10 files changed, 73 insertions, 65 deletions
diff --git a/pkgs/build-support/appimage/default.nix b/pkgs/build-support/appimage/default.nix
index 0d44a5ab23e96..c4ea9371cfcd6 100644
--- a/pkgs/build-support/appimage/default.nix
+++ b/pkgs/build-support/appimage/default.nix
@@ -162,7 +162,7 @@ rec {
       vulkan-loader
 
       flac
-      freeglut
+      libglut
       libjpeg
       libpng12
       libpulseaudio
diff --git a/pkgs/build-support/bintools-wrapper/default.nix b/pkgs/build-support/bintools-wrapper/default.nix
index 2a1fe1344e205..e7fcf173c6026 100644
--- a/pkgs/build-support/bintools-wrapper/default.nix
+++ b/pkgs/build-support/bintools-wrapper/default.nix
@@ -45,6 +45,7 @@
     "relro"
     "stackprotector"
     "strictoverflow"
+    "zerocallusedregs"
   ] ++ lib.optional (with stdenvNoCC;
     # Musl-based platforms will keep "pie", other platforms will not.
     # If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}`
diff --git a/pkgs/build-support/cc-wrapper/add-clang-cc-cflags-before.sh b/pkgs/build-support/cc-wrapper/add-clang-cc-cflags-before.sh
index a1d06b9c6b0ae..51bfeb18f58a1 100644
--- a/pkgs/build-support/cc-wrapper/add-clang-cc-cflags-before.sh
+++ b/pkgs/build-support/cc-wrapper/add-clang-cc-cflags-before.sh
@@ -7,5 +7,5 @@ for p in "${params[@]}"; do
 done
 
 if $needsTarget; then
-    extraBefore+=(-target @defaultTarget@ @march@)
+    extraBefore+=(-target @defaultTarget@ @machineFlags@)
 fi
diff --git a/pkgs/build-support/cc-wrapper/add-hardening.sh b/pkgs/build-support/cc-wrapper/add-hardening.sh
index ef166e2f50c5e..0dca3b3347e5b 100644
--- a/pkgs/build-support/cc-wrapper/add-hardening.sh
+++ b/pkgs/build-support/cc-wrapper/add-hardening.sh
@@ -32,7 +32,7 @@ if [[ -n "${hardeningEnableMap[fortify3]-}" ]]; then
 fi
 
 if (( "${NIX_DEBUG:-0}" >= 1 )); then
-  declare -a allHardeningFlags=(fortify fortify3 stackprotector pie pic strictoverflow format trivialautovarinit zerocallusedregs)
+  declare -a allHardeningFlags=(fortify fortify3 stackprotector stackclashprotection pie pic strictoverflow format trivialautovarinit zerocallusedregs)
   declare -A hardeningDisableMap=()
 
   # Determine which flags were effectively disabled so we can report below.
@@ -79,6 +79,10 @@ for flag in "${!hardeningEnableMap[@]}"; do
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stackprotector >&2; fi
       hardeningCFlagsBefore+=('-fstack-protector-strong' '--param' 'ssp-buffer-size=4')
       ;;
+    stackclashprotection)
+      if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling stack-clash-protection >&2; fi
+      hardeningCFlagsBefore+=('-fstack-clash-protection')
+      ;;
     pie)
       # NB: we do not use `+=` here, because PIE flags must occur before any PIC flags
       if (( "${NIX_DEBUG:-0}" >= 1 )); then echo HARDENING: enabling CFlags -fPIE >&2; fi
diff --git a/pkgs/build-support/cc-wrapper/default.nix b/pkgs/build-support/cc-wrapper/default.nix
index 4adc1dcb1f8d8..d842f3fc70909 100644
--- a/pkgs/build-support/cc-wrapper/default.nix
+++ b/pkgs/build-support/cc-wrapper/default.nix
@@ -67,6 +67,7 @@ let
     concatMapStrings
     concatStringsSep
     escapeShellArg
+    escapeShellArgs
     getBin
     getDev
     getLib
@@ -234,6 +235,32 @@ let
        then guess
        else null;
 
+  thumb = if targetPlatform.gcc.thumb then "thumb" else "arm";
+  tune = if targetPlatform ? gcc.tune
+         then findBestTuneApproximation targetPlatform.gcc.tune
+         else null;
+
+  # Machine flags. These are necessary to support
+
+  # TODO: We should make a way to support miscellaneous machine
+  # flags and other gcc flags as well.
+
+  machineFlags =
+    # Always add -march based on cpu in triple. Sometimes there is a
+    # discrepency (x86_64 vs. x86-64), so we provide an "arch" arg in
+    # that case.
+    optional (targetPlatform ? gcc.arch && !(targetPlatform.isDarwin && targetPlatform.isAarch64) && isGccArchSupported targetPlatform.gcc.arch) "-march=${targetPlatform.gcc.arch}" ++
+    # TODO: aarch64-darwin has mcpu incompatible with gcc
+    optional (targetPlatform ? gcc.cpu && !(targetPlatform.isDarwin && targetPlatform.isAarch64)) "-mcpu=${targetPlatform.gcc.cpu}" ++
+    # -mfloat-abi only matters on arm32 but we set it here
+    # unconditionally just in case. If the abi specifically sets hard
+    # vs. soft floats we use it here.
+    optional (targetPlatform ? gcc.float-abi) "-mfloat-abi=${targetPlatform.gcc.float-abi}" ++
+    optional (targetPlatform ? gcc.fpu) "-mfpu=${targetPlatform.gcc.fpu}" ++
+    optional (targetPlatform ? gcc.mode) "-mmode=${targetPlatform.gcc.mode}" ++
+    optional (targetPlatform ? gcc.thumb) "-m${thumb}" ++
+    optional (tune != null) "-mtune=${tune}";
+
   defaultHardeningFlags = bintools.defaultHardeningFlags or [];
 
   # if cc.hardeningUnsupportedFlagsByTargetPlatform exists, this is
@@ -610,53 +637,11 @@ stdenvNoCC.mkDerivation {
       export hardening_unsupported_flags="${concatStringsSep " " ccHardeningUnsupportedFlags}"
     ''
 
-    # Machine flags. These are necessary to support
-
-    # TODO: We should make a way to support miscellaneous machine
-    # flags and other gcc flags as well.
-
-    # Always add -march based on cpu in triple. Sometimes there is a
-    # discrepency (x86_64 vs. x86-64), so we provide an "arch" arg in
-    # that case.
-    #
     # For clang, this is handled in add-clang-cc-cflags-before.sh
-
-    # TODO: aarch64-darwin has mcpu incompatible with gcc
-    + optionalString ((targetPlatform ? gcc.arch) && !isClang && !(targetPlatform.isDarwin && targetPlatform.isAarch64) &&
-                      isGccArchSupported targetPlatform.gcc.arch) ''
-      echo "-march=${targetPlatform.gcc.arch}" >> $out/nix-support/cc-cflags-before
-    ''
-
-    # -mcpu is not very useful, except on PowerPC where it is used
-    # instead of march. On all other platforms you should use mtune
-    # and march instead.
-    # TODO: aarch64-darwin has mcpu incompatible with gcc
-    + optionalString ((targetPlatform ? gcc.cpu) && (isClang || !(targetPlatform.isDarwin && targetPlatform.isAarch64))) ''
-      echo "-mcpu=${targetPlatform.gcc.cpu}" >> $out/nix-support/cc-cflags-before
+    + lib.optionalString (!isClang && machineFlags != []) ''
+      printf "%s\n" ${lib.escapeShellArgs machineFlags} >> $out/nix-support/cc-cflags-before
     ''
 
-    # -mfloat-abi only matters on arm32 but we set it here
-    # unconditionally just in case. If the abi specifically sets hard
-    # vs. soft floats we use it here.
-    + optionalString (targetPlatform ? gcc.float-abi) ''
-      echo "-mfloat-abi=${targetPlatform.gcc.float-abi}" >> $out/nix-support/cc-cflags-before
-    ''
-    + optionalString (targetPlatform ? gcc.fpu) ''
-      echo "-mfpu=${targetPlatform.gcc.fpu}" >> $out/nix-support/cc-cflags-before
-    ''
-    + optionalString (targetPlatform ? gcc.mode) ''
-      echo "-mmode=${targetPlatform.gcc.mode}" >> $out/nix-support/cc-cflags-before
-    ''
-    + optionalString (targetPlatform ? gcc.thumb) ''
-      echo "-m${if targetPlatform.gcc.thumb then "thumb" else "arm"}" >> $out/nix-support/cc-cflags-before
-    ''
-    + (let tune = if targetPlatform ? gcc.tune
-                  then findBestTuneApproximation targetPlatform.gcc.tune
-                  else null;
-      in optionalString (tune != null) ''
-      echo "-mtune=${tune}" >> $out/nix-support/cc-cflags-before
-    '')
-
     # TODO: categorize these and figure out a better place for them
     + optionalString targetPlatform.isWindows ''
       hardening_unsupported_flags+=" pic"
@@ -718,9 +703,7 @@ stdenvNoCC.mkDerivation {
     ##
     + optionalString isClang ''
       # Escape twice: once for this script, once for the one it gets substituted into.
-      export march=${escapeShellArg
-        (optionalString (targetPlatform ? gcc.arch)
-          (escapeShellArg "-march=${targetPlatform.gcc.arch}"))}
+      export machineFlags=${escapeShellArg (escapeShellArgs machineFlags)}
       export defaultTarget=${targetPlatform.config}
       substituteAll ${./add-clang-cc-cflags-before.sh} $out/nix-support/add-local-cc-cflags-before.sh
     ''
diff --git a/pkgs/build-support/emacs/melpa.nix b/pkgs/build-support/emacs/melpa.nix
index c8f6567049180..29b3567ec6f40 100644
--- a/pkgs/build-support/emacs/melpa.nix
+++ b/pkgs/build-support/emacs/melpa.nix
@@ -38,6 +38,11 @@ in
     Default: pname
   */
 , ename ? pname
+  /*
+    version: Either a stable version such as "1.2" or an unstable version.
+    An unstable version can use either Nix format (preferred) such as
+    "1.2-unstable-2024-06-01" or MELPA format such as "20240601.1230".
+  */
 , version
   /*
     commit: Optional package history commit.
@@ -71,6 +76,19 @@ genericBuild ({
 
   inherit packageBuild commit ename recipe;
 
+  melpaVersion =
+    let
+      parsed = lib.flip builtins.match version
+        # match <version>-unstable-YYYY-MM-DD format
+        "^.*-unstable-([[:digit:]]{4})-([[:digit:]]{2})-([[:digit:]]{2})$";
+      unstableVersionInNixFormat = parsed != null; # heuristics
+      date = builtins.concatStringsSep "" parsed;
+      time = "0"; # unstable version in nix format lacks this info
+    in
+    if unstableVersionInNixFormat
+    then date + "." + time
+    else version;
+
   preUnpack = ''
     mkdir -p "$NIX_BUILD_TOP/recipes"
     if [ -n "$recipe" ]; then
@@ -96,7 +114,7 @@ genericBuild ({
         -L "$NIX_BUILD_TOP/package-build" \
         -l "$melpa2nix" \
         -f melpa2nix-build-package \
-        $ename $version $commit
+        $ename $melpaVersion $commit
 
     runHook postBuild
     '';
@@ -104,9 +122,9 @@ genericBuild ({
   installPhase = ''
     runHook preInstall
 
-    archive="$NIX_BUILD_TOP/packages/$ename-$version.el"
+    archive="$NIX_BUILD_TOP/packages/$ename-$melpaVersion.el"
     if [ ! -f "$archive" ]; then
-        archive="$NIX_BUILD_TOP/packages/$ename-$version.tar"
+        archive="$NIX_BUILD_TOP/packages/$ename-$melpaVersion.tar"
     fi
 
     emacs --batch -Q \
diff --git a/pkgs/build-support/go/module.nix b/pkgs/build-support/go/module.nix
index bc28fbf6fc420..a5e722b0ac08e 100644
--- a/pkgs/build-support/go/module.nix
+++ b/pkgs/build-support/go/module.nix
@@ -218,8 +218,7 @@ let
       buildGoDir() {
         local cmd="$1" dir="$2"
 
-        . $TMPDIR/buildFlagsArray
-
+        declare -ga buildFlagsArray
         declare -a flags
         flags+=($buildFlags "''${buildFlagsArray[@]}")
         flags+=(''${tags:+-tags=''${tags// /,}})
@@ -258,11 +257,6 @@ let
         buildFlagsArray+=(-x)
       fi
 
-      if [ ''${#buildFlagsArray[@]} -ne 0 ]; then
-        declare -p buildFlagsArray > $TMPDIR/buildFlagsArray
-      else
-        touch $TMPDIR/buildFlagsArray
-      fi
       if [ -z "$enableParallelBuilding" ]; then
           export NIX_BUILD_CORES=1
       fi
diff --git a/pkgs/build-support/rust/hooks/maturin-build-hook.sh b/pkgs/build-support/rust/hooks/maturin-build-hook.sh
index b3cc1ced79647..c1e701425f00d 100644
--- a/pkgs/build-support/rust/hooks/maturin-build-hook.sh
+++ b/pkgs/build-support/rust/hooks/maturin-build-hook.sh
@@ -3,6 +3,9 @@ maturinBuildHook() {
 
     runHook preBuild
 
+    # Put the wheel to dist/ so that regular Python tooling can find it.
+    local dist="$PWD/dist"
+
     if [ ! -z "${buildAndTestSubdir-}" ]; then
         pushd "${buildAndTestSubdir}"
     fi
@@ -16,6 +19,7 @@ maturinBuildHook() {
         --manylinux off \
         --strip \
         --release \
+        --out "$dist" \
         ${maturinBuildFlags-}
     )
 
@@ -23,10 +27,6 @@ maturinBuildHook() {
         popd
     fi
 
-    # Move the wheel to dist/ so that regular Python tooling can find it.
-    mkdir -p dist
-    mv ${cargoRoot:+$cargoRoot/}target/wheels/*.whl dist/
-
     # These are python build hooks and may depend on ./dist
     runHook postBuild
 
diff --git a/pkgs/build-support/setup-hooks/fix-darwin-dylib-names.sh b/pkgs/build-support/setup-hooks/fix-darwin-dylib-names.sh
index e103fe77d9be7..0b03460eacb65 100644
--- a/pkgs/build-support/setup-hooks/fix-darwin-dylib-names.sh
+++ b/pkgs/build-support/setup-hooks/fix-darwin-dylib-names.sh
@@ -23,10 +23,13 @@ fixDarwinDylibNames() {
     for fn in "$@"; do
         if [ -L "$fn" ]; then continue; fi
         echo "$fn: fixing dylib"
+        set +e
         int_out=$(@targetPrefix@install_name_tool -id "$fn" "${flags[@]}" "$fn" 2>&1)
         result=$?
+        set -e
         if [ "$result" -ne 0 ] &&
-            ! grep "shared library stub file and can't be changed" <<< "$out"
+            ! grep -q -e "shared library stub file and can't be changed" \
+                      -e "is not a Mach-O file" <<< "$int_out"
         then
             echo "$int_out" >&2
             exit "$result"
diff --git a/pkgs/build-support/setup-hooks/install-shell-files.sh b/pkgs/build-support/setup-hooks/install-shell-files.sh
index 194b408b10501..4f4e215da4df2 100644
--- a/pkgs/build-support/setup-hooks/install-shell-files.sh
+++ b/pkgs/build-support/setup-hooks/install-shell-files.sh
@@ -219,6 +219,11 @@ installShellCompletion() {
         else
             install -Dm644 -T "$arg" "$outPath"
         fi || return
+
+        if [ ! -s "$outPath" ]; then
+            echo "installShellCompletion: error: installed shell completion file \`$outPath' does not exist or has zero size" >&2
+            return 1
+        fi
         # Clear the per-path flags
         name=
     done