Commit graph

10657 commits

Author SHA1 Message Date
John Ericson
7181d1f4a1 Reformat
Factored out code is now elegible for formatting.
2024-06-26 19:56:21 -04:00
John Ericson
0084a486cc Split out a new libnixflake
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
2024-06-26 19:56:21 -04:00
John Ericson
52730d38e2 Factor out flake:... lookup path from evaluator
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
2024-06-26 19:56:21 -04:00
John Ericson
8a420162ab Merge branch 'master' into fix-sandbox-escape 2024-06-26 18:11:39 -04:00
Robert Hensing
85de5a60c7 Use lib instead of explicit fileset passing 2024-06-26 04:11:20 +02:00
Robert Hensing
6fe8fb967a libstore/worker.hh: Document Worker 2024-06-26 01:43:31 +02:00
Robert Hensing
fd0b376c79 libstore/worker.cc: Remove outdated comment
It was added above this conditional

    Worker::Worker(LocalStore & store)
        : store(store)
    {
        /* Debugging: prevent recursive workers. */
        if (working) abort();
        working = true;

However, `working` has since been removed.

Source: 7f8e805c8e/src/libstore/build.cc (L2617)
2024-06-26 01:43:31 +02:00
John Ericson
65d7c80365
Merge pull request #10955 from NixOS/meson-nix-util-c
Build nix-util-c with meson + unit tests
2024-06-25 19:06:06 -04:00
Robert Hensing
ac89828b5a Build nix-util-c with meson and unit test 2024-06-25 21:35:23 +02:00
Robert Hensing
7df9d6da65 Improve error messages for invalid derivation names 2024-06-25 19:41:29 +02:00
John Ericson
5f4f789144
Merge pull request #10954 from NixOS/ci-meson
ci.yml: Add meson_build
2024-06-25 09:02:33 -04:00
Robert Hensing
0674be8d49 nix-util: Fix build 2024-06-25 10:26:57 +02:00
Brian McKenna
5be44d235a Guard uses of lutimes, for portability 2024-06-24 17:35:34 -04:00
John Ericson
05580a373f Fix error in the no-GC build 2024-06-24 17:18:16 -04:00
Robert Hensing
c66f1e7660
Merge pull request #10913 from NixOS/no-global-eval-settings-in-libexpr
No global eval settings in `libnixexpr`
2024-06-24 18:52:19 +02:00
John Ericson
fda4c78921
Merge pull request #10951 from obsidiansystems/load-just-one-config
Small global config refactors
2024-06-24 12:38:04 -04:00
John Ericson
52bfccf8d8 No global eval settings in libnixexpr
Progress on #5638

There is still a global eval settings, but it pushed down into
`libnixcmd`, which is a lot less bad a place for this sort of thing.
2024-06-24 12:15:16 -04:00
John Ericson
cb0c868da4 Allow loading config files into other config objects
This gives us some hope of moving away from global variables.
2024-06-24 12:07:56 -04:00
John Ericson
b46e13840b Format config-global.{cc,hh}
Since the code is factored out, it is no longer avoding the formatter.
2024-06-24 12:07:56 -04:00
John Ericson
1620ad4587 Split out GlobalConfig into its own header
This makes it easier to understand the reach of global variables /
global state in the config system.
2024-06-24 11:36:21 -04:00
John Ericson
b51e161af5 Cleanup ContentAddressMethod to match docs
The old `std::variant` is bad because we aren't adding a new case to
`FileIngestionMethod` so much as we are defining a separate concept ---
store object content addressing rather than file system object content
addressing. As such, it is more correct to just create a fresh
enumeration.

Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
2024-06-24 10:24:06 -04:00
John Ericson
64e599ebe1 Rename Recursive -> NixArchive
For enums:

- `FileIngestionMethod`

- `FileSerialisationMethod`
2024-06-24 10:24:06 -04:00
Eelco Dolstra
903acc7c0f
Merge pull request #10873 from siddhantk232/rm-createdirs
use `std::filesystem::create_directories` for createDirs
2024-06-24 14:54:37 +02:00
Eelco Dolstra
bc21c54565
Merge pull request #10943 from pineapplehunter/master
Accept response from gitlab api with more than one entry in json
2024-06-24 14:23:47 +02:00
Robert Hensing
6f64154eea
Merge pull request #10884 from tomberek/tomberek.warn_structuredAttrs_advanced
fix: warn and document when advanced attributes will have no impact d…
2024-06-24 07:56:26 +02:00
John Ericson
df068734ac
Merge pull request #10769 from poweredbypie/mingw-spawn
Implement runProgram for Windows
2024-06-23 14:12:36 -04:00
Shogo Takata
0468061dd2
accept response from gitlab with more than one entry 2024-06-23 00:52:19 +09:00
Eelco Dolstra
d54590fdf3 Fix --no-sandbox
When sandboxing is disabled, we cannot put $TMPDIR underneath an
inaccessible directory.
2024-06-21 17:06:19 +02:00
Eelco Dolstra
58b7b3fd15 Formatting 2024-06-21 17:06:19 +02:00
Eelco Dolstra
ede95b1fc1 Put the chroot inside a directory that isn't group/world-accessible
Previously, the .chroot directory had permission 750 or 755 (depending
on the uid-range system feature) and was owned by root/nixbld. This
makes it possible for any nixbld user (if uid-range is disabled) or
any user (if uid-range is enabled) to inspect the contents of the
chroot of an active build and maybe interfere with it (e.g. via /tmp
in the chroot, which has 1777 permission).

To prevent this, the root is now a subdirectory of .chroot, which has
permission 700 and is owned by root/root.
2024-06-21 17:06:19 +02:00
Théophane Hufschmitt
1d3696f0fb Run the builds in a daemon-controled directory
Instead of running the builds under
`$TMPDIR/{unique-build-directory-owned-by-the-build-user}`, run them
under `$TMPDIR/{unique-build-directory-owned-by-the-daemon}/{subdir-owned-by-the-build-user}`
where the build directory is only readable and traversable by the daemon user.

This achieves two things:

1. It prevents builders from making their build directory world-readable
   (or even writeable), which would allow the outside world to interact
   with them.
2. It prevents external processes running as the build user (either
   because that somehow leaked, maybe as a consequence of 1., or because
   `build-users` isn't in use) from gaining access to the build
   directory.
2024-06-21 17:06:19 +02:00
siddhantCodes
85b7989764 fix: handle errors in nix::createDirs
the `std::filesystem::create_directories` can fail due to insufficient
permissions. We convert this error into a `SysError` and catch it
wherever required.
2024-06-20 19:53:25 +05:30
Valentin Gagarin
1c131ec2b7
Port C API docs to Meson (#10936)
* Port C API docs to Meson

* don't cross-compile the docs
2024-06-19 22:43:54 +02:00
PoweredByPie
8b81d083a7 Remove lookupPathForProgram and implement initial runProgram test
Apparently, CreateProcessW already searches path, so manual path search
isn't really necessary.
2024-06-18 01:01:52 -07:00
PoweredByPie
fcb92b4fa4 Fix DWORD vs. int comparison warning 2024-06-17 22:14:38 -07:00
Mingye Wang
ff1fc780d2
optimize-store.cc: Update macos exclusion comments
#2230 broadened the scope of macOS hardlink exclusion but did not change the comments. This was a little confusing for me, so I figured the comments should be updated.
2024-06-18 12:05:59 +08:00
PoweredByPie
4f6e3b9402 Implement tests for lookupPathForProgram and fix bugs caught by tests 2024-06-17 18:46:08 -07:00
PoweredByPie
4662e7d856 Implement windowsEscape 2024-06-17 14:57:57 -07:00
Tom Bereknyei
706edf26eb build: meson for libfetchers 2024-06-17 17:25:56 -04:00
PoweredByPie
b11cf8166f Format runProgram declaration 2024-06-17 13:12:28 -07:00
Valentin Gagarin
6e34c68327 Convert the internal API doc build to Meson 2024-06-17 15:51:58 -04:00
John Ericson
a83d95e26e Integrate perl with the other meson builds
One big dev shell!
2024-06-17 14:48:20 -04:00
PoweredByPie
a58ca342ca Initial runProgram implementation for Windows
This is incomplete; proper shell escaping needs to be done
2024-06-17 11:13:22 -07:00
John Ericson
a1bb668ccb Merge remote-tracking branch 'upstream/master' into rm-createdirs 2024-06-17 12:57:54 -04:00
Robert Hensing
e48abec567
Merge pull request #10916 from jmbaur/read-only-no-chown
Don't chown when local-store is read-only
2024-06-17 13:49:19 +02:00
Eelco Dolstra
48d38b32d2
Merge pull request #10918 from andir/restrict-tarfile-formats
Restrict supported tarball formats to actual Tarballs
2024-06-17 13:20:23 +02:00
PoweredByPie
b0cfac8f93 Fix compile error on windows 2024-06-17 00:03:50 -07:00
Jared Baur
de639ceafe
Don't chown when local-store is read-only
If the local-store is using the read-only flag, the underlying
filesystem might be read-only, thus an attempt to `chown` would always
fail.
2024-06-16 23:03:33 -07:00
Andreas Rammhold
5a9e1c0d20 Restrict supported tarball formats to actual Tarballs
The documentation is clear about the supported formats (with at least
`builtins.fetchTarball`). The way the code was written previously it
supported all the formats that libarchive supported. That is a
surprisingly large amount of formats that are likely not on the radar
of the Nix developers and users. Before people end up relying on
this (or if they do) it is better to break it now before it becomes a
widespread "feature".

Zip file support has been retained as (at least to my knowledge)
historically that has been used to fetch nixpkgs in some shell
expressions *many* years back.

Fixes https://github.com/NixOS/nix/issues/10917
2024-06-15 14:28:20 +02:00
Robert Hensing
573e385a68
Merge pull request #10907 from hercules-ci/issue-10561
C API: Use opaque struct instead of void for `nix_value`
2024-06-15 10:12:13 +02:00