Merge pull request NixOS#257792 from NixOS/staging-next

staging-next 2023-09-28

maintainers/team-list.nix

@@ -350,6 +350,7 @@ with lib.maintainers; {
       mic92
       zowoq
       qbit
+      mfrw
     ];
     githubTeams = [
       "golang"

nixos/doc/manual/development/settings-options.section.md

@@ -58,7 +58,7 @@ have a predefined type and string generator already declared under
     and returning a set with YAML-specific attributes `type` and
     `generate` as specified [below](#pkgs-formats-result).
 
-`pkgs.formats.ini` { *`listsAsDuplicateKeys`* ? false, *`listToValue`* ? null, \... }
+`pkgs.formats.ini` { *`listsAsDuplicateKeys`* ? false, *`listToValue`* ? null, \.\.\. }
 
 :   A function taking an attribute set with values
 

nixos/doc/manual/release-notes/rl-1509.section.md

@@ -2,7 +2,7 @@
 
 In addition to numerous new and upgraded packages, this release has the following highlights:
 
-- The [Haskell](http://haskell.org/) packages infrastructure has been re-designed from the ground up ("Haskell NG"). NixOS now distributes the latest version of every single package registered on [Hackage](http://hackage.haskell.org/) \-- well in excess of 8,000 Haskell packages. Detailed instructions on how to use that infrastructure can be found in the [User's Guide to the Haskell Infrastructure](https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure). Users migrating from an earlier release may find helpful information below, in the list of backwards-incompatible changes. Furthermore, we distribute 51(!) additional Haskell package sets that provide every single [LTS Haskell](http://www.stackage.org/) release since version 0.0 as well as the most recent [Stackage Nightly](http://www.stackage.org/) snapshot. The announcement ["Full Stackage Support in Nixpkgs"](https://nixos.org/nix-dev/2015-September/018138.html) gives additional details.
+- The [Haskell](http://haskell.org/) packages infrastructure has been re-designed from the ground up ("Haskell NG"). NixOS now distributes the latest version of every single package registered on [Hackage](http://hackage.haskell.org/) -- well in excess of 8,000 Haskell packages. Detailed instructions on how to use that infrastructure can be found in the [User's Guide to the Haskell Infrastructure](https://nixos.org/nixpkgs/manual/#users-guide-to-the-haskell-infrastructure). Users migrating from an earlier release may find helpful information below, in the list of backwards-incompatible changes. Furthermore, we distribute 51(!) additional Haskell package sets that provide every single [LTS Haskell](http://www.stackage.org/) release since version 0.0 as well as the most recent [Stackage Nightly](http://www.stackage.org/) snapshot. The announcement ["Full Stackage Support in Nixpkgs"](https://nixos.org/nix-dev/2015-September/018138.html) gives additional details.
 
 - Nix has been updated to version 1.10, which among other improvements enables cryptographic signatures on binary caches for improved security.
 
@@ -178,7 +178,7 @@ The new option `system.stateVersion` ensures that certain configuration changes
 
 - Nix now requires binary caches to be cryptographically signed. If you have unsigned binary caches that you want to continue to use, you should set `nix.requireSignedBinaryCaches = false`.
 
-- Steam now doesn't need root rights to work. Instead of using `*-steam-chrootenv`, you should now just run `steam`. `steamChrootEnv` package was renamed to `steam`, and old `steam` package \-- to `steamOriginal`.
+- Steam now doesn't need root rights to work. Instead of using `*-steam-chrootenv`, you should now just run `steam`. `steamChrootEnv` package was renamed to `steam`, and old `steam` package -- to `steamOriginal`.
 
 - CMPlayer has been renamed to bomi upstream. Package `cmplayer` was accordingly renamed to `bomi`
 

nixos/doc/manual/release-notes/rl-2311.section.md

@@ -4,6 +4,8 @@
 
 - FoundationDB now defaults to major version 7.
 
+- PostgreSQL now defaults to major version 15.
+
 - Support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK was enabled in the `hostapd` package, along with a significant rework of the hostapd module.
 
 - LXD now supports virtual machine instances to complement the existing container support
@@ -24,6 +26,8 @@
   - `root` and `wheel` are not given the ability to set (or preserve)
     arbitrary environment variables.
 
+- [glibc](https://www.gnu.org/software/libc/) has been updated from version 2.37 to 2.38, see [the release notes](https://sourceware.org/glibc/wiki/Release/2.38) for what was changed.
+
 [`sudo-rs`]: https://github.com/memorysafety/sudo-rs/
 
 - All [ROCm](https://rocm.docs.amd.com/en/latest/) packages have been updated to 5.7.0.
@@ -444,6 +448,8 @@ The module update takes care of the new config syntax and the data itself (user
 
   If you use this feature, updates to CoreDNS may require updating `vendorHash` by following these steps again.
 
+- `ffmpeg` default upgraded from `ffmpeg_5` to `ffmpeg_6`.
+
 - `fusuma` now enables the following plugins: [appmatcher](https://github.com/iberianpig/fusuma-plugin-appmatcher), [keypress](https://github.com/iberianpig/fusuma-plugin-keypress), [sendkey](https://github.com/iberianpig/fusuma-plugin-sendkey), [tap](https://github.com/iberianpig/fusuma-plugin-tap) and [wmctrl](https://github.com/iberianpig/fusuma-plugin-wmctrl).
 
 ## Nixpkgs internals {#sec-release-23.11-nixpkgs-internals}

nixos/modules/services/databases/postgresql.nix

@@ -458,7 +458,8 @@ in
 
     services.postgresql.package = let
         mkThrow = ver: throw "postgresql_${ver} was removed, please upgrade your postgresql version.";
-        base = if versionAtLeast config.system.stateVersion "22.05" then pkgs.postgresql_14
+        base = if versionAtLeast config.system.stateVersion "23.11" then pkgs.postgresql_15
+            else if versionAtLeast config.system.stateVersion "22.05" then pkgs.postgresql_14
             else if versionAtLeast config.system.stateVersion "21.11" then pkgs.postgresql_13
             else if versionAtLeast config.system.stateVersion "20.03" then pkgs.postgresql_11
             else if versionAtLeast config.system.stateVersion "17.09" then mkThrow "9_6"

nixos/modules/services/mail/mailman.nix

@@ -592,7 +592,7 @@ in {
           # Since the mailman-web settings.py obstinately creates a logs
           # dir in the cwd, change to the (writable) runtime directory before
           # starting uwsgi.
-          ExecStart = "${pkgs.coreutils}/bin/env -C $RUNTIME_DIRECTORY ${pkgs.uwsgi.override { plugins = ["python3"]; }}/bin/uwsgi --json ${uwsgiConfigFile}";
+          ExecStart = "${pkgs.coreutils}/bin/env -C $RUNTIME_DIRECTORY ${pkgs.uwsgi.override { plugins = ["python3"]; python3 = webEnv.python; }}/bin/uwsgi --json ${uwsgiConfigFile}";
           User = cfg.webUser;
           Group = "mailman";
           RuntimeDirectory = "mailman-uwsgi";

nixos/tests/systemd.nix

@@ -76,6 +76,17 @@ import ./make-test-python.nix ({ pkgs, ... }: {
     # wait for user services
     machine.wait_for_unit("default.target", "alice")
 
+    with subtest("systemctl edit suggests --runtime"):
+        # --runtime is suggested when using `systemctl edit`
+        ret, out = machine.execute("systemctl edit testservice1.service 2>&1")
+        assert ret == 1
+        assert out.rstrip("\n") == "The unit-directory '/etc/systemd/system' is read-only on NixOS, so it's not possible to edit system-units directly. Use 'systemctl edit --runtime' instead."
+        # editing w/o `--runtime` is possible for user-services, however
+        # it's not possible because we're not in a tty when grepping
+        # (i.e. hacky way to ensure that the error from above doesn't appear here).
+        _, out = machine.execute("systemctl --user edit testservice2.service 2>&1")
+        assert out.rstrip("\n") == "Cannot edit units if not on a tty."
+
     # Regression test for https://github.com/NixOS/nixpkgs/issues/105049
     with subtest("systemd reads timezone database in /etc/zoneinfo"):
         timer = machine.succeed("TZ=UTC systemctl show --property=TimersCalendar oncalendar-test.timer")

pkgs/applications/audio/ams-lv2/default.nix

@@ -15,6 +15,12 @@ stdenv.mkDerivation  rec {
   nativeBuildInputs = [ pkg-config wafHook python3 ];
   buildInputs = [ cairo fftw gtkmm2 lv2 lvtk ];
 
+  postPatch = ''
+    # U was removed in python 3.11 because it had no effect
+    substituteInPlace waflib/*.py \
+      --replace "m='rU" "m='r"
+  '';
+
   meta = with lib; {
     description = "An LV2 port of the internal modules found in Alsa Modular Synth";
     homepage = "https://github.com/blablack/ams-lv2";

pkgs/applications/audio/mamba/default.nix

@@ -37,5 +37,8 @@ stdenv.mkDerivation rec {
     license = licenses.bsd0;
     maintainers = with maintainers; [ magnetophon orivej ];
     platforms = platforms.linux;
+    # 2023-08-19, `-Werror=format-security` fails for xputty
+    # reported as https://github.com/brummer10/libxputty/issues/12
+    broken = true;
   };
 }

pkgs/applications/audio/mbrola/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, stdenvNoCC, lib, symlinkJoin, fetchFromGitHub }:
+{ stdenv, lib, fetchFromGitHub, runCommandLocal }:
 
 let
   pname = "mbrola";
@@ -12,26 +12,14 @@ let
     homepage = "https://github.com/numediart/MBROLA";
   };
 
-  voices = stdenvNoCC.mkDerivation {
-    pname = "${pname}-voices";
-    inherit version;
-
-    src = fetchFromGitHub {
-      owner = "numediart";
-      repo = "MBROLA-voices";
-      rev = "fe05a0ccef6a941207fd6aaad0b31294a1f93a51";  # using latest commit
-      sha256 = "1w0y2xjp9rndwdjagp2wxh656mdm3d6w9cs411g27rjyfy1205a0";
-    };
-
-    dontBuild = true;
-    installPhase = ''
-      runHook preInstall
-      install -d $out/share/mbrola/voices
-      cp -R $src/data/* $out/share/mbrola/voices/
-      runHook postInstall
-    '';
-    dontFixup = true;
+  # Very big (0.65 G) so kept as a fixed-output derivation to limit "duplicates".
+  voices = fetchFromGitHub {
+    owner = "numediart";
+    repo = "MBROLA-voices";
+    rev = "fe05a0ccef6a941207fd6aaad0b31294a1f93a51";  # using latest commit
+    sha256 = "1w0y2xjp9rndwdjagp2wxh656mdm3d6w9cs411g27rjyfy1205a0";
 
+    name = "${pname}-voices-${version}";
     meta = meta // {
       description = "Speech synthesizer based on the concatenation of diphones (voice files)";
       homepage = "https://github.com/numediart/MBROLA-voices";
@@ -65,8 +53,14 @@ let
   };
 
 in
-symlinkJoin {
-  inherit pname version meta;
-  name = "${pname}-${version}";
-  paths = [ bin voices ];
-}
+  runCommandLocal
+    "${pname}-${version}"
+    {
+      inherit pname version meta;
+    }
+    ''
+      mkdir -p "$out/share/mbrola"
+      ln -s '${voices}/data' "$out/share/mbrola/voices"
+      ln -s '${bin}/bin' "$out/"
+    ''
+

pkgs/applications/blockchains/atomic-swap/default.nix

@@ -1,7 +1,9 @@
-{ lib, buildGoModule, fetchFromGitHub, nix-update-script, makeWrapper, monero-cli }:
+{ lib, buildGo120Module, fetchFromGitHub, nix-update-script, makeWrapper, monero-cli }:
+
 let
   pname = "atomic-swap";
   version = "0.4.2";
+  buildGoModule = buildGo120Module;
 in
 buildGoModule {
   inherit pname version;

pkgs/applications/misc/haxor-news/default.nix

@@ -1,4 +1,4 @@
-{ lib, fetchFromGitHub, python3 }:
+{ lib, fetchFromGitHub, fetchPypi, python3 }:
 
 
 let
@@ -18,7 +18,8 @@ let
       # Use click 7
       click = super.click.overridePythonAttrs (old: rec {
         version = "7.1.2";
-        src = old.src.override {
+        src = fetchPypi {
+          pname = "click";
           inherit version;
           hash = "sha256-0rUlXHxjSbwb0eWeCM0SrLvWPOZJ8liHVXg6qU37axo=";
         };

pkgs/applications/networking/instant-messengers/matrix-dl/default.nix

@@ -1,8 +1,12 @@
-{ lib, python3Packages, fetchFromGitHub }:
+{ lib
+, python3Packages
+, fetchFromGitHub
+}:
 
 python3Packages.buildPythonApplication rec {
   pname = "matrix-dl";
   version = "unstable-2020-07-14";
+  format = "pyproject";
 
   src = fetchFromGitHub {
     owner = "rubo77";
@@ -11,6 +15,10 @@ python3Packages.buildPythonApplication rec {
     sha256 = "1l8nh8z7kz24v0wcy3ll3w6in2yxwa1yz8lyc3x0blz37d8ss4ql";
   };
 
+  nativeBuildInputs = with python3Packages; [
+    setuptools
+  ];
+
   propagatedBuildInputs = with python3Packages; [
     matrix-client
   ];

pkgs/applications/networking/remote/freerdp/default.nix

@@ -8,7 +8,7 @@
 , alsa-lib
 , faac
 , faad2
-, ffmpeg
+, ffmpeg_5 # Depends on deprecated libav features
 , glib
 , openh264
 , openssl
@@ -112,7 +112,7 @@ stdenv.mkDerivation rec {
     cairo
     cups
     faad2
-    ffmpeg
+    ffmpeg_5
     glib
     gst-plugins-base
     gst-plugins-good

pkgs/applications/office/paperless-ngx/default.nix

@@ -1,6 +1,7 @@
 { lib
 , stdenv
 , fetchFromGitHub
+, fetchpatch
 , buildNpmPackage
 , nixosTests
 , gettext
@@ -19,13 +20,13 @@
 }:
 
 let
-  version = "1.17.2";
+  version = "1.17.4";
 
   src = fetchFromGitHub {
     owner = "paperless-ngx";
     repo = "paperless-ngx";
     rev = "refs/tags/v${version}";
-    hash = "sha256-/0Ml3NRTghqNykB1RZfqDW9TtENnSRM7wqG7Vn4Kl04=";
+    hash = "sha256-Kl8AUfHfEiEy40qeDI8x2rxdXcj01mpitw7T/96ibQQ=";
   };
 
   # Use specific package versions required by paperless-ngx
@@ -51,7 +52,7 @@ let
     pname = "paperless-ngx-frontend";
     inherit version src;
 
-    npmDepsHash = "sha256-6EvC9Ka8gl0eRgJtHooB3yQNVGYzuH/WRga4AtzQ0EY=";
+    npmDepsHash = "sha256-5Q9NtIO7k/6AiF9Er10HhmEBFyQOP9CiTkTZglUeChg=";
 
     nativeBuildInputs = [
       python3
@@ -91,6 +92,16 @@ python.pkgs.buildPythonApplication rec {
 
   inherit version src;
 
+  patches = [
+    # https://github.com/paperless-ngx/paperless-ngx/pull/4146
+    (fetchpatch {
+      name = "fix-tests-for-python311.patch";
+      url = "https://github.com/paperless-ngx/paperless-ngx/commit/73f6c0a056e3859061339e295f57213fd4239b2d.patch";
+      hash = "sha256-sZcRug5T4cw5ppKpGYrrfz9RxtYxnkeNOlXcMgdWT0E=";
+    })
+  ];
+
+
   nativeBuildInputs = [
     gettext
   ];

pkgs/applications/radio/direwolf/default.nix

@@ -25,6 +25,8 @@ stdenv.mkDerivation rec {
     sha256 = "0xmz64m02knbrpasfij4rrq53ksxna5idxwgabcw4n2b1ig7pyx5";
   };
 
+  patches = [ ./fix-strlcpy-usage.patch ];
+
   nativeBuildInputs = [ cmake ];
 
   strictDeps = true;

pkgs/applications/radio/direwolf/fix-strlcpy-usage.patch

@@ -0,0 +1,89 @@
+strlcpy is now part of glibc, so there's absolutely no reason for a custom implementation, especially
+one with printf debugging. Hence, removing all of that.
+
+See also https://hydra.nixos.org/build/230546596
+See glibc commit 454a20c8756c9c1d55419153255fc7692b3d2199
+
+diff --git a/external/misc/strlcpy.c b/external/misc/strlcpy.c
+index ff18800..b1cb443 100644
+--- a/external/misc/strlcpy.c
++++ b/external/misc/strlcpy.c
+@@ -56,65 +56,3 @@
+
+ #include "textcolor.h"
+
+-/*
+- * Copy src to string dst of size siz.  At most siz-1 characters
+- * will be copied.  Always NUL terminates (unless siz == 0).
+- * Returns strlen(src); if retval >= siz, truncation occurred.
+- */
+-
+-#if DEBUG_STRL
+-size_t strlcpy_debug(char *__restrict__ dst, const char *__restrict__ src, size_t siz, const char *file, const char *func, int line)
+-#else
+-size_t strlcpy_debug(char *__restrict__ dst, const char *__restrict__ src, size_t siz)
+-#endif
+-{
+-	char *d = dst;
+-	const char *s = src;
+-	size_t n = siz;
+-	size_t retval;
+-
+-#if DEBUG_STRL
+-	if (dst == NULL) {
+-		text_color_set (DW_COLOR_ERROR);
+-		dw_printf ("ERROR: strlcpy dst is NULL.  (%s %s %d)\n", file, func, line);
+-		return (0);
+-	}
+-	if (src == NULL) {
+-		text_color_set (DW_COLOR_ERROR);
+-		dw_printf ("ERROR: strlcpy src is NULL.  (%s %s %d)\n", file, func, line);
+-		return (0);
+-	}
+-	if (siz == 1 || siz == 4) {
+-		text_color_set (DW_COLOR_ERROR);
+-		dw_printf ("Suspicious strlcpy siz.  Is it using sizeof a pointer variable?  (%s %s %d)\n", file, func, line);
+-	}
+-#endif
+-
+-	/* Copy as many bytes as will fit */
+-	if (n != 0 && --n != 0) {
+-		do {
+-			if ((*d++ = *s++) == 0)
+-				break;
+-		} while (--n != 0);
+-	}
+-
+-	/* Not enough room in dst, add NUL and traverse rest of src */
+-	if (n == 0) {
+-		if (siz != 0)
+-			*d = '\0';		/* NUL-terminate dst */
+-		while (*s++)
+-			;
+-	}
+-
+-	retval = s - src - 1;	/* count does not include NUL */
+-
+-#if DEBUG_STRL
+-	if (retval >= siz) {
+-		text_color_set (DW_COLOR_ERROR);
+-		dw_printf ("WARNING: strlcpy result length %d exceeds maximum length %d.  (%s %s %d)\n",
+-				(int)retval, (int)(siz-1), file, func, line);
+-	}
+-#endif
+-	return (retval);
+-}
+-
+diff --git a/src/direwolf.h b/src/direwolf.h
+index efc329b..22eb748 100644
+--- a/src/direwolf.h
++++ b/src/direwolf.h
+@@ -294,7 +294,7 @@ char *strcasestr(const char *S, const char *FIND);
+ #define HAVE_STRLCPY 1
+
+
+-#define DEBUG_STRL 1
++#define DEBUG_STRL 0
+
+ #if DEBUG_STRL
+