path: root/perl/lib/Nix
Age | Commit message | Author | Files | Lines
2014-01-08 | Support cryptographically signed binary caches | Eelco Dolstra | 3 | -4/+81
NAR info files in binary caches can now have a cryptographic signature that Nix will verify before using the corresponding NAR file.

To create a private/public key pair for signing and verifying a binary cache, do:

    $ openssl genrsa -out ./cache-key.sec 2048
    $ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub

You should also come up with a symbolic name for the key, such as "cache.example.org-1". This will be used by clients to look up the public key. (It's a good idea to number keys, in case you ever need to revoke/replace one.)

To create a binary cache signed with the private key:

    $ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1

The public key (cache-key.pub) should be distributed to the clients. They should have a nix.conf that should contain something like:

    signed-binary-caches = *
    binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub

If all works well, then if Nix fetches something from the signed binary cache, you will see a message like:

    *** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...

On the other hand, if the signature is wrong, you get a message like

    NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring

Signatures are implemented as a single line appended to the NAR info file, which looks like this:

    Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==

Thus the signature has 3 fields: a version (currently "1"), the ID of the key, and the base64-encoded signature of the SHA-256 hash of the contents of the NAR info file up to but not including the Signature line.

Issue #75.
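The Signature line layout described in the commit message above, worked through as an added Python example (not code from Nix or from this commit): it shows which bytes the hash covers and which inputs a verifier should reject. Assumptions: the function names, the PKCS#1 v1.5 padding, the toy key built from two Mersenne primes, the rule that the Signature line must be the last line, and the sample NAR info fields are all constructed for illustration.

```python
import base64
import hashlib

# Constructed toy RSA key (two Mersenne primes) so the example runs with the
# standard library only. Not secure; real keys come from `openssl genrsa`.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def encode(body, n):
    """EMSA-PKCS1-v1_5 block for SHA-256(body); the padding is an assumption."""
    k = (n.bit_length() + 7) // 8
    t = PREFIX + hashlib.sha256(body).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_narinfo(text, key_name):
    """Append a 'Signature: 1;<key>;<base64>' line (signer side, toy key)."""
    em = int.from_bytes(encode(text.encode(), N), "big")
    sig = pow(em, D, N).to_bytes((N.bit_length() + 7) // 8, "big")
    return text + "Signature: 1;%s;%s\n" % (key_name, base64.b64encode(sig).decode())

def verify_narinfo(text, trusted_keys):
    """Return the signing key name if the signature verifies, else None."""
    lines = text.splitlines(keepends=True)
    hits = [i for i, line in enumerate(lines) if line.startswith("Signature: ")]
    # One Signature line, and it must be last: later lines would be unsigned.
    if hits != [len(lines) - 1]:
        return None
    body = "".join(lines[:-1]).encode()
    fields = lines[-1][len("Signature: "):].strip().split(";")
    if len(fields) != 3 or fields[0] != "1":
        return None                      # malformed or unknown version
    key = trusted_keys.get(fields[1])
    if key is None:
        return None                      # no public key under that name
    try:
        sig = int.from_bytes(base64.b64decode(fields[2], validate=True), "big")
    except ValueError:
        return None
    n, e = key
    em = pow(sig, e, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return fields[1] if em == encode(body, n) else None

# Constructed sample NAR info contents (field values are illustrative).
SAMPLE = ("StorePath: /nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11\n"
          "URL: nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11\n")
TRUSTED = {"cache.example.org-1": (N, E)}
SIGNED = sign_narinfo(SAMPLE, "cache.example.org-1")
```
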
2013-12-20 | perl: Call loadConfFile() in doInit to avoid screwing sqlite journal mode. | Petr Rockai | 1 | -0/+2
If the database is opened through perl bindings (and even though nix.conf has use-sqlite-wal set to false), the database is automatically converted into WAL mode. This makes the next nix process to access the database convert it back to "truncate". If the database is still open at the time in wal mode by the perl program, this fails and crashes the nix doing the wal -> truncate conversion.
2013-10-24 | Fix segfault on Darwin | Eelco Dolstra | 1 | -0/+1
Ever since SQLite in Nixpkgs was updated to 3.8.0.2, Nix has randomly segfaulted on Darwin:

    http://hydra.nixos.org/build/6175515
    http://hydra.nixos.org/build/6611038

It turns out that this is because the binary cache substituter somehow ends up loading two versions of SQLite: the one in Nixpkgs and the other from /usr/lib/libsqlite3.dylib. It's not exactly clear why the latter is loaded, but it appears to be because WWW::Curl indirectly loads /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation, which in turn seems to load /usr/lib/libsqlite3.dylib. This leads to a segfault when Perl exits:

    #0 0x00000001010375f4 in sqlite3_finalize ()
    #1 0x000000010125806e in sqlite_st_destroy ()
    #2 0x000000010124bc30 in XS_DBD__SQLite__st_DESTROY ()
    #3 0x00000001001c8155 in XS_DBI_dispatch ()
    ...
    #14 0x0000000100023224 in perl_destruct ()
    #15 0x0000000100000d6a in main ()
    ...

The workaround is to explicitly load DBD::SQLite before WWW::Curl.
2013-09-06 | Don't apply the CPU affinity hack to nix-shell (and other Perl programs) | Eelco Dolstra | 1 | -0/+1
As discovered by Todd Veldhuizen, the shell started by nix-shell has its affinity set to a single CPU. This is because nix-shell connects to the Nix daemon, which causes the affinity hack to be applied. So we turn this off for Perl programs.
2013-06-20 | Don't keep "disabled" substituters running | Eelco Dolstra | 1 | -1/+4
For instance, it's pointless to keep copy-from-other-stores running if there are no other stores, or download-using-manifests if there are no manifests. This also speeds things up because we don't send queries to those substituters.
2013-05-10 | build-remote.pl: Properly close the SSH connection between attempts | Eelco Dolstra | 1 | -0/+1
2013-05-03 | Fixing the pv position regarding compression | Lluís Batlle i Rossell | 1 | -1/+1
Problem noticed by niksnut.
2013-05-03 | Adding ETA support to the --show-progress in nix-copy-closure | Lluís Batlle i Rossell | 1 | -4/+8
Based on https://github.com/NixOS/nix/pull/6 from shlevy
2013-03-08 | Revert "Prevent config.h from being clobbered" | Eelco Dolstra | 1 | -9/+12
This reverts commit 28bba8c44f484eae38e8a15dcec73cfa999156f6.
2013-03-08 | Fix annoying Perl 5.16 warnings | Eelco Dolstra | 1 | -17/+17
I.e.

    Subroutine Nix::Store::isValidPath redefined at /nix/store/clfzsf6gi7qh5i9c0vks1ifjam47rijn-perl-5.16.2/lib/perl5/5.16.2/XSLoader.pm line 92.

and so on.
2013-03-07 | Prevent config.h from being clobbered | Eelco Dolstra | 1 | -12/+9
2013-02-05 | Nix::Store::derivationFromPath: Return derivation outputs | Eelco Dolstra | 1 | -9/+12
2012-12-20 | Give a better error message if writeFile fails due to permission issues | Eelco Dolstra | 1 | -2/+2
2012-11-23 | nix-copy-closure: Add flag ‘--use-substitutes’ | Eelco Dolstra | 1 | -1/+8
2012-10-17 | nix-push: Only generate and copy a NAR if it doesn't already exist | Eelco Dolstra | 2 | -1/+58
This prevents unnecessary and slow rebuilds of NARs that already exist in the binary cache.
2012-09-19 | Support xz compression in the download-using-manifests substituter | Eelco Dolstra | 1 | -6/+12
2012-09-13 | Delete manifests in "nix-channel --remove" or when a binary cache is available | Eelco Dolstra | 1 | -21/+39
2012-08-27 | Drop dependency on List::MoreUtils | Eelco Dolstra | 1 | -0/+11
2012-08-27 | Add missing file | Eelco Dolstra | 1 | -0/+8
2012-07-30 | Refactor settings processing | Eelco Dolstra | 1 | -1/+1
Put all Nix configuration flags in a Settings object.
2012-07-30 | Pass configuration settings to the substituters | Eelco Dolstra | 1 | -1/+9
Previously substituters could read nix.conf themselves, but this didn't take --option flags into account.
2012-07-18 | Merge branch 'master' into no-manifests | Eelco Dolstra | 2 | -0/+12
2012-07-17 | Add function queryPathFromHashPart() | Eelco Dolstra | 2 | -0/+12
To implement binary caches efficiently, Hydra needs to be able to map the hash part of a store path (e.g. "gbg...zr7") to the full store path (e.g. "/nix/store/gbg...kzr7-subversion-1.7.5"). (The binary cache mechanism uses hash parts as a key for looking up store paths to ensure privacy.) However, doing a search in the Nix store for /nix/store/<hash>* is expensive since it requires reading the entire directory. queryPathFromHashPart() prevents this by doing a cheap database lookup.
2012-07-17 | queryPathInfo(): return hash in base-32 if desired | Eelco Dolstra | 1 | -2/+2
Cherry-picked from the no-manifests branch.
2012-07-11 | Set the User-Agent header to "Nix/<version>" | Eelco Dolstra | 1 | -0/+2
2012-07-09 | download-from-binary-cache: add nix.conf options | Eelco Dolstra | 1 | -3/+3
2012-07-02 | nix-push: Always generate base-32 hashes | Eelco Dolstra | 1 | -2/+2
2012-06-29 | First attempt at the manifest-less substituter | Eelco Dolstra | 1 | -0/+1
2012-06-29 | Use XZ compression in binary caches | Eelco Dolstra | 1 | -1/+2
XZ compresses significantly better than bzip2. Here are the compression ratios and execution times (using 4 cores in parallel) on my /var/run/current-system (3.1 GiB):

    bzip2: total compressed size 849.56 MiB, 30.8% [2m08]
    xz -6: total compressed size 641.84 MiB, 23.4% [6m53]
    xz -7: total compressed size 621.82 MiB, 22.6% [7m19]
    xz -8: total compressed size 599.33 MiB, 21.8% [7m18]
    xz -9: total compressed size 588.18 MiB, 21.4% [7m40]

Note that compression takes much longer. More importantly, however, decompression is much faster:

    bzip2: 1m47.274s
    xz -6: 0m55.446s
    xz -7: 0m54.119s
    xz -8: 0m52.388s
    xz -9: 0m51.842s

The only downside to using -9 is that decompression takes a fair amount (~65 MB) of memory.
2012-05-10 | Support building with the Perl XS bindings disabled | Eelco Dolstra | 2 | -2/+67
Since the Perl bindings require shared libraries, this is required on platforms such as Cygwin where we do a static build.
2012-04-13 | nix-copy-closure: Move the progressViewer directly adjacent to the ssh call | Shea Levy | 1 | -1/+1
so that network progress is what's measured
2012-04-13 | Add the '--show-progress' flag to nix-copy-closure | Shea Levy | 1 | -3/+4
2012-04-10 | Unconfuse Rob | Eelco Dolstra | 1 | -2/+2
2012-03-19 | Add a command "nix-build --run-env" to reproduce the environment of a derivation | Eelco Dolstra | 2 | -0/+43
This command builds or fetches all dependencies of the given derivation, then starts a shell with the environment variables from the derivation. This shell also sources $stdenv/setup to initialise the environment further. The current directory is not changed. Thus this is a convenient way to reproduce a build environment in an existing working tree.

Existing environment variables are left untouched (unless the derivation overrides them). As a special hack, the original value of $PATH is appended to the $PATH produced by $stdenv/setup.

Example session:

    $ nix-build --run-env '<nixpkgs>' -A xterm
    (the dependencies of xterm are built/fetched...)
    $ tar xf $src
    $ ./configure
    $ make
    $ emacs
    (... hack source ...)
    $ make
    $ ./xterm
2012-03-05 | nix-copy-closure: don't print copied path on stdout | Eelco Dolstra | 1 | -1/+1
We're already printing progress on stderr, so printing them on stdout afterwards is kind of useless.
2012-03-05 | Restore progress indication during nix-copy-closure | Eelco Dolstra | 1 | -1/+0
2012-01-03 | * Sync with the trunk. | Eelco Dolstra | 1 | -0/+1
2012-01-03 | * Ignore missing manifest symlinks. | Eelco Dolstra | 1 | -0/+1
2012-01-03 | * Add a test for nix-channel. | Eelco Dolstra | 1 | -0/+1
* Refactor the nix-channel unpacker a bit.
2011-12-02 | * Add some more functions to the Perl bindings. | Eelco Dolstra | 2 | -1/+48
2011-11-29 | * Don't require a specific Perl version. | Eelco Dolstra | 1 | -1/+0
2011-11-29 | * download-using-manifests: use the Perl bindings. | Eelco Dolstra | 2 | -1/+16
2011-11-29 | * For consistency with "nix-store -q --hash", produce hashes in | Eelco Dolstra | 1 | -1/+1
base-32. (This affects Hydra manifests.)
2011-11-23 | * Add an API function exportPaths() that provides the functionality of | Eelco Dolstra | 3 | -1/+60
‘nix-store --export’.
* Add a Perl module that provides the functionality of ‘nix-copy-closure --to’. This is used by build-remote.pl so it no longer needs to start a separate nix-copy-closure process. Also, it uses the Perl API to do the export, so it doesn't need to start a separate nix-store process either. As a result, nix-copy-closure and build-remote.pl should no longer fail on very large closures due to an "Argument list too long" error. (Note that having very many dependencies in a single derivation can still fail because the environment can become too large. Can't be helped though.)
2011-11-23 | * build-remote.pl: drop a hard-coded reference to /nix/etc/nix. | Eelco Dolstra | 1 | -0/+1
2011-11-22 | * Move initialisation of variables like nixConfDir from libmain to | Eelco Dolstra | 1 | -3/+1
libstore so that the Perl bindings can use it as well. It's vital that the Perl bindings use the configuration file, because otherwise nix-copy-closure will fail with a ‘database locked’ message if the value of ‘use-sqlite-wal’ is changed from the default.
2011-11-16 | * nix-pull: update the Nix manifest cache if necessary. Also, don't | Eelco Dolstra | 1 | -4/+4
read the manifest just to check the version and print the number of paths. This makes nix-pull very fast for the cached cache (speeding up nixos-rebuild without the ‘--no-pull’ or ‘--fast’ options).
2011-11-16 | * Don't decompress the manifests in /nix/var/nix/manifest. This saves | Eelco Dolstra | 1 | -2/+8
disk space, and, since they're typically only decompressed once (to fill the manifest cache), doesn't make things slower.
2011-11-16 | * Remove obsolete line. | Eelco Dolstra | 1 | -1/+0
2011-11-16 | * Re-use prepared statements across insertions into the manifest cache | Eelco Dolstra | 1 | -8/+12
DB. This speeds up creating the cache from 16.1s to 7.9s on my system.