v3.15.1

Release 3.15.1 (2025-12-24)

• Based on upstream Nix 2.33.0.

What's Changed

Users reported the v3.15.0 tarball could not be fetched in a fixed-output derivation due to current stdenv paths present in the documentation. This release eliminated those paths.

PR: DeterminateSystems/nix-src#306

Additionally, this change re-enables CodeRabbit's code review on our changes. CodeRabit was disabled by the upstream project, and we inadvertently included that change.

PR: DeterminateSystems/nix-src#305

Full Changelog: v3.15.0...v3.15.1

v3.15.0

Release 3.15.0 (2025-12-19)

• Based on upstream Nix 2.33.0.

fetchTree improvement

builtins.fetchTree now implicitly treats the fetched tree as "final" when a narHash is supplied, meaning that it will not return attributes like lastModified or revCount unless they were specified by the caller. This makes it possible to substitute the tree from a binary cache, which is often more efficient. Furthermore, for Git inputs, it allows Nix to perform a shallow fetch, which is much faster.

This is primarily useful for users of flake-compat, since it uses builtins.fetchTree internally.

PR: DeterminateSystems/nix-src#297

New builtin function builtins.filterAttrs

Nixpkgs heavily relies on this function to select attributes from an attribute set:

filterAttrs = pred: set: removeAttrs set (filter (name: !pred name set.${name}) (attrNames set));

Determinate Nix now has this function built-in, which makes it much faster.

PR: DeterminateSystems/nix-src#291

New Contributors

• @not-ronjinger made their first contribution in DeterminateSystems/nix-src#291

Full Changelog: v3.14.0...v3.15.0

v3.14.0

Release 3.14.0 (2025-12-08)

• Based on upstream Nix 2.32.4.

What is going on?! nix ps to the rescue

Determinate Nix now features a nix ps command to summarize all of the active builds and child processes:

$ nix ps
USER      PID     CPU  DERIVATION/COMMAND
_nixbld1  30167  0.4s  /nix/store/h431bcfml83czhpyzljhp9mw4yrq95vs-determinate-nix-manual-3.14.0.drv (wall=9s)
_nixbld1  30167  0.2s  └───bash -e /nix/store/vj1c3wf9c11a0qs6p3ymfvrnsdgsdcbq-source-stdenv.sh /nix/store/shkw4qm9qcw5sc5n1k5jznc83ny02r39-default-builder.s
_nixbld1  30278  0.0s      └───ninja -j14
_nixbld1  30279  0.0s          ├───/nix/store/v21kg4vm7yy0wflh0avkibz0shk86jn8-python3-3.12.11/bin/python3.12 /nix/store/lp001an6p80qx2fhdxgv5ysbn2iwj9pa-mes
_nixbld1  30286  0.0s          │   └───/nix/store/z59zm01pjwzil2qkvv0s4ibk54risy9a-determinate-nix-3.14.0/bin/nix config show --json
_nixbld1  30280  0.0s          ├───/nix/store/v21kg4vm7yy0wflh0avkibz0shk86jn8-python3-3.12.11/bin/python3.12 /nix/store/lp001an6p80qx2fhdxgv5ysbn2iwj9pa-mes
_nixbld1  30287  0.0s          │   └───/nix/store/z59zm01pjwzil2qkvv0s4ibk54risy9a-determinate-nix-3.14.0/bin/nix __dump-language
_nixbld1  30281  0.0s          ├───/nix/store/v21kg4vm7yy0wflh0avkibz0shk86jn8-python3-3.12.11/bin/python3.12 /nix/store/lp001an6p80qx2fhdxgv5ysbn2iwj9pa-mes
_nixbld1  30288  0.0s          │   └───/nix/store/z59zm01pjwzil2qkvv0s4ibk54risy9a-determinate-nix-3.14.0/bin/nix __dump-cli
_nixbld1  30282  0.0s          ├───/nix/store/v21kg4vm7yy0wflh0avkibz0shk86jn8-python3-3.12.11/bin/python3.12 /nix/store/lp001an6p80qx2fhdxgv5ysbn2iwj9pa-mes
_nixbld1  30284  0.0s          │   └───/nix/store/z59zm01pjwzil2qkvv0s4ibk54risy9a-determinate-nix-3.14.0/bin/nix __dump-xp-features
_nixbld1  30283  0.0s          └───/nix/store/v21kg4vm7yy0wflh0avkibz0shk86jn8-python3-3.12.11/bin/python3.12 /nix/store/lp001an6p80qx2fhdxgv5ysbn2iwj9pa-mes
_nixbld1  30285  0.0s              └───/nix/store/5c8hb299k0acbypqw6j9m4znyd6b97cz-bash-5.2p37/bin/bash -euo pipefail -c if type -p build-release-notes > /de
_nixbld1  30289  0.0s                  └───changelog-d ../source/release-notes/../../rl-next

For the integrators out there, it also has a --json flag with all the raw data.

PRs:

• DeterminateSystems/nix-src#282
• DeterminateSystems/nix-src#287

Nix build, profile, and flake check commands tell you what output failed

These commands now tell you exactly what flake outputs failed to build.
Previously, the error would indicate only what derivation failed to build -- but not which output.

Now, nix build and nix profile commands provide the specific output:

$ nix build .#oneFakeHash .#badSystem --keep-going
❌ git+file:///Users/grahamc/src/github.com/DeterminateSystems/samples#oneFakeHash
error: hash mismatch in fixed-output derivation '/nix/store/58pp1y74j4f5zxfq50xncv2wvnxf7w3y-one-fake-hash.drv':
         specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
            got:    sha256-i7j83d71sibS/ssSjLJ5PMKmbhjAM+BHW0aElvkgEwY=
❌ git+file:///Users/grahamc/src/github.com/DeterminateSystems/samples#badSystem
error: Cannot build '/nix/store/5vsaxi730yl2icngkyvn8wiflik5wfmq-bad-system.drv'.
       Reason: required system or feature not available
       Required system: 'bogus' with features {}
       Current system: 'aarch64-darwin' with features {apple-virt, benchmark, big-parallel, nixos-test}

And in a great change for CI, nix flake check users get improved summaries too:

$ nix flake check
❓ checks.aarch64-darwin.twoFakeHashes (cancelled)
❓ checks.aarch64-darwin.badSystemNested (cancelled)
❓ checks.aarch64-darwin.oneFakeHash (cancelled)
❓ checks.aarch64-darwin.failure (cancelled)
❓ checks.aarch64-darwin.badSystem (cancelled)
❓ checks.aarch64-darwin.weirdHash (cancelled)
❓ checks.aarch64-darwin.all (cancelled)
❓ checks.aarch64-darwin.fakeHashes (cancelled)
❓ checks.aarch64-darwin.incorrectHashes (cancelled)
❓ checks.aarch64-darwin.badFeaturesNested (cancelled)
❓ checks.aarch64-darwin.failureNested (cancelled)
❌ checks.aarch64-darwin.badFeatures
error: Cannot build '/nix/store/sc1cyhrpsm9yjx55cl2zzyr5lypwigi6-bad-feature.drv'.
       Reason: required system or feature not available
       Required system: 'aarch64-darwin' with features {bogus}
       Current system: 'aarch64-darwin' with features {apple-virt, benchmark, big-parallel, nixos-test}

PRs:

• DeterminateSystems/nix-src#281
• DeterminateSystems/nix-src#285

More seamless upgrades from Nix 2.18 and Nix 2.19

We've heard from some users who are trying to upgrade from Nix 2.18.

These users are primarily experiencing problems caused by Nix 2.20 switching from git-archive to libgit2 for fetching repositories.
This change caused some git-archive filters to stop executing, like autocrlf.
Not running those filters is an improvement, and running those filters can cause instability in source hashes.
However, this switch did cause previously valid hashes to become invalid.

Determinate Nix now retries fetching an old archive with git-archive as a fallback when libgit2 fails to provide the correct source.

Further, to support a progressive migration Determinate Nix has a new option: nix-219-compat.
Set nix-219-compat=true to cause Nix to author new flake.nix files with a git-archive based source hash.

Finally, a user identified builtins.path changed since 2.18 and stopped propagating references.
We have corrected this regression.

PRs:

• DeterminateSystems/nix-src#283
• DeterminateSystems/nix-src#278

Flake registry mirroring

Determinate Nix now includes a fallback copy of the Nix Registry.
This change builds on top of v3.13.2, where we changed from the upstream Nix registry to a mirrored copy hosted by install.determinate.systems.

Combined, these changes increase the reliability of Nix in the face of network outages.

Note

Flake registry URLs for flake.nix inputs is deprecated.
The flake registry should only be used for interactive use.
See: #37

PR: DeterminateSystems/nix-src#273

Flake registry resolution CLI

We added the new command nix registry resolve to help debug issues with Flake registries.
This command looks up a flake registry input name and returns the flakeref it resolves to.

For example, looking up Nixpkgs:

$ nix registry resolve nixpkgs
github:NixOS/nixpkgs/nixpkgs-unstable

Or looking up the 25.11 branch of Nixpkgs:

$ nix registry resolve nixpkgs/release-25.11
github:NixOS/nixpkgs/release-25.11

Note

Flake registry URLs for flake.nix inputs is deprecated.
The flake registry should only be used for interactive use.
See: #37

PR: DeterminateSystems/nix-src#273

Improved Docker image packaging

Thanks to employee-64c7dcd530593118dcccc3fb, the OCI / Docker images built by the Determinate Nix flake.nix can be further customized.

Users can specify their own base image by specifying fromImage.

Additionally, users can specify additional directories to include at the beginning or end of the PATH variable with extraPrePaths and extraPostPaths.

PRs:

• DeterminateSystems/nix-src#277
• DeterminateSystems/nix-src#280

Bug fixes

• Corrected an error with parallel evaluation which (DeterminateSystems/nix-src#286)
• Fixed compatibility with updated Nixpkgs versions. Thank you SandaruKasa! (DeterminateSystems/nix-src#284)

Full Changelog: v3.13.2...v3.14.0

v3.13.2

Release 3.13.2 (2025-11-19)

• Based on upstream Nix 2.32.4.

What's Changed

Abbreviate flakerefs in lockfile diffs and nix flake metadata

Flake refs are now abbreviated when possible, to reduce visual clutter.

For example, this changes

• Updated input 'blender-bin':
    'https://api.flakehub.com/f/pinned/edolstra/blender-bin/1.0.19/01993ca7-2aa8-746f-96f5-ca8d2c2b962d/source.tar.gz?narHash=sha256-ZqVhVl9UYVErF8HW8lcvqss005VWYjuX//rZ%2BOmXyHg%3D' (2025-09-12)
  → 'https://api.flakehub.com/f/pinned/edolstra/blender-bin/1.0.20/019a8772-b044-7738-8c03-109bdc9f0a01/source.tar.gz?narHash=sha256-sVj9Gmx0kwTDQPJ5kgQYszE3Hdjevu0zx0b/bL2fyUc%3D' (2025-11-15)
• Updated input 'nix':
    'github:DeterminateSystems/nix-src/236ebef6514f3a2a9765c8a1d80dd503b8e672be?narHash=sha256-s6/Err0yqOp5fM3OdCF1vhmEYpeElbPOWX88YrW2qj4%3D' (2025-10-23)
  → 'github:DeterminateSystems/nix-src/ef054dc06e9701597bce0b0572af18cb4c7e7277?narHash=sha256-uqYmH0KA8caQqX5u4BMarZsuDlC%2B71HRsH3h4f3DPCA%3D' (2025-11-12)

to

• Updated input 'blender-bin':
    'https://api.flakehub.com/f/pinned/edolstra/blender-bin/1.0.19/01993ca7-2aa8-746f-96f5-ca8d2c2b962d/source.tar.gz' (2025-09-12)
  → 'https://api.flakehub.com/f/pinned/edolstra/blender-bin/1.0.20/019a8772-b044-7738-8c03-109bdc9f0a01/source.tar.gz' (2025-11-15)
• Updated input 'nix':
    'github:DeterminateSystems/nix-src/236ebef' (2025-10-23)
  → 'github:DeterminateSystems/nix-src/ef054dc' (2025-11-12)

PR: DeterminateSystems/nix-src#264

nix flake prefetch-inputs now skips build-time inputs

Build-time inputs can already be fetched in parallel, so prefetching them is usually not what you want.

This can be especially noticeable in projects that make extensive use of build-time flake inputs.

PR: DeterminateSystems/nix-src#263

Don't compute revCount/lastModified if they're already specified

We don't care if the user (or more likely the lock file) specifies an incorrect value for these attributes, since it doesn't matter for security (unlike content hashes like narHash).

This can save time when operating on large repos -- having to recalculate these attributes could slow things down greatly.

PR: DeterminateSystems/nix-src#269

Avoid unnecessary Git refetches

This fixes the issue where updating a Git input does a non-shallow fetch, and then a subsequent eval does a shallow refetch because the revCount is already known.

Now the subsequent eval will reuse the repo used in the first fetch.

PR: DeterminateSystems/nix-src#270

Use our mirrored flake registry

The flake registry is security-critical and thus should have high availability.

By mirroring the upstream Nix flake registry, we can make it less likely that a GitHub outage affects being able to resolve from the registry.

PR: DeterminateSystems/nix-src#271

Full Changelog: v3.13.1...v3.13.2

v3.13.1

Release 3.13.1 (2025-11-12)

• Based on upstream Nix 2.32.4.

What's Changed

• nix bundle: Wait for async path writer by @edolstra in DeterminateSystems/nix-src#260
• Sync with upstream 2.32.4 by @edolstra in DeterminateSystems/nix-src#261

Full Changelog: v3.13.0...v3.13.1

v3.13.0

Release 3.13.0 (2025-11-09)

• Based on upstream Nix 2.32.3.

What's Changed

Git sources have a progress indicator again

Nix used to feel "stuck" while it was cloning large repositories.
Determinate Nix now shows git's native progress indicator while fetching.

PR: DeterminateSystems/nix-src#250

C API improvements

We've invested in the C API to support our work on closure analysis for SBOM generation, and made a couple of changes:

• C API: add nix_locked_flake_read_path for flake file reading
• C API: make nix_store_get_fs_closure compatible with upstream

PRs:

• DeterminateSystems/nix-src#244
• DeterminateSystems/nix-src#254

Dropping support for Intel Macs

Determinate Nix no longer supports being installed on Intel Macs.
Determinate Nix will continue to support building for Intel macOS targets, but only from an Apple Silicon host.

From our intent-to-ship:

Over the past year, we’ve watched usage of Determinate on Intel macOS hosts dwindle to a minuscule fraction of total usage.
It currently stands at approximately 0.02% of all installations.
The vast majority are run in managed CI environments that, we anticipate, will be able to easily convert to using Apple Silicon runners.

For more information: #224

PR: DeterminateSystems/nix-src#257

Bugs fixed

• IPv6 Store URLs now handles zone ID references like it did in previous releases NixOS/nix#14434

Full Changelog: v3.12.2...v3.13.0

v3.12.2

Release 3.12.2 (2025-11-05)

• Based on upstream Nix 2.32.2.

What's Changed

Faster revCount computation

When using Git repositories with a long history, calculating the revCount attribute can take a long time. Determinate Nix now computes revCount using multiple threads, making it much faster.

Note that if you don't need revCount, you can disable it altogether by setting the flake input attribute shallow = false.

PR: DeterminateSystems/nix-src#245

More readable error messages

Previously, Nix showed full flakerefs in error messages such as stack traces, e.g.

   … from call site
     at «github:NixOS/nixpkgs/3bea86e918d8b54aa49780505d2d4cd9261413be?narHash=sha256-Ica%2B%2BSXFuLyxX9Q7YxhfZulUif6/gwM8AEQYlUxqSgE%3D»/lib/customisation.nix:69:16:
       68|     let
       69|       result = f origArgs;
         |                ^
       70|

It now abbreviates these by leaving out narHash and shortening Git revisions:

   … from call site
     at «github:NixOS/nixpkgs/3bea86e»/lib/customisation.nix:69:16:
       68|     let
       69|       result = f origArgs;
         |                ^
       70|

PR: DeterminateSystems/nix-src#243

Other changes

This release fixes an assertion failure in nix flake check. PR: DeterminateSystems/nix-src#252

Full Changelog: v3.12.1...v3.12.2

v3.12.1

Release 3.12.1 (2025-11-04)

• Based on upstream Nix 2.32.1.

What's Changed

• Allow access to the result of fetchClosure by @edolstra in DeterminateSystems/nix-src#241
• libstore/build: fixup JSON logger missing the resBuildResult result event by @cole-h in DeterminateSystems/nix-src#246

Full Changelog: v3.12.0...v3.12.1

v3.12.0

Release 3.12.0 (2025-10-23)

• Based on upstream Nix 2.32.1.

What's Changed

nix nario

Determinate Nix has a new command, nix nario, that replaces the commands nix-store --export and nix-store --import from the old CLI. nix nario allows you to serialize store paths to a file that can be imported into another Nix store. It is backwards compatible with the file format generated by nix-store --export. It also provides a new format (selected by passing --format 2) that supports store path attributes such as signatures, and allows store paths to be imported more efficiently.

Other changes

nix flake clone now supports arbitrary input types. In particular, this allows you to clone tarball flakes, such as flakes on FlakeHub.

When using -vv, Determinate Nix now prints the Nix version. This is useful when diagnosing Nix problems from the debug output of a Nix run.

Full Changelog: v3.11.3...v3.12.0

v3.11.3

Release 3.11.3 (2025-10-09)

• Based on upstream Nix 2.31.2.

What's Changed

Fix some bugs and interactions with parallel eval

We received some reports of parallel eval having issues, such as not being able to be interrupted, infinite recursion hanging forever, and segfaults when using the experimental builtins.parallel.

Those have now been fixed.

Additionally, the debugger now disables parallel eval, because the two features are incompatible.

PRs: DeterminateSystems/nix-src#206, DeterminateSystems/nix-src#213, DeterminateSystems/nix-src#218, DeterminateSystems/nix-src#205

NIX_SSHOPTS + ssh-ng://root@localhost fix

We noticed that specifying NIX_SSHOPTS=-p2222 when using a command that uses SSH (such as nix copy --to ssh-ng://root@localhost) stopped respecting the NIX_SSHOPTS setting because of an incorrect comparison.

This has been fixed, so NIX_SSHOPTS and SSH stores that are accessed like user@localhost work again.

PR: DeterminateSystems/nix-src#219

Fix error: [json.exception.type_error.302] type must be string, but is array when using exportReferencesGraph

We received a report of a nix build failing on a specific flake due to its expression using exportReferencesGraph with a heterogeneous array of dependencies, causing this inscrutable error.

This specific case has been broken since Nix 2.29.0, and is now fixed.

PRs: DeterminateSystems/nix-src#221, DeterminateSystems/nix-src#225

Full Changelog: v3.11.2...v3.11.3