Merge pull request #13458 from NixOS/mergify/bp/2.30-maintenance/pr-13455

Address ifdef problem with macOS/BSD sandboxing (backport #13455)
CI: Roll nix version to 2.29.1
2025-07-12 08:55:18 +02:00 · 2025-07-11 23:09:58 +00:00 · 2025-07-11 23:09:58 +00:00 · 2025-07-11 22:16:10 +03:00 · 2025-07-11 18:26:57 +00:00 · 2025-07-10 21:11:33 +02:00
19 changed files with 104 additions and 24 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,6 +14,8 @@ jobs:
      with:
        fetch-depth: 0
    - uses: cachix/install-nix-action@v31
+      with:
+        install_url: "https://releases.nixos.org/nix/nix-2.29.1/install"
    - run: nix --experimental-features 'nix-command flakes' flake show --all-systems --json

  tests:
@@ -36,6 +38,7 @@ jobs:
        fetch-depth: 0
    - uses: cachix/install-nix-action@v31
      with:
+        install_url: "https://releases.nixos.org/nix/nix-2.29.1/install"
        # The sandbox would otherwise be disabled by default on Darwin
        extra_nix_config: |
          sandbox = true
--- a/.version
+++ b/.version
@@ -1 +1 @@
-2.30.0
+2.30.1
--- a/docker.nix
+++ b/docker.nix
@@ -184,11 +184,14 @@ let
      } " = ";
    };

-  nixConfContents = toConf {
-    sandbox = false;
-    build-users-group = "nixbld";
-    trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
-  };
+  nixConfContents = toConf (
+    {
+      sandbox = false;
+      build-users-group = "nixbld";
+      trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
+    }
+    // nixConf
+  );

  userHome = if uid == 0 then "/root" else "/home/${uname}";

--- a/flake.nix
+++ b/flake.nix
@@ -32,7 +32,7 @@
    let
      inherit (nixpkgs) lib;

-      officialRelease = false;
+      officialRelease = true;

      linux32BitSystems = [ "i686-linux" ];
      linux64BitSystems = [
--- a/scripts/install-multi-user.sh
+++ b/scripts/install-multi-user.sh
@@ -834,8 +834,13 @@ install_from_extracted_nix() {
    (
        cd "$EXTRACTED_NIX_PATH"

-        _sudo "to copy the basic Nix files to the new store at $NIX_ROOT/store" \
-              cp -RPp ./store/* "$NIX_ROOT/store/"
+        if is_os_darwin; then
+            _sudo "to copy the basic Nix files to the new store at $NIX_ROOT/store" \
+                  cp -RPp ./store/* "$NIX_ROOT/store/"
+        else
+            _sudo "to copy the basic Nix files to the new store at $NIX_ROOT/store" \
+                  cp -RP --preserve=ownership,timestamps ./store/* "$NIX_ROOT/store/"
+        fi

        _sudo "to make the new store non-writable at $NIX_ROOT/store" \
              chmod -R ugo-w "$NIX_ROOT/store/"
--- a/scripts/install-nix-from-tarball.sh
+++ b/scripts/install-nix-from-tarball.sh
@@ -167,7 +167,11 @@ for i in $(cd "$self/store" >/dev/null && echo ./*); do
        rm -rf "$i_tmp"
    fi
    if ! [ -e "$dest/store/$i" ]; then
-        cp -RPp "$self/store/$i" "$i_tmp"
+        if [ "$(uname -s)" = "Darwin" ]; then
+            cp -RPp "$self/store/$i" "$i_tmp"
+        else
+            cp -RP --preserve=ownership,timestamps "$self/store/$i" "$i_tmp"
+        fi
        chmod -R a-w "$i_tmp"
        chmod +w "$i_tmp"
        mv "$i_tmp" "$dest/store/$i"
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@@ -1602,7 +1602,7 @@ void EvalState::callFunction(Value & fun, std::span<Value *> args, Value & vRes,
                                             symbols[i.name])
                                    .atPos(lambda.pos)
                                    .withTrace(pos, "from call site")
-                                    .withFrame(*fun.lambda().env, lambda)
+                                    .withFrame(*vCur.lambda().env, lambda)
                                    .debugThrow();
                        }
                        env2.values[displ++] = i.def->maybeThunk(*this, env2);
@@ -1629,7 +1629,7 @@ void EvalState::callFunction(Value & fun, std::span<Value *> args, Value & vRes,
                                .atPos(lambda.pos)
                                .withTrace(pos, "from call site")
                                .withSuggestions(suggestions)
-                                .withFrame(*fun.lambda().env, lambda)
+                                .withFrame(*vCur.lambda().env, lambda)
                                .debugThrow();
                        }
                    unreachable();
--- a/src/libexpr/primops/fetchClosure.cc
+++ b/src/libexpr/primops/fetchClosure.cc
@@ -124,7 +124,7 @@ static void prim_fetchClosure(EvalState & state, const PosIdx pos, Value * * arg
    for (auto & attr : *args[0]->attrs()) {
        const auto & attrName = state.symbols[attr.name];
        auto attrHint = [&]() -> std::string {
-            return "while evaluating the '" + attrName + "' attribute passed to builtins.fetchClosure";
+            return fmt("while evaluating the attribute '%s' passed to builtins.fetchClosure", attrName);
        };

        if (attrName == "fromPath") {
--- a/src/libflake/flake.cc
+++ b/src/libflake/flake.cc
@@ -715,16 +715,12 @@ LockedFlake lockFlake(
                            Finally cleanup([&]() { parents.pop_back(); });

                            /* Recursively process the inputs of this
-                               flake. Also, unless we already have this flake
-                               in the top-level lock file, use this flake's
-                               own lock file. */
+                               flake, using its own lock file. */
                            nodePaths.emplace(childNode, inputFlake.path.parent());
                            computeLocks(
                                inputFlake.inputs, childNode, inputAttrPath,
-                                oldLock
-                                ? std::dynamic_pointer_cast<const Node>(oldLock)
-                                : readLockFile(state.fetchSettings, inputFlake.lockFilePath()).root.get_ptr(),
-                                oldLock ? followsPrefix : inputAttrPath,
+                                readLockFile(state.fetchSettings, inputFlake.lockFilePath()).root.get_ptr(),
+                                inputAttrPath,
                                inputFlake.path,
                                false);
                        }
--- a/src/libstore/unix/user-lock.cc
+++ b/src/libstore/unix/user-lock.cc
@@ -197,7 +197,7 @@ bool useBuildUsers()
    #ifdef __linux__
    static bool b = (settings.buildUsersGroup != "" || settings.autoAllocateUids) && isRootUser();
    return b;
-    #elif defined(__APPLE__) && defined(__FreeBSD__)
+    #elif defined(__APPLE__) || defined(__FreeBSD__)
    static bool b = settings.buildUsersGroup != "" && isRootUser();
    return b;
    #else
--- a/tests/functional/flakes/flakes.sh
+++ b/tests/functional/flakes/flakes.sh
@@ -432,3 +432,41 @@ nix flake metadata "$flake2Dir" --reference-lock-file $TEST_ROOT/flake2-overridd

 # reference-lock-file can only be used if allow-dirty is set.
 expectStderr 1 nix flake metadata "$flake2Dir" --no-allow-dirty --reference-lock-file $TEST_ROOT/flake2-overridden.lock
+
+# After changing an input (flake2 from newFlake2Rev to prevFlake2Rev), we should have the transitive inputs locked by revision $prevFlake2Rev of flake2.
+prevFlake1Rev=$(nix flake metadata --json "$flake1Dir" | jq -r .revision)
+prevFlake2Rev=$(nix flake metadata --json "$flake2Dir" | jq -r .revision)
+
+echo "# bla" >> "$flake1Dir/flake.nix"
+git -C "$flake1Dir" commit flake.nix -m 'bla'
+
+nix flake update --flake "$flake2Dir"
+git -C "$flake2Dir" commit flake.lock -m 'bla'
+
+newFlake1Rev=$(nix flake metadata --json "$flake1Dir" | jq -r .revision)
+newFlake2Rev=$(nix flake metadata --json "$flake2Dir" | jq -r .revision)
+
+cat > "$flake3Dir/flake.nix" <<EOF
+{
+  inputs.flake2.url = "flake:flake2/master/$newFlake2Rev";
+
+  outputs = { self, flake2 }: {
+  };
+}
+EOF
+git -C "$flake3Dir" commit flake.nix -m 'bla'
+
+rm "$flake3Dir/flake.lock"
+nix flake lock "$flake3Dir"
+[[ "$(nix flake metadata --json "$flake3Dir" | jq -r .locks.nodes.flake1.locked.rev)" = $newFlake1Rev ]]
+
+cat > "$flake3Dir/flake.nix" <<EOF
+{
+  inputs.flake2.url = "flake:flake2/master/$prevFlake2Rev";
+
+  outputs = { self, flake2 }: {
+  };
+}
+EOF
+
+[[ "$(nix flake metadata --json "$flake3Dir" | jq -r .locks.nodes.flake1.locked.rev)" = $prevFlake1Rev ]]
--- a/tests/functional/lang/eval-fail-missing-arg-import.err.exp
+++ b/tests/functional/lang/eval-fail-missing-arg-import.err.exp
@@ -0,0 +1,12 @@
+error:
+       … from call site
+         at /pwd/lang/eval-fail-missing-arg-import.nix:1:1:
+            1| import ./non-eval-trivial-lambda-formals.nix { }
+             | ^
+            2|
+
+       error: function 'anonymous lambda' called without required argument 'a'
+       at /pwd/lang/non-eval-trivial-lambda-formals.nix:1:1:
+            1| { a }: a
+             | ^
+            2|
--- a/tests/functional/lang/eval-fail-missing-arg-import.nix
+++ b/tests/functional/lang/eval-fail-missing-arg-import.nix
@@ -0,0 +1 @@
+import ./non-eval-trivial-lambda-formals.nix { }
--- a/tests/functional/lang/eval-fail-undeclared-arg-import.err.exp
+++ b/tests/functional/lang/eval-fail-undeclared-arg-import.err.exp
@@ -0,0 +1,13 @@
+error:
+       … from call site
+         at /pwd/lang/eval-fail-undeclared-arg-import.nix:1:1:
+            1| import ./non-eval-trivial-lambda-formals.nix {
+             | ^
+            2|   a = "a";
+
+       error: function 'anonymous lambda' called with unexpected argument 'b'
+       at /pwd/lang/non-eval-trivial-lambda-formals.nix:1:1:
+            1| { a }: a
+             | ^
+            2|
+       Did you mean a?
--- a/tests/functional/lang/eval-fail-undeclared-arg-import.nix
+++ b/tests/functional/lang/eval-fail-undeclared-arg-import.nix
@@ -0,0 +1,4 @@
+import ./non-eval-trivial-lambda-formals.nix {
+  a = "a";
+  b = "b";
+}
--- a/tests/functional/lang/non-eval-trivial-lambda-formals.nix
+++ b/tests/functional/lang/non-eval-trivial-lambda-formals.nix
@@ -0,0 +1 @@
+{ a }: a
--- a/tests/nixos/github-flakes.nix
+++ b/tests/nixos/github-flakes.nix
@@ -81,7 +81,7 @@ let
    mkdir -p $out/archive

    dir=NixOS-nixpkgs-${nixpkgs.shortRev}
-    cp -prd ${nixpkgs} $dir
+    cp -rd --preserve=ownership,timestamps ${nixpkgs} $dir
    # Set the correct timestamp in the tarball.
    find $dir -print0 | xargs -0 touch -h -t ${builtins.substring 0 12 nixpkgs.lastModifiedDate}.${
      builtins.substring 12 2 nixpkgs.lastModifiedDate
--- a/tests/nixos/sourcehut-flakes.nix
+++ b/tests/nixos/sourcehut-flakes.nix
@@ -48,7 +48,7 @@ let

  nixpkgs-repo = pkgs.runCommand "nixpkgs-flake" { } ''
    dir=NixOS-nixpkgs-${nixpkgs.shortRev}
-    cp -prd ${nixpkgs} $dir
+    cp -rd --preserve=ownership,timestamps ${nixpkgs} $dir

    # Set the correct timestamp in the tarball.
    find $dir -print0 | xargs -0 touch -h -t ${builtins.substring 0 12 nixpkgs.lastModifiedDate}.${
--- a/tests/nixos/tarball-flakes.nix
+++ b/tests/nixos/tarball-flakes.nix
@@ -13,7 +13,7 @@ let

    set -x
    dir=nixpkgs-${nixpkgs.shortRev}
-    cp -prd ${nixpkgs} $dir
+    cp -rd --preserve=ownership,timestamps ${nixpkgs} $dir
    # Set the correct timestamp in the tarball.
    find $dir -print0 | xargs -0 touch -h -t ${builtins.substring 0 12 nixpkgs.lastModifiedDate}.${
      builtins.substring 12 2 nixpkgs.lastModifiedDate
Author	SHA1	Message	Date
Eelco Dolstra	857365c859	Merge pull request #13458 from NixOS/mergify/bp/2.30-maintenance/pr-13455 Address ifdef problem with macOS/BSD sandboxing (backport #13455)	2025-07-12 08:55:18 +02:00
gustavderdrache	9497b593c6	CI: Roll nix version to 2.29.1 This works around the macOS issue that the prior commit addresses. (cherry picked from commit `8e5814d972`)	2025-07-11 23:09:58 +00:00
gustavderdrache	1cf202650a	Address ifdef problem with macOS/BSD sandboxing (cherry picked from commit `e2ef2cfcbc`)	2025-07-11 23:09:58 +00:00
Sergei Zimmerman	eb3c004972	Merge pull request #13453 from NixOS/mergify/bp/2.30-maintenance/pr-13450	2025-07-11 22:16:10 +03:00
Sergei Zimmerman	382e25405a	libexpr: Fix invalid handling of errors for imported functions `c39cc00404` has added assertions for all Value accesses and the following case has started failing with an `unreachable`: (/tmp/fun.nix): ```nix {a}: a ``` ``` $ nix eval --impure --expr 'import /tmp/fun.nix {a="a";b="b";}' ``` This would crash: ``` terminating due to unexpected unrecoverable internal error: Unexpected condition in getStorage at ../include/nix/expr/value.hh:844 ``` This is not a regression, but rather surfaces an existing problem, which previously was left undiagnosed. In the case of an import `fun` is the `import` primOp, so that read is invalid and previously this resulted in an access into an inactive union member, which is UB. The correct thing to use is `vCur`. Identical problem also affected the case of a missing argument. Add previously failing test cases to the functional/lang test suite. Fixes #13448. (cherry picked from commit `6e78cc90d3`)	2025-07-11 18:26:57 +00:00
Eelco Dolstra	c8cab890fa	Merge pull request #13446 from NixOS/mergify/bp/2.30-maintenance/pr-13441 fetchClosure: Fix gcc warning (backport #13441)	2025-07-10 21:11:33 +02:00
Eelco Dolstra	7119d594fc	fetchClosure: Fix gcc warning Fixes: [261/394] Linking target src/libexpr/libnixexpr.so In function ‘copy’, inlined from ‘__ct ’ at /nix/store/24sdvjs6rfqs69d21gdn437mb3vc0svh-gcc-14.2.1.20250322/include/c++/14.2.1.20250322/bits/basic_string.h:688:23, inlined from ‘operator+’ at /nix/store/24sdvjs6rfqs69d21gdn437mb3vc0svh-gcc-14.2.1.20250322/include/c++/14.2.1.20250322/bits/basic_string.h:3735:43, inlined from ‘operator()’ at ../src/libexpr/primops/fetchClosure.cc:127:58, inlined from ‘prim_fetchClosure’ at ../src/libexpr/primops/fetchClosure.cc:132:88: /nix/store/24sdvjs6rfqs69d21gdn437mb3vc0svh-gcc-14.2.1.20250322/include/c++/14.2.1.20250322/bits/char_traits.h:427:56: warning: ‘__builtin_memcpy’ writing 74 bytes into a region of size 16 overflows the destination [-Wstringop-overflow=] 427 \| return static_cast<char_type>(__builtin_memcpy(__s1, __s2, __n)); \| ^ ../src/libexpr/primops/fetchClosure.cc: In function ‘prim_fetchClosure’: ../src/libexpr/primops/fetchClosure.cc:132:88: note: at offset 16 into destination object ‘<anonymous>’ of size 32 132 \| fromPath = state.coerceToStorePath(attr.pos, attr.value, context, attrHint()); \| ^ (cherry picked from commit `aa18dc54dc`)	2025-07-10 18:33:39 +00:00
tomberek	f880135ff8	Merge pull request #13439 from NixOS/mergify/bp/2.30-maintenance/pr-13437 lockFlake(): When updating a lock, respect the input's lock file (backport #13437)	2025-07-10 01:03:55 -04:00
Eelco Dolstra	37487eec8e	lockFlake(): When updating a lock, respect the input's lock file (cherry picked from commit `95437b90fc`)	2025-07-10 04:29:39 +00:00
mergify[bot]	ed8f7df56d	Merge pull request #13436 from NixOS/mergify/bp/2.30-maintenance/pr-13435 docker: fix nixConf (backport #13435)	2025-07-09 09:50:14 +00:00
h0nIg	8b0cfaed9b	docker: fix nixConf - fmt (cherry picked from commit `9857c0bb52`)	2025-07-09 09:18:28 +00:00
h0nIg	dcc4b7c6fd	docker: fix nixConf (cherry picked from commit `8a1f471b66`)	2025-07-09 09:18:27 +00:00
Eelco Dolstra	65b9e019dd	Merge pull request #13430 from NixOS/mergify/bp/2.30-maintenance/pr-13427 installers, tests: remove --preserve=mode from cp invocations (backport #13427)	2025-07-08 18:02:58 +02:00
John Soo	48c7e5e14f	installers, tests: remove --preserve=mode from cp invocations -p preserves xattrs and acls which can be incompatible between filesystems Unfortunately keep -p on darwin because the bsd coreutils do not support --preserve. Fixes #13426 (cherry picked from commit `87299e466d`)	2025-07-08 15:10:41 +00:00
Eelco Dolstra	f7c95fde88	Bump version	2025-07-08 16:14:06 +02:00
Eelco Dolstra	812e069302	Mark official release	2025-07-07 17:36:13 +02:00
@@ -1 +1 @@
 .30.0
 .30.1
				`@@ -0,0 +1 @@`
				`import ./non-eval-trivial-lambda-formals.nix { }`