-rw-r--r-- | doc/manual/command-ref/conf-file.xml | 10 | ||||
-rw-r--r-- | misc/docker/Dockerfile | 2 | ||||
-rw-r--r-- | misc/launchd/org.nixos.nix-daemon.plist.in | 2 | ||||
-rw-r--r-- | release.nix | 4 | ||||
-rw-r--r-- | src/libexpr/primops.cc | 2 | ||||
-rw-r--r-- | src/libstore/download.cc | 3 | ||||
-rw-r--r-- | src/libstore/globals.cc | 3 | ||||
-rw-r--r-- | src/libstore/globals.hh | 6 | ||||
-rw-r--r-- | src/libstore/s3-binary-cache-store.cc | 1 | ||||
-rw-r--r-- | src/libutil/archive.hh | 6 | ||||
-rw-r--r-- | src/libutil/util.hh | 1 |
11 files changed, 29 insertions, 11 deletions
diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml
index 96f8a4b608a4..36b70f0c48ff 100644
--- a/doc/manual/command-ref/conf-file.xml
+++ b/doc/manual/command-ref/conf-file.xml
@@ -644,6 +644,16 @@ password <replaceable>my-password</replaceable>
 </varlistentry>
+ <varlistentry xml:id="conf-allow-import-from-derivation"><term><literal>allow-import-from-derivation</literal></term>
+
+ <listitem><para>By default, Nix allows you to <function>import</function> from a derivation, allowing building at evaluation time. With this option set to false, Nix will throw an error when evaluating an expression that uses this feature, allowing users to ensure their evaluation will not require any builds to take place.</para></listitem>
+
+ </varlistentry>
+
+ </variablelist>
 </para>
diff --git a/misc/docker/Dockerfile b/misc/docker/Dockerfile
index 7b2865c946d3..85bd32e199a9 100644
--- a/misc/docker/Dockerfile
+++ b/misc/docker/Dockerfile
@@ -1,6 +1,6 @@
 FROM alpine
-RUN wget -O- http://nixos.org/releases/nix/nix-1.11.2/nix-1.11.2-x86_64-linux.tar.bz2 | bzcat - | tar xf - \
+RUN wget -O- http://nixos.org/releases/nix/nix-1.11.7/nix-1.11.7-x86_64-linux.tar.bz2 | bzcat - | tar xf - \
 && echo "nixbld:x:30000:nixbld1,nixbld2,nixbld3,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9,nixbld10,nixbld11,nixbld12,nixbld13,nixbld14,nixbld15,nixbld16,nixbld17,nixbld18,nixbld19,nixbld20,nixbld21,nixbld22,nixbld23,nixbld24,nixbld25,nixbld26,nixbld27,nixbld28,nixbld29,nixbld30" >> /etc/group \
 && for i in $(seq 1 30); do echo "nixbld$i:x:$((30000 + $i)):30000:::" >> /etc/passwd; done \
 && mkdir -m 0755 /nix && USER=root sh nix-*-x86_64-linux/install \
diff --git a/misc/launchd/org.nixos.nix-daemon.plist.in b/misc/launchd/org.nixos.nix-daemon.plist.in
index c5ef97ee9a3f..5d57a5ec8ff1 100644
--- a/misc/launchd/org.nixos.nix-daemon.plist.in
+++ b/misc/launchd/org.nixos.nix-daemon.plist.in
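Review bot: The rewritten RUN line still fetches the Nix installer tarball over plain `http://`, pipes it straight into `tar`, and then executes `sh nix-*-x86_64-linux/install` from it, with no checksum or signature check, so the image build trusts whatever the network hands back. Since this line is being edited anyway, switch the URL to `https://` and verify the archive before extracting it, e.g. download to a file, check it with `sha256sum -c` against a pinned digest, and only then extract. The digest for this release is not on this page and would have to be taken from the published release hash (use a `<PINNED_SHA256>` placeholder until it is).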
@@ -16,6 +16,8 @@
 <dict>
 <key>NIX_SSL_CERT_FILE</key>
 <string>/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt</string>
+ <key>XDG_CACHE_HOME</key>
+ <string>/root/.cache</string>
 </dict>
 </dict>
 </plist>
diff --git a/release.nix b/release.nix
index 78f961963999..e61e81bdf37e 100644
--- a/release.nix
+++ b/release.nix
@@ -74,8 +74,8 @@ let
 buildInputs =
 [ curl perl bzip2 xz openssl pkgconfig sqlite boehmgc ]
- ++ lib.optional stdenv.isLinux libsodium
- ++ lib.optional stdenv.isLinux
+ ++ lib.optional (stdenv.isLinux || stdenv.isDarwin) libsodium
+ ++ lib.optional (stdenv.isLinux || stdenv.isDarwin)
 (aws-sdk-cpp.override {
 apis = ["s3"];
 customMemoryManagement = false;
diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc
index 5a570cefb2fa..93097f3d1bf3 100644
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@@ -59,6 +59,8 @@ void EvalState::realiseContext(const PathSet & context)
 drvs.insert(decoded.first + "!" + decoded.second);
 }
 if (!drvs.empty()) {
+ if (!settings.enableImportFromDerivation)
+ throw EvalError(format("attempted to realize ‘%1%’ during evaluation but 'allow-import-from-derivation' is false") % *(drvs.begin()));
 /* For performance, prefetch all substitute info. */
 PathSet willBuild, willSubstitute, unknown;
 unsigned long long downloadSize, narSize;
diff --git a/src/libstore/download.cc b/src/libstore/download.cc
index 11374b1da525..6567a4dc4754 100644
--- a/src/libstore/download.cc
+++ b/src/libstore/download.cc
@@ -227,8 +227,7 @@ struct CurlDownloader : public Downloader
 curl_easy_setopt(req, CURLOPT_NOBODY, 1);
 if (request.verifyTLS)
- curl_easy_setopt(req, CURLOPT_CAINFO,
- getEnv("NIX_SSL_CERT_FILE", getEnv("SSL_CERT_FILE", "/etc/ssl/certs/ca-certificates.crt")).c_str());
+ curl_easy_setopt(req, CURLOPT_CAINFO, settings.caFile.c_str());
 else {
 curl_easy_setopt(req, CURLOPT_SSL_VERIFYPEER, 0);
 curl_easy_setopt(req, CURLOPT_SSL_VERIFYHOST, 0);
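Review bot: The new guard in realiseContext throws as soon as any derivation output appears in the context, before the missing-paths query that fills `willBuild`/`willSubstitute` just below (its call is outside the hunk), so with the option set to false an evaluation fails even when every referenced output is already valid in the store and no build would have happened. The manual text added in this commit only promises that no builds take place, so either move the check after that query and throw only when `willBuild` is non-empty (or `willSubstitute` too, if substitution should also be forbidden), or change the manual to say the feature is disabled outright. The message also mixes ‘…’ and '…' quoting in one string; `"attempted to realize ‘%1%’ during evaluation but ‘allow-import-from-derivation’ is false"` matches the surrounding style. realiseContext's body begins before this hunk.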
diff --git a/src/libstore/globals.cc b/src/libstore/globals.cc
index 07af629260af..df537a51255a 100644
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -69,6 +69,8 @@ Settings::Settings()
 showTrace = false;
 enableImportNative = false;
 netrcFile = fmt("%s/%s", nixConfDir, "netrc");
+ caFile = getEnv("NIX_SSL_CERT_FILE", getEnv("SSL_CERT_FILE", "/etc/ssl/certs/ca-certificates.crt"));
+ enableImportFromDerivation = true;
 }
@@ -184,6 +186,7 @@ void Settings::update()
 _get(keepGoing, "keep-going");
 _get(keepFailed, "keep-failed");
 _get(netrcFile, "netrc-file");
+ _get(enableImportFromDerivation, "allow-import-from-derivation");
 }
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index 0ff18f8b16ea..7a9a9f6c0caa 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -195,6 +195,12 @@ struct Settings {
 downloads. */
 Path netrcFile;
+ /* Path to the SSL CA file used */
+ Path caFile;
+
+ /* Whether we allow import-from-derivation */
+ bool enableImportFromDerivation;
+
 private:
 SettingsMap settings, overrides;
diff --git a/src/libstore/s3-binary-cache-store.cc b/src/libstore/s3-binary-cache-store.cc
index a110f5ade48d..5134dd175261 100644
--- a/src/libstore/s3-binary-cache-store.cc
+++ b/src/libstore/s3-binary-cache-store.cc
@@ -77,6 +77,7 @@ ref<Aws::Client::ClientConfiguration> S3Helper::makeConfig(const string & region
 res->region = region;
 res->requestTimeoutMs = 600 * 1000;
 res->retryStrategy = std::make_shared<RetryStrategy>();
+ res->caFile = settings.caFile;
 return res;
 }
diff --git a/src/libutil/archive.hh b/src/libutil/archive.hh
index c067cd2ad243..607ebf8b28f9 100644
--- a/src/libutil/archive.hh
+++ b/src/libutil/archive.hh
@@ -75,12 +75,6 @@ struct TeeSink : ParseSink
 TeeSource source;
 TeeSink(Source & source) : source(source) { }
-
- void preallocateContents(unsigned long long size) override
- {
- source.data->reserve(source.data->size() + size + 1024);
- };
-
 };
 void parseDump(ParseSink & sink, Source & source);
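Review bot: `caFile` is initialised from `NIX_SSL_CERT_FILE`/`SSL_CERT_FILE` in the Settings constructor but, unlike `enableImportFromDerivation` in the second hunk, it is never registered in `Settings::update()`, so the CA bundle that download.cc and the S3 store now use for TLS verification cannot be set in nix.conf and depends solely on the environment of whichever process (client or daemon) performs the download. If that is intended, a comment on the initialiser saying so would stop the next reader from looking for the config key; if not, `_get(caFile, "ssl-cert-file");` beside the `netrc-file` line plus a manual entry would make it configurable and auditable. Also worth confirming: if `getEnv` returns a set-but-empty variable as-is, an empty `NIX_SSL_CERT_FILE` yields an empty `caFile` rather than the fallback path.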
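Review bot: The comment on the new `caFile` member in globals.hh says only "SSL CA file used" and gives neither the source of the value nor what it protects; suggest `/* CA bundle used to verify TLS peers (curl downloads and the S3 binary cache). Taken from NIX_SSL_CERT_FILE, then SSL_CERT_FILE, else /etc/ssl/certs/ca-certificates.crt. */`. For the flag, `/* Whether 'import' from a derivation (building at evaluation time) is allowed; nix.conf key 'allow-import-from-derivation', default true. */` records the default and config key that the globals.cc hunks establish. The Settings struct continues outside this hunk.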
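Review bot: `res->caFile = settings.caFile` in makeConfig replaces the AWS SDK's own default trust store with Nix's path, whose fallback is `/etc/ssl/certs/ca-certificates.crt` (globals.cc in this commit); release.nix now builds the S3 store on Darwin too, where that file typically does not exist, so an HTTPS S3 cache will likely fail certificate verification there unless `NIX_SSL_CERT_FILE` or `SSL_CERT_FILE` is set in the downloading process (the launchd plist sets it only for the daemon). Failing closed is the right outcome, but the resulting SDK error will not mention the variable; consider only assigning `caFile` when `pathExists(settings.caFile)` holds, or documenting the requirement where the S3 store is described. makeConfig starts before this hunk.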
diff --git a/src/libutil/util.hh b/src/libutil/util.hh
index 2950f7daa5ec..b74c1d41739a 100644
--- a/src/libutil/util.hh
+++ b/src/libutil/util.hh
@@ -13,6 +13,7 @@
 #include <limits>
 #include <cstdio>
 #include <map>
+#include <sstream>
 #ifndef HAVE_STRUCT_DIRENT_D_TYPE
 #define DT_UNKNOWN 0 |