Commit graph

729 commits

Author SHA1 Message Date
Wout Mertens af4fb6ef61 Bring nix-profile.sh in line with NixOS
Use the same logic as NixOS' profile and environment setup. Closes #414
2016-04-10 23:45:52 +02:00
Shea Levy 4f011bccf8 Merge branch 'master' of git://github.com/stepcut/nix 2016-02-19 18:21:41 -05:00
Eelco Dolstra c4d22997f3 Add C++ functions for .narinfo processing / signing
This is currently only used by the Hydra queue runner rework, but like
eff5021eaa it presumably will be useful
for the C++ rewrite of nix-push and
download-from-binary-cache. (@shlevy)
2016-02-16 16:38:44 +01:00
Peter Simons 92063851b1 nix-profile.sh.in: find ca-bundle.pem on openSUSE Tumbleweed machines 2016-02-16 10:15:05 +01:00
Peter Simons bd42510e49 nix-profile.sh.in: quote use of $HOME in shell arguments
All other places in the script do this already, so let's be consistent.
2016-02-12 13:24:25 +01:00
Alex Cruice ad0dc41899 Check shell profile is writeable before modifying
The `set -e` at the top of the script causes the installation to fail to
complete if the shell profile is not writeable. Checking file existence
only is not enough.
2016-02-10 11:57:50 +01:00
Brian McKenna 3baf8be1d1 Fix broken call to shellwords
nix-shell shebangs were broken by 9018deab
2016-01-20 16:35:16 +01:00
Philip Potter 4f3cf06c97 Verify TLS certificate before downloading binaries
The --insecure flag to curl tells curl not to bother checking if the TLS
certificate presented by the server actually matches the hostname
requested, and actually is issued by a trusted CA chain.  This almost
entirely negates any benefit from using TLS in the first place.

This removes the --insecure flag to ensure we actually have a secure
connection to the intended hostname before downloading binaries.

Manually tested locally within a dev-shell; was able to download
binaries from https://cache.nixos.org without issue.

[Note: --insecure was only used for fetching NARs, whose integrity is
verified by Nix anyway using the hash from the .narinfo. But if we can
fetch the .narinfo without --insecure, we can also fetch the .nar, so
there is not much point to using --insecure. --Eelco]
2016-01-05 14:19:46 +01:00
Fabian Schmitthenner 0eb200e569 propagate NIX_BUILD_SHELL also in pure builds document NIX_BUILD_SHELL in the nix-shell command documentation 2016-01-05 14:11:20 +01:00
Brian McKenna 9018deab6c Use shellwords for nix-shell shebang
Previously we can't have quoted arguments.

This now allows us to use things like `ghcWithPackages`
2015-12-07 11:31:26 +11:00
Jeremy Shaw 3afa16e16f Clarify installation error message that is shown when /nix/store exists but is not writable by the user 2015-12-06 11:00:03 -06:00
Eelco Dolstra c0d4173263 Set default binary-caches-parallel-connections to 25
Some benchmarking suggested this as a good value. Running

  $ benchmark -f ... -t 25 -- sh -c 'rm -f /nix/var/nix/binary-cache*; nix-store -r /nix/store/x5z8a2yvz8h6ccmhwrwrp9igg03575jg-nixos-15.09.git.5fd87e1M.drv --dry-run --option binary-caches-parallel-connections <N>'

gave the following mean elapsed times for these values of N:

N=10:  3.3541
N=20:  2.9320
N=25:  2.6690
N=30:  2.9417
N=50:  3.2021
N=100: 3.5718
N=150: 4.2079

Memory usage is also reduced (N=150 used 186 MB, N=25 only 68 MB).

Closes #708.
2015-11-25 17:13:11 +01:00
Jude Taylor 279fa8f618 reintroduce host deps in tandem with sandbox profiles 2015-11-21 15:57:06 -08:00
Eelco Dolstra 9ee15abe30 Fix bad characters in "copying 7 missing paths from ..." 2015-11-10 16:12:26 +01:00
Shea Levy fef8c3a5ab resolve-system-dependencies.pl: Simplify union impl
Patch by @pikajude
2015-10-21 18:18:03 -04:00
Jude Taylor f5a7739171 appropriately handle lock acquisition failures in resolve-system-dependencies.pl 2015-10-21 14:38:35 -07:00
Jude Taylor ff6953cb03 Add resolve-system-dependencies.pl 2015-10-21 12:38:52 -07:00
Eelco Dolstra bec3c31608 nix-prefetch-url: Rewrite in C++ 2015-10-01 16:47:43 +02:00
Utku Demir a49514a2e2 Also set CURLOPT_SSL_VERIFYHOST=0 when "verify-https-binary-caches" is false
This makes that option even more insecure, by also not checking the SSL host.

But without this parameter, one can still get SSL errors even when
"verify-https-binary-caches" is false, which is unexpected IMO.
2015-09-25 22:34:08 +03:00
Eelco Dolstra 984c5cdc50 Drop newline in error message 2015-08-07 05:32:17 +02:00
Eelco Dolstra ccf31dbc25 nix-copy-closure: Add -v flag
And make exportPath() less spammy by default.
2015-07-20 01:52:07 +02:00
Eelco Dolstra e012c126db Revert "add the manpath to the installer"
This reverts commit 76f985b92d. We
shouldn't mess with $MANPATH, because on some "man" implementations
(like NixOS'), the default value on $MANPATH is derived from $PATH. So
if you set $MANPATH, you lose the default locations.
2015-07-01 13:04:15 +02:00
Eelco Dolstra c48617671d nix-channel: Fix bogus error message caused by 8a84bd8c8b 2015-06-12 01:56:34 +02:00
Eelco Dolstra f2b67fbf2a nix-push: Support -j
Fixes #548.
2015-06-08 14:16:06 +02:00
Eelco Dolstra bf8cc4e9b6 Update cacert locations 2015-06-08 11:40:35 +02:00
Eelco Dolstra b190f771e7 copy-from-other-stores: Use cp 2015-06-04 14:55:40 +02:00
Eelco Dolstra f0f30f594c Naming 2015-06-03 15:19:26 +02:00
Eelco Dolstra a80f11bf7b nix-shell: Support multiple "#! nix-shell" lines 2015-06-01 13:48:45 +02:00
Eelco Dolstra e0a068cb97 nix-shell: Barf if -p and -E are both used
Closes #454, #455.
2015-05-21 17:04:43 +02:00
Eelco Dolstra deb8668a0e nix-shell: Fix uninitialized value warning 2015-05-05 14:19:58 +02:00
Shea Levy 96dcc006e9 Merge branch 'nix-channel-tarballs' of git://github.com/copumpkin/nix 2015-04-27 19:07:43 -04:00
Luca Bruno ab2b3d6668 nix-collect-garbage: translate to C++ 2015-04-22 15:08:48 +00:00
Dan Peebles 8a84bd8c8b Support tarballs in nix channel URLs 2015-04-20 00:34:29 -04:00
Michael Merickel 76f985b92d add the manpath to the installer 2015-04-12 20:30:47 -04:00
Eelco Dolstra 9f3eb56b46 Reduce verbosity in build-remote.pl 2015-03-04 16:27:42 +01:00
Shea Levy 47bdc52c1b Merge branch 'gh-476-fix-install-script' of git://github.com/jramnani/nix
sometimes cd prints to stdout
2015-02-22 12:00:51 -05:00
Eelco Dolstra 175935e053 FIXMEs 2015-02-19 14:10:33 +01:00
Eelco Dolstra 1816ac0db1 Escape arguments to nix-shell #! scripts 2015-02-18 20:13:53 +01:00
Eelco Dolstra dc7e8fae48 Support passing command line arguments to nix-shell #! scripts 2015-02-18 15:55:18 +01:00
Eelco Dolstra bb10010582 Fix nix-shell shebang scripts if -p is used 2015-02-18 12:40:07 +01:00
Eelco Dolstra f19b4abfb2 Include NAR size in fingerprint computation
This is not strictly needed for integrity (since we already include
the NAR hash in the fingerprint) but it helps against endless data
attacks [1]. (However, this will also require
download-from-binary-cache.pl to bail out if it receives more than the
specified number of bytes.)

[1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
2015-02-17 13:16:58 +01:00
Jeff Ramnani d53735c823 Nix install script failed when "cd" printed to stdout.
In some cases the bash builtin command "cd" can print the variable $CWD
to stdout.  This caused the install script to fail while copying files
because the source path was wrong.

Fixes #476.
2015-02-11 12:39:14 -06:00
Shea Levy 70cae879e3 nix-build: Respect -Q during evaluation
Fixes #474
2015-02-08 20:44:05 -05:00
Eelco Dolstra f3a5930488 Sign a subset of the .narinfo
We only need to sign the store path, NAR hash and references (the
"fingerprint"). Everything else is irrelevant to security. For
instance, the compression algorithm or the hash of the compressed NAR
don't matter as long as the contents of the uncompressed NAR are
correct.

(Maybe we should include derivers in the fingerprint, but they're
broken and nobody cares about them. Also, it might be nice in the
future if .narinfos contained signatures from multiple independent
signers. But that's impossible if the deriver is included in the
fingerprint, since everybody will tend to have a different deriver for
the same store path.)

Also renamed the "Signature" field to "Sig" since the format changed
in an incompatible way.
2015-02-04 17:59:31 +01:00
Eelco Dolstra e0def5bc4b Use libsodium instead of OpenSSL for binary cache signing
Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA
signatures. Public keys are also much shorter, so they're now
specified directly in the nix.conf option ‘binary-cache-public-keys’.

The new command ‘nix-store --generate-binary-cache-key’ generates and
prints a public and secret key.
2015-02-04 17:10:31 +01:00
Jaka Hudoklin 3688db3d43 nix-install-package: follow symlinks 2015-01-30 11:30:21 +01:00
Oliver Dunkl de91a42c6e Moves runHook to a later execution position
It moves runHook to a later position in the rcfile. After that we are
able to set the PS1 environment-variable for a nix-shell environment
e.g.:

  # turn the color of the prompt to blue
  shellHook = ''
    export PS1="\n\[\033[1;34m\][\u@\h:\w]$\[\033[0m\] ";
  '';
2015-01-28 13:39:48 +01:00
Eelco Dolstra f6716e95bb Shut up "Wide character in print" warning in copy-from-other-stores.pl 2015-01-15 17:56:56 +01:00
Eelco Dolstra a5e2c8e560 Set correct user agent for NAR downloads from binary caches 2015-01-15 12:05:27 +01:00
Eelco Dolstra 128538ef06 nix-shell: Add --run flag
‘--run’ is like ‘--command’, except that it runs the command in a
non-interactive shell. This is important if you do things like:

  $ nix-shell --command make

Hitting Ctrl-C while make is running drops you into the interactive
Nix shell, which is probably not what you want. So you can now do

  $ nix-shell --run make

instead.
2015-01-08 15:14:38 +01:00