14 files changed, 65 insertions, 53 deletions

diff --git a/nixos/modules/services/networking/mosquitto.nix b/nixos/modules/services/networking/mosquitto.nix
index 4a85b3956dae..10b49d9b2206 100644
--- a/nixos/modules/services/networking/mosquitto.nix
+++ b/nixos/modules/services/networking/mosquitto.nix
@@ -232,6 +232,16 @@ in
         Restart = "on-failure";
         ExecStart = "${pkgs.mosquitto}/bin/mosquitto -c ${mosquittoConf}";
         ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        PrivateDevices = true;
+        PrivateTmp = true;
+        ReadWritePaths = "${cfg.dataDir}";
+        ProtectControlGroups = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        NoNewPrivileges = true;
       };
       preStart = ''
         rm -f ${cfg.dataDir}/passwd
diff --git a/pkgs/applications/editors/jetbrains/default.nix b/pkgs/applications/editors/jetbrains/default.nix
index 9fbab346907d..80528617d64d 100644
--- a/pkgs/applications/editors/jetbrains/default.nix
+++ b/pkgs/applications/editors/jetbrains/default.nix
@@ -268,12 +268,12 @@ in
 
   clion = buildClion rec {
     name = "clion-${version}";
-    version = "2020.2.4"; /* updated by script */
+    version = "2020.2.5"; /* updated by script */
     description  = "C/C++ IDE. New. Intelligent. Cross-platform";
     license = stdenv.lib.licenses.unfree;
     src = fetchurl {
       url = "https://download.jetbrains.com/cpp/CLion-${version}.tar.gz";
-      sha256 = "0xkra8l3ga8qsmzbvfisn99lxm5wxa8c4d4jzljjwn8855bs20a3"; /* updated by script */
+      sha256 = "0j7gxh8wqshn2i1f22bl9099sx8a4092qwkp4fwny4649rbkfyrz"; /* updated by script */
     };
     wmClass = "jetbrains-clion";
     update-channel = "CLion RELEASE"; # channel's id as in http://www.jetbrains.com/updates/updates.xml
@@ -281,12 +281,12 @@ in
 
   datagrip = buildDataGrip rec {
     name = "datagrip-${version}";
-    version = "2020.2.3"; /* updated by script */
+    version = "2020.3"; /* updated by script */
     description = "Your Swiss Army Knife for Databases and SQL";
     license = stdenv.lib.licenses.unfree;
     src = fetchurl {
       url = "https://download.jetbrains.com/datagrip/${name}.tar.gz";
-      sha256 = "0iv1zmdpbqk8f4cjd6dhgj9mrvxli4dg83jzkhv566sy8wrrx7kb"; /* updated by script */
+      sha256 = "1j0mlsiqh80mspi2x9mi0h5hxhg5gw6395hyl9w33q8dxm95mx2d"; /* updated by script */
     };
     wmClass = "jetbrains-datagrip";
     update-channel = "DataGrip RELEASE";
@@ -307,12 +307,12 @@ in
 
   idea-community = buildIdea rec {
     name = "idea-community-${version}";
-    version = "2020.2.3"; /* updated by script */
+    version = "2020.2.4"; /* updated by script */
     description = "Integrated Development Environment (IDE) by Jetbrains, community edition";
     license = stdenv.lib.licenses.asl20;
     src = fetchurl {
       url = "https://download.jetbrains.com/idea/ideaIC-${version}.tar.gz";
-      sha256 = "092swkz7l1p3asrna6fxj6j324sh7pdbgzrlapdwka8kq9y40ajz"; /* updated by script */
+      sha256 = "1rlw01aq6ci46xv4d4877k30309jjws29kwhriy98xf804msyzyb"; /* updated by script */
     };
     wmClass = "jetbrains-idea-ce";
     update-channel = "IntelliJ IDEA RELEASE";
@@ -320,12 +320,12 @@ in
 
   idea-ultimate = buildIdea rec {
     name = "idea-ultimate-${version}";
-    version = "2020.2.3"; /* updated by script */
+    version = "2020.2.4"; /* updated by script */
     description = "Integrated Development Environment (IDE) by Jetbrains, requires paid license";
     license = stdenv.lib.licenses.unfree;
     src = fetchurl {
       url = "https://download.jetbrains.com/idea/ideaIU-${version}-no-jbr.tar.gz";
-      sha256 = "1416ikna169d2hx77yd0bb8hpxkpnf27jgyq5yrgla1w6h1fp1p0"; /* updated by script */
+      sha256 = "05qr8jiasqxmkgi9v52g7hgpdf7pkkjcp42bbkh1f4zgvq81p5py"; /* updated by script */
     };
     wmClass = "jetbrains-idea";
     update-channel = "IntelliJ IDEA RELEASE";
@@ -346,12 +346,12 @@ in
 
   phpstorm = buildPhpStorm rec {
     name = "phpstorm-${version}";
-    version = "2020.2.3"; /* updated by script */
+    version = "2020.2.4"; /* updated by script */
     description = "Professional IDE for Web and PHP developers";
     license = stdenv.lib.licenses.unfree;
     src = fetchurl {
       url = "https://download.jetbrains.com/webide/PhpStorm-${version}.tar.gz";
-      sha256 = "0bdxmxml6337cdpb2amhdqlvxicng50cgzlnmiw0wqnmwj5ihpih"; /* updated by script */
+      sha256 = "111dr1a6695msh13cd484yk671jnh2ps6q1k2dl0kmryk9dqnvhd"; /* updated by script */
     };
     wmClass = "jetbrains-phpstorm";
     update-channel = "PhpStorm RELEASE";
@@ -359,12 +359,12 @@ in
 
   pycharm-community = buildPycharm rec {
     name = "pycharm-community-${version}";
-    version = "2020.2.3"; /* updated by script */
+    version = "2020.2.4"; /* updated by script */
     description = "PyCharm Community Edition";
     license = stdenv.lib.licenses.asl20;
     src = fetchurl {
       url = "https://download.jetbrains.com/python/${name}.tar.gz";
-      sha256 = "0wqhcag32fxqxg6aml2a3d0rpds0d48rgbcl7cp0ah8xj6x72047"; /* updated by script */
+      sha256 = "196hhb4n52a50w50awx01ksyl5dkrbdmnz8sb9di5ihni7043p97"; /* updated by script */
     };
     wmClass = "jetbrains-pycharm-ce";
     update-channel = "PyCharm RELEASE";
@@ -372,12 +372,12 @@ in
 
   pycharm-professional = buildPycharm rec {
     name = "pycharm-professional-${version}";
-    version = "2020.2.3"; /* updated by script */
+    version = "2020.2.4"; /* updated by script */
     description = "PyCharm Professional Edition";
     license = stdenv.lib.licenses.unfree;
     src = fetchurl {
       url = "https://download.jetbrains.com/python/${name}.tar.gz";
-      sha256 = "0g7bki4bzi3a1w3rlwik2w0ma10xb4g450qxm4fr4fp8dy2xaysc"; /* updated by script */
+      sha256 = "0dwd9gvi8n3igza95pil3mf7azxn131830rvfzdvnvrzj9yb2q8l"; /* updated by script */
     };
     wmClass = "jetbrains-pycharm";
     update-channel = "PyCharm RELEASE";
@@ -398,12 +398,12 @@ in
 
   ruby-mine = buildRubyMine rec {
     name = "ruby-mine-${version}";
-    version = "2020.2.3"; /* updated by script */
+    version = "2020.2.4"; /* updated by script */
     description = "The Most Intelligent Ruby and Rails IDE";
     license = stdenv.lib.licenses.unfree;
     src = fetchurl {
       url = "https://download.jetbrains.com/ruby/RubyMine-${version}.tar.gz";
-      sha256 = "03f1z7xhz90j9l8xp3il115yvb15kda0i6ba5ndhby7nf52vnphk"; /* updated by script */
+      sha256 = "0bpkl8phc16yjm7qjfbg42rm7sbfwbrjva7w0qiwiw9ibwvs90id"; /* updated by script */
     };
     wmClass = "jetbrains-rubymine";
     update-channel = "RubyMine RELEASE";
@@ -411,12 +411,12 @@ in
 
   webstorm = buildWebStorm rec {
     name = "webstorm-${version}";
-    version = "2020.2.3"; /* updated by script */
+    version = "2020.2.4"; /* updated by script */
     description = "Professional IDE for Web and JavaScript development";
     license = stdenv.lib.licenses.unfree;
     src = fetchurl {
       url = "https://download.jetbrains.com/webstorm/WebStorm-${version}.tar.gz";
-      sha256 = "1c60k38ai63s4779fs55vaiswfc6bi7ki6p96hrmmkrnpzgsipg5"; /* updated by script */
+      sha256 = "0l97nk9psb8g0sxm148fcz0x2v9mwqblffigrz2rmac3gd275s7f"; /* updated by script */
     };
     wmClass = "jetbrains-webstorm";
     update-channel = "WebStorm RELEASE";
diff --git a/pkgs/applications/networking/browsers/ephemeral/default.nix b/pkgs/applications/networking/browsers/ephemeral/default.nix
index 550076787788..6d8aa3649a90 100644
--- a/pkgs/applications/networking/browsers/ephemeral/default.nix
+++ b/pkgs/applications/networking/browsers/ephemeral/default.nix
@@ -20,13 +20,13 @@
 
 stdenv.mkDerivation rec {
   pname = "ephemeral";
-  version = "6.4.1";
+  version = "7.0.4";
 
   src = fetchFromGitHub {
     owner = "cassidyjames";
     repo = "ephemeral";
     rev = version;
-    sha256 = "1lzcwaczh601kwbx7fzg32nrzlg67asby7p86qy10qz86xf4g608";
+    sha256 = "18chvfdmka21zvjgqfpinm3nrj0ba09szxhhm39anpvpbj92ra8j";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/applications/networking/browsers/google-chrome/default.nix b/pkgs/applications/networking/browsers/google-chrome/default.nix
index f2e10f323305..543d59255472 100644
--- a/pkgs/applications/networking/browsers/google-chrome/default.nix
+++ b/pkgs/applications/networking/browsers/google-chrome/default.nix
@@ -150,10 +150,10 @@ in stdenv.mkDerivation {
     description = "A freeware web browser developed by Google";
     homepage = "https://www.google.com/chrome/browser/";
     license = licenses.unfree;
-    maintainers = with maintainers; [ primeos msteen ];
+    maintainers = with maintainers; [ primeos ];
     # Note from primeos: By updating Chromium I also update Google Chrome and
     # will try to merge PRs and respond to issues but I'm not actually using
-    # Google Chrome. msteen is the actual user/maintainer.
+    # Google Chrome.
     platforms = [ "x86_64-linux" ];
   };
 }
diff --git a/pkgs/applications/networking/datovka/default.nix b/pkgs/applications/networking/datovka/default.nix
index 2e598b1a7639..22bf982ec4cc 100644
--- a/pkgs/applications/networking/datovka/default.nix
+++ b/pkgs/applications/networking/datovka/default.nix
@@ -11,11 +11,11 @@
 
 mkDerivation rec {
   pname = "datovka";
-  version = "4.15.5";
+  version = "4.15.6";
 
   src = fetchurl {
     url = "https://secure.nic.cz/files/datove_schranky/${version}/${pname}-${version}.tar.xz";
-    sha256 = "1mnw1m3wjkw8rfh6fwwrhfmkna6j19pza9cs7kyp8qj1fzzqi8my";
+    sha256 = "1qs1yd9qqsf56jm9w6sffkqb2l8s3i9qgi2q8vd59ss19ym6yky2";
   };
 
   buildInputs = [ libisds qmake qtbase qtsvg libxml2 ];
diff --git a/pkgs/applications/networking/mailreaders/neomutt/default.nix b/pkgs/applications/networking/mailreaders/neomutt/default.nix
index c068357a0f65..cf78da9a5048 100644
--- a/pkgs/applications/networking/mailreaders/neomutt/default.nix
+++ b/pkgs/applications/networking/mailreaders/neomutt/default.nix
@@ -6,14 +6,14 @@
 }:
 
 stdenv.mkDerivation rec {
-  version = "20201120";
+  version = "20201127";
   pname = "neomutt";
 
   src = fetchFromGitHub {
     owner  = "neomutt";
     repo   = "neomutt";
     rev    = version;
-    sha256 = "0z6xavgd0zv9pqvfsdyvhhi1q3y7zxhgg24isbnn9r6mldafqwna";
+    sha256 = "sha256-BkDGKZmpwahDw1vD67CyWfxD93H83kcpv5JBGVL5F/o=";
   };
 
   buildInputs = [
diff --git a/pkgs/applications/science/logic/z3/default.nix b/pkgs/applications/science/logic/z3/default.nix
index dd71cf2cb1a8..48512eff5300 100644
--- a/pkgs/applications/science/logic/z3/default.nix
+++ b/pkgs/applications/science/logic/z3/default.nix
@@ -60,7 +60,7 @@ stdenv.mkDerivation rec {
     description = "A high-performance theorem prover and SMT solver";
     homepage    = "https://github.com/Z3Prover/z3";
     license     = stdenv.lib.licenses.mit;
-    platforms   = stdenv.lib.platforms.x86_64;
+    platforms   = stdenv.lib.platforms.unix;
     maintainers = with stdenv.lib.maintainers; [ thoughtpolice ttuegel ];
   };
 }
diff --git a/pkgs/desktops/enlightenment/evisum/default.nix b/pkgs/desktops/enlightenment/evisum/default.nix
index fef15ce79fe5..f89ff2cee305 100644
--- a/pkgs/desktops/enlightenment/evisum/default.nix
+++ b/pkgs/desktops/enlightenment/evisum/default.nix
@@ -2,11 +2,11 @@
 
 stdenv.mkDerivation rec {
   pname = "evisum";
-  version = "0.5.7";
+  version = "0.5.8";
 
   src = fetchurl {
     url = "https://download.enlightenment.org/rel/apps/${pname}/${pname}-${version}.tar.xz";
-    sha256 = "0pm63n3rls8vkjv3awq0f3zlqk33ddql3g0rl2bc46n48g2mcmbd";
+    sha256 = "0cg4vqd069h89k3wrvl550p29y3yzbdnvii58gwc8rghwym621jx";
   };
 
   nativeBuildInputs = [
diff --git a/pkgs/development/libraries/cimg/default.nix b/pkgs/development/libraries/cimg/default.nix
index 400326f6fcaf..61d3996a4f5b 100644
--- a/pkgs/development/libraries/cimg/default.nix
+++ b/pkgs/development/libraries/cimg/default.nix
@@ -2,13 +2,13 @@
 
 stdenv.mkDerivation rec {
   pname = "cimg";
-  version = "2.9.3";
+  version = "2.9.4";
 
   src = fetchFromGitHub {
     owner = "dtschump";
     repo = "CImg";
     rev = "v.${version}";
-    sha256 = "1pkjbwpi0047lbc55cva99rj6p70gbw09l14vrym0igwipnxxx0z";
+    sha256 = "1sb0z5ryh34y80ghlr2agsl64gayjmxpl96l9fjaylf5k2m3fg2b";
   };
 
   installPhase = ''
diff --git a/pkgs/development/tools/ammonite/default.nix b/pkgs/development/tools/ammonite/default.nix
index c3a578f18b8c..20b26437e75f 100644
--- a/pkgs/development/tools/ammonite/default.nix
+++ b/pkgs/development/tools/ammonite/default.nix
@@ -9,7 +9,7 @@ let
   common = { scalaVersion, sha256 }:
     stdenv.mkDerivation rec {
       pname = "ammonite";
-      version = "2.2.0";
+      version = "2.3.8";
 
       src = fetchurl {
         url =
@@ -23,7 +23,7 @@ let
         install -Dm755 $src $out/bin/amm
         sed -i '0,/java/{s|java|${jre}/bin/java|}' $out/bin/amm
       '' + optionalString (disableRemoteLogging) ''
-        sed -i '0,/ammonite.Main/{s|ammonite.Main|ammonite.Main --no-remote-logging|}' $out/bin/amm
+        sed -i "0,/ammonite.Main/{s|ammonite.Main'|ammonite.Main' --no-remote-logging|}" $out/bin/amm
         sed -i '1i #!/bin/sh' $out/bin/amm
       '';
 
@@ -75,10 +75,10 @@ let
 in {
   ammonite_2_12 = common {
     scalaVersion = "2.12";
-    sha256 = "9xe4GT5YpVCtDPaZvi9PZwFW/wcNhg+QCdbJ4Tl2lFk=";
+    sha256 = "1kzk0437h2wd9jhwkvjkiaj6mscz4bh85iv266x9zz4zssb355hs";
   };
   ammonite_2_13 = common {
     scalaVersion = "2.13";
-    sha256 = "KRwh2YOcHpXLA9BlBKzkc9oswdOQbcm3WVqgYaGyi4A=";
+    sha256 = "0js84m6yqjd7d77md38z6nk3qzlm1ms8brzczaw05zq2c90pdbz7";
   };
 }
diff --git a/pkgs/os-specific/linux/autofs/default.nix b/pkgs/os-specific/linux/autofs/default.nix
index baf3cc6ad55e..ab78c590017f 100644
--- a/pkgs/os-specific/linux/autofs/default.nix
+++ b/pkgs/os-specific/linux/autofs/default.nix
@@ -1,5 +1,5 @@
 { stdenv, fetchurl, flex, bison, linuxHeaders, libtirpc, mount, umount, nfs-utils, e2fsprogs
-, libxml2, kerberos, kmod, openldap, sssd, cyrus_sasl, openssl }:
+, libxml2, kerberos, kmod, openldap, sssd, cyrus_sasl, openssl, rpcsvc-proto }:
 
 let
   version = "5.1.6";
@@ -28,13 +28,16 @@ in stdenv.mkDerivation {
     unset STRIP # Makefile.rules defines a usable STRIP only without the env var.
   '';
 
+  # configure script is not finding the right path
+  NIX_CFLAGS_COMPILE = [ "-I${libtirpc.dev}/include/tirpc" ];
+
   installPhase = ''
     make install SUBDIRS="lib daemon modules man" # all but samples
     #make install SUBDIRS="samples" # impure!
   '';
 
   buildInputs = [ linuxHeaders libtirpc libxml2 kerberos kmod openldap sssd
-                  openssl cyrus_sasl ];
+                  openssl cyrus_sasl rpcsvc-proto ];
 
   nativeBuildInputs = [ flex bison ];
 
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 94558b890de1..47e49dbe01d7 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -775,6 +775,8 @@ let
       X86_CHECK_BIOS_CORRUPTION = yes;
       X86_MCE                   = yes;
 
+      RAS = yes; # Needed for EDAC support
+
       # Our initrd init uses shebang scripts, so can't be modular.
       BINFMT_SCRIPT = yes;
       # For systemd-binfmt
diff --git a/pkgs/servers/http/nginx/mainline.nix b/pkgs/servers/http/nginx/mainline.nix
index 7b7de1a00f4a..edb87258d6b7 100644
--- a/pkgs/servers/http/nginx/mainline.nix
+++ b/pkgs/servers/http/nginx/mainline.nix
@@ -1,6 +1,6 @@
 { callPackage, ... }@args:
 
 callPackage ./generic.nix args {
-  version = "1.19.4";
-  sha256 = "03h0hhrbfy3asla9gki2cp97zjn7idxbp5lk9xi0snlh4xlm9pv1";
+  version = "1.19.5";
+  sha256 = "173rv8gacd9bakb0r9jmkr4pqgjw9mzpdh3f7x2d8ln4ssplc2jw";
 }
diff --git a/pkgs/tools/typesetting/tex/nix/run-latex.sh b/pkgs/tools/typesetting/tex/nix/run-latex.sh
index 7a5767f9c063..3f8a16580ea5 100644
--- a/pkgs/tools/typesetting/tex/nix/run-latex.sh
+++ b/pkgs/tools/typesetting/tex/nix/run-latex.sh
@@ -41,7 +41,11 @@ showError() {
     exit 1
 }
 
+pass=0
+
 runLaTeX() {
+    ((pass=pass+1))
+    echo "PASS $pass..."
     if ! $latex $latexFlags $rootName >$tmpFile 2>&1; then showError; fi
     runNeeded=
     if fgrep -q \
@@ -51,6 +55,7 @@ runLaTeX() {
         "$tmpFile"; then
         runNeeded=1
     fi
+    echo
 }
 
 echo
@@ -61,10 +66,7 @@ if test -n "$copySources"; then
 fi
 
 
-echo "PASS 1..."
 runLaTeX
-echo
-
 
 for auxFile in $(find . -name "*.aux"); do
     # Run bibtex to process all bibliographies.  There may be several
@@ -89,11 +91,8 @@ for auxFile in $(find . -name "*.aux"); do
     fi
 done
 
-
 if test "$runNeeded"; then
-    echo "PASS 2..."
     runLaTeX
-    echo
 fi
 
 
@@ -105,20 +104,18 @@ if test -f $rootNameBase.idx; then
     makeindex $makeindexFlags $rootNameBase.idx
     runNeeded=1
     echo
-fi    
-
+fi
 
-if test "$runNeeded"; then
-    echo "PASS 3..."
+# We check that pass is less than 2 to catch situations where the document is
+# simple enough (no bibtex, etc.) so that it would otherwise require only one
+# pass but also contains a ToC.
+# In essence this check ensures that we do at least two passes on all documents.
+if test "$runNeeded" = 1 -o "$pass" -lt 2 ; then
     runLaTeX
-    echo
 fi
 
-
 if test "$runNeeded"; then
-    echo "PASS 4..."
     runLaTeX
-    echo
 fi