Store the crawl version in the textdatabases in SAVEDIR and upgrade the databases when the crawl version changes. By default crawl checks for a mtime difference on files in DATADIR to see if an upgrade is required, but guix nulls all file dates, and crawl would never upgrade saves. diff -ur a/source/database.cc b/source/database.cc --- a/crawl-ref/source/database.cc 2018-08-09 21:49:26.000000000 -0400 +++ b/crawl-ref/source/database.cc 2018-10-07 18:06:41.022445789 -0400 @@ -24,6 +24,7 @@ #include "stringutil.h" #include "syscalls.h" #include "unicode.h" +#include "version.h" // TextDB handles dependency checking the db vs text files, creating the // db, loading, and destroying the DB. @@ -54,6 +55,7 @@ vector _input_files; DBM* _db; string timestamp; + string version; TextDB *_parent; const char* lang() { return _parent ? Options.lang_name : 0; } public: @@ -163,7 +165,7 @@ TextDB::TextDB(const char* db_name, const char* dir, vector files) : _db_name(db_name), _directory(dir), _input_files(files), - _db(nullptr), timestamp(""), _parent(0), translation(0) + _db(nullptr), timestamp(""), version(""), _parent(0), translation(0) { } @@ -171,7 +173,7 @@ : _db_name(parent->_db_name), _directory(parent->_directory + Options.lang_name + "/"), _input_files(parent->_input_files), // FIXME: pointless copy - _db(nullptr), timestamp(""), _parent(parent), translation(nullptr) + _db(nullptr), timestamp(""), version(""), _parent(parent), translation(nullptr) { } @@ -186,6 +188,9 @@ return false; timestamp = _query_database(*this, "TIMESTAMP", false, false, true); + version = _query_database(*this, "VERSION", false, false, true); + if (version.empty()) + return false; if (timestamp.empty()) return false; @@ -229,6 +234,9 @@ string ts; bool no_files = true; + if (string(Version::Long) != version) + return true; + for (const string &file : _input_files) { string full_input_path = _directory + file; @@ -246,7 +254,7 @@ ts += buf; } - if (no_files) + if (no_files && version.empty()) { // No point in empty databases, although for simplicity keep ones // for disappeared translations for now. @@ -312,7 +320,10 @@ _store_text_db(full_input_path, _db); } } + + string current_version = string(Version::Long); _add_entry(_db, "TIMESTAMP", ts); + _add_entry(_db, "VERSION", current_version); dbm_close(_db); _db = 0; 898a01'>daemon: Loop over ‘copy_file_range’ upon short writes....Fixes <https://issues.guix.gnu.org/70877>. * nix/libutil/util.cc (copyFile): Loop over ‘copy_file_range’ instead of throwing upon short write. Reported-by: Ricardo Wurmus <rekado@elephly.net> Change-Id: Id7b8a65ea59006c2d91bc23732309a68665b9ca0 Ludovic Courtès 2024-03-12daemon: Address shortcoming in previous security fix for CVE-2024-27297....This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143. Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two ways: (1) it didn’t have any effet for fixed-output derivations performed in a chroot, which is the case for all of them except those using “builtin:download” and “builtin:git-download”, and (2) it did not preserve ownership when copying, leading to “suspicious ownership or permission […] rejecting this build output” errors. * nix/libstore/build.cc (DerivationGoal::buildDone): Account for ‘chrootRootDir’ when copying ‘drv.outputs’. * nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and ‘fchownat’ calls to preserve file ownership; this is necessary for chrooted fixed-output derivation builds. * nix/libutil/util.hh: Update comment. Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156 Ludovic Courtès 2024-03-11daemon: Protect against FD escape when building fixed-output derivations (CVE......This fixes a security issue (CVE-2024-27297) whereby a fixed-output derivation build process could open a writable file descriptor to its output, send it to some outside process for instance over an abstract AF_UNIX socket, which would then allow said process to modify the file in the store after it has been marked as “valid”. Vulnerability discovered by puck <https://github.com/puckipedia>. Nix security advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37 Nix fix: https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9 * nix/libutil/util.cc (readDirectory): Add variants that take a DIR* and a file descriptor. Rewrite the ‘Path’ variant accordingly. (copyFile, copyFileRecursively): New functions. * nix/libutil/util.hh (copyFileRecursively): New declaration. * nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’ is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output. Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4 Reported-by: Picnoir <picnoir@alternativebit.fr>, Théophane Hufschmitt <theophane.hufschmitt@tweag.io> Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88 Ludovic Courtès 2023-01-09daemon: Improve error message for wrong hash sizes....* nix/libutil/hash.cc (parseHash): Show the hash algorithm name and expected size in the error message. * tests/derivations.scm ("fixed-output derivation, invalid hash size"): New test. Ludovic Courtès 2022-12-18daemon: Make "opening file" error messages distinguishable....* nix/libstore/build.cc (DerivationGoal::openLogFile): Customize "opening file" error message. * nix/libutil/hash.cc (hashFile): Likewise. * nix/libutil/util.cc (readFile, writeFile): Likewise. Ludovic Courtès