Merge master into staging-next

nixos/doc/manual/release-notes/rl-2505.section.md

@@ -111,6 +111,8 @@
 
 - [PostgREST](https://postgrest.org), a standalone web server that turns your PostgreSQL database directly into a RESTful API. Available as [services.postgrest](options.html#opt-services.postgrest.enable).
 
+- [postgres-websockets](https://github.com/diogob/postgres-websockets), a middleware that adds websockets capabilites on top of PostgreSQL's asynchronous notifications using LISTEN and NOTIFY commands. Available as [services.postgres-websockets](options.html#opt-services.postgres-websockets.enable).
+
 - [µStreamer](https://github.com/pikvm/ustreamer), a lightweight MJPEG-HTTP streamer. Available as [services.ustreamer](options.html#opt-services.ustreamer).
 
 - [Whoogle Search](https://github.com/benbusby/whoogle-search), a self-hosted, ad-free, privacy-respecting metasearch engine. Available as [services.whoogle-search](options.html#opt-services.whoogle-search.enable).

nixos/modules/module-list.nix

@@ -515,6 +515,7 @@
   ./services/databases/opentsdb.nix
   ./services/databases/pgbouncer.nix
   ./services/databases/pgmanage.nix
+  ./services/databases/postgres-websockets.nix
   ./services/databases/postgresql.nix
   ./services/databases/postgrest.nix
   ./services/databases/redis.nix

nixos/modules/services/databases/postgres-websockets.nix

@@ -0,0 +1,221 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.services.postgres-websockets;
+
+  # Turns an attrset of libpq connection params:
+  #   {
+  #     dbname = "postgres";
+  #     user = "authenticator";
+  #   }
+  # into a libpq connection string:
+  #   dbname=postgres user=authenticator
+  PGWS_DB_URI = lib.pipe cfg.environment.PGWS_DB_URI [
+    (lib.filterAttrs (_: v: v != null))
+    (lib.mapAttrsToList (k: v: "${k}='${lib.escape [ "'" "\\" ] v}'"))
+    (lib.concatStringsSep " ")
+  ];
+in
+
+{
+  meta = {
+    maintainers = with lib.maintainers; [ wolfgangwalther ];
+  };
+
+  options.services.postgres-websockets = {
+    enable = lib.mkEnableOption "postgres-websockets";
+
+    pgpassFile = lib.mkOption {
+      type =
+        with lib.types;
+        nullOr (pathWith {
+          inStore = false;
+          absolute = true;
+        });
+      default = null;
+      example = "/run/keys/db_password";
+      description = ''
+        The password to authenticate to PostgreSQL with.
+        Not needed for peer or trust based authentication.
+
+        The file must be a valid `.pgpass` file as described in:
+        <https://www.postgresql.org/docs/current/libpq-pgpass.html>
+
+        In most cases, the following will be enough:
+        ```
+        *:*:*:*:<password>
+        ```
+      '';
+    };
+
+    jwtSecretFile = lib.mkOption {
+      type =
+        with lib.types;
+        nullOr (pathWith {
+          inStore = false;
+          absolute = true;
+        });
+      example = "/run/keys/jwt_secret";
+      description = ''
+        Secret used to sign JWT tokens used to open communications channels.
+      '';
+    };
+
+    environment = lib.mkOption {
+      type = lib.types.submodule {
+        freeformType = with lib.types; attrsOf str;
+
+        options = {
+          PGWS_DB_URI = lib.mkOption {
+            type = lib.types.submodule {
+              freeformType = with lib.types; attrsOf str;
+
+              # This should not be used; use pgpassFile instead.
+              options.password = lib.mkOption {
+                default = null;
+                readOnly = true;
+                internal = true;
+              };
+              # This should not be used; use pgpassFile instead.
+              options.passfile = lib.mkOption {
+                default = null;
+                readOnly = true;
+                internal = true;
+              };
+            };
+            default = { };
+            description = ''
+              libpq connection parameters as documented in:
+
+              <https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS>
+
+              ::: {.note}
+              The `environment.PGWS_DB_URI.password` and `environment.PGWS_DB_URI.passfile` options are blocked.
+              Use [`pgpassFile`](#opt-services.postgres-websockets.pgpassFile) instead.
+              :::
+            '';
+            example = lib.literalExpression ''
+              {
+                host = "localhost";
+                dbname = "postgres";
+              }
+            '';
+          };
+
+          # This should not be used; use jwtSecretFile instead.
+          PGWS_JWT_SECRET = lib.mkOption {
+            default = null;
+            readOnly = true;
+            internal = true;
+          };
+
+          PGWS_HOST = lib.mkOption {
+            type = with lib.types; nullOr str;
+            default = "127.0.0.1";
+            description = ''
+              Address the server will listen for websocket connections.
+            '';
+          };
+        };
+      };
+      default = { };
+      description = ''
+        postgres-websockets configuration as defined in:
+        <https://github.com/diogob/postgres-websockets/blob/master/src/PostgresWebsockets/Config.hs#L71-L87>
+
+        `PGWS_DB_URI` is represented as an attribute set, see [`environment.PGWS_DB_URI`](#opt-services.postgres-websockets.environment.PGWS_DB_URI)
+
+        ::: {.note}
+        The `environment.PGWS_JWT_SECRET` option is blocked.
+        Use [`jwtSecretFile`](#opt-services.postgres-websockets.jwtSecretFile) instead.
+        :::
+      '';
+      example = lib.literalExpression ''
+        {
+          PGWS_LISTEN_CHANNEL = "my_channel";
+          PGWS_DB_URI.dbname = "postgres";
+        }
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.postgres-websockets.environment.PGWS_DB_URI.application_name =
+      with pkgs.postgres-websockets;
+      "${pname} ${version}";
+
+    systemd.services.postgres-websockets = {
+      description = "postgres-websockets";
+
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ];
+      after = [
+        "network-online.target"
+        "postgresql.service"
+      ];
+
+      environment =
+        cfg.environment
+        // {
+          inherit PGWS_DB_URI;
+          PGWS_JWT_SECRET = "@%d/jwt_secret";
+        }
+        // lib.optionalAttrs (cfg.pgpassFile != null) {
+          PGPASSFILE = "%C/postgres-websockets/pgpass";
+        };
+
+      serviceConfig = {
+        CacheDirectory = "postgres-websockets";
+        CacheDirectoryMode = "0700";
+        LoadCredential = [
+          "jwt_secret:${cfg.jwtSecretFile}"
+        ] ++ lib.optional (cfg.pgpassFile != null) "pgpass:${cfg.pgpassFile}";
+        Restart = "always";
+        User = "postgres-websockets";
+
+        # Hardening
+        CapabilityBoundingSet = [ "" ];
+        DevicePolicy = "closed";
+        DynamicUser = true;
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateIPC = true;
+        PrivateMounts = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        RestrictAddressFamilies = [
+          "AF_INET"
+          "AF_INET6"
+          "AF_UNIX"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [ "" ];
+        UMask = "0077";
+      };
+
+      # Copy the pgpass file to different location, to have it report mode 0400.
+      # Fixes: https://github.com/systemd/systemd/issues/29435
+      script = ''
+        if [ -f "$CREDENTIALS_DIRECTORY/pgpass" ]; then
+            cp -f "$CREDENTIALS_DIRECTORY/pgpass" "$CACHE_DIRECTORY/pgpass"
+        fi
+        exec ${lib.getExe pkgs.postgres-websockets}
+      '';
+    };
+  };
+}

nixos/tests/all-tests.nix

@@ -1081,6 +1081,7 @@ in
     handleTest ./postfix-raise-smtpd-tls-security-level.nix
       { };
   postfixadmin = handleTest ./postfixadmin.nix { };
+  postgres-websockets = runTest ./postgres-websockets.nix;
   postgresql = handleTest ./postgresql { };
   postgrest = runTest ./postgrest.nix;
   powerdns = handleTest ./powerdns.nix { };

nixos/tests/postgres-websockets.nix

@@ -0,0 +1,84 @@
+{ lib, ... }:
+{
+  name = "postgres-websockets";
+
+  meta = {
+    maintainers = with lib.maintainers; [ wolfgangwalther ];
+  };
+
+  nodes.machine =
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    {
+      environment.systemPackages = [ pkgs.websocat ];
+
+      services.postgresql = {
+        enable = true;
+        initialScript = pkgs.writeText "init.sql" ''
+          CREATE ROLE "postgres-websockets" LOGIN NOINHERIT;
+          CREATE ROLE "postgres-websockets_with_password" LOGIN NOINHERIT PASSWORD 'password';
+        '';
+      };
+
+      services.postgres-websockets = {
+        enable = true;
+        jwtSecretFile = "/run/secrets/jwt.secret";
+        environment.PGWS_DB_URI.dbname = "postgres";
+        environment.PGWS_LISTEN_CHANNEL = "websockets-listener";
+      };
+
+      specialisation.withPassword.configuration = {
+        services.postgresql.enableTCPIP = true;
+        services.postgres-websockets = {
+          pgpassFile = "/run/secrets/.pgpass";
+          environment.PGWS_DB_URI.host = "localhost";
+          environment.PGWS_DB_URI.user = "postgres-websockets_with_password";
+        };
+      };
+    };
+
+  extraPythonPackages = p: [ p.pyjwt ];
+
+  testScript =
+    { nodes, ... }:
+    let
+      withPassword = "${nodes.machine.system.build.toplevel}/specialisation/withPassword";
+    in
+    ''
+      machine.execute("""
+        mkdir -p /run/secrets
+        echo reallyreallyreallyreallyverysafe > /run/secrets/jwt.secret
+      """)
+
+      import jwt
+      token = jwt.encode({ "mode": "rw" }, "reallyreallyreallyreallyverysafe")
+
+      def test():
+          machine.wait_for_unit("postgresql.service")
+          machine.wait_for_unit("postgres-websockets.service")
+
+          machine.succeed(f"echo 'hi there' | websocat --no-close 'ws://localhost:3000/test/{token}' > output &")
+          machine.sleep(1)
+          machine.succeed("grep 'hi there' output")
+
+          machine.succeed("""
+            sudo -u postgres psql -c "SELECT pg_notify('websockets-listener', json_build_object('channel', 'test', 'event', 'message', 'payload', 'Hello World')::text);" >/dev/null
+          """)
+          machine.sleep(1)
+          machine.succeed("grep 'Hello World' output")
+
+      with subtest("without password"):
+          test()
+
+      with subtest("with password"):
+          machine.execute("""
+            echo "*:*:*:*:password" > /run/secrets/.pgpass
+          """)
+          machine.succeed("${withPassword}/bin/switch-to-configuration test >&2")
+          test()
+    '';
+}

pkgs/by-name/fa/fabric-ai/package.nix

@@ -7,16 +7,19 @@
 
 buildGoModule rec {
   pname = "fabric-ai";
-  version = "1.4.122";
+  version = "1.4.167";
 
   src = fetchFromGitHub {
     owner = "danielmiessler";
     repo = "fabric";
-    rev = "v${version}";
-    hash = "sha256-wFVb2IdYB1T7wozQcjxLE7uVRsIFkPL5rS/8V0LnRcg=";
+    tag = "v${version}";
+    hash = "sha256-M6YL111YQahrFLaZt+b3EooziCTDpZnO5hGBj1XBVxY=";
   };
 
-  vendorHash = "sha256-eV+Wb3IL8veO7NF5Y5zLgTW9eHJF6ke/0SrDojHF3X8=";
+  vendorHash = "sha256-ax0ZLvLfbmpzO93xRqonHJz1zHs6u0+Mu0WegR1eW60=";
+
+  # Fabric introduced plugin tests that fail in the nix build sandbox.
+  doCheck = false;
 
   ldflags = [
     "-s"

pkgs/by-name/sm/smpmgr/package.nix

@@ -20,7 +20,11 @@ python3Packages.buildPythonApplication rec {
   build-system = with python3Packages; [
     poetry-core
     poetry-dynamic-versioning
-    setuptools
+  ];
+
+  pythonRelaxDeps = [
+    "typer"
+    "smpclient"
   ];
 
   dependencies = with python3Packages; [
@@ -33,17 +37,9 @@ python3Packages.buildPythonApplication rec {
     pytestCheckHook
     versionCheckHook
   ];
+  versionCheckProgramArg = "--version";
 
-  pythonRelaxDeps = [
-    "typer"
-    "smpclient"
-  ];
-
-  versionCheckProgramArg = [ "--version" ];
-
-  pythonImportsCheck = [
-    "smpmgr"
-  ];
+  pythonImportsCheck = [ "smpmgr" ];
 
   meta = {
     description = "Simple Management Protocol (SMP) Manager for remotely managing MCU firmware";

pkgs/by-name/ti/tiledb/FindMagic_EP.cmake.patch

@@ -1,14 +0,0 @@
-diff --git a/FindMagic_EP.cmake b/FindMagic_EP.cmake
---- a/cmake/Modules/FindMagic_EP.cmake
-+++ b/cmake/Modules/FindMagic_EP.cmake
-@@ -126,9 +126,7 @@ if(NOT TILEDB_LIBMAGIC_EP_BUILT)
-     # that was modified by tiledb to also build with cmake for nix
-     ExternalProject_Add(ep_magic
-       PREFIX "externals"
--      GIT_REPOSITORY "https://github.com/TileDB-Inc/file-windows.git"
--      GIT_TAG "5.38.2.tiledb"
--      GIT_SUBMODULES_RECURSE TRUE
-+      DOWNLOAD_COMMAND true
-       UPDATE_COMMAND ""
-       CMAKE_ARGS
-         -DCMAKE_INSTALL_PREFIX=${TILEDB_EP_INSTALL_PREFIX}

pkgs/by-name/ti/tiledb/generate_embedded_data_header.patch

@@ -0,0 +1,14 @@
+--- a/tiledb/sm/misc/generate_embedded_data_header.script.cmake
++++ b/tiledb/sm/misc/generate_embedded_data_header.script.cmake
+@@ -40,11 +40,7 @@
+ string(MAKE_C_IDENTIFIER ${INPUT_FILENAME} INPUT_VARIABLE)
+
+ message(DEBUG "Compressing ${INPUT_FILE} to ${compressed_file}")
+-file(ARCHIVE_CREATE OUTPUT "${compressed_file}" PATHS ${INPUT_FILE} FORMAT raw COMPRESSION Zstd
+-    # Level 12 was found to have the best balance between compression ratio and speed
+-    # but is available in CMake 3.26+.
+-    COMPRESSION_LEVEL 9
+-)
++execute_process(COMMAND zstd -9 -c "${INPUT_FILE}" OUTPUT_FILE "${compressed_file}")
+ file(SIZE ${compressed_file} COMPRESSED_SIZE)
+ message(DEBUG "Compressed size: ${COMPRESSED_SIZE} bytes")

pkgs/by-name/ti/tiledb/package.nix

@@ -2,7 +2,6 @@
   lib,
   stdenv,
   fetchFromGitHub,
-
   cmake,
   zlib,
   lz4,
@@ -16,70 +15,58 @@
   clang-tools,
   catch2_3,
   python3,
-  gtest,
   doxygen,
   fixDarwinDylibNames,
+  gtest,
+  rapidcheck,
+  libpng,
+  file,
+  runCommand,
+  catch2,
   useAVX2 ? stdenv.hostPlatform.avx2Support,
 }:
 
 let
-  # pre-fetch ExternalProject from cmake/Modules/FindMagic_EP.cmake
-  ep-file-windows = fetchFromGitHub {
-    owner = "TileDB-Inc";
-    repo = "file-windows";
-    rev = "5.38.2.tiledb";
-    hash = "sha256-TFn30VCuWZr252VN1T5NNCZe2VEN3xQSomS7XxxKGF8=";
-    fetchSubmodules = true;
-  };
-
+  rapidcheck' = runCommand "rapidcheck" { } ''
+    cp -r ${rapidcheck.out} $out
+    chmod -R +w $out
+    cp -r ${rapidcheck.dev}/* $out
+  '';
 in
 stdenv.mkDerivation rec {
   pname = "tiledb";
-  version = "2.18.2";
+  version = "2.27.2";
 
   src = fetchFromGitHub {
     owner = "TileDB-Inc";
     repo = "TileDB";
-    rev = version;
-    hash = "sha256-uLiXhigYz3v7NgY38twot3sBHxZS5QCrOiPfME4wWzE=";
+    tag = version;
+    hash = "sha256-zk4jkXJMh6wpuEKaCvuKUDod+F8B/6W5Lw8gwelcPEM=";
   };
 
-  patches = [
-    ./FindMagic_EP.cmake.patch
-  ];
+  patches = lib.optionals stdenv.hostPlatform.isDarwin [ ./generate_embedded_data_header.patch ];
 
-  postPatch =
-    ''
-      # copy pre-fetched external project to directory where it is expected to be
-      mkdir -p build/externals/src
-      cp -a ${ep-file-windows} build/externals/src/ep_magic
-      chmod -R u+w build/externals/src/ep_magic
+  # libcxx (as of llvm-19) does not yet support `stop_token` and `jthread`
+  # without the -fexperimental-library flag. Tiledb adds its own
+  # implementations in the std namespace which conflict with libcxx. This
+  # test can be re-enabled once libcxx supports stop_token and jthread.
+  postPatch = lib.optionalString (stdenv.cc.libcxx != null) ''
+    truncate -s0 tiledb/stdx/test/CMakeLists.txt
+  '';
 
-      # add openssl on path
-      sed -i '49i list(APPEND OPENSSL_PATHS "${openssl.dev}" "${openssl.out}")' \
-        cmake/Modules/FindOpenSSL_EP.cmake
-    ''
-    # libcxx (as of llvm-19) does not yet support `stop_token` and `jthread`
-    # without the -fexperimental-library flag. Tiledb adds its own
-    # implementations in the std namespace which conflict with libcxx. This
-    # test can be re-enabled once libcxx supports stop_token and jthread.
-    + lib.optionalString (stdenv.cc.libcxx != null) ''
-      truncate -s0 tiledb/stdx/test/CMakeLists.txt
-    '';
-
-  # upstream will hopefully fix this in some newer release
-  env.CXXFLAGS = "-include random";
+  env.TILEDB_DISABLE_AUTO_VCPKG = "1";
 
   # (bundled) blosc headers have a warning on some archs that it will be using
   # unaccelerated routines.
   cmakeFlags = [
-    "-DTILEDB_VCPKG=OFF"
     "-DTILEDB_WEBP=OFF"
     "-DTILEDB_WERROR=OFF"
+    # https://github.com/NixOS/nixpkgs/issues/144170
+    "-DCMAKE_INSTALL_INCLUDEDIR=include"
+    "-DCMAKE_INSTALL_LIBDIR=lib"
   ] ++ lib.optional (!useAVX2) "-DCOMPILER_SUPPORTS_AVX2=FALSE";
 
   nativeBuildInputs = [
-    ep-file-windows
     catch2_3
     clang-tools
     cmake
@@ -87,10 +74,6 @@ stdenv.mkDerivation rec {
     doxygen
   ] ++ lib.optional stdenv.hostPlatform.isDarwin fixDarwinDylibNames;
 
-  nativeCheckInputs = [
-    gtest
-  ];
-
   buildInputs = [
     zlib
     lz4
@@ -101,20 +84,34 @@ stdenv.mkDerivation rec {
     openssl
     boost
     libpqxx
+    libpng
+    file
+    rapidcheck'
+    catch2
+  ];
+
+  # fatal error: catch.hpp: No such file or directory
+  doCheck = false;
+
+  nativeCheckInputs = [
+    gtest
+    catch2
   ];
 
   # test commands taken from
   # https://github.com/TileDB-Inc/TileDB/blob/dev/.github/workflows/unit-test-runs.yml
   checkPhase = ''
     runHook preCheck
-    make -C tiledb tests -j$NIX_BUILD_CORES
-    make -C tiledb test ARGS="-R '^unit_'" -R "test_assert"
-    make -C tiledb test ARGS="-R 'test_ci_asserts'"
+
+    pushd ..
+    cmake --build build --target tests
+    ctest --test-dir build -R '(^unit_|test_assert)' --no-tests=error
+    ctest --test-dir build -R 'test_ci_asserts'
+    popd
+
     runHook postCheck
   '';
 
-  doCheck = true;
-
   installTargets = [
     "install-tiledb"
     "doc"
@@ -124,11 +121,11 @@ stdenv.mkDerivation rec {
     install_name_tool -add_rpath ${tbb}/lib $out/lib/libtiledb.dylib
   '';
 
-  meta = with lib; {
+  meta = {
     description = "TileDB allows you to manage the massive dense and sparse multi-dimensional array data";
     homepage = "https://github.com/TileDB-Inc/TileDB";
-    license = licenses.mit;
-    platforms = platforms.unix;
-    maintainers = with maintainers; [ rakesh4g ];
+    license = lib.licenses.mit;
+    platforms = lib.platforms.unix;
+    maintainers = with lib.maintainers; [ rakesh4g ];
   };
 }

pkgs/by-name/xd/xdg-desktop-portal-termfilechooser/package.nix

@@ -9,16 +9,17 @@
   inih,
   systemd,
   scdoc,
+  nix-update-script,
 }:
-stdenv.mkDerivation {
+stdenv.mkDerivation (finalAttrs: {
   pname = "xdg-desktop-portal-termfilechooser";
-  version = "0.4.0";
+  version = "1.0.5";
 
   src = fetchFromGitHub {
     owner = "hunkyburrito";
     repo = "xdg-desktop-portal-termfilechooser";
-    rev = "c35af27e323a492cbb3b19bdd135657ae523caef";
-    hash = "sha256-9bxhKkk5YFBhR2ylcDzlvt4ltYuF174w00EJK5r3aY0=";
+    tag = "v${finalAttrs.version}";
+    hash = "sha256-uwUND1K0UCztDS68APZf578zhvVm0BhL3f7dLrdKTHE=";
   };
 
   nativeBuildInputs = [
@@ -36,12 +37,17 @@ stdenv.mkDerivation {
 
   mesonFlags = [ "-Dsd-bus-provider=libsystemd" ];
 
+  passthru.updateScript = nix-update-script { };
+
   meta = with lib; {
     description = "xdg-desktop-portal backend for choosing files with your favorite file chooser";
     homepage = "https://github.com/hunkyburrito/xdg-desktop-portal-termfilechooser";
     license = licenses.mit;
     platforms = platforms.linux;
-    maintainers = with lib.maintainers; [ body20002 ];
+    maintainers = with lib.maintainers; [
+      body20002
+      ltrump
+    ];
     mainProgram = "xdg-desktop-portal-termfilechooser";
   };
-}
+})

pkgs/by-name/zi/zint/package.nix

@@ -2,43 +2,60 @@
   lib,
   stdenv,
   fetchFromGitHub,
-  wrapQtAppsHook,
   cmake,
-  qtbase,
-  qtsvg,
-  qttools,
-  testers,
-  zint,
+  ninja,
+  libpng,
+  qt6,
+  versionCheckHook,
+  zlib,
 }:
-
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "zint";
-  version = "2.13.0";
+  version = "2.15.0";
+
+  outputs = [
+    "out"
+    "lib"
+    "dev"
+  ];
 
   src = fetchFromGitHub {
     owner = "zint";
     repo = "zint";
-    rev = version;
-    hash = "sha256-/ILq/7A8Lffe2NuiABiV3KeYXapuL1SO55Qk3wXfC/8=";
+    tag = finalAttrs.version;
+    hash = "sha256-+dXIU66HIS2mE0pa99UemMMFBGCYjupUX8P7q3G7Nis=";
   };
 
-  outputs = [
-    "out"
-    "dev"
-  ];
+  postPatch = ''
+    # Fix cmake file installation
+    # https://github.com/zint/zint/pull/8
+    substituteInPlace CMakeLists.txt \
+      --replace-fail 'DESTINATION "''${CMAKE_INSTALL_DATADIR}/zint"' 'DESTINATION lib/cmake/zint'
+    substituteInPlace backend/CMakeLists.txt \
+      --replace-fail 'DESTINATION "''${CMAKE_INSTALL_DATADIR}/zint"' 'DESTINATION lib/cmake/zint'
+  '';
 
   nativeBuildInputs = [
     cmake
-    wrapQtAppsHook
+    ninja
+    qt6.wrapQtAppsHook
   ];
 
   buildInputs = [
-    qtbase
-    qtsvg
-    qttools
+    qt6.qtbase
+    qt6.qtsvg
+    qt6.qttools
   ];
 
-  cmakeFlags = [ "-DZINT_QT6:BOOL=ON" ];
+  propagatedBuildInputs = [
+    libpng
+    zlib
+  ];
+
+  cmakeFlags = [ (lib.cmakeBool "ZINT_QT6" true) ];
+
+  doInstallCheck = true;
+  nativeCheckInputs = [ versionCheckHook ];
 
   postInstall = ''
     install -Dm644 -t $out/share/applications $src/zint-qt.desktop
@@ -46,12 +63,6 @@ stdenv.mkDerivation rec {
     install -Dm644 -t $out/share/icons/hicolor/scalable/apps $src/frontend_qt/images/scalable/zint-qt.svg
   '';
 
-  passthru.tests.version = testers.testVersion {
-    package = zint;
-    command = "zint --version";
-    inherit version;
-  };
-
   meta = with lib; {
     description = "Barcode generating tool and library";
     longDescription = ''
@@ -61,9 +72,10 @@ stdenv.mkDerivation rec {
       developers access to the capabilities of Zint.
     '';
     homepage = "https://www.zint.org.uk";
-    changelog = "https://github.com/zint/zint/blob/${version}/ChangeLog";
+    changelog = "https://github.com/zint/zint/blob/${finalAttrs.src.rev}/ChangeLog";
     license = licenses.gpl3Plus;
-    maintainers = with maintainers; [ azahi ];
+    maintainers = [ lib.maintainers.azahi ];
     platforms = platforms.all;
+    mainProgram = "zint";
   };
-}
+})

pkgs/development/compilers/corretto/11.nix

@@ -26,12 +26,12 @@ let
       # Corretto, too.
       "--disable-warnings-as-errors"
     ];
-    version = "11.0.25.9.1";
+    version = "11.0.26.4.1";
     src = fetchFromGitHub {
       owner = "corretto";
       repo = "corretto-11";
       rev = version;
-      hash = "sha256-ewGGj4BHmwoPdULeT3PSI0Fo9T3cFbTO7cZXhzuKISY=";
+      hash = "sha256-buJlSvmyOVeMwaP9oDcHhG+Sabr1exf0nRUt4O7MaIY=";
     };
   };
 in

pkgs/development/compilers/corretto/17.nix

@@ -21,12 +21,12 @@ let
       ;
     jdk = jdk17;
     gradle = gradle_7;
-    version = "17.0.13.11.1";
+    version = "17.0.14.7.1";
     src = fetchFromGitHub {
       owner = "corretto";
       repo = "corretto-17";
       rev = version;
-      hash = "sha256-2jMre5aI02uDFjSgToTyVNriyb4EuZ01lKsNi822o5Q=";
+      hash = "sha256-ohQrguEJ8QvTaNjyQxKFujGhXNxCQTGkLILurzD7cy0=";
     };
   };
 in

pkgs/development/compilers/corretto/21.nix

@@ -21,12 +21,12 @@ let
       ;
     jdk = jdk21;
     gradle = gradle_7;
-    version = "21.0.5.11.1";
+    version = "21.0.6.7.1";
     src = fetchFromGitHub {
       owner = "corretto";
       repo = "corretto-21";
       rev = version;
-      hash = "sha256-Df2Pq2aPrTxD4FeqG12apE/USfQULmMGsDsgXrmCINc=";
+      hash = "sha256-kF7Quf8bU5scfunmwfEYLkje/jEJOx7CFnBIUWCovzI=";
     };
   };
 in

pkgs/development/compilers/corretto/mk-corretto.nix

@@ -18,12 +18,13 @@
 # builds. However, Corretto uses `gradle` as build tool (which in turn will
 # invoke `make`). The configure/build phases are adapted as needed.
 
-let
-  pname = "corretto";
-in
 # The version scheme is different between OpenJDK & Corretto.
 # See https://github.com/corretto/corretto-17/blob/release-17.0.8.8.1/build.gradle#L40
 # "major.minor.security.build.revision"
+let
+  majorVersion = builtins.head (lib.strings.splitString "." version); # same as "featureVersion" for OpenJDK
+  pname = "corretto${majorVersion}";
+in
 jdk.overrideAttrs (
   finalAttrs: oldAttrs: {
     inherit pname version src;

pkgs/development/haskell-modules/configuration-nix.nix

@@ -480,6 +480,12 @@ builtins.intersectAttrs super {
   hasql-pool = dontCheck super.hasql-pool;
   hasql-transaction = dontCheck super.hasql-transaction;
 
+  # Avoid compiling twice by providing executable as a separate output (with small closure size),
+  postgres-websockets = lib.pipe super.postgres-websockets [
+    enableSeparateBinOutput
+    (overrideCabal { passthru.tests = pkgs.nixosTests.postgres-websockets; })
+  ];
+
   # Test suite requires a running postgresql server,
   # avoid compiling twice by providing executable as a separate output (with small closure size),
   # generate shell completion

pkgs/development/libraries/mapnik/default.nix

@@ -29,13 +29,13 @@
 
 stdenv.mkDerivation rec {
   pname = "mapnik";
-  version = "4.0.5";
+  version = "4.0.7";
 
   src = fetchFromGitHub {
     owner = "mapnik";
     repo = "mapnik";
     rev = "v${version}";
-    hash = "sha256-pReoyMdu8RYrberKcwGw0DKmkxVRJezZYcPAM/UAn6o=";
+    hash = "sha256-gJktRWcJiSGxxjvWFt+Kl9d7g+TOSPk2PfGP0LIVxt4=";
     fetchSubmodules = true;
   };
 
@@ -43,7 +43,7 @@ stdenv.mkDerivation rec {
 
   postPatch = ''
     substituteInPlace configure \
-      --replace '$PYTHON scons/scons.py' ${buildPackages.scons}/bin/scons
+      --replace-fail '$PYTHON scons/scons.py' ${buildPackages.scons}/bin/scons
     rm -r scons
     # Remove bundled 'sparsehash' directory in favor of 'sparsehash' package
     rm -r deps/mapnik/sparsehash
@@ -134,15 +134,5 @@ stdenv.mkDerivation rec {
       ];
     license = licenses.lgpl21Plus;
     platforms = platforms.all;
-
-    # 29-03-2025: On darwin, the libc++ standard library is used to compile C++ programs.
-    # 29-03-2025: Since the base template for `std::char_traits` was removed in LLVM 19,
-    # 29-03-2025: usages of `boost::u32regex` will no longer compile.
-    # 29-03-2025: Linux builds do not fail as they use libstdc++, which has not removed
-    # 29-03-2025: such `std::char_trait` declarations.
-    #
-    # 29-03-2025: See https://github.com/mapnik/mapnik/issues/4499 for more information
-    # 29-03-2025: and a Minimal Reproducible Example.
-    badPlatforms = platforms.darwin;
   };
 }

pkgs/development/python-modules/hf-xet/default.nix

@@ -0,0 +1,58 @@
+{
+  lib,
+  buildPythonPackage,
+  fetchFromGitHub,
+  pkg-config,
+  rustPlatform,
+  openssl,
+}:
+
+buildPythonPackage rec {
+  pname = "hf-xet";
+  version = "1.0.3";
+  pyproject = true;
+
+  src = fetchFromGitHub {
+    owner = "huggingface";
+    repo = "xet-core";
+    tag = "v${version}";
+    hash = "sha256-ZbLSPLRsRVSF9HD+R8k/GR7yq3Ej+c+AyYbyHhKOf3w=";
+  };
+
+  sourceRoot = "${src.name}/hf_xet";
+
+  cargoDeps = rustPlatform.fetchCargoVendor {
+    inherit
+      pname
+      version
+      src
+      sourceRoot
+      ;
+    hash = "sha256-gO5A457CJUdV7nfy69yliL6uqMu5Fc3rY2uXyMM/Na0=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    rustPlatform.cargoSetupHook
+    rustPlatform.maturinBuildHook
+  ];
+
+  buildInputs = [
+    openssl
+  ];
+
+  env.OPENSSL_NO_VENDOR = 1;
+
+  pythonImportsCheck = [ "hf_xet" ];
+
+  # No tests (yet?)
+  doCheck = false;
+
+  meta = {
+    description = "Xet client tech, used in huggingface_hub";
+    homepage = "https://github.com/huggingface/xet-core/hf_xet";
+    changelog = "https://github.com/huggingface/xet-core/releases/tag/v${version}";
+    license = lib.licenses.asl20;
+    maintainers = with lib.maintainers; [ GaetanLepage ];
+  };
+}

pkgs/development/python-modules/mapclassify/default.nix

@@ -50,6 +50,8 @@ buildPythonPackage rec {
   disabledTestPaths = [
     "mapclassify/tests/test_greedy.py"
     "mapclassify/tests/test_rgba.py"
+    # Abort trap: 6
+    "mapclassify/tests/test_mapclassify.py"
   ];
 
   pythonImportsCheck = [ "mapclassify" ];

pkgs/development/python-modules/pygmt/default.nix

@@ -18,7 +18,7 @@
 
 buildPythonPackage rec {
   pname = "pygmt";
-  version = "0.14.2";
+  version = "0.15.0";
   pyproject = true;
 
   disabled = pythonOlder "3.11";
@@ -27,7 +27,7 @@ buildPythonPackage rec {
     owner = "GenericMappingTools";
     repo = "pygmt";
     tag = "v${version}";
-    hash = "sha256-UwqkJxO+LbJz7BVbQnulxm4sMrKHoY3ayqLHfZy7Ji4=";
+    hash = "sha256-sse1Cxzsrhg9X9zH/XSUtF/7YHrSUHYGtn4qoq5qdM4=";
   };
 
   postPatch = ''

pkgs/development/python-modules/python-mapnik/default.nix

@@ -114,6 +114,7 @@ buildPythonPackage rec {
       "test_pdf_printing"
       "test_render_with_scale_factor"
       "test_raster_warping"
+      "test_pycairo_svg_surface1"
     ]
     ++ lib.optionals stdenv.hostPlatform.isDarwin [
       "test_passing_pycairo_context_png"
@@ -121,7 +122,6 @@ buildPythonPackage rec {
       "test_pycairo_pdf_surface1"
       "test_pycairo_pdf_surface2"
       "test_pycairo_pdf_surface3"
-      "test_pycairo_svg_surface1"
       "test_pycairo_svg_surface2"
       "test_pycairo_svg_surface3"
     ];

pkgs/development/python-modules/torchio/default.nix

@@ -32,7 +32,7 @@ buildPythonPackage rec {
   pyproject = true;
 
   src = fetchFromGitHub {
-    owner = "fepegar";
+    owner = "TorchIO-project";
     repo = "torchio";
     tag = "v${version}";
     hash = "sha256-pcUc0pnpb3qQLMOYU9yh7cljyCQ+Ngf8fJDcrRrK8LQ=";

pkgs/top-level/all-packages.nix

@@ -5750,8 +5750,6 @@ with pkgs;
   zpaq = callPackage ../tools/archivers/zpaq { };
   zpaqd = callPackage ../tools/archivers/zpaq/zpaqd.nix { };
 
-  zint = qt6Packages.callPackage ../development/libraries/zint { };
-
   zstd = callPackage ../tools/compression/zstd {
     cmake = buildPackages.cmakeMinimal;
   };
@@ -12466,6 +12464,7 @@ with pkgs;
   postgresql16JitPackages = recurseIntoAttrs postgresql_16_jit.pkgs;
   postgresql17JitPackages = recurseIntoAttrs postgresql_17_jit.pkgs;
 
+  postgres-websockets = haskellPackages.postgres-websockets.bin;
   postgrest = haskellPackages.postgrest.bin;
 
   prom2json = callPackage ../servers/monitoring/prometheus/prom2json.nix { };

pkgs/top-level/python-packages.nix

@@ -6210,6 +6210,8 @@ self: super: with self; {
 
   hf-transfer = callPackage ../development/python-modules/hf-transfer { };
 
+  hf-xet = callPackage ../development/python-modules/hf-xet { };
+
   hfst = callPackage ../development/python-modules/hfst { };
 
   hg-commitsigs = callPackage ../development/python-modules/hg-commitsigs { };