about summary refs log tree commit diff
path: root/perl/lib/Nix/Manifest.pm
AgeCommit message (Collapse)AuthorFilesLines
2014-01-08 Support cryptographically signed binary cachesEelco Dolstra1-3/+37
NAR info files in binary caches can now have a cryptographic signature that Nix will verify before using the corresponding NAR file. To create a private/public key pair for signing and verifying a binary cache, do: $ openssl genrsa -out ./cache-key.sec 2048 $ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub You should also come up with a symbolic name for the key, such as "cache.example.org-1". This will be used by clients to look up the public key. (It's a good idea to number keys, in case you ever need to revoke/replace one.) To create a binary cache signed with the private key: $ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1 The public key (cache-key.pub) should be distributed to the clients. They should have a nix.conf should contain something like: signed-binary-caches = * binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub If all works well, then if Nix fetches something from the signed binary cache, you will see a message like: *** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’... On the other hand, if the signature is wrong, you get a message like NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring Signatures are implemented as a single line appended to the NAR info file, which looks like this: Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ== Thus the signature has 3 fields: a version (currently "1"), the ID of key, and the base64-encoded signature of the SHA-256 hash of the contents of the NAR info file up to but not including the Signature line. Issue #75.
2013-10-24 Fix segfault on DarwinEelco Dolstra1-0/+1
Ever since SQLite in Nixpkgs was updated to 3.8.0.2, Nix has randomly segfaulted on Darwin: http://hydra.nixos.org/build/6175515 http://hydra.nixos.org/build/6611038 It turns out that this is because the binary cache substituter somehow ends up loading two versions of SQLite: the one in Nixpkgs and the other from /usr/lib/libsqlite3.dylib. It's not exactly clear why the latter is loaded, but it appears to be because WWW::Curl indirectly loads /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation, which in turn seems to load /usr/lib/libsqlite3.dylib. This leads to a segfault when Perl exits: #0 0x00000001010375f4 in sqlite3_finalize () #1 0x000000010125806e in sqlite_st_destroy () #2 0x000000010124bc30 in XS_DBD__SQLite__st_DESTROY () #3 0x00000001001c8155 in XS_DBI_dispatch () ... #14 0x0000000100023224 in perl_destruct () #15 0x0000000100000d6a in main () ... The workaround is to explicitly load DBD::SQLite before WWW::Curl.
2013-06-20 Don't keep "disabled" substituters runningEelco Dolstra1-1/+4
For instance, it's pointless to keep copy-from-other-stores running if there are no other stores, or download-using-manifests if there are no manifests. This also speeds things up because we don't send queries to those substituters.
2012-10-17 nix-push: Only generate and copy a NAR if it doesn't already existEelco Dolstra1-1/+39
This prevents unnecessary and slow rebuilds of NARs that already exist in the binary cache.
2012-09-19 Support xz compression in the download-using-manifests substituterEelco Dolstra1-6/+12
2012-09-13 Delete manifests in "nix-channel --remove" or when a binary cache is availableEelco Dolstra1-21/+39
2012-04-10 Unconfuse RobEelco Dolstra1-2/+2
2012-01-03 * Ignore missing manifest symlinks.Eelco Dolstra1-0/+1
2011-11-16 * nix-pull: update the Nix manifest cache if necessary. Also, don'tEelco Dolstra1-4/+4
read the manifest just to check the version and print the number of paths. This makes nix-pull very fast for the cached cache (speeding up nixos-rebuild without the ‘--no-pull’ or ‘--fast’ options).
2011-11-16 * Don't decompress the manifests in /nix/var/nix/manifest. This savesEelco Dolstra1-2/+8
disk space, and, since they're typically only decompressed once (to fill the manifest cache), doesn't make things slower.
2011-11-16 * Remove obsolete line.Eelco Dolstra1-1/+0
2011-11-16 * Re-use prepared statements across insertions into the manifest cacheEelco Dolstra1-8/+12
DB. This speeds up creating the cache from 16.1s to 7.9s on my system.
2011-10-10 * Install NixManifest.pm, NixConfig.pm and GeneratePatches.pm underEelco Dolstra1-0/+357
the Nix:: namespace.