From f6cca718a2dc32695991e89c650d84656a7cdb8d Mon Sep 17 00:00:00 2001
From: Sefa Eyeoglu
Date: Mon, 21 Oct 2024 10:23:06 +0200
Subject: [PATCH 1/4] unbound: 1.21.1 -> 1.22.0
Signed-off-by: Sefa Eyeoglu
(cherry picked from commit 0298669377cdc25af94c77f170cab3eebe0584fa)
---
 pkgs/by-name/un/unbound/package.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/by-name/un/unbound/package.nix b/pkgs/by-name/un/unbound/package.nix
index c9d9a7a26cf6b..083fd738cc283 100644
--- a/pkgs/by-name/un/unbound/package.nix
+++ b/pkgs/by-name/un/unbound/package.nix
@@ -50,11 +50,11 @@
 stdenv.mkDerivation (finalAttrs: {
 pname = "unbound";
- version = "1.21.1";
+ version = "1.22.0";
 src = fetchurl {
 url = "https://nlnetlabs.nl/downloads/unbound/unbound-${finalAttrs.version}.tar.gz";
- hash = "sha256-MDbSPCNiKzbTyH6UMRe97BrI+Bljbrl42AZBaw+p6kY=";
+ hash = "sha256-xd0b3vXVaFss7bdJFY3RUsUtRPZVKaNKwVzYjUsbPUM=";
 };
 outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB
From 7f22717d4c6fc801f894950d67c3e58c6f422894 Mon Sep 17 00:00:00 2001
From: Sefa Eyeoglu
Date: Mon, 21 Oct 2024 10:28:25 +0200
Subject: [PATCH 2/4] unbound: fetch source from GitHub
To avoid a xz-style supply chain attack.
Signed-off-by: Sefa Eyeoglu
(cherry picked from commit c011c36c003c801a21d60d884128c87710a00c02)
---
 pkgs/by-name/un/unbound/package.nix | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/pkgs/by-name/un/unbound/package.nix b/pkgs/by-name/un/unbound/package.nix
index 083fd738cc283..eac74c88fc93c 100644
--- a/pkgs/by-name/un/unbound/package.nix
+++ b/pkgs/by-name/un/unbound/package.nix
@@ -1,9 +1,10 @@
 { stdenv
 , lib
-, fetchurl
+, fetchFromGitHub
 , openssl
 , nettle
 , expat
+, flex
 , libevent
 , libsodium
 , protobufc
@@ -52,9 +53,11 @@ stdenv.mkDerivation (finalAttrs: {
 pname = "unbound";
 version = "1.22.0";
- src = fetchurl {
- url = "https://nlnetlabs.nl/downloads/unbound/unbound-${finalAttrs.version}.tar.gz";
- hash = "sha256-xd0b3vXVaFss7bdJFY3RUsUtRPZVKaNKwVzYjUsbPUM=";
+ src = fetchFromGitHub {
+ owner = "NLnetLabs";
+ repo = "unbound";
+ rev = "refs/tags/release-${finalAttrs.version}";
+ hash = "sha256-CFsd8tdFL+JbxmDZoWdStvWcs9azSaLtMG8Ih5oXE/A=";
 };
 outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB
@@ -62,7 +65,7 @@ stdenv.mkDerivation (finalAttrs: {
 nativeBuildInputs =
 lib.optionals withMakeWrapper [ makeWrapper ]
 ++ lib.optionals withDNSTAP [ protobufc ]
- ++ [ pkg-config ]
+ ++ [ pkg-config flex ]
 ++ lib.optionals withPythonModule [ swig ];
 buildInputs = [ openssl nettle expat libevent ]
From 1efeefee95882137b84813c2078a19d72f724cb0 Mon Sep 17 00:00:00 2001
From: Arne Keller <2012gdwu+github@posteo.de>
Date: Wed, 11 Dec 2024 12:39:59 +0100
Subject: [PATCH 3/4] unbound: support dynlib module (#333301)
(cherry picked from commit eafaee722ece971b77011e8ea85a07ecf957efdc)
---
 pkgs/by-name/un/unbound/package.nix | 4 ++++
 pkgs/top-level/all-packages.nix | 1 +
 2 files changed, 5 insertions(+)
diff --git a/pkgs/by-name/un/unbound/package.nix b/pkgs/by-name/un/unbound/package.nix
index eac74c88fc93c..a6afe5399be45 100644
--- a/pkgs/by-name/un/unbound/package.nix
+++ b/pkgs/by-name/un/unbound/package.nix
@@ -41,6 +41,8 @@
 # enable support for python plugins in unbound: note this is distinct from pyunbound
 # see https://unbound.docs.nlnetlabs.nl/en/latest/developer/python-modules.html
 , withPythonModule ? false
+# enable support for .so plugins
+, withDynlibModule ? false
 , withLto ? !stdenv.hostPlatform.isStatic && !stdenv.hostPlatform.isMinGW
 , withMakeWrapper ? !stdenv.hostPlatform.isMinGW
 , libnghttp2
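Review bot: In the `src` hunk of patch 2/4, the reason for leaving `fetchurl` is recorded only in the commit message, so a later update could switch back to the release tarball without noticing; the block should carry it, e.g. `# fetch the git tag, not the release tarball: only files that are in the repository enter the build`. `refs/tags/release-${finalAttrs.version}` is a mutable ref, so the `hash` line is the only thing that pins the content: a re-pointed tag would surface as a hash mismatch at build time, but the hash itself is trusted as computed by whoever updates the package. If upstream signs its release tags (not visible on this page), the same comment could say that the hash should be taken from a verified tag rather than from the first fetch.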
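Review bot: The comment `# enable support for .so plugins` on `withDynlibModule` (patch 3/4, argument-list hunk) understates what the flag turns on: built with `--with-dynlibmodule`, the daemon can load shared objects named in its configuration into the resolver process. I would say so in the comment, e.g. `# enable the dynlib module: unbound can load shared objects listed in its config into the daemon process`, in the way the neighbouring `withPythonModule` comment points at its documentation. The same patch sets `withDynlibModule = true` for `unbound-full` in the all-packages.nix hunk, so every user of that variant gets the loader compiled in; whether anything is loaded still depends on the configuration file, which is then worth keeping writable only by the account that administers the resolver.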
@@ -91,6 +93,8 @@ stdenv.mkDerivation (finalAttrs: {
 "--enable-systemd"
 ] ++ lib.optionals withPythonModule [
 "--with-pythonmodule"
+ ] ++ lib.optionals withDynlibModule [
+ "--with-dynlibmodule"
 ] ++ lib.optionals withDoH [
 "--with-libnghttp2=${libnghttp2.dev}"
 ] ++ lib.optionals withECS [
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 83f338d0e972e..cac209b792f69 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -5696,6 +5696,7 @@ with pkgs;
 unbound-full = unbound.override {
 python = python3;
 withSystemd = true;
+ withDynlibModule = true;
 withPythonModule = true;
 withDoH = true;
 withECS = true;
From bb8689ce87bcd099f7405c8dbc2fd0577e8b6ef9 Mon Sep 17 00:00:00 2001
From: misuzu
Date: Thu, 12 Dec 2024 19:10:16 +0200
Subject: [PATCH 4/4] unbound: bison is required when cross-compiling
(cherry picked from commit 6e40f855105b0c458eeef2d64db6d21ae7fc2ccf)
---
 pkgs/by-name/un/unbound/package.nix | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/pkgs/by-name/un/unbound/package.nix b/pkgs/by-name/un/unbound/package.nix
index a6afe5399be45..963ed960da378 100644
--- a/pkgs/by-name/un/unbound/package.nix
+++ b/pkgs/by-name/un/unbound/package.nix
@@ -64,10 +64,9 @@ stdenv.mkDerivation (finalAttrs: {
 outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB
- nativeBuildInputs =
- lib.optionals withMakeWrapper [ makeWrapper ]
+ nativeBuildInputs = [ bison flex pkg-config ]
+ ++ lib.optionals withMakeWrapper [ makeWrapper ]
 ++ lib.optionals withDNSTAP [ protobufc ]
- ++ [ pkg-config flex ]
 ++ lib.optionals withPythonModule [ swig ];
 buildInputs = [ openssl nettle expat libevent ]
@@ -121,8 +120,6 @@ stdenv.mkDerivation (finalAttrs: {
 sed -E '/CONFCMDLINE/ s;${storeDir}/[a-z0-9]{32}-;${storeDir}/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-;g' -i config.h
 '';
- nativeCheckInputs = [ bison ];
-
 doCheck = true;
 postPatch = lib.optionalString withPythonModule ''
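Review bot: In the `nativeBuildInputs` hunk of patch 4/4, nothing in the file says why `bison` and `flex` are now unconditional build tools; the commit subject is the only trace of the cross-compilation failure. A one-line comment such as `# bison/flex generate the config parser and lexer at build time; nativeCheckInputs are not available when checks are disabled (e.g. cross builds)` above the list would keep them from being moved back. Presumably `bison` is already in the function's argument list, since the removed `nativeCheckInputs = [ bison ];` used it, but that part of the file is outside the hunks shown.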