git-subtree-dir: mk
git-subtree-mainline: 6ef32bddc1f10034322966b3a5b85af7b9cdc4d8
git-subtree-split: 1eff3ad37fdb9dcf9f8528fdacea0ebf0e79d545
|
Conflicts:
  src/libexpr/eval.cc
|
Signed-off-by: Shea Levy <shea@shealevy.com>
|
Now, in addition to a."${b}".c, you can write a.${b}.c (applicable
wherever dynamic attributes are valid).
Signed-off-by: Shea Levy <shea@shealevy.com>
|
It generally is not useful in interactive environments (and messes up
some non-ANSI-compliant terminals).
|
E.g.

  CXX src/nix-log2xml/log2xml.o
  CC src/bsdiff-4.3/bsdiff.o
  GEN scripts/nix-channel
  LD src/libmain/libnixmain.so
|
This is useful when you do:

  foo_SOURCES := $(wildcard *.cc) foo.cc

where foo.cc is a generated file. In this case, if foo.cc already
exists, you get foo.cc twice in foo_SOURCES, leading to a link error.
|
This makes it easier to use with "git subtree".
|
*headdesk*
*headdesk*
*headdesk*
So since commit 22144afa8d9f8968da351618a1347072a93bd8aa, Nix hasn't
actually checked whether the content of a downloaded NAR matches the
hash specified in the manifest / NAR info file. Urghhh...
|
NAR info files in binary caches can now have a cryptographic signature
that Nix will verify before using the corresponding NAR file.

To create a private/public key pair for signing and verifying a binary
cache, do:

  $ openssl genrsa -out ./cache-key.sec 2048
  $ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub

You should also come up with a symbolic name for the key, such as
"cache.example.org-1". This will be used by clients to look up the
public key. (It's a good idea to number keys, in case you ever need
to revoke/replace one.)

To create a binary cache signed with the private key:

  $ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1

The public key (cache-key.pub) should be distributed to the clients.
They should have a nix.conf that contains something like:

  signed-binary-caches = *
  binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub

If all works well, then if Nix fetches something from the signed
binary cache, you will see a message like:

  *** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’...

On the other hand, if the signature is wrong, you get a message like

  NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring

Signatures are implemented as a single line appended to the NAR info
file, which looks like this:

  Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ==

Thus the signature has 3 fields: a version (currently "1"), the ID of
the key, and the base64-encoded signature of the SHA-256 hash of the
contents of the NAR info file up to but not including the Signature
line.

Issue #75.
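
The Signature line framing described in the commit message above, as an added Python example that is not code from the Nix commit: it separates the signed payload from the Signature line, checks the three fields, and returns the SHA-256 digest and decoded signature that an RSA verification step would consume. The function name, the `trusted_keys` dict, the sample NAR info content and the decision to refuse anything after the Signature line are assumptions of this example; the RSA check itself is left to a crypto library because the page does not state the padding scheme.

```python
import base64
import hashlib

class SignatureError(ValueError):
    """Raised when a NAR info file's Signature line cannot be accepted."""

def split_signed_narinfo(text, trusted_keys):
    """Return (key_name, sha256_digest, signature_bytes) for a signed NAR info file.

    trusted_keys is a hypothetical dict of key name -> public key path, standing
    in for the binary-cache-public-key-<name> settings in nix.conf.
    """
    lines = text.splitlines(keepends=True)
    hits = [i for i, line in enumerate(lines) if line.startswith("Signature:")]
    if len(hits) != 1:
        raise SignatureError("expected exactly one Signature line, found %d" % len(hits))
    pos = hits[0]
    # Assumption of this example: nothing after the Signature line is covered
    # by the signature, so trailing fields are refused rather than trusted.
    if pos != len(lines) - 1:
        raise SignatureError("unsigned content after the Signature line")
    fields = lines[pos][len("Signature:"):].strip().split(";")
    if len(fields) != 3:
        raise SignatureError("Signature line must have exactly 3 fields")
    version, key_name, sig_b64 = fields
    if version != "1":  # the only version the commit message defines
        raise SignatureError("unsupported signature version %r" % version)
    if key_name not in trusted_keys:
        raise SignatureError("no public key configured for %r" % key_name)
    try:
        signature = base64.b64decode(sig_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise SignatureError("signature field is not valid base64") from exc
    # Signed payload: everything up to, but not including, the Signature line.
    payload = "".join(lines[:pos]).encode("utf-8")
    return key_name, hashlib.sha256(payload).digest(), signature

# Constructed sample: the field values and the all-zero "signature" are placeholders.
SAMPLE_BODY = (
    "StorePath: /nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11\n"
    "URL: nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11\n"
)
SAMPLE = (SAMPLE_BODY + "Signature: 1;cache.example.org-1;"
          + base64.b64encode(b"\x00" * 256).decode("ascii") + "\n")
TRUSTED = {"cache.example.org-1": "/path/to/cache-key.pub"}

if __name__ == "__main__":
    name, digest, sig = split_signed_narinfo(SAMPLE, TRUSTED)
    print(name, digest.hex(), len(sig))
```

A 2048-bit key as generated above yields a 256-byte signature, which is why the placeholder has that length.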
|
This reverts commit 0c1198cf08576f16633b2344dc6513cefb567cfc.
|
The FreeBSD machines in the build farm are currently unreachable.
|
On i686-linux, GCC stubbornly refuses to do tail-call optimisation.
Don't know why.
http://hydra.nixos.org/build/7300170
|
This doesn't change any functionality but moves some behavior out of the
parser and into the evaluator in order to simplify the code.
Signed-off-by: Shea Levy <shea@shealevy.com>
|
Since addAttr has to iterate through the AttrPath we pass it, it makes
more sense to just iterate through the AttrNames in addAttr instead. As
an added bonus, this allows attrsets where two dynamic attribute paths
have the same static leading part (see added test case for an example
that failed previously).
Signed-off-by: Shea Levy <shea@shealevy.com>
|