content hashes. This is to prevent a rewrite of
...HASH...HASH...
and
...HASH...0000...
(where HASH is the randomly generated prefix) from hashing to the
same value. This would happen because they would both resolve to
...0000...0000... Exploiting this into a security hole is left as
an exercise to the reader ;-)
idea is that any component in the Nix store has a store path
name whose hash component equals the hash of the contents of
that component, i.e.,
hashPartOf(path) = hashOf(contentsAt(path))
E.g., a path /nix/store/nc35k7yr8...-foo would have content hash
nc35k7yr8...
Of course, when building components in the Nix store, we don't know
the content hash until after the component has been built. We
will handle this by building the component at some randomly
generated prefix in the Nix store, and then afterwards *rewriting*
the random prefix to the hash of the actual contents.
The tricky part is components that reference themselves, such as ELF
executables that contain themselves in their RPATH. We can support
this by computing content hashes "modulo" the original prefix, i.e.,
we zero out every occurrence of the randomly generated prefix,
compute the content hash, then rewrite the random prefix to the
final location.
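The scheme above (build at a random prefix, hash "modulo" that prefix, rewrite the prefix to the final hash) as an added illustration; this is not code from Nix or from the commit author. It assumes the offsets of the prefix occurrences are mixed into the hash, which is what keeps `...HASH...HASH...` and `...HASH...0000...` from hashing to the same value as noted further up; the 32-character random prefix and the sample contents are constructed.

```python
import hashlib

ZERO = b"0"
# Constructed stand-in for the randomly generated build prefix (32 chars, like a Nix hash part).
RANDOM_PREFIX = b"rand0m9rand0m9rand0m9rand0m9rand"

def find_all(data: bytes, needle: bytes) -> list:
    """Offsets of every non-overlapping occurrence of `needle` in `data`."""
    offsets, start = [], 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + len(needle)

def hash_modulo(data: bytes, prefix: bytes) -> str:
    """Content hash modulo `prefix`: zero out every occurrence of the prefix so the
    hash does not depend on the random prefix used during the build.  The offsets
    of the occurrences are fed in as well (an assumption here), so that
    '...HASH...HASH...' and '...HASH...0000...' hash differently even though both
    zero out to '...0000...0000...'."""
    offsets = find_all(data, prefix)
    zeroed = data.replace(prefix, ZERO * len(prefix))
    digest = hashlib.sha256(zeroed)
    for off in offsets:
        digest.update(b"|" + str(off).encode())
    # Truncate to the prefix length so the result can replace the prefix in place.
    return digest.hexdigest()[: len(prefix)]

def rewrite(data: bytes, prefix: bytes, final: bytes) -> bytes:
    """Rewrite the random prefix to the final hash; same length, so offsets survive."""
    assert len(final) == len(prefix)
    return data.replace(prefix, final)

def build_and_rewrite(built: bytes) -> tuple:
    """Simulate the full cycle: hash the freshly built contents modulo the random
    prefix, rewrite the prefix to that hash, and check the store invariant
    hashPartOf(path) == hashOf(contentsAt(path)) still holds for the
    self-referencing result (hashed modulo its own final hash)."""
    final_hash = hash_modulo(built, RANDOM_PREFIX)
    final = rewrite(built, RANDOM_PREFIX, final_hash.encode())
    assert hash_modulo(final, final_hash.encode()) == final_hash
    return final, final_hash

if __name__ == "__main__":
    # Constructed ELF-like blob whose RPATH points at its own (not yet known) store path.
    elf = b"RPATH=/nix/store/" + RANDOM_PREFIX + b"-foo/lib\0"
    print(build_and_rewrite(elf))
```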
`removeAttrs attrs ["x", "y"]' returns the set `attrs' with the
attributes named `x' and `y' removed. It is not an error for the
named attributes to be missing from the input set.
* Make the `derivation' primitive much more lazy. The expression
`derivation attrs' now evaluates to (essentially)
    attrs // {
      type = "derivation";
      outPath = derivation! attrs;
      drvPath = derivation! attrs;
    }
where `derivation!' is a primop that does the actual derivation
instantiation (i.e., it does what `derivation' used to do). The
advantage is that it allows commands such as `nix-env -qa' and
`nix-env -i' to be much faster since they no longer need to
instantiate all derivations, just the `name' attribute. (However,
`nix-env' doesn't yet take advantage of this since it still always
evaluates the `outPath' and `drvPath' attributes).
Also, this allows derivations to cyclically reference each other,
for example,
    webServer = derivation {
      ...
      hostName = "svn.cs.uu.nl";
      services = [svnService];
    };

    svnService = derivation {
      ...
      hostName = webServer.hostName;
    };
Previously, this would yield a black hole (infinite recursion).
* Add support for the creation of shared libraries to `compileC',
`link', and `makeLibrary'.
* Enable the ATerm library to be made into a shared library.
derivations. This is mostly to simplify the implementation of
nix-prefetch-{url, svn}, which now work properly in setuid
installations.
* Enforce valid store names in `nix-store --add / --add-fixed'.