Tagging release 2.24.9

-----BEGIN PGP SIGNATURE----- iQFHBAABCAAxFiEEtUHVUwEnDgvPFcpdgXC0cm1xmN4FAmb3K78THGVkb2xzdHJh QGdtYWlsLmNvbQAKCRCBcLRybXGY3t5xB/4mKlFd8hka45CuQrGN6lJrIs76kvn5 mXDLWpHTOyipUZN1ZKACUPlKD/8cP8sHwd3/fILlwKAOurgWCd/+QwAPltT01r/w T02E4haXGLmWwdZ+uPcm/lBdZVq8IZ1oU/9+EFKsbaYpa4O4kZPHe3joPr4ebVlO zXndiR5FDSSEg05qAXr62KndgydTf/xtjEEv6jONzMaO1MCK6OAHIKCZg2ybsV/S 5ayfUESRFwGg4/BbzSEkEO0wl8mgwo6PbD0BI83FSC9W1gaR2ImadjA9GPKBkS1o 8Rj/KrP55JZkQExEQWquptEMlKoDdruQUelXXBBeqnXErG2bORV+Z7xG =SUre -----END PGP SIGNATURE----- Merge tag '2.24.9' into sync-2.24.9 Tagging release 2.24.9
2025-07-07 10:11:47 +02:00 · 2024-10-29 16:04:00 +01:00 · 2024-10-29 16:04:00 +01:00 · d8d38c4257
commit d8d38c4257
parent c963ac8827 048cfe51c9
58 changed files with 605 additions and 415 deletions
--- a/doc/manual/rl-next/filesystem-errors.md
+++ b/doc/manual/rl-next/filesystem-errors.md
@ -0,0 +1,14 @@
+---
+synopsis: wrap filesystem exceptions more correctly
+issues: []
+prs: [11378]
+---
+
+
+With the switch to `std::filesystem` in different places, Nix started to throw `std::filesystem::filesystem_error` in many places instead of its own exceptions.
+
+This lead to no longer generating error traces, for example when listing a non-existing directory.
+
+This version catches these types of exception correctly and wrap them into Nix's own exeception type.
+
+Author: [**@Mic92**](https://github.com/Mic92)
--- a/doc/manual/rl-next/verify-tls.md
+++ b/doc/manual/rl-next/verify-tls.md
@ -0,0 +1,8 @@
+---
+synopsis: "`<nix/fetchurl.nix>` uses TLS verification"
+prs: [11585]
+---
+
+Previously `<nix/fetchurl.nix>` did not do TLS verification. This was because the Nix sandbox in the past did not have access to TLS certificates, and Nix checks the hash of the fetched file anyway. However, this can expose authentication data from `netrc` and URLs to man-in-the-middle attackers. In addition, Nix now in some cases (such as when using impure derivations) does *not* check the hash. Therefore we have now enabled TLS verification. This means that downloads by `<nix/fetchurl.nix>` will now fail if you're fetching from a HTTPS server that does not have a valid certificate.
+
+`<nix/fetchurl.nix>` is also known as the builtin derivation builder `builtin:fetchurl`. It's not to be confused with the evaluation-time function `builtins.fetchurl`, which was not affected by this issue.
--- a/doc/manual/src/installation/index.md
+++ b/doc/manual/src/installation/index.md
@ -14,6 +14,14 @@ This option requires either:
 * Linux running systemd, with SELinux disabled
 * MacOS

+> **Updating to macOS 15 Sequoia**
+>
+> If you recently updated to macOS 15 Sequoia and are getting
+> ```console
+> error: the user '_nixbld1' in the group 'nixbld' does not exist
+> ```
+> when running Nix commands, refer to GitHub issue [NixOS/nix#10892](https://github.com/NixOS/nix/issues/10892) for instructions to fix your installation without reinstalling.
+
 ```console
 $ bash <(curl -L https://nixos.org/nix/install) --daemon
 ```
--- a/doc/manual/src/installation/installing-binary.md
+++ b/doc/manual/src/installation/installing-binary.md
@ -1,5 +1,13 @@
 # Installing a Binary Distribution

+> **Updating to macOS 15 Sequoia**
+>
+> If you recently updated to macOS 15 Sequoia and are getting
+> ```console
+> error: the user '_nixbld1' in the group 'nixbld' does not exist
+> ```
+> when running Nix commands, refer to GitHub issue [NixOS/nix#10892](https://github.com/NixOS/nix/issues/10892) for instructions to fix your installation without reinstalling.
+
 To install the latest version Nix, run the following command:

 ```console
--- a/doc/manual/src/installation/prerequisites-source.md
+++ b/doc/manual/src/installation/prerequisites-source.md
@ -39,8 +39,6 @@
    `pkgconfig` and the Boehm garbage collector, and pass the flag
    `--enable-gc` to `configure`.

-    For `bdw-gc` <= 8.2.4 Nix needs a [small patch](https://github.com/NixOS/nix/blob/ac4d2e7b857acdfeac35ac8a592bdecee2d29838/boehmgc-traceable_allocator-public.diff) to be applied.
-
  - The `boost` library of version 1.66.0 or higher. It can be obtained
    from the official web site <https://www.boost.org/>.

--- a/doc/manual/src/installation/uninstall.md
+++ b/doc/manual/src/installation/uninstall.md
@ -43,6 +43,14 @@ which you may remove.

 ### macOS

+> **Updating to macOS 15 Sequoia**
+>
+> If you recently updated to macOS 15 Sequoia and are getting
+> ```console
+> error: the user '_nixbld1' in the group 'nixbld' does not exist
+> ```
+> when running Nix commands, refer to GitHub issue [NixOS/nix#10892](https://github.com/NixOS/nix/issues/10892) for instructions to fix your installation without reinstalling.
+
 1. If system-wide shell initialisation files haven't been altered since installing Nix, use the backups made by the installer:

   ```console