Upcoming release
Breaking Changes
- `builtins.floor`/`builtins.ceil` handle out-of-range inputs correctly nix#12899 nix#13013 cl/3923

  Previously, `builtins.floor` and `builtins.ceil` always cast the input into a floating point value before running the operation and casting the floating point result back into an integer. No checks were made for precision loss in either coercing integer inputs or converting the output to an integer (and in fact, in the latter case, invoked undefined behaviour).

  Now, Lix checks for precision loss on integer input (to avoid a silent eval semantics change if we were to simply pass it through as-is) and on integer output. If your code fails to evaluate after this change, use `--extra-deprecated-features floor-ceil-corrupt-integers`.

  Many thanks to jade, NaN-git, and rootile (Rutile) for this.
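A model of the checks described above, written as an added example rather than Lix's own implementation: integers are taken to be 64-bit, `corrupt_integers=True` stands in for the deprecated feature on the input side only (the unchecked output cast was undefined behaviour and is not modelled), and `outcome` reports "precision loss" wherever the new checks would make evaluation fail.

```python
import math

# Lix integers are 64-bit signed.
INT64_MIN, INT64_MAX = -(1 << 63), (1 << 63) - 1


class PrecisionLoss(ValueError):
    """Raised where the new builtins.floor/builtins.ceil refuse to corrupt an integer."""


def _int_to_double(n: int, corrupt_integers: bool) -> float:
    # A double has a 53-bit mantissa, so not every int64 survives the conversion.
    f = float(n)
    if int(f) != n and not corrupt_integers:
        raise PrecisionLoss(f"integer {n} cannot be represented exactly as a double")
    return f  # with corrupt_integers=True this is the silent old behaviour


def _double_to_int64(r: int) -> int:
    # r is the exact result of floor/ceil; the old code cast it to int64 unchecked,
    # which is undefined behaviour in C when the value does not fit.
    if not INT64_MIN <= r <= INT64_MAX:
        raise PrecisionLoss(f"result {r} is outside the 64-bit integer range")
    return r


def _round(x, op, corrupt_integers):
    if isinstance(x, bool) or not isinstance(x, (int, float)):
        raise TypeError("floor/ceil expect an integer or a float")
    if isinstance(x, int):
        x = _int_to_double(x, corrupt_integers)
    if math.isnan(x) or math.isinf(x):
        raise PrecisionLoss(f"{x} has no integer value")
    return _double_to_int64(op(x))  # math.floor/math.ceil return exact Python ints


def nix_floor(x, corrupt_integers=False):
    """Model of builtins.floor; corrupt_integers=True mimics the deprecated feature."""
    return _round(x, math.floor, corrupt_integers)


def nix_ceil(x, corrupt_integers=False):
    """Model of builtins.ceil."""
    return _round(x, math.ceil, corrupt_integers)


def outcome(fn, x, **kw):
    """Return the result, or 'precision loss' where Lix would now fail to evaluate."""
    try:
        return fn(x, **kw)
    except PrecisionLoss:
        return "precision loss"
```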
- Shadowing internal files through the Nix search path is now an error lix#998 cl/4632 cl/5370

  As Lix uses the path `<nix/fetchurl.nix>` for bootstrapping purposes, the ability to shadow it by adding `nix=/some/path` (or `/other/path` that contains a `nix` directory) to the search path is not desirable.

  Lix 2.95 deprecated this behavior with a warning; Lix 2.96 now turns it into a hard error if the `nix-path-shadow` deprecated feature isn't enabled. This deprecated feature is slated to be removed in Lix 2.98.

  Many thanks to Tom Hubrecht, jade, and eldritch horrors for this.
- Changes to `flake.nix` validation nix#4945 cl/5523

  Flakes try to keep their inputs and metadata "simple", to make sure no unbounded computation may happen when calling e.g. `nix flake show`. Those checks were haphazard, a maintenance burden, and also easily circumventable.

  Lix has now replaced all the old checks by a simple rule: no function calls outside of `outputs`. This is easier to reason about than the previous set of inconsistent rules, and crucially now also allows syntax features that users felt should have worked in the past, like let bindings. However, some warts still remain for now: some syntax constructs like `-1` internally desugar to `__sub 0 1`, which is a function call and thus remains forbidden. This will be rectified as soon as the deprecation period of the respective anti-features has been completed.

  This change is breaking in the sense that flakes which are written with the newly allowed language features will not evaluate with an older Lix version which still uses the old, more restrictive checks. Crucially, this also affects all transitive dependants of such flakes.

  Many thanks to piegames, Qyriad, and eldritch horrors for this.
Features
- Allow setting nested attributes via `--arg`/`--argstr` lix#496 cl/5338

  Passing `--arg config.allowUnfree true` to e.g. `nix-build` now results in `config` with value `{ allowUnfree = true; }` passed to the expression.

  Many thanks to ma27 for this.
Improvements
- Allow moving between stack frames relative to current debugger frame lix#1156 cl/5411

  Debugging functional programs often involves switching between a bunch of stack frames to get the full context of what's happening and who's calling whom. Before this change, going up or down the stack in the nix debugger with `:st` meant remembering the absolute index of each stack frame, instead of their positions relative to one another; this got tiring fast.

  Now, you can prefix `:st`'s argument with a + or - sign to indicate you want to move relative to the current stack frame. For example, typing `:st +3` when you were on frame 10 will go to frame 13; vice versa, typing `:st -4` on frame 6 will go to frame 2.

  Many thanks to blokyk for this.
- Print REPL backtraces in more convenient order cl/5491

  When using the debugger, stack traces printed with the `:bt` command were previously printed in reverse order compared to most other situations where they appear: the current stack frame would be printed at the very top, with the outermost frame at the bottom, meaning that you'd have to scroll up to get a sense of where you are.

  With this change, the stack frames are printed such that the most relevant ones are immediately visible at the bottom, just like other traces in Lix (e.g. ones caused by errors).

  Many thanks to blokyk for this.
- Invalid arguments to `:st` now print an error cl/5386

  When using the debugger, the `:st` command used to traverse the call stack would silently fail and put the debugger in an invalid state if the argument given to it wasn't a valid stack frame index.

  This change adds an error message warning the user if the given index wasn't a valid frame (telling them the range of valid indices), as well as if it wasn't even a valid integer to begin with.

  Many thanks to blokyk for this.
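The three debugger items above (relative `:st` moves, `:bt` ordering, and error reporting for bad `:st` arguments) in one small model, added here as an example and not taken from Lix's debugger code. It assumes frames are numbered outermost-first from 0, which is this model's convention rather than documented Lix behaviour.

```python
class StackNavigator:
    """Toy model of the debugger's `:st` and `:bt` frame handling (added example, not Lix code).

    Frames are stored outermost-first: index 0 is the outermost frame and the last index is the
    innermost one. That numbering is an assumption of this model, not documented Lix behaviour.
    """

    def __init__(self, frames):
        self.frames = list(frames)
        if not self.frames:
            raise ValueError("a debugger stack needs at least one frame")
        self.current = len(self.frames) - 1      # the debugger starts at the innermost frame

    def st(self, arg: str) -> int:
        """Select a frame: a plain integer is an absolute index, '+n' / '-n' move relative to
        the current frame. Raises ValueError naming the valid range on bad input."""
        text = arg.strip()
        relative = text[:1] in ("+", "-")
        try:
            n = int(text)                         # int() accepts the leading sign itself
        except ValueError:
            raise ValueError(f"':st' expects an integer, got '{arg}'") from None
        target = self.current + n if relative else n
        if not 0 <= target < len(self.frames):
            raise ValueError(
                f"frame {target} does not exist; valid frames are 0..{len(self.frames) - 1}"
            )
        self.current = target
        return target

    def try_st(self, arg: str):
        """Like st(), but return the error text instead of raising (handy for checking)."""
        try:
            return self.st(arg)
        except ValueError as e:
            return str(e)

    def bt(self) -> list:
        """Backtrace in the new order: outermost frame first, innermost (most relevant) last,
        so the frames you care about sit at the bottom of the output; '->' marks the current one."""
        return [f"{'->' if i == self.current else '  '} {i}: {name}"
                for i, name in enumerate(self.frames)]
```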
Fixes
- `builtins.break` doesn't break expressions anymore lix#1165 cl/5422

  Wrapping an expression in `builtins.break` used to break some builtins like `map` and the `is*` functions, which could inadvertently modify the execution path of code, made debugging nix harder than it already is, and in some cases even crashed the interpreter. Now, using `break` should be completely transparent to whatever function receives it as an input, preventing the above-mentioned issues.

  Many thanks to blokyk for this.
- Flake config warnings are now printed to stderr lix#1155 cl/5379

  The settings listed in a flake-config confirmation prompt are now printed to stderr rather than stdout, which allows `nix print-dev-env` to emit valid bash again even in the presence of untrusted settings.

  Many thanks to lheckemann for this.
- Fix unsigned overflow leading to out-of-band write in the NAR parser cl/5554

  The NAR parser contained an unsigned integer overflow that could be used by an attacker to write arbitrary data to an unknown memory location and possibly achieve code execution. A successful attack on the system-wide Lix daemon could lead to privilege escalation to root. Any process that involves NAR serialization could trigger this issue, including (but not limited to):

  - local user interaction, whether the users are trusted or untrusted
  - malicious substituters sending malformed NARs
  - remote builders sending malformed build results
  - remote daemons sending malformed inputs when requesting remote builds

  Successful attacks using this bug require ASLR weakening of some sort, whether by architecture constraints (e.g. on 32-bit systems, where little randomization is possible) or system configuration (e.g. low ASLR entropy when loading libraries), and millions of attempts. Local attacks can be mounted in less than an hour. Remote builds typically require a fresh SSH connection for each build and are thus less susceptible. Substituters get only one attempt per build that uses them, so they are not a likely vector for attacks.

  At the time of writing, MITRE has not assigned this a CVE yet.

  Many thanks to eldritch horrors, Raito Bezarius, edef, and sandydoo for this.
Packaging
- Lix now requires lowdown 1.4.0 or later cl/5374

  Support for linking against `lowdown < 1.4.0` has been removed from Lix since all supported Nixpkgs channels distribute lowdown 2.0.4 or later.

  Many thanks to sterni for this.
Miscellany
- libexpr: allow empty attr-names in parseAttrPath if they are quoted cl/5375

  Empty strings are now allowed in attribute paths as consumed by e.g. `nix-build`, i.e. `nix-build -A 'foo."".bar'` works now. The quotes are necessary: `nix-build -A foo..bar` will throw an error.

  Many thanks to ma27 for this.
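An attribute-path parser covering both this item and the `--arg`/`--argstr` nested-attribute feature above, added here as an example and not taken from Lix's `parseAttrPath`: quoted names may be empty or contain dots, an unquoted empty name such as `foo..bar` is rejected, and `nest_value` turns `--arg config.allowUnfree true` into the nested set the expression receives. The set of names that may be written unquoted is an assumption of this model.

```python
import re

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_'-]*$")  # names written unquoted in Nix (assumption)

def parse_attr_path(path: str) -> list:
    """Split 'foo."".bar' into ['foo', '', 'bar']; an unquoted empty name ('foo..bar') is an error."""
    parts, current, quoted, i = [], "", False, 0
    while True:
        if i < len(path) and path[i] == '"':          # quoted name: may be empty, may contain dots
            end = path.find('"', i + 1)
            if end < 0:
                raise ValueError(f"unterminated quoted attribute name in '{path}'")
            current += path[i + 1:end]
            quoted, i = True, end + 1
        elif i == len(path) or path[i] == ".":        # end of a component
            if current == "" and not quoted:
                raise ValueError(f"empty attribute name in selection path '{path}'")
            parts.append(current)
            if i == len(path):
                return parts
            current, quoted, i = "", False, i + 1
        else:
            current += path[i]
            i += 1

def nest_value(path: str, value) -> dict:
    """--arg config.allowUnfree true  ->  {'config': {'allowUnfree': True}}"""
    result = value
    for name in reversed(parse_attr_path(path)):
        result = {name: result}
    return result

def _nix_name(name: str) -> str:
    return name if _IDENT.match(name) else '"' + name + '"'

def to_nix(value) -> str:
    """Render a bool/int/dict as Nix source, e.g. { config = { allowUnfree = true; }; }."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, dict):
        return "{ " + " ".join(f"{_nix_name(k)} = {to_nix(v)};" for k, v in value.items()) + " }"
    return str(value)

def path_status(path: str) -> str:
    """'ok' if the path parses (what nix-build -A now accepts), otherwise the error text."""
    try:
        parse_attr_path(path)
        return "ok"
    except ValueError as e:
        return str(e)
```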