From f885dcd605396d14d9480d17f04f3f33feee5583 Mon Sep 17 00:00:00 2001
From: Jared Baur
Date: Thu, 23 Oct 2025 23:02:47 -0700
Subject: [PATCH 1/5] nixos/test-driver: remove irrevelant comment

BaseStartCommand is no longer thing.
---
 nixos/lib/test-driver/src/test_driver/machine/__init__.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/nixos/lib/test-driver/src/test_driver/machine/__init__.py b/nixos/lib/test-driver/src/test_driver/machine/__init__.py
index 5f17006f90da..31ea0d1364ae 100644
--- a/nixos/lib/test-driver/src/test_driver/machine/__init__.py
+++ b/nixos/lib/test-driver/src/test_driver/machine/__init__.py
@@ -194,8 +194,7 @@ class StartCommand: class NixStartScript(StartCommand): - """A start script from nixos/modules/virtualiation/qemu-vm.nix - that also satisfies the requirement of the BaseStartCommand. + """A start script from nixos/modules/virtualiation/qemu-vm.nix. These Nix commands have the particular characteristic that the machine name can be extracted out of them via a regex match. (Admittedly a _very_ implicit contract, evtl. TODO fix)
From 753b67e7d99f792eb6909a8da7d4cb2cf55124fc Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Sat, 8 Nov 2025 16:58:05 +0100
Subject: [PATCH 2/5] grub2: apply patch for CVE-2025-4382

---
 pkgs/tools/misc/grub/default.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkgs/tools/misc/grub/default.nix b/pkgs/tools/misc/grub/default.nix
index 4980c1db61a9..68f3921354a1 100644
--- a/pkgs/tools/misc/grub/default.nix
+++ b/pkgs/tools/misc/grub/default.nix
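Review bot: The rewritten docstring line `"""A start script from nixos/modules/virtualiation/qemu-vm.nix.` carries the path spelling over from the removed line, and `virtualiation` looks like a typo for the module directory (presumably `virtualisation`); since the line is being rewritten anyway, correcting the path keeps the reference greppable against the tree. The hunk header's `-194,8` count also implies blank context lines that were collapsed in this rendering, so the exact layout of the class header cannot be confirmed from here. The body of `NixStartScript` continues past the end of the hunk.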
@@ -505,6 +505,11 @@ stdenv.mkDerivation rec { url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=348cd416a3574348f4255bf2b04ec95938990997"; hash = "sha256-WBLYQxv8si2tvdPAvbm0/4NNqYWBMJpFV4GC0HhN/kE="; }) + (fetchpatch { + name = "CVE-2025-4382.patch"; + url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c448f511e74cb7c776b314fcb7943f98d3f22b6d"; + hash = "sha256-64gMhCEW0aYHt46crX/qN/3Hj8MgvWLazgQlVXqe8LE="; + }) ]; postPatch =
From 41b98b4a8a38ee9aa96a0cf42414e9308514fc66 Mon Sep 17 00:00:00 2001
From: Robert Hensing
Date: Wed, 12 Nov 2025 17:12:58 +0100
Subject: [PATCH 3/5] nixos: Shuffle definitions and deprecate system.extraSystemBuilderCmds

Shuffle: The definitions are now combined into a single option. Since they have no interdependencies, that's ok, but you may notice this trivial change by a changed hash, and analyzing with nix-diff.

Deprecation: Use the option `system.systemBuilderCommands` instead.
---
 nixos/modules/system/activation/top-level.nix | 14 ++------------
 nixos/tests/switch-test.nix | 2 +-
 2 files changed, 3 insertions(+), 13 deletions(-)

diff --git a/nixos/modules/system/activation/top-level.nix b/nixos/modules/system/activation/top-level.nix
index 9a1cde27bf77..f09bd38aa393 100644
--- a/nixos/modules/system/activation/top-level.nix
+++ b/nixos/modules/system/activation/top-level.nix
@@ -53,8 +53,6 @@ let ${config.boot.bootspec.writer} ${optionalString config.boot.bootspec.enableValidation ''${config.boot.bootspec.validator} "$out/${config.boot.bootspec.filename}"''} ''} - - ${config.system.extraSystemBuilderCmds} ''; # Putting it all together. This builds a store path containing
@@ -129,6 +127,7 @@ in [ "system" "replaceRuntimeDependencies" ] [ "system" "replaceDependencies" "replacements" ] ) + (mkRenamedOptionModule [ "system" "extraSystemBuilderCmds" ] [ "system" "systemBuilderCommands" ]) ]; options = {
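Review bot: The new `fetchpatch` entry is pinned to an upstream commit id and a content hash, which is the right shape, but nothing in the hunk records when the patch becomes redundant, so a future grub version bump has no cue to drop it. I would put a comment above the entry such as `# CVE-2025-4382, upstream commit c448f511e74cb7c776b314fcb7943f98d3f22b6d; drop once the packaged release includes it` — whether a released grub already contains that commit is not determinable from this diff. The `patches` list and the enclosing `stdenv.mkDerivation rec { … }` begin before this hunk, so any existing comment convention for the neighbouring CVE patches is not visible here.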
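Review bot: The `@@ -53,8 +53,6 @@` hunk removes the interpolation of `config.system.extraSystemBuilderCmds` that ran after the bootspec writer and the optional validator, but the site where `system.systemBuilderCommands` is spliced into the builder is outside this diff, so the hunk alone does not show whether the relocated commands (for example the `ln -s … "$out/configuration.nix"` moved in the `@@ -343,7 +333,7 @@` hunk) still run after the validator has checked `$out/${config.boot.bootspec.filename}`. The commit message asserts there are no interdependencies; a one-line comment at the new definition site, e.g. `# Order relative to the bootspec validator is not relied upon.`, would record that assumption where the next reader will look. The `mkRenamedOptionModule` added at `@@ -129,6 +127,7 @@` will emit a rename warning for any out-of-tree module still setting `system.extraSystemBuilderCmds`; since the removed option was `internal = true` (visible in the `@@ -213,15 +212,6 @@` hunk) that is probably acceptable, but a short release-note entry would help anyone who used it despite the internal flag. Both hunks sit inside the `let` / module body that starts and ends outside the diff.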
@@ -213,15 +212,6 @@ in ''; }; - system.extraSystemBuilderCmds = mkOption { - type = types.lines; - internal = true; - default = ""; - description = '' - This code will be added to the builder creating the system store path. - ''; - }; - system.extraDependencies = mkOption { type = types.listOf types.pathInStore; default = [ ];
@@ -343,7 +333,7 @@ in } ]; - system.extraSystemBuilderCmds = + system.systemBuilderCommands = optionalString config.system.copySystemConfiguration '' ln -s '${import ../../../lib/from-env.nix "NIXOS_CONFIG" }' \ "$out/configuration.nix"
diff --git a/nixos/tests/switch-test.nix b/nixos/tests/switch-test.nix
index c01dbc90ec7a..3ff6dcbc4e02 100644
--- a/nixos/tests/switch-test.nix
+++ b/nixos/tests/switch-test.nix
@@ -64,7 +64,7 @@ in boot.loader.grub.enable = false; specialisation = rec { - brokenInitInterface.configuration.config.system.extraSystemBuilderCmds = '' + brokenInitInterface.configuration.config.system.systemBuilderCommands = '' echo "systemd 0" > $out/init-interface-version '';
From 1a41aa87c3f40f7493b3e4da391b2ff3af9ffb24 Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Thu, 13 Nov 2025 22:31:13 +0000
Subject: [PATCH 4/5] linux_6_17: 6.17.7 -> 6.17.8

---
 pkgs/os-specific/linux/kernel/kernels-org.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/os-specific/linux/kernel/kernels-org.json b/pkgs/os-specific/linux/kernel/kernels-org.json
index bcbd01d44244..bd919565e029 100644
--- a/pkgs/os-specific/linux/kernel/kernels-org.json
+++ b/pkgs/os-specific/linux/kernel/kernels-org.json
@@ -30,8 +30,8 @@ "lts": true }, "6.17": { - "version": "6.17.7", - "hash": "sha256:03lxl2p8hvi4hdzbf72v3xh8yigr58826dmy6rqxbq9r8h6ymwnx", + "version": "6.17.8", + "hash": "sha256:1nmi5xmsys023xgy55dikm1ihim7fp7pf2kc3k00d9zwfm5fd3as", "lts": false } }
From 9ffa607fce9e1dbe0061d15e1112b64c69c85ac6 Mon Sep 17 00:00:00 2001
From: zowoq <59103226+zowoq@users.noreply.github.com>
Date: Thu, 13 Nov 2025 22:31:15 +0000
Subject: [PATCH 5/5] linux_6_12: 6.12.57 -> 6.12.58

---
 pkgs/os-specific/linux/kernel/kernels-org.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/os-specific/linux/kernel/kernels-org.json b/pkgs/os-specific/linux/kernel/kernels-org.json
index bd919565e029..62cb8fdd903c 100644
--- a/pkgs/os-specific/linux/kernel/kernels-org.json
+++ b/pkgs/os-specific/linux/kernel/kernels-org.json
@@ -25,8 +25,8 @@ "lts": true }, "6.12": { - "version": "6.12.57", - "hash": "sha256:06jlsawz1wgk13gyxphkglb8a4iiwg0vg5hrfc7bj1s6gk1s2p0n", + "version": "6.12.58", + "hash": "sha256:1b0k8snqa2hhviv9imn02y6jrbbb62an3ypx8q8ai9k0cra4q72z", "lts": true }, "6.17": {