authorVladimír Čunát <v@cunat.cz>2023-04-26 18:31:35 +0200
committerVladimír Čunát <v@cunat.cz>2023-04-26 18:35:28 +0200
commitd6b863fd9b7bb962e6f9fdf292419a775e772891 (patch)
tree8a5534f2435672c4f2a7a3884ff59af5591c8b88
parent7b57f59155b55250ea2d0871a7c0102d63fbba93 (diff)
parent72fb66768e1ea1180b170ebea6ac5ac465e9f568 (diff)
Merge #226795: staging-next 2023-04-18
-rw-r--r--nixos/tests/installed-tests/pipewire.nix12
-rw-r--r--pkgs/applications/audio/fluidsynth/default.nix8
-rw-r--r--pkgs/applications/audio/mpg123/default.nix4
-rw-r--r--pkgs/applications/editors/vim/default.nix11
-rw-r--r--pkgs/applications/misc/privacyidea/default.nix3
-rw-r--r--pkgs/applications/networking/mailreaders/notmuch/default.nix4
-rw-r--r--pkgs/applications/office/libreoffice/default.nix3
-rw-r--r--pkgs/applications/version-management/git/default.nix13
-rw-r--r--pkgs/applications/version-management/gitlab/default.nix5
-rw-r--r--pkgs/applications/version-management/subversion/default.nix2
-rw-r--r--pkgs/applications/window-managers/dwl/default.nix14
-rw-r--r--pkgs/applications/window-managers/labwc/default.nix4
-rw-r--r--pkgs/applications/window-managers/sway/default.nix8
-rw-r--r--pkgs/applications/window-managers/wayfire/default.nix1
-rw-r--r--pkgs/applications/window-managers/wayfire/wf-config.nix4
-rw-r--r--pkgs/build-support/cc-wrapper/default.nix6
-rw-r--r--pkgs/build-support/setup-hooks/auto-patchelf.py20
-rw-r--r--pkgs/build-support/setup-hooks/auto-patchelf.sh4
-rw-r--r--pkgs/build-support/setup-hooks/strip.sh4
-rw-r--r--pkgs/development/compilers/cudatoolkit/redist/build-cuda-redist-package.nix6
-rw-r--r--pkgs/development/compilers/gcc/12/default.nix2
-rw-r--r--pkgs/development/compilers/gcc/builder.sh2
-rw-r--r--pkgs/development/compilers/gcc/common/configure-flags.nix5
-rw-r--r--pkgs/development/compilers/gcc/common/platform-flags.nix20
-rw-r--r--pkgs/development/compilers/llvm/13/default.nix5
-rw-r--r--pkgs/development/compilers/llvm/rocm/default.nix3
-rw-r--r--pkgs/development/compilers/rust/1_68.nix14
-rw-r--r--pkgs/development/compilers/rust/rustc.nix2
-rw-r--r--pkgs/development/compilers/sbcl/2.x.nix4
-rw-r--r--pkgs/development/interpreters/python/default.nix8
-rw-r--r--pkgs/development/interpreters/ruby/default.nix2
-rw-r--r--pkgs/development/interpreters/ruby/rubygems/default.nix4
-rw-r--r--pkgs/development/libraries/SDL2/default.nix12
-rw-r--r--pkgs/development/libraries/apr-util/default.nix2
-rw-r--r--pkgs/development/libraries/audiofile/default.nix2
-rw-r--r--pkgs/development/libraries/celt/generic.nix2
-rw-r--r--pkgs/development/libraries/directfb/default.nix8
-rw-r--r--pkgs/development/libraries/directx-headers/default.nix4
-rw-r--r--pkgs/development/libraries/egl-wayland/default.nix4
-rw-r--r--pkgs/development/libraries/ffmpeg/generic.nix6
-rw-r--r--pkgs/development/libraries/gettext/default.nix12
-rw-r--r--pkgs/development/libraries/glibc/default.nix7
-rw-r--r--pkgs/development/libraries/gnu-config/default.nix10
-rw-r--r--pkgs/development/libraries/goffice/default.nix1
-rw-r--r--pkgs/development/libraries/gpgme/default.nix2
-rw-r--r--pkgs/development/libraries/gstreamer/bad/default.nix30
-rw-r--r--pkgs/development/libraries/gstreamer/bad/fix-paths.patch18
-rw-r--r--pkgs/development/libraries/gstreamer/base/default.nix30
-rw-r--r--pkgs/development/libraries/gstreamer/core/default.nix19
-rw-r--r--pkgs/development/libraries/gstreamer/default.nix4
-rw-r--r--pkgs/development/libraries/gstreamer/devtools/default.nix14
-rw-r--r--pkgs/development/libraries/gstreamer/ges/default.nix14
-rw-r--r--pkgs/development/libraries/gstreamer/good/default.nix20
-rw-r--r--pkgs/development/libraries/gstreamer/libav/default.nix10
-rw-r--r--pkgs/development/libraries/gstreamer/rtsp-server/default.nix14
-rw-r--r--pkgs/development/libraries/gstreamer/ugly/default.nix10
-rw-r--r--pkgs/development/libraries/gstreamer/vaapi/default.nix19
-rw-r--r--pkgs/development/libraries/gtk/4.x.nix2
-rw-r--r--pkgs/development/libraries/ldacbt/default.nix7
-rw-r--r--pkgs/development/libraries/libcbor/default.nix5
-rw-r--r--pkgs/development/libraries/libde265/default.nix24
-rw-r--r--pkgs/development/libraries/libde265/test-corpus-decode.nix48
-rw-r--r--pkgs/development/libraries/libdecor/default.nix2
-rw-r--r--pkgs/development/libraries/libdisplay-info/default.nix5
-rw-r--r--pkgs/development/libraries/libgcrypt/1.5.nix53
-rw-r--r--pkgs/development/libraries/libgcrypt/1.8.nix75
-rw-r--r--pkgs/development/libraries/libhwy/default.nix4
-rw-r--r--pkgs/development/libraries/libinput/default.nix5
-rw-r--r--pkgs/development/libraries/libjxl/default.nix10
-rw-r--r--pkgs/development/libraries/liblc3/default.nix2
-rw-r--r--pkgs/development/libraries/libmodplug/default.nix12
-rw-r--r--pkgs/development/libraries/libnice/default.nix4
-rw-r--r--pkgs/development/libraries/libpcap/default.nix4
-rw-r--r--pkgs/development/libraries/libqmi/default.nix5
-rw-r--r--pkgs/development/libraries/libtiff/default.nix15
-rw-r--r--pkgs/development/libraries/libva/default.nix2
-rw-r--r--pkgs/development/libraries/libwebp/default.nix10
-rw-r--r--pkgs/development/libraries/libxml2/default.nix4
-rw-r--r--pkgs/development/libraries/mesa/22.3.nix (renamed from pkgs/development/libraries/mesa/22.3.7.nix)0
-rw-r--r--pkgs/development/libraries/mesa/23.0.1.nix4
-rw-r--r--pkgs/development/libraries/mesa/23.0.nix4
-rw-r--r--pkgs/development/libraries/mesa/generic.nix7
-rw-r--r--pkgs/development/libraries/mpfr/default.nix10
-rw-r--r--pkgs/development/libraries/openjpeg/default.nix2
-rw-r--r--pkgs/development/libraries/openssl/default.nix34
-rw-r--r--pkgs/development/libraries/pipewire/0090-pipewire-config-template-paths.patch24
-rw-r--r--pkgs/development/libraries/pipewire/default.nix11
-rw-r--r--pkgs/development/libraries/qt-5/5.15/default.nix2
-rw-r--r--pkgs/development/libraries/qt-5/5.15/srcs-generated.json164
-rw-r--r--pkgs/development/libraries/qt-5/5.15/srcs.nix6
-rw-r--r--pkgs/development/libraries/qt-6/default.nix2
-rw-r--r--pkgs/development/libraries/qt-6/modules/qtmultimedia.nix4
-rw-r--r--pkgs/development/libraries/quictls/default.nix35
-rw-r--r--pkgs/development/libraries/science/math/or-tools/default.nix18
-rw-r--r--pkgs/development/libraries/serf/scons.patch3
-rw-r--r--pkgs/development/python-modules/aiohttp/default.nix4
-rw-r--r--pkgs/development/python-modules/aioquic/default.nix9
-rw-r--r--pkgs/development/python-modules/anyio/default.nix7
-rw-r--r--pkgs/development/python-modules/cryptography/default.nix8
-rw-r--r--pkgs/development/python-modules/cryptography/vectors.nix2
-rw-r--r--pkgs/development/python-modules/ctap-keyring-device/default.nix1
-rw-r--r--pkgs/development/python-modules/dbus-deviation/default.nix35
-rw-r--r--pkgs/development/python-modules/fido2/default.nix8
-rw-r--r--pkgs/development/python-modules/flaky/default.nix10
-rw-r--r--pkgs/development/python-modules/gst-python/default.nix4
-rw-r--r--pkgs/development/python-modules/hypothesis/default.nix4
-rw-r--r--pkgs/development/python-modules/kaldi-active-grammar/fork.nix4
-rw-r--r--pkgs/development/python-modules/matplotlib/default.nix3
-rw-r--r--pkgs/development/python-modules/nose/default.nix3
-rw-r--r--pkgs/development/python-modules/passlib/default.nix2
-rw-r--r--pkgs/development/python-modules/protobuf/default.nix2
-rw-r--r--pkgs/development/python-modules/pybind11/default.nix17
-rw-r--r--pkgs/development/python-modules/pybind11/setup-hook.sh12
-rw-r--r--pkgs/development/python-modules/pyopenssl/default.nix4
-rw-r--r--pkgs/development/python-modules/pyquery/default.nix6
-rw-r--r--pkgs/development/python-modules/scikit-learn/default.nix3
-rw-r--r--pkgs/development/python-modules/sqlalchemy/default.nix27
-rw-r--r--pkgs/development/python-modules/virtualenv/default.nix10
-rw-r--r--pkgs/development/python-modules/wheezy-template/default.nix23
-rw-r--r--pkgs/development/python-modules/yapf/default.nix4
-rw-r--r--pkgs/development/ruby-modules/bundler/default.nix4
-rw-r--r--pkgs/development/tools/gnulib/default.nix11
-rw-r--r--pkgs/development/tools/gnulib/gnulib-longdouble-redirect.patch72
-rw-r--r--pkgs/development/tools/hotdoc/default.nix116
-rw-r--r--pkgs/development/tools/misc/elfutils/default.nix2
-rw-r--r--pkgs/development/tools/misc/gdb/default.nix2
-rw-r--r--pkgs/development/tools/misc/texinfo/7.0.nix4
-rw-r--r--pkgs/development/tools/misc/texinfo/common.nix9
-rw-r--r--pkgs/development/web/nodejs/v18.nix4
-rw-r--r--pkgs/misc/ghostscript/default.nix63
-rw-r--r--pkgs/misc/ghostscript/test-corpus-render.nix6
-rw-r--r--pkgs/os-specific/linux/audit/default.nix44
-rw-r--r--pkgs/os-specific/linux/audit/fix-static.patch12
-rw-r--r--pkgs/os-specific/linux/audit/patches/weak-symbols.patch147
-rw-r--r--pkgs/os-specific/linux/bcc/default.nix1
-rw-r--r--pkgs/os-specific/linux/kernel/common-config.nix1
-rw-r--r--pkgs/os-specific/linux/pam_mount/default.nix17
-rw-r--r--pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch6
-rw-r--r--pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch33
-rw-r--r--pkgs/os-specific/linux/systemd/0004-fsck-look-for-fsck-binary-not-just-in-sbin.patch152
-rw-r--r--pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch2
-rw-r--r--pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch105
-rw-r--r--pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch (renamed from pkgs/os-specific/linux/systemd/0007-Fix-hwdb-paths.patch)9
-rw-r--r--pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch (renamed from pkgs/os-specific/linux/systemd/0008-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch)14
-rw-r--r--pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch (renamed from pkgs/os-specific/linux/systemd/0009-localectl-use-etc-X11-xkb-for-list-x11.patch)0
-rw-r--r--pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch (renamed from pkgs/os-specific/linux/systemd/0010-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch)4
-rw-r--r--pkgs/os-specific/linux/systemd/0012-add-rootprefix-to-lookup-dir-paths.patch (renamed from pkgs/os-specific/linux/systemd/0011-add-rootprefix-to-lookup-dir-paths.patch)2
-rw-r--r--pkgs/os-specific/linux/systemd/0013-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch (renamed from pkgs/os-specific/linux/systemd/0012-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch)0
-rw-r--r--pkgs/os-specific/linux/systemd/0014-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch (renamed from pkgs/os-specific/linux/systemd/0013-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch)4
-rw-r--r--pkgs/os-specific/linux/systemd/0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch (renamed from pkgs/os-specific/linux/systemd/0014-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch)0
-rw-r--r--pkgs/os-specific/linux/systemd/0016-pkg-config-derive-prefix-from-prefix.patch (renamed from pkgs/os-specific/linux/systemd/0015-pkg-config-derive-prefix-from-prefix.patch)0
-rw-r--r--pkgs/os-specific/linux/systemd/0017-inherit-systemd-environment-when-calling-generators.patch (renamed from pkgs/os-specific/linux/systemd/0016-inherit-systemd-environment-when-calling-generators.patch)2
-rw-r--r--pkgs/os-specific/linux/systemd/0018-core-don-t-taint-on-unmerged-usr.patch (renamed from pkgs/os-specific/linux/systemd/0017-core-don-t-taint-on-unmerged-usr.patch)4
-rw-r--r--pkgs/os-specific/linux/systemd/0019-tpm2_context_init-fix-driver-name-checking.patch (renamed from pkgs/os-specific/linux/systemd/0018-tpm2_context_init-fix-driver-name-checking.patch)2
-rw-r--r--pkgs/os-specific/linux/systemd/default.nix31
-rw-r--r--pkgs/servers/x11/xorg/default.nix40
-rw-r--r--pkgs/servers/x11/xorg/tarballs.list12
-rw-r--r--pkgs/stdenv/darwin/default.nix1
-rw-r--r--pkgs/stdenv/linux/default.nix9
-rw-r--r--pkgs/tools/admin/awscli2/default.nix28
-rw-r--r--pkgs/tools/backup/grab-site/default.nix3
-rw-r--r--pkgs/tools/compression/zstd/default.nix4
-rw-r--r--pkgs/tools/filesystems/squashfs/4k-align.patch62
-rw-r--r--pkgs/tools/filesystems/squashfs/default.nix9
-rw-r--r--pkgs/tools/graphics/vulkan-cts/default.nix6
-rw-r--r--pkgs/tools/misc/fontforge/default.nix17
-rw-r--r--pkgs/tools/misc/hdf5/default.nix21
-rw-r--r--pkgs/tools/networking/tcpdump/default.nix4
-rw-r--r--pkgs/tools/security/gnupg/0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch34
-rw-r--r--pkgs/tools/security/gnupg/22-allow-import-of-previously-known-keys-even-without-UI.patch (renamed from pkgs/tools/security/gnupg/allow-import-of-previously-known-keys-even-without-UI.patch)26
-rw-r--r--pkgs/tools/security/gnupg/22.nix104
-rw-r--r--pkgs/tools/security/gnupg/24-allow-import-of-previously-known-keys-even-without-UI.patch107
-rw-r--r--pkgs/tools/security/gnupg/24.nix47
-rw-r--r--pkgs/tools/typesetting/tex/texlive/bin.nix42
-rw-r--r--pkgs/top-level/all-packages.nix90
-rw-r--r--pkgs/top-level/python-packages.nix4
176 files changed, 1890 insertions, 986 deletions
diff --git a/nixos/tests/installed-tests/pipewire.nix b/nixos/tests/installed-tests/pipewire.nix
index b04265658fcf4..6e69ada8612fd 100644
--- a/nixos/tests/installed-tests/pipewire.nix
+++ b/nixos/tests/installed-tests/pipewire.nix
@@ -1,15 +1,5 @@
-{ pkgs, lib, makeInstalledTest, ... }:
+{ pkgs, makeInstalledTest, ... }:
 
 makeInstalledTest {
   tested = pkgs.pipewire;
-  testConfig = {
-    hardware.pulseaudio.enable = false;
-    services.pipewire = {
-      enable = true;
-      pulse.enable = true;
-      jack.enable = true;
-      alsa.enable = true;
-      alsa.support32Bit = true;
-    };
-  };
 }
diff --git a/pkgs/applications/audio/fluidsynth/default.nix b/pkgs/applications/audio/fluidsynth/default.nix
index df42258700cad..a49b683363b85 100644
--- a/pkgs/applications/audio/fluidsynth/default.nix
+++ b/pkgs/applications/audio/fluidsynth/default.nix
@@ -1,24 +1,24 @@
 { stdenv, lib, fetchFromGitHub, buildPackages, pkg-config, cmake
 , alsa-lib, glib, libjack2, libsndfile, libpulseaudio
-, AudioUnit, CoreAudio, CoreMIDI, CoreServices
+, AppKit, AudioUnit, CoreAudio, CoreMIDI, CoreServices
 }:
 
 stdenv.mkDerivation rec {
   pname = "fluidsynth";
-  version = "2.3.1";
+  version = "2.3.2";
 
   src = fetchFromGitHub {
     owner = "FluidSynth";
     repo = "fluidsynth";
     rev = "v${version}";
-    sha256 = "05lr9f0q4x1kvgfa3xrfmagpwvijv9m1s316aa9figqlkcc5vv4k";
+    sha256 = "sha256-BSJu3jB7b5G2ThXBUHUNnBGl55EXe3nIzdBdgfOWDSM=";
   };
 
   nativeBuildInputs = [ buildPackages.stdenv.cc pkg-config cmake ];
 
   buildInputs = [ glib libsndfile libjack2 ]
     ++ lib.optionals stdenv.isLinux [ alsa-lib libpulseaudio ]
-    ++ lib.optionals stdenv.isDarwin [ AudioUnit CoreAudio CoreMIDI CoreServices ];
+    ++ lib.optionals stdenv.isDarwin [ AppKit AudioUnit CoreAudio CoreMIDI CoreServices ];
 
   cmakeFlags = [
     "-Denable-framework=off"
diff --git a/pkgs/applications/audio/mpg123/default.nix b/pkgs/applications/audio/mpg123/default.nix
index 36c8a2409abb2..1e97b7badb48d 100644
--- a/pkgs/applications/audio/mpg123/default.nix
+++ b/pkgs/applications/audio/mpg123/default.nix
@@ -21,11 +21,11 @@ assert withConplay -> !libOnly;
 
 stdenv.mkDerivation rec {
   pname = "${lib.optionalString libOnly "lib"}mpg123";
-  version = "1.31.2";
+  version = "1.31.3";
 
   src = fetchurl {
     url = "mirror://sourceforge/mpg123/mpg123-${version}.tar.bz2";
-    sha256 = "sha256-sX8ikF4x9DtrQB399qce0Ru30Fb2jbRJ1wufmug5x94=";
+    hash = "sha256-HKd9Omml/4RbegU294P+5VThBBE5prl49q/hT1gUrRo=";
   };
 
   outputs = [ "out" ] ++ lib.optional withConplay "conplay";
diff --git a/pkgs/applications/editors/vim/default.nix b/pkgs/applications/editors/vim/default.nix
index 49af99fad144e..c5b9a607f20df 100644
--- a/pkgs/applications/editors/vim/default.nix
+++ b/pkgs/applications/editors/vim/default.nix
@@ -15,7 +15,7 @@ in
 stdenv.mkDerivation {
   pname = "vim";
 
-  inherit (common) version src postPatch hardeningDisable enableParallelBuilding meta;
+  inherit (common) version src postPatch hardeningDisable enableParallelBuilding enableParallelInstalling meta;
 
   nativeBuildInputs = [ gettext pkg-config ];
   buildInputs = [ ncurses bash gawk ]
@@ -50,6 +50,15 @@ stdenv.mkDerivation {
     ln -s $out/bin/vim $out/bin/vi
     mkdir -p $out/share/vim
     cp "${vimrc}" $out/share/vim/vimrc
+
+    # Prevent bugs in the upstream makefile from silently failing and missing outputs.
+    # Some of those are build-time requirements for other packages.
+    for tool in ex xxd vi view vimdiff; do
+      if [ ! -e "$out/bin/$tool" ]; then
+        echo "ERROR: install phase did not install '$tool'."
+        exit 1
+      fi
+    done
   '';
 
   __impureHostDeps = [ "/dev/ptmx" ];
diff --git a/pkgs/applications/misc/privacyidea/default.nix b/pkgs/applications/misc/privacyidea/default.nix
index f7f94d9940ab4..f5e13987aff40 100644
--- a/pkgs/applications/misc/privacyidea/default.nix
+++ b/pkgs/applications/misc/privacyidea/default.nix
@@ -11,7 +11,8 @@ let
     packageOverrides = self: super: {
       sqlalchemy = super.sqlalchemy.overridePythonAttrs (oldAttrs: rec {
         version = "1.3.24";
-        src = oldAttrs.src.override {
+        src = super.fetchPypi {
+          inherit (oldAttrs) pname;
           inherit version;
           hash = "sha256-67t3fL+TEjWbiXv4G6ANrg9ctp+6KhgmXcwYpvXvdRk=";
         };
diff --git a/pkgs/applications/networking/mailreaders/notmuch/default.nix b/pkgs/applications/networking/mailreaders/notmuch/default.nix
index 3dccf614fb964..0a62ee3e33796 100644
--- a/pkgs/applications/networking/mailreaders/notmuch/default.nix
+++ b/pkgs/applications/networking/mailreaders/notmuch/default.nix
@@ -42,6 +42,10 @@ stdenv.mkDerivation rec {
 
     substituteInPlace lib/Makefile.local \
       --replace '-install_name $(libdir)' "-install_name $out/lib"
+
+    # do not override CFLAGS of the Makefile created by mkmf
+    substituteInPlace bindings/Makefile.local \
+      --replace 'CFLAGS="$(CFLAGS) -pipe -fno-plt -fPIC"' ""
   '' + lib.optionalString withEmacs ''
     substituteInPlace emacs/notmuch-emacs-mua \
       --replace 'EMACS:-emacs' 'EMACS:-${emacs}/bin/emacs' \
diff --git a/pkgs/applications/office/libreoffice/default.nix b/pkgs/applications/office/libreoffice/default.nix
index e7633cdde0df3..25e8f18998e2e 100644
--- a/pkgs/applications/office/libreoffice/default.nix
+++ b/pkgs/applications/office/libreoffice/default.nix
@@ -356,6 +356,9 @@ in
       sed -e "s/DECLARE_SW_ROUNDTRIP_TEST(\([_a-zA-Z0-9.]\+\)[, ].*, *\([_a-zA-Z0-9.]\+\))/class \\1: public \\2 { public: void verify() override; }; void \\1::verify() /" -i "sw/qa/extras/ooxmlexport/ooxmlencryption.cxx"
       sed -e "s/DECLARE_SW_ROUNDTRIP_TEST(\([_a-zA-Z0-9.]\+\)[, ].*, *\([_a-zA-Z0-9.]\+\))/class \\1: public \\2 { public: void verify() override; }; void \\1::verify() /" -i "sw/qa/extras/odfexport/odfexport.cxx"
       sed -e "s/DECLARE_SW_ROUNDTRIP_TEST(\([_a-zA-Z0-9.]\+\)[, ].*, *\([_a-zA-Z0-9.]\+\))/class \\1: public \\2 { public: void verify() override; }; void \\1::verify() /" -i "sw/qa/extras/unowriter/unowriter.cxx"
+
+      # testReqIfTable fails since libxml2: 2.10.3 -> 2.10.4
+      sed -e 's@.*"/html/body/div/table/tr/th".*@//&@' -i sw/qa/extras/htmlexport/htmlexport.cxx
     ''
     # This to avoid using /lib:/usr/lib at linking
     + ''
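Review bot: The added `sed` prefixes `//` to every line of `sw/qa/extras/htmlexport/htmlexport.cxx` that contains the literal `"/html/body/div/table/tr/th"`, not only the assertion inside testReqIfTable. Any other test that uses the same XPath would be disabled silently, and a statement spanning several lines would be left half-commented; neither can be ruled out from this hunk. The comment names the libxml2 bump but gives no tracking reference, so it is unclear when the workaround can be dropped. Suggest extending it, e.g. `# testReqIfTable fails since libxml2: 2.10.3 -> 2.10.4; remove once fixed upstream (<tracking issue URL>)`. The enclosing shell string starts before this hunk.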
diff --git a/pkgs/applications/version-management/git/default.nix b/pkgs/applications/version-management/git/default.nix
index ef1b8db97b03f..8cb1faf97fe9f 100644
--- a/pkgs/applications/version-management/git/default.nix
+++ b/pkgs/applications/version-management/git/default.nix
@@ -28,7 +28,7 @@ assert sendEmailSupport -> perlSupport;
 assert svnSupport -> perlSupport;
 
 let
-  version = "2.39.2";
+  version = "2.40.0";
   svn = subversionClient.override { perlBindings = perlSupport; };
   gitwebPerlLibs = with perlPackages; [ CGI HTMLParser CGIFast FCGI FCGIProcManager HTMLTagCloud ];
 in
@@ -41,7 +41,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   src = fetchurl {
     url = "https://www.kernel.org/pub/software/scm/git/git-${version}.tar.xz";
-    sha256 = "R1918Tc7LNTkOHBhhRdZZtXBH2jE2x5IwmJXxD3c8tY=";
+    hash = "sha256-sXpZj79Ycp7xO1d0ZeuTstSE3xIBUYtwi1BE/2I79G0=";
   };
 
   outputs = [ "out" ] ++ lib.optional withManual "doc";
@@ -185,12 +185,14 @@ stdenv.mkDerivation (finalAttrs: {
 
       # Fix references to the perl, sed, awk and various coreutil binaries used by
       # shell scripts that git calls (e.g. filter-branch)
+      # and completion scripts
       SCRIPT="$(cat <<'EOS'
         BEGIN{
           @a=(
             '${gnugrep}/bin/grep', '${gnused}/bin/sed', '${gawk}/bin/awk',
             '${coreutils}/bin/cut', '${coreutils}/bin/basename', '${coreutils}/bin/dirname',
-            '${coreutils}/bin/wc', '${coreutils}/bin/tr'
+            '${coreutils}/bin/wc', '${coreutils}/bin/tr',
+            '${coreutils}/bin/ls'
             ${lib.optionalString perlSupport ", '${perlPackages.perl}/bin/perl'"}
           );
         }
@@ -201,7 +203,8 @@ stdenv.mkDerivation (finalAttrs: {
       EOS
       )"
       perl -0777 -i -pe "$SCRIPT" \
-        $out/libexec/git-core/git-{sh-setup,filter-branch,merge-octopus,mergetool,quiltimport,request-pull,submodule,subtree,web--browse}
+        $out/libexec/git-core/git-{sh-setup,filter-branch,merge-octopus,mergetool,quiltimport,request-pull,submodule,subtree,web--browse} \
+        $out/share/bash-completion/completions/{git,gitk}
 
 
       # Also put git-http-backend into $PATH, so that we can use smart
@@ -214,8 +217,6 @@ stdenv.mkDerivation (finalAttrs: {
                   --set PERL5LIB   "$out/${perlPackages.perl.libPrefix}:${perlPackages.makePerlPath perlLibs}"
       wrapProgram $out/libexec/git-core/git-cvsimport \
                   --set GITPERLLIB "$out/${perlPackages.perl.libPrefix}:${perlPackages.makePerlPath perlLibs}"
-      wrapProgram $out/libexec/git-core/git-add--interactive \
-                  --set GITPERLLIB "$out/${perlPackages.perl.libPrefix}:${perlPackages.makePerlPath perlLibs}"
       wrapProgram $out/libexec/git-core/git-archimport \
                   --set GITPERLLIB "$out/${perlPackages.perl.libPrefix}:${perlPackages.makePerlPath perlLibs}"
       wrapProgram $out/libexec/git-core/git-instaweb \
diff --git a/pkgs/applications/version-management/gitlab/default.nix b/pkgs/applications/version-management/gitlab/default.nix
index c83478f05a915..8e20cc8a79443 100644
--- a/pkgs/applications/version-management/gitlab/default.nix
+++ b/pkgs/applications/version-management/gitlab/default.nix
@@ -1,5 +1,5 @@
 { stdenv, lib, fetchurl, fetchpatch, fetchFromGitLab, bundlerEnv
-, ruby, tzdata, git, nettools, nixosTests, nodejs, openssl
+, ruby_2_7, tzdata, git, nettools, nixosTests, nodejs, openssl
 , gitlabEnterprise ? false, callPackage, yarn
 , fixup_yarn_lock, replace, file, cacert, fetchYarnDeps, makeWrapper, pkg-config
 }:
@@ -17,7 +17,8 @@ let
 
   rubyEnv = bundlerEnv rec {
     name = "gitlab-env-${version}";
-    inherit ruby;
+    # GitLab doesn't support Ruby 3 https://gitlab.com/groups/gitlab-org/-/epics/5149
+    ruby = ruby_2_7;
     gemdir = ./rubyEnv;
     gemset =
       let x = import (gemdir + "/gemset.nix") src;
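Review bot: `ruby = ruby_2_7;` in `rubyEnv` pins GitLab to an interpreter branch that reached upstream end-of-life on 2023-03-31, before this merge, so it no longer receives upstream security fixes. The added comment explains why Ruby 3 cannot be used, but not that the pin has a security cost or when it should be lifted. Suggest extending it, e.g. `# TODO: Ruby 2.7 is EOL upstream; switch back to the default ruby as soon as GitLab supports Ruby 3`. The `rubyEnv` attribute set continues past the end of this hunk.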
diff --git a/pkgs/applications/version-management/subversion/default.nix b/pkgs/applications/version-management/subversion/default.nix
index 25e3983c2b0a5..6f03b139cf1b0 100644
--- a/pkgs/applications/version-management/subversion/default.nix
+++ b/pkgs/applications/version-management/subversion/default.nix
@@ -61,6 +61,8 @@ let
       (lib.withFeatureAs httpSupport "serf" serf)
       "--with-zlib=${zlib.dev}"
       "--with-sqlite=${sqlite.dev}"
+      "--with-apr=${apr.dev}"
+      "--with-apr-util=${aprutil.dev}"
     ] ++ lib.optionals javahlBindings [
       "--enable-javahl"
       "--with-jdk=${jdk}"
diff --git a/pkgs/applications/window-managers/dwl/default.nix b/pkgs/applications/window-managers/dwl/default.nix
index 7bab957da046d..581dab562ebe0 100644
--- a/pkgs/applications/window-managers/dwl/default.nix
+++ b/pkgs/applications/window-managers/dwl/default.nix
@@ -9,6 +9,7 @@
 , pixman
 , pkg-config
 , substituteAll
+, wayland-scanner
 , wayland
 , wayland-protocols
 , wlroots_0_16
@@ -36,6 +37,7 @@ stdenv.mkDerivation (finalAttrs: {
   nativeBuildInputs = [
     installShellFiles
     pkg-config
+    wayland-scanner
   ];
 
   buildInputs = [
@@ -61,6 +63,13 @@ stdenv.mkDerivation (finalAttrs: {
                  else writeText "config.def.h" conf;
   in lib.optionalString (conf != null) "cp ${configFile} config.def.h";
 
+  makeFlags = [
+    "PKG_CONFIG=${stdenv.cc.targetPrefix}pkg-config"
+    "WAYLAND_SCANNER=wayland-scanner"
+    "PREFIX=$(out)"
+    "MANDIR=$(man)/share/man/man1"
+  ];
+
   preBuild = ''
     makeFlagsArray+=(
       XWAYLAND=${lib.optionalString enableXWayland "-DXWAYLAND"}
@@ -68,11 +77,6 @@ stdenv.mkDerivation (finalAttrs: {
     )
   '';
 
-  installFlags = [
-    "PREFIX=$(out)"
-    "MANDIR=$(man)/share/man/man1"
-  ];
-
   meta = {
     homepage = "https://github.com/djpohly/dwl/";
     description = "Dynamic window manager for Wayland";
diff --git a/pkgs/applications/window-managers/labwc/default.nix b/pkgs/applications/window-managers/labwc/default.nix
index 4182eb2c66677..2ae2d63f21db6 100644
--- a/pkgs/applications/window-managers/labwc/default.nix
+++ b/pkgs/applications/window-managers/labwc/default.nix
@@ -8,11 +8,13 @@
 , libxcb
 , libxkbcommon
 , libxml2
+, gettext
 , meson
 , ninja
 , pango
 , pkg-config
 , scdoc
+, wayland-scanner
 , wayland
 , wayland-protocols
 , wlroots_0_16
@@ -35,10 +37,12 @@ stdenv.mkDerivation (finalAttrs: {
   };
 
   nativeBuildInputs = [
+    gettext
     meson
     ninja
     pkg-config
     scdoc
+    wayland-scanner
   ];
 
   buildInputs = [
diff --git a/pkgs/applications/window-managers/sway/default.nix b/pkgs/applications/window-managers/sway/default.nix
index 32c8cf1b86a38..01506b391dfae 100644
--- a/pkgs/applications/window-managers/sway/default.nix
+++ b/pkgs/applications/window-managers/sway/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchFromGitHub, substituteAll, swaybg
+{ lib, stdenv, fetchFromGitHub, fetchpatch, substituteAll, swaybg
 , meson, ninja, pkg-config, wayland-scanner, scdoc
 , wayland, libxkbcommon, pcre2, json_c, libevdev
 , pango, cairo, libinput, libcap, pam, gdk-pixbuf, librsvg
@@ -38,6 +38,12 @@ stdenv.mkDerivation rec {
       src = ./fix-paths.patch;
       inherit swaybg;
     })
+
+    (fetchpatch {
+      name = "LIBINPUT_CONFIG_ACCEL_PROFILE_CUSTOM.patch";
+      url = "https://github.com/swaywm/sway/commit/dee032d0a0ecd958c902b88302dc59703d703c7f.diff";
+      hash = "sha256-dx+7MpEiAkxTBnJcsT3/1BO8rYRfNLecXmpAvhqGMD0=";
+    })
   ] ++ lib.optionals (!isNixOS) [
     # References to /nix/store/... will get GC'ed which causes problems when
     # copying the default configuration:
diff --git a/pkgs/applications/window-managers/wayfire/default.nix b/pkgs/applications/window-managers/wayfire/default.nix
index f5238180f5932..ab68bc58ee064 100644
--- a/pkgs/applications/window-managers/wayfire/default.nix
+++ b/pkgs/applications/window-managers/wayfire/default.nix
@@ -73,6 +73,7 @@ stdenv.mkDerivation rec {
     "--sysconfdir /etc"
     "-Duse_system_wlroots=enabled"
     "-Duse_system_wfconfig=enabled"
+    (lib.mesonEnable "wf-touch:tests" (stdenv.buildPlatform.canExecute stdenv.hostPlatform))
   ];
 
   passthru.providedSessions = [ "wayfire" ];
diff --git a/pkgs/applications/window-managers/wayfire/wf-config.nix b/pkgs/applications/window-managers/wayfire/wf-config.nix
index 0a8e5c0bcd71e..19435a87395b5 100644
--- a/pkgs/applications/window-managers/wayfire/wf-config.nix
+++ b/pkgs/applications/window-managers/wayfire/wf-config.nix
@@ -44,6 +44,10 @@ stdenv.mkDerivation rec {
   # CMake is just used for finding doctest.
   dontUseCmakeConfigure = true;
 
+  mesonFlags = [
+    (lib.mesonEnable "tests" (stdenv.buildPlatform.canExecute stdenv.hostPlatform))
+  ];
+
   doCheck = true;
 
   meta = with lib; {
diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix
index e0ee3dae41fb4..adab6f239a617 100644
--- a/pkgs/build-support/cc-wrapper/default.nix
+++ b/pkgs/build-support/cc-wrapper/default.nix
@@ -17,7 +17,6 @@
 , isGNU ? false, isClang ? cc.isClang or false, isCcache ? cc.isCcache or false, gnugrep ? null
 , buildPackages ? {}
 , libcxx ? null
-, grossHackForStagingNext ? false
 
 # Whether or not to add `-B` and `-L` to `nix-support/cc-{c,ld}flags`
 , useCcForLibs ?
@@ -52,7 +51,6 @@
 
 # the derivation at which the `-B` and `-L` flags added by `useCcForLibs` will point
 , gccForLibs ? if useCcForLibs then cc else null
-, tmpDropB ? false # temporary hack; see PR #225846
 }:
 
 with lib;
@@ -336,7 +334,7 @@ stdenv.mkDerivation {
     ##
     ## GCC libs for non-GCC support
     ##
-    + optionalString (useGccForLibs && !tmpDropB) ''
+    + optionalString (useGccForLibs && isClang) ''
 
       echo "-B${gccForLibs}/lib/gcc/${targetPlatform.config}/${gccForLibs.version}" >> $out/nix-support/cc-cflags
     ''
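Review bot: The section header `## GCC libs for non-GCC support` no longer matches the condition beneath it. With `useGccForLibs && isClang` the `-B` line is written only for Clang, so a wrapped compiler that is neither GCC nor Clang gets none. The `tmpDropB` parameter deleted earlier in this file carried a pointer to PR #225846, and that context is lost with it. Suggest rewording the header, e.g. `## GCC libs for Clang; GCC locates its own (see PR #225846)`. The same `isClang` restriction is applied in the `libcxx-cxxflags` hunk that follows, where the existing comment already gives the reason.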
@@ -415,7 +413,7 @@ stdenv.mkDerivation {
     # already knows how to find its own libstdc++, and adding
     # additional -isystem flags will confuse gfortran (see
     # https://github.com/NixOS/nixpkgs/pull/209870#issuecomment-1500550903)
-    + optionalString (libcxx == null && (if grossHackForStagingNext then isClang else true) && (useGccForLibs && gccForLibs.langCC or false)) ''
+    + optionalString (libcxx == null && isClang && (useGccForLibs && gccForLibs.langCC or false)) ''
       for dir in ${gccForLibs}${lib.optionalString (hostPlatform != targetPlatform) "/${targetPlatform.config}"}/include/c++/*; do
         echo "-isystem $dir" >> $out/nix-support/libcxx-cxxflags
       done
diff --git a/pkgs/build-support/setup-hooks/auto-patchelf.py b/pkgs/build-support/setup-hooks/auto-patchelf.py
index e731feb1b1256..bb13d2473f6dd 100644
--- a/pkgs/build-support/setup-hooks/auto-patchelf.py
+++ b/pkgs/build-support/setup-hooks/auto-patchelf.py
@@ -167,7 +167,7 @@ class Dependency:
     found: bool = False     # Whether it was found somewhere
 
 
-def auto_patchelf_file(path: Path, runtime_deps: list[Path]) -> list[Dependency]:
+def auto_patchelf_file(path: Path, runtime_deps: list[Path], append_rpaths: List[Path] = []) -> list[Dependency]:
     try:
         with open_elf(path) as elf:
 
@@ -235,6 +235,8 @@ def auto_patchelf_file(path: Path, runtime_deps: list[Path]) -> list[Dependency]
             dependencies.append(Dependency(path, dep, False))
             print(f"    {dep} -> not found!")
 
+    rpath.extend(append_rpaths)
+
     # Dedup the rpath
     rpath_str = ":".join(dict.fromkeys(map(Path.as_posix, rpath)))
 
@@ -251,8 +253,9 @@ def auto_patchelf(
         paths_to_patch: List[Path],
         lib_dirs: List[Path],
         runtime_deps: List[Path],
-        recursive: bool =True,
-        ignore_missing: List[str] = []) -> None:
+        recursive: bool = True,
+        ignore_missing: List[str] = [],
+        append_rpaths: List[Path] = []) -> None:
 
     if not paths_to_patch:
         sys.exit("No paths to patch, stopping.")
@@ -265,7 +268,7 @@ def auto_patchelf(
     dependencies = []
     for path in chain.from_iterable(glob(p, '*', recursive) for p in paths_to_patch):
         if not path.is_symlink() and path.is_file():
-            dependencies += auto_patchelf_file(path, runtime_deps)
+            dependencies += auto_patchelf_file(path, runtime_deps, append_rpaths)
 
     missing = [dep for dep in dependencies if not dep.found]
 
@@ -312,6 +315,12 @@ def main() -> None:
     parser.add_argument(
         "--runtime-dependencies", nargs="*", type=Path,
         help="Paths to prepend to the runtime path of executable binaries.")
+    parser.add_argument(
+        "--append-rpaths",
+        nargs="*",
+        type=Path,
+        help="Paths to append to all runtime paths unconditionally",
+    )
 
     print("automatically fixing dependencies for ELF files")
     args = parser.parse_args()
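Review bot: `--append-rpaths` is declared with `nargs="*"` and no `default`, so `args.append_rpaths` is `None` when the flag is omitted. `main()` passes that value explicitly, and it reaches `rpath.extend(append_rpaths)` in `auto_patchelf_file`, which raises `TypeError`. The shell hook always passes the flag, so this only shows when the script is run directly. Adding `default=[]` to this `add_argument` call fixes it; the `= []` defaults on the two signatures do not help here, since the argument is always supplied. Separately, the new `auto_patchelf_file` signature mixes `list[Path]` and `List[Path]` on one line.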
@@ -322,7 +331,8 @@ def main() -> None:
         args.libs,
         args.runtime_dependencies,
         args.recursive,
-        args.ignore_missing)
+        args.ignore_missing,
+        append_rpaths=args.append_rpaths)
 
 
 interpreter_path: Path  = None # type: ignore
diff --git a/pkgs/build-support/setup-hooks/auto-patchelf.sh b/pkgs/build-support/setup-hooks/auto-patchelf.sh
index 55467b9ec7b8a..0625565606f3c 100644
--- a/pkgs/build-support/setup-hooks/auto-patchelf.sh
+++ b/pkgs/build-support/setup-hooks/auto-patchelf.sh
@@ -61,6 +61,7 @@ autoPatchelf() {
         ignoreMissingDepsArray=( "*" )
     fi
 
+    local appendRunpathsArray=($appendRunpaths)
     local runtimeDependenciesArray=($runtimeDependencies)
     @pythonInterpreter@ @autoPatchelfScript@                            \
         ${norecurse:+--no-recurse}                                      \
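Review bot: `local appendRunpathsArray=($appendRunpaths)` expands the variable unquoted, so its value goes through word splitting and pathname expansion before it reaches the script. A literal `$ORIGIN` entry survives that, but an entry containing whitespace or a glob character (`*`, `?`, `[`) would be split or replaced by matching file names from the build directory, and the result ends up in the rpath. This mirrors the existing `runtimeDependenciesArray` line, so it is consistent with the file; a comment such as `# whitespace-separated list; entries must not contain spaces or glob characters` would make the constraint explicit. `autoPatchelf` starts before the hunk and continues after it.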
@@ -68,7 +69,8 @@ autoPatchelf() {
         --paths "$@"                                                    \
         --libs "${autoPatchelfLibs[@]}"                                 \
                "${extraAutoPatchelfLibs[@]}"                            \
-        --runtime-dependencies "${runtimeDependenciesArray[@]/%//lib}"
+        --runtime-dependencies "${runtimeDependenciesArray[@]/%//lib}"  \
+        --append-rpaths "${appendRunpathsArray[@]}"
 }
 
 # XXX: This should ultimately use fixupOutputHooks but we currently don't have
diff --git a/pkgs/build-support/setup-hooks/strip.sh b/pkgs/build-support/setup-hooks/strip.sh
index f5e3bdced6995..849148e92149d 100644
--- a/pkgs/build-support/setup-hooks/strip.sh
+++ b/pkgs/build-support/setup-hooks/strip.sh
@@ -39,8 +39,8 @@ _doStrip() {
         if [[ "${dontStrip-}" || "${flag-}" ]] || ! type -f "${stripCmd-}" 2>/dev/null 1>&2
         then continue; fi
 
-        stripDirs "$stripCmd" "$ranlibCmd" "$debugDirList" "${stripDebugFlags[*]:--S}"
-        stripDirs "$stripCmd" "$ranlibCmd" "$allDirList" "${stripAllFlags[*]:--s}"
+        stripDirs "$stripCmd" "$ranlibCmd" "$debugDirList" "${stripDebugFlags[*]:--S -p}"
+        stripDirs "$stripCmd" "$ranlibCmd" "$allDirList" "${stripAllFlags[*]:--s -p}"
     done
 }
 
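Review bot: `-p` is only part of the fallback value in `${stripDebugFlags[*]:--S -p}` and `${stripAllFlags[*]:--s -p}`, so a package that sets either variable replaces the whole default and silently loses `-p`. If timestamp preservation is meant to hold for every strip invocation, the flag should be passed separately from the overridable ones; if not, a comment should say so, e.g. `# -p (preserve dates) is part of the default only; overriding the flags drops it`. The fallback is now two words inside one quoted argument, which relies on `stripDirs` splitting it again, and that function is not visible here.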
diff --git a/pkgs/development/compilers/cudatoolkit/redist/build-cuda-redist-package.nix b/pkgs/development/compilers/cudatoolkit/redist/build-cuda-redist-package.nix
index a0242a91a03b3..e750cca5973c2 100644
--- a/pkgs/development/compilers/cudatoolkit/redist/build-cuda-redist-package.nix
+++ b/pkgs/development/compilers/cudatoolkit/redist/build-cuda-redist-package.nix
@@ -38,6 +38,12 @@ backendStdenv.mkDerivation {
     stdenv.cc.cc.lib
   ];
 
+  # Picked up by autoPatchelf
+  # Needed e.g. for libnvrtc to locate (dlopen) libnvrtc-builtins
+  appendRunpaths = [
+    "$ORIGIN"
+  ];
+
   dontBuild = true;
 
   # TODO: choose whether to install static/dynamic libs
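Review bot: The comment explains why `$ORIGIN` is needed for libnvrtc but not that the entry is applied to every ELF file in the package, which is what the hook's `--append-rpaths` does ("to all runtime paths unconditionally"). For executables this means the binary's own directory is searched for libraries, which is only harmless while the files stay in a location other users cannot write to. I would extend the comment, e.g. `# Literal $ORIGIN (expanded by the dynamic loader, not by Nix or the shell); added to the runpath of every ELF file in this package`. The derivation continues outside the hunk.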
diff --git a/pkgs/development/compilers/gcc/12/default.nix b/pkgs/development/compilers/gcc/12/default.nix
index 1b7d61bb2af18..a3e8faaed460b 100644
--- a/pkgs/development/compilers/gcc/12/default.nix
+++ b/pkgs/development/compilers/gcc/12/default.nix
@@ -29,7 +29,6 @@
 , buildPackages
 , libxcrypt
 , disableGdbPlugin ? !enablePlugin
-, disableBootstrap ? !stdenv.hostPlatform.isDarwin
 , nukeReferences
 , callPackage
 }:
@@ -57,6 +56,7 @@ with builtins;
 
 let majorVersion = "12";
     version = "${majorVersion}.2.0";
+    disableBootstrap = !stdenv.hostPlatform.isDarwin;
 
     inherit (stdenv) buildPlatform hostPlatform targetPlatform;
 
diff --git a/pkgs/development/compilers/gcc/builder.sh b/pkgs/development/compilers/gcc/builder.sh
index a2155360edeed..5147df1e4cc0d 100644
--- a/pkgs/development/compilers/gcc/builder.sh
+++ b/pkgs/development/compilers/gcc/builder.sh
@@ -262,7 +262,7 @@ postInstall() {
     fi
 
     # Get rid of some "fixed" header files
-    rm -rfv $out/lib/gcc/*/*/include-fixed/{root,linux,sys/mount.h}
+    rm -rfv $out/lib/gcc/*/*/include-fixed/{root,linux,sys/mount.h,bits/statx.h}
 
     # Replace hard links for i686-pc-linux-gnu-gcc etc. with symlinks.
     for i in $out/bin/*-gcc*; do
diff --git a/pkgs/development/compilers/gcc/common/configure-flags.nix b/pkgs/development/compilers/gcc/common/configure-flags.nix
index eadc6967acfc9..e0f7ccc7b59a3 100644
--- a/pkgs/development/compilers/gcc/common/configure-flags.nix
+++ b/pkgs/development/compilers/gcc/common/configure-flags.nix
@@ -44,6 +44,9 @@ let
   inherit (stdenv)
     buildPlatform hostPlatform targetPlatform;
 
+  # See https://github.com/NixOS/nixpkgs/pull/209870#issuecomment-1500550903
+  disableBootstrap' = disableBootstrap && !langFortran;
+
   crossMingw = targetPlatform != hostPlatform && targetPlatform.libc == "msvcrt";
   crossDarwin = targetPlatform != hostPlatform && targetPlatform.libc == "libSystem";
 
@@ -217,7 +220,7 @@ let
     # TODO: aarch64-darwin has clang stdenv and its arch and cpu flag values are incompatible with gcc
     ++ lib.optionals (!(stdenv.isDarwin && stdenv.isAarch64)) (import ../common/platform-flags.nix { inherit (stdenv)  targetPlatform; inherit lib; })
     ++ lib.optionals (targetPlatform != hostPlatform) crossConfigureFlags
-    ++ lib.optional disableBootstrap "--disable-bootstrap"
+    ++ lib.optional disableBootstrap' "--disable-bootstrap"
 
     # Platform-specific flags
     ++ lib.optional (targetPlatform == hostPlatform && targetPlatform.isx86_32) "--with-arch=${stdenv.hostPlatform.parsed.cpu.name}"
diff --git a/pkgs/development/compilers/gcc/common/platform-flags.nix b/pkgs/development/compilers/gcc/common/platform-flags.nix
index bd5a72f960364..c0593cd781ed4 100644
--- a/pkgs/development/compilers/gcc/common/platform-flags.nix
+++ b/pkgs/development/compilers/gcc/common/platform-flags.nix
@@ -1,7 +1,8 @@
 { lib, targetPlatform }:
 
 let
-  p =  targetPlatform.gcc or {}
+  gcc = targetPlatform.gcc or {};
+  p =  gcc
     // targetPlatform.parsed.abi;
 in lib.concatLists [
   (lib.optional (!targetPlatform.isx86_64 && p ? arch) "--with-arch=${p.arch}") # --with-arch= is unknown flag on x86_64
@@ -10,7 +11,18 @@ in lib.concatLists [
   (lib.optional (p ? fpu) "--with-fpu=${p.fpu}")
   (lib.optional (p ? float) "--with-float=${p.float}")
   (lib.optional (p ? mode) "--with-mode=${p.mode}")
-  (lib.optional
-    (let tp = targetPlatform; in tp.isPower && tp.libc == "glibc" && tp.is64bit)
-    "--with-long-double-128")
+  (lib.optionals targetPlatform.isPower64
+    # musl explicitly rejects 128-bit long double on
+    # powerpc64; see musl/arch/powerpc64/bits/float.h
+    (lib.optionals
+      (!targetPlatform.isMusl
+       && (targetPlatform.isLittleEndian ||
+           # "... --with-long-double-format is only supported if the default cpu is power7 or newer"
+           #  https://github.com/NixOS/nixpkgs/pull/170215#issuecomment-1202164709
+           (lib.lists.elem
+             (lib.strings.substring 0 6 (p.cpu or ""))
+             [ "power7" "power8" "power9" "power1"/*0, 11, etc*/ ]))) [
+      "--with-long-double-128"
+      "--with-long-double-format=${gcc.long-double-format or "ieee"}"
+    ]))
 ]
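Review bot: The old condition required `tp.libc == "glibc"`, while the new one only excludes musl with `!targetPlatform.isMusl`, so any other libc on a 64-bit Power target now also receives `--with-long-double-128` and `--with-long-double-format=`. If only glibc is known to support these, keep the positive check by writing `targetPlatform.libc == "glibc"` in place of `!targetPlatform.isMusl`. The fallback `or "ieee"` presumably changes the `long double` format for targets that used to get only `--with-long-double-128`, and a comment next to the flag should say that this is an ABI choice. The prefix test via `substring 0 6` against `"power1"` accepts any cpu name beginning with `power1`, which the inline `/*0, 11, etc*/` hints at but does not state.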
diff --git a/pkgs/development/compilers/llvm/13/default.nix b/pkgs/development/compilers/llvm/13/default.nix
index 528bfbe5314a4..0bc17119125b7 100644
--- a/pkgs/development/compilers/llvm/13/default.nix
+++ b/pkgs/development/compilers/llvm/13/default.nix
@@ -1,5 +1,4 @@
 { lowPrio, newScope, pkgs, lib, stdenv, cmake
-, stdenv-tmpDropB
 , gccForLibs, preLibcCrossHeaders
 , libxml2, python3, isl, fetchFromGitHub, overrideCC, wrapCCWith, wrapBintoolsWith
 , buildLlvmTools # tools, but from the previous stage, for cross
@@ -237,14 +236,14 @@ let
       inherit llvm_meta;
       stdenv = if stdenv.hostPlatform.useLLVM or false
                then overrideCC stdenv buildLlvmTools.clangNoCompilerRtWithLibc
-               else stdenv-tmpDropB;
+               else stdenv;
     };
 
     compiler-rt-no-libc = callPackage ./compiler-rt {
       inherit llvm_meta;
       stdenv = if stdenv.hostPlatform.useLLVM or false
                then overrideCC stdenv buildLlvmTools.clangNoCompilerRt
-               else stdenv-tmpDropB;
+               else stdenv;
     };
 
     # N.B. condition is safe because without useLLVM both are the same.
diff --git a/pkgs/development/compilers/llvm/rocm/default.nix b/pkgs/development/compilers/llvm/rocm/default.nix
index e47b69c56b874..7c82cc4330b96 100644
--- a/pkgs/development/compilers/llvm/rocm/default.nix
+++ b/pkgs/development/compilers/llvm/rocm/default.nix
@@ -1,6 +1,5 @@
 { lib
 , stdenv
-, stdenv-tmpDropB
 , callPackage
 , overrideCC
 , wrapCCWith
@@ -79,8 +78,6 @@ let
 
   # Runtimes
   runtimes = callPackage ./llvm.nix {
-    stdenv = stdenv-tmpDropB;
-
     buildDocs = false;
     buildMan = false;
     buildTests = false;
diff --git a/pkgs/development/compilers/rust/1_68.nix b/pkgs/development/compilers/rust/1_68.nix
index d691a30c51b5f..54c9c4a9f1ad0 100644
--- a/pkgs/development/compilers/rust/1_68.nix
+++ b/pkgs/development/compilers/rust/1_68.nix
@@ -17,6 +17,7 @@
 , makeRustPlatform
 , llvmPackages_11
 , llvmPackages_15, llvm_15
+, fetchpatch
 } @ args:
 
 import ./default.nix {
@@ -57,7 +58,16 @@ import ./default.nix {
 
   selectRustPackage = pkgs: pkgs.rust_1_68;
 
-  rustcPatches = [ ];
+  rustcPatches = [
+    # Fixes ICE.
+    # https://github.com/rust-lang/rust/pull/107688
+    (fetchpatch {
+      name = "re-erased-regions-are-local.patch";
+      url = "https://github.com/rust-lang/rust/commit/9d110847ab7f6aef56a8cd20cb6cea4fbcc51cd9.patch";
+      excludes = [ "*tests/*" ];
+      hash = "sha256-EZH5K1BEOOfi97xZr1xEHFP4jjvJ1+xqtRMvxBoL8pU=";
+    })
+  ];
 }
 
-(builtins.removeAttrs args [ "pkgsBuildHost" "llvmPackages_11" "llvmPackages_15" "llvm_15"])
+(builtins.removeAttrs args [ "fetchpatch" "pkgsBuildHost" "llvmPackages_11" "llvmPackages_15" "llvm_15"])
diff --git a/pkgs/development/compilers/rust/rustc.nix b/pkgs/development/compilers/rust/rustc.nix
index 75e8a451105c5..a8e8cf68fe3a3 100644
--- a/pkgs/development/compilers/rust/rustc.nix
+++ b/pkgs/development/compilers/rust/rustc.nix
@@ -21,7 +21,7 @@ let
   inherit (lib) optionals optional optionalString concatStringsSep;
   inherit (darwin.apple_sdk.frameworks) Security;
 in stdenv.mkDerivation rec {
-  pname = "rustc";
+  pname = "${pkgsBuildTarget.targetPackages.stdenv.cc.targetPrefix}rustc";
   inherit version;
 
   src = fetchurl {
diff --git a/pkgs/development/compilers/sbcl/2.x.nix b/pkgs/development/compilers/sbcl/2.x.nix
index 437e2e90562d6..73794e3ec7282 100644
--- a/pkgs/development/compilers/sbcl/2.x.nix
+++ b/pkgs/development/compilers/sbcl/2.x.nix
@@ -26,6 +26,10 @@ let
     "2.3.0" = {
       sha256 = "sha256-v3Q5SXEq4Cy3ST87i1fOJBlIv2ETHjaGDdszTaFDnJc=";
     };
+
+    "2.3.2" = {
+      sha256 = "sha256-RMwWLPpjMqmojHoSHRkDiCikuk9r/7d+8cexdAfLHqo=";
+    };
   };
 
 in with versionMap.${version};
diff --git a/pkgs/development/interpreters/python/default.nix b/pkgs/development/interpreters/python/default.nix
index dfbbdd74c7184..4643980a66ceb 100644
--- a/pkgs/development/interpreters/python/default.nix
+++ b/pkgs/development/interpreters/python/default.nix
@@ -121,20 +121,20 @@
       sourceVersion = {
         major = "3";
         minor = "10";
-        patch = "10";
+        patch = "11";
         suffix = "";
       };
-      hash = "sha256-BBnpCFv1G3pnIAmz9Q2/GFms3xi6cl0OwZqlyFA/DqM=";
+      hash = "sha256-PDvDBIMDchyQSgPrgya2Mekh8RzDvimIRWpC8RXa8Ew=";
     };
 
     python311 = {
       sourceVersion = {
         major = "3";
         minor = "11";
-        patch = "2";
+        patch = "3";
         suffix = "";
       };
-      hash = "sha256-KeS49fFlhUKowT4t0nc1jJxI8rL3MYZS7xZ15AK50q8=";
+      hash = "sha256-il25nJYafs8nx1lWGJyWAslodR8R2+riuQDb/xwIW14=";
     };
   };
 
diff --git a/pkgs/development/interpreters/ruby/default.nix b/pkgs/development/interpreters/ruby/default.nix
index 99a77bfedc7c0..702780b999b3a 100644
--- a/pkgs/development/interpreters/ruby/default.nix
+++ b/pkgs/development/interpreters/ruby/default.nix
@@ -51,7 +51,7 @@ let
       , buildEnv, bundler, bundix
       , libiconv, libobjc, libunwind, Foundation
       , makeBinaryWrapper, buildRubyGem, defaultGemConfig
-      , baseRuby ? buildPackages.ruby_3_1.override {
+      , baseRuby ? buildPackages.ruby.override {
           docSupport = false;
           rubygemsSupport = false;
         }
diff --git a/pkgs/development/interpreters/ruby/rubygems/default.nix b/pkgs/development/interpreters/ruby/rubygems/default.nix
index 2ff5b6985747d..4577d6d33b37b 100644
--- a/pkgs/development/interpreters/ruby/rubygems/default.nix
+++ b/pkgs/development/interpreters/ruby/rubygems/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "rubygems";
-  version = "3.4.8";
+  version = "3.4.12";
 
   src = fetchurl {
     url = "https://rubygems.org/rubygems/rubygems-${version}.tgz";
-    sha256 = "sha256-0FlDZJNJJGVkvBmKWNBqNRaTto6ciCOuQEK6uq6dotQ=";
+    sha256 = "sha256-WFCnwvw4DN09pwShznuwSNQtSACTPfULiSAmW1hF4Vs=";
   };
 
   patches = [
diff --git a/pkgs/development/libraries/SDL2/default.nix b/pkgs/development/libraries/SDL2/default.nix
index 681dd6515cd13..c017948dd0ce2 100644
--- a/pkgs/development/libraries/SDL2/default.nix
+++ b/pkgs/development/libraries/SDL2/default.nix
@@ -23,7 +23,7 @@
 , wayland
 , wayland-protocols
 , wayland-scanner
-, drmSupport ? stdenv.isLinux && !stdenv.hostPlatform.isAndroid
+, drmSupport ? false
 , libdrm
 , mesa
 , libxkbcommon
@@ -86,13 +86,14 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ pkg-config ] ++ lib.optionals waylandSupport [ wayland wayland-scanner ];
 
-  propagatedBuildInputs = dlopenPropagatedBuildInputs;
-
   dlopenPropagatedBuildInputs = [ ]
     # Propagated for #include <GLES/gl.h> in SDL_opengles.h.
     ++ lib.optional openglSupport libGL
     # Propagated for #include <X11/Xlib.h> and <X11/Xatom.h> in SDL_syswm.h.
-    ++ lib.optionals x11Support [ libX11 xorgproto ];
+    ++ lib.optionals x11Support [ libX11 ];
+
+  propagatedBuildInputs = lib.optionals x11Support [ xorgproto ]
+    ++ dlopenPropagatedBuildInputs;
 
   dlopenBuildInputs = lib.optionals alsaSupport [ alsa-lib audiofile ]
     ++ lib.optional dbusSupport dbus
@@ -100,13 +101,14 @@ stdenv.mkDerivation rec {
     ++ lib.optional pipewireSupport pipewire
     ++ lib.optional pulseaudioSupport libpulseaudio
     ++ lib.optional udevSupport udev
-    ++ lib.optionals waylandSupport [ wayland wayland-protocols libxkbcommon ]
+    ++ lib.optionals waylandSupport [ wayland libxkbcommon ]
     ++ lib.optionals x11Support [ libICE libXi libXScrnSaver libXcursor libXinerama libXext libXrandr libXxf86vm ]
     ++ lib.optionals drmSupport [ libdrm mesa ];
 
   buildInputs = [ libiconv ]
     ++ dlopenBuildInputs
     ++ lib.optional ibusSupport ibus
+    ++ lib.optionals waylandSupport [ wayland-protocols ]
     ++ lib.optionals stdenv.isDarwin [ AudioUnit Cocoa CoreAudio CoreServices ForceFeedback OpenGL ];
 
   enableParallelBuilding = true;
diff --git a/pkgs/development/libraries/apr-util/default.nix b/pkgs/development/libraries/apr-util/default.nix
index 594ecfbdb306a..dd4b157d7a239 100644
--- a/pkgs/development/libraries/apr-util/default.nix
+++ b/pkgs/development/libraries/apr-util/default.nix
@@ -48,6 +48,8 @@ stdenv.mkDerivation rec {
     lib.optionalString (stdenv.buildPlatform != stdenv.hostPlatform) ''
       substituteInPlace Makefile \
         --replace "-ldb-6.9" "-ldb"
+      substituteInPlace apu-1-config \
+        --replace "-ldb-6.9" "-ldb"
   '';
 
   propagatedBuildInputs = [ apr expat libiconv libxcrypt ]
diff --git a/pkgs/development/libraries/audiofile/default.nix b/pkgs/development/libraries/audiofile/default.nix
index 64c6d8ee4f516..7366c6e36377a 100644
--- a/pkgs/development/libraries/audiofile/default.nix
+++ b/pkgs/development/libraries/audiofile/default.nix
@@ -26,6 +26,8 @@ stdenv.mkDerivation rec {
     sha256 = "0rb927zknk9kmhprd8rdr4azql4gn2dp75a36iazx2xhkbqhvind";
   };
 
+  outputs = [ "out" "dev" "man" ];
+
   # fix build with gcc9
   NIX_CFLAGS_LINK = lib.optional (stdenv.system == "i686-linux") "-lgcc";
 
diff --git a/pkgs/development/libraries/celt/generic.nix b/pkgs/development/libraries/celt/generic.nix
index 3b47b1d5e72bd..1ddc016d66b1c 100644
--- a/pkgs/development/libraries/celt/generic.nix
+++ b/pkgs/development/libraries/celt/generic.nix
@@ -12,6 +12,8 @@ stdenv.mkDerivation {
 
   inherit src;
 
+  outputs = [ "out" "dev" ];
+
   inherit prePatch;
 
   buildInputs = []
diff --git a/pkgs/development/libraries/directfb/default.nix b/pkgs/development/libraries/directfb/default.nix
index 0f4e62789a27b..6e2b28a46168e 100644
--- a/pkgs/development/libraries/directfb/default.nix
+++ b/pkgs/development/libraries/directfb/default.nix
@@ -25,6 +25,14 @@ stdenv.mkDerivation rec {
     })
   ];
 
+  postPatch = ''
+    # https://github.com/deniskropp/DirectFB/blob/master/src/core/Makefile.am#L15
+    # BUILDTIME is embedded in the result
+    # if switching to cmake then a similar substitution has to be done
+    substituteInPlace src/core/Makefile.am \
+      --replace '`date -u "+%Y-%m-%d %H:%M"`' "`date -u \"+%Y-%m-%d %H:%M\" --date="@''${SOURCE_DATE_EPOCH}"`"
+  '';
+
   nativeBuildInputs = [ autoreconfHook perl pkg-config flux ];
 
   buildInputs = [ zlib libjpeg freetype giflib libpng ]
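Review bot: The replacement argument is double-quoted, so its backtick command is run by the shell during `postPatch` and `Makefile.am` receives a fixed date string rather than a `date` command; the comment should say so, because "a similar substitution" is otherwise hard to reproduce. The quoting mixes escaped `\"` and unescaped `"` inside backticks inside double quotes, which is easy to break on the next edit. Writing the second argument as `"$(date -u '+%Y-%m-%d %H:%M' --date="@$SOURCE_DATE_EPOCH")"` is equivalent, nests cleanly, and needs no `''${...}` escape in the Nix string. If upstream ever changes the matched text, the substitution may stop applying and the build time would be embedded again, so a check that the pattern was found is worth considering.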
diff --git a/pkgs/development/libraries/directx-headers/default.nix b/pkgs/development/libraries/directx-headers/default.nix
index 6d3cc19754641..233b96304a02c 100644
--- a/pkgs/development/libraries/directx-headers/default.nix
+++ b/pkgs/development/libraries/directx-headers/default.nix
@@ -1,13 +1,13 @@
 { lib, stdenv, fetchFromGitHub, meson, ninja }:
 stdenv.mkDerivation rec {
   pname = "directx-headers";
-  version = "1.608.2b";
+  version = "1.610.0";
 
   src = fetchFromGitHub {
     owner = "microsoft";
     repo = "DirectX-Headers";
     rev = "v${version}";
-    hash = "sha256-o4p8L2VKvMHdu1L2I1JI6pwIRtnyVCoKebg9yKTk1T8=";
+    hash = "sha256-lPYXAMFSyU3FopWdE6dDRWD6sVKcjxDVsTbgej/T2sk=";
   };
 
   nativeBuildInputs = [ meson ninja ];
diff --git a/pkgs/development/libraries/egl-wayland/default.nix b/pkgs/development/libraries/egl-wayland/default.nix
index 1a8c0921a8071..e6468abf4edc9 100644
--- a/pkgs/development/libraries/egl-wayland/default.nix
+++ b/pkgs/development/libraries/egl-wayland/default.nix
@@ -7,7 +7,7 @@
 , wayland-scanner
 , libGL
 , libX11
-, mesa
+, libdrm
 , wayland
 , wayland-protocols
 }:
@@ -68,7 +68,7 @@ in stdenv.mkDerivation rec {
     eglexternalplatform
     libGL
     libX11
-    mesa
+    libdrm
     wayland
     wayland-protocols
   ];
diff --git a/pkgs/development/libraries/ffmpeg/generic.nix b/pkgs/development/libraries/ffmpeg/generic.nix
index 0ece46f326687..0870a9fde1f7a 100644
--- a/pkgs/development/libraries/ffmpeg/generic.nix
+++ b/pkgs/development/libraries/ffmpeg/generic.nix
@@ -52,6 +52,7 @@
 , withIlbc ? withFullDeps
 , withJack ? withFullDeps && !stdenv.isDarwin # Jack audio
 , withLadspa ? withFullDeps # LADSPA audio filtering
+, withLibplacebo ? withFullDeps && !stdenv.isDarwin # libplacebo video processing library
 , withLzma ? withHeadlessDeps # xz-utils
 , withMfx ? withFullDeps && (with stdenv.targetPlatform; isLinux && !isAarch) # Hardware acceleration via intel-media-sdk/libmfx
 , withModplug ? withFullDeps && !stdenv.isDarwin # ModPlug support
@@ -209,6 +210,7 @@
 , libogg
 , libopenmpt
 , libopus
+, libplacebo
 , librsvg
 , libssh
 , libtheora
@@ -288,7 +290,7 @@
  */
 
 let
-  inherit (lib) optional optionals optionalString enableFeature;
+  inherit (lib) optional optionals optionalString enableFeature versionAtLeast;
 in
 
 
@@ -469,6 +471,7 @@ stdenv.mkDerivation (finalAttrs: {
     (enableFeature withModplug "libmodplug")
     (enableFeature withMysofa "libmysofa")
     (enableFeature withOpus "libopus")
+    (optionalString (versionAtLeast version "5.0" && withLibplacebo) "--enable-libplacebo")
     (enableFeature withSvg "librsvg")
     (enableFeature withSrt "libsrt")
     (enableFeature withSsh "libssh")
@@ -571,6 +574,7 @@ stdenv.mkDerivation (finalAttrs: {
   ++ optionals withIconv [ libiconv ] # On Linux this should be in libc, do we really need it?
   ++ optionals withJack [ libjack2 ]
   ++ optionals withLadspa [ ladspaH ]
+  ++ optionals withLibplacebo [ libplacebo vulkan-headers ]
   ++ optionals withLzma [ xz ]
   ++ optionals withMfx [ intel-media-sdk ]
   ++ optionals withModplug [ libmodplug ]
diff --git a/pkgs/development/libraries/gettext/default.nix b/pkgs/development/libraries/gettext/default.nix
index 81f7abc90a388..5443f1eeac0d5 100644
--- a/pkgs/development/libraries/gettext/default.nix
+++ b/pkgs/development/libraries/gettext/default.nix
@@ -1,4 +1,6 @@
-{ stdenv, lib, fetchurl, fetchpatch, libiconv, xz, bash }:
+{ stdenv, lib, fetchurl, fetchpatch, libiconv, xz, bash
+, gnulib
+}:
 
 # Note: this package is used for bootstrapping fetchurl, and thus
 # cannot use fetchpatch! All mutable patches (generated by GitHub or
@@ -45,6 +47,14 @@ stdenv.mkDerivation rec {
   '' + lib.optionalString stdenv.hostPlatform.isCygwin ''
     sed -i -e "s/\(cldr_plurals_LDADD = \)/\\1..\/gnulib-lib\/libxml_rpl.la /" gettext-tools/src/Makefile.in
     sed -i -e "s/\(libgettextsrc_la_LDFLAGS = \)/\\1..\/gnulib-lib\/libxml_rpl.la /" gettext-tools/src/Makefile.in
+  '' +
+  # This change to gettext's vendored copy of gnulib is already
+  # merged upstream; we can drop this patch on the next version
+  # bump.  It must be applied twice because gettext vendors gnulib
+  # not once, but twice!
+  ''
+    patch -p2 -d gettext-tools/gnulib-lib/ < ${gnulib.passthru.longdouble-redirect-patch}
+    patch -p2 -d gettext-tools/libgrep/    < ${gnulib.passthru.longdouble-redirect-patch}
   '';
 
   strictDeps = true;
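Review bot: The note at the top of this file says gettext is used for bootstrapping fetchurl and "cannot use fetchpatch", and this hunk now takes a patch from `gnulib.passthru.longdouble-redirect-patch`, whose origin is not visible here. If that attribute is produced by `fetchpatch`, or by anything that itself depends on gettext, the bootstrap restriction is bypassed indirectly; it should be a file in the tree or a plain `fetchurl` with a pinned hash. Once confirmed, the comment could record it, e.g. `# the patch is a path exported by gnulib, not a fetched file`. The string this is appended to starts before the hunk.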
diff --git a/pkgs/development/libraries/glibc/default.nix b/pkgs/development/libraries/glibc/default.nix
index 8ad9c90ff7ac7..1c0c1b09e1542 100644
--- a/pkgs/development/libraries/glibc/default.nix
+++ b/pkgs/development/libraries/glibc/default.nix
@@ -63,6 +63,13 @@ in
             # Same for musl: https://github.com/NixOS/nixpkgs/issues/78805
             "-Wno-error=missing-attributes"
           ])
+          (lib.optionals (stdenv.hostPlatform.isPower64) [
+            # Do not complain about the Processor Specific ABI (i.e. the
+            # choice to use IEEE-standard `long double`).  We pass this
+            # flag in order to mute a `-Werror=psabi` passed by glibc;
+            # hopefully future glibc releases will not pass that flag.
+            "-Wno-error=psabi"
+          ])
         ]);
     };
 
diff --git a/pkgs/development/libraries/gnu-config/default.nix b/pkgs/development/libraries/gnu-config/default.nix
index 0b7650199923e..be804859deb5e 100644
--- a/pkgs/development/libraries/gnu-config/default.nix
+++ b/pkgs/development/libraries/gnu-config/default.nix
@@ -1,20 +1,20 @@
 { lib, stdenv, fetchurl }:
 
 let
-  rev = "6faca61810d335c7837f320733fe8e15a1431fc2";
+  rev = "63acb96f92473ceb5e21d873d7c0aee266b3d6d3";
 
   # Don't use fetchgit as this is needed during Aarch64 bootstrapping
   configGuess = fetchurl {
     url = "https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=${rev}";
-    sha256 = "06wkkhpbx9slmknr2g7mcd8x3zsdhnmmay25l31h3rkdp1wkq7kx";
+    sha256 = "049qgfh4xjd4fxd7ygm1phd5faqphfvhfcv8dsdldprsp86lf55v";
   };
   configSub = fetchurl {
     url = "https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=${rev}";
-    sha256 = "1qkph8cqanmgy3s4a18bm1a4vk62i8pf8cy5pc1hkpqwn4g6l0di";
+    sha256 = "1rk30y27mzls49wyfdb5jhzjr08hkxl7xqhnxmhcmkvqlmpsjnxl";
   };
 in stdenv.mkDerivation {
   pname = "gnu-config";
-  version = "2021-01-25";
+  version = "2023-01-21";
 
   buildCommand = ''
     mkdir -p $out
@@ -34,7 +34,7 @@ in stdenv.mkDerivation {
     #   configuration script generated by Autoconf, you may include it under
     #   the same distribution terms that you use for the rest of that
     #   program.
-    maintainers = [ maintainers.dezgeg ];
+    maintainers = with maintainers; [ dezgeg emilytrau ];
     platforms = platforms.all;
   };
 }
diff --git a/pkgs/development/libraries/goffice/default.nix b/pkgs/development/libraries/goffice/default.nix
index 36a9c79ea6879..ece0f168ec55a 100644
--- a/pkgs/development/libraries/goffice/default.nix
+++ b/pkgs/development/libraries/goffice/default.nix
@@ -27,7 +27,6 @@ stdenv.mkDerivation rec {
   buildInputs = [ libxslt librsvg ];
 
   enableParallelBuilding = true;
-  doCheck = !stdenv.hostPlatform.isPower64;
 
   passthru = {
     updateScript = gnome.updateScript {
diff --git a/pkgs/development/libraries/gpgme/default.nix b/pkgs/development/libraries/gpgme/default.nix
index a2b7daa28de10..9571613ab8ef3 100644
--- a/pkgs/development/libraries/gpgme/default.nix
+++ b/pkgs/development/libraries/gpgme/default.nix
@@ -98,6 +98,8 @@ stdenv.mkDerivation rec {
     ++ lib.optional stdenv.hostPlatform.is32bit "-D_FILE_OFFSET_BITS=64"
   );
 
+  enableParallelBuilding = true;
+
   # prevent tests from being run during the buildPhase
   makeFlags = [ "tests=" ];
 
diff --git a/pkgs/development/libraries/gstreamer/bad/default.nix b/pkgs/development/libraries/gstreamer/bad/default.nix
index 1d2ae340a8068..717a61d82310b 100644
--- a/pkgs/development/libraries/gstreamer/bad/default.nix
+++ b/pkgs/development/libraries/gstreamer/bad/default.nix
@@ -57,7 +57,7 @@
 , neon
 , openal
 , opencv4
-, openexr
+, openexr_3
 , openh264
 , libopenmpt
 , pango
@@ -80,6 +80,7 @@
 , libGLU
 , libGL
 , addOpenGLRunpath
+, gtk3
 , libintl
 , game-music-emu
 , openssl
@@ -92,23 +93,26 @@
 , VideoToolbox
 , AudioToolbox
 , AVFoundation
+, Cocoa
 , CoreMedia
 , CoreVideo
 , Foundation
 , MediaToolbox
 , enableGplPlugins ? true
 , bluezSupport ? stdenv.isLinux
+# Checks meson.is_cross_build(), so even canExecute isn't enough.
+, enableDocumentation ? stdenv.hostPlatform == stdenv.buildPlatform, hotdoc
 }:
 
 stdenv.mkDerivation rec {
   pname = "gst-plugins-bad";
-  version = "1.20.3";
+  version = "1.22.2";
 
   outputs = [ "out" "dev" ];
 
   src = fetchurl {
     url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-ehHBO1XdHSOG3ZAiGeQcv83ajh4Ko+c4GGyVB0s12k8=";
+    hash = "sha256-PY+vHONALIU1zjqMThpslg5LVlXb2mtVlD25rHkCLQ8=";
   };
 
   patches = [
@@ -128,6 +132,8 @@ stdenv.mkDerivation rec {
     gettext
     gstreamer # for gst-tester-1.0
     gobject-introspection
+  ] ++ lib.optionals enableDocumentation [
+    hotdoc
   ] ++ lib.optionals stdenv.isLinux [
     wayland # for wayland-scanner
   ];
@@ -164,7 +170,7 @@ stdenv.mkDerivation rec {
     neon
     openal
     opencv4
-    openexr
+    openexr_3
     openh264
     rtmpdump
     pango
@@ -177,6 +183,7 @@ stdenv.mkDerivation rec {
     gnutls
     libGL
     libGLU
+    gtk3
     game-music-emu
     openssl
     libxml2
@@ -233,6 +240,7 @@ stdenv.mkDerivation rec {
     VideoToolbox
     AudioToolbox
     AVFoundation
+    Cocoa
     CoreMedia
     CoreVideo
     Foundation
@@ -241,10 +249,11 @@ stdenv.mkDerivation rec {
 
   mesonFlags = [
     "-Dexamples=disabled" # requires many dependencies and probably not useful for our users
-    "-Ddoc=disabled" # `hotdoc` not packaged in nixpkgs as of writing
     "-Dglib-asserts=disabled" # asserts should be disabled on stable releases
 
+    "-Damfcodec=disabled" # Windows-only
     "-Davtp=disabled"
+    "-Ddirectshow=disabled" # Windows-only
     "-Ddts=disabled" # required `libdca` library not packaged in nixpkgs as of writing, and marked as "BIG FAT WARNING: libdca is still in early development"
     "-Dzbar=${if enableZbar then "enabled" else "disabled"}"
     "-Dfaac=${if faacSupport then "enabled" else "disabled"}"
@@ -278,8 +287,11 @@ stdenv.mkDerivation rec {
     "-Donnx=disabled" # depends on `libonnxruntime` not packaged in nixpkgs as of writing
     "-Dopenaptx=enabled" # since gstreamer-1.20.1 `libfreeaptx` is supported for circumventing the dubious license conflict with `libopenaptx`
     "-Dbluez=${if bluezSupport then "enabled" else "disabled"}"
+    (lib.mesonEnable "doc" enableDocumentation)
   ]
   ++ lib.optionals (!stdenv.isLinux) [
+    "-Ddoc=disabled" # needs gstcuda to be enabled which is Linux-only
+    "-Dnvcodec=disabled" # Linux-only
     "-Dva=disabled" # see comment on `libva` in `buildInputs`
   ]
   ++ lib.optionals stdenv.isDarwin [
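Review bot: On non-Linux native builds the flag list now holds both `(lib.mesonEnable "doc" enableDocumentation)`, which enables `doc` whenever host and build platform match, and the later `"-Ddoc=disabled"`, so the outcome depends on which duplicate meson honours, and `hotdoc` is still pulled into `nativeBuildInputs`. Folding the platform condition into the default, e.g. `enableDocumentation ? stdenv.isLinux && stdenv.hostPlatform == stdenv.buildPlatform`, would leave a single `doc` flag and drop the unused dependency. `mesonFlags` starts before this hunk and continues after it.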
@@ -297,9 +309,12 @@ stdenv.mkDerivation rec {
     "-Dladspa=disabled" # requires lrdf
     "-Dwebrtc=disabled" # requires libnice, which as of writing doesn't work on Darwin in nixpkgs
     "-Dwildmidi=disabled" # see dependencies above
+  ] ++ lib.optionals (!stdenv.isLinux || !stdenv.isx86_64) [
+    "-Dqsv=disabled" # Linux (and Windows) x86 only
   ] ++ lib.optionals (!gst-plugins-base.glEnabled) [
     "-Dgl=disabled"
   ] ++ lib.optionals (!gst-plugins-base.waylandEnabled) [
+    "-Dgtk3=disabled" # Wayland-based GTK sink
     "-Dwayland=disabled"
   ] ++ lib.optionals (!gst-plugins-base.glEnabled) [
     # `applemedia/videotexturecache.h` requires `gst/gl/gl.h`,
@@ -323,11 +338,6 @@ stdenv.mkDerivation rec {
   postPatch = ''
     patchShebangs \
       scripts/extract-release-date-from-doap-file.py
-
-    # upstream bumps this version check one minor version at a time
-    # https://gitlab.freedesktop.org/gstreamer/gstreamer/-/blob/main/subprojects/gst-plugins-bad/ext/opencv/meson.build#L74
-    substituteInPlace ext/opencv/meson.build \
-      --replace '< 4.7.0' '< 5.0.0'
   '';
 
   # This package has some `_("string literal")` string formats
diff --git a/pkgs/development/libraries/gstreamer/bad/fix-paths.patch b/pkgs/development/libraries/gstreamer/bad/fix-paths.patch
index dfb8f5462c454..ea832cc9f60b1 100644
--- a/pkgs/development/libraries/gstreamer/bad/fix-paths.patch
+++ b/pkgs/development/libraries/gstreamer/bad/fix-paths.patch
@@ -1,21 +1,21 @@
-diff --git a/sys/nvcodec/gstcudaloader.c b/sys/nvcodec/gstcudaloader.c
-index 4223ba1fbd..ca8bb5ceb1 100644
---- a/sys/nvcodec/gstcudaloader.c
-+++ b/sys/nvcodec/gstcudaloader.c
-@@ -135,6 +135,11 @@ gst_cuda_load_library (void)
+diff --git a/gst-libs/gst/cuda/gstcudaloader.c b/gst-libs/gst/cuda/gstcudaloader.c
+index fffcbefd2b..6f738d3af3 100644
+--- a/gst-libs/gst/cuda/gstcudaloader.c
++++ b/gst-libs/gst/cuda/gstcudaloader.c
+@@ -165,6 +165,11 @@ gst_cuda_load_library (void)
      return TRUE;
  
    module = g_module_open (filename, G_MODULE_BIND_LAZY);
 +
 +  if (module == NULL) {
-+    module = g_module_open("@driverLink@/lib/" CUDA_LIBNAME, G_MODULE_BIND_LAZY);
++    module = g_module_open ("@driverLink@/lib/" CUDA_LIBNAME, G_MODULE_BIND_LAZY);
 +  }
 +
    if (module == NULL) {
      GST_WARNING ("Could not open library %s, %s", filename, g_module_error ());
      return FALSE;
 diff --git a/sys/nvcodec/gstcuvidloader.c b/sys/nvcodec/gstcuvidloader.c
-index 3c7505ca36..eeb376fa80 100644
+index e957e062e0..004ec2dcd5 100644
 --- a/sys/nvcodec/gstcuvidloader.c
 +++ b/sys/nvcodec/gstcuvidloader.c
 @@ -85,6 +85,11 @@ gst_cuvid_load_library (guint api_major_ver, guint api_minor_ver)
@@ -31,10 +31,10 @@ index 3c7505ca36..eeb376fa80 100644
      GST_WARNING ("Could not open library %s, %s", filename, g_module_error ());
      return FALSE;
 diff --git a/sys/nvcodec/gstnvenc.c b/sys/nvcodec/gstnvenc.c
-index 19637671ad..39858ccdee 100644
+index 106857a954..3bab9989f0 100644
 --- a/sys/nvcodec/gstnvenc.c
 +++ b/sys/nvcodec/gstnvenc.c
-@@ -874,6 +874,11 @@ gst_nvenc_load_library (guint * api_major_ver, guint * api_minor_ver)
+@@ -907,6 +907,11 @@ gst_nvenc_load_library (guint * api_major_ver, guint * api_minor_ver)
    };
  
    module = g_module_open (NVENC_LIBRARY_NAME, G_MODULE_BIND_LAZY);
diff --git a/pkgs/development/libraries/gstreamer/base/default.nix b/pkgs/development/libraries/gstreamer/base/default.nix
index e03f9f0b844f0..652f949f72261 100644
--- a/pkgs/development/libraries/gstreamer/base/default.nix
+++ b/pkgs/development/libraries/gstreamer/base/default.nix
@@ -7,6 +7,7 @@
 , gettext
 , python3
 , gstreamer
+, graphene
 , orc
 , pango
 , libtheora
@@ -20,17 +21,16 @@
 , libGL
 , gobject-introspection
 , enableX11 ? stdenv.isLinux
-, libXv
 , libXext
+, libXi
+, libXv
 , enableWayland ? stdenv.isLinux
 , wayland
 , wayland-protocols
 , enableAlsa ? stdenv.isLinux
 , alsa-lib
-# Enabling Cocoa seems to currently not work, giving compile
-# errors. Suspected is that a newer version than clang
-# is needed than 5.0 but it is not clear.
-, enableCocoa ? false
+# TODO: fix once x86_64-darwin sdk updated
+, enableCocoa ? (stdenv.isDarwin && stdenv.isAarch64)
 , Cocoa
 , OpenGL
 , enableGl ? (enableX11 || enableWayland || enableCocoa)
@@ -38,11 +38,14 @@
 , cdparanoia
 , glib
 , testers
+# Checks meson.is_cross_build(), so even canExecute isn't enough.
+, enableDocumentation ? stdenv.hostPlatform == stdenv.buildPlatform
+, hotdoc
 }:
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "gst-plugins-base";
-  version = "1.20.3";
+  version = "1.22.2";
 
   outputs = [ "out" "dev" ];
 
@@ -50,7 +53,7 @@ stdenv.mkDerivation (finalAttrs: {
     inherit (finalAttrs) pname version;
   in fetchurl {
     url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-fjCz3YGnA4D/dVT5mEcdaZb/drvm/FRHCW+FHiRHPJ8=";
+    hash = "sha256-62USDE7nm3oVPDwZctXAFYwhUYd8xR7Hclu6V0lnnUk=";
   };
 
   strictDeps = true;
@@ -66,13 +69,16 @@ stdenv.mkDerivation (finalAttrs: {
     orc
     glib
     gstreamer
-    # docs
-    # TODO add hotdoc here
     gobject-introspection
-  ] ++ lib.optional enableWayland wayland;
+  ] ++ lib.optionals enableDocumentation [
+    hotdoc
+  ] ++ lib.optionals enableWayland [
+    wayland
+  ];
 
   buildInputs = [
     gobject-introspection
+    graphene
     orc
     libtheora
     libintl
@@ -91,6 +97,7 @@ stdenv.mkDerivation (finalAttrs: {
     alsa-lib
   ] ++ lib.optionals enableX11 [
     libXext
+    libXi
     libXv
   ] ++ lib.optionals enableWayland [
     wayland
@@ -104,10 +111,9 @@ stdenv.mkDerivation (finalAttrs: {
 
   mesonFlags = [
     "-Dexamples=disabled" # requires many dependencies and probably not useful for our users
-    "-Ddoc=disabled" # `hotdoc` not packaged in nixpkgs as of writing
-    "-Dgl-graphene=disabled" # not packaged in nixpkgs as of writing
     # See https://github.com/GStreamer/gst-plugins-base/blob/d64a4b7a69c3462851ff4dcfa97cc6f94cd64aef/meson_options.txt#L15 for a list of choices
     "-Dgl_winsys=${lib.concatStringsSep "," (lib.optional enableX11 "x11" ++ lib.optional enableWayland "wayland" ++ lib.optional enableCocoa "cocoa")}"
+    (lib.mesonEnable "doc" enableDocumentation)
   ] ++ lib.optionals (stdenv.buildPlatform != stdenv.hostPlatform) [
     "-Dtests=disabled"
   ]
diff --git a/pkgs/development/libraries/gstreamer/core/default.nix b/pkgs/development/libraries/gstreamer/core/default.nix
index 80fc921a3679e..88101ceea41d1 100644
--- a/pkgs/development/libraries/gstreamer/core/default.nix
+++ b/pkgs/development/libraries/gstreamer/core/default.nix
@@ -11,33 +11,32 @@
 , makeWrapper
 , libcap
 , libunwind
-, darwin
 , elfutils # for libdw
 , bash-completion
 , lib
+, Cocoa
 , CoreServices
 , gobject-introspection
 , testers
+# Checks meson.is_cross_build(), so even canExecute isn't enough.
+, enableDocumentation ? stdenv.hostPlatform == stdenv.buildPlatform, hotdoc
 }:
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "gstreamer";
-  version = "1.20.3";
+  version = "1.22.2";
 
   outputs = [
     "bin"
     "out"
     "dev"
-    # "devdoc" # disabled until `hotdoc` is packaged in nixpkgs, see:
-    # - https://github.com/NixOS/nixpkgs/pull/98767
-    # - https://github.com/NixOS/nixpkgs/issues/98769#issuecomment-702296551
   ];
 
   src = let
     inherit (finalAttrs) pname version;
   in fetchurl {
     url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-YH2vZLu9X7GK+dF+IcDSLE1wL//oOyPLItGxryyiOio=";
+    hash = "sha256-sq/nNgOSHGCLpIlp27fXQ3dnRL/l2AWeziQRN7f4jiE=";
   };
 
   depsBuildBuild = [
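Review bot: The commented-out `"devdoc"` entry is removed from `outputs` while `enableDocumentation` now turns the hotdoc build on by default for native builds, so the list still contains only `bin`, `out` and `dev`, and any generated documentation will presumably be installed into one of those. If the docs are actually installed, consider `] ++ lib.optionals enableDocumentation [ "devdoc" ];` on the `outputs` list so they stay out of the runtime closure. If they are not, a one-line comment saying so would explain why hotdoc is pulled into the build. The same applies to the devtools, ges, rtsp-server and vaapi hunks that drop the same comment. The derivation body continues outside this hunk.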
@@ -57,11 +56,10 @@ stdenv.mkDerivation (finalAttrs: {
     glib
     bash-completion
     gobject-introspection
-
-    # documentation
-    # TODO add hotdoc here
   ] ++ lib.optionals stdenv.isLinux [
     libcap # for setcap binary
+  ] ++ lib.optionals enableDocumentation [
+    hotdoc
   ];
 
   buildInputs = [
@@ -72,6 +70,7 @@ stdenv.mkDerivation (finalAttrs: {
     libunwind
     elfutils
   ] ++ lib.optionals stdenv.isDarwin [
+    Cocoa
     CoreServices
   ];
 
@@ -82,7 +81,7 @@ stdenv.mkDerivation (finalAttrs: {
   mesonFlags = [
     "-Ddbghelp=disabled" # not needed as we already provide libunwind and libdw, and dbghelp is a fallback to those
     "-Dexamples=disabled" # requires many dependencies and probably not useful for our users
-    "-Ddoc=disabled" # `hotdoc` not packaged in nixpkgs as of writing
+    (lib.mesonEnable "doc" enableDocumentation)
   ] ++ lib.optionals stdenv.isDarwin [
     # darwin.libunwind doesn't have pkg-config definitions so meson doesn't detect it.
     "-Dlibunwind=disabled"
diff --git a/pkgs/development/libraries/gstreamer/default.nix b/pkgs/development/libraries/gstreamer/default.nix
index 9acad3fb62444..662c364b96045 100644
--- a/pkgs/development/libraries/gstreamer/default.nix
+++ b/pkgs/development/libraries/gstreamer/default.nix
@@ -16,7 +16,7 @@
 }:
 
 {
-  gstreamer = callPackage ./core { inherit CoreServices; };
+  gstreamer = callPackage ./core { inherit Cocoa CoreServices; };
 
   gstreamermm = callPackage ./gstreamermm { };
 
@@ -24,7 +24,7 @@
 
   gst-plugins-good = callPackage ./good { inherit Cocoa; };
 
-  gst-plugins-bad = callPackage ./bad { inherit AudioToolbox AVFoundation CoreMedia CoreVideo Foundation MediaToolbox VideoToolbox; };
+  gst-plugins-bad = callPackage ./bad { inherit AudioToolbox AVFoundation Cocoa CoreMedia CoreVideo Foundation MediaToolbox VideoToolbox; };
 
   gst-plugins-ugly = callPackage ./ugly { inherit CoreFoundation DiskArbitration IOKit; };
 
diff --git a/pkgs/development/libraries/gstreamer/devtools/default.nix b/pkgs/development/libraries/gstreamer/devtools/default.nix
index a221231da6843..471de787e197d 100644
--- a/pkgs/development/libraries/gstreamer/devtools/default.nix
+++ b/pkgs/development/libraries/gstreamer/devtools/default.nix
@@ -11,21 +11,22 @@
 , python3
 , gobject-introspection
 , json-glib
+# Checks meson.is_cross_build(), so even canExecute isn't enough.
+, enableDocumentation ? stdenv.hostPlatform == stdenv.buildPlatform, hotdoc
 }:
 
 stdenv.mkDerivation rec {
   pname = "gst-devtools";
-  version = "1.20.3";
+  version = "1.22.2";
 
   src = fetchurl {
     url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-u71F6tcDNn6o9L6bPAgte2K+9HskCjkIPyeETih1jEc=";
+    hash = "sha256-62JybT4nqHgjaaJP1jZKiIXtJGKzu9qwkd/8gTnuBtg=";
   };
 
   outputs = [
     "out"
     "dev"
-    # "devdoc" # disabled until `hotdoc` is packaged in nixpkgs
   ];
 
   depsBuildBuild = [
@@ -37,9 +38,8 @@ stdenv.mkDerivation rec {
     ninja
     pkg-config
     gobject-introspection
-
-    # documentation
-    # TODO add hotdoc here
+  ] ++ lib.optionals enableDocumentation [
+    hotdoc
   ];
 
   buildInputs = [
@@ -57,7 +57,7 @@ stdenv.mkDerivation rec {
   ];
 
   mesonFlags = [
-    "-Ddoc=disabled" # `hotdoc` not packaged in nixpkgs as of writing
+    (lib.mesonEnable "doc" enableDocumentation)
   ];
 
   meta = with lib; {
diff --git a/pkgs/development/libraries/gstreamer/ges/default.nix b/pkgs/development/libraries/gstreamer/ges/default.nix
index 328c1830c7010..8beedddeeebba 100644
--- a/pkgs/development/libraries/gstreamer/ges/default.nix
+++ b/pkgs/development/libraries/gstreamer/ges/default.nix
@@ -12,21 +12,22 @@
 , flex
 , gettext
 , gobject-introspection
+# Checks meson.is_cross_build(), so even canExecute isn't enough.
+, enableDocumentation ? stdenv.hostPlatform == stdenv.buildPlatform, hotdoc
 }:
 
 stdenv.mkDerivation rec {
   pname = "gst-editing-services";
-  version = "1.20.3";
+  version = "1.22.2";
 
   outputs = [
     "out"
     "dev"
-    # "devdoc" # disabled until `hotdoc` is packaged in nixpkgs
   ];
 
   src = fetchurl {
     url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-X9iW3mn74kQh62sP+NL4tMPLo/MCXOrNMCFy85qKuqI=";
+    hash = "sha256-RTsUZPw4V94mmnyw69lmr+Ahcdl772cqC4oKbUPgzr8=";
   };
 
   nativeBuildInputs = [
@@ -37,9 +38,8 @@ stdenv.mkDerivation rec {
     gobject-introspection
     python3
     flex
-
-    # documentation
-    # TODO add hotdoc here
+  ] ++ lib.optionals enableDocumentation [
+    hotdoc
   ];
 
   buildInputs = [
@@ -56,7 +56,7 @@ stdenv.mkDerivation rec {
   ];
 
   mesonFlags = [
-    "-Ddoc=disabled" # `hotdoc` not packaged in nixpkgs as of writing
+    (lib.mesonEnable "doc" enableDocumentation)
   ];
 
   postPatch = ''
diff --git a/pkgs/development/libraries/gstreamer/good/default.nix b/pkgs/development/libraries/gstreamer/good/default.nix
index 1cd9eed123c54..c8efbbfd874c3 100644
--- a/pkgs/development/libraries/gstreamer/good/default.nix
+++ b/pkgs/development/libraries/gstreamer/good/default.nix
@@ -31,6 +31,7 @@
 , twolame
 , gtkSupport ? false, gtk3
 , qt5Support ? false, qt5
+, qt6Support ? false, qt6
 , raspiCameraSupport ? false, libraspberrypi
 , enableJack ? true, libjack2
 , libXdamage
@@ -43,19 +44,21 @@
 , libgudev
 , wavpack
 , glib
+# Checks meson.is_cross_build(), so even canExecute isn't enough.
+, enableDocumentation ? stdenv.hostPlatform == stdenv.buildPlatform, hotdoc
 }:
 
 assert raspiCameraSupport -> (stdenv.isLinux && stdenv.isAarch64);
 
 stdenv.mkDerivation rec {
   pname = "gst-plugins-good";
-  version = "1.20.3";
+  version = "1.22.2";
 
   outputs = [ "out" "dev" ];
 
   src = fetchurl {
     url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-+PPCBr9c2rwAlTkgtHs1da8O8V6fhxwLaWb20KpYaLc=";
+    hash = "sha256-fIzFlCXysjL2DKfRPlbt1hXaT3Eec90Bp8/6Rua8DN0=";
   };
 
   strictDeps = true;
@@ -72,8 +75,13 @@ stdenv.mkDerivation rec {
     orc
     libshout
     glib
+  ] ++ lib.optionals enableDocumentation [
+    hotdoc
   ] ++ lib.optionals qt5Support (with qt5; [
     qtbase
+  ]) ++ lib.optionals qt6Support (with qt6; [
+    qtbase
+    qttools
   ]) ++ lib.optionals stdenv.isLinux [
     wayland-protocols
   ];
@@ -114,6 +122,10 @@ stdenv.mkDerivation rec {
     qtdeclarative
     qtwayland
     qtx11extras
+  ]) ++ lib.optionals qt6Support (with qt6; [
+    qtbase
+    qtdeclarative
+    qtwayland
   ]) ++ lib.optionals stdenv.isDarwin [
     Cocoa
   ] ++ lib.optionals stdenv.isLinux [
@@ -129,10 +141,12 @@ stdenv.mkDerivation rec {
 
   mesonFlags = [
     "-Dexamples=disabled" # requires many dependencies and probably not useful for our users
-    "-Ddoc=disabled" # `hotdoc` not packaged in nixpkgs as of writing
     "-Dglib-asserts=disabled" # asserts should be disabled on stable releases
+    (lib.mesonEnable "doc" enableDocumentation)
   ] ++ lib.optionals (!qt5Support) [
     "-Dqt5=disabled"
+  ] ++ lib.optionals (!qt6Support) [
+    "-Dqt6=disabled"
   ] ++ lib.optionals (!gtkSupport) [
     "-Dgtk3=disabled"
   ] ++ lib.optionals (!enableJack) [
diff --git a/pkgs/development/libraries/gstreamer/libav/default.nix b/pkgs/development/libraries/gstreamer/libav/default.nix
index 94e4871622ad8..b51a103c0855e 100644
--- a/pkgs/development/libraries/gstreamer/libav/default.nix
+++ b/pkgs/development/libraries/gstreamer/libav/default.nix
@@ -9,6 +9,8 @@
 , gst-plugins-base
 , gettext
 , libav
+# Checks meson.is_cross_build(), so even canExecute isn't enough.
+, enableDocumentation ? stdenv.hostPlatform == stdenv.buildPlatform, hotdoc
 }:
 
 # Note that since gst-libav-1.6, libav is actually ffmpeg. See
@@ -16,11 +18,11 @@
 
 stdenv.mkDerivation rec {
   pname = "gst-libav";
-  version = "1.20.3";
+  version = "1.22.2";
 
   src = fetchurl {
     url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-P+3RBWD836obZGLL95o4xOe1fX85A1k5P8DO9tvyff4=";
+    hash = "sha256-/Kr5h4/o87yCMX7xOhVYgky2jfH4loxnl/VWxeM7z/0=";
   };
 
   outputs = [ "out" "dev" ];
@@ -31,6 +33,8 @@ stdenv.mkDerivation rec {
     gettext
     pkg-config
     python3
+  ] ++ lib.optionals enableDocumentation [
+    hotdoc
   ];
 
   buildInputs = [
@@ -40,7 +44,7 @@ stdenv.mkDerivation rec {
   ];
 
   mesonFlags = [
-    "-Ddoc=disabled" # `hotdoc` not packaged in nixpkgs as of writing
+    (lib.mesonEnable "doc" enableDocumentation)
   ];
 
   postPatch = ''
diff --git a/pkgs/development/libraries/gstreamer/rtsp-server/default.nix b/pkgs/development/libraries/gstreamer/rtsp-server/default.nix
index f32db82194656..0f8a2f59c577c 100644
--- a/pkgs/development/libraries/gstreamer/rtsp-server/default.nix
+++ b/pkgs/development/libraries/gstreamer/rtsp-server/default.nix
@@ -9,21 +9,22 @@
 , gobject-introspection
 , gst-plugins-base
 , gst-plugins-bad
+# Checks meson.is_cross_build(), so even canExecute isn't enough.
+, enableDocumentation ? stdenv.hostPlatform == stdenv.buildPlatform, hotdoc
 }:
 
 stdenv.mkDerivation rec {
   pname = "gst-rtsp-server";
-  version = "1.20.3";
+  version = "1.22.2";
 
   src = fetchurl {
     url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-7kAnGL6bEn8OXmbKTBtPQuSSbsk7owe3zMpdxsyXlMo=";
+    hash = "sha256-K+Suz7iHEBAOpxFe0CFkA+gJQ0Tr8UYJQnG41Nc4KL8=";
   };
 
   outputs = [
     "out"
     "dev"
-    # "devdoc" # disabled until `hotdoc` is packaged in nixpkgs
   ];
 
   nativeBuildInputs = [
@@ -33,9 +34,8 @@ stdenv.mkDerivation rec {
     gobject-introspection
     pkg-config
     python3
-
-    # documentation
-    # TODO add hotdoc here
+  ] ++ lib.optionals enableDocumentation [
+    hotdoc
   ];
 
   buildInputs = [
@@ -46,7 +46,7 @@ stdenv.mkDerivation rec {
 
   mesonFlags = [
     "-Dexamples=disabled" # requires many dependencies and probably not useful for our users
-    "-Ddoc=disabled" # `hotdoc` not packaged in nixpkgs as of writing
+    (lib.mesonEnable "doc" enableDocumentation)
   ];
 
   postPatch = ''
diff --git a/pkgs/development/libraries/gstreamer/ugly/default.nix b/pkgs/development/libraries/gstreamer/ugly/default.nix
index c4d21c464f1b4..0ebc61565ba62 100644
--- a/pkgs/development/libraries/gstreamer/ugly/default.nix
+++ b/pkgs/development/libraries/gstreamer/ugly/default.nix
@@ -20,17 +20,19 @@
 , CoreFoundation
 , DiskArbitration
 , enableGplPlugins ? true
+# Checks meson.is_cross_build(), so even canExecute isn't enough.
+, enableDocumentation ? stdenv.hostPlatform == stdenv.buildPlatform, hotdoc
 }:
 
 stdenv.mkDerivation rec {
   pname = "gst-plugins-ugly";
-  version = "1.20.3";
+  version = "1.22.2";
 
   outputs = [ "out" "dev" ];
 
   src = fetchurl {
     url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-jKogeJoJwwS0nPVj0zzKlCGxh1uE/MGH5KOF+gHWrv0=";
+    hash = "sha256-jzD0TbC9BjcJv2++VROOOpivCry2HDYPNVgrvhDoBpE=";
   };
 
   nativeBuildInputs = [
@@ -39,6 +41,8 @@ stdenv.mkDerivation rec {
     gettext
     pkg-config
     python3
+  ] ++ lib.optionals enableDocumentation [
+    hotdoc
   ];
 
   buildInputs = [
@@ -60,8 +64,8 @@ stdenv.mkDerivation rec {
   ];
 
   mesonFlags = [
-    "-Ddoc=disabled" # `hotdoc` not packaged in nixpkgs as of writing
     "-Dsidplay=disabled" # sidplay / sidplay/player.h isn't packaged in nixpkgs as of writing
+    (lib.mesonEnable "doc" enableDocumentation)
   ] ++ (if enableGplPlugins then [
     "-Dgpl=enabled"
   ] else [
diff --git a/pkgs/development/libraries/gstreamer/vaapi/default.nix b/pkgs/development/libraries/gstreamer/vaapi/default.nix
index faeffddfbf48c..b34581ed3435a 100644
--- a/pkgs/development/libraries/gstreamer/vaapi/default.nix
+++ b/pkgs/development/libraries/gstreamer/vaapi/default.nix
@@ -7,6 +7,7 @@
 , bzip2
 , libva
 , wayland
+, wayland-protocols
 , libdrm
 , udev
 , xorg
@@ -17,21 +18,22 @@
 , nasm
 , libvpx
 , python3
+# Checks meson.is_cross_build(), so even canExecute isn't enough.
+, enableDocumentation ? stdenv.hostPlatform == stdenv.buildPlatform, hotdoc
 }:
 
 stdenv.mkDerivation rec {
   pname = "gstreamer-vaapi";
-  version = "1.20.3";
+  version = "1.22.2";
 
   src = fetchurl {
     url = "https://gstreamer.freedesktop.org/src/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "sha256-bumesxar3emtNwApFb2MOGeRj2/cdLfPKsTBrg1pC0U=";
+    hash = "sha256-0uZC+XRfl9n3On9Qhedlmpox/iCbd05uRdrgQbQ13wY=";
   };
 
   outputs = [
     "out"
     "dev"
-    # "devdoc" # disabled until `hotdoc` is packaged in nixpkgs
   ];
 
   nativeBuildInputs = [
@@ -40,9 +42,9 @@ stdenv.mkDerivation rec {
     pkg-config
     python3
     bzip2
-
-    # documentation
-    # TODO add hotdoc here
+    wayland
+  ] ++ lib.optionals enableDocumentation [
+    hotdoc
   ];
 
   buildInputs = [
@@ -51,6 +53,7 @@ stdenv.mkDerivation rec {
     gst-plugins-bad
     libva
     wayland
+    wayland-protocols
     libdrm
     udev
     xorg.libX11
@@ -65,9 +68,11 @@ stdenv.mkDerivation rec {
     libvpx
   ];
 
+  strictDeps = true;
+
   mesonFlags = [
     "-Dexamples=disabled" # requires many dependencies and probably not useful for our users
-    "-Ddoc=disabled" # `hotdoc` not packaged in nixpkgs as of writing
+    (lib.mesonEnable "doc" enableDocumentation)
   ];
 
   postPatch = ''
diff --git a/pkgs/development/libraries/gtk/4.x.nix b/pkgs/development/libraries/gtk/4.x.nix
index 65bb57e066784..fe3549eee5725 100644
--- a/pkgs/development/libraries/gtk/4.x.nix
+++ b/pkgs/development/libraries/gtk/4.x.nix
@@ -168,7 +168,7 @@ stdenv.mkDerivation rec {
     "-Dvulkan=enabled"
   ] ++ lib.optionals (!cupsSupport) [
     "-Dprint-cups=disabled"
-  ] ++ lib.optionals stdenv.isDarwin [
+  ] ++ lib.optionals (stdenv.isDarwin && !stdenv.isAarch64) [
     "-Dmedia-gstreamer=disabled" # requires gstreamer-gl
   ] ++ lib.optionals (!x11Support) [
     "-Dx11-backend=false"
diff --git a/pkgs/development/libraries/ldacbt/default.nix b/pkgs/development/libraries/ldacbt/default.nix
index 36092507b8ae6..1d91cafc81c4d 100644
--- a/pkgs/development/libraries/ldacbt/default.nix
+++ b/pkgs/development/libraries/ldacbt/default.nix
@@ -15,10 +15,17 @@ stdenv.mkDerivation rec {
     fetchSubmodules = true;
   };
 
+  outputs = [ "out" "dev" ];
+
   nativeBuildInputs = [
     cmake
   ];
 
+  cmakeFlags = [
+    # CMakeLists.txt by default points to $out
+    "-DINSTALL_INCLUDEDIR=${placeholder "dev"}/include"
+  ];
+
   meta = with lib; {
     description = "AOSP libldac dispatcher";
     homepage    = "https://github.com/EHfive/ldacBT";
diff --git a/pkgs/development/libraries/libcbor/default.nix b/pkgs/development/libraries/libcbor/default.nix
index 8f8e33cbeab4d..fff5f705d7ce5 100644
--- a/pkgs/development/libraries/libcbor/default.nix
+++ b/pkgs/development/libraries/libcbor/default.nix
@@ -22,8 +22,13 @@ stdenv.mkDerivation (finalAttrs: {
     sha256 = "sha256-ZTa+wG1g9KsVoqJG/yqxo2fJ7OhPnaI9QcfOmpOT3pg=";
   };
 
+  strictDeps = true;
   nativeBuildInputs = [ cmake ];
 
+  buildInputs = [
+    cmocka # cmake expects cmocka module
+  ];
+
   cmakeFlags = lib.optional finalAttrs.doCheck "-DWITH_TESTS=ON"
     ++ lib.optional (!stdenv.hostPlatform.isStatic) "-DBUILD_SHARED_LIBS=ON";
 
diff --git a/pkgs/development/libraries/libde265/default.nix b/pkgs/development/libraries/libde265/default.nix
index c24209e4ab6c3..c7a5a85ae6b67 100644
--- a/pkgs/development/libraries/libde265/default.nix
+++ b/pkgs/development/libraries/libde265/default.nix
@@ -1,9 +1,12 @@
 { lib
 , stdenv
 , fetchFromGitHub
+, fetchpatch
 , autoreconfHook
 , pkg-config
 
+, callPackage
+
 # for passthru.tests
 , imagemagick
 , libheif
@@ -11,7 +14,7 @@
 , gst_all_1
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: rec {
   version = "1.0.11";
   pname = "libde265";
 
@@ -22,6 +25,19 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-0aRUh5h49fnjBjy42A5fWYHnhnQ4CFoeSIXZilZewW8=";
   };
 
+  patches = [
+    (fetchpatch {
+      name = "CVE-2023-27102.patch";
+      url = "https://github.com/strukturag/libde265/commit/0b1752abff97cb542941d317a0d18aa50cb199b1.patch";
+      sha256 = "sha256-q0NKuk2r5RQT9MJpRO3CTPj6VqYRBnffs9yZ+GM+lNc=";
+    })
+    (fetchpatch {
+      name = "CVE-2023-27103.patch";
+      url = "https://github.com/strukturag/libde265/commit/d6bf73e765b7a23627bfd7a8645c143fd9097995.patch";
+      sha256 = "sha256-vxciVzSuVCVDpdz+TKg2tMWp2ArubYji5GLaR9VP4F0=";
+    })
+  ];
+
   nativeBuildInputs = [ autoreconfHook pkg-config ];
 
   enableParallelBuilding = true;
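Review bot: The two `fetchpatch` entries have no comment saying when they can be dropped, and they use `sha256 =` while the rest of this merge moves fetchers to `hash =`. Both are upstream commits applied on top of 1.0.11, so a line such as `# Backported security fixes; remove once the packaged version contains these upstream commits.` above the list would keep them from lingering, or failing to apply, after the next bump. The derivation body starts and ends outside this hunk.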
@@ -29,6 +45,10 @@ stdenv.mkDerivation rec {
   passthru.tests = {
     inherit imagemagick libheif imlib2Full;
     inherit (gst_all_1) gst-plugins-bad;
+
+    test-corpus-decode = callPackage ./test-corpus-decode.nix {
+      libde265 = finalAttrs.finalPackage;
+    };
   };
 
   meta = {
@@ -38,4 +58,4 @@ stdenv.mkDerivation rec {
     platforms = lib.platforms.unix;
     maintainers = with lib.maintainers; [ gebner ];
   };
-}
+})
diff --git a/pkgs/development/libraries/libde265/test-corpus-decode.nix b/pkgs/development/libraries/libde265/test-corpus-decode.nix
new file mode 100644
index 0000000000000..763c93e6a993b
--- /dev/null
+++ b/pkgs/development/libraries/libde265/test-corpus-decode.nix
@@ -0,0 +1,48 @@
+{ lib
+, stdenv
+, fetchFromGitHub
+, libde265
+}:
+
+stdenv.mkDerivation {
+  pname = "libde265-test-corpus-decode";
+  version = "unstable-2020-02-19";
+
+  src = fetchFromGitHub {
+    owner = "strukturag";
+    repo = "libde265-data";
+    rev = "bdfdfdbe682f514c5185c270c74eac42731a7fa8";
+    sha256 = "sha256-fOgu7vMoyH30Zzbkfm4a6JVDZtYLO/0R2syC2Wux+Z8=";
+  };
+
+  dontConfigure = true;
+  dontBuild = true;
+
+  doCheck = true;
+  nativeCheckInputs = [ libde265 ];
+  # based on invocations in https://github.com/strukturag/libde265/blob/0b1752abff97cb542941d317a0d18aa50cb199b1/scripts/ci-run.sh
+  checkPhase = ''
+    echo "Single-threaded:"
+    find . -name '*.bin' | while read f; do
+      echo "Decoding $f"
+      dec265 -q -c $f
+      dec265 -0 -q -c $f
+      dec265 -q --disable-deblocking --disable-sao $f
+    done
+    echo "Multi-threaded:"
+    find RandomAccess/ -name '*.bin' | while read f; do
+      echo "Decoding $f"
+      dec265 -t 4 -q -c $f
+      dec265 -t 4 -0 -q -c $f
+      dec265 -t 4 -q --disable-deblocking --disable-sao $f
+    done
+  '';
+  # a larger corpus of files can be found
+  # as an ubuntu package libde265-teststreams @
+  # https://launchpad.net/~strukturag/+archive/ubuntu/libde265/+packages
+  # but it is *much* larger
+
+  installPhase = ''
+    touch $out
+  '';
+}
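Review bot: In `checkPhase` both loops use `while read f` and pass `$f` unquoted to `dec265`, so a path containing whitespace or a backslash would be split or altered before it reaches the decoder. The corpus is pinned by `rev` and hash, so this is a robustness point rather than an exposure, but `find . -name '*.bin' | while IFS= read -r f; do` with `"$f"` in each of the six `dec265` calls removes the assumption. `checkPhase` and `installPhase` also replace the default phases without `runHook preCheck`/`runHook postCheck` and `runHook preInstall`/`runHook postInstall`. Since the test is wired into `passthru.tests` alongside the CVE patches, a comment should say whether the 2020 corpus is expected to exercise those fixes or is only a general decode smoke test.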
diff --git a/pkgs/development/libraries/libdecor/default.nix b/pkgs/development/libraries/libdecor/default.nix
index 34b4e021b0f14..64fc11f500f04 100644
--- a/pkgs/development/libraries/libdecor/default.nix
+++ b/pkgs/development/libraries/libdecor/default.nix
@@ -26,6 +26,8 @@ stdenv.mkDerivation rec {
     sha256 = "0qdg3r7k086wzszr969s0ljlqdvfqm31zpl8p5h397bw076zr6p2";
   };
 
+  outputs = [ "out" "dev" ];
+
   strictDeps = true;
 
   nativeBuildInputs = [
diff --git a/pkgs/development/libraries/libdisplay-info/default.nix b/pkgs/development/libraries/libdisplay-info/default.nix
index 3e29f621cb046..783ee4ad483da 100644
--- a/pkgs/development/libraries/libdisplay-info/default.nix
+++ b/pkgs/development/libraries/libdisplay-info/default.nix
@@ -21,9 +21,8 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-7t1CoLus3rPba9paapM7+H3qpdsw7FlzJsSHFwM/2Lk=";
   };
 
-  nativeBuildInputs = [ meson pkg-config ninja edid-decode python3 ];
-
-  buildInputs = [ hwdata ];
+  depsBuildBuild = [ pkg-config ];
+  nativeBuildInputs = [ meson pkg-config ninja edid-decode hwdata python3 ];
 
   postPatch = ''
     patchShebangs tool/gen-search-table.py
diff --git a/pkgs/development/libraries/libgcrypt/1.5.nix b/pkgs/development/libraries/libgcrypt/1.5.nix
deleted file mode 100644
index 918ed20efaaf6..0000000000000
--- a/pkgs/development/libraries/libgcrypt/1.5.nix
+++ /dev/null
@@ -1,53 +0,0 @@
-{ lib, stdenv, fetchpatch, fetchurl, libgpg-error, enableCapabilities ? false, libcap }:
-
-assert enableCapabilities -> stdenv.isLinux;
-
-stdenv.mkDerivation rec {
-  pname = "libgcrypt";
-  version = "1.5.6";
-
-  src = fetchurl {
-    url = "mirror://gnupg/libgcrypt/libgcrypt-${version}.tar.bz2";
-    sha256 = "0ydy7bgra5jbq9mxl5x031nif3m6y3balc6ndw2ngj11wnsjc61h";
-  };
-
-  patches = lib.optionals stdenv.isDarwin [
-    (fetchpatch {
-      name = "fix-x86_64-apple-darwin.patch";
-      sha256 = "138sfwl1avpy19320dbd63mskspc1khlc93j1f1zmylxx3w19csi";
-      url = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=71939faa7c54e7b4b28d115e748a85f134876a02";
-    })
-  ];
-
-  buildInputs =
-    [ libgpg-error ]
-    ++ lib.optional enableCapabilities libcap;
-
-  # Make sure libraries are correct for .pc and .la files
-  # Also make sure includes are fixed for callers who don't use libgpgcrypt-config
-  postInstall = ''
-    sed -i 's,#include <gpg-error.h>,#include "${libgpg-error.dev}/include/gpg-error.h",g' $out/include/gcrypt.h
-  '' + lib.optionalString enableCapabilities ''
-    sed -i 's,\(-lcap\),-L${libcap.lib}/lib \1,' $out/lib/libgcrypt.la
-  '';
-
-  doCheck = true;
-
-  meta = with lib; {
-    homepage = "https://www.gnu.org/software/libgcrypt/";
-    description = "General-pupose cryptographic library";
-    license = licenses.lgpl2Plus;
-    platforms = platforms.all;
-    knownVulnerabilities = [
-      "CVE-2014-3591"
-      "CVE-2015-0837"
-      "CVE-2015-7511"
-      "CVE-2017-0379"
-      "CVE-2017-7526"
-      "CVE-2017-9526"
-      "CVE-2018-0495"
-      "CVE-2018-6829"
-      "CVE-2018-12437"
-    ];
-  };
-}
diff --git a/pkgs/development/libraries/libgcrypt/1.8.nix b/pkgs/development/libraries/libgcrypt/1.8.nix
new file mode 100644
index 0000000000000..cce79780f1cbe
--- /dev/null
+++ b/pkgs/development/libraries/libgcrypt/1.8.nix
@@ -0,0 +1,75 @@
+{ lib
+, stdenv
+, fetchurl
+, libgpg-error
+, enableCapabilities ? false, libcap
+, buildPackages
+# for passthru.tests
+, gnupg
+, libotr
+, rsyslog
+}:
+
+assert enableCapabilities -> stdenv.isLinux;
+
+stdenv.mkDerivation rec {
+  pname = "libgcrypt";
+  version = "1.8.10";
+
+  src = fetchurl {
+    url = "mirror://gnupg/libgcrypt/libgcrypt-${version}.tar.bz2";
+    sha256 = "sha256-aJaRVQH5UeI9AtywRTRpwswiqk13oAH/c6JkfC0p590=";
+  };
+
+  outputs = [ "out" "dev" "info" ];
+  outputBin = "dev";
+
+  # The CPU Jitter random number generator must not be compiled with
+  # optimizations and the optimize -O0 pragma only works for gcc.
+  # The build enables -O2 by default for everything else.
+  hardeningDisable = lib.optional stdenv.cc.isClang "fortify";
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+
+  buildInputs = [ libgpg-error ]
+    ++ lib.optional enableCapabilities libcap;
+
+  strictDeps = true;
+
+  configureFlags = [ "--with-libgpg-error-prefix=${libgpg-error.dev}" ]
+      ++ lib.optional (stdenv.hostPlatform.isMusl || (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64)) "--disable-asm"; # for darwin see https://dev.gnupg.org/T5157
+
+  # Necessary to generate correct assembly when compiling for aarch32 on
+  # aarch64
+  configurePlatforms = [ "host" "build" ];
+
+  postConfigure = ''
+    sed -i configure \
+        -e 's/NOEXECSTACK_FLAGS=$/NOEXECSTACK_FLAGS="-Wa,--noexecstack"/'
+  '';
+
+  # Make sure libraries are correct for .pc and .la files
+  # Also make sure includes are fixed for callers who don't use libgpgcrypt-config
+  postFixup = ''
+    sed -i 's,#include <gpg-error.h>,#include "${libgpg-error.dev}/include/gpg-error.h",g' "$dev/include/gcrypt.h"
+  '' + lib.optionalString enableCapabilities ''
+    sed -i 's,\(-lcap\),-L${libcap.lib}/lib \1,' $out/lib/libgcrypt.la
+  '';
+
+  doCheck = true;
+
+  passthru.tests = {
+    inherit gnupg libotr rsyslog;
+  };
+
+  meta = with lib; {
+    homepage = "https://www.gnu.org/software/libgcrypt/";
+    changelog = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=NEWS;hb=refs/tags/${pname}-${version}";
+    description = "General-purpose cryptographic library";
+    license = licenses.lgpl2Plus;
+    platforms = platforms.all;
+    knownVulnerabilities = [
+      "CVE-2018-12437" # CVE is about LibTomCrypt
+    ];
+  };
+}
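Review bot: The `postConfigure` step rewrites `NOEXECSTACK_FLAGS` inside `configure` after the script has already run, so the `-Wa,--noexecstack` setting presumably only reaches the build if make re-runs configure because the file changed. Doing the same `sed` before configuration, `preConfigure = ''` in place of `postConfigure = ''`, would make the non-executable-stack marking independent of that. Separately, `knownVulnerabilities` lists `"CVE-2018-12437"` with the comment `# CVE is about LibTomCrypt`. As written, the entry marks the package insecure for an issue the comment attributes to another library, so the comment should state why it still applies to this 1.8.x expression, or the entry should be dropped.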
diff --git a/pkgs/development/libraries/libhwy/default.nix b/pkgs/development/libraries/libhwy/default.nix
index 66f273ba3f289..e9434c23aae4e 100644
--- a/pkgs/development/libraries/libhwy/default.nix
+++ b/pkgs/development/libraries/libhwy/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "libhwy";
-  version = "1.0.2";
+  version = "1.0.4";
 
   src = fetchFromGitHub {
     owner = "google";
     repo = "highway";
     rev = version;
-    hash = "sha256-CHzDLzOnu/QfejWiRKE9I5UUyRxoEooNtYVe8FQwu7c=";
+    hash = "sha256-bQtfye+gn7GOyzCtji4st5hsV40rPzuaYDP7N1tZ8wg=";
   };
 
   nativeBuildInputs = [ cmake ninja ];
diff --git a/pkgs/development/libraries/libinput/default.nix b/pkgs/development/libraries/libinput/default.nix
index 268ddd3708104..c8e9efdfa7701 100644
--- a/pkgs/development/libraries/libinput/default.nix
+++ b/pkgs/development/libraries/libinput/default.nix
@@ -45,7 +45,7 @@ in
 
 stdenv.mkDerivation rec {
   pname = "libinput";
-  version = "1.22.1";
+  version = "1.23.0";
 
   outputs = [ "bin" "out" "dev" ];
 
@@ -54,7 +54,7 @@ stdenv.mkDerivation rec {
     owner = "libinput";
     repo = "libinput";
     rev = version;
-    sha256 = "RgwEp60Anr+CpJws6srIv/Qzk2r9NoekeNQ0UT3FRZ0=";
+    sha256 = "7Wxriy1fVsfAhcfhOhuvLehhmQYrQ2IgZTK53bt12HI=";
   };
 
   patches = [
@@ -132,5 +132,6 @@ stdenv.mkDerivation rec {
     license = licenses.mit;
     platforms = platforms.unix;
     maintainers = with maintainers; [ codyopel ] ++ teams.freedesktop.members;
+    changelog = "https://gitlab.freedesktop.org/libinput/libinput/-/releases/${version}";
   };
 }
diff --git a/pkgs/development/libraries/libjxl/default.nix b/pkgs/development/libraries/libjxl/default.nix
index 7dc0ae5b8ce2f..b62c95fa5c86a 100644
--- a/pkgs/development/libraries/libjxl/default.nix
+++ b/pkgs/development/libraries/libjxl/default.nix
@@ -1,4 +1,5 @@
 { stdenv, lib, fetchFromGitHub
+, fetchpatch
 , brotli
 , cmake
 , giflib
@@ -33,6 +34,15 @@ stdenv.mkDerivation rec {
     fetchSubmodules = true;
   };
 
+  patches = [
+    # Add missing <atomic> content to fix gcc compilation for RISCV architecture
+    # https://github.com/libjxl/libjxl/pull/2211
+    (fetchpatch {
+      url = "https://github.com/libjxl/libjxl/commit/22d12d74e7bc56b09cfb1973aa89ec8d714fa3fc.patch";
+      hash = "sha256-X4fbYTMS+kHfZRbeGzSdBW5jQKw8UN44FEyFRUtw0qo=";
+    })
+  ];
+
   nativeBuildInputs = [
     cmake
     gtest
diff --git a/pkgs/development/libraries/liblc3/default.nix b/pkgs/development/libraries/liblc3/default.nix
index 13ef2169e3b9c..e246732963cae 100644
--- a/pkgs/development/libraries/liblc3/default.nix
+++ b/pkgs/development/libraries/liblc3/default.nix
@@ -20,6 +20,8 @@ stdenv.mkDerivation {
     sha256 = "sha256-Be+dPUnxC2+cHzqL2FAqXOU7NjEAHiPBKh7spuYkvhc=";
   };
 
+  outputs = [ "out" "dev" ];
+
   nativeBuildInputs = [
     meson
     ninja
diff --git a/pkgs/development/libraries/libmodplug/default.nix b/pkgs/development/libraries/libmodplug/default.nix
index c4fa6fcd7ce7b..69c36dc718cbf 100644
--- a/pkgs/development/libraries/libmodplug/default.nix
+++ b/pkgs/development/libraries/libmodplug/default.nix
@@ -4,6 +4,13 @@ stdenv.mkDerivation rec {
   pname = "libmodplug";
   version = "0.8.9.0";
 
+  src = fetchurl {
+    url = "mirror://sourceforge/project/modplug-xmms/libmodplug/${version}/${pname}-${version}.tar.gz";
+    sha256 = "1pnri98a603xk47smnxr551svbmgbzcw018mq1k6srbrq6kaaz25";
+  };
+
+  outputs = [ "out" "dev" ];
+
   preConfigure = ''
      substituteInPlace configure \
         --replace ' -mmacosx-version-min=10.5' "" \
@@ -17,9 +24,4 @@ stdenv.mkDerivation rec {
     platforms   = platforms.unix;
     maintainers = with maintainers; [ raskin ];
   };
-
-  src = fetchurl {
-    url = "mirror://sourceforge/project/modplug-xmms/libmodplug/${version}/${pname}-${version}.tar.gz";
-    sha256 = "1pnri98a603xk47smnxr551svbmgbzcw018mq1k6srbrq6kaaz25";
-  };
 }
diff --git a/pkgs/development/libraries/libnice/default.nix b/pkgs/development/libraries/libnice/default.nix
index 3129c9c7ab937..ade70284ba688 100644
--- a/pkgs/development/libraries/libnice/default.nix
+++ b/pkgs/development/libraries/libnice/default.nix
@@ -18,14 +18,14 @@
 
 stdenv.mkDerivation rec {
   pname = "libnice";
-  version = "0.1.18";
+  version = "0.1.21";
 
   outputs = [ "bin" "out" "dev" ]
     ++ lib.optionals (stdenv.buildPlatform == stdenv.hostPlatform) [ "devdoc" ];
 
   src = fetchurl {
     url = "https://libnice.freedesktop.org/releases/${pname}-${version}.tar.gz";
-    sha256 = "1x3kj9b3dy9m2h6j96wgywfamas1j8k2ca43k5v82kmml9dx5asy";
+    hash = "sha256-cuc6Ks8g9ZCT4h1WAWBuQFhzUD6zXzRvpiHeI+mbOzk=";
   };
 
   patches = [
diff --git a/pkgs/development/libraries/libpcap/default.nix b/pkgs/development/libraries/libpcap/default.nix
index 04c8a0f16ad8d..37043e3e4bde4 100644
--- a/pkgs/development/libraries/libpcap/default.nix
+++ b/pkgs/development/libraries/libpcap/default.nix
@@ -13,11 +13,11 @@
 
 stdenv.mkDerivation rec {
   pname = "libpcap";
-  version = "1.10.3";
+  version = "1.10.4";
 
   src = fetchurl {
     url = "https://www.tcpdump.org/release/${pname}-${version}.tar.gz";
-    sha256 = "sha256-KoiFxANRbPewkz7UsU1sqjDgIFJInr1BTcdaxS51WeY=";
+    hash = "sha256-7RmgOD+tcuOtQ1/SOdfNgNZJFrhyaVUBWdIORxYOvl8=";
   };
 
   buildInputs = lib.optionals stdenv.isLinux [ libnl ]
diff --git a/pkgs/development/libraries/libqmi/default.nix b/pkgs/development/libraries/libqmi/default.nix
index 05a44980f83cc..1a314563d4b87 100644
--- a/pkgs/development/libraries/libqmi/default.nix
+++ b/pkgs/development/libraries/libqmi/default.nix
@@ -22,7 +22,8 @@ stdenv.mkDerivation rec {
   pname = "libqmi";
   version = "1.32.2";
 
-  outputs = [ "out" "dev" "devdoc" ];
+  outputs = [ "out" "dev" ]
+    ++ lib.optionals (stdenv.buildPlatform == stdenv.hostPlatform) [ "devdoc" ];
 
   src = fetchFromGitLab {
     domain = "gitlab.freedesktop.org";
@@ -47,6 +48,7 @@ stdenv.mkDerivation rec {
     pkg-config
     gobject-introspection
     python3
+  ] ++ lib.optionals (stdenv.buildPlatform == stdenv.hostPlatform) [
     gtk-doc
     docbook-xsl-nons
     docbook_xml_dtd_43
@@ -68,6 +70,7 @@ stdenv.mkDerivation rec {
     "-Dudevdir=${placeholder "out"}/lib/udev"
     (lib.mesonBool "gtk_doc" (stdenv.buildPlatform == stdenv.hostPlatform))
     (lib.mesonBool "introspection" (stdenv.buildPlatform == stdenv.hostPlatform))
+    (lib.mesonBool "man" (stdenv.buildPlatform == stdenv.hostPlatform))
   ];
 
   doCheck = true;
diff --git a/pkgs/development/libraries/libtiff/default.nix b/pkgs/development/libraries/libtiff/default.nix
index b88bb75748e0b..06dc76d92328c 100644
--- a/pkgs/development/libraries/libtiff/default.nix
+++ b/pkgs/development/libraries/libtiff/default.nix
@@ -1,4 +1,5 @@
-{ lib, stdenv
+{ lib
+, stdenv
 , fetchFromGitLab
 , fetchpatch
 , nix-update-script
@@ -12,7 +13,7 @@
 , xz
 , zlib
 
-# for passthru.tests
+  # for passthru.tests
 , libgeotiff
 , python3Packages
 , imagemagick
@@ -84,9 +85,13 @@ stdenv.mkDerivation rec {
   # sure cross-compilation works first!
   nativeBuildInputs = [ autoreconfHook pkg-config sphinx ];
 
-  propagatedBuildInputs = [ libjpeg xz zlib ]; #TODO: opengl support (bogus configure detection)
-
-  buildInputs = [ libdeflate ];
+  # TODO: opengl support (bogus configure detection)
+  propagatedBuildInputs = [
+    libdeflate
+    libjpeg
+    xz
+    zlib
+  ];
 
   enableParallelBuilding = true;
 
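Review bot: The rewritten `propagatedBuildInputs` now carries `libdeflate`, but nothing in the hunk records why it moved out of `buildInputs`; the only comment on the list is the unrelated OpenGL TODO. Propagation puts libdeflate into the build environment of every libtiff consumer, so the reason belongs next to the entry. Presumably consumers that resolve libtiff through pkg-config need it, since the same merge drops `libdeflate` from openjpeg's `buildInputs`. A comment such as `# libdeflate is propagated because libtiff's pkg-config file requires it (TODO confirm)` above the entry would do.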
diff --git a/pkgs/development/libraries/libva/default.nix b/pkgs/development/libraries/libva/default.nix
index 9f958efe71b34..906e56c3da4b7 100644
--- a/pkgs/development/libraries/libva/default.nix
+++ b/pkgs/development/libraries/libva/default.nix
@@ -25,6 +25,8 @@ stdenv.mkDerivation rec {
 
   outputs = [ "dev" "out" ];
 
+  depsBuildBuild = [ pkg-config ];
+
   nativeBuildInputs = [ meson pkg-config ninja wayland-scanner ];
 
   buildInputs = [ libdrm ]
diff --git a/pkgs/development/libraries/libwebp/default.nix b/pkgs/development/libraries/libwebp/default.nix
index dff7abc7dd530..65fa55a787e15 100644
--- a/pkgs/development/libraries/libwebp/default.nix
+++ b/pkgs/development/libraries/libwebp/default.nix
@@ -1,4 +1,5 @@
 { lib, stdenv, fetchFromGitHub, autoreconfHook, libtool
+, fetchpatch
 , threadingSupport ? true # multi-threading
 , openglSupport ? false, freeglut, libGL, libGLU # OpenGL (required for vwebp)
 , pngSupport ? true, libpng # PNG image format
@@ -36,6 +37,15 @@ stdenv.mkDerivation rec {
     hash   = "sha256-nhXkq+qKpaa75YQB/W/cRozslTIFPdXeqj1y6emQeHk=";
   };
 
+  patches = [
+    # https://www.mozilla.org/en-US/security/advisories/mfsa2023-13/#MFSA-TMP-2023-0001
+    (fetchpatch {
+      url = "https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129.patch";
+      name = "fix-msfa-tmp-2023-0001.patch";
+      hash = "sha256-TRKXpNkYVzftBw09mX+WeQRhRoOzBgXFTNZBzSdCKvc=";
+    })
+  ];
+
   configureFlags = [
     (lib.enableFeature threadingSupport "threading")
     (lib.enableFeature openglSupport "gl")
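Review bot: The patch `name` spells the advisory id as `msfa`, while the advisory URL in the comment above it uses `MFSA`, so a search of the tree for the advisory id will miss this entry; it should read `name = "fix-mfsa-tmp-2023-0001.patch";`. The comment gives only the advisory link. Since this is a security backport, it would help to add a line saying when it can go, e.g. `# Security backport; drop once version is bumped to a release that contains this commit`.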
diff --git a/pkgs/development/libraries/libxml2/default.nix b/pkgs/development/libraries/libxml2/default.nix
index 23123940057dc..a5eafa0fdecb4 100644
--- a/pkgs/development/libraries/libxml2/default.nix
+++ b/pkgs/development/libraries/libxml2/default.nix
@@ -34,7 +34,7 @@ in
 let
 libxml = stdenv.mkDerivation rec {
   pname = "libxml2";
-  version = "2.10.3";
+  version = "2.10.4";
 
   outputs = [ "bin" "dev" "out" "doc" ]
     ++ lib.optional pythonSupport "py"
@@ -43,7 +43,7 @@ libxml = stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "mirror://gnome/sources/libxml2/${lib.versions.majorMinor version}/libxml2-${version}.tar.xz";
-    sha256 = "XSzD14vsPb4hKp1/pimtolp9qSivQyyTBg/1wX7iipw=";
+    sha256 = "7QyRxYRQCPGTZznk7uIDVTHByUdCxlQfRO5m2IWUjUU=";
   };
 
   patches = [
diff --git a/pkgs/development/libraries/mesa/22.3.7.nix b/pkgs/development/libraries/mesa/22.3.nix
index 1a1127dae508e..1a1127dae508e 100644
--- a/pkgs/development/libraries/mesa/22.3.7.nix
+++ b/pkgs/development/libraries/mesa/22.3.nix
diff --git a/pkgs/development/libraries/mesa/23.0.1.nix b/pkgs/development/libraries/mesa/23.0.1.nix
deleted file mode 100644
index 0c44d72da7dc9..0000000000000
--- a/pkgs/development/libraries/mesa/23.0.1.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-import ./generic.nix {
-  version = "23.0.1";
-  hash = "sha256-6OWGhWtViTq66b3NuYtBwIHZCbsfrzcubnJiMHvzSt8=";
-}
diff --git a/pkgs/development/libraries/mesa/23.0.nix b/pkgs/development/libraries/mesa/23.0.nix
new file mode 100644
index 0000000000000..323e001961816
--- /dev/null
+++ b/pkgs/development/libraries/mesa/23.0.nix
@@ -0,0 +1,4 @@
+import ./generic.nix {
+  version = "23.0.3";
+  hash = "sha256-OGNipdgN87CWY2tn80Dhzme3BbRHZ9W90R0u0QNxktU=";
+}
diff --git a/pkgs/development/libraries/mesa/generic.nix b/pkgs/development/libraries/mesa/generic.nix
index 82055ecd3427d..0d959560e5da5 100644
--- a/pkgs/development/libraries/mesa/generic.nix
+++ b/pkgs/development/libraries/mesa/generic.nix
@@ -133,13 +133,6 @@ self = stdenv.mkDerivation {
 
     ./opencl.patch
     ./disk_cache-include-dri-driver-path-in-cache-key.patch
-
-    # FIXME: submitted upstream at https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/22133
-    # Remove when no longer applicable
-    (fetchpatch {
-      url = "https://gitlab.freedesktop.org/mesa/mesa/-/commit/1457f1b752f59258c0b33558619b0063b4ce6280.diff";
-      hash = "sha256-WFemyfmCWY4rJMfGxVZdYeGQvGcOTEDMrRt5OIWp348=";
-    })
   ];
 
   postPatch = ''
diff --git a/pkgs/development/libraries/mpfr/default.nix b/pkgs/development/libraries/mpfr/default.nix
index e0a33e27c12c0..aba3a413a6682 100644
--- a/pkgs/development/libraries/mpfr/default.nix
+++ b/pkgs/development/libraries/mpfr/default.nix
@@ -28,9 +28,13 @@ stdenv.mkDerivation rec {
   # mpfr.h requires gmp.h
   propagatedBuildInputs = [ gmp ];
 
-  configureFlags =
-    lib.optional stdenv.hostPlatform.isSunOS "--disable-thread-safe" ++
-    lib.optional stdenv.hostPlatform.is64bit "--with-pic";
+  configureFlags = lib.optional stdenv.hostPlatform.isSunOS "--disable-thread-safe"
+    ++ lib.optional stdenv.hostPlatform.is64bit "--with-pic"
+    ++ lib.optional stdenv.hostPlatform.isPower64 [
+      # Without this, the `tget_set_d128` test experiences a link
+      # error due to missing `__dpd_trunctdkf`.
+      "--disable-decimal-float"
+    ];
 
   doCheck = true; # not cross;
 
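Review bot: `lib.optional` wraps its second argument in a one-element list, so `lib.optional stdenv.hostPlatform.isPower64 [ ... ]` appends a list containing a list to `configureFlags` on Power64 rather than the flag string itself. The two entries above it pass a bare string, which is the form `lib.optional` expects. The list form needs `++ lib.optionals stdenv.hostPlatform.isPower64 [`. How the nested list is handled downstream is not visible here, and because the condition is false on other platforms the mistake would not show up in builds there.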
diff --git a/pkgs/development/libraries/openjpeg/default.nix b/pkgs/development/libraries/openjpeg/default.nix
index 5c6d6b8a13467..50098de03ddf1 100644
--- a/pkgs/development/libraries/openjpeg/default.nix
+++ b/pkgs/development/libraries/openjpeg/default.nix
@@ -50,7 +50,7 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ cmake pkg-config ];
 
-  buildInputs = [ libdeflate libpng libtiff zlib lcms2 ]
+  buildInputs = [ libpng libtiff zlib lcms2 ]
     ++ lib.optionals jpipServerSupport [ curl fcgi ]
     ++ lib.optional (jpipLibSupport) jdk;
 
diff --git a/pkgs/development/libraries/openssl/default.nix b/pkgs/development/libraries/openssl/default.nix
index 30124d10e7984..c36219245a4b4 100644
--- a/pkgs/development/libraries/openssl/default.nix
+++ b/pkgs/development/libraries/openssl/default.nix
@@ -1,14 +1,11 @@
-{ lib, stdenv, fetchurl, buildPackages, perl, coreutils
+{ lib, stdenv, fetchurl, buildPackages, perl, coreutils, writeShellScript
+, makeWrapper
 , withCryptodev ? false, cryptodev
 , withZlib ? false, zlib
 , enableSSL2 ? false
 , enableSSL3 ? false
 , enableKTLS ? stdenv.isLinux
 , static ? stdenv.hostPlatform.isStatic
-# Used to avoid cross compiling perl, for example, in darwin bootstrap tools.
-# This will cause c_rehash to refer to perl via the environment, but otherwise
-# will produce a perfectly functional openssl binary and library.
-, withPerl ? stdenv.hostPlatform == stdenv.buildPlatform
 # path to openssl.cnf file. will be placed in $etc/etc/ssl/openssl.cnf to replace the default
 , conf ? null
 , removeReferencesTo
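Review bot: `writeShellScript` is added to the argument list, but none of the hunks shown for this file use it (the `c_rehash` wrapper is built with `makeWrapper`); unless it is used in a part of the file outside these hunks, it should be dropped. Removing the `withPerl` argument also changes the function's interface: a caller that still passes `withPerl` through `.override` will fail at evaluation with an unexpected-argument error. The removed comment names the darwin bootstrap tools as an example user, so such call sites need updating in the same change. The argument list continues outside the hunk.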
@@ -72,12 +69,9 @@ let
       !(stdenv.hostPlatform.useLLVM or false) &&
       stdenv.cc.isGNU;
 
-    nativeBuildInputs = [ perl ]
+    nativeBuildInputs = [ makeWrapper perl ]
       ++ lib.optionals static [ removeReferencesTo ];
     buildInputs = lib.optional withCryptodev cryptodev
-      # perl is included to allow the interpreter path fixup hook to set the
-      # correct interpreter in c_rehash.
-      ++ lib.optional withPerl perl
       ++ lib.optional withZlib zlib;
 
     # TODO(@Ericson2314): Improve with mass rebuild
@@ -172,23 +166,17 @@ let
 
       # 'etc' is a separate output on static builds only.
       etc=$out
-    '') + lib.optionalString (!stdenv.hostPlatform.isWindows)
-      # Fix bin/c_rehash's perl interpreter line
-      #
-      # - openssl 1_0_2: embeds a reference to buildPackages.perl
-      # - openssl 1_1:   emits "#!/usr/bin/env perl"
-      #
-      # In the case of openssl_1_0_2, reset the invalid reference and let the
-      # interpreter hook take care of it.
-      #
-      # In both cases, if withPerl = false, the intepreter line is expected be
-      # "#!/usr/bin/env perl"
-    ''
-      substituteInPlace $out/bin/c_rehash --replace ${buildPackages.perl}/bin/perl "/usr/bin/env perl"
-    '' + ''
+    '') + ''
       mkdir -p $bin
       mv $out/bin $bin/bin
 
+      # c_rehash is a legacy perl script with the same functionality
+      # as `openssl rehash`
+      # this wrapper script is created to maintain backwards compatibility without
+      # depending on perl
+      makeWrapper $bin/bin/openssl $bin/bin/c_rehash \
+        --add-flags "rehash"
+
       mkdir $dev
       mv $out/include $dev/
 
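Review bot: The `c_rehash` wrapper is now created on every platform, whereas the block it replaces was guarded by `lib.optionalString (!stdenv.hostPlatform.isWindows)`. `makeWrapper` requires its first argument to be an existing executable, so on a Windows host, where the binary is presumably installed as `openssl.exe`, this step may fail the build; keeping the guard around the `makeWrapper` call would preserve the old platform behaviour. The comment could also say that the wrapper simply runs `openssl rehash` with the caller's arguments appended, so option compatibility with the perl script is not guaranteed. The enclosing phase string starts and ends outside the hunk.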
diff --git a/pkgs/development/libraries/pipewire/0090-pipewire-config-template-paths.patch b/pkgs/development/libraries/pipewire/0090-pipewire-config-template-paths.patch
index b4c9f8ed2aab5..ca7d351257bf9 100644
--- a/pkgs/development/libraries/pipewire/0090-pipewire-config-template-paths.patch
+++ b/pkgs/development/libraries/pipewire/0090-pipewire-config-template-paths.patch
@@ -1,8 +1,8 @@
 diff --git a/src/daemon/minimal.conf.in b/src/daemon/minimal.conf.in
-index 6464839a0..05546201f 100644
+index 9c885a38f..c474eb45d 100644
 --- a/src/daemon/minimal.conf.in
 +++ b/src/daemon/minimal.conf.in
-@@ -110,7 +110,7 @@ context.modules = [
+@@ -111,7 +111,7 @@ context.modules = [
              # access.allowed to list an array of paths of allowed
              # apps.
              #access.allowed = [
@@ -11,7 +11,7 @@ index 6464839a0..05546201f 100644
              #]
  
              # An array of rejected paths.
-@@ -298,5 +298,5 @@ context.exec = [
+@@ -359,5 +359,5 @@ context.exec = [
      # It can be interesting to start another daemon here that listens
      # on another address with the -a option (eg. -a tcp:4713).
      #
@@ -19,10 +19,10 @@ index 6464839a0..05546201f 100644
 +    #@pulse_comment@{ path = "<pipewire_path>" args = "-c pipewire-pulse.conf" }
  ]
 diff --git a/src/daemon/pipewire.conf.in b/src/daemon/pipewire.conf.in
-index a948a1b9b..4ece43c6f 100644
+index 697bf094d..3a7b54ddd 100644
 --- a/src/daemon/pipewire.conf.in
 +++ b/src/daemon/pipewire.conf.in
-@@ -132,7 +132,7 @@ context.modules = [
+@@ -142,7 +142,7 @@ context.modules = [
              # access.allowed to list an array of paths of allowed
              # apps.
              #access.allowed = [
@@ -31,18 +31,20 @@ index a948a1b9b..4ece43c6f 100644
              #]
  
              # An array of rejected paths.
-@@ -246,12 +246,12 @@ context.exec = [
+@@ -294,7 +294,7 @@ context.exec = [
      # but it is better to start it as a systemd service.
      # Run the session manager with -h for options.
      #
--    @sm_comment@{ path = "@session_manager_path@" args = "@session_manager_args@" }
-+    @sm_comment@{ path = "<session_manager_path>" args = "@session_manager_args@" }
+-    @sm_comment@{ path = "@session_manager_path@" args = "@session_manager_args@"
++    @sm_comment@{ path = "<session_manager_path>" args = "@session_manager_args@"
+     @sm_comment@  condition = [ { exec.session-manager = null } { exec.session-manager = true } ] }
      #
      # You can optionally start the pulseaudio-server here as well
-     # but it is better to start it as a systemd service.
+@@ -302,6 +302,6 @@ context.exec = [
      # It can be interesting to start another daemon here that listens
      # on another address with the -a option (eg. -a tcp:4713).
      #
--    @pulse_comment@{ path = "@pipewire_path@" args = "-c pipewire-pulse.conf" }
-+    @pulse_comment@{ path = "<pipewire_path>" args = "-c pipewire-pulse.conf" }
+-    @pulse_comment@{ path = "@pipewire_path@" args = "-c pipewire-pulse.conf"
++    @pulse_comment@{ path = "<pipewire_path>" args = "-c pipewire-pulse.conf"
+     @pulse_comment@  condition = [ { exec.pipewire-pulse = null } { exec.pipewire-pulse = true } ] }
  ]
diff --git a/pkgs/development/libraries/pipewire/default.nix b/pkgs/development/libraries/pipewire/default.nix
index 7bfb2615a72c1..b9a2fdb5f0ef2 100644
--- a/pkgs/development/libraries/pipewire/default.nix
+++ b/pkgs/development/libraries/pipewire/default.nix
@@ -73,7 +73,7 @@ let
 
   self = stdenv.mkDerivation rec {
     pname = "pipewire";
-    version = "0.3.68";
+    version = "0.3.70";
 
     outputs = [
       "out"
@@ -91,7 +91,7 @@ let
       owner = "pipewire";
       repo = "pipewire";
       rev = version;
-      sha256 = "sha256-dm+mgtvXJEBjCYMBbiBHZq42ikfsEDaybMzLMPLxBcE=";
+      sha256 = "sha256-xhJzE6JcfNcLMm+TqTIPaBEnEthEqUZiTqhWz1fO5Ng=";
     };
 
     patches = [
@@ -107,13 +107,6 @@ let
       ./0090-pipewire-config-template-paths.patch
       # Place SPA data files in lib output to avoid dependency cycles
       ./0095-spa-data-dir.patch
-
-      # backport patch fixing no sound in some cases
-      # FIXME: remove for next release
-      (fetchpatch {
-        url = "https://gitlab.freedesktop.org/pipewire/pipewire/-/commit/8748c77451ce332dd24549b414200499ede4f184.diff";
-        hash = "sha256-nxWszqLUbO1XS/DWIBYrGpVZFy2c5+E2V9dlBMekShM=";
-      })
     ];
 
     strictDeps = true;
diff --git a/pkgs/development/libraries/qt-5/5.15/default.nix b/pkgs/development/libraries/qt-5/5.15/default.nix
index 9820470f7040f..32dfb05ade003 100644
--- a/pkgs/development/libraries/qt-5/5.15/default.nix
+++ b/pkgs/development/libraries/qt-5/5.15/default.nix
@@ -230,7 +230,7 @@ let
 
       wrapQtAppsHook = makeSetupHook {
         name = "wrap-qt5-apps-hook";
-        propagatedBuildInputs = [ self.qtbase.dev buildPackages.makeWrapper ]
+        propagatedBuildInputs = [ self.qtbase.dev buildPackages.makeBinaryWrapper ]
           ++ lib.optional stdenv.isLinux self.qtwayland.dev;
       } ../hooks/wrap-qt-apps-hook.sh;
     } // lib.optionalAttrs config.allowAliases {
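Review bot: `makeBinaryWrapper` does not accept every option that the shell-based `makeWrapper` does; in particular `--run` is unsupported, so a package that forwards such an option through the Qt wrapper arguments would now fail at wrap time. The hook script `wrap-qt-apps-hook.sh` is not part of this hunk, so which arguments it forwards cannot be checked here. A comment on the changed line, e.g. `# binary wrapper: wrapper arguments must not use --run`, would warn packagers. The same applies to the identical change to `wrapQtAppsHook` in `qt-6/default.nix`.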
diff --git a/pkgs/development/libraries/qt-5/5.15/srcs-generated.json b/pkgs/development/libraries/qt-5/5.15/srcs-generated.json
index 377854f16f70a..03c409a381969 100644
--- a/pkgs/development/libraries/qt-5/5.15/srcs-generated.json
+++ b/pkgs/development/libraries/qt-5/5.15/srcs-generated.json
@@ -1,207 +1,207 @@
 {
   "qt3d": {
     "url": "https://invent.kde.org/qt/qt/qt3d.git",
-    "rev": "c3c7e6ebc29cce466d954f72f340a257d76b5ec2",
-    "sha256": "13ixg0gx7sp90k0db2xn7r2rj1w3zw3vs84pav0v8fwfvph9ki98"
+    "rev": "e94b0fa39a2f4bf260969fb18bf075dba39b2df1",
+    "sha256": "0mc7rym5pngpwpjghih7afjlyvvrlpdzw1wrbggykpmm8vrk5hzv"
   },
   "qtactiveqt": {
     "url": "https://invent.kde.org/qt/qt/qtactiveqt.git",
-    "rev": "2334cafc110c4e63bec3a5c7abdcd67e5e5ee754",
-    "sha256": "0p7pydqsrws5x9l74y37ldffd3yz4riyizl8669x6y6hj6177yd3"
+    "rev": "38635c3b343ce30b71e44c5a59f2f7393fba8259",
+    "sha256": "010jh2vdlymaxs1wd0agzb2gvgms9xrhs4vb5bjiiq5pys1sgkbp"
   },
   "qtandroidextras": {
     "url": "https://invent.kde.org/qt/qt/qtandroidextras.git",
-    "rev": "7ede0a6c555518a3fecba8930d5e4d9c58875d0d",
-    "sha256": "0nvdrbqm469iikkvzwjni3zb7dxwpy3x161m9yly4irklixhxkzh"
+    "rev": "b458aee3f907f2ce1880ad4031abecb2a1eab90a",
+    "sha256": "14vn9k80ilc2smaflnamyg5k0ddj3n4m123yfwb79rfg3lddhvs5"
   },
   "qtbase": {
     "url": "https://invent.kde.org/qt/qt/qtbase.git",
-    "rev": "6c09620dc84900c31a2d307a8640dbc15b1fcfdd",
-    "sha256": "0nr8xlfdrgjr6rrd5f99p8vzlxx6n8xch5l2z95pb2lx4w4pz26q"
+    "rev": "d3b21bc8b70eaa1af848371dc1d34c4617c1f73c",
+    "sha256": "11yww09fgcqsxv4sk4cflxdsdpdqc0x9b3qw63asfpwrnv9qry0a"
   },
   "qtcharts": {
     "url": "https://invent.kde.org/qt/qt/qtcharts.git",
-    "rev": "e30be213e483f2d6f3c40af0cbdc11a8e92e2026",
-    "sha256": "0vn1xh40lxa6vi87vr6qpskli2vh47mxi3d5srhf8rark0m51lf4"
+    "rev": "3d4a84eb6d62ce22a47794f309f9268729ac375f",
+    "sha256": "047hl5hd0l337b7bsc28lfx9p9jbrnqswfdk80ndvgvp96ziblg5"
   },
   "qtconnectivity": {
     "url": "https://invent.kde.org/qt/qt/qtconnectivity.git",
-    "rev": "2d241e0b79971917845a6ed448e838ef273d73d7",
-    "sha256": "15zk9q1n9yfg4nkr0rs7agsvzim8nlrqzm1h4h9r0iwr91g9vqp5"
+    "rev": "0f9e49cde3b7ca40cd94e63d2f5d29f5b586d3d6",
+    "sha256": "1iwqa98ihzqqpqgwsj0lm4zkfwgag9k634sxjnx6gxvfq0h6d4nx"
   },
   "qtdatavis3d": {
     "url": "https://invent.kde.org/qt/qt/qtdatavis3d.git",
-    "rev": "9f0f50ebef04d5ac5ed0ee2a3a71e7748fce3005",
-    "sha256": "151650nqq29m99cbf7ac02vxzw4ivm4spr4kd2ss3gwhfxby3zgj"
+    "rev": "7636478bb30f0af8afe9af429eb8512d6fbcc11b",
+    "sha256": "08xkhxwp5mlcp4q45adqn58p37wn2z2zabw23f51qvfw8rir9g62"
   },
   "qtdeclarative": {
     "url": "https://invent.kde.org/qt/qt/qtdeclarative.git",
-    "rev": "05c3f4921d81fb1b0eb497515c24ae56221d1e0a",
-    "sha256": "0101bbpnrj4rp51dcnn2gjcq7vw55g4c8y4lmg2nd5g69whmkl1c"
+    "rev": "0e1bed3c3e27d44d86d6f68a8b93b96a4821575c",
+    "sha256": "0v4c3pls67ww6ffiscbp05yb2vv583zrxj8p4jcy3yxa06khniy5"
   },
   "qtdoc": {
     "url": "https://invent.kde.org/qt/qt/qtdoc.git",
-    "rev": "79d6ef693b6241db4a86a90943c02180c4944214",
-    "sha256": "0ldskh9dd8qwa96nz1q5sbb8r2jdfcxvq589dyw87m3gpb8v16qq"
+    "rev": "701325d57940c6e54353d0d4b6c3ebac6f9688a3",
+    "sha256": "01x2075d71z3ag99dppixs1y85zrr0vck0piah62l9n0v3wz4r6p"
   },
   "qtgamepad": {
     "url": "https://invent.kde.org/qt/qt/qtgamepad.git",
-    "rev": "ad63dc64f4bdafb503f7015d04e8849cef5d99b4",
-    "sha256": "06ag3cmg56f4z9pc3ix9lddz5ydx48pf438xc2l1z3x4wxbkfbsy"
+    "rev": "7c05744e38d44afac687df3349d548c8790837db",
+    "sha256": "0j8rak512f96i0wy4n0d4fjsgfzn283k2kfpn93d2blld4r2rd5s"
   },
   "qtgraphicaleffects": {
     "url": "https://invent.kde.org/qt/qt/qtgraphicaleffects.git",
-    "rev": "4119e4e6dc94447d773a01c1d6e4de0fefb9235a",
-    "sha256": "0sdywxrbjzz9qmrywd54hqqssv59b9mlvra16hjxfd0di50brab2"
+    "rev": "06cfcbb6940d2729f5a6575e264873ce65ac99c3",
+    "sha256": "02jc7q7ijmhmffdp2ql2j3fw8ag7q98xlq40pywmzgrf1ggb34sw"
   },
   "qtimageformats": {
     "url": "https://invent.kde.org/qt/qt/qtimageformats.git",
-    "rev": "dbc9c396199ef78e820b40ddb8a4e76c0a86d48c",
-    "sha256": "18dhnvkv9hialjfcm80g9y38fsxfcfk4fgrrsm3hy2yda6a6g1c6"
+    "rev": "c249f58541afa45955c23b75c1fb88c5e3e4d18b",
+    "sha256": "025fxiy6ahgfqw3w7a08r2ff4ry2m1qn65haimpnn6bmi4vp88m8"
   },
   "qtlocation": {
     "url": "https://invent.kde.org/qt/qt/qtlocation.git",
-    "rev": "435f931a7e42172e12ceba8f0d9da06ba4ec0bee",
-    "sha256": "1p7hz09jv8whlv0m39cnjz3yc6pjzyxkc8zinl6f0qmrska6m4gp"
+    "rev": "2a8a48e9101236f118c2c4f0d79fae9c9d7b3f2a",
+    "sha256": "0ajvlqkm2641ahms34kg6a2hykvql1hxlm5nsaba7233hnfv3nsy"
   },
   "qtlottie": {
     "url": "https://invent.kde.org/qt/qt/qtlottie.git",
-    "rev": "56f94cb8e2da9801ada7aa06f86ccf807f5a4ed8",
-    "sha256": "1pyshl395qmf84h5lyw3rgn3gmz98sm1dq003jvr74w9i746hszf"
+    "rev": "f9f123a97989638c36b5c2b03f4ff6261ddaed9a",
+    "sha256": "06b5rjzqd1630c87spldxxd0bvkb94sbnaxwxbi7ac74k35ydq7s"
   },
   "qtmacextras": {
     "url": "https://invent.kde.org/qt/qt/qtmacextras.git",
-    "rev": "bc397be87f9b02e8279cfe2fc9b893c9f95219b9",
-    "sha256": "1dr8a7sv00dmk1hc6kzs93rhvjk2wkxx0mxl7riafdzxzyajcl7n"
+    "rev": "209e3ddcf0a6b48ff47a7dc97f2ea38470c8780d",
+    "sha256": "09aipbnalb44w6g3kzm9dc84ls2xmp1clwmy5zd012xsvjwqd3h5"
   },
   "qtmultimedia": {
     "url": "https://invent.kde.org/qt/qt/qtmultimedia.git",
-    "rev": "32557dbe01ba66005b8e28b38033eeee9819a4c6",
-    "sha256": "09mds5v3b3jq34r40hqg2a39q16p4q648wda7cqgm2yp249j06g8"
+    "rev": "ff4c7bc3bf7ba4b748fdeb9d09887271c2b28505",
+    "sha256": "14wx49mkqqzvwzhbx3jhbrjngq4vb3x2kmgzrq7f6nri0g7dpss8"
   },
   "qtnetworkauth": {
     "url": "https://invent.kde.org/qt/qt/qtnetworkauth.git",
-    "rev": "f082a4c84c54e888b8d023ba68b7085551403425",
-    "sha256": "03sd0a58b8z340in4avk6lqqa9qzkzkaxnk2yn1a270sxrsq6y0l"
+    "rev": "59311ee7d78a8b19d3dbe61cf49d42c5bd7c934a",
+    "sha256": "1rdgfmfsqp3hdkkq6bi8vdxgrh45xzf1b2nryhnk8pid81wa2bzq"
   },
   "qtpurchasing": {
     "url": "https://invent.kde.org/qt/qt/qtpurchasing.git",
-    "rev": "9dfea35b04dcb52d02d7a2883df88d89ba9999ef",
-    "sha256": "0swliqwzz3b297z7y6sr79ijgv3914s2g9ymq77plxglfdrnm74j"
+    "rev": "5737c10128c6eeb28c10df569c8492bb2e8f4230",
+    "sha256": "0iny9npc7w7b1rz9yx659bva66rllhbfqh4af9wdwbi9ssr4x5pc"
   },
   "qtquick3d": {
     "url": "https://invent.kde.org/qt/qt/qtquick3d.git",
-    "rev": "47defc8b33b7bdf1dbf289b65b301fba2def9b1c",
-    "sha256": "0kfwkxln3yz0c5rd1kfjmw0y2drwm1gg2s7f52kajfvg4274ha9c"
+    "rev": "ccd0284235e9e3e1f97d808125af5024d3f04140",
+    "sha256": "1mfw97v60fdszab0gqxjydw00f89rx8clw3dq72zx1rgv8rn2s67"
   },
   "qtquickcontrols": {
     "url": "https://invent.kde.org/qt/qt/qtquickcontrols.git",
-    "rev": "18977875d16e22ad68a1dc2d7ee0a9c9f873c941",
-    "sha256": "0n3930zzvp4s6m715rvx1bjh2s2fg7cadjs2hq6bc8k9mwlqibk1"
+    "rev": "eb9dead185ae209dd2364d09db74d8ab613d982d",
+    "sha256": "1pza9cjv49x59lvzyv45hwz01z8l9zzn8a3ssazycxvcq3w0pncb"
   },
   "qtquickcontrols2": {
     "url": "https://invent.kde.org/qt/qt/qtquickcontrols2.git",
-    "rev": "56ce8233382a091a8476c831edd416b5f704ae4f",
-    "sha256": "1h68s2fdgn1pbf5hsk6c8v4icz8c4cpbxv8iirz22yhlzabc3hdm"
+    "rev": "86a84eaa74c4071e5750f23b6e9911762880d391",
+    "sha256": "1zywq3ll49bzzvl6rzn4zpp96a4mdx0b9l5ic0x6zc4dr8c8jk5m"
   },
   "qtquicktimeline": {
     "url": "https://invent.kde.org/qt/qt/qtquicktimeline.git",
-    "rev": "4cd0142a30bfa5eef47c720ac24dd73e12764806",
-    "sha256": "13vhlgxq8ap796p3y9c3kj645p0370bqjwm5hkz13pazm15sbc9z"
+    "rev": "dd5d4af65890baad8baa85a445a752a877a4f7e3",
+    "sha256": "1m096pskaxhzxyvz17lksg1qlni7qacvqf3z71wvwvxzgjvs5bqh"
   },
   "qtremoteobjects": {
     "url": "https://invent.kde.org/qt/qt/qtremoteobjects.git",
-    "rev": "929c7ad0676f084b9ecc469cd47a307596923cb3",
-    "sha256": "0l94k9fdzk96j40gab2l5n4lmadzaqhvbg8s3m5f3v4im00xa2x9"
+    "rev": "27b496d5aff650e4cf9a3148857c723dce10ef25",
+    "sha256": "0wyf1nb6wjh4jd2n8cng7a6lzv1dkwrniabsvn1adl1nqknq7asv"
   },
   "qtscript": {
     "url": "https://invent.kde.org/qt/qt/qtscript.git",
-    "rev": "4d8e4bd20b7100b0b7192547b19c3c239aaf7034",
-    "sha256": "1pvihbjjmczby4934lir3h3kq0rqcvxnbw2vdkl9lhkds3lm0qhf"
+    "rev": "4f8c35a528586541ea55bb8b3361eaa6749e52b1",
+    "sha256": "01jddzy51ks899mszz35lcdgmpl5czcgh5g9fb84pxdnpgaxrx9b"
   },
   "qtscxml": {
     "url": "https://invent.kde.org/qt/qt/qtscxml.git",
-    "rev": "0c93f94a44e2dce7eed9d17d4976b0c1e14be7bb",
-    "sha256": "1vvzvin23ws6njhyg93s2dlkxb9p50mkipc611lsx7971gv1wih0"
+    "rev": "d30a77111835395828fdcaa89a88110c5d9f6857",
+    "sha256": "1yid5653653qlpk305y276gdrifdxpjzfa1629csq2b8hpwkddc2"
   },
   "qtsensors": {
     "url": "https://invent.kde.org/qt/qt/qtsensors.git",
-    "rev": "6add85fa1a234a7e1943ba175c6fc799ccbae48e",
-    "sha256": "1k02x3wzczwg7cqh6hav31akdsz9kk8s0vryd3q7zfrhqy9m88sh"
+    "rev": "391c710b88865a3e0311b61d93fcdbbfd6996d46",
+    "sha256": "19myf3w6g64clj9msy71is7b9krkfrzcqlyza37m3pimy7x305a0"
   },
   "qtserialbus": {
     "url": "https://invent.kde.org/qt/qt/qtserialbus.git",
-    "rev": "ced5c7223d037aece1e7f37d4314f388252de025",
-    "sha256": "009ajdry6lvf9pifzm2zl0w5zhkmrrxm53mjf9s76jqrsi6yqk30"
+    "rev": "f8684ae6b0c12b6b21f1547fabe38b60c39f8893",
+    "sha256": "0k60wibb2xis7gvx9d7q14a3sq1ij1m196ax4rfwwrzsz2vviir0"
   },
   "qtserialport": {
     "url": "https://invent.kde.org/qt/qt/qtserialport.git",
-    "rev": "e2851096dc6f6a7cfa635d69ea950b382e3658ab",
-    "sha256": "071g8d9i3wi8rqqy4lxpp3z25a55pd2xwsy3r8v0a6s6y5g5lcpf"
+    "rev": "7fb308ec721f034a0d673784d951577d764a8e67",
+    "sha256": "1f8sjyd7ksy4420lr6vn18mzb64jm0p8mml5d2vpgp344w2jbqm0"
   },
   "qtspeech": {
     "url": "https://invent.kde.org/qt/qt/qtspeech.git",
-    "rev": "255845e2b2e605363762be25932d92fc10d32749",
-    "sha256": "0apyk2z9r7i54sh0zgbs8vfncc4jrcrzzvi3q14d105pkhrschp9"
+    "rev": "4856b6e231d7e2373ec8f89e861603a0d815793a",
+    "sha256": "0v8lx6g43apfnyn37ccgjnq7abayplgnihx62fncgl2cpmy9nkha"
   },
   "qtsvg": {
     "url": "https://invent.kde.org/qt/qt/qtsvg.git",
-    "rev": "a7a0f2491334e8cb4ef5731f5eb741f3f7b9af76",
-    "sha256": "13zpzvwqv61dsd74s92nf46rhaw2rw3hl8m6d313wjlaaqi95ln6"
+    "rev": "9b5ab29cbba1908fd4928e2bda2b93e418e36187",
+    "sha256": "0vnwhbkk40wj9rfy3fhjm9slra3y3j1mk67n3vnrzvmzrmpl4443"
   },
   "qttools": {
     "url": "https://invent.kde.org/qt/qt/qttools.git",
-    "rev": "090e526e713d01eac34c64e4a09ad961c612febf",
-    "sha256": "1zrxv9wdnqayn5hhblwyqyrdn8mj7x2ks2f4qsr2w3cdidcjjz7y"
+    "rev": "5649efd376ed7dbb171905e9edebbd547d1f73eb",
+    "sha256": "1c49v7pni6bljnf4ppxrrdr0h0hpw4i7s6an91m7ca18s8x4m1rb"
   },
   "qttranslations": {
     "url": "https://invent.kde.org/qt/qt/qttranslations.git",
-    "rev": "af8cd030fed6a47cc1e8727e7ee5445e037bf712",
-    "sha256": "14fx3r9s3p16rhv9fyrwnv6bn24nvh5xnjwcw1mb04c44ddb9r86"
+    "rev": "2b802231af3eb21c3c781753aba804217f855e86",
+    "sha256": "1xdp1x6qkdm0xz8yg1j2c1fpav54c1rwxlpfj116xspfik4zy7gf"
   },
   "qtvirtualkeyboard": {
     "url": "https://invent.kde.org/qt/qt/qtvirtualkeyboard.git",
-    "rev": "5f66c9571303170f07954f73b09cad4cee1ce5d0",
-    "sha256": "0jzl7a2zr83nd9sskmz9fk2w2spn3v821j0l7kcp2hxydgyhk8v3"
+    "rev": "4191fd9098ae25ffd5917370427460842e73f0cb",
+    "sha256": "0jl9dw1azh961hcakmyxavfm0w7g1a89lyj2bal8dqvv9y3089cj"
   },
   "qtwayland": {
     "url": "https://invent.kde.org/qt/qt/qtwayland.git",
-    "rev": "df41e7e3e1f0e5495c5c8c52f1c9bb5a32b0da27",
-    "sha256": "0f292axj0ivgwgx97zc8x744243i7lgqcxbkjxham6md81m1xbwj"
+    "rev": "c4c3fc69250c01cb35aaae5ea1ea2bcc8236dff0",
+    "sha256": "040wgrxr2kkshpyg3gwcggdxlxrjd7pbnr3fj8v63byx34sz2w9b"
   },
   "qtwebchannel": {
     "url": "https://invent.kde.org/qt/qt/qtwebchannel.git",
-    "rev": "f8949655ccfacc2d34cfb0af23c540db84a2b9e5",
-    "sha256": "1303hghvk6avshb7imnkv24qv1ij5d3nbljba20l6v6dsr7zg7ba"
+    "rev": "c508ffb1996eeddfd10dda493974746e6b375080",
+    "sha256": "0hs7cqfiwc0mdsa9zngackfljy7d5306mpn3rwjfi5rawd85xsp0"
   },
   "qtwebglplugin": {
     "url": "https://invent.kde.org/qt/qt/qtwebglplugin.git",
-    "rev": "655be6c5406f8ba42acaca363fc55d78a6198733",
-    "sha256": "08biydqk1lhjzvrgl3zhbrrgnjcy611pmh9scyw42avdvj2qzpc2"
+    "rev": "64beacdd2d0f6fe0796bd291c9ab33f206a333c3",
+    "sha256": "1vqmxkfzggsalq2ic2b902jy0b47zkgzl95gg8dia8089vfny4kn"
   },
   "qtwebsockets": {
     "url": "https://invent.kde.org/qt/qt/qtwebsockets.git",
-    "rev": "90f3590c3c49a0820462af9a778dd13d8df42244",
-    "sha256": "1dxc3imh8455vy3pggrzjflb2v5382q9ha2fwplybxawld9wdw45"
+    "rev": "ed7416b1b8af9de9926388408469a35f2ad6a795",
+    "sha256": "1434bqqb1hm49b1acwb22b2lc9p936dlylg0m56h2pl4vv9w0v3b"
   },
   "qtwebview": {
     "url": "https://invent.kde.org/qt/qt/qtwebview.git",
-    "rev": "dfd86e07019488954cddcf2ba314df3cd0c01c0c",
-    "sha256": "1crph9sdmxxs0787il86j2dv6k3qylmy8a83hfzczcjcx3pwcf7a"
+    "rev": "23d67d0de3301dbed5d8c5880b6cf60bfa9eeb2a",
+    "sha256": "16rqz6jiiswaiwa7hn6pn0cq9la8843b4jxi8di30ymq9ysivbqq"
   },
   "qtwinextras": {
     "url": "https://invent.kde.org/qt/qt/qtwinextras.git",
-    "rev": "48318520a4031167c4c0ad559e1a11b2f4c053d6",
-    "sha256": "04smnp9pl3szizdp05dz7qmdgg8sk57d3r40sdy7v9zwi4lwaqi4"
+    "rev": "44d18eaff83b7491a130e41678cadcc3ba836a8d",
+    "sha256": "10fky86gcma9fwdbk3s733x7gqgxzsg6iaf9j42b0f8c2n5jhql3"
   },
   "qtx11extras": {
     "url": "https://invent.kde.org/qt/qt/qtx11extras.git",
-    "rev": "e44c85e8643f2724109993a7b9eaf0dff3530fec",
-    "sha256": "1vs1013zxw54xfmkpid99p5f38hlqds172vija7xjyjaww7j7y3b"
+    "rev": "8bba77a558049727d1bc88736dd03d1b5c41cead",
+    "sha256": "1lk4jm2pp0n8disxpcr1520bd798lif23fisnmkzysxcrlw1dflh"
   },
   "qtxmlpatterns": {
     "url": "https://invent.kde.org/qt/qt/qtxmlpatterns.git",
-    "rev": "3199d91de3f38e5ece3d36bcefe2c33b2c014f3f",
-    "sha256": "1l6babh2cjqwaqk12cqpkkl2qy909b1fd84p0ab19raw419ncawz"
+    "rev": "fa0c41677ab43bc50bc4d086dfce96602060b7e0",
+    "sha256": "1wrh1m9s4pdbvlgy93jv6acn9k1an6jb086cbxscgimgw3kb867p"
   }
 }
diff --git a/pkgs/development/libraries/qt-5/5.15/srcs.nix b/pkgs/development/libraries/qt-5/5.15/srcs.nix
index c7f2f86f357ba..8d910428feb3e 100644
--- a/pkgs/development/libraries/qt-5/5.15/srcs.nix
+++ b/pkgs/development/libraries/qt-5/5.15/srcs.nix
@@ -1,7 +1,7 @@
 { lib, fetchgit, fetchFromGitHub }:
 
 let
-  version = "5.15.8";
+  version = "5.15.9";
   overrides = {};
 
   mk = name: args:
@@ -64,7 +64,7 @@ lib.mapAttrs mk (lib.importJSON ./srcs-generated.json)
 
   qtwebengine =
     let
-      branchName = "5.15.12";
+      branchName = "5.15.13";
       rev = "v${branchName}-lts";
     in
     {
@@ -72,7 +72,7 @@ lib.mapAttrs mk (lib.importJSON ./srcs-generated.json)
 
       src = fetchgit {
         url = "https://github.com/qt/qtwebengine.git";
-        sha256 = "sha256-8EQqSvxw9rqf+64CIbcCb1VXhNx1GNC8eDIgLyYDyvk=";
+        sha256 = "sha256-gZmhJTA5A3+GeySJoppYGffNC6Ych2pOYlsu3w+fnmw=";
         inherit rev branchName;
         fetchSubmodules = true;
         leaveDotGit = true;
diff --git a/pkgs/development/libraries/qt-6/default.nix b/pkgs/development/libraries/qt-6/default.nix
index 90a25f34c2137..b3098466ac839 100644
--- a/pkgs/development/libraries/qt-6/default.nix
+++ b/pkgs/development/libraries/qt-6/default.nix
@@ -151,7 +151,7 @@ let
       wrapQtAppsHook = makeSetupHook
         {
           name = "wrap-qt6-apps-hook";
-          propagatedBuildInputs = [ buildPackages.makeWrapper ];
+          propagatedBuildInputs = [ buildPackages.makeBinaryWrapper ];
         } ./hooks/wrap-qt-apps-hook.sh;
 
       qmake = makeSetupHook
diff --git a/pkgs/development/libraries/qt-6/modules/qtmultimedia.nix b/pkgs/development/libraries/qt-6/modules/qtmultimedia.nix
index 5372def8aea1c..cb012ee8bef7b 100644
--- a/pkgs/development/libraries/qt-6/modules/qtmultimedia.nix
+++ b/pkgs/development/libraries/qt-6/modules/qtmultimedia.nix
@@ -26,8 +26,8 @@ qtModule {
   nativeBuildInputs = [ pkg-config ];
   buildInputs = [ libunwind orc ]
     ++ lib.optionals stdenv.isLinux [ libpulseaudio elfutils alsa-lib wayland ];
-  propagatedBuildInputs = [ gstreamer gst-plugins-base gst-plugins-good gst-libav ]
-    ++ lib.optionals stdenv.isLinux [ gst-vaapi ]
+  propagatedBuildInputs =
+    lib.optionals stdenv.isLinux [ gstreamer gst-plugins-base gst-plugins-good gst-libav gst-vaapi ]
     ++ lib.optionals stdenv.isDarwin [ VideoToolbox ];
 
   env.NIX_CFLAGS_COMPILE = lib.optionalString stdenv.isDarwin
diff --git a/pkgs/development/libraries/quictls/default.nix b/pkgs/development/libraries/quictls/default.nix
index a9c07232035f9..052417f311744 100644
--- a/pkgs/development/libraries/quictls/default.nix
+++ b/pkgs/development/libraries/quictls/default.nix
@@ -1,12 +1,9 @@
 { lib, stdenv, fetchurl, buildPackages, perl, coreutils, fetchFromGitHub
+, makeWrapper
 , withCryptodev ? false, cryptodev
 , enableSSL2 ? false
 , enableSSL3 ? false
 , static ? stdenv.hostPlatform.isStatic
-# Used to avoid cross compiling perl, for example, in darwin bootstrap tools.
-# This will cause c_rehash to refer to perl via the environment, but otherwise
-# will produce a perfectly functional openssl binary and library.
-, withPerl ? stdenv.hostPlatform == stdenv.buildPlatform
 , removeReferencesTo
 }:
 
@@ -52,11 +49,8 @@ stdenv.mkDerivation rec {
     !(stdenv.hostPlatform.useLLVM or false) &&
     stdenv.cc.isGNU;
 
-  nativeBuildInputs = [ perl removeReferencesTo ];
-  buildInputs = lib.optional withCryptodev cryptodev
-    # perl is included to allow the interpreter path fixup hook to set the
-    # correct interpreter in c_rehash.
-    ++ lib.optional withPerl perl;
+  nativeBuildInputs = [ makeWrapper perl removeReferencesTo ];
+  buildInputs = lib.optional withCryptodev cryptodev;
 
   # TODO(@Ericson2314): Improve with mass rebuild
   configurePlatforms = [];
@@ -140,22 +134,17 @@ stdenv.mkDerivation rec {
     if [ -n "$(echo $out/lib/*.so $out/lib/*.dylib $out/lib/*.dll)" ]; then
         rm "$out/lib/"*.a
     fi
-  '') + lib.optionalString (!stdenv.hostPlatform.isWindows)
-    # Fix bin/c_rehash's perl interpreter line
-    #
-    # - openssl 1_0_2: embeds a reference to buildPackages.perl
-    # - openssl 1_1:   emits "#!/usr/bin/env perl"
-    #
-    # In the case of openssl_1_0_2, reset the invalid reference and let the
-    # interpreter hook take care of it.
-    #
-    # In both cases, if withPerl = false, the intepreter line is expected be
-    # "#!/usr/bin/env perl"
-  ''
-    substituteInPlace $out/bin/c_rehash --replace ${buildPackages.perl}/bin/perl "/usr/bin/env perl"
-  '' + ''
+  '') + ''
     mkdir -p $bin
     mv $out/bin $bin/bin
+
+    # c_rehash is a legacy perl script with the same functionality
+    # as `openssl rehash`
+    # this wrapper script is created to maintain backwards compatibility without
+    # depending on perl
+    makeWrapper $bin/bin/openssl $bin/bin/c_rehash \
+      --add-flags "rehash"
+
     mkdir $dev
     mv $out/include $dev/
     # remove dependency on Perl at runtime
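Review bot: The `makeWrapper` call for `c_rehash` now runs on every host platform, while the block it replaces was wrapped in `lib.optionalString (!stdenv.hostPlatform.isWindows)`. On a Windows host the binary is presumably `openssl.exe`, so `makeWrapper $bin/bin/openssl …` would likely fail its executable check and break the build; restoring the guard around the wrapper lines (`lib.optionalString (!stdenv.hostPlatform.isWindows)`) would preserve the earlier behaviour. The added comment could also say that the wrapper overwrites the upstream perl `c_rehash` that `mv $out/bin $bin/bin` has just moved into place, and that `openssl rehash` is assumed to accept the options callers pass to `c_rehash`. The install script this hunk edits starts and ends outside the hunk.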
diff --git a/pkgs/development/libraries/science/math/or-tools/default.nix b/pkgs/development/libraries/science/math/or-tools/default.nix
index 09657cea2f4eb..6d23008b69222 100644
--- a/pkgs/development/libraries/science/math/or-tools/default.nix
+++ b/pkgs/development/libraries/science/math/or-tools/default.nix
@@ -47,6 +47,12 @@ stdenv.mkDerivation rec {
     })
   ];
 
+  # or-tools normally attempts to build Protobuf for the build platform when
+  # cross-compiling. Instead, just tell it where to find protoc.
+  postPatch = ''
+    echo "set(PROTOC_PRG $(type -p protoc))" > cmake/host.cmake
+  '';
+
   cmakeFlags = [
     "-DBUILD_DEPS=OFF"
     "-DBUILD_PYTHON=ON"
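Review bot: In the added `postPatch`, `$(type -p protoc)` expands to an empty string when `protoc` is not on `PATH`, and the surrounding `echo` still succeeds, so `cmake/host.cmake` would contain `set(PROTOC_PRG )` and the error would only surface later in the CMake run. Resolve the path first and fail early: `protoc=$(type -p protoc) || { echo "protoc not found in PATH" >&2; exit 1; }` followed by `echo "set(PROTOC_PRG $protoc)" > cmake/host.cmake`. The `nativeBuildInputs` visible in the next hunk do not list protobuf explicitly, so it presumably arrives through propagation; that is worth confirming for the cross-compilation case the comment describes.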
@@ -54,23 +60,25 @@ stdenv.mkDerivation rec {
     "-DFETCH_PYTHON_DEPS=OFF"
     "-DUSE_GLPK=ON"
     "-DUSE_SCIP=OFF"
+    "-DPython3_EXECUTABLE=${python.pythonForBuild.interpreter}"
   ] ++ lib.optionals stdenv.isDarwin [ "-DCMAKE_MACOSX_RPATH=OFF" ];
   nativeBuildInputs = [
     cmake
     ensureNewerSourcesForZipFilesHook
     pkg-config
-    python
-    python.pkgs.pip
+    python.pythonForBuild
     swig4
     unzip
-  ];
+  ] ++ (with python.pythonForBuild.pkgs; [
+    pip
+    mypy-protobuf
+  ]);
   buildInputs = [
     bzip2
     cbc
     eigen
     glpk
     python.pkgs.absl-py
-    python.pkgs.mypy-protobuf
     python.pkgs.pybind11
     python.pkgs.setuptools
     python.pkgs.wheel
@@ -101,7 +109,7 @@ stdenv.mkDerivation rec {
     pip install --prefix="$python" python/
   '';
 
-  outputs = [ "out" "python" ];
+  outputs = [ "out" "dev" "python" ];
 
   meta = with lib; {
     homepage = "https://github.com/google/or-tools";
diff --git a/pkgs/development/libraries/serf/scons.patch b/pkgs/development/libraries/serf/scons.patch
index acfece7ef5fed..5f168ce7f2eba 100644
--- a/pkgs/development/libraries/serf/scons.patch
+++ b/pkgs/development/libraries/serf/scons.patch
@@ -11,10 +11,11 @@ index 4358a23..6ce7776 100644
      if target in build_targets:
        return PathVariable.PathIsDirCreate(key, val, env)
      else:
-@@ -155,6 +155,7 @@ if sys.platform == 'win32':
+@@ -155,6 +155,8 @@ if sys.platform == 'win32':
  env = Environment(variables=opts,
                    tools=('default', 'textfile',),
                    CPPPATH=['.', ],
++                  AR=os.environ['AR'],
 +                  ENV=os.environ,
                    )
  
diff --git a/pkgs/development/python-modules/aiohttp/default.nix b/pkgs/development/python-modules/aiohttp/default.nix
index 9fcca373c38bd..91ab8c040fdb3 100644
--- a/pkgs/development/python-modules/aiohttp/default.nix
+++ b/pkgs/development/python-modules/aiohttp/default.nix
@@ -23,6 +23,7 @@
 , freezegun
 , gunicorn
 , pytest-mock
+, pytest-xdist
 , pytestCheckHook
 , re-assert
 , trustme
@@ -79,6 +80,7 @@ buildPythonPackage rec {
     freezegun
     gunicorn
     pytest-mock
+    pytest-xdist
     pytestCheckHook
     re-assert
   ] ++ lib.optionals (!(stdenv.isDarwin && stdenv.isAarch64)) [
@@ -116,7 +118,7 @@ buildPythonPackage rec {
   '' + lib.optionalString stdenv.isDarwin ''
     # Work around "OSError: AF_UNIX path too long"
     export TMPDIR="/tmp"
-   '';
+  '';
 
   meta = with lib; {
     changelog = "https://github.com/aio-libs/aiohttp/blob/v${version}/CHANGES.rst";
diff --git a/pkgs/development/python-modules/aioquic/default.nix b/pkgs/development/python-modules/aioquic/default.nix
index 5b18a77edd3d9..753ce73fb2dc9 100644
--- a/pkgs/development/python-modules/aioquic/default.nix
+++ b/pkgs/development/python-modules/aioquic/default.nix
@@ -25,10 +25,15 @@ buildPythonPackage rec {
       hash = "sha256-XjhyajDawN/G1nPtkMbNe66iJCo76UpdA7PqwtxO5ag=";
     })
     # https://github.com/aiortc/aioquic/pull/349, fixes test failure due pyopenssl==22
-    (assert lib.versions.major pyopenssl.version == "22"; fetchpatch {
+    (fetchpatch {
       url = "https://github.com/aiortc/aioquic/commit/c3b72be85868d67ee32d49ab9bd98a4357cbcde9.patch";
       hash = "sha256-AjW+U9DpNXgA5yqKkWnx0OYpY2sZR9KIdQ3pSzxU+uY=";
     })
+    # AssertionError: 'self-signed certificate' != 'self signed certificate'
+    (fetchpatch {
+      url = "https://github.com/aiortc/aioquic/commit/cfcd3ce12fb27f5b26deb011a82f66b5d68d521a.patch";
+      hash = "sha256-bCW817Z7jCxYySfUukNR4cibURH3qZWEQjeeyvRIqZY=";
+    })
   ];
 
   propagatedBuildInputs = [
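Review bot: The comment above the first `fetchpatch` still reads "fixes test failure due pyopenssl==22", but the `assert` that tied the patch to that major version is removed here and pyopenssl moves to 23.1.1 elsewhere in this commit. Nothing now tells a maintainer when either patch can be dropped. Suggest rewording the first comment to `# https://github.com/aiortc/aioquic/pull/349, needed for pyopenssl >= 22; drop once the aioquic release includes it`. The second patch would benefit from a line naming what changed the certificate error wording, which is presumably the OpenSSL 3 update.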
@@ -43,6 +48,8 @@ buildPythonPackage rec {
 
   pythonImportsCheck = [ "aioquic" ];
 
+  __darwinAllowLocalNetworking = true;
+
   meta = with lib; {
     description = "Implementation of QUIC and HTTP/3";
     homepage = "https://github.com/aiortc/aioquic";
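Review bot: `__darwinAllowLocalNetworking = true;` relaxes the Darwin build sandbox but is added without a comment explaining why. A later reader cannot tell whether it is still required or which tests depend on it. Suggest a line above it such as `# tests open sockets on localhost, which the Darwin sandbox blocks by default`, adjusted to whatever the failing tests actually do.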
diff --git a/pkgs/development/python-modules/anyio/default.nix b/pkgs/development/python-modules/anyio/default.nix
index 83b5d27655c7f..5153a2b4d2621 100644
--- a/pkgs/development/python-modules/anyio/default.nix
+++ b/pkgs/development/python-modules/anyio/default.nix
@@ -2,7 +2,6 @@
 , lib
 , buildPythonPackage
 , fetchFromGitHub
-, fetchpatch
 , pythonOlder
 , setuptools
 , setuptools-scm
@@ -13,6 +12,7 @@
 , hypothesis
 , mock
 , pytest-mock
+, pytest-xdist
 , pytestCheckHook
 , trio
 , trustme
@@ -55,6 +55,7 @@ buildPythonPackage rec {
     curio
     hypothesis
     pytest-mock
+    pytest-xdist
     pytestCheckHook
     trio
     trustme
@@ -74,6 +75,10 @@ buildPythonPackage rec {
     "test_exception_group_children"
     "test_exception_group_host"
     "test_exception_group_filtering"
+    # regression in python 3.11.3 and 3.10.11
+    # https://github.com/agronholm/anyio/issues/550
+    "TestTLSStream"
+    "TestTLSListener"
   ];
 
   disabledTestPaths = [
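Review bot: The two added entries disable the whole `TestTLSStream` and `TestTLSListener` classes on every interpreter, although the comment attributes the failure to Python 3.11.3 and 3.10.11 only. That leaves anyio's TLS code paths untested in this package, with no marker for when to restore coverage. Add a removal note such as `# TODO: re-enable once https://github.com/agronholm/anyio/issues/550 is resolved`. If the linked issue names individual failing methods, list those instead of the classes. The `disabledTests` list begins outside the hunk.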
diff --git a/pkgs/development/python-modules/cryptography/default.nix b/pkgs/development/python-modules/cryptography/default.nix
index ba2407923f33a..578d13acf43d1 100644
--- a/pkgs/development/python-modules/cryptography/default.nix
+++ b/pkgs/development/python-modules/cryptography/default.nix
@@ -11,6 +11,7 @@
 , six
 , isPyPy
 , cffi
+, pkg-config
 , pytestCheckHook
 , pytest-benchmark
 , pytest-subtests
@@ -28,26 +29,27 @@ let
 in
 buildPythonPackage rec {
   pname = "cryptography";
-  version = "39.0.1"; # Also update the hash in vectors.nix
+  version = "40.0.1"; # Also update the hash in vectors.nix
   format = "setuptools";
   disabled = pythonOlder "3.6";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-0fYZjubZFIQF5JiHgDkH/olioj5sb4PqfZjxwN43VpU=";
+    hash = "sha256-KAPy+LHpX2FEGZJsfm9V2CivxhTKXtYVQ4d65mjMNHI=";
   };
 
   cargoDeps = rustPlatform.fetchCargoTarball {
     inherit src;
     sourceRoot = "${pname}-${version}/${cargoRoot}";
     name = "${pname}-${version}";
-    hash = "sha256-0x+KIqJznDEyIUqVuYfIESKmHBWfzirPeX2R/cWlngc=";
+    hash = "sha256-gFfDTc2QWBWHBCycVH1dYlCsWQMVcRZfOBIau+njtDU=";
   };
 
   cargoRoot = "src/rust";
 
   nativeBuildInputs = lib.optionals (!isPyPy) [
     cffi
+    pkg-config
   ] ++ [
     rustPlatform.cargoSetupHook
     setuptools-rust
diff --git a/pkgs/development/python-modules/cryptography/vectors.nix b/pkgs/development/python-modules/cryptography/vectors.nix
index b054f89aa3a6d..71bd22bf738f0 100644
--- a/pkgs/development/python-modules/cryptography/vectors.nix
+++ b/pkgs/development/python-modules/cryptography/vectors.nix
@@ -9,7 +9,7 @@ buildPythonPackage rec {
   src = fetchPypi {
     pname = "cryptography_vectors";
     inherit version;
-    hash = "sha256-DLrrUL2388nXqTsmoEYu9ul8doynjZAoVP4EXDC2gMY=";
+    hash = "sha256-hGBwa1tdDOSoVXHKM4nPiPcAu2oMYTPcn+D1ovW9oEE=";
   };
 
   # No tests included
diff --git a/pkgs/development/python-modules/ctap-keyring-device/default.nix b/pkgs/development/python-modules/ctap-keyring-device/default.nix
index 6406440aa9632..ca2f9e4256ca5 100644
--- a/pkgs/development/python-modules/ctap-keyring-device/default.nix
+++ b/pkgs/development/python-modules/ctap-keyring-device/default.nix
@@ -14,6 +14,7 @@
 let
   fido2_0 = fido2.overridePythonAttrs (oldAttrs: rec {
     version = "0.9.3";
+    format = "setuptools";
     src = fetchPypi {
       inherit (oldAttrs) pname;
       inherit version;
diff --git a/pkgs/development/python-modules/dbus-deviation/default.nix b/pkgs/development/python-modules/dbus-deviation/default.nix
new file mode 100644
index 0000000000000..016b18f25081f
--- /dev/null
+++ b/pkgs/development/python-modules/dbus-deviation/default.nix
@@ -0,0 +1,35 @@
+{ lib
+, buildPythonPackage
+, fetchPypi
+, lxml
+, setuptools-git
+, sphinx
+}:
+
+buildPythonPackage rec {
+  pname = "dbus-deviation";
+  version = "0.6.1";
+
+  src = fetchPypi {
+    inherit pname version;
+    hash = "sha256-4GuI7+IjiF0nJd9Rz3ybe0Y9HG8E6knUaQh0MY0Ot6M=";
+  };
+
+  nativeBuildInputs = [
+    setuptools-git
+    sphinx
+  ];
+
+  propagatedBuildInputs = [
+    lxml
+  ];
+
+  pythonImportsCheck = [ "dbusdeviation" ];
+
+  meta = with lib; {
+    homepage = "https://tecnocode.co.uk/dbus-deviation/";
+    description = "A project for parsing D-Bus introspection XML and processing it in various ways";
+    license = licenses.lgpl21Plus;
+    maintainers = with maintainers; [ lilyinstarlight ];
+  };
+}
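Review bot: The new expression sets no `format` attribute and relies on the builder default, whereas other Python packages touched in this commit (flaky, fido2) state it explicitly. Since `setuptools-git` is in `nativeBuildInputs`, `format = "setuptools";` after `version` looks like the intended value. The same applies to the new `wheezy-template/default.nix` later in this diff. `meta.description` also starts with an article in both files, which nixpkgs convention drops, e.g. `description = "Parse D-Bus introspection XML and process it in various ways";`.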
diff --git a/pkgs/development/python-modules/fido2/default.nix b/pkgs/development/python-modules/fido2/default.nix
index c457d6e1cef42..459f0799477d9 100644
--- a/pkgs/development/python-modules/fido2/default.nix
+++ b/pkgs/development/python-modules/fido2/default.nix
@@ -1,6 +1,7 @@
 { lib
 , buildPythonPackage
 , fetchPypi
+, poetry-core
 , six
 , cryptography
 , mock
@@ -10,13 +11,16 @@
 
 buildPythonPackage rec {
   pname = "fido2";
-  version = "1.1.0";
+  version = "1.1.1";
+  format = "pyproject";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-K0tOYgwhAEQsIGeODpUa1tHvs7pcqOu3IMTI1UMpNnQ=";
+    hash = "sha256-XcSVyoxZwcM3ODtLjDFNRrktXG/GUOcZhMbX+VQHn8M=";
   };
 
+  nativeBuildInputs = [ poetry-core ];
+
   propagatedBuildInputs = [ six cryptography ];
 
   nativeCheckInputs = [ unittestCheckHook mock pyfakefs ];
diff --git a/pkgs/development/python-modules/flaky/default.nix b/pkgs/development/python-modules/flaky/default.nix
index 65efea30db6c5..43b3288f94b9b 100644
--- a/pkgs/development/python-modules/flaky/default.nix
+++ b/pkgs/development/python-modules/flaky/default.nix
@@ -2,27 +2,29 @@
 , buildPythonPackage
 , fetchPypi
 , mock
-, nose
 , pytest
 }:
 
 buildPythonPackage rec {
   pname = "flaky";
   version = "3.7.0";
+  format = "setuptools";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "3ad100780721a1911f57a165809b7ea265a7863305acb66708220820caf8aa0d";
+    hash = "sha256-OtEAeAchoZEfV6FlgJt+omWnhjMFrLZnCCIIIMr4qg0=";
   };
 
-  nativeCheckInputs = [ mock nose pytest ];
+  nativeCheckInputs = [
+    mock
+    pytest
+  ];
 
   checkPhase = ''
     # based on tox.ini
     pytest -k 'example and not options' --doctest-modules test/test_pytest/
     pytest -k 'example and not options' test/test_pytest/
     pytest -p no:flaky test/test_pytest/test_flaky_pytest_plugin.py
-    nosetests --with-flaky --force-flaky --max-runs 2 test/test_nose/test_nose_options_example.py
     pytest --force-flaky --max-runs 2  test/test_pytest/test_pytest_options_example.py
   '';
 
diff --git a/pkgs/development/python-modules/gst-python/default.nix b/pkgs/development/python-modules/gst-python/default.nix
index 52c7be56bc72d..9c30ebc68159f 100644
--- a/pkgs/development/python-modules/gst-python/default.nix
+++ b/pkgs/development/python-modules/gst-python/default.nix
@@ -14,7 +14,7 @@
 
 buildPythonPackage rec {
   pname = "gst-python";
-  version = "1.20.0";
+  version = "1.22.2";
 
   format = "other";
 
@@ -22,7 +22,7 @@ buildPythonPackage rec {
 
   src = fetchurl {
     url = "${meta.homepage}/src/gst-python/${pname}-${version}.tar.xz";
-    sha256 = "j2e9xWBrozYGxryJbonefc2M9PykWfcTibG2/gdbXlQ=";
+    hash = "sha256-vvKz2Czkvka3dbG7VjBcEAPuAbU1pTqC+f6JJJchU60=";
   };
 
   # Python 2.x is not supported.
diff --git a/pkgs/development/python-modules/hypothesis/default.nix b/pkgs/development/python-modules/hypothesis/default.nix
index b3f93e03f2830..bfa2ca0dc87e8 100644
--- a/pkgs/development/python-modules/hypothesis/default.nix
+++ b/pkgs/development/python-modules/hypothesis/default.nix
@@ -1,5 +1,6 @@
 { lib
 , buildPythonPackage
+, isPyPy
 , fetchFromGitHub
 , attrs
 , exceptiongroup
@@ -13,6 +14,7 @@
 , sphinx-rtd-theme
 , sphinx-hoverxref
 , sphinx-codeautolink
+, tzdata
 # Used to break internal dependency loop.
 , enableDocumentation ? true
 }:
@@ -65,6 +67,8 @@ buildPythonPackage rec {
     pexpect
     pytest-xdist
     pytestCheckHook
+  ] ++ lib.optionals (isPyPy) [
+    tzdata
   ];
 
   inherit doCheck;
diff --git a/pkgs/development/python-modules/kaldi-active-grammar/fork.nix b/pkgs/development/python-modules/kaldi-active-grammar/fork.nix
index 7b5b30b5ec7ef..7748e34df6f2d 100644
--- a/pkgs/development/python-modules/kaldi-active-grammar/fork.nix
+++ b/pkgs/development/python-modules/kaldi-active-grammar/fork.nix
@@ -9,7 +9,7 @@
 , python3
 , openblas
 , zlib
-, gfortran-tmp-noisystem
+, gfortran
 }:
 
 let
@@ -56,7 +56,7 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [
     pkg-config
     python3
-    gfortran-tmp-noisystem
+    gfortran
   ];
 
   buildFlags = [
diff --git a/pkgs/development/python-modules/matplotlib/default.nix b/pkgs/development/python-modules/matplotlib/default.nix
index b029b4cd26541..1fd70739b4c80 100644
--- a/pkgs/development/python-modules/matplotlib/default.nix
+++ b/pkgs/development/python-modules/matplotlib/default.nix
@@ -135,7 +135,6 @@ buildPythonPackage rec {
     libX11
     tcl
     tk
-    tkinter
   ] ++ lib.optionals stdenv.isDarwin [
     Cocoa
   ];
@@ -167,6 +166,8 @@ buildPythonPackage rec {
     tornado
   ] ++ lib.optionals enableNbagg [
     ipykernel
+  ] ++ lib.optionals enableTk [
+    tkinter
   ];
 
   passthru.config = {
diff --git a/pkgs/development/python-modules/nose/default.nix b/pkgs/development/python-modules/nose/default.nix
index c4a52a0e114b2..bb6f6decc1a58 100644
--- a/pkgs/development/python-modules/nose/default.nix
+++ b/pkgs/development/python-modules/nose/default.nix
@@ -26,7 +26,7 @@ buildPythonPackage rec {
       --replace "from setuptools.command.build_py import Mixin2to3" "from distutils.util import Mixin2to3"
   '';
 
-  preBuild = lib.optionalString (isPy3k && (!isPyPy)) ''
+  preBuild = lib.optionalString (isPy3k) ''
     ${python.pythonForBuild}/bin/2to3 -wn nose functional_tests unit_tests
   '';
 
@@ -41,6 +41,7 @@ buildPythonPackage rec {
   '';
 
   meta = with lib; {
+    broken = isPyPy; # missing 2to3 conversion utility
     description = "A unittest-based testing framework for python that makes writing and running tests easier";
     homepage = "https://nose.readthedocs.io/";
     license = licenses.lgpl3;
diff --git a/pkgs/development/python-modules/passlib/default.nix b/pkgs/development/python-modules/passlib/default.nix
index c2a7f15402cb5..cf264c504353a 100644
--- a/pkgs/development/python-modules/passlib/default.nix
+++ b/pkgs/development/python-modules/passlib/default.nix
@@ -6,6 +6,7 @@
 , cryptography
 , pytestCheckHook
 , pythonOlder
+, pytest-xdist
 }:
 
 buildPythonPackage rec {
@@ -28,6 +29,7 @@ buildPythonPackage rec {
 
   nativeCheckInputs = [
     pytestCheckHook
+    pytest-xdist
   ] ++ passthru.optional-dependencies.argon2
   ++ passthru.optional-dependencies.bcrypt
   ++ passthru.optional-dependencies.totp;
diff --git a/pkgs/development/python-modules/protobuf/default.nix b/pkgs/development/python-modules/protobuf/default.nix
index 8df8bb7c4a7d1..68177357ca6da 100644
--- a/pkgs/development/python-modules/protobuf/default.nix
+++ b/pkgs/development/python-modules/protobuf/default.nix
@@ -41,6 +41,8 @@ buildPythonPackage {
     fi
   '';
 
+  outputs = [ "out" "dev" ];
+
   buildInputs = [ protobuf ];
 
   propagatedNativeBuildInputs = [
diff --git a/pkgs/development/python-modules/pybind11/default.nix b/pkgs/development/python-modules/pybind11/default.nix
index 9727c4f2ada8d..ef112d3bb617e 100644
--- a/pkgs/development/python-modules/pybind11/default.nix
+++ b/pkgs/development/python-modules/pybind11/default.nix
@@ -11,9 +11,18 @@
 , numpy
 , pytestCheckHook
 , libxcrypt
-}:
-
-buildPythonPackage rec {
+, makeSetupHook
+}: let
+  setupHook = makeSetupHook {
+    name = "pybind11-setup-hook";
+    substitutions = {
+      out = placeholder "out";
+      pythonInterpreter = python.pythonForBuild.interpreter;
+      pythonIncludeDir = "${python}/include/python${python.pythonVersion}";
+      pythonSitePackages = "${python}/${python.sitePackages}";
+    };
+  } ./setup-hook.sh;
+in buildPythonPackage rec {
   pname = "pybind11";
   version = "2.10.4";
 
@@ -30,6 +39,7 @@ buildPythonPackage rec {
 
   nativeBuildInputs = [ cmake ];
   buildInputs = lib.optionals (pythonOlder "3.9") [ libxcrypt ];
+  propagatedBuildInputs = [ setupHook ];
 
   dontUseCmakeBuildDir = true;
 
@@ -43,7 +53,6 @@ buildPythonPackage rec {
   cmakeFlags = [
     "-DBoost_INCLUDE_DIR=${lib.getDev boost}/include"
     "-DEIGEN3_INCLUDE_DIR=${lib.getDev eigen}/include/eigen3"
-    "-DPYTHON_EXECUTABLE:FILEPATH=${python.pythonForBuild.interpreter}"
   ] ++ lib.optionals (python.isPy3k && !stdenv.cc.isClang) [
     "-DPYBIND11_CXX_STANDARD=-std=c++17"
   ];
diff --git a/pkgs/development/python-modules/pybind11/setup-hook.sh b/pkgs/development/python-modules/pybind11/setup-hook.sh
new file mode 100644
index 0000000000000..a86eed36f1ec7
--- /dev/null
+++ b/pkgs/development/python-modules/pybind11/setup-hook.sh
@@ -0,0 +1,12 @@
+# Tell the pybind11 CMake module where to find host platform Python. This is
+# required when cross-compiling.
+pybind11CMakeFlags () {
+  cmakeFlagsArray+=(
+    '-DPYBIND11_PYTHONLIBS_OVERWRITE=OFF'
+    '-DPYTHON_EXECUTABLE=@pythonInterpreter@'
+    '-DPYTHON_INCLUDE_DIR=@pythonIncludeDir@'
+    '-DPYTHON_SITE_PACKAGES=@pythonSitePackages@'
+  )
+}
+
+preConfigureHooks+=(pybind11CMakeFlags)
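Review bot: `pybind11/default.nix` passes an `out = placeholder "out";` substitution to this hook, but the script contains no `@out@`, so that substitution is unused and could be dropped. The header comment explains the interpreter and include paths but not why `-DPYBIND11_PYTHONLIBS_OVERWRITE=OFF` is set. A short line would help, e.g. `# keep pybind11's CMake module from replacing the PYTHON_* values set below`, assuming that is the intent. The hook is propagated, so every dependent with a CMake configure phase receives these flags; a sentence saying so in the comment would make the scope clear.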
diff --git a/pkgs/development/python-modules/pyopenssl/default.nix b/pkgs/development/python-modules/pyopenssl/default.nix
index ec6acefeb49de..df5416ad993c9 100644
--- a/pkgs/development/python-modules/pyopenssl/default.nix
+++ b/pkgs/development/python-modules/pyopenssl/default.nix
@@ -13,13 +13,13 @@
 
 buildPythonPackage rec {
   pname = "pyopenssl";
-  version = "23.0.0";
+  version = "23.1.1";
   format = "setuptools";
 
   src = fetchPypi {
     pname = "pyOpenSSL";
     inherit version;
-    hash = "sha256-wcxfhrys78hNrafTEXXK4bFRjV9g09C7WVpngiqGim8=";
+    hash = "sha256-hBSYub7GFiOxtsR+u8AjZ8B9YODhlfGXkIF/EMyNsLc=";
   };
 
   outputs = [
diff --git a/pkgs/development/python-modules/pyquery/default.nix b/pkgs/development/python-modules/pyquery/default.nix
index 0e1203b901b02..4e3b1442ee317 100644
--- a/pkgs/development/python-modules/pyquery/default.nix
+++ b/pkgs/development/python-modules/pyquery/default.nix
@@ -22,6 +22,12 @@ buildPythonPackage rec {
     hash = "sha256-lj6NTpAmL/bY3sBy6pcoXcN0ovacrXd29AgqvPah2K4=";
   };
 
+  # https://github.com/gawel/pyquery/issues/248
+  postPatch = ''
+    substituteInPlace tests/test_pyquery.py \
+      --replace test_selector_html skip_test_selector_html
+  '';
+
   propagatedBuildInputs = [
     cssselect
     lxml
diff --git a/pkgs/development/python-modules/scikit-learn/default.nix b/pkgs/development/python-modules/scikit-learn/default.nix
index 4a365b86dadb0..bd2a9be69b67f 100644
--- a/pkgs/development/python-modules/scikit-learn/default.nix
+++ b/pkgs/development/python-modules/scikit-learn/default.nix
@@ -55,9 +55,6 @@ buildPythonPackage rec {
     export SKLEARN_BUILD_PARALLEL=$NIX_BUILD_CORES
   '';
 
-  # TODO: a proper fix?  See around PR #225220
-  NIX_LDFLAGS = if stdenv.cc.isGNU then "-L${stdenv.cc.cc.lib}/lib" else null;
-
   doCheck = !stdenv.isAarch64;
 
   disabledTests = [
diff --git a/pkgs/development/python-modules/sqlalchemy/default.nix b/pkgs/development/python-modules/sqlalchemy/default.nix
index 85bfccf8e0eb6..691b67df1696b 100644
--- a/pkgs/development/python-modules/sqlalchemy/default.nix
+++ b/pkgs/development/python-modules/sqlalchemy/default.nix
@@ -1,8 +1,8 @@
-{ stdenv
-, lib
+{ lib
 , isPyPy
 , pythonOlder
 , fetchPypi
+, fetchFromGitHub
 , buildPythonPackage
 
 # build
@@ -14,6 +14,7 @@
 , typing-extensions
 
 # optionals
+, aiomysql
 , aiosqlite
 , asyncmy
 , asyncpg
@@ -40,14 +41,16 @@
 
 buildPythonPackage rec {
   pname = "SQLAlchemy";
-  version = "2.0.6";
+  version = "2.0.9";
   format = "pyproject";
 
   disabled = pythonOlder "3.7";
 
-  src = fetchPypi {
-    inherit pname version;
-    hash = "sha256-w0PwtUZJX116I5xwv1CpmkjXMhwWW4Kvr6hIO56+v24=";
+  src = fetchFromGitHub {
+    owner = "sqlalchemy";
+    repo = "sqlalchemy";
+    rev = "refs/tags/rel_${lib.replaceStrings [ "." ] [ "_" ] version}";
+    hash = "sha256-0WlRZ7Kv6owtZB+PDFKk+8dxEL4p3QQrRPq8eQd2PqM=";
   };
 
   nativeBuildInputs =[
@@ -61,7 +64,7 @@ buildPythonPackage rec {
     typing-extensions
   ];
 
-  passthru.optional-dependencies = rec {
+  passthru.optional-dependencies = lib.fix (self: {
     asyncio = [
       greenlet
     ];
@@ -100,7 +103,7 @@ buildPythonPackage rec {
     ];
     postgresql_asyncpg = [
       asyncpg
-    ] ++ asyncio;
+    ] ++ self.asyncio;
     postgresql_psycopg2binary = [
       psycopg2
     ];
@@ -115,18 +118,18 @@ buildPythonPackage rec {
     ];
     aiomysql = [
       aiomysql
-    ] ++ asyncio;
+    ] ++ self.asyncio;
     asyncmy = [
       asyncmy
-    ] ++ asyncio;
+    ] ++ self.asyncio;
     aiosqlite = [
       aiosqlite
       typing-extensions
-    ] ++ asyncio;
+    ] ++ self.asyncio;
     sqlcipher = [
       # TODO: sqlcipher3
     ];
-  };
+  });
 
   nativeCheckInputs = [
     pytest-xdist
diff --git a/pkgs/development/python-modules/virtualenv/default.nix b/pkgs/development/python-modules/virtualenv/default.nix
index 30e3fc43d63f8..28100b8c55e7a 100644
--- a/pkgs/development/python-modules/virtualenv/default.nix
+++ b/pkgs/development/python-modules/virtualenv/default.nix
@@ -1,8 +1,8 @@
 { lib
-, stdenv
 , buildPythonPackage
 , pythonOlder
 , isPy27
+, isPyPy
 , cython
 , distlib
 , fetchPypi
@@ -12,7 +12,6 @@
 , hatchling
 , importlib-metadata
 , importlib-resources
-, pathlib2
 , platformdirs
 , pytest-freezegun
 , pytest-mock
@@ -76,6 +75,13 @@ buildPythonPackage rec {
     "test_seed_link_via_app_data"
     # Permission Error
     "test_bad_exe_py_info_no_raise"
+  ] ++ lib.optionals (isPyPy) [
+    # encoding problems
+    "test_bash"
+    # permission error
+    "test_can_build_c_extensions"
+    # fails to detect pypy version
+    "test_discover_ok"
   ];
 
   pythonImportsCheck = [
diff --git a/pkgs/development/python-modules/wheezy-template/default.nix b/pkgs/development/python-modules/wheezy-template/default.nix
new file mode 100644
index 0000000000000..ef70345c1a180
--- /dev/null
+++ b/pkgs/development/python-modules/wheezy-template/default.nix
@@ -0,0 +1,23 @@
+{ lib
+, buildPythonPackage
+, fetchPypi
+}:
+
+buildPythonPackage rec {
+  pname = "wheezy.template";
+  version = "3.1.0";
+
+  src = fetchPypi {
+    inherit pname version;
+    hash = "sha256-4RAHysczaNzhKZjjS2bEdgFrtGFHH/weTVboQALslg8=";
+  };
+
+  pythonImportsCheck = [ "wheezy.template" ];
+
+  meta = with lib; {
+    homepage = "https://wheezytemplate.readthedocs.io/en/latest/";
+    description = "A lightweight template library";
+    license = licenses.mit;
+    maintainers = with maintainers; [ lilyinstarlight ];
+  };
+}
diff --git a/pkgs/development/python-modules/yapf/default.nix b/pkgs/development/python-modules/yapf/default.nix
index 80b84b73ff979..f5cba78a20268 100644
--- a/pkgs/development/python-modules/yapf/default.nix
+++ b/pkgs/development/python-modules/yapf/default.nix
@@ -1,6 +1,7 @@
 { lib
 , buildPythonPackage
 , fetchPypi
+, isPyPy
 , nose
 }:
 
@@ -13,6 +14,9 @@ buildPythonPackage rec {
     hash = "sha256-o/UIXTfvfj4ATEup+bPkDFT/GQHNER8FFFrjE6fGfRs=";
   };
 
+  # nose is unavailable on pypy
+  doCheck = !isPyPy;
+
   nativeCheckInputs = [
     nose
   ];
diff --git a/pkgs/development/ruby-modules/bundler/default.nix b/pkgs/development/ruby-modules/bundler/default.nix
index 5a64808f5f16a..4e807716a776e 100644
--- a/pkgs/development/ruby-modules/bundler/default.nix
+++ b/pkgs/development/ruby-modules/bundler/default.nix
@@ -4,8 +4,8 @@ buildRubyGem rec {
   inherit ruby;
   name = "${gemName}-${version}";
   gemName = "bundler";
-  version = "2.4.10";
-  source.sha256 = "sha256-uYBvqUQGOmqGdqj57Ux8d2o2w7yC8mxXYIZ6AoW0oSE=";
+  version = "2.4.12";
+  source.sha256 = "sha256-y1VM1Pi/Rx0XeTff5vUv7mCtcLtKr3ENcnD6SiTezk0=";
   dontPatchShebangs = true;
 
   postFixup = ''
diff --git a/pkgs/development/tools/gnulib/default.nix b/pkgs/development/tools/gnulib/default.nix
index afc91cb603092..a55589c5a634d 100644
--- a/pkgs/development/tools/gnulib/default.nix
+++ b/pkgs/development/tools/gnulib/default.nix
@@ -26,6 +26,17 @@ stdenv.mkDerivation {
   # do not change headers to not update all vendored build files
   dontFixup = true;
 
+  passthru = {
+    # This patch is used by multiple other packages (currently:
+    # gnused, gettext) which contain vendored copies of gnulib.
+    # Without it, compilation will fail with error messages about
+    # "__LDBL_REDIR1_DECL" or similar on platforms with longdouble
+    # redirects (currently powerpc64).  Once all of those other
+    # packages make a release with a newer gnulib we can drop this
+    # patch.
+    longdouble-redirect-patch = ./gnulib-longdouble-redirect.patch;
+  };
+
   meta = with lib; {
     description = "Central location for code to be shared among GNU packages";
     homepage = "https://www.gnu.org/software/gnulib/";
diff --git a/pkgs/development/tools/gnulib/gnulib-longdouble-redirect.patch b/pkgs/development/tools/gnulib/gnulib-longdouble-redirect.patch
new file mode 100644
index 0000000000000..f684292dc8bd3
--- /dev/null
+++ b/pkgs/development/tools/gnulib/gnulib-longdouble-redirect.patch
@@ -0,0 +1,72 @@
+
+Below is the subset of gnulib commit
+776af40e09b476a41073131a90022572f448c189 which deals with long double
+redirects.  The rest of that commit has been removed.
+
+diff --git a/lib/cdefs.h b/lib/cdefs.h
+index fd72b7b..4383e70 100644
+--- a/lib/cdefs.h
++++ b/lib/cdefs.h
+@@ -483,7 +493,37 @@
+ # include <bits/long-double.h>
+ #endif
+ 
+-#if defined __LONG_DOUBLE_MATH_OPTIONAL && defined __NO_LONG_DOUBLE_MATH
++#if __LDOUBLE_REDIRECTS_TO_FLOAT128_ABI == 1
++# ifdef __REDIRECT
++
++/* Alias name defined automatically.  */
++#  define __LDBL_REDIR(name, proto) ... unused__ldbl_redir
++#  define __LDBL_REDIR_DECL(name) \
++  extern __typeof (name) name __asm (__ASMNAME ("__" #name "ieee128"));
++
++/* Alias name defined automatically, with leading underscores.  */
++#  define __LDBL_REDIR2_DECL(name) \
++  extern __typeof (__##name) __##name \
++    __asm (__ASMNAME ("__" #name "ieee128"));
++
++/* Alias name defined manually.  */
++#  define __LDBL_REDIR1(name, proto, alias) ... unused__ldbl_redir1
++#  define __LDBL_REDIR1_DECL(name, alias) \
++  extern __typeof (name) name __asm (__ASMNAME (#alias));
++
++#  define __LDBL_REDIR1_NTH(name, proto, alias) \
++  __REDIRECT_NTH (name, proto, alias)
++#  define __REDIRECT_NTH_LDBL(name, proto, alias) \
++  __LDBL_REDIR1_NTH (name, proto, __##alias##ieee128)
++
++/* Unused.  */
++#  define __REDIRECT_LDBL(name, proto, alias) ... unused__redirect_ldbl
++#  define __LDBL_REDIR_NTH(name, proto) ... unused__ldbl_redir_nth
++
++# else
++_Static_assert (0, "IEEE 128-bits long double requires redirection on this platform");
++# endif
++#elif defined __LONG_DOUBLE_MATH_OPTIONAL && defined __NO_LONG_DOUBLE_MATH
+ # define __LDBL_COMPAT 1
+ # ifdef __REDIRECT
+ #  define __LDBL_REDIR1(name, proto, alias) __REDIRECT (name, proto, alias)
+@@ -492,6 +532,8 @@
+ #  define __LDBL_REDIR1_NTH(name, proto, alias) __REDIRECT_NTH (name, proto, alias)
+ #  define __LDBL_REDIR_NTH(name, proto) \
+   __LDBL_REDIR1_NTH (name, proto, __nldbl_##name)
++#  define __LDBL_REDIR2_DECL(name) \
++  extern __typeof (__##name) __##name __asm (__ASMNAME ("__nldbl___" #name));
+ #  define __LDBL_REDIR1_DECL(name, alias) \
+   extern __typeof (name) name __asm (__ASMNAME (#alias));
+ #  define __LDBL_REDIR_DECL(name) \
+@@ -502,11 +544,13 @@
+   __LDBL_REDIR1_NTH (name, proto, __nldbl_##alias)
+ # endif
+ #endif
+-#if !defined __LDBL_COMPAT || !defined __REDIRECT
++#if (!defined __LDBL_COMPAT && __LDOUBLE_REDIRECTS_TO_FLOAT128_ABI == 0) \
++    || !defined __REDIRECT
+ # define __LDBL_REDIR1(name, proto, alias) name proto
+ # define __LDBL_REDIR(name, proto) name proto
+ # define __LDBL_REDIR1_NTH(name, proto, alias) name proto __THROW
+ # define __LDBL_REDIR_NTH(name, proto) name proto __THROW
++# define __LDBL_REDIR2_DECL(name)
+ # define __LDBL_REDIR_DECL(name)
+ # ifdef __REDIRECT
+ #  define __REDIRECT_LDBL(name, proto, alias) __REDIRECT (name, proto, alias)
diff --git a/pkgs/development/tools/hotdoc/default.nix b/pkgs/development/tools/hotdoc/default.nix
new file mode 100644
index 0000000000000..50e2e43a67b36
--- /dev/null
+++ b/pkgs/development/tools/hotdoc/default.nix
@@ -0,0 +1,116 @@
+{ lib
+, stdenv
+, buildPythonApplication
+, fetchPypi
+, pytestCheckHook
+, pkg-config
+, cmake
+, flex
+, glib
+, json-glib
+, libxml2
+, appdirs
+, dbus-deviation
+, faust-cchardet
+, feedgen
+, lxml
+, networkx
+, pkgconfig
+, pyyaml
+, schema
+, setuptools
+, toposort
+, wheezy-template
+, libclang
+, gst_all_1
+}:
+
+buildPythonApplication rec {
+  pname = "hotdoc";
+  version = "0.13.7";
+
+  src = fetchPypi {
+    inherit pname version;
+    hash = "sha256-ESOmWeLJSXLDKBPsMBGR0zPbJHEqg/fj0G3VjUfPAJg=";
+  };
+
+  nativeBuildInputs = [
+    pkg-config
+    cmake
+    flex
+  ];
+
+  buildInputs = [
+    glib
+    json-glib
+    libxml2.dev
+  ];
+
+  propagatedBuildInputs = [
+    appdirs
+    dbus-deviation
+    faust-cchardet
+    feedgen
+    lxml
+    networkx
+    pkgconfig
+    pyyaml
+    schema
+    setuptools  # for pkg_resources
+    toposort
+    wheezy-template
+  ];
+
+  nativeCheckInputs = [
+    pytestCheckHook
+  ];
+
+  # CMake is used to build CMARK, but the build system is still python
+  dontUseCmakeConfigure = true;
+
+  # Ensure C+GI+GST extensions are built and can be imported
+  pythonImportsCheck = [
+    "hotdoc.extensions.c.c_extension"
+    "hotdoc.extensions.gi.gi_extension"
+    "hotdoc.extensions.gst.gst_extension"
+  ];
+
+  # Run the tests by package instead of current dir
+  pytestFlagsArray = [ "--pyargs" "hotdoc" ];
+
+  disabledTests = [
+    # Test does not correctly handle path normalization for test comparison
+    "test_cli_overrides"
+  ] ++ lib.optionals stdenv.isDarwin [
+    # Test does not correctly handle absolute /home paths on Darwin (even fake ones)
+    "test_index"
+  ];
+
+  # Hardcode libclang paths
+  postPatch = ''
+    substituteInPlace hotdoc/extensions/c/c_extension.py \
+      --replace "shutil.which('llvm-config')" 'True' \
+      --replace "subprocess.check_output(['llvm-config', '--version']).strip().decode()" '"${libclang.version}"' \
+      --replace "subprocess.check_output(['llvm-config', '--prefix']).strip().decode()" '"${libclang.lib}"' \
+      --replace "subprocess.check_output(['llvm-config', '--libdir']).strip().decode()" '"${libclang.lib}/lib"'
+  '';
+
+  # Make pytest run from a temp dir to have it pick up installed package for cmark
+  preCheck = ''
+    pushd $TMPDIR
+  '';
+  postCheck = ''
+    popd
+  '';
+
+  passthru.tests = {
+    inherit (gst_all_1) gstreamer gst-plugins-base;
+  };
+
+  meta = with lib; {
+    description = "The tastiest API documentation system";
+    homepage = "https://hotdoc.github.io/";
+    license = [ licenses.lgpl21Plus ];
+    maintainers = with maintainers; [ lilyinstarlight ];
+  };
+}
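Review bot: The four `--replace` substitutions in `postPatch` are not verified, so if upstream rewords any of the `llvm-config` calls in `c_extension.py` the pinning is lost without a build failure. hotdoc would then presumably resolve `llvm-config` from `PATH` at run time instead of using `${libclang.lib}`. A guard as the last line of `postPatch` would make that visible: `if grep -q "llvm-config" hotdoc/extensions/c/c_extension.py; then echo "llvm-config still referenced"; exit 1; fi` (this assumes the file has no other mention of the tool; narrow the pattern if it does). Separately, `license = [ licenses.lgpl21Plus ];` wraps a single licence in a list where `license = licenses.lgpl21Plus;` is the usual form.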
diff --git a/pkgs/development/tools/misc/elfutils/default.nix b/pkgs/development/tools/misc/elfutils/default.nix
index 1f4a40b4460d7..83a30f3e6f17f 100644
--- a/pkgs/development/tools/misc/elfutils/default.nix
+++ b/pkgs/development/tools/misc/elfutils/default.nix
@@ -1,7 +1,7 @@
 { lib, stdenv, fetchurl, fetchpatch, pkg-config, musl-fts
 , musl-obstack, m4, zlib, zstd, bzip2, bison, flex, gettext, xz, setupDebugInfoDirs
 , argp-standalone
-, enableDebuginfod ? false, sqlite, curl, libmicrohttpd, libarchive
+, enableDebuginfod ? true, sqlite, curl, libmicrohttpd, libarchive
 , gitUpdater
 }:
 
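Review bot: The `enableDebuginfod` default flips to `true` here, and again in the gdb hunk that follows, with no comment on what that changes for users. Default builds now include the debuginfod client, which can fetch debug files over the network, and presumably pull `sqlite`, `curl`, `libmicrohttpd` and `libarchive` into the build. A comment above the argument would record the intent, e.g. `# debuginfod support; client lookups are only attempted when DEBUGINFOD_URLS is set` (as far as I know that is how the client behaves; confirm before committing the wording). The bcc hunk later in this commit switches the feature off for that package, so the comment could also say which consumers are expected to opt out.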
diff --git a/pkgs/development/tools/misc/gdb/default.nix b/pkgs/development/tools/misc/gdb/default.nix
index 1c4d6506b72ee..a805da0cf94bb 100644
--- a/pkgs/development/tools/misc/gdb/default.nix
+++ b/pkgs/development/tools/misc/gdb/default.nix
@@ -7,7 +7,7 @@
 , ncurses, readline, gmp, mpfr, expat, libipt, zlib, zstd, dejagnu, sourceHighlight
 
 , pythonSupport ? stdenv.hostPlatform == stdenv.buildPlatform && !stdenv.hostPlatform.isCygwin, python3 ? null
-, enableDebuginfod ? false, elfutils
+, enableDebuginfod ? true, elfutils
 , guile ? null
 , hostCpuOnly ? false
 , safePaths ? [
diff --git a/pkgs/development/tools/misc/texinfo/7.0.nix b/pkgs/development/tools/misc/texinfo/7.0.nix
index b92b923ddcd1d..01788f40d78d6 100644
--- a/pkgs/development/tools/misc/texinfo/7.0.nix
+++ b/pkgs/development/tools/misc/texinfo/7.0.nix
@@ -1,4 +1,4 @@
 import ./common.nix {
-  version = "7.0.2";
-  sha256 = "sha256-8hHsMmE4PhqJ5FVak7nQF/6Ae5w5kvst/0hx2ubaVK0=";
+  version = "7.0.3";
+  sha256 = "sha256-dLQg0J1/Uo6E+XqjMPDdaamKYFPnpOAXZ+7RFQOIB78=";
 }
diff --git a/pkgs/development/tools/misc/texinfo/common.nix b/pkgs/development/tools/misc/texinfo/common.nix
index af0d26fe1f3ee..364f9b148d8c3 100644
--- a/pkgs/development/tools/misc/texinfo/common.nix
+++ b/pkgs/development/tools/misc/texinfo/common.nix
@@ -1,6 +1,7 @@
 { version, sha256, patches ? [] }:
 
 { lib, stdenv, buildPackages, fetchurl, perl, xz, libintl, bash
+, gnulib
 
 # we are a dependency of gcc, this simplifies bootstraping
 , interactive ? false, ncurses, procps
@@ -30,6 +31,12 @@ stdenv.mkDerivation {
 
   postPatch = ''
     patchShebangs tp/maintain
+  ''
+  # This patch is needed for IEEE-standard long doubles on
+  # powerpc64; it does not apply cleanly to texinfo 5.x or
+  # earlier.  It is merged upstream in texinfo 6.8.
+  + lib.optionalString (version == "6.7") ''
+    patch -p1 -d gnulib < ${gnulib.passthru.longdouble-redirect-patch}
   '';
 
   # ncurses is required to build `makedoc'
@@ -82,6 +89,8 @@ stdenv.mkDerivation {
     license = licenses.gpl3Plus;
     platforms = platforms.all;
     maintainers = with maintainers; [ vrthra oxij ];
+    # see comment above in patches section
+    broken = stdenv.hostPlatform.isPower64 && lib.strings.versionOlder version "6.0";
 
     longDescription = ''
       Texinfo is the official documentation format of the GNU project.
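Review bot: The `broken` condition added here and the `version == "6.7"` condition in the `postPatch` hunk leave a gap: on powerpc64, a texinfo version from 6.0 up to but not including 6.7 is neither patched nor marked broken. Whether common.nix is instantiated with such a version is not visible on this page. If it is and the patch does not apply there, the bound could be widened, e.g. `broken = stdenv.hostPlatform.isPower64 && lib.strings.versionOlder version "6.7";`. The comment `# see comment above in patches section` also points at a section that does not exist, since the explanation sits in `postPatch`; `# see the comment in postPatch above` would be accurate. The `meta` block continues outside the hunk.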
diff --git a/pkgs/development/web/nodejs/v18.nix b/pkgs/development/web/nodejs/v18.nix
index 988a4ea5263c3..bb3a2545ea5f4 100644
--- a/pkgs/development/web/nodejs/v18.nix
+++ b/pkgs/development/web/nodejs/v18.nix
@@ -9,8 +9,8 @@ let
 in
 buildNodejs {
   inherit enableNpm;
-  version = "18.15.0";
-  sha256 = "sha256-jkTWUBj/lzKEGVwjGGRpoOpAgul+xCAOX1cG1VhNqjc=";
+  version = "18.16.0";
+  sha256 = "sha256-M9gaIz4jWlCa3aSk8iCQCNBFkZed5rPw9nwckGCT8Rg=";
   patches = [
     ./disable-darwin-v8-system-instrumentation.patch
     ./bypass-darwin-xcrun-node16.patch
diff --git a/pkgs/misc/ghostscript/default.nix b/pkgs/misc/ghostscript/default.nix
index 922941c55e8d9..2588e7e9140a3 100644
--- a/pkgs/misc/ghostscript/default.nix
+++ b/pkgs/misc/ghostscript/default.nix
@@ -1,8 +1,39 @@
-{ config, stdenv, lib, fetchurl, pkg-config, zlib, expat, openssl, autoconf
-, libjpeg, libpng, libtiff, freetype, fontconfig, libpaper, jbig2dec
-, libiconv, ijs, lcms2, callPackage, bash, buildPackages, openjpeg
-, cupsSupport ? config.ghostscript.cups or (!stdenv.isDarwin), cups
-, x11Support ? cupsSupport, xorg # with CUPS, X11 only adds very little
+{ config
+, stdenv
+, lib
+, fetchurl
+, pkg-config
+, zlib
+, expat
+, openssl
+, autoconf
+, libjpeg
+, libpng
+, libtiff
+, freetype
+, fontconfig
+, libpaper
+, jbig2dec
+, libiconv
+, ijs
+, lcms2
+, callPackage
+, bash
+, buildPackages
+, openjpeg
+, cupsSupport ? config.ghostscript.cups or (!stdenv.isDarwin)
+, cups
+, x11Support ? cupsSupport
+, xorg # with CUPS, X11 only adds very little
+, dynamicDrivers ? true
+
+# for passthru.tests
+, graphicsmagick
+, imagemagick
+, libspectre
+, lilypond
+, pstoedit
+, python3
 }:
 
 let
@@ -30,11 +61,11 @@ let
 in
 stdenv.mkDerivation rec {
   pname = "ghostscript${lib.optionalString (x11Support) "-with-X"}";
-  version = "9.56.1";
+  version = "10.01.1";
 
   src = fetchurl {
-    url = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs9${lib.versions.minor version}${lib.versions.patch version}/ghostscript-${version}.tar.xz";
-    sha512 = "22ysgdprh960rxmxyk2fy2my47cdrhfhbrwar1955hvad54iw79l916drp92wh3qzbxw6z40i70wk00vz8bn2ryig7qgpc1q01m2npy";
+    url = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs${lib.replaceStrings ["."] [""] version}/ghostscript-${version}.tar.xz";
+    hash = "sha512-2US+norvaNEXbWTEDbb6htVdDJ4wBH8hR8AoBqthz+msLLANTlshj/PFHMbtR87/4brE3Z1MwXYLeXTzDGwnNQ==";
   };
 
   patches = [
@@ -77,11 +108,13 @@ stdenv.mkDerivation rec {
 
   configureFlags = [
     "--with-system-libtiff"
-    "--enable-dynamic"
     "--without-tesseract"
-  ]
-  ++ lib.optional x11Support "--with-x"
-  ++ lib.optionals cupsSupport [
+  ] ++ lib.optionals dynamicDrivers [
+    "--enable-dynamic"
+    "--disable-hidden-visibility"
+  ] ++ lib.optional x11Support [
+    "--with-x"
+  ] ++ lib.optionals cupsSupport [
     "--enable-cups"
   ];
 
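Review bot: `lib.optional x11Support [ "--with-x" ]` passes a list to `lib.optional`, which wraps its argument in a list, so with X11 enabled `configureFlags` gets a nested `[ "--with-x" ]` element instead of the string. It may still build because the flags end up coerced to a string, but anything that treats `configureFlags` as a flat list of strings (an override, `lib.concatStringsSep`) would trip over it. The neighbouring entries use `lib.optionals`, and this line should too: `] ++ lib.optionals x11Support [`. `--disable-hidden-visibility` is also new and has no comment saying why the dynamic-driver build needs it.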
@@ -133,7 +166,11 @@ stdenv.mkDerivation rec {
     runHook postInstallCheck
   '';
 
-  passthru.tests.test-corpus-render = callPackage ./test-corpus-render.nix {};
+  passthru.tests = {
+    test-corpus-render = callPackage ./test-corpus-render.nix {};
+    inherit graphicsmagick imagemagick libspectre lilypond pstoedit;
+    inherit (python3.pkgs) matplotlib;
+  };
 
   meta = {
     homepage = "https://www.ghostscript.com/";
diff --git a/pkgs/misc/ghostscript/test-corpus-render.nix b/pkgs/misc/ghostscript/test-corpus-render.nix
index 97a2a834232c1..26cad916e2091 100644
--- a/pkgs/misc/ghostscript/test-corpus-render.nix
+++ b/pkgs/misc/ghostscript/test-corpus-render.nix
@@ -5,12 +5,12 @@
 
 stdenv.mkDerivation {
   pname = "ghostscript-test-corpus-render";
-  version = "unstable-2020-02-19";
+  version = "unstable-2022-12-01";
 
   src = fetchgit {
     url = "git://git.ghostscript.com/tests.git";
-    rev = "efdd224340d9a407ed3ec22afa1cb127c8fee73c";
-    sha256 = "1v1iqz897zzrwa8ng22zcf3y61ab5798jdwidgv10w1r9mjrl7ax";
+    rev = "e81c3a1d7c679aab8230e9152165d8cffb687242";
+    hash = "sha256-h+UHpCHASYOhf4xG6gkVJK9TEG85kE3jNx5cD1I3LQg=";
   };
 
   dontConfigure = true;
diff --git a/pkgs/os-specific/linux/audit/default.nix b/pkgs/os-specific/linux/audit/default.nix
index bda8d8ab30c5b..34043ce083c61 100644
--- a/pkgs/os-specific/linux/audit/default.nix
+++ b/pkgs/os-specific/linux/audit/default.nix
@@ -12,11 +12,11 @@
 
 stdenv.mkDerivation rec {
   pname = "audit";
-  version = "2.8.5"; # at the next release, remove the patches below!
+  version = "3.1";
 
   src = fetchurl {
     url = "https://people.redhat.com/sgrubb/audit/audit-${version}.tar.gz";
-    sha256 = "1dzcwb2q78q7x41shcachn7f4aksxbxd470yk38zh03fch1l2p8f";
+    sha256 = "sha256-tc882rsnhsCLHeNZmjsaVH5V96n5wesgePW0TPROg3g=";
   };
 
   outputs = [ "bin" "dev" "out" "man" ];
@@ -37,40 +37,9 @@ stdenv.mkDerivation rec {
   ];
 
   enableParallelBuilding = true;
-
-  # TODO: Remove the musl patches when
-  #         https://github.com/linux-audit/audit-userspace/pull/25
-  #       is available with the next release.
   patches = [
-    ./patches/weak-symbols.patch
-    (fetchpatch {
-      # upstream build fix against -fno-common compilers like >=gcc-10
-      url = "https://github.com/linux-audit/audit-userspace/commit/017e6c6ab95df55f34e339d2139def83e5dada1f.patch";
-      sha256 = "100xa1rzkv0mvhjbfgpfm72f7c4p68syflvgc3xm6pxgrqqmfq8h";
-    })
+    ./fix-static.patch
 
-    (
-      let patch = fetchpatch {
-            url = "https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e.patch";
-            name = "Add-substitue-functions-for-strndupa-rawmemchr.patch";
-            sha256 = "015bvzflg1s1k5viap30nznlpjj44a66khyc8yq0waa68qwvdlsd";
-          };
-      in
-        runCommand "Add-substitue-functions-for-strndupa-rawmemchr.patch-fix-copyright-merge-conflict" {} ''
-          cp ${patch} $out
-          substituteInPlace $out --replace \
-              '-* Copyright (c) 2007-09,2011-16,2018 Red Hat Inc., Durham, North Carolina.' \
-              '-* Copyright (c) 2007-09,2011-16 Red Hat Inc., Durham, North Carolina.'
-        ''
-    )
-
-    # upstream fix for linux-headers-5.15 which removed ipx.h
-    (fetchpatch {
-      name = "no-ipx.patch";
-      url = "https://github.com/linux-audit/audit-userspace/commit/6b09724c69d91668418ddb3af00da6db6755208c.patch";
-      sha256 = "0qjq41ridyamajz9v9nyplgq7f8nn3fxw375s9sa5a0igsrx9pm0";
-      excludes = [ "ChangeLog" ];
-    })
     # Fix pending upstream inclusion for linux-headers-5.17 support:
     #  https://github.com/linux-audit/audit-userspace/pull/253
     (fetchpatch {
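Review bot: `./fix-static.patch` is added to `patches` without a comment, although the entries it replaces were commented. A line such as `# fallback definition of __attribute_malloc__ for libcs whose headers lack it` (which is what the patch file in this commit adds) would tell whoever bumps the version next when it can be dropped. The removed `runCommand` wrapper was the only use of `runCommand` visible on this page, so the function argument is probably dead now; the argument list is outside the hunk, so confirm before removing it. The blank line left after `./fix-static.patch` can go as well. The `patches` list continues past the end of the hunk.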
@@ -85,13 +54,6 @@ stdenv.mkDerivation rec {
     substituteInPlace bindings/swig/src/auditswig.i \
       --replace "/usr/include/linux/audit.h" \
                 "${linuxHeaders}/include/linux/audit.h"
-  ''
-  # According to https://stackoverflow.com/questions/13089166
-  # --whole-archive linker flag is required to be sure that linker
-  # correctly chooses strong version of symbol regardless of order of
-  # object files at command line.
-  + lib.optionalString stdenv.hostPlatform.isStatic ''
-    export LDFLAGS=-Wl,--whole-archive
   '';
   meta = {
     description = "Audit Library";
diff --git a/pkgs/os-specific/linux/audit/fix-static.patch b/pkgs/os-specific/linux/audit/fix-static.patch
new file mode 100644
index 0000000000000..ce76fc3b87a55
--- /dev/null
+++ b/pkgs/os-specific/linux/audit/fix-static.patch
@@ -0,0 +1,12 @@
+--- a/auparse/auparse.h
++++ b/auparse/auparse.h
+@@ -32,6 +32,9 @@
+ # define __attr_dealloc(dealloc, argno)
+ # define __attr_dealloc_free
+ #endif
++#ifndef __attribute_malloc__
++# define __attribute_malloc__ __attribute__ ((__malloc__))
++#endif
+ 
+ #ifdef __cplusplus
+ extern "C" {
\ No newline at end of file
diff --git a/pkgs/os-specific/linux/audit/patches/weak-symbols.patch b/pkgs/os-specific/linux/audit/patches/weak-symbols.patch
deleted file mode 100644
index 301ea9a5476ce..0000000000000
--- a/pkgs/os-specific/linux/audit/patches/weak-symbols.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-Executables in src/ directory are built from source files in src/
-and are linked to libauparse, with both src/auditd-config.c and
-auparse/auditd-config.c defining "free_config" function.
-
-It is known (although obscure) behaviour of shared libraries that
-symbol defined in binary itself overrides symbol in shared library;
-with static linkage it expectedly results in multiple definition
-error.
-
-This set of fixes explicitly marks libauparse versions of
-conflicting functions as weak to have behaviour coherent with
-dynamic linkage version -- definitions in src/ overriding definition
-in auparse/.
-
-Still, this architecture is very strange and confusing.
-
-diff -r -U5 audit-2.8.5-orig/auparse/auditd-config.c audit-2.8.5/auparse/auditd-config.c
---- audit-2.8.5-orig/auparse/auditd-config.c	2019-03-01 20:19:13.000000000 +0000
-+++ audit-2.8.5/auparse/auditd-config.c	2021-01-13 11:36:12.716226498 +0000
-@@ -68,10 +68,11 @@
- };
- 
- /*
-  * Set everything to its default value
- */
-+#pragma weak clear_config
- void clear_config(struct daemon_conf *config)
- {
- 	config->local_events = 1;
- 	config->qos = QOS_NON_BLOCKING;
- 	config->sender_uid = 0;
-@@ -322,10 +323,11 @@
- 	if (config->log_file == NULL)
- 		return 1;
- 	return 0;
- }
- 
-+#pragma weak free_config
- void free_config(struct daemon_conf *config)
- {
- 	free((void*)config->log_file);
- }
- 
-diff -r -U5 audit-2.8.5-orig/auparse/interpret.c audit-2.8.5/auparse/interpret.c
---- audit-2.8.5-orig/auparse/interpret.c	2019-03-01 20:19:13.000000000 +0000
-+++ audit-2.8.5/auparse/interpret.c	2021-01-13 11:39:42.107217224 +0000
-@@ -545,10 +545,11 @@
- 	else
- 		snprintf(buf, size, "unknown(%d)", uid);
- 	return buf;
- }
- 
-+#pragma weak aulookup_destroy_uid_list
- void aulookup_destroy_uid_list(void)
- {
- 	if (uid_cache_created == 0)
- 		return;
- 
-@@ -2810,10 +2811,11 @@
- 
- /*
-  * This is the main entry point for the auparse library. Call chain is:
-  * auparse_interpret_field -> nvlist_interp_cur_val -> interpret
-  */
-+#pragma weak interpret
- const char *interpret(const rnode *r, auparse_esc_t escape_mode)
- {
- 	const nvlist *nv = &r->nv;
- 	int type;
- 	idata id;
-diff -r -U5 audit-2.8.5-orig/auparse/nvlist.c audit-2.8.5/auparse/nvlist.c
---- audit-2.8.5-orig/auparse/nvlist.c	2019-02-04 14:26:52.000000000 +0000
-+++ audit-2.8.5/auparse/nvlist.c	2021-01-13 11:37:37.190222757 +0000
-@@ -27,10 +27,11 @@
- #include "nvlist.h"
- #include "interpret.h"
- #include "auparse-idata.h"
- 
- 
-+#pragma weak nvlist_create
- void nvlist_create(nvlist *l)
- {
- 	l->head = NULL;
- 	l->cur = NULL;
- 	l->cnt = 0;
-@@ -47,17 +48,19 @@
- 	while (node->next)
- 		node = node->next;
- 	l->cur = node;
- }
- 
-+#pragma weak nvlist_next
- nvnode *nvlist_next(nvlist *l)
- {
- 	if (l->cur)
- 		l->cur = l->cur->next;
- 	return l->cur;
- }
- 
-+#pragma weak nvlist_append
- void nvlist_append(nvlist *l, nvnode *node)
- {
- 	nvnode* newnode = malloc(sizeof(nvnode));
- 
- 	newnode->name = node->name;
-@@ -141,10 +144,11 @@
- 	if (l->cur->interp_val)
- 		return l->cur->interp_val;
- 	return interpret(r, escape_mode);
- }
- 
-+#pragma weak nvlist_clear
- void nvlist_clear(nvlist* l)
- {
- 	nvnode* nextnode;
- 	register nvnode* current;
- 
-diff -r -U5 audit-2.8.5-orig/auparse/strsplit.c audit-2.8.5/auparse/strsplit.c
---- audit-2.8.5-orig/auparse/strsplit.c	2019-03-01 21:15:30.000000000 +0000
-+++ audit-2.8.5/auparse/strsplit.c	2021-01-13 11:38:04.306221556 +0000
-@@ -54,10 +54,11 @@
- 			return NULL;
- 		return s;
- 	}
- }
- 
-+#pragma weak audit_strsplit
- char *audit_strsplit(char *s)
- {
- 	static char *str = NULL;
- 	char *ptr;
- 
-diff -r -U5 audit-2.8.5-orig/lib/strsplit.c audit-2.8.5/lib/strsplit.c
---- audit-2.8.5-orig/lib/strsplit.c	2019-03-01 20:19:13.000000000 +0000
-+++ audit-2.8.5/lib/strsplit.c	2021-01-13 11:38:29.444220443 +0000
-@@ -23,10 +23,11 @@
- 
- #include <string.h>
- #include "libaudit.h"
- #include "private.h"
- 
-+#pragma weak audit_strsplit_r
- char *audit_strsplit_r(char *s, char **savedpp)
- {
- 	char *ptr;
- 
- 	if (s)
diff --git a/pkgs/os-specific/linux/bcc/default.nix b/pkgs/os-specific/linux/bcc/default.nix
index 772447ed0c96b..65aef69403835 100644
--- a/pkgs/os-specific/linux/bcc/default.nix
+++ b/pkgs/os-specific/linux/bcc/default.nix
@@ -40,6 +40,7 @@ python.pkgs.buildPythonApplication rec {
     "-DENABLE_USDT=ON"
     "-DENABLE_CPP_API=ON"
     "-DCMAKE_USE_LIBBPF_PACKAGE=ON"
+    "-DENABLE_LIBDEBUGINFOD=OFF"
   ];
 
   # to replace this executable path:
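Review bot: `-DENABLE_LIBDEBUGINFOD=OFF` is added without a comment saying why bcc opts out, while elfutils and gdb switch debuginfod on by default in the same commit. A short comment above the flag would keep it from being removed later as cruft, e.g. `# elfutils is now built with debuginfod; bcc is kept from linking it (TODO: state the reason)`. The flag list starts outside the hunk.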
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index bee04112ad602..e6eff416a7700 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -904,6 +904,7 @@ let
 
       REGULATOR  = yes; # Voltage and Current Regulator Support
       RC_DEVICES = option yes; # Enable IR devices
+      RC_DECODERS = option yes; # Required for IR devices to work
 
       RT2800USB_RT53XX = yes;
       RT2800USB_RT55XX = yes;
diff --git a/pkgs/os-specific/linux/pam_mount/default.nix b/pkgs/os-specific/linux/pam_mount/default.nix
index c49351f3249d3..1613e11e0280f 100644
--- a/pkgs/os-specific/linux/pam_mount/default.nix
+++ b/pkgs/os-specific/linux/pam_mount/default.nix
@@ -18,9 +18,22 @@ stdenv.mkDerivation rec {
       --replace @@NIX_UTILLINUX@@ ${util-linux}/bin
   '';
 
-  nativeBuildInputs = [ autoreconfHook libtool pkg-config ];
+  nativeBuildInputs = [
+    autoreconfHook
+    libtool
+    perl
+    pkg-config
+  ];
 
-  buildInputs = [ pam libHX util-linux libxml2 pcre2 perl openssl cryptsetup ];
+  buildInputs = [
+    cryptsetup
+    libHX
+    libxml2
+    openssl
+    pam
+    pcre2
+    util-linux
+  ];
 
   enableParallelBuilding = true;
 
diff --git a/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch b/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch
index 349194fda45a5..c0d38c60202c2 100644
--- a/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch
+++ b/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch
@@ -10,10 +10,10 @@ container, so checking early whether it exists will fail.
  1 file changed, 2 insertions(+)
 
 diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
-index 36d336dfc8..d62c5173ca 100644
+index a697ea5cb9..65d9e7e398 100644
 --- a/src/nspawn/nspawn.c
 +++ b/src/nspawn/nspawn.c
-@@ -5634,6 +5634,7 @@ static int run(int argc, char *argv[]) {
+@@ -5635,6 +5635,7 @@ static int run(int argc, char *argv[]) {
                                  goto finish;
                          }
                  } else {
@@ -21,7 +21,7 @@ index 36d336dfc8..d62c5173ca 100644
                          _cleanup_free_ char *p = NULL;
  
                          if (arg_pivot_root_new)
-@@ -5648,6 +5649,7 @@ static int run(int argc, char *argv[]) {
+@@ -5649,6 +5650,7 @@ static int run(int argc, char *argv[]) {
                                                      "Directory %s doesn't look like it has an OS tree (/usr/ directory is missing). Refusing.", arg_directory);
                                  goto finish;
                          }
diff --git a/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch b/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch
deleted file mode 100644
index c31b9122b9005..0000000000000
--- a/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Eelco Dolstra <eelco.dolstra@logicblox.com>
-Date: Thu, 1 May 2014 14:10:10 +0200
-Subject: [PATCH] Look for fsck in the right place
-
----
- src/fsck/fsck.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/fsck/fsck.c b/src/fsck/fsck.c
-index e25c5d5efa..26f4e5669e 100644
---- a/src/fsck/fsck.c
-+++ b/src/fsck/fsck.c
-@@ -351,6 +351,7 @@ static int run(int argc, char *argv[]) {
-         if (r == 0) {
-                 char dash_c[STRLEN("-C") + DECIMAL_STR_MAX(int) + 1];
-                 int progress_socket = -1;
-+                _cleanup_free_ char *fsck_name = NULL;
-                 const char *cmdline[9];
-                 int i = 0;
- 
-@@ -371,7 +372,10 @@ static int run(int argc, char *argv[]) {
-                 } else
-                         dash_c[0] = 0;
- 
--                cmdline[i++] = "/sbin/fsck";
-+                r = find_executable("fsck", &fsck_name);
-+                if (r < 0)
-+                        return r;
-+                cmdline[i++] = fsck_name;
-                 cmdline[i++] =  arg_repair;
-                 cmdline[i++] = "-T";
- 
diff --git a/pkgs/os-specific/linux/systemd/0004-fsck-look-for-fsck-binary-not-just-in-sbin.patch b/pkgs/os-specific/linux/systemd/0004-fsck-look-for-fsck-binary-not-just-in-sbin.patch
new file mode 100644
index 0000000000000..617cef50cc3c6
--- /dev/null
+++ b/pkgs/os-specific/linux/systemd/0004-fsck-look-for-fsck-binary-not-just-in-sbin.patch
@@ -0,0 +1,152 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Florian Klink <flokli@flokli.de>
+Date: Thu, 13 Apr 2023 22:54:54 +0200
+Subject: [PATCH] fsck: look for fsck binary not just in /sbin
+
+This removes remaining hardcoded occurences of `/sbin/fsck`, and instead
+uses `find_executable` to find `fsck`.
+
+We also use `fsck_exists_for_fstype` to check for the `fsck.*`
+executable, which also checks in `$PATH`, so it's fair to assume fsck
+itself is also available.
+---
+ man/systemd-fsck@.service.xml |  8 ++++----
+ src/fsck/fsck.c               |  9 ++++++++-
+ src/home/homework-luks.c      | 11 ++++++++++-
+ src/shared/dissect-image.c    | 13 +++++++++++--
+ 4 files changed, 33 insertions(+), 8 deletions(-)
+
+diff --git a/man/systemd-fsck@.service.xml b/man/systemd-fsck@.service.xml
+index e928aebdb3..403286829e 100644
+--- a/man/systemd-fsck@.service.xml
++++ b/man/systemd-fsck@.service.xml
+@@ -51,17 +51,17 @@
+     <para><filename>systemd-fsck</filename> does not know any details
+     about specific filesystems, and simply executes file system
+     checkers specific to each filesystem type
+-    (<filename>/sbin/fsck.<replaceable>type</replaceable></filename>). These checkers will decide if
++    (<filename>fsck.<replaceable>type</replaceable></filename>). These checkers will decide if
+     the filesystem should actually be checked based on the time since
+     last check, number of mounts, unclean unmount, etc.</para>
+ 
+     <para><filename>systemd-fsck-root.service</filename> and <filename>systemd-fsck-usr.service</filename>
+-    will activate <filename>reboot.target</filename> if <filename>/sbin/fsck</filename> returns the "System
+-    should reboot" condition, or <filename>emergency.target</filename> if <filename>/sbin/fsck</filename>
++    will activate <filename>reboot.target</filename> if <filename>fsck</filename> returns the "System
++    should reboot" condition, or <filename>emergency.target</filename> if <filename>fsck</filename>
+     returns the "Filesystem errors left uncorrected" condition.</para>
+ 
+     <para><filename>systemd-fsck@.service</filename> will fail if
+-    <filename>/sbin/fsck</filename> returns with either "System should reboot"
++    <filename>fsck</filename> returns with either "System should reboot"
+     or "Filesystem errors left uncorrected" conditions. For filesystems
+     listed in <filename>/etc/fstab</filename> without <literal>nofail</literal>
+     or <literal>noauto</literal> options, <literal>local-fs.target</literal>
+diff --git a/src/fsck/fsck.c b/src/fsck/fsck.c
+index e25c5d5efa..0e0e73c9ac 100644
+--- a/src/fsck/fsck.c
++++ b/src/fsck/fsck.c
+@@ -351,6 +351,7 @@ static int run(int argc, char *argv[]) {
+         if (r == 0) {
+                 char dash_c[STRLEN("-C") + DECIMAL_STR_MAX(int) + 1];
+                 int progress_socket = -1;
++                _cleanup_free_ char *fsck_path = NULL;
+                 const char *cmdline[9];
+                 int i = 0;
+ 
+@@ -371,7 +372,13 @@ static int run(int argc, char *argv[]) {
+                 } else
+                         dash_c[0] = 0;
+ 
+-                cmdline[i++] = "/sbin/fsck";
++                r = find_executable("fsck", &fsck_path);
++                if (r < 0) {
++                        log_error_errno(r, "Cannot find fsck binary: %m");
++                        _exit(FSCK_OPERATIONAL_ERROR);
++                }
++
++                cmdline[i++] = fsck_path;
+                 cmdline[i++] =  arg_repair;
+                 cmdline[i++] = "-T";
+ 
+diff --git a/src/home/homework-luks.c b/src/home/homework-luks.c
+index 2ea9887853..e267457b8e 100644
+--- a/src/home/homework-luks.c
++++ b/src/home/homework-luks.c
+@@ -215,6 +215,7 @@ static int block_get_size_by_path(const char *path, uint64_t *ret) {
+ static int run_fsck(const char *node, const char *fstype) {
+         int r, exit_status;
+         pid_t fsck_pid;
++        _cleanup_free_ char *fsck_path = NULL;
+ 
+         assert(node);
+         assert(fstype);
+@@ -227,6 +228,14 @@ static int run_fsck(const char *node, const char *fstype) {
+                 return 0;
+         }
+ 
++        r = find_executable("fsck", &fsck_path);
++        /* We proceed anyway if we can't determine whether the fsck
++         * binary for some specific fstype exists,
++         * but the lack of the main fsck binary should be considered
++         * an error. */
++        if (r < 0)
++                return log_error_errno(r, "Cannot find fsck binary: %m");
++
+         r = safe_fork("(fsck)",
+                       FORK_RESET_SIGNALS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG|FORK_LOG|FORK_STDOUT_TO_STDERR|FORK_CLOSE_ALL_FDS,
+                       &fsck_pid);
+@@ -234,7 +243,7 @@ static int run_fsck(const char *node, const char *fstype) {
+                 return r;
+         if (r == 0) {
+                 /* Child */
+-                execl("/sbin/fsck", "/sbin/fsck", "-aTl", node, NULL);
++                execl(fsck_path, fsck_path, "-aTl", node, NULL);
+                 log_open();
+                 log_error_errno(errno, "Failed to execute fsck: %m");
+                 _exit(FSCK_OPERATIONAL_ERROR);
+diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
+index 4749bdd230..2b6e1418dd 100644
+--- a/src/shared/dissect-image.c
++++ b/src/shared/dissect-image.c
+@@ -1423,6 +1423,7 @@ static int is_loop_device(const char *path) {
+ static int run_fsck(int node_fd, const char *fstype) {
+         int r, exit_status;
+         pid_t pid;
++        _cleanup_free_ char *fsck_path = NULL;
+ 
+         assert(node_fd >= 0);
+         assert(fstype);
+@@ -1437,6 +1438,14 @@ static int run_fsck(int node_fd, const char *fstype) {
+                 return 0;
+         }
+ 
++        r = find_executable("fsck", &fsck_path);
++        /* We proceed anyway if we can't determine whether the fsck
++         * binary for some specific fstype exists,
++         * but the lack of the main fsck binary should be considered
++         * an error. */
++        if (r < 0)
++                return log_error_errno(r, "Cannot find fsck binary: %m");
++
+         r = safe_fork_full(
+                         "(fsck)",
+                         &node_fd, 1, /* Leave the node fd open */
+@@ -1446,7 +1455,7 @@ static int run_fsck(int node_fd, const char *fstype) {
+                 return log_debug_errno(r, "Failed to fork off fsck: %m");
+         if (r == 0) {
+                 /* Child */
+-                execl("/sbin/fsck", "/sbin/fsck", "-aT", FORMAT_PROC_FD_PATH(node_fd), NULL);
++                execl(fsck_path, fsck_path, "-aT", FORMAT_PROC_FD_PATH(node_fd), NULL);
+                 log_open();
+                 log_debug_errno(errno, "Failed to execl() fsck: %m");
+                 _exit(FSCK_OPERATIONAL_ERROR);
+@@ -1454,7 +1463,7 @@ static int run_fsck(int node_fd, const char *fstype) {
+ 
+         exit_status = wait_for_terminate_and_check("fsck", pid, 0);
+         if (exit_status < 0)
+-                return log_debug_errno(exit_status, "Failed to fork off /sbin/fsck: %m");
++                return log_debug_errno(exit_status, "Failed to fork off %s: %m", fsck_path);
+ 
+         if ((exit_status & ~FSCK_ERROR_CORRECTED) != FSCK_SUCCESS) {
+                 log_debug("fsck failed with exit status %i.", exit_status);
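Review bot: All three call sites now execute whatever `find_executable("fsck", …)` returns, presumably searched in the calling process's `$PATH` as the patch description implies, and nothing records which binary was chosen. For a helper that runs against block devices with the caller's privileges, the resolved path is worth having in the logs. A `log_debug("Using fsck binary %s", fsck_path);` after each successful lookup would make an unexpected resolution visible. In `src/fsck/fsck.c` the lookup sits inside the forked child and fails via `_exit(FSCK_OPERATIONAL_ERROR)`, while both `run_fsck()` variants resolve in the parent and return an error; a comment on that difference would help. The enclosing functions start and end outside the nested hunks.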
diff --git a/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch b/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch
index 336e2b8831e7d..0a638dfbf0ea3 100644
--- a/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch
+++ b/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch
@@ -13,7 +13,7 @@ in containers.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/src/core/manager.c b/src/core/manager.c
-index 7b394794b0..50d092042c 100644
+index 380a4e30d7..817acb87b8 100644
 --- a/src/core/manager.c
 +++ b/src/core/manager.c
 @@ -1437,7 +1437,8 @@ static unsigned manager_dispatch_stop_when_bound_queue(Manager *m) {
diff --git a/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch b/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch
new file mode 100644
index 0000000000000..2c4c3f6564e1b
--- /dev/null
+++ b/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch
@@ -0,0 +1,105 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Gabriel Ebner <gebner@gebner.org>
+Date: Sun, 6 Dec 2015 14:26:36 +0100
+Subject: [PATCH] hostnamed, localed, timedated: disable methods that change
+ system settings.
+
+---
+ src/hostname/hostnamed.c |  6 ++++++
+ src/locale/localed.c     |  9 +++++++++
+ src/timedate/timedated.c | 10 ++++++++++
+ 3 files changed, 25 insertions(+)
+
+diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c
+index 36ab0148b9..7d458d196d 100644
+--- a/src/hostname/hostnamed.c
++++ b/src/hostname/hostnamed.c
+@@ -1028,6 +1028,9 @@ static int method_set_static_hostname(sd_bus_message *m, void *userdata, sd_bus_
+         if (r < 0)
+                 return r;
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         name = empty_to_null(name);
+ 
+         context_read_etc_hostname(c);
+@@ -1091,6 +1094,9 @@ static int set_machine_info(Context *c, sd_bus_message *m, int prop, sd_bus_mess
+         if (r < 0)
+                 return r;
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         name = empty_to_null(name);
+ 
+         context_read_machine_info(c);
+diff --git a/src/locale/localed.c b/src/locale/localed.c
+index 841e5e3e91..a21e34430b 100644
+--- a/src/locale/localed.c
++++ b/src/locale/localed.c
+@@ -264,6 +264,9 @@ static int method_set_locale(sd_bus_message *m, void *userdata, sd_bus_error *er
+ 
+         use_localegen = locale_gen_check_available();
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         /* If single locale without variable name is provided, then we assume it is LANG=. */
+         if (strv_length(l) == 1 && !strchr(l[0], '=')) {
+                 if (!locale_is_valid(l[0]))
+@@ -382,6 +385,9 @@ static int method_set_vc_keyboard(sd_bus_message *m, void *userdata, sd_bus_erro
+         if (r < 0)
+                 return bus_log_parse_error(r);
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         vc_context_empty_to_null(&in);
+ 
+         FOREACH_STRING(name, in.keymap ?: in.toggle, in.keymap ? in.toggle : NULL) {
+@@ -607,6 +613,9 @@ static int method_set_x11_keyboard(sd_bus_message *m, void *userdata, sd_bus_err
+         if (r < 0)
+                 return bus_log_parse_error(r);
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         x11_context_empty_to_null(&in);
+ 
+         if (!x11_context_is_safe(&in))
+diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c
+index ad483301ef..31ed86955b 100644
+--- a/src/timedate/timedated.c
++++ b/src/timedate/timedated.c
+@@ -665,6 +665,10 @@ static int method_set_timezone(sd_bus_message *m, void *userdata, sd_bus_error *
+         if (r < 0)
+                 return r;
+ 
++        if (getenv("NIXOS_STATIC_TIMEZONE"))
++                return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++                    "Changing timezone via systemd is not supported when it is set in NixOS configuration.");
++
+         if (!timezone_is_valid(z, LOG_DEBUG))
+                 return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid or not installed time zone '%s'", z);
+ 
+@@ -743,6 +747,9 @@ static int method_set_local_rtc(sd_bus_message *m, void *userdata, sd_bus_error
+         if (r < 0)
+                 return r;
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         if (lrtc == c->local_rtc && !fix_system)
+                 return sd_bus_reply_method_return(m, NULL);
+ 
+@@ -923,6 +930,9 @@ static int method_set_ntp(sd_bus_message *m, void *userdata, sd_bus_error *error
+         if (r < 0)
+                 return r;
+ 
++        return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED,
++            "Changing system settings via systemd is not supported on NixOS.");
++
+         r = context_update_ntp_status(c, bus, m);
+         if (r < 0)
+                 return r;
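Review bot: The seven unconditional `return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, …)` lines form a hand-maintained deny-list of D-Bus setters, yet the patch description is empty (nothing between `Subject:` and `---`) and no inserted line says why these sites were chosen or which setters are meant to stay reachable. Each return turns the rest of its function into dead code, presumably including the authorization check further down, so a setter that upstream adds or restructures would stay writable after a rebase without any build failure to flag it. I would add a short rationale to the patch description and a marker above each return, e.g. `/* NixOS: disabled on purpose; re-check the list of Set* methods on every systemd bump */`. In `method_set_timezone` the gate `if (getenv("NIXOS_STATIC_TIMEZONE"))` is also true for an empty value; if that is not intended, test `!isempty(getenv("NIXOS_STATIC_TIMEZONE"))`, otherwise state it in a comment. All of these function bodies start and end outside the hunks shown.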
diff --git a/pkgs/os-specific/linux/systemd/0007-Fix-hwdb-paths.patch b/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch
index 49e94b019c786..7777ba7e42593 100644
--- a/pkgs/os-specific/linux/systemd/0007-Fix-hwdb-paths.patch
+++ b/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch
@@ -5,14 +5,14 @@ Subject: [PATCH] Fix hwdb paths
 
 Patch by vcunat.
 ---
- src/libsystemd/sd-hwdb/hwdb-internal.h | 7 ++-----
- 1 file changed, 2 insertions(+), 5 deletions(-)
+ src/libsystemd/sd-hwdb/hwdb-internal.h | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
 
 diff --git a/src/libsystemd/sd-hwdb/hwdb-internal.h b/src/libsystemd/sd-hwdb/hwdb-internal.h
-index 5302679a62..c681f3a984 100644
+index 5302679a62..39e59a527f 100644
 --- a/src/libsystemd/sd-hwdb/hwdb-internal.h
 +++ b/src/libsystemd/sd-hwdb/hwdb-internal.h
-@@ -83,8 +83,5 @@ struct trie_value_entry2_f {
+@@ -83,8 +83,4 @@ struct trie_value_entry2_f {
  } _packed_;
  
  #define hwdb_bin_paths                          \
@@ -22,4 +22,3 @@ index 5302679a62..c681f3a984 100644
 -        _CONF_PATHS_SPLIT_USR_NULSTR("systemd/hwdb/hwdb.bin") \
 -        UDEVLIBEXECDIR "/hwdb.bin\0"
 +        "/etc/udev/hwdb.bin\0"
-+
diff --git a/pkgs/os-specific/linux/systemd/0008-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch b/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
index 69823095a59de..52733a4c49209 100644
--- a/pkgs/os-specific/linux/systemd/0008-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
+++ b/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
@@ -35,10 +35,10 @@ index e486474c44..5f373d0723 100644
      <literal>Etc/UTC</literal>. The resulting link should lead to the
      corresponding binary
 diff --git a/src/basic/time-util.c b/src/basic/time-util.c
-index b700f364ef..116b1cec63 100644
+index 0bea149324..4b16115d43 100644
 --- a/src/basic/time-util.c
 +++ b/src/basic/time-util.c
-@@ -1282,7 +1282,7 @@ static int get_timezones_from_zone1970_tab(char ***ret) {
+@@ -1283,7 +1283,7 @@ static int get_timezones_from_zone1970_tab(char ***ret) {
  
          assert(ret);
  
@@ -47,7 +47,7 @@ index b700f364ef..116b1cec63 100644
          if (!f)
                  return -errno;
  
-@@ -1321,7 +1321,7 @@ static int get_timezones_from_tzdata_zi(char ***ret) {
+@@ -1322,7 +1322,7 @@ static int get_timezones_from_tzdata_zi(char ***ret) {
          _cleanup_strv_free_ char **zones = NULL;
          int r;
  
@@ -56,7 +56,7 @@ index b700f364ef..116b1cec63 100644
          if (!f)
                  return -errno;
  
-@@ -1433,7 +1433,7 @@ int verify_timezone(const char *name, int log_level) {
+@@ -1434,7 +1434,7 @@ int verify_timezone(const char *name, int log_level) {
          if (p - name >= PATH_MAX)
                  return -ENAMETOOLONG;
  
@@ -65,7 +65,7 @@ index b700f364ef..116b1cec63 100644
  
          fd = open(t, O_RDONLY|O_CLOEXEC);
          if (fd < 0)
-@@ -1491,7 +1491,7 @@ int get_timezone(char **ret) {
+@@ -1492,7 +1492,7 @@ int get_timezone(char **ret) {
          if (r < 0)
                  return r; /* returns EINVAL if not a symlink */
  
@@ -88,7 +88,7 @@ index 9e79f84691..1a1c75718c 100644
          (void) mkdir_parents(etc_localtime, 0755);
          r = symlink_atomic(e, etc_localtime);
 diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
-index d62c5173ca..84beac064b 100644
+index 65d9e7e398..dd44d529ca 100644
 --- a/src/nspawn/nspawn.c
 +++ b/src/nspawn/nspawn.c
 @@ -1915,8 +1915,8 @@ int userns_mkdir(const char *root, const char *path, mode_t mode, uid_t uid, gid
@@ -103,7 +103,7 @@ index d62c5173ca..84beac064b 100644
  
  static bool etc_writable(void) {
 diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c
-index ad483301ef..a7f22b1c86 100644
+index 31ed86955b..8db8d8c288 100644
 --- a/src/timedate/timedated.c
 +++ b/src/timedate/timedated.c
 @@ -282,7 +282,7 @@ static int context_read_data(Context *c) {
diff --git a/pkgs/os-specific/linux/systemd/0009-localectl-use-etc-X11-xkb-for-list-x11.patch b/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch
index fac9916cf3b4d..fac9916cf3b4d 100644
--- a/pkgs/os-specific/linux/systemd/0009-localectl-use-etc-X11-xkb-for-list-x11.patch
+++ b/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch
diff --git a/pkgs/os-specific/linux/systemd/0010-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch b/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
index 01874c2be8e3d..eec57111b9132 100644
--- a/pkgs/os-specific/linux/systemd/0010-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
+++ b/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
@@ -8,10 +8,10 @@ Subject: [PATCH] build: don't create statedir and don't touch prefixdir
  1 file changed, 3 deletions(-)
 
 diff --git a/meson.build b/meson.build
-index bfc86857d6..84e3e4c1db 100644
+index b1f5477836..1a39484855 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -4277,9 +4277,6 @@ install_data('LICENSE.GPL2',
+@@ -4278,9 +4278,6 @@ install_data('LICENSE.GPL2',
  install_subdir('LICENSES',
                 install_dir : docdir)
  
diff --git a/pkgs/os-specific/linux/systemd/0011-add-rootprefix-to-lookup-dir-paths.patch b/pkgs/os-specific/linux/systemd/0012-add-rootprefix-to-lookup-dir-paths.patch
index 6f64dce5e4b9b..6e07928d5fbd8 100644
--- a/pkgs/os-specific/linux/systemd/0011-add-rootprefix-to-lookup-dir-paths.patch
+++ b/pkgs/os-specific/linux/systemd/0012-add-rootprefix-to-lookup-dir-paths.patch
@@ -12,7 +12,7 @@ files that I might have missed.
  1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/src/basic/constants.h b/src/basic/constants.h
-index 5d68cc6332..a2ccc315e1 100644
+index 5d68cc6332..33c06c1f65 100644
 --- a/src/basic/constants.h
 +++ b/src/basic/constants.h
 @@ -73,13 +73,15 @@
diff --git a/pkgs/os-specific/linux/systemd/0012-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch b/pkgs/os-specific/linux/systemd/0013-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
index 84ac0d882d6d0..84ac0d882d6d0 100644
--- a/pkgs/os-specific/linux/systemd/0012-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
+++ b/pkgs/os-specific/linux/systemd/0013-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
diff --git a/pkgs/os-specific/linux/systemd/0013-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch b/pkgs/os-specific/linux/systemd/0014-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
index 99c0d93facb74..5fa3fb14f1ff9 100644
--- a/pkgs/os-specific/linux/systemd/0013-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
+++ b/pkgs/os-specific/linux/systemd/0014-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
@@ -9,10 +9,10 @@ This is needed for NixOS to use such scripts as systemd directory is immutable.
  1 file changed, 1 insertion(+)
 
 diff --git a/src/sleep/sleep.c b/src/sleep/sleep.c
-index 9c51a3367f..75d6b76a87 100644
+index 288fa4ae84..07deb19d7c 100644
 --- a/src/sleep/sleep.c
 +++ b/src/sleep/sleep.c
-@@ -184,6 +184,7 @@ static int execute(
+@@ -186,6 +186,7 @@ static int execute(
          };
          static const char* const dirs[] = {
                  SYSTEM_SLEEP_PATH,
diff --git a/pkgs/os-specific/linux/systemd/0014-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch b/pkgs/os-specific/linux/systemd/0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
index b3d1db340ef8c..b3d1db340ef8c 100644
--- a/pkgs/os-specific/linux/systemd/0014-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
+++ b/pkgs/os-specific/linux/systemd/0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
diff --git a/pkgs/os-specific/linux/systemd/0015-pkg-config-derive-prefix-from-prefix.patch b/pkgs/os-specific/linux/systemd/0016-pkg-config-derive-prefix-from-prefix.patch
index 3fbfd7f10ab49..3fbfd7f10ab49 100644
--- a/pkgs/os-specific/linux/systemd/0015-pkg-config-derive-prefix-from-prefix.patch
+++ b/pkgs/os-specific/linux/systemd/0016-pkg-config-derive-prefix-from-prefix.patch
diff --git a/pkgs/os-specific/linux/systemd/0016-inherit-systemd-environment-when-calling-generators.patch b/pkgs/os-specific/linux/systemd/0017-inherit-systemd-environment-when-calling-generators.patch
index 1cfd939a6392e..236af4b2c97ba 100644
--- a/pkgs/os-specific/linux/systemd/0016-inherit-systemd-environment-when-calling-generators.patch
+++ b/pkgs/os-specific/linux/systemd/0017-inherit-systemd-environment-when-calling-generators.patch
@@ -16,7 +16,7 @@ executables that are being called from managers.
  1 file changed, 8 insertions(+)
 
 diff --git a/src/core/manager.c b/src/core/manager.c
-index 50d092042c..898f9ed2f1 100644
+index 817acb87b8..3f31359f8a 100644
 --- a/src/core/manager.c
 +++ b/src/core/manager.c
 @@ -3714,9 +3714,17 @@ static int build_generator_environment(Manager *m, char ***ret) {
diff --git a/pkgs/os-specific/linux/systemd/0017-core-don-t-taint-on-unmerged-usr.patch b/pkgs/os-specific/linux/systemd/0018-core-don-t-taint-on-unmerged-usr.patch
index 7a2e8dc670b00..18982ecd04bd1 100644
--- a/pkgs/os-specific/linux/systemd/0017-core-don-t-taint-on-unmerged-usr.patch
+++ b/pkgs/os-specific/linux/systemd/0018-core-don-t-taint-on-unmerged-usr.patch
@@ -17,10 +17,10 @@ See also: https://github.com/systemd/systemd/issues/24191
  1 file changed, 4 deletions(-)
 
 diff --git a/src/core/manager.c b/src/core/manager.c
-index 898f9ed2f1..5040d5b105 100644
+index 3f31359f8a..0c4ec0b4fb 100644
 --- a/src/core/manager.c
 +++ b/src/core/manager.c
-@@ -4543,10 +4543,6 @@ char* manager_taint_string(const Manager *m) {
+@@ -4556,10 +4556,6 @@ char* manager_taint_string(const Manager *m) {
          if (m->taint_usr)
                  stage[n++] = "split-usr";
  
diff --git a/pkgs/os-specific/linux/systemd/0018-tpm2_context_init-fix-driver-name-checking.patch b/pkgs/os-specific/linux/systemd/0019-tpm2_context_init-fix-driver-name-checking.patch
index 115ce78d7134d..8d6eab5ed847d 100644
--- a/pkgs/os-specific/linux/systemd/0018-tpm2_context_init-fix-driver-name-checking.patch
+++ b/pkgs/os-specific/linux/systemd/0019-tpm2_context_init-fix-driver-name-checking.patch
@@ -27,7 +27,7 @@ filename_is_valid with path_is_valid.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
-index 259f280e0f..142e70a740 100644
+index 4345b95106..424a334df1 100644
 --- a/src/shared/tpm2-util.c
 +++ b/src/shared/tpm2-util.c
 @@ -176,7 +176,7 @@ int tpm2_context_new(const char *device, Tpm2Context **ret_context) {
diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index 4b4f4f808547d..110c3bbcb0a6f 100644
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -144,7 +144,7 @@ assert withHomed -> withPam;
 let
   wantCurl = withRemote || withImportd;
   wantGcrypt = withResolved || withImportd;
-  version = "253.2";
+  version = "253.3";
 
   # Bump this variable on every (major) version change. See below (in the meson options list) for why.
   # command:
@@ -161,7 +161,7 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "systemd";
     repo = "systemd-stable";
     rev = "v${version}";
-    hash = "sha256-gtJEHLSeJoOSFnutn/+wM27sV9JiV5afsykyUd+XDKQ=";
+    hash = "sha256-iy1kyqiVeXIhFJAQ+nYorrXm/xb2gfakyrEfMyNR5l8=";
   };
 
   # On major changes, or when otherwise required, you *must* reformat the patches,
@@ -173,21 +173,22 @@ stdenv.mkDerivation (finalAttrs: {
     ./0001-Start-device-units-for-uninitialised-encrypted-devic.patch
     ./0002-Don-t-try-to-unmount-nix-or-nix-store.patch
     ./0003-Fix-NixOS-containers.patch
-    ./0004-Look-for-fsck-in-the-right-place.patch
+    ./0004-fsck-look-for-fsck-binary-not-just-in-sbin.patch
     ./0005-Add-some-NixOS-specific-unit-directories.patch
     ./0006-Get-rid-of-a-useless-message-in-user-sessions.patch
-    ./0007-Fix-hwdb-paths.patch
-    ./0008-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
-    ./0009-localectl-use-etc-X11-xkb-for-list-x11.patch
-    ./0010-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
-    ./0011-add-rootprefix-to-lookup-dir-paths.patch
-    ./0012-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
-    ./0013-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
-    ./0014-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
-    ./0015-pkg-config-derive-prefix-from-prefix.patch
-    ./0016-inherit-systemd-environment-when-calling-generators.patch
-    ./0017-core-don-t-taint-on-unmerged-usr.patch
-    ./0018-tpm2_context_init-fix-driver-name-checking.patch
+    ./0007-hostnamed-localed-timedated-disable-methods-that-cha.patch
+    ./0008-Fix-hwdb-paths.patch
+    ./0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
+    ./0010-localectl-use-etc-X11-xkb-for-list-x11.patch
+    ./0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
+    ./0012-add-rootprefix-to-lookup-dir-paths.patch
+    ./0013-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
+    ./0014-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
+    ./0015-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
+    ./0016-pkg-config-derive-prefix-from-prefix.patch
+    ./0017-inherit-systemd-environment-when-calling-generators.patch
+    ./0018-core-don-t-taint-on-unmerged-usr.patch
+    ./0019-tpm2_context_init-fix-driver-name-checking.patch
   ] ++ lib.optional stdenv.hostPlatform.isMusl (
     let
       oe-core = fetchzip {
diff --git a/pkgs/servers/x11/xorg/default.nix b/pkgs/servers/x11/xorg/default.nix
index 30b5f0eb747e9..0f9aeee3e6998 100644
--- a/pkgs/servers/x11/xorg/default.nix
+++ b/pkgs/servers/x11/xorg/default.nix
@@ -1805,11 +1805,11 @@ self: with self; {
   # THIS IS A GENERATED FILE.  DO NOT EDIT!
   xcbutil = callPackage ({ stdenv, pkg-config, fetchurl, gperf, libxcb, xorgproto, m4 }: stdenv.mkDerivation {
     pname = "xcb-util";
-    version = "0.4.0";
+    version = "0.4.1";
     builder = ./builder.sh;
     src = fetchurl {
-      url = "https://xcb.freedesktop.org/dist/xcb-util-0.4.0.tar.bz2";
-      sha256 = "1sahmrgbpyki4bb72hxym0zvxwnycmswsxiisgqlln9vrdlr9r26";
+      url = "https://xcb.freedesktop.org/dist/xcb-util-0.4.1.tar.xz";
+      sha256 = "04p54r0zjc44fpw1hdy4rhygv37sx2vr2lllxjihykz5v2xkpgjs";
     };
     hardeningDisable = [ "bindnow" "relro" ];
     strictDeps = true;
@@ -1835,17 +1835,17 @@ self: with self; {
   }) {};
 
   # THIS IS A GENERATED FILE.  DO NOT EDIT!
-  xcbutilerrors = callPackage ({ stdenv, pkg-config, fetchurl, gperf, libxcb, xcbproto, xorgproto, m4 }: stdenv.mkDerivation {
+  xcbutilerrors = callPackage ({ stdenv, pkg-config, fetchurl, gperf, libxcb, xcbproto, xorgproto, m4, python3 }: stdenv.mkDerivation {
     pname = "xcb-util-errors";
-    version = "1.0";
+    version = "1.0.1";
     builder = ./builder.sh;
     src = fetchurl {
-      url = "https://xcb.freedesktop.org/dist/xcb-util-errors-1.0.tar.bz2";
-      sha256 = "158rm913dg3hxrrhyvvxr8bcm0pjy5jws70dhy2s12w1krv829k8";
+      url = "https://xcb.freedesktop.org/dist/xcb-util-errors-1.0.1.tar.xz";
+      sha256 = "0mzkh3xj1n690dw8hrdhyjykd71ib0ls9n5cgf9asna2k1xwha2n";
     };
     hardeningDisable = [ "bindnow" "relro" ];
     strictDeps = true;
-    nativeBuildInputs = [ pkg-config m4 ];
+    nativeBuildInputs = [ pkg-config m4 python3 ];
     buildInputs = [ gperf libxcb xcbproto xorgproto ];
     meta.platforms = lib.platforms.unix;
   }) {};
@@ -1853,11 +1853,11 @@ self: with self; {
   # THIS IS A GENERATED FILE.  DO NOT EDIT!
   xcbutilimage = callPackage ({ stdenv, pkg-config, fetchurl, gperf, libxcb, xcbutil, xorgproto, m4 }: stdenv.mkDerivation {
     pname = "xcb-util-image";
-    version = "0.4.0";
+    version = "0.4.1";
     builder = ./builder.sh;
     src = fetchurl {
-      url = "https://xcb.freedesktop.org/dist/xcb-util-image-0.4.0.tar.bz2";
-      sha256 = "1z1gxacg7q4cw6jrd26gvi5y04npsyavblcdad1xccc8swvnmf9d";
+      url = "https://xcb.freedesktop.org/dist/xcb-util-image-0.4.1.tar.xz";
+      sha256 = "0g8dwknrlz96k176qxh8ar84x9kpppci9b978zyp24nvvbjqxbfc";
     };
     hardeningDisable = [ "bindnow" "relro" ];
     strictDeps = true;
@@ -1869,11 +1869,11 @@ self: with self; {
   # THIS IS A GENERATED FILE.  DO NOT EDIT!
   xcbutilkeysyms = callPackage ({ stdenv, pkg-config, fetchurl, gperf, libxcb, xorgproto, m4 }: stdenv.mkDerivation {
     pname = "xcb-util-keysyms";
-    version = "0.4.0";
+    version = "0.4.1";
     builder = ./builder.sh;
     src = fetchurl {
-      url = "https://xcb.freedesktop.org/dist/xcb-util-keysyms-0.4.0.tar.bz2";
-      sha256 = "1nbd45pzc1wm6v5drr5338j4nicbgxa5hcakvsvm5pnyy47lky0f";
+      url = "https://xcb.freedesktop.org/dist/xcb-util-keysyms-0.4.1.tar.xz";
+      sha256 = "0f66snk179hmp8ppgv1zp9y7pl1vzn52znpikm1fsaj1ji90l9kw";
     };
     hardeningDisable = [ "bindnow" "relro" ];
     strictDeps = true;
@@ -1885,11 +1885,11 @@ self: with self; {
   # THIS IS A GENERATED FILE.  DO NOT EDIT!
   xcbutilrenderutil = callPackage ({ stdenv, pkg-config, fetchurl, gperf, libxcb, xorgproto, m4 }: stdenv.mkDerivation {
     pname = "xcb-util-renderutil";
-    version = "0.3.9";
+    version = "0.3.10";
     builder = ./builder.sh;
     src = fetchurl {
-      url = "https://xcb.freedesktop.org/dist/xcb-util-renderutil-0.3.9.tar.bz2";
-      sha256 = "0nza1csdvvxbmk8vgv8vpmq7q8h05xrw3cfx9lwxd1hjzd47xsf6";
+      url = "https://xcb.freedesktop.org/dist/xcb-util-renderutil-0.3.10.tar.xz";
+      sha256 = "1fh4dnlwlqyccrhmmwlv082a7mxc7ss7vmzmp7xxp39dwbqd859y";
     };
     hardeningDisable = [ "bindnow" "relro" ];
     strictDeps = true;
@@ -1901,11 +1901,11 @@ self: with self; {
   # THIS IS A GENERATED FILE.  DO NOT EDIT!
   xcbutilwm = callPackage ({ stdenv, pkg-config, fetchurl, gperf, libxcb, xorgproto, m4 }: stdenv.mkDerivation {
     pname = "xcb-util-wm";
-    version = "0.4.1";
+    version = "0.4.2";
     builder = ./builder.sh;
     src = fetchurl {
-      url = "https://xcb.freedesktop.org/dist/xcb-util-wm-0.4.1.tar.bz2";
-      sha256 = "0gra7hfyxajic4mjd63cpqvd20si53j1q3rbdlkqkahfciwq3gr8";
+      url = "https://xcb.freedesktop.org/dist/xcb-util-wm-0.4.2.tar.xz";
+      sha256 = "02wai17mxfbvlnj4l4bjbvah97rccdivzvd7mrznhr32s0hlxhv2";
     };
     hardeningDisable = [ "bindnow" "relro" ];
     strictDeps = true;
diff --git a/pkgs/servers/x11/xorg/tarballs.list b/pkgs/servers/x11/xorg/tarballs.list
index 05de84ed586fd..a20aac1cc1ef8 100644
--- a/pkgs/servers/x11/xorg/tarballs.list
+++ b/pkgs/servers/x11/xorg/tarballs.list
@@ -1,12 +1,12 @@
 https://invisible-mirror.net/archives/luit/luit-20190106.tgz
 https://xcb.freedesktop.org/dist/libpthread-stubs-0.4.tar.bz2
-https://xcb.freedesktop.org/dist/xcb-util-0.4.0.tar.bz2
+https://xcb.freedesktop.org/dist/xcb-util-0.4.1.tar.xz
 https://xcb.freedesktop.org/dist/xcb-util-cursor-0.1.3.tar.bz2
-https://xcb.freedesktop.org/dist/xcb-util-errors-1.0.tar.bz2
-https://xcb.freedesktop.org/dist/xcb-util-image-0.4.0.tar.bz2
-https://xcb.freedesktop.org/dist/xcb-util-keysyms-0.4.0.tar.bz2
-https://xcb.freedesktop.org/dist/xcb-util-renderutil-0.3.9.tar.bz2
-https://xcb.freedesktop.org/dist/xcb-util-wm-0.4.1.tar.bz2
+https://xcb.freedesktop.org/dist/xcb-util-errors-1.0.1.tar.xz
+https://xcb.freedesktop.org/dist/xcb-util-image-0.4.1.tar.xz
+https://xcb.freedesktop.org/dist/xcb-util-keysyms-0.4.1.tar.xz
+https://xcb.freedesktop.org/dist/xcb-util-renderutil-0.3.10.tar.xz
+https://xcb.freedesktop.org/dist/xcb-util-wm-0.4.2.tar.xz
 mirror://xorg/individual/app/appres-1.0.5.tar.bz2
 https://xorg.freedesktop.org/archive/individual/util/bdftopcf-1.1.1.tar.xz
 mirror://xorg/individual/app/bitmap-1.0.9.tar.gz
diff --git a/pkgs/stdenv/darwin/default.nix b/pkgs/stdenv/darwin/default.nix
index 6cc6271eedbe6..ffe99da869225 100644
--- a/pkgs/stdenv/darwin/default.nix
+++ b/pkgs/stdenv/darwin/default.nix
@@ -63,6 +63,7 @@ rec {
     unset SDKROOT
 
     stripAllFlags=" " # the Darwin "strip" command doesn't know "-s"
+    stripDebugFlags="-S" # the Darwin "strip" command does something odd with "-p"
   '';
 
   bootstrapTools = derivation ({
diff --git a/pkgs/stdenv/linux/default.nix b/pkgs/stdenv/linux/default.nix
index e227b6850773c..17759d9fa1d7f 100644
--- a/pkgs/stdenv/linux/default.nix
+++ b/pkgs/stdenv/linux/default.nix
@@ -322,11 +322,11 @@ in
     assert            isFromBootstrapFiles prevStage.gcc-unwrapped;
     assert            isFromBootstrapFiles prevStage.coreutils;
     assert            isFromBootstrapFiles prevStage.gnugrep;
+    assert isBuiltByBootstrapFilesCompiler prevStage.patchelf;
     stageFun prevStage {
       name = "bootstrap-stage-xgcc";
       overrides = final: prev: {
-        inherit (prevStage) ccWrapperStdenv coreutils gnugrep gettext bison texinfo zlib gnum4 perl;
-        patchelf = bootstrapTools;
+        inherit (prevStage) ccWrapperStdenv coreutils gnugrep gettext bison texinfo zlib gnum4 perl patchelf;
         ${localSystem.libc} = getLibc prevStage;
         gmp      = prev.gmp.override { cxx = false; };
         gcc-unwrapped =
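Review bot: The xgcc stage drops `patchelf = bootstrapTools;` in favour of inheriting `prevStage.patchelf`, but nothing records why, so the new `assert isBuiltByBootstrapFilesCompiler prevStage.patchelf;` reads as an unexplained invariant. A one-line comment above the assert would make the provenance rule auditable, e.g. `# patchelf is taken from the previous stage's build, never straight from bootstrapTools` (wording to be confirmed by the author, since the earlier stages are not visible here). The same applies to the patchelf asserts added in the five later hunks of this file, where the expected builder changes to `isBuiltByNixpkgsCompiler` from the `bootstrap-stage3` hunk onward. Every stage definition starts and ends outside its hunk.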
@@ -399,6 +399,7 @@ in
     assert isBuiltByBootstrapFilesCompiler prevStage.gcc-unwrapped;
     assert            isFromBootstrapFiles prevStage.coreutils;
     assert            isFromBootstrapFiles prevStage.gnugrep;
+    assert isBuiltByBootstrapFilesCompiler prevStage.patchelf;
     stageFun prevStage {
     name = "bootstrap-stage2";
 
@@ -484,6 +485,7 @@ in
     assert isBuiltByBootstrapFilesCompiler prevStage.gcc-unwrapped;
     assert            isFromBootstrapFiles prevStage.coreutils;
     assert            isFromBootstrapFiles prevStage.gnugrep;
+    assert        isBuiltByNixpkgsCompiler prevStage.patchelf;
     assert lib.all isBuiltByNixpkgsCompiler (with prevStage; [ gmp isl_0_20 libmpc mpfr ]);
     stageFun prevStage {
     name = "bootstrap-stage3";
@@ -524,6 +526,7 @@ in
     assert isBuiltByNixpkgsCompiler prevStage.gcc-unwrapped;
     assert     isFromBootstrapFiles prevStage.coreutils;
     assert     isFromBootstrapFiles prevStage.gnugrep;
+    assert isBuiltByNixpkgsCompiler prevStage.patchelf;
     stageFun prevStage {
     name = "bootstrap-stage4";
 
@@ -584,6 +587,7 @@ in
     assert isBuiltByNixpkgsCompiler prevStage.gcc-unwrapped;
     assert isBuiltByNixpkgsCompiler prevStage.coreutils;
     assert isBuiltByNixpkgsCompiler prevStage.gnugrep;
+    assert isBuiltByNixpkgsCompiler prevStage.patchelf;
     {
     inherit config overlays;
     stdenv = import ../generic rec {
@@ -673,5 +677,6 @@ in
     assert isBuiltByNixpkgsCompiler prevStage.gcc-unwrapped;
     assert isBuiltByNixpkgsCompiler prevStage.coreutils;
     assert isBuiltByNixpkgsCompiler prevStage.gnugrep;
+    assert isBuiltByNixpkgsCompiler prevStage.patchelf;
     { inherit (prevStage) config overlays stdenv; })
 ]
diff --git a/pkgs/tools/admin/awscli2/default.nix b/pkgs/tools/admin/awscli2/default.nix
index d41b25953b53a..0fb6c044358ad 100644
--- a/pkgs/tools/admin/awscli2/default.nix
+++ b/pkgs/tools/admin/awscli2/default.nix
@@ -11,48 +11,26 @@
 let
   py = python3 // {
     pkgs = python3.pkgs.overrideScope (self: super: {
-      ipython = super.ipython.overridePythonAttrs (oldAttrs: rec {
-        pname = "ipython";
-        version = "8.5.0";
-
-        src = self.fetchPypi {
-          inherit pname version;
-          sha256 = "sha256-CXvfXNh1dv0GYXnJ9/IIAE96aGTuGyDzfTRsC8sJn4Q=";
-        };
-
-        disabledTests = [ "testIPythonLexer" ] ++ oldAttrs.disabledTests;
-      });
-
-      prompt-toolkit = super.prompt-toolkit.overridePythonAttrs (oldAttrs: rec {
-        version = "3.0.28";
-        src = self.fetchPypi {
-          pname = "prompt_toolkit";
-          inherit version;
-          hash = "sha256-nxzRax6GwpaPJRnX+zHdnWaZFvUVYSwmnRTp7VK1FlA=";
-        };
-      });
+      # nothing right now
     });
   };
 
 in
 with py.pkgs; buildPythonApplication rec {
   pname = "awscli2";
-  version = "2.11.6"; # N.B: if you change this, check if overrides are still up-to-date
+  version = "2.11.15"; # N.B: if you change this, check if overrides are still up-to-date
   format = "pyproject";
 
   src = fetchFromGitHub {
     owner = "aws";
     repo = "aws-cli";
     rev = version;
-    hash = "sha256-6VEDGakOx2LJcDbBKicxxfOt0t2tf2iaRXkx1Em0Ieg=";
+    hash = "sha256-2FE5PJxdTqSrAIgkaZPf91B6bI6Bj9tbJjXg2nAaLdo=";
   };
 
   postPatch = ''
     substituteInPlace requirements/bootstrap.txt \
       --replace "pip>=22.0.0,<23.0.0" "pip>=22.0.0,<24.0.0"
-    substituteInPlace pyproject.toml \
-      --replace "distro>=1.5.0,<1.6.0" "distro>=1.5.0" \
-      --replace "cryptography>=3.3.2,<38.0.5" "cryptography>=3.3.2"
   '';
 
   nativeBuildInputs = [
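Review bot: With both overrides removed, `python3.pkgs.overrideScope (self: super: { # nothing right now })` is a no-op, and the `# N.B: if you change this, check if overrides are still up-to-date` comment on `version` now points at overrides that no longer exist. Either reword that comment to name what must be re-checked on a bump (the `postPatch` pin relaxations) or drop the empty scope until an override is needed again. The surviving `--replace "pip>=22.0.0,<23.0.0" "pip>=22.0.0,<24.0.0"` matches an exact string, and whether 2.11.15's `requirements/bootstrap.txt` still contains it is not visible in this hunk. A non-matching `--replace` only warns, so the build log should be checked for that warning.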
diff --git a/pkgs/tools/backup/grab-site/default.nix b/pkgs/tools/backup/grab-site/default.nix
index f4e65ddbcd5dd..168343b4083ab 100644
--- a/pkgs/tools/backup/grab-site/default.nix
+++ b/pkgs/tools/backup/grab-site/default.nix
@@ -5,7 +5,8 @@ let
     packageOverrides = self: super: {
       sqlalchemy = super.sqlalchemy.overridePythonAttrs (oldAttrs: rec {
         version = "1.3.24";
-        src = oldAttrs.src.override {
+        src = super.fetchPypi {
+          inherit (oldAttrs) pname;
           inherit version;
           hash = "sha256-67t3fL+TEjWbiXv4G6ANrg9ctp+6KhgmXcwYpvXvdRk=";
         };
diff --git a/pkgs/tools/compression/zstd/default.nix b/pkgs/tools/compression/zstd/default.nix
index ca04ead396b72..3a51bdce190b2 100644
--- a/pkgs/tools/compression/zstd/default.nix
+++ b/pkgs/tools/compression/zstd/default.nix
@@ -21,13 +21,13 @@
 
 stdenv.mkDerivation rec {
   pname = "zstd";
-  version = "1.5.4";
+  version = "1.5.5";
 
   src = fetchFromGitHub {
     owner = "facebook";
     repo = "zstd";
     rev = "v${version}";
-    sha256 = "sha256-2blY4hY4eEcxY8K9bIhYPbfb//rt/+J2TmvxABPG78A=";
+    sha256 = "sha256-tHHHIsQU7vJySrVhJuMKUSq11MzkmC+Pcsj00uFJdnQ=";
   };
 
   nativeBuildInputs = [ cmake ]
diff --git a/pkgs/tools/filesystems/squashfs/4k-align.patch b/pkgs/tools/filesystems/squashfs/4k-align.patch
index db0af95601c5a..bbb4d99329a70 100644
--- a/pkgs/tools/filesystems/squashfs/4k-align.patch
+++ b/pkgs/tools/filesystems/squashfs/4k-align.patch
@@ -1,9 +1,11 @@
 This patch is an old patch; see below for the original message body. The patch
-has been updated twice: Once to apply to squashfs 4.4, commit
-52eb4c279cd283ed9802dd1ceb686560b22ffb67, and later to apply to squashfs 4.5,
-commit 0496d7c3de3e09da37ba492081c86159806ebb07.
+has been updated several times to be compatible with new releases.
 
-From 7bda7c75748f36b0a50f93e46144d5a4de4974ad Mon Sep 17 00:00:00 2001
+ * To apply to squashfs 4.4, commit 52eb4c279cd283ed9802dd1ceb686560b22ffb67.
+ * To apply to squashfs 4.5, commit 0496d7c3de3e09da37ba492081c86159806ebb07.
+ * To apply to squashfs 4.6, commit f7623b3d9953a1190fec181708c9489ef3522b9f.
+
+From af8a6dca694ddd38d8a775a2b5f9a24fe2d10153 Mon Sep 17 00:00:00 2001
 From: Amin Hassani <ahassani@google.com>
 Date: Thu, 15 Dec 2016 10:43:15 -0800
 Subject: [PATCH] mksquashfs 4K aligns the files inside the squashfs image
@@ -21,23 +23,23 @@ increased_size = (number_of_unfragmented_files_in_image + number of fragments) *
 
 The 4k alignment can be enabled by flag '-4k-align'
 ---
- squashfs-tools/mksquashfs.c | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
+ squashfs-tools/mksquashfs.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
 
 diff --git a/squashfs-tools/mksquashfs.c b/squashfs-tools/mksquashfs.c
-index aaa4b00..eb2fb23 100644
+index 3429aac..db164c2 100644
 --- a/squashfs-tools/mksquashfs.c
 +++ b/squashfs-tools/mksquashfs.c
-@@ -99,6 +99,8 @@ int nopad = FALSE;
- int exit_on_error = FALSE;
- long long start_offset = 0;
- int sleep_time = 0;
+@@ -82,6 +82,8 @@ int noI = FALSE;
+ int noId = FALSE;
+ int noD = FALSE;
+ int noX = FALSE;
 +int do_4k_align = FALSE;
 +#define ALIGN_UP(bytes, size) (bytes = (bytes + size - 1) & ~(size - 1))
  
- long long global_uid = -1, global_gid = -1;
- 
-@@ -1553,6 +1555,9 @@ static void unlock_fragments()
+ /* block size used to build filesystem */
+ int block_size = SQUASHFS_FILE_SIZE;
+@@ -1624,6 +1626,9 @@ static void unlock_fragments()
  	 * queue at this time.
  	 */
  	while(!queue_empty(locked_fragment)) {
@@ -47,7 +49,7 @@ index aaa4b00..eb2fb23 100644
  		write_buffer = queue_get(locked_fragment);
  		frg = write_buffer->block;	
  		size = SQUASHFS_COMPRESSED_SIZE_BLOCK(fragment_table[frg].size);
-@@ -2460,6 +2465,9 @@ static void *frag_deflator(void *arg)
+@@ -2627,6 +2632,9 @@ static void *frag_deflator(void *arg)
  		write_buffer->size = compressed_size;
  		pthread_mutex_lock(&fragment_mutex);
  		if(fragments_locked == FALSE) {
@@ -57,7 +59,7 @@ index aaa4b00..eb2fb23 100644
  			fragment_table[file_buffer->block].size = c_byte;
  			fragment_table[file_buffer->block].start_block = bytes;
  			write_buffer->block = bytes;
-@@ -2850,6 +2858,10 @@ static struct file_info *write_file_blocks(int *status, struct dir_ent *dir_ent,
+@@ -3021,6 +3029,10 @@ static struct file_info *write_file_blocks(int *status, struct dir_ent *dir_ent,
  	struct file_info *file;
  	int bl_hash = 0;
  
@@ -68,15 +70,15 @@ index aaa4b00..eb2fb23 100644
  	if(pre_duplicate(read_size, dir_ent->inode, read_buffer, &bl_hash))
  		return write_file_blocks_dup(status, dir_ent, read_buffer, dup, bl_hash);
  
-@@ -5975,6 +5987,7 @@ static void print_options(FILE *stream, char *name, int total_mem)
- 	fprintf(stream, "actions from <f>\n");
- 	fprintf(stream, "-false-action-file <f>\tas -false-action, but read ");
- 	fprintf(stream, "actions from <f>\n");
+@@ -6169,6 +6181,7 @@ static void print_options(FILE *stream, char *name, int total_mem)
+ 	fprintf(stream, "or metadata.  This is\n\t\t\tequivalent to ");
+ 	fprintf(stream, "specifying -noI -noD -noF and -noX\n");
+ 	fprintf(stream, "\nFilesystem build options:\n");
 +	fprintf(stream, "-4k-align\t\tenables 4k alignment of all files\n");
- 	fprintf(stream, "\nFilesystem filter options:\n");
- 	fprintf(stream, "-p <pseudo-definition>\tAdd pseudo file definition\n");
- 	fprintf(stream, "-pf <pseudo-file>\tAdd list of pseudo file definitions\n");
-@@ -6198,6 +6211,7 @@ static void print_summary()
+ 	fprintf(stream, "-tar\t\t\tread uncompressed tar file from standard in (stdin)\n");
+ 	fprintf(stream, "-no-strip\t\tact like tar, and do not strip leading ");
+ 	fprintf(stream, "directories\n\t\t\tfrom source files\n");
+@@ -6690,6 +6703,7 @@ static void print_summary()
  		"compressed", no_fragments ? "no" : noF ? "uncompressed" :
  		"compressed", no_xattrs ? "no" : noX ? "uncompressed" :
  		"compressed", noI || noId ? "uncompressed" : "compressed");
@@ -84,15 +86,15 @@ index aaa4b00..eb2fb23 100644
  	printf("\tduplicates are %sremoved\n", duplicate_checking ? "" :
  		"not ");
  	printf("Filesystem size %.2f Kbytes (%.2f Mbytes)\n", bytes / 1024.0,
-@@ -7499,6 +7513,9 @@ print_compressor_options:
- 			root_name = argv[i];
- 		} else if(strcmp(argv[i], "-version") == 0) {
- 			print_version("mksquashfs");
-+
+@@ -8417,6 +8431,8 @@ print_compressor_options:
+ 		} else if(strcmp(argv[i], "-comp") == 0) {
+ 			/* parsed previously */
+ 			i++;
 +		} else if(strcmp(argv[i], "-4k-align") == 0) {
 +			do_4k_align = TRUE;
  		} else {
  			ERROR("%s: invalid option\n\n", argv[0]);
  			print_options(stderr, argv[0], total_mem);
 -- 
-2.32.0
+2.39.2
+
diff --git a/pkgs/tools/filesystems/squashfs/default.nix b/pkgs/tools/filesystems/squashfs/default.nix
index 54ed84f7a81e6..b1b6efc6993b4 100644
--- a/pkgs/tools/filesystems/squashfs/default.nix
+++ b/pkgs/tools/filesystems/squashfs/default.nix
@@ -14,21 +14,16 @@
 
 stdenv.mkDerivation rec {
   pname = "squashfs";
-  version = "4.5.1";
+  version = "4.6.1";
 
   src = fetchFromGitHub {
     owner = "plougher";
     repo = "squashfs-tools";
     rev = version;
-    sha256 = "sha256-Y3ZPjeE9HN1F+NtGe6EchYziWrTPVQ4SuKaCvNbXMKI=";
+    hash = "sha256-C/awQpp1Q/0adx3YVNTq6ruEAzcjL5G7SkOCgpvAA50=";
   };
 
   patches = [
-    # remove once https://github.com/plougher/squashfs-tools/pull/177 is merged and in a release
-    (fetchpatch {
-      url = "https://github.com/plougher/squashfs-tools/commit/6100e82c7e7f18f503c003c67c87791025d5f01b.patch";
-      sha256 = "sha256-bMBQsbSKQ4E7r9avns2QaomGAYl3s82m58gYyTQdB08=";
-    })
     # This patch adds an option to pad filesystems (increasing size) in
     # exchange for better chunking / binary diff calculation.
     ./4k-align.patch
diff --git a/pkgs/tools/graphics/vulkan-cts/default.nix b/pkgs/tools/graphics/vulkan-cts/default.nix
index 87eb76030e062..9daf215820821 100644
--- a/pkgs/tools/graphics/vulkan-cts/default.nix
+++ b/pkgs/tools/graphics/vulkan-cts/default.nix
@@ -18,6 +18,7 @@
 , vulkan-loader
 , wayland
 , wayland-protocols
+, wayland-scanner
 , zlib
 }:
 let
@@ -126,13 +127,16 @@ stdenv.mkDerivation (finalAttrs: {
     ninja
     pkg-config
     python3
+    wayland-scanner
   ];
 
-  # Fix cts cmake not coping with absolute install dirs
   cmakeFlags = [
+    # Fix cts cmake not coping with absolute install dirs
     "-DCMAKE_INSTALL_BINDIR=bin"
     "-DCMAKE_INSTALL_LIBDIR=lib"
     "-DCMAKE_INSTALL_INCLUDEDIR=include"
+
+    "-DWAYLAND_SCANNER=wayland-scanner"
   ];
 
   postInstall = ''
diff --git a/pkgs/tools/misc/fontforge/default.nix b/pkgs/tools/misc/fontforge/default.nix
index 6aee2be9118c9..f82da495662a0 100644
--- a/pkgs/tools/misc/fontforge/default.nix
+++ b/pkgs/tools/misc/fontforge/default.nix
@@ -14,28 +14,15 @@ assert withGTK -> withGUI;
 
 stdenv.mkDerivation rec {
   pname = "fontforge";
-  version = "20220308";
+  version = "20230101";
 
   src = fetchFromGitHub {
     owner = pname;
     repo = pname;
     rev = version;
-    sha256 = "sha256-q+71PDPODl5fEEy3d1icRl+rBGY7AhH+2dMUKeBWGgI=";
+    sha256 = "sha256-/RYhvL+Z4n4hJ8dmm+jbA1Ful23ni2DbCRZC5A3+pP0=";
   };
 
-  patches = [
-    # Allow installing contrib files (e.g. extras and tools).
-    # Taken from https://salsa.debian.org/fonts-team/fontforge/-/blob/master/debian/patches/0001-add-extra-cmake-install-rules.patch
-    (fetchpatch {
-      url = "https://salsa.debian.org/fonts-team/fontforge/raw/76bffe6ccf8ab20a0c81476a80a87ad245e2fd1c/debian/patches/0001-add-extra-cmake-install-rules.patch";
-      excludes = [
-        # Already handled upstream: https://github.com/fontforge/fontforge/commit/f97a2cd7b344ec8fcb9f8bfb908e1b6f36326d20
-        "contrib/cidmap/CMakeLists.txt"
-      ];
-      sha256 = "iQwaGeBHUais979hGVbU2NxKozQSQkpYXjApxPuLI/4=";
-    })
-  ];
-
   # use $SOURCE_DATE_EPOCH instead of non-deterministic timestamps
   postPatch = ''
     find . -type f -name '*.c' -exec sed -r -i 's#\btime\(&(.+)\)#if (getenv("SOURCE_DATE_EPOCH")) \1=atol(getenv("SOURCE_DATE_EPOCH")); else &#g' {} \;
diff --git a/pkgs/tools/misc/hdf5/default.nix b/pkgs/tools/misc/hdf5/default.nix
index f32fba46d5500..66c20078afb03 100644
--- a/pkgs/tools/misc/hdf5/default.nix
+++ b/pkgs/tools/misc/hdf5/default.nix
@@ -91,11 +91,25 @@ stdenv.mkDerivation rec {
     moveToOutput 'bin/h5pcc' "''${!outputDev}"
   '';
 
+  # Remove reference to /build, which get introduced
+  # into AM_CPPFLAGS since hdf5-1.14.0. Cmake of various
+  # packages using HDF5 gets confused trying access the non-existent path.
+  postFixup = ''
+    for i in h5cc h5pcc h5c++; do
+      if [ -f $dev/bin/$i ]; then
+        substituteInPlace $dev/bin/$i --replace \
+          '-I/build/hdf5-${version}/src/H5FDsubfiling' ""
+      fi
+    done
+  '';
+
+  enableParallelBuilding = true;
+
   passthru.tests = {
     inherit (python3.pkgs) h5py;
   };
 
-  meta = {
+  meta = with lib; {
     description = "Data model, library, and file format for storing and managing data";
     longDescription = ''
       HDF5 supports an unlimited variety of datatypes, and is designed for flexible and efficient
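Review bot: The `postFixup` substitution hard-codes the build directory as `'-I/build/hdf5-${version}/src/H5FDsubfiling'`, so it only matches when the build actually ran under `/build`. On a sandbox-less or Darwin build the top-level directory is presumably different, and the stale `-I` flag would stay in the `h5cc`/`h5pcc`/`h5c++` wrappers, leaking a build path that no longer exists. Deriving the prefix from the build environment is sturdier, e.g. `--replace "-I$NIX_BUILD_TOP/hdf5-${version}/src/H5FDsubfiling" ""`, assuming the unpacked source root is named `hdf5-${version}`. Quoting the path as `"$dev/bin/$i"` in the test and the `substituteInPlace` call would also match how `"''${!outputDev}"` is quoted just above.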
@@ -103,8 +117,9 @@ stdenv.mkDerivation rec {
       applications to evolve in their use of HDF5. The HDF5 Technology suite includes tools and
       applications for managing, manipulating, viewing, and analyzing data in the HDF5 format.
     '';
-    license = lib.licenses.bsd3; # Lawrence Berkeley National Labs BSD 3-Clause variant
+    license = licenses.bsd3; # Lawrence Berkeley National Labs BSD 3-Clause variant
+    maintainers = [ maintainers.markuskowa ];
     homepage = "https://www.hdfgroup.org/HDF5/";
-    platforms = lib.platforms.unix;
+    platforms = platforms.unix;
   };
 }
diff --git a/pkgs/tools/networking/tcpdump/default.nix b/pkgs/tools/networking/tcpdump/default.nix
index 9ccf68aa54370..7fdea769b1c85 100644
--- a/pkgs/tools/networking/tcpdump/default.nix
+++ b/pkgs/tools/networking/tcpdump/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "tcpdump";
-  version = "4.99.3";
+  version = "4.99.4";
 
   src = fetchurl {
     url = "http://www.tcpdump.org/release/tcpdump-${version}.tar.gz";
-    sha256 = "sha256-rXWm7T3A2XMpRbLlSDy0Hci0tSihaTFeSZxoYZUuc7M=";
+    hash = "sha256-AjIjG7LynWvyQm5woIp+DGOg1ZqbRIY7f14jV6bkn+o=";
   };
 
   postPatch = ''
diff --git a/pkgs/tools/security/gnupg/0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch b/pkgs/tools/security/gnupg/0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch
deleted file mode 100644
index 061fb0e8de9c1..0000000000000
--- a/pkgs/tools/security/gnupg/0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 1c9cc97e9d47d73763810dcb4a36b6cdf31a2254 Mon Sep 17 00:00:00 2001
-From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-Date: Sun, 30 Jun 2019 11:54:35 -0400
-Subject: [PATCH] dirmngr: Only use SKS pool CA for SKS pool
-
-* dirmngr/http.c (http_session_new): when checking whether the
-keyserver is the HKPS pool, check specifically against the pool name,
-as ./configure might have been used to select a different default
-keyserver.  It makes no sense to apply Kristian's certificate
-authority to anything other than the literal host
-hkps.pool.sks-keyservers.net.
-
-Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-GnuPG-Bug-Id: 4593
----
- dirmngr/http.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/dirmngr/http.c b/dirmngr/http.c
-index 384f2569d..8e5d53939 100644
---- a/dirmngr/http.c
-+++ b/dirmngr/http.c
-@@ -767,7 +767,7 @@ http_session_new (http_session_t *r_session,
- 
-     is_hkps_pool = (intended_hostname
-                     && !ascii_strcasecmp (intended_hostname,
--                                          get_default_keyserver (1)));
-+                                          "hkps.pool.sks-keyservers.net"));
- 
-     /* If the user has not specified a CA list, and they are looking
-      * for the hkps pool from sks-keyservers.net, then default to
--- 
-2.22.0
-
diff --git a/pkgs/tools/security/gnupg/allow-import-of-previously-known-keys-even-without-UI.patch b/pkgs/tools/security/gnupg/22-allow-import-of-previously-known-keys-even-without-UI.patch
index 98dda54fc7fa3..e8fbe1688402d 100644
--- a/pkgs/tools/security/gnupg/allow-import-of-previously-known-keys-even-without-UI.patch
+++ b/pkgs/tools/security/gnupg/22-allow-import-of-previously-known-keys-even-without-UI.patch
@@ -16,11 +16,12 @@ Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  g10/import.c | 44 +++++++++++---------------------------------
  1 file changed, 11 insertions(+), 33 deletions(-)
 
+
 diff --git a/g10/import.c b/g10/import.c
-index 5d3162c..f9acf95 100644
+index cd3363fc7..8f10771db 100644
 --- a/g10/import.c
 +++ b/g10/import.c
-@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl,
+@@ -1858,7 +1858,6 @@ import_one_real (ctrl_t ctrl,
    size_t an;
    char pkstrbuf[PUBKEY_STRING_SIZE];
    int merge_keys_done = 0;
@@ -28,12 +29,11 @@ index 5d3162c..f9acf95 100644
    KEYDB_HANDLE hd = NULL;
  
    if (r_valid)
-@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl,
-       log_printf ("\n");
+@@ -1896,13 +1895,6 @@ import_one_real (ctrl_t ctrl,
      }
  
--
--  if (!uidnode)
+ 
+-  if (!uidnode )
 -    {
 -      if (!silent)
 -        log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
@@ -43,17 +43,17 @@ index 5d3162c..f9acf95 100644
    if (screener && screener (keyblock, screener_arg))
      {
        log_error (_("key %s: %s\n"), keystr_from_pk (pk),
-@@ -1907,18 +1898,10 @@ import_one_real (ctrl_t ctrl,
+@@ -1977,18 +1969,10 @@ import_one_real (ctrl_t ctrl,
  	  }
      }
  
 -  /* Delete invalid parts and bail out if there are no user ids left.  */
--  if (!delete_inv_parts (ctrl, keyblock, keyid, options))
+-  if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs))
 -    {
 -      if (!silent)
 -        {
--          log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
--          if (!opt.quiet)
+-          log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
+-          if (!opt.quiet )
 -            log_info(_("this may be caused by a missing self-signature\n"));
 -        }
 -      stats->no_user_id++;
@@ -62,11 +62,11 @@ index 5d3162c..f9acf95 100644
 +  /* Delete invalid parts, and note if we have any valid ones left.
 +   * We will later abort import if this key is new but contains
 +   * no valid uids.  */
-+  delete_inv_parts (ctrl, keyblock, keyid, options);
++  delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs);
  
    /* Get rid of deleted nodes.  */
    commit_kbnode (&keyblock);
-@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl,
+@@ -1998,24 +1982,11 @@ import_one_real (ctrl_t ctrl,
      {
        apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
        commit_kbnode (&keyblock);
@@ -91,7 +91,7 @@ index 5d3162c..f9acf95 100644
      }
  
    /* The keyblock is valid and ready for real import.  */
-@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl,
+@@ -2073,6 +2044,13 @@ import_one_real (ctrl_t ctrl,
        err = 0;
        stats->skipped_new_keys++;
      }
diff --git a/pkgs/tools/security/gnupg/22.nix b/pkgs/tools/security/gnupg/22.nix
new file mode 100644
index 0000000000000..8a2cfeae06e5b
--- /dev/null
+++ b/pkgs/tools/security/gnupg/22.nix
@@ -0,0 +1,104 @@
+{ lib, stdenv, fetchurl, buildPackages
+, pkg-config, texinfo
+, gettext, libassuan, libgcrypt, libgpg-error, libiconv, libksba, npth
+, adns, bzip2, gnutls, libusb1, openldap, readline, sqlite, zlib
+, enableMinimal ? false
+, withPcsc ? !enableMinimal, pcsclite
+, guiSupport ? stdenv.isDarwin, pinentry
+}:
+
+assert guiSupport -> enableMinimal == false;
+
+stdenv.mkDerivation rec {
+  pname = "gnupg";
+  version = "2.2.41";
+
+  src = fetchurl {
+    url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2";
+    hash = "sha256-E/MpEAel6FRvy3vAxmEM5EqqmzmVBZ1PgUW6Cf1b4+E=";
+  };
+
+  depsBuildBuild = [ buildPackages.stdenv.cc ];
+  nativeBuildInputs = [ pkg-config texinfo ];
+  buildInputs = [
+    gettext libassuan libgcrypt libgpg-error libiconv libksba npth
+  ] ++ lib.optionals (!enableMinimal) [
+    adns bzip2 gnutls libusb1 openldap readline sqlite zlib
+  ];
+
+  patches = [
+    ./fix-libusb-include-path.patch
+    ./tests-add-test-cases-for-import-without-uid.patch
+    ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
+    ./22-allow-import-of-previously-known-keys-even-without-UI.patch
+  ];
+
+  postPatch = ''
+    sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' configure doc/dirmngr.texi doc/gnupg.info-1
+    # Fix broken SOURCE_DATE_EPOCH usage - remove on the next upstream update
+    sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.am
+    sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.in
+    '' + lib.optionalString (stdenv.isLinux && withPcsc) ''
+      sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c
+    '';
+
+  configureFlags = [
+    "--with-libgpg-error-prefix=${libgpg-error.dev}"
+    "--with-libgcrypt-prefix=${libgcrypt.dev}"
+    "--with-libassuan-prefix=${libassuan.dev}"
+    "--with-ksba-prefix=${libksba.dev}"
+    "--with-npth-prefix=${npth}"
+  ]
+  ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentry.binaryPath or "bin/pinentry"}"
+  ++ lib.optional stdenv.isDarwin "--disable-ccid-driver";
+
+  postInstall = if enableMinimal
+  then ''
+    rm -r $out/{libexec,sbin,share}
+    for f in $(find $out/bin -type f -not -name gpg)
+    do
+      rm $f
+    done
+  '' else ''
+    mkdir -p $out/lib/systemd/user
+    for f in doc/examples/systemd-user/*.{service,socket} ; do
+      substitute $f $out/lib/systemd/user/$(basename $f) \
+        --replace /usr/bin $out/bin
+    done
+
+    # add gpg2 symlink to make sure git does not break when signing commits
+    ln -s $out/bin/gpg $out/bin/gpg2
+
+    # Make libexec tools available in PATH
+    for f in $out/libexec/; do
+      if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi
+      ln -s $f $out/bin/$(basename $f)
+    done
+
+    ln -s -t $out/bin $out/libexec/*
+  '';
+
+  enableParallelBuilding = true;
+
+  passthru.tests.connman = lib.nixosTests.gnupg;
+
+  meta = with lib; {
+    homepage = "https://gnupg.org";
+    description = "LTS release of the GNU Privacy Guard, a GPL OpenPGP implementation";
+    license = licenses.gpl3Plus;
+    longDescription = ''
+      The GNU Privacy Guard is the GNU project's complete and free
+      implementation of the OpenPGP standard as defined by RFC4880.  GnuPG
+      "modern" (2.1) is the latest development with a lot of new features.
+      GnuPG allows to encrypt and sign your data and communication, features a
+      versatile key management system as well as access modules for all kind of
+      public key directories.  GnuPG, also known as GPG, is a command line tool
+      with features for easy integration with other applications.  A wealth of
+      frontend applications and libraries are available.  Version 2 of GnuPG
+      also provides support for S/MIME.
+    '';
+    maintainers = with maintainers; [ fpletz vrthra ];
+    platforms = platforms.all;
+    mainProgram = "gpg";
+  };
+}
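Review bot: In `postInstall`, `for f in $out/libexec/; do` has no glob, so the loop runs once on the directory itself and never sees `gpg-wks-client`; the later `ln -s -t $out/bin $out/libexec/*` then links every libexec tool, including the one the loop meant to skip. Iterating over `$out/libexec/*` and dropping the blanket `ln -s -t` line would make the skip effective. `passthru.tests.connman = lib.nixosTests.gnupg;` also looks wrong: as far as I know `nixosTests` is a package-set argument rather than a `lib` attribute, so the reference probably fails to evaluate, and taking `nixosTests` as a function argument (under a key such as `gnupg` rather than `connman`) would fix it. Both patterns recur in the last hunk of 24.nix, which adds the glob-less loop a second time directly below an identical loop body. Separately, this file does not list the `v3-0001-Disallow-compressed-signatures-and-certificates.patch` that 24.nix applies for a DoS issue, so it is worth confirming that 2.2.41 does not need it.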
diff --git a/pkgs/tools/security/gnupg/24-allow-import-of-previously-known-keys-even-without-UI.patch b/pkgs/tools/security/gnupg/24-allow-import-of-previously-known-keys-even-without-UI.patch
new file mode 100644
index 0000000000000..8d4f703a3dd14
--- /dev/null
+++ b/pkgs/tools/security/gnupg/24-allow-import-of-previously-known-keys-even-without-UI.patch
@@ -0,0 +1,107 @@
+From: Vincent Breitmoser <look@my.amazin.horse>
+Date: Thu, 13 Jun 2019 21:27:42 +0200
+Subject: gpg: allow import of previously known keys, even without UIDs
+
+* g10/import.c (import_one): Accept an incoming OpenPGP certificate that
+has no user id, as long as we already have a local variant of the cert
+that matches the primary key.
+
+--
+
+This fixes two of the three broken tests in import-incomplete.scm.
+
+GnuPG-Bug-id: 4393
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ g10/import.c | 44 +++++++++++---------------------------------
+ 1 file changed, 11 insertions(+), 33 deletions(-)
+
+
+diff --git a/g10/import.c b/g10/import.c
+index 9fab46ca6..61896a6bf 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -1954,7 +1954,6 @@ import_one_real (ctrl_t ctrl,
+   size_t an;
+   char pkstrbuf[PUBKEY_STRING_SIZE];
+   int merge_keys_done = 0;
+-  int any_filter = 0;
+   KEYDB_HANDLE hd = NULL;
+ 
+   if (r_valid)
+@@ -1992,13 +1991,6 @@ import_one_real (ctrl_t ctrl,
+     }
+ 
+ 
+-  if (!uidnode)
+-    {
+-      if (!silent)
+-        log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
+-      return 0;
+-    }
+-
+   if (screener && screener (keyblock, screener_arg))
+     {
+       log_error (_("key %s: %s\n"), keystr_from_pk (pk),
+@@ -2078,18 +2070,10 @@ import_one_real (ctrl_t ctrl,
+ 	  }
+     }
+ 
+-  /* Delete invalid parts and bail out if there are no user ids left.  */
+-  if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs))
+-    {
+-      if (!silent)
+-        {
+-          log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
+-          if (!opt.quiet)
+-            log_info(_("this may be caused by a missing self-signature\n"));
+-        }
+-      stats->no_user_id++;
+-      return 0;
+-    }
++ /* Delete invalid parts, and note if we have any valid ones left.
++  * We will later abort import if this key is new but contains
++  * no valid uids.  */
++  delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs);
+ 
+   /* Get rid of deleted nodes.  */
+   commit_kbnode (&keyblock);
+@@ -2099,24 +2083,11 @@ import_one_real (ctrl_t ctrl,
+     {
+       apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
+       commit_kbnode (&keyblock);
+-      any_filter = 1;
+     }
+   if (import_filter.drop_sig)
+     {
+       apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig);
+       commit_kbnode (&keyblock);
+-      any_filter = 1;
+-    }
+-
+-  /* If we ran any filter we need to check that at least one user id
+-   * is left in the keyring.  Note that we do not use log_error in
+-   * this case. */
+-  if (any_filter && !any_uid_left (keyblock))
+-    {
+-      if (!opt.quiet )
+-        log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk));
+-      stats->no_user_id++;
+-      return 0;
+     }
+ 
+   /* The keyblock is valid and ready for real import.  */
+@@ -2174,6 +2145,13 @@ import_one_real (ctrl_t ctrl,
+       err = 0;
+       stats->skipped_new_keys++;
+     }
++  else if (err && !any_uid_left (keyblock))
++    {
++      if (!silent)
++        log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid));
++      err = 0;
++      stats->no_user_id++;
++    }
+   else if (err)  /* Insert this key. */
+     {
+       /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY.  */
diff --git a/pkgs/tools/security/gnupg/24.nix b/pkgs/tools/security/gnupg/24.nix
index c1f2825e8e93c..ee4e5d277b730 100644
--- a/pkgs/tools/security/gnupg/24.nix
+++ b/pkgs/tools/security/gnupg/24.nix
@@ -1,10 +1,10 @@
-{ fetchurl, fetchpatch, lib, stdenv, pkg-config, libgcrypt, libassuan, libksba
-, libgpg-error, libiconv, npth, gettext, texinfo, buildPackages
-, nixosTests
-, guiSupport ? stdenv.isDarwin, enableMinimal ? false
-, adns, bzip2, gnutls, libusb1, openldap
-, pinentry, readline, sqlite, zlib
+{ lib, stdenv, fetchurl, buildPackages
+, pkg-config, texinfo
+, gettext, libassuan, libgcrypt, libgpg-error, libiconv, libksba, npth
+, adns, bzip2, gnutls, libusb1, openldap, readline, sqlite, zlib
+, enableMinimal ? false
 , withPcsc ? !enableMinimal, pcsclite
+, guiSupport ? stdenv.isDarwin, pinentry
 , withTpm2Tss ? !stdenv.isDarwin && !enableMinimal, tpm2-tss
 }:
 
@@ -16,44 +16,44 @@ stdenv.mkDerivation rec {
 
   src = fetchurl {
     url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2";
-    sha256 = "sha256-HXkVjdAdmSQx3S4/rLif2slxJ/iXhOosthDGAPsMFIM=";
+    hash = "sha256-HXkVjdAdmSQx3S4/rLif2slxJ/iXhOosthDGAPsMFIM=";
   };
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
   nativeBuildInputs = [ pkg-config texinfo ];
   buildInputs = [
-    libgcrypt libassuan libksba libiconv npth gettext
-  ] ++ lib.optionals (!enableMinimal) ([
-    readline libusb1 gnutls adns openldap zlib bzip2 sqlite
-  ] ++ lib.optional withTpm2Tss tpm2-tss);
+    gettext libassuan libgcrypt libgpg-error libiconv libksba npth
+  ] ++ lib.optionals (!enableMinimal) [
+    adns bzip2 gnutls libusb1 openldap readline sqlite zlib
+  ] ++ lib.optionals withTpm2Tss [ tpm2-tss ];
 
   patches = [
     ./fix-libusb-include-path.patch
     ./tests-add-test-cases-for-import-without-uid.patch
-    # TODO: Refresh patch? Doesn't apply on 2.4.0
-    #./allow-import-of-previously-known-keys-even-without-UI.patch
     ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
-
+    ./24-allow-import-of-previously-known-keys-even-without-UI.patch
     # Patch for DoS vuln from https://seclists.org/oss-sec/2022/q3/27
     ./v3-0001-Disallow-compressed-signatures-and-certificates.patch
-
   ];
+
   postPatch = ''
     sed -i 's,\(hkps\|https\)://keyserver.ubuntu.com,hkps://keys.openpgp.org,g' configure configure.ac doc/dirmngr.texi doc/gnupg.info-1
-  '' + lib.optionalString (stdenv.isLinux && withPcsc) ''
-    sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c
-  '';
+    '' + lib.optionalString (stdenv.isLinux && withPcsc) ''
+      sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c
+    '';
 
-  pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry";
   configureFlags = [
+    "--sysconfdir=/etc"
     "--with-libgpg-error-prefix=${libgpg-error.dev}"
     "--with-libgcrypt-prefix=${libgcrypt.dev}"
     "--with-libassuan-prefix=${libassuan.dev}"
     "--with-ksba-prefix=${libksba.dev}"
     "--with-npth-prefix=${npth}"
-  ] ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}"
+  ]
+  ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentry.binaryPath or "bin/pinentry"}"
   ++ lib.optional withTpm2Tss "--with-tss=intel"
   ++ lib.optional stdenv.isDarwin "--disable-ccid-driver";
+
   postInstall = if enableMinimal
   then ''
     rm -r $out/{libexec,sbin,share}
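Review bot: `"--sysconfdir=/etc"` is added to `configureFlags` without a comment, and the new 22.nix in this commit does not pass it, so the two branches would presumably look for system-wide configuration in different places. Since this makes the built gpg honour host-level files outside the store, a one-line reason is worth recording, e.g. `# read system-wide configuration from /etc/gnupg instead of a path inside the store`, together with either the same flag in 22.nix or a note on why it is omitted there. The re-enabled `./24-allow-import-of-previously-known-keys-even-without-UI.patch` entry could carry a short comment too, as the DoS patch below it does, because it relaxes the user-ID checks on import. `postInstall` continues outside the hunk.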
@@ -76,11 +76,16 @@ stdenv.mkDerivation rec {
       if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi
       ln -s $f $out/bin/$(basename $f)
     done
+
+    for f in $out/libexec/; do
+      if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi
+      ln -s $f $out/bin/$(basename $f)
+    done
   '';
 
   enableParallelBuilding = true;
 
-  passthru.tests.connman = nixosTests.gnupg;
+  passthru.tests.connman = lib.nixosTests.gnupg;
 
   meta = with lib; {
     homepage = "https://gnupg.org";
diff --git a/pkgs/tools/typesetting/tex/texlive/bin.nix b/pkgs/tools/typesetting/tex/texlive/bin.nix
index 94e975dbb099d..b2d8530a5adca 100644
--- a/pkgs/tools/typesetting/tex/texlive/bin.nix
+++ b/pkgs/tools/typesetting/tex/texlive/bin.nix
@@ -38,7 +38,13 @@ let
       # http://mirrors.ctan.org/systems/doc/kpathsea/kpathsea.pdf for more
       # details
       sed -i '/^#define ST_NLINK_TRICK/d' texk/kpathsea/config.h
-    '';
+    '' +
+    # when cross compiling, we must use himktables from PATH
+    # (i.e. from buildPackages.texlive.bin.core.dev)
+    lib.optionalString (!stdenv.buildPlatform.canExecute stdenv.hostPlatform)  ''
+      sed -i 's|\./himktables|himktables|' texk/web2c/Makefile.in
+    ''
+;
 
     configureFlags = [
       "--with-banner-add=/nixos.org"
@@ -75,13 +81,15 @@ core = stdenv.mkDerivation rec {
 
   inherit (common) src prePatch;
 
-  outputs = [ "out" "doc" ];
+  outputs = [ "out" "doc" "dev" ];
 
   nativeBuildInputs = [
     pkg-config
-  ] ++ lib.optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+  ] ++ lib.optionals (!stdenv.buildPlatform.canExecute stdenv.hostPlatform) [
     # configure: error: tangle was not found but is required when cross-compiling.
+    # dev (himktables) is used when building hitex to generate the additional source file hitables.c
     texlive.bin.core
+    texlive.bin.core.dev
   ];
 
   buildInputs = [
@@ -159,6 +167,9 @@ core = stdenv.mkDerivation rec {
     mv "$out"/share/{man,info} "$doc"/doc
   '' + /* remove manpages for utils that live in texlive.texlive-scripts to avoid a conflict in buildEnv */ ''
     (cd "$doc"/doc/man/man1; rm {fmtutil-sys.1,fmtutil.1,mktexfmt.1,mktexmf.1,mktexpk.1,mktextfm.1,texhash.1,updmap-sys.1,updmap.1})
+  '' + /* install himktables in separate output for use in cross compilation */ ''
+     mkdir -p $dev/bin
+     cp texk/web2c/.libs/himktables $dev/bin/himktables
   '' + cleanBrokenLinks;
 
   setupHook = ./setup-hook.sh; # TODO: maybe texmf-nix -> texmf (and all references)
@@ -195,7 +206,7 @@ core-big = stdenv.mkDerivation { #TODO: upmendex
 
   hardeningDisable = [ "format" ];
 
-  inherit (core) nativeBuildInputs;
+  inherit (core) nativeBuildInputs depsBuildBuild;
   buildInputs = core.buildInputs ++ [ core cairo harfbuzz icu graphite2 libX11 ];
 
   configureFlags = common.configureFlags
@@ -210,7 +221,15 @@ core-big = stdenv.mkDerivation { #TODO: upmendex
   # we use static libtexlua, because it's only used by a single binary
   postConfigure = let
     luajit = lib.optionalString withLuaJIT ",luajit";
-  in ''
+  in
+  lib.optionalString (stdenv.hostPlatform != stdenv.buildPlatform)
+  # without this, the native builds attempt to use the binary
+  # ${target-triple}-gcc, but we need to use the wrapper script.
+  ''
+    export BUILDCC=${buildPackages.stdenv.cc}/bin/cc
+  ''
+  +
+  ''
     mkdir ./WorkDir && cd ./WorkDir
     for path in libs/{pplib,teckit,lua53${luajit}} texk/web2c; do
       (
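Review bot: The `BUILDCC` export is guarded by `stdenv.hostPlatform != stdenv.buildPlatform`, while the other cross-only branches this commit touches in the file use `!stdenv.buildPlatform.canExecute stdenv.hostPlatform`. Those are the `postPatch` sed, `nativeBuildInputs`, and the `--cache-file=/dev/null` branch in the next hunk. The two predicates differ when the platforms are unequal but the build machine can still run host binaries, so `BUILDCC` would be set in a configuration where the other cross steps are skipped. If that is intended, a comment saying so would help; otherwise use the same guard, `lib.optionalString (!stdenv.buildPlatform.canExecute stdenv.hostPlatform)`. `postConfigure` continues outside the hunk.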
@@ -219,7 +238,18 @@ core-big = stdenv.mkDerivation { #TODO: upmendex
         else
           extraConfig=""
         fi
-
+  '' + lib.optionalString (!stdenv.buildPlatform.canExecute stdenv.hostPlatform)
+    # results of the tests performed by the configure scripts are
+    # toolchain-dependent, so native components and cross components cannot use
+    # the same cached test results.
+    # Disable the caching for components with native subcomponents.
+  ''
+        if [[ "$path" =~ "libs/luajit" ]] || [[ "$path" =~ "texk/web2c" ]]; then
+          extraConfig="$extraConfig --cache-file=/dev/null"
+        fi
+  ''
+  +
+  ''
         mkdir -p "$path" && cd "$path"
         "../../../$path/configure" $configureFlags $extraConfig
 
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 3e4ab3b30a7be..2b5dd35abb254 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -5882,13 +5882,7 @@ with pkgs;
     enableExtraPlugins = true;
   };
 
-  asciidoctor = callPackage ../tools/typesetting/asciidoctor {
-    bundlerApp = bundlerApp.override {
-      # asciidoc supports both ruby 2 and 3,
-      # but we don't want to be stuck on it:
-      ruby = ruby_3_1;
-    };
-  };
+  asciidoctor = callPackage ../tools/typesetting/asciidoctor { };
 
   asciidoctor-with-extensions = callPackage ../tools/typesetting/asciidoctor-with-extensions { };
 
@@ -7920,8 +7914,13 @@ with pkgs;
   gnupg1orig = callPackage ../tools/security/gnupg/1.nix { };
   gnupg1compat = callPackage ../tools/security/gnupg/1compat.nix { };
   gnupg1 = gnupg1compat;    # use config.packageOverrides if you prefer original gnupg1
+
+  gnupg22 = callPackage ../tools/security/gnupg/22.nix {
+    pinentry = if stdenv.isDarwin then pinentry_mac else pinentry-gtk2;
+    libgcrypt = libgcrypt_1_8;
+  };
+
   gnupg24 = callPackage ../tools/security/gnupg/24.nix {
-    guiSupport = stdenv.isDarwin;
     pinentry = if stdenv.isDarwin then pinentry_mac else pinentry-gtk2;
   };
   gnupg = gnupg24;
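Review bot: The `libgcrypt = libgcrypt_1_8;` override on `gnupg22` has no comment explaining why the 2.2 series is built against the older libgcrypt branch. A pinned crypto library is easy to overlook during security updates, so the reason should sit next to the pin, e.g. `# gnupg 2.2 stays on the libgcrypt 1.8 branch because <reason>; revisit when 2.2 is dropped`. Dropping `guiSupport = stdenv.isDarwin;` from `gnupg24` is fine only because the function default in 24.nix is the same expression; that coupling is now implicit.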
@@ -8446,6 +8445,8 @@ with pkgs;
 
   hostname-debian = callPackage ../tools/networking/hostname-debian { };
 
+  hotdoc = python3Packages.callPackage ../development/tools/hotdoc { };
+
   hotpatch = callPackage ../development/libraries/hotpatch { };
 
   hotspot = libsForQt5.callPackage ../development/tools/analysis/hotspot { };
@@ -13980,7 +13981,23 @@ with pkgs;
 
   xxv = callPackage ../tools/misc/xxv { };
 
-  xvfb-run = callPackage ../tools/misc/xvfb-run { inherit (texFunctions) fontsConf; };
+  xvfb-run = callPackage ../tools/misc/xvfb-run {
+    inherit (texFunctions) fontsConf;
+
+    # xvfb-run is used by a bunch of things to run tests
+    # and doesn't support hardware accelerated rendering
+    # so remove it from the rebuild heavy path for mesa
+    xorgserver = xorg.xorgserver.overrideAttrs(old: {
+      buildInputs = lib.filter (pkg: lib.getName pkg != "mesa") old.buildInputs;
+      configureFlags = old.configureFlags ++ [
+        "--disable-glamor"
+        "--disable-glx"
+        "--disable-dri"
+        "--disable-dri2"
+        "--disable-dri3"
+      ];
+    });
+  };
 
   xvkbd = callPackage ../tools/X11/xvkbd { };
 
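Review bot: The filter `lib.getName pkg != "mesa"` in the `xorgserver` override matches on the package name only. If that name changes, or mesa reaches xorgserver through an input list other than `buildInputs`, the filter silently becomes a no-op and mesa returns to the rebuild path with no evaluation error. The comment above it should also say that the five `--disable-*` flags are there because mesa is removed, so the two are kept in sync, e.g. `# glamor/glx/dri need mesa; keep these flags in sync with the buildInputs filter`. Writing `old.configureFlags or [ ]` would keep the override evaluating if the base derivation ever stops setting `configureFlags`; whether it always does is not visible from this hunk.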
@@ -14943,15 +14960,6 @@ with pkgs;
     profiledCompiler = false;
   });
 
-  gfortran-tmp-noisystem = wrapCCWith { grossHackForStagingNext = true; cc = (gcc.cc.override {
-    name = "gfortran";
-    langFortran = true;
-    langCC = false;
-    langC = false;
-    profiledCompiler = false;
-    disableBootstrap = false;
-  }); };
-
   gfortran48 = wrapCC (gcc48.cc.override {
     name = "gfortran";
     langFortran = true;
@@ -15433,12 +15441,8 @@ with pkgs;
   julia_16-bin = callPackage ../development/compilers/julia/1.6-bin.nix { };
   julia_18-bin = callPackage ../development/compilers/julia/1.8-bin.nix { };
 
-  julia_18 = callPackage ../development/compilers/julia/1.8.nix {
-    gfortran = gfortran-tmp-noisystem;
-  };
-  julia_19 = callPackage ../development/compilers/julia/1.9.nix {
-    gfortran = gfortran-tmp-noisystem;
-  };
+  julia_18 = callPackage ../development/compilers/julia/1.8.nix { };
+  julia_19 = callPackage ../development/compilers/julia/1.9.nix { };
 
   julia-lts-bin = julia_16-bin;
   julia-stable-bin = julia_18-bin;
@@ -15638,9 +15642,6 @@ with pkgs;
 
   llvmPackages_rocm = recurseIntoAttrs (callPackage ../development/compilers/llvm/rocm { });
 
-  # temporary hack; see PR #225846
-  stdenv-tmpDropB = overrideCC stdenv (wrapCCWith { tmpDropB = true; inherit (stdenv.cc) cc; });
-
   lorri = callPackage ../tools/misc/lorri {
     inherit (darwin.apple_sdk.frameworks) CoreServices Security;
   };
@@ -17078,8 +17079,8 @@ with pkgs;
     ruby_3_1
     ruby_3_2;
 
-  ruby = ruby_2_7;
-  rubyPackages = rubyPackages_2_7;
+  ruby = ruby_3_1;
+  rubyPackages = rubyPackages_3_1;
 
   rubyPackages_2_7 = recurseIntoAttrs ruby_2_7.gems;
   rubyPackages_3_0 = recurseIntoAttrs ruby_3_0.gems;
@@ -21631,7 +21632,7 @@ with pkgs;
 
   libgcrypt = callPackage ../development/libraries/libgcrypt { };
 
-  libgcrypt_1_5 = callPackage ../development/libraries/libgcrypt/1.5.nix { };
+  libgcrypt_1_8 = callPackage ../development/libraries/libgcrypt/1.8.nix { };
 
   libgdiplus = callPackage ../development/libraries/libgdiplus {
       inherit (darwin.apple_sdk.frameworks) Carbon;
@@ -22659,27 +22660,17 @@ with pkgs;
   # Default libGLU
   libGLU = mesa_glu;
 
-  # When a new patch is out, add a new mesa attribute with the exact patch version
-  # Remove old mesa attributes when they're unused.
-  # Try to keep the previous version around for a bit in case there are new bugs.
-  mesa_22_3_7 = darwin.apple_sdk_11_0.callPackage ../development/libraries/mesa/22.3.7.nix {
+  # Keep Mesa 22.3 for now because 23.0 does not build on Darwin.
+  # FIXME: remove, also investigate why we even need Mesa on Darwin.
+  mesa_22_3 = darwin.apple_sdk_11_0.callPackage ../development/libraries/mesa/22.3.nix {
     inherit (darwin.apple_sdk_11_0.frameworks) OpenGL;
     inherit (darwin.apple_sdk_11_0.libs) Xplugin;
   };
-  mesa_23_0_1 = darwin.apple_sdk_11_0.callPackage ../development/libraries/mesa/23.0.1.nix {
+  mesa_23_0 = darwin.apple_sdk_11_0.callPackage ../development/libraries/mesa/23.0.nix {
     inherit (darwin.apple_sdk_11_0.frameworks) OpenGL;
     inherit (darwin.apple_sdk_11_0.libs) Xplugin;
   };
-  # Bump this immediately on patches; wait a bit for minor versions
-  mesa_22 = mesa_22_3_7;
-  mesa_23 = mesa_23_0_1;
-  # Bump on staging only, tonnes of packages depend on it.
-  # See https://github.com/NixOS/nixpkgs/issues/218232
-  # Major versions should be bumped when they have proven to be reasonably stable
-  # FIXME: split up libgbm properly
-  # darwin: deferred until stabilized; e.g. see around:
-  #   https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/21859
-  mesa = if stdenv.isDarwin then mesa_22_3_7 else mesa_23_0_1;
+  mesa = if stdenv.isDarwin then mesa_22_3 else mesa_23_0;
 
   mesa_glu =  callPackage ../development/libraries/mesa-glu {
     inherit (darwin.apple_sdk.frameworks) ApplicationServices;
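Review bot: The new `FIXME: remove` on `mesa_22_3` has no condition or tracking reference, and the hunk deletes the comment block that held the bump policy ("Bump on staging only") and the upstream merge-request link for the Darwin situation. Darwin now stays on the 22.3 series with no pointer to what has to change before it can move. I would keep the reference on the FIXME: `# FIXME: remove once 23.x builds on Darwin, see https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/21859`. The `mesa_22` and `mesa_23` attributes are also dropped here; whether aliases for them are added elsewhere in the commit is not visible in this hunk.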
@@ -24711,7 +24702,11 @@ with pkgs;
     pkg = callPackage ../development/compilers/sbcl/2.x.nix { version = "2.3.0"; };
     faslExt = "fasl";
   };
-  sbcl = sbcl_2_3_0;
+  sbcl_2_3_2 = wrapLisp {
+    pkg = callPackage ../development/compilers/sbcl/2.x.nix { version = "2.3.2"; };
+    faslExt = "fasl";
+  };
+  sbcl = sbcl_2_3_2;
 
   sbclPackages = recurseIntoAttrs sbcl.pkgs;
 
@@ -27352,7 +27347,6 @@ with pkgs;
     withHomed = false;
     withHwdb = false;
     withImportd = false;
-    withKmod = false;
     withLibBPF = false;
     withLibidn2 = false;
     withLocaled = false;
@@ -30070,7 +30064,7 @@ with pkgs;
   flwrap = callPackage ../applications/radio/flwrap { stdenv = gcc10StdenvCompat; };
 
   fluidsynth = callPackage ../applications/audio/fluidsynth {
-    inherit (darwin.apple_sdk.frameworks) AudioUnit CoreAudio CoreMIDI CoreServices;
+    inherit (darwin.apple_sdk.frameworks) AppKit AudioUnit CoreAudio CoreMIDI CoreServices;
   };
 
   fmit = libsForQt5.callPackage ../applications/audio/fmit { };
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index b88d3819cdfe4..6c94f88f841fe 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -2328,6 +2328,8 @@ self: super: with self; {
 
   dbus-client-gen = callPackage ../development/python-modules/dbus-client-gen { };
 
+  dbus-deviation = callPackage ../development/python-modules/dbus-deviation { };
+
   dbus-fast = callPackage ../development/python-modules/dbus-fast { };
 
   dbus-next = callPackage ../development/python-modules/dbus-next { };
@@ -12688,6 +12690,8 @@ self: super: with self; {
 
   wheel-inspect = callPackage ../development/python-modules/wheel-inspect { };
 
+  wheezy-template = callPackage ../development/python-modules/wheezy-template { };
+
   whichcraft = callPackage ../development/python-modules/whichcraft { };
 
   whirlpool-sixth-sense = callPackage ../development/python-modules/whirlpool-sixth-sense { };