Commit graph

10148 commits

Author SHA1 Message Date
regnat 703c98c6cb Properly sign the unresolved drvs
Don't let them inherit the signature from the parent one (because it
makes no sense to do so), but re-sign them after they have been built
2021-03-15 16:35:17 +01:00
regnat 54ced9072b Check the signatures when copying store paths around
Broken atm
2021-03-15 16:35:14 +01:00
regnat 3e6017f911 pathInfoIsTrusted -> pathInfoIsUntrusted
I guess the rationale behind the old name wath that
`pathInfoIsTrusted(info)` returns `true` iff we would need to `blindly`
trust the path (because it has no valid signature and `requireSigs` is
set), but I find it to be a really confusing footgun because it's quite
natural to give it the opposite meaning.
2021-03-15 16:34:49 +01:00
regnat 826877cabf Add some logic for signing realisations
Not exposed anywhere, but built realisations are now signed (and this
should be forwarded when copy-ing them around)
2021-03-15 16:34:49 +01:00
Eelco Dolstra 306c154632
Merge pull request #4592 from NixOS/ca/remote-cache
Substitute content-addressed derivations
2021-03-15 16:22:42 +01:00
Travis A. Everett 0431cf6d09 fix nixbld user name/uid for macOS 2021-03-11 10:16:34 -06:00
Domen Kožar 8127094f76
Merge pull request #4577 from abathur/simplify_install_tests
simplify changing cachix cache for install tests
2021-03-11 15:32:13 +00:00
Eelco Dolstra 3bb1becdbb
Merge pull request #4566 from orbekk/master
Add support for bare git repositories when using git+file
2021-03-11 10:38:07 +01:00
regnat 89013bdd7e Add a nix realisation command for working on realisations
Currently only has `nix realisation info`, more to come probably
2021-03-09 10:16:44 +01:00
Eelco Dolstra 1c0e3e453d
Merge pull request #4601 from lovesegfault/fix-4598
nix-build: check that envCommand exists
2021-03-08 10:13:39 +01:00
Eelco Dolstra 8ce2045ecc
Merge pull request #4614 from abathur/patch-1
remove doc for obsolete --no-build-hook flag
2021-03-08 10:07:17 +01:00
Eelco Dolstra c5a232dda7
Merge pull request #4615 from NixOS/nix-show-stats-with-nix-cmd
Make NIX_SHOW_STATS work with new-style commands
2021-03-08 09:56:59 +01:00
Travis A. Everett ac8ba2eae4
remove doc for obsolete --no-build-hook flag
`--no-build-hook` appears to have been removed in 25f32625e2
2021-03-06 19:51:29 -06:00
Eelco Dolstra 52b6e0f837
Merge pull request #4606 from obsidiansystems/avoid-stringify-store-path
Avoid some StorePath -> Path -> StorePath roundtrips
2021-03-05 11:18:14 +01:00
Bernardo Meurer 6e849e3b0a
nix-build: set execfail
When starting a nix-shell with `-i` it was previously possible for it to
silently fail in the scenario where the specified interpreter didn't
exist. This happened due to the `exec` call masking the issue.

With this change we enable `execfail`, which causes the script using
`nix-shell` as interpreter to correctly exit with code 127.

Fixes: #4598
2021-03-04 18:54:45 -08:00
John Ericson 6212e89bf6 Avoid some StorePath -> Path -> StorePath roundtrips
There were done when StorePath was defined in Rust and there were some
FFI issues. This is no longer an issue.
2021-03-05 00:49:46 +00:00
DavHau e16431b466 improve man page for nix.conf (builders) 2021-03-04 16:14:23 +07:00
Eelco Dolstra 665d4ec2da nix repl :doc: Don't return docs for partially applied primops
This gives misleading results for Nixpkgs functions like lib.toUpper.

Fixes #4596.
2021-03-03 17:52:57 +01:00
Eelco Dolstra 1b2f5786d1
Merge pull request #4595 from dramforever/fetcher-http-redirect
libfetchers/tarball: Lock on effectiveUrl
2021-03-02 16:38:19 +01:00
regnat 7331da99ab Make NIX_SHOW_STATS work with new-style commands 2021-03-02 14:59:12 +01:00
dramforever fc6bfb261d libfetchers/tarball: Lock on effectiveUrl
Basically, if a tarball URL is used as a flake input, and the URL leads
to a redirect, the final redirect destination would be recorded as the
locked URL.

This allows tarballs under https://nixos.org/channels to be used as
flake inputs. If we, as before, lock on to the original URL it would
break every time the channel updates.
2021-03-02 21:56:50 +08:00
John Ericson 7ce10924c7 Fix bad wanted output error as requested
- UsageError -> Error

- include drv path too
2021-03-01 15:07:09 +00:00
Kjetil Orbekk 92a234322f Add test for git+file with bare repository 2021-03-01 09:03:25 -05:00
Kjetil Orbekk 9931f18c2d Add support for bare git repositories with git+file
Local git repositories are normally used directly instead of
cloning. This commit checks if a repo is bare and forces a
clone.

Co-authored-by: Théophane Hufschmitt <regnat@users.noreply.github.com>
2021-03-01 09:03:25 -05:00
regnat 93b5a59b67 Add a test for the remote caching of CA derivations 2021-03-01 14:00:17 +01:00
regnat df9d4f88d5 Allow substituting drv outputs when building 2021-03-01 14:00:17 +01:00
regnat 5d1c05b075 SubstitutionGoal -> PathSubstitutionGoal
To prepare for the upcoming DrvOutputSubstitutionGoal
2021-03-01 14:00:17 +01:00
Eelco Dolstra e64cf8e0a3
Merge pull request #4574 from grahamc/libstore-ssh-host-key
libstore: support passing a builder's public SSH host key
2021-03-01 13:12:18 +01:00
Eelco Dolstra 99b93773de
Merge pull request #4582 from puckipedia/cppflags
mk: add support for CPPFLAGS
2021-03-01 13:08:14 +01:00
Eelco Dolstra c32a7c3404 Merge remote-tracking branch 'origin/ca/move-tests-to-their-own-directory' 2021-03-01 12:57:29 +01:00
Eelco Dolstra 7d578aaba1
Merge pull request #4583 from puckipedia/revert-jar-support
Revert "Add support for building JARs from Java sources"
2021-03-01 11:56:26 +01:00
regnat 259d6778ef Move the CA tests to a sub-directory
Requires a slight update to the test infra to work properly, but
having the possibility to group tests that way makes the whole thing
quite cleaner imho
2021-03-01 11:08:01 +01:00
John Ericson 4bbd80c536 Throw error for derivation goal with bogus wanted output 2021-02-28 00:19:35 +00:00
Domen Kožar 73b3e6cd46
Merge pull request #4581 from puckipedia/fix-libseccomp
Properly propagate libseccomp linker flags
2021-02-27 10:51:43 +00:00
John Ericson ae1441e548 Fix testing fixed-output derivations in double sandboxes
What happened was that Nix was trying to unconditionally mount these
paths in fixed-output derivations, but since the outer derivation was
pure, those paths did not exist. The solution is to only mount those
paths when they exist.
2021-02-27 05:23:14 +00:00
Puck Meerburg 2d7917f035 Revert "Add support for building JARs from Java sources"
This reverts commit 259086de84.
2021-02-26 23:06:58 +00:00
Puck Meerburg 7241fdc3d2 Properly propagate libseccomp linker flags 2021-02-26 23:01:16 +00:00
Puck Meerburg bd0b0f9ab7 mk: add support for CPPFLAGS 2021-02-26 22:56:51 +00:00
Travis A. Everett 12ec962dd8 simplify changing cachix cache for install tests
- convert cachix cache name from an env into a secret so it (along
  with the token/key) can be set once per fork
- use CACHIX_AUTH_TOKEN in addition to CACHIX_SIGNING_KEY; it looks
  like cachix will try signing key first, then auth token.
2021-02-26 16:14:06 -06:00
Eelco Dolstra 6512be0a99
Merge pull request #4570 from obsidiansystems/split-building-planning
Split {,local-}derivation-goal.{cc,hh}
2021-02-26 20:00:02 +01:00
John Ericson 5b42e5b177 Restore now-working build-remote-content-addressed-fixed test
This was

 - Added in dbf96e10ec.

 - Commented out in 07975979aa, which I
   believe only reached master by mistake.

 - Deleted in c32168c9bc, when
   `tests/build-hook-ca.nix` was reused for a new test.

But the test works, and we ought to have it.
2021-02-26 16:32:52 +00:00
John Ericson 553b79f8c9 Remove unused redirectedBadOutputs 2021-02-26 16:10:54 +00:00
John Ericson d560311f76 Remove temporary #if 0...#endif from previous commit 2021-02-26 16:10:52 +00:00
John Ericson 68f4c728ec Split {,local-}derivation-goal.{cc,hh}
This separates the scheduling logic (including simple hook pathway) from
the local-store needing code.

This should be the final split for now. I'm reasonably happy with how
it's turning out, even before I'm done moving code into
`local-derivation-goal`. Benefits:

1. This will help "witness" that the hook case is indeed a lot simpler,
   and also compensate for the increased complexity that comes from
   content-addressed derivation outputs.

2. It also moves us ever so slightly towards a world where we could use
   off-the-shelf storage or sandboxing, since `local-derivation-goal`
   would be gutted in those cases, but `derivation-goal` should remain
   nearly the same.

The new `#if 0` in the new files will be deleted in the following
commit. I keep it here so if it turns out more stuff can be moved over,
it's easy to do so in a way that preserves ordering --- and thus
prevents conflicts.

N.B.
```sh
git diff HEAD^^ --color-moved --find-copies-harder --patience --stat
```
makes nicer output.
2021-02-26 16:10:26 +00:00
John Ericson 05cc5a8587 Copy {,local-}derivation-goal.{cc,h}
Doing this prior to splitting, so we get better diff with default
options (e.g. on GitHub).
2021-02-26 16:01:47 +00:00
Eelco Dolstra 94637cd7e5
Merge pull request #4477 from NixOS/ca/build-remote
Build ca derivations remotely
2021-02-26 16:54:44 +01:00
regnat f54976d77b Simplify the case where the drv is a purely input-addressed one 2021-02-26 16:35:05 +01:00
Eelco Dolstra 076d2b04da
Update src/libstore/build/derivation-goal.cc 2021-02-26 16:30:12 +01:00
Eelco Dolstra 17c98e03ea
Update src/build-remote/build-remote.cc 2021-02-26 16:29:37 +01:00
Eelco Dolstra 14f51880ba
Update src/build-remote/build-remote.cc 2021-02-26 16:29:30 +01:00