[Nix-commits] [NixOS/nixops] 8f4a67: Add deployment.keys..destDir and deployment.key...
Branch: refs/heads/master
Home: https://github.com/NixOS/nixops
Commit: 8f4a67ca591f9d127344bca3ecd752d3d97a716d
https://github.com/NixOS/nixops/commit/8f4a67ca591f9d127344bca3ecd752d3d97a716d
Author: Kosyrev Serge <deepf...@users.noreply.github.com>
Date: 2017-05-22 (Mon, 22 May 2017)

Changed paths:
M nix/auto-luks.nix
M nix/keys.nix
M nixops/backends/__init__.py
A tests/functional/single_machine_elsewhere_key.nix
M tests/functional/test_send_keys_sends_keys.py

Log Message:
---
Add deployment.keys..destDir and deployment.keys..path (#664)

* deployment.keys: Add a 'destination' option to override their default '/run/keys' target location
* keys..destinationFolder: add a test
* destinationFolder -> destDir
* deploment.keys.*.destDir can't be null
* Fix #646 to add .path property to keys

___
nix-commits mailing list
nix-comm...@lists.science.uu.nl
https://mailman.science.uu.nl/mailman/listinfo/nix-commits

[Nix-commits] [NixOS/nixops] d4ac7d: PoC | tests: add a libvirtd backend test (#668)
Branch: refs/heads/master
Home: https://github.com/NixOS/nixops
Commit: d4ac7d53f65d8b79b848f6bfb6cb7d943e88a931
https://github.com/NixOS/nixops/commit/d4ac7d53f65d8b79b848f6bfb6cb7d943e88a931
Author: Kosyrev Serge <deepf...@users.noreply.github.com>
Date: 2017-05-18 (Thu, 18 May 2017)

Changed paths:
A tests/functional/single_machine_libvirtd_base.nix
M tests/functional/single_machine_test.py

Log Message:
---
PoC | tests: add a libvirtd backend test (#668)

* tests: add a libvirtd backend test
  It's rather convenient to be able to run nixops tests locally, using libvirtd.
* single_machine_test.py: switch string interpol to .format()

[Nix-commits] [NixOS/nixops] b2fdc4: deployment.keys: Add a 'keyFile' option to provid...
Branch: refs/heads/master
Home: https://github.com/NixOS/nixops
Commit: b2fdc4384f4ad48dadfaad16b42b9dd739d53226
https://github.com/NixOS/nixops/commit/b2fdc4384f4ad48dadfaad16b42b9dd739d53226
Author: Kosyrev Serge <deepf...@users.noreply.github.com>
Date: 2017-05-15 (Mon, 15 May 2017)

Changed paths:
M nix/keys.nix
M nixops/backends/__init__.py

Log Message:
---
deployment.keys: Add a 'keyFile' option to provide keys from local files, rather than from text literals. (#661)

[Nix-commits] [NixOS/nixpkgs] 38b2e2: virtualbox: a more maintenance-free way of patchi...
Branch: refs/heads/release-17.03
Home: https://github.com/NixOS/nixpkgs
Commit: 38b2e27c15a353f8e7cf635b925671f17e39b0e5
https://github.com/NixOS/nixpkgs/commit/38b2e27c15a353f8e7cf635b925671f17e39b0e5
Author: Kosyrev Serge <_deepf...@feelingofgreen.ru>
Date: 2017-03-28 (Tue, 28 Mar 2017)

Changed paths:
M pkgs/applications/virtualization/virtualbox/default.nix

Log Message:
---
virtualbox: a more maintenance-free way of patching refs to dlopen()-affected dependencies

(cherry picked from commit 0c3138e6021dbca615d1f0efd0f3c6a2558d6f48)

___
nix-commits mailing list
nix-comm...@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-commits

[Nix-commits] [NixOS/nixpkgs] 0c3138: virtualbox: a more maintenance-free way of patchi...
Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs
Commit: 0c3138e6021dbca615d1f0efd0f3c6a2558d6f48
https://github.com/NixOS/nixpkgs/commit/0c3138e6021dbca615d1f0efd0f3c6a2558d6f48
Author: Kosyrev Serge <_deepf...@feelingofgreen.ru>
Date: 2017-03-28 (Tue, 28 Mar 2017)

Changed paths:
M pkgs/applications/virtualization/virtualbox/default.nix

Log Message:
---
virtualbox: a more maintenance-free way of patching refs to dlopen()-affected dependencies

Re: [Nix-dev] How do you work on big packages?
Dmitry Kalinkin writes:
> On 17 Mar 2017, at 17:44, Vladimír Čunát wrote:
>
> I do believe the intention was for "SW distribution" etc, at least
> primarily, and the suitability for development is a by-product due to
> some properties, e.g. easy (non-)mixing of development and stable
> versions/configs. Marc can surely remember the earlier days of NixOS.
>
> So nix has “nix copy” functionality to do the distribution part. But the rest
> of the nix system allows to describe a
> relatively general computation process in Unix-like environment. I use nix
> derivations to run a numerical
> calculation code and store intermediate steps in outputs. I imagine, there
> are some “SW distribution”-oriented
> users facing more resistance when using nix than me doing my thing. I also
> think that the nix/NixOS community
> will have lots of people who appreciate generality of nix as a tool.
>
> It's even possible to use nix-build instead of make to compile
> individual files, but there it just doesn't seem to be very suitable…
>
> Yes. Like https://github.com/edolstra/nix-make . I wonder what didn’t work
> out.

Garbage management becomes complicated from a human perspective, I guess.

Perhaps, Nix could adopt a generational GC approach, to avoid mixing long-lived packages-related-files and short-lived build-related files..

--
с уважениeм / respectfully,
Косырев Сергей
--
“Most deadly errors arise from obsolete assumptions.”
  -- Frank Herbert, Children of Dune

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev

[Nix-commits] [NixOS/nixpkgs] 2841d8: nvidia_x11: 375.26 -> 375.39
Branch: refs/heads/release-17.03
Home: https://github.com/NixOS/nixpkgs

Commit: 2841d8b2b931e35c0f39e14f1d5d2b9edbf67f1d
https://github.com/NixOS/nixpkgs/commit/2841d8b2b931e35c0f39e14f1d5d2b9edbf67f1d
Author: Cray Elliott <m...@archlinux.us>
Date: 2017-03-19 (Sun, 19 Mar 2017)

Changed paths:
M pkgs/os-specific/linux/nvidia-x11/default.nix

Log Message:
---
nvidia_x11: 375.26 -> 375.39
nvidia_x11_beta: 378.09 -> 378.13

(cherry picked from commit 12083de992057d55a575a36965260d0c153bc13a)

Commit: 7b200151e62c011e6ef4428b53bd822f19346ee8
https://github.com/NixOS/nixpkgs/commit/7b200151e62c011e6ef4428b53bd822f19346ee8
Author: Cray Elliott <m...@archlinux.us>
Date: 2017-03-19 (Sun, 19 Mar 2017)

Changed paths:
M pkgs/os-specific/linux/nvidia-x11/generic.nix

Log Message:
---
nvidia_x11_beta: add patch to support Linux 4.10.x

thanks to bendlas for the review for pointing out a way to grab the patch remotely!

(cherry picked from commit 8799254eac48f8b351aef941f3ff330e309ab150)

Commit: b2a97cadd10e4188063f97b7cc9ceeb3e4afaaf8
https://github.com/NixOS/nixpkgs/commit/b2a97cadd10e4188063f97b7cc9ceeb3e4afaaf8
Author: Kosyrev Serge <_deepf...@feelingofgreen.ru>
Date: 2017-03-19 (Sun, 19 Mar 2017)

Changed paths:
M pkgs/os-specific/linux/nvidia-x11/generic.nix

Log Message:
---
nvidia-x11: don't patch things if libsOnly requested

(cherry picked from commit d18f55269c3a0d83c0c34875b6047adb12e4b581)

Commit: 80cff1f3ca7b19cf80e019c6721a15efb812ebd0
https://github.com/NixOS/nixpkgs/commit/80cff1f3ca7b19cf80e019c6721a15efb812ebd0
Author: Kosyrev Serge <_deepf...@feelingofgreen.ru>
Date: 2017-03-19 (Sun, 19 Mar 2017)

Changed paths:
M pkgs/os-specific/linux/nvidia-x11/builder.sh

Log Message:
---
nvidia-x11: $bin can be empty

(cherry picked from commit d860a68fd0f203983a734094ef6eb78707c586c2)

Compare: https://github.com/NixOS/nixpkgs/compare/39332aaecf21...80cff1f3ca7b

[Nix-commits] [NixOS/nixpkgs] 4f8b40: quodlibet: rename to quodlibet, quodlibet-without...
Branch: refs/heads/master
Home: https://github.com/NixOS/nixpkgs
Commit: 4f8b4069e5dbfdb319fa394f0f3b3fa9aa10d673
https://github.com/NixOS/nixpkgs/commit/4f8b4069e5dbfdb319fa394f0f3b3fa9aa10d673
Author: Kosyrev Serge <skosy...@ptsecurity.com>
Date: 2017-01-25 (Wed, 25 Jan 2017)

Changed paths:
M pkgs/applications/audio/quodlibet/default.nix
M pkgs/top-level/all-packages.nix

Log Message:
---
quodlibet: rename to quodlibet, quodlibet-without-gst-plugins

The gst-plugin-less version is barely useful out of the box, so it is the one that should be relegated to a less prominent spot in the namespace.

Re: [Nix-dev] List of companies using NixOS
Our company, Positive Technologies, uses dockerized Nix to compose fine-tuned environments for development of bare-metal security software.

--
с уважениeм / respectfully,
Косырев Сергей
--
“Most deadly errors arise from obsolete assumptions.”
  -- Frank Herbert, Children of Dune

Re: [Nix-dev] Seemingly inexplicable proliferation of gcc/glibc runtimes
Kosyrev Serge <_deepf...@feelingofgreen.ru> writes:
> What I see is this:

Whoops! I'm afraid last minute changes slightly broke formatting.. Here goes the fixed version:

[deepfire@andromedae:~]$ nix-analyze-rootlike glibc; echo; nix-analyze-rootlike gcc
; analyzing "/nix/store/*-glibc-*" (minus noise)
    referrers    | disc | correlation to profile
 closure  direct | size | user  system
    1073     807 |  22M |  109      25  /nix/store/dad9vxniabwzidvvxfsfj6vb0xncsbbb-glibc-2.23
     210     165 |  22M |    0       0  /nix/store/phffgv3pwihmpdyk8xsz3wv8ydysch8w-glibc-2.23
     159      22 |  34M |    0       0  /nix/store/i0l0jjkk82wsqz9z5yhg35iy78bjq684-glibc-2.21
       5       5 |  22M |    0       0  /nix/store/62n981f02b56wjqfdq00pq706k11xz4d-glibc-2.21

; analyzing "/nix/store/*-gcc-*" (minus noise)
    referrers    | disc | correlation to profile
 closure  direct | size | user  system
     388      10 | 116M | 428  /nix/store/scfqn9hsh9k1b0j1y1znzrkr2a5k-gcc-5.4.0
     148       5 |  91M |    0       0  /nix/store/cpv8pyc772cx0spzz76sa6dvsf6555dh-gcc-4.8.4
       7       2 | 116M |    0       0  /nix/store/l8y2srrkp5fflwph7vq0gllj1k1ai17w-gcc-5.3.0

--
с уважениeм / respectfully / Z poważaniem,
Косырев Сергей

[Nix-dev] Seemingly inexplicable proliferation of gcc/glibc runtimes
Good day!

I am trying to understand the reasons for the multiplicity of glibc/gcc runtimes installed on my NixOS system -- on fresh nixpkgs master (434f9d1).

The status quo is a system with:

- a single system profile (system-290-link)
- a single user profile (profile-483-link)
- an empty root user profile (default-4-link)

,
| [deepfire@andromedae:~]$ nix-store --gc --print-roots
| /nix/var/nix/profiles/default-4-link -> /nix/store/vvm18ixrgpn9zgzp5h3lkiyx6rqfj3qn-user-environment
| /nix/var/nix/profiles/per-user/deepfire/profile-483-link -> /nix/store/bg1z2vwb28my9grrpnc192a3c3sq3l8d-user-environment
| /nix/var/nix/profiles/system-290-link -> /nix/store/y79r2dj7qymfhi9zdirdpfppbv4jbzqp-nixos-system-andromedae-16.09.git.434f9d1
| /run/booted-system -> /nix/store/y79r2dj7qymfhi9zdirdpfppbv4jbzqp-nixos-system-andromedae-16.09.git.434f9d1
| /run/current-system -> /nix/store/y79r2dj7qymfhi9zdirdpfppbv4jbzqp-nixos-system-andromedae-16.09.git.434f9d1
`

Additionally:

1. everything in the user environment was passed through 'nix-env --upgrade --leq --always', so it ought to be completely synchronized with nixpkgs=434f9d1
2. the booted system environment == the current system environment, as it can be seen
3. there seems to be no pinned custom environments that I could find -- not that I ever made one, actually
4. nix-store --gc, obviously

What I see is this:

,
| [deepfire@andromedae:~]$ nix-analyze-rootlike glibc; nix-analyze-rootlike gcc
| ; analyzing "/nix/store/*-glibc-*" (minus noise)
|     referrers    | disc | correlation to profile
|  closure  direct | size | user  system
|     1073     807 |  22M |  109      25  /nix/store/dad9vxniabwzidvvxfsfj6vb0xncsbbb-glibc-2.23
|      210     165 |  22M |    0       0  /nix/store/phffgv3pwihmpdyk8xsz3wv8ydysch8w-glibc-2.23
|      159      22 |  34M |    0       0  /nix/store/i0l0jjkk82wsqz9z5yhg35iy78bjq684-glibc-2.21
|        5       5 |  22M |    0       0  /nix/store/62n981f02b56wjqfdq00pq706k11xz4d-glibc-2.21
| ; analyzing "/nix/store/*-gcc-*" (minus noise)
|     referrers    | disc | correlation to profile
|  closure  direct | size | user  system
|      388      10 | 116M | 428  /nix/store/scfqn9hsh9k1b0j1y1znzrkr2a5k-gcc-5.4.0
|      148       5 |  91M |    0       0  /nix/store/cpv8pyc772cx0spzz76sa6dvsf6555dh-gcc-4.8.4
|        7       2 | 116M |    0       0  /nix/store/l8y2srrkp5fflwph7vq0gllj1k1ai17w-gcc-5.3.0
`

The tools used to generate this are at https://github.com/deepfire/nix-store-analysis:

- https://github.com/deepfire/nix-store-analysis/blob/master/nix-analyze-rootlike
- https://github.com/deepfire/nix-store-analysis/blob/master/nix-correlate-rootlike-to-current-userenv
- https://github.com/deepfire/nix-store-analysis/blob/master/nix-correlate-rootlike-to-system

The basic idea is to take a store path, and correlate its referrer closure with the "leaf set" of store paths, where "leaf set" consists of:

- system packages: nix-store --query --references /nix/var/nix/profiles/system
- user packages: nix-env --query --installed --out-path

As it can be seen, there are three glibc and two gcc store paths that are obviously involved, yet inexplicable -- given the above model, and the contents of the "About the package zoo" section below.

* * *

Probing a simple case
=====================

Looking at the simplest case (the glibc with smallest --referrers-closure) provides the following picture:

[deepfire@andromedae:~]$ nix-store --query --referrers-closure /nix/store/62n981f02b56wjqfdq00pq706k11xz4d-glibc-2.21
/nix/store/62n981f02b56wjqfdq00pq706k11xz4d-glibc-2.21
/nix/store/5m6i1h71xp6r7k381hrsv5qwn3s6b93h-libXau-1.0.8
/nix/store/kx1l6yis70h9sly7cs4b95jq0j8yxjqr-libXdmcp-1.1.2
/nix/store/bxsi9xrrfc0qw3ndys83rppwqxbn33ma-libxcb-1.11.1
/nix/store/62bmpi8kll9kj8il89kdaddvzib3r4pm-libX11-1.6.3

Why would these be used anywhere on their own?

How are we supposed to understand what is going on?

Should I file a ticket?

--
с уважениeм / respectfully / Z poważaniem,
Косырев Сергей

Re: [Nix-dev] CVE-2015-7547 stdenv-changing fix merged on master and 15.09
rocon...@theorem.ca writes:
> I am using the following expression which I believe will build a patched
> version of glibc locally, and then build a patched NixOS derivation.
>
>   system.replaceRuntimeDependencies = with pkgs.lib;
>     [{original = pkgs.glibc; replacement =
>       pkgs.stdenv.lib.overrideDerivation pkgs.glibc (oldAttr: { patches =
>         oldAttr.patches ++
>         [(pkgs.fetchurl { url =
>           "https://raw.githubusercontent.com/NixOS/nixpkgs/master/pkgs/development/libraries/glibc/cve-2015-7547.patch";
>           sha256 =
>           "0awpc4rp2x27rjpj83ps0rclmn73hsgfv2xxk18k82w4hdxqpp5r";})];
>       });}
>     ];
>
> I didn't time it, but I think it took around 25 minutes to update my
> desktop machine this way. Good luck everyone.

For those of us who aren't that fluent in Nix idioms -- could you provide a quick summary of how you manage to achieve the seemingly impossible?

Normally, one would expect that updating glibc would cause a full system rebuild, but in your case it's obviously not the case.

And lastly -- is this somehow related to the techniques proposed for providing NixOS with security updates?

--
с уважениeм / respectfully,
Косырев Сергей

[Nix-dev] Using nix-shell in messy trees with symlinks and binary files
Good day, folks!

What I'm seeing is a rather disturbingly odd, context-dependent behavior of nix-shell:

,
| [deepfire@andromedae:~/src/foo]$ nix-shell default.nix
| warning: dumping very large path (> 256 MiB); this may run out of memory
| error: file ‘/home/deepfire/src/foo/generated/rootfs/chroot/dev/fuse’ has an unsupported type
| (use ‘--show-trace’ to show detailed location information)
|
| [deepfire@andromedae:~/src/foo]$ mv default.nix scripts/
|
| [deepfire@andromedae:~/src/foo]$ nix-shell scripts/default.nix
|
| [nix-shell:~/src/foo]$
`

The directory structure, indeed, has some oddities -- device files, symlink loops, this kind of stuff.

Consideration that nix-shell tries to compute some.. hash.. out of it all, sends shivers down my spine. That's a lot of stuff to hash through.

If this theory is, indeed, correct, what would be the way to make nix-shell disregard certain paths from the equation?

--
respectfully,
Косырев Сергей
head of the virtualization technologies department
Positive Technologies

Re: [Nix-dev] ghcHEAD broken?
Peter Simons sim...@cryp.to writes:

Hi Kosyrev,

I'm trying to replicate the fix for ghcNokinds, but the determinism two-liner doesn't seem to be enough on its own.

I would expect that adding the files VERSION and GIT_COMMIT_ID to the source tree would suffice. The build log says:

  checking for GHC version date... configure: WARNING: cannot determine snapshot version: no .git directory and no VERSION file
  checking for GHC Git commit id... configure: WARNING: cannot determine snapshot revision: no .git directory and no 'GIT_COMMIT_ID' file

Apparently, the build process respects those files, no? What exactly happens when you compile the nokinds GHC that way and try to use it?

Sure, that's why I've adopted your determinism two-liner:

,
|postUnpack = ''
|  pushd ghc-${builtins.substring 0 7 rev}
| +echo ${version} VERSION
| +echo ${rev} GIT_COMMIT_ID
|  patchShebangs .
|  ./boot
|  popd
`

..which still fails like this:

,
| [deepfire@andromedae:~/src/moodel]$ nix-store --realise /nix/store/0bfz38ci1ayslcxzc8dj5wc4i4fvbi6v-ghc-nokinds-7.11.20150718.drv
| these derivations will be built:
|   /nix/store/0bfz38ci1ayslcxzc8dj5wc4i4fvbi6v-ghc-nokinds-7.11.20150718.drv
| building path(s) ‘/nix/store/kyqccq06a75wms3kklc9cykvn68bfp2c-ghc-nokinds-7.11.20150718’
| created 39 symlinks in user environment
| ghc-pkg: /nix/store/kyqccq06a75wms3kklc9cykvn68bfp2c-ghc-nokinds-7.11.20150718/lib/ghc-7.11.20150718/package.conf.d/package.cache: you don't have permission to modify this file
| builder for ‘/nix/store/0bfz38ci1ayslcxzc8dj5wc4i4fvbi6v-ghc-nokinds-7.11.20150718.drv’ failed with exit code 1
`

..but I've also noticed, that you have also bumped the ghcHEAD version, and so I wondered if this made part of the difference..

--
respectfully,
Косырев Серёга
--
“And those who were seen dancing were thought to be insane by those who could not hear the music.”
  – Friedrich Wilhelm Nietzsche