It's broken at the moment: https://hydra.nixos.org/build/105746055
Also it pulls in GHC which is a pretty big dependency.
(cherry picked from commit b4e260d887441fde9ab568dff7c21a77d7cff904)
- At the top of the release notes, we announce sandboxing is now enabled by default,
then at the bottom it says it's now disabled when missing kernel support. These
can be merged into one point for clarity.
- The point about `max-jobs` defaulting to 1 appears unrelated to sandboxing.
(cherry picked from commit 5d24e18e29ea1fff8fa316701fd95be6941da770)
Otherwise `chmod .`'ing the build directory doesn't work anymore, which
is done in nixpkgs if sourceRoot is set to '.'.
(cherry picked from commit f8dbde0813c4e8beed6dfd09b093589e027a6675)
This prevents them from being inlined. On gcc 9, this reduces the
stack size needed for
nix-instantiate '<nixpkgs>' -A texlive.combined.scheme-full --dry-run
from 12.9 MiB to 4.8 MiB.
(cherry picked from commit cb90e382b5b6e177ea902b3909fd1897643ae3cd)
If the user invokes nix with --trace-function-calls it means that they
want to see the trace.
(cherry picked from commit 619cc4af855fab7b0400586a4fd40745b23e72ad)
`s3:ListObjects` isn't a real IAM action, but _is_ the name of an S3 API method. `s3:ListBucket` is the relevant action for that method.
https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html
(cherry picked from commit c92ea927e508f3c06b6b3ee68e1f0565264cac2c)
We're calling `wait4path` on the full, resolved `@bindir@/nix-daemon` path.
That means we're hardcoding something like:
/bin/wait4path /nix/store/zs9c5xhp3zv9p23qnjxp87nl5injsi1i-nix-2.3/bin/nix-daemon && /nix/var/nix/profiles/default/bin/nix-daemon
That seems unnecessarily fragile.
It might be better to wait4path on the path we intend to call.
(cherry picked from commit 8c4a5e7ba1990348b9497c0fc4dc236dda3e7986)
On Catalina, the /nix filesystem might not be mounted at start time.
To avoid this service not starting, we need to keep the launch agent
outside of the Nix store. A wait4pid will hold for our /nix dir to be
mounted.
Fixes#3125.
(cherry picked from commit 0847f2f1b3145a62dc34707ba788275ce6b6fc57)
The tmpDirInSandbox is different when in sandboxed vs. non-sandboxed.
Since we don’t know ahead of time here whether sandboxing is enabled,
we need to reset all of the env vars we’ve set previously. This fixes
the issue encountered in https://github.com/NixOS/nixpkgs/issues/70856.
(cherry picked from commit 499b0388759db0f9f385da402a4bba551268aa99)
The intent of the code was that if the window size cannot be determined,
it would be treated as having the maximum possible size. Because of a
missing assignment, it was actually treated as having a width of 0.
The reason the width could not be determined was because it was obtained
from stdout, not stderr, even though the printing was done to stderr.
This commit addresses both issues.
(cherry picked from commit c935ad3f025d5c3d8026711a1eb50b2917b61d59)
The FunctionCallTrace object consumes a few hundred bytes of stack
space, even when tracing is disabled. This was causing stack overflows:
$ nix-instantiate '<nixpkgs> -A texlive.combined.scheme-full --dry-run
error: stack overflow (possible infinite recursion)
This is with the default stack size of 8 MiB.
Putting the object on the heap reduces stack usage to < 5 MiB.
(cherry picked from commit 98ef11677c43db9aa669768d9f0cbec704e8831c)
700 is pointless since the store is world-readable anyway. And
per-user/root/channels must be world-readable.
(cherry picked from commit d7bae5680fc26303acb9a9ee1a202f537841a624)
'nix-daemon' now creates subdirectories for users when they first
connect.
Fixes#509 (CVE-2019-17365).
Should also fix#3127.
(cherry picked from commit 5a303093dcae1e5ce9212616ef18f2ca51020b0d)
Otherwise, builds like NixOS VM tests may leave the terminal in a
weird state and do resets.
(cherry picked from commit 4331eeb13d241dfe2d2e6a01c53915c556cac94f)
