From 9cee600c88d2a23b872be1c175450011a6d52152 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Wed, 30 Mar 2016 17:35:48 +0200 Subject: [PATCH] LocalStore: Keep track of ultimately trusted paths These are content-addressed paths or outputs of locally performed builds. They are trusted even if they don't have signatures, so "nix verify-paths" won't complain about them. --- src/libstore/build.cc | 9 +++++++++ src/libstore/local-store.cc | 36 +++++++++++++++++++++++++-------- src/libstore/local-store.hh | 4 ++-- src/libstore/remote-store.cc | 4 ++++ src/libstore/schema.sql | 4 +++- src/libstore/worker-protocol.hh | 2 +- src/nix-daemon/nix-daemon.cc | 4 ++++ 7 files changed, 51 insertions(+), 12 deletions(-) diff --git a/src/libstore/build.cc b/src/libstore/build.cc index ed4e0f659..31c321c83 100644 --- a/src/libstore/build.cc +++ b/src/libstore/build.cc @@ -2743,6 +2743,14 @@ void DerivationGoal::registerOutputs() throw Error(format("derivation ‘%1%’ may not be deterministic: output ‘%2%’ differs") % drvPath % path); } + + /* Since we verified the build, it's now ultimately + trusted. */ + if (!info.ultimate) { + info.ultimate = true; + worker.store.registerValidPaths({info}); + } + continue; } @@ -2799,6 +2807,7 @@ void DerivationGoal::registerOutputs() info.narSize = hash.second; info.references = references; info.deriver = drvPath; + info.ultimate = true; infos.push_back(info); } diff --git a/src/libstore/local-store.cc b/src/libstore/local-store.cc index ab087452b..9b961b192 100644 --- a/src/libstore/local-store.cc +++ b/src/libstore/local-store.cc @@ -184,7 +184,18 @@ LocalStore::LocalStore() have performed the upgrade already. */ curSchema = getSchema(); - if (curSchema < 7) { upgradeStore7(); openDB(true); } + if (curSchema < 7) { upgradeStore7(); } + + openDB(false); + + if (curSchema < 8) { + SQLiteTxn txn(db); + if (sqlite3_exec(db, "alter table ValidPaths add column ultimate integer", 0, 0, 0) != SQLITE_OK) + throwSQLiteError(db, "upgrading database schema"); + if (sqlite3_exec(db, "alter table ValidPaths add column sigs text", 0, 0, 0) != SQLITE_OK) + throwSQLiteError(db, "upgrading database schema"); + txn.commit(); + } writeFile(schemaPath, (format("%1%") % nixSchemaVersion).str()); @@ -299,13 +310,13 @@ void LocalStore::openDB(bool create) /* Prepare SQL statements. */ stmtRegisterValidPath.create(db, - "insert into ValidPaths (path, hash, registrationTime, deriver, narSize) values (?, ?, ?, ?, ?);"); + "insert into ValidPaths (path, hash, registrationTime, deriver, narSize, ultimate) values (?, ?, ?, ?, ?, ?);"); stmtUpdatePathInfo.create(db, - "update ValidPaths set narSize = ?, hash = ? where path = ?;"); + "update ValidPaths set narSize = ?, hash = ?, ultimate = ? where path = ?;"); stmtAddReference.create(db, "insert or replace into Refs (referrer, reference) values (?, ?);"); stmtQueryPathInfo.create(db, - "select id, hash, registrationTime, deriver, narSize from ValidPaths where path = ?;"); + "select id, hash, registrationTime, deriver, narSize, ultimate, sigs from ValidPaths where path = ?;"); stmtQueryReferences.create(db, "select path from Refs join ValidPaths on reference = id where referrer = ?;"); stmtQueryReferrers.create(db, @@ -535,6 +546,7 @@ uint64_t LocalStore::addValidPath(const ValidPathInfo & info, bool checkOutputs) (info.registrationTime == 0 ? time(0) : info.registrationTime) (info.deriver, info.deriver != "") (info.narSize, info.narSize != 0) + (info.ultimate ? 1 : 0, info.ultimate) .exec(); uint64_t id = sqlite3_last_insert_rowid(db); @@ -655,6 +667,11 @@ ValidPathInfo LocalStore::queryPathInfo(const Path & path) /* Note that narSize = NULL yields 0. */ info.narSize = useQueryPathInfo.getInt(4); + info.ultimate = sqlite3_column_int(stmtQueryPathInfo, 5) == 1; + + s = (const char *) sqlite3_column_text(stmtQueryPathInfo, 6); + if (s) info.sigs = tokenizeString(s, " "); + /* Get the references. */ auto useQueryReferences(stmtQueryReferences.use()(info.id)); @@ -673,6 +690,7 @@ void LocalStore::updatePathInfo(const ValidPathInfo & info) stmtUpdatePathInfo.use() (info.narSize, info.narSize != 0) ("sha256:" + printHash(info.narHash)) + (info.ultimate ? 1 : 0, info.ultimate) (info.path) .exec(); } @@ -1022,9 +1040,10 @@ void LocalStore::registerValidPath(const ValidPathInfo & info) void LocalStore::registerValidPaths(const ValidPathInfos & infos) { - /* SQLite will fsync by default, but the new valid paths may not be fsync-ed. - * So some may want to fsync them before registering the validity, at the - * expense of some speed of the path registering operation. */ + /* SQLite will fsync by default, but the new valid paths may not + be fsync-ed. So some may want to fsync them before registering + the validity, at the expense of some speed of the path + registering operation. */ if (settings.syncBeforeRegistering) sync(); return retrySQLite([&]() { @@ -1128,6 +1147,7 @@ Path LocalStore::addToStoreFromDump(const string & dump, const string & name, info.path = dstPath; info.narHash = hash.first; info.narSize = hash.second; + info.ultimate = true; registerValidPath(info); } @@ -1142,7 +1162,6 @@ Path LocalStore::addToStore(const string & name, const Path & _srcPath, bool recursive, HashType hashAlgo, PathFilter & filter, bool repair) { Path srcPath(absPath(_srcPath)); - debug(format("adding ‘%1%’ to the store") % srcPath); /* Read the whole path into memory. This is not a very scalable method for very large paths, but `copyPath' is mainly used for @@ -1187,6 +1206,7 @@ Path LocalStore::addTextToStore(const string & name, const string & s, info.narHash = hash; info.narSize = sink.s->size(); info.references = references; + info.ultimate = true; registerValidPath(info); } diff --git a/src/libstore/local-store.hh b/src/libstore/local-store.hh index 1b1721185..e90894277 100644 --- a/src/libstore/local-store.hh +++ b/src/libstore/local-store.hh @@ -15,8 +15,8 @@ namespace nix { /* Nix store and database schema version. Version 1 (or 0) was Nix <= 0.7. Version 2 was Nix 0.8 and 0.9. Version 3 is Nix 0.10. Version 4 is Nix 0.11. Version 5 is Nix 0.12-0.16. Version 6 is - Nix 1.0. Version 7 is Nix 1.3. */ -const int nixSchemaVersion = 7; + Nix 1.0. Version 7 is Nix 1.3. Version 8 is 1.12. */ +const int nixSchemaVersion = 8; extern string drvsLogDir; diff --git a/src/libstore/remote-store.cc b/src/libstore/remote-store.cc index 6d6448ba7..7893f2a4c 100644 --- a/src/libstore/remote-store.cc +++ b/src/libstore/remote-store.cc @@ -252,6 +252,10 @@ ValidPathInfo RemoteStore::queryPathInfo(const Path & path) info.references = readStorePaths(conn->from); info.registrationTime = readInt(conn->from); info.narSize = readLongLong(conn->from); + if (GET_PROTOCOL_MINOR(conn->daemonVersion) >= 16) { + info.ultimate = readInt(conn->from) != 0; + info.sigs = readStrings(conn->from); + } return info; } diff --git a/src/libstore/schema.sql b/src/libstore/schema.sql index c1b4a689a..39c74c65a 100644 --- a/src/libstore/schema.sql +++ b/src/libstore/schema.sql @@ -4,7 +4,9 @@ create table if not exists ValidPaths ( hash text not null, registrationTime integer not null, deriver text, - narSize integer + narSize integer, + ultimate integer, -- null implies "false" + sigs text -- space-separated ); create table if not exists Refs ( diff --git a/src/libstore/worker-protocol.hh b/src/libstore/worker-protocol.hh index 7d9bcb58a..4f60c3adc 100644 --- a/src/libstore/worker-protocol.hh +++ b/src/libstore/worker-protocol.hh @@ -6,7 +6,7 @@ namespace nix { #define WORKER_MAGIC_1 0x6e697863 #define WORKER_MAGIC_2 0x6478696f -#define PROTOCOL_VERSION 0x10f +#define PROTOCOL_VERSION 0x110 #define GET_PROTOCOL_MAJOR(x) ((x) & 0xff00) #define GET_PROTOCOL_MINOR(x) ((x) & 0x00ff) diff --git a/src/nix-daemon/nix-daemon.cc b/src/nix-daemon/nix-daemon.cc index 5189c9b4c..527f6bca9 100644 --- a/src/nix-daemon/nix-daemon.cc +++ b/src/nix-daemon/nix-daemon.cc @@ -517,6 +517,10 @@ static void performOp(ref store, bool trusted, unsigned int clientVe stopWork(); to << info.deriver << printHash(info.narHash) << info.references << info.registrationTime << info.narSize; + if (GET_PROTOCOL_MINOR(clientVersion) >= 16) { + to << info.ultimate + << info.sigs; + } break; }