path: root/scripts/download-from-binary-cache.pl.in
Age | Commit message | Author | Files | Lines
2016-01-05 | Verify TLS certificate before downloading binaries | Philip Potter | 1 | -1/+1
    The --insecure flag to curl tells curl not to bother checking if the TLS certificate presented by the server actually matches the hostname requested, and actually is issued by a trusted CA chain. This almost entirely negates any benefit from using TLS in the first place.

    This removes the --insecure flag to ensure we actually have a secure connection to the intended hostname before downloading binaries.

    Manually tested locally within a dev-shell; was able to download binaries from https://cache.nixos.org without issue.

    [Note: --insecure was only used for fetching NARs, whose integrity is verified by Nix anyway using the hash from the .narinfo. But if we can fetch the .narinfo without --insecure, we can also fetch the .nar, so there is not much point to using --insecure. --Eelco]
2015-11-25 | Set default binary-caches-parallel-connections to 25 | Eelco Dolstra | 1 | -1/+1
    Some benchmarking suggested this as a good value. Running

      $ benchmark -f ... -t 25 -- sh -c 'rm -f /nix/var/nix/binary-cache*; nix-store -r /nix/store/x5z8a2yvz8h6ccmhwrwrp9igg03575jg-nixos-15.09.git.5fd87e1M.drv --dry-run --option binary-caches-parallel-connections <N>'

    gave the following mean elapsed times for these values of N:

      N=10:  3.3541
      N=20:  2.9320
      N=25:  2.6690
      N=30:  2.9417
      N=50:  3.2021
      N=100: 3.5718
      N=150: 4.2079

    Memory usage is also reduced (N=150 used 186 MB, N=25 only 68 MB).

    Closes #708.
2015-09-25 | Also set CURLOPT_SSL_VERIFYHOST=0 when "verify-https-binary-caches" is false | Utku Demir | 1 | -1/+6
    This makes that option even more insecure, by also not checking the SSL host. But without this parameter, one can still get SSL errors even when "verify-https-binary-caches" is false, which is unexpected IMO.
2015-02-19 | FIXMEs | Eelco Dolstra | 1 | -0/+4
2015-01-15 | Set correct user agent for NAR downloads from binary caches | Eelco Dolstra | 1 | -2/+4
2014-12-09 | Doh | Eelco Dolstra | 1 | -1/+1
2014-12-09 | Add option to disable binary cache certificate checking | Eelco Dolstra | 1 | -1/+7
2014-12-09 | Provide some fallback defaults for the CA bundle | Eelco Dolstra | 1 | -0/+2
2014-12-09 | Use https://cache.nixos.org instead of http://cache.nixos.org | Eelco Dolstra | 1 | -1/+1
2014-11-04 | download-from-binary-cache.pl: Fix flushing of stderr | Eelco Dolstra | 1 | -0/+1
2014-10-15 | Revert "binary download: Use $NIX_CURL_FLAGS" | Eelco Dolstra | 1 | -1/+1
    This reverts commit bc4795919afac59af8f27d3c1f26ab404330f718. It breaks the build: http://hydra.nixos.org/build/15860847
2014-10-14 | binary download: Use $NIX_CURL_FLAGS | wmertens | 1 | -1/+1
    As in https://github.com/NixOS/nixpkgs/blob/5c0816567d6b99bd2ef7c8ae5744f80a6a0372c4/pkgs/build-support/fetchurl/builder.sh#L17
2014-08-29 | Shut up "Wide character" warnings in Perl scripts | Eelco Dolstra | 1 | -0/+2
2014-08-21 | Set a curl timeout on binary cache lookups | Eelco Dolstra | 1 | -0/+1
2014-08-20 | Use proper quotes everywhere | Eelco Dolstra | 1 | -3/+3
2014-08-07 | Warn about untrusted binary caches in extra-binary-caches | Eelco Dolstra | 1 | -2/+5
2014-08-07 | download-from-binary-cache.pl: Respect $SSL_CERT_FILE | Eelco Dolstra | 1 | -1/+1
2014-02-26 | Also provide an option for setting the curl connection timeout | Eelco Dolstra | 1 | -1/+4
2014-02-26 | Respect $NIX_CONNECT_TIMEOUT properly | Eelco Dolstra | 1 | -2/+4
    We were 1) using CURLOPT_TIMEOUT instead of CURLOPT_CONNECTTIMEOUT; 2) not passing it to the curl child process. Issue #93.
2014-02-26 | Fix broken patch | Eelco Dolstra | 1 | -1/+1
2014-02-26 | Use the USER environment variable if getting the user id via getpwuid fails in Perl scripts: download-from-binary-cache.pl and nix-channel | Ian-Woo Kim | 1 | -1/+1
2014-01-08 | Support cryptographically signed binary caches | Eelco Dolstra | 1 | -6/+18
    NAR info files in binary caches can now have a cryptographic signature that Nix will verify before using the corresponding NAR file.

    To create a private/public key pair for signing and verifying a binary cache, do:

      $ openssl genrsa -out ./cache-key.sec 2048
      $ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub

    You should also come up with a symbolic name for the key, such as "cache.example.org-1". This will be used by clients to look up the public key. (It's a good idea to number keys, in case you ever need to revoke/replace one.)

    To create a binary cache signed with the private key:

      $ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1

    The public key (cache-key.pub) should be distributed to the clients. Their nix.conf should contain something like:

      signed-binary-caches = *
      binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub

    If all works well, then when Nix fetches something from the signed binary cache, you will see a message like:

      *** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...

    On the other hand, if the signature is wrong, you get a message like:

      NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring

    Signatures are implemented as a single line appended to the NAR info file, which looks like this:

      Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==

    Thus the signature has 3 fields: a version (currently "1"), the ID of the key, and the base64-encoded signature of the SHA-256 hash of the contents of the NAR info file up to but not including the Signature line.

    Issue #75.
2013-10-24 | Fix segfault on Darwin | Eelco Dolstra | 1 | -0/+1
    Ever since SQLite in Nixpkgs was updated to 3.8.0.2, Nix has randomly segfaulted on Darwin:

      http://hydra.nixos.org/build/6175515
      http://hydra.nixos.org/build/6611038

    It turns out that this is because the binary cache substituter somehow ends up loading two versions of SQLite: the one in Nixpkgs and the other from /usr/lib/libsqlite3.dylib. It's not exactly clear why the latter is loaded, but it appears to be because WWW::Curl indirectly loads /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation, which in turn seems to load /usr/lib/libsqlite3.dylib. This leads to a segfault when Perl exits:

      #0  0x00000001010375f4 in sqlite3_finalize ()
      #1  0x000000010125806e in sqlite_st_destroy ()
      #2  0x000000010124bc30 in XS_DBD__SQLite__st_DESTROY ()
      #3  0x00000001001c8155 in XS_DBI_dispatch ()
      ...
      #14 0x0000000100023224 in perl_destruct ()
      #15 0x0000000100000d6a in main ()
      ...

    The workaround is to explicitly load DBD::SQLite before WWW::Curl.
2013-07-01 | Add support for uncompressed NARs in binary caches | Eelco Dolstra | 1 | -3/+4
    Issue NixOS/hydra#102.
2013-06-20 | Don't keep "disabled" substituters running | Eelco Dolstra | 1 | -4/+7
    For instance, it's pointless to keep copy-from-other-stores running if there are no other stores, or download-using-manifests if there are no manifests. This also speeds things up because we don't send queries to those substituters.
2013-06-07 | download-from-binary-cache.pl: Respect $NIX_CONNECT_TIMEOUT | Eelco Dolstra | 1 | -0/+1
2013-06-07 | Replace $NIX_DEBUG_SUBST with an option ‘debug-subst’ | Eelco Dolstra | 1 | -1/+1
    Thus passing ‘--option debug-subst 1’ allows daemon users to turn on debug info and see what the substituter is doing.
2013-06-07 | download-from-binary-cache.pl: Show if we're waiting for a URL | Eelco Dolstra | 1 | -3/+15
    Previously, if a binary cache is hanging/unreachable/slow, download-from-binary-cache.pl would also hang without any indication to the user. Now, if fetching a URL takes more than 5 seconds, it will print a message to that effect.
2013-06-05 | download-from-binary-cache.pl: Fix race condition | Eelco Dolstra | 1 | -3/+4
    Fixes the error "DBD::SQLite::db do failed: column url is not unique".
2013-06-05 | Update the default binary cache URL to cache.nixos.org | Eelco Dolstra | 1 | -1/+1
2013-06-04 | download-from-binary-cache.pl: Treat a 403 error as a 404 | Eelco Dolstra | 1 | -2/+2
    Amazon S3 returns HTTP status code 403 if a file doesn't exist and the user has no permission to list the contents of the bucket. So treat it as 404 (meaning it's cached in the NARExistence table).
2013-05-15 | download-from-binary-cache.pl: Get rid of an uninitialized value warning | Eelco Dolstra | 1 | -1/+1
    Reported by Pablo Costa.
2013-05-07 | Add option ‘extra-binary-caches’ | Eelco Dolstra | 1 | -1/+10
    This allows providing additional binary caches, useful in scripts like Hydra's build reproduction scripts, in particular because untrusted caches are ignored.
2013-04-23 | Fix --fallback with the binary cache substituter | Eelco Dolstra | 1 | -0/+1
    Reported by Peter Simons.
2013-04-23 | Test NAR info caching | Eelco Dolstra | 1 | -4/+12
2013-01-02 | Reinstate the http://nixos.org/binary-cache default for the binary-caches setting | Eelco Dolstra | 1 | -2/+2
2012-12-21 | download-from-binary-cache: Use the channels of the calling user rather than root | Eelco Dolstra | 1 | -1/+3
    This should make life easier for single-user (non-daemon) installations. Note that when the daemon is used, the "calling user" is root so we're not using any untrusted caches.
2012-12-06 | Set a long SQLite timeout in the binary cache substituter | Eelco Dolstra | 1 | -0/+2
2012-11-06 | download-from-binary-cache: Try next cache if downloading a NAR fails | Eelco Dolstra | 1 | -1/+1
2012-11-06 | Process binary caches in order of priority | Eelco Dolstra | 1 | -7/+14
    Binary caches can now specify a priority in their nix-cache-info file. The binary cache substituter checks caches in order of priority. This is to ensure that fast, static caches like nixos.org/binary-cache are processed before slow, dynamic caches like hydra.nixos.org.
2012-11-06 | Add an option ‘use-binary-caches’ | Eelco Dolstra | 1 | -0/+4
    This allows disabling the use of binary caches, e.g.

      $ nix-build ... --option use-binary-caches false

    Note that

      $ nix-build ... --option binary-caches ''

    does not disable all binary caches, since the caches defined by channels will still be used.
2012-11-06 | Fix "Not an ARRAY reference" error | Eelco Dolstra | 1 | -1/+1
    It's a mystery why this error is not triggered in the build farm (e.g. http://hydra.nixos.org/build/3265602). Ah well.
2012-10-17 | nix-push: Only generate and copy a NAR if it doesn't already exist | Eelco Dolstra | 1 | -40/+10
    This prevents unnecessary and slow rebuilds of NARs that already exist in the binary cache.
2012-10-11 | download-from-binary-cache: Remove duplicate entries in trustedURLs | Eelco Dolstra | 1 | -1/+1
2012-10-02 | Add operation ‘nix-store --repair-path’ | Eelco Dolstra | 1 | -3/+4
    This operation allows fixing corrupted or accidentally deleted store paths by redownloading them using substituters, if available. Since the corrupted path cannot be replaced atomically, there is a very small time window (one system call) during which neither the old (corrupted) nor the new (repaired) contents are available. So repairing should be used with some care on critical packages like Glibc.
2012-09-21 | Style fix | Eelco Dolstra | 1 | -1/+1
2012-09-13 | Put a time-to-live on negative binary cache lookups | Eelco Dolstra | 1 | -3/+30
    Negative lookups are purged from the DB after a day, at most once per day. However, for non-"have" lookups (e.g. all except "nix-env -qas"), negative lookups are ignored after one hour. This is to ensure that you don't have to wait a day for an operation like "nix-env -i" to start using new binaries in the cache. Should probably make this configurable.
2012-09-13 | Doh | Eelco Dolstra | 1 | -2/+2
2012-09-13 | Delete manifests in "nix-channel --remove" or when a binary cache is available | Eelco Dolstra | 1 | -0/+1
2012-09-12 | Compatibility fix for WWW::Curl < 4.14 | Eelco Dolstra | 1 | -1/+2
    Older versions of WWW::Curl don't support scalar references for CURLOPT_WRITEDATA directly. http://hydra.nixos.org/build/3017188