From cbca7dd47c9c7daca7ac21ddfd52121d6d4541e2 Mon Sep 17 00:00:00 2001 From: Sergei Zimmerman Date: Fri, 27 Feb 2026 22:03:28 +0300 Subject: [PATCH 1/5] release notes: 2.34.0 --- doc/manual/rl-next/c-api-new-store-methods.md | 9 - .../rl-next/c-api-recoverable-errors.md | 23 -- .../rl-next/ignore-gc-delete-failure.md | 10 - .../rl-next/libcurl-content-encoding.md | 10 - doc/manual/rl-next/lint-url-literals.md | 46 ---- doc/manual/rl-next/mtls-substituter.md | 15 -- doc/manual/rl-next/narinfo-cache-meta-ttl.md | 6 - doc/manual/rl-next/repl-inherit.md | 21 -- doc/manual/rl-next/roots-daemon.md | 11 - doc/manual/rl-next/s3-virtual-hosted-style.md | 32 --- doc/manual/source/SUMMARY.md.in | 1 + doc/manual/source/release-notes/rl-2.34.md | 238 ++++++++++++++++++ 12 files changed, 239 insertions(+), 183 deletions(-) delete mode 100644 doc/manual/rl-next/c-api-new-store-methods.md delete mode 100644 doc/manual/rl-next/c-api-recoverable-errors.md delete mode 100644 doc/manual/rl-next/ignore-gc-delete-failure.md delete mode 100644 doc/manual/rl-next/libcurl-content-encoding.md delete mode 100644 doc/manual/rl-next/lint-url-literals.md delete mode 100644 doc/manual/rl-next/mtls-substituter.md delete mode 100644 doc/manual/rl-next/narinfo-cache-meta-ttl.md delete mode 100644 doc/manual/rl-next/repl-inherit.md delete mode 100644 doc/manual/rl-next/roots-daemon.md delete mode 100644 doc/manual/rl-next/s3-virtual-hosted-style.md create mode 100644 doc/manual/source/release-notes/rl-2.34.md diff --git a/doc/manual/rl-next/c-api-new-store-methods.md b/doc/manual/rl-next/c-api-new-store-methods.md deleted file mode 100644 index 28792e7cc42..00000000000 --- a/doc/manual/rl-next/c-api-new-store-methods.md +++ /dev/null 
@@ -1,9 +0,0 @@ ---- -synopsis: "C API: New store API methods" -prs: [14766] ---- - -The C API now includes additional methods: - -- `nix_store_query_path_from_hash_part()` - Get the full store path given its hash part -- `nix_store_copy_path()` - Copy a single store path between two stores, allows repairs and configuring signature checking diff --git a/doc/manual/rl-next/c-api-recoverable-errors.md b/doc/manual/rl-next/c-api-recoverable-errors.md deleted file mode 100644 index 462984f529b..00000000000 --- a/doc/manual/rl-next/c-api-recoverable-errors.md +++ /dev/null @@ -1,23 +0,0 @@ ---- -synopsis: "C API: Errors returned from your primops are not treated as recoverable by default" -prs: [15286, 13930] ---- - -Nix 2.34 by default remembers the error in the thunk that triggered it. - -Previously the following sequence of events worked: - -1. Have a thunk that invokes a primop that's defined through the C API -2. The primop returns an error -3. Force the thunk again -4. The primop returns a value -5. The thunk evaluated successfully - -**Resolution** - -C API consumers that rely on this must change their recoverable error calls: - -```diff --nix_set_err_msg(context, NIX_ERR_*, msg); -+nix_set_err_msg(context, NIX_ERR_RECOVERABLE, msg); -``` diff --git a/doc/manual/rl-next/ignore-gc-delete-failure.md b/doc/manual/rl-next/ignore-gc-delete-failure.md deleted file mode 100644 index 4241324fe0d..00000000000 --- a/doc/manual/rl-next/ignore-gc-delete-failure.md +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -synopsis: "New setting `ignore-gc-delete-failure` for local stores" -prs: [15054] ---- - -A new local store setting [`ignore-gc-delete-failure`](@docroot@/store/types/local-store.md#store-local-store-ignore-gc-delete-failure) has been added. -When enabled, garbage collection will log warnings instead of failing when it cannot delete store paths. -This is useful when running Nix as an unprivileged user that may not have write access to all paths in the store. - -This setting is experimental and requires the [`local-overlay-store`](@docroot@/development/experimental-features.md#xp-feature-local-overlay-store) experimental feature. diff --git a/doc/manual/rl-next/libcurl-content-encoding.md b/doc/manual/rl-next/libcurl-content-encoding.md deleted file mode 100644 index 85ee0336312..00000000000 --- a/doc/manual/rl-next/libcurl-content-encoding.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -synopsis: Content-Encoding decompression is now handled by libcurl -prs: [15336] -issues: [14324] ---- - -Transparent decompression of HTTP downloads specifying `Content-Encoding` header now uses libcurl. This adds support for previously advertised, but not supported `deflate` encoding as well as deprecated `x-gzip` alias. -Non-standard `xz`, `bzip2` encodings that were previously advertised are no longer supported, as they do not commonly appear in the wild and should not be sent by compliant servers. - -`br`, `zstd`, `gzip` continue to be supported. Distro packaging should ensure that the `libcurl` dependency is linked against required libraries to support these encodings. By default now the build system requires libcurl >= 8.17.0 which is not known to have issues around [pausing and decompression](https://github.com/curl/curl/issues/16280). diff --git a/doc/manual/rl-next/lint-url-literals.md b/doc/manual/rl-next/lint-url-literals.md deleted file mode 100644 index 01bd8283d2d..00000000000 --- a/doc/manual/rl-next/lint-url-literals.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -synopsis: "New diagnostics infrastructure, with `lint-url-literals`, `lint-short-path-literals`, and `lint-absolute-path-literals` settings" -prs: [15326] -issues: [8738, 10048, 10281] ---- - -A new diagnostics infrastructure has been added for controlling language features that we are considering deprecating. - -## [`lint-url-literals`](@docroot@/command-ref/conf-file.md#conf-lint-url-literals) - -The `no-url-literals` experimental feature has been stabilized and replaced with a new [`lint-url-literals`](@docroot@/command-ref/conf-file.md#conf-lint-url-literals) setting. - -To migrate from the experimental feature, replace: -``` -experimental-features = no-url-literals -``` -with: -``` -lint-url-literals = fatal -``` - -## [`lint-short-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-short-path-literals) - -The [`warn-short-path-literals`](@docroot@/command-ref/conf-file.md#conf-warn-short-path-literals) boolean setting has been deprecated and replaced with [`lint-short-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-short-path-literals). - -To migrate, replace: -``` -warn-short-path-literals = true -``` -with: -``` -lint-short-path-literals = warn -``` - -## [`lint-absolute-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-absolute-path-literals) - -A new [`lint-absolute-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-absolute-path-literals) setting has been added to control handling of absolute path literals (paths starting with `/`) and home path literals (paths starting with `~/`). - -## Setting values - -All three settings accept three values: -- `ignore`: Allow the feature without emitting any diagnostic (default) -- `warn`: Emit a warning when the feature is used -- `fatal`: Treat the feature as a parse error - -The defaults may change in future versions. 
diff --git a/doc/manual/rl-next/mtls-substituter.md b/doc/manual/rl-next/mtls-substituter.md deleted file mode 100644 index a27c80e9fd1..00000000000 --- a/doc/manual/rl-next/mtls-substituter.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -synopsis: Support HTTPS binary caches using mTLS (client certificate) authentication -issues: [13002] -prs: [13030] ---- - -Added support for `tls-certificate` and `tls-private-key` options in substituter URLs. - -Example: - -``` -https://substituter.invalid?tls-certificate=/path/to/cert.pem&tls-private-key=/path/to/key.pem -``` - -When these options are configured, Nix will use this certificate/private key pair to authenticate to the server. diff --git a/doc/manual/rl-next/narinfo-cache-meta-ttl.md b/doc/manual/rl-next/narinfo-cache-meta-ttl.md deleted file mode 100644 index ba5116ace79..00000000000 --- a/doc/manual/rl-next/narinfo-cache-meta-ttl.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -synopsis: New setting `narinfo-cache-meta-ttl` -prs: [15287] ---- - -The new setting `narinfo-cache-meta-ttl` controls how long binary cache metadata (i.e. `/nix-cache-info`) is cached locally, in seconds. This was previously hard-coded to 7 days, which is still the default. As a result, you can now use `nix store info --refresh` to check whether a binary cache is still valid. diff --git a/doc/manual/rl-next/repl-inherit.md b/doc/manual/rl-next/repl-inherit.md deleted file mode 100644 index 295d70323e4..00000000000 --- a/doc/manual/rl-next/repl-inherit.md +++ /dev/null @@ -1,21 +0,0 @@ ---- -synopsis: "`nix repl` now supports `inherit` and multiple bindings" -prs: [15082] ---- - -The `nix repl` now supports `inherit` statements and multiple bindings per line: - -``` -nix-repl> a = { x = 1; y = 2; } -nix-repl> inherit (a) x y -nix-repl> x + y -3 - -nix-repl> p = 1; q = 2; -nix-repl> p + q -3 - -nix-repl> foo.bar.baz = 1; -nix-repl> foo.bar -{ baz = 1; } -``` 
diff --git a/doc/manual/rl-next/roots-daemon.md b/doc/manual/rl-next/roots-daemon.md deleted file mode 100644 index b08c88fe40d..00000000000 --- a/doc/manual/rl-next/roots-daemon.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -synopsis: New command `nix store roots-daemon` for serving GC roots -prs: [15143] ---- - -New command [`nix store roots-daemon`](@docroot@/command-ref/new-cli/nix3-store-roots-daemon.md) runs a daemon that serves garbage collector roots over a Unix domain socket. -It enables the garbage collector to discover runtime roots when the main Nix daemon doesn't have `CAP_SYS_PTRACE` capability and therefore cannot scan `/proc`. - -The garbage collector can be configured to use this daemon via the [`use-roots-daemon`](@docroot@/store/types/local-store.md#store-experimental-option-use-roots-daemon) store setting. - -This feature requires the [`local-overlay-store` experimental feature](@docroot@/development/experimental-features.md#xp-feature-local-overlay-store). diff --git a/doc/manual/rl-next/s3-virtual-hosted-style.md b/doc/manual/rl-next/s3-virtual-hosted-style.md deleted file mode 100644 index e8c2d9766d4..00000000000 --- a/doc/manual/rl-next/s3-virtual-hosted-style.md +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -synopsis: S3 binary caches now use virtual-hosted-style addressing by default -issues: [15208] ---- - -S3 binary caches now use virtual-hosted-style URLs -(`https://bucket.s3.region.amazonaws.com/key`) instead of path-style URLs -(`https://s3.region.amazonaws.com/bucket/key`) when connecting to standard AWS -S3 endpoints. This enables HTTP/2 multiplexing and fixes TCP connection -exhaustion (TIME_WAIT socket accumulation) under high-concurrency workloads. - -A new `addressing-style` store option controls this behavior: - -- `auto` (default): virtual-hosted-style for standard AWS endpoints, path-style - for custom endpoints. -- `path`: forces path-style addressing (deprecated by AWS). -- `virtual`: forces virtual-hosted-style addressing (bucket names must not - contain dots). - -Bucket names containing dots (e.g., `my.bucket.name`) automatically fall back -to path-style addressing in `auto` mode, because dotted names create -multi-level subdomains that break TLS wildcard certificate validation. - -Example using path-style for backwards compatibility: - -``` -s3://my-bucket/key?region=us-east-1&addressing-style=path -``` - -Additionally, TCP keep-alive is now enabled on all HTTP connections, preventing -idle connections from being silently dropped by intermediate network devices -(NATs, firewalls, load balancers). diff --git a/doc/manual/source/SUMMARY.md.in b/doc/manual/source/SUMMARY.md.in index 05eed77837f..18d24788ca1 100644 --- a/doc/manual/source/SUMMARY.md.in +++ b/doc/manual/source/SUMMARY.md.in @@ -153,6 +153,7 @@ - [Contributing](development/contributing.md) - [Releases](release-notes/index.md) {{#include ./SUMMARY-rl-next.md}} + - [Release 2.34 (2026-02-27)](release-notes/rl-2.34.md) - [Release 2.33 (2025-12-09)](release-notes/rl-2.33.md) - [Release 2.32 (2025-10-06)](release-notes/rl-2.32.md) - [Release 2.31 (2025-08-21)](release-notes/rl-2.31.md) 
diff --git a/doc/manual/source/release-notes/rl-2.34.md b/doc/manual/source/release-notes/rl-2.34.md new file mode 100644 index 00000000000..80fa3d2b080 --- /dev/null +++ b/doc/manual/source/release-notes/rl-2.34.md 
@@ -0,0 +1,238 @@ +# Release 2.34.0 (2026-02-27) + +- Rust nix-installer in beta + + The Rust-based rewrite of the Nix installer is now in beta. + We'd love help testing it out! + + To test out the new installer, run: + ``` + curl -sSfL https://artifacts.nixos.org/nix-installer | sh -s -- install + ``` + + This installer can be run even when you have an existing, script-based Nix installation without any adjustments. + + This new installer also comes with the ability to uninstall your Nix installation; run: + ``` + /nix/nix-installer uninstall + ``` + + This will get rid of your entire Nix installation (even if you installed over an existing, script-based installation). + + This installer is a modified version of the [Determinate Nix Installer](https://github.com/DeterminateSystems/nix-installer) by Determinate Systems. + Thanks to Determinate Systems for all the investment they've put into the installer. + + Source for the installer is in https://github.com/NixOS/nix-installer. + Report any issues in that repo. + + For CI usage, a GitHub Action to install Nix using this installer is available at https://github.com/NixOS/nix-installer-action. + +- C API: New store API methods [#14766](https://github.com/NixOS/nix/pull/14766) + + The C API now includes additional methods: + + - `nix_store_query_path_from_hash_part()` - Get the full store path given its hash part + - `nix_store_copy_path()` - Copy a single store path between two stores, allows repairs and configuring signature checking + +- C API: Errors returned from your primops are not treated as recoverable by default [#13930](https://github.com/NixOS/nix/pull/13930) [#15286](https://github.com/NixOS/nix/pull/15286) + + Nix 2.34 by default remembers the error in the thunk that triggered it. + + Previously the following sequence of events worked: + + 1. Have a thunk that invokes a primop that's defined through the C API + 2. The primop returns an error + 3. Force the thunk again + 4. 
The primop returns a value + 5. The thunk evaluated successfully + + **Resolution** + + C API consumers that rely on this must change their recoverable error calls: + + ```diff + -nix_set_err_msg(context, NIX_ERR_*, msg); + +nix_set_err_msg(context, NIX_ERR_RECOVERABLE, msg); + ``` + +- New setting `ignore-gc-delete-failure` for local stores [#15054](https://github.com/NixOS/nix/pull/15054) + + A new local store setting [`ignore-gc-delete-failure`](@docroot@/store/types/local-store.md#store-local-store-ignore-gc-delete-failure) has been added. + When enabled, garbage collection will log warnings instead of failing when it cannot delete store paths. + This is useful when running Nix as an unprivileged user that may not have write access to all paths in the store. + + This setting is experimental and requires the [`local-overlay-store`](@docroot@/development/experimental-features.md#xp-feature-local-overlay-store) experimental feature. + +- Content-Encoding decompression is now handled by libcurl [#14324](https://github.com/NixOS/nix/issues/14324) [#15336](https://github.com/NixOS/nix/pull/15336) + + Transparent decompression of HTTP downloads specifying `Content-Encoding` header now uses libcurl. This adds support for previously advertised, but not supported `deflate` encoding as well as deprecated `x-gzip` alias. + Non-standard `xz`, `bzip2` encodings that were previously advertised are no longer supported, as they do not commonly appear in the wild and should not be sent by compliant servers. + + `br`, `zstd`, `gzip` continue to be supported. Distro packaging should ensure that the `libcurl` dependency is linked against required libraries to support these encodings. By default now the build system requires libcurl >= 8.17.0 which is not known to have issues around [pausing and decompression](https://github.com/curl/curl/issues/16280). 
+ +- New diagnostics infrastructure, with `lint-url-literals`, `lint-short-path-literals`, and `lint-absolute-path-literals` settings [#8738](https://github.com/NixOS/nix/issues/8738) [#10048](https://github.com/NixOS/nix/issues/10048) [#10281](https://github.com/NixOS/nix/issues/10281) [#15326](https://github.com/NixOS/nix/pull/15326) + + A new diagnostics infrastructure has been added for controlling language features that we are considering deprecating. + + ## [`lint-url-literals`](@docroot@/command-ref/conf-file.md#conf-lint-url-literals) + + The `no-url-literals` experimental feature has been stabilized and replaced with a new [`lint-url-literals`](@docroot@/command-ref/conf-file.md#conf-lint-url-literals) setting. + + To migrate from the experimental feature, replace: + ``` + experimental-features = no-url-literals + ``` + with: + ``` + lint-url-literals = fatal + ``` + + ## [`lint-short-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-short-path-literals) + + The [`warn-short-path-literals`](@docroot@/command-ref/conf-file.md#conf-warn-short-path-literals) boolean setting has been deprecated and replaced with [`lint-short-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-short-path-literals). + + To migrate, replace: + ``` + warn-short-path-literals = true + ``` + with: + ``` + lint-short-path-literals = warn + ``` + + ## [`lint-absolute-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-absolute-path-literals) + + A new [`lint-absolute-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-absolute-path-literals) setting has been added to control handling of absolute path literals (paths starting with `/`) and home path literals (paths starting with `~/`). 
+ + ## Setting values + + All three settings accept three values: + - `ignore`: Allow the feature without emitting any diagnostic (default) + - `warn`: Emit a warning when the feature is used + - `fatal`: Treat the feature as a parse error + + The defaults may change in future versions. + +- Support HTTPS binary caches using mTLS (client certificate) authentication [#13002](https://github.com/NixOS/nix/issues/13002) [#13030](https://github.com/NixOS/nix/pull/13030) + + Added support for `tls-certificate` and `tls-private-key` options in substituter URLs. + + Example: + + ``` + https://substituter.invalid?tls-certificate=/path/to/cert.pem&tls-private-key=/path/to/key.pem + ``` + + When these options are configured, Nix will use this certificate/private key pair to authenticate to the server. + +- New setting `narinfo-cache-meta-ttl` [#15287](https://github.com/NixOS/nix/pull/15287) + + The new setting `narinfo-cache-meta-ttl` controls how long binary cache metadata (i.e. `/nix-cache-info`) is cached locally, in seconds. This was previously hard-coded to 7 days, which is still the default. As a result, you can now use `nix store info --refresh` to check whether a binary cache is still valid. + +- `nix repl` now supports `inherit` and multiple bindings [#15082](https://github.com/NixOS/nix/pull/15082) + + The `nix repl` now supports `inherit` statements and multiple bindings per line: + + ``` + nix-repl> a = { x = 1; y = 2; } + nix-repl> inherit (a) x y + nix-repl> x + y + 3 + + nix-repl> p = 1; q = 2; + nix-repl> p + q + 3 + + nix-repl> foo.bar.baz = 1; + nix-repl> foo.bar + { baz = 1; } + ``` + +- New command `nix store roots-daemon` for serving GC roots [#15143](https://github.com/NixOS/nix/pull/15143) + + New command [`nix store roots-daemon`](@docroot@/command-ref/new-cli/nix3-store-roots-daemon.md) runs a daemon that serves garbage collector roots over a Unix domain socket. 
+ It enables the garbage collector to discover runtime roots when the main Nix daemon doesn't have `CAP_SYS_PTRACE` capability and therefore cannot scan `/proc`. + + The garbage collector can be configured to use this daemon via the [`use-roots-daemon`](@docroot@/store/types/local-store.md#store-experimental-option-use-roots-daemon) store setting. + + This feature requires the [`local-overlay-store` experimental feature](@docroot@/development/experimental-features.md#xp-feature-local-overlay-store). + +- S3 binary caches now use virtual-hosted-style addressing by default [#15208](https://github.com/NixOS/nix/issues/15208) + + S3 binary caches now use virtual-hosted-style URLs + (`https://bucket.s3.region.amazonaws.com/key`) instead of path-style URLs + (`https://s3.region.amazonaws.com/bucket/key`) when connecting to standard AWS + S3 endpoints. This enables HTTP/2 multiplexing and fixes TCP connection + exhaustion (TIME_WAIT socket accumulation) under high-concurrency workloads. + + A new `addressing-style` store option controls this behavior: + + - `auto` (default): virtual-hosted-style for standard AWS endpoints, path-style + for custom endpoints. + - `path`: forces path-style addressing (deprecated by AWS). + - `virtual`: forces virtual-hosted-style addressing (bucket names must not + contain dots). + + Bucket names containing dots (e.g., `my.bucket.name`) automatically fall back + to path-style addressing in `auto` mode, because dotted names create + multi-level subdomains that break TLS wildcard certificate validation. + + Example using path-style for backwards compatibility: + + ``` + s3://my-bucket/key?region=us-east-1&addressing-style=path + ``` + + Additionally, TCP keep-alive is now enabled on all HTTP connections, preventing + idle connections from being silently dropped by intermediate network devices + (NATs, firewalls, load balancers). 
+ + +## Contributors + + +This release was made possible by the following 43 contributors: + +- Taeer Bar-Yam [**(@Radvendii)**](https://github.com/Radvendii) +- Sergei Zimmerman [**(@xokdvium)**](https://github.com/xokdvium) +- Jörg Thalheim [**(@Mic92)**](https://github.com/Mic92) +- Graham Dennis [**(@GrahamDennis)**](https://github.com/GrahamDennis) +- Damien Diederen [**(@ztzg)**](https://github.com/ztzg) +- koberbe-jh [**(@koberbe-jh)**](https://github.com/koberbe-jh) +- Robert Hensing [**(@roberth)**](https://github.com/roberth) +- Bouke van der Bijl [**(@bouk)**](https://github.com/bouk) +- Lisanna Dettwyler [**(@lisanna-dettwyler)**](https://github.com/lisanna-dettwyler) +- kiara [**(@KiaraGrouwstra)**](https://github.com/KiaraGrouwstra) +- Side Effect [**(@YawKar)**](https://github.com/YawKar) +- dram [**(@dramforever)**](https://github.com/dramforever) +- tomf [**(@tomfitzhenry)**](https://github.com/tomfitzhenry) +- Kamil Monicz [**(@Zaczero)**](https://github.com/Zaczero) +- Cosima Neidahl [**(@OPNA2608)**](https://github.com/OPNA2608) +- Siddhant Kumar [**(@siddhantk232)**](https://github.com/siddhantk232) +- Jens Petersen [**(@juhp)**](https://github.com/juhp) +- Johannes Kirschbauer [**(@hsjobeki)**](https://github.com/hsjobeki) +- tomberek [**(@tomberek)**](https://github.com/tomberek) +- Eelco Dolstra [**(@edolstra)**](https://github.com/edolstra) +- Artemis Tosini [**(@artemist)**](https://github.com/artemist) +- David McFarland [**(@corngood)**](https://github.com/corngood) +- Tucker Shea [**(@NoRePercussions)**](https://github.com/NoRePercussions) +- Connor Baker [**(@ConnorBaker)**](https://github.com/ConnorBaker) +- Cole Helbling [**(@cole-h)**](https://github.com/cole-h) +- Eveeifyeve [**(@Eveeifyeve)**](https://github.com/Eveeifyeve) +- John Ericson [**(@Ericson2314)**](https://github.com/Ericson2314) +- Graham Christensen [**(@grahamc)**](https://github.com/grahamc) +- Ilja [**(@iljah)**](https://github.com/iljah) +- Pol Dellaiera 
[**(@drupol)**](https://github.com/drupol) +- steelman [**(@steelman)**](https://github.com/steelman) +- Brian McKenna [**(@puffnfresh)**](https://github.com/puffnfresh) +- JustAGuyTryingHisBest [**(@JustAGuyTryingHisBest)**](https://github.com/JustAGuyTryingHisBest) +- zowoq [**(@zowoq)**](https://github.com/zowoq) +- Agustín Covarrubias [**(@agucova)**](https://github.com/agucova) +- Sergei Trofimovich [**(@trofi)**](https://github.com/trofi) +- Bernardo Meurer [**(@lovesegfault)**](https://github.com/lovesegfault) +- Peter Bynum [**(@pkpbynum)**](https://github.com/pkpbynum) +- Amaan Qureshi [**(@amaanq)**](https://github.com/amaanq) +- Michael Hoang [**(@Enzime)**](https://github.com/Enzime) +- Michael Daniels [**(@mdaniels5757)**](https://github.com/mdaniels5757) +- Matthew Kenigsberg [**(@mkenigs)**](https://github.com/mkenigs) +- Shea Levy [**(@shlevy)**](https://github.com/shlevy) From 16f92c6547723b482ea16353f3ff8bbbc62f7e9b Mon Sep 17 00:00:00 2001 From: Sergei Zimmerman Date: Fri, 27 Feb 2026 22:28:54 +0300 Subject: [PATCH 2/5] Edit release notes --- doc/manual/source/release-notes/rl-2.34.md | 145 +++++++++++---------- 1 file changed, 77 insertions(+), 68 deletions(-) diff --git a/doc/manual/source/release-notes/rl-2.34.md b/doc/manual/source/release-notes/rl-2.34.md index 80fa3d2b080..d7959288154 100644 --- a/doc/manual/source/release-notes/rl-2.34.md +++ b/doc/manual/source/release-notes/rl-2.34.md @@ -1,5 +1,7 @@ # Release 2.34.0 (2026-02-27) +## Highlights + - Rust nix-installer in beta The Rust-based rewrite of the Nix installer is now in beta. 
@@ -22,61 +24,19 @@ This installer is a modified version of the [Determinate Nix Installer](https://github.com/DeterminateSystems/nix-installer) by Determinate Systems. Thanks to Determinate Systems for all the investment they've put into the installer. - Source for the installer is in https://github.com/NixOS/nix-installer. + Source for the installer is in . Report any issues in that repo. - For CI usage, a GitHub Action to install Nix using this installer is available at https://github.com/NixOS/nix-installer-action. - -- C API: New store API methods [#14766](https://github.com/NixOS/nix/pull/14766) - - The C API now includes additional methods: - - - `nix_store_query_path_from_hash_part()` - Get the full store path given its hash part - - `nix_store_copy_path()` - Copy a single store path between two stores, allows repairs and configuring signature checking - -- C API: Errors returned from your primops are not treated as recoverable by default [#13930](https://github.com/NixOS/nix/pull/13930) [#15286](https://github.com/NixOS/nix/pull/15286) - - Nix 2.34 by default remembers the error in the thunk that triggered it. - - Previously the following sequence of events worked: - - 1. Have a thunk that invokes a primop that's defined through the C API - 2. The primop returns an error - 3. Force the thunk again - 4. The primop returns a value - 5. The thunk evaluated successfully - - **Resolution** - - C API consumers that rely on this must change their recoverable error calls: - - ```diff - -nix_set_err_msg(context, NIX_ERR_*, msg); - +nix_set_err_msg(context, NIX_ERR_RECOVERABLE, msg); - ``` - -- New setting `ignore-gc-delete-failure` for local stores [#15054](https://github.com/NixOS/nix/pull/15054) - - A new local store setting [`ignore-gc-delete-failure`](@docroot@/store/types/local-store.md#store-local-store-ignore-gc-delete-failure) has been added. - When enabled, garbage collection will log warnings instead of failing when it cannot delete store paths. 
- This is useful when running Nix as an unprivileged user that may not have write access to all paths in the store. + For CI usage, a GitHub Action to install Nix using this installer is available at . - This setting is experimental and requires the [`local-overlay-store`](@docroot@/development/experimental-features.md#xp-feature-local-overlay-store) experimental feature. +- Stabilisation of `no-url-literals` experimental feature and new diagnostics infrastructure, with `lint-url-literals`, `lint-short-path-literals`, and `lint-absolute-path-literals` settings [#8738](https://github.com/NixOS/nix/issues/8738) [#10048](https://github.com/NixOS/nix/issues/10048) [#10281](https://github.com/NixOS/nix/issues/10281) [#15326](https://github.com/NixOS/nix/pull/15326) -- Content-Encoding decompression is now handled by libcurl [#14324](https://github.com/NixOS/nix/issues/14324) [#15336](https://github.com/NixOS/nix/pull/15336) + Experimental feature `no-url-literals` has been stabilised and is now controlled by the `lint-url-literals` option. + New diagnostics infrastructure has been added for linting discouraged language features. - Transparent decompression of HTTP downloads specifying `Content-Encoding` header now uses libcurl. This adds support for previously advertised, but not supported `deflate` encoding as well as deprecated `x-gzip` alias. - Non-standard `xz`, `bzip2` encodings that were previously advertised are no longer supported, as they do not commonly appear in the wild and should not be sent by compliant servers. + ### [`lint-url-literals`](@docroot@/command-ref/conf-file.md#conf-lint-url-literals) - `br`, `zstd`, `gzip` continue to be supported. Distro packaging should ensure that the `libcurl` dependency is linked against required libraries to support these encodings. By default now the build system requires libcurl >= 8.17.0 which is not known to have issues around [pausing and decompression](https://github.com/curl/curl/issues/16280). 
- -- New diagnostics infrastructure, with `lint-url-literals`, `lint-short-path-literals`, and `lint-absolute-path-literals` settings [#8738](https://github.com/NixOS/nix/issues/8738) [#10048](https://github.com/NixOS/nix/issues/10048) [#10281](https://github.com/NixOS/nix/issues/10281) [#15326](https://github.com/NixOS/nix/pull/15326) - - A new diagnostics infrastructure has been added for controlling language features that we are considering deprecating. - - ## [`lint-url-literals`](@docroot@/command-ref/conf-file.md#conf-lint-url-literals) - - The `no-url-literals` experimental feature has been stabilized and replaced with a new [`lint-url-literals`](@docroot@/command-ref/conf-file.md#conf-lint-url-literals) setting. + The `no-url-literals` experimental feature has been stabilised and replaced with a new [`lint-url-literals`](@docroot@/command-ref/conf-file.md#conf-lint-url-literals) setting. To migrate from the experimental feature, replace: ``` @@ -87,7 +47,7 @@ lint-url-literals = fatal ``` - ## [`lint-short-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-short-path-literals) + ### [`lint-short-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-short-path-literals) The [`warn-short-path-literals`](@docroot@/command-ref/conf-file.md#conf-warn-short-path-literals) boolean setting has been deprecated and replaced with [`lint-short-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-short-path-literals). 
@@ -100,11 +60,11 @@ lint-short-path-literals = warn ``` - ## [`lint-absolute-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-absolute-path-literals) + ### [`lint-absolute-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-absolute-path-literals) A new [`lint-absolute-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-absolute-path-literals) setting has been added to control handling of absolute path literals (paths starting with `/`) and home path literals (paths starting with `~/`). - ## Setting values + ### Setting values All three settings accept three values: - `ignore`: Allow the feature without emitting any diagnostic (default) @@ -113,21 +73,7 @@ The defaults may change in future versions. -- Support HTTPS binary caches using mTLS (client certificate) authentication [#13002](https://github.com/NixOS/nix/issues/13002) [#13030](https://github.com/NixOS/nix/pull/13030) - - Added support for `tls-certificate` and `tls-private-key` options in substituter URLs. - - Example: - - ``` - https://substituter.invalid?tls-certificate=/path/to/cert.pem&tls-private-key=/path/to/key.pem - ``` - - When these options are configured, Nix will use this certificate/private key pair to authenticate to the server. - -- New setting `narinfo-cache-meta-ttl` [#15287](https://github.com/NixOS/nix/pull/15287) - - The new setting `narinfo-cache-meta-ttl` controls how long binary cache metadata (i.e. `/nix-cache-info`) is cached locally, in seconds. This was previously hard-coded to 7 days, which is still the default. As a result, you can now use `nix store info --refresh` to check whether a binary cache is still valid. +## New features - `nix repl` now supports `inherit` and multiple bindings [#15082](https://github.com/NixOS/nix/pull/15082) 
@@ -157,6 +103,62 @@ This feature requires the [`local-overlay-store` experimental feature](@docroot@/development/experimental-features.md#xp-feature-local-overlay-store). +- New setting `ignore-gc-delete-failure` for local stores [#15054](https://github.com/NixOS/nix/pull/15054) + + A new local store setting [`ignore-gc-delete-failure`](@docroot@/store/types/local-store.md#store-local-store-ignore-gc-delete-failure) has been added. + When enabled, garbage collection will log warnings instead of failing when it cannot delete store paths. + This is useful when running Nix as an unprivileged user that may not have write access to all paths in the store. + + This setting is experimental and requires the [`local-overlay-store`](@docroot@/development/experimental-features.md#xp-feature-local-overlay-store) experimental feature. + +- New setting `narinfo-cache-meta-ttl` [#15287](https://github.com/NixOS/nix/pull/15287) + + The new setting `narinfo-cache-meta-ttl` controls how long binary cache metadata (i.e. `/nix-cache-info`) is cached locally, in seconds. This was previously hard-coded to 7 days, which is still the default. As a result, you can now use `nix store info --refresh` to check whether a binary cache is still valid. + +- Support HTTPS binary caches using mTLS (client certificate) authentication [#13002](https://github.com/NixOS/nix/issues/13002) [#13030](https://github.com/NixOS/nix/pull/13030) + + Added support for `tls-certificate` and `tls-private-key` options in substituter URLs. + + Example: + + ``` + https://substituter.invalid?tls-certificate=/path/to/cert.pem&tls-private-key=/path/to/key.pem + ``` + + When these options are configured, Nix will use this certificate/private key pair to authenticate to the server. 
+ +## C API Changes + +- New store API methods [#14766](https://github.com/NixOS/nix/pull/14766) + + The C API now includes additional methods: + + - `nix_store_query_path_from_hash_part()` - Get the full store path given its hash part + - `nix_store_copy_path()` - Copy a single store path between two stores, allows repairs and configuring signature checking + +- Errors returned from your primops are not treated as recoverable by default [#13930](https://github.com/NixOS/nix/pull/13930) [#15286](https://github.com/NixOS/nix/pull/15286) + + Nix 2.34 by default remembers the error in the thunk that triggered it. + + Previously the following sequence of events worked: + + 1. Have a thunk that invokes a primop that's defined through the C API + 2. The primop returns an error + 3. Force the thunk again + 4. The primop returns a value + 5. The thunk evaluated successfully + + **Resolution** + + C API consumers that rely on this must change their recoverable error calls: + + ```diff + -nix_set_err_msg(context, NIX_ERR_*, msg); + +nix_set_err_msg(context, NIX_ERR_RECOVERABLE, msg); + ``` + +## Bug fixes + - S3 binary caches now use virtual-hosted-style addressing by default [#15208](https://github.com/NixOS/nix/issues/15208) S3 binary caches now use virtual-hosted-style URLs 
@@ -187,9 +189,16 @@ idle connections from being silently dropped by intermediate network devices (NATs, firewalls, load balancers). +## Miscellaneous changes -## Contributors +- Content-Encoding decompression is now handled by libcurl [#14324](https://github.com/NixOS/nix/issues/14324) [#15336](https://github.com/NixOS/nix/pull/15336) + Transparent decompression of HTTP downloads specifying `Content-Encoding` header now uses libcurl. This adds support for previously advertised, but not supported `deflate` encoding as well as deprecated `x-gzip` alias. + Non-standard `xz`, `bzip2` encodings that were previously advertised are no longer supported, as they do not commonly appear in the wild and should not be sent by compliant servers. + + `br`, `zstd`, `gzip` continue to be supported. Distro packaging should ensure that the `libcurl` dependency is linked against required libraries to support these encodings. By default, the build system now requires libcurl >= 8.17.0, which is not known to have issues around [pausing and decompression](https://github.com/curl/curl/issues/16280). + +## Contributors This release was made possible by the following 43 contributors: From 2a94f4d7821aba2aff158c3740f4f819cfad56a2 Mon Sep 17 00:00:00 2001 From: Sergei Zimmerman Date: Fri, 27 Feb 2026 23:35:36 +0300 Subject: [PATCH 3/5] Add more release notes --- doc/manual/source/release-notes/rl-2.34.md | 48 ++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/doc/manual/source/release-notes/rl-2.34.md b/doc/manual/source/release-notes/rl-2.34.md index d7959288154..ecf8ac0248c 100644 --- a/doc/manual/source/release-notes/rl-2.34.md +++ b/doc/manual/source/release-notes/rl-2.34.md 
@@ -73,6 +73,24 @@ The defaults may change in future versions. +- Improved parser error messages [#15092](https://github.com/NixOS/nix/pull/15092) + + Parser error messages now use legible strings for tokens instead of internal names. For example, malformed expression `a ++ ++ b` now produces the following error: + ``` + error: syntax error, unexpected '++' + at «string»:1:6: + 1| a ++ ++ b + | ^ + ``` + + Instead of: + ``` + error: syntax error, unexpected CONCAT + at «string»:1:6: + 1| a ++ ++ b + | ^ + ``` + ## New features - `nix repl` now supports `inherit` and multiple bindings [#15082](https://github.com/NixOS/nix/pull/15082) 
@@ -127,6 +145,21 @@ When these options are configured, Nix will use this certificate/private key pair to authenticate to the server. +## Performance improvements + +- Unpacking tarballs to `~/.cache/nix/tarball-cache-v2` is now multithreaded [#12087](https://github.com/NixOS/nix/pull/12087) + + Content-addressed cache for `builtins.fetchTarball` and tarball-based flake inputs (e.g. `github:NixOS/nixpkgs`, `https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz`) now writes git blobs (files) to the `tarball-cache-v2` repository concurrently, which significantly reduces the wall time for tarball unpacking (up to ~1.8x faster unpacking for `https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz` in our testing). + + Currently, Nix doesn't perform any maintenance on the `~/.cache/nix/tarball-cache-v2` repository, which will be addressed in future versions. Users that wish to reclaim disk space used by the tarball cache may want to run: + + ``` + rm -rf ~/.cache/nix/tarball-cache # Historical tarball-cache, not used by Nix >= 2.33 + cd ~/.cache/nix/tarball-cache-v2 && git multi-pack-index write && git multi-pack-index repack && git multi-pack-index expire + ``` + +- `nix nar ls` and other NAR listing operations have been optimised further [#15163](https://github.com/NixOS/nix/pull/15163) + ## C API Changes - New store API methods [#14766](https://github.com/NixOS/nix/pull/14766) 
@@ -159,6 +192,10 @@ ## Bug fixes +- Avoid dropping ssh connections with `ssh-ng://` stores for store path copying [#14998](https://github.com/NixOS/nix/pull/14998) [#6950](https://github.com/NixOS/nix/issues/6950) + + Due to a bug in how Nix handled Boost.Coroutine2 suspension and resumption, copying from `ssh-ng://` stores would drop the SSH connection for each copied path. This issue has been fixed, which improves performance by avoiding multiple SSH/Nix Worker Protocol handshakes. + - S3 binary caches now use virtual-hosted-style addressing by default [#15208](https://github.com/NixOS/nix/issues/15208) S3 binary caches now use virtual-hosted-style URLs @@ -189,6 +226,15 @@ idle connections from being silently dropped by intermediate network devices (NATs, firewalls, load balancers). +- `nix-prefetch-url --unpack` now properly checks for empty archives [#15242](https://github.com/NixOS/nix/pull/15242) + + Prior versions failed to check for empty archives and would crash with a `nullptr` dereference when unpacking empty archives. + This is now fixed. + +- Prevent runaway processes when Nix is killed with `SIGKILL` when building in a local store with build users [#15193](https://github.com/NixOS/nix/pull/15193) + + When run as root, Nix doesn't run builds via the daemon and is a parent of the forked build processes. Prior versions of Nix failed to preserve the `PR_SET_PDEATHSIG` parent-death signal across `setuid` calls. This could lead to build processes being reparented and continue running in the background. This has been fixed. + ## Miscellaneous changes - Content-Encoding decompression is now handled by libcurl [#14324](https://github.com/NixOS/nix/issues/14324) [#15336](https://github.com/NixOS/nix/pull/15336) 
@@ -198,6 +244,8 @@ `br`, `zstd`, `gzip` continue to be supported. Distro packaging should ensure that the `libcurl` dependency is linked against required libraries to support these encodings. By default, the build system now requires libcurl >= 8.17.0, which is not known to have issues around [pausing and decompression](https://github.com/curl/curl/issues/16280). +- Static builds now support S3 features (`libstore:s3-aws-auth` meson option) [#15076](https://github.com/NixOS/nix/pull/15076) + ## Contributors This release was made possible by the following 43 contributors: From 74ec331a463eace6c2015a869be315f955f8cdfe Mon Sep 17 00:00:00 2001 From: Sergei Zimmerman Date: Sat, 28 Feb 2026 00:20:55 +0300 Subject: [PATCH 4/5] Indent lint infrastructure more --- doc/manual/source/release-notes/rl-2.34.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/doc/manual/source/release-notes/rl-2.34.md b/doc/manual/source/release-notes/rl-2.34.md index ecf8ac0248c..7c3ee8b2913 100644 --- a/doc/manual/source/release-notes/rl-2.34.md +++ b/doc/manual/source/release-notes/rl-2.34.md @@ -34,7 +34,9 @@ Experimental feature `no-url-literals` has been stabilised and is now controlled by the `lint-url-literals` option. New diagnostics infrastructure has been added for linting discouraged language features. - ### [`lint-url-literals`](@docroot@/command-ref/conf-file.md#conf-lint-url-literals) + ### New lint infrastructure + + #### [`lint-url-literals`](@docroot@/command-ref/conf-file.md#conf-lint-url-literals) The `no-url-literals` experimental feature has been stabilised and replaced with a new [`lint-url-literals`](@docroot@/command-ref/conf-file.md#conf-lint-url-literals) setting. 
@@ -47,7 +49,7 @@ lint-url-literals = fatal ``` - ### [`lint-short-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-short-path-literals) + #### [`lint-short-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-short-path-literals) The [`warn-short-path-literals`](@docroot@/command-ref/conf-file.md#conf-warn-short-path-literals) boolean setting has been deprecated and replaced with [`lint-short-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-short-path-literals). @@ -60,11 +62,11 @@ lint-short-path-literals = warn ``` - ### [`lint-absolute-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-absolute-path-literals) + #### [`lint-absolute-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-absolute-path-literals) A new [`lint-absolute-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-absolute-path-literals) setting has been added to control handling of absolute path literals (paths starting with `/`) and home path literals (paths starting with `~/`). - ### Setting values + #### Setting values All three settings accept three values: - `ignore`: Allow the feature without emitting any diagnostic (default) From 5a3e65826a644d1960b482e6207a7a232cfef23c Mon Sep 17 00:00:00 2001 From: Sergei Zimmerman Date: Sat, 28 Feb 2026 00:26:58 +0300 Subject: [PATCH 5/5] Add rootless daemon and nix-nswrapper release note Co-authored-by: Artemis Tosini --- doc/manual/source/release-notes/rl-2.34.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/doc/manual/source/release-notes/rl-2.34.md b/doc/manual/source/release-notes/rl-2.34.md index 7c3ee8b2913..854f1d1ed6a 100644 --- a/doc/manual/source/release-notes/rl-2.34.md +++ b/doc/manual/source/release-notes/rl-2.34.md 
@@ -123,6 +123,12 @@ This feature requires the [`local-overlay-store` experimental feature](@docroot@/development/experimental-features.md#xp-feature-local-overlay-store). +- New command `nix-nswrapper` in `libexec` [#15183](https://github.com/NixOS/nix/pull/15183) + + The new command `libexec/nix-nswrapper` is used to run the Nix daemon in an unprivileged user namespace on Linux. In order to use this command, build user UIDs and GIDs must be allocated in `/etc/subuid` and `/etc/subgid`. + + It can be used to run the Nix daemon with full sandboxing without executing as root. Support has been added to Nixpkgs with the new `nix.daemonUser` and `nix.daemonGroup` settings. + - New setting `ignore-gc-delete-failure` for local stores [#15054](https://github.com/NixOS/nix/pull/15054) A new local store setting [`ignore-gc-delete-failure`](@docroot@/store/types/local-store.md#store-local-store-ignore-gc-delete-failure) has been added.
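Review bot: In the `@@ -157,6 +103,62 @@` hunk, the "Errors returned from your primops are not treated as recoverable by default" entry lists the old five-step sequence but never says what step 3 does in 2.34. "Remembers the error in the thunk" implies that forcing the thunk again yields the stored error without re-invoking the primop; please state that in one sentence after the list, since embedders have to infer the new behaviour from the old one. In the same hunk, the mTLS entry is the only new-feature item without a `@docroot@` link to reference documentation, and it does not say which process has to be able to read the `tls-private-key` path or what file permissions are expected; a pointer to where that is documented would help anyone deploying client keys.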
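Review bot: In the `@@ -187,9 +189,16 @@` hunk, dropping the `xz` and `bzip2` content encodings is a compatibility break but is filed under "Miscellaneous changes", and the text does not say what a user sees when a server still sends one of them. Suggest adding a sentence on the resulting failure (error or undecoded body) so operators of non-compliant caches can recognise it. The phrase "requires libcurl >= 8.17.0, which is not known to have issues" would also read better with the reason stated positively, for example that earlier versions are affected by the linked curl issue, if that is the intent.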
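Review bot: In the `@@ -127,6 +145,21 @@` hunk of PATCH 3/5, the cleanup snippet runs `rm -rf` and `git multi-pack-index repack` / `expire` against the cache without saying whether this is safe while a Nix process is fetching into `tarball-cache-v2`. Please add a line stating that it should (or need not) be run with no Nix evaluation in progress. The second bullet, "`nix nar ls` and other NAR listing operations have been optimised further", has no body; either give a one-line description of what changed or fold it into a single sentence with the PR link so it does not look truncated.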
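Review bot: In the `@@ -189,6 +226,15 @@` hunk of PATCH 3/5, the `PR_SET_PDEATHSIG` entry does not say that it is Linux-specific, although the parent-death signal is a Linux `prctl` facility; add "on Linux" to the title or first sentence so readers on other platforms do not assume the same guarantee. Two wording fixes in the same entry: the title stacks "when ... when ..." and would read better as "Prevent runaway build processes if Nix is killed with `SIGKILL` while building in a local store with build users", and "being reparented and continue running" should be "being reparented and continuing to run".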
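Review bot: In the `@@ -34,7 +34,9 @@` hunk of PATCH 4/5, the new heading "### New lint infrastructure" sits directly under a paragraph that calls the same thing "New diagnostics infrastructure", and the bullet title earlier in the file uses "diagnostics" as well. Pick one term for the heading and the prose. Since this patch also pushes the per-setting headings to `####` inside a list item, it is worth checking the rendered manual to confirm that the intended nesting survives and that the table of contents does not pick these up as top-level release-note sections.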
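Review bot: In the `@@ -123,6 +123,12 @@` hunk of PATCH 5/5, "build user UIDs and GIDs must be allocated in `/etc/subuid` and `/etc/subgid`" does not say for which account the ranges must be allocated or how many IDs are needed, which is the first thing someone setting this up has to know. Suggest naming the account (presumably the one the daemon runs as) and linking to the relevant manual section. The commit subject mentions a rootless daemon note in addition to `nix-nswrapper`, but the hunk adds a single entry; if the rootless daemon is meant to be covered by this bullet, say so in its title. "Support has been added to Nixpkgs with the new `nix.daemonUser` and `nix.daemonGroup` settings" should also clarify whether these are NixOS module options.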