Hi,
I’m pleased to announce the availability of Nix 2.27. It is available from https://releases.nixos.org/?prefix=nix/nix-2.27.0/ .
Release notes:
`inputs.self.submodules` flake attribute #12421
Flakes in Git repositories can now declare that they need Git submodules to be enabled:
```nix
{
  inputs.self.submodules = true;
}
```
Thus, it’s no longer needed for the caller of the flake to pass `submodules = true`.
Git LFS support #10153 #12468
The Git fetcher now supports Large File Storage (LFS). This can be enabled by passing the attribute `lfs = true` to the fetcher, e.g.
```shell
nix flake prefetch 'git+ssh://git@github.com/Apress/repo-with-large-file-storage.git?lfs=1'
```
A flake can also declare that it requires LFS to be enabled:
```nix
{
  inputs.self.lfs = true;
}
```
Author: @b-camacho, @kip93
Handle the case where a chroot store is used and some inputs are in the “host” `/nix/store` #12512
The evaluator now presents a “union” filesystem view of the `/nix/store` in the host and the chroot.
This change also removes some hacks that broke `builtins.{path,filterSource}` in chroot stores #11503.
`nix flake prefetch` now has a `--out-link` option #12443
Set `FD_CLOEXEC` on sockets created by curl #12439
Curl created sockets without setting `FD_CLOEXEC`/`SOCK_CLOEXEC`. This could previously cause connections to remain open forever when using commands like `nix shell`. This change sets the `FD_CLOEXEC` flag using a `CURLOPT_SOCKOPTFUNCTION` callback.
Contributors
This release was made possible by the following 21 contributors:
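The `FD_CLOEXEC` item in the release notes above, as an added C example (not part of the original post and not Nix's own code): a callback with the shape of a `CURLOPT_SOCKOPTFUNCTION` handler that marks a socket close-on-exec, plus a hypothetical audit helper that counts descriptors an exec'd child would inherit. Plain `int` types stand in for libcurl's `curl_socket_t` and `curlsocktype` so it builds without libcurl, and all function names are assumptions.

```c
#include <fcntl.h>
#include <stddef.h>
#include <sys/socket.h>
#include <unistd.h>

/* Shape of a libcurl socket-option callback:
 *   int cb(void *clientp, curl_socket_t fd, curlsocktype purpose)
 * Returns 0 (CURL_SOCKOPT_OK) or 1 (CURL_SOCKOPT_ERROR). */
int cloexec_sockopt_cb(void *clientp, int fd, int purpose)
{
    (void)clientp;
    (void)purpose;
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return 1;
    /* OR the flag in so any other descriptor flags are preserved. */
    if (fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == -1)
        return 1;
    return 0;
}

/* 1 if fd would stay open in an exec'd child, 0 if it is close-on-exec,
 * -1 if fd is not an open descriptor. */
int survives_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Audit helper: count open descriptors in [lo, hi) a child would inherit. */
int count_inheritable(int lo, int hi)
{
    int n = 0;
    for (int fd = lo; fd < hi; fd++)
        if (survives_exec(fd) == 1)
            n++;
    return n;
}

/* Constructed demo: a socket created without SOCK_CLOEXEC, checked before
 * and after the callback runs. Returns 0 when the flag ends up set. */
int demo(void)
{
    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s == -1)
        return -1;
    int before = survives_exec(s);
    int rc = cloexec_sockopt_cb(NULL, s, 0);
    int after = survives_exec(s);
    close(s);
    return (before == 1 && rc == 0 && after == 0) ? 0 : 1;
}

int main(void) { return demo(); }
```

With libcurl, a callback of this shape is registered through `curl_easy_setopt(handle, CURLOPT_SOCKOPTFUNCTION, cb)`; on platforms that support it, passing `SOCK_CLOEXEC` to `socket()` sets the flag atomically at creation instead.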
https://github.com/NixOS/nix/issue/11503
https://github.com/NixOS/nix/issue/12443
should be
opened 05:30PM - 15 Sep 24 UTC
closed 12:47AM - 20 Feb 25 UTC
bug
**Describe the bug**
The built-in functions `builtins.path` or `builtins.filterSource` both accept a root path and a filter function. The filter function is then called with subpaths of the root path as argument. Under certain circumstances, those subpaths are in fact *not* subpaths of the root path. As far as I could investigate, this happens if
* the `--store` argument is used to point to another store that is not the "canonical" store ("canonical" usually is `/nix/store`),
* the nix file that is evaluated and that contains the call to a built-in function is itself positioned in the "canonical" nix store,
* the root directory points to `./.`, and
* the derivation that contains the nix file is also present in the other nix store.
Note that these circumstances are usually given when you install NixOS from a live iso with `nixos-install`: Most nix files involved are contained in the `nixos` channel, which is somewhere in `/nix/store`. This channel is copied to `/mnt/nix/store` by `nixos-install` before anything else is done.
**Steps To Reproduce**
Put these two files in the same directory, then execute `test.sh` (this expects Nix to be installed and accessible, but no root privileges):
<details>
<summary><code>test.nix</code></summary>
```nix
let
  root = ./.;
  filter = path: type:
    let
      rootStr = builtins.toString ./.;
    in
      if builtins.substring 0 (builtins.stringLength rootStr) (builtins.toString path) == rootStr then true
      else builtins.throw "root path\n${rootStr}\nnot prefix of path\n${builtins.toString path}";
in
  # each one will demonstrate the problem!:
  #builtins.path { name="name"; path=root; inherit filter; }
  builtins.filterSource filter root
```
</details>
<details>
<summary><code>test.sh</code></summary>
```shell
#!/usr/bin/env bash
tmpdir=$(mktemp -d)
mkdir "$tmpdir/directory"
cp test.nix "$tmpdir/directory/default.nix"
# add the directory to the default store
result=$(nix-store --add-fixed --recursive sha256 "$tmpdir/directory")
nix-instantiate --eval "$result"
nix-instantiate --eval "$result" --store "$tmpdir/2nd-store"
# add the same directory to the second store as well
nix-store --add-fixed --recursive sha256 "$tmpdir/directory" --store "$tmpdir/2nd-store"
echo this will fail...
nix-instantiate --eval "$result" --store "$tmpdir/2nd-store"
```
</details>
The final `nix-instantiate` will trigger the `throw` from `test.nix` -- apparently `filterSource` confuses the store paths:
```
error: root path
/nix/store/dv15ix385vx19wxac0v5h5n7x8i5iwgp-directory
not prefix of path
/tmp/tmp.f3xsGxSb42/2nd-store/nix/store/dv15ix385vx19wxac0v5h5n7x8i5iwgp-directory/default.nix
```
**Expected behavior**
The final `nix-instantiate` invocation should succeed.
**`nix-env --version` output**
nix-env (Nix) 2.18.5
**Additional context**
Nixpkgs contains many instances of `src = lib.fileset.toSource { root = ./.; fileset = ..something..; }` which are liable to trigger this bug if evaluated from within `nixos-install`; in that case `src` ends up as an empty directory because the filter function from the fileset library constantly returns `false`. One such instance is documented (with steps to reproduce with `nixos-install`) in https://github.com/NixOS/nixpkgs/issues/334098 .
**Priorities**
Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).
NixOS:master
← DeterminateSystems:prefetch-out-link
opened 04:54PM - 10 Feb 25 UTC
## Motivation
This makes `nix flake prefetch` more useful for scripting and prevents the result from being GC'ed prematurely.
## Context
---
Add :+1: to [pull requests you find important](https://github.com/NixOS/nix/pulls?q=is%3Aopen+sort%3Areactions-%2B1-desc).
The Nix maintainer team uses a [GitHub project board](https://github.com/orgs/NixOS/projects/19) to [schedule and track reviews](https://github.com/NixOS/nix/tree/master/maintainers#project-board-protocol).
I believe? The link is broken due to linking to github issue rather than pull
Thanks, I’ve fixed the post.