From f7c95fde8880ce28662de9ff0dd3de0cdcc3877c Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Tue, 8 Jul 2025 16:14:06 +0200 Subject: [PATCH 1/9] Bump version --- .version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.version b/.version index 6a6900382..bcec02eeb 100644 --- a/.version +++ b/.version @@ -1 +1 @@ -2.30.0 +2.30.1 From 48c7e5e14fc341e859a7cbace67cd6849c369591 Mon Sep 17 00:00:00 2001 From: John Soo Date: Mon, 7 Jul 2025 11:14:12 -0600 Subject: [PATCH 2/9] installers, tests: remove --preserve=mode from cp invocations -p preserves xattrs and acls which can be incompatible between filesystems Unfortunately keep -p on darwin because the bsd coreutils do not support --preserve. Fixes #13426 (cherry picked from commit 87299e466daca97fd48d3d446bb587e4f9d46d9a) --- scripts/install-multi-user.sh | 9 +++++++-- scripts/install-nix-from-tarball.sh | 6 +++++- tests/nixos/github-flakes.nix | 2 +- tests/nixos/sourcehut-flakes.nix | 2 +- tests/nixos/tarball-flakes.nix | 2 +- 5 files changed, 15 insertions(+), 6 deletions(-) diff --git a/scripts/install-multi-user.sh b/scripts/install-multi-user.sh index f051ccc46..e9ddfc014 100644 --- a/scripts/install-multi-user.sh +++ b/scripts/install-multi-user.sh @@ -834,8 +834,13 @@ install_from_extracted_nix() { ( cd "$EXTRACTED_NIX_PATH" - _sudo "to copy the basic Nix files to the new store at $NIX_ROOT/store" \ - cp -RPp ./store/* "$NIX_ROOT/store/" + if is_os_darwin; then + _sudo "to copy the basic Nix files to the new store at $NIX_ROOT/store" \ + cp -RPp ./store/* "$NIX_ROOT/store/" + else + _sudo "to copy the basic Nix files to the new store at $NIX_ROOT/store" \ + cp -RP --preserve=ownership,timestamps ./store/* "$NIX_ROOT/store/" + fi _sudo "to make the new store non-writable at $NIX_ROOT/store" \ chmod -R ugo-w "$NIX_ROOT/store/" diff --git a/scripts/install-nix-from-tarball.sh b/scripts/install-nix-from-tarball.sh index 8d127a9c5..ec3264793 100644 --- a/scripts/install-nix-from-tarball.sh +++ b/scripts/install-nix-from-tarball.sh @@ -167,7 +167,11 @@ for i in $(cd "$self/store" >/dev/null && echo ./*); do rm -rf "$i_tmp" fi if ! [ -e "$dest/store/$i" ]; then - cp -RPp "$self/store/$i" "$i_tmp" + if [ "$(uname -s)" = "Darwin" ]; then + cp -RPp "$self/store/$i" "$i_tmp" + else + cp -RP --preserve=ownership,timestamps "$self/store/$i" "$i_tmp" + fi chmod -R a-w "$i_tmp" chmod +w "$i_tmp" mv "$i_tmp" "$dest/store/$i" diff --git a/tests/nixos/github-flakes.nix b/tests/nixos/github-flakes.nix index 06142c2ef..91fd6b062 100644 --- a/tests/nixos/github-flakes.nix +++ b/tests/nixos/github-flakes.nix @@ -81,7 +81,7 @@ let mkdir -p $out/archive dir=NixOS-nixpkgs-${nixpkgs.shortRev} - cp -prd ${nixpkgs} $dir + cp -rd --preserve=ownership,timestamps ${nixpkgs} $dir # Set the correct timestamp in the tarball. find $dir -print0 | xargs -0 touch -h -t ${builtins.substring 0 12 nixpkgs.lastModifiedDate}.${ builtins.substring 12 2 nixpkgs.lastModifiedDate diff --git a/tests/nixos/sourcehut-flakes.nix b/tests/nixos/sourcehut-flakes.nix index 61670ccf3..3f05130d6 100644 --- a/tests/nixos/sourcehut-flakes.nix +++ b/tests/nixos/sourcehut-flakes.nix @@ -48,7 +48,7 @@ let nixpkgs-repo = pkgs.runCommand "nixpkgs-flake" { } '' dir=NixOS-nixpkgs-${nixpkgs.shortRev} - cp -prd ${nixpkgs} $dir + cp -rd --preserve=ownership,timestamps ${nixpkgs} $dir # Set the correct timestamp in the tarball. find $dir -print0 | xargs -0 touch -h -t ${builtins.substring 0 12 nixpkgs.lastModifiedDate}.${ diff --git a/tests/nixos/tarball-flakes.nix b/tests/nixos/tarball-flakes.nix index 7b3638b64..26c20cb1a 100644 --- a/tests/nixos/tarball-flakes.nix +++ b/tests/nixos/tarball-flakes.nix @@ -13,7 +13,7 @@ let set -x dir=nixpkgs-${nixpkgs.shortRev} - cp -prd ${nixpkgs} $dir + cp -rd --preserve=ownership,timestamps ${nixpkgs} $dir # Set the correct timestamp in the tarball. find $dir -print0 | xargs -0 touch -h -t ${builtins.substring 0 12 nixpkgs.lastModifiedDate}.${ builtins.substring 12 2 nixpkgs.lastModifiedDate From dcc4b7c6fd9b382b3aa43c452729794ad26e5bec Mon Sep 17 00:00:00 2001 From: h0nIg Date: Wed, 9 Jul 2025 09:30:11 +0200 Subject: [PATCH 3/9] docker: fix nixConf (cherry picked from commit 8a1f471b6607e4626e2cd8ca1e02401578e0044d) --- docker.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker.nix b/docker.nix index c6e8e478e..2addd0458 100644 --- a/docker.nix +++ b/docker.nix @@ -184,11 +184,11 @@ let } " = "; }; - nixConfContents = toConf { + nixConfContents = toConf ({ sandbox = false; build-users-group = "nixbld"; trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; - }; + } // nixConf); userHome = if uid == 0 then "/root" else "/home/${uname}"; From 8b0cfaed9b347b8b132aaadd3f56abd3e2f31ed4 Mon Sep 17 00:00:00 2001 From: h0nIg Date: Wed, 9 Jul 2025 09:34:50 +0200 Subject: [PATCH 4/9] docker: fix nixConf - fmt (cherry picked from commit 9857c0bb52cfb62f324ce598214f20cc3521e3a8) --- docker.nix | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/docker.nix b/docker.nix index 2addd0458..f59492025 100644 --- a/docker.nix +++ b/docker.nix @@ -184,11 +184,14 @@ let } " = "; }; - nixConfContents = toConf ({ - sandbox = false; - build-users-group = "nixbld"; - trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; - } // nixConf); + nixConfContents = toConf ( + { + sandbox = false; + build-users-group = "nixbld"; + trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; + } + // nixConf + ); userHome = if uid == 0 then "/root" else "/home/${uname}"; From 37487eec8e40e04aa4091669537386ff87bc20c1 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 9 Jul 2025 17:00:49 +0200 Subject: [PATCH 5/9] lockFlake(): When updating a lock, respect the input's lock file (cherry picked from commit 95437b90fc68bd3fff5a47bd4ac6e5186eb51a00) --- src/libflake/flake.cc | 10 +++----- tests/functional/flakes/flakes.sh | 38 +++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 7 deletions(-) diff --git a/src/libflake/flake.cc b/src/libflake/flake.cc index 322abaa4a..7a11e6047 100644 --- a/src/libflake/flake.cc +++ b/src/libflake/flake.cc @@ -715,16 +715,12 @@ LockedFlake lockFlake( Finally cleanup([&]() { parents.pop_back(); }); /* Recursively process the inputs of this - flake. Also, unless we already have this flake - in the top-level lock file, use this flake's - own lock file. */ + flake, using its own lock file. */ nodePaths.emplace(childNode, inputFlake.path.parent()); computeLocks( inputFlake.inputs, childNode, inputAttrPath, - oldLock - ? std::dynamic_pointer_cast(oldLock) - : readLockFile(state.fetchSettings, inputFlake.lockFilePath()).root.get_ptr(), - oldLock ? followsPrefix : inputAttrPath, + readLockFile(state.fetchSettings, inputFlake.lockFilePath()).root.get_ptr(), + inputAttrPath, inputFlake.path, false); } diff --git a/tests/functional/flakes/flakes.sh b/tests/functional/flakes/flakes.sh index ce695a6cb..7fd9dc9b5 100755 --- a/tests/functional/flakes/flakes.sh +++ b/tests/functional/flakes/flakes.sh @@ -432,3 +432,41 @@ nix flake metadata "$flake2Dir" --reference-lock-file $TEST_ROOT/flake2-overridd # reference-lock-file can only be used if allow-dirty is set. expectStderr 1 nix flake metadata "$flake2Dir" --no-allow-dirty --reference-lock-file $TEST_ROOT/flake2-overridden.lock + +# After changing an input (flake2 from newFlake2Rev to prevFlake2Rev), we should have the transitive inputs locked by revision $prevFlake2Rev of flake2. +prevFlake1Rev=$(nix flake metadata --json "$flake1Dir" | jq -r .revision) +prevFlake2Rev=$(nix flake metadata --json "$flake2Dir" | jq -r .revision) + +echo "# bla" >> "$flake1Dir/flake.nix" +git -C "$flake1Dir" commit flake.nix -m 'bla' + +nix flake update --flake "$flake2Dir" +git -C "$flake2Dir" commit flake.lock -m 'bla' + +newFlake1Rev=$(nix flake metadata --json "$flake1Dir" | jq -r .revision) +newFlake2Rev=$(nix flake metadata --json "$flake2Dir" | jq -r .revision) + +cat > "$flake3Dir/flake.nix" < "$flake3Dir/flake.nix" < Date: Thu, 10 Jul 2025 11:41:32 +0200 Subject: [PATCH 6/9] fetchClosure: Fix gcc warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: [261/394] Linking target src/libexpr/libnixexpr.so In function ‘copy’, inlined from ‘__ct ’ at /nix/store/24sdvjs6rfqs69d21gdn437mb3vc0svh-gcc-14.2.1.20250322/include/c++/14.2.1.20250322/bits/basic_string.h:688:23, inlined from ‘operator+’ at /nix/store/24sdvjs6rfqs69d21gdn437mb3vc0svh-gcc-14.2.1.20250322/include/c++/14.2.1.20250322/bits/basic_string.h:3735:43, inlined from ‘operator()’ at ../src/libexpr/primops/fetchClosure.cc:127:58, inlined from ‘prim_fetchClosure’ at ../src/libexpr/primops/fetchClosure.cc:132:88: /nix/store/24sdvjs6rfqs69d21gdn437mb3vc0svh-gcc-14.2.1.20250322/include/c++/14.2.1.20250322/bits/char_traits.h:427:56: warning: ‘__builtin_memcpy’ writing 74 bytes into a region of size 16 overflows the destination [-Wstringop-overflow=] 427 | return static_cast(__builtin_memcpy(__s1, __s2, __n)); | ^ ../src/libexpr/primops/fetchClosure.cc: In function ‘prim_fetchClosure’: ../src/libexpr/primops/fetchClosure.cc:132:88: note: at offset 16 into destination object ‘’ of size 32 132 | fromPath = state.coerceToStorePath(attr.pos, *attr.value, context, attrHint()); | ^ (cherry picked from commit aa18dc54dc76102b9f568b4db5d75a5a122e1302) --- src/libexpr/primops/fetchClosure.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libexpr/primops/fetchClosure.cc b/src/libexpr/primops/fetchClosure.cc index ea6145f6f..4be4dac8f 100644 --- a/src/libexpr/primops/fetchClosure.cc +++ b/src/libexpr/primops/fetchClosure.cc @@ -124,7 +124,7 @@ static void prim_fetchClosure(EvalState & state, const PosIdx pos, Value * * arg for (auto & attr : *args[0]->attrs()) { const auto & attrName = state.symbols[attr.name]; auto attrHint = [&]() -> std::string { - return "while evaluating the '" + attrName + "' attribute passed to builtins.fetchClosure"; + return fmt("while evaluating the attribute '%s' passed to builtins.fetchClosure", attrName); }; if (attrName == "fromPath") { From 382e25405aed7913ebc679df5820be53876899b5 Mon Sep 17 00:00:00 2001 From: Sergei Zimmerman Date: Fri, 11 Jul 2025 20:20:48 +0300 Subject: [PATCH 7/9] libexpr: Fix invalid handling of errors for imported functions c39cc004043b95d55a0c2c2bdba58d6d3e0db846 has added assertions for all Value accesses and the following case has started failing with an `unreachable`: (/tmp/fun.nix): ```nix {a}: a ``` ``` $ nix eval --impure --expr 'import /tmp/fun.nix {a="a";b="b";}' ``` This would crash: ``` terminating due to unexpected unrecoverable internal error: Unexpected condition in getStorage at ../include/nix/expr/value.hh:844 ``` This is not a regression, but rather surfaces an existing problem, which previously was left undiagnosed. In the case of an import `fun` is the `import` primOp, so that read is invalid and previously this resulted in an access into an inactive union member, which is UB. The correct thing to use is `vCur`. Identical problem also affected the case of a missing argument. Add previously failing test cases to the functional/lang test suite. Fixes #13448. (cherry picked from commit 6e78cc90d3415694ec15bd273b47d21bb1be96ad) --- src/libexpr/eval.cc | 4 ++-- .../lang/eval-fail-missing-arg-import.err.exp | 12 ++++++++++++ .../lang/eval-fail-missing-arg-import.nix | 1 + .../lang/eval-fail-undeclared-arg-import.err.exp | 13 +++++++++++++ .../lang/eval-fail-undeclared-arg-import.nix | 4 ++++ .../lang/non-eval-trivial-lambda-formals.nix | 1 + 6 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 tests/functional/lang/eval-fail-missing-arg-import.err.exp create mode 100644 tests/functional/lang/eval-fail-missing-arg-import.nix create mode 100644 tests/functional/lang/eval-fail-undeclared-arg-import.err.exp create mode 100644 tests/functional/lang/eval-fail-undeclared-arg-import.nix create mode 100644 tests/functional/lang/non-eval-trivial-lambda-formals.nix diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc index 1321e00a5..47cc35daa 100644 --- a/src/libexpr/eval.cc +++ b/src/libexpr/eval.cc @@ -1602,7 +1602,7 @@ void EvalState::callFunction(Value & fun, std::span args, Value & vRes, symbols[i.name]) .atPos(lambda.pos) .withTrace(pos, "from call site") - .withFrame(*fun.lambda().env, lambda) + .withFrame(*vCur.lambda().env, lambda) .debugThrow(); } env2.values[displ++] = i.def->maybeThunk(*this, env2); @@ -1629,7 +1629,7 @@ void EvalState::callFunction(Value & fun, std::span args, Value & vRes, .atPos(lambda.pos) .withTrace(pos, "from call site") .withSuggestions(suggestions) - .withFrame(*fun.lambda().env, lambda) + .withFrame(*vCur.lambda().env, lambda) .debugThrow(); } unreachable(); diff --git a/tests/functional/lang/eval-fail-missing-arg-import.err.exp b/tests/functional/lang/eval-fail-missing-arg-import.err.exp new file mode 100644 index 000000000..45774f003 --- /dev/null +++ b/tests/functional/lang/eval-fail-missing-arg-import.err.exp @@ -0,0 +1,12 @@ +error: + … from call site + at /pwd/lang/eval-fail-missing-arg-import.nix:1:1: + 1| import ./non-eval-trivial-lambda-formals.nix { } + | ^ + 2| + + error: function 'anonymous lambda' called without required argument 'a' + at /pwd/lang/non-eval-trivial-lambda-formals.nix:1:1: + 1| { a }: a + | ^ + 2| diff --git a/tests/functional/lang/eval-fail-missing-arg-import.nix b/tests/functional/lang/eval-fail-missing-arg-import.nix new file mode 100644 index 000000000..7cb33f2b5 --- /dev/null +++ b/tests/functional/lang/eval-fail-missing-arg-import.nix @@ -0,0 +1 @@ +import ./non-eval-trivial-lambda-formals.nix { } diff --git a/tests/functional/lang/eval-fail-undeclared-arg-import.err.exp b/tests/functional/lang/eval-fail-undeclared-arg-import.err.exp new file mode 100644 index 000000000..ca797d3ec --- /dev/null +++ b/tests/functional/lang/eval-fail-undeclared-arg-import.err.exp @@ -0,0 +1,13 @@ +error: + … from call site + at /pwd/lang/eval-fail-undeclared-arg-import.nix:1:1: + 1| import ./non-eval-trivial-lambda-formals.nix { + | ^ + 2| a = "a"; + + error: function 'anonymous lambda' called with unexpected argument 'b' + at /pwd/lang/non-eval-trivial-lambda-formals.nix:1:1: + 1| { a }: a + | ^ + 2| + Did you mean a? diff --git a/tests/functional/lang/eval-fail-undeclared-arg-import.nix b/tests/functional/lang/eval-fail-undeclared-arg-import.nix new file mode 100644 index 000000000..e8454c725 --- /dev/null +++ b/tests/functional/lang/eval-fail-undeclared-arg-import.nix @@ -0,0 +1,4 @@ +import ./non-eval-trivial-lambda-formals.nix { + a = "a"; + b = "b"; +} diff --git a/tests/functional/lang/non-eval-trivial-lambda-formals.nix b/tests/functional/lang/non-eval-trivial-lambda-formals.nix new file mode 100644 index 000000000..46a7ea4f4 --- /dev/null +++ b/tests/functional/lang/non-eval-trivial-lambda-formals.nix @@ -0,0 +1 @@ +{ a }: a From 1cf202650aa664960093ee33475f8cb4cc4fce11 Mon Sep 17 00:00:00 2001 From: gustavderdrache Date: Fri, 11 Jul 2025 18:00:26 -0400 Subject: [PATCH 8/9] Address ifdef problem with macOS/BSD sandboxing (cherry picked from commit e2ef2cfcbc83ea01308ee64c38a58707ab23dec3) --- src/libstore/unix/user-lock.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libstore/unix/user-lock.cc b/src/libstore/unix/user-lock.cc index 6a07cb7cc..f5d164e5b 100644 --- a/src/libstore/unix/user-lock.cc +++ b/src/libstore/unix/user-lock.cc @@ -197,7 +197,7 @@ bool useBuildUsers() #ifdef __linux__ static bool b = (settings.buildUsersGroup != "" || settings.autoAllocateUids) && isRootUser(); return b; - #elif defined(__APPLE__) && defined(__FreeBSD__) + #elif defined(__APPLE__) || defined(__FreeBSD__) static bool b = settings.buildUsersGroup != "" && isRootUser(); return b; #else From 9497b593c685bfb40fd684fe4c21207c9fdf0c66 Mon Sep 17 00:00:00 2001 From: gustavderdrache Date: Fri, 11 Jul 2025 18:38:51 -0400 Subject: [PATCH 9/9] CI: Roll nix version to 2.29.1 This works around the macOS issue that the prior commit addresses. (cherry picked from commit 8e5814d972642def9842fba3f8a6116f6b9e5c96) --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 29cb33f56..ac749bc3f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,6 +14,8 @@ jobs: with: fetch-depth: 0 - uses: cachix/install-nix-action@v31 + with: + install_url: "https://releases.nixos.org/nix/nix-2.29.1/install" - run: nix --experimental-features 'nix-command flakes' flake show --all-systems --json tests: @@ -36,6 +38,7 @@ jobs: fetch-depth: 0 - uses: cachix/install-nix-action@v31 with: + install_url: "https://releases.nixos.org/nix/nix-2.29.1/install" # The sandbox would otherwise be disabled by default on Darwin extra_nix_config: | sandbox = true