Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
findRootsNoTemp: fixes comment about findRuntimeRoots
|
|
To determine which seccomp filters to install, we were incorrectly
using settings.thisSystem, which doesn't denote the actual system when
--system is used.
Fixes #2791.
|
|
The NIX_ROOT_FINDER environment variable was removed in
3c46fe62b833a4e66845665edc99555022d3d98c when porting from perl to C.
|
|
The sandbox on darwin, and possibly other future platforms, doesn't have
enough isolation to redirect outputs without hash rewriting.
|
|
Fixes #2753.
|
|
|
|
|
|
The default is 1000ms, but we can hit it a lot of we don't have direct
link to AWS (e.g. using VPN).
|
|
|
|
|
|
This is less brittle than filtering paths after the fact in
nix-daemon.
|
|
Scanning of /proc/<pid>/{exe,cwd} was broken because '{memory:' was
prepended twice. Also, get rid of the whole '{memory:...}' thing
because it's unnecessary, we can just list the file in /proc directly.
|
|
|
|
This new structure makes more sense as there may be many sources rooting
the same store path. Many profiles can reference the same path but this
is even more true with /proc/<pid>/maps where distinct pids can and
often do map the same store path.
This implementation is also more efficient as the `Roots` map contains
only one entry per rooted store path.
|
|
|
|
|
|
|
|
|
|
|
|
which splits a URL into localtor and parameter parts
|
|
This reverts commit a0ef21262f4d5652bfb65cfacaec01d89c475a93. This
doesn't work in 'nix run' and nix-shell because setns() fails in
multithreaded programs, and Boehm GC mark threads are uncancellable.
Fixes #2646.
|
|
|
|
|
|
Use the same output ordering and format everywhere.
This is such a common issue that we trade the single-line error message for
more readability.
Old message:
```
fixed-output derivation produced path '/nix/store/d4nw9x2sy9q3r32f3g5l5h1k833c01vq-example.com' with sha256 hash '08y4734bm2zahw75b16bcmcg587vvyvh0n11gwiyir70divwp1rm' instead of the expected hash '1xzwnipjd54wl8g93vpw6hxnpmdabq0wqywriiwmh7x8k0lvpq5m'
```
New message:
```
hash mismatch in fixed-output derivation '/nix/store/d4nw9x2sy9q3r32f3g5l5h1k833c01vq-example.com':
wanted: sha256:1xzwnipjd54wl8g93vpw6hxnpmdabq0wqywriiwmh7x8k0lvpq5m
got: sha256:08y4734bm2zahw75b16bcmcg587vvyvh0n11gwiyir70divwp1rm
```
|
|
https://hydra.nixos.org/build/85827920
|
|
Without this information the content addressable state and hashes are
lost after the first request, this causes signatures to be required for
everything even tho the path could be verified without signing.
|
|
This enables using for http for S3 request for debugging or
implementations that don't have https configured. This is not a problem
for binary caches since they should not contain sensitive information.
Both package signatures and AWS auth already protect against tampering.
|
|
download: if there are active requests, never sleep for 10s
|
|
|
|
This ensures that they can't write to /nix/store. Fixes #2535.
|
|
Closes #179.
|
|
Since we're not using multi-part uploads at the moment, we can drop
this patch.
|
|
config: use all of XDG_CONFIG_DIRS
|
|
Previously, config would only be read from XDG_CONFIG_HOME. This change
allows reading config from additional directories, which enables e.g.
per-project binary caches or chroot stores with the help of direnv.
|
|
|
|
The use of TransferManager has several issues, including that it
doesn't allow setting a Content-Encoding without a patch, and it
doesn't handle exceptions in worker threads (causing termination on
memory allocation failure).
Fixes #2493.
|
|
Since the callback is global we can't refer to 'path' in it. This
could cause a segfault or printing of arbitrary data.
|
|
This commit partially reverts 48662d151bdf4a38670897beacea9d1bd750376a. When
copying from an older store (in my case a store running Nix 1.11.7), nix would
throw errors about there being no hash. This is fixed by recalculating the hash.
|
|
stdenv relies on this. So ignore self-references (but only in legacy non-structured attributes mode).
|
|
|
|
|
|
Promote verbose-build and log-lines
|
|
This allows commands like
nix build --log-lines 30 nixpkgs.hello
in order to obtain more information in case of a failure.
|
|
In structured-attributes derivations, you can now specify per-output
checks such as:
outputChecks."out" = {
# The closure of 'out' must not be larger than 256 MiB.
maxClosureSize = 256 * 1024 * 1024;
# It must not refer to C compiler or to the 'dev' output.
disallowedRequisites = [ stdenv.cc "dev" ];
};
outputChecks."dev" = {
# The 'dev' output must not be larger than 128 KiB.
maxSize = 128 * 1024;
};
Also fixed a bug in allowedRequisites that caused it to ignore
self-references.
|
|
$ nix-store -qR /nix/store/fnord
nix-store: src/libstore/store-api.cc:80: std::__cxx11::string nix::storePathToHash(const Path&): Assertion `base.size() >= storePathHashLen' failed.
Aborted
|
|
Fixes #2075.
|
|
Since its superclass RemoteStore::Connection contains 'to' and 'from'
fields that refer to the file descriptor maintained in the subclass,
it was possible for the flush() call in Connection::~Connection() to
write to a closed file descriptor (or worse, a file descriptor now
referencing another file). So make sure that the file descriptor
survives 'to' and 'from'.
|
|
For example, this prevents a "kvm" build on machines that don't have
KVM.
Fixes #2012.
|
|
This is primarily because Derivation::{can,will}BuildLocally() depends
on attributes like preferLocalBuild and requiredSystemFeatures, but it
can't handle them properly because it doesn't have access to the
structured attributes.
|