1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-07-07 18:31:49 +02:00
Commit graph

19930 commits

Author SHA1 Message Date
Eelco Dolstra
a1d841bf2c Bump version 2024-09-28 00:05:03 +02:00
Eelco Dolstra
048cfe51c9
Merge pull request #11604 from NixOS/mergify/bp/2.24-maintenance/pr-11600
HttpBinaryCacheStore::getFile(): Fix uncaught exception (backport #11600)
2024-09-27 13:26:21 +02:00
Eelco Dolstra
15a2b49115 HttpBinaryCacheStore::getFile(): Fix uncaught exception
This method is marked as `noexcept`, but `enqueueFileTransfer()` can
throw `Interrupted` if the user has hit Ctrl-C or if the `ThreadPool`
that the thread is a part of is shutting down.

(cherry picked from commit 4566854981)
2024-09-27 10:38:03 +00:00
Eelco Dolstra
08deebddf2
Merge pull request #11600 from DeterminateSystems/fix-uncaught-exception
HttpBinaryCacheStore::getFile(): Fix uncaught exception
2024-09-27 12:37:12 +02:00
Eelco Dolstra
f8bd7e7e5c
Merge pull request #11598 from joshheinrichs-shopify/fix-http-cache-reference
Fix reference to HTTP Binary Cache Store in docs
2024-09-27 11:43:41 +02:00
Jörg Thalheim
3b0c5ab835 tests/functional/flakes/run: fix tests in macOS devshell
same fix as in 04a47e93f6
2024-09-27 11:07:50 +02:00
Valentin Gagarin
aee34e4776
fix location 2024-09-27 11:07:04 +02:00
Jörg Thalheim
34fd00accc create git caches atomically
When working on speeding up the CI,
I triggered a race condition in the creation of the tarball cache.
This code now instead will ensure that half-initialized repositories
are no longer visible to any other nix process.

This is the error message that I got before:

error: opening Git repository '"/Users/runner/.cache/nix/tarball-cache"': could not find repository at '/Users/runner/.cache/nix/tarball-cache'
(cherry picked from commit 12d5b2cfa1)
2024-09-27 10:06:58 +02:00
Eelco Dolstra
4566854981 HttpBinaryCacheStore::getFile(): Fix uncaught exception
This method is marked as `noexcept`, but `enqueueFileTransfer()` can
throw `Interrupted` if the user has hit Ctrl-C or if the `ThreadPool`
that the thread is a part of is shutting down.
2024-09-27 00:16:52 +02:00
Eelco Dolstra
0ed67e5b7e
Merge pull request #11581 from Mic92/git-cache
create git caches atomically
2024-09-26 21:58:22 +02:00
Josh Heinrichs
1271a95b79
Fix reference to HTTP Binary Cache Store in docs 2024-09-26 12:30:41 -06:00
Jörg Thalheim
12d5b2cfa1 create git caches atomically
When working on speeding up the CI,
I triggered a race condition in the creation of the tarball cache.
This code now instead will ensure that half-initialized repositories
are no longer visible to any other nix process.

This is the error message that I got before:

error: opening Git repository '"/Users/runner/.cache/nix/tarball-cache"': could not find repository at '/Users/runner/.cache/nix/tarball-cache'
2024-09-26 17:46:25 +02:00
Eelco Dolstra
b23812a59c Bump version 2024-09-26 03:25:40 +02:00
Jason Yundt
a5959aa121
docs: specify that flake.lock files are JSON (#11594)
* docs: specify that flake.lock files are JSON

Recently, I decided that I was going to write some code that would parse
flake.lock files. I went to the Nix Reference Manual in order to look up
information on the format of flake.lock files, and I realized that a key
detail was missing from the Nix Reference Manual: it never says that
flake.lock files are JSON files. This commit fixes that issue.

This commit makes sure to specify that flake.lock files are encoded in
UTF-8. Confusingly, there’s multiple different JSON standards. Neither
ECMA-404, 2nd Edition [1] nor ISO/IEC 21778:2017 [2] mention UTF-8. RFC
8259 requires UTF-8, but only sometimes [3]. I chose to explicitly
specify that flake.lock files are UTF-8 in order to avoid any possible
ambiguities from the JSON standards.

[1]: <https://ecma-international.org/publications-and-standards/standards/ecma-404>
[2]: <https://www.iso.org/standard/71616.html>
[3]: <https://www.rfc-editor.org/rfc/rfc8259.html#section-8.1>
2024-09-26 00:21:33 +00:00
Eelco Dolstra
618a0cc987
Merge pull request #11592 from NixOS/mergify/bp/2.24-maintenance/pr-11585
builtin:fetchurl: Enable TLS verification (backport #11585)
2024-09-26 01:04:39 +02:00
Eelco Dolstra
4dc4e81b1e
Merge pull request #11593 from DeterminateSystems/typo
Fix typo
2024-09-26 00:55:46 +02:00
Eelco Dolstra
ba81598017 Resolve conflict 2024-09-26 00:17:03 +02:00
Eelco Dolstra
e87be60055 Typo
(cherry picked from commit ef8987955b)
2024-09-26 00:16:17 +02:00
Eelco Dolstra
ef8987955b Typo 2024-09-26 00:15:04 +02:00
Eelco Dolstra
345a264a39 Add release note
(cherry picked from commit 7b39cd631e)
2024-09-25 21:55:36 +00:00
Eelco Dolstra
ee6a5faf4b Add a test for builtin:fetchurl cert verification
(cherry picked from commit f2f47fa725)

# Conflicts:
#	tests/nixos/default.nix
2024-09-25 21:55:36 +00:00
Eelco Dolstra
d4824c8ff7 builtin:fetchurl: Enable TLS verification
This is better for privacy and to avoid leaking netrc credentials in a
MITM attack, but also the assumption that we check the hash no longer
holds in some cases (in particular for impure derivations).

Partially reverts 5db358d4d7.

(cherry picked from commit c04bc17a5a)
2024-09-25 21:55:36 +00:00
Eelco Dolstra
062b4a489e
Merge pull request #11585 from NixOS/verify-tls
builtin:fetchurl: Enable TLS verification
2024-09-25 23:52:25 +02:00
Eelco Dolstra
7b39cd631e Add release note 2024-09-25 23:07:11 +02:00
Eelco Dolstra
f2063255a4 tests/functional/flakes/relative-paths.sh: Fix build failure in hydraJobs.tests.functional_user 2024-09-25 16:29:43 +02:00
Valentin Gagarin
6c37d81514
Merge pull request #11584 from Mic92/devdocs 2024-09-25 13:44:49 +02:00
Jörg Thalheim
eb3a368a33 docs/testing: add --verbose flag for running single tests
Most of the time people run single tests for debugging reason,
so it's a sane default to have them see all the console output.

This commit still retains the section about running tests directly with
meson, because in some debugging cases it's just nice to have less
abstractions i.e. when using strace.
2024-09-25 09:46:29 +02:00
Eelco Dolstra
f2f47fa725 Add a test for builtin:fetchurl cert verification 2024-09-24 16:13:28 +02:00
Eelco Dolstra
b4fcd27590
Merge pull request #11578 from Mic92/key-backport
[2.24-maintainence] Ensure error messages don't leak private key
2024-09-24 13:45:43 +02:00
John Ericson
082f6bb35d Ensure error messages don't leak private key
Since #8766, invalid base64 is rendered in errors, but we don't actually
want to show this in the case of an invalid private keys.

Co-Authored-By: Eelco Dolstra <edolstra@gmail.com>
(cherry picked from commit 2b6b03d8df)
2024-09-24 06:39:03 +02:00
John Ericson
1e03ea386b Revert "base64Decode: clearer error message when an invalid character is detected"
We have a safer way of doing this.

This reverts commit dc3ccf02bf.

(cherry picked from commit d0c351bf43)
2024-09-24 06:31:50 +02:00
John Ericson
b523e4de34
Merge pull request #11571 from NixOS/mergify/bp/2.24-maintenance/pr-11390
Don't refer to public keys as secret keys in error (backport #11390)
2024-09-23 18:50:03 -04:00
Alyssa Ross
563dedcf64 Don't refer to public keys as secret keys in error
This constructor is used for public keys as well.

(cherry picked from commit 9cc550d652)
2024-09-23 22:00:10 +00:00
John Ericson
322d2c767f
Merge pull request #11523 from obsidiansystems/base64Decode-no-leak-private-key-on-error
Ensure error messages don't leak private key
2024-09-23 17:13:32 -04:00
John Ericson
2b6b03d8df Ensure error messages don't leak private key
Since #8766, invalid base64 is rendered in errors, but we don't actually
want to show this in the case of an invalid private keys.

Co-Authored-By: Eelco Dolstra <edolstra@gmail.com>
2024-09-23 16:36:48 -04:00
Eelco Dolstra
c04bc17a5a builtin:fetchurl: Enable TLS verification
This is better for privacy and to avoid leaking netrc credentials in a
MITM attack, but also the assumption that we check the hash no longer
holds in some cases (in particular for impure derivations).

Partially reverts 5db358d4d7.
2024-09-23 15:15:43 +02:00
Eelco Dolstra
91e7d493ce Merge remote-tracking branch 'origin/master' into relative-flakes 2024-09-23 14:42:20 +02:00
Ryan Hendrickson
da332d678e libexpr: deprecate the bogus "or"-as-variable
As a prelude to making "or" work like a normal variable, emit a warning
any time the "fn or" production is used in a context that will change
how it is parsed when that production is refactored.

In detail: in the future, OR_KW will be moved to expr_simple, and the
cursed ExprCall production that is currently part of the expr_select
nonterminal will be generated "normally" in expr_app instead. Any
productions that accept an expr_select will be affected, except for the
expr_app nonterminal itself (because, while expr_app has a production
accepting a bare expr_select, its other production will continue to
accept "fn or" expressions). So all we need to do is emit an appropriate
warning when an expr_simple representing a cursed ExprCall is accepted
in one of those productions without first going through expr_app.

As the warning message describes, users can suppress the warning by
wrapping their problematic "fn or" expressions in parentheses. For
example, "f g or" can be made future-proof by rewriting it as
"f (g or)"; similarly "[ x y or ]" can be rewritten as "[ x (y or) ]",
etc. The parentheses preserve the current grouping behavior, as in the
future "f g or" will be parsed as "(f g) or", just like
"f g anything-else" is grouped. (Mechanically, this suppresses the
warning because the problem ExprCalls go through the
"expr_app : expr_select" production, which resets the cursed status on
the ExprCall.)
2024-09-20 15:57:36 -04:00
John Ericson
d0c351bf43 Revert "base64Decode: clearer error message when an invalid character is detected"
We have a safer way of doing this.

This reverts commit dc3ccf02bf.
2024-09-20 10:41:45 -04:00
Eelco Dolstra
68ba6ff470
Merge pull request #11558 from DeterminateSystems/fix-no-gc-build
Fix build without GC
2024-09-20 16:02:08 +02:00
Eelco Dolstra
ec47133be3 Fix warning 2024-09-20 15:08:45 +02:00
Eelco Dolstra
088569463b Fix build without GC 2024-09-20 15:01:32 +02:00
Eelco Dolstra
c5c68558b5
Merge pull request #11550 from DeterminateSystems/traceable-allocator-alias
Alias traceable_allocator to std::allocator when building without GC
2024-09-20 10:43:31 +02:00
Eelco Dolstra
a7fdef6858 Bump version 2024-09-20 01:19:15 +02:00
Eelco Dolstra
b2bb92ef09 Formatting
Co-authored-by: Jörg Thalheim <Mic92@users.noreply.github.com>
2024-09-19 22:59:42 +02:00
Eelco Dolstra
b5154deba3
Merge pull request #11553 from NixOS/mergify/bp/2.24-maintenance/pr-11548
Fix missing GC root in zipAttrsWith (backport #11548)
2024-09-19 22:09:56 +02:00
Eelco Dolstra
ecd83dc155 Use HAVE_BOEHMGC
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
(cherry picked from commit 4449b0da74)
2024-09-19 19:04:17 +00:00
Eelco Dolstra
5b5e1920eb Fix missing GC root in zipAttrsWith
My SNAFU was that I assumed that all the `Value *`s we put in
`attrsSeen` are already reachable (which they are), but I forgot about
the `elems` pointer in `ListBuilder`.

Fixes #11547.

(cherry picked from commit 0c2fdd2f3c)
2024-09-19 19:04:17 +00:00
Eelco Dolstra
2f4a7a8301 Add a few more aliases 2024-09-19 21:04:01 +02:00
Eelco Dolstra
589d8f1f2b Move GC-related definitions to eval-gc.hh 2024-09-19 21:04:01 +02:00