path: root/src/libstore
Age | Commit message | Author | Files | Lines
2018-01-31 | Indent properly | Eelco Dolstra | 1 | -3/+3
2018-01-26 | Remove signed-binary-caches as the default for require-sigs | Eelco Dolstra | 1 | -4/+1
This was for backward compatibility. However, with security-related configuration settings, it's best not to have any confusion. Issue #495.
2018-01-23 | Fix obscure corner case in name resolution for builtin:fetchurl in sandboxed environments | Dan Peebles | 1 | -0/+17
2018-01-19 | Rewrite builtin derivation environment | Eelco Dolstra | 1 | -1/+6
Also add a test. Fixes #1803. Closes #1805.
2018-01-19 | Don't retry CURLE_URL_MALFORMAT | Eelco Dolstra | 1 | -0/+1
2018-01-16 | Make show-trace a config setting | Eelco Dolstra | 1 | -1/+2
2018-01-16 | Add pure evaluation mode | Eelco Dolstra | 1 | -0/+3
In this mode, the following restrictions apply:

* The builtins currentTime, currentSystem and storePath throw an error.
* $NIX_PATH and -I are ignored.
* fetchGit and fetchMercurial require a revision hash.
* fetchurl and fetchTarball require a sha256 attribute.
* No file system access is allowed outside of the paths returned by fetch{Git,Mercurial,url,Tarball}. Thus 'nix build -f ./foo.nix' is not allowed.

Thus, the evaluation result is completely reproducible from the command line arguments. E.g.

  nix build --pure-eval '(
    let
      nix = fetchGit {
        url = https://github.com/NixOS/nixpkgs.git;
        rev = "9c927de4b179a6dd210dd88d34bda8af4b575680";
      };
      nixpkgs = fetchGit {
        url = https://github.com/NixOS/nixpkgs.git;
        ref = "release-17.09";
        rev = "66b4de79e3841530e6d9c6baf98702aa1f7124e4";
      };
    in (import (nix + "/release.nix") { inherit nix nixpkgs; }).build.x86_64-linux
  )'

The goal is to enable completely reproducible and traceable evaluation. For example, a NixOS configuration could be fully described by a single Git commit hash. 'nixos-rebuild' would do something like

  nix build --pure-eval '(
    (import (fetchGit { url = file:///my-nixos-config; rev = "..."; })).system
  )'

where the Git repository /my-nixos-config would use further fetchGit calls or Git externals to fetch Nixpkgs and whatever other dependencies it has. Either way, the commit hash would uniquely identify the NixOS configuration and allow it to be reproduced.
2018-01-15 | Barf when using a diverted store on macOS | Eelco Dolstra | 1 | -2/+7
Fixes #1792.
2018-01-12 | import, builtins.readFile: Handle diverted stores | Eelco Dolstra | 1 | -2/+8
Fixes #1791
2018-01-09 | nix.conf: builders-use-substitutes | Renzo Carbonara | 1 | -0/+5
Fixes #937
2018-01-04 | Rename "use-substitutes" to "substitute" | Eelco Dolstra | 1 | -1/+1
Commit c2154d4c8422ddc1c201d503bb52edff854af2ad renamed "build-use-substitutes" to "use-substitutes", but that broke "nix-copy-closure --use-substitutes".
2017-12-22 | Check aws-sdk-cpp version | Eelco Dolstra | 1 | -1/+9
2017-12-16 | Fix build on gcc 7 | Eelco Dolstra | 1 | -0/+2
Fixes #1738.
2017-12-14 | Fix build against current aws-sdk-cpp | Eelco Dolstra | 1 | -1/+1
2017-12-12 | Merge pull request #1722 from bhipple/fix-for-older-libcurl | Eelco Dolstra | 1 | -1/+3
Fix for builds with system libcurl < 7.30
2017-12-11 | Mark comparison call operator as const | Will Dietz | 1 | -2/+2
2017-12-09 | Fix for builds with system libcurl < 7.30 | Benjamin Hipple | 1 | -1/+3
CentOS 7.4 and RHEL 7.4 ship with libcurl-devel-7.29.0-42.el7.x86_64; this flag was added in 7.30.0 https://curl.haxx.se/libcurl/c/CURLMOPT_MAX_TOTAL_CONNECTIONS.html
2017-12-07 | Provide random access to cached NARs | Eelco Dolstra | 5 | -104/+198
E.g.

  $ time nix cat-store --store https://cache.nixos.org?local-nar-cache=/tmp/nars \
    /nix/store/b0w2hafndl09h64fhb86kw6bmhbmnpm1-blender-2.79/share/icons/hicolor/scalable/apps/blender.svg > /dev/null
  real 0m4.139s

  $ time nix cat-store --store https://cache.nixos.org?local-nar-cache=/tmp/nars \
    /nix/store/b0w2hafndl09h64fhb86kw6bmhbmnpm1-blender-2.79/share/icons/hicolor/scalable/apps/blender.svg > /dev/null
  real 0m0.024s

(Before, the second call took ~0.220s.)

This will use a NAR listing in /tmp/nars/b0w2hafndl09h64fhb86kw6bmhbmnpm1.ls containing all metadata, including the offsets of regular files inside the NAR. Thus, we don't need to read the entire NAR. (We do read the entire listing, but that's generally pretty small. We could use a SQLite DB by borrowing some more code from nixos-channel-scripts/file-cache.hh.)

This is primarily useful when Hydra is serving files from an S3 binary cache, in particular when you have giant NARs. E.g. we had some 12 GiB NARs, so accessing individual files was pretty slow.
2017-12-07 | nix ls-{nar,store}: Return offset of files in the NAR if known | Eelco Dolstra | 2 | -7/+10
E.g.

  $ nix ls-store --json --recursive --store https://cache.nixos.org /nix/store/b0w2hafndl09h64fhb86kw6bmhbmnpm1-blender-2.79 \
    | jq .entries.bin.entries.blender.narOffset
  400
2017-12-06 | ssh-store: fix length when writing nar | Daiderd Jordan | 1 | -3/+3
This fixes nix copy and other things that use copyStorePath.
2017-11-28 | Show log tail when a remote build fails | Eelco Dolstra | 1 | -2/+2
2017-11-24 | nix path-info: Show URL of NARs in binary caches | Eelco Dolstra | 1 | -0/+2
2017-11-21 | Propagate flags like --sandbox to the daemon properly | Eelco Dolstra | 1 | -3/+3
2017-11-20 | signed-binary-caches -> require-sigs | Eelco Dolstra | 2 | -1/+6
Unlike signed-binary-caches (which could only be '*' or ''), require-sigs is a proper Boolean option. The default is true.
2017-11-20 | binary-cache-public-keys -> trusted-public-keys | Eelco Dolstra | 2 | -4/+5
The name had become a misnomer since it's not only for substitution from binary caches, but when adding/copying any (non-content-addressed) path to a store.
2017-11-20 | nix copy: Abbreviate "daemon" | Eelco Dolstra | 1 | -2/+2
2017-11-15 | Add a "profile" option to S3BinaryCacheStore | Eelco Dolstra | 3 | -5/+14
This allows specifying the AWS configuration profile to use. E.g.

  nix copy --from s3://my-cache?profile=aws-dev-account /nix/store/cf3isrlqavvd5w7rpky1fa8j9lcnlggm-...

2017-11-14 | nix sign-paths: Support binary caches | Eelco Dolstra | 2 | -15/+37
2017-11-14 | nix ls-{nar,store}: Don't abort on missing files | Eelco Dolstra | 1 | -1/+1
2017-11-14 | nix ls-{nar,store} --json: Respect -R | Eelco Dolstra | 3 | -5/+12
2017-11-14 | nix ls-{store,nar}: Add --json flag | Eelco Dolstra | 3 | -34/+38
2017-11-08 | Remove extraneous comment | Eelco Dolstra | 1 | -3/+0
2017-11-08 | Merge pull request #1650 from copumpkin/darwin-sandbox-unix-socket | Eelco Dolstra | 1 | -1/+8
Always allow builds to use unix domain sockets in Darwin sandbox
2017-11-06 | Merge pull request #1632 from AmineChikhaoui/sigint-copy | Eelco Dolstra | 1 | -1/+9
run query paths in parallel during nix copy and handle SIGINT
2017-11-03 | Merge pull request #1651 from LnL7/darwin-sandbox-getpwuid | Eelco Dolstra | 1 | -0/+3
Allow getpwuid in the darwin sandbox
2017-11-03 | Allow getpwuid in the darwin sandbox. | Daiderd Jordan | 1 | -0/+3
2017-11-03 | Don't freak out if we get a 403 from S3 | Daniel Peebles | 1 | -2/+2
As far as we're concerned, not being able to access a file just means the file is missing. Plus, AWS explicitly goes out of its way to return a 403 if the file is missing and the requester doesn't have permission to list the bucket. Also getting rid of an old hack that Eelco said was only relevant to an older AWS SDK.
2017-11-01 | Add fetchMercurial primop | Eelco Dolstra | 1 | -1/+1
E.g.

  $ nix eval '(fetchMercurial https://www.mercurial-scm.org/repo/hello)'
  { branch = "default"; outPath = "/nix/store/alvb9y1kfz42bjishqmyy3pphnrh1pfa-source"; rev = "82e55d328c8ca4ee16520036c0aaace03a5beb65"; revCount = 1; shortRev = "82e55d328c8c"; }

  $ nix eval '(fetchMercurial { url = https://www.mercurial-scm.org/repo/hello; rev = "0a04b987be5ae354b710cefeba0e2d9de7ad41a9"; })'
  { branch = "default"; outPath = "/nix/store/alvb9y1kfz42bjishqmyy3pphnrh1pfa-source"; rev = "0a04b987be5ae354b710cefeba0e2d9de7ad41a9"; revCount = 0; shortRev = "0a04b987be5a"; }

  $ nix eval '(fetchMercurial /tmp/unclean-hg-tree)'
  { branch = "default"; outPath = "/nix/store/cm750cdw1x8wfpm3jq7mz09r30l9r024-source"; rev = "0000000000000000000000000000000000000000"; revCount = 0; shortRev = "000000000000"; }
2017-10-31 | Always allow builds to use unix domain sockets in Darwin sandbox | Dan Peebles | 1 | -1/+8
2017-10-30 | Merge pull request #1646 from copumpkin/optional-sandbox-local-network | Eelco Dolstra | 2 | -5/+33
Allow optional localhost network access to sandboxed derivations
2017-10-30 | Allow optional localhost network access to sandboxed derivations | Dan Peebles | 2 | -5/+33
This will allow bind and connect to 127.0.0.1, which can reduce purity/security (if you're running a vulnerable service on localhost) but is also needed for a ton of test suites, so I'm leaving it turned off by default but allowing certain derivations to turn it on as needed. It also allows DNS resolution of arbitrary hostnames but I haven't found a way to avoid that. In principle I'd just want to allow resolving localhost but that doesn't seem to be possible. I don't think this belongs under `build-use-sandbox = relaxed` because we want it on Hydra and I don't think it's the end of the world.
2017-10-30 | Add option allowed-uris | Eelco Dolstra | 1 | -1/+3
This allows network access in restricted eval mode.
2017-10-30 | enable-http2 -> http2 | Eelco Dolstra | 1 | -1/+1
2017-10-30 | fetchurl/fetchTarball: Respect name changes | Eelco Dolstra | 1 | -1/+3
The computation of urlHash didn't take the name into account, so subsequent fetchurl calls with the same URL but a different name would resolve to the same cached store path.
2017-10-25 | respect SIGINT in nix copy during the paths queries #1629 | AmineChikhaoui | 1 | -0/+1
2017-10-25 | Merge branch 'master' of github.com:NixOS/nix into sigint-copy | AmineChikhaoui | 1 | -2/+2
2017-10-25 | Fix building on clang | Eelco Dolstra | 1 | -2/+2
https://hydra.nixos.org/build/62945761
2017-10-25 | attempt to fix #1630: make the queries of store paths run in parallel using a thread pool | AmineChikhaoui | 1 | -1/+8
2017-10-25 | exportReferencesGraph: Allow exporting a list of store paths | Eelco Dolstra | 1 | -14/+22
2017-10-25 | Fix exportReferencesGraph in the structured attrs case | Eelco Dolstra | 1 | -69/+68