We are pleased to announce the release of
Security patches
We recently released two important security patches, one for a stack-to-heap overflow and one for a path traversal.
Coroutine stack-to-heap overflow via unbounded recursion in NAR directory parser
The GHSA-vh5x-56v6-4368 vulnerability involved unbounded recursion in the NAR (Nix ARchive) parser, which could lead to a stack-to-heap overflow when the parser ran on a coroutine stack.
That stack was allocated without a guard page, so a stack overflow could overwrite memory on the heap and thus allow arbitrary code execution as the Nix daemon (which runs as root in multi-user installations) if ASLR hardening was bypassed.
The vulnerability could be exploited by any user able to connect to the Nix daemon (the set of such users is configurable via the allowed-users setting).
This is now fixed in Determinate Nix as of v3.19.1.
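The durable fix for this class of bug is to bound the parser's recursion explicitly rather than depend on the size of whatever stack it happens to run on. The following is an added example, not code from Nix or Determinate Systems: a minimal NAR reader in Python that refuses to descend past a configurable directory depth, together with a small serializer that builds deeply nested test archives. The NAR framing (8-byte little-endian length-prefixed strings, zero-padded to 8 bytes, the nix-archive-1 magic, and the "(", "type", "entry", "name", "node" tokens) follows the public format; MAX_DEPTH, NarDepthExceeded and the helper names are this example's own assumptions.

```python
import struct

# Bound on nested directory depth; a value chosen for this example, not a Nix setting.
MAX_DEPTH = 64


class NarFormatError(Exception):
    """Malformed or truncated NAR input."""


class NarDepthExceeded(NarFormatError):
    """Directory nesting deeper than the configured bound."""


def nar_str(value):
    """Encode one NAR string: 8-byte LE length, the bytes, zero-padded to a multiple of 8."""
    data = value.encode() if isinstance(value, str) else value
    return struct.pack("<Q", len(data)) + data + b"\0" * ((-len(data)) % 8)


def nar_node(node):
    """Serialize a node dict (test-data helper; it recurses, but only over trusted input)."""
    out = nar_str("(") + nar_str("type")
    if node["type"] == "regular":
        out += nar_str("regular") + nar_str("contents") + nar_str(node["contents"])
    elif node["type"] == "directory":
        out += nar_str("directory")
        for name in sorted(node["entries"]):  # NAR directory entries are sorted by name
            out += (nar_str("entry") + nar_str("(") + nar_str("name") + nar_str(name)
                    + nar_str("node") + nar_node(node["entries"][name]) + nar_str(")"))
    else:
        raise ValueError(node["type"])
    return out + nar_str(")")


def build_nar(root):
    return nar_str("nix-archive-1") + nar_node(root)


def nested_dirs(depth):
    """Constructed input: a chain of `depth` directories ending in one regular file."""
    node = {"type": "regular", "contents": b"leaf"}
    for _ in range(depth):
        node = {"type": "directory", "entries": {"d": node}}
    return node


class NarReader:
    def __init__(self, data, max_depth=MAX_DEPTH):
        self.data, self.pos, self.max_depth = data, 0, max_depth

    def read_str(self):
        if self.pos + 8 > len(self.data):
            raise NarFormatError("truncated length field")
        (n,) = struct.unpack_from("<Q", self.data, self.pos)
        start, end = self.pos + 8, self.pos + 8 + n
        if end > len(self.data):
            raise NarFormatError("truncated string")
        self.pos = end + ((-n) % 8)  # skip the zero padding
        return self.data[start:end]

    def expect(self, token):
        got = self.read_str()
        if got != token:
            raise NarFormatError(f"expected {token!r}, got {got!r}")

    def parse(self):
        self.expect(b"nix-archive-1")
        return self.parse_node(0)

    def parse_node(self, depth):
        # The check that bounds recursion: fail loudly instead of growing the stack.
        if depth > self.max_depth:
            raise NarDepthExceeded(f"nesting deeper than {self.max_depth}")
        self.expect(b"(")
        self.expect(b"type")
        kind = self.read_str()
        if kind == b"regular":
            token = self.read_str()
            if token == b"executable":  # optional marker, followed by an empty string
                self.expect(b"")
                token = self.read_str()
            if token != b"contents":
                raise NarFormatError("regular node without contents")
            node = {"type": "regular", "contents": self.read_str()}
        elif kind == b"directory":
            entries = {}
            while True:
                token = self.read_str()
                if token == b")":  # closes the directory node itself
                    return {"type": "directory", "entries": entries}
                if token != b"entry":
                    raise NarFormatError(f"unexpected token {token!r} in directory")
                self.expect(b"(")
                self.expect(b"name")
                name = self.read_str().decode()
                self.expect(b"node")
                entries[name] = self.parse_node(depth + 1)
                self.expect(b")")
        else:
            raise NarFormatError(f"unsupported node type {kind!r}")
        self.expect(b")")
        return node


def parse_nar(data, max_depth=MAX_DEPTH):
    return NarReader(data, max_depth).parse()


def nar_within_depth(data, max_depth=MAX_DEPTH):
    """True if the archive parses within the bound, False if the bound is hit."""
    try:
        parse_nar(data, max_depth)
        return True
    except NarDepthExceeded:
        return False
```

The depth check sits at the top of parse_node so that every path into the recursion passes through it; the serializer is deliberately kept as a test-data generator, since the property under test is that the reader's stack usage is bounded by max_depth no matter what the input looks like.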
Absolute path traversal when unpacking archives to disk
The GHSA-gr92-w2r5-qw5p vulnerability involved absolute path traversal when unpacking archives.
Previously, when an archive, such as a tarball, contained entries with absolute paths, commands like nix-prefetch-url --unpack and nix store prefetch-file --unpack would write to a location outside the extraction root.
This also affected the builtin:unpack-channel builtin derivation builder, but it was sandboxed the same way as regular derivation builds, which meant that in sandboxed builds it could be used to achieve an arbitrary file write on the host filesystem.
Other means of unpacking archives, such as builtins.fetchTarball, builtins.fetchTree, and tarball-based flake inputs, were not affected, since Nix stores the unpacked tarball in a bare Git repository, such as .cache/nix/tarball-cache or .cache/nix/tarball-cache-v2.
This primarily affected packagers running nix-prefetch-url --unpack on untrusted archives.
This vulnerability was present beginning in upstream Nix 2.24.7 but has been fixed in Determinate Nix as of v3.19.1.
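The rule a safe unpacker has to enforce is that every member's destination is computed relative to the extraction root and that anything landing outside it is refused; an absolute entry name defeats a naive path join outright, which is the bug described above. The following is an added example in Python, not Nix's own unpacking code: it audits a tar stream and reports the entries an extractor must reject (absolute names, ".." traversal, and links whose target escapes the root). The archive is constructed in memory for the demonstration, and the extraction root /tmp/unpack-root is a placeholder.

```python
import io
import posixpath
import tarfile


def rejection_reason(root, member):
    """Return why `member` must not be extracted under `root`, or None if it is safe."""
    name = member.name
    if posixpath.isabs(name):
        # posixpath.join(root, "/etc/x") discards root entirely: the traversal bug.
        return "absolute path"
    dest = posixpath.normpath(posixpath.join(root, name))
    if posixpath.commonpath([root, dest]) != root:
        return "escapes extraction root via .."
    if member.issym() or member.islnk():
        if posixpath.isabs(member.linkname):
            return "absolute link target"
        # Symlinks resolve relative to their own directory, hard links relative to the root.
        base = posixpath.dirname(dest) if member.issym() else root
        target = posixpath.normpath(posixpath.join(base, member.linkname))
        if posixpath.commonpath([root, target]) != root:
            return "link target escapes extraction root"
    return None


def audit_tar(tar_bytes, root):
    """Split members into (accepted names, [(name, reason)] for rejected ones)."""
    root = posixpath.normpath(root)
    if not posixpath.isabs(root):
        raise ValueError("extraction root must be absolute")
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            reason = rejection_reason(root, member)
            if reason:
                rejected.append((member.name, reason))
            else:
                accepted.append(member.name)
    return accepted, rejected


def build_sample_tar():
    """Constructed archive mixing benign entries with the patterns an unpacker must refuse."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name in ["pkg/README", "/etc/cron.d/evil", "../outside", "pkg/./ok"]:
            payload = b"constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("pkg/escape-link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../etc/passwd"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = audit_tar(build_sample_tar(), "/tmp/unpack-root")
    print("accepted:", ok)
    for name, reason in bad:
        print(f"rejected {name!r}: {reason}")
```

The audit only inspects member metadata, so it can run before anything touches the disk; the same checks belong in the extraction loop itself, where the member's name and link target are the only inputs that decide where a write lands.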
Device token management in Determinate Nixd
As of Determinate Nix 3.20.0, you can manage

    determinate-nixd auth token device --help

With that interface, you can
Support resuming from binary caches that don’t support ranged requests
Previously, Nix would fail a download if the connection was cut at the TCP or TLS layer, which meant that a flaky proxy could cause a store path download to fail and Nix to fall back to building it, even though a retry would most likely have succeeded.
As of v3.20.0, Determinate Nix retries these failed substitutions, which means that you don’t have to waste time building something that was cached just because a proxy cut you off early.
Relevant pull request
Add a session ID to JSON log messages
As of v3.20.0, Determinate Nix now includes a freeform string session ID (sid) in its JSON log messages, which allows anything that consumes these log messages to see which messages belong to the same session.
By default, every Nix command invocation is its own session, but you can use the session-id setting to give a group of invocations the same session (otherwise, a random UUIDv7 like 019e037b-f603-7443-8071-cfd8585ec8c6 is set as the session ID).
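To show how a log consumer would use the field, here is an added example in Python, not code from Determinate Nix: it parses the JSON log lines Nix emits with --log-format internal-json (each prefixed with "@nix "), groups them by sid, and checks that an auto-generated session ID really is a UUIDv7, whose first 48 bits carry a millisecond timestamp and so also tell you when the session started. The placement of sid as a top-level key of each message and the sample log lines are this example's assumptions; the UUID in the sample is the one quoted above, and the store path in it is a placeholder.

```python
import json
from collections import defaultdict

NIX_PREFIX = "@nix "

# Constructed sample: two invocations, the second with session-id set explicitly,
# plus a non-JSON line and a message with no session id at all.
SAMPLE_LOG = """\
@nix {"action":"msg","level":3,"msg":"evaluating derivation 'hello'","sid":"019e037b-f603-7443-8071-cfd8585ec8c6"}
@nix {"action":"msg","level":3,"msg":"building '/nix/store/<placeholder>-hello.drv'","sid":"019e037b-f603-7443-8071-cfd8585ec8c6"}
warning: not a JSON log line, passed through untouched
@nix {"action":"msg","level":3,"msg":"checking flake output 'packages'","sid":"ci-run-42"}
@nix {"action":"msg","level":3,"msg":"checking flake output 'checks'","sid":"ci-run-42"}
@nix {"action":"msg","level":0,"msg":"message from a build without a session id"}
"""


def parse_nix_json(text):
    """Yield the message dict of every `@nix {...}` line; other lines are skipped."""
    for line in text.splitlines():
        if not line.startswith(NIX_PREFIX):
            continue
        try:
            yield json.loads(line[len(NIX_PREFIX):])
        except json.JSONDecodeError:
            continue  # a truncated or corrupted line should not stop the consumer


def group_by_session(text):
    """Map session id -> list of messages; messages without `sid` are collected under None."""
    sessions = defaultdict(list)
    for msg in parse_nix_json(text):
        sessions[msg.get("sid")].append(msg)
    return dict(sessions)


def is_uuidv7(value):
    """Check the textual UUID layout, the version nibble (7) and the RFC 4122 variant bits."""
    value = value.lower()
    parts = value.split("-")
    if [len(p) for p in parts] != [8, 4, 4, 4, 12]:
        return False
    try:
        int(value.replace("-", ""), 16)
    except ValueError:
        return False
    return parts[2][0] == "7" and parts[3][0] in "89ab"


def uuidv7_timestamp_ms(value):
    """UUIDv7 stores Unix time in milliseconds in its first 48 bits."""
    if not is_uuidv7(value):
        raise ValueError("not a UUIDv7")
    return int(value.replace("-", "")[:12], 16)


if __name__ == "__main__":
    for sid, msgs in group_by_session(SAMPLE_LOG).items():
        started = uuidv7_timestamp_ms(sid) if sid and is_uuidv7(sid) else None
        print(f"session {sid!r}: {len(msgs)} messages, started_ms={started}")
```

Because session-id is a freeform string, a consumer should treat the UUIDv7 check as a hint about where the ID came from (auto-generated versus set by a wrapper script), not as validation that rejects custom values.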
Relevant pull request
Determinate Nix Installer improvement
In v3.20.0, one of our friends at Shopify submitted a PR that fixed an issue where Determinate Nix Installer would force-unmount the /nix directory on macOS even when it’s already correctly mounted, which would cause any process with code or libraries mapped from /nix/store to crash with SIGBUS mid-install.
The fix adds a precondition check that skips the unmount when the volume is already mounted at the expected location.
Relevant pull request
Sentry integration
As of v3.18.0, Determinate Nix now uploads anonymized crash reports to Sentry, the same application monitoring platform that we use for
Relevant pull request
How to get Determinate Nix
If you already have

    sudo determinate-nixd upgrade

If you don’t yet have Determinate Nix installed, you can upgrade or migrate to Determinate Nix on macOS using our graphical installer:
Install Determinate Nix on macOS now 🍎
With support for Apple Silicon (aarch64-darwin)
On Linux:
    curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | \
      sh -s -- install --determinate

On NixOS, we recommend using our
On GitHub Actions:
    on:
      pull_request:
      workflow_dispatch:
      push:
        branches:
          - main

    jobs:
      nix-ci:
        runs-on: ubuntu-latest
        # Include this block to log in to FlakeHub and access private flakes
        permissions:
          id-token: write
          contents: read
        steps:
          - uses: actions/checkout@v5
          - uses: DeterminateSystems/flake-checker-action@main
          - uses: DeterminateSystems/determinate-nix-action@v3
          - uses: DeterminateSystems/flakehub-cache-action@main
          - run: nix flake check

In Amazon Web Services:

    data "aws_ami" "detsys_nixos" {
      most_recent = true
      owners      = ["535002876703"]

      filter {
        name   = "name"
        values = ["determinate/nixos/epoch-1/*"]
      }

      filter {
        name   = "architecture"
        values = ["x86_64"]
      }
    }