| Age | Commit message (Collapse) | Author |
|---|
|
This prevents builders from setting the S_ISUID or S_ISGID bits,
preventing users from using a nixbld* user to create a setuid/setgid
binary to interfere with subsequent builds under the same nixbld* uid.
This is based on aszlig's seccomp code
(47f587700d646f5b03a42f2fa57c28875a31efbe).
Reported by Linus Heckemann.
|
|
Fixes
client# error: size mismatch importing path ‘/nix/store/ywf5fihjlxwijm6ygh6s0a353b5yvq4d-libidn2-0.16’; expected 0, got 120264
This is mostly an artifact of the NixOS VM test environment, where the
Nix database doesn't contain hashes/sizes.
http://hydra.nixos.org/build/53537471
|
|
http://hydra.nixos.org/build/53537463
|
|
|
|
Fix variable name typo in derivations doc
|
|
Remove stray `>` in builtins doc
|
|
|
|
|
|
Also, make nix-shell respect --option. (Previously it only passed it
along to nix-instantiate and nix-build.)
|
|
|
|
nix-profile.sh: remove sbin from PATH
|
|
It lacked a backslash. Use a raw string and single quotes around PS1
to simplify this.
|
|
|
|
Document fetchTarball can take a sha256
|
|
|
|
|
|
Issue #1331.
|
|
|
|
|
|
This avoids a possible stack overflow if directories are very deeply nested.
|
|
|
|
Fixes #1384.
|
|
And add a 116 KiB ash shell from busybox to the release build. This
helps to make sandbox builds work out of the box on non-NixOS systems
and with diverted stores.
|
|
This is useful when we're using a diverted store (e.g. "--store
local?root=/tmp/nix") in conjunction with a statically-linked sh from
the host store (e.g. "sandbox-paths =/bin/sh=/nix/store/.../bin/busybox").
|
|
|
|
|
|
nix ls: support '/' for the root directory
|
|
|
|
Previously, if a directory `foo` existed and a file `foo-` (where `-` is any character that is sorted before `/`), then `readDirectory` would return an empty list.
To fix this, we now use a tree where we can just access the children of the node, and do not need to rely on sorting behavior to list the contents of a directory.
|
|
This is useful e.g. for distinguishing traffic to a binary cache
(e.g. certain machines can use a different tag in the user agent).
|
|
|
|
|
|
Note that a trusted signature was still required in this case so it
was not a huge deal.
|
|
Note that I refer to `nix-prefetch-url`.
|
|
It now means "paths that were built locally". It no longer includes
paths that were added locally. For those we don't need info.ultimate,
since we have the content-addressability assertion (info.ca).
|
|
It allowed the client to specify bogus narSize values. In particular,
Downloader::downloadCached wasn't setting narSize at all.
|
|
|
|
Using linenoise avoids a license compatibility issue (#1356), is a lot
smaller and doesn't pull in ncurses.
|
|
If running nix-shell as root, the terminator should be # and not $.
|
|
|
|
This is a little convenience command that opens the Nix expression of
the specified package. For example,
nix edit nixpkgs.perlPackages.Moose
opens <nixpkgs/pkgs/top-level/perl-packages.nix> in $EDITOR (at the
right line number for some editors).
This requires the package to have a meta.position attribute.
|
|
|
|
|
|
|
|
|
|
sbin is a symlink to bin.
profiles only contains packages, which have this symlink.
It is a subset of bin.
related to https://github.com/NixOS/nixpkgs/pull/25550
|
|
This is mostly for use in the sandbox tests, since if the Nix store is
under /build, then we can't use /build as the build directory.
|
|
|
|
There is a security issue when a build accidentally stores its $TMPDIR
in some critical place, such as an RPATH. If
TMPDIR=/tmp/nix-build-..., then any user on the system can recreate
that directory and inject libraries into the RPATH of programs
executed by other users. Since /build probably doesn't exist (or isn't
world-writable), this mitigates the issue.
|
|
This is primarily useful for extracting NARs from other stores (like
binary caches), which "nix-store --dump" cannot do.
|
