diff --git a/doc/manual/advanced-topics/post-build-hook.xml b/doc/manual/advanced-topics/post-build-hook.xml
index 4335b308b..3dc43ee79 100644
--- a/doc/manual/advanced-topics/post-build-hook.xml
+++ b/doc/manual/advanced-topics/post-build-hook.xml
@@ -74,6 +74,8 @@ trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDS
#!/bin/sh
set -eu
+set -f # disable globbing
+export IFS=' '
echo "Signing paths" $OUT_PATHS
nix sign-paths --key-file /etc/nix/key.private $OUT_PATHS
@@ -88,8 +90,9 @@ exec nix copy --to 's3://example-nix-cache' $OUT_PATHS
list of Nix store paths. In this case, we expect and want the
shell to perform word splitting to make each output path its
own argument to nix sign-paths. Nix guarantees
- the paths will only contain characters which are safe for word
- splitting, and free of any globs.
+ the paths will not contain any spaces, however a store path
+ might contain glob characters. The set -f
+ disables globbing in the shell.
diff --git a/doc/manual/command-ref/conf-file.xml b/doc/manual/command-ref/conf-file.xml
index d2c9c7502..e818a74cd 100644
--- a/doc/manual/command-ref/conf-file.xml
+++ b/doc/manual/command-ref/conf-file.xml
@@ -674,6 +674,7 @@ password my-password
The hook does not execute on substituted paths.
The hook's output always goes to the user's terminal.
If the hook fails, the build succeeds but no further builds execute.
+ The hook executes synchronously, and blocks other builds from progressing while it runs.
The program executes with no arguments. The program's environment
@@ -693,7 +694,7 @@ password my-password
OUT_PATHS
- Output paths of the built derivation, separated by a space ( ) character.
+ Output paths of the built derivation, separated by a space character.
Example:
/nix/store/zf5lbh336mnzf1nlswdn11g4n2m8zh3g-bash-4.4-p23-dev
/nix/store/rjxwxwv1fpn9wa2x5ssk5phzwlcv4mna-bash-4.4-p23-doc