Merge remote-tracking branch 'origin/master' into flake-schemas

.github/CODEOWNERS

@@ -23,4 +23,4 @@ maintainers/*.md @fricklerhandwerk
 src/**/*.md @fricklerhandwerk
 
 # Libstore layer
-/src/libstore @thufschmitt @ericson2314
+/src/libstore @ericson2314

.github/workflows/ci.yml

@@ -96,6 +96,7 @@ jobs:
         name: '${{ env.CACHIX_NAME }}'
         signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
         authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+        cachixArgs: '-v'
     - id: prepare-installer
       run: scripts/prepare-installer-for-github-actions
 

.gitignore

@@ -54,6 +54,9 @@ perl/Makefile.config
 # /src/libfetchers
 /tests/unit/libfetchers/libnixfetchers-tests
 
+# /src/libflake
+/tests/unit/libflake/libnixflake-tests
+
 # /src/libstore/
 *.gen.*
 /src/libstore/tests

Makefile

@@ -18,6 +18,7 @@ makefiles = \
   src/libfetchers/local.mk \
   src/libmain/local.mk \
   src/libexpr/local.mk \
+  src/libflake/local.mk \
   src/libcmd/local.mk \
   src/nix/local.mk \
   src/libutil-c/local.mk \
@@ -45,7 +46,8 @@ makefiles += \
   tests/unit/libstore-support/local.mk \
   tests/unit/libfetchers/local.mk \
   tests/unit/libexpr/local.mk \
-  tests/unit/libexpr-support/local.mk
+  tests/unit/libexpr-support/local.mk \
+  tests/unit/libflake/local.mk
 endif
 
 ifeq ($(ENABLE_FUNCTIONAL_TESTS), yes)

configure.ac

@@ -400,6 +400,11 @@ AS_CASE(["$enable_markdown"],
 PKG_CHECK_MODULES([LIBGIT2], [libgit2])
 
 
+# Look for toml11, a required dependency.
+AC_LANG_PUSH(C++)
+AC_CHECK_HEADER([toml.hpp], [], [AC_MSG_ERROR([toml11 is not found.])])
+AC_LANG_POP(C++)
+
 # Setuid installations.
 AC_CHECK_FUNCS([setresuid setreuid lchown])
 

doc/manual/rl-next/drop-vendored-toml11.md

@@ -0,0 +1,6 @@
+---
+synopsis: Stop vendoring toml11
+---
+
+We don't apply any patches to it, and vendoring it locks users into
+bugs (it hasn't been updated since its introduction in late 2021).

doc/manual/rl-next/harden-user-sandboxing.md

@@ -0,0 +1,7 @@
+---
+synopsis: Harden the user sandboxing
+significance: significant
+issues:
+---
+
+The build directory has been hardened against interference with the outside world by nesting it inside another directory owned by (and only readable by) the daemon user.

doc/manual/src/language/string-interpolation.md

@@ -43,6 +43,47 @@ configureFlags = "
 Note that Nix expressions and strings can be arbitrarily nested;
 in this case the outer string contains various interpolated expressions that themselves contain strings (e.g., `"-thread"`), some of which in turn contain interpolated expressions (e.g., `${mesa}`).
 
+To write a literal `${` in an regular string, escape it with a backslash (`\`).
+
+> **Example**
+>
+> ```nix
+> "echo \${PATH}"
+> ```
+>
+>     "echo ${PATH}"
+
+To write a literal `${` in an indented string, escape it with two single quotes (`''`).
+
+> **Example**
+>
+> ```nix
+> ''
+>   echo ''${PATH}
+> ''
+> ```
+>
+>     "echo ${PATH}\n"
+
+`$${` can be written literally in any string.
+
+> **Example**
+>
+> In Make, `$` in file names or recipes is represented as `$$`, see [GNU `make`: Basics of Variable Reference](https://www.gnu.org/software/make/manual/html_node/Reference.html#Basics-of-Variable-References).
+> This can be expressed directly in the Nix language strings:
+>
+> ```nix
+> ''
+>   MAKEVAR = Hello
+>   all:
+>   	@export BASHVAR=world; echo $(MAKEVAR) $${BASHVAR}
+> ''
+> ```
+>
+>     "MAKEVAR = Hello\nall:\n\t@export BASHVAR=world; echo $(MAKEVAR) $\${BASHVAR}\n"
+
+See the [documentation on strings][string] for details.
+
 ### Path
 
 Rather than writing

doc/manual/src/language/values.md

@@ -6,19 +6,60 @@
 
   *Strings* can be written in three ways.
 
-  The most common way is to enclose the string between double quotes,
-  e.g., `"foo bar"`. Strings can span multiple lines. The special
-  characters `"` and `\` and the character sequence `${` must be
-  escaped by prefixing them with a backslash (`\`). Newlines, carriage
-  returns and tabs can be written as `\n`, `\r` and `\t`,
-  respectively.
-
-  You can include the results of other expressions into a string by enclosing them in `${ }`, a feature known as [string interpolation].
+  The most common way is to enclose the string between double quotes, e.g., `"foo bar"`.
+  Strings can span multiple lines.
+  The results of other expressions can be included into a string by enclosing them in `${ }`, a feature known as [string interpolation].
 
   [string interpolation]: ./string-interpolation.md
 
-  The second way to write string literals is as an *indented string*,
-  which is enclosed between pairs of *double single-quotes*, like so:
+  The following must be escaped to represent them within a string, by prefixing with a backslash (`\`):
+
+  - Double quote (`"`)
+
+    > **Example**
+    >
+    > ```nix
+    > "\""
+    > ```
+    >
+    >    "\""
+
+  - Backslash (`\`)
+
+    > **Example**
+    >
+    > ```nix
+    > "\\"
+    > ```
+    >
+    >    "\\"
+
+  - Dollar sign followed by an opening curly bracket (`${`) – "dollar-curly"
+
+    > **Example**
+    >
+    > ```nix
+    > "\${"
+    > ```
+    >
+    >    "\${"
+
+  The newline, carriage return, and tab characters can be written as `\n`, `\r` and `\t`, respectively.
+
+  A "double-dollar-curly" (`$${`) can be written literally.
+
+  > **Example**
+  >
+  > ```nix
+  > "$${"
+  > ```
+  >
+  >    "$\${"
+
+  String values are output on the terminal with Nix-specific escaping.
+  Strings written to files will contain the characters encoded by the escaping.
+
+  The second way to write string literals is as an *indented string*, which is enclosed between pairs of *double single-quotes* (`''`), like so:
 
   ```nix
   ''
@@ -40,18 +81,71 @@
   "This is the first line.\nThis is the second line.\n  This is the third line.\n"
   ```
 
-  Note that the whitespace and newline following the opening `''` is
-  ignored if there is no non-whitespace text on the initial line.
+  > **Note**
+  >
+  > Whitespace and newline following the opening `''` is ignored if there is no non-whitespace text on the initial line.
+
+  > **Warning**
+  >
+  > Prefixed tab characters are not stripped.
+  >
+  > > **Example**
+  > >
+  > > The following indented string is prefixed with tabs:
+  > >
+  > > ''
+  > > 	all:
+  > > 		@echo hello
+  > > ''
+  > >
+  > >     "\tall:\n\t\t@echo hello\n"
 
   Indented strings support [string interpolation].
 
-  Since `${` and `''` have special meaning in indented strings, you
-  need a way to quote them. `$` can be escaped by prefixing it with
-  `''` (that is, two single quotes), i.e., `''$`. `''` can be escaped
-  by prefixing it with `'`, i.e., `'''`. `$` removes any special
-  meaning from the following `$`. Linefeed, carriage-return and tab
-  characters can be written as `''\n`, `''\r`, `''\t`, and `''\`
-  escapes any other character.
+  The following must be escaped to represent them in an indented string:
+
+  - `$` is escaped by prefixing it with two single quotes (`''`)
+
+    > **Example**
+    >
+    > ```nix
+    > ''
+    >   ''$
+    > ''
+    > ```
+    >
+    >     "$\n"
+
+  - `''` is escaped by prefixing it with one single quote (`'`)
+
+    > **Example**
+    >
+    > ```nix
+    > ''
+    >   '''
+    > ''
+    > ```
+    >
+    >     "''\n"
+
+  These special characters are escaped as follows:
+  - Linefeed (`\n`): `''\n`
+  - Carriage return (`\r`): `''\r`
+  - Tab (`\t`): `''\t`
+
+  `''\` escapes any other character.
+
+  A "double-dollar-curly" (`$${`) can be written literally.
+
+  > **Example**
+  >
+  > ```nix
+  > ''
+  >   $${
+  > ''
+  > ```
+  >
+  >     "$\${\n"
 
   Indented strings are primarily useful in that they allow multi-line
   string literals to follow the indentation of the enclosing Nix
@@ -167,7 +261,7 @@ function and the fifth being a set.
 
 Note that lists are only lazy in values, and they are strict in length.
 
-Elements in a list can be accessed using [`builtins.elemAt`](./builtins.md#builtins-elemAt). 
+Elements in a list can be accessed using [`builtins.elemAt`](./builtins.md#builtins-elemAt).
 
 ## Attribute Set
 

doc/manual/src/protocols/nix-archive.md

@@ -29,7 +29,7 @@ regular = [ str("executable"), str("") ], str("contents"), str(contents);
 symlink = str("target"), str(target);
 
 (* side condition: directory entries must be ordered by their names *)
-directory = str("type"), str("directory") { directory-entry };
+directory = { directory-entry };
 
 directory-entry = str("entry"), str("("), str("name"), str(name), str("node"), nar-obj, str(")");
 ```

maintainers/README.md

@@ -30,7 +30,6 @@ We aim to achieve this by improving the contributor experience and attracting mo
 ## Members
 
 - Eelco Dolstra (@edolstra) – Team lead
-- Théophane Hufschmitt (@thufschmitt)
 - Valentin Gagarin (@fricklerhandwerk)
 - Thomas Bereknyei (@tomberek)
 - Robert Hensing (@roberth)

maintainers/flake-module.nix

@@ -18,7 +18,6 @@
             ''^tests/unit/[^/]*/data/.*$''
 
             # Don't format vendored code
-            ''^src/toml11/.*''
             ''^doc/manual/redirects\.js$''
             ''^doc/manual/theme/highlight\.js$''
 
@@ -65,14 +64,6 @@
             ''^src/libexpr/eval-settings\.hh$''
             ''^src/libexpr/eval\.cc$''
             ''^src/libexpr/eval\.hh$''
-            ''^src/libexpr/flake/config\.cc$''
-            ''^src/libexpr/flake/flake\.cc$''
-            ''^src/libexpr/flake/flake\.hh$''
-            ''^src/libexpr/flake/flakeref\.cc$''
-            ''^src/libexpr/flake/flakeref\.hh$''
-            ''^src/libexpr/flake/lockfile\.cc$''
-            ''^src/libexpr/flake/lockfile\.hh$''
-            ''^src/libexpr/flake/url-name\.cc$''
             ''^src/libexpr/function-trace\.cc$''
             ''^src/libexpr/gc-small-vector\.hh$''
             ''^src/libexpr/get-drvs\.cc$''
@@ -127,6 +118,14 @@
             ''^src/libfetchers/tarball\.hh$''
             ''^src/libfetchers/git\.cc$''
             ''^src/libfetchers/mercurial\.cc$''
+            ''^src/libflake/flake/config\.cc$''
+            ''^src/libflake/flake/flake\.cc$''
+            ''^src/libflake/flake/flake\.hh$''
+            ''^src/libflake/flake/flakeref\.cc$''
+            ''^src/libflake/flake/flakeref\.hh$''
+            ''^src/libflake/flake/lockfile\.cc$''
+            ''^src/libflake/flake/lockfile\.hh$''
+            ''^src/libflake/flake/url-name\.cc$''
             ''^src/libmain/common-args\.cc$''
             ''^src/libmain/common-args\.hh$''
             ''^src/libmain/loggers\.cc$''
@@ -429,14 +428,13 @@
             ''^tests/functional/test-libstoreconsumer/main\.cc''
             ''^tests/nixos/ca-fd-leak/sender\.c''
             ''^tests/nixos/ca-fd-leak/smuggler\.c''
+            ''^tests/nixos/user-sandboxing/attacker\.c''
             ''^tests/unit/libexpr-support/tests/libexpr\.hh''
             ''^tests/unit/libexpr-support/tests/value/context\.cc''
             ''^tests/unit/libexpr-support/tests/value/context\.hh''
             ''^tests/unit/libexpr/derived-path\.cc''
             ''^tests/unit/libexpr/error_traces\.cc''
             ''^tests/unit/libexpr/eval\.cc''
-            ''^tests/unit/libexpr/flake/flakeref\.cc''
-            ''^tests/unit/libexpr/flake/url-name\.cc''
             ''^tests/unit/libexpr/json\.cc''
             ''^tests/unit/libexpr/main\.cc''
             ''^tests/unit/libexpr/primops\.cc''
@@ -445,6 +443,8 @@
             ''^tests/unit/libexpr/value/context\.cc''
             ''^tests/unit/libexpr/value/print\.cc''
             ''^tests/unit/libfetchers/public-key\.cc''
+            ''^tests/unit/libflake/flakeref\.cc''
+            ''^tests/unit/libflake/url-name\.cc''
             ''^tests/unit/libstore-support/tests/derived-path\.cc''
             ''^tests/unit/libstore-support/tests/derived-path\.hh''
             ''^tests/unit/libstore-support/tests/nix_api_store\.hh''

package.nix

@@ -32,6 +32,7 @@
 , pkg-config
 , rapidcheck
 , sqlite
+, toml11
 , util-linux
 , xz
 
@@ -227,6 +228,10 @@ in {
     libsodium
     openssl
     sqlite
+    (toml11.overrideAttrs (old: {
+      # TODO change in Nixpkgs, Windows works fine.
+      meta.platforms = lib.platforms.all;
+    }))
     xz
     ({ inherit readline editline; }.${readlineFlavor})
   ] ++ lib.optionals enableMarkdown [