b0ccd6dd16
This reverts commit ea6e8775bd69e4676c623a85c39f1da540d29ad1. The new format is not an improvement.
278 lines
9.6 KiB
XML
278 lines
9.6 KiB
XML
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-16.09">
|
|
<title>Release 16.09 (“Flounder”, 2016/09/30)</title>
|
|
|
|
<para>
|
|
In addition to numerous new and upgraded packages, this release has the
|
|
following highlights:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Many NixOS configurations and Nix packages now use significantly less disk
|
|
space, thanks to the
|
|
<link
|
|
xlink:href="https://github.com/NixOS/nixpkgs/issues/7117">extensive
|
|
work on closure size reduction</link>. For example, the closure size of a
|
|
minimal NixOS container went down from ~424 MiB in 16.03 to ~212 MiB in
|
|
16.09, while the closure size of Firefox went from ~651 MiB to ~259 MiB.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
To improve security, packages are now
|
|
<link
|
|
xlink:href="https://github.com/NixOS/nixpkgs/pull/12895">built
|
|
using various hardening features</link>. See the Nixpkgs manual for more
|
|
information.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Support for PXE netboot. See <xref
|
|
linkend="sec-booting-from-pxe" />
|
|
for documentation.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
X.org server 1.18. If you use the <literal>ati_unfree</literal> driver,
|
|
1.17 is still used due to an ABI incompatibility.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
This release is based on Glibc 2.24, GCC 5.4.0 and systemd 231. The default
|
|
Linux kernel remains 4.4.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>
|
|
The following new services were added since the last release:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<literal>(this will get automatically generated at release time)</literal>
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>
|
|
When upgrading from a previous release, please be aware of the following
|
|
incompatible changes:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
A large number of packages have been converted to use the multiple outputs
|
|
feature of Nix to greatly reduce the amount of required disk space, as
|
|
mentioned above. This may require changes to any custom packages to make
|
|
them build again; see the relevant chapter in the Nixpkgs manual for more
|
|
information. (Additional caveat to packagers: some packaging conventions
|
|
related to multiple-output packages
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were
|
|
changed</link> late (August 2016) in the release cycle and differ from the
|
|
initial introduction of multiple outputs.)
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Previous versions of Nixpkgs had support for all versions of the LTS
|
|
Haskell package set. That support has been dropped. The previously provided
|
|
<literal>haskell.packages.lts-x_y</literal> package sets still exist in
|
|
name to aviod breaking user code, but these package sets don't actually
|
|
contain the versions mandated by the corresponding LTS release. Instead,
|
|
our package set it loosely based on the latest available LTS release, i.e.
|
|
LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will
|
|
drop those old names entirely.
|
|
<link
|
|
xlink:href="https://nixos.org/nix-dev/2016-June/020585.html">The
|
|
motivation for this change</link> has been discussed at length on the
|
|
<literal>nix-dev</literal> mailing list and in
|
|
<link
|
|
xlink:href="https://github.com/NixOS/nixpkgs/issues/14897">Github
|
|
issue #14897</link>. Development strategies for Haskell hackers who want to
|
|
rely on Nix and NixOS have been described in
|
|
<link
|
|
xlink:href="https://nixos.org/nix-dev/2016-June/020642.html">another
|
|
nix-dev article</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Shell aliases for systemd sub-commands
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were
|
|
dropped</link>: <command>start</command>, <command>stop</command>,
|
|
<command>restart</command>, <command>status</command>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Redis now binds to 127.0.0.1 only instead of listening to all network
|
|
interfaces. This is the default behavior of Redis 3.2
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>/var/empty</literal> is now immutable. Activation script runs
|
|
<command>chattr +i</command> to forbid any modifications inside the folder.
|
|
See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18365"> the
|
|
pull request</link> for what bugs this caused.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Gitlab's maintainance script <command>gitlab-runner</command> was removed
|
|
and split up into the more clearer <command>gitlab-run</command> and
|
|
<command>gitlab-rake</command> scripts, because
|
|
<command>gitlab-runner</command> is a component of Gitlab CI.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>services.xserver.libinput.accelProfile</literal> default changed
|
|
from <literal>flat</literal> to <literal>adaptive</literal>, as per
|
|
<link xlink:href="https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79">
|
|
official documentation</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>fonts.fontconfig.ultimate.rendering</literal> was removed because
|
|
our presets were obsolete for some time. New presets are hardcoded into
|
|
FreeType; you can select a preset via
|
|
<literal>fonts.fontconfig.ultimate.preset</literal>. You can customize
|
|
those presets via ordinary environment variables, using
|
|
<literal>environment.variables</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>audit</literal> service is no longer enabled by default. Use
|
|
<literal>security.audit.enable = true</literal> to explicitly enable it.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>pkgs.linuxPackages.virtualbox</literal> now contains only the
|
|
kernel modules instead of the VirtualBox user space binaries. If you want
|
|
to reference the user space binaries, you have to use the new
|
|
<literal>pkgs.virtualbox</literal> instead.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>goPackages</literal> was replaced with separated Go applications
|
|
in appropriate <literal>nixpkgs</literal> categories. Each Go package uses
|
|
its own dependency set. There's also a new <literal>go2nix</literal> tool
|
|
introduced to generate a Go package definition from its Go source
|
|
automatically.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>services.mongodb.extraConfig</literal> configuration format was
|
|
changed to YAML.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
PHP has been upgraded to 7.0
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>
|
|
Other notable improvements:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Revamped grsecurity/PaX support. There is now only a single general-purpose
|
|
distribution kernel and the configuration interface has been streamlined.
|
|
Desktop users should be able to simply set
|
|
<programlisting>security.grsecurity.enable = true</programlisting>
|
|
to get a reasonably secure system without having to sacrifice too much
|
|
functionality.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Special filesystems, like <literal>/proc</literal>, <literal>/run</literal>
|
|
and others, now have the same mount options as recommended by systemd and
|
|
are unified across different places in NixOS. Mount options are updated
|
|
during <command>nixos-rebuild switch</command> if possible. One benefit
|
|
from this is improved security — most such filesystems are now mounted
|
|
with <literal>noexec</literal>, <literal>nodev</literal> and/or
|
|
<literal>nosuid</literal> options.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The reverse path filter was interfering with DHCPv4 server operation in the
|
|
past. An exception for DHCPv4 and a new option to log packets that were
|
|
dropped due to the reverse path filter was added
|
|
(<literal>networking.firewall.logReversePathDrops</literal>) for easier
|
|
debugging.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Containers configuration within
|
|
<literal>containers.<name>.config</literal> is
|
|
<link
|
|
xlink:href="https://github.com/NixOS/nixpkgs/pull/17365">now
|
|
properly typed and checked</link>. In particular, partial configurations
|
|
are merged correctly.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The directory container setuid wrapper programs,
|
|
<filename>/var/setuid-wrappers</filename>,
|
|
<link
|
|
xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now
|
|
updated atomically to prevent failures if the switch to a new configuration
|
|
is interrupted.</link>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>services.xserver.startGnuPGAgent</literal> has been removed due to
|
|
GnuPG 2.1.x bump. See
|
|
<link
|
|
xlink:href="https://github.com/NixOS/nixpkgs/commit/5391882ebd781149e213e8817fba6ac3c503740c">
|
|
how to achieve similar behavior</link>. You might need to <literal>pkill
|
|
gpg-agent</literal> after the upgrade to prevent a stale agent being in the
|
|
way.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/commit/e561edc322d275c3687fec431935095cfc717147">
|
|
Declarative users could share the uid due to the bug in the script handling
|
|
conflict resolution. </link>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Gummi boot has been replaced using systemd-boot.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Hydra package and NixOS module were added for convenience.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|