Diffstat (limited to 'doc/manual')
-rw-r--r-- doc/manual/change-authors.yml 111
-rw-r--r-- doc/manual/rl-next/addDrvOutputDependencies.md 14
-rw-r--r-- doc/manual/rl-next/always-allow-substitutes.md 13
-rw-r--r-- doc/manual/rl-next/cve-fod-fix.md 21
-rw-r--r-- doc/manual/rl-next/gc-roots-darwin.md 8
-rw-r--r-- doc/manual/rl-next/macos-stack-size.md 9
-rw-r--r-- doc/manual/rl-next/more-logs.md 9
-rw-r--r-- doc/manual/rl-next/nix-eval-derivations.md 9
-rw-r--r-- doc/manual/rl-next/nix-store-prefetch-unpack.md 18
-rw-r--r-- doc/manual/rl-next/print-in-repl.md 55
-rw-r--r-- doc/manual/rl-next/print-value-in-installable-flake-error.md 20
-rw-r--r-- doc/manual/rl-next/repl-fix-history.md 9
-rw-r--r-- doc/manual/rl-next/repl-interrupt.md 2
-rw-r--r-- doc/manual/rl-next/shebang-single-quotes.md 13
-rw-r--r-- doc/manual/rl-next/ssh-ng-phase-reporting.md 8
-rw-r--r-- doc/manual/rl-next/ssh-ng-substitute.md 9
-rw-r--r-- doc/manual/rl-next/warn-ignored-client-settings.md 9
-rw-r--r-- doc/manual/src/language/derivations.md 2
18 files changed, 304 insertions, 35 deletions
diff --git a/doc/manual/change-authors.yml b/doc/manual/change-authors.yml
index 8c07d7e90..98a135397 100644
--- a/doc/manual/change-authors.yml
+++ b/doc/manual/change-authors.yml
@@ -3,66 +3,109 @@
#
# It's used for crediting people accurately in release notes. The release notes
# script will link to forgejo, then to GitHub if forgejo is not present.
+9999years:
+ display_name: wiggles
+ forgejo: rbt
+ github: 9999years
+
+Artturin:
+ github: Artturin
+
+DavHau:
+ github: DavHau
+
+Kha:
+ github: Kha
+
+Lunaphied:
+ forgejo: Lunaphied
+ github: Lunaphied
+
+Qyriad:
+ forgejo: Qyriad
+ github: Qyriad
+
+SharzyL:
+ github: SharzyL
+
+alois31:
+ forgejo: alois31
+ github: alois31
+
+artemist:
+ display_name: Artemis Tosini
+ forgejo: artemist
+
+edolstra:
+ display_name: Eelco Dolstra
+ github: edolstra
+
+ericson:
+ display_name: John Ericson
+ github: ericson2314
+
horrors:
display_name: eldritch horrors
forgejo: pennae
github: pennae
-Qyriad:
- forgejo: Qyriad
- github: Qyriad
+iFreilicht:
+ github: iFreilicht
jade:
forgejo: jade
github: lf-
-iFreilicht:
- github: iFreilicht
+lovesegfault:
+ github: lovesegfault
ma27:
forgejo: ma27
github: ma27
-Lunaphied:
- forgejo: Lunaphied
- github: Lunaphied
-
-9999years:
- display_name: wiggles
- github: 9999years
- forgejo: rbt
-
matthewbauer:
github: matthewbauer
+midnightveil:
+ display_name: julia
+ forgejo: midnightveil
+ github: midnightveil
+
+ncfavier:
+ github: ncfavier
+
+puck:
+ display_name: puck
+ forgejo: puck
+ github: puckipedia
+
+r-vdp:
+ github: r-vdp
+
raito:
display_name: Raito Bezarius
- github: RaitoBezarius
forgejo: raito
+ github: RaitoBezarius
-winter:
- github: winterqt
- forgejo: winter
-
-Kha:
- github: Kha
-
-Artturin:
- github: Artturin
+roberth:
+ display_name: Robert Hensing
+ github: roberth
thufschmitt:
display_name: Théophane Hufschmitt
github: thufschmitt
-edolstra:
- display_name: Eelco Dolstra
- github: edolstra
+tomberek:
+ display_name: Tom Bereknyei
+ github: tomberek
-roberth:
- display_name: Robert Hensing
- github: roberth
+valentin:
+ display_name: Valentin Gagarin
+ github: fricklerhandwerk
-midnightveil:
- display_name: julia
- forgejo: midnightveil
- github: midnightveil
+winter:
+ forgejo: winter
+ github: winterqt
+
+yshui:
+ github: yshui
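Review bot: The reordered entries follow byte order rather than case-insensitive order (`Qyriad` and `SharzyL` sort before `alois31`, `r-vdp` before `raito`), and the header comment at the top of this hunk never says the file is kept sorted, so the next entry is likely to be appended at the end again. Add a line to that comment stating the sort rule. Two smaller points: `puck` sets `display_name: puck`, which only repeats the key, and the keys `ericson` and `valentin` differ from their `github` handles (`ericson2314`, `fricklerhandwerk`), so the header comment should say that `credits:` in release-note entries refers to the key, not the handle.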
diff --git a/doc/manual/rl-next/addDrvOutputDependencies.md b/doc/manual/rl-next/addDrvOutputDependencies.md
new file mode 100644
index 000000000..0442383ec
--- /dev/null
+++ b/doc/manual/rl-next/addDrvOutputDependencies.md
@@ -0,0 +1,14 @@
+---
+synopsis: "Add a builtin `addDrvOutputDependencies`"
+prs: 9216
+issues: 7910
+credits: [ericson, horrors]
+category: Features
+---
+
+This builtin allows taking a `drvPath`-like string and turning it into a string
+with context such that, when it lands in a derivation, it will create
+dependencies on *all the outputs* in its closure (!). Although `drvPath` does this
+today, this builtin starts forming a path to migrate to making `drvPath` have a
+more normal and less surprising string context behaviour (see linked issue and
+PR for more details).
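Review bot: The body says the builtin takes a `drvPath`-like string but shows no call, and "starts forming a path to migrate" leaves it unclear whether `drvPath` behaves differently in this release. Add a one-line usage example and say outright that `drvPath` itself is unchanged for now, which is what "Although `drvPath` does this today" implies. The "(!)" after "closure" can be dropped.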
diff --git a/doc/manual/rl-next/always-allow-substitutes.md b/doc/manual/rl-next/always-allow-substitutes.md
new file mode 100644
index 000000000..60b588fd7
--- /dev/null
+++ b/doc/manual/rl-next/always-allow-substitutes.md
@@ -0,0 +1,13 @@
+---
+synopsis: "Add an option `always-allow-substitutes` to ignore `allowSubstitutes` in derivations"
+prs: 8047
+credits: [lovesegfault, horrors]
+category: Improvements
+---
+
+You can set this setting to force a system to always allow substituting even
+trivial derivations like `pkgs.writeText`. This is useful for
+[`nix-fast-build --skip-cached`][skip-cached] and similar to be able to also
+ignore trivial derivations.
+
+[skip-cached]: https://github.com/Mic92/nix-fast-build?tab=readme-ov-file#avoiding-redundant-package-downloads
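Review bot: "You can set this setting" in the first body line does not say which value enables the behaviour or what the default is. State both, and mention that this overrides a derivation's own `allowSubstitutes` choice, since the synopsis says "ignore" but the body only says "force".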
diff --git a/doc/manual/rl-next/cve-fod-fix.md b/doc/manual/rl-next/cve-fod-fix.md
new file mode 100644
index 000000000..4499f639b
--- /dev/null
+++ b/doc/manual/rl-next/cve-fod-fix.md
@@ -0,0 +1,21 @@
+---
+synopsis: "Fix CVE-2024-27297 (GHSA-2ffj-w4mj-pg37)"
+cls: 266
+credits: [puck, jade, thufschmitt, tomberek, valentin]
+category: Fixes
+---
+
+Since Lix fixed-output derivations run in the host network namespace (which we
+wish to change in the future, see
+[lix#285](https://git.lix.systems/lix-project/lix/issues/285)), they may open
+abstract-namespace Unix sockets to each other and to programs on the host. Lix
+contained a now-fixed time-of-check/time-of-use vulnerability where one
+derivation could send writable handles to files in their final location in the
+store to another over an abstract-namespace Unix socket, exit, then the other
+derivation could wait for Lix to hash the paths and overwrite them.
+
+The impact of this vulnerability is that two malicious fixed-output derivations
+could create a poisoned path for the sources to Bash or similarly important
+software containing a backdoor, leading to local privilege execution.
+
+CppNix advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
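Review bot: "local privilege execution" at the end of the impact paragraph reads like a slip for "local privilege escalation"; please confirm and correct. The entry also explains the time-of-check/time-of-use bug but never says what the fix changes or whether users need to do anything about store paths produced before upgrading, which is what a reader of a CVE release note looks for first. The opening "Since Lix fixed-output derivations run in the host network namespace" parses ambiguously; "Since fixed-output derivations in Lix run ..." is clearer. The last line uses a bare URL while the `lix#285` reference above uses a Markdown link.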
diff --git a/doc/manual/rl-next/gc-roots-darwin.md b/doc/manual/rl-next/gc-roots-darwin.md
new file mode 100644
index 000000000..e8e90a397
--- /dev/null
+++ b/doc/manual/rl-next/gc-roots-darwin.md
@@ -0,0 +1,8 @@
+---
+synopsis: Find GC roots using libproc on Darwin
+cls: 723
+credits: artemist
+category: Improvements
+---
+
+Previously, the garbage collector found runtime roots on Darwin by shelling out to `lsof -n -w -F n` then parsing the result. The version of `lsof` packaged in Nixpkgs is very slow on Darwin, so Lix now uses `libproc` directly to speed up GC root discovery, in some tests taking 250ms now instead of 40s.
diff --git a/doc/manual/rl-next/macos-stack-size.md b/doc/manual/rl-next/macos-stack-size.md
new file mode 100644
index 000000000..efbba1577
--- /dev/null
+++ b/doc/manual/rl-next/macos-stack-size.md
@@ -0,0 +1,9 @@
+---
+synopsis: Increase default stack size on macOS
+prs: 9860
+credits: 9999years
+category: Improvements
+---
+
+Increase the default stack size on macOS to the same value as on Linux, subject to system restrictions to maximum stack size.
+This should reduce the number of stack overflow crashes on macOS when evaluating Nix code with deep call stacks.
diff --git a/doc/manual/rl-next/more-logs.md b/doc/manual/rl-next/more-logs.md
new file mode 100644
index 000000000..e239da5ad
--- /dev/null
+++ b/doc/manual/rl-next/more-logs.md
@@ -0,0 +1,9 @@
+---
+synopsis: Show more log context for failed builds
+prs: 9670
+credits: DavHau
+category: Improvements
+---
+
+Show 25 lines of log tail instead of 10 for failed builds.
+This increases the chances of having useful information in the shown logs.
diff --git a/doc/manual/rl-next/nix-eval-derivations.md b/doc/manual/rl-next/nix-eval-derivations.md
new file mode 100644
index 000000000..ae1952283
--- /dev/null
+++ b/doc/manual/rl-next/nix-eval-derivations.md
@@ -0,0 +1,9 @@
+---
+synopsis: Print derivation paths in `nix eval`
+cls: 446
+credits: 9999years
+category: Improvements
+---
+
+`nix eval` previously printed derivations as attribute sets, so commands that print derivations (e.g. `nix eval nixpkgs#bash`) would infinitely loop and segfault.
+It now prints the `.drv` path the derivation generates instead.
diff --git a/doc/manual/rl-next/nix-store-prefetch-unpack.md b/doc/manual/rl-next/nix-store-prefetch-unpack.md
new file mode 100644
index 000000000..5627c2c75
--- /dev/null
+++ b/doc/manual/rl-next/nix-store-prefetch-unpack.md
@@ -0,0 +1,18 @@
+---
+synopsis: "Add an option `--unpack` to unpack archives in `nix store prefetch-file`"
+prs: 9805
+cls: 224
+credits: [yshui, horrors]
+category: Improvements
+---
+
+It is now possible to fetch an archive then NAR-hash it (as in, hash it in the
+same manner as `builtins.fetchTarball` or fixed-output derivations with
+recursive hash type) in one command.
+
+Example:
+
+```
+~ » nix store prefetch-file --name source --unpack https://git.lix.systems/lix-project/lix/archive/2.90-beta.1.tar.gz
+Downloaded 'https://git.lix.systems/lix-project/lix/archive/2.90-beta.1.tar.gz' to '/nix/store/yvfqnq52ryjc3janw02ziv7kr6gd0cs1-source' (hash 'sha256-REWlo2RYHfJkxnmZTEJu3Cd/2VM+wjjpPy7Xi4BdDTQ=').
+```
diff --git a/doc/manual/rl-next/print-in-repl.md b/doc/manual/rl-next/print-in-repl.md
new file mode 100644
index 000000000..e0ac8e17f
--- /dev/null
+++ b/doc/manual/rl-next/print-in-repl.md
@@ -0,0 +1,55 @@
+---
+synopsis: "REPL printing improvements"
+prs: [9931, 10208]
+cls: [375, 492]
+credits: [9999years, horrors]
+category: Improvements
+---
+
+The REPL printer has been improved to do the following:
+- If a string is passed to `:print`, it is printed literally to the screen
+- Structures will be printed as multiple lines when necessary
+
+Before:
+
+```
+nix-repl> { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
+{ attrs = { ... }; list = [ ... ]; list' = [ ... ]; }
+
+nix-repl> :p { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
+{ attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
+
+nix-repl> :p "meow"
+"meow"
+```
+
+After:
+
+```
+nix-repl> { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
+{
+ attrs = { ... };
+ list = [ ... ];
+ list' = [ ... ];
+}
+
+nix-repl> :p { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; }
+{
+ attrs = {
+ a = {
+ b = {
+ c = { };
+ };
+ };
+ };
+ list = [ 1 ];
+ list' = [
+ 1
+ 2
+ 3
+ ];
+}
+
+nix-repl> :p "meow"
+meow
+```
diff --git a/doc/manual/rl-next/print-value-in-installable-flake-error.md b/doc/manual/rl-next/print-value-in-installable-flake-error.md
new file mode 100644
index 000000000..ae23b4dda
--- /dev/null
+++ b/doc/manual/rl-next/print-value-in-installable-flake-error.md
@@ -0,0 +1,20 @@
+---
+synopsis: New-cli flake commands that expect derivations now print the failing value and its type
+credits: Qyriad
+category: Improvements
+cls: 1177
+---
+
+In errors like `flake output attribute 'legacyPackages.x86_64-linux.lib' is not a derivation or path`, the message now includes the failing value and type.
+
+Before:
+
+```
+ error: flake output attribute 'nixosConfigurations.yuki.config' is not a derivation or path
+````
+
+After:
+
+```
+ error: expected flake output attribute 'nixosConfigurations.yuki.config' to be a derivation or path but found a set: { appstream = «thunk»; assertions = «thunk»; boot = { bcache = «thunk»; binfmt = «thunk»; binfmtMiscRegistrations = «thunk»; blacklistedKernelModules = «thunk»; bootMount = «thunk»; bootspec = «thunk»; cleanTmpDir = «thunk»; consoleLogLevel = «thunk»; «43 attributes elided» }; «48 attributes elided» }
+```
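Review bot: The "Before:" block opens with three backticks and closes with four ("+````"), unlike the "After:" block; make the closing fence three backticks so every renderer closes the block in the same place. The frontmatter also lists `category` before `cls`, the reverse of the other entries in this change, and the synopsis is unquoted while containing a hyphenated `New-cli`; quoting it as the neighbouring entries do would be consistent.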
diff --git a/doc/manual/rl-next/repl-fix-history.md b/doc/manual/rl-next/repl-fix-history.md
new file mode 100644
index 000000000..1517f68e7
--- /dev/null
+++ b/doc/manual/rl-next/repl-fix-history.md
@@ -0,0 +1,9 @@
+---
+synopsis: "`nix repl` history is saved more reliably"
+cls: 1164
+credits: puck
+---
+
+`nix repl` now saves its history file after each line, rather than at the end
+of the session; ensuring that it will remember what you typed even after it
+crashes.
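Review bot: The frontmatter has no `category:` key, while every other new entry in this change has one and the `repl-interrupt.md` hunk below adds the missing `category: Fixes` to an existing entry. Add a category here as well. In the body, "session; ensuring" should use a comma rather than a semicolon.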
diff --git a/doc/manual/rl-next/repl-interrupt.md b/doc/manual/rl-next/repl-interrupt.md
index 61a8ab71e..da0bc698e 100644
--- a/doc/manual/rl-next/repl-interrupt.md
+++ b/doc/manual/rl-next/repl-interrupt.md
@@ -1,6 +1,8 @@
---
synopsis: Interrupting builds in the REPL works more than once
cls: 1097
+category: Fixes
+credits: alois31
---
Builds in the REPL can be interrupted by pressing Ctrl+C.
diff --git a/doc/manual/rl-next/shebang-single-quotes.md b/doc/manual/rl-next/shebang-single-quotes.md
new file mode 100644
index 000000000..f60caad84
--- /dev/null
+++ b/doc/manual/rl-next/shebang-single-quotes.md
@@ -0,0 +1,13 @@
+---
+synopsis: Allow single quotes in nix-shell shebangs
+prs: 8470
+credits: [ncfavier, horrors]
+category: Improvements
+---
+
+Example:
+
+```bash
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash --packages 'terraform.withPlugins (plugins: [ plugins.openstack ])'
+```
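Review bot: The body consists only of "Example:" and a code block, with no sentence saying what changed. Add one line stating that single-quoted arguments in `#! nix-shell` lines are now accepted, and what happened with them before, so the entry stands on its own in the rendered release notes.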
diff --git a/doc/manual/rl-next/ssh-ng-phase-reporting.md b/doc/manual/rl-next/ssh-ng-phase-reporting.md
new file mode 100644
index 000000000..02f357410
--- /dev/null
+++ b/doc/manual/rl-next/ssh-ng-phase-reporting.md
@@ -0,0 +1,8 @@
+---
+synopsis: Include phase reporting in log file for ssh-ng builds
+prs: 9280
+credits: r-vdp
+category: Fixes
+---
+
+Store phase information of remote builds run via `ssh-ng` remotes in the local log file, matching logging behavior of local builds.
diff --git a/doc/manual/rl-next/ssh-ng-substitute.md b/doc/manual/rl-next/ssh-ng-substitute.md
new file mode 100644
index 000000000..20f79c106
--- /dev/null
+++ b/doc/manual/rl-next/ssh-ng-substitute.md
@@ -0,0 +1,9 @@
+---
+synopsis: Fix `ssh-ng://` remotes not respecting `--substitute-on-destination`
+prs: 9600
+credits: SharzyL
+category: Fixes
+---
+
+`nix copy ssh-ng://` now respects `--substitute-on-destination`, as does `nix-copy-closure` and other commands that operate on remote `ssh-ng` stores.
+Previously this was always set by `builders-use-substitutes` setting.
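Review bot: The last line, "Previously this was always set by `builders-use-substitutes` setting", is ambiguous about the old behaviour: it can mean the flag was ignored and the value of `builders-use-substitutes` was used instead, or that the setting forced it on. Spell out which, and add the missing article ("by the `builders-use-substitutes` setting").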
diff --git a/doc/manual/rl-next/warn-ignored-client-settings.md b/doc/manual/rl-next/warn-ignored-client-settings.md
new file mode 100644
index 000000000..88edd27fb
--- /dev/null
+++ b/doc/manual/rl-next/warn-ignored-client-settings.md
@@ -0,0 +1,9 @@
+---
+synopsis: Warn about ignored client settings
+cls: 1026
+credits: jade
+category: Improvements
+---
+
+Emit a warning for every client-provided setting the daemon ignores because the requesting client is not run by a trusted user.
+Previously this was only a debug message.
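Review bot: The body does not say where the warning appears, on the client's output or in the daemon's log. Since the warning fires "for every client-provided setting the daemon ignores", operators of multi-user machines need to know which side sees it and whether an untrusted client can generate one line per setting per connection in the daemon log. State the destination explicitly.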
diff --git a/doc/manual/src/language/derivations.md b/doc/manual/src/language/derivations.md
index c10e8149d..28e686889 100644
--- a/doc/manual/src/language/derivations.md
+++ b/doc/manual/src/language/derivations.md
@@ -125,7 +125,7 @@ The builder is executed as follows:
directory (typically, `/nix/store`).
- `NIX_ATTRS_JSON_FILE` & `NIX_ATTRS_SH_FILE` if `__structuredAttrs`
- is set to `true` for the dervation. A detailed explanation of this
+ is set to `true` for the derivation. A detailed explanation of this
behavior can be found in the
[section about structured attrs](./advanced-attributes.md#adv-attr-structuredAttrs).