staging-nixos merge for 2025-11-14 (#461577)

2025-11-14 13:26:33 +00:00
parent 04c7e724cf 50360aa196
commit 14dc5ea9de
5 changed files with 13 additions and 19 deletions
--- a/nixos/lib/test-driver/src/test_driver/machine/init.py
+++ b/nixos/lib/test-driver/src/test_driver/machine/init.py
@@ -194,8 +194,7 @@ class StartCommand:


 class NixStartScript(StartCommand):
-    """A start script from nixos/modules/virtualiation/qemu-vm.nix
-    that also satisfies the requirement of the BaseStartCommand.
+    """A start script from nixos/modules/virtualiation/qemu-vm.nix.
    These Nix commands have the particular characteristic that the
    machine name can be extracted out of them via a regex match.
    (Admittedly a _very_ implicit contract, evtl. TODO fix)
--- a/nixos/modules/system/activation/top-level.nix
+++ b/nixos/modules/system/activation/top-level.nix
@@ -53,8 +53,6 @@ let
      ${config.boot.bootspec.writer}
      ${optionalString config.boot.bootspec.enableValidation ''${config.boot.bootspec.validator} "$out/${config.boot.bootspec.filename}"''}
    ''}
-
-    ${config.system.extraSystemBuilderCmds}
  '';

  # Putting it all together.  This builds a store path containing
@@ -129,6 +127,7 @@ in
      [ "system" "replaceRuntimeDependencies" ]
      [ "system" "replaceDependencies" "replacements" ]
    )
+    (mkRenamedOptionModule [ "system" "extraSystemBuilderCmds" ] [ "system" "systemBuilderCommands" ])
  ];

  options = {
@@ -213,15 +212,6 @@ in
      '';
    };

-    system.extraSystemBuilderCmds = mkOption {
-      type = types.lines;
-      internal = true;
-      default = "";
-      description = ''
-        This code will be added to the builder creating the system store path.
-      '';
-    };
-
    system.extraDependencies = mkOption {
      type = types.listOf types.pathInStore;
      default = [ ];
@@ -343,7 +333,7 @@ in
      }
    ];

-    system.extraSystemBuilderCmds =
+    system.systemBuilderCommands =
      optionalString config.system.copySystemConfiguration ''
        ln -s '${import ../../../lib/from-env.nix "NIXOS_CONFIG" <nixos-config>}' \
          "$out/configuration.nix"
--- a/nixos/tests/switch-test.nix
+++ b/nixos/tests/switch-test.nix
@@ -64,7 +64,7 @@ in
        boot.loader.grub.enable = false;

        specialisation = rec {
-          brokenInitInterface.configuration.config.system.extraSystemBuilderCmds = ''
+          brokenInitInterface.configuration.config.system.systemBuilderCommands = ''
            echo "systemd 0" > $out/init-interface-version
          '';

--- a/pkgs/os-specific/linux/kernel/kernels-org.json
+++ b/pkgs/os-specific/linux/kernel/kernels-org.json
@@ -25,13 +25,13 @@
        "lts": true
    },
    "6.12": {
-        "version": "6.12.57",
-        "hash": "sha256:06jlsawz1wgk13gyxphkglb8a4iiwg0vg5hrfc7bj1s6gk1s2p0n",
+        "version": "6.12.58",
+        "hash": "sha256:1b0k8snqa2hhviv9imn02y6jrbbb62an3ypx8q8ai9k0cra4q72z",
        "lts": true
    },
    "6.17": {
-        "version": "6.17.7",
-        "hash": "sha256:03lxl2p8hvi4hdzbf72v3xh8yigr58826dmy6rqxbq9r8h6ymwnx",
+        "version": "6.17.8",
+        "hash": "sha256:1nmi5xmsys023xgy55dikm1ihim7fp7pf2kc3k00d9zwfm5fd3as",
        "lts": false
    }
 }
--- a/pkgs/tools/misc/grub/default.nix
+++ b/pkgs/tools/misc/grub/default.nix
@@ -505,6 +505,11 @@ stdenv.mkDerivation rec {
      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=348cd416a3574348f4255bf2b04ec95938990997";
      hash = "sha256-WBLYQxv8si2tvdPAvbm0/4NNqYWBMJpFV4GC0HhN/kE=";
    })
+    (fetchpatch {
+      name = "CVE-2025-4382.patch";
+      url = "https://git.savannah.gnu.org/cgit/grub.git/patch/?id=c448f511e74cb7c776b314fcb7943f98d3f22b6d";
+      hash = "sha256-64gMhCEW0aYHt46crX/qN/3Hj8MgvWLazgQlVXqe8LE=";
+    })
  ];

  postPatch =