Merge master into staging-next

doc/contributing/submitting-changes.chapter.md

@@ -68,15 +68,16 @@
 
 Security fixes are submitted in the same way as other changes and thus the same guidelines apply.
 
-If the security fix comes in the form of a patch and a CVE is available, then the name of the patch should be the CVE identifier, so e.g. `CVE-2019-13636.patch` in the case of a patch that is included in the Nixpkgs tree. If a patch is fetched the name needs to be set as well, e.g.:
-
-```nix
-(fetchpatch {
-  name = "CVE-2019-11068.patch";
-  url = "https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch";
-  sha256 = "0pkpb4837km15zgg6h57bncp66d5lwrlvkr73h0lanywq7zrwhj8";
-})
-```
+- If a new version fixing the vulnerability has been released, update the package;
+- If the security fix comes in the form of a patch and a CVE is available, then add the patch to the Nixpkgs tree, and apply it to the package.
+  The name of the patch should be the CVE identifier, so e.g. `CVE-2019-13636.patch`; If a patch is fetched the name needs to be set as well, e.g.:
+  ```nix
+  (fetchpatch {
+    name = "CVE-2019-11068.patch";
+    url = "https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch";
+    sha256 = "0pkpb4837km15zgg6h57bncp66d5lwrlvkr73h0lanywq7zrwhj8";
+  })
+  ```
 
 If a security fix applies to both master and a stable release then, similar to regular changes, they are preferably delivered via master first and cherry-picked to the release branch.
 

doc/contributing/vulnerability-roundup.chapter.md

@@ -0,0 +1,45 @@
+# Vulnerability Roundup {#chap-vulnerability-roundup}
+
+## Issues {#vulnerability-roundup-issues}
+
+Vulnerable packages in Nixpkgs are managed using issues.
+Currently opened ones can be found using the following:
+
+[github.com/NixOS/nixpkgs/issues?q=is:issue+is:open+"Vulnerability+roundup"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+%22Vulnerability+roundup%22)
+
+Each issue correspond to a vulnerable version of a package; As a consequence:
+
+- One issue can contain several CVEs;
+- One CVE can be shared across several issues;
+- A single package can be concerned by several issues.
+
+
+A "Vulnerability roundup" issue usually respects the following format:
+
+```txt
+<link to relevant package search on search.nix.gsc.io>, <link to relevant files in Nixpkgs on GitHub>
+
+<list of related CVEs, their CVSS score, and the impacted NixOS version>
+
+<list of the scanned Nixpkgs versions>
+
+<list of relevant contributors>
+```
+
+Note that there can be an extra comment containing links to previously reported (and still open) issues for the same package.
+
+
+## Triaging and Fixing {#vulnerability-roundup-triaging-and-fixing}
+
+**Note**: An issue can be a "false positive" (i.e. automatically opened, but without the package it refers to being actually vulnerable).
+If you find such a "false positive", comment on the issue an explanation of why it falls into this category, linking as much information as the necessary to help maintainers double check.
+
+If you are investigating a "true positive":
+
+- Find the earliest patched version or a code patch in the CVE details;
+- Is the issue already patched (version up-to-date or patch applied manually) in Nixpkgs's `master` branch?
+  - **No**:
+    - [Submit a security fix](#submitting-changes-submitting-security-fixes);
+    - Once the fix is merged into `master`, [submit the change to the vulnerable release branch(es)](https://nixos.org/manual/nixpkgs/stable/#submitting-changes-stable-release-branches);
+  - **Yes**: [Backport the change to the vulnerable release branch(es)](https://nixos.org/manual/nixpkgs/stable/#submitting-changes-stable-release-branches).
+- When the patch has made it into all the relevant branches (`master`, and the vulnerable releases), close the relevant issue(s).

doc/manual.xml

@@ -35,6 +35,7 @@
   <xi:include href="contributing/quick-start.xml" />
   <xi:include href="contributing/coding-conventions.xml" />
   <xi:include href="contributing/submitting-changes.chapter.xml" />
+  <xi:include href="contributing/vulnerability-roundup.chapter.xml" />
   <xi:include href="contributing/reviewing-contributions.xml" />
   <xi:include href="contributing/contributing-to-documentation.xml" />
  </part>

nixos/modules/module-list.nix

@@ -155,6 +155,7 @@
   ./programs/nm-applet.nix
   ./programs/npm.nix
   ./programs/oblogout.nix
+  ./programs/partition-manager.nix
   ./programs/plotinus.nix
   ./programs/proxychains.nix
   ./programs/qt5ct.nix

nixos/modules/programs/partition-manager.nix

@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  meta.maintainers = [ maintainers.oxalica ];
+
+  ###### interface
+  options = {
+    programs.partition-manager.enable = mkEnableOption "KDE Partition Manager";
+  };
+
+  ###### implementation
+  config = mkIf config.programs.partition-manager.enable {
+    services.dbus.packages = [ pkgs.libsForQt5.kpmcore ];
+    # `kpmcore` need to be installed to pull in polkit actions.
+    environment.systemPackages = [ pkgs.libsForQt5.kpmcore pkgs.partition-manager ];
+  };
+}

nixos/modules/system/boot/systemd-lib.nix

@@ -182,18 +182,7 @@ in rec {
       # upstream unit.
       for i in ${toString (mapAttrsToList (n: v: v.unit) units)}; do
         fn=$(basename $i/*)
-
-        case $fn in
-          # if file name is a template specialization, use the template's name
-          *@?*.service)
-            # remove @foo.service and replace it with @.service
-            ofn="''${fn%@*.service}@.service"
-            ;;
-          *)
-            ofn="$fn"
-        esac
-
-        if [ -e $out/$ofn ]; then
+        if [ -e $out/$fn ]; then
           if [ "$(readlink -f $i/$fn)" = /dev/null ]; then
             ln -sfn /dev/null $out/$fn
           else

nixos/tests/systemd-template-override.nix

@@ -1,41 +0,0 @@
-import ./make-test-python.nix {
-  name = "systemd-template-override";
-
-  machine = { pkgs, lib, ... }: let
-    touchTmp = pkgs.writeTextFile {
-      name = "touch-tmp@.service";
-      text = ''
-        [Service]
-        Type=oneshot
-        ExecStart=${pkgs.coreutils}/bin/touch /tmp/%I
-      '';
-      destination = "/etc/systemd/system/touch-tmp@.service";
-    };
-  in {
-    systemd.packages = [ touchTmp ];
-
-    systemd.services."touch-tmp@forbidden" = {
-      serviceConfig.ExecStart = [ "" ''
-        ${pkgs.coreutils}/bin/true
-      ''];
-    };
-
-    systemd.services."touch-tmp@intercept" = {
-      serviceConfig.ExecStart = [ "" ''
-        ${pkgs.coreutils}/bin/touch /tmp/renamed
-      ''];
-    };
-  };
-
-  testScript = ''
-    machine.wait_for_unit("default.target")
-
-    machine.succeed("systemctl start touch-tmp@normal")
-    machine.succeed("systemctl start touch-tmp@forbbidden")
-    machine.succeed("systemctl start touch-tmp@intercept")
-
-    machine.succeed("[ -e /tmp/normal ]")
-    machine.succeed("[ ! -e /tmp/forbidden ]")
-    machine.succeed("[ -e /tmp/renamed ]")
-  '';
-}

pkgs/applications/audio/samplv1/default.nix

@@ -5,11 +5,11 @@
 
 mkDerivation rec {
   pname = "samplv1";
-  version = "0.9.18";
+  version = "0.9.20";
 
   src = fetchurl {
     url = "mirror://sourceforge/samplv1/${pname}-${version}.tar.gz";
-    sha256 = "ePhM9OTLJp1Wa2D9Y1Dqq/69WlEhEp3ih9yNUIJU5Y4=";
+    sha256 = "sha256-9tm72lV9i/155TVweNwO2jpPsCJkh6r82g7Z1wCI1ho=";
   };
 
   nativeBuildInputs = [ qttools pkg-config ];

pkgs/applications/networking/browsers/chromium/upstream-info.json

@@ -31,15 +31,15 @@
     }
   },
   "dev": {
-    "version": "91.0.4442.4",
-    "sha256": "0cmm2pimkghb6s956bkqf2k77lj69dz51nlydgkqbvw0sc8n784k",
-    "sha256bin64": "1hbfx8n51p7dwwz1vbp94jdmlb96vvxrbql2af4kmvx1bmzr2ism",
+    "version": "91.0.4449.6",
+    "sha256": "1y6z7p64fi4dxyrxrnlmg0wwczgw58cinrsywhnrpl2wp2y3v6m3",
+    "sha256bin64": "1baxra0hg981awinyyvm1x46rlskjmhs2m1h0zf72l11y1jyj5vc",
     "deps": {
       "gn": {
-        "version": "2021-02-09",
+        "version": "2021-03-12",
         "url": "https://gn.googlesource.com/gn",
-        "rev": "dfcbc6fed0a8352696f92d67ccad54048ad182b3",
-        "sha256": "1941bzg37c4dpsk3sh6ga3696gpq6vjzpcw9rsnf6kdr9mcgdxvn"
+        "rev": "64b3b9401c1c3ed5f3c43c1cac00b91f83597ab8",
+        "sha256": "14whk4gyx21cqxy1560xm8p1mc1581dh9g7xy120g8vvcylknjlm"
       }
     }
   },

pkgs/applications/networking/instant-messengers/deltachat-electron/default.nix

@@ -2,12 +2,12 @@
 
 let
   pname = "deltachat-electron";
-  version = "1.15.2";
+  version = "1.15.3";
   name = "${pname}-${version}";
 
   src = fetchurl {
     url = "https://download.delta.chat/desktop/v${version}/DeltaChat-${version}.AppImage";
-    sha256 = "sha256-iw2tU8qqXWbtEdLGlW8HNBHx8F2CgnCGCBUWpM407us=";
+    sha256 = "sha256-cYb0uruuWpNr1jF5WZ48quBZRIVXiHr99mLPLKMOX5M=";
   };
 
   appimageContents = appimageTools.extract { inherit name src; };

pkgs/applications/networking/instant-messengers/pidgin-plugins/carbons/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "pidgin-carbons";
-  version = "0.2.2";
+  version = "0.2.3";
 
   src = fetchFromGitHub {
     owner = "gkdr";
     repo  = "carbons";
     rev   = "v${version}";
-    sha256 = "1aq9bwgpmbwrigq6ywf0pjkngqcm0qxncygaj1fi57npjhcjs6ln";
+    sha256 = "sha256-qiyIvmJbRmCrAi/93UxDVtO76nSdtzUVfT/sZGxxAh8=";
   };
 
   makeFlags = [ "PURPLE_PLUGIN_DIR=$(out)/lib/pidgin" ];

pkgs/applications/science/electronics/gtkwave/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "gtkwave";
-  version = "3.3.107";
+  version = "3.3.108";
 
   src = fetchurl {
     url    = "mirror://sourceforge/gtkwave/${pname}-gtk3-${version}.tar.gz";
-    sha256 = "0ma30jyc94iid3v3m8aw4i2lyiqfxkpsdvdmmaibynk400cbzivl";
+    sha256 = "sha256-LtlexZKih+Si/pH3oQpWdpzfZ6j+41Otgfx7nLMfFSQ=";
   };
 
   nativeBuildInputs = [ pkg-config wrapGAppsHook ];

pkgs/applications/video/clipgrab/default.nix

@@ -5,10 +5,10 @@
 
 mkDerivation rec {
   pname = "clipgrab";
-  version = "3.9.5";
+  version = "3.9.6";
 
   src = fetchurl {
-    sha256 = "1p8pqa5s70basdm2zpmahc54shsxrr0fr7chvv425n5a9sqba4dh";
+    sha256 = "sha256-1rQu2Gh9PKSbC0tuQxLwFhzy280z4obpa+eXvDBzDW0=";
     # The .tar.bz2 "Download" link is a binary blob, the source is the .tar.gz!
     url = "https://download.clipgrab.org/${pname}-${version}.tar.gz";
   };

pkgs/development/libraries/cutelyst/default.nix

@@ -4,13 +4,13 @@
 
 stdenv.mkDerivation rec {
   pname = "cutelyst";
-  version = "2.14.0";
+  version = "2.14.2";
 
   src = fetchFromGitHub {
     owner = "cutelyst";
     repo = "cutelyst";
     rev = "v${version}";
-    sha256 = "sha256-RidUZqDnzRrgW/7LVF+BF01zNcf1cJ/kS7OF/t1Q65c=";
+    sha256 = "sha256-JUffOeUTeaZvEssP5hfSGipeRuQ7FzLF4bOizCFhe5o=";
   };
 
   nativeBuildInputs = [ cmake pkg-config wrapQtAppsHook ];

pkgs/development/libraries/kpmcore/default.nix

@@ -1,25 +1,38 @@
-{ stdenv, lib, fetchurl, extra-cmake-modules
-, qtbase, kio
-, libatasmart, parted
-, util-linux }:
+{ stdenv, lib, fetchurl, fetchpatch, extra-cmake-modules
+, qca-qt5, kauth, kio, polkit-qt, qtbase
+, util-linux
+}:
 
 stdenv.mkDerivation rec {
   pname = "kpmcore";
-  version = "3.3.0";
+  # NOTE: When changing this version, also change the version of `partition-manager`.
+  version = "4.2.0";
 
   src = fetchurl {
     url = "mirror://kde/stable/${pname}/${version}/src/${pname}-${version}.tar.xz";
-    sha256 = "0s6v0jfrhjg31ri5p6h9n4w29jvasf5dj954j3vfpzl91lygmmmq";
+    hash = "sha256-MvW0CqvFZtzcJlya6DIpzorPbKJai6fxt7nKsKpJn54=";
   };
 
+  patches = [
+    # Fix build with `kcoreaddons` >= 5.77.0
+    (fetchpatch {
+      url = "https://github.com/KDE/kpmcore/commit/07e5a3ac2858e6d38cc698e0f740e7a693e9f302.patch";
+      sha256 = "sha256-LYzea888euo2HXM+acWaylSw28iwzOdZBvPBt/gjP1s=";
+    })
+    # Fix crash when `fstab` omits mount options.
+    (fetchpatch {
+      url = "https://github.com/KDE/kpmcore/commit/eea84fb60525803a789e55bb168afb968464c130.patch";
+      sha256 = "sha256-NJ3PvyRC6SKNSOlhJPrDDjepuw7IlAoufPgvml3fap0=";
+    })
+  ];
+
   buildInputs = [
-    qtbase
-    libatasmart
-    parted # we only need the library
-
+    qca-qt5
+    kauth
     kio
+    polkit-qt
 
-    util-linux # needs blkid (note that this is not provided by util-linux-compat)
+    util-linux # Needs blkid in configure script (note that this is not provided by util-linux-compat)
   ];
 
   nativeBuildInputs = [ extra-cmake-modules ];
@@ -27,8 +40,11 @@ stdenv.mkDerivation rec {
   dontWrapQtApps = true;
 
   meta = with lib; {
-    maintainers = with lib.maintainers; [ peterhoeg ];
+    description = "KDE Partition Manager core library";
+    homepage = "https://invent.kde.org/system/kpmcore";
+    license = with licenses; [ cc-by-40 cc0 gpl3Plus mit ];
+    maintainers = with maintainers; [ peterhoeg oxalica ];
     # The build requires at least Qt 5.14:
-    broken = lib.versionOlder qtbase.version "5.14";
+    broken = versionOlder qtbase.version "5.14";
   };
 }

pkgs/development/ocaml-modules/bitstring/default.nix

@@ -2,7 +2,7 @@
 
 buildDunePackage rec {
   pname = "bitstring";
-  version = "4.0.1";
+  version = "4.1.0";
 
   useDune2 = true;
 
@@ -10,7 +10,7 @@ buildDunePackage rec {
     owner = "xguerin";
     repo = pname;
     rev = "v${version}";
-    sha256 = "1z7jmgljvp52lvn3ml2cp6gssxqp4sikwyjf6ym97cycbcw0fjjm";
+    sha256 = "0mghsl8b2zd2676mh1r9142hymhvzy9cw8kgkjmirxkn56wbf56b";
   };
 
   propagatedBuildInputs = [ stdlib-shims ];

pkgs/development/ocaml-modules/bitstring/ppx.nix

@@ -3,6 +3,10 @@
 , ounit
 }:
 
+if !lib.versionAtLeast ppxlib.version "0.18.0"
+then throw "ppx_bitstring is not available with ppxlib-${ppxlib.version}"
+else
+
 buildDunePackage rec {
   pname = "ppx_bitstring";
   inherit (bitstring) version useDune2 src;

pkgs/development/ocaml-modules/ppx_import/default.nix

@@ -1,27 +1,28 @@
-{ lib, fetchurl, buildDunePackage, ocaml
-, ounit, ppx_deriving, ppx_tools_versioned
-, ppxlib, ocaml-migrate-parsetree
+{ lib, fetchurl, buildDunePackage
+, ppx_tools_versioned
+, ocaml-migrate-parsetree
+, ounit, ppx_deriving, ppxlib
 }:
 
 buildDunePackage rec {
   pname = "ppx_import";
-  version = "1.7.1";
+  version = "1.8.0";
 
   useDune2 = true;
 
   minimumOCamlVersion = "4.04";
 
   src = fetchurl {
-    url = "https://github.com/ocaml-ppx/ppx_import/releases/download/v${version}/ppx_import-v${version}.tbz";
-    sha256 = "16dyxfb7syz659rqa7yq36ny5vzl7gkqd7f4m6qm2zkjc1gc8j4v";
+    url = "https://github.com/ocaml-ppx/ppx_import/releases/download/v${version}/ppx_import-${version}.tbz";
+    sha256 = "0zqcj70yyp4ik4jc6jz3qs2xhb94vxc6yq9ij0d5cyak28klc3gv";
   };
 
   propagatedBuildInputs = [
-    ppxlib ppx_tools_versioned ocaml-migrate-parsetree
+    ppx_tools_versioned ocaml-migrate-parsetree
   ];
 
   doCheck = true;
-  checkInputs = [ ounit ppx_deriving ];
+  checkInputs = [ ounit ppx_deriving ppxlib ];
 
   meta = {
     description = "A syntax extension that allows to pull in types or signatures from other compiled interface files";

pkgs/development/python-modules/databricks-cli/default.nix

@@ -9,11 +9,11 @@
 
 buildPythonPackage rec {
   pname = "databricks-cli";
-  version = "0.14.2";
+  version = "0.14.3";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "9e956f0efb7aad100d9963f223db986392cf2dc3e9922f2f83e55d372e84ef16";
+    sha256 = "bdf89a3917a3f8f8b99163e38d40e66dc478c7408954747f145cd09816b05e2c";
   };
 
   checkInputs = [

pkgs/development/python-modules/gradient/default.nix

@@ -7,11 +7,11 @@
 
 buildPythonPackage rec {
   pname = "gradient";
-  version = "1.4.2";
+  version = "1.4.3";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "2ed10db306d4c8632b7d04d71d44a04331a6e80e5ebab7296a98e67e8a50fb71";
+    sha256 = "a8fa91669c97440049132119019e90d0a9cf09e96352cf43c7c6ca244894bd4e";
   };
 
   postPatch = ''

pkgs/development/python-modules/jenkins-job-builder/default.nix

@@ -10,11 +10,11 @@
 
 buildPythonPackage rec {
   pname = "jenkins-job-builder";
-  version = "3.8.0";
+  version = "3.9.0";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "sha256-uRyeRP1y3GS7tXb0kHLBi7+trJRme/Ke3xgOY+LqZ6k=";
+    sha256 = "4a53e146843d567c375c2e61e70a840d75a412402fd78c1dd3da5642a6aaa375";
   };
 
   postPatch = ''

pkgs/development/tools/misc/cproto/default.nix

@@ -2,7 +2,7 @@
 
 stdenv.mkDerivation rec {
   pname = "cproto";
-  version = "4.7q";
+  version = "4.7r";
 
   src = fetchurl {
     urls = [
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
       # No version listings and apparently no versioned tarball over http(s).
       "ftp://ftp.invisible-island.net/cproto/cproto-${version}.tgz"
     ];
-    sha256 = "138n5j6lkanbbdcs63irzxny4nfgp0zk66z621xjbnybf920svpk";
+    sha256 = "sha256-bgRg2yVZXHobUz8AUaV4ZKBkp2KjP+2oXbDXmPTUX8U=";
   };
 
   # patch made by Joe Khoobyar copied from gentoo bugs

pkgs/games/cbonsai/default.nix

@@ -1,14 +1,14 @@
 { stdenv, lib, fetchFromGitLab, ncurses, pkg-config, nix-update-script }:
 
 stdenv.mkDerivation rec {
-  version = "1.0.1";
+  version = "1.0.4";
   pname = "cbonsai";
 
   src = fetchFromGitLab {
     owner = "jallbrit";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-UTjbc0kGHOQse4sZF94p4LAwMk9vsZg1QHq8iuDcTDk=";
+    sha256 = "sha256-5yyvisExf4Minyr1ApJQ2SoctfjhdU6kEbgBGgHDtCg=";
   };
 
   nativeBuildInputs = [ pkg-config ];

pkgs/os-specific/linux/pax-utils/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "pax-utils";
-  version = "1.2.6";
+  version = "1.2.8";
 
   src = fetchurl {
     url = "http://distfiles.gentoo.org/distfiles/${pname}-${version}.tar.xz";
-    sha256 = "08bzvgv1z3371sqf7zlm9i0b1y3wdymj2dqdvzvf192k3nix4hlp";
+    sha256 = "sha256-urTIhG4dLMNmnPqSMdIdszWEHX1Y+eGc0Jn+bOYmsVc=";
   };
 
   makeFlags = [ "PREFIX=$(out)" ];

pkgs/servers/matterbridge/default.nix

@@ -2,7 +2,7 @@
 
 buildGoModule rec {
   pname = "matterbridge";
-  version = "1.21.0";
+  version = "1.22.0";
 
   vendorSha256 = null;
 
@@ -10,7 +10,7 @@ buildGoModule rec {
 
   src = fetchurl {
     url = "https://github.com/42wim/matterbridge/archive/v${version}.tar.gz";
-    sha256 = "sha256-ehn6KdPpDpfdyWCVfLuZLq2dDmZXc6InlnovqNsdG6Y=";
+    sha256 = "sha256-jwatqxQh4t4tgNiOEjS9vxIM+9XtnH8QNch887+xDnI=";
   };
 
   meta = with lib; {

pkgs/servers/mattermost/default.nix

@@ -1,7 +1,7 @@
 { lib, stdenv, fetchurl, fetchFromGitHub, buildGoPackage, buildEnv }:
 
 let
-  version = "5.25.3";
+  version = "5.32.1";
 
   mattermost-server = buildGoPackage rec {
     pname = "mattermost-server";
@@ -11,7 +11,7 @@ let
       owner = "mattermost";
       repo = "mattermost-server";
       rev = "v${version}";
-      sha256 = "03xcwlbb9ff5whsdn2m3kqskxpwpfciikjjndbhksc8k8963z07j";
+      sha256 = "BssrTfkIxUbXYXIfz9i+5b4rEYSzBim+/riK78m8Bxo=";
     };
 
     goPackagePath = "github.com/mattermost/mattermost-server";
@@ -29,7 +29,7 @@ let
 
     src = fetchurl {
       url = "https://releases.mattermost.com/${version}/mattermost-${version}-linux-amd64.tar.gz";
-      sha256 = "1p1qxzrd6rj1i43vj18ysknrw2v02s7llx94nrdd5lk10ayzmg63";
+      sha256 = "kRerl3fYRTrotj86AIFSor3GpjhABkCmego1ms9HmkQ=";
     };
 
     installPhase = ''

pkgs/servers/monitoring/grafana/default.nix

@@ -2,7 +2,7 @@
 
 buildGoModule rec {
   pname = "grafana";
-  version = "7.4.3";
+  version = "7.4.5";
 
   excludedPackages = [ "release_publisher" ];
 
@@ -10,15 +10,15 @@ buildGoModule rec {
     rev = "v${version}";
     owner = "grafana";
     repo = "grafana";
-    sha256 = "sha256-FPQa6q1ks9Lpod5sI29YBnGZvVRU12hTiw6GR85/mEs=";
+    sha256 = "10pnwd4d19ry7w2x46acc3j8gjn73b45fzc579gz1hc8hx2b3s0s";
   };
 
   srcStatic = fetchurl {
     url = "https://dl.grafana.com/oss/release/grafana-${version}.linux-amd64.tar.gz";
-    sha256 = "sha256-idbG+K9NVnNhEB0f7DfP7iaEnHMf59ieQtYnmT6CvVM=";
+    sha256 = "1x9jx3ww37cn6r6cn6gqlavmllxydks23vm8w4934bv8zppj1zwz";
   };
 
-  vendorSha256 = "sha256-LL+EkDZbbaNo/fPMGlPsB8jgBYHoe6SdkBbQoW5y4EU=";
+  vendorSha256 = "0ig0f9pa3l0nj2fs8yz8h42y1j07xi9imk7kzmla6vav6s889grc";
 
   postPatch = ''
     substituteInPlace pkg/cmd/grafana-server/main.go \

pkgs/tools/misc/nncp/default.nix

@@ -1,6 +1,7 @@
 { lib, stdenv
 , go
 , fetchurl
+, redo-apenwarr
 , curl
 , perl
 , genericUpdater
@@ -9,24 +10,33 @@
 
 stdenv.mkDerivation rec {
   pname = "nncp";
-  version = "5.3.3";
+  version = "6.2.0";
 
   src = fetchurl {
     url = "http://www.nncpgo.org/download/${pname}-${version}.tar.xz";
-    sha256 = "1l35ndzrvpfim29jn1p0bwmc8w892z44nsrdnay28k229r9dhz3h";
+    sha256 = "1zj0v82zqigcxhpc50mvafvi1ihs92ck35vjfrwb7wzzd7nysb17";
   };
 
-  nativeBuildInputs = [ go ];
+  nativeBuildInputs = [ go redo-apenwarr ];
 
-  preConfigure = ''
+  buildPhase = ''
+    runHook preBuild
     export GOCACHE=$PWD/.cache
+    export CFGPATH=/etc/nncp.hjson
+    export SENDMAIL=sendmail # default value for generated config file
+    redo ''${enableParallelBuilding:+-j''${NIX_BUILD_CORES}}
+    runHook postBuild
   '';
 
-  makeFlags = [
-    "PREFIX=${placeholder "out"}"
-    "CFGPATH=/etc/nncp.hjson"
-    "SENDMAIL=/run/wrappers/bin/sendmail"
-  ];
+  installPhase = ''
+    runHook preInstall
+    export PREFIX=$out
+    rm -f INSTALL # work around case insensitivity
+    redo install
+    runHook postInstall
+  '';
+
+  enableParallelBuilding = true;
 
   passthru.updateScript = genericUpdater {
     inherit pname version;
@@ -54,7 +64,7 @@ stdenv.mkDerivation rec {
       transmission exists.
     '';
     homepage = "http://www.nncpgo.org/";
-    license = licenses.gpl3;
+    license = licenses.gpl3Only;
     platforms = platforms.all;
     maintainers = [ maintainers.woffs ];
   };

pkgs/tools/misc/partition-manager/default.nix

@@ -1,30 +1,66 @@
-{ mkDerivation, fetchurl, lib
+{ mkDerivation, fetchurl, lib, makeWrapper
 , extra-cmake-modules, kdoctools, wrapGAppsHook, wrapQtAppsHook
 , kconfig, kcrash, kinit, kpmcore
-, eject, libatasmart , util-linux, qtbase
+, cryptsetup, lvm2, mdadm, smartmontools, systemdMinimal, util-linux
+, btrfs-progs, dosfstools, e2fsprogs, exfat, f2fs-tools, fatresize, hfsprogs
+, jfsutils, nilfs-utils, ntfs3g, reiser4progs, reiserfsprogs, udftools, xfsprogs, zfs
 }:
 
 let
-  pname = "partitionmanager";
+  # External programs are resolved by `partition-manager` and then
+  # invoked by `kpmcore_externalcommand` from `kpmcore` as root.
+  # So these packages should be in PATH of `partition-manager`.
+  # https://github.com/KDE/kpmcore/blob/06f15334ecfbe871730a90dbe2b694ba060ee998/src/util/externalcommand_whitelist.h
+  runtimeDeps = lib.makeBinPath [
+    cryptsetup
+    lvm2
+    mdadm
+    smartmontools
+    systemdMinimal
+    util-linux
+
+    btrfs-progs
+    dosfstools
+    e2fsprogs
+    exfat
+    f2fs-tools
+    fatresize
+    hfsprogs
+    jfsutils
+    nilfs-utils
+    ntfs3g
+    reiser4progs
+    reiserfsprogs
+    udftools
+    xfsprogs
+    zfs
+
+    # FIXME: Missing command: tune.exfat hfsck hformat fsck.nilfs2 {fsck,mkfs,debugfs,tunefs}.ocfs2
+  ];
+
 in mkDerivation rec {
-  name = "${pname}-${version}";
-  version = "3.3.1";
+  pname = "partitionmanager";
+  # NOTE: When changing this version, also change the version of `kpmcore`.
+  version = "4.2.0";
 
   src = fetchurl {
-    url = "mirror://kde/stable/${pname}/${version}/src/${name}.tar.xz";
-    sha256 = "0jhggb4xksb0k0mj752n6pz0xmccnbzlp984xydqbz3hkigra1si";
+    url = "mirror://kde/stable/${pname}/${version}/src/${pname}-${version}.tar.xz";
+    hash = "sha256-6Qlt1c47Eek6TkWWBzTyBZYJ1jfhtwsC9X5q5h6IhPg=";
   };
 
-  nativeBuildInputs = [ extra-cmake-modules kdoctools wrapGAppsHook wrapQtAppsHook ];
+  nativeBuildInputs = [ extra-cmake-modules kdoctools wrapGAppsHook wrapQtAppsHook makeWrapper ];
 
-  # refer to kpmcore for the use of eject
-  buildInputs = [ eject libatasmart util-linux ];
   propagatedBuildInputs = [ kconfig kcrash kinit kpmcore ];
 
+  postFixup = ''
+    wrapProgram $out/bin/partitionmanager \
+      --prefix PATH : "${runtimeDeps}"
+  '';
+
   meta = with lib; {
     description = "KDE Partition Manager";
-    license = licenses.gpl2;
+    license = with licenses; [ cc-by-40 cc0 gpl3Plus lgpl3Plus mit ];
     homepage = "https://www.kde.org/applications/system/kdepartitionmanager/";
-    maintainers = with maintainers; [ peterhoeg ];
+    maintainers = with maintainers; [ peterhoeg oxalica ];
   };
 }

pkgs/top-level/ocaml-packages.nix

@@ -929,7 +929,9 @@ let
 
     ppx_bap = callPackage ../development/ocaml-modules/ppx_bap { };
 
-    ppx_bitstring = callPackage ../development/ocaml-modules/bitstring/ppx.nix { };
+    ppx_bitstring = callPackage ../development/ocaml-modules/bitstring/ppx.nix {
+      ppxlib = ppxlib.override { version = "0.22.0"; };
+    };
 
     ppxfind = callPackage ../development/ocaml-modules/ppxfind { };