This is primarily a bug fix release. It also has the following changes:
In derivations that use structured attributes (i.e. that specify set the __structuredAttrs
attribute to true
to cause all attributes to be passed to the builder in JSON format), you can now specify closure checks per output, e.g.:
outputChecks."out" = { # The closure of 'out' must not be larger than 256 MiB. maxClosureSize = 256 * 1024 * 1024; # It must not refer to C compiler or to the 'dev' output. disallowedRequisites = [ stdenv.cc "dev" ]; }; outputChecks."dev" = { # The 'dev' output must not be larger than 128 KiB. maxSize = 128 * 1024; };
The derivation attribute requiredSystemFeatures
is now enforced for local builds, and not just to route builds to remote builders. The supported features of a machine can be specified through the configuration setting system-features
.
By default, system-features
includes kvm
if /dev/kvm
exists. For compatibility, it also includes the pseudo-features nixos-test
, benchmark
and big-parallel
which are used by Nixpkgs to route builds to particular Hydra build machines.
Sandbox builds are now enabled by default on Linux.
The new command nix doctor shows potential issues with your Nix installation.
The fetchGit
builtin function now uses a caching scheme that puts different remote repositories in distinct local repositories, rather than a single shared repository. This may require more disk space but is faster.
The dirOf
builtin function now works on relative paths.
Nix now supports SRI hashes, allowing the hash algorithm and hash to be specified in a single string. For example, you can write:
import{ url = https://nixos.org/releases/nix/nix-2.1.3/nix-2.1.3.tar.xz; hash = "sha256-XSLa0FjVyADWWhFfkZ2iKTjFDda6mMXjoYMXLRSYQKQ="; };
instead of
import{ url = https://nixos.org/releases/nix/nix-2.1.3/nix-2.1.3.tar.xz; sha256 = "5d22dad058d5c800d65a115f919da22938c50dd6ba98c5e3a183172d149840a4"; };
In fixed-output derivations, the outputHashAlgo
attribute is no longer mandatory if outputHash
specifies the hash.
nix hash-file and nix hash-path now print hashes in SRI format by default. They also use SHA-256 by default instead of SHA-512 because that's what we use most of the time in Nixpkgs.
Integers are now 64 bits on all platforms.
The evaluator now prints profiling statistics (enabled via the NIX_SHOW_STATS
and NIX_COUNT_CALLS
environment variables) in JSON format.
The option --xml
in nix-store --query has been removed. Instead, there now is an option --graphml
to output the dependency graph in GraphML format.
All nix-*
commands are now symlinks to nix
. This saves a bit of disk space.
nix repl now uses libeditline
or libreadline
.
This is primarily a bug fix release. It also reduces memory consumption in certain situations. In addition, it has the following new features:
The Nix installer will no longer default to the Multi-User installation for macOS. You can still instruct the installer to run in multi-user mode.
The Nix installer now supports performing a Multi-User installation for Linux computers which are running systemd. You can select a Multi-User installation by passing the --daemon
flag to the installer: sh <(curl https://nixos.org/nix/install) --daemon.
The multi-user installer cannot handle systems with SELinux. If your system has SELinux enabled, you can force the installer to run in single-user mode.
New builtin functions: builtins.bitAnd
, builtins.bitOr
, builtins.bitXor
, builtins.fromTOML
, builtins.concatMap
, builtins.mapAttrs
.
The S3 binary cache store now supports uploading NARs larger than 5 GiB.
The S3 binary cache store now supports uploading to S3-compatible services with the endpoint
option.
The flag --fallback
is no longer required to recover from disappeared NARs in binary caches.
nix-daemon now respects --store
.
nix run now respects nix-support/propagated-user-env-packages
.
This release has contributions from Adrien Devresse, Aleksandr Pashkov, Alexandre Esteves, Amine Chikhaoui, Andrew Dunham, Asad Saeeduddin, aszlig, Ben Challenor, Ben Gamari, Benjamin Hipple, Bogdan Seniuc, Corey O'Connor, Daiderd Jordan, Daniel Peebles, Daniel Poelzleithner, Danylo Hlynskyi, Dmitry Kalinkin, Domen Kožar, Doug Beardsley, Eelco Dolstra, Erik Arvstedt, Félix Baylac-Jacqué, Gleb Peregud, Graham Christensen, Guillaume Maudoux, Ivan Kozik, John Arnold, Justin Humm, Linus Heckemann, Lorenzo Manacorda, Matthew Justin Bauer, Matthew O'Gorman, Maximilian Bosch, Michael Bishop, Michael Fiano, Michael Mercier, Michael Raskin, Michael Weiss, Nicolas Dudebout, Peter Simons, Ryan Trinkle, Samuel Dionne-Riel, Sean Seefried, Shea Levy, Symphorien Gibol, Tim Engler, Tim Sears, Tuomas Tynkkynen, volth, Will Dietz, Yorick van Pelt and zimbatm.
The following incompatible changes have been made:
The manifest-based substituter mechanism (download-using-manifests) has been removed. It has been superseded by the binary cache substituter mechanism since several years. As a result, the following programs have been removed:
nix-pull
nix-generate-patches
bsdiff
bspatch
The “copy from other stores” substituter mechanism (copy-from-other-stores and the NIX_OTHER_STORES
environment variable) has been removed. It was primarily used by the NixOS installer to copy available paths from the installation medium. The replacement is to use a chroot store as a substituter (e.g. --substituters /mnt
), or to build into a chroot store (e.g. --store /mnt --substituters /
).
The command nix-push has been removed as part of the effort to eliminate Nix's dependency on Perl. You can use nix copy instead, e.g. nix copy --to file:///tmp/my-binary-cache
paths…
The “nested” log output feature (--log-type pretty
) has been removed. As a result, nix-log2xml was also removed.
OpenSSL-based signing has been removed. This feature was never well-supported. A better alternative is provided by the secret-key-files
and trusted-public-keys
options.
Failed build caching has been removed. This feature was introduced to support the Hydra continuous build system, but Hydra no longer uses it.
nix-mode.el
has been removed from Nix. It is now a separate repository and can be installed through the MELPA package repository.
This release has the following new features:
It introduces a new command named nix, which is intended to eventually replace all nix-* commands with a more consistent and better designed user interface. It currently provides replacements for some (but not all) of the functionality provided by nix-store, nix-build, nix-shell -p, nix-env -qa, nix-instantiate --eval, nix-push and nix-copy-closure. It has the following major features:
Unlike the legacy commands, it has a consistent way to refer to packages and package-like arguments (like store paths). For example, the following commands all copy the GNU Hello package to a remote machine:
nix copy --to ssh://machine nixpkgs.hello
nix copy --to ssh://machine /nix/store/0i2jd68mp5g6h2sa5k9c85rb80sn8hi9-hello-2.10
nix copy --to ssh://machine '(with import{}; hello)'
By contrast, nix-copy-closure only accepted store paths as arguments.
It is self-documenting: --help
shows all available command-line arguments. If --help
is given after a subcommand, it shows examples for that subcommand. nix --help-configshows all configuration options.
It is much less verbose. By default, it displays a single-line progress indicator that shows how many packages are left to be built or downloaded, and (if there are running builds) the most recent line of builder output. If a build fails, it shows the last few lines of builder output. The full build log can be retrieved using nix log.
It provides all nix.conf
configuration options as command line flags. For example, instead of --option http-connections 100
you can write --http-connections 100
. Boolean options can be written as --
or foo
--no-
(e.g. foo
--no-auto-optimise-store
).
Many subcommands have a --json
flag to write results to stdout in JSON format.
Warning: Please note that the nix command is a work in progress and the interface is subject to change.
It provides the following high-level (“porcelain”) subcommands:
nix build is a replacement for nix-build.
nix run executes a command in an environment in which the specified packages are available. It is (roughly) a replacement for nix-shell -p. Unlike that command, it does not execute the command in a shell, and has a flag (-c) that specifies the unquoted command line to be executed.
It is particularly useful in conjunction with chroot stores, allowing Linux users who do not have permission to install Nix in /nix/store to still use binary substitutes that assume/nix/store. For example,
nix run --store ~/my-nix nixpkgs.hello -c hello --greeting 'Hi everybody!'
downloads (or if not substitutes are available, builds) the GNU Hello package into ~/my-nix/nix/store
, then runs hello in a mount namespace where ~/my-nix/nix/store
is mounted onto /nix/store.
nix search replaces nix-env -qa. It searches the available packages for occurrences of a search string in the attribute name, package name or description. Unlike nix-env -qa, it has a cache to speed up subsequent searches.
nix copy copies paths between arbitrary Nix stores, generalising nix-copy-closure and nix-push.
nix repl replaces the external program nix-repl. It provides an interactive environment for evaluating and building Nix expressions. Note that it uses linenoise-ng
instead of GNU Readline.
nix upgrade-nix upgrades Nix to the latest stable version. This requires that Nix is installed in a profile. (Thus it won’t work on NixOS, or if it’s installed outside of the Nix store.)
nix verify checks whether store paths are unmodified and/or “trusted” (see below). It replaces nix-store --verify and nix-store --verify-path.
nix log shows the build log of a package or path. If the build log is not available locally, it will try to obtain it from the configured substituters (such as cache.nixos.org
, which now provides build logs).
nix edit opens the source code of a package in your editor.
nix eval replaces nix-instantiate --eval.
nix why-depends shows why one store path has another in its closure. This is primarily useful to finding the causes of closure bloat. For example,
nix why-depends nixpkgs.vlc nixpkgs.libdrm.dev
shows a chain of files and fragments of file contents that cause the VLC package to have the “dev” output of libdrm
in its closure — an undesirable situation.
nix path-info shows information about store paths, replacing nix-store -q. A useful feature is the option --closure-size
(-S
). For example, the following command show the closure sizes of every path in the current NixOS system closure, sorted by size:
nix path-info -rS /run/current-system | sort -nk2
nix optimise-store replaces nix-store --optimise. The main difference is that it has a progress indicator.
A number of low-level (“plumbing”) commands are also available:
nix ls-store and nix ls-nar list the contents of a store path or NAR file. The former is primarily useful in conjunction with remote stores, e.g.
nix ls-store --store https://cache.nixos.org/ -lR /nix/store/0i2jd68mp5g6h2sa5k9c85rb80sn8hi9-hello-2.10
lists the contents of path in a binary cache.
nix cat-store and nix cat-nar allow extracting a file from a store path or NAR file.
nix dump-path writes the contents of a store path to stdout in NAR format. This replaces nix-store --dump.
nix show-derivation displays a store derivation in JSON format. This is an alternative to pp-aterm.
nix add-to-store replaces nix-store --add.
nix sign-paths signs store paths.
nix copy-sigs copies signatures from one store to another.
nix show-config shows all configuration options and their current values.
The store abstraction that Nix has had for a long time to support store access via the Nix daemon has been extended significantly. In particular, substituters (which used to be external programs such as download-from-binary-cache) are now subclasses of the abstract Store
class. This allows many Nix commands to operate on such store types. For example, nix path-info shows information about paths in your local Nix store, while nix path-info --store https://cache.nixos.org/ shows information about paths in the specified binary cache. Similarly, nix-copy-closure, nix-push and substitution are all instances of the general notion of copying paths between different kinds of Nix stores.
Stores are specified using an URI-like syntax, e.g. https://cache.nixos.org/
or ssh://machine
. The following store types are supported:
LocalStore
(stori URI local
or an absolute path) and the misnamed RemoteStore
(daemon
) provide access to a local Nix store, the latter via the Nix daemon. You can use auto
or the empty string to auto-select a local or daemon store depending on whether you have write permission to the Nix store. It is no longer necessary to set the NIX_REMOTE
environment variable to use the Nix daemon.
As noted above, LocalStore
now supports chroot builds, allowing the “physical” location of the Nix store (e.g. /home/alice/nix/store
) to differ from its “logical” location (typically/nix/store
). This allows non-root users to use Nix while still getting the benefits from prebuilt binaries from cache.nixos.org
.
BinaryCacheStore
is the abstract superclass of all binary cache stores. It supports writing build logs and NAR content listings in JSON format.
HttpBinaryCacheStore
(http://
, https://
) supports binary caches via HTTP or HTTPS. If the server supports PUT
requests, it supports uploading store paths via commands such as nix copy.
LocalBinaryCacheStore
(file://
) supports binary caches in the local filesystem.
S3BinaryCacheStore
(s3://
) supports binary caches stored in Amazon S3, if enabled at compile time.
LegacySSHStore
(ssh://
) is used to implement remote builds and nix-copy-closure.
SSHStore
(ssh-ng://
) supports arbitrary Nix operations on a remote machine via the same protocol used by nix-daemon.
Security has been improved in various ways:
Nix now stores signatures for local store paths. When paths are copied between stores (e.g., copied from a binary cache to a local store), signatures are propagated.
Locally-built paths are signed automatically using the secret keys specified by the secret-key-files
store option. Secret/public key pairs can be generated using nix-store --generate-binary-cache-key.
In addition, locally-built store paths are marked as “ultimately trusted”, but this bit is not propagated when paths are copied between stores.
Content-addressable store paths no longer require signatures — they can be imported into a store by unprivileged users even if they lack signatures.
The command nix verify checks whether the specified paths are trusted, i.e., have a certain number of trusted signatures, are ultimately trusted, or are content-addressed.
Substitutions from binary caches now require signatures by default. This was already the case on NixOS.
In Linux sandbox builds, we now use /build
instead of /tmp
as the temporary build directory. This fixes potential security problems when a build accidentally stores its TMPDIR
in some security-sensitive place, such as an RPATH.
Pure evaluation mode. This is a variant of the existing restricted evaluation mode. In pure mode, the Nix evaluator forbids access to anything that could cause different evaluations of the same command line arguments to produce a different result. This includes builtin functions such as builtins.getEnv
, but more importantly, all filesystem or network access unless a content hash or commit hash is specified. For example, calls to builtins.fetchGit
are only allowed if a rev
attribute is specified.
The goal of this feature is to enable true reproducibility and traceability of builds (including NixOS system configurations) at the evaluation level. For example, in the future, nixos-rebuild might build configurations from a Nix expression in a Git repository in pure mode. That expression might fetch other repositories such as Nixpkgs via builtins.fetchGit
. The commit hash of the top-level repository then uniquely identifies a running system, and, in conjunction with that repository, allows it to be reproduced or modified.
There are several new features to support binary reproducibility (i.e. to help ensure that multiple builds of the same derivation produce exactly the same output). When enforce-determinism
is set to false
, it’s no longer a fatal error if build rounds produce different output. Also, a hook named diff-hook
is provided to allow you to run tools such as diffoscopewhen build rounds produce different output.
Configuring remote builds is a lot easier now. Provided you are not using the Nix daemon, you can now just specify a remote build machine on the command line, e.g. --option builders 'ssh://my-mac x86_64-darwin'
. The environment variable NIX_BUILD_HOOK
has been removed and is no longer needed. The environment variable NIX_REMOTE_SYSTEMS
is still supported for compatibility, but it is also possible to specify builders in nix.conf by setting the option builders = @
.path
If a fixed-output derivation produces a result with an incorrect hash, the output path is moved to the location corresponding to the actual hash and registered as valid. Thus, a subsequent build of the fixed-output derivation with the correct hash is unnecessary.
nix-shell now sets the IN_NIX_SHELL
environment variable during evaluation and in the shell itself. This can be used to perform different actions depending on whether you’re in a Nix shell or in a regular build. Nixpkgs provides lib.inNixShell
to check this variable during evaluation.
NIX_PATH
is now lazy, so URIs in the path are only downloaded if they are needed for evaluation.
You can now use channel:
as a short-hand for channel-name
https://nixos.org/channels/
. For example, channel-name
/nixexprs.tar.xznix-build channel:nixos-15.09 -A hello
will build the GNU Hello package from the nixos-15.09
channel. In the future, this may use Git to fetch updates more efficiently.
When --no-build-output
is given, the last 10 lines of the build log will be shown if a build fails.
Networking has been improved:
HTTP/2 is now supported. This makes binary cache lookups much more efficient.
We now retry downloads on many HTTP errors, making binary caches substituters more resilient to temporary failures.
HTTP credentials can now be configured via the standard netrc
mechanism.
If S3 support is enabled at compile time, s3://
URIs are supported in all places where Nix allows URIs.
Brotli compression is now supported. In particular, cache.nixos.org
build logs are now compressed using Brotli.
nix-env now ignores packages with bad derivation names (in particular those starting with a digit or containing a dot).
Many configuration options have been renamed, either because they were unnecessarily verbose (e.g. build-use-sandbox
is now just sandbox
) or to reflect generalised behaviour (e.g. binary-caches
is now substituters
because it allows arbitrary store URIs). The old names are still supported for compatibility.
The max-jobs
option can now be set to auto
to use the number of CPUs in the system.
Hashes can now be specified in base-64 format, in addition to base-16 and the non-standard base-32.
nix-shell now uses bashInteractive
from Nixpkgs, rather than the bash command that happens to be in the caller’s PATH
. This is especially important on macOS where the bashprovided by the system is seriously outdated and cannot execute stdenv
’s setup script.
Nix can now automatically trigger a garbage collection if free disk space drops below a certain level during a build. This is configured using the min-free
and max-free
options.
nix-store -q --roots and nix-store --gc --print-roots now show temporary and in-memory roots.
Nix can now be extended with plugins. See the documentation of the plugin-files
option for more details.
The Nix language has the following new features:
It supports floating point numbers. They are based on the C++ float
type and are supported by the existing numerical operators. Export and import to and from JSON and XML works, too.
Derivation attributes can now reference the outputs of the derivation using the placeholder
builtin function. For example, the attribute
configureFlags = "--prefix=${placeholder "out"} --includedir=${placeholder "dev"}";
will cause the configureFlags
environment variable to contain the actual store paths corresponding to the out
and dev
outputs.
The following builtin functions are new or extended:
builtins.fetchGit
allows Git repositories to be fetched at evaluation time. Thus it differs from the fetchgit
function in Nixpkgs, which fetches at build time and cannot be used to fetch Nix expressions during evaluation. A typical use case is to import external NixOS modules from your configuration, e.g.
imports = [ (builtins.fetchGit https://github.com/edolstra/dwarffs + "/module.nix") ];
Similarly, builtins.fetchMercurial
allows you to fetch Mercurial repositories.
builtins.path
generalises builtins.filterSource
and path literals (e.g. ./foo
). It allows specifying a store path name that differs from the source path name (e.g. builtins.path { path = ./foo; name = "bar"; }
) and also supports filtering out unwanted files.
builtins.fetchurl
and builtins.fetchTarball
now support sha256
and name
attributes.
builtins.split
splits a string using a POSIX extended regular expression as the separator.
builtins.partition
partitions the elements of a list into two lists, depending on a Boolean predicate.
now uses the content-addressable tarball cache at http://tarballs.nixos.org/
, just like fetchurl
in Nixpkgs. (f2682e6e18a76ecbfb8a12c17e3a0ca15c084197)
In restricted and pure evaluation mode, builtin functions that download from the network (such as fetchGit
) are permitted to fetch underneath a list of URI prefixes specified in the option allowed-uris
.
The Nix build environment has the following changes:
Values such as Booleans, integers, (nested) lists and attribute sets can now be passed to builders in a non-lossy way. If the special attribute __structuredAttrs
is set to true
, the other derivation attributes are serialised in JSON format and made available to the builder via the file .attrs.json
in the builder’s temporary directory. This obviates the need forpassAsFile
since JSON files have no size restrictions, unlike process environments.
As a convenience to Bash builders, Nix writes a script named .attrs.sh
to the builder’s directory that initialises shell variables corresponding to all attributes that are representable in Bash. This includes non-nested (associative) arrays. For example, the attribute hardening.format = true
ends up as the Bash associative array element ${hardening[format]}
.
Builders can now communicate what build phase they are in by writing messages to the file descriptor specified in NIX_LOG_FD
. The current phase is shown by the nix progress indicator.
In Linux sandbox builds, we now provide a default /bin/sh
(namely ash
from BusyBox).
In structured attribute mode, exportReferencesGraph
exports extended information about closures in JSON format. In particular, it includes the sizes and hashes of paths. This is primarily useful for NixOS image builders.
Builds are now killed as soon as Nix receives EOF on the builder’s stdout or stderr. This fixes a bug that allowed builds to hang Nix indefinitely, regardless of timeouts.
The sandbox-paths
configuration option can now specify optional paths by appending a ?
, e.g. /dev/nvidiactl?
will bind-mount /dev/nvidiactl
only if it exists.
On Linux, builds are now executed in a user namespace with UID 1000 and GID 100.
A number of significant internal changes were made:
Nix no longer depends on Perl and all Perl components have been rewritten in C++ or removed. The Perl bindings that used to be part of Nix have been moved to a separate package,nix-perl
.
All Store
classes are now thread-safe. RemoteStore
supports multiple concurrent connections to the daemon. This is primarily useful in multi-threaded programs such as hydra-queue-runner.
This release has contributions from Adrien Devresse, Alexander Ried, Alex Cruice, Alexey Shmalko, AmineChikhaoui, Andy Wingo, Aneesh Agrawal, Anthony Cowley, Armijn Hemel, aszlig, Ben Gamari, Benjamin Hipple, Benjamin Staffin, Benno Fünfstück, Bjørn Forsman, Brian McKenna, Charles Strahan, Chase Adams, Chris Martin, Christian Theune, Chris Warburton, Daiderd Jordan, Dan Connolly, Daniel Peebles, Dan Peebles, davidak, David McFarland, Dmitry Kalinkin, Domen Kožar, Eelco Dolstra, Emery Hemingway, Eric Litak, Eric Wolf, Fabian Schmitthenner, Frederik Rietdijk, Gabriel Gonzalez, Giorgio Gallo, Graham Christensen, Guillaume Maudoux, Harmen, Iavael, James Broadhead, James Earl Douglas, Janus Troelsen, Jeremy Shaw, Joachim Schiele, Joe Hermaszewski, Joel Moberg, Johannes 'fish' Ziemke, Jörg Thalheim, Jude Taylor, kballou, Keshav Kini, Kjetil Orbekk, Langston Barrett, Linus Heckemann, Ludovic Courtès, Manav Rathi, Marc Scholten, Markus Hauck, Matt Audesse, Matthew Bauer, Matthias Beyer, Matthieu Coudron, N1X, Nathan Zadoks, Neil Mayhew, Nicolas B. Pierron, Niklas Hambüchen, Nikolay Amiantov, Ole Jørgen Brønner, Orivej Desh, Peter Simons, Peter Stuart, Pyry Jahkola, regnat, Renzo Carbonara, Rhys, Robert Vollmert, Scott Olson, Scott R. Parish, Sergei Trofimovich, Shea Levy, Sheena Artrip, Spencer Baugh, Stefan Junker, Susan Potter, Thomas Tuegel, Timothy Allen, Tristan Hume, Tuomas Tynkkynen, tv, Tyson Whitehead, Vladimír Čunát, Will Dietz, wmertens, Wout Mertens, zimbatm and Zoran Plesivčak.
This release fixes a security bug in Nix’s “build user” build isolation mechanism. Previously, Nix builders had the ability to create setuid binaries owned by a nixbld
user. Such a binary could then be used by an attacker to assume a nixbld
identity and interfere with subsequent builds running under the same UID.
To prevent this issue, Nix now disallows builders to create setuid and setgid binaries. On Linux, this is done using a seccomp BPF filter. Note that this imposes a small performance penalty (e.g. 1% when building GNU Hello). Using seccomp, we now also prevent the creation of extended attributes and POSIX ACLs since these cannot be represented in the NAR format and (in the case of POSIX ACLs) allow bypassing regular Nix store permissions. On macOS, the restriction is implemented using the existing sandbox mechanism, which now uses a minimal “allow all except the creation of setuid/setgid binaries” profile when regular sandboxing is disabled. On other platforms, the “build user” mechanism is now disabled.
Thanks go to Linus Heckemann for discovering and reporting this bug.
This is primarily a bug fix release. It also has a number of new features:
nix-prefetch-url can now download URLs specified in a Nix expression. For example,
$ nix-prefetch-url -A hello.src
will prefetch the file specified by the fetchurl
call in the attribute hello.src
from the Nix expression in the current directory, and print the cryptographic hash of the resulting file on stdout. This differs from nix-build -A hello.src
in that it doesn't verify the hash, and is thus useful when you’re updating a Nix expression.
You can also prefetch the result of functions that unpack a tarball, such as fetchFromGitHub
. For example:
$ nix-prefetch-url --unpack https://github.com/NixOS/patchelf/archive/0.8.tar.gz
or from a Nix expression:
$ nix-prefetch-url -A nix-repl.src
The builtin function
now supports downloading and unpacking NARs. This removes the need to have multiple downloads in the Nixpkgs stdenv bootstrap process (like a separate busybox binary for Linux, or curl/mkdir/sh/bzip2 for Darwin). Now all those files can be combined into a single NAR, optionally compressed using xz.
Nix now supports SHA-512 hashes for verifying fixed-output derivations, and in builtins.hashString
.
The new flag --option build-repeat
will cause every build to be executed N
N
+1 times. If the build output differs between any round, the build is rejected, and the output paths are not registered as valid. This is primarily useful to verify build determinism. (We already had a --check
option to repeat a previously succeeded build. However, with --check
, non-deterministic builds are registered in the DB. Preventing that is useful for Hydra to ensure that non-deterministic builds don't end up getting published to the binary cache.)
The options --check
and --option build-repeat
, if they detect a difference between two runs of the same derivation and N
-K
is given, will make the output of the other run available under
. This makes it easier to investigate the non-determinism using tools like diffoscope, e.g.,store-path
-check
$ nix-build pkgs/stdenv/linux -A stage1.pkgs.zlib --check -K error: derivation ‘/nix/store/l54i8wlw2265…-zlib-1.2.8.drv’ may not be deterministic: output ‘/nix/store/11a27shh6n2i…-zlib-1.2.8’ differs from ‘/nix/store/11a27shh6n2i…-zlib-1.2.8-check’ $ diffoscope /nix/store/11a27shh6n2i…-zlib-1.2.8 /nix/store/11a27shh6n2i…-zlib-1.2.8-check … ├── lib/libz.a │ ├── metadata │ │ @@ -1,15 +1,15 @@ │ │ -rw-r--r-- 30001/30000 3096 Jan 12 15:20 2016 adler32.o … │ │ +rw-r--r-- 30001/30000 3096 Jan 12 15:28 2016 adler32.o …
Improved FreeBSD support.
nix-env -qa --xml --meta now prints license information.
The maximum number of parallel TCP connections that the binary cache substituter will use has been decreased from 150 to 25. This should prevent upsetting some broken NAT routers, and also improves performance.
All "chroot"-containing strings got renamed to "sandbox". In particular, some Nix options got renamed, but the old names are still accepted as lower-priority aliases.
This release has contributions from Anders Claesson, Anthony Cowley, Bjørn Forsman, Brian McKenna, Danny Wilson, davidak, Eelco Dolstra, Fabian Schmitthenner, FrankHB, Ilya Novoselov, janus, Jim Garrison, John Ericson, Jude Taylor, Ludovic Courtès, Manuel Jacob, Mathnerd314, Pascal Wittmann, Peter Simons, Philip Potter, Preston Bennes, Rommel M. Martinez, Sander van der Burg, Shea Levy, Tim Cuthbertson, Tuomas Tynkkynen, Utku Demir and Vladimír Čunát.
This is primarily a bug fix release. It also has a number of new features:
A number of builtin functions have been added to reduce Nixpkgs/NixOS evaluation time and memory consumption: all
, any
, concatStringsSep
, foldl’
, genList
, replaceStrings
,sort
.
The garbage collector is more robust when the disk is full.
Nix supports a new API for building derivations that doesn’t require a .drv
file to be present on disk; it only requires an in-memory representation of the derivation. This is used by the Hydra continuous build system to make remote builds more efficient.
The function
now uses a builtin builder (i.e. it doesn’t require starting an external process; the download is performed by Nix itself). This ensures that derivation paths don’t change when Nix is upgraded, and obviates the need for ugly hacks to support chroot execution.
--version -v
now prints some configuration information, in particular what compile-time optional features are enabled, and the paths of various directories.
Build users have their supplementary groups set correctly.
This release has contributions from Eelco Dolstra, Guillaume Maudoux, Iwan Aucamp, Jaka Hudoklin, Kirill Elagin, Ludovic Courtès, Manolis Ragkousis, Nicolas B. Pierron and Shea Levy.
In addition to the usual bug fixes, this release has the following new features:
Signed binary cache support. You can enable signature checking by adding the following to nix.conf
:
signed-binary-caches = * binary-cache-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
This will prevent Nix from downloading any binary from the cache that is not signed by one of the keys listed in binary-cache-public-keys
.
Signature checking is only supported if you built Nix with the libsodium
package.
Note that while Nix has had experimental support for signed binary caches since version 1.7, this release changes the signature format in a backwards-incompatible way.
Automatic downloading of Nix expression tarballs. In various places, you can now specify the URL of a tarball containing Nix expressions (such as Nixpkgs), which will be downloaded and unpacked automatically. For example:
In nix-env:
$ nix-env -f https://github.com/NixOS/nixpkgs-channels/archive/nixos-14.12.tar.gz -iA firefox
This installs Firefox from the latest tested and built revision of the NixOS 14.12 channel.
In nix-build and nix-shell:
$ nix-build https://github.com/NixOS/nixpkgs/archive/master.tar.gz -A hello
This builds GNU Hello from the latest revision of the Nixpkgs master branch.
In the Nix search path (as specified via NIX_PATH
or -I
). For example, to start a shell containing the Pan package from a specific version of Nixpkgs:
$ nix-shell -p pan -I nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/8a3eea054838b55aca962c3fbde9c83c102b8bf2.tar.gz
In nixos-rebuild (on NixOS):
$ nixos-rebuild test -I nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz
In Nix expressions, via the new builtin function fetchTarball
:
with import (fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-14.12.tar.gz) {}; …
(This is not allowed in restricted mode.)
nix-shell improvements:
nix-shell now has a flag --run
to execute a command in the nix-shell environment, e.g. nix-shell --run make
. This is like the existing --command
flag, except that it uses a non-interactive shell (ensuring that hitting Ctrl-C won’t drop you into the child shell).
nix-shell can now be used as a #!
-interpreter. This allows you to write scripts that dynamically fetch their own dependencies. For example, here is a Haskell script that, when invoked, first downloads GHC and the Haskell packages on which it depends:
#! /usr/bin/env nix-shell #! nix-shell -i runghc -p haskellPackages.ghc haskellPackages.HTTP import Network.HTTP main = do resp <- Network.HTTP.simpleHTTP (getRequest "http://nixos.org/") body <- getResponseBody resp print (take 100 body)
Of course, the dependencies are cached in the Nix store, so the second invocation of this script will be much faster.
Chroot improvements:
Chroot builds are now supported on Mac OS X (using its sandbox mechanism).
If chroots are enabled, they are now used for all derivations, including fixed-output derivations (such as fetchurl
). The latter do have network access, but can no longer access the host filesystem. If you need the old behaviour, you can set the option build-use-chroot
to relaxed
.
On Linux, if chroots are enabled, builds are performed in a private PID namespace once again. (This functionality was lost in Nix 1.8.)
Store paths listed in build-chroot-dirs
are now automatically expanded to their closure. For instance, if you want /nix/store/…-bash/bin/sh
mounted in your chroot as /bin/sh
, you only need to say build-chroot-dirs = /bin/sh=/nix/store/…-bash/bin/sh
; it is no longer necessary to specify the dependencies of Bash.
The new derivation attribute passAsFile
allows you to specify that the contents of derivation attributes should be passed via files rather than environment variables. This is useful if you need to pass very long strings that exceed the size limit of the environment. The Nixpkgs function writeTextFile
uses this.
You can now use ~
in Nix file names to refer to your home directory, e.g. import ~/.nixpkgs/config.nix
.
Nix has a new option restrict-eval
that allows limiting what paths the Nix evaluator has access to. By passing --option restrict-eval true
to Nix, the evaluator will throw an exception if an attempt is made to access any file outside of the Nix search path. This is primarily intended for Hydra to ensure that a Hydra jobset only refers to its declared inputs (and is therefore reproducible).
nix-env now only creates a new “generation” symlink in /nix/var/nix/profiles
if something actually changed.
The environment variable NIX_PAGER
can now be set to override PAGER
. You can set it to cat
to disable paging for Nix commands only.
Failing <...>
lookups now show position information.
Improved Boehm GC use: we disabled scanning for interior pointers, which should reduce the “Repeated allocation of very large block
” warnings and associated retention of memory.
This release has contributions from aszlig, Benjamin Staffin, Charles Strahan, Christian Theune, Daniel Hahler, Danylo Hlynskyi Daniel Peebles, Dan Peebles, Domen Kožar, Eelco Dolstra, Harald van Dijk, Hoang Xuan Phu, Jaka Hudoklin, Jeff Ramnani, j-keck, Linquize, Luca Bruno, Michael Merickel, Oliver Dunkl, Rob Vermaas, Rok Garbas, Shea Levy, Tobias Geerinckx-Rice and William A. Kennington III.
Breaking change: to address a race condition, the remote build hook mechanism now uses nix-store --serve on the remote machine. This requires build slaves to be updated to Nix 1.8.
Nix now uses HTTPS instead of HTTP to access the default binary cache, cache.nixos.org
.
nix-env selectors are now regular expressions. For instance, you can do
$ nix-env -qa '.*zip.*'
to query all packages with a name containing zip
.
nix-store --read-log can now fetch remote build logs. If a build log is not available locally, then ‘nix-store -l’ will now try to download it from the servers listed in the ‘log-servers’ option in nix.conf. For instance, if you have the configuration option
log-servers = http://hydra.nixos.org/log
then it will try to get logs from http://hydra.nixos.org/log/
. This allows you to do things like:base name of the store path
$ nix-store -l $(which xterm)
and get a log even if xterm wasn't built locally.
New builtin functions: attrValues
, deepSeq
, fromJSON
, readDir
, seq
.
nix-instantiate --eval now has a --json
flag to print the resulting value in JSON format.
nix-copy-closure now uses nix-store --serve on the remote side to send or receive closures. This fixes a race condition between nix-copy-closure and the garbage collector.
Derivations can specify the new special attribute allowedRequisites
, which has a similar meaning to allowedReferences
. But instead of only enforcing to explicitly specify the immediate references, it requires the derivation to specify all the dependencies recursively (hence the name, requisites) that are used by the resulting output.
On Mac OS X, Nix now handles case collisions when importing closures from case-sensitive file systems. This is mostly useful for running NixOps on Mac OS X.
The Nix daemon has new configuration options allowed-users
(specifying the users and groups that are allowed to connect to the daemon) and trusted-users
(specifying the users and groups that can perform privileged operations like specifying untrusted binary caches).
The configuration option build-cores
now defaults to the number of available CPU cores.
Build users are now used by default when Nix is invoked as root. This prevents builds from accidentally running as root.
Nix now includes systemd units and Upstart jobs.
Speed improvements to nix-store --optimise.
Language change: the ==
operator now ignores string contexts (the “dependencies” of a string).
Nix now filters out Nix-specific ANSI escape sequences on standard error. They are supposed to be invisible, but some terminals show them anyway.
Various commands now automatically pipe their output into the pager as specified by the PAGER
environment variable.
Several improvements to reduce memory consumption in the evaluator.
This release has contributions from Adam Szkoda, Aristid Breitkreuz, Bob van der Linden, Charles Strahan, darealshinji, Eelco Dolstra, Gergely Risko, Joel Taylor, Ludovic Courtès, Marko Durkovic, Mikey Ariel, Paul Colomiets, Ricardo M. Correia, Ricky Elrod, Robert Helgesson, Rob Vermaas, Russell O'Connor, Shea Levy, Shell Turner, Sönke Hahn, Steve Purcell, Vladimír Čunát and Wout Mertens.
In addition to the usual bug fixes, this release has the following new features:
Antiquotation is now allowed inside of quoted attribute names (e.g. set."${foo}"
). In the case where the attribute name is just a single antiquotation, the quotes can be dropped (e.g. the above example can be written set.${foo}
). If an attribute name inside of a set declaration evaluates to null
(e.g. { ${null} = false; }
), then that attribute is not added to the set.
Experimental support for cryptographically signed binary caches. See the commit for details.
An experimental new substituter, download-via-ssh, that fetches binaries from remote machines via SSH. Specifying the flags --option use-ssh-substituter true --option ssh-substituter-hosts
will cause Nix to download binaries from the specified machine, if it has them.user@hostname
nix-store -r and nix-build have a new flag, --check
, that builds a previously built derivation again, and prints an error message if the output is not exactly the same. This helps to verify whether a derivation is truly deterministic. For example:
$ nix-build '' -A patchelf …
$ nix-build '' -A patchelf --check …
error: derivation `/nix/store/1ipvxs…-patchelf-0.6' may not be deterministic: hash mismatch in output `/nix/store/4pc1dm…-patchelf-0.6.drv'
The nix-instantiate flags --eval-only
and --parse-only
have been renamed to --eval
and --parse
, respectively.
nix-instantiate, nix-build and nix-shell now have a flag --expr
(or -E
) that allows you to specify the expression to be evaluated as a command line argument. For instance, nix-instantiate --eval -E '1 + 2'
will print 3
.
nix-shell improvements:
It has a new flag, --packages
(or -p
), that sets up a build environment containing the specified packages from Nixpkgs. For example, the command
$ nix-shell -p sqlite xorg.libX11 hello
will start a shell in which the given packages are present.
It now uses shell.nix
as the default expression, falling back to default.nix
if the former doesn’t exist. This makes it convenient to have a shell.nix
in your project to set up a nice development environment.
It evaluates the derivation attribute shellHook
, if set. Since stdenv
does not normally execute this hook, it allows you to do nix-shell-specific setup.
It preserves the user’s timezone setting.
In chroots, Nix now sets up a /dev
containing only a minimal set of devices (such as /dev/null
). Note that it only does this if you don’t have /dev
listed in your build-chroot-dirs
setting; otherwise, it will bind-mount the /dev
from outside the chroot.
Similarly, if you don’t have /dev/pts
listed in build-chroot-dirs
, Nix will mount a private devpts
filesystem on the chroot’s /dev/pts
.
New built-in function: builtins.toJSON
, which returns a JSON representation of a value.
nix-env -q has a new flag --json
to print a JSON representation of the installed or available packages.
nix-env now supports meta attributes with more complex values, such as attribute sets.
The -A
flag now allows attribute names with dots in them, e.g.
$ nix-instantiate --eval '' -A 'config.systemd.units."nscd.service".text'
The --max-freed
option to nix-store --gc now accepts a unit specifier. For example, nix-store --gc --max-freed 1G
will free up to 1 gigabyte of disk space.
nix-collect-garbage has a new flag --delete-older-than
N
d
, which deletes all user environment generations older than N
days. Likewise, nix-env --delete-generations accepts a N
d
age limit.
Nix now heuristically detects whether a build failure was due to a disk-full condition. In that case, the build is not flagged as “permanently failed”. This is mostly useful for Hydra, which needs to distinguish between permanent and transient build failures.
There is a new symbol __curPos
that expands to an attribute set containing its file name and line and column numbers, e.g. { file = "foo.nix"; line = 10; column = 5; }
. There also is a new builtin function, unsafeGetAttrPos
, that returns the position of an attribute. This is used by Nixpkgs to provide location information in error messages, e.g.
$ nix-build '' -A libreoffice --argstr system x86_64-darwin error: the package ‘libreoffice-4.0.5.2’ in ‘.../applications/office/libreoffice/default.nix:263’ is not supported on ‘x86_64-darwin’
The garbage collector is now more concurrent with other Nix processes because it releases certain locks earlier.
The binary tarball installer has been improved. You can now install Nix by running:
$ bash <(curl https://nixos.org/nix/install)
More evaluation errors include position information. For instance, selecting a missing attribute will print something like
error: attribute `nixUnstabl' missing, at /etc/nixos/configurations/misc/eelco/mandark.nix:216:15
The command nix-setuid-helper is gone.
Nix no longer uses Automake, but instead has a non-recursive, GNU Make-based build system.
All installed libraries now have the prefix libnix
. In particular, this gets rid of libutil
, which could clash with libraries with the same name from other packages.
Nix now requires a compiler that supports C++11.
This release has contributions from Danny Wilson, Domen Kožar, Eelco Dolstra, Ian-Woo Kim, Ludovic Courtès, Maxim Ivanov, Petr Rockai, Ricardo M. Correia and Shea Levy.
This is primarily a bug fix release. Changes of interest are:
Nix 1.6 accidentally changed the semantics of antiquoted paths in strings, such as "${/foo}/bar"
. This release reverts to the Nix 1.5.3 behaviour.
Previously, Nix optimised expressions such as "${
to expr
}"expr
. Thus it neither checked whether expr
could be coerced to a string, nor applied such coercions. This meant that"${123}"
evaluatued to 123
, and "${./foo}"
evaluated to ./foo
(even though "${./foo} "
evaluates to "/nix/store/
). Nix now checks the type of antiquoted expressions and applies coercions.hash
-foo "
Nix now shows the exact position of undefined variables. In particular, undefined variable errors in a with
previously didn't show any position information, so this makes it a lot easier to fix such errors.
Undefined variables are now treated consistently. Previously, the tryEval
function would catch undefined variables inside a with
but not outside. Now tryEval
never catches undefined variables.
Bash completion in nix-shell now works correctly.
Stack traces are less verbose: they no longer show calls to builtin functions and only show a single line for each derivation on the call stack.
New built-in function: builtins.typeOf
, which returns the type of its argument as a string.
In addition to the usual bug fixes, this release has several new features:
The command nix-build --run-env has been renamed to nix-shell.
nix-shell now sources $stdenv/setup
inside the interactive shell, rather than in a parent shell. This ensures that shell functions defined by stdenv
can be used in the interactive shell.
nix-shell has a new flag --pure
to clear the environment, so you get an environment that more closely corresponds to the “real” Nix build.
nix-shell now sets the shell prompt (PS1
) to ensure that Nix shells are distinguishable from your regular shells.
nix-env no longer requires a *
argument to match all packages, so nix-env -qa
is equivalent to nix-env -qa '*'
.
nix-env -i has a new flag --remove-all
(-r
) to remove all previous packages from the profile. This makes it easier to do declarative package management similar to NixOS’senvironment.systemPackages
. For instance, if you have a specification my-packages.nix
like this:
with import{}; [ thunderbird geeqie ... ]
then after any change to this file, you can run:
$ nix-env -f my-packages.nix -ir
to update your profile to match the specification.
The ‘with
’ language construct is now more lazy. It only evaluates its argument if a variable might actually refer to an attribute in the argument. For instance, this now works:
let pkgs = with pkgs; { foo = "old"; bar = foo; } // overrides; overrides = { foo = "new"; }; in pkgs.bar
This evaluates to "new"
, while previously it gave an “infinite recursion” error.
Nix now has proper integer arithmetic operators. For instance, you can write x + y
instead of builtins.add x y
, or x < y
instead of builtins.lessThan x y
. The comparison operators also work on strings.
On 64-bit systems, Nix integers are now 64 bits rather than 32 bits.
When using the Nix daemon, the nix-daemon worker process now runs on the same CPU as the client, on systems that support setting CPU affinity. This gives a significant speedup on some systems.
If a stack overflow occurs in the Nix evaluator, you now get a proper error message (rather than “Segmentation fault”) on some systems.
In addition to directories, you can now bind-mount regular files in chroots through the (now misnamed) option build-chroot-dirs
.
This release has contributions from Domen Kožar, Eelco Dolstra, Florian Friesdorf, Gergely Risko, Ivan Kozik, Ludovic Courtès and Shea Levy.
This is primarily a bug fix release. It has contributions from Eelco Dolstra, Lluís Batlle i Rossell and Shea Levy.
This is a brown paper bag release to fix a regression introduced by the hard link security fix in 1.4.
This release fixes a security bug in multi-user operation. It was possible for derivations to cause the mode of files outside of the Nix store to be changed to 444 (read-only but world-readable) by creating hard links to those files (details).
There are also the following improvements:
New built-in function: builtins.hashString
.
Build logs are now stored in /nix/var/log/nix/drvs/
, where XX
/XX
is the first two characters of the derivation. This is useful on machines that keep a lot of build logs (such as Hydra servers).
The function corepkgs/fetchurl
can now make the downloaded file executable. This will allow getting rid of all bootstrap binaries in the Nixpkgs source tree.
Language change: The expression "${./path} ..."
now evaluates to a string instead of a path.
This is primarily a bug fix release. When this version is first run on Linux, it removes any immutable bits from the Nix store and increases the schema version of the Nix store. (The previous release removed support for setting the immutable bit; this release clears any remaining immutable bits to make certain operations more efficient.)
This release has contributions from Eelco Dolstra and Stuart Pernsteiner.
This release has the following improvements and changes:
Nix has a new binary substituter mechanism: the binary cache. A binary cache contains pre-built binaries of Nix packages. Whenever Nix wants to build a missing Nix store path, it will check a set of binary caches to see if any of them has a pre-built binary of that path. The configuration setting binary-caches
contains a list of URLs of binary caches. For instance, doing
$ nix-env -i thunderbird --option binary-caches http://cache.nixos.org
will install Thunderbird and its dependencies, using the available pre-built binaries in http://cache.nixos.org
. The main advantage over the old “manifest”-based method of getting pre-built binaries is that you don’t have to worry about your manifest being in sync with the Nix expressions you’re installing from; i.e., you don’t need to run nix-pull to update your manifest. It’s also more scalable because you don’t need to redownload a giant manifest file every time.
A Nix channel can provide a binary cache URL that will be used automatically if you subscribe to that channel. If you use the Nixpkgs or NixOS channels (http://nixos.org/channels
) you automatically get the cache http://cache.nixos.org
.
Binary caches are created using nix-push. For details on the operation and format of binary caches, see the nix-push manpage. More details are provided in this nix-dev posting.
Multiple output support should now be usable. A derivation can declare that it wants to produce multiple store paths by saying something like
outputs = [ "lib" "headers" "doc" ];
This will cause Nix to pass the intended store path of each output to the builder through the environment variables lib
, headers
and doc
. Other packages can refer to a specific output by referring to
, e.g.pkg
.output
buildInputs = [ pkg.lib pkg.headers ];
If you install a package with multiple outputs using nix-env, each output path will be symlinked into the user environment.
Dashes are now valid as part of identifiers and attribute names.
The new operation nix-store --repair-path allows corrupted or missing store paths to be repaired by redownloading them. nix-store --verify --check-contents --repair will scan and repair all paths in the Nix store. Similarly, nix-env, nix-build, nix-instantiate and nix-store --realise have a --repair
flag to detect and fix bad paths by rebuilding or redownloading them.
Nix no longer sets the immutable bit on files in the Nix store. Instead, the recommended way to guard the Nix store against accidental modification on Linux is to make it a read-only bind mount, like this:
$ mount --bind /nix/store /nix/store $ mount -o remount,ro,bind /nix/store
Nix will automatically make /nix/store
writable as needed (using a private mount namespace) to allow modifications.
Store optimisation (replacing identical files in the store with hard links) can now be done automatically every time a path is added to the store. This is enabled by setting the configuration option auto-optimise-store
to true
(disabled by default).
Nix now supports xz compression for NARs in addition to bzip2. It compresses about 30% better on typical archives and decompresses about twice as fast.
Basic Nix expression evaluation profiling: setting the environment variable NIX_COUNT_CALLS
to 1
will cause Nix to print how many times each primop or function was executed.
New primops: concatLists
, elem
, elemAt
and filter
.
The command nix-copy-closure has a new flag --use-substitutes
(-s
) to download missing paths on the target machine using the substitute mechanism.
The command nix-worker has been renamed to nix-daemon. Support for running the Nix worker in “slave” mode has been removed.
The --help
flag of every Nix command now invokes man.
Chroot builds are now supported on systemd machines.
This release has contributions from Eelco Dolstra, Florian Friesdorf, Mats Erik Andersson and Shea Levy.
This release has the following improvements:
On Linux, when doing a chroot build, Nix now uses various namespace features provided by the Linux kernel to improve build isolation. Namely:
The private network namespace ensures that builders cannot talk to the outside world (or vice versa): each build only sees a private loopback interface. This also means that two concurrent builds can listen on the same port (e.g. as part of a test) without conflicting with each other.
The PID namespace causes each build to start as PID 1. Processes outside of the chroot are not visible to those on the inside. On the other hand, processes inside the chroot arevisible from the outside (though with different PIDs).
The IPC namespace prevents the builder from communicating with outside processes using SysV IPC mechanisms (shared memory, message queues, semaphores). It also ensures that all IPC objects are destroyed when the builder exits.
The UTS namespace ensures that builders see a hostname of localhost
rather than the actual hostname.
The private mount namespace was already used by Nix to ensure that the bind-mounts used to set up the chroot are cleaned up automatically.
Build logs are now compressed using bzip2. The command nix-store -l decompresses them on the fly. This can be disabled by setting the option build-compress-log
to false
.
The creation of build logs in /nix/var/log/nix/drvs
can be disabled by setting the new option build-keep-log
to false
. This is useful, for instance, for Hydra build machines.
Nix now reserves some space in /nix/var/nix/db/reserved
to ensure that the garbage collector can run successfully if the disk is full. This is necessary because SQLite transactions fail if the disk is full.
Added a basic fetchurl
function. This is not intended to replace the fetchurl
in Nixpkgs, but is useful for bootstrapping; e.g., it will allow us to get rid of the bootstrap binaries in the Nixpkgs source tree and download them instead. You can use it by doing import
. (Shea Levy)url
; sha256 = "hash
"; }
Improved RPM spec file. (Michel Alexandre Salim)
Support for on-demand socket-based activation in the Nix daemon with systemd.
Added a manpage for nix.conf(5).
When using the Nix daemon, the -s
flag in nix-env -qa is now much faster.
There have been numerous improvements and bug fixes since the previous release. Here are the most significant:
Nix can now optionally use the Boehm garbage collector. This significantly reduces the Nix evaluator’s memory footprint, especially when evaluating large NixOS system configurations. It can be enabled using the --enable-gc
configure option.
Nix now uses SQLite for its database. This is faster and more flexible than the old ad hoc format. SQLite is also used to cache the manifests in /nix/var/nix/manifests
, resulting in a significant speedup.
Nix now has an search path for expressions. The search path is set using the environment variable NIX_PATH
and the -I
command line option. In Nix expressions, paths between angle brackets are used to specify files that must be looked up in the search path. For instance, the expression
looks for a file nixpkgs/default.nix
relative to every element in the search path.
The new command nix-build --run-env builds all dependencies of a derivation, then starts a shell in an environment containing all variables from the derivation. This is useful for reproducing the environment of a derivation for development.
The new command nix-store --verify-path verifies that the contents of a store path have not changed.
The new command nix-store --print-env prints out the environment of a derivation in a format that can be evaluated by a shell.
Attribute names can now be arbitrary strings. For instance, you can write { "foo-1.2" = …; "bla bla" = …; }."bla bla"
.
Attribute selection can now provide a default value using the or
operator. For instance, the expression x.y.z or e
evaluates to the attribute x.y.z
if it exists, and e
otherwise.
The right-hand side of the ?
operator can now be an attribute path, e.g., attrs ? a.b.c
.
On Linux, Nix will now make files in the Nix store immutable on filesystems that support it. This prevents accidental modification of files in the store by the root user.
Nix has preliminary support for derivations with multiple outputs. This is useful because it allows parts of a package to be deployed and garbage-collected separately. For instance, development parts of a package such as header files or static libraries would typically not be part of the closure of an application, resulting in reduced disk usage and installation time.
The Nix store garbage collector is faster and holds the global lock for a shorter amount of time.
The option --timeout
(corresponding to the configuration setting build-timeout
) allows you to set an absolute timeout on builds — if a build runs for more than the given number of seconds, it is terminated. This is useful for recovering automatically from builds that are stuck in an infinite loop but keep producing output, and for which --max-silent-time
is ineffective.
Nix development has moved to GitHub (https://github.com/NixOS/nix).
This release has the following improvements:
The Nix expression evaluator is now much faster in most cases: typically, 3 to 8 times compared to the old implementation. It also uses less memory. It no longer depends on the ATerm library.
Support for configurable parallelism inside builders. Build scripts have always had the ability to perform multiple build actions in parallel (for instance, by running make -j 2), but this was not desirable because the number of actions to be performed in parallel was not configurable. Nix now has an option --cores
as well as a configuration setting N
build-cores =
that causes the environment variable N
NIX_BUILD_CORES
to be set to N
when the builder is invoked. The builder can use this at its discretion to perform a parallel build, e.g., by calling make -j N
. In Nixpkgs, this can be enabled on a per-package basis by setting the derivation attribute enableParallelBuilding
to true
.
nix-store -q now supports XML output through the --xml
flag.
Several bug fixes.
This is a bug-fix release. Among other things, it fixes building on Mac OS X (Snow Leopard), and improves the contents of /etc/passwd
and /etc/group
in chroot
builds.
This release has the following improvements:
The garbage collector now starts deleting garbage much faster than before. It no longer determines liveness of all paths in the store, but does so on demand.
Added a new operation, nix-store --query --roots, that shows the garbage collector roots that directly or indirectly point to the given store paths.
Removed support for converting Berkeley DB-based Nix databases to the new schema.
Removed the --use-atime
and --max-atime
garbage collector options. They were not very useful in practice.
On Windows, Nix now requires Cygwin 1.7.x.
A few bug fixes.
This is primarily a bug fix release. It has some new features:
Syntactic sugar for writing nested attribute sets. Instead of
{ foo = { bar = 123; xyzzy = true; }; a = { b = { c = "d"; }; }; }
you can write
{ foo.bar = 123; foo.xyzzy = true; a.b.c = "d"; }
This is useful, for instance, in NixOS configuration files.
Support for Nix channels generated by Hydra, the Nix-based continuous build system. (Hydra generates NAR archives on the fly, so the size and hash of these archives isn’t known in advance.)
Support i686-linux
builds directly on x86_64-linux
Nix installations. This is implemented using the personality()
syscall, which causes uname to return i686
in child processes.
Various improvements to the chroot
support. Building in a chroot
works quite well now.
Nix no longer blocks if it tries to build a path and another process is already building the same path. Instead it tries to build another buildable path first. This improves parallelism.
Support for large (> 4 GiB) files in NAR archives.
Various (performance) improvements to the remote build mechanism.
New primops: builtins.addErrorContext
(to add a string to stack traces — useful for debugging), builtins.isBool
, builtins.isString
, builtins.isInt
,builtins.intersectAttrs
.
OpenSolaris support (Sander van der Burg).
Stack traces are no longer displayed unless the --show-trace
option is used.
The scoping rules for inherit (
in recursive attribute sets have changed. The expression e
) ...e
can now refer to the attributes defined in the containing set.
Nix no longer uses Berkeley DB to store Nix store metadata. The principal advantages of the new storage scheme are: it works properly over decent implementations of NFS (allowing Nix stores to be shared between multiple machines); no recovery is needed when a Nix process crashes; no write access is needed for read-only operations; no more running out of Berkeley DB locks on certain operations.
You still need to compile Nix with Berkeley DB support if you want Nix to automatically convert your old Nix store to the new schema. If you don’t need this, you can build Nix with theconfigure
option --disable-old-db-compat
.
After the automatic conversion to the new schema, you can delete the old Berkeley DB files:
$ cd /nix/var/nix/db $ rm __db* log.* derivers references referrers reserved validpaths DB_CONFIG
The new metadata is stored in the directories /nix/var/nix/db/info
and /nix/var/nix/db/referrer
. Though the metadata is stored in human-readable plain-text files, they are not intended to be human-editable, as Nix is rather strict about the format.
The new storage schema may or may not require less disk space than the Berkeley DB environment, mostly depending on the cluster size of your file system. With 1 KiB clusters (which seems to be the ext3
default nowadays) it usually takes up much less space.
There is a new substituter that copies paths directly from other (remote) Nix stores mounted somewhere in the filesystem. For instance, you can speed up an installation by mounting some remote Nix store that already has the packages in question via NFS or sshfs
. The environment variable NIX_OTHER_STORES
specifies the locations of the remote Nix directories, e.g. /mnt/remote-fs/nix
.
New nix-store operations --dump-db
and --load-db
to dump and reload the Nix database.
The garbage collector has a number of new options to allow only some of the garbage to be deleted. The option --max-freed
tells the collector to stop after at least N
N
bytes have been deleted. The option --max-links
tells it to stop after the link count on N
/nix/store
has dropped below N
. This is useful for very large Nix stores on filesystems with a 32000 subdirectories limit (like ext3
). The option --use-atime
causes store paths to be deleted in order of ascending last access time. This allows non-recently used stuff to be deleted. The option --max-atime
specifies an upper limit to the last accessed time of paths that may be deleted. For instance,time
$ nix-store --gc -v --max-atime $(date +%s -d "2 months ago")
deletes everything that hasn’t been accessed in two months.
nix-env now uses optimistic profile locking when performing an operation like installing or upgrading, instead of setting an exclusive lock on the profile. This allows multiple nix-env -i / -u / -e operations on the same profile in parallel. If a nix-env operation sees at the end that the profile was changed in the meantime by another process, it will just restart. This is generally cheap because the build results are still in the Nix store.
The option --dry-run
is now supported by nix-store -r and nix-build.
The information previously shown by --dry-run
(i.e., which derivations will be built and which paths will be substituted) is now always shown by nix-env, nix-store -r and nix-build. The total download size of substitutable paths is now also shown. For instance, a build will show something like
the following derivations will be built: /nix/store/129sbxnk5n466zg6r1qmq1xjv9zymyy7-activate-configuration.sh.drv /nix/store/7mzy971rdm8l566ch8hgxaf89x7lr7ik-upstart-jobs.drv ... the following paths will be downloaded/copied (30.02 MiB): /nix/store/4m8pvgy2dcjgppf5b4cj5l6wyshjhalj-samba-3.2.4 /nix/store/7h1kwcj29ip8vk26rhmx6bfjraxp0g4l-libunwind-0.98.6 ...
Language features:
@-patterns as in Haskell. For instance, in a function definition
f = args @ {x, y, z}: ...
;
args
refers to the argument as a whole, which is further pattern-matched against the attribute set pattern {x, y, z}
.
“...
” (ellipsis) patterns. An attribute set pattern can now say ...
at the end of the attribute name list to specify that the function takes at least the listed attributes, while ignoring additional attributes. For instance,
{stdenv, fetchurl, fuse, ...}: ...
defines a function that accepts any attribute set that includes at least the three listed attributes.
New primops: builtins.parseDrvName
(split a package name string like "nix-0.12pre12876"
into its name and version components, e.g. "nix"
and "0.12pre12876"
),builtins.compareVersions
(compare two version strings using the same algorithm that nix-env uses), builtins.length
(efficiently compute the length of a list), builtins.mul
(integer multiplication), builtins.div
(integer division).
nix-prefetch-url now supports mirror://
URLs, provided that the environment variable NIXPKGS_ALL
points at a Nixpkgs tree.
Removed the commands nix-pack-closure and nix-unpack-closure. You can do almost the same thing but much more efficiently by doing nix-store --export $(nix-store -qR
and paths
) > closurenix-store --import < closure
.
Lots of bug fixes, including a big performance bug in the handling of with
-expressions.
Nix 0.11 has many improvements over the previous stable release. The most important improvement is secure multi-user support. It also features many usability enhancements and language extensions, many of them prompted by NixOS, the purely functional Linux distribution based on Nix. Here is an (incomplete) list:
Secure multi-user support. A single Nix store can now be shared between multiple (possible untrusted) users. This is an important feature for NixOS, where it allows non-root users to install software. The old setuid method for sharing a store between multiple users has been removed. Details for setting up a multi-user store can be found in the manual.
The new command nix-copy-closure gives you an easy and efficient way to exchange software between machines. It copies the missing parts of the closure of a set of store path to or from a remote machine via ssh.
A new kind of string literal: strings between double single-quotes (''
) have indentation “intelligently” removed. This allows large strings (such as shell scripts or configuration file fragments in NixOS) to cleanly follow the indentation of the surrounding expression. It also requires much less escaping, since ''
is less common in most languages than "
.
nix-env --set
modifies the current generation of a profile so that it contains exactly the specified derivation, and nothing else. For example, nix-env -p /nix/var/nix/profiles/browser --set firefox
lets the profile named browser
contain just Firefox.
nix-env now maintains meta-information about installed packages in profiles. The meta-information is the contents of the meta
attribute of derivations, such as description
orhomepage
. The command nix-env -q --xml --meta
shows all meta-information.
nix-env now uses the meta.priority
attribute of derivations to resolve filename collisions between packages. Lower priority values denote a higher priority. For instance, the GCC wrapper package and the Binutils package in Nixpkgs both have a file bin/ld
, so previously if you tried to install both you would get a collision. Now, on the other hand, the GCC wrapper declares a higher priority than Binutils, so the former’s bin/ld
is symlinked in the user environment.
nix-env -i / -u: instead of breaking package ties by version, break them by priority and version number. That is, if there are multiple packages with the same name, then pick the package with the highest priority, and only use the version if there are multiple packages with the same priority.
This makes it possible to mark specific versions/variant in Nixpkgs more or less desirable than others. A typical example would be a beta version of some package (e.g., gcc-4.2.0rc1
) which should not be installed even though it is the highest version, except when it is explicitly selected (e.g., nix-env -i gcc-4.2.0rc1
).
nix-env --set-flag allows meta attributes of installed packages to be modified. There are several attributes that can be usefully modified, because they affect the behaviour of nix-env or the user environment build script:
meta.priority
can be changed to resolve filename clashes (see above).
meta.keep
can be set to true
to prevent the package from being upgraded or replaced. Useful if you want to hang on to an older version of a package.
meta.active
can be set to false
to “disable” the package. That is, no symlinks will be generated to the files of the package, but it remains part of the profile (so it won’t be garbage-collected). Set it back to true
to re-enable the package.
nix-env -q now has a flag --prebuilt-only
(-b
) that causes nix-env to show only those derivations whose output is already in the Nix store or that can be substituted (i.e., downloaded from somewhere). In other words, it shows the packages that can be installed “quickly”, i.e., don’t need to be built from source. The -b
flag is also available in nix-env -i and nix-env -u to filter out derivations for which no pre-built binary is available.
The new option --argstr
(in nix-env, nix-instantiate and nix-build) is like --arg
, except that the value is a string. For example, --argstr system i686-linux
is equivalent to --arg system \"i686-linux\"
(note that --argstr
prevents annoying quoting around shell arguments).
nix-store has a new operation --read-log
(-l
) paths
that shows the build log of the given paths.
Nix now uses Berkeley DB 4.5. The database is upgraded automatically, but you should be careful not to use old versions of Nix that still use Berkeley DB 4.4.
The option --max-silent-time
(corresponding to the configuration setting build-max-silent-time
) allows you to set a timeout on builds — if a build produces no output on stdout
or stderr
for the given number of seconds, it is terminated. This is useful for recovering automatically from builds that are stuck in an infinite loop.
nix-channel: each subscribed channel is its own attribute in the top-level expression generated for the channel. This allows disambiguation (e.g. nix-env -i -A nixpkgs_unstable.firefox
).
The substitutes table has been removed from the database. This makes operations such as nix-pull and nix-channel --update much, much faster.
nix-pull now supports bzip2-compressed manifests. This speeds up channels.
nix-prefetch-url now has a limited form of caching. This is used by nix-channel to prevent unnecessary downloads when the channel hasn’t changed.
nix-prefetch-url now by default computes the SHA-256 hash of the file instead of the MD5 hash. In calls to fetchurl
you should pass the sha256
attribute instead of md5
. You can pass either a hexadecimal or a base-32 encoding of the hash.
Nix can now perform builds in an automatically generated “chroot”. This prevents a builder from accessing stuff outside of the Nix store, and thus helps ensure purity. This is an experimental feature.
The new command nix-store --optimise reduces Nix store disk space usage by finding identical files in the store and hard-linking them to each other. It typically reduces the size of the store by something like 25-35%.
~/.nix-defexpr
can now be a directory, in which case the Nix expressions in that directory are combined into an attribute set, with the file names used as the names of the attributes. The command nix-env --import (which set the ~/.nix-defexpr
symlink) is removed.
Derivations can specify the new special attribute allowedReferences
to enforce that the references in the output of a derivation are a subset of a declared set of paths. For example, if allowedReferences
is an empty list, then the output must not have any references. This is used in NixOS to check that generated files such as initial ramdisks for booting Linux don’t have any dependencies.
The new attribute exportReferencesGraph
allows builders access to the references graph of their inputs. This is used in NixOS for tasks such as generating ISO-9660 images that contain a Nix store populated with the closure of certain paths.
Fixed-output derivations (like fetchurl
) can define the attribute impureEnvVars
to allow external environment variables to be passed to builders. This is used in Nixpkgs to support proxy configuration, among other things.
Several new built-in functions: builtins.attrNames
, builtins.filterSource
, builtins.isAttrs
, builtins.isFunction
, builtins.listToAttrs
, builtins.stringLength
,builtins.sub
, builtins.substring
, throw
, builtins.trace
, builtins.readFile
.
This release fixes two somewhat obscure bugs that occur when evaluating Nix expressions that are stored inside the Nix store (NIX-67
). These do not affect most users.
This version of Nix uses Berkeley DB 4.4 instead of 4.3. The database is upgraded automatically, but you should be careful not to use old versions of Nix that still use Berkeley DB 4.3. In particular, if you use a Nix installed through Nix, you should run
$ nix-store --clear-substitutes
first.
Warning: Also, the database schema has changed slighted to fix a performance issue (see below). When you run any Nix 0.10 command for the first time, the database will be upgraded automatically. This is irreversible.
nix-env usability improvements:
An option --compare-versions
(or -c
) has been added to nix-env --query to allow you to compare installed versions of packages to available versions, or vice versa. An easy way to see if you are up to date with what’s in your subscribed channels is nix-env -qc \*
.
nix-env --query
now takes as arguments a list of package names about which to show information, just like --install
, etc.: for example, nix-env -q gcc
. Note that to show all derivations, you need to specify \*
.
nix-env -i
will now install the highest available version of pkgname
pkgname
, rather than installing all available versions (which would probably give collisions) (NIX-31
).
nix-env (-i|-u) --dry-run
now shows exactly which missing paths will be built or substituted.
nix-env -qa --description
shows human-readable descriptions of packages, provided that they have a meta.description
attribute (which most packages in Nixpkgs don’t have yet).
New language features:
Reference scanning (which happens after each build) is much faster and takes a constant amount of memory.
String interpolation. Expressions like
"--with-freetype2-library=" + freetype + "/lib"
can now be written as
"--with-freetype2-library=${freetype}/lib"
You can write arbitrary expressions within ${
, not just identifiers....
}
Multi-line string literals.
String concatenations can now involve derivations, as in the example "--with-freetype2-library=" + freetype + "/lib"
. This was not previously possible because we need to register that a derivation that uses such a string is dependent on freetype
. The evaluator now properly propagates this information. Consequently, the subpath operator (~
) has been deprecated.
Default values of function arguments can now refer to other function arguments; that is, all arguments are in scope in the default values (NIX-45
).
Lots of new built-in primitives, such as functions for list manipulation and integer arithmetic. See the manual for a complete list. All primops are now available in the set builtins
, allowing one to test for the availability of primop in a backwards-compatible way.
Real let-expressions: let x = ...; ... z = ...; in ...
.
New commands nix-pack-closure and nix-unpack-closure than can be used to easily transfer a store path with all its dependencies to another machine. Very convenient whenever you have some package on your machine and you want to copy it somewhere else.
XML support:
nix-env -q --xml
prints the installed or available packages in an XML representation for easy processing by other tools.
nix-instantiate --eval-only --xml
prints an XML representation of the resulting term. (The new flag --strict
forces ‘deep’ evaluation of the result, i.e., list elements and attributes are evaluated recursively.)
In Nix expressions, the primop builtins.toXML
converts a term to an XML representation. This is primarily useful for passing structured information to builders.
You can now unambiguously specify which derivation to build or install in nix-env, nix-instantiate and nix-build using the --attr
/ -A
flags, which takes an attribute name as argument. (Unlike symbolic package names such as subversion-1.4.0
, attribute names in an attribute set are unique.) For instance, a quick way to perform a test build of a package in Nixpkgs is nix-build pkgs/top-level/all-packages.nix -A
. foo
nix-env -q --attr
shows the attribute names corresponding to each derivation.
If the top-level Nix expression used by nix-env, nix-instantiate or nix-build evaluates to a function whose arguments all have default values, the function will be called automatically. Also, the new command-line switch --arg
can be used to specify function arguments on the command line.name
value
nix-install-package --url
allows a package to be installed directly from the given URL.URL
Nix now works behind an HTTP proxy server; just set the standard environment variables http_proxy
, https_proxy
, ftp_proxy
or all_proxy
appropriately. Functions such asfetchurl
in Nixpkgs also respect these variables.
nix-build -o
allows the symlink to the build result to be named something other than symlink
result
.
Platform support:
Support for 64-bit platforms, provided a suitably patched ATerm library is used. Also, files larger than 2 GiB are now supported.
Added support for Cygwin (Windows, i686-cygwin
), Mac OS X on Intel (i686-darwin
) and Linux on PowerPC (powerpc-linux
).
Users of SMP and multicore machines will appreciate that the number of builds to be performed in parallel can now be specified in the configuration file in the build-max-jobs
setting.
Garbage collector improvements:
Open files (such as running programs) are now used as roots of the garbage collector. This prevents programs that have been uninstalled from being garbage collected while they are still running. The script that detects these additional runtime roots (find-runtime-roots.pl
) is inherently system-specific, but it should work on Linux and on all platforms that have the lsof utility.
nix-store --gc
(a.k.a. nix-collect-garbage) prints out the number of bytes freed on standard output. nix-store --gc --print-dead
shows how many bytes would be freed by an actual garbage collection.
nix-collect-garbage -d
removes all old generations of all profiles before calling the actual garbage collector (nix-store --gc
). This is an easy way to get rid of all old packages in the Nix store.
nix-store now has an operation --delete
to delete specific paths from the Nix store. It won’t delete reachable (non-garbage) paths unless --ignore-liveness
is specified.
Berkeley DB 4.4’s process registry feature is used to recover from crashed Nix processes.
A performance issue has been fixed with the referer
table, which stores the inverse of the references
table (i.e., it tells you what store paths refer to a given path). Maintaining this table could take a quadratic amount of time, as well as a quadratic amount of Berkeley DB log file space (in particular when running the garbage collector) (NIX-23
).
Nix now catches the TERM
and HUP
signals in addition to the INT
signal. So you can now do a killall nix-store
without triggering a database recovery.
bsdiff updated to version 4.3.
Substantial performance improvements in expression evaluation and nix-env -qa
, all thanks to Valgrind. Memory use has been reduced by a factor 8 or so. Big speedup by memoisation of path hashing.
Lots of bug fixes, notably:
Make sure that the garbage collector can run successfully when the disk is full (NIX-18
).
nix-env now locks the profile to prevent races between concurrent nix-env operations on the same profile (NIX-7
).
Removed misleading messages from nix-env -i
(e.g., installing `foo'
followed by uninstalling `foo'
) (NIX-17
).
Nix source distributions are a lot smaller now since we no longer include a full copy of the Berkeley DB source distribution (but only the bits we need).
Header files are now installed so that external programs can use the Nix libraries.
This bug fix release fixes two problems on Mac OS X:
If Nix was linked against statically linked versions of the ATerm or Berkeley DB library, there would be dynamic link errors at runtime.
nix-pull and nix-push intermittently failed due to race conditions involving pipes and child processes with error messages such as open2: open(GLOB(0x180b2e4), >&=9) failed: Bad file descriptor at /nix/bin/nix-pull line 77
(issue NIX-14
).
This bug fix release addresses a problem with the ATerm library when the --with-aterm
flag in configure was not used.
NOTE: this version of Nix uses Berkeley DB 4.3 instead of 4.2. The database is upgraded automatically, but you should be careful not to use old versions of Nix that still use Berkeley DB 4.2. In particular, if you use a Nix installed through Nix, you should run
$ nix-store --clear-substitutes
first.
Unpacking of patch sequences is much faster now since we no longer do redundant unpacking and repacking of intermediate paths.
Nix now uses Berkeley DB 4.3.
The derivation
primitive is lazier. Attributes of dependent derivations can mutually refer to each other (as long as there are no data dependencies on the outPath
and drvPath
attributes computed by derivation
).
For example, the expression derivation attrs
now evaluates to (essentially)
attrs // { type = "derivation"; outPath = derivation! attrs; drvPath = derivation! attrs; }
where derivation!
is a primop that does the actual derivation instantiation (i.e., it does what derivation
used to do). The advantage is that it allows commands such as nix-env -qaand nix-env -i to be much faster since they no longer need to instantiate all derivations, just the name
attribute.
Also, it allows derivations to cyclically reference each other, for example,
webServer = derivation { ... hostName = "svn.cs.uu.nl"; services = [svnService]; }; svnService = derivation { ... hostName = webServer.hostName; };
Previously, this would yield a black hole (infinite recursion).
nix-build now defaults to using ./default.nix
if no Nix expression is specified.
nix-instantiate, when applied to a Nix expression that evaluates to a function, will call the function automatically if all its arguments have defaults.
Nix now uses libtool to build dynamic libraries. This reduces the size of executables.
A new list concatenation operator ++
. For example, [1 2 3] ++ [4 5 6]
evaluates to [1 2 3 4 5 6]
.
Some currently undocumented primops to support low-level build management using Nix (i.e., using Nix as a Make replacement). See the commit messages for r3578
and r3580
.
Various bug fixes and performance improvements.
This is a bug fix release.
Patch downloading was broken.
The garbage collector would not delete paths that had references from invalid (but substitutable) paths.
NOTE: the hashing scheme in Nix 0.8 changed (as detailed below). As a result, nix-pull manifests and channels built for Nix 0.7 and below will now work anymore. However, the Nix expression language has not changed, so you can still build from source. Also, existing user environments continue to work. Nix 0.8 will automatically upgrade the database schema of previous installations when it is first run.
If you get the error message
you have an old-style manifest `/nix/var/nix/manifests/[...]'; please delete it
you should delete previously downloaded manifests:
$ rm /nix/var/nix/manifests/*
If nix-channel gives the error message
manifest `http://catamaran.labs.cs.uu.nl/dist/nix/channels/[channel]/MANIFEST' is too old (i.e., for Nix <= 0.7)
then you should unsubscribe from the offending channel (nix-channel --remove URL
; leave out /MANIFEST
), and subscribe to the same URL, with channels
replaced by channels-v3
(e.g., http://catamaran.labs.cs.uu.nl/dist/nix/channels-v3/nixpkgs-unstable).
Nix 0.8 has the following improvements:
The cryptographic hashes used in store paths are now 160 bits long, but encoded in base-32 so that they are still only 32 characters long (e.g.,/nix/store/csw87wag8bqlqk7ipllbwypb14xainap-atk-1.9.0
). (This is actually a 160 bit truncation of a SHA-256 hash.)
Big cleanups and simplifications of the basic store semantics. The notion of “closure store expressions” is gone (and so is the notion of “successors”); the file system references of a store path are now just stored in the database.
For instance, given any store path, you can query its closure:
$ nix-store -qR $(which firefox) ... lots of paths ...
Also, Nix now remembers for each store path the derivation that built it (the “deriver”):
$ nix-store -qR $(which firefox) /nix/store/4b0jx7vq80l9aqcnkszxhymsf1ffa5jd-firefox-1.0.1.drv
So to see the build-time dependencies, you can do
$ nix-store -qR $(nix-store -qd $(which firefox))
or, in a nicer format:
$ nix-store -q --tree $(nix-store -qd $(which firefox))
File system references are also stored in reverse. For instance, you can query all paths that directly or indirectly use a certain Glibc:
$ nix-store -q --referrers-closure \ /nix/store/8lz9yc6zgmc0vlqmn2ipcpkjlmbi51vv-glibc-2.3.4
The concept of fixed-output derivations has been formalised. Previously, functions such as fetchurl
in Nixpkgs used a hack (namely, explicitly specifying a store path hash) to prevent changes to, say, the URL of the file from propagating upwards through the dependency graph, causing rebuilds of everything. This can now be done cleanly by specifying the outputHash
and outputHashAlgo
attributes. Nix itself checks that the content of the output has the specified hash. (This is important for maintaining certain invariants necessary for future work on secure shared stores.)
One-click installation :-) It is now possible to install any top-level component in Nixpkgs directly, through the web — see, e.g., http://catamaran.labs.cs.uu.nl/dist/nixpkgs-0.8/. All you have to do is associate /nix/bin/nix-install-package
with the MIME type application/nix-package
(or the extension .nixpkg
), and clicking on a package link will cause it to be installed, with all appropriate dependencies. If you just want to install some specific application, this is easier than subscribing to a channel.
nix-store -r PATHS
now builds all the derivations PATHS in parallel. Previously it did them sequentially (though exploiting possible parallelism between subderivations). This is nice for build farms.
nix-channel has new operations --list
and --remove
.
New ways of installing components into user environments:
Copy from another user environment:
$ nix-env -i --from-profile .../other-profile firefox
Install a store derivation directly (bypassing the Nix expression language entirely):
$ nix-env -i /nix/store/z58v41v21xd3...-aterm-2.3.1.drv
(This is used to implement nix-install-package, which is therefore immune to evolution in the Nix expression language.)
Install an already built store path directly:
$ nix-env -i /nix/store/hsyj5pbn0d9i...-aterm-2.3.1
Install the result of a Nix expression specified as a command-line argument:
$ nix-env -f .../i686-linux.nix -i -E 'x: x.firefoxWrapper'
The difference with the normal installation mode is that -E
does not use the name
attributes of derivations. Therefore, this can be used to disambiguate multiple derivations with the same name.
A hash of the contents of a store path is now stored in the database after a successful build. This allows you to check whether store paths have been tampered with: nix-store --verify --check-contents.
Implemented a concurrent garbage collector. It is now always safe to run the garbage collector, even if other Nix operations are happening simultaneously.
However, there can still be GC races if you use nix-instantiate and nix-store --realise directly to build things. To prevent races, use the --add-root
flag of those commands.
The garbage collector now finally deletes paths in the right order (i.e., topologically sorted under the “references” relation), thus making it safe to interrupt the collector without risking a store that violates the closure invariant.
Likewise, the substitute mechanism now downloads files in the right order, thus preserving the closure invariant at all times.
The result of nix-build is now registered as a root of the garbage collector. If the ./result
link is deleted, the GC root disappears automatically.
The behaviour of the garbage collector can be changed globally by setting options in /nix/etc/nix/nix.conf
.
gc-keep-derivations
specifies whether deriver links should be followed when searching for live paths.
gc-keep-outputs
specifies whether outputs of derivations should be followed when searching for live paths.
env-keep-derivations
specifies whether user environments should store the paths of derivations when they are added (thus keeping the derivations alive).
New nix-env query flags --drv-path
and --out-path
.
fetchurl allows SHA-1 and SHA-256 in addition to MD5. Just specify the attribute sha1
or sha256
instead of md5
.
Manual updates.
Binary patching. When upgrading components using pre-built binaries (through nix-pull / nix-channel), Nix can automatically download and apply binary patches to already installed components instead of full downloads. Patching is “smart”: if there is a sequence of patches to an installed component, Nix will use it. Patches are currently generated automatically between Nixpkgs (pre-)releases.
Simplifications to the substitute mechanism.
Nix-pull now stores downloaded manifests in /nix/var/nix/manifests
.
Metadata on files in the Nix store is canonicalised after builds: the last-modified timestamp is set to 0 (00:00:00 1/1/1970), the mode is set to 0444 or 0555 (readable and possibly executable by all; setuid/setgid bits are dropped), and the group is set to the default. This ensures that the result of a build and an installation through a substitute is the same; and that timestamp dependencies are revealed.
Rewrite of the normalisation engine.
Multiple builds can now be performed in parallel (option -j
).
Distributed builds. Nix can now call a shell script to forward builds to Nix installations on remote machines, which may or may not be of the same platform type.
Option --fallback
allows recovery from broken substitutes.
Option --keep-going
causes building of other (unaffected) derivations to continue if one failed.
Improvements to the garbage collector (i.e., it should actually work now).
Setuid Nix installations allow a Nix store to be shared among multiple users.
Substitute registration is much faster now.
A utility nix-build to build a Nix expression and create a symlink to the result int the current directory; useful for testing Nix derivations.
Manual updates.
nix-env changes:
Derivations for other platforms are filtered out (which can be overridden using --system-filter
).
--install
by default now uninstall previous derivations with the same name.
--upgrade
allows upgrading to a specific version.
New operation --delete-generations
to remove profile generations (necessary for effective garbage collection).
Nicer output (sorted, columnised).
More sensible verbosity levels all around (builder output is now shown always, unless -Q
is given).
Nix expression language changes:
New language construct: with
brings all attributes defined in the attribute set E1
; E2
E1
in scope in E2
.
Added a map
function.
Various new operators (e.g., string concatenation).
Expression evaluation is much faster.
An Emacs mode for editing Nix expressions (with syntax highlighting and indentation) has been added.
Many bug fixes.
Please refer to the Subversion commit log messages.