@mio no. 2.93.0 doesn't have the security fixes that contained the regression. it's not affected.
declarative. reproducible. human-friendly.
Lix is a modern, delicious implementation of the Nix package manager, focused on correctness, usability, and growth – and committed to doing right by its community.
The Lix team is very sorry for the inconvenience caused, and we will go into more detail in an upcoming postmortem on how this could have happened and what we plan to do to remediate that in the future.
For more information, please review our latest blog post on the incident at https://lix.systems/blog/2025-06-27-lix-critical-bug/, which will be continually updated.
As is often the case in complex, ongoing situations, we prefer to offer clear choices and not make rash decisions, so you remain in control of how and when to act, depending on the trade-offs you are willing to make.
We have prepared patches for all supported releases to address the critical bug (publicly in our Gerrit instance). However, we have paused the release for now. We are continuing to monitor incoming reports, especially CL #3500 (https://gerrit.lix.systems/c/lix/+/3500), and want to allow more quality assurance time to avoid introducing further regressions or making upgrades unnecessarily disruptive.
We have also fixed the static builds, which enables the mitigation strategy described in the blog post.
We discovered a critical bug on 2.91.2, 2.92.3, 2.93.1 as part of the CVE fixes that will cause your system to remove certain valid Nix store paths at the end of builds.
We have an ongoing blog post on this incident, including recovery instructions: https://lix.systems/blog/2025-06-27-lix-critical-bug/
Lix releases are now out, please upgrade. A detailed writeup about the issue and the mitigations is at https://lix.systems/blog/2025-06-24-lix-cves/, scroll a bit down for instructions on how to protect yourselves.
See also the Discourse announcement post at https://discourse.nixos.org/t/security-advisory-privilege-escalations-in-nix-lix-and-guix/66017, which also links to the various Nixpkgs PRs for those that use Lix from Nixpkgs.
Security pre-disclosure:
A critical security advisory for #Nix and #Lix (and #Guix) will be published tomorrow at 14:00 UTC.
If you're building untrusted derivations, you must upgrade to ensure your systems remain secure.
Lix versions 2.91, 2.92, 2.93, and main will receive upgrades on all known channels to Lix. Lix 2.90 WILL NOT receive upgrades.
More details are available in the pre-disclosure post:
https://discourse.nixos.org/t/pre-disclosure-announcement-security-advisory-for-nix-and-lix-on-june-24-2025/65831
Please stay alert for the full announcement tomorrow at 14:00 UTC.
EDIT: after further investigation this is actually mistaken and doesn't affect the majority of store operations; this one is likely not the issue
Quick #nix PSA: do you run a binary cache? Is `WantMassQuery: 1` not in its `nix-cache-info` file?
~~If it's not in there, clients will take an extremely long time to query whether paths are present in your cache by trying them one by one serially.~~
@PolyWolf yeah sorry it's all a bit embarrassing, but matrix is the right place. we should post on fedi and the website about it, probably. there's a ticket to do stable-release branches but it has been blocked on scheduling more than anything.
@just1602 @Profpatsch we are aware of the issue, it is fixed according to raito
-jade
@ck feel free to send a pr!
@samir https://git.lix.systems/lix-project/lix-website/issues/42 filed a bug, unsure as to timeline or who will get around to it; if you know how to work a hugo site and want to fix the templates and send a PR, that would get it done fastest, but no worries if not, it'll get done eventually -jade
@heals if you're using nix-darwin, just follow the NixOS instructions on the lix install guide. nix-darwin takes over managing the nix installation and nothing our installer does matters too much for that.
We're pleased to announce the official release of #Lix 2.92 "Bombe glacée".
This release brings many subtle stability and helpfulness improvements:
- generating opt-out errors for using deprecated language features
- config files support relative and ~ paths
- alt+left, alt+right navigate by words in nix repl
- several error message improvements
- fewer crashes
- the daemon event loop was rewritten and is faster and more maintainable
See the full release post here: https://lix.systems/blog/2025-01-18-lix-2.92-release/
users of #lix are of course also invited to have dessert to celebrate releases, that is very cute and fun too!
it would be cute to acquire the #lix release desserts and post selfies eating them when we do releases imo
did you know: you can use the experimental `nix` CLI of CppNix/Lix on non-flakes projects?
`nix-build -A myAttr.foo` => `nix build -f . myAttr.foo`
`nix-shell -A myAttr.foo` => `nix develop -f shell.nix myAttr.foo`
`nix-instantiate --eval foo.nix -A myAttr.foo` => `nix eval -f foo.nix myAttr.foo`
macOS Sequoia release day is almost upon us, and that means all your Lix and Nix installations on macOS are going to break when you upgrade your OS. It causes the following error:
error: the user '_nixbld1' in the group 'nixbld' does not exist
To repair this:
$ curl -sSf -L https://install.lix.systems/lix | sh -s -- repair sequoia
To repair before upgrading, add `--move-existing-users` to the end of the command.
We have a wiki page with more links and details: https://wiki.lix.systems/link/81
For non NixOS systems: if you used the installer from nixos.org, it is highly plausible `nix upgrade-nix` gives you 2.18, which *technically* fixes the vulnerability but if you would rather 2.24, use `nix upgrade-nix --nix-store-paths-url https://releases.nixos.org/nix/nix-2.24.6/fallback-paths.nix`
If you used the detsys installer, `nix upgrade-nix` should give you a non-vulnerable version.
Make sure to restart the Nix daemon (or reboot) after. There's docs here for how (skip the redundant nix-env command): https://nix.dev/manual/nix/2.23/installation/upgrading