From 983efdbde47bd0ecaff866d43c3155761574c112 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Th=C3=A9ophane=20Hufschmitt?= Date: Tue, 21 Jun 2022 14:08:18 +0200 Subject: [PATCH 1/9] Forbid the tilde expansion in pure eval mode Fix #6684 --- src/libexpr/parser.y | 6 ++++++ tests/pure-eval.sh | 2 ++ 2 files changed, 8 insertions(+) diff --git a/src/libexpr/parser.y b/src/libexpr/parser.y index 8cbc2da4d..7c9b5a2db 100644 --- a/src/libexpr/parser.y +++ b/src/libexpr/parser.y @@ -520,6 +520,12 @@ path_start $$ = new ExprPath(path); } | HPATH { + if (evalSettings.pureEval) { + throw Error( + "the path '%s' can not be resolved in pure mode", + std::string_view($1.p, $1.l) + ); + } Path path(getHome() + std::string($1.p + 1, $1.l - 1)); $$ = new ExprPath(path); } diff --git a/tests/pure-eval.sh b/tests/pure-eval.sh index 1a4568ea6..b83ab8afe 100644 --- a/tests/pure-eval.sh +++ b/tests/pure-eval.sh @@ -30,3 +30,5 @@ nix eval --store dummy:// --write-to $TEST_ROOT/eval-out --expr '{ x = "foo" + " rm -rf $TEST_ROOT/eval-out (! nix eval --store dummy:// --write-to $TEST_ROOT/eval-out --expr '{ "." = "bla"; }') + +(! nix eval --expr '~/foo') From 2a9fddc0b16d9b4771d11fc10d8b2a9cba55ff64 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 23 Jun 2022 16:29:50 +0200 Subject: [PATCH 2/9] Automatically use a chroot store if /nix doesn't exist Specifically, if we're not root and the daemon socket does not exist, then we use ~/.local/share/nix/root as a chroot store. This enables non-root users to download nix-static and have it work out of the box, e.g. ubuntu@ip-10-13-1-146:~$ ~/nix run nixpkgs#hello warning: '/nix' does not exists, so Nix will use '/home/ubuntu/.local/share/nix/root' as a chroot store Hello, world! --- src/libstore/store-api.cc | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/src/libstore/store-api.cc b/src/libstore/store-api.cc index 8861274a2..b46b3066b 100644 --- a/src/libstore/store-api.cc +++ b/src/libstore/store-api.cc @@ -1302,7 +1302,8 @@ std::pair splitUriAndParams(const std::string & uri_ return {uri, params}; } -static bool isNonUriPath(const std::string & spec) { +static bool isNonUriPath(const std::string & spec) +{ return // is not a URL spec.find("://") == std::string::npos @@ -1319,7 +1320,19 @@ std::shared_ptr openFromNonUri(const std::string & uri, const Store::Para return std::make_shared(params); else if (pathExists(settings.nixDaemonSocketFile)) return std::make_shared(params); - else + else if (!pathExists(stateDir) && params.empty() && getuid() != 0) { + /* If /nix doesn't exist, there is no daemon socket, and + we're not root, then automatically set up a chroot + store in ~/.local/share/nix/root. */ + auto chrootStore = getDataDir() + "/nix/root"; + if (!pathExists(chrootStore)) + warn("'/nix' does not exists, so Nix will use '%s' as a chroot store", chrootStore); + else + debug("'/nix' does not exists, so Nix will use '%s' as a chroot store", chrootStore); + Store::Params params2; + params2["root"] = chrootStore; + return std::make_shared(params2); + } else return std::make_shared(params); } else if (uri == "daemon") { return std::make_shared(params); From 1cb376d60e3a7d0742d92fa2ea1ebebba0a513e5 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 23 Jun 2022 17:18:22 +0200 Subject: [PATCH 3/9] Fix typo Co-authored-by: Cole Helbling --- src/libstore/store-api.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/libstore/store-api.cc b/src/libstore/store-api.cc index b46b3066b..91080a2af 100644 --- a/src/libstore/store-api.cc +++ b/src/libstore/store-api.cc @@ -1326,9 +1326,9 @@ std::shared_ptr openFromNonUri(const std::string & uri, const Store::Para store in ~/.local/share/nix/root. */ auto chrootStore = getDataDir() + "/nix/root"; if (!pathExists(chrootStore)) - warn("'/nix' does not exists, so Nix will use '%s' as a chroot store", chrootStore); + warn("'/nix' does not exist, so Nix will use '%s' as a chroot store", chrootStore); else - debug("'/nix' does not exists, so Nix will use '%s' as a chroot store", chrootStore); + debug("'/nix' does not exist, so Nix will use '%s' as a chroot store", chrootStore); Store::Params params2; params2["root"] = chrootStore; return std::make_shared(params2); From 561a258f1d9fd11a5e111e14c492ee166a7551c1 Mon Sep 17 00:00:00 2001 From: Cole Helbling Date: Thu, 23 Jun 2022 14:24:23 -0400 Subject: [PATCH 4/9] libstore/nar-info: drop unused system field This was unused everywhere (and even the official NixOS binary cache did not produce .narinfo files containing a "System:" field). --- src/libstore/nar-info.cc | 5 ----- src/libstore/nar-info.hh | 1 - 2 files changed, 6 deletions(-) diff --git a/src/libstore/nar-info.cc b/src/libstore/nar-info.cc index 2d75e7a82..071d8355e 100644 --- a/src/libstore/nar-info.cc +++ b/src/libstore/nar-info.cc @@ -69,8 +69,6 @@ NarInfo::NarInfo(const Store & store, const std::string & s, const std::string & if (value != "unknown-deriver") deriver = StorePath(value); } - else if (name == "System") - system = value; else if (name == "Sig") sigs.insert(value); else if (name == "CA") { @@ -106,9 +104,6 @@ std::string NarInfo::to_string(const Store & store) const if (deriver) res += "Deriver: " + std::string(deriver->to_string()) + "\n"; - if (!system.empty()) - res += "System: " + system + "\n"; - for (auto sig : sigs) res += "Sig: " + sig + "\n"; diff --git a/src/libstore/nar-info.hh b/src/libstore/nar-info.hh index 39ced76e5..01683ec73 100644 --- a/src/libstore/nar-info.hh +++ b/src/libstore/nar-info.hh @@ -14,7 +14,6 @@ struct NarInfo : ValidPathInfo std::string compression; std::optional fileHash; uint64_t fileSize = 0; - std::string system; NarInfo() = delete; NarInfo(StorePath && path, Hash narHash) : ValidPathInfo(std::move(path), narHash) { } From 2beb929753d28604ccd40057fca295a11640e40e Mon Sep 17 00:00:00 2001 From: Rick van Schijndel Date: Thu, 23 Jun 2022 21:11:08 +0200 Subject: [PATCH 5/9] eval-cache: cast rowId to correct type Prevents errors when running with UBSan: /nix/store/j5vhrywqmz1ixwhsmmjjxa85fpwryzh0-gcc-11.3.0/include/c++/11.3.0/bits/stl_pair.h:353:4: runtime error: load of value 229, which is not a valid value for type 'AttrType' --- src/libexpr/eval-cache.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libexpr/eval-cache.cc b/src/libexpr/eval-cache.cc index d77b25898..dbfd8e70b 100644 --- a/src/libexpr/eval-cache.cc +++ b/src/libexpr/eval-cache.cc @@ -282,7 +282,7 @@ struct AttrDb auto queryAttribute(state->queryAttribute.use()(key.first)(symbols[key.second])); if (!queryAttribute.next()) return {}; - auto rowId = (AttrType) queryAttribute.getInt(0); + auto rowId = (AttrId) queryAttribute.getInt(0); auto type = (AttrType) queryAttribute.getInt(1); switch (type) { From 4b6cc3da62ba33c6861a3aa85353d75e8ac82464 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 23 Jun 2022 23:56:26 +0200 Subject: [PATCH 6/9] Fetch flake-registry.json from channels.nixos.org Using fastly is slightly faster, provides some resilience due to a high stale TTL, and allows some usage metrics. --- src/libfetchers/fetch-settings.hh | 2 +- tests/github-flakes.nix | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/src/libfetchers/fetch-settings.hh b/src/libfetchers/fetch-settings.hh index 04c9feda0..6452143a1 100644 --- a/src/libfetchers/fetch-settings.hh +++ b/src/libfetchers/fetch-settings.hh @@ -70,7 +70,7 @@ struct FetchSettings : public Config Setting warnDirty{this, true, "warn-dirty", "Whether to warn about dirty Git/Mercurial trees."}; - Setting flakeRegistry{this, "https://github.com/NixOS/flake-registry/raw/master/flake-registry.json", "flake-registry", + Setting flakeRegistry{this, "https://channels.nixos.org/flake-registry.json", "flake-registry", "Path or URI of the global flake registry."}; Setting useRegistries{this, true, "use-registries", diff --git a/tests/github-flakes.nix b/tests/github-flakes.nix index ddae6a21c..fc481c7e3 100644 --- a/tests/github-flakes.nix +++ b/tests/github-flakes.nix @@ -7,7 +7,7 @@ with import (nixpkgs + "/nixos/lib/testing-python.nix") { let - # Generate a fake root CA and a fake github.com certificate. + # Generate a fake root CA and a fake api.github.com / channels.nixos.org certificate. cert = pkgs.runCommand "cert" { buildInputs = [ pkgs.openssl ]; } '' mkdir -p $out @@ -18,7 +18,7 @@ let openssl req -newkey rsa:2048 -nodes -keyout $out/server.key \ -subj "/C=CN/ST=Denial/L=Springfield/O=Dis/CN=github.com" -out server.csr - openssl x509 -req -extfile <(printf "subjectAltName=DNS:api.github.com,DNS:github.com,DNS:raw.githubusercontent.com") \ + openssl x509 -req -extfile <(printf "subjectAltName=DNS:api.github.com,DNS:channels.nixos.org") \ -days 36500 -in server.csr -CA $out/ca.crt -CAkey ca.key -CAcreateserial -out $out/server.crt ''; @@ -67,7 +67,7 @@ makeTest ( name = "github-flakes"; nodes = - { # Impersonate github.com and api.github.com. + { github = { config, pkgs, ... }: { networking.firewall.allowedTCPPorts = [ 80 443 ]; @@ -77,12 +77,12 @@ makeTest ( services.httpd.extraConfig = '' ErrorLog syslog:local6 ''; - services.httpd.virtualHosts."github.com" = + services.httpd.virtualHosts."channels.nixos.org" = { forceSSL = true; sslServerKey = "${cert}/server.key"; sslServerCert = "${cert}/server.crt"; servedDirs = - [ { urlPath = "/NixOS/flake-registry/raw/master"; + [ { urlPath = "/"; dir = registry; } ]; @@ -109,7 +109,7 @@ makeTest ( nix.extraOptions = "experimental-features = nix-command flakes"; environment.systemPackages = [ pkgs.jq ]; networking.hosts.${(builtins.head nodes.github.config.networking.interfaces.eth1.ipv4.addresses).address} = - [ "github.com" "api.github.com" "raw.githubusercontent.com" ]; + [ "channels.nixos.org" "api.github.com" ]; security.pki.certificateFiles = [ "${cert}/ca.crt" ]; }; }; @@ -123,7 +123,7 @@ makeTest ( github.wait_for_unit("httpd.service") - client.succeed("curl -v https://github.com/ >&2") + client.succeed("curl -v https://api.github.com/ >&2") client.succeed("nix registry list | grep nixpkgs") rev = client.succeed("nix flake info nixpkgs --json | jq -r .revision") From 749d914d10e7550fb26a3a1599e2d4d7ed59b00a Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Fri, 24 Jun 2022 23:14:56 +0200 Subject: [PATCH 7/9] Add reminder to remove nix-static testing hack https://github.com/NixOS/nix/pull/6708#issuecomment-1165912951 --- flake.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/flake.nix b/flake.nix index 5df593940..22367df71 100644 --- a/flake.nix +++ b/flake.nix @@ -572,6 +572,7 @@ buildInputs = buildDeps ++ propagatedDeps; # Work around pkgsStatic disabling all tests. + # Remove in NixOS 22.11, see https://github.com/NixOS/nixpkgs/pull/140271. preHook = '' doCheck=1 From 30d4aa5dd651813578b67d70ffbcd0446f6f0fe7 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Fri, 24 Jun 2022 23:35:21 +0200 Subject: [PATCH 8/9] Only do the auto chroot store on Linux --- src/libstore/store-api.cc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/libstore/store-api.cc b/src/libstore/store-api.cc index 91080a2af..53b1a8777 100644 --- a/src/libstore/store-api.cc +++ b/src/libstore/store-api.cc @@ -1320,6 +1320,7 @@ std::shared_ptr openFromNonUri(const std::string & uri, const Store::Para return std::make_shared(params); else if (pathExists(settings.nixDaemonSocketFile)) return std::make_shared(params); + #if __linux__ else if (!pathExists(stateDir) && params.empty() && getuid() != 0) { /* If /nix doesn't exist, there is no daemon socket, and we're not root, then automatically set up a chroot @@ -1332,7 +1333,9 @@ std::shared_ptr openFromNonUri(const std::string & uri, const Store::Para Store::Params params2; params2["root"] = chrootStore; return std::make_shared(params2); - } else + } + #endif + else return std::make_shared(params); } else if (uri == "daemon") { return std::make_shared(params); From e8109cf405d672c50b1e5a25c632ddcb1d517233 Mon Sep 17 00:00:00 2001 From: Guillaume Girol Date: Sun, 26 Jun 2022 12:00:00 +0000 Subject: [PATCH 9/9] fetchGit: document `shallow` argument --- src/libexpr/primops/fetchTree.cc | 4 ++++ src/libfetchers/git.cc | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/src/libexpr/primops/fetchTree.cc b/src/libexpr/primops/fetchTree.cc index e5eeea520..84e7f5c02 100644 --- a/src/libexpr/primops/fetchTree.cc +++ b/src/libexpr/primops/fetchTree.cc @@ -364,6 +364,10 @@ static RegisterPrimOp primop_fetchGit({ A Boolean parameter that specifies whether submodules should be checked out. Defaults to `false`. + - shallow\ + A Boolean parameter that specifies whether fetching a shallow clone + is allowed. Defaults to `false`. + - allRefs\ Whether to fetch all refs of the repository. With this argument being true, it's possible to load a `rev` from *any* `ref` (by default only diff --git a/src/libfetchers/git.cc b/src/libfetchers/git.cc index 35fdf807a..7d01aaa7a 100644 --- a/src/libfetchers/git.cc +++ b/src/libfetchers/git.cc @@ -574,7 +574,7 @@ struct GitInputScheme : InputScheme bool isShallow = chomp(runProgram("git", true, { "-C", repoDir, "--git-dir", gitDir, "rev-parse", "--is-shallow-repository" })) == "true"; if (isShallow && !shallow) - throw Error("'%s' is a shallow Git repository, but a non-shallow repository is needed", actualUrl); + throw Error("'%s' is a shallow Git repository, but shallow repositories are only allowed when `shallow = true;` is specified.", actualUrl); // FIXME: check whether rev is an ancestor of ref.