about summary refs log tree commit diff
AgeCommit message (Collapse)AuthorFilesLines
2015-03-24 Tighten permissions on chroot directoriesEelco Dolstra1-2/+12
2015-03-24 Don't rely on __noChroot for corepkgsEelco Dolstra6-15/+24
This doesn't work anymore if the "strict" chroot mode is enabled. Instead, add Nix's store path as a dependency. This ensures that its closure is present in the chroot.
2015-03-19 Disable scanning for interior pointersEelco Dolstra1-0/+2
This may remove the "Repeated allocation of very large block" warnings.
2015-03-19 Fix Boehm API violationEelco Dolstra4-38/+48
We were calling GC_INIT() after doing an allocation (in the baseEnv construction), which is not allowed.
2015-03-19 Check return values from malloc/strdupEelco Dolstra1-11/+34
2015-03-18 Print some Boehm GC statsEelco Dolstra1-0/+7
2015-03-18 valueSize(): Take into account list/bindings/env sizeEelco Dolstra1-6/+15
2015-03-06 Fix typos: s/the the/the/Daniel Hahler4-4/+4
2015-03-06 forceValueDeep: Add to error prefixEelco Dolstra1-2/+7
2015-03-06 Improve error messageEelco Dolstra2-19/+25
2015-03-04 Reduce verbosity in build-remote.plEelco Dolstra3-0/+8
2015-03-04 Add option to hide display of missing pathsEelco Dolstra1-1/+2
2015-03-04 Don't use vfork() before clone()Eelco Dolstra1-1/+3
I'm seeing hangs in Glibc's setxid_mark_thread() again. This is probably because the use of an intermediate process to make clone() safe from a multi-threaded program (see 524f89f1399724e596f61faba2c6861b1bb7b9c5) is defeated by the use of vfork(), since the intermediate process will have a copy of Glibc's threading data structures due to the vfork(). So use a regular fork() again.
2015-03-03 Merge branch 'allow-system-library' of git://github.com/copumpkin/nixShea Levy1-1/+1
Make the default impure prefix include all of /System/Library
2015-03-02 Make the default impure prefix (not actual allowed impurities!) include all ↵Dan Peebles1-1/+1
of /System/Library, since we also want PrivateFrameworks from there and (briefly) TextEncodings, and who knows what else. Yay infectious impurities?
2015-03-02 Allow local networking in the darwin sandbox to appease testsDan Peebles1-0/+3
2015-02-23 TypoEelco Dolstra1-1/+1
2015-02-23 More graceful fallback for chroots on Linux < 2.13Eelco Dolstra1-6/+5
2015-02-23 Use chroots for all derivationsEelco Dolstra4-31/+57
If ‘build-use-chroot’ is set to ‘true’, fixed-output derivations are now also chrooted. However, unlike normal derivations, they don't get a private network namespace, so they can still access the network. Also, the use of the ‘__noChroot’ derivation attribute is no longer allowed. Setting ‘build-use-chroot’ to ‘relaxed’ gives the old behaviour.
2015-02-23 Add restricted evaluation modeEelco Dolstra6-11/+65
If ‘--option restrict-eval true’ is given, the evaluator will throw an exception if an attempt is made to access any file outside of the Nix search path. This is primarily intended for Hydra, where we don't want people doing ‘builtins.readFile ~/.ssh/id_dsa’ or stuff like that.
2015-02-22 Merge branch 'gh-476-fix-install-script' of git://github.com/jramnani/nixShea Levy1-1/+1
sometimes cd prints to stdout
2015-02-22 Merge branch 'docs/channels-path' of git://github.com/iElectric/nixShea Levy1-2/+2
2015-02-22 fixes https://github.com/NixOS/nixpkgs/issues/6485Domen Kožar1-2/+2
2015-02-19 Merge branch 'tilde-paths' of https://github.com/shlevy/nixEelco Dolstra4-3/+14
2015-02-19 tilde paths: The rest of the string has to start with a slash anywayShea Levy1-1/+1
2015-02-19 tilde paths: construct the entire path at parse timeShea Levy1-6/+1
2015-02-19 tilde paths: get HOME at parse timeShea Levy1-3/+1
2015-02-19 Remove obsolete reference to ~ operatorEelco Dolstra1-1/+0
2015-02-19 ExprConcatStrings: canonicalize concatenated pathsShea Levy1-1/+2
2015-02-19 FIXMEsEelco Dolstra1-0/+4
2015-02-19 Allow the leading component of a path to be a ~Shea Levy3-2/+19
2015-02-18 Escape arguments to nix-shell #! scriptsEelco Dolstra1-2/+6
2015-02-18 Support passing command line arguments to nix-shell #! scriptsEelco Dolstra1-2/+5
2015-02-18 Fix nix-shell shebang scripts if -p is usedEelco Dolstra1-1/+1
2015-02-18 nix-store --generate-binary-cache-key: Write key to diskEelco Dolstra2-13/+15
This ensures proper permissions for the secret key.
2015-02-17 Use $<attr>Path instead of $<attr> for passAsFileEelco Dolstra3-7/+13
2015-02-17 Allow passing attributes via files instead of environment variablesEelco Dolstra4-5/+55
Closes #473.
2015-02-17 Keep sortedEelco Dolstra1-27/+27
2015-02-17 Include NAR size in fingerprint computationEelco Dolstra3-6/+5
This is not strictly needed for integrity (since we already include the NAR hash in the fingerprint) but it helps against endless data attacks [1]. (However, this will also require download-from-binary-cache.pl to bail out if it receives more than the specified number of bytes.) [1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
2015-02-16 Test chroot buildingEelco Dolstra1-0/+1
2015-02-16 Use pivot_root in addition to chroot when possibleHarald van Dijk2-7/+29
chroot only changes the process root directory, not the mount namespace root directory, and it is well-known that any process with chroot capability can break out of a chroot "jail". By using pivot_root as well, and unmounting the original mount namespace root directory, breaking out becomes impossible. Non-root processes typically have no ability to use chroot() anyway, but they can gain that capability through the use of clone() or unshare(). For security reasons, these syscalls are limited in functionality when used inside a normal chroot environment. Using pivot_root() this way does allow those syscalls to be put to their full use.
2015-02-12 Revert "Remove Fedora 18, 19 builds"Eelco Dolstra1-0/+4
This reverts commit 9c58691ce3a35833ddcbf157f9f174ab0cc1c37a. Fedora 18/19 images should build again.
2015-02-11 Nix install script failed when "cd" printed to stdout.Jeff Ramnani1-1/+1
In some cases the bash builtin command "cd" can print the variable $CWD to stdout. This caused the install script to fail while copying files because the source path was wrong. Fixes #476.
2015-02-10 Don't depend on libsodium on DarwinEelco Dolstra1-1/+3
It doesn't build at the moment. http://hydra.nixos.org/build/19557641
2015-02-10 Make libsodium an optional dependencyEelco Dolstra6-2/+28
2015-02-10 Add Fedora 21 buildEelco Dolstra1-4/+8
Fixes #467.
2015-02-10 Add base64 encoder/decoderEelco Dolstra3-8/+66
2015-02-08 nix-build: Respect -Q during evaluationShea Levy1-0/+5
Fixes #474
2015-02-05 Remove tabEelco Dolstra1-1/+1
2015-02-04 TypoEelco Dolstra1-1/+1