forked from mirrors/nixpkgs
a6670c1a0b
Before this commit, updating the /var/setuid-wrappers/ folder introduced a small window where NixOS activation scripts could be terminated and result in an empty /var/setuid-wrappers/ folder. That's very unfortunate because one might lose the sudo binary. Instead we use two atomic operations, mv and ln (as described in https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/), to achieve atomicity. Since /var/setuid-wrappers is not a directory anymore, tmpfs mountpoints were removed in installation scripts and in the boot process.

Tested:
- upgrade /var/setuid-wrappers/ from folder to a symlink
- make sure /run/setuid-wrappers-dirs/ legacy symlink is really deleted
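The commit message above, and the matching release-note item in the file below, describe replacing the /var/setuid-wrappers/ directory with a symlink so that the live path can be swapped with a single rename instead of being emptied and refilled. The shell script that follows is an added example written for this page, not the nixpkgs activation script itself. It shows the ln-then-mv pattern on a scratch directory, including the one-time upgrade from a real directory to a symlink that the commit's "Tested" list mentions. The path layout ($base/wrappers and $base/wrappers-dirs/<generation>), the function name publish_wrappers and the dummy wrapper file are assumptions for illustration; the script relies on GNU coreutils (mv -T, ln -sfn, readlink).

```shell
#!/bin/sh
# Added example (not the nixpkgs activation script): atomically repoint a
# wrappers symlink at a freshly built directory, using only rename(2)-based
# steps so that readers never observe an empty or missing wrappers path.
set -eu

# publish_wrappers BASE GENERATION
#   Builds BASE/wrappers-dirs/GENERATION and atomically repoints the live
#   symlink BASE/wrappers at it. Returns 0 when the symlink resolves to
#   the new directory. Layout and names are assumptions for this example.
publish_wrappers() {
  base="$1"; gen="$2"
  dirs="$base/wrappers-dirs"
  link="$base/wrappers"
  new="$dirs/$gen"

  mkdir -p "$new"
  # Stand-in for a setuid wrapper binary (constructed content); the real
  # activation script copies the wrapper here and applies the setuid bit.
  printf 'wrapper %s\n' "$gen" > "$new/sudo"

  # Legacy layout: a real directory at $link (-d follows symlinks, hence the
  # extra -L check). rename(2) cannot replace a directory with a symlink, so
  # the old directory is renamed aside first; this is the single step on the
  # upgrade path that briefly leaves the live path absent.
  if [ -d "$link" ] && [ ! -L "$link" ]; then
    mv "$link" "$link.old.$$"
  fi

  # 1) ln: create the symlink under a temporary name.
  # 2) mv -T: rename it over the live path. -T is essential: without it,
  #    mv would move the temporary link *into* the directory that the
  #    existing symlink points at instead of replacing the symlink.
  # Each step is one syscall, so the live path always resolves to either
  # the previous or the new generation, never to nothing.
  tmp="$dirs/.wrappers-link.$$"
  ln -sfn "$new" "$tmp"
  mv -T "$tmp" "$link"

  # Remove older generations now that nothing points at them.
  for old in "$dirs"/*; do
    [ "$old" = "$new" ] && continue
    rm -rf "$old"
  done
  rm -rf "$link.old."*

  # Verify: the live path must now resolve to the new generation.
  [ "$(readlink "$link")" = "$new" ]
}

# Demo on a scratch directory with a constructed legacy layout.
demo=$(mktemp -d)
mkdir -p "$demo/wrappers" && echo legacy > "$demo/wrappers/sudo"
publish_wrappers "$demo" gen1
publish_wrappers "$demo" gen2
readlink "$demo/wrappers"
rm -rf "$demo"
```

Run it as a plain script; the only output is the final target of the symlink. The cleanup of old generations is deliberately done after the rename, so a crash at any point leaves either the old or the new wrapper set reachable, which is exactly the property the directory-based approach lacked.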
112 lines
4.2 KiB
XML
<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-16.09">

<title>Release 16.09 (“Flounder”, 2016/09/??)</title>

<para>In addition to numerous new and upgraded packages, this release
has the following highlights:</para>

<itemizedlist>

  <listitem>
    <para>PXE "netboot" media has landed in <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14740" />.
    See <xref linkend="sec-booting-from-pxe" /> for documentation.</para>
  </listitem>

  <listitem>
    <para>Xorg-server-1.18.*. If you choose the <literal>"ati_unfree"</literal> driver,
    1.17.* is still used due to ABI incompatibility.</para>
  </listitem>

</itemizedlist>

<para>The following new services were added since the last release:</para>

<itemizedlist>
  <listitem><para><literal>(this will get automatically generated at release time)</literal></para></listitem>
</itemizedlist>

<para>When upgrading from a previous release, please be aware of the
following incompatible changes:</para>

<itemizedlist>

  <listitem>
    <para>A large number of packages have been converted to use the multiple outputs feature
    of Nix to greatly reduce the amount of required disk space. This may require changes
    to any custom packages to make them build again; see the relevant chapter in the
    Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions
    related to multiple-output packages
    <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were changed</link>
    late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.)
    </para>
  </listitem>

  <listitem>
    <para>Shell aliases for systemd sub-commands
    <link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were dropped</link>:
    <command>start</command>, <command>stop</command>,
    <command>restart</command>, <command>status</command>.</para>
  </listitem>

  <listitem>
    <para>Redis now binds to 127.0.0.1 only instead of listening on all network interfaces. This is the default
    behavior of Redis 3.2.</para>
  </listitem>

  <listitem>
    <para>/var/setuid-wrappers/
    <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now a symlink so
    it can be atomically updated</link>
    and it is no longer mounted as tmpfs, since the setuid binaries themselves are located under /run/, which is a tmpfs.
    </para>
  </listitem>

  <listitem>
    <para>Gitlab's maintenance script gitlab-runner was removed and split up into the clearer
    gitlab-run and gitlab-rake scripts, because gitlab-runner is a component of Gitlab CI.</para>
  </listitem>

  <listitem>
    <para><literal>services.xserver.libinput.accelProfile</literal> default
    changed from <literal>flat</literal> to <literal>adaptive</literal>,
    as per the <link xlink:href="https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79">
    official documentation</link>.</para>
  </listitem>

  <listitem>
    <para><literal>fonts.fontconfig.ultimate.rendering</literal> was removed
    because our presets had been obsolete for some time. New presets are hardcoded
    into freetype; one selects a preset via <literal>fonts.fontconfig.ultimate.preset</literal>.
    You can customize those presets via ordinary environment variables, using
    <literal>environment.variables</literal>.</para>
  </listitem>

  <listitem>
    <para>The <literal>audit</literal> service is no longer enabled by default.
    Use <literal>security.audit.enable = true;</literal> to explicitly enable it.</para>
  </listitem>

</itemizedlist>

<para>Other notable improvements:</para>

<itemizedlist>

  <listitem><para>Revamped grsecurity/PaX support. There is now only a single
  general-purpose distribution kernel and the configuration interface has been
  streamlined. Desktop users should be able to simply set
  <programlisting>security.grsecurity.enable = true</programlisting> to get
  a reasonably secure system without having to sacrifice too much
  functionality. See <xref linkend="sec-grsecurity" /> for documentation.
  </para></listitem>

</itemizedlist>

</section>