From dcc7ea54986e0712666b15b502b6f89dd42b000c Mon Sep 17 00:00:00 2001 
From: Jade Lovelace Date: Mon, 20 May 2024 12:17:54 -0700 Subject: [PATCH] release notes: add a bunch of them Also fix typos introduced by the commits I read. I have run the addDrvOutputDependencies release note past Ericson since I was confused by what the heck it was doing, and he was saying it was reasonable. Change-Id: Id015353b00938682f7faae7de43df7f991a5237e --- doc/manual/change-authors.yml | 34 ++++++++++++ .../rl-next/addDrvOutputDependencies.md | 14 +++++ .../rl-next/always-allow-substitutes.md | 13 +++++ doc/manual/rl-next/cve-fod-fix.md | 21 +++++++ doc/manual/rl-next/gc-roots-darwin.md | 8 +++ doc/manual/rl-next/macos-stack-size.md | 9 +++ doc/manual/rl-next/more-logs.md | 9 +++ doc/manual/rl-next/nix-eval-derivations.md | 9 +++ .../rl-next/nix-store-prefetch-unpack.md | 18 ++++++ doc/manual/rl-next/print-in-repl.md | 55 +++++++++++++++++++ doc/manual/rl-next/shebang-single-quotes.md | 13 +++++ doc/manual/rl-next/ssh-ng-phase-reporting.md | 8 +++ doc/manual/rl-next/ssh-ng-substitute.md | 9 +++ .../rl-next/warn-ignored-client-settings.md | 9 +++ doc/manual/src/language/derivations.md | 2 +- src/libexpr/primops/context.cc | 6 +- 16 files changed, 233 insertions(+), 4 deletions(-) create mode 100644 doc/manual/rl-next/addDrvOutputDependencies.md create mode 100644 doc/manual/rl-next/always-allow-substitutes.md create mode 100644 doc/manual/rl-next/cve-fod-fix.md create mode 100644 doc/manual/rl-next/gc-roots-darwin.md create mode 100644 doc/manual/rl-next/macos-stack-size.md create mode 100644 doc/manual/rl-next/more-logs.md create mode 100644 doc/manual/rl-next/nix-eval-derivations.md create mode 100644 doc/manual/rl-next/nix-store-prefetch-unpack.md create mode 100644 doc/manual/rl-next/print-in-repl.md create mode 100644 doc/manual/rl-next/shebang-single-quotes.md create mode 100644 doc/manual/rl-next/ssh-ng-phase-reporting.md create mode 100644 doc/manual/rl-next/ssh-ng-substitute.md create mode 100644 
doc/manual/rl-next/warn-ignored-client-settings.md diff --git a/doc/manual/change-authors.yml b/doc/manual/change-authors.yml index 1b59da9ca..6f0008eea 100644 --- a/doc/manual/change-authors.yml +++ b/doc/manual/change-authors.yml @@ -62,6 +62,27 @@ roberth: display_name: Robert Hensing github: roberth +ericson: + display_name: John Ericson + github: ericson2314 + +tomberek: + display_name: Tom Bereknyei + github: tomberek + +valentin: + display_name: Valentin Gagarin + github: fricklerhandwerk + +lovesegfault: + github: lovesegfault + +yshui: + github: yshui + +ncfavier: + github: ncfavier + midnightveil: display_name: julia forgejo: midnightveil @@ -75,3 +96,16 @@ puck: alois31: forgejo: alois31 github: alois31 + +DavHau: + github: DavHau + +SharzyL: + github: SharzyL + +r-vdp: + github: r-vdp + +artemist: + display_name: Artemis Tosini + forgejo: artemist diff --git a/doc/manual/rl-next/addDrvOutputDependencies.md b/doc/manual/rl-next/addDrvOutputDependencies.md new file mode 100644 index 000000000..0442383ec --- /dev/null +++ b/doc/manual/rl-next/addDrvOutputDependencies.md @@ -0,0 +1,14 @@ +--- +synopsis: "Add a builtin `addDrvOutputDependencies`" +prs: 9216 +issues: 7910 +credits: [ericson, horrors] +category: Features +--- + +This builtin allows taking a `drvPath`-like string and turning it into a string +with context such that, when it lands in a derivation, it will create +dependencies on *all the outputs* in its closure (!). Although `drvPath` does this +today, this builtin starts forming a path to migrate to making `drvPath` have a +more normal and less surprising string context behaviour (see linked issue and +PR for more details). diff --git a/doc/manual/rl-next/always-allow-substitutes.md b/doc/manual/rl-next/always-allow-substitutes.md new file mode 100644 index 000000000..60b588fd7 --- /dev/null +++ b/doc/manual/rl-next/always-allow-substitutes.md 
@@ -0,0 +1,13 @@ +--- +synopsis: "Add an option `always-allow-substitutes` to ignore `allowSubstitutes` in derivations" +prs: 8047 +credits: [lovesegfault, horrors] +category: Improvements +--- + +You can set this setting to force a system to always allow substituting even +trivial derivations like `pkgs.writeText`. This is useful for +[`nix-fast-build --skip-cached`][skip-cached] and similar to be able to also +ignore trivial derivations. + +[skip-cached]: https://github.com/Mic92/nix-fast-build?tab=readme-ov-file#avoiding-redundant-package-downloads diff --git a/doc/manual/rl-next/cve-fod-fix.md b/doc/manual/rl-next/cve-fod-fix.md new file mode 100644 index 000000000..4499f639b --- /dev/null +++ b/doc/manual/rl-next/cve-fod-fix.md @@ -0,0 +1,21 @@ +--- +synopsis: "Fix CVE-2024-27297 (GHSA-2ffj-w4mj-pg37)" +cls: 266 +credits: [puck, jade, thufschmitt, tomberek, valentin] +category: Fixes +--- + +Since Lix fixed-output derivations run in the host network namespace (which we +wish to change in the future, see +[lix#285](https://git.lix.systems/lix-project/lix/issues/285)), they may open +abstract-namespace Unix sockets to each other and to programs on the host. Lix +contained a now-fixed time-of-check/time-of-use vulnerability where one +derivation could send writable handles to files in their final location in the +store to another over an abstract-namespace Unix socket, exit, then the other +derivation could wait for Lix to hash the paths and overwrite them. + +The impact of this vulnerability is that two malicious fixed-output derivations +could create a poisoned path for the sources to Bash or similarly important +software containing a backdoor, leading to local privilege execution. + +CppNix advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37 diff --git a/doc/manual/rl-next/gc-roots-darwin.md b/doc/manual/rl-next/gc-roots-darwin.md new file mode 100644 index 000000000..e8e90a397 --- /dev/null 
+++ b/doc/manual/rl-next/gc-roots-darwin.md @@ -0,0 +1,8 @@ +--- +synopsis: Find GC roots using libproc on Darwin +cls: 723 +credits: artemist +category: Improvements +--- + +Previously, the garbage collector found runtime roots on Darwin by shelling out to `lsof -n -w -F n` then parsing the result. The version of `lsof` packaged in Nixpkgs is very slow on Darwin, so Lix now uses `libproc` directly to speed up GC root discovery, in some tests taking 250ms now instead of 40s. diff --git a/doc/manual/rl-next/macos-stack-size.md b/doc/manual/rl-next/macos-stack-size.md new file mode 100644 index 000000000..efbba1577 --- /dev/null +++ b/doc/manual/rl-next/macos-stack-size.md @@ -0,0 +1,9 @@ +--- +synopsis: Increase default stack size on macOS +prs: 9860 +credits: 9999years +category: Improvements +--- + +Increase the default stack size on macOS to the same value as on Linux, subject to system restrictions to maximum stack size. +This should reduce the number of stack overflow crashes on macOS when evaluating Nix code with deep call stacks. diff --git a/doc/manual/rl-next/more-logs.md b/doc/manual/rl-next/more-logs.md new file mode 100644 index 000000000..e239da5ad --- /dev/null +++ b/doc/manual/rl-next/more-logs.md @@ -0,0 +1,9 @@ +--- +synopsis: Show more log context for failed builds +prs: 9670 +credits: DavHau +category: Improvements +--- + +Show 25 lines of log tail instead of 10 for failed builds. +This increases the chances of having useful information in the shown logs. diff --git a/doc/manual/rl-next/nix-eval-derivations.md b/doc/manual/rl-next/nix-eval-derivations.md new file mode 100644 index 000000000..ae1952283 --- /dev/null +++ b/doc/manual/rl-next/nix-eval-derivations.md 
@@ -0,0 +1,9 @@ +--- +synopsis: Print derivation paths in `nix eval` +cls: 446 +credits: 9999years +category: Improvements +--- + +`nix eval` previously printed derivations as attribute sets, so commands that print derivations (e.g. `nix eval nixpkgs#bash`) would infinitely loop and segfault. +It now prints the `.drv` path the derivation generates instead. diff --git a/doc/manual/rl-next/nix-store-prefetch-unpack.md b/doc/manual/rl-next/nix-store-prefetch-unpack.md new file mode 100644 index 000000000..5627c2c75 --- /dev/null +++ b/doc/manual/rl-next/nix-store-prefetch-unpack.md @@ -0,0 +1,18 @@ +--- +synopsis: "Add an option `--unpack` to unpack archives in `nix store prefetch-file`" +prs: 9805 +cls: 224 +credits: [yshui, horrors] +category: Improvements +--- + +It is now possible to fetch an archive then NAR-hash it (as in, hash it in the +same manner as `builtins.fetchTarball` or fixed-output derivations with +recursive hash type) in one command. + +Example: + +``` +~ ยป nix store prefetch-file --name source --unpack https://git.lix.systems/lix-project/lix/archive/2.90-beta.1.tar.gz +Downloaded 'https://git.lix.systems/lix-project/lix/archive/2.90-beta.1.tar.gz' to '/nix/store/yvfqnq52ryjc3janw02ziv7kr6gd0cs1-source' (hash 'sha256-REWlo2RYHfJkxnmZTEJu3Cd/2VM+wjjpPy7Xi4BdDTQ='). +``` diff --git a/doc/manual/rl-next/print-in-repl.md b/doc/manual/rl-next/print-in-repl.md new file mode 100644 index 000000000..e0ac8e17f --- /dev/null +++ b/doc/manual/rl-next/print-in-repl.md 
@@ -0,0 +1,55 @@ +--- +synopsis: "REPL printing improvements" +prs: [9931, 10208] +cls: [375, 492] +credits: [9999years, horrors] +category: Improvements +--- + +The REPL printer has been improved to do the following: +- If a string is passed to `:print`, it is printed literally to the screen +- Structures will be printed as multiple lines when necessary + +Before: + +``` +nix-repl> { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; } +{ attrs = { ... }; list = [ ... ]; list' = [ ... ]; } + +nix-repl> :p { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; } +{ attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; } + +nix-repl> :p "meow" +"meow" +``` + +After: + +``` +nix-repl> { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; } +{ + attrs = { ... }; + list = [ ... ]; + list' = [ ... ]; +} + +nix-repl> :p { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; } +{ + attrs = { + a = { + b = { + c = { }; + }; + }; + }; + list = [ 1 ]; + list' = [ + 1 + 2 + 3 + ]; +} + +nix-repl> :p "meow" +meow +``` diff --git a/doc/manual/rl-next/shebang-single-quotes.md b/doc/manual/rl-next/shebang-single-quotes.md new file mode 100644 index 000000000..f60caad84 --- /dev/null +++ b/doc/manual/rl-next/shebang-single-quotes.md @@ -0,0 +1,13 @@ +--- +synopsis: Allow single quotes in nix-shell shebangs +prs: 8470 +credits: [ncfavier, horrors] +category: Improvements +--- + +Example: + +```bash +#! /usr/bin/env nix-shell +#! nix-shell -i bash --packages 'terraform.withPlugins (plugins: [ plugins.openstack ])' +``` diff --git a/doc/manual/rl-next/ssh-ng-phase-reporting.md b/doc/manual/rl-next/ssh-ng-phase-reporting.md new file mode 100644 index 000000000..02f357410 --- /dev/null +++ b/doc/manual/rl-next/ssh-ng-phase-reporting.md 
@@ -0,0 +1,8 @@ +--- +synopsis: Include phase reporting in log file for ssh-ng builds +prs: 9280 +credits: r-vdp +category: Fixes +--- + +Store phase information of remote builds run via `ssh-ng` remotes in the local log file, matching logging behavior of local builds. diff --git a/doc/manual/rl-next/ssh-ng-substitute.md b/doc/manual/rl-next/ssh-ng-substitute.md new file mode 100644 index 000000000..20f79c106 --- /dev/null +++ b/doc/manual/rl-next/ssh-ng-substitute.md @@ -0,0 +1,9 @@ +--- +synopsis: Fix `ssh-ng://` remotes not respecting `--substitute-on-destination` +prs: 9600 +credits: SharzyL +category: Fixes +--- + +`nix copy ssh-ng://` now respects `--substitute-on-destination`, as does `nix-copy-closure` and other commands that operate on remote `ssh-ng` stores. +Previously this was always set by `builders-use-substitutes` setting. diff --git a/doc/manual/rl-next/warn-ignored-client-settings.md b/doc/manual/rl-next/warn-ignored-client-settings.md new file mode 100644 index 000000000..88edd27fb --- /dev/null +++ b/doc/manual/rl-next/warn-ignored-client-settings.md @@ -0,0 +1,9 @@ +--- +synopsis: Warn about ignored client settings +cls: 1026 +credits: jade +category: Improvements +--- + +Emit a warning for every client-provided setting the daemon ignores because the requesting client is not run by a trusted user. +Previously this was only a debug message. diff --git a/doc/manual/src/language/derivations.md b/doc/manual/src/language/derivations.md index c10e8149d..28e686889 100644 --- a/doc/manual/src/language/derivations.md +++ b/doc/manual/src/language/derivations.md 
@@ -125,7 +125,7 @@ The builder is executed as follows: directory (typically, `/nix/store`). - `NIX_ATTRS_JSON_FILE` & `NIX_ATTRS_SH_FILE` if `__structuredAttrs` - is set to `true` for the dervation. A detailed explanation of this + is set to `true` for the derivation. A detailed explanation of this behavior can be found in the [section about structured attrs](./advanced-attributes.md#adv-attr-structuredAttrs). diff --git a/src/libexpr/primops/context.cc b/src/libexpr/primops/context.cc index 1eec8b316..36692aafb 100644 --- a/src/libexpr/primops/context.cc +++ b/src/libexpr/primops/context.cc @@ -36,7 +36,7 @@ static RegisterPrimOp primop_hasContext({ > **Example** > - > Many operations require a string context to be empty because they are intended only to work with "regular" strings, and also to help users avoid unintentionally loosing track of string context elements. + > Many operations require a string context to be empty because they are intended only to work with "regular" strings, and also to help users avoid unintentionally losing track of string context elements. > `builtins.hasContext` can help create better domain-specific errors in those case. > > ```nix 
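Review bot: The context line right after the corrected one in the primop_hasContext hunk still carries a typo of the same kind this commit fixes: "can help create better domain-specific errors in those case" should read `in those cases`. Since the commit's stated purpose is fixing typos in these doc strings, it is worth folding that one in rather than leaving it for a later pass. The enclosing `RegisterPrimOp primop_hasContext({ ... })` initializer begins before this hunk and its `.doc` raw string continues past it, so the rest of the text is not visible here.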
@@ -137,14 +137,14 @@ static RegisterPrimOp primop_addDrvOutputDependencies({ .name = "__addDrvOutputDependencies", .args = {"s"}, .doc = R"( - Create a copy of the given string where a single consant string context element is turned into a "derivation deep" string context element. + Create a copy of the given string where a single constant string context element is turned into a "derivation deep" string context element. The store path that is the constant string context element should point to a valid derivation, and end in `.drv`. The original string context element must not be empty or have multiple elements, and it must not have any other type of element other than a constant or derivation deep element. The latter is supported so this function is idempotent. - This is the opposite of [`builtins.unsafeDiscardOutputDependency`](#builtins-addDrvOutputDependencies). + This is the opposite of [`builtins.unsafeDiscardOutputDependency`](#builtins-unsafeDiscardOutputDependency). )", .fun = prim_addDrvOutputDependencies });