Commit Graph

16164 Commits

Author SHA1 Message Date
Théophane Hufschmitt
cad14405c2 Add a test for the user sandboxing 2024-04-22 15:34:48 +02:00
Théophane Hufschmitt
fcdf99b5f5
Merge pull request #10459 from Ma27/backport-rl-2.20-changes
[2.20] Backport changes to release notes
2024-04-11 20:39:28 +02:00
Théophane Hufschmitt
1cf8c57990
Merge pull request #10471 from NixOS/backport-10456-to-2.20-maintenance
[Backport 2.20-maintenance] Fix adding symlink to the sandbox paths
2024-04-11 18:26:02 +02:00
Théophane Hufschmitt
ccb9779b96 Fix permission denied when building symlink derivation which points to a symlink out of the store
Bind-mounting symlinks is apparently not possible, which is why the
thing was failing.

Fortunately, symlinks are small, so we can fall back to copying them at no cost.

Fix https://github.com/NixOS/nix/issues/9579

Co-authored-by: Artturin <Artturin@artturin.com>
(cherry picked from commit 913db9f738)
2024-04-11 12:19:07 +00:00
Théophane Hufschmitt
f7146d25ec Add a test for depending on a symlink store path
Regression test for https://github.com/NixOS/nix/issues/9579

(cherry picked from commit 872d93eb13)
2024-04-11 12:19:07 +00:00
Maximilian Bosch
077bc08f9a
doc/rl-2.20: clarify builders-use-substitutes vs. substitute-on-destination
...as this led to confusion before.

(cherry picked from commit 50557adb3b)
2024-04-11 14:18:10 +02:00
Maximilian Bosch
9e077b2d47
doc/rl-2.20: add missing entry about nix copy --to ssh-ng://...
This requires `--substitute-on-destination` if you want the remote side
to substitute instead of copying if possible.

For completeness' sake, document it here.

Also, the stable Nix from nixpkgs is still 2.18, so more folks may
stumble upon this when this is bumped, so I'd expect this to be actually
useful.

Closes #10182

(cherry picked from commit f34b8de5b2)
2024-04-11 14:18:06 +02:00
Eelco Dolstra
202842e898
Merge pull request #10461 from NixOS/backport-10413-to-2.20-maintenance
[Backport 2.20-maintenance] path-info: print correct path when using `nix path-info --store file://... --all --json`
2024-04-10 22:49:22 +02:00
Maximilian Bosch
8b84348a78 path-info: print correct path when using nix path-info --store file://... --all --json
When querying all paths in a binary cache store, the path's representation
is `<hash>-x` (where `x` is the value of `MissingName`) because the .narinfo
filenames only contain the hash.

Before cc46ea1630 this worked correctly,
because the entire path info was read and the path from this
representation was printed, i.e. in the form `<hash>-<name>`. Since then
however, the direct result from `queryAllValidPaths()` was used as `path`.

Added a regression test to make sure the behavior remains correct.

(cherry picked from commit c80cd6bb06)
2024-04-10 17:37:36 +00:00
Rebecca Turner
7c6bd8b25f
Add release notes for "Functions are printed with more detail"
(cherry picked from commit abb5fef355)
2024-04-10 17:36:11 +02:00
Rebecca Turner
a383f3e408
Add release notes for "Nix no longer attempts to git add files that are .gitignored"
(cherry picked from commit 9a5d52262f)
2024-04-10 17:31:43 +02:00
Eelco Dolstra
c79d5195e5 Bump version 2024-04-05 17:24:37 +02:00
Eelco Dolstra
7bc4af7301
Merge pull request #10393 from NixOS/backport-10391-to-2.20-maintenance
[Backport 2.20-maintenance] Handle the case where a parent of ~/.nix-defexpr is a symlink
2024-04-03 18:52:21 +02:00
Eelco Dolstra
70a2c5f607 Handle the case where a parent of ~/.nix-defexpr is a symlink
Fixes https://github.com/DeterminateSystems/nix-installer/issues/912 and probably #10247.

(cherry picked from commit 09551fabd0)
2024-04-03 16:24:03 +00:00
Théophane Hufschmitt
59c629eb13
Merge pull request #10355 from NixOS/backport-10259-to-2.20-maintenance
[Backport 2.20-maintenance] doc: builtins.addDrvOutputDependencies: fix link target
2024-03-29 12:41:28 +01:00
Yueh-Shun Li
8bddaa14d4 builtins.addDrvOutputDependencies: fix commentary
(cherry picked from commit d2b512959c)
2024-03-29 10:56:46 +00:00
Yueh-Shun Li
34684db54d doc: builtins.addDrvOutputDependencies: fix link target
(cherry picked from commit 39b0b8452f)
2024-03-29 10:56:46 +00:00
Robert Hensing
ac9bedda2c
Merge pull request #10220 from lheckemann/backport-debugger-fix
[backport] fix debugger crashing while printing envs
2024-03-11 15:46:01 +01:00
pennae
631b2de30f fix debugger crashing while printing envs
fixes #9932

(cherry picked from commit 5ccb06ee1b)
2024-03-11 08:28:17 +01:00
Eelco Dolstra
fea2043060 GitHub fetcher: Ignore treeHash attribute for forward compatibility
See https://github.com/NixOS/nix/pull/10197.
2024-03-08 16:02:01 +01:00
Eelco Dolstra
02069f3058 Bump version 2024-03-07 16:49:52 +01:00
Eelco Dolstra
f8170ce9f1
Merge pull request from GHSA-2ffj-w4mj-pg37
Sandbox escape 2.20
2024-03-07 11:56:24 +01:00
Théophane Hufschmitt
d6918898c9 Add release notes 2024-03-07 09:38:54 +01:00
Théophane Hufschmitt
244f3eee0b Copy the output of fixed-output derivations before registering them
It is possible to exfiltrate a file descriptor out of the build sandbox
of FODs, and use it to modify the store path after it has been
registered.
To avoid that issue, don't register the output of the build, but a copy
of it (that will be free of any leaked file descriptor).
2024-03-07 09:38:51 +01:00
Théophane Hufschmitt
4645652975 Add a NixOS test for the sandbox escape
Test that we can't leverage abstract unix domain sockets to leak file
descriptors out of the sandbox and modify the path after it has been
registered.
2024-03-07 09:38:24 +01:00
Théophane Hufschmitt
584d64bebc
Merge pull request #10154 from intelfx/work/fix-null-deref
libfetchers/git: fix UB due to invalid usage of unique_ptr
2024-03-05 09:10:28 +01:00
Ivan Shapovalov
651e62781f libfetchers/git: use unique_ptr::get() instead of operator*()
According to N4950 20.3.1.3.5 [unique.ptr.single.observers]/1,
the behavior is undefined if get() == nullptr. Use get() instead of
operator*() on a possibly-null unique_ptr.

Fixes #10123.
2024-03-05 03:50:26 +01:00
Théophane Hufschmitt
82d7d740c9
Merge pull request #10142 from NixOS/backport-10073-to-2.20-maintenance
[Backport 2.20-maintenance] Accept multiple inputs in `nix flake update`
2024-03-04 10:31:19 +01:00
Olmo Kramer
b005d736ef Add test for nix flake update with multiple inputs
(cherry picked from commit b1ad729add)
2024-03-04 08:54:00 +00:00
Olmo Kramer
31c908a9e2 Accept multiple inputs in nix flake update
(cherry picked from commit 9f11b1b0c4)
2024-03-04 08:54:00 +00:00
Eelco Dolstra
b636f1ecd8 Bump version 2024-02-28 20:23:14 +01:00
Robert Hensing
edcb3430ef
Merge pull request #10102 from NixOS/backport-10044-to-2.20-maintenance
[Backport 2.20-maintenance] Handle empty Git repositories / workdirs
2024-02-28 03:00:35 +01:00
Eelco Dolstra
15c0a7b2ce Support empty Git repositories / workdirs
Fixes #10039.

(cherry picked from commit 9e762454cf)
2024-02-28 01:40:43 +00:00
Eelco Dolstra
2e78ef5612 AllowListInputAccessor: Clarify that the "allowed paths" are actually allowed prefixes
E.g. adding "/" will allow access to the root and *everything below it*.

(cherry picked from commit d52d91fe7a)
2024-02-28 01:40:43 +00:00
Eelco Dolstra
7599d4bbed Bump version 2024-02-21 16:22:16 +01:00
Eelco Dolstra
8a8172cd2b
Merge pull request #10050 from NixOS/backport-10049-to-2.20-maintenance
[Backport 2.20-maintenance] Don't send settings that depend on disabled experimental features to the daemon
2024-02-21 13:05:51 +01:00
Eelco Dolstra
7b45cc30a1
Merge pull request #10057 from NixOS/backport-10055-to-2.20-maintenance
[Backport 2.20-maintenance] Faster flake.lock parsing
2024-02-21 12:20:21 +01:00
Graham Dennis
e52d384766 Faster flake.lock parsing
This PR reduces the creation of short-lived basic_json objects while
parsing flake.lock files. For large flake.lock files (~1.5MB) I was
observing ~60s being spent for trivial nix build operations while
after this change it is now taking ~1.6s.

(cherry picked from commit 7fd0de38c6)
2024-02-21 11:19:23 +00:00
Eelco Dolstra
0b32c8763b Don't send settings that depend on disabled experimental features to the daemon
This fixes warnings like

   warning: Ignoring setting 'auto-allocate-uids' because experimental feature 'auto-allocate-uids' is not enabled
   warning: Ignoring setting 'impure-env' because experimental feature 'configurable-impure-env' is not enabled

when using the daemon and the user didn't actually set those settings.

Note: this also hides those settings from `nix config show`, but that
seems a good thing.

(cherry picked from commit 0acd783190)
2024-02-20 14:53:28 +00:00
Eelco Dolstra
adb1d56862
Merge pull request #10045 from NixOS/backport-10043-to-2.20-maintenance
[Backport 2.20-maintenance] fetchToStore(): Don't always respect settings.readOnlyMode
2024-02-20 12:50:30 +01:00
Eelco Dolstra
28dd392948 fetchToStore(): Don't always respect settings.readOnlyMode
It's now up to the caller whether readOnlyMode should be applied. In
some contexts (like InputScheme::fetch()), we always need to fetch.

(cherry picked from commit 7cb4d0c5b7)
2024-02-20 11:08:06 +00:00
Eelco Dolstra
7f02d17881 Don't say "copying X to the store" in read-only mode
(cherry picked from commit 6162105675)
2024-02-20 11:08:06 +00:00
Eelco Dolstra
ce23ef4a77 Bump version 2024-02-19 15:37:26 +01:00
Robert Hensing
98c22e8798
Merge pull request #10023 from NixOS/backport-9985-to-2.20-maintenance
[Backport 2.20-maintenance] Restore `builtins.pathExists` behavior on broken symlinks
2024-02-16 22:55:21 +01:00
John Ericson
02f7025deb Add note about this being a temp solution
(cherry picked from commit e27b7e04bf)
2024-02-16 14:24:23 +00:00
Alois Wohlschlager
0571e6e9b4 Restore builtins.pathExists behavior on broken symlinks
Commit 83c067c0fa changed `builtins.pathExists`
to resolve symlinks before checking for existence. Consequently, if the path
refers to a symlink itself, existence of the target of the symlink (instead of
the symlink itself) was checked. Restore the previous behavior by skipping
symlink resolution in the last component.

(cherry picked from commit 89e21ab4bd)
2024-02-16 14:24:23 +00:00
Eelco Dolstra
982d07d009
Merge pull request #10011 from NixOS/backport-10006-to-2.20-maintenance
[Backport 2.20-maintenance] <nix/fetchurl.nix>: Restore support for "impure = true"
2024-02-13 23:03:59 +01:00
Eelco Dolstra
7f66d4f167 <nix/fetchurl.nix>: Restore support for "impure = true"
(cherry picked from commit bb63bd50e6)
2024-02-13 21:51:13 +00:00
Eelco Dolstra
52e53a2983
Merge pull request #9991 from NixOS/backport-9976-to-2.20-maintenance
[Backport 2.20-maintenance] Restore manual pages
2024-02-12 15:31:57 +01:00
Alois Wohlschlager
c5a8b9050c Restore manual pages
Commit d536c57e87 inadvertently broke build and
installation of all non-autogenerated manual pages (in particular, all the ones
documenting the stable CLI), by moving the definition of the man-pages variable
in doc/manual/local.mk after its usage in mk/lib.mk. Move including the former
earlier so that the correct order is restored.

(cherry picked from commit 8f3253c6f4)
2024-02-12 14:22:06 +00:00