mirror of https://github.com/NixOS/nix.git synced 2025-11-27 12:41:00 +01:00
Commit graph

21493 commits

Author SHA1 Message Date
Raito Bezarius
4ea4813753 libstore: ensure that temporary directory is always 0o000 before deletion
In the case the deletion fails, we should ensure that the temporary
directory cannot be used for nefarious purposes.

Change-Id: I498a2dd0999a74195d13642f44a5de1e69d46120
Signed-off-by: Raito Bezarius <raito@lix.systems>
2025-06-22 16:48:33 +02:00
Raito Bezarius
5ec047f348 libutil: ensure that _deletePath does NOT use absolute paths with dirfds
When calling `_deletePath` with a parent file descriptor, `openat` is
made effective by using relative paths to the directory file descriptor.

To avoid the problem, the signature is changed to resist misuse with an
assert in the prologue of the function.

Change-Id: I6b3fc766bad2afe54dc27d47d1df3873e188de96
Signed-off-by: Raito Bezarius <raito@lix.systems>
2025-06-22 16:48:33 +02:00
Raito Bezarius
4e59d3fdb2 libstore: ensure that passAsFile is created in the original temp dir
This ensures that `passAsFile` data is created inside the expected
temporary build directory by `openat()` from the parent directory file
descriptor.

This avoids a TOCTOU which is part of the attack chain of CVE-????.

Change-Id: Ie5273446c4a19403088d0389ae8e3f473af8879a
Signed-off-by: Raito Bezarius <raito@lix.systems>
2025-06-22 16:48:33 +02:00
Raito Bezarius
034f59bbb9 libutil: writeFile variant for file descriptors
`writeFile` loses its `sync` boolean flag to make things simpler.

A new `writeFileAndSync` function is created and all call sites are
converted to it.

Change-Id: Ib871a5283a9c047db1e4fe48a241506e4aab9192
Signed-off-by: Raito Bezarius <raito@lix.systems>
2025-06-22 16:48:33 +02:00
Raito Bezarius
002d202653 libstore: chown to builder variant for file descriptors
We use it immediately for the build temporary directory.

Change-Id: I180193c63a2b98721f5fb8e542c4e39c099bb947
Signed-off-by: Raito Bezarius <raito@lix.systems>
2025-06-22 16:48:33 +02:00
Raito Bezarius
6a5b6ad3b7 libstore: open build directory as a dirfd as well
We now keep around a proper AutoCloseFD around the temporary directory
which we plan to use for openat operations and avoiding the build
directory being swapped out while we are doing something else.

Change-Id: I18d387b0f123ebf2d20c6405cd47ebadc5505f2a
Signed-off-by: Raito Bezarius <raito@lix.systems>
2025-06-22 16:48:33 +02:00
Raito Bezarius
7226a116a0 libutil: guess or invent a path from file descriptors
This is useful for certain error recovery paths (no pun intended) that
do not thread through the original path name.

Change-Id: I2d800740cb4f9912e64c923120d3f977c58ccb7e
Signed-off-by: Raito Bezarius <raito@lix.systems>
2025-06-22 16:48:33 +02:00
John Ericson
b9b510d692
Merge pull request #13383 from xokdvium/meson-format-multiline
Restore multiline formatting of lists in meson files
2025-06-20 18:19:03 -04:00
Sergei Zimmerman
a4dcce36c9
Merge pull request #13382 from synalice/patch-3
Update docs
2025-06-20 23:18:11 +03:00
Sergei Zimmerman
6ef683cb2a
Restore multiline formatting of lists in meson files
Applies a workaround to enforce multiline formatting
of lists to reduce code churn introduced in 93a42a5971.
2025-06-20 23:12:36 +03:00
Nikita Krasnov
785f3867fd
Update docs 2025-06-20 21:19:13 +03:00
Robert Hensing
42ea2724a8
Merge pull request #13353 from lucperkins/messages-present-tense
Rework future tense in user-facing messages
2025-06-20 10:43:03 +02:00
Luc Perkins
3132aba8e4
Fix broken test 2025-06-19 15:23:10 -07:00
Luc Perkins
9c120596ec
Merge remote-tracking branch 'upstream/master' into messages-present-tense 2025-06-19 10:51:50 -07:00
Eelco Dolstra
1d5e161755
Merge pull request #113 from DeterminateSystems/eelcodolstra/fh-851-lock-nar-hashes-by-default
Add lazy-locks setting
2025-06-19 17:01:14 +00:00
Eelco Dolstra
692dfb424a
Merge pull request #117 from DeterminateSystems/test-uncacheable
Fix fetchToStore() caching with --impure, improve testing
2025-06-19 16:51:11 +00:00
Vladimír Čunát
5d2986d3c5 tests: fixup with jq-1.8.0 2025-06-19 18:48:59 +02:00
Jörg Thalheim
aa1629ca35
Merge pull request #13378 from NixOS/improve-rosetta-hint
Improve the Rosetta installation hint
2025-06-19 16:38:10 +02:00
mergify[bot]
075df0b446
Merge pull request #13380 from NixOS/mergify/bp/2.29-maintenance/pr-13376
Revert "Drop magic-nix-cache" (backport #13376)
2025-06-19 12:44:08 +00:00
Eelco Dolstra
2f6c758d3d Revert "Drop magic-nix-cache"
This reverts commit 9cc8be2674 since
magic-nix-cache works again (thanks @jchv).

(cherry picked from commit 9b57573bae)
2025-06-19 12:12:28 +00:00
Jörg Thalheim
a8a5537109
Merge pull request #13376 from NixOS/use-magic-nix-cache
Revert "Drop magic-nix-cache"
2025-06-19 14:10:55 +02:00
Eelco Dolstra
20ba6be749 Improve the Rosetta installation hint
The Nix daemon detects supported system types at start time, so it
needs to be restarted to detect x86_64-darwin support.
2025-06-19 13:58:51 +02:00
John Ericson
d254c840b5
Merge pull request #13349 from obsidiansystems/structured-attrs-json
Introduce top-level `structuredAttrs` field in JSON derivation format
2025-06-18 16:35:42 -04:00
Eelco Dolstra
9b57573bae Revert "Drop magic-nix-cache"
This reverts commit 9cc8be2674 since
magic-nix-cache works again (thanks @jchv).
2025-06-18 18:06:24 +02:00
Eelco Dolstra
fc47178d0d
Merge pull request #13372 from synalice/patch-1
Fix broken link
2025-06-18 17:54:04 +02:00
Eelco Dolstra
197484ce1f
Merge pull request #13373 from synalice/patch-2
Fix typo
2025-06-18 17:52:38 +02:00
mergify[bot]
4c7e5ce7a8
Merge pull request #13375 from NixOS/mergify/bp/2.29-maintenance/pr-13371
tests: fixup with jq-1.8.0 (backport #13371)
2025-06-18 15:51:12 +00:00
Luc Perkins
d6710b4c04
Merge remote-tracking branch 'upstream/master' into messages-present-tense 2025-06-18 08:24:23 -07:00
Luc Perkins
d2a25fbe51
Fix Nix formatting changes 2025-06-18 08:23:37 -07:00
Vladimír Čunát
86fbaf3b14 tests: fixup with jq-1.8.0
(cherry picked from commit 77f6b6532f)
2025-06-18 15:18:06 +00:00
Eelco Dolstra
cd97c545d9
Merge pull request #13371 from vcunat/p/jq-1.8.0_master
tests: fixup with jq-1.8.0
2025-06-18 17:17:24 +02:00
Nikita Krasnov
86dda9884a
Fix typo 2025-06-18 12:46:53 +03:00
Nikita Krasnov
da76bc0cac
Fix broken link 2025-06-18 12:40:07 +03:00
Vladimír Čunát
77f6b6532f
tests: fixup with jq-1.8.0 2025-06-18 10:11:50 +02:00
Graham Christensen
fc2d5a18d1
Merge pull request #121 from DeterminateSystems/release-v3.6.6/3dd48fe2-439e-4ecf-884f-aec379a22d28
Release v3.6.6
2025-06-17 23:08:38 +00:00
Graham Christensen
cd0128796a
Apply suggestions from code review 2025-06-17 18:21:01 -04:00
github-actions[bot]
f9b88e3229
Generate release notes for 3.6.6 2025-06-17 22:16:00 +00:00
github-actions[bot]
97af07180c
Set .version-determinate to 3.6.6 2025-06-17 22:15:55 +00:00
github-actions[bot]
1eab4236d4
Prepare release v3.6.6 2025-06-17 22:15:52 +00:00
Eelco Dolstra
bb32fcdf30
Merge pull request #13368 from wolfgangwalther/race-state-creation
libstore: fix race condition when creating state directories
2025-06-17 11:33:29 +02:00
Eelco Dolstra
59c7dac867 Git fetcher: Do not consider a null revision (i.e. workdir) to be locked 2025-06-17 10:55:23 +02:00
Wolfgang Walther
d64c922164
libstore: fix race condition when creating state directories
Running parallel nix in nix can lead to multiple instances trying to
create the state directories and failing on the `createSymlink` step,
because the link already exists.

`replaceSymlink` is already idempotent, so let's use that.

Resolves #2706
2025-06-17 08:45:29 +02:00
John Ericson
cdb417854b
Merge pull request #13366 from drupol/push-smvorxlvxusx
docker: add basics OpenContainers labels
2025-06-16 18:11:53 -04:00
Eelco Dolstra
3a4e6cadeb Improve regression testing for uncachable source paths
These now throw an error by default in the test suite.
2025-06-16 23:59:33 +02:00
Eelco Dolstra
a175c67def Fix rootFS fingerprint in the impure case 2025-06-16 23:59:33 +02:00
Eelco Dolstra
5329a45ade Git fetcher: Make dirty repos with no commits cacheable 2025-06-16 23:59:33 +02:00
Graham Christensen
7469e7aa57
Merge pull request #119 from DeterminateSystems/release-v3.6.5/c7ec4397-7427-42b1-87fb-1266bc444391
Release v3.6.5
2025-06-16 21:29:31 +00:00
Graham Christensen
0f3892185d Add a final newline in the generated release notes 2025-06-16 17:21:26 -04:00
Graham Christensen
c0e53f3312 Move the 3.6.4 notes over 2025-06-16 17:20:06 -04:00
Graham Christensen
97e2e9159b Fixup generar->te in commit automation 2025-06-16 17:17:42 -04:00