Commit graph

842 commits

Author SHA1 Message Date
Eelco Dolstra
c2d27d30cf nix-copy-closure / build-remote.pl: Disable signature checking
This restores the Nix 1.11 behaviour.
2016-05-31 11:48:05 +02:00
Gabriel Gonzalez
3889415bf8 Fix ?? in Nix warning message
Nix sometimes outputs a warning message like this:

```
directory /nix does not exist; creating it by running ‘?? using sudo
```

... when it really meant to output something that looked like this:

```
directory /nix does not exist; creating it by running 'mkdir -m 0755 /nix && chown gabriel /nix' using sudo
```

The reason why is due to some bizarre behavior in Bash where it will translate anything of the form `$x’` to `??`, leading to the incorrect warning message.  I don't know what is the origin of this Bash behavior, but the easiest fix is to just use ASCII quotes instead of unicode quotes.
2016-05-18 12:02:48 -07:00
Eelco Dolstra
f435f82475 Remove OpenSSL-based signing 2016-05-04 11:01:48 +02:00
Eelco Dolstra
80f739b571 Merge pull request #883 from sheenobu/bugfix/ruby_shebang
Workaround to support ruby as an interpreter
2016-05-03 11:14:21 +02:00
Eelco Dolstra
aa3bc3d5dc Eliminate the substituter mechanism
Substitution is now simply a Store -> Store copy operation, most
typically from BinaryCacheStore to LocalStore.
2016-04-29 13:57:08 +02:00
Eelco Dolstra
6e1b099279 Remove --print-build-trace
This was added to support Hydra, but Hydra no longer uses it.
2016-04-25 19:18:45 +02:00
Eelco Dolstra
41633f9f73 Improved logging abstraction
This also gets rid of --log-type, since the nested log type isn't
useful in a multi-threaded situation, and nobody cares about the
"pretty" log type.
2016-04-25 19:18:45 +02:00
Sheena Artrip
2989783f64
Workaround to support ruby as an interpreter 2016-04-18 13:16:59 -04:00
Eelco Dolstra
a54736355a install-nix-from-closure: Don't run nix-store --verify
Verification is slow. Also, we really shouldn't advise users to nuke
their store.
2016-04-14 12:50:01 +02:00
Shea Levy
1b3e704fb9 Merge branch 'patch-2' of git://github.com/wmertens/nix
install-nix-from-closure improvments
2016-04-12 07:33:04 -04:00
Eelco Dolstra
867967265b Remove manifest support
Manifests have been superseded by binary caches for years. This also
gets rid of nix-pull, nix-generate-patches and bsdiff/bspatch.
2016-04-11 16:20:15 +02:00
Wout Mertens
af4fb6ef61 Bring nix-profile.sh in line with NixOS
Use the same logic as NixOS' profile and environment setup. Closes #414
2016-04-10 23:45:52 +02:00
Wout Mertens
ef00999fb7 Remove information about nix-store --optimise 2016-04-10 21:55:26 +02:00
wmertens
4916d92092 Always verify nix store on install
Just wasted a couple hours chasing shadows because the nix store got
corrupted and there was no indication of that anywhere.

Since an install is one-time only, might as well verify.  Optimization
showed that the copied files aren't read-only; fixed that as well.

Also, use /bin/sh since there's a good chance that this script will be
run on systems without /bin/bash
2016-04-10 21:55:26 +02:00
Shea Levy
4f011bccf8 Merge branch 'master' of git://github.com/stepcut/nix 2016-02-19 18:21:41 -05:00
Eelco Dolstra
c4d22997f3 Add C++ functions for .narinfo processing / signing
This is currently only used by the Hydra queue runner rework, but like
eff5021eaa it presumably will be useful
for the C++ rewrite of nix-push and
download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
Peter Simons
92063851b1 nix-profile.sh.in: find ca-bundle.pem on openSUSE Tumbleweed machines 2016-02-16 10:15:05 +01:00
Peter Simons
bd42510e49 nix-profile.sh.in: quote use of $HOME in shell arguments
All other places in the script do this already, so let's be consistent.
2016-02-12 13:24:25 +01:00
Alex Cruice
ad0dc41899 Check shell profile is writeable before modifying
The `set -e` at the top of the script causes the installation to fail to
complete if the shell profile is not writeable. Checking file existence
only is not enough.
2016-02-10 11:57:50 +01:00
Brian McKenna
3baf8be1d1 Fix broken call to shellwords
nix-shell shebangs were broken by 9018deab
2016-01-20 16:35:16 +01:00
Philip Potter
4f3cf06c97 Verify TLS certificate before downloading binaries
The --insecure flag to curl tells curl not to bother checking if the TLS
certificate presented by the server actually matches the hostname
requested, and actually is issued by a trusted CA chain.  This almost
entirely negates any benefit from using TLS in the first place.

This removes the --insecure flag to ensure we actually have a secure
connection to the intended hostname before downloading binaries.

Manually tested locally within a dev-shell; was able to download
binaries from https://cache.nixos.org without issue.

[Note: --insecure was only used for fetching NARs, whose integrity is
verified by Nix anyway using the hash from the .narinfo. But if we can
fetch the .narinfo without --insecure, we can also fetch the .nar, so
there is not much point to using --insecure. --Eelco]
2016-01-05 14:19:46 +01:00
Fabian Schmitthenner
0eb200e569 propagate NIX_BUILD_SHELL also in pure builds document NIX_BUILD_SHELL in the nix-shell command documentation 2016-01-05 14:11:20 +01:00
Brian McKenna
9018deab6c Use shellwords for nix-shell shebang
Previously we can't have quoted arguments.

This now allows us to use things like `ghcWithPackages`
2015-12-07 11:31:26 +11:00
Jeremy Shaw
3afa16e16f Clarify installation error message that is shown when /nix/store exists but is not writable by the user 2015-12-06 11:00:03 -06:00
Eelco Dolstra
c0d4173263 Set default binary-caches-parallel-connections to 25
Some benchmarking suggested this as a good value. Running

  $ benchmark -f ... -t 25 -- sh -c 'rm -f /nix/var/nix/binary-cache*; nix-store -r /nix/store/x5z8a2yvz8h6ccmhwrwrp9igg03575jg-nixos-15.09.git.5fd87e1M.drv --dry-run --option binary-caches-parallel-connections <N>'

gave the following mean elapsed times for these values of N:

N=10:  3.3541
N=20:  2.9320
N=25:  2.6690
N=30:  2.9417
N=50:  3.2021
N=100: 3.5718
N=150: 4.2079

Memory usage is also reduced (N=150 used 186 MB, N=25 only 68 MB).

Closes #708.
2015-11-25 17:13:11 +01:00
Jude Taylor
279fa8f618 reintroduce host deps in tandem with sandbox profiles 2015-11-21 15:57:06 -08:00
Eelco Dolstra
9ee15abe30 Fix bad characters in "copying 7 missing paths from ..." 2015-11-10 16:12:26 +01:00
Shea Levy
fef8c3a5ab resolve-system-dependencies.pl: Simplify union impl
Patch by @pikajude
2015-10-21 18:18:03 -04:00
Jude Taylor
f5a7739171 appropriately handle lock acquisition failures in resolve-system-dependencies.pl 2015-10-21 14:38:35 -07:00
Jude Taylor
ff6953cb03 Add resolve-system-dependencies.pl 2015-10-21 12:38:52 -07:00
Eelco Dolstra
bec3c31608 nix-prefetch-url: Rewrite in C++ 2015-10-01 16:47:43 +02:00
Utku Demir
a49514a2e2 Also set CURLOPT_SSL_VERIFYHOST=0 when "verify-https-binary-caches" is false
This makes that option even more insecure, by also not checking the SSL host.

But without this parameter, one can still get SSL errors even when
"verify-https-binary-caches" is false, which is unexpected IMO.
2015-09-25 22:34:08 +03:00
Eelco Dolstra
984c5cdc50 Drop newline in error message 2015-08-07 05:32:17 +02:00
Eelco Dolstra
ccf31dbc25 nix-copy-closure: Add -v flag
And make exportPath() less spammy by default.
2015-07-20 01:52:07 +02:00
Eelco Dolstra
e012c126db Revert "add the manpath to the installer"
This reverts commit 76f985b92d. We
shouldn't mess with $MANPATH, because on some "man" implementations
(like NixOS'), the default value on $MANPATH is derived from $PATH. So
if you set $MANPATH, you lose the default locations.
2015-07-01 13:04:15 +02:00
Eelco Dolstra
c48617671d nix-channel: Fix bogus error message caused by 8a84bd8c8b 2015-06-12 01:56:34 +02:00
Eelco Dolstra
f2b67fbf2a nix-push: Support -j
Fixes #548.
2015-06-08 14:16:06 +02:00
Eelco Dolstra
bf8cc4e9b6 Update cacert locations 2015-06-08 11:40:35 +02:00
Eelco Dolstra
b190f771e7 copy-from-other-stores: Use cp 2015-06-04 14:55:40 +02:00
Eelco Dolstra
f0f30f594c Naming 2015-06-03 15:19:26 +02:00
Eelco Dolstra
a80f11bf7b nix-shell: Support multiple "#! nix-shell" lines 2015-06-01 13:48:45 +02:00
Eelco Dolstra
e0a068cb97 nix-shell: Barf if -p and -E are both used
Closes #454, #455.
2015-05-21 17:04:43 +02:00
Eelco Dolstra
deb8668a0e nix-shell: Fix uninitialized value warning 2015-05-05 14:19:58 +02:00
Shea Levy
96dcc006e9 Merge branch 'nix-channel-tarballs' of git://github.com/copumpkin/nix 2015-04-27 19:07:43 -04:00
Luca Bruno
ab2b3d6668 nix-collect-garbage: translate to C++ 2015-04-22 15:08:48 +00:00
Dan Peebles
8a84bd8c8b Support tarballs in nix channel URLs 2015-04-20 00:34:29 -04:00
Michael Merickel
76f985b92d add the manpath to the installer 2015-04-12 20:30:47 -04:00
Eelco Dolstra
9f3eb56b46 Reduce verbosity in build-remote.pl 2015-03-04 16:27:42 +01:00
Shea Levy
47bdc52c1b Merge branch 'gh-476-fix-install-script' of git://github.com/jramnani/nix
sometimes cd prints to stdout
2015-02-22 12:00:51 -05:00
Eelco Dolstra
175935e053 FIXMEs 2015-02-19 14:10:33 +01:00
Eelco Dolstra
1816ac0db1 Escape arguments to nix-shell #! scripts 2015-02-18 20:13:53 +01:00
Eelco Dolstra
dc7e8fae48 Support passing command line arguments to nix-shell #! scripts 2015-02-18 15:55:18 +01:00
Eelco Dolstra
bb10010582 Fix nix-shell shebang scripts if -p is used 2015-02-18 12:40:07 +01:00
Eelco Dolstra
f19b4abfb2 Include NAR size in fingerprint computation
This is not strictly needed for integrity (since we already include
the NAR hash in the fingerprint) but it helps against endless data
attacks [1]. (However, this will also require
download-from-binary-cache.pl to bail out if it receives more than the
specified number of bytes.)

[1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
2015-02-17 13:16:58 +01:00
Jeff Ramnani
d53735c823 Nix install script failed when "cd" printed to stdout.
In some cases the bash builtin command "cd" can print the variable $CWD
to stdout.  This caused the install script to fail while copying files
because the source path was wrong.

Fixes #476.
2015-02-11 12:39:14 -06:00
Shea Levy
70cae879e3 nix-build: Respect -Q during evaluation
Fixes #474
2015-02-08 20:44:05 -05:00
Eelco Dolstra
f3a5930488 Sign a subset of the .narinfo
We only need to sign the store path, NAR hash and references (the
"fingerprint"). Everything else is irrelevant to security. For
instance, the compression algorithm or the hash of the compressed NAR
don't matter as long as the contents of the uncompressed NAR are
correct.

(Maybe we should include derivers in the fingerprint, but they're
broken and nobody cares about them. Also, it might be nice in the
future if .narinfos contained signatures from multiple independent
signers. But that's impossible if the deriver is included in the
fingerprint, since everybody will tend to have a different deriver for
the same store path.)

Also renamed the "Signature" field to "Sig" since the format changed
in an incompatible way.
2015-02-04 17:59:31 +01:00
Eelco Dolstra
e0def5bc4b Use libsodium instead of OpenSSL for binary cache signing
Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA
signatures. Public keys are also much shorter, so they're now
specified directly in the nix.conf option ‘binary-cache-public-keys’.

The new command ‘nix-store --generate-binary-cache-key’ generates and
prints a public and secret key.
2015-02-04 17:10:31 +01:00
Jaka Hudoklin
3688db3d43 nix-install-package: follow symlinks 2015-01-30 11:30:21 +01:00
Oliver Dunkl
de91a42c6e Moves runHook to a later execution position
It moves runHook to a later position in the rcfile. After that we are
able to set the PS1 environment-variable for a nix-shell environment
e.g.:

  # turn the color of the prompt to blue
  shellHook = ''
    export PS1="\n\[\033[1;34m\][\u@\h:\w]$\[\033[0m\] ";
  '';
2015-01-28 13:39:48 +01:00
Eelco Dolstra
f6716e95bb Shut up "Wide character in print" warning in copy-from-other-stores.pl 2015-01-15 17:56:56 +01:00
Eelco Dolstra
a5e2c8e560 Set correct user agent for NAR downloads from binary caches 2015-01-15 12:05:27 +01:00
Eelco Dolstra
128538ef06 nix-shell: Add --run flag
‘--run’ is like ‘--command’, except that it runs the command in a
non-interactive shell. This is important if you do things like:

  $ nix-shell --command make

Hitting Ctrl-C while make is running drops you into the interactive
Nix shell, which is probably not what you want. So you can now do

  $ nix-shell --run make

instead.
2015-01-08 15:14:38 +01:00
Eelco Dolstra
b76589206a nix-shell: Interpret filenames relative to the #!-script
So you can have a script like:

  #! /usr/bin/env nix-shell
  #! nix-shell script.nix -i python

  import prettytable

  x = prettytable.PrettyTable(["Foo", "Bar"])
  for i in range(1, 10): x.add_row([i, i**2])
  print x

with a ‘script.nix’ in the same directory:

  with import <nixpkgs> {};

  runCommand "dummy" { buildInputs = [ python pythonPackages.prettytable ]; } ""

(Of course, in this particular case, using the ‘-p’ flag is more
convenient.)
2015-01-08 14:56:14 +01:00
Eelco Dolstra
a957893b26 Allow nix-shell to be used as a #! interpreter
This allows scripts to fetch their own dependencies via nix-shell. For
instance, here is a Haskell script that, when executed, pulls in GHC
and the HTTP package:

  #! /usr/bin/env nix-shell
  #! nix-shell -i runghc -p haskellPackages.ghc haskellPackages.HTTP

  import Network.HTTP

  main = do
    resp <- Network.HTTP.simpleHTTP (getRequest "http://nixos.org/")
    body <- getResponseBody resp
    print (take 100 body)

Or a Perl script that pulls in Perl and some CPAN packages:

  #! /usr/bin/env nix-shell
  #! nix-shell -i perl -p perl perlPackages.HTMLTokeParserSimple perlPackages.LWP

  use HTML::TokeParser::Simple;

  my $p = HTML::TokeParser::Simple->new(url => 'http://nixos.org/');

  while (my $token = $p->get_tag("a")) {
      my $href = $token->get_attr("href");
      print "$href\n" if $href;
  }

Note that the options to nix-shell must be given on a separate line
that starts with the magic string ‘#! nix-shell’. This is because
‘env’ does not allow passing arguments to an interpreter directly.
2015-01-08 14:32:45 +01:00
Eelco Dolstra
7ba0e9cb48 nix-shell --command: Remove bogus argument to "exit"
Fixes "exit: Inappropriate: numeric argument required" errors.
2015-01-07 16:10:20 +01:00
Eelco Dolstra
c2a552b075 Install cacert before running nix-channel
Also, make it more robust against incorrent SSL_CERT_FILE values.
2014-12-13 16:53:21 +01:00
Eelco Dolstra
20cf0127f5 Include cacert in the binary tarball
This prevents having to fetch Nixpkgs or cacert over http.
2014-12-10 16:05:08 +01:00
Eelco Dolstra
2f16946064 Always use https to fetch the Nixpkgs channel 2014-12-10 11:35:56 +01:00
Eelco Dolstra
39fe52f7ac Fix bad comment 2014-12-10 11:35:05 +01:00
Eelco Dolstra
af555d7694 Doh 2014-12-09 20:43:12 +01:00
Eelco Dolstra
d44d923be9 Add option to disable binary cache certificate checking 2014-12-09 13:16:02 +01:00
Eelco Dolstra
5510d21193 Provide some fallback defaults for the CA bundle 2014-12-09 13:16:02 +01:00
Eelco Dolstra
e5891f2ea8 Use https://cache.nixos.org instead of http://cache.nixos.org 2014-12-09 13:16:02 +01:00
Eelco Dolstra
bf78a27ac9 Fix another operator precedence issue found by Perl 5.20 2014-12-05 19:25:13 +01:00
Eelco Dolstra
5d064e2698 Add a test for the binary tarball installer 2014-11-18 14:50:05 +01:00
Eelco Dolstra
5ef2453139 build-remote.pl.in: Add some more trace messages
This allows hydra-build to keep track of the actual build time (so
excluding time required to copy closures around).
2014-11-12 13:56:01 +01:00
Eelco Dolstra
8979562ed7 download-from-binary-cache.pl: Fix flushing of stderr 2014-11-04 14:37:58 +01:00
Shea Levy
bca6d35636 Fix nix-copy-closure --from
http://hydra.nixos.org/build/15885652
2014-10-15 15:05:13 -04:00
Eelco Dolstra
138c257dcd Revert "binary download: Use $NIX_CURL_FLAGS"
This reverts commit bc4795919a. It
breaks the build:

  http://hydra.nixos.org/build/15860847
2014-10-15 10:22:17 +02:00
wmertens
bc4795919a binary download: Use $NIX_CURL_FLAGS
As in 5c0816567d/pkgs/build-support/fetchurl/builder.sh (L17)
2014-10-14 15:36:14 +02:00
Eelco Dolstra
2c1711ae33 nix-channel: Add --rollback flag
Fixes #368.
2014-10-14 12:08:04 +02:00
Eelco Dolstra
a8925a510c nix-channel --add: Validate URL / channel ID
Fixes #369.
2014-10-14 11:28:13 +02:00
Eelco Dolstra
f1adf4c998 Remove unused @sshOpts flag
Closes #300.
2014-10-14 11:01:18 +02:00
Eelco Dolstra
a79e56de68 nix-copy-closure: Use strict 2014-10-14 10:56:33 +02:00
Shell Turner
9dd54bc7bb Pass through --set from nix-install-package command line to nix-env 2014-09-23 15:11:24 +02:00
Eelco Dolstra
d2d5543625 build-remote.pl: UTF-8-decode errors 2014-09-05 11:53:11 +02:00
Eelco Dolstra
e74113a305 Fix build-remote.pl
Apparently, turning on utf8 encoding on stderr changes its flushing
behaviour, causing sendReply to not send anything.

http://hydra.nixos.org/build/13944384
2014-09-05 11:43:14 +02:00
Eelco Dolstra
27a01d92c2 Shut up "Wide character" warnings in Perl scripts 2014-08-29 17:48:25 +02:00
Eelco Dolstra
163fdf292e Set a curl timeout on binary cache lookups 2014-08-21 15:15:50 +02:00
Eelco Dolstra
11849a320e Use proper quotes everywhere 2014-08-20 18:03:48 +02:00
Eelco Dolstra
42e9ad8fd1 Propagate remote timeouts properly 2014-08-17 19:09:03 +02:00
Eelco Dolstra
c6e85ee474 nix-build: Propagate exit status from nix-store -r 2014-08-17 18:37:09 +02:00
Eelco Dolstra
ccd4fe5c49 build-remote.pl: Provide defaults for $NIX_CURRENT_LOAD and $NIX_REMOTE_SYSTEMS 2014-08-17 18:05:24 +02:00
Eelco Dolstra
3e5dbb2433 nix-shell: Use $XDG_RUNTIME_DIR
This prevents collisions with other users.

Fixes #262.
2014-08-13 23:16:08 +02:00
Eelco Dolstra
3bea429ae8 Use $XDG_RUNTIME_DIR for temporary files 2014-08-13 23:12:57 +02:00
Eelco Dolstra
57695d8f76 Warn about untrusted binary caches in extra-binary-caches 2014-08-07 22:46:35 +02:00
Eelco Dolstra
6e1f4c1488 nix-install-package: Use extra-binary-caches 2014-08-07 22:41:44 +02:00
Eelco Dolstra
393a9b92b1 download-from-binary-cache.pl: Respect $SSL_CERT_FILE 2014-08-07 22:41:15 +02:00
Eelco Dolstra
4a198dae74 install-nix-from-closure.sh: Use https channel if possible 2014-08-07 15:37:21 +02:00
Eelco Dolstra
2ea2703fe9 install-nix-from-closure.sh: Install cacert 2014-07-29 17:12:15 +02:00
Eelco Dolstra
50ed345fad nix-profile.sh: Set $SSL_CERT_FILE 2014-07-29 17:11:54 +02:00
Eelco Dolstra
1a44f1cb65 nix-copy-closure: Drop --bzip2, --xz, --show-progress
These are too difficult to implement via nix-store --serve.

‘--show-progress’ could be re-implemented fairly easily via a
sink/source wrapper class.
2014-07-24 17:11:54 +02:00
Eelco Dolstra
7f7d4ab686 nix-copy-closure: Implement --gzip via ssh's -C flag 2014-07-24 16:32:55 +02:00
Eelco Dolstra
7b351da680 Remove obsolete SSH master connection code 2014-07-24 16:19:42 +02:00
Eelco Dolstra
03103c0a36 Implement nix-copy-closure --from via nix-store --serve 2014-07-24 16:19:41 +02:00
Eelco Dolstra
62309a2c56 build-remote.pl: Be less verbose on failing builds 2014-07-24 12:43:59 +02:00
Eelco Dolstra
5bcb982711 Remove cruft 2014-07-14 12:39:53 +02:00
Eelco Dolstra
a00a98548e build-remote.pl: Fix build log 2014-07-12 00:09:43 +02:00
Eelco Dolstra
a5c6347ff0 build-remote.pl: Use ‘nix-store --serve’ on the remote side
This makes things more efficient (we don't need to use an SSH master
connection, and we only start a single remote process) and gets rid of
locking issues (the remote nix-store process will keep inputs and
outputs locked as long as they're needed).

It also makes it more or less secure to connect directly to the root
account on the build machine, using a forced command
(e.g. ‘command="nix-store --serve --write"’). This bypasses the Nix
daemon and is therefore more efficient.

Also, don't call nix-store to import the output paths.
2014-07-11 16:22:24 +02:00
Eelco Dolstra
7bb632b024 nix-copy-closure -s: Do substitutions via ‘nix-store --serve’
This means we no longer need an SSH master connection, since we only
execute a single command on the remote host.
2014-07-10 20:43:04 +02:00
Eelco Dolstra
1114c7bd57 nix-copy-closure: Restore compression and the progress viewer 2014-07-10 14:15:12 +02:00
Aristid Breitkreuz
a457d5ad4d nix-build: --add-root also takes 1 parameter 2014-05-26 17:24:43 +02:00
Eelco Dolstra
924e19341a Don't barf when installing as root 2014-04-10 23:42:48 +02:00
Eelco Dolstra
2b6c8ef401 nix-shell --pure: Keep the user's $PAGER 2014-04-08 14:08:57 +02:00
Ricardo M. Correia
034b6f6062 nix-collect-garbage: Add --delete-older-than option 2014-03-30 00:54:16 +01:00
Maxim Ivanov
59c9019685 Fix nix-shell for derivation with multiple outputs
If derivation declares multiple outputs and first (default) output
if not "out", then "nix-instantiate" calls return path with output
names appended after "!". Than suffix must be stripped before
ant path checks are done.
2014-03-30 00:52:47 +01:00
Eelco Dolstra
77e2cc6c8e nix-build: Fix --cores flag 2014-03-17 17:33:13 +01:00
Eelco Dolstra
506d86394d Installer: Handle Darwin
"cp -r" doesn't copy symlinks properly on Darwin, but "cp -R" does.

Fixes #215.
2014-02-26 17:23:55 +01:00
Eelco Dolstra
7f74513b4e Also provide an option for setting the curl connection timeout 2014-02-26 16:07:43 +01:00
Eelco Dolstra
00d761016a Respect $NIX_CONNECT_TIMEOUT properly
We were 1) using CURLOPT_TIMEOUT instead of CURLOPT_CONNECTTIMEOUT; 2)
not passing it to the curl child process.

Issue #93.
2014-02-26 15:58:37 +01:00
Eelco Dolstra
d761009e3c Add ~/.nix-profile/sbin to $PATH
Fixes #112.
2014-02-26 15:24:48 +01:00
Eelco Dolstra
bf4a577a58 Fix broken patch 2014-02-26 13:48:23 +01:00
Ian-Woo Kim
8a02fdc38e use USER environmental variable if getting user id by getpwuid is failed in perl scripts: download-from-binary-cache.pl and nix-channel 2014-02-26 13:42:11 +01:00
Eelco Dolstra
36b90e72d7 nix-shell: Add --packages flag
This allows you to easily set up a build environment containing the
specified packages from Nixpkgs.  For example:

  $ nix-shell -p sqlite xorg.libX11 hello

will start a shell in which the given packages are present.
2014-02-19 17:08:01 +01:00
Eelco Dolstra
c31836008e nix-instantiate: Add a flag --expr / -E to read expressions from the command line
This is basically a shortcut for ‘echo 'expr...' | nix-instantiate -’.
Also supported by nix-build and nix-shell.
2014-02-19 16:30:19 +01:00
Eelco Dolstra
73f74ebba0 nix-shell: Don't leave a temporary directory in /tmp behind 2014-02-19 15:01:04 +01:00
Eelco Dolstra
1aa19b24b2 Add a flag ‘--check’ to verify build determinism
The flag ‘--check’ to ‘nix-store -r’ or ‘nix-build’ will cause Nix to
redo the build of a derivation whose output paths are already valid.
If the new output differs from the original output, an error is
printed.  This makes it easier to test if a build is deterministic.
(Obviously this cannot catch all sources of non-determinism, but it
catches the most common one, namely the current time.)

For example:

  $ nix-build '<nixpkgs>' -A patchelf
  ...
  $ nix-build '<nixpkgs>' -A patchelf --check
  error: derivation `/nix/store/1ipvxsdnbhl1rw6siz6x92s7sc8nwkkb-patchelf-0.6' may not be deterministic: hash mismatch in output `/nix/store/4pc1dmw5xkwmc6q3gdc9i5nbjl4dkjpp-patchelf-0.6.drv'

The --check build fails if not all outputs are valid.  Thus the first
call to nix-build is necessary to ensure that all outputs are valid.

The current outputs are left untouched: the new outputs are either put
in a chroot or diverted to a different location in the store using
hash rewriting.
2014-02-18 01:01:14 +01:00
Eelco Dolstra
e81d38c02b nix-shell: Execute shellHook if it exists
Since normal builds don't execute shellHook, this allows nix-shell
specific customisation.  Suggested by Domen.
2014-02-17 13:34:24 +01:00
Eelco Dolstra
1f841c9d50 Force use of Bash
"echo -n" doesn't work with /bin/sh on Darwin.
2014-02-10 17:42:36 +01:00
Eelco Dolstra
57386c9bae Binary tarball: Automatically create /nix
The tarball can now be unpacked anywhere.  The installation script
uses "sudo" to create /nix if it doesn't exist.  It also fetches the
nixpkgs-unstable channel.
2014-02-10 16:35:59 +01:00
Eelco Dolstra
c5839752b9 Binary tarball: Automatically fetch the Nixpkgs channel 2014-02-10 10:50:29 +01:00
Eelco Dolstra
b632153ebd nix-shell: Use shell.nix as the default expression if it exists 2014-02-10 10:25:13 +01:00
Eelco Dolstra
2f9bb5c7e7 Merge branch 'make' 2014-02-01 16:41:52 +01:00
Eelco Dolstra
6ef32bddc1 Fix "make dist" 2014-02-01 14:38:12 +01:00
Eelco Dolstra
0c6d62cf27 Remove Automakefiles 2014-02-01 13:54:38 +01:00
Eelco Dolstra
16e7d69209 Update Makefile variable names 2014-02-01 13:54:38 +01:00
Eelco Dolstra
e0234dfddc Rename Makefile -> local.mk 2014-01-30 12:11:06 +01:00
Eelco Dolstra
c5ba081333 nix-shell: Add --impure flag
This is currently the default, but I might change that to --pure in
the future.
2014-01-23 13:34:04 +01:00
Eelco Dolstra
79dee4283d nix-shell: Preserve the TZ variable of the user 2014-01-23 13:34:04 +01:00
Eelco Dolstra
7fdee6e136 nix-build: Refactor 2014-01-23 13:34:04 +01:00
Eelco Dolstra
81628a6ccc Merge branch 'master' into make
Conflicts:
	src/libexpr/eval.cc
2014-01-21 15:30:01 +01:00
Eelco Dolstra
bf0ad8aabc nix-profile.sh: Add the Nixpkgs channel to $NIX_PATH 2014-01-15 14:34:49 +01:00
Eelco Dolstra
f1357059a4 nix-shell: Don't set NIX_INDENT_MAKE
It generally is not useful in interactive environments (and messes up
some non-ANSI-compliant terminals).
2014-01-13 13:46:44 +01:00
Eelco Dolstra
ea59f39326 nix-shell: Set $IN_NIX_SHELL before evaluating 2014-01-13 13:43:31 +01:00
Eelco Dolstra
0fdf4da0e9 Support cryptographically signed binary caches
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.

To create a private/public key pair for signing and verifying a binary
cache, do:

  $ openssl genrsa -out ./cache-key.sec 2048
  $ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub

You should also come up with a symbolic name for the key, such as
"cache.example.org-1".  This will be used by clients to look up the
public key.  (It's a good idea to number keys, in case you ever need
to revoke/replace one.)

To create a binary cache signed with the private key:

  $ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1

The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf should contain something like:

  signed-binary-caches = *
  binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub

If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:

  *** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...

On the other hand, if the signature is wrong, you get a message like

  NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring

Signatures are implemented as a single line appended to the NAR info
file, which looks like this:

  Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==

Thus the signature has 3 fields: a version (currently "1"), the ID of
key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.

Issue #75.
2014-01-08 15:42:53 +01:00
Eelco Dolstra
405434e084 Revert "nix-shell: Set $IN_NIX_SHELL before evaluation"
This reverts commit 0c1198cf08.
2014-01-06 17:38:04 +01:00
Shea Levy
5ba5993470 nix-shell --pure: Don't clear IN_NIX_SHELL
Signed-off-by: Shea Levy <shea@shealevy.com>
2013-12-30 16:59:24 +01:00
Eelco Dolstra
b352fe2775 Revert "Scan /proc/<pid>/cmdline for GC roots"
This reverts commit 194e3374b8.
Checking the command line for GC roots means that

  $ nix-store --delete $path

will fail because $path is now a root because it's mentioned on the
command line.
2013-12-20 14:18:24 +01:00
Eelco Dolstra
194e3374b8 Scan /proc/<pid>/cmdline for GC roots 2013-12-20 13:31:31 +01:00