2016-09-02 06:40:48 +00:00
<section xmlns= "http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-17.03">
<title > Release 17.03 (“XXX”, 2017/03/??)</title>
<para > In addition to numerous new and upgraded packages, this release
has the following highlights: </para>
<itemizedlist >
<listitem >
2017-01-14 14:15:55 +00:00
<para > Nixpkgs is now extensible through overlays. See the <link
xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">Nixpkgs
manual</link> for more information.</para>
2016-09-02 06:40:48 +00:00
</listitem>
2017-01-29 04:48:03 +00:00
<listitem >
2017-02-14 13:38:45 +00:00
<para > The setuid wrapper functionality now supports setting
capabilities.</para>
2017-01-29 04:48:03 +00:00
</listitem>
2017-02-13 23:16:28 +00:00
2017-02-12 12:12:10 +00:00
<listitem >
<para > X.org server uses branch 1.19. Due to ABI incompatibilities,
<literal > ati_unfree</literal> keeps forcing 1.17
and <literal > amdgpu-pro</literal> starts forcing 1.18.</para>
</listitem>
2017-02-13 21:43:40 +00:00
<listitem >
<para > PHP now defaults to PHP 7.1</para>
</listitem>
nixpkgs: allow packages to be marked insecure
If a package's meta has `knownVulnerabilities`, like so:
stdenv.mkDerivation {
name = "foobar-1.2.3";
...
meta.knownVulnerabilities = [
"CVE-0000-00000: remote code execution"
"CVE-0000-00001: local privilege escalation"
];
}
and a user attempts to install the package, they will be greeted with
a warning indicating that maybe they don't want to install it:
error: Package ‘foobar-1.2.3’ in ‘...default.nix:20’ is marked as insecure, refusing to evaluate.
Known issues:
- CVE-0000-00000: remote code execution
- CVE-0000-00001: local privilege escalation
You can install it anyway by whitelisting this package, using the
following methods:
a) for `nixos-rebuild` you can add ‘foobar-1.2.3’ to
`nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
like so:
{
nixpkgs.config.permittedInsecurePackages = [
"foobar-1.2.3"
];
}
b) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
‘foobar-1.2.3’ to `permittedInsecurePackages` in
~/.config/nixpkgs/config.nix, like so:
{
permittedInsecurePackages = [
"foobar-1.2.3"
];
}
Adding either of these configurations will permit this specific
version to be installed. A third option also exists:
NIXPKGS_ALLOW_INSECURE=1 nix-build ...
though I specifically avoided having a global file-based toggle to
disable this check. This way, users don't disable it once in order to
get a single package, and then don't realize future packages are
insecure.
2017-02-17 02:02:13 +00:00
<listitem >
<para > Packages in nixpkgs can be marked as insecure through listed
vulnerabilities. See the <link
xlink:href="https://nixos.org/nixpkgs/manual/#sec-allow-insecure">Nixpkgs
manual</link> for more information.</para>
</listitem>
2016-09-02 06:40:48 +00:00
</itemizedlist>
<para > The following new services were added since the last release:</para>
<itemizedlist >
<listitem >
<para > </para>
</listitem>
</itemizedlist>
<para > When upgrading from a previous release, please be aware of the
following incompatible changes:</para>
<itemizedlist >
2017-01-22 19:36:16 +00:00
<listitem >
<para >
Cross compilation has been rewritten. See the nixpkgs manual for
details. The most obvious breaking change is that derivations absent a
<literal > .nativeDrv</literal> or <literal > .crossDrv</literal> are now
cross by default, not native.
</para>
</listitem>
2016-12-19 16:10:47 +00:00
<listitem >
<para >
<literal > stdenv.overrides</literal> is now expected to take <literal > self</literal>
and <literal > super</literal> arguments. See <literal > lib.trivial.extends</literal>
for what those parameters represent.
</para>
</listitem>
2017-02-04 11:48:11 +00:00
2017-01-27 08:58:43 +00:00
<listitem >
<para >
<literal > ansible</literal> now defaults to ansible version 2 as version 1
has been removed due to a serious <link
xlink:href="https://www.computest.nl/advisories/CT-2017-0109_Ansible.txt">
vulnerability</link> unpatched by upstream.
</para>
</listitem>
2017-02-04 11:48:11 +00:00
2016-09-02 06:40:48 +00:00
<listitem >
2016-09-11 23:08:53 +00:00
<para >
<literal > gnome</literal> alias has been removed along with
<literal > gtk</literal> , <literal > gtkmm</literal> and several others.
Now you need to use versioned attributes, like <literal > gnome3</literal> .
</para>
2016-09-02 06:40:48 +00:00
</listitem>
2016-09-24 17:26:15 +00:00
<listitem >
<para >
The attribute name of the Radicale daemon has been changed from
<literal > pythonPackages.radicale</literal> to
<literal > radicale</literal> .
</para>
</listitem>
2016-10-08 14:49:58 +00:00
2016-10-11 16:09:56 +00:00
<listitem >
<para >
The <literal > stripHash</literal> bash function in <literal > stdenv</literal>
changed according to its documentation; it now outputs the stripped name to
<literal > stdout</literal> instead of putting it in the variable
<literal > strippedName</literal> .
2016-10-08 14:49:58 +00:00
</para>
</listitem>
2016-10-16 15:07:27 +00:00
<listitem >
<para > PHP now scans for extra configuration .ini files in /etc/php.d
instead of /etc. This prevents accidentally loading non-PHP .ini files
that may be in /etc.
</para>
</listitem>
2016-11-20 14:41:38 +00:00
2017-02-09 21:22:46 +00:00
<listitem >
<para >
Two lone top-level dict dbs moved into <literal > dictdDBs</literal> . This
affects: <literal > dictdWordnet</literal> which is now at
<literal > dictdDBs.wordnet</literal> and <literal > dictdWiktionary</literal>
which is now at <literal > dictdDBs.wiktionary</literal>
</para>
</listitem>
2016-11-20 14:41:38 +00:00
<listitem >
<para >
Parsoid service now uses YAML configuration format.
<literal > service.parsoid.interwikis</literal> is now called
<literal > service.parsoid.wikis</literal> and is a list of either API URLs
or attribute sets as specified in parsoid's documentation.
</para>
</listitem>
2016-12-18 10:57:35 +00:00
<listitem >
<para >
<literal > Ntpd</literal> was replaced by
2016-12-18 12:31:12 +00:00
<literal > systemd-timesyncd</literal> as the default service to synchronize
system time with a remote NTP server. The old behavior can be restored by
2016-12-18 10:57:35 +00:00
setting <literal > services.ntp.enable</literal> to <literal > true</literal> .
Upstream time servers for all NTP implementations are now configured using
2016-12-18 12:31:12 +00:00
<literal > networking.timeServers</literal> .
2016-12-18 10:57:35 +00:00
</para>
</listitem>
2016-12-17 18:05:21 +00:00
<listitem >
2017-02-09 20:16:20 +00:00
<para >
<literal > service.nylon</literal> is now declared using named instances.
As an example:
2017-01-14 14:15:55 +00:00
2017-02-09 20:16:20 +00:00
<programlisting >
services.nylon = {
enable = true;
acceptInterface = "br0";
bindInterface = "tun1";
port = 5912;
};
</programlisting>
should be replaced with:
<programlisting >
services.nylon.myvpn = {
enable = true;
acceptInterface = "br0";
bindInterface = "tun1";
port = 5912;
};
</programlisting>
this enables you to declare a SOCKS proxy for each uplink.
</para>
</listitem>
2016-12-17 18:05:21 +00:00
<listitem >
2017-01-14 14:15:55 +00:00
<para > <literal > overridePackages</literal> function no longer exists.
It is replaced by <link
xlink:href="https://nixos.org/nixpkgs/manual/#sec-overlays-install">
overlays</link> . For example, the following code:
<programlisting >
let
2017-01-15 23:16:37 +00:00
pkgs = import < nixpkgs> {};
2017-01-14 14:15:55 +00:00
in
pkgs.overridePackages (self: super: ...)
</programlisting>
2017-01-15 15:07:29 +00:00
should be replaced by:
2017-01-14 14:15:55 +00:00
<programlisting >
let
2017-01-17 21:24:44 +00:00
pkgs = import < nixpkgs> {};
2017-01-14 14:15:55 +00:00
in
import pkgs.path { overlays = [(self: super: ...)] }
</programlisting>
</para>
2016-12-17 18:05:21 +00:00
</listitem>
2017-01-22 18:53:19 +00:00
<listitem >
<para >
Autoloading connection tracking helpers is now disabled by default.
This default was also changed in the Linux kernel and is considered
insecure if not configured properly in your firewall. If you need
connection tracking helpers (i.e. for active FTP) please enable
<literal > networking.firewall.autoLoadConntrackHelpers</literal> and
tune <literal > networking.firewall.connectionTrackingModules</literal>
to suit your needs.
</para>
</listitem>
2017-02-04 11:48:11 +00:00
<listitem >
<para >
<literal > local_recipient_maps</literal> is not set to empty value by
Postfix service. It's an insecure default as stated by Postfix
documentation. Those who want to retain this setting need to set it via
<literal > services.postfix.extraConfig</literal> .
</para>
</listitem>
2017-02-21 22:18:30 +00:00
<listitem >
<para >
Iputils no longer provide ping6 and traceroute6. The functionality of
these tools have been integrated into ping and traceroute respectively. To
enforce an address family the new flags <literal > -4</literal> and
2017-02-22 07:45:30 +00:00
<literal > -6</literal> have been added. One notable incompatibility is that
specifying an interface (for link-local IPv6 for instance) is no longer done
2017-02-21 22:18:30 +00:00
with the <literal > -I</literal> flag, but by encoding the interface into the
address (<literal > ping fe80::1%eth0</literal> ).
</para>
</listitem>
2017-01-28 01:46:16 +00:00
<listitem >
<para >
The socket handling of the <literal > services.rmilter</literal> module
has been fixed and refactored. As rmilter doesn't support binding to
more than one socket, the options <literal > bindUnixSockets</literal>
and <literal > bindInetSockets</literal> have been replaced by
<literal > services.rmilter.bindSocket.*</literal> . The default is still
a unix socket in <literal > /run/rmilter/rmilter.sock</literal> . Refer to
the options documentation for more information.
</para>
</listitem>
2017-03-20 21:26:02 +00:00
<listitem >
<para >
The <literal > fetch*</literal> functions no longer support md5,
please use sha256 instead.
</para>
</listitem>
2016-09-02 06:40:48 +00:00
</itemizedlist>
2017-03-20 22:27:16 +00:00
<para > Other notable changes:</para>
2016-09-02 06:40:48 +00:00
<itemizedlist >
2017-02-08 18:36:22 +00:00
2016-09-02 06:40:48 +00:00
<listitem >
2016-09-07 01:03:32 +00:00
<para > Module type system have a new extensible option types feature that
allow to extend certain types, such as enum, through multiple option
declarations of the same option across multiple modules.
</para>
2016-09-02 06:40:48 +00:00
</listitem>
2017-02-08 18:36:22 +00:00
<listitem >
<para >
<literal > jre</literal> now defaults to GTK+ UI by default. This
improves visual consistency and makes Java follow system font style,
improving the situation on HighDPI displays. This has a cost of increased
closure size; for server and other headless workloads it's recommended to
use <literal > jre_headless</literal> .
</para>
</listitem>
2017-02-14 08:55:06 +00:00
<listitem >
<para > Python 2.6 interpreter and package set have been removed.</para>
</listitem>
<listitem >
<para > The Python 2.7 interpreter does not use modules anymore. Instead, all CPython interpreters now include the whole standard library except for `tkinter`, which is available in the Python package set.</para>
</listitem>
2017-03-01 10:34:44 +00:00
<listitem >
<para >
2017-02-22 14:56:16 +00:00
Python 2.7, 3.5 and 3.6 are now built deterministically and 3.4 mostly.
Minor modifications had to be made to the interpreters in order to generate
deterministic bytecode. This has security implications and is relevant for
those using Python in a <literal > nix-shell</literal> . See the Nixpkgs manual
for details.
</para>
</listitem>
2017-02-14 08:55:06 +00:00
<listitem >
<para > The Python package sets now use a fixed-point combinator and the sets are available as attributes of the interpreters.</para>
</listitem>
<listitem >
<para > The Python function `buildPythonPackage` has been improved and can be used to build from Setuptools source, Flit source, and precompiled Wheels.</para>
</listitem>
2017-03-20 22:27:16 +00:00
<listitem >
<para >
2017-02-14 08:55:06 +00:00
When adding new or updating current Python libraries, the expressions should be put
2017-03-20 22:27:16 +00:00
in separate files in <literal > pkgs/development/python-modules</literal> and
called from <literal > python-packages.nix</literal> .
</para>
</listitem>
2016-09-02 06:40:48 +00:00
</itemizedlist>
</section>