Commit
Merge pull request #332764 from NixOS/staging-next
staging-next 2024-08-06
mweinelt authored Aug 14, 2024
2 parents 57d0d4a + 261f1ed commit 9ccfa87
Showing 347 changed files with 10,670 additions and 6,129 deletions.
3 changes: 3 additions & 0 deletions .git-blame-ignore-revs
Expand Up @@ -159,3 +159,6 @@ fbdcdde04a7caa007e825a8b822c75fab9adb2d6

# step-cli: format package.nix with nixfmt (#331629)
fc7a83f8b62e90de5679e993d4d49ca014ea013d

# darwin.stdenv: format with nixfmt-rfc-style (#333962)
93c10ac9e561c6594d3baaeaff2341907390d9b8
1 change: 0 additions & 1 deletion doc/languages-frameworks/python.section.md
Expand Up @@ -477,7 +477,6 @@ are used in [`buildPythonPackage`](#buildpythonpackage-function).
See [example usage](#using-pythonrelaxdepshook).
- `pythonRemoveBinBytecode` to remove bytecode from the `/bin` folder.
- `setuptoolsBuildHook` to build a wheel using `setuptools`.
- `setuptoolsCheckHook` to run tests with `python setup.py test`.
- `sphinxHook` to build documentation and manpages using Sphinx.
- `venvShellHook` to source a Python 3 `venv` at the `venvDir` location. A
`venv` is created if it does not yet exist. `postVenvCreation` can be used to
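Review bot: the bullet for `setuptoolsCheckHook` is dropped from the hook list without any pointer to what replaces it. Since this same commit migrates whipper from `setuptoolsCheckHook` to `pytestCheckHook`, add a short deprecation line here (or in the release notes) telling package authors to move to `pytestCheckHook`; as written, the deletion reads as accidental and leaves packages still using the hook with no documented path.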
18 changes: 18 additions & 0 deletions doc/stdenv/stdenv.chapter.md
Expand Up @@ -1538,6 +1538,16 @@ Adds the `-fPIE` compiler and `-pie` linker options. Position Independent Execut
Static libraries need to be compiled with `-fPIE` so that executables can link them in with the `-pie` linker option.
If the libraries lack `-fPIE`, you will get the error `recompile with -fPIE`.

#### `shadowstack` {#shadowstack}

Adds the `-fcf-protection=return` compiler option. This enables the Shadow Stack feature supported by some newer processors, which maintains a user-inaccessible copy of the program's stack containing only return-addresses. When returning from a function, the processor compares the return-address value on the two stacks and throws an error if they do not match, considering it a sign of corruption and possible tampering. This should significantly increase the difficulty of ROP attacks.

For the Shadow Stack to be enabled at runtime, all code linked into a process must be built with Shadow Stack enabled, so this is probably only useful to enable on a wide scale, so that all of a packages dependencies also have the feature enabled.

This is currently only supported on some newer Intel and AMD processors as part of the Intel CET set of features. However, the generated code should continue to work on older processors which will simply omit any of this checking.

This breaks some code that does advanced stack management or exception handling. If enabling this hardening flag it is important to test the result on a system that has known working and enabled CET support, so that any such breakage can be discovered.

#### `trivialautovarinit` {#trivialautovarinit}

Adds the `-ftrivial-auto-var-init=pattern` compiler option. This causes "trivially-initializable" uninitialized stack variables to be forcibly initialized with a nonzero value that is likely to cause a crash (and therefore be noticed). Uninitialized variables generally take on their values based on fragments of previous program state, and attackers can carefully manipulate that state to craft malicious initial values for these variables.
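Review bot: the `shadowstack` paragraph should make three things explicit that anyone enabling the flag will trip over. First, `-fcf-protection=return` enables only the shadow-stack half of CET; indirect-branch tracking is the separate `-fcf-protection=branch` option, so "the Intel CET set of features" overstates what this flag provides. Second, beyond every linked object being built with the flag, the running kernel and the C library must support user-space shadow stacks, otherwise the feature is silently left off; that is the real reason the last paragraph's advice to test on a system with known-working, enabled CET is the only way to learn whether the hardening is active at all. Third, "throws an error" is vague: a mismatched return address raises a control-protection fault that the process sees as a fatal signal (SIGSEGV on Linux), so the failure mode is a crash, not something the program can catch. Also "a packages dependencies" should read "a package's dependencies".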
Expand All @@ -1554,6 +1564,14 @@ sorry, unimplemented: __builtin_clear_padding not supported for variable length

This flag adds the `-fstack-clash-protection` compiler option, which causes growth of a program's stack to access each successive page in order. This should force the guard page to be accessed and cause an attempt to "jump over" this guard page to crash.

#### `pacret` {#pacret}

This flag adds the `-mbranch-protection=pac-ret` compiler option on aarch64-linux targets. This uses ARM v8.3's Pointer Authentication feature to sign function return pointers before adding them to the stack. The pointer's authenticity is then validated before returning to its destination. This dramatically increases the difficulty of ROP exploitation techniques.

This may cause problems with code that does advanced stack manipulation, and debugging/stack-unwinding tools need to be pac-ret aware to work correctly when these features are in operation.

Pre-ARM v8.3 processors will ignore Pointer Authentication instructions, so code built with this flag will continue to work on older processors, though without any of the intended protections. If enabling this flag, it is recommended to ensure the resultant packages are tested against an ARM v8.3+ linux system with known-working Pointer Authentication support so that any breakage caused by this feature is actually detected.

[^footnote-stdenv-ignored-build-platform]: The build platform is ignored because it is a mere implementation detail of the package satisfying the dependency: As a general programming principle, dependencies are always *specified* as interfaces, not concrete implementation.
[^footnote-stdenv-native-dependencies-in-path]: Currently, this means for native builds all dependencies are put on the `PATH`. But in the future that may not be the case for sake of matching cross: the platforms would be assumed to be unique for native and cross builds alike, so only the `depsBuild*` and `nativeBuildInputs` would be added to the `PATH`.
[^footnote-stdenv-propagated-dependencies]: Nix itself already takes a package’s transitive dependencies into account, but this propagation ensures nixpkgs-specific infrastructure like [setup hooks](#ssec-setup-hooks) also are run as if it were a propagated dependency.
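Review bot: the `pacret` paragraph's backward-compatibility claim needs a qualifier. Older cores ignore these instructions only because the compiler emits the HINT-space encodings (`paciasp`/`autiasp`), which pre-8.3 cores execute as NOPs; the non-HINT forms are undefined there, so the statement holds for `pac-ret` as emitted by GCC and clang but should not be read as a general property of Pointer Authentication. The kernel must also enable pointer authentication for user space so that a signing key is set up, otherwise, as with `shadowstack`, the binary runs unprotected, which is again why the testing advice matters. Finally, `pac-ret` is one value of `-mbranch-protection`; readers looking for the companion BTI mitigation should be told it is a separate value, and that `standard` combines the two. Spelling: "linux system" should be "Linux system".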
9 changes: 9 additions & 0 deletions nixos/doc/manual/release-notes/rl-2411.section.md
Expand Up @@ -10,6 +10,8 @@
This also allows configuring runtime settings of AMDVLK and enabling experimental features.
- The `moonlight-qt` package ([Moonlight game streaming](https://moonlight-stream.org/)) now has HDR support on Linux systems.

- PostgreSQL now defaults to major version 16.

- `authelia` has been upgraded to version 4.38. This version brings several features and improvements which are detailed in the [release blog post](https://www.authelia.com/blog/4.38-release-notes/).
This release also deprecates some configuration keys, which are likely to be removed in future version 5.0, but they are still supported and expected to be working in the current version.

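Review bot: "PostgreSQL now defaults to major version 16" is only true for systems whose `system.stateVersion` is 24.11 or newer; the `postgresql.nix` hunk in this same commit keeps 15 for older state versions. Say so in the release note and link the major-version upgrade procedure, because a reader of this line on an existing system will otherwise expect a 16 data directory and wonder why the service still runs 15.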
Expand Down Expand Up @@ -317,6 +319,8 @@

- The `stackclashprotection` hardening flag has been added, though disabled by default.

- The `pacret` hardening flag has been added, though disabled by default.

- `cargoSha256` in `rustPlatform.buildRustPackage` has been deprecated in favor
of `cargoHash` which supports SRI hashes. See
[buildRustPackage: Compiling Rust applications with Cargo](https://nixos.org/manual/nixpkgs/unstable/#compiling-rust-applications-with-cargo)
Expand All @@ -336,6 +340,9 @@
The derivation now installs "impl" headers selectively instead of by a wildcard.
Use `imgui.src` if you just want to access the unpacked sources.

- Unprivileged access to the kernel syslog via `dmesg` is now restricted by default. Users wanting to keep an
unrestricted access to it can set `boot.kernel.sysctl."kernel.dmesg_restrict" = false`.

- The `i18n.inputMethod` module introduces two new properties:
`enable` and `type`, for declaring whether to enable an alternative input method and defining which input method respectfully. The options available in `type` are the same as the existing `enabled` option. `enabled` is now deprecated, and will be removed in a future release.

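Review bot: the `kernel.dmesg_restrict` entry should tell users what they will see when the change bites: unprivileged `dmesg` fails with "Operation not permitted", and scripts or tests that read the ring buffer as a normal user should be given `CAP_SYSLOG` or moved to a privileged unit rather than have the sysctl turned back off system-wide. The new default is sound hardening (the kernel log leaks addresses and driver state that help an attacker), so frame the opt-out as the exception. Unrelated context line: "respectfully" in the `i18n.inputMethod` paragraph should be "respectively".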
Expand All @@ -351,6 +358,8 @@
- Nemo is now built with gtk-layer-shell support, note that for now it will be expected to see nemo-desktop
listed as a regular entry in Cinnamon Wayland session's window list applet.

- The `shadowstack` hardening flag has been added, though disabled by default.

- `restic` module now has an option for inhibiting system sleep while backups are running, defaulting to off (not inhibiting sleep), available as [`services.restic.backups.<name>.inhibitsSleep`](#opt-services.restic.backups._name_.inhibitsSleep).

- Support for *runner registration tokens* has been [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/380872)
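Review bot: the `shadowstack` entry lands in a different part of the list from the `pacret` and `stackclashprotection` entries added earlier in this file; group the three hardening-flag lines together so someone auditing what changed in the hardening set finds them in one place.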
3 changes: 2 additions & 1 deletion nixos/modules/services/databases/postgresql.nix
Expand Up @@ -483,7 +483,8 @@ in

services.postgresql.package = let
mkThrow = ver: throw "postgresql_${ver} was removed, please upgrade your postgresql version.";
base = if versionAtLeast config.system.stateVersion "23.11" then pkgs.postgresql_15
base = if versionAtLeast config.system.stateVersion "24.11" then pkgs.postgresql_16
else if versionAtLeast config.system.stateVersion "23.11" then pkgs.postgresql_15
else if versionAtLeast config.system.stateVersion "22.05" then pkgs.postgresql_14
else if versionAtLeast config.system.stateVersion "21.11" then pkgs.postgresql_13
else if versionAtLeast config.system.stateVersion "20.03" then mkThrow "11"
1 change: 1 addition & 0 deletions nixos/tests/all-tests.nix
Expand Up @@ -764,6 +764,7 @@ in {
php81 = handleTest ./php { php = pkgs.php81; };
php82 = handleTest ./php { php = pkgs.php82; };
php83 = handleTest ./php { php = pkgs.php83; };
php84 = handleTest ./php { php = pkgs.php84; };
phylactery = handleTest ./web-apps/phylactery.nix {};
pict-rs = handleTest ./pict-rs.nix {};
pinnwand = handleTest ./pinnwand.nix {};
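Review bot: the new `php84` entry references `pkgs.php84`, which is not introduced anywhere in the visible part of this diff; confirm the attribute exists in this merge, because a missing attribute here breaks evaluation of `nixos/tests/all-tests.nix` for every test, not just the PHP ones.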
31 changes: 22 additions & 9 deletions nixos/tests/systemd-boot.nix
Expand Up @@ -241,18 +241,31 @@ in
testScript = ''
machine.succeed("mount -o remount,rw /boot")
# Replace version inside sd-boot with something older. See magic[] string in systemd src/boot/efi/boot.c
machine.succeed(
"""
find /boot -iname '*boot*.efi' -print0 | \
xargs -0 -I '{}' sed -i 's/#### LoaderInfo: systemd-boot .* ####/#### LoaderInfo: systemd-boot 000.0-1-notnixos ####/' '{}'
"""
)
output = machine.succeed("/run/current-system/bin/switch-to-configuration boot 2>&1")
def switch():
# Replace version inside sd-boot with something older. See magic[] string in systemd src/boot/efi/boot.c
machine.succeed(
"""
find /boot -iname '*boot*.efi' -print0 | \
xargs -0 -I '{}' sed -i 's/#### LoaderInfo: systemd-boot .* ####/#### LoaderInfo: systemd-boot 000.0-1-notnixos ####/' '{}'
"""
)
return machine.succeed("/run/current-system/bin/switch-to-configuration boot 2>&1")
output = switch()
assert "updating systemd-boot from 000.0-1-notnixos to " in output, "Couldn't find systemd-boot update message"
assert 'to "/boot/EFI/systemd/systemd-bootx64.efi"' in output, "systemd-boot not copied to to /boot/EFI/systemd/systemd-bootx64.efi"
assert 'to "/boot/EFI/BOOT/BOOTX64.EFI"' in output, "systemd-boot not copied to to /boot/EFI/BOOT/BOOTX64.EFI"
with subtest("Test that updating works with lowercase bootx64.efi"):
machine.succeed(
# Move to tmp file name first, otherwise mv complains the new location is the same
"mv /boot/EFI/BOOT/BOOTX64.EFI /boot/EFI/BOOT/bootx64.efi.new",
"mv /boot/EFI/BOOT/bootx64.efi.new /boot/EFI/BOOT/bootx64.efi",
)
output = switch()
assert "updating systemd-boot from 000.0-1-notnixos to " in output, "Couldn't find systemd-boot update message"
assert 'to "/boot/EFI/systemd/systemd-bootx64.efi"' in output, "systemd-boot not copied to to /boot/EFI/systemd/systemd-bootx64.efi"
assert 'to "/boot/EFI/BOOT/BOOTX64.EFI"' in output, "systemd-boot not copied to to /boot/EFI/BOOT/BOOTX64.EFI"
'';
};

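Review bot: the three assertions after the second `switch()` call duplicate the first block verbatim; fold them into `switch()` (or a `check(output)` helper beside it) so both subtests verify the same thing and a later edit to one cannot silently diverge from the other. While touching these lines, fix the doubled "copied to to" in the new assertion messages instead of copying it. The lowercase subtest also deserves a one-line comment stating what is being tested: after the rename to `bootx64.efi`, the updater must still locate the loader on the case-insensitive FAT boot partition and still report the canonical uppercase path, which is why the uppercase string is asserted.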
9 changes: 6 additions & 3 deletions pkgs/applications/audio/whipper/default.nix
Expand Up @@ -21,6 +21,7 @@ let
in python3.pkgs.buildPythonApplication rec {
pname = "whipper";
version = "0.10.0";
pyproject = true;

src = fetchFromGitHub {
owner = "whipper-team";
Expand All @@ -38,14 +39,15 @@ in python3.pkgs.buildPythonApplication rec {
})
];

nativeBuildInputs = with python3.pkgs; [
nativeBuildInputs = [
installShellFiles
wrapGAppsNoGuiHook
gobject-introspection
];

setuptools-scm
build-system = with python3.pkgs; [
docutils
setuptoolsCheckHook
setuptools-scm
];

propagatedBuildInputs = with python3.pkgs; [
Expand All @@ -63,6 +65,7 @@ in python3.pkgs.buildPythonApplication rec {

nativeCheckInputs = with python3.pkgs; [
twisted
pytestCheckHook
] ++ bins;

makeWrapperArgs = [
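Review bot: with `pyproject = true` and `setuptools-scm` in `build-system`, the package version is now derived by setuptools-scm at build time; since `fetchFromGitHub` strips the git metadata it would read, confirm the derivation still supplies the version (the usual `SETUPTOOLS_SCM_PRETEND_VERSION = version;`), as the visible hunks do not show it. Replacing `setuptoolsCheckHook` with `pytestCheckHook` also changes test discovery from `python setup.py test` to pytest collection over the whole tree, so compare the collected test count before and after; a `disabledTestPaths` entry may be needed if pytest now picks up something the old runner did not.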
4 changes: 2 additions & 2 deletions pkgs/applications/editors/emacs/build-support/elpa.nix
@@ -1,10 +1,10 @@
# builder for Emacs packages built for packages.el

{ lib, stdenv, emacs, texinfo, writeText, gcc }:
{ lib, stdenv, emacs, texinfo, writeText }:

let
handledArgs = [ "meta" ];
genericBuild = import ./generic.nix { inherit lib stdenv emacs texinfo writeText gcc; };
genericBuild = import ./generic.nix { inherit lib stdenv emacs texinfo writeText; };

in

15 changes: 6 additions & 9 deletions pkgs/applications/editors/emacs/build-support/generic.nix
@@ -1,11 +1,11 @@
# generic builder for Emacs packages

{ lib, stdenv, emacs, texinfo, writeText, gcc, ... }:
{ lib, stdenv, emacs, texinfo, writeText, ... }:

let
inherit (lib) optionalAttrs getLib;
handledArgs = [ "buildInputs" "packageRequires" "propagatedUserEnvPkgs" "meta" ]
++ lib.optionals (emacs.withNativeCompilation or false) [ "nativeBuildInputs" "postInstall" ];
inherit (lib) optionalAttrs;
handledArgs = [ "buildInputs" "nativeBuildInputs" "packageRequires" "propagatedUserEnvPkgs" "meta" ]
++ lib.optionals (emacs.withNativeCompilation or false) [ "postInstall" ];

setupHook = writeText "setup-hook.sh" ''
source ${./emacs-funcs.sh}
Expand Down Expand Up @@ -55,7 +55,8 @@ stdenv.mkDerivation (finalAttrs: ({
esac
'';

buildInputs = [emacs texinfo] ++ packageRequires ++ buildInputs;
buildInputs = packageRequires ++ buildInputs;
nativeBuildInputs = [ emacs texinfo ] ++ nativeBuildInputs;
propagatedBuildInputs = packageRequires;
propagatedUserEnvPkgs = packageRequires ++ propagatedUserEnvPkgs;

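Review bot: moving `emacs` and `texinfo` from `buildInputs` to `nativeBuildInputs` is the right split (both run at build time), but it is a behaviour change for cross builds, where the build-platform emacs now byte-compiles the package; the commit message should say this is intended. Note also that `handledArgs` now always consumes `nativeBuildInputs`, so a caller's own list is merged here for every build instead of being passed straight to `mkDerivation` as it was on non-native-compilation builds before.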
Expand All @@ -73,10 +74,6 @@ stdenv.mkDerivation (finalAttrs: ({

// optionalAttrs (emacs.withNativeCompilation or false) {

LIBRARY_PATH = "${getLib stdenv.cc.libc}/lib";

nativeBuildInputs = [ gcc ] ++ nativeBuildInputs;

addEmacsNativeLoadPath = true;

inherit turnCompilationWarningToError ignoreCompilationError;
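Review bot: this drops both `gcc` from `nativeBuildInputs` and the explicit `LIBRARY_PATH` for the native-compilation path, but nothing in the visible diff says what now lets `libgccjit` find a C compiler driver and libc when emacs native-compiles a package. Add a comment at this site (or in the commit message) pointing at where that is provided now, otherwise the next person hitting a native-compilation link failure has no trail to follow.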
4 changes: 2 additions & 2 deletions pkgs/applications/editors/emacs/build-support/melpa.nix
@@ -1,11 +1,11 @@
# builder for Emacs packages built for packages.el
# using MELPA package-build.el

{ lib, stdenv, fetchFromGitHub, emacs, texinfo, writeText, gcc }:
{ lib, stdenv, fetchFromGitHub, emacs, texinfo, writeText }:

let
handledArgs = [ "meta" "preUnpack" "postUnpack" ];
genericBuild = import ./generic.nix { inherit lib stdenv emacs texinfo writeText gcc; };
genericBuild = import ./generic.nix { inherit lib stdenv emacs texinfo writeText; };

packageBuild = stdenv.mkDerivation {
name = "package-build";
3 changes: 1 addition & 2 deletions pkgs/applications/editors/emacs/build-support/wrapper.nix
Expand Up @@ -32,7 +32,7 @@ in customEmacsPackages.withPackages (epkgs: [ epkgs.evil epkgs.magit ])
*/

{ lib, lndir, makeBinaryWrapper, runCommand, gcc }:
{ lib, lndir, makeBinaryWrapper, runCommand }:
self:
let
inherit (self) emacs;
Expand Down Expand Up @@ -60,7 +60,6 @@ runCommand
deps = runCommand "emacs-packages-deps"
({
inherit explicitRequires lndir emacs;
nativeBuildInputs = lib.optional withNativeCompilation gcc;
} // lib.optionalAttrs withNativeCompilation {
inherit (emacs) LIBRARY_PATH;
})
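Review bot: `gcc` is dropped from the `deps` derivation's `nativeBuildInputs` while `inherit (emacs) LIBRARY_PATH` is kept under `withNativeCompilation`; `generic.nix` in this same commit removes its `LIBRARY_PATH` entirely, so the two builders now disagree on whether native compilation still needs libc on `LIBRARY_PATH`. Either drop it here as well or leave a comment explaining why the wrapper's compilation step still needs it when package builds no longer do.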
4 changes: 0 additions & 4 deletions pkgs/applications/graphics/darktable/default.nix
Expand Up @@ -53,8 +53,6 @@
, libaom
, portmidi
, lua
, dav1d
, libyuv
}:

stdenv.mkDerivation rec {
Expand Down Expand Up @@ -108,8 +106,6 @@ stdenv.mkDerivation rec {
libaom
portmidi
lua
dav1d
libyuv
] ++ lib.optionals stdenv.isLinux [
colord
colord-gtk
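Review bot: `dav1d` and `libyuv` are removed from the argument set and from `buildInputs` with no stated reason; the same pair is removed from ladybird in this commit, which points at a shared cause (both sit next to `libavif` as AV1/AVIF helpers). The commit message or a comment should say whether they are now pulled in transitively through `libavif` or whether AV1 support is being dropped, since those are very different outcomes for users.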
5 changes: 5 additions & 0 deletions pkgs/applications/misc/electrum/ltc.nix
Expand Up @@ -138,6 +138,11 @@ python3.pkgs.buildPythonApplication {
disabledTests = [
"test_loop" # test tries to bind 127.0.0.1 causing permission error
"test_is_ip_address" # fails spuriously https://github.com/spesmilo/electrum/issues/7307
# electrum_ltc.lnutil.RemoteMisbehaving: received commitment_signed without pending changes
"test_reestablish_replay_messages_rev_then_sig"
"test_reestablish_replay_messages_sig_then_rev"
# stuck on hydra
"test_reestablish_with_old_state"
];

postCheck = ''
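Review bot: three Lightning channel-reestablish tests are disabled, two for `RemoteMisbehaving` failures and one for hanging on Hydra, each with a one-line reason. The reestablish and replay path is where the wallet decides whether to accept a peer's replayed messages and whether to recover from stale state, so silently dropping its tests hides regressions in exactly the logic a user relies on when reconnecting to an untrusted peer. Link an upstream electrum-ltc issue for each, and for the hanging test prefer a per-test timeout over a blanket disable so the hang is still detected rather than ignored.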
8 changes: 1 addition & 7 deletions pkgs/applications/networking/browsers/ladybird/default.nix
Expand Up @@ -8,16 +8,13 @@
, unicode-emoji
, unicode-character-database
, cmake
, dav1d
, ninja
, pkg-config
, libaom
, libavif
, libjxl
, libtiff
, libwebp
, libxcrypt
, libyuv
, python3
, qt6Packages
, woff2
Expand Down Expand Up @@ -137,14 +134,11 @@ stdenv.mkDerivation (finalAttrs: {
];

buildInputs = with qt6Packages; [
dav1d
ffmpeg
libaom
libavif
libjxl
libwebp
libxcrypt
libyuv
qtbase
qtmultimedia
simdutf
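Review bot: as in the darktable hunk, `dav1d` and `libyuv` leave `buildInputs` while `libavif` stays and no reason is given; state whether AVIF and AV1 decoding is still expected to work and, if so, where those libraries now come from.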
Expand Down Expand Up @@ -178,7 +172,7 @@ stdenv.mkDerivation (finalAttrs: {
'';

# Only Ladybird and WebContent need wrapped, if Qt is enabled.
# On linux we end up wrapping some non-Qt apps, like headless-browser.
# On linux we end up wraping some non-Qt apps, like headless-browser.
dontWrapQtApps = stdenv.isDarwin;

passthru.tests = {
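Review bot: with deletions listed before additions as elsewhere in this rendering, this hunk replaces the correct "wrapping" with the misspelling "wraping"; that looks like a merge artifact from staging-next, so keep "wrapping".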
6 changes: 4 additions & 2 deletions pkgs/applications/networking/browsers/w3m/default.nix
Expand Up @@ -5,7 +5,7 @@
, x11Support ? graphicsSupport, libX11
, mouseSupport ? !stdenv.isDarwin, gpm-ncurses
, perl, man, pkg-config, buildPackages, w3m
, testers
, testers, updateAutotoolsGnuConfigScriptsHook
}:

let
Expand Down Expand Up @@ -53,7 +53,9 @@ in stdenv.mkDerivation rec {
sed -ie 's!mktable.*:.*!mktable:!' Makefile.in
'';

nativeBuildInputs = [ pkg-config gettext ];
# updateAutotoolsGnuConfigScriptsHook necessary to build on FreeBSD native pending inclusion of
# https://git.savannah.gnu.org/cgit/config.git/commit/?id=e4786449e1c26716e3f9ea182caf472e4dbc96e0
nativeBuildInputs = [ pkg-config gettext updateAutotoolsGnuConfigScriptsHook ];
buildInputs = [ ncurses boehmgc zlib ]
++ lib.optional sslSupport openssl
++ lib.optional mouseSupport gpm-ncurses
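Review bot: the comment justifies `updateAutotoolsGnuConfigScriptsHook` for FreeBSD native builds, but the hook is added unconditionally, so `config.guess` and `config.sub` are now replaced on every platform. That is harmless where the hook is already part of the default stdenv, in which case say so in the comment; otherwise gate it on `stdenv.buildPlatform.isFreeBSD` so the justification and the code match, and note that it can be dropped once the linked config.git commit ships.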
14 changes: 12 additions & 2 deletions pkgs/applications/networking/warp/default.nix
@@ -1,6 +1,7 @@
{ lib
, stdenv
, fetchFromGitLab
, fetchpatch2
, appstream-glib
, cargo
, desktop-file-utils
Expand Down Expand Up @@ -33,14 +34,23 @@ stdenv.mkDerivation rec {
hash = "sha256-GRxZ3y1PdJpBDnGCfmOmZgN8n1aaYf9IhyszRwo3MjQ=";
};

patches = [
# https://gitlab.gnome.org/World/warp/-/merge_requests/74
(fetchpatch2 {
name = "rust-1.80-compat.patch";
url = "https://gitlab.gnome.org/World/warp/-/commit/38747cc2dde79089df53fd8451ea2db13f9f3714.patch";
hash = "sha256-9P5LwCHaC6J5WR2OnjCaNE+4de/Jv6XGXS7bOfYrM7w=";
})
];

postPatch = ''
patchShebangs build-aux
'';

cargoDeps = rustPlatform.fetchCargoTarball {
inherit src;
inherit src patches;
name = "${pname}-${version}";
hash = "sha256-v/MhVcQmMYD/n/8wmPCYUy4YpXhL0v4fq8h6cllo/pw=";
hash = "sha256-xF9AzcO2uawHu7XZay7Wwr2r+OVLbXhfSynnBYbVkZM=";
};

nativeBuildInputs = [
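Review bot: passing `patches` into `fetchCargoTarball` is correct here, because the compatibility patch evidently touches the Cargo manifest or lock file (the vendored-dependency hash changes in the same hunk). Add a one-line comment next to `inherit src patches;` saying so, since the next updater needs to know that changing or dropping the patch requires regenerating the `cargoDeps` hash as well. Pinning the upstream commit through `fetchpatch2` with a content hash rather than fetching the merge-request head is the right call.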

1 comment on commit 9ccfa87

@nixos-discourse


This commit has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixpkgs-commit-that-mysteriously-broke-my-cmake-environment/52152/3
