Diffstat (limited to 'doc/manual')
-rw-r--r-- | doc/manual/change-authors.yml | 111
-rw-r--r-- | doc/manual/rl-next/addDrvOutputDependencies.md | 14
-rw-r--r-- | doc/manual/rl-next/always-allow-substitutes.md | 13
-rw-r--r-- | doc/manual/rl-next/cve-fod-fix.md | 21
-rw-r--r-- | doc/manual/rl-next/gc-roots-darwin.md | 8
-rw-r--r-- | doc/manual/rl-next/macos-stack-size.md | 9
-rw-r--r-- | doc/manual/rl-next/more-logs.md | 9
-rw-r--r-- | doc/manual/rl-next/nix-eval-derivations.md | 9
-rw-r--r-- | doc/manual/rl-next/nix-store-prefetch-unpack.md | 18
-rw-r--r-- | doc/manual/rl-next/print-in-repl.md | 55
-rw-r--r-- | doc/manual/rl-next/print-value-in-installable-flake-error.md | 20
-rw-r--r-- | doc/manual/rl-next/repl-fix-history.md | 9
-rw-r--r-- | doc/manual/rl-next/repl-interrupt.md | 2
-rw-r--r-- | doc/manual/rl-next/shebang-single-quotes.md | 13
-rw-r--r-- | doc/manual/rl-next/ssh-ng-phase-reporting.md | 8
-rw-r--r-- | doc/manual/rl-next/ssh-ng-substitute.md | 9
-rw-r--r-- | doc/manual/rl-next/warn-ignored-client-settings.md | 9
-rw-r--r-- | doc/manual/src/language/derivations.md | 2
18 files changed, 304 insertions, 35 deletions
diff --git a/doc/manual/change-authors.yml b/doc/manual/change-authors.yml index 8c07d7e90..98a135397 100644 --- a/doc/manual/change-authors.yml +++ b/doc/manual/change-authors.yml 
@@ -3,66 +3,109 @@ # # It's used for crediting people accurately in release notes. The release notes # script will link to forgejo, then to GitHub if forgejo is not present. +9999years: + display_name: wiggles + forgejo: rbt + github: 9999years + +Artturin: + github: Artturin + +DavHau: + github: DavHau + +Kha: + github: Kha + +Lunaphied: + forgejo: Lunaphied + github: Lunaphied + +Qyriad: + forgejo: Qyriad + github: Qyriad + +SharzyL: + github: SharzyL + +alois31: + forgejo: alois31 + github: alois31 + +artemist: + display_name: Artemis Tosini + forgejo: artemist + +edolstra: + display_name: Eelco Dolstra + github: edolstra + +ericson: + display_name: John Ericson + github: ericson2314 + horrors: display_name: eldritch horrors forgejo: pennae github: pennae -Qyriad: - forgejo: Qyriad - github: Qyriad +iFreilicht: + github: iFreilicht jade: forgejo: jade github: lf- -iFreilicht: - github: iFreilicht +lovesegfault: + github: lovesegfault ma27: forgejo: ma27 github: ma27 -Lunaphied: - forgejo: Lunaphied - github: Lunaphied - -9999years: - display_name: wiggles - github: 9999years - forgejo: rbt - matthewbauer: github: matthewbauer +midnightveil: + display_name: julia + forgejo: midnightveil + github: midnightveil + +ncfavier: + github: ncfavier + +puck: + display_name: puck + forgejo: puck + github: puckipedia + +r-vdp: + github: r-vdp + raito: display_name: Raito Bezarius - github: RaitoBezarius forgejo: raito + github: RaitoBezarius -winter: - github: winterqt - forgejo: winter - -Kha: - github: Kha - -Artturin: - github: Artturin +roberth: + display_name: Robert Hensing + github: roberth thufschmitt: display_name: Théophane Hufschmitt github: thufschmitt -edolstra: - display_name: Eelco Dolstra - github: edolstra +tomberek: + display_name: Tom Bereknyei + github: tomberek -roberth: - display_name: Robert Hensing - github: roberth +valentin: + display_name: Valentin Gagarin + github: fricklerhandwerk -midnightveil: - display_name: julia - forgejo: midnightveil - 
github: midnightveil +winter: + forgejo: winter + github: winterqt + +yshui: + github: yshui diff --git a/doc/manual/rl-next/addDrvOutputDependencies.md b/doc/manual/rl-next/addDrvOutputDependencies.md new file mode 100644 index 000000000..0442383ec --- /dev/null +++ b/doc/manual/rl-next/addDrvOutputDependencies.md @@ -0,0 +1,14 @@ +--- +synopsis: "Add a builtin `addDrvOutputDependencies`" +prs: 9216 +issues: 7910 +credits: [ericson, horrors] +category: Features +--- + +This builtin allows taking a `drvPath`-like string and turning it into a string +with context such that, when it lands in a derivation, it will create +dependencies on *all the outputs* in its closure (!). Although `drvPath` does this +today, this builtin starts forming a path to migrate to making `drvPath` have a +more normal and less surprising string context behaviour (see linked issue and +PR for more details). diff --git a/doc/manual/rl-next/always-allow-substitutes.md b/doc/manual/rl-next/always-allow-substitutes.md new file mode 100644 index 000000000..60b588fd7 --- /dev/null +++ b/doc/manual/rl-next/always-allow-substitutes.md @@ -0,0 +1,13 @@ +--- +synopsis: "Add an option `always-allow-substitutes` to ignore `allowSubstitutes` in derivations" +prs: 8047 +credits: [lovesegfault, horrors] +category: Improvements +--- + +You can set this setting to force a system to always allow substituting even +trivial derivations like `pkgs.writeText`. This is useful for +[`nix-fast-build --skip-cached`][skip-cached] and similar to be able to also +ignore trivial derivations. + +[skip-cached]: https://github.com/Mic92/nix-fast-build?tab=readme-ov-file#avoiding-redundant-package-downloads diff --git a/doc/manual/rl-next/cve-fod-fix.md b/doc/manual/rl-next/cve-fod-fix.md new file mode 100644 index 000000000..4499f639b --- /dev/null +++ b/doc/manual/rl-next/cve-fod-fix.md 
@@ -0,0 +1,21 @@ +--- +synopsis: "Fix CVE-2024-27297 (GHSA-2ffj-w4mj-pg37)" +cls: 266 +credits: [puck, jade, thufschmitt, tomberek, valentin] +category: Fixes +--- + +Since Lix fixed-output derivations run in the host network namespace (which we +wish to change in the future, see +[lix#285](https://git.lix.systems/lix-project/lix/issues/285)), they may open +abstract-namespace Unix sockets to each other and to programs on the host. Lix +contained a now-fixed time-of-check/time-of-use vulnerability where one +derivation could send writable handles to files in their final location in the +store to another over an abstract-namespace Unix socket, exit, then the other +derivation could wait for Lix to hash the paths and overwrite them. + +The impact of this vulnerability is that two malicious fixed-output derivations +could create a poisoned path for the sources to Bash or similarly important +software containing a backdoor, leading to local privilege execution. + +CppNix advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37 diff --git a/doc/manual/rl-next/gc-roots-darwin.md b/doc/manual/rl-next/gc-roots-darwin.md new file mode 100644 index 000000000..e8e90a397 --- /dev/null +++ b/doc/manual/rl-next/gc-roots-darwin.md @@ -0,0 +1,8 @@ +--- +synopsis: Find GC roots using libproc on Darwin +cls: 723 +credits: artemist +category: Improvements +--- + +Previously, the garbage collector found runtime roots on Darwin by shelling out to `lsof -n -w -F n` then parsing the result. The version of `lsof` packaged in Nixpkgs is very slow on Darwin, so Lix now uses `libproc` directly to speed up GC root discovery, in some tests taking 250ms now instead of 40s. diff --git a/doc/manual/rl-next/macos-stack-size.md b/doc/manual/rl-next/macos-stack-size.md new file mode 100644 index 000000000..efbba1577 --- /dev/null +++ b/doc/manual/rl-next/macos-stack-size.md 
@@ -0,0 +1,9 @@ +--- +synopsis: Increase default stack size on macOS +prs: 9860 +credits: 9999years +category: Improvements +--- + +Increase the default stack size on macOS to the same value as on Linux, subject to system restrictions to maximum stack size. +This should reduce the number of stack overflow crashes on macOS when evaluating Nix code with deep call stacks. diff --git a/doc/manual/rl-next/more-logs.md b/doc/manual/rl-next/more-logs.md new file mode 100644 index 000000000..e239da5ad --- /dev/null +++ b/doc/manual/rl-next/more-logs.md @@ -0,0 +1,9 @@ +--- +synopsis: Show more log context for failed builds +prs: 9670 +credits: DavHau +category: Improvements +--- + +Show 25 lines of log tail instead of 10 for failed builds. +This increases the chances of having useful information in the shown logs. diff --git a/doc/manual/rl-next/nix-eval-derivations.md b/doc/manual/rl-next/nix-eval-derivations.md new file mode 100644 index 000000000..ae1952283 --- /dev/null +++ b/doc/manual/rl-next/nix-eval-derivations.md @@ -0,0 +1,9 @@ +--- +synopsis: Print derivation paths in `nix eval` +cls: 446 +credits: 9999years +category: Improvements +--- + +`nix eval` previously printed derivations as attribute sets, so commands that print derivations (e.g. `nix eval nixpkgs#bash`) would infinitely loop and segfault. +It now prints the `.drv` path the derivation generates instead. diff --git a/doc/manual/rl-next/nix-store-prefetch-unpack.md b/doc/manual/rl-next/nix-store-prefetch-unpack.md new file mode 100644 index 000000000..5627c2c75 --- /dev/null +++ b/doc/manual/rl-next/nix-store-prefetch-unpack.md 
@@ -0,0 +1,18 @@ +--- +synopsis: "Add an option `--unpack` to unpack archives in `nix store prefetch-file`" +prs: 9805 +cls: 224 +credits: [yshui, horrors] +category: Improvements +--- + +It is now possible to fetch an archive then NAR-hash it (as in, hash it in the +same manner as `builtins.fetchTarball` or fixed-output derivations with +recursive hash type) in one command. + +Example: + +``` +~ » nix store prefetch-file --name source --unpack https://git.lix.systems/lix-project/lix/archive/2.90-beta.1.tar.gz +Downloaded 'https://git.lix.systems/lix-project/lix/archive/2.90-beta.1.tar.gz' to '/nix/store/yvfqnq52ryjc3janw02ziv7kr6gd0cs1-source' (hash 'sha256-REWlo2RYHfJkxnmZTEJu3Cd/2VM+wjjpPy7Xi4BdDTQ='). +``` diff --git a/doc/manual/rl-next/print-in-repl.md b/doc/manual/rl-next/print-in-repl.md new file mode 100644 index 000000000..e0ac8e17f --- /dev/null +++ b/doc/manual/rl-next/print-in-repl.md 
@@ -0,0 +1,55 @@ +--- +synopsis: "REPL printing improvements" +prs: [9931, 10208] +cls: [375, 492] +credits: [9999years, horrors] +category: Improvements +--- + +The REPL printer has been improved to do the following: +- If a string is passed to `:print`, it is printed literally to the screen +- Structures will be printed as multiple lines when necessary + +Before: + +``` +nix-repl> { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; } +{ attrs = { ... }; list = [ ... ]; list' = [ ... ]; } + +nix-repl> :p { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; } +{ attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; } + +nix-repl> :p "meow" +"meow" +``` + +After: + +``` +nix-repl> { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; } +{ + attrs = { ... }; + list = [ ... ]; + list' = [ ... ]; +} + +nix-repl> :p { attrs = { a = { b = { c = { }; }; }; }; list = [ 1 ]; list' = [ 1 2 3 ]; } +{ + attrs = { + a = { + b = { + c = { }; + }; + }; + }; + list = [ 1 ]; + list' = [ + 1 + 2 + 3 + ]; +} + +nix-repl> :p "meow" +meow +``` diff --git a/doc/manual/rl-next/print-value-in-installable-flake-error.md b/doc/manual/rl-next/print-value-in-installable-flake-error.md new file mode 100644 index 000000000..ae23b4dda --- /dev/null +++ b/doc/manual/rl-next/print-value-in-installable-flake-error.md 
@@ -0,0 +1,20 @@ +--- +synopsis: New-cli flake commands that expect derivations now print the failing value and its type +credits: Qyriad +category: Improvements +cls: 1177 +--- + +In errors like `flake output attribute 'legacyPackages.x86_64-linux.lib' is not a derivation or path`, the message now includes the failing value and type. + +Before: + +``` + error: flake output attribute 'nixosConfigurations.yuki.config' is not a derivation or path +```` + +After: + +``` + error: expected flake output attribute 'nixosConfigurations.yuki.config' to be a derivation or path but found a set: { appstream = «thunk»; assertions = «thunk»; boot = { bcache = «thunk»; binfmt = «thunk»; binfmtMiscRegistrations = «thunk»; blacklistedKernelModules = «thunk»; bootMount = «thunk»; bootspec = «thunk»; cleanTmpDir = «thunk»; consoleLogLevel = «thunk»; «43 attributes elided» }; «48 attributes elided» } +``` diff --git a/doc/manual/rl-next/repl-fix-history.md b/doc/manual/rl-next/repl-fix-history.md new file mode 100644 index 000000000..1517f68e7 --- /dev/null +++ b/doc/manual/rl-next/repl-fix-history.md @@ -0,0 +1,9 @@ +--- +synopsis: "`nix repl` history is saved more reliably" +cls: 1164 +credits: puck +--- + +`nix repl` now saves its history file after each line, rather than at the end +of the session; ensuring that it will remember what you typed even after it +crashes. diff --git a/doc/manual/rl-next/repl-interrupt.md b/doc/manual/rl-next/repl-interrupt.md index 61a8ab71e..da0bc698e 100644 --- a/doc/manual/rl-next/repl-interrupt.md +++ b/doc/manual/rl-next/repl-interrupt.md @@ -1,6 +1,8 @@ --- synopsis: Interrupting builds in the REPL works more than once cls: 1097 +category: Fixes +credits: alois31 --- Builds in the REPL can be interrupted by pressing Ctrl+C. diff --git a/doc/manual/rl-next/shebang-single-quotes.md b/doc/manual/rl-next/shebang-single-quotes.md new file mode 100644 index 000000000..f60caad84 --- /dev/null +++ b/doc/manual/rl-next/shebang-single-quotes.md 
@@ -0,0 +1,13 @@ +--- +synopsis: Allow single quotes in nix-shell shebangs +prs: 8470 +credits: [ncfavier, horrors] +category: Improvements +--- + +Example: + +```bash +#! /usr/bin/env nix-shell +#! nix-shell -i bash --packages 'terraform.withPlugins (plugins: [ plugins.openstack ])' +``` diff --git a/doc/manual/rl-next/ssh-ng-phase-reporting.md b/doc/manual/rl-next/ssh-ng-phase-reporting.md new file mode 100644 index 000000000..02f357410 --- /dev/null +++ b/doc/manual/rl-next/ssh-ng-phase-reporting.md @@ -0,0 +1,8 @@ +--- +synopsis: Include phase reporting in log file for ssh-ng builds +prs: 9280 +credits: r-vdp +category: Fixes +--- + +Store phase information of remote builds run via `ssh-ng` remotes in the local log file, matching logging behavior of local builds. diff --git a/doc/manual/rl-next/ssh-ng-substitute.md b/doc/manual/rl-next/ssh-ng-substitute.md new file mode 100644 index 000000000..20f79c106 --- /dev/null +++ b/doc/manual/rl-next/ssh-ng-substitute.md @@ -0,0 +1,9 @@ +--- +synopsis: Fix `ssh-ng://` remotes not respecting `--substitute-on-destination` +prs: 9600 +credits: SharzyL +category: Fixes +--- + +`nix copy ssh-ng://` now respects `--substitute-on-destination`, as does `nix-copy-closure` and other commands that operate on remote `ssh-ng` stores. +Previously this was always set by `builders-use-substitutes` setting. diff --git a/doc/manual/rl-next/warn-ignored-client-settings.md b/doc/manual/rl-next/warn-ignored-client-settings.md new file mode 100644 index 000000000..88edd27fb --- /dev/null +++ b/doc/manual/rl-next/warn-ignored-client-settings.md @@ -0,0 +1,9 @@ +--- +synopsis: Warn about ignored client settings +cls: 1026 +credits: jade +category: Improvements +--- + +Emit a warning for every client-provided setting the daemon ignores because the requesting client is not run by a trusted user. +Previously this was only a debug message. 
diff --git a/doc/manual/src/language/derivations.md b/doc/manual/src/language/derivations.md index c10e8149d..28e686889 100644 --- a/doc/manual/src/language/derivations.md +++ b/doc/manual/src/language/derivations.md @@ -125,7 +125,7 @@ The builder is executed as follows: directory (typically, `/nix/store`). - `NIX_ATTRS_JSON_FILE` & `NIX_ATTRS_SH_FILE` if `__structuredAttrs` - is set to `true` for the dervation. A detailed explanation of this + is set to `true` for the derivation. A detailed explanation of this behavior can be found in the [section about structured attrs](./advanced-attributes.md#adv-attr-structuredAttrs). |
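Review bot: the header comment of doc/manual/change-authors.yml does not state the ordering this hunk establishes. The keys are now in byte order (`9999years`, then capitalised keys such as `Artturin` and `SharzyL`, then lowercase keys from `alois31` on), and inside each entry the fields run `display_name`, `forgejo`, `github`. One comment line saying so would keep later additions from being appended at the end again.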
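Review bot: in doc/manual/rl-next/cve-fod-fix.md, the last sentence of the impact paragraph says "leading to local privilege execution", which reads like a slip for "local privilege escalation". The entry also calls the time-of-check/time-of-use issue "now-fixed" without saying what the fix changes. Since the text states that fixed-output derivations still run in the host network namespace (lix#285), a sentence on what now stops the writable handles from being used after hashing would tell readers what is and is not closed.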
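Review bot: in doc/manual/rl-next/print-value-in-installable-flake-error.md, the "Before" code block opens with three backticks and closes with four; use three so it matches the "After" block below it. The front matter also puts `cls:` after `category:`, while the other entries added here list `prs`/`cls` before `credits` and `category`.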
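Review bot: the front matter of doc/manual/rl-next/repl-fix-history.md has no `category:` key, unlike every other new entry in this patch, and the same patch adds the missing `category: Fixes` and `credits:` lines to repl-interrupt.md for exactly this reason. Add a category here as well. In the body, the semicolon in "rather than at the end of the session; ensuring that" should be a comma.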