The most important part up front: Determinate Nix 3.17.3 includes an important and coordinated security update for a critical vulnerability in Nix. Please update as soon as possible. See below for details.
I’m pleased to announce the release of Determinate Nix 3.17.3. Let’s take a look at what is included in this release, including a few changes from 3.17.1 and 3.17.2 that we didn’t mention in their changelogs.
Determinate Nix improvements
Fix for GHSA-g3g9-5vj6-r3gj: root privilege escalation via the Nix daemon
This release contains a critical fix for a security vulnerability on Linux that allows any user that has access to the Nix daemon to obtain root privileges. This vulnerability affects all versions of Determinate Nix prior to 3.17.3, and all versions of upstream Nix prior to 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6. All Linux users are advised to upgrade immediately.
For more details, see the upstream advisory for GHSA-g3g9-5vj6-r3gj. Many thanks to edef for reporting this issue and to Sergei Zimmerman for implementing the fix.
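The check below is an added example, not code from the Determinate Systems post: it classifies a Nix version string against the fixed releases listed above (Determinate Nix 3.17.3; upstream 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, 2.28.6), so a fleet inventory script can flag hosts that still need the upgrade. It assumes the version number has already been extracted from `nix --version` output.

```shell
#!/bin/sh
# Added example, not code from the Determinate Systems post: classify a Nix
# version string against the fixed releases named in the advisory section.
# Determinate Nix: fixed in 3.17.3. Upstream Nix: fixed in 2.34.5, 2.33.4,
# 2.32.7, 2.31.4, 2.30.4, 2.29.3 and 2.28.6 for their respective series.

# ver_ge A B: exit 0 if dotted version A >= B, comparing components numerically.
ver_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}" bi="${b%%.*}"
        [ "$ai" = "$a" ] && a="" || a="${a#*.}"
        [ "$bi" = "$b" ] && b="" || b="${b#*.}"
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}

# nix_fix_status VERSION: prints "fixed", "vulnerable" or "unknown" (a series
# with no fixed release listed in the post). A leading "v" tag prefix is accepted.
nix_fix_status() {
    v="${1#v}"
    case "$v" in
        3.*)    min="3.17.3" ;;   # Determinate Nix series
        2.34.*) min="2.34.5" ;;
        2.33.*) min="2.33.4" ;;
        2.32.*) min="2.32.7" ;;
        2.31.*) min="2.31.4" ;;
        2.30.*) min="2.30.4" ;;
        2.29.*) min="2.29.3" ;;
        2.28.*) min="2.28.6" ;;
        *)      echo unknown; return 2 ;;
    esac
    if ver_ge "$v" "$min"; then
        echo fixed
    else
        echo vulnerable
        return 1
    fi
}

# Usage (assumes the first x.y.z in `nix --version` is the version to check):
#   nix_fix_status "$(nix --version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)"
if [ "$#" -gt 0 ]; then
    nix_fix_status "$1"
fi
```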
Avoiding duplicate source tree downloads
When multiple Nix processes (like nix-eval-jobs instances) fetch the same source tree at the same time, it was previously possible for each process to perform the download independently, resulting in wasteful repeated downloads of the same source tree. Nix now uses a per-source-tree lock to ensure that only one process performs the download.
Flake inputs are substituted when possible
Locked flake inputs are fetched from a binary cache when possible instead of preferring the authoritative flake source. This is intended to reduce load on code forges and also improves the user experience on large flake inputs.
Git shallow fetching
Nix now removes Git’s shallow.lock lock file before running git fetch.
This prevents fetches from hanging if Git was previously interrupted.
WAT support in builtins.wasm
builtins.wasm now supports WebAssembly Text Format (WAT) in addition to binary Wasm modules.
This is primarily useful for testing.
nix profile upgrade and nix profile remove now support tab completion
nix.conf and netrc improvements
Determinate Nix’s daemon monitors the user’s nix.custom.conf for changes.
Previously, a dead symlink caused the daemon to shut down.
Similarly, the daemon would refuse to start if an additional netrc entry was invalid. Now, the daemon ignores these errors and logs a warning instead.
Improved update detection
Previously, Determinate Nix would occasionally take a long time to detect that an upgrade is available. Determinate Nix now detects updates much more reliably.
In addition, the determinate-nixd upgrade --version ... command no longer requires a leading v when specifying the tag.
Flake schemas can now define an output as “legacy”
“Legacy” flakes are intended for legacyPackages on Nixpkgs.
The “legacy” mark is intended to reduce evaluation time due to the extreme size of legacyPackages.
Please note that the name “legacy” is not intended as a value judgement, and at this point we’re sort of stuck with the name.
Debugging improvements
Certain C++ exceptions that should never happen (like std::logic_error) are now treated as aborts, providing stack traces and core dumps that are easier to debug.
Other bug fixes
- nix develop respects legacyPackages again. DeterminateSystems/nix-src#413
- The lookupPathResolved data structure has been made thread-safe. DeterminateSystems/nix-src#415
- Fix crash in nix repl loading an invalid WASM file twice. DeterminateSystems/nix-src#378
- nix-env -i: Wait for the async path writer. DeterminateSystems/nix-src#385
- Cache getLegacyGitAccessor(). DeterminateSystems/nix-src#396
- Don’t destroy windowSize mutex. DeterminateSystems/nix-src#397
- builtins.getFlake: Handle path:<p> where p has a discarded string context. DeterminateSystems/nix-src#402
- Ensure _interruptCallbacks is alive while signalHandlerThread is running. DeterminateSystems/nix-src#403
- Fix assertion failure in nix::BuiltPath::toRealisedPaths(). DeterminateSystems/nix-src#401
Full changelog: v3.17.2…v3.17.3
New AWS regions for NixOS with Determinate Nix AMIs
Our NixOS with Determinate Nix AMIs are now available in all AWS GovCloud and AWS European Sovereign Cloud regions.
Please note that due to geopolitical circumstances, our AMIs are not guaranteed to be available or up to date in the me-south-1 and me-central-1 regions.
How to get Determinate Nix
If you already have Determinate Nix installed, you can upgrade to 3.17.3 with one Determinate Nixd command:
sudo determinate-nixd upgrade

If you don’t yet have Determinate Nix installed, you can upgrade or migrate to Determinate Nix on macOS using our graphical installer:
Install Determinate Nix on macOS now 🍎
With support for Apple Silicon (aarch64-darwin)
On Linux:
curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | \
  sh -s -- install --determinate

On NixOS, we recommend using our dedicated NixOS module or our NixOS ISO (NixOS installer for x86_64, NixOS installer for ARM) with Determinate Nix pre-installed.
On GitHub Actions:
on:
  pull_request:
  workflow_dispatch:
  push:
    branches:
      - main

jobs:
  nix-ci:
    runs-on: ubuntu-latest
    # Include this block to log in to FlakeHub and access private flakes
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v6
      - uses: DeterminateSystems/flake-checker-action@main
      - uses: DeterminateSystems/determinate-nix-action@v3
      - uses: DeterminateSystems/flakehub-cache-action@v3
      - run: nix flake check

In Amazon Web Services:
data "aws_ami" "detsys_nixos" {
  most_recent = true
  owners      = ["535002876703"]

  filter {
    name   = "name"
    values = ["determinate/nixos/epoch-1/*"]
  }

  filter {
    name   = "architecture"
    values = ["x86_64"]
  }
}