mirror of https://github.com/NixOS/nix.git synced 2025-12-01 14:41:00 +01:00
Nix, the purely functional package manager
Eelco Dolstra 731b630321 Fixes for GHSA-g948-229j-48j3
Squashed commit of the following:

commit 04fff3a637d455cbb1d75937a235950e43008db9
Author: Eelco Dolstra <edolstra@gmail.com>
Date:   Thu Jun 12 12:30:32 2025 +0200

    Chown structured attr files safely

commit 5417ad445e414c649d0cfc71a05661c7bf8f3ef5
Author: Eelco Dolstra <edolstra@gmail.com>
Date:   Thu Jun 12 12:14:04 2025 +0200

    Replace 'bool sync' with an enum for clarity

    And drop writeFileAndSync().

commit 7ae0141f328d8e8e1094be24665789c05f974ba6
Author: Eelco Dolstra <edolstra@gmail.com>
Date:   Thu Jun 12 11:35:28 2025 +0200

    Drop guessOrInventPathFromFD()

    No need to do hacky stuff like that when we already know the original path.

commit 45b05098bd019da7c57cd4227a89bfd0fa65bb08
Author: Eelco Dolstra <edolstra@gmail.com>
Date:   Thu Jun 12 11:15:58 2025 +0200

    Tweak comment

commit 0af15b31209d1b7ec8addfae9a1a6b60d8f35848
Author: Raito Bezarius <raito@lix.systems>
Date:   Thu Mar 27 12:22:26 2025 +0100

    libstore: ensure that temporary directory is always 0o000 before deletion

    In the case the deletion fails, we should ensure that the temporary
    directory cannot be used for nefarious purposes.

    Change-Id: I498a2dd0999a74195d13642f44a5de1e69d46120
    Signed-off-by: Raito Bezarius <raito@lix.systems>

commit 2c20fa37b15cfa03ac6a1a6a47cdb2ed66c0827e
Author: Raito Bezarius <raito@lix.systems>
Date:   Wed Mar 26 12:42:55 2025 +0100

    libutil: ensure that `_deletePath` does NOT use absolute paths with dirfds

    When calling `_deletePath` with a parent file descriptor, `openat` is
    made effective by using relative paths to the directory file descriptor.

    To avoid the problem, the signature is changed to resist misuse with an
    assert in the prologue of the function.

    Change-Id: I6b3fc766bad2afe54dc27d47d1df3873e188de96
    Signed-off-by: Raito Bezarius <raito@lix.systems>

commit d3c370bbcae48bb825ce19fd0f73bb4eefd2c9ea
Author: Raito Bezarius <raito@lix.systems>
Date:   Wed Mar 26 01:07:47 2025 +0100

    libstore: ensure that `passAsFile` is created in the original temp dir

    This ensures that `passAsFile` data is created inside the expected
    temporary build directory by `openat()` from the parent directory file
    descriptor.

    This avoids a TOCTOU which is part of the attack chain of CVE-????.

    Change-Id: Ie5273446c4a19403088d0389ae8e3f473af8879a
    Signed-off-by: Raito Bezarius <raito@lix.systems>

commit 45d3598724f932d024ef6bc2ffb00c1bb90e6018
Author: Raito Bezarius <raito@lix.systems>
Date:   Wed Mar 26 01:06:03 2025 +0100

    libutil: writeFile variant for file descriptors

    `writeFile` loses its `sync` boolean flag to make things simpler.

    A new `writeFileAndSync` function is created and all call sites are
    converted to it.

    Change-Id: Ib871a5283a9c047db1e4fe48a241506e4aab9192
    Signed-off-by: Raito Bezarius <raito@lix.systems>

commit 732bd9b98cabf4aaf95a01fd318923de303f9996
Author: Raito Bezarius <raito@lix.systems>
Date:   Wed Mar 26 01:05:34 2025 +0100

    libstore: chown to builder variant for file descriptors

    We use it immediately for the build temporary directory.

    Change-Id: I180193c63a2b98721f5fb8e542c4e39c099bb947
    Signed-off-by: Raito Bezarius <raito@lix.systems>

commit 962c65f8dcd5570dd92c72370a862c7b38942e0d
Author: Raito Bezarius <raito@lix.systems>
Date:   Wed Mar 26 01:04:59 2025 +0100

    libstore: open build directory as a dirfd as well

    We now keep a proper AutoCloseFD around the temporary directory
    which we plan to use for openat operations and for avoiding the build
    directory being swapped out while we are doing something else.

    Change-Id: I18d387b0f123ebf2d20c6405cd47ebadc5505f2a
    Signed-off-by: Raito Bezarius <raito@lix.systems>

commit c9b42462b75b5a37ee6564c2b53cff186c8323da
Author: Raito Bezarius <raito@lix.systems>
Date:   Wed Mar 26 01:04:12 2025 +0100

    libutil: guess or invent a path from file descriptors

    This is useful for certain error recovery paths (no pun intended) that
    do not thread through the original path name.

    Change-Id: I2d800740cb4f9912e64c923120d3f977c58ccb7e
    Signed-off-by: Raito Bezarius <raito@lix.systems>
2025-06-24 09:27:39 -04:00
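The hardening the squashed commits above describe (hold the build directory open as a dirfd, resolve names relative to it with `openat()`, refuse absolute names when a dirfd is given, hand files to the builder through an fd rather than a path, and strip the directory's permission bits before attempting deletion), shown as an added C example. This is not Nix's code: every function name, the `.attr-0` file name, the payload and the `/tmp/dirfd-demo-XXXXXX` template are this example's own assumptions, and `demo_build_dir()` walks through the sequence on a freshly created temporary directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A dirfd only anchors resolution for relative names; an absolute name would silently ignore it. */
static int require_relative(int dirfd, const char *name)
{
    if (dirfd != AT_FDCWD && name[0] == '/') {
        errno = EINVAL;
        return -1;
    }
    return 0;
}

/* Create `name` inside the directory behind dirfd; O_EXCL|O_NOFOLLOW refuse symlinks and pre-placed files. */
int write_file_at(int dirfd, const char *name, const char *data, size_t len)
{
    if (require_relative(dirfd, name) < 0) return -1;
    int fd = openat(dirfd, name,
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fd, data + off, len - off);
        if (n < 0) { if (errno == EINTR) continue; close(fd); return -1; }
        off += (size_t)n;
    }
    if (fsync(fd) < 0) { close(fd); return -1; }
    return close(fd);
}

/* Change ownership through an fd we opened, not through a path that could be re-pointed in between. */
int chown_at_to(int dirfd, const char *name, uid_t uid, gid_t gid)
{
    if (require_relative(dirfd, name) < 0) return -1;
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    int rc = fchown(fd, uid, gid);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Strip every permission bit before deletion so a failed delete leaves nothing usable behind. */
int lock_down_dir(int dirfd)
{
    return fchmod(dirfd, 0);
}

/* Read back up to cap-1 bytes of `name` relative to dirfd, NUL-terminated. */
ssize_t read_file_at(int dirfd, const char *name, char *buf, size_t cap)
{
    if (require_relative(dirfd, name) < 0) return -1;
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n >= 0) buf[n] = '\0';
    return n;
}

/* Whole sequence on a constructed temp dir; returns 0 on success, minus the first failing step. */
int demo_build_dir(void)
{
    char tmpl[] = "/tmp/dirfd-demo-XXXXXX";  /* constructed template, not a Nix path */
    if (!mkdtemp(tmpl)) return -1;
    int dirfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) { rmdir(tmpl); return -2; }
    const char *payload = "constructed passAsFile contents\n";
    char buf[64];
    int rc = 0;
    if (write_file_at(dirfd, ".attr-0", payload, strlen(payload)) < 0) rc = -3;
    if (rc == 0 && (read_file_at(dirfd, ".attr-0", buf, sizeof buf) < 0 ||
                    strcmp(buf, payload) != 0)) rc = -4;
    if (rc == 0 && chown_at_to(dirfd, ".attr-0", getuid(), getgid()) < 0) rc = -5;
    /* Creating the same name again must fail: O_EXCL rejects an existing file. */
    if (rc == 0 && write_file_at(dirfd, ".attr-0", "x", 1) == 0) rc = -6;
    /* An absolute name together with a dirfd is refused up front with EINVAL. */
    if (rc == 0 && (write_file_at(dirfd, "/absolute/name", "x", 1) == 0 ||
                    errno != EINVAL)) rc = -7;
    unlinkat(dirfd, ".attr-0", 0);
    if (rc == 0 && lock_down_dir(dirfd) < 0) rc = -8;
    struct stat st;
    if (rc == 0 && (fstat(dirfd, &st) < 0 || (st.st_mode & 07777) != 0)) rc = -9;
    fchmod(dirfd, 0700);  /* restore so the demo can remove its own directory */
    close(dirfd);
    rmdir(tmpl);
    return rc;
}
```

The check in `require_relative` is the same idea as the assert the `_deletePath` commit adds to its prologue: with a dirfd in hand, a leading `/` means the caller has lost the anchoring the fd was meant to provide, so it is treated as a bug rather than resolved.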
.github Revert "Drop magic-nix-cache" 2025-06-19 12:12:28 +00:00
contrib function-trace: always show the trace 2019-09-18 23:23:21 +02:00
doc/manual Generate release notes for 3.6.7 2025-06-24 13:18:13 +00:00
maintainers Merge remote-tracking branch 'origin/2.29-maintenance' into detsys-main 2025-05-16 12:48:44 +02:00
misc Install init system configs only when relevant 2024-12-03 16:51:01 +01:00
nix-meson-build-support Add -Wundef to make #if FOO an error if not defined 2025-04-05 00:45:19 +02:00
packaging Run nixpkgsLibTests in lazy trees mode 2025-06-11 16:50:42 +02:00
scripts Merge pull request #12423 from ilya-bobyr/fish-profile-local-state-bin-in-PATH 2025-04-18 07:27:04 +02:00
src Fixes for GHSA-g948-229j-48j3 2025-06-24 09:27:39 -04:00
tests Merge remote-tracking branch 'origin/2.29-maintenance' into sync-2.29.1 2025-06-23 15:02:22 +02:00
.clang-format Factor out lookupExecutable and other PATH improvements 2024-08-07 18:12:58 -04:00
.clang-tidy Add .clang-tidy 2024-02-01 01:01:39 +01:00
.dir-locals.el .dir-locals.el: Set c-block-comment-prefix 2020-07-10 11:21:06 +02:00
.editorconfig No global eval settings in libnixexpr 2024-06-24 12:15:16 -04:00
.gitignore Expand manual on derivation outputs 2025-02-27 02:13:36 -05:00
.mergify.yml .mergify.yml: Add backport 2.28-maintenance entry 2025-03-31 12:15:28 -04:00
.shellcheckrc housekeeping: shellcheck for tests/functional/ca/build-cache.sh 2024-06-12 17:41:16 -04:00
.version Bump version 2025-05-22 14:48:51 +02:00
.version-determinate Set .version-determinate to 3.6.7 2025-06-24 13:18:08 +00:00
CITATION.cff chore: PhD thesis as reference in CITATION.cff 2024-05-18 20:05:22 +02:00
CONTRIBUTING.md Rename doc/manual{src -> source} 2024-10-14 11:21:24 -04:00
COPYING * Change this to LGPL to keep the government happy. 2006-04-25 16:41:06 +00:00
docker.nix Merge remote-tracking branch 'origin/2.29-maintenance' into detsys-main 2025-05-16 12:48:44 +02:00
flake.lock Provide strict version constraint for Nixpkgs 2025-06-10 18:42:40 -07:00
flake.nix Formatting 2025-06-12 16:13:28 +02:00
HACKING.md Rename doc/manual{src -> source} 2024-10-14 11:21:24 -04:00
meson.build Fix meson warning about meson_version 1.1 2025-04-09 15:31:34 +02:00
meson.options Don't build the API docs in the devshell 2024-11-12 20:18:33 +01:00
precompiled-headers.h Build a minimized Nix with MinGW 2024-04-17 12:26:10 -04:00
README.md Merge branch 'lucperkins/gtm-51-update-nix-src-readme-to-better-reflect-what-the-project-is' of https://github.com/DeterminateSystems/nix-src into lucperkins/gtm-51-update-nix-src-readme-to-better-reflect-what-the-project-is 2025-06-02 11:01:41 -07:00


Determinate Nix


This repository houses the source for Determinate Nix, a downstream distribution of Nix created and maintained by Determinate Systems. Nix is a powerful language, package manager, and CLI for macOS, Linux, and other Unix systems that enables you to create fully reproducible development environments, to build packages in sandboxed environments, to build entire Linux systems using NixOS, and much more.

Determinate Nix is part of the Determinate platform, which also includes FlakeHub, a secure flake repository with features like FlakeHub Cache, private flakes, and semantic versioning (SemVer) for flakes.

Installing Determinate

You can install Determinate on macOS, non-NixOS Linux and WSL, and NixOS.

macOS

On macOS, we recommend using the graphical installer from Determinate Systems. Click here to download and run it.

Linux

On Linux, including Windows Subsystem for Linux (WSL), we recommend installing Determinate Nix using Determinate Nix Installer:

curl -fsSL https://install.determinate.systems/nix | sh -s -- install --determinate

NixOS

On NixOS, we recommend following our dedicated installation guide.

Other resources

Nix was created by Eelco Dolstra and developed as the subject of his 2006 PhD thesis, The Purely Functional Software Deployment Model. Today, a worldwide developer community contributes to Nix and the ecosystem that has grown around it.

  • Zero to Nix, Determinate Systems' guide to Nix and flakes for beginners
  • Nixpkgs, a collection of well over 100,000 software packages that you can build and manage using Nix
  • NixOS is a Linux distribution that can be configured fully declaratively
  • The Nix, Nixpkgs, and NixOS community on nixos.org

Reference

The primary documentation for Determinate and Determinate Nix is available at docs.determinate.systems. For deeply technical reference material, see the Determinate Nix manual which is based on the upstream Nix manual.

License

Upstream Nix is released under the LGPL v2.1 license. Determinate Nix is also released under LGPL v2.1 in accordance with the terms of the upstream license.

Contributing

Check the contributing guide if you want to get involved with developing Nix.