Are you feeling lucky? The NixOS community certainly is after, to the best of our knowledge, avoiding a critical
backdoor in xz/liblzma (CVE-2024-3094).
The security team will still be downgrading the xz package to 5.4.6 to be safe, but this process will result in
a mass rebuild of hundreds of thousands of packages meaning that it will take a little more than a week to complete. Note that
users can switch the version of the package early if they are willing to perform the builds on their systems. It is
not clear whether other vulnerabilities exist in xz or other projects that the attacker has contributed to. A helpful
writeup of the events leading up to this point was posted by Evan Boehs and an official page from the original xz author is available here.
With May quickly approaching, a call for a release manager and editor of the 24.05 NixOS release has been made. @figsoda goes into detail about the release process and requirements for these roles. If you are interested in this position, you can get in touch via the announcement’s comments or on Matrix.
The end of this week also saw the creation and move to final comment period of a new, exciting RFC: RFC 0173 FCP; NixOS hotline. The community is urged to read it quickly before it is merged in. What an exciting time to be a NixPkgs contributor!
@cdmistman announced the release of rippkgs, a tool capable of
searching NixPkgs in under 30 milliseconds! For more information on how
the tool works and what makes it different from other existing programs like nix-index, check out the Replit
blog post.
@Mic92 has posted a call for testers for nix-ld-rs, a rewrite of the original nix-ld. If you are currently using nix-ld and/or would like to help make sure the new version is working well, please consider testing out the project and
reporting any regressions from the original nix-ld on GitHub.
@reckenrode has started a new thread to share updates on Darwin in NixPkgs, separate from the previous thread cataloguing sponsored work.
@fricklerhandwerk posted a full roadmap for the Nix documentation ecosystem. Documentation has been a pain point for many Nix newcomers as well as veterans and seeing the issues being addressed in a clear outline is great. Thank you to @danielsidhion and everyone else contributing to the improvement of learning and reference materials for Nix.
Last week an important update to the way venv creation in Python environments works was made by @cwp to correct the previous,
subtly broken, implementation. This was not mentioned in the previous nixpkgs.news article, but is worth knowing about for anyone using Python with Nix.
New packages added this week:
- @9999years: added
git-upstream: Pull Request - @aaronjheng: added
protobuf_26: Pull Request - @Aleksanaa: added
ascii-draw: Pull Request - @Aleksanaa: added
pdf4qt: Pull Request - @alexarice: added
emacsPackages.texpresso: Pull Request - @Atemu: added
memtest_vulkan: Pull Request - @bhankas: added
workout-tracker: Pull Request - @ByteSudoer: added
gtkhash: Pull Request - @camillemndn: added
firefoxpwa: Pull Request - @dotlambda: added
mollysocket: Pull Request - @drupol: added
lmstudio: Pull Request - @drupol: added
rabbit: Pull Request - @drupol: added
typstyle: Pull Request - @drupol: added
vscode-extensions.jbockle.jbockle-format-files: Pull Request - @drupol: added
vscode-extensions.myriad-dreamin.tinymist: Pull Request - @emilioziniades: added
dotnet-outdated: Pull Request - @fabaff: added
cvemap: Pull Request - @fabaff: added
python311Packages.romy: Pull Request - @fabaff: added
python312Packages.llama-index-embeddings-ollama: Pull Request - @fabaff: added
python312Packages.securityreporter: Pull Request - @fabaff: added
vunnel: Pull Request - @fabaff: added
world-serpant-search: Pull Request - @fabaff: added
wsrepl: Pull Request - @gaelreyrol: added
pythonPackages.pulsar: Pull Request - @GaetanLepage: added
bunbun: Pull Request - @GaetanLepage: added
vimPlugins.improved-search-nvim: Pull Request - @GaetanLepage: added
vimPlugins.qmk-nvim: Pull Request - @Guanran928: added
mpv-osc-modern,modernx, andmodernx-zydezu: Pull Request - @hatch01: added
httpy-cli: Pull Request - @hennk: added
poetryPlugins.poetry-plugin-poeblix: Pull Request - @jnsgruk: added
rockcraft: Pull Request - @jonringer: added
autoAddDriverRunpathHook: Pull Request - @katanallama: added
vscode-extensions.ms-toolsai.datawrangler: Pull Request - @kintrix007: added
vlc-bittorrent: Pull Request - @LamprosPitsillos: added
tinymist: Pull Request - @Lilacious: added
railway-travel: Pull Request - @MatthewCroughan: added
scion-bootstrapper: Pull Request - @mkg20001: added
docuum: Pull Request - @mweinelt: added
wyoming-satellite: Pull Request - @n8henrie: added
single-file-cli: Pull Request - @OPNA2608: added
famistudio: Pull Request - @OPNA2608: added
rcu: Pull Request - @pinpox: added
wastebin: Pull Request - @ri-char: added
affine: Pull Request - @RossComputerGuy: added
llvmPackages_18: Pull Request - @rsniezek: added
protonmail-desktop: Pull Request - @s1ls: added
invidious-router: Pull Request - @sarahec: added
python311Packages.scalene: Pull Request - @sarcasticadmin: added
aprx: Pull Request - @Scrumplex: added
wlx-overlay-s: Pull Request - @t4ccer: added
buffermanager: Pull Request - @vbgl: added
ocamlPackages_6_2.ocaml: Pull Request - @Vinetos: added
kmeet: Pull Request - @Vinetos: added
quarkus: Pull Request - @wineee: added
wayfirePlugins.focus-request,wayfirePlugins.wayfire-shadows, andwayfirePlugins.wwp-switcher: Pull Request - @wolfgangwalther: added
python3Packages.sphinx-rtd-dark-mode: Pull Request - @yunfachi: added
uni-sync: Pull Request
New modules added this week:
- @s1ls: added
invidious-router: Pull Request
Security fixes this week:
- @adamcstephens: updated
consulto fixCVE-2024-24786: Pull Request - @buckley310: updated
braveto fixCVE-2024-2883,CVE-2024-2885,CVE-2024-2886, andCVE-2024-2887: Pull Request - @jian-lin: updated
emacsto fixCVE-2024-30205,CVE-2024-30204,CVE-2024-30203, andCVE-2024-30202: Pull Request - @LeSuisse: patched
expatto fixCVE-2024-28757: Pull Request - @LeSuisse: updated
coreutilsto fixCVE-2024-0684: Pull Request - @natsukium: updated
python310to fixCVE-2023-52425,CVE-2024-0450, andCVE-2023-6597: Pull Request - @networkException: updated
ungoogled-chromiumto fixCVE-2024-2883,CVE-2024-2885,CVE-2024-2886, andCVE-2024-2887: Pull Request - @risicle: updated
cimgto fixCVE-2024-26540: Pull Request - @stigtsp: updated
perlPackages.HTTPBodyto fixCVE-2013-4407: Pull Request - @yayayayaka: updated
gitlabto fixCVE-2023-6371andCVE-2024-2818: Pull Request