Breaking changes announcement for unstable

With its 2023.12.0 release the home-assistant package started to more widely depend on its matter integration through various other components.

Unfortunately, the matter integration is currently only available as a binary wheel, and since it is built in an Ubuntu 20.04 container it depends on the OpenSSL version available in that distro release, which is 1.1. We provide openssl_1_1 through autoPatchelfHook here.

While nixpkgs still has openssl_1_1 available, we decided a long time ago to set meta.knownVulnerabilities due to its end of life in early September 2023.

The result is that home-assistant will now transitively be flagged insecure for relying on openssl_1_1. To continue using it, a snippet like the following is most likely required:

{
  nixpkgs.config.permittedInsecurePackages = [
    "openssl-1.1.1w"
  ];
}

To my knowledge, we still cache packages depending on openssl_1_1, so there will be no further impact for the time being, but time is surely running out.

In the meantime I’m trying to communicate this problem upstream.

15 Likes

With the upgrade of the Linux default version to 6.6 we’ve seen the nixosTests.nfs3.simple regressing.

https://hydra.nixos.org/build/251337679
https://hydra.nixos.org/build/251337696

It broke somewhere between v6.3.12..v6.4.0, and our kernel maintainers are trying to bisect it further, but it is a costly process, and it is not guaranteed that it will yield results.

To unbreak the channel we therefore decided to remove nfs3 from the tested set, and replace it with the newer nfs4.

NFS4 is, depending on how you count, between 9 years (RFC7530) and 21 years (https://www.usenix.org/system/files/login/articles/mcdonald_0.pdf) old, and should by now be the primary NFS version in use.

The impact of this change should therefore hopefully be minimal.

11 Likes

With the next nixos-unstable evaluation home-assistant will no longer require allowing openssl-1.1.1w in permittedInsecurePackages. The matter integration that was previously using it was migrated to boringssl (thanks to Matt Leon), which will also benefit Home Assistant upstream, which is awesome!

Please make sure to remove the previously mentioned config snippet, so you'll become aware again when you use packages relying on openssl_1_1.

5 Likes
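An added example (not code from the original thread or from nixpkgs) of how to check whether a permittedInsecurePackages exception is still needed, before adding it and again after an announcement like the one above: it walks a closure as printed by `nix path-info --json -r <installable>`, lists which store paths directly reference a flagged package, and reconstructs one reference chain from the root to it (what `nix why-depends` prints, done by hand so the result can be fed to a CI check). The input below is a constructed sample with fake store hashes and a made-up `matter-wheel` package name; the list-of-objects JSON shape is the one older Nix releases print, and the loader also accepts the path-keyed object that newer releases emit (both shapes are assumptions about the tool's output, not verified here).

```python
import json
from collections import deque

# Constructed sample standing in for `nix path-info --json -r <installable>` output.
# Hashes and the "matter-wheel" package are placeholders, not real store paths.
SAMPLE_PATH_INFO = json.loads("""
[
  {"path": "/nix/store/aaaa-home-assistant-2023.12.0",
   "references": ["/nix/store/bbbb-python3-3.11.6",
                  "/nix/store/cccc-python3.11-matter-wheel-1.0"]},
  {"path": "/nix/store/cccc-python3.11-matter-wheel-1.0",
   "references": ["/nix/store/cccc-python3.11-matter-wheel-1.0",
                  "/nix/store/bbbb-python3-3.11.6",
                  "/nix/store/dddd-openssl-1.1.1w"]},
  {"path": "/nix/store/dddd-openssl-1.1.1w",
   "references": ["/nix/store/dddd-openssl-1.1.1w", "/nix/store/eeee-glibc-2.38"]},
  {"path": "/nix/store/bbbb-python3-3.11.6",
   "references": ["/nix/store/eeee-glibc-2.38", "/nix/store/ffff-openssl-3.0.12"]},
  {"path": "/nix/store/ffff-openssl-3.0.12",
   "references": ["/nix/store/eeee-glibc-2.38"]},
  {"path": "/nix/store/eeee-glibc-2.38",
   "references": ["/nix/store/eeee-glibc-2.38"]}
]
""")
ROOT = "/nix/store/aaaa-home-assistant-2023.12.0"


def load_closure(doc):
    """Return {path: [references]} from list-shaped or path-keyed path-info JSON (assumed shapes)."""
    if isinstance(doc, dict):
        return {p: list(info.get("references", [])) for p, info in doc.items()}
    return {e["path"]: list(e.get("references", [])) for e in doc}


def store_name(path):
    """Strip /nix/store/<hash>- and return the <name>-<version> part."""
    base = path.rsplit("/", 1)[-1]
    return base.split("-", 1)[1] if "-" in base else base


def find_paths(closure, name_prefix):
    """Store paths whose name starts with name_prefix, e.g. 'openssl-1.1' (not 'openssl-3')."""
    return sorted(p for p in closure if store_name(p).startswith(name_prefix))


def direct_consumers(closure, target):
    """Paths that reference target directly; self-references are ignored."""
    return sorted(p for p, refs in closure.items() if p != target and target in refs)


def why_depends(closure, root, target):
    """Shortest reference chain root -> ... -> target via BFS, or None if unreachable."""
    if root == target:
        return [root]
    prev = {root: None}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for ref in closure.get(cur, []):
            if ref in prev:          # already visited (also skips self-references)
                continue
            prev[ref] = cur
            if ref == target:
                chain = [ref]
                while prev[chain[-1]] is not None:
                    chain.append(prev[chain[-1]])
                return chain[::-1]
            queue.append(ref)
    return None


def insecure_report(doc, root, name_prefix="openssl-1.1"):
    """Map each flagged store path reachable from root to its consumers and one chain.

    An empty result means nothing in the closure pulls the package in, so the
    matching permittedInsecurePackages entry can be dropped again.
    """
    closure = load_closure(doc)
    report = {}
    for target in find_paths(closure, name_prefix):
        chain = why_depends(closure, root, target)
        if chain is not None:
            report[target] = {"consumers": direct_consumers(closure, target),
                              "chain": chain}
    return report


if __name__ == "__main__":
    for target, info in insecure_report(SAMPLE_PATH_INFO, ROOT).items():
        print(f"{store_name(target)} is pulled in by: "
              + ", ".join(store_name(c) for c in info["consumers"]))
        print("  chain: " + " -> ".join(store_name(p) for p in info["chain"]))
```

On a real system, replace the sample with `nix path-info --json -r /run/current-system` (or the home-assistant output path) and run the report with the name prefix from the permittedInsecurePackages entry; treat a non-empty result as a failing check so the exception only lives as long as the dependency does.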

nixosTests.networking: refactor and add NetworkManager support by Janik-Haag · Pull Request #292472 · NixOS/nixpkgs · GitHub will break networking.networkmanager.extraConfig. The fix should be quite easy: you basically just have to convert your INI string to the equivalent attrset. For example:

~  networking.networkmanager = {
-    extraConfig = ''
-      [main]
-      no-auto-default=*
-    ''
+    extraConfig.main.no-auto-default = "*";
~  };
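Review bot: the removed `extraConfig` string on the `-` lines has no terminating `;` after the closing `''`, so the "before" form as shown would not have evaluated inside the `networking.networkmanager` attrset; the `+` line does end with a semicolon and is the form to copy. Since `extraConfig` is now an attribute set, each INI section maps to a nested attribute (`extraConfig.<section>.<key> = value;`), so a string containing several sections or keys becomes several such assignments rather than one.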
4 Likes

cudaPackages.cudatoolkit has been renamed to cudaPackages.cudatoolkit-legacy-runfile: cudaPackages.cudatoolkit: rename, replace with a symlinkJoin · Issue #295655 · NixOS/nixpkgs · GitHub

A symlinkJoin wrapper is left at the old path for compatibility which includes most of the toolchain and common libraries, but not e.g. nsight-systems. Use the split packages instead: NixOS Search.

1 Like

Heads up on CDI: Add `mount-nvidia-binaries` and `mount-nvidia-docker-1-directories` options by ereslibre · Pull Request #290979 · NixOS/nixpkgs · GitHub. This PR removes two recently introduced (in unstable too) NixOS options:

  • virtualisation.containers.cdi.static.enable, and
  • virtualisation.containers.cdi.dynamic.enable

At this time, the dynamic configuration is only implemented for Nvidia (it contains a CDI generator). It has replaced the virtualisation.containers.cdi.dynamic.enable option with hardware.nvidia-container-toolkit.enable.

It has further features that are not implemented in current unstable, like the ability to add user defined mounts to containers, or the ability to choose whether the user wants to mount nvidia-docker-1 directories or the Nvidia executables inside containers.

There is still work in progress that will continue after the 24.05 cut, recorded at [Tracking issue] CDI Support · Issue #290609 · NixOS/nixpkgs · GitHub by @SergeK.

1 Like

appimageTools.wrapAppImage: remove version from `pname` by pbsds · Pull Request #271071 · NixOS/nixpkgs · GitHub implements proper pname+version support for appimageTools.wrapAppImage. If you previously relied on AppImages being linked to $out/bin/${pname}-${version} and/or had a workaround in place to link it to just pname, this change will be breaking.

An attempt was made to cover all appimageTools.wrapAppImage usages in Nixpkgs, but at over 100 packages it's likely some were missed or done improperly. If an AppImage breaks in the coming week, this may be the culprit, so please point people to the PR.

6 Likes