Merge branch 'master' into fix-sandbox-escape

2025-06-25 02:21:16 +02:00 · 2024-06-26 18:11:39 -04:00 · 2024-06-26 18:11:39 -04:00 · 8a420162ab
commit 8a420162ab
parent d54590fdf3 5e4e3345d4
274 changed files with 3295 additions and 900 deletions
--- a/doc/manual/redirects.js
+++ b/doc/manual/redirects.js
@ -1,7 +1,7 @@
 // redirect rules for URL fragments (client-side) to prevent link rot.
 // this must be done on the client side, as web servers do not see the fragment part of the URL.
 // it will only work with JavaScript enabled in the browser, but this is the best we can do here.
-// see ./_redirects for path redirects (client-side)
+// see src/_redirects for path redirects (server-side)

 // redirects are declared as follows:
 // each entry has as its key a path matching the requested URL path, relative to the mdBook document root.
--- a/doc/manual/src/_redirects
+++ b/doc/manual/src/_redirects
@ -1,5 +1,5 @@
 # redirect rules for paths (server-side) to prevent link rot.
-# see ./redirects.js for redirects based on URL fragments (client-side)
+# see ../redirects.js for redirects based on URL fragments (client-side)
 #
 # concrete user story this supports:
 # - user finds URL to the manual for Nix x.y
--- a/doc/manual/src/contributing/testing.md
+++ b/doc/manual/src/contributing/testing.md
@ -114,6 +114,8 @@ On other platforms they wouldn't be run at all.
 The functional tests reside under the `tests/functional` directory and are listed in `tests/functional/local.mk`.
 Each test is a bash script.

+Functional tests are run during `installCheck` in the `nix` package build, as well as separately from the build, in VM tests.
+
 ### Running the whole test suite

 The whole test suite can be run with:
@ -252,13 +254,30 @@ Regressions are caught, and improvements always show up in code review.

 To ensure that characterisation testing doesn't make it harder to intentionally change these interfaces, there always must be an easy way to regenerate the expected output, as we do with `_NIX_TEST_ACCEPT=1`.

+### Running functional tests on NixOS
+
+We run the functional tests not just in the build, but also in VM tests.
+This helps us ensure that Nix works correctly on NixOS, and environments that have similar characteristics that are hard to reproduce in a build environment.
+
+The recommended way to run these tests during development is:
+
+```shell
+nix build .#hydraJobs.tests.functional_user.quickBuild
+```
+
+The `quickBuild` attribute configures the test to use a `nix` package that's built without integration tests, so that you can iterate on the tests without performing recompilations due to the changed sources for `installCheck`.
+
+Generally, this build is sufficient, but in nightly or CI we also test the attributes `functional_root` and `functional_trusted`, in which the test suite is run with different levels of authorization.
+
 ## Integration tests

 The integration tests are defined in the Nix flake under the `hydraJobs.tests` attribute.
 These tests include everything that needs to interact with external services or run Nix in a non-trivial distributed setup.
 Because these tests are expensive and require more than what the standard github-actions setup provides, they only run on the master branch (on <https://hydra.nixos.org/jobset/nix/master>).

-You can run them manually with `nix build .#hydraJobs.tests.{testName}` or `nix-build -A hydraJobs.tests.{testName}`
+You can run them manually with `nix build .#hydraJobs.tests.{testName}` or `nix-build -A hydraJobs.tests.{testName}`.
+
+If you are testing a build of `nix` that you haven't compiled yet, you may iterate faster by appending the `quickBuild` attribute: `nix build .#hydraJobs.tests.{testName}.quickBuild`.

 ## Installer tests

--- a/doc/manual/src/language/advanced-attributes.md
+++ b/doc/manual/src/language/advanced-attributes.md
@ -302,6 +302,12 @@ Derivations can declare some infrequently used optional attributes.
    (associative) arrays. For example, the attribute `hardening.format = true`
    ends up as the Bash associative array element `${hardening[format]}`.

+    > **Warning**
+    >
+    > If set to `true`, other advanced attributes such as [`allowedReferences`](#adv-attr-allowedReferences), [`allowedReferences`](#adv-attr-allowedReferences), [`allowedRequisites`](#adv-attr-allowedRequisites),
+    [`disallowedReferences`](#adv-attr-disallowedReferences) and [`disallowedRequisites`](#adv-attr-disallowedRequisites), maxSize, and maxClosureSize.
+    will have no effect.
+
  - [`outputChecks`]{#adv-attr-outputChecks}\
    When using [structured attributes](#adv-attr-structuredAttrs), the `outputChecks`
    attribute allows defining checks per-output.