diff options
Diffstat (limited to 'nixos/doc/manual/release-notes/rl-1609.xml')
| -rw-r--r-- | nixos/doc/manual/release-notes/rl-1609.xml | 372 |
1 files changed, 205 insertions, 167 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1609.xml b/nixos/doc/manual/release-notes/rl-1609.xml index 893f894f42fe..4a2343edc970 100644 --- a/nixos/doc/manual/release-notes/rl-1609.xml +++ b/nixos/doc/manual/release-notes/rl-1609.xml @@ -3,237 +3,275 @@ xmlns:xi="http://www.w3.org/2001/XInclude" version="5.0" xml:id="sec-release-16.09"> + <title>Release 16.09 (“Flounder”, 2016/09/30)</title> -<title>Release 16.09 (“Flounder”, 2016/09/30)</title> - -<para>In addition to numerous new and upgraded packages, this release -has the following highlights: </para> - -<itemizedlist> + <para> + In addition to numerous new and upgraded packages, this release has the + following highlights: + </para> + <itemizedlist> <listitem> - <para>Many NixOS configurations and Nix packages now use - significantly less disk space, thanks to the <link + <para> + Many NixOS configurations and Nix packages now use significantly less disk + space, thanks to the + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/7117">extensive - work on closure size reduction</link>. For example, the closure - size of a minimal NixOS container went down from ~424 MiB in 16.03 - to ~212 MiB in 16.09, while the closure size of Firefox went from - ~651 MiB to ~259 MiB.</para> + work on closure size reduction</link>. For example, the closure size of a + minimal NixOS container went down from ~424 MiB in 16.03 to ~212 MiB in + 16.09, while the closure size of Firefox went from ~651 MiB to ~259 MiB. + </para> </listitem> - <listitem> - <para>To improve security, packages are now <link + <para> + To improve security, packages are now + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/12895">built - using various hardening features</link>. See the Nixpkgs manual - for more information.</para> + using various hardening features</link>. See the Nixpkgs manual for more + information. + </para> </listitem> - <listitem> - <para>Support for PXE netboot. See <xref - linkend="sec-booting-from-pxe" /> for documentation.</para> + <para> + Support for PXE netboot. See <xref + linkend="sec-booting-from-pxe" /> + for documentation. + </para> </listitem> - <listitem> - <para>X.org server 1.18. If you use the - <literal>ati_unfree</literal> driver, 1.17 is still used due to an - ABI incompatibility.</para> + <para> + X.org server 1.18. If you use the <literal>ati_unfree</literal> driver, + 1.17 is still used due to an ABI incompatibility. + </para> </listitem> - <listitem> - <para>This release is based on Glibc 2.24, GCC 5.4.0 and systemd - 231. The default Linux kernel remains 4.4.</para> + <para> + This release is based on Glibc 2.24, GCC 5.4.0 and systemd 231. The default + Linux kernel remains 4.4. + </para> </listitem> + </itemizedlist> -</itemizedlist> - -<para>The following new services were added since the last release:</para> + <para> + The following new services were added since the last release: + </para> -<itemizedlist> - <listitem><para><literal>(this will get automatically generated at release time)</literal></para></listitem> -</itemizedlist> - -<para>When upgrading from a previous release, please be aware of the -following incompatible changes:</para> + <itemizedlist> + <listitem> + <para> + <literal>(this will get automatically generated at release time)</literal> + </para> + </listitem> + </itemizedlist> -<itemizedlist> + <para> + When upgrading from a previous release, please be aware of the following + incompatible changes: + </para> + <itemizedlist> <listitem> - <para>A large number of packages have been converted to use the multiple outputs feature - of Nix to greatly reduce the amount of required disk space, as - mentioned above. This may require changes - to any custom packages to make them build again; see the relevant chapter in the - Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions - related to multiple-output packages - <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were changed</link> - late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.) - </para> + <para> + A large number of packages have been converted to use the multiple outputs + feature of Nix to greatly reduce the amount of required disk space, as + mentioned above. This may require changes to any custom packages to make + them build again; see the relevant chapter in the Nixpkgs manual for more + information. (Additional caveat to packagers: some packaging conventions + related to multiple-output packages + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were + changed</link> late (August 2016) in the release cycle and differ from the + initial introduction of multiple outputs.) + </para> </listitem> - <listitem> - <para>Previous versions of Nixpkgs had support for all versions of the LTS + <para> + Previous versions of Nixpkgs had support for all versions of the LTS Haskell package set. That support has been dropped. The previously provided <literal>haskell.packages.lts-x_y</literal> package sets still exist in name to aviod breaking user code, but these package sets don't actually contain the versions mandated by the corresponding LTS release. Instead, our package set it loosely based on the latest available LTS release, i.e. LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will - drop those old names entirely. <link + drop those old names entirely. + <link xlink:href="https://nixos.org/nix-dev/2016-June/020585.html">The motivation for this change</link> has been discussed at length on the - <literal>nix-dev</literal> mailing list and in <link - xlink:href="https://github.com/NixOS/nixpkgs/issues/14897">Github issue - #14897</link>. Development strategies for Haskell hackers who want to rely - on Nix and NixOS have been described in <link + <literal>nix-dev</literal> mailing list and in + <link + xlink:href="https://github.com/NixOS/nixpkgs/issues/14897">Github + issue #14897</link>. Development strategies for Haskell hackers who want to + rely on Nix and NixOS have been described in + <link xlink:href="https://nixos.org/nix-dev/2016-June/020642.html">another - nix-dev article</link>.</para> + nix-dev article</link>. + </para> </listitem> - <listitem> - <para>Shell aliases for systemd sub-commands - <link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were dropped</link>: - <command>start</command>, <command>stop</command>, - <command>restart</command>, <command>status</command>.</para> + <para> + Shell aliases for systemd sub-commands + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were + dropped</link>: <command>start</command>, <command>stop</command>, + <command>restart</command>, <command>status</command>. + </para> </listitem> - <listitem> - <para>Redis now binds to 127.0.0.1 only instead of listening to all network interfaces. This is the default - behavior of Redis 3.2</para> + <para> + Redis now binds to 127.0.0.1 only instead of listening to all network + interfaces. This is the default behavior of Redis 3.2 + </para> </listitem> - <listitem> - <para> - <literal>/var/empty</literal> is now immutable. Activation script runs <command>chattr +i</command> - to forbid any modifications inside the folder. See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18365"> - the pull request</link> for what bugs this caused. - </para> + <para> + <literal>/var/empty</literal> is now immutable. Activation script runs + <command>chattr +i</command> to forbid any modifications inside the folder. + See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18365"> the + pull request</link> for what bugs this caused. + </para> </listitem> - <listitem> - <para>Gitlab's maintainance script - <command>gitlab-runner</command> was removed and split up into the - more clearer <command>gitlab-run</command> and + <para> + Gitlab's maintainance script <command>gitlab-runner</command> was removed + and split up into the more clearer <command>gitlab-run</command> and <command>gitlab-rake</command> scripts, because - <command>gitlab-runner</command> is a component of Gitlab - CI.</para> + <command>gitlab-runner</command> is a component of Gitlab CI. + </para> </listitem> - <listitem> - <para><literal>services.xserver.libinput.accelProfile</literal> default - changed from <literal>flat</literal> to <literal>adaptive</literal>, - as per <link xlink:href="https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79"> - official documentation</link>.</para> + <para> + <literal>services.xserver.libinput.accelProfile</literal> default changed + from <literal>flat</literal> to <literal>adaptive</literal>, as per + <link xlink:href="https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79"> + official documentation</link>. + </para> </listitem> - <listitem> - <para><literal>fonts.fontconfig.ultimate.rendering</literal> was removed - because our presets were obsolete for some time. New presets are hardcoded - into FreeType; you can select a preset via <literal>fonts.fontconfig.ultimate.preset</literal>. - You can customize those presets via ordinary environment variables, using - <literal>environment.variables</literal>.</para> + <para> + <literal>fonts.fontconfig.ultimate.rendering</literal> was removed because + our presets were obsolete for some time. New presets are hardcoded into + FreeType; you can select a preset via + <literal>fonts.fontconfig.ultimate.preset</literal>. You can customize + those presets via ordinary environment variables, using + <literal>environment.variables</literal>. + </para> </listitem> - <listitem> - <para>The <literal>audit</literal> service is no longer enabled by default. - Use <literal>security.audit.enable = true</literal> to explicitly enable it.</para> + <para> + The <literal>audit</literal> service is no longer enabled by default. Use + <literal>security.audit.enable = true</literal> to explicitly enable it. + </para> </listitem> - <listitem> - <para> - <literal>pkgs.linuxPackages.virtualbox</literal> now contains only the - kernel modules instead of the VirtualBox user space binaries. - If you want to reference the user space binaries, you have to use the new - <literal>pkgs.virtualbox</literal> instead. - </para> + <para> + <literal>pkgs.linuxPackages.virtualbox</literal> now contains only the + kernel modules instead of the VirtualBox user space binaries. If you want + to reference the user space binaries, you have to use the new + <literal>pkgs.virtualbox</literal> instead. + </para> </listitem> - <listitem> - <para><literal>goPackages</literal> was replaced with separated Go - applications in appropriate <literal>nixpkgs</literal> - categories. Each Go package uses its own dependency set. There's - also a new <literal>go2nix</literal> tool introduced to generate a - Go package definition from its Go source automatically.</para> + <para> + <literal>goPackages</literal> was replaced with separated Go applications + in appropriate <literal>nixpkgs</literal> categories. Each Go package uses + its own dependency set. There's also a new <literal>go2nix</literal> tool + introduced to generate a Go package definition from its Go source + automatically. + </para> </listitem> - <listitem> - <para><literal>services.mongodb.extraConfig</literal> configuration format - was changed to YAML.</para> + <para> + <literal>services.mongodb.extraConfig</literal> configuration format was + changed to YAML. + </para> </listitem> - <listitem> - <para> - PHP has been upgraded to 7.0 - </para> + <para> + PHP has been upgraded to 7.0 + </para> </listitem> -</itemizedlist> - - -<para>Other notable improvements:</para> - -<itemizedlist> + </itemizedlist> - <listitem><para>Revamped grsecurity/PaX support. There is now only a single - general-purpose distribution kernel and the configuration interface has been - streamlined. Desktop users should be able to simply set - <programlisting>security.grsecurity.enable = true</programlisting> to get - a reasonably secure system without having to sacrifice too much - functionality. - </para></listitem> + <para> + Other notable improvements: + </para> - <listitem><para>Special filesystems, like <literal>/proc</literal>, - <literal>/run</literal> and others, now have the same mount options - as recommended by systemd and are unified across different places in - NixOS. Mount options are updated during <command>nixos-rebuild - switch</command> if possible. One benefit from this is improved - security — most such filesystems are now mounted with - <literal>noexec</literal>, <literal>nodev</literal> and/or - <literal>nosuid</literal> options.</para></listitem> - - <listitem><para>The reverse path filter was interfering with DHCPv4 server - operation in the past. An exception for DHCPv4 and a new option to log - packets that were dropped due to the reverse path filter was added - (<literal>networking.firewall.logReversePathDrops</literal>) for easier - debugging.</para></listitem> - - <listitem><para>Containers configuration within - <literal>containers.<name>.config</literal> is <link + <itemizedlist> + <listitem> + <para> + Revamped grsecurity/PaX support. There is now only a single general-purpose + distribution kernel and the configuration interface has been streamlined. + Desktop users should be able to simply set +<programlisting>security.grsecurity.enable = true</programlisting> + to get a reasonably secure system without having to sacrifice too much + functionality. + </para> + </listitem> + <listitem> + <para> + Special filesystems, like <literal>/proc</literal>, <literal>/run</literal> + and others, now have the same mount options as recommended by systemd and + are unified across different places in NixOS. Mount options are updated + during <command>nixos-rebuild switch</command> if possible. One benefit + from this is improved security — most such filesystems are now mounted + with <literal>noexec</literal>, <literal>nodev</literal> and/or + <literal>nosuid</literal> options. + </para> + </listitem> + <listitem> + <para> + The reverse path filter was interfering with DHCPv4 server operation in the + past. An exception for DHCPv4 and a new option to log packets that were + dropped due to the reverse path filter was added + (<literal>networking.firewall.logReversePathDrops</literal>) for easier + debugging. + </para> + </listitem> + <listitem> + <para> + Containers configuration within + <literal>containers.<name>.config</literal> is + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/17365">now - properly typed and checked</link>. In particular, partial - configurations are merged correctly.</para></listitem> - + properly typed and checked</link>. In particular, partial configurations + are merged correctly. + </para> + </listitem> <listitem> - <para>The directory container setuid wrapper programs, - <filename>/var/setuid-wrappers</filename>, <link + <para> + The directory container setuid wrapper programs, + <filename>/var/setuid-wrappers</filename>, + <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now - updated atomically to prevent failures if the switch to a new - configuration is interrupted.</link></para> + updated atomically to prevent failures if the switch to a new configuration + is interrupted.</link> + </para> </listitem> - <listitem> - <para><literal>services.xserver.startGnuPGAgent</literal> - has been removed due to GnuPG 2.1.x bump. See <link + <para> + <literal>services.xserver.startGnuPGAgent</literal> has been removed due to + GnuPG 2.1.x bump. See + <link xlink:href="https://github.com/NixOS/nixpkgs/commit/5391882ebd781149e213e8817fba6ac3c503740c"> - how to achieve similar behavior</link>. You might need to - <literal>pkill gpg-agent</literal> after the upgrade - to prevent a stale agent being in the way. - </para> + how to achieve similar behavior</link>. You might need to <literal>pkill + gpg-agent</literal> after the upgrade to prevent a stale agent being in the + way. + </para> </listitem> - - <listitem><para> + <listitem> + <para> <link xlink:href="https://github.com/NixOS/nixpkgs/commit/e561edc322d275c3687fec431935095cfc717147"> - Declarative users could share the uid due to the bug in - the script handling conflict resolution. - </link> - </para></listitem> - - <listitem><para> + Declarative users could share the uid due to the bug in the script handling + conflict resolution. </link> + </para> + </listitem> + <listitem> + <para> Gummi boot has been replaced using systemd-boot. - </para></listitem> - - <listitem><para> + </para> + </listitem> + <listitem> + <para> Hydra package and NixOS module were added for convenience. - </para></listitem> - -</itemizedlist> - - + </para> + </listitem> + </itemizedlist> </section> |