author: Jade Lovelace <lix@jade.fyi> 2024-05-20 12:17:54 -0700
committer: eldritch horrors <pennae@lix.systems> 2024-05-22 21:13:56 +0200
commit: dcc7ea54986e0712666b15b502b6f89dd42b000c
tree: b61015050de043a02c0b78a9cac6fe4b985d0398 /doc
parent: 0bf4c2971f6b57dbba3b79986d9f65ae7924260f
release notes: add a bunch of them
Also fix typos introduced by the commits I read. I have run the addDrvOutputDependencies release note past Ericson since I was confused by what the heck it was doing, and he was saying it was reasonable.

Change-Id: Id015353b00938682f7faae7de43df7f991a5237e
Diffstat (limited to 'doc')
-rw-r--r-- doc/manual/change-authors.yml 34
-rw-r--r-- doc/manual/rl-next/addDrvOutputDependencies.md 14
-rw-r--r-- doc/manual/rl-next/always-allow-substitutes.md 13
-rw-r--r-- doc/manual/rl-next/cve-fod-fix.md 21
-rw-r--r-- doc/manual/rl-next/gc-roots-darwin.md 8
-rw-r--r-- doc/manual/rl-next/macos-stack-size.md 9
-rw-r--r-- doc/manual/rl-next/more-logs.md 9
-rw-r--r-- doc/manual/rl-next/nix-eval-derivations.md 9
-rw-r--r-- doc/manual/rl-next/nix-store-prefetch-unpack.md 18
-rw-r--r-- doc/manual/rl-next/print-in-repl.md 55
-rw-r--r-- doc/manual/rl-next/shebang-single-quotes.md 13
-rw-r--r-- doc/manual/rl-next/ssh-ng-phase-reporting.md 8
-rw-r--r-- doc/manual/rl-next/ssh-ng-substitute.md 9
-rw-r--r-- doc/manual/rl-next/warn-ignored-client-settings.md 9
-rw-r--r-- doc/manual/src/language/derivations.md 2
15 files changed, 230 insertions, 1 deletions
diff --git a/doc/manual/change-authors.yml b/doc/manual/change-authors.yml
index 1b59da9ca..6f0008eea 100644
--- a/doc/manual/change-authors.yml
+++ b/doc/manual/change-authors.yml
@@ -62,6 +62,27 @@ roberth:
display_name: Robert Hensing
github: roberth
+ericson:
+ display_name: John Ericson
+ github: ericson2314
+
+tomberek:
+ display_name: Tom Bereknyei
+ github: tomberek
+
+valentin:
+ display_name: Valentin Gagarin
+ github: fricklerhandwerk
+
+lovesegfault:
+ github: lovesegfault
+
+yshui:
+ github: yshui
+
+ncfavier:
+ github: ncfavier
+
midnightveil:
display_name: julia
forgejo: midnightveil
@@ -75,3 +96,16 @@ puck:
alois31:
forgejo: alois31
github: alois31
+
+DavHau:
+ github: DavHau
+
+SharzyL:
+ github: SharzyL
+
+r-vdp:
+ github: r-vdp
+
+artemist:
+ display_name: Artemis Tosini
+ forgejo: artemist
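Review bot: the release notes added in this change credit `horrors`, `jade`, `9999years` and `thufschmitt`, and none of those keys is added in either hunk of this file. Please confirm they are already defined in `change-authors.yml` so that every `credits:` entry has a matching author record. Separately, several new entries (`lovesegfault`, `yshui`, `ncfavier`, `DavHau`, `SharzyL`, `r-vdp`) carry only a `github:` key while their neighbours also set `display_name`; add one where the person has a preferred name.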
diff --git a/doc/manual/rl-next/addDrvOutputDependencies.md b/doc/manual/rl-next/addDrvOutputDependencies.md
new file mode 100644
index 000000000..0442383ec
--- /dev/null
+++ b/doc/manual/rl-next/addDrvOutputDependencies.md
@@ -0,0 +1,14 @@
+---
+synopsis: "Add a builtin `addDrvOutputDependencies`"
+prs: 9216
+issues: 7910
+credits: [ericson, horrors]
+category: Features
+---
+
+This builtin allows taking a `drvPath`-like string and turning it into a string
+with context such that, when it lands in a derivation, it will create
+dependencies on *all the outputs* in its closure (!). Although `drvPath` does this
+today, this builtin starts forming a path to migrate to making `drvPath` have a
+more normal and less surprising string context behaviour (see linked issue and
+PR for more details).
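Review bot: "a `drvPath`-like string" in the first sentence leaves the accepted input undefined, and the body never shows the builtin being called. Say which strings and string contexts it accepts and add a short usage example, so the entry can be read without opening issue 7910. The "(!)" after "in its closure" is also out of register for release notes; explain why the behaviour is surprising instead.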
diff --git a/doc/manual/rl-next/always-allow-substitutes.md b/doc/manual/rl-next/always-allow-substitutes.md
new file mode 100644
index 000000000..60b588fd7
--- /dev/null
+++ b/doc/manual/rl-next/always-allow-substitutes.md
@@ -0,0 +1,13 @@
+---
+synopsis: "Add an option `always-allow-substitutes` to ignore `allowSubstitutes` in derivations"
+prs: 8047
+credits: [lovesegfault, horrors]
+category: Improvements
+---
+
+You can set this setting to force a system to always allow substituting even
+trivial derivations like `pkgs.writeText`. This is useful for
+[`nix-fast-build --skip-cached`][skip-cached] and similar to be able to also
+ignore trivial derivations.
+
+[skip-cached]: https://github.com/Mic92/nix-fast-build?tab=readme-ov-file#avoiding-redundant-package-downloads
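Review bot: "You can set this setting" in the first sentence is awkward, and the note does not say what the default is. Suggest opening with "Set `always-allow-substitutes` to force ..." and stating the default value, since the option overrides a per-derivation `allowSubstitutes` choice and readers will want to know whether behaviour changes without opting in.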
diff --git a/doc/manual/rl-next/cve-fod-fix.md b/doc/manual/rl-next/cve-fod-fix.md
new file mode 100644
index 000000000..4499f639b
--- /dev/null
+++ b/doc/manual/rl-next/cve-fod-fix.md
@@ -0,0 +1,21 @@
+---
+synopsis: "Fix CVE-2024-27297 (GHSA-2ffj-w4mj-pg37)"
+cls: 266
+credits: [puck, jade, thufschmitt, tomberek, valentin]
+category: Fixes
+---
+
+Since Lix fixed-output derivations run in the host network namespace (which we
+wish to change in the future, see
+[lix#285](https://git.lix.systems/lix-project/lix/issues/285)), they may open
+abstract-namespace Unix sockets to each other and to programs on the host. Lix
+contained a now-fixed time-of-check/time-of-use vulnerability where one
+derivation could send writable handles to files in their final location in the
+store to another over an abstract-namespace Unix socket, exit, then the other
+derivation could wait for Lix to hash the paths and overwrite them.
+
+The impact of this vulnerability is that two malicious fixed-output derivations
+could create a poisoned path for the sources to Bash or similarly important
+software containing a backdoor, leading to local privilege execution.
+
+CppNix advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
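Review bot: "leading to local privilege execution" at the end of the second paragraph reads like a slip for "local privilege escalation". The entry also describes the time-of-check/time-of-use race in detail but never says what the fix changes, which is what someone reading a CVE entry needs in order to judge whether the issue is closed or only narrowed while fixed-output derivations still share the host network namespace (lix#285). Add one sentence on the mitigation taken in cl 266.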
diff --git a/doc/manual/rl-next/gc-roots-darwin.md b/doc/manual/rl-next/gc-roots-darwin.md
new file mode 100644
index 000000000..e8e90a397
--- /dev/null
+++ b/doc/manual/rl-next/gc-roots-darwin.md
@@ -0,0 +1,8 @@
+---
+synopsis: Find GC roots using libproc on Darwin
+cls: 723
+credits: artemist
+category: Improvements
+---
+
+Previously, the garbage collector found runtime roots on Darwin by shelling out to `lsof -n -w -F n` then parsing the result. The version of `lsof` packaged in Nixpkgs is very slow on Darwin, so Lix now uses `libproc` directly to speed up GC root discovery, in some tests taking 250ms now instead of 40s.
diff --git a/doc/manual/rl-next/macos-stack-size.md b/doc/manual/rl-next/macos-stack-size.md
new file mode 100644
index 000000000..efbba1577
--- /dev/null
+++ b/doc/manual/rl-next/macos-stack-size.md
@@ -0,0 +1,9 @@
+---
+synopsis: Increase default stack size on macOS
+prs: 9860
+credits: 9999years
+category: Improvements
+---
+
+Increase the default stack size on macOS to the same value as on Linux, subject to system restrictions to maximum stack size.
+This should reduce the number of stack overflow crashes on macOS when evaluating Nix code with deep call stacks.
diff --git a/doc/manual/rl-next/more-logs.md b/doc/manual/rl-next/more-logs.md
new file mode 100644
index 000000000..e239da5ad
--- /dev/null
+++ b/doc/manual/rl-next/more-logs.md
@@ -0,0 +1,9 @@
+---
+synopsis: Show more log context for failed builds
+prs: 9670
+credits: DavHau
+category: Improvements
+---
+
+Show 25 lines of log tail instead of 10 for failed builds.
+This increases the chances of having useful information in the shown logs.
diff --git a/doc/manual/rl-next/nix-eval-derivations.md b/doc/manual/rl-next/nix-eval-derivations.md
new file mode 100644
index 000000000..ae1952283
--- /dev/null
+++ b/doc/manual/rl-next/nix-eval-derivations.md
@@ -0,0 +1,9 @@
+---
+synopsis: Print derivation paths in `nix eval`
+cls: 446
+credits: 9999years
+category: Improvements
+---
+
+`nix eval` previously printed derivations as attribute sets, so commands that print derivations (e.g. `nix eval nixpkgs#bash`) would infinitely loop and segfault.
+It now prints the `.drv` path the derivation generates instead.
diff --git a/doc/manual/rl-next/nix-store-prefetch-unpack.md b/doc/manual/rl-next/nix-store-prefetch-unpack.md
new file mode 100644
index 000000000..5627c2c75
--- /dev/null
+++ b/doc/manual/rl-next/nix-store-prefetch-unpack.md
@@ -0,0 +1,18 @@
+---
+synopsis: "Add an option `--unpack` to unpack archives in `nix store prefetch-file`"
+prs: 9805
+cls: 224
+credits: [yshui, horrors]
+category: Improvements
+---
+
+It is now possible to fetch an archive then NAR-hash it (as in, hash it in the
+same manner as `builtins.fetchTarball` or fixed-output derivations with
+recursive hash type) in one command.
+
+Example:
+
+```
+~ ยป nix store prefetch-file --name source --unpack https://git.lix.systems/lix-project/lix/archive/2.90-beta.1.tar.gz
+Downloaded 'https://git.lix.systems/lix-project/lix/archive/2.90-beta.1.tar.gz' to '/nix/store/yvfqnq52ryjc3janw02ziv7kr6gd0cs1-source' (hash 'sha256-REWlo2RYHfJkxnmZTEJu3Cd/2VM+wjjpPy7Xi4BdDTQ=').
+```
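Review bot: the example command is prefixed with a personal shell prompt containing non-ASCII characters, which does not render reliably; use a plain `$ ` prompt before `nix store prefetch-file`. The fence is also untagged, whereas the shebang note in this same change tags its fence with `bash`; pick one convention for the release notes.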
diff --git a/doc/manual/rl-next/print-in-repl.md b/doc/manual/rl-next/print-in-repl.md
new file mode 100644
index 000000000..e0ac8e17f
--- /dev/null
+++ b/doc/manual/rl-next/print-in-repl.md
@@ -0,0 +1,55 @@
+---
+synopsis: "REPL printing improvements"
+prs: [9931, 10208]
+cls: [375, 492]
+credits: [9999years, horrors]
+category: Improvements
+---
+
+The REPL printer has been improved to do the following:
+- If a string is passed to `:print`, it is printed literally to the screen
+- Structures will be printed as multiple lines when necessary
+
+Before:
+
+```
+nix-repl> { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
+{ attrs = { ... }; list = [ ... ]; list' = [ ... ]; }
+
+nix-repl> :p { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
+{ attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
+
+nix-repl> :p "meow"
+"meow"
+```
+
+After:
+
+```
+nix-repl> { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
+{
+ attrs = { ... };
+ list = [ ... ];
+ list' = [ ... ];
+}
+
+nix-repl> :p { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
+{
+ attrs = {
+ a = {
+ b = {
+ c = { };
+ };
+ };
+ };
+ list = [ 1 ];
+ list' = [
+ 1
+ 2
+ 3
+ ];
+}
+
+nix-repl> :p "meow"
+meow
+```
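Review bot: the first bullet says a string passed to `:print` is printed literally, but both the Before and After transcripts use `:p`; use one spelling throughout or say that `:p` is the short form. There is also no blank line between "do the following:" and the first bullet, which stricter Markdown renderers will fold into the paragraph. "When necessary" in the second bullet is vague given that the After output keeps `list = [ 1 ];` on one line and splits `list'`; state the rule that decides this.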
diff --git a/doc/manual/rl-next/shebang-single-quotes.md b/doc/manual/rl-next/shebang-single-quotes.md
new file mode 100644
index 000000000..f60caad84
--- /dev/null
+++ b/doc/manual/rl-next/shebang-single-quotes.md
@@ -0,0 +1,13 @@
+---
+synopsis: Allow single quotes in nix-shell shebangs
+prs: 8470
+credits: [ncfavier, horrors]
+category: Improvements
+---
+
+Example:
+
+```bash
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash --packages 'terraform.withPlugins (plugins: [ plugins.openstack ])'
+```
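Review bot: the body consists only of "Example:" and a snippet, with no sentence saying what changed. Add one line stating that single-quoted arguments are now accepted in `#! nix-shell` lines and what happened to such a line before, so the entry is understandable without opening PR 8470.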
diff --git a/doc/manual/rl-next/ssh-ng-phase-reporting.md b/doc/manual/rl-next/ssh-ng-phase-reporting.md
new file mode 100644
index 000000000..02f357410
--- /dev/null
+++ b/doc/manual/rl-next/ssh-ng-phase-reporting.md
@@ -0,0 +1,8 @@
+---
+synopsis: Include phase reporting in log file for ssh-ng builds
+prs: 9280
+credits: r-vdp
+category: Fixes
+---
+
+Store phase information of remote builds run via `ssh-ng` remotes in the local log file, matching logging behavior of local builds.
diff --git a/doc/manual/rl-next/ssh-ng-substitute.md b/doc/manual/rl-next/ssh-ng-substitute.md
new file mode 100644
index 000000000..20f79c106
--- /dev/null
+++ b/doc/manual/rl-next/ssh-ng-substitute.md
@@ -0,0 +1,9 @@
+---
+synopsis: Fix `ssh-ng://` remotes not respecting `--substitute-on-destination`
+prs: 9600
+credits: SharzyL
+category: Fixes
+---
+
+`nix copy ssh-ng://` now respects `--substitute-on-destination`, as does `nix-copy-closure` and other commands that operate on remote `ssh-ng` stores.
+Previously this was always set by `builders-use-substitutes` setting.
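Review bot: the last sentence, "Previously this was always set by `builders-use-substitutes` setting.", is missing an article and leaves "this" without a clear referent. Suggest naming the subject and writing "the `builders-use-substitutes` setting". In the first sentence, "as does `nix-copy-closure` and other commands" should be "as do".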
diff --git a/doc/manual/rl-next/warn-ignored-client-settings.md b/doc/manual/rl-next/warn-ignored-client-settings.md
new file mode 100644
index 000000000..88edd27fb
--- /dev/null
+++ b/doc/manual/rl-next/warn-ignored-client-settings.md
@@ -0,0 +1,9 @@
+---
+synopsis: Warn about ignored client settings
+cls: 1026
+credits: jade
+category: Improvements
+---
+
+Emit a warning for every client-provided setting the daemon ignores because the requesting client is not run by a trusted user.
+Previously this was only a debug message.
diff --git a/doc/manual/src/language/derivations.md b/doc/manual/src/language/derivations.md
index c10e8149d..28e686889 100644
--- a/doc/manual/src/language/derivations.md
+++ b/doc/manual/src/language/derivations.md
@@ -125,7 +125,7 @@ The builder is executed as follows:
directory (typically, `/nix/store`).
- `NIX_ATTRS_JSON_FILE` & `NIX_ATTRS_SH_FILE` if `__structuredAttrs`
- is set to `true` for the dervation. A detailed explanation of this
+ is set to `true` for the derivation. A detailed explanation of this
behavior can be found in the
[section about structured attrs](./advanced-attributes.md#adv-attr-structuredAttrs).