239 lines
9.5 KiB
XML
239 lines
9.5 KiB
XML
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-16.09">
|
|
|
|
<title>Release 16.09 (“Flounder”, 2016/09/30)</title>
|
|
|
|
<para>In addition to numerous new and upgraded packages, this release
|
|
has the following highlights: </para>
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
<para>Many NixOS configurations and Nix packages now use
|
|
significantly less disk space, thanks to the <link
|
|
xlink:href="https://github.com/NixOS/nixpkgs/issues/7117">extensive
|
|
work on closure size reduction</link>. For example, the closure
|
|
size of a minimal NixOS container went down from ~424 MiB in 16.03
|
|
to ~212 MiB in 16.09, while the closure size of Firefox went from
|
|
~651 MiB to ~259 MiB.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>To improve security, packages are now <link
|
|
xlink:href="https://github.com/NixOS/nixpkgs/pull/12895">built
|
|
using various hardening features</link>. See the Nixpkgs manual
|
|
for more information.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Support for PXE netboot. See <xref
|
|
linkend="sec-booting-from-pxe" /> for documentation.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>X.org server 1.18. If you use the
|
|
<literal>ati_unfree</literal> driver, 1.17 is still used due to an
|
|
ABI incompatibility.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>This release is based on Glibc 2.24, GCC 5.4.0 and systemd
|
|
231. The default Linux kernel remains 4.4.</para>
|
|
</listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
<para>The following new services were added since the last release:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem><para><literal>(this will get automatically generated at release time)</literal></para></listitem>
|
|
</itemizedlist>
|
|
|
|
<para>When upgrading from a previous release, please be aware of the
|
|
following incompatible changes:</para>
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem>
|
|
<para>A large number of packages have been converted to use the multiple outputs feature
|
|
of Nix to greatly reduce the amount of required disk space, as
|
|
mentioned above. This may require changes
|
|
to any custom packages to make them build again; see the relevant chapter in the
|
|
Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions
|
|
related to multiple-output packages
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were changed</link>
|
|
late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.)
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Previous versions of Nixpkgs had support for all versions of the LTS
|
|
Haskell package set. That support has been dropped. The previously provided
|
|
<literal>haskell.packages.lts-x_y</literal> package sets still exist in
|
|
name to aviod breaking user code, but these package sets don't actually
|
|
contain the versions mandated by the corresponding LTS release. Instead,
|
|
our package set it loosely based on the latest available LTS release, i.e.
|
|
LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will
|
|
drop those old names entirely. <link
|
|
xlink:href="http://lists.science.uu.nl/pipermail/nix-dev/2016-June/020585.html">The
|
|
motivation for this change</link> has been discussed at length on the
|
|
<literal>nix-dev</literal> mailing list and in <link
|
|
xlink:href="https://github.com/NixOS/nixpkgs/issues/14897">Github issue
|
|
#14897</link>. Development strategies for Haskell hackers who want to rely
|
|
on Nix and NixOS have been described in <link
|
|
xlink:href="http://lists.science.uu.nl/pipermail/nix-dev/2016-June/020642.html">another
|
|
nix-dev article</link>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Shell aliases for systemd sub-commands
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were dropped</link>:
|
|
<command>start</command>, <command>stop</command>,
|
|
<command>restart</command>, <command>status</command>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Redis now binds to 127.0.0.1 only instead of listening to all network interfaces. This is the default
|
|
behavior of Redis 3.2</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
<literal>/var/empty</literal> is now immutable. Activation script runs <command>chattr +i</command>
|
|
to forbid any modifications inside the folder. See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18365">
|
|
the pull request</link> for what bugs this caused.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Gitlab's maintainance script
|
|
<command>gitlab-runner</command> was removed and split up into the
|
|
more clearer <command>gitlab-run</command> and
|
|
<command>gitlab-rake</command> scripts, because
|
|
<command>gitlab-runner</command> is a component of Gitlab
|
|
CI.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><literal>services.xserver.libinput.accelProfile</literal> default
|
|
changed from <literal>flat</literal> to <literal>adaptive</literal>,
|
|
as per <link xlink:href="https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79">
|
|
official documentation</link>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><literal>fonts.fontconfig.ultimate.rendering</literal> was removed
|
|
because our presets were obsolete for some time. New presets are hardcoded
|
|
into FreeType; you can select a preset via <literal>fonts.fontconfig.ultimate.preset</literal>.
|
|
You can customize those presets via ordinary environment variables, using
|
|
<literal>environment.variables</literal>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The <literal>audit</literal> service is no longer enabled by default.
|
|
Use <literal>security.audit.enable = true</literal> to explicitly enable it.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
<literal>pkgs.linuxPackages.virtualbox</literal> now contains only the
|
|
kernel modules instead of the VirtualBox user space binaries.
|
|
If you want to reference the user space binaries, you have to use the new
|
|
<literal>pkgs.virtualbox</literal> instead.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><literal>goPackages</literal> was replaced with separated Go
|
|
applications in appropriate <literal>nixpkgs</literal>
|
|
categories. Each Go package uses its own dependency set. There's
|
|
also a new <literal>go2nix</literal> tool introduced to generate a
|
|
Go package definition from its Go source automatically.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><literal>services.mongodb.extraConfig</literal> configuration format
|
|
was changed to YAML.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>
|
|
PHP has been upgraded to 7.0
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
|
|
<para>Other notable improvements:</para>
|
|
|
|
<itemizedlist>
|
|
|
|
<listitem><para>Revamped grsecurity/PaX support. There is now only a single
|
|
general-purpose distribution kernel and the configuration interface has been
|
|
streamlined. Desktop users should be able to simply set
|
|
<programlisting>security.grsecurity.enable = true</programlisting> to get
|
|
a reasonably secure system without having to sacrifice too much
|
|
functionality. See <xref linkend="sec-grsecurity" /> for documentation
|
|
</para></listitem>
|
|
|
|
<listitem><para>Special filesystems, like <literal>/proc</literal>,
|
|
<literal>/run</literal> and others, now have the same mount options
|
|
as recommended by systemd and are unified across different places in
|
|
NixOS. Mount options are updated during <command>nixos-rebuild
|
|
switch</command> if possible. One benefit from this is improved
|
|
security — most such filesystems are now mounted with
|
|
<literal>noexec</literal>, <literal>nodev</literal> and/or
|
|
<literal>nosuid</literal> options.</para></listitem>
|
|
|
|
<listitem><para>The reverse path filter was interfering with DHCPv4 server
|
|
operation in the past. An exception for DHCPv4 and a new option to log
|
|
packets that were dropped due to the reverse path filter was added
|
|
(<literal>networking.firewall.logReversePathDrops</literal>) for easier
|
|
debugging.</para></listitem>
|
|
|
|
<listitem><para>Containers configuration within
|
|
<literal>containers.<name>.config</literal> is <link
|
|
xlink:href="https://github.com/NixOS/nixpkgs/pull/17365">now
|
|
properly typed and checked</link>. In particular, partial
|
|
configurations are merged correctly.</para></listitem>
|
|
|
|
<listitem>
|
|
<para>The directory container setuid wrapper programs,
|
|
<filename>/var/setuid-wrappers</filename>, <link
|
|
xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now
|
|
updated atomically to prevent failures if the switch to a new
|
|
configuration is interrupted.</link></para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><literal>services.xserver.startGnuPGAgent</literal>
|
|
has been removed due to GnuPG 2.1.x bump. See <link
|
|
xlink:href="https://github.com/NixOS/nixpkgs/commit/5391882ebd781149e213e8817fba6ac3c503740c">
|
|
how to achieve similar behavior</link>. You might need to
|
|
<literal>pkill gpg-agent</literal> after the upgrade
|
|
to prevent a stale agent being in the way.
|
|
</para>
|
|
</listitem>
|
|
|
|
<listitem><para>
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/commit/e561edc322d275c3687fec431935095cfc717147">
|
|
Declarative users could share the uid due to the bug in
|
|
the script handling conflict resolution.
|
|
</link>
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
Gummi boot has been replaced using systemd-boot.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
Hydra package and NixOS module were added for convenience.
|
|
</para></listitem>
|
|
|
|
</itemizedlist>
|
|
|
|
|
|
</section>
|