Merge remote-tracking branch 'origin/master' into relative-flakes

2025-07-08 06:53:54 +02:00 · 2025-01-16 11:05:10 +01:00 · 2025-01-16 11:05:10 +01:00 · 550fe889ee
commit 550fe889ee
parent 6cc5b48a29 e02026adae
33 changed files with 142 additions and 42 deletions
--- a/src/libcmd/installables.cc
+++ b/src/libcmd/installables.cc
@ -450,7 +450,7 @@ ref<eval_cache::EvalCache> openEvalCache(
    std::shared_ptr<flake::LockedFlake> lockedFlake)
 {
    auto fingerprint = evalSettings.useEvalCache && evalSettings.pureEval
-        ? lockedFlake->getFingerprint(state.store)
+        ? lockedFlake->getFingerprint(state.store, state.fetchSettings)
        : std::nullopt;
    auto rootLoader = [&state, lockedFlake]()
        {
--- a/src/libcmd/package.nix
+++ b/src/libcmd/package.nix
@ -76,7 +76,7 @@ mkMesonLibrary (finalAttrs: {
    (lib.mesonOption "readline-flavor" readlineFlavor)
  ];

-  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
+  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux") && !(stdenv.hostPlatform.useLLVM or false)) {
    LDFLAGS = "-fuse-ld=gold";
  };

--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@ -406,7 +406,7 @@ void EvalState::checkURI(const std::string & uri)

    /* If the URI is a path, then check it against allowedPaths as
       well. */
-    if (hasPrefix(uri, "/")) {
+    if (isAbsolute(uri)) {
        if (auto rootFS2 = rootFS.dynamic_pointer_cast<AllowListSourceAccessor>())
            rootFS2->checkAccess(CanonPath(uri));
        return;
--- a/src/libexpr/package.nix
+++ b/src/libexpr/package.nix
@ -96,7 +96,7 @@ mkMesonLibrary (finalAttrs: {
    # https://github.com/NixOS/nixpkgs/issues/86131.
    BOOST_INCLUDEDIR = "${lib.getDev boost}/include";
    BOOST_LIBRARYDIR = "${lib.getLib boost}/lib";
-  } // lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
+  } // lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux") && !(stdenv.hostPlatform.useLLVM or false)) {
    LDFLAGS = "-fuse-ld=gold";
  };

--- a/src/libexpr/primops/fetchTree.cc
+++ b/src/libexpr/primops/fetchTree.cc
@ -182,7 +182,7 @@ static void fetchTree(
    if (!state.settings.pureEval && !input.isDirect() && experimentalFeatureSettings.isEnabled(Xp::Flakes))
        input = lookupInRegistries(state.store, input).first;

-    if (state.settings.pureEval && !input.isLocked()) {
+    if (state.settings.pureEval && !input.isConsideredLocked(state.fetchSettings)) {
        auto fetcher = "fetchTree";
        if (params.isFetchGit)
            fetcher = "fetchGit";
--- a/src/libfetchers/fetch-settings.hh
+++ b/src/libfetchers/fetch-settings.hh
@ -70,6 +70,22 @@ struct Settings : public Config
    Setting<bool> warnDirty{this, true, "warn-dirty",
        "Whether to warn about dirty Git/Mercurial trees."};

+    Setting<bool> allowDirtyLocks{
+        this,
+        false,
+        "allow-dirty-locks",
+        R"(
+          Whether to allow dirty inputs (such as dirty Git workdirs)
+          to be locked via their NAR hash. This is generally bad
+          practice since Nix has no way to obtain such inputs if they
+          are subsequently modified. Therefore lock files with dirty
+          locks should generally only be used for local testing, and
+          should not be pushed to other users.
+        )",
+        {},
+        true,
+        Xp::Flakes};
+
    Setting<bool> trustTarballsFromGitForges{
        this, true, "trust-tarballs-from-git-forges",
        R"(
--- a/src/libfetchers/fetchers.cc
+++ b/src/libfetchers/fetchers.cc
@ -4,6 +4,7 @@
 #include "fetch-to-store.hh"
 #include "json-utils.hh"
 #include "store-path-accessor.hh"
+#include "fetch-settings.hh"

 #include <nlohmann/json.hpp>

@ -154,6 +155,12 @@ bool Input::isLocked() const
    return scheme && scheme->isLocked(*this);
 }

+bool Input::isConsideredLocked(
+    const Settings & settings) const
+{
+    return isLocked() || (settings.allowDirtyLocks && getNarHash());
+}
+
 bool Input::isFinal() const
 {
    return maybeGetBoolAttr(attrs, "__final").value_or(false);
--- a/src/libfetchers/fetchers.hh
+++ b/src/libfetchers/fetchers.hh
@ -90,6 +90,15 @@ public:
     */
    bool isLocked() const;

+    /**
+     * Return whether the input is either locked, or, if
+     * `allow-dirty-locks` is enabled, it has a NAR hash. In the
+     * latter case, we can verify the input but we may not be able to
+     * fetch it from anywhere.
+     */
+    bool isConsideredLocked(
+        const Settings & settings) const;
+
    /**
     * Only for relative path flakes, i.e. 'path:./foo', returns the
     * relative path, i.e. './foo'.
--- a/src/libfetchers/git.cc
+++ b/src/libfetchers/git.cc
@ -426,7 +426,16 @@ struct GitInputScheme : InputScheme
        auto url = parseURL(getStrAttr(input.attrs, "url"));
        bool isBareRepository = url.scheme == "file" && !pathExists(url.path + "/.git");
        repoInfo.isLocal = url.scheme == "file" && !forceHttp && !isBareRepository;
-        repoInfo.url = repoInfo.isLocal ? url.path : url.to_string();
+        //
+        // FIXME: here we turn a possibly relative path into an absolute path.
+        // This allows relative git flake inputs to be resolved against the
+        // **current working directory** (as in POSIX), which tends to work out
+        // ok in the context of flakes, but is the wrong behavior,
+        // as it should resolve against the flake.nix base directory instead.
+        //
+        // See: https://discourse.nixos.org/t/57783 and #9708
+        //
+        repoInfo.url = repoInfo.isLocal ? std::filesystem::absolute(url.path).string() : url.to_string();

        // If this is a local directory and no ref or revision is
        // given, then allow the use of an unclean working tree.
--- a/src/libfetchers/package.nix
+++ b/src/libfetchers/package.nix
@ -49,7 +49,7 @@ mkMesonLibrary (finalAttrs: {
      echo ${version} > ../../.version
    '';

-  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
+  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux") && !(stdenv.hostPlatform.useLLVM or false)) {
    LDFLAGS = "-fuse-ld=gold";
  };

--- a/src/libfetchers/path.cc
+++ b/src/libfetchers/path.cc
@ -97,7 +97,7 @@ struct PathInputScheme : InputScheme
    std::optional<std::string> isRelative(const Input & input) const override
    {
        auto path = getStrAttr(input.attrs, "path");
-        if (hasPrefix(path, "/"))
+        if (isAbsolute(path))
            return std::nullopt;
        else
            return path;
--- a/src/libfetchers/registry.cc
+++ b/src/libfetchers/registry.cc
@ -153,7 +153,7 @@ static std::shared_ptr<Registry> getGlobalRegistry(const Settings & settings, re
            return std::make_shared<Registry>(settings, Registry::Global); // empty registry
        }

-        if (!hasPrefix(path, "/")) {
+        if (!isAbsolute(path)) {
            auto storePath = downloadFile(store, path, "flake-registry.json").storePath;
            if (auto store2 = store.dynamic_pointer_cast<LocalFSStore>())
                store2->addPermRoot(storePath, getCacheDir() + "/flake-registry.json");
--- a/src/libflake/flake/flake.cc
+++ b/src/libflake/flake/flake.cc
@ -367,6 +367,7 @@ Flake getFlake(EvalState & state, const FlakeRef & originalRef, bool allowLookup
 }

 static LockFile readLockFile(
+    const Settings & settings,
    const fetchers::Settings & fetchSettings,
    const SourcePath & lockFilePath)
 {
@ -402,6 +403,7 @@ LockedFlake lockFlake(
        }

        auto oldLockFile = readLockFile(
+            settings,
            state.fetchSettings,
            lockFlags.referenceLockFilePath.value_or(
                flake.lockFilePath()));
@ -690,7 +692,7 @@ LockedFlake lockFlake(
                                inputFlake.inputs, childNode, inputPath,
                                oldLock
                                ? std::dynamic_pointer_cast<const Node>(oldLock)
-                                : readLockFile(state.fetchSettings, inputFlake.lockFilePath()).root.get_ptr(),
+                                : readLockFile(settings, state.fetchSettings, inputFlake.lockFilePath()).root.get_ptr(),
                                oldLock ? lockRootPath : inputPath,
                                inputFlake.path,
                                false);
@ -758,9 +760,11 @@ LockedFlake lockFlake(

            if (lockFlags.writeLockFile) {
                if (sourcePath || lockFlags.outputLockFilePath) {
-                    if (auto unlockedInput = newLockFile.isUnlocked()) {
+                    if (auto unlockedInput = newLockFile.isUnlocked(state.fetchSettings)) {
                        if (lockFlags.failOnUnlocked)
-                            throw Error("cannot write lock file of flake '%s' because it has an unlocked input ('%s').\n", topRef, *unlockedInput);
+                            throw Error(
+                                "Will not write lock file of flake '%s' because it has an unlocked input ('%s'). "
+                                "Use '--allow-dirty-locks' to allow this anyway.", topRef, *unlockedInput);
                        if (state.fetchSettings.warnDirty)
                            warn("will not write lock file of flake '%s' because it has an unlocked input ('%s')", topRef, *unlockedInput);
                    } else {
@ -1059,9 +1063,11 @@ static RegisterPrimOp r4({

 }

-std::optional<Fingerprint> LockedFlake::getFingerprint(ref<Store> store) const
+std::optional<Fingerprint> LockedFlake::getFingerprint(
+    ref<Store> store,
+    const fetchers::Settings & fetchSettings) const
 {
-    if (lockFile.isUnlocked()) return std::nullopt;
+    if (lockFile.isUnlocked(fetchSettings)) return std::nullopt;

    auto fingerprint = flake.lockedRef.input.getFingerprint(store);
    if (!fingerprint) return std::nullopt;
--- a/src/libflake/flake/flake.hh
+++ b/src/libflake/flake/flake.hh
@ -129,7 +129,9 @@ struct LockedFlake
     */
    std::map<ref<Node>, SourcePath> nodePaths;

-    std::optional<Fingerprint> getFingerprint(ref<Store> store) const;
+    std::optional<Fingerprint> getFingerprint(
+        ref<Store> store,
+        const fetchers::Settings & fetchSettings) const;
 };

 struct LockFlags
--- a/src/libflake/flake/flakeref.cc
+++ b/src/libflake/flake/flakeref.cc
@ -104,8 +104,8 @@ std::pair<FlakeRef, std::string> parsePathFlakeRefWithFragment(

    if (baseDir) {
        /* Check if 'url' is a path (either absolute or relative
-            to 'baseDir'). If so, search upward to the root of the
-            repo (i.e. the directory containing .git). */
+           to 'baseDir'). If so, search upward to the root of the
+           repo (i.e. the directory containing .git). */

        path = absPath(path, baseDir);

@ -180,7 +180,7 @@ std::pair<FlakeRef, std::string> parsePathFlakeRefWithFragment(
        }

    } else {
-        if (!preserveRelativePaths && !hasPrefix(path, "/"))
+        if (!preserveRelativePaths && !isAbsolute(path))
            throw BadURL("flake reference '%s' is not an absolute path", url);
    }

@ -231,7 +231,12 @@ std::optional<std::pair<FlakeRef, std::string>> parseURLFlakeRef(
    bool isFlake)
 {
    try {
-        return fromParsedURL(fetchSettings, parseURL(url), isFlake);
+        auto parsed = parseURL(url);
+        if (baseDir
+            && (parsed.scheme == "path" || parsed.scheme == "git+file")
+            && !isAbsolute(parsed.path))
+            parsed.path = absPath(parsed.path, *baseDir);
+        return fromParsedURL(fetchSettings, std::move(parsed), isFlake);
    } catch (BadURL &) {
        return std::nullopt;
    }
--- a/src/libflake/flake/lockfile.cc
+++ b/src/libflake/flake/lockfile.cc
@ -10,6 +10,7 @@
 #include <nlohmann/json.hpp>

 #include "strings.hh"
+#include "flake/settings.hh"

 namespace nix::flake {

@ -44,8 +45,8 @@ LockedNode::LockedNode(
    , isFlake(json.find("flake") != json.end() ? (bool) json["flake"] : true)
    , parentPath(json.find("parent") != json.end() ? (std::optional<InputPath>) json["parent"] : std::nullopt)
 {
-    if (!lockedRef.input.isLocked() && !lockedRef.input.isRelative())
-        throw Error("lock file contains unlocked input '%s'",
+    if (!lockedRef.input.isConsideredLocked(fetchSettings) && !lockedRef.input.isRelative())
+        throw Error("Lock file contains unlocked input '%s'. Use '--allow-dirty-locks' to accept this lock file.",
            fetchers::attrsToJSON(lockedRef.input.toAttrs()));

    // For backward compatibility, lock file entries are implicitly final.
@ -231,7 +232,7 @@ std::ostream & operator <<(std::ostream & stream, const LockFile & lockFile)
    return stream;
 }

-std::optional<FlakeRef> LockFile::isUnlocked() const
+std::optional<FlakeRef> LockFile::isUnlocked(const fetchers::Settings & fetchSettings) const
 {
    std::set<ref<const Node>> nodes;

@ -251,7 +252,8 @@ std::optional<FlakeRef> LockFile::isUnlocked() const
        if (i == ref<const Node>(root)) continue;
        auto node = i.dynamic_pointer_cast<const LockedNode>();
        if (node
-            && (!node->lockedRef.input.isLocked() || !node->lockedRef.input.isFinal())
+            && (!node->lockedRef.input.isConsideredLocked(fetchSettings)
+                || !node->lockedRef.input.isFinal())
            && !node->lockedRef.input.isRelative())
            return node->lockedRef;
    }
--- a/src/libflake/flake/lockfile.hh
+++ b/src/libflake/flake/lockfile.hh
@ -79,7 +79,7 @@ struct LockFile
     * Check whether this lock file has any unlocked or non-final
     * inputs. If so, return one.
     */
-    std::optional<FlakeRef> isUnlocked() const;
+    std::optional<FlakeRef> isUnlocked(const fetchers::Settings & fetchSettings) const;

    bool operator ==(const LockFile & other) const;

--- a/src/libflake/flake/settings.hh
+++ b/src/libflake/flake/settings.hh
@ -29,7 +29,7 @@ struct Settings : public Config
        this,
        false,
        "accept-flake-config",
-        "Whether to accept nix configuration from a flake without prompting.",
+        "Whether to accept Nix configuration settings from a flake without prompting.",
        {},
        true,
        Xp::Flakes};
--- a/src/libflake/package.nix
+++ b/src/libflake/package.nix
@ -48,7 +48,7 @@ mkMesonLibrary (finalAttrs: {
      echo ${version} > ../../.version
    '';

-  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
+  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux") && !(stdenv.hostPlatform.useLLVM or false)) {
    LDFLAGS = "-fuse-ld=gold";
  };

--- a/src/libmain/package.nix
+++ b/src/libmain/package.nix
@ -45,7 +45,7 @@ mkMesonLibrary (finalAttrs: {
      echo ${version} > ../../.version
    '';

-  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
+  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux") && !(stdenv.hostPlatform.useLLVM or false)) {
    LDFLAGS = "-fuse-ld=gold";
  };

--- a/src/libstore/package.nix
+++ b/src/libstore/package.nix
@ -87,7 +87,7 @@ mkMesonLibrary (finalAttrs: {
    # https://github.com/NixOS/nixpkgs/issues/86131.
    BOOST_INCLUDEDIR = "${lib.getDev boost}/include";
    BOOST_LIBRARYDIR = "${lib.getLib boost}/lib";
-  } // lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
+  } // lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux") && !(stdenv.hostPlatform.useLLVM or false)) {
    LDFLAGS = "-fuse-ld=gold";
  };

--- a/src/libutil/file-system.cc
+++ b/src/libutil/file-system.cc
@ -31,12 +31,7 @@ namespace nix {

 namespace fs { using namespace std::filesystem; }

-/**
- * Treat the string as possibly an absolute path, by inspecting the
- * start of it. Return whether it was probably intended to be
- * absolute.
- */
-static bool isAbsolute(PathView path)
+bool isAbsolute(PathView path)
 {
    return fs::path { path }.is_absolute();
 }
--- a/src/libutil/file-system.hh
+++ b/src/libutil/file-system.hh
@ -42,6 +42,11 @@ namespace nix {
 struct Sink;
 struct Source;

+/**
+ * Return whether the path denotes an absolute path.
+ */
+bool isAbsolute(PathView path);
+
 /**
 * @return An absolutized path, resolving paths relative to the
 * specified directory, or the current directory otherwise.  The path
--- a/src/libutil/fs-sink.cc
+++ b/src/libutil/fs-sink.cc
@ -112,7 +112,7 @@ void RestoreSink::createRegularFile(const CanonPath & path, std::function<void(C
    crf.startFsync = startFsync;
    crf.fd =
 #ifdef _WIN32
-        CreateFileW(p.c_str(), GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)
+        CreateFileW(p.c_str(), GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL)
 #else
        open(p.c_str(), O_CREAT | O_EXCL | O_WRONLY | O_CLOEXEC, 0666)
 #endif
--- a/src/libutil/package.nix
+++ b/src/libutil/package.nix
@ -72,7 +72,7 @@ mkMesonLibrary (finalAttrs: {
    # https://github.com/NixOS/nixpkgs/issues/86131.
    BOOST_INCLUDEDIR = "${lib.getDev boost}/include";
    BOOST_LIBRARYDIR = "${lib.getLib boost}/lib";
-  } // lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
+  } // lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux") && !(stdenv.hostPlatform.useLLVM or false)) {
    LDFLAGS = "-fuse-ld=gold";
  };

--- a/src/libutil/source-accessor.cc
+++ b/src/libutil/source-accessor.cc
@ -115,7 +115,7 @@ CanonPath SourceAccessor::resolveSymlinks(
                        throw Error("infinite symlink recursion in path '%s'", showPath(path));
                    auto target = readLink(res);
                    res.pop();
-                    if (hasPrefix(target, "/"))
+                    if (isAbsolute(target))
                        res = CanonPath::root;
                    todo.splice(todo.begin(), tokenizeString<std::list<std::string>>(target, "/"));
                }
--- a/src/nix/flake.cc
+++ b/src/nix/flake.cc
@ -238,7 +238,7 @@ struct CmdFlakeMetadata : FlakeCommand, MixJSON
                j["lastModified"] = *lastModified;
            j["path"] = storePath;
            j["locks"] = lockedFlake.lockFile.toJSON().first;
-            if (auto fingerprint = lockedFlake.getFingerprint(store))
+            if (auto fingerprint = lockedFlake.getFingerprint(store, fetchSettings))
                j["fingerprint"] = fingerprint->to_string(HashFormat::Base16, false);
            logger->cout("%s", j.dump());
        } else {
@ -272,7 +272,7 @@ struct CmdFlakeMetadata : FlakeCommand, MixJSON
                logger->cout(
                    ANSI_BOLD "Last modified:" ANSI_NORMAL " %s",
                    std::put_time(std::localtime(&*lastModified), "%F %T"));
-            if (auto fingerprint = lockedFlake.getFingerprint(store))
+            if (auto fingerprint = lockedFlake.getFingerprint(store, fetchSettings))
                logger->cout(
                    ANSI_BOLD "Fingerprint:" ANSI_NORMAL "   %s",
                    fingerprint->to_string(HashFormat::Base16, false));
--- a/src/nix/package.nix
+++ b/src/nix/package.nix
@ -99,7 +99,7 @@ mkMesonExecutable (finalAttrs: {
  mesonFlags = [
  ];

-  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
+  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux") && !(stdenv.hostPlatform.useLLVM)) {
    LDFLAGS = "-fuse-ld=gold";
  };