staging-next 2025-05-30 (#412425)

Author: vcunat

doc/hooks/versionCheckHook.section.md

@@ -33,6 +33,7 @@ The variables that this phase control are:
 - `dontVersionCheck`: Disable adding this hook to the [`preInstallCheckHooks`](#ssec-installCheck-phase). Useful if you do want to load the bash functions of the hook, but run them differently.
 - `versionCheckProgram`: The full path to the program that should print the `${version}` string. Defaults roughly to `${placeholder "out"}/bin/${pname}`. Using `$out` in the value of this variable won't work, as environment variables from this variable are not expanded by the hook. Hence using `placeholder` is unavoidable.
 - `versionCheckProgramArg`: The argument that needs to be passed to `versionCheckProgram`. If undefined the hook tries first `--help` and then `--version`. Examples: `version`, `-V`, `-v`.
+- `versionCheckKeepEnvironment`: A list of environment variables to keep and pass to the command. Only those variables should be added to this list that are actually required for the version command to work. If it is not feasible to explicitly list all these environment variables you can set this parameter to the special value `"*"` to disable the `--ignore-environment` flag and thus keep all environment variables.
 - `preVersionCheck`: A hook to run before the check is done.
 - `postVersionCheck`: A hook to run after the check is done.
 

doc/languages-frameworks/python.section.md

@@ -61,7 +61,7 @@ sets are
 and the aliases
 
 * `pkgs.python2Packages` pointing to `pkgs.python27Packages`
-* `pkgs.python3Packages` pointing to `pkgs.python312Packages`
+* `pkgs.python3Packages` pointing to `pkgs.python313Packages`
 * `pkgs.pythonPackages` pointing to `pkgs.python2Packages`
 * `pkgs.pypy2Packages` pointing to `pkgs.pypy27Packages`
 * `pkgs.pypy3Packages` pointing to `pkgs.pypy310Packages`
@@ -582,9 +582,9 @@ are used in [`buildPythonPackage`](#buildpythonpackage-function).
 
 Several versions of the Python interpreter are available on Nix, as well as a
 high amount of packages. The attribute `python3` refers to the default
-interpreter, which is currently CPython 3.12. The attribute `python` refers to
+interpreter, which is currently CPython 3.13. The attribute `python` refers to
 CPython 2.7 for backwards-compatibility. It is also possible to refer to
-specific versions, e.g. `python312` refers to CPython 3.12, and `pypy` refers to
+specific versions, e.g. `python313` refers to CPython 3.13, and `pypy` refers to
 the default PyPy interpreter.
 
 Python is used a lot, and in different ways. This affects also how it is
@@ -600,10 +600,10 @@ however, are in separate sets, with one set per interpreter version.
 The interpreters have several common attributes. One of these attributes is
 `pkgs`, which is a package set of Python libraries for this specific
 interpreter. E.g., the `toolz` package corresponding to the default interpreter
-is `python3.pkgs.toolz`, and the CPython 3.12 version is `python312.pkgs.toolz`.
+is `python3.pkgs.toolz`, and the CPython 3.13 version is `python313.pkgs.toolz`.
 The main package set contains aliases to these package sets, e.g.
-`pythonPackages` refers to `python.pkgs` and `python312Packages` to
-`python312.pkgs`.
+`pythonPackages` refers to `python.pkgs` and `python313Packages` to
+`python313.pkgs`.
 
 #### Installing Python and packages {#installing-python-and-packages}
 
@@ -628,7 +628,7 @@ with [`python.buildEnv`](#python.buildenv-function) or [`python.withPackages`](#
 executables are wrapped to be able to find each other and all of the modules.
 
 In the following examples we will start by creating a simple, ad-hoc environment
-with a nix-shell that has `numpy` and `toolz` in Python 3.12; then we will create
+with a nix-shell that has `numpy` and `toolz` in Python 3.13; then we will create
 a re-usable environment in a single-file Python script; then we will create a
 full Python environment for development with this same environment.
 
@@ -644,18 +644,18 @@ temporary shell session with a Python and a *precise* list of packages (plus
 their runtime dependencies), with no other Python packages in the Python
 interpreter's scope.
 
-To create a Python 3.12 session with `numpy` and `toolz` available, run:
+To create a Python 3.13 session with `numpy` and `toolz` available, run:
 
 ```sh
-$ nix-shell -p 'python312.withPackages(ps: with ps; [ numpy toolz ])'
+$ nix-shell -p 'python313.withPackages(ps: with ps; [ numpy toolz ])'
 ```
 
 By default `nix-shell` will start a `bash` session with this interpreter in our
 `PATH`, so if we then run:
 
 ```Python console
 [nix-shell:~/src/nixpkgs]$ python3
-Python 3.12.4 (main, Jun  6 2024, 18:26:44) [GCC 13.3.0] on linux
+Python 3.13.3 (main, Apr  8 2025, 13:54:08) [GCC 14.2.1 20250322] on linux
 Type "help", "copyright", "credits" or "license" for more information.
 >>> import numpy; import toolz
 ```
@@ -675,8 +675,8 @@ will still get 1 wrapped Python interpreter. We can start the interpreter
 directly like so:
 
 ```sh
-$ nix-shell -p "python312.withPackages (ps: with ps; [ numpy toolz requests ])" --run python3
-Python 3.12.4 (main, Jun  6 2024, 18:26:44) [GCC 13.3.0] on linux
+$ nix-shell -p "python313.withPackages (ps: with ps; [ numpy toolz requests ])" --run python3
+Python 3.13.3 (main, Apr  8 2025, 13:54:08) [GCC 14.2.1 20250322] on linux
 Type "help", "copyright", "credits" or "license" for more information.
 >>> import requests
 >>>
@@ -716,7 +716,7 @@ Executing this script requires a `python3` that has `numpy`. Using what we learn
 in the previous section, we could startup a shell and just run it like so:
 
 ```ShellSession
-$ nix-shell -p 'python312.withPackages (ps: with ps; [ numpy ])' --run 'python3 foo.py'
+$ nix-shell -p 'python313.withPackages (ps: with ps; [ numpy ])' --run 'python3 foo.py'
 The dot product of [1 2] and [3 4] is: 11
 ```
 
@@ -779,12 +779,12 @@ create a single script with Python dependencies, but in the course of normal
 development we're usually working in an entire package repository.
 
 As explained [in the `nix-shell` section](https://nixos.org/manual/nix/stable/command-ref/nix-shell) of the Nix manual, `nix-shell` can also load an expression from a `.nix` file.
-Say we want to have Python 3.12, `numpy` and `toolz`, like before,
+Say we want to have Python 3.13, `numpy` and `toolz`, like before,
 in an environment. We can add a `shell.nix` file describing our dependencies:
 
 ```nix
 with import <nixpkgs> { };
-(python312.withPackages (
+(python313.withPackages (
   ps: with ps; [
     numpy
     toolz
@@ -803,7 +803,7 @@ What's happening here?
    imports the `<nixpkgs>` function, `{}` calls it and the `with` statement
    brings all attributes of `nixpkgs` in the local scope. These attributes form
    the main package set.
-2. Then we create a Python 3.12 environment with the [`withPackages`](#python.withpackages-function) function, as before.
+2. Then we create a Python 3.13 environment with the [`withPackages`](#python.withpackages-function) function, as before.
 3. The [`withPackages`](#python.withpackages-function) function expects us to provide a function as an argument
    that takes the set of all Python packages and returns a list of packages to
    include in the environment. Here, we select the packages `numpy` and `toolz`
@@ -814,7 +814,7 @@ To combine this with `mkShell` you can:
 ```nix
 with import <nixpkgs> { };
 let
-  pythonEnv = python312.withPackages (ps: [
+  pythonEnv = python313.withPackages (ps: [
     ps.numpy
     ps.toolz
   ]);
@@ -976,8 +976,8 @@ information. The output of the function is a derivation.
 
 An expression for `toolz` can be found in the Nixpkgs repository. As explained
 in the introduction of this Python section, a derivation of `toolz` is available
-for each interpreter version, e.g. `python312.pkgs.toolz` refers to the `toolz`
-derivation corresponding to the CPython 3.12 interpreter.
+for each interpreter version, e.g. `python313.pkgs.toolz` refers to the `toolz`
+derivation corresponding to the CPython 3.13 interpreter.
 
 The above example works when you're directly working on
 `pkgs/top-level/python-packages.nix` in the Nixpkgs repository. Often though,
@@ -991,7 +991,7 @@ with import <nixpkgs> { };
 
 (
   let
-    my_toolz = python312.pkgs.buildPythonPackage rec {
+    my_toolz = python313.pkgs.buildPythonPackage rec {
       pname = "toolz";
       version = "0.10.0";
       pyproject = true;
@@ -1002,7 +1002,7 @@ with import <nixpkgs> { };
       };
 
       build-system = [
-        python312.pkgs.setuptools
+        python313.pkgs.setuptools
       ];
 
       # has no tests
@@ -1016,7 +1016,7 @@ with import <nixpkgs> { };
     };
 
   in
-  python312.withPackages (
+  python313.withPackages (
     ps: with ps; [
       numpy
       my_toolz
@@ -1026,7 +1026,7 @@ with import <nixpkgs> { };
 ```
 
 Executing `nix-shell` will result in an environment in which you can use
-Python 3.12 and the `toolz` package. As you can see we had to explicitly mention
+Python 3.13 and the `toolz` package. As you can see we had to explicitly mention
 for which Python version we want to build a package.
 
 So, what did we do here? Well, we took the Nix expression that we used earlier
@@ -2136,7 +2136,7 @@ has security implications and is relevant for those using Python in a
 
 When the environment variable `DETERMINISTIC_BUILD` is set, all bytecode will
 have timestamp 1. The [`buildPythonPackage`](#buildpythonpackage-function) function sets `DETERMINISTIC_BUILD=1`
-and [PYTHONHASHSEED=0](https://docs.python.org/3.12/using/cmdline.html#envvar-PYTHONHASHSEED).
+and [PYTHONHASHSEED=0](https://docs.python.org/3.13/using/cmdline.html#envvar-PYTHONHASHSEED).
 Both are also exported in `nix-shell`.
 
 ### How to provide automatic tests to Python packages? {#automatic-tests}
@@ -2186,10 +2186,10 @@ The following rules are desired to be respected:
   It does not need to be set explicitly unless the package requires a specific platform.
 * The file is formatted with `nixfmt-rfc-style`.
 * Commit names of Python libraries must reflect that they are Python
-  libraries (e.g. `python312Packages.numpy: 1.11 -> 1.12` rather than `numpy: 1.11 -> 1.12`).
+  libraries (e.g. `python313Packages.numpy: 1.11 -> 1.12` rather than `numpy: 1.11 -> 1.12`).
 * The current default version of python should be included
   in commit messages to enable automatic builds by ofborg.
-  For example `python312Packages.numpy: 1.11 -> 1.12` should be used rather
+  For example `python313Packages.numpy: 1.11 -> 1.12` should be used rather
   than `python3Packages.numpy: 1.11 -> 1.12`.
   Note that `pythonPackages` is an alias for `python27Packages`.
 * Attribute names in `python-packages.nix` as well as `pname`s should match the

doc/redirects.json

@@ -478,6 +478,12 @@
   "footnote-stdenv-find-inputs-location.__back.0": [
     "index.html#footnote-stdenv-find-inputs-location.__back.0"
   ],
+  "strictflexarrays1": [
+    "index.html#strictflexarrays1"
+  ],
+  "strictflexarrays3": [
+    "index.html#strictflexarrays3"
+  ],
   "tester-shfmt": [
     "index.html#tester-shfmt"
   ],

doc/release-notes/rl-2511.section.md

@@ -30,8 +30,8 @@
 
 - Added `rewriteURL` attribute to the nixpkgs `config`, to allow for rewriting the URLs downloaded by `fetchurl`.
 
-- `vmalert` now supports multiple instances with the option `services.vmalert.instances."".enable`
-  et al..
+- New hardening flags, `strictflexarrays1` and `strictflexarrays3` were made available, corresponding to the gcc/clang options `-fstrict-flex-arrays=1` and `-fstrict-flex-arrays=3` respectively.
+
 - `gramps` has been updated to 6.0.0
   Upstream recommends [backing up your Family Trees](https://gramps-project.org/wiki/index.php/Gramps_6.0_Wiki_Manual_-_Manage_Family_Trees#Backing_up_a_Family_Tree) before upgrading.
 

doc/stdenv/stdenv.chapter.md

@@ -1622,6 +1622,22 @@ Adds the `-fPIE` compiler and `-pie` linker options. Position Independent Execut
 Static libraries need to be compiled with `-fPIE` so that executables can link them in with the `-pie` linker option.
 If the libraries lack `-fPIE`, you will get the error `recompile with -fPIE`.
 
+#### `strictflexarrays1` {#strictflexarrays1}
+
+This flag adds the `-fstrict-flex-arrays=1` compiler option, which reduces the cases the compiler treats as "flexible arrays" to those declared with length `[1]`, `[0]` or (the correct) `[]`. This increases the coverage of fortify checks, because such arrays declared as the trailing element of a structure can normally not have their intended length determined by the compiler.
+
+Enabling this flag on packages that still use length declarations of flexible arrays >1 may cause the package to fail to compile citing accesses beyond the bounds of an array or even crash at runtime by detecting an array access as an "overrun". Few projects still use length declarations of flexible arrays >1.
+
+Disabling `strictflexarrays1` implies disablement of `strictflexarrays3`.
+
+#### `strictflexarrays3` {#strictflexarrays3}
+
+This flag adds the `-fstrict-flex-arrays=3` compiler option, which reduces the cases the compiler treats as "flexible arrays" to only those declared with length as (the correct) `[]`. This increases the coverage of fortify checks, because such arrays declared as the trailing element of a structure can normally not have their intended length determined by the compiler.
+
+Enabling this flag on packages that still use non-empty length declarations for flexible arrays may cause the package to fail to compile citing accesses beyond the bounds of an array or even crash at runtime by detecting an array access as an "overrun". Many projects still use such non-empty length declarations for flexible arrays.
+
+Enabling this flag implies enablement of `strictflexarrays1`. Disabling this flag does not imply disablement of `strictflexarrays1`.
+
 #### `shadowstack` {#shadowstack}
 
 Adds the `-fcf-protection=return` compiler option. This enables the Shadow Stack feature supported by some newer processors, which maintains a user-inaccessible copy of the program's stack containing only return-addresses. When returning from a function, the processor compares the return-address value on the two stacks and throws an error if they do not match, considering it a sign of corruption and possible tampering. This should significantly increase the difficulty of ROP attacks.

lib/licenses.nix

@@ -232,6 +232,17 @@ lib.mapAttrs mkLicense (
       fullName = "Lawrence Berkeley National Labs BSD variant license";
     };
 
+    bsd3TheodoreTso = {
+      fullName = "BSD 3 Clause Theodore Tso Variant";
+      # TODO: if the license gets accepted to spdx then
+      #   add spdxId
+      # else
+      #   remove license
+      #   && replace all references with bsd3
+      # https://tools.spdx.org/app/license_requests/442/
+      # https://github.com/spdx/license-list-XML/issues/2702
+    };
+
     bsdAxisNoDisclaimerUnmodified = {
       fullName = "BSD-Axis without Warranty Disclaimer with Unmodified requirement";
       url = "https://scancode-licensedb.aboutcode.org/bsd-no-disclaimer-unmodified.html";
@@ -691,6 +702,18 @@ lib.mapAttrs mkLicense (
       fullName = "Historic Permission Notice and Disclaimer";
     };
 
+    hpndDifferentDisclaimer = {
+      fullName = "HPND with different disclaimer";
+      url = "https://gitlab.freedesktop.org/xorg/proto/xorgproto/-/blob/1914233e662d23ffb3812b80fadd0bbd064ad91c/COPYING-x11proto#L69-88";
+      # TODO: if the license gets accepted to spdx then
+      #   add spdxId
+      # else
+      #   remove license
+      #   && replace reference with whatever this license is supposed to be then
+      # https://tools.spdx.org/app/license_requests/456
+      # https://github.com/spdx/license-list-xml/issues/2753
+    };
+
     hpndSellVariant = {
       fullName = "Historical Permission Notice and Disclaimer - sell variant";
       spdxId = "HPND-sell-variant";

maintainers/scripts/haskell/mark-broken.sh

@@ -35,19 +35,19 @@ trap "rm ${tmpfile}" 0
 
 echo "Remember that you need to manually run 'maintainers/scripts/haskell/hydra-report.hs get-report' sometime before running this script."
 echo "Generating a list of broken builds and displaying for manual confirmation ..."
-maintainers/scripts/haskell/hydra-report.hs mark-broken-list $mark_broken_list_flags | sort -i > "$tmpfile"
+maintainers/scripts/haskell/hydra-report.hs mark-broken-list $mark_broken_list_flags | LC_ALL=C.UTF-8 sort --ignore-case > "$tmpfile"
 
 $EDITOR "$tmpfile"
 
 tail -n +3 "$broken_config" >> "$tmpfile"
 
 cat > "$broken_config" << EOF
+# These packages don't compile.
 broken-packages:
-  # These packages don't compile.
 EOF
 
 # clear environment here to avoid things like allowing broken builds in
-sort -iu "$tmpfile" >> "$broken_config"
+LC_ALL=C.UTF-8 sort --ignore-case --unique "$tmpfile" >> "$broken_config"
 clear="env -u HOME -u NIXPKGS_CONFIG"
 $clear maintainers/scripts/haskell/regenerate-hackage-packages.sh
 evalline=$(maintainers/scripts/haskell/hydra-report.hs eval-info)

maintainers/scripts/haskell/regenerate-transitive-broken-packages.sh

@@ -20,6 +20,6 @@ cat > $tmpfile << EOF
 dont-distribute-packages:
 EOF
 
-nix-instantiate --eval --option restrict-eval true -I . --strict --json maintainers/scripts/haskell/transitive-broken-packages.nix | jq -r . | LC_ALL=C.UTF-8 sort -i >> $tmpfile
+nix-instantiate --eval --option restrict-eval true -I . --strict --json maintainers/scripts/haskell/transitive-broken-packages.nix | jq -r . | LC_ALL=C.UTF-8 sort --ignore-case >> $tmpfile
 
 mv $tmpfile $config_file

maintainers/scripts/haskell/update-stackage.sh

@@ -46,7 +46,7 @@ sed -r \
     -e '/^with-compiler:/d' \
     -e '/installed$/d' \
     -e '/^$/d' \
-    < "${tmpfile}" | sort --ignore-case >"${tmpfile_new}"
+    < "${tmpfile}" | LC_ALL=C.UTF-8 sort --ignore-case >"${tmpfile_new}"
 
 cat > $stackage_config << EOF
 # Stackage $version

maintainers/scripts/kde/collect-missing-deps.py

@@ -62,6 +62,9 @@
     "krfb": {
         "Qt6XkbCommonSupport",  # not real
     },
+    "ksystemstats": {
+        "Libcap",  # used to call setcap at build time and nothing else
+    },
     "kuserfeedback": {
         "Qt6Svg",  # all used for backend console stuff we don't ship
         "QmlLint",
@@ -75,6 +78,9 @@
         "display-info",  # newer versions identify as libdisplay-info
         "Libcap",  # used to call setcap at build time and nothing else
     },
+    "kwin-x11": {
+        "Libcap",  # used to call setcap at build time and nothing else
+    },
     "libksysguard": {
         "Libcap",  # used to call setcap at build time and nothing else
     },
@@ -84,6 +90,12 @@
     },
     "plasma-desktop": {
         "scim",  # upstream is dead, not packaged in Nixpkgs
+        "KAccounts6",  # dead upstream
+        "AccountsQt6",  # dead upstream
+        "signon-oauth2plugin",  # dead upstream
+    },
+    "plasma-dialer": {
+        "KTactileFeedback",  # dead?
     },
     "poppler-qt6": {
         "gobject-introspection-1.0",  # we don't actually want to build the GTK variant