zola: 0.18.0 -> 0.19.1

doc/languages-frameworks/python.section.md

@@ -1315,9 +1315,6 @@ we can do:
 
 ```nix
 {
-  nativeBuildInputs = [
-    pythonRelaxDepsHook
-  ];
   pythonRelaxDeps = [
     "pkg1"
     "pkg3"
@@ -1340,7 +1337,6 @@ example:
 
 ```nix
 {
-  nativeBuildInputs = [ pythonRelaxDepsHook ];
   pythonRelaxDeps = true;
 }
 ```
@@ -1362,8 +1358,11 @@ instead of a dev dependency).
 Keep in mind that while the examples above are done with `requirements.txt`,
 `pythonRelaxDepsHook` works by modifying the resulting wheel file, so it should
 work with any of the [existing hooks](#setup-hooks).
-It indicates that `pythonRelaxDepsHook` has no effect on build time dependencies, such as in `build-system`.
-If a package requires incompatible build time dependencies, they should be removed in `postPatch` with `substituteInPlace` or something similar.
+
+The `pythonRelaxDepsHook` has no effect on build time dependencies, such as
+those specified in `build-system`. If a package requires incompatible build
+time dependencies, they should be removed in `postPatch` through
+`substituteInPlace` or similar.
 
 #### Using unittestCheckHook {#using-unittestcheckhook}
 

doc/languages-frameworks/texlive.section.md

@@ -83,12 +83,13 @@ Release 23.11 ships with a new interface that will eventually replace `texlive.c
   ```nix
   stdenvNoCC.mkDerivation rec {
     src = texlive.pkgs.iwona;
+    dontUnpack = true;
 
     inherit (src) pname version;
 
     installPhase = ''
       runHook preInstall
-      install -Dm644 fonts/opentype/nowacki/iwona/*.otf -t $out/share/fonts/opentype
+      install -Dm644 $src/fonts/opentype/nowacki/iwona/*.otf -t $out/share/fonts/opentype
       runHook postInstall
     '';
   }

doc/stdenv/stdenv.chapter.md

@@ -1515,6 +1515,10 @@ This flag can break dynamic shared object loading. For instance, the module syst
 intel_drv.so: undefined symbol: vgaHWFreeHWRec
 ```
 
+#### `zerocallusedregs` {#zerocallusedregs}
+
+Adds the `-fzero-call-used-regs=used-gpr` compiler option. This causes the general-purpose registers that an architecture's calling convention considers "call-used" to be zeroed on return from the function. This can make it harder for attackers to construct useful ROP gadgets and also reduces the chance of data leakage from a function call.
+
 ### Hardening flags disabled by default {#sec-hardening-flags-disabled-by-default}
 
 The following flags are disabled by default and should be enabled with `hardeningEnable` for packages that take untrusted input like network services.
@@ -1528,16 +1532,22 @@ Adds the `-fPIE` compiler and `-pie` linker options. Position Independent Execut
 Static libraries need to be compiled with `-fPIE` so that executables can link them in with the `-pie` linker option.
 If the libraries lack `-fPIE`, you will get the error `recompile with -fPIE`.
 
-#### `zerocallusedregs` {#zerocallusedregs}
-
-Adds the `-fzero-call-used-regs=used-gpr` compiler option. This causes the general-purpose registers that an architecture's calling convention considers "call-used" to be zeroed on return from the function. This can make it harder for attackers to construct useful ROP gadgets and also reduces the chance of data leakage from a function call.
-
 #### `trivialautovarinit` {#trivialautovarinit}
 
 Adds the `-ftrivial-auto-var-init=pattern` compiler option. This causes "trivially-initializable" uninitialized stack variables to be forcibly initialized with a nonzero value that is likely to cause a crash (and therefore be noticed). Uninitialized variables generally take on their values based on fragments of previous program state, and attackers can carefully manipulate that state to craft malicious initial values for these variables.
 
 Use of this flag is controversial as it can prevent tools that detect uninitialized variable use (such as valgrind) from operating correctly.
 
+This should be turned off or fixed for build errors such as:
+
+```
+sorry, unimplemented: __builtin_clear_padding not supported for variable length aggregates
+```
+
+#### `stackclashprotection` {#stackclashprotection}
+
+This flag adds the `-fstack-clash-protection` compiler option, which causes growth of a program's stack to access each successive page in order. This should force the guard page to be accessed and cause an attempt to "jump over" this guard page to crash.
+
 [^footnote-stdenv-ignored-build-platform]: The build platform is ignored because it is a mere implementation detail of the package satisfying the dependency: As a general programming principle, dependencies are always *specified* as interfaces, not concrete implementation.
 [^footnote-stdenv-native-dependencies-in-path]: Currently, this means for native builds all dependencies are put on the `PATH`. But in the future that may not be the case for sake of matching cross: the platforms would be assumed to be unique for native and cross builds alike, so only the `depsBuild*` and `nativeBuildInputs` would be added to the `PATH`.
 [^footnote-stdenv-propagated-dependencies]: Nix itself already takes a package’s transitive dependencies into account, but this propagation ensures nixpkgs-specific infrastructure like [setup hooks](#ssec-setup-hooks) also are run as if it were a propagated dependency.

maintainers/scripts/luarocks-packages.csv

@@ -97,7 +97,7 @@ lua-utils.nvim,,,,,,mrcjkb
 lua-yajl,,,,,,pstn
 lua-iconv,,,,7.0.0,,
 luuid,,,,20120509-2,,
-luv,,,,1.44.2-1,,
+luv,,,,1.48.0-2,,
 lush.nvim,,,https://luarocks.org/dev,,,teto
 lyaml,,,,,,lblasc
 lz.n,,,,,,mrcjkb

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -154,6 +154,10 @@
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
+- The `zerocallusedregs` hardening flag is enabled by default on compilers that support it.
+
+- The `stackclashprotection` hardening flag has been added, though disabled by default.
+
 - `hareHook` has been added as the language framework for Hare. From now on, it,
   not the `hare` package, should be added to `nativeBuildInputs` when building
   Hare programs.

nixos/modules/config/fonts/ghostscript.nix

@@ -18,6 +18,6 @@ with lib;
   };
 
   config = mkIf config.fonts.enableGhostscriptFonts {
-    fonts.packages = [ "${pkgs.ghostscript}/share/ghostscript/fonts" ];
+    fonts.packages = [ pkgs.ghostscript.fonts ];
   };
 }

nixos/modules/programs/nix-required-mounts.nix

@@ -47,7 +47,7 @@ let
     );
 
   driverPaths = [
-    pkgs.addOpenGLRunpath.driverLink
+    pkgs.addDriverRunpath.driverLink
 
     # mesa:
     config.hardware.opengl.package
@@ -84,7 +84,7 @@ in
           {
             opengl.paths = config.hardware.opengl.extraPackages ++ [
               config.hardware.opengl.package
-              pkgs.addOpenGLRunpath.driverLink
+              pkgs.addDriverRunpath.driverLink
               "/dev/dri"
             ];
           }

nixos/tests/kernel-generic.nix

@@ -47,6 +47,9 @@ in mapAttrs (_: lP: testsForLinuxPackages lP) kernels // {
   passthru = {
     inherit testsForLinuxPackages;
 
+    # Useful for development testing of all Kernel configs without building full Kernel
+    configfiles = mapAttrs (_: lP: lP.kernel.configfile) kernels;
+
     testsForKernel = kernel: testsForLinuxPackages (pkgs.linuxPackagesFor kernel);
   };
 }

pkgs/applications/audio/ledfx/default.nix

@@ -26,7 +26,6 @@ python3.pkgs.buildPythonPackage rec {
     poetry-core
   ];
 
-  nativeBuildInputs = with python3.pkgs; [ pythonRelaxDepsHook ];
 
   dependencies = with python3.pkgs; [
     aiohttp

pkgs/applications/audio/pd-plugins/gem/default.nix

@@ -7,7 +7,7 @@
 , libGL
 , libGLU
 , glew
-, freeglut
+, libglut
 , libv4l
 , libX11
 , file
@@ -36,7 +36,7 @@ stdenv.mkDerivation rec {
     libGL
     libGLU
     glew
-    freeglut
+    libglut
     libv4l
     libX11
   ];

pkgs/applications/audio/puddletag/default.nix

@@ -45,7 +45,6 @@ python3.pkgs.buildPythonApplication rec {
   ];
 
   nativeBuildInputs = [
-    python3.pkgs.pythonRelaxDepsHook
     wrapQtAppsHook
   ];
 

pkgs/applications/audio/sndpeek/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, libsndfile, freeglut, alsa-lib, mesa, libGLU, libX11, libXmu
+{ lib, stdenv, fetchurl, libsndfile, libglut, alsa-lib, mesa, libGLU, libX11, libXmu
 , libXext, libXi }:
 
 stdenv.mkDerivation rec {
@@ -16,7 +16,7 @@ stdenv.mkDerivation rec {
   patches = [ ./pthread.patch ];
 
   buildInputs = [
-    freeglut
+    libglut
     alsa-lib
     mesa
     libGLU

pkgs/applications/backup/unifi-protect-backup/default.nix

@@ -40,7 +40,6 @@ python.pkgs.buildPythonApplication rec {
 
   nativeBuildInputs = with python.pkgs; [
     poetry-core
-    pythonRelaxDepsHook
   ];
 
   propagatedBuildInputs = with python.pkgs; [

pkgs/applications/blockchains/polkadot/default.nix

@@ -92,8 +92,5 @@ rustPlatform.buildRustPackage rec {
     maintainers = with maintainers; [ akru andresilva FlorianFranzen RaghavSood ];
     # See Iso::from_arch in src/isa/mod.rs in cranelift-codegen-meta.
     platforms = intersectLists platforms.unix (platforms.aarch64 ++ platforms.s390x ++ platforms.riscv64 ++ platforms.x86);
-    # See comment about wasm32-unknown-unknown in rustc.nix.
-    broken = lib.any (a: lib.hasAttr a stdenv.hostPlatform.gcc) [ "cpu" "float-abi" "fpu" ] ||
-      !stdenv.hostPlatform.gcc.thumb or true;
   };
 }

pkgs/applications/editors/emacs/elisp-packages/libgenerated.nix

@@ -79,7 +79,8 @@ in {
         lib.nameValuePair ename (
           self.callPackage ({ melpaBuild, fetchurl, ... }@pkgargs:
           melpaBuild {
-            inherit pname ename commit;
+            inherit pname ename;
+            inherit (sourceArgs) commit;
             version = lib.optionalString (version != null)
               (lib.concatStringsSep "." (map toString
                 # Hack: Melpa archives contains versions with parse errors such as [ 4 4 -4 413 ] which should be 4.4-413

pkgs/applications/editors/emacs/sources.nix

@@ -104,10 +104,10 @@ in
 
   emacs29 = import ./make-emacs.nix (mkArgs {
     pname = "emacs";
-    version = "29.3";
+    version = "29.4";
     variant = "mainline";
-    rev = "29.3";
-    hash = "sha256-4yN81djeKb9Hlr6MvaDdXqf4XOl0oolXEYGqkA+KUO0=";
+    rev = "29.4";
+    hash = "sha256-FCP6ySkN9mAdp2T09n6foS2OciqZXc/54guRZ0B4Z2s=";
   });
 
   emacs28-macport = import ./make-emacs.nix (mkArgs {

pkgs/applications/editors/neovim/tests/default.nix

@@ -43,6 +43,14 @@ let
     '';
   };
 
+  nvim-with-luasnip = wrapNeovim2 "-with-lua-packages" (makeNeovimConfig {
+    plugins = [ {
+        plugin = vimPlugins.luasnip;
+
+      }
+    ];
+  });
+
   nvimAutoDisableWrap = makeNeovimConfig { };
 
   wrapNeovim2 = suffix: config:
@@ -281,4 +289,16 @@ rec {
     export HOME=$TMPDIR
     ${nvim_with_opt_plugin}/bin/nvim -i NONE +quit! -e
   '';
+
+  inherit nvim-with-luasnip;
+
+  # check that bringing in one plugin with lua deps makes those deps visible from wrapper
+  # for instance luasnip has a dependency on jsregexp
+  can_require_transitive_deps =
+    runTest nvim-with-luasnip ''
+    export HOME=$TMPDIR
+    cat ${nvim-with-luasnip}/bin/nvim
+    ${nvim-with-luasnip}/bin/nvim -i NONE --cmd "lua require'jsregexp'" -e
+  '';
+
 })

pkgs/applications/editors/neovim/utils.nix

@@ -245,12 +245,36 @@ let
         fi
       '');
 
+  /*
+    Fork of vimUtils.packDir that additionnally generates a propagated-build-inputs-file that
+    can be used by the lua hooks to generate a proper LUA_PATH
+
+    Generates a packpath folder as expected by vim
+       Example:
+       packDir ( {myVimPackage = { start = [ vimPlugins.vim-fugitive ]; opt = []; }; })
+       => "/nix/store/xxxxx-pack-dir"
+  */
+  packDir = packages:
+  let
+    rawPackDir = vimUtils.packDir packages;
+
+  in
+    rawPackDir.override ({
+    postBuild = ''
+      mkdir $out/nix-support
+      for i in $(find -L $out -name propagated-build-inputs ); do
+        cat "$i" >> $out/nix-support/propagated-build-inputs
+      done
+      '';});
+
+
 in
 {
   inherit makeNeovimConfig;
   inherit generateProviderRc;
   inherit legacyWrapper;
   inherit grammarToPlugin;
+  inherit packDir;
 
   inherit buildNeovimPlugin;
   buildNeovimPluginFrom2Nix = lib.warn "buildNeovimPluginFrom2Nix was renamed to buildNeovimPlugin" buildNeovimPlugin;

pkgs/applications/editors/neovim/wrapper.nix

@@ -13,6 +13,9 @@
 neovim-unwrapped:
 
 let
+  # inherit interpreter from neovim
+  lua = neovim-unwrapped.lua;
+
   wrapper = {
       extraName ? ""
     # should contain all args but the binary. Can be either a string or list
@@ -24,6 +27,8 @@ let
     , withNodeJs ? false
     , withPerl ? false
     , rubyEnv ? null
+
+    # wether to create symlinks in $out/bin/vi(m) -> $out/bin/nvim
     , vimAlias ? false
     , viAlias ? false
 
@@ -45,6 +50,8 @@ let
   stdenv.mkDerivation (finalAttrs:
   let
 
+    finalPackdir = neovimUtils.packDir packpathDirs;
+
     rcContent = ''
       ${luaRcContent}
     '' + lib.optionalString (!isNull neovimRcContent) ''
@@ -57,10 +64,10 @@ let
       # vim accepts a limited number of commands so we join them all
           [
             "--add-flags" ''--cmd "lua ${providerLuaRc}"''
-            # (lib.intersperse "|" hostProviderViml)
-          ] ++ lib.optionals (packpathDirs.myNeovimPackages.start != [] || packpathDirs.myNeovimPackages.opt != []) [
-            "--add-flags" ''--cmd "set packpath^=${vimUtils.packDir packpathDirs}"''
-            "--add-flags" ''--cmd "set rtp^=${vimUtils.packDir packpathDirs}"''
+          ]
+          ++ lib.optionals (packpathDirs.myNeovimPackages.start != [] || packpathDirs.myNeovimPackages.opt != []) [
+            "--add-flags" ''--cmd "set packpath^=${finalPackdir}"''
+            "--add-flags" ''--cmd "set rtp^=${finalPackdir}"''
           ]
           ;
 
@@ -160,7 +167,17 @@ let
       + ''
         rm $out/bin/nvim
         touch $out/rplugin.vim
-        makeWrapper ${lib.escapeShellArgs finalMakeWrapperArgs} ${wrapperArgsStr}
+
+        echo "Looking for lua dependencies..."
+        source ${lua}/nix-support/utils.sh
+
+        _addToLuaPath "${finalPackdir}"
+
+        echo "LUA_PATH towards the end of packdir: $LUA_PATH"
+
+        makeWrapper ${lib.escapeShellArgs finalMakeWrapperArgs} ${wrapperArgsStr} \
+            --prefix LUA_PATH ';' "$LUA_PATH" \
+            --prefix LUA_CPATH ';' "$LUA_CPATH"
       '';
 
     buildPhase = ''

pkgs/applications/editors/vim/common.nix

@@ -1,14 +1,14 @@
 { lib, fetchFromGitHub }:
 rec {
-  version = "9.1.0412";
+  version = "9.1.0509";
 
   outputs = [ "out" "xxd" ];
 
   src = fetchFromGitHub {
     owner = "vim";
     repo = "vim";
     rev = "v${version}";
-    hash = "sha256-uLdXFZ8eW+iMXrvkaEkArZmRfAiyORaEZxFFPt0TrdI=";
+    hash = "sha256-CATjUalRjvVjEfWT5evFAk//Oj4iB1fDBsRU5MhDyn4=";
   };
 
   enableParallelBuilding = true;

pkgs/applications/emulators/darling/default.nix

@@ -38,7 +38,7 @@
 
 , xdg-user-dirs
 
-, addOpenGLRunpath
+, addDriverRunpath
 
 # Whether to pre-compile Python 2 bytecode for performance.
 , compilePy2Bytecode ? false
@@ -217,7 +217,7 @@ in stdenv.mkDerivation {
       exit 1
     fi
 
-    patchelf --add-rpath "${lib.makeLibraryPath wrappedLibs}:${addOpenGLRunpath.driverLink}/lib" \
+    patchelf --add-rpath "${lib.makeLibraryPath wrappedLibs}:${addDriverRunpath.driverLink}/lib" \
       $out/libexec/darling/usr/libexec/darling/mldr
   '';