Bump version

Merge pull request #6450 from NixOS/backport-6440-to-2.8-maintenance
[backport] libfetchers/git: hardcode `--git-dir`
2022-05-14 08:46:18 +02:00 · 2022-05-10 14:31:58 +02:00 · 2022-05-04 18:09:14 +02:00 · 2022-05-04 18:09:14 +02:00 · 2022-04-28 14:18:13 +02:00 · 2022-04-28 12:05:50 +00:00
8 changed files with 35 additions and 25 deletions
--- a/.version
+++ b/.version
@@ -1 +1 @@
-2.8.0
+2.8.1
--- a/doc/manual/src/SUMMARY.md.in
+++ b/doc/manual/src/SUMMARY.md.in
@@ -71,7 +71,6 @@
  - [Hacking](contributing/hacking.md)
  - [CLI guideline](contributing/cli-guideline.md)
 - [Release Notes](release-notes/release-notes.md)
-  - [Release X.Y (202?-??-??)](release-notes/rl-next.md)
  - [Release 2.8 (2022-04-19)](release-notes/rl-2.8.md)
  - [Release 2.7 (2022-03-07)](release-notes/rl-2.7.md)
  - [Release 2.6 (2022-01-24)](release-notes/rl-2.6.md)
--- a/flake.nix
+++ b/flake.nix
@@ -15,7 +15,7 @@
        then ""
        else "pre${builtins.substring 0 8 (self.lastModifiedDate or self.lastModified or "19700101")}_${self.shortRev or "dirty"}";

-      officialRelease = false;
+      officialRelease = true;

      linux64BitSystems = [ "x86_64-linux" "aarch64-linux" ];
      linuxSystems = linux64BitSystems ++ [ "i686-linux" ];
--- a/src/libfetchers/git.cc
+++ b/src/libfetchers/git.cc
@@ -21,9 +21,14 @@ namespace nix::fetchers {
 // old version of git, which will ignore unrecognized `-c` options.
 const std::string gitInitialBranch = "__nix_dummy_branch";

+static std::string getGitDir()
+{
+    return getEnv("GIT_DIR").value_or(".git");
+}
+
 static std::string readHead(const Path & path)
 {
-    return chomp(runProgram("git", true, { "-C", path, "rev-parse", "--abbrev-ref", "HEAD" }));
+    return chomp(runProgram("git", true, { "-C", path, "--git-dir", ".git", "rev-parse", "--abbrev-ref", "HEAD" }));
 }

 static bool isNotDotGitDirectory(const Path & path)
@@ -150,13 +155,14 @@ struct GitInputScheme : InputScheme
    {
        auto sourcePath = getSourcePath(input);
        assert(sourcePath);
+        auto gitDir = getGitDir();

        runProgram("git", true,
-            { "-C", *sourcePath, "add", "--force", "--intent-to-add", "--", std::string(file) });
+            { "-C", *sourcePath, "--git-dir", gitDir, "add", "--force", "--intent-to-add", "--", std::string(file) });

        if (commitMsg)
            runProgram("git", true,
-                { "-C", *sourcePath, "commit", std::string(file), "-m", *commitMsg });
+                { "-C", *sourcePath, "--git-dir", gitDir, "commit", std::string(file), "-m", *commitMsg });
    }

    std::pair<bool, std::string> getActualUrl(const Input & input) const
@@ -175,6 +181,7 @@ struct GitInputScheme : InputScheme
    std::pair<StorePath, Input> fetch(ref<Store> store, const Input & _input) override
    {
        Input input(_input);
+        auto gitDir = getGitDir();

        std::string name = input.getName();

@@ -237,7 +244,7 @@ struct GitInputScheme : InputScheme
               since that is the refrence we want to use later on. */
            auto result = runProgram(RunOptions {
                .program = "git",
-                .args = { "-C", actualUrl, "--git-dir=.git", "rev-parse", "--verify", "--no-revs", "HEAD^{commit}" },
+                .args = { "-C", actualUrl, "--git-dir", gitDir, "rev-parse", "--verify", "--no-revs", "HEAD^{commit}" },
                .environment = env,
                .mergeStderrToStdout = true
            });
@@ -259,7 +266,7 @@ struct GitInputScheme : InputScheme
                if (hasHead) {
                    // Using git diff is preferrable over lower-level operations here,
                    // because its conceptually simpler and we only need the exit code anyways.
-                    auto gitDiffOpts = Strings({ "-C", actualUrl, "diff", "HEAD", "--quiet"});
+                    auto gitDiffOpts = Strings({ "-C", actualUrl, "--git-dir", gitDir, "diff", "HEAD", "--quiet"});
                    if (!submodules) {
                        // Changes in submodules should only make the tree dirty
                        // when those submodules will be copied as well.
@@ -284,7 +291,7 @@ struct GitInputScheme : InputScheme
                if (fetchSettings.warnDirty)
                    warn("Git tree '%s' is dirty", actualUrl);

-                auto gitOpts = Strings({ "-C", actualUrl, "ls-files", "-z" });
+                auto gitOpts = Strings({ "-C", actualUrl, "--git-dir", gitDir, "ls-files", "-z" });
                if (submodules)
                    gitOpts.emplace_back("--recurse-submodules");

@@ -314,7 +321,7 @@ struct GitInputScheme : InputScheme
                // modified dirty file?
                input.attrs.insert_or_assign(
                    "lastModified",
-                    hasHead ? std::stoull(runProgram("git", true, { "-C", actualPath, "log", "-1", "--format=%ct", "--no-show-signature", "HEAD" })) : 0);
+                    hasHead ? std::stoull(runProgram("git", true, { "-C", actualPath, "--git-dir", gitDir, "log", "-1", "--format=%ct", "--no-show-signature", "HEAD" })) : 0);

                return {std::move(storePath), input};
            }
@@ -335,7 +342,7 @@ struct GitInputScheme : InputScheme

            if (!input.getRev())
                input.attrs.insert_or_assign("rev",
-                    Hash::parseAny(chomp(runProgram("git", true, { "-C", actualUrl, "rev-parse", *input.getRef() })), htSHA1).gitRev());
+                    Hash::parseAny(chomp(runProgram("git", true, { "-C", actualUrl, "--git-dir", gitDir, "rev-parse", *input.getRef() })), htSHA1).gitRev());

            repoDir = actualUrl;

@@ -351,6 +358,7 @@ struct GitInputScheme : InputScheme

            Path cacheDir = getCacheDir() + "/nix/gitv3/" + hashString(htSHA256, actualUrl).to_string(Base32, false);
            repoDir = cacheDir;
+            gitDir = ".";

            createDirs(dirOf(cacheDir));
            PathLocks cacheDirLock({cacheDir + ".lock"});
@@ -371,7 +379,7 @@ struct GitInputScheme : InputScheme
               repo. */
            if (input.getRev()) {
                try {
-                    runProgram("git", true, { "-C", repoDir, "cat-file", "-e", input.getRev()->gitRev() });
+                    runProgram("git", true, { "-C", repoDir, "--git-dir", gitDir, "cat-file", "-e", input.getRev()->gitRev() });
                    doFetch = false;
                } catch (ExecError & e) {
                    if (WIFEXITED(e.status)) {
@@ -406,7 +414,7 @@ struct GitInputScheme : InputScheme
                            : ref == "HEAD"
                                ? *ref
                                : "refs/heads/" + *ref;
-                    runProgram("git", true, { "-C", repoDir, "fetch", "--quiet", "--force", "--", actualUrl, fmt("%s:%s", fetchRef, fetchRef) });
+                    runProgram("git", true, { "-C", repoDir, "--git-dir", gitDir, "fetch", "--quiet", "--force", "--", actualUrl, fmt("%s:%s", fetchRef, fetchRef) });
                } catch (Error & e) {
                    if (!pathExists(localRefFile)) throw;
                    warn("could not update local clone of Git repository '%s'; continuing with the most recent version", actualUrl);
@@ -427,7 +435,7 @@ struct GitInputScheme : InputScheme
            // cache dir lock is removed at scope end; we will only use read-only operations on specific revisions in the remainder
        }

-        bool isShallow = chomp(runProgram("git", true, { "-C", repoDir, "rev-parse", "--is-shallow-repository" })) == "true";
+        bool isShallow = chomp(runProgram("git", true, { "-C", repoDir, "--git-dir", gitDir, "rev-parse", "--is-shallow-repository" })) == "true";

        if (isShallow && !shallow)
            throw Error("'%s' is a shallow Git repository, but a non-shallow repository is needed", actualUrl);
@@ -447,7 +455,7 @@ struct GitInputScheme : InputScheme

        auto result = runProgram(RunOptions {
            .program = "git",
-            .args = { "-C", repoDir, "cat-file", "commit", input.getRev()->gitRev() },
+            .args = { "-C", repoDir, "--git-dir", gitDir, "cat-file", "commit", input.getRev()->gitRev() },
            .mergeStderrToStdout = true
        });
        if (WEXITSTATUS(result.first) == 128
@@ -486,7 +494,7 @@ struct GitInputScheme : InputScheme
            auto source = sinkToSource([&](Sink & sink) {
                runProgram2({
                    .program = "git",
-                    .args = { "-C", repoDir, "archive", input.getRev()->gitRev() },
+                    .args = { "-C", repoDir, "--git-dir", gitDir, "archive", input.getRev()->gitRev() },
                    .standardOut = &sink
                });
            });
@@ -496,7 +504,7 @@ struct GitInputScheme : InputScheme

        auto storePath = store->addToStore(name, tmpDir, FileIngestionMethod::Recursive, htSHA256, filter);

-        auto lastModified = std::stoull(runProgram("git", true, { "-C", repoDir, "log", "-1", "--format=%ct", "--no-show-signature", input.getRev()->gitRev() }));
+        auto lastModified = std::stoull(runProgram("git", true, { "-C", repoDir, "--git-dir", gitDir, "log", "-1", "--format=%ct", "--no-show-signature", input.getRev()->gitRev() }));

        Attrs infoAttrs({
            {"rev", input.getRev()->gitRev()},
@@ -505,7 +513,7 @@ struct GitInputScheme : InputScheme

        if (!shallow)
            infoAttrs.insert_or_assign("revCount",
-                std::stoull(runProgram("git", true, { "-C", repoDir, "rev-list", "--count", input.getRev()->gitRev() })));
+                std::stoull(runProgram("git", true, { "-C", repoDir, "--git-dir", gitDir, "rev-list", "--count", input.getRev()->gitRev() })));

        if (!_input.getRev())
            getCache()->add(
--- a/src/libstore/build/derivation-goal.cc
+++ b/src/libstore/build/derivation-goal.cc
@@ -786,8 +786,7 @@ void runPostBuildHook(
    Store & store,
    Logger & logger,
    const StorePath & drvPath,
-    StorePathSet outputPaths
-)
+    const StorePathSet & outputPaths)
 {
    auto hook = settings.postBuildHook;
    if (hook == "")
@@ -906,7 +905,7 @@ void DerivationGoal::buildDone()
        auto builtOutputs = registerOutputs();

        StorePathSet outputPaths;
-        for (auto & [_, output] : buildResult.builtOutputs)
+        for (auto & [_, output] : builtOutputs)
            outputPaths.insert(output.outPath);
        runPostBuildHook(
            worker.store,
--- a/tests/fmt.sh
+++ b/tests/fmt.sh
@@ -25,6 +25,6 @@ cat << EOF > flake.nix
 EOF
 nix fmt ./file ./folder | grep 'Formatting: ./file ./folder'
 nix flake check
-nix flake show | grep -P 'x86_64-linux|x86_64-darwin'
+nix flake show | grep -P "package 'formatter'"

 clearStore
--- a/tests/post-hook.sh
+++ b/tests/post-hook.sh
@@ -9,12 +9,12 @@ echo 'require-sigs = false' >> $NIX_CONF_DIR/nix.conf

 restartDaemon

-# Build the dependencies and push them to the remote store
+# Build the dependencies and push them to the remote store.
 nix-build -o $TEST_ROOT/result dependencies.nix --post-build-hook $PWD/push-to-store.sh

 clearStore

-# Ensure that we the remote store contains both the runtime and buildtime
-# closure of what we've just built
+# Ensure that the remote store contains both the runtime and build-time
+# closure of what we've just built.
 nix copy --from "$REMOTE_STORE" --no-require-sigs -f dependencies.nix
 nix copy --from "$REMOTE_STORE" --no-require-sigs -f dependencies.nix input1_drv
--- a/tests/push-to-store.sh
+++ b/tests/push-to-store.sh
@@ -1,6 +1,10 @@
 #!/bin/sh

 set -x
+set -e
+
+[ -n "$OUT_PATHS" ]
+[ -n "$DRV_PATH" ]

 echo Pushing "$OUT_PATHS" to "$REMOTE_STORE"
 printf "%s" "$DRV_PATH" | xargs nix copy --to "$REMOTE_STORE" --no-require-sigs
Author	SHA1	Message	Date
Eelco Dolstra	65cd26eebb	Bump version	2022-05-14 08:46:18 +02:00
Théophane Hufschmitt	780c7731cd	Merge pull request #6450 from NixOS/backport-6440-to-2.8-maintenance [backport] libfetchers/git: hardcode `--git-dir`	2022-05-10 14:31:58 +02:00
Eelco Dolstra	812280b23a	Style fixes (cherry picked from commit `61289ceee3`)	2022-05-04 18:09:14 +02:00
Maximilian Bosch	813a02c7ab	libfetchers/git: fix every occasion of a permission error I'm afraid I missed a few problematic `git(1)`-calls while implementing PR #6440, sorry for that! Upon investigating what went wrong, I realized that I only tested against the "cached"-case by accident because my git-checkout with my system's flake was apparently cached during my debugging. I managed to trigger the original issue again by running: $ git commit --allow-empty -m "tmp" $ sudo nixos-rebuild switch --flake .# -L --builders '' Since `repoDir` points to the checkout that's potentially owned by another user, I decided to add `--git-dir` to each call affecting `repoDir`. Since the `tmpDir` for the temporary submodule-checkout is created by Nix itself, it doesn't seem to be an issue. Sorry for that, it should be fine now. (cherry picked from commit `1849e6a1f6`)	2022-05-04 18:09:14 +02:00
Eelco Dolstra	54555fab54	Merge pull request #6460 from NixOS/backport-6459-to-2.8-maintenance [Backport 2.8-maintenance] Fix passing $OUT_PATHS to the post-build hook	2022-04-28 14:18:13 +02:00
Eelco Dolstra	6e7bd2e0b0	Fix passing $OUT_PATHS to the post-build hook Fixes #6446. (cherry picked from commit `4a9623b129`)	2022-04-28 12:05:50 +00:00
Maximilian Bosch	23c8d1743c	libfetchers/git: fix for nixos-rebuild The `--git-dir=` must be `.` in some cases (for cached repos that are "bare" repos in `~/.cache/nix/gitv3`). With this fix we can add `--git-dir` to each `git`-invokation needed for `nixos-rebuild`. (cherry picked from commit `d1f5356311`)	2022-04-27 16:36:42 +02:00
Maximilian Bosch	274a63be37	libfetchers/git: hardcode `--git-dir` To demonstrate the problem: * You need a `git` at 2.33.3 in your $PATH * An expression like this in a git repository: ``` nix { outputs = { self, nixpkgs }: { packages.foo.x86_64-linux = with nixpkgs.legacyPackages.x86_64-linux; runCommand "snens" { } '' echo ${(builtins.fetchGit ./.).lastModifiedDate} > $out ''; }; } ``` Now, when instantiating the package via `builtins.getFlake`, it fails on Nix 2.7 like this: $ nix-instantiate -E '(builtins.getFlake "'"$(pwd)"'").packages.foo.x86_64-linux' fatal: unsafe repository ('/nix/store/a7j3125km4h8l0p71q6ssfkxamfh5d61-source' is owned by someone else) To add an exception for this directory, call: git config --global --add safe.directory /nix/store/a7j3125km4h8l0p71q6ssfkxamfh5d61-source error: program 'git' failed with exit code 128 (use '--show-trace' to show detailed location information) This breaks e.g. `nixops`-deployments using flakes with similar expressions as shown above. The cause for this is that `git(1)` tries to find the highest `.git`-directory in the directory tree and if it finds a such a directory, but with another owning user (root vs. the user who evaluates the expression), it fails as above. This was changed recently to fix CVE-2022-24765[1]. By explicitly specifying `--git-dir`, Git assumes to be in the top-level directory and doesn't attempt to look for a `.git`-directory in the parent directories and thus the code-path leading to said error is never reached. [1] https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/ (cherry picked from commit `0256e5578e`)	2022-04-27 16:36:42 +02:00
Eelco Dolstra	69c6fb12ee	Fix 'nix fmt' test (cherry picked from commit `a3c843e635`)	2022-04-19 21:47:46 +02:00
Eelco Dolstra	86c07fcf2d	Mark official release	2022-04-19 21:13:51 +02:00
@@ -1 +1 @@
 .8.0
 .8.1