Merge master into staging-next

lib/default.nix

@@ -66,7 +66,8 @@ let
       stringLength sub substring tail trace;
     inherit (self.trivial) id const pipe concat or and bitAnd bitOr bitXor
       bitNot boolToString mergeAttrs flip mapNullable inNixShell isFloat min max
-      importJSON importTOML warn warnIf info showWarnings nixpkgsVersion version
+      importJSON importTOML warn warnIf throwIfNot
+      info showWarnings nixpkgsVersion version
       mod compare splitByAndCompare functionArgs setFunctionArgs isFunction
       toHexString toBaseDigits;
     inherit (self.fixedPoints) fix fix' converge extends composeExtensions

lib/trivial.nix

@@ -325,6 +325,28 @@ rec {
   */
   warnIf = cond: msg: if cond then warn msg else id;
 
+  /*
+    Like the `assert b; e` expression, but with a custom error message and
+    without the semicolon.
+
+    If true, return the identity function, `r: r`.
+
+    If false, throw the error message.
+
+    Calls can be juxtaposed using function application, as `(r: r) a = a`, so
+    `(r: r) (r: r) a = a`, and so forth.
+
+    Type: bool -> string -> a -> a
+
+    Example:
+
+        throwIfNot (lib.isList overlays) "The overlays argument to nixpkgs must be a list."
+        lib.foldr (x: throwIfNot (lib.isFunction x) "All overlays passed to nixpkgs must be functions.") (r: r) overlays
+        pkgs
+
+  */
+  throwIfNot = cond: msg: if cond then x: x else throw msg;
+
   info = msg: builtins.trace "INFO: ${msg}";
 
   showWarnings = warnings: res: lib.foldr (w: x: warn w x) res warnings;

maintainers/maintainer-list.nix

@@ -8220,6 +8220,12 @@
     githubId = 4996739;
     name = "Masayuki Takeda";
   };
+  mtesseract = {
+    email = "moritz@stackrox.com";
+    github = "mtesseract";
+    githubId = 11706080;
+    name = "Moritz Clasmeier";
+  };
   MtP = {
     email = "marko.nixos@poikonen.de";
     github = "MtP76";

pkgs/applications/networking/instant-messengers/gajim/default.nix

@@ -1,4 +1,4 @@
-{ lib, fetchurl, gettext, wrapGAppsHook
+{ lib, fetchurl, fetchFromGitLab, gettext, wrapGAppsHook
 
 # Native dependencies
 , python3, gtk3, gobject-introspection, gnome
@@ -41,6 +41,21 @@ python3.pkgs.buildPythonApplication rec {
     gettext wrapGAppsHook
   ];
 
+  # Workaround for https://dev.gajim.org/gajim/gajim/-/issues/10719.
+  # We don't use plugin release URL because it's updated in place.
+  plugins = fetchFromGitLab {
+    domain = "dev.gajim.org";
+    owner = "gajim";
+    repo = "gajim-plugins";
+    rev = "fea522e4360cec6ceacbf1df92644ab3343d4b99";
+    sha256 = "sha256-CmwEiLsdldoOfgHfWL/5hf/dp0HEDNAIlc5N0Np20KE=";
+  };
+
+  postPatch = ''
+    mkdir -p gajim/data/plugins
+    cp -r $plugins/plugin_installer gajim/data/plugins
+  '';
+
   dontWrapGApps = true;
 
   preFixup = ''
@@ -59,7 +74,8 @@ python3.pkgs.buildPythonApplication rec {
   checkPhase = ''
     xvfb-run dbus-run-session \
       --config-file=${dbus.daemon}/share/dbus-1/session.conf \
-      ${python3.interpreter} setup.py test
+      ${python3.interpreter} -m unittest discover -s test/unit -v
+    ${python3.interpreter} -m unittest discover -s test/no_gui -v
   '';
 
   # necessary for wrapGAppsHook

pkgs/development/libraries/box2d/default.nix

@@ -12,8 +12,6 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-Z2J17YMzQNZqABIa5eyJDT7BWfXveymzs+DWsrklPIs=";
   };
 
-  sourceRoot = "source/Box2D";
-
   nativeBuildInputs = [ cmake pkg-config ];
   buildInputs = [ libGLU libGL freeglut libX11 xorgproto libXi ];
 
@@ -24,6 +22,7 @@ stdenv.mkDerivation rec {
   ];
 
   prePatch = ''
+    cd Box2D
     substituteInPlace Box2D/Common/b2Settings.h \
       --replace 'b2_maxPolygonVertices	8' 'b2_maxPolygonVertices	15'
   '';

pkgs/development/python-modules/deezer-py/default.nix

@@ -7,12 +7,12 @@
 
 buildPythonPackage rec {
   pname = "deezer-py";
-  version = "1.3.2";
+  version = "1.3.5";
   disabled = pythonOlder "3.6";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-G4GREc+PWvaphnOuzBePraj4pHgmhhKqsyVHKOPwGik=";
+    sha256 = "5bc30e8887a7dc1dfec2970d825a69c7c932564300fc84b4e68cbf59bf109baa";
   };
 
   propagatedBuildInputs = [ requests ];

pkgs/development/python-modules/env-canada/default.nix

@@ -14,7 +14,7 @@
 
 buildPythonPackage rec {
   pname = "env-canada";
-  version = "0.5.18";
+  version = "0.5.20";
   format = "setuptools";
 
   disabled = pythonOlder "3.8";
@@ -23,7 +23,7 @@ buildPythonPackage rec {
     owner = "michaeldavie";
     repo = "env_canada";
     rev = "v${version}";
-    sha256 = "1w2fclpmcb41k2a3226jk62hdclc8b18kxih2ads90r4yxgpxc8p";
+    sha256 = "sha256-gYl5+rtOzci3nhgP74VM37tNk9pPWgcNBfcSSG1fSJs=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/goodwe/default.nix

@@ -7,7 +7,7 @@
 
 buildPythonPackage rec {
   pname = "goodwe";
-  version = "0.2.9";
+  version = "0.2.10";
   format = "pyproject";
 
   disabled = pythonOlder "3.8";
@@ -16,7 +16,7 @@ buildPythonPackage rec {
     owner = "marcelblijleven";
     repo = pname;
     rev = "v${version}";
-    sha256 = "0l895nyq2g7isvim2fx4ivdh3xzhyc10yzqvqnlg3fr56l5srfch";
+    sha256 = "1c4wks67vm2dwzmm3xqkidyss04vkx4mpkkr8l1c7c5myfk1n157";
   };
 
   checkInputs = [

pkgs/development/python-modules/google-nest-sdm/default.nix

@@ -13,7 +13,7 @@
 
 buildPythonPackage rec {
   pname = "google-nest-sdm";
-  version = "1.2.1";
+  version = "1.3.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.8";
@@ -22,7 +22,7 @@ buildPythonPackage rec {
     owner = "allenporter";
     repo = "python-google-nest-sdm";
     rev = version;
-    sha256 = "sha256-gg5JAkTUuch6HcRLl1Xm/LAoC32EcayG1w3Fk7GrZD8=";
+    sha256 = "sha256-E0e4lLUBzHKA3clmb/JUBE0KGciQ1xrmLTSeSkGDsWo=";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/ipympl/default.nix

@@ -7,12 +7,12 @@
 
 buildPythonPackage rec {
   pname = "ipympl";
-  version = "0.8.4";
+  version = "0.8.5";
   format = "wheel";
 
   src = fetchPypi {
     inherit pname version format;
-    sha256 = "2f955c1c04d8e6df883d57866450657040bfc568edeabcace801cbdbaf4d0295";
+    sha256 = "120a084d84e6a6a00fc39c73e10345dcd9855efb3fa6e774f3e72057a866715c";
   };
 
 

pkgs/development/python-modules/mypy-boto3-s3/default.nix

@@ -8,13 +8,13 @@
 
 buildPythonPackage rec {
   pname = "mypy-boto3-s3";
-  version = "1.20.17";
+  version = "1.20.28";
 
   disabled = pythonOlder "3.6";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-7Zw8NxOEXDRmLChxHQXVU/HzR8z6HuLxX8bB3pZuCqc=";
+    sha256 = "85ac23d06f9d0d794f60041b4c4f271d2bb8f5a83375c963e4a9e73e51ba9ca5";
   };
 
   propagatedBuildInputs = [

pkgs/development/python-modules/watermark/default.nix

@@ -9,14 +9,14 @@
 
 buildPythonPackage rec {
   pname = "watermark";
-  version = "2.2.0";
+  version = "2.3.0";
   disabled = pythonOlder "3.7";
 
   src = fetchFromGitHub {
     owner = "rasbt";
     repo = pname;
-    rev = "d3553b68dd30ac5b0951a6fae6083236e4c7f3bd";
+    rev = "v${version}";
-    sha256 = "0w2mzi344x1mrv8d9jca67bhig34jissr9sqrk68gpg5n10alblb";
+    sha256 = "1kl9yn1pkl84d3lcz7bvphqkydsgs0p5k0ja0msy3hrxxfzdzd16";
   };
 
   propagatedBuildInputs = [

pkgs/development/tools/electron/default.nix

@@ -115,14 +115,14 @@ rec {
     headers = "1idam1xirxqxqg4g7n33kdx2skk0r351m00g59a8yx9z82g06ah9";
   };
 
-  electron_13 = mkElectron "13.6.3" {
+  electron_13 = mkElectron "13.6.6" {
-    armv7l-linux = "a293a9684e16a427a9f68d101814575a4b1dd232dc3fca47552f906019a6cadc";
+    armv7l-linux = "4d8a8bde1c993bfc20afb2b23e55101ad2048f5ddd89ab86043f510470aeba8d";
-    aarch64-linux = "1599d259832c806b98751a68fb93112711963d259024f0e36f12f064995b3251";
+    aarch64-linux = "6d1480f80d43cdebd9f74cb62b64c9d16bee29b68b863faf7c50fcb91f63985c";
-    x86_64-linux = "7607422a4ba80cda4bd7fefb2fbe2f4e0b9a73db92e1e82dc01012a85b5d0d2b";
+    x86_64-linux = "62b9ba2fea4f0f54fd54bce8a532d14132302a66ec99173764f44234fa76925e";
-    i686-linux = "db9261c05ed57af2fcd4a84b89d299c76948b9d57ce0dba38e3240eb43935257";
+    i686-linux = "b83860318b2e591b150dc9578ea749f66ab9a18aafbe69dadb622b9ca131e695";
-    x86_64-darwin = "6bf09794d6f020bbaaf806a7758da125137b3c96646f4503eb81b9541e50e02f";
+    x86_64-darwin = "a59b7270f86286e4ee217552b8729621f4b282360ad15391886d5686008b6933";
-    aarch64-darwin = "374ddf0581794b31eee900828172f9218193c032c0e46bffcfac6aec95c22f1a";
+    aarch64-darwin = "1f445d2f02d1054a760bdaafb755677a35c495e64385e2d2a5547b6750a82dfa";
-    headers = "0v1n8izy83qq3ljs6191a7mzr6nnda5ib9ava1cjddkshl8pampq";
+    headers = "0qdlw17jxhhcamr8g2ybbs2jkijzdq82qgc3knr4kdxb425q898r";
   };
 
   electron_14 = mkElectron "14.2.3" {
@@ -145,13 +145,13 @@ rec {
     headers = "1xnbzskvf8p5a07bha41qqnw1hb68f019qrda3z2jn96m3qnj46r";
   };
 
-  electron_16 = mkElectron "16.0.5" {
+  electron_16 = mkElectron "16.0.6" {
-    armv7l-linux = "16381d22f6f3c7990435598fc50addf8addde2fa749ab23672733ec90b8d53ef";
+    armv7l-linux = "f15d665cbf487538f5448a318519e16e3c07a5f7b55895541df1c067c9cfcb55";
-    aarch64-linux = "6274bdf2a3894ce9ddb70800df497a034893e1be5e2d07763e339550009d53b6";
+    aarch64-linux = "92037b0886a9404c7f9027e7597df552b2c0011ded100537f4287e4e925db6dc";
-    x86_64-linux = "2830a9f8fc5e7fa4f70997e11d55b250e90db511b29da22699e1fe23b153128c";
+    x86_64-linux = "0017aba47756b962b9571ccd9dcf6297af0f603b879e26f49bab8728bb64567d";
-    i686-linux = "363e2588f57f3d31e506e759f723768b543baf248dfb518d06747ffa0a8d8ab1";
+    i686-linux = "11ae3628d27d12612a8742b72b0dc4521c9b2cd303619046c6f6a36282f43c72";
-    x86_64-darwin = "0bb7f2c506d8c3e9ef7ec4049baf87a3365cbf80c569f6eb98ddc1a2ddb653e6";
+    x86_64-darwin = "250489ca6b1bec91f4d59766c1d4f65407f016765395517a6dfd5625e93d646f";
-    aarch64-darwin = "de4eac412a942a0b238792a38c0c80691d1a7ef2eba850c15619c0db9da89f1a";
+    aarch64-darwin = "a4416627a3055308259689fd156a7d4fd704983420a20e8939409b08195af204";
-    headers = "1pdi86sq60z9bqd81fvgl14c3bk21wk9mwkqyn653yq4zk0mqpi5";
+    headers = "00iq8v3nm42f9fphwd50vdng51bd291rk33zcavpidiw29hrqi9m";
   };
 }

pkgs/development/tools/kube-linter/default.nix

@@ -0,0 +1,31 @@
+{ lib, buildGoModule, fetchFromGitHub, testVersion, kube-linter }:
+
+buildGoModule rec {
+  pname = "kube-linter";
+  version = "0.2.5";
+
+  src = fetchFromGitHub {
+    owner = "stackrox";
+    repo = pname;
+    rev = "${version}";
+    sha256 = "GUDrUEBorV4/ZqPnfNYcsbW4Zr1LpS3yL+4OgxFbTOk=";
+  };
+
+  vendorSha256 = "xGghTP9thICOGIfc5VPJK06DeXfLiTckwa4nXv83/P8=";
+
+  ldflags = [
+    "-s" "-w" "-X golang.stackrox.io/kube-linter/internal/version.version=${version}"
+  ];
+
+  passthru.tests.version = testVersion {
+    package = kube-linter;
+    command = "kube-linter version";
+  };
+
+  meta = with lib; {
+    description = "A static analysis tool that checks Kubernetes YAML files and Helm charts";
+    homepage = "https://kubelinter.io";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ mtesseract ];
+  };
+}

pkgs/os-specific/linux/bionic-prebuilt/default.nix

@@ -1,4 +1,6 @@
-{ stdenvNoCC, lib, fetchzip, pkgs
+{ stdenv, stdenvNoCC, lib, fetchzip, pkgs
+, enableStatic ? stdenv.hostPlatform.isStatic
+, enableShared ? !stdenv.hostPlatform.isStatic
 }:
 let
 
@@ -92,10 +94,17 @@ stdenvNoCC.mkDerivation rec {
     cp -v ${prebuilt_crt.out}/*.o $out/lib/
     cp -v ${prebuilt_crt.out}/libgcc.a $out/lib/
     cp -v ${prebuilt_ndk_crt.out}/*.o $out/lib/
+  '' + lib.optionalString enableShared ''
     for i in libc.so libm.so libdl.so liblog.so; do
       cp -v ${prebuilt_libs.out}/$i $out/lib/
     done
-
+  '' + lib.optionalString enableStatic ''
+    # no liblog.a; while it's also part of the base libraries,
+    # it's only available as shared object in the prebuilts.
+    for i in libc.a libm.a libdl.a; do
+      cp -v ${prebuilt_ndk_crt.out}/$i $out/lib/
+    done
+  '' + ''
     mkdir -p $dev/include
     cp -v $out/include/*.h $dev/include/
   '';

pkgs/tools/networking/openssh/common.nix

@@ -4,6 +4,7 @@
 , src
 , extraPatches ? []
 , extraNativeBuildInputs ? []
+, extraConfigureFlags ? []
 , extraMeta ? {}
 }:
 
@@ -94,7 +95,8 @@ stdenv.mkDerivation rec {
     ++ optional withFIDO "--with-security-key-builtin=yes"
     ++ optional withKerberos (assert libkrb5 != null; "--with-kerberos5=${libkrb5}")
     ++ optional stdenv.isDarwin "--disable-libutil"
-    ++ optional (!linkOpenssl) "--without-openssl";
+    ++ optional (!linkOpenssl) "--without-openssl"
+    ++ extraConfigureFlags;
 
   buildFlags = [ "SSH_KEYSIGN=ssh-keysign" ];
 

pkgs/tools/networking/openssh/default.nix

@@ -19,29 +19,30 @@ in
 
   openssh_hpn = common rec {
     pname = "openssh-with-hpn";
-    version = "8.4p1";
+    version = "8.8p1";
     extraDesc = " with high performance networking patches";
 
-    src = fetchFromGitHub {
+    src = fetchurl {
-      owner = "rapier1";
+      url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
-      repo = "openssh-portable";
+      sha256 = "1s8z6f7mi1pwsl79cqai8cr350m5lf2ifcxff57wx6mvm478k425";
-      rev = "hpn-KitchenSink-${builtins.replaceStrings [ "." "p" ] [ "_" "_P" ] version}";
-      hash = "sha256-SYQPDGxZR41m4g603RaZaOYm4vCr9uZnFnZoKhruueY=";
     };
 
     extraPatches = [
-      ./ssh-keysign-8.4.patch
+      ./ssh-keysign-8.5.patch
 
-      # See https://github.com/openssh/openssh-portable/pull/206
+      # HPN Patch from FreeBSD ports
-      ./ssh-copy-id-fix-eof.patch
+      (fetchpatch {
+        name = "ssh-hpn.patch";
+        url = "https://raw.githubusercontent.com/freebsd/freebsd-ports/a981593e/security/openssh-portable/files/extra-patch-hpn";
+        stripLen = 1;
+        sha256 = "sha256-+JvpPxktZAjhxLLK1lF4ijG9VlSWkqbRwotaLe6en64=";
+      })
     ];
 
     extraNativeBuildInputs = [ autoreconfHook ];
 
-    extraMeta.knownVulnerabilities = [
+    extraConfigureFlags = [ "--with-hpn" ];
-      "CVE-2021-28041"
+    extraMeta.maintainers = with lib.maintainers; [ abbe ];
-      "CVE-2021-41617"
-    ];
   };
 
   openssh_gssapi = common rec {

pkgs/tools/security/honggfuzz/default.nix

@@ -1,17 +1,16 @@
-{ lib, stdenv, fetchFromGitHub, callPackage, makeWrapper
+{ lib, stdenv, fetchFromGitHub, callPackage, makeWrapper, clang, llvm, libbfd
-, clang, llvm, libbfd, libopcodes, libunwind, libblocksruntime
+, libopcodes, libunwind, libblocksruntime }:
-}:
 
 let
   honggfuzz = stdenv.mkDerivation rec {
     pname = "honggfuzz";
-    version = "2.4";
+    version = "2.5";
 
     src = fetchFromGitHub {
       owner = "google";
       repo = pname;
       rev = version;
-      sha256 = "sha256-sU5lmlfmvVWo4K96sI+xQsPfTMd1wsLbihcKI4aTj6g=";
+      sha256 = "sha256-TkyUKmiiSAfCnfQhSOUxuce6+dRyMmHy7vFK59jPIxM=";
     };
 
     postPatch = ''
@@ -28,7 +27,8 @@ let
     makeFlags = [ "PREFIX=$(out)" ];
 
     meta = {
-      description = "A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer";
+      description =
+        "A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer";
       longDescription = ''
         Honggfuzz is a security oriented, feedback-driven, evolutionary,
         easy-to-use fuzzer with interesting analysis options. It is

pkgs/top-level/all-packages.nix

@@ -14969,6 +14969,8 @@ with pkgs;
 
   kubectx = callPackage ../development/tools/kubectx { };
 
+  kube-linter = callPackage ../development/tools/kube-linter { };
+
   kube-prompt = callPackage ../development/tools/kube-prompt { };
 
   kubei = callPackage ../tools/security/kubei { };

pkgs/top-level/default.nix

@@ -49,6 +49,15 @@ let # Rename the function arguments
 in let
   lib = import ../../lib;
 
+  inherit (lib) throwIfNot;
+
+  checked =
+    throwIfNot (lib.isList overlays) "The overlays argument to nixpkgs must be a list."
+    lib.foldr (x: throwIfNot (lib.isFunction x) "All overlays passed to nixpkgs must be functions.") (r: r) overlays
+    throwIfNot (lib.isList crossOverlays) "The crossOverlays argument to nixpkgs must be a list."
+    lib.foldr (x: throwIfNot (lib.isFunction x) "All crossOverlays passed to nixpkgs must be functions.") (r: r) crossOverlays
+    ;
+
   localSystem = lib.systems.elaborate args.localSystem;
 
   # Condition preserves sharing which in turn affects equality.
@@ -121,4 +130,4 @@ in let
 
   pkgs = boot stages;
 
-in pkgs
+in checked pkgs