path: root/src/libstore/local-store.cc
Age | Commit message | Author | Files | Lines
2011-07-20 | * Fix a huuuuge security hole in the Nix daemon. It didn't check that derivations added to the store by clients have "correct" output paths (meaning that the output paths are computed by hashing the derivation according to a certain algorithm). This means that a malicious user could craft a special .drv file to build *any* desired path in the store with any desired contents (so long as the path doesn't already exist). Then the attacker just needs to wait for a victim to come along and install the compromised path. For instance, if Alice (the attacker) knows that the latest Firefox derivation in Nixpkgs produces the path /nix/store/1a5nyfd4ajxbyy97r1fslhgrv70gj8a7-firefox-5.0.1 then (provided this path doesn't already exist) she can craft a .drv file that creates that path (i.e., has it as one of its outputs), add it to the store using "nix-store --add", and build it with "nix-store -r". So the fake .drv could write a Trojan to the Firefox path. Then, if user Bob (the victim) comes along and does $ nix-env -i firefox $ firefox he executes the Trojan injected by Alice. The fix is to have the Nix daemon verify that derivation outputs are correct (in addValidPath()). This required some refactoring to move the hash computation code to libstore. | Eelco Dolstra | 1 | -0/+51
2010-12-17 | * Do a short sleep after SQLITE_BUSY. | Eelco Dolstra | 1 | -0/+11
2010-12-14 | * I forgot to catch SQLiteBusy in registerValidPaths(). So registerValidPaths() now handles busy errors and registerValidPath() is simply a wrapper around it. | Eelco Dolstra | 1 | -38/+31
2010-12-13 | * Create /nix/var/nix/db if it's missing. | Eelco Dolstra | 1 | -0/+1
2010-12-08 | * Ignore the result of sqlite3_reset(). | Eelco Dolstra | 1 | -3/+4
2010-12-06 | * `nix-store --verify --check-contents': don't hold the global GC lock while checking the contents, since this operation can take a very long time to finish. Also, fill in missing narSize fields in the DB while doing this. | Eelco Dolstra | 1 | -11/+46
2010-12-05 | * Retry a transaction if SQLite returns SQLITE_BUSY. This can happen even with a very long busy timeout, because SQLITE_BUSY is also returned to resolve deadlocks. This should get rid of random "database is locked" errors. This is kind of hard to test though. * Fix a horrible bug in deleteFromStore(): deletePathWrapped() should be called after committing the transaction, not before, because the commit might not succeed. | Eelco Dolstra | 1 | -61/+83
2010-11-17 | * Before a build, show the disk space that the downloaded store paths will approximately require. | Eelco Dolstra | 1 | -0/+1
2010-11-17 | * Add an operation `nix-store -q --size'. | Eelco Dolstra | 1 | -2/+12
2010-11-16 | * Store the size of a store path in the database (to be precise, the size of the NAR serialisation of the path, i.e., `nix-store --dump PATH'). This is useful for Hydra. | Eelco Dolstra | 1 | -26/+46
2010-10-14 | * Wrap deleteFromStore() in a transaction. Otherwise there might be a race with other processes that add new referrers to a path, resulting in the garbage collector crashing with "foreign key constraint failed". (Nix/4) * Make --gc --print-dead etc. interruptible. | Eelco Dolstra | 1 | -5/+8
2010-09-01 | * Only do "pragma journal_mode = ..." if the current journal mode differs from the desired mode. There is an open SQLite ticket `Executing "PRAGMA journal_mode" may delete journal file while it is in use.' | Eelco Dolstra | 1 | -1/+10
2010-08-31 | `nix-store --verify' improvements: * If a path has disappeared, check its referrers first, and don't try to invalidate paths that have valid referrers. Otherwise we get a foreign key constraint violation. * Read the whole Nix store directory instead of statting each valid path, which is slower. * Acquire the global GC lock. | Eelco Dolstra | 1 | -16/+53
2010-08-24 | * Don't complain if the stored hash of a path is zero (unknown). | Eelco Dolstra | 1 | -2/+3
2010-08-04 | * Use SQLite 3.7.0's write-ahead logging (WAL mode). This is a lot faster than the old mode when fsyncs are enabled, because it only performs an fsync() when doing a checkpoint, rather than at every commit. Some timings for doing a "nix-instantiate /etc/nixos/nixos -A system" after modifying the stdenv setup script: 42.5s - SQLite 3.6.23 with truncate mode and fsync; 3.4s - SQLite 3.6.23 with truncate mode and no fsync; 32.1s - SQLite 3.7.0 with truncate mode and fsync; 16.8s - SQLite 3.7.0 with WAL mode and fsync, auto-checkpoint every 1000 pages; 8.3s - SQLite 3.7.0 with WAL mode and fsync, auto-checkpoint every 8192 pages; 1.7s - SQLite 3.7.0 with WAL mode and no fsync. The default is now to use WAL mode with fsyncs. Because WAL doesn't work on remote filesystems such as NFS (as it uses shared memory), truncate mode can be re-enabled by setting the "use-sqlite-wal" option to false. | Eelco Dolstra | 1 | -2/+12
2010-06-21 | * Okay, putting a lock on the temporary directory used by importPath() doesn't work because the garbage collector doesn't actually look at locks. So r22253 was stupid. Use addTempRoot() instead. Also, locking the temporary directory in exportPath() was silly because it isn't even in the store. | Eelco Dolstra | 1 | -6/+18
2010-06-21 | * Sync with the trunk. | Eelco Dolstra | 1 | -0/+4
2010-06-14 | * In importPath() and exportPath(), lock the temporary directory to prevent it from being deleted by the garbage collector. | Eelco Dolstra | 1 | -0/+4
2010-06-08 | * Replacing ValidPath rows doesn't work because it causes a constraint violation of the Refs table. So don't do that. | Eelco Dolstra | 1 | -2/+5
2010-05-12 | * Sync with the trunk. | Eelco Dolstra | 1 | -4/+1
2010-04-26 | * Added a command `nix-store --clear-failed-paths <PATHS>' to clear the "failed" status of the given store paths. The special value `*' clears all failed paths. | Eelco Dolstra | 1 | -0/+17
2010-04-26 | * Add a command `nix-store --query-failed-paths' to list the cached failed paths (when using the `build-cache-failure' option). | Eelco Dolstra | 1 | -0/+21
2010-04-19 | * Don't use the ATerm library for parsing/printing .drv files. | Eelco Dolstra | 1 | -2/+0
2010-03-10 | * Remove a debug statement. | Eelco Dolstra | 1 | -1/+0
2010-03-09 | * In `nix-store --export', abort if the contents of a path has changed. This prevents corrupt paths from spreading to other machines. Note that checking the hash is cheap because we're hashing anyway (because of the --sign feature). | Eelco Dolstra | 1 | -6/+17
2010-03-08 | * Increase the sqlite timeout. | Eelco Dolstra | 1 | -1/+1
2010-03-02 | * checkInterrupt() shouldn't be called from a destructor. | Eelco Dolstra | 1 | -1/+1
2010-02-24 | * Support read-only access to the database. | Eelco Dolstra | 1 | -1/+5
2010-02-24 | * Refactor the upgrade / database initialisation logic a bit. | Eelco Dolstra | 1 | -56/+61
2010-02-24 | * Don't use fdatasync since it doesn't work on Snow Leopard. * Don't refer to config.h in util.hh, because config.h is not installed (http://hydra.nixos.org/build/303053). | Eelco Dolstra | 1 | -2/+2
2010-02-24 | * A function to query just the database id of a valid path. | Eelco Dolstra | 1 | -16/+20
2010-02-24 | * Use `truncate' journal mode, which should be a bit faster. | Eelco Dolstra | 1 | -0/+4
2010-02-24 | * Disable fsync() in SQLite if the fsync-metadata option is set to false. * Change the default for `fsync-metadata' to true. * Disable `fsync-metadata' in `make check'. | Eelco Dolstra | 1 | -5/+7
2010-02-24 | * Do registerValidPaths() in one transaction, which is much faster. E.g. it cuts the runtime of the referrers test from 50s to 23s. | Eelco Dolstra | 1 | -29/+9
2010-02-24 | * Use normal (rather than full) synchronous mode, which I gather from the description at http://www.sqlite.org/atomiccommit.html should be safe enough. | Eelco Dolstra | 1 | -0/+4
2010-02-22 | (no commit message) | Eelco Dolstra | 1 | -4/+0
2010-02-22 | * The database needs a trigger to get rid of self-references to prevent a foreign key constraint violation on the Refs table when deleting a path. | Eelco Dolstra | 1 | -2/+10
2010-02-22 | * Get derivation outputs from the database instead of the .drv file, which requires more I/O. | Eelco Dolstra | 1 | -0/+24
2010-02-22 | * Revert r19650 (implement gc-keep-outputs by looking for derivations with the same name as the output) and instead use the DerivationOutputs table in the database, which is the correct way to do things. | Eelco Dolstra | 1 | -0/+24
2010-02-22 | * Put the derivation outputs in the database. This is useful for the garbage collector. | Eelco Dolstra | 1 | -2/+24
2010-02-19 | * Foreign key support in SQLite is not a persistent setting, so enable it at startup. * Implement negative caching. Now `make check' passes. | Eelco Dolstra | 1 | -2/+19
2010-02-19 | * Implement more stuff. | Eelco Dolstra | 1 | -52/+45
2010-02-19 | * Implement registerValidPath(). | Eelco Dolstra | 1 | -111/+90
2010-02-18 | * Implemented queryValidPaths() and verifyStore(). | Eelco Dolstra | 1 | -117/+34
2010-02-18 | * Implemented queryReferrers(). | Eelco Dolstra | 1 | -30/+18
2010-02-18 | * Implement queryPathInfo(). | Eelco Dolstra | 1 | -49/+46
2010-02-18 | * Implement isValidPath(). | Eelco Dolstra | 1 | -149/+95
2010-02-18 | * Automatically abort transactions if they go out of scope without committing. | Eelco Dolstra | 1 | -6/+37
2010-02-18 | * Some wrapper objects to ensure that SQLite objects are properly destroyed. | Eelco Dolstra | 1 | -45/+73
2010-02-18 | * Add the deriver to the ValidPaths table. In principle we could now store all the derivers of a path efficiently. But that opens a big can of worms with respect to garbage collector semantics. | Eelco Dolstra | 1 | -12/+19