Commit Graph

18171 Commits

Author SHA1 Message Date
Jörg Thalheim
0e9b04a66e fix env-vars being written to /tmp
This overall seems like insecure tmp file handling to me, because other
users could replace files in /tmp with a symlink and make the nix-shell
override other files.

fixes https://github.com/NixOS/nix/issues/11470

(cherry picked from commit 2105574702)
2024-10-22 12:13:47 +00:00
Eelco Dolstra
411ec33db3
Merge pull request #11692 from NixOS/mergify/bp/2.24-maintenance/pr-11690
Handle tarballs where directory entries are not contiguous (backport #11690)
2024-10-14 16:01:43 +02:00
Eelco Dolstra
31df105f45
Merge pull request #11691 from NixOS/mergify/bp/2.24-maintenance/pr-11677
builtins.fetchurl: Fix segfault on s3:// URLs (backport #11677)
2024-10-14 15:23:49 +02:00
Eelco Dolstra
57ace600af Add a test
(cherry picked from commit a7b9877da9)
2024-10-14 12:51:03 +00:00
Eelco Dolstra
9da1300617 Handle tarballs where directory entries are not contiguous
I.e. when not all entries underneath a directory X follow each other,
but there is some entry Y that isn't a child of X in between.

Fixes #11656.

(cherry picked from commit 4012954b59)
2024-10-14 12:51:03 +00:00
Eelco Dolstra
1294442c6c Add assert
(cherry picked from commit d2f4d07619)
2024-10-14 14:44:28 +02:00
Eelco Dolstra
339236d32e Make S3 downloads slightly more interruptible
(cherry picked from commit d38f62f64d)
2024-10-14 14:44:28 +02:00
Eelco Dolstra
4912a9e7fd builtins.fetchurl: Fix segfault on s3:// URLs
Also, add an activity to show that we're downloading an s3:// file.

Fixes #11674.

(cherry picked from commit 0500fba56a)
2024-10-14 14:44:28 +02:00
Eelco Dolstra
d80bf54e3b Add a VM test for S3BinaryCacheStore
Fixes #11238.

(cherry picked from commit 2950f9e18a)
2024-10-14 14:44:28 +02:00
Robert Hensing
f1dc3b7d55
Merge pull request #11649 from NixOS/mergify/bp/2.24-maintenance/pr-11610
fix passing CA files into builtins:fetchurl sandbox (backport #11610)
2024-10-13 12:43:33 +02:00
Jörg Thalheim
5f1b132187 tests/nixos/fetchurl: drop unused variables
(cherry picked from commit 410853ddcf)
2024-10-07 12:45:04 +00:00
Puck Meerburg
742eb0f815 fix passing CA files into builtins:fetchurl sandbox
This patch has been manually adapted from
14dc84ed03

Tested with:

$ NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }'
Finished at 16:57:50 after 1s
warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
this derivation will be built:
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
  /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com> building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com> error:
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com>        … writing file '/nix/store/0zynn4n8yx59bczy1mgh1lq2rnprvvrc-google.com'
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com>
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com>        error: unable to download 'https://google.com': Problem with the SSL CA cert (path? access rights?) (77) error setting certificate file: /nix/store/nlgbippbbgn38hynjkp1ghiybcq1dqhx-nss-cacert-3.101.1/etc/ssl/certs/ca-bundle.crt
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
error: builder for '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv' failed with exit code 1

Now returns:

nix-env % NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }'
Finished at 17:05:48 after 0s
warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
this derivation will be built:
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
  /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com> building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
error: hash mismatch in fixed-output derivation '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv':
         specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

(cherry picked from commit c1ecf0bee9)
2024-10-07 12:45:03 +00:00
Robert Hensing
13e200df45
Merge pull request #11601 from Mic92/git-cache-backport
[2.24] create git caches atomically
2024-09-30 13:11:22 +02:00
Eelco Dolstra
a1d841bf2c Bump version
2024-09-28 00:05:03 +02:00
Eelco Dolstra
048cfe51c9
Merge pull request #11604 from NixOS/mergify/bp/2.24-maintenance/pr-11600
HttpBinaryCacheStore::getFile(): Fix uncaught exception (backport #11600)
2024-09-27 13:26:21 +02:00
Eelco Dolstra
15a2b49115 HttpBinaryCacheStore::getFile(): Fix uncaught exception
This method is marked as `noexcept`, but `enqueueFileTransfer()` can
throw `Interrupted` if the user has hit Ctrl-C or if the `ThreadPool`
that the thread is a part of is shutting down.

(cherry picked from commit 4566854981)
2024-09-27 10:38:03 +00:00
Jörg Thalheim
34fd00accc create git caches atomically
When working on speeding up the CI,
I triggered a race condition in the creation of the tarball cache.
This code now instead will ensure that half-initialized repositories
are no longer visible to any other nix process.

This is the error message that I got before:

error: opening Git repository '"/Users/runner/.cache/nix/tarball-cache"': could not find repository at '/Users/runner/.cache/nix/tarball-cache'
(cherry picked from commit 12d5b2cfa1)
2024-09-27 10:06:58 +02:00
Eelco Dolstra
b23812a59c Bump version
2024-09-26 03:25:40 +02:00
Eelco Dolstra
618a0cc987
Merge pull request #11592 from NixOS/mergify/bp/2.24-maintenance/pr-11585
builtin:fetchurl: Enable TLS verification (backport #11585)
2024-09-26 01:04:39 +02:00
Eelco Dolstra
ba81598017 Resolve conflict
2024-09-26 00:17:03 +02:00
Eelco Dolstra
e87be60055 Typo
(cherry picked from commit ef8987955b)
2024-09-26 00:16:17 +02:00
Eelco Dolstra
345a264a39 Add release note
(cherry picked from commit 7b39cd631e)
2024-09-25 21:55:36 +00:00
Eelco Dolstra
ee6a5faf4b Add a test for builtin:fetchurl cert verification
(cherry picked from commit f2f47fa725)

# Conflicts:
#	tests/nixos/default.nix
2024-09-25 21:55:36 +00:00
Eelco Dolstra
d4824c8ff7 builtin:fetchurl: Enable TLS verification
This is better for privacy and to avoid leaking netrc credentials in a
MITM attack, but also the assumption that we check the hash no longer
holds in some cases (in particular for impure derivations).

Partially reverts 5db358d4d7.

(cherry picked from commit c04bc17a5a)
2024-09-25 21:55:36 +00:00
Eelco Dolstra
b4fcd27590
Merge pull request #11578 from Mic92/key-backport
[2.24-maintenance] Ensure error messages don't leak private key
2024-09-24 13:45:43 +02:00
John Ericson
082f6bb35d Ensure error messages don't leak private key
Since #8766, invalid base64 is rendered in errors, but we don't actually
want to show this in the case of an invalid private key.

Co-Authored-By: Eelco Dolstra <edolstra@gmail.com>
(cherry picked from commit 2b6b03d8df)
2024-09-24 06:39:03 +02:00
John Ericson
1e03ea386b Revert "base64Decode: clearer error message when an invalid character is detected"
We have a safer way of doing this.

This reverts commit dc3ccf02bf.

(cherry picked from commit d0c351bf43)
2024-09-24 06:31:50 +02:00
John Ericson
b523e4de34
Merge pull request #11571 from NixOS/mergify/bp/2.24-maintenance/pr-11390
Don't refer to public keys as secret keys in error (backport #11390)
2024-09-23 18:50:03 -04:00
Alyssa Ross
563dedcf64 Don't refer to public keys as secret keys in error
This constructor is used for public keys as well.

(cherry picked from commit 9cc550d652)
2024-09-23 22:00:10 +00:00
Eelco Dolstra
a7fdef6858 Bump version
2024-09-20 01:19:15 +02:00
Eelco Dolstra
b5154deba3
Merge pull request #11553 from NixOS/mergify/bp/2.24-maintenance/pr-11548
Fix missing GC root in zipAttrsWith (backport #11548)
2024-09-19 22:09:56 +02:00
Eelco Dolstra
ecd83dc155 Use HAVE_BOEHMGC
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
(cherry picked from commit 4449b0da74)
2024-09-19 19:04:17 +00:00
Eelco Dolstra
5b5e1920eb Fix missing GC root in zipAttrsWith
My SNAFU was that I assumed that all the `Value *`s we put in
`attrsSeen` are already reachable (which they are), but I forgot about
the `elems` pointer in `ListBuilder`.

Fixes #11547.

(cherry picked from commit 0c2fdd2f3c)
2024-09-19 19:04:17 +00:00
Valentin Gagarin
fc1d6b2f03
Merge pull request #11521 from NixOS/mergify/bp/2.24-maintenance/pr-8766
base64Decode: clearer error message when an invalid character is detected (backport #8766)
2024-09-19 11:29:21 +02:00
Brian McGee
9941f620c4 base64Decode: clearer error message when an invalid character is detected
Output the offending string in its entirety to provide context.

Closes #8479

(cherry picked from commit dc3ccf02bf)
2024-09-17 14:03:19 +00:00
Valentin Gagarin
5b2a8c223e
Merge pull request #11497 from Mic92/mergify/bp/2.24-maintenance/pr-11378
2024-09-17 07:09:32 +02:00
mergify[bot]
1b076b4f84
doc: add admonitions for macOS 15 Sequoia update (#11487) (#11509)
The impending release of macOS 15 Sequoia will break many existing nix
installs on macOS, which may lead to an increased number of people who
are looking to try to reinstall Nix without noticing the open/pinned
issue (#10892) that explains the problem and outlines how to migrate
existing installs.

These admonitions are a short-term measure until we are over the hump
and support volumes dwindle.

(cherry picked from commit 48477d4a3e)

Co-authored-by: Travis A. Everett <travis.a.everett@gmail.com>
2024-09-16 16:03:05 +02:00
Robert Hensing
d9ef3dd012
Merge pull request #11484 from NixOS/mergify/bp/2.24-maintenance/pr-11473
Fix making the build directory kept by `keep-failed` readable (backport #11473)
2024-09-16 12:46:23 +02:00
Robert Hensing
f9714bac34
Merge pull request #11456 from NixOS/mergify/bp/2.24-maintenance/pr-11321
replace backport github action with mergify (backport #11321)
2024-09-16 12:41:14 +02:00
Jörg Thalheim
684a690480 update filesystem-errors changelog to 2.24 release
2024-09-13 14:20:34 +02:00
John Ericson
4354d90384 tweak unpack channel built-in, std::filesystem::path for tarball
(cherry picked from commit 193dc49097)
2024-09-13 14:11:36 +02:00
Jörg Thalheim
60001b1936 add release notes for filesystem fixes
Update doc/manual/rl-next/filesystem-errors.md

Co-authored-by: John Ericson <git@JohnEricson.me>
(cherry picked from commit 04ce0e648a)
2024-09-13 14:11:36 +02:00
Jörg Thalheim
c84fc0120f builtins.unpackChannel: wrap filesystem errors and sanitize channelName
Otherwise these errors are not caught correctly.

(cherry picked from commit 70c52d72f4)
2024-09-13 14:11:36 +02:00
Jörg Thalheim
cd97688bce builtins.readDir: fix nix error trace on filesystem errors
Before:

nix-env % ./src/nix/nix eval --impure --expr 'let f = builtins.readDir "/nix/store/hs3yxdq9knimwdm51gvbs4dvncz46f9d-hello-2.12.1/foo"; in f' --show-trace
error: filesystem error: directory iterator cannot open directory: No such file or directory [/nix/store/hs3yxdq9knimwdm51gvbs4dvncz46f9d-hello-2.12.1/foo]

After:

error:
       … while calling the 'readDir' builtin
         at «string»:1:9:
            1| let f = builtins.readDir "/nix/store/hs3yxdq9knimwdm51gvbs4dvncz46f9d-hello-2.12.1/foo"; in f
             |         ^

       error: reading directory '/nix/store/hs3yxdq9knimwdm51gvbs4dvncz46f9d-hello-2.12.1/foo': No such file or directory

(cherry picked from commit 22ba4dc78d)
2024-09-13 11:56:41 +00:00
Eelco Dolstra
07909de6ed
Merge pull request #11493 from NixOS/mergify/bp/2.24-maintenance/pr-11423
Git fetcher: Ignore .gitmodules entries that are not submodules (backport #11423)
2024-09-12 20:30:45 +02:00
Eelco Dolstra
751907dc8a Git fetcher: Ignore .gitmodules entries that are not submodules
Fixes #10739.

(cherry picked from commit 9d24080090)
2024-09-12 16:16:36 +00:00
Eelco Dolstra
d9dd6c62d6
Merge pull request #11486 from NixOS/mergify/bp/2.24-maintenance/pr-11466
Git fetcher: Don't update mtime of ref file if fetching by rev (backport #11466)
2024-09-11 19:59:10 +02:00
Eelco Dolstra
97c5ac5752 Git fetcher: Don't update mtime of ref file if fetching by rev
This fixes the warning

  $ nix eval --store /tmp/nix --expr 'builtins.fetchTree { type = "git"; url = "https://github.com/DeterminateSystems/attic"; ref = "fixups-for-magic-nix-cache"; rev = "635753a2069d4b8228e846dc5c09ad361c75cd1a"; }'
  warning: could not update mtime for file '/home/eelco/.cache/nix/gitv3/09788h9zgba5lbfkaa6ija2dvi004jwsqjf5ln21i2njs07cz766/refs/heads/fixups-for-magic-nix-cache': error: changing modification time of '"/home/eelco/.cache/nix/gitv3/09788h9zgba5lbfkaa6ija2dvi004jwsqjf5ln21i2njs07cz766/refs/heads/fixups-for-magic-nix-cache"': No such file or directory

When we're fetching by rev, that file doesn't necessarily exist, and we
don't care about it anyway.

(cherry picked from commit b80b091bac)
2024-09-11 15:37:36 +00:00
Artturin
40461a8e0e Fix making the build directory kept by keep-failed readable
Caused by 1d3696f0fb

Without this fix the kept build directory is readable only by root

```
$ sudo ls -ld /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-5
drwx------ root root 60 B Wed Sep 11 00:09:48 2024  /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-5/

$ sudo ls -ld /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-5/build
drwxr-xr-x nixbld1 nixbld 80 B Wed Sep 11 00:09:58 2024  /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-5/build/
```

(cherry picked from commit ebebe626ff)
2024-09-11 12:56:18 +00:00
Eelco Dolstra
0f825b38f4 Bump version
2024-09-10 13:45:04 +02:00