Welcome back to the weekly recap! This week Nix received an important security fix, NixOS tests gained the ability to run on macOS, and the community added some new tooling.

One of the most important announcements this week comes from @thufschmitt, who announced a security fix for a Nix fixed-output derivation sandbox bypass. The bug allowed the content of a fixed-output derivation (FOD) to be changed after Nix had already registered it. Any derivation that consumed the corrupted one would then be contaminated as well. The issue has been patched in Nix 2.20.5, 2.19.4, 2.18.2, and 2.3.18. You can check your current Nix version with the command nix --version. If your version is lower than one of the listed releases, you should update immediately. The announcement provides more information along with links to both the registered CVE (CVE-2024-27297) and the GitHub security advisory.
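As an added example that is not part of the announcement, the following POSIX shell script turns the version check above into something you can run on every builder: it takes the last field of the nix --version output (for example "nix (Nix) 2.20.5") and compares it against the patched releases named in the announcement. The table of patched releases is transcribed from the announcement; reporting "unknown" for release lines newer than 2.20 is this script's own conservative choice, since the announcement says nothing about them.

```shell
#!/bin/sh
# Added example (not from the announcement or the Nix project): classify a Nix
# version against the releases that fix CVE-2024-27297.

# Minimum patched patch-level for each release line named in the announcement.
# Any other release line makes this function fail (non-zero exit).
patched_minimum() {
    case "$1" in
        2.3)  echo 18 ;;
        2.18) echo 2 ;;
        2.19) echo 4 ;;
        2.20) echo 5 ;;
        *)    return 1 ;;
    esac
}

# Split "X.Y.Z" into "X Y Z"; a missing part counts as 0 and any non-numeric
# suffix (e.g. a "pre..." marker) is dropped. Pre-release ordering is not modelled.
split_version() {
    set -- $(printf '%s\n' "$1" | sed 's/[^0-9.].*$//' | tr '.' ' ')
    echo "${1:-0} ${2:-0} ${3:-0}"
}

# Exit 0 if version $1 is numerically lower than version $2.
version_lt() {
    set -- $(split_version "$1") $(split_version "$2")
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# Print "patched", "vulnerable" or "unknown" for a bare version string such as 2.20.5.
nix_cve_2024_27297_status() {
    set -- $(split_version "$1")
    branch="$1.$2"
    if min=$(patched_minimum "$branch"); then
        # On a release line that received a fix: compare the patch level.
        if [ "$3" -ge "$min" ]; then echo patched; else echo vulnerable; fi
    elif version_lt "$1.$2.$3" 2.20.5; then
        # Not on a patched line and lower than a listed release: update immediately.
        echo vulnerable
    else
        # Newer than anything the announcement lists; consult the advisory.
        echo unknown
    fi
}

# Stand-alone use: classify the Nix installation on this machine, if any.
if command -v nix >/dev/null 2>&1; then
    v=$(nix --version | awk '{print $NF}')
    echo "nix $v: $(nix_cve_2024_27297_status "$v")"
fi
```

Running the script on a host prints one line such as "nix 2.18.1: vulnerable"; in a fleet you would run it under your configuration management tool and alert on anything other than "patched".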

@Gabriel439 announced that NixOS tests can now be run on macOS! This should help NixOS module maintainers keep supporting their modules after switching to a Mac, and it also makes it easier to extend existing Nix CI setups to Darwin systems. macOS users will still need something like darwin.linux-builder in order to build and execute the NixOS tests.

@thefossguy released nixos-needsreboot, a tool that determines whether your NixOS machine needs to be rebooted. It can be difficult to know whether your system's kernel or systemd has been upgraded, in which case the machine must restart before the new versions are actually in use. The system.autoUpgrade.allowReboot option might not always get this right, which is where the new tool comes in. nixos-needsreboot can be found on GitHub.
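To show the kind of check such a tool has to make, here is an added shell example that is not nixos-needsreboot's own code. It assumes the NixOS layout in which /run/booted-system (the generation the machine booted into) and /run/current-system (the most recently activated generation) each contain kernel, kernel-modules and systemd symlinks into the Nix store; if the resolved targets differ, the running system is using components that only a reboot replaces.

```shell
#!/bin/sh
# Added example (not nixos-needsreboot's code): compare the booted and the
# current NixOS system profile and report components that need a reboot.

# Resolve the store path a profile entry points to; prints nothing if the entry
# is missing (e.g. an older or unusual generation layout).
resolved_target() {
    if [ -e "$1/$2" ]; then readlink -f "$1/$2"; fi
}

# Print the names of the components whose store paths differ between the
# booted profile ($1) and the current profile ($2), one per line.
changed_components() {
    for component in kernel kernel-modules systemd; do
        booted=$(resolved_target "$1" "$component")
        current=$(resolved_target "$2" "$component")
        if [ "$booted" != "$current" ]; then echo "$component"; fi
    done
}

# Exit 0 (reboot needed) if any component differs, 1 otherwise.
needs_reboot() {
    [ -n "$(changed_components "$1" "$2")" ]
}

# Stand-alone use on a NixOS host; silently does nothing elsewhere.
if [ -d /run/booted-system ] && [ -d /run/current-system ]; then
    if needs_reboot /run/booted-system /run/current-system; then
        echo "reboot needed; changed: $(changed_components /run/booted-system /run/current-system | tr '\n' ' ')"
    else
        echo "no reboot needed"
    fi
fi
```

A real tool would add more components (for example the initrd) and a notion of "rebuilt since boot" for services that can be restarted in place; the point of the comparison is that NixOS keeps both generations around, so the question can be answered from the filesystem without consulting package metadata.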

@kampka has created NixOS modules for running Crowdsec, a crowd-sourced security tool designed to protect servers, services, and applications by analyzing user behavior and network traffic. Feedback and contributions are welcome in the project's GitHub repository.

New packages added this week:

Fixes and updates this week: