Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/build-remote.pl.in2
-rwxr-xr-xscripts/copy-from-other-stores.pl.in1
-rw-r--r--scripts/download-from-binary-cache.pl.in17
-rw-r--r--scripts/install-nix-from-closure.sh24
-rwxr-xr-xscripts/nix-build.in59
-rw-r--r--scripts/nix-profile.sh.in4
6 files changed, 86 insertions, 21 deletions
diff --git a/scripts/build-remote.pl.in b/scripts/build-remote.pl.in
index 5f0c72b663b8..dcf245d7d55f 100755
--- a/scripts/build-remote.pl.in
+++ b/scripts/build-remote.pl.in
@@ -259,11 +259,13 @@ close UPLOADLOCK;
 
 # Perform the build.
 print STDERR "building ‘$drvPath’ on ‘$hostName’\n";
+print STDERR "@ build-remote-start $drvPath $hostName\n" if $printBuildTrace;
 writeInt(6, $to) or die; # == cmdBuildPaths
 writeStrings([$drvPath], $to);
 writeInt($maxSilentTime, $to);
 writeInt($buildTimeout, $to);
 my $res = readInt($from);
+print STDERR "@ build-remote-done $drvPath $hostName\n" if $printBuildTrace;
 if ($res != 0) {
     my $msg = decode("utf-8", readString($from));
     print STDERR "error: $msg on ‘$hostName’\n";
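Review bot: The `build-remote-done` trace line is printed before `$res` is checked, so a consumer of the build trace sees the same marker for a successful and a failed remote build. Consider carrying the result in the record, e.g. `print STDERR "@ build-remote-done $drvPath $hostName $res\n" if $printBuildTrace;`, provided the trace consumer (not visible here) tolerates an extra field. `$hostName` is interpolated unescaped into a space-delimited record, so a comment stating that host names must not contain whitespace would help. The `if ($res != 0)` block continues outside the hunk.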
diff --git a/scripts/copy-from-other-stores.pl.in b/scripts/copy-from-other-stores.pl.in
index cf36bae9e803..8ce5a9d4049f 100755
--- a/scripts/copy-from-other-stores.pl.in
+++ b/scripts/copy-from-other-stores.pl.in
@@ -9,6 +9,7 @@ my $binDir = $ENV{"NIX_BIN_DIR"} || "@bindir@";
 
 
 STDOUT->autoflush(1);
+binmode STDERR, ":encoding(utf8)";
 
 my @remoteStoresAll = split ':', ($ENV{"NIX_OTHER_STORES"} or "");
 
diff --git a/scripts/download-from-binary-cache.pl.in b/scripts/download-from-binary-cache.pl.in
index cdce8eb74a41..4655f9ac9a0e 100644
--- a/scripts/download-from-binary-cache.pl.in
+++ b/scripts/download-from-binary-cache.pl.in
@@ -13,6 +13,7 @@ use WWW::Curl::Easy;
 use WWW::Curl::Multi;
 use strict;
 
+STDERR->autoflush(1);
 binmode STDERR, ":encoding(utf8)";
 
 Nix::Config::readConfig;
@@ -41,9 +42,18 @@ my $curlIdCount = 1;
 my %requests;
 my %scheduled;
 my $caBundle = $ENV{"SSL_CERT_FILE"} // $ENV{"CURL_CA_BUNDLE"} // $ENV{"OPENSSL_X509_CERT_FILE"};
+$caBundle = "/etc/ssl/certs/ca-bundle.crt" if !$caBundle && -f "/etc/ssl/certs/ca-bundle.crt";
+$caBundle = "/etc/ssl/certs/ca-certificates.crt" if !$caBundle && -f "/etc/ssl/certs/ca-certificates.crt";
 
 my $userName = getpwuid($<) || $ENV{"USER"} or die "cannot figure out user name";
 
+my $userAgent = "Nix/$Nix::Config::version";
+
+sub isTrue {
+    my ($x) = @_;
+    return $x eq "true" || $x eq "1";
+}
+
 my $requireSignedBinaryCaches = ($Nix::Config::config{"signed-binary-caches"} // "0") ne "0";
 
 my $curlConnectTimeout = int(
@@ -66,7 +76,8 @@ sub addRequest {
     $curl->setopt(CURLOPT_WRITEDATA, $fh);
     $curl->setopt(CURLOPT_FOLLOWLOCATION, 1);
     $curl->setopt(CURLOPT_CAINFO, $caBundle) if defined $caBundle;
-    $curl->setopt(CURLOPT_USERAGENT, "Nix/$Nix::Config::version");
+    $curl->setopt(CURLOPT_SSL_VERIFYPEER, 0) unless isTrue($Nix::Config::config{"verify-https-binary-caches"} // "1");
+    $curl->setopt(CURLOPT_USERAGENT, $userAgent);
     $curl->setopt(CURLOPT_NOBODY, 1) if $head;
     $curl->setopt(CURLOPT_FAILONERROR, 1);
     $curl->setopt(CURLOPT_CONNECTTIMEOUT, $curlConnectTimeout);
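Review bot: The `CURLOPT_SSL_VERIFYPEER` line fails open: `isTrue` accepts only `true` and `1`, so any other value of `verify-https-binary-caches` (`yes`, `True`, a typo, an empty string) turns certificate verification off. Disable verification only on an explicit negative, e.g. `my $verify = $Nix::Config::config{"verify-https-binary-caches"} // "1";` followed by `$curl->setopt(CURLOPT_SSL_VERIFYPEER, 0) if $verify eq "false" || $verify eq "0";`. Printing a warning to STDERR when verification is off would make the downgrade visible in logs. addRequest starts and ends outside the hunk.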
@@ -217,7 +228,7 @@ sub getAvailableCaches {
     }
 
     my @urls = strToList($Nix::Config::config{"binary-caches"} //
-        ($Nix::Config::storeDir eq "/nix/store" ? "http://cache.nixos.org" : ""));
+        ($Nix::Config::storeDir eq "/nix/store" ? "https://cache.nixos.org" : ""));
 
     my $urlsFiles = $Nix::Config::config{"binary-cache-files"}
         // "$Nix::Config::stateDir/profiles/per-user/$userName/channels/binary-caches/*";
@@ -546,7 +557,7 @@ sub downloadBinary {
         die if $requireSignedBinaryCaches && !defined $info->{signedBy};
         print STDERR "\n*** Downloading ‘$url’ ", ($requireSignedBinaryCaches ? "(signed by ‘$info->{signedBy}’) " : ""), "to ‘$storePath’...\n";
         checkURL $url;
-        if (system("$Nix::Config::curl --fail --location --insecure --connect-timeout $curlConnectTimeout '$url' $decompressor | $Nix::Config::binDir/nix-store --restore $destPath") != 0) {
+        if (system("$Nix::Config::curl --fail --location --insecure --connect-timeout $curlConnectTimeout -A '$userAgent' '$url' $decompressor | $Nix::Config::binDir/nix-store --restore $destPath") != 0) {
             warn "download of ‘$url’ failed" . ($! ? ": $!" : "") . "\n";
             next;
         }
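Review bot: The changed `system(...)` line still passes `--insecure` to curl unconditionally, so the `verify-https-binary-caches` setting and `$caBundle` handling added in this commit cover only the WWW::Curl requests, not the transfer that fetches store contents. Unless `$requireSignedBinaryCaches` is set, integrity of the download then rests on whatever hash check follows outside this hunk. Derive the TLS arguments from the same setting, e.g. `my $tlsArgs = isTrue($Nix::Config::config{"verify-https-binary-caches"} // "1") ? "" : "--insecure";`, and add `--cacert` when `$caBundle` is defined. The command is also one shell string with `'$url'` and `'$userAgent'` inside single quotes, which is safe only if `checkURL` rejects quote characters; that is not visible here.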
diff --git a/scripts/install-nix-from-closure.sh b/scripts/install-nix-from-closure.sh
index ef56149915b1..c9ba9a2a280a 100644
--- a/scripts/install-nix-from-closure.sh
+++ b/scripts/install-nix-from-closure.sh
@@ -5,6 +5,7 @@ set -e
 dest="/nix"
 self="$(dirname "$0")"
 nix="@nix@"
+cacert="@cacert@"
 
 if ! [ -e $self/.reginfo ]; then
     echo "$0: incomplete installer (.reginfo is missing)" >&2
@@ -17,7 +18,7 @@ if [ -z "$USER" ]; then
 fi
 
 if [ "$(id -u)" -eq 0 ]; then
-    echo "warning: installing Nix as root is not recommended" >&2
+    printf '\e[1;31mwarning: installing Nix as root is not supported by this script!\e[0m\n'
 fi
 
 echo "performing a single-user installation of Nix..." >&2
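Review bot: The new root warning goes to stdout, because the `>&2` redirect of the replaced `echo` was not carried over to the `printf` line, so it is lost when the installer's output is piped or captured. `\e` is also not a portable printf escape, while `\033` is. Suggested line: `printf '\033[1;31mwarning: installing Nix as root is not supported by this script!\033[0m\n' >&2`. The message says root is unsupported but the script carries on; if that is intended, a comment saying so would help.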
@@ -66,23 +67,24 @@ fi
 
 . $nix/etc/profile.d/nix.sh
 
-if ! $nix/bin/nix-env -i $nix; then
+if ! $nix/bin/nix-env -i "$nix"; then
     echo "$0: unable to install Nix into your default profile" >&2
     exit 1
 fi
 
+# Install an SSL certificate bundle.
+if [ -z "$SSL_CERT_FILE" -o ! -f "$SSL_CERT_FILE" ]; then
+    $nix/bin/nix-env -i "$cacert"
+    export SSL_CERT_FILE="$HOME/.nix-profile/etc/ca-bundle.crt"
+fi
+
 # Subscribe the user to the Nixpkgs channel and fetch it.
 if ! $nix/bin/nix-channel --list | grep -q "^nixpkgs "; then
-    if [ -n "$SSL_CERT_FILE" ]; then
-        $nix/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable
-    else
-        $nix/bin/nix-channel --add http://nixos.org/channels/nixpkgs-unstable
-    fi
+    $nix/bin/nix-channel --add https://nixos.org/channels/nixpkgs-unstable
+fi
+if [ -z "$_NIX_INSTALLER_TEST" ]; then
+    $nix/bin/nix-channel --update nixpkgs
 fi
-$nix/bin/nix-channel --update nixpkgs
-
-# Install an SSL certificate bundle.
-$nix/bin/nix-env -iA nixpkgs.cacert || true
 
 # Make the shell source nix.sh during login.
 p=$NIX_LINK/etc/profile.d/nix.sh
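Review bot: `SSL_CERT_FILE` is exported right after `nix-env -i "$cacert"` without checking that `$HOME/.nix-profile/etc/ca-bundle.crt` exists, so a missing or differently named bundle would surface later as a TLS failure in `nix-channel --update` rather than at the step that caused it. Add a check inside the `if`, such as `[ -f "$SSL_CERT_FILE" ] || { echo "$0: certificate bundle not found: $SSL_CERT_FILE" >&2; exit 1; }`. The export lasts only for the installer process, so a comment on where later shells get the variable from would help. The test could also be written `[ -z "$SSL_CERT_FILE" ] || [ ! -f "$SSL_CERT_FILE" ]` instead of using the obsolescent `-o`. `_NIX_INSTALLER_TEST` deserves a one-line comment too, since it silently skips the channel update.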
diff --git a/scripts/nix-build.in b/scripts/nix-build.in
index f8cf318ff07a..ca43041b77b0 100755
--- a/scripts/nix-build.in
+++ b/scripts/nix-build.in
@@ -5,6 +5,8 @@ use strict;
 use Nix::Config;
 use Nix::Store;
 use Nix::Utils;
+use File::Basename;
+use Cwd;
 
 binmode STDERR, ":encoding(utf8)";
 
@@ -14,6 +16,7 @@ my $runEnv = $0 =~ /nix-shell$/;
 my $pure = 0;
 my $fromArgs = 0;
 my $packages = 0;
+my $interactive = 1;
 
 my @instArgs = ();
 my @buildArgs = ();
@@ -25,6 +28,8 @@ my @envExclude = ();
 
 my $myName = $runEnv ? "nix-shell" : "nix-build";
 
+my $inShebang = 0;
+my $script;
 
 my $tmpDir = mkTempDir($myName);
 
@@ -35,6 +40,29 @@ my $drvLink = "$tmpDir/derivation";
 $SIG{'INT'} = sub { exit 1 };
 
 
+# Heuristic to see if we're invoked as a shebang script, namely, if we
+# have a single argument, it's the name of an executable file, and it
+# starts with "#!".
+if ($runEnv && scalar @ARGV == 1) {
+    $script = $ARGV[0];
+    if (-f $script && -x $script) {
+        open SCRIPT, "<$script" or die "$0: cannot open ‘$script’: $!\n";
+        my $first = <SCRIPT>;
+        if ($first =~ /^\#\!/) {
+            $inShebang = 1;
+            @ARGV = ();
+            while (<SCRIPT>) {
+                chomp;
+                if (/^\#\!\s*nix-shell (.*)$/) {
+                    @ARGV = split / /, $1;
+                }
+            }
+        }
+        close SCRIPT;
+    }
+}
+
+
 for (my $n = 0; $n < scalar @ARGV; $n++) {
     my $arg = $ARGV[$n];
 
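Review bot: `open SCRIPT, "<$script"` is a two-argument open on a name taken from `@ARGV`, so characters in the file name can be read as part of the open mode rather than the path, and the bareword handle is global. Use the three-argument form with a lexical handle, `open my $fh, '<', $script or die "$0: cannot open ‘$script’: $!\n";`, and read with `<$fh>`. `$first` is undef for an empty file, so `($first // "") =~ /^\#\!/` avoids a warning. `split / /, $1` splits on single spaces only, so quoted arguments on the `#! nix-shell` line are not supported; a comment stating that limit would help. The `for` loop at the end of the hunk continues outside it.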
@@ -131,10 +159,11 @@ for (my $n = 0; $n < scalar @ARGV; $n++) {
         $runEnv = 1;
     }
 
-    elsif ($arg eq "--command") {
+    elsif ($arg eq "--command" || $arg eq "--run") {
         $n++;
         die "$0: ‘$arg’ requires an argument\n" unless $n < scalar @ARGV;
-        $envCommand = "$ARGV[$n]\nexit $!";
+        $envCommand = "$ARGV[$n]\nexit";
+        $interactive = 0 if $arg eq "--run";
     }
 
     elsif ($arg eq "--exclude") {
@@ -155,6 +184,18 @@ for (my $n = 0; $n < scalar @ARGV; $n++) {
         $packages = 1;
     }
 
+    elsif ($inShebang && $arg eq "-i") {
+        $n++;
+        die "$0: ‘$arg’ requires an argument\n" unless $n < scalar @ARGV;
+        my $interpreter = $ARGV[$n];
+        # Überhack to support Perl. Perl examines the shebang and
+        # executes it unless it contains the string "perl" or "indir",
+        # or (undocumented) argv[0] does not contain "perl". Exploit
+        # the latter by doing "exec -a".
+        my $execArgs = $interpreter =~ /perl/ ? "-a PERL" : "";
+        $envCommand = "exec $execArgs $interpreter $script";
+    }
+
     elsif (substr($arg, 0, 1) eq "-") {
         push @buildArgs, $arg;
     }
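Review bot: `$envCommand = "exec $execArgs $interpreter $script";` places `$interpreter` and `$script` unquoted into text that bash later parses, so a script path containing spaces or shell metacharacters is split or re-interpreted instead of being passed as one argument. Quote the path for the shell before interpolating it, e.g. `(my $quoted = $script) =~ s/'/'\\''/g;` followed by `$envCommand = "exec $execArgs $interpreter '$quoted'";`. `$interpreter =~ /perl/` also matches any interpreter path that merely contains `perl`; a comment noting whether that is intended would help. The enclosing argument loop starts and ends outside the hunk.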
@@ -182,6 +223,11 @@ foreach my $expr (@exprs) {
     # Instantiate.
     my @drvPaths;
     if ($expr !~ /^\/.*\.drv$/) {
+        # If we're in a #! script, interpret filenames relative to the
+        # script.
+        $expr = dirname(Cwd::abs_path($script)) . "/" . $expr
+            if $inShebang && $expr !~ /^\//;
+
         # !!! would prefer the perl 5.8.0 pipe open feature here.
         my $pid = open(DRVPATHS, "-|") || exec "$Nix::Config::binDir/nix-instantiate", "--add-root", $drvLink, "--indirect", @instArgs, $expr;
         while (<DRVPATHS>) {chomp; push @drvPaths, $_;}
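Review bot: The added prefixing treats every `$expr` that does not start with `/` as a file name, but `$fromArgs` and `$packages` suggest that `@exprs` can also hold expression text rather than paths (where it is filled is not visible here). In that case the script directory would be prepended to an expression. If so, guard the condition: `if $inShebang && !$fromArgs && !$packages && $expr !~ /^\//;`. `Cwd::abs_path` may return undef when the path cannot be resolved, and it resolves symlinks, so relative names are looked up next to the link target rather than the link; both are worth a comment. The `foreach` body starts and ends outside the hunk.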
@@ -232,17 +278,20 @@ foreach my $expr (@exprs) {
             ($pure ? '' : 'p=$PATH; ' ) .
             'dontAddDisableDepTrack=1; ' .
             '[ -e $stdenv/setup ] && source $stdenv/setup; ' .
-            'if [ "$(type -t runHook)" = function ]; then runHook shellHook; fi; ' .
             ($pure ? '' : 'PATH=$PATH:$p; unset p; ') .
             'set +e; ' .
             '[ -n "$PS1" ] && PS1="\n\[\033[1;32m\][nix-shell:\w]$\[\033[0m\] "; ' .
+            'if [ "$(type -t runHook)" = function ]; then runHook shellHook; fi; ' .
             'unset NIX_ENFORCE_PURITY; ' .
             'unset NIX_INDENT_MAKE; ' .
             'shopt -u nullglob; ' .
             'unset TZ; ' . (defined $ENV{'TZ'} ? "export TZ='${ENV{'TZ'}}'; " : '') .
             $envCommand);
         $ENV{BASH_ENV} = $rcfile;
-        exec($ENV{NIX_BUILD_SHELL} // "bash", "--rcfile", $rcfile);
+        my @args = ($ENV{NIX_BUILD_SHELL} // "bash");
+        push @args, "--rcfile" if $interactive;
+        push @args, $rcfile;
+        exec @args;
         die;
     }
 
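Review bot: The new `@args` construction has no comment explaining the non-interactive case. Without `--rcfile`, `$rcfile` becomes bash's script argument while `$ENV{BASH_ENV}` still points at the same file, so the file appears to be read by both routes unless the `exit` appended for `--run` ends the shell first. A comment above `push @args, "--rcfile" if $interactive;`, such as `# Non-interactive (--run): run the rc file as a script instead of starting a prompt.`, would record the intent. The bare `die;` after `exec @args;` gives no hint of what failed; `die "$0: cannot exec ‘$args[0]’: $!\n";` would. The enclosing block starts outside the hunk.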
@@ -276,7 +325,7 @@ foreach my $expr (@exprs) {
     while (<OUTPATHS>) {chomp; push @outPaths, $_;}
     if (!close OUTPATHS) {
         die "nix-store killed by signal " . ($? & 127) . "\n" if ($? & 127);
-        exit $? >> 8 || 1;
+        exit ($? >> 8 || 1);
     }
 
     next if $dryRun;
diff --git a/scripts/nix-profile.sh.in b/scripts/nix-profile.sh.in
index 7dd7968c314a..a91b54bd589f 100644
--- a/scripts/nix-profile.sh.in
+++ b/scripts/nix-profile.sh.in
@@ -10,9 +10,9 @@ if [ -n "$HOME" ]; then
 
     export PATH=$NIX_LINK/bin:$NIX_LINK/sbin:$PATH
 
-    # Subscribe the root user to the Nixpkgs channel by default.
+    # Subscribe the user to the Nixpkgs channel by default.
     if [ ! -e $HOME/.nix-channels ]; then
-        echo "http://nixos.org/channels/nixpkgs-unstable nixpkgs" > $HOME/.nix-channels
+        echo "https://nixos.org/channels/nixpkgs-unstable nixpkgs" > $HOME/.nix-channels
     fi
 
     # Append ~/.nix-defexpr/channels/nixpkgs to $NIX_PATH so that