<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-16.09">

<title>Release 16.09 (“Flounder”, 2016/09/30)</title>

<para>In addition to numerous new and upgraded packages, this release
has the following highlights: </para>

<itemizedlist>

  <listitem>
    <para>Many NixOS configurations and Nix packages now use
    significantly less disk space, thanks to the <link
    xlink:href="https://github.com/NixOS/nixpkgs/issues/7117">extensive
    work on closure size reduction</link>. For example, the closure
    size of a minimal NixOS container went down from ~424 MiB in 16.03
    to ~212 MiB in 16.09, while the closure size of Firefox went from
    ~651 MiB to ~259 MiB.</para>
  </listitem>

  <listitem>
    <para>To improve security, packages are now <link
    xlink:href="https://github.com/NixOS/nixpkgs/pull/12895">built
    using various hardening features</link>. See the Nixpkgs manual
    for more information.</para>
  </listitem>

  <listitem>
    <para>Support for PXE netboot. See <xref
    linkend="sec-booting-from-pxe" /> for documentation.</para>
  </listitem>

  <listitem>
    <para>X.org server 1.18. If you use the
    <literal>ati_unfree</literal> driver, 1.17 is still used due to an
    ABI incompatibility.</para>
  </listitem>

  <listitem>
    <para>This release is based on Glibc 2.24, GCC 5.4.0 and systemd
    231. The default Linux kernel remains 4.4.</para>
  </listitem>

</itemizedlist>

<para>The following new services were added since the last release:</para>

<itemizedlist>
  <listitem><para><literal>(this will get automatically generated at release time)</literal></para></listitem>
</itemizedlist>

<para>When upgrading from a previous release, please be aware of the
following incompatible changes:</para>

<itemizedlist>

  <listitem>
    <para>A large number of packages have been converted to use the multiple outputs feature
    of Nix to greatly reduce the amount of required disk space, as
    mentioned above. This may require changes
    to any custom packages to make them build again; see the relevant chapter in the
    Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions
    related to multiple-output packages
    <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were changed</link>
    late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.)
    </para>
  </listitem>

  <listitem>
    <para>Previous versions of Nixpkgs had support for all versions of the LTS
    Haskell package set. That support has been dropped. The previously provided
    <literal>haskell.packages.lts-x_y</literal> package sets still exist in
    name to avoid breaking user code, but these package sets don't actually
    contain the versions mandated by the corresponding LTS release. Instead,
    our package set is loosely based on the latest available LTS release, i.e.
    LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will
    drop those old names entirely. <link
    xlink:href="https://nixos.org/nix-dev/2016-June/020585.html">The
    motivation for this change</link> has been discussed at length on the
    <literal>nix-dev</literal> mailing list and in <link
    xlink:href="https://github.com/NixOS/nixpkgs/issues/14897">GitHub issue
    #14897</link>. Development strategies for Haskell hackers who want to rely
    on Nix and NixOS have been described in <link
    xlink:href="https://nixos.org/nix-dev/2016-June/020642.html">another
    nix-dev article</link>.</para>
  </listitem>

  <listitem>
    <para>Shell aliases for systemd sub-commands
    <link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were dropped</link>:
    <command>start</command>, <command>stop</command>,
    <command>restart</command>, <command>status</command>.</para>
  </listitem>

  <listitem>
    <para>Redis now binds to 127.0.0.1 only instead of listening on all network interfaces. This is the default
    behavior of Redis 3.2.</para>
  </listitem>

  <listitem>
    <para>
    <literal>/var/empty</literal> is now immutable. The activation script runs <command>chattr +i</command>
    to forbid any modifications inside the folder. See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18365">
    the pull request</link> for the bugs this fixed.
    </para>
  </listitem>

  <listitem>
    <para>Gitlab's maintenance script
    <command>gitlab-runner</command> was removed and split up into the
    clearer <command>gitlab-run</command> and
    <command>gitlab-rake</command> scripts, because
    <command>gitlab-runner</command> is a component of Gitlab
    CI.</para>
  </listitem>

  <listitem>
    <para>The <literal>services.xserver.libinput.accelProfile</literal> default
    changed from <literal>flat</literal> to <literal>adaptive</literal>,
    as per the <link xlink:href="https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79">
    official documentation</link>.</para>
  </listitem>

  <listitem>
    <para><literal>fonts.fontconfig.ultimate.rendering</literal> was removed
    because our presets had been obsolete for some time. New presets are hardcoded
    into FreeType; you can select a preset via <literal>fonts.fontconfig.ultimate.preset</literal>.
    You can customize those presets via ordinary environment variables, using
    <literal>environment.variables</literal>.</para>
  </listitem>

  <listitem>
    <para>The <literal>audit</literal> service is no longer enabled by default.
    Use <literal>security.audit.enable = true</literal> to explicitly enable it.</para>
  </listitem>

  <listitem>
    <para>
    <literal>pkgs.linuxPackages.virtualbox</literal> now contains only the
    kernel modules instead of the VirtualBox user space binaries.
    If you want to reference the user space binaries, you have to use the new
    <literal>pkgs.virtualbox</literal> instead.
    </para>
  </listitem>

  <listitem>
    <para><literal>goPackages</literal> was replaced with separate Go
    applications in the appropriate <literal>nixpkgs</literal>
    categories. Each Go package uses its own dependency set. There's
    also a new <literal>go2nix</literal> tool introduced to generate a
    Go package definition from its Go source automatically.</para>
  </listitem>

  <listitem>
    <para>The <literal>services.mongodb.extraConfig</literal> configuration format
    was changed to YAML.</para>
  </listitem>

  <listitem>
    <para>
    PHP has been upgraded to 7.0.
    </para>
  </listitem>
</itemizedlist>


<para>Other notable improvements:</para>

<itemizedlist>

  <listitem><para>Revamped grsecurity/PaX support. There is now only a single
  general-purpose distribution kernel and the configuration interface has been
  streamlined. Desktop users should be able to simply set
  <programlisting>security.grsecurity.enable = true</programlisting> to get
  a reasonably secure system without having to sacrifice too much
  functionality. See <xref linkend="sec-grsecurity" /> for documentation.
  </para></listitem>

  <listitem><para>Special filesystems, like <literal>/proc</literal>,
  <literal>/run</literal> and others, now have the same mount options
  as recommended by systemd and are unified across different places in
  NixOS. Mount options are updated during <command>nixos-rebuild
  switch</command> if possible. One benefit from this is improved
  security — most such filesystems are now mounted with
  <literal>noexec</literal>, <literal>nodev</literal> and/or
  <literal>nosuid</literal> options.</para></listitem>

  <listitem><para>The reverse path filter was interfering with DHCPv4 server
  operation in the past. An exception for DHCPv4 and a new option to log
  packets that were dropped due to the reverse path filter were added
  (<literal>networking.firewall.logReversePathDrops</literal>) for easier
  debugging.</para></listitem>

  <listitem><para>Container configuration within
  <literal>containers.&lt;name&gt;.config</literal> is <link
  xlink:href="https://github.com/NixOS/nixpkgs/pull/17365">now
  properly typed and checked</link>. In particular, partial
  configurations are merged correctly.</para></listitem>

  <listitem>
    <para>The directory containing setuid wrapper programs,
    <filename>/var/setuid-wrappers</filename>, <link
    xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now
    updated atomically to prevent failures if the switch to a new
    configuration is interrupted.</link></para>
  </listitem>

  <listitem>
    <para><literal>services.xserver.startGnuPGAgent</literal>
    has been removed due to the GnuPG 2.1.x bump. See <link
    xlink:href="https://github.com/NixOS/nixpkgs/commit/5391882ebd781149e213e8817fba6ac3c503740c">
    how to achieve similar behavior</link>. You might need to
    <literal>pkill gpg-agent</literal> after the upgrade
    to prevent a stale agent from being in the way.
    </para>
  </listitem>

  <listitem><para>
    <link xlink:href="https://github.com/NixOS/nixpkgs/commit/e561edc322d275c3687fec431935095cfc717147">
    Declarative users could share a uid due to a bug in
    the script handling conflict resolution.
    </link>
  </para></listitem>

  <listitem><para>
    Gummiboot has been replaced with systemd-boot.
  </para></listitem>

  <listitem><para>
    A Hydra package and NixOS module were added for convenience.
  </para></listitem>

</itemizedlist>


</section>
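A post-upgrade check for the special-filesystem mount-option change described under "Other notable improvements", added here as an example and not part of the NixOS release notes or of the NixOS tree: it reads /proc/mounts-formatted lines and reports, per pseudo/tmpfs filesystem, which of nosuid, nodev and noexec are absent, so the result can be compared with what the new unified options are expected to set. The list of filesystem types treated as special and the sample mount table are my assumptions, and device-node filesystems (devtmpfs, devpts) are exempted from the nodev check because they cannot work with it.

```shell
#!/bin/sh
# check_special_mounts: read /proc/mounts-formatted lines on stdin and print,
# for every pseudo/tmpfs filesystem, the hardening flags (nosuid, nodev,
# noexec) that are absent from its mount options. Prints nothing when no
# flag is missing. Filesystems that hold device nodes (devtmpfs, devpts)
# legitimately lack nodev, so that flag is not reported for them.
check_special_mounts() {
  awk '
    $3 ~ /^(proc|sysfs|tmpfs|devtmpfs|devpts|cgroup2?|securityfs|debugfs|mqueue)$/ {
      opts = "," $4 ","          # wrap so each option is delimited on both sides
      missing = ""
      if (opts !~ /,nosuid,/) missing = missing " nosuid"
      if (opts !~ /,nodev,/ && $3 !~ /^dev/) missing = missing " nodev"
      if (opts !~ /,noexec,/) missing = missing " noexec"
      if (missing != "") print $2 ":" missing
    }'
}

# Constructed sample in /proc/mounts format (not captured from a real host);
# on a live NixOS system run:  check_special_mounts < /proc/mounts
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=3,mode=620 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# run_sample returns the report for the constructed sample (two findings:
# /run lacks noexec, /dev/shm lacks all three; the rest are clean or skipped).
run_sample() {
  printf '%s\n' "$SAMPLE_MOUNTS" | check_special_mounts
}

run_sample
```

Whether a reported flag is actually expected on a given mount (for instance noexec on /run) is a per-filesystem decision; the report only shows what is absent.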