Unverified commit 701f3114, authored by Vladimír Čunát, committed by GitHub

staging-next 2026-01-12 (#479279)

parents 70801e06 87100a80
+1 −1
@@ -434,7 +434,7 @@ pkgs/by-name/fo/forgejo/ @adamcstephens @bendlas @emilylange

# Node.js
/pkgs/build-support/node/build-npm-package      @winterqt
/pkgs/build-support/node/fetch-npm-deps         @winterqt
/pkgs/build-support/node/prefetch-npm-deps      @winterqt
/doc/languages-frameworks/javascript.section.md @winterqt
/pkgs/development/tools/pnpm                    @Scrumplex @gepbird
/pkgs/build-support/node/fetch-pnpm-deps        @Scrumplex @gepbird
+12 −0
@@ -742,6 +742,18 @@ lib.mapAttrs mkLicense (
      fullName = "Historical Permission Notice and Disclaimer - sell xserver variant with MIT disclaimer";
    };

    hpndSellVariantSafetyClause = {
      fullName = "HPND - sell variant with safety critical systems clause";
      url = "https://gitlab.freedesktop.org/xorg/driver/xf86-video-voodoo/-/blob/68a5b6d98ae34749cca889f4373b4043d00bfe6a/src/voodoo_dga.c#L12-33";
      # TODO: if the license gets accepted to spdx then
      #   add spdxId
      # else
      #   remove license
      #   && replace reference with whatever this license is supposed to be then
      # https://github.com/spdx/license-list-XML/issues/2922
      # spdxId = "HPND-sell-variant-safety-clause";
    };

    hpndDec = {
      fullName = "Historical Permission Notice and Disclaimer - DEC variant";
      spdxId = "HPND-DEC";
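Review bot: `hpndSellVariantSafetyClause` sets only `fullName` and `url`, so its freeness is whatever `mkLicense` defaults to. For a license whose distinguishing feature is a safety-critical-systems clause, state that value explicitly in the entry so the classification is a reviewed decision, not an inherited default. The TODO is also written as pseudo-code (`if ... else ... &&`); a plain sentence that names the condition, with the spdx/license-list-XML issue link on the same line, is easier to find and act on later.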
+0 −3
@@ -85,7 +85,6 @@ rec {
        BLK_DEV_DM m
        DM_CRYPT m
        MD y
        REISERFS_FS m
        BTRFS_FS m
        XFS_FS m
        JFS_FS m
@@ -430,7 +429,6 @@ rec {
        BLK_DEV_DM m
        DM_CRYPT m
        MD y
        REISERFS_FS m
        EXT4_FS m
        USB_STORAGE_CYPRESS_ATACB m

@@ -475,7 +473,6 @@ rec {
        FRAMEBUFFER_CONSOLE y
        EXT2_FS y
        EXT3_FS y
        REISERFS_FS y
        MAGIC_SYSRQ y

        # The kernel doesn't boot at all, with FTRACE
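Review bot: `REISERFS_FS y` in this hunk was built in (the other two hunks had it as `m`), so a system on this platform with a ReiserFS root loses the ability to mount it, and none of the three hunks records why the option is dropped. The neighbouring FTRACE line shows the file's convention of explaining such choices in a comment; add the reason here or in the release notes so users of these platform configs know the removal is intentional.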
+45 −2
@@ -11,10 +11,53 @@ These are called "bootstrap files".

Bootstrap files should always be fetched from hydra and uploaded to `tarballs.nixos.org` to guarantee that all the binaries were built from the code committed into `nixpkgs` repository.

The uploads to `tarballs.nixos.org` are done by `@lovesegfault` today.
The uploads to `tarballs.nixos.org` are done by `@NixOS/infra` team members who have S3 write access.

This document describes the procedure of updating bootstrap files in `nixpkgs`.

## How to upload bootstrap files (for infra team)

When a PR updates bootstrap files, the commit message contains the upload commands.
Infra team members with S3 access can upload as follows:

1. Clone or navigate to the [nixos-infra](https://github.com/NixOS/nixos-infra) repository and enter the `terraform` directory:

   ```
   $ cd nixos-infra/terraform
   ```

2. Authenticate with AWS SSO:

   ```
   $ aws sso login
   ```

3. Realize the build output locally (fetch from hydra cache):

   ```
   $ nix-store --realize /nix/store/<hash>-stdenv-bootstrap-tools
   ```

4. Upload to S3 with public-read ACL:

   ```
   $ aws s3 cp --recursive --acl public-read \
       /nix/store/<hash>-stdenv-bootstrap-tools/on-server/ \
       s3://nixpkgs-tarballs/stdenv/<target>/<nixpkgs-revision>/
   ```

5. Verify the upload by downloading and checking hashes:

   ```
   $ aws s3 cp --recursive s3://nixpkgs-tarballs/stdenv/<target>/<nixpkgs-revision>/ ./
   $ sha256sum bootstrap-tools.tar.xz busybox
   $ sha256sum /nix/store/<hash>-stdenv-bootstrap-tools/on-server/*
   ```

   Compare these hashes with those shown in the PR's commit message.

The exact paths and hashes are provided in each bootstrap update commit message generated by `refresh-tarballs.bash`.

## How to request the bootstrap seed update

To get the tarballs updated let's use an example `i686-unknown-linux-gnu` target:
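Review bot: the hash check in step 5 runs only after step 4 has already published the files with `--acl public-read`, so a wrong or unexpected store path is public before anyone compares it with the commit message. Move the `sha256sum /nix/store/<hash>-stdenv-bootstrap-tools/on-server/*` comparison to between steps 3 and 4, and keep the post-upload download as a second check. Step 5 also downloads into `./`, which after step 1 is `nixos-infra/terraform`; point it at a temporary directory so the tarballs cannot end up in that working tree. The intro line says uploads are done by `@NixOS/infra` members, which should match the handle used in the request section.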
@@ -34,7 +77,7 @@ To get the tarballs updated let's use an example `i686-unknown-linux-gnu` target
   To validate cross-targets `binfmt` `NixOS` helper can be useful.
   For `riscv64-unknown-linux-gnu` the `/etc/nixos/configuration.nix` entry would be `boot.binfmt.emulatedSystems = [ "riscv64-linux" ]`.

3. Propose the commit as a PR to update bootstrap tarballs, tag people who can help you test the updated architecture and once reviewed tag `@lovesegfault` to upload the tarballs.
3. Propose the commit as a PR to update bootstrap tarballs, tag people who can help you test the updated architecture and once reviewed tag `@NixOS/infra-build` to upload the tarballs.

## How to add bootstrap files for a new target
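Review bot: step 3 now tells contributors to tag `@NixOS/infra-build`, while the first hunk of this file says uploads are done by `@NixOS/infra` team members with S3 write access. If these are different teams, say which one actually holds the write access and use that handle in both places; if `infra-build` is the subset that has it, the intro sentence should name it too.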

+38 −0
@@ -120,3 +120,41 @@ of pulling the upstream container image from Docker Hub. If you want the old beh
- `services.openssh` now supports generating host SSH keys by setting `services.openssh.generateHostKeys = true` while leaving `services.openssh.enable` disabled.  This is particularly useful for systems that have no need of an SSH daemon but want SSH host keys for other purposes such as using agenix or sops-nix.

- `services.slurm` now supports slurmrestd usage through the `services.slurm.rest` NixOS options.

- `glibc` has been updated to version 2.42.

  This version no longer makes the stack executable when a shared library requires this. A symptom
  is an error like

  > cannot enable executable stack as shared object requires: Invalid argument

  This is usually a bug. Please consider reporting it to the software maintainers.

  In a lot of cases, the library requires the execstack by mistake only. The following workarounds exist:

  * When building the shared library in question from source, use the following linker flags to force turning off the
    executable flag:

    ```nix
    mkDerivation {
      # …

      env.NIX_LDFLAGS = "-z,noexecstack";
    }
    ```

  * If the sources are not available, the execstack-flag can be cleared with `patchelf`:

    ```
    patchelf --clear-execstack binary-only.so
    ```

  * If the shared library to be loaded actually requires an executable stack and it isn't turned
    on by the application loading it, you may force allowing that behavior by setting the
    following environment variable:

    ```
    GLIBC_TUNABLES=glibc.rtld.execstack=2
    ```

    **Do not set this globally!** This makes your setup inherently less secure.
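Review bot: `env.NIX_LDFLAGS = "-z,noexecstack";` in the first workaround uses the comma form that normally follows `-Wl,` on a compiler command line. If `NIX_LDFLAGS` is handed to the linker directly, the flag should be written `-z noexecstack`, otherwise the linker may not recognise the option and the stack stays executable without any build failure. Please confirm which form takes effect and, since this is a hardening workaround, add a one-line way to verify the result on the built library. The `patchelf` and `GLIBC_TUNABLES` fences also lack a language tag, unlike the `nix` one above them.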