Support file paths with a dotted basename #912

Closed
copumpkin opened this issue May 20, 2016 · 14 comments · Fixed by #9867

@copumpkin
Member

Currently, I think the logic tries to set the "derivation" name to the basename when copying a path into the store. If that basename starts with a dot, Nix moans about not being able to copy it in.

Luckily, the derivation name doesn't matter all that much in Nix, so it can really be anything we want. Perhaps we could just have the file copying code strip out any leading dots from the name, or replace them with the string "dot"? That way we could do something like this:

{
  foo = mkDerivation {
    name = "foo";
    src = ./foo/bar/.baz;
  };
}
@domenkozar domenkozar added the bug label May 30, 2016
@benley
Member

benley commented Feb 13, 2017

Fixing this would be mighty handy for the various "manage your dotfiles with nix" tools out there.

@benley
Member

benley commented Feb 13, 2017

What actually are the security implications of allowing store names to start with a dot? Does nix reconstitute paths based on that name at some point, or is the store path just a unique key identifying the item in the store?

@jeaye

jeaye commented Nov 13, 2017

Gah, I'm hitting this trying to do some dotfile management within NixOS:

  environment.etc =
  {
    "user/jeaye/.i3status.conf".source = ./data/.i3status.conf;
  };

Seems like an important feature for me, though looks like an activation script will have to do for now. Any more thoughts on this?

@eqyiel

eqyiel commented Aug 11, 2018

Is this still a technical restriction or is it really for security reasons like it says here: https://github.com/NixOS/nix/blob/master/src/libstore/store-api.cc#L85-L91

A bit of discussion in the home-manager repo: nix-community/home-manager#4 (comment)

@shlevy
Member

shlevy commented Aug 11, 2018

This can be worked around with builtins.path. You can provide an alternate name for the file in the store.

@eqyiel

eqyiel commented Aug 11, 2018

@shlevy that works, thanks for the tip!

~
❯ nix repl
Welcome to Nix version 2.0.4. Type :? for help.

nix-repl> builtins.path { path = "/home/eqyiel/.zshrc"; name = "zshrc"; }
"/nix/store/zsdswnfqj54hbk0r3h66gz2vxfsl5v1j-zshrc"

nix-repl>

~
❯ head /nix/store/zsdswnfqj54hbk0r3h66gz2vxfsl5v1j-zshrc
source "/nix/store/jk28835dkq3i1sypgww16fai1x5jkk3n-grml-etc-core-af65087/etc/zsh/zshrc"

for i in ${HOME}/.config/zsh/functions/*; do autoload -Uz "$(basename $i)"; done

if [[ -z "$(pgrep gpg-agent)" ]]; then
  eval "$(/nix/store/2ha2niscnxfqmfn269khmf8x3xl4mxwp-gnupg-2.2.8/bin/gpg-agent --daemon --enable-ssh-support --sh)"
fi

# Don't let gnome's ssh agent clobber this variable
if isdarwin; then

~
❯
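
The `builtins.path` workaround shown above, generalized as an added example (not code from any participant in this thread or from the Nix project). The helpers `storeSafeName` and `dotfileSource` and the fallback name `dotfile` are hypothetical; the paths are the ones quoted earlier in the thread.

```nix
# Added example; storeSafeName and dotfileSource are hypothetical helpers.
let
  # Strip every leading "." from a basename. If nothing is left
  # (the basename consisted only of dots), fall back to a fixed name.
  # Only leading dots are handled here; other characters that are
  # invalid in store names are left untouched.
  storeSafeName = base:
    let
      stripped = builtins.head (builtins.match "[.]*(.*)" base);
    in
      if stripped == "" then "dotfile" else stripped;

  # Copy `path` into the store under a name that does not start
  # with a dot, using the `name` argument of builtins.path.
  dotfileSource = path:
    builtins.path {
      inherit path;
      name = storeSafeName (baseNameOf path);
    };
in
{
  # The target in /etc keeps its leading dot; only the store name changes.
  environment.etc."user/jeaye/.i3status.conf".source =
    dotfileSource ./data/.i3status.conf;
}
```

The store name only labels the store path, so the installed file name under `environment.etc` is unaffected by the renaming.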

@stale

stale bot commented Feb 15, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the stale label Feb 15, 2021
@stale

stale bot commented May 2, 2022

I closed this issue due to inactivity. → More info

@stale stale bot closed this as completed May 2, 2022
@thufschmitt thufschmitt reopened this Feb 24, 2023
@Ericson2314
Member

Ericson2314 commented Jan 8, 2024

Oh ha (see #9095) we've gone back and forth with this since this issue was opened I guess.

@roberth
Member

roberth commented Jan 31, 2024

Let's track leading period support here.

Nix versions that denied leading periods are currently:

  • 2.20.*
  • 2.19.*
  • as of yet unreleased backports into 2.13 up to 2.18.x
  • 2.3.* and older

@adrian-gierakowski

> Let's track leading period support here.
>
> Nix versions that denied leading periods are currently:
>
>   • 2.20.*
>   • 2.19.*
>   • as of yet unreleased backports into 2.13 up to 2.18.x
>   • 2.3.* and older

How can I check if the backports have been released? https://nixos.org/manual/nix/stable/release-notes doesn't contain release notes for patch releases, and releases on GitHub don't seem to come with a changelog.

Thanks!

@roberth
Member

roberth commented Apr 9, 2024

We have some support for minor release notes in our minor release process.
Unfortunately,

cc @edolstra

@adrian-gierakowski

Thanks @roberth!

@adrian-gierakowski

adrian-gierakowski commented Apr 12, 2024

Just wanted to clarify the above:

> as of yet unreleased backports into 2.13 up to 2.18.x

I checked 2.18.2, and it denies leading dots in paths, so the backport seems to have made it.

Given https://nvd.nist.gov/vuln/detail/CVE-2024-27297, and that currently only the following nix versions contain the patch for it:

2.21.2
2.21.1
2.21.0
2.20.6
2.20.5
2.18.2
2.19.4
2.17.2
2.16.3
2.3.18

the only secure option available to people who want to avoid the dot problem is to use nix >= 2.21 (or 2.20.5, see EDIT below)

note that:

  1. the list above is my guess based on recently released patch versions here: https://github.com/NixOS/nix/tags
  2. I've only personally tested 2.16.3, 2.18.2 and 2.21.x for the dot issue

EDIT: just tested 2.20.5 and it supports dotted paths as well 🎉
