2024-09-16 Nix team meeting minutes #178 / #177

2024-09-16 Nix team meeting minutes #178

Monday work session

Attendees: @edolstra @roberth @fricklerhandwerk @tomberek @Ericson2314

Sequoia update

NAR unpacking vulnerability post mortem

  • reviewed the draft

Bump 2.18 → 2.24 in Nixpkgs

  • still a regression on nix-serve, need to fix that before merging

Priorities

  • discussed priorities for the future
    • fix performance regressions in 2.24
      • packfiles: merged
      • tarball fingerprint fix: released
      • lazy paths: TBD
      • vague reports: not actionable until we receive a reproducer
    • finish the Meson transition
      • manual build via meson: TBD
      • test suite reliability (stale files): TBD

Post-meeting actions

  • @abathur and @emilazy have worked on an announcement for discourse
    => @fricklerhandwerk will check up on them

  • @roberth: looks into runtime missing symbol in nixosTests.nix-serve

2024-09-11 Nix team meeting minutes #177

Wednesday triaging meeting

Discussion of the recent disclosure; post mortem to be published

Is there any info on the nix-serve regressions? Didn’t see anything linked on the tracking issue for updating 2.18 → 2.24.

From this change:

--- a/nix-serve.psgi
+++ b/nix-serve.psgi
@@ -22,6 +22,7 @@ BEGIN {
 my $app = sub {
     my $env = shift;
     my $path = $env->{PATH_INFO};
+    my $store = Nix::Store->new();
 
     if ($path eq "/nix-cache-info") {
         return [200, ['Content-Type' => 'text/plain'], ["StoreDir: $Nix::Config::storeDir\nWantMassQuery: 1\nPriority: 30\n"]];
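
Review bot: `my $store = Nix::Store->new();` sits at the top of `$app`, so a store handle is constructed on every request, including `/nix-cache-info`, which never touches the store. Consider creating it lazily in the branches that call `queryPathFromHashPart`, and decide what the handler should return if `new()` fails, since nothing in this hunk catches that.
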
@@ -29,9 +30,9 @@ my $app = sub {
 
     elsif ($path =~ /^\/([0-9a-z]+)\.narinfo$/) {
         my $hashPart = $1;
-        my $storePath = queryPathFromHashPart($hashPart);
+        my $storePath = $store->queryPathFromHashPart($hashPart);
         return [404, ['Content-Type' => 'text/plain'], ["No such path.\n"]] unless $storePath;
-        my ($deriver, $narHash, $time, $narSize, $refs, $sigs) = queryPathInfo($storePath, 1) or die;
+        my ($deriver, $narHash, $time, $narSize, $refs, $sigs) = $store->queryPathInfo($storePath, 1) or die;
         $narHash =~ /^sha256:(.*)/ or die;
         my $narHash2 = $1;
         die unless length($narHash2) == 52;
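
Review bot: in the `.narinfo` branch the lines after `$store->queryPathInfo($storePath, 1)` still assume the old return format: `$narHash =~ /^sha256:(.*)/ or die` and `die unless length($narHash2) == 52`. Confirm that the method form treats the second argument `1` the same way the old function did; if it does not, every narinfo request ends in a bare `die`. Adding a message to those `die` calls would make such a mismatch visible in the log.
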
@@ -57,9 +58,9 @@ my $app = sub {
     elsif ($path =~ /^\/nar\/([0-9a-z]+)-([0-9a-z]+)\.nar$/) {
         my $hashPart = $1;
         my $expectedNarHash = $2;
-        my $storePath = queryPathFromHashPart($hashPart);
+        my $storePath = $store->queryPathFromHashPart($hashPart);
         return [404, ['Content-Type' => 'text/plain'], ["No such path.\n"]] unless $storePath;
-        my ($deriver, $narHash, $time, $narSize, $refs, $sigs) = queryPathInfo($storePath, 1) or die;
+        my ($deriver, $narHash, $time, $narSize, $refs, $sigs) = $store->queryPathInfo($storePath, 1) or die;
         return [404, ['Content-Type' => 'text/plain'], ["Incorrect NAR hash. Maybe the path has been recreated.\n"]]
             unless $narHash eq "sha256:$expectedNarHash";
         my $fh = new IO::Handle;
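
Review bot: in the `/nar/<hash>-<narhash>.nar` branch, `$store->queryPathInfo($storePath, 1) or die` carries no message, so an empty result from the store (for example a path removed after `queryPathFromHashPart` succeeded) aborts the request with nothing useful in the log. Return the same 404 "No such path." used on the line above, or die with `$storePath` in the message. The same lookup pair now appears in three branches and could move into one helper.
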
@@ -70,9 +71,9 @@ my $app = sub {
     # FIXME: remove soon.
     elsif ($path =~ /^\/nar\/([0-9a-z]+)\.nar$/) {
         my $hashPart = $1;
-        my $storePath = queryPathFromHashPart($hashPart);
+        my $storePath = $store->queryPathFromHashPart($hashPart);
         return [404, ['Content-Type' => 'text/plain'], ["No such path.\n"]] unless $storePath;
-        my ($deriver, $narHash, $time, $narSize, $refs) = queryPathInfo($storePath, 1) or die;
+        my ($deriver, $narHash, $time, $narSize, $refs) = $store->queryPathInfo($storePath, 1) or die;
         my $fh = new IO::Handle;
         open $fh, "-|", "nix", "dump-path", "--", $storePath;
         return [200, ['Content-Type' => 'text/plain', 'Content-Length' => $narSize], $fh];
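
Review bot: the unchanged line `open $fh, "-|", "nix", "dump-path", "--", $storePath;` in this hunk is the command the log that follows complains about: `dump-path` is a deprecated alias and the `nix` command requires the `nix-command` experimental feature. Switching to `nix-store --dump` would remove that dependency. Nothing checks whether the child produced any output either, so a failing command still returns a 200 with `Content-Length` set to `$narSize`, which is consistent with curl reporting bytes missing.
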

Though still errors with

       > machine # [    7.426781] nix-daemon[852]: accepted connection from pid 838, user nix-serve
       > machine # [    7.464875] nix-serve-start[856]: warning: 'dump-path' is a deprecated alias for 'store dump-path'
       > machine # [    7.467184] nix-serve-start[856]: error: experimental Nix feature 'nix-command' is disabled; add '--extra-experimental-features nix-command' to enable it
       > machine #   0  229k    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0  0  229k    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
       > machine # curl: (18) end of response with 234672 bytes missing
       > machine: output:
--- a/nixos/tests/nix-serve.nix
+++ b/nixos/tests/nix-serve.nix
@@ -2,6 +2,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
 {
   name = "nix-serve";
   nodes.machine = { pkgs, ... }: {
+    nix.settings.experimental-features = [ "nix-command" ];
     services.nix-serve.enable = true;
     environment.systemPackages = [
       pkgs.hello
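
Review bot: setting `nix.settings.experimental-features = [ "nix-command" ];` on the test machine makes the test pass but leaves `services.nix-serve.enable = true` failing on any host that has not enabled the feature, as the log above shows. Prefer fixing the invocation in nix-serve itself, or have the module pass the feature to the service, and keep the test on default settings so it catches this regression.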

test passes


Something that complicates matters is that the library version wasn’t bumped. UnU

our $VERSION = '0.15';


PR Ready
