The default LLVM has been updated from 11 to 16 for the next staging cycle. Some packages may fail to build due to breaking changes in clang. An attempt has been made to catch those failures and preemptively patch the affected packages, but it’s not possible to do so for every single affected package. If a package does not build for you, please open an issue.
The Kea services for dhcp4, dhcp6, ctrl-agent and dhcp-ddns will each get their own RuntimeDirectory shortly, since restarting one unit would previously clean out the shared /run/kea runtime directory.
This is especially relevant for users of the Prometheus Kea Exporter, which relies on the unix socket to retrieve statistics from Kea.
If you are a NixOS module author which is using a PostgreSQL database, your module has been migrated to ensureDBOwnership which will just ensure that the user will own the database.
If you are writing a NixOS module which is using a PostgreSQL database, your module will have to use ensureDBOwnership and any extra fix up procedure will have to use either initialScript (if it’s once) or postStart / preStart measures you design yourself.
If you need sophisticated privileges scheme, you will have to write your own ensure logic code.
If you are a user and have a warning about ensurePermissions being used, check that you don’t own custom logic out of tree on it and migrate it accordingly, otherwise, you may be using such a module out of tree.
Will we get ensurePermissions again?
Short-term: No.
Long-term: Anyone is free to work on rethinking the ensure logic design and build more engineering around them to make them usable and stable without potential for data loss, you can look into RFC: `ensure`-style options in NixOS modules · Issue #206467 · NixOS/nixpkgs · GitHub to see the context, and you can contact me if you want to be helped/guided/mentored/whatever to work on that, but please, do not blindly re-introduce ensurePermissions, those options create a high amount of churn for the long term maintainers, and it’s unacceptable to make long term maintainers pay the cost of “nice to have” without proper investment.
Can you provide documentation to migrate?
We will write more documentation:
this announcement is part of it
release notes for 23.11 will include information pertaining to this
the PostgreSQL manual in nixpkgs will see a section on this and offer guidance on migration strategies
In a few weeks we will restore the runtime dependency validation of python packages, that use the pypaInstallHook, which is used for the pyproject format.
It will complain about version constraint mismatches
Checking runtime dependencies for sphinx_prompt-1.6.0-py3-none-any.whl
- sphinx==7.0.0 not satisfied by version 7.2.6
- docutils==0.19 not satisfied by version 0.20.1
- pygments==2.15.1 not satisfied by version 2.16.1
as well as missing dependencies
Checking runtime dependencies for pysml-0.1.1-py3-none-any.whl
- aiohttp not installed
Both cases will be considered a hard failure, and indicate further work is needed to get a package to run correctly.
For too tight version constraints I recommend using pythonRelaxDepsHook, which lifts constraints from the built wheel for the package names given in the pythonRelaxDeps list.
The work is currently happening in the following PR, and unfortunately we’ve justed missed the latest staging cycle, so it will be in the next one after that.
With its 2023.12.0 release the home-assistant package started to more widely depend on its matter integration in through various other components.
Unfortunately, the matter integration is currently only available as binary wheel, and since it is built in an Ubuntu 20.04 container it depends on the OpenSSL version available in that distro release, which is 1.1. We provide openssl_1_1 through autopatchElfHook here.
While nixpkgs still has openssl_1_1 available, we decided a long time ago to set meta.knownVulnerabilities due to its end of life in early September 2023.
The result is that home-assistant will now transitively be flagged insecure for relying on openssl_1_1. To continue using it, a snippet like the following is most likely required:
To my knowledge, we still cache packages depending on openssl_1_1, so there will be no further impact for the time being, but time is surely running out.
In the meantime I’m trying to communicate this problem upstream.
It broke somewhere between v6.3.12..v6.4.0 and our kernel maintainers are trying to bisect it further, but it is a costly process, and it is not guaranteed, that it will yield results.
To unbreak the channel we therefore decided to remove nfs3 from the tested set, and replace it with the newer nfs4.
With the next nixos-unstable evaluation home-assistant will not require allowing openssl-1.1.1w in permittedInsecurePackages any longer. The matter integration that was previously using it was migrated to boringssl (thanks to Matt Leon), which will also benefit Home Assistant upstream, which is awesome!
Please make sure to remove the previously mentioned config snippet, so you’ll become aware again, when you use packages relying on openssl_1_1.
A symlinkJoin wrapper is left at the old path for compatibility which includes most of the toolchain and common libraries, but not e.g. nsight-systems. Use the split packages instead: NixOS Search.
At this time, the dynamic configuration is only implemented for Nvidia (it contains a CDI generator.) It has replaced the virtualisation.containers.cdi.dynamic.enable option with hardware.nvidia-container-toolkit.enable.
It has further features that are not implemented in current unstable, like the ability to add user defined mounts to containers, or the ability to choose whether the user wants to mount nvidia-docker-1 directories or the Nvidia executables inside containers.
An attempt was made to cover all appimageTools.wrapAppImage usages in Nixpkgs but at over 100 packages, it’s likely some were missed or done improperly. If an AppImage breaks the coming week, this may be the culprit, so please point people to the PR.
We decided to revert the change to dbus-broker by default due to reported issues.
However due to switch-to-configuration not handling aliases and the rule that “Dbus may not be restarted or stopped under any circumstances” it might happen that when you switch to configuration that dbus-broker.service gets stopped. Which breaks many things. Unfortunately this also breaks the reboot command and this means you might need a hard-reset to get your machine working again. The safest option is to do a nixos-rebuild boot and boot into the new configuration.
We’ve been trying to make it safer to switch between dbus implementations by delaying the restart til next boot. However this won’t help you not hit this bug that the revert caused
I’m still trying to come up with a fix that doesn’t cause nixos-rebuild switch to break but I am not sure how we can fix this properly.
If people have ideas I’m happy to hear them.
I hope at least with this post I’m saving people from some nasty surprises
Edit:
You can do sudo reboot -ff to bypas logind and dbus
Starting with the next nixos-unstable evaluation, chromium will no longer be able to automatically download and load its proprietary Widevine DRM component when it encounters DRM protected content.
Those that want to continue playing DRM protected content in chromium need to explicitly opt into our Widevine (-wv) wrapper using
enableWideVine has been part of our chromium drv for almost 10 years.
Meaning there is a high chance those that need Widevine may already have that override in their config.
The latest python-updates cycle migrated the primary Python version to 3.12. This release has been particularly breaking with the removal of commonly used modules of the past like distutils or imp.
If your package is affected by this, make sure to bug your upstream about it, maybe they already noticed and you can fetch a patch.
In the meantime you can resolve breakages by pinning packages ot python311 for the 24.11 release cycle.
First and foremost, try not to mention outputs at all, but rely on mkDerivation selecting the dev outputs, and the dev outputs propagating everything else.
For instance, do not start with a symlinkJoin, but try enumerating cuda dependencies in buildInputs (except cuda_nvcc, which goes in nativeBuildInputs). By not using symlinkJoin you’ll let Nix discard references to most of the inputs after the build. The output closure will be much smaller than the input closure.
Do not write things like bulidInputs = [ cuda_cudart.dev cuda_cudart.lib cuda_cudart.static ]. Simply write buildInputs = [ cuda_cudart ]; the other outputs are propagated automatically.
Do not expect that any particular output names are present in cudaPackages, instead rely on getDev (e.g. -I${lib.getDev cuda_cudart}/include will keep working), getLib (e.g. -L${getLib libcublas}/lib), getOutput "static", getOutput "stubs", getBin and getExe (e.g. ${getBin cuda_nvcc}/bin/nvcc, getExe cuda_nvcc, getExe' cuda_nvcc "nvcc").