
4th chunk of `doc/manual/source/release-notes/rl-2.0.md`
      - `nix add-to-store` replaces `nix-store --add`.

      - `nix sign-paths` signs store paths.

      - `nix copy-sigs` copies signatures from one store to another.

      - `nix show-config` shows all configuration options and their
        current values.

  - The store abstraction that Nix has had for a long time to support
    store access via the Nix daemon has been extended
    significantly. In particular, substituters (which used to be
    external programs such as `download-from-binary-cache`) are now
    subclasses of the abstract `Store` class. This allows many Nix
    commands to operate on such store types. For example, `nix
    path-info` shows information about paths in your local Nix store,
    while `nix path-info --store https://cache.nixos.org/` shows
    information about paths in the specified binary cache. Similarly,
    `nix-copy-closure`, `nix-push` and substitution are all instances
    of the general notion of copying paths between different kinds of
    Nix stores.

    Stores are specified using a URI-like syntax, e.g.
    <https://cache.nixos.org/> or <ssh://machine>. The following store
    types are supported:

      - `LocalStore` (store URI `local` or an absolute path) and the
        misnamed `RemoteStore` (`daemon`) provide access to a local Nix
        store, the latter via the Nix daemon. You can use `auto` or the
        empty string to auto-select a local or daemon store depending on
        whether you have write permission to the Nix store. It is no
        longer necessary to set the `NIX_REMOTE` environment variable to
        use the Nix daemon.

        As noted above, `LocalStore` now supports chroot builds,
        allowing the “physical” location of the Nix store (e.g.
        `/home/alice/nix/store`) to differ from its “logical” location
        (typically `/nix/store`). This allows non-root users to use Nix
        while still getting the benefits from prebuilt binaries from
        [cache.nixos.org](https://cache.nixos.org/).

      - `BinaryCacheStore` is the abstract superclass of all binary
        cache stores. It supports writing build logs and NAR content
        listings in JSON format.

      - `HttpBinaryCacheStore` (`http://`, `https://`) supports binary
        caches via HTTP or HTTPS. If the server supports `PUT` requests,
        it supports uploading store paths via commands such as
        `nix copy`.

      - `LocalBinaryCacheStore` (`file://`) supports binary caches in
        the local filesystem.

      - `S3BinaryCacheStore` (`s3://`) supports binary caches stored in
        Amazon S3, if enabled at compile time.

      - `LegacySSHStore` (`ssh://`) is used to implement remote builds
        and `nix-copy-closure`.

      - `SSHStore` (`ssh-ng://`) supports arbitrary Nix operations on a
        remote machine via the same protocol used by `nix-daemon`.

  - Security has been improved in various ways:

      - Nix now stores signatures for local store paths. When paths are
        copied between stores (e.g., copied from a binary cache to a
        local store), signatures are propagated.

        Locally-built paths are signed automatically using the secret
        keys specified by the `secret-key-files` store option.
        Secret/public key pairs can be generated using
        `nix-store --generate-binary-cache-key`.

        In addition, locally-built store paths are marked as “ultimately
        trusted”, but this bit is not propagated when paths are copied
        between stores.

      - Content-addressable store paths no longer require signatures —
        they can be imported into a store by unprivileged users even if
        they lack signatures.

      - The command `nix verify` checks whether the specified paths are

Title: Nix Store Abstraction, URI Syntax, Supported Store Types, and Security Improvements
Summary
Nix has significantly extended its store abstraction, with substituters now subclasses of the abstract `Store` class. Stores are specified using a URI-like syntax (e.g., <https://cache.nixos.org/> or <ssh://machine>). Supported store types include `LocalStore`, `RemoteStore`, `BinaryCacheStore`, `HttpBinaryCacheStore`, `LocalBinaryCacheStore`, `S3BinaryCacheStore`, `LegacySSHStore`, and `SSHStore`. Security enhancements include storing signatures for local store paths, automatic signing of locally built paths, and allowing unprivileged users to import content-addressable store paths without signatures. The command `nix verify` checks path integrity.
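
The signature and trust rules in the security notes above, modelled as an added example (not code from Nix or from the release notes): signatures travel with a path when it is copied, the "ultimately trusted" bit does not, and content-addressed paths need no signature. Assumptions: `PathInfo`, `build_locally`, `copy_to_other_store` and `acceptable` are hypothetical names, HMAC-SHA256 stands in for Nix's public-key signatures, and the acceptance rule is a reading of the bullets rather than Nix's exact logic.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PathInfo:
    path: str
    nar_hash: str
    sigs: frozenset = frozenset()    # entries look like "keyname:hexmac"
    ultimate: bool = False           # "ultimately trusted": built in this store
    content_addressed: bool = False


def _mac(info, secret):
    # HMAC-SHA256 is a stand-in; it covers the path name and its content hash.
    msg = f"{info.path};{info.nar_hash}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_locally(path, nar_hash, key_name, secret):
    """A local build is signed automatically and marked ultimately trusted."""
    info = PathInfo(path, nar_hash, ultimate=True)
    return replace(info, sigs=frozenset({f"{key_name}:{_mac(info, secret)}"}))


def copy_to_other_store(info):
    """Copying keeps the signatures but drops the ultimate-trust bit."""
    return replace(info, ultimate=False)


def has_trusted_sig(info, trusted_keys):
    for sig in info.sigs:
        name, _, mac = sig.partition(":")
        key = trusted_keys.get(name)
        if key is not None and hmac.compare_digest(mac, _mac(info, key)):
            return True
    return False


def acceptable(info, trusted_keys):
    # Assumed policy, read off the release notes: trusted if built here,
    # content-addressed, or signed by a key this store trusts.
    return (info.ultimate or info.content_addressed
            or has_trusted_sig(info, trusted_keys))
```

After a copy, the receiving store accepts the path only if it trusts the signing key, and changing the content hash after signing invalidates the signature.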