nix/doc/manual/source/release-notes/rl-2.25.md
Release 2.25.0 (2024-11-07)

  • Use envvars NIX_CACHE_HOME, NIX_CONFIG_HOME, NIX_DATA_HOME, NIX_STATE_HOME if defined #11351

    Added new environment variables:

    • NIX_CACHE_HOME
    • NIX_CONFIG_HOME
    • NIX_DATA_HOME
    • NIX_STATE_HOME

    Each, if defined, takes precedence over the corresponding XDG environment variable. This provides more fine-grained control over where Nix looks for files, and makes it possible to have a stand-alone Nix environment that only uses files in a specific directory and doesn't interfere with the user environment.

  • Define integer overflow in the Nix language as an error #10968 #11188

    Previously, integer overflow in the Nix language invoked C++ level signed overflow, which was undefined behaviour, but usually manifested as wrapping around on overflow.

    Since before the public release of Lix, Lix has had C++ signed overflow defined to crash the process, and for three months nobody noticed that this had accidentally removed overflow from the Nix language, until it was caught by fiddling around. Given the significant body of actual Nix code that has been evaluated by Lix in that time, it does not appear that nixpkgs or much of importance depends on integer overflow, so it appears safe to turn it into an error.

    Some other overflows were fixed:

    • builtins.fromJSON of values greater than the maximum representable value in a signed 64-bit integer will generate an error.
    • nixConfig in flakes will no longer accept negative values for configuration options.

    Integer overflow now looks like the following:

    $ nix eval --expr '9223372036854775807 + 1'
    error: integer overflow in adding 9223372036854775807 + 1
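    As an added illustration of the change above (this is not Nix's own code), the pattern in C++ is to replace plain signed arithmetic, whose overflow is undefined behaviour, with the GCC/Clang checked builtins and raise an error; the same checked operations drive a literal parser of the kind builtins.fromJSON needs to reject values outside the signed 64-bit range. Function names and the wording of the parser's error messages are my own; the addition message reproduces the `nix eval` output shown above.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>

using NixInt = int64_t;

// Checked arithmetic: the GCC/Clang builtins report overflow instead of leaving
// it undefined, and the evaluator turns that into an error rather than wrapping.
NixInt addChecked(NixInt a, NixInt b) {
    NixInt r;
    if (__builtin_add_overflow(a, b, &r))
        throw std::overflow_error("integer overflow in adding " + std::to_string(a) + " + " + std::to_string(b));
    return r;
}

NixInt mulChecked(NixInt a, NixInt b) {
    NixInt r;
    if (__builtin_mul_overflow(a, b, &r))
        throw std::overflow_error("integer overflow in multiplying " + std::to_string(a) + " * " + std::to_string(b));
    return r;
}

// Parse a decimal integer literal (as builtins.fromJSON receives one) with the checked
// operations, so a literal outside int64 is rejected. Accumulating towards the sign lets INT64_MIN parse.
NixInt parseInt(const std::string & s) {
    bool neg = !s.empty() && s[0] == '-';
    size_t i = neg ? 1 : 0;
    if (i == s.size()) throw std::invalid_argument("no digits in '" + s + "'");
    NixInt value = 0;
    try {
        for (; i < s.size(); ++i) {
            if (s[i] < '0' || s[i] > '9') throw std::invalid_argument("bad digit in '" + s + "'");
            value = addChecked(mulChecked(value, 10), neg ? -(s[i] - '0') : (s[i] - '0'));
        }
    } catch (std::overflow_error &) {
        throw std::overflow_error("integer " + s + " does not fit in a signed 64-bit integer");
    }
    return value;
}

// What `nix eval --expr 'a + b'` and a JSON literal now yield: the value, or an error message.
std::string evalAdd(NixInt a, NixInt b) {
    try { return std::to_string(addChecked(a, b)); }
    catch (std::overflow_error & e) { return std::string("error: ") + e.what(); }
}
std::string evalLiteral(const std::string & s) {
    try { return std::to_string(parseInt(s)); }
    catch (std::exception & e) { return std::string("error: ") + e.what(); }
}
```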
    
  • The build-hook setting's default is less useful when using libnixstore as a library #11178

    This is an obscure issue that only affects usage of the libnixstore library outside of the Nix executable.

    As part of the ongoing rewrite of the build system to use Meson, we are also switching to packaging individual Nix components separately (and building them in separate derivations). This means that when building libnixstore we do not know where the Nix binaries will be installed --- libnixstore doesn't know about downstream consumers like the Nix binaries at all.

    This is also unrelated to the post-build-hook, which is often used for pushing to a cache.

    This has a small adverse effect on remote building --- the build-remote executable that is specified by the build-hook setting will not be taken from the (presumed) installation location, but instead looked up on the PATH. This means that other applications linking libnixstore that wish to use remote building must arrange for the nix command to be on the PATH (or manually override build-hook) in order for that to work.

    Long term we don't envision this being a downside, because we plan to get rid of build-remote and the build hook setting entirely. There should simply be no need to have an extra, intermediate layer of remote-procedure-calling when we want to connect to a remote builder. The build hook protocol did in principle support custom ways of remote building, but that can also be accomplished with a custom service for the ssh or daemon/ssh-ng protocols, or with a custom store type, i.e. a Store subclass.

    The Perl bindings no longer expose getBinDir either, since the underlying C++ libraries those bindings wrap no longer know the location of installed binaries as described above.

  • wrap filesystem exceptions more correctly #11378

    With the switch to std::filesystem in different places, Nix started to throw std::filesystem::filesystem_error in many places instead of its own exceptions.

    This led to error traces no longer being generated, for example when listing a non-existent directory, and could also lead to crashes inside the Nix REPL.

    This version catches these types of exception correctly and wraps them in Nix's own exception type.

    Author: @Mic92

  • Add setting fsync-store-paths #1218 #7126

    Nix now has a setting fsync-store-paths that ensures that new store paths are durably written to disk before they are registered as "valid" in Nix's database. This can prevent Nix store corruption if the system crashes or there is a power loss. This setting defaults to false.

    Author: @squalus

  • Show package descriptions with nix flake show #10977 #10980

    nix flake show now displays a package's meta.description if it exists. If the description does not fit in the terminal, it is truncated to the terminal width. If the terminal width is unknown, the description is capped at 80 characters.

    $ nix flake show
    └───packages
        └───x86_64-linux
            ├───builderImage: package 'docker-image-ara-builder-image.tar.gz' - 'Docker image hosting the nix build environment'
            └───runnerImage: package 'docker-image-gitlab-runner.tar.gz' - 'Docker image hosting the gitlab-runner executable'
    In a narrower terminal:

    $ nix flake show
    └───packages
        └───x86_64-linux
            ├───builderImage: package 'docker-image-ara-builder-image.tar.gz' - 'Docker image hosting the nix b...
            └───runnerImage: package 'docker-image-gitlab-runner.tar.gz' - 'Docker image hosting the gitlab-run...
    
  • Removing the default argument passed to the nix fmt formatter #11438

    The underlying formatter no longer receives the "." default argument when nix fmt is called with no arguments.

    This change was necessary because the formatter was not able to distinguish between a user wanting to format the current folder with nix fmt . and the generic nix fmt.

    The default behaviour is now the responsibility of the formatter itself, which allows tools such as treefmt to format the whole tree instead of only the current directory and below.

    Author: @zimbatm

  • Flakes are no longer substituted #10612

    Nix will no longer attempt to substitute the source code of flakes from a binary cache. This functionality was broken because it could lead to different evaluation results depending on whether the flake was available in the binary cache, or even depending on whether the flake was already in the local store.

    Author: @edolstra

  • <nix/fetchurl.nix> uses TLS verification #11585

    Previously <nix/fetchurl.nix> did not do TLS verification. This was because the Nix sandbox in the past did not have access to TLS certificates, and Nix checks the hash of the fetched file anyway. However, this can expose authentication data from netrc and URLs to man-in-the-middle attackers. In addition, Nix now in some cases (such as when using impure derivations) does not check the hash. Therefore we have now enabled TLS verification. This means that downloads by <nix/fetchurl.nix> will now fail if you're fetching from an HTTPS server that does not have a valid certificate.

    <nix/fetchurl.nix> is also known as the builtin derivation builder builtin:fetchurl. It's not to be confused with the evaluation-time function builtins.fetchurl, which was not affected by this issue.
