forked from lix-project/lix
release notes: add a bunch of them
Also fix typos introduced by the commits I read.
I have run the addDrvOutputDependencies release note past Ericson since
I was confused by what the heck it was doing, and he was saying it was
reasonable.
Change-Id: Id015353b00938682f7faae7de43df7f991a5237e
parent
0bf4c2971f
commit
dcc7ea5498
16 changed files with 233 additions and 4 deletions
|
@ -62,6 +62,27 @@ roberth:
|
||||||
display_name: Robert Hensing
|
display_name: Robert Hensing
|
||||||
github: roberth
|
github: roberth
|
||||||
|
|
||||||
|
ericson:
|
||||||
|
display_name: John Ericson
|
||||||
|
github: ericson2314
|
||||||
|
|
||||||
|
tomberek:
|
||||||
|
display_name: Tom Bereknyei
|
||||||
|
github: tomberek
|
||||||
|
|
||||||
|
valentin:
|
||||||
|
display_name: Valentin Gagarin
|
||||||
|
github: fricklerhandwerk
|
||||||
|
|
||||||
|
lovesegfault:
|
||||||
|
github: lovesegfault
|
||||||
|
|
||||||
|
yshui:
|
||||||
|
github: yshui
|
||||||
|
|
||||||
|
ncfavier:
|
||||||
|
github: ncfavier
|
||||||
|
|
||||||
midnightveil:
|
midnightveil:
|
||||||
display_name: julia
|
display_name: julia
|
||||||
forgejo: midnightveil
|
forgejo: midnightveil
|
||||||
|
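Review bot: The new entries `lovesegfault`, `yshui` and `ncfavier` carry only a `github:` key, while the other entries added in this hunk (`ericson`, `tomberek`, `valentin`) also set `display_name`. Confirm that the release-notes generator falls back sensibly when `display_name` is absent, or add display names so the credits render consistently.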
@ -75,3 +96,16 @@ puck:
|
||||||
alois31:
|
alois31:
|
||||||
forgejo: alois31
|
forgejo: alois31
|
||||||
github: alois31
|
github: alois31
|
||||||
|
|
||||||
|
DavHau:
|
||||||
|
github: DavHau
|
||||||
|
|
||||||
|
SharzyL:
|
||||||
|
github: SharzyL
|
||||||
|
|
||||||
|
r-vdp:
|
||||||
|
github: r-vdp
|
||||||
|
|
||||||
|
artemist:
|
||||||
|
display_name: Artemis Tosini
|
||||||
|
forgejo: artemist
|
||||||
|
|
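Review bot: The release notes added in this commit credit `horrors`, `9999years`, `jade` and `thufschmitt`, none of which are added in the visible hunks of this file. Check that each already has an entry here, otherwise those credits have nothing to resolve to.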
14
doc/manual/rl-next/addDrvOutputDependencies.md
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
---
|
||||||
|
synopsis: "Add a builtin `addDrvOutputDependencies`"
|
||||||
|
prs: 9216
|
||||||
|
issues: 7910
|
||||||
|
credits: [ericson, horrors]
|
||||||
|
category: Features
|
||||||
|
---
|
||||||
|
|
||||||
|
This builtin allows taking a `drvPath`-like string and turning it into a string
|
||||||
|
with context such that, when it lands in a derivation, it will create
|
||||||
|
dependencies on *all the outputs* in its closure (!). Although `drvPath` does this
|
||||||
|
today, this builtin starts forming a path to migrate to making `drvPath` have a
|
||||||
|
more normal and less surprising string context behaviour (see linked issue and
|
||||||
|
PR for more details).
|
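Review bot: In the body, "a `drvPath`-like string" and "starts forming a path to migrate" leave the reader guessing what input is accepted and what is planned. The primop doc string touched later in this commit is more precise (a single constant string context element whose store path ends in `.drv`, and the opposite of `builtins.unsafeDiscardOutputDependency`); consider reusing that wording and naming the counterpart builtin here. The "(!)" could also be replaced by a plain statement of why depending on all outputs is surprising.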
13
doc/manual/rl-next/always-allow-substitutes.md
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
synopsis: "Add an option `always-allow-substitutes` to ignore `allowSubstitutes` in derivations"
|
||||||
|
prs: 8047
|
||||||
|
credits: [lovesegfault, horrors]
|
||||||
|
category: Improvements
|
||||||
|
---
|
||||||
|
|
||||||
|
You can set this setting to force a system to always allow substituting even
|
||||||
|
trivial derivations like `pkgs.writeText`. This is useful for
|
||||||
|
[`nix-fast-build --skip-cached`][skip-cached] and similar to be able to also
|
||||||
|
ignore trivial derivations.
|
||||||
|
|
||||||
|
[skip-cached]: https://github.com/Mic92/nix-fast-build?tab=readme-ov-file#avoiding-redundant-package-downloads
|
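Review bot: The body never says what `allowSubstitutes` does when left alone, so "force a system to always allow substituting" has no baseline. One clause stating that a derivation can opt out of substitution through `allowSubstitutes`, and that this option overrides that choice, would make the note self-contained. "You can set this setting" could become "Enable this setting".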
21
doc/manual/rl-next/cve-fod-fix.md
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
---
|
||||||
|
synopsis: "Fix CVE-2024-27297 (GHSA-2ffj-w4mj-pg37)"
|
||||||
|
cls: 266
|
||||||
|
credits: [puck, jade, thufschmitt, tomberek, valentin]
|
||||||
|
category: Fixes
|
||||||
|
---
|
||||||
|
|
||||||
|
Since Lix fixed-output derivations run in the host network namespace (which we
|
||||||
|
wish to change in the future, see
|
||||||
|
[lix#285](https://git.lix.systems/lix-project/lix/issues/285)), they may open
|
||||||
|
abstract-namespace Unix sockets to each other and to programs on the host. Lix
|
||||||
|
contained a now-fixed time-of-check/time-of-use vulnerability where one
|
||||||
|
derivation could send writable handles to files in their final location in the
|
||||||
|
store to another over an abstract-namespace Unix socket, exit, then the other
|
||||||
|
derivation could wait for Lix to hash the paths and overwrite them.
|
||||||
|
|
||||||
|
The impact of this vulnerability is that two malicious fixed-output derivations
|
||||||
|
could create a poisoned path for the sources to Bash or similarly important
|
||||||
|
software containing a backdoor, leading to local privilege execution.
|
||||||
|
|
||||||
|
CppNix advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
|
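Review bot: "leading to local privilege execution" in the impact paragraph looks like a slip for "local privilege escalation". The note also explains the race but not what changed to close it; since the first paragraph says fixed-output derivations still run in the host network namespace, a sentence describing the fix would tell readers whether the abstract-socket handoff is still possible or only the later overwrite is prevented. The sentence beginning "Lix contained a now-fixed" is long enough to split at "exit, then".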
8
doc/manual/rl-next/gc-roots-darwin.md
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
synopsis: Find GC roots using libproc on Darwin
|
||||||
|
cls: 723
|
||||||
|
credits: artemist
|
||||||
|
category: Improvements
|
||||||
|
---
|
||||||
|
|
||||||
|
Previously, the garbage collector found runtime roots on Darwin by shelling out to `lsof -n -w -F n` then parsing the result. The version of `lsof` packaged in Nixpkgs is very slow on Darwin, so Lix now uses `libproc` directly to speed up GC root discovery, in some tests taking 250ms now instead of 40s.
|
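Review bot: `credits: artemist` is a bare scalar here, while other notes in this commit use a list (`credits: [ericson, horrors]`), and `synopsis` is unquoted here but quoted in several other files. If the release-note tooling accepts both forms this is harmless; otherwise pick one. The trailing clause "in some tests taking 250ms now instead of 40s" would read better as its own sentence.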
9
doc/manual/rl-next/macos-stack-size.md
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
synopsis: Increase default stack size on macOS
|
||||||
|
prs: 9860
|
||||||
|
credits: 9999years
|
||||||
|
category: Improvements
|
||||||
|
---
|
||||||
|
|
||||||
|
Increase the default stack size on macOS to the same value as on Linux, subject to system restrictions to maximum stack size.
|
||||||
|
This should reduce the number of stack overflow crashes on macOS when evaluating Nix code with deep call stacks.
|
9
doc/manual/rl-next/more-logs.md
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
synopsis: Show more log context for failed builds
|
||||||
|
prs: 9670
|
||||||
|
credits: DavHau
|
||||||
|
category: Improvements
|
||||||
|
---
|
||||||
|
|
||||||
|
Show 25 lines of log tail instead of 10 for failed builds.
|
||||||
|
This increases the chances of having useful information in the shown logs.
|
9
doc/manual/rl-next/nix-eval-derivations.md
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
synopsis: Print derivation paths in `nix eval`
|
||||||
|
cls: 446
|
||||||
|
credits: 9999years
|
||||||
|
category: Improvements
|
||||||
|
---
|
||||||
|
|
||||||
|
`nix eval` previously printed derivations as attribute sets, so commands that print derivations (e.g. `nix eval nixpkgs#bash`) would infinitely loop and segfault.
|
||||||
|
It now prints the `.drv` path the derivation generates instead.
|
18
doc/manual/rl-next/nix-store-prefetch-unpack.md
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
---
|
||||||
|
synopsis: "Add an option `--unpack` to unpack archives in `nix store prefetch-file`"
|
||||||
|
prs: 9805
|
||||||
|
cls: 224
|
||||||
|
credits: [yshui, horrors]
|
||||||
|
category: Improvements
|
||||||
|
---
|
||||||
|
|
||||||
|
It is now possible to fetch an archive then NAR-hash it (as in, hash it in the
|
||||||
|
same manner as `builtins.fetchTarball` or fixed-output derivations with
|
||||||
|
recursive hash type) in one command.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
```
|
||||||
|
~ » nix store prefetch-file --name source --unpack https://git.lix.systems/lix-project/lix/archive/2.90-beta.1.tar.gz
|
||||||
|
Downloaded 'https://git.lix.systems/lix-project/lix/archive/2.90-beta.1.tar.gz' to '/nix/store/yvfqnq52ryjc3janw02ziv7kr6gd0cs1-source' (hash 'sha256-REWlo2RYHfJkxnmZTEJu3Cd/2VM+wjjpPy7Xi4BdDTQ=').
|
||||||
|
```
|
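Review bot: The example fence has no language tag and begins with a personal shell prompt (`~ »`). A `console` fence with a plain `$` prompt would render and copy more cleanly. The example also passes `--name source` without the body saying why; a short clause on what the name affects would help readers comparing the resulting hash with one from `builtins.fetchTarball`.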
55
doc/manual/rl-next/print-in-repl.md
Normal file
|
@ -0,0 +1,55 @@
|
||||||
|
---
|
||||||
|
synopsis: "REPL printing improvements"
|
||||||
|
prs: [9931, 10208]
|
||||||
|
cls: [375, 492]
|
||||||
|
credits: [9999years, horrors]
|
||||||
|
category: Improvements
|
||||||
|
---
|
||||||
|
|
||||||
|
The REPL printer has been improved to do the following:
|
||||||
|
- If a string is passed to `:print`, it is printed literally to the screen
|
||||||
|
- Structures will be printed as multiple lines when necessary
|
||||||
|
|
||||||
|
Before:
|
||||||
|
|
||||||
|
```
|
||||||
|
nix-repl> { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
|
||||||
|
{ attrs = { ... }; list = [ ... ]; list' = [ ... ]; }
|
||||||
|
|
||||||
|
nix-repl> :p { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
|
||||||
|
{ attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
|
||||||
|
|
||||||
|
nix-repl> :p "meow"
|
||||||
|
"meow"
|
||||||
|
```
|
||||||
|
|
||||||
|
After:
|
||||||
|
|
||||||
|
```
|
||||||
|
nix-repl> { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
|
||||||
|
{
|
||||||
|
attrs = { ... };
|
||||||
|
list = [ ... ];
|
||||||
|
list' = [ ... ];
|
||||||
|
}
|
||||||
|
|
||||||
|
nix-repl> :p { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
|
||||||
|
{
|
||||||
|
attrs = {
|
||||||
|
a = {
|
||||||
|
b = {
|
||||||
|
c = { };
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
list = [ 1 ];
|
||||||
|
list' = [
|
||||||
|
1
|
||||||
|
2
|
||||||
|
3
|
||||||
|
];
|
||||||
|
}
|
||||||
|
|
||||||
|
nix-repl> :p "meow"
|
||||||
|
meow
|
||||||
|
```
|
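Review bot: The first bullet refers to `:print` while both examples use `:p`; say that they are the same command or use one spelling throughout. Since strings are now "printed literally to the screen", it is also worth stating whether escape sequences in the string reach the terminal unescaped, because that affects what is safe to `:p` when the value comes from untrusted input.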
13
doc/manual/rl-next/shebang-single-quotes.md
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
synopsis: Allow single quotes in nix-shell shebangs
|
||||||
|
prs: 8470
|
||||||
|
credits: [ncfavier, horrors]
|
||||||
|
category: Improvements
|
||||||
|
---
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
#! /usr/bin/env nix-shell
|
||||||
|
#! nix-shell -i bash --packages 'terraform.withPlugins (plugins: [ plugins.openstack ])'
|
||||||
|
```
|
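Review bot: The body is only "Example:" followed by a code block, so the note never states what changed. Add a sentence before the example saying what quoting was accepted before and how a single-quoted argument on a `#! nix-shell` line is treated now.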
8
doc/manual/rl-next/ssh-ng-phase-reporting.md
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
synopsis: Include phase reporting in log file for ssh-ng builds
|
||||||
|
prs: 9280
|
||||||
|
credits: r-vdp
|
||||||
|
category: Fixes
|
||||||
|
---
|
||||||
|
|
||||||
|
Store phase information of remote builds run via `ssh-ng` remotes in the local log file, matching logging behavior of local builds.
|
9
doc/manual/rl-next/ssh-ng-substitute.md
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
synopsis: Fix `ssh-ng://` remotes not respecting `--substitute-on-destination`
|
||||||
|
prs: 9600
|
||||||
|
credits: SharzyL
|
||||||
|
category: Fixes
|
||||||
|
---
|
||||||
|
|
||||||
|
`nix copy ssh-ng://` now respects `--substitute-on-destination`, as does `nix-copy-closure` and other commands that operate on remote `ssh-ng` stores.
|
||||||
|
Previously this was always set by `builders-use-substitutes` setting.
|
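Review bot: "Previously this was always set by `builders-use-substitutes` setting." is missing an article and is easy to misread. Suggest "Previously, this was always determined by the `builders-use-substitutes` setting."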
9
doc/manual/rl-next/warn-ignored-client-settings.md
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
synopsis: Warn about ignored client settings
|
||||||
|
cls: 1026
|
||||||
|
credits: jade
|
||||||
|
category: Improvements
|
||||||
|
---
|
||||||
|
|
||||||
|
Emit a warning for every client-provided setting the daemon ignores because the requesting client is not run by a trusted user.
|
||||||
|
Previously this was only a debug message.
|
|
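Review bot: The body does not say where the warning appears (the client's output, the daemon's log, or both). That matters to an administrator trying to find out why a setting had no effect, so one clause naming the destination would help, as would a pointer to where trusted users are configured.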
@ -125,7 +125,7 @@ The builder is executed as follows:
|
||||||
directory (typically, `/nix/store`).
|
directory (typically, `/nix/store`).
|
||||||
|
|
||||||
- `NIX_ATTRS_JSON_FILE` & `NIX_ATTRS_SH_FILE` if `__structuredAttrs`
|
- `NIX_ATTRS_JSON_FILE` & `NIX_ATTRS_SH_FILE` if `__structuredAttrs`
|
||||||
is set to `true` for the dervation. A detailed explanation of this
|
is set to `true` for the derivation. A detailed explanation of this
|
||||||
behavior can be found in the
|
behavior can be found in the
|
||||||
[section about structured attrs](./advanced-attributes.md#adv-attr-structuredAttrs).
|
[section about structured attrs](./advanced-attributes.md#adv-attr-structuredAttrs).
|
||||||
|
|
||||||
|
|
|
@ -36,7 +36,7 @@ static RegisterPrimOp primop_hasContext({
|
||||||
|
|
||||||
> **Example**
|
> **Example**
|
||||||
>
|
>
|
||||||
> Many operations require a string context to be empty because they are intended only to work with "regular" strings, and also to help users avoid unintentionally loosing track of string context elements.
|
> Many operations require a string context to be empty because they are intended only to work with "regular" strings, and also to help users avoid unintentionally losing track of string context elements.
|
||||||
> `builtins.hasContext` can help create better domain-specific errors in those case.
|
> `builtins.hasContext` can help create better domain-specific errors in those case.
|
||||||
>
|
>
|
||||||
> ```nix
|
> ```nix
|
||||||
|
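Review bot: The line after the corrected one still reads "in those case". Since this hunk is already fixing a typo in this paragraph, change it to "in those cases" in the same commit.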
@ -137,14 +137,14 @@ static RegisterPrimOp primop_addDrvOutputDependencies({
|
||||||
.name = "__addDrvOutputDependencies",
|
.name = "__addDrvOutputDependencies",
|
||||||
.args = {"s"},
|
.args = {"s"},
|
||||||
.doc = R"(
|
.doc = R"(
|
||||||
Create a copy of the given string where a single consant string context element is turned into a "derivation deep" string context element.
|
Create a copy of the given string where a single constant string context element is turned into a "derivation deep" string context element.
|
||||||
|
|
||||||
The store path that is the constant string context element should point to a valid derivation, and end in `.drv`.
|
The store path that is the constant string context element should point to a valid derivation, and end in `.drv`.
|
||||||
|
|
||||||
The original string context element must not be empty or have multiple elements, and it must not have any other type of element other than a constant or derivation deep element.
|
The original string context element must not be empty or have multiple elements, and it must not have any other type of element other than a constant or derivation deep element.
|
||||||
The latter is supported so this function is idempotent.
|
The latter is supported so this function is idempotent.
|
||||||
|
|
||||||
This is the opposite of [`builtins.unsafeDiscardOutputDependency`](#builtins-addDrvOutputDependencies).
|
This is the opposite of [`builtins.unsafeDiscardOutputDependency`](#builtins-unsafeDiscardOutputDependency).
|
||||||
)",
|
)",
|
||||||
.fun = prim_addDrvOutputDependencies
|
.fun = prim_addDrvOutputDependencies
|
||||||
});
|
});
|
||||||
|
|
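Review bot: In the unchanged line "The original string context element must not be empty or have multiple elements", the word "element" looks wrong: it is the context that can be empty or hold several elements. Since this doc string is being corrected anyway, consider "The original string context must not be empty or have multiple elements".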