Merge remote-tracking branch 'detsys/main' into sync-2.34

Author: edolstra

.github/workflows/build.yml

@@ -38,6 +38,12 @@ on:
         required: false
       manual_netlify_site_id:
         required: false
+      sentry_auth_token:
+        required: false
+      sentry_org:
+        required: false
+      sentry_project:
+        required: false
 
 jobs:
   build:
@@ -52,6 +58,14 @@ jobs:
       - uses: DeterminateSystems/flakehub-cache-action@main
       - run: nix build .#packages.${{ inputs.system }}.default .#packages.${{ inputs.system }}.binaryTarball --no-link -L
       - run: nix build .#packages.${{ inputs.system }}.binaryTarball --out-link tarball
+      - run: nix build .#^debug,out
+      - name: Upload debug info to Sentry
+        run: ./maintainers/upload-debug-info-to-sentry.py --debug-dir ./result-debug ./result/bin/nix
+        if: env.SENTRY_AUTH_TOKEN != ''
+        env:
+          SENTRY_AUTH_TOKEN: ${{ secrets.sentry_auth_token }}
+          SENTRY_ORG: ${{ secrets.sentry_org }}
+          SENTRY_PROJECT: ${{ secrets.sentry_project }}
       - uses: actions/upload-artifact@v6
         with:
           name: ${{ inputs.system }}

.github/workflows/ci.yml

@@ -44,6 +44,9 @@ jobs:
     secrets:
       manual_netlify_auth_token: ${{ secrets.NETLIFY_AUTH_TOKEN }}
       manual_netlify_site_id: ${{ secrets.NETLIFY_SITE_ID }}
+      sentry_auth_token: ${{ secrets.SENTRY_AUTH_TOKEN }}
+      sentry_org: ${{ secrets.SENTRY_ORG }}
+      sentry_project: ${{ secrets.SENTRY_PROJECT }}
 
   build_aarch64-linux:
     uses: ./.github/workflows/build.yml
@@ -62,6 +65,10 @@ jobs:
       runner: UbuntuLatest32Cores128GArm
       runner_for_virt: UbuntuLatest32Cores128GArm
       runner_small: UbuntuLatest32Cores128GArm
+    secrets:
+      sentry_auth_token: ${{ secrets.SENTRY_AUTH_TOKEN }}
+      sentry_org: ${{ secrets.SENTRY_ORG }}
+      sentry_project: ${{ secrets.SENTRY_PROJECT }}
 
   build_aarch64-darwin:
     uses: ./.github/workflows/build.yml
@@ -70,6 +77,10 @@ jobs:
       runner: namespace-profile-mac-m2-12c28g
       runner_for_virt: namespace-profile-mac-m2-12c28g
       runner_small: macos-latest-xlarge
+    secrets:
+      sentry_auth_token: ${{ secrets.SENTRY_AUTH_TOKEN }}
+      sentry_org: ${{ secrets.SENTRY_ORG }}
+      sentry_project: ${{ secrets.SENTRY_PROJECT }}
 
   success:
     runs-on: ubuntu-latest

.version-determinate

@@ -1 +1 @@
-3.17.3
+3.18.0

doc/manual/generate-manpage.nix

@@ -76,7 +76,11 @@ let
       subcommands = if length categories > 1 then listCategories else listSubcommands details.commands;
 
       categories = sort (x: y: x.id < y.id) (
-        unique (map (cmd: { inherit (cmd.category) id description; }) (attrValues details.commands))
+        unique (
+          map (cmd: { inherit (cmd.category) id description; }) (
+            builtins.filter (cmd: cmd.category.id != 103) (attrValues details.commands)
+          )
+        )
       );
 
       listCategories = concatStrings (map showCategory categories);

doc/manual/source/SUMMARY.md.in

@@ -148,6 +148,7 @@
   - [Contributing](development/contributing.md)
 - [Determinate Nix Release Notes](release-notes-determinate/index.md)
   - [Changes between Nix and Determinate Nix](release-notes-determinate/changes.md)<!-- next -->
+  - [Release 3.18.0 (2026-04-20)](release-notes-determinate/v3.18.0.md)
   - [Release 3.17.3 (2026-04-07)](release-notes-determinate/v3.17.3.md)
   - [Release 3.17.2 (2026-03-27)](release-notes-determinate/v3.17.2.md)
   - [Release 3.17.1 (2026-03-18)](release-notes-determinate/v3.17.1.md)

doc/manual/source/release-notes-determinate/changes.md

@@ -1,6 +1,6 @@
 # Changes between Nix and Determinate Nix
 
-This section lists the differences between upstream Nix 2.33 and Determinate Nix 3.17.3.<!-- differences -->
+This section lists the differences between upstream Nix 2.33 and Determinate Nix 3.18.0.<!-- differences -->
 
 * In Determinate Nix, flakes are stable. You no longer need to enable the `flakes` experimental feature.
 
@@ -153,43 +153,16 @@ This section lists the differences between upstream Nix 2.33 and Determinate Nix
 
 <!-- Determinate Nix version 3.15.2 -->
 
-* Path inputs are now lazy [DeterminateSystems/nix-src#312](https://github.com/DeterminateSystems/nix-src/pull/312)
-
-* Improved performance when fetching a lot of dependencies with curl [DeterminateSystems/nix-src#315](https://github.com/DeterminateSystems/nix-src/pull/315)
-
 <!-- Determinate Nix version 3.16.0 -->
 
-* Wasm support [DeterminateSystems/nix-src#309](https://github.com/DeterminateSystems/nix-src/pull/309)
-
-* Fix hung downloads when `http-connections = 0` [DeterminateSystems/nix-src#327](https://github.com/DeterminateSystems/nix-src/pull/327)
-
-* Support .gitattributes in subdirectories [DeterminateSystems/nix-src#335](https://github.com/DeterminateSystems/nix-src/pull/335)
-
-* builtins.getFlake fixes [DeterminateSystems/nix-src#337](https://github.com/DeterminateSystems/nix-src/pull/337)
+* Determinate Nix has an experimental builtin `builtins.wasm` that allows the Nix language to be extended using any language that compiles to Wasm. [DeterminateSystems/nix-src#309](https://github.com/DeterminateSystems/nix-src/pull/309)
 
-* builtins.getFlake: Support path values [DeterminateSystems/nix-src#338](https://github.com/DeterminateSystems/nix-src/pull/338)
+* `builtins.getFlake` supports path values. [DeterminateSystems/nix-src#338](https://github.com/DeterminateSystems/nix-src/pull/338)
 
-* Provenance [DeterminateSystems/nix-src#321](https://github.com/DeterminateSystems/nix-src/pull/321)
-
-* Add subcommand 'nix provenance show' [DeterminateSystems/nix-src#340](https://github.com/DeterminateSystems/nix-src/pull/340)
-
-* Increase the open file soft limit to the hard limit [DeterminateSystems/nix-src#347](https://github.com/DeterminateSystems/nix-src/pull/347)
+* Determinate Nix has support for keeping track of the provenance of store paths. [DeterminateSystems/nix-src#321](https://github.com/DeterminateSystems/nix-src/pull/321)
 
 <!-- Determinate Nix version 3.16.1 -->
 
-
-* Record provenance for unlocked inputs and impure evaluations in [DeterminateSystems/nix-src#354](https://github.com/DeterminateSystems/nix-src/pull/354)
-
-* Add setting narinfo-cache-meta-ttl in [DeterminateSystems/nix-src#355](https://github.com/DeterminateSystems/nix-src/pull/355)
-
-* Add derivationWithMeta builtin in [DeterminateSystems/nix-src#357](https://github.com/DeterminateSystems/nix-src/pull/357)
-
-* Add builtins.wasi in [DeterminateSystems/nix-src#359](https://github.com/DeterminateSystems/nix-src/pull/359)
-
-* Add `nix provenance verify` command in [DeterminateSystems/nix-src#356](https://github.com/DeterminateSystems/nix-src/pull/356)
-
-* builtins.hashString: Devirtualize lazy paths, and re-enable lazy trees tests in [DeterminateSystems/nix-src#360](https://github.com/DeterminateSystems/nix-src/pull/360)
-
 <!-- Determinate Nix version 3.16.2 -->
 
 
@@ -201,10 +174,12 @@ This section lists the differences between upstream Nix 2.33 and Determinate Nix
 
 <!-- Determinate Nix version 3.17.1 -->
 
-* Flake inputs are substituted if possible before fetching from the authoritative source, in [DeterminateSystems/nix-src#380](https://github.com/DeterminateSystems/nix-src/pull/380)
-
-* Provenance now supports additional nix.conf-defined tags, in [DeterminateSystems/nix-src#374](https://github.com/DeterminateSystems/nix-src/pull/374)
-
 <!-- Determinate Nix version 3.17.2 -->
 
 <!-- Determinate Nix version 3.17.3 -->
+
+<!-- Determinate Nix version 3.18.0 -->
+
+* Determinate Nix can upload crash info to Sentry. [DeterminateSystems/nix-src#418](https://github.com/DeterminateSystems/nix-src/pull/418)
+
+* Determinate Nix provides the pre-build hook with a JSON serialization of the derivation. [DeterminateSystems/nix-src#424](https://github.com/DeterminateSystems/nix-src/pull/424)

doc/manual/source/release-notes-determinate/v3.18.0.md

@@ -0,0 +1,42 @@
+# Release 3.18.0 (2026-04-20)
+
+* Based on [upstream Nix 2.33.3](../release-notes/rl-2.33.md).
+
+## What's Changed
+
+### Sentry integration
+
+In order to more proactively keep track of crashes, Sentry is now integrated into Determinate Nix.
+
+This allows us to more easily triage and remedy crashes that occur in the wild, without depending on manual use reports.
+
+It can be enabled by:
+
+* populating the file `/etc/nix/sentry-endpoint` with a Sentry DSN; or
+* setting the `NIX_SENTRY_ENDPOINT` environment variable to a Sentry DSN
+
+and can be disabled by:
+
+* setting the environment variable `DETSYS_IDS_TELEMETRY` to the value `disabled`; or
+* setting the environment variable `NIX_SENTRY_ENDPOINT` to an empty string
+
+PR: [DeterminateSystems/nix-src#418](https://github.com/DeterminateSystems/nix-src/pull/418)
+
+### Pre-build hook now receives the JSON serialization of the derivation
+
+The pre-build hook already received the path of the derivation as an argument, but that path doesn't typically exist when called as a remote build.
+
+Now, the pre-build hook is spawned with the environment variable `NIX_DERIVATION_V4` set to a file that contains the JSON representation of the derivation in v4 format, allowing instrospection of e.g. `requiredSystemFeatures` for scheduling decisions.
+
+PR: [DeterminateSystems/nix-src#424](https://github.com/DeterminateSystems/nix-src/pull/424)
+
+### Fix empty Git exports when using legacy Git compatibility
+
+A regression introduced in v3.16.0 made it possible for there to be empty Git exports in the Nix store when using legacy Git flakes (those depending on Nix 2.19 lockfile semantics).
+
+This is now fixed.
+
+PR: [DeterminateSystems/nix-src#425](https://github.com/DeterminateSystems/nix-src/pull/425)
+
+
+**Full Changelog**: [v3.17.3...v3.18.0](https://github.com/DeterminateSystems/nix-src/compare/v3.17.3...v3.18.0)

maintainers/upload-debug-info-to-sentry.py

@@ -0,0 +1,161 @@
+#!/usr/bin/env nix
+#!nix shell --inputs-from . nixpkgs#sentry-cli --command python3
+
+import argparse
+import json
+import os
+import platform
+import re
+import subprocess
+import sys
+import urllib.error
+import urllib.parse
+import urllib.request
+
+NAR_DIR = "/tmp/nars"
+DEBUG_INFO_DIR = "/tmp/debug-info"
+
+
+def get_dynamic_libraries(executable: str) -> list[str]:
+    if platform.system() == "Darwin":
+        result = subprocess.run(["otool", "-L", executable], capture_output=True, text=True, check=True)
+        libs = []
+        for line in result.stdout.splitlines()[1:]:  # skip first line (the binary path itself)
+            # otool -L output lines look like:
+            #   /nix/store/.../libfoo.dylib (compatibility version X.Y.Z, current version A.B.C)
+            m = re.match(r"\s+(\S+)\s+\(", line)
+            if m:
+                libs.append(m.group(1))
+        return libs
+    else:
+        result = subprocess.run(["ldd", executable], capture_output=True, text=True, check=True)
+        libs = []
+        for line in result.stdout.splitlines():
+            # ldd output lines look like:
+            #   libfoo.so.1 => /nix/store/.../libfoo.so.1 (0x...)
+            #   /lib64/ld-linux-x86-64.so.2 (0x...)
+            m = re.search(r"=> (/\S+)", line)
+            if m:
+                libs.append(m.group(1))
+            elif line.strip().startswith("/"):
+                path = line.strip().split()[0]
+                libs.append(path)
+        return libs
+
+
+def get_build_id(path: str) -> str | None:
+    result = subprocess.run(["readelf", "-n", path], capture_output=True, text=True)
+    m = re.search(r"Build ID:\s+([0-9a-f]+)", result.stdout)
+    return m.group(1) if m else None
+
+
+def download_nar(build_id: str, archive: str) -> str:
+    """Download a NAR to /tmp/nars and return the local path. Skips if already present."""
+    base_url = f"https://cache.nixos.org/debuginfo/{build_id}"
+    nar_url = urllib.parse.urljoin(base_url, archive)
+    filename = nar_url.split("/")[-1]
+    local_path = os.path.join(NAR_DIR, filename)
+    if not os.path.exists(local_path):
+        os.makedirs(NAR_DIR, exist_ok=True)
+        print(f"    downloading {nar_url} ...", file=sys.stderr)
+        urllib.request.urlretrieve(nar_url, local_path)
+    else:
+        print(f"    already have {filename}", file=sys.stderr)
+    return local_path
+
+
+def extract_debug_symbols(nar_path: str, member: str, build_id: str) -> str:
+    """Extract a member from a .nar.xz into /tmp/debug-info/<build_id>.debug. Returns the output path."""
+    out_path = os.path.join(DEBUG_INFO_DIR, f"{build_id}.debug")
+    if os.path.exists(out_path):
+        print(f"    already extracted {out_path}", file=sys.stderr)
+        return out_path
+    os.makedirs(DEBUG_INFO_DIR, exist_ok=True)
+    print(f"    extracting {member} -> {out_path} ...", file=sys.stderr)
+    xz = subprocess.Popen(["xz", "-d"], stdin=open(nar_path, "rb"), stdout=subprocess.PIPE)
+    nar_cat = subprocess.run(
+        ["nix", "nar", "cat", "/dev/stdin", member],
+        stdin=xz.stdout,
+        capture_output=True,
+        check=True,
+    )
+    xz.wait()
+    with open(out_path, "wb") as f:
+        f.write(nar_cat.stdout)
+    return out_path
+
+
+def find_debug_file_in_dirs(build_id: str, debug_dirs: list[str]) -> str | None:
+    """Look for a .debug file by build ID under <dir>/lib/debug/.build-id/NN/NNN.debug."""
+    subpath = os.path.join("lib", "debug", ".build-id", build_id[:2], build_id[2:] + ".debug")
+    for d in debug_dirs:
+        candidate = os.path.join(d, subpath)
+        if os.path.exists(candidate):
+            return candidate
+    return None
+
+
+def fetch_debuginfo(build_id: str) -> dict | None:
+    url = f"https://cache.nixos.org/debuginfo/{build_id}"
+    try:
+        with urllib.request.urlopen(url) as resp:
+            return json.loads(resp.read())
+    except urllib.error.HTTPError as e:
+        if e.code == 404:
+            return None
+        raise
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Upload debug symbols to Sentry."
+    )
+    parser.add_argument("executable", help="Path to the executable (e.g. ./result/bin/nix)")
+    parser.add_argument("--project", help="Sentry project ID")
+    parser.add_argument("--debug-dir", action="append", default=[], metavar="DIR",
+                        help="Directory to search for debug files (may be repeated, Linux only)")
+    args = parser.parse_args()
+
+    libs = [args.executable] + get_dynamic_libraries(args.executable)
+
+    if platform.system() == "Darwin":
+        # On macOS there are no separate debug info files; upload the binaries directly.
+        print("Files to upload:", file=sys.stderr)
+        for lib in libs:
+            print(f"  {lib}", file=sys.stderr)
+        files_to_upload = libs
+    else:
+        debug_files = []
+        print("ELF files to process:", file=sys.stderr)
+        for lib in libs:
+            build_id = get_build_id(lib)
+            if build_id is None:
+                print(f"  {lib} (no build ID)", file=sys.stderr)
+                continue
+
+            local = find_debug_file_in_dirs(build_id, args.debug_dir)
+            if local:
+                print(f"  {lib} ({build_id}): found locally at {local}", file=sys.stderr)
+                debug_files.append(local)
+                continue
+
+            debuginfo = fetch_debuginfo(build_id)
+            if debuginfo is None:
+                print(f"  {lib} ({build_id}, no debug info in cache)", file=sys.stderr)
+                continue
+            print(f"  {lib} ({build_id}): member={debuginfo['member']}", file=sys.stderr)
+            nar_path = download_nar(build_id, debuginfo["archive"])
+            debug_file = extract_debug_symbols(nar_path, debuginfo["member"], build_id)
+            debug_files.append(debug_file)
+        files_to_upload = debug_files
+
+    if files_to_upload:
+        print(f"Uploading {len(files_to_upload)} file(s) to Sentry...", file=sys.stderr)
+        cmd = ["sentry-cli", "debug-files", "upload"]
+        if args.project:
+            cmd += ["--project", args.project]
+        subprocess.run(cmd + files_to_upload, check=True)
+
+
+if __name__ == "__main__":
+    main()

packaging/dependencies.nix

@@ -142,4 +142,9 @@ scope: {
       });
 
   wasmtime = pkgs.callPackage ./wasmtime.nix { };
+
+  sentry-native = (pkgs.callPackage ./sentry-native.nix { }).override {
+    # Avoid having two curls in our closure.
+    inherit (scope) curl;
+  };
 }

packaging/dev-shell.nix

@@ -291,7 +291,8 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
       map (transformFlag "perl") (ignoreCrossFile pkgs.nixComponents2.nix-perl-bindings.mesonFlags)
     )
     ++ map (transformFlag "libexpr") (ignoreCrossFile pkgs.nixComponents2.nix-expr.mesonFlags)
-    ++ map (transformFlag "libcmd") (ignoreCrossFile pkgs.nixComponents2.nix-cmd.mesonFlags);
+    ++ map (transformFlag "libcmd") (ignoreCrossFile pkgs.nixComponents2.nix-cmd.mesonFlags)
+    ++ map (transformFlag "nix") (ignoreCrossFile pkgs.nixComponents2.nix-cli.mesonFlags);
 
     nativeBuildInputs =
       let