I’m a bit late, but the GNOME 42 update was merged two days ago and finally hit unstable today. As usual, there are some backwards incompatible changes that require manual intervention. Also, some breakage has already been caught.
1 Like
OpenLDAP was updated from the 2.4 series to 2.6.2 today. With it comes the removal of a few storage backends, like hdb, bdb and ndb. Before upgrading everyone should dump their database (slapcat -n 1) and make sure they have a working backup. If you’re looking for a new sane default, use mdb.
1 Like
checkMeta is being enabled by default. Meta attributes have occasionally been checked for long enough so that this should not break much, but it still is a breaking change. This might slightly affect evaluation performance, but there is always the option to explicitly turn the check off.
1 Like
PPD files in pkgs.cups-drv-rastertosag-gdi are now gzipped. If you refer to such a PPD file with its path (e.g. via the option hardware.printers.ensurePrinters) you will need to append .gz to the path.
https://github.com/NixOS/nixpkgs/pull/133537
2 Likes
The firefox-wayland, thunderbird-wayland and librewolf-wayland attributes have been converted to aliases, because Wayland support has been enabled by default in the generic package versions.
Please migrate from the attributes above to firefox, thunderbird or librewolf.
The only relevant outcome from this change is that by default these programs will not use XWayland anymore, but instead Wayland on Wayland and X11 on X11.
This behaviour can be reverted at runtime by exporting MOZ_ENABLE_WAYLAND=0 in your environment.
https://github.com/NixOS/nixpkgs/pull/201359#event-7842076273
5 Likes
I updated the cinnamon desktop to 5.6, please read the pull request for what is changed. If some of your settings are “changed” / “broken” after this update, reconfigure them in the cinnamon-settings app.
1 Like
Services avahi, unifi-video, tmate-ssh-server and snapserver won’t open the firewall by default anymore. If you use them, either use openFirewall = true in the module, or open the according ports in your locally managed firewall.
4 Likes
Pipewire 0.3.67 (hopefully next staging cycle) will remove the services.pipewire.config options, as they don’t work the way most people expect and are a large maintenance burden for questionable gain. See Pipewire 0.3.67 + big module cleanup by K900 · Pull Request #220332 · NixOS/nixpkgs · GitHub for the change, Pipewire migration guide · GitHub for migration notes and feel free to ping me here, on Github or on Matrix (@k900:0upti.me) if you really want this to be preserved.
I also want to drop services.pipewire.media-session in the same cycle, but hopefully no one is using that.
1 Like
fcitx4 has stoped maintaining on upstream and fcitx5 is released instead. To avoid misguiding a new user to use old version, fcitx4 should be removed from nixpkgs and nixos.
We make a pr here. fcitx: remove version 4 by Vonfry · Pull Request #220776 · NixOS/nixpkgs · GitHub
2 Likes
With the next staging cycle the support for old and weak password hashing algorithms will be removed.
- It was previously annouced in the NixOS 22.11 release notes
- The new default algorithm will be
yescrypt - We will still support
sha512crypt(prefixed with$6$) hashes, but do recommend migrating to a proper KDF- Use
mkpasswdto generate a password hash today - Use
passwdafter this PR has reached your system
- Use
- We upgraded the warnings for stateful and declarative passwords, to highlight user accounts with unsupported algorithms, when detected
1 Like
The matrix-synapse package will stop accepting the enableSystemd and enableRedis arguments, since their discoverability is weak. Instead, all extras can now be configured from the module at services.matrix-synapse.extras.
2 Likes
PR #224042 is going to refactor RIME data support of ibus-rime and fcitx5-rime, causing two small breaking changes:
-
fcitx5-rimeusers need to removei18n.inputMethod.fcitx5.enableRimeData = truefrom their configuration.The option is no longer needed, the default rime data package
rime-datais included infcitx5-rimeby default. To customize rime data, usefcitx5-rime.override { rimeData = [ data1, data2, ... ] }fcitx5-rime.override { rimeDataPkgs = [ pkgs.rime-data, package2, ... ] }(currently there is only one RIME data packagerime-datain nixpkgs.) -
ibus-rime's rime-dataibus_rime.yamlis not loaded before this PR. As a workaround, some users use a~/.config/ibus/rime/ibus_rime.yamlfile to customizeibus-rime. With this change,ibus_rime.yamlwill be properly loaded, users need to use a~/.config/ibus/rime/ibus_rime.custom.yamlfile instead to customizeibus-rime.Migration example:
Old workaround
~/.config/ibus/rime/ibus_rime.yamlstyle: horizontal: trueShould be changed to
~/.config/ibus/rime/ibus_rime.custom.yamlpatch: style/horizontal: true
1 Like
nixos/bootspec: adopt the merged RFC-0125 by RaitoBezarius · Pull Request #224489 · NixOS/nixpkgs · GitHub will break GitHub - nix-community/lanzaboote: Secure Boot for NixOS [maintainers=@blitz @raitobezarius @nikstur] and any previous generations using the old format for bootspec.
If you are interested in backward compatibility for your older generations, please start a discussion in bootspec channel.
4 Likes
buildFHSEnv will default to using the Bubblewrap implementation rather than Chrootenv. If your FHS-wrapped packages start to misbehave, please ping me.
3 Likes
Heads-up
We decided to make Node.js 14, 16 and OpenSSL 1.1 EOL at the moment on unstable.
For what is worth, this had the effect to mark as insecure a serious amount of web applications: https://hydra.nixos.org/eval/1795260?full=1#tabs-removed including this very forum software.
While we are working hard to minimize this set by fixing stuff in Ruby, we cannot make it up for upstream shortcomings while they had months to adopt the newer V8 engine (useful reminder: Node.js | endoflife.date).
https://github.com/rubyjs/mini_racer/pull/261 ; Will Node 18 LTS become the default Node version on the agent images? · actions/runner-images · Discussion #5429 · GitHub ; [PM-358] Bump electron to 24 and node to 18 (#5205) · bitwarden/clients@9a41d5d · GitHub (not part of any release at the time of writing).
It will be a bumpy ride for the next days, but we can only hope or wait for upstream to figure out this.
FYI, it will be likely those insecure warnings (which can be bypassed by following the instructions) will be part of the stable release.
12 Likes
pkgs.ankisyncd and the services.ankisyncd service have been switched from an old obsolete version of anki-sync-server to anki-sync-server-rs
The old version only implemented the old protocol compatible with the old 2.1.15 anki package (and similarly old android/external clients), while the new one only implements the new protocol which will work with the current nixos anki packages, ankidroid etc, so if you were using it with clients held back on purpose you will need to upgrade your clients.
The password database and anki data itself is compatible, so upgrading clients should just work, resyncing if required.
5 Likes
The default version for python310Packages.django is moving from django_3 (3.2.x) to django_4 (4.2.x). This is because we want to follow the mainstream LTS support, while Django 3.x has already entered the extended LTS support period in 2021/12.
Applications should generally pin their Django version, to the upstream supported version.
python = python3.override {
packageOverrides = self: super: {
django = super.django_3;
};
};
2 Likes
Heads-up, systemd in nixpkgs unstable will move to v254 soon in systemd: 253.5 -> 254.3 by RaitoBezarius · Pull Request #243242 · NixOS/nixpkgs · GitHub
Please review NEWS to see if you will be affected by this bump.
From experience, it seems like the upgrade does not require reboot, but if you have mission-critical deployments, always consider rebooting into a new system rather than switching at runtime a systemd because this can fail in horrible ways.
8 Likes
I’m replacing the prometheus-unbound-exporter with the exporter maintained by Let’s Encrypt. The module requires a few benign changes, and the metrics might differ slightly.
2 Likes
I clicked the -rs link out of curiosity, and I see it’s no longer actively maintained either…