Merge fort-nix/nix-bitcoin#819: Update nixpkgs

e6e3a13dbb work around CVE-2024-23342 for pkgs `hwi`, `trezor` (Erik Arvstedt) c4cd252753 update nixpkgs (Erik Arvstedt) Pull request description: ACKs for top commit: jonasnick: ACK e6e3a13dbb Tree-SHA512: f0f5bcbe0ea28f5870aed7bd983904fe3d57aedad45955835ace1fb151f48f169977f453d41a071b60e0e27af6fc92572c629627dfc8d81012c0bb4241a7f459
2025-11-24 12:50:16 +00:00 · 2025-11-24 12:50:16 +00:00 · f1ebb5d2cd
commit f1ebb5d2cd
parent b217b6019c e6e3a13dbb
6 changed files with 27 additions and 9 deletions
--- a/flake.lock
+++ b/flake.lock
@ -44,11 +44,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1761016216,
+        "lastModified": 1763622513,
-        "narHash": "sha256-G/iC4t/9j/52i/nm+0/4ybBmAF4hzR8CNHC75qEhjHo=",
+        "narHash": "sha256-1jQnuyu82FpiSxowrF/iFK6Toh9BYprfDqfs4BB+19M=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "481cf557888e05d3128a76f14c76397b7d7cc869",
+        "rev": "c58bc7f5459328e4afac201c5c4feb7c818d604b",
        "type": "github"
      },
      "original": {
@ -60,11 +60,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1760965567,
+        "lastModified": 1763618868,
-        "narHash": "sha256-0JDOal5P7xzzAibvD0yTE3ptyvoVOAL0rcELmDdtSKg=",
+        "narHash": "sha256-v5afmLjn/uyD9EQuPBn7nZuaZVV9r+JerayK/4wvdWA=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "cb82756ecc37fa623f8cf3e88854f9bf7f64af93",
+        "rev": "a8d610af3f1a5fb71e23e08434d8d61a466fc942",
        "type": "github"
      },
      "original": {
--- a/modules/hardware-wallets.nix
+++ b/modules/hardware-wallets.nix
@ -62,7 +62,7 @@ in {
      });
    })
    (mkIf cfg.trezor {
-      environment.systemPackages = [ pkgs.python3.pkgs.trezor ];
+      environment.systemPackages = [ config.nix-bitcoin.pkgs.pyPkgs.nbPython3PackagesWithUnlockedEcdsa.trezor ];
      # Don't use rules from nixpkgs because we want to use our own group.
      services.udev.packages = lib.singleton (pkgs.writeTextFile {
        name = "trezord-udev-rules";
--- a/pkgs/clnrest/default.nix
+++ b/pkgs/clnrest/default.nix
@ -11,7 +11,7 @@ rustPlatform.buildRustPackage rec {
  inherit (clightning) src;
-  cargoHash = "sha256-UxMXBO/rpanNU8vz8y4V5wSbCNHKYmVXtoGRpOqI+A0=";
+  cargoHash = "sha256-2xOLwj42Ua85+kn73y+5q3YmzKYMCjxLlq/UrYjiZv0=";
  depsExtraArgs = {
    nativeBuildInputs = [ unzip ];
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -26,6 +26,7 @@ let self = {
  trustedcoin = pkgs.callPackage ./trustedcoin { };
  bitcoind_29 = pkgs.callPackage ./bitcoind_29 {};
  inherit (self.pyPkgs.nbPython3PackagesWithUnlockedEcdsa) hwi;
  pyPkgs = import ./python-packages self pkgs.python3;
  inherit (self.pyPkgs)
--- a/pkgs/pinned.nix
+++ b/pkgs/pinned.nix
@ -5,7 +5,6 @@ pkgs: pkgsUnstable:
    elementsd
    extra-container
    fulcrum
    hwi
    lightning-pool
    lndconnect;
--- a/pkgs/python-packages/default.nix
+++ b/pkgs/python-packages/default.nix
@ -33,4 +33,22 @@ rec {
  }).pkgs;
  nbPython3PackagesJoinmarket = nbPython3Packages;
  # Re-enable pkgs `hwi`, `trezor` that are unaffected by `CVE-2024-23342` because
  # they don't use python pkg `ecdsa` for signing.
  # These packages no longer evaluate in nixpkgs after `ecdsa` was tagged with this CVE.
  nbPython3PackagesWithUnlockedEcdsa = let
    python3PackagesWithUnlockedEcdsa = (python3.override {
      packageOverrides = self: super: {
        ecdsa = super.ecdsa.overrideAttrs (old: {
          meta = old.meta // {
            knownVulnerabilities = builtins.filter (x: x != "CVE-2024-23342") old.meta.knownVulnerabilities;
          };
        });
      };
    }).pkgs;
  in {
    hwi = with python3PackagesWithUnlockedEcdsa; toPythonApplication hwi;
    inherit (python3PackagesWithUnlockedEcdsa) trezor;
  };
 }