mirror of
https://github.com/privatevoid-net/nix-super.git
synced 2024-11-29 09:06:15 +02:00
Merge remote-tracking branch 'nixos/master'
This commit is contained in:
commit
c076362db8
8 changed files with 132 additions and 14 deletions
7
.github/CODEOWNERS
vendored
7
.github/CODEOWNERS
vendored
|
@ -14,5 +14,12 @@
|
|||
/doc @fricklerhandwerk
|
||||
*.md @fricklerhandwerk
|
||||
|
||||
# Documentation of built-in functions
|
||||
src/libexpr/primops.cc @fricklerhandwerk @roberth
|
||||
# Documentation on experimental features
|
||||
src/libutil/experimental-features.cc @fricklerhandwerk
|
||||
# Documentation on configuration settings
|
||||
src/libstore/globals.hh @fricklerhandwerk
|
||||
|
||||
# Libstore layer
|
||||
/src/libstore @thufschmitt
|
||||
|
|
3
.gitignore
vendored
3
.gitignore
vendored
|
@ -144,3 +144,6 @@ result
|
|||
|
||||
# clangd and possibly more
|
||||
.cache/
|
||||
|
||||
# Mac OS
|
||||
.DS_Store
|
||||
|
|
|
@ -212,8 +212,16 @@ static Flake getFlake(
|
|||
auto [storePath, resolvedRef, lockedRef] = fetchOrSubstituteTree(
|
||||
state, originalRef, allowLookup, flakeCache);
|
||||
|
||||
// We need to guard against symlink attacks, but before we start doing
|
||||
// filesystem operations we should make sure there's a flake.nix in the
|
||||
// first place.
|
||||
auto unsafeFlakeDir = state.store->toRealPath(storePath) + "/" + lockedRef.subdir;
|
||||
auto unsafeFlakeFile = unsafeFlakeDir + "/flake.nix";
|
||||
if (!pathExists(unsafeFlakeFile))
|
||||
throw Error("source tree referenced by '%s' does not contain a '%s/flake.nix' file", lockedRef, lockedRef.subdir);
|
||||
|
||||
// Guard against symlink attacks.
|
||||
auto flakeDir = canonPath(state.store->toRealPath(storePath) + "/" + lockedRef.subdir, true);
|
||||
auto flakeDir = canonPath(unsafeFlakeDir, true);
|
||||
auto flakeFile = canonPath(flakeDir + "/flake.nix", true);
|
||||
if (!isInDir(flakeFile, state.store->toRealPath(storePath)))
|
||||
throw Error("'flake.nix' file of flake '%s' escapes from '%s'",
|
||||
|
@ -226,9 +234,6 @@ static Flake getFlake(
|
|||
.storePath = storePath,
|
||||
};
|
||||
|
||||
if (!pathExists(flakeFile))
|
||||
throw Error("source tree referenced by '%s' does not contain a '%s/flake.nix' file", lockedRef, lockedRef.subdir);
|
||||
|
||||
Value vInfo;
|
||||
state.evalFile(state.rootPath(CanonPath(flakeFile)), vInfo, false); // FIXME: symlink attack
|
||||
|
||||
|
@ -358,10 +363,13 @@ LockedFlake lockFlake(
|
|||
debug("old lock file: %s", oldLockFile);
|
||||
|
||||
std::map<InputPath, FlakeInput> overrides;
|
||||
std::set<InputPath> explicitCliOverrides;
|
||||
std::set<InputPath> overridesUsed, updatesUsed;
|
||||
|
||||
for (auto & i : lockFlags.inputOverrides)
|
||||
for (auto & i : lockFlags.inputOverrides) {
|
||||
overrides.insert_or_assign(i.first, FlakeInput { .ref = i.second });
|
||||
explicitCliOverrides.insert(i.first);
|
||||
}
|
||||
|
||||
LockFile newLockFile;
|
||||
|
||||
|
@ -432,6 +440,7 @@ LockedFlake lockFlake(
|
|||
ancestors? */
|
||||
auto i = overrides.find(inputPath);
|
||||
bool hasOverride = i != overrides.end();
|
||||
bool hasCliOverride = explicitCliOverrides.contains(inputPath);
|
||||
if (hasOverride) {
|
||||
overridesUsed.insert(inputPath);
|
||||
// Respect the “flakeness” of the input even if we
|
||||
|
@ -467,7 +476,7 @@ LockedFlake lockFlake(
|
|||
|
||||
if (oldLock
|
||||
&& oldLock->originalRef == *input.ref
|
||||
&& !hasOverride)
|
||||
&& !hasCliOverride)
|
||||
{
|
||||
debug("keeping existing input '%s'", inputPathS);
|
||||
|
||||
|
@ -547,7 +556,7 @@ LockedFlake lockFlake(
|
|||
nuked the next time we update the lock
|
||||
file. That is, overrides are sticky unless you
|
||||
use --no-write-lock-file. */
|
||||
auto ref = input2.ref ? *input2.ref : *input.ref;
|
||||
auto ref = (input2.ref && explicitCliOverrides.contains(inputPath)) ? *input2.ref : *input.ref;
|
||||
|
||||
if (input.isFlake) {
|
||||
Path localPath = parentPath;
|
||||
|
|
|
@ -3179,9 +3179,16 @@ static RegisterPrimOp primop_foldlStrict({
|
|||
.doc = R"(
|
||||
Reduce a list by applying a binary operator, from left to right,
|
||||
e.g. `foldl' op nul [x0 x1 x2 ...] = op (op (op nul x0) x1) x2)
|
||||
...`. For example, `foldl' (x: y: x + y) 0 [1 2 3]` evaluates to 6.
|
||||
The return value of each application of `op` is evaluated immediately,
|
||||
even for intermediate values.
|
||||
...`.
|
||||
|
||||
For example, `foldl' (acc: elem: acc + elem) 0 [1 2 3]` evaluates
|
||||
to `6` and `foldl' (acc: elem: { "${elem}" = elem; } // acc) {}
|
||||
["a" "b"]` evaluates to `{ a = "a"; b = "b"; }`.
|
||||
|
||||
The first argument of `op` is the accumulator whereas the second
|
||||
argument is the current element being processed. The return value
|
||||
of each application of `op` is evaluated immediately, even for
|
||||
intermediate values.
|
||||
)",
|
||||
.fun = prim_foldlStrict,
|
||||
});
|
||||
|
|
|
@ -11,6 +11,8 @@
|
|||
#include "fs-input-accessor.hh"
|
||||
#include "mounted-input-accessor.hh"
|
||||
#include "git-utils.hh"
|
||||
#include "logging.hh"
|
||||
#include "finally.hh"
|
||||
|
||||
#include "fetch-settings.hh"
|
||||
|
||||
|
@ -315,6 +317,9 @@ struct GitInputScheme : InputScheme
|
|||
runProgram("git", true,
|
||||
{ "-C", repoInfo.url, "--git-dir", repoInfo.gitDir, "add", "--intent-to-add", "--", std::string(path.rel()) });
|
||||
|
||||
// Pause the logger to allow for user input (such as a gpg passphrase) in `git commit`
|
||||
logger->pause();
|
||||
Finally restoreLogger([]() { logger->resume(); });
|
||||
if (commitMsg)
|
||||
runProgram("git", true,
|
||||
{ "-C", repoInfo.url, "--git-dir", repoInfo.gitDir, "commit", std::string(path.rel()), "-m", *commitMsg });
|
||||
|
|
|
@ -183,7 +183,9 @@ public:
|
|||
command line switch and defaults to `1`. The value `0` means that
|
||||
the builder should use all available CPU cores in the system.
|
||||
)",
|
||||
{"build-cores"}, false};
|
||||
{"build-cores"},
|
||||
// Don't document the machine-specific default value
|
||||
false};
|
||||
|
||||
/**
|
||||
* Read-only mode. Don't copy stuff to the store, don't change
|
||||
|
@ -699,7 +701,10 @@ public:
|
|||
|
||||
Build systems will usually detect the target platform to be the current physical system and therefore produce machine code incompatible with what may be intended in the derivation.
|
||||
You should design your derivation's `builder` accordingly and cross-check the results when using this option against natively-built versions of your derivation.
|
||||
)", {}, false};
|
||||
)",
|
||||
{},
|
||||
// Don't document the machine-specific default value
|
||||
false};
|
||||
|
||||
Setting<StringSet> systemFeatures{
|
||||
this,
|
||||
|
@ -744,7 +749,10 @@ public:
|
|||
[nspawn]: https://github.com/NixOS/nix/blob/67bcb99700a0da1395fa063d7c6586740b304598/tests/systemd-nspawn.nix.
|
||||
|
||||
Included by default on Linux if the [`auto-allocate-uids`](#conf-auto-allocate-uids) setting is enabled.
|
||||
)", {}, false};
|
||||
)",
|
||||
{},
|
||||
// Don't document the machine-specific default value
|
||||
false};
|
||||
|
||||
Setting<Strings> substituters{
|
||||
this,
|
||||
|
|
|
@ -167,7 +167,10 @@ struct StoreConfig : public Config
|
|||
Optional [system features](@docroot@/command-ref/conf-file.md#conf-system-features) available on the system this store uses to build derivations.
|
||||
|
||||
Example: `"kvm"`
|
||||
)" };
|
||||
)",
|
||||
{},
|
||||
// Don't document the machine-specific default value
|
||||
false};
|
||||
};
|
||||
|
||||
class Store : public std::enable_shared_from_this<Store>, public virtual StoreConfig
|
||||
|
|
|
@ -260,3 +260,79 @@ EOF
|
|||
|
||||
checkRes=$(nix flake lock "$flakeFollowCycle" 2>&1 && fail "nix flake lock should have failed." || true)
|
||||
echo $checkRes | grep -F "error: follow cycle detected: [baz -> foo -> bar -> baz]"
|
||||
|
||||
|
||||
# Test transitive input url locking
|
||||
# This tests the following lockfile issue: https://github.com/NixOS/nix/issues/9143
|
||||
#
|
||||
# We construct the following graph, where p->q means p has input q.
|
||||
#
|
||||
# A -> B -> C
|
||||
#
|
||||
# And override B/C to flake D, first in A's flake.nix and then with --override-input.
|
||||
#
|
||||
# A -> B -> D
|
||||
flakeFollowsCustomUrlA="$TEST_ROOT/follows/custom-url/flakeA"
|
||||
flakeFollowsCustomUrlB="$TEST_ROOT/follows/custom-url/flakeA/flakeB"
|
||||
flakeFollowsCustomUrlC="$TEST_ROOT/follows/custom-url/flakeA/flakeB/flakeC"
|
||||
flakeFollowsCustomUrlD="$TEST_ROOT/follows/custom-url/flakeA/flakeB/flakeD"
|
||||
|
||||
|
||||
createGitRepo "$flakeFollowsCustomUrlA"
|
||||
mkdir -p "$flakeFollowsCustomUrlB"
|
||||
mkdir -p "$flakeFollowsCustomUrlC"
|
||||
mkdir -p "$flakeFollowsCustomUrlD"
|
||||
|
||||
cat > "$flakeFollowsCustomUrlD/flake.nix" <<EOF
|
||||
{
|
||||
description = "Flake D";
|
||||
inputs = {};
|
||||
outputs = { ... }: {};
|
||||
}
|
||||
EOF
|
||||
|
||||
cat > "$flakeFollowsCustomUrlC/flake.nix" <<EOF
|
||||
{
|
||||
description = "Flake C";
|
||||
inputs = {};
|
||||
outputs = { ... }: {};
|
||||
}
|
||||
EOF
|
||||
|
||||
cat > "$flakeFollowsCustomUrlB/flake.nix" <<EOF
|
||||
{
|
||||
description = "Flake B";
|
||||
inputs = {
|
||||
C = {
|
||||
url = "path:./flakeC";
|
||||
};
|
||||
};
|
||||
outputs = { ... }: {};
|
||||
}
|
||||
EOF
|
||||
|
||||
cat > "$flakeFollowsCustomUrlA/flake.nix" <<EOF
|
||||
{
|
||||
description = "Flake A";
|
||||
inputs = {
|
||||
B = {
|
||||
url = "path:./flakeB";
|
||||
inputs.C.url = "path:./flakeB/flakeD";
|
||||
};
|
||||
};
|
||||
outputs = { ... }: {};
|
||||
}
|
||||
EOF
|
||||
|
||||
git -C "$flakeFollowsCustomUrlA" add flake.nix flakeB/flake.nix \
|
||||
flakeB/flakeC/flake.nix flakeB/flakeD/flake.nix
|
||||
|
||||
# lock "original" entry should contain overridden url
|
||||
json=$(nix flake metadata "$flakeFollowsCustomUrlA" --json)
|
||||
[[ $(echo "$json" | jq -r .locks.nodes.C.original.path) = './flakeB/flakeD' ]]
|
||||
rm "$flakeFollowsCustomUrlA"/flake.lock
|
||||
|
||||
# if override-input is specified, lock "original" entry should contain original url
|
||||
json=$(nix flake metadata "$flakeFollowsCustomUrlA" --override-input B/C "path:./flakeB/flakeD" --json)
|
||||
echo "$json" | jq .locks.nodes.C.original
|
||||
[[ $(echo "$json" | jq -r .locks.nodes.C.original.path) = './flakeC' ]]
|
||||
|
|
Loading…
Reference in a new issue