about summary refs log tree commit diff
path: root/scripts
AgeCommit message (Collapse)AuthorFilesLines
2016-01-20 Fix broken call to shellwordsBrian McKenna1-1/+1
nix-shell shebangs were broken by 9018deab
2016-01-05 Verify TLS certificate before downloading binariesPhilip Potter2-3/+2
The --insecure flag to curl tells curl not to bother checking if the TLS certificate presented by the server actually matches the hostname requested, and actually is issued by a trusted CA chain. This almost entirely negates any benefit from using TLS in the first place. This removes the --insecure flag to ensure we actually have a secure connection to the intended hostname before downloading binaries. Manually tested locally within a dev-shell; was able to download binaries from https://cache.nixos.org without issue. [Note: --insecure was only used for fetching NARs, whose integrity is verified by Nix anyway using the hash from the .narinfo. But if we can fetch the .narinfo without --insecure, we can also fetch the .nar, so there is not much point to using --insecure. --Eelco]
2016-01-05 propagate NIX_BUILD_SHELL also in pure builds document NIX_BUILD_SHELL in ↵Fabian Schmitthenner1-1/+1
the nix-shell command documentation
2015-12-07 Use shellwords for nix-shell shebangBrian McKenna1-1/+2
Previously we can't have quoted arguments. This now allows us to use things like `ghcWithPackages`
2015-11-25 Set default binary-caches-parallel-connections to 25Eelco Dolstra1-1/+1
Some benchmarking suggested this as a good value. Running $ benchmark -f ... -t 25 -- sh -c 'rm -f /nix/var/nix/binary-cache*; nix-store -r /nix/store/x5z8a2yvz8h6ccmhwrwrp9igg03575jg-nixos-15.09.git.5fd87e1M.drv --dry-run --option binary-caches-parallel-connections <N>' gave the following mean elapsed times for these values of N: N=10: 3.3541 N=20: 2.9320 N=25: 2.6690 N=30: 2.9417 N=50: 3.2021 N=100: 3.5718 N=150: 4.2079 Memory usage is also reduced (N=150 used 186 MB, N=25 only 68 MB). Closes #708.
2015-11-21 reintroduce host deps in tandem with sandbox profilesJude Taylor1-1/+1
2015-11-10 Fix bad characters in "copying 7 missing paths from ..."Eelco Dolstra1-0/+1
2015-10-21 resolve-system-dependencies.pl: Simplify union implShea Levy1-8/+2
Patch by @pikajude
2015-10-21 appropriately handle lock acquisition failures in resolve-system-dependencies.plJude Taylor1-2/+7
2015-10-21 Add resolve-system-dependencies.plJude Taylor2-0/+125
2015-10-01 nix-prefetch-url: Rewrite in C++Eelco Dolstra2-133/+0
2015-09-25 Also set CURLOPT_SSL_VERIFYHOST=0 when "verify-https-binary-caches" is falseUtku Demir1-1/+6
This makes that option even more insecure, by also not checking the SSL host. But without this parameter, one can still get SSL errors even when "verify-https-binary-caches" is false, which is unexpected IMO.
2015-08-07 Drop newline in error messageEelco Dolstra1-1/+1
2015-07-20 nix-copy-closure: Add -v flagEelco Dolstra2-2/+5
And make exportPath() less spammy by default.
2015-07-01 Revert "add the manpath to the installer"Eelco Dolstra1-1/+0
This reverts commit 76f985b92d95fef967c1f3193d05244ced15420b. We shouldn't mess with $MANPATH, because on some "man" implementations (like NixOS'), the default value on $MANPATH is derived from $PATH. So if you set $MANPATH, you lose the default locations.
2015-06-12 nix-channel: Fix bogus error message caused by ↵Eelco Dolstra1-3/+3
8a84bd8c8bda1e4c6764c10ecdef9d74e4884800
2015-06-08 nix-push: Support -jEelco Dolstra1-1/+6
Fixes #548.
2015-06-08 Update cacert locationsEelco Dolstra2-5/+9
2015-06-04 copy-from-other-stores: Use cpEelco Dolstra1-1/+1
2015-06-03 NamingEelco Dolstra1-2/+2
2015-06-01 nix-shell: Support multiple "#! nix-shell" linesEelco Dolstra1-1/+1
2015-05-21 nix-shell: Barf if -p and -E are both usedEelco Dolstra1-0/+2
Closes #454, #455.
2015-05-05 nix-shell: Fix uninitialized value warningEelco Dolstra1-1/+1
2015-04-27 Merge branch 'nix-channel-tarballs' of git://github.com/copumpkin/nixShea Levy1-35/+54
2015-04-22 nix-collect-garbage: translate to C++Luca Bruno2-66/+0
2015-04-20 Support tarballs in nix channel URLsDan Peebles1-35/+54
2015-04-12 add the manpath to the installerMichael Merickel1-0/+1
2015-03-04 Reduce verbosity in build-remote.plEelco Dolstra1-0/+2
2015-02-22 Merge branch 'gh-476-fix-install-script' of git://github.com/jramnani/nixShea Levy1-1/+1
sometimes cd prints to stdout
2015-02-19 FIXMEsEelco Dolstra1-0/+4
2015-02-18 Escape arguments to nix-shell #! scriptsEelco Dolstra1-2/+6
2015-02-18 Support passing command line arguments to nix-shell #! scriptsEelco Dolstra1-2/+5
2015-02-18 Fix nix-shell shebang scripts if -p is usedEelco Dolstra1-1/+1
2015-02-17 Include NAR size in fingerprint computationEelco Dolstra1-1/+1
This is not strictly needed for integrity (since we already include the NAR hash in the fingerprint) but it helps against endless data attacks [1]. (However, this will also require download-from-binary-cache.pl to bail out if it receives more than the specified number of bytes.) [1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
2015-02-11 Nix install script failed when "cd" printed to stdout.Jeff Ramnani1-1/+1
In some cases the bash builtin command "cd" can print the variable $CWD to stdout. This caused the install script to fail while copying files because the source path was wrong. Fixes #476.
2015-02-08 nix-build: Respect -Q during evaluationShea Levy1-0/+5
Fixes #474
2015-02-04 Sign a subset of the .narinfoEelco Dolstra1-2/+3
We only need to sign the store path, NAR hash and references (the "fingerprint"). Everything else is irrelevant to security. For instance, the compression algorithm or the hash of the compressed NAR don't matter as long as the contents of the uncompressed NAR are correct. (Maybe we should include derivers in the fingerprint, but they're broken and nobody cares about them. Also, it might be nice in the future if .narinfos contained signatures from multiple independent signers. But that's impossible if the deriver is included in the fingerprint, since everybody will tend to have a different deriver for the same store path.) Also renamed the "Signature" field to "Sig" since the format changed in an incompatible way.
2015-02-04 Use libsodium instead of OpenSSL for binary cache signingEelco Dolstra1-13/+12
Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA signatures. Public keys are also much shorter, so they're now specified directly in the nix.conf option ‘binary-cache-public-keys’. The new command ‘nix-store --generate-binary-cache-key’ generates and prints a public and secret key.
2015-01-30 nix-install-package: follow symlinksJaka Hudoklin1-1/+1
2015-01-28 Moves runHook to a later execution positionOliver Dunkl1-1/+1
It moves runHook to a later position in the rcfile. After that we are able to set the PS1 environment-variable for a nix-shell environment e.g.: # turn the color of the prompt to blue shellHook = '' export PS1="\n\[\033[1;34m\][\u@\h:\w]$\[\033[0m\] "; '';
2015-01-15 Shut up "Wide character in print" warning in copy-from-other-stores.plEelco Dolstra1-0/+1
2015-01-15 Set correct user agent for NAR downloads from binary cachesEelco Dolstra1-2/+4
2015-01-08 nix-shell: Add --run flagEelco Dolstra1-2/+7
‘--run’ is like ‘--command’, except that it runs the command in a non-interactive shell. This is important if you do things like: $ nix-shell --command make Hitting Ctrl-C while make is running drops you into the interactive Nix shell, which is probably not what you want. So you can now do $ nix-shell --run make instead.
2015-01-08 nix-shell: Interpret filenames relative to the #!-scriptEelco Dolstra1-0/+7
So you can have a script like: #! /usr/bin/env nix-shell #! nix-shell script.nix -i python import prettytable x = prettytable.PrettyTable(["Foo", "Bar"]) for i in range(1, 10): x.add_row([i, i**2]) print x with a ‘script.nix’ in the same directory: with import <nixpkgs> {}; runCommand "dummy" { buildInputs = [ python pythonPackages.prettytable ]; } "" (Of course, in this particular case, using the ‘-p’ flag is more convenient.)
2015-01-08 Allow nix-shell to be used as a #! interpreterEelco Dolstra1-0/+37
This allows scripts to fetch their own dependencies via nix-shell. For instance, here is a Haskell script that, when executed, pulls in GHC and the HTTP package: #! /usr/bin/env nix-shell #! nix-shell -i runghc -p haskellPackages.ghc haskellPackages.HTTP import Network.HTTP main = do resp <- Network.HTTP.simpleHTTP (getRequest "http://nixos.org/") body <- getResponseBody resp print (take 100 body) Or a Perl script that pulls in Perl and some CPAN packages: #! /usr/bin/env nix-shell #! nix-shell -i perl -p perl perlPackages.HTMLTokeParserSimple perlPackages.LWP use HTML::TokeParser::Simple; my $p = HTML::TokeParser::Simple->new(url => 'http://nixos.org/'); while (my $token = $p->get_tag("a")) { my $href = $token->get_attr("href"); print "$href\n" if $href; } Note that the options to nix-shell must be given on a separate line that starts with the magic string ‘#! nix-shell’. This is because ‘env’ does not allow passing arguments to an interpreter directly.
2015-01-07 nix-shell --command: Remove bogus argument to "exit"Eelco Dolstra1-1/+1
Fixes "exit: Inappropriate: numeric argument required" errors.
2014-12-13 Install cacert before running nix-channelEelco Dolstra1-5/+6
Also, make it more robust against incorrent SSL_CERT_FILE values.
2014-12-10 Include cacert in the binary tarballEelco Dolstra1-2/+5
This prevents having to fetch Nixpkgs or cacert over http.
2014-12-10 Always use https to fetch the Nixpkgs channelEelco Dolstra2-6/+2
2014-12-10 Fix bad commentEelco Dolstra1-1/+1