forked from lix-project/lix
Maximilian Bosch
0256e5578e
To demonstrate the problem: * You need a `git` at 2.33.3 in your $PATH * An expression like this in a git repository: ``` nix { outputs = { self, nixpkgs }: { packages.foo.x86_64-linux = with nixpkgs.legacyPackages.x86_64-linux; runCommand "snens" { } '' echo ${(builtins.fetchGit ./.).lastModifiedDate} > $out ''; }; } ``` Now, when instantiating the package via `builtins.getFlake`, it fails on Nix 2.7 like this: $ nix-instantiate -E '(builtins.getFlake "'"$(pwd)"'").packages.foo.x86_64-linux' fatal: unsafe repository ('/nix/store/a7j3125km4h8l0p71q6ssfkxamfh5d61-source' is owned by someone else) To add an exception for this directory, call: git config --global --add safe.directory /nix/store/a7j3125km4h8l0p71q6ssfkxamfh5d61-source error: program 'git' failed with exit code 128 (use '--show-trace' to show detailed location information) This breaks e.g. `nixops`-deployments using flakes with similar expressions as shown above. The cause for this is that `git(1)` tries to find the highest `.git`-directory in the directory tree and if it finds a such a directory, but with another owning user (root vs. the user who evaluates the expression), it fails as above. This was changed recently to fix CVE-2022-24765[1]. By explicitly specifying `--git-dir`, Git assumes to be in the top-level directory and doesn't attempt to look for a `.git`-directory in the parent directories and thus the code-path leading to said error is never reached. [1] https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/ |
||
---|---|---|
.github | ||
config | ||
contrib | ||
doc/manual | ||
m4 | ||
maintainers | ||
misc | ||
mk | ||
perl | ||
scripts | ||
src | ||
tests | ||
.dir-locals.el | ||
.editorconfig | ||
.gitignore | ||
.version | ||
boehmgc-coroutine-sp-fallback.diff | ||
bootstrap.sh | ||
configure.ac | ||
COPYING | ||
default.nix | ||
docker.nix | ||
flake.lock | ||
flake.nix | ||
local.mk | ||
Makefile | ||
Makefile.config.in | ||
precompiled-headers.h | ||
README.md | ||
shell.nix |
Nix
Nix is a powerful package manager for Linux and other Unix systems that makes package management reliable and reproducible. Please refer to the Nix manual for more details.
Installation
On Linux and macOS the easiest way to install Nix is to run the following shell command (as a user other than root):
$ curl -L https://nixos.org/nix/install | sh
Information on additional installation methods is available on the Nix download page.
Building And Developing
See our Hacking guide in our manual for instruction on how to build nix from source with nix-build or how to get a development environment.
Additional Resources
- Nix manual
- Nix jobsets on hydra.nixos.org
- NixOS Discourse
- Matrix - #nix:nixos.org
- IRC - #nixos on libera.chat
License
Nix is released under the LGPL v2.1.