[25.11] cosmic-greeter: apply upstream patch for security hardening #505350

Merged: Lassulus merged 1 commit into NixOS:release-25.11 from a-kenji:backport-499524-to-release-25.11 on Mar 31, 2026

@a-kenji (Member) commented Mar 31, 2026

(cherry picked from commit 64db9dd)

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

@github-actions bot (Contributor) left a comment

This report is automatically generated by the PR / Check / cherry-pick CI workflow.

Some of the commits in this PR require the author's and reviewer's attention.

Sometimes it is not possible to cherry-pick exactly the same patch.
This most frequently happens when resolving merge conflicts.
The range-diff will help to review the resolution of conflicts.

If you need to merge this PR despite the warnings, please dismiss this review shortly before merging.

Warning

Difference between 838c3f9 and original 64db9dd may warrant inspection.

@@ Metadata
  ## Commit message ##
     cosmic-greeter: apply upstream patch for security hardening
 
+    (cherry picked from commit 64db9dd59be49b07d88409084dd94c1cf34b5097)
+
  ## pkgs/by-name/co/cosmic-greeter/package.nix ##
 @@
    nix-update-script,
@@ pkgs/by-name/co/cosmic-greeter/package.nix
  
  rustPlatform.buildRustPackage (finalAttrs: {
 @@ pkgs/by-name/co/cosmic-greeter/package.nix: rustPlatform.buildRustPackage (finalAttrs: {
-     hash = "sha256-U0JrxvMWzISSA0tP8moasN7iN7TfZreEwbvWZGHRn8E=";
+     hash = "sha256-HP2Dl/vEX4K3XaXtjOpN1EW6uE4RuLm2+RMLB3QvOXQ=";
    };
  
--  cargoHash = "sha256-sNJTXBInr/h8w5dhOOP9ceBYWBcJW3qGjDuaG6UTV90=";
-+  cargoHash = "sha256-J5ycaeKZsEBPcI9JH8bHsOAcXXwcx/D21GlVhJZbGwM=";
+-  cargoHash = "sha256-4yRBgFrH4RBpuvChTED+ynx+PyFumoT2Z+R1gXxF4Xc=";
++  cargoHash = "sha256-KLIUE3+iAZbNB6YPSl75I6jHwa1RBN+go5A7RFi5LxE=";
 +
 +  cargoPatches = [
 +    (fetchpatch2 {
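
Review bot: Both the old and the new `cargoHash` in this hunk differ from those in the original 64db9dd, and the `hash` context line above them differs as well, which indicates release-25.11 carries a different cosmic-greeter source than the branch the original commit was written against. The new `cargoHash` therefore has to come from a build on release-25.11 with `cargoPatches` applied rather than from the original commit; please confirm that is how it was obtained. A short comment above `cargoPatches = [` naming the upstream change the patch carries would also help, since the added lines shown start with a blank line and no comment.
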
@@ pkgs/by-name/co/cosmic-greeter/package.nix: rustPlatform.buildRustPackage (final
 +    })
 +  ];
  
-   env.VERGEN_GIT_SHA = finalAttrs.src.tag;
- 
+   env = {
+     VERGEN_GIT_COMMIT_DATE = "2025-12-05";
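
Review bot: The `env` lines at the end of this hunk are context that differs between the two sides: the original has `env.VERGEN_GIT_SHA = finalAttrs.src.tag;` after `cargoPatches`, while release-25.11 has an `env = {` attrset beginning with `VERGEN_GIT_COMMIT_DATE = "2025-12-05";`. The view is cut off after that first attribute, so check in the full diff that resolving the cherry-pick left the branch's existing `env` block intact and only inserted `cargoPatches` ahead of it.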

Hint: The full diffs are also available in the runner logs with slightly better highlighting.

@nixpkgs-ci bot requested a review from a team March 31, 2026 13:34

@nixpkgs-ci bot added labels Mar 31, 2026:
  • 10.rebuild-linux: 1-10 (This PR causes between 1 and 10 packages to rebuild on Linux.)
  • 10.rebuild-darwin: 0 (This PR does not cause any packages to rebuild on Darwin.)
  • 11.by: package-maintainer (This PR was created by a maintainer of all the package it changes.)
  • 10.rebuild-linux: 1 (This PR causes 1 package to rebuild on Linux.)
  • 6.topic: COSMIC (COSMIC is a software platform for designing beautiful user experiences)
  • 4.workflow: backport (This targets a stable branch)

@nixpkgs-ci bot added labels Mar 31, 2026:
  • 12.approvals: 1 (This PR was reviewed and approved by one person.)
  • 12.approved-by: package-maintainer (This PR was reviewed and approved by a maintainer listed in any of the changed packages.)

@thefossguy (Member)

I was alerted a bit when viewing the patch, because GitHub's UI shows "This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.", but it's not a problem because I recall pulling the commit from the PR but GitHub didn't fast-forward it, hence the change in hash for the commit SHA in the PR vs in-tree.

Commenting for documentation purposes.

@thefossguy (Member)

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 505350 --extra-nixpkgs-config '{ allowBroken = false; }' --additional-package nixosTests.cosmic --additional-package nixosTests.cosmic-autologin --additional-package nixosTests.cosmic-noxwayland --additional-package nixosTests.cosmic-autologin-noxwayland
Commit: 838c3f9bd486dc80f164b5d2e85ff7ea5e73f347


aarch64-linux

✅ 4 tests built:
  • nixosTests.cosmic
  • nixosTests.cosmic-autologin
  • nixosTests.cosmic-autologin-noxwayland
  • nixosTests.cosmic-noxwayland
✅ 2 packages built:
  • cosmic-greeter
  • nixpkgs-manual

@thefossguy (Member)

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 505350 --extra-nixpkgs-config '{ allowBroken = false; }' --additional-package nixosTests.cosmic-autologin-noxwayland --additional-package nixosTests.cosmic-noxwayland --additional-package nixosTests.cosmic --additional-package nixosTests.cosmic-autologin
Commit: 838c3f9bd486dc80f164b5d2e85ff7ea5e73f347


x86_64-linux

✅ 4 tests built:
  • nixosTests.cosmic
  • nixosTests.cosmic-autologin
  • nixosTests.cosmic-autologin-noxwayland
  • nixosTests.cosmic-noxwayland
✅ 2 packages built:
  • cosmic-greeter
  • nixpkgs-manual

@thefossguy (Member)

@NixOS/nixpkgs-merge-bot

@thefossguy (Member)

@NixOS/nixpkgs-merge-bot merge

@nixpkgs-ci bot (Contributor) commented Mar 31, 2026

@thefossguy wants to merge this PR.

Requirements to merge this PR with @NixOS/nixpkgs-merge-bot merge:

  • ✅ PR targets a development branch.
  • ✅ PR touches only files of packages in pkgs/by-name/.
  • ❌ PR is at least one of:
  • ✅ PR is not a draft
  • ✅ thefossguy is a member of @NixOS/nixpkgs-maintainers.
  • ✅ thefossguy is a maintainer of all touched packages.

❌ Pull Request could not be merged (#305350)

@nixpkgs-ci bot added the label 12.approvals: 2 (This PR was reviewed and approved by two persons.) and removed the label 12.approvals: 1 (This PR was reviewed and approved by one person.) Mar 31, 2026

@thefossguy (Member)

My bad, I thought Kenji was a committer. I don't have commit access either.

@Lassulus enabled auto-merge March 31, 2026 17:48

@HeitorAugustoLN dismissed github-actions[bot]’s stale review March 31, 2026 18:45

Reviewed cherry-pick range-diff. Differences are expected for release-25.11

@Lassulus added this pull request to the merge queue Mar 31, 2026
Merged via the queue into NixOS:release-25.11 with commit fd28b91 Mar 31, 2026
41 of 44 checks passed
@a-kenji deleted the backport-499524-to-release-25.11 branch March 31, 2026 19:36