137 Commits

Author SHA1 Message Date
Emily
38dec9fcff makeInitrd{,NG}: drop legacy U‐Boot image support
Now that ARMv5 no longer uses `uImage`, there’s no point in keeping
around support for this deprecated format that the rest of the NixOS
infrastructure doesn’t handle. Modern U‐Boot setups should not
be affected in any way by this.
2026-06-01 11:12:44 +10:00
countgitmick
b5d70d2ffb make-initrd-ng: suppress spurious glibc dependency warnings
In Nix, glibc libraries lack rpath entries pointing to themselves,
so libc.so.6 and ld-linux-*.so.* can never be resolved through rpath
alone during initrd generation. They are always present in the initrd
through other paths (the ELF interpreter and other binaries' rpath
entries).

The scripted initrd builder (stage-1.nix findLibs) already skips
ld*.so.? for the same reason. This brings make-initrd-ng in line
with that precedent.

Also removes two unused imports (PermissionsExt, Command) and moves
the remaining warning output from stdout to stderr.

Closes #463894
Closes #282145
Closes #399281
2026-04-08 15:44:53 -07:00
mlyxshi
de5cb839e4 pkgs/build-support/kernel/make-initrd.nix: unsafeDiscardReferences.out = true 2026-02-12 15:24:53 +08:00
mlyxshi
8446dfc3c9 pkgs/build-support/kernel/make-initrd-ng.nix: unsafeDiscardReferences.out = true 2026-02-12 15:18:24 +08:00
nixpkgs-ci[bot]
e1c80e8e08 Merge master into staging-nixos 2026-01-28 00:21:17 +00:00
Alyssa Ross
38082ff4d4 kernel/modules-closure.sh: depmod fails on Linux 6.12+ due to missing modules.builtin.modinfo (#484106) 2026-01-27 12:51:43 +00:00
韶光
7c78262410 kernel/modules-closure: copy modules.builtin.modinfo for depmod
Co-authored-by: Alyssa Ross <hi@alyssa.is>
2026-01-27 18:06:11 +08:00
Stefan Frijters
2bceeb45e5 compressFirmwareZstd: enable __structuredAttrs and fix allowedRequisites 2026-01-25 00:58:08 +01:00
Michael Daniels
006ecdbdeb treewide: fix typos (#479869) 2026-01-24 21:36:44 +00:00
Sergei Trofimovich
26acdb1053 make-initrd: drop unused toValidStoreName local 2026-01-22 22:12:36 +00:00
Ben Siraphob
c7e10647ea treewide: fix typos 2026-01-13 14:45:11 -05:00
Wolfgang Walther
91a8fee3aa treewide: remove redundant parentheses
Auto-fixed by nixf-diagnose.
2025-10-05 10:52:03 +02:00
andre4ik3
216d98ab97 nixos/systemd-initrd: silence various warnings
Silences 2 warning messages that appear when using the systemd initrd:

1. "System tainted (var-run-bad)": occurs because `/var/run` isn't a
   symlink to `/run`. Fixed by making /run and linking /var/run to it.

2. "Failed to make /usr a mountpoint": occurs because ProtectSystem
   defaults to true in the initrd, which makes systemd try to remount
   `/usr` as read-only, which doesn't exist in the initrd. Fixed by
   linking `/usr/bin` and `/usr/sbin` to the initrd bin directories.

Also moves the `/tmp` creation from the initrd module to make-initrd-ng,
to avoid making an unnecessary `/tmp/.keep`, saving a store path and a
few bytes in the initrd image.
2025-08-16 00:28:13 +00:00
Wolfgang Walther
5a0711127c treewide: run nixfmt 1.0.0 2025-07-24 13:55:40 +02:00
Gerg-L
98313e2b81 nixos/systemd-initrd: deprecate strip
It only saved ~1MiB of initramfs size, but caused a few issues
like unloadable kernel modules.
2025-05-08 19:08:14 -04:00
r-vdp
a9c75e7689 make-initrd-ng: fix file permissions
We want to strip the write bit from files after we copied them.
XOR is not the right operator for this, since if the bit is 0 in both
the actual permissions and the mask, then the result will be a 1.
So in practice, we were assigning write permissions for group and others
to all files and we were only stripping the write permissions of the
owner (since the owner had write permissions, and so the result of the
XOR is 0).

The correct thing to do is to AND with the maximum permissions that we
want to maintain (which is the inverse of what we want to strip), so
that only those bits are preserved and the others are always set to 0.
2025-05-08 12:13:50 +02:00
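
The operator difference described in the commit message above, as an added Rust example that is not taken from the commit or from make-initrd-ng's source. It assumes a strip mask of `0o222` and a constructed sample file with mode `0o555`; all function names are hypothetical. It also includes an audit helper that lists group- or world-writable files in a directory tree.

```rust
use std::{fs, io};
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};

const WRITE_BITS: u32 = 0o222; // assumed strip mask: write bit for owner, group, others

fn strip_write_xor(mode: u32) -> u32 { mode ^ WRITE_BITS } // toggles: clear write bits get set
fn strip_write_and(mode: u32) -> u32 { mode & !WRITE_BITS } // masks: write bits always end up 0

// Grant owner write for post-processing, then strip with `strip`; returns the final mode.
fn process(path: &Path, strip: fn(u32) -> u32) -> io::Result<u32> {
    let mut perms = fs::metadata(path)?.permissions();
    perms.set_mode(perms.mode() | 0o200);
    fs::set_permissions(path, perms.clone())?;
    perms.set_mode(strip(perms.mode()));
    fs::set_permissions(path, perms)?;
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

// Audit helper: recursively collect regular files writable by group or others.
fn find_group_or_world_writable(root: &Path) -> io::Result<Vec<PathBuf>> {
    let mut hits = Vec::new();
    for entry in fs::read_dir(root)? {
        let path = entry?.path();
        let meta = fs::symlink_metadata(&path)?;
        if meta.is_dir() {
            hits.extend(find_group_or_world_writable(&path)?);
        } else if meta.is_file() && meta.permissions().mode() & 0o022 != 0 {
            hits.push(path);
        }
    }
    Ok(hits)
}

// Runs one strip variant on a constructed 0o555 file; returns (final mode, audit hits).
fn demo(tag: &str, strip: fn(u32) -> u32) -> io::Result<(u32, usize)> {
    let dir = std::env::temp_dir().join(format!("initrd-perm-{}-{}", tag, std::process::id()));
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir_all(&dir)?;
    let file = dir.join("sample.elf");
    fs::write(&file, b"constructed sample")?;
    fs::set_permissions(&file, fs::Permissions::from_mode(0o555))?;
    let out = (process(&file, strip)?, find_group_or_world_writable(&dir)?.len());
    fs::remove_dir_all(&dir)?;
    Ok(out)
}

fn main() {
    let (x, a) = (demo("xor", strip_write_xor).unwrap(), demo("and", strip_write_and).unwrap());
    println!("xor: mode {:o}, hits {}; and: mode {:o}, hits {}", x.0, x.1, a.0, a.1);
}
```
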
sudoBash418
93b98639dd make-initrd-ng: Restore stripped file permissions
Previously, all initrd ELFs would be made *world-writable*.

This commit sets the write bit for the file owner exclusively, and
removes it when done. It also sets the umask so that files don't
implicitly become writable for other users by mistake.

Fixes: https://github.com/NixOS/nixpkgs/security/advisories/GHSA-m7pq-h9p4-8rr4
Reported-By: sudoBash418 <sudobash418@gmail.com>
2025-04-13 12:02:16 -04:00
nixpkgs-ci[bot]
4733649a15 Merge master into staging-next 2025-03-20 00:15:20 +00:00
Jared Baur
ea116654aa nixos/initrd: add extraFirmwarePaths option
(cherry picked from commit 488d4316b9e1510c9b4a2eeb8d7e2cc66839a1fc)
2025-03-18 20:39:52 -07:00
Philip Taron
711bf412a3 make-initrd: use closureInfo again (#372931) 2025-03-09 18:48:12 -07:00
Dominik Xaver Hörl
e540245ee4 pkgs/pathsFromGraph: drop
Nix 2.* is widely used now, so closureInfo should be used instead.
2025-01-23 16:22:41 +01:00
Dominik Xaver Hörl
7cc5a44a61 make-initrd: use closureInfo 2025-01-23 16:22:41 +01:00
Wolfgang Walther
cf127c9dc3 treewide: load structured attributes in all bash builders consistently
It's hard to put the sourcing of ./.attrs.sh into all builders
consistently - mistakes will happen. Thus, load structured attrs once in
make-derivation and then source the remaining builder on top.

This should fix quite a few builders with structured attributes in
principle. Most importantly it helps substitute / substituteAll, which
are required for bootstrap on some platforms.
2024-12-29 18:36:47 +01:00
Silvan Mosberger
667d42c00d treewide: format all inactive Nix files
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.

Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.

A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.

This commit was automatically created and can be verified using

    nix-build a08b3a4d19.tar.gz \
      --argstr baseRev 57b193d8dd
    result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:27:17 +01:00
Silvan Mosberger
4f0dadbf38 treewide: format all inactive Nix files
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.

Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.

A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.

This commit was automatically created and can be verified using

    nix-build a08b3a4d19.tar.gz \
      --argstr baseRev b32a094368
    result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
Yureka
0f216e2578 tree-wide: switch initrd generators back to gnu cpio
Originally, we switched to bsdtar from libarchive to solve a reproducibility issue related to hardlinks.

As of gnu cpio 2.14 the --ignore-dirnlink option is introduced and now included in --reproducible, which solves this issue.

By switching back, we are in turn solving an issue in libarchive >=3.7.5 erroring out with "Error reading archive -: (null)".

Change-Id: Ib6140d599b6547d8e941b0251ce996e303c41fa6
2024-10-31 01:21:59 +01:00
Aaron Andersen
c7bb47aac1 makeInitrdNG: fixup contents documentation 2024-09-10 15:31:48 -04:00
Jörg Thalheim
3de4714572 make-initrd-ng: also print json itself if it fails to parse
The current error message is hard to debug because the error is in the
nix store:

> Error: failed to parse JSON in "/build/.attr-1s42g1c76fxb77skzq0b4wdhcrg8jmzb54czmxvh1qm7psgsbcni"
>
> Caused by:
> missing field `source` at line 1 column 102
>
> Location:
> src/main.rs:329:10
2024-08-02 10:24:34 +02:00
Will Fancher
6f959a9e96 nixos/make-initrd-ng: dlopen ELF notes 2024-07-21 06:31:42 -04:00
Will Fancher
e6c544270c nixos/make-initrd-ng: Pass contents as JSON 2024-07-21 06:31:42 -04:00
Krzysztof Nazarewski
4ede20cc6f makeModulesClosure: include /lib/firmware/edid
modules-closure.sh seems to consider everything under
/lib/firmware to be a kernel module;
this change adds special handling of the `edid` directory,
which does not contain kernel modules.

fixes #279739
2024-07-18 16:57:18 +03:00
jade
b8946c1bf2 Merge pull request #319220 from ExpidusOS/fix/test-infinite-recurse
Fix failures with pkgs/top-level/release-attrpaths-superset.nix
2024-06-30 09:00:23 -07:00
Linus Heckemann
e5adf0b547 maintainers: drop lheckemann 2024-06-21 15:54:54 +02:00
Tristan Ross
23ce5265d0 pkgs/build-support/kernel/make-initrd.nix: fix eval for test on darwin 2024-06-14 18:38:45 -07:00
Maximilian Bosch
b6ef9ffdfd nixos/udev: compress firmware with zstd if possible
Closes #267442

    $ nix path-info -Sh /nix/store/qj1dm7wfw5m3mxf1gn3fdm0az9y1h5ny-linux-firmware-20240312-xz
    /nix/store/qj1dm7wfw5m3mxf1gn3fdm0az9y1h5ny-linux-firmware-20240312-xz	440.3M
    $ nix path-info -Sh /nix/store/c3szcjxb3g990dbiz7llwmkaf0bi98j2-linux-firmware-20240312-zstd
    /nix/store/c3szcjxb3g990dbiz7llwmkaf0bi98j2-linux-firmware-20240312-zstd	460.6M

This is an increase of 4.4%, but OTOH zstd has a significantly higher
decompression speed[1].

[1] https://gregoryszorc.com/blog/2017/03/07/better-compression-with-zstandard/
2024-04-19 16:46:25 +02:00
Maximilian Bosch
378177d269 linux kernel: prefer zstd where possible
Closes #302291
Closes #301536

The following things have changed:

* For 5.7+: ZSWAP compressor uses zstd now.
* For 5.11+: ZRAM compressor uses zstd now.
* For 5.13+: kernel modules are compressed with zstd instead of xz.
* For 5.19+: support zstd-compressed firmware.

The modules-closure functionality needed explicit support for copying
over `.zst` files. Also, the VM image builder used busybox's `insmod`
before which doesn't support zstd. Switched to `kmod` and added xz/zstd
as dependencies for it, similar to how it's done for the actual stage1
in d33e52b253. The use of `kmod` here
doesn't seem to be such a big deal since it's only a build-time
dependency.
2024-04-19 16:45:35 +02:00
Will Fancher
6504cbb171 Merge pull request #288212 from r-ryantm/auto-update/makeInitrdNGTool
makeInitrdNGTool: 0.1.0 -> 0.1.0
2024-03-27 00:43:03 -04:00
stuebinm
ff1a94e523 treewide: add meta.mainProgram to packages with a single binary
The nixpkgs-unstable channel's programs.sqlite was used to identify
packages producing exactly one binary, and these automatically added
to their package definitions wherever possible.
2024-03-19 03:14:51 +01:00
R. Ryantm
2214a3f6e4 makeInitrdNGTool: 0.1.0 -> 0.1.0 2024-02-12 05:11:50 +00:00
Will Fancher
f8781c3668 Merge pull request #283770 from r-ryantm/auto-update/makeInitrdNGTool
makeInitrdNGTool: 0.1.0 -> 0.1.0
2024-02-10 22:19:21 -05:00
Alyssa Ross
59fca7cb67 compressFirmwareXz: don't allow references 2024-01-28 11:57:38 +01:00
Alyssa Ross
24bb06069f compressFirmwareXz: fail on broken symlinks
This would have caught the last two issues we had with compression.
2024-01-28 11:57:37 +01:00
Alyssa Ross
a136def4f7 compressFirmwareXz: fix symlink type check
The previous version didn't work in the case of relative symlinks in
subdirectories.  If "foo/bar" was a link to "baz", it would check for
a link to "baz" in the root, rather than under "foo".

We don't need to dereference the symlink ourselves for [ anyway, as it
dereferences its arguments itself, so all we need to do to fix this is
to pass it the link.

Fixes: 14f83d5c6f ("compressFirmwareXz: fix links to directories")
2024-01-28 11:57:30 +01:00
R. Ryantm
d4e775bd1a makeInitrdNGTool: 0.1.0 -> 0.1.0 2024-01-25 13:37:20 +00:00
Franz Pletz
14f83d5c6f compressFirmwareXz: fix links to directories
Only add the `.xz` suffix to links if link target is a regular file.
This breaks if the target is a directory.

Fixes #283005.
2024-01-23 07:16:59 +01:00
R. Ryantm
19b4bac3d0 makeInitrdNGTool: 0.1.0 -> 0.1.0 2024-01-07 10:39:28 +00:00
R. Ryantm
5ff7811393 makeInitrdNGTool: 0.1.0 -> 0.1.0 2024-01-01 20:10:05 +00:00
Atemu
d7b70652ef Merge pull request #272125 from yaxitech/reproducible-initrd
make-initrd-ng: fix reproducibility problems
2023-12-24 11:53:33 +01:00
R. Ryantm
d2ffb24948 makeInitrdNGTool: 0.1.0 -> 0.1.0 2023-12-16 14:58:17 +00:00
Andreas Stührk
4084ee0cd5 make-initrd-ng: fix reproducibility problems
The previous find invocation didn't match the root directory, so the
root directory's access and modification time wasn't set to a
deterministic value and the build time leaked into the output.

`make-initrd` replaced `cpio` with `bsdtar` in #165892 because the
former includes the number of hardlinks in the created archive, which
depends on the filesystem (and can also be influenced by `nix-store
--optimise`). The same problem applies to `make-initrd-ng`, so this
commit replaces `cpio` with `libarchive`'s `bsdtar`.
2023-12-04 19:23:06 +01:00