Merged R8864

corepkgs/buildenv/builder.pl.in

@@ -70,7 +70,7 @@ sub createLinks {
                 }
                 unlink $dstFile or die "error unlinking `$dstFile': $!";
                 mkdir $dstFile, 0755 || die "error creating directory `$dstFile': $!";
-                createLinks($target, $dstFile, $priority); # !!! <- priority isn't right
+                createLinks($target, $dstFile, $priorities{$dstFile});
                 createLinks($srcFile, $dstFile, $priority);
             }
 

corepkgs/channels/unpack.sh.in

@@ -24,7 +24,7 @@ for ((n = 0; n < ${#inputs[*]}; n += 2)); do
     @coreutils@/mv * ../$dirName # !!! hacky
     
     attrName=$(echo $dirName | @tr@ -- '- ' '__')
-    echo "$attrName = import ./$dirName {};" >> $expr
+    echo "$attrName = let e = import ./$dirName; in if builtins.isFunction e then e {} else e;" >> $expr
 done
 
 echo '} // {_combineChannels = true;}' >> $expr

doc/manual/installation.xml

@@ -6,6 +6,39 @@
 <title>Installation</title>
 
 
+<section><title>Supported platforms</title>
+
+<para>Nix is currently supported on the following platforms:
+
+<itemizedlist>
+
+  <listitem><para>Linux (particularly on x86, x86_64, and
+  PowerPC).</para></listitem>
+
+  <listitem><para>Mac OS X, both on Intel and
+  PowerPC.</para></listitem>
+
+  <listitem><para>FreeBSD (only tested on Intel).</para></listitem>
+
+  <listitem><para>Windows through <link
+  xlink:href="http://www.cygwin.com/">Cygwin</link>.</para>
+
+  <warning><para>On Cygwin, Nix <emphasis>must</emphasis> be installed
+  on an NTFS partition.  It will not work correctly on a FAT
+  partition.</para></warning>
+
+  </listitem>
+
+</itemizedlist>
+
+</para>
+
+<para>Nix is pretty portable, so it should work on most other Unix
+platforms as well.</para>
+
+</section>
+
+
 <section><title>Obtaining Nix</title>
 
 <para>The easiest way to obtain Nix is to download a <link
@@ -97,7 +130,7 @@ preceded by the command:
     </para>
 
 <screen>
-$ autoreconf -i</screen>
+$ ./boostrap</screen>
 
 <para>The installation path can be specified by passing the
 <option>--prefix=<replaceable>prefix</replaceable></option> to
@@ -163,49 +196,44 @@ xlink:href="http://nix.cs.uu.nl/dist/nix/" />.</para>
 </section>
 
 
-<section><title>Permissions</title>
+<section><title>Security</title>
 
-<para>All Nix operations must be performed under the user ID that owns
+<para>Nix has two basic security models.  First, it can be used in
-the Nix store and database
+“single-user mode”, which is similar to what most other package
-(<filename><replaceable>prefix</replaceable>/store</filename> and
+management tools do: there is a single user (typically <systemitem
-<filename><replaceable>prefix</replaceable>/var/nix/db</filename>,
+class="username">root</systemitem>) who performs all package
-respectively).  When installed from the RPM packages, these
+management operations.  All other users can then use the installed
-directories are owned by <systemitem class="username">root</systemitem>.</para>
+packages, but they cannot perform package management operations
+themselves.</para>
 
-<section><title>Setuid installation</title>
+<para>Alternatively, you can configure Nix in “multi-user mode”.  In
+this model, all users can perform package management operations — for
+instance, every user can install software without requiring root
+privileges.  Nix ensures that this is secure.  For instance, it’s not
+possible for one user to overwrite a package used by another user with
+a Trojan horse.</para>
 
-<para>As a somewhat <emphasis>ad hoc</emphasis> hack, you can also
-install the Nix binaries <quote>setuid</quote> so that a Nix store can
-be shared among several users.  To do this, configure Nix with the
-<emphasis>--enable-setuid</emphasis> option.  Nix will be installed as
-owned by a user and group specified by the
-<option>--with-nix-user=</option><parameter>user</parameter> and
-<option>--with-nix-group=</option><parameter>group</parameter>
-options.  E.g.,
 
-<screen>
+<section><title>Single-user mode</title>
-$ ./configure --enable-setuid --with-nix-user=my_nix_user --with-nix-group=my_nix_group</screen>
   
-The user and group default to <literal>nix</literal>.  You should make
+<para>In single-user mode, all Nix operations that access the database
-sure that both the user and the group exist.  Any <quote>real</quote>
+in <filename><replaceable>prefix</replaceable>/var/nix/db</filename>
-users that you want to allow access should be added to the Nix
+or modify the Nix store in
-group.</para>
+<filename><replaceable>prefix</replaceable>/store</filename> must be
+performed under the user ID that owns those directories.  This is
+typically <systemitem class="username">root</systemitem>.  (If you
+install from RPM packages, that’s in fact the default ownership.)
+However, on single-user machines, it is often convenient to
+<command>chown</command> those directories to your normal user account
+so that you don’t have to <command>su</command> to <systemitem
+class="username">root</systemitem> all the time.</para>
 
-<warning><para>A setuid installation should only by used if the users
+</section>
-in the Nix group are mutually trusted, since any user in that group
-has the ability to change anything in the Nix store or database.  For
-instance, they could install a trojan horse in executables used by
-other users.</para></warning>
 
-<warning><para>On some platforms, the Nix binaries will be installed
-as setuid <literal>root</literal>.  They drop root privileges
-immediately after startup and switch to the Nix user.  The reason for
-this is that both the real and effective user must be set to the Nix
-user, and POSIX has no system call to do this.  This is not the case
-on systems that have the <function>setresuid()</function> system call
-(such as Linux and FreeBSD), so on those systems the binaries are
-simply owned by the Nix user.</para></warning>
 
+<section><title>Multi-user mode</title>
+
+<para></para>
 
 
 <!--
@@ -219,11 +247,17 @@ one.
 
 -->
 
-
+<note><para>Multi-user mode has one important limitation: only
+<systemitem class="username">root</systemitem> can run <command
+linkend="sec-nix-pull">nix-pull</command> to register the availability
+of pre-built binaries.  However, those registrations
+<emphasis>are</emphasis> used by all users to speed up
+builds.</para></note>
 
 </section>
 
-</section>
+
+</section> <!-- end of permissions section -->
 
 
 <section><title>Using Nix</title>

doc/manual/manual.xml

@@ -85,7 +85,7 @@
         <title>nix-prefetch-url</title>
         <xi:include href="nix-prefetch-url.xml" />
       </section>
-      <section>
+      <section xml:id="sec-nix-pull">
         <title>nix-pull</title>
         <xi:include href="nix-pull.xml" />
       </section>

doc/manual/nix-prefetch-url.xml

@@ -39,7 +39,7 @@ avoided.</para>
 <para>The environment variable <envar>NIX_HASH_ALGO</envar> specifies
 which hash algorithm to use.  It can be either <literal>md5</literal>,
 <literal>sha1</literal>, or <literal>sha256</literal>.  The default is
-<literal>md5</literal>.</para>
+<literal>sha256</literal>.</para>
 
 <para>If <replaceable>hash</replaceable> is specified, then a download
 is not performed if the Nix store already contains a file with the

doc/manual/release-notes.xml

@@ -12,7 +12,9 @@
 <itemizedlist>
 
 
-  <listitem><para>TODO: multi-user support.</para></listitem>
+  <listitem><para>TODO: multi-user support.  The old setuid method for
+  sharing a store between multiple users has been
+  removed.</para></listitem>
 
 
   <listitem><para><command>nix-copy-closure</command> copies the

scripts/nix-build.in

@@ -122,7 +122,7 @@ foreach my $expr (@exprs) {
     close DRVPATHS or exit 1;
 
     foreach my $drvPath (@drvPaths) {
-        my $target = readlink $drvPath;
+        my $target = readlink $drvPath or die "cannot read symlink `$drvPath'";
         print STDERR "store derivation is $target\n";
     }
 
@@ -134,7 +134,7 @@ foreach my $expr (@exprs) {
     close OUTPATHS or exit 1;
 
     foreach my $outPath (@outPaths) {
-        my $target = readlink $outPath;
+        my $target = readlink $outPath or die "cannot read symlink `$outPath'";
         print "$target\n";
     }
 }

scripts/nix-channel.in

@@ -94,7 +94,6 @@ sub update {
         $url =~ /\/([^\/]+)\/?$/;
         my $channelName = $1;
         $channelName = "unnamed" unless defined $channelName;
-        print "$channelName\n";
 
         my $fullURL = "$url/nixexprs.tar.bz2";
         print "downloading Nix expressions from `$fullURL'...\n";

scripts/nix-copy-closure.in

@@ -120,7 +120,6 @@ else { # Copy FROM the remote machine.
         if (!defined $storePathsSeen{$_}) {
             push @allStorePaths, $_;
             $storePathsSeen{$_} = 1;
-            print "GOT $_\n";
         }
     }
 

src/libexpr/eval.cc

@@ -478,7 +478,7 @@ LocalNoInline(Expr evalCall(EvalState & state, Expr fun, Expr arg))
     }
 
     else throwTypeError(
-        "the left-hand side of the function call is neither a function nor a primop (built-in operation) but %1%",
+        "attempt to call something which is neither a function nor a primop (built-in operation) but %1%",
         showType(fun));
 }
 

src/libexpr/parser.y

@@ -249,6 +249,7 @@ expr_list
 formals
   : formal ',' formals { $$ = ATinsert($3, $1); } /* idem - right recursive */
   | formal { $$ = ATinsert(ATempty, $1); }
+  | { $$ = ATempty; }
   ;
 
 formal

src/libexpr/primops.cc

@@ -116,6 +116,18 @@ static Expr prim_isNull(EvalState & state, const ATermVector & args)
 }
 
 
+/* Determine whether the argument is a function. */
+static Expr prim_isFunction(EvalState & state, const ATermVector & args)
+{
+    Expr e = evalExpr(state, args[0]);
+    ATermList formals;
+    ATerm name, body, pos;
+    return makeBool(
+        matchFunction(e, formals, body, pos) ||
+        matchFunction1(e, name, body, pos));
+}
+
+
 static Path findDependency(Path dir, string dep)
 {
     if (dep[0] == '/') throw EvalError(
@@ -1032,6 +1044,7 @@ void EvalState::addPrimOps()
     // Miscellaneous
     addPrimOp("import", 1, prim_import);
     addPrimOp("isNull", 1, prim_isNull);
+    addPrimOp("__isFunction", 1, prim_isFunction);
     addPrimOp("dependencyClosure", 1, prim_dependencyClosure);
     addPrimOp("abort", 1, prim_abort);
     addPrimOp("throw", 1, prim_throw);

src/libstore/db.cc

@@ -145,6 +145,15 @@ Database::~Database()
 
 void openEnv(DbEnv * & env, const string & path, u_int32_t flags)
 {
+    try {
+        createDirs(path);
+    } catch (SysError & e) {
+        if (e.errNo == EPERM || e.errNo == EACCES)
+            throw DbNoPermission(format("cannot create the Nix database in `%1%'") % path);
+        else
+            throw;
+    }
+        
     try {
         env->open(path.c_str(),
             DB_INIT_LOCK | DB_INIT_LOG | DB_INIT_MPOOL | DB_INIT_TXN |

src/libstore/gc.cc

@@ -97,6 +97,11 @@ Path addPermRoot(const Path & _storePath, const Path & _gcRoot,
     Path gcRoot(canonPath(_gcRoot));
     assertStorePath(storePath);
 
+    if (isInStore(gcRoot))
+        throw Error(format(
+                "creating a garbage collector root (%1%) in the Nix store is forbidden "
+                "(are you running nix-build inside the store?)") % gcRoot);
+
     if (indirect) {
         createSymlink(gcRoot, storePath, true);
         store->addIndirectRoot(gcRoot);
@@ -114,7 +119,6 @@ Path addPermRoot(const Path & _storePath, const Path & _gcRoot,
         }
             
         createSymlink(gcRoot, storePath, false);
-
     }
 
     /* Check that the root can be found by the garbage collector. */

src/libstore/local-store.hh

@@ -13,7 +13,7 @@ class Transaction;
 
 
 /* Nix store and database schema version.  Version 1 (or 0) was Nix <=
-   0.7.  Version 2 was Nix 0.8 and 0.8.  Version 3 is Nix 0.10 and
+   0.7.  Version 2 was Nix 0.8 and 0.9.  Version 3 is Nix 0.10 and
    up. */
 const int nixSchemaVersion = 3;
 

tests/lang/eval-okay-empty-args.exp

@@ -0,0 +1 @@
+Str("ab",[])

tests/lang/eval-okay-empty-args.nix

@@ -0,0 +1 @@
+({}: {x,y,}: "${x}${y}") {} {x = "a"; y = "b";}