Re: [Nix-dev] gimp and pygtk ImportErrors
Fixed in x-updates or so. There is a bug report or pull request at nixpkgs. So just be patient till it will be merged (will happen in a couple of weeks). Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] gimp and pygtk ImportErrors
I want to learn :-) That page tells you: quote: pygtk does not create pth files, thx @shlevy and @NixOSn00b (on irc) for pointing it out and finding workarounds for now. So learning to read the comments is how you may want to get started with learning :) Otherwise checkout x-updates, and then use git bisect till you've found the commit making the difference. (git blame on the pygtk derivation might be faster, though). Maybe its even fixed at master - I don't know exactly - thus eventually update nixpkgs and retry. Yours Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] setup.sh, addToSearchPath - only add if directory exists?
Excerpts from Peter Simons's message of Sun Apr 28 15:35:31 +0200 2013: personally, I don't see any benefit in filtering non-existent search paths. Whether these paths are included in the environment or not doesn't affect the build either way. There are other use cases such as PYTHONPATH or GI_TYPELIB_PATH (gtk3 related) etc. Well - yes - you can manage them manually. configure scripts check that the dependencies exist, and eg python requires them at runtime now. gtk3 introduces an automatic way to derive scripting glue code from xml files (which is what this GI_TYPELIB_PATH and those .gir and .typelib files are about) - thus you also have to wrap bin/* executables in order to make them work. I agree that there is no difference looking at CFLAGS/LDFLAGS env vars It doesn't make sense to populate GI_TYPELIB_PATH with dependencies like gnused. A path check would do the right thing in most cases IMHO. Thus if nobody objects I may propose it for x-updates Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] setup.sh, addToSearchPath - only add if directory exists?
I just notice that there is already a [ -d check. Sorry for the noise. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
[Nix-dev] setup.sh, addToSearchPath - only add if directory exists?
Does it make sense to patch addToSearchPath so that it only adds paths if they exist? Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
[Nix-dev] wacom users - pay attention to this pull request
https://github.com/NixOS/nixos/pull/154 This drop all old config option, but also gets rid of all pain I had trying to make an Intuos 5 tablet work the way it should. I've only tested it with x-updates right now. Please report wether you have any issues If you need the old options back, you might want to override the etc file instead. We still may want to figure out which is the best way to configure the buttons. AFAIK xsetwacom can be used, too. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
[Nix-dev] minimal install archive
I've spent some time updating the old minimal install archive I
provided once which is still referenced on the wiki [G3].
Its goal is to split the nixos-install script into
reusable pieces which can then be used with a nixos install iso or a
minimal bootsrap archive.
The README/documentation roughly looks like this - which means you can
install nixos by 4 steps:
1) unpack to /mnt
2) prepare
3) adjust configuration.nix
4) install
=== README (short documentation)
HOWTO
=
export mountPoint=/mnt # and mount it
1)
IF-ARCHIVE:
tar xJf $THIS_ARCHIVE -C $mountPoint
2)
PREPARE:
${P}nixos-prepare-install copy-nix guess-config
iso-source|official-source create-etc-files
# lookup items by using --help
3)
Adjust $mountPoint/etc/nixos/configuration.nix [1], then install:
4)
${P}nixos-prepare-install install --show-trace -j NUM_CORES_PLUS_1
--install --keep-going [--no-grub]
This runs $mountPoint/nix/store/prepare-install using run-in-chroot
NOTES:
$mountPoint/nix/store contains the helper scripts listed at the beginning.
They
should be gone the next time you run the garbage collector.
= Why should nixos-install be improved ?
- split scripts into pieces, so that you can use the run-in-chroot feature to
rebuild your system quickly eg if you forgott to add a module to
initrd
- allows you to use your own sources if you check them out into
/etc/nixos/{nixos,nixpkgs}
predefined sources:
iso-source (sources from iso)
official-source (official latest trunk git sources)
- it automatically exports mountPoint :-)
(See https://github.com/NixOS/nixos/pull/151)
Alternative [guides] (requiring more manual steps):
[G1] https://nixos.org/wiki/Install_NixOS_on_Linode
[G2] https://nixos.org/wiki/Install_NixOS_on_Rackspace_Cloud_Servers
[G3] https://nixos.org/wiki/Install_NixOS_as_OpenVZ_guest
= Questions to you (community):
- Are you interested in this?
- Should be merged with the minimal binary package which does already
exist?
I ask before creating pull requests, because Eelco once removed the
previous version due to lack of documentation without asking.
The last two weeks at least two people asked on irc about how to install
nixos on linode like v-servers or on computers without cdrom.
= Things I haven't checked yet:
Will using the [guides] referenced above be in trouble if the host
system does not have a group called nixbld or such?
AFAIK nixos-install does depend on the /etc files found on the host
system which have them - but using an arbitrary linux for bootsrapping
this might be causing trouble. My scripts write minimal
/etc/{passwd,group} files
Let me know how you feel about this. The current code can be found at
github.com/MarcWeber/nixos - branch experimental/minimal-install-archive
Marc Weber
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] PHP configuration options
Here is the code I'm using. However as said on irc it requires my patches found on my github page (see comments). http://mawercer.de/tmp/php-hosts.nix This sample is for apache. Shouldn't be too hard to make it work with lighthttpd or nginx in some way. If you care about php configuration options only see my nixpkgs branch. If you like this - vote for the multiple versions in one file patch. While it might not be the right thing to do - it is the right thing to do for PHP - because 5.2 5.3 and 5.4 can be built with minimal configuration differences. I added the php-5.2 php fpm patch for the sake of completeness, because one customer required such once. You should be using = 5.3 today. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
[Nix-dev] comments about nixos's documentation
comments about installation: nixos.org - nixos - Documentation - Nixpkgs manual link. - typo: Thus, installation from binaries falls back on nstallation from source - (channels stable): is just outdated: That's correct. eventually it should also be noted that its more likely to contain security vulnerabilities? Or does somebody care and backport fixes !? - 4.1 Basic package management: Its told that manifest contain list of available binaries However because the manifests are no longer downloaded I guess that the /etc/nix/nix.conf's binary-caches setting is much more important to talk about ? I didn't find the doc source (?) - so I'm not sure how to improve it other then notifying about it. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
[Nix-dev] nixos/nixpkgs source used by iso installer?
Does it make sense to use the nixos/nixpkgs version distributed with the live cd: - yes - installation might be faster Does it make sense to always use latest: - yes - for security reasons - and because user will update soon anyway? Wich argument is stronger? So should nixos-install found on the live cd be able to run nixos-checkout (optionally)? Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Discussion: env vars as glue
check some properties, such that two libraries making up an application are built using the same glib library do make sense. I somehow feel that the overall issue is too complex to be solved easily using the one true way. I personally feel the most efficient way is to think about what must be done to make something work - and in my case its just waiting for current libreoffice to be build - or use binaries using master branch.. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] NixOS wiki
Excerpts from Domen Kožar's message of Sun Apr 07 11:10:09 +0200 2013: I'd like to help with growing community, [..] :-) Great. The major blocker is the wiki. Currently there is no way to register, So start with RTFM: https://nixos.org/wiki/Main_Page - How to contribute to the nix wiki (keep top) - how to get an account which says: quote due to spam reasons you have to ask on the mailinglist If this fails at least two times, I join your party. So do that and see whether it works, then complain :) You're welcome with helping, but in order to provide good documentation, RTFM is the first step, I'm afraid. The SPAM issue was picked up by people being responsible in reasonable time, and they took action - what else do you want? I personally want UTF-8 support: How to reproduce? Add Lluís this to an article, then hit the preview button. - clean UI for non-technical users Maybe we need two wikis then? Try describing how you'd change the UI so that everybody technical understands what you're talking about. - some offline editing support (git)? we talked about it - and we agree that there are ways - but also pay attention to what Eelco said: He fears that the quality of the contents of the wiki is not that great. So eventually start with telling us what you would add, and why it is not possible or too much work to do it with the current wiki. - markdown formatting support (for reasons that it's wide spread and most simple to explain) As I said earlier: What do you need to be succesful with a wiki? - headlines - code blocks - links Should be reasonably easiy to learn this using any wiki fast. PS: I have imported current wiki into github wiki, but it lacks categorization and search: https://github.com/iElectric/nixos/wiki/_pages First talk to the community, then wait 1-2 weeks, then take action - otherwise your effort may not be adopted. So talk about the contents you want to provide, and tell the community why you think git will be so much faster than copying an article into your editor of choice, editing it, copying it back and press the save button. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] NixOS on Linode
AFAIK there are two ways: using your own initrd, or using boot scripts: boot.loader.grub.enable = false; boot.loader.initScript.enable = true; everything else is as usual, so yes, you can prepare and upload any image (using the rescue system). For German customers admin.jiffybox.de or amazon services (ec2) are valuabble options, too - because you can rescale and pay hourly. The minimal install archive I created once is only available in my branches now, and I haven't tested it for month - its still likely to work in some way. If you need one tell me the architecture and I'll create one for you. https://nixos.org/wiki/Install_NixOS_as_OpenVZ_guest references http://hydra.nixos.org/job/nixos/trunk/minimal_install_archive/ However the documentation looks like my old description: bash $mountPoint/nix/store/nixos-prepare-install checkout-sources copy-nix I'm surpised that hydra still has copies of those old builds.. Those old copies are unlikely to work because nix has had some small language extensions since then (which can be worked around by click installing newer nix and putting it in PATH, does this happen automatically?) One alternative is listed here (using the iso) in some way (I never tried it) https://nixos.org/wiki/Install_NixOS_on_Rackspace_Cloud_Servers AFAIK there is an alternative minimal archive, but I don't know its url - so consider waiting for additional replies. For Amazon: https://nixos.org/wiki/NixOS_on_Amazon_EC2 Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] nix-prefetch-url and sha256sum differs
When I run sha256sum on the downloaded file I get the correct result: nix-hash --type sha256 [--flat] file I don't know why the output differs from the sha256sum tool. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Missing command suggestions
And if the environment variable $NIX_AUTO_INSTALL is set, the missing command is installed and executed automatically: $ hello The program ‘hello’ is currently not installed. It is provided by the package ‘hello’, which I will now install for you. installing `hello-2.8' I'd prefer such message: Application hello is provided by package hello. May I install it to your user profile by running nix-env -i hello ? As alternative you can install packages system wide by adding them to /etc/nixos/configuration.nix option environment.systemPackages [y] to install, ctrl-c to cancel Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
[Nix-dev] kbuildsococa4 calligra
I tried running krita which belongs to callgria suite. I updated calligra to current 2.6.2 version. To make it run I had to - add shared_mime_info to PATH, - setting KDEDIRS to calligra store path (and eventually the kde dir found there) - run kbuildsycocoa4 Well - this is non trivial. First it told me that part.dekstop service was missing, then the krita mime type was not found. Does anybody know about a nixos fix? If not I'd like to document it in some way .. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] wiki and utf-8 characters
For completness: I think that protecting the create new user feature by htaccess, and documenting it (even with password) on the wiki would be enough to keep spam bots away. That can be done without updating media wiki should not take much time either. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Haskell Parser for (subset of) Nix
I thought about writing a Haskell interpreter for nix, too. Haskell is very close to nix (being lazy) that comparing performance would be interesting. So what is your goal? Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] wiki and utf-8 characters
gollum hard to learn vs other maybe better known syntaxes Seriously: How many features do you need? - headlines - code blocks - links to wiki pages - external links - (eventually tables ?) Nobody cares about the syntax if you document those features and if its reasonable simple to write. Not everybody is a developer Right - so if people are not familiar with github, do you think people could be told to just send their contributions to the mailinglist - because - we want to review them - adding it to a git wiki and pushing is fast for developpers As alternative those people could just be told to use the bug tracker. If we want to lower barrier for contirbution, what about adding a comment section people can write anything to ? See php.net/any-php-function - works great. We then can review the comments and change the wiki to get more content We also want to have current up to date content - we don't want to have random out of date content. It was me fixing the cross compliation wiki page (buildNative* vs nativeBuild*). spam: I think those spam pages are created by bots to create random backlinks So getting rid of spam is eventually not that closely related to reviewing nix related content. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Haskell Parser for (subset of) Nix
Excerpts from Sergey Mironov's message of Sat Mar 23 18:13:52 +0100 2013:
Cool, thanks! It opens the way for many good thinks, like ctags
see ctagsWrapped in nixpkgs, it already implements some regex. Not
perfect but pretty good for the amount of work required to implement it.
generator, safe automatic package updaters, and so on!
I've worked around this using nix-repository-manager by intorducing
regions, it looks like this:
# REGION AUTO UPDATE: { name=haxe-unstable; type=svn;
url=http://haxe.googlecode.com/svn/trunk;; }
src = (fetchurl { url =
http://mawercer.de/~nix/repos/haxe-unstable-svn-6387.tar.bz2;; sha256 =
18bcdf23d7ed32d0bafaf4a0acbc9715ea6c30ae22642cb8b797c870098835c0; });
name = haxe-unstable-svn-6387;
# END
its not perfect, but does all I need:
- it documents where to get updates from
- it knows which piece of code gets updated
- it inserts that piece of code
- still simple, everything is in one place without too many additional
files.
But its only my quick and dirty way to cope with some update problems.
Marc Weber
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] wiki and utf-8 characters
thing to maintain, especially with a database like mysql. the wiki.nixos.org uses postgresql as backend. Why is a database of that size hard to maintain using MySQL? MySQL is used that much that it should have no trouble coping with such a small wiki. Eventually some care has to be taken to set fields to utf-8 collation - but the media wiki should take care of that. In the end a wiki is a key value store and a search. going away from mediawiki is a good thing to say the least. Again - tell us why you feel that way :) I'm pretty sure mediawiki also knows how to cope with spam if you configure it correctly *and* keep it up to date. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] wiki and utf-8 characters
Excerpts from Vladimír Čunát's message of Thu Mar 21 11:33:31 +0100 2013: I didn't know about wikis on github, but they look good. They do support .mediawiki as well, so moving the content shouldn't be too difficult. But they restrict access to users with access - and they never match the nixos/nixpkgs version. As alternative I'd like to suggest evaluating pros/cons of using a git based wiki: Track wiki contents as text files (using any markup), then accept pull requests. Reviewing the wiki almost as important as reviewing code IMHO. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] wiki and utf-8 characters
I thought this is what github wiki offers, but I've never used it.
If it was I would not have spoken up. Github wiki is just a wiki you can
edit online.
I suggested it being based on the git source once.
It looks like github supports .wiki files (links by {{{url}} and
similar) natively, it could be an option for that reason.
Put those people maintaining the wiki should speak up and tell how they
feel. I don't want wiki.nixos.org to host spam.
Marc Weber
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] wiki and utf-8 characters
You can push to the wiki with git too, no? Thanks - I didn't knew this - then you can clone the wiki and have a normal git repo for it - and merge as appropriate. At least it would be fast to setup, spam and utf-8 issues would be gone, too But still I'd like to hear what those running the wiki have to say. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
[Nix-dev] wiki and utf-8 characters
Today I added guix and to https://nixos.org/wiki/Nix%28OS%29_related_repositories_and_work however I failed getting Lluís and ludovic's name right. The character encoding is detected as utf-8 by firefox (I also tried chrome). So it looks like its an issue - maybe database configuration? I think we should be able to insert utf-8 characters. Does anybody has more experience with utf-8 and nixos's mediawiki? Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Cross Compiling for Raspberry PI
Excerpts from Sergey Mironov's message of Mon Mar 18 13:24:00 +0100 2013: Hi! I'm going to try compiling NixOS for Raspberry PI soon. What is the status of this target? Alexander, were you able to solve your problem? See github.com/nixos - pull requests. It works fine AFAIK. Not sure about special GPIO kernel interrupt patches and the like. Don't konw about cross-compiling either. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Failed nixos-rebuild cannot download xf86-video-vmware
What is the next step in debugging? try --fallback ? Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Failed nixos-rebuild cannot download xf86-video-vmware
Where should I report the broken link in hydra though? Mailinglist should be fine. I don't know hydra enough to comment though. Excerpts from Patrick Wheeler's message of Tue Mar 12 16:17:11 +0100 2013: No improvement, wrong: There is an improvement: You know that both failed: hydra and falling back downloading it yourself. I tried to fetch the tar.gz from: http://cgit.freedesktop.org/xorg/driver/xf86-video-vmware and it turns from that location it has a different hash then from any of the mirrors found from the x.org mirror list: http://www.x.org/wiki/Releases/Download if you're paranoid the way to go is get the source, and compare the mirror source - you can't because you don't have it on disk - neither do I. Unless somebody else still has sources best you can do is use the files from the official site hoping its fine. (If you have a better reply, improve mine) Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
[Nix-dev] haxe-3 updates
Posting about it so that interested people don't have to do the same work. Not sending a pull request because my patches depend on https://github.com/NixOS/nixpkgs/pull/310 (should be easy for you to pick the changes you're interested in) Most important is the change to installPhase (haxe) and the neko update (in the end very trivial changes) http://mawercer.de/tmp/haxe-3-patches.tar.gz Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Rubygems and bundler
Excerpts from Andrew Morsillo's message of Thu Mar 07 05:18:24 +0100 2013: I am trying to get an environment set up to run my rails application on nixos but I am confused about how rubygems/bundler is handled. I have read It is not at all. http://gitorious.org/nixpkgs-ruby-overlay Comes closest. See http://gitorious.org/nixpkgs-ruby-overlay/nixpkgs-ruby-overlay-specs bundler is broken by design because it doesn't check versions of dependencies level 2. Eg A B C - then version constraints for C will not be checked. over rubygems.nix and see that I could install all my dependencies by generating nix expression for them with gem nix but trying to do this has lead me to two problems: 1) gem nix does not appear to be able to handle gems that require building native extensions. You can pass paths to includes and library directories somehow, but its a mess. = see tarruby, mysql packages etc. http://gitorious.org/nixpkgs-ruby-overlay/nixpkgs-ruby-overlay/blobs/master/pkgs/defaults.nix If bundler could output a derivation description as found in http://gitorious.org/nixpkgs-ruby-overlay/nixpkgs-ruby-overlay/blobs/master/default.nix (see rails there to see some examples) You'd be pretty much done - except that its awkward to get 40.000 package descriptions if you use only 20 of them. I'd like to fix this by implementing a http api in nix, so that data can be fetched from trusted servers (and then can be cached) What is the best way to handle gems with native extensions? There is no perfect way. Why can't bundler read the existing gems I have installed into the nix store? You don't want a reply to this because you know it: Nobody implemented it. Are others running complex rails applications on nixos and if so what is your setup? Don't think so. I can run my application by setting up a custom build environment and installing rvm in my home directory, but I would rather do it the nixos way if possible. rvm is stateful and a mess (compared to nix). I had in mind making it nix compatible. Then I couldn't spend enough time on it. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Rubygems and bundler
Excerpts from shea's message of Thu Mar 07 16:10:06 +0100 2013:
I disagree with Marc's assessment. It's not true that gems are not at
all handled, gem nix works perfectly well (and can do gems with native
extensions fine, see e.g. rubyLibs.ffi), and IMO Marc's overlay
solutions are very over-complicated and unnecessary for what we actually
want to get done. I've run rails applications on NixOS setups in the
past and all worked well.
shea, you forget that it was me first writing the first version of gem
nix command. I know what I'm talking about - and I know why I
implemented the alternative.
gem nix is based on gem, not bundler. It may work, but for each
target app you have to rerun gem nix and create different sets of
dependencies. It does work - no doubt. The question is whether its
satisfying.
So it might be enough to have rails running. But bundler is about
fixing versions once and forever till somebody runs the risk updating
packages.
If you use genarted.nix you're out of control. If you extend bundler and
make it generate a package description which can be understood by code -
your app will be running fine forever (unless rubyforge drops packages).
I think we all agree that neither solution is perfect or satisfying.
My personal problem is that I'm not even satisfied with bundler.
So IMHO the true fix would be enhance bundler, then integrate this with
nix somehow. (That's on my todo list, but probaly will also stay there
for quite a while ..)
But of course that's only my view. And the best solution depends on the
use case.
solutions are very over-complicated and unnecessary for what we actually
Don't think so. I'm using this general purpose ruby env satisfying most
of my needs, and it doesn't look over complicated to me:
rubyCollection =
let ro = (pkgs.overlay ruby);
in ro.rubyEnv19 {
p = {
ruby-debug-base19 = [[= 0.11.25 ]];
};
names = [
rake bundler escape
rspec
bundler
addressable
mechanize nokogiri
sass
mechanize
selenium-webdriver
json
sequel
mysql
livereload
guard
];
};
You can add it to your ~/.nixpkgs/config.nix and be done.
However the same problem occurs unless you fix every version (which
bundler is about).
So in any case some pieces are still missing.
Marc Weber
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] cross toolchain howto request
http://nixos.org/wiki/CrossCompiling Is all I know about. If people tell you additional information that would eventually be the place to add documentation. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] hack the source, then install
The idea is to be able to quickly hack the source and see if it works or not. No, but you can run make install and test without making /nix/store/your-package valid (is this still true after making the store read only) - at least in the past it was possible. You can try something else: export DISPLAY=:0.0; rxvt then hack in that shell. If you drop the hack you'll get a new clean hash - thus you don't mess up the store. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] development environments
The overlay dumps the hackage package information into a .nix file. Then a nix code tries to determine dependencies based on (eventually patched) cabal file contents creating the .nix derivations on the fly depending on what you asked for. Because brute force is used only a limited set of haskell package versions is used when resolving dependencies. Advantage: Very often it just works. Disadvantage: If it does not it still requires some debugging and patching. Depeding on cadal flags the right dependencies are chosen automatically. Eg if you have foo-1.0 dependencies: if flag-A LIB_IF else LIB_ELSE Then either LIB_IF or LIB_ELSE will be passed as build input depending on flag configuration. Darcs on its own has more than 8 flags, thus there are 2**8 different ways to configure it (not counting slightly different versions in the dependencies). Thus in theory its strong enough to find a working configuration, but in the real world there are too many ways, which is why its me setting sane defaults. Because the whole dependency chain is calculated on the fly its possible to inject your own dev version of a packages: Eg make darcs depend on bytestring-my- version. Because dependencies are calculated on the fly, and the end result is only a script you install into a directory specific profile you can have multiple profiles. source ./ghc-6.0-setup # then compile with ghc-6.0 2nd shell: source ./ghc-7.x-setup # then compile with ghc-7.x Thus testing multiple configurations at the same time using different shells is made easy. Because I don't do much Haskell at the moment the hackage dump I created is a couple of month old. If you're interested I can show you how to update it yourself. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] development environments
Excerpts from Lucas Paul's message of Fri Feb 22 21:13:54 +0100 2013: I'm just learning how to make software in nix (with some help from the wiki). If I want to use an IDE, say Leksah, should that be in the build environment too, or should I install that into my default profile? build environment, because leksah uses ghc internal features, such depends on your build env such as ghc version AFAIK. Of course if you use the same set of libraries always, installing it into your default profile may be more convenient. Maybe try both, and keep using what works best for you. At this point in time I also want to remind that there is a second way for install haskell packages using nixpkgs https://nixos.org/wiki/Nixpkgs-haskell-overlay Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] quoted vs unquoted urls in Nix expressions
What is the difference between quoted and unquoted URLs in Nix
expressions? In nixpkgs the fetchurl urls are sometimes quoted and
sometimes not.
nix has urls as native type AFAIK.
let str = 'foo'
let url= http://bar
The latter catches typos such as http:/bar, because its not a valid URL.
However invalid urls will be caught be the build anyway usually.
Common usage interpolation is only possible with strings AFAIK:
let url = http://fooo-${version};;
Does it make a difference? In the end: No because AFAIK nix passes urls
and strings the same way as env vars to the builder.
For completness let's also compare with file paths:
./bar will be turned into an absolute path. However the path is not
passed to the builder, instead bar is copied to the store, and that
store file is passed to the builder so that everything works as expected
also in chroot builds (which are default now AFAIK)
Marc Weber
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Suggest package to install
That was done recently by Eelco Dolstra. See commit messages. Maybe updating nixos is enough. Also see 'how to find the package ..' on the wiki. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Suggest package to install
[..] *user installed* [..] See _The collection way_ if you want to learn about user collections So reread the article if you have more time, cause it already should contain everything you want to know. In the system way it doesn't make sense to think about collections, because you install by path (correspondents nix-env -iA) and not by name anyway. It does make sense to have multiple collections because rebuilding everything at once may take a long time - and also some packages may be broken. Eg for my case I have a haxe-collection which installs - haxe - neko at the same time. I also have a personal collection which installs all the stuff I regularly use (editors, browsers etc) and so on. I update the haxe-collection more often the the personal one (for upstream reasons). but yes, this all will make more sense to you if you familiarize yourself even more with Nix. Best Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Installing custom SSL CA certs?
My environment has: export | grep certs declare -x CURL_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt declare -x GIT_SSL_CAINFO=/etc/ssl/certs/ca-bundle.crt [..] So it doesn't look like there is already a common way to do it. Eventually this issue could even be discussed with upstream devs then. (I may be mistaken, I didn't look at openssl code yet) Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
[Nix-dev] sophisticated php-fpm implementation for nixos
I've been working on php-fpm support. Now its possible to configure php for each user/account individually. You can even enable xdebug. The module takes care about pid, log, socket names etc. If pools use same php compilation flags and ini file they'll be supervised by the same php-fpm daemon, otherwise a new service will be created as neccessary. CODE: https://github.com/MarcWeber/nixos/blob/systemd/php-fpm/modules/services/misc/phpfpm.nix https://github.com/MarcWeber/nixpkgs/blob/experimental/php/pkgs/development/interpreters/php/php-5.3-fpm-system-config.nix Please be aware that it depends on some patches (sample configuration can be found here, too): https://github.com/MarcWeber/nixos/blob/systemd/php-fpm/.topmsg Talking about this progress so that interested people can join to prevent duplicate effort. What is php-fpm? Its a fastcgi implementation for PHP. php-fpm starts threads, drops priviledges and runs php code. Thus it replaced the old famous suexec like setups etc. Additionally it provides more features Summary can be viewed here: http://php-fpm.org/about/#why Its included upstream in PHP so I think it can be considered stable. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
[Nix-dev] [***SPAM***] bashCompletion / multi-shell-support update
Hi Peter, do you have an idea how bashCompletion compares with the sample
completion shipping with bash?
@list
I'd also like ask for feedback about this multi-shell patch.
The main difference is that some of the fancy setup is moved into users
.bashrc .zshrc so that they can opt-out in various ways such as:
- not sourcing /etc/{bash,zsh}/setup-all
- defining DID_* vars before sourcing it.
This way its even possible to opt-out from some bash completion scripts
only.
Eventually it does even make sense to move all code depending on
NIX_PROFILES into user's bashrc, so that they can tell the system which
profiles they want to use. I havn't had a use case yet so I don't care.
A feature attr is introduced providing initPrompt, aliases and the like.
This way administrators can override pieces only easily.
Its also duplicating some code (bash/zsh) implementation and
introducing small lib files providing helper functions.
I'll do some more testing while waiting for some feedback, too.
Sincerly
Marc Weber
multi-shell-support.patch
Description: Binary data
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Adding runtime library search path
How to easily add one particular entry without preventing deletion of other unnecessary rpath entries? patchelf also has a --print-rpath option. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] how to disable tests
Excerpts from Christopher Howard's message of Sat Jan 26 01:36:14 +0100 2013: Hi. I'm trying to build emacs-24.2, but I can't because guile-2.0.7 won't build. One test failed. Personally, I don't care. There is always the option to fix a test .. so eventually also talk about the error. You don't want to run nix without tests. If eg nix tests fails you're at risk. So how to disable tests for emacs only? try adding doCheck = false; to the emacs builder or commenting check phase. checkPhase = :; # : is a a short command returning 0 exit code. Does nix suppoprt disabling tests for gentoo only? Don't know. grep for doCheck to see how its done for other packages. Probably system is just linux and not gentoo. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Bundling nix-expressions with source code
Excerpts from Rickard Nilsson's message of Tue Jan 22 13:05:09 +0100 2013:
I would like to bundle nix-expressions with some of my self-developed
programs, and just let nixpkgs (or some custom-nixpkgs) use the
nix-expression from the source when building the program. Is this a wise
thing to do? Is it even possible?
Why not?
You can always build using external files like this:
let pkgs = import /etc/nixos/nixpkgs {};
in {
pkgs.mkDerivation {
./your-source-whatsoever
}
}
The only issue if you have multiple packages depending on each other.
Usually whatever works is good :)
Marc Weber
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] GNU Guix 0.1 released (alpha)
Thus I'd appreciate more info about - why you go this way. One reason I can think of is because scheme might be more powerful than nix language. Are there more reasons? - in which way you're going to utilize the new power of scheme first applying to what problems? - how exactly you reuse existing nix* software. You should describe this. - what would be the advantages of your system - eg will you keep the lazy feature? If you build 150 packages its not a big problem. But if you think about all python, perl, scala, java, php, C, ocaml, perl, ... packages ... there are many. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] modification time
Why not just try it? Executables should run no matter which timestamp they have. Of course nobody prevents executables to fail if their timestamp is older than a particular date. It doesn't make sense to implement such behaviour so I expect most things to work. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] query package meta information
Use xpath and any scripting language? One of the Haskell libraries (haxml?) provides an executable. for ruby I recommend nokogiri other languages use google Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Nix 1.2 released
Excerpts from Eelco Dolstra's message of Fri Dec 07 17:03:58 +0100 2012: So change your script... :-) I mean, you could make the same argument about the out variable. Yes / no. lib is a very common name RUBYLIB PERLLIB etc. I have never seen RUBYOUT or the like. For the same reason why does NIX_CFLAGS exist? why not tell configure where to find libraries? Cause NIX_CFLAGS gets the job done faster (and for purity reason, I agree) I don't worry about my scripts I know. I worry about thirdy party makefiles and patching them for such a stupid reason - cause that is error prone and time consuming - and keeping them up to date. You have done a great job on this project always - so I trust you and I'll shut up after having expressed my concerns even though I have the feeling that I might get hit by it at least once in the future. Patching Makefiles or build scripts can be a lot of work and is error prone. I've also tried using some search engines to proof my point - but I somehow failed: http://symbolhound.com/?q=lib%3D searching for lib== 217 hits (without language filter so its a very week indicator) out_lib = 0 hits I've also tried http://www.krugle.com/ http://searchco.de/ but didn't get any results I expected. export | grep -i lib | wc -l 17 export | grep -i out | wc -l 0 (my environment may not be an average one) Maybe I find time to grep sources being used in nixos right now myself. nix-env -A foo-bar should just work (but I didn't test). I missunderstood you. I thought you made 2.8 = derivation legal. I mixed up dashes with dots. So forgett about this one. Thanks for your replies Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Nix 1.2 released
Thank you all for those improvements * Nix has a new binary substituter mechanism: the binary cache. A binary cache contains pre-built binaries of Nix packages. Whenever Nix wants to build a missing Nix store path, it will check a set of binary caches to see if any of them has a pre-built binary of that path. The configuration setting binary-caches contains a list of URLs of binary caches. For instance, doing $ nix-env -i thunderbird --option binary-caches http://nixos.org/binary-cache Thus are non root users allowed to choose binary caches? Thereby they could download compromised binaries having the same store paths than the system might have .. outputs = [ lib headers doc ]; This will cause Nix to pass the intended store path of each output to the builder through the environment variables lib, headers and doc. Other Which is kind of bad because LIB may be used by scripts - its too short. I expect collisions. what about using out_lib out_headers out_doc ? I mean we want short names like .lib for installation, inspection and whatnot. I just don't think its a good idea to use those short names for env vars (especially the lib case). * Dashes are now valid as part of identifiers and attribute names. :) How to quote them using nix-env -A ? * The new operation nix-store --repair-path allows corrupted or missing store paths to be repaired by redownloading them. nix-store --verify --check-contents --repair will scan and repair all paths in the Nix store. Similarly, nix-env, nix-build, nix-instantiate and nix-store --realise have a --repair flag to detect and fix bad paths by rebuilding or redownloading them. Can you be little bit more verbose about which risks you run doing so? Eg is it atomic or do you run the risk having a broken system for a short period of time? Nix will automatically make /nix/store writable as needed (using a private mount namespace) to allow modifications. This requires chroot builds, correct? * Store optimisation (replacing identical files in the store with hard links) can now be done automatically every time a path is added to the store. This is enabled by setting the configuration option auto-optimise-store to true (disabled by default). Any experience about performance? Why is it disabled by default? I mean will this require reading all of /nix/store/* to find duplicate files even if all you do is installing a small tool into your path? * The command nix-copy-closure has a new flag --use-substitutes (-s) to download missing paths on the target machine using the substitute mechanism. cool ! I was happy reading about it. * Chroot builds are now supported on systemd machines. Have you also had time to think about supporting git hashes in addition to sha256 values? For many dynamic things like getting packages from rubyforge, puypi etc you know the git commit hash, but not a sha256 or md5 value. Verifying such a store path would require running a git command and keeping the .git directory (so maybe you don't even need to checkout the files) And no, its not always an option to prefetch everything you may not need at all. Note that I don't ask you for implementing - just for sharing your thougts on the topic - and if - how you'd implement it. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] fetchgit - why sha256 protection?
Excerpts from Eelco Dolstra's message of Mon Nov 19 11:01:39 +0100 2012: No, because Nix's fixed-output derivation feature requires a md5/sha1/sha256 hash of the expected contents. I know what the current implementation requires. Just wondering whether this should be relaxed for git (like) VCS sources, because they naturally have a hash. I mean why run nix-prefetch git if using url and git commit hash could be enough? If you don't trust builders, fetching git sources is that common that it could even be built into the nix tool. My goal is to simplify installing packages from other sub universes such as ruby. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] fetchgit - why sha256 protection?
Excerpts from Eelco Dolstra's message of Mon Nov 19 11:36:00 +0100 2012: No. fetchgit won't work if it's not a fixed-output derivation, because it won't necessarily have network access (it might run in a chroot). Again: I'm not talking about the current state. I'm aware about how it works. I'm talking about: Does it make sense to introduce a special fixed hash for git repos or what about implementing git checkouts natively so that passing the git's hash is enough? git sources are very common today. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] fetchgit - why sha256 protection?
Excerpts from Shea Levy's message of Mon Nov 19 13:38:37 +0100 2012: Is it terribly difficult to run nix-prefetch-git? YES: I'm talking about such configurations: http://gembundler.com/ And here you have git repo and hash. Trying to semi automatically package such things requires much overhead if you have to prefetch everything to get a sha256 hash. I'm not talking about the one project you do package once in a year. I'm talking about 20 small ruby gem packages you need to get some bleeding edge code working. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] fetchgit - why sha256 protection?
A similar solution for rubygems would probably not be too hard. As rubygems itself is written in ruby, you can probably plug in to its dependency resolution and downloading capabilities so you can focus on generating the sha256 and the nix expression. If you still haven't got it: I worte nixpkgs-ruby-overlay which already does it. I also wrote hack-nix packaging all hackage - and I did so after having disregarder a 80% working attempt doing it the nodejs way. I'm looking for packaging fast changing dev versions of packages. And then I don't want to wait for any double fetches. I want to give code a try. I know what I want and why. I accept that the nix community eventually things differently about this. So this may just end up being another patch in my github repos. Maybe I have to use standard ubuntu distribution cause cause I may not have time to finish all this in time (yet) Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] fetchgit - why sha256 protection?
Excerpts from Eelco Dolstra's message of Mon Nov 19 16:31:26 +0100 2012:
Why would you need a double fetch? After running fetchgit, the Git tree is
in
the Nix store and shouldn't be downloaded again unless you do a garbage
collect
in between.
You're right about this.
I want to make bundler (which dynamically fetches updates for
dependencies of ruby packages) use the nix store to share git sources
and gem install results.
nixpkgs-ruby-overlay gets the job done, and I could manually package all
git sources additionally to the packages found on rubyforge. It just
takes too long.
I want to work like other ruby using people do:
bundle update (fetch all dependencies, and if this was done previously reuse
store paths)
Of course running nix-prefetch-git is an option, however checking
whether a store path representing { url = ..; hash = .. } already exists
is harder. If you run nix-prefetch-git twice it will fetch twice
(waste). I haven't looked for options.
If nix could handle this, I could just create a .nix file and I'd always
get what I want: the source - if it exists I would not have to bother at
all.
About changeroot builds: You're right. So mabye a hacky
mkDerivation {
allownetwork = true;
}
would do. It could be used for such cases. Why should it be allowed?
If a programmer wants to shoot himself into the food, you can't prevent
him doing so. Thus the goal should be making it hard to do it by
accident. And this property still holds if allownetwork = true or such
existed.
So comment on whether you see huge security risks using git url and
git's hash only.
Also mind that I don't say that sha256 checks for fetchgit should no
longer be used. I just think its not worth bothering for use cases where
other tools neither do (such as bundler for ruby) - they don't even
bother to use the full git hash length (which is bad IMHO).
Marc Weber
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] assertions / throwing an error-message
The only way to make this work is make hydra accept the license - which would be bad - cause you could install the package by one click install without setting the option. For this reason I'd suggest manually building it only. Thinking about it again - this is not even enough. If you have two users and one accepts the second can start the app from store without accepting the license. I don't know how much this matters at all. I don't see a solution - but again - I'm not a lawyer - so everything I say is void, anyway. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] assertions / throwing an error-message
You can builtins.trace a message, then cause failing assertion. AFAIK assertios show file, line. Thus its easy to lookup. Maybe it would be a use case for a soft throw behaving like a failed assertion - thus I'd not worry too much. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
[Nix-dev] fetchgit - why sha256 protection?
Isn't it enough to depend on the git's hash value, eg
fetchgit { git_hash = xxx; url = yyy; }
Is compromising a git repository (even using shallow clones) that much
easier than compromising a .tar.* file protected by sha256?
In anyway you have to find a hash collision.
A lot of foreign tools (eg bundler for ruby) just store the url and the
hash. Packaging github like projects would be a lot easier if passing a
hash would be enough.
Marc Weber
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] commercial license
I'd force the user to set a config option like this:
~/.nixpkgs/config.nix:
{
proprietary-licenses-accept.your-package = true;
}
and only allow installing the software if this is enabled.
At least this requires attention from the users..
I'm not a lawayer..
Marc Weber
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] install4j
Excerpts from Mathijs Kwik's message of Thu Nov 15 16:27:31 +0100 2012:
Hi all,
Has anyone come across software that is packed/distributed with install4j?
Some software I need distributes itself as a .sh file (with a lot of
binary data appended).
The file extracts itself to some temp dir and wants to start a bundled JRE.
This of course fails on nix, as the bundled JRE tries to load the
wrong runtime loader.
Netbeans and the like almost all just worked .. you may want to to have
a look at those derivations. My older custom code looks like this:
Mabye just gtk is missing and setting LD_LIBRARY_PATH is enough?
Also consider using trying with oracle's jdk and openjdk.
The latter caused some trouble to some applications for different
reasons (allthough I think most should be fixed)
Something like this:
netbeansRunner = pkgs.stdenv.mkDerivation {
name = nix-netbeans-runner-script-${stdenv.system};
phases = installPhase;
installPhase = ''
ensureDir $out/bin
target=$out/bin/nix-run-netbeans-${stdenv.system}
cat $target EOF
#!/bin/sh
export PATH=${pkgs.jre}/bin:\$PATH
export
LD_LIBRARY_PATH=${pkgs.gtkLibs.glib}/lib:${pkgs.gtkLibs.gtk}/lib:${pkgs.xlibs.libXtst}/lib:${pkgs.xlibs.libXt}/lib:${pkgs.xlibs.libXi}/lib
# If you run out of XX space try these? -vmargs -Xms512m -Xmx1024m
-showLocation -XX:MaxPermSize=256m
netbeans=\$1; shift
exec \$netbeans \$@
EOF
chmod +x $target
'';
meta = {
description = provide environment to run Eclipse;
longDescription = ''
Is there one distribution providing support for up to date Eclipse
installations?
There are various reasons why not.
Installing binaries just works. Get Eclipse binaries form
eclipse.org/downloads
install this wrapper then run Eclipse like this:
nix-run-eclipse $PATH_TO_ECLIPSE/eclipse/eclipse
and be happy. Everything works including update sites.
'';
maintainers = [pkgs.lib.maintainers.marcweber];
platforms = pkgs.lib.platforms.linux;
};
};
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] (kde 4.8): knofity4 PID: 21830 Signal: Segmentation fault (11)
Hi Joachim, sometimes this behaviour is caused by different dependencies using different versions of a common dependency. nix-store -q --tree store-path will show a listing. Consider using some regex to stort by name/version to find out whether this is the case. There may be a better option than --tree, see man nix-store. If this is not the case bisecting etc has to be done. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Language-specific package managers
- and there is still quite some work left to be done. The cabal2nix way may work well if you need some packages only and is easy to understand and to debug. I hope I was able to shed some light into current state I know about - others may know more. Let's not forgett that eg most xorg packages are generated automatically, too. The some additional manual work is required to make everything build. There are more sub universes, such as gnome which is provides a central download folder hirarchy you could use to dump package information from. Nobody did it yet. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] enableParallelbuilding for many packages
Buildfarm: You're wrong and you know it. Parallelizing nix builds is easy (scaling horizontally) - You can write your own Amazon buildfarm within one day which scales automatically probably. The problem is time to get a new build - and for that (security updates etc) making each build go as fast as possible is required. The more packages and dependencies - the longer will nix take - the greater the impact using nixos vs other distros (where you can recompile something in between and everything will pick it up) You're right that the goal is to make getting some particular builds for testing faster, too. ./configure is taking much time - anwyay. Don't think rewriting most packages to use cmake would be an option (and some cmake Makefiles are slower than hand tuned ones - at least I heared about such case) Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
[Nix-dev] enableParallelbuilding for many packages
I've written a small quick and dirty ruby script: http://mawercer.de/run-tests.rb for each package if enableParallelbuilding is not set yet it will build it three times: 1st to build all dependencies (with enableParallelbuilding) 2nd without enableParallelbuilding 3rd with enableParallelbuilding If all 3 succeed this means that building with enableParallelbuilding succeeded two times the build times are compared. If enableParallelbuilding is significant faster (more than 20%) better is set to true Some results are already available here: http://mawercer.de/cache Thus there are already 104 packages which might benefit significantly from being built in parallel. When the script is done (which may take some more days because my v-server only has 4 cores) I'll turn this into a patch. This only tests x86_64 builds. I also have to say that there are some builds which randomly fail rarely. (Eg ruby did once make internal error, but I couldn't reproduce it doing 5 additional builds) Thus I'm even thinking about running up to two or three times in such cases - or to patch nix to redo the whole build up to x times if a regular expressions such as make token errors are encountered in the logs. People who think accuracy is most important will disable this feature anyway - but some like me sometimes just have to do rebuilds .. and they may just work more often than not. If you have any objections about such a patch adding many enableParallelbuilding = true; lines based on my results you should tell me and make me understand why. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] openjdk cannot run GUI applications in NixOS
Excerpts from Marc Weber's message of Sat Oct 20 23:35:57 +0200 2012: eclipse fails (strange exception message box) - however it also seems to Eclipse fails due to the cairo update from 1.12.2 to 1.12.4 commit dbfcc caused the failure In the console you can see such traces, I'm not sure whether this is related. Fontconfig warning: /nix/store/i7gz1hrlrpvaz0dr3qj8hhnqx3rg60rn-fontconfig-2.8.0/etc/fonts/conf.d/45-latin.conf, line 75: Having multiple family in alias isn't supported and may not works as expected The program 'Eclipse' received an X Window System error. This probably reflects a bug in the program. The error was 'BadValue (integer parameter out of range for operation)'. (Details: serial 1398 error_code 2 request_code 25 minor_code 0) (Note to programmers: normally, X errors are reported asynchronously; that is, you will receive the error a while after causing it. To debug your program, run it with the --sync command line option to change this behavior. You can then get a meaningful backtrace from your debugger if you break on the gdk_x_error() function.) Fix see https://github.com/NixOS/nixpkgs/pull/167 Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] openjdk cannot run GUI applications in NixOS
I've found two more issues with openjdk: eclipse fails (strange exception message box) - however it also seems to fail with oraclejdk .. I will bisect soon. Amazon ec2 tools don't work with openjre: desk amazon n%ec2-run-instances --region eu-west-1 ami-732c1407 /home/marc/amazon nixos Unexpected error: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1836) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1794) at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1777) at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1703) at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:90) at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) at java.io.BufferedOutputStream.write(BufferedOutputStream.java:121) at java.io.FilterOutputStream.write(FilterOutputStream.java:97) Maybe there is a way to tell openjre about those trust anchors - I haven't investigated yet. I'll post again if I know more details. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Adding xfce4 panel plugins
Excerpts from Eduard Carreras i Nadal's message of Fri Oct 12 00:42:55 +0200 2012: How can I do that xfce4-panel uses /run/current-system/sw/ as a prefix instead of its own prefix? look at the source code. Sometimes there are options, sometimes you have to patch it. Quicker way: Use a symlink: ln -s $out-of-xfce/panel /var/run/panel or the like Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] how to install load kernel module wl?
man configuration.nix There is a system option 'extraKernelPackages' or such (boot section). Why doesn't nix-env -i work? Because modprobe is a wrapper which is passed a module directory which is assembled by nixos. And that module directory is always represented by /var/run/booted-system only (AFAIK) for good reasons. The booted kernel should always match the modules available. So maybe you even have to restart (or manually change such a symlink). cat `which modprobe` should make you understand if you follow the MDULE_DIR path to the store. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] openjdk cannot run GUI applications in NixOS
I've had trouble with thinking rock (only using my old files). Never mind - I replaced it with task warrior For those who are still looking for a small nifty task management application: http://taskwarrior.org/projects/taskwarrior/wiki/Tutorial It looks like there are many different frontends. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] [nix language] strings that have paths/derivations embedded
Excerpts from Mathijs Kwik's message of Tue Oct 09 12:09:33 +0200 2012:
I found the scary-sounding function unsafeDiscardStringContext,
which seems to work around this problem.
Can someone please shed some light on what's going on (or nix
string/context handling in general) and if it that function is safe to
use for this case.
Example:
yourderivation {
name =
scritp = ''
${unsafeDiscardStringContext otherDerivation}
'';
}
AFAIK this should not build otherDerivation, but pass the store path of
otherDerivation.
Marc Weber
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] openjdk cannot run GUI applications in NixOS
thinkingrock, minecraft both fail, too. Minecraft shows a trace. I wasn't sure wether it was related to my ati proprietary drivers - its not. freemind is yet another simple example which can be tested. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] unable to delete a store path
Try manually deleting it: # unset readonly flag: chattr -R -i STORE_PATH # remove it: rm -fr STORE_PATH nix-store --verify should remove it automatically then. If it doesn't work you may have to delete it from the database manually (?). But then I'd make sure to have a backup. There may be more options, though Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] unable to delete a store path
Try such:
STORE_PATH=/nix/store/jra1icncr6bfp9ysjf858z9rs3r54h4
follow_link_rec(){
if [ -s $1 ]; then
[ /nix/store == ${1:0:10} ] echo $1
follow_link_rec $(readlink $1)
else
echo $1
fi
}
find /nix/var/nix/gcroots -type l | while read l; do
if follow_link_rec $l | grep -q $STORE_PATH; then
echo $l somehow references your store path $STORE_PATH
fi
done
In my test (using the store path referenced by /var/run/current-system)
I get this output:
/nix/var/nix/gcroots/current-system somehow references your store path
/nix/store/jra1icncr6bfp9ysjf858z9rs3r54h4
/nix/var/nix/gcroots/booted-system somehow references your store path
/nix/store/jra1icncr6bfp9ysjf858z9rs3r54h4
and this is expected. However mind that the nix-store query you ran does
not show the gc root origin:
%nix-store --query --referrers-closure
/nix/store/jra1icncr6bfp9ysjf858z9rs3r54h4l-nixos-0.1pre-git
/nix/store/jra1icncr6bfp9ysjf858z9rs3r54h4l-nixos-0.1pre-git
However like in your case it seems to reference itself (whatever this
means - don't know)
So what may have happened? Eventually you ran nix-build or such
(creating a result link) in /nix/var/nix/gcroots ?
Is this allowed? That's just a wild guess.
If you get some output we'll know more, if you don't we'll have to
continue digging for the cause.
Marc Weber
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] NixOS on systemd
Hi Eelco, Would you mind listening the advantages causing you to propose the switch one day? If there are strong reasons I'll try to help fix remaining bugs. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] NixOS on systemd
Excerpts from Marc Weber's message of Thu Sep 13 16:14:20 +0200 2012: Would you mind listening the advantages causing you to propose the sorry - I meant listing. Should have been clear from context though. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] easiest way to create a derivation which is just a directory with files
Excerpts from Mathijs Kwik's message of Tue Aug 28 18:14:07 +0200 2012:
I have a bunch of files created with pkgs.writeText.
writeText = you can specify the target location such as $out/bin/x or
$out/share/foo
= how to turn them into one directory?
mkDerivation {
name = x;
phases = installPhase;
derivationsToLink = [ fileA fileB ];
installPhase = ''
ensureDir $out
for i in $derivationsToLink;
mkdir -p ..
cp $i $out/ ..
done
'';
}
well - this derivation already exists, its called buildEnv and is very
very similar to what nix-env does..
I would like to bundle them into 1 derivation, so I can run buildEnv
on a few of these dirs to merge them.
Alternative - wiki how to keep multiple packages up to date easily or such.
That's using buildEnv like stuff, too.
There was yet another function using xorg tool to build symlinks - but
it does not matter anymore cause you got enough pointers now.
Marc Weber
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] [Hackage] How to install Hackage package, not presented in nixpkgs, locally?
Those hashes have been introduced somewhen after ghc 6.12 to make the dependency hell easier which existed with cabal. Eg if you have A B C D and you cabal had to recompile A and B because you tried installing yet another package C and D are stale because A,B it depends on are gone. To detect this case hashes were introduced. Usually chances were high that things just worked. But don't forget that it could have been also you reinstalling the dev version of B not changing version number. That could lead to bugs which are hard to find if you don't recompile C and D. Now what does it mean in your case? Try installing everything without hydra and retry - it may be the case that A,B were built by hydra, but C is what you're trying to build locally. I don't know exactly how ghc/cabal calculates those hashes, so I may be wrong. But it very much looks like such a problem. How to rebuild everything from source? Got to the definition of that ghc version, then add a dummy env var such as FORCE_REBUILD=1; and retry. That FORCE_REBUILD should cause nix rebuilding everything from source. Report if this solved the issue. If it does we should document it on the wiki till somebody has time to find a real fix for it. Of course you can try waiting for additional replies, too. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] [Hackage] How to install Hackage package, not presented in nixpkgs, locally?
This is the most recent howto Haskell page: https://nixos.org/wiki/Haskell
talking about how to use the Haskell packages which are packaged by
official nixpkgs.
My personal solution which is an alternative called hack-nix
allows you to install the package by adding a single line:
pipesCore = exeByName { name = pipes-core; };
See latest commit:
https://github.com/MarcWeber/nixpkgs-haskell-overlay/commit/1fde32dc7a6615a00335f33419dbc88ef84b95eb
For that repository to work you also have to use the
experimental/hack-nix branch found at github.com/MarcWeber/nixpkgs which
adds some additional knowledge about core packages of each ghc version
required by the brute force hack-nix solver.
However if you use it as dependency for a different target executable
its likely that running hack-nix --build-env will just succeed.
If it does not just ping me on irc or by mail
I'll write a nice wiki article now.
Marc Weber
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] store passwords - once again
Excerpts from Vladimír Čunát's message of Mon Aug 13 21:29:59 +0200 2012:
Isn't that essentially the private-file approach, only stored outside
the nix store?
Exacetly. An example would look like this:
Example:
let user = {
# may go to store;
domain = ...; # used for apache configuration
USER = ..;
DATABASE = ..;
# may not go to store, only use as input to writeHash ..
PASSWORD = ..; // mysql password, should not go to store, take care (don't
use except as input to)
}
# file name will be set to /var/secret/hash
# can be used in mysql/apache upstart scripts to write configuration
# files which tell PHP apps about the database connection.
user_password_file_path_not_in_store = builtins.writeHashed {
dir = /var/secret/; contents = user.PASSWORD;
# the mysql can access the database anyway ..
uid = uids.mysql;
gid = uids.mysql;
wohe 700;
};
Then you can write code initializing the database (creating user etc)
without having to write the password to the store.
Yes - you could create the files manually - but would be more work also.
Yes - there is no gc deleting files again (disk is cheap, or cleanup
and rerun nixos-rebiuld)
I totally agree with it being impure. Its a 80% of value by spending 20%
of effort solution.
Marc Weber
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] ssh and zsh
Excerpts from Mathijs Kwik's message of Mon Aug 13 23:24:54 +0200 2012: Whenever I try to ssh to an account that has zsh as its shell, with a command to execute, it seems zsh doesn't source the necessary files that set PATH and other environment variables. Have a look at my multiple shell support patch on my github page. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] ssh and zsh
Any plans to get these merged? Showstoppers? Lack of feedback. Lack of testing on my side. Pay attention to the .topmsg file and the small patch for nixpkgs which you also need. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] store passwords - once again
Would a patch like this be accepted until ACLs get implemented?
At least this way you can declare passwords without putting them into
the store (if you take some care).
The idea is to create /var/passwords/mysql-345344
and have the mysql startup script read them creating the databases.
The store only contains the path to /var/passwords/.., thus only the
mysql/apache/.. user can read it.
Maybe I'd prefer a ACL solution, too. But there is much more to think
about?
diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc
index 0d4efc4..2f1b141 100644
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@@ -666,6 +666,123 @@ struct FilterFromExpr : PathFilter
return state.forceBool(res);
}
};
+/* arguments:
+ attr with names:
+ {
+ dir = /root/passwords/;
+ prefix = mysql-;
+ contents = contents;
+ uid = uids.apache
+ gid = gids.apache
+ mode = ..
+ }
+
+ The function calculates a hash based on the (string) contents writing a
+ dir/${prefix}${hash} file with 700 mode
+
+ This way you configure passwords in configuration.nix without writing them
+ to the store - which also implies that you have to copy your dir to another
+ machine to duplicate it .. copying your store contents is no longer enough.
+
+ Upstart jobs are usualyl run as root anyway.
+
+ The perfect solution would be: https://github.com/NixOS/nix/issues/8
+ But until that exists - this is faster to implement
+
+ // TODO add some caching, allow setting user/group ids and mode?
+ */
+static void prim_writeFileHashed(EvalState state, Value * * args, Value v)
+{
+PathSet context;
+
+Value a = *args[0];
+
+state.forceAttrs(a);
+
+string dir = ;
+string prefix = ;
+string contents = ;
+unsigned int mode = ~0400;
+
+int u_id = -1;
+int g_id = -1;
+
+// dir
+Bindings::iterator j = a.attrs-find(state.symbols.create(dir));
+if (j == a.attrs-end())
+throw TypeError(`dir' attribute missing in a call to
`writeFileHashed');
+dir = state.forceStringNoCtx(*j-value);
+
+// optional prefix
+j = a.attrs-find(state.symbols.create(prefix));
+if (j != a.attrs-end()){
+ prefix = state.forceStringNoCtx(*j-value);
+}
+
+// contents
+j = a.attrs-find(state.symbols.create(contents));
+if (j == a.attrs-end())
+throw TypeError(`contents' attribute missing in a call to
`writeFileHashed');
+contents = state.forceStringNoCtx(*j-value);
+
+
+// uid
+j = a.attrs-find(state.symbols.create(uid));
+if (j != a.attrs-end()){
+ u_id = state.forceInt(*j-value);
+}
+// gid
+j = a.attrs-find(state.symbols.create(gid));
+if (j != a.attrs-end()){
+ g_id = state.forceInt(*j-value);
+}
+
+// mode
+j = a.attrs-find(state.symbols.create(mode));
+if (j != a.attrs-end()){
+ string mode_str = state.forceStringNoCtx(*j-value);
+ if (mode_str.length() != 3){
+// should also verify that 0-7 only ..
+throw EvalError(format(bad mode string! %s) % mode_str);
+ }
+ if (mode_str[0] '0' || mode_str[0] '7'
+ || mode_str[1] '0' || mode_str[1] '7'
+ || mode_str[2] '0' || mode_str[2] '7'
+ )
+throw EvalError(format(bad mode string! %s) % mode_str);
+ int dec = atoi(mode_str.c_str());
+
+ mode = ~( (dec% 10)
+ + ((dec / 10 % 10) 3)
+ + ((dec / 100 % 10) 6) );
+}
+
+Hash h = hashString(htMD5, contents);
+
+string path = (format(%1%/%2%%3%) % dir % prefix % printHash(h)).str();
+
+// unlink so that the file is always recreated with umask
+unlink(path.c_str());
+
+// can't use writeFile function because fchown is used
+int old_mode = umask(mode);
+FILE *f = fopen(path.c_str(), w);
+umask(old_mode);
+
+if (!f)
+ throw EvalError(format(Couldn't create file `%1%') % path);
+
+// try setting owner:
+if (u_id != -1 || g_id != -1){
+ if (fchown(fileno(f), u_id, g_id)){
+fclose(f);
+throw EvalError(format(Couldn't set uid, gid of file `%1%' - take
care - the file may have been truncated!) % path);
+ }
+}
+
+// everything is fine - write and close
+writeFull(fileno(f), (unsigned char *) contents.data(), contents.size());
+fclose(f);
+
+mkString(v, path, context);
+};
static void prim_filterSource(EvalState state, Value * * args, Value v)
@@ -1104,6 +1221,9 @@ void EvalState::createBaseEnv()
addPrimOp(__toFile, 2, prim_toFile);
addPrimOp(__filterSource, 2, prim_filterSource);
+
+addPrimOp(writeFileHashed, 1, prim_writeFileHashed);
+
// Attribute sets
addPrimOp(__attrNames, 1, prim_attrNames);
addPrimOp(__getAttr, 2, prim_getAttr);
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] store passwords - once again
Excerpts from Eelco Dolstra's message of Mon Aug 13 01:54:35 +0200 2012: Unfortunately no, because this patch would introduce an untracked side effect to evaluation, namely creating files in a non-store location. enableParallelBuilding = true is also impure. Do you want to remove that feature again? Or can we apply the same solution to this problem: Create a new nix option so that people can opt in ? I totally agree that Nix should as close to perfect as possible. Anyway putting passwords in the store as recommended by the mediawiki case in nixos is no option either. Looks like I'm the only one wanting this for now - so I'll shut up. I'm not going to force anything. You all will find a topic branch experimental/nix here: https://github.com/MarcWeber/nixpkgs including that and the debug coercion failure patch. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] (sudo (-H)) nix-collect-garbage
Hi Florian, before we start propagating any env vars can you make me understand why a user have a different value than root? If does this happen intenionally? Would exporting NIX_CONF_DIR in profile.sh (nixos repo) be an alternative? If so why is your solution better? Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] (sudo (-H)) nix-collect-garbage
All right. I agree that its the best solution. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] store passwords - once again
I've had the ACL idea, too. However I feel its little more work to implement. Also I feel there is more which can go wrong. If it works its the better solution, I a agree. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] security - observing changes - example authorizedKeys
@ Eelco: sshd should be restarted: I'll check. You make a false assumption: That the kernel operates the way it should - thus that files which are unreadable stay unreadable. Eg have a look at this case: http://www.h-online.com/security/news/item/Root-exploit-for-Linux-kernel-published-742541.html [1] And on our kernels no security audits are done - and no - I don't think that regular penetration testing tools can test that (@Eelco) because it may not be know today. But why does btrfs devs work on online filesystem checks? Maybe limiting the request to security concerns is not enough. Se let me just list a view things which can go wrong I want to detect: I might be using btrfs - and that in combination with my kernel (or the kernel used by hosting providers) might be buggy. So if something is different than I expect it to be - I want to know. This includes: * store paths of the booted/current system (maybe of all user environments, too) * .ssh/authorized_keys (for security reasons) * ports (for security reasons - every app listening to the outside world is suspicious) cosmic ray could cause corruption (and if it happens you may want to consider setting up a new system moving your data there). If something should not be changed, it has to be made impossible Well - I hope you agree on the usefulness of continuous integration and automatic tests. However the search space is that huge that it would be hard to write test cases for all kinds like [1]. In the end that would mean dropping C/C++ and using other languages. And that's not feasible. So if you'd tell developers Don't write tests - make sure it doesn't go wrong I'd ask you twice about why you think thats enough. Basically I agree - but I also feel uncertain about everything - because I code myself - and humans sometimes fail (so do kernel devs - even though they shouldn't). Next sample: If you run PHP code which was written for 5.2 on 5.3 you may git segfaults in some cases. segfaults can be used by attackers etc. You just can't make sure that such never happens. I agree that by monitoring some files I don't feel perfectly safe. But at least I have a chance to detect all kind of changes and take action. And trusting the nix store hash sums (nix-store --verify --check-contents) is not safe either - because the database could have been compromised (then the attacker would know nixos very well). Such kind of verification should happen always from the outside. So yes - verifying that the checksums didn't change is another thing to monitor. Like I said, I haven't started any of this, but I think it's a nice idea to have things activated/setup beyond /etc and to just have the full (mandatory) system in store. Additional unexpected files in /etc are also suspicious and worth knowing about. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] reverse dependencies
Excerpts from Florian Friesdorf's message of Sat Jul 21 17:50:55 +0200 2012: how do we get all packages using a derivation (e.g. python27) either directly or indirectly? nix-store has some options. If that's not enough access /nix/var/nix/db/db.sqlite and run your own queries. Or patch nix-store. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] [ANN] Guix, functional package management from Guile
Why did I miss this mail? I think lot's of us had thoughts like this (at least I had). One of the core features of nix is that its lazy - I guess that's one of the main reason why Eelco didn't just use python/ruby/perl ... So what do you think about how performance would compare? There are *lots* of use cases for using another high level language (hackage, ruby ,python packages being favorite samples). Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
[Nix-dev] security - observing changes - example authorizedKeys
I just had a look at the user.name.openssh.authorizedKeys.keys option: - That you can choose adding a section /overriding everything is great problems: - it doesn't get run in the activation phase (?) - Thus you have to restart sshd (which is non obvious without reading code) How to fix? Add it to the activation phase ensure its run after the code creating the users .. Thus which is the way to go? add postUserSetup script like options? - if you want to control that file entirely - should the script be run by a cron-job every X hours - and should be there a way to report violations? I mean you don't want to ssh every 3 days to make sure that all authorized_keys files contain what you think they contain. That's only one use case. Checking ports, permissions on files (eg home directories) and much more should be checked regularly if you want feel save. Does this make sense? Has anybody else thought about how this should be implemented? I mean nobody wants to get hacked - but if you do - you should know about it. That's why I think about how to detect that case as well. It will be very hard (if not impossible) to make sure that nixos is total secure. I feel nobody can pay full penetration testing after each small update - which is why I think about finding alternatives. I'm aware that chowning large email directories could have impacts on performance which makes me think that what I'm looking for is not feasible? Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] nix promotion material / media
What about this wiki page? https://nixos.org/wiki/Nix(OS)_related_repositories_and_work Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] variable scope / recursion
Excerpts from Mathijs Kwik's message of Fri Jul 06 11:53:28 +0200 2012:
packageOverrides = pkgs:
{ foo = string;
bar = pkgs.foo + concatenation;
};
solution a) use rec:
(rec {
foo = ...
bar = foo
;
})
solution b,c )
use let recursion or fix function (which in turn can be implemented by
let recursion or such).
second: read comments code: pkgs is the original pkgs, not the patched one:
overrider pkgsOrig // ..
Then it should be clear wy foo is not known.
Marc Weber
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Announcing free-nix: the free Linux distribution based on the Nix package manager
What I am saying is that after 4 years of continuous work on Nix, I have a significant investment in this project, and changes that are made to this project affect me personally and professionally in ways that may not be obvious to the person who is making that change. Which is why you can't accept democracy either :) (sorry). But its great - that we all agree that hydra is the key point for professional usage. Thus free-nix is about having a free to use hydra? Can you see why I am kind-of unhappy right now? Yes - sure. And you will probably also see that free-nix can't be lead by democracy either, because you have nixos installed on 100 machines now - This I don't think its going to solve your problems unless the majority agrees on we will do whatever is necessary to keep your machines running :) What we really need is a hydra we all have kind of control over - so that we all can build and test our experimental branches ourselves. And here expenses are involved - (which is usually a problem for open source projects - which is why most of them don't want to touch money at all) Anyway: That nixos starts being used that much is a great sign - we should celebrate it :) My two cents. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Using Nix for installing local projects
Excerpts from Alexander Foremny's message of Wed Jun 27 15:23:44 +0200 2012: Talking about Haskell its always good to know about your target executable / library. imaginary dependency relations: Lib-A - hoauth - foo - TARGET-EXECUTABLE you want: hoauth-patched - foo' - TARGET-EXECUTABLE' solution 1) The quick and dirty way is using ./Setup sdist or such and replace the src attribute in nixpkgs - however this requires you to keep patches against official nixpkgs. And that might influence other packages also depending on the library.. solution 2) use kind of magic deep overwriting (applyGlobalOverwrites) or such. At This point Peter or Andres Loeh should reply - because they have setup the current haskell packages system solution 3) use hack-nix: It differs from nixpkgs: It has a set packages it knows about which I like to call package pool. By default its a limited set (latest versions found on hackage + some manually selected older versions to keep things compiling). Its advantage is that it does .cabal file dependency checking! The downside is: it does .cabal file dependency checking using brute force (and there are many ways to combine packages ..) By limiting the pool you can still get good results on average cases. Eg packaging hoauth was as much work as adding c library curl to the buildInputs of the curl hackage package.. no more manual work was required which took me about 15secs. Then you can easily add dev packages to the pool. By giving them a slightly higher version number - and the foo' and TARGET-EXECUTABLE' will be the result. See https://github.com/MarcWeber/hack-nix heading How to tell hack-nix about custom packages which are not yet on hackage Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Anarchy
Excerpts from Michael Weiss's message of Wed Jun 27 14:02:47 +0200 2012: I have a hard time following you. Having a global namespace for python and ruby's 'expect' or 'mechanize' libraries causing kind of failure doesn't seem to be what we want? Or how would you call them? prefix by python- or ruby-? Intuitively, adding something to a collection should never break what's already there. Well - you have to understand dependencies: simplified example: kernel-3.6 - glibc-1.0 - curl-library-1.0 - firefox-1.0 ^ http lib ^ target application ^ system lib Now what should happen if you add a glibc-1.1? Does this require resigning of firefox (yes, it does). Do you want to change firefox executable or just try your new glibc version with your command line application you might care about right now? That's what all issues are about: There are so many different ways to combine packages and versions - that packages have to make a decision and only test some (or only one) combination which is called the distributtion. That's what gentoo, mandrake, debian, nixpkgs, ... do. Why? Because its already enough work to test this one combination of glibc, curl, firefox, kernel. And you also want to install only one version of glibc if you reinstall your system - for that reason you __want to break existing packages__ if you add a new version of glibc - other wise you would still install 10 different kernel versions today just because any small thing was using it in the past .. The don't break any existing stuff policy you talk about is applied by many companies - which has these consequences: - they are still using technology 20 years ago - there is no chance to change it ever - because that would take many years (nobody can pay) In fact its easy to imagine the perfect world you're talking about but in the real world you want to optimize the work (testing, downloading, writing .nix files, ...) often results in the less perfect quick and dirty sets of things. It looks like what you're asking for is a pool of recipes signed by devs which can be used to build up a system using another recipe (you don't talk about). And that last recipe is the one saying: prefer glibc-1.1 over glibc-1.0 but only when building firefox, not when building mutt email client. And its saying: build package foo with expat and not with libxml even though both are possible - so that the user has to download libxml only. And that's the manual work maintainers do - limit the amount of possible combinations of package recipes creating a distribution which is much more likely to work. In the very long run nixpkgs may be refactored and look like a) pool of sources b) pool of recipes knowing how to build the referenced sources of a for various platforms c) a dependency solver which uses packages recipes from b) + additional info about which combinations to force or ignore yielding the final system. Now imagine you have such a complex system - you still have an issues: Its testing. Using the manually written all-packages.nix its very easy to bisect problems: follow the revisions, rebuild, test .. ah rev 527 caused issues. If you start thinking about software the way I sketched its much much harder to determine why something was assembled in a different by a solver eventually causing breakage. That's the same reason why kernel is only changed in very small steps - to make it possible to find bugs. Nevertheless packages systems such as rubyforge, hackage (haskell) and even Eclipse (equinox p2) show that such automation is possible, but evaluation time also increases very very much unless you take effort to limit the space of solutions (which I did in hack-nix). The great thing is: nix is still the perfect tool to give this all a try - because the idea putting each package into its own directory /nix/store/hash-package-name using a garbage collector etc - it applies to all different models we can think of. If software distribution and upgrades was so easy less people would work on it :) Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Improving the Developer Experience in the Nix Community
Excerpts from Shea Levy's message of Thu Jun 28 00:38:16 +0200 2012: Ok. Why was builderDefs rejected? What problems do you see with it, and what do others see? What does reject mean? I'd say it was not adopted (by me yet) because the existing monolitic setup.sh works good enough - I have my templates and its fastest for me. That's why I didn't spend more time on it. And if there was a change it would be ok to have different scripts until there is a big let's recompile all change - then everything could be updated to use the latest version of setup.sh Problems? You can't say this phase must be run before configure, can you? Not sure how often this case happens. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Improving the Developer Experience in the Nix Community
Excerpts from Shea Levy's message of Thu Jun 28 00:52:53 +0200 2012: Eelco has said on a few occasions that new packages should not use builderDefs, IIRC. I guess the right thing to do is adding a comment then (?) I missed it his advice :( Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Announcing free-nix: the free Linux distribution based on the Nix package manager
Excerpts from Peter Simons's message of Tue Jun 26 12:45:18 +0200 2012: project's goals, policies, and procedures. Stating a vision or project goal is great. That has been lacking for nixos IMHO. Whether new mailinglists will be created or not - will be discussed later then? Announcing a new repo is easy - have you already thought about how to run test cases (build farm?). At this point expenses are involved (IMHO). I understand that its the community who has to decide on that. New challenges I see: nixpkgs (the package collection) may provide packages for different targets in the future, eg there is http://www.android-x86.org/ etc. I don't know enough about the subject to judge it - just writing down what comes to my mind. Just thinking that 'free-nix' (whatever that will be ) may end up in different sub projects in the future. At least I would love to have similar guarantees on mobile phones as I have on my desktop pc. Another topic would be overlays. Eg for Python/Ruby/Haskell packages there exist already two implementations (mine and the one found in nixpkgs). Because there are many different topics which could be discussed - and because the community is still small I hope that whatever happens collaboration will continue to happen - nobody can afford to run a linux distribution on its own today. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] Announcing free-nix: the free Linux distribution based on the Nix package manager
Excerpts from Shea Levy's message of Tue Jun 26 15:36:17 +0200 2012: Will proprietary or non-GPL'd software be allowed to be packaged in free-nix? Or, what do you mean by the 'free' in free-nix? Peter said: and then the group of people that comes out of this process is going to constitute itself as a community by jointly creating a SOCIAL CONTRACT that determines the project's goals, policies, and procedures. Thus if you want to be a part of it its you having a vote. So its you who can ask for such ... I think that's the important thing to understand: In which way will free-nix differ from nixos.org. And that will not be known until that SOCIAL CONTRACT exists. Until then everything is void IMHO. For that reason all people caring about nixos should write down what they like - and what they dislike - eventually there is not that a huge difference. We all benefit from a strong (unsplit) community we can ask for help. Most of us have day jobs - and thus our resources are limited. Keep that in mind. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
[Nix-dev] nixpkgs/ nixos playground for sharing work and patches
log into github, there you can become a member for both gists yourself
somehow:
nixpkgs: https://gist.github.com/2995910
public git://github.com/NixOS/nixpkgs.git
private (push): git remote add gist g...@gist.github.com:2995910.git
nixos: https://gist.github.com/2995911
public git://github.com/NixOS/nixos.git
private (push): git remote add gist g...@gist.github.com:2995911.git
Thus if you run
git remote add gist ..
Then you can push to the repositories by
git push gist your-branch
and fetch everything by
git fetch gist
or cleanup (git remote prune gist; git gc)
IMPORTANT: This is experimental. I have not checked when github deletes
gists - so keep local copies (you will have them anyway).
As policy I'd just recommend using branch names such as:
need-help/... for patches you need help with
review/...for patches you want to be reviewed
feed-upstream/... which should be ready for merging upstream
complicated patches should be kept here for a week so
that they can be commented on the mailinglist.
attick/...when cleaning up branches could be moved here.
YOUR_NAME/... your personal stuff
experimental/... things which may go to review/ or feed-upstream one day
Everything else is up to your liking.
Sample workflow:
git branch need-help/gcc-experiments
git push gist need-help/gcc-experiments
# write to mailinglist, people can create # gcc-experiments-proposal-{1,2,3}
or the like
Then the patch could be moved to review/ or feed-upstream by
git branch -m feed-upstream/gcc-experiments
# push new:
git push gist feed-upstream/gcc-experiments
# delete old location:
git push gist :need-help/gcc-experiments
Now people can do git fetch once every 4 days and see what's new, in
progress, pending, urgent whatsoever.
I hope that both: nix-free (if it ever survives the following X weeks)
and nixos members enjoy using these playgrounds.
Its not perfect but will make it easy to understand whats going on.
(still pushing master to the nixpkgs gist)
Marc Weber
___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] A bunch of patches to nixpkgs and questions
I've made a bunch of changes to nixpkgs that I would like to share. I've just created two gist repositories (let's see how well it works. I don't know whether github gives any guarantees - but people have local copies anyway): nixpkgs: https://gist.github.com/2995910 (upload still taking place) nixos: https://gist.github.com/2995911 Can you log into github, join the nixpkgs gist and push your changes? Let's see how well this works. Then we can review it easily (or give this gist idea a try) Then write again with your branch name or hash. See other thread. Now, the questions: * Is there a nice way to download a file, compute a hash, place the hash into the fetchurl nix-expression and to build it without redownloading the file again? nix-prefetch-url comes closest. Because those files are fixed hash derivations you can also use a local file file:///tmp/foo.tar.bz and replace that with http:// without causing rebuilds (if you have a local copy) - there may be better solutions * I saw something like nix-env -iA haskellPackages.xmonad somewhere, but it fails for me with error: attribute `haskellPackages' in selection path `haskellPackages' not found See how to find the package I'm looking for on wiki. If you use channels you may need an attr prefix. Evetually ready a .nix-profile/default.nix file or so may help (I don't use them currently so I don't know) nix-build -A haskellPackages.xmonad works (I have default.nix in $HOME symlinked to nixpkgs). Why is that? NIX_PATH env var or the like could cause that difference, maybe default.nix is used by default (maybe use strace to find out whether either one is using systemwide nixpkgs). I don't know exactly. Marc Weber ___ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev
