authorRobin Gloster <mail@glob.in>2016-07-19 10:37:02 +0000
committerRobin Gloster <mail@glob.in>2016-07-19 10:37:02 +0000
commit203846b9de3bc67e77c93be9d111408286a17d5d (patch)
tree3306a68a635fad0de834440c25f7e1b69b1e4b10 /pkgs/tools
parent6539901c7f5eeb18cf5e9a493c230a912ff27f82 (diff)
parentb54009fdfb7951bb5423c4fabcb28b70581b5ba8 (diff)
Merge remote-tracking branch 'upstream/master' into hardened-stdenv
Diffstat (limited to 'pkgs/tools')
-rw-r--r--pkgs/tools/archivers/p7zip/default.nix6
-rw-r--r--pkgs/tools/archivers/xarchiver/default.nix16
-rw-r--r--pkgs/tools/graphics/nip2/default.nix8
-rw-r--r--pkgs/tools/graphics/vips/default.nix4
-rw-r--r--pkgs/tools/misc/disper/default.nix9
-rw-r--r--pkgs/tools/misc/ethtool/default.nix5
-rw-r--r--pkgs/tools/misc/fzf/default.nix13
-rw-r--r--pkgs/tools/misc/gti/default.nix4
-rw-r--r--pkgs/tools/misc/youtube-dl/default.nix4
-rw-r--r--pkgs/tools/networking/ndjbdns/default.nix7
-rw-r--r--pkgs/tools/networking/openssh/default.nix8
-rw-r--r--pkgs/tools/networking/openssh/dont_create_privsep_path.patch11
-rw-r--r--pkgs/tools/networking/proxychains/default.nix17
-rw-r--r--pkgs/tools/networking/shncpd/default.nix27
-rw-r--r--pkgs/tools/networking/vtun/default.nix10
-rw-r--r--pkgs/tools/package-management/packagekit/default.nix83
-rw-r--r--pkgs/tools/security/keybase/default.nix28
-rw-r--r--pkgs/tools/security/minisign/default.nix11
-rw-r--r--pkgs/tools/security/nasty/default.nix4
-rw-r--r--pkgs/tools/security/sslscan/default.nix4
-rw-r--r--pkgs/tools/security/sudo/default.nix4
-rw-r--r--pkgs/tools/text/platinum-searcher/default.nix6
-rw-r--r--pkgs/tools/virtualization/nixos-container/default.nix17
-rw-r--r--pkgs/tools/virtualization/nixos-container/nixos-container-completion.sh33
-rwxr-xr-xpkgs/tools/virtualization/nixos-container/nixos-container.pl301
25 files changed, 543 insertions, 97 deletions
diff --git a/pkgs/tools/archivers/p7zip/default.nix b/pkgs/tools/archivers/p7zip/default.nix
index 63487b460343..7c952a8f7294 100644
--- a/pkgs/tools/archivers/p7zip/default.nix
+++ b/pkgs/tools/archivers/p7zip/default.nix
@@ -1,14 +1,12 @@
 { stdenv, fetchurl }:
 
-let
-  version = "15.14.1";
-in
 stdenv.mkDerivation rec {
   name = "p7zip-${version}";
+  version = "16.02";
 
   src = fetchurl {
     url = "mirror://sourceforge/p7zip/p7zip_${version}_src_all.tar.bz2";
-    sha256 = "1m15iwglyjpiw82m7dbpykz8s55imch34w20w09l34116vdb97b9";
+    sha256 = "5eb20ac0e2944f6cb9c2d51dd6c4518941c185347d4089ea89087ffdd6e2341f";
   };
 
   preConfigure = ''
diff --git a/pkgs/tools/archivers/xarchiver/default.nix b/pkgs/tools/archivers/xarchiver/default.nix
index ea59cb8319e8..507e777a7c37 100644
--- a/pkgs/tools/archivers/xarchiver/default.nix
+++ b/pkgs/tools/archivers/xarchiver/default.nix
@@ -1,18 +1,20 @@
-{ stdenv, fetchurl, gtk2, pkgconfig, intltool }:
+{ stdenv, fetchFromGitHub, gtk, pkgconfig, intltool }:
 
 stdenv.mkDerivation rec {
-  version = "0.5.4";
+  version = "0.5.4.6";
   name = "xarchiver-${version}";
 
-  src = fetchurl {
-    url = "mirror://sourceforge/xarchiver/${name}.tar.bz2";
-    sha256 = "1x1f8m71cvv2p1364rz99iqs2caxj7yrb46aikz6xigwg4wsfgz6";
+  src = fetchFromGitHub {
+    owner = "ib";
+    repo = "xarchiver";
+    rev = "${name}";
+    sha256 = "1w6b4cchd4prswrn981a7bkq44ad51xm2qiwlpzy43ynql14q877";
   };
 
-  buildInputs = [ gtk2 pkgconfig intltool ];
+  buildInputs = [ gtk pkgconfig intltool ];
 
   meta = {
-    description = "GTK+2 only frontend to 7z,zip,rar,tar,bzip2, gzip,arj, lha, rpm and deb (open and extract only)";
+    description = "GTK+ frontend to 7z,zip,rar,tar,bzip2, gzip,arj, lha, rpm and deb (open and extract only)";
     homepage = http://sourceforge.net/projects/xarchiver/;
     maintainers = [ stdenv.lib.maintainers.domenkozar ];
     license = stdenv.lib.licenses.gpl2;
diff --git a/pkgs/tools/graphics/nip2/default.nix b/pkgs/tools/graphics/nip2/default.nix
index e61488e202d3..fb88a8c37d4c 100644
--- a/pkgs/tools/graphics/nip2/default.nix
+++ b/pkgs/tools/graphics/nip2/default.nix
@@ -1,17 +1,17 @@
 { stdenv, fetchurl, pkgconfig, glib, libxml2, flex, bison, vips, gnome,
-fftw, gsl, goffice_0_8, libgsf }:
+fftw, gsl, goffice, libgsf }:
 
 stdenv.mkDerivation rec {
-  name = "nip2-8.0";
+  name = "nip2-8.3.0";
 
   src = fetchurl {
     url = "http://www.vips.ecs.soton.ac.uk/supported/current/${name}.tar.gz";
-    sha256 = "10ybac0qrz63x1yk1d0gpv9z1vzpadyii2qhrai6lllplzw6jqx7";
+    sha256 = "0vr12gyfvhxx2a28y74lzfg379d1fk0g9isc69k0vdgpn4y1i8aa";
   };
 
   buildInputs =
   [ pkgconfig glib libxml2 flex bison vips
-    gnome.gtk fftw gsl goffice_0_8 libgsf
+    gnome.gtk fftw gsl goffice libgsf
   ];
 
   meta = with stdenv.lib; {
diff --git a/pkgs/tools/graphics/vips/default.nix b/pkgs/tools/graphics/vips/default.nix
index 7b0cbc16e11a..6ff2ee5cd442 100644
--- a/pkgs/tools/graphics/vips/default.nix
+++ b/pkgs/tools/graphics/vips/default.nix
@@ -4,11 +4,11 @@
 }:
 
 stdenv.mkDerivation rec {
-  name = "vips-8.2.2";
+  name = "vips-8.3.1";
 
   src = fetchurl {
     url = "http://www.vips.ecs.soton.ac.uk/supported/current/${name}.tar.gz";
-    sha256 = "12b319aicr129cpi5sixwd3q91y97vwwva6b044zy54px4s8ls0g";
+    sha256 = "01hh1baar2r474kny24fcq6ddshcvq104207mqxnkis0as6pzjq9";
   };
 
   buildInputs =
diff --git a/pkgs/tools/misc/disper/default.nix b/pkgs/tools/misc/disper/default.nix
index 777f7b486752..449f0f20b80d 100644
--- a/pkgs/tools/misc/disper/default.nix
+++ b/pkgs/tools/misc/disper/default.nix
@@ -1,14 +1,19 @@
-{stdenv, fetchurl, python}:
+{stdenv, fetchurl, python, xorg, makeWrapper}:
 
 stdenv.mkDerivation rec {
   name = "disper-0.3.1";
 
-  buildInputs = [python];
+  buildInputs = [python makeWrapper];
 
   preConfigure = ''
     export makeFlags="PREFIX=$out"
   '';
 
+  postInstall = ''
+      wrapProgram $out/bin/disper \
+        --prefix "LD_LIBRARY_PATH" : "${xorg.libXrandr.out}/lib:${xorg.libX11.out}/lib"
+  '';
+
   src = fetchurl {
     url = http://ppa.launchpad.net/disper-dev/ppa/ubuntu/pool/main/d/disper/disper_0.3.1.tar.gz;
     sha256 = "1l8brcpfn4iascb454ym0wrv5kqyz4f0h8k6db54nc3zhfwy7vvw";
diff --git a/pkgs/tools/misc/ethtool/default.nix b/pkgs/tools/misc/ethtool/default.nix
index 9ffc4723dfd3..363aaf3f389a 100644
--- a/pkgs/tools/misc/ethtool/default.nix
+++ b/pkgs/tools/misc/ethtool/default.nix
@@ -1,11 +1,12 @@
 { stdenv, fetchurl }:
 
 stdenv.mkDerivation rec {
-  name = "ethtool-4.5";
+  name = "ethtool-${version}";
+  version = "4.6";
 
   src = fetchurl {
     url = "mirror://kernel/software/network/ethtool/${name}.tar.xz";
-    sha256 = "0fyakzpcrjb7hkaj9ccpcgza7r2im17qzxy9w6xzbiss5hrk8a5v";
+    sha256 = "e90589a9349d008cce8c0510ac4e8878efdc0ddb1b732a9a4cc333b101313415";
   };
 
   meta = with stdenv.lib; {
diff --git a/pkgs/tools/misc/fzf/default.nix b/pkgs/tools/misc/fzf/default.nix
index e8c8d9830c7b..6ba2b8817849 100644
--- a/pkgs/tools/misc/fzf/default.nix
+++ b/pkgs/tools/misc/fzf/default.nix
@@ -2,7 +2,7 @@
 
 buildGoPackage rec {
   name = "fzf-${version}";
-  version = "0.13.2";
+  version = "0.13.3";
   rev = "${version}";
 
   goPackagePath = "github.com/junegunn/fzf";
@@ -11,13 +11,13 @@ buildGoPackage rec {
     inherit rev;
     owner = "junegunn";
     repo = "fzf";
-    sha256 = "12dr0wib2ajs64a8d3l3zmgj2y8rklkc3xrvgscxgiv29lrlmvfz";
+    sha256 = "0mfrlb91akzrj0qpjpaa9bkp6m9z95z56glamry73qy21vbnj58m";
   };
 
   buildInputs = [ ncurses ];
 
   goDeps = ./deps.json;
-  
+
   patchPhase = ''
     sed -i -e "s|expand('<sfile>:h:h').'/bin/fzf'|'$bin/bin/fzf'|" plugin/fzf.vim
     sed -i -e "s|expand('<sfile>:h:h').'/bin/fzf-tmux'|'$bin/bin/fzf-tmux'|" plugin/fzf.vim
@@ -28,4 +28,11 @@ buildGoPackage rec {
     mkdir -p $out/share/vim-plugins
     ln -s $out/share/go/src/github.com/junegunn/fzf $out/share/vim-plugins/${name}
   '';
+
+  meta = with stdenv.lib; {
+    homepage = https://github.com/junegunn/fzf;
+    description = "A command-line fuzzy finder written in Go";
+    license = licenses.mit;
+    platforms = platforms.unix;
+  };
 }
diff --git a/pkgs/tools/misc/gti/default.nix b/pkgs/tools/misc/gti/default.nix
index 39e28073abce..3705dd832e9d 100644
--- a/pkgs/tools/misc/gti/default.nix
+++ b/pkgs/tools/misc/gti/default.nix
@@ -11,6 +11,10 @@ stdenv.mkDerivation rec {
     sha256 = "1wki7d61kcmv9s3xayky9cz84qa773x3y1z88y768hq8ifwadcbn";
   };
 
+  prePatch = ''
+    substituteInPlace Makefile --replace gcc cc
+  '';
+
   installPhase = ''
     mkdir -p $out/bin $out/share/man/man6
     cp gti $out/bin
diff --git a/pkgs/tools/misc/youtube-dl/default.nix b/pkgs/tools/misc/youtube-dl/default.nix
index b6f55bdcc207..12ecf11517c7 100644
--- a/pkgs/tools/misc/youtube-dl/default.nix
+++ b/pkgs/tools/misc/youtube-dl/default.nix
@@ -12,11 +12,11 @@
 buildPythonApplication rec {
 
   name = "youtube-dl-${version}";
-  version = "2016.07.09.2";
+  version = "2016.07.16";
 
   src = fetchurl {
     url = "https://yt-dl.org/downloads/${version}/${name}.tar.gz";
-    sha256 = "0qs99ss1w22apx3n2173j5mly7h0ngfgkkgz07bn30235saf0fd3";
+    sha256 = "017x2hqc2bacypjmn9ac9f91y9y6afydl0z7dich5l627494hvfg";
   };
 
   buildInputs = [ makeWrapper zip pandoc ];
diff --git a/pkgs/tools/networking/ndjbdns/default.nix b/pkgs/tools/networking/ndjbdns/default.nix
index 2a7e996f8db2..256f50e5c546 100644
--- a/pkgs/tools/networking/ndjbdns/default.nix
+++ b/pkgs/tools/networking/ndjbdns/default.nix
@@ -1,11 +1,12 @@
 { stdenv, fetchurl, systemd, pkgconfig }:
 
 stdenv.mkDerivation rec {
-  version = "1.05.9";
+  version = "1.06";
   name = "ndjbdns-${version}";
+
   src = fetchurl {
     url = "http://pjp.dgplug.org/ndjbdns/${name}.tar.gz";
-    sha256 = "0gf3hlmr6grcn6dzflf83lqqfp6hk3ldhbc7z0a1rrh059m93ap5";
+    sha256 = "09qi5a9abqm08iqmxj74fzzq9x1w5lzr1jlbzj2hl8hz0g2sgraw";
   };
 
   buildInputs = [ pkgconfig systemd ];
@@ -21,4 +22,4 @@ stdenv.mkDerivation rec {
     platforms = platforms.linux;
   };
 
-}
\ No newline at end of file
+}
diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix
index 064745f88558..a0cb0795a261 100644
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@@ -45,6 +45,9 @@ stdenv.mkDerivation rec {
       ./locale_archive.patch
       ./fix-host-key-algorithms-plus.patch
       ./CVE-2015-8325.patch
+
+      # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
+      ./dont_create_privsep_path.patch
     ]
     ++ optional withGssapiPatches gssapiSrc;
 
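Review bot: The comment added above `./dont_create_privsep_path.patch` only links to a pull request, so a reader of this file cannot tell what the patch does or what it implies at runtime. With the `--with-privsep-path=$out/empty` preConfigure removed in the next hunk, sshd presumably falls back to the configure default for its privilege-separation directory, and the patch stops `make install` from creating it. If so, that directory has to be provided by the system, root-owned and not writable by anyone else. I would say so in place, e.g. `# Do not let 'make install' create the privsep directory; it is expected to exist on the target system (see NixOS/nixpkgs#16966)`. The `patches` list starts above this hunk.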
@@ -66,11 +69,6 @@ stdenv.mkDerivation rec {
     ++ optional stdenv.isDarwin "--disable-libutil"
     ++ optional (!linkOpenssl) "--without-openssl";
 
-  preConfigure = ''
-    configureFlagsArray+=("--with-privsep-path=$out/empty")
-    mkdir -p $out/empty
-  '';
-
   enableParallelBuilding = true;
 
   hardeningEnable = [ "pie" ];
diff --git a/pkgs/tools/networking/openssh/dont_create_privsep_path.patch b/pkgs/tools/networking/openssh/dont_create_privsep_path.patch
new file mode 100644
index 000000000000..b6d432d5c5de
--- /dev/null
+++ b/pkgs/tools/networking/openssh/dont_create_privsep_path.patch
@@ -0,0 +1,11 @@
+diff -ur openssh-7.2p2_orig/Makefile.in openssh-7.2p2/Makefile.in
+--- openssh-7.2p2_orig/Makefile.in	2016-03-09 19:04:48.000000000 +0100
++++ openssh-7.2p2/Makefile.in	2016-07-16 09:56:05.643903293 +0200
+@@ -301,7 +301,6 @@
+ 	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5
+ 	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8
+ 	$(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
+-	(umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH))
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
diff --git a/pkgs/tools/networking/proxychains/default.nix b/pkgs/tools/networking/proxychains/default.nix
index 2b85cef70c55..ed19f9d1674f 100644
--- a/pkgs/tools/networking/proxychains/default.nix
+++ b/pkgs/tools/networking/proxychains/default.nix
@@ -1,10 +1,13 @@
-{ stdenv, fetchgit } :
-stdenv.mkDerivation {
-  name = "proxychains-4.0.1-head";
-  src = fetchgit {
-    url = https://github.com/haad/proxychains.git;
-    rev = "c9b8ce35b24f9d4e80563242b759dff54867163f";
-    sha256 = "163h3d3lpglbzjadf8a9kfaf0i1ds25r7si6ll6d5khn1835zik5";
+{ stdenv, fetchFromGitHub } :
+stdenv.mkDerivation rec {
+  name = "proxychains-${version}";
+  version = "4.2.0";
+
+  src = fetchFromGitHub {
+    owner = "haad";
+    repo = "proxychains";
+    rev = name;
+    sha256 = "015skh3z1jmm8kxbm3nkqv1w56kcvabdmcbmpwzywxr4xnh3x3pc";
   };
 
   meta = {
diff --git a/pkgs/tools/networking/shncpd/default.nix b/pkgs/tools/networking/shncpd/default.nix
new file mode 100644
index 000000000000..be2bc6a75a17
--- /dev/null
+++ b/pkgs/tools/networking/shncpd/default.nix
@@ -0,0 +1,27 @@
+{ stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  name = "shncpd-${version}";
+  version = "2016-06-22";
+
+  src = fetchFromGitHub {
+    owner = "jech";
+    repo = "shncpd";
+    rev = "62ef688db7a6535ce11e66c8c93ab64a1bb09484";
+    sha256 = "1sj7a77isc2jmh7gw2naw9l9366kjx6jb909h7spj7daxdwvji8f";
+  };
+
+  hardeningEnable = [ "pie" ];
+
+  preConfigure = ''
+    makeFlags=( "PREFIX=$out" )
+  '';
+
+  meta = with stdenv.lib; {
+    description = "Simple, stupid and slow HNCP daemon";
+    homepage = https://www.irif.univ-paris-diderot.fr/~jch/software/homenet/shncpd.html;
+    license = licenses.mit;
+    platforms = platforms.linux;
+    maintainers = [ maintainers.fpletz ];
+  };
+}
diff --git a/pkgs/tools/networking/vtun/default.nix b/pkgs/tools/networking/vtun/default.nix
index b0397149e60d..09f48d9fa1ad 100644
--- a/pkgs/tools/networking/vtun/default.nix
+++ b/pkgs/tools/networking/vtun/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, openssl, lzo, zlib, yacc, flex }:
+{ stdenv, fetchurl, fetchpatch, openssl, lzo, zlib, yacc, flex }:
 
 stdenv.mkDerivation rec {
   name = "vtun-3.0.3";
@@ -8,7 +8,13 @@ stdenv.mkDerivation rec {
     sha256 = "1jxrxp3klhc8az54d5qn84cbc0vdafg319jh84dxkrswii7vxp39";
   };
 
-  patchPhase = ''
+  patches = [
+    (fetchpatch { url = http://sources.debian.net/data/main/v/vtun/3.0.3-2.2/debian/patches/08-gcc5-inline.patch;
+                 sha256 = "18sys97v2hx6vac5zp3ld7sa6kz4izv3g9dnkm0lflbaxhym2vs1";
+                })
+  ];
+
+  postPatch = ''
     sed -i -e 's/-m 755//' -e 's/-o root -g 0//' Makefile.in
     sed -i '/strip/d' Makefile.in
   '';
diff --git a/pkgs/tools/package-management/packagekit/default.nix b/pkgs/tools/package-management/packagekit/default.nix
index bdd02e58cbb6..dbac7be10d79 100644
--- a/pkgs/tools/package-management/packagekit/default.nix
+++ b/pkgs/tools/package-management/packagekit/default.nix
@@ -1,57 +1,54 @@
-{ stdenv, fetchurl, intltool, glib, pkgconfig, polkit, python, sqlite }:
+{ stdenv, fetchFromGitHub, intltool, glib, pkgconfig, polkit, python, sqlite, systemd
+, gobjectIntrospection, vala, gtk_doc, autoreconfHook, autoconf-archive
+, nix, boost
+, enableCommandNotFound ? false
+, enableBashCompletion ? false, bashCompletion ? null }:
+
+with stdenv.lib;
 
 stdenv.mkDerivation rec {
-  name = "packagekit-${version}";
-  version = "1.1.1";
+  name = "packagekit-2016-06-03";
 
-  src = fetchurl {
-    sha256 = "1i6an483vmm6y39szr2alq5vf6kfxhk3j5ca79qrshcj9jjlhcs8";
-    url = "http://www.freedesktop.org/software/PackageKit/releases/PackageKit-${version}.tar.xz";
+  src = fetchFromGitHub {
+    owner = "hughsie";
+    repo = "PackageKit";
+    rev = "99fd83bbb26badf43c6a17a9f0c6dc054c7484c8";
+    sha256 = "0y42vl6r1wh57sbjfkn4khjs78q54wshf4p0v4nly9s7hydxpi6a";
   };
 
-  buildInputs = [ glib polkit python ];
-  propagatedBuildInputs = [ sqlite ];
-  nativeBuildInputs = [ intltool pkgconfig ];
+  buildInputs = [ glib polkit systemd python gobjectIntrospection vala ]
+                  ++ optional enableBashCompletion bashCompletion;
+  propagatedBuildInputs = [ sqlite nix boost ];
+  nativeBuildInputs = [ intltool pkgconfig autoreconfHook autoconf-archive gtk_doc ];
+
+  preAutoreconf = ''
+    gtkdocize
+    intltoolize
+  '';
 
   configureFlags = [
-    "--disable-static"
-    "--disable-python3"
-    "--disable-networkmanager"
-    "--disable-connman"
-    "--disable-systemd"
-    "--disable-bash-completion"
-    "--disable-gstreamer-plugin"
-    "--disable-gtk-module"
-    "--disable-command-not-found"
+    "--enable-systemd"
+    "--enable-nix"
+    "--disable-dummy"
     "--disable-cron"
-    "--disable-daemon-tests"
-    "--disable-alpm"
-    "--disable-aptcc"
-    "--enable-dummy"
-    "--disable-entropy"
-    "--disable-hif"
-    "--disable-pisi"
-    "--disable-poldek"
-    "--disable-portage"
-    "--disable-ports"
-    "--disable-katja"
-    "--disable-urpmi"
-    "--disable-yum"
-    "--disable-zypp"
-  ];
+    "--disable-introspection"
+    "--disable-offline-update"
+    "--localstatedir=/var"
+    "--sysconfdir=/etc"
+    "--with-dbus-sys=$(out)/etc/dbus-1/system.d"
+    "--with-systemdsystemunitdir=$(out)/lib/systemd/system/"
+  ]
+  ++ optional (!enableBashCompletion) "--disable-bash-completion"
+  ++ optional (!enableCommandNotFound) "--disable-command-not-found";
 
   enableParallelBuilding = true;
 
-  preInstall = ''
-    # Don't install anything to e.g. $out/var/cache:
-    for dir in src data; do
-      substituteInPlace $dir/Makefile \
-        --replace " install-data-hook" "" \
-        --replace " install-databaseDATA" ""
-    done
-  '';
+  installFlags = [
+    "sysconfdir=\${out}/etc"
+    "localstatedir=\${TMPDIR}"
+  ];
 
-  meta = with stdenv.lib; {
+  meta = {
     description = "System to facilitate installing and updating packages";
     longDescription = ''
       PackageKit is a system designed to make installing and updating software
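Review bot: `bashCompletion ? null` reaches `buildInputs` through `optional enableBashCompletion bashCompletion` with no guard, so `enableBashCompletion = true` without a `bashCompletion` argument silently puts `null` into the inputs. An `assert enableBashCompletion -> bashCompletion != null;` before `stdenv.mkDerivation` would turn that into an evaluation error. Separately, the derivation now pins an untagged `rev` under a date-only `name`, drops the `version` attribute, and replaces the dummy backend with `--enable-nix` and `--enable-systemd`. Since polkit is among the inputs and the package appears to install D-Bus and systemd unit files, a one-line comment saying why a snapshot is used instead of a release would help whoever reviews the next update.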
@@ -66,6 +63,6 @@ stdenv.mkDerivation rec {
     homepage = http://www.packagekit.org/;
     license = licenses.gpl2Plus;
     platforms = platforms.linux;
-    maintainers = with maintainers; [ nckx ];
+    maintainers = with maintainers; [ nckx matthewbauer ];
   };
 }
diff --git a/pkgs/tools/security/keybase/default.nix b/pkgs/tools/security/keybase/default.nix
new file mode 100644
index 000000000000..87a0596f6f08
--- /dev/null
+++ b/pkgs/tools/security/keybase/default.nix
@@ -0,0 +1,28 @@
+{ stdenv, buildGoPackage, fetchFromGitHub }:
+
+buildGoPackage rec {
+  name = "keybase-${version}";
+  version = "1.0.16";
+  rev = "v${version}";
+
+  goPackagePath = "github.com/keybase/client";
+  subPackages = [ "go/keybase" ];
+
+  dontRenameImports = true;
+
+  src = fetchFromGitHub {
+    owner = "keybase";
+    repo = "client";
+    inherit rev;
+    sha256 = "0p62cqpfgx9b5kfnviqpig27i20yv9bg5mq61am5xrmkp68jk35b";
+  };
+
+  buildFlags = [ "-tags production" ];
+
+  meta = with stdenv.lib; {
+    homepage = https://www.keybase.io/;
+    description = "The Keybase official command-line utility and service.";
+    platforms = platforms.linux;
+    maintainers = with maintainers; [ carlsverre ];
+  };
+}
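Review bot: The `meta` block of this new package has no `license` attribute, so license-based filtering and auditing cannot classify it. Upstream's LICENSE file should be checked; if it is the 3-clause BSD licence, as I believe, add `license = licenses.bsd3;` next to `platforms`. The `description` would also fit the surrounding packages better without the leading article and trailing period, e.g. `description = "Keybase official command-line utility and service";`.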
diff --git a/pkgs/tools/security/minisign/default.nix b/pkgs/tools/security/minisign/default.nix
index 373ebc1e6ff9..1a573048aa4e 100644
--- a/pkgs/tools/security/minisign/default.nix
+++ b/pkgs/tools/security/minisign/default.nix
@@ -1,12 +1,14 @@
-{ stdenv, fetchurl, cmake, libsodium }:
+{ stdenv, fetchFromGitHub, cmake, libsodium }:
 
 stdenv.mkDerivation rec {
   name = "minisign-${version}";
   version = "0.6";
 
-  src = fetchurl {
-    url = "https://github.com/jedisct1/minisign/archive/${version}.tar.gz";
-    sha256 = "029g8ian72fy07k73nf451dw1yggav6crjjc2x6kv4nfpq3pl9pj";
+  src = fetchFromGitHub {
+    repo = "minisign";
+    owner = "jedisct1";
+    rev = version;
+    sha256 = "1m71ngxaij3q1dw602kjgj22y5xfjlxrrkjdmx1v4p36y0n6wl92";
   };
 
   nativeBuildInputs = [ cmake ];
@@ -22,5 +24,6 @@ stdenv.mkDerivation rec {
     homepage = https://jedisct1.github.io/minisign/;
     license = licenses.isc;
     maintainers = with maintainers; [ joachifm ];
+    platforms = platforms.unix;
   };
 }
diff --git a/pkgs/tools/security/nasty/default.nix b/pkgs/tools/security/nasty/default.nix
index 35bbb3bae48d..fb078674ea74 100644
--- a/pkgs/tools/security/nasty/default.nix
+++ b/pkgs/tools/security/nasty/default.nix
@@ -9,6 +9,10 @@ stdenv.mkDerivation rec {
     sha256 = "1dznlxr728k1pgy1kwmlm7ivyl3j3rlvkmq34qpwbwbj8rnja1vn";
   };
 
+  # does not apply cleanly with patchPhase/fetchpatch
+  # https://sources.debian.net/src/nasty/0.6-3/debian/patches/02_add_largefile_support.patch
+  CFLAGS = "-D_FILE_OFFSET_BITS=64";
+
   buildInputs = [ gpgme ];
 
   installPhase = ''
diff --git a/pkgs/tools/security/sslscan/default.nix b/pkgs/tools/security/sslscan/default.nix
index 50cc380b970e..f6777a0e979f 100644
--- a/pkgs/tools/security/sslscan/default.nix
+++ b/pkgs/tools/security/sslscan/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   name = "sslscan-${version}";
-  version = "1.11.5";
+  version = "1.11.7";
 
   src = fetchurl {
     url = "https://github.com/rbsec/sslscan/archive/${version}-rbsec.tar.gz";
-    sha256 = "0mcg8hyx1r9sq716bw1r554fcsf512khgcms2ixxb1c31ng6lhq6";
+    sha256 = "0wygz2gm9asvhpfy44333y4pkdja1sbr41hc6mhkxg7a4ys8f9qs";
   };
 
   buildInputs = [ openssl ];
diff --git a/pkgs/tools/security/sudo/default.nix b/pkgs/tools/security/sudo/default.nix
index b2af5451b8b5..e2c69377df5a 100644
--- a/pkgs/tools/security/sudo/default.nix
+++ b/pkgs/tools/security/sudo/default.nix
@@ -4,14 +4,14 @@
 }:
 
 stdenv.mkDerivation rec {
-  name = "sudo-1.8.16";
+  name = "sudo-1.8.17p1";
 
   src = fetchurl {
     urls =
       [ "ftp://ftp.sudo.ws/pub/sudo/${name}.tar.gz"
         "ftp://ftp.sudo.ws/pub/sudo/OLD/${name}.tar.gz"
       ];
-    sha256 = "0k86sm9ilhxhvnfwq3092zhfxazj3kddn0y2mirz0nqjqmpq50rd";
+    sha256 = "c690d707fb561b3ecdf6a6de5563bc0b769388eff201c851edbace408bb155cc";
   };
 
   configureFlags = [
diff --git a/pkgs/tools/text/platinum-searcher/default.nix b/pkgs/tools/text/platinum-searcher/default.nix
index 9eae37c6d1a7..21a49d493aa7 100644
--- a/pkgs/tools/text/platinum-searcher/default.nix
+++ b/pkgs/tools/text/platinum-searcher/default.nix
@@ -2,8 +2,8 @@
 
 buildGoPackage rec {
   name = "the_platinum_searcher-${version}";
-  version = "2.1.1";
-  rev = "v2.1.1";
+  version = "2.1.3";
+  rev = "v2.1.3";
 
   goPackagePath = "github.com/monochromegane/the_platinum_searcher";
 
@@ -11,7 +11,7 @@ buildGoPackage rec {
     inherit rev;
     owner = "monochromegane";
     repo = "the_platinum_searcher";
-    sha256 = "06cs936w3l64ikszcysdm9ijn52kwgi1ffjxkricxbdb677gsk23";
+    sha256 = "09pkdfh7fqn3x4l9zaw5wzk20k7nfdwry7br9vfy3vv3fwv61ynp";
   };
 
   goDeps = ./deps.json;
diff --git a/pkgs/tools/virtualization/nixos-container/default.nix b/pkgs/tools/virtualization/nixos-container/default.nix
new file mode 100644
index 000000000000..0763536533f0
--- /dev/null
+++ b/pkgs/tools/virtualization/nixos-container/default.nix
@@ -0,0 +1,17 @@
+{ substituteAll, perl, perlPackages, shadow, utillinux }:
+
+substituteAll {
+    name = "nixos-container";
+    dir = "bin";
+    isExecutable = true;
+    src = ./nixos-container.pl;
+    perl = "${perl}/bin/perl -I${perlPackages.FileSlurp}/lib/perl5/site_perl";
+    su = "${shadow.su}/bin/su";
+    inherit utillinux;
+
+    postInstall = ''
+      t=$out/etc/bash_completion.d
+      mkdir -p $t
+      cp ${./nixos-container-completion.sh} $t/nixos-container
+    '';
+}
diff --git a/pkgs/tools/virtualization/nixos-container/nixos-container-completion.sh b/pkgs/tools/virtualization/nixos-container/nixos-container-completion.sh
new file mode 100644
index 000000000000..0fe8ab811a17
--- /dev/null
+++ b/pkgs/tools/virtualization/nixos-container/nixos-container-completion.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+_nixos-container() {
+    local cur prev opts
+    COMPREPLY=()
+    cur="${COMP_WORDS[COMP_CWORD]}"
+    prev="${COMP_WORDS[COMP_CWORD-1]}"
+    opts="list create destroy start stop status update login root-login run show-ip show-host-key"
+    startstop_opts=$(nixos-container list)
+    update_opts="--config"
+
+    if [[ "$prev" == "nixos-container" ]]
+    then
+        COMPREPLY=( $(compgen -W "${opts}" -- ${cur}) )
+        return 0
+    fi
+
+    if [[ $(echo "$opts" | grep "$prev") ]]
+    then
+        if [[ "$prev" == "start" || "$prev" == "stop" ]]
+        then
+            COMPREPLY=( $(compgen -W "${startstop_opts}" -- ${cur}) )
+            return 0
+        elif [[ "$prev" == "update" ]]
+        then
+            COMPREPLY=( $(compgen -W "${update_opts}" -- ${cur}) )
+            return 0
+        fi
+    fi
+}
+
+complete -F _nixos-container nixos-container
+
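Review bot: In `_nixos-container`, `grep "$prev"` treats the previous command-line word as a regular expression and, if it starts with `-`, as a grep option, so the subcommand check can match things that are not subcommands or fail with a usage error. `if echo "$opts" | grep -qwF -- "$prev"` compares it as a fixed whole word. `startstop_opts` and `update_opts` are missing from the `local` line, so they leak into the user's interactive shell; `local cur prev opts startstop_opts update_opts` fixes that. `$(nixos-container list)` also runs on every completion attempt, and moving it into the `start`/`stop` branch would invoke the tool only when its output is used. `${cur}` after `--` should be quoted as `"${cur}"`.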
diff --git a/pkgs/tools/virtualization/nixos-container/nixos-container.pl b/pkgs/tools/virtualization/nixos-container/nixos-container.pl
new file mode 100755
index 000000000000..eda57a9751eb
--- /dev/null
+++ b/pkgs/tools/virtualization/nixos-container/nixos-container.pl
@@ -0,0 +1,301 @@
+#! @perl@
+
+use strict;
+use POSIX;
+use File::Path;
+use File::Slurp;
+use Fcntl ':flock';
+use Getopt::Long qw(:config gnu_getopt);
+
+my $nsenter = "@utillinux@/bin/nsenter";
+my $su = "@su@";
+
+# Ensure a consistent umask.
+umask 0022;
+
+# Parse the command line.
+
+sub showHelp {
+    print <<EOF;
+Usage: nixos-container list
+       nixos-container create <container-name> [--system-path <path>] [--config <string>] [--ensure-unique-name] [--auto-start]
+       nixos-container destroy <container-name>
+       nixos-container start <container-name>
+       nixos-container stop <container-name>
+       nixos-container status <container-name>
+       nixos-container update <container-name> [--config <string>]
+       nixos-container login <container-name>
+       nixos-container root-login <container-name>
+       nixos-container run <container-name> -- args...
+       nixos-container show-ip <container-name>
+       nixos-container show-host-key <container-name>
+EOF
+    exit 0;
+}
+
+my $systemPath;
+my $ensureUniqueName = 0;
+my $autoStart = 0;
+my $extraConfig;
+
+GetOptions(
+    "help" => sub { showHelp() },
+    "ensure-unique-name" => \$ensureUniqueName,
+    "auto-start" => \$autoStart,
+    "system-path=s" => \$systemPath,
+    "config=s" => \$extraConfig
+    ) or exit 1;
+
+my $action = $ARGV[0] or die "$0: no action specified\n";
+
+
+# Execute the selected action.
+
+mkpath("/etc/containers", 0, 0755);
+mkpath("/var/lib/containers", 0, 0700);
+
+if ($action eq "list") {
+    foreach my $confFile (glob "/etc/containers/*.conf") {
+        $confFile =~ /\/([^\/]+).conf$/ or next;
+        print "$1\n";
+    }
+    exit 0;
+}
+
+my $containerName = $ARGV[1] or die "$0: no container name specified\n";
+$containerName =~ /^[a-zA-Z0-9\-]+$/ or die "$0: invalid container name\n";
+
+sub writeNixOSConfig {
+    my ($nixosConfigFile) = @_;
+
+    my $nixosConfig = <<EOF;
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{ boot.isContainer = true;
+  networking.hostName = mkDefault "$containerName";
+  networking.useDHCP = false;
+  $extraConfig
+}
+EOF
+
+    write_file($nixosConfigFile, $nixosConfig);
+}
+
+if ($action eq "create") {
+    # Acquire an exclusive lock to prevent races with other
+    # invocations of ‘nixos-container create’.
+    my $lockFN = "/run/lock/nixos-container";
+    open(my $lock, '>>', $lockFN) or die "$0: opening $lockFN: $!";
+    flock($lock, LOCK_EX) or die "$0: could not lock $lockFN: $!";
+
+    my $confFile = "/etc/containers/$containerName.conf";
+    my $root = "/var/lib/containers/$containerName";
+
+    # Maybe generate a unique name.
+    if ($ensureUniqueName) {
+        my $base = $containerName;
+        for (my $nr = 0; ; $nr++) {
+            $confFile = "/etc/containers/$containerName.conf";
+            $root = "/var/lib/containers/$containerName";
+            last unless -e $confFile || -e $root;
+            $containerName = "$base-$nr";
+        }
+    }
+
+    die "$0: container ‘$containerName’ already exists\n" if -e $confFile;
+
+    # Due to interface name length restrictions, container names must
+    # be restricted too.
+    die "$0: container name ‘$containerName’ is too long\n" if length $containerName > 11;
+
+    # Get an unused IP address.
+    my %usedIPs;
+    foreach my $confFile2 (glob "/etc/containers/*.conf") {
+        my $s = read_file($confFile2) or die;
+        $usedIPs{$1} = 1 if $s =~ /^HOST_ADDRESS=([0-9\.]+)$/m;
+        $usedIPs{$1} = 1 if $s =~ /^LOCAL_ADDRESS=([0-9\.]+)$/m;
+    }
+
+    my ($ipPrefix, $hostAddress, $localAddress);
+    for (my $nr = 1; $nr < 255; $nr++) {
+        $ipPrefix = "10.233.$nr";
+        $hostAddress = "$ipPrefix.1";
+        $localAddress = "$ipPrefix.2";
+        last unless $usedIPs{$hostAddress} || $usedIPs{$localAddress};
+        $ipPrefix = undef;
+    }
+
+    die "$0: out of IP addresses\n" unless defined $ipPrefix;
+
+    my @conf;
+    push @conf, "PRIVATE_NETWORK=1\n";
+    push @conf, "HOST_ADDRESS=$hostAddress\n";
+    push @conf, "LOCAL_ADDRESS=$localAddress\n";
+    push @conf, "AUTO_START=$autoStart\n";
+    write_file($confFile, \@conf);
+
+    close($lock);
+
+    print STDERR "host IP is $hostAddress, container IP is $localAddress\n";
+
+    # The per-container directory is restricted to prevent users on
+    # the host from messing with guest users who happen to have the
+    # same uid.
+    my $profileDir = "/nix/var/nix/profiles/per-container";
+    mkpath($profileDir, 0, 0700);
+    $profileDir = "$profileDir/$containerName";
+    mkpath($profileDir, 0, 0755);
+
+    # Build/set the initial configuration.
+    if (defined $systemPath) {
+        system("nix-env", "-p", "$profileDir/system", "--set", $systemPath) == 0
+            or die "$0: failed to set initial container configuration\n";
+    } else {
+        mkpath("$root/etc/nixos", 0, 0755);
+
+        my $nixosConfigFile = "$root/etc/nixos/configuration.nix";
+        writeNixOSConfig $nixosConfigFile;
+
+        system("nix-env", "-p", "$profileDir/system",
+               "-I", "nixos-config=$nixosConfigFile", "-f", "<nixpkgs/nixos>",
+               "--set", "-A", "system") == 0
+            or die "$0: failed to build initial container configuration\n";
+    }
+
+    print "$containerName\n" if $ensureUniqueName;
+    exit 0;
+}
+
+my $root = "/var/lib/containers/$containerName";
+my $profileDir = "/nix/var/nix/profiles/per-container/$containerName";
+my $gcRootsDir = "/nix/var/nix/gcroots/per-container/$containerName";
+my $confFile = "/etc/containers/$containerName.conf";
+if (!-e $confFile) {
+    if ($action eq "destroy") {
+        exit 0;
+    } elsif ($action eq "status") {
+        print "gone\n";
+    }
+    die "$0: container ‘$containerName’ does not exist\n" ;
+}
+
+sub isContainerRunning {
+    my $status = `systemctl show 'container\@$containerName'`;
+    return $status =~ /ActiveState=active/;
+}
+
+sub stopContainer {
+    system("systemctl", "stop", "container\@$containerName") == 0
+        or die "$0: failed to stop container\n";
+}
+
+# Return the PID of the init process of the container.
+sub getLeader {
+    my $s = `machinectl show "$containerName" -p Leader`;
+    chomp $s;
+    $s =~ /^Leader=(\d+)$/ or die "unable to get container's main PID\n";
+    return int($1);
+}
+
+# Run a command in the container.
+sub runInContainer {
+    my @args = @_;
+    my $leader = getLeader;
+    exec($nsenter, "-t", $leader, "-m", "-u", "-i", "-n", "-p", "--", @args);
+    die "cannot run ‘nsenter’: $!\n";
+}
+
+# Remove a directory while recursively unmounting all mounted filesystems within
+# that directory and unmounting/removing that directory afterwards as well.
+#
+# NOTE: If the specified path is a mountpoint, its contents will be removed,
+#       only mountpoints underneath that path will be unmounted properly.
+sub safeRemoveTree {
+    my ($path) = @_;
+    system("find", $path, "-mindepth", "1", "-xdev",
+           "(", "-type", "d", "-exec", "mountpoint", "-q", "{}", ";", ")",
+           "-exec", "umount", "-fR", "{}", "+");
+    system("rm", "--one-file-system", "-rf", $path);
+    if (-e $path) {
+        system("umount", "-fR", $path);
+        system("rm", "--one-file-system", "-rf", $path);
+    }
+}
+
+if ($action eq "destroy") {
+    die "$0: cannot destroy declarative container (remove it from your configuration.nix instead)\n"
+        unless POSIX::access($confFile, &POSIX::W_OK);
+
+    stopContainer if isContainerRunning;
+
+    safeRemoveTree($profileDir) if -e $profileDir;
+    safeRemoveTree($gcRootsDir) if -e $gcRootsDir;
+    safeRemoveTree($root) if -e $root;
+    unlink($confFile) or die;
+}
+
+elsif ($action eq "start") {
+    system("systemctl", "start", "container\@$containerName") == 0
+        or die "$0: failed to start container\n";
+}
+
+elsif ($action eq "stop") {
+    stopContainer;
+}
+
+elsif ($action eq "status") {
+    print isContainerRunning() ? "up" : "down", "\n";
+}
+
+elsif ($action eq "update") {
+    my $nixosConfigFile = "$root/etc/nixos/configuration.nix";
+
+    # FIXME: may want to be more careful about clobbering the existing
+    # configuration.nix.
+    writeNixOSConfig $nixosConfigFile if (defined $extraConfig && $extraConfig ne "");
+
+    system("nix-env", "-p", "$profileDir/system",
+           "-I", "nixos-config=$nixosConfigFile", "-f", "<nixpkgs/nixos>",
+           "--set", "-A", "system") == 0
+        or die "$0: failed to build container configuration\n";
+
+    if (isContainerRunning) {
+        print STDERR "reloading container...\n";
+        system("systemctl", "reload", "container\@$containerName") == 0
+            or die "$0: failed to reload container\n";
+    }
+}
+
+elsif ($action eq "login") {
+    exec("machinectl", "login", "--", $containerName);
+}
+
+elsif ($action eq "root-login") {
+    runInContainer("@su@", "root", "-l");
+}
+
+elsif ($action eq "run") {
+    shift @ARGV; shift @ARGV;
+    # Escape command.
+    my $s = join(' ', map { s/'/'\\''/g; "'$_'" } @ARGV);
+    runInContainer("@su@", "root", "-l", "-c", "exec " . $s);
+}
+
+elsif ($action eq "show-ip") {
+    my $s = read_file($confFile) or die;
+    $s =~ /^LOCAL_ADDRESS=([0-9\.]+)$/m or die "$0: cannot get IP address\n";
+    print "$1\n";
+}
+
+elsif ($action eq "show-host-key") {
+    my $fn = "$root/etc/ssh/ssh_host_ed25519_key.pub";
+    $fn = "$root/etc/ssh/ssh_host_ecdsa_key.pub" unless -e $fn;
+    exit 1 if ! -f $fn;
+    print read_file($fn);
+}
+
+else {
+    die "$0: unknown action ‘$action’\n";
+}
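Review bot: The container-name check `$containerName =~ /^[a-zA-Z0-9\-]+$/` uses `$`, which in Perl also matches before a trailing newline, so a name ending in a newline passes validation. That name then flows into the `/etc/containers` and `/var/lib/containers` paths and into the two backtick commands in `isContainerRunning` and `getLeader`, which go through a shell. Anchoring with `\A` and `\z` closes the gap: `$containerName =~ /\A[a-zA-Z0-9\-]+\z/ or die "$0: invalid container name\n";`. Those two subs would also be sturdier reading output through a list-form pipe, e.g. `open(my $fh, "-|", "machinectl", "show", $containerName, "-p", "Leader")`, which keeps the name away from a shell and matches the list-form `system` calls elsewhere in the file. The preamble has `use strict;` but no `use warnings;`, which I would add.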