Merge staging-next into staging

nixos/doc/manual/release-notes/rl-2105.xml

@@ -330,7 +330,7 @@
    </listitem>
    <listitem>
     <para>
-      <literal>vim</literal> switched to Python 3, dropping all Python 2 support.
+      <literal>vim</literal> and <literal>neovim</literal> switched to Python 3, dropping all Python 2 support.
     </para>
    </listitem>
    <listitem>

nixos/modules/services/misc/home-assistant.nix

@@ -245,22 +245,85 @@ in {
         rm -f "${cfg.configDir}/ui-lovelace.yaml"
         ln -s ${lovelaceConfigFile} "${cfg.configDir}/ui-lovelace.yaml"
       '');
-      serviceConfig = {
+      serviceConfig = let
-        ExecStart = "${package}/bin/hass --config '${cfg.configDir}'";
+        # List of capabilities to equip home-assistant with, depending on configured components
+        capabilities = [
+          # Empty string first, so we will never accidentally have an empty capability bounding set
+          # https://github.com/NixOS/nixpkgs/issues/120617#issuecomment-830685115
+          ""
+        ] ++ (unique (optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [
+          # Required for interaction with hci devices and bluetooth sockets
+          # https://www.home-assistant.io/integrations/bluetooth_le_tracker/#rootless-setup-on-core-installs
+          "CAP_NET_ADMIN"
+          "CAP_NET_RAW"
+        ] ++ lib.optionals (useComponent "emulated_hue") [
+          # Alexa looks for the service on port 80
+          # https://www.home-assistant.io/integrations/emulated_hue
+          "CAP_NET_BIND_SERVICE"
+        ] ++ lib.optionals (useComponent "nmap_tracker") [
+          # https://www.home-assistant.io/integrations/nmap_tracker#linux-capabilities
+          "CAP_NET_ADMIN"
+          "CAP_NET_BIND_SERVICE"
+          "CAP_NET_RAW"
+        ]));
+      in {
+        ExecStart = "${package}/bin/hass --runner --config '${cfg.configDir}'";
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
         User = "hass";
         Group = "hass";
         Restart = "on-failure";
+        RestartForceExitStatus = "100";
+        SuccessExitStatus = "100";
+        KillSignal = "SIGINT";
+
+        # Hardening
+        AmbientCapabilities = capabilities;
+        CapabilityBoundingSet = capabilities;
+        DeviceAllow = [
+          "char-ttyACM rw"
+          "char-ttyAMA rw"
+          "char-ttyUSB rw"
+        ];
+        DevicePolicy = "closed";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateTmp = true;
+        PrivateUsers = false; # prevents gaining capabilities in the host namespace
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
         ProtectSystem = "strict";
+        RemoveIPC = true;
         ReadWritePaths = let
+          # Allow rw access to explicitly configured paths
           cfgPath = [ "config" "homeassistant" "allowlist_external_dirs" ];
           value = attrByPath cfgPath [] cfg;
           allowPaths = if isList value then value else singleton value;
         in [ "${cfg.configDir}" ] ++ allowPaths;
-        KillSignal = "SIGINT";
+        RestrictAddressFamilies = [
-        PrivateTmp = true;
+          "AF_UNIX"
-        RemoveIPC = true;
+          "AF_INET"
-        AmbientCapabilities = "cap_net_raw,cap_net_admin+eip";
+          "AF_INET6"
+        ] ++ optionals (useComponent "bluetooth_tracker" || useComponent "bluetooth_le_tracker") [
+          "AF_BLUETOOTH"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SupplementaryGroups = [ "dialout" ];
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+        ];
+        UMask = "0077";
       };
       path = [
         "/run/wrappers" # needed for ping
@@ -278,7 +341,6 @@ in {
       home = cfg.configDir;
       createHome = true;
       group = "hass";
-      extraGroups = [ "dialout" ];
       uid = config.ids.uids.hass;
     };
 

nixos/modules/services/networking/mosquitto.nix

@@ -20,8 +20,7 @@ let
     acl_file ${aclFile}
     persistence true
     allow_anonymous ${boolToString cfg.allowAnonymous}
-    bind_address ${cfg.host}
+    listener ${toString cfg.port} ${cfg.host}
-    port ${toString cfg.port}
     ${passwordConf}
     ${listenerConf}
     ${cfg.extraConf}
@@ -233,15 +232,50 @@ in
         ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}";
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
 
-        ProtectSystem = "strict";
+        # Hardening
-        ProtectHome = true;
+        CapabilityBoundingSet = "";
+        DevicePolicy = "closed";
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
         PrivateDevices = true;
         PrivateTmp = true;
-        ReadWritePaths = "${cfg.dataDir}";
+        PrivateUsers = true;
+        ProtectClock = true;
         ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
         ProtectKernelModules = true;
         ProtectKernelTunables = true;
-        NoNewPrivileges = true;
+        ProtectProc = "invisible";
+        ProcSubset = "pid";
+        ProtectSystem = "strict";
+        ReadWritePaths = [
+          cfg.dataDir
+          "/tmp"  # mosquitto_passwd creates files in /tmp before moving them
+        ];
+        ReadOnlyPaths = with cfg.ssl; lib.optionals (enable) [
+          certfile
+          keyfile
+          cafile
+        ];
+        RemoveIPC = true;
+        RestrictAddressFamilies = [
+          "AF_UNIX"  # for sd_notify() call
+          "AF_INET"
+          "AF_INET6"
+        ];
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = [
+          "@system-service"
+          "~@privileged"
+          "~@resources"
+        ];
+        UMask = "0077";
       };
       preStart = ''
         rm -f ${cfg.dataDir}/passwd

nixos/tests/home-assistant.nix

@@ -1,4 +1,4 @@
-import ./make-test-python.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, lib, ... }:
 
 let
   configDir = "/var/lib/foobar";
@@ -6,9 +6,7 @@ let
   mqttPassword = "secret";
 in {
   name = "home-assistant";
-  meta = with pkgs.lib; {
+  meta.maintainers = lib.teams.home-assistant.members;
-    maintainers = with maintainers; [ dotlambda ];
-  };
 
   nodes.hass = { pkgs, ... }: {
     environment.systemPackages = with pkgs; [ mosquitto ];
@@ -47,6 +45,10 @@ in {
           payload_on = "let_there_be_light";
           payload_off = "off";
         }];
+        emulated_hue = {
+          host_ip = "127.0.0.1";
+          listen_port = 80;
+        };
         logger = {
           default = "info";
           logs."homeassistant.components.mqtt" = "debug";
@@ -82,6 +84,9 @@ in {
         hass.succeed(
             "mosquitto_pub -V mqttv5 -t home-assistant/test -u ${mqttUsername} -P '${mqttPassword}' -m let_there_be_light"
         )
+    with subtest("Check that capabilities are passed for emulated_hue to bind to port 80"):
+        hass.wait_for_open_port(80)
+        hass.succeed("curl --fail http://localhost:80/description.xml")
     with subtest("Print log to ease debugging"):
         output_log = hass.succeed("cat ${configDir}/home-assistant.log")
         print("\n### home-assistant.log ###\n")
@@ -93,5 +98,8 @@ in {
     # example line: 2020-06-20 10:01:32 DEBUG (MainThread) [homeassistant.components.mqtt] Received message on home-assistant/test: b'let_there_be_light'
     with subtest("Check we received the mosquitto message"):
         assert "let_there_be_light" in output_log
+
+    with subtest("Check systemd unit hardening"):
+        hass.log(hass.succeed("systemd-analyze security home-assistant.service"))
   '';
 })

nixos/tests/mosquitto.nix

@@ -1,4 +1,4 @@
-import ./make-test-python.nix ({ pkgs, ... }:
+import ./make-test-python.nix ({ pkgs, lib, ... }:
 
 let
   port = 1888;
@@ -30,6 +30,9 @@ in {
           ];
         };
       };
+
+      # disable private /tmp for this test
+      systemd.services.mosquitto.serviceConfig.PrivateTmp = lib.mkForce false;
     };
 
     client1 = client;

pkgs/applications/editors/neovim/default.nix

@@ -6,7 +6,7 @@
 
 # now defaults to false because some tests can be flaky (clipboard etc)
 , doCheck ? false
-, nodejs ? null, fish ? null, python ? null
+, nodejs ? null, fish ? null, python3 ? null
 }:
 
 with lib;
@@ -19,7 +19,7 @@ let
       ]
     ));
 
-  pyEnv = python.withPackages(ps: [ ps.pynvim ps.msgpack ]);
+  pyEnv = python3.withPackages(ps: with ps; [ pynvim msgpack ]);
 
   # FIXME: this is verry messy and strange.
   # see https://github.com/NixOS/nixpkgs/pull/80528

pkgs/applications/editors/neovim/neovim-qt.nix

@@ -1,5 +1,5 @@
 { lib, mkDerivation, fetchFromGitHub, cmake, doxygen, makeWrapper
-, msgpack, neovim, pythonPackages, qtbase }:
+, msgpack, neovim, python3Packages, qtbase }:
 
 mkDerivation rec {
   pname = "neovim-qt-unwrapped";
@@ -20,7 +20,7 @@ mkDerivation rec {
   buildInputs = [
     neovim.unwrapped # only used to generate help tags at build time
     qtbase
-  ] ++ (with pythonPackages; [
+  ] ++ (with python3Packages; [
     jinja2 python msgpack
   ]);
 

pkgs/applications/editors/neovim/neovim-remote.nix

@@ -1,11 +1,14 @@
-{ lib, fetchFromGitHub, pythonPackages }:
+{ lib
+, fetchFromGitHub
+, python3
+, neovim
+}:
 
 with lib;
 
-pythonPackages.buildPythonApplication rec {
+with python3.pkgs; buildPythonApplication rec {
   pname = "neovim-remote";
   version = "2.4.0";
-  disabled = !pythonPackages.isPy3k;
 
   src = fetchFromGitHub {
     owner = "mhinz";
@@ -14,12 +17,24 @@ pythonPackages.buildPythonApplication rec {
     sha256 = "0jlw0qksak4bdzddpsj74pm2f2bgpj3cwrlspdjjy0j9qzg0mpl9";
   };
 
-  propagatedBuildInputs = with pythonPackages; [
+  propagatedBuildInputs = [
     pynvim
     psutil
     setuptools
   ];
 
+  checkInputs = [
+    neovim
+    pytestCheckHook
+  ];
+
+  disabledTests = [
+    # these tests get stuck and never return
+    "test_escape_filenames_properly"
+    "test_escape_single_quotes_in_filenames"
+    "test_escape_double_quotes_in_filenames"
+  ];
+
   meta = {
     description = "A tool that helps controlling nvim processes from a terminal";
     homepage = "https://github.com/mhinz/neovim-remote/";

pkgs/applications/editors/neovim/qt.nix

@@ -1,5 +1,4 @@
-{ lib, stdenv, mkDerivation, fetchFromGitHub, cmake, doxygen, makeWrapper
+{ stdenv, makeWrapper, neovim, neovim-qt-unwrapped }:
-, msgpack, neovim, pythonPackages, qtbase, neovim-qt-unwrapped }:
 
 let
   unwrapped = neovim-qt-unwrapped;

pkgs/applications/editors/neovim/utils.nix

@@ -4,7 +4,6 @@
 , neovim-unwrapped
 , bundlerEnv
 , ruby
-, pythonPackages
 , python3Packages
 , writeText
 , wrapNeovimUnstable
@@ -48,12 +47,6 @@ let
       requiredPlugins = vimUtils.requiredPlugins configure;
       getDeps = attrname: map (plugin: plugin.${attrname} or (_: [ ]));
 
-      pluginPython2Packages = getDeps "pythonDependencies" requiredPlugins;
-      python2Env = pythonPackages.python.withPackages (ps:
-        [ ps.pynvim ]
-        ++ (extraPython2Packages ps)
-        ++ (lib.concatMap (f: f ps) pluginPython2Packages));
-
       pluginPython3Packages = getDeps "python3Dependencies" requiredPlugins;
       python3Env = python3Packages.python.withPackages (ps:
         [ ps.pynvim ]
@@ -69,7 +62,6 @@ let
       # While the latter tells nvim that this provider is not available
       hostprog_check_table = {
         node = withNodeJs;
-        python = withPython2;
         python3 = withPython3;
         ruby = withRuby;
       };
@@ -99,11 +91,12 @@ let
       manifestRc = vimUtils.vimrcContent (configure // { customRC = ""; });
       neovimRcContent = vimUtils.vimrcContent configure;
     in
+    assert withPython2 -> throw "Python2 support has been removed from neovim, please remove withPython2 and extraPython2Packages.";
+
     args // {
       wrapperArgs = makeWrapperArgs;
       inherit neovimRcContent;
       inherit manifestRc;
-      inherit python2Env;
       inherit python3Env;
       inherit withNodeJs;
     } // lib.optionalAttrs withRuby {
@@ -120,7 +113,7 @@ let
   # to keep backwards compatibility
   legacyWrapper = neovim: {
     extraMakeWrapperArgs ? ""
-    , withPython ? true
+    , withPython ? false
     /* the function you would have passed to python.withPackages */
     , extraPythonPackages ? (_: [])
     /* the function you would have passed to python.withPackages */
@@ -138,14 +131,14 @@ let
       else funOrList);
 
       res = makeNeovimConfig {
-        withPython2 = withPython;
-        extraPythonPackages = compatFun extraPythonPackages;
         inherit withPython3;
         extraPython3Packages = compatFun extraPython3Packages;
         inherit withNodeJs withRuby viAlias vimAlias;
         inherit configure;
       };
     in
+    assert withPython -> throw "Python2 support has been removed from neovim, please remove withPython and extraPythonPackages.";
+
     wrapNeovimUnstable neovim (res // {
       wrapperArgs = lib.escapeShellArgs (
         res.wrapperArgs ++ lib.optionals (configure != {}) [

pkgs/applications/editors/neovim/wrapper.nix

@@ -3,7 +3,6 @@
 , bundlerEnv, ruby
 , nodejs
 , nodePackages
-, pythonPackages
 , python3Packages
 }:
 with lib;
@@ -15,7 +14,7 @@ let
       # should contain all args but the binary
       wrapperArgs ? ""
     , manifestRc ? null
-    , withPython2 ? true, python2Env ? null
+    , withPython2 ? false
     , withPython3 ? true,  python3Env ? null
     , withNodeJs ? false
     , rubyEnv ? null
@@ -35,6 +34,8 @@ let
     [ "${neovim}/bin/nvim" "${placeholder "out"}/bin/nvim" ] ++
       [ "--set" "NVIM_SYSTEM_RPLUGIN_MANIFEST" "${placeholder "out"}/rplugin.vim" ];
   in
+  assert withPython2 -> throw "Python2 support has been removed from the neovim wrapper, please remove withPython2 and python2Env.";
+
   symlinkJoin {
       name = "neovim-${lib.getVersion neovim}";
       # Remove the symlinks created by symlinkJoin which we need to perform
@@ -44,9 +45,6 @@ let
         substitute ${neovim}/share/applications/nvim.desktop $out/share/applications/nvim.desktop \
           --replace 'Name=Neovim' 'Name=WrappedNeovim'
       ''
-      + optionalString withPython2 ''
-        makeWrapper ${python2Env}/bin/python $out/bin/nvim-python --unset PYTHONPATH
-      ''
       + optionalString withPython3 ''
         makeWrapper ${python3Env}/bin/python3 $out/bin/nvim-python3 --unset PYTHONPATH
       ''

pkgs/applications/editors/vscode/generic.nix

@@ -1,7 +1,8 @@
 { stdenv, lib, makeDesktopItem
 , unzip, libsecret, libXScrnSaver, libxshmfence, wrapGAppsHook
 , gtk2, atomEnv, at-spi2-atk, autoPatchelfHook
-, systemd, fontconfig, libdbusmenu
+, systemd, fontconfig, libdbusmenu, buildFHSUserEnvBubblewrap
+, writeShellScriptBin
 
 # Populate passthru.tests
 , tests
@@ -13,13 +14,14 @@
 
 let
   inherit (stdenv.hostPlatform) system;
-in
+  unwrapped = stdenv.mkDerivation {
-  stdenv.mkDerivation {
 
     inherit pname version src sourceRoot;
 
     passthru = {
       inherit executableName tests;
+      fhs = fhs {};
+      fhsWithPackages = f: fhs { additionalPkgs = f; };
     };
 
     desktopItem = makeDesktopItem {
@@ -97,4 +99,64 @@ in
     '';
 
     inherit meta;
-  }
+  };
+
+  # Vscode and variants allow for users to download and use extensions
+  # which often include the usage of pre-built binaries.
+  # This has been an on-going painpoint for many users, as
+  # a full extension update cycle has to be done through nixpkgs
+  # in order to create or update extensions.
+  # See: #83288 #91179 #73810 #41189
+  #
+  # buildFHSUserEnv allows for users to use the existing vscode
+  # extension tooling without significant pain.
+  fhs = { additionalPkgs ? pkgs: [] }: buildFHSUserEnvBubblewrap {
+    # also determines the name of the wrapped command
+    name = executableName;
+
+    # additional libraries which are commonly needed for extensions
+    targetPkgs = pkgs: (with pkgs; [
+      # ld-linux-x86-64-linux.so.2 and others
+      glibc
+
+      # dotnet
+      curl
+      icu
+      libunwind
+      libuuid
+      openssl
+      zlib
+
+      # mono
+      krb5
+    ]) ++ additionalPkgs pkgs;
+
+    # restore desktop item icons
+    extraInstallCommands = ''
+      mkdir -p $out/share/applications
+      for item in ${unwrapped}/share/applications/*.desktop; do
+        ln -s $item $out/share/applications/
+      done
+    '';
+
+    runScript = "${unwrapped}/bin/${executableName}";
+
+    # vscode likes to kill the parent so that the
+    # gui application isn't attached to the terminal session
+    dieWithParent = false;
+
+    passthru = {
+      inherit executableName;
+      inherit (unwrapped) pname version; # for home-manager module
+    };
+
+    meta = meta // {
+      description = ''
+        Wrapped variant of ${pname} which launches in a FHS compatible envrionment.
+        Should allow for easy usage of extensions without nix-specific modifications.
+      '';
+    };
+  };
+in
+  unwrapped
+

pkgs/applications/networking/cluster/kubelogin-oidc/default.nix

@@ -2,18 +2,18 @@
 
 buildGoModule rec {
   pname = "kubelogin";
-  version = "1.23.0";
+  version = "1.23.1";
 
   src = fetchFromGitHub {
     owner = "int128";
     repo = pname;
     rev = "v${version}";
-    sha256 = "0n94nx17c6ln2nd6d9yr93vc251y1xphq1wj2vzs4j2l8dqfyjpn";
+    sha256 = "sha256-YK/QGx6QzSeyeZ61KgdYO3POJQFK1F6yJayd2gcRWS4=";
   };
 
   subPackages = ["."];
 
-  vendorSha256 = "1dvrk6z6k66wawgb50n8hbgdd8fly399mlbgnvxi671vfi7lkz09";
+  vendorSha256 = "sha256-tnjgs8Ziqdo1ciVOWtL0D8puv2SZGqSHgo2SV7N8F0M=";
 
   # Rename the binary instead of symlinking to avoid conflict with the
   # Azure version of kubelogin

pkgs/build-support/build-fhs-userenv-bubblewrap/default.nix

@@ -14,6 +14,7 @@ args @ {
 , unshareNet ? false
 , unshareUts ? true
 , unshareCgroup ? true
+, dieWithParent ? true
 , ...
 }:
 
@@ -22,7 +23,7 @@ let
   buildFHSEnv = callPackage ./env.nix { };
 
   env = buildFHSEnv (removeAttrs args [
-    "runScript" "extraInstallCommands" "meta" "passthru"
+    "runScript" "extraInstallCommands" "meta" "passthru" "dieWithParent"
     "unshareUser" "unshareCgroup" "unshareUts" "unshareNet" "unsharePid" "unshareIpc"
   ]);
 
@@ -30,6 +31,13 @@ let
     files = [
       # NixOS Compatibility
       "static"
+      "nix" # mainly for nixUnstable users, but also for access to nix/netrc
+      # Shells
+      "bashrc"
+      "zshenv"
+      "zshrc"
+      "zinputrc"
+      "zprofile"
       # Users, Groups, NSS
       "passwd"
       "group"
@@ -136,7 +144,7 @@ let
       ${lib.optionalString unshareNet "--unshare-net"}
       ${lib.optionalString unshareUts "--unshare-uts"}
       ${lib.optionalString unshareCgroup "--unshare-cgroup"}
-      --die-with-parent
+      ${lib.optionalString dieWithParent "--die-with-parent"}
       --ro-bind /nix /nix
       # Our glibc will look for the cache in its own path in `/nix/store`.
       # As such, we need a cache to exist there, because pressure-vessel

pkgs/data/icons/tela-icon-theme/default.nix

@@ -1,6 +1,6 @@
-{ fetchFromGitHub, gtk3, hicolor-icon-theme, jdupes, lib, stdenv }:
+{ fetchFromGitHub, gtk3, hicolor-icon-theme, jdupes, lib, stdenvNoCC }:
 
-stdenv.mkDerivation rec {
+stdenvNoCC.mkDerivation rec {
   pname = "tela-icon-theme";
   version = "2021-01-21";
 
@@ -17,6 +17,10 @@ stdenv.mkDerivation rec {
 
   dontDropIconThemeCache = true;
 
+  # These fixup steps are slow and unnecessary.
+  dontPatchELF = true;
+  dontRewriteSymlinks = true;
+
   installPhase = ''
     runHook preInstall
 
@@ -31,7 +35,7 @@ stdenv.mkDerivation rec {
   meta = with lib; {
     description = "A flat colorful Design icon theme";
     homepage = "https://github.com/vinceliuice/tela-icon-theme";
-    license = licenses.gpl3Plus;
+    license = licenses.gpl3Only;
     platforms = platforms.unix;
     maintainers = with maintainers; [ figsoda ];
   };

pkgs/development/libraries/py3c/default.nix

@@ -11,6 +11,11 @@ stdenv.mkDerivation rec {
     sha256 = "04i2z7hrig78clc59q3i1z2hh24g7z1bfvxznlzxv00d4s57nhpi";
   };
 
+  postPatch = lib.optionalString stdenv.cc.isClang ''
+    substituteInPlace test/setup.py \
+      --replace "'-Werror', " ""
+  '';
+
   makeFlags = [
     "prefix=${placeholder "out"}"
   ];
@@ -26,6 +31,6 @@ stdenv.mkDerivation rec {
     homepage = "https://github.com/encukou/py3c";
     description = "Python 2/3 compatibility layer for C extensions";
     license = licenses.mit;
-    maintainers = with maintainers; [ ajs124 ];
+    maintainers = with maintainers; [ ajs124 dotlambda ];
   };
 }

pkgs/development/python-modules/csvw/default.nix

@@ -14,14 +14,14 @@
 
 buildPythonPackage rec {
   pname = "csvw";
-  version = "1.10.1";
+  version = "1.10.2";
   disabled = isPy27;
 
   src = fetchFromGitHub {
     owner = "cldf";
     repo = "csvw";
     rev = "v${version}";
-    sha256 = "1764nfa4frjdd7v6wj35y7prnciaqz57wwygy5zfavl4laxn4nxd";
+    sha256 = "0z0qxlsfxwz1qapxb4d0mz3wkj99d7zi9yrg1cbd2xp7giagb6d4";
   };
 
   patchPhase = ''

pkgs/tools/graphics/pngquant/default.nix

@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "pngquant";
-  version = "2.12.5";
+  version = "2.14.1";
 
   src = fetchFromGitHub {
-    owner = "pornel";
+    owner = "kornelski";
     repo = "pngquant";
     rev = version;
-    sha256 = "0sq398iv5cacblz6pb4j2hn16cnszsbkahikdpfq84rb9bj0ya40";
+    sha256 = "054hi33qp3jc7hv0141wi8drwdg24v5zfp8znwjmz4mcdls8vxbb";
     fetchSubmodules = true;
   };
 
@@ -17,11 +17,14 @@ stdenv.mkDerivation rec {
   nativeBuildInputs = [ pkg-config ];
   buildInputs = [ libpng zlib lcms2 ];
 
+  doCheck = true;
+
   meta = with lib; {
     homepage = "https://pngquant.org/";
     description = "A tool to convert 24/32-bit RGBA PNGs to 8-bit palette with alpha channel preserved";
+    changelog = "https://github.com/kornelski/pngquant/raw/${version}/CHANGELOG";
     platforms = platforms.unix;
-    license = licenses.gpl3;
+    license = with licenses; [ gpl3Plus hpnd bsd2 ];
     maintainers = [ maintainers.volth ];
   };
 }

pkgs/top-level/all-packages.nix

@@ -26636,7 +26636,7 @@ in
 
   gnvim = callPackage ../applications/editors/neovim/gnvim/wrapper.nix { };
 
-  neovim-remote = callPackage ../applications/editors/neovim/neovim-remote.nix { pythonPackages = python3Packages; };
+  neovim-remote = callPackage ../applications/editors/neovim/neovim-remote.nix { };
 
   vis = callPackage ../applications/editors/vis {
     inherit (lua52Packages) lpeg;
@@ -26754,6 +26754,8 @@ in
   };
 
   vscode = callPackage ../applications/editors/vscode/vscode.nix { };
+  vscode-fhs = vscode.fhs;
+  vscode-fhsWithPackages = vscode.fhsWithPackages;
 
   vscode-with-extensions = callPackage ../applications/editors/vscode/with-extensions.nix {};
 
@@ -26762,6 +26764,8 @@ in
   vscode-extensions = recurseIntoAttrs (callPackage ../misc/vscode-extensions {});
 
   vscodium = callPackage ../applications/editors/vscode/vscodium.nix { };
+  vscodium-fhs = vscodium.fhs;
+  vscodium-fhsWithPackages = vscodium.fhsWithPackages;
 
   code-server = callPackage ../servers/code-server {
     inherit (darwin.apple_sdk.frameworks) AppKit Cocoa Security;