tcp_wrappers: 7.6.q-33 -> 7.6.q-36 and fetch patches from salsa by conatsera · Pull Request #465685 · NixOS/nixpkgs

conatsera · 2025-11-27T17:34:45Z

Patch level 33 is no longer available from Debian mirrors. This also changes to fetch from the Debian salsa gitlab which will prevent this issue from reoccurring. This is an alternate PR to #456509
closes #456509

This also needs to be backported to release-25.11 as this blocks building the ISO from source due to the dependency chain zfs -> nfs-utils -> tcp_wrappers

Things done

Add a 👍 reaction to pull requests you find important.

SuperSandro2000

As a follow up, we could clean up the prePatch and split it into patches and postPatch and use --replace-fail

dotlambda

Follow https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#commit-conventions.

raboof

Seems like a good improvement, thanks. One comment for your consideration, and it might be nice to include the -> notation in the commit message, but otherwise LGTM.

raboof · 2025-11-28T17:51:11Z

pkgs/by-name/tc/tcp_wrappers/package.nix

-  debian = fetchurl {
-    url = "mirror://debian/pool/main/t/tcp-wrappers/tcp-wrappers_${version}.debian.tar.xz";
-    hash = "sha256-Lykjyu4hKDS/DqQ8JAFhKDffHrbJ9W1gjBKNpdaNRew=";
+  src = fetchFromGitLab {


I wonder if it would be slightly better to take src from http://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz and only rely on the Debian repo for the patches

I agree. That would be better.

dotlambda · 2025-11-28T18:39:54Z

Follow https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#commit-conventions.

I changed the PR title to something that would be okay.

conatsera · 2025-11-28T18:41:29Z

I changed the PR title to something that would be okay.

thanks, I was about to ask what you meant because this isn't just version update so it falls into "etc".

Oh whoops, was mid-edit when I amended that. Give me a moment to finish it. I've confirmed porcupine matches what was in debian's salsa

dotlambda · 2025-11-28T18:47:04Z

pkgs/by-name/tc/tcp_wrappers/package.nix

  };

  prePatch = ''
-    tar -xaf $debian
    patches="$(cat debian/patches/series | sed 's,^,debian/patches/,') $patches"


Suggested change

patches="$(cat debian/patches/series | sed 's,^,debian/patches/,') $patches"

patches="$(cat ${debian}/patches/series | sed 's,^,debian/patches/,') $patches"

Actually, this only works if a substituteInPlace below is no longer needed.

dotlambda · 2025-11-28T18:48:16Z

pkgs/by-name/tc/tcp_wrappers/package.nix

  };

  prePatch = ''
-    tar -xaf $debian
    patches="$(cat debian/patches/series | sed 's,^,debian/patches/,') $patches"

    substituteInPlace Makefile --replace STRINGS STRINGDEFS


Is this and the line below still needed? I would be good to use --replace-fail in that case.

Honestly I can't tell you why this substitution is being made, but it is making one functional substitution in both files. I'm inclined to leave it be

conatsera · 2025-11-28T19:25:02Z

If someone could also add the backport 25.11 label that would be appreciated. This is a blocker for building the ISOs unless a user disables zfs

dotlambda · 2025-11-28T20:31:16Z

This is a blocker for building the ISOs unless a user disables zfs

Not anymore I assume since #465984 was merged.

dotlambda · 2025-11-28T20:31:58Z

pkgs/by-name/tc/tcp_wrappers/package.nix

-    url = "mirror://debian/pool/main/t/tcp-wrappers/tcp-wrappers_${vanillaVersion}.orig.tar.gz";
-    sha256 = "0p9ilj4v96q32klavx0phw9va21fjp8vpk11nbh6v2ppxnnxfhwm";
+    url = "http://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz";
+    sha256 = "sha256-lUPXre33im3gsiHMu9GVLgi1E4cX9K3oFAObtImkMV0=";


Suggested change

sha256 = "sha256-lUPXre33im3gsiHMu9GVLgi1E4cX9K3oFAObtImkMV0=";

hash = "sha256-lUPXre33im3gsiHMu9GVLgi1E4cX9K3oFAObtImkMV0=";

@conatsera Mind making this change? Then I'll merge.

conatsera · 2025-11-28T21:31:21Z

This is a blocker for building the ISOs unless a user disables zfs

Not anymore I assume since #465984 was merged.

That PR hasn't backported yet, but yeah that would unblock it too. Not sure how many users of tcp_wrappers there are but I think it's still reasonable to backport this one anyways. The existing package.nix is non-functional as it is.

nixpkgs-ci · 2025-11-29T20:53:28Z

Successfully created backport PR for release-25.11:

[Backport release-25.11] tcp_wrappers: 7.6.q-33 -> 7.6.q-36 and fetch patches from salsa #466371

nixpkgs-ci bot added 10.rebuild-linux: 11-100 This PR causes between 11 and 100 packages to rebuild on Linux. 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 9.needs: reviewer This PR currently has no reviewers requested and needs attention. labels Nov 27, 2025

SuperSandro2000 approved these changes Nov 28, 2025

View reviewed changes

nixpkgs-ci bot added 12.approvals: 1 This PR was reviewed and approved by one person. and removed 9.needs: reviewer This PR currently has no reviewers requested and needs attention. labels Nov 28, 2025

dotlambda requested changes Nov 28, 2025

View reviewed changes

dotlambda requested a review from raboof November 28, 2025 17:38

raboof approved these changes Nov 28, 2025

View reviewed changes

nixpkgs-ci bot added 12.approvals: 2 This PR was reviewed and approved by two persons. and removed 12.approvals: 1 This PR was reviewed and approved by one person. labels Nov 28, 2025

conatsera changed the title ~~tcp_wrappers: update to 36 and fetch src with patches from salsa~~ tcp_wrappers: patch level 33 -> 36 and fetch src with patches from salsa Nov 28, 2025

conatsera force-pushed the tcp_wrappers-update-to-36 branch from 9f295d6 to aef3bb0 Compare November 28, 2025 18:29

dotlambda changed the title ~~tcp_wrappers: patch level 33 -> 36 and fetch src with patches from salsa~~ tcp_wrappers: 7.6.q-33 -> 7.6.q-36 and fetch src with patches from salsa Nov 28, 2025

conatsera force-pushed the tcp_wrappers-update-to-36 branch from aef3bb0 to ae0005e Compare November 28, 2025 18:40

dotlambda reviewed Nov 28, 2025

View reviewed changes

conatsera force-pushed the tcp_wrappers-update-to-36 branch 2 times, most recently from a6abd5b to 110c5c3 Compare November 28, 2025 19:06

nixpkgs-ci bot added 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. and removed 10.rebuild-linux: 11-100 This PR causes between 11 and 100 packages to rebuild on Linux. labels Nov 28, 2025

conatsera requested a review from dotlambda November 28, 2025 19:19

raboof added the backport release-25.11 Backport PR automatically label Nov 28, 2025

dotlambda approved these changes Nov 28, 2025

View reviewed changes

dotlambda changed the title ~~tcp_wrappers: 7.6.q-33 -> 7.6.q-36 and fetch src with patches from salsa~~ tcp_wrappers: 7.6.q-33 -> 7.6.q-36 and fetch src patches from salsa Nov 28, 2025

dotlambda changed the title ~~tcp_wrappers: 7.6.q-33 -> 7.6.q-36 and fetch src patches from salsa~~ tcp_wrappers: 7.6.q-33 -> 7.6.q-36 and fetch patches from salsa Nov 28, 2025

nixpkgs-ci bot added 12.approvals: 3+ This PR was reviewed and approved by three or more persons. and removed 12.approvals: 2 This PR was reviewed and approved by two persons. labels Nov 28, 2025

conatsera force-pushed the tcp_wrappers-update-to-36 branch from 110c5c3 to 0f61c40 Compare November 29, 2025 20:34

tcp_wrappers: 7.6.q-33 -> 7.6.q-36 and fetch patches from salsa

1df3a50

conatsera force-pushed the tcp_wrappers-update-to-36 branch from 0f61c40 to 1df3a50 Compare November 29, 2025 20:35

dotlambda enabled auto-merge November 29, 2025 20:43

dotlambda added this pull request to the merge queue Nov 29, 2025

Merged via the queue into NixOS:master with commit 695c875 Nov 29, 2025
26 of 30 checks passed

nixpkgs-ci bot mentioned this pull request Nov 29, 2025

[Backport release-25.11] tcp_wrappers: 7.6.q-33 -> 7.6.q-36 and fetch patches from salsa #466371

Merged

github-actions bot added the 8.has: port to stable This PR already has a backport to the stable release. label Nov 29, 2025

	patches="$(cat debian/patches/series \| sed 's,^,debian/patches/,') $patches"
	patches="$(cat ${debian}/patches/series \| sed 's,^,debian/patches/,') $patches"

	sha256 = "sha256-lUPXre33im3gsiHMu9GVLgi1E4cX9K3oFAObtImkMV0=";
	hash = "sha256-lUPXre33im3gsiHMu9GVLgi1E4cX9K3oFAObtImkMV0=";

Uh oh!

Conversation

conatsera commented Nov 27, 2025 • edited by dotlambda Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Things done

Uh oh!

SuperSandro2000 left a comment

Choose a reason for hiding this comment

Uh oh!

dotlambda left a comment

Choose a reason for hiding this comment

Uh oh!

raboof left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

dotlambda commented Nov 28, 2025

Uh oh!

conatsera commented Nov 28, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

conatsera commented Nov 28, 2025

Uh oh!

dotlambda commented Nov 28, 2025

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

conatsera commented Nov 28, 2025

Uh oh!

Uh oh!

nixpkgs-ci bot commented Nov 29, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

conatsera commented Nov 27, 2025 •

edited by dotlambda

Loading

conatsera commented Nov 28, 2025 •

edited

Loading