Release 2.0 (2018-02-22)
The following incompatible changes have been made:
-
The manifest-based substituter mechanism (
download-using-manifests) has been removed. It has been superseded by the binary cache substituter mechanism since several years. As a result, the following programs have been removed:-
nix-pull -
nix-generate-patches -
bsdiff -
bspatch
-
-
The “copy from other stores” substituter mechanism (
copy-from-other-storesand theNIX_OTHER_STORESenvironment variable) has been removed. It was primarily used by the NixOS installer to copy available paths from the installation medium. The replacement is to use a chroot store as a substituter (e.g.--substituters /mnt), or to build into a chroot store (e.g.--store /mnt --substituters /). -
The command
nix-pushhas been removed as part of the effort to eliminate Nix's dependency on Perl. You can usenix copyinstead, e.g.nix copy --to file:///tmp/my-binary-cache paths… -
The “nested” log output feature (
--log-type pretty) has been removed. As a result,nix-log2xmlwas also removed. -
OpenSSL-based signing has been removed. This feature was never well-supported. A better alternative is provided by the
secret-key-filesandtrusted-public-keysoptions. -
Failed build caching has been removed. This feature was introduced to support the Hydra continuous build system, but Hydra no longer uses it.
-
nix-mode.elhas been removed from Nix. It is now a separate repository and can be installed through the MELPA package repository.
This release has the following new features:
-
It introduces a new command named
nix, which is intended to eventually replace allnix-*commands with a more consistent and better designed user interface. It currently provides replacements for some (but not all) of the functionality provided bynix-store,nix-build,nix-shell -p,nix-env -qa,nix-instantiate --eval,nix-pushandnix-copy-closure. It has the following major features:-
Unlike the legacy commands, it has a consistent way to refer to packages and package-like arguments (like store paths). For example, the following commands all copy the GNU Hello package to a remote machine:
nix copy --to ssh://machine nixpkgs.hello nix copy --to ssh://machine /nix/store/0i2jd68mp5g6h2sa5k9c85rb80sn8hi9-hello-2.10 nix copy --to ssh://machine '(with import <nixpkgs> {}; hello)'By contrast,
nix-copy-closureonly accepted store paths as arguments. -
It is self-documenting:
--helpshows all available command-line arguments. If--helpis given after a subcommand, it shows examples for that subcommand.nix --help-configshows all configuration options. -
It is much less verbose. By default, it displays a single-line progress indicator that shows how many packages are left to be built or downloaded, and (if there are running builds) the most recent line of builder output. If a build fails, it shows the last few lines of builder output. The full build log can be retrieved using
nix log. -
It provides all
nix.confconfiguration options as command line flags. For example, instead of--option http-connections 100you can write--http-connections 100. Boolean options can be written as--fooor--no-foo(e.g.--no-auto-optimise-store). -
Many subcommands have a
--jsonflag to write results to stdout in JSON format.
Warning
Please note that the
nixcommand is a work in progress and the interface is subject to change.It provides the following high-level (“porcelain”) subcommands:
-
nix buildis a replacement fornix-build. -
nix runexecutes a command in an environment in which the specified packages are available. It is (roughly) a replacement fornix-shell -p. Unlike that command, it does not execute the command in a shell, and has a flag (-c) that specifies the unquoted command line to be executed.It is particularly useful in conjunction with chroot stores, allowing Linux users who do not have permission to install Nix in
/nix/storeto still use binary substitutes that assume/nix/store. For example,nix run --store ~/my-nix nixpkgs.hello -c hello --greeting 'Hi everybody!'downloads (or if not substitutes are available, builds) the GNU Hello package into
~/my-nix/nix/store, then runshelloin a mount namespace where~/my-nix/nix/storeis mounted onto/nix/store. -
nix searchreplacesnix-env -qa. It searches the available packages for occurrences of a search string in the attribute name, package name or description. Unlikenix-env -qa, it has a cache to speed up subsequent searches. -
nix copycopies paths between arbitrary Nix stores, generalisingnix-copy-closureandnix-push. -
nix replreplaces the external programnix-repl. It provides an interactive environment for evaluating and building Nix expressions. Note that it useslinenoise-nginstead of GNU Readline. -
nix upgrade-nixupgrades Nix to the latest stable version. This requires that Nix is installed in a profile. (Thus it won’t work on NixOS, or if it’s installed outside of the Nix store.) -
nix verifychecks whether store paths are unmodified and/or “trusted” (see below). It replacesnix-store --verifyandnix-store --verify-path. -
nix logshows the build log of a package or path. If the build log is not available locally, it will try to obtain it from the configured substituters (such as cache.nixos.org, which now provides build logs). -
nix editopens the source code of a package in your editor. -
nix evalreplacesnix-instantiate --eval. -
nix why-dependsshows why one store path has another in its closure. This is primarily useful to finding the causes of closure bloat. For example,nix why-depends nixpkgs.vlc nixpkgs.libdrm.devshows a chain of files and fragments of file contents that cause the VLC package to have the “dev” output of
libdrmin its closure — an undesirable situation. -
nix path-infoshows information about store paths, replacingnix-store -q. A useful feature is the option--closure-size(-S). For example, the following command show the closure sizes of every path in the current NixOS system closure, sorted by size:nix path-info -rS /run/current-system | sort -nk2 -
nix optimise-storereplacesnix-store --optimise. The main difference is that it has a progress indicator.
A number of low-level (“plumbing”) commands are also available:
-
nix ls-storeandnix ls-narlist the contents of a store path or NAR file. The former is primarily useful in conjunction with remote stores, e.g.nix ls-store --store https://cache.nixos.org/ -lR /nix/store/0i2jd68mp5g6h2sa5k9c85rb80sn8hi9-hello-2.10lists the contents of path in a binary cache.
-
nix cat-storeandnix cat-narallow extracting a file from a store path or NAR file. -
nix dump-pathwrites the contents of a store path to stdout in NAR format. This replacesnix-store --dump. -
nix show-derivationdisplays a store derivation in JSON format. This is an alternative topp-aterm. -
nix add-to-storereplacesnix-store --add. -
nix sign-pathssigns store paths. -
nix copy-sigscopies signatures from one store to another. -
nix show-configshows all configuration options and their current values.
-
-
The store abstraction that Nix has had for a long time to support store access via the Nix daemon has been extended significantly. In particular, substituters (which used to be external programs such as
download-from-binary-cache) are now subclasses of the abstractStoreclass. This allows many Nix commands to operate on such store types. For example,nix path-infoshows information about paths in your local Nix store, whilenix path-info --store https://cache.nixos.org/shows information about paths in the specified binary cache. Similarly,nix-copy-closure,nix-pushand substitution are all instances of the general notion of copying paths between different kinds of Nix stores.Stores are specified using an URI-like syntax, e.g. https://cache.nixos.org/ or ssh://machine. The following store types are supported:
-
LocalStore(stori URIlocalor an absolute path) and the misnamedRemoteStore(daemon) provide access to a local Nix store, the latter via the Nix daemon. You can useautoor the empty string to auto-select a local or daemon store depending on whether you have write permission to the Nix store. It is no longer necessary to set theNIX_REMOTEenvironment variable to use the Nix daemon.As noted above,
LocalStorenow supports chroot builds, allowing the “physical” location of the Nix store (e.g./home/alice/nix/store) to differ from its “logical” location (typically/nix/store). This allows non-root users to use Nix while still getting the benefits from prebuilt binaries from cache.nixos.org. -
BinaryCacheStoreis the abstract superclass of all binary cache stores. It supports writing build logs and NAR content listings in JSON format. -
HttpBinaryCacheStore(http://,https://) supports binary caches via HTTP or HTTPS. If the server supportsPUTrequests, it supports uploading store paths via commands such asnix copy. -
LocalBinaryCacheStore(file://) supports binary caches in the local filesystem. -
S3BinaryCacheStore(s3://) supports binary caches stored in Amazon S3, if enabled at compile time. -
LegacySSHStore(ssh://) is used to implement remote builds andnix-copy-closure. -
SSHStore(ssh-ng://) supports arbitrary Nix operations on a remote machine via the same protocol used bynix-daemon.
-
-
Security has been improved in various ways:
-
Nix now stores signatures for local store paths. When paths are copied between stores (e.g., copied from a binary cache to a local store), signatures are propagated.
Locally-built paths are signed automatically using the secret keys specified by the
secret-key-filesstore option. Secret/public key pairs can be generated usingnix-store --generate-binary-cache-key.In addition, locally-built store paths are marked as “ultimately trusted”, but this bit is not propagated when paths are copied between stores.
-
Content-addressable store paths no longer require signatures — they can be imported into a store by unprivileged users even if they lack signatures.
-
The command
nix verifychecks whether the specified paths are trusted, i.e., have a certain number of trusted signatures, are ultimately trusted, or are content-addressed. -
Substitutions from binary caches now require signatures by default. This was already the case on NixOS.
-
In Linux sandbox builds, we now use
/buildinstead of/tmpas the temporary build directory. This fixes potential security problems when a build accidentally stores itsTMPDIRin some security-sensitive place, such as an RPATH.
-
-
Pure evaluation mode. With the
--pure-evalflag, Nix enables a variant of the existing restricted evaluation mode that forbids access to anything that could cause different evaluations of the same command line arguments to produce a different result. This includes builtin functions such asbuiltins.getEnv, but more importantly, all filesystem or network access unless a content hash or commit hash is specified. For example, calls tobuiltins.fetchGitare only allowed if arevattribute is specified.The goal of this feature is to enable true reproducibility and traceability of builds (including NixOS system configurations) at the evaluation level. For example, in the future,
nixos-rebuildmight build configurations from a Nix expression in a Git repository in pure mode. That expression might fetch other repositories such as Nixpkgs viabuiltins.fetchGit. The commit hash of the top-level repository then uniquely identifies a running system, and, in conjunction with that repository, allows it to be reproduced or modified. -
There are several new features to support binary reproducibility (i.e. to help ensure that multiple builds of the same derivation produce exactly the same output). When
enforce-determinismis set tofalse, it’s no longer a fatal error if build rounds produce different output. Also, a hook nameddiff-hookis provided to allow you to run tools such asdiffoscopewhen build rounds produce different output. -
Configuring remote builds is a lot easier now. Provided you are not using the Nix daemon, you can now just specify a remote build machine on the command line, e.g.
--option builders 'ssh://my-mac x86_64-darwin'. The environment variableNIX_BUILD_HOOKhas been removed and is no longer needed. The environment variableNIX_REMOTE_SYSTEMSis still supported for compatibility, but it is also possible to specify builders innix.confby setting the optionbuilders = @path. -
If a fixed-output derivation produces a result with an incorrect hash, the output path is moved to the location corresponding to the actual hash and registered as valid. Thus, a subsequent build of the fixed-output derivation with the correct hash is unnecessary.
-
nix-shellnow sets theIN_NIX_SHELLenvironment variable during evaluation and in the shell itself. This can be used to perform different actions depending on whether you’re in a Nix shell or in a regular build. Nixpkgs provideslib.inNixShellto check this variable during evaluation. -
NIX_PATHis now lazy, so URIs in the path are only downloaded if they are needed for evaluation. -
You can now use
channel:as a short-hand for https://nixos.org/channels//nixexprs.tar.xz. For example,nix-build channel:nixos-15.09 -A hellowill build the GNU Hello package from thenixos-15.09channel. In the future, this may use Git to fetch updates more efficiently. -
When
--no-build-outputis given, the last 10 lines of the build log will be shown if a build fails. -
Networking has been improved:
-
HTTP/2 is now supported. This makes binary cache lookups much more efficient.
-
We now retry downloads on many HTTP errors, making binary caches substituters more resilient to temporary failures.
-
HTTP credentials can now be configured via the standard
netrcmechanism. -
If S3 support is enabled at compile time, s3:// URIs are supported in all places where Nix allows URIs.
-
Brotli compression is now supported. In particular, cache.nixos.org build logs are now compressed using Brotli.
-
-
nix-envnow ignores packages with bad derivation names (in particular those starting with a digit or containing a dot). -
Many configuration options have been renamed, either because they were unnecessarily verbose (e.g.
build-use-sandboxis now justsandbox) or to reflect generalised behaviour (e.g.binary-cachesis nowsubstitutersbecause it allows arbitrary store URIs). The old names are still supported for compatibility. -
The
max-jobsoption can now be set toautoto use the number of CPUs in the system. -
Hashes can now be specified in base-64 format, in addition to base-16 and the non-standard base-32.
-
nix-shellnow usesbashInteractivefrom Nixpkgs, rather than thebashcommand that happens to be in the caller’sPATH. This is especially important on macOS where thebashprovided by the system is seriously outdated and cannot executestdenv’s setup script. -
Nix can now automatically trigger a garbage collection if free disk space drops below a certain level during a build. This is configured using the
min-freeandmax-freeoptions. -
nix-store -q --rootsandnix-store --gc --print-rootsnow show temporary and in-memory roots. -
Nix can now be extended with plugins. See the documentation of the
plugin-filesoption for more details.
The Nix language has the following new features:
-
It supports floating point numbers. They are based on the C++
floattype and are supported by the existing numerical operators. Export and import to and from JSON and XML works, too. -
Derivation attributes can now reference the outputs of the derivation using the
placeholderbuiltin function. For example, the attributeconfigureFlags = "--prefix=${placeholder "out"} --includedir=${placeholder "dev"}";will cause the
configureFlagsenvironment variable to contain the actual store paths corresponding to theoutanddevoutputs.
The following builtin functions are new or extended:
-
builtins.fetchGitallows Git repositories to be fetched at evaluation time. Thus it differs from thefetchgitfunction in Nixpkgs, which fetches at build time and cannot be used to fetch Nix expressions during evaluation. A typical use case is to import external NixOS modules from your configuration, e.g.imports = [ (builtins.fetchGit https://github.com/edolstra/dwarffs + "/module.nix") ]; -
Similarly,
builtins.fetchMercurialallows you to fetch Mercurial repositories. -
builtins.pathgeneralisesbuiltins.filterSourceand path literals (e.g../foo). It allows specifying a store path name that differs from the source path name (e.g.builtins.path { path = ./foo; name = "bar"; }) and also supports filtering out unwanted files. -
builtins.fetchurlandbuiltins.fetchTarballnow supportsha256andnameattributes. -
builtins.splitsplits a string using a POSIX extended regular expression as the separator. -
builtins.partitionpartitions the elements of a list into two lists, depending on a Boolean predicate. -
<nix/fetchurl.nix>now uses the content-addressable tarball cache at http://tarballs.nixos.org/, just likefetchurlin Nixpkgs. (f2682e6e18a76ecbfb8a12c17e3a0ca15c084197) -
In restricted and pure evaluation mode, builtin functions that download from the network (such as
fetchGit) are permitted to fetch underneath a list of URI prefixes specified in the optionallowed-uris.
The Nix build environment has the following changes:
-
Values such as Booleans, integers, (nested) lists and attribute sets can now be passed to builders in a non-lossy way. If the special attribute
__structuredAttrsis set totrue, the other derivation attributes are serialised in JSON format and made available to the builder via the file.attrs.jsonin the builder’s temporary directory. This obviates the need forpassAsFilesince JSON files have no size restrictions, unlike process environments.As a convenience to Bash builders, Nix writes a script named
.attrs.shto the builder’s directory that initialises shell variables corresponding to all attributes that are representable in Bash. This includes non-nested (associative) arrays. For example, the attributehardening.format = trueends up as the Bash associative array element${hardening[format]}. -
Builders can now communicate what build phase they are in by writing messages to the file descriptor specified in
NIX_LOG_FD. The current phase is shown by thenixprogress indicator. -
In Linux sandbox builds, we now provide a default
/bin/sh(namelyashfrom BusyBox). -
In structured attribute mode,
exportReferencesGraphexports extended information about closures in JSON format. In particular, it includes the sizes and hashes of paths. This is primarily useful for NixOS image builders. -
Builds are now killed as soon as Nix receives EOF on the builder’s stdout or stderr. This fixes a bug that allowed builds to hang Nix indefinitely, regardless of timeouts.
-
The
sandbox-pathsconfiguration option can now specify optional paths by appending a?, e.g./dev/nvidiactl?will bind-mount/dev/nvidiactlonly if it exists. -
On Linux, builds are now executed in a user namespace with UID 1000 and GID 100.
A number of significant internal changes were made:
-
Nix no longer depends on Perl and all Perl components have been rewritten in C++ or removed. The Perl bindings that used to be part of Nix have been moved to a separate package,
nix-perl. -
All
Storeclasses are now thread-safe.RemoteStoresupports multiple concurrent connections to the daemon. This is primarily useful in multi-threaded programs such ashydra-queue-runner.
This release has contributions from Adrien Devresse, Alexander Ried, Alex Cruice, Alexey Shmalko, AmineChikhaoui, Andy Wingo, Aneesh Agrawal, Anthony Cowley, Armijn Hemel, aszlig, Ben Gamari, Benjamin Hipple, Benjamin Staffin, Benno Fünfstück, Bjørn Forsman, Brian McKenna, Charles Strahan, Chase Adams, Chris Martin, Christian Theune, Chris Warburton, Daiderd Jordan, Dan Connolly, Daniel Peebles, Dan Peebles, davidak, David McFarland, Dmitry Kalinkin, Domen Kožar, Eelco Dolstra, Emery Hemingway, Eric Litak, Eric Wolf, Fabian Schmitthenner, Frederik Rietdijk, Gabriel Gonzalez, Giorgio Gallo, Graham Christensen, Guillaume Maudoux, Harmen, Iavael, James Broadhead, James Earl Douglas, Janus Troelsen, Jeremy Shaw, Joachim Schiele, Joe Hermaszewski, Joel Moberg, Johannes 'fish' Ziemke, Jörg Thalheim, Jude Taylor, kballou, Keshav Kini, Kjetil Orbekk, Langston Barrett, Linus Heckemann, Ludovic Courtès, Manav Rathi, Marc Scholten, Markus Hauck, Matt Audesse, Matthew Bauer, Matthias Beyer, Matthieu Coudron, N1X, Nathan Zadoks, Neil Mayhew, Nicolas B. Pierron, Niklas Hambüchen, Nikolay Amiantov, Ole Jørgen Brønner, Orivej Desh, Peter Simons, Peter Stuart, Pyry Jahkola, regnat, Renzo Carbonara, Rhys, Robert Vollmert, Scott Olson, Scott R. Parish, Sergei Trofimovich, Shea Levy, Sheena Artrip, Spencer Baugh, Stefan Junker, Susan Potter, Thomas Tuegel, Timothy Allen, Tristan Hume, Tuomas Tynkkynen, tv, Tyson Whitehead, Vladimír Čunát, Will Dietz, wmertens, Wout Mertens, zimbatm and Zoran Plesivčak.