nixpkgs/nixos/doc/manual/from_md/release-notes/rl-1609.section.xml

<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-16.09">
  <title>Release 16.09 (<quote>Flounder</quote>, 2016/09/30)</title>
  <para>
    In addition to numerous new and upgraded packages, this release has
    the following highlights:
  </para>
  <itemizedlist>
    <listitem>
      <para>
        Many NixOS configurations and Nix packages now use significantly
        less disk space, thanks to the
        <link xlink:href="https://github.com/NixOS/nixpkgs/issues/7117">extensive
        work on closure size reduction</link>. For example, the closure
        size of a minimal NixOS container went down from ~424 MiB in
        16.03 to ~212 MiB in 16.09, while the closure size of Firefox
        went from ~651 MiB to ~259 MiB.
      </para>
    </listitem>
    <listitem>
      <para>
        To improve security, packages are now
        <link xlink:href="https://github.com/NixOS/nixpkgs/pull/12895">built
        using various hardening features</link>. See the Nixpkgs manual
        for more information.
      </para>
    </listitem>
    <listitem>
      <para>
        Support for PXE netboot. See
        <xref linkend="sec-booting-from-pxe" /> for documentation.
      </para>
    </listitem>
    <listitem>
      <para>
        X.org server 1.18. If you use the <literal>ati_unfree</literal>
        driver, 1.17 is still used due to an ABI incompatibility.
      </para>
    </listitem>
    <listitem>
      <para>
        This release is based on Glibc 2.24, GCC 5.4.0 and systemd 231.
        The default Linux kernel remains 4.4.
      </para>
    </listitem>
  </itemizedlist>
  <para>
    The following new services were added since the last release:
  </para>
  <itemizedlist spacing="compact">
    <listitem>
      <para>
        <literal>(this will get automatically generated at release time)</literal>
      </para>
    </listitem>
  </itemizedlist>
  <para>
    When upgrading from a previous release, please be aware of the
    following incompatible changes:
  </para>
  <itemizedlist>
    <listitem>
      <para>
        A large number of packages have been converted to use the
        multiple outputs feature of Nix to greatly reduce the amount of
        required disk space, as mentioned above. This may require
        changes to any custom packages to make them build again; see the
        relevant chapter in the Nixpkgs manual for more information.
        (Additional caveat to packagers: some packaging conventions
        related to multiple-output packages
        <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were
        changed</link> late (August 2016) in the release cycle and
        differ from the initial introduction of multiple outputs.)
      </para>
    </listitem>
    <listitem>
      <para>
        Previous versions of Nixpkgs had support for all versions of the
        LTS Haskell package set. That support has been dropped. The
        previously provided <literal>haskell.packages.lts-x_y</literal>
        package sets still exist in name to aviod breaking user code,
        but these package sets don't actually contain the versions
        mandated by the corresponding LTS release. Instead, our package
        set it loosely based on the latest available LTS release, i.e.
        LTS 7.x at the time of this writing. New releases of NixOS and
        Nixpkgs will drop those old names entirely.
        <link xlink:href="https://nixos.org/nix-dev/2016-June/020585.html">The
        motivation for this change</link> has been discussed at length
        on the <literal>nix-dev</literal> mailing list and in
        <link xlink:href="https://github.com/NixOS/nixpkgs/issues/14897">Github
        issue #14897</link>. Development strategies for Haskell hackers
        who want to rely on Nix and NixOS have been described in
        <link xlink:href="https://nixos.org/nix-dev/2016-June/020642.html">another
        nix-dev article</link>.
      </para>
    </listitem>
    <listitem>
      <para>
        Shell aliases for systemd sub-commands
        <link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were
        dropped</link>: <literal>start</literal>,
        <literal>stop</literal>, <literal>restart</literal>,
        <literal>status</literal>.
      </para>
    </listitem>
    <listitem>
      <para>
        Redis now binds to 127.0.0.1 only instead of listening to all
        network interfaces. This is the default behavior of Redis 3.2
      </para>
    </listitem>
    <listitem>
      <para>
        <literal>/var/empty</literal> is now immutable. Activation
        script runs <literal>chattr +i</literal> to forbid any
        modifications inside the folder. See
        <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18365">
        the pull request</link> for what bugs this caused.
      </para>
    </listitem>
    <listitem>
      <para>
        Gitlab's maintainance script <literal>gitlab-runner</literal>
        was removed and split up into the more clearer
        <literal>gitlab-run</literal> and <literal>gitlab-rake</literal>
        scripts, because <literal>gitlab-runner</literal> is a component
        of Gitlab CI.
      </para>
    </listitem>
    <listitem>
      <para>
        <literal>services.xserver.libinput.accelProfile</literal>
        default changed from <literal>flat</literal> to
        <literal>adaptive</literal>, as per
        <link xlink:href="https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79">
        official documentation</link>.
      </para>
    </listitem>
    <listitem>
      <para>
        <literal>fonts.fontconfig.ultimate.rendering</literal> was
        removed because our presets were obsolete for some time. New
        presets are hardcoded into FreeType; you can select a preset via
        <literal>fonts.fontconfig.ultimate.preset</literal>. You can
        customize those presets via ordinary environment variables,
        using <literal>environment.variables</literal>.
      </para>
    </listitem>
    <listitem>
      <para>
        The <literal>audit</literal> service is no longer enabled by
        default. Use <literal>security.audit.enable = true</literal> to
        explicitly enable it.
      </para>
    </listitem>
    <listitem>
      <para>
        <literal>pkgs.linuxPackages.virtualbox</literal> now contains
        only the kernel modules instead of the VirtualBox user space
        binaries. If you want to reference the user space binaries, you
        have to use the new <literal>pkgs.virtualbox</literal> instead.
      </para>
    </listitem>
    <listitem>
      <para>
        <literal>goPackages</literal> was replaced with separated Go
        applications in appropriate <literal>nixpkgs</literal>
        categories. Each Go package uses its own dependency set. There's
        also a new <literal>go2nix</literal> tool introduced to generate
        a Go package definition from its Go source automatically.
      </para>
    </listitem>
    <listitem>
      <para>
        <literal>services.mongodb.extraConfig</literal> configuration
        format was changed to YAML.
      </para>
    </listitem>
    <listitem>
      <para>
        PHP has been upgraded to 7.0
      </para>
    </listitem>
  </itemizedlist>
  <para>
    Other notable improvements:
  </para>
  <itemizedlist>
    <listitem>
      <para>
        Revamped grsecurity/PaX support. There is now only a single
        general-purpose distribution kernel and the configuration
        interface has been streamlined. Desktop users should be able to
        simply set
      </para>
      <programlisting language="bash">
{
  security.grsecurity.enable = true;
}
</programlisting>
      <para>
        to get a reasonably secure system without having to sacrifice
        too much functionality.
      </para>
    </listitem>
    <listitem>
      <para>
        Special filesystems, like <literal>/proc</literal>,
        <literal>/run</literal> and others, now have the same mount
        options as recommended by systemd and are unified across
        different places in NixOS. Mount options are updated during
        <literal>nixos-rebuild switch</literal> if possible. One benefit
        from this is improved security — most such filesystems are now
        mounted with <literal>noexec</literal>, <literal>nodev</literal>
        and/or <literal>nosuid</literal> options.
      </para>
    </listitem>
    <listitem>
      <para>
        The reverse path filter was interfering with DHCPv4 server
        operation in the past. An exception for DHCPv4 and a new option
        to log packets that were dropped due to the reverse path filter
        was added
        (<literal>networking.firewall.logReversePathDrops</literal>) for
        easier debugging.
      </para>
    </listitem>
    <listitem>
      <para>
        Containers configuration within
        <literal>containers.&lt;name&gt;.config</literal> is
        <link xlink:href="https://github.com/NixOS/nixpkgs/pull/17365">now
        properly typed and checked</link>. In particular, partial
        configurations are merged correctly.
      </para>
    </listitem>
    <listitem>
      <para>
        The directory container setuid wrapper programs,
        <literal>/var/setuid-wrappers</literal>,
        <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is
        now updated atomically to prevent failures if the switch to a
        new configuration is interrupted.</link>
      </para>
    </listitem>
    <listitem>
      <para>
        <literal>services.xserver.startGnuPGAgent</literal> has been
        removed due to GnuPG 2.1.x bump. See
        <link xlink:href="https://github.com/NixOS/nixpkgs/commit/5391882ebd781149e213e8817fba6ac3c503740c">
        how to achieve similar behavior</link>. You might need to
        <literal>pkill gpg-agent</literal> after the upgrade to prevent
        a stale agent being in the way.
      </para>
    </listitem>
    <listitem>
      <para>
        <link xlink:href="https://github.com/NixOS/nixpkgs/commit/e561edc322d275c3687fec431935095cfc717147">
        Declarative users could share the uid due to the bug in the
        script handling conflict resolution. </link>
      </para>
    </listitem>
    <listitem>
      <para>
        Gummi boot has been replaced using systemd-boot.
      </para>
    </listitem>
    <listitem>
      <para>
        Hydra package and NixOS module were added for convenience.
      </para>
    </listitem>
  </itemizedlist>
</section>
docs: nixos release notes (w/o 2105 - separate PR) docs: nixos release notes (revise code blocks) docs: nixos release notes (fix opt links outside of code blocks) docs: nixos release notes (fix opt links inside of code blocks) went fishing with: ```console rg -A1 \ --multiline \ --multiline-dotall \ '<programlisting>[^</programlisting>]+' \ \| rg linkend ``` docs: nixos release notes (prettier) docs: nixos release notes (fix zonefile codeblocks) docs: nixos release notes (restore admonition from prettier destriction) docs: nixos release notes (recreate xml files) docs: nixos release notes (fix trnslation error md -> xml) admonition with a title seem not to work docs: nixos release notes (fix code block indentation) docs: nixos release notes (diff after converting with https://github.com/NixOS/nixpkgs/pull/127270) docs: nixos release notes (fix remaingin '???') Those where not catched i a previous iteration since they didn't satisfy the then presumed search regex `#opt-.*` doc: nixos release notes make docbook/md conversion consistent 2021-06-22 01:59:44 +01:00			`<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xml:id="sec-release-16.09">`
			`<title>Release 16.09 (<quote>Flounder</quote>, 2016/09/30)</title>`
			`<para>`
			`In addition to numerous new and upgraded packages, this release has`
			`the following highlights:`
			`</para>`
			`<itemizedlist>`
			`<listitem>`
			`<para>`
			`Many NixOS configurations and Nix packages now use significantly`
			`less disk space, thanks to the`
			`<link xlink:href="https://github.com/NixOS/nixpkgs/issues/7117">extensive`
			`work on closure size reduction</link>. For example, the closure`
			`size of a minimal NixOS container went down from ~424 MiB in`
			`16.03 to ~212 MiB in 16.09, while the closure size of Firefox`
			`went from ~651 MiB to ~259 MiB.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`To improve security, packages are now`
			`<link xlink:href="https://github.com/NixOS/nixpkgs/pull/12895">built`
			`using various hardening features</link>. See the Nixpkgs manual`
			`for more information.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`Support for PXE netboot. See`
			`<xref linkend="sec-booting-from-pxe" /> for documentation.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`X.org server 1.18. If you use the <literal>ati_unfree</literal>`
			`driver, 1.17 is still used due to an ABI incompatibility.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`This release is based on Glibc 2.24, GCC 5.4.0 and systemd 231.`
			`The default Linux kernel remains 4.4.`
			`</para>`
			`</listitem>`
			`</itemizedlist>`
			`<para>`
			`The following new services were added since the last release:`
			`</para>`
			`<itemizedlist spacing="compact">`
			`<listitem>`
			`<para>`
			`<literal>(this will get automatically generated at release time)</literal>`
			`</para>`
			`</listitem>`
			`</itemizedlist>`
			`<para>`
			`When upgrading from a previous release, please be aware of the`
			`following incompatible changes:`
			`</para>`
			`<itemizedlist>`
			`<listitem>`
			`<para>`
			`A large number of packages have been converted to use the`
			`multiple outputs feature of Nix to greatly reduce the amount of`
			`required disk space, as mentioned above. This may require`
			`changes to any custom packages to make them build again; see the`
			`relevant chapter in the Nixpkgs manual for more information.`
			`(Additional caveat to packagers: some packaging conventions`
			`related to multiple-output packages`
			`<link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were`
			`changed</link> late (August 2016) in the release cycle and`
			`differ from the initial introduction of multiple outputs.)`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`Previous versions of Nixpkgs had support for all versions of the`
			`LTS Haskell package set. That support has been dropped. The`
			`previously provided <literal>haskell.packages.lts-x_y</literal>`
			`package sets still exist in name to aviod breaking user code,`
			`but these package sets don't actually contain the versions`
			`mandated by the corresponding LTS release. Instead, our package`
			`set it loosely based on the latest available LTS release, i.e.`
			`LTS 7.x at the time of this writing. New releases of NixOS and`
			`Nixpkgs will drop those old names entirely.`
			`<link xlink:href="https://nixos.org/nix-dev/2016-June/020585.html">The`
			`motivation for this change</link> has been discussed at length`
			`on the <literal>nix-dev</literal> mailing list and in`
			`<link xlink:href="https://github.com/NixOS/nixpkgs/issues/14897">Github`
			`issue #14897</link>. Development strategies for Haskell hackers`
			`who want to rely on Nix and NixOS have been described in`
			`<link xlink:href="https://nixos.org/nix-dev/2016-June/020642.html">another`
			`nix-dev article</link>.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`Shell aliases for systemd sub-commands`
			`<link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were`
			`dropped</link>: <literal>start</literal>,`
			`<literal>stop</literal>, <literal>restart</literal>,`
			`<literal>status</literal>.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`Redis now binds to 127.0.0.1 only instead of listening to all`
			`network interfaces. This is the default behavior of Redis 3.2`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`<literal>/var/empty</literal> is now immutable. Activation`
			`script runs <literal>chattr +i</literal> to forbid any`
			`modifications inside the folder. See`
			`<link xlink:href="https://github.com/NixOS/nixpkgs/pull/18365">`
			`the pull request</link> for what bugs this caused.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`Gitlab's maintainance script <literal>gitlab-runner</literal>`
			`was removed and split up into the more clearer`
			`<literal>gitlab-run</literal> and <literal>gitlab-rake</literal>`
			`scripts, because <literal>gitlab-runner</literal> is a component`
			`of Gitlab CI.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`<literal>services.xserver.libinput.accelProfile</literal>`
			`default changed from <literal>flat</literal> to`
			`<literal>adaptive</literal>, as per`
			`<link xlink:href="https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79">`
			`official documentation</link>.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`<literal>fonts.fontconfig.ultimate.rendering</literal> was`
			`removed because our presets were obsolete for some time. New`
			`presets are hardcoded into FreeType; you can select a preset via`
			`<literal>fonts.fontconfig.ultimate.preset</literal>. You can`
			`customize those presets via ordinary environment variables,`
			`using <literal>environment.variables</literal>.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`The <literal>audit</literal> service is no longer enabled by`
			`default. Use <literal>security.audit.enable = true</literal> to`
			`explicitly enable it.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`<literal>pkgs.linuxPackages.virtualbox</literal> now contains`
			`only the kernel modules instead of the VirtualBox user space`
			`binaries. If you want to reference the user space binaries, you`
			`have to use the new <literal>pkgs.virtualbox</literal> instead.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`<literal>goPackages</literal> was replaced with separated Go`
			`applications in appropriate <literal>nixpkgs</literal>`
			`categories. Each Go package uses its own dependency set. There's`
			`also a new <literal>go2nix</literal> tool introduced to generate`
			`a Go package definition from its Go source automatically.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`<literal>services.mongodb.extraConfig</literal> configuration`
			`format was changed to YAML.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`PHP has been upgraded to 7.0`
			`</para>`
			`</listitem>`
			`</itemizedlist>`
			`<para>`
			`Other notable improvements:`
			`</para>`
			`<itemizedlist>`
			`<listitem>`
			`<para>`
			`Revamped grsecurity/PaX support. There is now only a single`
			`general-purpose distribution kernel and the configuration`
			`interface has been streamlined. Desktop users should be able to`
			`simply set`
			`</para>`
			`<programlisting language="bash">`
			`{`
			`security.grsecurity.enable = true;`
			`}`
			`</programlisting>`
			`<para>`
			`to get a reasonably secure system without having to sacrifice`
			`too much functionality.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`Special filesystems, like <literal>/proc</literal>,`
			`<literal>/run</literal> and others, now have the same mount`
			`options as recommended by systemd and are unified across`
			`different places in NixOS. Mount options are updated during`
			`<literal>nixos-rebuild switch</literal> if possible. One benefit`
			`from this is improved security — most such filesystems are now`
			`mounted with <literal>noexec</literal>, <literal>nodev</literal>`
			`and/or <literal>nosuid</literal> options.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`The reverse path filter was interfering with DHCPv4 server`
			`operation in the past. An exception for DHCPv4 and a new option`
			`to log packets that were dropped due to the reverse path filter`
			`was added`
			`(<literal>networking.firewall.logReversePathDrops</literal>) for`
			`easier debugging.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`Containers configuration within`
			`<literal>containers.<name>.config</literal> is`
			`<link xlink:href="https://github.com/NixOS/nixpkgs/pull/17365">now`
			`properly typed and checked</link>. In particular, partial`
			`configurations are merged correctly.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`The directory container setuid wrapper programs,`
			`<literal>/var/setuid-wrappers</literal>,`
			`<link xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is`
			`now updated atomically to prevent failures if the switch to a`
			`new configuration is interrupted.</link>`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`<literal>services.xserver.startGnuPGAgent</literal> has been`
			`removed due to GnuPG 2.1.x bump. See`
			`<link xlink:href="https://github.com/NixOS/nixpkgs/commit/5391882ebd781149e213e8817fba6ac3c503740c">`
			`how to achieve similar behavior</link>. You might need to`
			`<literal>pkill gpg-agent</literal> after the upgrade to prevent`
			`a stale agent being in the way.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`<link xlink:href="https://github.com/NixOS/nixpkgs/commit/e561edc322d275c3687fec431935095cfc717147">`
			`Declarative users could share the uid due to the bug in the`
			`script handling conflict resolution. </link>`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`Gummi boot has been replaced using systemd-boot.`
			`</para>`
			`</listitem>`
			`<listitem>`
			`<para>`
			`Hydra package and NixOS module were added for convenience.`
			`</para>`
			`</listitem>`
			`</itemizedlist>`
			`</section>`