The nix-darwin master branch no longer allows following a nixpkgs release branch

[belak]

As the title says, with the additional enableNixpkgsReleaseCheck check, it is no longer possible to use a release version of nixpkgs (nixpkgs-24.11-darwin) with the nix-darwin master branch.

I was hoping to pull in the changes from my recent pull request without swapping to nixpkgs-unstable for all darwin packages.

If that's not supported that may be fine (though confusing), as long as I can still pass in the release branch as pkgs when calling darwin.lib.darwinSystem. It would just be good to clarify what nixpkgs-unstable and nixpkgs-24.11-darwin are actually used for.

[emilazy]

This is intentional; part of why we just started to use release branches is that we previously had to do elaborate backwards‐compatibility hacks to support multiple versions of Nixpkgs (mostly because of changes to the library and module system). This also means that, like NixOS, we can avoid making breaking changes on stable branches and be free to evolve more rapidly on the unstable branch. As with NixOS and Home Manager, the version of Nixpkgs has to match. See #727 for the detailed rationale.

However, in this case your changes are backwards‐compatible and could therefore be backported freely to the stable branch. We don’t yet have an automated process for doing this, but you can git cherry-pick -x the commit on top of nix-darwin-24.11, and send a PR to that branch, e.g. with the title “[24.11] Add support for additional window tiling options”.

[lvitaly]

I faced an issue with the 'libcap' build after bumping from the master to the nix-darwin-24.11. I am not 100% sure that it is related, but I have had no such issues before 🤷‍♂️

Build output

building '/nix/store/54g0q3dl4dcvsrpzzvlb2hd8wwzv57xf-libcap-2.70.drv'...
Running phase: unpackPhase
unpacking source archive /nix/store/wf63n0y28dfcilj1ffqsd9pj49bqa88v-libcap-2.70.tar.xz
source root is libcap-2.70
setting SOURCE_DATE_EPOCH to timestamp 1716094122 of file libcap-2.70/doc/pam_cap.8
Running phase: patchPhase
patching script interpreter paths in ./progs/mkcapshdoc.sh
./progs/mkcapshdoc.sh: interpreter directive changed from "#!/bin/bash" to "/nix/store/pniqzyn2jjcx2wyxdgkpw6f98c7yf56y-bash-5.2p37/bin/bash"
substituteStream() in derivation libcap-2.70: WARNING: '--replace' is deprecated, use --replace-{fail,warn,quiet}. (file 'progs/capsh.c')
Running phase: updateAutotoolsGnuConfigScriptsPhase
Running phase: configurePhase
no configure script, doing nothing
Running phase: buildPhase
build flags: SHELL=/nix/store/pniqzyn2jjcx2wyxdgkpw6f98c7yf56y-bash-5.2p37/bin/bash lib=lib PAM_CAP=yes BUILD_CC=\$\(CC_FOR_BUILD\) CC:=\$\(CC\) CROSS_COMPILE=
make -C libcap all
make[1]: Entering directory '/private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap'
sed -e 's,@prefix@,/nix/store/wpqssrgrzmgqr4bw6y26hs4c7lx8yxxv-libcap-2.70-lib,' \
        -e 's,@exec_prefix@,/nix/store/w8ihzqgcjgmaldr42rwbalk9cdk9bnrf-libcap-2.70,' \
        -e 's,@libdir@,/nix/store/wpqssrgrzmgqr4bw6y26hs4c7lx8yxxv-libcap-2.70-lib/lib,' \
        -e 's,@includedir@,/nix/store/72lrsq58lf9d7j199qi85iv4zkqz1b7q-libcap-2.70-dev/include,' \
        -e 's,@VERSION@,2.70,' \
        -e 's,@deps@,,' \
        libcap.pc.in >libcap.pc
make libpsx.pc
make[2]: Entering directory '/private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap'
sed -e 's,@prefix@,/nix/store/wpqssrgrzmgqr4bw6y26hs4c7lx8yxxv-libcap-2.70-lib,' \
        -e 's,@exec_prefix@,/nix/store/w8ihzqgcjgmaldr42rwbalk9cdk9bnrf-libcap-2.70,' \
        -e 's,@libdir@,/nix/store/wpqssrgrzmgqr4bw6y26hs4c7lx8yxxv-libcap-2.70-lib/lib,' \
        -e 's,@includedir@,/nix/store/72lrsq58lf9d7j199qi85iv4zkqz1b7q-libcap-2.70-dev/include,' \
        -e 's,@VERSION@,2.70,' \
        -e 's,@deps@,,' \
        libpsx.pc.in >libpsx.pc
make[2]: Leaving directory '/private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap'
=> making cap_names.list.h from /private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap/../libcap/include/uapi/linux/capability.h
grep -E '^#define\s+CAP_([^\s]+)\s+[0-9]+\s*$' include/uapi/linux/capability.h | sed -e 's/^#define\s\+/{"/' -e 's/\s*$/},/' -e 's/\s\+/",/' -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/' > cap_names.list.h
clang -O2 -Dlinux -Wall -Wwrite-strings -Wpointer-arith -Wcast-qual -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wshadow -Wunreachable-code  -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap/../libcap/include/uapi -I/private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap/../libcap/include _makenames.c -o _makenames
copying path '/nix/store/566aqh65m7vgad1fcishgmkc7d67jkim-str-util-0.1.0' from 'https://cache.nixos.org'...
copying path '/nix/store/9jfz1l0n1vsjc1xv83nnyfnhs8bk3i77-syn-2.0.48' from 'https://cache.nixos.org'...
./_makenames > cap_names.h
clang -O2  -Wall -Wwrite-strings -Wpointer-arith -Wcast-qual -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wshadow -Wunreachable-code -fPIC -Dlinux -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap/../libcap/include/uapi -I/private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap/../libcap/include -c cap_alloc.c -o cap_alloc.o
clang -O2  -Wall -Wwrite-strings -Wpointer-arith -Wcast-qual -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wshadow -Wunreachable-code -fPIC -Dlinux -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap/../libcap/include/uapi -I/private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap/../libcap/include -c cap_proc.c -o cap_proc.o
cap_proc.c:14:10: fatal error: 'sys/prctl.h' file not found
#include <sys/prctl.h>
         ^~~~~~~~~~~~~
1 error generated.
make[1]: *** [Makefile:135: cap_proc.o] Error 1
make[1]: Leaving directory '/private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap'
make: *** [Makefile:12: all] Error 2
error: builder for '/nix/store/54g0q3dl4dcvsrpzzvlb2hd8wwzv57xf-libcap-2.70.drv' failed with exit code 2;
       last 25 log lines:
       >    -e 's,@deps@,,' \
       >      libcap.pc.in >libcap.pc
       > make libpsx.pc
       > make[2]: Entering directory '/private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap'
       > sed -e 's,@prefix@,/nix/store/wpqssrgrzmgqr4bw6y26hs4c7lx8yxxv-libcap-2.70-lib,' \
       >         -e 's,@exec_prefix@,/nix/store/w8ihzqgcjgmaldr42rwbalk9cdk9bnrf-libcap-2.70,' \
       >        -e 's,@libdir@,/nix/store/wpqssrgrzmgqr4bw6y26hs4c7lx8yxxv-libcap-2.70-lib/lib,' \
       >     -e 's,@includedir@,/nix/store/72lrsq58lf9d7j199qi85iv4zkqz1b7q-libcap-2.70-dev/include,' \
       >     -e 's,@VERSION@,2.70,' \
       >       -e 's,@deps@,,' \
       >      libpsx.pc.in >libpsx.pc
       > make[2]: Leaving directory '/private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap'
       > => making cap_names.list.h from /private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap/../libcap/include/uapi/linux/capability.h
       > grep -E '^#define\s+CAP_([^\s]+)\s+[0-9]+\s*$' include/uapi/linux/capability.h | sed -e 's/^#define\s\+/{"/' -e 's/\s*$/},/' -e 's/\s\+/",/' -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/' > cap_names.list.h
       > clang -O2 -Dlinux -Wall -Wwrite-strings -Wpointer-arith -Wcast-qual -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wshadow -Wunreachable-code  -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap/../libcap/include/uapi -I/private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap/../libcap/include _makenames.c -o _makenames
       > ./_makenames > cap_names.h
       > clang -O2  -Wall -Wwrite-strings -Wpointer-arith -Wcast-qual -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wshadow -Wunreachable-code -fPIC -Dlinux -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap/../libcap/include/uapi -I/private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap/../libcap/include -c cap_alloc.c -o cap_alloc.o
       > clang -O2  -Wall -Wwrite-strings -Wpointer-arith -Wcast-qual -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline -Wshadow -Wunreachable-code -fPIC -Dlinux -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -I/private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap/../libcap/include/uapi -I/private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap/../libcap/include -c cap_proc.c -o cap_proc.o
       > cap_proc.c:14:10: fatal error: 'sys/prctl.h' file not found
       > #include <sys/prctl.h>
       >          ^~~~~~~~~~~~~
       > 1 error generated.
       > make[1]: *** [Makefile:135: cap_proc.o] Error 1
       > make[1]: Leaving directory '/private/tmp/nix-build-libcap-2.70.drv-0/libcap-2.70/libcap'
       > make: *** [Makefile:12: all] Error 2
       For full logs, run 'nix-store -l /nix/store/54g0q3dl4dcvsrpzzvlb2hd8wwzv57xf-libcap-2.70.drv'.

error: 1 dependencies of derivation '/nix/store/820n8m1aia9r9cyr2a6gy2ybpdkhrn7p-systemd-minimal-libs-256.10.drv' failed to build
copying path '/nix/store/x2mnpwx3p8n8gb44q8nyb0mbsd5666h8-syntax-gen-0.1.0' from 'https://cache.nixos.org'...
copying path '/nix/store/cfs3x9s9z4r8pvxfkn471nbmaxxfrl43-tempfile-3.10.0' from 'https://cache.nixos.org'...
error: 1 dependencies of derivation '/nix/store/3issgrd2djji0wajkmdh84w60ndql6jm-gradle-8.10.2.drv' failed to build
error: 1 dependencies of derivation '/nix/store/5cx2n5mqd66mvk8vpdsln48wynq0ynjx-gradle-8.10.2.drv' failed to build
copying path '/nix/store/n3fb6l9bkmn72zb1hiwqqk72qbdvzck4-termcolor-1.4.1' from 'https://cache.nixos.org'...
error: 1 dependencies of derivation '/nix/store/gl8mi811wg5v53bfa0jfk9b1m2xcflp6-gradle-8.10.2-fish-completions.drv' failed to build
error: 1 dependencies of derivation '/nix/store/9w6ss49cxpg5pqwqgyh9q60g8fjyd5mk-home-manager-applications.drv' failed to build
error: 1 dependencies of derivation '/nix/store/qhxliz0ffvbrch53kybxdnyfap9cdxqy-home-manager-fonts.drv' failed to build
error: 1 dependencies of derivation '/nix/store/sfa9r14cn57l3spa2bf3p4cp8g6dxmpp-home-manager-path.drv' failed to build
error: 1 dependencies of derivation '/nix/store/209lym89xmjwhs616jczpaj7nnqmvh2w-man-paths.drv' failed to build
error: 1 dependencies of derivation '/nix/store/24hihi6cs8yq3pvrsghsqr3491mc8sx6-home-manager-generation.drv' failed to build
error: 1 dependencies of derivation '/nix/store/3y6kdg4ig3rilby86k7dviz0vvdnaiyh-activation-vitaliy.lagutin.drv' failed to build
copying path '/nix/store/ngsakrnjl8384i9akmf0n6n7xsjk7xah-tzdata-2024b' from 'https://cache.nixos.org'...
copying path '/nix/store/2jy5ng7zj78smcar6zc8b9ks8wakb6wa-vim-9.1.0787' from 'https://cache.nixos.org'...
copying path '/nix/store/hvyqbzb0vmvf9qqi7kgwr98c0hgrrb18-zsh-5.9' from 'https://cache.nixos.org'...
copying path '/nix/store/lmbnsgzdcpv2rv2sij402n15phlcnlbv-zsh-5.9-man' from 'https://cache.nixos.org'...
error: 1 dependencies of derivation '/nix/store/r7xdz0falwgr35p9fqm7w9xld8zss2fl-darwin-system-24.11.drv' failed to build

[belak]

Yeah, the messaging was pretty clear that it was intentional, but I was hoping there would still be a way to force disable the check for testing purposes, or some other workaround.

Especially because if I wanted to use my own fork to backport my changes, I would need to make sure the branch name matches the expected one. It also makes it much harder to test PR changes against a flake for the same reason.

[belak]

I'm happy to backport the changes to 24.11 if that's the best path forward, but I wouldn't want to slow down any work to decide on a policy for backports, or automatically backport changes when possible. I can wait if necessary.

[Samasaur1]

There is an option to disable the check, enableNixpkgsReleaseCheck:

nix-darwin/eval-config.nix

Line 22 in 87131f5

, enableNixpkgsReleaseCheck ? true

[emilazy]

From my perspective the policy is just the same as in NixOS, i.e. backporting non‐breaking changes to supported branches is just fine. Although the check can be disabled I wouldn’t recommend it, since there’s no guarantees it will work going forward. I’d suggest using --override-input to test changes.

@lvitaly I’m not sure why your system would be building libcap. I don’t think that package is supported on macOS.

[emilazy]

Also – not sure if I understand what you mean here but just to clarify:

Especially because if I wanted to use my own fork to backport my changes, I would need to make sure the branch name matches the expected one

The branch name itself doesn’t matter. version.json contains the information about the corresponding release branch. The error message talks about branch names just because that’s how most users are going to interact with the different releases since generally people aren’t using their own forks. As long as you base your changes on nix-darwin-24.11 or master, they’ll work with the corresponding version of Nixpkgs regardless of branch name.

[belak]

Ah, I see - I misunderstood how the branches and version.json work.

Just as an experiment, I tried adding enableNixpkgsReleaseCheck = false to my darwin.lib.darwinSystem call, but I'm getting this:

building the system configuration...
error:
       … from call site
         at /nix/store/ly42plg4k6v34yy5xhw8k9h048dg3awh-source/eval-config.nix:80:10:
           79|
           80|   eval = lib.evalModules (builtins.removeAttrs args [ "lib" ] // {
             |          ^
           81|     class = "darwin";

       error: function 'evalModules' called with unexpected argument 'enableNixpkgsReleaseCheck'
       at /nix/store/i6py4qcv1j06vc5dqbamr0vhcrcv8hwk-source/lib/modules.nix:85:17:
           84|      evalModules) and the less declarative the module set is. */
           85|   evalModules = evalModulesArgs@
             |                 ^
           86|                 { modules

I also tried adding it to one of the modules and that gets the expected The option 'enableNixpkgsReleaseCheck' does not exist. error. Is there a different way that option is supposed to be used?

In any sense, knowing that backporting is an option, I've opened up #1289 to backport my PR for now.

[emilazy]

Whoops; you didn’t mess anything up, I just never tested enableNixpkgsReleaseCheck so it was broken 😅 #1290 should fix it (and I’ll backport it after merge).

[belak]

I've confirmed that enableNixpkgsReleaseCheck works for me now - I think with that option fixed, my original issue is resolved.

I'll keep thinking about the phrasing of the check message, and if I come up with any improvements I'll let you know.

Thanks for the quick responses!

[lvitaly]

@lvitaly I’m not sure why your system would be building libcap. I don’t think that package is supported on macOS.

It looks like the gradle package triggers the libcap. After I removed it from my home.nix file, everything ran well. Except for annoying warning messages

warning: ignoring the client-specified setting 'system-features', because it is a restricted setting and you are not a trusted user

Sorry for off-topic 😇