Commit Graph

17467 Commits

Author SHA1 Message Date
Eelco Dolstra
d01638028a Merge remote-tracking branch 'nix-ghsa-wf4c-57rh-9pjg/advisory-fix-1-2.23' into 2.23-maintenance 2024-10-30 21:44:13 +01:00
Robert Hensing
67b5c70043 local-derivation-goal: Move builder preparation to non-builtin code path 2024-10-22 20:06:01 +02:00
Robert Hensing
53b4bdcb8b local-derivation-goal: Refactor
This works because the `builder` and `args` variables are only used
in the non-builtin code path.

Co-Authored-By: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
2024-10-22 20:06:01 +02:00
Robert Hensing
c43954ffac local-derivation-goal: Print sandbox error detail on darwin
Co-Authored-By: Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
2024-10-22 20:06:01 +02:00
Puck Meerburg
05994033d5 fix: Run all derivation builders inside the sandbox on macOS 2024-10-22 20:05:47 +02:00
Robert Hensing
1cc02ff16f
Merge pull request #11648 from NixOS/mergify/bp/2.23-maintenance/pr-11610
fix passing CA files into builtins:fetchurl sandbox (backport #11610)
2024-10-13 12:44:26 +02:00
Jörg Thalheim
efdeca36cf tests/nixos/fetchurl: drop unused variables
(cherry picked from commit 410853ddcf)
2024-10-07 12:44:28 +00:00
Puck Meerburg
46015afe32 fix passing CA files into builtins:fetchurl sandbox
This patch has been manually adapted from
14dc84ed03

Tested with:

$ NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }'
Finished at 16:57:50 after 1s
warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
this derivation will be built:
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
  /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com> building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com> error:
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com>        … writing file '/nix/store/0zynn4n8yx59bczy1mgh1lq2rnprvvrc-google.com'
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com>
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com>        error: unable to download 'https://google.com': Problem with the SSL CA cert (path? access rights?) (77) error setting certificate file: /nix/store/nlgbippbbgn38hynjkp1ghiybcq1dqhx-nss-cacert-3.101.1/etc/ssl/certs/ca-bundle.crt
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
error: builder for '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv' failed with exit code 1

Now returns:

nix-env % NIX_SSL_CERT_FILE=$(nix-build '<nixpkgs>' -A cacert)/etc/ssl/certs/ca-bundle.crt nix-build --store $(mktemp -d) -E 'import <nix/fetchurl.nix> { url = https://google.com; }'
Finished at 17:05:48 after 0s
warning: found empty hash, assuming 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
this derivation will be built:
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
  /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
google.com> building '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv'
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
nix-output-monitor error: DerivationReadError /nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv: openFile: does not exist (No such file or directory)
error: hash mismatch in fixed-output derivation '/nix/store/4qljhy0jj2b0abjzpsbyarpia1bqylwc-google.com.drv':
         specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

(cherry picked from commit c1ecf0bee9)
2024-10-07 12:44:27 +00:00
Eelco Dolstra
278f26a8fc
Merge pull request #11591 from NixOS/mergify/bp/2.23-maintenance/pr-11585
builtin:fetchurl: Enable TLS verification (backport #11585)
2024-09-26 01:38:14 +02:00
Eelco Dolstra
6efc7274c4 Resolve conflict 2024-09-26 00:20:49 +02:00
Eelco Dolstra
2e82f9eedf Typo
(cherry picked from commit ef8987955b)
2024-09-26 00:20:48 +02:00
Eelco Dolstra
2915f05f44 Add release note
(cherry picked from commit 7b39cd631e)
2024-09-25 21:54:47 +00:00
Eelco Dolstra
579a4ae228 Add a test for builtin:fetchurl cert verification
(cherry picked from commit f2f47fa725)

# Conflicts:
#	tests/nixos/default.nix
2024-09-25 21:54:46 +00:00
Eelco Dolstra
a712f0fe99 builtin:fetchurl: Enable TLS verification
This is better for privacy and to avoid leaking netrc credentials in a
MITM attack, but also the assumption that we check the hash no longer
holds in some cases (in particular for impure derivations).

Partially reverts 5db358d4d7.

(cherry picked from commit c04bc17a5a)
2024-09-25 21:54:46 +00:00
John Ericson
5ffd239adc
Merge pull request #11575 from NixOS/mergify/bp/2.23-maintenance/pr-11390
Don't refer to public keys as secret keys in error (backport #11390)
2024-09-23 19:00:08 -04:00
Alyssa Ross
f104a8b928 Don't refer to public keys as secret keys in error
This constructor is used for public keys as well.

(cherry picked from commit 9cc550d652)
2024-09-23 22:03:20 +00:00
Robert Hensing
e873d00bda
Merge pull request #11463 from NixOS/mergify/bp/2.23-maintenance/pr-11321
replace backport github action with mergify (backport #11321)
2024-09-16 12:41:26 +02:00
Robert Hensing
337f12800b
Merge pull request #11483 from NixOS/mergify/bp/2.23-maintenance/pr-11473
Fix making the build directory kept by `keep-failed` readable (backport #11473)
2024-09-16 12:39:30 +02:00
Artturin
91a13171d3 Fix making the build directory kept by keep-failed readable
Caused by 1d3696f0fb

Without this fix the kept build directory is readable only by root

```
$ sudo ls -ld /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-5
drwx------ root root 60 B Wed Sep 11 00:09:48 2024  /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-5/

$ sudo ls -ld /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-5/build
drwxr-xr-x nixbld1 nixbld 80 B Wed Sep 11 00:09:58 2024  /comp-temp/nix-build-openssh-static-x86_64-unknown-linux-musl-9.8p1.drv-5/build/
```

(cherry picked from commit ebebe626ff)
2024-09-11 12:55:16 +00:00
Eelco Dolstra
3de8fbaa4b
Merge pull request #11420 from NixOS/mergify/bp/2.23-maintenance/pr-10919
install-darwin: fix _nixbld uids for macOS sequoia (backport #10919)
2024-09-10 21:38:23 +02:00
Eelco Dolstra
45df48b410
Merge commit from fork
Backport NAR tests, fix duplicate name check
2024-09-10 12:42:55 +02:00
Eelco Dolstra
a0df929575 Fix test 2024-09-10 12:22:31 +02:00
Eelco Dolstra
78eb845950 Improve use-case-hack description slightly
(cherry picked from commit 5ca2f58798)
2024-09-10 10:01:39 +02:00
Eelco Dolstra
8ce0c82268 Typo
(cherry picked from commit 4cfa59fdb3)
2024-09-10 10:01:39 +02:00
Eelco Dolstra
b88d78f98d Test that deserializing regular files / symlinks is exclusive
(cherry picked from commit 52ba3cc5ea)
2024-09-10 10:01:39 +02:00
Eelco Dolstra
fd4f995963 Fix test on macOS
(cherry picked from commit 21dcbd7e83)
2024-09-10 10:00:58 +02:00
Eelco Dolstra
2a25c1d9b4 Test that deserializing NARs with names with equal Unicode normal forms fails on macOS
The test is based on the one by @puckipedia but with the file names
swapped to make them sorted.

(cherry picked from commit 7a765a6aaf)
2024-09-10 10:00:58 +02:00
Eelco Dolstra
b51c0915ee Detect NAR directory entries that collide with another path after case-hacking
The test was made by @puckipedia.

(cherry picked from commit 3557587381)
2024-09-10 09:58:20 +02:00
Eelco Dolstra
3ab521f8e0 More tests
(cherry picked from commit 77c090cdbd)
2024-09-10 09:58:05 +02:00
Eelco Dolstra
7358d217cf Test that nix-store --restore fails if the output already exists
This restores the behaviour from before the std::filesystem
refactorings.

(cherry picked from commit da1ad28912)
2024-09-10 09:57:50 +02:00
Eelco Dolstra
f9b3defe7f Add test case for NARs with duplicate directory entries
This test was made by @puckipedia.

(cherry picked from commit 83d5b32803)
2024-09-10 09:57:05 +02:00
Eelco Dolstra
49f21a860f NAR parser: Fix check for duplicate / incorrectly sorted entries
"prevName" was always empty because it was declared in the wrong scope.

(cherry picked from commit 495d32e1b8)
2024-09-10 09:56:51 +02:00
Jörg Thalheim
0c7cdde6e3 replace backport github action with mergify
The current backport action cannot automerge because
the github action bot does not trigger github CI actions.
Mergify instead does not have this limitation and can also
use a merge queue.

On top of that, we now have a declarative configuration to allow
contributors to add new tests to required without having access
to the github org.

An example pull request and backport can be seen here:

https://github.com/Mic92/nix-1/pull/4

and here:

https://github.com/Mic92/nix-1/pull/5

To complete the setup the mergify app must be enabled for this repository.
It's already installed in the nixos organization for nixos-hardware and
other repositories.

(cherry picked from commit 80f20fa4cb)
2024-09-09 16:38:45 +00:00
Robert Hensing
e786a701a8 installerScriptForGHA: aarch64-darwin
Backport of df3e92ff96

https://github.com/NixOS/nix/pull/11009

GitHub Actions seems to have magically switched architectures
without changing their identifiers.
See 2813ee66cb/README.md (available-images)
Maybe they have more complete documentation elsewhere, but it
seems to be incapable of selecting a runner based on architecture.
2024-09-09 17:37:44 +02:00
Emily
4e5a997428 install-darwin: increment base UID by 1 (#15)
(cherry picked from commit 11cf29b15c)
2024-09-03 23:58:14 +00:00
Travis A. Everett
3726460c30 install-darwin: move nixbld gid to match first UID
(cherry picked from commit 75567423fb)
2024-09-03 23:58:14 +00:00
Travis A. Everett
d5dc377973 install-darwin: fix _nixbld uids for macOS sequoia
Starting in macOS 15 Sequoia, macOS daemon UIDs are encroaching on our
default UIDs of 301-332. This commit relocates our range up to avoid
clashing with the current UIDs of 301-304 and buys us a little time
while still leaving headroom for people installing more than 32 users.

(cherry picked from commit df36ff0d1e)
2024-09-03 23:58:13 +00:00
Robert Hensing
700d1355d3
Merge pull request #11333 from NixOS/backport-11329-to-2.23-maintenance
[Backport 2.23-maintenance] fix: check to see if there are any lines before
2024-08-19 16:27:24 +02:00
Tom Bereknyei
7cca0f3794 fix: check to see if there are any lines before
(cherry picked from commit 59db8fd62b)
2024-08-19 13:40:35 +00:00
tomberek
d02b2eb187
Merge pull request #11318 from NixOS/backport-11270-to-2.23-maintenance
[Backport 2.23-maintenance] libstore: fix port binding in __darwinAllowLocalNetworking sandbox
2024-08-17 02:56:20 -04:00
Andrew Marshall
8f439a2c3c libstore: fix port binding in __darwinAllowLocalNetworking sandbox
In d60c3f7f7c, this was changed to close a
hole in the sandbox. Unfortunately, this was too restrictive such that it
made local port binding fail, thus making derivations that needed
`__darwinAllowLocalNetworking` gain nearly nothing, and thus largely
fail (as the primary use for it is to enable port binding).

This unfortunately does mean that a sandboxed build process can, in
coordination with an actor outside the sandbox, escape the sandbox by
binding a port and connecting to it externally to send data. I do not
see a way around this with my experimentation and understanding of the
(quite undocumented) macOS sandbox profile API. Notably it seems not
possible to use the sandbox to do any of:

- Restrict the remote IP of inbound network requests
- Restrict the address being bound to

As such, the `(local ip "*:*")` here appears to be functionally no
different than `(local ip "localhost:*")` (however it *should* be
different than removing the filter entirely, as that would make it also
apply to non-IP networking). Doing `(allow network-inbound (require-all
(local ip "localhost:*") (remote ip "localhost:*")))` causes listening
to fail.

Note that `network-inbound` implies `network-bind`.

(cherry picked from commit 00f6db36fd)
2024-08-17 03:17:43 +00:00
Eelco Dolstra
9297d927c9
Merge pull request #11214 from NixOS/backport-11171-to-2.23-maintenance
[Backport 2.23-maintenance] Increase download buffer size and improve tarball import logging
2024-07-29 16:03:27 +02:00
Eelco Dolstra
dd0412d1b4 Show when we're unpacking an archive into the Git cache
This happens in parallel with the download (which starts later), so
you only see this message when the download has finished but the
import hasn't.

(cherry picked from commit 01839b525c)
2024-07-29 13:02:58 +00:00
Eelco Dolstra
c3e907af7d Warn if the download buffer is full
(cherry picked from commit f6a9a71b38)
2024-07-29 13:02:58 +00:00
Eelco Dolstra
78046450ab Add 'download-buffer-size' setting
We are piping curl downloads into `unpackTarfileToSink()`, but the
latter is typically slower than the former if you're on a fast
connection. So the download could appear unnecessarily slow. (There is
even a risk that if the Git import is *really* slow for whatever
reason, the TCP connection could time out.)

So let's make the download buffer bigger by default - 64 MiB is big
enough for the Nixpkgs tarball. Perhaps in the future, we could have
an unlimited buffer that spills data to disk beyond a certain
threshold, but that's probably overkill.

(cherry picked from commit 8ffea0a018)
2024-07-29 13:02:57 +00:00
Eelco Dolstra
7698e53b0b Log download durations
(cherry picked from commit caf4e98f0c)
2024-07-29 13:02:57 +00:00
Eelco Dolstra
051f3773db
Merge pull request #11194 from NixOS/backport-11086-to-2.23-maintenance
[Backport 2.23-maintenance] Eval cache: fix cache regressions
2024-07-26 18:26:25 +02:00
Lexi Mattick
77e4802ce2 Clean up cache for all commands
(cherry picked from commit 6c4470ec2a)
2024-07-26 15:59:36 +00:00
Lexi Mattick
6925a772d0 Eval cache: fix cache regressions
- Fix eval cache not being persisted in `nix develop` (since #10570)
- Don't attempt to commit cache transaction if there is no active transaction, which will spew errors in edge cases
- Drive-by: trivial typo fix

(cherry picked from commit e764ed31f6)
2024-07-26 15:59:36 +00:00
Eelco Dolstra
707a6c550f
Merge pull request #11128 from NixOS/backport-10852-to-2.23-maintenance
[Backport 2.23-maintenance] add call to `checkInterrupt` in a bunch of places
2024-07-17 18:28:29 +02:00