[Nix-dev] Nix 1.4 released

2013-02-28 Thread Eelco Dolstra
Hi,

I'm pleased to announce the availability of a new stable release of the
Nix package manager.  Release 1.5 can be found at

  http://hydra.nixos.org/release/nix/nix-1.5

This is a brown paper bag release to fix a regression introduced by the hard
link security fix in 1.4.

-- 
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev


Re: [Nix-dev] Nix 1.4 released

2013-02-28 Thread Vladimír Čunát

On 02/28/2013 01:08 PM, Eelco Dolstra wrote:

> I'm pleased to announce the availability of a new stable release of the
> Nix package manager.  Release 1.5 can be found at
>
>   http://hydra.nixos.org/release/nix/nix-1.5
>
> This is a brown paper bag release to fix a regression introduced by the hard
> link security fix in 1.4.


Nice.
Personally I wouldn't bump the minor version number on bug fixes, but 
never mind.


Vlada





Re: [Nix-dev] Nix 1.4 released

2013-02-27 Thread Eelco Dolstra
Hi,

On 26/02/13 21:25, Vladimír Čunát wrote:

> On 02/26/2013 02:46 PM, Eelco Dolstra wrote:
>> * Language change: The expression ${./path} ... now evaluates to a string
>>   instead of a path.
>
> That means such a file isn't copied into the store, and is included as a
> plain ./path string, etc. Right?

It *is* copied, so an expression ${./file.sh} foo will evaluate to
/nix/store/...-file.sh foo.  Previously it would try to copy ./file.sh foo,
which presumably doesn't exist.

> BTW, I believe the hardlink concept is one of the worst original UNIX features.
> COW copy would make sense, but hardlinks are usually more trouble than they're worth.

Well, the main problem is that you can make hard links to files you don't own.
We should enable the kernel's hard link restrictions feature in NixOS...

-- 
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/


Re: [Nix-dev] Nix 1.4 released

2013-02-27 Thread Vladimír Čunát

On 02/27/2013 12:00 PM, Eelco Dolstra wrote:

> On 26/02/13 21:25, Vladimír Čunát wrote:
>
>> On 02/26/2013 02:46 PM, Eelco Dolstra wrote:
>>
>>> * Language change: The expression ${./path} ... now evaluates to a string
>>>   instead of a path.
>>
>> That means such a file isn't copied into the store, and is included as a
>> plain ./path string, etc. Right?
>
> It *is* copied, so an expression ${./file.sh} foo will evaluate to
> /nix/store/...-file.sh foo.  Previously it would try to copy ./file.sh foo,
> which presumably doesn't exist.

Ah :-) thanks for explaining.

>> BTW, I believe the hardlink concept is one of the worst original UNIX features. COW
>> copy would make sense, but hardlinks are usually more trouble than they're worth.
>
> Well, the main problem is that you can make hard links to files you don't own.
> We should enable the kernel's hard link restrictions feature in NixOS...


I certainly won't mind it. The option seems to be in-tree since around 3.6.


Vlada






[Nix-dev] Nix 1.4 released

2013-02-26 Thread Eelco Dolstra
Hi,

I'm pleased to announce the availability of a new stable release of the
Nix package manager.  Release 1.4 can be found at

  http://hydra.nixos.org/release/nix/nix-1.4

This release fixes a security bug in multi-user operation. It was possible for
derivations to cause the mode of files outside of the Nix store to be changed
to 444 (read-only but world-readable) by creating hard links to those files (see
https://github.com/NixOS/nix/commit/5526a282b5b44e9296e61e07d7d2626a79141ac4 for
details).

There are also the following improvements:

  * New built-in function: builtins.hashString.

  * Build logs are now stored in /nix/var/log/nix/drvs/XX/, where XX is the
    first two characters of the derivation. This is useful on machines that
    keep a lot of build logs (such as Hydra servers).

  * The function corepkgs/fetchurl can now make the downloaded file executable.
    This will allow getting rid of all bootstrap binaries in the Nixpkgs source
    tree.

  * Language change: The expression ${./path} ... now evaluates to a string
    instead of a path.

-- 
Eelco Dolstra | LogicBlox, Inc. | http://nixos.org/~eelco/
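
An added illustration, not code from Nix or from this thread, of the two hard link points made here: a recursive chmod over a build output also changes any outside file that was hard-linked into it, and the kernel's hard link restrictions (the `fs.protected_hardlinks` sysctl on Linux) are a separate safeguard. The link-count guard, the function names and the temporary files are assumptions constructed for the example.

```python
import os
import stat
import tempfile

def hardlink_restrictions_enabled(path="/proc/sys/fs/protected_hardlinks"):
    """True/False from the sysctl; None if this kernel does not expose it."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return None

def regular_files(root):
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)  # lstat: never follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode):
                yield p, st

def externally_linked(root):
    """Files under root whose inode also has a name outside root: st_nlink
    counts every name, so fewer names inside the tree means one is elsewhere."""
    seen = {}
    for p, st in regular_files(root):
        seen.setdefault((st.st_dev, st.st_ino), (st.st_nlink, []))[1].append(p)
    return sorted(p for n, ps in seen.values() if n > len(ps) for p in ps)

def make_read_only(root):
    """chmod 0444 on regular files under root; refuse if any is shared."""
    shared = externally_linked(root)
    if shared:
        raise PermissionError(f"linked from outside {root}: {shared}")
    for p, _st in regular_files(root):
        os.chmod(p, 0o444)

def demo():
    """Constructed scenario; returns (refused, mode of the outside file)."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = os.path.join(tmp, "outside.key")  # a file beyond the tree
        out = tempfile.mkdtemp(dir=tmp)             # stands in for the output
        open(outside, "w").close()
        os.chmod(outside, 0o600)
        os.link(outside, os.path.join(out, "innocent"))  # shares the inode
        try:
            make_read_only(out)
        except PermissionError:
            return True, stat.S_IMODE(os.stat(outside).st_mode)
        return False, stat.S_IMODE(os.stat(outside).st_mode)
```

Hard links that stay entirely inside the tree pass the guard, so only inodes with a name elsewhere block the mode change.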


Re: [Nix-dev] Nix 1.4 released

2013-02-26 Thread Vladimír Čunát

On 02/26/2013 02:46 PM, Eelco Dolstra wrote:

>   * Language change: The expression ${./path} ... now evaluates to a string
>     instead of a path.


That means such a file isn't copied into the store, and is included
as a plain ./path string, etc. Right?



BTW, I believe the hardlink concept is one of the worst original UNIX
features. COW copy would make sense, but hardlinks are usually more
trouble than they're worth.


Vlada


