about summary refs log tree commit diff
path: root/src/libstore/store-api.hh
AgeCommit message (Collapse)AuthorFilesLines
2011-07-20 * Fix a huuuuge security hole in the Nix daemon. It didn't check thatEelco Dolstra1-0/+6
derivations added to the store by clients have "correct" output paths (meaning that the output paths are computed by hashing the derivation according to a certain algorithm). This means that a malicious user could craft a special .drv file to build *any* desired path in the store with any desired contents (so long as the path doesn't already exist). Then the attacker just needs to wait for a victim to come along and install the compromised path. For instance, if Alice (the attacker) knows that the latest Firefox derivation in Nixpkgs produces the path /nix/store/1a5nyfd4ajxbyy97r1fslhgrv70gj8a7-firefox-5.0.1 then (provided this path doesn't already exist) she can craft a .drv file that creates that path (i.e., has it as one of its outputs), add it to the store using "nix-store --add", and build it with "nix-store -r". So the fake .drv could write a Trojan to the Firefox path. Then, if user Bob (the victim) comes along and does $ nix-env -i firefox $ firefox he executes the Trojan injected by Alice. The fix is to have the Nix daemon verify that derivation outputs are correct (in addValidPath()). This required some refactoring to move the hash computation code to libstore.
2010-11-17 * Before a build, show the disk space that the downloaded store pathsEelco Dolstra1-0/+1
will approximately require.
2010-11-16 * Store the size of a store path in the database (to be precise, theEelco Dolstra1-16/+24
size of the NAR serialisation of the path, i.e., `nix-store --dump PATH'). This is useful for Hydra.
2010-11-16 * Sync with the trunk.Eelco Dolstra1-3/+3
2010-10-04 * Make sure that config.h is included before the system headers,Eelco Dolstra1-3/+3
because it defines _FILE_OFFSET_BITS. Without this, on OpenSolaris the system headers define it to be 32, and then the 32-bit stat() ends up being called with a 64-bit "struct stat", or vice versa. This also ensures that we get 64-bit file sizes everywhere. * Remove the redundant call to stat() in parseExprFromFile(). The file cannot be a symlink because that's the exit condition of the loop before.
2010-06-21 * Sync with the trunk.Eelco Dolstra1-2/+0
2010-06-01 * Turn build errors during evaluation into EvalErrors.Eelco Dolstra1-2/+0
2010-05-04 * Allow unprivileged users to do `nix-store --clear-failed-paths' andEelco Dolstra1-0/+7
`nix-store --query-failed-paths'.
2010-03-04 * Remove some unused functions.Eelco Dolstra1-18/+0
2010-02-22 * Get derivation outputs from the database instead of the .drv file,Eelco Dolstra1-0/+3
which requires more I/O.
2010-02-22 * Revert r19650 (implement gc-keep-outputs by looking for derivationsEelco Dolstra1-6/+0
with the same name as the output) and instead use the DerivationOutputs table in the database, which is the correct way to to do things.
2010-02-19 * Implement registerValidPath().Eelco Dolstra1-0/+1
2010-01-25 * Make the garbage collector do the right thing when `gc-keep-outputs'Eelco Dolstra1-0/+6
is enabled by not depending on the deriver.
2009-11-23 * `nix-store --gc --print-roots': also print the path of the actualEelco Dolstra1-5/+0
root symlink, not just its target. E.g.: /nix/var/nix/profiles/system-99-link -> /nix/store/76kwf88657nq7wgk1hx3l1z5q91zb9wd-system
2009-11-20 * Remove the --use-atime / --max-atime garbage collector flags. ManyEelco Dolstra1-16/+0
(Linux) machines no longer maintain the atime because it's too expensive, and on the machines where --use-atime is useful (like the buildfarm), reading the atimes on the entire Nix store takes way too much time to make it practical.
2009-03-26 * Don't use ULLONG_MAX in maxFreed - use 0 to mean "no limit".Eelco Dolstra1-1/+2
18446744073709551615ULL breaks on GCC 3.3.6 (`integer constant is too large for "long" type').
2008-12-03 * Pass HashType values instead of strings.Eelco Dolstra1-3/+3
2008-12-03 * Unify the treatment of sources copied to the store, and recursiveEelco Dolstra1-6/+6
SHA-256 outputs of fixed-output derivations. I.e. they now produce the same store path: $ nix-store --add x /nix/store/j2fq9qxvvxgqymvpszhs773ncci45xsj-x $ nix-store --add-fixed --recursive sha256 x /nix/store/j2fq9qxvvxgqymvpszhs773ncci45xsj-x the latter being the same as the path that a derivation derivation { name = "x"; outputHashAlgo = "sha256"; outputHashMode = "recursive"; outputHash = "..."; ... }; produces. This does change the output path for such fixed-output derivations. Fortunately they are quite rare. The most common use is fetchsvn calls with SHA-256 hashes. (There are a handful of those is Nixpkgs, mostly unstable development packages.) * Documented the computation of store paths (in store-api.cc).
2008-09-17 * GC option `--max-atime' that specifies an upper limit to the lastEelco Dolstra1-0/+4
accessed time of paths that may be deleted. Anything more recently used won't be deleted. The time is specified in time_t, e.g. seconds since 1970-01-01 00:00:00 UTC; use `date +%s' to convert to time_t from the command line. Example: to delete everything that hasn't been used in the last two months: $ nix-store --gc -v --max-atime $(date +%s -d "2 months ago")
2008-09-17 * Garbage collector: added an option `--use-atime' to delete paths inEelco Dolstra1-0/+30
order of ascending last access time. This is useful in conjunction with --max-freed or --max-links to prefer deleting non-recently used garbage, which is good (especially in the build farm) since garbage may become live again. The code could easily be modified to accept other criteria for ordering garbage by changing the comparison operator used by the priority queue in collectGarbage().
2008-08-02 * Make nix-env --dry-run print the paths to be substituted correctlyEelco Dolstra1-5/+14
again. (After the previous substituter mechanism refactoring I didn't update the code that obtains the references of substitutable paths.) This required some refactoring: the substituter programs are now kept running and receive/respond to info requests via stdin/stdout.
2008-06-18 * Garbage collector: option `--max-freed' to stop after at least NEelco Dolstra1-8/+2
bytes have been freed, `--max-links' to stop when the Nix store directory has fewer than N hard links (the latter being important for very large Nix stores on filesystems with a 32000 subdirectories limit).
2008-06-18 * Some refactoring: put the GC options / results in separate structs.Eelco Dolstra1-35/+78
* The garbage collector now also prints the number of blocks freed.
2008-06-09 * Merged the no-bdb branch (-r10900:HEADEelco Dolstra1-1/+10
https://svn.nixos.org/repos/nix/nix/branches/no-bdb).
2008-01-29 * nix-store --dump-db / --load-db to dump/load the Nix DB.Eelco Dolstra1-1/+8
* nix-store --register-validity: option to supply the content hash of each path. * Removed compatibility with Nix <= 0.7 stores.
2007-11-29 * nix-env -e: support uninstalling by path, so that one can sayEelco Dolstra1-0/+10
$ nix-env -e $(which firefox) or $ nix-env -e /nix/store/nywzlygrkfcgz7dfmhm5xixlx1l0m60v-pan-0.132 * nix-env -i: if an argument contains a slash anywhere, treat it as a path and follow it through symlinks into the Nix store. This allows things like $ nix-build -A firefox $ nix-env -i ./result * nix-env -q/-i/-e: don't complain when the `*' selector doesn't match anything. In particular, `nix-env -q \*' doesn't fail anymore on an empty profile.
2007-08-12 * Get rid of the substitutes database table (NIX-47). Instead, if weEelco Dolstra1-33/+22
need any info on substitutable paths, we just call the substituters (such as download-using-manifests.pl) directly. This means that it's no longer necessary for nix-pull to register substitutes or for nix-channel to clear them, which makes those operations much faster (NIX-95). Also, we don't have to worry about keeping nix-pull manifests (in /nix/var/nix/manifests) and the database in sync with each other. The downside is that there is some overhead in calling an external program to get the substitutes info. For instance, "nix-env -qas" takes a bit longer. Abolishing the substitutes table also makes the logic in local-store.cc simpler, as we don't need to store info for invalid paths. On the downside, you cannot do things like "nix-store -qR" on a substitutable but invalid path (but nobody did that anyway). * Never catch interrupts (the Interrupted exception).
2007-06-12 * Support queryDeriver() in multi-user installations.Eelco Dolstra1-0/+4
2007-02-21 * `nix-store -qR' and friends: print the paths sorted topologicallyEelco Dolstra1-0/+5
under the references relation. This is useful for commands that want to copy paths to another Nix store in the right order.
2007-02-21 * `nix-store --import': import an archive created by `nix-storeEelco Dolstra1-0/+4
--export' into the Nix store, and optionally check the cryptographic signatures against /nix/etc/nix/signing-key.pub. (TODO: verify against a set of public keys.)
2007-02-20 * Start of `nix-store --export' operation for serialising a storeEelco Dolstra1-0/+8
path. This is like `nix-store --dump', only it also dumps the meta-information of the store path (references, deriver). Will add a `--sign' flag later to add a cryptographic signature, which we will use for exchanging store paths between build farm machines in a secure manner.
2007-01-29 * computeStorePathForText: take the references into account whenEelco Dolstra1-1/+2
computing the store path (NIX-77). This is an important security property in multi-user Nix stores. Note that this changes the store paths of derivations (since the derivation aterms are added using addTextToStore), but not most outputs (unless they use builtins.toFile).
2006-12-12 * New primop builtins.filterSource, which can be used to filter filesEelco Dolstra1-3/+7
from a source directory. All files for which a predicate function returns true are copied to the store. Typical example is to leave out the .svn directory: stdenv.mkDerivation { ... src = builtins.filterSource (path: baseNameOf (toString path) != ".svn") ./source-dir; # as opposed to # src = ./source-dir; } This is important because the .svn directory influences the hash in a rather unpredictable and variable way.
2006-12-05 * Allow unprivileged users to run the garbage collector and to doEelco Dolstra1-0/+48
`nix-store --delete'. But unprivileged users are not allowed to ignore liveness. * `nix-store --delete --ignore-liveness': ignore the runtime roots as well.
2006-12-05 * The determination of the root set should be made by the privilegedEelco Dolstra1-0/+9
process, so forward the operation. * Spam the user about GC misconfigurations (NIX-71). * findRoots: skip all roots that are unreadable - the warnings with which we spam the user should be enough.
2006-12-04 * Add indirect root registration to the protocol so that unprivilegedEelco Dolstra1-0/+7
processes can register indirect roots. Of course, there is still the problem that the garbage collector can only read the targets of the indirect roots when it's running as root...
2006-12-02 * Move addTempRoot() to the store API, and add another functionEelco Dolstra1-0/+25
syncWithGC() to allow clients to register GC roots without needing write access to the global roots directory or the GC lock.
2006-12-01 * Merge addToStore and addToStoreFixed.Eelco Dolstra1-10/+7
* addToStore now adds unconditionally, it doesn't use readOnlyMode. Read-only operation is up to the caller (who can call computeStorePathForPath).
2006-12-01 * More operations.Eelco Dolstra1-3/+27
* addToStore() and friends: don't do a round-trip to the worker if we're only interested in the path (i.e., in read-only mode).
2006-11-30 * More remote operations.Eelco Dolstra1-2/+5
* Added new operation hasSubstitutes(), which is more efficient than querySubstitutes().size() > 0.
2006-11-30 * Put building in the store API.Eelco Dolstra1-0/+13
2006-11-30 * Refactoring. There is now an abstract interface class StoreAPIEelco Dolstra1-0/+115
containing functions that operate on the Nix store. One implementation is LocalStore, which operates on the Nix store directly. The next step, to enable secure multi-user Nix, is to create a different implementation RemoteStore that talks to a privileged daemon process that uses LocalStore to perform the actual operations.