Merge master into staging-next

NixOS · Dec 4, 2024 · 421b067 · 421b067
2 parents 6bd69b5 + ae92b4b
commit 421b067
Show file tree

Hide file tree

Showing 54 changed files with 1,314 additions and 894 deletions.
diff --git a/maintainers/maintainer-list.nix b/maintainers/maintainer-list.nix
@@ -21638,6 +21638,17 @@
     githubId = 6064962;
     name = "TakWolf";
   };
+  talhaHavadar = {
+    email = "[email protected]";
+    github = "talhaHavadar";
+    githubId = 6908462;
+    name = "Talha Can Havadar";
+    keys = [
+      {
+        fingerprint = "1E13 12DF 4B71 58B6 EBF9  DE78 2574 3879 62FE B0D1";
+      }
+    ];
+  };
   talkara = {
     email = "[email protected]";
     github = "talkara";

diff --git a/nixos/doc/manual/release-notes/rl-2505.section.md b/nixos/doc/manual/release-notes/rl-2505.section.md
@@ -31,6 +31,9 @@
 
 - `buildGoPackage` has been removed. Use `buildGoModule` instead. See the [Go section in the nixpkgs manual](https://nixos.org/manual/nixpkgs/unstable/#sec-language-go) for details.
 
+- `strawberry` has been updated to 1.2, which drops support for the VLC backend and Qt 5. The `strawberry-qt5` package
+  and `withGstreamer`/`withVlc` override options have been removed due to this.
+
 - `timescaledb` requires manual upgrade steps.
     After you run ALTER EXTENSION, you must run [this SQL script](https://github.com/timescale/timescaledb-extras/blob/master/utils/2.15.X-fix_hypertable_foreign_keys.sql). For more details, see the following pull requests [#6797](https://github.com/timescale/timescaledb/pull/6797).
     PostgreSQL 13 is no longer supported in TimescaleDB v2.16.
@@ -53,6 +56,8 @@
   [official website](https://www.nerdfonts.com/font-downloads) as the titles in preview images, with the "Nerd Font"
   suffix and any whitespaces trimmed.
 
+- `retroarch` has been refactored and the older `retroarch.override { cores = [ ... ]; }` to create a RetroArch derivation with custom cores doesn't work anymore, use `retroarch.withCores (cores: [ ... ])` instead. If you need more customization (e.g.: custom settings), use `wrapRetroArch` instead.
+
 - `gkraken` software and `hardware.gkraken.enable` option have been removed, use `coolercontrol` via `programs.coolercontrol.enable` option instead.
 
 - `containerd` has been updated to v2, which contains breaking changes. See the [containerd

diff --git a/pkgs/README.md b/pkgs/README.md
@@ -492,7 +492,9 @@ Examples going from bad to best practices:
 Sometimes, changes are needed to the source to allow building a derivation in nixpkgs, or to get earlier access to an upstream fix or improvement.
 When using the `patches` parameter to `mkDerivation`, make sure the patch name clearly describes the reason for the patch, or add a comment.
 
-Patches already merged upstream or published elsewhere should be retrieved using `fetchpatch`.
+### Fetching patches
+
+In the interest of keeping our maintenance burden and the size of Nixpkgs to a minimum, patches already merged upstream or published elsewhere _should_ be retrieved using `fetchpatch`:
 
 ```nix
 {
@@ -506,15 +508,22 @@ Patches already merged upstream or published elsewhere should be retrieved using
 }
 ```
 
-Otherwise, you can add a `.patch` file to the `nixpkgs` repository.
-In the interest of keeping our maintenance burden and the size of nixpkgs to a minimum, only do this for patches that are unique to `nixpkgs` or that have been proposed upstream but are not merged yet, cannot be easily fetched or have a high chance to disappear in the future due to unstable or unreliable URLs.
-The latter avoids link rot when the upstream abandons, squashes or rebases their change, in which case the commit may get garbage-collected.
-
 If a patch is available online but does not cleanly apply, it can be modified in some fixed ways by using additional optional arguments for `fetchpatch`. Check [the `fetchpatch` reference](https://nixos.org/manual/nixpkgs/unstable/#fetchpatch) for details.
 
+### Vendoring patches
+
+In the following cases, a `.patch` file _should_ be added to Nixpkgs repository, instead of retrieved:
+
+- solves problems unique to packaging in Nixpkgs
+- is already proposed upstream but not merged yet
+- cannot be fetched easily
+- has a high chance to disappear in the future due to unstable or unreliable URLs
+
+The latter avoids link rot when the upstream abandons, squashes or rebases their change, in which case the commit may get garbage-collected.
+
 ```nix
 {
-  patches = [ ./0001-changes.patch ];
+  patches = [ ./0001-add-missing-include.patch ];
 }
 ```
 

diff --git a/pkgs/applications/audio/strawberry/default.nix b/pkgs/applications/audio/strawberry/default.nix
@@ -1,57 +1,52 @@
-{ stdenv
-, lib
-, fetchFromGitHub
-, cmake
-, pkg-config
-, wrapQtAppsHook
-, alsa-lib
-, boost
-, chromaprint
-, fftw
-, gnutls
-, libcdio
-, libebur128
-, libmtp
-, libpthreadstubs
-, libtasn1
-, libXdmcp
-, ninja
-, pcre
-, protobuf
-, sqlite
-, taglib
-, libgpod
-, libidn2
-, libpulseaudio
-, libselinux
-, libsepol
-, p11-kit
-, util-linux
-, qtbase
-, qtx11extras ? null # doesn't exist in qt6
-, qttools
-, withGstreamer ? true
-, glib-networking
-, gst_all_1
-, withVlc ? true
-, libvlc
-, nix-update-script
+{
+  alsa-lib,
+  boost,
+  chromaprint,
+  cmake,
+  fetchFromGitHub,
+  fftw,
+  glib-networking,
+  gnutls,
+  gst_all_1,
+  kdsingleapplication,
+  lib,
+  libXdmcp,
+  libcdio,
+  libebur128,
+  libgpod,
+  libidn2,
+  libmtp,
+  libpthreadstubs,
+  libpulseaudio,
+  libselinux,
+  libsepol,
+  libtasn1,
+  ninja,
+  nix-update-script,
+  p11-kit,
+  pkg-config,
+  qtbase,
+  qttools,
+  sqlite,
+  stdenv,
+  taglib,
+  util-linux,
+  wrapQtAppsHook,
 }:
 
 let
-  inherit (lib) optionals optionalString;
+  inherit (lib) optionals;
 
 in
 stdenv.mkDerivation rec {
   pname = "strawberry";
-  version = "1.1.3";
+  version = "1.2.2";
 
   src = fetchFromGitHub {
     owner = "jonaski";
     repo = pname;
     rev = version;
-    hash = "sha256-yca1BJWhSUVamqSKfvEzU3xbzdR+kwfSs0pyS08oUR0=";
-    fetchSubmodules = true;
+    hash = "sha256-X752GsP2b7rumQHzw52zI7PeE8tdM9Scgl3nHVcpO/s=";
   };
 
   # the big strawberry shown in the context menu is *very* much in your face, so use the grey version instead
@@ -60,52 +55,55 @@ stdenv.mkDerivation rec {
       --replace pictures/strawberry.png pictures/strawberry-grey.png
   '';
 
-  buildInputs = [
-    alsa-lib
-    boost
-    chromaprint
-    fftw
-    gnutls
-    libcdio
-    libebur128
-    libidn2
-    libmtp
-    libpthreadstubs
-    libtasn1
-    libXdmcp
-    pcre
-    protobuf
-    sqlite
-    taglib
-    qtbase
-    qtx11extras
-  ] ++ optionals stdenv.hostPlatform.isLinux [
-    libgpod
-    libpulseaudio
-    libselinux
-    libsepol
-    p11-kit
-  ] ++ optionals withGstreamer (with gst_all_1; [
-    glib-networking
-    gstreamer
-    gst-libav
-    gst-plugins-base
-    gst-plugins-good
-    gst-plugins-bad
-    gst-plugins-ugly
-  ]) ++ optionals withVlc [ libvlc ];
+  buildInputs =
+    [
+      alsa-lib
+      boost
+      chromaprint
+      fftw
+      gnutls
+      kdsingleapplication
+      libXdmcp
+      libcdio
+      libebur128
+      libidn2
+      libmtp
+      libpthreadstubs
+      libtasn1
+      qtbase
+      sqlite
+      taglib
+    ]
+    ++ optionals stdenv.hostPlatform.isLinux [
+      libgpod
+      libpulseaudio
+      libselinux
+      libsepol
+      p11-kit
+    ]
+    ++ (with gst_all_1; [
+      glib-networking
+      gst-libav
+      gst-plugins-bad
+      gst-plugins-base
+      gst-plugins-good
+      gst-plugins-ugly
+      gstreamer
+    ]);
 
-  nativeBuildInputs = [
-    cmake
-    ninja
-    pkg-config
-    qttools
-    wrapQtAppsHook
-  ] ++ optionals stdenv.hostPlatform.isLinux [
-    util-linux
-  ];
+  nativeBuildInputs =
+    [
+      cmake
+      ninja
+      pkg-config
+      qttools
+      wrapQtAppsHook
+    ]
+    ++ optionals stdenv.hostPlatform.isLinux [
+      util-linux
+    ];
 
-  postInstall = optionalString withGstreamer ''
+  postInstall = ''
     qtWrapperArgs+=(
       --prefix GST_PLUGIN_SYSTEM_PATH_1_0 : "$GST_PLUGIN_SYSTEM_PATH_1_0"
       --prefix GIO_EXTRA_MODULES : "${glib-networking.out}/lib/gio/modules"

diff --git a/pkgs/applications/networking/browsers/chromium/info.json b/pkgs/applications/networking/browsers/chromium/info.json
@@ -1,9 +1,9 @@
 {
   "chromium": {
-    "version": "131.0.6778.85",
+    "version": "131.0.6778.108",
     "chromedriver": {
-      "hash_darwin": "sha256-li9wQkcgh5ORPu2kjdyfwvvuykRz1gTL3b8UVQs+MY4=",
-      "hash_darwin_aarch64": "sha256-r/C6QpmkVzovLJKfMTjUome9nL5WoEvPGRFB+AJJFqk="
+      "hash_darwin": "sha256-X0kzihCQsICn5SRdU+THdthov0EPxsmMcrm6YJ6hMhs=",
+      "hash_darwin_aarch64": "sha256-3Qdj44cZD4wQTzkBx47ZCfqHE2HckkLuqYKpJxxfESk="
     },
     "deps": {
       "depot_tools": {
@@ -19,8 +19,8 @@
     "DEPS": {
       "src": {
         "url": "https://chromium.googlesource.com/chromium/src.git",
-        "rev": "3d81e41b6f3ac8bcae63b32e8145c9eb0cd60a2d",
-        "hash": "sha256-fREToEHVbTD0IVGx/sn7csSju4BYajWZ+LDCiKWV4cI=",
+        "rev": "3b014839fbc4fb688b2f5af512d6ce312ad208b1",
+        "hash": "sha256-ypzu3LveMFcOFm7+JlaERjzs3SK/n9+sfm5wOKB8/zw=",
         "recompress": true
       },
       "src/third_party/clang-format/script": {
@@ -120,8 +120,8 @@
       },
       "src/third_party/dawn": {
         "url": "https://dawn.googlesource.com/dawn.git",
-        "rev": "7e742cac42c29a14ab7f54b134b2f17592711267",
-        "hash": "sha256-K2gwKNwonzCIu4hnlYuOaYyKaRV11hwDzF4oykiKsl0="
+        "rev": "740d2502dbbd719a76c5a8d3fb4dac1b5363f42e",
+        "hash": "sha256-R41YVv4uWCU6SsACXPRppeCDguTs+/NVJckvMGGTgJE="
       },
       "src/third_party/dawn/third_party/glfw": {
         "url": "https://chromium.googlesource.com/external/github.com/glfw/glfw",
@@ -600,8 +600,8 @@
       },
       "src/third_party/skia": {
         "url": "https://skia.googlesource.com/skia.git",
-        "rev": "94631d9b9a10697325589e1642af63a0137cac94",
-        "hash": "sha256-SKKLOxjimQWt8W+Q3wlCJaUC/lxw6EIZDFBuVQKmnVY="
+        "rev": "f14f6b1ab7cf544c0190074488d17821281cfa4d",
+        "hash": "sha256-0p57otDuIShl6MngYs22XA1QYxptDVa3vCwJsH59H34="
       },
       "src/third_party/smhasher/src": {
         "url": "https://chromium.googlesource.com/external/smhasher.git",
@@ -725,8 +725,8 @@
       },
       "src/third_party/webrtc": {
         "url": "https://webrtc.googlesource.com/src.git",
-        "rev": "8445abdf8069cadcbd134369b70d0ebd436ef477",
-        "hash": "sha256-EitEjXNtm0gB9wtAwIYHBHkU7paHg5zvsTz171hRmK4="
+        "rev": "79aff54b0fa9238ce3518dd9eaf9610cd6f22e82",
+        "hash": "sha256-xkMnUduSG88EWiwq6PITN0KgAKjFd4QOis3dgxedK30="
       },
       "src/third_party/wuffs/src": {
         "url": "https://skia.googlesource.com/external/github.com/google/wuffs-mirror-release-c.git",
@@ -760,8 +760,8 @@
       },
       "src/v8": {
         "url": "https://chromium.googlesource.com/v8/v8.git",
-        "rev": "bd2671b973062afc614b852ec190524b80aaef8a",
-        "hash": "sha256-uq0CE7Chqzy2d+iifC3hV9RTnDVinpwjl1pOzyNGbSo="
+        "rev": "e38771cb283b9689683c5ac0b5831dd89f8ec690",
+        "hash": "sha256-csSDnepYxil0R3PD/LVxW7JBcasOKG4l6q6vj8zHV/I="
       }
     }
   },

diff --git a/pkgs/by-name/au/authentik/package.nix b/pkgs/by-name/au/authentik/package.nix
@@ -30,6 +30,12 @@ let
     license = licenses.mit;
     platforms = platforms.linux;
     maintainers = with maintainers; [ jvanbruegge risson ];
+    knownVulnerabilities = [
+      "CVE-2024-52307"
+      "CVE-2024-52287"
+      "CVE-2024-52289"
+      "Authentik 2024.6.x is end-of-life, consider using https://github.com/nix-community/authentik-nix for an up-to-date alternative"
+    ];
   };
 
   website = buildNpmPackage {