Merge master into staging-next

2020-05-11 22:08:13 +02:00 · 2020-05-11 22:08:13 +02:00 · 568cef433d
commit 568cef433d
parent d20d734bcf 82ca249c92
91 changed files with 1088 additions and 557 deletions
--- a/lib/kernel.nix
+++ b/lib/kernel.nix
@ -14,7 +14,7 @@ with lib;
  freeform = x: { freeform = x; };
  /*
-    Common patterns/legacy used in common-config/hardened-config.nix
+    Common patterns/legacy used in common-config/hardened/config.nix
   */
  whenHelpers = version: {
    whenAtLeast = ver: mkIf (versionAtLeast version ver);
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@ -279,6 +279,13 @@ php.override {
 </programlisting>
    </para>
   </listitem>
   <listitem>
    <para>
      The Nginx log directory has been moved to <literal>/var/log/nginx</literal>, the cache directory
      to <literal>/var/cache/nginx</literal>. The option <literal>services.nginx.stateDir</literal> has
      been removed.
    </para>
   </listitem>
   <listitem>
    <para>
     The httpd web server previously started its main process as root
--- a/nixos/lib/test-driver/test-driver.py
+++ b/nixos/lib/test-driver/test-driver.py
@ -369,7 +369,7 @@ class Machine:
            q = q.replace("'", "\\'")
            return self.execute(
                (
-                    "su -l {} -c "
+                    "su -l {} --shell /bin/sh -c "
                    "$'XDG_RUNTIME_DIR=/run/user/`id -u` "
                    "systemctl --user {}'"
                ).format(user, q)
--- a/nixos/modules/services/logging/awstats.nix
+++ b/nixos/modules/services/logging/awstats.nix
@ -24,7 +24,7 @@ let
      logFile = mkOption {
        type = types.str;
-        example = "/var/spool/nginx/logs/access.log";
+        example = "/var/log/nginx/access.log";
        description = ''
          The log file to be scanned.
@ -110,7 +110,7 @@ in
        {
          "mysite" = {
            domain = "example.com";
-            logFile = "/var/spool/nginx/logs/access.log";
+            logFile = "/var/log/nginx/access.log";
          };
        }
      '';
--- a/nixos/modules/services/networking/monero.nix
+++ b/nixos/modules/services/networking/monero.nix
@ -26,7 +26,7 @@ let
      rpc-login=${rpc.user}:${rpc.password}
    ''}
    ${optionalString rpc.restricted ''
-      restrict-rpc=1
+      restricted-rpc=1
    ''}
    limit-rate-up=${toString limits.upload}
--- a/nixos/modules/services/web-servers/nginx/default.nix
+++ b/nixos/modules/services/web-servers/nginx/default.nix
@ -187,7 +187,7 @@ let
    then "/etc/nginx/nginx.conf"
    else configFile;
-  execCommand = "${cfg.package}/bin/nginx -c '${configPath}' -p '${cfg.stateDir}'";
+  execCommand = "${cfg.package}/bin/nginx -c '${configPath}'";
  vhosts = concatStringsSep "\n" (mapAttrsToList (vhostName: vhost:
    let
@ -463,13 +463,6 @@ in
        '';
      };
      stateDir = mkOption {
        default = "/var/spool/nginx";
        description = "
          Directory holding all state for nginx to run.
        ";
      };
      user = mkOption {
        type = types.str;
        default = "nginx";
@ -636,6 +629,13 @@ in
    };
  };
  imports = [
    (mkRemovedOptionModule [ "services" "nginx" "stateDir" ] ''
      The Nginx log directory has been moved to /var/log/nginx, the cache directory
      to /var/cache/nginx. The option services.nginx.stateDir has been removed.
    '')
  ];
  config = mkIf cfg.enable {
    # TODO: test user supplied config file pases syntax test
@ -680,12 +680,6 @@ in
      }
    ];
    systemd.tmpfiles.rules = [
      "d '${cfg.stateDir}' 0750 ${cfg.user} ${cfg.group} - -"
      "d '${cfg.stateDir}/logs' 0750 ${cfg.user} ${cfg.group} - -"
      "Z '${cfg.stateDir}' - ${cfg.user} ${cfg.group} - -"
    ];
    systemd.services.nginx = {
      description = "Nginx Web Server";
      wantedBy = [ "multi-user.target" ];
@ -708,6 +702,12 @@ in
        # Runtime directory and mode
        RuntimeDirectory = "nginx";
        RuntimeDirectoryMode = "0750";
        # Cache directory and mode
        CacheDirectory = "nginx";
        CacheDirectoryMode = "0750";
        # Logs directory and mode
        LogsDirectory = "nginx";
        LogsDirectoryMode = "0750";
        # Capabilities
        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SYS_RESOURCE" ];
      };
--- a/nixos/tests/service-runner.nix
+++ b/nixos/tests/service-runner.nix
@ -23,7 +23,7 @@ import ./make-test-python.nix ({ pkgs, ... }: {
        machine.fail(f"curl {url}")
        machine.succeed(
            """
-            mkdir -p /run/nginx /var/spool/nginx/logs
+            mkdir -p /run/nginx /var/log/nginx /var/cache/nginx
            ${nodes.machine.config.systemd.services.nginx.runner} &
            echo $!>my-nginx.pid
            """
--- a/pkgs/applications/editors/mg/default.nix
+++ b/pkgs/applications/editors/mg/default.nix
@ -1,12 +1,14 @@
-{ stdenv, fetchurl, pkgconfig, libbsd, ncurses, buildPackages }:
+{ stdenv, fetchFromGitHub, pkgconfig, ncurses, buildPackages }:
 stdenv.mkDerivation rec {
  pname = "mg";
-  version = "20171014";
+  version = "6.7";
-  src = fetchurl {
+  src = fetchFromGitHub {
-    url = "http://homepage.boetes.org/software/mg/${pname}-${version}.tar.gz";
+    owner = "ibara";
-    sha256 = "0hakfikzsml7z0hja8m8mcahrmfy2piy81bq9nccsjplyfc9clai";
+    repo = "mg";
    rev = "mg-6.7";
    sha256 = "15adwibq6xrfxbrxzk765g9250iyfn4wbcxd7kcsabiwn6apm0ai";
  };
  enableParallelBuilding = true;
@ -17,14 +19,13 @@ stdenv.mkDerivation rec {
    install -m 555 -Dt $out/bin mg
    install -m 444 -Dt $out/share/man/man1 mg.1
  '';
  nativeBuildInputs = [ pkgconfig ];
-  buildInputs = [ libbsd ncurses ];
+  buildInputs = [ ncurses ];
  meta = with stdenv.lib; {
    description = "Micro GNU/emacs, a portable version of the mg maintained by the OpenBSD team";
-    homepage = "https://homepage.boetes.org/software/mg";
+    homepage = "https://man.openbsd.org/OpenBSD-current/man1/mg.1";
    license = licenses.publicDomain;
    platforms = platforms.all;
  };
--- a/pkgs/applications/graphics/yed/default.nix
+++ b/pkgs/applications/graphics/yed/default.nix
@ -2,11 +2,11 @@
 stdenv.mkDerivation rec {
  pname = "yEd";
-  version = "3.19.1.1";
+  version = "3.20";
  src = fetchzip {
    url = "https://www.yworks.com/resources/yed/demo/${pname}-${version}.zip";
-    sha256 = "0px88rc1slf7n1n8lpk56hf29ppbnnd4lrqfyggihcr0pxmw157c";
+    sha256 = "08j8lpn2nd41gavgrj03rlrxl04wcamq1y02f1x1569ykbhycb3m";
  };
  nativeBuildInputs = [ makeWrapper unzip ];
--- a/pkgs/applications/kde/kdegraphics-thumbnailers.nix
+++ b/pkgs/applications/kde/kdegraphics-thumbnailers.nix
@ -1,5 +1,5 @@
 {
-  mkDerivation, lib,
+  mkDerivation, lib, fetchpatch,
  extra-cmake-modules, karchive, kio, libkexiv2, libkdcraw
 }:
@ -9,6 +9,14 @@ mkDerivation {
    license = [ lib.licenses.lgpl21 ];
    maintainers = [ lib.maintainers.ttuegel ];
  };
  patches = [
    # Fix a bug with thumbnail.so processes hanging:
    # https://bugs.kde.org/show_bug.cgi?id=404652
    (fetchpatch {
      url = "https://phabricator.kde.org/file/data/tnk4b6roouixzifi6vre/PHID-FILE-qkkedevt7svx7lv56ea5/D26635.diff";
      sha256 = "0fq85zhymmrq8vl0y6vgh87qf4c6fhcq704p4kpkaq7y0isxj4h1";
    })
  ];
  nativeBuildInputs = [ extra-cmake-modules ];
  buildInputs = [ karchive kio libkexiv2 libkdcraw ];
 }
--- a/pkgs/applications/misc/bemenu/default.nix
+++ b/pkgs/applications/misc/bemenu/default.nix
@ -1,32 +1,33 @@
-{ stdenv, fetchFromGitHub, cairo, cmake, libxkbcommon
+{ stdenv, lib, fetchFromGitHub, cairo, libxkbcommon
 , pango, fribidi, harfbuzz, pcre, pkgconfig
 , ncursesSupport ? true, ncurses ? null
-, waylandSupport ? true, wayland ? null
+, waylandSupport ? true, wayland ? null, wayland-protocols ? null
 , x11Support ? true, xlibs ? null, xorg ? null
 }:
 assert ncursesSupport -> ncurses != null;
-assert waylandSupport -> wayland != null;
+assert waylandSupport -> ! lib.elem null [wayland wayland-protocols];
 assert x11Support -> xlibs != null && xorg != null;
 stdenv.mkDerivation rec {
  pname = "bemenu";
-  version = "0.3.0";
+  version = "0.4.1";
  src = fetchFromGitHub {
    owner = "Cloudef";
    repo = pname;
    rev = version;
-    sha256 = "03k8wijdgj5nwmvgjhsrlh918n719789fhs4dqm23pd00rapxipk";
+    sha256 = "1fjcs9d3533ay3nz79cx3c0lmy2chgragr2lhsy0xl2ckr0iins0";
  };
-  nativeBuildInputs = [ cmake pkgconfig pcre ];
+  nativeBuildInputs = [ pkgconfig pcre ];
-  cmakeFlags =  [
+  makeFlags = ["PREFIX=$(out)"];
-    "-DBEMENU_CURSES_RENDERER=${if ncursesSupport then "ON" else "OFF"}"
+
-    "-DBEMENU_WAYLAND_RENDERER=${if waylandSupport then "ON" else "OFF"}"
+  buildFlags = ["clients"]
-    "-DBEMENU_X11_RENDERER=${if x11Support then "ON" else "OFF"}"
+    ++ lib.optional ncursesSupport "curses"
-  ];
+    ++ lib.optional waylandSupport "wayland"
    ++ lib.optional x11Support "x11";
  buildInputs = with stdenv.lib; [
    cairo
@ -34,18 +35,18 @@ stdenv.mkDerivation rec {
    harfbuzz
    libxkbcommon
    pango
-  ] ++ optionals ncursesSupport [ ncurses ]
+  ] ++ optional ncursesSupport ncurses
-    ++ optionals waylandSupport [ wayland ]
+    ++ optionals waylandSupport [ wayland wayland-protocols ]
    ++ optionals x11Support [
      xlibs.libX11 xlibs.libXinerama xlibs.libXft
      xorg.libXdmcp xorg.libpthreadstubs xorg.libxcb
    ];
-  meta = with stdenv.lib; {
+  meta = with lib; {
    homepage = "https://github.com/Cloudef/bemenu";
    description = "Dynamic menu library and client program inspired by dmenu";
    license = licenses.gpl3Plus;
-    maintainers = with maintainers; [ thiagokokada ];
+    maintainers = with maintainers; [ lheckemann ];
    platforms = with platforms; linux;
  };
 }
--- a/pkgs/applications/misc/cura/default.nix
+++ b/pkgs/applications/misc/cura/default.nix
@ -2,25 +2,26 @@
 mkDerivation rec {
  pname = "cura";
-  version = "4.5.0";
+  version = "4.6.1";
  src = fetchFromGitHub {
    owner = "Ultimaker";
    repo = "Cura";
    rev = version;
-    sha256 = "0fm04s912sgmr66wyb55ly4jh39ijsj6lx4fx9wn7hchlqmw5jxi";
+    sha256 = "0h1r9caa579d3gfpcmch54rdbkg5df64ds2v84iqsbxwjp0rmn4n";
  };
  materials = fetchFromGitHub {
    owner = "Ultimaker";
    repo = "fdm_materials";
    rev = version;
-    sha256 = "0fgkwz1anw49macq1jxjhjr79slhmx7g3zwij7g9fqyzzhrrmwqn";
+    sha256 = "1k5c3qmixhpz3z2yi0fysxcyyf1yhcwmdlrcypkw827lhsialqp4";
  };
  buildInputs = [ qtbase qtquickcontrols2 qtgraphicaleffects ];
  propagatedBuildInputs = with python3.pkgs; [
    libsavitar numpy-stl pyserial requests uranium zeroconf
    sentry-sdk trimesh
  ] ++ plugins;
  nativeBuildInputs = [ cmake python3.pkgs.wrapPython ];
--- a/pkgs/applications/misc/cura/plugins.nix
+++ b/pkgs/applications/misc/cura/plugins.nix
@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, fetchpatch, cmake, python3Packages }:
+{ stdenv, fetchFromGitHub, fetchpatch, python3Packages }:
 let
@ -6,21 +6,24 @@ let
    octoprint = stdenv.mkDerivation rec {
      pname = "Cura-OctoPrintPlugin";
-      version = "3.5.11";
+      version = "3.5.12";
      src = fetchFromGitHub {
        owner = "fieldOfView";
        repo = pname;
-        rev = "3cef0a955ae7ccfa5c07d20d9d147c530cc9d6ec";
+        rev = "ad522c0b7ead5fbe28da686a3cc75e351274c2bc";
-        sha256 = "0q9bkwgpsbfwkp1bfaxq3wm9pbwx5d7ji0jr7cwc4y5nizji81is";
+        sha256 = "0ln11ng32bh0smfsk54mv2j3sadh0gwf031nmm95zrvbj9cr6yc0";
      };
      nativeBuildInputs = [ cmake ];
      propagatedBuildInputs = with python3Packages; [
        netifaces
      ];
      installPhase = ''
        mkdir -p $out/lib/cura/plugins/OctoPrintPlugin
        cp -rv . $out/lib/cura/plugins/OctoPrintPlugin/
      '';
      meta = with stdenv.lib; {
        description = "Enables printing directly to OctoPrint and monitoring the process";
        homepage = "https://github.com/fieldOfView/Cura-OctoPrintPlugin";
--- a/pkgs/applications/misc/genxword/default.nix
+++ b/pkgs/applications/misc/genxword/default.nix
@ -0,0 +1,54 @@
 { lib
 , python3
 , fetchFromGitHub
 , gettext
 , gobject-introspection
 , wrapGAppsHook
 , pango
 , gtksourceview3
 }:
 python3.pkgs.buildPythonApplication rec {
  pname = "genxword";
  version = "2.0.1";
  src = fetchFromGitHub {
    owner = "riverrun";
    repo = pname;
    rev = "v${version}";
    sha256 = "00czdvyb5wnrk3x0g529afisl8v4frfys9ih0nzf1fs4jkzjcijg";
  };
  nativeBuildInputs = [
    gettext
    gobject-introspection
    wrapGAppsHook
  ];
  buildInputs = [
    gobject-introspection
    pango
    gtksourceview3
  ];
  propagatedBuildInputs = with python3.pkgs; [
    pycairo
    pygobject3
  ];
  # to prevent double wrapping
  dontWrapGApps = true;
  preFixup = ''
    makeWrapperArgs+=("''${gappsWrapperArgs[@]}")
  '';
  # there are no tests
  doCheck = false;
  meta = with lib; {
    inherit (src.meta) homepage;
    description = "Crossword generator";
    license = licenses.gpl3Plus;
    maintainers = with maintainers; [ dotlambda ];
  };
 }
--- a/pkgs/applications/misc/yubioath-desktop/default.nix
+++ b/pkgs/applications/misc/yubioath-desktop/default.nix
@ -6,11 +6,11 @@
 mkDerivation rec {
  pname = "yubioath-desktop";
-  version = "5.0.2";
+  version = "5.0.3";
  src = fetchurl {
    url = "https://developers.yubico.com/yubioath-desktop/Releases/yubioath-desktop-${version}.tar.gz";
-    sha256 = "19ingk0ab88a22s04apcw8kx9xygxlbk8kp4xnb8pmf8z3k6l2gf";
+    sha256 = "1g0jd7mmch6a6n8k5pp3w27qd5cijnvzk05lwraf0i96m68h7x1k";
  };
  doCheck = false;
@ -38,13 +38,13 @@ mkDerivation rec {
      --prefix LD_LIBRARY_PATH : "${stdenv.lib.getLib pcsclite}/lib:${yubikey-personalization}/lib"
      mkdir -p $out/share/applications
-      cp resources/yubioath-desktop.desktop \
+      cp resources/com.yubico.yubioath.desktop \
-        $out/share/applications/yubioath-desktop.desktop
+        $out/share/applications/com.yubico.yubioath.desktop
      mkdir -p $out/share/yubioath/icons
-      cp resources/icons/*.{icns,ico,png,xpm} $out/share/yubioath/icons
+      cp resources/icons/*.{icns,ico,png,svg} $out/share/yubioath/icons
-      substituteInPlace $out/share/applications/yubioath-desktop.desktop \
+      substituteInPlace $out/share/applications/com.yubico.yubioath.desktop \
        --replace 'Exec=yubioath-desktop' "Exec=$out/bin/yubioath-desktop" \
-        --replace 'Icon=yubioath' "Icon=$out/share/yubioath/icons/yubioath.png"
+        --replace 'Icon=yubioath' "Icon=$out/share/yubioath/icons/com.yubico.yubioath.png"
  '';
  meta = with stdenv.lib; {
--- a/pkgs/applications/radio/xlog/default.nix
+++ b/pkgs/applications/radio/xlog/default.nix
@ -1,11 +1,11 @@
 { stdenv, fetchurl, glib, gtk2, pkgconfig, hamlib }:
 stdenv.mkDerivation rec {
  pname = "xlog";
-  version = "2.0.17";
+  version = "2.0.19";
  src = fetchurl {
    url = "https://download.savannah.gnu.org/releases/xlog/${pname}-${version}.tar.gz";
-    sha256 = "0vmn8518zk7qk1mbp1h8dm0f8fx0z0jvmy42c1n15il714lj7vsl";
+    sha256 = "0y38gkcm4mgv6wn31pjq6d5bm22m63rpwa55qjmrlywrmw76rppy";
  };
  # glib-2.62 deprecations
--- a/pkgs/applications/science/electronics/kicad/base.nix
+++ b/pkgs/applications/science/electronics/kicad/base.nix
@ -2,7 +2,6 @@
 , libX11, gettext, glew, glm, cairo, curl, openssl, boost, pkgconfig
 , doxygen, pcre, libpthreadstubs, libXdmcp, fetchpatch, lndir, callPackages
 , pname ? "kicad"
 , stable ? true
 , baseName ? "kicad"
 , versions ? { }
@ -20,26 +19,26 @@ with lib;
 let
  versionConfig = versions.${baseName};
  baseVersion = "${versions.${baseName}.kicadVersion.version}";
  # oce on aarch64 fails a test
  withOCE = oceSupport && !stdenv.isAarch64;
  withOCC = (withOCCT && !withOCE) || (oceSupport && stdenv.isAarch64);
-  kicad-libraries = callPackages ./libraries.nix versionConfig.libVersion;
+  libraries = callPackages ./libraries.nix versionConfig.libVersion;
 in
 stdenv.mkDerivation rec {
-  inherit pname;
+  i18n = libraries.i18n;
-  version = "base-${baseVersion}";
+
  pname = "kicad-base";
  version = "${versions.${baseName}.kicadVersion.version}";
  src = fetchFromGitLab (
    {
      group = "kicad";
      owner = "code";
      repo = "kicad";
      rev = baseVersion;
    } // versionConfig.kicadVersion.src
  );
@ -57,9 +56,11 @@ stdenv.mkDerivation rec {
  # tagged releases don't have "unknown"
  # kicad nightlies use git describe --dirty
  # nix removes .git, so its approximated here
  # "-1" appended to indicate we're adding a patch
  postPatch = ''
    substituteInPlace CMakeModules/KiCadVersion.cmake \
-      --replace "unknown" ${builtins.substring 0 10 src.rev}
+      --replace "unknown" "${builtins.substring 0 10 src.rev}-1" \
      --replace "${version}" "${version}-1"
  '';
  makeFlags = optional (debug) [ "CFLAGS+=-Og" "CFLAGS+=-ggdb" ];
@ -113,7 +114,7 @@ stdenv.mkDerivation rec {
  postInstall = optional (withI18n) ''
    mkdir -p $out/share
-    lndir ${kicad-libraries.i18n}/share $out/share
+    lndir ${i18n}/share $out/share
  '';
  meta = {
@ -124,7 +125,6 @@ stdenv.mkDerivation rec {
    '';
    homepage = "https://www.kicad-pcb.org/";
    license = licenses.agpl3;
-    maintainers = with maintainers; [ evils kiwi berce ];
+    platforms = platforms.all;
    platforms = with platforms; linux;
  };
 }
--- a/pkgs/applications/science/electronics/kicad/default.nix
+++ b/pkgs/applications/science/electronics/kicad/default.nix
@ -4,6 +4,7 @@
 , librsvg, cups
 , pname ? "kicad"
 , stable ? true
 , oceSupport ? false, opencascade
 , withOCCT ? true, opencascade-occt
 , ngspiceSupport ? true, libngspice
@ -18,7 +19,6 @@ assert ngspiceSupport -> libngspice != null;
 with lib;
 let
  stable = pname != "kicad-unstable";
  baseName = if (stable) then "kicad" else "kicad-unstable";
  versions =  import ./versions.nix;
@ -35,17 +35,16 @@ let
  python = python3;
  wxPython = python3Packages.wxPython_4_0;
-  libraries = callPackages ./libraries.nix versionConfig.libVersion;
+in
 stdenv.mkDerivation rec {
  passthru.libraries = callPackages ./libraries.nix versionConfig.libVersion;
  base = callPackage ./base.nix {
    pname = baseName;
    inherit versions stable baseName;
    inherit wxGTK python wxPython;
    inherit debug withI18n withOCCT oceSupport ngspiceSupport scriptingSupport;
  };
 in
 stdenv.mkDerivation rec {
  inherit pname;
  version = versions.${baseName}.kicadVersion.version;
@ -63,7 +62,7 @@ stdenv.mkDerivation rec {
  # wrapGAppsHook added the equivalent to ${base}/share
  # though i noticed no difference without it
-  makeWrapperArgs = [
+  makeWrapperArgs = with passthru.libraries; [
    "--prefix XDG_DATA_DIRS : ${base}/share"
    "--prefix XDG_DATA_DIRS : ${hicolor-icon-theme}/share"
    "--prefix XDG_DATA_DIRS : ${gnome3.defaultIconTheme}/share"
@ -73,47 +72,40 @@ stdenv.mkDerivation rec {
    "--prefix XDG_DATA_DIRS : ${cups}/share"
    "--prefix GIO_EXTRA_MODULES : ${gnome3.dconf}/lib/gio/modules"
-    "--set KISYSMOD ${libraries.footprints}/share/kicad/modules"
+    "--set KISYSMOD ${footprints}/share/kicad/modules"
-    "--set KICAD_SYMBOL_DIR ${libraries.symbols}/share/kicad/library"
+    "--set KICAD_SYMBOL_DIR ${symbols}/share/kicad/library"
-    "--set KICAD_TEMPLATE_DIR ${libraries.templates}/share/kicad/template"
+    "--set KICAD_TEMPLATE_DIR ${templates}/share/kicad/template"
-    "--prefix KICAD_TEMPLATE_DIR : ${libraries.symbols}/share/kicad/template"
+    "--prefix KICAD_TEMPLATE_DIR : ${symbols}/share/kicad/template"
-    "--prefix KICAD_TEMPLATE_DIR : ${libraries.footprints}/share/kicad/template"
+    "--prefix KICAD_TEMPLATE_DIR : ${footprints}/share/kicad/template"
  ]
-  ++ optionals (with3d) [ "--set KISYS3DMOD ${libraries.packages3d}/share/kicad/modules/packages3d" ]
+  ++ optionals (with3d) [ "--set KISYS3DMOD ${packages3d}/share/kicad/modules/packages3d" ]
  ++ optionals (ngspiceSupport) [ "--prefix LD_LIBRARY_PATH : ${libngspice}/lib" ]
  # infinisil's workaround for #39493
  ++ [ "--set GDK_PIXBUF_MODULE_FILE ${librsvg}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache" ]
  ;
-  # dunno why i have to add $makeWrapperArgs manually...
+  # why does $makeWrapperArgs have to be added explicitly?
  # $out and $program_PYTHONPATH don't exist when makeWrapperArgs gets set?
-  # not sure if anything has to be done with the other stuff in base/bin
+  # kicad-ogltest's source seems to indicate that crashing is expected behaviour...
-  # dxf2idf, idf2vrml, idfcyl, idfrect, kicad2step, kicad-ogltest
+  installPhase = with lib;
-  installPhase =
+    let
-    optionalString (scriptingSupport) '' buildPythonPath "${base} $pythonPath"
+      tools = [ "kicad" "pcbnew" "eeschema" "gerbview" "pcb_calculator" "pl_editor" "bitmap2component" ];
-    '' +
+      utils = [ "dxf2idf" "idf2vrml" "idfcyl" "idfrect" "kicad2step" "kicad-ogltest" ];
-    '' makeWrapper ${base}/bin/kicad $out/bin/kicad $makeWrapperArgs ''
+    in
-    + optionalString (scriptingSupport) '' --set PYTHONPATH "$program_PYTHONPATH"
+    ( concatStringsSep "\n"
-    '' +
+      ( flatten [
-    '' makeWrapper ${base}/bin/pcbnew $out/bin/pcbnew $makeWrapperArgs ''
+        ( optionalString (scriptingSupport) "buildPythonPath \"${base} $pythonPath\" \n" )
-    + optionalString (scriptingSupport) '' --set PYTHONPATH "$program_PYTHONPATH"
+
-    '' +
+        # wrap each of the directly usable tools
-    '' makeWrapper ${base}/bin/eeschema $out/bin/eeschema $makeWrapperArgs ''
+        ( map ( tool: "makeWrapper ${base}/bin/${tool} $out/bin/${tool} $makeWrapperArgs"
-    + optionalString (scriptingSupport) '' --set PYTHONPATH "$program_PYTHONPATH"
+          + optionalString (scriptingSupport) " --set PYTHONPATH \"$program_PYTHONPATH\""
-    '' +
+            ) tools )
-    '' makeWrapper ${base}/bin/gerbview $out/bin/gerbview $makeWrapperArgs ''
+
-    + optionalString (scriptingSupport) '' --set PYTHONPATH "$program_PYTHONPATH"
+        # link in the CLI utils
-    '' +
+        ( map ( util: "ln -s ${base}/bin/${util} $out/bin/${util}" ) utils )
-    '' makeWrapper ${base}/bin/pcb_calculator $out/bin/pcb_calculator $makeWrapperArgs ''
+      ])
-    + optionalString (scriptingSupport) '' --set PYTHONPATH "$program_PYTHONPATH"
+    )
    '' +
    '' makeWrapper ${base}/bin/pl_editor $out/bin/pl_editor $makeWrapperArgs ''
    + optionalString (scriptingSupport) '' --set PYTHONPATH "$program_PYTHONPATH"
    '' +
    '' makeWrapper ${base}/bin/bitmap2component $out/bin/bitmap2component $makeWrapperArgs ''
    + optionalString (scriptingSupport) '' --set PYTHONPATH "$program_PYTHONPATH"
    ''
  ;
  # can't run this for each pname
@ -123,10 +115,11 @@ stdenv.mkDerivation rec {
  # and can't git commit if this could be running in parallel with other scripts
  passthru.updateScript = [ ./update.sh "all" ];
-  meta = {
+  meta = rec {
-    description = if (stable)
+    description = (if (stable)
-      then "Open Source Electronics Design Automation Suite"
+      then "Open Source Electronics Design Automation suite"
-      else "Open Source EDA Suite, Development Build";
+      else "Open Source EDA suite, development build")
      + (if (!with3d) then ", without 3D models" else "");
    homepage = "https://www.kicad-pcb.org/";
    longDescription = ''
      KiCad is an open source software suite for Electronic Design Automation.
@ -134,12 +127,20 @@ stdenv.mkDerivation rec {
    '';
    license = licenses.agpl3;
    # berce seems inactive...
-    maintainers = with maintainers; [ evils kiwi berce ];
+    maintainers = with stdenv.lib.maintainers; [ evils kiwi berce ];
-    # kicad's cross-platform, not sure what to fill in here
+    # kicad is cross platform
-    platforms = with platforms; linux;
+    platforms = stdenv.lib.platforms.all;
-  } // optionalAttrs with3d {
+    # despite that, nipkgs' wxGTK for darwin is "wxmac"
-    # We can't download the 3d models on Hydra - they are a ~1 GiB download and
+    # and wxPython_4_0 does not account for this
-    # they occupy ~5 GiB in store.
+    # adjusting this package to downgrade to python2Packages.wxPython (wxPython 3),
-    hydraPlatforms = [];
+    # seems like more trouble than fixing wxPython_4_0 would be
    # additionally, libngspice is marked as linux only, though it should support darwin
    hydraPlatforms = if (with3d) then [ ] else platforms;
    # We can't download the 3d models on Hydra,
    # they are a ~1 GiB download and they occupy ~5 GiB in store.
    # as long as the base and libraries (minus 3d) are build,
    # this wrapper does not need to get built
    # the kicad-*small "packages" cause this to happen
  };
 }
--- a/pkgs/applications/science/electronics/kicad/libraries.nix
+++ b/pkgs/applications/science/electronics/kicad/libraries.nix
@ -13,21 +13,27 @@
 with lib;
 let
  mkLib = name:
-    stdenv.mkDerivation
+    stdenv.mkDerivation {
-      {
+      pname = "kicad-${name}";
-        pname = "kicad-${name}";
+      version = "${version}";
-        version = "${version}";
+      src = fetchFromGitHub (
-        src = fetchFromGitHub (
+        {
-          {
+          owner = "KiCad";
-            owner = "KiCad";
+          repo = "kicad-${name}";
-            repo = "kicad-${name}";
+          rev = version;
-            rev = version;
+          inherit name;
-            inherit name;
+        } // (libSources.${name} or { })
-          } // (libSources.${name} or { })
+      );
-        );
+      nativeBuildInputs = [ cmake ];
-        nativeBuildInputs = [ cmake ];
+
-        meta.license = licenses.cc-by-sa-40;
+      meta = rec {
        license = licenses.cc-by-sa-40;
        platforms = stdenv.lib.platforms.all;
        # the 3d models are a ~1 GiB download and occupy ~5 GiB in store.
        # this would exceed the hydra output limit
        hydraPlatforms = if (name == "packages3d" ) then [ ] else platforms;
      };
    };
 in
 {
  symbols = mkLib "symbols";
@ -56,6 +62,9 @@ in
      );
      buildInputs = [ gettext ];
      nativeBuildInputs = [ cmake ];
-      meta.license = licenses.gpl2; # https://github.com/KiCad/kicad-i18n/issues/3
+      meta = {
        license = licenses.gpl2; # https://github.com/KiCad/kicad-i18n/issues/3
        platforms = stdenv.lib.platforms.all;
      };
    };
 }
--- a/pkgs/applications/science/electronics/kicad/versions.nix
+++ b/pkgs/applications/science/electronics/kicad/versions.nix
@ -27,25 +27,25 @@
  };
  "kicad-unstable" = {
    kicadVersion = {
-      version =			"2020-04-25";
+      version =			"2020-05-06";
      src = {
-        rev =			"3759799d1e03b2da6a0dcd72273e4978880fc8f1";
+        rev =			"c92181621e2e51dc8aae1bd9f4483bb3301ffaa5";
-        sha256 =		"0ba14fla8m5zli68wfjkfc4ymvj4j8z92y3jigxs8hys0450bybi";
+        sha256 =		"0s50xn5gbjy7yxnp9yiynxvxi2mkcrp6yghgdzclpm40rnfyi0v5";
      };
    };
    libVersion = {
-      version =			"2020-04-25";
+      version =			"2020-05-06";
      libSources = {
-        i18n.rev =		"fc14baa52ca56a58b0048ab860bf31887d3cf8eb";
+        i18n.rev =		"f29cab831eb823165fa2c5efab5d9c9b443e62e2";
-        i18n.sha256 =		"05nayab7dkjyq7g3i9q7k55hcckpc0cmq4bbklmxx16rx4rbhzc6";
+        i18n.sha256 =		"0cc0zvpml75yxphay3281f762ls08fzvv538cd5hmkr8xqlj3vbi";
-        symbols.rev =		"0f9ff2d17237f90bb649bf0a52b6d454f68197e8";
+        symbols.rev =		"d4245ae8cf633095a0994ab01492bd56cd124112";
-        symbols.sha256 =	"1a54428syn2xksc00n2bvh1alrx2vrqmp7cg7d2rn8nlq8yk4qd5";
+        symbols.sha256 =	"11pynjgji3skw42q5mryz98f8z418k43jy6s2k90w6jv638z3cb0";
        templates.rev =		"7db8d4d0ea0711f1961d117853547fb3edbc3857";
        templates.sha256 =	"1hppcsrkn4dk6ggby6ckh0q65qxkywrbyxa4lwpaf7pxjyv498xg";
-        footprints.rev =	"61df6d8853b4c68cca0ac87784c0a33cff9394d3";
+        footprints.rev =	"3bff23ee339bc48490bb39deba5d8b2f1f42733e";
-        footprints.sha256 =	"0blmhk8pwd4mi6rlsr4lf4lq7j01h6xbpbvr3pm8pmw8zylhi54v";
+        footprints.sha256 =	"0430r8k49ib6w1sjr8fx42szbz960yhlzg4w80jl5bwasq67nqwd";
-        packages3d.rev =	"88bcf2e817fe000bb2c05e14489afc3b1a4e10ed";
+        packages3d.rev =	"889a3dd550233ec51baed4a04a01d4cc64a8d747";
-        packages3d.sha256 =	"0z9p1fn5xbz940kr5jz2ibzf09hpdi1c9izmabkffvrnfy6408x6";
+        packages3d.sha256 =	"152zv4j51v8skqlvrabblpcqpbn5yf3grisjj8vnwf7kdd41chb2";
      };
    };
  };
--- a/pkgs/desktops/plasma-5/kwin/default.nix
+++ b/pkgs/desktops/plasma-5/kwin/default.nix
@ -11,11 +11,10 @@
  kcoreaddons, kcrash, kdeclarative, kdecoration, kglobalaccel, ki18n,
  kiconthemes, kidletime, kinit, kio, knewstuff, knotifications, kpackage,
  kscreenlocker, kservice, kwayland, kwidgetsaddons, kwindowsystem, kxmlgui,
-  plasma-framework, qtsensors, libcap, libdrm
+  plasma-framework, qtsensors, libcap, libdrm, mesa
 }:
 # TODO (ttuegel): investigate qmlplugindump failure
 # TODO (ttuegel): investigate gbm dependency
 mkDerivation {
  name = "kwin";
@ -30,7 +29,7 @@ mkDerivation {
    kcoreaddons kcrash kdeclarative kdecoration kglobalaccel ki18n kiconthemes
    kidletime kinit kio knewstuff knotifications kpackage kscreenlocker kservice
    kwayland kwidgetsaddons kwindowsystem kxmlgui plasma-framework
-    libcap libdrm
+    libcap libdrm mesa
  ];
  outputs = [ "bin" "dev" "out" ];
  patches = [
--- a/pkgs/development/compilers/llvm/10/compiler-rt-armv7l.patch
+++ b/pkgs/development/compilers/llvm/10/compiler-rt-armv7l.patch
@ -0,0 +1,32 @@
 diff -ur compiler-rt-10.0.0.src/cmake/builtin-config-ix.cmake compiler-rt-10.0.0.src-patched/cmake/builtin-config-ix.cmake
 --- compiler-rt-10.0.0.src/cmake/builtin-config-ix.cmake	2020-03-24 00:01:02.000000000 +0900
 +++ compiler-rt-10.0.0.src-patched/cmake/builtin-config-ix.cmake	2020-05-10 03:42:00.883450706 +0900
@@ -24,7 +24,7 @@
 set(ARM64 aarch64)
 -set(ARM32 arm armhf armv6m armv7m armv7em armv7 armv7s armv7k)
 +set(ARM32 arm armhf armv6m armv7m armv7em armv7 armv7s armv7k armv7l)
 set(HEXAGON hexagon)
 set(X86 i386)
 set(X86_64 x86_64)
 diff -ur compiler-rt-10.0.0.src/lib/builtins/CMakeLists.txt compiler-rt-10.0.0.src-patched/lib/builtins/CMakeLists.txt
 --- compiler-rt-10.0.0.src/lib/builtins/CMakeLists.txt	2020-03-24 00:01:02.000000000 +0900
 +++ compiler-rt-10.0.0.src-patched/lib/builtins/CMakeLists.txt	2020-05-10 03:44:49.468579650 +0900
@@ -474,6 +474,7 @@
 set(armv7_SOURCES ${arm_SOURCES})
 set(armv7s_SOURCES ${arm_SOURCES})
 set(armv7k_SOURCES ${arm_SOURCES})
 +set(armv7l_SOURCES ${arm_SOURCES})
 set(arm64_SOURCES ${aarch64_SOURCES})
 # macho_embedded archs
@@ -595,7 +596,7 @@
   foreach (arch ${BUILTIN_SUPPORTED_ARCH})
     if (CAN_TARGET_${arch})
       # For ARM archs, exclude any VFP builtins if VFP is not supported
 -      if (${arch} MATCHES "^(arm|armhf|armv7|armv7s|armv7k|armv7m|armv7em)$")
 +      if (${arch} MATCHES "^(arm|armhf|armv7|armv7s|armv7k|armv7l|armv7m|armv7em)$")
         string(REPLACE ";" " " _TARGET_${arch}_CFLAGS "${TARGET_${arch}_CFLAGS}")
         check_compile_definition(__VFP_FP__ "${CMAKE_C_FLAGS} ${_TARGET_${arch}_CFLAGS}" COMPILER_RT_HAS_${arch}_VFP)
         if(NOT COMPILER_RT_HAS_${arch}_VFP)
--- a/pkgs/development/compilers/llvm/10/compiler-rt.nix
+++ b/pkgs/development/compilers/llvm/10/compiler-rt.nix
@ -48,7 +48,9 @@ stdenv.mkDerivation rec {
  patches = [
    ./compiler-rt-codesign.patch # Revert compiler-rt commit that makes codesign mandatory
    ./find-darwin-sdk-version.patch # don't test for macOS being >= 10.15
-  ];# ++ stdenv.lib.optional stdenv.hostPlatform.isMusl ./sanitizers-nongnu.patch
+  ]# ++ stdenv.lib.optional stdenv.hostPlatform.isMusl ./sanitizers-nongnu.patch
    ++ stdenv.lib.optional stdenv.hostPlatform.isAarch32 ./compiler-rt-armv7l.patch;
  # TSAN requires XPC on Darwin, which we have no public/free source files for. We can depend on the Apple frameworks
  # to get it, but they're unfree. Since LLVM is rather central to the stdenv, we patch out TSAN support so that Hydra
--- a/pkgs/development/compilers/llvm/5/compiler-rt-armv7l.patch
+++ b/pkgs/development/compilers/llvm/5/compiler-rt-armv7l.patch
@ -0,0 +1,23 @@
 diff -ur compiler-rt-5.0.2.src/cmake/builtin-config-ix.cmake compiler-rt-5.0.2.src-patched/cmake/builtin-config-ix.cmake
 --- compiler-rt-5.0.2.src/cmake/builtin-config-ix.cmake	2017-05-25 00:53:24.000000000 +0900
 +++ compiler-rt-5.0.2.src-patched/cmake/builtin-config-ix.cmake	2020-05-10 03:24:24.937433155 +0900
@@ -24,7 +24,7 @@
 set(ARM64 aarch64)
 -set(ARM32 arm armhf armv6m armv7m armv7em armv7 armv7s armv7k)
 +set(ARM32 arm armhf armv6m armv7m armv7em armv7 armv7s armv7k armv7l)
 set(X86 i386 i686)
 set(X86_64 x86_64)
 set(MIPS32 mips mipsel)
 diff -ur compiler-rt-5.0.2.src/lib/builtins/CMakeLists.txt compiler-rt-5.0.2.src-patched/lib/builtins/CMakeLists.txt
 --- compiler-rt-5.0.2.src/lib/builtins/CMakeLists.txt	2017-07-13 04:33:30.000000000 +0900
 +++ compiler-rt-5.0.2.src-patched/lib/builtins/CMakeLists.txt	2020-05-10 03:24:45.945075423 +0900
@@ -444,6 +444,7 @@
 set(armv7_SOURCES ${arm_SOURCES})
 set(armv7s_SOURCES ${arm_SOURCES})
 set(armv7k_SOURCES ${arm_SOURCES})
 +set(armv7l_SOURCES ${arm_SOURCES})
 set(arm64_SOURCES ${aarch64_SOURCES})
 # macho_embedded archs
--- a/pkgs/development/compilers/llvm/5/compiler-rt.nix
+++ b/pkgs/development/compilers/llvm/5/compiler-rt.nix
@ -48,7 +48,8 @@ stdenv.mkDerivation {
  patches = [
    ./compiler-rt-codesign.patch # Revert compiler-rt commit that makes codesign mandatory
  ] ++ stdenv.lib.optional stdenv.hostPlatform.isMusl ./sanitizers-nongnu.patch
-    ++ stdenv.lib.optional (stdenv.hostPlatform.libc == "glibc") ./compiler-rt-sys-ustat.patch;
+    ++ stdenv.lib.optional (stdenv.hostPlatform.libc == "glibc") ./compiler-rt-sys-ustat.patch
    ++ stdenv.lib.optional stdenv.hostPlatform.isAarch32 ./compiler-rt-armv7l.patch;
  # TSAN requires XPC on Darwin, which we have no public/free source files for. We can depend on the Apple frameworks
  # to get it, but they're unfree. Since LLVM is rather central to the stdenv, we patch out TSAN support so that Hydra
--- a/pkgs/development/compilers/llvm/6/compiler-rt-armv7l.patch
+++ b/pkgs/development/compilers/llvm/6/compiler-rt-armv7l.patch
@ -0,0 +1,32 @@
 diff -ur compiler-rt-6.0.1.src/cmake/builtin-config-ix.cmake compiler-rt-6.0.1.src-patched/cmake/builtin-config-ix.cmake
 --- compiler-rt-6.0.1.src/cmake/builtin-config-ix.cmake	2017-12-01 06:04:11.000000000 +0900
 +++ compiler-rt-6.0.1.src-patched/cmake/builtin-config-ix.cmake	2020-05-10 03:30:01.939694303 +0900
@@ -24,7 +24,7 @@
 set(ARM64 aarch64)
 -set(ARM32 arm armhf armv6m armv7m armv7em armv7 armv7s armv7k)
 +set(ARM32 arm armhf armv6m armv7m armv7em armv7 armv7s armv7k armv7l)
 set(X86 i386)
 set(X86_64 x86_64)
 set(MIPS32 mips mipsel)
 diff -ur compiler-rt-6.0.1.src/lib/builtins/CMakeLists.txt compiler-rt-6.0.1.src-patched/lib/builtins/CMakeLists.txt
 --- compiler-rt-6.0.1.src/lib/builtins/CMakeLists.txt	2017-12-25 06:11:32.000000000 +0900
 +++ compiler-rt-6.0.1.src-patched/lib/builtins/CMakeLists.txt	2020-05-10 03:30:44.814964156 +0900
@@ -452,6 +452,7 @@
 set(armv7_SOURCES ${arm_SOURCES})
 set(armv7s_SOURCES ${arm_SOURCES})
 set(armv7k_SOURCES ${arm_SOURCES})
 +set(armv7l_SOURCES ${arm_SOURCES})
 set(arm64_SOURCES ${aarch64_SOURCES})
 # macho_embedded archs
@@ -521,7 +522,7 @@
       set(_arch ${arch})
       if("${arch}" STREQUAL "armv6m")
         set(_arch "arm|armv6m")
 -      elseif("${arch}" MATCHES "^(armhf|armv7|armv7s|armv7k|armv7m|armv7em)$")
 +      elseif("${arch}" MATCHES "^(armhf|armv7|armv7s|armv7k|armv7l|armv7m|armv7em)$")
         set(_arch "arm")
       endif()
--- a/pkgs/development/compilers/llvm/6/compiler-rt.nix
+++ b/pkgs/development/compilers/llvm/6/compiler-rt.nix
@ -47,7 +47,8 @@ stdenv.mkDerivation {
  patches = [
    ./compiler-rt-codesign.patch # Revert compiler-rt commit that makes codesign mandatory
-  ] ++ stdenv.lib.optional stdenv.hostPlatform.isMusl ./sanitizers-nongnu.patch;
+  ] ++ stdenv.lib.optional stdenv.hostPlatform.isMusl ./sanitizers-nongnu.patch
    ++ stdenv.lib.optional stdenv.hostPlatform.isAarch32 ./compiler-rt-armv7l.patch;
  # TSAN requires XPC on Darwin, which we have no public/free source files for. We can depend on the Apple frameworks
  # to get it, but they're unfree. Since LLVM is rather central to the stdenv, we patch out TSAN support so that Hydra
--- a/pkgs/development/compilers/llvm/7/compiler-rt-armv7l.patch
+++ b/pkgs/development/compilers/llvm/7/compiler-rt-armv7l.patch
@ -0,0 +1,38 @@
 diff -ur compiler-rt-7.1.0.src/cmake/builtin-config-ix.cmake compiler-rt-7.1.0.src-patched/cmake/builtin-config-ix.cmake
 --- compiler-rt-7.1.0.src/cmake/builtin-config-ix.cmake	2018-05-25 06:36:27.000000000 +0900
 +++ compiler-rt-7.1.0.src-patched/cmake/builtin-config-ix.cmake	2020-05-09 20:26:33.030608692 +0900
@@ -24,7 +24,7 @@
 set(ARM64 aarch64)
 -set(ARM32 arm armhf armv6m armv7m armv7em armv7 armv7s armv7k)
 +set(ARM32 arm armhf armv6m armv7m armv7em armv7 armv7s armv7k armv7l)
 set(HEXAGON hexagon)
 set(X86 i386)
 set(X86_64 x86_64)
 diff -ur compiler-rt-7.1.0.src/lib/builtins/CMakeLists.txt compiler-rt-7.1.0.src-patched/lib/builtins/CMakeLists.txt
 --- compiler-rt-7.1.0.src/lib/builtins/CMakeLists.txt	2018-07-31 03:18:59.000000000 +0900
 +++ compiler-rt-7.1.0.src-patched/lib/builtins/CMakeLists.txt	2020-05-09 20:27:38.893409318 +0900
@@ -453,6 +453,7 @@
 set(armv7_SOURCES ${arm_SOURCES})
 set(armv7s_SOURCES ${arm_SOURCES})
 set(armv7k_SOURCES ${arm_SOURCES})
 +set(armv7l_SOURCES ${arm_SOURCES})
 set(arm64_SOURCES ${aarch64_SOURCES})
 # macho_embedded archs
@@ -563,12 +564,12 @@
       set(_arch ${arch})
       if("${arch}" STREQUAL "armv6m")
         set(_arch "arm|armv6m")
 -      elseif("${arch}" MATCHES "^(armhf|armv7|armv7s|armv7k|armv7m|armv7em)$")
 +      elseif("${arch}" MATCHES "^(armhf|armv7|armv7s|armv7k|armv7l|armv7m|armv7em)$")
         set(_arch "arm")
       endif()
       # For ARM archs, exclude any VFP builtins if VFP is not supported
 -      if (${arch} MATCHES "^(arm|armhf|armv7|armv7s|armv7k|armv7m|armv7em)$")
 +      if (${arch} MATCHES "^(arm|armhf|armv7|armv7s|armv7k|armv7l|armv7m|armv7em)$")
         string(REPLACE ";" " " _TARGET_${arch}_CFLAGS "${TARGET_${arch}_CFLAGS}")
         check_compile_definition(__VFP_FP__ "${CMAKE_C_FLAGS} ${_TARGET_${arch}_CFLAGS}" COMPILER_RT_HAS_${arch}_VFP)
         if(NOT COMPILER_RT_HAS_${arch}_VFP)
--- a/pkgs/development/compilers/llvm/7/compiler-rt.nix
+++ b/pkgs/development/compilers/llvm/7/compiler-rt.nix
@ -48,7 +48,8 @@ stdenv.mkDerivation {
  patches = [
    ./compiler-rt-codesign.patch # Revert compiler-rt commit that makes codesign mandatory
  ] ++ stdenv.lib.optional (useLLVM) ./crtbegin-and-end.patch
-    ++ stdenv.lib.optional stdenv.hostPlatform.isMusl ./sanitizers-nongnu.patch;
+    ++ stdenv.lib.optional stdenv.hostPlatform.isMusl ./sanitizers-nongnu.patch
    ++ stdenv.lib.optional stdenv.hostPlatform.isAarch32 ./compiler-rt-armv7l.patch;
  # TSAN requires XPC on Darwin, which we have no public/free source files for. We can depend on the Apple frameworks
  # to get it, but they're unfree. Since LLVM is rather central to the stdenv, we patch out TSAN support so that Hydra
--- a/pkgs/development/compilers/llvm/8/compiler-rt-armv7l.patch
+++ b/pkgs/development/compilers/llvm/8/compiler-rt-armv7l.patch
@ -0,0 +1,38 @@
 diff -ur compiler-rt-7.1.0.src/cmake/builtin-config-ix.cmake compiler-rt-7.1.0.src-patched/cmake/builtin-config-ix.cmake
 --- compiler-rt-7.1.0.src/cmake/builtin-config-ix.cmake	2018-05-25 06:36:27.000000000 +0900
 +++ compiler-rt-7.1.0.src-patched/cmake/builtin-config-ix.cmake	2020-05-09 20:26:33.030608692 +0900
@@ -24,7 +24,7 @@
 set(ARM64 aarch64)
 -set(ARM32 arm armhf armv6m armv7m armv7em armv7 armv7s armv7k)
 +set(ARM32 arm armhf armv6m armv7m armv7em armv7 armv7s armv7k armv7l)
 set(HEXAGON hexagon)
 set(X86 i386)
 set(X86_64 x86_64)
 diff -ur compiler-rt-7.1.0.src/lib/builtins/CMakeLists.txt compiler-rt-7.1.0.src-patched/lib/builtins/CMakeLists.txt
 --- compiler-rt-7.1.0.src/lib/builtins/CMakeLists.txt	2018-07-31 03:18:59.000000000 +0900
 +++ compiler-rt-7.1.0.src-patched/lib/builtins/CMakeLists.txt	2020-05-09 20:27:38.893409318 +0900
@@ -453,6 +453,7 @@
 set(armv7_SOURCES ${arm_SOURCES})
 set(armv7s_SOURCES ${arm_SOURCES})
 set(armv7k_SOURCES ${arm_SOURCES})
 +set(armv7l_SOURCES ${arm_SOURCES})
 set(arm64_SOURCES ${aarch64_SOURCES})
 # macho_embedded archs
@@ -563,12 +564,12 @@
       set(_arch ${arch})
       if("${arch}" STREQUAL "armv6m")
         set(_arch "arm|armv6m")
 -      elseif("${arch}" MATCHES "^(armhf|armv7|armv7s|armv7k|armv7m|armv7em)$")
 +      elseif("${arch}" MATCHES "^(armhf|armv7|armv7s|armv7k|armv7l|armv7m|armv7em)$")
         set(_arch "arm")
       endif()
       # For ARM archs, exclude any VFP builtins if VFP is not supported
 -      if (${arch} MATCHES "^(arm|armhf|armv7|armv7s|armv7k|armv7m|armv7em)$")
 +      if (${arch} MATCHES "^(arm|armhf|armv7|armv7s|armv7k|armv7l|armv7m|armv7em)$")
         string(REPLACE ";" " " _TARGET_${arch}_CFLAGS "${TARGET_${arch}_CFLAGS}")
         check_compile_definition(__VFP_FP__ "${CMAKE_C_FLAGS} ${_TARGET_${arch}_CFLAGS}" COMPILER_RT_HAS_${arch}_VFP)
         if(NOT COMPILER_RT_HAS_${arch}_VFP)
--- a/pkgs/development/compilers/llvm/8/compiler-rt.nix
+++ b/pkgs/development/compilers/llvm/8/compiler-rt.nix
@ -48,7 +48,8 @@ stdenv.mkDerivation {
  patches = [
    ./compiler-rt-codesign.patch # Revert compiler-rt commit that makes codesign mandatory
  ]# ++ stdenv.lib.optional stdenv.hostPlatform.isMusl ./sanitizers-nongnu.patch
-    ++ stdenv.lib.optional (useLLVM) ./crtbegin-and-end.patch;
+    ++ stdenv.lib.optional (useLLVM) ./crtbegin-and-end.patch
    ++ stdenv.lib.optional stdenv.hostPlatform.isAarch32 ./compiler-rt-armv7l.patch;
  # TSAN requires XPC on Darwin, which we have no public/free source files for. We can depend on the Apple frameworks
  # to get it, but they're unfree. Since LLVM is rather central to the stdenv, we patch out TSAN support so that Hydra
--- a/pkgs/development/compilers/llvm/9/compiler-rt-armv7l.patch
+++ b/pkgs/development/compilers/llvm/9/compiler-rt-armv7l.patch
@ -0,0 +1,38 @@
 diff -ur compiler-rt-7.1.0.src/cmake/builtin-config-ix.cmake compiler-rt-7.1.0.src-patched/cmake/builtin-config-ix.cmake
 --- compiler-rt-7.1.0.src/cmake/builtin-config-ix.cmake	2018-05-25 06:36:27.000000000 +0900
 +++ compiler-rt-7.1.0.src-patched/cmake/builtin-config-ix.cmake	2020-05-09 20:26:33.030608692 +0900
@@ -24,7 +24,7 @@
 set(ARM64 aarch64)
 -set(ARM32 arm armhf armv6m armv7m armv7em armv7 armv7s armv7k)
 +set(ARM32 arm armhf armv6m armv7m armv7em armv7 armv7s armv7k armv7l)
 set(HEXAGON hexagon)
 set(X86 i386)
 set(X86_64 x86_64)
 diff -ur compiler-rt-7.1.0.src/lib/builtins/CMakeLists.txt compiler-rt-7.1.0.src-patched/lib/builtins/CMakeLists.txt
 --- compiler-rt-7.1.0.src/lib/builtins/CMakeLists.txt	2018-07-31 03:18:59.000000000 +0900
 +++ compiler-rt-7.1.0.src-patched/lib/builtins/CMakeLists.txt	2020-05-09 20:27:38.893409318 +0900
@@ -453,6 +453,7 @@
 set(armv7_SOURCES ${arm_SOURCES})
 set(armv7s_SOURCES ${arm_SOURCES})
 set(armv7k_SOURCES ${arm_SOURCES})
 +set(armv7l_SOURCES ${arm_SOURCES})
 set(arm64_SOURCES ${aarch64_SOURCES})
 # macho_embedded archs
@@ -563,12 +564,12 @@
       set(_arch ${arch})
       if("${arch}" STREQUAL "armv6m")
         set(_arch "arm|armv6m")
 -      elseif("${arch}" MATCHES "^(armhf|armv7|armv7s|armv7k|armv7m|armv7em)$")
 +      elseif("${arch}" MATCHES "^(armhf|armv7|armv7s|armv7k|armv7l|armv7m|armv7em)$")
         set(_arch "arm")
       endif()
       # For ARM archs, exclude any VFP builtins if VFP is not supported
 -      if (${arch} MATCHES "^(arm|armhf|armv7|armv7s|armv7k|armv7m|armv7em)$")
 +      if (${arch} MATCHES "^(arm|armhf|armv7|armv7s|armv7k|armv7l|armv7m|armv7em)$")
         string(REPLACE ";" " " _TARGET_${arch}_CFLAGS "${TARGET_${arch}_CFLAGS}")
         check_compile_definition(__VFP_FP__ "${CMAKE_C_FLAGS} ${_TARGET_${arch}_CFLAGS}" COMPILER_RT_HAS_${arch}_VFP)
         if(NOT COMPILER_RT_HAS_${arch}_VFP)
--- a/pkgs/development/compilers/llvm/9/compiler-rt.nix
+++ b/pkgs/development/compilers/llvm/9/compiler-rt.nix
@ -47,7 +47,8 @@ stdenv.mkDerivation rec {
  patches = [
    ./compiler-rt-codesign.patch # Revert compiler-rt commit that makes codesign mandatory
-  ];# ++ stdenv.lib.optional stdenv.hostPlatform.isMusl ./sanitizers-nongnu.patch
+  ]# ++ stdenv.lib.optional stdenv.hostPlatform.isMusl ./sanitizers-nongnu.patch
    ++ stdenv.lib.optional stdenv.hostPlatform.isAarch32 ./compiler-rt-armv7l.patch;
  # TSAN requires XPC on Darwin, which we have no public/free source files for. We can depend on the Apple frameworks
  # to get it, but they're unfree. Since LLVM is rather central to the stdenv, we patch out TSAN support so that Hydra
--- a/pkgs/development/libraries/libfm/default.nix
+++ b/pkgs/development/libraries/libfm/default.nix
@ -28,6 +28,11 @@ stdenv.mkDerivation rec {
    "sysconfdir=${placeholder "out"}/etc"
  ];
  # libfm-extra is pulled in by menu-cache and thus leads to a collision for libfm
  postInstall = optional (!extraOnly) ''
     rm $out/lib/libfm-extra.so $out/lib/libfm-extra.so.* $out/lib/libfm-extra.la $out/lib/pkgconfig/libfm-extra.pc
  '';
  enableParallelBuilding = true;
  meta = with stdenv.lib; {
--- a/pkgs/development/ocaml-modules/async/default.nix
+++ b/pkgs/development/ocaml-modules/async/default.nix
@ -1,23 +0,0 @@
 {stdenv, buildOcaml, fetchurl, async_kernel_p4,
 async_unix_p4, async_extra_p4, pa_ounit}:
 buildOcaml rec {
  name = "async";
  version = "112.24.00";
  minimumSupportedOcamlVersion = "4.02";
  src = fetchurl {
    url = "https://github.com/janestreet/async/archive/${version}.tar.gz";
    sha256 = "ecc4ca939ab098e689332921b110dbaacd06d9f8d8bf697023dfff3ca37dc1e9";
  };
  propagatedBuildInputs = [ async_kernel_p4 async_unix_p4 async_extra_p4 pa_ounit ];
  meta = with stdenv.lib; {
    homepage = "https://github.com/janestreet/async";
    description = "Jane Street Capital's asynchronous execution library";
    license = licenses.asl20;
    maintainers = [ maintainers.ericbmerritt ];
  };
 }
--- a/pkgs/development/ocaml-modules/janestreet/async.nix
+++ b/pkgs/development/ocaml-modules/janestreet/async.nix
@ -1,16 +0,0 @@
 {stdenv, buildOcamlJane, async_kernel,
 async_unix, async_extra}:
 buildOcamlJane {
  name = "async";
  version = "113.33.03";
  hash = "0wyspkp8k833fh03r3h016nbfn6kjfhvb2bg42cly6agcak59fmr";
  propagatedBuildInputs = [ async_kernel async_unix async_extra ];
  meta = with stdenv.lib; {
    homepage = "https://github.com/janestreet/async";
    description = "Jane Street Capital's asynchronous execution library";
    license = licenses.asl20;
    maintainers = [ maintainers.maurer maintainers.ericbmerritt ];
  };
 }
--- a/pkgs/development/ocaml-modules/lablgtk3/default.nix
+++ b/pkgs/development/ocaml-modules/lablgtk3/default.nix
@ -1,14 +1,14 @@
 { lib, fetchurl, pkgconfig, buildDunePackage, gtk3, cairo2 }:
 buildDunePackage rec {
-  version = "3.0.beta6";
+  version = "3.1.0";
  pname = "lablgtk3";
  minimumOCamlVersion = "4.05";
  src = fetchurl {
    url = "https://github.com/garrigue/lablgtk/releases/download/${version}/lablgtk3-${version}.tbz";
-    sha256 = "1jni5cbp54qs7y0dc5zkm28v2brpfwy5miighv7cy0nmmxrsq520";
+    sha256 = "1fn04qwgkwc86jndlrnv4vxcmasjsp1mmcgfznahj1ccc7bv47sv";
  };
  nativeBuildInputs = [ pkgconfig ];
--- a/pkgs/development/python-modules/fastapi/default.nix
+++ b/pkgs/development/python-modules/fastapi/default.nix
@ -16,7 +16,7 @@
 buildPythonPackage rec {
  pname = "fastapi";
-  version = "0.54.0";
+  version = "0.54.1";
  format = "flit";
  disabled = !isPy3k;
@ -24,9 +24,14 @@ buildPythonPackage rec {
    owner = "tiangolo";
    repo = "fastapi";
    rev = version;
-    sha256 = "17bicrpr801z71wrn9iimvh7qk6iwyxvr89ialf0s2rxxa2s0yb5";
+    sha256 = "0k0lss8x6lzf0szcli48v28r269fsx1jdkr9q78liz47dz5x03d8";
  };
  postPatch = ''
    substituteInPlace pyproject.toml \
      --replace "starlette ==0.13.2" "starlette"
  '';
  propagatedBuildInputs = [
    uvicorn
    starlette
--- a/pkgs/development/python-modules/jc/default.nix
+++ b/pkgs/development/python-modules/jc/default.nix
@ -1,6 +1,6 @@
 { stdenv
 , buildPythonPackage
-, fetchPypi
+, fetchFromGitHub
 , ruamel_yaml
 , xmltodict
 , pygments
@ -9,12 +9,14 @@
 buildPythonPackage rec {
  pname = "jc";
-  version = "1.10.7";
+  version = "1.10.10";
  disabled = isPy27;
-  src = fetchPypi {
+  src = fetchFromGitHub {
-    inherit pname version;
+    owner = "kellyjonbrazil";
-    sha256 = "198vsnh6j0nv9d7msnvw6qr1bzf0nffjsz7clm11bs7fh3ri3qxp";
+    repo = "jc";
    rev = "v${version}";
    sha256 = "1rkgk1d1gijic6l6rsvz5mpfhdj8l7qc60aqafj27s4yi5bbqrc7";
  };
  propagatedBuildInputs = [ ruamel_yaml xmltodict pygments ];
--- a/pkgs/development/python-modules/ldap3/default.nix
+++ b/pkgs/development/python-modules/ldap3/default.nix
@ -2,11 +2,11 @@
 buildPythonPackage rec {
  pname = "ldap3";
-  version = "2.6.1";
+  version = "2.7";
  src = fetchPypi {
    inherit pname version;
-    sha256 = "0ag5xqlki6pjk3f50b8ar8vynx2fmkna7rfampv3kdgwg8z6gjr7";
+    sha256 = "1h1q8g1c2nkhx8p5n91bzkvjx5js5didi9xqbnmfrxqbnyc45w0p";
  };
  propagatedBuildInputs = [ pyasn1 ];
--- a/pkgs/development/python-modules/libarcus/default.nix
+++ b/pkgs/development/python-modules/libarcus/default.nix
@ -3,7 +3,7 @@
 buildPythonPackage rec {
  pname = "libarcus";
-  version = "4.5.0";
+  version = "4.6.1";
  format = "other";
  src = fetchFromGitHub {
--- a/pkgs/development/python-modules/libsavitar/default.nix
+++ b/pkgs/development/python-modules/libsavitar/default.nix
@ -2,14 +2,14 @@
 buildPythonPackage rec {
  pname = "libsavitar";
-  version = "4.5.0";
+  version = "4.6.1";
  format = "other";
  src = fetchFromGitHub {
    owner = "Ultimaker";
    repo = "libSavitar";
    rev = version;
-    sha256 = "1l3l8cgaxzqdk93880p2ijrabshdj5sq05cwj1i6jpmhlqc5b9rx";
+    sha256 = "0nk8zl5b0b36wrrkj271ck4phzxsigkjsazndscjslc9nkldmnpq";
  };
  postPatch = ''
--- a/pkgs/development/python-modules/onnx/default.nix
+++ b/pkgs/development/python-modules/onnx/default.nix
@ -18,29 +18,18 @@
 buildPythonPackage rec {
  pname = "onnx";
-  version = "1.6.0";
+  version = "1.7.0";
  # Due to Protobuf packaging issues this build of Onnx with Python 2 gives
-  # errors on import
+  # errors on import.
  # Also support for Python 2 will be deprecated from Onnx v1.8.
  disabled = isPy27;
  src = fetchPypi {
    inherit pname version;
-    sha256 = "0ig33jl3591041lyylxp52yi20rfrcqx3i030hd6al8iabzc721v";
+    sha256 = "0j6rgfbhsw3a8id8pyg18y93k68lbjbj1kq6qia36h69f6pvlyjy";
  };
  # Remove the unqualified requirement for the typing package for running the
  # tests. typing is already required for the installation, where it is
  # correctly qualified so as to only be required for sufficiently old Python
  # versions.
  # This patch should be in the next release (>1.6).
  patches = [
    (fetchpatch {
      url = "https://github.com/onnx/onnx/commit/c963586d0f8dd5740777b2fd06f04ec60816de9f.patch";
      sha256 = "1hl26cw5zckc91gmh0bdah87jyprccxiw0f4i5h1gwkq28hm6wbj";
    })
  ];
  nativeBuildInputs = [ cmake ];
  propagatedBuildInputs = [
@ -61,13 +50,17 @@ buildPythonPackage rec {
    patchShebangs tools/protoc-gen-mypy.py
  '';
  preBuild = ''
    export MAX_JOBS=$NIX_BUILD_CORES
  '';
  # The executables are just utility scripts that aren't too important
  postInstall = ''
    rm -r $out/bin
  '';
-  # The setup.py does all the configuration (running CMake)
+  # The setup.py does all the configuration
-  dontConfigure = true;
+  dontUseCmakeConfigure = true;
  meta = {
    homepage    = "http://onnx.ai";
--- a/pkgs/development/python-modules/parver/default.nix
+++ b/pkgs/development/python-modules/parver/default.nix
@ -11,11 +11,11 @@
 buildPythonPackage rec {
  pname = "parver";
-  version = "0.2.1";
+  version = "0.3.0";
  src = fetchPypi {
    inherit pname version;
-    sha256 = "0jzyylcmjxb0agc4fpdnzdnv2ajvp99rs9pz7qcklnhlmy8scdqv";
+    sha256 = "0a6jp17c1ag6b9yp5xgy9wvznk3g0v2f8gpwkcwxpyc9ygk98zdm";
  };
  propagatedBuildInputs = [ six attrs arpeggio ];
--- a/pkgs/development/python-modules/plotly/default.nix
+++ b/pkgs/development/python-modules/plotly/default.nix
@ -11,11 +11,11 @@
 buildPythonPackage rec {
  pname = "plotly";
-  version = "4.4.1";
+  version = "4.6.0";
  src = fetchPypi {
    inherit pname version;
-    sha256 = "acc94f17452471ca3446c2ce491c4d1affb99b9ddd9eac4e05614ac4318f8780";
+    sha256 = "0br996lqbyq1prq9hhrzkgpicz5fgvxamzjrrpms20a2y1alkwv1";
  };
  propagatedBuildInputs = [
--- a/pkgs/development/python-modules/pyGithub/default.nix
+++ b/pkgs/development/python-modules/pyGithub/default.nix
@ -12,14 +12,14 @@
 buildPythonPackage rec {
  pname = "PyGithub";
-  version = "1.47";
+  version = "1.51";
  disabled = !isPy3k;
  src = fetchFromGitHub {
    owner = "PyGithub";
    repo = "PyGithub";
    rev = "v${version}";
-    sha256 = "0zvp1gib2lryw698vxkbdv40n3lsmdlhwp7vdcg41dqqa5nfryhn";
+    hash = "sha256-8uQCFiw1ByPOX8ZRUlSLYPIibjmd19r/JtTnmQdz5cM=";
  };
  checkInputs = [ httpretty parameterized pytestCheckHook ];
--- a/pkgs/development/python-modules/pyenchant/default.nix
+++ b/pkgs/development/python-modules/pyenchant/default.nix
@ -1,16 +1,18 @@
 { stdenv
 , buildPythonPackage
 , isPy27
 , fetchPypi
 , enchant2
 }:
 buildPythonPackage rec {
  pname = "pyenchant";
-  version = "2.0.0";
+  version = "3.0.1";
  disabled = isPy27;
  src = fetchPypi {
    inherit pname version;
-    sha256 = "fc31cda72ace001da8fe5d42f11c26e514a91fa8c70468739216ddd8de64e2a0";
+    sha256 = "0nfmckqm45fbfz795qw5hgvygdxgxchdiwp3kmm1k05z99j6mlhv";
  };
  propagatedBuildInputs = [ enchant2 ];
--- a/pkgs/development/python-modules/pytest-metadata/default.nix
+++ b/pkgs/development/python-modules/pytest-metadata/default.nix
@ -3,11 +3,11 @@
 buildPythonPackage rec {
  pname = "pytest-metadata";
-  version = "1.8.0";
+  version = "1.9.0";
  src = fetchPypi {
    inherit pname version;
-    sha256 = "1fk6icip2x1nh4kzhbc8cnqrs77avpqvj7ny3xadfh6yhn9aaw90";
+    sha256 = "1711gippwsl7c1wi8pc2y75xqq5sn1sscpqvrxjvpjm8pcx2138n";
  };
  nativeBuildInputs = [ setuptools_scm ];
--- a/pkgs/development/python-modules/pyudev/default.nix
+++ b/pkgs/development/python-modules/pyudev/default.nix
@ -4,11 +4,11 @@
 buildPythonPackage rec {
  pname = "pyudev";
-  version = "0.21.0";
+  version = "0.22.0";
  src = fetchPypi {
    inherit pname version;
-    sha256 = "0arz0dqp75sszsmgm6vhg92n1lsx91ihddx3m944f4ah0487ljq9";
+    sha256 = "0xmj6l08iih2js9skjqpv4w7y0dhxyg91zmrs6v5aa65gbmipfv9";
  };
  postPatch = ''
--- a/pkgs/development/python-modules/rdflib/default.nix
+++ b/pkgs/development/python-modules/rdflib/default.nix
@ -10,11 +10,11 @@
 buildPythonPackage rec {
  pname = "rdflib";
-  version = "4.2.2";
+  version = "5.0.0";
  src = fetchPypi {
    inherit pname version;
-    sha256 = "0398c714znnhaa2x7v51b269hk20iz073knq2mvmqp2ma92z27fs";
+    sha256 = "0mdi7xh4zcr3ngqwlgqdqf0i5bxghwfddyxdng1zwpiqkpa9s53q";
  };
  propagatedBuildInputs = [isodate html5lib SPARQLWrapper ];
--- a/pkgs/development/python-modules/rfc3986/default.nix
+++ b/pkgs/development/python-modules/rfc3986/default.nix
@ -3,11 +3,11 @@
 buildPythonPackage rec {
  pname = "rfc3986";
-  version = "1.3.2";
+  version = "1.4.0";
  src = fetchPypi {
    inherit pname version;
-    sha256 = "0344d0bd428126ce554e7ca2b61787b6a28d2bbd19fc70ed2dd85efe31176405";
+    sha256 = "17dvx15m3r49bmif5zlli8kzjd6bys6psixzbp14sd5367d9h8qi";
  };
  checkInputs = [ pytest ];
--- a/pkgs/development/python-modules/snakeviz/default.nix
+++ b/pkgs/development/python-modules/snakeviz/default.nix
@ -2,11 +2,11 @@
 buildPythonPackage rec {
  pname = "snakeviz";
-  version = "2.0.1";
+  version = "2.1.0";
  src = fetchPypi {
    inherit pname version;
-    sha256 = "11a8cd4g98vq2x61i99ncl5w83clnndwg909ya4y1cdf0k1ckb40";
+    sha256 = "0s6byw23hr2khqx2az36hpi52fk4v6bfm1bb7biaf0d2nrpqgbcj";
  };
  # Upstream doesn't run tests from setup.py
--- a/pkgs/development/python-modules/sparse/default.nix
+++ b/pkgs/development/python-modules/sparse/default.nix
@ -10,13 +10,13 @@
 buildPythonPackage rec {
  pname = "sparse";
-  version = "0.8.0";
+  version = "0.9.1";
  disabled = !isPy3k;
  src = fetchPypi {
    inherit pname version;
-    sha256 = "a3dc14ee5314caa2e64331b0b50c8f92e8999d7d275179a804a114e6cb1f8b81";
+    sha256 = "04gfwm1y9knryx992biniqa3978n3chr38iy3y4i2b8wy52fzy3d";
  };
  checkInputs = [ pytest ];
--- a/pkgs/development/python-modules/starlette/default.nix
+++ b/pkgs/development/python-modules/starlette/default.nix
@ -26,14 +26,14 @@ buildPythonPackage rec {
  # https://github.com/tiangolo/fastapi/issues/683. Please update when
  # possible. FastAPI is currently Starlette's only dependent.
-  version = "0.13.2";
+  version = "0.13.4";
  disabled = isPy27;
  src = fetchFromGitHub {
    owner = "encode";
    repo = pname;
    rev = version;
-    sha256 = "1ls8d121zyyhry5ji7gf7vjvhyqdpr4za3qx1llq48943fmaxxpq";
+    sha256 = "1rk20rj62iigkkikb80bmalriyg1j3g28s25l8z2gijagv1v5c7l";
  };
  propagatedBuildInputs = [
--- a/pkgs/development/python-modules/stripe/default.nix
+++ b/pkgs/development/python-modules/stripe/default.nix
@ -2,7 +2,7 @@
 buildPythonPackage rec {
  pname = "stripe";
-  version = "2.44.0";
+  version = "2.47.0";
  # Tests require network connectivity and there's no easy way to disable
  # them. ~ C.
@ -10,7 +10,7 @@ buildPythonPackage rec {
  src = fetchPypi {
    inherit pname version;
-    sha256 = "0aaaf8dp989im2n0cdmslq0ys4ia970yl1irhxiwwqarmh6fap5i";
+    sha256 = "14skddrf2nl25bvcyys0bgibjqkcivvfdywzldqjzyqvbwr4mkal";
  };
  propagatedBuildInputs = [ requests ];
--- a/pkgs/development/python-modules/subliminal/default.nix
+++ b/pkgs/development/python-modules/subliminal/default.nix
@ -28,11 +28,11 @@
 buildPythonPackage rec {
  pname = "subliminal";
-  version = "2.0.5";
+  version = "2.1.0";
  src = fetchPypi {
    inherit pname version;
-    sha256 = "1dzv5csjcwgz69aimarx2c6606ckm2gbn4x2mzydcqnyai7sayhl";
+    sha256 = "12v2clnbic8320fjsvkg3xfxfa7x8inhjk61z00pzwx46g3rqhy6";
  };
  propagatedBuildInputs = [
--- a/pkgs/development/python-modules/testfixtures/default.nix
+++ b/pkgs/development/python-modules/testfixtures/default.nix
@ -3,11 +3,11 @@
 buildPythonPackage rec {
  pname = "testfixtures";
-  version = "6.10.3";
+  version = "6.14.1";
  src = fetchPypi {
    inherit pname version;
-    sha256 = "8f22100d4fb841b958f64e71c8820a32dc46f57d4d7e077777b932acd87b7327";
+    sha256 = "0rh38zj8wywgqlsi5j75c7drpqhkrg50qknj1kdmvg4kdlab7ljq";
  };
  checkInputs = [ pytest mock sybil zope_component twisted ];
--- a/pkgs/development/python-modules/trimesh/default.nix
+++ b/pkgs/development/python-modules/trimesh/default.nix
@ -0,0 +1,24 @@
 { lib, buildPythonPackage, fetchPypi, numpy }:
 buildPythonPackage rec {
  pname = "trimesh";
  version = "3.6.36";
  src = fetchPypi {
    inherit pname version;
    sha256 = "1m8dqqyzazrjk4d32cqn4d8gvbfcwgs2qbmgvpi2f2mi5vnp6d85";
  };
  propagatedBuildInputs = [ numpy ];
  # tests are not included in pypi distributions and would require lots of
  # optional dependencies
  doCheck = false;
  meta = with lib; {
    description = "Python library for loading and using triangular meshes.";
    homepage = "https://trimsh.org/";
    license = licenses.mit;
    maintainers = with maintainers; [ gebner ];
  };
 }
--- a/pkgs/development/python-modules/uranium/default.nix
+++ b/pkgs/development/python-modules/uranium/default.nix
@ -2,7 +2,7 @@
 , pyqt5, numpy, scipy, shapely, libarcus, doxygen, gettext, pythonOlder }:
 buildPythonPackage rec {
-  version = "4.5.0";
+  version = "4.6.1";
  pname = "uranium";
  format = "other";
@ -10,7 +10,7 @@ buildPythonPackage rec {
    owner = "Ultimaker";
    repo = "Uranium";
    rev = version;
-    sha256 = "1l8fwj521irla42bdbw298d3c5rjpn1nm9xhjnx7hidbqixr5d27";
+    sha256 = "07pksjbgxs1ks2i6pgxkwfg9c56pcql7f9p89dnwaf2rcn7yhx6r";
  };
  disabled = pythonOlder "3.5.0";
--- a/pkgs/development/python-modules/xapp/default.nix
+++ b/pkgs/development/python-modules/xapp/default.nix
@ -11,13 +11,13 @@
 buildPythonPackage rec {
  pname = "xapp";
-  version = "1.8.1";
+  version = "2.0.1";
  src = fetchFromGitHub {
    owner = "linuxmint";
    repo = "python-xapp";
    rev = version;
-    sha256 = "0vw3cn09nx75lv4d9idp5fdhd81xs279zhbyyilynq29cxxs2zil";
+    sha256 = "1pp3z4q6ryxcc26kaq222j53ji110n2v7rx29c7vy1fbb8mq64im";
  };
  propagatedBuildInputs = [
--- a/pkgs/development/python-modules/yamllint/default.nix
+++ b/pkgs/development/python-modules/yamllint/default.nix
@ -3,11 +3,11 @@
 buildPythonPackage rec {
  pname = "yamllint";
-  version = "1.21.0";
+  version = "1.23.0";
  src = fetchPypi {
    inherit pname version;
-    sha256 = "14yijcnmanyd3s2ir38sxl07rzpxgpgw9s6b8sy68jrl7n5nj7ky";
+    sha256 = "1agl80csxhiqglm0idwhw98iqfpp61c9inzcdaz4czsfyivzzwsr";
  };
  checkInputs = [ nose ];
--- a/pkgs/development/r-modules/default.nix
+++ b/pkgs/development/r-modules/default.nix
@ -444,6 +444,7 @@ let
    sundialr = [ pkgs.libiconv ];
    ucminf = [ pkgs.libiconv ];
    glmnet = [ pkgs.libiconv ];
    mvtnorm = [ pkgs.libiconv ];
  };
  packagesRequireingX = [
--- a/pkgs/development/tools/misc/texlab/default.nix
+++ b/pkgs/development/tools/misc/texlab/default.nix
@ -6,16 +6,16 @@
 rustPlatform.buildRustPackage rec {
  pname = "texlab";
-  version = "2.0.0";
+  version = "2.1.0";
  src = fetchFromGitHub {
    owner = "latex-lsp";
    repo = pname;
    rev = "v${version}";
-    sha256 = "0y8cv8y92a4nqwrvqk2cxgs6nspqjk8jm4spr8rgkwlpfbrg74xn";
+    sha256 = "0cmciadiknw6w573v71spzf5ydaz2xxm2snv3n1hks732nahlr56";
  };
-  cargoSha256 = "1qi1c4v5d5a4xcf1bjbdicrv35w6chl5swlm96c1h3pr9s09lqy7";
+  cargoSha256 = "0dhbbni8ia0dkwjacx5jlr5rj7173nsbivm9gjsx9j8ais0f0hff";
  buildInputs = stdenv.lib.optionals stdenv.isDarwin [ Security ];
--- a/pkgs/development/tools/misc/ycmd/default.nix
+++ b/pkgs/development/tools/misc/ycmd/default.nix
@ -2,6 +2,7 @@
 , gocode ? null
 , godef ? null
 , gotools ? null
 , nodePackages ? null
 , rustracerd ? null
 , fixDarwinDylibNames, Cocoa ? null
 }:
@ -69,6 +70,9 @@ stdenv.mkDerivation {
    TARGET=$out/lib/ycmd/third_party/go/src/golang.org/x/tools/cmd/gopls
    mkdir -p $TARGET
    ln -sf ${gotools}/bin/gopls $TARGET
  '' + lib.optionalString (nodePackages != null) ''
    TARGET=$out/lib/ycmd/third_party/tsserver
    ln -sf ${nodePackages.typescript} $TARGET
  '' + lib.optionalString (rustracerd != null) ''
    TARGET=$out/lib/ycmd/third_party/racerd/target/release
    mkdir -p $TARGET
--- a/pkgs/os-specific/linux/kernel/hardened/anthraxx.asc
+++ b/pkgs/os-specific/linux/kernel/hardened/anthraxx.asc
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
--- a/pkgs/os-specific/linux/kernel/hardened/patches.json
+++ b/pkgs/os-specific/linux/kernel/hardened/patches.json
--- a/pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch
+++ b/pkgs/os-specific/linux/kernel/hardened/tag-hardened.patch
--- a/pkgs/os-specific/linux/kernel/hardened/update.py
+++ b/pkgs/os-specific/linux/kernel/hardened/update.py
@ -0,0 +1,277 @@
 #! /usr/bin/env nix-shell
 #! nix-shell -i python -p "python38.withPackages (ps: [ps.PyGithub])" git gnupg
 # This is automatically called by ../update.sh.
 from __future__ import annotations
 import json
 import os
 import re
 import subprocess
 import sys
 from dataclasses import dataclass
 from pathlib import Path
 from tempfile import TemporaryDirectory
 from typing import (
    Dict,
    Iterator,
    List,
    Optional,
    Sequence,
    Tuple,
    TypedDict,
    Union,
 )
 from github import Github
 from github.GitRelease import GitRelease
 VersionComponent = Union[int, str]
 Version = List[VersionComponent]
 Patch = TypedDict("Patch", {"name": str, "url": str, "sha256": str})
@dataclass
 class ReleaseInfo:
    version: Version
    release: GitRelease
 HERE = Path(__file__).resolve().parent
 NIXPKGS_KERNEL_PATH = HERE.parent
 NIXPKGS_PATH = HERE.parents[4]
 HARDENED_GITHUB_REPO = "anthraxx/linux-hardened"
 HARDENED_TRUSTED_KEY = HERE / "anthraxx.asc"
 HARDENED_PATCHES_PATH = HERE / "patches.json"
 MIN_KERNEL_VERSION: Version = [4, 14]
 def run(*args: Union[str, Path]) -> subprocess.CompletedProcess[bytes]:
    try:
        return subprocess.run(
            args,
            check=True,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            encoding="utf-8",
        )
    except subprocess.CalledProcessError as err:
        print(
            f"error: `{err.cmd}` failed unexpectedly\n"
            f"status code: {err.returncode}\n"
            f"stdout:\n{err.stdout.strip()}\n"
            f"stderr:\n{err.stderr.strip()}",
            file=sys.stderr,
        )
        sys.exit(1)
 def nix_prefetch_url(url: str) -> Tuple[str, Path]:
    output = run("nix-prefetch-url", "--print-path", url).stdout
    sha256, path = output.strip().split("\n")
    return sha256, Path(path)
 def verify_openpgp_signature(
    *, name: str, trusted_key: Path, sig_path: Path, data_path: Path,
 ) -> bool:
    with TemporaryDirectory(suffix=".nixpkgs-gnupg-home") as gnupg_home_str:
        gnupg_home = Path(gnupg_home_str)
        run("gpg", "--homedir", gnupg_home, "--import", trusted_key)
        keyring = gnupg_home / "pubring.kbx"
        try:
            subprocess.run(
                ("gpgv", "--keyring", keyring, sig_path, data_path),
                check=True,
                stderr=subprocess.PIPE,
                encoding="utf-8",
            )
            return True
        except subprocess.CalledProcessError as err:
            print(
                f"error: signature for {name} failed to verify!",
                file=sys.stderr,
            )
            print(err.stderr, file=sys.stderr, end="")
            return False
 def fetch_patch(*, name: str, release: GitRelease) -> Optional[Patch]:
    def find_asset(filename: str) -> str:
        try:
            it: Iterator[str] = (
                asset.browser_download_url
                for asset in release.get_assets()
                if asset.name == filename
            )
            return next(it)
        except StopIteration:
            raise KeyError(filename)
    patch_filename = f"{name}.patch"
    try:
        patch_url = find_asset(patch_filename)
        sig_url = find_asset(patch_filename + ".sig")
    except KeyError:
        print(f"error: {patch_filename}{{,.sig}} not present", file=sys.stderr)
        return None
    sha256, patch_path = nix_prefetch_url(patch_url)
    _, sig_path = nix_prefetch_url(sig_url)
    sig_ok = verify_openpgp_signature(
        name=name,
        trusted_key=HARDENED_TRUSTED_KEY,
        sig_path=sig_path,
        data_path=patch_path,
    )
    if not sig_ok:
        return None
    return Patch(name=patch_filename, url=patch_url, sha256=sha256)
 def parse_version(version_str: str) -> Version:
    version: Version = []
    for component in version_str.split("."):
        try:
            version.append(int(component))
        except ValueError:
            version.append(component)
    return version
 def version_string(version: Version) -> str:
    return ".".join(str(component) for component in version)
 def major_kernel_version_key(kernel_version: Version) -> str:
    return version_string(kernel_version[:-1])
 def commit_patches(*, kernel_key: str, message: str) -> None:
    new_patches_path = HARDENED_PATCHES_PATH.with_suffix(".new")
    with open(new_patches_path, "w") as new_patches_file:
        json.dump(patches, new_patches_file, indent=4, sort_keys=True)
        new_patches_file.write("\n")
    os.rename(new_patches_path, HARDENED_PATCHES_PATH)
    message = f"linux/hardened/patches/{kernel_key}: {message}"
    print(message)
    if os.environ.get("COMMIT"):
        run(
            "git",
            "-C",
            NIXPKGS_PATH,
            "commit",
            f"--message={message}",
            HARDENED_PATCHES_PATH,
        )
 # Load the existing patches.
 patches: Dict[str, Patch]
 with open(HARDENED_PATCHES_PATH) as patches_file:
    patches = json.load(patches_file)
 # Get the set of currently packaged kernel versions.
 kernel_versions = {}
 for filename in os.listdir(NIXPKGS_KERNEL_PATH):
    filename_match = re.fullmatch(r"linux-(\d+)\.(\d+)\.nix", filename)
    if filename_match:
        nix_version_expr = f"""
            with import {NIXPKGS_PATH} {{}};
            (callPackage {NIXPKGS_KERNEL_PATH / filename} {{}}).version
        """
        kernel_version = parse_version(
            run(
                "nix", "eval", "--impure", "--raw", "--expr", nix_version_expr,
            ).stdout
        )
        if kernel_version < MIN_KERNEL_VERSION:
            continue
        kernel_key = major_kernel_version_key(kernel_version)
        kernel_versions[kernel_key] = kernel_version
 # Remove patches for unpackaged kernel versions.
 for kernel_key in sorted(patches.keys() - kernel_versions.keys()):
    commit_patches(kernel_key=kernel_key, message="remove")
 g = Github(os.environ.get("GITHUB_TOKEN"))
 repo = g.get_repo(HARDENED_GITHUB_REPO)
 failures = False
 # Match each kernel version with the best patch version.
 releases = {}
 for release in repo.get_releases():
    version = parse_version(release.tag_name)
    # needs to look like e.g. 5.6.3.a
    if len(version) < 4:
        continue
    kernel_version = version[:-1]
    kernel_key = major_kernel_version_key(kernel_version)
    try:
        packaged_kernel_version = kernel_versions[kernel_key]
    except KeyError:
        continue
    release_info = ReleaseInfo(version=version, release=release)
    if kernel_version == packaged_kernel_version:
        releases[kernel_key] = release_info
    else:
        # Fall back to the latest patch for this major kernel version,
        # skipping patches for kernels newer than the packaged one.
        if kernel_version > packaged_kernel_version:
            continue
        elif (
            kernel_key not in releases or releases[kernel_key].version < version
        ):
            releases[kernel_key] = release_info
 # Update hardened-patches.json for each release.
 for kernel_key in sorted(releases.keys()):
    release_info = releases[kernel_key]
    release = release_info.release
    version = release_info.version
    version_str = release.tag_name
    name = f"linux-hardened-{version_str}"
    old_version: Optional[Version] = None
    old_version_str: Optional[str] = None
    update: bool
    try:
        old_filename = patches[kernel_key]["name"]
        old_version_str = old_filename.replace("linux-hardened-", "").replace(
            ".patch", ""
        )
        old_version = parse_version(old_version_str)
        update = old_version < version
    except KeyError:
        update = True
    if update:
        patch = fetch_patch(name=name, release=release)
        if patch is None:
            failures = True
        else:
            patches[kernel_key] = patch
            if old_version:
                message = f"{old_version_str} -> {version_str}"
            else:
                message = f"init at {version_str}"
            commit_patches(kernel_key=kernel_key, message=message)
 missing_kernel_versions = kernel_versions.keys() - patches.keys()
 if missing_kernel_versions:
    print(
        f"warning: no patches for kernel versions "
        + ", ".join(missing_kernel_versions),
        file=sys.stderr,
    )
 if failures:
    sys.exit(1)
--- a/pkgs/os-specific/linux/kernel/linux-4.14.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.14.nix
@ -3,7 +3,7 @@
 with stdenv.lib;
 buildLinux (args // rec {
-  version = "4.14.179";
+  version = "4.14.180";
  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@ -13,6 +13,6 @@ buildLinux (args // rec {
  src = fetchurl {
    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "10arrj3ppbxkn15yxqpxlz4k8yp2afzbfpp2nwfy6klhjiffp9sx";
+    sha256 = "03pd4wpg526n391jwc0kbmbxi059mvq8d42a9qbym9mnv5rzjkj4";
  };
 } // (args.argsOverride or {}))
--- a/pkgs/os-specific/linux/kernel/linux-4.19.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.19.nix
@ -3,7 +3,7 @@
 with stdenv.lib;
 buildLinux (args // rec {
-  version = "4.19.121";
+  version = "4.19.122";
  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@ -13,6 +13,6 @@ buildLinux (args // rec {
  src = fetchurl {
    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "11bhjdaihhc42xhf4qxdkkjznc0i6igh0ahjbzr3fb8bmq9sirgv";
+    sha256 = "1980vza1vf6cl772dynn4m0rgdjazbn125kd6sb3s06gqn72cl2h";
  };
 } // (args.argsOverride or {}))
--- a/pkgs/os-specific/linux/kernel/linux-4.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.4.nix
@ -1,11 +1,11 @@
 { stdenv, buildPackages, fetchurl, perl, buildLinux, ... } @ args:
 buildLinux (args // rec {
-  version = "4.4.222";
+  version = "4.4.223";
  extraMeta.branch = "4.4";
  src = fetchurl {
    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "02zxy5vjxgrqs0mkz5aj70v6pazhif7x5cm26rf8zh4idpmhk2zh";
+    sha256 = "09fln0sdfif2zv2jifp24yiqi0vcyj8fqx2jz91g21zvsxk3x5nd";
  };
 } // (args.argsOverride or {}))
--- a/pkgs/os-specific/linux/kernel/linux-4.9.nix
+++ b/pkgs/os-specific/linux/kernel/linux-4.9.nix
@ -1,11 +1,11 @@
 { stdenv, buildPackages, fetchurl, perl, buildLinux, ... } @ args:
 buildLinux (args // rec {
-  version = "4.9.222";
+  version = "4.9.223";
  extraMeta.branch = "4.9";
  src = fetchurl {
    url = "mirror://kernel/linux/kernel/v4.x/linux-${version}.tar.xz";
-    sha256 = "0aajgflf96bj7chbd83rdmgcdwd025c6mz6li4cwbfx7xcb91kjc";
+    sha256 = "1r9ag1fhy0g429q44qlqh0qkf42qkhzxa04gxlmnrinqypk00lyg";
  };
 } // (args.argsOverride or {}))
--- a/pkgs/os-specific/linux/kernel/linux-5.4.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.4.nix
@ -3,7 +3,7 @@
 with stdenv.lib;
 buildLinux (args // rec {
-  version = "5.4.39";
+  version = "5.4.40";
  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@ -13,6 +13,6 @@ buildLinux (args // rec {
  src = fetchurl {
    url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "1j35yf1nilb9z7lw8w2drpww7q2zy8zfr0ip8hwcbcd7c5d9chai";
+    sha256 = "1ar001rljlr15rcl77la5y1cj3plaqhdblnh87xsmv47fq13yml3";
  };
 } // (args.argsOverride or {}))
--- a/pkgs/os-specific/linux/kernel/linux-5.6.nix
+++ b/pkgs/os-specific/linux/kernel/linux-5.6.nix
@ -3,7 +3,7 @@
 with stdenv.lib;
 buildLinux (args // rec {
-  version = "5.6.11";
+  version = "5.6.12";
  # modDirVersion needs to be x.y.z, will automatically add .0 if needed
  modDirVersion = if (modDirVersionArg == null) then concatStringsSep "." (take 3 (splitVersion "${version}.0")) else modDirVersionArg;
@ -13,6 +13,6 @@ buildLinux (args // rec {
  src = fetchurl {
    url = "mirror://kernel/linux/kernel/v5.x/linux-${version}.tar.xz";
-    sha256 = "1ahv4a3mnszqs3qcnwmhbvjgis1jg37anj5jvn70i7s2k6z6rpfn";
+    sha256 = "0892ar2irfhd612sb8jpx85w0wwh4n76jgsv8wb92fp6mim37sns";
  };
 } // (args.argsOverride or {}))
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@ -35,7 +35,7 @@
  tag_hardened = {
    name = "tag-hardened";
-    patch = ./tag-hardened.patch;
+    patch = ./hardened/tag-hardened.patch;
  };
  hardened = let
@ -43,7 +43,7 @@
      name = lib.removeSuffix ".patch" src.name;
      patch = fetchurl src;
    };
-    patches = builtins.fromJSON (builtins.readFile ./hardened-patches.json);
+    patches = builtins.fromJSON (builtins.readFile ./hardened/patches.json);
  in lib.mapAttrs mkPatch patches;
  # https://bugzilla.kernel.org/show_bug.cgi?id=197591#c6
--- a/pkgs/os-specific/linux/kernel/update-hardened.py
+++ b/pkgs/os-specific/linux/kernel/update-hardened.py
@ -1,229 +0,0 @@
 #! /usr/bin/env nix-shell
 #! nix-shell -i python -p "python3.withPackages (ps: [ps.PyGithub])" git gnupg
 # This is automatically called by ./update.sh.
 import re
 import json
 import sys
 import os.path
 from glob import glob
 import subprocess
 from tempfile import TemporaryDirectory
 from github import Github
 HERE = os.path.dirname(os.path.realpath(__file__))
 HARDENED_GITHUB_REPO = 'anthraxx/linux-hardened'
 HARDENED_TRUSTED_KEY = os.path.join(HERE, 'anthraxx.asc')
 HARDENED_PATCHES_PATH = os.path.join(HERE, 'hardened-patches.json')
 MIN_KERNEL_VERSION = [4, 14]
 def run(*args, **kwargs):
    try:
        return subprocess.run(
            args, **kwargs,
            check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        )
    except subprocess.CalledProcessError as err:
        print(
            f'error: `{err.cmd}` failed unexpectedly\n'
            f'status code: {err.returncode}\n'
            f'stdout:\n{err.stdout.decode("utf-8").strip()}\n'
            f'stderr:\n{err.stderr.decode("utf-8").strip()}',
            file=sys.stderr,
        )
        sys.exit(1)
 def nix_prefetch_url(url):
    output = run('nix-prefetch-url', '--print-path', url).stdout
    return output.decode('utf-8').strip().split('\n')
 def verify_openpgp_signature(*, name, trusted_key, sig_path, data_path):
    with TemporaryDirectory(suffix='.nixpkgs-gnupg-home') as gnupg_home:
        run('gpg', '--homedir', gnupg_home, '--import', trusted_key)
        keyring = os.path.join(gnupg_home, 'pubring.kbx')
        try:
            subprocess.run(
                ('gpgv', '--keyring', keyring, sig_path, data_path),
                check=True, stderr=subprocess.PIPE,
            )
            return True
        except subprocess.CalledProcessError as err:
            print(
                f'error: signature for {name} failed to verify!',
                file=sys.stderr,
            )
            print(err.stderr.decode('utf-8'), file=sys.stderr, end='')
            return False
 def fetch_patch(*, name, release):
    def find_asset(filename):
        try:
            return next(
                asset.browser_download_url
                for asset in release.get_assets()
                if asset.name == filename
            )
        except StopIteration:
            raise KeyError(filename)
    patch_filename = f'{name}.patch'
    try:
        patch_url = find_asset(patch_filename)
        sig_url = find_asset(patch_filename + '.sig')
    except KeyError:
        print(f'error: {patch_filename}{{,.sig}} not present', file=sys.stderr)
        return None
    sha256, patch_path = nix_prefetch_url(patch_url)
    _, sig_path = nix_prefetch_url(sig_url)
    sig_ok = verify_openpgp_signature(
        name=name,
        trusted_key=HARDENED_TRUSTED_KEY,
        sig_path=sig_path,
        data_path=patch_path,
    )
    if not sig_ok:
        return None
    return {
        'name': patch_filename,
        'url': patch_url,
        'sha256': sha256,
    }
 def parse_version(version_str):
    version = []
    for component in version_str.split('.'):
        try:
            version.append(int(component))
        except ValueError:
            version.append(component)
    return version
 def version_string(version):
    return '.'.join(str(component) for component in version)
 def major_kernel_version_key(kernel_version):
    return version_string(kernel_version[:-1])
 def commit_patches(*, kernel_key, message):
    with open(HARDENED_PATCHES_PATH + '.new', 'w') as new_patches_file:
        json.dump(patches, new_patches_file, indent=4, sort_keys=True)
        new_patches_file.write('\n')
    os.rename(HARDENED_PATCHES_PATH + '.new', HARDENED_PATCHES_PATH)
    message = f'linux/hardened-patches/{kernel_key}: {message}'
    print(message)
    if os.environ.get('COMMIT'):
        run(
            'git', '-C', HERE, 'commit', f'--message={message}',
            'hardened-patches.json',
        )
 # Load the existing patches.
 with open(HARDENED_PATCHES_PATH) as patches_file:
    patches = json.load(patches_file)
 NIX_VERSION_RE = re.compile(r'''
    \s* version \s* =
    \s* " (?P<version> [^"]*) "
    \s* ; \s* \n
 ''', re.VERBOSE)
 # Get the set of currently packaged kernel versions.
 kernel_versions = {}
 for filename in os.listdir(HERE):
    filename_match = re.fullmatch(r'linux-(\d+)\.(\d+)\.nix', filename)
    if filename_match:
        with open(os.path.join(HERE, filename)) as nix_file:
            for nix_line in nix_file:
                match = NIX_VERSION_RE.fullmatch(nix_line)
                if match:
                    kernel_version = parse_version(match.group('version'))
                    if kernel_version < MIN_KERNEL_VERSION:
                        continue
                    kernel_key = major_kernel_version_key(kernel_version)
                    kernel_versions[kernel_key] = kernel_version
 # Remove patches for unpackaged kernel versions.
 for kernel_key in sorted(patches.keys() - kernel_versions.keys()):
    commit_patches(kernel_key=kernel_key, message='remove')
 g = Github(os.environ.get('GITHUB_TOKEN'))
 repo = g.get_repo(HARDENED_GITHUB_REPO)
 failures = False
 # Match each kernel version with the best patch version.
 releases = {}
 for release in repo.get_releases():
    version = parse_version(release.tag_name)
    # needs to look like e.g. 5.6.3.a
    if len(version) < 4:
        continue
    kernel_version = version[:-1]
    kernel_key = major_kernel_version_key(kernel_version)
    try:
        packaged_kernel_version = kernel_versions[kernel_key]
    except KeyError:
        continue
    release_info = {
        'version': version,
        'release': release,
    }
    if kernel_version == packaged_kernel_version:
        releases[kernel_key] = release_info
    else:
        # Fall back to the latest patch for this major kernel version,
        # skipping patches for kernels newer than the packaged one.
        if kernel_version > packaged_kernel_version:
            continue
        elif (kernel_key not in releases or
                releases[kernel_key]['version'] < version):
            releases[kernel_key] = release_info
 # Update hardened-patches.json for each release.
 for kernel_key, release_info in releases.items():
    release = release_info['release']
    version = release_info['version']
    version_str = release.tag_name
    name = f'linux-hardened-{version_str}'
    try:
        old_filename = patches[kernel_key]['name']
        old_version_str = (old_filename
            .replace('linux-hardened-', '')
            .replace('.patch', ''))
        old_version = parse_version(old_version_str)
        update = old_version < version
    except KeyError:
        update = True
        old_version = None
    if update:
        patch = fetch_patch(name=name, release=release)
        if patch is None:
            failures = True
        else:
            patches[kernel_key] = patch
            if old_version:
                message = f'{old_version_str} -> {version_str}'
            else:
                message = f'init at {version_str}'
            commit_patches(kernel_key=kernel_key, message=message)
 missing_kernel_versions = kernel_versions.keys() - patches.keys()
 if missing_kernel_versions:
    print(
        f'warning: no patches for kernel versions ' +
        ', '.join(missing_kernel_versions),
        file=sys.stderr,
    )
 if failures:
    sys.exit(1)
--- a/pkgs/os-specific/linux/kernel/update.sh
+++ b/pkgs/os-specific/linux/kernel/update.sh
@ -62,4 +62,4 @@ done
 COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-libre.sh
 # Update linux-hardened
-COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-hardened.py
+COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/hardened/update.py
--- a/pkgs/os-specific/linux/uclibc/default.nix
+++ b/pkgs/os-specific/linux/uclibc/default.nix
@ -48,7 +48,7 @@ let
    UCLIBC_HAS_FPU n
  '';
-  version = "1.0.32";
+  version = "1.0.33";
 in
 stdenv.mkDerivation {
@ -58,7 +58,7 @@ stdenv.mkDerivation {
  src = fetchurl {
    url = "https://downloads.uclibc-ng.org/releases/${version}/uClibc-ng-${version}.tar.bz2";
    # from "${url}.sha256";
-    sha256 = "0cp4xf3k0ib76xaz6n6i7yybw7s92s607ak8svq1kakwk0d1jjbv";
+    sha256 = "0qy9xsqacrhhrxd16azm26pqb2ks6c43wbrlq3i8xmq2917kw3xi";
  };
  # 'ftw' needed to build acl, a coreutils dependency
--- a/pkgs/servers/http/nginx/generic.nix
+++ b/pkgs/servers/http/nginx/generic.nix
@ -68,6 +68,14 @@ stdenv.mkDerivation {
    "--with-http_stub_status_module"
    "--with-threads"
    "--with-pcre-jit"
    "--http-log-path=/var/log/nginx/access.log"
    "--error-log-path=/var/log/nginx/error.log"
    "--pid-path=/var/log/nginx/nginx.pid"
    "--http-client-body-temp-path=/var/cache/nginx/client_body"
    "--http-proxy-temp-path=/var/cache/nginx/proxy"
    "--http-fastcgi-temp-path=/var/cache/nginx/fastcgi"
    "--http-uwsgi-temp-path=/var/cache/nginx/uwsgi"
    "--http-scgi-temp-path=/var/cache/nginx/scgi"
  ] ++ optionals withDebug [
    "--with-debug"
  ] ++ optionals withStream [
@ -99,26 +107,28 @@ stdenv.mkDerivation {
  preConfigure = preConfigure
    + concatMapStringsSep "\n" (mod: mod.preConfigure or "") modules;
-  patches = map fixPatch
+  patches = map fixPatch ([
-    (singleton (substituteAll {
+    (substituteAll {
      src = ./nix-etag-1.15.4.patch;
      preInstall = ''
        export nixStoreDir="$NIX_STORE" nixStoreDirLen="''${#NIX_STORE}"
      '';
-    }) ++ optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
+    })
-      (fetchpatch {
+    ./nix-skip-check-logs-path.patch
-        url = "https://raw.githubusercontent.com/openwrt/packages/master/net/nginx/patches/102-sizeof_test_fix.patch";
+  ] ++ optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
-        sha256 = "0i2k30ac8d7inj9l6bl0684kjglam2f68z8lf3xggcc2i5wzhh8a";
+    (fetchpatch {
-      })
+      url = "https://raw.githubusercontent.com/openwrt/packages/master/net/nginx/patches/102-sizeof_test_fix.patch";
-      (fetchpatch {
+      sha256 = "0i2k30ac8d7inj9l6bl0684kjglam2f68z8lf3xggcc2i5wzhh8a";
-        url = "https://raw.githubusercontent.com/openwrt/packages/master/net/nginx/patches/101-feature_test_fix.patch";
+    })
-        sha256 = "0v6890a85aqmw60pgj3mm7g8nkaphgq65dj4v9c6h58wdsrc6f0y";
+    (fetchpatch {
-      })
+      url = "https://raw.githubusercontent.com/openwrt/packages/master/net/nginx/patches/101-feature_test_fix.patch";
-      (fetchpatch {
+      sha256 = "0v6890a85aqmw60pgj3mm7g8nkaphgq65dj4v9c6h58wdsrc6f0y";
-        url = "https://raw.githubusercontent.com/openwrt/packages/master/net/nginx/patches/103-sys_nerr.patch";
+    })
-        sha256 = "0s497x6mkz947aw29wdy073k8dyjq8j99lax1a1mzpikzr4rxlmd";
+    (fetchpatch {
-      })
+      url = "https://raw.githubusercontent.com/openwrt/packages/master/net/nginx/patches/103-sys_nerr.patch";
-    ] ++ mapModules "patches");
+      sha256 = "0s497x6mkz947aw29wdy073k8dyjq8j99lax1a1mzpikzr4rxlmd";
    })
  ] ++ mapModules "patches");
  hardeningEnable = optional (!stdenv.isDarwin) "pie";
--- a/pkgs/servers/http/nginx/nix-skip-check-logs-path.patch
+++ b/pkgs/servers/http/nginx/nix-skip-check-logs-path.patch
@ -0,0 +1,27 @@
 diff --git a/auto/install b/auto/install
 index d884487..dccc411 100644
 --- a/auto/install
 +++ b/auto/install
@@ -148,12 +148,6 @@ install:	build $NGX_INSTALL_PERL_MODULES
 		|| cp conf/nginx.conf '\$(DESTDIR)$NGX_CONF_PATH'
 	cp conf/nginx.conf '\$(DESTDIR)$NGX_CONF_PREFIX/nginx.conf.default'
 -	test -d '\$(DESTDIR)`dirname "$NGX_PID_PATH"`' \\
 -		|| mkdir -p '\$(DESTDIR)`dirname "$NGX_PID_PATH"`'
 -
 -	test -d '\$(DESTDIR)`dirname "$NGX_HTTP_LOG_PATH"`' \\
 -		|| mkdir -p '\$(DESTDIR)`dirname "$NGX_HTTP_LOG_PATH"`'
 -
 	test -d '\$(DESTDIR)$NGX_PREFIX/html' \\
 		|| cp -R $NGX_HTML '\$(DESTDIR)$NGX_PREFIX'
 END
@@ -161,9 +155,6 @@ END
 if test -n "$NGX_ERROR_LOG_PATH"; then
     cat << END                                                >> $NGX_MAKEFILE
 -
 -	test -d '\$(DESTDIR)`dirname "$NGX_ERROR_LOG_PATH"`' \\
 -		|| mkdir -p '\$(DESTDIR)`dirname "$NGX_ERROR_LOG_PATH"`'
 END
 fi
--- a/pkgs/servers/http/openresty/default.nix
+++ b/pkgs/servers/http/openresty/default.nix
@ -16,10 +16,11 @@ callPackage ../nginx/generic.nix args rec {
    sha256 = "1a1la7vszv1parsnhphydblz64ffhycazncn3ividnvqg2mg735n";
  };
-  fixPatch = patch:
+  fixPatch = patch: let name = patch.name or (builtins.baseNameOf patch); in
-    runCommand "openresty-${patch.name}" { src = patch; } ''
+    runCommand "openresty-${name}" { src = patch; } ''
      substitute $src $out \
-        --replace "src/" "bundle/nginx-${nginxVersion}/src/"
+        --replace "a/" "a/bundle/nginx-${nginxVersion}/" \
        --replace "b/" "b/bundle/nginx-${nginxVersion}/"
    '';
  buildInputs = [ postgresql ];
--- a/pkgs/servers/http/tengine/default.nix
+++ b/pkgs/servers/http/tengine/default.nix
@ -1,5 +1,5 @@
 { stdenv, fetchFromGitHub, openssl, zlib, pcre, libxml2, libxslt
-, gd, geoip, gperftools, jemalloc
+, substituteAll, gd, geoip, gperftools, jemalloc
 , withDebug ? false
 , withMail ? false
 , withStream ? false
@ -24,8 +24,14 @@ stdenv.mkDerivation rec {
    [ openssl zlib pcre libxml2 libxslt gd geoip gperftools jemalloc ]
    ++ concatMap (mod: mod.inputs or []) modules;
-  patches = [
+  patches = singleton (substituteAll {
    src = ../nginx/nix-etag-1.15.4.patch;
    preInstall = ''
      export nixStoreDir="$NIX_STORE" nixStoreDirLen="''${#NIX_STORE}"
    '';
  }) ++ [
    ./check-resolv-conf.patch
    ../nginx/nix-skip-check-logs-path.patch
  ];
  configureFlags = [
@ -53,6 +59,14 @@ stdenv.mkDerivation rec {
    "--with-poll_module"
    "--with-google_perftools_module"
    "--with-jemalloc"
    "--http-log-path=/var/log/nginx/access.log"
    "--error-log-path=/var/log/nginx/error.log"
    "--pid-path=/var/log/nginx/nginx.pid"
    "--http-client-body-temp-path=/var/cache/nginx/client_body"
    "--http-proxy-temp-path=/var/cache/nginx/proxy"
    "--http-fastcgi-temp-path=/var/cache/nginx/fastcgi"
    "--http-uwsgi-temp-path=/var/cache/nginx/uwsgi"
    "--http-scgi-temp-path=/var/cache/nginx/scgi"
  ] ++ optionals withDebug [
    "--with-debug"
  ] ++ optionals withMail [
--- a/pkgs/tools/misc/nix-direnv/default.nix
+++ b/pkgs/tools/misc/nix-direnv/default.nix
@ -0,0 +1,36 @@
 { lib, stdenv, fetchFromGitHub, gnugrep, nix }:
 stdenv.mkDerivation rec {
  pname = "nix-direnv";
  version = "1.0.0";
  src = fetchFromGitHub {
    owner = "nix-community";
    repo = "nix-direnv";
    rev = "${version}";
    sha256 = "1lwmg6mn3lf7s0345v53zadxn9v0x8z6pcbj90v5dx3pgrq41gs8";
  };
  # Substitute instead of wrapping because the resulting file is
  # getting sourced, not executed:
  postPatch = ''
    substituteInPlace direnvrc \
      --replace "grep" "${gnugrep}/bin/grep" \
      --replace "nix-shell" "${nix}/bin/nix-shell" \
      --replace "nix-instantiate" "${nix}/bin/nix-instantiate"
  '';
  installPhase = ''
    runHook preInstall
    install -m500 -D direnvrc $out/share/nix-direnv/direnvrc
    runHook postInstall
  '';
  meta = with stdenv.lib; {
    description = "A fast, persistent use_nix implementation for direnv";
    homepage    = "https://github.com/nix-community/nix-direnv";
    license     = licenses.mit;
    platforms   = platforms.unix;
    maintainers = with maintainers; [ mic92 ];
  };
 }
--- a/pkgs/tools/networking/amass/default.nix
+++ b/pkgs/tools/networking/amass/default.nix
@ -5,16 +5,16 @@
 buildGoModule rec {
  pname = "amass";
-  version = "3.5.5";
+  version = "3.6.0";
  src = fetchFromGitHub {
    owner = "OWASP";
    repo = "Amass";
    rev = "v${version}";
-    sha256 = "1w93ia9jr2afgkbaklx2rj0ccd0ghg1qbdg363aqqvyw40ccya1r";
+    sha256 = "05rh61dx4f9kv5p8sahhwwiyivwq438fl30j9d97i4sagvb5jvvm";
  };
-  modSha256 = "051fxfh7lwrj3hzsgr2c2ga6hksz56673lg35y36sz4d93yldj6f";
+  modSha256 = "1k7yd2lh6hwz3qm6ywrlr1qw0asqwdgrpj594v1gvav426yqyr6s";
  outputs = [ "out" "wordlists" ];
--- a/pkgs/tools/networking/wireguard-tools/default.nix
+++ b/pkgs/tools/networking/wireguard-tools/default.nix
@ -13,11 +13,11 @@ with stdenv.lib;
 stdenv.mkDerivation rec {
  pname = "wireguard-tools";
-  version = "1.0.20200319";
+  version = "1.0.20200510";
  src = fetchzip {
    url = "https://git.zx2c4.com/wireguard-tools/snapshot/wireguard-tools-${version}.tar.xz";
-    sha256 = "0g9vlngg9dnh7qqfhaycw35fq8ij5hfz6p1cykh4ncjgr93i7rbx";
+    sha256 = "0xqchidfn1j3jq5w7ck570aib12q9z0mfvwhmnyzqxx7d3qh76j6";
  };
  outputs = [ "out" "man" ];
--- a/pkgs/tools/security/jadx/default.nix
+++ b/pkgs/tools/security/jadx/default.nix
@ -0,0 +1,103 @@
 { stdenv, fetchFromGitHub, gradle, jdk, makeWrapper, perl }:
 let
  pname = "jadx";
  version = "1.1.0";
  src = fetchFromGitHub {
    owner = "skylot";
    repo = pname;
    rev = "v${version}";
    sha256 = "1dx3g0sm46qy57gggpg8bpmin5glzbxdbf0qzvha9r2dwh4mrwlg";
  };
  deps = stdenv.mkDerivation {
    name = "${pname}-deps";
    inherit src;
    nativeBuildInputs = [ gradle jdk perl ];
    buildPhase = ''
      export GRADLE_USER_HOME=$(mktemp -d)
      export JADX_VERSION=${version}
      gradle --no-daemon jar
    '';
    # Mavenize dependency paths
    # e.g. org.codehaus.groovy/groovy/2.4.0/{hash}/groovy-2.4.0.jar -> org/codehaus/groovy/groovy/2.4.0/groovy-2.4.0.jar
    installPhase = ''
      find $GRADLE_USER_HOME/caches/modules-2 -type f -regex '.*\.\(jar\|pom\)' \
        | perl -pe 's#(.*/([^/]+)/([^/]+)/([^/]+)/[0-9a-f]{30,40}/([^/\s]+))$# ($x = $2) =~ tr|\.|/|; "install -Dm444 $1 \$out/$x/$3/$4/$5" #e' \
        | sh
    '';
    outputHashAlgo = "sha256";
    outputHashMode = "recursive";
    outputHash = "083r4hg6m9cxzm2m8nckf10awq8kh901v5i39r60x47xk5yw84ps";
  };
 in stdenv.mkDerivation {
  inherit pname version src;
  nativeBuildInputs = [ gradle jdk makeWrapper ];
  buildPhase = ''
    # The installDist Gradle build phase tries to copy some dependency .jar
    # files multiple times into the build directory. This ends up failing when
    # the dependencies are read directly from the Nix store since they are not
    # marked as chmod +w. To work around this, get a local copy of the
    # dependency store, and give write permissions.
    depsDir=$(mktemp -d)
    cp -R ${deps}/* $depsDir
    chmod -R u+w $depsDir
    gradleInit=$(mktemp)
    cat >$gradleInit <<EOF
      gradle.projectsLoaded {
        rootProject.allprojects {
          buildscript {
            repositories {
              clear()
              maven { url '$depsDir' }
            }
          }
          repositories {
            clear()
            maven { url '$depsDir' }
          }
        }
      }
      settingsEvaluated { settings ->
        settings.pluginManagement {
          repositories {
            maven { url '$depsDir' }
          }
        }
      }
    EOF
    export GRADLE_USER_HOME=$(mktemp -d)
    export JADX_VERSION=${version}
    gradle --offline --no-daemon --info --init-script $gradleInit pack
  '';
  installPhase = ''
    mkdir $out $out/bin
    cp -R build/jadx/lib $out
    for prog in jadx jadx-gui; do
      cp build/jadx/bin/$prog $out/bin
      wrapProgram $out/bin/$prog --set JAVA_HOME ${jdk.home}
    done
  '';
  meta = with stdenv.lib; {
    description = "Dex to Java decompiler";
    longDescription = ''
      Command line and GUI tools for produce Java source code from Android Dex
      and Apk files.
    '';
    license = licenses.asl20;
    platforms = platforms.unix;
    maintainers = with maintainers; [ delroth ];
  };
 }
--- a/pkgs/tools/system/ytop/default.nix
+++ b/pkgs/tools/system/ytop/default.nix
@ -4,18 +4,18 @@ assert stdenv.isDarwin -> IOKit != null;
 rustPlatform.buildRustPackage rec {
  pname = "ytop";
-  version = "0.6.0";
+  version = "0.6.1";
  src = fetchFromGitHub {
    owner = "cjbassi";
    repo = pname;
    rev = version;
-    sha256 = "1zajgzhhxigga5wc94bmbk8iwx7yc2jq3f0hqadfsa4f0wmpi0nf";
+    sha256 = "1p746v9xrfm6avc6v9dvcnpckhvdizzf53pcg9bpcp0lw5sh85da";
  };
  buildInputs = stdenv.lib.optionals stdenv.isDarwin [ IOKit ];
-  cargoSha256 = "1ka9d81ddzz52w75xdiwd2xkv1rlamyvvdax09wanb61zxxwm0i7";
+  cargoSha256 = "15cpi0b5yqjwi1liry2q17sn9hpc4xf9gn33ri3rs6ls5qs7j7pa";
  meta = with stdenv.lib; {
    description = "A TUI system monitor written in Rust";
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -2058,6 +2058,8 @@ in
  nfstrace = callPackage ../tools/networking/nfstrace { };
  nix-direnv = callPackage ../tools/misc/nix-direnv { };
  nixpkgs-pytools = with python3.pkgs; toPythonApplication nixpkgs-pytools;
  noteshrink = callPackage ../tools/misc/noteshrink { };
@ -4373,6 +4375,8 @@ in
  jade = callPackage ../tools/text/sgml/jade { };
  jadx = callPackage ../tools/security/jadx { };
  jazzy = callPackage ../development/tools/jazzy { };
  jc = with python3Packages; toPythonApplication jc;
@ -17063,7 +17067,7 @@ in
  # Hardened linux
  hardenedLinuxPackagesFor = kernel: linuxPackagesFor (kernel.override {
-    structuredExtraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
+    structuredExtraConfig = import ../os-specific/linux/kernel/hardened/config.nix {
      inherit stdenv;
      inherit (kernel) version;
    };
@ -19385,6 +19389,8 @@ in
  geany = callPackage ../applications/editors/geany { };
  geany-with-vte = callPackage ../applications/editors/geany/with-vte.nix { };
  genxword = callPackage ../applications/misc/genxword { };
  geoipupdate = callPackage ../applications/misc/geoipupdate/default.nix { };
  ghostwriter = libsForQt5.callPackage ../applications/editors/ghostwriter { };
@ -24954,9 +24960,16 @@ in
  fped = callPackage ../applications/science/electronics/fped { };
  # this is a wrapper for kicad.base and kicad.libraries
  kicad = callPackage ../applications/science/electronics/kicad { };
  kicad-small = kicad.override { pname = "kicad-small"; with3d = false; };
-  kicad-unstable = kicad.override { pname = "kicad-unstable"; debug = true; };
+  kicad-unstable = kicad.override { pname = "kicad-unstable"; stable = false; };
  # mostly here so the kicad-unstable components (except packages3d) get built
  kicad-unstable-small = kicad.override {
    pname = "kicad-unstable-small";
    stable = false;
    with3d = false;
  };
  librepcb = libsForQt5.callPackage ../applications/science/electronics/librepcb { };
--- a/pkgs/top-level/ocaml-packages.nix
+++ b/pkgs/top-level/ocaml-packages.nix
@ -42,11 +42,6 @@ let
    async_unix_p4 = callPackage ../development/ocaml-modules/async_unix { };
    async_p4 =
      if lib.versionOlder "4.02" ocaml.version
      then callPackage ../development/ocaml-modules/async { }
      else null;
    atd = callPackage ../development/ocaml-modules/atd { };
    atdgen = callPackage ../development/ocaml-modules/atdgen { };
@ -1213,13 +1208,6 @@ let
      then callPackage ../development/ocaml-modules/janestreet/async-extra.nix {}
      else async_extra_p4;
    async =
      if lib.versionOlder "4.03" ocaml.version
      then janeStreet.async
      else if lib.versionOlder "4.02" ocaml.version
      then callPackage ../development/ocaml-modules/janestreet/async.nix {}
      else async_p4;
    # Apps / from all-packages
    ocamlnat = callPackage  ../development/ocaml-modules/ocamlnat { };
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@ -1479,6 +1479,8 @@ in {
  transforms3d = callPackage ../development/python-modules/transforms3d { };
  trimesh = callPackage ../development/python-modules/trimesh {};
  sentinel = callPackage ../development/python-modules/sentinel { };
  sentry-sdk = callPackage ../development/python-modules/sentry-sdk {};