Commit graph

694 commits

Author SHA1 Message Date
Shea Levy 47bdc52c1b Merge branch 'gh-476-fix-install-script' of git://github.com/jramnani/nix
sometimes cd prints to stdout
2015-02-22 12:00:51 -05:00
Eelco Dolstra 175935e053 FIXMEs 2015-02-19 14:10:33 +01:00
Eelco Dolstra 1816ac0db1 Escape arguments to nix-shell #! scripts 2015-02-18 20:13:53 +01:00
Eelco Dolstra dc7e8fae48 Support passing command line arguments to nix-shell #! scripts 2015-02-18 15:55:18 +01:00
Eelco Dolstra bb10010582 Fix nix-shell shebang scripts if -p is used 2015-02-18 12:40:07 +01:00
Eelco Dolstra f19b4abfb2 Include NAR size in fingerprint computation
This is not strictly needed for integrity (since we already include
the NAR hash in the fingerprint) but it helps against endless data
attacks [1]. (However, this will also require
download-from-binary-cache.pl to bail out if it receives more than the
specified number of bytes.)

[1] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf
2015-02-17 13:16:58 +01:00
Jeff Ramnani d53735c823 Nix install script failed when "cd" printed to stdout.
In some cases the bash builtin command "cd" can print the variable $CWD
to stdout.  This caused the install script to fail while copying files
because the source path was wrong.

Fixes #476.
2015-02-11 12:39:14 -06:00
Shea Levy 70cae879e3 nix-build: Respect -Q during evaluation
Fixes #474
2015-02-08 20:44:05 -05:00
Eelco Dolstra f3a5930488 Sign a subset of the .narinfo
We only need to sign the store path, NAR hash and references (the
"fingerprint"). Everything else is irrelevant to security. For
instance, the compression algorithm or the hash of the compressed NAR
don't matter as long as the contents of the uncompressed NAR are
correct.

(Maybe we should include derivers in the fingerprint, but they're
broken and nobody cares about them. Also, it might be nice in the
future if .narinfos contained signatures from multiple independent
signers. But that's impossible if the deriver is included in the
fingerprint, since everybody will tend to have a different deriver for
the same store path.)

Also renamed the "Signature" field to "Sig" since the format changed
in an incompatible way.
2015-02-04 17:59:31 +01:00
Eelco Dolstra e0def5bc4b Use libsodium instead of OpenSSL for binary cache signing
Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA
signatures. Public keys are also much shorter, so they're now
specified directly in the nix.conf option ‘binary-cache-public-keys’.

The new command ‘nix-store --generate-binary-cache-key’ generates and
prints a public and secret key.
2015-02-04 17:10:31 +01:00
Jaka Hudoklin 3688db3d43 nix-install-package: follow symlinks 2015-01-30 11:30:21 +01:00
Oliver Dunkl de91a42c6e Moves runHook to a later execution position
It moves runHook to a later position in the rcfile. After that we are
able to set the PS1 environment-variable for a nix-shell environment
e.g.:

  # turn the color of the prompt to blue
  shellHook = ''
    export PS1="\n\[\033[1;34m\][\u@\h:\w]$\[\033[0m\] ";
  '';
2015-01-28 13:39:48 +01:00
Eelco Dolstra f6716e95bb Shut up "Wide character in print" warning in copy-from-other-stores.pl 2015-01-15 17:56:56 +01:00
Eelco Dolstra a5e2c8e560 Set correct user agent for NAR downloads from binary caches 2015-01-15 12:05:27 +01:00
Eelco Dolstra 128538ef06 nix-shell: Add --run flag
‘--run’ is like ‘--command’, except that it runs the command in a
non-interactive shell. This is important if you do things like:

  $ nix-shell --command make

Hitting Ctrl-C while make is running drops you into the interactive
Nix shell, which is probably not what you want. So you can now do

  $ nix-shell --run make

instead.
2015-01-08 15:14:38 +01:00
Eelco Dolstra b76589206a nix-shell: Interpret filenames relative to the #!-script
So you can have a script like:

  #! /usr/bin/env nix-shell
  #! nix-shell script.nix -i python

  import prettytable

  x = prettytable.PrettyTable(["Foo", "Bar"])
  for i in range(1, 10): x.add_row([i, i**2])
  print x

with a ‘script.nix’ in the same directory:

  with import <nixpkgs> {};

  runCommand "dummy" { buildInputs = [ python pythonPackages.prettytable ]; } ""

(Of course, in this particular case, using the ‘-p’ flag is more
convenient.)
2015-01-08 14:56:14 +01:00
Eelco Dolstra a957893b26 Allow nix-shell to be used as a #! interpreter
This allows scripts to fetch their own dependencies via nix-shell. For
instance, here is a Haskell script that, when executed, pulls in GHC
and the HTTP package:

  #! /usr/bin/env nix-shell
  #! nix-shell -i runghc -p haskellPackages.ghc haskellPackages.HTTP

  import Network.HTTP

  main = do
    resp <- Network.HTTP.simpleHTTP (getRequest "http://nixos.org/")
    body <- getResponseBody resp
    print (take 100 body)

Or a Perl script that pulls in Perl and some CPAN packages:

  #! /usr/bin/env nix-shell
  #! nix-shell -i perl -p perl perlPackages.HTMLTokeParserSimple perlPackages.LWP

  use HTML::TokeParser::Simple;

  my $p = HTML::TokeParser::Simple->new(url => 'http://nixos.org/');

  while (my $token = $p->get_tag("a")) {
      my $href = $token->get_attr("href");
      print "$href\n" if $href;
  }

Note that the options to nix-shell must be given on a separate line
that starts with the magic string ‘#! nix-shell’. This is because
‘env’ does not allow passing arguments to an interpreter directly.
2015-01-08 14:32:45 +01:00
Eelco Dolstra 7ba0e9cb48 nix-shell --command: Remove bogus argument to "exit"
Fixes "exit: Inappropriate: numeric argument required" errors.
2015-01-07 16:10:20 +01:00
Eelco Dolstra c2a552b075 Install cacert before running nix-channel
Also, make it more robust against incorrent SSL_CERT_FILE values.
2014-12-13 16:53:21 +01:00
Eelco Dolstra 20cf0127f5 Include cacert in the binary tarball
This prevents having to fetch Nixpkgs or cacert over http.
2014-12-10 16:05:08 +01:00
Eelco Dolstra 2f16946064 Always use https to fetch the Nixpkgs channel 2014-12-10 11:35:56 +01:00
Eelco Dolstra 39fe52f7ac Fix bad comment 2014-12-10 11:35:05 +01:00
Eelco Dolstra af555d7694 Doh 2014-12-09 20:43:12 +01:00
Eelco Dolstra d44d923be9 Add option to disable binary cache certificate checking 2014-12-09 13:16:02 +01:00
Eelco Dolstra 5510d21193 Provide some fallback defaults for the CA bundle 2014-12-09 13:16:02 +01:00
Eelco Dolstra e5891f2ea8 Use https://cache.nixos.org instead of http://cache.nixos.org 2014-12-09 13:16:02 +01:00
Eelco Dolstra bf78a27ac9 Fix another operator precedence issue found by Perl 5.20 2014-12-05 19:25:13 +01:00
Eelco Dolstra 5d064e2698 Add a test for the binary tarball installer 2014-11-18 14:50:05 +01:00
Eelco Dolstra 5ef2453139 build-remote.pl.in: Add some more trace messages
This allows hydra-build to keep track of the actual build time (so
excluding time required to copy closures around).
2014-11-12 13:56:01 +01:00
Eelco Dolstra 8979562ed7 download-from-binary-cache.pl: Fix flushing of stderr 2014-11-04 14:37:58 +01:00
Shea Levy bca6d35636 Fix nix-copy-closure --from
http://hydra.nixos.org/build/15885652
2014-10-15 15:05:13 -04:00
Eelco Dolstra 138c257dcd Revert "binary download: Use $NIX_CURL_FLAGS"
This reverts commit bc4795919a. It
breaks the build:

  http://hydra.nixos.org/build/15860847
2014-10-15 10:22:17 +02:00
wmertens bc4795919a binary download: Use $NIX_CURL_FLAGS
As in 5c0816567d/pkgs/build-support/fetchurl/builder.sh (L17)
2014-10-14 15:36:14 +02:00
Eelco Dolstra 2c1711ae33 nix-channel: Add --rollback flag
Fixes #368.
2014-10-14 12:08:04 +02:00
Eelco Dolstra a8925a510c nix-channel --add: Validate URL / channel ID
Fixes #369.
2014-10-14 11:28:13 +02:00
Eelco Dolstra f1adf4c998 Remove unused @sshOpts flag
Closes #300.
2014-10-14 11:01:18 +02:00
Eelco Dolstra a79e56de68 nix-copy-closure: Use strict 2014-10-14 10:56:33 +02:00
Shell Turner 9dd54bc7bb Pass through --set from nix-install-package command line to nix-env 2014-09-23 15:11:24 +02:00
Eelco Dolstra d2d5543625 build-remote.pl: UTF-8-decode errors 2014-09-05 11:53:11 +02:00
Eelco Dolstra e74113a305 Fix build-remote.pl
Apparently, turning on utf8 encoding on stderr changes its flushing
behaviour, causing sendReply to not send anything.

http://hydra.nixos.org/build/13944384
2014-09-05 11:43:14 +02:00
Eelco Dolstra 27a01d92c2 Shut up "Wide character" warnings in Perl scripts 2014-08-29 17:48:25 +02:00
Eelco Dolstra 163fdf292e Set a curl timeout on binary cache lookups 2014-08-21 15:15:50 +02:00
Eelco Dolstra 11849a320e Use proper quotes everywhere 2014-08-20 18:03:48 +02:00
Eelco Dolstra 42e9ad8fd1 Propagate remote timeouts properly 2014-08-17 19:09:03 +02:00
Eelco Dolstra c6e85ee474 nix-build: Propagate exit status from nix-store -r 2014-08-17 18:37:09 +02:00
Eelco Dolstra ccd4fe5c49 build-remote.pl: Provide defaults for $NIX_CURRENT_LOAD and $NIX_REMOTE_SYSTEMS 2014-08-17 18:05:24 +02:00
Eelco Dolstra 3e5dbb2433 nix-shell: Use $XDG_RUNTIME_DIR
This prevents collisions with other users.

Fixes #262.
2014-08-13 23:16:08 +02:00
Eelco Dolstra 3bea429ae8 Use $XDG_RUNTIME_DIR for temporary files 2014-08-13 23:12:57 +02:00
Eelco Dolstra 57695d8f76 Warn about untrusted binary caches in extra-binary-caches 2014-08-07 22:46:35 +02:00
Eelco Dolstra 6e1f4c1488 nix-install-package: Use extra-binary-caches 2014-08-07 22:41:44 +02:00