unzip: Patch for CVE-2014-81{39,40,41}.

(Cherry-picked from 173f41cf0bc618f0b2c313b1915fee8d8a6d0ee2.)

lib/lists.nix

@@ -238,4 +238,6 @@ in rec {
     in zipTwoLists' 0;
 
   deepSeqList = xs: y: if any (x: deepSeq x false) xs then y else y;
+
+  crossLists = f: foldl (fs: args: concatMap (f: map f args) fs) [f];
 }

lib/modules.nix

@@ -12,7 +12,7 @@ rec {
      and ‘config’: the nested set of all option values. */
   evalModules = { modules, prefix ? [], args ? {}, check ? true }:
     let
-      args' = args // result;
+      args' = args // { lib = import ./.; } // result;
       closed = closeModules modules args';
       # Note: the list of modules is reversed to maintain backward
       # compatibility with the old module system.  Not sure if this is
@@ -300,6 +300,8 @@ rec {
   mkForce = mkOverride 50;
   mkVMOverride = mkOverride 10; # used by ‘nixos-rebuild build-vm’
 
+  mkStrict = builtins.trace "`mkStrict' is obsolete; use `mkOverride 0' instead." (mkOverride 0);
+
   mkFixStrictness = id; # obsolete, no-op
 
   # FIXME: Add mkOrder back in. It's not currently used anywhere in

maintainers/scripts/copy-tarball.sh

@@ -1,45 +0,0 @@
-#! /bin/sh -e
-
-distDir=${NIX_TARBALLS_CACHE:-/tarballs}
-
-url="$1"
-file="$2"
-if [ -z "$url" ]; then echo "syntax: $0 URL"; exit 0; fi
-
-base="$(basename "$url")"
-if [ -z "$base" ]; then echo "bad URL"; exit 1; fi
-dstPath="$distDir/$base"
-
-if [ -e "$dstPath" ]; then if [ -n "$VERBOSE" ]; then echo "$dstPath already exists"; fi; exit 0; fi
-
-if [ -z "$file" ]; then
-
-    echo "downloading $url to $dstPath"
-
-    if [ -n "$DRY_RUN" ]; then exit 0; fi
-
-    declare -a res
-    if ! res=($(PRINT_PATH=1 nix-prefetch-url "$url")); then
-        exit
-    fi
-
-    storePath=${res[1]}
-
-else
-    storePath="$file"
-fi
-
-cp $storePath "$dstPath.tmp.$$"
-mv -f "$dstPath.tmp.$$" "$dstPath"
-
-echo "hashing $dstPath"
-
-md5=$(nix-hash --flat --type md5 "$dstPath")
-ln -sfn "../$base" $distDir/md5/$md5
-
-sha1=$(nix-hash --flat --type sha1 "$dstPath")
-ln -sfn "../$base" $distDir/sha1/$sha1
-
-sha256=$(nix-hash --flat --type sha256 "$dstPath")
-ln -sfn "../$base" $distDir/sha256/$sha256
-ln -sfn "../$base" $distDir/sha256/$(nix-hash --type sha256 --to-base32 "$sha256")

maintainers/scripts/copy-tarballs.pl

@@ -0,0 +1,95 @@
+#! /run/current-system/sw/bin/perl -w
+
+use strict;
+use XML::Simple;
+use File::Basename;
+use File::Path;
+use File::Copy 'cp';
+use IPC::Open2;
+use Nix::Store;
+
+my $myDir = dirname($0);
+
+my $tarballsCache = $ENV{'NIX_TARBALLS_CACHE'} // "/tarballs";
+
+my $xml = `nix-instantiate --eval-only --xml --strict '<nixpkgs/maintainers/scripts/find-tarballs.nix>'`;
+die "$0: evaluation failed\n" if $? != 0;
+
+my $data = XMLin($xml) or die;
+
+mkpath($tarballsCache);
+mkpath("$tarballsCache/md5");
+mkpath("$tarballsCache/sha1");
+mkpath("$tarballsCache/sha256");
+
+foreach my $file (@{$data->{list}->{attrs}}) {
+    my $url = $file->{attr}->{url}->{string}->{value};
+    my $algo = $file->{attr}->{type}->{string}->{value};
+    my $hash = $file->{attr}->{hash}->{string}->{value};
+
+    if ($url !~ /^http:/ && $url !~ /^https:/ && $url !~ /^ftp:/ && $url !~ /^mirror:/) {
+        print STDERR "skipping $url (unsupported scheme)\n";
+        next;
+    }
+
+    $url =~ /([^\/]+)$/;
+    my $fn = $1;
+
+    if (!defined $fn) {
+        print STDERR "skipping $url (no file name)\n";
+        next;
+    }
+
+    if ($fn =~ /[&?=%]/ || $fn =~ /^\./) {
+        print STDERR "skipping $url (bad character in file name)\n";
+        next;
+    }
+
+    if ($fn !~ /[a-zA-Z]/) {
+        print STDERR "skipping $url (no letter in file name)\n";
+        next;
+    }
+
+    if ($fn !~ /[0-9]/) {
+        print STDERR "skipping $url (no digit in file name)\n";
+        next;
+    }
+
+    if ($fn !~ /[-_\.]/) {
+        print STDERR "skipping $url (no dash/dot/underscore in file name)\n";
+        next;
+    }
+
+    my $dstPath = "$tarballsCache/$fn";
+
+    next if -e $dstPath;
+
+    print "downloading $url to $dstPath...\n";
+
+    next if $ENV{DRY_RUN};
+
+    $ENV{QUIET} = 1;
+    $ENV{PRINT_PATH} = 1;
+    my $fh;
+    my $pid = open($fh, "-|", "nix-prefetch-url", "--type", $algo, $url, $hash) or die;
+    waitpid($pid, 0) or die;
+    if ($? != 0) {
+        print STDERR "failed to fetch $url: $?\n";
+        last if $? >> 8 == 255;
+        next;
+    }
+    <$fh>; my $storePath = <$fh>; chomp $storePath;
+
+    die unless -e $storePath;
+
+    cp($storePath, $dstPath) or die;
+
+    my $md5 = hashFile("md5", 0, $storePath) or die;
+    symlink("../$fn", "$tarballsCache/md5/$md5");
+
+    my $sha1 = hashFile("sha1", 0, $storePath) or die;
+    symlink("../$fn", "$tarballsCache/sha1/$sha1");
+
+    my $sha256 = hashFile("sha256", 0, $storePath) or die;
+    symlink("../$fn", "$tarballsCache/sha256/$sha256");
+}

maintainers/scripts/copy-tarballs.sh

@@ -1,27 +0,0 @@
-#! /bin/sh -e
-
-urls=$(nix-instantiate --eval-only --xml --strict '<nixpkgs/maintainers/scripts/eval-release.nix>' \
-    | grep -A2 'name="urls"' \
-    | grep '<string value=' \
-    | sed 's/.*"\(.*\)".*/\1/' \
-    | sort | uniq)
-
-for url in $urls; do
-    if echo "$url" | grep -q -E "www.cs.uu.nl|nixos.org|.stratego-language.org|java.sun.com|ut2004|linuxq3a|RealPlayer|Adbe|belastingdienst|microsoft|armijn/.nix|sun.com|archive.eclipse.org"; then continue; fi
-
-    # Check the URL scheme.
-    if ! echo "$url" | grep -q -E "^[a-z]+://"; then echo "skipping $url (no URL scheme)"; continue; fi
-
-    # Check the basename.  It should include something resembling a version.
-    base="$(basename "$url")"
-    #if ! echo "$base" | grep -q -E "[-_].*[0-9].*"; then echo "skipping $url (no version)"; continue; fi
-    if ! echo "$base" | grep -q -E "[a-zA-Z]"; then echo "skipping $url (no letter in name)"; continue; fi
-    if ! echo "$base" | grep -q -E "[0-9]"; then echo "skipping $url (no digit in name)"; continue; fi
-    if ! echo "$base" | grep -q -E "[-_\.]"; then echo "skipping $url (no dot/underscore in name)"; continue; fi
-    if echo "$base" | grep -q -E "[&?=%]"; then echo "skipping $url (bad character in name)"; continue; fi
-    if [ "${base:0:1}" = "." ]; then echo "skipping $url (starts with a dot)"; continue; fi
-
-    $(dirname $0)/copy-tarball.sh "$url"
-done
-
-echo DONE

maintainers/scripts/find-tarballs.nix

@@ -0,0 +1,45 @@
+# This expression returns a list of all fetchurl calls used by all
+# packages reachable from release.nix.
+
+with import ../.. { };
+with lib;
+
+let
+
+  root = removeAttrs (import ../../pkgs/top-level/release.nix { }) [ "tarball" "unstable" ];
+
+  uniqueUrls = map (x: x.file) (genericClosure {
+    startSet = map (file: { key = file.url; inherit file; }) urls;
+    operator = const [ ];
+  });
+
+  urls = map (drv: { url = head drv.urls; hash = drv.outputHash; type = drv.outputHashAlgo; }) fetchurlDependencies;
+
+  fetchurlDependencies = filter (drv: drv.outputHash or "" != "" && drv ? urls) dependencies;
+
+  dependencies = map (x: x.value) (genericClosure {
+    startSet = map keyDrv (derivationsIn' root);
+    operator = { key, value }: map keyDrv (immediateDependenciesOf value);
+  });
+
+  derivationsIn' = x:
+    if !canEval x then []
+    else if isDerivation x then optional (canEval x.drvPath) x
+    else if isList x then concatLists (map derivationsIn' x)
+    else if isAttrs x then concatLists (mapAttrsToList (n: v: derivationsIn' v) x)
+    else [ ];
+
+  keyDrv = drv: if canEval drv.drvPath then { key = drv.drvPath; value = drv; } else { };
+
+  immediateDependenciesOf = drv:
+    concatLists (mapAttrsToList (n: v: derivationsIn v) (removeAttrs drv ["meta" "passthru"]));
+
+  derivationsIn = x:
+    if !canEval x then []
+    else if isDerivation x then optional (canEval x.drvPath) x
+    else if isList x then concatLists (map derivationsIn x)
+    else [ ];
+
+  canEval = val: (builtins.tryEval val).success;
+
+in uniqueUrls

nixos/doc/manual/configuration.xml

@@ -1235,7 +1235,7 @@ with other kernel modules.</para>
 <para>On 64-bit systems, if you want full acceleration for 32-bit
 programs such as Wine, you should also set the following:
 <programlisting>
-service.xserver.driSupport32Bit = true;
+services.xserver.driSupport32Bit = true;
 </programlisting>
 </para>
 

nixos/doc/manual/default.nix

@@ -1,6 +1,4 @@
-{ pkgs, options
-, revision ? "master"
-}:
+{ pkgs, options, version, revision }:
 
 with pkgs.lib;
 
@@ -60,6 +58,7 @@ in rec {
     buildCommand = ''
       ln -s $sources/*.xml . # */
       ln -s ${optionsDocBook} options-db.xml
+      echo "${version}" > version
 
       # Check the validity of the manual sources.
       xmllint --noout --nonet --xinclude --noxincludenode \

nixos/doc/manual/manual.xml

@@ -5,6 +5,7 @@
   <info>
 
     <title>NixOS Manual</title>
+    <subtitle>Version <xi:include href="version" parse="text" /></subtitle>
 
     <author>
       <personname>

nixos/maintainers/scripts/ec2/amazon-base-config.nix

@@ -0,0 +1,5 @@
+{ modulesPath, ...}:
+{
+  imports = [ "${modulesPath}/virtualisation/amazon-config.nix" ];
+  services.journald.rateLimitBurst = 0;
+}

nixos/maintainers/scripts/ec2/create-ebs-amis.py

@@ -8,15 +8,17 @@ import nixops.util
 from nixops import deployment
 from boto.ec2.blockdevicemapping import BlockDeviceMapping, BlockDeviceType
 import boto.ec2
+from nixops.statefile import StateFile, get_default_state_file
 
 parser = argparse.ArgumentParser(description='Create an EBS-backed NixOS AMI')
 parser.add_argument('--region', dest='region', required=True, help='EC2 region to create the image in')
+parser.add_argument('--channel', dest='channel', default="13.10", help='Channel to use')
 parser.add_argument('--keep', dest='keep', action='store_true', help='Keep NixOps machine after use')
 parser.add_argument('--hvm', dest='hvm', action='store_true', help='Create HVM image')
 parser.add_argument('--key', dest='key_name', action='store_true', help='Keypair used for HVM instance creation', default="rob")
 args = parser.parse_args()
 
-instance_type = "cc1.4xlarge" if args.hvm else "m1.small"
+instance_type = "m3.xlarge" if args.hvm else "m1.small"
 ebs_size = 8 if args.hvm else 20
 
 
@@ -37,11 +39,11 @@ f.write('''{{
 '''.format(args.region, ebs_size))
 f.close()
 
-db = deployment.open_database(deployment.get_default_state_file())
+db = StateFile(get_default_state_file())
 try:
-    depl = deployment.open_deployment(db, "ebs-creator")
+    depl = db.open_deployment("ebs-creator")
 except Exception:
-    depl = deployment.create_deployment(db)
+    depl = db.create_deployment()
     depl.name = "ebs-creator"
 depl.auto_response = "y"
 depl.nix_exprs = [os.path.abspath("./ebs-creator.nix"), os.path.abspath("./ebs-creator-config.nix")]
@@ -64,7 +66,7 @@ m.run_command("mkdir -p /mnt")
 m.run_command("mount {0} /mnt".format(device))
 m.run_command("touch /mnt/.ebs")
 m.run_command("mkdir -p /mnt/etc/nixos")
-m.run_command("nix-channel --add http://nixos.org/channels/nixos-unstable")
+m.run_command("nix-channel --add http://nixos.org/channels/nixos-{} nixos".format(args.channel))
 m.run_command("nix-channel --update")
 m.run_command("nixos-rebuild switch")
 version = m.run_command("nixos-version", capture_stdout=True).replace('"', '').rstrip()
@@ -72,7 +74,8 @@ print >> sys.stderr, "NixOS version is {0}".format(version)
 m.upload_file("./amazon-base-config.nix", "/mnt/etc/nixos/configuration.nix")
 m.run_command("nixos-install")
 if args.hvm:
-    m.run_command('cp /mnt/nix/store/*-grub-0.97*/lib/grub/i386-pc/* /mnt/boot/grub')
+    m.run_command('nix-env -iA nixos.pkgs.grub')
+    m.run_command('cp /nix/store/*-grub-0.97*/lib/grub/i386-pc/* /mnt/boot/grub')
     m.run_command('sed -i "s|hd0|hd0,0|" /mnt/boot/grub/menu.lst')
     m.run_command('echo "(hd1) /dev/xvdg" > device.map')
     m.run_command('echo -e "root (hd1,0)\nsetup (hd1)" | grub --device-map=device.map --batch')
@@ -98,7 +101,7 @@ def check():
 m.connect()
 volume = m._conn.get_all_volumes([], filters={'attachment.instance-id': m.resource_id, 'attachment.device': "/dev/sdg"})[0]
 if args.hvm:
-    instance = m._conn.run_instances( image_id="ami-6a9e4503"
+    instance = m._conn.run_instances( image_id="ami-5f491f36"
                                     , instance_type=instance_type
                                     , key_name=args.key_name
                                     , placement=m.zone
@@ -185,7 +188,7 @@ f.write(
     '''.format(args.region, ami_id, instance_type))
 f.close()
 
-test_depl = deployment.create_deployment(db)
+test_depl = db.create_deployment()
 test_depl.auto_response = "y"
 test_depl.name = "ebs-creator-test"
 test_depl.nix_exprs = [os.path.abspath("./ebs-test.nix")]

nixos/maintainers/scripts/ec2/create-s3-amis.sh

@@ -1,9 +1,8 @@
 #! /bin/sh -e
 
-nixos=$(nix-instantiate --find-file nixos)
 export NIXOS_CONFIG=$(dirname $(readlink -f $0))/amazon-base-config.nix
 
-version=$(nix-instantiate --eval-only '<nixos>' -A config.system.nixosVersion | sed s/'"'//g)
+version=$(nix-instantiate --eval-only '<nixpkgs/nixos>' -A config.system.nixosVersion | sed s/'"'//g)
 echo "NixOS version is $version"
 
 buildAndUploadFor() {
@@ -11,13 +10,13 @@ buildAndUploadFor() {
     arch="$2"
 
     echo "building $system image..."
-    nix-build '<nixos>' \
+    nix-build '<nixpkgs/nixos>' \
         -A config.system.build.amazonImage --argstr system "$system" -o ec2-ami
 
     ec2-bundle-image -i ./ec2-ami/nixos.img --user "$AWS_ACCOUNT" --arch "$arch" \
         -c "$EC2_CERT" -k "$EC2_PRIVATE_KEY"
 
-    for region in eu-west-1 us-east-1 us-west-1 us-west-2; do
+    for region in eu-west-1; do
         echo "uploading $system image for $region..."
 
         name=nixos-$version-$arch-s3

nixos/maintainers/scripts/gce/create-gce.sh

@@ -0,0 +1,14 @@
+#! /bin/sh -e
+
+export NIX_PATH=nixpkgs=../../../..
+export NIXOS_CONFIG=$(dirname $(readlink -f $0))/../../../modules/virtualisation/google-compute-image.nix
+export TIMESTAMP=$(date +%Y%m%d%H%M)
+
+nix-build '<nixpkgs/nixos>' \
+   -A config.system.build.googleComputeImage --argstr system x86_64-linux -o gce --option extra-binary-caches http://hydra.nixos.org -j 10
+
+img=$(echo gce/*.tar.gz)
+if ! gsutil ls gs://nixos/$(basename $img); then
+  gsutil cp $img gs://nixos/$(basename $img)
+fi
+gcutil addimage $(basename $img .raw.tar.gz | sed 's|\.|-|' | sed 's|_|-|') gs://nixos/$(basename $img)

nixos/modules/config/users-groups.nix

@@ -188,6 +188,20 @@ in
       options = [ groupOpts ];
     };
 
+    security.initialRootPassword = mkOption {
+      type = types.str;
+      default = "";
+      example = "!";
+      description = ''
+        The (hashed) password for the root account set on initial
+        installation.  The empty string denotes that root can login
+        locally without a password (but not via remote services such
+        as SSH, or indirectly via <command>su</command> or
+        <command>sudo</command>).  The string <literal>!</literal>
+        prevents root from logging in using a password.
+      '';
+    };
+
   };
 
 
@@ -240,7 +254,23 @@ in
             # Can't use useradd, since it complains that it doesn't know us
             # (bootstrap problem!).
             echo "root:x:0:0:System administrator:$rootHome:${config.users.defaultUserShell}" >> /etc/passwd
-            echo "root::::::::" >> /etc/shadow
+            echo "root:${config.security.initialRootPassword}:::::::" >> /etc/shadow
+        fi
+      '';
+
+    # Print a reminder for users to set a root password.
+    environment.interactiveShellInit =
+      ''
+        if [ "$UID" = 0 ]; then
+            read _l < /etc/shadow
+            if [ "''${_l:0:6}" = root:: ]; then
+                cat >&2 <<EOF
+        Warning: Your root account has a null password, allowing local users
+        to login as root.  Please set a non-null password using \`passwd', or
+        disable password-based root logins using \`passwd -l'.
+        EOF
+            fi
+            unset _l
         fi
       '';
 

nixos/modules/installer/tools/nixos-generate-config.pl

@@ -96,9 +96,9 @@ my $videoDriver;
 
 sub pciCheck {
     my $path = shift;
-    my $vendor = read_file "$path/vendor";
-    my $device = read_file "$path/device";
-    my $class = read_file "$path/class";
+    my $vendor = read_file "$path/vendor"; chomp $vendor;
+    my $device = read_file "$path/device"; chomp $device;
+    my $class = read_file "$path/class"; chomp $class;
 
     my $module;
     if (-e "$path/driver/module") {
@@ -130,6 +130,7 @@ sub pciCheck {
 
     # broadcom STA driver (wl.ko)
     # list taken from http://www.broadcom.com/docs/linux_sta/README.txt
+    # FIXME: still needed?
     if ($vendor eq "0x14e4" &&
         ($device eq "0x4311" || $device eq "0x4312" || $device eq "0x4313" ||
          $device eq "0x4315" || $device eq "0x4327" || $device eq "0x4328" ||
@@ -156,6 +157,7 @@ sub pciCheck {
 
     # Assume that all NVIDIA cards are supported by the NVIDIA driver.
     # There may be exceptions (e.g. old cards).
+    # FIXME: do we want to enable an unfree driver here?
     $videoDriver = "nvidia" if $vendor eq "0x10de" && $class =~ /^0x03/;
 }
 
@@ -170,9 +172,9 @@ push @attrs, "services.xserver.videoDrivers = [ \"$videoDriver\" ];" if $videoDr
 
 sub usbCheck {
     my $path = shift;
-    my $class = read_file "$path/bInterfaceClass";
-    my $subclass = read_file "$path/bInterfaceSubClass";
-    my $protocol = read_file "$path/bInterfaceProtocol";
+    my $class = read_file "$path/bInterfaceClass"; chomp $class;
+    my $subclass = read_file "$path/bInterfaceSubClass"; chomp $subclass;
+    my $protocol = read_file "$path/bInterfaceProtocol"; chomp $protocol;
 
     my $module;
     if (-e "$path/driver/module") {

nixos/modules/misc/nixpkgs.nix

@@ -72,6 +72,6 @@ in
   };
 
   config = {
-    nixpkgs.system = pkgs.stdenv.system;
+    nixpkgs.system = mkDefault pkgs.stdenv.system;
   };
 }

nixos/modules/programs/venus.nix

@@ -40,7 +40,7 @@ in
       };
 
       dates = mkOption {
-        default = "*:0,15,30,45";
+        default = "*:0/15";
         type = types.string;
         description = ''
           Specification (in the format described by
@@ -167,7 +167,7 @@ in
         serviceConfig.User = "${cfg.user}";
         serviceConfig.Group = "${cfg.group}";
         environment.OPENSSL_X509_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt";
-        startOn = cfg.dates;
+        startAt = cfg.dates;
       };
 
   };

nixos/modules/security/setuid-wrapper.c

@@ -30,8 +30,8 @@ int main(int argc, char * * argv)
        creating hard link `X' from some other location, along with a
        false `X.real' file, to allow arbitrary programs from being
        executed setuid.  */
-    assert ((strncmp(self, wrapperDir, sizeof(wrapperDir)) == 0) &&
-	    (self[strlen(wrapperDir)] == '/'));
+    assert ((strncmp(self, wrapperDir, strlen(wrapperDir)) == 0) &&
+            (self[strlen(wrapperDir)] == '/'));
 
     /* Make *really* *really* sure that we were executed as `self',
        and not, say, as some other setuid program.  That is, our
@@ -42,12 +42,12 @@ int main(int argc, char * * argv)
     assert (lstat(self, &st) != -1);
 
     //printf("%d %d\n", st.st_uid, st.st_gid);
-    
+
     assert ((st.st_mode & S_ISUID) == 0 ||
-	    (st.st_uid == geteuid()));
+            (st.st_uid == geteuid()));
 
     assert ((st.st_mode & S_ISGID) == 0 ||
-	    st.st_gid == getegid());
+            st.st_gid == getegid());
 
     /* And, of course, we shouldn't be writable. */
     assert (!(st.st_mode & (S_IWGRP | S_IWOTH)));
@@ -69,13 +69,13 @@ int main(int argc, char * * argv)
     real[len] = 0;
 
     close(fdSelf);
-    
+
     //printf("real = %s, len = %d\n", real, len);
 
     execve(real, argv, environ);
 
     fprintf(stderr, "%s: cannot run `%s': %s\n",
         argv[0], real, strerror(errno));
-    
+
     exit(1);
 }

nixos/modules/services/databases/postgresql.nix

@@ -30,6 +30,7 @@ let
       hba_file = '${pkgs.writeText "pg_hba.conf" cfg.authentication}'
       ident_file = '${pkgs.writeText "pg_ident.conf" cfg.identMap}'
       log_destination = 'stderr'
+      port = ${toString cfg.port}
       ${cfg.extraConfig}
     '';
 
@@ -63,9 +64,9 @@ in
 
       port = mkOption {
         type = types.int;
-        default = "5432";
+        default = 5432;
         description = ''
-          Port for PostgreSQL.
+          The port on which PostgreSQL listens.
         '';
       };
 
@@ -105,7 +106,9 @@ in
         type = types.bool;
         default = false;
         description = ''
-          Whether to run PostgreSQL with -i flag to enable TCP/IP connections.
+          Whether PostgreSQL should listen on all network interfaces.
+          If disabled, the database can only be accessed via its Unix
+          domain socket or via TCP connections to localhost.
         '';
       };
 
@@ -203,6 +206,7 @@ in
             # Shut down Postgres using SIGINT ("Fast Shutdown mode").  See
             # http://www.postgresql.org/docs/current/static/server-shutdown.html
             KillSignal = "SIGINT";
+            KillMode = "process"; # FIXME: this may cause processes to be left behind in the cgroup even after the final SIGKILL
 
             # Give Postgres a decent amount of time to clean up after
             # receiving systemd's SIGINT.

nixos/modules/services/misc/nixos-manual.nix

@@ -23,6 +23,7 @@ let
 
   manual = import ../../../doc/manual {
     inherit pkgs;
+    version = config.system.nixosVersion;
     revision = config.system.nixosRevision;
     options = eval.options;
   };

nixos/modules/services/networking/ntpd.nix

@@ -15,6 +15,9 @@ let
     # chroot to ${stateDir}, we have to specify it as /ntp.drift.
     driftfile /ntp.drift
 
+    restrict default kod nomodify notrap nopeer noquery
+    restrict -6 default kod nomodify notrap nopeer noquery
+
     ${toString (map (server: "server " + server + " iburst\n") config.services.ntp.servers)}
   '';
 

nixos/modules/services/networking/ssh/sshd.nix

@@ -39,7 +39,7 @@ let
       };
 
       keyFiles = mkOption {
-        type = types.listOf types.str;
+        type = types.listOf types.unspecified;
         default = [];
         description = ''
           A list of files each containing one OpenSSH public key that should be
@@ -172,7 +172,7 @@ in
       };
 
       authorizedKeysFiles = mkOption {
-        type = types.listOf types.str;
+        type = types.listOf types.unspecified;
         default = [];
         description = "Files from with authorized keys are read.";
       };

nixos/modules/services/printing/cupsd.nix

@@ -149,7 +149,7 @@ in
       ''
         LogLevel info
 
-        SystemGroup root
+        SystemGroup root wheel
 
         Listen localhost:631
         Listen /var/run/cups/cups.sock

nixos/modules/services/security/fail2ban.nix

@@ -106,7 +106,7 @@ in
         serviceConfig =
           { ExecStart = "${pkgs.fail2ban}/bin/fail2ban-server -f";
             ReadOnlyDirectories = "/";
-            ReadWriteDirectories = "/run/fail2ban /var/tmp";
+            ReadWriteDirectories = "/run /var/tmp";
             CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW";
           };
 

nixos/modules/services/web-servers/apache-httpd/mediawiki.nix

@@ -72,11 +72,11 @@ let
 
   # Unpack Mediawiki and put the config file in its root directory.
   mediawikiRoot = pkgs.stdenv.mkDerivation rec {
-    name= "mediawiki-1.20.5";
+    name= "mediawiki-1.20.8";
 
     src = pkgs.fetchurl {
       url = "http://download.wikimedia.org/mediawiki/1.20/${name}.tar.gz";
-      sha256 = "0ix6khrilfdncjqnh41xjs0bd49i1q0rywycjaixjfpwj6vjbqbl";
+      sha256 = "0yfmh5vnfbgpvicfqh7nh4hwdk4qbc6gfniv02vchkg5al0nn7ag";
     };
 
     skins = config.skins;

nixos/modules/services/x11/terminal-server.nix

@@ -17,27 +17,17 @@ let
       #! ${pkgs.stdenv.shell}
       export XKB_BINDIR=${pkgs.xorg.xkbcomp}/bin
       export XORG_DRI_DRIVER_PATH=${pkgs.mesa}/lib/dri
-      exec ${pkgs.xorg.xorgserver}/bin/Xvfb "$@" -xkbdir "${pkgs.xkeyboard_config}/etc/X11/xkb"
+      exec ${pkgs.xorg.xorgserver}/bin/Xvfb "$@" -xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb
     '';
 
-  # ‘xinetd’ is insanely braindamaged in that it sends stderr to
-  # stdout.  Thus requires just about any xinetd program to be
-  # wrapped to redirect its stderr.  Sigh.
-  x11vncWrapper = pkgs.writeScriptBin "x11vnc-wrapper"
-    ''
-      #! ${pkgs.stdenv.shell}
-      export PATH=${makeSearchPath "bin" [ xvfbWrapper pkgs.gawk pkgs.which pkgs.openssl pkgs.xorg.xauth pkgs.nettools pkgs.shadow pkgs.procps pkgs.utillinux pkgs.bash ]}:$PATH
-      export FD_GEOM=1024x786x24
-      exec ${pkgs.x11vnc}/bin/x11vnc -inetd -display WAIT:1024x786:cmd=FINDCREATEDISPLAY-Xvfb.xdmcp -unixpw -ssl SAVE 2> /var/log/x11vnc.log
-    '';
-
-in 
+in
 
 {
 
   config = {
-  
+
     services.xserver.enable = true;
+    services.xserver.videoDrivers = [];
 
     # Enable KDM.  Any display manager will do as long as it supports XDMCP.
     services.xserver.displayManager.kdm.enable = true;
@@ -52,13 +42,38 @@ in
         Xaccess=${pkgs.writeText "Xaccess" "localhost"}
       '';
 
-    services.xinetd.enable = true;
-    services.xinetd.services = singleton
-      { name = "x11vnc";
-        port = 5900;
-        unlisted = true;
-        user = "root";
-        server = "${x11vncWrapper}/bin/x11vnc-wrapper";
+    networking.firewall.allowedTCPPorts = [ 5900 ];
+
+    systemd.sockets.terminal-server =
+      { description = "Terminal Server Socket";
+        wantedBy = [ "sockets.target" ];
+        before = [ "multi-user.target" ];
+        socketConfig.Accept = true;
+        socketConfig.ListenStream = 5900;
+      };
+
+    systemd.services."terminal-server@" =
+      { description = "Terminal Server";
+
+        path =
+          [ xvfbWrapper pkgs.gawk pkgs.which pkgs.openssl pkgs.xorg.xauth
+            pkgs.nettools pkgs.shadow pkgs.procps pkgs.utillinux pkgs.bash
+          ];
+
+        environment.FD_GEOM = "1024x786x24";
+        environment.FD_XDMCP_IF = "127.0.0.1";
+        #environment.FIND_DISPLAY_OUTPUT = "/tmp/foo"; # to debug the "find display" script
+
+        serviceConfig =
+          { StandardInput = "socket";
+            StandardOutput = "socket";
+            StandardError = "journal";
+            ExecStart = "@${pkgs.x11vnc}/bin/x11vnc x11vnc -inetd -display WAIT:1024x786:cmd=FINDCREATEDISPLAY-Xvfb.xdmcp -unixpw -ssl SAVE";
+            # Don't kill the X server when the user quits the VNC
+            # connection.  FIXME: the X server should run in a
+            # separate systemd session.
+            KillMode = "process";
+          };
       };
 
   };

nixos/modules/services/x11/xserver.nix

@@ -523,9 +523,9 @@ in
         preStart =
           ''
             rm -f /run/opengl-driver{,-32}
-            ${optionalString (!cfg.driSupport32Bit) "ln -sf opengl-driver /run/opengl-driver-32"}
+            ${optionalString (pkgs.stdenv.isi686) "ln -sf opengl-driver /run/opengl-driver-32"}
 
-            ${# !!! The OpenGL driver depends on what's detected at runtime.
+            ${#TODO:  The OpenGL driver should depend on what's detected at runtime.
               if elem "nvidia" driverNames then
                 ''
                   ln -sf ${kernelPackages.nvidia_x11} /run/opengl-driver

nixos/modules/system/activation/switch-to-configuration.pl

@@ -62,7 +62,7 @@ $SIG{PIPE} = "IGNORE";
 sub getActiveUnits {
     # FIXME: use D-Bus or whatever to query this, since parsing the
     # output of list-units is likely to break.
-    my $lines = `@systemd@/bin/systemctl list-units --full`;
+    my $lines = `LANG= systemctl list-units --full --no-legend`;
     my $res = {};
     foreach my $line (split '\n', $lines) {
         chomp $line;
@@ -123,7 +123,7 @@ while (my ($unit, $state) = each %{$activePrev}) {
     $baseName =~ s/\.[a-z]*$//;
 
     if (-e $prevUnitFile && ($state->{state} eq "active" || $state->{state} eq "activating")) {
-        if (! -e $newUnitFile) {
+        if (! -e $newUnitFile || abs_path($newUnitFile) eq "/dev/null") {
             push @unitsToStop, $unit;
         }
 
@@ -277,7 +277,7 @@ foreach my $device (keys %$prevSwaps) {
 if (scalar @unitsToStop > 0) {
     @unitsToStop = unique(@unitsToStop);
     print STDERR "stopping the following units: ", join(", ", sort(@unitsToStop)), "\n";
-    system("@systemd@/bin/systemctl", "stop", "--", @unitsToStop); # FIXME: ignore errors?
+    system("systemctl", "stop", "--", @unitsToStop); # FIXME: ignore errors?
 }
 
 print STDERR "NOT restarting the following units: ", join(", ", sort(@unitsToSkip)), "\n"

nixos/modules/system/boot/kernel.nix

@@ -199,7 +199,7 @@ in
         "unix"
 
         # Misc. stuff.
-        "pcips2" "xtkbd"
+        "pcips2" "xtkbd" "atkbd"
 
         # To wait for SCSI devices to appear.
         "scsi_wait_scan"
@@ -230,10 +230,8 @@ in
       { description = "Load Kernel Modules";
         wantedBy = [ "sysinit.target" "multi-user.target" ];
         before = [ "sysinit.target" "shutdown.target" ];
-        unitConfig =
-          { DefaultDependencies = "no";
-            Conflicts = "shutdown.target";
-          };
+        conflicts = [ "shutdown.target" ];
+        unitConfig.DefaultDependencies = "no";
         serviceConfig =
           { Type = "oneshot";
             RemainAfterExit = true;

nixos/modules/system/boot/modprobe.nix

@@ -68,7 +68,10 @@ with pkgs.lib;
 
   config = {
 
-    environment.etc = singleton
+    environment.etc = [
+      { source = "${pkgs.kmod-blacklist-ubuntu}/modprobe.conf";
+        target = "modprobe.d/ubuntu.conf";
+      }
       { source = pkgs.writeText "modprobe.conf"
           ''
             ${flip concatMapStrings config.boot.blacklistedKernelModules (name: ''
@@ -77,26 +80,11 @@ with pkgs.lib;
             ${config.boot.extraModprobeConfig}
           '';
         target = "modprobe.d/nixos.conf";
-      };
+      }
+    ];
 
     environment.systemPackages = [ config.system.sbin.modprobe pkgs.kmod ];
 
-    boot.blacklistedKernelModules =
-      [ # This module is for debugging and generates gigantic amounts
-        # of log output, so it should never be loaded automatically.
-        "evbug"
-
-        # This module causes ALSA to occassionally select the wrong
-        # default sound device, and is little more than an annoyance
-        # on modern machines.
-        "snd_pcsp"
-
-        # The cirrusfb module prevents X11 from starting.  FIXME:
-        # Ubuntu blacklists all framebuffer devices because they're
-        # "buggy" and cause suspend problems.  Maybe we should too?
-        "cirrusfb"
-      ];
-
     system.activationScripts.modprobe =
       ''
         # Allow the kernel to find our wrapped modprobe (which searches

nixos/modules/system/boot/systemd-unit-options.nix

@@ -14,6 +14,18 @@ let
     in if errors == [] then true
        else builtins.trace (concatStringsSep "\n" errors) false;
 
+  unitOption = mkOptionType {
+    name = "systemd option";
+    merge = loc: defs:
+      let
+        defs' = filterOverrides defs;
+        defs'' = getValues defs';
+      in
+        if isList (head defs'')
+        then concatLists defs''
+        else mergeOneOption loc defs';
+  };
+
 in rec {
 
   unitOptions = {
@@ -37,7 +49,7 @@ in rec {
 
     requires = mkOption {
       default = [];
-      type = types.listOf types.string;
+      type = types.listOf types.str;
       description = ''
         Start the specified units when this unit is started, and stop
         this unit when the specified units are stopped or fail.
@@ -46,7 +58,7 @@ in rec {
 
     wants = mkOption {
       default = [];
-      type = types.listOf types.string;
+      type = types.listOf types.str;
       description = ''
         Start the specified units when this unit is started.
       '';
@@ -54,7 +66,7 @@ in rec {
 
     after = mkOption {
       default = [];
-      type = types.listOf types.string;
+      type = types.listOf types.str;
       description = ''
         If the specified units are started at the same time as
         this unit, delay this unit until they have started.
@@ -63,7 +75,7 @@ in rec {
 
     before = mkOption {
       default = [];
-      type = types.listOf types.string;
+      type = types.listOf types.str;
       description = ''
         If the specified units are started at the same time as
         this unit, delay them until this unit has started.
@@ -72,7 +84,7 @@ in rec {
 
     bindsTo = mkOption {
       default = [];
-      type = types.listOf types.string;
+      type = types.listOf types.str;
       description = ''
         Like ‘requires’, but in addition, if the specified units
         unexpectedly disappear, this unit will be stopped as well.
@@ -81,7 +93,7 @@ in rec {
 
     partOf = mkOption {
       default = [];
-      type = types.listOf types.string;
+      type = types.listOf types.str;
       description = ''
         If the specified units are stopped or restarted, then this
         unit is stopped or restarted as well.
@@ -90,7 +102,7 @@ in rec {
 
     conflicts = mkOption {
       default = [];
-      type = types.listOf types.string;
+      type = types.listOf types.str;
       description = ''
         If the specified units are started, then this unit is stopped
         and vice versa.
@@ -99,20 +111,20 @@ in rec {
 
     requiredBy = mkOption {
       default = [];
-      type = types.listOf types.string;
+      type = types.listOf types.str;
       description = "Units that require (i.e. depend on and need to go down with) this unit.";
     };
 
     wantedBy = mkOption {
       default = [];
-      type = types.listOf types.string;
+      type = types.listOf types.str;
       description = "Units that want (i.e. depend on) this unit.";
     };
 
     unitConfig = mkOption {
       default = {};
       example = { RequiresMountsFor = "/data"; };
-      type = types.attrs;
+      type = types.attrsOf unitOption;
       description = ''
         Each attribute in this set specifies an option in the
         <literal>[Unit]</literal> section of the unit.  See
@@ -137,7 +149,7 @@ in rec {
 
     environment = mkOption {
       default = {};
-      type = types.attrs;
+      type = types.attrs; # FIXME
       example = { PATH = "/foo/bar/bin"; LANG = "nl_NL.UTF-8"; };
       description = "Environment variables passed to the service's processes.";
     };
@@ -159,7 +171,7 @@ in rec {
         { StartLimitInterval = 10;
           RestartSec = 5;
         };
-      type = types.addCheck types.attrs checkService;
+      type = types.addCheck (types.attrsOf unitOption) checkService;
       description = ''
         Each attribute in this set specifies an option in the
         <literal>[Service]</literal> section of the unit.  See
@@ -169,7 +181,7 @@ in rec {
     };
 
     script = mkOption {
-      type = types.str;
+      type = types.lines;
       default = "";
       description = "Shell commands executed as the service's main process.";
     };
@@ -181,7 +193,7 @@ in rec {
     };
 
     preStart = mkOption {
-      type = types.string;
+      type = types.lines;
       default = "";
       description = ''
         Shell commands executed before the service's main process
@@ -190,7 +202,7 @@ in rec {
     };
 
     postStart = mkOption {
-      type = types.string;
+      type = types.lines;
       default = "";
       description = ''
         Shell commands executed after the service's main process
@@ -198,8 +210,16 @@ in rec {
       '';
     };
 
+    preStop = mkOption {
+      type = types.lines;
+      default = "";
+      description = ''
+        Shell commands executed to stop the service.
+      '';
+    };
+
     postStop = mkOption {
-      type = types.string;
+      type = types.lines;
       default = "";
       description = ''
         Shell commands executed after the service's main process
@@ -252,7 +272,7 @@ in rec {
 
     listenStreams = mkOption {
       default = [];
-      type = types.listOf types.string;
+      type = types.listOf types.str;
       example = [ "0.0.0.0:993" "/run/my-socket" ];
       description = ''
         For each item in this list, a <literal>ListenStream</literal>
@@ -263,7 +283,7 @@ in rec {
     socketConfig = mkOption {
       default = {};
       example = { ListenStream = "/run/my-socket"; };
-      type = types.attrs;
+      type = types.attrsOf unitOption;
       description = ''
         Each attribute in this set specifies an option in the
         <literal>[Socket]</literal> section of the unit.  See
@@ -280,7 +300,7 @@ in rec {
     timerConfig = mkOption {
       default = {};
       example = { OnCalendar = "Sun 14:00:00"; Unit = "foo.service"; };
-      type = types.attrs;
+      type = types.attrsOf unitOption;
       description = ''
         Each attribute in this set specifies an option in the
         <literal>[Timer]</literal> section of the unit.  See
@@ -328,7 +348,7 @@ in rec {
     mountConfig = mkOption {
       default = {};
       example = { DirectoryMode = "0775"; };
-      type = types.attrs;
+      type = types.attrsOf unitOption;
       description = ''
         Each attribute in this set specifies an option in the
         <literal>[Mount]</literal> section of the unit.  See
@@ -352,7 +372,7 @@ in rec {
     automountConfig = mkOption {
       default = {};
       example = { DirectoryMode = "0775"; };
-      type = types.attrs;
+      type = types.attrsOf unitOption;
       description = ''
         Each attribute in this set specifies an option in the
         <literal>[Automount]</literal> section of the unit.  See

nixos/modules/system/boot/systemd.nix

@@ -11,14 +11,18 @@ let
   systemd = cfg.package;
 
   makeUnit = name: unit:
-    pkgs.runCommand "unit" { inherit (unit) text; preferLocalBuild = true; }
-      (if unit.enable then  ''
-        mkdir -p $out
-        echo -n "$text" > $out/${name}
-      '' else ''
-        mkdir -p $out
-        ln -s /dev/null $out/${name}
-      '');
+    if unit.enable then
+      pkgs.runCommand "unit" { preferLocalBuild = true; inherit (unit) text; }
+        ''
+          mkdir -p $out
+          echo -n "$text" > $out/${name}
+        ''
+    else
+      pkgs.runCommand "unit" { preferLocalBuild = true; }
+        ''
+          mkdir -p $out
+          ln -s /dev/null $out/${name}
+        '';
 
   upstreamUnits =
     [ # Targets.
@@ -160,16 +164,48 @@ let
   };
 
   serviceConfig = { name, config, ... }: {
-    config = {
-      # Default path for systemd services.  Should be quite minimal.
-      path =
-        [ pkgs.coreutils
-          pkgs.findutils
-          pkgs.gnugrep
-          pkgs.gnused
-          systemd
-        ];
-    };
+    config = mkMerge
+      [ { # Default path for systemd services.  Should be quite minimal.
+          path =
+            [ pkgs.coreutils
+              pkgs.findutils
+              pkgs.gnugrep
+              pkgs.gnused
+              systemd
+            ];
+          environment.PATH = config.path;
+        }
+        (mkIf (config.preStart != "")
+          { serviceConfig.ExecStartPre = makeJobScript "${name}-pre-start" ''
+              #! ${pkgs.stdenv.shell} -e
+              ${config.preStart}
+            '';
+          })
+        (mkIf (config.script != "")
+          { serviceConfig.ExecStart = makeJobScript "${name}-start" ''
+              #! ${pkgs.stdenv.shell} -e
+              ${config.script}
+            '' + " " + config.scriptArgs;
+          })
+        (mkIf (config.postStart != "")
+          { serviceConfig.ExecStartPost = makeJobScript "${name}-post-start" ''
+              #! ${pkgs.stdenv.shell} -e
+              ${config.postStart}
+            '';
+          })
+        (mkIf (config.preStop != "")
+          { serviceConfig.ExecStop = makeJobScript "${name}-pre-stop" ''
+              #! ${pkgs.stdenv.shell} -e
+              ${config.preStop}
+            '';
+          })
+        (mkIf (config.postStop != "")
+          { serviceConfig.ExecStopPost = makeJobScript "${name}-post-stop" ''
+              #! ${pkgs.stdenv.shell} -e
+              ${config.postStop}
+            '';
+          })
+      ];
   };
 
   mountConfig = { name, config, ... }: {
@@ -223,41 +259,10 @@ let
           ${attrsToSection def.unitConfig}
 
           [Service]
-          Environment=PATH=${def.path}
-          Environment=LD_LIBRARY_PATH=
           ${let env = cfg.globalEnvironment // def.environment;
             in concatMapStrings (n: "Environment=\"${n}=${getAttr n env}\"\n") (attrNames env)}
           ${optionalString (!def.restartIfChanged) "X-RestartIfChanged=false"}
           ${optionalString (!def.stopIfChanged) "X-StopIfChanged=false"}
-
-          ${optionalString (def.preStart != "") ''
-            ExecStartPre=${makeJobScript "${name}-pre-start" ''
-              #! ${pkgs.stdenv.shell} -e
-              ${def.preStart}
-            ''}
-          ''}
-
-          ${optionalString (def.script != "") ''
-            ExecStart=${makeJobScript "${name}-start" ''
-              #! ${pkgs.stdenv.shell} -e
-              ${def.script}
-            ''} ${def.scriptArgs}
-          ''}
-
-          ${optionalString (def.postStart != "") ''
-            ExecStartPost=${makeJobScript "${name}-post-start" ''
-              #! ${pkgs.stdenv.shell} -e
-              ${def.postStart}
-            ''}
-          ''}
-
-          ${optionalString (def.postStop != "") ''
-            ExecStopPost=${makeJobScript "${name}-post-stop" ''
-              #! ${pkgs.stdenv.shell} -e
-              ${def.postStop}
-            ''}
-          ''}
-
           ${attrsToSection def.serviceConfig}
         '';
     };
@@ -348,14 +353,14 @@ let
 
       ${concatStrings (mapAttrsToList (name: unit:
           concatMapStrings (name2: ''
-            mkdir -p $out/${name2}.wants
-            ln -sfn ../${name} $out/${name2}.wants/
+            mkdir -p $out/'${name2}.wants'
+            ln -sfn '../${name}' $out/'${name2}.wants'/
           '') unit.wantedBy) cfg.units)}
 
       ${concatStrings (mapAttrsToList (name: unit:
           concatMapStrings (name2: ''
-            mkdir -p $out/${name2}.requires
-            ln -sfn ../${name} $out/${name2}.requires/
+            mkdir -p $out/'${name2}.requires'
+            ln -sfn '../${name}' $out/'${name2}.requires'/
           '') unit.requiredBy) cfg.units)}
 
       ln -s ${cfg.defaultUnit} $out/default.target

nixos/modules/tasks/kbd.nix

@@ -55,9 +55,9 @@ in
       { description = "Setup Virtual Console";
         wantedBy = [ "sysinit.target" "multi-user.target" ];
         before = [ "sysinit.target" "shutdown.target" ];
+        conflicts = [ "shutdown.target" ];
         unitConfig =
           { DefaultDependencies = "no";
-            Conflicts = "shutdown.target";
             ConditionPathExists = "/dev/tty1";
           };
         serviceConfig =

nixos/modules/virtualisation/amazon-image.nix

@@ -160,4 +160,9 @@ with pkgs.lib;
   environment.systemPackages = [ pkgs.cryptsetup ];
 
   boot.initrd.supportedFilesystems = [ "unionfs-fuse" ];
+
+  # Prevent logging in as root without a password.  This doesn't really matter,
+  # since the only PAM services that allow logging in with a null
+  # password are local ones that are inaccessible on EC2 machines.
+  security.initialRootPassword = "!";
 }

nixos/modules/virtualisation/virtualbox-image.nix

@@ -107,4 +107,9 @@ with pkgs.lib;
   boot.loader.grub.device = "/dev/sda";
 
   services.virtualbox.enable = true;
+
+  # Prevent logging in as root without a password.  For NixOps, we
+  # don't need this because the user can login via SSH, and for the
+  # demo images, there is a demo user account that can sudo to root.
+  security.initialRootPassword = "!";
 }

pkgs/applications/audio/gmpc/default.nix

@@ -1,5 +1,5 @@
 { stdenv, fetchurl, libtool, intltool, pkgconfig, glib
-, gtk, curl, mpd_clientlib, libsoup, gob2, vala
+, gtk, curl, mpd_clientlib, libsoup, gob2, vala, libunique
 }:
 
 stdenv.mkDerivation rec {
@@ -15,22 +15,6 @@ stdenv.mkDerivation rec {
     buildInputs = [ pkgconfig glib ];
   };
 
-  libunique = stdenv.mkDerivation {
-    name = "libunique-1.1.6";
-    src = fetchurl {
-      url = http://ftp.gnome.org/pub/GNOME/sources/libunique/1.1/libunique-1.1.6.tar.gz;
-      sha256 = "2cb918dde3554228a211925ba6165a661fd782394bd74dfe15e3853dc9c573ea";
-    };
-    buildInputs = [ pkgconfig glib gtk ];
-
-    patches = [
-      (fetchurl {
-        url = "https://projects.archlinux.org/svntogit/packages.git/plain/trunk/remove_G_CONST_RETURN.patch?h=packages/libunique";
-        sha256 = "0da2qi7cyyax4rr1p25drlhk360h8d3lapgypi5w95wj9k6bykhr";
-      })
-    ];
-  };
-
   src = fetchurl {
     url = "http://download.sarine.nl/Programs/gmpc/11.8/gmpc-11.8.16.tar.gz";
     sha256 = "0b3bnxf98i5lhjyljvgxgx9xmb6p46cn3a9cccrng14nagri9556";

pkgs/applications/graphics/ImageMagick/default.nix

@@ -1,6 +1,8 @@
 { stdenv
 , fetchurl
+, pkgconfig
 , bzip2
+, fontconfig
 , freetype
 , ghostscript ? null
 , libjpeg
@@ -16,14 +18,14 @@
 }:
 
 let
-  version = "6.8.6-9";
+  version = "6.8.8-7";
 in
 stdenv.mkDerivation rec {
   name = "ImageMagick-${version}";
 
   src = fetchurl {
     url = "mirror://imagemagick/${name}.tar.xz";
-    sha256 = "1bpj8676mph5cvyjsdgf27i6yg2iw9iskk5c69mvpxkyawgjw1vg";
+    sha256 = "1x5jkbrlc10rx7vm344j7xrs74c80xk3n1akqx8w5c194fj56mza";
   };
 
   enableParallelBuilding = true;
@@ -42,17 +44,18 @@ stdenv.mkDerivation rec {
   '';
 
   propagatedBuildInputs =
-    [ bzip2 freetype libjpeg libpng libtiff libxml2 zlib librsvg
+    [ bzip2 fontconfig freetype libjpeg libpng libtiff libxml2 zlib librsvg
       libtool jasper libX11
     ] ++ stdenv.lib.optional (ghostscript != null && stdenv.system != "x86_64-darwin") ghostscript;
 
-  buildInputs = [ tetex ];
+  buildInputs = [ tetex pkgconfig ];
 
   postInstall = ''(cd "$out/include" && ln -s ImageMagick* ImageMagick)'';
 
-  meta = {
+  meta = with stdenv.lib; {
     homepage = http://www.imagemagick.org/;
     description = "A software suite to create, edit, compose, or convert bitmap images";
-    platforms = stdenv.lib.platforms.linux;
+    platforms = platforms.linux ++ [ "x86_64-darwin" ];
+    maintainers = with maintainers; [ the-kenny ];
   };
 }

pkgs/applications/graphics/digikam/default.nix

@@ -4,11 +4,11 @@ liblqr1, lensfun, pkgconfig, qjson, libkdcraw, opencv, libkexiv2, libkipi, boost
 shared_desktop_ontologies, marble, mysql }:
 
 stdenv.mkDerivation rec {
-  name = "digikam-3.2.0";
+  name = "digikam-3.5.0";
 
   src = fetchurl {
     url = "http://download.kde.org/stable/digikam/${name}.tar.bz2";
-    sha256 = "06j858d2nvbqh0bw6m60rh1bsws06fm5vfjpwwi3zxsf5ka08wmx";
+    sha256 = "0an4awlg0b8pwl6v8p5zfl3aghgnxck2pc322cyk6i6yznj2mgap";
   };
 
   nativeBuildInputs = [ cmake automoc4 pkgconfig ];

pkgs/applications/graphics/graphicsmagick/default.nix

@@ -2,14 +2,14 @@
 , libjpeg, libpng, libtiff, libxml2, zlib, libtool, xz
 , libX11}:
 
-let version = "1.3.13"; in
+let version = "1.3.18"; in
 
 stdenv.mkDerivation {
   name = "graphicsmagick-${version}";
 
   src = fetchurl {
     url = "mirror://sourceforge/graphicsmagick/GraphicsMagick-${version}.tar.xz";
-    sha256 = "08lgjvhvhw3by5h4kfpl7072dbvkcpsajy5f6izq69cv61vadqs5";
+    sha256 = "1axh4j2jr3l92dan15b2nmx9da4l7i0rcz9b5bvfd4q742zfwj7x";
   };
 
   configureFlags = "--enable-shared";

pkgs/applications/misc/adobe-reader/default.nix

@@ -3,7 +3,7 @@
 
 assert stdenv.system == "i686-linux";
 
-let version = "9.5.1"; in
+let version = "9.5.5"; in
 
 stdenv.mkDerivation {
   name = "adobe-reader-${version}-1";
@@ -12,7 +12,7 @@ stdenv.mkDerivation {
 
   src = fetchurl {
     url = "http://ardownload.adobe.com/pub/adobe/reader/unix/9.x/${version}/enu/AdbeRdr${version}-1_i486linux_enu.tar.bz2";
-    sha256 = "19mwhbfsivb21zmrz2hllf0kh4i225ac697y026bakyysn0vig56";
+    sha256 = "0h35misxrqkl5zlmmvray1bqf4ywczkm89n9qw7d9arqbg3aj3pf";
   };
 
   # !!! Adobe Reader contains copies of OpenSSL, libcurl, and libicu.

pkgs/applications/misc/mupdf/default.nix

@@ -8,6 +8,13 @@ stdenv.mkDerivation rec {
     sha256 = "0y247nka5gkr1ajn47jrlp5rcnf6h4ff7dfsprma3h4wxqdv7a5b";
   };
 
+  patches = [(fetchurl {
+    name = "CVE-2014-2013.patch";
+    url = "http://git.ghostscript.com/?p=mupdf.git;a=commitdiff_plain;"
+      + "h=60dabde18d7fe12b19da8b509bdfee9cc886aafc";
+    sha256 = "1walj3wir9x50i6lph33bx14c8593r9xrn08gkd3v7r6d15lmjps";
+  })];
+
   buildInputs = [ pkgconfig zlib freetype libjpeg jbig2dec openjpeg libX11 libXext ];
 
   preBuild = ''

pkgs/applications/misc/xmobar/default.nix

@@ -1,5 +1,5 @@
 { cabal, filepath, libXrandr, mtl, parsec, regexCompat, stm, time
-, utf8String, X11, X11Xft
+, utf8String, wirelesstools, X11, X11Xft
 }:
 
 cabal.mkDerivation (self: {
@@ -11,8 +11,8 @@ cabal.mkDerivation (self: {
   buildDepends = [
     filepath mtl parsec regexCompat stm time utf8String X11 X11Xft
   ];
-  extraLibraries = [ libXrandr ];
-  configureFlags = "-fwith_xft";
+  extraLibraries = [ libXrandr wirelesstools ];
+  configureFlags = "-fwith_xft -fwith_iwlib";
   meta = {
     homepage = "http://projects.haskell.org/xmobar/";
     description = "A Minimalistic Text Based Status Bar";

pkgs/applications/networking/browsers/firefox/default.nix

@@ -15,12 +15,11 @@
 
 assert stdenv.gcc ? libc && stdenv.gcc.libc != null;
 
-let optional = stdenv.lib.optional;
-in rec {
+rec {
 
-  firefoxVersion = "25.0";
+  firefoxVersion = "25.0.1";
 
-  xulVersion = "25.0"; # this attribute is used by other packages
+  xulVersion = "25.0.1"; # this attribute is used by other packages
 
 
   src = fetchurl {
@@ -30,7 +29,7 @@ in rec {
         # Fall back to this url for versions not available at releases.mozilla.org.
         "http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/${firefoxVersion}/source/firefox-${firefoxVersion}.source.tar.bz2"
     ];
-    sha1 = "854722e283659d2b6b2eacd38f757b3c5b63a448";
+    sha1 = "592ebd242c4839ef0e18707a7e959d8bed2a98f3";
   };
 
   commonConfigureFlags =

pkgs/applications/networking/browsers/mozilla-plugins/flashplayer-11/default.nix

@@ -35,6 +35,8 @@
 }:
 
 let
+  # -> http://get.adobe.com/flashplayer/
+  version = "11.2.202.336";
 
   src =
     if stdenv.system == "x86_64-linux" then
@@ -43,10 +45,9 @@ let
         # http://labs.adobe.com/technologies/flashplayer10/faq.html
         throw "no x86_64 debugging version available"
       else rec {
-        # -> http://labs.adobe.com/downloads/flashplayer10.html
-        version = "11.2.202.297";
+        inherit version;
         url = "http://fpdownload.macromedia.com/get/flashplayer/pdc/${version}/install_flash_player_11_linux.x86_64.tar.gz";
-        sha256 = "0jfigq56p6zp61pmc4jl12p8gv2jhfmim18j1b30iikw3iv26lh8";
+        sha256 = "1wri6y5vllgs452dfklv23k7bp5daajnaqblkn5cb2gl28l5xcni";
       }
     else if stdenv.system == "i686-linux" then
       if debug then {
@@ -55,9 +56,9 @@ let
         url = http://fpdownload.macromedia.com/pub/flashplayer/updaters/11/flashplayer_11_plugin_debug.i386.tar.gz;
         sha256 = "1z3649lv9sh7jnwl8d90a293nkaswagj2ynhsr4xmwiy7c0jz2lk";
       } else rec {
-        version = "11.2.202.297";
+        inherit version;
         url = "http://fpdownload.macromedia.com/get/flashplayer/pdc/${version}/install_flash_player_11_linux.i386.tar.gz";
-        sha256 = "0mpj25b2ar7gccqmw5lffdzlr3yyfalphpgwnl18s05wy1fx484y";
+        sha256 = "0mjxjbj75r74gqpmqzqa6vlrk2wv7r358wcqbmg132bhv8kaph85";
       }
     else throw "Flash Player is not supported on this platform";
 
@@ -87,5 +88,6 @@ stdenv.mkDerivation {
   meta = {
     description = "Adobe Flash Player browser plugin";
     homepage = http://www.adobe.com/products/flashplayer/;
+    license = "unfree";
   };
 }

pkgs/applications/networking/browsers/mozilla-plugins/fribid/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, openssl, glib, libX11, gtk3, gettext, intltool }:
+{ stdenv, fetchurl, pkgconfig, openssl, glib, libX11, gtk2, gettext, intltool }:
 
 let version = "1.0.2"; in
 stdenv.mkDerivation rec {
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
     sha256 = "d7cd9adf04fedf50b266a5c14ddb427cbb263d3bc160ee0ade03aca9d5356e5c";
   };
 
-  buildInputs = [ pkgconfig openssl libX11 gtk3 glib gettext intltool ];
+  buildInputs = [ pkgconfig openssl libX11 gtk2 glib gettext intltool ];
   patches = [
     ./translation-xgettext-to-intltool.patch
     ./plugin-linkfix.patch

pkgs/applications/networking/browsers/mozilla-plugins/google-talk-plugin/default.nix

@@ -45,20 +45,22 @@ in
 
 stdenv.mkDerivation rec {
   name = "google-talk-plugin-${version}";
-  # Use the following to determine the current upstream version:
-  # curl -s http://dl.google.com/linux/talkplugin/deb/dists/stable/main/binary-amd64/Packages | sed -nr 's/^Version: *([^ ]+)-1$/\1/p'
-  version = "4.2.1.0";
+
+  # You can get the upstream version and SHA-1 hash from the following URLs:
+  # http://dl.google.com/linux/talkplugin/deb/dists/stable/main/binary-amd64/Package
+  # http://dl.google.com/linux/talkplugin/deb/dists/stable/main/binary-i386/Packages
+  version = "5.1.5.0";
 
   src =
     if stdenv.system == "x86_64-linux" then
       fetchurl {
         url = "${baseURL}/google-talkplugin_${version}-1_amd64.deb";
-        sha256 = "1g7kpz2lzzz1gri5rd3isp7cfyls6gzwcw2kc8jgrgrixq9iixfd";
+        sha1 = "fc830f4c7f5816f4578ec73e6d4aef059ad4a0b1";
       }
     else if stdenv.system == "i686-linux" then
       fetchurl {
         url = "${baseURL}/google-talkplugin_${version}-1_i386.deb";
-        sha256 = "1z0zbblzlky9nyifxmnl49v4zafpqp3l08b9v1486sinm35rf58r";
+        sha1 = "9b7043c3585b3479ba11aabb7b8af755a61df963";
       }
     else throw "Google Talk does not support your platform.";
 

pkgs/applications/networking/cluster/hadoop/default.nix

@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
 
-  name = "hadoop-2.0.2-alpha";
+  name = "hadoop-2.2.0";
 
   src = fetchurl {
     url = "mirror://apache/hadoop/common/${name}/${name}.tar.gz";
-    sha256 = "1r7ailmqhny3pl5nb8bcblnhckszy6hb9n58kwa3s4b8qfk87gkb";
+    sha256 = "0r0kx8arsrvmcfy0693hpv4cz3i0razvk1xa3yhlf3ybb80a8106";
   };
 
   buildInputs = [ makeWrapper ];

pkgs/applications/networking/esniper/default.nix

@@ -1,16 +1,17 @@
 { stdenv, fetchurl, openssl, curl, coreutils, gawk, bash, which }:
 
 stdenv.mkDerivation {
-  name = "esniper-2.28.0";
+  name = "esniper-2.30.0";
 
   src = fetchurl {
-    url = "mirror://sourceforge/esniper/esniper-2-28-0.tgz";
-    sha256 = "c2b0ccb757616b32f2d6cf54a4a5e367405fa7bcd6e6ed11835fe4f8a06a016b";
+    url    = "mirror://sourceforge/esniper/esniper-2-30-0.tgz";
+    sha256 = "1p85d5qfr3f35xfj5555ck4wwk5hqkh65ivam1527p8dwcz00wpl";
   };
 
   buildInputs = [openssl curl];
 
   # Add support for CURL_CA_BUNDLE variable.
+  # Fix <http://sourceforge.net/p/esniper/bugs/648/>.
   patches = [ ./find-ca-bundle.patch ];
 
   postInstall = ''

pkgs/applications/networking/instant-messengers/pidgin/default.nix

@@ -21,10 +21,10 @@
 } :
 
 stdenv.mkDerivation rec {
-  name = "pidgin-2.10.7";
+  name = "pidgin-2.10.9";
   src = fetchurl {
     url = "mirror://sourceforge/pidgin/${name}.tar.bz2";
-    sha256 = "14piyx4xpc3l8286x4nh5pna2wfyn9cv0qa29br1q3d2xja2k8zb";
+    sha256 = "06gka47myl9f5x0flkq74ml75akkf28rx9sl8pm3wqkzazc2wdnw";
   };
 
   inherit nss ncurses;
@@ -51,8 +51,10 @@ stdenv.mkDerivation rec {
   configureFlags="--with-nspr-includes=${nspr}/include/nspr --with-nspr-libs=${nspr}/lib --with-nss-includes=${nss}/include/nss --with-nss-libs=${nss}/lib --with-ncurses-headers=${ncurses}/include --disable-meanwhile --disable-nm --disable-tcl"
   + (lib.optionalString (gnutls != null) " --enable-gnutls=yes --enable-nss=no")
   ;
-  meta = {
+  meta = with stdenv.lib; {
     description = "Pidgin IM - XMPP(Jabber), AIM/ICQ, IRC, SIP etc client";
     homepage = http://pidgin.im;
+    license = licenses.gpl2Plus;
+    platforms = platforms.linux;
   };
 }

pkgs/applications/networking/irc/ii/default.nix

@@ -1,11 +1,11 @@
 {stdenv, fetchurl}:
 
 stdenv.mkDerivation rec {
-  name = "ii-1.6";
+  name = "ii-1.7";
   
   src = fetchurl {
     url = "http://dl.suckless.org/tools/${name}.tar.gz";
-    sha256 = "0afccbcm7i9lfch5mwzs3l1ax79dg3g6rrw0z8rb7d2kn8wsckvr";
+    sha256 = "176cqwnn6h7w4kbfd66hzqa243l26pqp2b06bii0nmnm0rkaqwis";
   };
 
   installPhase = ''

pkgs/applications/networking/irc/quassel/default.nix

@@ -11,11 +11,11 @@ let
 
 in with stdenv; mkDerivation rec {
 
-  name = "quassel-0.9.0";
+  name = "quassel-0.9.2";
 
   src = fetchurl {
     url = "http://quassel-irc.org/pub/${name}.tar.bz2";
-    sha256 = "09v0igjkzan3hllk47w39hkav6v1419vpxn2lfd8473kwdmf0grf";
+    sha256 = "1h2kzi4pgfv3qmvhxix9fffdjixs3bsya0i5c18dkh894mh02kgh";
   };
 
   buildInputs = [ cmake qt4 ]

pkgs/applications/networking/mailreaders/thunderbird/default.nix

@@ -12,14 +12,14 @@
   enableOfficialBranding ? false
 }:
 
-let version = "17.0.8"; in
+let version = "17.0.11esr"; in
 
 stdenv.mkDerivation {
   name = "thunderbird-${version}";
 
   src = fetchurl {
     url = "ftp://ftp.mozilla.org/pub/thunderbird/releases/${version}/source/thunderbird-${version}.source.tar.bz2";
-    sha1 = "4bcbb33f0b3ea050e805723680b5669d80438812";
+    sha256 = "1m2lph8x82kgxqzlyaxr1l1x7s4qnqfzfnqck4b777914mrv1mdp";
   };
 
   #enableParallelBuilding = true;

pkgs/applications/networking/sniffers/wireshark/default.nix

@@ -4,14 +4,14 @@
 , makeDesktopItem
 }:
 
-let version = "1.8.7"; in
+let version = "1.8.11"; in
 
 stdenv.mkDerivation {
   name = "wireshark-${version}";
 
   src = fetchurl {
     url = "mirror://sourceforge/wireshark/wireshark-${version}.tar.bz2";
-    sha256 = "0hm8zisy5dg7sfhh7rvgnpffq2qcw0syd8k5kns8j0j13sf44zjw";
+    sha256 = "1nwgizs9z1dalicpp2fd9pqafidy49j0v3d1rml0spfqrkbjpfpw";
   };
 
   buildInputs =

pkgs/applications/office/gnucash/default.nix

@@ -1,7 +1,7 @@
 { fetchurl, stdenv, pkgconfig, libxml2, gconf, glib, gtk, libgnomeui, libofx
 , libgtkhtml, gtkhtml, libgnomeprint, goffice, enchant, gettext, libbonoboui
 , intltool, perl, guile, slibGuile, swig, isocodes, bzip2, makeWrapper, libglade
-, libgsf, libart_lgpl
+, libgsf, libart_lgpl, perlPackages
 }:
 
 /* If you experience GConf errors when running GnuCash on NixOS, see
@@ -10,34 +10,42 @@
  */
 
 stdenv.mkDerivation rec {
-  name = "gnucash-2.4.13";
+  name = "gnucash-2.4.15";
 
   src = fetchurl {
     url = "mirror://sourceforge/gnucash/${name}.tar.bz2";
-    sha256 = "0j4m00a3r1hcrhkfjkx3sgi2r4id4wrc639i4s00j35rx80540pn";
+    sha256 = "058mgfwic6a2g7jq6iip5hv45md1qaxy25dj4lvlzjjr141wm4gx";
   };
 
   buildInputs = [
     pkgconfig libxml2 gconf glib gtk libgnomeui libgtkhtml gtkhtml
     libgnomeprint goffice enchant gettext intltool perl guile slibGuile
     swig isocodes bzip2 makeWrapper libofx libglade libgsf libart_lgpl
+    perlPackages.DateManip perlPackages.FinanceQuote
   ];
 
   configureFlags = "CFLAGS=-O3 CXXFLAGS=-O3 --disable-dbi --enable-ofx";
 
   postInstall = ''
-    sed -i $out/bin/update-gnucash-gconf                                \
+    # Auto-updaters don't make sense in Nix.
+    rm $out/bin/gnc-fq-update
+
+    sed -i $out/bin/update-gnucash-gconf \
        -e 's|--config-source=[^ ]* --install-schema-file|--makefile-install-rule|'
-    for prog in "$out/bin/"*
+
+    for prog in $(echo "$out/bin/"*)
     do
+      # Don't wrap the gnc-fq-* scripts, since gnucash calls them as
+      # "perl <script>', i.e. they must be Perl scripts.
+      if [[ $prog =~ gnc-fq ]]; then continue; fi
       wrapProgram "$prog"                                               \
         --set SCHEME_LIBRARY_PATH "$SCHEME_LIBRARY_PATH"                \
         --prefix GUILE_LOAD_PATH ":" "$GUILE_LOAD_PATH"                 \
         --prefix LD_LIBRARY_PATH ":" "${libgnomeui}/lib/libglade/2.0"   \
         --prefix LD_LIBRARY_PATH ":" "${libbonoboui}/lib/libglade/2.0"  \
+        --prefix PERL5LIB ":" "$PERL5LIB"                               \
         --set GCONF_CONFIG_SOURCE 'xml::~/.gconf'                       \
-        --prefix PATH ":" "${gconf}/bin"                                \
-        --suffix PATH ":" "$out/bin"
+        --prefix PATH ":" "$out/bin:${perl}/bin:${gconf}/bin"
     done
   '';
 

pkgs/applications/office/gnumeric/default.nix

@@ -4,11 +4,11 @@
 }:
 
 stdenv.mkDerivation rec {
-  name = "gnumeric-1.12.0";
+  name = "gnumeric-1.12.9";
 
   src = fetchurl {
     url = "mirror://gnome/sources/gnumeric/1.12/${name}.tar.xz";
-    sha256 = "037b53d909e5d1454b2afda8c4fb1e7838e260343e36d4e36245f4a5d0e04111";
+    sha256 = "1rv2ifw6rp0iza4fkf3bffvdkyi77dwvzdnvcbpqcyn2kxfsvlsc";
   };
 
   configureFlags = "--disable-component";

pkgs/applications/office/hledger-irr/default.nix

@@ -2,8 +2,8 @@
 
 cabal.mkDerivation (self: {
   pname = "hledger-irr";
-  version = "0.1.1.2";
-  sha256 = "1mh1lzhnxc8ps8n5j37wrmbqafwdyap60j8rqr6xdfa2syfyq8i2";
+  version = "0.1.1.3";
+  sha256 = "0vjf478b9msmgr1nxyy8pgc9mvn61i768ypcr5gbinsnsr9kxqsm";
   isLibrary = false;
   isExecutable = true;
   buildDepends = [ Cabal hledgerLib statistics time ];

pkgs/applications/science/electronics/kicad/default.nix

@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
     sed -i -e 's,/usr/local/kicad,'$out,g common/gestfich.cpp
   '';
 
-  enableParallelBuilding = true;
+  #enableParallelBuilding = true; # often fails on Hydra: fatal error: pcb_plot_params_lexer.h: No such file or directory
 
   buildInputs = [ unzip cmake mesa wxGTK zlib libX11 gettext ];
 

pkgs/applications/version-management/darcs/default.nix

@@ -21,10 +21,13 @@ cabal.mkDerivation (self: {
     mv contrib/darcs_completion $out/etc/bash_completion.d/darcs
   '';
   meta = {
-    homepage = "http://darcs.net/";
-    description = "a distributed, interactive, smart revision control system";
+    homepage = http://darcs.net/;
+    description = "A distributed, interactive, smart revision control system";
     license = "GPL";
-    platforms = self.ghc.meta.platforms;
+    # FIXME: this gives an infinite recursion in the "darcs" attribute
+    # in all-packages.nix.
+    #platforms = self.ghc.meta.platforms;
+    platforms = [ "x86_64-linux" "i686-linux" "x86_64-darwin" ];
     maintainers = [ self.stdenv.lib.maintainers.andres ];
   };
 })

pkgs/applications/version-management/git-and-tools/git-annex/default.nix

@@ -2,32 +2,33 @@
 , caseInsensitive, clientsession, cryptoApi, cryptohash, curl
 , dataDefault, dataenc, DAV, dbus, dlist, dns, editDistance
 , extensibleExceptions, feed, filepath, git, gnupg1, gnutls, hamlet
-, hinotify, hS3, hslogger, HTTP, httpConduit, httpTypes, HUnit
-, IfElse, json, lsof, MissingH, MonadCatchIOTransformers
-, monadControl, mtl, network, networkInfo, networkMulticast
+, hinotify, hS3, hslogger, HTTP, httpConduit, httpTypes, IfElse
+, json, lsof, MissingH, MonadCatchIOTransformers, monadControl, mtl
+, network, networkConduit, networkInfo, networkMulticast
 , networkProtocolXmpp, openssh, perl, QuickCheck, random, regexTdfa
-, rsync, SafeSemaphore, SHA, stm, text, time, transformers
-, unixCompat, utf8String, uuid, wai, waiLogger, warp, which
-, xmlConduit, xmlTypes, yesod, yesodCore, yesodDefault, yesodForm
-, yesodStatic
+, rsync, SafeSemaphore, SHA, stm, tasty, tastyHunit
+, tastyQuickcheck, text, time, transformers, unixCompat, utf8String
+, uuid, wai, waiLogger, warp, which, xmlConduit, xmlTypes, yesod
+, yesodCore, yesodDefault, yesodForm, yesodStatic
 }:
 
 cabal.mkDerivation (self: {
   pname = "git-annex";
-  version = "4.20131024";
-  sha256 = "1a4mrx8zr5znhcy2cszv5ri9avqj7lcn467nmaj172f00vn4fd5x";
+  version = "5.20131221";
+  sha256 = "1gkb8fc0fjjn0rigajgliqy381pmkpx4ha1rx65dcw15rqnrawb3";
   isLibrary = false;
   isExecutable = true;
   buildDepends = [
     aeson async blazeBuilder bloomfilter caseInsensitive clientsession
     cryptoApi cryptohash dataDefault dataenc DAV dbus dlist dns
     editDistance extensibleExceptions feed filepath gnutls hamlet
-    hinotify hS3 hslogger HTTP httpConduit httpTypes HUnit IfElse json
+    hinotify hS3 hslogger HTTP httpConduit httpTypes IfElse json
     MissingH MonadCatchIOTransformers monadControl mtl network
-    networkInfo networkMulticast networkProtocolXmpp QuickCheck random
-    regexTdfa SafeSemaphore SHA stm text time transformers unixCompat
-    utf8String uuid wai waiLogger warp xmlConduit xmlTypes yesod
-    yesodCore yesodDefault yesodForm yesodStatic
+    networkConduit networkInfo networkMulticast networkProtocolXmpp
+    QuickCheck random regexTdfa SafeSemaphore SHA stm tasty tastyHunit
+    tastyQuickcheck text time transformers unixCompat utf8String uuid
+    wai waiLogger warp xmlConduit xmlTypes yesod yesodCore yesodDefault
+    yesodForm yesodStatic
   ];
   buildTools = [ bup curl git gnupg1 lsof openssh perl rsync which ];
   configureFlags = "-fS3
@@ -41,11 +42,13 @@ cabal.mkDerivation (self: {
                     -fDNS
                     -fProduction
                     -fTDFA";
-  preConfigure = "patchShebangs .";
-  installPhase = "./Setup install";
-  checkPhase = ''
+  doCheck = false;
+  installPhase = ''
     export HOME="$NIX_BUILD_TOP/tmp"
     mkdir "$HOME"
+    ./Setup install
+  '';
+  checkPhase = ''
     cp dist/build/git-annex/git-annex git-annex
     ./git-annex test
   '';

pkgs/applications/version-management/git-and-tools/git/default.nix

@@ -10,7 +10,7 @@
 
 let
 
-  version = "1.8.4";
+  version = "1.8.4.3";
 
   svn = subversionClient.override { perlBindings = true; };
 
@@ -21,7 +21,7 @@ stdenv.mkDerivation {
 
   src = fetchurl {
     url = "http://git-core.googlecode.com/files/git-${version}.tar.gz";
-    sha256 = "156bwqqgaw65rsvbb4wih5jfg94bxyf6p16mdwf0ky3f4ln55s2i";
+    sha256 = "08fbdxh2cjd4hffm0nydwysh5zh6nrssbi9x01yy0n2y8rqzly0a";
   };
 
   patches = [ ./docbook2texi.patch ./symlinks-in-bin.patch ];

pkgs/applications/version-management/git-and-tools/github-backup/default.nix

@@ -4,8 +4,8 @@
 
 cabal.mkDerivation (self: {
   pname = "github-backup";
-  version = "1.20131006";
-  sha256 = "0yc2hszi509mc0d6245dc8cq20mjjmr8mgrd8571dy9sgda532pf";
+  version = "1.20131203";
+  sha256 = "0156g7zbqsp58g8hniqsilyc79sam7plwhn3w56wbzf8m380mwba";
   isLibrary = false;
   isExecutable = true;
   buildDepends = [

pkgs/applications/version-management/subversion/default.nix

@@ -21,13 +21,13 @@ assert compressionSupport -> neon.compressionSupport;
 
 stdenv.mkDerivation rec {
 
-  version = "1.7.13";
+  version = "1.7.14";
 
   name = "subversion-${version}";
 
   src = fetchurl {
     url = "mirror://apache/subversion//${name}.tar.bz2";
-    sha1 = "844bb756ec505edaa12b9610832bcd21567139f1";
+    sha256 = "038jbcpwm083abp0rvk0fhnx65kp9mz1qvzs3f83ig8fxcvqzb64";
   };
 
   buildInputs = [ zlib apr aprutil sqlite ]

pkgs/applications/video/gnash/default.nix

@@ -10,7 +10,13 @@
 
 assert stdenv ? glibc;
 
-let version = "0.8.10"; in
+let version = "0.8.10";
+    patch_CVE = fetchurl {
+      url = "http://git.savannah.gnu.org/cgit/gnash.git/patch/?id=bb4dc77eecb6ed1b967e3ecbce3dac6c5e6f1527";
+      sha256 = "1g7ymbq9vxi0mwcgs2dpyd2sf30gaam7blza0ywiwj32f5wk62v1";
+      name = "CVE-2012-1175.patch";
+    };
+in
 
 stdenv.mkDerivation rec {
   name = "gnash-${version}";
@@ -21,6 +27,8 @@ stdenv.mkDerivation rec {
   };
 
   patchPhase = ''
+    patch -p1 < ${patch_CVE}
+
     # Add all libs to `macros/libslist', a list of library search paths.
     for lib in ${lib.concatStringsSep " "
                                       (map (lib: "\"${lib}\"/lib")

pkgs/applications/video/vlc/default.nix

@@ -10,11 +10,11 @@
 
 stdenv.mkDerivation rec {
   name = "vlc-${version}";
-  version = "2.1.0";
+  version = "2.1.1";
 
   src = fetchurl {
     url = "http://download.videolan.org/pub/videolan/vlc/${version}/${name}.tar.xz";
-    sha256 = "1xs1zsjip6ljqyy5jlqf14ncda4pjx166bqvjqgcyskq66m7s5yj";
+    sha256 = "14mrcswz5mz976dmplbrdm3mkwjrksspvkignhbnbvrrp77r571k";
   };
 
   buildInputs =

pkgs/applications/window-managers/weston/default.nix

@@ -2,30 +2,32 @@
 , cairo, libxcb, libXcursor, x11, udev, libdrm, mtdev
 , libjpeg, pam, autoconf, automake, libtool }:
 
-let version = "1.0.5"; in
+let version = "1.3.1"; in
 
 stdenv.mkDerivation rec {
   name = "weston-${version}";
 
   src = fetchurl {
     url = "http://wayland.freedesktop.org/releases/${name}.tar.xz";
-    sha256 = "0g2k82pnlxl8b70ykazj7kn8xffjfsmgcgx427qdrm4083z2hgm0";
+    sha256 = "1isvh66irrz707r69495767n5yxp07dvy0xx6mj1mbj1n4s1657p";
   };
 
   buildInputs = [ pkgconfig wayland mesa libxkbcommon
     cairo libxcb libXcursor x11 udev libdrm mtdev
-    libjpeg pam autoconf automake libtool ];
+    libjpeg pam /*autoconf automake libtool*/ ];
 
-  preConfigure = "autoreconf -vfi";
+  #preConfigure = "autoreconf -vfi";
 
-  # prevent install target to chown root weston-launch, which fails
-  configureFlags = ''
-    --disable-setuid-install
-  '';
+  NIX_CFLAGS_COMPILE = "-I${libdrm}/include/libdrm";
+
+  configureFlags = [
+    "--disable-setuid-install" # prevent install target to chown root weston-launch, which fails
+  ];
 
   meta = {
     description = "Reference implementation of a Wayland compositor";
     homepage = http://wayland.freedesktop.org/;
     license = stdenv.lib.licenses.mit;
+    platforms = stdenv.lib.platforms.linux;
   };
 }

pkgs/applications/window-managers/xmonad/default.nix

@@ -13,6 +13,12 @@ cabal.mkDerivation (self: {
     mkdir -p $out/share/man/man1
     mv $out/share/xmonad-*/man/*.1 $out/share/man/man1/
   '';
+
+  patches = [
+    # Patch to make xmonad use XMONAD_{GHC,XMESSAGE} (if available).
+    ./xmonad_ghc_var_0.11.patch
+  ];
+
   meta = {
     homepage = "http://xmonad.org";
     description = "A tiling window manager";

pkgs/applications/window-managers/xmonad/xmonad_ghc_var_0.11.patch

@@ -0,0 +1,44 @@
+--- xmonad-0.11/XMonad/Core.hs	2013-01-01 01:31:47.000000000 +0000
++++ new-xmonad/XMonad/Core.hs	2013-12-23 17:36:40.862146910 +0000
+@@ -47,6 +47,7 @@
+ import System.Process
+ import System.Directory
+ import System.Exit
++import System.Environment (lookupEnv)
+ import Graphics.X11.Xlib
+ import Graphics.X11.Xlib.Extras (Event)
+ import Data.Typeable
+@@ -452,6 +453,7 @@
+         err  = base ++ ".errors"
+         src  = base ++ ".hs"
+         lib  = dir </> "lib"
++    ghc <- fromMaybe "ghc" <$> liftIO (lookupEnv "XMONAD_GHC")
+     libTs <- mapM getModTime . Prelude.filter isSource =<< allFiles lib
+     srcT <- getModTime src
+     binT <- getModTime bin
+@@ -460,7 +462,7 @@
+         -- temporarily disable SIGCHLD ignoring:
+         uninstallSignalHandlers
+         status <- bracket (openFile err WriteMode) hClose $ \h ->
+-            waitForProcess =<< runProcess "ghc" ["--make", "xmonad.hs", "-i", "-ilib", "-fforce-recomp", "-v0", "-o",binn] (Just dir)
++            waitForProcess =<< runProcess ghc ["--make", "xmonad.hs", "-i", "-ilib", "-fforce-recomp", "-v0", "-o",binn] (Just dir)
+                                     Nothing Nothing Nothing (Just h)
+ 
+         -- re-enable SIGCHLD:
+@@ -469,6 +471,7 @@
+         -- now, if it fails, run xmessage to let the user know:
+         when (status /= ExitSuccess) $ do
+             ghcErr <- readFile err
++            xmessage <- fromMaybe "xmessage" <$> liftIO (lookupEnv "XMONAD_XMESSAGE")
+             let msg = unlines $
+                     ["Error detected while loading xmonad configuration file: " ++ src]
+                     ++ lines (if null ghcErr then show status else ghcErr)
+@@ -476,7 +479,7 @@
+             -- nb, the ordering of printing, then forking, is crucial due to
+             -- lazy evaluation
+             hPutStrLn stderr msg
+-            forkProcess $ executeFile "xmessage" True ["-default", "okay", msg] Nothing
++            forkProcess $ executeFile xmessage True ["-default", "okay", msg] Nothing
+             return ()
+         return (status == ExitSuccess)
+       else return True

pkgs/build-support/cabal/default.nix

@@ -1,9 +1,11 @@
 # generic builder for Cabal packages
 
 { stdenv, fetchurl, lib, pkgconfig, ghc, Cabal, jailbreakCabal, glibcLocales
+, gnugrep, coreutils
 , enableLibraryProfiling ? false
 , enableSharedLibraries ? false
 , enableSharedExecutables ? false
+, enableStaticLibraries ? true
 , enableCheckPhase ? stdenv.lib.versionOlder "7.4" ghc.version
 }:
 
@@ -25,6 +27,9 @@ assert enableSharedExecutables -> versionOlder "7.4" ghc.version;
 # Our GHC 6.10.x builds do not provide sharable versions of their core libraries.
 assert enableSharedLibraries -> versionOlder "6.12" ghc.version;
 
+# Our GHC 6.10.x builds do not provide sharable versions of their core libraries.
+assert !enableStaticLibraries -> versionOlder "7.7" ghc.version;
+
 {
   mkDerivation =
     args : # arguments for the individual package, can modify the defaults
@@ -42,6 +47,7 @@ assert enableSharedLibraries -> versionOlder "6.12" ghc.version;
           x : (removeAttrs x internalAttrs) // {
                 buildInputs           = filter (y : ! (y == null)) x.buildInputs;
                 propagatedBuildInputs = filter (y : ! (y == null)) x.propagatedBuildInputs;
+                propagatedUserEnvPkgs = filter (y : ! (y == null)) x.propagatedUserEnvPkgs;
                 doCheck               = enableCheckPhase && x.doCheck;
               };
 
@@ -92,12 +98,19 @@ assert enableSharedLibraries -> versionOlder "6.12" ghc.version;
             # have to check for its existence
             propagatedBuildInputs = if self.isLibrary then self.buildDepends ++ self.extraLibraries ++ self.pkgconfigDepends else [];
 
+            # By default, also propagate all dependencies to the user environment. This is required, otherwise packages would be broken, because
+            # GHC also needs all dependencies to be available.
+            propagatedUserEnvPkgs = if self.isLibrary then self.buildDepends else [];
+
             # library directories that have to be added to the Cabal files
             extraLibDirs = [];
 
             # build-depends Cabal field
             buildDepends = [];
 
+            # target(s) passed to the cabal build phase as an argument
+            buildTarget = "";
+
             # build-depends Cabal fields stated in test-suite stanzas
             testDepends = [];
 
@@ -128,6 +141,14 @@ assert enableSharedLibraries -> versionOlder "6.12" ghc.version;
             # and run any regression test suites the package might have
             doCheck = enableCheckPhase;
 
+            # abort the build if the configure phase detects that the package
+            # depends on multiple versions of the same build input
+            strictConfigurePhase = true;
+
+            # pass the '--enable-library-vanilla' flag to cabal in the
+            # configure stage to enable building shared libraries
+            inherit enableStaticLibraries;
+
             # pass the '--enable-shared' flag to cabal in the configure
             # stage to enable building shared libraries
             inherit enableSharedLibraries;
@@ -140,6 +161,7 @@ assert enableSharedLibraries -> versionOlder "6.12" ghc.version;
               (enableFeature self.enableSplitObjs "split-objs")
               (enableFeature enableLibraryProfiling "library-profiling")
               (enableFeature self.enableSharedLibraries "shared")
+              (optional (versionOlder "7" ghc.version) (enableFeature self.enableStaticLibraries "library-vanilla"))
               (optional (versionOlder "7.4" ghc.version) (enableFeature self.enableSharedExecutables "executable-dynamic"))
               (optional (versionOlder "7" ghc.version) (enableFeature self.doCheck "tests"))
             ];
@@ -173,8 +195,20 @@ assert enableSharedLibraries -> versionOlder "6.12" ghc.version;
                 done
               done
 
+              ${optionalString self.enableSharedExecutables ''
+                configureFlags+=" --ghc-option=-optl=-Wl,-rpath=$out/lib/${ghc.ghc.name}/${self.pname}-${self.version}";
+              ''}
+
               echo "configure flags: $extraConfigureFlags $configureFlags"
-              ./Setup configure --verbose --prefix="$out" --libdir='$prefix/lib/$compiler' --libsubdir='$pkgid' $extraConfigureFlags $configureFlags
+              ./Setup configure --verbose --prefix="$out" --libdir='$prefix/lib/$compiler' \
+                --libsubdir='$pkgid' $extraConfigureFlags $configureFlags 2>&1 \
+              ${optionalString self.strictConfigurePhase ''
+                | ${coreutils}/bin/tee "$NIX_BUILD_TOP/cabal-configure.log"
+                if ${gnugrep}/bin/egrep -q '^Warning:.*depends on multiple versions' "$NIX_BUILD_TOP/cabal-configure.log"; then
+                  echo >&2 "*** abort because of serious configure-time warning from Cabal"
+                  exit 1
+                fi
+              ''}
 
               eval "$postConfigure"
             '';
@@ -183,7 +217,7 @@ assert enableSharedLibraries -> versionOlder "6.12" ghc.version;
             buildPhase = ''
               eval "$preBuild"
 
-              ./Setup build
+              ./Setup build ${self.buildTarget}
 
               export GHC_PACKAGE_PATH=$(${ghc.GHCPackages})
               test -n "$noHaddock" || ./Setup haddock

pkgs/build-support/fetchbower/default.nix

@@ -0,0 +1,9 @@
+{ stdenv, fetch-bower, git }: name: version: target: outputHash: stdenv.mkDerivation {
+  name = "${name}-${version}";
+  realBuilder = "${fetch-bower}/bin/fetch-bower";
+  args = [ name version target ];
+  outputHashMode = "recursive";
+  outputHashAlgo = "sha256";
+  inherit outputHash;
+  PATH = "${git}/bin";
+}

pkgs/build-support/fetchurl/default.nix

@@ -66,6 +66,7 @@ in
   showURLs ? false
 }:
 
+assert builtins.isList urls;
 assert urls != [] -> url == "";
 assert url != "" -> urls == [];
 

pkgs/build-support/release/maven-build.nix

@@ -78,7 +78,7 @@ stdenv.mkDerivation ( rec {
 
     zip=$(ls target/*.zip| head -1)
     releaseName=$(basename $zip .zip)
-    releaseName="$releaseName-r${toString src.rev}"
+    releaseName="$releaseName-r${toString src.rev or "0"}"
     cp $zip $out/release/$releaseName.zip
     
     echo "$releaseName" > $out/nix-support/hydra-release-name

pkgs/data/fonts/andagii/default.nix

@@ -19,6 +19,7 @@ in
 rec {
   src = a.fetchurl {
     url = sourceInfo.url;
+    curlOpts = "--user-agent 'Mozilla/5.0'";
     sha256 = sourceInfo.hash;
   };
 

pkgs/data/misc/cacert/default.nix

@@ -1,11 +1,11 @@
 { stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
-  name = "cacert-20121229";
+  name = "cacert-20131205";
 
   src = fetchurl {
     url = "http://tarballs.nixos.org/${name}.pem.bz2";
-    sha256 = "031s86pqvn620zkj6w97hqgjvkp6vsvlymzz7rwvkv25zvrjsgif";
+    sha256 = "049cm3nrhawkh9xpfjhgis6w58zji5ppi4d9yyjzrr7mpw0a34df";
   };
 
   unpackPhase = "true";

pkgs/data/misc/shared-mime-info/default.nix

@@ -2,11 +2,11 @@
 , libxml2, glib}:
 
 stdenv.mkDerivation rec {
-  name = "shared-mime-info-1.1";
+  name = "shared-mime-info-1.2";
 
   src = fetchurl {
     url = "http://freedesktop.org/~hadess/${name}.tar.xz";
-    sha256 = "0v70z5b6340jsjvdhf7brczpzq766wc1lsnjg9hc57ks2m5hjk8q";
+    sha256 = "0y5vi0vr6rbhvfzcfg57cfskn362bpvcpca9cy598nmr87i6lld5";
   };
 
   buildInputs = [

pkgs/desktops/gnome-2/default.nix

@@ -1,4 +1,4 @@
-{ callPackage, self, stdenv, gettext, overrides ? {} }:
+{ callPackage, self, stdenv, gettext, gvfs, libunique, overrides ? {} }:
 {
   __overrides = overrides;
 
@@ -67,7 +67,7 @@
   startup_notification = callPackage ./platform/startup-notification { };
 
   # Required for nautilus
-  libunique = callPackage ./platform/libunique { };
+  inherit (libunique);
 
   gtkglext = callPackage ./platform/gtkglext { };
 

pkgs/desktops/gnome-2/platform/libunique/default.nix

@@ -1,14 +0,0 @@
-{stdenv, fetchurl_gnome, pkgconfig, gtk}:
-
-stdenv.mkDerivation rec {
-  name = src.pkgname;
-
-  src = fetchurl_gnome {
-    project = "libunique";
-    major = "1"; minor = "1"; patchlevel = "6";
-    sha256 = "1fsgvmncd9caw552lyfg8swmsd6bh4ijjsph69bwacwfxwf09j75";
-  };
-
-  nativeBuildInputs = [ pkgconfig ];
-  buildInputs = [ gtk ];
-}

pkgs/desktops/gnome-3/core/libcroco/default.nix

@@ -1,11 +1,11 @@
 { stdenv, fetchurl, pkgconfig, libxml2, glib }:
 
 stdenv.mkDerivation rec {
-  name = "libcroco-0.6.6"; # 3.6.2 release
+  name = "libcroco-0.6.8";
 
   src = fetchurl {
     url = "mirror://gnome/sources/libcroco/0.6/${name}.tar.xz";
-    sha256 = "1nbb12420v1zacn6jwa1x4ixikkcqw66sg4j5dgs45nhygiarv3j";
+    sha256 = "0w453f3nnkbkrly7spx5lx5pf6mwynzmd5qhszprq8amij2invpa";
   };
 
   configureFlags = stdenv.lib.optional stdenv.isDarwin "--disable-Bsymbolic";

pkgs/desktops/kde-4.10/kde-workspace.nix

@@ -1,7 +1,8 @@
 { kde, kdelibs, qimageblitz, libdbusmenu_qt, xorg, shared_desktop_ontologies,
   lm_sensors, pciutils, libraw1394, libusb, libxklavier, python, libqalculate,
   xkeyboard_config, kdepimlibs, pam, boost, gpsd, prison, akonadi,
-  libjpeg, pkgconfig, libXft, libXxf86misc, kactivities, qjson, networkmanager
+  libjpeg, pkgconfig, libXft, libXxf86misc, kactivities, qjson, networkmanager,
+  fetchurl
 }:
 
 kde {
@@ -17,6 +18,12 @@ kde {
       kactivities
     ];
 
+  patches = [(fetchurl {
+    url = "https://git.reviewboard.kde.org/r/111261/diff/raw/";
+    sha256 = "0g8qjna1s0imz7801k4iy2ap5z81izi4bncvks7z3n9agji4zf40";
+    name = "CVE-2013-4132.patch";
+  })];
+
   nativeBuildInputs = [ pkgconfig ];
 
   preConfigure =

pkgs/desktops/kde-4.10/kdeutils/kdf.nix

@@ -3,6 +3,8 @@
 kde {
   buildInputs = [ kdelibs ];
 
+  enableParallelBuilding = false;
+
   meta = {
     description = "KDE free disk space utility";
   };

pkgs/desktops/xfce/applications/terminal.nix

@@ -5,11 +5,11 @@
 stdenv.mkDerivation rec {
   p_name  = "xfce4-terminal";
   ver_maj = "0.6";
-  ver_min = "2";
+  ver_min = "3";
 
   src = fetchurl {
     url = "mirror://xfce/src/apps/${p_name}/${ver_maj}/${name}.tar.bz2";
-    sha256 = "0d9vbkvbxxhv022mwyihrabmj8y9097bp57n1a412qyji0i454ix";
+    sha256 = "023y0lkfijifh05yz8grimxadqpi98mrivr00sl18nirq8b4fbwi";
   };
   name = "${p_name}-${ver_maj}.${ver_min}";
 

pkgs/development/compilers/elm/elm.nix

@@ -1,18 +1,18 @@
 { cabal, aeson, aesonPretty, binary, blazeHtml, blazeMarkup
 , cmdargs, filepath, HTF, indents, languageEcmascript, mtl, pandoc
-, parsec, text, transformers, unionFind, uniplate
+, parsec, text, transformers, unionFind, unorderedContainers
 }:
 
 cabal.mkDerivation (self: {
   pname = "Elm";
-  version = "0.10.0.1";
-  sha256 = "1r7z2fw9v6ngr9w4lmj1l6sc78rmxvqkqlxv4a9yc5jm80k3ar0i";
+  version = "0.10.1";
+  sha256 = "1y533vanhrxc14x304ig6q8ch6zih8yqgpfgw4h5vk5fpdmn09a2";
   isLibrary = true;
   isExecutable = true;
   buildDepends = [
     aeson aesonPretty binary blazeHtml blazeMarkup cmdargs filepath
     indents languageEcmascript mtl pandoc parsec text transformers
-    unionFind uniplate
+    unionFind unorderedContainers
   ];
   testDepends = [ HTF ];
   doCheck = false;

pkgs/development/compilers/ghc/head.nix

@@ -1,15 +1,15 @@
-{ stdenv, fetchurl, ghc, perl, gmp, ncurses }:
+{ stdenv, fetchurl, ghc, perl, gmp, ncurses, happy, alex }:
 
 stdenv.mkDerivation rec {
-  version = "7.7.20130828";
+  version = "7.7.20131202";
   name = "ghc-${version}";
 
   src = fetchurl {
-    url = "http://darcs.haskell.org/ghcBuilder/uploads/tn23/${name}-src.tar.bz2";
-    sha256 = "180nkd77kz3mv4g7yq8ipx34p5q8k714l0z2527y49lghy118jzv";
+    url = "http://cryp.to/${name}.tar.xz";
+    sha256 = "1gnp5c3x7dbaz7s2yvkw2fmvqh5by2gpp0zlcyj8p2gv13gxi2cb";
   };
 
-  buildInputs = [ ghc perl gmp ncurses ];
+  buildInputs = [ ghc perl gmp ncurses happy alex ];
 
   enableParallelBuilding = true;
 

pkgs/development/compilers/ghc/with-packages.nix

@@ -1,16 +1,42 @@
-{ stdenv, ghc, packages, buildEnv, makeWrapper }:
+{ stdenv, ghc, packages, buildEnv, makeWrapper, ignoreCollisions ? false }:
 
-assert packages != [];
+# This wrapper works only with GHC 6.12 or later.
+assert stdenv.lib.versionOlder "6.12" ghc.version;
+
+# It's probably a good idea to include the library "ghc-paths" in the
+# compiler environment, because we have a specially patched version of
+# that package in Nix that honors these environment variables
+#
+#   NIX_GHC
+#   NIX_GHCPKG
+#   NIX_GHC_DOCDIR
+#   NIX_GHC_LIBDIR
+#
+# instead of hard-coding the paths. The wrapper sets these variables
+# appropriately to configure ghc-paths to point back to the wrapper
+# instead of to the pristine GHC package, which doesn't know any of the
+# additional libraries.
+#
+# A good way to import the environment set by the wrapper below into
+# your shell is to add the following snippet to your ~/.bashrc:
+#
+#   if [ -e ~/.nix-profile/bin/ghc ]; then
+#     eval $(grep export ~/.nix-profile/bin/ghc)
+#   fi
 
 let
   ghc761OrLater = stdenv.lib.versionOlder "7.6.1" ghc.version;
-  packageDBFlag = if ghc761OrLater then "--package-db" else "--package-conf";
+  packageDBFlag = if ghc761OrLater then "--global-package-db" else "--global-conf";
   libDir        = "$out/lib/ghc-${ghc.version}";
+  docDir        = "$out/share/doc/ghc/html";
   packageCfgDir = "${libDir}/package.conf.d";
+  isHaskellPkg  = x: (x ? pname) && (x ? version);
 in
+if packages == [] then ghc else
 buildEnv {
   name = "haskell-env-${ghc.name}";
-  paths = stdenv.lib.filter (x: x ? ghc) (stdenv.lib.closePropagation packages) ++ [ghc];
+  paths = stdenv.lib.filter isHaskellPkg (stdenv.lib.closePropagation packages) ++ [ghc];
+  inherit ignoreCollisions;
   postBuild = ''
     . ${makeWrapper}/nix-support/setup-hook
 
@@ -20,6 +46,7 @@ buildEnv {
         --add-flags '"-B$NIX_GHC_LIBDIR"'               \
         --set "NIX_GHC"        "$out/bin/ghc"           \
         --set "NIX_GHCPKG"     "$out/bin/ghc-pkg"       \
+        --set "NIX_GHC_DOCDIR" "${docDir}"              \
         --set "NIX_GHC_LIBDIR" "${libDir}"
     done
 
@@ -29,12 +56,13 @@ buildEnv {
         --add-flags "-f $out/bin/ghc"                   \
         --set "NIX_GHC"        "$out/bin/ghc"           \
         --set "NIX_GHCPKG"     "$out/bin/ghc-pkg"       \
+        --set "NIX_GHC_DOCDIR" "${docDir}"              \
         --set "NIX_GHC_LIBDIR" "${libDir}"
     done
 
     for prg in ghc-pkg ghc-pkg-${ghc.version}; do
       rm -f $out/bin/$prg
-      makeWrapper ${ghc}/bin/$prg $out/bin/$prg --add-flags "${packageDBFlag} ${packageCfgDir}"
+      makeWrapper ${ghc}/bin/$prg $out/bin/$prg --add-flags "${packageDBFlag}=${packageCfgDir}"
     done
 
     $out/bin/ghc-pkg recache

pkgs/development/compilers/idris/default.nix

@@ -1,21 +1,21 @@
 { cabal, ansiTerminal, ansiWlPprint, binary, boehmgc, Cabal
-, filepath, gmp, happy, haskeline, languageJava, libffi
-, llvmGeneral, llvmGeneralPure, mtl, parsec, parsers, split, text
-, time, transformers, trifecta, unorderedContainers, utf8String
-, vector, vectorBinaryInstances
+, deepseq, filepath, gmp, happy, haskeline, languageJava, mtl
+, network, parsers, split, text, time, transformers, trifecta
+, unorderedContainers, utf8String, vector, vectorBinaryInstances
+, xml
 }:
 
 cabal.mkDerivation (self: {
   pname = "idris";
-  version = "0.9.9.3";
-  sha256 = "1l19xx0xbcwlnnh2w0rmri7wwixffzfrafpbji64nwyx1awz4iab";
+  version = "0.9.10.1";
+  sha256 = "194gbpk8fy64maj9lcwj9hkbndc3287bh9mz2jm09vd11i23iyg1";
   isLibrary = false;
   isExecutable = true;
   buildDepends = [
-    ansiTerminal ansiWlPprint binary Cabal filepath haskeline
-    languageJava libffi llvmGeneral llvmGeneralPure mtl parsec parsers
-    split text time transformers trifecta unorderedContainers
-    utf8String vector vectorBinaryInstances
+    ansiTerminal ansiWlPprint binary Cabal deepseq filepath haskeline
+    languageJava mtl network parsers split text time transformers
+    trifecta unorderedContainers utf8String vector
+    vectorBinaryInstances xml
   ];
   buildTools = [ happy ];
   extraLibraries = [ boehmgc gmp ];

pkgs/development/compilers/jdk/jdk7-linux.nix

@@ -0,0 +1,135 @@
+{ swingSupport ? true
+, stdenv
+, requireFile
+, unzip
+, xlibs ? null
+, installjdk ? true
+, pluginSupport ? true
+, installjce ? false
+}:
+
+assert stdenv.system == "i686-linux" || stdenv.system == "x86_64-linux";
+assert swingSupport -> xlibs != null;
+
+let
+
+  /**
+   * The JRE libraries are in directories that depend on the CPU.
+   */
+  architecture =
+    if stdenv.system == "i686-linux" then
+      "i386"
+    else if stdenv.system == "x86_64-linux" then
+      "amd64"
+    else
+      abort "jdk requires i686-linux or x86_64 linux";
+
+  jce =
+    if installjce then
+      requireFile {
+        name = "UnlimitedJCEPolicyJDK7.zip";
+        url = http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html;
+        sha256 = "7a8d790e7bd9c2f82a83baddfae765797a4a56ea603c9150c87b7cdb7800194d";
+      }
+    else
+      "";
+in
+
+stdenv.mkDerivation {
+  name =
+    if installjdk then "jdk-1.7.0_45" else "jre-1.7.0_45";
+
+  src =
+    if stdenv.system == "i686-linux" then
+      requireFile {
+        name = "jdk-7u45-linux-i586.tar.gz";
+        url = http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html;
+        sha256 = "1q0nw2rwmavcrssyigq76p1h00hm8kd3rhb5bdv7rbdcs0jxrjsa";
+      }
+    else if stdenv.system == "x86_64-linux" then
+      requireFile {
+        name = "jdk-7u45-linux-x64.tar.gz";
+        url = http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html;
+        sha256 = "06jbz536zycqkdpc7zriay0jidmj9nriqva60afsgpv93kcf9spj";
+      }
+    else
+      abort "jdk requires i686-linux or x86_64 linux";
+
+  buildInputs = if installjce then [ unzip ] else [];
+
+  installPhase = ''
+    cd ..
+    if test -z "$installjdk"; then
+      mv $sourceRoot/jre $out
+    else
+      mv $sourceRoot $out
+    fi
+
+    for file in $out/*
+    do
+      if test -f $file ; then
+        rm $file
+      fi
+    done
+
+    if test -n "$installjdk"; then
+      for file in $out/jre/*
+      do
+        if test -f $file ; then
+          rm $file
+        fi
+      done
+    fi
+
+    # construct the rpath
+    rpath=
+    for i in $libraries; do
+        rpath=$rpath''${rpath:+:}$i/lib
+    done
+
+    if test -z "$installjdk"; then
+      jrePath=$out
+    else
+      jrePath=$out/jre
+    fi
+
+    if test -n "${jce}"; then
+      unzip ${jce}
+      cp -v UnlimitedJCEPolicy/*.jar $jrePath/lib/security
+    fi
+
+    rpath=$rpath''${rpath:+:}$jrePath/lib/${architecture}/jli
+    rpath=$rpath''${rpath:+:}$jrePath/lib/${architecture}
+
+    # set all the dynamic linkers
+    find $out -type f -perm +100 \
+        -exec patchelf --interpreter "$(cat $NIX_GCC/nix-support/dynamic-linker)" \
+        --set-rpath "$rpath" {} \;
+
+    find $out -name "*.so" -exec patchelf --set-rpath "$rpath" {} \;
+
+    if test -z "$pluginSupport"; then
+      rm -f $out/bin/javaws
+      if test -n "$installjdk"; then
+        rm -f $out/jre/bin/javaws
+      fi
+    fi
+
+    mkdir $jrePath/lib/${architecture}/plugins
+    ln -s $jrePath/lib/${architecture}/libnpjp2.so $jrePath/lib/${architecture}/plugins
+  '';
+
+  inherit installjdk pluginSupport;
+
+  /**
+   * libXt is only needed on amd64
+   */
+  libraries =
+    [stdenv.gcc.libc] ++
+    (if swingSupport then [xlibs.libX11 xlibs.libXext xlibs.libXtst xlibs.libXi xlibs.libXp xlibs.libXt] else []);
+
+  passthru.mozillaPlugin = if installjdk then "/jre/lib/${architecture}/plugins" else "/lib/${architecture}/plugins";
+
+  meta.license = "unfree";
+}
+

pkgs/development/compilers/llvm/dragonegg.nix

@@ -1,12 +1,12 @@
 {stdenv, fetchurl, llvm, gmp, mpfr, mpc}:
 
 stdenv.mkDerivation rec {
-  version = "3.2";
+  version = "3.3";
   name = "dragonegg-${version}";
 
   src = fetchurl {
     url = "http://llvm.org/releases/${version}/${name}.src.tar.gz";
-    sha256 = "0jfxhqy3177drlvzgp6m0kwnbfyzrd4vzidnxjhck8a7a69a26bg";
+    sha256 = "1kfryjaz5hxh3q6m50qjrwnyjb3smg2zyh025lhz9km3x4kshlri";
   };
 
   # The gcc the plugin will be built for (the same used building dragonegg)

pkgs/development/compilers/scala/2.9.nix

@@ -0,0 +1,34 @@
+{ stdenv, fetchurl }:
+
+# at runtime, need jre or jdk
+
+stdenv.mkDerivation rec {
+  name = "scala-2.9.2";
+
+  src = fetchurl {
+    url = "http://www.scala-lang.org/downloads/distrib/files/${name}.tgz";
+    sha256 = "0s1shpzw2hyz7bwxdqq19rcrzbpq4d7b0kvdvjvhy7h05x496b46";
+  };
+
+  installPhase = ''
+    mkdir -p $out
+    rm bin/*.bat
+    rm lib/scalacheck.jar
+    mv * $out
+  '';
+
+  meta = {
+    description = "Scala is a general purpose programming language";
+    longDescription = ''
+      Scala is a general purpose programming language designed to express
+      common programming patterns in a concise, elegant, and type-safe way.
+      It smoothly integrates features of object-oriented and functional
+      languages, enabling Java and other programmers to be more productive.
+      Code sizes are typically reduced by a factor of two to three when
+      compared to an equivalent Java application.
+    '';
+    homepage = http://www.scala-lang.org/;
+    license = "BSD";
+    platforms = stdenv.lib.platforms.all;
+  };
+}

pkgs/development/compilers/scala/default.nix

@@ -1,20 +1,23 @@
-{ stdenv, fetchurl }:
-
-# at runtime, need jre or jdk
+{ stdenv, fetchurl, makeWrapper, jre }:
 
 stdenv.mkDerivation rec {
-  name = "scala-2.9.2";
+  name = "scala-2.10.3";
 
   src = fetchurl {
-    url = "http://www.scala-lang.org/downloads/distrib/files/${name}.tgz";
-    sha256 = "0s1shpzw2hyz7bwxdqq19rcrzbpq4d7b0kvdvjvhy7h05x496b46";
+    url = "http://www.scala-lang.org/files/archive/${name}.tgz";
+    sha256 = "16ac935wydrxrvijv4ldnz4vl2xk8yb3yzb9bsi3nb9sic7fxl95";
   };
 
+  buildInputs = [ jre makeWrapper ] ;
+
   installPhase = ''
     mkdir -p $out
     rm bin/*.bat
-    rm lib/scalacheck.jar
     mv * $out
+
+    for p in $(ls $out/bin/) ; do
+      wrapProgram $out/bin/$p --prefix PATH ":" ${jre}/bin ;
+    done
   '';
 
   meta = {

pkgs/development/interpreters/perl/5.16/cpp-precomp.patch

@@ -0,0 +1,11 @@
+--- a/hints/darwin.sh	2013-05-08 11:13:45.000000000 -0600
++++ b/hints/darwin.sh	2013-05-08 11:15:04.000000000 -0600
+@@ -129,7 +129,7 @@
+ 
+ # Avoid Apple's cpp precompiler, better for extensions
+ if [ "X`echo | ${cc} -no-cpp-precomp -E - 2>&1 >/dev/null`" = "X" ]; then
+-    cppflags="${cppflags} -no-cpp-precomp"
++    #cppflags="${cppflags} -no-cpp-precomp"
+ 
+     # This is necessary because perl's build system doesn't
+     # apply cppflags to cc compile lines as it should.

pkgs/development/interpreters/perl/5.16/default.nix

@@ -18,7 +18,7 @@ stdenv.mkDerivation rec {
     [ # Do not look in /usr etc. for dependencies.
       ./no-sys-dirs.patch
     ]
-    ++ stdenv.lib.optional stdenv.isDarwin ./no-libutil.patch;
+    ++ stdenv.lib.optionals stdenv.isDarwin [ ./cpp-precomp.patch ./no-libutil.patch ] ;
 
   # Build a thread-safe Perl with a dynamic libperls.o.  We need the
   # "installstyle" option to ensure that modules are put under

pkgs/development/interpreters/php/5.3.nix

@@ -10,7 +10,7 @@ in
 
 composableDerivation.composableDerivation {} ( fixed : let inherit (fixed.fixed) version; in {
 
-  version = "5.3.27";
+  version = "5.3.28";
 
   name = "php-${version}";
 
@@ -224,7 +224,7 @@ composableDerivation.composableDerivation {} ( fixed : let inherit (fixed.fixed)
 
   src = fetchurl {
     url = "http://nl1.php.net/get/php-${version}.tar.bz2/from/this/mirror";
-    sha256 = "11xj6v65m6l2lq2s2j5pq5l0iwjsnxmv1nad9hja50ivc8fb4bg1";
+    sha256 = "04w53nn6qacpkd1x381mzd41kqh6k8kjnbyg44yvnkqwcl69db0c";
     name = "php-${version}.tar.bz2";
   };
 

pkgs/development/interpreters/php/5.4.nix

@@ -9,7 +9,7 @@ in
 
 composableDerivation.composableDerivation {} ( fixed : let inherit (fixed.fixed) version; in {
 
-  version = "5.4.20";
+  version = "5.4.23";
 
   name = "php-${version}";
 
@@ -235,7 +235,7 @@ composableDerivation.composableDerivation {} ( fixed : let inherit (fixed.fixed)
       "http://nl1.php.net/get/php-${version}.tar.bz2/from/this/mirror"
       "http://se1.php.net/get/php-${version}.tar.bz2/from/this/mirror"
     ];
-    sha256 = "1qarcxj46rzkmql3w2dln0hxzs349ph31fxcslizxch1ig7l43nd";
+    sha256 = "1k4iplqqcaqkmyq10h6a5qcpkfpkd05r2kclxw9n9qdrm47hfz5f";
     name = "php-${version}.tar.bz2";
   };
 

pkgs/development/interpreters/python/2.7/CVE-2014-1912.patch

@@ -0,0 +1,57 @@
+# Edited from Mercurial patch: deleted the NEWS hunk, since it didn't apply cleanly.
+# It added the following line to NEWS:
+# - Issue #20246: Fix buffer overflow in socket.recvfrom_into.
+
+# HG changeset patch
+# User Benjamin Peterson <benjamin@python.org>
+# Date 1389671978 18000
+# Node ID 87673659d8f7ba1623cd4914f09ad3d2ade034e9
+# Parent  2631d33ee7fbd5f0288931ef37872218d511d2e8
+complain when nbytes > buflen to fix possible buffer overflow (closes #20246)
+
+diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py
+--- a/Lib/test/test_socket.py
++++ b/Lib/test/test_socket.py
+@@ -1620,6 +1620,16 @@ class BufferIOTest(SocketConnectedTest):
+ 
+     _testRecvFromIntoMemoryview = _testRecvFromIntoArray
+ 
++    def testRecvFromIntoSmallBuffer(self):
++        # See issue #20246.
++        buf = bytearray(8)
++        self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
++
++    def _testRecvFromIntoSmallBuffer(self):
++        with test_support.check_py3k_warnings():
++            buf = buffer(MSG*2048)
++        self.serv_conn.send(buf)
++
+ 
+ TIPC_STYPE = 2000
+ TIPC_LOWER = 200
+diff --git a/Misc/ACKS b/Misc/ACKS
+--- a/Misc/ACKS
++++ b/Misc/ACKS
+@@ -979,6 +979,7 @@ Eric V. Smith
+ Christopher Smith
+ Gregory P. Smith
+ Roy Smith
++Ryan Smith-Roberts
+ Rafal Smotrzyk
+ Dirk Soede
+ Paul Sokolovsky
+diff --git a/Misc/NEWS b/Misc/NEWS
+--- a/Modules/socketmodule.c
++++ b/Modules/socketmodule.c
+@@ -2742,6 +2742,10 @@ sock_recvfrom_into(PySocketSockObject *s
+     if (recvlen == 0) {
+         /* If nbytes was not specified, use the buffer's length */
+         recvlen = buflen;
++    } else if (recvlen > buflen) {
++        PyErr_SetString(PyExc_ValueError,
++                        "nbytes is greater than the length of the buffer");
++        goto error;
+     }
+ 
+     readlen = sock_recvfrom_guts(s, buf.buf, recvlen, flags, &addr);
+

pkgs/development/interpreters/python/2.7/default.nix

@@ -8,11 +8,11 @@ with stdenv.lib;
 let
 
   majorVersion = "2.7";
-  version = "${majorVersion}.5";
+  version = "${majorVersion}.6";
 
   src = fetchurl {
-    url = "http://www.python.org/ftp/python/${version}/Python-${version}.tar.bz2";
-    sha256 = "0nc091f19sllibvxm6n3qw5pflcphkwwxmz43q26lqafhra7airv";
+    url = "http://www.python.org/ftp/python/${version}/Python-${version}.tar.xz";
+    sha256 = "18gnpyh071dxa0rv3silrz92jw9qpblswzwv4gzqcwxzz20qxmhz";
   };
 
   patches =
@@ -28,6 +28,10 @@ let
       # patch python to put zero timestamp into pyc
       # if DETERMINISTIC_BUILD env var is set
       ./deterministic-build.patch
+
+      # See http://bugs.python.org/issue20246
+      # This will be fixed in 2.7.7.
+      ./CVE-2014-1912.patch
     ];
 
   postPatch = stdenv.lib.optionalString (stdenv.gcc.libc != null) ''

pkgs/development/interpreters/python/3.2/CVE-2014-1912.patch

@@ -0,0 +1,57 @@
+# Edited from Mercurial patch: deleted the NEWS hunk, since it didn't apply cleanly.
+# It added the following line to NEWS:
+# - Issue #20246: Fix buffer overflow in socket.recvfrom_into.
+
+
+# HG changeset patch
+# User Benjamin Peterson <benjamin@python.org>
+# Date 1389671978 18000
+# Node ID 9c56217e5c793685eeaf0ee224848c402bdf1e4c
+# Parent  2b5cd6d4d149dea6c6941b7e07ada248b29fc9f6
+complain when nbytes > buflen to fix possible buffer overflow (closes #20246)
+
+diff --git a/Lib/test/test_socket.py b/Lib/test/test_socket.py
+--- a/Lib/test/test_socket.py
++++ b/Lib/test/test_socket.py
+@@ -1968,6 +1968,14 @@ class BufferIOTest(SocketConnectedTest):
+ 
+     _testRecvFromIntoMemoryview = _testRecvFromIntoArray
+ 
++    def testRecvFromIntoSmallBuffer(self):
++        # See issue #20246.
++        buf = bytearray(8)
++        self.assertRaises(ValueError, self.cli_conn.recvfrom_into, buf, 1024)
++
++    def _testRecvFromIntoSmallBuffer(self):
++        self.serv_conn.send(MSG*2048)
++
+ 
+ TIPC_STYPE = 2000
+ TIPC_LOWER = 200
+diff --git a/Misc/ACKS b/Misc/ACKS
+--- a/Misc/ACKS
++++ b/Misc/ACKS
+@@ -1020,6 +1020,7 @@ Eric V. Smith
+ Christopher Smith
+ Gregory P. Smith
+ Roy Smith
++Ryan Smith-Roberts
+ Rafal Smotrzyk
+ Dirk Soede
+ Paul Sokolovsky
+diff --git a/Misc/NEWS b/Misc/NEWS
+--- a/Modules/socketmodule.c
++++ b/Modules/socketmodule.c
+@@ -2598,6 +2598,11 @@ sock_recvfrom_into(PySocketSockObject *s
+     if (recvlen == 0) {
+         /* If nbytes was not specified, use the buffer's length */
+         recvlen = buflen;
++    } else if (recvlen > buflen) {
++        PyBuffer_Release(&pbuf);
++        PyErr_SetString(PyExc_ValueError,
++                        "nbytes is greater than the length of the buffer");
++        return NULL;
+     }
+ 
+     readlen = sock_recvfrom_guts(s, buf, recvlen, flags, &addr);
+

pkgs/development/interpreters/python/3.2/default.nix

@@ -32,6 +32,12 @@ stdenv.mkDerivation {
     sha256 = "0pxs234g08v3lar09lvzxw4vqdpwkbqmvkv894j2w7aklskcjd6v";
   };
 
+  patches =
+    [
+      # See http://bugs.python.org/issue20246
+      ./CVE-2014-1912.patch
+    ];
+
   NIX_LDFLAGS = stdenv.lib.optionalString stdenv.isLinux "-lgcc_s";
 
   preConfigure = ''

pkgs/development/interpreters/racket/default.nix

@@ -27,7 +27,7 @@ stdenv.mkDerivation rec {
     sed -e 's@</fontconfig>@@' -i chroot-fontconfig/fonts.conf
     echo "<dir>${liberation_ttf}</dir>" >> chroot-fontconfig/fonts.conf
     echo "</fontconfig>" >> chroot-fontconfig/fonts.conf
-   
+
     export FONTCONFIG_FILE=$(pwd)/chroot-fontconfig/fonts.conf
 
     cd src
@@ -37,6 +37,8 @@ stdenv.mkDerivation rec {
 
   configureFlags = [ "--enable-shared" "--enable-lt=${libtool}/bin/libtool" ];
 
+  NIX_LDFLAGS = "-lgcc_s";
+
   postInstall = ''
     for p in $(ls $out/bin/) ; do
       wrapProgram $out/bin/$p --prefix LD_LIBRARY_PATH ":" "${ffiSharedLibs}" ;

pkgs/development/interpreters/ruby/ruby-18.nix

@@ -17,8 +17,8 @@ stdenv.mkDerivation rec {
   name = "ruby-${version}";
   
   src = fetchurl {
-    url = "ftp://ftp.ruby-lang.org/pub/ruby/1.8/${name}.tar.gz";
-    sha256 = "0g2dsn8lmiqwqsp13ryzi97qxr7742v5l7v506x6wq9aiwpk42p6";
+    url = "http://cache.ruby-lang.org/pub/ruby/1.8/${name}.tar.bz2";
+    sha256 = "b4e34703137f7bfb8761c4ea474f7438d6ccf440b3d35f39cc5e4d4e239c07e3";
   };
 
   # Have `configure' avoid `/usr/bin/nroff' in non-chroot builds.
@@ -45,7 +45,7 @@ stdenv.mkDerivation rec {
   passthru = rec {
     majorVersion = "1.8";
     minorVersion = "7";
-    patchLevel = "371";
+    patchLevel = "374";
     libPath = "lib/ruby/${majorVersion}";
     gemPath = "lib/ruby/gems/${majorVersion}";
   };

pkgs/development/interpreters/ruby/ruby-19.nix

@@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
   
   src = fetchurl {
     url = "ftp://ftp.ruby-lang.org/pub/ruby/1.9/${name}.tar.bz2";
-    sha256 = "0w1avj8qfskvkgvrjxxc1cxjm14bf1v60ipvcl5q3zpn9k14k2cx";
+    sha256 = "0fdc6e860d0023ba7b94c7a0cf1f7d32908b65b526246de9dfd5bb39d0d7922b";
   };
 
   # Have `configure' avoid `/usr/bin/nroff' in non-chroot builds.
@@ -62,7 +62,7 @@ stdenv.mkDerivation rec {
   passthru = rec {
     majorVersion = "1.9";
     minorVersion = "3";
-    patchLevel = "429";
+    patchLevel = "484";
     libPath = "lib/ruby/${majorVersion}";
     gemPath = "lib/ruby/gems/${majorVersion}";
   };

pkgs/development/interpreters/ruby/ruby-2.0.nix

@@ -19,7 +19,7 @@ stdenv.mkDerivation rec {
   
   src = fetchurl {
     url = "ftp://ftp.ruby-lang.org/pub/ruby/2.0/${name}.tar.bz2";
-    sha256 = "0pr9jf01cfap93xcngyd5zpns67ffjsgaxkm0qr1r464rj9d7066";
+    sha256 = "3de4e4d9aff4682fa4f8ed2b70bd0d746fae17452fc3d3a8e8f505ead9105ad9";
   };
 
   # Have `configure' avoid `/usr/bin/nroff' in non-chroot builds.
@@ -50,7 +50,7 @@ stdenv.mkDerivation rec {
   passthru = rec {
     majorVersion = "2.0";
     minorVersion = "0";
-    patchLevel = "0";
+    patchLevel = "353";
     libPath = "lib/ruby/${majorVersion}";
     gemPath = "lib/ruby/gems/${majorVersion}";
   };