From 5c382b7f0e4705f447ac554dcfc7069849766710 Mon Sep 17 00:00:00 2001
From: DavHau <hsngrmpf+github@gmail.com>
Date: Tue, 20 Oct 2020 19:09:32 +0700
Subject: [PATCH 01/43] autoPatchelfHook: optimize performance, better error
 handling

---
 .../setup-hooks/auto-patchelf.sh              | 72 ++++++++++++-------
 1 file changed, 45 insertions(+), 27 deletions(-)

diff --git a/pkgs/build-support/setup-hooks/auto-patchelf.sh b/pkgs/build-support/setup-hooks/auto-patchelf.sh
index 4f7c0c14304..7df454f4f01 100644
--- a/pkgs/build-support/setup-hooks/auto-patchelf.sh
+++ b/pkgs/build-support/setup-hooks/auto-patchelf.sh
@@ -1,9 +1,16 @@
 declare -a autoPatchelfLibs
+declare -Ag autoPatchelfFailedDeps
 
 gatherLibraries() {
     autoPatchelfLibs+=("$1/lib")
 }
 
+# wrapper around patchelf to raise proper error messages
+# containing the tried file name and command
+runPatchelf() {
+  patchelf $@ || (echo "Command failed: patchelf $@" && exit 1)
+}
+
 addEnvHooks "$targetOffset" gatherLibraries
 
 isExecutable() {
@@ -23,14 +30,19 @@ isExecutable() {
 
 # We cache dependencies so that we don't need to search through all of them on
 # every consecutive call to findDependency.
-declare -a cachedDependencies
+declare -Ag autoPatchelfCachedDepsAssoc
+declare -ag autoPatchelfCachedDeps
+
 
 addToDepCache() {
-    local existing
-    for existing in "${cachedDependencies[@]}"; do
-        if [ "$existing" = "$1" ]; then return; fi
-    done
-    cachedDependencies+=("$1")
+    if [[ ${autoPatchelfCachedDepsAssoc[$1]+f} ]]; then return; fi
+
+    # store deps in an assoc. array for efficient lookups
+    # otherwise findDependency would have quadratic complexity
+    autoPatchelfCachedDepsAssoc["$1"]=""
+
+    # also store deps in normal array to maintian their order
+    autoPatchelfCachedDeps+=("$1")
 }
 
 declare -gi depCacheInitialised=0
@@ -43,7 +55,7 @@ getDepsFromSo() {
 
 populateCacheWithRecursiveDeps() {
     local so found foundso
-    for so in "${cachedDependencies[@]}"; do
+    for so in "${autoPatchelfCachedDeps[@]}"; do
         for found in $(getDepsFromSo "$so"); do
             local libdir="${found%/*}"
             local base="${found##*/}"
@@ -76,7 +88,7 @@ findDependency() {
         depCacheInitialised=1
     fi
 
-    for dep in "${cachedDependencies[@]}"; do
+    for dep in "${autoPatchelfCachedDeps[@]}"; do
         if [ "$filename" = "${dep##*/}" ]; then
             if [ "$(getSoArch "$dep")" = "$arch" ]; then
                 foundDependency="$dep"
@@ -103,7 +115,7 @@ autoPatchelfFile() {
 
     local interpreter="$(< "$NIX_CC/nix-support/dynamic-linker")"
     if isExecutable "$toPatch"; then
-        patchelf --set-interpreter "$interpreter" "$toPatch"
+        runPatchelf --set-interpreter "$interpreter" "$toPatch"
         if [ -n "$runtimeDependencies" ]; then
             for dep in $runtimeDependencies; do
                 rpath="$rpath${rpath:+:}$dep/lib"
@@ -115,7 +127,7 @@ autoPatchelfFile() {
 
     # We're going to find all dependencies based on ldd output, so we need to
     # clear the RPATH first.
-    patchelf --remove-rpath "$toPatch"
+    runPatchelf --remove-rpath "$toPatch"
 
     local missing="$(
         ldd "$toPatch" 2> /dev/null | \
@@ -134,18 +146,13 @@ autoPatchelfFile() {
             echo "found: $foundDependency" >&2
         else
             echo "not found!" >&2
-            depNotFound=1
+            autoPatchelfFailedDeps["$dep"]=""
         fi
     done
 
-    # This makes sure the builder fails if we didn't find a dependency, because
-    # the stdenv setup script is run with set -e. The actual error is emitted
-    # earlier in the previous loop.
-    [ $depNotFound -eq 0 -o -n "$autoPatchelfIgnoreMissingDeps" ]
-
     if [ -n "$rpath" ]; then
         echo "setting RPATH to: $rpath" >&2
-        patchelf --set-rpath "$rpath" "$toPatch"
+        runPatchelf --set-rpath "$rpath" "$toPatch"
     fi
 }
 
@@ -168,10 +175,10 @@ addAutoPatchelfSearchPath() {
         esac
     done
 
-    cachedDependencies+=(
-        $(find "$@" "${findOpts[@]}" \! -type d \
-               \( -name '*.so' -o -name '*.so.*' \))
-    )
+    for file in \
+      $(find "$@" "${findOpts[@]}" \! -type d \
+          \( -name '*.so' -o -name '*.so.*' \))
+    do addToDepCache "$file"; done
 }
 
 autoPatchelf() {
@@ -197,14 +204,9 @@ autoPatchelf() {
     echo "automatically fixing dependencies for ELF files" >&2
 
     # Add all shared objects of the current output path to the start of
-    # cachedDependencies so that it's choosen first in findDependency.
+    # autoPatchelfCachedDeps so that it's choosen first in findDependency.
     addAutoPatchelfSearchPath ${norecurse:+--no-recurse} -- "$@"
 
-    # Here we actually have a subshell, which also means that
-    # $cachedDependencies is final at this point, so whenever we want to run
-    # findDependency outside of this, the dependency cache needs to be rebuilt
-    # from scratch, so keep this in mind if you want to run findDependency
-    # outside of this function.
     while IFS= read -r -d $'\0' file; do
       isELF "$file" || continue
       segmentHeaders="$(LANG=C $READELF -l "$file")"
@@ -215,8 +217,24 @@ autoPatchelf() {
           # Skip if the executable is statically linked.
           [ -n "$(echo "$segmentHeaders" | grep "^ *INTERP\\>")" ] || continue
       fi
+      # Jump file if patchelf is unable to parse it
+      # Some programs contain binary blobs for testing,
+      # which are identified as ELF but fail to be parsed by patchelf
+      patchelf $file || continue
       autoPatchelfFile "$file"
     done < <(find "$@" ${norecurse:+-maxdepth 1} -type f -print0)
+
+    # fail if any dependencies were not found and
+    # autoPatchelfIgnoreMissingDeps is not set
+    local depsMissing=0
+    for failedDep in "${!autoPatchelfFailedDeps[@]}"; do
+      echo "autoPatchelfHook could not satisfy dependency $failedDep"
+      depsMissing=1
+    done
+    if [ $depsMissing == 1 -a -z "$autoPatchelfIgnoreMissingDeps" ]; then
+      echo "Add the missing dependencies to the build inputs or set autoPatchelfIgnoreMissingDeps=true"
+      exit 1
+    fi
 }
 
 # XXX: This should ultimately use fixupOutputHooks but we currently don't have

From 11a08bcfad2523aa94a3cf54abce5894e78feaca Mon Sep 17 00:00:00 2001
From: DavHau <hsngrmpf+github@gmail.com>
Date: Thu, 22 Oct 2020 10:15:42 +0700
Subject: [PATCH 02/43] Apply suggestions from code review

Co-authored-by: symphorien <symphorien@users.noreply.github.com>
Co-authored-by: Sandro <sandro.jaeckel@gmail.com>
---
 pkgs/build-support/setup-hooks/auto-patchelf.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/build-support/setup-hooks/auto-patchelf.sh b/pkgs/build-support/setup-hooks/auto-patchelf.sh
index 7df454f4f01..a48071e24eb 100644
--- a/pkgs/build-support/setup-hooks/auto-patchelf.sh
+++ b/pkgs/build-support/setup-hooks/auto-patchelf.sh
@@ -8,7 +8,7 @@ gatherLibraries() {
 # wrapper around patchelf to raise proper error messages
 # containing the tried file name and command
 runPatchelf() {
-  patchelf $@ || (echo "Command failed: patchelf $@" && exit 1)
+  patchelf "$@" || (echo "Command failed: patchelf $*" && exit 1)
 }
 
 addEnvHooks "$targetOffset" gatherLibraries
@@ -231,7 +231,7 @@ autoPatchelf() {
       echo "autoPatchelfHook could not satisfy dependency $failedDep"
       depsMissing=1
     done
-    if [ $depsMissing == 1 -a -z "$autoPatchelfIgnoreMissingDeps" ]; then
+    if [[ $depsMissing == 1 && -z "$autoPatchelfIgnoreMissingDeps" ]]; then
       echo "Add the missing dependencies to the build inputs or set autoPatchelfIgnoreMissingDeps=true"
       exit 1
     fi

From f833f0406fb561e788de239a0ed9070d3818e442 Mon Sep 17 00:00:00 2001
From: DavHau <hsngrmpf+github@gmail.com>
Date: Fri, 23 Oct 2020 13:16:23 +0700
Subject: [PATCH 03/43] autoPatchelfHook: print dependant for missing deps

---
 pkgs/build-support/setup-hooks/auto-patchelf.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/build-support/setup-hooks/auto-patchelf.sh b/pkgs/build-support/setup-hooks/auto-patchelf.sh
index a48071e24eb..df2cbb4e9a2 100644
--- a/pkgs/build-support/setup-hooks/auto-patchelf.sh
+++ b/pkgs/build-support/setup-hooks/auto-patchelf.sh
@@ -228,7 +228,7 @@ autoPatchelf() {
     # autoPatchelfIgnoreMissingDeps is not set
     local depsMissing=0
     for failedDep in "${!autoPatchelfFailedDeps[@]}"; do
-      echo "autoPatchelfHook could not satisfy dependency $failedDep"
+      echo "autoPatchelfHook could not satisfy dependency $failedDep wanted by ${autoPatchelfFailedDeps[$failedDep]}"
       depsMissing=1
     done
     if [[ $depsMissing == 1 && -z "$autoPatchelfIgnoreMissingDeps" ]]; then

From b9d2541a3700ec2ad4c75df11821c4f387a4512d Mon Sep 17 00:00:00 2001
From: DavHau <hsngrmpf+github@gmail.com>
Date: Fri, 23 Oct 2020 13:21:08 +0700
Subject: [PATCH 04/43] autoPatchelfHook: store dependant for dependency

---
 pkgs/build-support/setup-hooks/auto-patchelf.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/build-support/setup-hooks/auto-patchelf.sh b/pkgs/build-support/setup-hooks/auto-patchelf.sh
index df2cbb4e9a2..55481200b8b 100644
--- a/pkgs/build-support/setup-hooks/auto-patchelf.sh
+++ b/pkgs/build-support/setup-hooks/auto-patchelf.sh
@@ -146,7 +146,7 @@ autoPatchelfFile() {
             echo "found: $foundDependency" >&2
         else
             echo "not found!" >&2
-            autoPatchelfFailedDeps["$dep"]=""
+            autoPatchelfFailedDeps["$dep"]="$toPatch"
         fi
     done
 

From 112f275f4db95ef465ea4d24c0be2a2ca0b3decc Mon Sep 17 00:00:00 2001
From: DavHau <hsngrmpf+github@gmail.com>
Date: Mon, 26 Oct 2020 17:17:07 +0700
Subject: [PATCH 05/43] autoPatchelfHook: fix typos in comments

---
 pkgs/build-support/setup-hooks/auto-patchelf.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/build-support/setup-hooks/auto-patchelf.sh b/pkgs/build-support/setup-hooks/auto-patchelf.sh
index 55481200b8b..f51f016c334 100644
--- a/pkgs/build-support/setup-hooks/auto-patchelf.sh
+++ b/pkgs/build-support/setup-hooks/auto-patchelf.sh
@@ -41,7 +41,7 @@ addToDepCache() {
     # otherwise findDependency would have quadratic complexity
     autoPatchelfCachedDepsAssoc["$1"]=""
 
-    # also store deps in normal array to maintian their order
+    # also store deps in normal array to maintain their order
     autoPatchelfCachedDeps+=("$1")
 }
 
@@ -204,7 +204,7 @@ autoPatchelf() {
     echo "automatically fixing dependencies for ELF files" >&2
 
     # Add all shared objects of the current output path to the start of
-    # autoPatchelfCachedDeps so that it's choosen first in findDependency.
+    # autoPatchelfCachedDeps so that it's chosen first in findDependency.
     addAutoPatchelfSearchPath ${norecurse:+--no-recurse} -- "$@"
 
     while IFS= read -r -d $'\0' file; do

From 05fa0f1a2ec5ad455e16a72bdb304f7c0e098b76 Mon Sep 17 00:00:00 2001
From: DavHau <hsngrmpf+github@gmail.com>
Date: Sat, 7 Nov 2020 18:08:48 +0700
Subject: [PATCH 06/43] improve things shellcheck complains about

---
 pkgs/build-support/setup-hooks/auto-patchelf.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/pkgs/build-support/setup-hooks/auto-patchelf.sh b/pkgs/build-support/setup-hooks/auto-patchelf.sh
index f51f016c334..49e84f84ceb 100644
--- a/pkgs/build-support/setup-hooks/auto-patchelf.sh
+++ b/pkgs/build-support/setup-hooks/auto-patchelf.sh
@@ -57,7 +57,6 @@ populateCacheWithRecursiveDeps() {
     local so found foundso
     for so in "${autoPatchelfCachedDeps[@]}"; do
         for found in $(getDepsFromSo "$so"); do
-            local libdir="${found%/*}"
             local base="${found##*/}"
             local soname="${base%.so*}"
             for foundso in "${found%/*}/$soname".so*; do
@@ -113,7 +112,8 @@ findDependency() {
 autoPatchelfFile() {
     local dep rpath="" toPatch="$1"
 
-    local interpreter="$(< "$NIX_CC/nix-support/dynamic-linker")"
+    local interpreter
+    interpreter="$(< "$NIX_CC/nix-support/dynamic-linker")"
     if isExecutable "$toPatch"; then
         runPatchelf --set-interpreter "$interpreter" "$toPatch"
         if [ -n "$runtimeDependencies" ]; then
@@ -129,7 +129,8 @@ autoPatchelfFile() {
     # clear the RPATH first.
     runPatchelf --remove-rpath "$toPatch"
 
-    local missing="$(
+    local missing
+    missing="$(
         ldd "$toPatch" 2> /dev/null | \
             sed -n -e 's/^[\t ]*\([^ ]\+\) => not found.*/\1/p'
     )"
@@ -137,7 +138,6 @@ autoPatchelfFile() {
     # This ensures that we get the output of all missing dependencies instead
     # of failing at the first one, because it's more useful when working on a
     # new package where you don't yet know its dependencies.
-    local -i depNotFound=0
 
     for dep in $missing; do
         echo -n "  $dep -> " >&2
@@ -220,7 +220,7 @@ autoPatchelf() {
       # Jump file if patchelf is unable to parse it
       # Some programs contain binary blobs for testing,
       # which are identified as ELF but fail to be parsed by patchelf
-      patchelf $file || continue
+      patchelf "$file" || continue
       autoPatchelfFile "$file"
     done < <(find "$@" ${norecurse:+-maxdepth 1} -type f -print0)
 

From 612ec252564dd38bc29fb99e0cdfb042001d7dfa Mon Sep 17 00:00:00 2001
From: Kovacsics Robert <rmk35@cam.ac.uk>
Date: Thu, 21 May 2020 23:52:01 +0100
Subject: [PATCH 07/43] guile: setup hook, use compiled files

Often packages install the compiled files to
`$(libdir)/guile/$(GUILE_EFFECTIVE_VERSION)/ccache` (e.g. see
guile-opengl). This path is not explicitly given in the info page, but
is used in a couple of places, and is also part of `%load-compiled-path`
variable in guile (for `"${guile}/lib/guile/2.2/ccache`).

Similarly, the site-ccache is also part of `%load-compiled-path` in
guile.
---
 pkgs/development/interpreters/guile/setup-hook-2.0.sh | 10 ++++++++++
 pkgs/development/interpreters/guile/setup-hook-2.2.sh | 10 ++++++++++
 2 files changed, 20 insertions(+)

diff --git a/pkgs/development/interpreters/guile/setup-hook-2.0.sh b/pkgs/development/interpreters/guile/setup-hook-2.0.sh
index 6bb3910aaff..288f7e242f9 100644
--- a/pkgs/development/interpreters/guile/setup-hook-2.0.sh
+++ b/pkgs/development/interpreters/guile/setup-hook-2.0.sh
@@ -8,6 +8,16 @@ addGuileLibPath () {
         export GUILE_LOAD_PATH="${GUILE_LOAD_PATH-}${GUILE_LOAD_PATH:+:}$1/share/guile/site"
         export GUILE_LOAD_COMPILED_PATH="${GUILE_LOAD_COMPILED_PATH-}${GUILE_LOAD_COMPILED_PATH:+:}$1/share/guile/site"
     fi
+
+    if test -d "$1/lib/guile/2.0/ccache"
+    then
+        export GUILE_LOAD_COMPILED_PATH="${GUILE_LOAD_COMPILED_PATH-}${GUILE_LOAD_COMPILED_PATH:+:}$1/lib/guile/2.0/ccache"
+    fi
+
+    if test -d "$1/lib/guile/2.0/site-ccache"
+    then
+        export GUILE_LOAD_COMPILED_PATH="${GUILE_LOAD_COMPILED_PATH-}${GUILE_LOAD_COMPILED_PATH:+:}$1/lib/guile/2.0/site-ccache"
+    fi
 }
 
 addEnvHooks "$hostOffset" addGuileLibPath
diff --git a/pkgs/development/interpreters/guile/setup-hook-2.2.sh b/pkgs/development/interpreters/guile/setup-hook-2.2.sh
index 4b3541fcc7f..1430dbe0720 100644
--- a/pkgs/development/interpreters/guile/setup-hook-2.2.sh
+++ b/pkgs/development/interpreters/guile/setup-hook-2.2.sh
@@ -8,6 +8,16 @@ addGuileLibPath () {
         export GUILE_LOAD_PATH="${GUILE_LOAD_PATH-}${GUILE_LOAD_PATH:+:}$1/share/guile/site"
         export GUILE_LOAD_COMPILED_PATH="${GUILE_LOAD_COMPILED_PATH-}${GUILE_LOAD_COMPILED_PATH:+:}$1/share/guile/site"
     fi
+
+    if test -d "$1/lib/guile/2.2/ccache"
+    then
+        export GUILE_LOAD_COMPILED_PATH="${GUILE_LOAD_COMPILED_PATH-}${GUILE_LOAD_COMPILED_PATH:+:}$1/lib/guile/2.2/ccache"
+    fi
+
+    if test -d "$1/lib/guile/2.2/site-ccache"
+    then
+        export GUILE_LOAD_COMPILED_PATH="${GUILE_LOAD_COMPILED_PATH-}${GUILE_LOAD_COMPILED_PATH:+:}$1/lib/guile/2.2/site-ccache"
+    fi
 }
 
 addEnvHooks "$hostOffset" addGuileLibPath

From b4ca0dd5f5cf7f9161245339a0070f371a02fad3 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Sat, 28 Nov 2020 18:45:36 +0000
Subject: [PATCH 08/43] pulseaudio: 13.0 -> 14.0

---
 pkgs/servers/pulseaudio/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/servers/pulseaudio/default.nix b/pkgs/servers/pulseaudio/default.nix
index c9e2c3aa6e5..70a964039fc 100644
--- a/pkgs/servers/pulseaudio/default.nix
+++ b/pkgs/servers/pulseaudio/default.nix
@@ -31,11 +31,11 @@
 
 stdenv.mkDerivation rec {
   name = "${if libOnly then "lib" else ""}pulseaudio-${version}";
-  version = "13.0";
+  version = "14.0";
 
   src = fetchurl {
     url = "http://freedesktop.org/software/pulseaudio/releases/pulseaudio-${version}.tar.xz";
-    sha256 = "0mw0ybrqj7hvf8lqs5gjzip464hfnixw453lr0mqzlng3b5266wn";
+    sha256 = "0qf20rgg0ysrnvg3359j56ndls07qmfn5rsy9r85bc42jdfpfd58";
   };
 
   outputs = [ "out" "dev" ];

From d29428523eef3070671148b8ec78ad46264d17f7 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Sun, 29 Nov 2020 01:35:33 +0000
Subject: [PATCH 09/43] rl-21.03: add PulseAudio 13.0 -> 14.0 upgrade to
 release notes

---
 nixos/doc/manual/release-notes/rl-2103.xml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml
index 44497c7ba91..33c31800a41 100644
--- a/nixos/doc/manual/release-notes/rl-2103.xml
+++ b/nixos/doc/manual/release-notes/rl-2103.xml
@@ -344,6 +344,18 @@
      and rebooting.
     </para>
    </listitem>
+   <listitem>
+    <para>
+     PulseAudio was upgraded to 14.0, with changes to the handling of default sinks.
+     See its <link xlink:href="https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/14.0/">release notes</link>.
+    </para>
+
+    <para>
+     GNOME users may wish to delete their <literal>~/.config/pulse</literal> due to the changes to stream routing
+     logic. See <link xlink:href="https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/issues/832">PulseAudio bug 832</link>
+     for more information.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 </section>

From ecd5d8f11937c65b7ff77a0ac96d352f3405ec89 Mon Sep 17 00:00:00 2001
From: Pavol Rusnak <pavol@rusnak.io>
Date: Thu, 26 Nov 2020 12:25:05 +0100
Subject: [PATCH 10/43] python3Packages.hidapi: 0.10.0 -> 0.10.1

---
 pkgs/development/python-modules/hidapi/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/python-modules/hidapi/default.nix b/pkgs/development/python-modules/hidapi/default.nix
index 05557b096df..856a36f7791 100644
--- a/pkgs/development/python-modules/hidapi/default.nix
+++ b/pkgs/development/python-modules/hidapi/default.nix
@@ -2,11 +2,11 @@
 
 buildPythonPackage rec {
   pname = "hidapi";
-  version = "0.10.0.post1";
+  version = "0.10.1";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "27c04d42a7187becf7a8309d4846aa4f235ac8b7dafd758335b109f5cbd3b962";
+    sha256 = "a1170b18050bc57fae3840a51084e8252fd319c0fc6043d68c8501deb0e25846";
   };
 
   propagatedBuildInputs =

From b1f9e9c25935b3fbc02c23331315b75d8e43cc93 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Tue, 1 Dec 2020 09:49:47 +0000
Subject: [PATCH 11/43] cacert: fix blacklist

It's broken under Python 3, ironically due to the patch we're carrying.
Fix it, and add a test to check it works.

Fixes #93230.
---
 pkgs/data/misc/cacert/default.nix             | 53 ++++++++++++++++++-
 .../misc/cacert/fix-unicode-ca-names.patch    | 20 -------
 2 files changed, 52 insertions(+), 21 deletions(-)
 delete mode 100644 pkgs/data/misc/cacert/fix-unicode-ca-names.patch

diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index 34e0ec132a9..7ac6f96f66e 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -1,6 +1,11 @@
 { stdenv, fetchurl, nss, python3
 , blacklist ? []
 , includeEmail ? false
+
+# Used for tests only
+, runCommand
+, cacert
+, openssl
 }:
 
 with stdenv.lib;
@@ -37,7 +42,6 @@ stdenv.mkDerivation {
     EOF
 
     cat ${certdata2pem} > certdata2pem.py
-    patch -p1 < ${./fix-unicode-ca-names.patch}
     ${optionalString includeEmail ''
       # Disable CAs used for mail signing
       substituteInPlace certdata2pem.py --replace \[\'CKA_TRUST_EMAIL_PROTECTION\'\] '''
@@ -66,6 +70,53 @@ stdenv.mkDerivation {
   setupHook = ./setup-hook.sh;
 
   passthru.updateScript = ./update.sh;
+  passthru.tests = {
+    # Test that building this derivation with a blacklist works, and that UTF-8 is supported.
+    blacklist-utf8 = let
+      blacklistCAToFingerprint = {
+        # "blacklist" uses the CA name from the NSS bundle, but we check for presence using the SHA256 fingerprint.
+        "CFCA EV ROOT" = "5C:C3:D7:8E:4E:1D:5E:45:54:7A:04:E6:87:3E:64:F9:0C:F9:53:6D:1C:CC:2E:F8:00:F3:55:C4:C5:FD:70:FD";
+        "NetLock Arany (Class Gold) Főtanúsítvány" = "6C:61:DA:C3:A2:DE:F0:31:50:6B:E0:36:D2:A6:FE:40:19:94:FB:D1:3D:F9:C8:D4:66:59:92:74:C4:46:EC:98";
+      };
+      mapBlacklist = f: concatStringsSep "\n" (mapAttrsToList f blacklistCAToFingerprint);
+    in runCommand "verify-the-cacert-filter-output" {
+      cacert = cacert.unbundled;
+      cacertWithExcludes = (cacert.override {
+        blacklist = builtins.attrNames blacklistCAToFingerprint;
+      }).unbundled;
+
+      nativeBuildInputs = [ openssl ];
+    } ''
+      isPresent() {
+        # isPresent <unbundled-dir> <ca name> <ca sha256 fingerprint>
+        for f in $1/etc/ssl/certs/*.crt; do
+          fingerprint="$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -f2 -d=)"
+          if [[ "x$fingerprint" == "x$3" ]]; then
+            return 0
+          fi
+        done
+        return 1
+      }
+
+      # Ensure that each certificate is in the main "cacert".
+      ${mapBlacklist (caName: caFingerprint: ''
+        isPresent "$cacert" "${caName}" "${caFingerprint}" || ({
+          echo "CA fingerprint ${caFingerprint} (${caName}) is missing from the CA bundle. Consider picking a different CA for the blacklist test." >&2
+          exit 1
+        })
+      '')}
+
+      # Ensure that each certificate is NOT in the "cacertWithExcludes".
+      ${mapBlacklist (caName: caFingerprint: ''
+        isPresent "$cacertWithExcludes" "${caName}" "${caFingerprint}" && ({
+          echo "CA fingerprint ${caFingerprint} (${caName}) is present in the cacertWithExcludes bundle." >&2
+          exit 1
+        })
+      '')}
+
+      touch $out
+    '';
+  };
 
   meta = {
     homepage = "https://curl.haxx.se/docs/caextract.html";
diff --git a/pkgs/data/misc/cacert/fix-unicode-ca-names.patch b/pkgs/data/misc/cacert/fix-unicode-ca-names.patch
deleted file mode 100644
index 07d3629196a..00000000000
--- a/pkgs/data/misc/cacert/fix-unicode-ca-names.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- a/certdata2pem.py	2017-08-01 23:10:00.000000000 +0300
-+++ b/certdata2pem.py	2017-08-01 23:08:21.131297636 +0300
-@@ -88,7 +88,7 @@
- \# Read blacklist.
- blacklist = []
- if os.path.exists('blacklist.txt'):
--    for line in open('blacklist.txt', 'r'):
-+    for line in io.open('blacklist.txt', 'r', encoding='utf-8'):
-         line = line.strip()
-         if line.startswith('#') or len(line) == 0:
-             continue
-@@ -101,7 +101,7 @@
-     if obj['CKA_CLASS'] != 'CKO_NSS_TRUST':
-         continue
-     if obj['CKA_LABEL'] in blacklist:
--        print("Certificate %s blacklisted, ignoring." % obj['CKA_LABEL'])
-+        print("Certificate %s blacklisted, ignoring." % unicode(obj['CKA_LABEL']).encode('utf-8'))
-     elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_TRUSTED_DELEGATOR':
-         trust[obj['CKA_LABEL']] = True
-     elif obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_TRUSTED_DELEGATOR':

From b28436a7e9f38f9998e1351b9db7b22ba96ca675 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Tue, 1 Dec 2020 15:19:44 +0000
Subject: [PATCH 12/43] cacert: remove broken includeEmail option

This doesn't do anything. Building with includeEmail = true produces
the same set as includeEmail = false, and the substitute rule removes
a random dictionary index operation.
---
 pkgs/data/misc/cacert/default.nix | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index 7ac6f96f66e..b6fb0107205 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -1,6 +1,5 @@
 { stdenv, fetchurl, nss, python3
 , blacklist ? []
-, includeEmail ? false
 
 # Used for tests only
 , runCommand
@@ -42,10 +41,6 @@ stdenv.mkDerivation {
     EOF
 
     cat ${certdata2pem} > certdata2pem.py
-    ${optionalString includeEmail ''
-      # Disable CAs used for mail signing
-      substituteInPlace certdata2pem.py --replace \[\'CKA_TRUST_EMAIL_PROTECTION\'\] '''
-    ''}
   '';
 
   buildPhase = ''

From 17b1bde9c5b900e72b01db66a6ad8d0699bb10f4 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold <andreas@rammhold.de>
Date: Tue, 1 Dec 2020 17:51:05 +0100
Subject: [PATCH 13/43] cacert: add myself as maintainer

---
 pkgs/data/misc/cacert/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index b6fb0107205..adbfa24c4ac 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -117,7 +117,7 @@ stdenv.mkDerivation {
     homepage = "https://curl.haxx.se/docs/caextract.html";
     description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
     platforms = platforms.all;
-    maintainers = with maintainers; [ fpletz ];
+    maintainers = with maintainers; [ andir fpletz ];
     license = licenses.mpl20;
   };
 }

From 87f46764926fd727d80de278d358fb67a294ed5d Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Tue, 1 Dec 2020 17:55:59 +0000
Subject: [PATCH 14/43] cacert: add lukegb as maintainer

---
 pkgs/data/misc/cacert/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/data/misc/cacert/default.nix b/pkgs/data/misc/cacert/default.nix
index adbfa24c4ac..0545c0e5efa 100644
--- a/pkgs/data/misc/cacert/default.nix
+++ b/pkgs/data/misc/cacert/default.nix
@@ -117,7 +117,7 @@ stdenv.mkDerivation {
     homepage = "https://curl.haxx.se/docs/caextract.html";
     description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";
     platforms = platforms.all;
-    maintainers = with maintainers; [ andir fpletz ];
+    maintainers = with maintainers; [ andir fpletz lukegb ];
     license = licenses.mpl20;
   };
 }

From fe0e6737df38bbe5c2bdbd7961de02d24cd84f29 Mon Sep 17 00:00:00 2001
From: "R. RyanTM" <ryantm-bot@ryantm.com>
Date: Sun, 29 Nov 2020 03:10:20 +0000
Subject: [PATCH 15/43] ocamlPackages.eliom: 6.12.1 -> 6.12.4

---
 pkgs/development/ocaml-modules/eliom/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/ocaml-modules/eliom/default.nix b/pkgs/development/ocaml-modules/eliom/default.nix
index 4734d83d55f..de2955e57c9 100644
--- a/pkgs/development/ocaml-modules/eliom/default.nix
+++ b/pkgs/development/ocaml-modules/eliom/default.nix
@@ -14,11 +14,11 @@ else
 stdenv.mkDerivation rec
 {
   pname = "eliom";
-  version = "6.12.1";
+  version = "6.12.4";
 
   src = fetchzip {
     url = "https://github.com/ocsigen/eliom/archive/${version}.tar.gz";
-    sha256 = "04c1sz113015gyhj3w7flw7l4bv0v50q6n04kk8dybcravzy2xgx";
+    sha256 = "00m6v2k4mg8705dy41934lznl6gj91i6dk7p1nkaccm51nna25kz";
   };
 
   buildInputs = [ ocaml which findlib js_of_ocaml-ocamlbuild js_of_ocaml-ppx_deriving_json opaline

From 3fef582e8a9a599c96215c699a6777aa27d06d3b Mon Sep 17 00:00:00 2001
From: "R. RyanTM" <ryantm-bot@ryantm.com>
Date: Mon, 30 Nov 2020 18:44:32 +0000
Subject: [PATCH 16/43] elementary-planner: 2.5.4 -> 2.5.7

---
 pkgs/applications/office/elementary-planner/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/applications/office/elementary-planner/default.nix b/pkgs/applications/office/elementary-planner/default.nix
index 671613ddd32..acade32d744 100644
--- a/pkgs/applications/office/elementary-planner/default.nix
+++ b/pkgs/applications/office/elementary-planner/default.nix
@@ -21,13 +21,13 @@
 
 stdenv.mkDerivation rec {
   pname = "elementary-planner";
-  version = "2.5.4";
+  version = "2.5.7";
 
   src = fetchFromGitHub {
     owner = "alainm23";
     repo = "planner";
     rev = version;
-    sha256 = "0q5zmjh0d1mapgqb2a38spss280jkkc2n835kc7grzvs9jgq1k1k";
+    sha256 = "0s2f9q7i31c2splflfnaiqviwnxbsp2zvibr70xafhbhnkmzlrsk";
   };
 
   nativeBuildInputs = [

From edf43c7c6fa93628bbb1db0a3dc1abc659837089 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edward=20Tj=C3=B6rnhammar?= <ed@cflags.cc>
Date: Wed, 2 Dec 2020 14:46:53 +0100
Subject: [PATCH 17/43] procps-ng: apply sanity check patch of SC_ARG_MAX

---
 pkgs/os-specific/linux/procps-ng/default.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pkgs/os-specific/linux/procps-ng/default.nix b/pkgs/os-specific/linux/procps-ng/default.nix
index 466e66a8713..4942710f755 100644
--- a/pkgs/os-specific/linux/procps-ng/default.nix
+++ b/pkgs/os-specific/linux/procps-ng/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, ncurses, pkgconfig
+{ lib, stdenv, fetchurl, fetchpatch, ncurses, pkgconfig
 
 # `ps` with systemd support is able to properly report different
 # attributes like unit name, so we want to have it on linux.
@@ -22,6 +22,14 @@ stdenv.mkDerivation rec {
     sha256 = "1br0g93ysqhlv13i1k4lfbimsgxnpy5rgs4lxfc9rkzdbpbaqplj";
   };
 
+  patches = [
+    (fetchpatch {
+      url = "https://gitlab.com/procps-ng/procps/-/commit/bb96fc42956c9ed926a1b958ab715f8b4a663dec.diff";
+      sha256 = "0fzsb6ns3fvrszyzsz28qvbmcn135ilr4nwh2z1a0vlpl2fw961z";
+      name = "sysconf-argmax-sanity.patch";
+    })
+  ];
+
   buildInputs = [ ncurses ]
     ++ lib.optional withSystemd systemd;
   nativeBuildInputs = [ pkgconfig ];

From b3aa4e2945e74718adbc124c076fb182267337b1 Mon Sep 17 00:00:00 2001
From: "R. RyanTM" <ryantm-bot@ryantm.com>
Date: Wed, 2 Dec 2020 15:00:42 +0000
Subject: [PATCH 18/43] libinput: 1.16.3 -> 1.16.4

---
 pkgs/development/libraries/libinput/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/libinput/default.nix b/pkgs/development/libraries/libinput/default.nix
index 18a5dcbab65..dff2ca82955 100644
--- a/pkgs/development/libraries/libinput/default.nix
+++ b/pkgs/development/libraries/libinput/default.nix
@@ -27,14 +27,14 @@ in
 with stdenv.lib;
 stdenv.mkDerivation rec {
   pname = "libinput";
-  version = "1.16.3";
+  version = "1.16.4";
 
   src = fetchFromGitLab {
     domain = "gitlab.freedesktop.org";
     owner = pname;
     repo = pname;
     rev = version;
-    sha256 = "0dj2m92kh3xpnjmzp416c73hpw6ban0f6yj39chwxckdgyliak6z";
+    sha256 = "1c81429kh9av9fanxmnjw5rvsjbzcyi7d0dx0gkyq5yysmpmrppi";
   };
 
   outputs = [ "bin" "out" "dev" ];

From ef050bc3d18d4c72da4ba238fccbf0d82565eeb9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Sun, 1 Nov 2020 15:35:11 +0100
Subject: [PATCH 19/43] systemd: 246.6 -> 247-rc2

---
 ...ts-for-uninitialised-encrypted-devic.patch |   6 +-
 ...on-t-try-to-unmount-nix-or-nix-store.patch |  10 +-
 .../systemd/0003-Fix-NixOS-containers.patch   |  10 +-
 ...004-Look-for-fsck-in-the-right-place.patch |   8 +-
 ...some-NixOS-specific-unit-directories.patch |   8 +-
 ...f-a-useless-message-in-user-sessions.patch |   8 +-
 ...d-timedated-disable-methods-that-cha.patch |  16 +-
 .../linux/systemd/0008-Fix-hwdb-paths.patch   |   6 +-
 ...e-usr-share-zoneinfo-to-etc-zoneinfo.patch |  24 +-
 ...calectl-use-etc-X11-xkb-for-list-x11.patch |   6 +-
 ...te-statedir-and-don-t-touch-prefixdi.patch |   8 +-
 ...configuration-into-out-share-factory.patch | 326 ------------------
 ...environment-when-calling-generators.patch} |  10 +-
 ...-add-rootprefix-to-lookup-dir-paths.patch} |   8 +-
 ...execute-scripts-in-etc-systemd-syst.patch} |   8 +-
 ...cute-scripts-in-etc-systemd-system-.patch} |  10 +-
 ....service-Update-ConditionFileNotEmp.patch} |   8 +-
 ...placeholder-for-DEFAULT_PATH_NORMAL.patch} |   8 +-
 ...at-debus-show-CanMultiSession-again.patch} |  10 +-
 pkgs/os-specific/linux/systemd/default.nix    |  30 +-
 pkgs/top-level/all-packages.nix               |   1 +
 21 files changed, 104 insertions(+), 425 deletions(-)
 delete mode 100644 pkgs/os-specific/linux/systemd/0012-Install-default-configuration-into-out-share-factory.patch
 rename pkgs/os-specific/linux/systemd/{0013-inherit-systemd-environment-when-calling-generators.patch => 0012-inherit-systemd-environment-when-calling-generators.patch} (88%)
 rename pkgs/os-specific/linux/systemd/{0014-add-rootprefix-to-lookup-dir-paths.patch => 0013-add-rootprefix-to-lookup-dir-paths.patch} (88%)
 rename pkgs/os-specific/linux/systemd/{0015-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch => 0014-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch} (85%)
 rename pkgs/os-specific/linux/systemd/{0016-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch => 0015-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch} (70%)
 rename pkgs/os-specific/linux/systemd/{0017-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch => 0016-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch} (83%)
 rename pkgs/os-specific/linux/systemd/{0018-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch => 0017-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch} (87%)
 rename pkgs/os-specific/linux/systemd/{0019-logind-seat-debus-show-CanMultiSession-again.patch => 0018-logind-seat-debus-show-CanMultiSession-again.patch} (82%)

diff --git a/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch b/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch
index 1f75fc63ffe..b3b241b570a 100644
--- a/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch
+++ b/pkgs/os-specific/linux/systemd/0001-Start-device-units-for-uninitialised-encrypted-devic.patch
@@ -1,4 +1,4 @@
-From 46c8ccfeb61253cd3dff5f34013670c7e3366ef5 Mon Sep 17 00:00:00 2001
+From dd2ec741aaa7c587eb7719bbf4b305fe28168b77 Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Tue, 8 Jan 2013 15:46:30 +0100
 Subject: [PATCH 01/18] Start device units for uninitialised encrypted devices
@@ -13,7 +13,7 @@ unit.  (However, this ignores the fsck unit, so it's not perfect...)
  1 file changed, 4 deletions(-)
 
 diff --git a/rules.d/99-systemd.rules.in b/rules.d/99-systemd.rules.in
-index 1c60eec587..b2486da130 100644
+index d2f595d18e..941a7c1ba3 100644
 --- a/rules.d/99-systemd.rules.in
 +++ b/rules.d/99-systemd.rules.in
 @@ -17,10 +17,6 @@ SUBSYSTEM=="ubi", TAG+="systemd"
@@ -28,5 +28,5 @@ index 1c60eec587..b2486da130 100644
  SUBSYSTEM=="block", ENV{ID_PART_GPT_AUTO_ROOT}=="1", ENV{ID_FS_TYPE}!="crypto_LUKS", SYMLINK+="gpt-auto-root"
  SUBSYSTEM=="block", ENV{ID_PART_GPT_AUTO_ROOT}=="1", ENV{ID_FS_TYPE}=="crypto_LUKS", SYMLINK+="gpt-auto-root-luks"
 -- 
-2.28.0
+2.29.2
 
diff --git a/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch b/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch
index 7c025cbb7d7..1f3a1b64684 100644
--- a/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch
+++ b/pkgs/os-specific/linux/systemd/0002-Don-t-try-to-unmount-nix-or-nix-store.patch
@@ -1,4 +1,4 @@
-From 139c420de62e078182eaf48b541c4b912d445fd9 Mon Sep 17 00:00:00 2001
+From ab3dab997695db5346f8efbf8566ac96612f0c6e Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Fri, 12 Apr 2013 13:16:57 +0200
 Subject: [PATCH 02/18] Don't try to unmount /nix or /nix/store
@@ -12,7 +12,7 @@ https://github.com/NixOS/nixos/issues/126
  2 files changed, 4 insertions(+)
 
 diff --git a/src/shared/fstab-util.c b/src/shared/fstab-util.c
-index 806dda8475..0220741c91 100644
+index 292b97cd69..791b8e6b7e 100644
 --- a/src/shared/fstab-util.c
 +++ b/src/shared/fstab-util.c
 @@ -40,6 +40,8 @@ bool fstab_is_extrinsic(const char *mount, const char *opts) {
@@ -25,10 +25,10 @@ index 806dda8475..0220741c91 100644
                          "/etc"))
                  return true;
 diff --git a/src/shutdown/umount.c b/src/shutdown/umount.c
-index 8a5e80eeaa..fab35ed6f3 100644
+index 3a72a13e1a..541320dc9d 100644
 --- a/src/shutdown/umount.c
 +++ b/src/shutdown/umount.c
-@@ -414,6 +414,8 @@ static int delete_dm(dev_t devnum) {
+@@ -500,6 +500,8 @@ static int delete_md(MountPoint *m) {
  
  static bool nonunmountable_path(const char *path) {
          return path_equal(path, "/")
@@ -38,5 +38,5 @@ index 8a5e80eeaa..fab35ed6f3 100644
                  || path_equal(path, "/usr")
  #endif
 -- 
-2.28.0
+2.29.2
 
diff --git a/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch b/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch
index 1f0b8aaf38b..56f52b9971e 100644
--- a/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch
+++ b/pkgs/os-specific/linux/systemd/0003-Fix-NixOS-containers.patch
@@ -1,4 +1,4 @@
-From a889dbe796cd72425f38dec3d2aaab44a914ac60 Mon Sep 17 00:00:00 2001
+From 3581f8f30270e6340c671a640fe551e954715f8e Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Wed, 16 Apr 2014 10:59:28 +0200
 Subject: [PATCH 03/18] Fix NixOS containers
@@ -10,10 +10,10 @@ container, so checking early whether it exists will fail.
  1 file changed, 2 insertions(+)
 
 diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
-index 43712565c2..07f294c78a 100644
+index 0842731c18..f790853104 100644
 --- a/src/nspawn/nspawn.c
 +++ b/src/nspawn/nspawn.c
-@@ -5122,6 +5122,7 @@ static int run(int argc, char *argv[]) {
+@@ -5319,6 +5319,7 @@ static int run(int argc, char *argv[]) {
                                  goto finish;
                          }
                  } else {
@@ -21,7 +21,7 @@ index 43712565c2..07f294c78a 100644
                          const char *p, *q;
  
                          if (arg_pivot_root_new)
-@@ -5136,6 +5137,7 @@ static int run(int argc, char *argv[]) {
+@@ -5333,6 +5334,7 @@ static int run(int argc, char *argv[]) {
                                  r = -EINVAL;
                                  goto finish;
                          }
@@ -30,5 +30,5 @@ index 43712565c2..07f294c78a 100644
  
          } else {
 -- 
-2.28.0
+2.29.2
 
diff --git a/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch b/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch
index f9e7bc9d876..4d3729556d6 100644
--- a/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch
+++ b/pkgs/os-specific/linux/systemd/0004-Look-for-fsck-in-the-right-place.patch
@@ -1,4 +1,4 @@
-From 5098b1aad07356e04fcd12f2c77ea4fd17460411 Mon Sep 17 00:00:00 2001
+From 12b63d8c1d2ca85d9bb7ea07e8eb5e623e1b58e9 Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Thu, 1 May 2014 14:10:10 +0200
 Subject: [PATCH 04/18] Look for fsck in the right place
@@ -8,10 +8,10 @@ Subject: [PATCH 04/18] Look for fsck in the right place
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/fsck/fsck.c b/src/fsck/fsck.c
-index 80f7107b9d..74e48a385f 100644
+index 04752fe9dc..ad0ccf91c0 100644
 --- a/src/fsck/fsck.c
 +++ b/src/fsck/fsck.c
-@@ -370,7 +370,7 @@ static int run(int argc, char *argv[]) {
+@@ -369,7 +369,7 @@ static int run(int argc, char *argv[]) {
                  } else
                          dash_c[0] = 0;
  
@@ -21,5 +21,5 @@ index 80f7107b9d..74e48a385f 100644
                  cmdline[i++] = "-T";
  
 -- 
-2.28.0
+2.29.2
 
diff --git a/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch b/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch
index 91d6fbf41d6..476ebe06e70 100644
--- a/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch
+++ b/pkgs/os-specific/linux/systemd/0005-Add-some-NixOS-specific-unit-directories.patch
@@ -1,4 +1,4 @@
-From b46f1b20e990f01af4bdf3dd6fef45f5b4a5993e Mon Sep 17 00:00:00 2001
+From 6ede8baac88aba769030f5bc5f5b2070098c7428 Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Fri, 19 Dec 2014 14:46:17 +0100
 Subject: [PATCH 05/18] Add some NixOS-specific unit directories
@@ -15,7 +15,7 @@ Also, remove /usr and /lib as these don't exist on NixOS.
  2 files changed, 8 insertions(+), 17 deletions(-)
 
 diff --git a/src/basic/path-lookup.c b/src/basic/path-lookup.c
-index 52968dee34..bba2eb09b8 100644
+index 96b82170d0..b9fbed5c61 100644
 --- a/src/basic/path-lookup.c
 +++ b/src/basic/path-lookup.c
 @@ -94,17 +94,14 @@ int xdg_user_data_dir(char **ret, const char *suffix) {
@@ -102,7 +102,7 @@ index 52968dee34..bba2eb09b8 100644
  
                  if (!add)
 diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
-index 8424837824..b1c541bc52 100644
+index f2c045511d..ccb382e421 100644
 --- a/src/core/systemd.pc.in
 +++ b/src/core/systemd.pc.in
 @@ -38,10 +38,11 @@ systemdsystemconfdir=${systemd_system_conf_dir}
@@ -120,5 +120,5 @@ index 8424837824..b1c541bc52 100644
  
  systemd_system_generator_dir=${root_prefix}/lib/systemd/system-generators
 -- 
-2.28.0
+2.29.2
 
diff --git a/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch b/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch
index 8021472ea33..99e68c37c20 100644
--- a/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch
+++ b/pkgs/os-specific/linux/systemd/0006-Get-rid-of-a-useless-message-in-user-sessions.patch
@@ -1,4 +1,4 @@
-From 4c9f9d192182f1051dba1c547e182e7c8f549b0f Mon Sep 17 00:00:00 2001
+From 3aeb3a10c4a7ad387b004bf41efbd171913bcca9 Mon Sep 17 00:00:00 2001
 From: Eelco Dolstra <eelco.dolstra@logicblox.com>
 Date: Mon, 11 May 2015 15:39:38 +0200
 Subject: [PATCH 06/18] Get rid of a useless message in user sessions
@@ -13,10 +13,10 @@ in containers.
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/src/core/unit.c b/src/core/unit.c
-index 1bda568560..5b44970763 100644
+index 45a417a090..8af3cb08d6 100644
 --- a/src/core/unit.c
 +++ b/src/core/unit.c
-@@ -2150,7 +2150,8 @@ static void unit_check_binds_to(Unit *u) {
+@@ -2163,7 +2163,8 @@ static void unit_check_binds_to(Unit *u) {
          }
  
          assert(other);
@@ -27,5 +27,5 @@ index 1bda568560..5b44970763 100644
          /* A unit we need to run is gone. Sniff. Let's stop this. */
          r = manager_add_job(u->manager, JOB_STOP, u, JOB_FAIL, NULL, &error, NULL);
 -- 
-2.28.0
+2.29.2
 
diff --git a/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch b/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch
index 6c24821c2a0..aeb734f94df 100644
--- a/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch
+++ b/pkgs/os-specific/linux/systemd/0007-hostnamed-localed-timedated-disable-methods-that-cha.patch
@@ -1,4 +1,4 @@
-From 539f3af04963a6826d2b2d0ba2095af99a7a6294 Mon Sep 17 00:00:00 2001
+From a1454e8edb7a1a87093808dc7db540232147df3d Mon Sep 17 00:00:00 2001
 From: Gabriel Ebner <gebner@gebner.org>
 Date: Sun, 6 Dec 2015 14:26:36 +0100
 Subject: [PATCH 07/18] hostnamed, localed, timedated: disable methods that
@@ -11,10 +11,10 @@ Subject: [PATCH 07/18] hostnamed, localed, timedated: disable methods that
  3 files changed, 25 insertions(+)
 
 diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c
-index 7f6607a527..b5a9388916 100644
+index a1794bdab1..77134731e1 100644
 --- a/src/hostname/hostnamed.c
 +++ b/src/hostname/hostnamed.c
-@@ -626,6 +626,9 @@ static int method_set_static_hostname(sd_bus_message *m, void *userdata, sd_bus_
+@@ -643,6 +643,9 @@ static int method_set_static_hostname(sd_bus_message *m, void *userdata, sd_bus_
          if (r < 0)
                  return r;
  
@@ -24,7 +24,7 @@ index 7f6607a527..b5a9388916 100644
          name = empty_to_null(name);
  
          context_read_etc_hostname(c);
-@@ -685,6 +688,9 @@ static int set_machine_info(Context *c, sd_bus_message *m, int prop, sd_bus_mess
+@@ -702,6 +705,9 @@ static int set_machine_info(Context *c, sd_bus_message *m, int prop, sd_bus_mess
          if (r < 0)
                  return r;
  
@@ -35,7 +35,7 @@ index 7f6607a527..b5a9388916 100644
  
          context_read_machine_info(c);
 diff --git a/src/locale/localed.c b/src/locale/localed.c
-index 715ce5cac7..014f7dcf6c 100644
+index 736dacdee9..53e0ee935e 100644
 --- a/src/locale/localed.c
 +++ b/src/locale/localed.c
 @@ -317,6 +317,9 @@ static int method_set_locale(sd_bus_message *m, void *userdata, sd_bus_error *er
@@ -69,7 +69,7 @@ index 715ce5cac7..014f7dcf6c 100644
          model = empty_to_null(model);
          variant = empty_to_null(variant);
 diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c
-index c467b85477..3e78b2f575 100644
+index 8bfcfd5cdc..a0ee03f134 100644
 --- a/src/timedate/timedated.c
 +++ b/src/timedate/timedated.c
 @@ -646,6 +646,10 @@ static int method_set_timezone(sd_bus_message *m, void *userdata, sd_bus_error *
@@ -93,7 +93,7 @@ index c467b85477..3e78b2f575 100644
          if (lrtc == c->local_rtc)
                  return sd_bus_reply_method_return(m, NULL);
  
-@@ -917,6 +924,9 @@ static int method_set_ntp(sd_bus_message *m, void *userdata, sd_bus_error *error
+@@ -905,6 +912,9 @@ static int method_set_ntp(sd_bus_message *m, void *userdata, sd_bus_error *error
          if (r < 0)
                  return r;
  
@@ -104,5 +104,5 @@ index c467b85477..3e78b2f575 100644
          if (r < 0)
                  return r;
 -- 
-2.28.0
+2.29.2
 
diff --git a/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch b/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch
index 7b17c3bcb2b..0da52477bb3 100644
--- a/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch
+++ b/pkgs/os-specific/linux/systemd/0008-Fix-hwdb-paths.patch
@@ -1,4 +1,4 @@
-From 5c2a1a6d33f7cdbcb8ddcc70b91ba4c7f3c383b3 Mon Sep 17 00:00:00 2001
+From 27680c555713e36d16198fc5f60b0f85e0777d30 Mon Sep 17 00:00:00 2001
 From: Nikolay Amiantov <ab@fmap.me>
 Date: Thu, 7 Jul 2016 02:47:13 +0300
 Subject: [PATCH 08/18] Fix hwdb paths
@@ -9,7 +9,7 @@ Patch by vcunat.
  1 file changed, 1 insertion(+), 6 deletions(-)
 
 diff --git a/src/libsystemd/sd-hwdb/sd-hwdb.c b/src/libsystemd/sd-hwdb/sd-hwdb.c
-index b3febdbb31..eba00a5bc7 100644
+index cb3c77ce96..7b8c80071f 100644
 --- a/src/libsystemd/sd-hwdb/sd-hwdb.c
 +++ b/src/libsystemd/sd-hwdb/sd-hwdb.c
 @@ -297,13 +297,8 @@ static int trie_search_f(sd_hwdb *hwdb, const char *search) {
@@ -28,5 +28,5 @@ index b3febdbb31..eba00a5bc7 100644
  _public_ int sd_hwdb_new(sd_hwdb **ret) {
          _cleanup_(sd_hwdb_unrefp) sd_hwdb *hwdb = NULL;
 -- 
-2.28.0
+2.29.2
 
diff --git a/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch b/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
index e0fab399feb..2b05cea435c 100644
--- a/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
+++ b/pkgs/os-specific/linux/systemd/0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
@@ -1,4 +1,4 @@
-From a8ccba372d865429b578e72fd104a693b96101b3 Mon Sep 17 00:00:00 2001
+From b423ce2560bd380abd80796a890454d95cd8926c Mon Sep 17 00:00:00 2001
 From: Nikolay Amiantov <ab@fmap.me>
 Date: Tue, 11 Oct 2016 13:12:08 +0300
 Subject: [PATCH 09/18] Change /usr/share/zoneinfo to /etc/zoneinfo
@@ -13,7 +13,7 @@ NixOS uses this path.
  5 files changed, 12 insertions(+), 12 deletions(-)
 
 diff --git a/man/localtime.xml b/man/localtime.xml
-index 0f1652ee2e..71c4f95c2e 100644
+index 73c1b8e5a3..4ab4276283 100644
 --- a/man/localtime.xml
 +++ b/man/localtime.xml
 @@ -20,7 +20,7 @@
@@ -35,10 +35,10 @@ index 0f1652ee2e..71c4f95c2e 100644
      <literal>Etc/UTC</literal>. The resulting link should lead to the
      corresponding binary
 diff --git a/src/basic/time-util.c b/src/basic/time-util.c
-index 15cc1b8851..d0abde5933 100644
+index 5318d6378d..04069dc27b 100644
 --- a/src/basic/time-util.c
 +++ b/src/basic/time-util.c
-@@ -1259,7 +1259,7 @@ int get_timezones(char ***ret) {
+@@ -1277,7 +1277,7 @@ int get_timezones(char ***ret) {
          n_allocated = 2;
          n_zones = 1;
  
@@ -47,7 +47,7 @@ index 15cc1b8851..d0abde5933 100644
          if (f) {
                  for (;;) {
                          _cleanup_free_ char *line = NULL;
-@@ -1354,7 +1354,7 @@ bool timezone_is_valid(const char *name, int log_level) {
+@@ -1372,7 +1372,7 @@ bool timezone_is_valid(const char *name, int log_level) {
          if (p - name >= PATH_MAX)
                  return false;
  
@@ -56,7 +56,7 @@ index 15cc1b8851..d0abde5933 100644
  
          fd = open(t, O_RDONLY|O_CLOEXEC);
          if (fd < 0) {
-@@ -1452,7 +1452,7 @@ int get_timezone(char **ret) {
+@@ -1470,7 +1470,7 @@ int get_timezone(char **ret) {
          if (r < 0)
                  return r; /* returns EINVAL if not a symlink */
  
@@ -66,10 +66,10 @@ index 15cc1b8851..d0abde5933 100644
                  return -EINVAL;
  
 diff --git a/src/firstboot/firstboot.c b/src/firstboot/firstboot.c
-index c9fc8dd5cd..44fc04dc88 100644
+index 742b43f9fc..f2cb121816 100644
 --- a/src/firstboot/firstboot.c
 +++ b/src/firstboot/firstboot.c
-@@ -460,7 +460,7 @@ static int process_timezone(void) {
+@@ -459,7 +459,7 @@ static int process_timezone(void) {
          if (isempty(arg_timezone))
                  return 0;
  
@@ -79,10 +79,10 @@ index c9fc8dd5cd..44fc04dc88 100644
          (void) mkdir_parents(etc_localtime, 0755);
          if (symlink(e, etc_localtime) < 0)
 diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
-index 07f294c78a..cf86d1f494 100644
+index f790853104..74b51f4d28 100644
 --- a/src/nspawn/nspawn.c
 +++ b/src/nspawn/nspawn.c
-@@ -1699,8 +1699,8 @@ static int userns_mkdir(const char *root, const char *path, mode_t mode, uid_t u
+@@ -1810,8 +1810,8 @@ static int userns_mkdir(const char *root, const char *path, mode_t mode, uid_t u
  static const char *timezone_from_path(const char *path) {
          return PATH_STARTSWITH_SET(
                          path,
@@ -94,7 +94,7 @@ index 07f294c78a..cf86d1f494 100644
  
  static bool etc_writable(void) {
 diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c
-index 3e78b2f575..de5477a08f 100644
+index a0ee03f134..9ecacad25e 100644
 --- a/src/timedate/timedated.c
 +++ b/src/timedate/timedated.c
 @@ -269,7 +269,7 @@ static int context_read_data(Context *c) {
@@ -128,5 +128,5 @@ index 3e78b2f575..de5477a08f 100644
                          return -ENOMEM;
  
 -- 
-2.28.0
+2.29.2
 
diff --git a/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch b/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch
index 44ed04d9e7e..1d17bc4cf77 100644
--- a/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch
+++ b/pkgs/os-specific/linux/systemd/0010-localectl-use-etc-X11-xkb-for-list-x11.patch
@@ -1,4 +1,4 @@
-From 84a2d35d4e75295edf7e190a94dfaf65db4973b6 Mon Sep 17 00:00:00 2001
+From aff592e0bf9a911e7f44ce07b66517c38456b627 Mon Sep 17 00:00:00 2001
 From: Imuli <i@imu.li>
 Date: Wed, 19 Oct 2016 08:46:47 -0400
 Subject: [PATCH 10/18] localectl: use /etc/X11/xkb for list-x11-*
@@ -10,7 +10,7 @@ NixOS has an option to link the xkb data files to /etc/X11, but not to
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/locale/localectl.c b/src/locale/localectl.c
-index e0664de826..c521f33a2a 100644
+index 7d2e887660..91c5139eed 100644
 --- a/src/locale/localectl.c
 +++ b/src/locale/localectl.c
 @@ -277,7 +277,7 @@ static int list_x11_keymaps(int argc, char **argv, void *userdata) {
@@ -23,5 +23,5 @@ index e0664de826..c521f33a2a 100644
                  return log_error_errno(errno, "Failed to open keyboard mapping list. %m");
  
 -- 
-2.28.0
+2.29.2
 
diff --git a/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch b/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
index e5d4f1701ba..8c185c52a27 100644
--- a/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
+++ b/pkgs/os-specific/linux/systemd/0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
@@ -1,4 +1,4 @@
-From 81ee9b5cd46f78de139c39e2a18f39e658c60169 Mon Sep 17 00:00:00 2001
+From d410a7a6d1bb0fe730c3ef690676232bfaa49f85 Mon Sep 17 00:00:00 2001
 From: Franz Pletz <fpletz@fnordicwalking.de>
 Date: Sun, 11 Feb 2018 04:37:44 +0100
 Subject: [PATCH 11/18] build: don't create statedir and don't touch prefixdir
@@ -8,10 +8,10 @@ Subject: [PATCH 11/18] build: don't create statedir and don't touch prefixdir
  1 file changed, 3 deletions(-)
 
 diff --git a/meson.build b/meson.build
-index ba9e7afe53..2ef9d4d770 100644
+index f406d595e6..f05f579816 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -3371,9 +3371,6 @@ install_data('LICENSE.GPL2',
+@@ -3517,9 +3517,6 @@ install_data('LICENSE.GPL2',
               'src/libsystemd/sd-bus/GVARIANT-SERIALIZATION',
               install_dir : docdir)
  
@@ -22,5 +22,5 @@ index ba9e7afe53..2ef9d4d770 100644
  
  check_help = find_program('tools/check-help.sh')
 -- 
-2.28.0
+2.29.2
 
diff --git a/pkgs/os-specific/linux/systemd/0012-Install-default-configuration-into-out-share-factory.patch b/pkgs/os-specific/linux/systemd/0012-Install-default-configuration-into-out-share-factory.patch
deleted file mode 100644
index a2d08753d4d..00000000000
--- a/pkgs/os-specific/linux/systemd/0012-Install-default-configuration-into-out-share-factory.patch
+++ /dev/null
@@ -1,326 +0,0 @@
-From 7dbe84b7c43669dccd90db8ac33c38a70e6b6914 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
-Date: Mon, 26 Feb 2018 14:25:57 +0000
-Subject: [PATCH 12/18] Install default configuration into $out/share/factory
-
-By default systemd should read all its configuration from /etc. Therefor
-we rely on -Dsysconfdir=/etc in meson as default value. Unfortunately
-this would also lead to installation of systemd's own configuration
-files to `/etc` whereas we are limited to /nix/store. To counter that
-this commit introduces two new configuration variables `factoryconfdir`
-and `factorypkgconfdir` to install systemd's own configuration into nix
-store again, while having executables looking up files in /etc.
----
- hwdb.d/meson.build             |  2 +-
- meson.build                    | 11 +++++++----
- network/meson.build            |  2 +-
- src/core/meson.build           | 10 +++++-----
- src/coredump/meson.build       |  2 +-
- src/home/meson.build           |  2 +-
- src/journal-remote/meson.build |  4 ++--
- src/journal/meson.build        |  2 +-
- src/kernel-install/meson.build |  2 +-
- src/login/meson.build          |  2 +-
- src/network/meson.build        |  2 +-
- src/pstore/meson.build         |  2 +-
- src/resolve/meson.build        |  2 +-
- src/timesync/meson.build       |  2 +-
- src/udev/meson.build           |  4 ++--
- sysctl.d/meson.build           |  2 +-
- tmpfiles.d/meson.build         |  2 +-
- units/meson.build              |  2 +-
- 18 files changed, 30 insertions(+), 27 deletions(-)
-
-diff --git a/hwdb.d/meson.build b/hwdb.d/meson.build
-index 5c77387a26..6404bc01ba 100644
---- a/hwdb.d/meson.build
-+++ b/hwdb.d/meson.build
-@@ -43,7 +43,7 @@ if conf.get('ENABLE_HWDB') == 1
-                      install_dir : udevhwdbdir)
- 
-         meson.add_install_script('sh', '-c',
--                                 mkdir_p.format(join_paths(sysconfdir, 'udev/hwdb.d')))
-+                                 mkdir_p.format(join_paths(factoryconfdir, 'udev/hwdb.d')))
- 
-         meson.add_install_script('sh', '-c',
-                                  'test -n "$DESTDIR" || @0@/systemd-hwdb update'
-diff --git a/meson.build b/meson.build
-index 2ef9d4d770..ae7acbd769 100644
---- a/meson.build
-+++ b/meson.build
-@@ -163,6 +163,9 @@ udevhwdbdir = join_paths(udevlibexecdir, 'hwdb.d')
- catalogdir = join_paths(prefixdir, 'lib/systemd/catalog')
- kernelinstalldir = join_paths(prefixdir, 'lib/kernel/install.d')
- factorydir = join_paths(datadir, 'factory')
-+factoryconfdir = join_paths(datadir, 'factory/etc')
-+factorypkgconfdir = join_paths(datadir, 'factory/etc/systemd')
-+factoryxinitrcdir = join_paths(datadir, 'factory/etc/X11/xinit/xinitrc.d')
- bootlibdir = join_paths(prefixdir, 'lib/systemd/boot/efi')
- testsdir = join_paths(prefixdir, 'lib/systemd/tests')
- systemdstatedir = join_paths(localstatedir, 'lib/systemd')
-@@ -2653,7 +2656,7 @@ if conf.get('ENABLE_BINFMT') == 1
-         meson.add_install_script('sh', '-c',
-                                  mkdir_p.format(binfmtdir))
-         meson.add_install_script('sh', '-c',
--                                 mkdir_p.format(join_paths(sysconfdir, 'binfmt.d')))
-+                                 mkdir_p.format(join_paths(factoryconfdir, 'binfmt.d')))
- endif
- 
- if conf.get('ENABLE_REPART') == 1
-@@ -2769,7 +2772,7 @@ executable(
-         install_dir : rootlibexecdir)
- 
- install_data('src/sleep/sleep.conf',
--             install_dir : pkgsysconfdir)
-+             install_dir : factorypkgconfdir)
- 
- public_programs += executable(
-         'systemd-sysctl',
-@@ -3103,7 +3106,7 @@ if conf.get('HAVE_KMOD') == 1
-         meson.add_install_script('sh', '-c',
-                                  mkdir_p.format(modulesloaddir))
-         meson.add_install_script('sh', '-c',
--                                 mkdir_p.format(join_paths(sysconfdir, 'modules-load.d')))
-+                                 mkdir_p.format(join_paths(factoryconfdir, 'modules-load.d')))
- endif
- 
- public_programs += executable(
-@@ -3354,7 +3357,7 @@ install_subdir('factory/etc',
-                install_dir : factorydir)
- 
- install_data('xorg/50-systemd-user.sh',
--             install_dir : xinitrcdir)
-+             install_dir : factoryxinitrcdir)
- install_data('modprobe.d/systemd.conf',
-              install_dir : modprobedir)
- install_data('LICENSE.GPL2',
-diff --git a/network/meson.build b/network/meson.build
-index 99a650eac3..8105a4e48d 100644
---- a/network/meson.build
-+++ b/network/meson.build
-@@ -11,7 +11,7 @@ if conf.get('ENABLE_NETWORKD') == 1
-                      install_dir : networkdir)
- 
-         meson.add_install_script('sh', '-c',
--                                 mkdir_p.format(join_paths(sysconfdir, 'systemd/network')))
-+                                 mkdir_p.format(join_paths(factoryconfdir, 'systemd/network')))
- endif
- 
- install_data('99-default.link',
-diff --git a/src/core/meson.build b/src/core/meson.build
-index fa95108523..60ee0e31c1 100644
---- a/src/core/meson.build
-+++ b/src/core/meson.build
-@@ -183,8 +183,8 @@ libcore = static_library(
- systemd_sources = files('main.c')
- 
- in_files = [['macros.systemd',   rpmmacrosdir],
--            ['system.conf',      pkgsysconfdir],
--            ['user.conf',        pkgsysconfdir],
-+            ['system.conf',      factorypkgconfdir],
-+            ['user.conf',        factorypkgconfdir],
-             ['systemd.pc',       pkgconfigdatadir],
-             ['triggers.systemd', '']]
- 
-@@ -216,6 +216,6 @@ meson.add_install_script('sh', '-c', mkdir_p.format(systemsleepdir))
- meson.add_install_script('sh', '-c', mkdir_p.format(systemgeneratordir))
- meson.add_install_script('sh', '-c', mkdir_p.format(usergeneratordir))
- 
--meson.add_install_script('sh', '-c', mkdir_p.format(join_paths(pkgsysconfdir, 'system')))
--meson.add_install_script('sh', '-c', mkdir_p.format(join_paths(pkgsysconfdir, 'user')))
--meson.add_install_script('sh', '-c', mkdir_p.format(join_paths(sysconfdir, 'xdg/systemd')))
-+meson.add_install_script('sh', '-c', mkdir_p.format(join_paths(factorypkgconfdir, 'system')))
-+meson.add_install_script('sh', '-c', mkdir_p.format(join_paths(factorypkgconfdir, 'user')))
-+meson.add_install_script('sh', '-c', mkdir_p.format(join_paths(factorypkgconfdir, 'xdg/systemd')))
-diff --git a/src/coredump/meson.build b/src/coredump/meson.build
-index 7fa5942697..34c865dfa0 100644
---- a/src/coredump/meson.build
-+++ b/src/coredump/meson.build
-@@ -15,7 +15,7 @@ coredumpctl_sources = files('coredumpctl.c')
- 
- if conf.get('ENABLE_COREDUMP') == 1
-         install_data('coredump.conf',
--                     install_dir : pkgsysconfdir)
-+                     install_dir : factorypkgconfdir)
- endif
- 
- tests += [
-diff --git a/src/home/meson.build b/src/home/meson.build
-index 797f3a3c6d..232904ab42 100644
---- a/src/home/meson.build
-+++ b/src/home/meson.build
-@@ -98,5 +98,5 @@ if conf.get('ENABLE_HOMED') == 1
-                      install_dir : polkitpolicydir)
-
-         install_data('homed.conf',
--                     install_dir : pkgsysconfdir)
-+                     install_dir : factoryconfdir)
- endif
-diff --git a/src/journal-remote/meson.build b/src/journal-remote/meson.build
-index 87b8ba6495..daff8ec967 100644
---- a/src/journal-remote/meson.build
-+++ b/src/journal-remote/meson.build
-@@ -49,7 +49,7 @@ if conf.get('ENABLE_REMOTE') ==1 and conf.get('HAVE_LIBCURL') == 1
-                 output : 'journal-upload.conf',
-                 configuration : substs)
-         install_data(journal_upload_conf,
--                     install_dir : pkgsysconfdir)
-+                     install_dir : factorypkgconfdir)
- endif
- 
- if conf.get('ENABLE_REMOTE') == 1 and conf.get('HAVE_MICROHTTPD') == 1
-@@ -58,7 +58,7 @@ if conf.get('ENABLE_REMOTE') == 1 and conf.get('HAVE_MICROHTTPD') == 1
-                 output : 'journal-remote.conf',
-                 configuration : substs)
-         install_data(journal_remote_conf,
--                     install_dir : pkgsysconfdir)
-+                     install_dir : factorypkgconfdir)
- 
-         install_data('browse.html',
-                      install_dir : join_paths(pkgdatadir, 'gatewayd'))
-diff --git a/src/journal/meson.build b/src/journal/meson.build
-index 5796f77cac..75d975c260 100644
---- a/src/journal/meson.build
-+++ b/src/journal/meson.build
-@@ -109,7 +109,7 @@ if conf.get('HAVE_QRENCODE') == 1
- endif
- 
- install_data('journald.conf',
--             install_dir : pkgsysconfdir)
-+             install_dir : factorypkgconfdir)
- 
- if get_option('create-log-dirs')
-         meson.add_install_script(
-diff --git a/src/kernel-install/meson.build b/src/kernel-install/meson.build
-index 9ae342dfba..65df666337 100644
---- a/src/kernel-install/meson.build
-+++ b/src/kernel-install/meson.build
-@@ -14,5 +14,5 @@ if want_kernel_install
- 		install_dir : kernelinstalldir)
- 
- 	meson.add_install_script('sh', '-c',
--				mkdir_p.format(join_paths(sysconfdir, 'kernel/install.d')))
-+				mkdir_p.format(join_paths(factoryconfdir, 'kernel/install.d')))
- endif
-diff --git a/src/login/meson.build b/src/login/meson.build
-index 0a7d3d5440..ff90149c1c 100644
---- a/src/login/meson.build
-+++ b/src/login/meson.build
-@@ -75,7 +75,7 @@ if conf.get('ENABLE_LOGIND') == 1
-                 output : 'logind.conf',
-                 configuration : substs)
-         install_data(logind_conf,
--                     install_dir : pkgsysconfdir)
-+                     install_dir : factorypkgconfdir)
- 
-         install_data('org.freedesktop.login1.conf',
-                      install_dir : dbuspolicydir)
-diff --git a/src/network/meson.build b/src/network/meson.build
-index b3a88d9910..be56d1e9d7 100644
---- a/src/network/meson.build
-+++ b/src/network/meson.build
-@@ -229,7 +229,7 @@ if conf.get('ENABLE_NETWORKD') == 1
-         endif
- 
-         install_data('networkd.conf',
--                     install_dir : pkgsysconfdir)
-+                     install_dir : factorypkgconfdir)
- 
-         fuzzers += [
-     [['src/network/fuzz-netdev-parser.c',
-diff --git a/src/pstore/meson.build b/src/pstore/meson.build
-index adbac24b54..e9dc88dfa2 100644
---- a/src/pstore/meson.build
-+++ b/src/pstore/meson.build
-@@ -6,5 +6,5 @@ systemd_pstore_sources = files('''
- 
- if conf.get('ENABLE_PSTORE') == 1
-         install_data('pstore.conf',
--                     install_dir : pkgsysconfdir)
-+                     install_dir : factorypkgconfdir)
- endif
-diff --git a/src/resolve/meson.build b/src/resolve/meson.build
-index 92b67b6333..ac5b9a0b0a 100644
---- a/src/resolve/meson.build
-+++ b/src/resolve/meson.build
-@@ -168,7 +168,7 @@ if conf.get('ENABLE_RESOLVE') == 1
-                 output : 'resolved.conf',
-                 configuration : substs)
-         install_data(resolved_conf,
--                     install_dir : pkgsysconfdir)
-+                     install_dir : factorypkgconfdir)
- 
-         install_data('resolv.conf',
-                      install_dir : rootlibexecdir)
-diff --git a/src/timesync/meson.build b/src/timesync/meson.build
-index e5c118c8db..19235df9ca 100644
---- a/src/timesync/meson.build
-+++ b/src/timesync/meson.build
-@@ -27,7 +27,7 @@ if conf.get('ENABLE_TIMESYNCD') == 1
-                 output : 'timesyncd.conf',
-                 configuration : substs)
-         install_data(timesyncd_conf,
--                     install_dir : pkgsysconfdir)
-+                     install_dir : factorypkgconfdir)
-         install_data('org.freedesktop.timesync1.conf',
-                      install_dir : dbuspolicydir)
-         install_data('org.freedesktop.timesync1.service',
-diff --git a/src/udev/meson.build b/src/udev/meson.build
-index aa23b07090..ad004d803a 100644
---- a/src/udev/meson.build
-+++ b/src/udev/meson.build
-@@ -186,7 +186,7 @@ foreach prog : [['ata_id/ata_id.c'],
- endforeach
- 
- install_data('udev.conf',
--             install_dir : join_paths(sysconfdir, 'udev'))
-+             install_dir : join_paths(factoryconfdir, 'udev'))
- 
- configure_file(
-         input : 'udev.pc.in',
-@@ -195,7 +195,7 @@ configure_file(
-         install_dir : pkgconfigdatadir == 'no' ? '' : pkgconfigdatadir)
- 
- meson.add_install_script('sh', '-c',
--                         mkdir_p.format(join_paths(sysconfdir, 'udev/rules.d')))
-+                         mkdir_p.format(join_paths(factoryconfdir, 'udev/rules.d')))
- 
- fuzzers += [
-         [['src/udev/net/fuzz-link-parser.c',
-diff --git a/sysctl.d/meson.build b/sysctl.d/meson.build
-index 3f072e3db7..bd9f843eba 100644
---- a/sysctl.d/meson.build
-+++ b/sysctl.d/meson.build
-@@ -27,4 +27,4 @@ foreach file : in_files
- endforeach
- 
- meson.add_install_script('sh', '-c',
--                         mkdir_p.format(join_paths(sysconfdir, 'sysctl.d')))
-+                         mkdir_p.format(join_paths(factoryconfdir, 'sysctl.d')))
-diff --git a/tmpfiles.d/meson.build b/tmpfiles.d/meson.build
-index 0a9582d8b9..3c56ca7d83 100644
---- a/tmpfiles.d/meson.build
-+++ b/tmpfiles.d/meson.build
-@@ -58,5 +58,5 @@ endforeach
- if enable_tmpfiles
-         meson.add_install_script(
-                 'sh', '-c',
--                mkdir_p.format(join_paths(sysconfdir, 'tmpfiles.d')))
-+                mkdir_p.format(join_paths(factoryconfdir, 'tmpfiles.d')))
- endif
-diff --git a/units/meson.build b/units/meson.build
-index 275daad3f4..491abd8eef 100644
---- a/units/meson.build
-+++ b/units/meson.build
-@@ -324,7 +324,7 @@ install_data('user-.slice.d/10-defaults.conf',
- 
- meson.add_install_script(meson_make_symlink,
-                          join_paths(pkgsysconfdir, 'user'),
--                         join_paths(sysconfdir, 'xdg/systemd/user'))
-+                         join_paths(factorypkgconfdir, 'xdg/systemd/user'))
- meson.add_install_script(meson_make_symlink,
-                          join_paths(dbussystemservicedir, 'org.freedesktop.systemd1.service'),
-                          join_paths(dbussessionservicedir, 'org.freedesktop.systemd1.service'))
--- 
-2.28.0
-
diff --git a/pkgs/os-specific/linux/systemd/0013-inherit-systemd-environment-when-calling-generators.patch b/pkgs/os-specific/linux/systemd/0012-inherit-systemd-environment-when-calling-generators.patch
similarity index 88%
rename from pkgs/os-specific/linux/systemd/0013-inherit-systemd-environment-when-calling-generators.patch
rename to pkgs/os-specific/linux/systemd/0012-inherit-systemd-environment-when-calling-generators.patch
index 8df92b3e14f..00d085d8a70 100644
--- a/pkgs/os-specific/linux/systemd/0013-inherit-systemd-environment-when-calling-generators.patch
+++ b/pkgs/os-specific/linux/systemd/0012-inherit-systemd-environment-when-calling-generators.patch
@@ -1,7 +1,7 @@
-From 4cbc82570aa8671d260c37df58688cc07106e4b6 Mon Sep 17 00:00:00 2001
+From a569dc0bdb43edb79e338c897f06de2dfa81cfc7 Mon Sep 17 00:00:00 2001
 From: Andreas Rammhold <andreas@rammhold.de>
 Date: Fri, 2 Nov 2018 21:15:42 +0100
-Subject: [PATCH 13/18] inherit systemd environment when calling generators.
+Subject: [PATCH 12/18] inherit systemd environment when calling generators.
 
 Systemd generators need access to the environment configured in
 stage-2-init.sh since it schedules fsck and mkfs executions based on
@@ -16,10 +16,10 @@ executables that are being called from managers.
  1 file changed, 8 insertions(+), 3 deletions(-)
 
 diff --git a/src/core/manager.c b/src/core/manager.c
-index 6b7908fc6c..dff265c76f 100644
+index 1f1450b97c..26b9e41d78 100644
 --- a/src/core/manager.c
 +++ b/src/core/manager.c
-@@ -4098,9 +4098,14 @@ static int manager_run_generators(Manager *m) {
+@@ -4111,9 +4111,14 @@ static int manager_run_generators(Manager *m) {
          argv[4] = NULL;
  
          RUN_WITH_UMASK(0022)
@@ -38,5 +38,5 @@ index 6b7908fc6c..dff265c76f 100644
  
  finish:
 -- 
-2.28.0
+2.29.2
 
diff --git a/pkgs/os-specific/linux/systemd/0014-add-rootprefix-to-lookup-dir-paths.patch b/pkgs/os-specific/linux/systemd/0013-add-rootprefix-to-lookup-dir-paths.patch
similarity index 88%
rename from pkgs/os-specific/linux/systemd/0014-add-rootprefix-to-lookup-dir-paths.patch
rename to pkgs/os-specific/linux/systemd/0013-add-rootprefix-to-lookup-dir-paths.patch
index bb7a9f9474f..51fc4cc30d7 100644
--- a/pkgs/os-specific/linux/systemd/0014-add-rootprefix-to-lookup-dir-paths.patch
+++ b/pkgs/os-specific/linux/systemd/0013-add-rootprefix-to-lookup-dir-paths.patch
@@ -1,7 +1,7 @@
-From 1f39dba787e07d0a6944416ec172ee5d7cc86acd Mon Sep 17 00:00:00 2001
+From d36d688e32b8f2368499af091c67a7825fadf5ad Mon Sep 17 00:00:00 2001
 From: Andreas Rammhold <andreas@rammhold.de>
 Date: Thu, 9 May 2019 11:15:22 +0200
-Subject: [PATCH 14/18] add rootprefix to lookup dir paths
+Subject: [PATCH 13/18] add rootprefix to lookup dir paths
 
 systemd does not longer use the UDEVLIBEXEC directory as root for
 discovery default udev rules. By adding `$out/lib` to the lookup paths
@@ -12,7 +12,7 @@ files that I might have missed.
  1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/src/basic/def.h b/src/basic/def.h
-index 970654a1ad..bb261040f8 100644
+index 2e60abb4f1..732ec51d36 100644
 --- a/src/basic/def.h
 +++ b/src/basic/def.h
 @@ -39,13 +39,15 @@
@@ -34,5 +34,5 @@ index 970654a1ad..bb261040f8 100644
  #define CONF_PATHS(n)                           \
          CONF_PATHS_USR(n)                       \
 -- 
-2.28.0
+2.29.2
 
diff --git a/pkgs/os-specific/linux/systemd/0015-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch b/pkgs/os-specific/linux/systemd/0014-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
similarity index 85%
rename from pkgs/os-specific/linux/systemd/0015-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
rename to pkgs/os-specific/linux/systemd/0014-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
index 86ab43c1908..57499d1feec 100644
--- a/pkgs/os-specific/linux/systemd/0015-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
+++ b/pkgs/os-specific/linux/systemd/0014-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
@@ -1,7 +1,7 @@
-From f7c462d37063b0077345395f54377c39d1ef0590 Mon Sep 17 00:00:00 2001
+From c02b7eb62e46145ec5b544ebd9338c29b9b8f32c Mon Sep 17 00:00:00 2001
 From: Nikolay Amiantov <ab@fmap.me>
 Date: Thu, 25 Jul 2019 20:45:55 +0300
-Subject: [PATCH 15/18] systemd-shutdown: execute scripts in
+Subject: [PATCH 14/18] systemd-shutdown: execute scripts in
  /etc/systemd/system-shutdown
 
 This is needed for NixOS to use such scripts as systemd directory is immutable.
@@ -10,7 +10,7 @@ This is needed for NixOS to use such scripts as systemd directory is immutable.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/shutdown/shutdown.c b/src/shutdown/shutdown.c
-index 06c9710c6e..dadcc3117d 100644
+index 0d07865542..26d974ef73 100644
 --- a/src/shutdown/shutdown.c
 +++ b/src/shutdown/shutdown.c
 @@ -312,7 +312,7 @@ int main(int argc, char *argv[]) {
@@ -23,5 +23,5 @@ index 06c9710c6e..dadcc3117d 100644
          /* The log target defaults to console, but the original systemd process will pass its log target in through a
           * command line argument, which will override this default. Also, ensure we'll never log to the journal or
 -- 
-2.28.0
+2.29.2
 
diff --git a/pkgs/os-specific/linux/systemd/0016-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch b/pkgs/os-specific/linux/systemd/0015-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
similarity index 70%
rename from pkgs/os-specific/linux/systemd/0016-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
rename to pkgs/os-specific/linux/systemd/0015-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
index 8d20b3723af..fa72b66911a 100644
--- a/pkgs/os-specific/linux/systemd/0016-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
+++ b/pkgs/os-specific/linux/systemd/0015-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
@@ -1,7 +1,7 @@
-From ff7cfe2d112eb166cd1937c3cc8c25491e508313 Mon Sep 17 00:00:00 2001
+From f01b73709d68d4581ad561fbb20c59f895132a99 Mon Sep 17 00:00:00 2001
 From: Nikolay Amiantov <ab@fmap.me>
 Date: Thu, 25 Jul 2019 20:46:58 +0300
-Subject: [PATCH 16/18] systemd-sleep: execute scripts in
+Subject: [PATCH 15/18] systemd-sleep: execute scripts in
  /etc/systemd/system-sleep
 
 This is needed for NixOS to use such scripts as systemd directory is immutable.
@@ -10,10 +10,10 @@ This is needed for NixOS to use such scripts as systemd directory is immutable.
  1 file changed, 1 insertion(+)
 
 diff --git a/src/sleep/sleep.c b/src/sleep/sleep.c
-index 600e9c23c0..66ef1a99e1 100644
+index 39ab554290..880ac7ccb0 100644
 --- a/src/sleep/sleep.c
 +++ b/src/sleep/sleep.c
-@@ -182,6 +182,7 @@ static int execute(char **modes, char **states) {
+@@ -178,6 +178,7 @@ static int execute(char **modes, char **states) {
          };
          static const char* const dirs[] = {
                  SYSTEM_SLEEP_PATH,
@@ -22,5 +22,5 @@ index 600e9c23c0..66ef1a99e1 100644
          };
  
 -- 
-2.28.0
+2.29.2
 
diff --git a/pkgs/os-specific/linux/systemd/0017-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch b/pkgs/os-specific/linux/systemd/0016-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch
similarity index 83%
rename from pkgs/os-specific/linux/systemd/0017-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch
rename to pkgs/os-specific/linux/systemd/0016-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch
index 6dc33fd0341..887864baec3 100644
--- a/pkgs/os-specific/linux/systemd/0017-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch
+++ b/pkgs/os-specific/linux/systemd/0016-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch
@@ -1,7 +1,7 @@
-From 600ac2dd3fc15c5717fcdf8f37899fdabf97268c Mon Sep 17 00:00:00 2001
+From 3db343c08a09a0009da049f37e3f981519eac62f Mon Sep 17 00:00:00 2001
 From: Florian Klink <flokli@flokli.de>
 Date: Sat, 7 Mar 2020 22:40:27 +0100
-Subject: [PATCH 17/18] kmod-static-nodes.service: Update ConditionFileNotEmpty
+Subject: [PATCH 16/18] kmod-static-nodes.service: Update ConditionFileNotEmpty
 
 On NixOS, kernel modules of the currently booted systems are located at
 /run/booted-system/kernel-modules/lib/modules/%v/, not /lib/modules/%v/.
@@ -10,7 +10,7 @@ On NixOS, kernel modules of the currently booted systems are located at
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/units/kmod-static-nodes.service.in b/units/kmod-static-nodes.service.in
-index 0971edf9ec..87105a87b9 100644
+index f4170d6a99..9a6a591bea 100644
 --- a/units/kmod-static-nodes.service.in
 +++ b/units/kmod-static-nodes.service.in
 @@ -12,7 +12,7 @@ Description=Create list of static device nodes for the current kernel
@@ -23,5 +23,5 @@ index 0971edf9ec..87105a87b9 100644
  [Service]
  Type=oneshot
 -- 
-2.28.0
+2.29.2
 
diff --git a/pkgs/os-specific/linux/systemd/0018-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch b/pkgs/os-specific/linux/systemd/0017-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
similarity index 87%
rename from pkgs/os-specific/linux/systemd/0018-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
rename to pkgs/os-specific/linux/systemd/0017-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
index bf011f701ec..ad92291c258 100644
--- a/pkgs/os-specific/linux/systemd/0018-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
+++ b/pkgs/os-specific/linux/systemd/0017-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
@@ -1,7 +1,7 @@
-From 42419ff4dc7a36607189f8d3765aa836d5c5eaf9 Mon Sep 17 00:00:00 2001
+From 6f0e9a60dcd2160bcab01366bd521630f6f5dc76 Mon Sep 17 00:00:00 2001
 From: Florian Klink <flokli@flokli.de>
 Date: Sun, 8 Mar 2020 01:05:54 +0100
-Subject: [PATCH 18/18] path-util.h: add placeholder for DEFAULT_PATH_NORMAL
+Subject: [PATCH 17/18] path-util.h: add placeholder for DEFAULT_PATH_NORMAL
 
 This will be the $PATH used to lookup ExecStart= etc. options, which
 systemd itself uses extensively.
@@ -10,7 +10,7 @@ systemd itself uses extensively.
  1 file changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/src/basic/path-util.h b/src/basic/path-util.h
-index 30031fca8e..d97145539a 100644
+index d613709f0b..5cced4c115 100644
 --- a/src/basic/path-util.h
 +++ b/src/basic/path-util.h
 @@ -24,11 +24,11 @@
@@ -29,5 +29,5 @@ index 30031fca8e..d97145539a 100644
  #if HAVE_SPLIT_USR
  #  define DEFAULT_PATH DEFAULT_PATH_SPLIT_USR
 -- 
-2.28.0
+2.29.2
 
diff --git a/pkgs/os-specific/linux/systemd/0019-logind-seat-debus-show-CanMultiSession-again.patch b/pkgs/os-specific/linux/systemd/0018-logind-seat-debus-show-CanMultiSession-again.patch
similarity index 82%
rename from pkgs/os-specific/linux/systemd/0019-logind-seat-debus-show-CanMultiSession-again.patch
rename to pkgs/os-specific/linux/systemd/0018-logind-seat-debus-show-CanMultiSession-again.patch
index 4f8cc0822d3..52a749a16b6 100644
--- a/pkgs/os-specific/linux/systemd/0019-logind-seat-debus-show-CanMultiSession-again.patch
+++ b/pkgs/os-specific/linux/systemd/0018-logind-seat-debus-show-CanMultiSession-again.patch
@@ -1,7 +1,7 @@
-From 3999d8949ddaf9296928f603661abcea13576d83 Mon Sep 17 00:00:00 2001
+From 120b53a3279ba098ee8e5a346b39cb2b7ef4a106 Mon Sep 17 00:00:00 2001
 From: Thomas Tuegel <ttuegel@mailbox.org>
 Date: Mon, 26 Oct 2020 21:21:38 +0100
-Subject: [PATCH 19/19] logind-seat-debus: show CanMultiSession again
+Subject: [PATCH 18/18] logind-seat-debus: show CanMultiSession again
 
 Fixes the "switch user" function in Plasma < 5.20.
 ---
@@ -9,10 +9,10 @@ Fixes the "switch user" function in Plasma < 5.20.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/login/logind-seat-dbus.c b/src/login/logind-seat-dbus.c
-index a91765205c..742aeb1064 100644
+index a60ed2d3c2..69b6271075 100644
 --- a/src/login/logind-seat-dbus.c
 +++ b/src/login/logind-seat-dbus.c
-@@ -451,7 +451,7 @@ static const sd_bus_vtable seat_vtable[] = {
+@@ -450,7 +450,7 @@ static const sd_bus_vtable seat_vtable[] = {
  
          SD_BUS_PROPERTY("Id", "s", NULL, offsetof(Seat, id), SD_BUS_VTABLE_PROPERTY_CONST),
          SD_BUS_PROPERTY("ActiveSession", "(so)", property_get_active_session, 0, SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
@@ -22,5 +22,5 @@ index a91765205c..742aeb1064 100644
          SD_BUS_PROPERTY("CanGraphical", "b", property_get_can_graphical, 0, SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
          SD_BUS_PROPERTY("Sessions", "a(so)", property_get_sessions, 0, 0),
 -- 
-2.28.0
+2.29.2
 
diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index f7a51ff9a03..52a227e2af2 100644
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -1,6 +1,7 @@
 { stdenv
 , lib
 , fetchFromGitHub
+, fetchpatch
 , buildPackages
 , ninja
 , meson
@@ -71,6 +72,7 @@
 , withMachined ? true
 , withNetworkd ? true
 , withNss ? true
+, withOomd ? false
 , withPCRE2 ? true
 , withPolkit ? true
 , withPortabled ? false
@@ -80,8 +82,8 @@
 , withTimedated ? true
 , withTimesyncd ? true
 , withUserDb ? true
-, p11-kit
 , libfido2
+, p11-kit
 
   # name argument
 , pname ? "systemd"
@@ -109,7 +111,7 @@ assert withCryptsetup ->
 let
   wantCurl = withRemote || withImportd;
 
-  version = "246.6";
+  version = "247";
 in
 stdenv.mkDerivation {
   inherit version pname;
@@ -118,14 +120,15 @@ stdenv.mkDerivation {
   # This has proven to be less error-prone than the previous systemd fork.
   src = fetchFromGitHub {
     owner = "systemd";
-    repo = "systemd-stable";
+    repo = "systemd";
     rev = "v${version}";
-    sha256 = "1yhj2jlighqqpw1xk9q52f3pncjn47ipi224k35d6syb94q2b988";
+    sha256 = "1nwsr6p65zy5jpabvjbszq5g556l1npaf2xsik4p4pvjjwnn1nx6";
   };
 
   # If these need to be regenerated, `git am path/to/00*.patch` them into a
   # systemd worktree, rebase to the more recent systemd version, and export the
   # patches again via `git format-patch v${version}`.
+  # Use `find . -name "*.patch" | sort` to get an up-to-date listing of all patches
   patches = [
     ./0001-Start-device-units-for-uninitialised-encrypted-devic.patch
     ./0002-Don-t-try-to-unmount-nix-or-nix-store.patch
@@ -138,14 +141,13 @@ stdenv.mkDerivation {
     ./0009-Change-usr-share-zoneinfo-to-etc-zoneinfo.patch
     ./0010-localectl-use-etc-X11-xkb-for-list-x11.patch
     ./0011-build-don-t-create-statedir-and-don-t-touch-prefixdi.patch
-    ./0012-Install-default-configuration-into-out-share-factory.patch
-    ./0013-inherit-systemd-environment-when-calling-generators.patch
-    ./0014-add-rootprefix-to-lookup-dir-paths.patch
-    ./0015-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
-    ./0016-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
-    ./0017-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch
-    ./0018-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
-    ./0019-logind-seat-debus-show-CanMultiSession-again.patch
+    ./0012-inherit-systemd-environment-when-calling-generators.patch
+    ./0013-add-rootprefix-to-lookup-dir-paths.patch
+    ./0014-systemd-shutdown-execute-scripts-in-etc-systemd-syst.patch
+    ./0015-systemd-sleep-execute-scripts-in-etc-systemd-system-.patch
+    ./0016-kmod-static-nodes.service-Update-ConditionFileNotEmp.patch
+    ./0017-path-util.h-add-placeholder-for-DEFAULT_PATH_NORMAL.patch
+    ./0018-logind-seat-debus-show-CanMultiSession-again.patch
   ];
 
   postPatch = ''
@@ -239,6 +241,7 @@ stdenv.mkDerivation {
     "-Dhostnamed=${lib.boolToString withHostnamed}"
     "-Dmachined=${lib.boolToString withMachined}"
     "-Dnetworkd=${lib.boolToString withNetworkd}"
+    "-Doomd=${lib.boolToString withOomd}"
     "-Dpolkit=${lib.boolToString withPolkit}"
     "-Dcryptsetup=${lib.boolToString withCryptsetup}"
     "-Dportabled=${lib.boolToString withPortabled}"
@@ -259,6 +262,7 @@ stdenv.mkDerivation {
     "-Dldconfig=false"
     "-Dsmack=true"
     "-Db_pie=true"
+    "-Dinstall-sysconfdir=false"
     /*
     As of now, systemd doesn't allow runtime configuration of these values. So
     the settings in /etc/login.defs have no effect on it. Many people think this
@@ -338,7 +342,7 @@ stdenv.mkDerivation {
         --replace /bin/plymouth /run/current-system/sw/bin/plymouth # To avoid dependency
     done
 
-    for dir in tools src/resolve test src/test; do
+    for dir in tools src/resolve test src/test src/shared; do
       patchShebangs $dir
     done
 
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index a1be2f4623c..7ceda951ef9 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -19094,6 +19094,7 @@ in
     withMachined = false;
     withNetworkd = false;
     withNss = false;
+    withOomd = false;
     withPCRE2 = false;
     withPolkit = false;
     withRemote = false;

From e4b36a1f05712cdf32f95199fa54adf52411fd2b Mon Sep 17 00:00:00 2001
From: "R. RyanTM" <ryantm-bot@ryantm.com>
Date: Wed, 2 Dec 2020 15:48:12 +0000
Subject: [PATCH 20/43] libarchive: 3.4.3 -> 3.5.0

---
 pkgs/development/libraries/libarchive/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/libarchive/default.nix b/pkgs/development/libraries/libarchive/default.nix
index 3c97ce21ce0..04d848cdc50 100644
--- a/pkgs/development/libraries/libarchive/default.nix
+++ b/pkgs/development/libraries/libarchive/default.nix
@@ -12,13 +12,13 @@ assert xarSupport -> libxml2 != null;
 
 stdenv.mkDerivation rec {
   pname = "libarchive";
-  version = "3.4.3";
+  version = "3.5.0";
 
   src = fetchFromGitHub {
     owner = "libarchive";
     repo = "libarchive";
     rev = "v${version}";
-    sha256 = "1y0v03p6zyv6plr2p0pid1qfgmk8hd427spj8xa93mcdmq5yc3s0";
+    sha256 = "0dj01ayyac3q5a62rqxyskr4fjiq6iappd85zn3rx64xny5fl07d";
   };
 
   outputs = [ "out" "lib" "dev" ];

From d35b703ccda3e7b0b87ff27e23644810a3f5b2a1 Mon Sep 17 00:00:00 2001
From: Jonathan Ringer <jonringer117@gmail.com>
Date: Wed, 2 Dec 2020 09:19:06 -0800
Subject: [PATCH 21/43] libarchive: add changelog

---
 pkgs/development/libraries/libarchive/default.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkgs/development/libraries/libarchive/default.nix b/pkgs/development/libraries/libarchive/default.nix
index 04d848cdc50..787745a6bda 100644
--- a/pkgs/development/libraries/libarchive/default.nix
+++ b/pkgs/development/libraries/libarchive/default.nix
@@ -57,6 +57,7 @@ stdenv.mkDerivation rec {
       compressed with gzip, bzip2, lzma, xz, ...
     '';
     homepage = "http://libarchive.org";
+    changelog = "https://github.com/libarchive/libarchive/releases/tag/v${version}";
     license = stdenv.lib.licenses.bsd3;
     platforms = with stdenv.lib.platforms; all;
     maintainers = with stdenv.lib.maintainers; [ jcumming ];

From 777cb35eb82b1e26613e7b16717cf78b4a959354 Mon Sep 17 00:00:00 2001
From: Arnout Engelen <arnout@bzzt.net>
Date: Thu, 3 Dec 2020 20:03:20 +0100
Subject: [PATCH 22/43] compress-man-pages: symlink compressed manpages
 deterministically

For example graphviz has chained symlinked manpages: dot2gxl.1 is
a symlink to gv2gxl.1 which is a symlink to gxl2gv.1

The second loop replaces each non-compressed symlink to a compressed
symlink. The target is determined with 'readlink -f', which follows
links recursively until the first name that is not a link (so either
the 'target name' or the first 'dangling' symlink).

This means that if the loop converted dot2gxl.1 before converting
gv2gxl.1 it would add a symlink `dot2gxl.1.gz->gxl2gv.1.gz`. When
it converted gv2gxl.1 first, it would then add a
`dot2gxl.1.gz->gv2gxl.1.gz` symlink.

Both are 'correct', but it's weird the result depends on the order
in which 'find' returns the files. This PR makes the behaviour
deterministic.

fixes #104708
---
 pkgs/build-support/setup-hooks/compress-man-pages.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkgs/build-support/setup-hooks/compress-man-pages.sh b/pkgs/build-support/setup-hooks/compress-man-pages.sh
index 82e48cd8aa7..f5af76e8168 100644
--- a/pkgs/build-support/setup-hooks/compress-man-pages.sh
+++ b/pkgs/build-support/setup-hooks/compress-man-pages.sh
@@ -21,6 +21,7 @@ compressManPages() {
 
     # Point symlinks to compressed manpages.
     find "$dir"/share/man/ -type l -a '!' -regex '.*\.\(bz2\|gz\)$' -print0 \
+        | sort -z \
         | while IFS= read -r -d $'\0' f
     do
         local target

From 8c198469124d70e891df885f163a7818e3362bcd Mon Sep 17 00:00:00 2001
From: Michael Weiss <dev.primeos@gmail.com>
Date: Sat, 5 Dec 2020 13:26:32 +0100
Subject: [PATCH 23/43] mesa: 20.2.3 -> 20.2.4 (#105959)

---
 pkgs/development/libraries/mesa/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/mesa/default.nix b/pkgs/development/libraries/mesa/default.nix
index 891e11dbadf..dc82af49030 100644
--- a/pkgs/development/libraries/mesa/default.nix
+++ b/pkgs/development/libraries/mesa/default.nix
@@ -31,7 +31,7 @@ with stdenv.lib;
 let
   # Release calendar: https://www.mesa3d.org/release-calendar.html
   # Release frequency: https://www.mesa3d.org/releasing.html#schedule
-  version = "20.2.3";
+  version = "20.2.4";
   branch  = versions.major version;
 in
 
@@ -46,7 +46,7 @@ stdenv.mkDerivation {
       "ftp://ftp.freedesktop.org/pub/mesa/${version}/mesa-${version}.tar.xz"
       "ftp://ftp.freedesktop.org/pub/mesa/older-versions/${branch}.x/${version}/mesa-${version}.tar.xz"
     ];
-    sha256 = "0axqrqg1fas91fx30qjwhcp4yasdvk919hjds4lga7ak247286xf";
+    sha256 = "14m09bk7akj0k02lg8fhvvzbdsashlbdsgl2cw7wbqfj2mhdqwh5";
   };
 
   prePatch = "patchShebangs .";

From 8f13d3cadac4dd7f4dc147c5ee59d119efb3ddf5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?= <bjorn.forsman@gmail.com>
Date: Fri, 20 Nov 2020 19:33:39 +0100
Subject: [PATCH 24/43] asciidoctor: add revealjs support

This allows creating HTML presentations with
`asciidoctor-revealjs presentation.adoc`.

NOTE: The generated HTML file implicitly depend on reveal.js (and I see
no good way to bundle it with Nix). Either provide reveal.js in a local
path next to the generated HTML file[1], or override the revealjsdir
attribute, for example by pointing to an URL (can also be a path):

  asciidoctor-revealjs -a revealjsdir=https://cdn.jsdelivr.net/npm/reveal.js@3.9.2 presentation.adoc

Implementation details:
1. Added "gem 'asciidoctor-revealjs'" to the Gemfile.
2. Ran "nix-shell -p bundler --run 'bundle lock --update'"
   from pkgs/tools/typesetting/asciidoctor/.
3. Hand edited Gemfile.lock to remove all but the asciidoctor-revealjs
   changes. (Rationale: allow backporting to release-20.09.)
4. Finish off with "nix-shell -p bundix --run 'bundix'".

[1] Of course Nix can help with _that_, but that's external to the
asciidoctor-revealjs program.
---
 pkgs/tools/typesetting/asciidoctor/Gemfile    |  1 +
 .../typesetting/asciidoctor/Gemfile.lock      |  9 ++++
 .../tools/typesetting/asciidoctor/default.nix |  1 +
 pkgs/tools/typesetting/asciidoctor/gemset.nix | 42 +++++++++++++++++++
 4 files changed, 53 insertions(+)

diff --git a/pkgs/tools/typesetting/asciidoctor/Gemfile b/pkgs/tools/typesetting/asciidoctor/Gemfile
index f9329a80a81..702dabee2e0 100644
--- a/pkgs/tools/typesetting/asciidoctor/Gemfile
+++ b/pkgs/tools/typesetting/asciidoctor/Gemfile
@@ -4,6 +4,7 @@ gem 'asciidoctor-diagram'
 gem 'asciidoctor-pdf'
 gem 'asciidoctor-epub3'
 gem 'asciidoctor-mathematical'
+gem 'asciidoctor-revealjs'
 gem 'coderay'
 gem 'pygments.rb'
 gem 'rouge'
diff --git a/pkgs/tools/typesetting/asciidoctor/Gemfile.lock b/pkgs/tools/typesetting/asciidoctor/Gemfile.lock
index c928e954875..06a1716251a 100644
--- a/pkgs/tools/typesetting/asciidoctor/Gemfile.lock
+++ b/pkgs/tools/typesetting/asciidoctor/Gemfile.lock
@@ -28,6 +28,11 @@ GEM
       safe_yaml (~> 1.0.0)
       thread_safe (~> 0.3.0)
       treetop (~> 1.5.0)
+    asciidoctor-revealjs (4.0.1)
+      asciidoctor (>= 2.0.0, < 3.0.0)
+      concurrent-ruby (~> 1.0)
+      thread_safe (~> 0.3.5)
+    asciimath (2.0.1)
     coderay (1.1.2)
     concurrent-ruby (1.1.5)
     css_parser (1.7.0)
@@ -40,6 +45,9 @@ GEM
       concurrent-ruby (~> 1.0)
     mathematical (1.6.12)
       ruby-enum (~> 0.4)
+    mime-types (3.3.1)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2020.1104)
     mini_portile2 (2.4.0)
     multi_json (1.13.1)
     nokogiri (1.10.3)
@@ -88,6 +96,7 @@ DEPENDENCIES
   asciidoctor-epub3
   asciidoctor-mathematical
   asciidoctor-pdf
+  asciidoctor-revealjs
   coderay
   pygments.rb
   rouge
diff --git a/pkgs/tools/typesetting/asciidoctor/default.nix b/pkgs/tools/typesetting/asciidoctor/default.nix
index 7a01dc2ff0a..29b2b567be2 100644
--- a/pkgs/tools/typesetting/asciidoctor/default.nix
+++ b/pkgs/tools/typesetting/asciidoctor/default.nix
@@ -13,6 +13,7 @@ let
       "asciidoctor"
       "asciidoctor-pdf"
       "asciidoctor-epub3"
+      "asciidoctor-revealjs"
     ];
 
     buildInputs = [ makeWrapper ];
diff --git a/pkgs/tools/typesetting/asciidoctor/gemset.nix b/pkgs/tools/typesetting/asciidoctor/gemset.nix
index 02700962eb2..db47fbf2285 100644
--- a/pkgs/tools/typesetting/asciidoctor/gemset.nix
+++ b/pkgs/tools/typesetting/asciidoctor/gemset.nix
@@ -84,6 +84,27 @@
     };
     version = "1.5.0.alpha.18";
   };
+  asciidoctor-revealjs = {
+    dependencies = ["asciidoctor" "concurrent-ruby" "thread_safe"];
+    groups = ["default"];
+    platforms = [];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "084aq9frv4irzgd9ab3xad9i0ml9lb58w0wvg76gnwwr51plbpp4";
+      type = "gem";
+    };
+    version = "4.0.1";
+  };
+  asciimath = {
+    groups = ["default"];
+    platforms = [];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "1aapydwwkydbwgz07n7ma3a5jy9n3v0shy6q6j8mi4wr3crhx45a";
+      type = "gem";
+    };
+    version = "2.0.1";
+  };
   coderay = {
     groups = ["default"];
     platforms = [];
@@ -158,6 +179,27 @@
     };
     version = "1.6.12";
   };
+  mime-types = {
+    dependencies = ["mime-types-data"];
+    groups = ["default"];
+    platforms = [];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "1zj12l9qk62anvk9bjvandpa6vy4xslil15wl6wlivyf51z773vh";
+      type = "gem";
+    };
+    version = "3.3.1";
+  };
+  mime-types-data = {
+    groups = ["default"];
+    platforms = [];
+    source = {
+      remotes = ["https://rubygems.org"];
+      sha256 = "0ipjyfwn9nlvpcl8knq3jk4g5f12cflwdbaiqxcq1s7vwfwfxcag";
+      type = "gem";
+    };
+    version = "3.2020.1104";
+  };
   mini_portile2 = {
     groups = ["default"];
     platforms = [];

From 1e8d2972708565aaf8c1697ce8738f4e92845bdf Mon Sep 17 00:00:00 2001
From: Michael Weiss <dev.primeos@gmail.com>
Date: Thu, 3 Dec 2020 20:18:56 +0100
Subject: [PATCH 25/43] libva: 2.9.1 -> 2.10.0

For libva-utils there is no new release (yet).
---
 pkgs/development/libraries/libva/default.nix | 4 ++--
 pkgs/development/libraries/libva/utils.nix   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/development/libraries/libva/default.nix b/pkgs/development/libraries/libva/default.nix
index f6c8c9d0bb8..f37780f5d6d 100644
--- a/pkgs/development/libraries/libva/default.nix
+++ b/pkgs/development/libraries/libva/default.nix
@@ -7,13 +7,13 @@
 
 stdenv.mkDerivation rec {
   name = "libva-${lib.optionalString minimal "minimal-"}${version}";
-  version = "2.9.1"; # Also update the hash for libva-utils!
+  version = "2.10.0";
 
   src = fetchFromGitHub {
     owner  = "intel";
     repo   = "libva";
     rev    = version;
-    sha256 = "1c9rwrz30q2p47spzb9gsakwci9c5mw6i309z7p7hr2d8233ay4x";
+    sha256 = "1xyxnxmq04s3s6135v6av1rl5z809j9vxvg7af9wvyh3dgsxrlds";
   };
 
   outputs = [ "dev" "out" ];
diff --git a/pkgs/development/libraries/libva/utils.nix b/pkgs/development/libraries/libva/utils.nix
index 675d85508b5..66294848b19 100644
--- a/pkgs/development/libraries/libva/utils.nix
+++ b/pkgs/development/libraries/libva/utils.nix
@@ -4,7 +4,7 @@
 
 stdenv.mkDerivation rec {
   pname = "libva-utils";
-  inherit (libva) version;
+  version = "2.9.1";
 
   src = fetchFromGitHub {
     owner  = "intel";

From 3313a5a347b5308f1554d43ac806df76b24b52fa Mon Sep 17 00:00:00 2001
From: "R. RyanTM" <ryantm-bot@ryantm.com>
Date: Sat, 5 Dec 2020 18:26:30 +0000
Subject: [PATCH 26/43] gnuplot: 5.4.0 -> 5.4.1

---
 pkgs/tools/graphics/gnuplot/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/tools/graphics/gnuplot/default.nix b/pkgs/tools/graphics/gnuplot/default.nix
index ce2a87981e7..26dec6d42c8 100644
--- a/pkgs/tools/graphics/gnuplot/default.nix
+++ b/pkgs/tools/graphics/gnuplot/default.nix
@@ -20,11 +20,11 @@ let
 in
 (if withQt then mkDerivation else stdenv.mkDerivation) rec {
   pname = "gnuplot";
-  version = "5.4.0";
+  version = "5.4.1";
 
   src = fetchurl {
     url = "mirror://sourceforge/gnuplot/${pname}-${version}.tar.gz";
-    sha256 = "0iwwliq5a6qcawbpxk4d7l17fpkq9xxcz05kwblx37rr7bq84h7b";
+    sha256 = "03jrqs5lvxmbbz2c4g17dn2hrxqwd3hfadk9q8wbkbkyas2h8sbb";
   };
 
   nativeBuildInputs = [ makeWrapper pkgconfig texinfo ] ++ lib.optional withQt qttools;

From 348d0df18c132f6c5c107f184905467a0bf38ecc Mon Sep 17 00:00:00 2001
From: "R. RyanTM" <ryantm-bot@ryantm.com>
Date: Sat, 5 Dec 2020 23:10:24 +0000
Subject: [PATCH 27/43] hwloc: 2.3.0 -> 2.4.0

---
 pkgs/development/libraries/hwloc/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/hwloc/default.nix b/pkgs/development/libraries/hwloc/default.nix
index fb315150e08..561a4693c1d 100644
--- a/pkgs/development/libraries/hwloc/default.nix
+++ b/pkgs/development/libraries/hwloc/default.nix
@@ -7,7 +7,7 @@ assert x11Support -> libX11 != null && cairo != null;
 with stdenv.lib;
 
 let
-  version = "2.3.0";
+  version = "2.4.0";
   versmm = versions.major version + "." + versions.minor version;
   name = "hwloc-${version}";
 
@@ -16,7 +16,7 @@ in stdenv.mkDerivation {
 
   src = fetchurl {
     url = "https://www.open-mpi.org/software/hwloc/v${versmm}/downloads/${name}.tar.bz2";
-    sha256 = "0r4a07ag1fv48ql2g64px0wrjpxlvkh6c7mhnkv9xxkkg04zc1xn";
+    sha256 = "1s9q70mrr4igbjw4m26din81i68f4wbfpv6wdc4i2aalvd51n7rb";
   };
 
   configureFlags = [

From 101c5a96ad5df1b1b0d74b0a0f6d071d5a296873 Mon Sep 17 00:00:00 2001
From: Michael Weiss <dev.primeos@gmail.com>
Date: Mon, 7 Dec 2020 16:37:19 +0100
Subject: [PATCH 28/43] fuse3: 3.10.0 -> 3.10.1 (#106162)

---
 pkgs/os-specific/linux/fuse/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/os-specific/linux/fuse/default.nix b/pkgs/os-specific/linux/fuse/default.nix
index f159a4cbf77..0ed6f54a1dc 100644
--- a/pkgs/os-specific/linux/fuse/default.nix
+++ b/pkgs/os-specific/linux/fuse/default.nix
@@ -11,7 +11,7 @@ in {
   };
 
   fuse_3 = mkFuse {
-    version = "3.10.0";
-    sha256Hash = "05ipzmlk6xci9v4sf0pap542b37aszghlchswl6s76fg6h3w4yms";
+    version = "3.10.1";
+    sha256Hash = "0bb22mac8m0z6qp0s6g4r0x4aj6gc19pfyqr6sdy4hkpwxicgmaf";
   };
 }

From b9116f712f04fa2f7cd66e7e16783b572dc32d75 Mon Sep 17 00:00:00 2001
From: Michal Sojka <michal.sojka@cvut.cz>
Date: Mon, 9 Nov 2020 22:22:21 +0100
Subject: [PATCH 29/43] libunwind: Add devman output

Installing the man pages is a bit more tricky. The configure script
completely disables the documentation unless latex2man is found.
However, just installing the man pages can be done without latex2man,
because the man pages are pre-built in the source tarball. Therefore
we pass ${coreutils}/bin/true as latex2man, which allows to install
the pre-build man pages without depending on full texlive.
---
 pkgs/development/libraries/libunwind/default.nix | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/libunwind/default.nix b/pkgs/development/libraries/libunwind/default.nix
index 0f0143b9c1f..3816788f929 100644
--- a/pkgs/development/libraries/libunwind/default.nix
+++ b/pkgs/development/libraries/libunwind/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, lib, fetchurl, autoreconfHook, xz }:
+{ stdenv, lib, fetchurl, autoreconfHook, xz, coreutils }:
 
 stdenv.mkDerivation rec {
   pname = "libunwind";
@@ -17,7 +17,11 @@ stdenv.mkDerivation rec {
 
   nativeBuildInputs = [ autoreconfHook ];
 
-  outputs = [ "out" "dev" ];
+  outputs = [ "out" "dev" "devman" ];
+
+  # Without latex2man, no man pages are installed despite being
+  # prebuilt in the source tarball.
+  configureFlags = "LATEX2MAN=${coreutils}/bin/true";
 
   propagatedBuildInputs = [ xz ];
 

From 098a7b67ac848aee28fc437893638bc0d59fec02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <v@cunat.cz>
Date: Sat, 17 Oct 2020 12:28:07 +0200
Subject: [PATCH 30/43] glibc: 2.32 -> 2.32-10

This should fix #100799 thanks to
https://sourceware.org/bugzilla/show_bug.cgi?id=26534#c5
---
 .../libraries/glibc/2.32-10.patch.gz            | Bin 0 -> 24498 bytes
 pkgs/development/libraries/glibc/common.nix     |  11 ++++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 pkgs/development/libraries/glibc/2.32-10.patch.gz

diff --git a/pkgs/development/libraries/glibc/2.32-10.patch.gz b/pkgs/development/libraries/glibc/2.32-10.patch.gz
new file mode 100644
index 0000000000000000000000000000000000000000..6141f08efadb0cecc27bc54baedfa5f7027d0add
GIT binary patch
literal 24498
zcmb2|=3oE;Cgv;Fw~KD?m~?*et^Na6rD|a+r&L^DJxU2$Y*Dnxc;AwmlPT(+g$@i;
zES7ob>X*$4u}hKvo_wx8*W4j!ii`C%nf+@f32DYi_3kTYPP<t1Zg~sm^p|YKw)c{k
z-Tl7nSpZK@<8A33>mJT>s!;pdVwcmisYLAP?<Xct{{NEyC|)W3_jUbI(MrKqn`Lt&
zr*y22Utau*T~_RDyjk4kkT=3kb>ee+Hfb7GyKMh<_TIj=!olXHmzwnVUTjc&a(cn?
zuWM?HUeqhLA6M=!n8-ElSD;7DkN2sH%JT7l9p}xk-JM-Kt@z3HjwRc>IoJ)iN;|*r
zmV0Y-*~Dl1x6J8LO<yHNne7ZJ_rLyn^TM-T-V$epCQc|(Q&HHd)xAT3d)7G*DZ%gw
zQ{p-&FbJK@oz!L7w@lM>(@~|a;5nDn9z`iMaXg>)!Q&9u;;D{d?(ekc{^UFq8XYWq
zy7$ednH`U#H+{G%DsZNIapgwU&E9(t29)ofm)F^NF0=kZY36w$+wI5OuN^RH%`3Q_
zWhQm!yUn7^;2Eyp88Y?6PRa>fe;HYQPwDpTbjMehXPo_};%l1kxAt7m4u1LDADs2}
zO{hCB_wDV$4f$nOhraFby*Xj0L+#%5NM7H|+amX0%-Xu`(8KHTo!3ln*It@*|3h(6
zMP<>0IsN^|*u|Hpr+l~iR2eKJW@rE3hwomjRr}+MN1xujvC~F=ua%Vb`-W%TXFjs{
zZjMmNHLCi5Fz4CiB*tDv%i3~7%Xxnc)pl<v`dry;V$yWyUM+{s1A~U_T+@TQ_!+&E
z0<O<gIn;8_P0#SI<N0m7^fs?q`1b1?#&n-A65Dqqa&WsGe;0k_Rb|=AOZnFS-%MEC
zvuDO%(UMCVT$A>%KB@lr{`v1GpEezqdE{Ccn%nujK5}xP4BwjL?s}2e4wSLasg`?N
zvLaD3hG+Mj^<L9t*0s3pTV!+Ntz72K+`|rq7UE2%lR74Nt3+(s@%6B#jq|(3k)94;
z@3A(iHK|y<ID1mnQlatvF_9@3T78c(eKl9SZpXT5$xEf1_iuYI(n)*Nc5IRG(aW|H
z->>pB?fSmSaTAO9k76!^8^I<XJN}(h>Z>?*N%qDr4hx-M^1auN@@NXPT;x5+Ai>Gl
zupvQ+^}53&X?b3OsO|_4k?+#FB8&SiMH5>q)jK<GzMS=>=2KcxNy}^9MYHd!J)G&F
ztbBH+yjtcQO=GVAhc&KjkWHL;X9;7<r??}We2x_w@yEaDD@1DKc__~My)>nAQM%Ct
zWrHQL$9PUvO<OL#DF1R}`pgG<HnkZ>@1{*M?fQSpsmN~eL($%o++Ftdy{zocyR>53
zH}dC13tU!f+nWFN``3GI1wRv|8a7;-z`o)1j5be)tM4|IOk8@YPMv9nn&*rZIS!c{
zKVn#RH|HHKmRZ5e+q>{)`R_INH}6XM?sMme9mhKUrXt@(tt|T%Y<#koC7CBT`G@3-
zH^o~%3tjP1JfdMWMS8<yuODF(Cly5;v}9CfUDV3_e@>T)X#Az+LbKeT*A;jx^)EO%
z*?D%#JO6Y|of2J+*48G6BPx*`&zfTj1&SkB0z;zP*k=pQ@+c5bUp)Eq;*+e6Pu27N
z{LUYf&2V|im7vza#cDX4Y4TE@CpW?`u6g%Gt!sTj&!l%r>BgrRyP|eKy7WY;^^S+z
z1C>{98#wJf9Rlv&p0vYcPpnan<G}@rMM8a#3!Xh!X)4?x_MG9h+9ab{T`E^aUS9U_
zIuX~U%e9?PdqGV1jqiDk^DW%Izvfa{#{WuZ<;3Ec=9fx*nE{jJ#O5dUA5OZ!`cUDl
zs>KoJ?UR={sFgi0F_jGPeEcHp+_YVCZsrLQLic%H6mJwMeUNn(-x7ICaHm(>k^>qX
z+qW%oX}8s>dQr^Nkdr9UW@*B<?V@q%wZ$S=ZoF#rWqrv0eeLJ3FC5=x=x^ucjJS2R
z?M@W`inozxUh{wPYroC*HRtl;yP?^8%>r+}-RidGfo;i)z25|Qcij1Fe&_b=#V1!Y
zKfinP$=?@AYi4m&Zo0xd=}g0-omWGuxZTR7F7K3zG7vcN?81TNormu}*IwJh^fheu
zvxKe8itUSz$2)b3Db>WOi=3a@8|Uh~$&aNoAS-l3DDNM`6Pq?_*;jG|#Coh{KGnjc
znLeS0d9_MF7VkIRHr098H(DQO)L2z=d~N>unfH@>UjMbTX!2t}#5MQQ!wZ{V&)9Fb
zUyJ#5tp?Y!i`nI#-12VXPZ@Jw)~SAKWWVsR+WAzc@n=hM#Q@GnYox5qCYtt&wYBty
z$$Bc*O{z1x9(MD~nwr*^_a`LB@i-pMySZksi>|XVb7OdHxs<N8=&cXG_Fmj2{8Y>9
ztbB2L89QsYz}>fev9%torV1|dMu$xt{g3wVG~V5At@ULa+grT?b~)PzzRfm`xjz;v
z<n#IY-?Kh-(&F*v&6hV9KmYUTL&2xUH!H5mirj14_T9&_J*YvGWkq+0Wk-#!&?U<o
zUrq$4g|Wq5l2e-b$Kd<#P2sCF9?fJovd9wDHTsaika*HFRXM}sNPYT0Q(l)DVaq%<
zcKWAs?eY2k?8`KTB@)JmoG!0AHM@F(=pI#rr&|(Zyd1xVnoJZ~sMx|>d}Mz~Rgt08
z1E*6v#X7dC8eE)N*3k2O`7B1BH*aI(WU`v~9@_n$L1?mwt~|59UY5p9wSOi(NguWf
z&G`~<ctO5w*Q2`C6=Fj7!c;;JT>bFsjZA_p%TktxJ3CLcH&$ggmzAHgb?8uX6g_k)
zWMP|ls$x7-^N!Y22V4U=?^JF&utDy^Cnl?-jo#C|E3{_1dp%fV;asEV%)z`U^F{q#
z7f#!fM~f>O?4Q*g$~eR7&Q;ANw`sjVY{%9a0x~aWKdYKIVd;sTQ(~u{IJLvKP)lC(
z;oKM}miY(O6uy0C=Gc*VV)Nd%u;i&yQN4}3@7HY=oUJnTlEb{II-zyBkAr2SqYTz&
zZFb;Eu>aZ?cDP>pR_`*w6;doIYA>439JOhRV6AgkuwVTvq%lm$ku4%)Z=#6r<s0S3
z5|1X_y{qF=+cG8c_PrI^_a`uYmn?m2w|Jdy@2+pL?`G$`k>2DNzd$NOkR#yEw3MYh
zCN_bJQAan~`p$bMrVysMkRh6NSp!?Q<kdqtd=Iq`OW1LxDm3z^{#CG7vF^K;`TqS|
z0p7zds=1=pnv8aPBW+k)nRcq#^oen=JbqxZ$GXifyibE?u84WKG)233ikI2Fx3d#I
z^6po;T{K^XZEs@vft4@Ht>W&R%y{vN;g#R~CC~DHDPQf|cVdID&!3Npr@RDOjtO`v
zONRA);V)U@`0me?i^7%5g!XP@>D#7uu<4BLu10S2gAcdL-F~=L?&!m<a+jg_I#lfZ
z!>w{R5%^tM#oCzi*MH((U;GpI`eEJruL1k7uL}HFfBd!RlpnV(PygMqK21vZ<u1O9
zR}*=K-ts+|t0MSWb<rxh&YjAuHW-O8G#>q@#M)l+A?jgFdS#@5YSK<UfgNj3>D%r+
zw9!od>vXg9nLT0B#rqHK%-uQR5y#%k8}F`LciZgpTC4q=jCQ_?2(x;^csM}LfafY>
zbNok@*_(p&vwf$oQg&?E@MOAa`<G(ZkovSezF!`-EbO~$zusW_gsO!Rl1sy;OD>!J
zlQBZiy(Ti@Yj*fNbBn%HH~i|eC;k7k^jGl57q{=~927du<{gqeu`cTFx~G9z-!~eW
z$b4(Btv>NC&C{-OvT9{}$v0;1%0+S)4BX8(cYj&>amv=>PltbhJ%0Y_Oa2qzCVI?Q
zOW<d{6)ySi4o9fZ)Q^*OQa+_}v`jNT**fdVa>Lsj`0e=<6HRyh5R~>j=XE4yZn*tg
z<E*_w9U`&$r*Eco*}eYiGo5jE%)PgV@|!Q4n&qB3yK~D$y_qR9s%~#+^!=3D&{K5i
zz{do~^m#tsr$t>vPP}7jldF=LYWG;s=*mI)+&f=|Zy1Jo$mlRCW!C@l6imAOB~)l%
zk^p00t@2za$%o=D%*E|R?^GCl8$L#uO=WbR{pO9y?W-$)ynOO*dtTC%rQgr7F8nRK
zX#0b<dumVG+Aaw@>$t8mwJ=yxIcf900y~arZtwSY&g{t%Fz#pTjClKxZ_`%>r>U%`
zcPrl$4UZQ6Ui8}A$V7Ed(%rY)>e;29Hog9GV5!H(DO=Xr2l!PyzvW%CWxDWdd#|-_
z@BP)+&z&6n=VA@R(s!3XbFKQitRi&&#l8i8|5>7X?@yW`yuNBth}`!dT5o(6?i>}@
zF;q8Qmhjc)$lA;^y^Y6z?_yPJ2-K0RvQ6Z!eQ{Ny`RYm0><zaRy?3fjD~SGK5VG|G
zf8>P5xV;`h@7(9!JiXP7BgRb1u;=)(u%&^lH>z{gZcLqXLBl`!&=$vvCl780REj%1
z`+dq;#i;)L-y*REF)z;>wyLXeGnNX*InSswv8pV#tYS|5`FZQS%cr}`r;DFEc>Chb
zpFfn|x5x3kJuu;|oUFy-#mXCaVl37lmpzln#$3HZ(jw%T*xqfNVw<wJ`c}s6?bBA&
zD`4qewW)JMn%~vAW|p;I&zHB$GwgWtsBTZN1?Pk*+cj7p+%0-}N|jAPXX1%mz674%
zdgrbtG)f*>o#cMiEFh%uRnEQ!^_(Z${bNrby0@&T;69iAc7}6H<ou3%Tt9KR=HT~}
z_LKY-6K0#t7f<$1lCHd5er0v{N6QJHzWliRBInJV_&L6Q_a@x+-LlH#L0R<o{P48y
zrTp$$R^CNcM^C0sU1MEzs;}s5wBpio`<dQHwy-O2Gv%JfefK<DakN>+>8h}Me{Ix1
z%nv#G|EA4?$X_9|=DaeT<m2;y$)n87Q}QmaFaA83vT6I7XWN%qo#niG>f@e>Qk@6Y
zlRV_Y)n{ZliZ~XYKboss>CEkO<(tL-*)yJ*T)X-*)LFaFPsL`>;Sxhj+sIkW3B{Qo
z%B<$vR^FH!)9J9}fz3_7xwcc1E8fIAKRX*Y&D^}oIedp%@!rO>D-0see{hlS*}L}j
z6v<x+3yQCmfBpCA8Qc8MogM2l9sVs?$id_lcVW}o&!JoYO8rpmRo=t5dC%!W9-af;
zPO;4r$M)U5yPdamy7T4TM`QU?FJGN%Um;#7b2MUm;UQN?)d)4=r>si1*WI}nAtv%E
zxPm3@$~hICsS_PvT%302+vO!bQGs@4pI-|ey>x@!+kE3TQBiX%fg87Vo>?BToEmz0
zTaNtvxt7NlmkZq0a4>xG{rb_H);;`xSh5!`kUiS}s_`$!k>G=lWe>lymQHkB$b6&l
zj0b~%%7p_3?T1Wf@0fO{=griDMSs-TemOKvWK~a$vt*lhx^2mh&jNSE%<aWYj&dtC
zG_x@I8P0j6+8lD%KP7Nm!`=1oToPBGk?dK!$wQE#+k-1tLgdGp<4HnsRfWnM<UeK4
zJs%Moo!r2}YUlefdgr=k>kyT|@64tGd){=L@fvd;d(T^ST204NQ&=E9fxDqNT<N}+
z5ZA^@!UZpy^8yVX^5*s%2S@D6<GT3zR;}HGX?lC=rt|(-kpJB`wq&;bp8MPOT)y_Q
zMDuCv-K9={e$?F-IDMzm@KOF9g~`@6TclH#R5kk?Wc{jBS~d5)jgVJC@ydzEg#}MP
zQ*w!%<kTXu?ygJp-m_f?7qz|VIJ7tU!SXYbcYl3*RMvHseVODuyOxS;pG(Y+L?6iB
z9+Lh1xp`3b?<cXMkupvBGw&^WrIsSUNw~sDs%q2G&Y!+(u2d;*7J9)dF4(f_tar-}
zrTGdcj`R6e7M%T?b!+d!jXC?jeVQjdf4Q-Q+6=Ys4(Z^%t!n32+d10pxW?yHz<M*%
zSG(ufx210<s(-0;K4V~a&@=Ld)1O0H3|i|?hM)Cs(wOr}<FK@E`RBDJt*?*hT6Z<g
zORRRAK1(e{X+nQRTjrNv*KFrRGp$IxyD2zLrK*~Pvvb|LX(69^E^wboy0(d5>iCyy
zoGuo=>00L**1v9zn0aC@gUN(D6QAquPMq9wK}W&vy8-)}YwTBdGyi)0WQOHY)(!ph
zPwMlE-Vj~bSiDbqTj0`JskeR_wj|!T(x&=Oa+}LCnfROGnYRkJ&%D!Ld@n$hrSk0I
zjK^QSPoJAS#b#&Fjr4`<-yMA{wq)LNuJ@nJPJH|+&C$cB{&?~AV|o#37hQPf*&Mun
zEAZ!nS)Jd7oG)$RI#$@Hrk;E}v(D$wdZkYWU3qnNb^0soc%FE67|40-V^Ui4G4Oci
zeeW{mwJE7tlaD$q@NF|YIr)QP&TqZzxoe6wKQ334`*G$&zu+p1AAh=qwprOsX>gUh
zu|niq+~GH6wp(YFO8-!)J+jK+pY08Pg~Ok#&-foblRIm{)N`8@ly-1_oNoA{q+<Vj
zKAybSf2+@2(3&6>yv52vbn9)gc?tZt_U_Z<4XS;aT>5^Y&YX<zk(!%kN<TUO_0y>|
z)ukex!s+5OCuMW(OWL$UDJ69Av|?AUX=-O9D)rjlNzI$!>UJxnrSjVjp_D_jD$`<4
zr~AH|w#~(_v$NQ7npwtL{__(<?|Yqp^0hscKf~#4lT?|el=jOYhSm0rTw=X-5hasO
z-u?aY=93TmQ@rAP%TKOLGdZch|AcYi)W!Gh_nb=KG+X(0409vnJ3T2qb|d-7yG_Tr
zgY3nBMXmkX#1tmamG*1C_lwif&K0NlA8yk)&9znYBik>#Cr7+@oRt@AGGll#BV_(#
z$&yKTruVErz94H++_j9Xl`(vE62Ye){<ohQv}nGutCvm5q%c?0u$^CA=AP)e-+R7K
z{+zL;%*py)8n29J@E+hlvGxF0&e7vSGioLVcN?re@a{=TP0>cysv?_R>ptZqJXZ;-
zcU3$qX5hDUNnp)x*>#pF4q^MQCRNv!eJJBjDYS6XF*uXIGN(P9(PiJ2BvVVq<nIM*
z3M`oBBq&Iyb60+JRqOa9cB1Tt=z%BRwq?t2KPX#e(9Dyz-oojiV6;-{ssO9C;yd}H
z7q%Q;?epZ(t@NM^8qYsod!uvU<n*XNXTm3&M?YvkEcifU-YK2A3(hKLiU^+hyv=!C
zgKGS{OV{}yH@_7TQ}b95&!YS)?$rInEY=BCYmdIa`r_+Du^SHySblaDrP@#1p1SSu
zItG>aEJN!GYs;#=tXV}hdKEcsPY-=!yIZzmYQvRi-J<o!7hiYZpW8Th)`qN(^PjXm
z9b8T|cf<;IZM?e8Z!rTe$Lj0WEFUXs_Dq#IRKZf^;2b&QY<~IE?R&RPJt{M!YPD-Y
zNr8dgeI`dsxx{_W@vHwG>+imBe_D;I%-68)+YeuS`tPxO+t(w7Du1;0IGnGGf0p;2
zW5$;42bbk~s28Unm}$UxM(V}9y5DP?RpgbvzIh+B)FtHUB-N>}mVA=2EM2<)u6py4
zd5aeWBzT2?zn~Pt^3Z$QY{9dp&o5kiQJvi(c|kw^+D~Jp_!ZWZ=j?Jm{OoP7*>>(7
zuXGF<_uO&yFYG(B`b+vG<7u@|@0S!ce14^&@#N{NOetF?pThF1O#8&!|K@F3yZZFg
z$un;s{`aM=FykbrKt#Dj^QHfLy&Ck)PfvGP$ZObZoZ~Few8>2=Z--XSNr?;VZ#<PK
zz7((a&1jCPyUW4`yFV85oVg6Y=C9vzXhqNpt(+4YPf~LYyPpdlnDr%nmiDFReRGcM
zJ>(1vJ<$6~L-R>|zCwBDrJUCca(0$+OTV%1;F3M=IpcB3)~aJ>CtmG5U09=aZb{_a
zY`=waZ&$zls_^aq24CGLrT5qTF{=8yWmo$-0oMtx2Q;~*e46?D+qxM4b}^<^pXu4F
zaJ+qn%$Cvv<!PB50yCb}bk3Bya{tux;)BcGeiq4g+L@;K@tU^&scTH#<6_qLMZB}v
zVoJRjyI%!czp1;EqJDIwm9t5}yK^GOLHF%L)z5K0sFdAQuB*xTXHtQjddE8Tzt)o`
zgffP3L@9AqN-{6M<af9>wvctz=YKrw^v(MZX3kmGvCw&M^*_VC6FpX+nU_81@i9q@
zSx&4`=_{q|zFgn`?AS@>Pyd$GcO*{!pLS!d<#*PYcCWeOO3ro8ZxdzII~E@M%REg#
zcS>=nxasuPopZb1AN?1Q!>4fh8Dq{tLy-%G(;|OOaINIiv=Uo+y6*P%-_Do3cj&O^
zJl=Y;TP$Vvzw37APwaB%b7~fRwAbQ_%8oj|=l3r@H(y`i@$$rF&WsgCZqq-{@wxWt
zRM#ZQ2G83&PrTpoXd!>V)#k+gSI)|R`oZtP9Llq7&jRzPKaqT2bhmLt-q5e#Trzdt
zJVV8t!d>|lC(B=MyPEiAv0B;Ae+$H{q(8Mq_a{W=MmMr5{r8_9k#bmxl}#~jb)wKx
z-{`Q8+_v<FDRaLT%}moSk&=0&-&VNMJdgd1WB0zf9N#C$TP{AkLCR>3-lFo)rzZV6
z(DAE3p>*Bn$>lCDCw;dlWng<;aA;Be2aTvLnGEZm#>Z@S)Xx6qfBMvwq~9lA&H6g+
z+MDZ}4dhHF6=tX;m#(g2S9*H=jK@LawdN~6+Vf^vsRq54nYfSdxc!1_J8O0?SQX$r
zYv%T~3a__(I@bTVg0Cq5;x6V56Pvix(>lX<?)i|yQ`Ar{pUjqA|6#t;#jII%&L+Xl
zip%mVr*bv?=Fa?S?;yM1_4px0zU!PXJp%&vIKImK%X@sg@Y)$~UpEx5bB(SvKP&Ki
z$y_(>o=V4$oAr)H{irG`wVJ9Yx_er*<_n86$t5C}KDdisR*}4aIj?WQjilzQ_SfRp
z#TbWX>y^6&<#>oRPCWiC+2Y@gEzQl2=|>)Z`IdKh$DaC$3sNH=GiRtB+REg0|F2Zh
zc8x>3W2T*b`_$E|ZPVkd4f~caalM{w@Zi96K}We7w-=T*Kh36JIj{EWc~^ecJL#GE
z*Z8YMZnJmJo_}zHEF0f}gg^Gm2`B9*RDTySJ=XNczf)#DQ{)%Xu07Uk-dQYL`^foO
zhm-`@TN|fCAJ)CSzQKO|#l@!<RrtrO{2a5#W9P!}lZz|&#(p$jTdDB+#<GXy7nZ+F
znq!kLxMg;9L}Q0X?4^Br{<lAU$`@L16|k?C_1)WZ%{OM>-}3ixr}#yaSY@NDi#&F@
zD0{5`tsMV)SL1Sr*|W0$IQ={Cad7q_^@fD663fibEx#c!^Zkjfx8s&QPjP3yQ}q1+
zljW5Ar<<pU?*3zwrxhjTTyy6aL(&|^{dZ*aE3Tfo%+mRF%Z8W}?s*<O#q3|fI_;NR
zY9;G%UH%^vyYBFmhi0PJIW~2?KCG)Fym?h-_sOIC!jq)Zx2<K|erut!NtDh-fmI7U
zqPlq>oi2=&J0EUy`G8<Cum18a|BYPay#M>{>2Pu6eW&W~qWE9)U+G+>L!rN3pWeNv
z_h0qubw^kHnf-dp!Q)$&E}8H@Bd&MhgneJ8@A<2J{rCii1#uhM`lG$w73)`ML|y1n
z-l*g_;mwz`@iD6%*PWGHtt};5RKg>1L%R6FN&9gAnnRxoewRtE+k1YlcD)_vQu}A;
zXKZx*>za3aQF+nTe-(C9s<w*rb=gP%Zc^A^X?R}oXxOjs#l|Lz?fQ-Lw}}>?mYn@(
z<;=6^S3kM@_s08E%j6_7(q0JPJe8m^C1B49`3+N&oHm@C<lZ~;z{w+REsTHPmvhCw
zdGKyh(T2r8pY;b`*(SjB;}VZ7;~&RmUu#6`+qNimD<!JUyLbK7nNs$j9*&YZmy3D>
z9^J1nJ!bTu<KUZ*v5u3fKZtE_;gOi+5HYDm$>64?W}nIq{l&hK^G+=I702h%QF>E|
ztL@W<g>M!A-nX<pV>WR~%cnzPt6RbztjXD&&BArkS7)Ko^qj*X#sWK>3-_2DHBVfb
zxmoM8&XIduPyFBCpTUy+F<ja#@m^Tp&I6(Iz8IcL`}{>(sLV*?u4Mg`B165zGf!@R
zoO*t4o_5Wr+3bZJr%Vn#^fg(f+4<A#n#qH2UCN6BE(Ec!EeR|*sk46PB<^=FHmb0E
znEm8&iqKiZ>N^Wc@&)s{FK@FsaIB(xTK13Y&$g?a`mv8=lZ9^IhF_0EK0S4`_;FM1
z(iW#@VPd`&rJvHD8Z2JjdgJrWc+0}j>}@$OZPvHTxW|6V>e*Vy_2T`K+s+65n=gic
z+Vfptr@*1N8y<hUp^~?rRqjHmzp!omg9B&R@O*0V_&@LQq?{$el@fFFj`OZv^pG>V
zZClK>Q%vh7{EVGsukPWt=HQD@HtFS;U-&7XwfDb$eb=N(j~DDdIVr7w@}atA_5XQd
zEhqh3bdqEC{>etg4dD&Sivk)p>KvCi{fRG``B8OWn^WCBp`1{!`sKfBD-^AYxPI0e
zovdK}xl2TG!oh{DA3|Dp#{Kk;e~=UX>diVq1BGVwN}kTRSO5JIm)`d|c`y2Jqruz>
zVwv6n37eaLKU=ps|6SYL+1A_h-#Ptm)49xH+`agl?CekZYg5^yk4@a#y;vYx@>tlj
z@0K%a`up#2oYPrdSNbb++dSo&T9@MUgI@2J-h1c5?_a#UjZD@la~#Z{?A&kI)g8RG
zxxCRaT*G2@y!wMZb#u3f&zXB(_e_HG=>|oy;*8~5PP31mUbySf8c8X(FPqK07b;0#
zx*yxU-tXC^iTCcZOKw>r!nI~Qi}#_2|L*$kUhueyn{DQSy(_m?UfLs5VyR~Kv29^M
z(|hqVFCG6LZPD45|K_>Cb8T^3TbY9GJqwoxD2TojJk>C{d&Ohfdb6y0&GsAH+t~i|
zhWJG~cnAFQmRV#Mw*B&gF2TMwr^X4NlNgWA67Q~Cbn#<__09E0nO`H<O>#T$`1o9R
zE2o9NSYx%rYE7{$A(ow&Oi$nazPN4AskTXs&d=Ujb?#3p(@p+zMY~VyGvC7RUPjUH
zTzPJvY}+wwGY@-qo6o^TihK9$jND$v@qAZa*W4@8hxupUyb>xjvyCZz@_GJ<2R#B`
z^5ol3$J9+&sm{}Wp2w8=m+18$bvBJXA&wQ(1(vWiiU>-JZV|BX%i6D!vyX{iYx^_H
zHFvorlK#sTscAatvsS&{=cTrEZtvvB$!G3Mhfi)&eD>M1$<Uu8_F26$n`d9<mI-1d
zAEQ<8dzc??_&JST<33B<kGP)s2KzV{e!pazb0q(7lqXwn-GZ}A7)$Q`lPi6AoBfpq
z2Tw1v&g2w>JueGX#r?FZP9F=s*Y>kKbqbHn3F#9Ttj~5W+{rAZ_VDzEX1;fAQ(FK2
zYd>itrF=R@@YlQG?4z4=6em__bYGV9P2V)-=68jJ7Y#ngBCaaAy{MMAIQCgY_2Xof
zgtupoZu`rye!al;#}f}YY?G*1sPr*rslw?1$$e9fKl&5(ar?$LE8kh#BA!1!xy(t{
zkNUOyk&1lP+P*1H`#owKUtNfta!ph2zqahAy|<>sC`Y7ZORc|X72T8chw+Qt_w9@8
z)P>h?Oy%6!W`Ez|A8VXs?t~wV_n$PaNEG9@E9=}kt8x1;)k8+_R@DDLwDVbM|GiW5
z<#$VHEqTf-{3LaHUH`mkg>0;h(keeUaTT6C$<f?2B{pbnTE}gjswD>-?no_pm%XjV
zTgWxGZv8zrgZCQRpO;Cd{j<NA(ptPe;{DC%{1dM{jsK-Nfp?{SYVUQ2mo^9aoNw2C
zH2W>&yw2D4$JMJ>ie0<Dw5`?o`@+@i_m^$%d*^>M)cMZx<@v|D=w*fToK_xVTl#$J
zCH|B1ZazMIx<h2g+&k-}6t>J(FNj*7$x^%2`%3sK)w~z|e+3@?J0zy_P9xT=?~=pD
zIg%PH)8FfVE6+CTEDqw!-n6IPLNnd3=zNn?^~|M{P1kU5-B86e=blM5$C72w`?mU@
zYn-@CG~=1ybIDl=Nw@2sKd5Rw@@B{G9qjqn!_Ud&RPS<-U${`E;r?M!=cfMM-fTTJ
zfopbzIe#+O5oG*xDaSJM$WNx8(rp{wT-zkyIK4<@!IM`(+1vNp*r!}{p0jSENMiS;
z*cIphGcz#!|9?uK^_qOAr6p(?$p8OKV!eZJdkE}%9{ys=fn$n{lQx9#aaZbi>q-ZC
z#>|dZ$~k(CX_`0xfvJ!7=hxr0<<E30do#x&%s+eC@_6O5U$%Rk_<hgllZXRTfkeh$
zMT>t|>WeRCXQwa!za}&N%A&3J>kk+0l+*rP-`~=2&+l))UOV|R#~*)<eWsPMCRf#-
zU3vC2wrqFy_G_MVXFP0w`{dzam;dZbUb?ZWPMLab)}0N{nvxg&|Mv3mNj9+;=G=SN
z|GE`#c<LLoOT6E-Sx;X-Hm{#wV<W#W{(bG{%q==xyR4jgo=of0Q&$a(ogF&&`}~s+
z@5CGnznvXcdHv|~*^jF3J(%*`^`g%*)B4T7=S|B#wm&%fz3rx+uO<KQe|~uL_Vsj)
z$wz*@Uw4!3nlAIRjjuhU^HcvzooiZSt~B4Y_jK&HDTWo_%g)Zoo8_^TW6G9-gSBsW
zy^+(e7VLlbx}|Kx@8q){dWn0kx8_XQH}}i3{9}!O4t?5vH2$x<N@=po0WrBuX^YIj
z-p!R?ON_GTSy`O!{_&n``j@0VyJz?EfBSaa+FJkncfQTy_rLRhw=VF!_^oS-$ll`$
zp3QropL`tasKgxQFI|5&>9@oL%{GxcVJQdItsbez+viF$EjYO6|E{MKQntz4EW3Ta
zDSoop6VFdywzG3CzNYqkMe4~FclI0)-{@X>b3^O-tvrV^zkSJ{9X6@on@iE6_YbS-
zUZ$4!yr%OmykA_xRv@y*>Ir9Y_jJAjm3#>{9@e?<Si>hSG<@lG>PUvWwD(bI^Tn16
zrJO&#oxMO>B+|4x#Cz#`_kNYv23I(wm;7PqjLmp@uWHt{uJD!V*N^|0#`I>^n{{d{
z4JKLkRx@fHKB3fq$>^>~(*yN3Bf|yS60d}0#6`J-|FaY-NFK}m$l|=VG)psdjr(Pv
zjhRomE7OwGihh~B+03-*$KDN!Vb)xe;<^@;_uOx~XZYmd!-R7E%01tO>KPQe_-5BB
zOST{DUFI5iQt;syw%Z4u_{huqWUez_J9mPbMvTj^Q<rCiS4}9kF?i##dBM+;*^}6c
z5`Lr{>#A$<4YJ>n{C$1E95YKL-X9O&UNO_Ln_`)nQa3sD`@$t6GHgXJSZ4=zHkPQS
zYV0ho4{HxS{90sP%;D27UoN_2wMbK5X^-ybsQdduCcc|@`&`=(<7M-opZ0K?{AW>Y
z%9LZZ3KQ+>mz~&P#ClWacYFG;GCk4OxC=JXsWKc{dUkt*>=-|*{<joM3A6jU`SPan
z7spGdolChUJGJ20Ylqz*JNQGj9(-W<<S2ZYM|Um5RMw5@8C(n&)1#DJZ{N1veZea$
z`$mt+@$MV{#I--D-mp6MWxvEp{iVEW4F^lku<Ti|qDAtDZ2cP%o`rf(PNtlnv2r5!
zi>IrC)Tf=vc)I%IJ)Sp8%@QASx2@!zkZ*X}r$kWr(A(<scH8@&m2X&5ey7KrO``6G
zQ_=ppB8vl!<4-)#;t77>xkP3HW2@SK>vO6a4-(|RTDtdWrL|obY<-#;+;_BYmAv5X
zkQMSCTlg(KT=`Fhwrq@O;eRl%bXV_w39BO2`tU>x6Orr_S-<by3SPM)!`A#MXZRAS
zUh7YyGKaeugm*SLr+BYuDm4B#!Tgmyx6E0u!lKFp_g@FhIeuUBNLbcB!-&N@wH8$I
zh)?P>6k?0dF@3`HJ7{UNt@Mit=MU)dsISSp{5F80E4-!Abz^@BgF>{ID2GEr-!9LN
zH{G)@RhiCq42+%kWD?KihIrK#Ph*#FuDKVJSbO`RgH*)iqyMT;`JT|<cJEh&{j*|D
z*2D`FuWV)U@Ydo`i*^&`a8jJw^WM@zMkXMx=7UiEn)jAsB1#uSd&|TW-LCb^JX|WU
zEhYY1a>R_KTI;2Ktt1O#BqMd+drqFF**e3=xN+8=tD@maUrk#3V-7x!$eU{DHPe=5
zYM1lnmWnvj#iv=_m))|vxIyUH<M4`0rF~QX*88&R&iCzjDp>7s&#=7Bi1R!1wS=yS
zERBaMkscZ+>N(F$@tZc`KTGM6T*lB<OZUz^?PPTzkTvt3Z``CU>#q3jzH#8|=Zrrc
z$Di!_T*cVl_V<@zx=KdSi#&O&siht+ySj`draA<cx*a`cvpphMqj$1I+jb$Yvp;{Q
zu9jjpZ`E_1uzJgVpRFw#FE%NJRL0sJlQZd5h+*qFBv&LUtW<U<O24O$xiVEZOGhy{
z_M-O1=WEJN8f{Vznp&`g?a--;!+BkYzAxUcoOR42{NIN!+S5{Ay*cyb?8MlTTVHaW
zZf?stQM~NdsXJR<NdM6ZY7667b-FdLXL9b<l+v}P@sq-4wM3Qc-10v!eeRQWUDeZ*
z#>>ueEjc==gSj}el<g(gDT8B7&8t;+uX~<iIBD-B34No@g?jI&ExOyu_VSPQYZgwf
zAgT12B9&ZU{%H3|k(zCKzHYov4;Y_n<h2*eRr?sU%WOl{HlHG{53HGAnA&C@@L8g*
z$$XO2F5>p8iqvzOZGi^cdD2ubU)`to?enb3eAZXKOuEu2X0S<S>N4)LGY%TcEN$d*
zejdFe*~(;}{9f6f_K8Pt9S&Tsn)u(Sx#{`!3U5ER^VN>Q$AmvG^j)<>{o#f5ATi5O
zr;}povNL>sl%I4t`0d`ZZ}m%`S{#%-)3xbm_p-8&TeV`cgCyP*h41|&cDLy8#@`*;
zKKv<;I?k0^2WGDEs#d%lvP0n?=dF(8uR5d@k7%zx-)cRhwK#B3krC&v8-07ER>klc
z`+J`f)i8Gs{kN&CCaLZy@0RX8X@5Iq<2(dEA965=e%ShU_R_xG4<Wy{7l-E=zY<~H
z;q&VnV|wws2_03Lhpx-dxB7eiyYregpZ&h?2|aY6`lzK+f5htF4yFtKGlCirJ+Z#o
zhYfiCYVTa%Ub^Ou9h>rnr58%u=epet<M`XO<ZkZ&+A9BPZvsr;gcuY#&&%<CZ@KNq
z#IAeR9PHZ~Gty0OSakjR;G0o&R!QJMzy@6bz4M)HTawPJJa=EAx6OO|r9-oYQq#C6
z->KeqekRMaa~jW+uV~*d@VTXa#mr3ksaN*Ssluw^t;J`(de+^J*|SWn-q^`tuC33z
zyw$T`zLDGS$N9?n>yKYY&ivY0Is1j<wvt)Z#u}^Lw$;4qn^L497s+B^QYP@+Mv7~W
z)&x(V9R7lu{)JIjXDe7`9!dK4?#4P%hu6_BWKLK94O(wEi#6_}xvlsdM(={|$u>Dc
zeh*aQrf;{Lb&^9ju)oDcJC1$DVXuml%3GvOcgL{Y(X31icAMGHQ)B2<w=8+W4`<2P
zHQDSe8}hG3>Ihn-KC4R?%w4<1q*@@D+dTVquiyv8&l}<_g+!Ko(wt%{W9-`V_j0eW
z!)lexS$CaWUUj^(pRyoL=FX;?`D=q08}M7ZtbX^ZR)c5i?Hd<7{xN`}qDd{=WxF$b
z&@^Ud&Wm-dvae#9UU@S}zwKxX=h|_z`{J6TQ3~xYhl(x!X)_2OE%s2^Xl3w+ckg%p
zd4JF9miG8I-n@T@$K~*5`;-o;pi(BVnNE2{hoom_F!vvL@!enBlQlJO%EKd5t}MCq
zrR2hkx_wT8nk%##&W1ak>P<?Jm$;&J&O?X!<>{7d5+{;94=8a2u7MacC)T(BiiN;m
z?b>7kWf%YVMr)q62(0<m@Qgty{E&*Td&#70D!iw?KHo2_-IWvWk*2?;ZQI?lr7`QO
zLO)u|z4ZHWr15S{gLK2ZGZvu<lNSDeem>YK<j0efpO-ILVkEPFS@cYCHE!3v2hX-D
zKkV@@c)`Z|LYg7=P_yp*l|?d(($Z2o{|Kx+8#CF6PxQ}?M~rXlc`N@t*>lp=v|_sG
z@?e9muqQ#i&Vs>iB4*D6rmP6Mczsjj=Isrd7k$19X9YVM9^Kql!+&P|#O15PmbF!T
z)-#6*$S(R3p|^ig-i!-n8#8CFJ#5}D^Fks*=xmbS5se3{9;7NCw-%e{a%U^&?L|*s
zEol5-YiO(z^5rpa0pIRbc^X^RDRM})ujAa!I!V=5?i}CRB+JBQekyNHsU|(?bUxf#
zwv@X`oGa~DPoki#^NOnp9xQXkpYD^kT3mBJSR*b;%*Qv)jp<S5*=>_wE_$}r?Qy#o
zFEdx*4%vt6r`b&B{L}GOapDIXHFc5uOLf;Vnas=%JmG696ujm3^y#<vo1I^`&H6{k
z<-cY!d+oWOPtvgn&5wA%qQ7XtiVxYBoBhny^pp<P{dk`L<0<>GWqB)hr<A_@Fx#SX
z?X%kcZBvW)9=q&r!O7p#-~PGd-`p@6V+Eg^OLlkOaq(FZpeB*7n9Q2aSM>Pp5!bgr
zoS%trI%z#spwL@w%gms^3#5&HZ#!}$|Ne5$giSkSpKLvBKVw(VN%O87za)4P&T<}l
z!nTud+D8rzg{6iwm5Z6buWDtyl~52c`{~1^X<XW8WUl-Q3%Hxg<>$CA|Ni>-fwR<~
z+^bpQAaGh~p6?|0*&fcqS7vOS{Fq5;qQXR5hocV<&i_5@U%?qk<AP<~MV+=s*E#l2
zmGxR7z4}MV@_l!lPW^p#KHTj2KgP{6?GNi#EofnnsqO4Jw6daqmVaVetBpwYjx4F<
zlZO{P3r&8pp?;}(f^UOQyX=*^e(Op4o46;jv@kofnJ}zLEYRP1YyZA!PWn9i4t{)T
z_2d3ygE@<C=5A10@bZALra<K~e&0><n~yAEy5PM0Ywa9?xSt-OKd$dSZSU~wy8eUU
zqw}YD7QXtdU9qCpH;tqBZwI^IZN{dv`6d0CdgsNocuM4dOi!~9a1@GF)ChO$R|+vp
zKl6@rqp-7D*6m3f%5wS=Z?GqyX4l%sV0-0mF;nCLP5tgk2NQCQT7S7Y-SZdSdHsP_
zd&cp#vkhHVRf<NqU04;-QWAM_@g37MM`!Ia`>43|!cHF5MzND|!Z!~jcBwl?Ea5$4
zrs8`($nDwHl6QJbS7+#ajl6l3+j-)VQpUf^s{-VIJ$^r}z+NrwXwp&EQ`aRjoR)8`
z_0sQ;j7xtkwllBtNbyqt>zRiodSaJsu}}K<f7{)ihd;{P_pXdf{HB_|=12UMoPD7$
zn>7t{_URoyy3#U#o~eAk)7|p){MV9GgD(~a^4!%<(-mKla<p_}UUs!*)yg{?B{xWa
z^_Rb1&?UF*N}19VH_n;1*QT5BUDM-E@Bd>nD?qgUnvL!1`?~)wy_j}MBJXC(#mK}h
zTHCk8XT8gIP`Uf%YJ=>y|I0ay?z!H`ZGUBQ>&J~RVIQ|%JRo21)$}XVW_e&sK10%S
zA^u6v4)^SfTy@UL<QcE@>YQ8YE4?MtmhaiI|7OVB8GO%OZd&%Q-54Y1zV669&+Vdn
zyIhZ$Pe1bZM(kU?_1kBs?_MqbVP#(X!(9uigg^1y=r$ah{?m#{w|JSxx>uH-9gCA>
zIQO-GT=%o#i^-*%v$9@ntYKTd-Ow)Qy$bK5Xu0j##rz9TZZ9|!z5nk4jZE7Oq6b78
z*k43^y0_`ko|?2<bsH;p*5B7%dHW2rU{K7dIj8hu!cI@QWPVfLE`GzCHRZ*(v(`nw
z3_81htJloB#j);NP4ZknX|LhqTKJ9Q5u4)|;ncknEE;dD;@e)_Dm}kozh29>d9xyF
zHpkTUOD+^yS|pU-)U)b<k?_fBOXY4B9{XH4*>_s;jdQlo4X17O`n>eoyIoT@{1Ei^
z<~t>QMQUx_!b?-ltg;WXIhfhK3O%|ecjb8l!wrl_Q`}YL4yWDp+!j>T_WVZJs<WRo
zq&>Z^U$ymS@5-EfnQ7sjPQ8cuJCi4LIkw6Bg;{)3Qnr{Ftkd1>yf#g`(pc=)4tM`5
zoBEd*^S%Xts8V_9yCmX=MDi!IhoNQS;xiv_TB+W0rf}w+x|KV(CoKBuJ5BqO`JBTg
zm7JHptJU4m2iIClVs95ooAdk?-FtQBs=3#~^yb;E+%&1eZQ|^y!sh;Sd-tp=SIV@V
zbf?GYalJkxlY&Q5c+saxr@2(hD_IXP%lzDRuO>L}z0YCo0FBq%UoXkvi*IwCA7aGr
zq@DIGd7tplsfzoh*Bn?{xLb6yW_9RGfoS8!)15Cq_MR1A@@I!&TkS)~H_;a7X1B}6
zSXce$x&Kjbi=4=|`2|nC%Q$;~bs7E5TXo)d^I{K?17>SPf48m(t&#Z`Zhl&fVfC|$
zW46nuT1J&Fn<XFnsjakK<>JY-|4VPJS^d;M`cd7zP1zocpCoSBlRWF(=F_H+or9)|
z`0ro;w2pfV-`T4DOySG=UOS0=Tzq`rx>L4F_68-YM&h**Dr|Be1lqrEeB<zF&a&70
z%;d5SnH~RdWHNtkS#!R#w5MHePMHbs;l|_UFC^7VvzA?SSoeQxOwk#SUU9eMMRD9x
zTwL}$*F4=k$=^Nr`5#L*(K&PHy9Kg(E%ckYMlf>2y~VW-_s&avR~B#$RIm{c>zu)O
zwfT=vh3p~QJI7D5>Roi*d-I(H%d7)}OqQlQRX3;|QlFmn{lIC}s=vZ4p%#|1m8xk`
zH<ayS8h#$qP@DCvYum4lve#s9?7H2quE@-vx6AqQEK!p~E=-&iG7DeT={-F6_}YW7
zZuLuk2fgzOeD}5C*zP6=|J`g?WLo#JUB7wwj@7=Z`wLIWul>R2Yw<4dY;4Liq34Q6
z`?RP2c9^mAj+y(xxo5pE3%|T;`zC6Nv#Y_nkn71S&)igWnp%@CYx%;XaOUxVnH{b+
zyI9{p&`js?)%Y`I)6d(6rj^@obqB8qDKm=UK4?>-UiUO-cJ%f$58mv}Kk%~h_l7`m
z{tiW@kJUS_8kaG+2F#Or(e-hT{oIt@uF)at=X2z0*IY~OTz9AaY_UM!!q~ZQzJ32X
zXTqEn2Reft%;ugw92Lo&<o)YO{rOv46w++Zf023=*l(gB@@~@ED#n$UzIs_7sk!%?
zE5gTozQKZ|$I3#}d_S|!mHyt7+NBf9;%vsznS8_G$AxFVe{MPzeWJSQ$K~V%4{c-X
zuN)#(PBZ_cgim>6RduB{_Q=M2){XW*%Z}x*uIF8Ue^>bb-yi!~LUwcPl;zN5mYR3t
z+p0^mUKhEu|9SV&W}(IXwl?{tx+-Dmev$9DZx*mLyu16rO(CXAyNKq3={eWB4++k<
z3_hgv*>2kgm7cGm+i(8w;*z_k^=!)W@^r~)m$;wq@fVzpw;0~vobh7wb$_2fJvni;
zt~qz5Crzt+b@R#9=aM2HYq?aJeyIPk=iK<<iy}kFquzD$---i6IG^ZL@j7i|mD6dA
z4%)f$m*H=lEPk=swHLkyYza1cE#M!O&l*>Cue@)qv&*{sf2J;0Ze6I{xVPzEYYo2u
z>qE6e^YWDp@=iy#-(mPRk)6Xo{`{xDgn7R+m=8Z&!W^)~SLu3I;{?0E1p?)6?{XjP
z{eIZi-H+W_Tcxi0{^OtyZWdF4Css#`_VRnYbWZA<&LJ$drz63M%iHsWe#8m8-)sJz
z)jiD1G^yqmN7?q@)sk<Uny0?qWzT2ptf27BT5%Su(e9}|Je7fWr++;r|2l9T3!8%H
zljnz}k_8m6wHrS_v_8bfO?qQWL*_Qe;EmUBeBYuisr*W?!LglnCEr4sZEcz-u4c@6
zoZ+xyPuG;~3%9MauV3g9cF%Qj;pbJ4mFCEor*fS5+-3WED#LfKuYo_7efis|5`0O=
zo*_ud^=hd?Z@B!Se{)_rSxYWElT)>!Q=9vmXp!@!8QXhSf9mGhbg1i^wqMhq*PCV1
z+vlDrulRRNaH8e~b;juSptnxPrrAlhs<1VO>lbFk@qW4Baxv=3+QV|{0s;Af=Uy+J
zz4EFVe|lgg!y^wdizfp8r(Q&?x&1;{G}$vFk%{})97(C;E$8@Snzz_Q`s!WZ@#e_a
zsXQx7OMF<a8s~oS-o9*l_8|+o=u=G}>bWF#9sJq-??LP9kDrZyMDLRMdH70eS!dzz
zzj2|D-#Je7RAyARF5M8NSH=7P%D;tsrS1IJRv5g9?O0KFBcz5^_7Bf1p=gF;ju*=L
zDlzdYbspc>_V=iV*{Poja7jEeXW?X{*DdRn><=3*ekzr;cXGV$OJ~`wA2Q1#%)Wd3
zrETPY{_Nay??U<4b5*p>wO^mF_DKt3^4fCiNX8?}V=RmP;=J}Tvpzi5&SOzneB))u
zYs)CpfY;NkkF?*fV-2s);JCJ8{e=&ChgPdU?6U}8vi8HP2VPxSe0hE=p0aCgob+<f
z?7b(2uJ1_K;$=>}S#nBBJ>lOx{+q5J^<H*zdtN&3=6iJE##0Nc5B~g_vruN@_r#*w
zpVuPy8;11FGYaF|^?cn<{!VkIs6Lh5ENf@HefZUYdr{f>L&sX}tg`PjZRFE@y`bU3
zq>{-zg%Td#Iw@SyH*PI<6@O$HrMk96_vN1h?hk)UyzD4^8olJqhc9x93%UHK<z;3s
z*4q@@c6iZx8^2m_7Y~`~yRXjnDU7(1^~EYbbkmzaJ&rxb%cV-Y=OnFn)nN~>l@VXB
z9&XN=&@nG)w!C46gHy8x&n5M{M=OQDnv2&ZMM`sJIJ^j&;Xmg*x9cqxpYJK}G*gUM
z#)Zyy$XIlzS$F?)yMqr)Oy*5+7Px$w_uQ}j{Bd9F>g;~-{uk8T?{krFdgUqes70(6
z>un4e9=`wTr+(l0!_EisZM&rU?fBL0lAis&8FTHd{l0t0_kCNsPLXj|OY)WI!f&rv
zd-cqCaNFY6Z_Y(i?s#=bXSU>iZJQo$>o_IygV4JzJZp~46__(c<)-S4^FL<4+|lqQ
z@Z^-|$M5Joo4EI?WS`5CNgHfbk5;gBC;oVzGN)4YO8&t+w?dzMotT~Xc5Z+x-xPy4
z`stfQudlRi<llX{yeQ*zI*;P5se&DSSwGfs^=v6R`o(wF&b0#RO0I`*Z}~py(AtFh
zM~olu6xLeJt)0~;<i4@~#Bu41YadT#U%T<w>{on3_BwO7*RhFwD7>AXuPQ!u{cE3&
zdpm6fGAA3{(nyPxKB|+e%yw#lOSi+lLnhLWHA}8GuY2hH@bIRc{CQnl7&q?E_R{>l
zc=Cg?;AY>B<4UT=yzlgN3S$_PxAvz^f2ma7-!$vdKj$OX36YV%W=ytlyES9i&nK3?
z>gO}fD*Yy(EWTx0Ip>t^xh-D`ll((mqSlLkE!^F4)nlS*kV>z?$=!2LZL)B)@HhJU
z>u}1XB{5CzlWec-H#v5?-NswtqEf<{{)b<*=E}bdoFV^ID)M!z*$(;7_s{56+n=(2
z`*+3C+yB@>Ll1N2=H?w%;Awjw<~nOxpI_GUn1t{94>$GZZiqi{_y6?=Q>IM#@%ZQ4
z^u(u89m{Hd{`OV;`q$&kuI(%1;_V{@mMhHqYvH{3O!neS2i8pQTvf1^d3Er|FL|YM
zv-Gz)o_{^bRwXefyCJLT-9yuM%@14T6IblHdi##OnbU+>HNUpp3%<NiRxNIG`T3O$
zCMo)Lysg*#(x(glS{Hk@TPIGSp`%*U?nvyG)6ckWt#f=A6qFS()o)H&IQKn<S0Rbq
z8E>K(;!3q8t-OUw@5(Dl|DIFU$r^aKZ^BiD#qGZR{Ws!&yind7Y*BSR^T&yofeZ^j
zUHJRGplwRAr}46Rx5Gbr@1A_jU0e9v@$}UPjz<6U>x$FkkKI&zU1VqJXMKY%-sScg
zU0!*9cb_a(%kGF-WmEKCNciCE6VcapR2EAv&7GhuYVb}rafx~Cqun10ir+{*xu2}y
zzOr%G_bu7c^OiKvZoYQfCYOt8`5D&o!h`A8FEL--Z));m%QLwM@$>I_e#)JH?{quw
zu@A$&qB8ZbaXn?%ye58=)_y#9t><Hwqq)+rQzu+%-lDLIw`itGZ06av)oXv6gavKh
z%JB2rLwA8ATfddhiM8RpzRT0%$7kuI=2ImEId3?(1Sbf3u+6R$eri?nH1AL5U#mah
zXr40nwBKO|9@p<RuHQwDc)P|P<eDPtQNyUQAdF*0#wxvl|8qa~tUoSX?e=n2_pO;W
zbA4)x`_m$|-SfCsyWNa)I2JnnE(7nxWv!M0SzDM@wg|q=Q7>HXE<N+d`ONsMGcRr0
zs958*MKaoPNw=uRgL7MAn!BDYEKV>zCoQ7$;^P9zQ)|S-ispSjA#<1STYLJf&9d<Y
zry|m(URiTpIn~!|lX%!7qv_K{J5KQBta6JvHdQRR|IC(Iwg;wpuZ&tIt6tw><{`Pt
z^xUjjPyA-gpUb(~;+|zgifMG)&AHO4Ygvz;Zi@S-zv6Jcp>?c|{)_OqzuNp~G<bS)
z1;eg<IrVUwp_aO;!K+SFtpMqb0`*_NUY57<-*oAZO;k?W#sg&$!k-`Jo}H)o#A(r=
z*6Uvkwf3K@uatlE+28E<_qb>FE0W9^U-GygiTSRkTDe!*(X!v#qiacz^34M#&$kJE
zQd@SD)0|P}v}Adb)-iT3@x48j<sI4WH#xJyPhF^8&s?^kwdRy%^pS@OY)`J8J7AM`
zL+CIE_m&BYpJ#mx_y4uJR>bFsSwqmuw`QO3+)VOU{c0+Fto%#!+$-VE9mh&`I~$fN
z<uHaSyx7zwR+2V{QF)WjskFY_mRTEFU)cP5w>JL!=HCH1PWSHDeYKK#ccw1jL8{bx
z-;!rrUCwP0`7Wf~^!dhRYr~Wydz7whGY)D!WbjLR!CH%#qRF8imWOXnS=!CzKWSBz
zg|i+1r59g%mOj6eAa`hT*Rj+{`Ru6rZ5zw>M$Hh2U6H73(!m^Ec&<=v%@+Q^uAl=?
zHk;mlQ^z^A<ef~>(Y9q5b+e-QOq5<XR;l(kdUF4M@hq!O@?Gxs>)yYnR!4u4zSH+U
z@^1UKtJnOxk0z^S-&;^BTpG43Qp;6=D_qkmyOw{(gex;PL{?7_3F`c?uGM{iPS1~v
z8f>CQU+uxYLMIii@-s{<%jI-(WqycW`S8QglvVe&iMgp$<bNKW!oc+t!Was<6JCEv
zXwPTf9HWt;Xz_+g@kY{<M^{30ZVM#7zAd;s;Lx{%L+2*>vY7cgn6kF;+wt!f3tXy@
zUwVpJelo9pu8GQ#%luoiStF0wi<DJp?MeA?%0H-}?TwxLnp_X&eq$#o-V1C0YRuDX
z3ynLvGT?L9#@JPDC7EVvzgs@=-u<vm<%~>G@4+`mb}PlYWajbh>%4SF=BbufdkU-S
zm+l>mJ+Y2LO$I!Fx*kiuulS}~`ofX@XrR8#pWSzTX9aM*=wy~;o3$a+_~bgKZ}T(_
z*FJdoOYU6Z7s-~FCQYdq!Z&-{D~m9hsGO;uWLA}N!;aZS{coRD$tQ;r>$2&MdzN-g
zx9+o6p1riGr}Bx-Bv-YWyTorv@6FqwXE{$>EX?|bQLN*U{VK=Ka_2f770a`D6y=l8
zZS?Ab{p@thV1c}iju~!7yy3O$jTLMwdj&N#P5#zS-`C;g_tVFr(UR4@{vrR=1v#(f
z<r!^nOqL1JFIJ3>o5#hiSrVIR{y%Z=0r^E;&yA1q3oD7=>x;U6hr{kj(diBMOzOeY
z3`=6;^KY98)K9Z#eLelA$D$6AujR4Q=7qZ%9EFZVTIEQvbWKSz<(qTM^D^Jx4||ne
zJ-1EPz4s^Kq|LoRrGEE$Yj)qSvf$o#m%nzk<HWCOZu?*NbnZBjJh#Xp`eAR!+;`f4
ze+0a_{Krkb#No_EE90EGU*+zv*!C>!`l}ABS;^1l{aXKY`8LgK9D8%ich7B7pT6?>
zo<;n#<1QM%cs|!P>#%aww4-s}{Fmz+WfScBBPEX(O0cc!`RjDjg5QFB@{T8tks5Lw
zVu81u`_uP%oLm@j=9zcVH{lX5#^w)EubP@&7bd902>f1F&hl!ukkdVVts=I0mdbIH
zjO@QMAF_Ei(YC)jj(_4c&WiPAilxh+B-I$n`5t?b{bjlpZ_#|7d$uvcVs7)yugLu3
zo_Z*3pX&_G$=6*^am5RXRe4@nsPNZy;o0Q-@0=2PwzmAvytpXcyw{X7pvSkhQfHlD
z!1m_%ynbeBXV<nid~yuky5(KqzlMUTYX4U6FZca+E@S)4T|JI7ck=MKtzLIA*OW0T
zw&V7{hrcIZY(J@gf&H1!eG#@jFAR1pydBNDJpZ?0{`qWyUpJ<AsU=Q1vM#zM$VI8I
zIYYE%-&4Z_pWo&)o2}pY%<wy_pZ{g$ThdoEw2m1`KaOP1FtJ{ur{t}-(A=<XQ|t2W
z%r|>N^V6F{_yu0%`|gyA_vt(D=Q)3;-D~q-Z>AQ$6zyUadKWgWl1VD|(}b=?Ax;+$
zERPY1Q;@Fx7jgE<9GTGhc?UKNKl!@YXgT|aKRH>SIZ6%HOuU$96`f!4xzByARlggz
zC2yrypCAWskL^22IaZ6`98xPC=Vx(L*O+d)n*RI4i)~D?VhW3$TDGwNIldtH{;lP{
z3#Vr0WnT5tPyGH%p8XD^pPqh?*Gi|yoG;UP%{EK)98bwxD{U0Da0Yv{_hHesJEoT3
zH(Iz)XLa<`S1IWlGi$FN+Wq0#<kQ95_ipZf<Q-}wmZkrH+N6oInjUXxP@Voq@j{J5
zd-t+4e{WBbJtN?o_U@ec_53Y8jVup;)NH(D`Mz{RpzXb#pM=+~@K^ns66A3#<%HyN
z&nfPl?S&6{uFX-ATz6J9Vq$3F_B-NE{5SUXO+WDYZ?E;)?JHu=n;k6{{K#Rq?(}0D
z{!kUx__?{!9Hy5Gx!L9l&-uxAPp;qYU8Nse5#LpVXR6sD88g0hOy0eDY4Qoh^Bd}o
z|7LLL<niAK5L~e5^ycR}@88b}{8l-A&*Am<qRZSvcFz#`vi=@lfcQD7#<pn&x1K1R
z^I3Z$T5rihwF7BU)-H!GYUQ6;d%={cU-w}_^W)IFG42VMWl{~}&VEuX&zWi4CZo^7
z5jM@1$+1{RcCKyW^egPK^LAf8Rk?_NVfNaKT`PGi&V)Yd*5FDOJnVEVb*01X<f$7R
zTIYpyivMF@{8jK7x86aKE$9844N|{UE@s`QdU8|L?0~5S%r#LDq|Z87rv47!GWUk^
z(i0DV=9|t)mNmJya?Rcy&%TS^y~?U)_%lkI!z)NyH+awe8>U}kw{KAUe|?U~l%}l#
zI?o*i#9Jq%N?umznBw!`_U9EEmcohq)>;-m<yPCEo&8zxq>+a0ef@-ueUn()?K_{A
zJ!5X!dnU)hRrX)TqfIZ@mGu|QJy-I4vg5Ru@ypCAKK6ayCc8iAOrAky>*FOU1vV%3
z>RH39YCc*kH{bTsZF};&{F1Jn{8g3|#U;uw>sBq)-Dfl-#li5AU#ZCHlsR*QPH+G0
ze`VLsX$Qh?JlGueuxnimf8<V;kaNpya!<cjIq3Z756|ZxPggZ~{e8dd19)NAnb=(K
z!v+HX_S6dsn7OWfd3sZs#fD9*noIj4+4mV<(rG;;!Tk2d`R|j|UULZ>2X46URa~z4
zeM0rSODd__tZWIoGrBYz9ds10B(L<o-F`%9=~)KeRZBHxTt3IzbbOCzY6<yzUO@5p
z7Ji{m&4OxOsrv-=Uvtlx+;#REcTVV>^f_LK)L;HiWa844RNnV~tKsu$t%hHp&G@-z
zv%F?o*Xsp_B3kAVa|Ji<UZvx7I<x%!<(x$o7v`Ti_E1IA_SmWPy>f@7b&T!Ket&%~
z^ljhLHwtq6i!G#7zfbnsC%SFQ^b4yCA|6Lq8^oxGJ_|g4rtzC!@0-el;@_5iyMN>G
zr1NhhdLDhacHqj6t2ZQ1%U1<Wo~y9+u7c{y{L5xvR5k>k+c0<Mjn)^Z6wak(w#nMx
zm^9bU!*R>Js0@ya^__a+pTCO6)_Cwt3yj@7cS%D``}zsO3=d!4+VMIewy?nTw&0Jm
z;cL3{icZ8Xs`xgc<)n^`?aIxLtD_ejxx4Mf(_fOZmMuHxZtrTlb5hvs)umlo8r;h#
zoPOQ^=-Q&(uOV~yuJrXtb(o#i_38Vo3tSglv)+c53sg*bFfnYeoYFLb9e)@ZYCrgc
zn=4CVz5Q=H2<-c;UDVPfdwb(t_D2DVE0h@5hIGnlrL3Lb<&h(GTl44lx%p|=Z>(^*
zQshx~e0Hs&we`QW@@08K3=&IT9^hxX@LJkuy5$oe<@?vaE6-vt7QDVd@QtQfwc62X
z_x~PEfAZ;e>Xtpb|5>@YPfXaXvUskH`iUJ|#B`>v4r*n3qxh_QTZ-`|i4B$PJElF_
zc&(?_W)90t>391(vzI?spFR8V{#!lH86Rh_HS-mHt)*64uy<9jA=kT|Fa4RVjhgp%
z?sj2*wDWJJnA^g9!{|uYn??MIyxi%D{Z%@`JGpb>r$6X2xw`%CgC+6xshZCo|GyGx
z9~9H9$yw*V^PJAPJ5xeJo=!Mt6?)EO!Sy8fv+0vpu1@+IRk(NeuSWBjnwPODi$bgl
zlUid{)MJz9{rqVn`%Wn)<{O)zk=+xAN0*mBc<t~(d&f2AYXaL_72fP9+Ivs3p<7o(
z>Puuoi~U}M89(?hn46icl}@l;{Qk85>DkhKMj?Og><rcCuFJRo-LvN52Y>wt{ufG1
zSW3;mvK?gh;|eSns}Yobp?}W9?dfIjJsiRUJ&P}@t}Xj{P^P-%)K>?A4R%`&Z1iJU
zEc+q%+_$_}a@_s*CcTf*S~RauzR=M4Hs5vglrMYT&KWSaYYA_EWjOglzr5JR|F0_F
zXzDARe0}qq%{>1(Ij`CuCUQB4U;VA+6z&tj61E}urxMeV5L>Ig5~iies@XqW-v!<C
zE;@8lrY~9GwXo!*zS7WDUsv7y{Oz1ep<AoSyGpkVvs+xNj&6}kSiN;s*+n;7<F%RJ
z-mLOiwcuXF5wTR&)pNZkR83z#ahi=!!%7#c?=7Ea#J-NUJCv~2>sHJ~-3zO1MBPnJ
zh*+$c`fXB8P`}oOB~8m5=6(AVckWA#`yREuR+Az(Tl|tu3V!v{*f-MPLgMy={Nb!B
zR-VOMBy3d^bQ>qF-EX%%d~&zo*^>9qc3qver6sug<Mm$#ep6ZvE6!K0?g)&%+qrs=
zf&a2?Z`D?IUCx<S-Cmd!e)ad98=}H~UtFRxjcsgmPG9JsrB!t$b4ON=+etOs!&hbY
zwWyT*txYpoxR!T$O7$$uzb>DiKdbaP^La(_9!=@SjRJuN3miLis!}(8_PQCqMcdhl
z-Q!rm=P#A(9^dWO;fs-s6*>9f>;jGLixOX^+{{xso4hsm_mlj$-ocOkFU0P!P56;t
z@^Zc#=hmbfr{uwzu&e+02KH<J8h-E95i|-~xnN?%0_IPRYAPH(J-QB#2`NbpA_o_|
zI4ZqcAc%e2A`zLqnVJVmCI+opz?z!<sN;KMSLuq)3+|a2vsX)RyTc&%Sy}BK;~UxR
z;#+PXia%-Vl|15buDD^b&H0gJlj|bQ8*&Hw?)tS0dR&>6bVMQ1`th&*<?`jrCr>E6
z<!8TiW>4efcU!k_Uw`}d-McH58OqAPU1E?(j5_jbw>&%Fnuho9WVI|>jNiLEwY^UY
z$-YyneEwABZ&j<nNf%r*%~kg&%?rEyUu){Idt2&Wysy~(`^cG9^XjALuAgu_|4C$}
z?W0%MPMO+tua&=$nZxPu^<-~Tr^pJS-24L59Ugh|s#&oi3%_QxcjupGkj-0DHc|BH
zxl8N}tEZ^SmXuA>`^YEt$lFPReZS;(&Yq@QZS!8{N$=6Vf6iushuIBpmFmn_1?3A=
zSTz>)hre0E@+#CcCdk<6e6>I^Q_5RW@tJeWKiU*)+69Xoo@o)?n|`omRe3Y#(oB}U
zHH}MWoNzn&z~6VLrt_ab=Iv1m>sQOA&Mt{Oz|`42sit_=iA4)GT+!QQvNHIK?+1@%
zZ#C6Vzb;t#Y4Nc)?~ImhSa<pA8Xw+;@(04xe?0wCqY?1=$E{c2qty?uUUp9Q!Tn#I
zht*Vrm%dnO_^UKf*mn2*e@vxO^XIHH-gBt4WX{7*TZxWynekg#ZWYb>R=NGEc>43d
zn=d!^wjbTMUg6w^v(3BOEK*-NKbgGm02kksw8_esCWKGnGwA;wD}MjqvrR!V_H$?H
zvff|jb2)BV#f*s8hf8Jj7k$6_>h9fG){v?zn^qg=X|0mmSkKh+X?cR(%(V&8^$oTW
zybd<|>`qNP^z77>No*5qjlVgh#^}qmKg`){^5E6Vpt9<<lWbL@o$Z{(bAzf<az9;k
zQ1>cd`FZjym&-MsEXvDQ&6r<wtKzHlH2%e`UAZBBvv&Cu_o|ucbLSss2#Ml5(f-FZ
zA|j|JvdSUiutZMD*EuO?%|Z^UPET6&a>Jc{-D3JGiA!A9PqVu$tvKiY^M$*7R2DJV
zDq6gI&-?UB;KfwVehcaOJOUceRi>=U^IR6LExi5Z_c_Tw81F3lvcpVOUq;uUN5919
zkI;;ZOLQJG-OsQ8>+4&T!QZx+d-wa2b#C958jFa%?pEHbbVy5L$(|sMZe5mK!C2Az
z*Gm7NGOE6|J@NTXCCR3rA~)mTf4L!cB>O?5;(=3w4=WgV`OdOBy~(6_QnIIS1N&;r
zs_U257M&?-+^ocC7Rw&ypCc@MEb!FS<;!;jDgW%cs6XY7%bl&iEc?&QfA~o4ugL{n
z=3N$TiH0)C%S=B<U5(~S_1t#4W$ny!M^c29t(710wYe$_FEVmp7ipyJGwG&@<T=f<
z&AVzB>rNN^%)qtq__JI07DO*QKbf(1-n_3r8fKr8nS4uo^;;dT(%UlvjLIsfhV9$b
z9QQ>pb@B5*H?0<*|2*%kiM;iKvJC|vx?gQb{ccg)KPxuyoK}aD*)&6e1UC^zS-bs)
z;i}K{W9v2adu7&`oN}EdmR7dgdy|S+tb+BE2hBJ7o|<p<wDP+yc6-GJpO4#w-*7Nl
zdRd3Q6Uo$k({pH3K+2yPhn9R`c*vs6V5s?G%ba&F{<x^^+0q|s{OVLwmpbo;6WMWl
z!!ESfFG|?qZdQ3!z;L?71&$UW85W*bTh*`pcbb`<zfyCbZPFb5^zLVY+c*mB_kXi_
z;JN<tB-N$`3y+yCjmbAq^EJu1zQxzNa+7g~veohF9tQ(dRL%e0@M&Il)?>?0$x|uk
zr?0EYn7lZwZrgg5psm%%Iou`xN5~gTEUTIFX7h~ZHSbb8KLjXqUc7o>xBla^&jNeu
zw+b!#pys_V<!(z8i=6hsH8&EHw;E*|PIHv#e&p!UTIpT-|Ad13qQg9CrptHST5~Nq
zK&7^Af}Op<OlcmE5|!0aXD@13=EeNHZo~2M=Aws67mt575)%Ee{Oz2WExSs>diD2A
zirVW^l{sbJp>y9wyPTqTX%^=zoV$`3?$L1J(o5Azp1QiPzCX@h&vCnVpY|K2H`(*Q
zb^MMH@)N!Dl6%5dNAbm?P4;Y??EYG<a!EbAZr*C9L*mDZ*RS5F5&Wm<Y5EUi9qWzh
zLZU&B*bMGg3rt_@A``ealjU%&Y<oRNwx8U;e7pUgD|l_|xE6(UEB=Vvv+v@Srm(I+
zfx{KiEQ_qTCEo7iP53`~-|gvd^=f>Zo3BljzOiA_jl8(?mL=wFhN18KdFI{=;`eoO
z-+TXb6Z<>+!~f2zJ*|1)Ydd|~$_am;<k*HiPW*iG*p+9-4h8d@4zksR-F<RUr8{xc
z?yf}_3U@j1K6>fparkk`!Oc@AoLa8sc(DA7NJ{l2n}-vZvz25yIG$E6b)Q}&zd}~8
zRdSi>|02cE>i_yr>bFdY|GQ^#?)ikf3RCX8o{~u5+P`CZIA^%yzEgq$6E=B@DS9kQ
z`NnnB^g`p&_WrE(-3vk{b$?!P&7<$+(QZA%d#?*lZW3PeTWyJOS9F*1qf~XP-A>{k
z+?MY1m)!8=OT;gQXIaONx$iGlxL#84(8zo{VPVAQI6pl_i!jC3O{S_-OfO_!$Y5u3
zexR{=LZYA6L5pJ#(^oy%J6oLJ!iTr)<l?xD)%7orDsTTWW5et4FW<g@dbP#;NXr`)
zj>-!RKa=b`H?W%iO!?L+a{6{*^R3@&zD(Gxs~Wy8bE@fa9>!UE?b&O6`mVj%@S^(g
zdyU+PSuw?O8qQgFrTv%h?v33ZB>DcmjLDx{I|?_HS<JZJV7C65?Gk2TE6v*v9}DeS
zxHWH+pyjr?SGr#Wf7p`izJ%9J!bJI$=JaQ(6SL!j_61LF>)!tP?%u=9+wH#bWnJDo
zx3l_1|K3~wuH>71yDxiX&#}a!=-2WwJ5GFGdds$E|M$Gj`cs!ZTQT(;+x(yGs>)82
z&&0o(8=ZgIK&0XRPtmlFwXK(y=FKwmVai>^#JP=8R)0^(&XNGf_HCZkxB8#Q<Q&hN
zY{Ge0VnywZOGoTJKD}Z2{Kx8KhgBDtR`%63o=bkJAS$dRv*Vo7)mN-(PkQR-$1jzf
zXS!V8_fWdO?K83K_X|$EySab+sdcfF{%>$!diX7u4)eSv5^OGeAIx>yvEwz9)nUQ?
zOESI*d)-u8z|HNtS@CV2+K1~~J~S4^UtAqqx<}&q!<Qnn*}kvl|Fi!<&dhZ;WHz@d
zWlp=q{$F%+Xj7!8{--@6XV$Aou{>1poTTyTuVB$l<(bD8t9V|%sL*viIZQI@YU^$F
zc|3<rzG@|e@#wvH%Pf@~R^Q{?$@?%MNtSQv&eZ|;IgVN0)2QDU==x7A_Na-|yZ)t@
z{)B9oKC@^6d(?x<=xML=H-%V!xgxde)Eq|H-{lqBaso@UuUmDRt!z7dK>k#T!RxZc
z_jZ0+9PvxEQd@adOti1jm1_bUFFgOS-8@06aeWqF`@C~v^$9<ucP;oKJ;Rd2D?q%m
zY(wy$fHXb5^BjEA!VS&S46N4nmuf_Ac>TF4w@#Pwrhci<OY5ZRs!eZKPui4F`s=`_
zxtr#<>)+HrRb!Y~%J<)0+l*Ul*-iE1pW;s_Mg~-zI8(lTyVKlDo8@+?#B2*od~K7>
zz4w#zG_H!SV-r_iVwsV*^WTGK9A(8vgb&V^_F3LO`Q-G+A4P65>wLQS{POq5!d;cV
z=jGOhWg6LKf9?@$S)sBwal;bTrB;i0cZ>clnBp#5rXd=#ZdqBv;TdH&O%HwOb2HzP
zQ2VoSWxHOSc6rX)%e|M_6poi~{Wh&Az&d_{Eo0`Ji|ebVR!vE{;#z*jC6@E<#-MQ5
z@}_;|d}&b{lignQ)w)aHmE_Z2V7>0<o}=a4ew-7#e^X;0^Wx77A6ZL%Z}9vx`E>Oi
z&Ku6cg^D+r!`}<OX^dOR^(}+j(bj#_2Q}N%?}gtuhGwySyYaf>Rb&1~lLEGwHO#+X
zyS}N*WxJ5D|EA;2J*>HX|3rdKZXMECnla-@po*{CMTfYme&&Dnmaj6*_et6^OR7&^
zuaaX_H@nfOWOBdF(?cJRU%t%$%rAYu-IZf$5;GMGO*cqJZCrLWB1d7VWeE4u@`_~>
zrX1{^{Wxh}-1;}~IkUW3H%x2I=j-y6xKdOYd}{TVqDs-tH3h*u>vwGSENy80snHbi
zic!a^MRUr^q;`|j3Sy=~uN`!bg$Gt{4)kGZ{8$zs5qV^{)<fAQEx+pBYfdG}uHKXo
z*19V6+^Q);e5>wV@%CT;HdH-nsZM&^ua{eITs&_5DD@kwb&mS{l)$q$TK|W7Oq=?|
zXVVPzkGpK9f63;`Z&u+p`FMA-&XxW(?UE-a&6M9Rd1=yJkEfb1Z*hI-lJnx*lN5I0
zCnLwxsCf?IoKAkLo_V?-aE*yP;5tV;Aujg79Y@ZUou4?RV++O4Jm9(3k|1f`bt;0h
zZVT^(#K#g*L56*a{d?6c*tS=s@7#V$ku&e<xg!416DINJLL?_{)R}7IvMkO&Bk}e;
zjhCHD$Bxz>l0J7diY<p_`-;Rc{=CBL`tN1(60>(GK3F7PtGNI7hI1Cv&!`1n=!)H6
zb8e}@>1USW(T6{WPq<#B*Z0n1h4)V79oK$5XuKv<Z1}tX*h2Y=l~ar@rGC`TJhji}
zd#cfwTFI|VdD8a&sJZgp<@MbkA9^c3dj014y~Aeb{*D8lyI*z0|F&Fyd-icFw!PE;
zT16axa<@?MnqUs!>wre<s6xYqA6~!bUS=J2EcWsBFA<!}v|9DjqS?=Wb+g`PaL6%1
zKz7rzv$4TD1=uT(q^;|1DRHqA`ZS?n!u>aQ9l4qf1XwSuu4wEkRqHICqj>T{uhQGU
z3k?mAxvpHWWyc4enSZW6{{QspKFtYR89b-<REwNge#3un;O9Sy^Per+CV4`V)8nYe
zxejMTDO<_xNR2<`EExgXSvOXPty!MS9CXJ$*8gufTL^ne=v$p9&gq{R-{#&r#C6}S
z<*OFMo5}J07U@sg=Ln?o>m2<Xv-fE`$03XO`16k?miPaA8nH^b@2Pv%Qje(xjTsw+
zH@>S|IkkA@RC92b^Ux-()+ePp9Hx@aFI5)u98%{@T`)%_C2v|%Vq#L#jI<TY(`O`Q
z%*@EkoamC$)h6xwKxJW1jE#1*!ln<4%Z!RPuFqlgeh_=JX^E0_7Eh;kbb?xgziHD3
z!P8bo8`kHXRLD=|exk+tV?maZMx#*1&WG9CCvG^wxQ_k0l*E$>$2Om9oN>S@l6kUY
zx2XZ!vj?9p3Y1iFr=H}Tv!J0AGLiNcTun)|{rB3^ohdH5A~?~N<ATXT){UY|-gV7h
z<t#YOBf>Q#!Q)T)pSd+ze14aLM8E14C7EyBe`EdI?fzR1SRY=RVQ*IRq-#RRsu#{q
zv7Y(TL7dN=%;ss{tWZ0seenm2(h2Pxn{$glCh|-3Pv!rko_Q-cIAUvWyTAOK-5WB0
zy!@nO5;isc$HuQ$5`Jt9JoEOwWSv2d-ZF`w`p4>?ly}XlJyK(SVZtjGsi3)z&f<?h
zzcjKwe{6Ey0>w~fsVXsMsZVL;?%OY2Tw7A2ohxp(q>N2^Q|7Mh3nv{Hy{kAYe|=8M
zoDWl?w^}<s-&MVRa)-I!A+gpkSEqj}x4rA}H+a{?uI17nJx(ruBIg?*u<)>NfX<{J
zY&^?PY?)-Y|IFv<Th)*1ht_V=&p#2r`_1ENLY3E!>n{BqcaNc1W3TIVk@d%#qqPiH
zuKC)0$mUstjQcKGiIwNMYrk(OW?cKJ_Al@Lo^`8#{$%l=cw$?9!}R01n{?)?d|rK1
zisjAA`p3~iqFVb@!>5`ZDi10D(RU)}ob;jc5W!#5ejNJyW7;A~>nw$2cTvH8s+axp
zCkb1+-Jf(j!E~SMx?}1Fx;=^?TBaK}s^=<vu!ub6(_g17!@QmIVIbQfW>x1s7p!uM
zw#|swwTp|}KX?D{Cm#x4th(j3{!C2jlpBhl+(m_cT+`Tk=+x@P|CUH!kq_N+B#h^)
zduTxYjc*CRk7_&?;+_3N`@_Pgv-vl_Zk5X@SeRJG-X5~1Zsz^jseEgb6L;&!i)ruf
z?ojIOYR;P-KJoPNNB<nlg{~YteaP9x{r$RnhogTz;!ev-D)ZVXEkF48vU=XfIZroS
z;NANu@lk*J2PH?rX#ZcAE-1R~QrfkMxn1JeA$@DHb8-pm@4dOv7M<q(vfbT6|8ahP
zSWb&{Yv=A)QO|1r{o?rKa$YF2F8b88b;{OXf3ub<cD0lQFj;kYH}@XhdTq~>!*SwQ
zDyu(ru<N{2NOYTV@Sj}ivkcjUB}qy1gU(M|d$9N0<+noO-;8XUooDmp9J7erxnX|f
zyxAM`o12zsX?l2Rc+6J1wY}oz(PdfP)2CcHU>C%E(_Nx^u|ZyRhl|9I#UFe#&Ob@+
z2~qEvxO}SZl#2ng#rJE=O1iyFH0V*%i3{7uIb9>yRq|@;O~z9vItzYIT^{##d(@si
cH$G;%^<KUcHrMRRqp#vScO`z3n#RZg0MVglLI3~&

literal 0
HcmV?d00001

diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix
index 630b6b82446..dd76745e1fe 100644
--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@@ -42,7 +42,7 @@
 
 let
   version = "2.32";
-  patchSuffix = "";
+  patchSuffix = "-10";
   sha256 = "0di848ibffrnwq7g2dvgqrnn4xqhj3h96csn69q4da51ymafl9qn";
 in
 
@@ -59,6 +59,15 @@ stdenv.mkDerivation ({
 
   patches =
     [
+      /* No tarballs for stable upstream branch, only https://sourceware.org/git/?p=glibc.git
+         and using git or something would complicate bootstrapping.
+         Fortunately it's not too big with 2.32-10.
+          $ git checkout release/2.32/master; git describe
+          glibc-2.32-10-g0b9460d22e
+          $ git show --reverse glibc-2.32.. | gzip -n -9 --rsyncable - > 2.32-10.patch.gz
+       */
+      ./2.32-10.patch.gz
+
       /* Allow NixOS and Nix to handle the locale-archive. */
       ./nix-locale-archive.patch
 

From 88fcd687d0defd1aee87733780667a7de6c3c3e3 Mon Sep 17 00:00:00 2001
From: TredwellGit <tredwell@tutanota.com>
Date: Tue, 17 Nov 2020 14:38:25 +0000
Subject: [PATCH 31/43] xorg.xrandr: 1.5.0 -> 1.5.1

https://lists.x.org/archives/xorg-announce/2019-August/003018.html
---
 pkgs/servers/x11/xorg/default.nix   | 6 +++---
 pkgs/servers/x11/xorg/tarballs.list | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkgs/servers/x11/xorg/default.nix b/pkgs/servers/x11/xorg/default.nix
index 27a2b47387f..42b2c69f688 100644
--- a/pkgs/servers/x11/xorg/default.nix
+++ b/pkgs/servers/x11/xorg/default.nix
@@ -2744,11 +2744,11 @@ lib.makeScope newScope (self: with self; {
   }) {};
 
   xrandr = callPackage ({ stdenv, pkgconfig, fetchurl, libX11, xorgproto, libXrandr, libXrender }: stdenv.mkDerivation {
-    name = "xrandr-1.5.0";
+    name = "xrandr-1.5.1";
     builder = ./builder.sh;
     src = fetchurl {
-      url = "mirror://xorg/individual/app/xrandr-1.5.0.tar.bz2";
-      sha256 = "1kaih7rmzxr1vp5a5zzjhm5x7dn9mckya088sqqw026pskhx9ky1";
+      url = "mirror://xorg/individual/app/xrandr-1.5.1.tar.xz";
+      sha256 = "0ql75s1n3dm2m3g1ilb9l6hqh15r0v709bgghpwazy3jknpnvivv";
     };
     hardeningDisable = [ "bindnow" "relro" ];
     nativeBuildInputs = [ pkgconfig ];
diff --git a/pkgs/servers/x11/xorg/tarballs.list b/pkgs/servers/x11/xorg/tarballs.list
index d4773075a25..4fc3f3304e1 100644
--- a/pkgs/servers/x11/xorg/tarballs.list
+++ b/pkgs/servers/x11/xorg/tarballs.list
@@ -61,7 +61,7 @@ mirror://xorg/individual/app/xmodmap-1.0.10.tar.bz2
 mirror://xorg/individual/app/xmore-1.0.3.tar.bz2
 mirror://xorg/individual/app/xpr-1.0.5.tar.bz2
 mirror://xorg/individual/app/xprop-1.2.5.tar.bz2
-mirror://xorg/individual/app/xrandr-1.5.0.tar.bz2
+mirror://xorg/individual/app/xrandr-1.5.1.tar.xz
 mirror://xorg/individual/app/xrdb-1.2.0.tar.bz2
 mirror://xorg/individual/app/xrefresh-1.0.6.tar.bz2
 mirror://xorg/individual/app/xset-1.2.4.tar.bz2

From 4fe23ed6cae572b295d0595ad4a4b39021a1468a Mon Sep 17 00:00:00 2001
From: Joe Hermaszewski <git@monoid.al>
Date: Tue, 10 Nov 2020 15:54:52 +0800
Subject: [PATCH 32/43] libcap: fix static build

This makes the build correct when cap==null

It also patches the Makefiles so that shared libraries aren't built during the install phase
---
 pkgs/os-specific/linux/libcap/default.nix     | 12 ++++++----
 .../linux/libcap/no-shared-lib.patch          | 22 +++++++++++++++++++
 pkgs/top-level/static.nix                     |  2 ++
 3 files changed, 32 insertions(+), 4 deletions(-)
 create mode 100644 pkgs/os-specific/linux/libcap/no-shared-lib.patch

diff --git a/pkgs/os-specific/linux/libcap/default.nix b/pkgs/os-specific/linux/libcap/default.nix
index 7931e35a844..713c4b5d13d 100644
--- a/pkgs/os-specific/linux/libcap/default.nix
+++ b/pkgs/os-specific/linux/libcap/default.nix
@@ -1,4 +1,5 @@
-{ stdenv, buildPackages, fetchurl, attr, perl, pam }:
+{ stdenv, lib, buildPackages, fetchurl, attr, perl, pam
+, static ? stdenv.targetPlatform.isStatic }:
 
 stdenv.mkDerivation rec {
   pname = "libcap";
@@ -9,7 +10,10 @@ stdenv.mkDerivation rec {
     sha256 = "1qf80lifygbnxwvqjf8jz5j24n6fqqx4ixnkbf76xs2vrmcq664j";
   };
 
-  outputs = [ "out" "dev" "lib" "man" "doc" "pam" ];
+  patches = lib.optional static ./no-shared-lib.patch;
+
+  outputs = [ "out" "dev" "lib" "man" "doc" ]
+    ++ lib.optional (pam != null) "pam";
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
   nativeBuildInputs = [ perl ];
@@ -20,7 +24,7 @@ stdenv.mkDerivation rec {
 
   makeFlags = [
     "lib=lib"
-    "PAM_CAP=yes"
+    "PAM_CAP=${if pam == null then "no" else "yes"}"
     "BUILD_CC=$(CC_FOR_BUILD)"
     "CC:=$(CC)"
   ];
@@ -44,7 +48,7 @@ stdenv.mkDerivation rec {
   installFlags = [ "RAISE_SETFCAP=no" ];
 
   postInstall = ''
-    rm "$lib"/lib/*.a
+    ${lib.optionalString (!static) ''rm "$lib"/lib/*.a''}
     mkdir -p "$doc/share/doc/${pname}-${version}"
     cp License "$doc/share/doc/${pname}-${version}/"
   '' + stdenv.lib.optionalString (pam != null) ''
diff --git a/pkgs/os-specific/linux/libcap/no-shared-lib.patch b/pkgs/os-specific/linux/libcap/no-shared-lib.patch
new file mode 100644
index 00000000000..73dc7de063d
--- /dev/null
+++ b/pkgs/os-specific/linux/libcap/no-shared-lib.patch
@@ -0,0 +1,22 @@
+diff --git a/libcap/Makefile b/libcap/Makefile
+index de6a28d..7e4d8ac 100644
+--- a/libcap/Makefile
++++ b/libcap/Makefile
+@@ -22,7 +22,7 @@ MAJLIBNAME=$(LIBNAME).$(VERSION)
+ MINLIBNAME=$(MAJLIBNAME).$(MINOR)
+ GPERF_OUTPUT = _caps_output.gperf
+ 
+-all: $(MINLIBNAME) $(STACAPLIBNAME) pcs $(STAPSXLIBNAME)
++all: $(STACAPLIBNAME) pcs $(STAPSXLIBNAME)
+ 
+ pcs: libcap.pc libpsx.pc
+ 
+@@ -93,7 +93,7 @@ cap_test: cap_test.c libcap.h
+ test: cap_test
+ 	./cap_test
+ 
+-install: install-static install-shared
++install: install-static
+ 
+ install-static: install-static-cap install-static-psx
+ 
diff --git a/pkgs/top-level/static.nix b/pkgs/top-level/static.nix
index b3851ba20f0..7fb5aef5f1c 100644
--- a/pkgs/top-level/static.nix
+++ b/pkgs/top-level/static.nix
@@ -314,4 +314,6 @@ in {
       configureFlags = attrs.configureFlags ++ [ "--disable-shared" ];
     });
   });
+
+  libcap = super.libcap.override { pam = null; };
 }

From e8959c4660f53d866c89606b8f64bfb771ad35b4 Mon Sep 17 00:00:00 2001
From: Martin Weinelt <hexa@darmstadt.ccc.de>
Date: Thu, 3 Dec 2020 11:46:02 +0100
Subject: [PATCH 33/43] unbound: 1.12.0 -> 1.13.0

https://lists.nlnetlabs.nl/pipermail/unbound-users/2020-December/007102.html

Fixes: CVE-2020-28935
---
 pkgs/tools/networking/unbound/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/tools/networking/unbound/default.nix b/pkgs/tools/networking/unbound/default.nix
index b6d9eb3448f..ce27f111377 100644
--- a/pkgs/tools/networking/unbound/default.nix
+++ b/pkgs/tools/networking/unbound/default.nix
@@ -22,11 +22,11 @@
 
 stdenv.mkDerivation rec {
   pname = "unbound";
-  version = "1.12.0";
+  version = "1.13.0";
 
   src = fetchurl {
     url = "https://unbound.net/downloads/${pname}-${version}.tar.gz";
-    sha256 = "0daqxzvknvcz7sgag3wcrxhp4a39ik93lsrfpwcl9whjg2lm74jv";
+    sha256 = "18dj7migq6379hps59793457l81s3z7dll3y0fj6qcmhjlx08m59";
   };
 
   outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB

From fb51f058c577cdf2fe6ed283df6b3c94f4b40200 Mon Sep 17 00:00:00 2001
From: Christian Kampka <christian@kampka.net>
Date: Mon, 7 Dec 2020 11:17:24 +0100
Subject: [PATCH 34/43] e2fsprogs: 1.45.5 -> 1.45.6

---
 pkgs/tools/filesystems/e2fsprogs/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/tools/filesystems/e2fsprogs/default.nix b/pkgs/tools/filesystems/e2fsprogs/default.nix
index 469ed6fdf34..f846bf1f200 100644
--- a/pkgs/tools/filesystems/e2fsprogs/default.nix
+++ b/pkgs/tools/filesystems/e2fsprogs/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "e2fsprogs";
-  version = "1.45.5";
+  version = "1.45.6";
 
   src = fetchurl {
     url = "mirror://sourceforge/${pname}/${pname}-${version}.tar.gz";
-    sha256 = "1n8ffss5044j9382rlvmhyr1f6kmnfjfbv6q4jbbh8gfdwpjmrwi";
+    sha256 = "sha256-X2SsUKK2C45nxbOCuxN97Dk0QBcQPK/8OmFVRCTy1pM=";
   };
 
   outputs = [ "bin" "dev" "out" "man" "info" ];

From b46c670ed96b66eede05e9fe5ea7fdc4c3254cb3 Mon Sep 17 00:00:00 2001
From: "R. RyanTM" <ryantm-bot@ryantm.com>
Date: Sun, 6 Dec 2020 15:46:07 +0000
Subject: [PATCH 35/43] pcre2: 10.35 -> 10.36

---
 pkgs/development/libraries/pcre2/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/pcre2/default.nix b/pkgs/development/libraries/pcre2/default.nix
index b127eb0a31e..8f06630882c 100644
--- a/pkgs/development/libraries/pcre2/default.nix
+++ b/pkgs/development/libraries/pcre2/default.nix
@@ -2,10 +2,10 @@
 
 stdenv.mkDerivation rec {
   pname = "pcre2";
-  version = "10.35";
+  version = "10.36";
   src = fetchurl {
     url = "https://ftp.pcre.org/pub/pcre/${pname}-${version}.tar.bz2";
-    sha256 = "04s6kmk9qdd4rjz477h547j4bx7hfz0yalpvrm381rqc5ghaijww";
+    sha256 = "0p3699msps07p40g9426lvxa3b41rg7k2fn7qxl2jm0kh4kkkvx9";
   };
 
   configureFlags = [

From 17c840055e86b63267850c95e7acc791fe986eac Mon Sep 17 00:00:00 2001
From: Arnout Engelen <arnout@bzzt.net>
Date: Wed, 2 Dec 2020 11:11:28 +0100
Subject: [PATCH 36/43] setuptools: stable file ordering for sdist

We already re-pack the source distribution to make the
timestamps consistent, but the result is still not
entirely stable because by default tar does not sort
the files in the archive deterministically. This PR
makes sure the entries are sorted by name.

https://github.com/NixOS/nixpkgs/issues/105502
---
 pkgs/development/python-modules/setuptools/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/development/python-modules/setuptools/default.nix b/pkgs/development/python-modules/setuptools/default.nix
index f30e8dd5cdb..987c75ba5a0 100644
--- a/pkgs/development/python-modules/setuptools/default.nix
+++ b/pkgs/development/python-modules/setuptools/default.nix
@@ -38,7 +38,7 @@ let
       # Here we untar the sdist and retar it in order to control the timestamps
       # of all the files included
       tar -xzf dist/${pname}-${version}.post0.tar.gz -C dist/
-      tar -czf dist/${name} -C dist/ --mtime="@$SOURCE_DATE_EPOCH"  ${pname}-${version}.post0
+      tar -czf dist/${name} -C dist/ --mtime="@$SOURCE_DATE_EPOCH" --sort=name ${pname}-${version}.post0
     '';
 
     installPhase = ''

From 13456d6ceb6552cd5e42b7a207a5902d96a29c3d Mon Sep 17 00:00:00 2001
From: Arnout Engelen <arnout@bzzt.net>
Date: Mon, 30 Nov 2020 15:14:10 +0100
Subject: [PATCH 37/43] pyopenssl: 19.1.0 -> 20.0.0

This is needed to build 'master' of mitmproxy,
verified that this works with this change.
---
 .../python-modules/pyopenssl/default.nix      | 25 ++-----------------
 1 file changed, 2 insertions(+), 23 deletions(-)

diff --git a/pkgs/development/python-modules/pyopenssl/default.nix b/pkgs/development/python-modules/pyopenssl/default.nix
index 33fd3c6e10d..d9d2b382f50 100644
--- a/pkgs/development/python-modules/pyopenssl/default.nix
+++ b/pkgs/development/python-modules/pyopenssl/default.nix
@@ -65,11 +65,11 @@ in
 
 buildPythonPackage rec {
   pname = "pyOpenSSL";
-  version = "19.1.0";
+  version = "20.0.0";
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "9a24494b2602aaf402be5c9e30a0b82d4a5c67528fe8fb475e3f3bc00dd69507";
+    sha256 = "1i8ab5zn9i9iq2ksizp3rd42v157kacddzz88kviqw3kpp68xw4j";
   };
 
   outputs = [ "out" "dev" ];
@@ -81,27 +81,6 @@ buildPythonPackage rec {
     runHook postCheck
   '';
 
-  patches = [
-    # 4 patches for 2020 bug
-    # https://github.com/pyca/pyopenssl/pull/828
-    (fetchpatch {
-      url = "https://github.com/pyca/pyopenssl/commit/0d2fd1a24b30077ead6960bd63b4a9893a57c101.patch";
-      sha256 = "1c27g53qrwxddyx04sxf8yvj7xgbaabla7mc1cgbfd426rncbqf3";
-    })
-    (fetchpatch {
-      url = "https://github.com/pyca/pyopenssl/commit/d08a742573c3205348a4eec9a65abaf6c16110c4.patch";
-      sha256 = "18xn8s1wpycz575ivrbsbs0qd2q48z8pdzsjzh8i60xba3f8yj2f";
-    })
-    (fetchpatch {
-      url = "https://github.com/pyca/pyopenssl/commit/60b9e10e6da7ccafaf722def630285f54510ed12.patch";
-      sha256 = "0aw8qvy8m0bhgp39lmbcrpprpg4bhpssm327hyrk476wwgajk01j";
-    })
-    (fetchpatch {
-      url = "https://github.com/pyca/pyopenssl/commit/7a37cc23fcbe43abe785cd4badd14bdc7acfb175.patch";
-      sha256 = "1c7zb568rs71rsl16p6dq7aixwlkgzfnba4vzmfvbmy3zsnaslq2";
-    })
-  ];
-
   # Seems to fail unpredictably on Darwin. See https://hydra.nixos.org/build/49877419/nixlog/1
   # for one example, but I've also seen ContextTests.test_set_verify_callback_exception fail.
   doCheck = !stdenv.isDarwin;

From 46b8c00d0dce394e8b13c2644ce13c1b7f705d88 Mon Sep 17 00:00:00 2001
From: "R. RyanTM" <ryantm-bot@ryantm.com>
Date: Sat, 28 Nov 2020 10:40:17 +0000
Subject: [PATCH 38/43] libksba: 1.4.0 -> 1.5.0

---
 pkgs/development/libraries/libksba/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/libksba/default.nix b/pkgs/development/libraries/libksba/default.nix
index d627bf81cba..7e14c1b533b 100644
--- a/pkgs/development/libraries/libksba/default.nix
+++ b/pkgs/development/libraries/libksba/default.nix
@@ -1,11 +1,11 @@
 { buildPackages, stdenv, fetchurl, gettext, libgpgerror }:
 
 stdenv.mkDerivation rec {
-  name = "libksba-1.4.0";
+  name = "libksba-1.5.0";
 
   src = fetchurl {
     url = "mirror://gnupg/libksba/${name}.tar.bz2";
-    sha256 = "1dj1razn35srkgadx3i30yr0q037cr0dn54m6a54vxgh3zlsirmz";
+    sha256 = "1fm0mf3wq9fmyi1rmc1vk2fafn6liiw2mgxml3g7ybbb44lz2jmf";
   };
 
   outputs = [ "out" "dev" "info" ];

From e4d17dc558f61f8565df025fa46de7035c4a1d93 Mon Sep 17 00:00:00 2001
From: Emery Hemingway <ehmry@posteo.net>
Date: Wed, 25 Nov 2020 17:27:31 +0100
Subject: [PATCH 39/43] setup-hooks/strip: more robust stripping
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use "find -exec" to strip rather than "find … | xargs …". The former
ensures that stripping is attempted for each file, whereas the latter
will stop stripping at the first failure. Unstripped files can fool
runtime dependency detection and bloat closure sizes.
---
 pkgs/build-support/setup-hooks/strip.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/build-support/setup-hooks/strip.sh b/pkgs/build-support/setup-hooks/strip.sh
index f5fa9378fd7..a7cdfd1d276 100644
--- a/pkgs/build-support/setup-hooks/strip.sh
+++ b/pkgs/build-support/setup-hooks/strip.sh
@@ -51,7 +51,7 @@ stripDirs() {
 
     if [ -n "${dirs}" ]; then
         header "stripping (with command $cmd and flags $stripFlags) in$dirs"
-        find $dirs -type f -print0 | xargs -0 ${xargsFlags:--r} $cmd $commonStripFlags $stripFlags 2>/dev/null || true
+        find $dirs -type f -exec $cmd $commonStripFlags $stripFlags '{}' \; #
         stopNest
     fi
 }

From cfc56fb90bed519da166a9d440204b0dd7a6b6aa Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Wed, 2 Dec 2020 18:23:08 +1000
Subject: [PATCH 40/43] sqlite: 3.33.0 -> 3.34.0

https://www.sqlite.org/releaselog/3_34_0.html
---
 pkgs/development/libraries/sqlite/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/sqlite/default.nix b/pkgs/development/libraries/sqlite/default.nix
index 4393b631461..f0bbc93a6f1 100644
--- a/pkgs/development/libraries/sqlite/default.nix
+++ b/pkgs/development/libraries/sqlite/default.nix
@@ -10,12 +10,12 @@ in
 
 stdenv.mkDerivation rec {
   pname = "sqlite";
-  version = "3.33.0";
+  version = "3.34.0";
 
   # NB! Make sure to update ./tools.nix src (in the same directory).
   src = fetchurl {
     url = "https://sqlite.org/2020/sqlite-autoconf-${archiveVersion version}.tar.gz";
-    sha256 = "05dvdfaxd552gj5p7k0i72sfam7lykaw1g2pfn52jnppqx42qshh";
+    sha256 = "1vlsvlp5nvhd5pdjpmdczfsv7mml2gsalykl6x3palbxwgxbfvdz";
   };
 
   outputs = [ "bin" "dev" "out" ];

From b7a700e63974920b4274d9095f355f929b2e47b6 Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Wed, 2 Dec 2020 18:27:57 +1000
Subject: [PATCH 41/43] sqldiff, sqlite-analyzer: 3.33.0 -> 3.34.0

---
 pkgs/development/libraries/sqlite/tools.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/sqlite/tools.nix b/pkgs/development/libraries/sqlite/tools.nix
index 3ac1f617862..0eb913adb3b 100644
--- a/pkgs/development/libraries/sqlite/tools.nix
+++ b/pkgs/development/libraries/sqlite/tools.nix
@@ -4,11 +4,11 @@ let
   archiveVersion = import ./archive-version.nix stdenv.lib;
   mkTool = { pname, makeTarget, description, homepage }: stdenv.mkDerivation rec {
     inherit pname;
-    version = "3.33.0";
+    version = "3.34.0";
 
     src = assert version == sqlite.version; fetchurl {
       url = "https://sqlite.org/2020/sqlite-src-${archiveVersion version}.zip";
-      sha256 = "1f09srlrmcab1sf8j2d89s2kvknlbxk7mbsiwpndw9mall27dgwh";
+      sha256 = "0giklai05shqalj1wwadi9hg5dx6vff8nrblqh9xxljnrq701hm5";
     };
 
     nativeBuildInputs = [ unzip ];

From a4462a98b3cfba0faf2d37f1b613aebf2f76464d Mon Sep 17 00:00:00 2001
From: "R. RyanTM" <ryantm-bot@ryantm.com>
Date: Mon, 7 Dec 2020 22:59:43 +0000
Subject: [PATCH 42/43] libgphoto2: 2.5.23 -> 2.5.26

---
 pkgs/development/libraries/libgphoto2/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/libgphoto2/default.nix b/pkgs/development/libraries/libgphoto2/default.nix
index 93c98bb1f12..89bca2ee75f 100644
--- a/pkgs/development/libraries/libgphoto2/default.nix
+++ b/pkgs/development/libraries/libgphoto2/default.nix
@@ -7,13 +7,13 @@
 
 stdenv.mkDerivation rec {
   pname = "libgphoto2";
-  version = "2.5.23";
+  version = "2.5.26";
 
   src = fetchFromGitHub {
     owner = "gphoto";
     repo = "libgphoto2";
     rev = "libgphoto2-${builtins.replaceStrings [ "." ] [ "_" ] version}-release";
-    sha256 = "1sc2ycx11khf0qzp1cqxxx1qymv6bjfbkx3vvbwz6wnbyvsigxz2";
+    sha256 = "0lnlxflj04ng9a0hm2nb2067kqs4kp9kx1z4gg395cgbfd7lx6j6";
   };
 
   patches = [];

From 71184f0cf55e63871f1ebd469c82accc98ff7423 Mon Sep 17 00:00:00 2001
From: "R. RyanTM" <ryantm-bot@ryantm.com>
Date: Wed, 18 Nov 2020 14:32:32 +0000
Subject: [PATCH 43/43] libcap_ng: 0.7.11 -> 0.8

---
 pkgs/os-specific/linux/libcap-ng/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/os-specific/linux/libcap-ng/default.nix b/pkgs/os-specific/linux/libcap-ng/default.nix
index cfcaea694e5..27f4ddcce18 100644
--- a/pkgs/os-specific/linux/libcap-ng/default.nix
+++ b/pkgs/os-specific/linux/libcap-ng/default.nix
@@ -6,11 +6,11 @@ stdenv.mkDerivation rec {
   pname = "libcap-ng";
   # When updating make sure to test that the version with
   # all of the python bindings still works
-  version = "0.7.11";
+  version = "0.8";
 
   src = fetchurl {
     url = "${meta.homepage}/${pname}-${version}.tar.gz";
-    sha256 = "1s8akhnnazk0b5c6z5i3x54rjb26p8pz2wdl1m21ml3231qmr0c5";
+    sha256 = "08cy59iassiwbmfxa5v0kb374r80290vv32f5q1mnip11av26kgi";
   };
 
   nativeBuildInputs = [ swig ];