Maximilian Bosch 0256e5578e
libfetchers/git: hardcode --git-dir
To demonstrate the problem:

* You need a `git` at 2.33.3 in your $PATH
* An expression like this in a git repository:

  ``` nix
  {
    outputs = { self, nixpkgs }: {
      packages.foo.x86_64-linux = with nixpkgs.legacyPackages.x86_64-linux;
        runCommand "snens" { } ''
          echo ${(builtins.fetchGit ./.).lastModifiedDate} > $out
        '';
    };
  }
  ```

Now, when instantiating the package via `builtins.getFlake`, it fails on
Nix 2.7 like this:

    $ nix-instantiate -E '(builtins.getFlake "'"$(pwd)"'").packages.foo.x86_64-linux'
    fatal: unsafe repository ('/nix/store/a7j3125km4h8l0p71q6ssfkxamfh5d61-source' is owned by someone else)
    To add an exception for this directory, call:

    	git config --global --add safe.directory /nix/store/a7j3125km4h8l0p71q6ssfkxamfh5d61-source
    error: program 'git' failed with exit code 128
    (use '--show-trace' to show detailed location information)

This breaks e.g. `nixops`-deployments using flakes with similar
expressions as shown above.

The cause for this is that `git(1)` tries to find the highest
`.git`-directory in the directory tree and if it finds such a
directory, but with another owning user (root vs. the user who evaluates
the expression), it fails as above. This was changed recently to fix
CVE-2022-24765[1].

By explicitly specifying `--git-dir`, Git assumes to be in the top-level
directory and doesn't attempt to look for a `.git`-directory in the
parent directories and thus the code-path leading to said error is never
reached.

[1] https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/
2022-04-23 23:20:17 +02:00
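The following is an added illustration, not code from Nix or from git: a small Python model of the repository discovery described in the commit message. It walks upward from a start directory looking for `.git`, applies the owner check that CVE-2022-24765 introduced (rejecting a repository owned by another user unless it is listed in `safe.directory`), and shows that an explicit `--git-dir` skips the walk so that check is never reached. The owner lookup and the current uid are injected as parameters (an assumption made so the root-vs-user mismatch can be reproduced without root), and `.git` is only recognised as a directory, not as a gitfile, which is a simplification of what git actually does.

```python
"""Model of git's repository discovery plus the CVE-2022-24765 ownership
check. Constructed example, not code from Nix or git.

git(1) finds a repository by walking upward from the working directory
until it sees a `.git` entry.  Since the CVE fix, a discovered repository
owned by a different user is refused unless listed in `safe.directory`.
An explicit --git-dir / GIT_DIR skips the walk, so the check never runs.
"""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Iterable, Optional


class UnsafeRepositoryError(Exception):
    """Stands in for git's 'unsafe repository (... is owned by someone else)'."""


def find_git_dir(
    start: os.PathLike,
    *,
    explicit_git_dir: Optional[str] = None,
    owner_of: Callable[[Path], int] = lambda p: p.stat().st_uid,
    current_uid: Optional[int] = None,
    safe_directories: Iterable[str] = (),
) -> Path:
    """Return the .git directory for `start`, emulating git's discovery."""
    start = Path(start).resolve()
    if current_uid is None:
        current_uid = getattr(os, "getuid", lambda: 0)()

    if explicit_git_dir is not None:
        # --git-dir: git trusts the caller, does not search parent
        # directories, and therefore never applies the ownership check.
        git_dir = start / explicit_git_dir
        if not git_dir.is_dir():
            raise FileNotFoundError(f"{git_dir} is not a git directory")
        return git_dir

    safe = {str(Path(d).resolve()) for d in safe_directories}
    # Upward walk: the start directory first, then each parent up to '/'.
    for worktree in (start, *start.parents):
        git_dir = worktree / ".git"
        if not git_dir.is_dir():
            continue
        if owner_of(worktree) != current_uid and str(worktree) not in safe:
            raise UnsafeRepositoryError(
                f"unsafe repository ('{worktree}' is owned by someone else)"
            )
        return git_dir
    raise FileNotFoundError(f"not a git repository (searched from {start})")


def demo() -> dict:
    """Build a throwaway checkout and exercise the three code paths."""
    root = Path(tempfile.mkdtemp(prefix="gitdir-demo-")).resolve()
    results = {}
    try:
        (root / ".git").mkdir()
        sub = root / "src" / "libfetchers"
        sub.mkdir(parents=True)
        # Constructed scenario: the checkout is owned by root (uid 0) while
        # the evaluation runs as uid 1000, as with a /nix/store copy.
        owned_by_root = lambda p: 0
        try:
            find_git_dir(sub, owner_of=owned_by_root, current_uid=1000)
        except UnsafeRepositoryError as err:
            results["discovery"] = str(err)
        # The documented workaround: whitelist the directory.
        results["safe_directory"] = str(find_git_dir(
            sub, owner_of=owned_by_root, current_uid=1000,
            safe_directories=[str(root)]))
        # The commit's fix: name the git dir explicitly from the top level.
        results["explicit"] = str(find_git_dir(
            root, explicit_git_dir=".git",
            owner_of=owned_by_root, current_uid=1000))
        # --git-dir also means no upward walk from a subdirectory.
        try:
            find_git_dir(sub, explicit_git_dir=".git",
                         owner_of=owned_by_root, current_uid=1000)
        except FileNotFoundError:
            results["explicit_from_subdir"] = "not found"
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `demo()` run shows why hardcoding `--git-dir` is the right fix for a fetcher that already knows where the top-level directory is: discovery from inside the checkout fails on the owner mismatch, `safe.directory` only papers over it per path, and the explicit git dir sidesteps the walk that triggers the check in the first place.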

Nix


Nix is a powerful package manager for Linux and other Unix systems that makes package management reliable and reproducible. Please refer to the Nix manual for more details.

Installation

On Linux and macOS the easiest way to install Nix is to run the following shell command (as a user other than root):

$ curl -L https://nixos.org/nix/install | sh

Information on additional installation methods is available on the Nix download page.

Building And Developing

See the Hacking guide in our manual for instructions on how to build Nix from source with nix-build or how to get a development environment.

Additional Resources

License

Nix is released under the LGPL v2.1.