33.5";
+  version = "1.33.4";
 
   src = fetchurl {
     url = "mirror://sourceforge/mpg123/mpg123-${finalAttrs.version}.tar.bz2";
-    hash = "sha256-DX68jaCv88o4PIxrWmrb5ALuW7JWaFuMVJnzpzn51t0=";
+    hash = "sha256-OujJ/4Cpe/wOIuifvNdGh+yk/B2zFbEmB/J/ActaR9k=";
   };
 
   outputs = [

pkgs/applications/editors/vim/common.nix

@@ -4,7 +4,7 @@
   stdenv,
 }:
 rec {
-  version = "9.2.0541";
+  version = "9.2.0389";
 
   outputs = [
     "out"
@@ -15,7 +15,7 @@ rec {
     owner = "vim";
     repo = "vim";
     rev = "v${version}";
-    hash = "sha256-M2vdIAM3P2MZdcMvFX/3/fixliTosR06nvPIX7NXFNo=";
+    hash = "sha256-shhdJn1bPJ/68a54UZMn1fla7P4tjVUN4DGLbx3ohOg=";
   };
 
   enableParallelBuilding = true;

pkgs/applications/science/math/R/default.nix

@@ -45,7 +45,7 @@ assert (!blas.isILP64) && (!lapack.isILP64);
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "R";
-  version = "4.5.3";
+  version = "4.6.0";
 
   src =
     let
@@ -53,7 +53,7 @@ stdenv.mkDerivation (finalAttrs: {
     in
     fetchurl {
       url = "https://cran.r-project.org/src/base/R-${lib.versions.major version}/${pname}-${version}.tar.gz";
-      hash = "sha256-qlwe1Ck8cnGsUT1lRnA1asDopq1eQr4BQ2XREVC1uPI=";
+      hash = "sha256-uNybRUNmDHtZa4eTjfUyOUNQNgl2Un00QijuDtEuRew=";
     };
 
   outputs = [

pkgs/build-support/bintools-wrapper/setup-hook.sh

@@ -60,8 +60,7 @@ do
     if
         PATH=$_PATH type -p "@targetPrefix@${cmd}" > /dev/null
     then
-        upper_case="$(echo "$cmd" | tr "a-z" "A-Z")"
-        export "${upper_case}${role_post}=@targetPrefix@${cmd}";
+        export "${cmd^^}${role_post}=@targetPrefix@${cmd}";
     fi
 done
 

pkgs/build-support/build-mozilla-mach/default.nix

@@ -58,7 +58,6 @@ in
   pkg-config,
   pkgsCross, # wasm32 rlbox
   python3,
-  python313,
   runCommand,
   rustc,
   rust-cbindgen,
@@ -365,7 +364,7 @@ buildStdenv.mkDerivation {
     makeBinaryWrapper
     nodejs
     perl
-    (if lib.versionAtLeast version "143.0" then python3 else python313)
+    python3
     rust-cbindgen
     rustPlatform.bindgenHook
     rustc

pkgs/build-support/cc-wrapper/add-clang-cc-cflags-before.sh

@@ -36,6 +36,6 @@ elif [[ $0 != *cpp ]]; then
     fi
 fi
 
-if [[ "@darwinMinVersion@" ]] && [ "@isFlang@" != 1 ]; then
+if [[ "@darwinMinVersion@" ]]; then
     extraBefore+=(-Werror=unguarded-availability)
 fi

pkgs/build-support/cc-wrapper/add-flags.sh

@@ -11,8 +11,6 @@ var_templates_list=(
     NIX_CXXSTDLIB_COMPILE
     NIX_CXXSTDLIB_LINK
     NIX_GNATFLAGS_COMPILE
-    NIX_FFLAGS_COMPILE
-    NIX_FFLAGS_COMPILE_BEFORE
 )
 var_templates_bool=(
     NIX_ENFORCE_NO_NATIVE

pkgs/build-support/cc-wrapper/cc-wrapper.sh

@@ -44,7 +44,7 @@ while (( "$n" < "$nParams" )); do
 
     case "$p" in
         -[cSEM] | -MM) dontLink=1 ;;
-        -cc1 | -fc1 ) cc1=1 ;;
+        -cc1) cc1=1 ;;
         -nostdinc) cInclude=0 cxxInclude=0 ;;
         -nostdinc++) cxxInclude=0 ;;
         -nostdlib) cxxLibrary=0 ;;
@@ -185,19 +185,9 @@ fi
 
 source @out@/nix-support/add-hardening.sh
 
-# Add the flags for the compiler proper. Flang reads its user-supplied
-# flags from the Fortran-specific NIX_FFLAGS_COMPILE channel so that
-# C-only flags injected by setup hooks (e.g. -frandom-seed= from
-# reproducible-builds.sh, which Flang does not accept) never reach the
-# Fortran driver. This mirrors the NIX_GNATFLAGS_COMPILE channel that
-# the Ada/GNAT wrapper uses for the same reason.
-if [ "@isFlang@" = 1 ]; then
-    extraAfter=(${hardeningCFlagsAfter[@]+"${hardeningCFlagsAfter[@]}"} $NIX_FFLAGS_COMPILE_@suffixSalt@)
-    extraBefore=(${hardeningCFlagsBefore[@]+"${hardeningCFlagsBefore[@]}"} $NIX_FFLAGS_COMPILE_BEFORE_@suffixSalt@)
-else
-    extraAfter=(${hardeningCFlagsAfter[@]+"${hardeningCFlagsAfter[@]}"} $NIX_CFLAGS_COMPILE_@suffixSalt@)
-    extraBefore=(${hardeningCFlagsBefore[@]+"${hardeningCFlagsBefore[@]}"} $NIX_CFLAGS_COMPILE_BEFORE_@suffixSalt@)
-fi
+# Add the flags for the C compiler proper.
+extraAfter=(${hardeningCFlagsAfter[@]+"${hardeningCFlagsAfter[@]}"} $NIX_CFLAGS_COMPILE_@suffixSalt@)
+extraBefore=(${hardeningCFlagsBefore[@]+"${hardeningCFlagsBefore[@]}"} $NIX_CFLAGS_COMPILE_BEFORE_@suffixSalt@)
 
 if [ "$dontLink" != 1 ]; then
     linkType=$(checkLinkType $NIX_LDFLAGS_BEFORE_@suffixSalt@ "${params[@]}" ${NIX_CFLAGS_LINK_@suffixSalt@:-} $NIX_LDFLAGS_@suffixSalt@)

pkgs/build-support/cc-wrapper/default.nix

@@ -26,8 +26,6 @@
   nixSupport ? { },
   isGNU ? false,
   isClang ? cc.isClang or false,
-  isFlang ? cc.isFlang or false,
-  isAlireGNAT ? false,
   isZig ? cc.isZig or false,
   isArocc ? cc.isArocc or false,
   isCcache ? cc.isCcache or false,
@@ -389,9 +387,7 @@ let
   #
   # TODO: Drop `mangle-NIX_STORE-in-__FILE__.patch` from GCC and make
   # this unconditional once the upstream bug is fixed.
-  useMacroPrefixMap = !isGNU && !isFlang;
-  systemIncludeFlag = if isFlang || isArocc then "-I" else "-idirafter";
-  fortifyIncludeFlag = if isFlang then "-I" else "-isystem";
+  useMacroPrefixMap = !isGNU;
 in
 
 assert includeFortifyHeaders' -> fortify-headers != null;
@@ -578,18 +574,10 @@ stdenvNoCC.mkDerivation {
   ''
 
   + optionalString cc.langFortran or false ''
-    if [ -e $ccPath/${targetPrefix}gfortran ]; then
-      wrap ${targetPrefix}gfortran $wrapper $ccPath/${targetPrefix}gfortran
-      ln -sv ${targetPrefix}gfortran $out/bin/${targetPrefix}g77
-      ln -sv ${targetPrefix}gfortran $out/bin/${targetPrefix}f77
-      export named_fc=${targetPrefix}gfortran
-    elif [ -e $ccPath/${targetPrefix}flang ]; then
-      wrap ${targetPrefix}flang $wrapper $ccPath/${targetPrefix}flang
-      export named_fc=${targetPrefix}flang
-    elif [ -e $ccPath/flang ]; then
-      wrap ${targetPrefix}flang $wrapper $ccPath/flang
-      export named_fc=${targetPrefix}flang
-    fi
+    wrap ${targetPrefix}gfortran $wrapper $ccPath/${targetPrefix}gfortran
+    ln -sv ${targetPrefix}gfortran $out/bin/${targetPrefix}g77
+    ln -sv ${targetPrefix}gfortran $out/bin/${targetPrefix}f77
+    export named_fc=${targetPrefix}gfortran
   ''
 
   + optionalString cc.langGo or false ''
@@ -721,11 +709,13 @@ stdenvNoCC.mkDerivation {
         touch "$out/nix-support/libc-cflags"
         touch "$out/nix-support/libc-ldflags"
       ''
-      + optionalString (!isArocc && !(isAlireGNAT && targetPlatform.isDarwin)) ''
+      + optionalString (!isArocc) ''
         echo "-B${libc_lib}${libc.libdir or "/lib/"}" >> $out/nix-support/libc-crt1-cflags
       ''
       + ''
-        include "${systemIncludeFlag}" "${libc_dev}${libc.incdir or "/include"}" >> $out/nix-support/libc-cflags
+        include "-${
+          if isArocc then "I" else "idirafter"
+        }" "${libc_dev}${libc.incdir or "/include"}" >> $out/nix-support/libc-cflags
       ''
       + optionalString isGNU ''
         for dir in "${cc}"/lib/gcc/*/*/include-fixed; do
@@ -733,9 +723,9 @@ stdenvNoCC.mkDerivation {
         done
       ''
       + optionalString (libc.w32api or null != null) ''
-        include "${systemIncludeFlag}" "${lib.getDev libc.w32api}${
+        echo '-idirafter ${lib.getDev libc.w32api}${
           libc.incdir or "/include/w32api"
-        }" >> $out/nix-support/libc-cflags
+        }' >> $out/nix-support/libc-cflags
       ''
       + ''
 
@@ -750,7 +740,7 @@ stdenvNoCC.mkDerivation {
       # like option that forces the libc headers before all -idirafter,
       # hence -isystem here.
       + optionalString includeFortifyHeaders' ''
-        include "${fortifyIncludeFlag}" "${fortify-headers}/include" >> $out/nix-support/libc-cflags
+        include -isystem "${fortify-headers}/include" >> $out/nix-support/libc-cflags
       ''
     )
 
@@ -771,7 +761,7 @@ stdenvNoCC.mkDerivation {
     # already knows how to find its own libstdc++, and adding
     # additional -isystem flags will confuse gfortran (see
     # https://github.com/NixOS/nixpkgs/pull/209870#issuecomment-1500550903)
-    + optionalString (libcxx == null && isClang && useGccForLibs && (cc.langCC or false)) ''
+    + optionalString (libcxx == null && isClang && (useGccForLibs && gccForLibs.langCC or false)) ''
       for dir in ${gccForLibs}/include/c++/*; do
         include -cxx-isystem "$dir" >> $out/nix-support/libcxx-cxxflags
       done
@@ -796,9 +786,7 @@ stdenvNoCC.mkDerivation {
     # ${cc_solib}/lib64 (even though it does actually search there...)..
     # This confuses libtool.  So add it to the compiler tool search
     # path explicitly.
-    # Injecting CFlags and LDFlags causes duplicate rpath at linking
-    # stage for Alire GNAT. Skip adding flags here.
-    + optionalString (!nativeTools && !isArocc && !isAlireGNAT) ''
+    + optionalString (!nativeTools && !isArocc) ''
       ccLDFlags=()
       ccCFlags=()
       if [ -e "${cc_solib}/lib64" -a ! -L "${cc_solib}/lib64" ]; then
@@ -813,6 +801,7 @@ stdenvNoCC.mkDerivation {
       touch "$out/nix-support/gnat-cflags"
       touch "$out/nix-support/gnat-ldflags"
       basePath=$(echo $cc/lib/*/*/*)
+      ccCFlags+=("-B$basePath" "-I$basePath/adainclude")
       gnatCFlags="-I$basePath/adainclude -I$basePath/adalib"
 
       echo "$gnatCFlags" >> $out/nix-support/gnat-cflags
@@ -839,7 +828,6 @@ stdenvNoCC.mkDerivation {
       optionalString
         (
           (cc.isClang or false)
-          && !isFlang
           && !(cc.isROCm or false)
           && !targetPlatform.isDarwin
           && !targetPlatform.isAndroid
@@ -874,8 +862,7 @@ stdenvNoCC.mkDerivation {
       let
         enable_fp = !targetPlatform.isx86_32 && !targetPlatform.isS390;
         enable_leaf_fp =
-          !isFlang
-          && enable_fp
+          enable_fp
           && (
             targetPlatform.isx86_64
             || targetPlatform.isAarch64
@@ -941,7 +928,7 @@ stdenvNoCC.mkDerivation {
     # well with multi line flags, so make the flags single line again
     + ''
       for flags in "$out/nix-support"/*flags*; do
-        substituteInPlace "$flags" --replace-quiet $'\n' ' '
+        substituteInPlace "$flags" --replace $'\n' ' '
       done
 
       substituteAll ${./add-flags.sh} $out/nix-support/add-flags.sh
@@ -987,7 +974,6 @@ stdenvNoCC.mkDerivation {
 
   env = {
     inherit isClang;
-    inherit isFlang;
 
     # for substitution in utils.bash
     # TODO(@sternenseemann): invent something cleaner than passing in "" in case of absence

pkgs/build-support/rust/fetch-cargo-vendor-util-v2.py

@@ -0,0 +1,416 @@
+import functools
+import hashlib
+import json
+import multiprocessing as mp
+import re
+import shutil
+import subprocess
+import sys
+import tomllib
+from os.path import islink, realpath
+from pathlib import Path
+from typing import Any, TypedDict, cast
+from urllib.parse import unquote
+
+import requests
+import tomli_w
+from requests.adapters import HTTPAdapter, Retry
+
+eprint = functools.partial(print, file=sys.stderr)
+
+
+def load_toml(path: Path) -> dict[str, Any]:
+    with open(path, "rb") as f:
+        return tomllib.load(f)
+
+
+def get_lockfile_version(cargo_lock_toml: dict[str, Any]) -> int:
+    # lockfile v1 and v2 don't have the `version` key, so assume v2
+    version = cargo_lock_toml.get("version", 2)
+
+    # TODO: add logic for differentiating between v1 and v2
+
+    return version
+
+
+def create_http_session() -> requests.Session:
+    retries = Retry(
+        total=5,
+        backoff_factor=0.5,
+        status_forcelist=[500, 502, 503, 504]
+    )
+    session = requests.Session()
+    session.headers["User-Agent"] = "nixpkgs-fetchCargoVendor/2 (https://github.com/NixOS/nixpkgs)"
+    session.mount('http://', HTTPAdapter(max_retries=retries))
+    session.mount('https://', HTTPAdapter(max_retries=retries))
+    return session
+
+
+def download_file_with_checksum(session: requests.Session, url: str, destination_path: Path) -> str:
+    sha256_hash = hashlib.sha256()
+    with session.get(url, stream=True) as response:
+        if not response.ok:
+            raise Exception(f"Failed to fetch file from {url}. Status code: {response.status_code}")
+        with open(destination_path, "wb") as file:
+            for chunk in response.iter_content(1024):  # Download in chunks
+                if chunk:  # Filter out keep-alive chunks
+                    file.write(chunk)
+                    sha256_hash.update(chunk)
+
+    # Compute the final checksum
+    checksum = sha256_hash.hexdigest()
+    return checksum
+
+
+def get_download_url_for_tarball(pkg: dict[str, Any]) -> str:
+    # TODO: support other registries
+    #       maybe fetch config.json from the registry root and get the dl key
+    #       See: https://doc.rust-lang.org/cargo/reference/registry-index.html#index-configuration
+    if pkg["source"] != "registry+https://github.com/rust-lang/crates.io-index":
+        raise Exception("Only the default crates.io registry is supported.")
+
+    # Use static.crates.io (CDN) instead of crates.io/api to avoid the 1 req/sec
+    # rate limit on the API servers.
+    return f"https://static.crates.io/crates/{pkg["name"]}/{pkg["version"]}/download"
+
+
+def download_tarball(session: requests.Session, pkg: dict[str, Any], out_dir: Path) -> None:
+
+    url = get_download_url_for_tarball(pkg)
+    filename = f"{pkg["name"]}-{pkg["version"]}.tar.gz"
+
+    # TODO: allow legacy checksum specification, see importCargoLock for example
+    #       also, don't forget about the other usage of the checksum
+    expected_checksum = pkg["checksum"]
+
+    tarball_out_dir = out_dir / "tarballs" / filename
+    eprint(f"Fetching {url} -> tarballs/{filename}")
+
+    calculated_checksum = download_file_with_checksum(session, url, tarball_out_dir)
+
+    if calculated_checksum != expected_checksum:
+        raise Exception(f"Hash mismatch! File fetched from {url} had checksum {calculated_checksum}, expected {expected_checksum}.")
+
+
+def download_git_tree(url: str, git_sha_rev: str, out_dir: Path) -> None:
+
+    tree_out_dir = out_dir / "git" / git_sha_rev
+    eprint(f"Fetching {url}#{git_sha_rev} -> git/{git_sha_rev}")
+
+    cmd = ["nix-prefetch-git", "--builder", "--quiet", "--fetch-submodules", "--url", url, "--rev", git_sha_rev, "--out", str(tree_out_dir)]
+    subprocess.check_output(cmd)
+
+
+GIT_SOURCE_REGEX = re.compile("git\\+(?P<url>[^?]+)(\\?(?P<type>rev|tag|branch)=(?P<value>.*))?#(?P<git_sha_rev>.*)")
+
+
+class GitSourceInfo(TypedDict):
+    url: str
+    type: str | None
+    value: str | None
+    git_sha_rev: str
+
+
+def parse_git_source(source: str, lockfile_version: int) -> GitSourceInfo:
+    match = GIT_SOURCE_REGEX.match(source)
+    if match is None:
+        raise Exception(f"Unable to process git source: {source}.")
+
+    source_info = cast(GitSourceInfo, match.groupdict(default=None))
+
+    # the source URL is URL-encoded in lockfile_version >=4
+    # since we just used regex to parse it we have to manually decode the escaped branch/tag name
+    if lockfile_version >= 4 and source_info["value"] is not None:
+        source_info["value"] = unquote(source_info["value"])
+
+    return source_info
+
+
+def create_vendor_staging(lockfile_path: Path, out_dir: Path) -> None:
+    cargo_lock_toml = load_toml(lockfile_path)
+    lockfile_version = get_lockfile_version(cargo_lock_toml)
+
+    git_packages: list[dict[str, Any]] = []
+    registry_packages: list[dict[str, Any]] = []
+
+    for pkg in cargo_lock_toml["package"]:
+        # ignore local dependenices
+        if "source" not in pkg.keys():
+            eprint(f"Skipping local dependency: {pkg["name"]}")
+            continue
+        source = pkg["source"]
+
+        if source.startswith("git+"):
+            git_packages.append(pkg)
+        elif source.startswith("registry+"):
+            registry_packages.append(pkg)
+        else:
+            raise Exception(f"Can't process source: {source}.")
+
+    git_sha_rev_to_url: dict[str, str] = {}
+    for pkg in git_packages:
+        source_info = parse_git_source(pkg["source"], lockfile_version)
+        git_sha_rev_to_url[source_info["git_sha_rev"]] = source_info["url"]
+
+    out_dir.mkdir(exist_ok=True)
+    shutil.copy(lockfile_path, out_dir / "Cargo.lock")
+
+    # fetch git trees sequentially, since fetching concurrently leads to flaky behaviour
+    if len(git_packages) != 0:
+        (out_dir / "git").mkdir()
+        for git_sha_rev, url in git_sha_rev_to_url.items():
+            download_git_tree(url, git_sha_rev, out_dir)
+
+    # run tarball download jobs in parallel, with at most 5 concurrent download jobs
+    with mp.Pool(min(5, mp.cpu_count())) as pool:
+        if len(registry_packages) != 0:
+            (out_dir / "tarballs").mkdir()
+            session = create_http_session()
+            tarball_args_gen = ((session, pkg, out_dir) for pkg in registry_packages)
+            pool.starmap(download_tarball, tarball_args_gen)
+
+
+def get_manifest_metadata(manifest_path: Path) -> dict[str, Any]:
+    cmd = ["cargo", "metadata", "--format-version", "1", "--no-deps", "--manifest-path", str(manifest_path)]
+    output = subprocess.check_output(cmd)
+    return json.loads(output)
+
+
+def try_get_crate_manifest_path_from_manifest_path(manifest_path: Path, crate_name: str) -> Path | None:
+    try:
+        metadata = get_manifest_metadata(manifest_path)
+    except subprocess.CalledProcessError:
+        eprint(f"Warning: cargo metadata failed for {manifest_path}, skipping")
+        return None
+
+    for pkg in metadata["packages"]:
+        if pkg["name"] == crate_name:
+            return Path(pkg["manifest_path"])
+
+    return None
+
+
+def find_crate_manifest_in_tree(tree: Path, crate_name: str) -> Path:
+    # Scan all Cargo.toml files; sort by depth/path to make ordering deterministic
+    # and prefer less-nested manifests first.
+    manifest_paths = sorted(
+        tree.glob("**/Cargo.toml"),
+        key=lambda path: (len(path.parts), str(path)),
+    )
+
+    for manifest_path in manifest_paths:
+        res = try_get_crate_manifest_path_from_manifest_path(manifest_path, crate_name)
+        if res is not None:
+            return res
+
+    raise Exception(f"Couldn't find manifest for crate {crate_name} inside {tree}.")
+
+
+def copy_and_patch_git_crate_subtree(git_tree: Path, crate_name: str, crate_out_dir: Path) -> None:
+
+    # This function will get called by copytree to decide which entries of a directory should be copied
+    # We'll copy everything except symlinks that are invalid
+    def ignore_func(dir_str: str, path_strs: list[str]) -> list[str]:
+        ignorelist: list[str] = []
+
+        dir = Path(realpath(dir_str, strict=True))
+
+        for path_str in path_strs:
+            path = dir / path_str
+            if not islink(path):
+                continue
+
+            # Filter out cyclic symlinks and symlinks pointing at nonexistant files
+            try:
+                target_path = Path(realpath(path, strict=True))
+            except OSError:
+                ignorelist.append(path_str)
+                eprint(f"Failed to resolve symlink, ignoring: {path}")
+                continue
+
+            # Filter out symlinks that point outside of the current crate's base git tree
+            # This can be useful if the nix build sandbox is turned off and there is a symlink to a common absolute path
+            if not target_path.is_relative_to(git_tree):
+                ignorelist.append(path_str)
+                eprint(f"Symlink points outside of the crate's base git tree, ignoring: {path} -> {target_path}")
+                continue
+
+        return ignorelist
+
+    crate_manifest_path = find_crate_manifest_in_tree(git_tree, crate_name)
+    crate_tree = crate_manifest_path.parent
+
+    eprint(f"Copying to {crate_out_dir}")
+    shutil.copytree(crate_tree, crate_out_dir, ignore=ignore_func)
+    crate_out_dir.chmod(0o755)
+
+    with open(crate_manifest_path, "r") as f:
+        manifest_data = f.read()
+
+    if "workspace" in manifest_data:
+        crate_manifest_metadata = get_manifest_metadata(crate_manifest_path)
+        workspace_root = Path(crate_manifest_metadata["workspace_root"])
+
+        root_manifest_path = workspace_root / "Cargo.toml"
+        manifest_path = crate_out_dir / "Cargo.toml"
+
+        manifest_path.chmod(0o644)
+        eprint(f"Patching {manifest_path}")
+
+        cmd = ["replace-workspace-values", str(manifest_path), str(root_manifest_path)]
+        subprocess.check_output(cmd)
+
+
+def extract_crate_tarball_contents(tarball_path: Path, crate_out_dir: Path) -> None:
+    eprint(f"Unpacking to {crate_out_dir}")
+    crate_out_dir.mkdir()
+    cmd = ["tar", "xf", str(tarball_path), "-C", str(crate_out_dir), "--strip-components=1"]
+    subprocess.check_output(cmd)
+
+
+def make_git_source_selector(source_info: GitSourceInfo) -> dict[str, str]:
+    selector = {}
+    selector["git"] = source_info["url"]
+    if source_info["type"] is not None:
+        selector[source_info["type"]] = source_info["value"]
+    return selector
+
+
+def make_registry_source_selector(source: str) -> dict[str, str]:
+    registry = source[9:] if source.startswith("registry+") else source
+    selector = {}
+    selector["registry"] = registry
+    return selector
+
+
+def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None:
+    lockfile_path = vendor_staging_dir / "Cargo.lock"
+    out_dir.mkdir(exist_ok=True)
+    shutil.copy(lockfile_path, out_dir / "Cargo.lock")
+
+    cargo_lock_toml = load_toml(lockfile_path)
+    lockfile_version = get_lockfile_version(cargo_lock_toml)
+
+    source_to_ind: dict[str, str] = {}
+    source_config = {}
+    next_registry_ind = 0
+    next_git_ind = 0
+
+    def add_source_replacement(
+        orig_key: str,
+        orig_selector: dict[str, str],
+        vendored_key: str,
+        vendored_dir: str
+    ) -> None:
+        source_config[vendored_key] = {}
+        source_config[vendored_key]["directory"] = vendored_dir
+        source_config[orig_key] = orig_selector
+        source_config[orig_key]["replace-with"] = vendored_key
+
+    # we reserve registry index 0 for crates-io
+    source_to_ind["registry+https://github.com/rust-lang/crates.io-index"] = "registry-0"
+    source_to_ind["sparse+https://index.crates.io/"] = "registry-0"
+    add_source_replacement(
+        orig_key="crates-io",
+        orig_selector={},  # there is an internal selector defined for the `crates-io` source
+        vendored_key="vendored-source-registry-0",
+        vendored_dir="@vendor@/source-registry-0"
+    )
+    next_registry_ind += 1
+
+    for pkg in cargo_lock_toml["package"]:
+        # ignore local dependencies
+        if "source" not in pkg.keys():
+            continue
+        source: str = pkg["source"]
+        if source in source_to_ind:
+            continue
+
+        if source.startswith("git+"):
+            ind = f"git-{next_git_ind}"
+            next_git_ind += 1
+            source_info = parse_git_source(source, lockfile_version)
+            selector = make_git_source_selector(source_info)
+        elif source.startswith("registry+") or source.startswith("sparse+"):
+            ind = f"registry-{next_registry_ind}"
+            next_registry_ind += 1
+            selector = make_registry_source_selector(source)
+        else:
+            raise Exception(f"Can't process source: {source}.")
+
+        source_to_ind[source] = ind
+        add_source_replacement(
+            orig_key=f"original-source-{ind}",
+            orig_selector=selector,
+            vendored_key=f"vendored-source-{ind}",
+            vendored_dir=f"@vendor@/source-{ind}"
+        )
+
+    config_path = out_dir / ".cargo" / "config.toml"
+    config_path.parent.mkdir()
+
+    with open(config_path, "wb") as config_file:
+        tomli_w.dump({"source": source_config}, config_file)
+
+    for pkg in cargo_lock_toml["package"]:
+
+        # ignore local dependenices
+        if "source" not in pkg.keys():
+            continue
+
+        source: str = pkg["source"]
+        source_ind = source_to_ind[source]
+        crate_dir_name = f"{pkg["name"]}-{pkg["version"]}"
+        source_dir_name = f"source-{source_ind}"
+        crate_out_dir = out_dir / source_dir_name / crate_dir_name
+        crate_out_dir.parent.mkdir(exist_ok=True)
+
+        if source.startswith("git+"):
+
+            source_info = parse_git_source(source, lockfile_version)
+
+            git_sha_rev = source_info["git_sha_rev"]
+            git_tree = vendor_staging_dir / "git" / git_sha_rev
+
+            copy_and_patch_git_crate_subtree(git_tree, pkg["name"], crate_out_dir)
+
+            # git based crates allow having no checksum information
+            with open(crate_out_dir / ".cargo-checksum.json", "w") as f:
+                json.dump({"files": {}}, f)
+
+        elif source.startswith("registry+") or source.startswith("sparse+"):
+            filename = f"{pkg["name"]}-{pkg["version"]}.tar.gz"
+
+            # TODO: change this when non-crates-io registries are supported
+            dir_name = "tarballs"
+
+            tarball_path = vendor_staging_dir / dir_name / filename
+
+            extract_crate_tarball_contents(tarball_path, crate_out_dir)
+
+            # non-git based crates need the package checksum at minimum
+            with open(crate_out_dir / ".cargo-checksum.json", "w") as f:
+                json.dump({"files": {}, "package": pkg["checksum"]}, f)
+
+        else:
+            raise Exception(f"Can't process source: {source}.")
+
+
+def main() -> None:
+    subcommand = sys.argv[1]
+
+    subcommand_func_dict = {
+        "create-vendor-staging": lambda: create_vendor_staging(lockfile_path=Path(sys.argv[2]), out_dir=Path(sys.argv[3])),
+        "create-vendor": lambda: create_vendor(vendor_staging_dir=Path(sys.argv[2]), out_dir=Path(sys.argv[3]))
+    }
+
+    subcommand_func = subcommand_func_dict.get(subcommand)
+
+    if subcommand_func is None:
+        raise Exception(f"Unknown subcommand: '{subcommand}'. Must be one of {list(subcommand_func_dict.keys())}")
+
+    subcommand_func()
+
+
+if __name__ == "__main__":
+    main()

pkgs/build-support/rust/fetch-cargo-vendor-util.py

@@ -40,7 +40,6 @@ def create_http_session() -> requests.Session:
         status_forcelist=[500, 502, 503, 504]
     )
     session = requests.Session()
-    session.headers["User-Agent"] = "nixpkgs-fetchCargoVendor/2 (https://github.com/NixOS/nixpkgs)"
     session.mount('http://', HTTPAdapter(max_retries=retries))
     session.mount('https://', HTTPAdapter(max_retries=retries))
     return session
@@ -69,9 +68,7 @@ def get_download_url_for_tarball(pkg: dict[str, Any]) -> str:
     if pkg["source"] != "registry+https://github.com/rust-lang/crates.io-index":
         raise Exception("Only the default crates.io registry is supported.")
 
-    # Use static.crates.io (CDN) instead of crates.io/api to avoid the 1 req/sec
-    # rate limit on the API servers.
-    return f"https://static.crates.io/crates/{pkg["name"]}/{pkg["version"]}/download"
+    return f"https://crates.io/api/v1/crates/{pkg["name"]}/{pkg["version"]}/download"
 
 
 def download_tarball(session: requests.Session, pkg: dict[str, Any], out_dir: Path) -> None:
@@ -292,7 +289,6 @@ def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None:
     lockfile_version = get_lockfile_version(cargo_lock_toml)
 
     source_to_ind: dict[str, str] = {}
-    selector_to_ind: dict[tuple, str] = {}
     source_config = {}
     next_registry_ind = 0
     next_git_ind = 0
@@ -328,35 +324,24 @@ def create_vendor(vendor_staging_dir: Path, out_dir: Path) -> None:
             continue
 
         if source.startswith("git+"):
+            ind = f"git-{next_git_ind}"
+            next_git_ind += 1
             source_info = parse_git_source(source, lockfile_version)
             selector = make_git_source_selector(source_info)
-            selector_key = (source_info["url"], source_info["type"], source_info["value"])
-            if selector_key in selector_to_ind:
-                ind = selector_to_ind[selector_key]
-            else:
-                ind = f"git-{next_git_ind}"
-                next_git_ind += 1
-                selector_to_ind[selector_key] = ind
-                add_source_replacement(
-                    orig_key=f"original-source-{ind}",
-                    orig_selector=selector,
-                    vendored_key=f"vendored-source-{ind}",
-                    vendored_dir=f"@vendor@/source-{ind}"
-                )
         elif source.startswith("registry+") or source.startswith("sparse+"):
             ind = f"registry-{next_registry_ind}"
             next_registry_ind += 1
             selector = make_registry_source_selector(source)
-            add_source_replacement(
-                orig_key=f"original-source-{ind}",
-                orig_selector=selector,
-                vendored_key=f"vendored-source-{ind}",
-                vendored_dir=f"@vendor@/source-{ind}"
-            )
         else:
             raise Exception(f"Can't process source: {source}.")
 
         source_to_ind[source] = ind
+        add_source_replacement(
+            orig_key=f"original-source-{ind}",
+            orig_selector=selector,
+            vendored_key=f"vendored-source-{ind}",
+            vendored_dir=f"@vendor@/source-{ind}"
+        )
 
     config_path = out_dir / ".cargo" / "config.toml"
     config_path.parent.mkdir()

pkgs/build-support/rust/fetch-cargo-vendor.nix

@@ -3,7 +3,7 @@
   stdenvNoCC,
   runCommand,
   writers,
-  python3,
+  python3Packages,
   cargo,
   gitMinimal,
   nix-prefetch-git,
@@ -11,16 +11,6 @@
 }:
 
 let
-  python = python3.override {
-    self = python;
-    packageOverrides = final: prev: {
-      # The ast-serialize package, a dependency for mypy, depends on
-      # fetchCargoVendor and is part of the bootstrap chain for requests.
-      charset-normalizer = prev.charset-normalizer.override { withMypyc = false; };
-    };
-  };
-  python3Packages = python.pkgs;
-
   replaceWorkspaceValues = writers.writePython3Bin "replace-workspace-values" {
     libraries = with python3Packages; [
       tomli
@@ -47,18 +37,29 @@ let
     "hash"
   ];
 
-  fetchCargoVendorUtil = writers.writePython3Bin "fetch-cargo-vendor-util" {
-    libraries =
-      with python3Packages;
-      [
-        requests
-        tomli-w
-      ]
-      ++ requests.optional-dependencies.socks; # to support socks proxy envs like ALL_PROXY in requests
-    flakeIgnore = [
-      "E501"
-    ];
-  } (builtins.readFile ./fetch-cargo-vendor-util.py);
+  mkFetchCargoVendorUtil =
+    name: src:
+    writers.writePython3Bin name {
+      libraries =
+        with python3Packages;
+        [
+          requests
+          tomli-w
+        ]
+        ++ requests.optional-dependencies.socks; # to support socks proxy envs like ALL_PROXY in requests
+      flakeIgnore = [
+        "E501"
+      ];
+    } (builtins.readFile src);
+
+  # Separate util used only by the FOD `vendorStaging` stage below. Kept
+  # distinct from fetchCargoVendorUtil so that changes to the network-facing
+  # bits (User-Agent, download URL) don't invalidate the input-addressed
+  # `-vendor` stage and force a mass rebuild of every Rust package in nixpkgs.
+  # vendorStaging is an FOD, so swapping its util is free for consumers.
+  # TODO: unify with fetchCargoVendorUtil on the next `staging` cycle.
+  fetchCargoVendorUtilV2 = mkFetchCargoVendorUtil "fetch-cargo-vendor-util-v2" ./fetch-cargo-vendor-util-v2.py;
+  fetchCargoVendorUtil = mkFetchCargoVendorUtil "fetch-cargo-vendor-util" ./fetch-cargo-vendor-util.py;
 in
 
 {
@@ -78,7 +79,7 @@ let
       impureEnvVars = lib.fetchers.proxyImpureEnvVars;
 
       nativeBuildInputs = [
-        fetchCargoVendorUtil
+        fetchCargoVendorUtilV2
         cacert
         nix-prefetch-git'
       ]
@@ -91,7 +92,7 @@ let
           cd "$cargoRoot"
         fi
 
-        fetch-cargo-vendor-util create-vendor-staging ./Cargo.lock "$out"
+        fetch-cargo-vendor-util-v2 create-vendor-staging ./Cargo.lock "$out"
 
         runHook postBuild
       '';

pkgs/build-support/setup-hooks/wrap-gapps-hook/wrap-gapps-hook.sh

@@ -42,13 +42,11 @@ wrapGApp() {
     wrapProgram "$program" "${gappsWrapperArgs[@]}" "$@"
 }
 
-declare -gA wrapGAppsHookHasRunForOutput
-
 # Note: $gappsWrapperArgs still gets defined even if ${dontWrapGApps-} is set.
 wrapGAppsHook() {
-    # guard against running multiple times for the same output (e.g. due to propagation)
-    [ "${wrapGAppsHookHasRunForOutput["$output"]:-}" = 1 ] && return 0
-    wrapGAppsHookHasRunForOutput["$output"]=1
+    # guard against running multiple times (e.g. due to propagation)
+    [ -z "$wrapGAppsHookHasRun" ] || return 0
+    wrapGAppsHookHasRun=1
 
     if [[ -z "${dontWrapGApps:-}" ]]; then
         targetDirsThatExist=()

pkgs/by-name/ab/abseil-cpp_202505/package.nix

@@ -6,8 +6,6 @@
   gtest,
   static ? stdenv.hostPlatform.isStatic,
   cxxStandard ? null,
-  testers,
-  validatePkgConfig,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
@@ -32,19 +30,10 @@ stdenv.mkDerivation (finalAttrs: {
 
   strictDeps = true;
 
-  nativeBuildInputs = [
-    cmake
-    validatePkgConfig
-  ];
+  nativeBuildInputs = [ cmake ];
 
   buildInputs = [ gtest ];
 
-  passthru.tests = {
-    pkg-config = testers.hasPkgConfigModules {
-      package = finalAttrs.finalPackage;
-    };
-  };
-
   meta = {
     description = "Open-source collection of C++ code designed to augment the C++ standard library";
     homepage = "https://abseil.io/";
@@ -52,208 +41,5 @@ stdenv.mkDerivation (finalAttrs: {
     license = lib.licenses.asl20;
     platforms = lib.platforms.all;
     maintainers = [ lib.maintainers.GaetanLepage ];
-    pkgConfigModules = [
-      "absl_log_internal_check_op"
-      "absl_absl_check"
-      "absl_strerror"
-      "absl_common_policy_traits"
-      "absl_graphcycles_internal"
-      "absl_raw_hash_set"
-      "absl_random_internal_entropy_pool"
-      "absl_time_zone"
-      "absl_prefetch"
-      "absl_compressed_tuple"
-      "absl_nullability"
-      "absl_vlog_is_on"
-      "absl_utf8_for_code_point"
-      "absl_base_internal"
-      "absl_bad_variant_access"
-      "absl_flags_parse"
-      "absl_exponential_biased"
-      "absl_log_internal_nullstream"
-      "absl_log_internal_structured_proto"
-      "absl_log_internal_check_impl"
-      "absl_tracing_internal"
-      "absl_random_bit_gen_ref"
-      "absl_meta"
-      "absl_random_distributions"
-      "absl_numeric"
-      "absl_flat_hash_set"
-      "absl_random_internal_randen_hwaes_impl"
-      "absl_malloc_internal"
-      "absl_layout"
-      "absl_type_traits"
-      "absl_random_internal_mock_helpers"
-      "absl_log_streamer"
-      "absl_function_ref"
-      "absl_log"
-      "absl_dynamic_annotations"
-      "absl_non_temporal_memcpy"
-      "absl_random_internal_randen"
-      "absl_stacktrace"
-      "absl_log_internal_globals"
-      "absl_log_internal_strip"
-      "absl_atomic_hook"
-      "absl_flags_usage_internal"
-      "absl_log_internal_voidify"
-      "absl_synchronization"
-      "absl_debugging_internal"
-      "absl_bind_front"
-      "absl_crc_internal"
-      "absl_random_internal_platform"
-      "absl_flags_path_util"
-      "absl_hash_testing"
-      "absl_flags_commandlineflag_internal"
-      "absl_hashtable_debug"
-      "absl_hashtablez_sampler"
-      "absl_random_internal_randen_engine"
-      "absl_log_globals"
-      "absl_optional"
-      "absl_crc_cpu_detect"
-      "absl_demangle_internal"
-      "absl_node_hash_map"
-      "absl_core_headers"
-      "absl_statusor"
-      "absl_str_format_internal"
-      "absl_crc32c"
-      "absl_cordz_update_scope"
-      "absl_cordz_handle"
-      "absl_log_internal_nullguard"
-      "absl_numeric_representation"
-      "absl_log_internal_log_impl"
-      "absl_raw_hash_set_resize_impl"
-      "absl_random_internal_distribution_test_util"
-      "absl_kernel_timeout_internal"
-      "absl_random_internal_uniform_helper"
-      "absl_random_seed_sequences"
-      "absl_cordz_info"
-      "absl_spy_hash_state"
-      "absl_vlog_config_internal"
-      "absl_flags_program_name"
-      "absl_hashtable_debug_hooks"
-      "absl_crc_cord_state"
-      "absl_decode_rust_punycode"
-      "absl_debugging"
-      "absl_overload"
-      "absl_config"
-      "absl_random_internal_fast_uniform_bits"
-      "absl_raw_hash_map"
-      "absl_random_internal_randen_hwaes"
-      "absl_bad_any_cast"
-      "absl_variant"
-      "absl_has_ostream_operator"
-      "absl_span"
-      "absl_btree"
-      "absl_random_internal_distribution_caller"
-      "absl_failure_signal_handler"
-      "absl_any"
-      "absl_poison"
-      "absl_str_format"
-      "absl_cord"
-      "absl_random_internal_wide_multiply"
-      "absl_random_internal_pcg_engine"
-      "absl_flags_internal"
-      "absl_check"
-      "absl_random_internal_seed_material"
-      "absl_log_flags"
-      "absl_no_destructor"
-      "absl_low_level_hash"
-      "absl_hashtable_control_bytes"
-      "absl_periodic_sampler"
-      "absl_log_internal_format"
-      "absl_log_initialize"
-      "absl_random_internal_generate_real"
-      "absl_raw_logging_internal"
-      "absl_inlined_vector"
-      "absl_log_internal_log_sink_set"
-      "absl_log_internal_flags"
-      "absl_flat_hash_map"
-      "absl_scoped_mock_log"
-      "absl_cordz_functions"
-      "absl_random_mocking_bit_gen"
-      "absl_fast_type_id"
-      "absl_sample_recorder"
-      "absl_log_internal_message"
-      "absl_bits"
-      "absl_random_seed_gen_exception"
-      "absl_log_sink_registry"
-      "absl_flags_marshalling"
-      "absl_leak_check"
-      "absl_examine_stack"
-      "absl_status_matchers"
-      "absl_flags_commandlineflag"
-      "absl_absl_vlog_is_on"
-      "absl_any_invocable"
-      "absl_cleanup_internal"
-      "absl_log_severity"
-      "absl_random_internal_salted_seed_seq"
-      "absl_flags_config"
-      "absl_log_structured"
-      "absl_die_if_null"
-      "absl_fixed_array"
-      "absl_cord_internal"
-      "absl_endian"
-      "absl_strings_internal"
-      "absl_symbolize"
-      "absl_log_internal_config"
-      "absl_absl_log"
-      "absl_memory"
-      "absl_container_common"
-      "absl_compare"
-      "absl_civil_time"
-      "absl_int128"
-      "absl_log_internal_append_truncated"
-      "absl_cordz_statistics"
-      "absl_log_internal_fnmatch"
-      "absl_flags"
-      "absl_non_temporal_arm_intrinsics"
-      "absl_random_internal_traits"
-      "absl_base"
-      "absl_algorithm_container"
-      "absl_hash"
-      "absl_log_internal_conditions"
-      "absl_time"
-      "absl_node_slot_policy"
-      "absl_errno_saver"
-      "absl_random_internal_randen_slow"
-      "absl_charset"
-      "absl_bounded_utf8_length_sequence"
-      "absl_city"
-      "absl_bad_optional_access"
-      "absl_random_internal_nonsecure_base"
-      "absl_flags_usage"
-      "absl_utility"
-      "absl_iterator_traits_internal"
-      "absl_spinlock_wait"
-      "absl_pretty_function"
-      "absl_algorithm"
-      "absl_log_sink"
-      "absl_status"
-      "absl_demangle_rust"
-      "absl_node_hash_set"
-      "absl_hash_policy_traits"
-      "absl_flags_private_handle_accessor"
-      "absl_cord_test_helpers"
-      "absl_strings"
-      "absl_log_internal_proto"
-      "absl_inlined_vector_internal"
-      "absl_iterator_traits_test_helper_internal"
-      "absl_random_random"
-      "absl_flags_reflection"
-      "absl_scoped_set_env"
-      "absl_throw_delegate"
-      "absl_hash_function_defaults"
-      "absl_weakly_mixed_integer"
-      "absl_cleanup"
-      "absl_random_internal_iostream_state_saver"
-      "absl_cordz_sample_token"
-      "absl_cordz_update_tracker"
-      "absl_string_view"
-      "absl_hash_container_defaults"
-      "absl_random_internal_fastmath"
-      "absl_log_internal_structured"
-      "absl_container_memory"
-      "absl_log_entry"
-    ];
   };
 })

pkgs/by-name/ab/abseil-cpp_202508/package.nix

@@ -6,8 +6,6 @@
   gtest,
   static ? stdenv.hostPlatform.isStatic,
   cxxStandard ? null,
-  testers,
-  validatePkgConfig,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
@@ -37,19 +35,10 @@ stdenv.mkDerivation (finalAttrs: {
 
   strictDeps = true;
 
-  nativeBuildInputs = [
-    cmake
-    validatePkgConfig
-  ];
+  nativeBuildInputs = [ cmake ];
 
   buildInputs = [ gtest ];
 
-  passthru.tests = {
-    pkg-config = testers.hasPkgConfigModules {
-      package = finalAttrs.finalPackage.dev;
-    };
-  };
-
   meta = {
     description = "Open-source collection of C++ code designed to augment the C++ standard library";
     homepage = "https://abseil.io/";
@@ -57,99 +46,5 @@ stdenv.mkDerivation (finalAttrs: {
     license = lib.licenses.asl20;
     platforms = lib.platforms.all;
     maintainers = [ lib.maintainers.GaetanLepage ];
-    pkgConfigModules = [
-      "absl_base"
-      "absl_city"
-      "absl_civil_time"
-      "absl_cord_internal"
-      "absl_cord"
-      "absl_cordz_functions"
-      "absl_cordz_handle"
-      "absl_cordz_info"
-      "absl_cordz_sample_token"
-      "absl_crc_cord_state"
-      "absl_crc_cpu_detect"
-      "absl_crc_internal"
-      "absl_crc32c"
-      "absl_debugging_internal"
-      "absl_decode_rust_punycode"
-      "absl_demangle_internal"
-      "absl_demangle_rust"
-      "absl_die_if_null"
-      "absl_examine_stack"
-      "absl_exponential_biased"
-      "absl_failure_signal_handler"
-      "absl_flags_commandlineflag_internal"
-      "absl_flags_commandlineflag"
-      "absl_flags_config"
-      "absl_flags_internal"
-      "absl_flags_marshalling"
-      "absl_flags_parse"
-      "absl_flags_private_handle_accessor"
-      "absl_flags_program_name"
-      "absl_flags_reflection"
-      "absl_flags_usage_internal"
-      "absl_flags_usage"
-      "absl_graphcycles_internal"
-      "absl_hash"
-      "absl_hashtable_profiler"
-      "absl_hashtablez_sampler"
-      "absl_int128"
-      "absl_kernel_timeout_internal"
-      "absl_leak_check"
-      "absl_log_entry"
-      "absl_log_flags"
-      "absl_log_globals"
-      "absl_log_initialize"
-      "absl_log_internal_check_op"
-      "absl_log_internal_conditions"
-      "absl_log_internal_fnmatch"
-      "absl_log_internal_format"
-      "absl_log_internal_globals"
-      "absl_log_internal_log_sink_set"
-      "absl_log_internal_message"
-      "absl_log_internal_nullguard"
-      "absl_log_internal_proto"
-      "absl_log_internal_structured_proto"
-      "absl_log_severity"
-      "absl_log_sink"
-      "absl_malloc_internal"
-      "absl_periodic_sampler"
-      "absl_poison"
-      "absl_profile_builder"
-      "absl_random_distributions"
-      "absl_random_internal_distribution_test_util"
-      "absl_random_internal_entropy_pool"
-      "absl_random_internal_platform"
-      "absl_random_internal_randen_hwaes_impl"
-      "absl_random_internal_randen_hwaes"
-      "absl_random_internal_randen_slow"
-      "absl_random_internal_randen"
-      "absl_random_internal_seed_material"
-      "absl_random_seed_gen_exception"
-      "absl_random_seed_sequences"
-      "absl_raw_hash_set"
-      "absl_raw_logging_internal"
-      "absl_scoped_mock_log"
-      "absl_scoped_set_env"
-      "absl_spinlock_wait"
-      "absl_stacktrace"
-      "absl_status_matchers"
-      "absl_status"
-      "absl_statusor"
-      "absl_str_format_internal"
-      "absl_strerror"
-      "absl_string_view"
-      "absl_strings_internal"
-      "absl_strings"
-      "absl_symbolize"
-      "absl_synchronization"
-      "absl_throw_delegate"
-      "absl_time_zone"
-      "absl_time"
-      "absl_tracing_internal"
-      "absl_utf8_for_code_point"
-      "absl_vlog_config_internal"
-    ];
   };
 })

pkgs/by-name/af/afew/package.nix

@@ -19,7 +19,7 @@ python3Packages.buildPythonApplication (finalAttrs: {
 
   nativeBuildInputs = with python3Packages; [
     sphinxHook
-    setuptools_80
+    setuptools
     setuptools-scm
   ];
 

pkgs/by-name/al/alerta-server/package.nix

@@ -7,16 +7,14 @@
 python3.pkgs.buildPythonApplication (finalAttrs: {
   pname = "alerta-server";
   version = "9.0.1";
-  pyproject = true;
+  format = "setuptools";
 
   src = fetchPypi {
     inherit (finalAttrs) pname version;
     hash = "sha256-v4+0l5Sx9RTxmNFnKCoKrWFl1xu1JIRZ/kiI6zi/y0I=";
   };
 
-  build-system = [ python3.pkgs.setuptools_80 ];
-
-  dependencies = with python3.pkgs; [
+  propagatedBuildInputs = with python3.pkgs; [
     bcrypt
     blinker
     cryptography

pkgs/by-name/am/amf-headers/package.nix

@@ -6,13 +6,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "amf-headers";
-  version = "1.5.2";
+  version = "1.5.0";
 
   src = fetchFromGitHub {
     owner = "GPUOpen-LibrariesAndSDKs";
     repo = "AMF";
     tag = "v${finalAttrs.version}";
-    sha256 = "sha256-+jVYm/Zmt+1bzKnKTiClgoMRsyhqpuKZj79DvGHpPTM=";
+    sha256 = "sha256-ZVC1e4S5CNpfl3ewHR9aVfYwxDBE7/BJ6OyH2kF00fQ=";
   };
 
   installPhase = ''

pkgs/by-name/ap/apparmor-parser/package.nix

@@ -6,8 +6,6 @@
   bison,
   linuxHeaders ? stdenv.cc.libc.linuxHeaders,
   buildPackages,
-  zstd,
-  fetchpatch,
 
   # apparmor deps
   libapparmor,
@@ -25,27 +23,17 @@ stdenv.mkDerivation (finalAttrs: {
 
   postPatch = ''
     patchShebangs .
-
-    substituteInPlace init/rc.apparmor.functions \
-      --replace-fail "/sbin/apparmor_parser" "$out/bin/apparmor_parser" \
-      --replace-fail "/usr/sbin/aa-status" "${lib.getExe' apparmor-bin-utils "aa-status"}"
-    sed -i init/rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}'
-
     cd parser
 
     substituteInPlace Makefile \
       --replace-fail "/usr/include/linux/capability.h" "${linuxHeaders}/include/linux/capability.h"
+    substituteInPlace rc.apparmor.functions \
+      --replace-fail "/sbin/apparmor_parser" "$out/bin/apparmor_parser" # FIXME
+    substituteInPlace rc.apparmor.functions \
+      --replace-fail "/usr/sbin/aa-status" "${lib.getExe' apparmor-bin-utils "aa-status"}"
+    sed -i rc.apparmor.functions -e '2i . ${./fix-rc.apparmor.functions.sh}'
   '';
 
-  patches = [
-    (fetchpatch {
-      # https://gitlab.com/apparmor/apparmor/-/merge_requests/2133
-      # Patches generated yacc parser code to compile with format-security
-      url = "https://gitlab.com/apparmor/apparmor/-/commit/6bdec74d5e74660b97e00b4b8fafc014b05907b7.diff";
-      hash = "sha256-7c5EFByrGIDj2lc31bRttyeybwndDm4iS4qdPMVaG/I=";
-    })
-  ];
-
   nativeBuildInputs = [
     bison
     flex
@@ -54,7 +42,6 @@ stdenv.mkDerivation (finalAttrs: {
 
   buildInputs = [
     libapparmor
-    zstd
     runtimeShellPackage
   ];
 

pkgs/by-name/ap/apparmor-profiles/package.nix

@@ -1,9 +1,7 @@
 {
-  lib,
   stdenv,
   which,
   callPackage,
-  python3,
 
   # apparmor deps
   libapparmor,
@@ -30,16 +28,9 @@ stdenv.mkDerivation {
     apparmor-utils
   ];
 
-  checkInputs = [
-    python3
-  ];
-
   preCheck = ''
     export USE_SYSTEM=1
     export LOGPROF="aa-logprof --configdir ${callPackage ./test_config.nix { }} --no-check-mountpoint"
-    patchShebangs ../parser/tst
-    substituteInPlace ../parser/tst/test_profile.py \
-      --replace-fail '../parser/apparmor_parser' '${lib.getExe apparmor-parser}'
   '';
 
   doCheck = true;

pkgs/by-name/ap/apple-sdk/metadata/versions.json

@@ -17,10 +17,10 @@
   },
   "26": {
     "urls": [
-      "https://swcdn.apple.com/content/downloads/09/08/047-91568-A_Y1CFZWQCD4/4xekpyz43i26dbp4enxfro8eb1q7wiujh5/CLTools_macOSNMOS_SDK.pkg",
-      "https://web.archive.org/web/20260512015547/https://swcdn.apple.com/content/downloads/09/08/047-91568-A_Y1CFZWQCD4/4xekpyz43i26dbp4enxfro8eb1q7wiujh5/CLTools_macOSNMOS_SDK.pkg"
+      "https://swcdn.apple.com/content/downloads/32/53/047-96692-A_OAHIHT53YB/ybtshxmrcju8m2qvw3w5elr4rajtg1x3y3/CLTools_macOSNMOS_SDK.pkg",
+      "https://web.archive.org/web/20260406133131/https://swcdn.apple.com/content/downloads/32/53/047-96692-A_OAHIHT53YB/ybtshxmrcju8m2qvw3w5elr4rajtg1x3y3/CLTools_macOSNMOS_SDK.pkg"
     ],
-    "version": "26.5",
-    "hash": "sha256-IkDNtiO7PP4GI6OszCNWE1Xb4iepCUKwQHYUyc9NgNA="
+    "version": "26.4",
+    "hash": "sha256-7nrbCv1pNlpzEqwZWVfUPCvDfXEJJNOl7ApkeFpIOC0="
   }
 }

pkgs/by-name/as/assimp/package.nix

@@ -9,7 +9,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "assimp";
-  version = "6.0.5";
+  version = "6.0.4";
   outputs = [
     "out"
     "lib"
@@ -20,7 +20,7 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "assimp";
     repo = "assimp";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-QWBi1pl5C76UtPhB6SmFipm9oEdnfhELMT3MqfV6oxg=";
+    hash = "sha256-ryTgsN0z9BZBz7i9aUMKuneN5oqfxpduwJlb+Q0q3Mk=";
   };
 
   postPatch = ''

pkgs/by-name/at/at-spi2-core/package.nix

@@ -29,7 +29,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "at-spi2-core";
-  version = "2.60.4";
+  version = "2.60.1";
 
   outputs = [
     "out"
@@ -39,7 +39,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   src = fetchurl {
     url = "mirror://gnome/sources/at-spi2-core/${lib.versions.majorMinor finalAttrs.version}/at-spi2-core-${finalAttrs.version}.tar.xz";
-    hash = "sha256-Gh9bqYBZF/QfxqpoI9z4h6KR1gekJ+LVr7a136ZQcMc=";
+    hash = "sha256-+ZuH48FnT1+8QXzJwdniYcDymqsFUK1jaYBQMdEvaFI=";
   };
 
   nativeBuildInputs = [

pkgs/by-name/au/audit/package.nix

@@ -30,13 +30,13 @@
 }:
 stdenv.mkDerivation (finalAttrs: {
   pname = "audit";
-  version = "4.1.4";
+  version = "4.1.2-unstable-2025-09-06"; # fixes to non-static builds right after 4.1.2 release
 
   src = fetchFromGitHub {
     owner = "linux-audit";
     repo = "audit-userspace";
-    tag = "v${finalAttrs.version}";
-    hash = "sha256-GdJ9nzlDAdOazOHH/YWuEoELrJh+G5ZJUKwIqAKAzpo=";
+    rev = "cb13fe75ee2c36d5c525ed9de22aae10dbc8caf4";
+    hash = "sha256-NX0TWA+LtcZgbM9aQfokWv2rGNAAb3ksGqAH8URAkYM=";
   };
 
   postPatch = ''
@@ -132,6 +132,10 @@ stdenv.mkDerivation (finalAttrs: {
   # Instead, we load audit rules in a dedicated module.
   postFixup = ''
     moveToOutput bin/augenrules $scripts
+    substituteInPlace $scripts/bin/augenrules \
+      --replace-fail "/sbin/auditctl -R" "$bin/bin/auditctl -R" \
+      --replace-fail "auditctl -s" "$bin/bin/auditctl -s" \
+      --replace-fail "/bin/ls" "ls"
     wrapProgram $scripts/bin/augenrules \
       --prefix PATH : ${
         lib.makeBinPath [

pkgs/by-name/av/avahi/package.nix

@@ -11,7 +11,6 @@
   expat,
   gettext,
   glib,
-  autoconf-archive,
   autoreconfHook,
   libiconv,
   libevent,
@@ -181,12 +180,6 @@ stdenv.mkDerivation rec {
 
   ];
 
-  postPatch = ''
-    # Remove the vendored ACX_PTHREAD macro in favor of the more up-to-date
-    # implementation from autoconf-archive, especially to support static builds.
-    rm common/acx_pthread.m4
-  '';
-
   depsBuildBuild = [
     pkg-config
   ];
@@ -195,7 +188,6 @@ stdenv.mkDerivation rec {
     pkg-config
     gettext
     glib
-    autoconf-archive
     autoreconfHook
   ];
 

pkgs/by-name/bm/bmake/package.nix

@@ -67,8 +67,6 @@ stdenv.mkDerivation (finalAttrs: {
     ) "export"
   );
 
-  __structuredAttrs = true;
-
   strictDeps = true;
 
   doCheck = true;
@@ -95,11 +93,7 @@ stdenv.mkDerivation (finalAttrs: {
   installPhase = ''
     runHook preInstall
 
-    # `boot-strap op=install` runs the built bmake, which breaks cross builds.
-    install -Dm755 bmake $out/bin/bmake
-    install -Dm644 bmake.1 $man/share/man/man1/bmake.1
-    install -Dm755 -d $out/share/mk
-    sh mk/install-mk -v -m 444 $out/share/mk
+    ./boot-strap --prefix=$out -o . op=install
 
     runHook postInstall
   '';

pkgs/by-name/bo/boost-build/package.nix

@@ -35,9 +35,7 @@ stdenv.mkDerivation {
   patches =
     useBoost.boostBuildPatches or [ ]
     ++ lib.optional (
-      useBoost ? version
-      && lib.versionAtLeast useBoost.version "1.81"
-      && lib.versionOlder useBoost.version "1.88"
+      useBoost ? version && lib.versionAtLeast useBoost.version "1.81"
     ) ./fix-clang-target.patch;
 
   postPatch =

pkgs/by-name/by/byacc/package.nix

@@ -6,14 +6,14 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "byacc";
-  version = "20260126";
+  version = "20241231";
 
   src = fetchurl {
     urls = [
       "https://invisible-mirror.net/archives/byacc/byacc-${finalAttrs.version}.tgz"
       "https://invisible-island.net/archives/byacc/byacc-${finalAttrs.version}.tgz"
     ];
-    hash = "sha256-thjF+0TC9fBIhD25D30bJPePR7B5E8jHuoyULT6ySwA=";
+    hash = "sha256-GSwvrgSNTn9RS6RRYn+cTmEnZQmfgZwZGR+f3j5glnM=";
   };
 
   configureFlags = [

pkgs/by-name/ca/cargo-c/package.nix

@@ -12,19 +12,19 @@
 
 let
   # this version may need to be updated along with package version
-  cargoVersion = "0.96.0";
+  cargoVersion = "0.93.0";
 in
 rustPlatform.buildRustPackage (finalAttrs: {
   pname = "cargo-c";
-  version = "0.10.22";
+  version = "0.10.19";
 
   src = fetchCrate {
     inherit (finalAttrs) pname;
     version = "${finalAttrs.version}+cargo-${cargoVersion}";
-    hash = "sha256-yqSrpBZUa0NmsPawYKKgywmbbG4zgguwfDF667s7zdo=";
+    hash = "sha256-PrBmB+0tmU2MAUnRr+wx4g9hu0Y9i6WfR8U89bwiLVY=";
   };
 
-  cargoHash = "sha256-yeJWZtkgCRB0ipyTslsGcJi9Fi/XoWziuv74exRhAIk=";
+  cargoHash = "sha256-EM/vAfW/ucOfK/XmAQn9Zk75eFb7pp8uZoByKbALCyo=";
 
   nativeBuildInputs = [
     pkg-config

pkgs/by-name/ca/catch2_3/package.nix

@@ -9,13 +9,13 @@
 
 stdenv.mkDerivation rec {
   pname = "catch2";
-  version = "3.15.0";
+  version = "3.14.0";
 
   src = fetchFromGitHub {
     owner = "catchorg";
     repo = "Catch2";
     tag = "v${version}";
-    hash = "sha256-1GBzS8jgJXb82BMMRuHWqszB1Xwg6wohmCuINWE7QoU=";
+    hash = "sha256-tegAa+cNF7pJcW33B+VZ86ZlDG7dwS3o6QnN/XvTI2A=";
   };
 
   patches = lib.optionals stdenv.cc.isClang [

pkgs/by-name/cm/cmocka/package.nix

@@ -7,11 +7,11 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "cmocka";
-  version = "2.0.2";
+  version = "2.0.1";
 
   src = fetchurl {
     url = "https://cmocka.org/files/${lib.versions.majorMinor finalAttrs.version}/cmocka-${finalAttrs.version}.tar.xz";
-    hash = "sha256-OfkvNmvfPxoCr02nW0pcUt9sn35zbH1l3hMoP58O9BY=";
+    hash = "sha256-PzUzOCuimrOr9cT0snt50WXw31HqWH3nSbEbaLQBkYA=";
   };
 
   patches = [

pkgs/by-name/cu/curlMinimal/fix-wakeup-consumption.patch

@@ -1,32 +0,0 @@
-From 2a2104f3cff44bb28bb570a093be52bbeeed8f23 Mon Sep 17 00:00:00 2001
-From: Stefan Eissing <stefan@eissing.org>
-Date: Mon, 11 May 2026 14:56:04 +0200
-Subject: [PATCH] event: fix wakeup consumption
-
-The events on a multi wakeup socketpair were only consumed via
-curl_multi_poll()/curl_multi_wait() but not in event based processing on
-a curl_multi_socket() call. That led to busy loops as reported in
-
-Fixes #21547
-Reported-by: Earnestly on github
-Closes #21549
----
- lib/multi.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/lib/multi.c b/lib/multi.c
-index be32740a7097..5e84133f13fd 100644
---- a/lib/multi.c
-+++ b/lib/multi.c
-@@ -2703,6 +2703,11 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
-   Curl_uint32_bset_remove(&multi->dirty, data->mid);
- 
-   if(data == multi->admin) {
-+#ifdef ENABLE_WAKEUP
-+    /* Consume any pending wakeup signals before processing.
-+     * This is necessary for event based processing. See #21547 */
-+    (void)Curl_wakeup_consume(multi->wakeup_pair, TRUE);
-+#endif
- #ifdef USE_RESOLV_THREADED
-     Curl_async_thrdd_multi_process(multi);
- #endif

pkgs/by-name/cu/curlMinimal/package.nix

@@ -96,13 +96,6 @@ stdenv.mkDerivation (finalAttrs: {
     hash = "sha256-Y/4twUi6DOromSLvg49+XJRicsLni3xZ+rS3nTziuJY=";
   };
 
-  patches = [
-    # https://github.com/curl/curl/commit/2a2104f3cff44bb28bb570a093be52bbeeed8f23
-    # According to <https://curl.se/mail/distros-2026-05/0000.html>, this fixes
-    # a performance regression, causing high CPU usage
-    ./fix-wakeup-consumption.patch
-  ];
-
   # this could be accomplished by updateAutotoolsGnuConfigScriptsHook, but that causes infinite recursion
   # necessary for FreeBSD code path in configure
   postPatch = ''
@@ -122,7 +115,6 @@ stdenv.mkDerivation (finalAttrs: {
   enableParallelBuilding = true;
 
   strictDeps = true;
-  __structuredAttrs = true;
 
   env = {
     CXX = "${stdenv.cc.targetPrefix}c++";

pkgs/by-name/da/dash/package.nix

@@ -15,11 +15,11 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "dash";
-  version = "0.5.13.4";
+  version = "0.5.13.3";
 
   src = fetchurl {
     url = "http://gondor.apana.org.au/~herbert/dash/files/dash-${finalAttrs.version}.tar.gz";
-    hash = "sha256-0Q39Qc2lkWVWDbOcqRXCxKdjb/8EKB2NLfd62Sx1Pis=";
+    hash = "sha256-qDcnwSmaxMPZ1Dl5OTs6TrACddVjauAlJueXnVHW+9E=";
   };
 
   strictDeps = true;

pkgs/by-name/db/dbus/package.nix

@@ -129,9 +129,6 @@ stdenv.mkDerivation (finalAttrs: {
     "-Dselinux=disabled"
   ]
   ++ lib.optionals stdenv.hostPlatform.isDarwin [
-    # D-Bus defaults to launchd-activation on Darwin, but that requires the launch agent be installed. It also breaks
-    # anything that uses `dbus-run-session` in tests. Changing the default aligns Darwin with other UNIX platforms.
-    "-Ddbus_session_bus_listen_address=unix:tmpdir=/tmp"
     # `launchctl` is only needed at runtime. Lie to `find_program` because it will always be present on a Darwin host.
     "--cross-file=${writeText "darwin.ini" ''
       [binaries]
@@ -159,14 +156,6 @@ stdenv.mkDerivation (finalAttrs: {
       --replace-fail 'DBUS_DAEMONDIR"/dbus-daemon"' '"/run/current-system/sw/bin/dbus-daemon"'
   '';
 
-  postInstall = lib.optionalString stdenv.hostPlatform.isDarwin ''
-    # For some reason, only these binaries reference the dylib by rpath instead of by an absolute install name.
-    for exe in bin/dbus-daemon bin/dbus-run-session libexec/dbus-daemon-launch-helper; do
-      install_name_tool "$out/$exe" \
-        -change "@rpath/libdbus-1.3.dylib" "$lib/lib/libdbus-1.3.dylib"
-    done
-  '';
-
   postFixup = ''
     # It's executed from $lib by absolute path
     moveToOutput bin/dbus-launch "$lib"

pkgs/by-name/dj/djvulibre/package.nix

@@ -11,11 +11,11 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "djvulibre";
-  version = "3.5.30";
+  version = "3.5.29";
 
   src = fetchurl {
     url = "mirror://sourceforge/djvu/djvulibre-${finalAttrs.version}.tar.gz";
-    hash = "sha256-7l5FfUz+vlZvlLmeXj08x/XHndt0HCrCui5FbwAylkQ=";
+    hash = "sha256-07SwOuK9yoUWo2726ye3d/BSjJ7aJnRdmWKCSj/f7M8=";
   };
 
   outputs = [

pkgs/by-name/do/doctest/package.nix

@@ -7,13 +7,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "doctest";
-  version = "2.5.2";
+  version = "2.5.0";
 
   src = fetchFromGitHub {
     owner = "doctest";
     repo = "doctest";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-4jW6xPFCFxk1l47EkSUVojhycrtluPhOc5Adf/25R7M=";
+    hash = "sha256-7t/eknv7VtHoBgcuJmI07x//HIyqzE9HUuH5u2y7X8A=";
   };
 
   nativeBuildInputs = [ cmake ];
@@ -27,7 +27,6 @@ stdenv.mkDerivation (finalAttrs: {
   doCheck = true;
 
   meta = {
-    changelog = "https://github.com/doctest/doctest/releases/tag/${finalAttrs.src.tag}";
     homepage = "https://github.com/doctest/doctest";
     description = "Fastest feature-rich C++11/14/17/20 single-header testing framework";
     platforms = lib.platforms.all;

pkgs/by-name/do/double-conversion/package.nix

@@ -2,6 +2,7 @@
   stdenv,
   lib,
   fetchFromGitHub,
+  fetchpatch,
   cmake,
   ninja,
   ctestCheckHook,
@@ -10,15 +11,34 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "double-conversion";
-  version = "3.4.0";
+  version = "3.3.1";
 
   src = fetchFromGitHub {
     owner = "google";
     repo = "double-conversion";
-    tag = "v${finalAttrs.version}";
-    hash = "sha256-gxaPqQ51RyXZaTHkvh4RBpedPopcRiuWDoT+PPbI1uw=";
+    rev = "v${finalAttrs.version}";
+    sha256 = "sha256-M80H+azCzQYa4/gBLWv5GNNhEuHsH7LbJ/ajwmACnrM=";
   };
 
+  patches = [
+    # Fix the build with CMake 4.
+    (fetchpatch {
+      name = "double-conversion-fix-cmake-4-1.patch";
+      url = "https://github.com/google/double-conversion/commit/101e1ba89dc41ceb75090831da97c43a76cd2906.patch";
+      hash = "sha256-VRmuNXdzt/I+gWbz5mwWkx5IGn8Vsl9WkdwRsuwZdkU=";
+    })
+    (fetchpatch {
+      name = "double-conversion-fix-cmake-4-2.patch";
+      url = "https://github.com/google/double-conversion/commit/0604b4c18815aadcf7f4b78dfa6bfcb91a634ed7.patch";
+      hash = "sha256-cJBp1ou1O/bMQ/7kvcX52dWbUdhmPfQ9aWmEhQdyhis=";
+    })
+    (fetchpatch {
+      name = "double-conversion-add-pkg-config.patch";
+      url = "https://github.com/google/double-conversion/commit/ddfd18c58ecc32fc74afc1083bb8774240b54efb.patch";
+      hash = "sha256-/pKCL19vS8fNwCm27yTNP+32ApHTH5dEGpnsMI11Lf4=";
+    })
+  ];
+
   outputs = [
     "out"
     "dev"
@@ -48,7 +68,6 @@ stdenv.mkDerivation (finalAttrs: {
 
   meta = {
     pkgConfigModules = [ "double-conversion" ];
-    changelog = "https://github.com/google/double-conversion/blob/${finalAttrs.src.tag}/Changelog";
     description = "Binary-decimal and decimal-binary routines for IEEE doubles";
     homepage = "https://github.com/google/double-conversion";
     license = lib.licenses.bsd3;

pkgs/by-name/do/doxygen/package.nix

@@ -16,13 +16,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "doxygen";
-  version = "1.17.0";
+  version = "1.16.1";
 
   src = fetchFromGitHub {
     owner = "doxygen";
     repo = "doxygen";
     tag = "Release_${lib.replaceStrings [ "." ] [ "_" ] finalAttrs.version}";
-    hash = "sha256-SSq/sFB9y2CFMeL58vgcHa2ulo+tPPUGT347ABoHoD4=";
+    hash = "sha256-MszJpYdXaC8BYK1lSV1LpJncKN1LrFoyJXZajpz0HIA=";
   };
 
   # https://github.com/doxygen/doxygen/issues/10928#issuecomment-2179320509

pkgs/by-name/du/duplicity/package.nix

@@ -75,17 +75,20 @@ let
       glib
     ];
 
-    pythonPath = with python3.pkgs; [
-      b2sdk
-      boto3
-      idna
-      pygobject3
-      fasteners
-      paramiko
-      pexpect
-      # Currently marked as broken.
-      # pydrive2
-    ];
+    pythonPath =
+      with python3.pkgs;
+      [
+        b2sdk
+        boto3
+        idna
+        pygobject3
+        fasteners
+        paramiko
+        pexpect
+        # Currently marked as broken.
+        # pydrive2
+      ]
+      ++ paramiko.optional-dependencies.invoke;
 
     nativeCheckInputs = [
       gnupg # Add 'gpg' to PATH.

pkgs/by-name/e2/e2fsprogs/package.nix

@@ -3,6 +3,7 @@
   stdenv,
   buildPackages,
   fetchurl,
+  fetchpatch,
   pkg-config,
   libuuid,
   gettext,
@@ -19,15 +20,25 @@
 
 stdenv.mkDerivation rec {
   pname = "e2fsprogs";
-  version = "1.47.4";
+  version = "1.47.3";
 
   __structuredAttrs = true;
 
   src = fetchurl {
     url = "mirror://kernel/linux/kernel/people/tytso/e2fsprogs/v${version}/e2fsprogs-${version}.tar.xz";
-    hash = "sha256-/VvziMvb4Aaj07MY2YOylIOCRArMhah/Hn0QhlPo2ws=";
+    hash = "sha256-hX5u+AD+qiu0V4+8gQIUvl08iLBy6lPFOEczqWVzcyk=";
   };
 
+  patches = [
+    # Upstream patch that fixes musl build (and probably others).
+    # Should be included in next release after 1.47.3.
+    (fetchpatch {
+      name = "stdio-portability.patch";
+      url = "https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/patch/?id=f79abd8554e600eacc2a7c864a8332b670c9e262";
+      hash = "sha256-zZ7zmSMTwGyS3X3b/D/mVG0bV2ul5xtY5DJx9YUvQO8=";
+    })
+  ];
+
   # fuse2fs adds 14mb of dependencies
   outputs = [
     "bin"

pkgs/by-name/el/elfutils/package.nix

@@ -28,11 +28,11 @@
 # TODO: Look at the hardcoded paths to kernel, modules etc.
 stdenv.mkDerivation (finalAttrs: {
   pname = "elfutils";
-  version = "0.195";
+  version = "0.194";
 
   src = fetchurl {
     url = "https://sourceware.org/elfutils/ftp/${finalAttrs.version}/elfutils-${finalAttrs.version}.tar.bz2";
-    hash = "sha256-N2Kf338fPcKBjhOPyiuAlBd9bC0PcB07tlClYSGNwCY=";
+    hash = "sha256-CeL/Az05uqiziKLX+8U5C/3pmuO3xnx9qvdDP7zw8B4=";
   };
 
   patches = [
@@ -57,6 +57,13 @@ stdenv.mkDerivation (finalAttrs: {
       url = "https://git.alpinelinux.org/aports/plain/main/elfutils/musl-strndupa.patch?id=2e3d4976eeffb4704cf83e2cc3306293b7c7b2e9";
       sha256 = "sha256-7daehJj1t0wPtQzTv+/Rpuqqs5Ng/EYnZzrcf2o/Lb0=";
     })
+    (fetchpatch {
+      name = "fix-aarch64_attributes.patch";
+      url = "https://sourceware.org/git/?p=elfutils.git;a=patch;h=b27adc5262e807f341ca0a4910ce04294144f79a";
+      hash = "sha256-hksO5HXL9Jv5E4o2rI4NAgQp+4z+Lg7Wn/AdW7fpr0c=";
+    })
+    # https://patchwork.sourceware.org/project/elfutils/patch/20251205145241.1165646-1-arnout@bzzt.net/
+    ./test-run-sysroot-reliability.patch
   ]
   ++ lib.optionals stdenv.hostPlatform.isMusl [ ./musl-error_h.patch ];
 

pkgs/by-name/el/elfutils/test-run-sysroot-reliability.patch

@@ -0,0 +1,44 @@
+commit 898804bed022d1ef26e5c0b12550f87fc86f29ed
+Author: Arnout Engelen <arnout@bzzt.net>
+Date:   Thu Dec 4 21:42:40 2025 +0100
+
+    tests: improve reliability of run-sysroot.sh
+    
+    Previously, the 'second' test would test the `RESOLVE_IN_ROOT` feature
+    when the current libc supports it, even when the currently running
+    kernel did not yet support it.
+    
+    Signed-off-by: Arnout Engelen <arnout@bzzt.net>
+
+diff --git a/tests/run-sysroot.sh b/tests/run-sysroot.sh
+index fe302446..d2041e8a 100755
+--- a/tests/run-sysroot.sh
++++ b/tests/run-sysroot.sh
+@@ -46,10 +46,14 @@ TID 431185:
+ #8  0x0000aaaae56127f0 _start
+ EOF
+ 
+-HAVE_OPENAT2=$(grep '^#define HAVE_OPENAT2_RESOLVE_IN_ROOT' \
+-                    ${abs_builddir}/../config.h | awk '{print $3}')
++libc_has_openat2_resolve_in_root() {
++  grep '^#define HAVE_OPENAT2_RESOLVE_IN_ROOT' ${abs_builddir}/../config.h | awk '{print $3}'
++}
++kernel_has_openat2_resolve_in_root() {
++  printf "%s\n%s" "5.6.0" "$(uname -r)" | sort -V -C
++}
+ 
+-if [[ "$HAVE_OPENAT2" = 1 ]]; then
++if libc_has_openat2_resolve_in_root && kernel_has_openat2_resolve_in_root; then
+     # Change the layout of files in sysroot to test symlink escape scenario
+     rm -f "${tmpdir}/sysroot/bin"
+     mkdir "${tmpdir}/sysroot/bin"
+@@ -57,7 +61,8 @@ if [[ "$HAVE_OPENAT2" = 1 ]]; then
+     ln -s /bin/bash "${tmpdir}/sysroot/usr/bin/bash"
+ 
+     # Check that stack with --sysroot generates correct backtrace even if target
+-    # binary is actually absolute symlink pointing outside of sysroot directory
++    # binary is actually absolute symlink to be interpreted relative to the sysroot
++    # directory
+     testrun "${abs_top_builddir}"/src/stack --core "${tmpdir}/core.bash" \
+ 	    --sysroot "${tmpdir}/sysroot" >"${tmpdir}/stack.out"
+ 

pkgs/by-name/ex/expat/package.nix

@@ -18,7 +18,7 @@
 # files.
 
 let
-  version = "2.8.1";
+  version = "2.8.0";
   tag = "R_${lib.replaceStrings [ "." ] [ "_" ] version}";
 in
 stdenv.mkDerivation (finalAttrs: {
@@ -29,7 +29,7 @@ stdenv.mkDerivation (finalAttrs: {
     url =
       with finalAttrs;
       "https://github.com/libexpat/libexpat/releases/download/${tag}/${pname}-${version}.tar.xz";
-    hash = "sha256-ELGV7ngWCpCDiBgKj+NgPU6aEvR1X79fOBayOp11DaA=";
+    hash = "sha256-o3v64KqXdb2FIevYXcRW1Ibw/zETj2yR/ZAupzJiRUI=";
   };
 
   strictDeps = true;

pkgs/by-name/ff/fftw/package.nix

@@ -1,5 +1,6 @@
 {
   fetchurl,
+  fetchpatch,
   stdenv,
   lib,
   gfortran,
@@ -21,16 +22,24 @@ assert lib.elem precision [
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "fftw-${precision}";
-  version = "3.3.11";
+  version = "3.3.10";
 
   src = fetchurl {
     urls = [
       "https://fftw.org/fftw-${finalAttrs.version}.tar.gz"
       "ftp://ftp.fftw.org/pub/fftw/fftw-${finalAttrs.version}.tar.gz"
     ];
-    hash = "sha256-VjDCTN6zOxMWEvfrSxqZNCNHVPnziP+GF0WNC+byOaE=";
+    hash = "sha256-VskyVJhSzdz6/as4ILAgDHdCZ1vpIXnlnmIVs0DiZGc=";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "remove_missing_FFTW3LibraryDepends.patch";
+      url = "https://github.com/FFTW/fftw3/pull/338/commits/f69fef7aa546d4477a2a3fd7f13fa8b2f6c54af7.patch";
+      hash = "sha256-lzX9kAHDMY4A3Td8necXwYLcN6j8Wcegi3A7OIECKeU=";
+    })
+  ];
+
   outputs = [
     "out"
     "dev"
@@ -98,7 +107,6 @@ stdenv.mkDerivation (finalAttrs: {
   __structuredAttrs = true;
 
   meta = {
-    changelog = "https://github.com/FFTW/fftw3/blob/fftw-${finalAttrs.version}/NEWS";
     description = "Fastest Fourier Transform in the West library";
     homepage = "https://www.fftw.org/";
     license = lib.licenses.gpl2Plus;

pkgs/by-name/fl/fluidsynth/package.nix

@@ -13,13 +13,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "fluidsynth";
-  version = "2.5.4";
+  version = "2.5.3";
 
   src = fetchFromGitHub {
     owner = "FluidSynth";
     repo = "fluidsynth";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-uL9K2Bc5PA6qm/QVFvEUDyGBst9L/sNP0+HculCWCZk=";
+    hash = "sha256-k8IHS6Mh1b1iMSuBg3svlf7A2dsg6VHEKqlDhvyJnbo=";
     fetchSubmodules = true;
   };
 

pkgs/by-name/fo/forgejo-cli/package.nix

@@ -10,11 +10,14 @@
   oniguruma,
   openssl,
   zlib,
+  versionCheckHook,
 }:
 rustPlatform.buildRustPackage (finalAttrs: {
   pname = "forgejo-cli";
   version = "0.5.0";
 
+  __structuredAttrs = true;
+
   src = fetchFromCodeberg {
     owner = "forgejo-contrib";
     repo = "forgejo-cli";
@@ -49,6 +52,10 @@ rustPlatform.buildRustPackage (finalAttrs: {
       --zsh <($out/bin/fj completion zsh)
   '';
 
+  nativeInstallCheckInputs = [ versionCheckHook ];
+  versionCheckProgramArg = "version";
+  doInstallCheck = true;
+
   meta = {
     description = "CLI application for interacting with Forgejo";
     homepage = "https://codeberg.org/forgejo-contrib/forgejo-cli";

pkgs/by-name/fr/freetype/package.nix

@@ -39,7 +39,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "freetype";
-  version = "2.14.3";
+  version = "2.14.2";
 
   src =
     let
@@ -47,7 +47,7 @@ stdenv.mkDerivation (finalAttrs: {
     in
     fetchurl {
       url = "mirror://savannah/freetype/freetype-${version}.tar.xz";
-      sha256 = "sha256-NrxPHMQTM1No7mVsQq/KZcWjmH6HaMwozxG6d154Wl8=";
+      sha256 = "sha256-S2Lcq0ySChqGA2mTMiGBQ2LmmeJvVXklFtZx5v9VteE=";
     };
 
   propagatedBuildInputs = [

pkgs/by-name/ga/game-music-emu/package.nix

@@ -8,14 +8,14 @@
 }:
 
 stdenv.mkDerivation (finalAttrs: {
-  version = "0.6.5";
+  version = "0.6.4";
   pname = "game-music-emu";
 
   src = fetchFromGitHub {
     owner = "libgme";
     repo = "game-music-emu";
     tag = finalAttrs.version;
-    hash = "sha256-zn1t0oDj8hz/sfbG7lrstkv2Kf6cL7zAEMpIu9X4dyQ=";
+    hash = "sha256-qGNWFFUUjv2R5e/nQrriAyDJCARISqNB8e5/1zEJ3fk=";
   };
   nativeBuildInputs = [
     cmake

pkgs/by-name/gb/gbenchmark/package.nix

@@ -5,19 +5,18 @@
   cmake,
   ninja,
   gtest,
-  glibcLocales,
   prometheus-cpp,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "gbenchmark";
-  version = "1.9.5";
+  version = "1.9.4";
 
   src = fetchFromGitHub {
     owner = "google";
     repo = "benchmark";
-    tag = "v${finalAttrs.version}";
-    hash = "sha256-Mm4pG7zMB00iof32CxreoNBFnduPZTMp3reHMCIAFPQ=";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-P7wJcKkIBoWtN9FCRticpBzYbEZPq71a0iW/2oDTZRU=";
   };
 
   nativeBuildInputs = [
@@ -27,30 +26,20 @@ stdenv.mkDerivation (finalAttrs: {
 
   buildInputs = [ gtest ];
 
-  nativeCheckInputs = lib.optionals stdenv.hostPlatform.isLinux [ glibcLocales ];
-
   cmakeFlags = [
     (lib.cmakeBool "BENCHMARK_USE_BUNDLED_GTEST" false)
     (lib.cmakeBool "BENCHMARK_ENABLE_WERROR" false)
   ];
 
-  env = {
-    # We ran into issues with gtest 1.8.5 conditioning on
-    # `#if __has_cpp_attribute(maybe_unused)`, which was, for some
-    # reason, going through even when C++14 was being used and
-    # breaking the build on Darwin by triggering errors about using
-    # C++17 features.
-    #
-    # This might be a problem with our Clang, as it does not reproduce
-    # with Xcode, but we just work around it by silencing the warning.
-    NIX_CFLAGS_COMPILE = lib.optionalString stdenv.cc.isClang "-Wno-c++17-attribute-extensions";
-  }
-  // lib.optionalAttrs stdenv.hostPlatform.isLinux {
-    # For test:locale_impermeability_test
-    LANG = "en_US.UTF-8";
-    LC_ALL = "en_US.UTF-8";
-    LOCALE_ARCHIVE = "${glibcLocales}/lib/locale/locale-archive";
-  };
+  # We ran into issues with gtest 1.8.5 conditioning on
+  # `#if __has_cpp_attribute(maybe_unused)`, which was, for some
+  # reason, going through even when C++14 was being used and
+  # breaking the build on Darwin by triggering errors about using
+  # C++17 features.
+  #
+  # This might be a problem with our Clang, as it does not reproduce
+  # with Xcode, but we just work around it by silencing the warning.
+  env.NIX_CFLAGS_COMPILE = lib.optionalString stdenv.cc.isClang "-Wno-c++17-attribute-extensions";
 
   # Tests fail on 32-bit due to not enough precision
   doCheck = stdenv.hostPlatform.is64bit;
@@ -64,6 +53,6 @@ stdenv.mkDerivation (finalAttrs: {
     homepage = "https://github.com/google/benchmark";
     license = lib.licenses.asl20;
     platforms = lib.platforms.linux ++ lib.platforms.darwin ++ lib.platforms.freebsd;
-    maintainers = with lib.maintainers; [ miniharinn ];
+    maintainers = [ ];
   };
 })

pkgs/by-name/gd/gdb/package.nix

@@ -5,6 +5,7 @@
 
   # Build time
   fetchurl,
+  fetchpatch,
   pkg-config,
   perl,
   texinfo,
@@ -67,11 +68,11 @@ in
 
 stdenv.mkDerivation (finalAttrs: {
   inherit pname;
-  version = "17.2";
+  version = "17.1";
 
   src = fetchurl {
     url = "mirror://gnu/gdb/gdb-${finalAttrs.version}.tar.xz";
-    hash = "sha256-HANsDXLks9H7XJTIhjKt1vnXb018TS6nk8EqnxmjIow=";
+    hash = "sha256-FJlvX3TJ9o9aVD/cRbyngAIH+R+SrupsLnkYIsfG2HY=";
   };
 
   postPatch =
@@ -89,6 +90,17 @@ stdenv.mkDerivation (finalAttrs: {
 
   patches = [
     ./debug-info-from-env.patch
+
+    (fetchurl {
+      name = "musl.patch";
+      url = "https://inbox.sourceware.org/gdb-patches/20260324164527.1446549-2-sunilkumar.dora@windriver.com/raw";
+      hash = "sha256-FC4DDVS4wtE/HXtbUqvkxu9+e7nE3DYi1zIuQP9yQO8=";
+    })
+    (fetchpatch {
+      name = "musl-aarch64.patch";
+      url = "https://sourceware.org/git/?p=binutils-gdb.git;a=patch;h=1ccc3f6a2e28fa1f3357826374cba165b3ba3ff7";
+      hash = "sha256-Q2oTo2b+9yNN3PSsxqgxV4/9/05uFE/JMLe1CPs9Y7I=";
+    })
   ]
   ++ optionals stdenv.hostPlatform.isDarwin [
     ./darwin-target-match.patch

pkgs/by-name/gf/gflags/package.nix

@@ -2,21 +2,31 @@
   lib,
   stdenv,
   fetchFromGitHub,
+  fetchpatch,
   cmake,
   enableShared ? !stdenv.hostPlatform.isStatic,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "gflags";
-  version = "2.3.0";
+  version = "2.2.2";
 
   src = fetchFromGitHub {
     owner = "gflags";
     repo = "gflags";
-    tag = "v${finalAttrs.version}";
-    hash = "sha256-sud3c6XH24YA6vzGQ7LhSoiKycan5JYehC5l2gH6DEo=";
+    rev = "v${finalAttrs.version}";
+    sha256 = "147i3md3nxkjlrccqg4mq1kyzc7yrhvqv5902iibc7znkvzdvlp0";
   };
 
+  patches = [
+    # Fix the build with CMake 4.
+    (fetchpatch {
+      name = "gflags-fix-cmake-4.patch";
+      url = "https://github.com/gflags/gflags/commit/70c01a642f08734b7bddc9687884844ca117e080.patch";
+      hash = "sha256-TYdroBbF27Wvvm/rOahBEvhezuKCcxbtgh/ZhpA5ESo=";
+    })
+  ];
+
   nativeBuildInputs = [ cmake ];
 
   # This isn't used by the build and breaks the CMake build on case-insensitive filesystems (e.g., on Darwin)
@@ -38,7 +48,6 @@ stdenv.mkDerivation (finalAttrs: {
       It was owned by Google. google-gflags project has been renamed to gflags and maintained by new community.
     '';
     homepage = "https://gflags.github.io/gflags/";
-    changelog = "https://github.com/gflags/gflags/blob/${finalAttrs.src.tag}/ChangeLog.txt";
     license = lib.licenses.bsd3;
     maintainers = [ ];
     platforms = lib.platforms.all;

pkgs/by-name/gh/ghostscript/package.nix

@@ -67,13 +67,13 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "ghostscript${lib.optionalString x11Support "-with-X"}";
-  version = "10.07.1";
+  version = "10.07.0";
 
   src = fetchurl {
     url = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${
       lib.replaceStrings [ "." ] [ "" ] finalAttrs.version
     }/ghostscript-${finalAttrs.version}.tar.xz";
-    hash = "sha256-HNt2bejbjx5YnIF/CcWFXqX2XfyFQORlpprBTBhBYCU=";
+    hash = "sha256-3azk4XIflnpVA5uv9WSEAiXguqHU9UMiR8oczRRzt8E=";
   };
 
   patches = [
@@ -233,7 +233,6 @@ stdenv.mkDerivation (finalAttrs: {
 
   meta = {
     homepage = "https://www.ghostscript.com/";
-    changelog = "https://ghostscript.readthedocs.io/en/gs${finalAttrs.version}/News.html";
     description = "PostScript interpreter (mainline version)";
     longDescription = ''
       Ghostscript is the name of a set of tools that provides (i) an

pkgs/by-name/gi/giflib/CVE-2021-40633.patch

@@ -0,0 +1,26 @@
+From ccbc956432650734c91acb3fc88837f7b81267ff Mon Sep 17 00:00:00 2001
+From: "Eric S. Raymond" <esr@thyrsus.com>
+Date: Wed, 21 Feb 2024 18:55:00 -0500
+Subject: [PATCH] Clean up memory better at end of run (CVE-2021-40633)
+
+---
+ gif2rgb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/gif2rgb.c b/gif2rgb.c
+index d51226d..fc2e683 100644
+--- a/gif2rgb.c
++++ b/gif2rgb.c
+@@ -517,6 +517,9 @@ static void GIF2RGB(int NumFiles, char *FileName, bool OneFileFlag,
+ 	DumpScreen2RGB(OutFileName, OneFileFlag, ColorMap, ScreenBuffer,
+ 	               GifFile->SWidth, GifFile->SHeight);
+ 
++	for (i = 0; i < GifFile->SHeight; i++) {
++        	(void)free(ScreenBuffer[i]);
++	}
+ 	(void)free(ScreenBuffer);
+ 
+ 	{
+-- 
+2.44.0
+

pkgs/by-name/gi/giflib/CVE-2025-31344.patch

@@ -0,0 +1,15 @@
+diff -up giflib-5.2.2/gif2rgb.c.omv~ giflib-5.2.2/gif2rgb.c
+--- giflib-5.2.2/gif2rgb.c.omv~	2025-04-07 21:44:54.956355983 +0200
++++ giflib-5.2.2/gif2rgb.c	2025-04-07 21:45:29.630769589 +0200
+@@ -329,6 +329,11 @@ static void DumpScreen2RGB(char *FileNam
+ 			GifRow = ScreenBuffer[i];
+ 			GifQprintf("\b\b\b\b%-4d", ScreenHeight - i);
+ 			for (j = 0; j < ScreenWidth; j++) {
++				/* Check if color is within color palete */
++				if (GifRow[j] >= ColorMap->ColorCount) {
++					GIF_EXIT(GifErrorString(
++					    D_GIF_ERR_IMAGE_DEFECT));
++				}
+ 				ColorMapEntry = &ColorMap->Colors[GifRow[j]];
+ 				Buffers[0][j] = ColorMapEntry->Red;
+ 				Buffers[1][j] = ColorMapEntry->Green;

pkgs/by-name/gi/giflib/package.nix

@@ -3,30 +3,21 @@
   lib,
   fetchurl,
   fixDarwinDylibNames,
-
-  # for passthru.tests
-  SDL2_image,
-  SDL_image,
-  gdal,
-  imlib2,
-  leptonica,
-  libjxl,
-  libwebp,
-  openimageio,
-  openjdk,
   pkgsStatic,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "giflib";
-  version = "6.1.3";
+  version = "5.2.2";
 
   src = fetchurl {
     url = "mirror://sourceforge/giflib/giflib-${finalAttrs.version}.tar.gz";
-    hash = "sha256-tltmuZ8EJLk1JfmHOG8i/F77naK/ySrUpTIkmq/7qw4=";
+    hash = "sha256-vn/70FfK3r4qoURUL9kMaDjGoIO16KkEi47jtmsp1fs=";
   };
 
   patches = [
+    ./CVE-2021-40633.patch
+    ./CVE-2025-31344.patch
   ]
   ++ lib.optionals stdenv.hostPlatform.isMinGW [
     # Build dll libraries.
@@ -63,16 +54,6 @@ stdenv.mkDerivation (finalAttrs: {
 
   passthru.tests = {
     static = pkgsStatic.giflib;
-    inherit
-      SDL2_image
-      SDL_image
-      gdal
-      imlib2
-      leptonica
-      libjxl
-      openimageio
-      openjdk
-      ;
   };
 
   meta = {

pkgs/by-name/gl/glslang/external-gtest.patch

@@ -0,0 +1,69 @@
+From ab20ba112e6fa5117bfeadde199fdc6c18cbdfb5 Mon Sep 17 00:00:00 2001
+From: OPNA2608 <opna2608@protonmail.com>
+Date: Mon, 12 Jan 2026 16:41:53 +0100
+Subject: [PATCH] Look for external gtest build, if not building in-tree
+
+---
+ CMakeLists.txt        | 12 ++++++++++++
+ gtests/CMakeLists.txt |  8 +++-----
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 1e7d3ec9..ecda9c53 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -321,6 +321,18 @@ if(ENABLE_GLSLANG_BINARIES)
+     add_subdirectory(StandAlone)
+ endif()
+ 
++option(ALLOW_EXTERNAL_GTEST "Allows to build against installed googletest. This is unsupported if the commit isn't the one in known_good.json")
++set(GMOCK_TARGET gmock)
++if(NOT TARGET ${GMOCK_TARGET})
++    if(ALLOW_EXTERNAL_GTEST)
++        message(STATUS "Trying to find local googletest")
++        find_package(GTest)
++        if(TARGET GTest::gmock)
++            set(GMOCK_TARGET GTest::gmock)
++        endif()
++    endif()
++endif()
++
+ if(GLSLANG_TESTS)
+     enable_testing()
+     add_subdirectory(gtests)
+diff --git a/gtests/CMakeLists.txt b/gtests/CMakeLists.txt
+index 27a5500c..21125775 100644
+--- a/gtests/CMakeLists.txt
++++ b/gtests/CMakeLists.txt
+@@ -32,7 +32,7 @@
+ # POSSIBILITY OF SUCH DAMAGE.
+ 
+ if(GLSLANG_TESTS)
+-    if(TARGET gmock)
++    if(TARGET ${GMOCK_TARGET})
+         message(STATUS "Google Mock found - building tests")
+ 
+         set(TEST_SOURCES
+@@ -76,9 +76,7 @@ if(GLSLANG_TESTS)
+                                    PRIVATE GLSLANG_TEST_BUILD=1)
+         target_include_directories(glslangtests PRIVATE
+                                    ${CMAKE_CURRENT_SOURCE_DIR}
+-                                   ${PROJECT_SOURCE_DIR}
+-                                   ${gmock_SOURCE_DIR}/include
+-                                   ${gtest_SOURCE_DIR}/include)
++                                   ${PROJECT_SOURCE_DIR})
+ 
+         if(ENABLE_OPT)
+             target_link_libraries(glslangtests
+@@ -90,7 +88,7 @@ if(GLSLANG_TESTS)
+             glslang glslang-default-resource-limits
+             $<$<AND:$<CXX_COMPILER_ID:GNU>,$<VERSION_LESS:$<CXX_COMPILER_VERSION>,9.0>>:stdc++fs>)
+ 
+-        target_link_libraries(glslangtests PRIVATE ${LIBRARIES} gmock)
++        target_link_libraries(glslangtests PRIVATE ${LIBRARIES} ${GMOCK_TARGET})
+ 
+         # The TARGET_RUNTIME_DLL_DIRS feature requires CMake 3.27 or greater.
+         if(WIN32 AND BUILD_SHARED_LIBS AND CMAKE_VERSION VERSION_LESS "3.27")
+-- 
+2.51.2
+

pkgs/by-name/gl/glslang/package.nix

@@ -12,15 +12,21 @@
 }:
 stdenv.mkDerivation (finalAttrs: {
   pname = "glslang";
-  version = "16.3.0";
+  version = "16.2.0";
 
   src = fetchFromGitHub {
     owner = "KhronosGroup";
     repo = "glslang";
     tag = finalAttrs.version;
-    hash = "sha256-wclcJ0NfqFXSUHGVsxjn2I8XxWbrkzOB4WXqsN1XtmE=";
+    hash = "sha256-2uWnZZNGdZorHaiLzMb/rpM6bL9oBClKqiFkUH3krJQ=";
   };
 
+  patches = [
+    # Allow building against our already-built gtest, without eating a rebuild
+    # https://github.com/KhronosGroup/glslang/pull/4140
+    ./external-gtest.patch
+  ];
+
   outputs = [
     "bin"
     "out"

pkgs/by-name/gn/gn/package.nix

@@ -11,11 +11,11 @@
   version ?
     # This is a workaround for update-source-version to be able to update this
     let
-      _version = "0-unstable-2026-04-01";
+      _version = "0-unstable-2026-03-05";
     in
     _version,
-  rev ? "6e8dcdebbadf4f8aa75e6a4b6e0bdf89dce1513a",
-  hash ? "sha256-BTPD8WM1pVAMkFDlHekMdWFGyf63KdhKkKwsqikqoBQ=",
+  rev ? "d8c2f07d653520568da7cace755a87dad241b72d",
+  hash ? "sha256-3AfExm7NL5GJXyC5JCPbGC70D59doRfIZIgpt6MLy9Y=",
 }:
 
 stdenv.mkDerivation {

pkgs/by-name/gn/gnutls/package.nix

@@ -1,6 +1,7 @@
 {
   lib,
   stdenv,
+  buildPackages,
   fetchurl,
   zlib,
   libtasn1,
@@ -8,6 +9,7 @@
   pkg-config,
   perl,
   gmp,
+  automake,
   libidn2,
   libiconv,
   texinfo,
@@ -165,6 +167,10 @@ stdenv.mkDerivation rec {
     pkg-config
     texinfo
   ]
+  ++ [
+    buildPackages.autoconf269
+    automake
+  ]
   ++ lib.optionals doCheck [
     which
     net-tools

pkgs/by-name/gp/gperftools/package.nix

@@ -9,13 +9,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "gperftools";
-  version = "2.18.1";
+  version = "2.17.2";
 
   src = fetchFromGitHub {
     owner = "gperftools";
     repo = "gperftools";
     tag = "gperftools-${finalAttrs.version}";
-    hash = "sha256-LvLsq0UuMu51vcgxDrBkdnoUJ3qFH+tbXbTjreBxBqs=";
+    hash = "sha256-WCEuiSjNIX/KhEBWndyVhrKlWs7H60mcHoPlWd7YWC4=";
   };
 
   patches = [

pkgs/by-name/gp/gpgme/package.nix

@@ -22,7 +22,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "gpgme";
-  version = "2.1.0";
+  version = "2.0.1";
 
   outputs = [
     "out"
@@ -34,7 +34,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   src = fetchurl {
     url = "mirror://gnupg/gpgme/gpgme-${finalAttrs.version}.tar.bz2";
-    hash = "sha256-hBxepT/CYln0+/DovemC3qG4ocoMt35oHIKwUFZr+Ss=";
+    hash = "sha256-ghqwaVyELqtRdSqBmAySsEEMfq3QQQP3kdXSpSZ4SWY=";
   };
 
   postPatch = ''
@@ -110,7 +110,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   meta = {
     homepage = "https://gnupg.org/software/gpgme/index.html";
-    changelog = "https://dev.gnupg.org/source/gpgme/browse/master/NEWS;gpgme-${finalAttrs.version}?as=remarkup";
+    changelog = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpgme.git;f=NEWS;hb=gpgme-${finalAttrs.version}";
     description = "Library for making GnuPG easier to use";
     longDescription = ''
       GnuPG Made Easy (GPGME) is a library designed to make access to GnuPG

pkgs/by-name/gp/gpgmepp/package.nix

@@ -10,11 +10,11 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "gpgmepp";
-  version = "2.1.0";
+  version = "2.0.0";
 
   src = fetchurl {
     url = "mirror://gnupg/gpgmepp/gpgmepp-${finalAttrs.version}.tar.xz";
-    hash = "sha256-V/gERo8CBFBLFyxrE5ywUSS0JjvnrVFJMsfExQYqFuI=";
+    hash = "sha256-1HlgScBnCKJvMJb3SO8JU0fho8HlcFYXAf6VLD9WU4I=";
   };
 
   postPatch = ''

pkgs/by-name/gr/graphviz/package.nix

@@ -39,13 +39,13 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "graphviz";
-  version = "14.1.2";
+  version = "12.2.1";
 
   src = fetchFromGitLab {
     owner = "graphviz";
     repo = "graphviz";
-    tag = finalAttrs.version;
-    hash = "sha256-LkyiKl0ulS9ujEdVLfyeoc4CtjITd6CAc35IUtlHSfw=";
+    rev = finalAttrs.version;
+    hash = "sha256-Uxqg/7+LpSGX4lGH12uRBxukVw0IswFPfpb2EkLsaiI=";
   };
 
   nativeBuildInputs = [
@@ -136,7 +136,6 @@ stdenv.mkDerivation (finalAttrs: {
 
   meta = {
     homepage = "https://graphviz.org";
-    changelog = "https://gitlab.com/graphviz/graphviz/-/blob/${finalAttrs.src.tag}/CHANGELOG.md";
     description = "Graph visualization tools";
     license = lib.licenses.epl10;
     platforms = lib.platforms.unix;

pkgs/by-name/gr/groff/package.nix

@@ -48,7 +48,8 @@ stdenv.mkDerivation (finalAttrs: {
     hash = "sha256-dOKBl5W2r/QxrqyYPWOpyJaO6roqLrp9+LpMe0Hnz9g=";
   };
 
-  patches = [
+  patches = lib.optionals stdenv.isLinux [
+    # TODO: apply everywhere on rebuild
     # This revert a upstream refactor in continuous rendering mode, but this
     # causes a big performance regression for big manpages like
     # `man 5 configuration.nix`.

pkgs/by-name/gt/gtk-doc/package.nix

@@ -16,7 +16,7 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "gtk-doc";
-  version = "1.36.1";
+  version = "1.35.1";
 
   outputDevdoc = "out";
 
@@ -26,10 +26,14 @@ python3.pkgs.buildPythonApplication rec {
     domain = "gitlab.gnome.org";
     owner = "GNOME";
     repo = "gtk-doc";
-    tag = version;
-    hash = "sha256-8hB43BCAtT1B7/ak2i0FAlYD3Kb4rNCWfsJ+wqGu3FA=";
+    rev = version;
+    hash = "sha256-EqU7lnBnOn3gR3hT95yjdTUb3cqX2XJK5UAKsFw2Q10=";
   };
 
+  patches = [
+    passthru.respect_xml_catalog_files_var_patch
+  ];
+
   postPatch = ''
     substituteInPlace meson.build \
       --replace "pkg-config" "$PKG_CONFIG"
@@ -79,6 +83,8 @@ python3.pkgs.buildPythonApplication rec {
   '';
 
   passthru = {
+    # Consumers are expected to copy the m4 files to their source tree, let them reuse the patch
+    respect_xml_catalog_files_var_patch = ./respect-xml-catalog-files-var.patch;
     updateScript = gnome.updateScript {
       packageName = "gtk-doc";
       versionPolicy = "none";
@@ -86,7 +92,6 @@ python3.pkgs.buildPythonApplication rec {
   };
 
   meta = {
-    changelog = "https://gitlab.gnome.org/GNOME/gtk-doc/-/blob/${src.tag}/NEWS";
     description = "Tools to extract documentation embedded in GTK and GNOME source code";
     homepage = "https://gitlab.gnome.org/GNOME/gtk-doc";
     license = lib.licenses.gpl2Plus;

pkgs/by-name/gt/gtk-doc/respect-xml-catalog-files-var.patch

@@ -0,0 +1,13 @@
+--- a/m4/gtkdoc_jh_check_xml_catalog.m4
++++ b/m4/gtkdoc_jh_check_xml_catalog.m4
+@@ -5,8 +5,8 @@
+ [
+ 	AC_REQUIRE([JH_PATH_XML_CATALOG],[JH_PATH_XML_CATALOG(,[:])])dnl
+ 	AC_MSG_CHECKING([for ifelse([$2],,[$1],[$2]) in XML catalog])
+-	if $jh_found_xmlcatalog && \
+-		AC_RUN_LOG([$XMLCATALOG --noout "$XML_CATALOG_FILE" "$1" >&2]); then
++	# empty argument forces libxml to use XML_CATALOG_FILES variable
++	if AC_RUN_LOG([$XMLCATALOG --noout "" "$1" >&2]); then
+ 		AC_MSG_RESULT([found])
+ 		ifelse([$3],,,[$3])
+ 	else

pkgs/by-name/gt/gtk4/package.nix

@@ -95,13 +95,11 @@ stdenv.mkDerivation (finalAttrs: {
     hash = "sha256-Ub2fYMfSOmZaVWxzZMIfsuTiglZrPn4JJFXo+RAzCJM=";
   };
 
-  patches = [
-    (fetchpatch {
-      name = "fix-32bit-VkImage-null.patch";
-      url = "https://gitlab.gnome.org/GNOME/gtk/-/commit/10d43de8f4f942cb591ada3103474bd7213425f1.patch";
-      hash = "sha256-DJIL6M3XcsjBoMO77OxNi84d1DxAphAfot3N7Nq1QqQ=";
-    })
-  ];
+  patches = lib.optional stdenv.hostPlatform.is32bit (fetchpatch {
+    name = "fix-32bit-VkImage-null.patch";
+    url = "https://gitlab.gnome.org/GNOME/gtk/-/commit/10d43de8f4f942cb591ada3103474bd7213425f1.patch";
+    hash = "sha256-DJIL6M3XcsjBoMO77OxNi84d1DxAphAfot3N7Nq1QqQ=";
+  });
 
   depsBuildBuild = [
     pkg-config

pkgs/by-name/ha/handbrake/package.nix

@@ -10,10 +10,7 @@
 {
   stdenv,
   lib,
-  applyPatches,
   fetchFromGitHub,
-  fetchFromGitLab,
-  fetchpatch2,
   # For tests
   testers,
   runCommand,
@@ -29,7 +26,7 @@
   numactl,
   writeText,
   # Processing, video codecs, containers
-  ffmpeg_8-full,
+  ffmpeg_7-full,
   nv-codec-headers,
   libogg,
   x264,
@@ -88,35 +85,14 @@
 }:
 
 let
-  version = "1.11.1";
+  version = "1.10.2";
 
-  src = applyPatches {
-    src = fetchFromGitHub {
-      owner = "HandBrake";
-      repo = "HandBrake";
-      # uses version commit for logic in version.txt
-      rev = "4ce99a885cde39b3511016efdb5124726819defb";
-      hash = "sha256-oWXNiRK0wbmINnjM3GrOIawcSULTuy3yANfgW8li9F0=";
-    };
-
-    patches = [
-      # Only needed so the subsequent patch applies
-      (fetchpatch2 {
-        url = "https://github.com/HandBrake/HandBrake/commit/c8e16778a330881af36fa32004f887bd73874d15.patch";
-        hash = "sha256-i3/X9opDzsZIO7bjLHHZltuQH93uENRF0t7FP7DDdBM=";
-      })
-      # Update x265 submodule to v4.2, drop in next release
-      (fetchpatch2 {
-        url = "https://github.com/HandBrake/HandBrake/commit/432514bf839e7280511e4a7afc35fb4868ef4d0b.patch";
-        excludes = [
-          "contrib/x265/module.defs"
-          "contrib/x265_8bit/module.defs"
-          "contrib/x265_10bit/module.defs"
-          "contrib/x265_12bit/module.defs"
-        ];
-        hash = "sha256-xwIY1pO9mKbrQFjQCENuvntIoiZTHeUVg8axrl3zxxo=";
-      })
-    ];
+  src = fetchFromGitHub {
+    owner = "HandBrake";
+    repo = "HandBrake";
+    # uses version commit for logic in version.txt
+    rev = "dddf75f756e56d2b8dbb0609175bc12047a4841d";
+    hash = "sha256-CIMpJDJ0IIz95f3/zxeQqpCFpHWEmdgA+VaaUDY516A=";
   };
 
   # Handbrake maintains a set of ffmpeg patches. In particular, these
@@ -124,67 +100,70 @@ let
   # https://github.com/HandBrake/HandBrake/issues/4029
   # base ffmpeg version is specified in:
   # https://github.com/HandBrake/HandBrake/blob/master/contrib/ffmpeg/module.defs
-  ffmpeg-hb = ffmpeg_8-full.overrideAttrs (old: {
-    patches = (old.patches or [ ]) ++ [
-      "${src}/contrib/ffmpeg/A01-mov-read-name-track-tag-written-by-movenc.patch"
-      "${src}/contrib/ffmpeg/A02-movenc-write-3gpp-track-titl-tag.patch"
-      "${src}/contrib/ffmpeg/A03-mov-read-3gpp-udta-tags.patch"
-      "${src}/contrib/ffmpeg/A04-movenc-write-3gpp-track-names-tags-for-all-available.patch"
-      "${src}/contrib/ffmpeg/A05-avformat-mov-add-support-audio-fallback-track-ref.patch"
-      "${src}/contrib/ffmpeg/A06-avformat-mov-read-and-write-additional-iTunes-style-.patch"
-      "${src}/contrib/ffmpeg/A07-avformat-movenc-write-iTunEXTC-and-iTunMOVI-metadata.patch"
-      "${src}/contrib/ffmpeg/A08-dvdsubdec-fix-processing-of-partial-packets.patch"
-      "${src}/contrib/ffmpeg/A09-dvdsubdec-return-number-of-bytes-used.patch"
-      "${src}/contrib/ffmpeg/A10-dvdsubdec-use-pts-of-initial-packet.patch"
-      "${src}/contrib/ffmpeg/A11-dvdsubdec-add-an-option-to-output-subtitles-with-emp.patch"
-      "${src}/contrib/ffmpeg/A12-ccaption_dec-fix-pts-in-real_time-mode.patch"
-      "${src}/contrib/ffmpeg/A13-avformat-matroskaenc-return-error-if-aac-extradata-c.patch"
-      "${src}/contrib/ffmpeg/A14-Expose-the-unmodified-Dolby-Vision-RPU-T35-buffers.patch"
-      "${src}/contrib/ffmpeg/A15-lavc-pgssubdec-Add-graphic-plane-and-cropping.patch"
-      "${src}/contrib/ffmpeg/A16-libavcodec-qsvenc.c-update-has_b_frames-value-after-.patch"
-      "${src}/contrib/ffmpeg/A17-qsv-enable-av1-scc.patch"
-      "${src}/contrib/ffmpeg/A18-fixed-BT2020-BT709-conversion-via-VPP.patch"
-      "${src}/contrib/ffmpeg/A19-videotoolbox-disable-H.264-10-bit-on-Intel-macOS-it-.patch"
-      "${src}/contrib/ffmpeg/A20-videotoolbox-speedup-decoding.patch"
-      "${src}/contrib/ffmpeg/A21-Revert-avcodec-amfenc-GPU-driver-version-check.patch"
-      "${src}/contrib/ffmpeg/A22-fix-d3d11-static-pool-size-error.patch"
-      "${src}/contrib/ffmpeg/A23-movenc-set-the-chapters-track-language-to-the-same-a.patch"
-      "${src}/contrib/ffmpeg/A24-movenc-use-version-2-audio-descriptor-for-2-channels.patch"
-    ];
-  });
+  ffmpeg-version = "7.1.1";
+  ffmpeg-hb =
+    (ffmpeg_7-full.override {
+      version = ffmpeg-version;
+      hash = "sha256-GyS8imOqfOUPxXrzCiQtzCQIIH6bvWmQAB0fKUcRsW4=";
+    }).overrideAttrs
+      (old: {
+        patches = (old.patches or [ ]) ++ [
+          "${src}/contrib/ffmpeg/A01-mov-read-name-track-tag-written-by-movenc.patch"
+          "${src}/contrib/ffmpeg/A02-movenc-write-3gpp-track-titl-tag.patch"
+          "${src}/contrib/ffmpeg/A03-mov-read-3gpp-udta-tags.patch"
+          "${src}/contrib/ffmpeg/A04-movenc-write-3gpp-track-names-tags-for-all-available.patch"
+          "${src}/contrib/ffmpeg/A05-avformat-mov-add-support-audio-fallback-track-ref.patch"
+          "${src}/contrib/ffmpeg/A06-dvdsubdec-fix-processing-of-partial-packets.patch"
+          "${src}/contrib/ffmpeg/A07-dvdsubdec-return-number-of-bytes-used.patch"
+          "${src}/contrib/ffmpeg/A08-dvdsubdec-use-pts-of-initial-packet.patch"
+          "${src}/contrib/ffmpeg/A09-dvdsubdec-add-an-option-to-output-subtitles-with-emp.patch"
+          "${src}/contrib/ffmpeg/A10-ccaption_dec-fix-pts-in-real_time-mode.patch"
+          "${src}/contrib/ffmpeg/A11-avformat-matroskaenc-return-error-if-aac-extradata-c.patch"
+          "${src}/contrib/ffmpeg/A12-videotoolbox-disable-H.264-10-bit-on-Intel-macOS-it-.patch"
+
+          # patch to fix <https://github.com/HandBrake/HandBrake/issues/5011>
+          # commented out because it causes ffmpeg's filter-pixdesc-p010le test to fail.
+          # "${src}/contrib/ffmpeg/A13-libswscale-fix-yuv420p-to-p01xle-color-conversion-bu.patch"
+
+          "${src}/contrib/ffmpeg/A14-hevc_mp4toannexb.c-fix-qsv-decode-of-10bit-hdr.patch"
+          "${src}/contrib/ffmpeg/A15-Expose-the-unmodified-Dolby-Vision-RPU-T35-buffers.patch"
+          "${src}/contrib/ffmpeg/A16-avcodec-amfenc-Add-support-for-on-demand-key-frames.patch"
+          "${src}/contrib/ffmpeg/A17-avcodec-amfenc-properly-set-primaries-transfer-and-m.patch"
+          "${src}/contrib/ffmpeg/A18-libavcodec-qsvenc-update-has_b_frames-value.patch"
+          "${src}/contrib/ffmpeg/A19-libavcodec-qsv-enable-av1-scc.patch"
+          "${src}/contrib/ffmpeg/A20-Revert-avcodec-amfenc-GPU-driver-version-check.patch"
+          "${src}/contrib/ffmpeg/A21-lavc-pgssubdec-Add-graphic-plane-and-cropping.patch"
+          "${src}/contrib/ffmpeg/A22-avformat-mov-read-and-write-additional-iTunes-style-.patch"
+          "${src}/contrib/ffmpeg/A23-avformat-movenc-write-iTunEXTC-and-iTunMOVI-metadata.patch"
+          "${src}/contrib/ffmpeg/A24-AV1-videotoolbox.patch"
+          "${src}/contrib/ffmpeg/A25-videotoolbox-speedup-decoding.patch"
+          "${src}/contrib/ffmpeg/A28-enable-av1_mf-encoder.patch"
+          "${src}/contrib/ffmpeg/A30-qsv-fixed-BT2020-BT709-conversion.patch"
+          "${src}/contrib/ffmpeg/A31-Parse-EAC3-Atmos-ComplexityIndex-for-MP4-remuxing.patch"
+        ];
+      });
 
   x265-hb = x265.overrideAttrs (old: {
-    version = "4.2";
-    sourceRoot = "x265_4.2/source";
+    version = "4.1";
+    sourceRoot = "x265_4.1/source";
     src = fetchurl {
-      url = "https://bitbucket.org/multicoreware/x265_git/downloads/x265_4.2.tar.gz";
-      hash = "sha256-QLHqBFPgMJ8OupNODd9TP49ilZZmeeiJTo8cHI1eEhA=";
+      url = "https://bitbucket.org/multicoreware/x265_git/downloads/x265_4.1.tar.gz";
+      hash = "sha256-oxaZxqiYBrdLAVHl5qffZd5LSQUEgv5ev4pDedevjyk=";
     };
     # nixpkgs' x265 sourceRoot is x265-.../source whereas handbrake's x265 patches
     # are written with respect to the parent directory instead of that source directory.
     # patches which don't cleanly apply are commented out.
     postPatch = (old.postPatch or "") + ''
       pushd ..
-        for p in ${src}/contrib/x265/*.patch; do
-          patch -p1 < "$p"
-        done
-      popd
-    '';
-  });
-
-  svt-av1-hb = svt-av1.overrideAttrs (old: rec {
-    version = "4.0.1";
-    src = fetchFromGitLab {
-      owner = "AOMediaCodec";
-      repo = "SVT-AV1";
-      rev = "v${version}";
-      hash = "sha256-7krVkLZxgolqPTkuyKAx07BekAPacftcGZ44lQTQFZQ=";
-    };
-    postPatch = (old.postPatch or "") + ''
-      pushd ..
-        for p in ${src}/contrib/svt-av1/*.patch; do
-          patch -p1 < "$p"
-        done
+      patch -p1 < ${src}/contrib/x265/A01-Do-not-set-thread-priority-on-Windows.patch
+      patch -p1 < ${src}/contrib/x265/A02-Apple-Silicon-tuning.patch
+      patch -p1 < ${src}/contrib/x265/A03-Implement-ambient-viewing-environment-sei.patch
+      patch -p1 < ${src}/contrib/x265/A04-add-new-matrix-coefficients-from-H.273-v3.patch
+      patch -p1 < ${src}/contrib/x265/A05-Fix-Dolby-Vision-RPU-memory-management.patch
+      # patch -p1 < ${src}/contrib/x265/A06-Update-version-strings.patch
+      patch -p1 < ${src}/contrib/x265/A07-Fix-macOS-cross-compilation.patch
+      # patch -p1 < ${src}/contrib/x265/A08-Fix-inconsistent-bitrate-in-second-pass.patch
+      patch -p1 < ${src}/contrib/x265/A09-Ensuring-the-mvdLX-is-compliant.patch
       popd
     '';
   });
@@ -289,7 +268,7 @@ let
       libvpx
       libxml2
       speex
-      svt-av1-hb
+      svt-av1
       x264
       x265-hb
       xz

pkgs/by-name/ho/hotdoc/clang.patch

@@ -1,78 +0,0 @@
-diff --git a/hotdoc/extensions/c/c_extension.py b/hotdoc/extensions/c/c_extension.py
-index 1cfd5b3..1e1926f 100644
---- a/hotdoc/extensions/c/c_extension.py
-+++ b/hotdoc/extensions/c/c_extension.py
-@@ -44,14 +44,6 @@ from hotdoc.utils.loggable import (info as core_info, warn, Logger,
-                                    debug as core_debug)
- 
- 
--LLVM_CONFIG = os.environ.get("LLVM_CONFIG")
--if LLVM_CONFIG is None:
--    LLVM_CONFIG = shutil.which('llvm-config')
--
--if LLVM_CONFIG is None:
--    raise ImportError()
--
--
- def ast_node_is_function_pointer(ast_node):
-     if ast_node.kind == cindex.TypeKind.POINTER and \
-             ast_node.get_pointee().get_result().kind != \
-@@ -80,42 +72,26 @@ Logger.register_warning_code('clang-headers-not-found', HotdocException,
-                              'c-extension')
- 
- 
--CLANG_HEADERS_WARNING = (
--    'Did not find clang headers. Please report a bug with the output of the'
--    '\'llvm-config --version\' and \'llvm-config --prefix\' commands')
--
--
- def get_clang_headers():
-     try:
-         # Clang 5.0+ can tell us directly
-         resource_dir = subprocess.check_output(
--            ['clang', '--print-resource-dir']).strip().decode()
-+            ['@clang@', '--print-resource-dir']).strip().decode()
-         if len(resource_dir) > 0:
-             include_dir = os.path.join(resource_dir, 'include')
-             if os.path.exists(include_dir):
-                 return include_dir
-     except subprocess.CalledProcessError:
-         pass
--    version = subprocess.check_output(
--        [LLVM_CONFIG, '--version']).strip().decode()
--    prefix = subprocess.check_output(
--        [LLVM_CONFIG, '--prefix']).strip().decode()
--    versions = (version, version.split('.').pop(0))
--    for (ver, lib) in itertools.product(
--            versions,
--            ['lib', 'lib64']):
--        p = os.path.join(prefix, lib, 'clang', ver, 'include')
--        if os.path.exists(p):
--            return p
- 
--    warn('clang-headers-not-found', CLANG_HEADERS_WARNING)
-+    warn('clang-headers-not-found', 'Did not find clang headers. Make sure you\'re using Clang 5.0+')
- 
- 
- CLANG_HEADERS = get_clang_headers()
- 
- 
- def get_clang_libdir():
--    return subprocess.check_output([LLVM_CONFIG, '--libdir']).strip().decode()
-+    return '@libclang_lib_dir@'
- 
- 
- class ClangScanner(object):
-diff --git a/hotdoc/extensions/c/clang/cindex.py b/hotdoc/extensions/c/clang/cindex.py
-index fc93fda..0a16651 100644
---- a/hotdoc/extensions/c/clang/cindex.py
-+++ b/hotdoc/extensions/c/clang/cindex.py
-@@ -3949,6 +3949,8 @@ class Config:
- 
-         if Config.library_path:
-             file = Config.library_path + '/' + file
-+        else:
-+            file = "@libclang_lib_dir@" + '/' + file
- 
-         return file
- 

pkgs/by-name/hu/hunspell/package.nix

@@ -14,7 +14,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "hunspell";
-  version = "1.7.3";
+  version = "1.7.2";
 
   outputs = [
     "bin"
@@ -27,7 +27,7 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "hunspell";
     repo = "hunspell";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-NoLlH+4Hb6w+HYl2fSBzroav1Pb3GojFSTJGBxlteBM=";
+    sha256 = "sha256-x2FXxnVIqsf5/UEQcvchAndXBv/3mW8Z55djQAFgNA8=";
   };
 
   patches = [ ./0001-Make-hunspell-look-in-XDG_DATA_DIRS-for-dictionaries.patch ];

pkgs/by-name/hw/hwdata/package.nix

@@ -6,13 +6,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "hwdata";
-  version = "0.408";
+  version = "0.406";
 
   src = fetchFromGitHub {
     owner = "vcrhonek";
     repo = "hwdata";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-fgKOvVGAdB3uBFuKfGPFfF9wQEdLtnlMdQrLNIr3teo=";
+    hash = "sha256-6GXXkDzunbtea+MmmWV2gpHgCgdGi75U+TV9H/6Emtk=";
   };
 
   doCheck = false; # this does build machine-specific checks (e.g. enumerates PCI bus)

pkgs/by-name/im/imagemagick/package.nix

@@ -88,13 +88,13 @@ in
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "imagemagick";
-  version = "7.1.2-24";
+  version = "7.1.2-23";
 
   src = fetchFromGitHub {
     owner = "ImageMagick";
     repo = "ImageMagick";
     tag = finalAttrs.version;
-    hash = "sha256-oSH0dsQ3cuFNYJIIr6LHbv82FbFxxcmkjQ5csTNsYCA=";
+    hash = "sha256-zYk75q+EyWq5g/AHFU6v8a7gye0aDAEe/ZZvjqR9ZTc=";
   };
 
   outputs = [

pkgs/by-name/kr/krb5/CVE-2026-40355-and-CVE-2026-40356.patch

@@ -1,61 +0,0 @@
-From acea6182e46fff3d1d64a3172cdff307b07ca441 Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Wed, 8 Apr 2026 17:57:59 -0400
-Subject: [PATCH] Fix two NegoEx parsing vulnerabilities
-
-In parse_nego_message(), check the result of the second call to
-vector_base() before dereferencing it.  In parse_message(), check for
-a short header_len to prevent an integer underflow when calculating
-the remaining message length.
-
-Reported by Cem Onat Karagun.
-
-CVE-2026-40355:
-
-In MIT krb5 release 1.18 and later, if an application calls
-gss_accept_sec_context() on a system with a NegoEx mechanism
-registered in /etc/gss/mech, an unauthenticated remote attacker can
-trigger a null pointer dereference, causing the process to terminate.
-
-CVE-2026-40356:
-
-In MIT krb5 release 1.18 and later, if an application calls
-gss_accept_sec_context() on a system with a NegoEx mechanism
-registered in /etc/gss/mech, an unauthenticated remote attacker can
-trigger a read overrun of up to 52 bytes, possibly causing the process
-to terminate.  Exfiltration of the bytes read does not appear
-possible.
-
-(cherry picked from commit 2e75f0d9362fb979f5fc92829431a590a130929f)
-
-ticket: 9205
-version_fixed: 1.22.3
----
- lib/gssapi/spnego/negoex_util.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/lib/gssapi/spnego/negoex_util.c b/src/lib/gssapi/spnego/negoex_util.c
-index edc5462e844..a65238e5730 100644
---- a/lib/gssapi/spnego/negoex_util.c
-+++ b/lib/gssapi/spnego/negoex_util.c
-@@ -253,6 +253,10 @@ parse_nego_message(OM_uint32 *minor, struct k5input *in,
-     offset = k5_input_get_uint32_le(in);
-     count = k5_input_get_uint16_le(in);
-     p = vector_base(offset, count, EXTENSION_LENGTH, msg_base, msg_len);
-+    if (p == NULL) {
-+        *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
-+        return GSS_S_DEFECTIVE_TOKEN;
-+    }
-     for (i = 0; i < count; i++) {
-         extension_type = load_32_le(p + i * EXTENSION_LENGTH);
-         if (extension_type & EXTENSION_FLAG_CRITICAL) {
-@@ -391,7 +395,8 @@ parse_message(OM_uint32 *minor, spnego_gss_ctx_id_t ctx, struct k5input *in,
-     msg_len = k5_input_get_uint32_le(in);
-     conv_id = k5_input_get_bytes(in, GUID_LENGTH);
- 
--    if (in->status || msg_len > token_remaining || header_len > msg_len) {
-+    if (in->status || msg_len > token_remaining ||
-+        header_len < (size_t)(in->ptr - msg_base) || header_len > msg_len) {
-         *minor = ERR_NEGOEX_INVALID_MESSAGE_SIZE;
-         return GSS_S_DEFECTIVE_TOKEN;
-     }

pkgs/by-name/kr/krb5/package.nix

@@ -34,20 +34,16 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "krb5";
-  version = "1.22.2";
+  version = "1.22.1";
 
   __structuredAttrs = true;
 
   src = fetchurl {
     url = "https://kerberos.org/dist/krb5/${lib.versions.majorMinor finalAttrs.version}/krb5-${finalAttrs.version}.tar.gz";
-    hash = "sha256-MkP/vI6k1Kwi3cfdKh3FTFeHTEBki2D/lwCXY1VOrxM=";
+    hash = "sha256-GogyuMrZI+u/E5T2fi789B46SfRgKFpm41reyPoAU68=";
   };
 
-  patches = [
-    # https://github.com/krb5/krb5/pull/1506
-    ./CVE-2026-40355-and-CVE-2026-40356.patch
-  ]
-  ++ lib.optionals stdenv.hostPlatform.isFreeBSD [
+  patches = lib.optionals stdenv.hostPlatform.isFreeBSD [
     (fetchpatch {
       name = "fix-missing-ENODATA.patch";
       url = "https://cgit.freebsd.org/ports/plain/security/krb5-122/files/patch-lib_krad_packet.c?id=0501f716c4aff7880fde56e42d641ef504593b7d";
@@ -174,7 +170,6 @@ stdenv.mkDerivation (finalAttrs: {
   ];
 
   meta = {
-    changelog = "https://web.mit.edu/Kerberos/krb5-${lib.versions.majorMinor finalAttrs.version}/";
     description = "MIT Kerberos 5";
     homepage = "http://web.mit.edu/kerberos/";
     license = lib.licenses.mit;

pkgs/by-name/lc/lcms2/package.nix

@@ -9,11 +9,11 @@
 
 stdenv.mkDerivation rec {
   pname = "lcms2";
-  version = "2.19.1";
+  version = "2.18";
 
   src = fetchurl {
     url = "mirror://sourceforge/lcms/lcms2-${version}.tar.gz";
-    hash = "sha256-v8VPe6tZ+8khASAUqAMuTLpKvUbbR9RrdkFqjAsoFcg=";
+    hash = "sha256-7me+NWb0WTYsHuCU/eLBWdM/oDkKpO1fWvZ2+eUAQ0c=";
   };
 
   outputs = [

pkgs/by-name/ld/ld64/package.nix

@@ -47,7 +47,7 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
   pname = "ld64";
-  version = "957.1";
+  version = "956.6";
 
   outputs = [
     "out"
@@ -59,7 +59,7 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "apple-oss-distributions";
     repo = "ld64";
     tag = "ld64-${finalAttrs.version}";
-    hash = "sha256-KUkEKz2jQq815ls25u0JMYmad4cN9PS/nC3E5eV19co=";
+    hash = "sha256-2VlBjlCZ+ZPKGZ0f5UuG3jJTLZIBXf8IZOiD6snheh4=";
   };
 
   patches = [

pkgs/by-name/ld/ldacbt/0001-abr-drop-support-for-dynamic-loading-libldac.patch

@@ -1,164 +0,0 @@
-From 040210591a5e90fc3e0ca0ec438426273e86c497 Mon Sep 17 00:00:00 2001
-From: "yshuiv7@gmail.com" <Yuxuan Shui>
-Date: Mon, 27 Apr 2026 15:30:10 +0100
-Subject: [PATCH] abr: drop support for dynamic loading libldac
-
----
- abr/inc/ldacBT_abr.h |  2 +-
- abr/src/ldacBT_abr.c | 76 +-------------------------------------------
- 2 files changed, 2 insertions(+), 76 deletions(-)
-
-diff --git a/abr/inc/ldacBT_abr.h b/abr/inc/ldacBT_abr.h
-index 294e230..735ea67 100644
---- a/abr/inc/ldacBT_abr.h
-+++ b/abr/inc/ldacBT_abr.h
-@@ -89,7 +89,7 @@ typedef struct _ldacbt_abr_param * HANDLE_LDAC_ABR;
-  *  Return value
-  *      HANDLE_LDAC_ABR for success, NULL for failure.
-  */
--LDAC_ABR_API HANDLE_LDAC_ABR ldac_ABR_get_handle(const char *libpath);
-+LDAC_ABR_API HANDLE_LDAC_ABR ldac_ABR_get_handle(void);
- 
- /* Release of LDAC ABR handle.
-  *  Format
-diff --git a/abr/src/ldacBT_abr.c b/abr/src/ldacBT_abr.c
-index 0af6278..fad2dd0 100644
---- a/abr/src/ldacBT_abr.c
-+++ b/abr/src/ldacBT_abr.c
-@@ -8,10 +8,6 @@
- 
- #include <stdlib.h>
- #include <string.h>
--#ifdef LDAC_ABR_DYNAMIC_LINK_LDAC_API
--#include <dlfcn.h>
--#include <errno.h>
--#endif
- 
- #define LDAC_ABR_OBSERVING_TIME_MS 500   /* [ms] the time length for storing Tx Queue Depth */
- #define LDAC_ABR_PENALTY_MAX 4
-@@ -56,18 +52,11 @@ typedef int (*tLDACBT_GET_ERR)(HANDLE_LDAC_BT hLdacBt);
- 
- typedef struct _ldacbt_api_param
- {
--#ifdef LDAC_ABR_DYNAMIC_LINK_LDAC_API
--    const char *lib_name;
--    void *lib_handle;
--#endif
-     tLDACBT_ALTER_EQMID_PRIORITY alter_eqmid_priority;
-     tLDACBT_GET_EQMID            get_eqmid;
-     tLDACBT_GET_ERR              get_error_code;
- } LDACBT_API_PARAMS, * HANDLE_LDACBT_API;
- 
--#ifdef LDAC_ABR_DYNAMIC_LINK_LDAC_API
--static int open_lib(HANDLE_LDACBT_API hLdacBtApi, const char *lib_name );
--#endif
- 
- static int load_ldacbt_api_functions(HANDLE_LDACBT_API hLdacBtApi);
- 
-@@ -122,7 +111,7 @@ static const int sizeOfEqmidToBitrateSortedIdTable = (int)(sizeof(aEqmidToAbrQua
-                                                      / sizeof(aEqmidToAbrQualityModeID[0]));
- 
- /* Get LDAC ABR handle */
--HANDLE_LDAC_ABR ldac_ABR_get_handle(const char *libpath)
-+HANDLE_LDAC_ABR ldac_ABR_get_handle(void)
- {
-     HANDLE_LDAC_ABR hLdacAbr;
-     ABRDBG( "" );
-@@ -131,15 +120,6 @@ HANDLE_LDAC_ABR ldac_ABR_get_handle(const char *libpath)
-         return NULL;
-     }
-     clear_data( hLdacAbr, sizeof(LDAC_ABR_PARAMS) );
--#ifdef LDAC_ABR_DYNAMIC_LINK_LDAC_API
--    if (libpath != NULL) {
--        if (open_lib( &hLdacAbr->ldacBtApi, libpath ) < 0) {
--            ABRDBG( "[ERR] Failed to open shared library \"%s\".", libpath );
--            ldac_ABR_free_handle(hLdacAbr);
--            return NULL;
--        }
--    }
--#endif
-     if( load_ldacbt_api_functions(&hLdacAbr->ldacBtApi) != 0 ){
-         ldac_ABR_free_handle(hLdacAbr);
-         return NULL;
-@@ -156,12 +136,6 @@ void ldac_ABR_free_handle(HANDLE_LDAC_ABR hLdacAbr)
-         if (hLdacAbr->TxQD_Info.pHist){
-             free(hLdacAbr->TxQD_Info.pHist);
-         }
--#ifdef LDAC_ABR_DYNAMIC_LINK_LDAC_API
--        if (hLdacAbr->ldacBtApi.lib_handle != NULL) {
--            dlclose(hLdacAbr->ldacBtApi.lib_handle);
--            hLdacAbr->ldacBtApi.lib_handle = NULL;
--        }
--#endif
-         free(hLdacAbr);
-     }
- }
-@@ -408,65 +382,17 @@ int ldac_ABR_Proc( HANDLE_LDAC_BT hLDAC, HANDLE_LDAC_ABR hLdacAbr,
- }
- 
- 
--#ifdef LDAC_ABR_DYNAMIC_LINK_LDAC_API
--static void *load_func(void *lib_handle, const char* func_name)
--{
--    void *func_ptr = dlsym(lib_handle, func_name);
--    if(func_ptr == NULL){
--        ABRDBG("[ERR] cannot find function '%s' in the library.\n", func_name);
--        return NULL;
--    }
--    return func_ptr;
--}
--
--static int open_lib(HANDLE_LDACBT_API hLdacBtApi, const char *lib_name )
--{
--    if( hLdacBtApi == NULL ){
--        ABRDBG("[ERR] handle is NULL");
--        return -1;
--    }
--    if( lib_name == NULL ){
--        ABRDBG("[ERR] lib_name is NULL");
--        return -1;
--    }
--    // open library
--    hLdacBtApi->lib_handle = dlopen(lib_name, RTLD_NOW);
--    if(hLdacBtApi->lib_handle == NULL){
--#ifdef LOCAL_DEBUG
--        char buffer_str[1024];
--        strerror_r(errno, buffer_str, sizeof(buffer_str));
--        ABRDBG("[ERR] cannot open library '%s': errno = %d (%s)\n",
--                lib_name, errno, buffer_str);
--#endif
--        return -1;
--    }
--    return 0;
--}
--#endif /* LDAC_ABR_DYNAMIC_LINK_LDAC_API */
--
- // Load functions
- static int load_ldacbt_api_functions(HANDLE_LDACBT_API hLdacBtApi)
- {
-     hLdacBtApi->alter_eqmid_priority =
--#ifdef LDAC_ABR_DYNAMIC_LINK_LDAC_API
--      load_func(hLdacBtApi->lib_handle, "ldacBT_alter_eqmid_priority");
--#else
-       ldacBT_alter_eqmid_priority;
--#endif
- 
-     hLdacBtApi->get_eqmid =
--#ifdef LDAC_ABR_DYNAMIC_LINK_LDAC_API
--      load_func(hLdacBtApi->lib_handle, "ldacBT_get_eqmid");
--#else
-       ldacBT_get_eqmid;
--#endif
- 
-     hLdacBtApi->get_error_code =
--#ifdef LDAC_ABR_DYNAMIC_LINK_LDAC_API
--      load_func(hLdacBtApi->lib_handle, "ldacBT_get_error_code");
--#else
-       ldacBT_get_error_code;
--#endif
- 
-     if( (hLdacBtApi->alter_eqmid_priority == NULL) ||
-         (hLdacBtApi->get_eqmid == NULL) ||
--- 
-2.53.0
-

pkgs/by-name/ld/ldacbt/package.nix

@@ -2,17 +2,19 @@
   lib,
   stdenv,
   fetchFromGitHub,
+  cmake,
 }:
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "ldacBT";
-  version = "2.0.72";
+  version = "2.0.2.3";
 
   src = fetchFromGitHub {
-    owner = "open-vela";
-    repo = "external_libldac";
-    rev = "5b4bf66096ba0d69615efb2422ba3d023c34c2fd";
-    hash = "sha256-5jeqTyhSBtYky15Xw1lIbUxeGZMQQQdM/EQUFicyi3Y=";
+    repo = "ldacBT";
+    owner = "ehfive";
+    tag = "v${finalAttrs.version}";
+    sha256 = "09dalysx4fgrgpfdm9a51x6slnf4iik1sqba4xjgabpvq91bnb63";
+    fetchSubmodules = true;
   };
 
   outputs = [
@@ -20,99 +22,31 @@ stdenv.mkDerivation (finalAttrs: {
     "dev"
   ];
 
-  patches = [
-    ./0001-abr-drop-support-for-dynamic-loading-libldac.patch
+  nativeBuildInputs = [
+    cmake
   ];
 
-  env.NIX_CFLAGS_COMPILE = "-O2 -fPIC -fno-merge-constants -Wall -Iinc -Isrc -Iabr/inc";
+  cmakeFlags = [
+    # CMakeLists.txt by default points to $out
+    "-DINSTALL_INCLUDEDIR=${placeholder "dev"}/include"
+  ];
 
-  # Verify finalAttrs.version matches LDACBT_LIB_VER_* in upstream source.
-  # Guards against silent version drift when the pinned commit changes.
-  preBuild = ''
-    awk -v want=${finalAttrs.version} '
-      /^#define LDACBT_LIB_VER_/ { v = v sep ($3+0); sep = "." }
-      END {
-        if (v != want) { print "version mismatch: package says " want ", source reports " v > "/dev/stderr"; exit 1 }
-      }
-    ' src/ldacBT_api.c
-  '';
-
-  # Upstream ships AOSP build files and a gcc/ makefile that only knows
-  # about the in-tree layout. Compile and link directly; the entire
-  # library is two umbrella translation units.
-  buildPhase = ''
-    runHook preBuild
-
-    soname=libldacBT.so.${lib.versions.major finalAttrs.version}
-    sofile=libldacBT.so.${finalAttrs.version}
-
-    $CC -shared -Wl,-soname,$soname src/ldaclib.c src/ldacBT.c abr/src/ldacBT_abr.c -lm -o $sofile
-
-    runHook postBuild
-  '';
-
-  installPhase = ''
-    runHook preInstall
-
-    install -Dm644 -t $out/lib $sofile
-    ln -s $sofile $out/lib/$soname
-    ln -s $sofile $out/lib/libldacBT.so
-
-    install -Dm644 inc/ldacBT.h $dev/include/ldac/ldacBT.h
-    install -Dm644 abr/inc/ldacBT_abr.h $dev/include/ldac/ldacBT_abr.h
-
-    mkdir -p $dev/lib/pkgconfig
-    cat > $dev/lib/pkgconfig/ldacBT-dec.pc <<EOF
-    prefix=$out
-    exec_prefix=\''${prefix}
-    libdir=$out/lib
-    includedir=$dev/include/ldac
-
-    Name: ldacBT-dec
-    Description: LDAC Bluetooth decoder
-    Version: ${finalAttrs.version}
-    Libs: -L\''${libdir} -lldacBT
-    Libs.private: -lm
-    Cflags: -I\''${includedir}
-    EOF
-
-    cat > $dev/lib/pkgconfig/ldacBT-enc.pc <<EOF
-    prefix=$out
-    exec_prefix=\''${prefix}
-    libdir=$out/lib
-    includedir=$dev/include/ldac
-
-    Name: ldacBT-enc
-    Description: LDAC Bluetooth encoder
-    Version: ${finalAttrs.version}
-    Libs: -L\''${libdir} -lldacBT
-    Libs.private: -lm
-    Cflags: -I\''${includedir}
-    EOF
-
-    cat > $dev/lib/pkgconfig/ldacBT-abr.pc <<EOF
-    prefix=$out
-    exec_prefix=\''${prefix}
-    libdir=$out/lib
-    includedir=$dev/include/ldac
-
-    Name: ldacBT-abr
-    Description: LDAC Bluetooth ABR library
-    Version: ${finalAttrs.version}
-    Libs: -L\''${libdir} -lldacBT
-    Libs.private: -lm
-    Cflags: -I\''${includedir}
-    EOF
-
-    runHook postInstall
+  # Fix the build with CMake 4.
+  #
+  # See: <https://github.com/EHfive/ldacBT/pull/1>
+  postPatch = ''
+    substituteInPlace CMakeLists.txt \
+      --replace-fail \
+        'cmake_minimum_required(VERSION 3.0)' \
+        'cmake_minimum_required(VERSION 3.0...3.10)'
   '';
 
   meta = {
-    description = "Sony LDAC Bluetooth decoder library (from AOSP via open-vela)";
-    homepage = "https://github.com/open-vela/external_libldac";
+    description = "AOSP libldac dispatcher";
+    homepage = "https://github.com/EHfive/ldacBT";
     license = lib.licenses.asl20;
-    # LDAC bitstream format assumes LE; source has endian checks
+    # libldac code detects & #error's out on non-LE byte order
     platforms = lib.platforms.littleEndian;
-    maintainers = with lib.maintainers; [ qweered ];
+    maintainers = [ ];
   };
 })

pkgs/by-name/le/less/package.nix

@@ -11,7 +11,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "less";
-  version = "702";
+  version = "692";
 
   # `less` is provided by the following sources:
   # - meta.homepage
@@ -20,7 +20,7 @@ stdenv.mkDerivation (finalAttrs: {
   # homepage, and only those not marked as beta.
   src = fetchurl {
     url = "https://www.greenwoodsoftware.com/less/less-${finalAttrs.version}.tar.gz";
-    hash = "sha256-JCpkwA8C2W+O4gjPY4rhcotyfH9f34Kn1PTK4y+whOI=";
+    hash = "sha256-YTAPYDeY7PHXeGVweJ8P8/WhrPB1pvufdWg30WbjfRQ=";
   };
 
   buildInputs = [

pkgs/by-name/li/libadwaita/package.nix

@@ -23,7 +23,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "libadwaita";
-  version = "1.9.1";
+  version = "1.9.0";
 
   outputs = [
     "out"
@@ -37,7 +37,7 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "GNOME";
     repo = "libadwaita";
     tag = finalAttrs.version;
-    hash = "sha256-Oy3WcsymNbbmAacm5hEOrorI1wKXjSp063mh4jCJRAE=";
+    hash = "sha256-JAKP8CjLCKGZvHoB26ih/J3xAru4wiVf/ObG0L8r4pY=";
   };
 
   depsBuildBuild = [

pkgs/by-name/li/libaec/package.nix

@@ -7,13 +7,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "libaec";
-  version = "1.1.7";
+  version = "1.1.6";
 
   src = fetchFromGitHub {
     owner = "Deutsches-Klimarechenzentrum";
     repo = "libaec";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-aBm+CXCq7sdJb6Qq9sNuTzNj0nRwTJI20HsqUg1Qi/8=";
+    hash = "sha256-cxDP+JNwokxgzH9hO2zw+rIcz8XG7E8ujbAbWpgUEW8=";
   };
 
   nativeBuildInputs = [

pkgs/by-name/li/libapparmor/package.nix

@@ -32,13 +32,13 @@
 }:
 stdenv.mkDerivation (finalAttrs: {
   pname = "libapparmor";
-  version = "5.0.0";
+  version = "4.1.7";
 
   src = fetchFromGitLab {
     owner = "apparmor";
     repo = "apparmor";
     tag = "v${finalAttrs.version}";
-    hash = "sha256-seEREIc83alEPyZGD/GY48hjpqiw3QENnqYsdjHOGgs=";
+    hash = "sha256-yjqdUwHkQ1uiPKPZQVf/o8tGixQeIKNMOIYo4aVK7N0=";
   };
   sourceRoot = "${finalAttrs.src.name}/libraries/libapparmor";
 

pkgs/by-name/li/libass/package.nix

@@ -44,7 +44,9 @@ stdenv.mkDerivation (finalAttrs: {
     fribidi
     harfbuzz
   ]
-  ++ lib.optional fontconfigSupport fontconfig;
+  ++ lib.optional fontconfigSupport fontconfig
+  # TODO: remove dep after branchoff (in darwin stdenv)
+  ++ lib.optional stdenv.hostPlatform.isDarwin libiconv.out;
 
   meta = {
     description = "Portable ASS/SSA subtitle renderer";

pkgs/by-name/li/libavif/package.nix

@@ -31,7 +31,7 @@ in
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "libavif";
-  version = "1.4.2";
+  version = "1.4.1";
 
   outputs = [
     "out"
@@ -42,7 +42,7 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "AOMediaCodec";
     repo = "libavif";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-AMQ1TRPGpuBBW7tJ8xuLEVTAeOsLWTHuE0dFJjI7+W4=";
+    hash = "sha256-035SoxHfN121mp3LGwGykReCi1WJbl2/nZH8c/VwABU=";
   };
 
   postPatch = ''

pkgs/by-name/li/libcaca/package.nix

@@ -2,7 +2,6 @@
   lib,
   stdenv,
   fetchFromGitHub,
-  fetchpatch,
   autoreconfHook,
   imlib2,
   libxext,
@@ -24,14 +23,6 @@ stdenv.mkDerivation (finalAttrs: {
     hash = "sha256-N0Lfi0d4kjxirEbIjdeearYWvStkKMyV6lgeyNKXcVw=";
   };
 
-  patches = [
-    (fetchpatch {
-      name = "CVE-2026-42046.patch";
-      url = "https://github.com/cacalabs/libcaca/commit/fb77acff9ba6bb01d53940da34fb10f20b156a23.patch";
-      hash = "sha256-AdpiE5Gw/CVET//7TTYZCb0glW5HY+T8xZkYs1XCBvY=";
-    })
-  ];
-
   nativeBuildInputs = [
     autoreconfHook
     pkg-config

pkgs/by-name/li/libcap/package.nix

@@ -3,6 +3,7 @@
   lib,
   buildPackages,
   fetchurl,
+  fetchpatch,
   runtimeShell,
   pkgsBuildHost,
   usePam ? !isStatic,
@@ -30,11 +31,11 @@ assert usePam -> pam != null;
 
 stdenv.mkDerivation rec {
   pname = "libcap";
-  version = "2.78";
+  version = "2.77";
 
   src = fetchurl {
     url = "mirror://kernel/linux/libs/security/linux-privs/libcap2/${pname}-${version}.tar.xz";
-    hash = "sha256-DWIeVi/ZMsz2e5Zg+wGORopoPXuCdUHfJ4EyKMmWuxE=";
+    hash = "sha256-iXvBi0Svwmxw54zq09uzHhVKzCS+4IWloJB5qI2/b1I=";
   };
 
   outputs = [
@@ -75,6 +76,13 @@ stdenv.mkDerivation rec {
     "LIBCSTATIC=yes"
   ];
 
+  patches = [
+    (fetchpatch {
+      url = "https://git.kernel.org/pub/scm/libs/libcap/libcap.git/patch/?id=d628b3bfe40338d4efff6b0ae50f250a0eb884c7";
+      hash = "sha256-Eiv/BOJZkduL+hOEJd8K1LQd9wvOeCKchE2GaLcerVc=";
+    })
+  ];
+
   postPatch = ''
     patchShebangs ./progs/mkcapshdoc.sh