Commit graph

17670 commits

Author SHA1 Message Date
Eelco Dolstra
8f280d72ff
Merge pull request #11019 from DeterminateSystems/fix-failed-to-open-archive
Tarball fetcher: Fix handling of cached tarballs
2024-07-05 17:10:02 +02:00
Robert Hensing
a476383f46
Merge pull request #11031 from emilazy/push-xsrvoyspsvqx
libstore: fix sandboxed builds on macOS
2024-07-05 17:08:39 +02:00
Eelco Dolstra
98bef7c38e
Merge pull request #11035 from siddhantk232/refactor
Factor duplicate code into util function `append`
2024-07-05 16:34:23 +02:00
Eelco Dolstra
61e1880847
Merge pull request #11041 from hercules-ci/trace-nix-env-attribute-names
getDerivations: add attributes to trace
2024-07-05 16:32:27 +02:00
Eelco Dolstra
e1b6b3ce27
Merge pull request #11020 from DeterminateSystems/fix-tarball-caching
Tarball fetcher: Fix fetchToStore() and eval caching
2024-07-05 16:30:12 +02:00
Eelco Dolstra
e7e070d36b Document 2024-07-05 16:29:16 +02:00
Robert Hensing
09763c7cad getDerivations: add attributes to trace
This improves the error message of nix-env -qa, among others, which
is crucial for understanding some ofborg eval error reports, such as
https://gist.github.com/GrahamcOfBorg/89101ca9c2c855d288178f1d3c78efef

After this change, it will report the same trace, but also start with

```
error:
       … while evaluating the attribute 'devShellTools'

       … while evaluating the attribute 'nixos'

       … while evaluating the attribute 'docker-tools-nix-shell'

       … while evaluating the attribute 'aarch64-darwin'

       … from call site
         at /home/user/h/nixpkgs/outpaths.nix:48:6:
           47|   tweak = lib.mapAttrs
           48|     (name: val:
             |      ^
           49|       if name == "recurseForDerivations" then true

<same>
```
2024-07-05 15:30:07 +02:00
Emily
af2e1142b1 libstore: fix sandboxed builds on macOS
The recent fix for CVE-2024-38531 broke the sandbox on macOS
completely. As it’s not practical to use `chroot(2)` on
macOS, the build takes place in the main filesystem tree, and the
world‐unreadable wrapper directory prevents the build from accessing
its `$TMPDIR` at all.

The macOS sandbox probably shouldn’t be treated as any kind of a
security boundary in its current state, but this specific vulnerability
wasn’t possible to exploit on macOS anyway, as creating `set{u,g}id`
binaries is blocked by sandbox policy.

Locking down the build sandbox further may be a good idea in future,
but it already has significant compatibility issues. For now, restore
the previous status quo on macOS.

Thanks to @alois31 for helping me come to a better understanding of
the vulnerability.

Fixes: 1d3696f0fb
Closes: #11002
2024-07-04 16:28:37 +01:00
Emily
76e4adfaac libstore: clean up the build directory properly
After the fix for CVE-2024-38531, this was only removing the nested
build directory, rather than the top‐level temporary directory.

Fixes: 1d3696f0fb
2024-07-04 16:22:02 +01:00
siddhantCodes
976c05879f factor duplicate code into util function append 2024-07-04 11:09:23 +05:30
Eelco Dolstra
5b4102c3b2 Tarball fetcher: Include revCount/lastModified in the fingerprint
This can influence the evaluation result so they should be included in
the fingerprint.
2024-07-03 22:05:45 +02:00
John Ericson
509be0e77a
Merge pull request #11022 from obsidiansystems/fix-openbsd-socket-peercred
Use proper struct sockpeercred for SO_PEERCRED for OpenBSD
2024-07-03 11:56:39 -04:00
kn
10ccdb7a41 Use proper struct sockpeercred for SO_PEERCRED for OpenBSD
getsockopt(2) documents this;  ucred is wrong ("cr_" member prefix, no pid).
2024-07-03 11:16:39 -04:00
John Ericson
a09360400b Ident some CPP in nix daemon
Makes it easier for me to read.
2024-07-03 11:15:56 -04:00
Eelco Dolstra
1ff186fc6e nix flake metadata: Show flake fingerprint
This is useful for testing/debugging and maybe for sharing eval caches
(since it tells you what file in ~/.cache/nix/eval-cache-v5 to copy).
2024-07-03 17:00:30 +02:00
Eelco Dolstra
9d95c228ee Tarball fetcher: Fix fetchToStore() and eval caching 2024-07-03 16:50:45 +02:00
John Ericson
30de61f16d
Merge pull request #11018 from siddhantk232/canonpath-fs-sink
Use `CanonPath` in `fs-sink.hh`
2024-07-03 10:36:18 -04:00
Eelco Dolstra
8bdd0ecd80 Add a test 2024-07-03 15:57:05 +02:00
Eelco Dolstra
79ed3df8f8 Tarball fetcher: Fix handling of cached tarballs
Fixes a regression introduced in
5a9e1c0d20 where downloading a cached
file causes the error "Failed to open archive (Unrecognized archive
format)".
2024-07-03 14:14:20 +02:00
siddhantCodes
2cf24a2df0 fix tests and minor changes
- use the iterator in `CanonPath` to count `level`
- use the `CanonPath::basename` method
- use `CanonPath::root` instead of `CanonPath{""}`
- remove `Path` and `PathView`, use `std::filesystem::path` directly
2024-07-03 17:43:55 +05:30
Valentin Gagarin
a713476790
docs: split types from syntax (#11013)
move together all syntactic and semantic information into one
page, and add a page on data types, which in turn links to the syntax and
semantics.

also split out the note on scoping rules into its own page.

Co-authored-by: Ryan Hendrickson <ryan.hendrickson@alum.mit.edu>
2024-07-03 09:03:41 +02:00
John Ericson
f809edba4f
Merge pull request #11011 from Mic92/compiler-checks
enable -Werror=unused-result
2024-07-02 09:23:03 -04:00
Jörg Thalheim
101915c9b7 enable -Werror=unused-result
Inspired by
010ff57ebb

From the original PR:

> We do not have any of these warnings appearing at the moment, but
> it seems like a good idea to enable [[nodiscard]] checking anyway.
> Once we start introducing more functions with must-use conditions we will
> need such checking, and the rust stdlib has proven them very useful.
2024-07-02 08:46:06 +02:00
Robert Hensing
80d67d603b
Merge pull request #11009 from NixOS/installer-tests
Installer tests
2024-07-02 00:45:12 +02:00
Robert Hensing
df3e92ff96 installerScriptForGHA: aarch64-darwin
GitHub Actions seems to have magically switched architectures
without changing their identifiers.
See 2813ee66cb/README.md (available-images)
Maybe they have more complete documentation elsewhere, but it
seems to be incapable of selecting a runner based on architecture.
2024-07-01 20:40:53 +02:00
Eelco Dolstra
b01b60f08c
Merge pull request #11006 from DeterminateSystems/fix-eval-cache-test
tests/functional/flakes/eval-cache.sh: Don't write a result symlink in the wrong location
2024-07-01 19:47:54 +02:00
Eelco Dolstra
6600b1c7e0 tests/functional/flakes/eval-cache.sh: Don't write a result symlink in the wrong location 2024-07-01 19:10:41 +02:00
Eelco Dolstra
10c9764c27
Merge pull request #10992 from hercules-ci/issue-10947-dont-cache-disallowed-ifd
Fix #10947; don't cache disallowed IFD
2024-07-01 11:20:27 +02:00
John Ericson
10ceb7d173
Merge pull request #10995 from NixOS/meson-remove-symlink-hack
Remove symlink hack from meson packaging
2024-06-30 17:35:46 -04:00
Robert Hensing
93b50857ed packaging: Restore .version value altering behavior 2024-06-30 19:44:36 +02:00
Robert Hensing
7dd938b228 libutil/package.nix: Remove .version symlink replacement solution 2024-06-30 19:44:04 +02:00
Robert Hensing
e084316130 Add mkMesonPackage for local meson packages
This helper makes it easy to use filesets that include files from
parent directories, which we'll need more of in
https://github.com/NixOS/nix/pull/10973
2024-06-30 19:42:19 +02:00
Sergei Trofimovich
5a16bf86c5
doc: fix directory definition in nix-archive.md (#10997)
* doc: fix `directory` definition in nix-archive.md

Before the change the document implied that directory of a single entry
contained entry:

    "type" "directory" "type" directory" "entry" ...

After the change document should expand into:

   "type" "directory" "entry" ...

Co-authored-by: John Ericson <git@JohnEricson.me>
2024-06-30 16:22:04 +00:00
Robert Hensing
c74b5aa3e0
Merge pull request #10999 from NixOS/ci-cachix-verbose
ci.yml: Put installer cachix in verbose mode
2024-06-30 17:45:22 +02:00
Robert Hensing
39154ed9be ci.yml: Put installer cachix in verbose mode
Maybe it prints something, as a workaround for https://github.com/cachix/cachix-action/issues/153,
which might explain our flaky installer_test.
2024-06-30 17:10:34 +02:00
John Ericson
dc538ad2f7
Merge pull request #10994 from hercules-ci/fix-value-print-elided
Fix underflow in `printAttrs`, `printList`
2024-06-30 10:11:47 -04:00
siddhantCodes
72bb530141 use CanonPath in fs-sink and its derivatives 2024-06-30 19:03:15 +05:30
Robert Hensing
b2c7f09b0a Fix underflow in Printer::printList
Analogous to 9b88bf8adf / three commits back
2024-06-29 14:10:58 +02:00
Robert Hensing
bfc5416240 Refactor: rename ValuePrinter::totalListItemsPrinted 2024-06-29 14:02:28 +02:00
Robert Hensing
ce1dc87711 Refactor: rename ValuePrinter::totalAttrsPrinted
Make it more distinct from the attrs printed of any specific
attrset.
2024-06-29 14:01:15 +02:00
Robert Hensing
9b88bf8adf Fix underflow in Printer::printAttrs
The code that counts the number of elided attrs incorrectly used the
per-printer "global" attribute counter instead of a counter that
was relevant only to the current attribute set.

This bug flew under the radar because often the attribute sets aren't
nested, not big enough, or we wouldn't pay attention to the numbers.
I've noticed the issue because the difference underflowed.

Although this behavior is tested by the functional test
lang/eval-fail-bad-string-interpolation-4.nix, the underflow slipped
through review. A simpler reproducer would be as follows, but I
haven't added it to the test suite to keep it simple and marginally
faster.

```
$ nix run nix/2.23.1 -- eval --expr '"" + (let v = { a = { a = 1; b = 2; c = 1; d = 1; e = 1; f = 1; g = 1; h = 1; }; b = { a = 1; b = 1; c = 1; }; }; in builtins.deepSeq v v)'
error:
       … while evaluating a path segment
         at «string»:1:6:
            1| "" + (let v = { a = { a = 1; b = 2; c = 1; d = 1; e = 1; f = 1; g = 1; h = 1; }; b = { a = 1; b = 1; c = 1; }; }; in builtins.deepSeq v v)
             |      ^

       error: cannot coerce a set to a string: { a = { a = 1; b = 2; c = 1; d = 1; e = 1; f = 1; g = 1; h = 1; }; b = { a = 1; «4294967289 attributes elided» }; }
```
2024-06-29 13:53:05 +02:00
Robert Hensing
fd94b74ee5 Fix #10947; don't cache disallowed IFD 2024-06-29 13:19:04 +02:00
Robert Hensing
32e6cc64b5
Merge pull request #10988 from cole-h/restore-summary-rename
Restore commit-lock-file-summary rename for consistency
2024-06-29 11:51:50 +02:00
Cole Helbling
d906d42330 Restore commit-lock-file-summary rename for consistency
It was originally renamed in https://github.com/NixOS/nix/pull/10691,
but https://github.com/NixOS/nix/pull/9063 accidentally removed the new
name and alias.
2024-06-28 14:53:40 -07:00
Cole Helbling
9e9730ef0f Test that commit-lock-file-summary and its alias work 2024-06-28 14:53:40 -07:00
John Ericson
02963f712e
Merge pull request #10987 from tweag/remove-thufschmitt-from-maintainers
maintainers: Drop thufschmitt
2024-06-28 16:19:14 -04:00
Théophane Hufschmitt
26089183e6 maintainers: Drop thufschmitt
https://github.com/NixOS/nixos-homepage/pull/1490
2024-06-28 15:56:53 +02:00
Valentin Gagarin
b44909ac22
add many more examples on escaping in strings (#10974) 2024-06-27 10:58:59 +02:00
Harmen
3b388f6629
string interpolation escape example (#10966)
* string interpolation escape example

Make it easier to find the documentation, and the example might be enough for most cases.

Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
2024-06-27 08:30:21 +00:00
John Ericson
aff0fbc764
Merge pull request #10972 from NixOS/no-vendor-toml11
Stop vendoring toml11
2024-06-27 00:10:09 -04:00