about summary refs log tree commit diff
path: root/pkgs
diff options
context:
space:
mode:
Diffstat (limited to 'pkgs')
-rw-r--r--pkgs/applications/audio/cozy/default.nix8
-rw-r--r--pkgs/applications/blockchains/clightning/default.nix8
-rw-r--r--pkgs/applications/emulators/citra/default.nix45
-rw-r--r--pkgs/applications/emulators/citra/generic.nix149
-rwxr-xr-xpkgs/applications/emulators/citra/update.sh84
-rw-r--r--pkgs/applications/emulators/yuzu/compat-list.nix18
-rw-r--r--pkgs/applications/emulators/yuzu/default.nix12
-rw-r--r--pkgs/applications/emulators/yuzu/early-access/default.nix37
-rw-r--r--pkgs/applications/emulators/yuzu/early-access/sources.nix7
-rwxr-xr-xpkgs/applications/emulators/yuzu/early-access/update.sh44
-rw-r--r--pkgs/applications/emulators/yuzu/mainline.nix191
-rw-r--r--pkgs/applications/emulators/yuzu/nx_tzdb.nix20
-rwxr-xr-xpkgs/applications/emulators/yuzu/update.sh7
-rw-r--r--pkgs/applications/misc/jetbrains-toolbox/default.nix4
-rw-r--r--pkgs/applications/misc/mediainfo/default.nix4
-rw-r--r--pkgs/applications/networking/cluster/popeye/default.nix11
-rw-r--r--pkgs/build-support/dotnet/build-dotnet-module/default.nix1
-rw-r--r--pkgs/build-support/dotnet/make-nuget-deps/default.nix2
-rwxr-xr-xpkgs/build-support/dotnet/nuget-to-nix/nuget-to-nix.sh17
-rw-r--r--pkgs/build-support/php/hooks/composer-install-hook.sh47
-rw-r--r--pkgs/build-support/php/hooks/composer-repository-hook.sh23
-rw-r--r--pkgs/build-support/php/hooks/php-script-utils.bash24
-rw-r--r--pkgs/build-support/php/pkgs/composer-local-repo-plugin.nix4
-rw-r--r--pkgs/by-name/au/audiness/package.nix4
-rw-r--r--pkgs/by-name/ls/lsd2dsl/package.nix (renamed from pkgs/applications/misc/lsd2dsl/default.nix)37
-rw-r--r--pkgs/by-name/nh/nh/package.nix6
-rw-r--r--pkgs/development/compilers/dotnet/8/default.nix9
-rw-r--r--pkgs/development/compilers/dotnet/8/deps.nix10
-rw-r--r--pkgs/development/compilers/dotnet/8/release-info.json5
-rw-r--r--pkgs/development/compilers/dotnet/8/release.json9
-rw-r--r--pkgs/development/compilers/dotnet/build-dotnet.nix66
-rw-r--r--pkgs/development/compilers/dotnet/combine-deps.nix40
-rw-r--r--pkgs/development/compilers/dotnet/common.nix63
-rw-r--r--pkgs/development/compilers/dotnet/default.nix5
-rw-r--r--pkgs/development/compilers/dotnet/dotnet.nix50
-rw-r--r--pkgs/development/compilers/dotnet/fix-aspnetcore-portable-build.patch25
-rw-r--r--pkgs/development/compilers/dotnet/fix-tmp-path.patch27
-rw-r--r--pkgs/development/compilers/dotnet/packages.nix99
-rw-r--r--pkgs/development/compilers/dotnet/patch-nupkgs.nix62
-rw-r--r--pkgs/development/compilers/dotnet/patch-restored-packages.proj8
-rw-r--r--pkgs/development/compilers/dotnet/record-downloaded-packages.patch42
-rw-r--r--pkgs/development/compilers/dotnet/record-downloaded-packages.proj13
-rw-r--r--pkgs/development/compilers/dotnet/sign-apphost.nix10
-rw-r--r--pkgs/development/compilers/dotnet/sign-apphost.proj11
-rw-r--r--pkgs/development/compilers/dotnet/sigtool.nix27
-rw-r--r--pkgs/development/compilers/dotnet/stage0.nix126
-rw-r--r--pkgs/development/compilers/dotnet/stage1.nix27
-rw-r--r--pkgs/development/compilers/dotnet/stop-passing-bare-sdk-arg-to-swiftc.patch31
-rw-r--r--pkgs/development/compilers/dotnet/update.nix123
-rwxr-xr-xpkgs/development/compilers/dotnet/update.sh18
-rw-r--r--pkgs/development/compilers/dotnet/versions/8.0.102.nix179
-rw-r--r--pkgs/development/compilers/dotnet/vmr.nix332
-rw-r--r--pkgs/development/compilers/qbe/001-dont-hardcode-tmp.patch43
-rw-r--r--pkgs/development/compilers/qbe/default.nix8
-rw-r--r--pkgs/development/libraries/libmediainfo/default.nix4
-rw-r--r--pkgs/development/libraries/rapidfuzz-cpp/default.nix10
-rw-r--r--pkgs/development/php-packages/composer/default.nix33
-rw-r--r--pkgs/development/python-modules/asyncua/default.nix4
-rw-r--r--pkgs/development/python-modules/django-storages/default.nix48
-rw-r--r--pkgs/development/python-modules/environs/default.nix8
-rw-r--r--pkgs/development/python-modules/flask-marshmallow/default.nix25
-rw-r--r--pkgs/development/python-modules/google-cloud-bigquery/default.nix4
-rw-r--r--pkgs/development/python-modules/google-cloud-securitycenter/default.nix4
-rw-r--r--pkgs/development/python-modules/google-cloud-storage/default.nix5
-rw-r--r--pkgs/development/python-modules/marshmallow-oneofschema/default.nix21
-rw-r--r--pkgs/development/python-modules/marshmallow/default.nix10
-rw-r--r--pkgs/development/python-modules/oauthenticator/default.nix20
-rw-r--r--pkgs/development/python-modules/pykeepass/default.nix47
-rw-r--r--pkgs/development/tools/ruff/default.nix6
-rw-r--r--pkgs/development/tools/taplo/default.nix18
-rw-r--r--pkgs/games/katago/default.nix27
-rw-r--r--pkgs/os-specific/darwin/bartender/default.nix20
-rw-r--r--pkgs/os-specific/linux/wpa_supplicant/default.nix1
-rw-r--r--pkgs/servers/etebase/default.nix46
-rw-r--r--pkgs/servers/home-assistant/custom-components/better_thermostat/default.nix24
-rw-r--r--pkgs/servers/home-assistant/custom-components/default.nix2
-rw-r--r--pkgs/servers/web-apps/pict-rs/default.nix6
-rw-r--r--pkgs/tools/package-management/dnf5/default.nix4
-rw-r--r--pkgs/top-level/aliases.nix13
-rw-r--r--pkgs/top-level/all-packages.nix13
80 files changed, 1755 insertions, 950 deletions
diff --git a/pkgs/applications/audio/cozy/default.nix b/pkgs/applications/audio/cozy/default.nix
index 8f7461683be17..e07217567d340 100644
--- a/pkgs/applications/audio/cozy/default.nix
+++ b/pkgs/applications/audio/cozy/default.nix
@@ -8,7 +8,7 @@
 , gtk3
 , gst_all_1
 , gobject-introspection
-, libhandy
+, libadwaita
 , libdazzle
 , python3Packages
 , cairo
@@ -22,13 +22,13 @@ python3Packages.buildPythonApplication rec {
   format = "other"; # no setup.py
 
   pname = "cozy";
-  version = "1.2.1";
+  version = "1.3.0";
 
   src = fetchFromGitHub {
     owner = "geigi";
     repo = pname;
     rev = version;
-    hash = "sha256-cRqfLFLvje8lxUZ4S83UAFyYUX0vj1ZgLG0Y6gpCfmI=";
+    hash = "sha256-oMgdz2dny0u1XV13aHu5s8/pcAz8z/SAOf4hbCDsdjw";
   };
 
   nativeBuildInputs = [
@@ -44,8 +44,8 @@ python3Packages.buildPythonApplication rec {
     cairo
     gettext
     gnome.adwaita-icon-theme
+    libadwaita
     libdazzle
-    libhandy
     pantheon.granite
   ] ++ (with gst_all_1; [
     gstreamer
diff --git a/pkgs/applications/blockchains/clightning/default.nix b/pkgs/applications/blockchains/clightning/default.nix
index 823c0a158d6da..2e3ec0e3143af 100644
--- a/pkgs/applications/blockchains/clightning/default.nix
+++ b/pkgs/applications/blockchains/clightning/default.nix
@@ -44,8 +44,7 @@ stdenv.mkDerivation rec {
       tools/generate-wire.py \
       tools/update-mocks.sh \
       tools/mockup.sh \
-      devtools/sql-rewrite.py \
-      plugins/clnrest/clnrest.py
+      devtools/sql-rewrite.py
   '' else ''
     substituteInPlace external/libwally-core/tools/autogen.sh --replace gsed sed && \
     substituteInPlace external/libwally-core/configure.ac --replace gsed sed
@@ -62,6 +61,11 @@ stdenv.mkDerivation rec {
   #                 char buf[CMSG_SPACE(sizeof(fd))];
   env.NIX_CFLAGS_COMPILE = lib.optionalString (stdenv.isDarwin && stdenv.isx86_64) "-Wno-error=gnu-folding-constant";
 
+  # The `clnrest` plugin requires a Python environment to run
+  postInstall = ''
+    rm -r $out/libexec/c-lightning/plugins/clnrest
+  '';
+
   meta = with lib; {
     description = "A Bitcoin Lightning Network implementation in C";
     longDescription = ''
diff --git a/pkgs/applications/emulators/citra/default.nix b/pkgs/applications/emulators/citra/default.nix
deleted file mode 100644
index a4e4578632aef..0000000000000
--- a/pkgs/applications/emulators/citra/default.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{ branch
-, qt6Packages
-, fetchFromGitHub
-, fetchurl
-}:
-
-let
-  # Fetched from https://api.citra-emu.org/gamedb
-  # Please make sure to update this when updating citra!
-  compat-list = fetchurl {
-    name = "citra-compat-list";
-    url = "https://web.archive.org/web/20231111133415/https://api.citra-emu.org/gamedb";
-    hash = "sha256-J+zqtWde5NgK2QROvGewtXGRAWUTNSKHNMG6iu9m1fU=";
-  };
-in {
-  nightly = qt6Packages.callPackage ./generic.nix rec {
-    pname = "citra-nightly";
-    version = "2088";
-
-    src = fetchFromGitHub {
-      owner = "citra-emu";
-      repo = "citra-nightly";
-      rev = "nightly-${version}";
-      sha256 = "0l9w4i0zbafcv2s6pd1zqb11vh0i7gzwbqnzlz9al6ihwbsgbj3k";
-      fetchSubmodules = true;
-    };
-
-    inherit branch compat-list;
-  };
-
-  canary = qt6Packages.callPackage ./generic.nix rec {
-    pname = "citra-canary";
-    version = "2766";
-
-    src = fetchFromGitHub {
-      owner = "citra-emu";
-      repo = "citra-canary";
-      rev = "canary-${version}";
-      sha256 = "1gm3ajphpzwhm3qnchsx77jyl51za8yw3r0j0h8idf9y1ilcjvi4";
-      fetchSubmodules = true;
-    };
-
-    inherit branch compat-list;
-  };
-}.${branch}
diff --git a/pkgs/applications/emulators/citra/generic.nix b/pkgs/applications/emulators/citra/generic.nix
deleted file mode 100644
index d247a181e07cb..0000000000000
--- a/pkgs/applications/emulators/citra/generic.nix
+++ /dev/null
@@ -1,149 +0,0 @@
-{ pname
-, version
-, src
-, branch
-, compat-list
-
-, lib
-, stdenv
-, cmake
-, boost
-, pkg-config
-, catch2_3
-, cpp-jwt
-, cryptopp
-, enet
-, ffmpeg
-, fmt
-, gamemode
-, glslang
-, httplib
-, inih
-, libusb1
-, nlohmann_json
-, openal
-, openssl
-, SDL2
-, soundtouch
-, spirv-tools
-, zstd
-, vulkan-headers
-, vulkan-loader
-, enableSdl2Frontend ? true
-, enableQt ? true, qtbase, qtmultimedia, qtwayland, wrapQtAppsHook
-, enableQtTranslation ? enableQt, qttools
-, enableWebService ? true
-, enableCubeb ? true, cubeb
-, useDiscordRichPresence ? false, rapidjson
-}:
-stdenv.mkDerivation {
-  inherit pname version src;
-
-  nativeBuildInputs = [
-    cmake
-    pkg-config
-    ffmpeg
-    glslang
-  ] ++ lib.optionals enableQt [ wrapQtAppsHook ];
-
-  buildInputs = [
-    boost
-    catch2_3
-    cpp-jwt
-    cryptopp
-    # intentionally omitted: dynarmic - prefer vendored version for compatibility
-    enet
-    fmt
-    httplib
-    inih
-    libusb1
-    nlohmann_json
-    openal
-    openssl
-    SDL2
-    soundtouch
-    spirv-tools
-    vulkan-headers
-    # intentionally omitted: xbyak - prefer vendored version for compatibility
-    zstd
-  ] ++ lib.optionals enableQt [ qtbase qtmultimedia qtwayland ]
-    ++ lib.optional enableQtTranslation qttools
-    ++ lib.optional enableCubeb cubeb
-    ++ lib.optional useDiscordRichPresence rapidjson;
-
-  cmakeFlags = [
-    (lib.cmakeBool "USE_SYSTEM_LIBS" true)
-
-    (lib.cmakeBool "DISABLE_SYSTEM_DYNARMIC" true)
-    (lib.cmakeBool "DISABLE_SYSTEM_GLSLANG" true) # The following imported targets are referenced, but are missing: SPIRV-Tools-opt
-    (lib.cmakeBool "DISABLE_SYSTEM_LODEPNG" true) # Not packaged in nixpkgs
-    (lib.cmakeBool "DISABLE_SYSTEM_VMA" true)
-    (lib.cmakeBool "DISABLE_SYSTEM_XBYAK" true)
-
-    # We don't want to bother upstream with potentially outdated compat reports
-    (lib.cmakeBool "CITRA_ENABLE_COMPATIBILITY_REPORTING" true)
-    (lib.cmakeBool "ENABLE_COMPATIBILITY_LIST_DOWNLOAD" false) # We provide this deterministically
-
-    (lib.cmakeBool "ENABLE_SDL2_FRONTEND" enableSdl2Frontend)
-    (lib.cmakeBool "ENABLE_QT" enableQt)
-    (lib.cmakeBool "ENABLE_QT_TRANSLATION" enableQtTranslation)
-    (lib.cmakeBool "ENABLE_WEB_SERVICE" enableWebService)
-    (lib.cmakeBool "ENABLE_CUBEB" enableCubeb)
-    (lib.cmakeBool "USE_DISCORD_PRESENCE" useDiscordRichPresence)
-  ];
-
-  # causes redefinition of _FORTIFY_SOURCE
-  hardeningDisable = [ "fortify3" ];
-
-  postPatch = let
-    branchCaptialized = (lib.toUpper (lib.substring 0 1 branch) + lib.substring 1 (-1) branch);
-  in ''
-    # Fix file not found when looking in var/empty instead of opt
-    mkdir externals/dynarmic/src/dynarmic/ir/var
-    ln -s ../opt externals/dynarmic/src/dynarmic/ir/var/empty
-
-    # Prep compatibilitylist
-    ln -s ${compat-list} ./dist/compatibility_list/compatibility_list.json
-
-    # We already know the submodules are present
-    substituteInPlace CMakeLists.txt \
-      --replace "check_submodules_present()" ""
-
-    # Add versions
-    echo 'set(BUILD_FULLNAME "${branchCaptialized} ${version}")' >> CMakeModules/GenerateBuildInfo.cmake
-
-    # Add gamemode
-    substituteInPlace externals/gamemode/include/gamemode_client.h --replace "libgamemode.so.0" "${lib.getLib gamemode}/lib/libgamemode.so.0"
-  '';
-
-  postInstall = let
-    libs = lib.makeLibraryPath [ vulkan-loader ];
-  in lib.optionalString enableSdl2Frontend ''
-    wrapProgram "$out/bin/citra" \
-      --prefix LD_LIBRARY_PATH : ${libs}
-  '' + lib.optionalString enableQt ''
-    qtWrapperArgs+=(
-      --prefix LD_LIBRARY_PATH : ${libs}
-    )
-  '';
-
-  meta = with lib; {
-    broken = (stdenv.isLinux && stdenv.isAarch64);
-    homepage = "https://citra-emu.org";
-    description = "The ${branch} branch of an open-source emulator for the Nintendo 3DS";
-    longDescription = ''
-      A Nintendo 3DS Emulator written in C++
-      Using the nightly branch is recommended for general usage.
-      Using the canary branch is recommended if you would like to try out
-      experimental features, with a cost of stability.
-    '';
-    mainProgram = if enableQt then "citra-qt" else "citra";
-    platforms = platforms.linux;
-    license = licenses.gpl2Plus;
-    maintainers = with maintainers; [
-      abbradar
-      ashley
-      ivar
-    ];
-  };
-}
diff --git a/pkgs/applications/emulators/citra/update.sh b/pkgs/applications/emulators/citra/update.sh
deleted file mode 100755
index e76121dac6ee4..0000000000000
--- a/pkgs/applications/emulators/citra/update.sh
+++ /dev/null
@@ -1,84 +0,0 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i bash -p nix nix-prefetch-git coreutils curl jq gnused
-
-set -euo pipefail
-
-# Will be replaced with the actual branch when running this from passthru.updateScript
-BRANCH="@branch@"
-
-if [[ ! "$(basename $PWD)" = "citra" ]]; then
-    echo "error: Script must be ran from citra's directory!"
-    exit 1
-fi
-
-getLocalVersion() {
-    pushd ../../../.. >/dev/null
-    nix eval --raw -f default.nix "$1".version
-    popd >/dev/null
-}
-
-getLocalHash() {
-    pushd ../../../.. >/dev/null
-    nix eval --raw -f default.nix "$1".src.drvAttrs.outputHash
-    popd >/dev/null
-}
-
-updateNightly() {
-    OLD_NIGHTLY_VERSION="$(getLocalVersion "citra-nightly")"
-    OLD_NIGHTLY_HASH="$(getLocalHash "citra-nightly")"
-
-    NEW_NIGHTLY_VERSION="$(curl -s ${GITHUB_TOKEN:+-u ":$GITHUB_TOKEN"} \
-        "https://api.github.com/repos/citra-emu/citra-nightly/releases?per_page=1" | jq -r '.[0].name' | cut -d"-" -f2 | cut -d" " -f2)"
-
-    if [[ "${OLD_NIGHTLY_VERSION}" = "${NEW_NIGHTLY_VERSION}" ]]; then
-        echo "citra-nightly is already up to date!"
-
-        [ "$KEEP_GOING" ] && return || exit
-    else
-        echo "citra-nightly: ${OLD_NIGHTLY_VERSION} -> ${NEW_NIGHTLY_VERSION}"
-    fi
-
-    echo "  Fetching source code..."
-
-    NEW_NIGHTLY_HASH="$(nix-prefetch-git --quiet --fetch-submodules --rev "nightly-${NEW_NIGHTLY_VERSION}" "https://github.com/citra-emu/citra-nightly" | jq -r '.sha256')"
-
-    echo "  Successfully fetched. hash: ${NEW_NIGHTLY_HASH}"
-
-    sed -i "s|${OLD_NIGHTLY_VERSION}|${NEW_NIGHTLY_VERSION}|" ./default.nix
-    sed -i "s|${OLD_NIGHTLY_HASH}|${NEW_NIGHTLY_HASH}|" ./default.nix
-}
-
-updateCanary() {
-    OLD_CANARY_VERSION="$(getLocalVersion "citra-canary")"
-    OLD_CANARY_HASH="$(getLocalHash "citra-canary")"
-
-    NEW_CANARY_VERSION="$(curl -s ${GITHUB_TOKEN:+-u ":$GITHUB_TOKEN"} \
-        "https://api.github.com/repos/citra-emu/citra-canary/releases?per_page=1" | jq -r '.[0].name' | cut -d"-" -f2 | cut -d" " -f1)"
-
-    if [[ "${OLD_CANARY_VERSION}" = "${NEW_CANARY_VERSION}" ]]; then
-        echo "citra-canary is already up to date!"
-
-        [ "$KEEP_GOING" ] && return || exit
-    else
-        echo "citra-canary: ${OLD_CANARY_VERSION} -> ${NEW_CANARY_VERSION}"
-    fi
-
-    echo "  Fetching source code..."
-
-    NEW_CANARY_HASH="$(nix-prefetch-git --quiet --fetch-submodules --rev "canary-${NEW_CANARY_VERSION}" "https://github.com/citra-emu/citra-canary" | jq -r '.sha256')"
-
-    echo "  Successfully fetched. hash: ${NEW_CANARY_HASH}"
-
-    sed -i "s|${OLD_CANARY_VERSION}|${NEW_CANARY_VERSION}|" ./default.nix
-    sed -i "s|${OLD_CANARY_HASH}|${NEW_CANARY_HASH}|" ./default.nix
-}
-
-if [[ "$BRANCH" = "nightly" ]]; then
-    updateNightly
-elif [[ "$BRANCH" = "early-access" ]]; then
-    updateCanary
-else
-    KEEP_GOING=1
-    updateNightly
-    updateCanary
-fi
diff --git a/pkgs/applications/emulators/yuzu/compat-list.nix b/pkgs/applications/emulators/yuzu/compat-list.nix
deleted file mode 100644
index 79b56948aeab0..0000000000000
--- a/pkgs/applications/emulators/yuzu/compat-list.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ stdenv, fetchFromGitHub, unstableGitUpdater }:
-stdenv.mkDerivation {
-  pname = "yuzu-compatibility-list";
-  version = "unstable-2024-02-26";
-
-  src = fetchFromGitHub {
-    owner = "flathub";
-    repo = "org.yuzu_emu.yuzu";
-    rev = "9c2032a3c7e64772a8112b77ed8b660242172068";
-    hash = "sha256-ITh/W4vfC9w9t+TJnPeTZwWifnhTNKX54JSSdpgaoBk=";
-  };
-
-  buildCommand = ''
-    cp $src/compatibility_list.json $out
-  '';
-
-  passthru.updateScript = unstableGitUpdater {};
-}
diff --git a/pkgs/applications/emulators/yuzu/default.nix b/pkgs/applications/emulators/yuzu/default.nix
deleted file mode 100644
index 6852da378650f..0000000000000
--- a/pkgs/applications/emulators/yuzu/default.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ qt6Packages, makeScopeWithSplicing', generateSplicesForMkScope }:
-
-makeScopeWithSplicing' {
-  otherSplices = generateSplicesForMkScope "yuzuPackages";
-  f = self: qt6Packages // {
-    compat-list = self.callPackage ./compat-list.nix {};
-    nx_tzdb = self.callPackage ./nx_tzdb.nix {};
-
-    mainline = self.callPackage ./mainline.nix {};
-    early-access = self.callPackage ./early-access {};
-  };
-}
diff --git a/pkgs/applications/emulators/yuzu/early-access/default.nix b/pkgs/applications/emulators/yuzu/early-access/default.nix
deleted file mode 100644
index f2ad5197d0bba..0000000000000
--- a/pkgs/applications/emulators/yuzu/early-access/default.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ mainline, fetchzip, fetchgit, runCommand, gnutar }:
-# The mirror repo for early access builds is missing submodule info,
-# but the Windows distributions include a source tarball, which in turn
-# includes the full git metadata. So, grab that and rehydrate it.
-# This has the unfortunate side effect of requiring two FODs, one
-# for the Windows download and one for the full repo with submodules.
-let
-  sources = import ./sources.nix;
-
-  zip = fetchzip {
-    name = "yuzu-ea-windows-dist";
-    url = "https://github.com/pineappleEA/pineapple-src/releases/download/EA-${sources.version}/Windows-Yuzu-EA-${sources.version}.zip";
-    hash = sources.distHash;
-  };
-
-  gitSrc = runCommand "yuzu-ea-dist-unpacked" {
-    src = zip;
-    nativeBuildInputs = [ gnutar ];
-  }
-  ''
-    mkdir $out
-    tar xf $src/*.tar.xz --directory=$out --strip-components=1
-  '';
-
-  rehydratedSrc = fetchgit {
-    name = "yuzu-ea-rehydrated";
-    url = gitSrc;
-    fetchSubmodules = true;
-    hash = sources.fullHash;
-  };
-in mainline.overrideAttrs(old: {
-  pname = "yuzu-early-access";
-  version = sources.version;
-  src = rehydratedSrc;
-  passthru.updateScript = ./update.sh;
-  meta = old.meta // { description = old.meta.description + " - early access branch"; };
-})
diff --git a/pkgs/applications/emulators/yuzu/early-access/sources.nix b/pkgs/applications/emulators/yuzu/early-access/sources.nix
deleted file mode 100644
index c7653444a2e51..0000000000000
--- a/pkgs/applications/emulators/yuzu/early-access/sources.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-# Generated by ./update.sh - do not update manually!
-# Last updated: 2024-02-27
-{
-  version = "4174";
-  distHash = "sha256:1hzwfsm4m2q29a2ihipk0ij0qakn4730283d6gwbrgr8lzmj8q49";
-  fullHash = "sha256:1ayn7y595iz4smbxq10jjgip04ss35v4vrn8pa1mpnrmyikv79l9";
-}
diff --git a/pkgs/applications/emulators/yuzu/early-access/update.sh b/pkgs/applications/emulators/yuzu/early-access/update.sh
deleted file mode 100755
index f7ea2ca34a412..0000000000000
--- a/pkgs/applications/emulators/yuzu/early-access/update.sh
+++ /dev/null
@@ -1,44 +0,0 @@
-#! /usr/bin/env nix-shell
-#! nix-shell -i bash -p nix nix-prefetch-git gnutar curl jq unzip
-
-set -euo pipefail
-
-cd "$(dirname "$(readlink -f "$0")")"
-
-log() {
-    tput bold
-    echo "#" "$@"
-    tput sgr0
-}
-
-oldVersion="$(nix --experimental-features nix-command eval -f sources.nix --raw version)"
-newVersion="$(curl "https://api.github.com/repos/pineappleEA/pineapple-src/releases?per_page=1" | jq -r '.[0].tag_name' | cut -d"-" -f2)"
-
-if [ "$oldVersion" == "$newVersion" ]; then
-    log "Already up to date"
-    exit 0
-fi
-
-fetched="$(nix-prefetch-url --unpack --print-path "https://github.com/pineappleEA/pineapple-src/releases/download/EA-${newVersion}/Windows-Yuzu-EA-${newVersion}.zip")"
-
-eaDistHash="$(echo "${fetched}" | head -n1)"
-eaDist="$(echo "${fetched}" | tail -n1)"
-
-eaDistUnpacked="$(mktemp -d)"
-trap 'rm -rf "$eaDistUnpacked"' EXIT
-
-log "Unpacking dist..."
-tar xf "$eaDist"/*.tar.xz --directory="$eaDistUnpacked" --strip-components=1
-
-log "Rehydrating..."
-eaFullHash="$(nix-prefetch-git --fetch-submodules --quiet "$eaDistUnpacked" | jq -r '.sha256')"
-
-cat >sources.nix <<EOF
-# Generated by ./update.sh - do not update manually!
-# Last updated: $(date +%F)
-{
-  version = "$newVersion";
-  distHash = "sha256:$eaDistHash";
-  fullHash = "sha256:$eaFullHash";
-}
-EOF
diff --git a/pkgs/applications/emulators/yuzu/mainline.nix b/pkgs/applications/emulators/yuzu/mainline.nix
deleted file mode 100644
index 2f735cac07827..0000000000000
--- a/pkgs/applications/emulators/yuzu/mainline.nix
+++ /dev/null
@@ -1,191 +0,0 @@
-{ lib
-, stdenv
-, fetchFromGitHub
-, nix-update-script
-, wrapQtAppsHook
-, autoconf
-, boost
-, catch2_3
-, cmake
-, compat-list
-, cpp-jwt
-, cubeb
-, discord-rpc
-, enet
-, fmt
-, glslang
-, libopus
-, libusb1
-, libva
-, lz4
-, nlohmann_json
-, nv-codec-headers-12
-, nx_tzdb
-, pkg-config
-, qtbase
-, qtmultimedia
-, qttools
-, qtwayland
-, qtwebengine
-, SDL2
-, vulkan-headers
-, vulkan-loader
-, yasm
-, zlib
-, zstd
-}:
-stdenv.mkDerivation(finalAttrs: {
-  pname = "yuzu";
-  version = "1727";
-
-  src = fetchFromGitHub {
-    owner = "yuzu-emu";
-    repo = "yuzu-mainline";
-    rev = "mainline-0-${finalAttrs.version}";
-    hash = "sha256-DKIVXy3OGUfdw/mZtPzom40KU51CvXaV+KqRjQseDyk=";
-    fetchSubmodules = true;
-  };
-
-  nativeBuildInputs = [
-    cmake
-    glslang
-    pkg-config
-    qttools
-    wrapQtAppsHook
-  ];
-
-  buildInputs = [
-    # vulkan-headers must come first, so the older propagated versions
-    # don't get picked up by accident
-    vulkan-headers
-
-    boost
-    catch2_3
-    cpp-jwt
-    cubeb
-    discord-rpc
-    # intentionally omitted: dynarmic - prefer vendored version for compatibility
-    enet
-
-    # vendored ffmpeg deps
-    autoconf
-    yasm
-    libva  # for accelerated video decode on non-nvidia
-    nv-codec-headers-12  # for accelerated video decode on nvidia
-    # end vendored ffmpeg deps
-
-    fmt
-    # intentionally omitted: gamemode - loaded dynamically at runtime
-    # intentionally omitted: httplib - upstream requires an older version than what we have
-    libopus
-    libusb1
-    # intentionally omitted: LLVM - heavy, only used for stack traces in the debugger
-    lz4
-    nlohmann_json
-    qtbase
-    qtmultimedia
-    qtwayland
-    qtwebengine
-    # intentionally omitted: renderdoc - heavy, developer only
-    SDL2
-    # not packaged in nixpkgs: simpleini
-    # intentionally omitted: stb - header only libraries, vendor uses git snapshot
-    # not packaged in nixpkgs: vulkan-memory-allocator
-    # intentionally omitted: xbyak - prefer vendored version for compatibility
-    zlib
-    zstd
-  ];
-
-  # This changes `ir/opt` to `ir/var/empty` in `externals/dynarmic/src/dynarmic/CMakeLists.txt`
-  # making the build fail, as that path does not exist
-  dontFixCmake = true;
-
-  cmakeFlags = [
-    # actually has a noticeable performance impact
-    "-DYUZU_ENABLE_LTO=ON"
-
-    # build with qt6
-    "-DENABLE_QT6=ON"
-    "-DENABLE_QT_TRANSLATION=ON"
-
-    # use system libraries
-    # NB: "external" here means "from the externals/ directory in the source",
-    # so "off" means "use system"
-    "-DYUZU_USE_EXTERNAL_SDL2=OFF"
-    "-DYUZU_USE_EXTERNAL_VULKAN_HEADERS=OFF"
-
-    # don't use system ffmpeg, yuzu uses internal APIs
-    "-DYUZU_USE_BUNDLED_FFMPEG=ON"
-
-    # don't check for missing submodules
-    "-DYUZU_CHECK_SUBMODULES=OFF"
-
-    # enable some optional features
-    "-DYUZU_USE_QT_WEB_ENGINE=ON"
-    "-DYUZU_USE_QT_MULTIMEDIA=ON"
-    "-DUSE_DISCORD_PRESENCE=ON"
-
-    # We dont want to bother upstream with potentially outdated compat reports
-    "-DYUZU_ENABLE_COMPATIBILITY_REPORTING=OFF"
-    "-DENABLE_COMPATIBILITY_LIST_DOWNLOAD=OFF" # We provide this deterministically
-  ];
-
-  # Does some handrolled SIMD
-  env.NIX_CFLAGS_COMPILE = lib.optionalString stdenv.hostPlatform.isx86_64 "-msse4.1";
-
-  # Fixes vulkan detection.
-  # FIXME: patchelf --add-rpath corrupts the binary for some reason, investigate
-  qtWrapperArgs = [
-    "--prefix LD_LIBRARY_PATH : ${vulkan-loader}/lib"
-  ];
-
-  preConfigure = ''
-    # see https://github.com/NixOS/nixpkgs/issues/114044, setting this through cmakeFlags does not work.
-    cmakeFlagsArray+=(
-      "-DTITLE_BAR_FORMAT_IDLE=${finalAttrs.pname} | ${finalAttrs.version} (nixpkgs) {}"
-      "-DTITLE_BAR_FORMAT_RUNNING=${finalAttrs.pname} | ${finalAttrs.version} (nixpkgs) | {}"
-    )
-
-    # provide pre-downloaded tz data
-    mkdir -p build/externals/nx_tzdb
-    ln -s ${nx_tzdb} build/externals/nx_tzdb/nx_tzdb
-  '';
-
-  # This must be done after cmake finishes as it overwrites the file
-  postConfigure = ''
-    ln -sf ${compat-list} ./dist/compatibility_list/compatibility_list.json
-  '';
-
-  postInstall = ''
-    install -Dm444 $src/dist/72-yuzu-input.rules $out/lib/udev/rules.d/72-yuzu-input.rules
-  '';
-
-  passthru.updateScript = nix-update-script {
-    extraArgs = [ "--version-regex" "mainline-0-(.*)" ];
-  };
-
-  meta = with lib; {
-    homepage = "https://yuzu-emu.org";
-    changelog = "https://yuzu-emu.org/entry";
-    description = "An experimental Nintendo Switch emulator written in C++";
-    longDescription = ''
-      An experimental Nintendo Switch emulator written in C++.
-      Using the mainline branch is recommended for general usage.
-      Using the early-access branch is recommended if you would like to try out experimental features, with a cost of stability.
-    '';
-    mainProgram = "yuzu";
-    platforms = [ "aarch64-linux" "x86_64-linux" ];
-    license = with licenses; [
-      gpl3Plus
-      # Icons
-      asl20 mit cc0
-    ];
-    maintainers = with maintainers; [
-      ashley
-      ivar
-      joshuafern
-      sbruder
-      k900
-    ];
-  };
-})
diff --git a/pkgs/applications/emulators/yuzu/nx_tzdb.nix b/pkgs/applications/emulators/yuzu/nx_tzdb.nix
deleted file mode 100644
index de847e2b0c782..0000000000000
--- a/pkgs/applications/emulators/yuzu/nx_tzdb.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ stdenv, fetchurl, unzip, gitUpdater }:
-stdenv.mkDerivation rec {
-  pname = "nx_tzdb";
-  version = "221202";
-
-  src = fetchurl {
-    url = "https://github.com/lat9nq/tzdb_to_nx/releases/download/${version}/${version}.zip";
-    hash = "sha256-mRzW+iIwrU1zsxHmf+0RArU8BShAoEMvCz+McXFFK3c=";
-  };
-
-  nativeBuildInputs = [ unzip ];
-
-  buildCommand = ''
-    unzip $src -d $out
-  '';
-
-  passthru.updateScript = gitUpdater {
-    url = "https://github.com/lat9nq/tzdb_to_nx.git";
-  };
-}
diff --git a/pkgs/applications/emulators/yuzu/update.sh b/pkgs/applications/emulators/yuzu/update.sh
deleted file mode 100755
index 25ea10fc9aa0c..0000000000000
--- a/pkgs/applications/emulators/yuzu/update.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p nix-update
-#shellcheck shell=bash
-nix-update -u yuzuPackages.nx_tzdb "$@"
-nix-update -u yuzuPackages.compat-list "$@"
-nix-update -u yuzuPackages.mainline "$@"
-nix-update -u yuzuPackages.early-access --override-filename pkgs/applications/emulators/yuzu/early-access/sources.nix "$@"
diff --git a/pkgs/applications/misc/jetbrains-toolbox/default.nix b/pkgs/applications/misc/jetbrains-toolbox/default.nix
index 1cb77d4e05f6e..f9e942ca9411e 100644
--- a/pkgs/applications/misc/jetbrains-toolbox/default.nix
+++ b/pkgs/applications/misc/jetbrains-toolbox/default.nix
@@ -9,11 +9,11 @@
 }:
 let
   pname = "jetbrains-toolbox";
-  version = "2.2.1.19765";
+  version = "2.2.2.20062";
 
   src = fetchzip {
     url = "https://download.jetbrains.com/toolbox/jetbrains-toolbox-${version}.tar.gz";
-    sha256 = "sha256-53CsE1hmtys5hNY2V+tskgwKg9jDLrEsYF6iY2fJGHU=";
+    sha256 = "sha256-wIO9QQa+YfNNqO5HlijVxBDOgVSsJhtGmfChKA8QpPo=";
     stripRoot = false;
   };
 
diff --git a/pkgs/applications/misc/mediainfo/default.nix b/pkgs/applications/misc/mediainfo/default.nix
index b6a5166bd213d..3891715e7b237 100644
--- a/pkgs/applications/misc/mediainfo/default.nix
+++ b/pkgs/applications/misc/mediainfo/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "mediainfo";
-  version = "23.11";
+  version = "24.01.1";
 
   src = fetchurl {
     url = "https://mediaarea.net/download/source/mediainfo/${version}/mediainfo_${version}.tar.xz";
-    hash = "sha256-gByxsNG//MEibeymISoe41Mi6LsSYwozu7B6kqioycM=";
+    hash = "sha256-MupkbVyGxj1UQY0QsnNiYKtD5Lcn+B6N1ez16bXj/TQ=";
   };
 
   nativeBuildInputs = [ autoreconfHook pkg-config ];
diff --git a/pkgs/applications/networking/cluster/popeye/default.nix b/pkgs/applications/networking/cluster/popeye/default.nix
index f1db435c443cd..95a4377041202 100644
--- a/pkgs/applications/networking/cluster/popeye/default.nix
+++ b/pkgs/applications/networking/cluster/popeye/default.nix
@@ -1,4 +1,4 @@
-{ lib, buildGoModule, fetchFromGitHub }:
+{ lib, buildGoModule, fetchFromGitHub, installShellFiles }:
 
 buildGoModule rec {
   pname = "popeye";
@@ -19,6 +19,15 @@ buildGoModule rec {
 
   vendorHash = "sha256-ThldEPzAwMfNnhUEgHL5/asc+SETKxTrPIJt307tqsg=";
 
+  nativeBuildInputs = [ installShellFiles ];
+
+  postInstall = ''
+    installShellCompletion --cmd popeye \
+      --bash <($out/bin/popeye completion bash) \
+      --fish <($out/bin/popeye completion fish) \
+      --zsh <($out/bin/popeye completion zsh)
+  '';
+
   doInstallCheck = true;
   installCheckPhase = ''
     $out/bin/popeye version | grep ${version} > /dev/null
diff --git a/pkgs/build-support/dotnet/build-dotnet-module/default.nix b/pkgs/build-support/dotnet/build-dotnet-module/default.nix
index af960fb1d617d..15a753df07728 100644
--- a/pkgs/build-support/dotnet/build-dotnet-module/default.nix
+++ b/pkgs/build-support/dotnet/build-dotnet-module/default.nix
@@ -114,7 +114,6 @@ let
       then nugetDeps
       else mkNugetDeps {
         inherit name;
-        nugetDeps = import nugetDeps;
         sourceFile = nugetDeps;
       }
     else throw "Defining the `nugetDeps` attribute is required, as to lock the NuGet dependencies. This file can be generated by running the `passthru.fetch-deps` script.";
diff --git a/pkgs/build-support/dotnet/make-nuget-deps/default.nix b/pkgs/build-support/dotnet/make-nuget-deps/default.nix
index 8281976df6260..fcd3f9f076b27 100644
--- a/pkgs/build-support/dotnet/make-nuget-deps/default.nix
+++ b/pkgs/build-support/dotnet/make-nuget-deps/default.nix
@@ -1,5 +1,5 @@
 { linkFarmFromDrvs, fetchurl }:
-{ name, nugetDeps, sourceFile ? null }:
+{ name, nugetDeps ? import sourceFile, sourceFile ? null }:
 linkFarmFromDrvs "${name}-nuget-deps" (nugetDeps {
   fetchNuGet = { pname, version, sha256
     , url ? "https://www.nuget.org/api/v2/package/${pname}/${version}" }:
diff --git a/pkgs/build-support/dotnet/nuget-to-nix/nuget-to-nix.sh b/pkgs/build-support/dotnet/nuget-to-nix/nuget-to-nix.sh
index 34c42929857d1..def59954e4806 100755
--- a/pkgs/build-support/dotnet/nuget-to-nix/nuget-to-nix.sh
+++ b/pkgs/build-support/dotnet/nuget-to-nix/nuget-to-nix.sh
@@ -23,10 +23,17 @@ export DOTNET_CLI_TELEMETRY_OPTOUT=1
 
 mapfile -t sources < <(dotnet nuget list source --format short | awk '/^E / { print $2 }')
 
+declare -a remote_sources
 declare -A base_addresses
 
 for index in "${sources[@]}"; do
-  base_addresses[$index]=$(
+    if [[ -d "$index" ]]; then
+        continue
+    fi
+
+    remote_sources+=($index)
+
+    base_addresses[$index]=$(
     curl --compressed --netrc -fsL "$index" | \
       jq -r '.resources[] | select(."@type" == "PackageBaseAddress/3.0.0")."@id"')
 done
@@ -35,6 +42,7 @@ echo "{ fetchNuGet }: ["
 
 cd "$pkgs"
 for package in *; do
+  [[ -d "$package" ]] || continue
   cd "$package"
   for version in *; do
     id=$(xq -r .package.metadata.id "$version"/*.nuspec)
@@ -44,7 +52,12 @@ for package in *; do
     fi
 
     used_source="$(jq -r '.source' "$version"/.nupkg.metadata)"
-    for source in "${sources[@]}"; do
+
+    if [[ -d "$used_source" ]]; then
+        continue
+    fi
+
+    for source in "${remote_sources[@]}"; do
       url="${base_addresses[$source]}$package/$version/$package.$version.nupkg"
       if [[ "$source" == "$used_source" ]]; then
         sha256="$(nix-hash --type sha256 --flat --base32 "$version/$package.$version".nupkg)"
diff --git a/pkgs/build-support/php/hooks/composer-install-hook.sh b/pkgs/build-support/php/hooks/composer-install-hook.sh
index a84a9e3aa8628..edba0e5eec4e6 100644
--- a/pkgs/build-support/php/hooks/composer-install-hook.sh
+++ b/pkgs/build-support/php/hooks/composer-install-hook.sh
@@ -83,28 +83,7 @@ composerInstallBuildHook() {
 
     # Since this file cannot be generated in the composer-repository-hook.sh
     # because the file contains hardcoded nix store paths, we generate it here.
-    composer-local-repo-plugin --no-ansi build-local-repo -m "${composerRepository}" .
-
-    # Remove all the repositories of type "composer" and "vcs"
-    # from the composer.json file.
-    jq -r -c 'del(try .repositories[] | select(.type == "composer" or .type == "vcs"))' composer.json | sponge composer.json
-
-    # Configure composer to disable packagist and avoid using the network.
-    composer config repo.packagist false
-    # Configure composer to use the local repository.
-    composer config repo.composer composer file://"$PWD"/packages.json
-
-    # Since the composer.json file has been modified in the previous step, the
-    # composer.lock file needs to be updated.
-    composer \
-      --lock \
-      --no-ansi \
-      --no-install \
-      --no-interaction \
-      ${composerNoDev:+--no-dev} \
-      ${composerNoPlugins:+--no-plugins} \
-      ${composerNoScripts:+--no-scripts} \
-      update
+    composer-local-repo-plugin --no-ansi build-local-repo-lock -m "${composerRepository}" .
 
     echo "Finished composerInstallBuildHook"
 }
@@ -112,26 +91,7 @@ composerInstallBuildHook() {
 composerInstallCheckHook() {
     echo "Executing composerInstallCheckHook"
 
-    if ! composer validate --strict --no-ansi --no-interaction --quiet; then
-        if [ ! -z "${composerStrictValidation-}" ]; then
-            echo
-            echo -e "\e[31mERROR: composer files validation failed\e[0m"
-            echo
-            echo -e '\e[31mThe validation of the composer.json and composer.lock failed.\e[0m'
-            echo -e '\e[31mMake sure that the file composer.lock is consistent with composer.json.\e[0m'
-            echo
-            exit 1
-        else
-            echo
-            echo -e "\e[33mWARNING: composer files validation failed\e[0m"
-            echo
-            echo -e '\e[33mThe validation of the composer.json and composer.lock failed.\e[0m'
-            echo -e '\e[33mMake sure that the file composer.lock is consistent with composer.json.\e[0m'
-            echo
-            echo -e '\e[33mThis check is not blocking, but it is recommended to fix the issue.\e[0m'
-            echo
-        fi
-    fi
+    checkComposerValidate
 
     echo "Finished composerInstallCheckHook"
 }
@@ -151,9 +111,6 @@ composerInstallInstallHook() {
       ${composerNoScripts:+--no-scripts} \
       install
 
-    # Remove packages.json, we don't need it in the store.
-    rm packages.json
-
     # Copy the relevant files only in the store.
     mkdir -p "$out"/share/php/"${pname}"
     cp -r . "$out"/share/php/"${pname}"/
diff --git a/pkgs/build-support/php/hooks/composer-repository-hook.sh b/pkgs/build-support/php/hooks/composer-repository-hook.sh
index bb3017bd98c9f..762e762761cc4 100644
--- a/pkgs/build-support/php/hooks/composer-repository-hook.sh
+++ b/pkgs/build-support/php/hooks/composer-repository-hook.sh
@@ -63,7 +63,7 @@ composerRepositoryBuildHook() {
     # Build the local composer repository
     # The command 'build-local-repo' is provided by the Composer plugin
     # nix-community/composer-local-repo-plugin.
-    composer-local-repo-plugin --no-ansi build-local-repo ${composerNoDev:+--no-dev} -r repository
+    composer-local-repo-plugin --no-ansi build-local-repo-lock ${composerNoDev:+--no-dev} -r repository
 
     echo "Finished composerRepositoryBuildHook"
 }
@@ -71,26 +71,7 @@ composerRepositoryBuildHook() {
 composerRepositoryCheckHook() {
     echo "Executing composerRepositoryCheckHook"
 
-    if ! composer validate --strict --no-ansi --no-interaction --quiet; then
-        if [ ! -z "${composerStrictValidation-}" ]; then
-            echo
-            echo -e "\e[31mERROR: composer files validation failed\e[0m"
-            echo
-            echo -e '\e[31mThe validation of the composer.json and composer.lock failed.\e[0m'
-            echo -e '\e[31mMake sure that the file composer.lock is consistent with composer.json.\e[0m'
-            echo
-            exit 1
-        else
-            echo
-            echo -e "\e[33mWARNING: composer files validation failed\e[0m"
-            echo
-            echo -e '\e[33mThe validation of the composer.json and composer.lock failed.\e[0m'
-            echo -e '\e[33mMake sure that the file composer.lock is consistent with composer.json.\e[0m'
-            echo
-            echo -e '\e[33mThis check is not blocking, but it is recommended to fix the issue.\e[0m'
-            echo
-        fi
-    fi
+    checkComposerValidate
 
     echo "Finished composerRepositoryCheckHook"
 }
diff --git a/pkgs/build-support/php/hooks/php-script-utils.bash b/pkgs/build-support/php/hooks/php-script-utils.bash
index 163d9306f5f4a..60afacbed0af1 100644
--- a/pkgs/build-support/php/hooks/php-script-utils.bash
+++ b/pkgs/build-support/php/hooks/php-script-utils.bash
@@ -1,4 +1,5 @@
 declare version
+declare composerStrictValidation
 
 setComposeRootVersion() {
     set +e # Disable exit on error
@@ -10,3 +11,26 @@ setComposeRootVersion() {
 
     set -e
 }
+
+checkComposerValidate() {
+    if ! composer validate --strict --no-ansi --no-interaction; then
+        if [ "1" == "${composerStrictValidation-}" ]; then
+            echo
+            echo -e "\e[31mERROR: composer files validation failed\e[0m"
+            echo
+            echo -e '\e[31mThe validation of the composer.json and composer.lock failed.\e[0m'
+            echo -e '\e[31mMake sure that the file composer.lock is consistent with composer.json.\e[0m'
+            echo
+            exit 1
+        else
+            echo
+            echo -e "\e[33mWARNING: composer files validation failed\e[0m"
+            echo
+            echo -e '\e[33mThe validation of the composer.json and composer.lock failed.\e[0m'
+            echo -e '\e[33mMake sure that the file composer.lock is consistent with composer.json.\e[0m'
+            echo
+            echo -e '\e[33mThis check is not blocking, but it is recommended to fix the issue.\e[0m'
+            echo
+        fi
+    fi
+}
diff --git a/pkgs/build-support/php/pkgs/composer-local-repo-plugin.nix b/pkgs/build-support/php/pkgs/composer-local-repo-plugin.nix
index 48d05b7a00089..bfdc3d4f98d1b 100644
--- a/pkgs/build-support/php/pkgs/composer-local-repo-plugin.nix
+++ b/pkgs/build-support/php/pkgs/composer-local-repo-plugin.nix
@@ -29,13 +29,13 @@ let
 in
 stdenvNoCC.mkDerivation (finalAttrs: {
   pname = "composer-local-repo-plugin";
-  version = "1.0.3";
+  version = "1.1.0";
 
   src = fetchFromGitHub {
     owner = "nix-community";
     repo = "composer-local-repo-plugin";
     rev = finalAttrs.version;
-    hash = "sha256-fLJlxcAQ7X28GDK8PVYKxJgTzbspfWxvgRmRK4NZRIA=";
+    hash = "sha256-edbn07r/Uc1g0qOuVBZBs6N1bMN5kIfA1b4FCufdw5M=";
   };
 
   COMPOSER_CACHE_DIR = "/dev/null";
diff --git a/pkgs/by-name/au/audiness/package.nix b/pkgs/by-name/au/audiness/package.nix
index adff57321ee88..3fe2b2491184c 100644
--- a/pkgs/by-name/au/audiness/package.nix
+++ b/pkgs/by-name/au/audiness/package.nix
@@ -5,14 +5,14 @@
 
 python3.pkgs.buildPythonApplication rec {
   pname = "audiness";
-  version = "0.2.0";
+  version = "0.2.1";
   pyproject = true;
 
   src = fetchFromGitHub {
     owner = "audiusGmbH";
     repo = "audiness";
     rev = "refs/tags/${version}";
-    hash = "sha256-FSZ3EyLGtTCmeIRg2aHB/U14yPa5CpTLdqIZ6eyRtXQ=";
+    hash = "sha256-QznJdm9wSmxdWxaRYgiaUqFfRs2apLuQOIr226eFIGA=";
   };
 
   nativeBuildInputs = with python3.pkgs; [
diff --git a/pkgs/applications/misc/lsd2dsl/default.nix b/pkgs/by-name/ls/lsd2dsl/package.nix
index b46c6ea2afa3c..4ab26b40a7c2e 100644
--- a/pkgs/applications/misc/lsd2dsl/default.nix
+++ b/pkgs/by-name/ls/lsd2dsl/package.nix
@@ -1,23 +1,40 @@
-{ lib, stdenv, mkDerivation, fetchFromGitHub
+{ lib, stdenv, fetchFromGitHub
 , makeDesktopItem, copyDesktopItems, cmake
-, boost, libvorbis, libsndfile, minizip, gtest, qtwebkit }:
+, boost, cups, fmt, libvorbis, libsndfile, minizip, gtest, qt6 }:
 
-mkDerivation rec {
+stdenv.mkDerivation rec {
   pname = "lsd2dsl";
-  version = "0.5.4";
+  version = "0.6.0";
 
   src = fetchFromGitHub {
     owner = "nongeneric";
-    repo = pname;
+    repo = "lsd2dsl";
     rev = "v${version}";
-    sha256 = "sha256-PLgfsVVrNBTxI4J0ukEOFRoBkbmB55/sLNn5KyiHeAc=";
+    hash = "sha256-0UsxDNpuWpBrfjh4q3JhZnOyXhHatSa3t/cApiG2JzM=";
   };
 
-  nativeBuildInputs = [ cmake ] ++ lib.optional stdenv.isLinux copyDesktopItems;
-
-  buildInputs = [ boost libvorbis libsndfile minizip gtest qtwebkit ];
+  postPatch = ''
+    substituteInPlace CMakeLists.txt --replace "-Werror" ""
+  '';
 
-  env.NIX_CFLAGS_COMPILE = "-Wno-error=unused-result -Wno-error=missing-braces";
+  nativeBuildInputs = [
+    cmake
+    qt6.wrapQtAppsHook
+  ] ++ lib.optional stdenv.isLinux copyDesktopItems;
+
+  buildInputs = [
+    boost
+    cups
+    fmt
+    libvorbis
+    libsndfile
+    minizip
+    gtest
+    qt6.qt5compat
+    qt6.qtwebengine
+  ];
+
+  env.NIX_CFLAGS_COMPILE = lib.optionalString stdenv.cc.isClang "-Wno-int-conversion";
 
   desktopItems = lib.singleton (makeDesktopItem {
     name = "lsd2dsl";
diff --git a/pkgs/by-name/nh/nh/package.nix b/pkgs/by-name/nh/nh/package.nix
index acb5709da6adf..028f8d057bea7 100644
--- a/pkgs/by-name/nh/nh/package.nix
+++ b/pkgs/by-name/nh/nh/package.nix
@@ -14,7 +14,7 @@
 assert use-nom -> nix-output-monitor != null;
 
 let
-  version = "3.5.2";
+  version = "3.5.3";
   runtimeDeps = [ nvd ] ++ lib.optionals use-nom [ nix-output-monitor ];
 in
 rustPlatform.buildRustPackage {
@@ -25,7 +25,7 @@ rustPlatform.buildRustPackage {
     owner = "viperML";
     repo = "nh";
     rev = "refs/tags/v${version}";
-    hash = "sha256-TwCR7tZvrjsvz6SmgjWYOne7Qz7J2jn4Cr4Er0Yj+LA=";
+    hash = "sha256-37BcFt67NZj4YQ9kqm69O+OJkgt+TXWTu53bvJvOtn8=";
   };
 
   strictDeps = true;
@@ -52,7 +52,7 @@ rustPlatform.buildRustPackage {
       ${lib.optionalString use-nom "--set-default NH_NOM 1"}
   '';
 
-  cargoHash = "sha256-/mYEjIq4dtt9noRDzFWwLZ3CSz7cmlViEGubi6m9R1o=";
+  cargoHash = "sha256-uRibycYznqzdf8QVX6bHfq3J3Imu8KnWCL0ZS1w4KFk=";
 
   passthru.updateScript = nix-update-script { };
 
diff --git a/pkgs/development/compilers/dotnet/8/default.nix b/pkgs/development/compilers/dotnet/8/default.nix
new file mode 100644
index 0000000000000..8b98aa962dc9e
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/8/default.nix
@@ -0,0 +1,9 @@
+{ callPackage
+, dotnetCorePackages
+, bootstrapSdk
+}: callPackage ../dotnet.nix {
+  releaseManifestFile = ./release.json;
+  releaseInfoFile = ./release-info.json;
+  depsFile = ./deps.nix;
+  inherit bootstrapSdk;
+}
diff --git a/pkgs/development/compilers/dotnet/8/deps.nix b/pkgs/development/compilers/dotnet/8/deps.nix
new file mode 100644
index 0000000000000..ce7ee48bb102a
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/8/deps.nix
@@ -0,0 +1,10 @@
+{ fetchNuGet }: [
+  (fetchNuGet { pname = "runtime.linux-arm64.Microsoft.NETCore.ILAsm"; sha256 = "8985f0b9855daaf8b4a38f32a91902bdbb99a2f1801a98c68a5013d94842524e"; url = "https://pkgs.dev.azure.com/dnceng/9ee6d478-d288-47f7-aacc-f6e6d082ae6d/_packaging/a65e5cb4-26c0-410f-9457-06db3c5254be/nuget/v3/flat2/runtime.linux-arm64.microsoft.netcore.ilasm/8.0.1-servicing.23580.1/runtime.linux-arm64.microsoft.netcore.ilasm.8.0.1-servicing.23580.1.nupkg"; version = "8.0.1-servicing.23580.1"; })
+  (fetchNuGet { pname = "runtime.linux-arm64.Microsoft.NETCore.ILDAsm"; sha256 = "0496a403691e50662c5aef598248d8cd92ad1da1e93a859aedee5bb91bb9c821"; url = "https://pkgs.dev.azure.com/dnceng/9ee6d478-d288-47f7-aacc-f6e6d082ae6d/_packaging/a65e5cb4-26c0-410f-9457-06db3c5254be/nuget/v3/flat2/runtime.linux-arm64.microsoft.netcore.ildasm/8.0.1-servicing.23580.1/runtime.linux-arm64.microsoft.netcore.ildasm.8.0.1-servicing.23580.1.nupkg"; version = "8.0.1-servicing.23580.1"; })
+  (fetchNuGet { pname = "runtime.linux-x64.Microsoft.NETCore.ILAsm"; sha256 = "0c5k9ckp7zjspyqqzz817jr8pglnn7wxhmv2hfk700swb96qhg0w"; url = "https://pkgs.dev.azure.com/dnceng/9ee6d478-d288-47f7-aacc-f6e6d082ae6d/_packaging/a65e5cb4-26c0-410f-9457-06db3c5254be/nuget/v3/flat2/runtime.linux-x64.microsoft.netcore.ilasm/8.0.1-servicing.23580.1/runtime.linux-x64.microsoft.netcore.ilasm.8.0.1-servicing.23580.1.nupkg"; version = "8.0.1-servicing.23580.1"; })
+  (fetchNuGet { pname = "runtime.linux-x64.Microsoft.NETCore.ILDAsm"; sha256 = "1pyydnypv9x25p7y35j85f8pxnyxq3w2vc8i84klq90kzgzig5a8"; url = "https://pkgs.dev.azure.com/dnceng/9ee6d478-d288-47f7-aacc-f6e6d082ae6d/_packaging/a65e5cb4-26c0-410f-9457-06db3c5254be/nuget/v3/flat2/runtime.linux-x64.microsoft.netcore.ildasm/8.0.1-servicing.23580.1/runtime.linux-x64.microsoft.netcore.ildasm.8.0.1-servicing.23580.1.nupkg"; version = "8.0.1-servicing.23580.1"; })
+  (fetchNuGet { pname = "runtime.osx-arm64.Microsoft.NETCore.ILAsm"; sha256 = "7609cfc7fd617a580caba18d458ed644ab799346139b3ead9df9502abe8d0541"; url = "https://pkgs.dev.azure.com/dnceng/9ee6d478-d288-47f7-aacc-f6e6d082ae6d/_packaging/a65e5cb4-26c0-410f-9457-06db3c5254be/nuget/v3/flat2/runtime.osx-arm64.microsoft.netcore.ilasm/8.0.1-servicing.23580.1/runtime.osx-arm64.microsoft.netcore.ilasm.8.0.1-servicing.23580.1.nupkg"; version = "8.0.1-servicing.23580.1"; })
+  (fetchNuGet { pname = "runtime.osx-arm64.Microsoft.NETCore.ILDAsm"; sha256 = "6a969c2f6261834ab8ec9829cffed5a1a1f35667bf382b7c902d1b26db192e27"; url = "https://pkgs.dev.azure.com/dnceng/9ee6d478-d288-47f7-aacc-f6e6d082ae6d/_packaging/a65e5cb4-26c0-410f-9457-06db3c5254be/nuget/v3/flat2/runtime.osx-arm64.microsoft.netcore.ildasm/8.0.1-servicing.23580.1/runtime.osx-arm64.microsoft.netcore.ildasm.8.0.1-servicing.23580.1.nupkg"; version = "8.0.1-servicing.23580.1"; })
+  (fetchNuGet { pname = "runtime.osx-x64.Microsoft.NETCore.ILAsm"; sha256 = "a8b90caa9ead7defdf8b9570dcb3e0cec146dff892a88fb825fedb7ee0fe620f"; url = "https://pkgs.dev.azure.com/dnceng/9ee6d478-d288-47f7-aacc-f6e6d082ae6d/_packaging/a65e5cb4-26c0-410f-9457-06db3c5254be/nuget/v3/flat2/runtime.osx-x64.microsoft.netcore.ilasm/8.0.1-servicing.23580.1/runtime.osx-x64.microsoft.netcore.ilasm.8.0.1-servicing.23580.1.nupkg"; version = "8.0.1-servicing.23580.1"; })
+  (fetchNuGet { pname = "runtime.osx-x64.Microsoft.NETCore.ILDAsm"; sha256 = "eade428d642bdbb2271610c5d781a61ab367dbd3e776477a7b5948bda62252b5"; url = "https://pkgs.dev.azure.com/dnceng/9ee6d478-d288-47f7-aacc-f6e6d082ae6d/_packaging/a65e5cb4-26c0-410f-9457-06db3c5254be/nuget/v3/flat2/runtime.osx-x64.microsoft.netcore.ildasm/8.0.1-servicing.23580.1/runtime.osx-x64.microsoft.netcore.ildasm.8.0.1-servicing.23580.1.nupkg"; version = "8.0.1-servicing.23580.1"; })
+]
diff --git a/pkgs/development/compilers/dotnet/8/release-info.json b/pkgs/development/compilers/dotnet/8/release-info.json
new file mode 100644
index 0000000000000..2a316ed2de944
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/8/release-info.json
@@ -0,0 +1,5 @@
+{
+  "tarballHash": "sha256-OTCFPhQ9PHnQ0f7UzgHryEsBIaKCOm/L6pkURw/RY2s=",
+  "artifactsUrl": "https://dotnetcli.azureedge.net/source-built-artifacts/assets/Private.SourceBuilt.Artifacts.8.0.101-servicing.23601.1.centos.8-x64.tar.gz",
+  "artifactsHash": "sha256-RLrEPFkB9NvnzJFJ0zSFbGNpMKR4EsyBu3T/JwAxgzc="
+}
diff --git a/pkgs/development/compilers/dotnet/8/release.json b/pkgs/development/compilers/dotnet/8/release.json
new file mode 100644
index 0000000000000..de0aaf95f3ebe
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/8/release.json
@@ -0,0 +1,9 @@
+{
+  "release": "8.0.2",
+  "channel": "8.0",
+  "tag": "v8.0.2",
+  "sdkVersion": "8.0.102",
+  "runtimeVersion": "8.0.2",
+  "sourceRepository": "https://github.com/dotnet/dotnet",
+  "sourceVersion": "d396b0c4d3e51c2d8d679b2f7233912bc5bfc2fa"
+}
diff --git a/pkgs/development/compilers/dotnet/build-dotnet.nix b/pkgs/development/compilers/dotnet/build-dotnet.nix
index be2ec26c55a7d..8ee0bd9e7b3a3 100644
--- a/pkgs/development/compilers/dotnet/build-dotnet.nix
+++ b/pkgs/development/compilers/dotnet/build-dotnet.nix
@@ -24,6 +24,7 @@ assert if type == "sdk" then packages != null else true;
 , runCommand
 , writeShellScript
 , mkNugetDeps
+, callPackage
 }:
 
 let
@@ -41,13 +42,10 @@ let
     sdk = ".NET SDK ${version}";
   };
 
-  packageDeps = if type == "sdk" then mkNugetDeps {
-    name = "${pname}-${version}-deps";
-    nugetDeps = packages;
-  } else null;
+  mkCommon = callPackage ./common.nix {};
 
 in
-stdenv.mkDerivation (finalAttrs: rec {
+mkCommon type rec {
   inherit pname version;
 
   # Some of these dependencies are `dlopen()`ed.
@@ -88,11 +86,6 @@ stdenv.mkDerivation (finalAttrs: rec {
     runHook postInstall
   '';
 
-  doInstallCheck = true;
-  installCheckPhase = ''
-    $out/bin/dotnet --info
-  '';
-
   # Tell autoPatchelf about runtime dependencies.
   # (postFixup phase is run before autoPatchelfHook.)
   postFixup = lib.optionalString stdenv.isLinux ''
@@ -112,23 +105,15 @@ stdenv.mkDerivation (finalAttrs: rec {
       $out/packs/Microsoft.NETCore.App.Host.linux-x64/*/runtimes/linux-x64/native/singlefilehost
   '';
 
-  setupHook = writeText "dotnet-setup-hook" ''
-    if [ ! -w "$HOME" ]; then
-      export HOME=$(mktemp -d) # Dotnet expects a writable home directory for its configuration files
-    fi
-
-    export DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1 # Dont try to expand NuGetFallbackFolder to disk
-    export DOTNET_NOLOGO=1 # Disables the welcome message
-    export DOTNET_CLI_TELEMETRY_OPTOUT=1
-    export DOTNET_SKIP_WORKLOAD_INTEGRITY_CHECK=1 # Skip integrity check on first run, which fails due to read-only directory
-  '';
-
   passthru = {
     inherit icu;
-    packages = packageDeps;
+  } // lib.optionalAttrs (type == "sdk") {
+    packages = mkNugetDeps {
+      name = "${pname}-${version}-deps";
+      nugetDeps = packages;
+    };
 
     updateScript =
-      if type == "sdk" then
       let
         majorVersion =
           with lib;
@@ -137,40 +122,7 @@ stdenv.mkDerivation (finalAttrs: rec {
       writeShellScript "update-dotnet-${majorVersion}" ''
         pushd pkgs/development/compilers/dotnet
         exec ${./update.sh} "${majorVersion}"
-      '' else null;
-
-    tests = {
-      version = testers.testVersion {
-        package = finalAttrs.finalPackage;
-      };
-
-      console = runCommand "dotnet-test-console" {
-        nativeBuildInputs = [ finalAttrs.finalPackage ];
-      } ''
-        HOME=$(pwd)/fake-home
-        dotnet new nugetconfig
-        dotnet nuget disable source nuget
-        dotnet new console -n test -o .
-        output="$(dotnet run)"
-        # yes, older SDKs omit the comma
-        [[ "$output" =~ Hello,?\ World! ]] && touch "$out"
-      '';
-
-      single-file = let build = runCommand "dotnet-test-build-single-file" {
-        nativeBuildInputs = [ finalAttrs.finalPackage ];
-      } ''
-        HOME=$(pwd)/fake-home
-        dotnet new nugetconfig
-        dotnet nuget disable source nuget
-        dotnet nuget add source ${finalAttrs.finalPackage.packages}
-        dotnet new console -n test -o .
-        dotnet publish --use-current-runtime -p:PublishSingleFile=true -o $out
-      ''; in runCommand "dotnet-test-run-single-file" {} ''
-        output="$(${build}/test)"
-        # yes, older SDKs omit the comma
-        [[ "$output" =~ Hello,?\ World! ]] && touch "$out"
       '';
-    };
   };
 
   meta = with lib; {
@@ -181,4 +133,4 @@ stdenv.mkDerivation (finalAttrs: rec {
     mainProgram = "dotnet";
     platforms = attrNames srcs;
   };
-})
+}
diff --git a/pkgs/development/compilers/dotnet/combine-deps.nix b/pkgs/development/compilers/dotnet/combine-deps.nix
new file mode 100644
index 0000000000000..a7c4356b34b03
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/combine-deps.nix
@@ -0,0 +1,40 @@
+{
+  list,
+  baseRid,
+  otherRids,
+  pkgs ? import ../../../.. {}
+}:
+with pkgs.lib;
+let
+  inherit (pkgs) writeText;
+
+  fns = map (file: import file) list;
+  packages = unique
+    (concatMap (fn: fn { fetchNuGet = package: package; }) fns);
+
+  changePackageRid = package: rid:
+    let replace = replaceStrings [".${baseRid}"] [".${rid}"];
+    in rec {
+      pname = replace package.pname;
+      inherit (package) version;
+      url = replace package.url;
+      sha256 = builtins.hashFile "sha256" (builtins.fetchurl url);
+    };
+
+  expandPackage = package:
+    [ package ] ++
+    optionals (strings.match ".*\\.${baseRid}(\\..*|$)" package.pname != null)
+    (map (changePackageRid package) otherRids);
+
+  allPackages =
+    sortOn (package: [ package.pname package.version package ])
+    (concatMap expandPackage packages);
+
+  fetchExpr = package:
+    "  (fetchNuGet ${generators.toPretty { multiline = false; } package})";
+
+in writeText "deps.nix" ''
+  { fetchNuGet }: [
+  ${concatMapStringsSep "\n" fetchExpr allPackages}
+  ]
+''
diff --git a/pkgs/development/compilers/dotnet/common.nix b/pkgs/development/compilers/dotnet/common.nix
new file mode 100644
index 0000000000000..0d8890e61da2b
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/common.nix
@@ -0,0 +1,63 @@
+# TODO: switch to stdenvNoCC
+{ stdenv
+, lib
+, writeText
+, testers
+, runCommand
+}: type: args: stdenv.mkDerivation (finalAttrs: args // {
+  doInstallCheck = true;
+
+  # TODO: this should probably be postInstallCheck
+  # TODO: send output to /dev/null
+  installCheckPhase = args.installCheckPhase or "" + ''
+    $out/bin/dotnet --info
+  '';
+
+  # TODO: move this to sdk section?
+  setupHook = writeText "dotnet-setup-hook" (''
+    if [ ! -w "$HOME" ]; then
+      export HOME=$(mktemp -d) # Dotnet expects a writable home directory for its configuration files
+    fi
+
+    export DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1 # Dont try to expand NuGetFallbackFolder to disk
+    export DOTNET_NOLOGO=1 # Disables the welcome message
+    export DOTNET_CLI_TELEMETRY_OPTOUT=1
+    export DOTNET_SKIP_WORKLOAD_INTEGRITY_CHECK=1 # Skip integrity check on first run, which fails due to read-only directory
+  '' + args.setupHook or "");
+
+} // lib.optionalAttrs (type == "sdk") {
+  passthru = {
+    tests = {
+      version = testers.testVersion {
+        package = finalAttrs.finalPackage;
+      };
+
+      console = runCommand "dotnet-test-console" {
+        nativeBuildInputs = [ finalAttrs.finalPackage ];
+      } ''
+        HOME=$(pwd)/fake-home
+        dotnet new nugetconfig
+        dotnet nuget disable source nuget
+        dotnet new console -n test -o .
+        output="$(dotnet run)"
+        # yes, older SDKs omit the comma
+        [[ "$output" =~ Hello,?\ World! ]] && touch "$out"
+      '';
+
+      single-file = let build = runCommand "dotnet-test-build-single-file" {
+        nativeBuildInputs = [ finalAttrs.finalPackage ];
+      } ''
+        HOME=$(pwd)/fake-home
+        dotnet new nugetconfig
+        dotnet nuget disable source nuget
+        dotnet nuget add source ${finalAttrs.finalPackage.packages}
+        dotnet new console -n test -o .
+        dotnet publish --use-current-runtime -p:PublishSingleFile=true -o $out
+      ''; in runCommand "dotnet-test-run-single-file" {} ''
+        output="$(${build}/test)"
+        # yes, older SDKs omit the comma
+        [[ "$output" =~ Hello,?\ World! ]] && touch "$out"
+      '';
+    } // args.passthru.tests or {};
+  } // args.passthru or {};
+})
diff --git a/pkgs/development/compilers/dotnet/default.nix b/pkgs/development/compilers/dotnet/default.nix
index 814560e49bee2..1960488f840a2 100644
--- a/pkgs/development/compilers/dotnet/default.nix
+++ b/pkgs/development/compilers/dotnet/default.nix
@@ -5,7 +5,7 @@ dotnetCombined = with dotnetCorePackages; combinePackages [ sdk_6_0 aspnetcore_7
 Hashes and urls are retrieved from:
 https://dotnet.microsoft.com/download/dotnet
 */
-{ lib, config, callPackage }:
+{ lib, config, callPackage, recurseIntoAttrs }:
 let
   buildDotnet = attrs: callPackage (import ./build-dotnet.nix attrs) {};
   buildAttrs = {
@@ -18,6 +18,7 @@ let
   dotnet_6_0 = import ./versions/6.0.nix buildAttrs;
   dotnet_7_0 = import ./versions/7.0.nix buildAttrs;
   dotnet_8_0 = import ./versions/8.0.nix buildAttrs;
+  dotnet_8_0_102 = import ./versions/8.0.102.nix buildAttrs;
 
   runtimeIdentifierMap = {
     "x86_64-linux" = "linux-x64";
@@ -35,6 +36,8 @@ in
   inherit systemToDotnetRid;
 
   combinePackages = attrs: callPackage (import ./combine-packages.nix attrs) {};
+
+  dotnet_8 = recurseIntoAttrs (callPackage ./8 { bootstrapSdk = dotnet_8_0_102.sdk_8_0; });
 } // lib.optionalAttrs config.allowAliases {
   # EOL
   sdk_2_1 = throw "Dotnet SDK 2.1 is EOL, please use 6.0 (LTS) or 7.0 (Current)";
diff --git a/pkgs/development/compilers/dotnet/dotnet.nix b/pkgs/development/compilers/dotnet/dotnet.nix
new file mode 100644
index 0000000000000..90541215f9493
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/dotnet.nix
@@ -0,0 +1,50 @@
+{ callPackage
+, lib
+, releaseManifestFile
+, releaseInfoFile
+, allowPrerelease ? false
+, depsFile
+, bootstrapSdk
+, pkgsBuildHost
+}:
+
+let
+  inherit (lib.importJSON releaseInfoFile) tarballHash artifactsUrl artifactsHash;
+
+  pkgs = callPackage ./stage1.nix {
+    inherit releaseManifestFile tarballHash depsFile;
+    bootstrapSdk =
+      { stdenvNoCC
+      , dotnetCorePackages
+      , fetchurl
+      }: bootstrapSdk.overrideAttrs (old: {
+        passthru = old.passthru or {} // {
+          artifacts = stdenvNoCC.mkDerivation rec {
+            name = lib.nameFromURL artifactsUrl ".tar.gz";
+
+            src = fetchurl {
+              url = artifactsUrl;
+              hash = artifactsHash;
+            };
+
+            sourceRoot = ".";
+
+            installPhase = ''
+              mkdir -p $out
+              cp -r * $out/
+              ln -fs ${old.passthru.packages}/* $out/
+            '';
+          };
+        };
+      });
+  };
+
+in pkgs // {
+  vmr = pkgs.vmr.overrideAttrs(old: {
+    passthru = old.passthru // {
+      updateScript = pkgsBuildHost.callPackage ./update.nix {
+        inherit releaseManifestFile releaseInfoFile allowPrerelease;
+      };
+    };
+  });
+}
diff --git a/pkgs/development/compilers/dotnet/fix-aspnetcore-portable-build.patch b/pkgs/development/compilers/dotnet/fix-aspnetcore-portable-build.patch
new file mode 100644
index 0000000000000..47c6f997a8117
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/fix-aspnetcore-portable-build.patch
@@ -0,0 +1,25 @@
+From ebc2540f8d0aba2e5ec2f0d5f5889100475ad93e Mon Sep 17 00:00:00 2001
+From: David McFarland <corngood@gmail.com>
+Date: Mon, 1 Jan 2024 12:45:41 -0400
+Subject: [PATCH] fix aspnetcore portable build
+
+https://github.com/dotnet/installer/pull/15163#issuecomment-1873396096
+---
+ repo-projects/aspnetcore.proj | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/repo-projects/aspnetcore.proj b/repo-projects/aspnetcore.proj
+index e3f4b1664a..947532add9 100644
+--- a/repo-projects/aspnetcore.proj
++++ b/repo-projects/aspnetcore.proj
+@@ -8,6 +8,7 @@
+     <OverrideTargetRid Condition="'$(TargetOS)' == 'Windows_NT'">win-$(Platform)</OverrideTargetRid>
+     <_portableRidOverridden Condition="'$(TargetRid)' != '$(OverrideTargetRid)'">true</_portableRidOverridden>
+     <_portableRidOverridden Condition="'$(TargetRid)' == '$(OverrideTargetRid)'">false</_portableRidOverridden>
++    <_portableRidOverridden Condition="'$(PortableBuild)' != ''">$(PortableBuild)</_portableRidOverridden>
+ 
+     <!-- StandardSourceBuildArgs include -publish which is not supported by the aspnetcore build script. -->
+     <BuildCommandArgs>$(StandardSourceBuildArgs.Replace('--publish', ''))</BuildCommandArgs>
+-- 
+2.40.1
+
diff --git a/pkgs/development/compilers/dotnet/fix-tmp-path.patch b/pkgs/development/compilers/dotnet/fix-tmp-path.patch
new file mode 100644
index 0000000000000..54d7cf2c81dff
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/fix-tmp-path.patch
@@ -0,0 +1,27 @@
+From e0bd79c04c3647dd5abec5e60c031b1f2762a84c Mon Sep 17 00:00:00 2001
+From: David McFarland <corngood@gmail.com>
+Date: Wed, 10 Jan 2024 02:25:46 -0400
+Subject: [PATCH] fix-tmp-path
+
+---
+ build.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/build.sh b/build.sh
+index a1224e4369..555a88fc95 100755
+--- a/build.sh
++++ b/build.sh
+@@ -211,8 +211,8 @@ elif [ -d "$packagesArchiveDir" ]; then
+   if [ -f "${packagesPreviouslySourceBuiltDir}}PackageVersions.props" ]; then
+     packageVersionsPath=${packagesPreviouslySourceBuiltDir}PackageVersions.props
+   elif [ -f "$sourceBuiltArchive" ]; then
+-    tar -xzf "$sourceBuiltArchive" -C /tmp PackageVersions.props
+-    packageVersionsPath=/tmp/PackageVersions.props
++    tar -xzf "$sourceBuiltArchive" PackageVersions.props
++    packageVersionsPath=$PWD/PackageVersions.props
+   fi
+ fi
+ 
+-- 
+2.40.1
+
diff --git a/pkgs/development/compilers/dotnet/packages.nix b/pkgs/development/compilers/dotnet/packages.nix
new file mode 100644
index 0000000000000..3eef77ff7144f
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/packages.nix
@@ -0,0 +1,99 @@
+{ stdenv
+, callPackage
+, vmr
+}:
+
+let
+  mkCommon = callPackage ./common.nix {};
+  inherit (vmr) targetRid releaseManifest;
+
+in {
+  inherit vmr;
+  sdk = mkCommon "sdk" rec {
+    pname = "dotnet-sdk";
+    version = releaseManifest.sdkVersion;
+
+    src = vmr;
+    dontUnpack = true;
+
+    outputs = [ "out" "packages" "artifacts" ];
+
+    installPhase = ''
+      runHook preInstall
+
+      cp -r "$src"/dotnet-sdk-${version}-${targetRid} "$out"
+      chmod +w "$out"
+      mkdir "$out"/bin
+      ln -s "$out"/dotnet "$out"/bin/dotnet
+
+      mkdir "$packages"
+      # this roughly corresponds to the {sdk,aspnetcore}_packages in ../update.sh
+      cp -r "$src"/Private.SourceBuilt.Artifacts.*.${targetRid}/*Microsoft.{NET.ILLink.Tasks,NETCore,DotNet,AspNetCore}.*.nupkg "$packages"
+
+      cp -r "$src"/Private.SourceBuilt.Artifacts.*.${targetRid} "$artifacts"
+
+      runHook postInstall
+    '';
+
+    passthru = {
+      inherit (vmr) icu targetRid updateScript;
+    };
+
+    meta = vmr.meta // {
+      mainProgram = "dotnet";
+    };
+  };
+
+  runtime = mkCommon "runtime" rec {
+    pname = "dotnet-runtime";
+    version = releaseManifest.runtimeVersion;
+
+    src = vmr;
+    dontUnpack = true;
+
+    outputs = [ "out" ];
+
+    installPhase = ''
+      runHook preInstall
+
+      cp -r "$src/dotnet-runtime-${version}-${targetRid}" "$out"
+      chmod +w "$out"
+      mkdir "$out"/bin
+      ln -s "$out"/dotnet "$out"/bin/dotnet
+
+      runHook postInstall
+    '';
+
+    meta = vmr.meta // {
+      mainProgram = "dotnet";
+    };
+  };
+
+  aspnetcore = mkCommon "aspnetcore" rec {
+    pname = "dotnet-aspnetcore-runtime";
+    version = releaseManifest.aspnetcoreRuntimeVersion or releaseManifest.runtimeVersion;
+
+    src = vmr;
+    dontUnpack = true;
+
+    outputs = [ "out" ];
+
+    installPhase = ''
+      runHook preInstall
+
+      cp -r "$src/dotnet-runtime-${releaseManifest.runtimeVersion}-${targetRid}" "$out"
+      chmod +w "$out"
+      mkdir "$out"/bin
+      ln -s "$out"/dotnet "$out"/bin/dotnet
+
+      chmod +w "$out"/shared
+      cp -Tr "$src/aspnetcore-runtime-${version}-${targetRid}" "$out"
+
+      runHook postInstall
+    '';
+
+    meta = vmr.meta // {
+      mainProgram = "dotnet";
+    };
+  };
+}
diff --git a/pkgs/development/compilers/dotnet/patch-nupkgs.nix b/pkgs/development/compilers/dotnet/patch-nupkgs.nix
new file mode 100644
index 0000000000000..0f1173056f047
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/patch-nupkgs.nix
@@ -0,0 +1,62 @@
+{ stdenv
+, lib
+, dotnetCorePackages
+, zlib
+, curl
+, icu
+, libunwind
+, libuuid
+, openssl
+, lttng-ust_2_12
+, writeShellScriptBin
+}:
+
+let
+  buildRid = dotnetCorePackages.systemToDotnetRid stdenv.buildPlatform.system;
+
+  binaryRPath = lib.makeLibraryPath ([
+    stdenv.cc.cc
+    zlib
+    curl
+    icu
+    libunwind
+    libuuid
+    openssl
+  ] ++ lib.optional stdenv.isLinux lttng-ust_2_12);
+
+in writeShellScriptBin "patch-nupkgs" ''
+  set -euo pipefail
+  shopt -s nullglob
+  isELF() {
+      local fn="$1"
+      local fd
+      local magic
+      exec {fd}< "$fn"
+      read -r -n 4 -u "$fd" magic
+      exec {fd}<&-
+      if [ "$magic" = $'\177ELF' ]; then return 0; else return 1; fi
+  }
+  cd "$1"
+  for x in *.${buildRid}/* *.${buildRid}.*/*; do
+    [[ -d "$x" ]] && [[ ! -f "$x"/.nix-patched ]] || continue
+    echo "Patching package $x"
+    pushd "$x"
+    for p in $(find -type f); do
+      if [[ "$p" != *.nix-patched ]] && isELF "$p"; then
+        tmp="$p".$$.nix-patched
+        # if this fails to copy then another process must have patched it
+        cp --reflink=auto "$p" "$tmp" || continue
+        echo "Patchelfing $p as $tmp"
+        patchelf \
+          --set-interpreter "${stdenv.cc.bintools.dynamicLinker}" \
+          "$tmp" ||:
+        patchelf \
+          --set-rpath "${binaryRPath}" \
+          "$tmp" ||:
+        mv "$tmp" "$p"
+      fi
+    done
+    touch .nix-patched
+    popd
+  done
+''
diff --git a/pkgs/development/compilers/dotnet/patch-restored-packages.proj b/pkgs/development/compilers/dotnet/patch-restored-packages.proj
new file mode 100644
index 0000000000000..bef12d6308f94
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/patch-restored-packages.proj
@@ -0,0 +1,8 @@
+<Project>
+  <Target Name="PatchIlasm" AfterTargets="ResolveIlToolPaths">
+    <Exec Command="patch-nupkgs $(NUGET_PACKAGES) 2>&amp;1"/>
+  </Target>
+  <Target Name="PatchCrossgen" AfterTargets="Restore;_PrepareForReadyToRunCompilation;PrepareForCrossGen">
+    <Exec Command="patch-nupkgs $(NUGET_PACKAGES) 2>&amp;1"/>
+  </Target>
+</Project>
diff --git a/pkgs/development/compilers/dotnet/record-downloaded-packages.patch b/pkgs/development/compilers/dotnet/record-downloaded-packages.patch
new file mode 100644
index 0000000000000..4c5b45939d763
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/record-downloaded-packages.patch
@@ -0,0 +1,42 @@
+From a5a4a77dd77ed5c997bec6519adf7b6be3108af2 Mon Sep 17 00:00:00 2001
+From: David McFarland <corngood@gmail.com>
+Date: Sun, 31 Dec 2023 01:48:31 -0400
+Subject: [PATCH 2/2] record downloaded packages
+
+---
+ .../buildBootstrapPreviouslySB.csproj         |  6 +++++
+ repo-projects/Directory.Build.targets         | 27 +++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/eng/bootstrap/buildBootstrapPreviouslySB.csproj b/eng/bootstrap/buildBootstrapPreviouslySB.csproj
+index d85e32ca76..280c9eaf89 100644
+--- a/eng/bootstrap/buildBootstrapPreviouslySB.csproj
++++ b/eng/bootstrap/buildBootstrapPreviouslySB.csproj
+@@ -102,6 +102,12 @@
+     </ItemGroup>
+   </Target>
+ 
++  <Target Name="NuGetToNix" AfterTargets="Restore">
++    <Exec
++        Command="nuget-to-nix $(RestorePackagesPath) >$(ArchiveDir)deps.nix 2>&amp;1"
++        WorkingDirectory="$(MSBuildProjectDirectory)"/>
++  </Target>
++
+   <Target Name="BuildBoostrapPreviouslySourceBuilt"
+           AfterTargets="Restore"
+           DependsOnTargets="GetPackagesToDownload">
+diff --git a/repo-projects/Directory.Build.targets b/repo-projects/Directory.Build.targets
+index 3fa15da862..afd7b87088 100644
+--- a/repo-projects/Directory.Build.targets
++++ b/repo-projects/Directory.Build.targets
+@@ -471,6 +497,7 @@
+     <ItemGroup>
+       <LogFilesToCopy Include="$(ProjectDirectory)artifacts/**/*.log" />
+       <LogFilesToCopy Include="$(ProjectDirectory)artifacts/**/*.binlog" />
++      <LogFilesToCopy Include="$(ProjectDirectory)artifacts/**/deps.nix" />
+       <ObjFilesToCopy Include="$(ProjectDirectory)artifacts/**/project.assets.json" />
+     </ItemGroup>
+     <MakeDir Directories="$(BuildLogsDir)" Condition="Exists('$(ProjectDirectory)artifacts')"/>
+-- 
+2.40.1
+
diff --git a/pkgs/development/compilers/dotnet/record-downloaded-packages.proj b/pkgs/development/compilers/dotnet/record-downloaded-packages.proj
new file mode 100644
index 0000000000000..f85da42ec2be8
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/record-downloaded-packages.proj
@@ -0,0 +1,13 @@
+<Project>
+  <Target Name="NuGetToNix"
+    BeforeTargets="CopyInnerBuildRestoredPackages">
+    <ItemGroup>
+      <_NuGetToNixPackageCache Include="$(ProjectDirectory)artifacts/sb/package-cache/"/>
+      <_NuGetToNixPackageCache Include="$(ProjectDirectory)artifacts/source-build/self/package-cache/"/>
+    </ItemGroup>
+    <Exec
+      Command="nuget-to-nix '@(_NuGetToNixPackageCache)' >'$(ProjectDirectory)deps.nix' 2>'$(ProjectDirectory)deps.out'"
+      WorkingDirectory="$(ProjectDirectory)"
+      Condition="Exists('%(Identity)')"/>
+  </Target>
+</Project>
diff --git a/pkgs/development/compilers/dotnet/sign-apphost.nix b/pkgs/development/compilers/dotnet/sign-apphost.nix
new file mode 100644
index 0000000000000..f804ab79d3321
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/sign-apphost.nix
@@ -0,0 +1,10 @@
+{ substituteAll
+, callPackage
+}:
+let
+  sigtool = callPackage ./sigtool.nix {};
+
+in substituteAll {
+  src = ./sign-apphost.proj;
+  codesign = "${sigtool}/bin/codesign";
+}
diff --git a/pkgs/development/compilers/dotnet/sign-apphost.proj b/pkgs/development/compilers/dotnet/sign-apphost.proj
new file mode 100644
index 0000000000000..e401739bdd70a
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/sign-apphost.proj
@@ -0,0 +1,11 @@
+<Project>
+  <Target Name="SignAppHost" AfterTargets="_CreateAppHost" Condition="'$(AppHostIntermediatePath)' != ''">
+    <Exec Command='@codesign@ -f -s - "$(AppHostIntermediatePath)" 2>&amp;1'/>
+  </Target>
+  <Target Name="UnsignBundle" BeforeTargets="GenerateSingleFileBundle" Condition="'$(PublishedSingleFileName)' != ''">
+    <Exec Command='@codesign@ --remove-signature "@(FilesToBundle)" 2>&amp;1' Condition="'%(FilesToBundle.RelativePath)' == '$(PublishedSingleFileName)'"/>
+  </Target>
+  <Target Name="SignBundle" AfterTargets="GenerateSingleFileBundle" Condition="'$(PublishedSingleFilePath)' != ''">
+    <Exec Command='@codesign@ -f -s - "$(PublishedSingleFilePath)" 2>&amp;1'/>
+  </Target>
+</Project>
diff --git a/pkgs/development/compilers/dotnet/sigtool.nix b/pkgs/development/compilers/dotnet/sigtool.nix
new file mode 100644
index 0000000000000..658ee578ae983
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/sigtool.nix
@@ -0,0 +1,27 @@
+{ darwin
+, fetchFromGitHub
+, makeWrapper
+}:
+let
+  cctools = darwin.cctools;
+
+in darwin.sigtool.overrideAttrs (old: {
+  # this is a fork of sigtool that supports -v and --remove-signature, which are
+  # used by the dotnet sdk
+  src = fetchFromGitHub {
+    owner = "corngood";
+    repo = "sigtool";
+    rev = "new-commands";
+    sha256 = "sha256-EVM5ZG3sAHrIXuWrnqA9/4pDkJOpWCeBUl5fh0mkK4k=";
+  };
+
+  nativeBuildInputs = old.nativeBuildInputs or [] ++ [
+    makeWrapper
+  ];
+
+  postInstall = old.postInstall or "" + ''
+    wrapProgram $out/bin/codesign \
+      --set-default CODESIGN_ALLOCATE \
+        "${cctools}/bin/${cctools.targetPrefix}codesign_allocate"
+  '';
+})
diff --git a/pkgs/development/compilers/dotnet/stage0.nix b/pkgs/development/compilers/dotnet/stage0.nix
new file mode 100644
index 0000000000000..d12d1a6c3d13a
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/stage0.nix
@@ -0,0 +1,126 @@
+{ stdenv
+, stdenvNoCC
+, callPackage
+, lib
+, writeShellScript
+, pkgsBuildHost
+, mkNugetDeps
+, nix
+, cacert
+, nuget-to-nix
+, dotnetCorePackages
+, xmlstarlet
+
+, releaseManifestFile
+, tarballHash
+, depsFile
+, bootstrapSdk
+}:
+
+let
+  mkPackages = callPackage ./packages.nix;
+  mkVMR = callPackage ./vmr.nix;
+
+  dotnetSdk = pkgsBuildHost.callPackage bootstrapSdk {};
+
+  patchNupkgs = pkgsBuildHost.callPackage ./patch-nupkgs.nix {};
+
+  signAppHost = callPackage ./sign-apphost.nix {};
+
+  deps = mkNugetDeps {
+    name = "dotnet-vmr-deps";
+    sourceFile = depsFile;
+  };
+
+  vmr = (mkVMR {
+    inherit releaseManifestFile tarballHash dotnetSdk;
+  }).overrideAttrs (old: rec {
+    prebuiltPackages = mkNugetDeps {
+      name = "dotnet-vmr-deps";
+      sourceFile = depsFile;
+    };
+
+    nativeBuildInputs =
+      old.nativeBuildInputs or []
+      ++ [ xmlstarlet ]
+      ++ lib.optional stdenv.isLinux patchNupkgs;
+
+    postPatch = old.postPatch or "" + lib.optionalString stdenv.isLinux ''
+      xmlstarlet ed \
+        --inplace \
+        -s //Project -t elem -n Import \
+        -i \$prev -t attr -n Project -v "${./patch-restored-packages.proj}" \
+        src/*/Directory.Build.targets
+    '' + lib.optionalString stdenv.isDarwin ''
+      xmlstarlet ed \
+        --inplace \
+        -s //Project -t elem -n Import \
+        -i \$prev -t attr -n Project -v "${signAppHost}" \
+        src/runtime/Directory.Build.targets
+    '';
+
+    postConfigure = old.postConfigure or "" + ''
+      [[ ! -v prebuiltPackages ]] || ln -sf "$prebuiltPackages"/* prereqs/packages/prebuilt/
+    '';
+
+    passthru = old.passthru or {} // { fetch-deps =
+      let
+        inherit (vmr) targetRid updateScript;
+        otherRids =
+          lib.remove targetRid (
+            map (system: dotnetCorePackages.systemToDotnetRid system)
+              vmr.meta.platforms);
+
+        pkg = vmr.overrideAttrs (old: {
+          nativeBuildInputs = old.nativeBuildInputs ++ [
+            nix
+            cacert
+            (nuget-to-nix.override { dotnet-sdk = dotnetSdk; })
+          ];
+          postPatch = old.postPatch or "" + ''
+            xmlstarlet ed \
+              --inplace \
+              -s //Project -t elem -n Import \
+              -i \$prev -t attr -n Project -v "${./record-downloaded-packages.proj}" \
+              repo-projects/Directory.Build.targets
+            # make nuget-client use the standard arcade package-cache dir, which
+            # is where we scan for dependencies
+            xmlstarlet ed \
+              --inplace \
+              -s //Project -t elem -n ItemGroup \
+              -s \$prev -t elem -n EnvironmentVariables \
+              -i \$prev -t attr -n Include -v 'NUGET_PACKAGES=$(ProjectDirectory)artifacts/sb/package-cache/' \
+              repo-projects/nuget-client.proj
+          '';
+          buildFlags = [ "--online" ] ++ old.buildFlags;
+          prebuiltPackages = null;
+        });
+
+        drv = builtins.unsafeDiscardOutputDependency pkg.drvPath;
+      in
+        writeShellScript "fetch-dotnet-sdk-deps" ''
+          ${nix}/bin/nix-shell --pure --run 'source /dev/stdin' "${drv}" << 'EOF'
+          set -e
+
+          tmp=$(mktemp -d)
+          trap 'rm -fr "$tmp"' EXIT
+
+          HOME=$tmp/.home
+          cd "$tmp"
+
+          phases="''${prePhases[*]:-} unpackPhase patchPhase ''${preConfigurePhases[*]:-} \
+            configurePhase ''${preBuildPhases[*]:-} buildPhase checkPhase" \
+            genericBuild
+
+          depsFiles=(./src/*/deps.nix)
+
+          cat $(nix-build ${toString ./combine-deps.nix} \
+            --arg list "[ ''${depsFiles[*]} ]" \
+            --argstr baseRid ${targetRid} \
+            --arg otherRids '${lib.generators.toPretty { multiline = false; } otherRids}' \
+            ) > "${toString prebuiltPackages.sourceFile}"
+          EOF
+        '';
+    };
+  });
+in mkPackages { inherit vmr; }
diff --git a/pkgs/development/compilers/dotnet/stage1.nix b/pkgs/development/compilers/dotnet/stage1.nix
new file mode 100644
index 0000000000000..4212aaaab0249
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/stage1.nix
@@ -0,0 +1,27 @@
+{ stdenv
+, lib
+, callPackage
+, pkgsBuildHost
+
+, releaseManifestFile
+, tarballHash
+, depsFile
+, bootstrapSdk
+}@args:
+
+let
+  mkPackages = callPackage ./packages.nix;
+  mkVMR = callPackage ./vmr.nix;
+
+  stage0 = pkgsBuildHost.callPackage ./stage0.nix args;
+
+  vmr = (mkVMR {
+    inherit releaseManifestFile tarballHash;
+    dotnetSdk = stage0.sdk;
+  }).overrideAttrs (old: {
+    passthru = old.passthru or {} // {
+      inherit (stage0.vmr) fetch-deps;
+    };
+  });
+
+in mkPackages { inherit vmr; }
diff --git a/pkgs/development/compilers/dotnet/stop-passing-bare-sdk-arg-to-swiftc.patch b/pkgs/development/compilers/dotnet/stop-passing-bare-sdk-arg-to-swiftc.patch
new file mode 100644
index 0000000000000..fa2606c0c6cd9
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/stop-passing-bare-sdk-arg-to-swiftc.patch
@@ -0,0 +1,31 @@
+From 85a940f3f039704da73ee177c1848cd4b6ed029f Mon Sep 17 00:00:00 2001
+From: David McFarland <corngood@gmail.com>
+Date: Tue, 9 Jan 2024 15:10:00 -0400
+Subject: [PATCH] stop passing bare sdk arg to swiftc
+
+---
+ .../CMakeLists.txt                                          | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/runtime/src/native/libs/System.Security.Cryptography.Native.Apple/CMakeLists.txt b/src/runtime/src/native/libs/System.Security.Cryptography.Native.Apple/CMakeLists.txt
+index b847f5c3cd..cf8344ead0 100644
+--- a/src/runtime/src/native/libs/System.Security.Cryptography.Native.Apple/CMakeLists.txt
++++ b/src/runtime/src/native/libs/System.Security.Cryptography.Native.Apple/CMakeLists.txt
+@@ -49,9 +49,13 @@ if (NOT SWIFT_COMPILER_TARGET AND CLR_CMAKE_TARGET_OSX)
+     set(SWIFT_COMPILER_TARGET "${CMAKE_OSX_ARCHITECTURES}-apple-${SWIFT_PLATFORM}${SWIFT_DEPLOYMENT_TARGET}${SWIFT_PLATFORM_SUFFIX}")
+ endif()
+ 
++if (CMAKE_OSX_SYSROOT)
++    set(SWIFT_ARGS -sdk ${CMAKE_OSX_SYSROOT})
++endif()
++
+ add_custom_command(
+     OUTPUT pal_swiftbindings.o
+-    COMMAND xcrun swiftc -emit-object -static -parse-as-library -runtime-compatibility-version none -sdk ${CMAKE_OSX_SYSROOT} -target ${SWIFT_COMPILER_TARGET} ${CMAKE_CURRENT_SOURCE_DIR}/pal_swiftbindings.swift -o pal_swiftbindings.o
++    COMMAND xcrun swiftc -emit-object -static -parse-as-library -runtime-compatibility-version none ${SWIFT_ARGS} -target ${SWIFT_COMPILER_TARGET} ${CMAKE_CURRENT_SOURCE_DIR}/pal_swiftbindings.swift -o pal_swiftbindings.o
+     MAIN_DEPENDENCY ${CMAKE_CURRENT_SOURCE_DIR}/pal_swiftbindings.swift
+     COMMENT "Compiling Swift file pal_swiftbindings.swift"
+ )
+-- 
+2.42.0
+
diff --git a/pkgs/development/compilers/dotnet/update.nix b/pkgs/development/compilers/dotnet/update.nix
new file mode 100644
index 0000000000000..89291d2461d8d
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/update.nix
@@ -0,0 +1,123 @@
+{ stdenvNoCC
+, lib
+, fetchurl
+, writeScript
+, nix
+, runtimeShell
+, curl
+, cacert
+, jq
+, yq
+, gnupg
+
+, releaseManifestFile
+, releaseInfoFile
+, allowPrerelease
+}:
+
+let
+  inherit (lib.importJSON releaseManifestFile) channel release;
+
+  pkg = stdenvNoCC.mkDerivation {
+    name = "update-dotnet-vmr-env";
+
+    nativeBuildInputs = [
+      nix
+      curl
+      cacert
+      jq
+      yq
+      gnupg
+    ];
+  };
+
+  releaseKey = fetchurl {
+    url = "https://dotnet.microsoft.com/download/dotnet/release-key-2023.asc";
+    hash = "sha256-F668QB55md0GQvoG0jeA66Fb2RbrsRhFTzTbXIX3GUo=";
+  };
+
+  drv = builtins.unsafeDiscardOutputDependency pkg.drvPath;
+
+in writeScript "update-dotnet-vmr.sh" ''
+  #! ${nix}/bin/nix-shell
+  #! nix-shell -i ${runtimeShell} --pure ${drv}
+  set -euo pipefail
+
+  query=$(cat <<EOF
+      map(
+          select(
+              ${lib.optionalString (!allowPrerelease) ".prerelease == false and"}
+              .draft == false and
+              (.name | startswith(".NET ${channel}")))) |
+      first | (
+          .name,
+          .tag_name,
+          (.assets |
+              .[] |
+              select(.name == "release.json") |
+              .browser_download_url),
+          (.assets |
+              .[] |
+              select(.name | endswith(".tar.gz.sig")) |
+              .browser_download_url))
+  EOF
+  )
+
+  (
+      curl -fsL https://api.github.com/repos/dotnet/dotnet/releases | \
+      jq -r "$query" \
+  ) | (
+      read name
+      read tagName
+      read releaseUrl
+      read sigUrl
+
+      if [[ "$name" == ".NET ${release}" ]]; then
+          >&2 echo "release is already $name"
+          exit
+      fi
+
+      tmp="$(mktemp -d)"
+      trap 'rm -rf "$tmp"' EXIT
+
+      tarballUrl=https://github.com/dotnet/dotnet/archive/refs/tags/$tagName.tar.gz
+
+      mapfile -t prefetch < <(nix-prefetch-url --print-path "$tarballUrl")
+      tarballHash=$(nix-hash --to-sri --type sha256 "''${prefetch[0]}")
+      tarball=''${prefetch[1]}
+
+      cd "$tmp"
+      curl -L "$sigUrl" -o release.sig
+
+      export GNUPGHOME=$PWD/.gnupg
+      gpg --batch --import ${releaseKey}
+      gpg --batch --verify release.sig "$tarball"
+
+      tar --strip-components=1 --no-wildcards-match-slash --wildcards -xzf "$tarball" \*/eng/Versions.props
+      artifactsVersion=$(xq -r '.Project.PropertyGroup |
+          map(select(.PrivateSourceBuiltArtifactsVersion))
+          | .[] | .PrivateSourceBuiltArtifactsVersion' eng/Versions.props)
+
+      if [[ "$artifactsVersion" != "" ]]; then
+          artifactsUrl=https://dotnetcli.azureedge.net/source-built-artifacts/assets/Private.SourceBuilt.Artifacts.$artifactsVersion.centos.8-x64.tar.gz
+      else
+          artifactsUrl=$(xq -r '.Project.PropertyGroup |
+              map(select(.PrivateSourceBuiltArtifactsUrl))
+              | .[] | .PrivateSourceBuiltArtifactsUrl' eng/Versions.props)
+      fi
+
+      artifactsHash=$(nix-hash --to-sri --type sha256 "$(nix-prefetch-url "$artifactsUrl")")
+
+      jq --null-input \
+          --arg _0 "$tarballHash" \
+          --arg _1 "$artifactsUrl" \
+          --arg _2 "$artifactsHash" \
+          '{
+              "tarballHash": $_0,
+              "artifactsUrl": $_1,
+              "artifactsHash": $_2,
+          }' > "${toString releaseInfoFile}"
+
+      curl -fsL "$releaseUrl" -o ${toString releaseManifestFile}
+  )
+''
diff --git a/pkgs/development/compilers/dotnet/update.sh b/pkgs/development/compilers/dotnet/update.sh
index 6dbf3c1943b37..f9f198b05e2f0 100755
--- a/pkgs/development/compilers/dotnet/update.sh
+++ b/pkgs/development/compilers/dotnet/update.sh
@@ -8,7 +8,7 @@ release () {
   local content="$1"
   local version="$2"
 
-  jq -r '.releases[] | select(."release-version" == "'"$version"'")' <<< "$content"
+  jq -r '.releases[] | select(.sdks[] | ."version" == "'"$version"'")' <<< "$content"
 }
 
 release_files () {
@@ -18,6 +18,14 @@ release_files () {
   jq -r '[."'"$type"'".files[] | select(.name | test("^.*.tar.gz$"))]' <<< "$release"
 }
 
+sdk_files () {
+  local release="$1"
+  local version="$2"
+
+  jq -r '[.sdks[] | select(.version == "'"$version"'") | .files[] | select(.name | test("^.*.tar.gz$"))]' <<< "$release"
+}
+
+
 release_platform_attr () {
   local release_files="$1"
   local platform="$2"
@@ -321,13 +329,13 @@ Examples:
     # Then get the json file and parse it to find the latest patch release.
     major_minor=$(sed 's/^\([0-9]*\.[0-9]*\).*$/\1/' <<< "$sem_version")
     content=$(curl -sL https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/"$major_minor"/releases.json)
-    major_minor_patch=$([ "$patch_specified" == true ] && echo "$sem_version" || jq -r '."latest-release"' <<< "$content")
+    major_minor_patch=$([ "$patch_specified" == true ] && echo "$sem_version" || jq -r '."latest-sdk"' <<< "$content")
     major_minor_underscore=${major_minor/./_}
 
-    release_content=$(release "$content" "$major_minor_patch")
+    sdk_version=$major_minor_patch
+    release_content=$(release "$content" "$sdk_version")
     aspnetcore_version=$(jq -r '."aspnetcore-runtime".version' <<< "$release_content")
     runtime_version=$(jq -r '.runtime.version' <<< "$release_content")
-    sdk_version=$(jq -r '.sdk.version' <<< "$release_content")
 
     # If patch was not specified, check if the package is already the latest version
     # If it is, exit early
@@ -346,7 +354,7 @@ Examples:
 
     aspnetcore_files="$(release_files "$release_content" "aspnetcore-runtime")"
     runtime_files="$(release_files "$release_content" "runtime")"
-    sdk_files="$(release_files "$release_content" "sdk")"
+    sdk_files="$(sdk_files "$release_content" "$sdk_version")"
 
     channel_version=$(jq -r '."channel-version"' <<< "$content")
     support_phase=$(jq -r '."support-phase"' <<< "$content")
diff --git a/pkgs/development/compilers/dotnet/versions/8.0.102.nix b/pkgs/development/compilers/dotnet/versions/8.0.102.nix
new file mode 100644
index 0000000000000..2cbba9f84f37e
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/versions/8.0.102.nix
@@ -0,0 +1,179 @@
+{ buildAspNetCore, buildNetRuntime, buildNetSdk }:
+
+# v8.0 (active)
+{
+  aspnetcore_8_0 = buildAspNetCore {
+    version = "8.0.2";
+    srcs = {
+      x86_64-linux = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/d6d79cc3-df2f-4680-96ff-a7198f461139/df025000eaf5beb85d9137274a8c53ea/aspnetcore-runtime-8.0.2-linux-x64.tar.gz";
+        sha512  = "c8d4f9ad45cc97570ac607c0d14064da6c1215ef864afd73688ec7470af774f80504a937cbb5aadbb0083250122aae361770d2bca68f30ac7b62b4717bee6fca";
+      };
+      aarch64-linux = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/bdfd0216-539e-4dfd-81ea-1b7a77dda929/59a62884bdb8684ef0e4f434eaea0ca3/aspnetcore-runtime-8.0.2-linux-arm64.tar.gz";
+        sha512  = "9e5733a0d40705df17a1c96025783fd2544ad344ac98525f9d11947ea6ef632a23b0d2bf536314e4aeda8ae9c0f65b8f8feee184e1a1aabfda30059f59b1b9a6";
+      };
+      x86_64-darwin = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/a44da2c3-cb74-4ffe-af5a-34286598a885/263f113228e88df3f654510c9092f68b/aspnetcore-runtime-8.0.2-osx-x64.tar.gz";
+        sha512  = "a7edf091509305d27275d5d7911c3c61a2546e0d3b5b0fe9fcb9e704daf3c550ea0a5ae659272a29b5e218d02f28b7d331ab0905e9459711624692f1589d7285";
+      };
+      aarch64-darwin = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/a5692569-6092-4db1-9d5c-4862265a7b5b/7173de926da466e21ab9c7666a31dee3/aspnetcore-runtime-8.0.2-osx-arm64.tar.gz";
+        sha512  = "9e79556cf58f9d0b0f302a50ef9724122a9b18daba70e715b7334f9ed97a4983be0386e4132f5273d120f00d18f8af8a8ad7ea1ef0a82c610e268a33e76a30e4";
+      };
+    };
+  };
+
+  runtime_8_0 = buildNetRuntime {
+    version = "8.0.2";
+    srcs = {
+      x86_64-linux = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/307e4bf7-53c1-4b03-a2e5-379151ab3a04/140e7502609d45dfd83e4750b4bb5178/dotnet-runtime-8.0.2-linux-x64.tar.gz";
+        sha512  = "f30f72f55b9e97e36107f920e932477183867726a963ea0d4d151f291981877ba253a7175614c60b386b6a37f9192d97d7402dafdad2529369f512698cb9d1dd";
+      };
+      aarch64-linux = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/9de452db-acbe-48eb-b3f0-305a4e48e32a/515bbe7e3e1deef5ab9a4b8123b901ca/dotnet-runtime-8.0.2-linux-arm64.tar.gz";
+        sha512  = "12c5f49b7bd63d73cae57949e1520eaebc47732f559f68199ecd3bcca597f2da702352313a20aa100c667ede1d701dc6822f7a4eee9063d1c73d1f451ed832ac";
+      };
+      x86_64-darwin = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/414af43f-fdc6-4e8e-bbff-8b544a6627a8/0719a2eafa1d0d5f73ee0a7aae4ce670/dotnet-runtime-8.0.2-osx-x64.tar.gz";
+        sha512  = "e8945057f5fdf55994675caeff07ff53ba96324edbfe148ea60f58c883548be59cd1d891552b55ed5a594c1cfa549bd783ce9e25b5467ae48ab3f97590f36003";
+      };
+      aarch64-darwin = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/c7b73f69-39ca-4d2a-bd02-a72abb3a4fc5/6d68aa25f4576b70fff4925fb4e69c4b/dotnet-runtime-8.0.2-osx-arm64.tar.gz";
+        sha512  = "c410f56283f0d51484d26755349a7b62364e2c54650c87dcee6fea0a370fa84b14b4ebc8c5e121e2b3ea4f0ac2880ebe40a43bcb02aa30ce360fd0dbc12fbfbb";
+      };
+    };
+  };
+
+  sdk_8_0 = buildNetSdk {
+    version = "8.0.102";
+    srcs = {
+      x86_64-linux = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/672cfd95-c7fe-42e3-8b68-30c74f7af88e/ecdaa65fe42b6572ed37d407c26de8a2/dotnet-sdk-8.0.102-linux-x64.tar.gz";
+        sha512  = "f5928f5b947441065f2f34b25ae8de1fbf7dbae2c0ba918bfb4224d2d08849c79cbdc1825c0d42a5822f12757f78efa58e295a8ee0f0e6fce39cc7c6ed977b8f";
+      };
+      aarch64-linux = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/23568042-614a-41d3-a6b9-51e178e42977/cb1e1f4f5fb5d46080a60cd14d631660/dotnet-sdk-8.0.102-linux-arm64.tar.gz";
+        sha512  = "5e0b5762ab2f038de50859a2e18a3964ea6b754faa01d72f9824100546a271148908e84d666bb63d25e5d9a92038bc8a2f944d0342bbf8834cb5d5e936878c76";
+      };
+      x86_64-darwin = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/e60574bc-0bb6-45c6-ad3f-5c5fa29c75b7/1d903893164d767b98e9998153ed4c88/dotnet-sdk-8.0.102-osx-x64.tar.gz";
+        sha512  = "963432c5c7d7d0b204a92248c61d1be227369c6bc1d47f977c913c416c61584451fd05d0e95a6fbe51f0e1958e1c1a71f2530f478dd036ed2b0e123944b3ce00";
+      };
+      aarch64-darwin = {
+        url     = "https://download.visualstudio.microsoft.com/download/pr/e89e4d12-89c6-419c-a2be-9b2ec96b209f/0f393a6b611b26d7e4599694dff857e2/dotnet-sdk-8.0.102-osx-arm64.tar.gz";
+        sha512  = "69d702b561ae7ddf4c47fe228c16472fd8d7065de1a4a206fc07c6906db49e7da25b21c06f0ef080f41658aeddc0f3c0a23ce1de7e65b830c308bfe13cf95fe8";
+      };
+    };
+    packages = { fetchNuGet }: [
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-arm"; version = "8.0.2"; sha256 = "06s21b9k4niwb2qlrz4faccfmqyxfv08vzd85izla3zjxmqv3jxb"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-arm64"; version = "8.0.2"; sha256 = "1bxsrlsyvia4v3fswxl9pnf9107zwf1n1hlwffyxs0kd5iq7jabr"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-musl-arm64"; version = "8.0.2"; sha256 = "14yysn896flzsisnc3bhfc98slj2xg3f5jr39m62w2p54km0jcrj"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-musl-x64"; version = "8.0.2"; sha256 = "1486lnpn9al764f4q9p2xry38qrk1127m62j5n8ikcx8iazrbkqm"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-x64"; version = "8.0.2"; sha256 = "0fh2lvjrl41r1r4q3v9mylr16arb190x4xs0m5nsg6qak93y6pip"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.osx-x64"; version = "8.0.2"; sha256 = "0ihhhsypb0f8lffl5lbm4nw0l9cwcv6dgylxbgvs10yfpvpix8av"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.win-arm64"; version = "8.0.2"; sha256 = "1pfwb7j3gg62z10k799w2hr8yqmiv9gjvqzw6g72navzk322901s"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.win-x64"; version = "8.0.2"; sha256 = "0anifybcb7yipazd0qsiz6g1kj7liw6qz3lmqhkw3ipbr0zip0vv"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.win-x86"; version = "8.0.2"; sha256 = "0ag84bb4p9w41njyf7yh5h2wgz49qgx1xzhb6q4ls0m03mknp2g6"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Ref"; version = "8.0.2"; sha256 = "1iv12b2pdngn9pzd9cx0n7v3q6dsw8c38vx1ypd6fb27qqwrdrr6"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-musl-arm"; version = "8.0.2"; sha256 = "1a0zy0sfd4k7pwwk7fkgyd4vph91nfbxhjzvha96ravdh8isxngx"; })
+      (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.osx-arm64"; version = "8.0.2"; sha256 = "0xfwnqbbzg1xb6zxlms5v1dj3jh46lh6vzfjbqxj55fj87qr73yi"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.linux-arm"; version = "8.0.2"; sha256 = "1217mw4mw978f2d84h0vf0bbzl55kp8z1n4620rphqh6l4r1gr52"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.linux-arm64"; version = "8.0.2"; sha256 = "1pi4s9sn64cyvarba1vgb17k92ank7q95xmn7dz9zb1z9n6v19hm"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.linux-musl-arm64"; version = "8.0.2"; sha256 = "13ckd4w7ysa5ay5wmklsnws7hhzw6nnlblhcda7r11m0fjfly6lr"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.linux-musl-x64"; version = "8.0.2"; sha256 = "0vy2r79sgr6p665943rb44d1m5xv8m6h96rqlr03g6ipk1gzz6xw"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.linux-x64"; version = "8.0.2"; sha256 = "1kbdpqfq64h3dy2mj90sfi2pjks77fmp74fqkvps35fh3lacb3dq"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.osx-x64"; version = "8.0.2"; sha256 = "1xlnlp4ckqn0myl5pzsqhmpall1pnbmqhb62rr7m61dy83xhvm6l"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.win-arm64"; version = "8.0.2"; sha256 = "131kgy0787a38zmb3y002yr1lrnkfc4mk2xmh8jx5pqkl7bp5p67"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.win-x64"; version = "8.0.2"; sha256 = "1p7152v1wyhrxh1mqq29bm06xcfilzngr89cl8kxv5lcars3yc00"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.win-x86"; version = "8.0.2"; sha256 = "0yyix9cypm53b0q6zfw5bqbm18x2s54ns7a1w7apxfzs8cckjfp7"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-arm"; version = "8.0.2"; sha256 = "0j31y9qwcm76zsxbid52zn4350sbq489pa7znmkzdrxgbcn19dmq"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-arm64"; version = "8.0.2"; sha256 = "1g2n69s8sa9ik9jhkc6xcdjcvghwr5m9glbxr1f22dbj6nw433c4"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-musl-arm64"; version = "8.0.2"; sha256 = "0h148hmzrplhw2cx9yd2jmrw6ilpc9ys98w6jcaphzb7n184y374"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-musl-x64"; version = "8.0.2"; sha256 = "1xcfs5yxsxis9hx1dkp5bkhgl0n95ja2ibwwnxmg2agc8134y935"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-x64"; version = "8.0.2"; sha256 = "0zvivfiz8lja1k6vcmwswh4lz6ch8x0nlap3x35psfw3p7j51163"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.osx-x64"; version = "8.0.2"; sha256 = "0x3fsfkv2gcilhsj31pjgg2vfibq2xvqhprw3hpm4gig4c2qi4fg"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.win-arm64"; version = "8.0.2"; sha256 = "1w6bads6vyiikbfds95zpw91qmb87a20my67c5pri3q6qqwcny6d"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.win-x64"; version = "8.0.2"; sha256 = "1cfd2bq41y3m86528hxlh3cj975rvhj8gigalfxaw5jsv8hw6cdm"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.win-x86"; version = "8.0.2"; sha256 = "0s92zdr0midkjk5xip0l3s8md7gcfh4dz81pqz2p7wwhcm29k1hq"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "0c99m8sh056wkk7h3f9bj8l67dxwzwnmz0ix398ff1w1pdpiabcm"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "13l2xa4fxnm6i6kpjwr173hyd61s2ks7sjzp2ah3l1n71wds3vag"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "16qhn61di7gz5a68sc2rg5y2y4293rsbks4rvplyjr68scnba4hb"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "0mz7h7silzjgf6p4f0qk8izvjf0dlppvxjf44f381kkamm6viiqd"; })
+      (fetchNuGet { pname = "runtime.linux-arm64.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "0bvivl9ffgpsq4rbv8n8ivw9jr8yykbsp8r77n23xjm5vz8fcaks"; })
+      (fetchNuGet { pname = "runtime.linux-arm64.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "1k6vv7mpa81pjx1v8wd8d7ns3wr3ydql1ihx59s6cfg8fx18j5w9"; })
+      (fetchNuGet { pname = "runtime.linux-arm64.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "05480dq2mzzfvk9whlz16lq0rs2kzy55d905cl832df6j36yzy9w"; })
+      (fetchNuGet { pname = "runtime.linux-arm64.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "1gm5yrbyh6h09lsr7izbg7izqiq3nwf7cx4y12hwk63544hprh2j"; })
+      (fetchNuGet { pname = "runtime.linux-arm.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "0wqdx4h3isn1la8wbm8mvip0ai3fspvr8q2g2hx04lylpilcwnfy"; })
+      (fetchNuGet { pname = "runtime.linux-arm.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "16l4dzmqsjnppl8ra3dz3062na1324zqpibcb9kk6aliayzkwjmp"; })
+      (fetchNuGet { pname = "runtime.linux-arm.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "0qzqbpwa79qizj7yzmmk2kr1ibwdg0m104rp2ava2qp8c9mxx1lq"; })
+      (fetchNuGet { pname = "runtime.linux-arm.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "10k85lqnczpdnzw43ylkma0iv1wxzqv9x4pfr31zwfb5z5p3m7ja"; })
+      (fetchNuGet { pname = "runtime.linux-musl-arm64.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "0yd9vf8z1p264411p4y2aka4dnzhjvi7zhxc9dy6yfjwndlqfz03"; })
+      (fetchNuGet { pname = "runtime.linux-musl-arm64.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "1vhi86iwln4pv2k0v6xfx5rp2vk5l6l4p399rj63wmm928n3v2la"; })
+      (fetchNuGet { pname = "runtime.linux-musl-arm64.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "0i7l7zw99nfq1s43d4cyhs9p5bx719x0q1fmlkp8am4mwga554kf"; })
+      (fetchNuGet { pname = "runtime.linux-musl-arm64.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "1ny0hjyip2n9mv0iiv2rpikb3apk4cjhvcdi17xn6vf3m79xxbwi"; })
+      (fetchNuGet { pname = "runtime.linux-musl-x64.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "0cllix46qh7lxihkaaxhb3islwn8vqn5lkr4c8c3bynvyblskjvw"; })
+      (fetchNuGet { pname = "runtime.linux-musl-x64.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "1f20gw4sq0s8idysdbpgrdh5l8ik3lry0i3nq60km9z9n183svxd"; })
+      (fetchNuGet { pname = "runtime.linux-musl-x64.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "0c31vfab355bi27wlz18azpyir9y89nn8dcg43j074whc469q0vx"; })
+      (fetchNuGet { pname = "runtime.linux-musl-x64.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "1xmy68m6vslqbl4njllgqscdslqj7xgkgjzpx4pq344mxh6r9agc"; })
+      (fetchNuGet { pname = "runtime.linux-x64.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "0s93dmisai8wgjid697rgdx3lw2a0s0krr1gcnaav8jz9dg9i8lc"; })
+      (fetchNuGet { pname = "runtime.linux-x64.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "0ikwfn1q8jkvzyx77b8ycm7k7004j2w8zgjzkf8kgyw55gy8xfjm"; })
+      (fetchNuGet { pname = "runtime.linux-x64.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "0gcwjjaw1lajqmwaji0x03w24721dczgnqrzqjw5ayjh8ib3dir2"; })
+      (fetchNuGet { pname = "runtime.linux-x64.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "1i6wijgpksz81hg01c2pwi06k413x6vni4x8v3y38jyazg7qkfp0"; })
+      (fetchNuGet { pname = "runtime.osx-x64.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "0hsby9ssa974cqkcc29xrjrrqmxyhfkkssmmhrrimh46n7sxzqab"; })
+      (fetchNuGet { pname = "runtime.osx-x64.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "0vwlfcpvbjhw0qmqnscnin75a5lb5llhzjizcp3nh5mjnkdghd8q"; })
+      (fetchNuGet { pname = "runtime.osx-x64.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "00kv6ijg6yway8km36yj7jq9y1p87iw8b8ysga66qv05y4fvjch1"; })
+      (fetchNuGet { pname = "runtime.osx-x64.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "05dz9mxc94y59y6ja05zamdp63qfdss831816y28kjjw4v4crz1q"; })
+      (fetchNuGet { pname = "runtime.win-arm64.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "0qbm5zgvcwmmqlcj4jaixbw4a1zzyrf8ap81nlqjfdxp03bv9zqa"; })
+      (fetchNuGet { pname = "runtime.win-arm64.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "1jsnxh1hgy7jrjhbz4kf6gq2x3smfx071cb2w1fa3a740h3i0f4m"; })
+      (fetchNuGet { pname = "runtime.win-arm64.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "1738mc91wy3yn2bf4srs2wxksd864hm565nmll396q6gw97a4df4"; })
+      (fetchNuGet { pname = "runtime.win-arm64.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "152jc4v2zxcax55vmd9xrsxq76q4cqpjlgrd1mfszipnngrlrc71"; })
+      (fetchNuGet { pname = "runtime.win-x64.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "1z9fa5ryi23sn163j7jry45f64rxqkgv7v91r04b9cpb4hc1qgym"; })
+      (fetchNuGet { pname = "runtime.win-x64.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "14qz0ypylcwldyjn1ins8syjzbqpmfsy4nfkzri12mfn0626qmn2"; })
+      (fetchNuGet { pname = "runtime.win-x64.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "136ss58j9wpxp6sj81mijlk32l2f6h81rvaq4l7x0s8wb9fzzbb5"; })
+      (fetchNuGet { pname = "runtime.win-x64.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "02562zc9nrkfwikzff7km6mixxb1qf632r60jpzykizgx6w0nrck"; })
+      (fetchNuGet { pname = "runtime.win-x86.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "1sylbjvrr1jnlgd1215czr3xql2gdqy5h5sz7rnfq31hb1j5nc20"; })
+      (fetchNuGet { pname = "runtime.win-x86.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "0ia1igli2r5gnli0r0yzqm012l56zrjf1jk42viahlil2ic3i144"; })
+      (fetchNuGet { pname = "runtime.win-x86.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "0h1kydv3dxnd9s32fd68x44jhc2pm79gv44mb7jf4227lr1dcxss"; })
+      (fetchNuGet { pname = "runtime.win-x86.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "1njywfwlq2785yk4b0114nzdb33zsgsmqj5fhpr6ii1crym649hl"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.linux-musl-arm"; version = "8.0.2"; sha256 = "16lp15z1msadrhiqlwwp0ni9k0slp3am05gqs5bagzwk35mcn27q"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Host.osx-arm64"; version = "8.0.2"; sha256 = "1v8nngksh0cp51g221bizz52jjpc4rzm1avcy5psl81ywmkwmj93"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-musl-arm"; version = "8.0.2"; sha256 = "142s1ricyk351nqg298w5qlzd4scz8pc66x5mw9qh75vcyxsr83f"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.osx-arm64"; version = "8.0.2"; sha256 = "116rkq5ri5dbhp5g7zyc71ml2v92vb5bw5f3nx96llb1pqk74grh"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Ref"; version = "8.0.2"; sha256 = "1c2n7cfc7b6sjgk84hxppv57sh1n4dy49cmdd16ki1l6yl2f3j9d"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.Mono.linux-arm"; version = "8.0.2"; sha256 = "0c6v2mdfshy5966fl2pfkfhgfs8y1sd0r47lfx7d4igy933dqfga"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.Mono.linux-arm64"; version = "8.0.2"; sha256 = "1g8asdz9f3i0mjyh1mkxzfc6x8x77z0d88fa6irpyhh0w45qfccw"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.Mono.linux-musl-x64"; version = "8.0.2"; sha256 = "14djb55i8nwsr3170b82lr89dqxjghnkkghxxy2sl4d2bxw0bsfa"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.Mono.linux-x64"; version = "8.0.2"; sha256 = "0h0cc31c1izakpx554kivjqw3s5030a9zy3q4a2apwyj16znv2cw"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.Mono.osx-arm64"; version = "8.0.2"; sha256 = "18599d4y8n4y0w489pg7zm4nd4a23iz4zwx317pr5z57b4wrk61k"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.Mono.osx-x64"; version = "8.0.2"; sha256 = "04wvf035rr5kw6bj46ici8353lx5k95slydpm42kv1fcy3slqb4p"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.Mono.win-x64"; version = "8.0.2"; sha256 = "1adxkh9y3y9cxisrn52c75dmzgfkbnz9aqs2p97ln9qdxxvhzhc2"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.Mono.win-x86"; version = "8.0.2"; sha256 = "0721kp5l7k25ivi2sdxx12kjpddas5l6y5qjmfw8pjcyximhqn0b"; })
+      (fetchNuGet { pname = "runtime.linux-musl-arm.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "1kkjmyhrnghihhfvm3qjrkrjbml2nqv8vyslj0g79pjanaqv3prs"; })
+      (fetchNuGet { pname = "runtime.linux-musl-arm.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "1j5qhbgy9d1d89xcgdyjcnww0ziad846nd6x5l8fa109z8wvsnki"; })
+      (fetchNuGet { pname = "runtime.linux-musl-arm.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "12n0m0rbxp05ggrkxa9yr6kn46pnn3pc4c22p6kkv5ijyg8nhd74"; })
+      (fetchNuGet { pname = "runtime.linux-musl-arm.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "1mhwggjfpwssyzxl2mj3j9017xc8qwnw4xlm2rn96yfgsd1pxfpv"; })
+      (fetchNuGet { pname = "runtime.osx-arm64.Microsoft.NETCore.DotNetAppHost"; version = "8.0.2"; sha256 = "1nvis5p0gvymv6sdrmgpgg94sr2w3maskm0c3d8p861wfiwwh0hv"; })
+      (fetchNuGet { pname = "runtime.osx-arm64.Microsoft.NETCore.DotNetHost"; version = "8.0.2"; sha256 = "1vjrnga6inham84hggkx1kkpx4yn7v7z1xnwxas9lisxd0ych7k1"; })
+      (fetchNuGet { pname = "runtime.osx-arm64.Microsoft.NETCore.DotNetHostPolicy"; version = "8.0.2"; sha256 = "0rrblgydpz3yf5gj9kpjc8b17x739nzr1956pwwyarhvh9y0vqrd"; })
+      (fetchNuGet { pname = "runtime.osx-arm64.Microsoft.NETCore.DotNetHostResolver"; version = "8.0.2"; sha256 = "0xpsaxi54g0xac80gy5nv7qk5b513ak1s397b36vwg7mivwc4yhh"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Crossgen2.linux-musl-arm"; version = "8.0.2"; sha256 = "1nm6ibys303xlawqibqygpg1gqc8wm1nxb6pl6vgwmp5w4q02r5h"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Crossgen2.linux-musl-arm64"; version = "8.0.2"; sha256 = "0h6wwlz3mqb8758laczcaq7a0wmnmjf797dh5xwyiq50j1ss1mhw"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Crossgen2.linux-musl-x64"; version = "8.0.2"; sha256 = "09id8hnx0s4x5qvmvifb6jhkfaxzj53yvhl84pvrr4wv4p6ns7cm"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Crossgen2.linux-arm"; version = "8.0.2"; sha256 = "0cg7b57fysgw809m77nb9dqr56g48ya6bjlh7x880ih5b76bnlak"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Crossgen2.linux-arm64"; version = "8.0.2"; sha256 = "1rqr95ix3khc7mbaji520l2vv8vjbrg8zzpv6h1i3p3rdbzjm3l2"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Crossgen2.linux-x64"; version = "8.0.2"; sha256 = "0kzvyghyj95p2qxidp1g8nx5d9qd7wlchpg1a5dqbpv9skljdn7m"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Crossgen2.osx-x64"; version = "8.0.2"; sha256 = "0hmk25bvlpn3sfx4vlvysj2myx4dd8fc2pv3gmhfgb2y01dnswjh"; })
+      (fetchNuGet { pname = "Microsoft.NETCore.App.Crossgen2.osx-arm64"; version = "8.0.2"; sha256 = "1z76l5mpvik3517lcl3qygsfsws4yp37j37sslb4sq7gls4aa0w2"; })
+      (fetchNuGet { pname = "runtime.linux-arm64.Microsoft.DotNet.ILCompiler"; version = "8.0.2"; sha256 = "1kjlc67bqz7d04ga42l7jm9d3jm773a9i77zc5w7cd591wa8vbbv"; })
+      (fetchNuGet { pname = "runtime.linux-musl-arm64.Microsoft.DotNet.ILCompiler"; version = "8.0.2"; sha256 = "0bx7jv4q8dapx6fb6dbk1im057qmk43isvzygp5ci6nd07p419qf"; })
+      (fetchNuGet { pname = "runtime.linux-musl-x64.Microsoft.DotNet.ILCompiler"; version = "8.0.2"; sha256 = "1nf6m85f10j5qcyk0w18qxd06n79w0jvnifis08shdsq1isz403z"; })
+      (fetchNuGet { pname = "runtime.linux-x64.Microsoft.DotNet.ILCompiler"; version = "8.0.2"; sha256 = "0pl0w114qrlb8bv6d4jw1gv29dz2cs86y3r0nj5z2fxd1r30khym"; })
+      (fetchNuGet { pname = "runtime.osx-x64.Microsoft.DotNet.ILCompiler"; version = "8.0.2"; sha256 = "05bs32vhcvpd1dbvmk1rgqm2swp4gn5yv4mwfsisa4q5qi2xlaza"; })
+      (fetchNuGet { pname = "runtime.win-arm64.Microsoft.DotNet.ILCompiler"; version = "8.0.2"; sha256 = "12q0adp0hakl9qrf4bqzkvfsy4az55im6sm1nv7g3k5q4vwkqh30"; })
+      (fetchNuGet { pname = "runtime.win-x64.Microsoft.DotNet.ILCompiler"; version = "8.0.2"; sha256 = "1k1iwpsranma2mrljfz9yr63pxbv5l9j4n0zmancbsxlhx31m30s"; })
+      (fetchNuGet { pname = "Microsoft.NET.ILLink.Tasks"; version = "8.0.2"; sha256 = "1fd7ws4qf0354np3lvd735p5r1mdj3zy6gbmv5fzz5cx2bdlplwy"; })
+    ];
+  };
+}
diff --git a/pkgs/development/compilers/dotnet/vmr.nix b/pkgs/development/compilers/dotnet/vmr.nix
new file mode 100644
index 0000000000000..36b75c40e6c8b
--- /dev/null
+++ b/pkgs/development/compilers/dotnet/vmr.nix
@@ -0,0 +1,332 @@
+{ clangStdenv
+, stdenvNoCC
+, lib
+, fetchurl
+, fetchFromGitHub
+, dotnetCorePackages
+, jq
+, curl
+, git
+, cmake
+, pkg-config
+, llvm
+, zlib
+, icu
+, lttng-ust_2_12
+, libkrb5
+, glibcLocales
+, ensureNewerSourcesForZipFilesHook
+, darwin
+, xcbuild
+, swiftPackages
+, openssl
+, getconf
+, makeWrapper
+, python3
+, xmlstarlet
+, callPackage
+
+, dotnetSdk
+, releaseManifestFile
+, tarballHash
+}:
+
+let
+  stdenv = if clangStdenv.isDarwin
+    then swiftPackages.stdenv
+    else clangStdenv;
+
+  inherit (stdenv)
+    isLinux
+    isDarwin
+    buildPlatform
+    targetPlatform;
+  inherit (darwin) cctools;
+  inherit (swiftPackages) apple_sdk swift;
+
+  releaseManifest = lib.importJSON releaseManifestFile;
+  inherit (releaseManifest) release sourceRepository tag;
+
+  buildRid = dotnetCorePackages.systemToDotnetRid buildPlatform.system;
+  targetRid = dotnetCorePackages.systemToDotnetRid targetPlatform.system;
+  targetArch = lib.elemAt (lib.splitString "-" targetRid) 1;
+
+  sigtool = callPackage ./sigtool.nix {};
+
+  # we need dwarfdump from cctools, but can't have e.g. 'ar' overriding stdenv
+  dwarfdump = stdenvNoCC.mkDerivation {
+    name = "dwarfdump-wrapper";
+    dontUnpack = true;
+    installPhase = ''
+      mkdir -p "$out/bin"
+      ln -s "${cctools}/bin/dwarfdump" "$out/bin"
+    '';
+  };
+
+  _icu = if isDarwin then darwin.ICU else icu;
+
+in stdenv.mkDerivation rec {
+  pname = "dotnet-vmr";
+  version = release;
+
+  # TODO: fix this in the binary sdk packages
+  preHook = lib.optionalString stdenv.isDarwin ''
+    addToSearchPath DYLD_LIBRARY_PATH "${_icu}/lib"
+    export DYLD_LIBRARY_PATH
+  '';
+
+  src = fetchurl {
+    url = "${sourceRepository}/archive/refs/tags/${tag}.tar.gz";
+    hash = tarballHash;
+  };
+
+  nativeBuildInputs = [
+    ensureNewerSourcesForZipFilesHook
+    jq
+    curl.bin
+    git
+    cmake
+    pkg-config
+    python3
+    xmlstarlet
+  ]
+  ++ lib.optionals isDarwin [
+    getconf
+  ];
+
+  buildInputs = [
+    # this gets copied into the tree, but we still want the hooks to run
+    dotnetSdk
+    # the propagated build inputs in llvm.dev break swift compilation
+    llvm.out
+    zlib
+    _icu
+    openssl
+  ]
+  ++ lib.optionals isLinux [
+    libkrb5
+    lttng-ust_2_12
+  ]
+  ++ lib.optionals isDarwin (with apple_sdk.frameworks; [
+    xcbuild.xcrun
+    swift
+    (libkrb5.overrideAttrs (old: {
+      # the propagated build inputs break swift compilation
+      buildInputs = old.buildInputs ++ old.propagatedBuildInputs;
+      propagatedBuildInputs = [];
+    }))
+    dwarfdump
+    sigtool
+    Foundation
+    CoreFoundation
+    CryptoKit
+    System
+  ]);
+
+  # This is required to fix the error:
+  # > CSSM_ModuleLoad(): One or more parameters passed to a function were not valid.
+  # The error occurs during
+  # AppleCryptoNative_X509ImportCollection -> ReadX509 -> SecItemImport
+  # while importing trustedroots/codesignctl.pem. This happens during any dotnet
+  # restore operation.
+  # Enabling com.apple.system.opendirectoryd.membership causes swiftc to use
+  # /var/folders for its default cache path, so the swiftc -module-cache-path
+  # patch below is required.
+  sandboxProfile = ''
+    (allow file-read* (subpath "/private/var/db/mds/system"))
+    (allow mach-lookup (global-name "com.apple.SecurityServer")
+                       (global-name "com.apple.system.opendirectoryd.membership"))
+  '';
+
+  patches = [
+    ./fix-aspnetcore-portable-build.patch
+    ./fix-tmp-path.patch
+  ]
+  ++ lib.optionals isDarwin [
+    ./stop-passing-bare-sdk-arg-to-swiftc.patch
+  ];
+
+  postPatch = ''
+    # set the sdk version in global.json to match the bootstrap sdk
+    jq '(.tools.dotnet=$dotnet)' global.json --arg dotnet "$(${dotnetSdk}/bin/dotnet --version)" > global.json~
+    mv global.json{~,}
+
+    patchShebangs $(find -name \*.sh -type f -executable)
+
+    # I'm not sure why this is required, but these files seem to use the wrong
+    # property name.
+    # TODO: not needed in 9.0?
+    [[ ! -f src/xliff-tasks/eng/Versions.props ]] || \
+      sed -i 's:\bVersionBase\b:VersionPrefix:g' \
+        src/xliff-tasks/eng/Versions.props
+
+    # at least in 9.0 preview 1, this package depends on a specific beta build
+    # of System.CommandLine
+    xmlstarlet ed \
+      --inplace \
+      -s //Project -t elem -n PropertyGroup \
+      -s \$prev -t elem -n NoWarn -v '$(NoWarn);NU1603' \
+      src/nuget-client/src/NuGet.Core/NuGet.CommandLine.XPlat/NuGet.CommandLine.XPlat.csproj
+
+    # AD0001 crashes intermittently in source-build-reference-packages with
+    # CSC : error AD0001: Analyzer 'Microsoft.NetCore.CSharp.Analyzers.Runtime.CSharpDetectPreviewFeatureAnalyzer' threw an exception of type 'System.NullReferenceException' with message 'Object reference not set to an instance of an object.'.
+    # possibly related to https://github.com/dotnet/runtime/issues/90356
+    xmlstarlet ed \
+      --inplace \
+      -s //Project -t elem -n PropertyGroup \
+      -s \$prev -t elem -n NoWarn -v '$(NoWarn);AD0001' \
+      src/source-build-reference-packages/src/referencePackages/Directory.Build.props
+
+    # https://github.com/microsoft/ApplicationInsights-dotnet/issues/2848
+    xmlstarlet ed \
+      --inplace \
+      -u //_:Project/_:PropertyGroup/_:BuildNumber -v 0 \
+      src/source-build-externals/src/application-insights/.props/_GlobalStaticVersion.props
+
+    # this fixes compile errors with clang 15 (e.g. darwin)
+    substituteInPlace \
+      src/runtime/src/native/libs/CMakeLists.txt \
+      --replace-fail 'add_compile_options(-Weverything)' 'add_compile_options(-Wall)'
+  ''
+  + lib.optionalString isLinux ''
+    substituteInPlace \
+      src/runtime/src/native/libs/System.Security.Cryptography.Native/opensslshim.c \
+      --replace-fail '"libssl.so"' '"${openssl.out}/lib/libssl.so"'
+
+    substituteInPlace \
+      src/runtime/src/native/libs/System.Net.Security.Native/pal_gssapi.c \
+      --replace-fail '"libgssapi_krb5.so.2"' '"${libkrb5}/lib/libgssapi_krb5.so.2"'
+
+    substituteInPlace \
+      src/runtime/src/native/libs/System.Globalization.Native/pal_icushim.c \
+      --replace-fail '"libicui18n.so"' '"${icu}/lib/libicui18n.so"' \
+      --replace-fail '"libicuuc.so"' '"${icu}/lib/libicuuc.so"'
+
+    # TODO: we should really make sure the first one (9.0) or the rest (8.0)
+    # works, but --replace-fail results in an empty file
+    substituteInPlace \
+      src/runtime/src/native/libs/System.Globalization.Native/pal_icushim.c \
+      --replace-warn '#define VERSIONED_LIB_NAME_LEN 64' '#define VERSIONED_LIB_NAME_LEN 256' \
+      --replace-warn 'libicuucName[64]' 'libicuucName[256]' \
+      --replace-warn 'libicui18nName[64]' 'libicui18nName[256]'
+  ''
+  + lib.optionalString isDarwin ''
+    substituteInPlace \
+      src/runtime/src/mono/CMakeLists.txt \
+      src/runtime/src/native/libs/System.Globalization.Native/CMakeLists.txt \
+      --replace-fail '/usr/lib/libicucore.dylib' '${darwin.ICU}/lib/libicucore.dylib'
+
+    substituteInPlace \
+      src/runtime/src/installer/managed/Microsoft.NET.HostModel/HostModelUtils.cs \
+      src/sdk/src/Tasks/Microsoft.NET.Build.Tasks/targets/Microsoft.NET.Sdk.targets \
+      --replace-fail '/usr/bin/codesign' '${sigtool}/bin/codesign'
+
+    # [...]/build.proj(123,5): error : Did not find PDBs for the following SDK files:
+    # [...]/build.proj(123,5): error : sdk/8.0.102/System.Resources.Extensions.dll
+    # [...]/build.proj(123,5): error : sdk/8.0.102/System.CodeDom.dll
+    # [...]/build.proj(123,5): error : sdk/8.0.102/FSharp/System.Resources.Extensions.dll
+    # [...]/build.proj(123,5): error : sdk/8.0.102/FSharp/System.CodeDom.dll
+    substituteInPlace \
+      build.proj \
+      --replace-warn 'FailOnMissingPDBs="true"' 'FailOnMissingPDBs="false"'
+
+    # [...]/installer.singlerid.targets(434,5): error MSB3073: The command "pkgbuild [...]" exited with code 127
+    xmlstarlet ed \
+      --inplace \
+      -s //Project -t elem -n PropertyGroup \
+      -s \$prev -t elem -n InnerBuildArgs -v '$(InnerBuildArgs) /p:SkipInstallerBuild=true' \
+      src/runtime/eng/SourceBuild.props
+
+    # fixes swift errors, see sandboxProfile
+    # <unknown>:0: error: unable to open output file '/var/folders/[...]/C/clang/ModuleCache/[...]/SwiftShims-[...].pcm': 'Operation not permitted'
+    # <unknown>:0: error: could not build Objective-C module 'SwiftShims'
+    substituteInPlace \
+      src/runtime/src/native/libs/System.Security.Cryptography.Native.Apple/CMakeLists.txt \
+      --replace-fail 'xcrun swiftc' 'xcrun swiftc -module-cache-path "$ENV{HOME}/.cache/module-cache"'
+  '';
+
+  prepFlags = [
+    "--no-artifacts"
+    "--no-prebuilts"
+  ];
+
+  configurePhase = ''
+    runHook preConfigure
+
+    # The build process tries to overwrite some things in the sdk (e.g.
+    # SourceBuild.MSBuildSdkResolver.dll), so it needs to be mutable.
+    cp -Tr ${dotnetSdk} .dotnet
+    chmod -R +w .dotnet
+
+    ./prep.sh $prepFlags
+
+    runHook postConfigure
+  '';
+
+  dontUseCmakeConfigure = true;
+
+  # https://github.com/NixOS/nixpkgs/issues/38991
+  # bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
+  LOCALE_ARCHIVE = lib.optionalString isLinux
+    "${glibcLocales}/lib/locale/locale-archive";
+
+  buildFlags = [
+    "--with-packages" dotnetSdk.artifacts
+    "--clean-while-building"
+    "--release-manifest" releaseManifestFile
+    "--"
+    "-p:PortableBuild=true"
+  ] ++ lib.optional (targetRid != buildRid) "-p:TargetRid=${targetRid}";
+
+  buildPhase = ''
+    runHook preBuild
+
+    # on darwin, in a sandbox, this causes:
+    # CSSM_ModuleLoad(): One or more parameters passed to a function were not valid.
+    export DOTNET_GENERATE_ASPNET_CERTIFICATE=0
+
+    # CLR_CC/CXX need to be set to stop the build system from using clang-11,
+    # which is unwrapped
+    version= \
+    CLR_CC=$(command -v clang) \
+    CLR_CXX=$(command -v clang++) \
+      ./build.sh $buildFlags
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir "$out"
+
+    pushd "artifacts/${targetArch}/Release"
+    for archive in *.tar.gz; do
+      target=$out/''${archive%.tar.gz}
+      mkdir "$target"
+      tar -C "$target" -xzf "$PWD/$archive"
+    done
+    popd
+
+    runHook postInstall
+  '';
+
+  passthru = {
+    inherit releaseManifest buildRid targetRid;
+    icu = _icu;
+  };
+
+  meta = with lib; {
+    description = "Core functionality needed to create .NET Core projects, that is shared between Visual Studio and CLI";
+    homepage = "https://dotnet.github.io/";
+    license = licenses.mit;
+    maintainers = with maintainers; [ corngood ];
+    mainProgram = "dotnet";
+    platforms = [
+      "x86_64-linux"
+      "aarch64-linux"
+      "x86_64-darwin"
+      "aarch64-darwin"
+    ];
+  };
+}
diff --git a/pkgs/development/compilers/qbe/001-dont-hardcode-tmp.patch b/pkgs/development/compilers/qbe/001-dont-hardcode-tmp.patch
new file mode 100644
index 0000000000000..556dc5aab2a6a
--- /dev/null
+++ b/pkgs/development/compilers/qbe/001-dont-hardcode-tmp.patch
@@ -0,0 +1,43 @@
+diff --git a/minic/mcc b/minic/mcc
+index 492947e..5258aac 100755
+--- a/minic/mcc
++++ b/minic/mcc
+@@ -31,9 +31,9 @@ then
+ fi
+ 
+ 
+-$DIR/minic < $file          > /tmp/minic.ssa &&
+-$QBE       < /tmp/minic.ssa > /tmp/minic.s   &&
+-cc /tmp/minic.s $flags
++$DIR/minic < $file          > ${TMPDIR:-/tmp}/minic.ssa &&
++$QBE       < ${TMPDIR:-/tmp}/minic.ssa > ${TMPDIR:-/tmp}/minic.s   &&
++cc ${TMPDIR:-/tmp}/minic.s $flags
+ 
+ if test $? -ne 0
+ then
+diff --git a/tools/cra.sh b/tools/cra.sh
+index 5988267..57a4b34 100755
+--- a/tools/cra.sh
++++ b/tools/cra.sh
+@@ -2,7 +2,7 @@
+ 
+ DIR=`cd $(dirname "$0"); pwd`
+ QBE=$DIR/../qbe
+-BUGF=/tmp/bug.id
++BUGF=${TMPDIR:-/tmp}/bug.id
+ FIND=$1
+ FIND=${FIND:-afl-find}
+ 
+diff --git a/tools/test.sh b/tools/test.sh
+index 23c6663..fb36222 100755
+--- a/tools/test.sh
++++ b/tools/test.sh
+@@ -4,7 +4,7 @@ dir=`dirname "$0"`
+ bin=$dir/../qbe
+ binref=$dir/../qbe.ref
+ 
+-tmp=/tmp/qbe.zzzz
++tmp=${TMPDIR:-/tmp}/qbe.zzzz
+ 
+ drv=$tmp.c
+ asm=$tmp.s
diff --git a/pkgs/development/compilers/qbe/default.nix b/pkgs/development/compilers/qbe/default.nix
index d9694c9b4bce6..aeb739bb84d0b 100644
--- a/pkgs/development/compilers/qbe/default.nix
+++ b/pkgs/development/compilers/qbe/default.nix
@@ -16,6 +16,14 @@ stdenv.mkDerivation (finalAttrs: {
 
   doCheck = true;
 
+  enableParallelBuilding = true;
+
+  patches = [
+    # Use "${TMPDIR:-/tmp}" instead of the latter directly
+    # see <https://lists.sr.ht/~mpu/qbe/patches/49613>
+    ./001-dont-hardcode-tmp.patch
+  ];
+
   passthru = {
     tests.can-run-hello-world = callPackage ./test-can-run-hello-world.nix { };
   };
diff --git a/pkgs/development/libraries/libmediainfo/default.nix b/pkgs/development/libraries/libmediainfo/default.nix
index 94acb13205b50..ee81e63ba5e4a 100644
--- a/pkgs/development/libraries/libmediainfo/default.nix
+++ b/pkgs/development/libraries/libmediainfo/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "libmediainfo";
-  version = "23.11";
+  version = "24.01";
 
   src = fetchurl {
     url = "https://mediaarea.net/download/source/libmediainfo/${version}/libmediainfo_${version}.tar.xz";
-    hash = "sha256-GX5U/MeePA1d9EqPWNxOAYvC+F0T+jvtVK89xW1ehT0=";
+    hash = "sha256-oC38Zon0hc7Ab6EqNBTDw6ooU7Td4YrqtLVKVsgxYlk=";
   };
 
   nativeBuildInputs = [ autoreconfHook pkg-config ];
diff --git a/pkgs/development/libraries/rapidfuzz-cpp/default.nix b/pkgs/development/libraries/rapidfuzz-cpp/default.nix
index f24da2c899f12..1544eff83621d 100644
--- a/pkgs/development/libraries/rapidfuzz-cpp/default.nix
+++ b/pkgs/development/libraries/rapidfuzz-cpp/default.nix
@@ -8,13 +8,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "rapidfuzz-cpp";
-  version = "3.0.0";
+  version = "3.0.1";
 
   src = fetchFromGitHub {
-    owner = "maxbachmann";
+    owner = "rapidfuzz";
     repo = "rapidfuzz-cpp";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-N9yGOxlk1+wgRXWLbDIXWQz+/pwbnYVs3ub4/16Nzws=";
+    hash = "sha256-v/apbqRyv93PZsO397lvyIMtA1JtYrOpbWAVAbMCmP4=";
   };
 
   nativeBuildInputs = [
@@ -43,8 +43,8 @@ stdenv.mkDerivation (finalAttrs: {
 
   meta = {
     description = "Rapid fuzzy string matching in C++ using the Levenshtein Distance";
-    homepage = "https://github.com/maxbachmann/rapidfuzz-cpp";
-    changelog = "https://github.com/maxbachmann/rapidfuzz-cpp/blob/${finalAttrs.src.rev}/CHANGELOG.md";
+    homepage = "https://github.com/rapidfuzz/rapidfuzz-cpp";
+    changelog = "https://github.com/rapidfuzz/rapidfuzz-cpp/blob/${finalAttrs.src.rev}/CHANGELOG.md";
     license = lib.licenses.mit;
     maintainers = with lib.maintainers; [ dotlambda ];
     platforms = lib.platforms.unix;
diff --git a/pkgs/development/php-packages/composer/default.nix b/pkgs/development/php-packages/composer/default.nix
index 8a626f46181a8..1f9a16b197bec 100644
--- a/pkgs/development/php-packages/composer/default.nix
+++ b/pkgs/development/php-packages/composer/default.nix
@@ -1,11 +1,22 @@
-{ lib, callPackage, fetchFromGitHub, fetchpatch, php, unzip, _7zz, xz, git, curl, cacert, makeBinaryWrapper }:
+{ lib
+, callPackage
+, fetchFromGitHub
+, php
+, unzip
+, _7zz
+, xz
+, git
+, curl
+, cacert
+, makeBinaryWrapper
+}:
 
 php.buildComposerProject (finalAttrs: {
   # Hash used by ../../../build-support/php/pkgs/composer-phar.nix to
   # use together with the version from this package to keep the
   # bootstrap phar file up-to-date together with the end user composer
   # package.
-  passthru.pharHash = "sha256-cmACAcc8fEshjxwFEbNthTeWPjaq+iRHV/UjCfiFsxQ=";
+  passthru.pharHash = "sha256-H/0L4/J+I3sa5H+ejyn5asf1CgvZ7vT4jNvpTdBL//A=";
 
   composer = callPackage ../../../build-support/php/pkgs/composer-phar.nix {
     inherit (finalAttrs) version;
@@ -13,27 +24,15 @@ php.buildComposerProject (finalAttrs: {
   };
 
   pname = "composer";
-  version = "2.6.6";
+  version = "2.7.1";
 
   src = fetchFromGitHub {
     owner = "composer";
     repo = "composer";
     rev = finalAttrs.version;
-    hash = "sha256-KsTZi7dSlQcAxoen9rpofbptVdLYhK+bZeDSXQY7o5M=";
+    hash = "sha256-OThWqY3m/pIas4qvR/kiYgc/2QrAbnsYEOxpHxKhDfM=";
   };
 
-  patches = [
-    (fetchpatch {
-      name = "CVE-2024-24821.patch";
-      url = "https://github.com/composer/composer/commit/77e3982918bc1d886843dc3d5e575e7e871b27b7.patch";
-      hash = "sha256-Q7gkPLf59+p++DpfJZeOrAOiWePuGkdGYRaS/rK+Nv4=";
-      excludes = [
-        # Skipping test files, they are not included in the source tarball
-        "tests/*"
-      ];
-    })
-  ];
-
   nativeBuildInputs = [ makeBinaryWrapper ];
 
   postInstall = ''
@@ -41,7 +40,7 @@ php.buildComposerProject (finalAttrs: {
       --prefix PATH : ${lib.makeBinPath [ _7zz cacert curl git unzip xz ]}
   '';
 
-  vendorHash = "sha256-50M1yeAKl9KRsjs34cdb5ZTBFgbukgg0cMtHTYGJ/EM=";
+  vendorHash = "sha256-NJa6nu60HQeBJr7dd79ATptjcekgY35Jq9V40SrN9Ds";
 
   meta = {
     changelog = "https://github.com/composer/composer/releases/tag/${finalAttrs.version}";
diff --git a/pkgs/development/python-modules/asyncua/default.nix b/pkgs/development/python-modules/asyncua/default.nix
index e2417b6a2463a..3666d8716d960 100644
--- a/pkgs/development/python-modules/asyncua/default.nix
+++ b/pkgs/development/python-modules/asyncua/default.nix
@@ -19,7 +19,7 @@
 
 buildPythonPackage rec {
   pname = "asyncua";
-  version = "1.0.6";
+  version = "1.1.0";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -28,7 +28,7 @@ buildPythonPackage rec {
     owner = "FreeOpcUa";
     repo = "opcua-asyncio";
     rev = "refs/tags/v${version}";
-    hash = "sha256-16OzTxYafK1a/WVH46bL7VhxNI+XpkPHi2agbArpHUk=";
+    hash = "sha256-tHlo5oNsb8E6r0vmSi0eVbk4RCMg0xe97LITzW9FQWA=";
     fetchSubmodules = true;
   };
 
diff --git a/pkgs/development/python-modules/django-storages/default.nix b/pkgs/development/python-modules/django-storages/default.nix
index 1bce8c0d751e1..29b4aff063096 100644
--- a/pkgs/development/python-modules/django-storages/default.nix
+++ b/pkgs/development/python-modules/django-storages/default.nix
@@ -1,38 +1,33 @@
 { lib
-, buildPythonPackage
-, fetchFromGitHub
-
-# build-system
-, setuptools
-
-# dependencies
-, django
-
-# optional-dependencies
 , azure-storage-blob
 , boto3
+, buildPythonPackage
+, cryptography
+, django
 , dropbox
+, fetchFromGitHub
 , google-cloud-storage
 , libcloud
-, paramiko
-
-# tests
-, cryptography
 , moto
+, paramiko
 , pytestCheckHook
+, pythonOlder
 , rsa
+, setuptools
 }:
 
 buildPythonPackage rec {
   pname = "django-storages";
-  version = "1.14";
-  format = "pyproject";
+  version = "1.14.2";
+  pyproject = true;
+
+  disabled = pythonOlder "3.7";
 
   src = fetchFromGitHub {
     owner = "jschneier";
     repo = "django-storages";
     rev = "refs/tags/${version}";
-    hash = "sha256-q+vQm1T5/ueGPfwzuUOmSI/nESchqJc4XizJieBsLWc=";
+    hash = "sha256-V0uFZvnBi0B31b/j/u3Co6dd9XcdVefiSkl3XmCTJG4=";
   };
 
   nativeBuildInputs = [
@@ -67,12 +62,6 @@ buildPythonPackage rec {
     ];
   };
 
-  pythonImportsCheck = [
-    "storages"
-  ];
-
-  env.DJANGO_SETTINGS_MODULE = "tests.settings";
-
   nativeCheckInputs = [
     cryptography
     moto
@@ -80,9 +69,20 @@ buildPythonPackage rec {
     rsa
   ] ++ lib.flatten (builtins.attrValues passthru.optional-dependencies);
 
+  pythonImportsCheck = [
+    "storages"
+  ];
+
+  env.DJANGO_SETTINGS_MODULE = "tests.settings";
+
+  disabledTests = [
+    # AttributeError: 'str' object has no attribute 'universe_domain'
+    "test_storage_save_gzip"
+  ];
+
   meta = with lib; {
-    changelog = "https://github.com/jschneier/django-storages/blob/${version}/CHANGELOG.rst";
     description = "Collection of custom storage backends for Django";
+    changelog = "https://github.com/jschneier/django-storages/blob/${version}/CHANGELOG.rst";
     downloadPage = "https://github.com/jschneier/django-storages/";
     homepage = "https://django-storages.readthedocs.io";
     license = licenses.bsd3;
diff --git a/pkgs/development/python-modules/environs/default.nix b/pkgs/development/python-modules/environs/default.nix
index 8c179349e18eb..67bca70171e4a 100644
--- a/pkgs/development/python-modules/environs/default.nix
+++ b/pkgs/development/python-modules/environs/default.nix
@@ -4,16 +4,16 @@
 , dj-email-url
 , django-cache-url
 , fetchFromGitHub
+, flit-core
 , marshmallow
 , pytestCheckHook
 , python-dotenv
 , pythonOlder
-, setuptools
 }:
 
 buildPythonPackage rec {
   pname = "environs";
-  version = "10.3.0";
+  version = "11.0.0";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -22,11 +22,11 @@ buildPythonPackage rec {
     owner = "sloria";
     repo = "environs";
     rev = "refs/tags/${version}";
-    hash = "sha256-D6Kp8aHiUls7+cACJ3DwrS4OftA5uMbAu4l5IyR4F5U=";
+    hash = "sha256-9BqIlA2HcUlBiyTB7zxaLO0CzBRkx5mKMMdhvdr2Uqg=";
   };
 
   nativeBuildInputs = [
-    setuptools
+    flit-core
   ];
 
   propagatedBuildInputs = [
diff --git a/pkgs/development/python-modules/flask-marshmallow/default.nix b/pkgs/development/python-modules/flask-marshmallow/default.nix
index be74af2d5f9a8..fdc40c2443039 100644
--- a/pkgs/development/python-modules/flask-marshmallow/default.nix
+++ b/pkgs/development/python-modules/flask-marshmallow/default.nix
@@ -1,13 +1,13 @@
 { lib
 , buildPythonPackage
 , fetchFromGitHub
-, pythonOlder
-, flit-core
 , flask
-, marshmallow
-, pytestCheckHook
 , flask-sqlalchemy
+, flit-core
+, marshmallow
 , marshmallow-sqlalchemy
+, pytestCheckHook
+, pythonOlder
 }:
 
 buildPythonPackage rec {
@@ -33,6 +33,13 @@ buildPythonPackage rec {
     marshmallow
   ];
 
+  passthru.optional-dependencies = {
+    sqlalchemy = [
+      flask-sqlalchemy
+      marshmallow-sqlalchemy
+    ];
+  };
+
   nativeCheckInputs = [
     pytestCheckHook
   ] ++ passthru.optional-dependencies.sqlalchemy;
@@ -41,12 +48,10 @@ buildPythonPackage rec {
     "flask_marshmallow"
   ];
 
-  passthru.optional-dependencies = {
-    sqlalchemy = [
-      flask-sqlalchemy
-      marshmallow-sqlalchemy
-    ];
-  };
+  pytestFlagsArray = [
+    "-W"
+    "ignore::DeprecationWarning"
+  ];
 
   meta = {
     description = "Flask + marshmallow for beautiful APIs";
diff --git a/pkgs/development/python-modules/google-cloud-bigquery/default.nix b/pkgs/development/python-modules/google-cloud-bigquery/default.nix
index b59372f294a03..0a7c67ec7aa72 100644
--- a/pkgs/development/python-modules/google-cloud-bigquery/default.nix
+++ b/pkgs/development/python-modules/google-cloud-bigquery/default.nix
@@ -28,14 +28,14 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-bigquery";
-  version = "3.17.1";
+  version = "3.18.0";
   format = "setuptools";
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-CuB7kNUFK6OilqIhCiFEwoRpMA1x9vRViB+Uwt9UMFc=";
+    hash = "sha256-dPD8bwupR3+AjSWSTcigUsVffKkQZOg+FtPuX7fKd6s=";
   };
 
   propagatedBuildInputs = [
diff --git a/pkgs/development/python-modules/google-cloud-securitycenter/default.nix b/pkgs/development/python-modules/google-cloud-securitycenter/default.nix
index 83634833d4cbe..d27b35b56b1e4 100644
--- a/pkgs/development/python-modules/google-cloud-securitycenter/default.nix
+++ b/pkgs/development/python-modules/google-cloud-securitycenter/default.nix
@@ -13,14 +13,14 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-securitycenter";
-  version = "1.27.0";
+  version = "1.28.0";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-ALdAT+C5LBTrSAXk6ko9KidutN5Tub+ufDAxfZsSGtk=";
+    hash = "sha256-80syqWoK2J+CjsBFO6LJEuF+pimJGpufgRLObHSKcAw=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/python-modules/google-cloud-storage/default.nix b/pkgs/development/python-modules/google-cloud-storage/default.nix
index 525af0451f1c0..b999d28147f83 100644
--- a/pkgs/development/python-modules/google-cloud-storage/default.nix
+++ b/pkgs/development/python-modules/google-cloud-storage/default.nix
@@ -18,14 +18,14 @@
 
 buildPythonPackage rec {
   pname = "google-cloud-storage";
-  version = "2.14.0";
+  version = "2.15.0";
   pyproject = true;
 
   disabled = pythonOlder "3.7";
 
   src = fetchPypi {
     inherit pname version;
-    hash = "sha256-LSP89ZtV57RTNnKcFIuxxGRGjGnV77ruMPcgHdkOuX4=";
+    hash = "sha256-dWCjxIoD1mxVPcVSFdNYg8aA/gq0TCOqSDKADMyFXHQ=";
   };
 
   nativeBuildInputs = [
@@ -72,6 +72,7 @@ buildPythonPackage rec {
     "test_open"
     "test_anonymous_client_access_to_public_bucket"
     "test_ctor_w_custom_endpoint_use_auth"
+    "test_ctor_w_api_endpoint_override"
   ];
 
   disabledTestPaths = [
diff --git a/pkgs/development/python-modules/marshmallow-oneofschema/default.nix b/pkgs/development/python-modules/marshmallow-oneofschema/default.nix
index 3e4faf8c60313..933f5cc4c8b91 100644
--- a/pkgs/development/python-modules/marshmallow-oneofschema/default.nix
+++ b/pkgs/development/python-modules/marshmallow-oneofschema/default.nix
@@ -4,26 +4,29 @@
 , marshmallow
 , pytestCheckHook
 , pythonOlder
-, setuptools
+, flit-core
 }:
 
 buildPythonPackage rec {
   pname = "marshmallow-oneofschema";
-  version = "3.0.2";
-  format = "setuptools";
+  version = "3.1.1";
+  pyproject = true;
 
-  disabled = pythonOlder "3.6";
+  disabled = pythonOlder "3.8";
 
   src = fetchFromGitHub {
     owner = "marshmallow-code";
-    repo = pname;
-    rev = version;
-    hash = "sha256-Em2jQmvI5IiWREeOX/JAcdOQlpwP7k+cbCirkh82sf0=";
+    repo = "marshmallow-oneofschema";
+    rev = "refs/tags/${version}";
+    hash = "sha256-HXuyUxU8bT5arpUzmgv7m+X2fNT0qHY8S8Rz6klOGiA=";
   };
 
+  nativeBuildInputs = [
+    flit-core
+  ];
+
   propagatedBuildInputs = [
     marshmallow
-    setuptools
   ];
 
   nativeCheckInputs = [
@@ -35,8 +38,8 @@ buildPythonPackage rec {
   ];
 
   meta = with lib; {
-    changelog = "https://github.com/marshmallow-code/marshmallow-oneofschema/blob/${src.rev}/CHANGELOG.rst";
     description = "Marshmallow library extension that allows schema (de)multiplexing";
+    changelog = "https://github.com/marshmallow-code/marshmallow-oneofschema/blob/${version}/CHANGELOG.rst";
     homepage = "https://github.com/marshmallow-code/marshmallow-oneofschema";
     license = licenses.mit;
     maintainers = with maintainers; [ ivan-tkatchev ];
diff --git a/pkgs/development/python-modules/marshmallow/default.nix b/pkgs/development/python-modules/marshmallow/default.nix
index 880e3c869aabf..bbb336884c192 100644
--- a/pkgs/development/python-modules/marshmallow/default.nix
+++ b/pkgs/development/python-modules/marshmallow/default.nix
@@ -1,17 +1,17 @@
 { lib
 , buildPythonPackage
 , fetchFromGitHub
+, flit-core
+, packaging
 , pytestCheckHook
 , pythonOlder
 , pytz
 , simplejson
-, packaging
-, setuptools
 }:
 
 buildPythonPackage rec {
   pname = "marshmallow";
-  version = "3.20.2";
+  version = "3.21.1";
   pyproject = true;
 
   disabled = pythonOlder "3.8";
@@ -20,11 +20,11 @@ buildPythonPackage rec {
     owner = "marshmallow-code";
     repo = "marshmallow";
     rev = "refs/tags/${version}";
-    hash = "sha256-z6Quf6uTelGwB/uYayVXtVmculwaoI5LL8I0kKiM/e8=";
+    hash = "sha256-KhXasYKooZRokRoFlWKOaQzSUe6tXDtUlrf65eGGUi8=";
   };
 
   nativeBuildInputs = [
-    setuptools
+    flit-core
   ];
 
   propagatedBuildInputs = [
diff --git a/pkgs/development/python-modules/oauthenticator/default.nix b/pkgs/development/python-modules/oauthenticator/default.nix
index 9bc3ced1208bf..de26b60caac2a 100644
--- a/pkgs/development/python-modules/oauthenticator/default.nix
+++ b/pkgs/development/python-modules/oauthenticator/default.nix
@@ -10,12 +10,13 @@
 , pytest-asyncio
 , pytestCheckHook
 , requests-mock
+, setuptools
 }:
 
 buildPythonPackage rec {
   pname = "oauthenticator";
   version = "16.2.1";
-  format = "setuptools";
+  pyproject = true;
 
   disabled = pythonOlder "3.7";
 
@@ -26,9 +27,13 @@ buildPythonPackage rec {
 
   postPatch = ''
     substituteInPlace pyproject.toml \
-      --replace " --cov=oauthenticator" ""
+      --replace-fail " --cov=oauthenticator" ""
   '';
 
+  nativeBuildInputs = [
+    setuptools
+  ];
+
   propagatedBuildInputs = [
     jupyterhub
   ];
@@ -56,6 +61,16 @@ buildPythonPackage rec {
     # Tests are outdated, https://github.com/jupyterhub/oauthenticator/issues/432
     "test_azuread"
     "test_mediawiki"
+    # Tests require network access
+    "test_allowed"
+    "test_auth0"
+    "test_bitbucket"
+    "test_cilogon"
+    "test_github"
+    "test_gitlab"
+    "test_globus"
+    "test_google"
+    "test_openshift"
   ];
 
   pythonImportsCheck = [
@@ -67,5 +82,6 @@ buildPythonPackage rec {
     homepage =  "https://github.com/jupyterhub/oauthenticator";
     changelog = "https://github.com/jupyterhub/oauthenticator/blob/${version}/docs/source/reference/changelog.md";
     license = licenses.bsd3;
+    maintainers = with maintainers; [ ];
   };
 }
diff --git a/pkgs/development/python-modules/pykeepass/default.nix b/pkgs/development/python-modules/pykeepass/default.nix
index 2b482295e4222..da2e8d5bc837b 100644
--- a/pkgs/development/python-modules/pykeepass/default.nix
+++ b/pkgs/development/python-modules/pykeepass/default.nix
@@ -1,32 +1,51 @@
-{ lib, fetchFromGitHub, buildPythonPackage
-, lxml, pycryptodomex, construct
-, argon2-cffi, python-dateutil
-, python
+{ lib
+, buildPythonPackage
+, fetchFromGitHub
+, setuptools
+, argon2-cffi
+, construct
+, lxml
+, pycryptodomex
+, pyotp
+, unittestCheckHook
 }:
 
 buildPythonPackage rec {
-  pname   = "pykeepass";
-  version = "4.0.6";
-
-  format = "setuptools";
+  pname = "pykeepass";
+  version = "4.0.7";
+  pyproject = true;
 
   src = fetchFromGitHub {
     owner = "libkeepass";
     repo = "pykeepass";
     rev = "v${version}";
-    hash = "sha256-832cTVzI/MFdwiw6xWzRG35z3iwqb5Qpf6W6XYBIFWs=";
+    hash = "sha256-qUNMjnIhQpUSQY0kN9bA4IxQx8fiFIA6p8rPqNqdjNo=";
   };
 
+  postPatch = ''
+    # https://github.com/libkeepass/pykeepass/pull/378
+    substituteInPlace pyproject.toml \
+      --replace-fail 'packages = ["pykeepass"]' 'packages = ["pykeepass", "pykeepass.kdbx_parsing"]'
+  '';
+
+  nativeBuildInputs = [
+    setuptools
+  ];
+
   propagatedBuildInputs = [
-    lxml pycryptodomex construct
-    argon2-cffi python-dateutil
+    argon2-cffi
+    construct
+    lxml
+    pycryptodomex
+    setuptools
   ];
 
   propagatedNativeBuildInputs = [ argon2-cffi ];
 
-  checkPhase = ''
-    ${python.interpreter} -m unittest tests.tests
-  '';
+  nativeCheckInputs = [
+    pyotp
+    unittestCheckHook
+  ];
 
   pythonImportsCheck = [ "pykeepass" ];
 
diff --git a/pkgs/development/tools/ruff/default.nix b/pkgs/development/tools/ruff/default.nix
index ce737d343b702..b51b7b6e578dc 100644
--- a/pkgs/development/tools/ruff/default.nix
+++ b/pkgs/development/tools/ruff/default.nix
@@ -10,16 +10,16 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "ruff";
-  version = "0.2.2";
+  version = "0.3.0";
 
   src = fetchFromGitHub {
     owner = "astral-sh";
     repo = "ruff";
     rev = "refs/tags/v${version}";
-    hash = "sha256-wCjPlKlw0IAh5oH4W7DUw3KBxR4bt9Ho7ncRL5TbD/0=";
+    hash = "sha256-U77Bwgbt2T8xkamrWOnOpNRF+8skLWhX8JqgPqowcQw=";
   };
 
-  cargoHash = "sha256-EHAlsEh3YnAhjIGC9rSgyK3gbKPCJqI6F3uAqZxv2nU=";
+  cargoHash = "sha256-IBcZRElbeu7Ab/7Q7N5TLhAznXxKsupifR83gfpY61Q=";
 
   nativeBuildInputs = [
     installShellFiles
diff --git a/pkgs/development/tools/taplo/default.nix b/pkgs/development/tools/taplo/default.nix
index 43026331f5c75..2f497d6eb9319 100644
--- a/pkgs/development/tools/taplo/default.nix
+++ b/pkgs/development/tools/taplo/default.nix
@@ -1,6 +1,8 @@
 { lib
 , rustPlatform
 , fetchCrate
+, pkg-config
+, openssl
 , stdenv
 , Security
 , withLsp ? true
@@ -8,17 +10,25 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "taplo";
-  version = "0.8.1";
+  version = "0.9.0";
 
   src = fetchCrate {
     inherit version;
     pname = "taplo-cli";
-    sha256 = "sha256-evNW6OA7rArj0TvOaQgktcQy0tWnel3ZL+ic78e6lOk=";
+    hash = "sha256-vvb00a6rppx9kKx+pzObT/hW/IsG6RyYFEDp9M5gvqc=";
   };
 
-  cargoSha256 = "sha256-jeLjoqEieR96mUZQmQtv7P78lmOaF18ruVhZLi/TieQ=";
+  cargoHash = "sha256-oT7U9htu7J22MqLZb+YXohlB1CVGxHGQvHJu18PeLf8=";
 
-  buildInputs = lib.optional stdenv.isDarwin Security;
+  nativeBuildInputs = [
+    pkg-config
+  ];
+
+  buildInputs = [
+    openssl
+  ] ++ lib.optionals stdenv.isDarwin [
+    Security
+  ];
 
   buildFeatures = lib.optional withLsp "lsp";
 
diff --git a/pkgs/games/katago/default.nix b/pkgs/games/katago/default.nix
index 4a66f6cc711e7..834ec0774d7ae 100644
--- a/pkgs/games/katago/default.nix
+++ b/pkgs/games/katago/default.nix
@@ -19,6 +19,7 @@
 , enableBigBoards ? false
 , enableContrib ? false
 , enableTcmalloc ? true
+, enableTrtPlanCache ? false
 }:
 
 assert lib.assertOneOf "backend" backend [ "opencl" "cuda" "tensorrt" "eigen" ];
@@ -67,25 +68,15 @@ stdenv.mkDerivation rec {
   ];
 
   cmakeFlags = [
-    "-DNO_GIT_REVISION=ON"
-  ] ++ lib.optionals enableAVX2 [
-    "-DUSE_AVX2=ON"
-  ] ++ lib.optionals (backend == "eigen") [
-    "-DUSE_BACKEND=EIGEN"
-  ] ++ lib.optionals (backend == "cuda") [
-    "-DUSE_BACKEND=CUDA"
-  ] ++ lib.optionals (backend == "tensorrt") [
-    "-DUSE_BACKEND=TENSORRT"
-  ] ++ lib.optionals (backend == "opencl") [
-    "-DUSE_BACKEND=OPENCL"
+    (lib.cmakeFeature "USE_BACKEND" (lib.toUpper backend))
+    (lib.cmakeBool "USE_AVX2" enableAVX2)
+    (lib.cmakeBool "USE_TCMALLOC" enableTcmalloc)
+    (lib.cmakeBool "USE_BIGGER_BOARDS_EXPENSIVE" enableBigBoards)
+    (lib.cmakeBool "USE_CACHE_TENSORRT_PLAN" enableTrtPlanCache)
+    (lib.cmakeBool "NO_GIT_REVISION" (!enableContrib))
   ] ++ lib.optionals enableContrib [
-    "-DBUILD_DISTRIBUTED=1"
-    "-DNO_GIT_REVISION=OFF"
-    "-DGIT_EXECUTABLE=${fakegit}/bin/git"
-  ] ++ lib.optionals enableTcmalloc [
-    "-DUSE_TCMALLOC=ON"
-  ] ++ lib.optionals enableBigBoards [
-    "-DUSE_BIGGER_BOARDS_EXPENSIVE=ON"
+    (lib.cmakeBool "BUILD_DISTRIBUTED" true)
+    (lib.cmakeFeature "GIT_EXECUTABLE" "${fakegit}/bin/git")
   ];
 
   preConfigure = ''
diff --git a/pkgs/os-specific/darwin/bartender/default.nix b/pkgs/os-specific/darwin/bartender/default.nix
index 4aca240cba163..011a356e54124 100644
--- a/pkgs/os-specific/darwin/bartender/default.nix
+++ b/pkgs/os-specific/darwin/bartender/default.nix
@@ -1,17 +1,17 @@
 { lib
 , stdenvNoCC
 , fetchurl
-, undmg
+, _7zz
 }:
 
 stdenvNoCC.mkDerivation (finalAttrs: {
   pname = "bartender";
-  version = "4.2.21";
+  version = "5.0.49";
 
   src = fetchurl {
-    name = "Bartender 4.dmg";
-    url = "https://www.macbartender.com/B2/updates/${builtins.replaceStrings [ "." ] [ "-" ] finalAttrs.version}/Bartender%204.dmg";
-    hash = "sha256-KL4Wy8adGiYmxaDkhGJjwobU5szpW2j7ObgHyp02Dow=";
+    name = "Bartender ${lib.versions.major finalAttrs.version}.dmg";
+    url = "https://www.macbartender.com/B2/updates/${builtins.replaceStrings [ "." ] [ "-" ] finalAttrs.version}/Bartender%20${lib.versions.major finalAttrs.version}.dmg";
+    hash = "sha256-DOQLtdbwYFyRri3GBdjLfFNII65QJMvAQu9Be4ATBx0=";
   };
 
   dontPatch = true;
@@ -19,15 +19,15 @@ stdenvNoCC.mkDerivation (finalAttrs: {
   dontBuild = true;
   dontFixup = true;
 
-  nativeBuildInputs = [ undmg ];
+  nativeBuildInputs = [ _7zz ];
 
-  sourceRoot = "Bartender 4.app";
+  sourceRoot = "Bartender ${lib.versions.major finalAttrs.version}.app";
 
   installPhase = ''
     runHook preInstall
 
-    mkdir -p $out/Applications/Bartender\ 4.app
-    cp -R . $out/Applications/Bartender\ 4.app
+    mkdir -p "$out/Applications/${finalAttrs.sourceRoot}"
+    cp -R . "$out/Applications/${finalAttrs.sourceRoot}"
 
     runHook postInstall
   '';
@@ -39,7 +39,7 @@ stdenvNoCC.mkDerivation (finalAttrs: {
       Bartender improves your workflow with quick reveal, search, custom hotkeys and triggers, and lots more.
     '';
     homepage = "https://www.macbartender.com";
-    changelog = "https://www.macbartender.com/Bartender4/release_notes";
+    changelog = "https://www.macbartender.com/Bartender${lib.versions.major finalAttrs.version}/release_notes/";
     license = with licenses; [ unfree ];
     sourceProvenance = with sourceTypes; [ binaryNativeCode ];
     maintainers = with maintainers; [ stepbrobd ];
diff --git a/pkgs/os-specific/linux/wpa_supplicant/default.nix b/pkgs/os-specific/linux/wpa_supplicant/default.nix
index 621cd5d79a277..49355de17784e 100644
--- a/pkgs/os-specific/linux/wpa_supplicant/default.nix
+++ b/pkgs/os-specific/linux/wpa_supplicant/default.nix
@@ -55,6 +55,7 @@ stdenv.mkDerivation rec {
     CONFIG_INTERNETWORKING=y
     CONFIG_L2_PACKET=linux
     CONFIG_LIBNL32=y
+    CONFIG_MESH=y
     CONFIG_OWE=y
     CONFIG_P2P=y
     CONFIG_SAE_PK=y
diff --git a/pkgs/servers/etebase/default.nix b/pkgs/servers/etebase/default.nix
index f397b78eca0bf..2a8233e5e0dcf 100644
--- a/pkgs/servers/etebase/default.nix
+++ b/pkgs/servers/etebase/default.nix
@@ -1,24 +1,22 @@
 { lib
 , fetchFromGitHub
-, buildPythonPackage
-, aiofiles
-, django_3
-, fastapi
-, msgpack
-, pynacl
-, redis
-, typing-extensions
 , withLdap ? true
-, python-ldap
+, python3
 , withPostgres ? true
-, psycopg2
 , nix-update-script
+, nixosTests
 }:
 
-buildPythonPackage rec {
+let
+  python = python3.override {
+    packageOverrides = self: super: {
+      pydantic = super.pydantic_1;
+    };
+  };
+in
+python.pkgs.buildPythonPackage rec {
   pname = "etebase-server";
   version = "0.11.0";
-  format = "other";
 
   src = fetchFromGitHub {
     owner = "etesync";
@@ -29,32 +27,46 @@ buildPythonPackage rec {
 
   patches = [ ./secret.patch ];
 
-  propagatedBuildInputs = [
+  doCheck = false;
+
+  propagatedBuildInputs = with python.pkgs; [
     aiofiles
     django_3
     fastapi
     msgpack
     pynacl
     redis
+    uvicorn
+    websockets
+    watchfiles
+    uvloop
+    pyyaml
+    python-dotenv
+    httptools
     typing-extensions
   ] ++ lib.optional withLdap python-ldap
     ++ lib.optional withPostgres psycopg2;
 
-  installPhase = ''
+  postInstall = ''
     mkdir -p $out/bin $out/lib
-    cp -r . $out/lib/etebase-server
-    ln -s $out/lib/etebase-server/manage.py $out/bin/etebase-server
+    cp manage.py $out/bin/etebase-server
     wrapProgram $out/bin/etebase-server --prefix PYTHONPATH : "$PYTHONPATH"
     chmod +x $out/bin/etebase-server
   '';
 
   passthru.updateScript = nix-update-script {};
+  passthru.python = python;
+  # PYTHONPATH of all dependencies used by the package
+  passthru.pythonPath = python.pkgs.makePythonPath propagatedBuildInputs;
+  passthru.tests = {
+    nixosTest = nixosTests.etebase-server;
+  };
 
   meta = with lib; {
     homepage = "https://github.com/etesync/server";
     description = "An Etebase (EteSync 2.0) server so you can run your own";
     changelog = "https://github.com/etesync/server/blob/${version}/ChangeLog.md";
     license = licenses.agpl3Only;
-    maintainers = with maintainers; [ felschr ];
+    maintainers = with maintainers; [ felschr phaer ];
   };
 }
diff --git a/pkgs/servers/home-assistant/custom-components/better_thermostat/default.nix b/pkgs/servers/home-assistant/custom-components/better_thermostat/default.nix
new file mode 100644
index 0000000000000..a4a514b2693c1
--- /dev/null
+++ b/pkgs/servers/home-assistant/custom-components/better_thermostat/default.nix
@@ -0,0 +1,24 @@
+{ lib, fetchFromGitHub, buildHomeAssistantComponent }:
+
+buildHomeAssistantComponent rec {
+  owner = "KartoffelToby";
+  domain = "better_thermostat";
+  version = "1.5.0-beta7";
+
+  src = fetchFromGitHub {
+    owner = "KartoffelToby";
+    repo = "better_thermostat";
+    rev = "refs/tags/${version}";
+    hash = "sha256-bJURpeBgoxXGR7C9MY/gmNY7OFvBxrJKz2cA61b5hNo=";
+  };
+
+  meta = with lib; {
+    changelog =
+      "https://github.com/KartoffelToby/better_thermostat/releases/tag/${version}";
+    description =
+      "Smart TRV control integrates room-temp sensors, window/door sensors, weather forecasts, and ambient probes for efficient heating and calibration, enhancing energy savings and comfort.";
+    homepage = "https://better-thermostat.org/";
+    maintainers = with maintainers; [ mguentner ];
+    license = licenses.agpl3;
+  };
+}
diff --git a/pkgs/servers/home-assistant/custom-components/default.nix b/pkgs/servers/home-assistant/custom-components/default.nix
index 8fc059586bd01..81e708b637bc9 100644
--- a/pkgs/servers/home-assistant/custom-components/default.nix
+++ b/pkgs/servers/home-assistant/custom-components/default.nix
@@ -6,6 +6,8 @@
 
   auth-header = callPackage ./auth-header {};
 
+  better_thermostat = callPackage ./better_thermostat {};
+
   emporia_vue = callPackage ./emporia_vue {};
 
   govee-lan = callPackage ./govee-lan {};
diff --git a/pkgs/servers/web-apps/pict-rs/default.nix b/pkgs/servers/web-apps/pict-rs/default.nix
index 9d4db81a69a7a..82a701e021673 100644
--- a/pkgs/servers/web-apps/pict-rs/default.nix
+++ b/pkgs/servers/web-apps/pict-rs/default.nix
@@ -13,17 +13,17 @@
 
 rustPlatform.buildRustPackage rec {
   pname = "pict-rs";
-  version = "0.5.6";
+  version = "0.5.7";
 
   src = fetchFromGitea {
     domain = "git.asonix.dog";
     owner = "asonix";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-YK31z7tFRxLuf3C8ojDIV+mYHvK0dlV8zLHJoWjPzIU=";
+    sha256 = "sha256-MBV92+mu41ulT6wuzTGbobbspoQA0hNbRIiISol0n48=";
   };
 
-  cargoHash = "sha256-W6pDWjalyBBqFmm4uZDDTRvTWiwogdOeXbdazz4uM3s=";
+  cargoHash = "sha256-p7s/gs+sMXR1l08C81tY4K3oV9fWgm07C0nRGspfoR8=";
 
   # needed for internal protobuf c wrapper library
   PROTOC = "${protobuf}/bin/protoc";
diff --git a/pkgs/tools/package-management/dnf5/default.nix b/pkgs/tools/package-management/dnf5/default.nix
index 129b98867cb0b..fc22001a51922 100644
--- a/pkgs/tools/package-management/dnf5/default.nix
+++ b/pkgs/tools/package-management/dnf5/default.nix
@@ -30,7 +30,7 @@
 
 stdenv.mkDerivation (finalAttrs: {
   pname = "dnf5";
-  version = "5.1.13";
+  version = "5.1.14";
 
   outputs = [ "out" "man" ];
 
@@ -38,7 +38,7 @@ stdenv.mkDerivation (finalAttrs: {
     owner = "rpm-software-management";
     repo = "dnf5";
     rev = finalAttrs.version;
-    hash = "sha256-6fgQA9L6yBDdtCzxPg+EyxERr/dzW1PWVaT1+lRCXmo=";
+    hash = "sha256-LVemkL3Ysv2hS0/c+ZTqzEKq3kFu+T1rEBwZpjssE2k=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix
index 1d55f600d2f97..be6927bc33ed5 100644
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@@ -161,7 +161,9 @@ mapAliases ({
   chrome-gnome-shell = gnome-browser-connector; # Added 2022-07-27
   chromiumBeta = throw "'chromiumBeta' has been removed due to the lack of maintenance in nixpkgs. Consider using 'chromium' instead."; # Added 2023-10-18
   chromiumDev = throw "'chromiumDev' has been removed due to the lack of maintenance in nixpkgs. Consider using 'chromium' instead."; # Added 2023-10-18
-  citra = citra-nightly; # added 2022-05-17
+  citra = throw "citra has been removed from nixpkgs, as it has been taken down upstream"; # added 2024-03-04
+  citra-nightly = throw "citra-nightly has been removed from nixpkgs, as it has been taken down upstream"; # added 2024-03-04
+  citra-canary = throw "citra-canary has been removed from nixpkgs, as it has been taken down upstream"; # added 2024-03-04
   clang-ocl = throw "'clang-ocl' has been replaced with 'rocmPackages.clang-ocl'"; # Added 2023-10-08
   inherit (libsForQt5.mauiPackages) clip; # added 2022-05-17
   collada-dom = opencollada; # added 2024-02-21
@@ -1220,10 +1222,11 @@ mapAliases ({
   yafaray-core = libyafaray; # Added 2022-09-23
   yarn2nix-moretea-openssl_1_1 = throw "'yarn2nix-moretea-openssl_1_1' has been removed."; # Added 2023-02-04
   yubikey-manager4 = throw "yubikey-manager4 has been removed, since it is no longer required by yubikey-manager-qt. Please update to yubikey-manager."; # Added 2024-01-14
-  yuzu-ea = yuzuPackages.early-access; # Added 2022-08-18
-  yuzu-early-access = yuzuPackages.early-access; # Added 2023-12-29
-  yuzu = yuzuPackages.mainline; # Added 2021-01-25
-  yuzu-mainline = yuzuPackages.mainline; # Added 2023-12-29
+  yuzu-ea = throw "yuzu-ea has been removed from nixpkgs, as it has been taken down upstream"; # Added 2024-03-04
+  yuzu-early-access = throw "yuzu-early-access has been removed from nixpkgs, as it has been taken down upstream"; # Added 2024-03-04
+  yuzu = throw "yuzu has been removed from nixpkgs, as it has been taken down upstream"; # Added 2024-03-04
+  yuzu-mainline = throw "yuzu-mainline has been removed from nixpkgs, as it has been taken down upstream"; # Added 2024-03-04
+  yuzuPackages = throw "yuzuPackages has been removed from nixpkgs, as it has been taken down upstream"; # Added 2024-03-04
 
   ### Z ###
 
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 557b4956b353f..9a88f1d229af5 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -2648,14 +2648,6 @@ with pkgs;
 
   webfontkitgenerator = callPackage ../applications/misc/webfontkitgenerator { };
 
-  citra-canary = callPackage ../applications/emulators/citra {
-    branch = "canary";
-  };
-
-  citra-nightly = callPackage ../applications/emulators/citra {
-    branch = "nightly";
-  };
-
   collapseos-cvm = callPackage ../applications/emulators/collapseos-cvm { };
 
   coltrane = callPackage ../applications/misc/coltrane { };
@@ -2918,9 +2910,6 @@ with pkgs;
   kodi-retroarch-advanced-launchers =
     callPackage ../applications/emulators/retroarch/kodi-advanced-launchers.nix { };
 
-  ### APPLICATIONS/EMULATORS/YUZU
-  yuzuPackages = callPackage ../applications/emulators/yuzu {};
-
   # Aliases kept here because they are easier to use
   x16-emulator = x16.emulator;
   x16-rom = x16.rom;
@@ -33127,8 +33116,6 @@ with pkgs;
 
   loxodo = callPackage ../applications/misc/loxodo { };
 
-  lsd2dsl = libsForQt5.callPackage ../applications/misc/lsd2dsl { };
-
   lrzsz = callPackage ../tools/misc/lrzsz { };
 
   lsp-plugins = callPackage ../applications/audio/lsp-plugins { php = php81; };