Skip to content

nixpkgs

Nixpkgs 26.11 ("Zokor", 2026.11/??) {#sec-nixpkgs-release-26.11}

Nixpkgs

Nixpkgs 26.11 ("Zokor", 2026.11/??) {#sec-nixpkgs-release-26.11}

Nixpkgs 26.11 ("Zokor", 2026.11/??) {#sec-nixpkgs-release-26.11}

Highlights {#sec-nixpkgs-release-26.11-highlights}

  • Create the first release note entry in this section!

Backward Incompatibilities {#sec-nixpkgs-release-26.11-incompatibilities}

  • databricks-cli has been updated from 0.290.2 to 1.x.x, the first major release. OAuth tokens for interactive logins (auth_type = databricks-cli) are now stored in the OS-native secure store by default (Secret Service on Linux) instead of ~/.databricks/token-cache.json; cached tokens from older versions are not migrated, so run databricks auth login once per profile after upgrading. To keep the previous file-backed storage, set DATABRICKS_AUTH_STORAGE=plaintext or add auth_storage = plaintext under [__settings__] in ~/.databrickscfg. Additionally, the vector_search_endpoints DABs resource renamed min_qps to target_qps (and the vector-search-endpoints command renamed --min-qps to --target-qps). See the upstream changelog for details.

  • hurl has been updated to 8.x.x which has some breaking changes. See upstream changelog for details.

  • xsecurelock no longer supports authentication via htaccess files (~/.xsecurelock.pw) or via the pamtester program by default. Only the recommended PAM module is supported unless rebuilt with withHtaccess or withPamtester.

  • python3Packages.django-health-check has been updated to major version 4. See its migration guide and changelog for breaking changes.

  • libgdata has been removed, as it was archived upstream and relied on the insecure libsoup 2.4.

  • services.mysql now sets root@localhost authentication to auth_socket when used with mysql or percona-server. Existing deployments will also be adjusted if possible. See the security advisory GHSA-6qxx-6rg8-c4p8 for more information.

  • uhttpmock providing 0.0 ABI was removed. uhttpmock_1_0 providing 1.0 ABI was renamed to uhttpmock and uhttpmock_1_0 was kept as an alias.

  • nix-serve-ng (and haskellPackages.nix-serve-ng) is now built against Lix instead of CppNix, following upstream which has switched to Lix as its supported Nix implementation.

  • Linux kernel configuration has been moved out of the linux-kernel field of the platform structure into the kernel builders:

    • linux-kernel.name has been removed.
    • linux-kernel.target is available as the target parameter and passthru attribute on the kernel builders.
    • linux-kernel.installTarget has been removed, as it should not be necessary to customize.
    • linux-kernel.DTB is available as the buildDTBs parameter and passthru attribute on the kernel builders.
    • linux-kernel.{autoModules,preferBuiltin,extraConfig} were already available as kernel builder parameters.
  • The img argument of vmTools has been renamed to kernelImage, as it collided with the top-level img package. Additionally, the kernel module tree used inside the VM has been split out of the kernel argument into a new kernelModules argument (defaulting to kernel). Callers that overrode kernel with a module tree (e.g. from pkgs.aggregateModules) to make extra modules available must now pass it via kernelModules instead, keeping kernel pointing at a bootable kernel derivation.

  • The ARMv5 Linux kernel build now uses a standard configuration and generates a standard compressed image instead of the deprecated legacy U‐Boot image format. lib.systems.{examples,platforms}.{sheevaplug,pogoplug4} have been unified into lib.systems.examples.armv5tel-multiplatform. Note that there is no official support for ARMv5 and it is not possible to build even a simple NixOS configuration out of the box.

  • pdns has been updated from 5.0.x to 5.1.x. Please be sure to review the Upgrade Notes before upgrading. Namely LUA record updates are no longer allowed by default, and the embedded webserver no longer includes a access-control-allow-origin: * header by default.

  • Support for the legacy U‐Boot image format has been removed from the Linux kernel builders, as it is deprecated upstream and no longer used by any platform in Nixpkgs.

  • rke2 retires ingress-nginx and transitions to Traefik starting in rke2_1_36. Because ingress-nginx was retired upstream as of March 2026, Traefik is now the default for new clusters starting in v1.36 (existing clusters will keep their current ingress upon upgrade to avoid breakage). This transition brings the following structural changes:

    • Airgapped Environments: The rke2-images-core tarball now contains Traefik images instead of ingress-nginx. The standalone rke2-images-traefik tarball has been removed. Users who must continue using ingress-nginx will now need to manually provide the rke2-images-ingress-nginx tarball.
    • Future Removal: The ingress-nginx chart will not receive any additional updates and will be completely removed in v1.37 for community users.
  • buildFHSEnvChroot has been removed after deprecation in 23.05.

  • requireFile now sets meta.license = lib.licenses.unfree by default. Users of requireFile-based derivations that preserve this default will need to explicitly allow their evaluation as described in .

  • librest providing 0.7 ABI was removed. librest_1_0 providing 1.0 ABI was renamed to librest and librest_1_0 was kept as an alias.

  • pnpm_10 was upgraded to version 10.34.1+, which introduced stricter integrity checks. If you encounter ERR_PNPM_MISSING_TARBALL_INTEGRITY, you can fall back to the older pnpm_10_34_0.

  • fetchPnpmDeps' fetcherVersion = 1 and fetcherVersion = 2 have been removed, as announced in the 26.05 release. Packages still using them now throw an evaluation error and must migrate to fetcherVersion = 3 (or later) and regenerate their hashes. See the pnpm fetcherVersion section of the manual for details.

  • rebuilderd has been updated to 0.27.0 introducing breaking changes. See upstream changelog for details: 0.26.0, 0.27.0

  • Starting with v14, flameshot will primarily utilise xdg-desktop-portal calls for screenshotting. This will directly affect users on X11 window managers due to the lack of a compatible portal with Screenshot feature. See upstream changelog or NixOS Flameshot wiki page for workarounds.

Other Notable Changes {#sec-nixpkgs-release-26.11-notable-changes}

  • super-productivity has been updated. The binary has been renamed from super-productivity to superproductivity. A symlink from the old name is provided for backward compatibility.

  • Package-URL (PURL, https://github.com/package-url/purl-spec) metadata identifier has been added for fetchgit, fetchpypi and fetchFromGithub fetchers. mkDerivation has been adjusted to reuse this information. Package-URLs allow reliably identifying and locating software packages. Maintainers of derivations using the adapted fetchers should rely on the drv.src.meta.identifiers.v1.purl default identifier and can enhance their drv.meta.identifiers.v1.purls list once they would like to have additional identifiers. Maintainers using fetchurl for drv.src are urged to adapt their drv.meta.identifiers.purlParts for proper identification.

  • Emacs loads the early-default library after early-init.el. Users can add early-init.el via emacs.pkgs.withPackages by packaging early-init.el into a library named early-default. To prevent loading the early-default library, set inhibit-early-default-init in early-init.el.

  • services.ceph enabled the generation of Ceph log files at /var/log/ceph/. They were missing before because Ceph omitted logs when this directory was missing. Ceph logs can grow large, so you may want to configure rotation of these logs.

Nixpkgs Library {#sec-nixpkgs-release-26.11-lib}

Breaking changes {#sec-nixpkgs-release-26.11-lib-breaking}

  • Create the first release note entry in this section!

Deprecations {#sec-nixpkgs-release-26.11-lib-deprecations}

  • Create the first release note entry in this section!

Additions and Improvements {#sec-nixpkgs-release-26.11-lib-additions-improvements}

  • Create the first release note entry in this section!