2.3'/>
<meta name='robots' content='noindex, nofollow'/>
<link rel='stylesheet' type='text/css' href='/cgit-static/cgit.css'/>
<link rel='stylesheet' type='text/css' href='/cgit-static/better-cgit-markdown-heading-color.css'/>
<link rel='shortcut icon' href='/cgit-static/favicon.ico'/>
<link rel='alternate' title='Atom feed' href='https://git.koszko.org/guix/atom/nix/libstore?h=koszko' type='application/atom+xml'/>
</head>
<body>
<div id='cgit'><table id='header'>
<tr>
<td class='logo' rowspan='2'><a href='/'><img src='https://git.koszko.org/cgit-static/cgit.png' alt='cgit logo'/></a></td>
<td class='main'><a href='/'>index</a> : <a href='/guix/'>guix</a></td><td class='form'><form method='get'>
<input type='hidden' name='id' value='b6f774e55053aff30adab9ac52c54e10e987fdea'/><select name='h' onchange='this.form.submit();'>
<option value='koszko' selected='selected'>koszko</option>
<option value='koszko-scripts'>koszko-scripts</option>
</select> <input type='submit' value='switch'/></form></td></tr>
<tr><td class='sub'>Wojtek's customized Guix</td><td class='sub right'></td></tr></table>
<table class='tabs'><tr><td>
<a href='/guix/about/'>about</a><a href='/guix/'>summary</a><a href='/guix/refs/?id=b6f774e55053aff30adab9ac52c54e10e987fdea'>refs</a><a class='active' href='/guix/log/nix/libstore'>log</a><a href='/guix/tree/nix/libstore?id=b6f774e55053aff30adab9ac52c54e10e987fdea'>tree</a><a href='/guix/commit/nix/libstore?id=b6f774e55053aff30adab9ac52c54e10e987fdea'>commit</a><a href='/guix/diff/nix/libstore?id=b6f774e55053aff30adab9ac52c54e10e987fdea'>diff</a></td><td class='form'><form class='right' method='get' action='/guix/log/nix/libstore'>
<input type='hidden' name='id' value='b6f774e55053aff30adab9ac52c54e10e987fdea'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=b6f774e55053aff30adab9ac52c54e10e987fdea'>root</a>/<a href='/guix/log/nix?id=b6f774e55053aff30adab9ac52c54e10e987fdea'>nix</a>/<a href='/guix/log/nix/libstore?id=b6f774e55053aff30adab9ac52c54e10e987fdea'>libstore</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/nix/libstore?id=b6f774e55053aff30adab9ac52c54e10e987fdea&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2024-11-17 23:15:49 +0100'>2024-11-17</span></td><td><a href='/guix/commit/nix/libstore?id=cf10268a7783207aec30e0169b61362df0d2512d'>daemon: Improve error message in ‘checkStoreName’.</a><span class='msg-avail'>...<span class='msg-tooltip'>* nix/libstore/store-api.cc (checkStoreName): Clarify message when NAME
starts with a dot.

Change-Id: I045a663bc6cd9844677c65b38a31d3941cf212b5
Signed-off-by: Ludovic Courtès &lt;ludo@gnu.org&gt;
</span></span></td><td>Brennan Vincent</td></tr>
<tr><td><span title='2024-10-21 00:09:24 +0200'>2024-10-21</span></td><td><a href='/guix/commit/nix/libstore?id=5ab3c4c1e43ebb637551223791db0ea3519986e1'>daemon: Sanitize successful build outputs prior to exposing them.</a><span class='msg-avail'>...<span class='msg-tooltip'>There is currently a window of time between when the build outputs are exposed
and when their metadata is canonicalized.

* nix/libstore/build.cc (DerivationGoal::registerOutputs): wait until after
  metadata canonicalization to move successful build outputs to the store.

Change-Id: Ia995136f3f965eaf7b0e1d92af964b816f3fb276
Signed-off-by: Ludovic Courtès &lt;ludo@gnu.org&gt;
</span></span></td><td>Reepca Russelstein</td></tr>
<tr><td><span title='2024-10-21 00:09:10 +0200'>2024-10-21</span></td><td><a href='/guix/commit/nix/libstore?id=558224140dab669cabdaebabff18504a066c48d4'>daemon: Sanitize failed build outputs prior to exposing them.</a><span class='msg-avail'>...<span class='msg-tooltip'>The only thing keeping a rogue builder and a local user from collaborating to
usurp control over the builder's user during the build is the fact that
whatever files the builder may produce are not accessible to any other users
yet.  If we're going to make them accessible, we should probably do some
sanity checking to ensure that sort of collaborating can't happen.

Currently this isn't happening when failed build outputs are moved from the
chroot as an aid to debugging.

* nix/libstore/build.cc (secureFilePerms): new function.
  (DerivationGoal::buildDone): use it.

Change-Id: I9dce1e3d8813b31cabd87a0e3219bf9830d8be96
Signed-off-by: Ludovic Courtès &lt;ludo@gnu.org&gt;
</span></span></td><td>Reepca Russelstein</td></tr>