Merge commit '93883402a445ad467320925a0a5dbe43a949f25b'

Conflicts:
	nixpkgs/nixos/modules/programs/ssh.nix
	nixpkgs/pkgs/applications/networking/browsers/firefox/packages.nix
	nixpkgs/pkgs/data/fonts/noto-fonts/default.nix
	nixpkgs/pkgs/development/go-modules/generic/default.nix
	nixpkgs/pkgs/development/interpreters/ruby/default.nix
	nixpkgs/pkgs/development/libraries/mesa/default.nix

3 files changed, 37 insertions, 26 deletions

diff --git a/nixpkgs/pkgs/tools/security/gnupg/22.nix b/nixpkgs/pkgs/tools/security/gnupg/23.nix
index 83b04a9fe790..ef7a5cf85e71 100644
--- a/nixpkgs/pkgs/tools/security/gnupg/22.nix
+++ b/nixpkgs/pkgs/tools/security/gnupg/23.nix
@@ -3,10 +3,10 @@
 
 # Each of the dependencies below are optional.
 # Gnupg can be built without them at the cost of reduced functionality.
-, guiSupport ? true, enableMinimal ? false
-, adns ? null , bzip2 ? null , gnutls ? null , libusb1 ? null , openldap ? null
-, pcsclite ? null , pinentry ? null , readline ? null , sqlite ? null , zlib ?
-null
+, guiSupport ? stdenv.isDarwin, enableMinimal ? false
+, adns ? null, bzip2 ? null , gnutls ? null , libusb1 ? null , openldap ? null
+, tpm2-tss ? null
+, pcsclite ? null , pinentry ? null , readline ? null , sqlite ? null , zlib ? null
 }:
 
 with lib;
@@ -15,12 +15,11 @@ assert guiSupport -> pinentry != null && enableMinimal == false;
 
 stdenv.mkDerivation rec {
   pname = "gnupg";
-
-  version = "2.2.27";
+  version = "2.3.3";
 
   src = fetchurl {
     url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2";
-    sha256 = "1693s2rp9sjwvdslj94n03wnb6rxysjy0dli0q1698af044h1ril";
+    sha256 = "0dz9x0r5021bhk1kjh29m1q13xbslwb8yn9qzcp7b9m1lrnvi2ap";
   };
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
@@ -28,21 +27,27 @@ stdenv.mkDerivation rec {
   buildInputs = [
     libgcrypt libassuan libksba libiconv npth gettext
     readline libusb1 gnutls adns openldap zlib bzip2 sqlite
-  ];
+  ] ++ optional (!stdenv.isDarwin) tpm2-tss ;
 
   patches = [
     ./fix-libusb-include-path.patch
-    ./0001-dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch
     ./tests-add-test-cases-for-import-without-uid.patch
     ./allow-import-of-previously-known-keys-even-without-UI.patch
     ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
+  ] ++ lib.optional stdenv.isDarwin [
+    # Remove an innocent warning printed on systems without procfs
+    # https://dev.gnupg.org/T5656
+    (fetchpatch {
+      url = "https://raw.githubusercontent.com/Homebrew/formula-patches/890be5f6af88e7913d177af87a50129049e681bb/gnupg/2.3.3-proc-error.patch";
+      sha256 = "sha256-oiTa7Nf+AEmhZ683CJEaCb559PXJ6RpSSgRLpxz4CKU=";
+    })
   ];
   postPatch = ''
     sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' configure doc/dirmngr.texi doc/gnupg.info-1
     # Fix broken SOURCE_DATE_EPOCH usage - remove on the next upstream update
     sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.am
     sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.in
-  '' + lib.optionalString ( stdenv.isLinux && pcsclite != null) ''
+  '' + lib.optionalString (stdenv.isLinux && pcsclite != null) ''
     sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c
   '';
 
@@ -53,12 +58,12 @@ stdenv.mkDerivation rec {
     "--with-libassuan-prefix=${libassuan.dev}"
     "--with-ksba-prefix=${libksba.dev}"
     "--with-npth-prefix=${npth}"
-  ] ++ optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}";
-
+  ] ++ optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}"
+  ++ optional ( (!stdenv.isDarwin) && (tpm2-tss != null) ) "--with-tss=intel";
   postInstall = if enableMinimal
   then ''
     rm -r $out/{libexec,sbin,share}
-    for f in `find $out/bin -type f -not -name gpg`
+    for f in $(find $out/bin -type f -not -name gpg)
     do
       rm $f
     done
@@ -73,12 +78,17 @@ stdenv.mkDerivation rec {
     ln -s $out/bin/gpg $out/bin/gpg2
 
     # Make libexec tools available in PATH
-    ln -s -t $out/bin $out/libexec/*
+    for f in $out/libexec/; do
+      if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi
+      ln -s $f $out/bin/$(basename $f)
+    done
   '';
 
+  enableParallelBuilding = true;
+
   meta = with lib; {
     homepage = "https://gnupg.org";
-    description = "Modern (2.1) release of the GNU Privacy Guard, a GPL OpenPGP implementation";
+    description = "Modern release of the GNU Privacy Guard, a GPL OpenPGP implementation";
     license = licenses.gpl3Plus;
     longDescription = ''
       The GNU Privacy Guard is the GNU project's complete and free
diff --git a/nixpkgs/pkgs/tools/security/gnupg/allow-import-of-previously-known-keys-even-without-UI.patch b/nixpkgs/pkgs/tools/security/gnupg/allow-import-of-previously-known-keys-even-without-UI.patch
index 723a6952044e..98dda54fc7fa 100644
--- a/nixpkgs/pkgs/tools/security/gnupg/allow-import-of-previously-known-keys-even-without-UI.patch
+++ b/nixpkgs/pkgs/tools/security/gnupg/allow-import-of-previously-known-keys-even-without-UI.patch
@@ -17,10 +17,10 @@ Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  1 file changed, 11 insertions(+), 33 deletions(-)
 
 diff --git a/g10/import.c b/g10/import.c
-index 95d419a..4fdf248 100644
+index 5d3162c..f9acf95 100644
 --- a/g10/import.c
 +++ b/g10/import.c
-@@ -1792,7 +1792,6 @@ import_one_real (ctrl_t ctrl,
+@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl,
    size_t an;
    char pkstrbuf[PUBKEY_STRING_SIZE];
    int merge_keys_done = 0;
@@ -28,12 +28,12 @@ index 95d419a..4fdf248 100644
    KEYDB_HANDLE hd = NULL;
  
    if (r_valid)
-@@ -1829,14 +1828,6 @@ import_one_real (ctrl_t ctrl,
+@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl,
        log_printf ("\n");
      }
  
 -
--  if (!uidnode )
+-  if (!uidnode)
 -    {
 -      if (!silent)
 -        log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
@@ -43,16 +43,17 @@ index 95d419a..4fdf248 100644
    if (screener && screener (keyblock, screener_arg))
      {
        log_error (_("key %s: %s\n"), keystr_from_pk (pk),
-@@ -1911,17 +1902,10 @@ import_one_real (ctrl_t ctrl,
+@@ -1907,18 +1898,10 @@ import_one_real (ctrl_t ctrl,
  	  }
      }
  
--  if (!delete_inv_parts (ctrl, keyblock, keyid, options ) )
+-  /* Delete invalid parts and bail out if there are no user ids left.  */
+-  if (!delete_inv_parts (ctrl, keyblock, keyid, options))
 -    {
 -      if (!silent)
 -        {
--          log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
--          if (!opt.quiet )
+-          log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
+-          if (!opt.quiet)
 -            log_info(_("this may be caused by a missing self-signature\n"));
 -        }
 -      stats->no_user_id++;
@@ -65,7 +66,7 @@ index 95d419a..4fdf248 100644
  
    /* Get rid of deleted nodes.  */
    commit_kbnode (&keyblock);
-@@ -1931,24 +1915,11 @@ import_one_real (ctrl_t ctrl,
+@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl,
      {
        apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
        commit_kbnode (&keyblock);
@@ -90,7 +91,7 @@ index 95d419a..4fdf248 100644
      }
  
    /* The keyblock is valid and ready for real import.  */
-@@ -2006,6 +1977,13 @@ import_one_real (ctrl_t ctrl,
+@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl,
        err = 0;
        stats->skipped_new_keys++;
      }
diff --git a/nixpkgs/pkgs/tools/security/gnupg/fix-libusb-include-path.patch b/nixpkgs/pkgs/tools/security/gnupg/fix-libusb-include-path.patch
index a5432f8e3d95..f20249b1cad1 100644
--- a/nixpkgs/pkgs/tools/security/gnupg/fix-libusb-include-path.patch
+++ b/nixpkgs/pkgs/tools/security/gnupg/fix-libusb-include-path.patch
@@ -1,6 +1,6 @@
 --- a/configure
 +++ b/configure
-@@ -8987,8 +8987,7 @@
+@@ -9281,8 +9281,7 @@ fi
     { $as_echo "$as_me:${as_lineno-$LINENO}: checking libusb include dir" >&5
  $as_echo_n "checking libusb include dir... " >&6; }
     usb_incdir_found="no"