Project import generated by Copybara.

GitOrigin-RevId: ff377a78794d412a35245e05428c8f95fef3951f

third_party/nixpkgs/.github/workflows/update-terraform-providers.yml

@@ -0,0 +1,47 @@
+name: "Update terraform-providers"
+
+on:
+  schedule:
+    - cron: "14 3 * * 1"
+  workflow_dispatch:
+
+jobs:
+  tf-providers:
+    if: github.repository_owner == 'NixOS' && github.ref == 'refs/heads/master' # ensure workflow_dispatch only runs on master
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: cachix/install-nix-action@v16
+      - name: setup
+        id: setup
+        run: |
+          echo ::set-output name=title::"terraform-providers: update $(date -u +"%Y-%m-%d")"
+      - name: update terraform-providers
+        run: |
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git config user.name "github-actions[bot]"
+          pushd pkgs/applications/networking/cluster/terraform-providers
+          ./update-all-providers
+          git commit -m "${{ steps.setup.outputs.title }}" providers.json
+          popd
+      - name: create PR
+        uses: peter-evans/create-pull-request@v3
+        with:
+          body: |
+            Automatic update of terraform providers.
+
+            Created by [update-terraform-providers](https://github.com/NixOS/nixpkgs/blob/master/.github/workflows/update-terraform-providers.yml) action.
+
+            Check that all providers build with `@ofborg build terraform-full`
+          branch: terraform-providers-update
+          delete-branch: false
+          labels: "2.status: work-in-progress"
+          title: ${{ steps.setup.outputs.title }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: comment on failure
+        uses: peter-evans/create-or-update-comment@v1
+        if: ${{ failure() }}
+        with:
+          issue-number: 153416
+          body: |
+            Automatic update of terraform providers [failed](https://github.com/NixOS/nixpkgs/actions/runs/${{ github.run_id }}).

third_party/nixpkgs/doc/builders/fetchers.chapter.md

@@ -82,4 +82,11 @@ This is used with repo.or.cz repositories. The arguments expected are very simil
 
 ## `fetchFromSourcehut` {#fetchfromsourcehut}
 
-This is used with sourcehut repositories. The arguments expected are very similar to fetchFromGitHub above. Don't forget the tilde (~) in front of the user name!
+This is used with sourcehut repositories. Similar to `fetchFromGitHub` above,
+it expects `owner`, `repo`, `rev` and `sha256`, but don't forget the tilde (~)
+in front of the username! Expected arguments also include `vc` ("git" (default)
+or "hg"), `domain` and `fetchSubmodules`.
+
+If `fetchSubmodules` is `true`, `fetchFromSourcehut` uses `fetchgit`
+or `fetchhg` with `fetchSubmodules` or `fetchSubrepos` set to `true`,
+respectively. Otherwise the fetcher uses `fetchzip`.

third_party/nixpkgs/doc/languages-frameworks/beam.section.md

@@ -74,7 +74,7 @@ there are 3 steps, frontend dependencies (javascript), backend dependencies (eli
 
 ##### mixRelease - Frontend dependencies (javascript) {#mix-release-javascript-deps}
 
-for phoenix projects, inside of nixpkgs you can either use yarn2nix (mkYarnModule) or node2nix. An example with yarn2nix can be found [here](https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/web-apps/plausible/default.nix#L39). An example with node2nix will follow. To package something outside of nixpkgs, you have alternatives like [npmlock2nix](https://github.com/nix-community/npmlock2nix) or [nix-npm-buildpackage](https://github.com/serokell/nix-npm-buildpackage)
+For phoenix projects, inside of nixpkgs you can either use yarn2nix (mkYarnModule) or node2nix. An example with yarn2nix can be found [here](https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/web-apps/plausible/default.nix#L39). An example with node2nix will follow. To package something outside of nixpkgs, you have alternatives like [npmlock2nix](https://github.com/nix-community/npmlock2nix) or [nix-npm-buildpackage](https://github.com/serokell/nix-npm-buildpackage)
 
 ##### mixRelease - backend dependencies (mix) {#mix-release-mix-deps}
 
@@ -82,13 +82,13 @@ There are 2 ways to package backend dependencies. With mix2nix and with a fixed-
 
 ###### mix2nix {#mix2nix}
 
-mix2nix is a cli tool available in nixpkgs. it will generate a nix expression from a mix.lock file. It is quite standard in the 2nix tool series.
+`mix2nix` is a cli tool available in nixpkgs. it will generate a nix expression from a mix.lock file. It is quite standard in the 2nix tool series.
 
 Note that currently mix2nix can't handle git dependencies inside the mix.lock file. If you have git dependencies, you can either add them manually (see [example](https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/pleroma/default.nix#L20)) or use the FOD method.
 
 The advantage of using mix2nix is that nix will know your whole dependency graph. On a dependency update, this won't trigger a full rebuild and download of all the dependencies, where FOD will do so.
 
-practical steps:
+Practical steps:
 
 - run `mix2nix > mix_deps.nix` in the upstream repo.
 - pass `mixNixDeps = with pkgs; import ./mix_deps.nix { inherit lib beamPackages; };` as an argument to mixRelease.
@@ -280,6 +280,30 @@ mkShell {
 }
 ```
 
+### Using an overlay
+
+If you need to use an overlay to change some attributes of a derivation, e.g. if you need a bugfix from a version that is not yet available in nixpkgs, you can override attributes such as `version` (and the corresponding `sha256`) and then use this overlay in your development environment:
+
+#### `shell.nix`
+
+```nix
+let
+  elixir_1_13_1_overlay = (self: super: {
+      elixir_1_13 = super.elixir_1_13.override {
+        version = "1.13.1";
+        sha256 = "0z0b1w2vvw4vsnb99779c2jgn9bgslg7b1pmd9vlbv02nza9qj5p";
+      };
+    });
+  pkgs = import <nixpkgs> { overlays = [ elixir_1_13_1_overlay ]; };
+in
+with pkgs;
+mkShell {
+  buildInputs = [
+    elixir_1_13
+  ];
+}
+```
+
 #### Elixir - Phoenix project {#elixir---phoenix-project}
 
 Here is an example `shell.nix`.

third_party/nixpkgs/doc/languages-frameworks/go.section.md

@@ -12,8 +12,7 @@ The function `buildGoModule` builds Go programs managed with Go modules. It buil
 In the following is an example expression using `buildGoModule`, the following arguments are of special significance to the function:
 
 - `vendorSha256`: is the hash of the output of the intermediate fetcher derivation. `vendorSha256` can also take `null` as an input. When `null` is used as a value, rather than fetching the dependencies and vendoring them, we use the vendoring included within the source repo. If you'd like to not have to update this field on dependency changes, run `go mod vendor` in your source repo and set `vendorSha256 = null;`
-- `runVend`: runs the vend command to generate the vendor directory. This is useful if your code depends on c code and go mod tidy does not include the needed sources to build.
+- `proxyVendor`: Fetches (go mod download) and proxies the vendor directory. This is useful if your code depends on c code and go mod tidy does not include the needed sources to build or if any dependency has case-insensitive conflicts which will produce platform dependant `vendorSha256` checksums.
-- `proxyVendor`: Fetches (go mod download) and proxies the vendor directory. This is useful if any dependency has case-insensitive conflicts which will produce platform dependant `vendorSha256` checksums.
 
 ```nix
 pet = buildGoModule rec {
@@ -34,7 +33,6 @@ pet = buildGoModule rec {
     homepage = "https://github.com/knqyf263/pet";
     license = licenses.mit;
     maintainers = with maintainers; [ kalbasit ];
-    platforms = platforms.linux ++ platforms.darwin;
   };
 }
 ```

third_party/nixpkgs/lib/default.nix

@@ -66,7 +66,8 @@ let
       stringLength sub substring tail trace;
     inherit (self.trivial) id const pipe concat or and bitAnd bitOr bitXor
       bitNot boolToString mergeAttrs flip mapNullable inNixShell isFloat min max
-      importJSON importTOML warn warnIf info showWarnings nixpkgsVersion version
+      importJSON importTOML warn warnIf throwIfNot
+      info showWarnings nixpkgsVersion version
       mod compare splitByAndCompare functionArgs setFunctionArgs isFunction
       toHexString toBaseDigits;
     inherit (self.fixedPoints) fix fix' converge extends composeExtensions

third_party/nixpkgs/lib/options.nix

@@ -177,7 +177,7 @@ rec {
         docOption = rec {
           loc = opt.loc;
           name = showOption opt.loc;
-          description = opt.description or (lib.warn "Option `${name}' has no description." "This option has no description.");
+          description = opt.description or null;
           declarations = filter (x: x != unknownModule) opt.declarations;
           internal = opt.internal or false;
           visible =

third_party/nixpkgs/lib/trivial.nix

@@ -325,6 +325,28 @@ rec {
   */
   warnIf = cond: msg: if cond then warn msg else id;
 
+  /*
+    Like the `assert b; e` expression, but with a custom error message and
+    without the semicolon.
+
+    If true, return the identity function, `r: r`.
+
+    If false, throw the error message.
+
+    Calls can be juxtaposed using function application, as `(r: r) a = a`, so
+    `(r: r) (r: r) a = a`, and so forth.
+
+    Type: bool -> string -> a -> a
+
+    Example:
+
+        throwIfNot (lib.isList overlays) "The overlays argument to nixpkgs must be a list."
+        lib.foldr (x: throwIfNot (lib.isFunction x) "All overlays passed to nixpkgs must be functions.") (r: r) overlays
+        pkgs
+
+  */
+  throwIfNot = cond: msg: if cond then x: x else throw msg;
+
   info = msg: builtins.trace "INFO: ${msg}";
 
   showWarnings = warnings: res: lib.foldr (w: x: warn w x) res warnings;

third_party/nixpkgs/maintainers/maintainer-list.nix

@@ -95,6 +95,12 @@
     githubId = 7414843;
     name = "Nicholas von Klitzing";
   };
+  _13r0ck = {
+    name = "Brock Szuszczewicz";
+    email = "bnr@tuta.io";
+    github = "13r0ck";
+    githubId = 58987761;
+  };
   _3noch = {
     email = "eacameron@gmail.com";
     github = "3noch";
@@ -946,6 +952,12 @@
     githubId = 59696216;
     name = "Arnold Farkas";
   };
+  arnoutkroeze = {
+    email = "nixpkgs@arnoutkroeze.nl";
+    github = "arnoutkroeze";
+    githubId = 37151054;
+    name = "Arnout Kroeze";
+  };
   arobyn = {
     email = "shados@shados.net";
     github = "shados";
@@ -2663,6 +2675,12 @@
     email = "christoph.senjak@googlemail.com";
     name = "Christoph-Simon Senjak";
   };
+  datafoo = {
+    email = "34766150+datafoo@users.noreply.github.com";
+    github = "datafoo";
+    githubId = 34766150;
+    name = "datafoo";
+  };
   davhau = {
     email = "d.hauer.it@gmail.com";
     name = "David Hauer";
@@ -2800,6 +2818,12 @@
     email = "d4delta@outlook.fr";
     name = "Delta";
   };
+  deltadelta = {
+    email = "contact@libellules.eu";
+    name = "Dara Ly";
+    github = "tournemire";
+    githubId = 20159432;
+  };
   deltaevo = {
     email = "deltaduartedavid@gmail.com";
     github = "DeltaEvo";
@@ -3314,12 +3338,6 @@
     github = "edlimerkaj";
     githubId = 71988351;
   };
-  edibopp = {
-    email = "eduard.bopp@aepsil0n.de";
-    github = "edibopp";
-    githubId = 3098430;
-    name = "Eduard Bopp";
-  };
   emantor = {
     email = "rouven+nixos@czerwinskis.de";
     github = "emantor";
@@ -4760,6 +4778,12 @@
     github = "higebu";
     githubId = 733288;
   };
+  hiljusti = {
+    name = "J.R. Hill";
+    email = "hiljusti@so.dang.cool";
+    github = "hiljusti";
+    githubId = 17605298;
+  };
   hinton = {
     email = "t@larkery.com";
     name = "Tom Hinton";
@@ -7809,6 +7833,12 @@
     githubId = 38543128;
     name = "Miles Breslin";
   };
+  milibopp = {
+    email = "contact@ebopp.de";
+    github = "milibopp";
+    githubId = 3098430;
+    name = "Emilia Bopp";
+  };
   millerjason = {
     email = "mailings-github@millerjason.com";
     github = "millerjason";
@@ -8202,6 +8232,12 @@
     githubId = 4996739;
     name = "Masayuki Takeda";
   };
+  mtesseract = {
+    email = "moritz@stackrox.com";
+    github = "mtesseract";
+    githubId = 11706080;
+    name = "Moritz Clasmeier";
+  };
   MtP = {
     email = "marko.nixos@poikonen.de";
     github = "MtP76";
@@ -11599,6 +11635,12 @@
     githubId = 2389333;
     name = "Andy Tockman";
   };
+  techknowlogick = {
+    email = "techknowlogick@gitea.io";
+    github = "techknowlogick";
+    githubId = 164197;
+    name = "techknowlogick";
+  };
   Technical27 = {
     email = "38222826+Technical27@users.noreply.github.com";
     github = "Technical27";
@@ -12653,6 +12695,12 @@
     email = "tim.williams.public@gmail.com";
     name = "Tim Philip Williams";
   };
+  willcohen = {
+    email = "willcohen@users.noreply.github.com";
+    github = "willcohen";
+    githubId = 5185341;
+    name = "Will Cohen";
+  };
   winden = {
     email = "windenntw@gmail.com";
     name = "Antonio Vargas Gonzalez";

third_party/nixpkgs/nixos/doc/manual/default.nix

@@ -1,4 +1,13 @@
-{ pkgs, options, config, version, revision, extraSources ? [] }:
+{ pkgs
+, options
+, config
+, version
+, revision
+, extraSources ? []
+, baseOptionsJSON ? null
+, warningsAreErrors ? true
+, prefix ? ../../..
+}:
 
 with pkgs;
 
@@ -11,11 +20,11 @@ let
   #
   # E.g. if some `options` came from modules in ${pkgs.customModules}/nix,
   # you'd need to include `extraSources = [ pkgs.customModules ]`
-  prefixesToStrip = map (p: "${toString p}/") ([ ../../.. ] ++ extraSources);
+  prefixesToStrip = map (p: "${toString p}/") ([ prefix ] ++ extraSources);
   stripAnyPrefixes = lib.flip (lib.foldr lib.removePrefix) prefixesToStrip;
 
   optionsDoc = buildPackages.nixosOptionsDoc {
-    inherit options revision;
+    inherit options revision baseOptionsJSON warningsAreErrors;
     transformOptions = opt: opt // {
       # Clean up declaration sites to not refer to the NixOS source tree.
       declarations = map stripAnyPrefixes opt.declarations;
@@ -161,7 +170,7 @@ let
 in rec {
   inherit generatedSources;
 
-  inherit (optionsDoc) optionsJSON optionsDocBook;
+  inherit (optionsDoc) optionsJSON optionsNix optionsDocBook;
 
   # Generate the NixOS manual.
   manualHTML = runCommand "nixos-manual-html"

third_party/nixpkgs/nixos/doc/manual/development/meta-attributes.section.md

@@ -5,7 +5,7 @@ extra information. Module meta attributes are defined in the `meta.nix`
 special module.
 
 `meta` is a top level attribute like `options` and `config`. Available
-meta-attributes are `maintainers` and `doc`.
+meta-attributes are `maintainers`, `doc`, and `buildDocsInSandbox`.
 
 Each of the meta-attributes must be defined at most once per module
 file.
@@ -24,6 +24,7 @@ file.
   meta = {
     maintainers = with lib.maintainers; [ ericsagnes ];
     doc = ./default.xml;
+    buildDocsInSandbox = true;
   };
 }
 ```
@@ -38,3 +39,28 @@ file.
     ```ShellSession
     $ nix-build nixos/release.nix -A manual.x86_64-linux
     ```
+
+-  `buildDocsInSandbox` indicates whether the option documentation for the
+   module can be built in a derivation sandbox. This option is currently only
+   honored for modules shipped by nixpkgs. User modules and modules taken from
+   `NIXOS_EXTRA_MODULE_PATH` are always built outside of the sandbox, as has
+   been the case in previous releases.
+
+   Building NixOS option documentation in a sandbox allows caching of the built
+   documentation, which greatly decreases the amount of time needed to evaluate
+   a system configuration that has NixOS documentation enabled. The sandbox also
+   restricts which attributes may be referenced by documentation attributes
+   (such as option descriptions) to the `options` and `lib` module arguments and
+   the `pkgs.formats` attribute of the `pkgs` argument, `config` and the rest of
+   `pkgs` are disallowed and will cause doc build failures when used. This
+   restriction is necessary because we cannot reproduce the full nixpkgs
+   instantiation with configuration and overlays from a system configuration
+   inside the sandbox. The `options` argument only includes options of modules
+   that are also built inside the sandbox, referencing an option of a module
+   that isn't built in the sandbox is also forbidden.
+
+   The default is `true` and should usually not be changed; set it to `false`
+   only if the module requires access to `pkgs` in its documentation (e.g.
+   because it loads information from a linked package to build an option type)
+   or if its documentation depends on other modules that also aren't sandboxed
+   (e.g. by using types defined in the other module).

third_party/nixpkgs/nixos/doc/manual/from_md/development/meta-attributes.section.xml

@@ -8,8 +8,8 @@
   <para>
     <literal>meta</literal> is a top level attribute like
     <literal>options</literal> and <literal>config</literal>. Available
-    meta-attributes are <literal>maintainers</literal> and
+    meta-attributes are <literal>maintainers</literal>,
-    <literal>doc</literal>.
+    <literal>doc</literal>, and <literal>buildDocsInSandbox</literal>.
   </para>
   <para>
     Each of the meta-attributes must be defined at most once per module
@@ -29,6 +29,7 @@
   meta = {
     maintainers = with lib.maintainers; [ ericsagnes ];
     doc = ./default.xml;
+    buildDocsInSandbox = true;
   };
 }
 </programlisting>
@@ -51,5 +52,44 @@
 $ nix-build nixos/release.nix -A manual.x86_64-linux
 </programlisting>
     </listitem>
+    <listitem>
+      <para>
+        <literal>buildDocsInSandbox</literal> indicates whether the
+        option documentation for the module can be built in a derivation
+        sandbox. This option is currently only honored for modules
+        shipped by nixpkgs. User modules and modules taken from
+        <literal>NIXOS_EXTRA_MODULE_PATH</literal> are always built
+        outside of the sandbox, as has been the case in previous
+        releases.
+      </para>
+      <para>
+        Building NixOS option documentation in a sandbox allows caching
+        of the built documentation, which greatly decreases the amount
+        of time needed to evaluate a system configuration that has NixOS
+        documentation enabled. The sandbox also restricts which
+        attributes may be referenced by documentation attributes (such
+        as option descriptions) to the <literal>options</literal> and
+        <literal>lib</literal> module arguments and the
+        <literal>pkgs.formats</literal> attribute of the
+        <literal>pkgs</literal> argument, <literal>config</literal> and
+        the rest of <literal>pkgs</literal> are disallowed and will
+        cause doc build failures when used. This restriction is
+        necessary because we cannot reproduce the full nixpkgs
+        instantiation with configuration and overlays from a system
+        configuration inside the sandbox. The <literal>options</literal>
+        argument only includes options of modules that are also built
+        inside the sandbox, referencing an option of a module that isn’t
+        built in the sandbox is also forbidden.
+      </para>
+      <para>
+        The default is <literal>true</literal> and should usually not be
+        changed; set it to <literal>false</literal> only if the module
+        requires access to <literal>pkgs</literal> in its documentation
+        (e.g. because it loads information from a linked package to
+        build an option type) or if its documentation depends on other
+        modules that also aren’t sandboxed (e.g. by using types defined
+        in the other module).
+      </para>
+    </listitem>
   </itemizedlist>
 </section>

third_party/nixpkgs/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml

@@ -325,6 +325,15 @@
           files.
         </para>
       </listitem>
+      <listitem>
+        <para>
+          <literal>fetchFromSourcehut</literal> now allows fetching
+          repositories recursively using <literal>fetchgit</literal> or
+          <literal>fetchhg</literal> if the argument
+          <literal>fetchSubmodules</literal> is set to
+          <literal>true</literal>.
+        </para>
+      </listitem>
     </itemizedlist>
   </section>
 </section>

third_party/nixpkgs/nixos/doc/manual/release-notes/rl-2205.section.md

@@ -120,3 +120,7 @@ In addition to numerous new and upgraded packages, this release has the followin
 - The `services.stubby` module was converted to a [settings-style](https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md) configuration.
 
 - The option `services.duplicati.dataDir` has been added to allow changing the location of duplicati's files.
+
+- `fetchFromSourcehut` now allows fetching repositories recursively
+  using `fetchgit` or `fetchhg` if the argument `fetchSubmodules`
+  is set to `true`.

third_party/nixpkgs/nixos/lib/eval-cacheable-options.nix

@@ -0,0 +1,53 @@
+{ libPath
+, pkgsLibPath
+, nixosPath
+, modules
+, stateVersion
+, release
+}:
+
+let
+  lib = import libPath;
+  modulesPath = "${nixosPath}/modules";
+  # dummy pkgs set that contains no packages, only `pkgs.lib` from the full set.
+  # not having `pkgs.lib` causes all users of `pkgs.formats` to fail.
+  pkgs = import pkgsLibPath {
+    inherit lib;
+    pkgs = null;
+  };
+  utils = import "${nixosPath}/lib/utils.nix" {
+    inherit config lib;
+    pkgs = null;
+  };
+  # this is used both as a module and as specialArgs.
+  # as a module it sets the _module special values, as specialArgs it makes `config`
+  # unusable. this causes documentation attributes depending on `config` to fail.
+  config = {
+    _module.check = false;
+    _module.args = {};
+    system.stateVersion = stateVersion;
+  };
+  eval = lib.evalModules {
+    modules = (map (m: "${modulesPath}/${m}") modules) ++ [
+      config
+    ];
+    specialArgs = {
+      inherit config pkgs utils;
+    };
+  };
+  docs = import "${nixosPath}/doc/manual" {
+    pkgs = pkgs // {
+      inherit lib;
+      # duplicate of the declaration in all-packages.nix
+      buildPackages.nixosOptionsDoc = attrs:
+        (import "${nixosPath}/lib/make-options-doc")
+          ({ inherit pkgs lib; } // attrs);
+    };
+    config = config.config;
+    options = eval.options;
+    version = release;
+    revision = "release-${release}";
+    prefix = modulesPath;
+  };
+in
+  docs.optionsNix

third_party/nixpkgs/nixos/lib/make-options-doc/default.nix

@@ -21,6 +21,13 @@
 , options
 , transformOptions ? lib.id  # function for additional tranformations of the options
 , revision ? "" # Specify revision for the options
+# a set of options the docs we are generating will be merged into, as if by recursiveUpdate.
+# used to split the options doc build into a static part (nixos/modules) and a dynamic part
+# (non-nixos modules imported via configuration.nix, other module sources).
+, baseOptionsJSON ? null
+# instead of printing warnings for eg options with missing descriptions (which may be lost
+# by nix build unless -L is given), emit errors instead and fail the build
+, warningsAreErrors ? true
 }:
 
 let
@@ -51,10 +58,15 @@ let
   # ../../../lib/options.nix influences.
   #
   # Each element of `relatedPackages` can be either
-  # - a string:  that will be interpreted as an attribute name from `pkgs`,
+  # - a string:  that will be interpreted as an attribute name from `pkgs` and turned into a link
-  # - a list:    that will be interpreted as an attribute path from `pkgs`,
+  #              to search.nixos.org,
-  # - an attrset: that can specify `name`, `path`, `package`, `comment`
+  # - a list:    that will be interpreted as an attribute path from `pkgs` and turned into a link
+  #              to search.nixos.org,
+  # - an attrset: that can specify `name`, `path`, `comment`
   #   (either of `name`, `path` is required, the rest are optional).
+  #
+  # NOTE: No checks against `pkgs` are made to ensure that the referenced package actually exists.
+  # Such checks are not compatible with option docs caching.
   genRelatedPackages = packages: optName:
     let
       unpack = p: if lib.isString p then { name = p; }
@@ -64,16 +76,16 @@ let
         let
           title = args.title or null;
           name = args.name or (lib.concatStringsSep "." args.path);
-          path = args.path or [ args.name ];
+        in ''
-          package = args.package or (lib.attrByPath path (throw "Invalid package attribute path `${toString path}' found while evaluating `relatedPackages' of option `${optName}'") pkgs);
+          <listitem>
-        in "<listitem>"
+            <para>
-        + "<para><literal>${lib.optionalString (title != null) "${title} aka "}pkgs.${name} (${package.meta.name})</literal>"
+              <link xlink:href="https://search.nixos.org/packages?show=${name}&amp;sort=relevance&amp;query=${name}">
-        + lib.optionalString (!package.meta.available) " <emphasis>[UNAVAILABLE]</emphasis>"
+                <literal>${lib.optionalString (title != null) "${title} aka "}pkgs.${name}</literal>
-        + ": ${package.meta.description or "???"}.</para>"
+              </link>
-        + lib.optionalString (args ? comment) "\n<para>${args.comment}</para>"
+            </para>
-        # Lots of `longDescription's break DocBook, so we just wrap them into <programlisting>
+            ${lib.optionalString (args ? comment) "<para>${args.comment}</para>"}
-        + lib.optionalString (package.meta ? longDescription) "\n<programlisting>${package.meta.longDescription}</programlisting>"
+          </listitem>
-        + "</listitem>";
+        '';
     in "<itemizedlist>${lib.concatStringsSep "\n" (map (p: describe (unpack p)) packages)}</itemizedlist>";
 
   # Remove invisible and internal options.
@@ -99,13 +111,24 @@ in rec {
   optionsJSON = pkgs.runCommand "options.json"
     { meta.description = "List of NixOS options in JSON format";
       buildInputs = [ pkgs.brotli ];
+      options = builtins.toFile "options.json"
+        (builtins.unsafeDiscardStringContext (builtins.toJSON optionsNix));
     }
     ''
       # Export list of options in different format.
       dst=$out/share/doc/nixos
       mkdir -p $dst
 
-      cp ${builtins.toFile "options.json" (builtins.unsafeDiscardStringContext (builtins.toJSON optionsNix))} $dst/options.json
+      ${
+        if baseOptionsJSON == null
+          then "cp $options $dst/options.json"
+          else ''
+            ${pkgs.python3Minimal}/bin/python ${./mergeJSON.py} \
+              ${lib.optionalString warningsAreErrors "--warnings-are-errors"} \
+              ${baseOptionsJSON} $options \
+              > $dst/options.json
+          ''
+      }
 
       brotli -9 < $dst/options.json > $dst/options.json.br
 

third_party/nixpkgs/nixos/lib/make-options-doc/mergeJSON.py

@@ -0,0 +1,86 @@
+import collections
+import json
+import sys
+from typing import Any, Dict, List
+
+JSON = Dict[str, Any]
+
+class Key:
+    def __init__(self, path: List[str]):
+        self.path = path
+    def __hash__(self):
+        result = 0
+        for id in self.path:
+            result ^= hash(id)
+        return result
+    def __eq__(self, other):
+        return type(self) is type(other) and self.path == other.path
+
+Option = collections.namedtuple('Option', ['name', 'value'])
+
+# pivot a dict of options keyed by their display name to a dict keyed by their path
+def pivot(options: Dict[str, JSON]) -> Dict[Key, Option]:
+    result: Dict[Key, Option] = dict()
+    for (name, opt) in options.items():
+        result[Key(opt['loc'])] = Option(name, opt)
+    return result
+
+# pivot back to indexed-by-full-name
+# like the docbook build we'll just fail if multiple options with differing locs
+# render to the same option name.
+def unpivot(options: Dict[Key, Option]) -> Dict[str, JSON]:
+    result: Dict[str, Dict] = dict()
+    for (key, opt) in options.items():
+        if opt.name in result:
+            raise RuntimeError(
+                'multiple options with colliding ids found',
+                opt.name,
+                result[opt.name]['loc'],
+                opt.value['loc'],
+            )
+        result[opt.name] = opt.value
+    return result
+
+warningsAreErrors = sys.argv[1] == "--warnings-are-errors"
+optOffset = 1 if warningsAreErrors else 0
+options = pivot(json.load(open(sys.argv[1 + optOffset], 'r')))
+overrides = pivot(json.load(open(sys.argv[2 + optOffset], 'r')))
+
+# fix up declaration paths in lazy options, since we don't eval them from a full nixpkgs dir
+for (k, v) in options.items():
+    v.value['declarations'] = list(map(lambda s: f'nixos/modules/{s}', v.value['declarations']))
+
+# merge both descriptions
+for (k, v) in overrides.items():
+    cur = options.setdefault(k, v).value
+    for (ok, ov) in v.value.items():
+        if ok == 'declarations':
+            decls = cur[ok]
+            for d in ov:
+                if d not in decls:
+                    decls += [d]
+        elif ok == "type":
+            # ignore types of placeholder options
+            if ov != "_unspecified" or cur[ok] == "_unspecified":
+                cur[ok] = ov
+        elif ov is not None or cur.get(ok, None) is None:
+            cur[ok] = ov
+
+# check that every option has a description
+hasWarnings = False
+for (k, v) in options.items():
+    if v.value.get('description', None) is None:
+        severity = "error" if warningsAreErrors else "warning"
+        hasWarnings = True
+        print(f"\x1b[1;31m{severity}: option {v.name} has no description\x1b[0m", file=sys.stderr)
+        v.value['description'] = "This option has no description."
+if hasWarnings and warningsAreErrors:
+    print(
+        "\x1b[1;31m" +
+        "Treating warnings as errors. Set documentation.nixos.options.warningsAreErrors " +
+        "to false to ignore these warnings." +
+        "\x1b[0m",
+        file=sys.stderr)
+    sys.exit(1)
+
+json.dump(unpivot(options), fp=sys.stdout)

third_party/nixpkgs/nixos/modules/hardware/onlykey/onlykey.udev

@@ -14,5 +14,5 @@ KERNEL=="ttyACM*", ATTRS{idVendor}=="1d50", ATTRS{idProduct}=="60fc", MODE:="066
 #
 ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", ENV{ID_MM_DEVICE_IGNORE}="1"
 ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789A]?", ENV{MTP_NO_PROBE}="1"
-SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", GROUP+="plugdev"
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789ABCD]?", GROUP="plugdev"
-KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", GROUP+="plugdev"
+KERNEL=="ttyACM*", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="04[789B]?", GROUP="plugdev"

third_party/nixpkgs/nixos/modules/i18n/input-method/fcitx.nix

@@ -40,4 +40,7 @@ in
     };
     services.xserver.displayManager.sessionCommands = "${fcitxPackage}/bin/fcitx";
   };
+
+  # uses attributes of the linked package
+  meta.buildDocsInSandbox = false;
 }

third_party/nixpkgs/nixos/modules/i18n/input-method/ibus.nix

@@ -80,4 +80,7 @@ in
       ibusPackage
     ];
   };
+
+  # uses attributes of the linked package
+  meta.buildDocsInSandbox = false;
 }

third_party/nixpkgs/nixos/modules/i18n/input-method/kime.nix

@@ -45,5 +45,7 @@ in
 
     environment.etc."xdg/kime/config.yaml".text = replaceStrings [ "\\\\" ] [ "\\" ] (builtins.toJSON cfg.config);
   };
-}
 
+  # uses attributes of the linked package
+  meta.buildDocsInSandbox = false;
+}

third_party/nixpkgs/nixos/modules/installer/tools/nixos-install.sh

@@ -143,6 +143,23 @@ export TMPDIR=${TMPDIR:-$tmpdir}
 
 sub="auto?trusted=1"
 
+# Copy the NixOS/Nixpkgs sources to the target as the initial contents
+# of the NixOS channel.
+if [[ -z $noChannelCopy ]]; then
+    if [[ -z $channelPath ]]; then
+        channelPath="$(nix-env -p /nix/var/nix/profiles/per-user/root/channels -q nixos --no-name --out-path 2>/dev/null || echo -n "")"
+    fi
+    if [[ -n $channelPath ]]; then
+        echo "copying channel..."
+        mkdir -p "$mountPoint"/nix/var/nix/profiles/per-user/root
+        nix-env --store "$mountPoint" "${extraBuildFlags[@]}" --extra-substituters "$sub" \
+                -p "$mountPoint"/nix/var/nix/profiles/per-user/root/channels --set "$channelPath" --quiet \
+                "${verbosity[@]}"
+        install -m 0700 -d "$mountPoint"/root/.nix-defexpr
+        ln -sfn /nix/var/nix/profiles/per-user/root/channels "$mountPoint"/root/.nix-defexpr/channels
+    fi
+fi
+
 # Build the system configuration in the target filesystem.
 if [[ -z $system ]]; then
     outLink="$tmpdir/system"
@@ -167,23 +184,6 @@ nix-env --store "$mountPoint" "${extraBuildFlags[@]}" \
         --extra-substituters "$sub" \
         -p "$mountPoint"/nix/var/nix/profiles/system --set "$system" "${verbosity[@]}"
 
-# Copy the NixOS/Nixpkgs sources to the target as the initial contents
-# of the NixOS channel.
-if [[ -z $noChannelCopy ]]; then
-    if [[ -z $channelPath ]]; then
-        channelPath="$(nix-env -p /nix/var/nix/profiles/per-user/root/channels -q nixos --no-name --out-path 2>/dev/null || echo -n "")"
-    fi
-    if [[ -n $channelPath ]]; then
-        echo "copying channel..."
-        mkdir -p "$mountPoint"/nix/var/nix/profiles/per-user/root
-        nix-env --store "$mountPoint" "${extraBuildFlags[@]}" --extra-substituters "$sub" \
-                -p "$mountPoint"/nix/var/nix/profiles/per-user/root/channels --set "$channelPath" --quiet \
-                "${verbosity[@]}"
-        install -m 0700 -d "$mountPoint"/root/.nix-defexpr
-        ln -sfn /nix/var/nix/profiles/per-user/root/channels "$mountPoint"/root/.nix-defexpr/channels
-    fi
-fi
-
 # Mark the target as a NixOS installation, otherwise switch-to-configuration will chicken out.
 mkdir -m 0755 -p "$mountPoint/etc"
 touch "$mountPoint/etc/NIXOS"

third_party/nixpkgs/nixos/modules/misc/documentation.nix

@@ -1,19 +1,35 @@
-{ config, lib, pkgs, extendModules, noUserModules, ... }:
+{ config, options, lib, pkgs, utils, modules, baseModules, extraModules, modulesPath, ... }:
 
 with lib;
 
 let
 
   cfg = config.documentation;
+  allOpts = options;
 
   /* Modules for which to show options even when not imported. */
   extraDocModules = [ ../virtualisation/qemu-vm.nix ];
 
-  /* For the purpose of generating docs, evaluate options with each derivation
+  canCacheDocs = m:
-    in `pkgs` (recursively) replaced by a fake with path "\${pkgs.attribute.path}".
+    let
-    It isn't perfect, but it seems to cover a vast majority of use cases.
+      f = import m;
-    Caveat: even if the package is reached by a different means,
+      instance = f (mapAttrs (n: _: abort "evaluating ${n} for `meta` failed") (functionArgs f));
-    the path above will be shown and not e.g. `${config.services.foo.package}`. */
+    in
+      cfg.nixos.options.splitBuild
+        && builtins.isPath m
+        && isFunction f
+        && instance ? options
+        && instance.meta.buildDocsInSandbox or true;
+
+  docModules =
+    let
+      p = partition canCacheDocs (baseModules ++ extraDocModules);
+    in
+      {
+        lazy = p.right;
+        eager = p.wrong ++ optionals cfg.nixos.includeAllModules (extraModules ++ modules);
+      };
+
   manual = import ../../doc/manual rec {
     inherit pkgs config;
     version = config.system.nixos.release;
@@ -21,10 +37,17 @@ let
     extraSources = cfg.nixos.extraModuleSources;
     options =
       let
-        extendNixOS = if cfg.nixos.includeAllModules then extendModules else noUserModules.extendModules;
+        scrubbedEval = evalModules {
-        scrubbedEval = extendNixOS {
+          modules = [ {
-          modules = extraDocModules;
+            _module.check = false;
-          specialArgs.pkgs = scrubDerivations "pkgs" pkgs;
+          } ] ++ docModules.eager;
+          specialArgs = {
+            pkgs = scrubDerivations "pkgs" pkgs;
+            # allow access to arbitrary options for eager modules, eg for getting
+            # option types from lazy modules
+            options = allOpts;
+            inherit modulesPath utils;
+          };
         };
         scrubDerivations = namePrefix: pkgSet: mapAttrs
           (name: value:
@@ -36,6 +59,49 @@ let
           )
           pkgSet;
       in scrubbedEval.options;
+    baseOptionsJSON =
+      let
+        filter =
+          builtins.filterSource
+            (n: t:
+              (t == "directory" -> baseNameOf n != "tests")
+              && (t == "file" -> hasSuffix ".nix" n)
+            );
+      in
+        pkgs.runCommand "lazy-options.json" {
+          libPath = filter "${toString pkgs.path}/lib";
+          pkgsLibPath = filter "${toString pkgs.path}/pkgs/pkgs-lib";
+          nixosPath = filter "${toString pkgs.path}/nixos";
+          modules = map (p: ''"${removePrefix "${modulesPath}/" (toString p)}"'') docModules.lazy;
+        } ''
+          export NIX_STORE_DIR=$TMPDIR/store
+          export NIX_STATE_DIR=$TMPDIR/state
+          ${pkgs.nix}/bin/nix-instantiate \
+            --show-trace \
+            --eval --json --strict \
+            --argstr libPath "$libPath" \
+            --argstr pkgsLibPath "$pkgsLibPath" \
+            --argstr nixosPath "$nixosPath" \
+            --arg modules "[ $modules ]" \
+            --argstr stateVersion "${options.system.stateVersion.default}" \
+            --argstr release "${config.system.nixos.release}" \
+            $nixosPath/lib/eval-cacheable-options.nix > $out \
+            || {
+              echo -en "\e[1;31m"
+              echo 'Cacheable portion of option doc build failed.'
+              echo 'Usually this means that an option attribute that ends up in documentation (eg' \
+                '`default` or `description`) depends on the restricted module arguments' \
+                '`config` or `pkgs`.'
+              echo
+              echo 'Rebuild your configuration with `--show-trace` to find the offending' \
+                'location. Remove the references to restricted arguments (eg by escaping' \
+                'their antiquotations or adding a `defaultText`) or disable the sandboxed' \
+                'build for the failing module by setting `meta.buildDocsInSandbox = false`.'
+              echo -en "\e[0m"
+              exit 1
+            } >&2
+        '';
+    inherit (cfg.nixos.options) warningsAreErrors;
   };
 
 
@@ -178,6 +244,25 @@ in
         '';
       };
 
+      nixos.options.splitBuild = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Whether to split the option docs build into a cacheable and an uncacheable part.
+          Splitting the build can substantially decrease the amount of time needed to build
+          the manual, but some user modules may be incompatible with this splitting.
+        '';
+      };
+
+      nixos.options.warningsAreErrors = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Treat warning emitted during the option documentation build (eg for missing option
+          descriptions) as errors.
+        '';
+      };
+
       nixos.includeAllModules = mkOption {
         type = types.bool;
         default = false;

third_party/nixpkgs/nixos/modules/misc/ids.nix

@@ -352,6 +352,7 @@ in
       moonraker = 320;
       distcc = 321;
       webdav = 322;
+      pipewire = 323;
 
       # When adding a uid, make sure it doesn't match an existing gid. And don't use uids above 399!
 
@@ -658,6 +659,7 @@ in
       moonraker = 320;
       distcc = 321;
       webdav = 322;
+      pipewire = 323;
 
       # When adding a gid, make sure it doesn't match an existing
       # uid. Users and groups with the same name should have equal

third_party/nixpkgs/nixos/modules/misc/meta.nix

@@ -54,6 +54,21 @@ in
         '';
       };
 
+      buildDocsInSandbox = mkOption {
+        type = types.bool // {
+          merge = loc: defs: defs;
+        };
+        internal = true;
+        default = true;
+        description = ''
+          Whether to include this module in the split options doc build.
+          Disable if the module references `config`, `pkgs` or other module
+          arguments that cannot be evaluated as constants.
+
+          This option should be defined at most once per module.
+        '';
+      };
+
     };
   };
 

third_party/nixpkgs/nixos/modules/misc/nixpkgs.nix

@@ -248,4 +248,7 @@ in
       )
     ];
   };
+
+  # needs a full nixpkgs path to import nixpkgs
+  meta.buildDocsInSandbox = false;
 }

third_party/nixpkgs/nixos/modules/misc/version.nix

@@ -119,4 +119,6 @@ in
 
   };
 
+  # uses version info nixpkgs, which requires a full nixpkgs path
+  meta.buildDocsInSandbox = false;
 }

third_party/nixpkgs/nixos/modules/programs/gnupg.nix

@@ -149,4 +149,6 @@ in
     ];
   };
 
+  # uses attributes of the linked package
+  meta.buildDocsInSandbox = false;
 }

third_party/nixpkgs/nixos/modules/services/backup/sanoid.nix

@@ -51,7 +51,10 @@ let
   datasetOptions = rec {
     use_template = mkOption {
       description = "Names of the templates to use for this dataset.";
-      type = types.listOf (types.enum (attrNames cfg.templates));
+      type = types.listOf (types.str // {
+        check = (types.enum (attrNames cfg.templates)).check;
+        description = "configured template name";
+      });
       default = [ ];
     };
     useTemplate = use_template;

third_party/nixpkgs/nixos/modules/services/cluster/kubernetes/controller-manager.nix

@@ -6,6 +6,7 @@ let
   top = config.services.kubernetes;
   otop = options.services.kubernetes;
   cfg = top.controllerManager;
+  klib = options.services.kubernetes.lib.default;
 in
 {
   imports = [
@@ -56,7 +57,7 @@ in
       type = int;
     };
 
-    kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes controller manager";
+    kubeconfig = klib.mkKubeConfigOptions "Kubernetes controller manager";
 
     leaderElect = mkOption {
       description = "Whether to start leader election before executing main loop.";
@@ -129,7 +130,7 @@ in
             "--cluster-cidr=${cfg.clusterCidr}"} \
           ${optionalString (cfg.featureGates != [])
             "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \
-          --kubeconfig=${top.lib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig} \
+          --kubeconfig=${klib.mkKubeConfig "kube-controller-manager" cfg.kubeconfig} \
           --leader-elect=${boolToString cfg.leaderElect} \
           ${optionalString (cfg.rootCaFile!=null)
             "--root-ca-file=${cfg.rootCaFile}"} \
@@ -156,7 +157,7 @@ in
       path = top.path;
     };
 
-    services.kubernetes.pki.certs = with top.lib; {
+    services.kubernetes.pki.certs = with klib; {
       controllerManager = mkCert {
         name = "kube-controller-manager";
         CN = "kube-controller-manager";

third_party/nixpkgs/nixos/modules/services/cluster/kubernetes/default.nix

@@ -193,12 +193,17 @@ in {
         inherit mkKubeConfigOptions;
       };
       type = types.attrs;
+      readOnly = true;
+      internal = true;
     };
 
     secretsPath = mkOption {
       description = "Default location for kubernetes secrets. Not a store location.";
       type = types.path;
       default = cfg.dataDir + "/secrets";
+      defaultText = literalExpression ''
+        config.${opt.dataDir} + "/secrets"
+      '';
     };
   };
 

third_party/nixpkgs/nixos/modules/services/cluster/kubernetes/kubelet.nix

@@ -6,6 +6,7 @@ let
   top = config.services.kubernetes;
   otop = options.services.kubernetes;
   cfg = top.kubelet;
+  klib = options.services.kubernetes.lib.default;
 
   cniConfig =
     if cfg.cni.config != [] && cfg.cni.configDir != null then
@@ -27,7 +28,7 @@ let
     config.Cmd = ["/bin/pause"];
   };
 
-  kubeconfig = top.lib.mkKubeConfig "kubelet" cfg.kubeconfig;
+  kubeconfig = klib.mkKubeConfig "kubelet" cfg.kubeconfig;
 
   manifestPath = "kubernetes/manifests";
 
@@ -177,7 +178,7 @@ in
       type = str;
     };
 
-    kubeconfig = top.lib.mkKubeConfigOptions "Kubelet";
+    kubeconfig = klib.mkKubeConfigOptions "Kubelet";
 
     manifests = mkOption {
       description = "List of manifests to bootstrap with kubelet (only pods can be created as manifest entry)";
@@ -358,7 +359,7 @@ in
       services.kubernetes.kubelet.hostname = with config.networking;
         mkDefault (hostName + optionalString (domain != null) ".${domain}");
 
-      services.kubernetes.pki.certs = with top.lib; {
+      services.kubernetes.pki.certs = with klib; {
         kubelet = mkCert {
           name = "kubelet";
           CN = top.kubelet.hostname;

third_party/nixpkgs/nixos/modules/services/cluster/kubernetes/pki.nix

@@ -1,10 +1,11 @@
-{ config, lib, pkgs, ... }:
+{ config, options, lib, pkgs, ... }:
 
 with lib;
 
 let
   top = config.services.kubernetes;
   cfg = top.pki;
+  klib = options.services.kubernetes.lib;
 
   csrCA = pkgs.writeText "kube-pki-cacert-csr.json" (builtins.toJSON {
     key = {
@@ -29,7 +30,7 @@ let
   cfsslAPITokenLength = 32;
 
   clusterAdminKubeconfig = with cfg.certs.clusterAdmin;
-    top.lib.mkKubeConfig "cluster-admin" {
+    klib.mkKubeConfig "cluster-admin" {
         server = top.apiserverAddress;
         certFile = cert;
         keyFile = key;
@@ -250,7 +251,7 @@ in
       # - it would be better with a more Nix-oriented way of managing addons
       systemd.services.kube-addon-manager = mkIf top.addonManager.enable (mkMerge [{
         environment.KUBECONFIG = with cfg.certs.addonManager;
-          top.lib.mkKubeConfig "addon-manager" {
+          klib.mkKubeConfig "addon-manager" {
             server = top.apiserverAddress;
             certFile = cert;
             keyFile = key;
@@ -343,7 +344,7 @@ in
       '';
 
       services.flannel = with cfg.certs.flannelClient; {
-        kubeconfig = top.lib.mkKubeConfig "flannel" {
+        kubeconfig = klib.mkKubeConfig "flannel" {
           server = top.apiserverAddress;
           certFile = cert;
           keyFile = key;

third_party/nixpkgs/nixos/modules/services/cluster/kubernetes/proxy.nix

@@ -6,6 +6,7 @@ let
   top = config.services.kubernetes;
   otop = options.services.kubernetes;
   cfg = top.proxy;
+  klib = options.services.kubernetes.lib.default;
 in
 {
   imports = [
@@ -43,7 +44,7 @@ in
       type = str;
     };
 
-    kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes proxy";
+    kubeconfig = klib.mkKubeConfigOptions "Kubernetes proxy";
 
     verbosity = mkOption {
       description = ''
@@ -72,7 +73,7 @@ in
           ${optionalString (cfg.featureGates != [])
             "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \
           --hostname-override=${cfg.hostname} \
-          --kubeconfig=${top.lib.mkKubeConfig "kube-proxy" cfg.kubeconfig} \
+          --kubeconfig=${klib.mkKubeConfig "kube-proxy" cfg.kubeconfig} \
           ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
           ${cfg.extraOpts}
         '';
@@ -88,7 +89,7 @@ in
     services.kubernetes.proxy.hostname = with config.networking; mkDefault hostName;
 
     services.kubernetes.pki.certs = {
-      kubeProxyClient = top.lib.mkCert {
+      kubeProxyClient = klib.mkCert {
         name = "kube-proxy-client";
         CN = "system:kube-proxy";
         action = "systemctl restart kube-proxy.service";

third_party/nixpkgs/nixos/modules/services/cluster/kubernetes/scheduler.nix

@@ -6,6 +6,7 @@ let
   top = config.services.kubernetes;
   otop = options.services.kubernetes;
   cfg = top.scheduler;
+  klib = options.services.kubernetes.lib.default;
 in
 {
   ###### interface
@@ -32,7 +33,7 @@ in
       type = listOf str;
     };
 
-    kubeconfig = top.lib.mkKubeConfigOptions "Kubernetes scheduler";
+    kubeconfig = klib.mkKubeConfigOptions "Kubernetes scheduler";
 
     leaderElect = mkOption {
       description = "Whether to start leader election before executing main loop.";
@@ -69,7 +70,7 @@ in
           --address=${cfg.address} \
           ${optionalString (cfg.featureGates != [])
             "--feature-gates=${concatMapStringsSep "," (feature: "${feature}=true") cfg.featureGates}"} \
-          --kubeconfig=${top.lib.mkKubeConfig "kube-scheduler" cfg.kubeconfig} \
+          --kubeconfig=${klib.mkKubeConfig "kube-scheduler" cfg.kubeconfig} \
           --leader-elect=${boolToString cfg.leaderElect} \
           --port=${toString cfg.port} \
           ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
@@ -87,7 +88,7 @@ in
     };
 
     services.kubernetes.pki.certs = {
-      schedulerClient = top.lib.mkCert {
+      schedulerClient = klib.mkCert {
         name = "kube-scheduler-client";
         CN = "system:kube-scheduler";
         action = "systemctl restart kube-scheduler.service";

third_party/nixpkgs/nixos/modules/services/databases/couchdb.nix

@@ -1,9 +1,10 @@
-{ config, lib, pkgs, ... }:
+{ config, options, lib, pkgs, ... }:
 
 with lib;
 
 let
   cfg = config.services.couchdb;
+  opt = options.services.couchdb;
   configFile = pkgs.writeText "couchdb.ini" (
     ''
       [couchdb]
@@ -153,6 +154,7 @@ in {
       argsFile = mkOption {
         type = types.path;
         default = "${cfg.package}/etc/vm.args";
+        defaultText = literalExpression ''"config.${opt.package}/etc/vm.args"'';
         description = ''
           vm.args configuration. Overrides Couchdb's Erlang VM parameters file.
         '';

third_party/nixpkgs/nixos/modules/services/desktops/gvfs.nix

@@ -54,7 +54,7 @@ in
 
     systemd.packages = [ cfg.package ];
 
-    services.udev.packages = [ pkgs.libmtp ];
+    services.udev.packages = [ pkgs.libmtp.out ];
 
     # Needed for unwrapped applications
     environment.variables.GIO_EXTRA_MODULES = [ "${cfg.package}/lib/gio/modules" ];

third_party/nixpkgs/nixos/modules/services/desktops/pipewire/pipewire-media-session.nix

@@ -29,6 +29,8 @@ in {
 
   meta = {
     maintainers = teams.freedesktop.members;
+    # uses attributes of the linked package
+    buildDocsInSandbox = false;
   };
 
   ###### interface
@@ -94,6 +96,12 @@ in {
   config = mkIf cfg.enable {
     environment.systemPackages = [ cfg.package ];
     systemd.packages = [ cfg.package ];
+
+    # Enable either system or user units.
+    systemd.services.pipewire-media-session.enable = config.services.pipewire.systemWide;
+    systemd.user.services.pipewire-media-session.enable = !config.services.pipewire.systemWide;
+
+    systemd.services.pipewire-media-session.wantedBy = [ "pipewire.service" ];
     systemd.user.services.pipewire-media-session.wantedBy = [ "pipewire.service" ];
 
     environment.etc."pipewire/media-session.d/media-session.conf" = {

third_party/nixpkgs/nixos/modules/services/desktops/pipewire/pipewire.nix

@@ -40,6 +40,8 @@ in {
 
   meta = {
     maintainers = teams.freedesktop.members;
+    # uses attributes of the linked package
+    buildDocsInSandbox = false;
   };
 
   ###### interface
@@ -123,6 +125,22 @@ in {
       pulse = {
         enable = mkEnableOption "PulseAudio server emulation";
       };
+
+      systemWide = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = ''
+          If true, a system-wide PipeWire service and socket is enabled
+          allowing all users in the "pipewire" group to use it simultaneously.
+          If false, then user units are used instead, restricting access to
+          only one user.
+
+          Enabling system-wide PipeWire is however not recommended and disabled
+          by default according to
+          https://github.com/PipeWire/pipewire/blob/master/NEWS
+        '';
+      };
+
     };
   };
 
@@ -148,9 +166,20 @@ in {
 
     # PipeWire depends on DBUS but doesn't list it. Without this booting
     # into a terminal results in the service crashing with an error.
+    systemd.services.pipewire.bindsTo = [ "dbus.service" ];
+    systemd.user.services.pipewire.bindsTo = [ "dbus.service" ];
+
+    # Enable either system or user units.  Note that for pipewire-pulse there
+    # are only user units, which work in both cases.
+    systemd.sockets.pipewire.enable = cfg.systemWide;
+    systemd.services.pipewire.enable = cfg.systemWide;
+    systemd.user.sockets.pipewire.enable = !cfg.systemWide;
+    systemd.user.services.pipewire.enable = !cfg.systemWide;
+
+    systemd.sockets.pipewire.wantedBy = lib.mkIf cfg.socketActivation [ "sockets.target" ];
     systemd.user.sockets.pipewire.wantedBy = lib.mkIf cfg.socketActivation [ "sockets.target" ];
     systemd.user.sockets.pipewire-pulse.wantedBy = lib.mkIf (cfg.socketActivation && cfg.pulse.enable) ["sockets.target"];
-    systemd.user.services.pipewire.bindsTo = [ "dbus.service" ];
+
     services.udev.packages = [ cfg.package ];
 
     # If any paths are updated here they must also be updated in the package test.
@@ -194,7 +223,22 @@ in {
     environment.sessionVariables.LD_LIBRARY_PATH =
       lib.optional cfg.jack.enable "${cfg.package.jack}/lib";
 
+    users = lib.mkIf cfg.systemWide {
+      users.pipewire = {
+        uid = config.ids.uids.pipewire;
+        group = "pipewire";
+        extraGroups = [
+          "audio"
+          "video"
+        ] ++ lib.optional config.security.rtkit.enable "rtkit";
+        description = "Pipewire system service user";
+        isSystemUser = true;
+      };
+      groups.pipewire.gid = config.ids.gids.pipewire;
+    };
+
     # https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/464#note_723554
+    systemd.services.pipewire.environment."PIPEWIRE_LINK_PASSIVE" = "1";
     systemd.user.services.pipewire.environment."PIPEWIRE_LINK_PASSIVE" = "1";
   };
 }

third_party/nixpkgs/nixos/modules/services/games/minecraft-server.nix

@@ -182,6 +182,27 @@ in {
         Restart = "always";
         User = "minecraft";
         WorkingDirectory = cfg.dataDir;
+        # Hardening
+        CapabilityBoundingSet = [ "" ];
+        DeviceAllow = [ "" ];
+        LockPersonality = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        UMask = "0077";
       };
 
       preStart = ''

third_party/nixpkgs/nixos/modules/services/misc/matrix-appservice-irc.nix

@@ -226,4 +226,7 @@ in {
       isSystemUser = true;
     };
   };
+
+  # uses attributes of the linked package
+  meta.buildDocsInSandbox = false;
 }

third_party/nixpkgs/nixos/modules/services/misc/sourcehut/default.nix

@@ -678,7 +678,7 @@ in
                 rev = "ff96a0fa5635770390b184ae74debea75c3fd534";
                 ref = "nixos-unstable";
             };
-            image_from_nixpkgs = (import ("${pkgs.sourcehut.buildsrht}/lib/images/nixos/image.nix") {
+            image_from_nixpkgs = (import ("''${pkgs.sourcehut.buildsrht}/lib/images/nixos/image.nix") {
               pkgs = (import pkgs_unstable {});
             });
           in
@@ -696,6 +696,7 @@ in
       package = mkOption {
         type = types.package;
         default = pkgs.git;
+        defaultText = literalExpression "pkgs.git";
         example = literalExpression "pkgs.gitFull";
         description = ''
           Git package for git.sr.ht. This can help silence collisions.
@@ -712,6 +713,7 @@ in
       package = mkOption {
         type = types.package;
         default = pkgs.mercurial;
+        defaultText = literalExpression "pkgs.mercurial";
         description = ''
           Mercurial package for hg.sr.ht. This can help silence collisions.
         '';

third_party/nixpkgs/nixos/modules/services/monitoring/prometheus/default.nix

@@ -251,6 +251,13 @@ let
 
   promTypes.scrape_config = types.submodule {
     options = {
+      authorization = mkOption {
+        type = types.attrs;
+        default = {};
+        description = ''
+          Sets the `Authorization` header on every scrape request with the configured credentials.
+        '';
+      };
       job_name = mkOption {
         type = types.str;
         description = ''

third_party/nixpkgs/nixos/modules/services/networking/adguardhome.nix

@@ -10,12 +10,20 @@ let
     "--pidfile /run/AdGuardHome/AdGuardHome.pid"
     "--work-dir /var/lib/AdGuardHome/"
     "--config /var/lib/AdGuardHome/AdGuardHome.yaml"
-    "--host ${cfg.host}"
-    "--port ${toString cfg.port}"
   ] ++ cfg.extraArgs);
 
-in
+  baseConfig = {
-{
+    bind_host = cfg.host;
+    bind_port = cfg.port;
+  };
+
+  configFile = pkgs.writeTextFile {
+    name = "AdGuardHome.yaml";
+    text = builtins.toJSON (recursiveUpdate cfg.settings baseConfig);
+    checkPhase = "${pkgs.adguardhome}/bin/adguardhome -c $out --check-config";
+  };
+
+in {
   options.services.adguardhome = with types; {
     enable = mkEnableOption "AdGuard Home network-wide ad blocker";
 
@@ -44,6 +52,31 @@ in
       '';
     };
 
+    mutableSettings = mkOption {
+      default = true;
+      type = bool;
+      description = ''
+        Allow changes made on the AdGuard Home web interface to persist between
+        service restarts.
+      '';
+    };
+
+    settings = mkOption {
+      type = (pkgs.formats.yaml { }).type;
+      default = { };
+      description = ''
+        AdGuard Home configuration. Refer to
+        <link xlink:href="https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration#configuration-file"/>
+        for details on supported values.
+
+        <note><para>
+          On start and if <option>mutableSettings</option> is <literal>true</literal>,
+          these options are merged into the configuration file on start, taking
+          precedence over configuration changes made on the web interface.
+        </para></note>
+      '';
+    };
+
     extraArgs = mkOption {
       default = [ ];
       type = listOf str;
@@ -62,6 +95,19 @@ in
         StartLimitIntervalSec = 5;
         StartLimitBurst = 10;
       };
+
+      preStart = ''
+        if    [ -e "$STATE_DIRECTORY/AdGuardHome.yaml" ] \
+           && [ "${toString cfg.mutableSettings}" = "1" ]; then
+          # Writing directly to AdGuardHome.yaml results in empty file
+          ${pkgs.yaml-merge}/bin/yaml-merge "$STATE_DIRECTORY/AdGuardHome.yaml" "${configFile}" > "$STATE_DIRECTORY/AdGuardHome.yaml.tmp"
+          mv "$STATE_DIRECTORY/AdGuardHome.yaml.tmp" "$STATE_DIRECTORY/AdGuardHome.yaml"
+        else
+          cp --force "${configFile}" "$STATE_DIRECTORY/AdGuardHome.yaml"
+          chmod 600 "$STATE_DIRECTORY/AdGuardHome.yaml"
+        fi
+      '';
+
       serviceConfig = {
         DynamicUser = true;
         ExecStart = "${pkgs.adguardhome}/bin/adguardhome ${args}";

third_party/nixpkgs/nixos/modules/services/networking/dnscrypt-proxy2.nix

@@ -118,4 +118,7 @@ in
       };
     };
   };
+
+  # uses attributes of the linked package
+  meta.buildDocsInSandbox = false;
 }

third_party/nixpkgs/nixos/modules/services/networking/kea.nix

@@ -378,4 +378,6 @@ in
   ]);
 
   meta.maintainers = with maintainers; [ hexa ];
+  # uses attributes of the linked package
+  meta.buildDocsInSandbox = false;
 }

third_party/nixpkgs/nixos/modules/services/networking/searx.nix

@@ -228,5 +228,4 @@ in
   };
 
   meta.maintainers = with maintainers; [ rnhmjoj ];
-
 }

third_party/nixpkgs/nixos/modules/services/networking/tinc.nix

@@ -435,5 +435,5 @@ in
     );
   };
 
-  meta.maintainers = with maintainers; [ minijackson ];
+  meta.maintainers = with maintainers; [ minijackson mic92 ];
 }

third_party/nixpkgs/nixos/modules/services/networking/xrdp.nix

@@ -100,6 +100,7 @@ in
       confDir = mkOption {
         type = types.path;
         default = confDir;
+        defaultText = literalDocBook "generated from configuration";
         description = "The location of the config files for xrdp.";
       };
     };

third_party/nixpkgs/nixos/modules/services/security/aesmd.nix

@@ -1,7 +1,8 @@
-{ config, pkgs, lib, ... }:
+{ config, options, pkgs, lib, ... }:
 with lib;
 let
   cfg = config.services.aesmd;
+  opt = options.services.aesmd;
 
   sgx-psw = pkgs.sgx-psw.override { inherit (cfg) debug; };
 
@@ -43,6 +44,9 @@ in
         options.proxyType = mkOption {
           type = with types; nullOr (enum [ "default" "direct" "manual" ]);
           default = if (cfg.settings.proxy != null) then "manual" else null;
+          defaultText = literalExpression ''
+            if (config.${opt.settings}.proxy != null) then "manual" else null
+          '';
           example = "default";
           description = ''
             Type of proxy to use. The <literal>default</literal> uses the system's default proxy.

third_party/nixpkgs/nixos/modules/services/security/vaultwarden/default.nix

@@ -179,4 +179,7 @@ in {
       wantedBy = [ "multi-user.target" ];
     };
   };
+
+  # uses attributes of the linked package
+  meta.buildDocsInSandbox = false;
 }

third_party/nixpkgs/nixos/modules/services/web-apps/bookstack.nix

@@ -329,9 +329,6 @@ in {
         ${pkgs.php}/bin/php artisan cache:clear
         ${pkgs.php}/bin/php artisan config:clear
         ${pkgs.php}/bin/php artisan view:clear
-        ${pkgs.php}/bin/php artisan config:cache
-        ${pkgs.php}/bin/php artisan route:cache
-        ${pkgs.php}/bin/php artisan view:cache
       '';
     };
 

third_party/nixpkgs/nixos/modules/services/web-apps/dex.nix

@@ -112,4 +112,7 @@ in
       };
     };
   };
+
+  # uses attributes of the linked package
+  meta.buildDocsInSandbox = false;
 }

third_party/nixpkgs/nixos/modules/services/web-apps/gerrit.nix

@@ -237,4 +237,6 @@ in
   };
 
   meta.maintainers = with lib.maintainers; [ edef zimbatm ];
+  # uses attributes of the linked package
+  meta.buildDocsInSandbox = false;
 }

third_party/nixpkgs/nixos/modules/services/web-apps/jirafeau.nix

@@ -167,4 +167,7 @@ in
       "d ${cfg.dataDir}/async/ 0750 ${user} ${group} - -"
     ];
   };
+
+  # uses attributes of the linked package
+  meta.buildDocsInSandbox = false;
 }

third_party/nixpkgs/nixos/modules/services/web-apps/powerdns-admin.nix

@@ -146,4 +146,7 @@ in
       group = "powerdnsadmin";
     };
   };
+
+  # uses attributes of the linked package
+  meta.buildDocsInSandbox = false;
 }

third_party/nixpkgs/nixos/modules/services/web-apps/wordpress.nix

@@ -359,7 +359,7 @@ in
 
             DirectoryIndex index.php
             Require all granted
-            Options +FollowSymLinks
+            Options +FollowSymLinks -Indexes
           </Directory>
 
           # https://wordpress.org/support/article/hardening-wordpress/#securing-wp-config-php

third_party/nixpkgs/nixos/modules/services/x11/desktop-managers/enlightenment.nix

@@ -36,6 +36,7 @@ in
       enlightenment.econnman
       enlightenment.efl
       enlightenment.enlightenment
+      enlightenment.ecrire
       enlightenment.ephoto
       enlightenment.rage
       enlightenment.terminology

third_party/nixpkgs/nixos/modules/services/x11/xserver.nix

@@ -865,4 +865,6 @@ in
 
   };
 
+  # uses relatedPackages
+  meta.buildDocsInSandbox = false;
 }

third_party/nixpkgs/nixos/modules/system/activation/top-level.nix

@@ -317,4 +317,6 @@ in
 
   };
 
+  # uses extendModules to generate a type
+  meta.buildDocsInSandbox = false;
 }

third_party/nixpkgs/nixos/modules/system/boot/binfmt.nix

@@ -20,16 +20,20 @@ let
                  optionalString fixBinary "F";
   in ":${name}:${type}:${offset'}:${magicOrExtension}:${mask'}:${interpreter}:${flags}";
 
-  activationSnippet = name: { interpreter, ... }: ''
+  activationSnippet = name: { interpreter, wrapInterpreterInShell, ... }: if wrapInterpreterInShell then ''
     rm -f /run/binfmt/${name}
     cat > /run/binfmt/${name} << 'EOF'
     #!${pkgs.bash}/bin/sh
     exec -- ${interpreter} "$@"
     EOF
     chmod +x /run/binfmt/${name}
+  '' else ''
+    rm -f /run/binfmt/${name}
+    ln -s ${interpreter} /run/binfmt/${name}
   '';
 
   getEmulator = system: (lib.systems.elaborate { inherit system; }).emulator pkgs;
+  getQemuArch = system: (lib.systems.elaborate { inherit system; }).qemuArch;
 
   # Mapping of systems to “magicOrExtension” and “mask”. Mostly taken from:
   # - https://github.com/cleverca22/nixos-configs/blob/master/qemu.nix
@@ -238,6 +242,25 @@ in {
               '';
               type = types.bool;
             };
+
+            wrapInterpreterInShell = mkOption {
+              default = true;
+              description = ''
+                Whether to wrap the interpreter in a shell script.
+
+                This allows a shell command to be set as the interpreter.
+              '';
+              type = types.bool;
+            };
+
+            interpreterSandboxPath = mkOption {
+              internal = true;
+              default = null;
+              description = ''
+                Path of the interpreter to expose in the build sandbox.
+              '';
+              type = types.nullOr types.path;
+            };
           };
         }));
       };
@@ -258,16 +281,37 @@ in {
   config = {
     boot.binfmt.registrations = builtins.listToAttrs (map (system: {
       name = system;
-      value = {
+      value = let
         interpreter = getEmulator system;
+        qemuArch = getQemuArch system;
+
+        preserveArgvZero = "qemu-${qemuArch}" == baseNameOf interpreter;
+        interpreterReg = let
+          wrapperName = "qemu-${qemuArch}-binfmt-P";
+          wrapper = pkgs.wrapQemuBinfmtP wrapperName interpreter;
+        in
+          if preserveArgvZero then "${wrapper}/bin/${wrapperName}"
+          else interpreter;
+      in {
+        inherit preserveArgvZero;
+
+        interpreter = interpreterReg;
+        wrapInterpreterInShell = !preserveArgvZero;
+        interpreterSandboxPath = dirOf (dirOf interpreterReg);
       } // (magics.${system} or (throw "Cannot create binfmt registration for system ${system}"));
     }) cfg.emulatedSystems);
     # TODO: add a nix.extraPlatforms option to NixOS!
     nix.extraOptions = lib.mkIf (cfg.emulatedSystems != []) ''
       extra-platforms = ${toString (cfg.emulatedSystems ++ lib.optional pkgs.stdenv.hostPlatform.isx86_64 "i686-linux")}
     '';
-    nix.sandboxPaths = lib.mkIf (cfg.emulatedSystems != [])
+    nix.sandboxPaths = lib.mkIf (cfg.emulatedSystems != []) (
-      ([ "/run/binfmt" "${pkgs.bash}" ] ++ (map (system: dirOf (dirOf (getEmulator system))) cfg.emulatedSystems));
+      let
+        ruleFor = system: cfg.registrations.${system};
+        hasWrappedRule = lib.any (system: (ruleFor system).wrapInterpreterInShell) cfg.emulatedSystems;
+      in [ "/run/binfmt" ]
+        ++ lib.optional hasWrappedRule "${pkgs.bash}"
+        ++ (map (system: (ruleFor system).interpreterSandboxPath) cfg.emulatedSystems)
+      );
 
     environment.etc."binfmt.d/nixos.conf".source = builtins.toFile "binfmt_nixos.conf"
       (lib.concatStringsSep "\n" (lib.mapAttrsToList makeBinfmtLine config.boot.binfmt.registrations));

third_party/nixpkgs/nixos/modules/virtualisation/qemu-vm.nix

@@ -999,4 +999,7 @@ in
       ];
 
   };
+
+  # uses types of services/x11/xserver.nix
+  meta.buildDocsInSandbox = false;
 }

third_party/nixpkgs/nixos/modules/virtualisation/xen-dom0.nix

@@ -450,5 +450,4 @@ in
     };
 
   };
-
 }

third_party/nixpkgs/nixos/tests/sudo.nix

@@ -73,7 +73,7 @@ in
             machine.fail('su - test1 -c "sudo -n -u root true"')
 
         with subtest("users in group 'foobar' should be able to use sudo with password"):
-            machine.succeed("sudo -u test2 echo ${password} | sudo -S -u root true")
+            machine.succeed('su - test2 -c "echo ${password} | sudo -S -u root true"')
 
         with subtest("users in group 'barfoo' should be able to use sudo without password"):
             machine.succeed("sudo -u test3 sudo -n -u root true")

third_party/nixpkgs/nixos/tests/systemd-binfmt.nix

@@ -1,24 +1,90 @@
 # Teach the kernel how to run armv7l and aarch64-linux binaries,
 # and run GNU Hello for these architectures.
-import ./make-test-python.nix ({ pkgs, ... }: {
+
-  name = "systemd-binfmt";
+{ system ? builtins.currentSystem,
-  machine = {
+  config ? {},
-    boot.binfmt.emulatedSystems = [
+  pkgs ? import ../.. { inherit system config; }
-      "armv7l-linux"
+}:
-      "aarch64-linux"
+
-    ];
+with import ../lib/testing-python.nix { inherit system pkgs; };
+
+let
+  expectArgv0 = xpkgs: xpkgs.runCommandCC "expect-argv0" {
+    src = pkgs.writeText "expect-argv0.c" ''
+      #include <stdio.h>
+      #include <string.h>
+
+      int main(int argc, char **argv) {
+        fprintf(stderr, "Our argv[0] is %s\n", argv[0]);
+
+        if (strcmp(argv[0], argv[1])) {
+          fprintf(stderr, "ERROR: argv[0] is %s, should be %s\n", argv[0], argv[1]);
+          return 1;
+        }
+
+        return 0;
+      }
+    '';
+  } ''
+    $CC -o $out $src
+  '';
+in {
+  basic = makeTest {
+    name = "systemd-binfmt";
+    machine = {
+      boot.binfmt.emulatedSystems = [
+        "armv7l-linux"
+        "aarch64-linux"
+      ];
+    };
+
+    testScript = let
+      helloArmv7l = pkgs.pkgsCross.armv7l-hf-multiplatform.hello;
+      helloAarch64 = pkgs.pkgsCross.aarch64-multiplatform.hello;
+    in ''
+      machine.start()
+
+      assert "world" in machine.succeed(
+          "${helloArmv7l}/bin/hello"
+      )
+
+      assert "world" in machine.succeed(
+          "${helloAarch64}/bin/hello"
+      )
+    '';
   };
 
-  testScript = let
+  preserveArgvZero = makeTest {
-    helloArmv7l = pkgs.pkgsCross.armv7l-hf-multiplatform.hello;
+    name = "systemd-binfmt-preserve-argv0";
-    helloAarch64 = pkgs.pkgsCross.aarch64-multiplatform.hello;
+    machine = {
-  in ''
+      boot.binfmt.emulatedSystems = [
-    machine.start()
+        "aarch64-linux"
-    assert "world" in machine.succeed(
+      ];
-        "${helloArmv7l}/bin/hello"
+    };
-    )
+    testScript = let
-    assert "world" in machine.succeed(
+      testAarch64 = expectArgv0 pkgs.pkgsCross.aarch64-multiplatform;
-        "${helloAarch64}/bin/hello"
+    in ''
-    )
+      machine.start()
-  '';
+      machine.succeed("exec -a meow ${testAarch64} meow")
-})
+    '';
+  };
+
+  ldPreload = makeTest {
+    name = "systemd-binfmt-ld-preload";
+    machine = {
+      boot.binfmt.emulatedSystems = [
+        "aarch64-linux"
+      ];
+    };
+    testScript = let
+      helloAarch64 = pkgs.pkgsCross.aarch64-multiplatform.hello;
+      libredirectAarch64 = pkgs.pkgsCross.aarch64-multiplatform.libredirect;
+    in ''
+      machine.start()
+
+      assert "error" not in machine.succeed(
+          "LD_PRELOAD='${libredirectAarch64}/lib/libredirect.so' ${helloAarch64}/bin/hello 2>&1"
+      ).lower()
+    '';
+  };
+}

third_party/nixpkgs/pkgs/applications/audio/bucklespring/default.nix

@@ -19,13 +19,13 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "bucklespring";
-  version = "1.5.0";
+  version = "1.5.1";
 
   src = fetchFromGitHub {
     owner = "zevv";
     repo = pname;
-    rev = version;
+    rev = "v${version}";
-    sha256 = "114dib4npb7r1z2zd1fwsx71xbf9r6psxqd7n7590cwz1w3r51mz";
+    sha256 = "0prhqibivxzmz90k79zpwx3c97h8wa61rk5ihi9a5651mnc46mna";
   };
 
   nativeBuildInputs = [ pkg-config makeWrapper ];

third_party/nixpkgs/pkgs/applications/audio/gnome-podcasts/default.nix

@@ -21,20 +21,20 @@
 
 stdenv.mkDerivation rec {
   pname = "gnome-podcasts";
-  version = "0.5.0";
+  version = "0.5.1";
 
   src = fetchFromGitLab {
     domain = "gitlab.gnome.org";
     owner = "World";
     repo = "podcasts";
     rev = version;
-    hash = "sha256-Jk++/QrQt/fjOz2OaEIr1Imq2DmqTjcormCebjO4/Kk=";
+    sha256 = "00vy1qkkpn76jdpybsq9qp8s6fh1ih10j73p2x43sl97m5g8944h";
   };
 
   cargoDeps = rustPlatform.fetchCargoTarball {
     inherit src;
     name = "${pname}-${version}";
-    hash = "sha256-jlXpeVabc1h2GU1j9Ff6GZJec+JgFyOdJzsOtdkrEWI=";
+    sha256 = "0y34b5rnr75h7dxbx93mafrmwsh187wq5js7fmkb1m1yyybj1v1x";
   };
 
   nativeBuildInputs = [
@@ -79,5 +79,6 @@ stdenv.mkDerivation rec {
     license = licenses.gpl3Plus;
     maintainers = teams.gnome.members;
     platforms = platforms.unix;
+    broken = stdenv.isDarwin; # never built on Hydra https://hydra.nixos.org/job/nixpkgs/trunk/gnome-podcasts.x86_64-darwin
   };
 }

third_party/nixpkgs/pkgs/applications/audio/miniaudicle/default.nix

@@ -7,7 +7,7 @@
 , alsa-lib
 , libsndfile
 , qt4
-, qscintilla
+, qscintilla-qt4
 , libpulseaudio
 , libjack2
 , audioBackend ? "pulse" # "pulse", "alsa", or "jack"
@@ -39,7 +39,7 @@ stdenv.mkDerivation rec {
     alsa-lib
     libsndfile
     qt4
-    qscintilla
+    qscintilla-qt4
   ] ++ lib.optional (audioBackend == "pulse") libpulseaudio
     ++ lib.optional (audioBackend == "jack")  libjack2;
 

third_party/nixpkgs/pkgs/applications/audio/mopidy/default.nix

@@ -21,6 +21,8 @@ lib.makeScope newScope (self: with self; {
 
   mopidy-mpris = callPackage ./mpris.nix { };
 
+  mopidy-muse = callPackage ./muse.nix { };
+
   mopidy-musicbox-webclient = callPackage ./musicbox-webclient.nix { };
 
   mopidy-podcast = callPackage ./podcast.nix { };

third_party/nixpkgs/pkgs/applications/audio/mopidy/muse.nix

@@ -0,0 +1,29 @@
+{ lib, pythonPackages, mopidy }:
+
+pythonPackages.buildPythonApplication rec {
+  pname = "mopidy-muse";
+  version = "0.0.27";
+
+  src = pythonPackages.fetchPypi {
+    inherit version;
+    pname = "Mopidy-Muse";
+    sha256 = "0jx9dkgxr07avzz9zskzhqy98zsxkdrf7iid2ax5vygwf8qsx8ks";
+  };
+
+  propagatedBuildInputs = [
+    mopidy
+    pythonPackages.pykka
+  ];
+
+  pythonImportsCheck = [ "mopidy_muse" ];
+
+  # has no tests
+  doCheck = false;
+
+  meta = with lib; {
+    description = "Mopidy web client with Snapcast support";
+    homepage = "https://github.com/cristianpb/muse";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ hexa ];
+  };
+}

third_party/nixpkgs/pkgs/applications/audio/paprefs/default.nix

@@ -13,11 +13,11 @@
 
 stdenv.mkDerivation rec {
   pname = "paprefs";
-  version = "1.1";
+  version = "1.2";
 
   src = fetchurl {
     url = "https://freedesktop.org/software/pulseaudio/paprefs/paprefs-${version}.tar.xz";
-    sha256 = "189z5p20hk0xv9vwvym293503j4pwl03xqk9hl7cl6dwgv0l7wkf";
+    sha256 = "sha256-s/IeQNw5NtFeP/yRD7DAfBS4jowodxW0VqlIwXY49jM=";
   };
 
   nativeBuildInputs = [

third_party/nixpkgs/pkgs/applications/audio/snapcast/default.nix

@@ -37,13 +37,13 @@ in
 
 stdenv.mkDerivation rec {
   pname = "snapcast";
-  version = "0.25.0";
+  version = "0.26.0";
 
   src = fetchFromGitHub {
     owner  = "badaix";
     repo   = "snapcast";
     rev    = "v${version}";
-    sha256 = "064pcpr5dsv9hncqkrnxriva4xjv1vcxhvc69h1an8x8vn4dwgmf";
+    sha256 = "sha256-CCifn9OEFM//Hk1PJj8T3MXIV8pXCTdBBXPsHuZwLyQ=";
   };
 
   nativeBuildInputs = [ cmake pkg-config ];

third_party/nixpkgs/pkgs/applications/blockchains/bitcoin-classic/default.nix

@@ -25,7 +25,7 @@ stdenv.mkDerivation rec {
     owner = "bitcoinclassic";
     repo = "bitcoinclassic";
     rev = "v${version}";
-    sha256 = "sha256-V1cOB5FLotGS5jup/aVaiDiyr/v2KJ2SLcIu/Hrjuwk=";
+    sha256 = "sha256-fVmFD1B4kKoejd2cmPPF5TJJQTAA6AVsGlVY8IIUNK4=";
   };
 
   nativeBuildInputs = [ pkg-config autoreconfHook ];

third_party/nixpkgs/pkgs/applications/blockchains/dashpay/default.nix

@@ -15,7 +15,7 @@ stdenv.mkDerivation rec {
     owner = "dashpay";
     repo= "dash";
     rev = "v${version}";
-    sha256 = "0l1gcj2xf2bal9ph9y11x8yd28fd25f55f48xbm45bfw3ij7nbaa";
+    sha256 = "sha256-DMoiUX8Q0HcBHA6ZIN58uPsTnHjEJMi8eGG2DW8z17Q=";
   };
 
   nativeBuildInputs = [ pkg-config autoreconfHook ];

third_party/nixpkgs/pkgs/applications/blockchains/electrs/default.nix

@@ -12,16 +12,16 @@ let
 in
 rustPlatform.buildRustPackage rec {
   pname = "electrs";
-  version = "0.9.3";
+  version = "0.9.4";
 
   src = fetchFromGitHub {
     owner = "romanz";
     repo = pname;
     rev = "v${version}";
-    hash = "sha256-sTQ/dX1uXJkEmrNZ47qjBlrexO50y0NGNhw71rHc9bw=";
+    hash = "sha256-37KTcLFVzuXlLpz9INXbasUdzuY+T34ef8EtfczQ+D8=";
   };
 
-  cargoHash = "sha256-1ZQt8LaqgxNxFfgCVCK0GVwbcVfX3v9iz7tHvzgyI0g=";
+  cargoHash = "sha256-aOSCpvejMUfSZCDwShqMPEc3vXw9ri2QvTaCuHODTwA=";
 
   # needed for librocksdb-sys
   nativeBuildInputs = [ llvmPackages.clang ];

third_party/nixpkgs/pkgs/applications/blockchains/erigon.nix

@@ -11,8 +11,8 @@ buildGoModule rec {
     sha256 = "0l0w1badhvlh1rgqzvlmy5k7xhb1nf4f5dmhkl935a5ila08aak3";
   };
 
-  vendorSha256 = "1hbfmq76zm50zwmlh3jblriwq2k1mp99d8lg8xzxwy56hncgfj8k";
+  vendorSha256 = "sha256-kA7pOSP4wkzKuFmUqhZmjXJ0ao64cIgZMrQtQ0bQ++U=";
-  runVend = true;
+  proxyVendor = true;
 
   # Build errors in mdbx when format hardening is enabled:
   #   cc1: error: '-Wformat-security' ignored without '-Wformat' [-Werror=format-security]

third_party/nixpkgs/pkgs/applications/editors/em/default.nix

@@ -0,0 +1,29 @@
+{ lib
+, stdenv
+, fetchurl
+}:
+
+stdenv.mkDerivation rec {
+  pname = "em";
+  version = "1.0.0";
+
+  src = fetchurl {
+    url = "http://pgas.freeshell.org/C/em/${pname}-${version}.tar.gz";
+    hash = "sha256-ijMBkl7U1f9MTXgli9kUFB8ttMG6TMQnxfDMP9AblTQ=";
+  };
+
+  meta = with lib; {
+    homepage = "http://pgas.freeshell.org/C/em/";
+    description = "Editor for Mortals";
+    longDescription = ''
+      Em is a QMC variant of the standard Unix text editor - ed. It includes all
+      of ed, so the documentation for ed is fully applicable to em. Em also has
+      a number of new commands and facilities designed to improve its
+      interaction and increase its usefulness to users at fast vdu terminals
+      (such as the ITT's at QMC).
+    '';
+    license = licenses.publicDomain;
+    maintainers = with maintainers; [ AndersonTorres ];
+    platforms = platforms.unix;
+  };
+}

third_party/nixpkgs/pkgs/applications/editors/helix/default.nix

@@ -2,17 +2,17 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "helix";
-  version = "0.5.0";
+  version = "0.6.0";
 
   src = fetchFromGitHub {
     owner = "helix-editor";
     repo = pname;
     rev = "v${version}";
     fetchSubmodules = true;
-    sha256 = "sha256-NoVg/8oJIgMQtxlCSjrLnYCG8shigYqZzWAQwmiqxgA=";
+    sha256 = "sha256-d/USOtcPLjdgzN7TBCouBRmoSDH5LZD4R5Qq7lUrWZw=";
   };
 
-  cargoSha256 = "sha256-kqPI8WpGpr0VL7CbBTSsjKl3xqJrv/6Qjr6UFnIgaVo=";
+  cargoSha256 = "sha256-/EATU7HsGNB35YOBp8sofbPd1nl4d3Ggj1ay3QuHkCI=";
 
   nativeBuildInputs = [ makeWrapper ];
 

third_party/nixpkgs/pkgs/applications/gis/qgis/unwrapped.nix

@@ -114,7 +114,7 @@ in mkDerivation rec {
   cmakeFlags = [
     "-DCMAKE_SKIP_BUILD_RPATH=OFF"
     "-DPYQT5_SIP_DIR=${python3Packages.pyqt5}/${python3Packages.python.sitePackages}/PyQt5/bindings"
-    "-DQSCI_SIP_DIR=${python3Packages.qscintilla-qt5}/share/sip/PyQt5"
+    "-DQSCI_SIP_DIR=${python3Packages.qscintilla-qt5}/${python3Packages.python.sitePackages}/PyQt5/bindings"
   ] ++ lib.optional (!withWebKit) "-DWITH_QTWEBKIT=OFF"
     ++ lib.optional withGrass "-DGRASS_PREFIX7=${grass}/${grass.name}";
 

third_party/nixpkgs/pkgs/applications/graphics/odafileconverter/default.nix

@@ -14,7 +14,7 @@ in mkDerivation {
 
   src = fetchurl {
     # NB: this URL is not stable (i.e. the underlying file and the corresponding version will change over time)
-    url = "http://web.archive.org/web/20201206221727if_/https://download.opendesign.com/guestfiles/Demo/ODAFileConverter_QT5_lnxX64_7.2dll_21.11.deb";
+    url = "https://web.archive.org/web/20201206221727if_/https://download.opendesign.com/guestfiles/Demo/ODAFileConverter_QT5_lnxX64_7.2dll_21.11.deb";
     sha256 = "10027a3ab18efd04ca75aa699ff550eca3bdfe6f7084460d3c00001bffb50070";
   };
 

third_party/nixpkgs/pkgs/applications/graphics/opentoonz/default.nix

@@ -1,6 +1,6 @@
 { boost, cmake, fetchFromGitHub, freeglut, freetype, glew, libjpeg, libmypaint
-, libpng, libtiff, libusb1, lz4, xz, lzo, openblas, pkg-config, qtbase
+, libpng, libtiff, libusb1, lz4, xz, lzo, openblas, opencv, pkg-config, qtbase
-, qtmultimedia, qtscript, lib, stdenv, superlu, wrapQtAppsHook, }:
+, qtmultimedia, qtscript, qtserialport, lib, stdenv, superlu, wrapQtAppsHook, }:
 let source = import ./source.nix { inherit fetchFromGitHub; };
 in stdenv.mkDerivation rec {
   inherit (source) src;
@@ -24,9 +24,11 @@ in stdenv.mkDerivation rec {
     xz
     lzo
     openblas
+    opencv
     qtbase
     qtmultimedia
     qtscript
+    qtserialport
     superlu
   ];
 

third_party/nixpkgs/pkgs/applications/graphics/opentoonz/libtiff.nix

@@ -2,20 +2,55 @@
 # opentoonz requires its own modified version of libtiff.  We still build it as
 # a separate package
 #  1. For visibility for tools like vulnix, and
-#  2. To avoid a diamond-dependency problem with qt linking the normal libtiff
+#  2. To avoid a diamond-dependency problem with opencv linking the normal libtiff
-#     and opentoonz linking qt and this modified libtiff, we build a qt against
+#     and opentoonz linking opencv and this modified libtiff, we build an opencv
-#     this modified libtiff as well.
+#     against this modified libtiff as well.
+#
+# We use a separate mkDerivation rather than a minimal libtiff.overrideAttrs
+# because the main libtiff builds with cmake and this version of libtiff was
+# forked before libtiff gained CMake build capability (added in libtiff-4.0.5).
+
+{ lib, fetchFromGitHub, stdenv, pkg-config, zlib, libjpeg, xz, libtiff, }:
 
-{ fetchFromGitHub, libtiff }:
 let source = import ./source.nix { inherit fetchFromGitHub; };
-in libtiff.overrideAttrs (old: {
+
-  inherit (source) src;
+in stdenv.mkDerivation {
+  pname = "libtiff";
   version = source.versions.libtiff + "-opentoonz";
-  postUnpack = (old.postUnpack or "") + ''
+
+  inherit (source) src;
+  outputs = [ "bin" "dev" "out" "man" "doc" ];
+
+  nativeBuildInputs = [ pkg-config ];
+  propagatedBuildInputs = [ zlib libjpeg xz ];
+
+  postUnpack = ''
     sourceRoot="$sourceRoot/thirdparty/tiff-${source.versions.libtiff}"
   '';
+
   # opentoonz uses internal libtiff headers
-  postInstall = (old.postInstall or "") + ''
+  postInstall = ''
     cp libtiff/{tif_config,tif_dir,tiffiop}.h $dev/include
   '';
-})
+
+  meta = libtiff.meta // {
+    knownVulnerabilities = [''
+      Do not open untrusted files with Opentoonz:
+      Opentoonz uses an old custom fork of tibtiff from 2012 that is known to
+      be affected by at least these 50 vulnerabilities:
+        CVE-2012-4564 CVE-2013-4232 CVE-2013-4243 CVE-2013-4244 CVE-2014-8127
+        CVE-2014-8128 CVE-2014-8129 CVE-2014-8130 CVE-2014-9330 CVE-2015-1547
+        CVE-2015-8781 CVE-2015-8782 CVE-2015-8783 CVE-2015-8784 CVE-2015-8870
+        CVE-2016-3620 CVE-2016-3621 CVE-2016-3623 CVE-2016-3624 CVE-2016-3625
+        CVE-2016-3631 CVE-2016-3632 CVE-2016-3633 CVE-2016-3634 CVE-2016-3658
+        CVE-2016-3945 CVE-2016-3990 CVE-2016-3991 CVE-2016-5102 CVE-2016-5314
+        CVE-2016-5315 CVE-2016-5316 CVE-2016-5318 CVE-2016-5319 CVE-2016-5321
+        CVE-2016-5322 CVE-2016-5323 CVE-2016-6223 CVE-2016-9453 CVE-2016-9532
+        CVE-2017-9935 CVE-2017-9937 CVE-2018-10963 CVE-2018-5360
+        CVE-2019-14973 CVE-2019-17546 CVE-2020-35521 CVE-2020-35522
+        CVE-2020-35523 CVE-2020-35524
+      More info at https://github.com/opentoonz/opentoonz/issues/4193
+    ''];
+    maintainers = with lib.maintainers; [ chkno ];
+  };
+}

third_party/nixpkgs/pkgs/applications/graphics/opentoonz/source.nix

@@ -3,14 +3,14 @@
 
 { fetchFromGitHub, }: rec {
   versions = {
-    opentoonz = "1.4.0";
+    opentoonz = "1.5.0";
-    libtiff = "4.0.3";
+    libtiff = "4.0.3";  # The version in thirdparty/tiff-*
   };
 
   src = fetchFromGitHub {
     owner = "opentoonz";
     repo = "opentoonz";
     rev = "v${versions.opentoonz}";
-    sha256 = "0vgclx2yydsm5i2smff3fj8m750nhf35wfhva37kywgws01s189b";
+    sha256 = "1rw30ksw3zjph1cwxkfvqj0330v8wd4333gn0fdf3cln1w0549lk";
   };
 }

third_party/nixpkgs/pkgs/applications/graphics/ovito/default.nix

@@ -1,16 +1,33 @@
-{ mkDerivation, lib, fetchFromGitLab, cmake
+{ mkDerivation
-, boost, netcdf, hdf5, fftwSinglePrec, muparser, openssl, ffmpeg, python
+, lib
-, qtbase, qtsvg, qttools, qscintilla }:
+, stdenv
+, fetchFromGitLab
+, cmake
+, boost
+, bzip2
+, ffmpeg
+, fftwSinglePrec
+, hdf5
+, muparser
+, netcdf
+, openssl
+, python3
+, qscintilla
+, qtbase
+, qtsvg
+, qttools
+, VideoDecodeAcceleration
+}:
 
 mkDerivation rec {
   pname = "ovito";
-  version = "3.4.0";
+  version = "3.6.0";
 
   src = fetchFromGitLab {
     owner = "stuko";
     repo = "ovito";
     rev = "v${version}";
-    sha256 = "1y3wr6yzpsl0qm7cicp2mppfszxd0fgx8hm99in9wff9qd0r16b5";
+    sha256 = "sha256-yQ8gSe/QM1RRNxk4bDJ+K5QX0eYjZ+iG3QOHj01tJhY=";
   };
 
   nativeBuildInputs = [
@@ -19,17 +36,20 @@ mkDerivation rec {
 
   buildInputs = [
     boost
-    netcdf
+    bzip2
-    hdf5
-    fftwSinglePrec
-    muparser
-    openssl
     ffmpeg
-    python
+    fftwSinglePrec
+    hdf5
+    muparser
+    netcdf
+    openssl
+    python3
+    qscintilla
     qtbase
     qtsvg
     qttools
-    qscintilla
+  ] ++ lib.optionals stdenv.isDarwin [
+    VideoDecodeAcceleration
   ];
 
   meta = with lib; {
@@ -37,5 +57,6 @@ mkDerivation rec {
     homepage = "https://ovito.org";
     license = with licenses;  [ gpl3Only mit ];
     maintainers = with maintainers; [ twhitehead ];
+    broken = stdenv.isDarwin; # clang-11: error: no such file or directory: '$-DOVITO_COPYRIGHT_NOTICE=...
   };
 }

third_party/nixpkgs/pkgs/applications/graphics/pinta/default.nix

@@ -1,91 +1,87 @@
 { lib
+, buildDotnetModule
+, dotnetCorePackages
 , fetchFromGitHub
-, buildDotnetPackage
+, gtk3
-, dotnetPackages
+, installShellFiles
-, gtksharp
+, librsvg
-, gettext
+, makeDesktopItem
+, wrapGAppsHook
 }:
 
-let
+buildDotnetModule rec {
-  mono-addins = dotnetPackages.MonoAddins;
-in
-buildDotnetPackage rec {
   pname = "Pinta";
-  version = "1.7.1";
+  version = "2.0";
 
-  outputFiles = [ "bin/*" ];
+  nativeBuildInputs = [
-  buildInputs = [ gtksharp mono-addins gettext ];
+    installShellFiles
-  xBuildFiles = [ "Pinta.sln" ];
+    wrapGAppsHook
+  ];
+
+  runtimeDeps = [ gtk3 ];
+
+  dotnet-sdk = dotnetCorePackages.sdk_6_0;
+  dotnet-runtime = dotnetCorePackages.runtime_6_0;
+
+  # How-to update deps:
+  # $ nix-build -A pinta.fetch-deps
+  # $ ./result
+  # $ cp /tmp/Pinta-deps.nix ./pkgs/applications/graphics/pinta/default.nix
+  # TODO: create update script
+  nugetDeps = ./deps.nix;
+
+  projectFile = "Pinta";
 
   src = fetchFromGitHub {
     owner = "PintaProject";
     repo = "Pinta";
     rev = version;
-    sha256 = "sha256-yRp/dpJ9T4DieqHTj3vhyuASPGe4vjHw0rSXFrTNZVc=";
+    sha256 = "sha256-wqqNPyy5h/hTDm2u5MDZx1ds5qWAxy1/BY/fX4PeA88=";
   };
 
-  # Remove version information from nodes <Reference Include="... Version=... ">
+  # FIXME: this should be propagated by wrapGAppsHook already, however for some
-  postPatch = with lib; let
+  # reason it is not working. Maybe a bug in buildDotnetModule?
-    csprojFiles = [
+  preInstall = ''
-      "Pinta/Pinta.csproj"
+    gappsWrapperArgs+=(
-      "Pinta.Core/Pinta.Core.csproj"
+      --prefix XDG_DATA_DIRS : "${gtk3}/share/gsettings-schemas/${gtk3.name}"
-      "Pinta.Effects/Pinta.Effects.csproj"
+      --set GDK_PIXBUF_MODULE_FILE ${librsvg}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache
-      "Pinta.Gui.Widgets/Pinta.Gui.Widgets.csproj"
+    )
-      "Pinta.Resources/Pinta.Resources.csproj"
-      "Pinta.Tools/Pinta.Tools.csproj"
-    ];
-    versionedNames = [
-      "Mono\\.Addins"
-      "Mono\\.Posix"
-      "Mono\\.Addins\\.Gui"
-      "Mono\\.Addins\\.Setup"
-    ];
-
-    stripVersion = name: file:
-      let
-        match = ''<Reference Include="${name}([ ,][^"]*)?"'';
-        replace = ''<Reference Include="${name}"'';
-      in
-      "sed -i -re 's/${match}/${replace}/g' ${file}\n";
-
-    # Map all possible pairs of two lists
-    map2 = f: listA: listB: concatMap (a: map (f a) listB) listA;
-    concatMap2Strings = f: listA: listB: concatStrings (map2 f listA listB);
-  in
-  concatMap2Strings stripVersion versionedNames csprojFiles
-  + ''
-    # For some reason there is no Microsoft.Common.tasks file
-    # in ''${mono}/lib/mono/3.5 .
-    substituteInPlace Pinta.Install.proj \
-      --replace 'ToolsVersion="3.5"' 'ToolsVersion="4.0"' \
-      --replace "/usr/local" "$out"
   '';
 
-  makeWrapperArgs = [
-    "--prefix MONO_GAC_PREFIX : ${gtksharp}"
-    "--prefix LD_LIBRARY_PATH : ${gtksharp}/lib"
-    "--prefix LD_LIBRARY_PATH : ${gtksharp.gtk.out}/lib"
-  ];
-
   postInstall = ''
-    # Do automake's job manually
+    # Rename the binary
-    substitute xdg/pinta.desktop.in xdg/pinta.desktop \
+    mv $out/bin/Pinta $out/bin/pinta
+
+    # Copy desktop icons
+    for size in 16x16 22x22 24x24 32x32 96x96 scalable; do
+      mkdir -p $out/share/icons/hicolor/$size/apps
+      cp xdg/$size/* $out/share/icons/hicolor/$size/apps/
+    done
+
+    # Copy runtime icons
+    cp -r Pinta.Resources/icons/hicolor/16x16/* $out/share/icons/hicolor/16x16/
+
+    # Install manpage
+    installManPage xdg/pinta.1
+
+    # Fix and copy desktop file
+    # TODO: fix this propely by using the autoreconf+pkg-config build system
+    # from upstream
+    mkdir -p $out/share/applications
+    substitute xdg/pinta.desktop.in $out/share/applications/Pinta.desktop \
       --replace _Name Name \
       --replace _Comment Comment \
       --replace _GenericName GenericName \
-      --replace _X-GNOME-FullName X-GNOME-FullName
+      --replace _X-GNOME-FullName X-GNOME-FullName \
-    substitute xdg/pinta.appdata.xml.in xdg/pinta.appdata.xml \
+      --replace _Keywords Keywords
-      --replace _p p
-
-    xbuild /target:CompileTranslations Pinta.Install.proj
-    xbuild /target:Install Pinta.Install.proj
   '';
 
   meta = {
     homepage = "https://www.pinta-project.com/";
     description = "Drawing/editing program modeled after Paint.NET";
     license = lib.licenses.mit;
-    maintainers = with lib.maintainers; [ ];
+    maintainers = with lib.maintainers; [ thiagokokada ];
     platforms = with lib.platforms; linux;
+    mainProgram = "pinta";
   };
 }

third_party/nixpkgs/pkgs/applications/graphics/pinta/deps.nix

@@ -0,0 +1,12 @@
+{ fetchNuGet }: [
+  (fetchNuGet { pname = "AtkSharp"; version = "3.24.24.34"; sha256 = "1jn1vgi9xm0jp7769k6sbdi8d273kigjrsh93i6s4c03hqxv7cqs"; })
+  (fetchNuGet { pname = "CairoSharp"; version = "3.24.24.34"; sha256 = "0pydn1k0cam1gclg9sc1sbnmbyzh28qlc5qanyxcylwghink3kgz"; })
+  (fetchNuGet { pname = "GdkSharp"; version = "3.24.24.34"; sha256 = "0r0x0yib7chwsyrbpvicrfwldwqx5lyqq4p86zaxpmzd6zdaj0x5"; })
+  (fetchNuGet { pname = "GioSharp"; version = "3.24.24.34"; sha256 = "02hxvgjd4w9jpzbkk7qf9q9bkvyp5hfzwxfqp10vg5lpl9yl3xpx"; })
+  (fetchNuGet { pname = "GLibSharp"; version = "3.24.24.34"; sha256 = "0kvp033fgdwc8p2abfp5z9pzq66cvwbnjfvr4v4bkpy5s5h181kq"; })
+  (fetchNuGet { pname = "GtkSharp"; version = "3.24.24.34"; sha256 = "0028hzmmqyfx87qqmaf9cgb5psn7gkbmqvixcid67x1d6mzxjicb"; })
+  (fetchNuGet { pname = "NGettext"; version = "0.6.7"; sha256 = "1lnq1lgd80xqn80qwq5ipfjnd7nl1ghinjc3krnd546r0c7hwqky"; })
+  (fetchNuGet { pname = "PangoSharp"; version = "3.24.24.34"; sha256 = "1r0h14cklglfpv1lhv93cxmzi2w7d5s03gzpq3j5dmrz43flg9zw"; })
+  (fetchNuGet { pname = "ParagonClipper"; version = "6.4.2"; sha256 = "0pam44f7iayqjz8nh1x29gxdd4dj00i7m5883cpa64i192pgl94c"; })
+  (fetchNuGet { pname = "SharpZipLib"; version = "1.3.3"; sha256 = "1gij11wfj1mqm10631cjpnhzw882bnzx699jzwhdqakxm1610q8x"; })
+]

third_party/nixpkgs/pkgs/applications/misc/copyq/default.nix

@@ -17,13 +17,13 @@
 
 mkDerivation rec {
   pname = "CopyQ";
-  version = "4.1.0";
+  version = "6.0.1";
 
   src = fetchFromGitHub {
     owner = "hluk";
     repo = "CopyQ";
     rev = "v${version}";
-    sha256 = "1iacnd9dn0mrajff80r2g5nlks5sch9lmpl633mnyqmih9dwx2li";
+    sha256 = "sha256-edrRgnjbszqJLbGLE4anCJSGApymvK0O+2ks5jWe8aw=";
   };
 
   nativeBuildInputs = [
@@ -42,15 +42,6 @@ mkDerivation rec {
     wayland
   ];
 
-  patches = [
-    # Install the bash completion script correctly
-    # Remove once 4.1.1 is released
-    (fetchpatch {
-      url = "https://github.com/hluk/CopyQ/commit/aca7222ec28589af0b08f63686104b992d63ee42.patch";
-      sha256 = "0d440d0zsdzm9cd0b6c42y9qbrvxg7gdam0qmif62mr8qa0ylidl";
-    })
-  ];
-
   postPatch = ''
     substituteInPlace shared/com.github.hluk.copyq.desktop.in \
       --replace copyq "$out/bin/copyq"

third_party/nixpkgs/pkgs/applications/misc/free42/default.nix

@@ -10,17 +10,24 @@
 
 stdenv.mkDerivation rec {
   pname = "free42";
-  version = "3.0.8";
+  version = "3.0.9";
 
   src = fetchFromGitHub {
     owner = "thomasokken";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-nZCuFumAyeUxRmmtd6/qvXk3LVZgbDhlsDygXMWDfp0=";
+    hash = "sha256-ZSwqgHsfe9apyYZ1fkvDMnQxdNb9E8U1l9jvC9t693w=";
   };
 
-  nativeBuildInputs = [ copyDesktopItems pkg-config ];
+  nativeBuildInputs = [
-  buildInputs = [ gtk3 alsa-lib ];
+    copyDesktopItems
+    pkg-config
+  ];
+
+  buildInputs = [
+    alsa-lib
+    gtk3
+  ];
 
   postPatch = ''
     sed -i -e "s|/bin/ls|ls|" gtk/Makefile
@@ -30,23 +37,24 @@ stdenv.mkDerivation rec {
 
   buildPhase = ''
     runHook preBuild
+
     make -C gtk cleaner
     make --jobs=$NIX_BUILD_CORES -C gtk
     make -C gtk clean
     make --jobs=$NIX_BUILD_CORES -C gtk BCD_MATH=1
+
     runHook postBuild
   '';
 
-  preInstall = ''
+  installPhase = ''
+    runHook preInstall
+
     install --directory $out/bin \
                         $out/share/doc/${pname} \
                         $out/share/${pname}/skins \
                         $out/share/icons/hicolor/48x48/apps \
                         $out/share/icons/hicolor/128x128/apps
-  '';
 
-  installPhase = ''
-    runHook preInstall
     install -m755 gtk/free42dec gtk/free42bin $out/bin
     install -m644 gtk/README $out/share/doc/${pname}/README-GTK
     install -m644 README $out/share/doc/${pname}/README
@@ -54,6 +62,7 @@ stdenv.mkDerivation rec {
     install -m644 gtk/icon-48x48.xpm $out/share/icons/hicolor/48x48/apps
     install -m644 gtk/icon-128x128.xpm $out/share/icons/hicolor/128x128/apps
     install -m644 skins/* $out/share/${pname}/skins
+
     runHook postInstall
   '';
 

third_party/nixpkgs/pkgs/applications/misc/gpxsee/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "gpxsee";
-  version = "10.0";
+  version = "10.1";
 
   src = fetchFromGitHub {
     owner = "tumic0";
     repo = "GPXSee";
     rev = version;
-    sha256 = "sha256-XACexj91TLd/i2GoFr0zZ3Yqcg+KjKoWWPfCGsEIR04=";
+    sha256 = "sha256-tU37dKBxzz+sxe4R7xbscpD28if8QOm6xpZEOdhK8lE=";
   };
 
   patches = (substituteAll {

third_party/nixpkgs/pkgs/applications/misc/hugo/default.nix

@@ -11,11 +11,11 @@ buildGoModule rec {
     sha256 = "sha256-6bqtw0hUrRBhTwEDURaTjgl3aVVCbfxjoPRfhSd3LK8=";
   };
 
-  vendorSha256 = "sha256-CO+7WgoTsFCd9vkcALKcJP6Kj3CIWr5FF75/WgbK04g=";
+  vendorSha256 = "sha256-M4pKAxNd8rqluVm+c+X+nxC/vcaVclebo9HP17yEpfo=";
 
   doCheck = false;
 
-  runVend = true;
+  proxyVendor = true;
 
   tags = [ "extended" ];
 

third_party/nixpkgs/pkgs/applications/misc/mdzk/default.nix

@@ -2,16 +2,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "mdzk";
-  version = "0.4.3";
+  version = "0.5.0";
 
   src = fetchFromGitHub {
     owner = "mdzk-rs";
     repo = "mdzk";
     rev = version;
-    sha256 = "sha256-VUvV1XA9Bd3ugYHcKOcAQLUt0etxS/Cw2EgnFGxX0z0=";
+    sha256 = "sha256-NkoKQKcww5ktEbxbOY6WP8OemCB+rvXbuN9oSPjLE3Y=";
   };
 
-  cargoSha256 = "sha256-lZ4fc/94ESlhpfa5ylg45oZNeaF1mZPxQUSLZrl2V3o=";
+  cargoSha256 = "sha256-uJ00tGiKtcYghFUh0fcYg4nZc/o8yhvlVs+6/aRNY5s=";
 
   buildInputs = lib.optionals stdenv.isDarwin [ CoreServices ];
 

third_party/nixpkgs/pkgs/applications/misc/minigalaxy/default.nix

@@ -0,0 +1,76 @@
+{ lib
+, fetchFromGitHub
+, docutils
+, gettext
+, glibcLocales
+, glib-networking
+, gobject-introspection
+, gtk3
+, python3
+, python3Packages
+, steam-run-native
+, unzip
+, webkitgtk
+, wrapGAppsHook
+}:
+
+python3Packages.buildPythonApplication rec {
+  pname = "minigalaxy";
+  version = "1.1.0";
+
+  src = fetchFromGitHub {
+    owner = "sharkwouter";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-BbtwLuG5TH/+06Ez8+mwSAjG1IWg9/3uxzjmgPHczAw=";
+  };
+
+  checkPhase = ''
+    runHook preCheck
+    env HOME=$PWD LC_ALL=en_US.UTF-8 pytest
+    runHook postCheck
+  '';
+
+  nativeBuildInputs = [
+    gettext
+    wrapGAppsHook
+  ];
+
+  buildInputs = [
+    glib-networking
+    gobject-introspection
+    gtk3
+  ];
+
+  checkInputs = with python3Packages; [
+    glibcLocales
+    pytest
+    tox
+  ];
+
+  pythonPath = [
+    docutils
+    python3.pkgs.pygobject3
+    python3.pkgs.requests
+    python3.pkgs.setuptools
+    python3.pkgs.simplejson
+    steam-run-native
+    unzip
+    webkitgtk
+  ];
+
+  # Run Linux games using the Steam Runtime by using steam-run in the wrapper
+  postFixup = ''
+    sed -e 's#exec -a "$0"#exec -a "$0" ${steam-run-native}/bin/steam-run#' -i $out/bin/minigalaxy
+  '';
+
+  meta = with lib; {
+    homepage = "https://sharkwouter.github.io/minigalaxy/";
+    changelog = "https://github.com/sharkwouter/minigalaxy/blob/${version}/CHANGELOG.md";
+    downloadPage = "https://github.com/sharkwouter/minigalaxy/releases";
+    description = "A simple GOG client for Linux";
+    license = licenses.gpl3;
+    maintainers = with maintainers; [ srapenne ];
+    platforms = platforms.linux;
+  };
+}

third_party/nixpkgs/pkgs/applications/misc/mob/default.nix

@@ -1,9 +1,15 @@
-{ lib, buildGoPackage, fetchFromGitHub}:
+{ lib
+, buildGoPackage
+, fetchFromGitHub
+
+, withSpeech ? true
+, makeWrapper
+, espeak-ng
+}:
 
 buildGoPackage rec {
   pname = "mob";
   version = "2.1.0";
-  goPackagePath = "github.com/remotemobprogramming/mob";
 
   src = fetchFromGitHub {
     rev = "v${version}";
@@ -12,11 +18,22 @@ buildGoPackage rec {
     sha256 = "sha256-K8ID8cetzCaMc/PVRNMyIhrshtEUiD6U/jI4e0TcOO4=";
   };
 
+  nativeBuildInputs = [
+    makeWrapper
+  ];
+
+  goPackagePath = "github.com/remotemobprogramming/mob";
+
+  preFixup = lib.optionalString withSpeech ''
+    wrapProgram $out/bin/mob \
+      --set MOB_VOICE_COMMAND "${lib.getBin espeak-ng}/bin/espeak"
+  '';
+
   meta = with lib; {
-    description = "Tool for swift git handover";
+    description = "Tool for smooth git handover";
     homepage = "https://github.com/remotemobprogramming/mob";
     license = licenses.mit;
-    maintainers = [ maintainers.ericdallo ];
+    maintainers = with maintainers; [ ericdallo ];
     platforms = platforms.linux ++ platforms.darwin;
   };
 }

third_party/nixpkgs/pkgs/applications/misc/prusa-slicer/super-slicer.nix

@@ -5,8 +5,8 @@ let
   description = "PrusaSlicer fork with more features and faster development cycle";
 
   versions = {
-    stable = { version = "2.3.57.8"; sha256 = "sha256-k1G9sFukYyCqVeJIbYgjJX9T8zqmFTmjmj9OXZ78+LY="; };
+    stable = { version = "2.3.57.9"; sha256 = "sha256-JWZ6PdzKwxdyp7StYuW69XGbTPoxaIJ2R4Ynmc65hvE="; };
-    latest = { version = "2.3.57.8"; sha256 = "sha256-k1G9sFukYyCqVeJIbYgjJX9T8zqmFTmjmj9OXZ78+LY="; };
+    latest = { version = "2.3.57.9"; sha256 = "sha256-JWZ6PdzKwxdyp7StYuW69XGbTPoxaIJ2R4Ynmc65hvE="; };
   };
 
   override = { version, sha256 }: super: {

third_party/nixpkgs/pkgs/applications/misc/sigi/default.nix

@@ -0,0 +1,24 @@
+{ lib, rustPlatform, fetchFromGitHub, testVersion, sigi }:
+
+rustPlatform.buildRustPackage rec {
+  pname = "sigi";
+  version = "2.1.1";
+
+  src = fetchFromGitHub {
+    owner = "hiljusti";
+    repo = pname;
+    rev = "v${version}";
+    sha256 = "sha256-y0m1AQE5qoUfPZjJfo7w5h+zZ1pbz8FkLFDM13MTWvQ=";
+  };
+
+  cargoSha256 = "sha256-NTjL57Y1Uzk5F34BW3lB3xUpD60Opt0fGWuXHQU5L3g=";
+
+  passthru.tests.version = testVersion { package = sigi; };
+
+  meta = with lib; {
+    description = "CLI tool for organization and planning";
+    homepage = "https://github.com/hiljusti/sigi";
+    license = licenses.gpl3;
+    maintainers = with maintainers; [ hiljusti ];
+  };
+}

third_party/nixpkgs/pkgs/applications/misc/smos/default.nix

@@ -1,27 +0,0 @@
-{ lib, stdenv
-, fetchurl
-, unzip
-}:
-
-stdenv.mkDerivation rec {
-  pname = "smos";
-  version = "0.1.0";
-
-  src = fetchurl {
-    url = "https://github.com/NorfairKing/smos/releases/download/v${version}/smos-release.zip";
-    sha256 = "sha256:07yavk7xl92yjwwjdig90yq421n8ldv4fjfw7izd4hfpzw849a12";
-  };
-
-  dontInstall = true;
-
-  unpackCmd = "${unzip}/bin/unzip -d $out $curSrc";
-  sourceRoot = ".";
-
-  meta = with lib; {
-    description = "A comprehensive self-management system";
-    homepage = "https://smos.online";
-    license = licenses.mit;
-    maintainers = with maintainers; [ norfair ];
-    platforms = platforms.linux ++ platforms.darwin;
-  };
-}

third_party/nixpkgs/pkgs/applications/misc/sqliteman/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, cmake, qt4, qscintilla }:
+{ lib, stdenv, fetchFromGitHub, cmake, qt4, qscintilla-qt4 }:
 
 stdenv.mkDerivation rec {
   pname = "sqliteman";
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
   };
 
   nativeBuildInputs = [ cmake ];
-  buildInputs = [ qt4 qscintilla ];
+  buildInputs = [ qt4 qscintilla-qt4 ];
 
   prePatch = ''
     sed -i 's,m_file(0),m_file(QString()),' Sqliteman/sqliteman/main.cpp
@@ -20,8 +20,8 @@ stdenv.mkDerivation rec {
 
   preConfigure = ''
     cd Sqliteman
-    sed -i 's,/usr/include/Qsci,${qscintilla}/include/Qsci,' cmake/modules/FindQScintilla.cmake
+    sed -i 's,/usr/include/Qsci,${qscintilla-qt4}/include/Qsci,' cmake/modules/FindQScintilla.cmake
-    sed -i 's,PATHS ''${QT_LIBRARY_DIR},PATHS ${qscintilla}/libs,' cmake/modules/FindQScintilla.cmake
+    sed -i 's,PATHS ''${QT_LIBRARY_DIR},PATHS ${qscintilla-qt4}/libs,' cmake/modules/FindQScintilla.cmake
   '';
 
   meta = with lib; {

third_party/nixpkgs/pkgs/applications/misc/udevil/default.nix

@@ -1,4 +1,13 @@
-{ lib, stdenv, fetchFromGitHub, intltool, glib, pkg-config, udev, util-linux, acl }:
+{ lib
+, stdenv
+, fetchFromGitHub
+, acl
+, glib
+, intltool
+, pkg-config
+, udev
+, util-linux
+}:
 
 stdenv.mkDerivation rec {
   pname = "udevil";
@@ -13,32 +22,41 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ pkg-config ];
 
-  buildInputs = [ intltool glib udev ];
+  buildInputs = [
+    glib
+    intltool
+    udev
+  ];
 
-  configurePhase = ''
+  preConfigure = ''
     substituteInPlace src/Makefile.in --replace "-o root -g root" ""
     # do not set setuid bit in nix store
     substituteInPlace src/Makefile.in --replace 4755 0755
-    ./configure \
-      --prefix=$out \
-      --with-mount-prog=${util-linux}/bin/mount \
-      --with-umount-prog=${util-linux}/bin/umount \
-      --with-losetup-prog=${util-linux}/bin/losetup \
-      --with-setfacl-prog=${acl.bin}/bin/setfacl \
-      --sysconfdir=$prefix/etc
   '';
 
+  configureFlags = [
+    "--with-mount-prog=${util-linux}/bin/mount"
+    "--with-umount-prog=${util-linux}/bin/umount"
+    "--with-losetup-prog=${util-linux}/bin/losetup"
+    "--with-setfacl-prog=${acl.bin}/bin/setfacl"
+    "--sysconfdir=${placeholder "out"}/etc"
+  ];
+
   postInstall = ''
     substituteInPlace $out/lib/systemd/system/devmon@.service \
       --replace /usr/bin/devmon "$out/bin/devmon"
   '';
 
-  patches = [ ./device-info-sys-stat.patch ];
+  patches = [
+    # sys/stat.h header missing on src/device-info.h
+    ./device-info-sys-stat.patch
+  ];
 
   meta = with lib; {
-    description = "A command line Linux program which mounts and unmounts removable devices without a password, shows device info, and monitors device changes";
     homepage = "https://ignorantguru.github.io/udevil/";
-    platforms = platforms.linux;
+    description = "Mount without password";
     license = licenses.gpl3Plus;
+    maintainers = with maintainers; [ AndersonTorres ];
+    platforms = platforms.linux;
   };
 }

third_party/nixpkgs/pkgs/applications/misc/udiskie/default.nix

@@ -1,7 +1,7 @@
 { lib
 , fetchFromGitHub
-, asciidoc-full
 , buildPythonApplication
+, asciidoc-full
 , docopt
 , gettext
 , gobject-introspection
@@ -19,15 +19,17 @@
 
 buildPythonApplication rec {
   pname = "udiskie";
-  version = "2.3.3";
+  version = "2.4.0";
 
   src = fetchFromGitHub {
     owner = "coldfix";
     repo = "udiskie";
     rev = "v${version}";
-    hash = "sha256-OeNAcL7jd8GiPVUGxWwX4N/G/jzxfyifaoSD/hXXwyM=";
+    hash = "sha256-T4kMPMXfehZT7P+TOd1llR2TbHPA/quNL545xxlmJfE=";
   };
 
+  outputs = [ "out" "man" ];
+
   nativeBuildInputs = [
     asciidoc-full # Man page
     gettext
@@ -40,7 +42,7 @@ buildPythonApplication rec {
     gtk3
     libappindicator-gtk3
     libnotify
-    librsvg # Because it uses SVG icons
+    librsvg # SVG icons
     udisks2
   ];
 
@@ -50,11 +52,13 @@ buildPythonApplication rec {
     pyyaml
   ];
 
-  postBuild = "make -C doc";
+  postBuild = ''
+    make -C doc
+  '';
 
   postInstall = ''
-    mkdir -p $out/share/man/man8
+    mkdir -p $man/share/man/man8
-    cp -v doc/udiskie.8 $out/share/man/man8/
+    cp -v doc/udiskie.8 $man/share/man/man8/
   '';
 
   checkInputs = [

third_party/nixpkgs/pkgs/applications/networking/browsers/chromium/common.nix

@@ -161,6 +161,18 @@ let
       ./patches/no-build-timestamps.patch
       # For bundling Widevine (DRM), might be replaceable via bundle_widevine_cdm=true in gnFlags:
       ./patches/widevine-79.patch
+    ] ++ lib.optionals (versionRange "98" "99") [
+      # A critical Ozone/Wayland fix:
+      (githubPatch {
+        # [linux/wayland] Fixed terminate caused by binding to wrong version.
+        commit = "dd4c3ddadbb9869f59cee201a38e9ca3b9154f4d";
+        sha256 = "sha256-FH7lBQTruMzkBT2XQ+kgADmJA0AxJfaV/gvtoqfQ4a4=";
+      })
+      (githubPatch {
+        # [linux/wayland] Fixed terminate caused by binding to wrong version. (fixup)
+        commit = "a84b79daa8897b822336b8f348ef4daaae07af37";
+        sha256 = "sha256-2x6/rGGzTC6lKLMkVyD9RNCTsMVrtRQyr/NjSpaj2is=";
+      })
     ];
 
     postPatch = ''

third_party/nixpkgs/pkgs/applications/networking/browsers/chromium/upstream-info.json

@@ -1,21 +1,21 @@
 {
   "stable": {
-    "version": "96.0.4664.110",
+    "version": "97.0.4692.71",
-    "sha256": "1s3ilq0ik36qgqp7l88gfd1yx97zscn8yr2kprsrjfp9q8lrva9n",
+    "sha256": "0z7ximvm4a78kxyp4j0i2jzklxazpw6jcqi9jkaf8bvq9ga8kqca",
-    "sha256bin64": "17cyj1jx47fz6y26f196xhlngrw5gnjgcvapvgkgswlwd7y67jcb",
+    "sha256bin64": "1z1d50i5pvqaw6hjdxwasbznzgqwrnd1z8jmy2x05b6i49vd7r9j",
     "deps": {
       "gn": {
-        "version": "2021-09-24",
+        "version": "2021-11-03",
         "url": "https://gn.googlesource.com/gn",
-        "rev": "0153d369bbccc908f4da4993b1ba82728055926a",
+        "rev": "90294ccdcf9334ed25a76ac9b67689468e506342",
-        "sha256": "0y4414h8jqsbz5af6pn91c0vkfp4s281s85g992xfyl785c5zbsi"
+        "sha256": "0n0jml8s00ayy186jzrf207hbz70pxiq426znxwxd4gjcp60scsa"
       }
     },
     "chromedriver": {
-      "version": "96.0.4664.45",
+      "version": "97.0.4692.36",
-      "sha256_linux": "15wybxlh38sw7f2bzalf9ivfp8262cpcvhq08nw9d2cj3j39f13m",
+      "sha256_linux": "11x28m31bsfq1flqrsa5mawss39kznia2ig5ams5qkm2v5p3y39d",
-      "sha256_darwin": "0r3b8wgbd8xjb09f4vc402gp77y2aqjk9hpqvvr6xgdr7nqym20f",
+      "sha256_darwin": "1ysnfvj0795yc3g8sbz7g9mhc5j0sxm2r3ad2fh13sarnhn6wrs4",
-      "sha256_darwin_aarch64": "1yynw8ngs2655blnf1s6r9flbxlwgaybdvgl6r6h7ppl974dl7rm"
+      "sha256_darwin_aarch64": "09m1qpk6901gqs4c7isgryffhb92szfzbxfybxhn2g5i4wrns6j7"
     }
   },
   "beta": {