forked from lix-project/lix
release notes: add a bunch of them
Also fix typos introduced by the commits I read.
I have run the addDrvOutputDependencies release note past Ericson since
I was confused by what the heck it was doing, and he was saying it was
reasonable.
Change-Id: Id015353b00938682f7faae7de43df7f991a5237e
parent
0bf4c2971f
commit
dcc7ea5498
16 changed files with 233 additions and 4 deletions
|
@ -62,6 +62,27 @@ roberth:
|
|||
display_name: Robert Hensing
|
||||
github: roberth
|
||||
|
||||
ericson:
|
||||
display_name: John Ericson
|
||||
github: ericson2314
|
||||
|
||||
tomberek:
|
||||
display_name: Tom Bereknyei
|
||||
github: tomberek
|
||||
|
||||
valentin:
|
||||
display_name: Valentin Gagarin
|
||||
github: fricklerhandwerk
|
||||
|
||||
lovesegfault:
|
||||
github: lovesegfault
|
||||
|
||||
yshui:
|
||||
github: yshui
|
||||
|
||||
ncfavier:
|
||||
github: ncfavier
|
||||
|
||||
midnightveil:
|
||||
display_name: julia
|
||||
forgejo: midnightveil
|
||||
|
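Review bot: The keys added in this hunk mix two naming schemes: `ericson` and `valentin` are keyed by name while their handles are `ericson2314` and `fricklerhandwerk`, and the other new entries are keyed by handle. Release notes have to use the key (as in `credits: [ericson, horrors]`), so a short comment in this file saying how keys are chosen would save the next author a lookup. `lovesegfault`, `yshui` and `ncfavier` also have no `display_name`; please confirm the renderer falls back to the handle for them.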
@ -75,3 +96,16 @@ puck:
|
|||
alois31:
|
||||
forgejo: alois31
|
||||
github: alois31
|
||||
|
||||
DavHau:
|
||||
github: DavHau
|
||||
|
||||
SharzyL:
|
||||
github: SharzyL
|
||||
|
||||
r-vdp:
|
||||
github: r-vdp
|
||||
|
||||
artemist:
|
||||
display_name: Artemis Tosini
|
||||
forgejo: artemist
|
||||
|
|
14
doc/manual/rl-next/addDrvOutputDependencies.md
Normal file
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
synopsis: "Add a builtin `addDrvOutputDependencies`"
|
||||
prs: 9216
|
||||
issues: 7910
|
||||
credits: [ericson, horrors]
|
||||
category: Features
|
||||
---
|
||||
|
||||
This builtin allows taking a `drvPath`-like string and turning it into a string
|
||||
with context such that, when it lands in a derivation, it will create
|
||||
dependencies on *all the outputs* in its closure (!). Although `drvPath` does this
|
||||
today, this builtin starts forming a path to migrate to making `drvPath` have a
|
||||
more normal and less surprising string context behaviour (see linked issue and
|
||||
PR for more details).
|
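Review bot: The last sentence of the body, "this builtin starts forming a path to migrate to making `drvPath` have a more normal and less surprising string context behaviour", is hard to parse; something like "this builtin is the first step toward giving `drvPath` a more normal and less surprising string context behaviour" says the same thing. The "(!)" after "in its closure" would be better replaced by a clause saying why depending on all outputs is surprising, since that is the motivation for the whole entry.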
13
doc/manual/rl-next/always-allow-substitutes.md
Normal file
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
synopsis: "Add an option `always-allow-substitutes` to ignore `allowSubstitutes` in derivations"
|
||||
prs: 8047
|
||||
credits: [lovesegfault, horrors]
|
||||
category: Improvements
|
||||
---
|
||||
|
||||
You can set this setting to force a system to always allow substituting even
|
||||
trivial derivations like `pkgs.writeText`. This is useful for
|
||||
[`nix-fast-build --skip-cached`][skip-cached] and similar to be able to also
|
||||
ignore trivial derivations.
|
||||
|
||||
[skip-cached]: https://github.com/Mic92/nix-fast-build?tab=readme-ov-file#avoiding-redundant-package-downloads
|
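Review bot: The body never mentions `allowSubstitutes`, which the synopsis says this option overrides, so the reader has to infer the link from "trivial derivations like `pkgs.writeText`". Suggest stating directly that derivations which set `allowSubstitutes` to false are substituted anyway when `always-allow-substitutes` is enabled, and rewording "You can set this setting" to name the option.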
21
doc/manual/rl-next/cve-fod-fix.md
Normal file
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
synopsis: "Fix CVE-2024-27297 (GHSA-2ffj-w4mj-pg37)"
|
||||
cls: 266
|
||||
credits: [puck, jade, thufschmitt, tomberek, valentin]
|
||||
category: Fixes
|
||||
---
|
||||
|
||||
Since Lix fixed-output derivations run in the host network namespace (which we
|
||||
wish to change in the future, see
|
||||
[lix#285](https://git.lix.systems/lix-project/lix/issues/285)), they may open
|
||||
abstract-namespace Unix sockets to each other and to programs on the host. Lix
|
||||
contained a now-fixed time-of-check/time-of-use vulnerability where one
|
||||
derivation could send writable handles to files in their final location in the
|
||||
store to another over an abstract-namespace Unix socket, exit, then the other
|
||||
derivation could wait for Lix to hash the paths and overwrite them.
|
||||
|
||||
The impact of this vulnerability is that two malicious fixed-output derivations
|
||||
could create a poisoned path for the sources to Bash or similarly important
|
||||
software containing a backdoor, leading to local privilege execution.
|
||||
|
||||
CppNix advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
|
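Review bot: In the second paragraph, "leading to local privilege execution" looks like a slip for "local privilege escalation". The entry also describes the race but never says what the fix changed; one sentence on that, next to the CppNix advisory link, would tell readers what the change in `cls: 266` actually closes. The opening "Since Lix fixed-output derivations run in the host network namespace" can be misread as "since the Lix release"; "Because fixed-output derivations in Lix run in the host network namespace" avoids that.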
8
doc/manual/rl-next/gc-roots-darwin.md
Normal file
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
synopsis: Find GC roots using libproc on Darwin
|
||||
cls: 723
|
||||
credits: artemist
|
||||
category: Improvements
|
||||
---
|
||||
|
||||
Previously, the garbage collector found runtime roots on Darwin by shelling out to `lsof -n -w -F n` then parsing the result. The version of `lsof` packaged in Nixpkgs is very slow on Darwin, so Lix now uses `libproc` directly to speed up GC root discovery, in some tests taking 250ms now instead of 40s.
|
9
doc/manual/rl-next/macos-stack-size.md
Normal file
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
synopsis: Increase default stack size on macOS
|
||||
prs: 9860
|
||||
credits: 9999years
|
||||
category: Improvements
|
||||
---
|
||||
|
||||
Increase the default stack size on macOS to the same value as on Linux, subject to system restrictions to maximum stack size.
|
||||
This should reduce the number of stack overflow crashes on macOS when evaluating Nix code with deep call stacks.
|
9
doc/manual/rl-next/more-logs.md
Normal file
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
synopsis: Show more log context for failed builds
|
||||
prs: 9670
|
||||
credits: DavHau
|
||||
category: Improvements
|
||||
---
|
||||
|
||||
Show 25 lines of log tail instead of 10 for failed builds.
|
||||
This increases the chances of having useful information in the shown logs.
|
9
doc/manual/rl-next/nix-eval-derivations.md
Normal file
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
synopsis: Print derivation paths in `nix eval`
|
||||
cls: 446
|
||||
credits: 9999years
|
||||
category: Improvements
|
||||
---
|
||||
|
||||
`nix eval` previously printed derivations as attribute sets, so commands that print derivations (e.g. `nix eval nixpkgs#bash`) would infinitely loop and segfault.
|
||||
It now prints the `.drv` path the derivation generates instead.
|
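Review bot: "would infinitely loop and segfault" in the first body line names two outcomes that cannot both hold as written. If the printer recursed until it crashed, say so (for example "would recurse without bound and crash"), so users can match the entry to the segfault they saw.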
18
doc/manual/rl-next/nix-store-prefetch-unpack.md
Normal file
|
@ -0,0 +1,18 @@
|
|||
---
|
||||
synopsis: "Add an option `--unpack` to unpack archives in `nix store prefetch-file`"
|
||||
prs: 9805
|
||||
cls: 224
|
||||
credits: [yshui, horrors]
|
||||
category: Improvements
|
||||
---
|
||||
|
||||
It is now possible to fetch an archive then NAR-hash it (as in, hash it in the
|
||||
same manner as `builtins.fetchTarball` or fixed-output derivations with
|
||||
recursive hash type) in one command.
|
||||
|
||||
Example:
|
||||
|
||||
```
|
||||
~ » nix store prefetch-file --name source --unpack https://git.lix.systems/lix-project/lix/archive/2.90-beta.1.tar.gz
|
||||
Downloaded 'https://git.lix.systems/lix-project/lix/archive/2.90-beta.1.tar.gz' to '/nix/store/yvfqnq52ryjc3janw02ziv7kr6gd0cs1-source' (hash 'sha256-REWlo2RYHfJkxnmZTEJu3Cd/2VM+wjjpPy7Xi4BdDTQ=').
|
||||
```
|
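Review bot: The example fence has no language tag and starts with a personal shell prompt, `~ »`, while shebang-single-quotes.md in this same commit tags its fence `bash`. Suggest tagging this fence too and using a plain `$` prompt so that the command and its "Downloaded ..." output line are easy to tell apart.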
55
doc/manual/rl-next/print-in-repl.md
Normal file
|
@ -0,0 +1,55 @@
|
|||
---
|
||||
synopsis: "REPL printing improvements"
|
||||
prs: [9931, 10208]
|
||||
cls: [375, 492]
|
||||
credits: [9999years, horrors]
|
||||
category: Improvements
|
||||
---
|
||||
|
||||
The REPL printer has been improved to do the following:
|
||||
- If a string is passed to `:print`, it is printed literally to the screen
|
||||
- Structures will be printed as multiple lines when necessary
|
||||
|
||||
Before:
|
||||
|
||||
```
|
||||
nix-repl> { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
|
||||
{ attrs = { ... }; list = [ ... ]; list' = [ ... ]; }
|
||||
|
||||
nix-repl> :p { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
|
||||
{ attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
|
||||
|
||||
nix-repl> :p "meow"
|
||||
"meow"
|
||||
```
|
||||
|
||||
After:
|
||||
|
||||
```
|
||||
nix-repl> { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
|
||||
{
|
||||
attrs = { ... };
|
||||
list = [ ... ];
|
||||
list' = [ ... ];
|
||||
}
|
||||
|
||||
nix-repl> :p { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
|
||||
{
|
||||
attrs = {
|
||||
a = {
|
||||
b = {
|
||||
c = { };
|
||||
};
|
||||
};
|
||||
};
|
||||
list = [ 1 ];
|
||||
list' = [
|
||||
1
|
||||
2
|
||||
3
|
||||
];
|
||||
}
|
||||
|
||||
nix-repl> :p "meow"
|
||||
meow
|
||||
```
|
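Review bot: The first bullet names `:print` but both example blocks use `:p`; either say once that `:p` is the short form or use one spelling throughout. The bullet also only says the string is "printed literally", and it takes the `:p "meow"` pair at the end of the Before and After blocks to see that this means the quotes are dropped; stating that in the bullet would make the list stand on its own.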
13
doc/manual/rl-next/shebang-single-quotes.md
Normal file
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
synopsis: Allow single quotes in nix-shell shebangs
|
||||
prs: 8470
|
||||
credits: [ncfavier, horrors]
|
||||
category: Improvements
|
||||
---
|
||||
|
||||
Example:
|
||||
|
||||
```bash
|
||||
#! /usr/bin/env nix-shell
|
||||
#! nix-shell -i bash --packages 'terraform.withPlugins (plugins: [ plugins.openstack ])'
|
||||
```
|
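Review bot: The body is only "Example:" followed by the snippet, so the change is described nowhere except the synopsis. Add one sentence before the example stating that single-quoted arguments are now accepted on `#! nix-shell` lines, which is what the `--packages '...'` argument in the snippet relies on.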
8
doc/manual/rl-next/ssh-ng-phase-reporting.md
Normal file
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
synopsis: Include phase reporting in log file for ssh-ng builds
|
||||
prs: 9280
|
||||
credits: r-vdp
|
||||
category: Fixes
|
||||
---
|
||||
|
||||
Store phase information of remote builds run via `ssh-ng` remotes in the local log file, matching logging behavior of local builds.
|
9
doc/manual/rl-next/ssh-ng-substitute.md
Normal file
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
synopsis: Fix `ssh-ng://` remotes not respecting `--substitute-on-destination`
|
||||
prs: 9600
|
||||
credits: SharzyL
|
||||
category: Fixes
|
||||
---
|
||||
|
||||
`nix copy ssh-ng://` now respects `--substitute-on-destination`, as does `nix-copy-closure` and other commands that operate on remote `ssh-ng` stores.
|
||||
Previously this was always set by `builders-use-substitutes` setting.
|
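Review bot: The last line, "Previously this was always set by `builders-use-substitutes` setting.", is missing an article and leaves "this" without a clear referent. Suggest "Previously, this behaviour was always determined by the `builders-use-substitutes` setting."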
9
doc/manual/rl-next/warn-ignored-client-settings.md
Normal file
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
synopsis: Warn about ignored client settings
|
||||
cls: 1026
|
||||
credits: jade
|
||||
category: Improvements
|
||||
---
|
||||
|
||||
Emit a warning for every client-provided setting the daemon ignores because the requesting client is not run by a trusted user.
|
||||
Previously this was only a debug message.
|
|
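Review bot: The entry does not say where the warning is shown, to the client that sent the setting or in the daemon's own log. Since the warning exists because "the requesting client is not run by a trusted user", that detail decides who will notice it; please state it, along with the fact that one warning is emitted per ignored setting, which the first line implies.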
@ -125,7 +125,7 @@ The builder is executed as follows:
|
|||
directory (typically, `/nix/store`).
|
||||
|
||||
- `NIX_ATTRS_JSON_FILE` & `NIX_ATTRS_SH_FILE` if `__structuredAttrs`
|
||||
is set to `true` for the dervation. A detailed explanation of this
|
||||
is set to `true` for the derivation. A detailed explanation of this
|
||||
behavior can be found in the
|
||||
[section about structured attrs](./advanced-attributes.md#adv-attr-structuredAttrs).
|
||||
|
||||
|
|
|
@ -36,7 +36,7 @@ static RegisterPrimOp primop_hasContext({
|
|||
|
||||
> **Example**
|
||||
>
|
||||
> Many operations require a string context to be empty because they are intended only to work with "regular" strings, and also to help users avoid unintentionally loosing track of string context elements.
|
||||
> Many operations require a string context to be empty because they are intended only to work with "regular" strings, and also to help users avoid unintentionally losing track of string context elements.
|
||||
> `builtins.hasContext` can help create better domain-specific errors in those case.
|
||||
>
|
||||
> ```nix
|
||||
|
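Review bot: The context line right after the corrected one still reads "in those case."; since this hunk is already fixing a typo in the same doc comment, change it to "in those cases." here as well.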
@ -137,14 +137,14 @@ static RegisterPrimOp primop_addDrvOutputDependencies({
|
|||
.name = "__addDrvOutputDependencies",
|
||||
.args = {"s"},
|
||||
.doc = R"(
|
||||
Create a copy of the given string where a single consant string context element is turned into a "derivation deep" string context element.
|
||||
Create a copy of the given string where a single constant string context element is turned into a "derivation deep" string context element.
|
||||
|
||||
The store path that is the constant string context element should point to a valid derivation, and end in `.drv`.
|
||||
|
||||
The original string context element must not be empty or have multiple elements, and it must not have any other type of element other than a constant or derivation deep element.
|
||||
The latter is supported so this function is idempotent.
|
||||
|
||||
This is the opposite of [`builtins.unsafeDiscardOutputDependency`](#builtins-addDrvOutputDependencies).
|
||||
This is the opposite of [`builtins.unsafeDiscardOutputDependency`](#builtins-unsafeDiscardOutputDependency).
|
||||
)",
|
||||
.fun = prim_addDrvOutputDependencies
|
||||
});
|
||||
|
|
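Review bot: The unchanged sentence "The original string context element must not be empty or have multiple elements" reads as if a single element could be empty or contain elements; it is the string context that must hold exactly one element. The same sentence doubles up in "any other type of element other than". Both are worth fixing alongside the "constant" and link-anchor corrections in this hunk.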