path: root/scripts
Age | Commit message | Author | Files | Lines
2015-02-17 | Include NAR size in fingerprint computation | Eelco Dolstra | 1 | -1/+1
This is not strictly needed for integrity (since we already include the NAR hash in the fingerprint) but it helps against endless data attacks [1]. (However, this will also require download-from-binary-cache.pl to bail out if it receives more than the specified number of bytes.)

[1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
2015-02-08 | nix-build: Respect -Q during evaluation | Shea Levy | 1 | -0/+5
Fixes #474
2015-02-04 | Sign a subset of the .narinfo | Eelco Dolstra | 1 | -2/+3
We only need to sign the store path, NAR hash and references (the "fingerprint"). Everything else is irrelevant to security. For instance, the compression algorithm or the hash of the compressed NAR don't matter as long as the contents of the uncompressed NAR are correct. (Maybe we should include derivers in the fingerprint, but they're broken and nobody cares about them. Also, it might be nice in the future if .narinfos contained signatures from multiple independent signers. But that's impossible if the deriver is included in the fingerprint, since everybody will tend to have a different deriver for the same store path.) Also renamed the "Signature" field to "Sig" since the format changed in an incompatible way.
2015-02-04 | Use libsodium instead of OpenSSL for binary cache signing | Eelco Dolstra | 1 | -13/+12
Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA signatures. Public keys are also much shorter, so they're now specified directly in the nix.conf option ‘binary-cache-public-keys’. The new command ‘nix-store --generate-binary-cache-key’ generates and prints a public and secret key.
2015-01-30 | nix-install-package: follow symlinks | Jaka Hudoklin | 1 | -1/+1
2015-01-28 | Moves runHook to a later execution position | Oliver Dunkl | 1 | -1/+1
It moves runHook to a later position in the rcfile. After that we are able to set the PS1 environment-variable for a nix-shell environment e.g.:

    # turn the color of the prompt to blue
    shellHook = ''
      export PS1="\n\[\033[1;34m\][\u@\h:\w]$\[\033[0m\] ";
    '';
2015-01-15 | Shut up "Wide character in print" warning in copy-from-other-stores.pl | Eelco Dolstra | 1 | -0/+1
2015-01-15 | Set correct user agent for NAR downloads from binary caches | Eelco Dolstra | 1 | -2/+4
2015-01-08 | nix-shell: Add --run flag | Eelco Dolstra | 1 | -2/+7
‘--run’ is like ‘--command’, except that it runs the command in a non-interactive shell. This is important if you do things like:

    $ nix-shell --command make

Hitting Ctrl-C while make is running drops you into the interactive Nix shell, which is probably not what you want. So you can now do

    $ nix-shell --run make

instead.
2015-01-08 | nix-shell: Interpret filenames relative to the #!-script | Eelco Dolstra | 1 | -0/+7
So you can have a script like:

    #! /usr/bin/env nix-shell
    #! nix-shell script.nix -i python

    import prettytable

    x = prettytable.PrettyTable(["Foo", "Bar"])
    for i in range(1, 10): x.add_row([i, i**2])
    print x

with a ‘script.nix’ in the same directory:

    with import <nixpkgs> {};

    runCommand "dummy" { buildInputs = [ python pythonPackages.prettytable ]; } ""

(Of course, in this particular case, using the ‘-p’ flag is more convenient.)
2015-01-08 | Allow nix-shell to be used as a #! interpreter | Eelco Dolstra | 1 | -0/+37
This allows scripts to fetch their own dependencies via nix-shell. For instance, here is a Haskell script that, when executed, pulls in GHC and the HTTP package:

    #! /usr/bin/env nix-shell
    #! nix-shell -i runghc -p haskellPackages.ghc haskellPackages.HTTP

    import Network.HTTP

    main = do
      resp <- Network.HTTP.simpleHTTP (getRequest "http://nixos.org/")
      body <- getResponseBody resp
      print (take 100 body)

Or a Perl script that pulls in Perl and some CPAN packages:

    #! /usr/bin/env nix-shell
    #! nix-shell -i perl -p perl perlPackages.HTMLTokeParserSimple perlPackages.LWP

    use HTML::TokeParser::Simple;

    my $p = HTML::TokeParser::Simple->new(url => 'http://nixos.org/');

    while (my $token = $p->get_tag("a")) {
        my $href = $token->get_attr("href");
        print "$href\n" if $href;
    }

Note that the options to nix-shell must be given on a separate line that starts with the magic string ‘#! nix-shell’. This is because ‘env’ does not allow passing arguments to an interpreter directly.
2015-01-07 | nix-shell --command: Remove bogus argument to "exit" | Eelco Dolstra | 1 | -1/+1
Fixes "exit: Inappropriate: numeric argument required" errors.
2014-12-13 | Install cacert before running nix-channel | Eelco Dolstra | 1 | -5/+6
Also, make it more robust against incorrect SSL_CERT_FILE values.
2014-12-10 | Include cacert in the binary tarball | Eelco Dolstra | 1 | -2/+5
This prevents having to fetch Nixpkgs or cacert over http.
2014-12-10 | Always use https to fetch the Nixpkgs channel | Eelco Dolstra | 2 | -6/+2
2014-12-10 | Fix bad comment | Eelco Dolstra | 1 | -1/+1
2014-12-09 | Doh | Eelco Dolstra | 1 | -1/+1
2014-12-09 | Add option to disable binary cache certificate checking | Eelco Dolstra | 1 | -1/+7
2014-12-09 | Provide some fallback defaults for the CA bundle | Eelco Dolstra | 1 | -0/+2
2014-12-09 | Use https://cache.nixos.org instead of http://cache.nixos.org | Eelco Dolstra | 1 | -1/+1
2014-12-05 | Fix another operator precedence issue found by Perl 5.20 | Eelco Dolstra | 1 | -1/+1
2014-11-18 | Add a test for the binary tarball installer | Eelco Dolstra | 1 | -2/+4
2014-11-12 | build-remote.pl.in: Add some more trace messages | Eelco Dolstra | 1 | -0/+2
This allows hydra-build to keep track of the actual build time (so excluding time required to copy closures around).
2014-11-04 | download-from-binary-cache.pl: Fix flushing of stderr | Eelco Dolstra | 1 | -0/+1
2014-10-15 | Fix nix-copy-closure --from | Shea Levy | 1 | -1/+1
http://hydra.nixos.org/build/15885652
2014-10-15 | Revert "binary download: Use $NIX_CURL_FLAGS" | Eelco Dolstra | 1 | -1/+1
This reverts commit bc4795919afac59af8f27d3c1f26ab404330f718. It breaks the build: http://hydra.nixos.org/build/15860847
2014-10-14 | binary download: Use $NIX_CURL_FLAGS | wmertens | 1 | -1/+1
As in https://github.com/NixOS/nixpkgs/blob/5c0816567d6b99bd2ef7c8ae5744f80a6a0372c4/pkgs/build-support/fetchurl/builder.sh#L17
2014-10-14 | nix-channel: Add --rollback flag | Eelco Dolstra | 1 | -0/+14
Fixes #368.
2014-10-14 | nix-channel --add: Validate URL / channel ID | Eelco Dolstra | 1 | -0/+2
Fixes #369.
2014-10-14 | Remove unused @sshOpts flag | Eelco Dolstra | 1 | -2/+2
Closes #300.
2014-10-14 | nix-copy-closure: Use strict | Eelco Dolstra | 1 | -0/+1
2014-09-23 | Pass through --set from nix-install-package command line to nix-env | Shell Turner | 1 | -1/+5
2014-09-05 | build-remote.pl: UTF-8-decode errors | Eelco Dolstra | 1 | -1/+2
2014-09-05 | Fix build-remote.pl | Eelco Dolstra | 1 | -1/+4
Apparently, turning on utf8 encoding on stderr changes its flushing behaviour, causing sendReply to not send anything. http://hydra.nixos.org/build/13944384
2014-08-29 | Shut up "Wide character" warnings in Perl scripts | Eelco Dolstra | 10 | -0/+25
2014-08-21 | Set a curl timeout on binary cache lookups | Eelco Dolstra | 1 | -0/+1
2014-08-20 | Use proper quotes everywhere | Eelco Dolstra | 12 | -78/+80
2014-08-17 | Propagate remote timeouts properly | Eelco Dolstra | 1 | -6/+1
2014-08-17 | nix-build: Propagate exit status from nix-store -r | Eelco Dolstra | 1 | -1/+1
2014-08-17 | build-remote.pl: Provide defaults for $NIX_CURRENT_LOAD and $NIX_REMOTE_SYSTEMS | Eelco Dolstra | 1 | -2/+2
2014-08-13 | nix-shell: Use $XDG_RUNTIME_DIR | Eelco Dolstra | 1 | -1/+2
This prevents collisions with other users. Fixes #262.
2014-08-13 | Use $XDG_RUNTIME_DIR for temporary files | Eelco Dolstra | 7 | -22/+7
2014-08-07 | Warn about untrusted binary caches in extra-binary-caches | Eelco Dolstra | 1 | -2/+5
2014-08-07 | nix-install-package: Use extra-binary-caches | Eelco Dolstra | 1 | -1/+1
2014-08-07 | download-from-binary-cache.pl: Respect $SSL_CERT_FILE | Eelco Dolstra | 1 | -1/+1
2014-08-07 | install-nix-from-closure.sh: Use https channel if possible | Eelco Dolstra | 1 | -1/+5
2014-07-29 | install-nix-from-closure.sh: Install cacert | Eelco Dolstra | 1 | -0/+3
2014-07-29 | nix-profile.sh: Set $SSL_CERT_FILE | Eelco Dolstra | 1 | -1/+10
2014-07-24 | nix-copy-closure: Drop --bzip2, --xz, --show-progress | Eelco Dolstra | 2 | -16/+6
These are too difficult to implement via nix-store --serve. ‘--show-progress’ could be re-implemented fairly easily via a sink/source wrapper class.
2014-07-24 | nix-copy-closure: Implement --gzip via ssh's -C flag | Eelco Dolstra | 1 | -2/+1