wroclaw-git-backups/nix
1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-06-24 22:11:15 +02:00
Code Activity

Rework future tense in user-facing messages

Browse source
This commit is contained in:
Luc Perkins 2025-06-12 08:24:39 -07:00
parent 371fcf91c3
commit ab10fddc6e
No known key found for this signature in database
GPG key ID: C86EE5D85EE4DDA5
21 changed files with 141 additions and 144 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/libcmd/installables.cc
View file

@ -199,7 +199,7 @@ SourceExprCommand::SourceExprCommand()
.shortName = 'f', .shortName = 'f',
.description = .description =
"Interpret [*installables*](@docroot@/command-ref/new-cli/nix.md#installables) as attribute paths relative to the Nix expression stored in *file*. " "Interpret [*installables*](@docroot@/command-ref/new-cli/nix.md#installables) as attribute paths relative to the Nix expression stored in *file*. "
"If *file* is the character -, then a Nix expression will be read from standard input. " "If *file* is the character -, then a Nix expression is read from standard input. "
"Implies `--impure`.", "Implies `--impure`.",
.category = installablesCategory, .category = installablesCategory,
.labels = {"file"}, .labels = {"file"},

20
src/libexpr/include/nix/expr/eval-settings.hh
View file

@ -132,7 +132,7 @@ struct EvalSettings : Config
Setting<bool> restrictEval{ Setting<bool> restrictEval{
this, false, "restrict-eval", this, false, "restrict-eval",
R"( R"(
If set to `true`, the Nix evaluator will not allow access to any If set to `true`, the Nix evaluator doesn't allow access to any
files outside of files outside of
[`builtins.nixPath`](@docroot@/language/builtins.md#builtins-nixPath), [`builtins.nixPath`](@docroot@/language/builtins.md#builtins-nixPath),
or to URIs outside of or to URIs outside of
@ -157,7 +157,7 @@ struct EvalSettings : Config
R"( R"(
By default, Nix allows [Import from Derivation](@docroot@/language/import-from-derivation.md). By default, Nix allows [Import from Derivation](@docroot@/language/import-from-derivation.md).
When this setting is `true`, Nix will log a warning indicating that it performed such an import. When this setting is `true`, Nix logs a warning indicating that it performed such an import.
This option has no effect if `allow-import-from-derivation` is disabled. This option has no effect if `allow-import-from-derivation` is disabled.
)" )"
}; };
@ -167,9 +167,9 @@ struct EvalSettings : Config
R"( R"(
By default, Nix allows [Import from Derivation](@docroot@/language/import-from-derivation.md). By default, Nix allows [Import from Derivation](@docroot@/language/import-from-derivation.md).
With this option set to `false`, Nix will throw an error when evaluating an expression that uses this feature, With this option set to `false`, Nix throws an error when evaluating an expression that uses this feature,
even when the required store object is readily available. even when the required store object is readily available.
This ensures that evaluation will not require any builds to take place, This ensures that evaluation doesn't require any builds to take place,
regardless of the state of the store. regardless of the state of the store.
)"}; )"};
@ -188,8 +188,8 @@ struct EvalSettings : Config
Setting<bool> traceFunctionCalls{this, false, "trace-function-calls", Setting<bool> traceFunctionCalls{this, false, "trace-function-calls",
R"( R"(
If set to `true`, the Nix evaluator will trace every function call. If set to `true`, the Nix evaluator traces every function call.
Nix will print a log message at the "vomit" level for every function Nix prints a log message at the "vomit" level for every function
entrance and function exit. entrance and function exit.
function-trace entered undefined position at 1565795816999559622 function-trace entered undefined position at 1565795816999559622
@ -234,8 +234,8 @@ struct EvalSettings : Config
Setting<bool> ignoreExceptionsDuringTry{this, false, "ignore-try", Setting<bool> ignoreExceptionsDuringTry{this, false, "ignore-try",
R"( R"(
If set to true, ignore exceptions inside 'tryEval' calls when evaluating nix expressions in If set to true, ignore exceptions inside 'tryEval' calls when evaluating Nix expressions in
debug mode (using the --debugger flag). By default the debugger will pause on all exceptions. debug mode (using the --debugger flag). By default the debugger pauses on all exceptions.
)"}; )"};
Setting<bool> traceVerbose{this, false, "trace-verbose", Setting<bool> traceVerbose{this, false, "trace-verbose",
@ -247,7 +247,7 @@ struct EvalSettings : Config
Setting<bool> builtinsTraceDebugger{this, false, "debugger-on-trace", Setting<bool> builtinsTraceDebugger{this, false, "debugger-on-trace",
R"( R"(
If set to true and the `--debugger` flag is given, the following functions If set to true and the `--debugger` flag is given, the following functions
will enter the debugger like [`builtins.break`](@docroot@/language/builtins.md#builtins-break). enter the debugger like [`builtins.break`](@docroot@/language/builtins.md#builtins-break):
* [`builtins.trace`](@docroot@/language/builtins.md#builtins-trace) * [`builtins.trace`](@docroot@/language/builtins.md#builtins-trace)
* [`builtins.traceVerbose`](@docroot@/language/builtins.md#builtins-traceVerbose) * [`builtins.traceVerbose`](@docroot@/language/builtins.md#builtins-traceVerbose)
@ -269,7 +269,7 @@ struct EvalSettings : Config
Setting<bool> builtinsAbortOnWarn{this, false, "abort-on-warn", Setting<bool> builtinsAbortOnWarn{this, false, "abort-on-warn",
R"( R"(
If set to true, [`builtins.warn`](@docroot@/language/builtins.md#builtins-warn) will throw an error when logging a warning. If set to true, [`builtins.warn`](@docroot@/language/builtins.md#builtins-warn) throws an error when logging a warning.
This will give you a stack trace that leads to the location of the warning. This will give you a stack trace that leads to the location of the warning.

54
src/libexpr/primops.cc
View file

@ -345,7 +345,7 @@ static RegisterPrimOp primop_import({
> } > }
> ``` > ```
> >
> then the following `foo.nix` will give an error: > then the following `foo.nix` throws an error:
> >
> ```nix > ```nix
> # foo.nix > # foo.nix
@ -915,7 +915,7 @@ static RegisterPrimOp primop_ceil({
a NixInt and if `*number* < -9007199254740992` or `*number* > 9007199254740992`. a NixInt and if `*number* < -9007199254740992` or `*number* > 9007199254740992`.
If the datatype of *number* is neither a NixInt (signed 64-bit integer) nor a NixFloat If the datatype of *number* is neither a NixInt (signed 64-bit integer) nor a NixFloat
(IEEE-754 double-precision floating-point number), an evaluation error will be thrown. (IEEE-754 double-precision floating-point number), an evaluation error is thrown.
)", )",
.fun = prim_ceil, .fun = prim_ceil,
}); });
@ -1002,15 +1002,15 @@ static RegisterPrimOp primop_tryEval({
Try to shallowly evaluate *e*. Return a set containing the Try to shallowly evaluate *e*. Return a set containing the
attributes `success` (`true` if *e* evaluated successfully, attributes `success` (`true` if *e* evaluated successfully,
`false` if an error was thrown) and `value`, equalling *e* if `false` if an error was thrown) and `value`, equalling *e* if
successful and `false` otherwise. `tryEval` will only prevent successful and `false` otherwise. `tryEval` only prevents
errors created by `throw` or `assert` from being thrown. errors created by `throw` or `assert` from being thrown.
Errors `tryEval` will not catch are for example those created Errors `tryEval` doesn't catch are, for example, those created
by `abort` and type errors generated by builtins. Also note that by `abort` and type errors generated by builtins. Also note that
this doesn't evaluate *e* deeply, so `let e = { x = throw ""; }; this doesn't evaluate *e* deeply, so `let e = { x = throw ""; };
in (builtins.tryEval e).success` will be `true`. Using in (builtins.tryEval e).success` is `true`. Using
`builtins.deepSeq` one can get the expected result: `builtins.deepSeq` one can get the expected result:
`let e = { x = throw ""; }; in `let e = { x = throw ""; }; in
(builtins.tryEval (builtins.deepSeq e e)).success` will be (builtins.tryEval (builtins.deepSeq e e)).success` is
`false`. `false`.
`tryEval` intentionally does not return the error message, because that risks bringing non-determinism into the evaluation result, and it would become very difficult to improve error reporting without breaking existing expressions. `tryEval` intentionally does not return the error message, because that risks bringing non-determinism into the evaluation result, and it would become very difficult to improve error reporting without breaking existing expressions.
@ -1108,7 +1108,7 @@ static RegisterPrimOp primop_trace({
If the If the
[`debugger-on-trace`](@docroot@/command-ref/conf-file.md#conf-debugger-on-trace) [`debugger-on-trace`](@docroot@/command-ref/conf-file.md#conf-debugger-on-trace)
option is set to `true` and the `--debugger` flag is given, the option is set to `true` and the `--debugger` flag is given, the
interactive debugger will be started when `trace` is called (like interactive debugger is started when `trace` is called (like
[`break`](@docroot@/language/builtins.md#builtins-break)). [`break`](@docroot@/language/builtins.md#builtins-break)).
)", )",
.fun = prim_trace, .fun = prim_trace,
@ -1157,7 +1157,7 @@ static RegisterPrimOp primop_warn({
If the If the
[`abort-on-warn`](@docroot@/command-ref/conf-file.md#conf-abort-on-warn) [`abort-on-warn`](@docroot@/command-ref/conf-file.md#conf-abort-on-warn)
option is set, the evaluation will be aborted after the warning is printed. option is set, the evaluation is aborted after the warning is printed.
This is useful to reveal the stack trace of the warning, when the context is non-interactive and a debugger can not be launched. This is useful to reveal the stack trace of the warning, when the context is non-interactive and a debugger can not be launched.
)", )",
.fun = prim_warn, .fun = prim_warn,
@ -1634,7 +1634,7 @@ static RegisterPrimOp primop_placeholder({
.name = "placeholder", .name = "placeholder",
.args = {"output"}, .args = {"output"},
.doc = R"( .doc = R"(
Return at Return an
[output placeholder string](@docroot@/store/derivation/index.md#output-placeholder) [output placeholder string](@docroot@/store/derivation/index.md#output-placeholder)
for the specified *output* that will be substituted by the corresponding for the specified *output* that will be substituted by the corresponding
[output path](@docroot@/glossary.md#gloss-output-path) [output path](@docroot@/glossary.md#gloss-output-path)
@ -1799,7 +1799,7 @@ static RegisterPrimOp primop_baseNameOf({
After this, the *base name* is returned as previously described, assuming `/` as the directory separator. (Note that evaluation must be platform independent.) After this, the *base name* is returned as previously described, assuming `/` as the directory separator. (Note that evaluation must be platform independent.)
This is somewhat similar to the [GNU `basename`](https://www.gnu.org/software/coreutils/manual/html_node/basename-invocation.html) command, but GNU `basename` will strip any number of trailing slashes. This is somewhat similar to the [GNU `basename`](https://www.gnu.org/software/coreutils/manual/html_node/basename-invocation.html) command, but GNU `basename` strips any number of trailing slashes.
)", )",
.fun = prim_baseNameOf, .fun = prim_baseNameOf,
}); });
@ -1998,9 +1998,9 @@ static RegisterPrimOp primop_findFile(PrimOp {
> ] > ]
> ``` > ```
> >
> and a *lookup-path* value `"nixos-config"` will cause Nix to try `/home/eelco/Dev/nixos-config` and `/etc/nixos` in that order and return the first path that exists. > and a *lookup-path* value `"nixos-config"` causes Nix to try `/home/eelco/Dev/nixos-config` and `/etc/nixos` in that order and return the first path that exists.
If `path` starts with `http://` or `https://`, it is interpreted as the URL of a tarball that will be downloaded and unpacked to a temporary location. If `path` starts with `http://` or `https://`, it is interpreted as the URL of a tarball to be downloaded and unpacked to a temporary location.
The tarball must consist of a single top-level directory. The tarball must consist of a single top-level directory.
The URLs of the tarballs from the official `nixos.org` channels can be abbreviated as `channel:<channel-name>`. The URLs of the tarballs from the official `nixos.org` channels can be abbreviated as `channel:<channel-name>`.
@ -2147,7 +2147,7 @@ static RegisterPrimOp primop_readDir({
Return the contents of the directory *path* as a set mapping Return the contents of the directory *path* as a set mapping
directory entries to the corresponding file type. For instance, if directory entries to the corresponding file type. For instance, if
directory `A` contains a regular file `B` and another directory directory `A` contains a regular file `B` and another directory
`C`, then `builtins.readDir ./A` will return the set `C`, then `builtins.readDir ./A` returns the set
```nix ```nix
{ B = "regular"; C = "directory"; } { B = "regular"; C = "directory"; }
@ -2182,8 +2182,8 @@ static RegisterPrimOp primop_outputOf({
[input placeholder string](@docroot@/store/derivation/index.md#input-placeholder) [input placeholder string](@docroot@/store/derivation/index.md#input-placeholder)
if needed. if needed.
If the derivation has a statically-known output path (i.e. the derivation output is input-addressed, or fixed content-addressed), the output path will just be returned. If the derivation has a statically-known output path (i.e. the derivation output is input-addressed, or fixed content-addressed), the output path is returned.
But if the derivation is content-addressed or if the derivation is itself not-statically produced (i.e. is the output of another derivation), an input placeholder will be returned instead. But if the derivation is content-addressed or if the derivation is itself not-statically produced (i.e. is the output of another derivation), an input placeholder is returned instead.
*`derivation reference`* must be a string that may contain a regular store path to a derivation, or may be an input placeholder reference. *`derivation reference`* must be a string that may contain a regular store path to a derivation, or may be an input placeholder reference.
If the derivation is produced by a derivation, you must explicitly select `drv.outPath`. If the derivation is produced by a derivation, you must explicitly select `drv.outPath`.
@ -2196,7 +2196,7 @@ static RegisterPrimOp primop_outputOf({
"out" "out"
``` ```
will return a input placeholder for the output of the output of `myDrv`. returns an input placeholder for the output of the output of `myDrv`.
This primop corresponds to the `^` sigil for [deriving paths](@docroot@/glossary.md#gloss-deriving-paths), e.g. as part of installable syntax on the command line. This primop corresponds to the `^` sigil for [deriving paths](@docroot@/glossary.md#gloss-deriving-paths), e.g. as part of installable syntax on the command line.
)", )",
@ -2582,12 +2582,12 @@ static RegisterPrimOp primop_filterSource({
> >
> `filterSource` should not be used to filter store paths. Since > `filterSource` should not be used to filter store paths. Since
> `filterSource` uses the name of the input directory while naming > `filterSource` uses the name of the input directory while naming
> the output directory, doing so will produce a directory name in > the output directory, doing so produces a directory name in
> the form of `<hash2>-<hash>-<name>`, where `<hash>-<name>` is > the form of `<hash2>-<hash>-<name>`, where `<hash>-<name>` is
> the name of the input directory. Since `<hash>` depends on the > the name of the input directory. Since `<hash>` depends on the
> unfiltered directory, the name of the output directory will > unfiltered directory, the name of the output directory
> indirectly depend on files that are filtered out by the > indirectly depends on files that are filtered out by the
> function. This will trigger a rebuild even when a filtered out > function. This triggers a rebuild even when a filtered out
> file is changed. Use `builtins.path` instead, which allows > file is changed. Use `builtins.path` instead, which allows
> specifying the name of the output directory. > specifying the name of the output directory.
@ -2602,8 +2602,8 @@ static RegisterPrimOp primop_filterSource({
} }
``` ```
However, if `source-dir` is a Subversion working copy, then all However, if `source-dir` is a Subversion working copy, then all of
those annoying `.svn` subdirectories will also be copied to the those annoying `.svn` subdirectories are also copied to the
store. Worse, the contents of those directories may change a lot, store. Worse, the contents of those directories may change a lot,
causing lots of spurious rebuilds. With `filterSource` you can causing lots of spurious rebuilds. With `filterSource` you can
filter out the `.svn` directories: filter out the `.svn` directories:
@ -2623,8 +2623,8 @@ static RegisterPrimOp primop_filterSource({
`"regular"`, `"directory"`, `"symlink"` or `"unknown"` (for other `"regular"`, `"directory"`, `"symlink"` or `"unknown"` (for other
kinds of files such as device nodes or fifos but note that those kinds of files such as device nodes or fifos but note that those
cannot be copied to the Nix store, so if the predicate returns cannot be copied to the Nix store, so if the predicate returns
`true` for them, the copy will fail). If you exclude a directory, `true` for them, the copy fails). If you exclude a directory,
the entire corresponding subtree of *e2* will be excluded. the entire corresponding subtree of *e2* is excluded.
)", )",
.fun = prim_filterSource, .fun = prim_filterSource,
}); });
@ -2698,7 +2698,7 @@ static RegisterPrimOp primop_path({
- sha256\ - sha256\
When provided, this is the expected hash of the file at the When provided, this is the expected hash of the file at the
path. Evaluation will fail if the hash is incorrect, and path. Evaluation fails if the hash is incorrect, and
providing a hash allows `builtins.path` to be used even when the providing a hash allows `builtins.path` to be used even when the
`pure-eval` nix config option is on. `pure-eval` nix config option is on.
)", )",
@ -4806,7 +4806,7 @@ void EvalState::createBaseEnv(const EvalSettings & evalSettings)
.type = nInt, .type = nInt,
.doc = R"( .doc = R"(
Return the [Unix time](https://en.wikipedia.org/wiki/Unix_time) at first evaluation. Return the [Unix time](https://en.wikipedia.org/wiki/Unix_time) at first evaluation.
Repeated references to that name will re-use the initially obtained value. Repeated references to that name re-use the initially obtained value.
Example: Example:
@ -4821,7 +4821,7 @@ void EvalState::createBaseEnv(const EvalSettings & evalSettings)
1683705525 1683705525
``` ```
The [store path](@docroot@/store/store-path.md) of a derivation depending on `currentTime` will differ for each evaluation, unless both evaluate `builtins.currentTime` in the same second. The [store path](@docroot@/store/store-path.md) of a derivation depending on `currentTime` differs for each evaluation, unless both evaluate `builtins.currentTime` in the same second.
)", )",
.impureOnly = true, .impureOnly = true,
}); });

2
src/libexpr/primops/context.cc
View file

@ -240,7 +240,7 @@ static RegisterPrimOp primop_getContext({
The string context tracks references to derivations within a string. The string context tracks references to derivations within a string.
It is represented as an attribute set of [store derivation](@docroot@/glossary.md#gloss-store-derivation) paths mapping to output names. It is represented as an attribute set of [store derivation](@docroot@/glossary.md#gloss-store-derivation) paths mapping to output names.
Using [string interpolation](@docroot@/language/string-interpolation.md) on a derivation will add that derivation to the string context. Using [string interpolation](@docroot@/language/string-interpolation.md) on a derivation adds that derivation to the string context.
For example, For example,
```nix ```nix

2
src/libexpr/primops/fetchClosure.cc
View file

@ -214,7 +214,7 @@ static RegisterPrimOp primop_fetchClosure({
.doc = R"( .doc = R"(
Fetch a store path [closure](@docroot@/glossary.md#gloss-closure) from a binary cache, and return the store path as a string with context. Fetch a store path [closure](@docroot@/glossary.md#gloss-closure) from a binary cache, and return the store path as a string with context.
This function can be invoked in three ways, that we will discuss in order of preference. This function can be invoked in three ways that we will discuss in order of preference.
**Fetch a content-addressed store path** **Fetch a content-addressed store path**

16
src/libexpr/primops/fetchTree.cc
View file

@ -191,7 +191,7 @@ static void fetchTree(
input.to_string()); input.to_string());
else else
state.error<EvalError>( state.error<EvalError>(
"in pure evaluation mode, '%s' will not fetch unlocked input '%s'", "in pure evaluation mode, '%s' doesn't fetch unlocked input '%s'",
fetcher, input.to_string()).atPos(pos).debugThrow(); fetcher, input.to_string()).atPos(pos).debugThrow();
} }
@ -243,7 +243,7 @@ static RegisterPrimOp primop_fetchTree({
That is, `fetchTree` is idempotent. That is, `fetchTree` is idempotent.
Downloads are cached in `$XDG_CACHE_HOME/nix`. Downloads are cached in `$XDG_CACHE_HOME/nix`.
The remote source will be fetched from the network if both are true: The remote source is fetched from the network if both are true:
- A NAR hash is supplied and the corresponding store path is not [valid](@docroot@/glossary.md#gloss-validity), that is, not available in the store - A NAR hash is supplied and the corresponding store path is not [valid](@docroot@/glossary.md#gloss-validity), that is, not available in the store
> **Note** > **Note**
@ -338,7 +338,7 @@ static RegisterPrimOp primop_fetchTree({
> **Note** > **Note**
> >
> If the URL points to a local directory, and no `ref` or `rev` is given, Nix will only consider files added to the Git index, as listed by `git ls-files` but use the *current file contents* of the Git working directory. > If the URL points to a local directory, and no `ref` or `rev` is given, Nix only considers files added to the Git index, as listed by `git ls-files` but use the *current file contents* of the Git working directory.
- `ref` (String, optional) - `ref` (String, optional)
@ -681,7 +681,7 @@ static RegisterPrimOp primop_fetchGit({
This option has no effect once `shallow` cloning is enabled. This option has no effect once `shallow` cloning is enabled.
By default, the `ref` value is prefixed with `refs/heads/`. By default, the `ref` value is prefixed with `refs/heads/`.
As of 2.3.0, Nix will not prefix `refs/heads/` if `ref` starts with `refs/`. As of 2.3.0, Nix doesn't prefix `refs/heads/` if `ref` starts with `refs/`.
- `submodules` (default: `false`) - `submodules` (default: `false`)
@ -840,7 +840,7 @@ static RegisterPrimOp primop_fetchGit({
} }
``` ```
Nix will refetch the branch according to the [`tarball-ttl`](@docroot@/command-ref/conf-file.md#conf-tarball-ttl) setting. Nix refetches the branch according to the [`tarball-ttl`](@docroot@/command-ref/conf-file.md#conf-tarball-ttl) setting.
This behavior is disabled in [pure evaluation mode](@docroot@/command-ref/conf-file.md#conf-pure-eval). This behavior is disabled in [pure evaluation mode](@docroot@/command-ref/conf-file.md#conf-pure-eval).
@ -851,9 +851,9 @@ static RegisterPrimOp primop_fetchGit({
``` ```
If the URL points to a local directory, and no `ref` or `rev` is If the URL points to a local directory, and no `ref` or `rev` is
given, `fetchGit` will use the current content of the checked-out given, `fetchGit` uses the current content of the checked-out
files, even if they are not committed or added to Git's index. It will files, even if they are not committed or added to Git's index. It
only consider files added to the Git repository, as listed by `git ls-files`. only considers files added to the Git repository, as listed by `git ls-files`.
)", )",
.fun = prim_fetchGit, .fun = prim_fetchGit,
}); });

6
src/libfetchers/include/nix/fetchers/fetch-settings.hh
View file

@ -28,7 +28,7 @@ struct Settings : public Config
space-separated `host=token` values. The specific token space-separated `host=token` values. The specific token
used is selected by matching the `host` portion against the used is selected by matching the `host` portion against the
"host" specification of the input. The `host` portion may "host" specification of the input. The `host` portion may
contain a path element which will match against the prefix contain a path element which matches against the prefix
URL for the input. (eg: `github.com/org=token`). The actual use URL for the input. (eg: `github.com/org=token`). The actual use
of the `token` value is determined by the type of resource of the `token` value is determined by the type of resource
being accessed: being accessed:
@ -95,11 +95,11 @@ struct Settings : public Config
Setting<bool> trustTarballsFromGitForges{ Setting<bool> trustTarballsFromGitForges{
this, true, "trust-tarballs-from-git-forges", this, true, "trust-tarballs-from-git-forges",
R"( R"(
If enabled (the default), Nix will consider tarballs from If enabled (the default), Nix considers tarballs from
GitHub and similar Git forges to be locked if a Git revision GitHub and similar Git forges to be locked if a Git revision
is specified, is specified,
e.g. `github:NixOS/patchelf/7c2f768bf9601268a4e71c2ebe91e2011918a70f`. e.g. `github:NixOS/patchelf/7c2f768bf9601268a4e71c2ebe91e2011918a70f`.
This requires Nix to trust that the provider will return the This requires Nix to trust that the provider returns the
correct contents for the specified Git revision. correct contents for the specified Git revision.
If disabled, such tarballs are only considered locked if a If disabled, such tarballs are only considered locked if a

4
src/libflake/flake.cc
View file

@ -794,10 +794,10 @@ LockedFlake lockFlake(
if (auto unlockedInput = newLockFile.isUnlocked(state.fetchSettings)) { if (auto unlockedInput = newLockFile.isUnlocked(state.fetchSettings)) {
if (lockFlags.failOnUnlocked) if (lockFlags.failOnUnlocked)
throw Error( throw Error(
"Will not write lock file of flake '%s' because it has an unlocked input ('%s'). " "Not writing lock file of flake '%s' because it has an unlocked input ('%s'). "
"Use '--allow-dirty-locks' to allow this anyway.", topRef, *unlockedInput); "Use '--allow-dirty-locks' to allow this anyway.", topRef, *unlockedInput);
if (state.fetchSettings.warnDirty) if (state.fetchSettings.warnDirty)
warn("will not write lock file of flake '%s' because it has an unlocked input ('%s')", topRef, *unlockedInput); warn("not writing lock file of flake '%s' because it has an unlocked input ('%s')", topRef, *unlockedInput);
} else { } else {
if (!lockFlags.updateLockFile) if (!lockFlags.updateLockFile)
throw Error("flake '%s' requires lock file changes but they're not allowed due to '--no-update-lock-file'", topRef); throw Error("flake '%s' requires lock file changes but they're not allowed due to '--no-update-lock-file'", topRef);

8
src/libmain/plugin.cc
View file

@ -43,9 +43,9 @@ struct PluginSettings : Config
{}, {},
"plugin-files", "plugin-files",
R"( R"(
A list of plugin files to be loaded by Nix. Each of these files will A list of plugin files to be loaded by Nix. Each of these files is
be dlopened by Nix. If they contain the symbol `nix_plugin_entry()`, dlopened by Nix. If they contain the symbol `nix_plugin_entry()`,
this symbol will be called. Alternatively, they can affect execution this symbol is called. Alternatively, they can affect execution
through static initialization. In particular, these plugins may construct through static initialization. In particular, these plugins may construct
static instances of RegisterPrimOp to add new primops or constants to the static instances of RegisterPrimOp to add new primops or constants to the
expression language, RegisterStoreImplementation to add new store expression language, RegisterStoreImplementation to add new store
@ -60,7 +60,7 @@ struct PluginSettings : Config
itself, they must be DSOs compatible with the instance of Nix itself, they must be DSOs compatible with the instance of Nix
running at the time (i.e. compiled against the same headers, not running at the time (i.e. compiled against the same headers, not
linked to any incompatible libraries). They should not be linked to linked to any incompatible libraries). They should not be linked to
any Nix libs directly, as those will be available already at load any Nix libraries directly, as those are already available at load
time. time.
If an entry in the list is a directory, all files in the directory If an entry in the list is a directory, all files in the directory

2
src/libstore/include/nix/store/filetransfer.hh
View file

@ -46,7 +46,7 @@ struct FileTransferSettings : Config
)"}; )"};
Setting<unsigned int> tries{this, 5, "download-attempts", Setting<unsigned int> tries{this, 5, "download-attempts",
"How often Nix will attempt to download a file before giving up."}; "The number of times Nix attempts to download a file before giving up."};
Setting<size_t> downloadBufferSize{this, 64 * 1024 * 1024, "download-buffer-size", Setting<size_t> downloadBufferSize{this, 64 * 1024 * 1024, "download-buffer-size",
R"( R"(

123
src/libstore/include/nix/store/globals.hh
View file

@ -109,7 +109,7 @@ public:
Setting<bool> tryFallback{ Setting<bool> tryFallback{
this, false, "fallback", this, false, "fallback",
R"( R"(
If set to `true`, Nix will fall back to building from source if a If set to `true`, Nix falls back to building from source if a
binary substitute fails. This is equivalent to the `--fallback` binary substitute fails. This is equivalent to the `--fallback`
flag. The default is `false`. flag. The default is `false`.
)", )",
@ -127,11 +127,11 @@ public:
MaxBuildJobsSetting maxBuildJobs{ MaxBuildJobsSetting maxBuildJobs{
this, 1, "max-jobs", this, 1, "max-jobs",
R"( R"(
Maximum number of jobs that Nix will try to build locally in parallel. Maximum number of jobs that Nix tries to build locally in parallel.
The special value `auto` causes Nix to use the number of CPUs in your system. The special value `auto` causes Nix to use the number of CPUs in your system.
Use `0` to disable local builds and directly use the remote machines specified in [`builders`](#conf-builders). Use `0` to disable local builds and directly use the remote machines specified in [`builders`](#conf-builders).
This will not affect derivations that have [`preferLocalBuild = true`](@docroot@/language/advanced-attributes.md#adv-attr-preferLocalBuild), which are always built locally. This doesn't affect derivations that have [`preferLocalBuild = true`](@docroot@/language/advanced-attributes.md#adv-attr-preferLocalBuild), which are always built locally.
> **Note** > **Note**
> >
@ -146,8 +146,8 @@ public:
this, 16, "max-substitution-jobs", this, 16, "max-substitution-jobs",
R"( R"(
This option defines the maximum number of substitution jobs that Nix This option defines the maximum number of substitution jobs that Nix
will try to run in parallel. The default is `16`. The minimum value tries to run in parallel. The default is `16`. The minimum value
one can choose is `1` and lower values will be interpreted as `1`. one can choose is `1` and lower values are interpreted as `1`.
)", )",
{"substitution-max-jobs"}}; {"substitution-max-jobs"}};
@ -164,7 +164,7 @@ public:
A very generic example using `derivation` and `xargs` may be more appropriate to explain the mechanism. A very generic example using `derivation` and `xargs` may be more appropriate to explain the mechanism.
Using `mkDerivation` as an example requires being aware of that there are multiple independent layers that are completely opaque here. Using `mkDerivation` as an example requires being aware of that there are multiple independent layers that are completely opaque here.
--> -->
For instance, in Nixpkgs, if the attribute `enableParallelBuilding` for the `mkDerivation` build helper is set to `true`, it will pass the `-j${NIX_BUILD_CORES}` flag to GNU Make. For instance, in Nixpkgs, if the attribute `enableParallelBuilding` for the `mkDerivation` build helper is set to `true`, it passes the `-j${NIX_BUILD_CORES}` flag to GNU Make.
The value `0` means that the `builder` should use all available CPU cores in the system. The value `0` means that the `builder` should use all available CPU cores in the system.
@ -186,7 +186,7 @@ public:
this, NIX_LOCAL_SYSTEM, "system", this, NIX_LOCAL_SYSTEM, "system",
R"( R"(
The system type of the current Nix installation. The system type of the current Nix installation.
Nix will only build a given [store derivation](@docroot@/glossary.md#gloss-store-derivation) locally when its `system` attribute equals any of the values specified here or in [`extra-platforms`](#conf-extra-platforms). Nix only builds a given [store derivation](@docroot@/glossary.md#gloss-store-derivation) locally when its `system` attribute equals any of the values specified here or in [`extra-platforms`](#conf-extra-platforms).
The default value is set when Nix itself is compiled for the system it will run on. The default value is set when Nix itself is compiled for the system it will run on.
The following system types are widely used, as Nix is actively supported on these platforms: The following system types are widely used, as Nix is actively supported on these platforms:
@ -292,28 +292,28 @@ public:
> `i686-linux,x86_64-linux` > `i686-linux,x86_64-linux`
3. The SSH identity file to be used to log in to the remote machine. 3. The SSH identity file to be used to log in to the remote machine.
If omitted, SSH will use its regular identities. If omitted, SSH uses its regular identities.
> **Example** > **Example**
> >
> `/home/user/.ssh/id_mac` > `/home/user/.ssh/id_mac`
4. The maximum number of builds that Nix will execute in parallel on the machine. 4. The maximum number of builds that Nix executes in parallel on the machine.
Typically this should be equal to the number of CPU cores. Typically this should be equal to the number of CPU cores.
5. The speed factor, indicating the relative speed of the machine as a positive integer. 5. The speed factor, indicating the relative speed of the machine as a positive integer.
If there are multiple machines of the right type, Nix will prefer the fastest, taking load into account. If there are multiple machines of the right type, Nix prefers the fastest, taking load into account.
6. A comma-separated list of supported [system features](#conf-system-features). 6. A comma-separated list of supported [system features](#conf-system-features).
A machine will only be used to build a derivation if all the features in the derivation's [`requiredSystemFeatures`](@docroot@/language/advanced-attributes.html#adv-attr-requiredSystemFeatures) attribute are supported by that machine. A machine is only used to build a derivation if all the features in the derivation's [`requiredSystemFeatures`](@docroot@/language/advanced-attributes.html#adv-attr-requiredSystemFeatures) attribute are supported by that machine.
7. A comma-separated list of required [system features](#conf-system-features). 7. A comma-separated list of required [system features](#conf-system-features).
A machine will only be used to build a derivation if all of the machines required features appear in the derivations [`requiredSystemFeatures`](@docroot@/language/advanced-attributes.html#adv-attr-requiredSystemFeatures) attribute. A machine is only used to build a derivation if all of the machines required features appear in the derivations [`requiredSystemFeatures`](@docroot@/language/advanced-attributes.html#adv-attr-requiredSystemFeatures) attribute.
8. The (base64-encoded) public host key of the remote machine. 8. The (base64-encoded) public host key of the remote machine.
If omitted, SSH will use its regular `known_hosts` file. If omitted, SSH uses its regular `known_hosts` file.
The value for this field can be obtained via `base64 -w0`. The value for this field can be obtained via `base64 -w0`.
@ -335,7 +335,7 @@ public:
> nix@poochie.labs.cs.uu.nl i686-linux /home/nix/.ssh/id_scratchy 1 2 kvm benchmark > nix@poochie.labs.cs.uu.nl i686-linux /home/nix/.ssh/id_scratchy 1 2 kvm benchmark
> ``` > ```
> >
> However, `poochie` will only build derivations that have the attribute > However, `poochie` only builds derivations that have the attribute
> >
> ```nix > ```nix
> requiredSystemFeatures = [ "benchmark" ]; > requiredSystemFeatures = [ "benchmark" ];
@ -348,7 +348,7 @@ public:
> ``` > ```
> >
> `itchy` cannot do builds that require `kvm`, but `scratchy` does support such builds. > `itchy` cannot do builds that require `kvm`, but `scratchy` does support such builds.
> For regular builds, `itchy` will be preferred over `scratchy` because it has a higher speed factor. > For regular builds, `itchy` is preferred over `scratchy` because it has a higher speed factor.
For Nix to use substituters, the calling user must be in the [`trusted-users`](#conf-trusted-users) list. For Nix to use substituters, the calling user must be in the [`trusted-users`](#conf-trusted-users) list.
@ -372,15 +372,15 @@ public:
Setting<bool> alwaysAllowSubstitutes{ Setting<bool> alwaysAllowSubstitutes{
this, false, "always-allow-substitutes", this, false, "always-allow-substitutes",
R"( R"(
If set to `true`, Nix will ignore the [`allowSubstitutes`](@docroot@/language/advanced-attributes.md) attribute in derivations and always attempt to use [available substituters](#conf-substituters). If set to `true`, Nix ignores the [`allowSubstitutes`](@docroot@/language/advanced-attributes.md) attribute in derivations and always attempt to use [available substituters](#conf-substituters).
)"}; )"};
Setting<bool> buildersUseSubstitutes{ Setting<bool> buildersUseSubstitutes{
this, false, "builders-use-substitutes", this, false, "builders-use-substitutes",
R"( R"(
If set to `true`, Nix will instruct [remote build machines](#conf-builders) to use their own [`substituters`](#conf-substituters) if available. If set to `true`, Nix instructs [remote build machines](#conf-builders) to use their own [`substituters`](#conf-substituters) if available.
It means that remote build hosts will fetch as many dependencies as possible from their own substituters (e.g, from `cache.nixos.org`) instead of waiting for the local machine to upload them all. It means that remote build hosts fetches as many dependencies as possible from their own substituters (e.g, from `cache.nixos.org`) instead of waiting for the local machine to upload them all.
This can drastically reduce build times if the network connection between the local machine and the remote build host is slow. This can drastically reduce build times if the network connection between the local machine and the remote build host is slow.
)"}; )"};
@ -415,7 +415,7 @@ public:
Setting<bool> useSubstitutes{ Setting<bool> useSubstitutes{
this, true, "substitute", this, true, "substitute",
R"( R"(
If set to `true` (default), Nix will use binary substitutes if If set to `true` (default), Nix uses binary substitutes if
available. This option can be disabled to force building from available. This option can be disabled to force building from
source. source.
)", )",
@ -432,11 +432,11 @@ public:
since that would allow him/her to influence the build result. since that would allow him/her to influence the build result.
Therefore, if this option is non-empty and specifies a valid group, Therefore, if this option is non-empty and specifies a valid group,
builds will be performed under the user accounts that are a member builds are performed under the user accounts that are a member
of the group specified here (as listed in `/etc/group`). Those user of the group specified here (as listed in `/etc/group`). Those user
accounts should not be used for any other purpose\! accounts should not be used for any other purpose\!
Nix will never run two builds under the same user account at the Nix never runs two builds under the same user account at the
same time. This is to prevent an obvious security hole: a malicious same time. This is to prevent an obvious security hole: a malicious
user writing a Nix expression that modifies the build result of a user writing a Nix expression that modifies the build result of a
legitimate Nix expression being built by another user. Therefore it legitimate Nix expression being built by another user. Therefore it
@ -448,7 +448,7 @@ public:
by the Nix account, its group should be the group specified here, by the Nix account, its group should be the group specified here,
and its mode should be `1775`. and its mode should be `1775`.
If the build users group is empty, builds will be performed under If the build users group is empty, builds areperformed under
the uid of the Nix process (that is, the uid of the caller if the uid of the Nix process (that is, the uid of the caller if
`NIX_REMOTE` is empty, the uid under which the Nix daemon runs if `NIX_REMOTE` is empty, the uid under which the Nix daemon runs if
`NIX_REMOTE` is `daemon`). Obviously, this should not be used `NIX_REMOTE` is `daemon`). Obviously, this should not be used
@ -503,7 +503,7 @@ public:
Setting<bool> keepLog{ Setting<bool> keepLog{
this, true, "keep-build-log", this, true, "keep-build-log",
R"( R"(
If set to `true` (the default), Nix will write the build log of a If set to `true` (the default), Nix writes the build log of a
derivation (i.e. the standard output and error of its builder) to derivation (i.e. the standard output and error of its builder) to
the directory `/nix/var/log/nix/drvs`. The build log can be the directory `/nix/var/log/nix/drvs`. The build log can be
retrieved using the command `nix-store -l path`. retrieved using the command `nix-store -l path`.
@ -514,8 +514,8 @@ public:
this, true, "compress-build-log", this, true, "compress-build-log",
R"( R"(
If set to `true` (the default), build logs written to If set to `true` (the default), build logs written to
`/nix/var/log/nix/drvs` will be compressed on the fly using bzip2. `/nix/var/log/nix/drvs` are compressed on the fly using bzip2.
Otherwise, they will not be compressed. Otherwise, they are not compressed.
)", )",
{"build-compress-log"}}; {"build-compress-log"}};
@ -534,14 +534,14 @@ public:
Setting<bool> gcKeepOutputs{ Setting<bool> gcKeepOutputs{
this, false, "keep-outputs", this, false, "keep-outputs",
R"( R"(
If `true`, the garbage collector will keep the outputs of If `true`, the garbage collector keeps the outputs of
non-garbage derivations. If `false` (default), outputs will be non-garbage derivations. If `false` (default), outputs are
deleted unless they are GC roots themselves (or reachable from other deleted unless they are GC roots themselves (or reachable from other
roots). roots).
In general, outputs must be registered as roots separately. However, In general, outputs must be registered as roots separately. However,
even if the output of a derivation is registered as a root, the even if the output of a derivation is registered as a root, the
collector will still delete store paths that are used only at build collector still deletes store paths that are used only at build
time (e.g., the C compiler, or source tarballs downloaded from the time (e.g., the C compiler, or source tarballs downloaded from the
network). To prevent it from doing so, set this option to `true`. network). To prevent it from doing so, set this option to `true`.
)", )",
@ -550,9 +550,9 @@ public:
Setting<bool> gcKeepDerivations{ Setting<bool> gcKeepDerivations{
this, true, "keep-derivations", this, true, "keep-derivations",
R"( R"(
If `true` (default), the garbage collector will keep the derivations If `true` (default), the garbage collector keeps the derivations
from which non-garbage store paths were built. If `false`, they will from which non-garbage store paths were built. If `false`, they are
be deleted unless explicitly registered as a root (or reachable from deleted unless explicitly registered as a root (or reachable from
other roots). other roots).
Keeping derivation around is useful for querying and traceability Keeping derivation around is useful for querying and traceability
@ -582,7 +582,7 @@ public:
If `true`, when you add a Nix derivation to a user environment, the If `true`, when you add a Nix derivation to a user environment, the
path of the derivation is stored in the user environment. Thus, the path of the derivation is stored in the user environment. Thus, the
derivation will not be garbage-collected until the user environment derivation isn't garbage-collected until the user environment
generation is deleted (`nix-env --delete-generations`). To prevent generation is deleted (`nix-env --delete-generations`). To prevent
build-time-only dependencies from being collected, you should also build-time-only dependencies from being collected, you should also
turn on `keep-outputs`. turn on `keep-outputs`.
@ -603,9 +603,9 @@ public:
#endif #endif
, "sandbox", , "sandbox",
R"( R"(
If set to `true`, builds will be performed in a *sandboxed If set to `true`, builds are performed in a *sandboxed
environment*, i.e., theyre isolated from the normal file system environment*, i.e., theyre isolated from the normal file system
hierarchy and will only see their dependencies in the Nix store, hierarchy and only see their dependencies in the Nix store,
the temporary build directory, private versions of `/proc`, the temporary build directory, private versions of `/proc`,
`/dev`, `/dev/shm` and `/dev/pts` (on Linux), and the paths `/dev`, `/dev/shm` and `/dev/pts` (on Linux), and the paths
configured with the `sandbox-paths` option. This is useful to configured with the `sandbox-paths` option. This is useful to
@ -634,13 +634,13 @@ public:
R"( R"(
A list of paths bind-mounted into Nix sandbox environments. You can A list of paths bind-mounted into Nix sandbox environments. You can
use the syntax `target=source` to mount a path in a different use the syntax `target=source` to mount a path in a different
location in the sandbox; for instance, `/bin=/nix-bin` will mount location in the sandbox; for instance, `/bin=/nix-bin` mounts
the path `/nix-bin` as `/bin` inside the sandbox. If *source* is the path `/nix-bin` as `/bin` inside the sandbox. If *source* is
followed by `?`, then it is not an error if *source* does not exist; followed by `?`, then it is not an error if *source* does not exist;
for example, `/dev/nvidiactl?` specifies that `/dev/nvidiactl` will for example, `/dev/nvidiactl?` specifies that `/dev/nvidiactl`
only be mounted in the sandbox if it exists in the host filesystem. only be mounted in the sandbox if it exists in the host filesystem.
If the source is in the Nix store, then its closure will be added to If the source is in the Nix store, then its closure is added to
the sandbox as well. the sandbox as well.
Depending on how Nix was built, the default value for this option Depending on how Nix was built, the default value for this option
@ -655,15 +655,15 @@ public:
Setting<bool> requireDropSupplementaryGroups{this, isRootUser(), "require-drop-supplementary-groups", Setting<bool> requireDropSupplementaryGroups{this, isRootUser(), "require-drop-supplementary-groups",
R"( R"(
Following the principle of least privilege, Following the principle of least privilege,
Nix will attempt to drop supplementary groups when building with sandboxing. Nix attempts to drop supplementary groups when building with sandboxing.
However this can fail under some circumstances. However this can fail under some circumstances.
For example, if the user lacks the `CAP_SETGID` capability. For example, if the user lacks the `CAP_SETGID` capability.
Search `setgroups(2)` for `EPERM` to find more detailed information on this. Search `setgroups(2)` for `EPERM` to find more detailed information on this.
If you encounter such a failure, setting this option to `false` will let you ignore it and continue. If you encounter such a failure, setting this option to `false` enables you to ignore it and continue.
But before doing so, you should consider the security implications carefully. But before doing so, you should consider the security implications carefully.
Not dropping supplementary groups means the build sandbox will be less restricted than intended. Not dropping supplementary groups means the build sandbox is less restricted than intended.
This option defaults to `true` when the user is root This option defaults to `true` when the user is root
(since `root` usually has permissions to call setgroups) (since `root` usually has permissions to call setgroups)
@ -699,12 +699,12 @@ public:
R"( R"(
The directory on the host, in which derivations' temporary build directories are created. The directory on the host, in which derivations' temporary build directories are created.
If not set, Nix will use the system temporary directory indicated by the `TMPDIR` environment variable. If not set, Nix uses the system temporary directory indicated by the `TMPDIR` environment variable.
Note that builds are often performed by the Nix daemon, so its `TMPDIR` is used, and not that of the Nix command line interface. Note that builds are often performed by the Nix daemon, so its `TMPDIR` is used, and not that of the Nix command line interface.
This is also the location where [`--keep-failed`](@docroot@/command-ref/opt-common.md#opt-keep-failed) leaves its files. This is also the location where [`--keep-failed`](@docroot@/command-ref/opt-common.md#opt-keep-failed) leaves its files.
If Nix runs without sandbox, or if the platform does not support sandboxing with bind mounts (e.g. macOS), then the [`builder`](@docroot@/language/derivations.md#attr-builder)'s environment will contain this directory, instead of the virtual location [`sandbox-build-dir`](#conf-sandbox-build-dir). If Nix runs without sandbox, or if the platform does not support sandboxing with bind mounts (e.g. macOS), then the [`builder`](@docroot@/language/derivations.md#attr-builder)'s environment contains this directory instead of the virtual location [`sandbox-build-dir`](#conf-sandbox-build-dir).
)"}; )"};
Setting<PathSet> allowedImpureHostPrefixes{this, {}, "allowed-impure-host-deps", Setting<PathSet> allowedImpureHostPrefixes{this, {}, "allowed-impure-host-deps",
@ -745,12 +745,11 @@ public:
3. The path to the build's derivation 3. The path to the build's derivation
4. The path to the build's scratch directory. This directory will 4. The path to the build's scratch directory. This directory
exist only if the build was run with `--keep-failed`. exists only if the build was run with `--keep-failed`.
The stderr and stdout output from the diff hook will not be The stderr and stdout output from the diff hook isn't
displayed to the user. Instead, it will print to the nix-daemon's displayed to the user. Instead, it print to the nix-daemon's log.
log.
When using the Nix daemon, `diff-hook` must be set in the `nix.conf` When using the Nix daemon, `diff-hook` must be set in the `nix.conf`
configuration file, and cannot be passed at the command line. configuration file, and cannot be passed at the command line.
@ -788,8 +787,8 @@ public:
this, 60 * 60, "tarball-ttl", this, 60 * 60, "tarball-ttl",
R"( R"(
The number of seconds a downloaded tarball is considered fresh. If The number of seconds a downloaded tarball is considered fresh. If
the cached tarball is stale, Nix will check whether it is still up the cached tarball is stale, Nix checks whether it is still up
to date using the ETag header. Nix will download a new version if to date using the ETag header. Nix downloads a new version if
the ETag header is unsupported, or the cached ETag doesn't match. the ETag header is unsupported, or the cached ETag doesn't match.
Setting the TTL to `0` forces Nix to always check if the tarball is Setting the TTL to `0` forces Nix to always check if the tarball is
@ -824,7 +823,7 @@ public:
R"( R"(
System types of executables that can be run on this machine. System types of executables that can be run on this machine.
Nix will only build a given [store derivation](@docroot@/glossary.md#gloss-store-derivation) locally when its `system` attribute equals any of the values specified here or in the [`system` option](#conf-system). Nix only builds a given [store derivation](@docroot@/glossary.md#gloss-store-derivation) locally when its `system` attribute equals any of the values specified here or in the [`system` option](#conf-system).
Setting this can be useful to build derivations locally on compatible machines: Setting this can be useful to build derivations locally on compatible machines:
- `i686-linux` executables can be run on `x86_64-linux` machines (set by default) - `i686-linux` executables can be run on `x86_64-linux` machines (set by default)
@ -834,7 +833,7 @@ public:
- `qemu-user` may be used to support non-native platforms (though this - `qemu-user` may be used to support non-native platforms (though this
may be slow and buggy) may be slow and buggy)
Build systems will usually detect the target platform to be the current physical system and therefore produce machine code incompatible with what may be intended in the derivation. Build systems usually detect the target platform to be the current physical system and therefore produce machine code incompatible with what may be intended in the derivation.
You should design your derivation's `builder` accordingly and cross-check the results when using this option against natively-built versions of your derivation. You should design your derivation's `builder` accordingly and cross-check the results when using this option against natively-built versions of your derivation.
)", )",
{}, {},
@ -924,7 +923,7 @@ public:
this, 3600, "narinfo-cache-negative-ttl", this, 3600, "narinfo-cache-negative-ttl",
R"( R"(
The TTL in seconds for negative lookups. The TTL in seconds for negative lookups.
If a store path is queried from a [substituter](#conf-substituters) but was not found, there will be a negative lookup cached in the local disk cache database for the specified duration. If a store path is queried from a [substituter](#conf-substituters) but was not found, a negative lookup is cached in the local disk cache database for the specified duration.
Set to `0` to force updating the lookup cache. Set to `0` to force updating the lookup cache.
@ -940,7 +939,7 @@ public:
this, 30 * 24 * 3600, "narinfo-cache-positive-ttl", this, 30 * 24 * 3600, "narinfo-cache-positive-ttl",
R"( R"(
The TTL in seconds for positive lookups. If a store path is queried The TTL in seconds for positive lookups. If a store path is queried
from a substituter, the result of the query will be cached in the from a substituter, the result of the query is cached in the
local disk cache database including some of the NAR metadata. The local disk cache database including some of the NAR metadata. The
default TTL is a month, setting a shorter TTL for positive lookups default TTL is a month, setting a shorter TTL for positive lookups
can be useful for binary caches that have frequent garbage can be useful for binary caches that have frequent garbage
@ -1026,7 +1025,7 @@ public:
Setting<std::string> netrcFile{ Setting<std::string> netrcFile{
this, fmt("%s/%s", nixConfDir, "netrc"), "netrc-file", this, fmt("%s/%s", nixConfDir, "netrc"), "netrc-file",
R"( R"(
If set to an absolute path to a `netrc` file, Nix will use the HTTP If set to an absolute path to a `netrc` file, Nix uses the HTTP
authentication credentials in this file when trying to download from authentication credentials in this file when trying to download from
a remote host through HTTP or HTTPS. Defaults to a remote host through HTTP or HTTPS. Defaults to
`$NIX_CONF_DIR/netrc`. `$NIX_CONF_DIR/netrc`.
@ -1052,7 +1051,7 @@ public:
this, getDefaultSSLCertFile(), "ssl-cert-file", this, getDefaultSSLCertFile(), "ssl-cert-file",
R"( R"(
The path of a file containing CA certificates used to The path of a file containing CA certificates used to
authenticate `https://` downloads. Nix by default will use authenticate `https://` downloads. Nix by default uses
the first of the following files that exists: the first of the following files that exists:
1. `/etc/ssl/certs/ca-certificates.crt` 1. `/etc/ssl/certs/ca-certificates.crt`
@ -1084,7 +1083,7 @@ public:
(Linux-specific.) By default, builders on Linux cannot acquire new (Linux-specific.) By default, builders on Linux cannot acquire new
privileges by calling setuid/setgid programs or programs that have privileges by calling setuid/setgid programs or programs that have
file capabilities. For example, programs such as `sudo` or `ping` file capabilities. For example, programs such as `sudo` or `ping`
will fail. (Note that in sandbox builds, no such programs are should fail. (Note that in sandbox builds, no such programs are
available unless you bind-mount them into the sandbox via the available unless you bind-mount them into the sandbox via the
`sandbox-paths` option.) You can allow the use of such programs by `sandbox-paths` option.) You can allow the use of such programs by
enabling this option. This is impure and usually undesirable, but enabling this option. This is impure and usually undesirable, but
@ -1108,7 +1107,7 @@ public:
this, {}, "hashed-mirrors", this, {}, "hashed-mirrors",
R"( R"(
A list of web servers used by `builtins.fetchurl` to obtain files by A list of web servers used by `builtins.fetchurl` to obtain files by
hash. Given a hash algorithm *ha* and a base-16 hash *h*, Nix will try to hash. Given a hash algorithm *ha* and a base-16 hash *h*, Nix tries to
download the file from *hashed-mirror*/*ha*/*h*. This allows files to download the file from *hashed-mirror*/*ha*/*h*. This allows files to
be downloaded even if they have disappeared from their original URI. be downloaded even if they have disappeared from their original URI.
For example, given an example mirror `http://tarballs.nixos.org/`, For example, given an example mirror `http://tarballs.nixos.org/`,
@ -1123,7 +1122,7 @@ public:
Nix will attempt to download this file from Nix will attempt to download this file from
`http://tarballs.nixos.org/sha256/2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae` `http://tarballs.nixos.org/sha256/2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae`
first. If it is not available there, if will try the original URI. first. If it is not available there, it tries the original URI.
)"}; )"};
Setting<uint64_t> minFree{ Setting<uint64_t> minFree{
@ -1155,8 +1154,8 @@ public:
Setting<bool> allowSymlinkedStore{ Setting<bool> allowSymlinkedStore{
this, false, "allow-symlinked-store", this, false, "allow-symlinked-store",
R"( R"(
If set to `true`, Nix will stop complaining if the store directory If set to `true`, Nix stops complaining if the store directory
(typically /nix/store) contains symlink components. (typically `/nix/store`) contains symlink components.
This risks making some builds "impure" because builders sometimes This risks making some builds "impure" because builders sometimes
"canonicalise" paths by resolving all symlink components. Problems "canonicalise" paths by resolving all symlink components. Problems
@ -1168,7 +1167,7 @@ public:
Setting<bool> useXDGBaseDirectories{ Setting<bool> useXDGBaseDirectories{
this, false, "use-xdg-base-directories", this, false, "use-xdg-base-directories",
R"( R"(
If set to `true`, Nix will conform to the [XDG Base Directory Specification] for files in `$HOME`. If set to `true`, Nix conforms to the [XDG Base Directory Specification] for files in `$HOME`.
The environment variables used to implement this are documented in the [Environment Variables section](@docroot@/command-ref/env-common.md). The environment variables used to implement this are documented in the [Environment Variables section](@docroot@/command-ref/env-common.md).
[XDG Base Directory Specification]: https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html [XDG Base Directory Specification]: https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
@ -1206,7 +1205,7 @@ public:
If the user is trusted (see `trusted-users` option), when building If the user is trusted (see `trusted-users` option), when building
a fixed-output derivation, environment variables set in this option a fixed-output derivation, environment variables set in this option
will be passed to the builder if they are listed in [`impureEnvVars`](@docroot@/language/advanced-attributes.md#adv-attr-impureEnvVars). is passed to the builder if they are listed in [`impureEnvVars`](@docroot@/language/advanced-attributes.md#adv-attr-impureEnvVars).
This option is useful for, e.g., setting `https_proxy` for This option is useful for, e.g., setting `https_proxy` for
fixed-output derivations and in a multi-user Nix installation, or fixed-output derivations and in a multi-user Nix installation, or

4
src/libstore/include/nix/store/local-fs-store.hh
View file

@ -27,12 +27,12 @@ struct LocalFSStoreConfig : virtual StoreConfig
PathSetting stateDir{this, PathSetting stateDir{this,
rootDir.get() ? *rootDir.get() + "/nix/var/nix" : settings.nixStateDir, rootDir.get() ? *rootDir.get() + "/nix/var/nix" : settings.nixStateDir,
"state", "state",
"Directory where Nix will store state."}; "Directory where Nix stores state."};
PathSetting logDir{this, PathSetting logDir{this,
rootDir.get() ? *rootDir.get() + "/nix/var/log/nix" : settings.nixLogDir, rootDir.get() ? *rootDir.get() + "/nix/var/log/nix" : settings.nixLogDir,
"log", "log",
"directory where Nix will store log files."}; "directory where Nix stores log files."};
PathSetting realStoreDir{this, PathSetting realStoreDir{this,
rootDir.get() ? *rootDir.get() + "/nix/store" : storeDir, "real", rootDir.get() ? *rootDir.get() + "/nix/store" : storeDir, "real",

2
src/libstore/include/nix/store/local-store.hh
View file

@ -54,7 +54,7 @@ struct LocalStoreConfig : std::enable_shared_from_this<LocalStoreConfig>, virtua
R"( R"(
Allow this store to be opened when its [database](@docroot@/glossary.md#gloss-nix-database) is on a read-only filesystem. Allow this store to be opened when its [database](@docroot@/glossary.md#gloss-nix-database) is on a read-only filesystem.
Normally Nix will attempt to open the store database in read-write mode, even for querying (when write access is not needed), causing it to fail if the database is on a read-only filesystem. Normally Nix attempts to open the store database in read-write mode, even for querying (when write access is not needed), causing it to fail if the database is on a read-only filesystem.
Enable read-only mode to disable locking and open the SQLite database with the [`immutable` parameter](https://www.sqlite.org/c3ref/open.html) set. Enable read-only mode to disable locking and open the SQLite database with the [`immutable` parameter](https://www.sqlite.org/c3ref/open.html) set.

6
src/libstore/include/nix/store/s3-binary-cache-store.hh
View file

@ -25,7 +25,7 @@ struct S3BinaryCacheStoreConfig : std::enable_shared_from_this<S3BinaryCacheStor
"profile", "profile",
R"( R"(
The name of the AWS configuration profile to use. By default The name of the AWS configuration profile to use. By default
Nix will use the `default` profile. Nix uses the `default` profile.
)"}; )"};
protected: protected:
@ -40,7 +40,7 @@ public:
"region", "region",
R"( R"(
The region of the S3 bucket. If your bucket is not in The region of the S3 bucket. If your bucket is not in
`useast-1`, you should always explicitly specify the region `us-east-1`, you should always explicitly specify the region
parameter. parameter.
)"}; )"};
@ -69,7 +69,7 @@ public:
> **Note** > **Note**
> >
> This endpoint must support HTTPS and will use path-based > This endpoint must support HTTPS and uses path-based
> addressing instead of virtual host based addressing. > addressing instead of virtual host based addressing.
)"}; )"};

2
src/libutil/experimental-features.cc
View file

@ -107,7 +107,7 @@ constexpr std::array<ExperimentalFeatureDetails, numXpFeatures> xpFeatureDetails
.name = "git-hashing", .name = "git-hashing",
.description = R"( .description = R"(
Allow creating (content-addressed) store objects which are hashed via Git's hashing algorithm. Allow creating (content-addressed) store objects which are hashed via Git's hashing algorithm.
These store objects will not be understandable by older versions of Nix. These store objects aren't understandable by older versions of Nix.
)", )",
.trackingUrl = "https://github.com/NixOS/nix/milestone/41", .trackingUrl = "https://github.com/NixOS/nix/milestone/41",
}, },

2
src/libutil/include/nix/util/logging.hh
View file

@ -55,7 +55,7 @@ struct LoggerSettings : Config
Setting<Path> jsonLogPath{ Setting<Path> jsonLogPath{
this, "", "json-log-path", this, "", "json-log-path",
R"( R"(
A file or unix socket to which JSON records of Nix's log output will be A file or unix socket to which JSON records of Nix's log output are
written, in the same format as `--log-format internal-json` written, in the same format as `--log-format internal-json`
(without the `@nix ` prefixes on each line). (without the `@nix ` prefixes on each line).
Concurrent writes to the same file by multiple Nix processes are not supported and Concurrent writes to the same file by multiple Nix processes are not supported and

2
src/nix-build/nix-build.cc
View file

@ -474,7 +474,7 @@ static void main_nix_build(int argc, char * * argv)
} catch (Error & e) { } catch (Error & e) {
logError(e.info()); logError(e.info());
notice("will use bash from your environment"); notice("uses bash from your environment");
shell = "bash"; shell = "bash";
} }
} }

2
src/nix/unix/daemon.cc
View file

@ -572,7 +572,7 @@ struct CmdDaemon : Command
addFlag({ addFlag({
.longName = "force-untrusted", .longName = "force-untrusted",
.description = "Force the daemon to not trust connecting clients. The connection will be processed by the receiving daemon before forwarding commands.", .description = "Force the daemon to not trust connecting clients. The connection is processed by the receiving daemon before forwarding commands.",
.handler = {[&]() { .handler = {[&]() {
isTrustedOpt = NotTrusted; isTrustedOpt = NotTrusted;
}}, }},

2
tests/functional/fetchGit.sh
View file

@ -81,7 +81,7 @@ path2=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$repo; rev = \"
[[ $(nix eval --raw --expr "builtins.readFile (fetchGit { url = file://$repo; rev = \"$rev2\"; } + \"/hello\")") = world ]] [[ $(nix eval --raw --expr "builtins.readFile (fetchGit { url = file://$repo; rev = \"$rev2\"; } + \"/hello\")") = world ]]
# But without a hash, it fails. # But without a hash, it fails.
expectStderr 1 nix eval --expr 'builtins.fetchGit "file:///foo"' | grepQuiet "'fetchGit' will not fetch unlocked input" expectStderr 1 nix eval --expr 'builtins.fetchGit "file:///foo"' | grepQuiet "'fetchGit' doesn't fetch unlocked input"
# Fetch again. This should be cached. # Fetch again. This should be cached.
mv $repo ${repo}-tmp mv $repo ${repo}-tmp

2
tests/functional/flakes/unlocked-override.sh
View file

@ -33,7 +33,7 @@ echo 456 > "$flake1Dir"/x.nix
# Dirty overrides require --allow-dirty-locks. # Dirty overrides require --allow-dirty-locks.
expectStderr 1 nix flake lock "$flake2Dir" --override-input flake1 "$TEST_ROOT/flake1" | expectStderr 1 nix flake lock "$flake2Dir" --override-input flake1 "$TEST_ROOT/flake1" |
grepQuiet "Will not write lock file.*because it has an unlocked input" grepQuiet "Not writing lock file.*because it has an unlocked input"
nix flake lock "$flake2Dir" --override-input flake1 "$TEST_ROOT/flake1" --allow-dirty-locks nix flake lock "$flake2Dir" --override-input flake1 "$TEST_ROOT/flake1" --allow-dirty-locks

22
tests/nixos/github-flakes.nix
View file

@ -1,8 +1,7 @@
{ { lib
lib, , config
config, , nixpkgs
nixpkgs, , ...
...
}: }:
let let
pkgs = config.nodes.client.nixpkgs.pkgs; pkgs = config.nodes.client.nixpkgs.pkgs;
@ -147,12 +146,11 @@ in
}; };
client = client =
{ { config
config, , lib
lib, , pkgs
pkgs, , nodes
nodes, , ...
...
}: }:
{ {
virtualisation.writableStore = true; virtualisation.writableStore = true;
@ -227,7 +225,7 @@ in
# Fetching without a narHash should succeed if trust-github is set and fail otherwise. # Fetching without a narHash should succeed if trust-github is set and fail otherwise.
client.succeed(f"nix eval --raw --expr 'builtins.fetchTree github:github:fancy-enterprise/private-flake/{info['revision']}'") client.succeed(f"nix eval --raw --expr 'builtins.fetchTree github:github:fancy-enterprise/private-flake/{info['revision']}'")
out = client.fail(f"nix eval --no-trust-tarballs-from-git-forges --raw --expr 'builtins.fetchTree github:github:fancy-enterprise/private-flake/{info['revision']}' 2>&1") out = client.fail(f"nix eval --no-trust-tarballs-from-git-forges --raw --expr 'builtins.fetchTree github:github:fancy-enterprise/private-flake/{info['revision']}' 2>&1")
assert "will not fetch unlocked input" in out, "--no-trust-tarballs-from-git-forges did not fail with the expected error" assert "doesn't fetch unlocked input" in out, "--no-trust-tarballs-from-git-forges did not fail with the expected error"
# Shut down the web server. The flake should be cached on the client. # Shut down the web server. The flake should be cached on the client.
github.succeed("systemctl stop httpd.service") github.succeed("systemctl stop httpd.service")