Releases: DeterminateSystems/nix-src
v3.20.0
Release 3.20.0 (2026-05-07)
- Based on upstream Nix 2.34.6.
Support resuming from binary caches that don't support ranged requests
Previously, Nix would just fail a download if something happened in the TCP or TLS layer, meaning a flaky proxy could fail to download a store path and fall back to building, when a retry might have not been flaky.
Now, Determinate Nix will retry these failed substitutions, so you don't have to waste time building something that was cached but some proxy decided to cut you off early.
PR: DeterminateSystems/nix-src#445
Add a session ID to JSON log messages
Determinate Nix now includes a freeform string session ID (sid) in its JSON log messages, which allows a anything that consumes these log messages to see which messages belong to the same session.
By default, every Nix command invocation is its own session, but you can use the session-id setting to give a group of invocations the same session (otherwise, a random UUIDv7 like 019e037b-f603-7443-8071-cfd8585ec8c6 is set as the session ID).
PR: DeterminateSystems/nix-src#440
Full Changelog: v3.19.1...v3.20.0
v3.19.1
Release 3.19.1 (2026-05-04)
- Based on upstream Nix 2.34.6.
What's Changed
Fix for GHSA-vh5x-56v6-4368: Coroutine stack-to-heap overflow via unbounded recursion in NAR directory parser
Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine stack. The stack was allocated without a guard page, which meant that a stack overflow could overwrite memory on the heap and could allow for arbitrary code execution as the Nix daemon (run as root in multi-user installations) if ASLR hardening is bypassed. This vulnerability can be exploited by all users able to connect to the Nix daemon (configurable via allowed-users setting - all users by default).
The vulnerability is present since 2.24.4.
For more details, see the upstream advisory GHSA-vh5x-56v6-4368.
Many thanks to edef for reporting this issue and to Sergei Zimmerman and edef for implementing the fix and several hardening improvements.
Fix for GHSA-gr92-w2r5-qw5p: Absolute path traversal when unpacking archives to disk
When an archive (e.g. a tarball) contains entries with absolute paths, nix-prefetch-url --unpack, nix store prefetch-file --unpack commands would write to a location outside the extraction root. This also affects builtin:unpack-channel builtin derivation builder, but it's sandboxed the same way as regular derivations builds, so in sandboxed builds it can't be used to achieve an arbitrary file write on the host filesystem.
Other archive unpacking (builtins.fetchTarball, builtins.fetchTree and tarball-based flake inputs) is not affected, since Nix stores the unpacked tarball in a bare git repository (.cache/nix/tarball-cache or .cache/nix/tarball-cache-v2).
This primarily affects packagers running nix-prefetch-url --unpack on untrusted archives.
The vulnerability is present since 2.24.7.
For more details, see the upstream advisory GHSA-gr92-w2r5-qw5p.
Many thanks to edef for reporting this issue and to Sergei Zimmerman for implementing the fix.
Bug fixes
- A fix for random crashes on exit in the
curlFileTransferdestructor. DeterminateSystems/nix-src#444
Full Changelog: v3.19.0...v3.19.1
v3.19.0
Release 3.19.0 (2026-04-28)
- Based on upstream Nix 2.34.6.
What's Changed
Provenance is preserved when copying paths to the daemon
Previously, nix copy would not forward provenance information to the recipient.
This has been fixed, such that building a derivation on machine A and nix copying it to machine B will show the same provenance.
PR: DeterminateSystems/nix-src#399
Full Changelog: v3.18.1...v3.19.0
v3.18.1
Release 3.18.1 (2026-04-23)
- Based on upstream Nix 2.33.4.
What's Changed
Sentry integration improvements
This release includes fixes for a couple of issues with the Sentry integration:
- Ensures the chroot helper starts before the Sentry thread, allowing chroot stores to work again
- Resets Mach exception ports on macOS, so that exec'd programs do not communicate with Determinate Nix's
crashpad_handler
Additionally, Determinate Nix now includes the Nix command and subcommand to Sentry reports to make it easier to discern where an issue happened.
Not that this does not include any command-line arguments other than the command (such as nix-daemon and nix) and subcommand (such as flake show).
PRs:
Full Changelog: v3.18.0...v3.18.1
v3.18.0
Release 3.18.0 (2026-04-20)
- Based on upstream Nix 2.33.3.
What's Changed
Sentry integration
In order to more proactively keep track of crashes, Sentry is now integrated into Determinate Nix.
This allows us to more easily triage and remedy crashes that occur in the wild, without depending on manual use reports.
It can be enabled by:
- populating the file
/etc/nix/sentry-endpointwith a Sentry DSN; or - setting the
NIX_SENTRY_ENDPOINTenvironment variable to a Sentry DSN
and can be disabled by:
- setting the environment variable
DETSYS_IDS_TELEMETRYto the valuedisabled; or - setting the environment variable
NIX_SENTRY_ENDPOINTto an empty string
PR: DeterminateSystems/nix-src#418
Pre-build hook now receives the JSON serialization of the derivation
The pre-build hook already received the path of the derivation as an argument, but that path doesn't typically exist when called as a remote build.
Now, the pre-build hook is spawned with the environment variable NIX_DERIVATION_V4 set to a file that contains the JSON representation of the derivation in v4 format, allowing instrospection of e.g. requiredSystemFeatures for scheduling decisions.
PR: DeterminateSystems/nix-src#424
Fix empty Git exports when using legacy Git compatibility
A regression introduced in v3.16.0 made it possible for there to be empty Git exports in the Nix store when using legacy Git flakes (those depending on Nix 2.19 lockfile semantics).
This is now fixed.
PR: DeterminateSystems/nix-src#425
Full Changelog: v3.17.3...v3.18.0
v3.17.3
Release 3.17.3 (2026-04-07)
- Based on upstream Nix 2.33.3.
What's Changed
Fix for GHSA-g3g9-5vj6-r3gj: root privilege escalation via the Nix daemon
This release contains a critical fix for a security vulnerability on Linux that allows any user that has access to the Nix daemon to obtain root privileges.
This vulnerability affects all versions of Determinate Nix prior to 3.17.3, and all versions of upstream Nix prior to 2.34.5, 2.33.4, 2.32.7, 2.31.4, 2.30.4, 2.29.3, and 2.28.6.
All Linux users are advised to upgrade immediately.
For more details, see the upstream advisory GHSA-g3g9-5vj6-r3gj.
Many thanks to edef for reporting this issue and to Sergei Zimmerman for implementing the fix.
Avoiding duplicate source tree downloads
When multiple Nix processes (like nix-eval-jobs instances) fetch the same source tree at the same time, it was previously possible for each process to perform the download independently, resulting in wasteful multiple downloads of the same source tree. Nix now uses a per-source tree lock to ensure that only one process performs the download.
PR: DeterminateSystems/nix-src#410
WAT support in builtins.wasm
builtins.wasm now supports WebAssembly Text Format (WAT) in addition to binary Wasm modules.
This is primarily useful for testing.
PR: DeterminateSystems/nix-src#405
Git shallow fetching
Nix now removes Git's shallow.lock lock file before running git fetch.
This prevents fetches from hanging if Git was previously interrupted.
PR: DeterminateSystems/nix-src#414
Debugging improvements
Certain C++ exceptions that should never happen (like std::logic_error) are now treated as aborts, providing stack traces and core dumps that are easier to debug.
PR: DeterminateSystems/nix-src#407
Bug fixes
-
nix developrespectslegacyPackagesagain. DeterminateSystems/nix-src#413 -
The
lookupPathResolveddata structure has been made thread-safe. DeterminateSystems/nix-src#415
Full Changelog: v3.17.2...v3.17.3
v3.17.2
Release 3.17.2 (2026-03-27)
- Based on upstream Nix 2.33.3.
What's Changed
Bug fixes
- Cache
getLegacyGitAccessor(). DeterminateSystems/nix-src#396 - Don't destroy
windowSizemutex. DeterminateSystems/nix-src#397 - When doing concurrent substitutions of the same path, download only once. DeterminateSystems/nix-src#398
builtins.getFlake: Handlepath:<p>where p has a discarded string context. DeterminateSystems/nix-src#402- Ensure
_interruptCallbacksis alive whilesignalHandlerThreadis running. DeterminateSystems/nix-src#403 - Fix assertion failure in
nix::BuiltPath::toRealisedPaths(). DeterminateSystems/nix-src#401
Full Changelog: v3.17.1...v3.17.2
v3.17.1
Release 3.17.1 (2026-03-18)
- Based on upstream Nix 2.33.3.
What's Changed
Provenance now supports "build-time" provenance tags
Users can now specify key/value tags to attach to a build's provenance.
For example, the nix-installer-action now attaches the following properties to each build:
- github_workflow_ref
- github_workflow_sha
- github_sha
- github_run_attempt
- github_run_id
- github_run_number
- github_job
- github_ref
- github_repository
- github_server_url
PR: DeterminateSystems/nix-src#374
Flake inputs are substituted when possible
Locked flake inputs will be fetched from a binary cache when possible, instead of preferring the authoritative flake source.
This is intended to reduce load on code forges, and also improves the user experience on large flake inputs.
PR: [#380](https://github.com/DeterminateSystems/nix-
nix profile upgrade and nix profile remove now support tab completion
PR: DeterminateSystems/nix-src#382
Flake schemas can now define an output as "legacy"
"Legacy" flakes are intended for legacyPackages on Nixpkgs.
The "legacy" mark is intended to reduce evaluation time due to the extreme size of legacyPackages.
Note: the name "legacy" is not intended as a value judgement, and at this point we're sort of stuck with the name.
Bug fixes
- Fix crash in
nix replloading an invalid WASM file twice. DeterminateSystems/nix-src#378 - nix profile upgrade/remove: Implement tab completion by @edolstra in * Don't crash if SIGINT happens while printing an exception. DeterminateSystems/nix-src#384
- nix-env -i: Wait for the async path writer. DeterminateSystems/nix-src#385
Full Changelog: v3.17.0...v3.17.1
Contributors
Assets 2
v3.17.0
Release 3.17.0 (2026-03-04)
- Based on upstream Nix 2.33.3.
What's Changed
Determinate Nix 3.17.0 brings exciting improvements like Flake Schemas, provenance, and Wasm / WASI.
We'll be posting more details over the next week or so on our blog: https://determinate.systems/blog/.
Full Changelog: v3.16.3...v3.17.0
v3.16.3
Release 3.16.3 (2026-02-24)
- Based on upstream Nix 2.33.3.
What's Changed
This release only includes changes in determinate-nixd.