Commit Graph

18544 Commits

Author SHA1 Message Date
Puck Meerburg
c1ecf0bee9 fix passing CA files into builtins:fetchurl sandbox
This patch has been manually adapted from
14dc84ed03

Tested with:

$ NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }'
Finished at 16:57:50 after 1s
warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
this derivation will be built:
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
  /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com> building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com> error:
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com>        … writing file '/nix/store/0zynn4n8yx59bczy1mgh1lq2rnprvvrc-google.com'
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com>
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com>        error: unable to download 'https://google.com': Problem with the SSL CA cert (path? access rights?) (77) error setting certificate file: /nix/store/nlgbippbbgn38hynjkp1ghiybcq1dqhx-nss-cacert-3.101.1/etc/ssl/certs/ca-bundle.crt
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
error: builder for '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv' failed with exit code 1

Now returns:

nix-env % NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }'
Finished at 17:05:48 after 0s
warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
this derivation will be built:
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
  /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com> building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
error: hash mismatch in fixed-output derivation '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv':
         specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
2024-09-28 17:08:16 +02:00
Eelco Dolstra
08deebddf2
Merge pull request #11600 from DeterminateSystems/fix-uncaught-exception
HttpBinaryCacheStore::getFile(): Fix uncaught exception
2024-09-27 12:37:12 +02:00
Eelco Dolstra
f8bd7e7e5c
Merge pull request #11598 from joshheinrichs-shopify/fix-http-cache-reference
Fix reference to HTTP Binary Cache Store in docs
2024-09-27 11:43:41 +02:00
Jörg Thalheim
3b0c5ab835 tests/functional/flakes/run: fix tests in macOS devshell
same fix as in 04a47e93f6
2024-09-27 11:07:50 +02:00
Valentin Gagarin
aee34e4776
fix location 2024-09-27 11:07:04 +02:00
Eelco Dolstra
4566854981 HttpBinaryCacheStore::getFile(): Fix uncaught exception
This method is marked as `noexcept`, but `enqueueFileTransfer()` can
throw `Interrupted` if the user has hit Ctrl-C or if the `ThreadPool`
that the thread is a part of is shutting down.
2024-09-27 00:16:52 +02:00
Eelco Dolstra
0ed67e5b7e
Merge pull request #11581 from Mic92/git-cache
create git caches atomically
2024-09-26 21:58:22 +02:00
Josh Heinrichs
1271a95b79
Fix reference to HTTP Binary Cache Store in docs 2024-09-26 12:30:41 -06:00
Jörg Thalheim
12d5b2cfa1 create git caches atomically
When working on speeding up the CI,
I triggered a race condition in the creation of the tarball cache.
This code now instead will ensure that half-initialized repositories
are no longer visible to any other nix process.

This is the error message that I got before:

error: opening Git repository '"/Users/runner/.cache/nix/tarball-cache"': could not find repository at '/Users/runner/.cache/nix/tarball-cache'
2024-09-26 17:46:25 +02:00
Jason Yundt
a5959aa121
docs: specify that flake.lock files are JSON (#11594)
* docs: specify that flake.lock files are JSON

Recently, I decided that I was going to write some code that would parse
flake.lock files. I went to the Nix Reference Manual in order to look up
information on the format of flake.lock files, and I realized that a key
detail was missing from the Nix Reference Manual: it never says that
flake.lock files are JSON files. This commit fixes that issue.

This commit makes sure to specify that flake.lock files are encoded in
UTF-8. Confusingly, there’s multiple different JSON standards. Neither
ECMA-404, 2nd Edition [1] nor ISO/IEC 21778:2017 [2] mention UTF-8. RFC
8259 requires UTF-8, but only sometimes [3]. I chose to explicitly
specify that flake.lock files are UTF-8 in order to avoid any possible
ambiguities from the JSON standards.

[1]: <https://ecma-international.org/publications-and-standards/standards/ecma-404>
[2]: <https://www.iso.org/standard/71616.html>
[3]: <https://www.rfc-editor.org/rfc/rfc8259.html#section-8.1>
2024-09-26 00:21:33 +00:00
Eelco Dolstra
4dc4e81b1e
Merge pull request #11593 from DeterminateSystems/typo
Fix typo
2024-09-26 00:55:46 +02:00
Eelco Dolstra
ef8987955b Typo 2024-09-26 00:15:04 +02:00
Eelco Dolstra
062b4a489e
Merge pull request #11585 from NixOS/verify-tls
builtin:fetchurl: Enable TLS verification
2024-09-25 23:52:25 +02:00
Eelco Dolstra
7b39cd631e Add release note 2024-09-25 23:07:11 +02:00
Valentin Gagarin
6c37d81514
Merge pull request #11584 from Mic92/devdocs 2024-09-25 13:44:49 +02:00
Jörg Thalheim
eb3a368a33 docs/testing: add --verbose flag for running single tests
Most of the time people run single tests for debugging reason,
so it's a sane default to have them see all the console output.

This commit still retains the section about running tests directly with
meson, because in some debugging cases it's just nice to have less
abstractions i.e. when using strace.
2024-09-25 09:46:29 +02:00
Eelco Dolstra
f2f47fa725 Add a test for builtin:fetchurl cert verification 2024-09-24 16:13:28 +02:00
John Ericson
322d2c767f
Merge pull request #11523 from obsidiansystems/base64Decode-no-leak-private-key-on-error
Ensure error messages don't leak private key
2024-09-23 17:13:32 -04:00
John Ericson
2b6b03d8df Ensure error messages don't leak private key
Since #8766, invalid base64 is rendered in errors, but we don't actually
want to show this in the case of an invalid private keys.

Co-Authored-By: Eelco Dolstra <edolstra@gmail.com>
2024-09-23 16:36:48 -04:00
Eelco Dolstra
c04bc17a5a builtin:fetchurl: Enable TLS verification
This is better for privacy and to avoid leaking netrc credentials in a
MITM attack, but also the assumption that we check the hash no longer
holds in some cases (in particular for impure derivations).

Partially reverts 5db358d4d7.
2024-09-23 15:15:43 +02:00
Ryan Hendrickson
da332d678e libexpr: deprecate the bogus "or"-as-variable
As a prelude to making "or" work like a normal variable, emit a warning
any time the "fn or" production is used in a context that will change
how it is parsed when that production is refactored.

In detail: in the future, OR_KW will be moved to expr_simple, and the
cursed ExprCall production that is currently part of the expr_select
nonterminal will be generated "normally" in expr_app instead. Any
productions that accept an expr_select will be affected, except for the
expr_app nonterminal itself (because, while expr_app has a production
accepting a bare expr_select, its other production will continue to
accept "fn or" expressions). So all we need to do is emit an appropriate
warning when an expr_simple representing a cursed ExprCall is accepted
in one of those productions without first going through expr_app.

As the warning message describes, users can suppress the warning by
wrapping their problematic "fn or" expressions in parentheses. For
example, "f g or" can be made future-proof by rewriting it as
"f (g or)"; similarly "[ x y or ]" can be rewritten as "[ x (y or) ]",
etc. The parentheses preserve the current grouping behavior, as in the
future "f g or" will be parsed as "(f g) or", just like
"f g anything-else" is grouped. (Mechanically, this suppresses the
warning because the problem ExprCalls go through the
"expr_app : expr_select" production, which resets the cursed status on
the ExprCall.)
2024-09-20 15:57:36 -04:00
John Ericson
d0c351bf43 Revert "base64Decode: clearer error message when an invalid character is detected"
We have a safer way of doing this.

This reverts commit dc3ccf02bf.
2024-09-20 10:41:45 -04:00
Eelco Dolstra
68ba6ff470
Merge pull request #11558 from DeterminateSystems/fix-no-gc-build
Fix build without GC
2024-09-20 16:02:08 +02:00
Eelco Dolstra
ec47133be3 Fix warning 2024-09-20 15:08:45 +02:00
Eelco Dolstra
088569463b Fix build without GC 2024-09-20 15:01:32 +02:00
Eelco Dolstra
c5c68558b5
Merge pull request #11550 from DeterminateSystems/traceable-allocator-alias
Alias traceable_allocator to std::allocator when building without GC
2024-09-20 10:43:31 +02:00
Eelco Dolstra
b2bb92ef09 Formatting
Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
2024-09-19 22:59:42 +02:00
Eelco Dolstra
2f4a7a8301 Add a few more aliases 2024-09-19 21:04:01 +02:00
Eelco Dolstra
589d8f1f2b Move GC-related definitions to eval-gc.hh 2024-09-19 21:04:01 +02:00
Eelco Dolstra
31d408c351 Alias gc_allocator 2024-09-19 21:04:01 +02:00
Eelco Dolstra
b9f78abb7f Alias traceable_allocator to std::allocator when building without GC
This allows us to get rid of a bunch of #ifdefs.
2024-09-19 21:04:01 +02:00
Eelco Dolstra
ca3fc1693b
Merge pull request #11548 from DeterminateSystems/fix-zipAttrsWith-gc
Fix missing GC root in zipAttrsWith
2024-09-19 21:02:36 +02:00
Eelco Dolstra
4449b0da74
Use HAVE_BOEHMGC
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
2024-09-19 19:52:47 +02:00
Eelco Dolstra
0c2fdd2f3c Fix missing GC root in zipAttrsWith
My SNAFU was that I assumed that all the `Value *`s we put in
`attrsSeen` are already reachable (which they are), but I forgot about
the `elems` pointer in `ListBuilder`.

Fixes #11547.
2024-09-19 19:16:31 +02:00
Eelco Dolstra
9ea29ea517
Merge pull request #11540 from NixOS/meson-arm-atomic
nix-util / meson: Add -latomic on arm
2024-09-19 16:09:14 +02:00
Eelco Dolstra
cd5fc45524
Merge pull request #11541 from noamraph/fix-nix-profile-sh
nix-profile.sh.in: fix envvar condition
2024-09-19 14:32:23 +02:00
Eelco Dolstra
e60b90192a
Merge pull request #11538 from NixOS/detect-close_range
Use close_range when available
2024-09-19 13:48:27 +02:00
Valentin Gagarin
a45a7e8011
Merge pull request #11528 from Mic92/mergify-2
mergify: enable merge-queue for backports
2024-09-19 11:29:52 +02:00
Noam Yorav-Raphael
97fffd8765 nix-profile.sh.in: fix envvar condition 2024-09-19 07:20:04 +03:00
Robert Hensing
3df1658ba1
Merge pull request #11539 from NixOS/fix-installer-tests
Revert "tests.installer: Load profile with -o unset"
2024-09-19 00:04:09 +02:00
Robert Hensing
56b8911766 nix-util / meson: Add -latomic on arm
I couldn't get the test program to work correctly after many attempts,
so let's just unblock this without making it perfect.
2024-09-19 00:01:24 +02:00
Robert Hensing
c75907e47b Revert "tests.installer: Load profile with -o unset"
I must have made a mistake while testing this, because nounset does
not work on any of the distributions.

This reverts commit 2f0db04da0.
2024-09-18 23:06:01 +02:00
Robert Hensing
5c87c40a5e Use close_range when available
This fixes the FreeBSD build of nix-util
2024-09-18 22:42:44 +02:00
Eelco Dolstra
59acf3b75c
Merge pull request #11532 from Mic92/macos-test-fix
tests/functional/shell: fix test in macOS devshell
2024-09-18 21:43:49 +02:00
Eelco Dolstra
96ee5450d9
Merge pull request #11529 from DeterminateSystems/test-ifd-in-chroot
Test IFD/filterSource in chroot stores
2024-09-18 21:20:04 +02:00
Valentin Gagarin
0f5c37c242
Merge pull request #11530 from Mic92/flake-archive 2024-09-18 20:58:06 +02:00
Jörg Thalheim
04a47e93f6 tests/functional/shell: fix test in macOS devshell 2024-09-18 20:51:15 +02:00
Eelco Dolstra
a673084733 Fix tests 2024-09-18 19:06:48 +02:00
Eelco Dolstra
d772a8b3dc shellcheck 2024-09-18 18:05:08 +02:00
Jörg Thalheim
f0a4f19087 add description + example for nix flake archive
Update src/nix/flake-archive.md

Update src/nix/flake-archive.md
2024-09-18 17:31:40 +02:00