Unverified commit 1779f9e0 authored by Vladimír Čunát

staging-next 2025-08-30 (#438642)

parents ce7cf56a 1e854902
+41 −8
@@ -42,12 +42,43 @@ The manpages must have a section suffix, and may optionally be compressed (with
{
  nativeBuildInputs = [ installShellFiles ];

  # Sometimes the manpage file has an undesirable name; e.g., it conflicts with
  # another software with an equal name. It should be renamed before being
  # installed via installManPage
  # Sometimes the manpage file has an undersirable name; e.g., it conflicts with
  # another software with an equal name. To install it with a different name,
  # the installed name must be provided before the path to the file.
  #
  # Below install a manpage "foobar.1" from the source file "./foobar.1", and
  # also installs the manpage "fromsea.3" from the source file "./delmar.3".
  postInstall = ''
    mv fromsea.3 delmar.3
    installManPage foobar.1 delmar.3
    installManPage \
        foobar.1 \
        --name fromsea.3 delmar.3
  '';
}
```

The manpage may be the result of a piped input (e.g. `<(cmd)`), in which
case the name must be provided before the pipe with the `--name` flag.

```nix
{
  nativeBuildInputs = [ installShellFiles ];

  postInstall = ''
    installManPage --name foobar.1 <($out/bin/foobar --manpage)
  '';
}
```

If no parsing of arguments is desired, pass `--` to opt-out of all subsequent
arguments.

```nix
{
  nativeBuildInputs = [ installShellFiles ];

  # Installs a manpage from a file called "--name"
  postInstall = ''
    installManPage -- --name
  '';
}
```
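
Review bot: The final example, `installManPage -- --name`, installs a file that has no section suffix, which conflicts with the rule quoted at the top of this hunk that manpages must have one. Use a source file name that still starts with dashes but carries a section, so the example shows `--` handling and nothing else. Two smaller points in the first example's comment: "undersirable" is a typo that the removed line did not have, and "Below install a manpage" should read "The example below installs the manpage". The piped example also runs `$out/bin/foobar` during the build; the completion section tells readers to guard generation commands against failure, and the same advice should be repeated or linked here.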
@@ -58,8 +89,8 @@ The `installShellCompletion` function takes one or more paths to shell
completion files.

By default it will autodetect the shell type from the completion file extension,
but you may also specify it by passing one of `--bash`, `--fish`, or
`--zsh`. These flags apply to all paths listed after them (up until another
but you may also specify it by passing one of `--bash`, `--fish`, `--zsh`, or
`--nushell`. These flags apply to all paths listed after them (up until another
shell flag is given). Each path may also have a custom installation name
provided by providing a flag `--name NAME` before the path. If this flag is not
provided, zsh completions will be renamed automatically such that `foobar.zsh`
@@ -77,9 +108,10 @@ zsh).
    # explicit behavior
    installShellCompletion --bash --name foobar.bash share/completions.bash
    installShellCompletion --fish --name foobar.fish share/completions.fish
    installShellCompletion --nushell --name foobar share/completions.nu
    installShellCompletion --zsh --name _foobar share/completions.zsh
    # implicit behavior
    installShellCompletion share/completions/foobar.{bash,fish,zsh}
    installShellCompletion share/completions/foobar.{bash,fish,zsh,nu}
  '';
}
```
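
Review bot: In the explicit-behavior lines the Nushell completion is installed with `--name foobar`, with no extension, while bash and fish use `foobar.bash` and `foobar.fish` and the implicit line uses a `.nu` source file. The surrounding prose explains automatic renaming only for zsh, so a reader cannot tell what the installed Nushell file is called or whether an extension is added for them. Add a sentence or an inline comment stating the installed name for Nushell.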
@@ -104,6 +136,7 @@ failure. To prevent this, guard the completion generation commands.
    installShellCompletion --cmd foobar \
      --bash <($out/bin/foobar --bash-completion) \
      --fish <($out/bin/foobar --fish-completion) \
      --nushell <($out/bin/foobar --nushell-completion) \
      --zsh <($out/bin/foobar --zsh-completion)
  '';
}
+6 −0
@@ -192,6 +192,12 @@ Specifies the contents of the `go.sum` file and triggers rebuilds when it change

Defaults to `null`

### `buildTestBinaries` {#var-go-buildTestBinaries}

This option allows to compile test binaries instead of the usual binaries produced by a package.
Go can [compile test into binaries](https://pkg.go.dev/cmd/go#hdr-Test_packages) using the `go test -c` command.
These binaries can then be executed at a later point (outside the Nix sandbox) to run the tests.
This is mostly useful for downstream consumers to run integration or end-to-end tests that won't work in the Nix sandbox, for example because they require network access.

## Versioned toolchains and builders {#ssec-go-toolchain-versions}
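
Review bot: The new `buildTestBinaries` section states neither the option's type nor its default, while the option directly above it ends with "Defaults to `null`"; add the same line here so the entry matches its neighbours. Since the text says these binaries are meant to be run outside the Nix sandbox, it would also help to say where they are placed in the output. Wording: "allows to compile" should be "allows compiling", and "compile test into binaries" should be "compile tests into binaries".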

+6 −0
@@ -574,6 +574,9 @@
  "strictflexarrays3": [
    "index.html#strictflexarrays3"
  ],
  "glibcxxassertions": [
    "index.html#glibcxxassertions"
  ],
  "tester-shfmt": [
    "index.html#tester-shfmt"
  ],
@@ -622,6 +625,9 @@
  "typst-package-scope-and-usage": [
    "index.html#typst-package-scope-and-usage"
  ],
  "var-go-buildTestBinaries": [
    "index.html#var-go-buildTestBinaries"
  ],
  "var-meta-teams": [
    "index.html#var-meta-teams"
  ],
+10 −0
@@ -22,6 +22,8 @@

- The `offrss` package was removed due to lack of upstream maintenance since 2012. It's recommended for users to migrate to another RSS reader

- `installShellFiles`: Allow installManPage to take a piped input, add the `--name` flag for renaming the file when installed. Can also append `--` to opt-out of all subsequent parsing.

- GCC 9, 10, 11, and 12 have been removed, as they have reached end‐of‐life upstream and are no longer supported.

- GHCJS 8.10, exposed via `haskell.compiler.ghcjs` and `haskell.compiler.ghcjs810`, has been removed. Downstream users should migrate their projects to the new JavaScript backend of GHC proper which can be used via `pkgsCross.ghcjs` from Nixpkgs. Haskell packaging code, like `haskellPackages.mkDerivation`, `ghcWithPackages` and `hoogleWithPackages`, also no longer supports GHCJS.
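
Review bot: In the `installShellFiles` entry, "Can also append `--`" suggests the marker goes at the end of the command, but the documentation example in this commit is `installManPage -- --name`, where `--` comes before the arguments it affects. Reword to "pass `--` to opt out of parsing all subsequent arguments", matching the manual text. The entry would also read better with `installManPage` in backticks, like the other identifiers in this list.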
@@ -50,6 +52,8 @@

- `kbd` package's `outputs` now include a `man` and `scripts` outputs. The `unicode_start` and `unicode_stop` Bash scripts are now part of the `scripts` output, allowing most usages of the `kbd` package to not pull in `bash`.

- `spidermonkey_91` has been removed, as it has been EOL since September 2022.

- `cudaPackages.cudatoolkit-legacy-runfile` has been removed.

- `conduwuit` was removed due to upstream ceasing development and deleting their repository. For existing data, a migration to `matrix-conduit`, `matrix-continuwuity` or `matrix-tuwunel` may be possible.
@@ -64,6 +68,8 @@

- `gnome-keyring` no longer ships with an SSH agent anymore because it has been deprecated upstream. You should use `gcr_4` instead, which provides the same features. More information on why this was done can be found on [the relevant GCR upstream PR](https://gitlab.gnome.org/GNOME/gcr/-/merge_requests/67).

- `python3Full` and its versioned attributes (python3xxFull) have been removed. Bluetooth support is now enabled in the default python3 attributes. The X11 support built the tkinter module, which is available as a dedicated attribute on the package set.

- `stdenv.mkDerivation` and other derivation builders that use it no longer allow the value of `env` to be anything but an attribute set, for the purpose of setting environment variables that are available to the [builder](https://nix.dev/manual/nix/latest/store/derivation/#builder) process. An environment variable called `env` can still be provided by means of `mkDerivation { env.env = ...; }`, though we recommend to use a more specific name than "env".

- The default Android NDK version has been raised to 27, and the default SDK version to 35.
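
Review bot: The `python3Full` entry says the tkinter module "is available as a dedicated attribute on the package set" without naming that attribute, so users who relied on `python3Full` for tkinter have no migration target. Name the attribute explicitly. "The X11 support built the tkinter module" is also hard to parse; say directly that the X11 support existed to build tkinter.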
@@ -155,6 +161,8 @@

- [`homebox` 0.20.0](https://github.com/sysadminsmedia/homebox/releases/tag/v0.20.0) changed how assets are stored and hashed. It is recommended to back up your database before this update.

- `installShellCompletion`: now supports Nushell completion files

- New hardening flags, `strictflexarrays1` and `strictflexarrays3` were made available, corresponding to the gcc/clang options `-fstrict-flex-arrays=1` and `-fstrict-flex-arrays=3` respectively.

- `gramps` has been updated to 6.0.0
@@ -171,6 +179,8 @@
- `searx` was updated to use `envsubst` instead of `sed` for parsing secrets from environment variables.
  If your previous configuration included a secret reference like `server.secret_key = "@SEARX_SECRET_KEY@"`, you must migrate to the new envsubst syntax: `server.secret_key = "$SEARX_SECRET_KEY"`.

- A new hardening flag, `glibcxxassertions` was made available, corresponding to the glibc `_GLIBCXX_ASSERTIONS` option.

- `versionCheckHook`: Packages that previously relied solely on `pname` to locate the program used to version check, but have a differing `meta.mainProgram` entry, might now fail.
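
Review bot: The `glibcxxassertions` entry calls `_GLIBCXX_ASSERTIONS` a "glibc" option, but the manual section added in this same commit says the flag "only has an effect on libstdc++ targets". Change "glibc" to "libstdc++" so the release note and the manual agree. The comma placement should also match the `strictflexarrays` entry style: "A new hardening flag, `glibcxxassertions`, was made available".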


+6 −0
@@ -1682,6 +1682,12 @@ This should be turned off or fixed for build errors such as:
sorry, unimplemented: __builtin_clear_padding not supported for variable length aggregates
```

#### `glibcxxassertions` {#glibcxxassertions}

Adds the `-D_GLIBCXX_ASSERTIONS` compiler flag. This flag only has an effect on libstdc++ targets, and when defined, enables extra error checking in the form of precondition assertions, such as bounds checking in c++ strings and null pointer checks when dereferencing c++ smart pointers.

These checks may have an impact on performance in some cases.

#### `pacret` {#pacret}

This flag adds the `-mbranch-protection=pac-ret` compiler option on aarch64-linux targets. This uses ARM v8.3's Pointer Authentication feature to sign function return pointers before adding them to the stack. The pointer's authenticity is then validated before returning to its destination. This dramatically increases the difficulty of ROP exploitation techniques.
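
Review bot: The `glibcxxassertions` section does not say whether the flag is enabled by default or must be opted into, which is the first thing a packager hitting a new assertion failure will look for; the release note only says it "was made available". State the default, and describe what a failed assertion does at run time so the performance caveat has context. "c++ strings" and "c++ smart pointers" should be written "C++".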