Merge #179844: staging-next 2022-07-01

doc/languages-frameworks/perl.section.md

@@ -1,6 +1,6 @@
 # Perl {#sec-language-perl}
 
-## Running perl programs on the shell {#ssec-perl-running}
+## Running Perl programs on the shell {#ssec-perl-running}
 
 When executing a Perl script, it is possible you get an error such as `./myscript.pl: bad interpreter: /usr/bin/perl: no such file or directory`. This happens when the script expects Perl to be installed at `/usr/bin/perl`, which is not the case when using Perl from nixpkgs. You can fix the script by changing the first line to:
 
@@ -35,15 +35,16 @@ Perl packages from CPAN are defined in [pkgs/top-level/perl-packages.nix](https:
 
 ```nix
 ClassC3 = buildPerlPackage rec {
-  name = "Class-C3-0.21";
+  pname = "Class-C3";
+  version = "0.21";
   src = fetchurl {
-    url = "mirror://cpan/authors/id/F/FL/FLORA/${name}.tar.gz";
+    url = "mirror://cpan/authors/id/F/FL/FLORA/${pname}-${version}.tar.gz";
     sha256 = "1bl8z095y4js66pwxnm7s853pi9czala4sqc743fdlnk27kq94gz";
   };
 };
 ```
 
-Note the use of `mirror://cpan/`, and the `${name}` in the URL definition to ensure that the name attribute is consistent with the source that we’re actually downloading. Perl packages are made available in `all-packages.nix` through the variable `perlPackages`. For instance, if you have a package that needs `ClassC3`, you would typically write
+Note the use of `mirror://cpan/`, and the `pname` and `version` in the URL definition to ensure that the `pname` attribute is consistent with the source that we’re actually downloading. Perl packages are made available in `all-packages.nix` through the variable `perlPackages`. For instance, if you have a package that needs `ClassC3`, you would typically write
 
 ```nix
 foo = import ../path/to/foo.nix {
@@ -72,10 +73,11 @@ So what does `buildPerlPackage` do? It does the following:
 { buildPerlPackage, fetchurl, db }:
 
 buildPerlPackage rec {
-  name = "BerkeleyDB-0.36";
+  pname = "BerkeleyDB";
+  version = "0.36";
 
   src = fetchurl {
-    url = "mirror://cpan/authors/id/P/PM/PMQS/${name}.tar.gz";
+    url = "mirror://cpan/authors/id/P/PM/PMQS/${pname}-${version}.tar.gz";
     sha256 = "07xf50riarb60l1h6m2dqmql8q5dij619712fsgw7ach04d8g3z1";
   };
 
@@ -90,9 +92,10 @@ Dependencies on other Perl packages can be specified in the `buildInputs` and `p
 
 ```nix
 ClassC3Componentised = buildPerlPackage rec {
-  name = "Class-C3-Componentised-1.0004";
+  pname = "Class-C3-Componentised";
+  version = "1.0004";
   src = fetchurl {
-    url = "mirror://cpan/authors/id/A/AS/ASH/${name}.tar.gz";
+    url = "mirror://cpan/authors/id/A/AS/ASH/${pname}-${version}.tar.gz";
     sha256 = "0xql73jkcdbq4q9m0b0rnca6nrlvf5hyzy8is0crdk65bynvs8q1";
   };
   propagatedBuildInputs = [
@@ -111,7 +114,7 @@ ImageExifTool = buildPerlPackage {
   version = "11.50";
 
   src = fetchurl {
-    url = "https://www.sno.phy.queensu.ca/~phil/exiftool/Image-ExifTool-11.50.tar.gz";
+    url = "https://www.sno.phy.queensu.ca/~phil/exiftool/${pname}-${version}.tar.gz";
     sha256 = "0d8v48y94z8maxkmw1rv7v9m0jg2dc8xbp581njb6yhr7abwqdv3";
   };
 
@@ -139,9 +142,10 @@ This program takes a Perl module name, looks it up on CPAN, fetches and unpacks
 ```ShellSession
 $ nix-generate-from-cpan XML::Simple
   XMLSimple = buildPerlPackage rec {
-    name = "XML-Simple-2.22";
+    pname = "XML-Simple";
+    version = "2.22";
     src = fetchurl {
-      url = "mirror://cpan/authors/id/G/GR/GRANTM/${name}.tar.gz";
+      url = "mirror://cpan/authors/id/G/GR/GRANTM/XML-Simple-2.22.tar.gz";
       sha256 = "b9450ef22ea9644ae5d6ada086dc4300fa105be050a2030ebd4efd28c198eb49";
     };
     propagatedBuildInputs = [ XMLNamespaceSupport XMLSAX XMLSAXExpat ];

pkgs/applications/networking/cluster/kompose/default.nix

@@ -1,4 +1,4 @@
-{ lib, buildGoModule, fetchFromGitHub, installShellFiles, testers, kompose }:
+{ lib, buildGoModule, fetchFromGitHub, installShellFiles, testers, kompose, git }:
 
 buildGoModule rec {
   pname = "kompose";
@@ -13,7 +13,7 @@ buildGoModule rec {
 
   vendorSha256 = "sha256-OR5U2PnebO0a+lwU09Dveh0Yxk91cmSRorTxQIO5lHc=";
 
-  nativeBuildInputs = [ installShellFiles ];
+  nativeBuildInputs = [ installShellFiles git ];
 
   ldflags = [ "-s" "-w" ];
 

pkgs/applications/version-management/git-and-tools/gitbatch/default.nix

@@ -1,4 +1,4 @@
-{ lib, buildGoModule, fetchFromGitHub }:
+{ lib, buildGoModule, fetchFromGitHub, git }:
 
 buildGoModule rec {
   pname = "gitbatch";
@@ -15,7 +15,15 @@ buildGoModule rec {
 
   ldflags = [ "-s" "-w" ];
 
-  checkFlags = [ "-short" ];
+  nativeBuildInputs = [
+    git # required by unit tests
+  ];
+
+  preCheck = ''
+    HOME=$(mktemp -d)
+    # Disable tests requiring network access to gitlab.com
+    buildFlagsArray+=("-run" "[^(Test(Run|Start|(Fetch|Pull)With(Go|)Git))]")
+  '';
 
   meta = with lib; {
     description = "Running git UI commands";

pkgs/data/misc/cacert/default.nix

@@ -20,7 +20,7 @@ let
   blocklist = writeText "cacert-blocklist.txt" (lib.concatStringsSep "\n" blacklist);
   extraCertificatesBundle = writeText "cacert-extra-certificates-bundle.crt" (lib.concatStringsSep "\n\n" extraCertificateStrings);
 
-  srcVersion = "3.77";
+  srcVersion = "3.80";
   version = if nssOverride != null then nssOverride.version else srcVersion;
   meta = with lib; {
     homepage = "https://curl.haxx.se/docs/caextract.html";
@@ -35,7 +35,7 @@ let
 
     src = if nssOverride != null then nssOverride.src else fetchurl {
       url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings ["."] ["_"] version}_RTM/src/nss-${version}.tar.gz";
-      sha256 = "1pfy33b51914sivqyaxdwfd930hzb77gm07z4f57hnyk5xddypl2";
+      sha256 = "sha256-wL8f0sfimmsCswliK6r8RD7skMiTS7FV2ku5iYh4S2o=";
     };
 
     dontBuild = true;

pkgs/development/compilers/gcc/10/default.nix

@@ -53,11 +53,11 @@ with lib;
 with builtins;
 
 let majorVersion = "10";
-    version = "${majorVersion}.3.0";
+    version = "${majorVersion}.4.0";
 
     inherit (stdenv) buildPlatform hostPlatform targetPlatform;
 
-    patches = [ ./gcc10-asan-glibc-2.34.patch ]
+    patches = [ ]
       ++ optional (targetPlatform != hostPlatform) ../libstdc++-target.patch
       ++ optional noSysDirs ../no-sys-dirs.patch
       ++ optional (noSysDirs && hostPlatform.isRiscV) ../no-sys-dirs-riscv.patch
@@ -73,8 +73,6 @@ let majorVersion = "10";
       # Obtain latest patch with ../update-mcfgthread-patches.sh
       ++ optional (!crossStageStatic && targetPlatform.isMinGW) ./Added-mcf-thread-model-support-from-mcfgthread.patch
 
-      ++ [ ../libsanitizer-no-cyclades.patch ]
-
       ++ optional (buildPlatform.system == "aarch64-darwin" && targetPlatform != buildPlatform) (fetchpatch {
         url = "https://raw.githubusercontent.com/richard-vd/musl-cross-make/5e9e87f06fc3220e102c29d3413fbbffa456fcd6/patches/gcc-${version}/0008-darwin-aarch64-self-host-driver.patch";
         sha256 = "sha256-XtykrPd5h/tsnjY1wGjzSOJ+AyyNLsfnjuOZ5Ryq9vA=";
@@ -95,7 +93,7 @@ stdenv.mkDerivation ({
 
   src = fetchurl {
     url = "mirror://gcc/releases/gcc-${version}/gcc-${version}.tar.xz";
-    sha256 = "0i6378ig6h397zkhd7m4ccwjx5alvzrf2hm27p1pzwjhlv0h9x34";
+    sha256 = "1wg4xdizkksmwi66mvv2v4pk3ja8x64m7v9gzhykzd3wrmdpsaf9";
   };
 
   inherit patches;

pkgs/development/compilers/gcc/10/gcc10-asan-glibc-2.34.patch

@@ -1,70 +0,0 @@
-From 950bac27d63c1c2ac3a6ed867692d6a13f21feb3 Mon Sep 17 00:00:00 2001
-From: Jakub Jelinek <jakub@redhat.com>
-Date: Sat, 17 Apr 2021 11:27:14 +0200
-Subject: [PATCH] sanitizer: Fix asan against glibc 2.34 [PR100114]
-
-As mentioned in the PR, SIGSTKSZ is no longer a compile time constant in
-glibc 2.34 and later, so
-static const uptr kAltStackSize = SIGSTKSZ * 4;
-needs dynamic initialization, but is used by a function called indirectly
-from .preinit_array and therefore before the variable is constructed.
-This results in using 0 size instead and all asan instrumented programs
-die with:
-==91==ERROR: AddressSanitizer failed to allocate 0x0 (0) bytes of SetAlternateSignalStack (error code: 22)
-
-Here is a cherry-pick from upstream to fix this.
-
-2021-04-17  Jakub Jelinek  <jakub@redhat.com>
-
-	PR sanitizer/100114
-	* sanitizer_common/sanitizer_posix_libcdep.cpp: Cherry-pick
-	llvm-project revisions 82150606fb11d28813ae6da1101f5bda638165fe
-	and b93629dd335ffee2fc4b9b619bf86c3f9e6b0023.
-
-(cherry picked from commit d9f462fb372fb02da032cefd6b091d7582c425ae)
----
- .../sanitizer_common/sanitizer_posix_libcdep.cpp    | 13 ++++++++-----
- 1 file changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cpp b/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cpp
-index 304b3a01a08..ac88fbe074e 100644
---- a/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cpp
-+++ b/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cpp
-@@ -169,7 +169,11 @@ bool SupportsColoredOutput(fd_t fd) {
- 
- #if !SANITIZER_GO
- // TODO(glider): different tools may require different altstack size.
--static const uptr kAltStackSize = SIGSTKSZ * 4;  // SIGSTKSZ is not enough.
-+static uptr GetAltStackSize() {
-+  // SIGSTKSZ is not enough.
-+  static const uptr kAltStackSize = SIGSTKSZ * 4;
-+  return kAltStackSize;
-+}
- 
- void SetAlternateSignalStack() {
-   stack_t altstack, oldstack;
-@@ -180,10 +184,9 @@ void SetAlternateSignalStack() {
-   // TODO(glider): the mapped stack should have the MAP_STACK flag in the
-   // future. It is not required by man 2 sigaltstack now (they're using
-   // malloc()).
--  void* base = MmapOrDie(kAltStackSize, __func__);
--  altstack.ss_sp = (char*) base;
-+  altstack.ss_size = GetAltStackSize();
-+  altstack.ss_sp = (char *)MmapOrDie(altstack.ss_size, __func__);
-   altstack.ss_flags = 0;
--  altstack.ss_size = kAltStackSize;
-   CHECK_EQ(0, sigaltstack(&altstack, nullptr));
- }
- 
-@@ -191,7 +194,7 @@ void UnsetAlternateSignalStack() {
-   stack_t altstack, oldstack;
-   altstack.ss_sp = nullptr;
-   altstack.ss_flags = SS_DISABLE;
--  altstack.ss_size = kAltStackSize;  // Some sane value required on Darwin.
-+  altstack.ss_size = GetAltStackSize();  // Some sane value required on Darwin.
-   CHECK_EQ(0, sigaltstack(&altstack, &oldstack));
-   UnmapOrDie(oldstack.ss_sp, oldstack.ss_size);
- }
--- 
-2.27.0
-

pkgs/development/compilers/ghc/8.6.5-binary.nix

@@ -12,7 +12,8 @@ assert stdenv.targetPlatform == stdenv.hostPlatform;
 let
   useLLVM = !stdenv.targetPlatform.isx86;
 
-  useNcurses6 = stdenv.hostPlatform.system == "x86_64-linux";
+  useNcurses6 = stdenv.hostPlatform.system == "x86_64-linux"
+                || (with stdenv.hostPlatform; isPower64 && isLittleEndian);
 
   ourNcurses = if useNcurses6 then ncurses6 else ncurses5;
 
@@ -73,6 +74,10 @@ stdenv.mkDerivation rec {
       url = "${downloadsUrl}/${version}/ghc-${version}-x86_64-apple-darwin.tar.xz";
       sha256 = "0s9188vhhgf23q3rjarwhbr524z6h2qga5xaaa2pma03sfqvvhfz";
     };
+    powerpc64le-linux = {
+      url = "https://downloads.haskell.org/~ghc/${version}/ghc-${version}-powerpc64le-fedora29-linux.tar.xz";
+      sha256 = "sha256-tWSsJdPVrCiqDyIKzpBt5DaXb3b6j951tCya584kWs4=";
+    };
   }.${stdenv.hostPlatform.system}
     or (throw "cannot bootstrap GHC on this platform"));
 
@@ -211,7 +216,7 @@ stdenv.mkDerivation rec {
 
   meta = rec {
     license = lib.licenses.bsd3;
-    platforms = ["x86_64-linux" "i686-linux" "x86_64-darwin"];
+    platforms = ["x86_64-linux" "i686-linux" "x86_64-darwin" "powerpc64le-linux" ];
     # build segfaults, use ghc8102Binary which has proper musl support instead
     broken = stdenv.hostPlatform.isMusl;
     maintainers = with lib.maintainers; [

pkgs/development/go-modules/generic/default.nix

@@ -178,12 +178,22 @@ let
       exclude+='\)'
 
       buildGoDir() {
-        local d; local cmd;
+        local cmd="$1" dir="$2"
-        cmd="$1"
+
-        d="$2"
         . $TMPDIR/buildFlagsArray
+
+        declare -a flags
+        flags+=($buildFlags "''${buildFlagsArray[@]}")
+        flags+=(''${tags:+-tags=${lib.concatStringsSep "," tags}})
+        flags+=(''${ldflags:+-ldflags="$ldflags"})
+        flags+=("-v" "-p" "$NIX_BUILD_CORES")
+
+        if [ "$cmd" = "test" ]; then
+          flags+=($checkFlags)
+        fi
+
         local OUT
-        if ! OUT="$(go $cmd $buildFlags "''${buildFlagsArray[@]}" ''${tags:+-tags=${lib.concatStringsSep "," tags}} ''${ldflags:+-ldflags="$ldflags"} -v -p $NIX_BUILD_CORES $d 2>&1)"; then
+        if ! OUT="$(go $cmd "''${flags[@]}" $dir 2>&1)"; then
           if ! echo "$OUT" | grep -qE '(no( buildable| non-test)?|build constraints exclude all) Go (source )?files'; then
             echo "$OUT" >&2
             return 1
@@ -241,7 +251,7 @@ let
       runHook preCheck
 
       for pkg in $(getGoDirs test); do
-        buildGoDir test $checkFlags "$pkg"
+        buildGoDir test "$pkg"
       done
 
       runHook postCheck

pkgs/development/go-packages/generic/default.nix

@@ -160,12 +160,22 @@ let
       exclude+='\)'
 
       buildGoDir() {
-        local d; local cmd;
+        local cmd="$1" dir="$2"
-        cmd="$1"
+
-        d="$2"
         . $TMPDIR/buildFlagsArray
+
+        declare -a flags
+        flags+=($buildFlags "''${buildFlagsArray[@]}")
+        flags+=(''${tags:+-tags=${lib.concatStringsSep "," tags}})
+        flags+=(''${ldflags:+-ldflags="$ldflags"})
+        flags+=("-v" "-p" "$NIX_BUILD_CORES")
+
+        if [ "$cmd" = "test" ]; then
+          flags+=($checkFlags)
+        fi
+
         local OUT
-        if ! OUT="$(go $cmd $buildFlags "''${buildFlagsArray[@]}" ''${tags:+-tags=${lib.concatStringsSep "," tags}} ''${ldflags:+-ldflags="$ldflags"} -v -p $NIX_BUILD_CORES $d 2>&1)"; then
+        if ! OUT="$(go $cmd "''${flags[@]}" $dir 2>&1)"; then
           if ! echo "$OUT" | grep -qE '(no( buildable| non-test)?|build constraints exclude all) Go (source )?files'; then
             echo "$OUT" >&2
             return 1
@@ -225,7 +235,7 @@ let
       runHook preCheck
 
       for pkg in $(getGoDirs test); do
-        buildGoDir test $checkFlags "$pkg"
+        buildGoDir test "$pkg"
       done
 
       runHook postCheck

pkgs/development/libraries/audio/libopenmpt/default.nix

@@ -16,13 +16,13 @@
 
 stdenv.mkDerivation rec {
   pname = "libopenmpt";
-  version = "0.6.3";
+  version = "0.6.4";
 
   outputs = [ "out" "dev" "bin" ];
 
   src = fetchurl {
     url = "https://lib.openmpt.org/files/libopenmpt/src/libopenmpt-${version}+release.autotools.tar.gz";
-    sha256 = "pBCv63zVlwsWuabOfazPSVsaXpEhqdZELeDAKP1Uols=";
+    sha256 = "4J+4RcMpJwCnrBPDsx1mns072+vL/hMo66I3bOvkAWI=";
   };
 
   enableParallelBuilding = true;

pkgs/development/libraries/glib/default.nix

@@ -45,11 +45,11 @@ in
 
 stdenv.mkDerivation rec {
   pname = "glib";
-  version = "2.72.2";
+  version = "2.72.3";
 
   src = fetchurl {
     url = "mirror://gnome/sources/glib/${lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
-    sha256 = "eNWZoTPbp/4gNt+o24+2Exq5ZCeD/JV4sHogmVJS0t4=";
+    sha256 = "Sjmi9iS4US1QDVhAFz7af6hfUcEJBS6ugGrOzoXTRfA=";
   };
 
   patches = optionals stdenv.isDarwin [

pkgs/development/libraries/gnu-efi/default.nix

@@ -12,6 +12,16 @@ stdenv.mkDerivation rec {
     sha256 = "tztkOg1Wl9HzltdDFEjoht2AVmh4lXjj4aKCd8lShDU=";
   };
 
+  patches = [
+    # Pull fix pending upstream inclusion for parallel builds
+    #  https://sourceforge.net/p/gnu-efi/patches/84/
+    (fetchurl {
+      name = "parallel-build.patch";
+      url = "https://sourceforge.net/p/gnu-efi/patches/84/attachment/0001-lib-Makefile-add-.o-file-dependency-on-libsubdirs-ta.patch";
+      sha256 = "sha256-+2UwV2lopdB/tazib1BLzO1E3GgB1L8dZsSQKWVoLwA=";
+    })
+  ];
+
   buildInputs = [ pciutils ];
 
   hardeningDisable = [ "stackprotector" ];

pkgs/development/libraries/gpgme/default.nix

@@ -47,6 +47,9 @@ stdenv.mkDerivation rec {
     ./python-310-detection-without-distutils.patch
     # Find correct version string for Python >= 3.10, https://dev.gnupg.org/D546
     ./python-find-version-string-above-310.patch
+    # Fix a test after disallowing compressed signatures in gpg (PR #180336)
+    ./test_t-verify_double-plaintext.patch
+
     # Disable python tests on Darwin as they use gpg (see configureFlags below)
   ] ++ lib.optional stdenv.isDarwin ./disable-python-tests.patch
   # Fix _AC_UNDECLARED_WARNING for autoconf>=2.70

pkgs/development/libraries/gpgme/test_t-verify_double-plaintext.patch

@@ -0,0 +1,31 @@
+--- a/tests/gpg/t-verify.c
++++ b/tests/gpg/t-verify.c
+@@ -304,7 +304,7 @@
+   err = gpgme_data_new (&text);
+   fail_if_err (err);
+   err = gpgme_op_verify (ctx, sig, NULL, text);
+-  if (gpgme_err_code (err) != GPG_ERR_BAD_DATA)
++  if (gpgme_err_code (err) == GPG_ERR_NO_ERROR)
+     {
+       fprintf (stderr, "%s:%i: Double plaintext message not detected\n",
+ 	       PGM, __LINE__);
+--- a/lang/python/tests/t-verify.py
++++ b/lang/python/tests/t-verify.py
+@@ -142,7 +142,7 @@
+     c.op_verify(sig, None, text)
+ except Exception as e:
+     assert type(e) == gpg.errors.GPGMEError
+-    assert e.getcode() == gpg.errors.BAD_DATA
++    assert e.getcode() != gpg.errors.NO_ERROR
+ else:
+     assert False, "Expected an error but got none."
+ 
+@@ -178,7 +178,7 @@
+     try:
+         c.verify(double_plaintext_sig)
+     except gpg.errors.GPGMEError as e:
+-        assert e.getcode() == gpg.errors.BAD_DATA
++        assert e.getcode() != gpg.errors.NO_ERROR
+     else:
+         assert False, "Expected an error but got none."
+ 

pkgs/development/libraries/libaom/default.nix

@@ -1,15 +1,15 @@
 { lib, stdenv, fetchzip, yasm, perl, cmake, pkg-config, python3
-, enableButteraugli ? false, libjxl # Broken
+, enableButteraugli ? true, libjxl
 , enableVmaf ? true, libvmaf
 }:
 
 stdenv.mkDerivation rec {
   pname = "libaom";
-  version = "3.3.0";
+  version = "3.4.0";
 
   src = fetchzip {
     url = "https://aomedia.googlesource.com/aom/+archive/v${version}.tar.gz";
-    sha256 = "sha256-g6QkKLrk+SH1s5fRmseAQMmM6y4QwmKmVDPxdbqGmwg=";
+    sha256 = "sha256-NgzpVxQmsgOPzKkGpJIJrLiNQcruhpEoCi/CYJx5b3A=";
     stripRoot = false;
   };
 

pkgs/development/libraries/libjxl/default.nix

@@ -48,6 +48,17 @@ stdenv.mkDerivation rec {
       url = "https://github.com/libjxl/libjxl/commit/204f87a5e4d684544b13900109abf040dc0b402b.patch";
       sha256 = "sha256-DoAaYWLmQ+R9GZbHMTYGe0gBL9ZesgtB+2WhmbARna8=";
     })
+
+    # fix build with asciidoc wrapped in shell script
+    (fetchpatch {
+      url = "https://github.com/libjxl/libjxl/commit/b8ec58c58c6281987f42ebec892f513824c0cc0e.patch";
+      hash = "sha256-g8U+YVhLfgSHJ+PWJgvVOI66+FElJSC8IgSRodNnsMw=";
+    })
+    (fetchpatch {
+      url = "https://github.com/libjxl/libjxl/commit/ca8e276aacf63a752346a6a44ba673b0af993237.patch";
+      excludes = [ "AUTHORS" ];
+      hash = "sha256-9VXy1LdJ0JhYbCGPNMySpnGLBxUrr8BYzE+oU3LnUGw=";
+    })
   ];
 
   nativeBuildInputs = [

pkgs/development/libraries/libsoup/3.x.nix

@@ -21,13 +21,13 @@
 
 stdenv.mkDerivation rec {
   pname = "libsoup";
-  version = "3.0.6";
+  version = "3.0.7";
 
   outputs = [ "out" "dev" ];
 
   src = fetchurl {
     url = "mirror://gnome/sources/${pname}/${lib.versions.majorMinor version}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-tF1Z+EC5rPm7Rf1FhU4+9nL1fjq5V0AcOtjXUCrCPaY=";
+    sha256 = "sha256-69+QzzWZwRrLtoGKnZ4/ydLGjlbrgpuTlilyaD4b98g=";
   };
 
   nativeBuildInputs = [

pkgs/development/libraries/liburing/default.nix

@@ -4,12 +4,12 @@
 
 stdenv.mkDerivation rec {
   pname = "liburing";
-  version = "2.1"; # remove patch when updating
+  version = "2.2";
 
   src = fetchgit {
     url    = "http://git.kernel.dk/${pname}";
     rev    = "liburing-${version}";
-    sha256 = "sha256-7wSpKqjIdQeOdsQu4xN3kFHV49n6qQ3xVbjUcY1tmas=";
+    sha256 = "sha256-M/jfxZ+5DmFvlAt8sbXrjBTPf2gLd9UyTNymtjD+55g";
   };
 
   separateDebugInfo = true;
@@ -43,15 +43,6 @@ stdenv.mkDerivation rec {
     cp ./examples/ucontext-cp $bin/bin/io_uring-ucontext-cp
   '';
 
-  # fix for compilation on 32-bit ARM, merged by upstream but not released; remove when
-  # upstream releases an update
-  patches = lib.optional stdenv.isAarch32 [
-    (fetchpatch {
-      url = "https://github.com/axboe/liburing/commit/e75a6cfa085fc9b5dbf5140fc1efb5a07b6b829e.diff";
-      sha256 = "sha256-qQEQXYm5mkws2klLxwuuoPSPRkpP1s6tuylAAEp7+9E=";
-    })
-  ];
-
   meta = with lib; {
     description = "Userspace library for the Linux io_uring API";
     homepage    = "https://git.kernel.dk/cgit/liburing/";

pkgs/development/libraries/pcre2/default.nix

@@ -6,16 +6,20 @@
 stdenv.mkDerivation rec {
   pname = "pcre2";
   version = "10.40";
+
   src = fetchurl {
     url = "https://github.com/PhilipHazel/pcre2/releases/download/pcre2-${version}/pcre2-${version}.tar.bz2";
     hash = "sha256-FOS4PEeDkz3BfpZDGOYyT3yuG8ddjzx5vGlp8AwVnWg=";
   };
 
-  # Disable jit on Apple Silicon, https://github.com/zherczeg/sljit/issues/51
   configureFlags = [
     "--enable-pcre2-16"
     "--enable-pcre2-32"
-  ] ++ lib.optional (!(stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64)) "--enable-jit=auto";
+    # only enable jit on supported platforms which excludes Apple Silicon, see https://github.com/zherczeg/sljit/issues/51
+    "--enable-jit=auto"
+    # fix pcre jit in systemd units that set MemoryDenyWriteExecute=true like gitea
+    "--enable-jit-sealloc"
+  ];
 
   outputs = [ "bin" "dev" "out" "doc" "man" "devdoc" ];
 
@@ -24,7 +28,7 @@ stdenv.mkDerivation rec {
   '';
 
   meta = with lib; {
-    homepage = "http://www.pcre.org/";
+    homepage = "https://www.pcre.org/";
     description = "Perl Compatible Regular Expressions";
     license = licenses.bsd3;
     maintainers = with maintainers; [ ttuegel ];

pkgs/development/libraries/proj/7.nix

@@ -27,6 +27,7 @@ stdenv.mkDerivation rec {
       url = "https://github.com/OSGeo/PROJ/commit/6f1a3c4648bf06862dca0b3725cbb3b7ee0284e3.diff";
       sha256 = "0gapny0a9c3r0x9szjgn86sspjrrf4vwbija77b17w6ci5cq4pdf";
     })
+    ./tests-sqlite-3.39.patch
   ];
 
   postPatch = lib.optionalString (version == "7.2.1") ''

pkgs/development/libraries/proj/tests-sqlite-3.39.patch

@@ -0,0 +1,13 @@
+Drop tests that time out with newest sqlite.
+https://github.com/OSGeo/PROJ/issues/3254
+
+--- a/test/cli/CMakeLists.txt
++++ b/test/cli/CMakeLists.txt
+@@ -16 +15,0 @@
+-proj_add_test_script_sh("testprojinfo" PROJINFO_BIN)
+--- a/test/unit/CMakeLists.txt
++++ b/test/unit/CMakeLists.txt
+@@ -144,3 +143,0 @@
+-add_test(NAME proj_test_cpp_api COMMAND proj_test_cpp_api)
+-set_property(TEST proj_test_cpp_api
+-  PROPERTY ENVIRONMENT ${PROJ_TEST_ENVIRONMENT})

pkgs/development/libraries/re2/default.nix

@@ -15,13 +15,13 @@
 
 stdenv.mkDerivation rec {
   pname = "re2";
-  version = "2022-04-01";
+  version = "2022-06-01";
 
   src = fetchFromGitHub {
     owner = "google";
     repo = "re2";
     rev = version;
-    sha256 = "sha256-ywmXIAyVWYMKBOsAndcq7dFYpn9ZgNz5YWTPjylXxsk=";
+    sha256 = "sha256-UontAjOXpnPcOgoFHjf+1WSbCR7h58/U7nn4meT200Y=";
   };
 
   preConfigure = ''
@@ -33,11 +33,6 @@ stdenv.mkDerivation rec {
   buildFlags = lib.optionals stdenv.hostPlatform.isStatic [ "static" ];
 
   enableParallelBuilding = true;
-  # Broken when shared/static are tested in parallel:
-  #   cp: cannot create regular file 'obj/testinstall.cc': File exists
-  #   make: *** [Makefile:334: static-testinstall] Error 1
-  # Will be fixed by https://code-review.googlesource.com/c/re2/+/59830
-  enableParallelChecking = false;
 
   preCheck = "patchShebangs runtests";
   doCheck = true;

pkgs/development/libraries/sqlite/default.nix

@@ -12,13 +12,13 @@ in
 
 stdenv.mkDerivation rec {
   pname = "sqlite${optionalString interactive "-interactive"}";
-  version = "3.38.5";
+  version = "3.39.0";
 
   # nixpkgs-update: no auto update
   # NB! Make sure to update ./tools.nix src (in the same directory).
   src = fetchurl {
     url = "https://sqlite.org/2022/sqlite-autoconf-${archiveVersion version}.tar.gz";
-    sha256 = "sha256-WvB96YK6ZY/ZGgMXDJRfmclx9pVbx53zJmVENz45hpw=";
+    sha256 = "sha256-6QvK723VgT/N7k6Gf2tl88m/0K7A8QF/nzu84eTtCeI=";
   };
 
   outputs = [ "bin" "dev" "out" ];

pkgs/development/libraries/sqlite/tools.nix

@@ -4,12 +4,12 @@ let
   archiveVersion = import ./archive-version.nix lib;
   mkTool = { pname, makeTarget, description, homepage, mainProgram }: stdenv.mkDerivation rec {
     inherit pname;
-    version = "3.38.5";
+    version = "3.39.0";
 
     # nixpkgs-update: no auto update
     src = assert version == sqlite.version; fetchurl {
       url = "https://sqlite.org/2022/sqlite-src-${archiveVersion version}.zip";
-      sha256 = "sha256-ZQO7WeOeyGYwg2lpQOyBjNVVUZbmylQ9QClEDMp7ANk=";
+      sha256 = "sha256-s1hfN90Qbbs9RsjBei0nX5pLh9+MRQm9LWpbQAMkJuY=";
     };
 
     nativeBuildInputs = [ unzip ];

pkgs/development/libraries/tracker/default.nix

@@ -38,6 +38,14 @@ stdenv.mkDerivation rec {
     sha256 = "Wtb1vJd4Hr9V7NaUfNSuf/QZJRZYDRC9g4Dx3UcZbtI=";
   };
 
+  patches = [
+    ./fix-test-order.patch
+  ];
+
+  postPatch = ''
+    patchShebangs utils/data-generators/cc/generate
+  '';
+
   nativeBuildInputs = [
     meson
     ninja
@@ -78,10 +86,6 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
 
-  postPatch = ''
-    patchShebangs utils/data-generators/cc/generate
-  '';
-
   preCheck = ''
     # (tracker-store:6194): Tracker-CRITICAL **: 09:34:07.722: Cannot initialize database: Could not open sqlite3 database:'/homeless-shelter/.cache/tracker/meta.db': unable to open database file
     export HOME=$(mktemp -d)

pkgs/development/libraries/tracker/fix-test-order.patch

@@ -0,0 +1,9 @@
+diff --git a/tests/libtracker-data/algebra/filter-scope-1.rq b/tests/libtracker-data/algebra/filter-scope-1.rq
+index 7ee5a24ad..a8cd89ca9 100644
+--- a/tests/libtracker-data/algebra/filter-scope-1.rq
++++ b/tests/libtracker-data/algebra/filter-scope-1.rq
+@@ -7,3 +7,4 @@ SELECT ?v ?w ?v2
+       OPTIONAL {  :x :p ?v2 FILTER(?v = 1) }
+     }
+ }
++ORDER BY ?v ?w ?v2

pkgs/development/perl-modules/generic/default.nix

@@ -27,27 +27,16 @@
 , ...
 }@attrs:
 
-assert attrs?pname -> attrs?version;
+lib.throwIf (attrs ? name) "buildPerlPackage: `name` (\"${attrs.name}\") is deprecated, use `pname` and `version` instead"
-assert attrs?pname -> !(attrs?name);
-
-lib.warnIf (attrs ? name) "builtPerlPackage: `name' (\"${attrs.name}\") is deprecated, use `pname' and `version' instead"
 
 (let
   defaultMeta = {
-    homepage = "https://metacpan.org/release/${lib.getName attrs}"; # TODO: phase-out `attrs.name`
+    homepage = "https://metacpan.org/dist/${attrs.pname}";
-    mainProgram = attrs.pname or (builtins.parseDrvName attrs.name).name;
+    inherit (perl.meta) platforms;
-    platforms = perl.meta.platforms;
   };
 
-  cleanedAttrs = builtins.removeAttrs attrs [
+  package = stdenv.mkDerivation (attrs // {
-    "meta" "builder" "version" "pname" "fullperl"
+    name = "perl${perl.version}-${attrs.pname}-${attrs.version}";
-    "buildInputs" "nativeBuildInputs" "buildInputs"
-    "PERL_AUTOINSTALL" "AUTOMATED_TESTING" "PERL_USE_UNSAFE_INC"
-    ];
-
-  package = stdenv.mkDerivation ({
-    pname = "perl${perl.version}-${lib.getName attrs}"; # TODO: phase-out `attrs.name`
-    version = lib.getVersion attrs;                     # TODO: phase-out `attrs.name`
 
     builder = ./builder.sh;
 
@@ -60,6 +49,6 @@ lib.warnIf (attrs ? name) "builtPerlPackage: `name' (\"${attrs.name}\") is depre
     inherit PERL_AUTOINSTALL AUTOMATED_TESTING PERL_USE_UNSAFE_INC;
 
     meta = defaultMeta // (attrs.meta or { });
-  } // cleanedAttrs);
+  });
 
 in toPerlModule package)

pkgs/development/python-modules/Cython/default.nix

@@ -4,7 +4,6 @@
 , fetchPypi
 , fetchpatch
 , python
-, glibcLocales
 , pkg-config
 , gdb
 , numpy
@@ -24,12 +23,13 @@ let
   ;
 
 in buildPythonPackage rec {
-  pname = "Cython";
+  pname = "cython";
-  version = "0.29.28";
+  version = "0.29.30";
 
   src = fetchPypi {
-    inherit pname version;
+    pname = "Cython";
-    sha256 = "sha256-1vrCNCgCww5RQmgo/ghP9N6xszhzZ8+Yl2uy5ktvjkU=";
+    inherit version;
+    sha256 = "sha256-IjW2Laj+b6i5lCLI5YPy+5XhQ4Z9M3tcdeS5oahl+eM=";
   };
 
   nativeBuildInputs = [
@@ -40,7 +40,6 @@ in buildPythonPackage rec {
     gdb numpy ncurses
   ];
 
-  buildInputs = [ glibcLocales ];
   LC_ALL = "en_US.UTF-8";
 
   patches = [

pkgs/development/python-modules/babel/default.nix

@@ -2,12 +2,12 @@
 
 buildPythonPackage rec {
   pname = "babel";
-  version = "2.10.1";
+  version = "2.10.3";
 
   src = fetchPypi {
     pname = "Babel";
     inherit version;
-    sha256 = "sha256-mK6soIYTPvs+HiqtA5aYdJDIQlkp3bz+BVAYT9xUzRM=";
+    sha256 = "sha256-dhRVNxHul0kPcyEm3Ad/jQrghOvGqW4j2xSCr6vbLFE=";
   };
 
   propagatedBuildInputs = [ pytz ];

pkgs/development/python-modules/certifi/default.nix

@@ -7,7 +7,7 @@
 
 buildPythonPackage rec {
   pname = "certifi";
-  version = "2022.05.18.1";
+  version = "2022.06.15";
 
   disabled = pythonOlder "3.5";
 
@@ -15,7 +15,7 @@ buildPythonPackage rec {
     owner = pname;
     repo = "python-certifi";
     rev = version;
-    sha256 = "sha256-uDNVzKcT45mz0zXBwPkttKV21fEcgbRamE3+QutNLjA=";
+    sha256 = "sha256-CKO8wF5FMGLIZbTd7YrKE9OWV9MbfQ2+BMc5IPk1FFU=";
   };
 
   checkInputs = [

pkgs/development/python-modules/google-auth/default.nix

@@ -4,6 +4,7 @@
 , fetchPypi
 , pytestCheckHook
 , cachetools
+, cryptography
 , flask
 , freezegun
 , mock
@@ -32,6 +33,7 @@ buildPythonPackage rec {
   ];
 
   checkInputs = [
+    cryptography
     flask
     freezegun
     mock
@@ -46,21 +48,11 @@ buildPythonPackage rec {
     "google.oauth2"
   ];
 
-  disabledTests = lib.optionals stdenv.isDarwin [
+  disabledTestPaths = [
-    "test_request_with_timeout_success"
+    # Disable tests related to pyopenssl
-    "test_request_with_timeout_failure"
+    "tests/transport/test__mtls_helper.py"
-    "test_request_headers"
+    "tests/transport/test_requests.py"
-    "test_request_error"
+    "tests/transport/test_urllib3.py"
-    "test_request_basic"
-  ] ++ lib.optionals (stdenv.isDarwin && stdenv.isAarch64) [
-    # E MemoryError: Cannot allocate write+execute memory for ffi.callback().
-    # You might be running on a system that prevents this.
-    # For more information, see https://cffi.readthedocs.io/en/latest/using.html#callbacks
-    "test_configure_mtls_channel_with_callback"
-    "test_configure_mtls_channel_with_metadata"
-    "TestDecryptPrivateKey"
-    "TestMakeMutualTlsHttp"
-    "TestMutualTlsAdapter"
   ];
 
   meta = with lib; {

pkgs/development/python-modules/jsonschema/default.nix

@@ -14,14 +14,14 @@
 
 buildPythonPackage rec {
   pname = "jsonschema";
-  version = "4.6.0";
+  version = "4.6.1";
   format = "pyproject";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-nWOXukpsC/AwBzYFf2SePhLsvAfT6BoNrLct5OmAGVc=";
+    sha256 = "sha256-7CgC5qN1F/CdR9m6EHlHWJrh0l/1V7kl2DoyH8KqXTs=";
   };
 
   postPatch = ''

pkgs/development/python-modules/pycares/default.nix

@@ -8,11 +8,11 @@
 
 buildPythonPackage rec {
   pname = "pycares";
-  version = "4.1.2";
+  version = "4.2.1";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-A0kL4Oe1GgyAc/h3vsNH7/MQA/ZPV9lRjUGdk2lFKDc=";
+    sha256 = "sha256-c1tPdf0PWVxOkYTaGM2Hc39GvIGmTqQfTtzitraNRtI=";
   };
 
   buildInputs = [

pkgs/development/python-modules/pycryptodome/default.nix

@@ -11,14 +11,14 @@ let
 in
 buildPythonPackage rec {
   pname = "pycryptodome";
-  version = "3.14.1";
+  version = "3.15.0";
   format = "setuptools";
 
   src = fetchFromGitHub {
     owner = "Legrandin";
     repo = "pycryptodome";
     rev = "v${version}";
-    hash = "sha256-0GjpKNyALe2Q1R3dEjeAEn6E8hxYDic/vbN1YkVaUfs=";
+    hash = "sha256-SPRoAfwP1MFlVzZsVWmXDWUY5Yje7eg7d+9zJhZNXrw=";
   };
 
   postPatch = ''

pkgs/development/python-modules/pytest-mock/default.nix

@@ -1,6 +1,6 @@
 { lib
 , buildPythonPackage
-, fetchpatch
+, pythonOlder
 , fetchPypi
 , pytest
 , pytest-asyncio
@@ -10,24 +10,20 @@
 
 buildPythonPackage rec {
   pname = "pytest-mock";
-  version = "3.7.0";
+  version = "3.8.1";
+
+  disabled = pythonOlder "3.7";
+
+  format = "setuptools";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-URK9ksyfGG7pbhqS78hJaepJSTnDrq05xQ9CHEzGlTQ=";
+    hash = "sha256-LG11bV07+Y4ugHl6lZyn+B9Hnn0fX1cWEbD91tF0UkA=";
   };
 
-  patches = [
-    (fetchpatch {
-      # pytest7 compatbilitya
-      url = "https://github.com/pytest-dev/pytest-mock/commit/0577f1ad051fb8d0da94ea22dcb02346d74064b2.patch";
-      hash = "sha256-eim4v7U8Mjigr462bXI0pKH/M0ANBzSRc0lT4RpbZ0w=";
-    })
-  ];
-
   nativeBuildInputs = [ setuptools-scm ];
 
-  propagatedBuildInputs = [
+  buildInputs = [
     pytest
   ];
 
@@ -36,18 +32,13 @@ buildPythonPackage rec {
     pytestCheckHook
   ];
 
-  disabledTests = [
-    # output of pytest has changed
-    "test_used_with_"
-    "test_plain_stopall"
-  ];
-
   pythonImportsCheck = [ "pytest_mock" ];
 
   meta = with lib; {
-    description = "Thin-wrapper around the mock package for easier use with pytest";
+    description = "Thin wrapper around the mock package for easier use with pytest";
     homepage = "https://github.com/pytest-dev/pytest-mock";
-    license = with licenses; [ mit ];
+    changelog = "https://github.com/pytest-dev/pytest-mock/blob/v${version}/CHANGELOG.rst";
+    license = licenses.mit;
     maintainers = with maintainers; [ dotlambda ];
   };
 }

pkgs/development/python-modules/pythran/0001-hardcode-path-to-libgomp.patch

@@ -1,64 +1,79 @@
-From 208fe98f10c580a5a2fb6a8cfdd56de109073925 Mon Sep 17 00:00:00 2001
-From: Frederik Rietdijk <fridh@fridh.nl>
-Date: Sat, 17 Jul 2021 18:36:27 +0200
-Subject: [PATCH] hardcode path to libgomp
-
----
- omp/__init__.py | 40 ++++------------------------------------
- 1 file changed, 4 insertions(+), 36 deletions(-)
-
 diff --git a/omp/__init__.py b/omp/__init__.py
-index bddae3063..9ba3678d8 100644
+index 3801d1c8c..a93a74d6f 100644
 --- a/omp/__init__.py
 +++ b/omp/__init__.py
-@@ -69,43 +69,11 @@ class OpenMP(object):
+@@ -48,72 +48,8 @@ class OpenMP(object):
+         return ['omp', 'gomp', 'iomp5']
  
      def init_not_msvc(self):
-         """ Find OpenMP library and try to load if using ctype interface. """
+-        """ Find OpenMP library and try to load if using ctype interface. """
--        # find_library() does not search automatically LD_LIBRARY_PATH
+-        # find_library() does not automatically search LD_LIBRARY_PATH
--        paths = os.environ.get('LD_LIBRARY_PATH', '').split(':')
+-        # until Python 3.6+, so we explicitly add it.
-+        libgomp_path = "@gomp@"
+-        # LD_LIBRARY_PATH is used on Linux, while macOS uses DYLD_LIBRARY_PATH
- 
+-        # and DYLD_FALLBACK_LIBRARY_PATH.
--        for libomp_name in self.get_libomp_names():
+-        env_vars = []
--            if cxx is None or sys.platform == 'win32':
+-        if sys.platform == 'darwin':
--                # Note: Clang supports -print-file-name, but not yet for
+-            env_vars = ['DYLD_LIBRARY_PATH', 'DYLD_FALLBACK_LIBRARY_PATH']
--                # clang-cl as of v12.0.0 (April '21)
--                continue
--
--            cmd = [cxx, '-print-file-name=' + libomp_name]
--            # the subprocess can fail in various ways in that case just give up
--            try:
--                path = os.path.dirname(check_output(cmd).decode().strip())
--                if path:
--                    paths.append(path)
--            except (OSError, CalledProcessError):
--                pass
--
--        # Try to load find libgomp shared library using loader search dirs
--        libgomp_path = find_library("gomp")
--
--        # Try to use custom paths if lookup failed
--        for path in paths:
--            if libgomp_path:
--                break
--            path = path.strip()
--            if os.path.isdir(path):
--                libgomp_path = find_library(os.path.join(str(path), "libgomp"))
--
--        if not libgomp_path:
--            raise ImportError("I can't find a shared library for libgomp,"
--                              " you may need to install it or adjust the "
--                              "LD_LIBRARY_PATH environment variable.")
 -        else:
--            # Load the library (shouldn't fail with an absolute path right?)
+-            env_vars = ['LD_LIBRARY_PATH']
--            self.libomp = ctypes.CDLL(libgomp_path)
+-
--            self.version = 45
+-        paths = []
-+        # Load the library (shouldn't fail with an absolute path right?)
+-        for env_var in env_vars:
-+        self.libomp = ctypes.CDLL(libgomp_path)
+-            env_paths = os.environ.get(env_var, '')
+-            if env_paths:
+-                paths.extend(env_paths.split(os.pathsep))
+-
+-
+-        libomp_names = self.get_libomp_names()
+-
+-        if cxx is not None:
+-            for libomp_name in libomp_names:
+-                cmd = [cxx,
+-                       '-print-file-name=lib{}{}'.format(
+-                           libomp_name,
+-                           get_shared_lib_extension())]
+-                # The subprocess can fail in various ways, including because it
+-                # doesn't support '-print-file-name'. In that case just give up.
+-                try:
+-                    output = check_output(cmd,
+-                                          stderr=DEVNULL)
+-                    path = os.path.dirname(output.decode().strip())
+-                    if path:
+-                        paths.append(path)
+-                except (OSError, CalledProcessError):
+-                    pass
+-
+-
+-        for libomp_name in libomp_names:
+-            # Try to load find libomp shared library using loader search dirs
+-            libomp_path = find_library(libomp_name)
+-
+-            # Try to use custom paths if lookup failed
+-            if not libomp_path:
+-                for path in paths:
+-                    candidate_path = os.path.join(
+-                        path,
+-                        'lib{}{}'.format(libomp_name,
+-                                         get_shared_lib_extension()))
+-                    if os.path.isfile(candidate_path):
+-                        libomp_path = candidate_path
+-                        break
+-
+-            # Load the library
+-            if libomp_path:
+-                try:
+-                    self.libomp = ctypes.CDLL(libomp_path)
+-                except OSError:
+-                    raise ImportError("found openMP library '{}' but couldn't load it. "
+-                                      "This may happen if you are cross-compiling.".format(libomp_path))
+-                self.version = 45
+-                return
+-
+-        raise ImportError("I can't find a shared library for libomp, you may need to install it "
+-                          "or adjust the {} environment variable.".format(env_vars[0]))
+-
++        self.libomp = ctypes.CDLL("@gomp@")
 +        self.version = 45
  
      def __getattr__(self, name):
          """
--- 
-2.32.0
-

pkgs/development/python-modules/pythran/default.nix

@@ -3,7 +3,6 @@
 , buildPythonPackage
 , fetchFromGitHub
 , openmp
-, pytest-runner
 , ply
 , networkx
 , decorator
@@ -11,8 +10,6 @@
 , six
 , numpy
 , beniget
-, pytestCheckHook
-, scipy
 , isPy3k
 , substituteAll
 }:
@@ -22,13 +19,13 @@ let
 
 in buildPythonPackage rec {
   pname = "pythran";
-  version = "0.9.12";
+  version = "0.11.0";
 
   src = fetchFromGitHub {
     owner = "serge-sans-paille";
     repo = "pythran";
     rev = version;
-    sha256 = "sha256-lQbVq4K/Q8RzlFhE+l3HPCmUGmauXawcKe31kfbUHsI=";
+    sha256 = "sha256-F9gUZOTSuiqvfGoN4yQqwUg9mnCeBntw5eHO7ZnjpzI=";
   };
 
   patches = [
@@ -39,10 +36,6 @@ in buildPythonPackage rec {
     })
   ];
 
-  nativeBuildInputs = [
-    pytest-runner
-  ];
-
   propagatedBuildInputs = [
     ply
     networkx
@@ -62,14 +55,7 @@ in buildPythonPackage rec {
     "pythran.spec"
   ];
 
-  checkInputs = [
+  # Test suite is huge and has a circular dependency on scipy.
-    pytestCheckHook
-    numpy
-    scipy
-  ];
-
-  # Test suite is huge.
-  # Also, in the future scipy will rely on it resulting in a circular test dependency
   doCheck = false;
 
   disabled = !isPy3k;
@@ -79,5 +65,4 @@ in buildPythonPackage rec {
     homepage = "https://github.com/serge-sans-paille/pythran";
     license = lib.licenses.bsd3;
   };
-
 }

pkgs/development/python-modules/requests/default.nix

@@ -17,12 +17,12 @@
 
 buildPythonPackage rec {
   pname = "requests";
-  version = "2.28.0";
+  version = "2.28.1";
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-1WhyOn69JYddjR6vXfoGjNL8gZSy5IPXsffIGRjb7Gs=";
+    hash = "sha256-fFWZsQL+3apmHIJsVqtP7ii/0X9avKHrvj5/GdfJeYM=";
   };
 
   patches = [

pkgs/development/python-modules/setuptools-scm/default.nix

@@ -3,6 +3,7 @@
 , fetchPypi
 , packaging
 , tomli
+, setuptools
 , lib
 }:
 
@@ -19,6 +20,7 @@ buildPythonPackage rec {
   propagatedBuildInputs = [
     packaging
     tomli
+    setuptools
   ];
 
   pythonImportsCheck = [

pkgs/development/python-modules/sqlalchemy/default.nix

@@ -13,11 +13,11 @@
 
 buildPythonPackage rec {
   pname = "SQLAlchemy";
-  version = "1.4.37";
+  version = "1.4.39";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-Noj5LGLbbF3yaOImSJEHjxfsuR4xQbQA8uKND3V5beo=";
+    hash = "sha256-gZSJYDh1O0awigsK6JpdgMiX+2Ad1R4kPtVyDx8VXSc=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/twisted/default.nix

@@ -119,7 +119,8 @@ buildPythonPackage rec {
     pyhamcrest
   ]
   ++ passthru.optional-dependencies.conch
-  ++ passthru.optional-dependencies.tls;
+  # not supported on aarch64-darwin: https://github.com/pyca/pyopenssl/issues/873
+  ++ lib.optionals (!(stdenv.isDarwin && stdenv.isAarch64)) passthru.optional-dependencies.tls;
 
   checkPhase = ''
     export SOURCE_DATE_EPOCH=315532800

pkgs/development/python-modules/urllib3/default.nix

@@ -4,16 +4,16 @@
 , buildPythonPackage
 , certifi
 , cryptography
-, python-dateutil
 , fetchPypi
-, isPyPy
 , idna
+, isPyPy
 , mock
 , pyopenssl
 , pysocks
 , pytest-freezegun
 , pytest-timeout
 , pytestCheckHook
+, python-dateutil
 , tornado
 , trustme
 }:
@@ -30,7 +30,7 @@ buildPythonPackage rec {
 
   # FIXME: remove backwards compatbility hack
   propagatedBuildInputs = passthru.optional-dependencies.brotli
-    ++ passthru.optional-dependencies.secure;
+    ++ passthru.optional-dependencies.socks;
 
   checkInputs = [
     python-dateutil
@@ -65,6 +65,7 @@ buildPythonPackage rec {
 
   passthru.optional-dependencies = {
     brotli = if isPyPy then [ brotlicffi ] else [ brotli ];
+    # Use carefully since pyopenssl is not supported aarch64-darwin
     secure = [ certifi cryptography idna pyopenssl ];
     socks = [ pysocks ];
   };

pkgs/development/tools/build-managers/cmake/005-remove-systemconfiguration-dep.diff

@@ -1,23 +1,19 @@
-diff --git a/Utilities/cmcurl/CMakeLists.txt b/Utilities/cmcurl/CMakeLists.txt
-index 9eef01aaf0..d141d4086c 100644
 --- a/Utilities/cmcurl/CMakeLists.txt
 +++ b/Utilities/cmcurl/CMakeLists.txt
-@@ -537,12 +537,7 @@ if(${CMAKE_SYSTEM_NAME} MATCHES "Darwin")
+@@ -391,13 +391,6 @@ if(ENABLE_IPV6 AND NOT WIN32)
-       message(FATAL_ERROR "CoreFoundation framework not found")
-   endif()
  
--  find_library(SYSTEMCONFIGURATION_FRAMEWORK "SystemConfiguration")
+   if(CMAKE_SYSTEM_NAME STREQUAL "Darwin" AND NOT ENABLE_ARES)
--  if(NOT SYSTEMCONFIGURATION_FRAMEWORK)
+     set(use_core_foundation ON)
--     message(FATAL_ERROR "SystemConfiguration framework not found")
--  endif()
 -
--  list(APPEND CURL_LIBS "-framework CoreFoundation" "-framework SystemConfiguration")
+-    find_library(SYSTEMCONFIGURATION_FRAMEWORK "SystemConfiguration")
-+  list(APPEND CURL_LIBS "-framework CoreFoundation")
+-    if(NOT SYSTEMCONFIGURATION_FRAMEWORK)
+-      message(FATAL_ERROR "SystemConfiguration framework not found")
+-    endif()
+-
+-    list(APPEND CURL_LIBS "-framework SystemConfiguration")
+   endif()
+ endif()
  
-   if(CMAKE_USE_SECTRANSP)
-     find_library(SECURITY_FRAMEWORK "Security")
-diff --git a/Utilities/cmcurl/lib/curl_setup.h b/Utilities/cmcurl/lib/curl_setup.h
-index 554dcc1e67..059f14e632 100644
 --- a/Utilities/cmcurl/lib/curl_setup.h
 +++ b/Utilities/cmcurl/lib/curl_setup.h
 @@ -257,11 +257,7 @@
@@ -32,8 +28,6 @@ index 554dcc1e67..059f14e632 100644
  #endif
  
  #ifdef USE_LWIPSOCK
-diff --git a/Utilities/cmcurl/lib/hostip.c b/Utilities/cmcurl/lib/hostip.c
-index 117caa2957..9f7c709e44 100644
 --- a/Utilities/cmcurl/lib/hostip.c
 +++ b/Utilities/cmcurl/lib/hostip.c
 @@ -68,10 +68,6 @@
@@ -47,7 +41,7 @@ index 117caa2957..9f7c709e44 100644
  #if defined(CURLRES_SYNCH) && \
      defined(HAVE_ALARM) && defined(SIGALRM) && defined(HAVE_SIGSETJMP)
  /* alarm-based timeouts can only be used with all the dependencies satisfied */
-@@ -653,23 +649,6 @@ enum resolve_t Curl_resolv(struct Curl_easy *data,
+@@ -661,23 +657,6 @@ enum resolve_t Curl_resolv(struct Curl_easy *data,
          return CURLRESOLV_ERROR;
      }
  

pkgs/development/tools/build-managers/cmake/default.nix

@@ -1,62 +1,91 @@
-{ stdenv, lib, fetchurl, pkg-config
+{ lib
-, bzip2, curlMinimal, expat, libarchive, xz, zlib, libuv, rhash
+, stdenv
 , buildPackages
-# darwin attributes
+, bzip2
+, curlMinimal
+, expat
+, fetchurl
+, libarchive
+, libuv
+, ncurses
+, openssl
+, pkg-config
+, qtbase
+, rhash
+, sphinx
+, texinfo
+, wrapQtAppsHook
+, xz
+, zlib
 , SystemConfiguration
 , ps
 , isBootstrap ? false
+, useOpenSSL ? !isBootstrap
 , useSharedLibraries ? (!isBootstrap && !stdenv.isCygwin)
-, useOpenSSL ? !isBootstrap, openssl
+, uiToolkits ? [] # can contain "ncurses" and/or "qt5"
-, useNcurses ? false, ncurses
+, buildDocs ? !(isBootstrap || (uiToolkits == []))
-, withQt5 ? false, qtbase, wrapQtAppsHook
-, buildDocs ? (!isBootstrap && (useNcurses || withQt5)), sphinx, texinfo
 }:
 
+let
+  cursesUI = lib.elem "ncurses" uiToolkits;
+  qt5UI = lib.elem "qt5" uiToolkits;
+in
+# Accepts only "ncurses" and "qt5" as possible uiToolkits
+assert lib.subtractLists [ "ncurses" "qt5" ] uiToolkits == [];
 stdenv.mkDerivation rec {
   pname = "cmake"
     + lib.optionalString isBootstrap "-boot"
-    + lib.optionalString useNcurses "-cursesUI"
+    + lib.optionalString cursesUI "-cursesUI"
-    + lib.optionalString withQt5 "-qt5UI";
+    + lib.optionalString qt5UI "-qt5UI";
-  version = "3.22.3";
+  version = "3.23.2";
 
   src = fetchurl {
     url = "https://cmake.org/files/v${lib.versions.majorMinor version}/cmake-${version}.tar.gz";
-    sha256 = "sha256-n4RpFm+UVTtpeKFu4pIn7Emi61zrYIJ13sQNiuDRtaA=";
+    sha256 = "sha256-8xa0AFNGb5pBat+YHv2kGxYMqFnpf2pIS0R+opn/Jqo=";
   };
 
   patches = [
     # Don't search in non-Nix locations such as /usr, but do search in our libc.
-    ./search-path.patch
+    ./001-search-path.diff
-
     # Don't depend on frameworks.
-    ./application-services.patch
+    ./002-application-services.diff
-
     # Derived from https://github.com/libuv/libuv/commit/1a5d4f08238dd532c3718e210078de1186a5920d
-    ./libuv-application-services.patch
+    ./003-libuv-application-services.diff
-
+  ]
-  ] ++ lib.optional stdenv.isCygwin ./3.2.2-cygwin.patch
+  ++ lib.optional stdenv.isCygwin ./004-cygwin.diff
   # Derived from https://github.com/curl/curl/commit/31f631a142d855f069242f3e0c643beec25d1b51
-  ++ lib.optional (stdenv.isDarwin && isBootstrap) ./remove-systemconfiguration-dep.patch
+  ++ lib.optional (stdenv.isDarwin && isBootstrap) ./005-remove-systemconfiguration-dep.diff
   # On Darwin, always set CMAKE_SHARED_LIBRARY_RUNTIME_C_FLAG.
-  ++ lib.optional stdenv.isDarwin ./darwin-always-set-runtime-c-flag.patch;
+  ++ lib.optional stdenv.isDarwin ./006-darwin-always-set-runtime-c-flag.diff;
 
-  outputs = [ "out" ]
+  outputs = [ "out" ] ++ lib.optionals buildDocs [ "man" "info" ];
-    ++ lib.optionals buildDocs [ "man" "info" ];
   setOutputFlags = false;
 
   setupHook = ./setup-hook.sh;
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
 
-  nativeBuildInputs = [ setupHook pkg-config ]
+  nativeBuildInputs = [
-    ++ lib.optionals buildDocs [ texinfo ]
+    pkg-config
-    ++ lib.optionals withQt5 [ wrapQtAppsHook ];
+    setupHook
+  ]
+  ++ lib.optionals buildDocs [ texinfo ]
+  ++ lib.optionals qt5UI [ wrapQtAppsHook ];
 
-  buildInputs = lib.optionals useSharedLibraries [ bzip2 curlMinimal expat libarchive xz zlib libuv rhash ]
+  buildInputs = lib.optionals useSharedLibraries [
-    ++ lib.optional useOpenSSL openssl
+    bzip2
-    ++ lib.optional useNcurses ncurses
+    curlMinimal
-    ++ lib.optional withQt5 qtbase
+    expat
-    ++ lib.optional (stdenv.isDarwin && !isBootstrap) SystemConfiguration;
+    libarchive
+    xz
+    zlib
+    libuv
+    rhash
+  ]
+  ++ lib.optional useOpenSSL openssl
+  ++ lib.optional cursesUI ncurses
+  ++ lib.optional qt5UI qtbase
+  ++ lib.optional (stdenv.isDarwin && !isBootstrap) SystemConfiguration;
 
   propagatedBuildInputs = lib.optional stdenv.isDarwin ps;
 
@@ -73,18 +102,21 @@ stdenv.mkDerivation rec {
   configureFlags = [
     "CXXFLAGS=-Wno-elaborated-enum-base"
     "--docdir=share/doc/${pname}${version}"
-  ] ++ (if useSharedLibraries then [ "--no-system-jsoncpp" "--system-libs" ] else [ "--no-system-libs" ]) # FIXME: cleanup
+  ] ++ (if useSharedLibraries
-  ++ lib.optional withQt5 "--qt-gui"
+        then [ "--no-system-jsoncpp" "--system-libs" ]
+        else [ "--no-system-libs" ]) # FIXME: cleanup
+  ++ lib.optional qt5UI "--qt-gui"
   ++ lib.optionals buildDocs [
     "--sphinx-build=${sphinx}/bin/sphinx-build"
-    "--sphinx-man"
     "--sphinx-info"
+    "--sphinx-man"
   ]
   # Workaround https://gitlab.kitware.com/cmake/cmake/-/issues/20568
   ++ lib.optionals stdenv.hostPlatform.is32bit [
     "CFLAGS=-D_FILE_OFFSET_BITS=64"
     "CXXFLAGS=-D_FILE_OFFSET_BITS=64"
-  ] ++ [
+  ]
+  ++ [
     "--"
     # We should set the proper `CMAKE_SYSTEM_NAME`.
     # http://www.cmake.org/Wiki/CMake_Cross_Compiling
@@ -100,7 +132,7 @@ stdenv.mkDerivation rec {
 
     "-DCMAKE_USE_OPENSSL=${if useOpenSSL then "ON" else "OFF"}"
     # Avoid depending on frameworks.
-    "-DBUILD_CursesDialog=${if useNcurses then "ON" else "OFF"}"
+    "-DBUILD_CursesDialog=${if cursesUI then "ON" else "OFF"}"
   ];
 
   # make install attempts to use the just-built cmake
@@ -118,19 +150,19 @@ stdenv.mkDerivation rec {
   doCheck = false; # fails
 
   meta = with lib; {
-    broken = (withQt5 && stdenv.isDarwin);
     homepage = "https://cmake.org/";
-    changelog = "https://cmake.org/cmake/help/v${lib.versions.majorMinor version}/release/${lib.versions.majorMinor version}.html";
+    description = "Cross-platform, open-source build system generator";
-    description = "Cross-Platform Makefile Generator";
     longDescription = ''
-      CMake is an open-source, cross-platform family of tools designed to
+      CMake is an open-source, cross-platform family of tools designed to build,
-      build, test and package software. CMake is used to control the software
+      test and package software. CMake is used to control the software
       compilation process using simple platform and compiler independent
-      configuration files, and generate native makefiles and workspaces that
+      configuration files, and generate native makefiles and workspaces that can
-      can be used in the compiler environment of your choice.
+      be used in the compiler environment of your choice.
     '';
-    platforms = platforms.all;
+    changelog = "https://cmake.org/cmake/help/v${lib.versions.majorMinor version}/release/${lib.versions.majorMinor version}.html";
-    maintainers = with maintainers; [ ttuegel lnl7 ];
     license = licenses.bsd3;
+    maintainers = with maintainers; [ ttuegel lnl7 AndersonTorres ];
+    platforms = platforms.all;
+    broken = (qt5UI && stdenv.isDarwin);
   };
 }

pkgs/development/tools/build-managers/ninja/setup-hook.sh

@@ -14,7 +14,7 @@ ninjaBuildPhase() {
     )
 
     echoCmd 'build flags' "${flagsArray[@]}"
-    ninja "${flagsArray[@]}" | cat
+    TERM=dumb ninja "${flagsArray[@]}"
 
     runHook postBuild
 }
@@ -33,7 +33,7 @@ ninjaInstallPhase() {
     )
 
     echoCmd 'install flags' "${flagsArray[@]}"
-    ninja "${flagsArray[@]}" | cat
+    TERM=dumb ninja "${flagsArray[@]}"
 
     runHook postInstall
 }
@@ -67,7 +67,7 @@ ninjaCheckPhase() {
         )
 
         echoCmd 'check flags' "${flagsArray[@]}"
-        ninja "${flagsArray[@]}" | cat
+        TERM=dumb ninja "${flagsArray[@]}"
     fi
 
     runHook postCheck

pkgs/development/tools/delve/default.nix

@@ -1,4 +1,4 @@
-{ lib, buildGoModule, fetchFromGitHub, makeWrapper }:
+{ lib, buildGoModule, fetchFromGitHub, makeWrapper, stdenv }:
 
 buildGoModule rec {
   pname = "delve";
@@ -17,7 +17,19 @@ buildGoModule rec {
 
   nativeBuildInputs = [ makeWrapper ];
 
-  checkFlags = [ "-short" ];
+  hardeningDisable = [ "fortify" ];
+
+  preCheck = ''
+    XDG_CONFIG_HOME=$(mktemp -d)
+  '';
+
+  # Disable tests on Darwin as they require various workarounds.
+  #
+  # - Tests requiring local networking fail with or without sandbox,
+  #   even with __darwinAllowLocalNetworking allowed.
+  # - CGO_FLAGS warnings break tests' expected stdout/stderr outputs.
+  # - DAP test binaries exit prematurely.
+  doCheck = !stdenv.isDarwin;
 
   postInstall = ''
     # fortify source breaks build since delve compiles with -O0

pkgs/development/tools/documentation/doxygen/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "doxygen";
-  version = "1.9.3";
+  version = "1.9.4";
 
   src = fetchFromGitHub {
     owner = "doxygen";
     repo = "doxygen";
     rev = "Release_${lib.replaceStrings [ "." ] [ "_" ] version}";
-    sha256 = "1xfsv31ffrv03qhxlscav0r5mdi3qz4654ib9cq35rvmxfj999bw";
+    sha256 = "sha256-Dnr8d+ngSBkgL/BITvsvoERAHQyEXCoQDltbnQ2nXKM=";
   };
 
   nativeBuildInputs = [

pkgs/development/tools/misc/autoconf-archive/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "autoconf-archive";
-  version = "2021.02.19";
+  version = "2022.02.11";
 
   src = fetchurl {
     url = "mirror://gnu/autoconf-archive/autoconf-archive-${version}.tar.xz";
-    sha256 = "sha256-6KbrnSjdy6j/7z+iEWUyOem/I5q6agGmt8/Hzq7GnL0=";
+    sha256 = "sha256-eKYbYR4u61WongOY4M44e8r1f+LdU8b+QnEw93etHow=";
   };
 
   strictDeps = true;

pkgs/development/tools/misc/luarocks/default.nix

@@ -26,6 +26,10 @@ stdenv.mkDerivation rec {
     substituteInPlace src/luarocks/core/cfg.lua --subst-var-by 'darwinMinVersion' '${stdenv.targetPlatform.darwinMinVersion}'
   '';
 
+  # Manually written ./configure does not support --build= or --host=:
+  #   Error: Unknown flag: --build=x86_64-unknown-linux-gnu
+  configurePlatforms = [ ];
+
   preConfigure = ''
     lua -e "" || {
         luajit -e "" && {

pkgs/development/tools/misc/texinfo/common.nix

@@ -36,8 +36,7 @@ stdenv.mkDerivation {
   strictDeps = true;
   enableParallelBuilding = true;
 
-  # We need a native compiler to build perl XS extensions
+  # A native compiler is needed to build tools needed at build time
-  # when cross-compiling.
   depsBuildBuild = [ buildPackages.stdenv.cc perl ];
 
   buildInputs = [ xz.bin bash libintl ]
@@ -45,6 +44,9 @@ stdenv.mkDerivation {
     ++ optional interactive ncurses;
 
   configureFlags = [ "PERL=${buildPackages.perl}/bin/perl" ]
+    # Perl XS modules are difficult to cross-compile and texinfo has pure Perl
+    # fallbacks.
+    ++ optional crossBuildTools "--enable-perl-xs=no"
     ++ lib.optional stdenv.isSunOS "AWK=${gawk}/bin/awk";
 
   installFlags = [ "TEXMF=$(out)/texmf-dist" ];
@@ -62,6 +64,13 @@ stdenv.mkDerivation {
     "XFAIL_TESTS=test_scripts/layout_formatting_fr_icons.sh"
   ];
 
+  postFixup = optionalString crossBuildTools ''
+    for f in "$out"/bin/{pod2texi,texi2any}; do
+      substituteInPlace "$f" \
+        --replace ${buildPackages.perl}/bin/perl ${perl}/bin/perl
+    done
+  '';
+
   meta = {
     homepage = "https://www.gnu.org/software/texinfo/";
     description = "The GNU documentation system";

pkgs/os-specific/linux/alsa-project/alsa-lib/default.nix

@@ -7,11 +7,11 @@
 
 stdenv.mkDerivation rec {
   pname = "alsa-lib";
-  version = "1.2.6.1";
+  version = "1.2.7.1";
 
   src = fetchurl {
     url = "mirror://alsa/lib/${pname}-${version}.tar.bz2";
-    hash = "sha256-rVgpk9Us21+xWaC+q2CmrFfqsMwb34XcTbbWGX8CMz8=";
+    hash = "sha256-BG3ELfz60mkhe+BZVGhhN+XnOX8wQTcvjG3NfXlGHmE=";
   };
 
   patches = [

pkgs/os-specific/linux/alsa-project/alsa-plugins/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "alsa-plugins";
-  version = "1.2.6";
+  version = "1.2.7.1";
 
   src = fetchurl {
     url = "mirror://alsa/plugins/${pname}-${version}.tar.bz2";
-    sha256 = "sha256-BogYpLVdjAKdqgABXYU9RRE/VrIkt8ZOHhF5iMglsqA=";
+    hash = "sha256-jDN4FJVLt8FnRWczpgRhQqKTHxLsy6PsKkrmGKNDJRE=";
   };
 
   nativeBuildInputs = [ pkg-config ];

pkgs/os-specific/linux/alsa-project/alsa-ucm-conf/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "alsa-ucm-conf";
-  version = "1.2.6.3";
+  version = "1.2.7.1";
 
   src = fetchurl {
     url = "mirror://alsa/lib/${pname}-${version}.tar.bz2";
-    sha256 = "sha256-uKA6o4emJKL2XtwgG/d3QhGQtgUpqSCHZGgjr72Wxc0=";
+    hash = "sha256-rFsqEnV4Pv8H4cs0w2xsWYd0JnmjQAN1B8BKncHSLKw=";
   };
 
   dontBuild = true;

pkgs/os-specific/linux/ell/default.nix

@@ -7,14 +7,14 @@
 
 stdenv.mkDerivation rec {
   pname = "ell";
-  version = "0.50";
+  version = "0.51";
 
   outputs = [ "out" "dev" ];
 
   src = fetchgit {
     url = "https://git.kernel.org/pub/scm/libs/ell/ell.git";
     rev = version;
-    sha256 = "sha256-LQAbE/pAKjVFsn9FjIbvY6sTBcVBdi4LCOnDVZ/WGV0=";
+    sha256 = "sha256-UGc6msj+V3U7IzquD4+KDLWt1vUxdV2Qm9Y0FOmsqtc=";
   };
 
   nativeBuildInputs = [

pkgs/os-specific/linux/iproute/default.nix

@@ -6,11 +6,11 @@
 
 stdenv.mkDerivation rec {
   pname = "iproute2";
-  version = "5.17.0";
+  version = "5.18.0";
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/net/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "bjhPG0LHXhqdqsV4Zto33P+QkJC6huslpudk2niTZg4=";
+    sha256 = "W6PUZNUcjCg1UNUH/6w9EPeuxYe3xmsMy2lQZDZGOJ4=";
   };
 
   patches = [

pkgs/os-specific/linux/iptables/default.nix

@@ -24,6 +24,11 @@ stdenv.mkDerivation rec {
       url = "https://git.netfilter.org/iptables/patch/?id=f319389525b066b7dc6d389c88f16a0df3b8f189";
       sha256 = "sha256-rOxCEWZoI8Ac5fQDp286YHAwvreUAoDVAbomboKrGyM=";
     })
+    # fix Musl build
+    (fetchpatch {
+      url = "https://git.netfilter.org/iptables/patch/?id=0e7cf0ad306cdf95dc3c28d15a254532206a888e";
+      sha256 = "18mnvqfxzd7ifq3zjb4vyifcyadpxdi8iqcj8wsjgw23n49lgrbj";
+    })
   ];
 
   outputs = [ "out" "dev" "man" ];

pkgs/os-specific/linux/iwd/default.nix

@@ -12,12 +12,12 @@
 
 stdenv.mkDerivation rec {
   pname = "iwd";
-  version = "1.27";
+  version = "1.28";
 
   src = fetchgit {
     url = "https://git.kernel.org/pub/scm/network/wireless/iwd.git";
     rev = version;
-    sha256 = "sha256-gN9+9Cc6zjZBXDhcHBH5wyucO5/vL7bKSLWM5laFqaA=";
+    sha256 = "sha256-UAhgmXTbCgxja8nniexr6+jkzHIOMn9k1Cp8oMuskk0=";
   };
 
   outputs = [ "out" "man" "doc" ]

pkgs/os-specific/linux/libsepol/default.nix

@@ -31,6 +31,8 @@ stdenv.mkDerivation rec {
 
   NIX_CFLAGS_COMPILE = "-Wno-error";
 
+  enableParallelBuilding = true;
+
   passthru = { inherit se_url; };
 
   meta = with lib; {

pkgs/os-specific/linux/v4l-utils/default.nix

@@ -1,5 +1,5 @@
 { stdenv, lib, fetchurl, pkg-config, perl
-, libjpeg, udev
+, argp-standalone, libjpeg, udev
 , withUtils ? true
 , withGUI ? true, alsa-lib, libX11, qtbase, libGLU, wrapQtAppsHook
 }:
@@ -35,7 +35,9 @@ in stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ pkg-config perl ] ++ lib.optional withQt wrapQtAppsHook;
 
-  buildInputs = [ udev ] ++ lib.optionals withQt [ alsa-lib libX11 qtbase libGLU ];
+  buildInputs = [ udev ]
+    ++ lib.optional (!stdenv.hostPlatform.isGnu) argp-standalone
+    ++ lib.optionals withQt [ alsa-lib libX11 qtbase libGLU ];
 
   propagatedBuildInputs = [ libjpeg ];
 

pkgs/stdenv/linux/default.nix

@@ -304,15 +304,18 @@ in
         binutils coreutils gnugrep
         perl patchelf linuxHeaders gnum4 bison libidn2 libunistring;
       ${localSystem.libc} = getLibc prevStage;
-      # Link GCC statically against GMP etc.  This makes sense because
+      gcc-unwrapped =
-      # these builds of the libraries are only used by GCC, so it
+        let makeStaticLibrariesAndMark = pkg:
-      # reduces the size of the stdenv closure.
+              lib.makeOverridable (pkg.override { stdenv = self.makeStaticLibraries self.stdenv; })
-      gmp = super.gmp.override { stdenv = self.makeStaticLibraries self.stdenv; };
+                .overrideAttrs (a: { pname = "${a.pname}-stage3"; });
-      mpfr = super.mpfr.override { stdenv = self.makeStaticLibraries self.stdenv; };
+        in super.gcc-unwrapped.override {
-      libmpc = super.libmpc.override { stdenv = self.makeStaticLibraries self.stdenv; };
+        # Link GCC statically against GMP etc.  This makes sense because
-      isl_0_20 = super.isl_0_20.override { stdenv = self.makeStaticLibraries self.stdenv; };
+        # these builds of the libraries are only used by GCC, so it
-      gcc-unwrapped = super.gcc-unwrapped.override {
+        # reduces the size of the stdenv closure.
-        isl = isl_0_20;
+        gmp = makeStaticLibrariesAndMark super.gmp;
+        mpfr = makeStaticLibrariesAndMark super.mpfr;
+        libmpc = makeStaticLibrariesAndMark super.libmpc;
+        isl = makeStaticLibrariesAndMark super.isl_0_20;
         # Use a deterministically built compiler
         # see https://github.com/NixOS/nixpkgs/issues/108475 for context
         reproducibleBuild = true;
@@ -336,7 +339,7 @@ in
       # because gcc (since JAR support) already depends on zlib, and
       # then if we already have a zlib we want to use that for the
       # other purposes (binutils and top-level pkgs) too.
-      inherit (prevStage) gettext gnum4 bison gmp perl texinfo zlib linuxHeaders libidn2 libunistring;
+      inherit (prevStage) gettext gnum4 bison perl texinfo zlib linuxHeaders libidn2 libunistring;
       ${localSystem.libc} = getLibc prevStage;
       binutils = super.binutils.override {
         # Don't use stdenv's shell but our own
@@ -347,6 +350,14 @@ in
         };
       };
 
+      # force gmp to rebuild so we have the option of dynamically linking
+      # libgmp without creating a reference path from:
+      #   stage5.gcc -> stage4.coreutils -> stage3.glibc -> bootstrap
+      gmp = lib.makeOverridable (super.gmp.override { stdenv = self.stdenv; }).overrideAttrs (a: { pname = "${a.pname}-stage4"; });
+
+      # coreutils gets rebuilt both here and also in the final stage; we rename this one to avoid confusion
+      coreutils = super.coreutils.overrideAttrs (a: { pname = "${a.pname}-stage4"; });
+
       gcc = lib.makeOverridable (import ../../build-support/cc-wrapper) {
         nativeTools = false;
         nativeLibc = false;
@@ -417,7 +428,7 @@ in
         # Simple executable tools
         concatMap (p: [ (getBin p) (getLib p) ]) [
             gzip bzip2 xz bash binutils.bintools coreutils diffutils findutils
-            gawk gnumake gnused gnutar gnugrep gnupatch patchelf ed file
+            gawk gmp gnumake gnused gnutar gnugrep gnupatch patchelf ed file
           ]
         # Library dependencies
         ++ map getLib (

pkgs/tools/filesystems/go-mtpfs/default.nix

@@ -18,7 +18,11 @@ buildGoModule rec {
   nativeBuildInputs = [ pkg-config ];
   buildInputs = [ libusb1 ];
 
-  checkFlags = [ "-short" ];
+  preCheck = ''
+    # Only run tests under mtp/encoding_test.go
+    # Other tests require an Android deviced attached over USB.
+    buildFlagsArray+=("-run" "Test(Encode|Decode|Variant).*")
+  '';
 
   meta = with lib; {
     description = "A simple FUSE filesystem for mounting Android devices as a MTP device";

pkgs/tools/misc/coreutils/default.nix

@@ -39,6 +39,11 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-YaH0ENeLp+fzelpPUObRMgrKMzdUhKMlXt3xejhYBCM=";
   };
 
+  patches = lib.optionals (stdenv.isDarwin && stdenv.isx86_64) [
+    # Workaround for https://debbugs.gnu.org/cgi/bugreport.cgi?bug=51433
+    ./disable-seek-hole.patch
+  ];
+
   postPatch = ''
     # The test tends to fail on btrfs, f2fs and maybe other unusual filesystems.
     sed '2i echo Skipping dd sparse test && exit 77' -i ./tests/dd/sparse.sh

pkgs/tools/misc/coreutils/disable-seek-hole.patch

@@ -0,0 +1,43 @@
+diff --git a/src/copy.c b/src/copy.c
+index cb9018f93..2a4ccc061 100644
+--- a/src/copy.c
++++ b/src/copy.c
+@@ -502,7 +502,7 @@ write_zeros (int fd, off_t n_bytes)
+   return true;
+ }
+
+-#ifdef SEEK_HOLE
++#if 0
+ /* Perform an efficient extent copy, if possible.  This avoids
+    the overhead of detecting holes in hole-introducing/preserving
+    copy, and thus makes copying sparse files much more efficient.
+@@ -1095,7 +1095,7 @@ infer_scantype (int fd, struct stat const *sb,
+          && ST_NBLOCKS (*sb) < sb->st_size / ST_NBLOCKSIZE))
+     return PLAIN_SCANTYPE;
+
+-#ifdef SEEK_HOLE
++#if 0
+   scan_inference->ext_start = lseek (fd, 0, SEEK_DATA);
+   if (0 <= scan_inference->ext_start)
+     return LSEEK_SCANTYPE;
+@@ -1377,7 +1377,7 @@ copy_reg (char const *src_name, char const *dst_name,
+       off_t n_read;
+       bool wrote_hole_at_eof = false;
+       if (! (
+-#ifdef SEEK_HOLE
++#if 0
+              scantype == LSEEK_SCANTYPE
+              ? lseek_copy (source_desc, dest_desc, buf, buf_size, hole_size,
+                            scan_inference.ext_start, src_open_sb.st_size,
+diff --git a/tests/seek-data-capable b/tests/seek-data-capable
+index cc6372214..6e7a9ec1e 100644
+--- a/tests/seek-data-capable
++++ b/tests/seek-data-capable
+@@ -1,5 +1,7 @@
+ import sys, os, errno, platform
+
++sys.exit(1)
++
+ # Pass an _empty_ file
+ if len(sys.argv) != 2:
+     sys.exit(1)

pkgs/tools/misc/mmake/default.nix

@@ -15,7 +15,8 @@ buildGoModule rec {
 
   ldflags = [ "-s" "-w" ];
 
-  checkFlags = [ "-short" ];
+  # Almost all tests require non-local networking, trying to resolve githubusercontent.com.
+  doCheck = false;
 
   meta = with lib; {
     homepage = "https://github.com/tj/mmake";

pkgs/tools/security/gnupg/23.nix

@@ -15,11 +15,11 @@ assert guiSupport -> pinentry != null && enableMinimal == false;
 
 stdenv.mkDerivation rec {
   pname = "gnupg";
-  version = "2.3.4";
+  version = "2.3.6";
 
   src = fetchurl {
     url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2";
-    sha256 = "sha256-80aOyvsdf5rXtR/R23rr8XzridLvqKBc8vObTUBUAq4=";
+    sha256 = "sha256-Iff+L8XC8hQYSrBQl37HqOME5Yv64qsJj+xp+Pq9qcE=";
   };
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
@@ -34,6 +34,12 @@ stdenv.mkDerivation rec {
     ./tests-add-test-cases-for-import-without-uid.patch
     ./allow-import-of-previously-known-keys-even-without-UI.patch
     ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
+
+    # Patch from upstream 34c649b36013, https://dev.gnupg.org/T6027
+    ./CVE-2022-34903-g10-fix-garbled-status-messages-in-NOTATION_DATA.patch
+
+    # Patch for DoS vuln from https://seclists.org/oss-sec/2022/q3/27
+    ./v3-0001-Disallow-compressed-signatures-and-certificates.patch
   ];
   postPatch = ''
     sed -i 's,\(hkps\|https\)://keyserver.ubuntu.com,hkps://keys.openpgp.org,g' configure configure.ac doc/dirmngr.texi doc/gnupg.info-1

pkgs/tools/security/gnupg/CVE-2022-34903-g10-fix-garbled-status-messages-in-NOTATION_DATA.patch

@@ -0,0 +1,45 @@
+commit 34c649b3601383cd11dbc76221747ec16fd68e1b
+Author: Werner Koch <wk@gnupg.org>
+Date:   2022-06-14 11:33:27 +0200
+
+    g10: Fix garbled status messages in NOTATION_DATA
+    
+    * g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
+    --
+    
+    Depending on the escaping and line wrapping the computed remaining
+    buffer length could be wrong.  Fixed by always using a break to
+    terminate the escape detection loop.  Might have happened for all
+    status lines which may wrap.
+    
+    GnuPG-bug-id: T6027
+
+diff --git a/g10/cpr.c b/g10/cpr.c
+index 9bfdd3c34..fa8005d6f 100644
+--- a/g10/cpr.c
++++ b/g10/cpr.c
+@@ -372,20 +372,15 @@ write_status_text_and_buffer (int no, const char *string,
+             }
+           first = 0;
+         }
+-      for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
++      for (esc=0, s=buffer, n=len; n; s++, n--)
+         {
+           if (*s == '%' || *(const byte*)s <= lower_limit
+               || *(const byte*)s == 127 )
+             esc = 1;
+           if (wrap && ++count > wrap)
+-            {
+-              dowrap=1;
+-              break;
+-            }
+-        }
+-      if (esc)
+-        {
+-          s--; n++;
++            dowrap=1;
++          if (esc || dowrap)
++            break;
+         }
+       if (s != buffer)
+         es_fwrite (buffer, s-buffer, 1, statusfp);

pkgs/tools/security/gnupg/v3-0001-Disallow-compressed-signatures-and-certificates.patch

@@ -0,0 +1,216 @@
+From 459b61fa21db755d6c879c3ef9ab85b3d1786c9f Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour <demi () invisiblethingslab com>
+Date: Fri, 27 May 2022 19:51:19 -0400
+Subject: [PATCH GnuPG v3] Disallow compressed signatures and certificates
+
+Compressed packets have significant attack surface, due to the potential
+for both denial of service (zip bombs and the like) and for code
+execution via memory corruption vulnerabilities in the decompressor.
+Furthermore, I am not aware of any implementation that uses them in keys
+or detached signatures.  Therefore, disallow their use in such contexts
+entirely.  This includes signatures that are part of a cleartext-signed
+message.
+
+When parsing detached signatures, forbid any packet that is not a
+signature or marker packet.  When parsing keys, return an error when
+encountering a compressed packet, instead of decompressing the packet.
+
+Furthermore, certificates, keys, and signatures are not allowed to
+contain partial-length or indeterminate-length packets.  Reject those in
+parse_packet, rather than activating the partial-length filter code.
+This is not (yet) implemented for cleartext-signed messages, as these
+messages are internally represented as inline-signed messages.
+
+GnuPG-bug-id: T5993
+Signed-off-by: Demi Marie Obenour <demiobenour () gmail com>
+---
+ g10/import.c       | 18 ++----------------
+ g10/mainproc.c     | 24 +++++++++++++++++++++---
+ g10/packet.h       |  2 ++
+ g10/parse-packet.c | 44 +++++++++++++++++++++++++++++++++++++++++++-
+ 4 files changed, 68 insertions(+), 20 deletions(-)
+
+diff --git a/g10/import.c b/g10/import.c
+index bb0bf67934a8316130cde182cd43d56353e0171d..a8136351f6f7dae8c65634ed8e1c242d323e2009 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -1042,22 +1042,8 @@ read_block( IOBUF a, unsigned int options,
+       switch (pkt->pkttype)
+         {
+         case PKT_COMPRESSED:
+-          if (check_compress_algo (pkt->pkt.compressed->algorithm))
+-            {
+-              rc = GPG_ERR_COMPR_ALGO;
+-              goto ready;
+-            }
+-          else
+-            {
+-              compress_filter_context_t *cfx = xmalloc_clear( sizeof *cfx );
+-              pkt->pkt.compressed->buf = NULL;
+-              if (push_compress_filter2 (a, cfx,
+-                                         pkt->pkt.compressed->algorithm, 1))
+-                xfree (cfx); /* e.g. in case of compression_algo NONE.  */
+-            }
+-          free_packet (pkt, &parsectx);
+-          init_packet(pkt);
+-          break;
++          rc = GPG_ERR_UNEXPECTED;
++          goto ready;
+ 
+         case PKT_RING_TRUST:
+           /* Skip those packets unless we are in restore mode.  */
+diff --git a/g10/mainproc.c b/g10/mainproc.c
+index af11877aa257e46662c42b6ff573ee01c3ad1547..3629fc921b742afd131e8d8e2664b201095990f0 100644
+--- a/g10/mainproc.c
++++ b/g10/mainproc.c
+@@ -152,6 +152,7 @@ add_onepass_sig (CTX c, PACKET *pkt)
+ {
+   kbnode_t node;
+ 
++  log_assert(!(c->sigs_only && c->signed_data.used));
+   if (c->list) /* Add another packet. */
+     add_kbnode (c->list, new_kbnode (pkt));
+   else /* Insert the first one.  */
+@@ -1076,8 +1077,16 @@ proc_compressed (CTX c, PACKET *pkt)
+   int rc;
+ 
+   /*printf("zip: compressed data packet\n");*/
+-  if (c->sigs_only)
+-    rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c);
++  if ( literals_seen )
++    {
++      log_error ("Compressed packet follows literal data packet\n");
++      rc = GPG_ERR_UNEXPECTED;
++    }
++  else if ( c->sigs_only )
++    {
++      log_assert(!c->signed_data.used);
++      rc = handle_compressed (c->ctrl, c, zd, proc_compressed_cb, c);
++    }
+   else if( c->encrypt_only )
+     rc = handle_compressed (c->ctrl, c, zd, proc_encrypt_cb, c);
+   else
+@@ -1596,6 +1605,7 @@ do_proc_packets (CTX c, iobuf_t a)
+   c->iobuf = a;
+   init_packet(pkt);
+   init_parse_packet (&parsectx, a);
++  parsectx.sigs_only = c->sigs_only && c->signed_data.used;
+   while ((rc=parse_packet (&parsectx, pkt)) != -1)
+     {
+       any_data = 1;
+@@ -1607,6 +1617,12 @@ do_proc_packets (CTX c, iobuf_t a)
+           if (gpg_err_code (rc) == GPG_ERR_INV_PACKET
+               && opt.list_packets == 0)
+             break;
++
++          if (gpg_err_code (rc) == GPG_ERR_UNEXPECTED)
++            {
++              write_status_text( STATUS_UNEXPECTED, "0" );
++              goto leave;
++            }
+           continue;
+ 	}
+       newpkt = -1;
+@@ -1644,7 +1660,9 @@ do_proc_packets (CTX c, iobuf_t a)
+             case PKT_COMPRESSED:  rc = proc_compressed (c, pkt); break;
+             case PKT_ONEPASS_SIG: newpkt = add_onepass_sig (c, pkt); break;
+             case PKT_GPG_CONTROL: newpkt = add_gpg_control (c, pkt); break;
+-            default: newpkt = 0; break;
++            default:
++	      log_assert(!c->signed_data.used);
++	      newpkt = 0; break;
+ 	    }
+ 	}
+       else if (c->encrypt_only)
+diff --git a/g10/packet.h b/g10/packet.h
+index 5a14015a16c872fe7b0b15468598daf7a05ffc02..82dfe786b46051491e7015e64441678140defa9e 100644
+--- a/g10/packet.h
++++ b/g10/packet.h
+@@ -657,6 +657,7 @@ struct parse_packet_ctx_s
+   int free_last_pkt; /* Indicates that LAST_PKT must be freed.  */
+   int skip_meta;     /* Skip ring trust packets.  */
+   unsigned int n_parsed_packets;	/* Number of parsed packets.  */
++  int sigs_only;     /* Only accept detached signature packets */
+ };
+ typedef struct parse_packet_ctx_s *parse_packet_ctx_t;
+ 
+@@ -667,6 +668,7 @@ typedef struct parse_packet_ctx_s *parse_packet_ctx_t;
+     (a)->free_last_pkt = 0;         \
+     (a)->skip_meta = 0;             \
+     (a)->n_parsed_packets = 0;      \
++    (a)->sigs_only = 0;             \
+   } while (0)
+ 
+ #define deinit_parse_packet(a) do { \
+diff --git a/g10/parse-packet.c b/g10/parse-packet.c
+index cea1f7ebc5daec3863ae963c1ab25500f86796fe..dca66ff427ea6778e536782ec6bda83584877342 100644
+--- a/g10/parse-packet.c
++++ b/g10/parse-packet.c
+@@ -738,6 +738,20 @@ parse (parse_packet_ctx_t ctx, PACKET *pkt, int onlykeypkts, off_t * retpos,
+             case PKT_ENCRYPTED_MDC:
+             case PKT_ENCRYPTED_AEAD:
+             case PKT_COMPRESSED:
++              if (ctx->sigs_only)
++                {
++                  log_error (_("partial length packet of type %d in detached"
++                               " signature\n"), pkttype);
++                  rc = gpg_error (GPG_ERR_UNEXPECTED);
++                  goto leave;
++                }
++              if (onlykeypkts)
++                {
++                  log_error (_("partial length packet of type %d in keyring\n"),
++                             pkttype);
++                  rc = gpg_error (GPG_ERR_UNEXPECTED);
++                  goto leave;
++                }
+               iobuf_set_partial_body_length_mode (inp, c & 0xff);
+               pktlen = 0;	/* To indicate partial length.  */
+               partial = 1;
+@@ -775,6 +789,20 @@ parse (parse_packet_ctx_t ctx, PACKET *pkt, int onlykeypkts, off_t * retpos,
+ 	      rc = gpg_error (GPG_ERR_INV_PACKET);
+ 	      goto leave;
+ 	    }
++	  else if (ctx->sigs_only)
++	    {
++	      log_error (_("indeterminate length packet of type %d in detached"
++                           " signature\n"), pkttype);
++	      rc = gpg_error (GPG_ERR_UNEXPECTED);
++	      goto leave;
++	    }
++	  else if (onlykeypkts)
++	    {
++	      log_error (_("indeterminate length packet of type %d in"
++                           " keyring\n"), pkttype);
++	      rc = gpg_error (GPG_ERR_UNEXPECTED);
++	      goto leave;
++	    }
+ 	}
+       else
+ 	{
+@@ -828,7 +856,21 @@ parse (parse_packet_ctx_t ctx, PACKET *pkt, int onlykeypkts, off_t * retpos,
+       goto leave;
+     }
+ 
+-  if (with_uid && pkttype == PKT_USER_ID)
++  if (ctx->sigs_only)
++    switch (pkttype)
++      {
++      case PKT_SIGNATURE:
++      case PKT_MARKER:
++	break;
++      default:
++        log_error(_("Packet type %d not allowed in detached signature\n"),
++                  pkttype);
++	iobuf_skip_rest (inp, pktlen, partial);
++	*skip = 1;
++	rc = GPG_ERR_UNEXPECTED;
++	goto leave;
++      }
++  else if (with_uid && pkttype == PKT_USER_ID)
+     /* If ONLYKEYPKTS is set to 2, then we never skip user id packets,
+        even if DO_SKIP is set.  */
+     ;
+-- 
+2.36.1
+

pkgs/tools/system/skeema/default.nix

@@ -1,4 +1,4 @@
-{ lib, buildGoModule, fetchFromGitHub }:
+{ lib, buildGoModule, fetchFromGitHub, coreutils }:
 
 buildGoModule rec {
   pname = "skeema";
@@ -17,6 +17,29 @@ buildGoModule rec {
 
   ldflags = [ "-s" "-w" ];
 
+  preCheck = ''
+    # Disable tests requiring network access to gitlab.com
+    buildFlagsArray+=("-run" "[^(Test(ParseDir(Symlinks|))|DirRelPath)]")
+
+    # Fix tests expecting /usr/bin/printf and /bin/echo
+    substituteInPlace skeema_cmd_test.go \
+      --replace /usr/bin/printf "${coreutils}/bin/printf"
+
+    substituteInPlace internal/fs/dir_test.go \
+      --replace /bin/echo "${coreutils}/bin/echo" \
+      --replace /usr/bin/printf "${coreutils}/bin/printf"
+
+    substituteInPlace internal/applier/ddlstatement_test.go \
+      --replace /bin/echo "${coreutils}/bin/echo"
+
+    substituteInPlace internal/util/shellout_unix_test.go \
+      --replace /bin/echo "${coreutils}/bin/echo" \
+      --replace /usr/bin/printf "${coreutils}/bin/printf"
+
+    substituteInPlace internal/util/shellout_unix_test.go \
+      --replace /bin/echo "${coreutils}/bin/echo"
+  '';
+
   checkFlags = [ "-short" ];
 
   meta = with lib; {

pkgs/tools/text/gucci/default.nix

@@ -21,6 +21,14 @@ buildGoModule rec {
 
   checkFlags = [ "-short" ];
 
+  # Integration tests rely on Ginkgo but fail.
+  # Related: https://github.com/onsi/ginkgo/issues/602
+  #
+  # Disable integration tests.
+  preCheck = ''
+    buildFlagsArray+=("-run" "[^(TestIntegration)]")
+  '';
+
   meta = with lib; {
     description = "A simple CLI templating tool written in golang";
     homepage = "https://github.com/noqcks/gucci";

pkgs/tools/typesetting/asciidoc/default.nix

@@ -1,39 +1,39 @@
 { fetchurl, lib, stdenv, python3
 , fetchFromGitHub, autoreconfHook
+, installShellFiles
 , enableStandardFeatures ? false
-, sourceHighlight ? null
+, sourceHighlight
-, highlight ? null
+, highlight
-, pygments ? null
+, pygments
-, graphviz ? null
+, graphviz
-, texlive ? null
+, texlive
-, dblatexFull ? null
+, dblatexFull
-, libxslt ? null
+, libxslt
-, w3m ? null
+, w3m
-, lynx ? null
+, lynx
-, imagemagick ? null
+, imagemagick
-, lilypond ? null
+, lilypond
-, libxml2 ? null
+, libxml2
-, docbook_xml_dtd_45 ? null
+, docbook_xml_dtd_45
-, docbook_xsl_ns ? null
+, docbook_xsl_ns
-, docbook_xsl ? null
+, docbook_xsl
-, fop ? null
+, fop
-# TODO: Package this:
+, epubcheck
-#, epubcheck ? null
+, gnused
-, gnused ? null
+, coreutils
-, coreutils ? null
 
 # if true, enable all the below filters and backends
 , enableExtraPlugins ? false
 
 # unzip is needed to extract filter and backend plugins
-, unzip ? null
+, unzip
 # filters
-, enableDitaaFilter ? false, jre ? null
+, enableDitaaFilter ? false, jre
-, enableMscgenFilter ? false, mscgen ? null
+, enableMscgenFilter ? false, mscgen
-, enableDiagFilter ? false, blockdiag ? null, seqdiag ? null, actdiag ? null, nwdiag ? null
+, enableDiagFilter ? false, blockdiag, seqdiag, actdiag, nwdiag
-, enableQrcodeFilter ? false, qrencode ? null
+, enableQrcodeFilter ? false, qrencode
-, enableMatplotlibFilter ? false, matplotlib ? null, numpy ? null
+, enableMatplotlibFilter ? false, matplotlib, numpy
-, enableAafigureFilter ? false, aafigure ? null, recursivePthLoader ? null
+, enableAafigureFilter ? false, aafigure, recursivePthLoader
 # backends
 , enableDeckjsBackend ? false
 , enableOdfBackend ? false
@@ -44,38 +44,6 @@
 , buildPackages
 }:
 
-assert enableStandardFeatures ->
-  sourceHighlight != null &&
-  highlight != null &&
-  pygments != null &&
-  graphviz != null &&
-  texlive != null &&
-  dblatexFull != null &&
-  libxslt != null &&
-  w3m != null &&
-  lynx != null &&
-  imagemagick != null &&
-  lilypond != null &&
-  libxml2 != null &&
-  docbook_xml_dtd_45 != null &&
-  docbook_xsl_ns != null &&
-  docbook_xsl != null &&
-  (fop != null || !enableJava) &&
-# TODO: Package this:
-#  epubcheck != null &&
-  gnused != null &&
-  coreutils != null;
-
-# filters
-assert enableExtraPlugins || enableDitaaFilter || enableMscgenFilter || enableDiagFilter || enableQrcodeFilter || enableAafigureFilter -> unzip != null;
-assert (enableExtraPlugins && enableJava) || enableDitaaFilter -> jre != null;
-assert enableExtraPlugins || enableMscgenFilter -> mscgen != null;
-assert enableExtraPlugins || enableDiagFilter -> blockdiag != null && seqdiag != null && actdiag != null && nwdiag != null;
-assert enableExtraPlugins || enableMatplotlibFilter -> matplotlib != null && numpy != null;
-assert enableExtraPlugins || enableAafigureFilter -> aafigure != null && recursivePthLoader != null;
-# backends
-assert enableExtraPlugins || enableDeckjsBackend || enableOdfBackend -> unzip != null;
-
 let
 
   _enableDitaaFilter = (enableExtraPlugins && enableJava) || enableDitaaFilter;
@@ -144,26 +112,24 @@ let
     sha256 = "08ya4bskygzqkfqwjllpg31qc5k08xp2k78z9b2480g8y57bfy10";
   };
 
-in
+in python3.pkgs.buildPythonApplication rec {
-
-stdenv.mkDerivation rec {
   pname = "asciidoc"
     + lib.optionalString enableStandardFeatures "-full"
     + lib.optionalString enableExtraPlugins "-with-plugins";
-  version = "9.1.0";
+  version = "10.2.0";
 
-  # Note: a substitution to improve reproducibility should be updated once 10.0.0 is
-  # released. See the comment in `patchPhase` for more information.
   src = fetchFromGitHub {
-    owner = "asciidoc";
+    owner = "asciidoc-py";
-    repo = "asciidoc-py3";
+    repo = "asciidoc-py";
     rev = version;
-    sha256 = "1clf1axkns23wfmh48xfspzsnw04pjh4mq1pshpzvj0cwxhz0yaq";
+    hash = "sha256-TqC0x9xB6e2d6Wc9bgnlqgZVOmYHmUUKfE/CKAiEtag=";
   };
 
-  strictDeps = true;
+  nativeBuildInputs = [
-  nativeBuildInputs = [ python3 unzip autoreconfHook ];
+    autoreconfHook
-  buildInputs = [ python3 ];
+    installShellFiles
+    unzip
+  ];
 
   # install filters early, so their shebangs are patched too
   postPatch = with lib; ''
@@ -230,22 +196,22 @@ stdenv.mkDerivation rec {
         -e "s|twopi|${graphviz}/bin/twopi|g" \
         -e "s|circo|${graphviz}/bin/circo|g" \
         -e "s|fdp|${graphviz}/bin/fdp|g" \
-        -i "filters/graphviz/graphviz2png.py"
+        -i "asciidoc/resources/filters/graphviz/graphviz2png.py"
 
     sed -e "s|run('latex|run('${texlive}/bin/latex|g" \
         -e "s|cmd = 'dvipng'|cmd = '${texlive}/bin/dvipng'|g" \
         -e "s|cmd = 'dvisvgm'|cmd = '${texlive}/bin/dvisvgm'|g" \
-        -i "filters/latex/latex2img.py"
+        -i "asciidoc/resources/filters/latex/latex2img.py"
 
     sed -e "s|run('abc2ly|run('${lilypond}/bin/abc2ly|g" \
         -e "s|run('lilypond|run('${lilypond}/bin/lilypond|g" \
         -e "s|run('convert|run('${imagemagick.out}/bin/convert|g" \
-        -i "filters/music/music2png.py"
+        -i "asciidoc/resources/filters/music/music2png.py"
 
     sed -e 's|filter="source-highlight|filter="${sourceHighlight}/bin/source-highlight|' \
         -e 's|filter="highlight|filter="${highlight}/bin/highlight|' \
         -e 's|filter="pygmentize|filter="${pygments}/bin/pygmentize|' \
-        -i "filters/source/source-highlight-filter.conf"
+        -i "asciidoc/resources/filters/source/source-highlight-filter.conf"
 
     # ENV is custom environment passed to programs that a2x invokes. Here we
     # use it to work around an impurity in the tetex package; tetex tools
@@ -260,55 +226,45 @@ stdenv.mkDerivation rec {
         -e "s|^W3M =.*|W3M = '${w3m}/bin/w3m'|" \
         -e "s|^LYNX =.*|LYNX = '${lynx}/bin/lynx'|" \
         -e "s|^XMLLINT =.*|XMLLINT = '${libxml2.bin}/bin/xmllint'|" \
-        -e "s|^EPUBCHECK =.*|EPUBCHECK = 'nixpkgs_is_missing_epubcheck'|" \
+        -e "s|^EPUBCHECK =.*|EPUBCHECK = '${epubcheck}/bin/epubcheck'|" \
-        -i a2x.py
+        -i asciidoc/a2x.py
   '' else ''
     sed -e "s|^ENV =.*|ENV = dict(XML_CATALOG_FILES='${docbook_xml_dtd_45}/xml/dtd/docbook/catalog.xml ${docbook_xsl_ns}/xml/xsl/docbook/catalog.xml ${docbook_xsl}/xml/xsl/docbook/catalog.xml')|" \
         -e "s|^XSLTPROC =.*|XSLTPROC = '${libxslt.bin}/bin/xsltproc'|" \
         -e "s|^XMLLINT =.*|XMLLINT = '${libxml2.bin}/bin/xmllint'|" \
-        -i a2x.py
+        -i asciidoc/a2x.py
   '') + ''
-    patchShebangs --host \
-      asciidoc.py \
-      a2x.py \
-      tests/testasciidoc.py \
-      filters/code/code-filter.py \
-      filters/latex/latex2img.py \
-      filters/music/music2png.py \
-      filters/unwraplatex.py \
-      filters/graphviz/graphviz2png.py
-
-    # Hardcode the path to its own asciidoc.
-    # This helps with cross-compilation.
-    substituteInPlace a2x.py \
-      --replace "find_executable(ASCIIDOC)" "'${placeholder "out"}/bin/asciidoc'"
-
-    # Note: this substitution will not work in the planned 10.0.0 release:
-    #
-    # https://github.com/asciidoc/asciidoc-py3/commit/dfffda23381014481cd13e8e9d8f131e1f93f08a
-    #
-    # Update this substitution to:
-    #
-    # --replace "python3 -m asciidoc.a2x" "python3 -m asciidoc.a2x -a revdate=01/01/1980"
-    substituteInPlace Makefile.in \
-      --replace "python3 a2x.py" "python3 a2x.py -a revdate=01/01/1980"
-
     # Fix tests
     for f in $(grep -R --files-with-matches "2002-11-25") ; do
-      substituteInPlace $f --replace "2002-11-25" "1970-01-01"
+      substituteInPlace $f --replace "2002-11-25" "1980-01-02"
-      substituteInPlace $f --replace "00:37:42" "00:00:01"
+      substituteInPlace $f --replace "00:37:42" "00:00:00"
     done
   '' + lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform) ''
     # We want to use asciidoc from the build platform to build the documentation.
     substituteInPlace Makefile.in \
-      --replace "python3 a2x.py" "python3 ${buildPackages.asciidoc}/bin/a2x.py"
+      --replace "python3 -m asciidoc.a2x" "${buildPackages.asciidoc}/bin/a2x"
   '';
 
-  preInstall = "mkdir -p $out/etc/vim";
+  postBuild = ''
-  makeFlags = lib.optional stdenv.isCygwin "DESTDIR=/.";
+    make manpages
+  '';
 
-  checkInputs = [ sourceHighlight ];
+  postInstall = ''
-  doCheck = true;
+    installManPage doc/asciidoc.1 doc/a2x.1 doc/testasciidoc.1
+  '';
+
+  checkInputs = with python3.pkgs; [
+    pytest
+    pytest-mock
+  ];
+
+  checkPhase = ''
+    runHook preCheck
+
+    make test
+
+    runHook postCheck
+  '';
 
   meta = with lib; {
     description = "Text-based document generation system";
@@ -325,9 +281,10 @@ stdenv.mkDerivation rec {
     sourceProvenance = with sourceTypes; [
       fromSource
     ] ++ lib.optional _enableDitaaFilter binaryBytecode;
-    homepage = "http://www.methods.co.nz/asciidoc/";
+    homepage = "https://asciidoc-py.github.io/";
+    changelog = "https://github.com/asciidoc-py/asciidoc-py/blob/${src.rev}/CHANGELOG.adoc";
     license = licenses.gpl2Plus;
     platforms = platforms.unix;
-    maintainers = [ maintainers.bjornfor ];
+    maintainers = with maintainers; [ bjornfor dotlambda ];
   };
 }

pkgs/top-level/all-packages.nix

@@ -4601,21 +4601,17 @@ with pkgs;
   arpoison = callPackage ../tools/networking/arpoison { };
 
   asciidoc = callPackage ../tools/typesetting/asciidoc {
-    inherit (python3.pkgs) matplotlib numpy aafigure recursivePthLoader;
+    inherit (python3.pkgs) pygments matplotlib numpy aafigure recursivePthLoader;
+    texlive = texlive.combine { inherit (texlive) scheme-minimal dvipng; };
+    w3m = w3m-batch;
     enableStandardFeatures = false;
   };
 
   asciidoc-full = asciidoc.override {
-    inherit (python3.pkgs) pygments;
-    texlive = texlive.combine { inherit (texlive) scheme-minimal dvipng; };
-    w3m = w3m-batch;
     enableStandardFeatures = true;
   };
 
   asciidoc-full-with-plugins = asciidoc.override {
-    inherit (python3.pkgs) pygments;
-    texlive = texlive.combine { inherit (texlive) scheme-minimal dvipng; };
-    w3m = w3m-batch;
     enableStandardFeatures = true;
     enableExtraPlugins = true;
   };
@@ -15527,20 +15523,27 @@ with pkgs;
 
   ctmg = callPackage ../tools/security/ctmg { };
 
-  cmake = libsForQt5.callPackage ../development/tools/build-managers/cmake {
+  cmake = callPackage ../development/tools/build-managers/cmake {
     inherit (darwin.apple_sdk.frameworks) SystemConfiguration;
+    inherit (libsForQt5) qtbase wrapQtAppsHook;
   };
 
-  cmakeMinimal = libsForQt5.callPackage ../development/tools/build-managers/cmake {
+  cmakeMinimal = callPackage ../development/tools/build-managers/cmake {
     isBootstrap = true;
+    qtbase = null;
+    wrapQtAppsHook = null;
     # There is no SystemConfiguration in bootstrapTools, so this version gets
     # patched to remove that dependency.
     SystemConfiguration = null;
   };
 
-  cmakeCurses = cmake.override { useNcurses = true; };
+  cmakeCurses = cmake.override {
+    uiToolkits = [ "ncurses" ];
+  };
 
-  cmakeWithGui = cmakeCurses.override { withQt5 = true; };
+  cmakeWithGui = cmake.override {
+    uiToolkits = [ "ncurses" "qt5" ];
+  };
 
   cmake-format = python3Packages.callPackage ../development/tools/cmake-format { };
 
@@ -21042,23 +21045,6 @@ with pkgs;
 
   sphinx = with python3Packages; toPythonApplication sphinx;
 
-  # A variation of sphinx that is only suitable for offline use as it excludes
-  # pyopenssl, which is broken on aarch64-darwin.
-  # https://github.com/NixOS/nixpkgs/issues/175875
-  sphinx_offline =
-    if !(stdenv.buildPlatform.isDarwin && stdenv.buildPlatform.isAarch64)
-    then sphinx
-    else
-      sphinx.override (o: {
-        requests = pkgsBuildTarget.python3Packages.requests.override (o: {
-          urllib3 = pkgsBuildTarget.python3Packages.urllib3.overrideAttrs (o: {
-            # urllib3 adds the optional pyopenssl to propagatedBuildInputs
-            # pkgs/development/python-modules/urllib3/default.nix
-            propagatedBuildInputs = [];
-          });
-        });
-      });
-
   sphinx-autobuild = with python3Packages; toPythonApplication sphinx-autobuild;
 
   sphinx-serve = with python3Packages; toPythonApplication sphinx-serve;
@@ -23452,7 +23438,7 @@ with pkgs;
 
     # latest 6.8 mysteriously fails to parse '@headings single':
     #   https://lists.gnu.org/archive/html/bug-texinfo/2021-09/msg00011.html
-    texinfo = texinfo6_7;
+    texinfo = buildPackages.texinfo6_7;
   };
 
   gpm-ncurses = gpm.override { inherit ncurses; };

pkgs/top-level/haskell-packages.nix

@@ -49,8 +49,6 @@ let
   # Use this rather than `rec { ... }` below for sake of overlays.
   inherit (pkgs.haskell) compiler packages;
 
-  sphinx = buildPackages.sphinx_offline;
-
 in {
   lib = haskellLibUncomposable;
 
@@ -99,7 +97,7 @@ in {
           packages.ghc8102Binary
         else
           packages.ghc865Binary;
-      inherit sphinx;
+      inherit (buildPackages.python3Packages) sphinx;
       buildTargetLlvmPackages = pkgsBuildTarget.llvmPackages_7;
       llvmPackages = pkgs.llvmPackages_7;
     };
@@ -110,9 +108,12 @@ in {
         # Musl bindists do not exist for ghc 8.6.5, so we use 8.10.* for them
         if stdenv.isAarch64 || stdenv.isAarch32 then
           packages.ghc8107BinaryMinimal
+        else if stdenv.hostPlatform.isPower64 && stdenv.hostPlatform.isLittleEndian then
+          # to my (@a-m-joseph) knowledge there are no newer official binaries for this platform
+          packages.ghc865Binary
         else
           packages.ghc8107Binary;
-      inherit sphinx;
+      inherit (buildPackages.python3Packages) sphinx;
       # Need to use apple's patched xattr until
       # https://github.com/xattr/xattr/issues/44 and
       # https://github.com/xattr/xattr/issues/55 are solved.
@@ -126,9 +127,11 @@ in {
         # the oldest ghc with aarch64-darwin support is 8.10.5
         if stdenv.isAarch64 || stdenv.isAarch32 then
           packages.ghc8107BinaryMinimal
+        else if stdenv.hostPlatform.isPower64 && stdenv.hostPlatform.isLittleEndian then
+          packages.ghc8107
         else
           packages.ghc8107Binary;
-      inherit sphinx;
+      inherit (buildPackages.python3Packages) sphinx;
       inherit (buildPackages.darwin) autoSignDarwinBinariesHook xattr;
       buildTargetLlvmPackages = pkgsBuildTarget.llvmPackages_12;
       llvmPackages = pkgs.llvmPackages_12;
@@ -138,9 +141,11 @@ in {
         # aarch64 ghc8107Binary exceeds max output size on hydra
         if stdenv.isAarch64 || stdenv.isAarch32 then
           packages.ghc8107BinaryMinimal
+        else if stdenv.hostPlatform.isPower64 && stdenv.hostPlatform.isLittleEndian then
+          packages.ghc8107
         else
           packages.ghc8107Binary;
-      inherit sphinx;
+      inherit (buildPackages.python3Packages) sphinx;
       # Need to use apple's patched xattr until
       # https://github.com/xattr/xattr/issues/44 and
       # https://github.com/xattr/xattr/issues/55 are solved.
@@ -149,8 +154,12 @@ in {
       llvmPackages = pkgs.llvmPackages_12;
     };
     ghcHEAD = callPackage ../development/compilers/ghc/head.nix {
-      bootPkgs = packages.ghc8107Binary;
+      bootPkgs =
-      inherit sphinx;
+        if stdenv.hostPlatform.isPower64 && stdenv.hostPlatform.isLittleEndian then
+          packages.ghc8107
+        else
+          packages.ghc8107Binary;
+      inherit (buildPackages.python3Packages) sphinx;
       # Need to use apple's patched xattr until
       # https://github.com/xattr/xattr/issues/44 and
       # https://github.com/xattr/xattr/issues/55 are solved.