Merge remote-tracking branch 'nixpkgs/nixos-unstable-small'

Conflicts:
	nixpkgs/nixos/modules/services/mail/mailman.nix
	nixpkgs/nixos/modules/services/mail/public-inbox.nix
	nixpkgs/pkgs/build-support/go/module.nix

3 files changed, 55 insertions, 31 deletions

diff --git a/nixpkgs/pkgs/stdenv/generic/check-meta.nix b/nixpkgs/pkgs/stdenv/generic/check-meta.nix
index 63c853e3dc31..a61f3e1ae4d0 100644
--- a/nixpkgs/pkgs/stdenv/generic/check-meta.nix
+++ b/nixpkgs/pkgs/stdenv/generic/check-meta.nix
@@ -29,6 +29,14 @@ let
     toList
     isList
     elem
+    ;
+
+  inherit (lib.meta)
+    availableOn
+  ;
+
+  inherit (lib.generators)
+    toPretty
   ;
 
   # If we're in hydra, we can dispense with the more verbose error
@@ -84,7 +92,7 @@ let
     # was `licenses: lib.lists.any (l: !l.free or true) licenses;`
     # which always evaluates to `!true` for strings.
     else if isString licenses then false
-    else lib.lists.any (l: !l.free or true) licenses;
+    else any (l: !l.free or true) licenses;
 
   hasUnfreeLicense = attrs: hasLicense attrs && isUnfree attrs.meta.license;
 
@@ -94,7 +102,7 @@ let
   isMarkedBroken = attrs: attrs.meta.broken or false;
 
   hasUnsupportedPlatform =
-    pkg: !(lib.meta.availableOn hostPlatform pkg);
+    pkg: !(availableOn hostPlatform pkg);
 
   isMarkedInsecure = attrs: (attrs.meta.knownVulnerabilities or []) != [];
 
@@ -181,7 +189,7 @@ let
 
       Alternatively you can configure a predicate to allow specific packages:
         { nixpkgs.config.${predicateConfigAttr} = pkg: builtins.elem (lib.getName pkg) [
-            "${getName attrs}"
+            "${lib.getName attrs}"
           ];
         }
     '';
@@ -360,7 +368,7 @@ let
         [ ]
       else
         [ "key 'meta.${k}' has invalid value; expected ${metaTypes.${k}.name}, got\n    ${
-          lib.generators.toPretty { indent = "    "; } v
+          toPretty { indent = "    "; } v
         }" ]
     else
       [ "key 'meta.${k}' is unrecognized; expected one of: \n  [${concatMapStringsSep ", " (x: "'${x}'") (attrNames metaTypes)}]" ];
@@ -382,22 +390,24 @@ let
   # reason is one of "unfree", "blocklisted", "broken", "insecure", ...
   # !!! reason strings are hardcoded into OfBorg, make sure to keep them in sync
   # Along with a boolean flag for each reason
-  checkValidity = attrs:
+  checkValidity =
+    let
+      validYes = {
+        valid = "yes";
+        handled = true;
+      };
+    in
+    attrs:
     # Check meta attribute types first, to make sure it is always called even when there are other issues
     # Note that this is not a full type check and functions below still need to by careful about their inputs!
-    let res = checkMeta (attrs.meta or {}); in if res != [] then
-      { valid = "no"; reason = "unknown-meta"; errormsg = "has an invalid meta attrset:${concatMapStrings (x: "\n  - " + x) res}\n";
-        unfree = false; nonSource = false; broken = false; unsupported = false; insecure = false;
-      }
-    else {
-      unfree = hasUnfreeLicense attrs;
-      nonSource = hasNonSourceProvenance attrs;
-      broken = isMarkedBroken attrs;
-      unsupported = hasUnsupportedPlatform attrs;
-      insecure = isMarkedInsecure attrs;
-    } // (
+    let
+      res = checkMeta (attrs.meta or {});
+    in
+    if res != [] then
+      { valid = "no"; reason = "unknown-meta"; errormsg = "has an invalid meta attrset:${concatMapStrings (x: "\n  - " + x) res}\n"; }
+
     # --- Put checks that cannot be ignored here ---
-    if checkOutputsToInstall attrs then
+    else if checkOutputsToInstall attrs then
       { valid = "no"; reason = "broken-outputs"; errormsg = "has invalid meta.outputsToInstall"; }
 
     # --- Put checks that can be ignored here ---
@@ -410,7 +420,7 @@ let
     else if !allowBroken && attrs.meta.broken or false then
       { valid = "no"; reason = "broken"; errormsg = "is marked as broken"; }
     else if !allowUnsupportedSystem && hasUnsupportedPlatform attrs then
-      let toPretty = lib.generators.toPretty {
+      let toPretty' = toPretty {
             allowPrettyValues = true;
             indent = "  ";
           };
@@ -418,8 +428,8 @@ let
            errormsg = ''
              is not available on the requested hostPlatform:
                hostPlatform.config = "${hostPlatform.config}"
-               package.meta.platforms = ${toPretty (attrs.meta.platforms or [])}
-               package.meta.badPlatforms = ${toPretty (attrs.meta.badPlatforms or [])}
+               package.meta.platforms = ${toPretty' (attrs.meta.platforms or [])}
+               package.meta.badPlatforms = ${toPretty' (attrs.meta.badPlatforms or [])}
             '';
          }
     else if !(hasAllowedInsecure attrs) then
@@ -430,7 +440,7 @@ let
     else if hasNoMaintainers attrs then
       { valid = "warn"; reason = "maintainerless"; errormsg = "has no maintainers"; }
     # -----
-    else { valid = "yes"; });
+    else validYes;
 
 
   # The meta attribute is passed in the resulting attribute set,
@@ -443,6 +453,7 @@ let
   commonMeta = { validity, attrs, pos ? null, references ? [ ] }:
     let
       outputs = attrs.outputs or [ "out" ];
+      hasOutput = out: builtins.elem out outputs;
     in
     {
       # `name` derivation attribute includes cross-compilation cruft,
@@ -461,10 +472,13 @@ let
       #   Services and users should specify outputs explicitly,
       #   unless they are comfortable with this default.
       outputsToInstall =
-        let
-          hasOutput = out: builtins.elem out outputs;
-        in
-        [ (findFirst hasOutput null ([ "bin" "out" ] ++ outputs)) ]
+        [
+          (
+            if hasOutput "bin" then "bin"
+            else if hasOutput "out" then "out"
+            else findFirst hasOutput null outputs
+          )
+        ]
         ++ optional (hasOutput "man") "man";
     }
     // attrs.meta or { }
@@ -473,7 +487,10 @@ let
       position = pos.file + ":" + toString pos.line;
     } // {
       # Expose the result of the checks for everyone to see.
-      inherit (validity) unfree broken unsupported insecure;
+      unfree = hasUnfreeLicense attrs;
+      broken = isMarkedBroken attrs;
+      unsupported = hasUnsupportedPlatform attrs;
+      insecure = isMarkedInsecure attrs;
 
       available = validity.valid != "no"
       && (if config.checkMetaRecursively or false
@@ -484,7 +501,7 @@ let
   assertValidity = { meta, attrs }: let
       validity = checkValidity attrs;
       inherit (validity) valid;
-  in validity // {
+  in if validity ? handled then validity else validity // {
       # Throw an error if trying to evaluate a non-valid derivation
       # or, alternatively, just output a warning message.
       handled =
diff --git a/nixpkgs/pkgs/stdenv/generic/make-derivation.nix b/nixpkgs/pkgs/stdenv/generic/make-derivation.nix
index 08cded664254..1214d0101383 100644
--- a/nixpkgs/pkgs/stdenv/generic/make-derivation.nix
+++ b/nixpkgs/pkgs/stdenv/generic/make-derivation.nix
@@ -574,6 +574,12 @@ let
         "The ‘env’ attribute set can only contain derivation, string, boolean or integer attributes. The ‘${n}’ attribute is of type ${builtins.typeOf v}."; v)
       env;
 
+  # Fixed-output derivations may not reference other paths, which means that
+  # for a fixed-output derivation, the corresponding inputDerivation should
+  # *not* be fixed-output. To achieve this we simply delete the attributes that
+  # would make it fixed-output.
+  deleteFixedOutputRelatedAttrs = lib.flip builtins.removeAttrs [ "outputHashAlgo" "outputHash" "outputHashMode" ];
+
 in
 
 extendDerivation
@@ -584,7 +590,7 @@ extendDerivation
      # This allows easy building and distributing of all derivations
      # needed to enter a nix-shell with
      #   nix-build shell.nix -A inputDerivation
-     inputDerivation = derivation (derivationArg // {
+     inputDerivation = derivation (deleteFixedOutputRelatedAttrs derivationArg // {
        # Add a name in case the original drv didn't have one
        name = derivationArg.name or "inputDerivation";
        # This always only has one output
diff --git a/nixpkgs/pkgs/stdenv/generic/setup.sh b/nixpkgs/pkgs/stdenv/generic/setup.sh
index 9c918b12f96e..45c73d7709c6 100644
--- a/nixpkgs/pkgs/stdenv/generic/setup.sh
+++ b/nixpkgs/pkgs/stdenv/generic/setup.sh
@@ -1069,12 +1069,12 @@ _defaultUnpack() {
                 # disregard the error code from the xz invocation. Otherwise,
                 # it can happen that tar exits earlier, causing xz to fail
                 # from a SIGPIPE.
-                (XZ_OPT="--threads=$NIX_BUILD_CORES" xz -d < "$fn"; true) | tar xf - --warning=no-timestamp
+                (XZ_OPT="--threads=$NIX_BUILD_CORES" xz -d < "$fn"; true) | tar xf - --mode=+w --warning=no-timestamp
                 ;;
             *.tar | *.tar.* | *.tgz | *.tbz2 | *.tbz)
                 # GNU tar can automatically select the decompression method
                 # (info "(tar) gzip").
-                tar xf "$fn" --warning=no-timestamp
+                tar xf "$fn" --mode=+w --warning=no-timestamp
                 ;;
             *)
                 return 1
@@ -1421,7 +1421,8 @@ fixupPhase() {
     # Make sure everything is writable so "strip" et al. work.
     local output
     for output in $(getAllOutputNames); do
-        if [ -e "${!output}" ]; then chmod -R u+w "${!output}"; fi
+        # for set*id bits see #300635
+        if [ -e "${!output}" ]; then chmod -R u+w,u-s,g-s "${!output}"; fi
     done
 
     runHook preFixup