Commit graph

1118 commits

Author SHA1 Message Date
Eelco Dolstra 13b089c890 * Also kill all processes of the build user after the build. This is
critical to prevent certain kinds of 0wnage.
2005-10-17 17:43:21 +00:00
Eelco Dolstra f1b3a418fa * Before starting a build under some uid, kill all current processes
running under that uid.
2005-10-17 17:35:37 +00:00
Eelco Dolstra 439823ae80 * Check that the build result is owned by the build user, and that
nobody else has write permission to the build result.  This catches
  most hack attempts.
2005-10-17 16:59:25 +00:00
Eelco Dolstra 7ef574e5d0 * Don't use FIFOs to make Nix create the output path on behalf of the
builder.  Instead, require that the Nix store has sticky permission
  (S_ISVTX); everyone can create files in the Nix store, but they
  cannot delete, rename or modify files created by others.
2005-10-17 16:52:29 +00:00
Eelco Dolstra 32282abcea * Beginning of secure multi-user Nix stores. If Nix is started as
root (or setuid root), then builds will be performed under one of
  the users listed in the `build-users' configuration variables.  This
  is to make it impossible to influence build results externally,
  allowing locally built derivations to be shared safely between
  users (see ASE-2005 paper).

  To do: only one builder should be active per build user.
2005-10-17 15:33:24 +00:00
Armijn Hemel 15ff877438 add @coreutils@ to correctly use coreutils to create a profile. This is needed
for NixOS, where we might not know our PATH in advance.
2005-10-11 17:30:57 +00:00
Eelco Dolstra 0f133ae8d2 * Use ATerm 2.4.2. 2005-10-11 12:41:12 +00:00
Eelco Dolstra dfbf520ec2 * Swap the system and version comparison columns. 2005-10-06 15:51:59 +00:00
Eelco Dolstra 62412c5874 * Document `nix-env --compare-versions'. 2005-10-06 15:51:43 +00:00
Eelco Dolstra cec2be64f3 * Only colorise if we are attached to a terminal. 2005-10-06 15:01:46 +00:00
Eelco Dolstra b87b9c0d1f * New query option: `--compare-versions' or `-c' to compare installed
versions to available versions, or vice versa.

  For example, the following compares installed versions to available
  versions:

    $ nix-env -qc
    autoconf-2.59            = 2.59
    automake-1.9.4           < 1.9.6
    f-spot-0.0.10            - ?
    firefox-1.0.4            < 1.0.7
    ...

  I.e., there are newer versions available (in the current default Nix
  expression) for Automake and Firefox, but not for Autoconf, and
  F-Spot is missing altogether.

  Conversely, the available versions can be compared to the installed
  versions:

    $ nix-env -qac
    autoconf-2.59                  = 2.59
    automake-1.9.6                 > 1.9.4
    bash-3.0                       - ?
    firefox-1.0.7                  > 1.0.4
    ...

  Note that bash is available but no version of it is installed.

  If multiple versions are available for comparison, then the highest
  is used.  E.g., if Subversion 1.2.0 is installed, and Subversion
  1.1.4 and 1.2.3 are available, then `nix-env -qc' will print `<
  1.2.3', not `> 1.1.4'.

  If higher versions are available, the version column is printed in
  red (using ANSI escape codes).
2005-10-06 14:44:54 +00:00
Eelco Dolstra 0e0041b2b6 * Update NEWS in the root directory properly. 2005-10-05 13:01:45 +00:00
Eelco Dolstra 0e38578433 * log2xml -> nix-log2xml. 2005-10-05 09:42:13 +00:00
Eelco Dolstra d47e03fccd * Install the XSL stylesheets for log to html conversion. 2005-10-05 09:37:58 +00:00
Eelco Dolstra ed4de220d2 * Use "source" instead of ".". 2005-09-28 09:00:07 +00:00
Eelco Dolstra ebfe57166d * Let's not go wild with templates. 2005-09-22 17:23:43 +00:00
Eelco Dolstra 4578a490ce * Parse multi-valued options. 2005-09-22 15:43:22 +00:00
Eelco Dolstra fbedf6056e * Merge release notes. 2005-09-22 12:23:22 +00:00
Eelco Dolstra 607a2f01e6 * Remove other uses of IPC::Open2. 2005-09-21 17:14:52 +00:00
Eelco Dolstra 95304172a5 * Don't use IPC::Open2, it has a subtle race bug on Mac OS X 10.4. If
the parent runs before the child, it closes some pipe file
  descriptors which causes the child to fail due to a bad file
  descriptor.  So we just use the normal open() function instead.
  
  This fixes NIX-14 (intermittent nix-pull failures).
2005-09-21 17:06:06 +00:00
Eelco Dolstra a864aca44c * This doesn't parse for now. 2005-09-21 17:02:48 +00:00
Eelco Dolstra 8d06842a76 * Configuration options for trusted local builds. 2005-09-21 12:19:39 +00:00
Eelco Dolstra 89cd0f57b1 * Use -all_load on Mac OS X. 2005-09-21 11:12:43 +00:00
Eelco Dolstra ef9e2c8e73 * Typo. 2005-09-20 16:14:00 +00:00
Eelco Dolstra 25d217684b * Use a statically linked ATerm library and build it at -O1, since
higher optimisation levels cause statically linked libraries to
  barf.
2005-09-18 20:27:02 +00:00
Eelco Dolstra f4fe3bd5b1 * Bump the version number to 0.10. 2005-09-16 13:47:03 +00:00
Eelco Dolstra db1a4227a3 * Updated release notes. 2005-09-16 11:28:29 +00:00
Eelco Dolstra c28b8eb699 * svn:ignores.
* Add missing file to dist.
2005-09-16 10:35:48 +00:00
Eelco Dolstra 6f044ab39c * svn:ignore. 2005-09-16 09:05:54 +00:00
Eelco Dolstra d34fa9a6cc * Remove dead file. 2005-09-16 09:05:18 +00:00
Eelco Dolstra 846b53bde4 * Set the current directory to something well-defined. Might help in
setuid installations.
2005-09-16 09:03:24 +00:00
Eelco Dolstra 5c0770ac84 * Include the release notes in the manual. 2005-09-16 08:47:34 +00:00
Eelco Dolstra 1b62c2eba3 * Force release notes in ASCII, not UTF-8. 2005-09-15 20:29:08 +00:00
Eelco Dolstra d1d0271996 * Check for w3m. 2005-09-15 15:21:57 +00:00
Eelco Dolstra 7f384d9c1b * Use a proper temporary directory. 2005-09-15 15:21:35 +00:00
Eelco Dolstra 896c0b92f3 * This is not a GNU project :-P 2005-09-15 09:18:21 +00:00
Eelco Dolstra 5818e8eeaf * Remove dead code. 2005-09-14 18:51:02 +00:00
Eelco Dolstra 025086edea * Release notes in Docbook; ASCII release notes (i.e., the `NEWS'
file) is now generated from that using `w3m' and some XSL hackery.
2005-09-14 18:50:45 +00:00
Eelco Dolstra ed1db42915 * List concatenation must be right-associative for efficiency. 2005-09-14 11:41:59 +00:00
Eelco Dolstra deb75bb414 * Remove debugging code. 2005-09-13 15:54:36 +00:00
Eelco Dolstra 116e939d57 * More debugging. 2005-09-13 14:07:22 +00:00
Eelco Dolstra 55b84357a1 * Debugging. 2005-09-13 13:17:14 +00:00
Eelco Dolstra cf2bb91ec8 * Missing #include. 2005-09-13 13:17:01 +00:00
Eelco Dolstra 699073c337 * Release notes. 2005-09-13 10:57:24 +00:00
Eelco Dolstra cb44aa03b8 * Use aterm 2.4. 2005-09-01 20:48:18 +00:00
Eelco Dolstra 2bcd65ecf6 * `nix-env -e' corrupts memory due to incorrect use of iterators.
Reported by Rob Vermaas.
2005-09-01 18:14:04 +00:00
Eelco Dolstra e1a6fb7870 * `dependencyClosure' now allows a search path, e.g.,
dependencyClosure { ... searchPath = [ ../foo ../bar ]; ... }

* Primop `dirOf' to return the directory part of a path (e.g., dirOf
  /a/b/c == /a/b).

* Primop `relativise' (according to Webster that's a real word!) that
  given paths A and B returns a string representing path B relative
  to path A; e.g., relativise /a/b/c a/b/x/y => "../x/y".
2005-08-14 14:00:39 +00:00
Eelco Dolstra 08c53923db * A primitive operation `dependencyClosure' to do automatic dependency
determination (e.g., finding the header file dependencies of a C
  file) in Nix low-level builds automatically.

  For instance, in the function `compileC' in make/lib/default.nix, we
  find the header file dependencies of C file `main' as follows:

    localIncludes =
      dependencyClosure {
        scanner = file:
          import (findIncludes {
            inherit file;
          });
        startSet = [main];
      };

  The function works by "growing" the set of dependencies, starting
  with the set `startSet', and calling the function `scanner' for each
  file to get its dependencies (which should yield a list of strings
  representing relative paths).  For instance, when `scanner' is
  called on a file `foo.c' that includes the line

    #include "../bar/fnord.h"

  then `scanner' should yield ["../bar/fnord.h"].  This list of
  dependencies is absolutised relative to the including file and added
  to the set of dependencies.  The process continues until no more
  dependencies are found (hence it's a closure).

  `dependencyClosure' yields a list that contains in alternation a
  dependency, and its relative path to the directory of the start
  file, e.g.,

    [ /bla/bla/foo.c
      "foo.c"
      /bla/bar/fnord.h
      "../bar/fnord.h"
    ]

  These relative paths are necessary for the builder that compiles
  foo.c to reconstruct the relative directory structure expected by
  foo.c.

  The advantage of `dependencyClosure' over the old approach (using
  the impure `__currentTime') is that it's completely pure, and more
  efficient because it only rescans for dependencies (i.e., by
  building the derivations yielded by `scanner') if sources have
  actually changed.  The old approach rescanned every time.
2005-08-14 12:38:47 +00:00
Eelco Dolstra 714b7256cd * Cleanup; sync with thesis. 2005-08-14 10:19:55 +00:00
Eelco Dolstra 0399365675 * nix-hash: option `--truncate' to truncate the hash to 160 bits. Hmm,
kind of ad hoc ;-)
2005-08-14 10:09:56 +00:00