12 files changed, 122 insertions, 92 deletions
diff --git a/pkgs/os-specific/darwin/signing-utils/auto-sign-hook.sh b/pkgs/os-specific/darwin/signing-utils/auto-sign-hook.sh
index cca65661f8a..6a254cd8212 100644
--- a/pkgs/os-specific/darwin/signing-utils/auto-sign-hook.sh
+++ b/pkgs/os-specific/darwin/signing-utils/auto-sign-hook.sh
@@ -25,7 +25,7 @@ signDarwinBinariesIn() {
 signDarwinBinariesInAllOutputs() {
   local output
 
-  for output in $outputs; do
+  for output in $(getAllOutputNames); do
      signDarwinBinariesIn "${!output}"
   done
 }
diff --git a/pkgs/os-specific/linux/ell/default.nix b/pkgs/os-specific/linux/ell/default.nix
index 1e188fbe607..3306d875272 100644
--- a/pkgs/os-specific/linux/ell/default.nix
+++ b/pkgs/os-specific/linux/ell/default.nix
@@ -7,14 +7,14 @@
 
 stdenv.mkDerivation rec {
   pname = "ell";
-  version = "0.54";
+  version = "0.55";
 
   outputs = [ "out" "dev" ];
 
   src = fetchgit {
     url = "https://git.kernel.org/pub/scm/libs/ell/ell.git";
     rev = version;
-    sha256 = "sha256-Oi+S4DWXuTUL36Xh3iWIZj9rdN2qUDHmZiFSH1csW+8=";
+    sha256 = "sha256-vMWs+0iaszq+p55Z9AhqkNHWeOwlgt2iq7uuA8xGjJ4=";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/os-specific/linux/fxload/default.nix b/pkgs/os-specific/linux/fxload/default.nix
index 8c1a778ec8b..3c5443f3432 100644
--- a/pkgs/os-specific/linux/fxload/default.nix
+++ b/pkgs/os-specific/linux/fxload/default.nix
@@ -1,37 +1,31 @@
-{lib, stdenv, fetchurl}:
+{ lib
+, stdenv
+, libusb1
+}:
 
 stdenv.mkDerivation rec {
   pname = "fxload";
-  version = "2002.04.11";
+  version = libusb1.version;
+  dontUnpack = true;
+  dontBuild = true;
+  dontConfigure = true;
+  dontInstall = true;
+  dontPatch = true;
+  dontPatchELF = true;
 
-  src = fetchurl {
-    url = "mirror://sourceforge/linux-hotplug/fxload-${lib.replaceStrings ["."] ["_"] version}.tar.gz";
-    sha256 = "1hql93bp3dxrv1p67nc63xsbqwljyynm997ysldrc3n9ifi6s48m";
-  };
-
-  patches = [
-    # Will be needed after linux-headers is updated to >= 2.6.21.
-    (fetchurl {
-      url = "http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/sys-apps/fxload/files/fxload-20020411-linux-headers-2.6.21.patch?rev=1.1";
-      sha256 = "0ij0c8nr1rbyl5wmyv1cklhkxglvsqz32h21cjw4bjm151kgmk7p";
-    })
-  ];
-
-  preBuild = ''
-    substituteInPlace Makefile --replace /usr /
-    makeFlagsArray=(INSTALL=install prefix=$out)
-  '';
-
-  preInstall = ''
+  # fxload binary exist inside the `examples/bin` directory of `libusb1`
+  postFixup = ''
     mkdir -p $out/sbin
-    mkdir -p $out/share/man/man8
-    mkdir -p $out/share/usb
+    ln -s ${passthru.libusb}/examples/bin/fxload $out/sbin/fxload
   '';
 
+  passthru.libusb = libusb1.override { withExamples = true; };
+
   meta = with lib; {
-    homepage = "http://linux-hotplug.sourceforge.net/?selected=usb";
-    description = "Tool to upload firmware to Cypress EZ-USB microcontrollers";
-    license = licenses.gpl2;
+    homepage = "https://github.com/libusb/libusb";
+    description = "Tool to upload firmware to into an21, fx, fx2, fx2lp and fx3 ez-usb devices";
+    license = licenses.gpl2Only;
     platforms = platforms.linux;
+    maintainers = with maintainers; [ realsnick ];
   };
 }
diff --git a/pkgs/os-specific/linux/iproute/default.nix b/pkgs/os-specific/linux/iproute/default.nix
index 89c191cb7f3..9a63a28a7a9 100644
--- a/pkgs/os-specific/linux/iproute/default.nix
+++ b/pkgs/os-specific/linux/iproute/default.nix
@@ -6,11 +6,11 @@
 
 stdenv.mkDerivation rec {
   pname = "iproute2";
-  version = "6.0.0";
+  version = "6.1.0";
 
   src = fetchurl {
     url = "mirror://kernel/linux/utils/net/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "UjE56ecq7JljdPot50vkxT0t0FWJSIk00h/5e64ZWAo=";
+    sha256 = "sha256-XOEqD+xrIScl7yGHNZQbLat2JE235yZGp2AhsFN7Q6s=";
   };
 
   patches = [
diff --git a/pkgs/os-specific/linux/iwd/default.nix b/pkgs/os-specific/linux/iwd/default.nix
index b3895c286c5..54a9a53a036 100644
--- a/pkgs/os-specific/linux/iwd/default.nix
+++ b/pkgs/os-specific/linux/iwd/default.nix
@@ -12,12 +12,12 @@
 
 stdenv.mkDerivation rec {
   pname = "iwd";
-  version = "2.0";
+  version = "2.1";
 
   src = fetchgit {
     url = "https://git.kernel.org/pub/scm/network/wireless/iwd.git";
     rev = version;
-    sha256 = "sha256-9eQ2fW3ha69ngugYonbYdqrpERqt8aM0Ed4HM0CrmUU=";
+    sha256 = "sha256-Aq038SG8vuxCA6mYOP5I6VWCUty5vgdbpAa9J+bIfZM=";
   };
 
   outputs = [ "out" "man" "doc" ]
diff --git a/pkgs/os-specific/linux/kernel-headers/default.nix b/pkgs/os-specific/linux/kernel-headers/default.nix
index d8bfb59bf12..34fbde9d676 100644
--- a/pkgs/os-specific/linux/kernel-headers/default.nix
+++ b/pkgs/os-specific/linux/kernel-headers/default.nix
@@ -114,12 +114,12 @@ let
 in {
   inherit makeLinuxHeaders;
 
-  linuxHeaders = let version = "6.0"; in
+  linuxHeaders = let version = "6.1"; in
     makeLinuxHeaders {
       inherit version;
       src = fetchurl {
         url = "mirror://kernel/linux/kernel/v${lib.versions.major version}.x/linux-${version}.tar.xz";
-        sha256 = "sha256-XCRDpVON5SaI77VcJ6sFOcH161jAz9FqK5+7CP2BeI4=";
+        sha256 = "sha256-LKHxcFGkMPb+0RluSVJxdQcXGs/ZfZZXchJQJwOyXes=";
       };
       patches = [
          ./no-relocs.patch # for building x86 kernel headers on non-ELF platforms
diff --git a/pkgs/os-specific/linux/libbpf/default.nix b/pkgs/os-specific/linux/libbpf/default.nix
index 04322a35b4f..d6bb9d4a431 100644
--- a/pkgs/os-specific/linux/libbpf/default.nix
+++ b/pkgs/os-specific/linux/libbpf/default.nix
@@ -9,13 +9,13 @@
 
 stdenv.mkDerivation rec {
   pname = "libbpf";
-  version = "1.0.1";
+  version = "1.1.0";
 
   src = fetchFromGitHub {
     owner = "libbpf";
     repo = "libbpf";
     rev = "v${version}";
-    sha256 = "sha256-2rzVah+CxCztKnlEWMIQrUS2JJTLiWscfIA1aOBtIzs=";
+    sha256 = "sha256-/vt6IA1o0gjFtXUWhEKIZ1DUWIN2LOvrhLfFzJBACGY=";
   };
 
   nativeBuildInputs = [ pkg-config ];
diff --git a/pkgs/os-specific/linux/nvidia-x11/builder.sh b/pkgs/os-specific/linux/nvidia-x11/builder.sh
index eadf88fd116..1cf1400f996 100755
--- a/pkgs/os-specific/linux/nvidia-x11/builder.sh
+++ b/pkgs/os-specific/linux/nvidia-x11/builder.sh
@@ -1,3 +1,4 @@
+if [ -e .attrs.sh ]; then source .attrs.sh; fi
 source $stdenv/setup
 
 unpackManually() {
diff --git a/pkgs/os-specific/linux/opengl/xorg-sys/builder.sh b/pkgs/os-specific/linux/opengl/xorg-sys/builder.sh
index cd21899e60e..34f9b157945 100644
--- a/pkgs/os-specific/linux/opengl/xorg-sys/builder.sh
+++ b/pkgs/os-specific/linux/opengl/xorg-sys/builder.sh
@@ -1,3 +1,4 @@
+if [ -e .attrs.sh ]; then source .attrs.sh; fi
 source $stdenv/setup
 
 mkdir -p $out/lib
diff --git a/pkgs/os-specific/linux/shadow/default.nix b/pkgs/os-specific/linux/shadow/default.nix
index c6fd417d0d6..2d0e6071629 100644
--- a/pkgs/os-specific/linux/shadow/default.nix
+++ b/pkgs/os-specific/linux/shadow/default.nix
@@ -1,57 +1,62 @@
-{ lib, stdenv, nixosTests, fetchpatch, fetchFromGitHub, autoreconfHook, libxslt
-, libxml2 , docbook_xml_dtd_45, docbook_xsl, itstool, flex, bison, runtimeShell
-, libxcrypt, pam ? null, glibcCross ? null
+{ lib, stdenv, fetchFromGitHub
+, runtimeShell, nixosTests, fetchpatch
+, autoreconfHook, bison, flex
+, docbook_xml_dtd_45, docbook_xsl
+, itstool , libxml2, libxslt
+, libxcrypt
+, glibcCross ? null
+, pam ? null
+, withTcb ? stdenv.isLinux, tcb
 }:
-
 let
-
   glibc =
-    if stdenv.hostPlatform != stdenv.buildPlatform
-    then glibcCross
+    if stdenv.hostPlatform != stdenv.buildPlatform then glibcCross
     else assert stdenv.hostPlatform.libc == "glibc"; stdenv.cc.libc;
 
-  dots_in_usernames = fetchpatch {
-    url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/sys-apps/shadow/files/shadow-4.1.3-dots-in-usernames.patch";
-    sha256 = "1fj3rg6x3jppm5jvi9y7fhd2djbi4nc5pgwisw00xlh4qapgz692";
-  };
-
 in
 
 stdenv.mkDerivation rec {
   pname = "shadow";
-  version = "4.11.1";
+  version = "4.13";
 
   src = fetchFromGitHub {
     owner = "shadow-maint";
-    repo = "shadow";
-    rev = "v${version}";
-    sha256 = "sha256-PxLX5V0t18JftT5wT41krNv18Ew7Kz3MfZkOi/80ODA=";
+    repo = pname;
+    rev = version;
+    sha256 = "sha256-L54DhdBYthfB9436t/XWXiqKhW7rfd0GLS7pYGB32rA=";
   };
 
-  buildInputs = [ libxcrypt ]
-    ++ lib.optional (pam != null && stdenv.isLinux) pam;
-  nativeBuildInputs = [autoreconfHook libxslt libxml2
-    docbook_xml_dtd_45 docbook_xsl flex bison itstool
-    ];
-
-  patches =
-    [ ./keep-path.patch
-      # Obtain XML resources from XML catalog (patch adapted from gtk-doc)
-      ./respect-xml-catalog-files-var.patch
-      dots_in_usernames
-      ./runtime-shell.patch
-    ];
+  outputs = [ "out" "su" "dev" "man" ];
 
   RUNTIME_SHELL = runtimeShell;
 
-  # The nix daemon often forbids even creating set[ug]id files.
-  postPatch =
-    ''sed 's/^\(s[ug]idperms\) = [0-9]755/\1 = 0755/' -i src/Makefile.am
-    '';
+  nativeBuildInputs = [
+    autoreconfHook bison flex
+    docbook_xml_dtd_45 docbook_xsl
+    itstool libxml2 libxslt
+  ];
 
-  outputs = [ "out" "su" "man" ];
+  buildInputs = [ libxcrypt ]
+    ++ lib.optional (pam != null && stdenv.isLinux) pam
+    ++ lib.optional withTcb tcb;
+
+  patches = [
+    ./keep-path.patch
+    # Obtain XML resources from XML catalog (patch adapted from gtk-doc)
+    ./respect-xml-catalog-files-var.patch
+    ./runtime-shell.patch
+    ./fix-install-with-tcb.patch
+    # Fix HAVE_SHADOWGRP configure check
+    (fetchpatch {
+      url = "https://github.com/shadow-maint/shadow/commit/a281f241b592aec636d1b93a99e764499d68c7ef.patch";
+      sha256 = "sha256-GJWg/8ggTnrbIgjI+HYa26DdVbjTHTk/IHhy7GU9G5w=";
+    })
+  ];
 
-  enableParallelBuilding = true;
+  # The nix daemon often forbids even creating set[ug]id files.
+  postPatch = ''
+    sed 's/^\(s[ug]idperms\) = [0-9]755/\1 = 0755/' -i src/Makefile.am
+  '';
 
   # Assume System V `setpgrp (void)', which is the default on GNU variants
   # (`AC_FUNC_SETPGRP' is not cross-compilation capable.)
@@ -65,23 +70,24 @@ stdenv.mkDerivation rec {
     "--with-group-name-max-length=32"
     "--with-bcrypt"
     "--with-yescrypt"
-  ] ++ lib.optional (stdenv.hostPlatform.libc != "glibc") "--disable-nscd";
-
-  preBuild = lib.optionalString (stdenv.hostPlatform.libc == "glibc")
-    ''
-      substituteInPlace lib/nscd.c --replace /usr/sbin/nscd ${glibc.bin}/bin/nscd
-    '';
-
-  postInstall =
-    ''
-      # Don't install ‘groups’, since coreutils already provides it.
-      rm $out/bin/groups
-      rm $man/share/man/man1/groups.*
-
-      # Move the su binary into the su package
-      mkdir -p $su/bin
-      mv $out/bin/su $su/bin
-    '';
+  ] ++ lib.optional (stdenv.hostPlatform.libc != "glibc") "--disable-nscd"
+    ++ lib.optional withTcb "--with-tcb";
+
+  preBuild = lib.optionalString (stdenv.hostPlatform.libc == "glibc") ''
+    substituteInPlace lib/nscd.c --replace /usr/sbin/nscd ${glibc.bin}/bin/nscd
+  '';
+
+  postInstall = ''
+    # Don't install ‘groups’, since coreutils already provides it.
+    rm $out/bin/groups
+    rm $man/share/man/man1/groups.*
+
+    # Move the su binary into the su package
+    mkdir -p $su/bin
+    mv $out/bin/su $su/bin
+  '';
+
+  enableParallelBuilding = true;
 
   disallowedReferences = lib.optional (stdenv.buildPlatform != stdenv.hostPlatform) stdenv.shellPackage;
 
diff --git a/pkgs/os-specific/linux/shadow/fix-install-with-tcb.patch b/pkgs/os-specific/linux/shadow/fix-install-with-tcb.patch
new file mode 100644
index 00000000000..ff6166b92f1
--- /dev/null
+++ b/pkgs/os-specific/linux/shadow/fix-install-with-tcb.patch
@@ -0,0 +1,28 @@
+diff --git a/src/Makefile.am b/src/Makefile.am
+index a1a2e4e..fa17f9d 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -74,10 +74,6 @@ suidubins += newgidmap newuidmap
+ endif
+ endif
+ 
+-if WITH_TCB
+-shadowsgidubins = passwd
+-endif
+-
+ LDADD          = $(INTLLIBS) \
+ 		 $(top_builddir)/libmisc/libmisc.la \
+ 		 $(top_builddir)/lib/libshadow.la \
+@@ -146,12 +142,6 @@ install-am: all-am
+ 	set -e; for i in $(suidusbins); do \
+ 		chmod $(suidperms) $(DESTDIR)$(usbindir)/$$i; \
+ 	done
+-if WITH_TCB
+-	set -e; for i in $(shadowsgidubins); do \
+-		chown root:shadow $(DESTDIR)$(ubindir)/$$i; \
+-		chmod $(sgidperms) $(DESTDIR)$(ubindir)/$$i; \
+-	done
+-endif
+ if ENABLE_SUBIDS
+ if FCAPS
+ 	setcap cap_setuid+ep $(DESTDIR)$(ubindir)/newuidmap
diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix
index 4e3f3762370..4c16e96fdb1 100644
--- a/pkgs/os-specific/linux/systemd/default.nix
+++ b/pkgs/os-specific/linux/systemd/default.nix
@@ -89,7 +89,7 @@
 , withDocumentation ? true
 , withEfi ? stdenv.hostPlatform.isEfi && !stdenv.hostPlatform.isMusl
 , withFido2 ? true
-, withHomed ? false
+, withHomed ? true
 , withHostnamed ? true
 , withHwdb ? true
 , withImportd ? !stdenv.hostPlatform.isMusl
@@ -130,7 +130,7 @@ assert withHomed -> withCryptsetup;
 let
   wantCurl = withRemote || withImportd;
   wantGcrypt = withResolved || withImportd;
-  version = "252.1";
+  version = "252.4";
 
   # Bump this variable on every (major) version change. See below (in the meson options list) for why.
   # command:
@@ -147,7 +147,7 @@ stdenv.mkDerivation {
     owner = "systemd";
     repo = "systemd-stable";
     rev = "v${version}";
-    hash = "sha256-G43qbNF7znTITSM78sOL0qi8nqaA7qIhmiqP/rZKjXY=";
+    hash = "sha256-8ejSEt3QyCSARGGVbXWac2dB9jdUpC4eX2rN0iENQX0=";
   };
 
   # On major changes, or when otherwise required, you *must* reformat the patches,