NixOS 23.05 released

NixOS 23.05 Stoat logo

Hey everyone, we are Ryan Lahfa and Martin Weinelt, the release managers for this stable release and we are very proud to announce the public availability of NixOS 23.05 “Stoat”.

This release will receive bugfixes and security updates for seven months (up until 2023-12-31).

The 23.05 release was made possible due to the efforts of 1867 contributors, who authored 36566 commits since the previous release. Our thanks go the contributors who also take care of the continued stability and security of our stable release.

NixOS is already known as the most up to date distribution while also being the distribution with the most packages. This release saw 16240 new packages and 13524 updated packages in Nixpkgs. We also removed 13466 packages in an effort to keep the package set maintainable and secure. In addition to packages the NixOS distribution also features modules and tests that make it what it is. This release brought 282 new modules and removed 183. In that process we added 2882 options and removed 728.

Removal of weak hashing algorithms

The support for weak password hashing algorithms through the crypt(3) API was disabled in NixOS 23.05. We consider password hashing methods weak if the libxcrypt project did not flag them strong. This change affects user accounts on the local system, as well as the supported algorithms in many applications that rely on that API. Examples are authentication services like OpenLDAP or PAM, databases like PostgreSQL and, more generally speaking, programming languages that offer a password hashing interface like Python. These applications should be migrated away from weak password hashes before upgrading to NixOS 23.05, as the lack of support for these algorithms may make authentication for these applications impossible. If your system has user accounts that rely on such weak hashing algorithms, a warning will be emitted during activation. Existing users accounts are most likely using sha512crypt, for which the hash is prefixed with $6$. These will continue to work for the foreseeable future, but migrating to more modern hashes is strongly recommended anyway. Interactively configured passwords can be updated using passwd, new password hashes can be generated through mkpasswd. Note, that we do offer libxcrypt-legacy as an escape hatch, that affected packages can be overridden with.

Bootspec (RFC-125)

As part of standardization efforts in RFC 125, also called “Bootspec”, all new users have a boot.json file in their system top-level derivation, you can check the one on the system you are running in /run/current-system/boot.json for example. The idea behind Bootspec is to enable new boot usecases in NixOS: UEFI Secure Boot, unifying bootloader installer scripts, multiple initrds or systemd system extensions and A/B schemas.

Special Thanks

We want to personally thank Lennart Mühlenmeier and Winter for editorializing the release notes, Vladimír Čunát for his tireless effort in managing jobsets, staging cycles and build infrastructure, Cole Helbling for his epic effort in bisecting kernel issues with ARM64 for our remote builders, and Graham Christensen for dutifully tending to our build infrastructure.

Reflections and Closing

I am very grateful for being given the opportunity to learn about the release process and run it with the help of everyone in the NixOS community. It has been a very exciting ride and witnessing the efforts of everyone poured in the project made me want to work towards supporting those efforts in many areas of the project, e.g. CI, infrastructure and more. Now that the process documentation has reached, in my experience, a high level of maturity. I believe it is now time for tooling to become consolidated, professional, comfortable and helpful for release managers and editors but also to all the persons close to the release process. As a previous release manager said it, the release process shall become only more boring in the future!