Age | Commit message (Collapse) | Author |
|
It's in the security section, and it was totally outdated anyway.
I took the opportunity to write down the stuff we already believed.
Change-Id: I73e62ae85a82dad13ef846e31f377c3efce13cb0
|
|
Here's my guide so far:
$ rg '((?!(recursive).*) Nix
(?!(daemon|store|expression|Rocks!|Packages|language|derivation|archive|account|user|sandbox|flake).*))'
-g '!doc/' --pcre2
All items from this query have been tackled. For the documentation side:
that's for https://git.lix.systems/lix-project/lix/issues/162.
Additionally, all remaining references to github.com/NixOS/nix which
were not relevant were also replaced.
Fixes: https://git.lix.systems/lix-project/lix/issues/148.
Fixes: https://git.lix.systems/lix-project/lix/issues/162.
Change-Id: Ib3451fae5cb8ab8cd9ac9e4e4551284ee6794545
Signed-off-by: Raito Bezarius <raito@lix.systems>
|
|
Change-Id: Icff0aa33fda5147bd5dbe256a0b9d6a6c8a2c3f6
|
|
Seccomp filtering and the no-new-privileges functionality improve the security
of the sandbox, and have been enabled by default for a long time. In
https://git.lix.systems/lix-project/lix/issues/265 it was decided that they
should be enabled unconditionally. Accordingly, remove the allow-new-privileges
(which had weird behavior anyway) and filter-syscall settings, and force the
security features on. Syscall filtering can still be enabled at build time to
support building on architectures libseccomp doesn't support.
Change-Id: Iedbfa18d720ae557dee07a24f69b2520f30119cb
|
|
Fixes https://git.lix.systems/lix-project/lix/issues/268
Change-Id: I3f1b0ddf064f891cca8b53229c5c31c74cea3d9f
|
|
this should be a link, not an anchor. it should also point to the
`gloss-store` element, not the `#gloss-store` element.
Change-Id: I1f2803093179549637e10f917ad73399a419131b
|
|
doc: fix machine-specific capabilities leaking
(cherry picked from commit dda0e34ecf16bb1c736d585414122a7e3587db70)
Change-Id: I3d07cc5039ee954b215a7a27caa3bf7359d92c26
|
|
saner default for log-lines: change to 25
(cherry picked from commit dedbbbb451bb8f2bd0925e59a8b3d127157015f8)
Change-Id: I8847df4aeb6e5c2d2be0e04f2a0a1aa595cb3b2f
|
|
Add eval-system option
(cherry picked from commit 071dbbee33af9f27338c3e53e4ea067dbfa14010)
Change-Id: Ia81358c8cfb60241da07a4d0e84b9ee62a18a53f
|
|
feat: add always-allow-substitutes
(cherry picked from commit da2b59a08878b3c6c7074595e3b6d26b6928b4c1)
Change-Id: I50481cd8fe643c673c610fec28bad84519a4d650
|
|
I'm sure that we'll adjust the implementation over time, but this
at least discerns between an apple silicon bare metal machine and
a tart VM.
(cherry picked from commit 9277eb276bf0a942e88fcf499f6a6b9c262be853)
|
|
|
|
remove the Channels section
|
|
|
|
|
|
|
|
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
|
|
|
|
|
|
add information what happens when Nix itself is cross-compiled
|
|
|
|
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
|
|
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
|
|
|
|
|
|
|
|
|
|
|
|
best-effort-supplementary-groups
|
|
reword documentation on trusted users and substituters
|
|
Rather than doing `allowEmpty` as boolean, have separate types and use
`std::optional`. This makes it harder to forget the possibility of an
empty path.
The `build-hook` setting was categorized as a `PathSetting`, but
actually it was split into arguments. No good! Now, it is
`Setting<Strings>` which actually reflects what it means and how it is
used.
Because of the subtyping, we now also have support for
`Setting<std::optional<String>>` in general. I imagine this can be used
to clean up many more settings also.
|
|
|
|
|
|
|
|
|
|
this is to make it slightly easier to scan over
|
|
Introduce what substituters "are" in the configuration option entry.
Remove arbitrary line breaks for easier editing in the future.
Link glossary some more.
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
Co-authored-by: John Ericson <git@JohnEricson.me>
|
|
aneeshusa/remove-wrong-default-value-in-docs-for-hashed-mirrors
Remove old default from docs for `hashed-mirrors`
|
|
* Document manual migration for use-xdg-base-directories
As there's currently no automatic migration for use-xdg-base-directories
option, add instructions for manual migration to the option's
description.
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
|
|
The `hashed-mirrors` option did use to have this default value,
but it was removed and re-added with an empty default value.
As the autogenerated docs show the (actual) default values from code,
remove this incorrect reference from the docs.
I was updating my nix.conf settings after a few years and noticed this.
|
|
best-effort-supplementary-groups
|
|
Document user files of nix
|
|
There is no obvious good solution for this that has occured to anyone.
|
|
|
|
|
|
|
|
Issues:
1. Features gated on disabled experimental settings should warn and be
ignored, not silently succeed.
2. Experimental settings in the same config "batch" (file or env var)
as the enabling of the experimental feature should work.
3. For (2), the order should not matter.
These are analogous to the issues @roberth caught with my changes for
arg handling, but they are instead for config handling.
Co-authored-by: Robert Hensing <roberth@users.noreply.github.com>
|
|
Make `initLibStore` a viable alternative
|
|
Fix #8162
The test is changed to compare `nlohmann::json` values, not strings of dumped
JSON, which allows us to format things more nicely.
|
|
Left over from 9747ea84b, https://github.com/NixOS/nix/pull/5821
|