release notes: add a bunch of them

Also fix typos introduced by the commits I read.

I have run the addDrvOutputDependencies release note past Ericson since
I was confused by what the heck it was doing, and he was saying it was
reasonable.

Change-Id: Id015353b00938682f7faae7de43df7f991a5237e
Jade Lovelace 2024-05-20 12:17:54 -07:00 committed by eldritch horrors
parent 0bf4c2971f
commit dcc7ea5498
16 changed files with 233 additions and 4 deletions


@ -62,6 +62,27 @@ roberth:
display_name: Robert Hensing display_name: Robert Hensing
github: roberth github: roberth
ericson:
display_name: John Ericson
github: ericson2314
tomberek:
display_name: Tom Bereknyei
github: tomberek
valentin:
display_name: Valentin Gagarin
github: fricklerhandwerk
lovesegfault:
github: lovesegfault
yshui:
github: yshui
ncfavier:
github: ncfavier
midnightveil: midnightveil:
display_name: julia display_name: julia
forgejo: midnightveil forgejo: midnightveil
@ -75,3 +96,16 @@ puck:
alois31: alois31:
forgejo: alois31 forgejo: alois31
github: alois31 github: alois31
DavHau:
github: DavHau
SharzyL:
github: SharzyL
r-vdp:
github: r-vdp
artemist:
display_name: Artemis Tosini
forgejo: artemist


@ -0,0 +1,14 @@
---
synopsis: "Add a builtin `addDrvOutputDependencies`"
prs: 9216
issues: 7910
credits: [ericson, horrors]
category: Features
---
This builtin allows taking a `drvPath`-like string and turning it into a string
with context such that, when it lands in a derivation, it will create
dependencies on *all the outputs* in its closure (!). Although `drvPath` does this
today, this builtin starts forming a path to migrate to making `drvPath` have a
more normal and less surprising string context behaviour (see linked issue and
PR for more details).
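Review bot: the note never states what input the builtin accepts, so a reader cannot tell when it applies; the primop doc changed later in this same commit says the string must carry exactly one context element, a constant element pointing at a `.drv` path (or an existing derivation-deep element, which makes the call idempotent). Add one sentence to that effect before "Although `drvPath` does this today". The "(!)" aside also reads as chat rather than documentation; spell out why depending on every output in the closure is the surprising part.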


@ -0,0 +1,13 @@
---
synopsis: "Add an option `always-allow-substitutes` to ignore `allowSubstitutes` in derivations"
prs: 8047
credits: [lovesegfault, horrors]
category: Improvements
---
You can set this setting to force a system to always allow substituting even
trivial derivations like `pkgs.writeText`. This is useful for
[`nix-fast-build --skip-cached`][skip-cached] and similar to be able to also
ignore trivial derivations.
[skip-cached]: https://github.com/Mic92/nix-fast-build?tab=readme-ov-file#avoiding-redundant-package-downloads
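Review bot: "You can set this setting to force a system to always allow substituting" is awkward and never names the derivation attribute being overridden, even though the synopsis does; suggest "Setting `always-allow-substitutes` makes Lix ignore `allowSubstitutes = false` in derivations, so even trivial derivations like `pkgs.writeText` can be substituted."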


@ -0,0 +1,21 @@
---
synopsis: "Fix CVE-2024-27297 (GHSA-2ffj-w4mj-pg37)"
cls: 266
credits: [puck, jade, thufschmitt, tomberek, valentin]
category: Fixes
---
Since Lix fixed-output derivations run in the host network namespace (which we
wish to change in the future, see
[lix#285](https://git.lix.systems/lix-project/lix/issues/285)), they may open
abstract-namespace Unix sockets to each other and to programs on the host. Lix
contained a now-fixed time-of-check/time-of-use vulnerability where one
derivation could send writable handles to files in their final location in the
store to another over an abstract-namespace Unix socket, exit, then the other
derivation could wait for Lix to hash the paths and overwrite them.
The impact of this vulnerability is that two malicious fixed-output derivations
could create a poisoned path for the sources to Bash or similarly important
software containing a backdoor, leading to local privilege execution.
CppNix advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
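Review bot: "local privilege execution" in the impact sentence is not a term; given the scenario described (a poisoned store path for Bash containing a backdoor), "local privilege escalation" is presumably meant. The sentence starting "Lix contained a now-fixed time-of-check/time-of-use vulnerability" is also a long run-on; split it at "exit," so the two steps the note already describes (one derivation hands writable handles to its output paths over the socket and exits; the other waits for Lix to hash the paths and then overwrites them) read as a sequence.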


@ -0,0 +1,8 @@
---
synopsis: Find GC roots using libproc on Darwin
cls: 723
credits: artemist
category: Improvements
---
Previously, the garbage collector found runtime roots on Darwin by shelling out to `lsof -n -w -F n` then parsing the result. The version of `lsof` packaged in Nixpkgs is very slow on Darwin, so Lix now uses `libproc` directly to speed up GC root discovery, in some tests taking 250ms now instead of 40s.


@ -0,0 +1,9 @@
---
synopsis: Increase default stack size on macOS
prs: 9860
credits: 9999years
category: Improvements
---
Increase the default stack size on macOS to the same value as on Linux, subject to system restrictions to maximum stack size.
This should reduce the number of stack overflow crashes on macOS when evaluating Nix code with deep call stacks.
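Review bot: "subject to system restrictions to maximum stack size" is ungrammatical; suggest "subject to the system's limit on maximum stack size".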


@ -0,0 +1,9 @@
---
synopsis: Show more log context for failed builds
prs: 9670
credits: DavHau
category: Improvements
---
Show 25 lines of log tail instead of 10 for failed builds.
This increases the chances of having useful information in the shown logs.


@ -0,0 +1,9 @@
---
synopsis: Print derivation paths in `nix eval`
cls: 446
credits: 9999years
category: Improvements
---
`nix eval` previously printed derivations as attribute sets, so commands that print derivations (e.g. `nix eval nixpkgs#bash`) would infinitely loop and segfault.
It now prints the `.drv` path the derivation generates instead.


@ -0,0 +1,18 @@
---
synopsis: "Add an option `--unpack` to unpack archives in `nix store prefetch-file`"
prs: 9805
cls: 224
credits: [yshui, horrors]
category: Improvements
---
It is now possible to fetch an archive then NAR-hash it (as in, hash it in the
same manner as `builtins.fetchTarball` or fixed-output derivations with
recursive hash type) in one command.
Example:
```
~ » nix store prefetch-file --name source --unpack https://git.lix.systems/lix-project/lix/archive/2.90-beta.1.tar.gz
Downloaded 'https://git.lix.systems/lix-project/lix/archive/2.90-beta.1.tar.gz' to '/nix/store/yvfqnq52ryjc3janw02ziv7kr6gd0cs1-source' (hash 'sha256-REWlo2RYHfJkxnmZTEJu3Cd/2VM+wjjpPy7Xi4BdDTQ=').
```


@ -0,0 +1,55 @@
---
synopsis: "REPL printing improvements"
prs: [9931, 10208]
cls: [375, 492]
credits: [9999years, horrors]
category: Improvements
---
The REPL printer has been improved to do the following:
- If a string is passed to `:print`, it is printed literally to the screen
- Structures will be printed as multiple lines when necessary
Before:
```
nix-repl> { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
{ attrs = { ... }; list = [ ... ]; list' = [ ... ]; }
nix-repl> :p { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
{ attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
nix-repl> :p "meow"
"meow"
```
After:
```
nix-repl> { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
{
attrs = { ... };
list = [ ... ];
list' = [ ... ];
}
nix-repl> :p { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
{
attrs = {
a = {
b = {
c = { };
};
};
};
list = [ 1 ];
list' = [
1
2
3
];
}
nix-repl> :p "meow"
meow
```


@ -0,0 +1,13 @@
---
synopsis: Allow single quotes in nix-shell shebangs
prs: 8470
credits: [ncfavier, horrors]
category: Improvements
---
Example:
```bash
#! /usr/bin/env nix-shell
#! nix-shell -i bash --packages 'terraform.withPlugins (plugins: [ plugins.openstack ])'
```
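Review bot: this note is only an example and never says what changed; add a sentence before "Example:" such as "Single-quoted arguments on a `#! nix-shell` line are now parsed as one argument, so package expressions containing spaces can be passed to `--packages`." The example then serves as evidence for that sentence rather than standing in for it.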


@ -0,0 +1,8 @@
---
synopsis: Include phase reporting in log file for ssh-ng builds
prs: 9280
credits: r-vdp
category: Fixes
---
Store phase information of remote builds run via `ssh-ng` remotes in the local log file, matching logging behavior of local builds.


@ -0,0 +1,9 @@
---
synopsis: Fix `ssh-ng://` remotes not respecting `--substitute-on-destination`
prs: 9600
credits: SharzyL
category: Fixes
---
`nix copy ssh-ng://` now respects `--substitute-on-destination`, as does `nix-copy-closure` and other commands that operate on remote `ssh-ng` stores.
Previously this was always set by `builders-use-substitutes` setting.
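Review bot: "was always set by `builders-use-substitutes` setting" is missing "the"; and "as does `nix-copy-closure` and other commands" should be "as do `nix-copy-closure` and other commands".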


@ -0,0 +1,9 @@
---
synopsis: Warn about ignored client settings
cls: 1026
credits: jade
category: Improvements
---
Emit a warning for every client-provided setting the daemon ignores because the requesting client is not run by a trusted user.
Previously this was only a debug message.


@ -125,7 +125,7 @@ The builder is executed as follows:
directory (typically, `/nix/store`). directory (typically, `/nix/store`).
- `NIX_ATTRS_JSON_FILE` & `NIX_ATTRS_SH_FILE` if `__structuredAttrs` - `NIX_ATTRS_JSON_FILE` & `NIX_ATTRS_SH_FILE` if `__structuredAttrs`
is set to `true` for the dervation. A detailed explanation of this is set to `true` for the derivation. A detailed explanation of this
behavior can be found in the behavior can be found in the
[section about structured attrs](./advanced-attributes.md#adv-attr-structuredAttrs). [section about structured attrs](./advanced-attributes.md#adv-attr-structuredAttrs).


@ -36,7 +36,7 @@ static RegisterPrimOp primop_hasContext({
> **Example** > **Example**
> >
> Many operations require a string context to be empty because they are intended only to work with "regular" strings, and also to help users avoid unintentionally loosing track of string context elements. > Many operations require a string context to be empty because they are intended only to work with "regular" strings, and also to help users avoid unintentionally losing track of string context elements.
> `builtins.hasContext` can help create better domain-specific errors in those case. > `builtins.hasContext` can help create better domain-specific errors in those case.
> >
> ```nix > ```nix
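Review bot: this hunk corrects "loosing" but leaves "in those case" on the very next line of the `builtins.hasContext` doc; it should be "in those cases" and belongs in the same typo pass.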
@ -137,14 +137,14 @@ static RegisterPrimOp primop_addDrvOutputDependencies({
.name = "__addDrvOutputDependencies", .name = "__addDrvOutputDependencies",
.args = {"s"}, .args = {"s"},
.doc = R"( .doc = R"(
Create a copy of the given string where a single consant string context element is turned into a "derivation deep" string context element. Create a copy of the given string where a single constant string context element is turned into a "derivation deep" string context element.
The store path that is the constant string context element should point to a valid derivation, and end in `.drv`. The store path that is the constant string context element should point to a valid derivation, and end in `.drv`.
The original string context element must not be empty or have multiple elements, and it must not have any other type of element other than a constant or derivation deep element. The original string context element must not be empty or have multiple elements, and it must not have any other type of element other than a constant or derivation deep element.
The latter is supported so this function is idempotent. The latter is supported so this function is idempotent.
This is the opposite of [`builtins.unsafeDiscardOutputDependency`](#builtins-addDrvOutputDependencies). This is the opposite of [`builtins.unsafeDiscardOutputDependency`](#builtins-unsafeDiscardOutputDependency).
)", )",
.fun = prim_addDrvOutputDependencies .fun = prim_addDrvOutputDependencies
}); });
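Review bot: "The original string context element must not be empty or have multiple elements" confuses the context with its element; an element cannot have multiple elements. Suggest "The original string context must not be empty or have multiple elements, and its single element must be either a constant or a derivation deep element." This is pre-existing text, but the hunk is already a wording pass over this doc string.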