(This is a rewritten version of the reverted commit
a927709a35, that disables the creation of
/var/empty during build so that sandboxed builds also work. For more
context, see https://github.com/NixOS/nixpkgs/pull/16966)
If running NixOS inside a container where the host's root-owned files
and directories have been mapped to some other uid (like nobody), the
ssh daemon fails to start, producing this error message:
fatal: /nix/store/...-openssh-7.2p2/empty must be owned by root and not group or world-writable.
The reason for this is that when openssh is built, we explicitly set
`--with-privsep-path=$out/empty`. This commit removes that flag which
causes the default directory /var/empty to be used instead. Since NixOS'
activation script correctly sets up that directory, the ssh daemon now
also works within containers that have a non-root-owned nix store.
For some reason I haven't been able to figure out, sift does not build on OSX.
I think it is because sift uses cgo for some of its functionality which you can
see here:
https://github.com/svent/sift/blob/master/matching_cgo.go#L23
The error which hydra found (and is reproducible on OSX) can be seen here:
https://hydra.nixos.org/build/37169149
Ideally I would like to get sift building on OSX, however my nix-fu is weak.
Any suggestions are welcome. In the meantime I would like to get sift into one
of the release channels for Linux where it works fine.
New:
- compression format specification zstd_compression_format.md
- -- separator, stating that all following arguments are file names
- ZSTD_getDecompressedSize()
Fixes:
- dictBuilder using HC levels
- legacy support from ZSTD_decompress_usingDDict()
- multi-blocks decoding with intermediate uncompressed blocks
- currently pulled in from Git until the next release of PackageKit
has Nix support
- also: add in a service module to start packagekit properly
- nixos service can be enabled via services.packagekit.enable
- packagekit requires nixunstable to build properly
youtube-dl: 2016.06.27 -> 2016.07.03.1
`mps-youtube` is the only package that fails in `nox-review`, but this was true before this merge. I have tested the updated result of `youtube-dl`. All fine for me.
Fixes:
- ZSTD_decompressBlock() using multiple consecutive blocks.
- potential segfault on very large files (many gigabytes).
- CLI displays system error message when destination file
cannot be created.
- potential leak in zdict.
Switch off HAVE_SAVED_UIDS since it activates a code path for temporary
privilege dropping which does not work on NixOS.
Vixie-cron's sources ship with two implementations. Unfortunately, the
one activated by HAVE_SAVED_UIDS (using setuid()) does not work on
NixOS. Saved UIDs work only if the program which is using them has the
setuid bit set on its own executable, not if called from a setuid
wrapper (as we do it in NixOS). The other implementation (using
setreuid()) works without problems.
Quote from
<http://stackoverflow.com/questions/8499296/realuid-saved-uid-effective-uid-whats-going-on>:
If your euid is root and you change the uid, the privileges get
dropped permanently. If the effective user id is not root then the saved user
id is never touched and you can regain root privilege
anytime you want in your program.
Also extend the default PATH with NixOS-specific bin directories as
vixie-cron's default is not really usable on NixOS.
Re #16518, closes #16522
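The two privilege-dropping strategies contrasted in the vixie-cron commit above can be illustrated with a small model of how Linux maintains the real, effective and saved user ids under setuid(2) and setreuid(2). The following is an added example, not code from vixie-cron or nixpkgs: it reimplements the credential rules as documented in the setuid(2)/setreuid(2) man pages as plain C functions (the kernel is never called, so it runs unprivileged), and the uid 1000 and the starting state of a setuid-root tool invoked by that user are constructed for the illustration. Scenario 1 shows that a drop via setuid() while euid is 0 changes all three ids and cannot be undone; scenario 2 shows the setreuid() real/effective swap that leaves a way back.

```c
/* Added example: a model of Linux setuid(2)/setreuid(2) credential bookkeeping
 * (rules taken from the man pages), not a call into the kernel. It shows why a
 * setuid() based drop from euid 0 is permanent while a setreuid() swap is
 * reversible. The uids and the starting credentials are constructed. */
#include <stdio.h>

typedef unsigned int uid;
#define NOCHANGE ((uid)-1)

typedef struct { uid ruid, euid, suid; } creds;

static int privileged(const creds *c) { return c->euid == 0; }

/* setuid(2): a privileged caller sets all three ids; an unprivileged caller
 * may only set euid, and only to the current real or saved id.
 * Returns 0 on success, -1 (EPERM) on failure. */
int model_setuid(creds *c, uid u) {
    if (privileged(c)) { c->ruid = c->euid = c->suid = u; return 0; }
    if (u == c->ruid || u == c->suid) { c->euid = u; return 0; }
    return -1;
}

/* setreuid(2): NOCHANGE leaves an id as it is. An unprivileged caller may set
 * ruid to the current ruid or euid, and euid to the current ruid, euid or suid.
 * If ruid is set, or euid is set to a value other than the previous ruid, the
 * saved id becomes the new euid. Returns 0 on success, -1 on failure. */
int model_setreuid(creds *c, uid r, uid e) {
    creds old = *c;
    if (!privileged(c)) {
        if (r != NOCHANGE && r != old.ruid && r != old.euid) return -1;
        if (e != NOCHANGE && e != old.ruid && e != old.euid && e != old.suid) return -1;
    }
    if (r != NOCHANGE) c->ruid = r;
    if (e != NOCHANGE) c->euid = e;
    if (r != NOCHANGE || (e != NOCHANGE && e != old.ruid)) c->suid = c->euid;
    return 0;
}

/* Scenario 1: a setuid-root tool started by `user` (ruid=user, euid=0, suid=0)
 * drops to the user with setuid() and then tries to get root back.
 * Returns 1 if root was regained, 0 otherwise. */
int drop_with_setuid_and_regain(uid user) {
    creds c = { user, 0, 0 };
    model_setuid(&c, user);              /* euid is 0: all three ids become user */
    return model_setuid(&c, 0) == 0 && c.euid == 0;
}

/* Scenario 2: the same tool swaps real and effective ids with setreuid(), does
 * its unprivileged work, and swaps back. Returns 1 if root was regained. */
int drop_with_setreuid_and_regain(uid user) {
    creds c = { user, 0, 0 };
    if (model_setreuid(&c, c.euid, c.ruid) != 0) return 0;  /* -> (0, user, user) */
    if (c.euid != user) return 0;                            /* running as the user */
    if (model_setreuid(&c, c.euid, c.ruid) != 0) return 0;  /* -> (user, 0, 0) */
    return c.euid == 0;
}

int main(void) {
    uid user = 1000; /* constructed invoking user */
    printf("setuid() drop, root regained:   %s\n",
           drop_with_setuid_and_regain(user) ? "yes" : "no");
    printf("setreuid() swap, root regained: %s\n",
           drop_with_setreuid_and_regain(user) ? "yes" : "no");
    return 0;
}
```

The model_setreuid() rule that rewrites the saved id whenever ruid is changed is what makes the swap safe in both directions: after the first swap the saved id equals the user's id, but the real id still holds 0, which the unprivileged swap back is allowed to move into euid.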