Release 3.21.0 (2026-05-22)
- Based on upstream Nix 2.34.6.
CNSA 1.0 and 2.0 signing algorithm support
Determinate Nix now supports a subset of CNSA 1.0 and 2.0 signature algorithms: ecdsa-p384, ml-dsa-44, ml-dsa-65, and ml-dsa-87. ML-DSA is a post-quantum cryptography signature scheme.
Support for these algorithms is gated behind the experimental feature cnsa.
To use these signatures, enable the cnsa experimental feature and call nix key generate-secret with --key-type ecdsa-p384|ml-dsa-{44,65,87}.
Otherwise, everything works the same as with the existing ed25519 (libsodium) signatures, except that the new algorithms produce larger keys and signatures (especially ML-DSA).
We've also added commands nix key convert-{public,secret}-to-pem, which may be useful if you want to use the keys with the openssl CLI.
PR: DeterminateSystems/nix-src#449
nix serve command
The new nix serve command provides a built-in binary cache server, similar to nix-serve.
It's mostly intended for testing and to serve as a reference implementation of binary caches.
PR: DeterminateSystems/nix-src#428
Lazy fetchTarball
fetchTarball is now lazy, which can prevent unnecessary copying of source trees into the Nix store.
PRs:
Various bug fixes
- Restore resBuildResult fields for failed builds DeterminateSystems/nix-src#453
- parseString(): Fix out-of-bounds read DeterminateSystems/nix-src#454
- filetransfer: handle exceptions thrown from enqueueItem DeterminateSystems/nix-src#348
- libfetchers: verify git-lfs returns the same objects as git DeterminateSystems/nix-src#456
- HttpBinaryCacheStore: Don't ignore 401/407 errors DeterminateSystems/nix-src#461
- Remove non-atomically initialised variable vImportedDrvToDerivation DeterminateSystems/nix-src#464
- Re-enable TCP keep-alive and handle S3's XML errors DeterminateSystems/nix-src#463
- Fix logging segfault by leaking logger DeterminateSystems/nix-src#470
Full Changelog: v3.20.0...v3.21.0