Remember when some people in the #nixos community were raising the alarm on corporate interests taking over the Nix project?

Today Nix apparently published a new security release, and at this point several hours after the release the only place where you can find information about it is on Determinate Systems' social media channels: https://x.com/DeterminateSys/status/1839145876486242659

Determinate Systems (@DeterminateSys) on X

Nix 2.24.8 is currently phasing in through all Determinate distribution channels. This release improves the security of Nix's builtin:fetchurl builder by validating TLS certificates against the system's certificate store. Note: builtin:fetchurl is not builtins.fetchUrl...

@delroth
https://github.com/NixOS/nix/commit/618a0cc9875628171663c9bc3829ed3755a458ed is one click away from https://github.com/NixOS/nix/releases/tag/2.24.8, which is one click away from https://github.com/NixOS/nix

What else did you want to happen between 4 AM and 8 AM CET? An episode of #FullTimeNix with @jgalowicz? Calm down the FUD.
Merge pull request #11592 from NixOS/mergify/bp/2.24-maintenance/pr-1… · NixOS/nix@618a0cc

…1585 builtin:fetchurl: Enable TLS verification (backport #11585)


@monk @delroth @jgalowicz So I’m just supposed to know that the latest commit in the release is worth reading?

This is almost never true. Usually, a release commit bumps a version number or something.

How far back should I go?

How should I determine what’s changed since the last release?

We have a well-established tool for this: release notes.

@samir @delroth @jgalowicz the commit does update release notes

@monk @delroth @jgalowicz Indeed, but I cannot verify whether it’s the only commit in the release that does so, at least not without much more work.

Release notes are useful… if you publish them.