lix -

Age	Commit message (Collapse)	Author
2021-02-09	Revert "narinfo: Change NAR URLs to be addressed on the NAR hash instead of ↵	Graham Christensen
	the compressed hash"
2021-02-09	Merge pull request #4464 from tweag/nar-narhash-addressed	Eelco Dolstra
	narinfo: Change NAR URLs to be addressed on the NAR hash instead of the compressed hash
2021-01-21	narinfo: Change NAR URLs to be addressed on the NAR hash instead of the ↵	adisbladis
	compressed hash This change is to simplify [Trustix](https://github.com/tweag/trustix) indexing and makes it possible to reconstruct this URL regardless of the compression used. In particular this means that https://github.com/tweag/trustix/blob/7c2e9ca597de233846e0b265fb081626ca6c59d8/contrib/nix/nar/nar.go#L61-L71 can be removed and only the bits that are required to establish trust needs to be published in the Trustix build logs.
2021-01-15	Merge remote-tracking branch 'upstream/master' into non-local-store-build	John Ericson

2021-01-06	Make sodium a required dependency	Eelco Dolstra

2021-01-06	Add commands for generating secret/public keys	Eelco Dolstra

2020-12-23	Test nix-instantiate with binary cache store	John Ericson
	Trying to make sure it work with obscurers stores.
2020-12-03	Move most store-related commands to 'nix store'	Eelco Dolstra

2020-12-03	Move NAR-related commands to 'nix nar'	Eelco Dolstra

2020-11-17	Remove stray debug statement	Eelco Dolstra
	This was causing a failure on macOS. https://hydra.nixos.org/build/130354318
2020-10-26	Fix test	Eelco Dolstra

2020-10-18	Tests for #3964	Robert Hensing

2020-08-07	Fix .ls file names in binary caches	Eelco Dolstra
	These are not supposed to include the 'name' part of the store path. This was broken by 759947bf72.
2020-08-04	Make JSON equality tests agnostic to ordering	John Ericson
	It is in fact more sorted than before, but I don't think we want to guarantee anything about the ordering.
2020-07-13	Add a test for local NAR caching	Eelco Dolstra

2020-07-13	Fix 'nix verify --all' on a binary cache and add a test	Eelco Dolstra

2020-07-13	Add a test for DWARF debug info index generation	Eelco Dolstra

2020-07-13	Add a test for NAR listing generation	Eelco Dolstra

2020-05-12	tests/binary-cache.sh: Improve incomplete closure test	Eelco Dolstra
	Issue #3373.
2020-03-24	Misc changes from the flakes branch	Eelco Dolstra

2018-06-05	Don't require --fallback to recover from disappeared binary cache NARs	Eelco Dolstra

2018-06-05	Improve binary cache fallback test	Eelco Dolstra

2018-06-05	Remove non-existent NIX_DEBUG_SUBST	Eelco Dolstra

2017-11-20	Test: Replace --option with the corresponding flag	Eelco Dolstra

2017-11-20	signed-binary-caches -> require-sigs	Eelco Dolstra
	Unlike signed-binary-caches (which could only be '*' or ''), require-sigs is a proper Boolean option. The default is true.
2017-11-20	binary-cache-public-keys -> trusted-public-keys	Eelco Dolstra
	The name had become a misnomer since it's not only for substitution from binary caches, but when adding/copying any (non-content-addressed) path to a store.
2017-10-24	More progress indicator improvements	Eelco Dolstra
	In particular, don't show superfluous "fetching path" and "building path(s)" messages, and show the current round (with --repeat).
2017-10-02	Fix tests	Dan Peebles
	`nix copy` no longer accepts a `--recursive` argument
2017-03-21	Fix tests to reflect the signed-binary-caches default change	Eelco Dolstra

2016-08-10	Nuke nix-push.	Shea Levy
	Rarely used, nix copy replaces it.
2016-06-01	HttpBinaryCacheStore: Fix caching of WantMassQuery	Eelco Dolstra
	Also, test HttpBinaryCacheStore in addition to LocalBinaryCacheStore.
2016-05-30	Test trying the next substitute after a bad signature	Eelco Dolstra

2016-05-30	Test the NAR info cache	Eelco Dolstra

2016-05-30	Re-implement binary cache signature checking	Eelco Dolstra
	This is now done in LocalStore::addToStore(), rather than in the binary cache substituter (which no longer exists).
2016-05-30	LocalStore::addToStore: Verify hash of the imported path	Eelco Dolstra

2016-04-11	Remove manifest support	Eelco Dolstra
	Manifests have been superseded by binary caches for years. This also gets rid of nix-pull, nix-generate-patches and bsdiff/bspatch.
2015-02-18	nix-store --generate-binary-cache-key: Write key to disk	Eelco Dolstra
	This ensures proper permissions for the secret key.
2015-02-10	Make libsodium an optional dependency	Eelco Dolstra

2015-02-04	Use libsodium instead of OpenSSL for binary cache signing	Eelco Dolstra
	Sodium's Ed25519 signatures are much shorter than OpenSSL's RSA signatures. Public keys are also much shorter, so they're now specified directly in the nix.conf option ‘binary-cache-public-keys’. The new command ‘nix-store --generate-binary-cache-key’ generates and prints a public and secret key.
2014-02-26	Test executables in NARs	Eelco Dolstra

2014-02-17	Add a test for repairing paths	Eelco Dolstra

2014-01-08	Fix signed-binary-caches test	Eelco Dolstra

2014-01-08	Test whether Nix correctly checks the hash of downloaded NARs	Eelco Dolstra

2014-01-08	Support cryptographically signed binary caches	Eelco Dolstra
	NAR info files in binary caches can now have a cryptographic signature that Nix will verify before using the corresponding NAR file. To create a private/public key pair for signing and verifying a binary cache, do: $ openssl genrsa -out ./cache-key.sec 2048 $ openssl rsa -in ./cache-key.sec -pubout > ./cache-key.pub You should also come up with a symbolic name for the key, such as "cache.example.org-1". This will be used by clients to look up the public key. (It's a good idea to number keys, in case you ever need to revoke/replace one.) To create a binary cache signed with the private key: $ nix-push --dest /path/to/binary-cache --key ./cache-key.sec --key-name cache.example.org-1 The public key (cache-key.pub) should be distributed to the clients. They should have a nix.conf should contain something like: signed-binary-caches = * binary-cache-public-key-cache.example.org-1 = /path/to/cache-key.pub If all works well, then if Nix fetches something from the signed binary cache, you will see a message like: *** Downloading ‘http://cache.example.org/nar/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’ (signed by ‘cache.example.org-1’) to ‘/nix/store/7dppcj5sc1nda7l54rjc0g5l1hamj09j-subversion-1.7.11’... On the other hand, if the signature is wrong, you get a message like NAR info file `http://cache.example.org/7dppcj5sc1nda7l54rjc0g5l1hamj09j.narinfo' has an invalid signature; ignoring Signatures are implemented as a single line appended to the NAR info file, which looks like this: Signature: 1;cache.example.org-1;HQ9Xzyanq9iV...muQ== Thus the signature has 3 fields: a version (currently "1"), the ID of key, and the base64-encoded signature of the SHA-256 hash of the contents of the NAR info file up to but not including the Signature line. Issue #75.
2013-07-01	Add support for uncompressed NARs in binary caches	Eelco Dolstra
	Issue NixOS/hydra#102.
2013-04-23	Test whether --fallback works if NARS have disappeared from the binary cache	Eelco Dolstra

2013-04-23	Test NAR info caching	Eelco Dolstra

2013-01-02	If a substitute closure is incomplete, build dependencies, then retry the ↵	Eelco Dolstra
	substituter Issue #77.
2013-01-02	Add a test for incomplete closures in the binary cache	Eelco Dolstra
	Issue #77.
2012-12-03	Test the ‘--prebuilt-only’ flag	Eelco Dolstra